OK, I have an update. I found that some routers (version dependent) allow for the use of an outbound QoS policy on a GRE tunnel that runs MPLS and matches MPLS EXP values. My router, unfortunately, did not support it. Luckily, I was able to find a workaround. It is a feature called "qos-groups". The link to the Cisco document can be found below. Also below is a link to a blog that explains it a little simpler. Essentially you mark traffic on the ingress of the router with a qos-group number (value from 0-1023). That qos-group number is locally significant, and is not carried to other routers. On your tunnel outbound QoS policy, you match on that qos-group number. Below is the config.

! Ingress: classify on DSCP and tag the packet with a locally significant qos-group
class-map CLASS1
 match dscp af11
policy-map POLICY1
 class CLASS1
  set qos-group 1
!
! Tunnel egress: match the qos-group instead of the (unmatchable) MPLS EXP value
class-map CLASS2
 match qos-group 1
policy-map POLICY2
 class CLASS2
  bandwidth 1000
!
interface <ingress interface>
 service-policy input POLICY1
!
interface tunnel 1
 service-policy output POLICY2

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_classn/configuration/xe-16/qos-classn-xe-16-book/qos-classn-grp-mtch-set.html
http://switchpacket.blogspot.com/2013/06/qos-groups.html

I hope that proves helpful to someone.
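As an added example (not the poster's configuration), the same qos-group technique carried one step further into the shaped tunnel policy the thread asks about: EXP 1 and 2 are mapped to qos-groups on the core-facing ingress interface, and a hierarchical shaper on the tunnel matches those qos-groups in its child classes. The interface names, the 50 Mb/s shape rate and the EXP-to-qos-group mapping are assumptions, and the design assumes labelled packets already arrive at this router (a P router), so the topmost EXP is present on ingress.

```cisco
! Added example, not the original poster's config. Assumed names/values:
! ingress GigabitEthernet0/0/0, Tunnel1, shape rate 50 Mb/s, EXP 1 -> qos-group 1,
! EXP 2 -> qos-group 2. Assumes MPLS-labelled packets arrive on the ingress side.
!
! Ingress: classify on the topmost MPLS EXP and tag with a qos-group.
class-map match-any EXP1
 match mpls experimental topmost 1
class-map match-any EXP2
 match mpls experimental topmost 2
!
policy-map MARK-QOS-GROUP
 class EXP1
  set qos-group 1
 class EXP2
  set qos-group 2
!
! Egress child classes: match the qos-group, not the EXP value.
class-map match-any QG1
 match qos-group 1
class-map match-any QG2
 match qos-group 2
!
policy-map TUNNEL-CHILD
 class QG1
  bandwidth 1000
 class QG2
  bandwidth 2000
!
! Egress parent: shape the tunnel to the provider rate, then queue with the child.
policy-map TUNNEL-SHAPE
 class class-default
  shape average 50000000
  service-policy TUNNEL-CHILD
!
interface GigabitEthernet0/0/0
 service-policy input MARK-QOS-GROUP
!
interface Tunnel1
 service-policy output TUNNEL-SHAPE
!
! Check that QG1/QG2 (not only class-default) count packets on the tunnel:
! show policy-map interface Tunnel1 output
```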
We have an MPLS network in which a few of the P routers are connected to each other via GRE over a service provider. We are running MPLS IP over those GRE tunnels. We have configured an outbound QoS shaping policy on those tunnel interfaces. However, the problem is that the QoS policy on the tunnel is NOT matching the MPLS EXP bits in that policy on that tunnel interface. I have already verified that the packets are marked with the MPLS EXP bits. The same outbound policy works on physical interfaces that connect to different P routers, just not over the GRE tunnels. The router is an ASR-1006X running 16.9.3. Below is a simple config.

!
class-map CLASS1
 match mpls experimental topmost 1
class-map CLASS2
 match mpls experimental topmost 2
!
policy-map POLICY1
 class CLASS1
  bandwidth 1000
 class CLASS2
  bandwidth 2000
!
interface Tunnel1
 service-policy output POLICY1

I have found an article (listed below) that says that it is not supported. I guess my question is, has anyone had any luck making this work, or do they know of a workaround? At the end of the day, we want to manage the traffic that leaves the GRE tunnel, giving priority to specific sets of traffic.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_l3_vpns/configuration/xe-3s/mp-l3-vpns-xe-3s-book/mp-vpn-gre.html

An excerpt from this document:

Restrictions for MPLS VPN L3VPN over GRE
The MPLS VPN L3VPN over GRE feature does not support the following: Quality of service (QoS) service policies that are configured on the tunnel interface; they are supported on the physical or subinterface.

Thanks for the help!
I had the same issue. I found a bug that has the fix action. I have pasted the results of it below for those that don't have a CCO account. Removing FALSE from the field listed below fixed the problem for me.
ISE "Failed Value for attribute Protocol is mandatory" when importing network device
CSCvj13401
Description
Symptom: "Failed Value for attribute Protocol is mandatory" error message when trying to import a network device through CSV.
Conditions: having a NAD that is configured for TACACS and was previously exported from ISE to a CSV.
Workaround: remove "FALSE" under "Enable Multi Shared Secret:String(128)" and the import will work fine.
I currently have a Cisco AP running in adhoc mode. I want to expand my coverage in my house, and allow for seamless roaming. Do I need a WLC to do that? Or can I run two APs in adhoc mode and roam between them? If so, are there any specific configurations I need to have on the APs to allow it, and what are they?
Thanks,
Thanks for the response. I was hoping that maybe creating an IPv6 VL would allow the IPv4 routes to be learned. But I tried earlier to create a virtual link on the IPv6 side, which I did successfully. However, that did not help my problem. I still could not learn the route from the area not connected to area 0. Thanks again.
I was wondering if there is any support for virtual links in the IPv4 address family of OSPFv3. Has anyone seen it? I saw one article on Cisco's website that it isn't supported, but maybe it's an old article? Has anyone been able to make VLs work in this scenario?

http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/15-0sy/ip6-ospf.html (look at the Note under "OSPFv3 Virtual Links")

Also, see the output below. There is no option for virtual links!

PE1(config)#router ospfv3 1
PE1(config-router)#address-family ipv4
PE1(config-router-af)#area 1 ?
  authentication  Enable authentication
  default-cost    Set the summary default-cost of a NSSA/stub area
  filter-list     Filter networks between OSPFv3 areas
  normal          Specify a normal area type
  nssa            Specify a NSSA area
  range           Summarize routes matching address/mask (border routers only)
  stub            Specify a stub area
  transit         Use this router to transit data
I know I'm a little late in replying to this, but I had the same issue. I was able to fix it by typing in config clear all from the NAM CLI.
Edison, Thank you for your help here. While I could not make the static NAT with a route-map work with my setup, it did lead me down a different path of research, and I was eventually able to find a fix. Below are the commands.

! Rotary pool containing only the inside server; TCP 3380-3390 is redirected to it
ip nat pool MyPool 192.168.0.69 192.168.0.69 netmask 255.255.255.0 type rotary
ip nat inside destination list 102 pool MyPool
access-list 102 permit tcp any any range 3380 3390

In the above configuration the 192.168.0.69 IP is the IP of the inside server I wanted to send my TCP 3380-3390 traffic to.
Edison, Thanks for answering! I am actually referring to port address redirection (that's the name given in the Ciscopress Cisco Router Firewall Security book). Essentially, it is static NAT. An example is below:

ip nat inside source static tcp interface

Like I mentioned, I can make this work if I were to type it in for all of the ports individually, but making it work with a significant range of ports is proving to be difficult. I have found a way to make it work, but it is not ideal, and sends ALL traffic to an inside default IP. The method is referred to as "nat inside default server". Like I said though, that sends ALL traffic destined for the external IP of the router on any port that is not specified in any other static or dynamic NAT configuration to the default IP specified. Anyway, ... that isn't optimal. I will try what you suggested, but am not sure if it is going to work. Thanks for that! Any other ideas?
Any ideas here guys/gals? Just throwing it out here, but is there any way to accomplish this scenario with policy based routing? Or maybe some other technology? If a Linksys router can do it I have to believe that a Cisco router can too! It would be optimal if I had a firewall appliance, because I am sure I can do it with that. Thanks in advance.
Hey all, I am running into a scenario where I need to perform port address redirection for external users accessing an internal VoIP server. Configuring port address redirection is easy enough when you are dealing with one port mapping to one port. But what happens when you need to configure port redirection on a range of ports (say 10000-20000)? I obviously cannot configure that many static NAT entries in the router. Anyone know of some creative ways to accomplish this? Thanks in advance for any help!
Let me start off with some background. We have a number of layer 2 switches that sit behind a router in a router-on-a-stick configuration. There are two routed VLANs. One (VLAN1) is fa 0/0, and one (VLAN1000) is fa 0/0.1000. VLAN 1000 is the management VLAN, and each of the switches has an IP in VLAN1000. VLAN 1 is the user subnet. I have noticed that on many of the switches there is no default-gateway configured. However, I can still connect to the switch on its management interface from a workstation in the user subnet. I am trying to figure out how this is possible if the layer 2 switch does not have a default-gateway configured. How does the switch know how to route back to the workstation that is in a different subnet? Now, I also tested this out with a layer 3 switch acting as the router, with multiple layer 2 switches behind it. The layer 3 switch had SVIs configured for each of the routed VLANs. In this scenario, I HAD to have a default gateway configured on the switch in order to ping to the user subnet. Anyway, sorry for the novel, but I wanted to provide as much information as possible. So, does anyone know why it is that I do NOT need a default-gateway when using the router-on-a-stick configuration? Oh, on a side note. With the router on a stick setup, if I do set a default gateway, it does not matter what IP I set it to, it always routes correctly. However, if I set the default gateway to an IP on the management subnet that is NOT the router IP, then it does not route at all, and I cannot reach my VLAN 1 subnet.
Brandon, Thanks for the reply, and sorry for taking so long to get back to you. You are correct, it does show up under the Record Count. I clicked on the number and it showed me the phone numbers assigned to that pickup group.
Is there a way for me to find out what numbers are assigned to a pickup group without looking at each directory number? I tried opening up the pickup group and clicking on Dependency Reports, but that did not show me what I need. Thanks in advance.