Tuesday, July 30, 2013

Port forwarding in dual WAN setup

Question:

I would be very thankful if someone could help me out with a simple question that has me stuck.
I have a Cisco 2910 router that has 3 interfaces:
g0/0 - LAN
g0/1 - WAN1
g0/2 - WAN2

I would like to configure port forwarding in such a way that connections to both WAN interfaces on identical ports will be redirected to a single host in a private network. When I issue the command:
ip nat inside source static tcp 10.10.10.X 8080 interface g0/1 8080
everything is fine, until I add the second command:
ip nat inside source static tcp 10.10.10.X 8080 interface g0/2 8080

After that, the first statement is just replaced by the second one, not added to the configuration.

It would be great if someone could give me some advice!

Answer:

You need two IP addresses on your server and route-maps to control the return traffic:

interface Gig0/0
  ip policy route-map Gig0/0-IN

You need two NAT-statements for the two IPs on the server:

ip nat inside source static tcp 10.10.10.101 8080 interface Gig0/1 8080
ip nat inside source static tcp 10.10.10.102 8080 interface Gig0/2 8080

With the help of PBR you force the return-traffic to the right link:

ip access-list extended TRAFFIC-FROM-10.10.10.101
  permit tcp host 10.10.10.101 eq 8080 any
ip access-list extended TRAFFIC-FROM-10.10.10.102
  permit tcp host 10.10.10.102 eq 8080 any
!
route-map Gig0/0-IN permit 10
  match ip address TRAFFIC-FROM-10.10.10.101
  set interface Gig0/1
!
route-map Gig0/0-IN permit 20
  match ip address TRAFFIC-FROM-10.10.10.102
  set interface Gig0/2

Cisco 2901 and BT Infinity

Question:

We have recently had BT Infinity installed, and we are swapping out the homehub for a 2901 and an ASA.

I am having some trouble with the router side of the config. My interface shows as up and is getting an IP address, but I cannot get to the internet. I can run a trace that appears to be getting out, but it dies before getting to the destination.

Any help would be greatly appreciated. I have attached our config and the trace results.

Answer:

Change this:

ip nat inside source route-map infinity interface Dialer1 overload


Sunday, July 28, 2013

Avaya Phones, Cisco Switches and QoS (MPLS network in between)

Question:

I am implementing QoS on our MPLS network. Our environment consists of a mix of Cisco 2960 and 3560 switches. The IPT system is Avaya CM with Avaya phones.
The WAN network is an MPLS network.

Ports are configured for access and voice VLAN (no trunking), one VLAN for voice, one for data (VLAN 1 is disabled).
I don't have QoS configured on the LAN; I just wanted to configure it on the WAN router where my MPLS link is connected. I have 45 Mb MPLS links on all sites connected to each other.

I have multiple sites connected via MPLS and I have control at both sides. The current config is shown below; in it, DSCP marking is not done for signaling. Can anyone tell me the best config, with an example?

Current config on all Cisco routers where the MPLS link is terminated, at all sites:

class-map match-any business
 match access-group name business_critical
class-map match-any non-business
 match access-group name non-critical
class-map match-any premium
 match access-group name interactive_video_or_voice
!
policy-map parent-test
 class premium
  set ip dscp ef
  priority percent 20
 class business
  set ip dscp default
  bandwidth remaining percent 60
 class non-business
  bandwidth remaining percent 30
 class class-default
!
policy-map MPLS-OUT
 class class-default
  shape average 46080000
  service-policy parent-test
!
interface GigabitEthernet0/0
 service-policy output MPLS-OUT
!
ip access-list extended interactive_video_or_voice
 permit ip 10.x.x.128 0.0.0.63 any   <----- Voice Device Vlan
 permit ip host 10.x.x.11 any        <----- New_VC_VLAN


Answer:


This is the same type of config that I use on mine. The only question that I have is about your business class. Are you wanting to set your DSCP to default for a reason? I'm assuming that you're going into an MPLS cloud from your provider? If so, do you pay for QoS support where they will match on a marking and then give that priority through their LSP?

Friday, July 26, 2013

OSPF Filtering IP on a routed subnet

Question:

I have already got OSPF set up with area 0 for my backbone and area 1 for my WAN sites. One of my remote sites has a static default route that points to its firewall. On my remote site router I need to filter out a certain IP address from the 192.168.0.0/16 route that OSPF creates, so I can block users at that remote site from connecting to that particular IP.


Answer:

If I am understanding your request correctly, the remote site is learning a 192.168.0.0/16 route from the "headend" router. There is one particular host address within 192.168.0.0/16 that you want to block as a destination from the remote site?

Like most problems in IT, there are several ways to solve this. Commonly, IP access control lists are used for traffic 'policy enforcement'. By implementing an ACL to deny the source of remote-site IPs to a destination of this particular host IP, the remote site users would no longer be able to communicate with the particular IP.

A less polished, but also effective, way to make this happen: you could null route the particular host address on your remote site router. This means that when the remote site router looks up the next hop for that particular destination, it sees the next hop as the 'bit bucket' and traffic is dropped in your routing logic. This is nice and efficient, but you lose any logging/visibility.

Wednesday, July 24, 2013

Multiple WAN Ip addresses and Multiple inside hosts

Question:

I have looked for a definitive answer on this, and while there are many discussions on this I have still not found a good way to do the following.

We have been granted 5 IP addresses from the provider (/29) and we have 4 internal web servers. We would like to map address 1 to server 1, address 2 to server 2, address 3 to server 3, address 4 to server 4, and address 5 would be the public IP that users surf out on. I want to make sure that these servers always use the same IP address.... Sounds simple and logical but it is proving more difficult than anticipated. I have seen suggestions for secondary addresses on the WAN interface but that won't help with the 1:1 mapping of server to IP address. I have seen some suggestions on doing 5 different NAT pools (which seems promising) but when I try to put 1 single address in a NAT pool (IP nat pool test 12.111.112.113 12.111.112.113 netmask 255.255.255.255) it tells me the minimum mask should be a 255.255.255.252...

Logically in my head I think it would make sense to have 5 NAT pools each triggered by an ACL that defines the specific server but can't seem to get around this issue.....

ANY Thoughts or suggestions are most welcome.... Any other designs or creative ways to approach this are appreciated.

Answer:
If I get your meaning on this, I haven't seen a lot of discussion on this topic; however, I have this running on my own network. Essentially you want one address assigned to each server, which you can do through a NAT inside source command; this will send the packet to the correct server. However, when that server replies it will exit through the default NAT pool and the address assigned to it. This is unacceptable for most Internet protocols since the host that sent the packet is receiving a response from another IP address.

In order to make this work you will need to create a NAT pool for each public address you want to use, for instance:

ip nat pool <name1> 123.123.123.98 123.123.123.98 netmask 255.255.255.248
ip nat pool <name2> 123.123.123.99 123.123.123.99 netmask 255.255.255.248
ip nat pool <name3> 123.123.123.100 123.123.123.100 netmask 255.255.255.248
ip nat pool <name4> 123.123.123.101 123.123.123.101 netmask 255.255.255.248

Next you will need to assign an access list to each of these NAT pools with the following commands:

ip nat inside source list 101 interface GigabitEthernet0/1 overload <-------<Default NAT translation>
ip nat inside source list 102 pool <name1> overload
ip nat inside source list 103 pool <name2> overload
ip nat inside source list 104 pool <name3> overload
ip nat inside source list 105 pool <name4> overload

The secret to making this work is building the access list correctly. What I generally do is create a private address space on the LAN to assign to each public address; for instance, I will segment the network into blocks of 16 private addresses for each public address, except for the default pool, which is generally what is left over. For instance, I will segment the network like this:

10.10.10.17 - 10.10.10.31 assigned to 123.123.123.98
10.10.10.33 - 10.10.10.47 assigned to 123.123.123.99
10.10.10.49 - 10.10.10.63 assigned to 123.123.123.100
10.10.10.65 - 10.10.10.79 assigned to 123.123.123.101
10.10.10.81 - 10.10.10.254 assigned to 123.123.123.102 <-------<Default NAT translation>

Given this, the access list would look something like this:

access-list 101 deny   ip 10.10.10.16 0.0.0.15 any
access-list 101 deny   ip 10.10.10.32 0.0.0.15 any
access-list 101 deny   ip 10.10.10.48 0.0.0.15 any
access-list 101 deny   ip 10.10.10.64 0.0.0.15 any
access-list 101 permit ip 10.10.10.0 0.0.0.255 any

access-list 102 deny   ip 10.10.10.32 0.0.0.15 any
access-list 102 deny   ip 10.10.10.48 0.0.0.15 any
access-list 102 deny   ip 10.10.10.64 0.0.0.15 any
access-list 102 permit ip 10.10.10.16 0.0.0.15 any

access-list 103 deny   ip 10.10.10.48 0.0.0.15 any
access-list 103 deny   ip 10.10.10.64 0.0.0.15 any
access-list 103 permit ip 10.10.10.32 0.0.0.15 any

access-list 104 deny   ip 10.10.10.64 0.0.0.15 any
access-list 104 permit ip 10.10.10.48 0.0.0.15 any

access-list 105 permit ip 10.10.10.64 0.0.0.15 any


This should accomplish what you are looking for. If you want to have multiple servers on an IP this becomes easy: just assign a private address within the range you want for the given public address.
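A way to check the design above before pasting it into a router, as an added example that is not part of the original answer: the script evaluates the posted ACLs with IOS first-match semantics and confirms every inside host is permitted by exactly one NAT rule. List 103's permit line is written here with the well-formed address 10.10.10.32 and wildcard 0.0.0.15; the function names and the pairing of each list with its pool address are assumptions taken from the order of the commands above.

```python
"""Added example: verify that NAT source ACLs split the inside LAN cleanly."""
import ipaddress

# ACLs from the answer above; list 103's permit uses 10.10.10.32 0.0.0.15.
ACL_TEXT = """
access-list 101 deny   ip 10.10.10.16 0.0.0.15 any
access-list 101 deny   ip 10.10.10.32 0.0.0.15 any
access-list 101 deny   ip 10.10.10.48 0.0.0.15 any
access-list 101 deny   ip 10.10.10.64 0.0.0.15 any
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 deny   ip 10.10.10.32 0.0.0.15 any
access-list 102 deny   ip 10.10.10.48 0.0.0.15 any
access-list 102 deny   ip 10.10.10.64 0.0.0.15 any
access-list 102 permit ip 10.10.10.16 0.0.0.15 any
access-list 103 deny   ip 10.10.10.48 0.0.0.15 any
access-list 103 deny   ip 10.10.10.64 0.0.0.15 any
access-list 103 permit ip 10.10.10.32 0.0.0.15 any
access-list 104 deny   ip 10.10.10.64 0.0.0.15 any
access-list 104 permit ip 10.10.10.48 0.0.0.15 any
access-list 105 permit ip 10.10.10.64 0.0.0.15 any
"""

# NAT rules in the order given above: (ACL number, translated source).
RULES = [
    (101, "interface GigabitEthernet0/1"),  # default overload translation
    (102, "123.123.123.98"),
    (103, "123.123.123.99"),
    (104, "123.123.123.100"),
    (105, "123.123.123.101"),
]


def parse_acls(text):
    """Parse 'access-list N permit|deny ip ADDR WILDCARD any' lines.

    Returns {number: [(action, base, wildcard), ...]} in configuration order.
    Malformed addresses or wildcards raise ValueError.
    """
    acls = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if (len(parts) != 7 or parts[0] != "access-list" or parts[3] != "ip"
                or parts[2] not in ("permit", "deny") or parts[6] != "any"):
            raise ValueError(f"unsupported ACL line: {line!r}")
        base = int(ipaddress.IPv4Address(parts[4]))
        wildcard = int(ipaddress.IPv4Address(parts[5]))
        acls.setdefault(int(parts[1]), []).append((parts[2], base, wildcard))
    return acls


def acl_permits(entries, host):
    """First matching entry wins; no match means the implicit deny applies."""
    addr = int(ipaddress.IPv4Address(host))
    for action, base, wildcard in entries:
        care = ~wildcard & 0xFFFFFFFF  # bits set in the wildcard are ignored
        if (addr & care) == (base & care):
            return action == "permit"
    return False


def audit(acls, rules, network):
    """Return (assignment, problems) for every host address in `network`.

    assignment: host -> the single translated source its traffic will use.
    problems:   host -> list of matching rules when that list is not length 1.
    """
    assignment, problems = {}, {}
    for host in ipaddress.ip_network(network).hosts():
        matches = [t for number, t in rules if acl_permits(acls[number], host)]
        if len(matches) == 1:
            assignment[str(host)] = matches[0]
        else:
            problems[str(host)] = matches
    return assignment, problems


if __name__ == "__main__":
    assignment, problems = audit(parse_acls(ACL_TEXT), RULES, "10.10.10.0/24")
    print(f"{len(assignment)} hosts map to exactly one NAT rule")
    for host, matches in problems.items():
        print(f"AMBIGUOUS or UNTRANSLATED {host}: {matches}")
```

A host that appears in `problems` with an empty list would leave the router untranslated, and one with two entries would not be guaranteed to keep its intended public address.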

queueing and policing

Question:

I have a basic question on which I need help from you guys. My understanding is that when we configure policing instead of shaping, there is no queueing and scheduling in the picture. These two are valid only when we configure shaping. Is my understanding correct, or am I missing anything?

Answer:

Policing does not buffer traffic, and so it cannot use SW queueing for managing it.
This means that in hierarchical QoS setups the parent policy is a shaper that invokes a child that is a scheduler.

However, SW-based queueing can still be associated to the physical interface even if policing is configured.
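The difference described in the answer above, as an added example that is not part of the original thread: a single-rate token-bucket policer and a shaper are fed the same constructed burst, and only the shaper ends up holding packets in a queue that a child scheduler could reorder. The rate, burst size, packet sizes and queue limit are assumed values, and the model is a simplification rather than the IOS implementation.

```python
"""Added example: token-bucket policer vs. shaper on the same traffic."""

# Constructed input: six 500-byte packets arriving back to back, one later.
ARRIVALS = [(0.0, 500)] * 6 + [(3.0, 500)]   # (arrival time in s, bytes)
RATE_BPS = 8000                              # 1000 bytes per second
BURST_BYTES = 1000                           # bucket depth


def police(arrivals, rate_bps, burst_bytes):
    """Policer: a packet either conforms and leaves at once, or is dropped.

    There is no buffer, so there is nothing for a queueing policy to schedule.
    Returns (sent, dropped) as lists of (time, size).
    """
    rate = rate_bps / 8.0
    tokens, last = float(burst_bytes), 0.0
    sent, dropped = [], []
    for t, size in arrivals:
        tokens = min(burst_bytes, tokens + (t - last) * rate)  # refill
        last = t
        if size <= tokens:
            tokens -= size
            sent.append((t, size))
        else:
            dropped.append((t, size))
    return sent, dropped


def shape(arrivals, rate_bps, burst_bytes, queue_limit):
    """Shaper: non-conforming packets wait in a FIFO until tokens accrue.

    Assumes every packet is no larger than burst_bytes. Packets are tail
    dropped only when `queue_limit` packets are already waiting.
    Returns (departures, dropped); departures are (arrival, departure, size).
    """
    rate = rate_bps / 8.0
    tokens, clock = float(burst_bytes), 0.0   # bucket level as of `clock`
    departures, dropped = [], []
    for t, size in arrivals:
        waiting = sum(1 for _, d, _ in departures if d > t)
        if waiting >= queue_limit:
            dropped.append((t, size))
            continue
        start = max(t, clock)                 # FIFO: wait for the packet ahead
        tokens = min(burst_bytes, tokens + (start - clock) * rate)
        wait = max(0.0, (size - tokens) / rate)
        tokens = tokens + wait * rate - size
        clock = start + wait
        departures.append((t, clock, size))
    return departures, dropped


def max_delay(departures):
    """Longest time any packet spent buffered in the shaper."""
    return max(d - a for a, d, _ in departures)


if __name__ == "__main__":
    sent, lost = police(ARRIVALS, RATE_BPS, BURST_BYTES)
    print(f"policer: {len(sent)} sent, {len(lost)} dropped, 0 s queueing delay")
    out, lost = shape(ARRIVALS, RATE_BPS, BURST_BYTES, queue_limit=10)
    print(f"shaper:  {len(out)} sent, {len(lost)} dropped, "
          f"max delay {max_delay(out)} s")
```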

Sunday, July 21, 2013

plug HWIC-1FE on 1941 router running

Question:

Please, I want to know if I can plug an HWIC-1F into a Cisco 1941 router without shutting it down?

Thank you a lot in advance

Answer:

Power must be removed from the system while installing cards.

For further details, please read the Cisco documentation:

http://www.cisco.com/en/US/docs/routers/access/interfaces/ic/hardware/installation/guide/inst_ic.html#wp1037332

Thursday, July 18, 2013

Cisco Routers and logging

Question:

We currently use Sonicwall firewalls on our sites. On these there are logs that enable us to track bandwidth usage per IP address, which can then be linked to MAC address and machine. We are looking at alternatives to Sonicwalls and have narrowed it down, including the Cisco 887VAW. Can anyone tell me what sort of logs the 887 has, and can we do something similar on them?

Answer:

I am not aware of anything in the syslog capabilities of the 877 that would give you bandwidth usage per IP address. You may be able to achieve your requirements by using NetFlow. The NetFlow records do report source and destination IP address and amount of traffic sent and received. With an appropriate device to receive the NetFlow records and analyze them you should be able to get reports of bandwidth per IP address.

Wednesday, July 17, 2013

IP static route summary query 3.

Question:

In my lab environment in GNS I have connected two 7200 series routers through FastEthernet. On router A I have given IP address 192.168.10.54 and on router B I have given IP address 192.168.10.53, with a default route of 0.0.0.0 0.0.0.0 192.168.10.53. When I run the command on router A it shows the result as follows: "C  192.168.10.52/24 is directly connected ,Fast ethernet 2/0".

So I need to know why it's showing .52 at the end, and not .53 or .54. What is the reason it's showing .52, which I have not mentioned in my IP address?

Answer:

Then that's the correct thing you are seeing. I showed this to you in my previous update:

If you are using the /30 then the subnet would be displayed.


R1(config)#int f1/0
R1(config-if)#ip address 192.168.10.54 255.255.255.252

R1#show ip route
     192.168.10.0/30 is subnetted, 1 subnets
C       192.168.10.52 is directly connected, FastEthernet1/0 <<<< 52 is displayed.

In your scenario:
===========

10.255.222.52 is the subnet, followed by the host IDs (10.255.222.53 and 10.255.222.54 will be the two hosts which can be on the .52 subnet), hence it only shows you .52 in the routing table.

Details on your subnet below:

http://www.subnet-calculator.com/subnet.php?net_class=A


internet access problem with ipsec & nat

Question:

I have the following problem.

Situation:
- one main location M, with ASA5510 (v8.3) which has many (about 100) ipsec tunnels to remote locations. Local subnet is 172.16.254.0/24
- some of these remote locations have the same subnet, let's say there are 2 locations which use 192.168.1.0/24
- for one such location (let's call it A), I create a 'virtual subnet' 192.169.1.0/24 which is a static NAT in the router at the location: ip nat inside source static network 192.168.1.0 192.169.1.0 /24 no-alias. This location has a Cisco 881 router.

The problem is that with this NAT configuration, internet traffic on the location A is not possible.

Question: what is the best way to solve this?

dot11 syslog
ip cef
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto ipsec transform-set ipsec_tun_cybercenter esp-3des esp-md5-hmac
!
crypto map CMAP 1 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ipsec_tun_cybercenter
 match address 105
!
ip ssh version 2
!
interface ATM0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 2/32
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description LAN Interface
 ip address 192.168.1.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 no ip mroute-cache
!
interface Dialer0
 ip address negotiated
 ip access-group 106 out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username kpn password 7 082A5C40
 crypto map CMAP
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static network 192.168.1.0 192.169.1.0 /24 no-alias
!
access-list 101 deny   ip 192.169.1.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 101 permit ip 192.169.1.0 0.0.0.255 any
access-list 105 permit ip 192.169.1.0 0.0.0.255 172.16.254.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run

Answer:

"ip nat inside source static network 192.168.1.0 192.169.1.0 /24 no-alias"

Perhaps you can try with a policy NAT (static NAT + route-map) to let NAT kick in only for IPsec.

Let us know if it can solve the issue.

Tuesday, July 16, 2013

why external ospf routes not redistributed into BGP

Question:

We have here R1, R2 and R3 that are in OSPF 1 area 0.
We have eBGP sessions from R1 to BGP1 and R2 to BGP2.
We have a default route in R1 and R2 pointing to the FW (172.17.1.4) that is propagated with default-info originate in OSPF and BGP too.
Behind the firewall there is a subnet 10.166.245.0/24 and there is a static route: 10.166.245.0 255.255.255.0 172.17.1.4 tag 1000

Typically the config from R1 or R2 is:

!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets route-map CONNECTED-2-OSPF
 redistribute static subnets route-map STATIC-2-OSPF
 redistribute bgp 65000 subnets route-map BGP-2-OSPF
 passive-interface default
 no passive-interface FastEthernet0/0
 network 2.2.2.0 0.0.0.255 area 0
!
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 network 0.0.0.0
 redistribute ospf 1 route-map OSPF-2-BGP
 neighbor 2.2.2.2 remote-as 65000
 neighbor 2.2.2.2 soft-reconfiguration inbound
 neighbor 10.10.10.1 remote-as 7000
 neighbor 10.10.10.1 soft-reconfiguration inbound
 default-information originate
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 172.17.1.4
ip route 10.166.245.0 255.255.255.0 172.17.1.4 tag 1000
!
route-map STATIC-2-OSPF permit 10
 match tag 1000
!
route-map CONNECTED-2-OSPF permit 10
 match interface Vlan4
!
route-map BGP-2-OSPF permit 10
 set tag 50
!
route-map OSPF-2-BGP deny 10
 match tag 50
!
route-map OSPF-2-BGP permit 20
 match route-type internal external
!

Everybody knows that by default only internal OSPF routes are redistributed into BGP, but here I wanted to redistribute the external ones too with a route-map.
But no success. In the BGP table of R1 and R2, there is 10.166.245.0/24 route !!!

I have a doubt: is it only the OSPF routes that are in the routing table that can be redistributed, OR the routes in the OSPF database?

How can I redistribute this static "10.166.245.0 255.255.255.0 172.17.1.4 tag 1000" into OSPF and then automatically to BGP?

The deal is:
no redistribution of static routes directly to BGP
no "network 10.166.245.0 mask 255.255.255.0" command under BGP.
no changing the admin distance of static routes to greater than 110.

Answer:

Generally, you would need the
router bgp 65000
 redistribute ospf 1 match internal external 1 external 2 route-map OSPF-2-BGP
command, used to redistribute both internal and external OSPF routes to BGP.

See http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800943c5.shtml#redistributionofospfinternalandexternalroutesintobgp
for details.

But as you describe, in your case the prefix is configured as a static one on your router.
So no matter if redistributed to OSPF or not, it is still treated as static by your router.
If you want to redistribute it to BGP, you need to redistribute static routes (with a route-map permitting only this single prefix, if necessary).

I think there is a good reason for this IOS behavior - otherwise routing and redistribution loops could be created easily.

Sunday, July 14, 2013

IP SLA and Object Tracking for default route on Nexus 7010


Question:

I've searched the forums and haven't found anything relevant, but forgive me if this is a duplicate question already answered. We have a Nexus 7010 running version 6.1(2).

I'd like to use IP SLAs and object tracking to define static routes for specific source/destination traffic across some WAN links we have. I've done this in IOS and it's worked fantastically, but I've not found where/how to do this on the Nexus 7010 platform (or any Nexus platform) as of yet. I could have sworn that this was going to be introduced in the 6.x code? Below is an example of how we do this in the IOS world:

track 11 ip sla 1 reachability
 delay down 15 up 15
!
ip sla 1
 icmp-echo 2.2.2.2 source-ip 1.1.1.1
 frequency 5
ip sla schedule 1 life forever start-time now
!
ip route 0.0.0.0 0.0.0.0 1.1.1.2 track 11
ip route 0.0.0.0 0.0.0.0 3.3.3.3 254

Essentially this gives us the option of using a "failover" default route. I've attached a basic diagram to help explain what we are trying to do with IP SLAs and object checking. The tracking should be configured against an SLA that uses ICMP and the static routes should be configured against the tracking.

If this post answers your question or is helpful, please consider rating it and/or marking as answered.

Answer:

The good news is, there is an IP SLA feature with udp-echo available since 6.1(1), and object tracking is available right from the start.
http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/IPSLA/configuration/guide/b_Cisco_Nexus_7000_Series_NX-OS_IP_SLAs_Configuration_Guide_rel_6.x.html

However, there is bad news as well: you cannot track IP SLAs to date.

If you are one of those scripting and programming guys I'm sure you could tinker something with EEM, but out of the box I believe there is no possibility to do route selection based on SLA reachability. While many features have been added lately, the N7k remains a true datacenter switch...

Wednesday, July 3, 2013

A binding already exists for X.X.X.X ---- Help


Question:

I need some help please. I have a core switch 4507; it is configured to support DHCP server for the users and printers.
I'm using many DHCP pools, and I have some pools only providing a single IP address for some networking devices like printers.
Below is the configuration for one printer:

ip dhcp pool MyCompany_Konica_Minolta_4
host 10.0.88.166 255.255.255.0
client-identifier 0100.206b.8801.99
dns-server 192.168.3.9 192.168.2.59

The question is: after we replaced the network card for the printer, I tried to change the settings for the "client-identifier 0100.206b.8801.99"
to replace the old MAC address with the new one. After I remove the old command and try to add it with the new settings, I'm getting the error below:

A binding already exists for 10.0.88.166

I checked the ARP list and the binding list but I didn't find anything related to that IP?

Please, I need some help to change it to be dedicated to that printer?

Answer:

Okay, that's strange...
Could you do a show run | inc 10.0.88.166 please?

If anything, please try deleting the whole DHCP reservation and re-adding it like this:

no ip dhcp pool MyCompany_Konica_Minolta_4
!
ip dhcp pool MyCompany_Konica_Minolta_4
  host 10.0.88.166 255.255.255.0
  client-identifier 0100.206b.8801.99
  dns-server 192.168.3.9 192.168.2.59

Hope this helps.

Please rate useful posts and remember to mark any solved questions as answered. Thank you.

RV082 IPSEC VPN missing 50% packets


Question:

We have two offices connected using Site-to-Site VPN (IPSEC) as shown:
(IPs are fictitious)

Office 1 - We had to use 2 routers since we have a range of valid IPs:

Router A: RV082
WAN: 200.215.XXXX.XXX
LAN: 187.103.200.17/29

Router B: RV082
WAN: 187.103.200.19/29 (connected to LAN above)
LAN: 192.168.102.1/24

Office 2 - We use just one router with single IP:

Router C: RV 082
WAN: 189.100.100.66
LAN: 192.168.104.1/24

Both connected using VPN Site to Site IPSEC.

1. From a host in office 2 we normally ping 192.168.102.1 (gateway at office 1)
2. But when pinging a host inside office 1 (eg: 192.168.102.8) 50% of packets have been lost.

Could it be a hardware problem?

All of them are running latest firmware
v4.2.1.02 (Jan 18 2012 14:10:55)

Answer:

Wrong forum, post in "small business - routers". You can move your posting using the actions panel on the right.

Monday, July 1, 2013

Traffic shaping / policing inbound traffic


Question:

I have a host with a 20mb MPLS connection, with several remotes all with single T1 MPLS connections.

I have my interesting traffic being tagged with my desired DSCP values (I can confirm this with show policy-map int ...). Currently I'm only tagging my Citrix traffic EF, AF41, AF42, 21, my management (ssh, telnet, tftp) into 21, and allowing most everything else to fall into the default-class.

The issue I am running into is from a remote site: if I download a file from my host it completely saturates my T1, and my traffic tagged EF or AF41 and AF42 suffers. My file transfer is being tagged as default-class. If I send the file out to my host, the shaping works as expected and my higher priority traffic isn't affected.

Most of the examples I've found are for two locations with the same speed, and traffic shaping seems like it would work much easier, but because my host has so much more bandwidth, it never even slows down. Is policing the correct thing to do at each remote: give my default class a very low CIR, but allow BE to the full T1 bandwidth? Or is there something more graceful, since this is a private MPLS connection?

Answer:

Sounds like you also need to apply some egress shaping/policing from the host towards the spokes.

I have attached a good example from Ask the Expert.