Friday, August 30, 2013

Cisco 819 lost everything on flash, but is still working? Please help

Question:

System image file is "flash:c800-universalk9-mz.SPA.152-4.M1.bin"

Cisco C819HG+7-K9 (revision 3.0) with 492620K/31667K bytes of memory.

cisco819#sh flash:
-#- --length-- -----date/time------ path
1     50833244 Feb 29 1984 00:01:00 +00:00 c800-universalk9-mz.SPA.152-4.M1.bin

209338368 bytes available (50835456 bytes used)

cisco819#

The Cisco site says that the latest image for my router should be the one loaded right now...
It's working, but I am unable to see certain things in Cisco Configuration Professional, e.g. Cellular 0.
I tried to downgrade, which resulted in something like "Unsigned image found, Bailing out"; then I had to do a tftpdnld to recover the latest IOS from Cisco.
Stupid me, I did not take a backup before it was too late.
Anyway, I did make it work again, but here comes my question:

When I did the tftpdnld it told me that everything was erased, but I had no other way...
After a successful tftpdnld I rebooted and amazingly I had internet again.

The strange thing is... I have a running-config if I ssh to it, but according to my flash: there is only my IOS .bin.
How is that working?
Does anyone know where the latest working image can be found? Because Cisco states that the one right now is the right one, but still I can't see Cellular 0 in CCP.
But it's actually the one making me able to write to this site right now.
BR Anders Bramsen

Answer:

>> When I did the tftpdnld it told me that everything was erased, but I had no other way...
>> After a successful tftpdnld I rebooted and amazingly I had internet again.

This is because the configuration on Cisco routers is not stored in the FLASH memory but rather in a different place (and chip) called the NVRAM memory. The reason for this is historical: FLASH memory can be rewritten only a limited number of times and therefore it was not suitable to hold the startup-config file, which can be rewritten frequently. Your FLASH memory may really have been erased by the tftpdnld command, but that did not damage your configuration stored in NVRAM. Try using the dir nvram: command to see its contents.

In order to download images for your Cisco router, you need to have a valid support contract. Cisco does not publish IOS images for free access.

For more info, http://switch.2329893.n4.nabble.com/3900-router-td14.html

Thursday, August 29, 2013

ip forward-protocol udp echo

Question:

I was looking for documentation to explain "ip forward-protocol udp echo"; however, I receive info on everything except for the actual "echo" portion. Essentially I am trying to find out if I need it or not.

Answer:

I do not believe you need it, but reading here you will figure it out:

http://en.wikipedia.org/wiki/Echo_Protocol

Original comes from http://switch3560.drupalgardens.com/

Wednesday, August 28, 2013

OSPF: 2 BDRs

Question:

Can anyone explain to me why, in my network topology where OSPF is running, I have 2 BDR routers instead of 1 BDR and one DROTHER?

On the DR router I have the following output:

CENTRE#show ip ospf neighbor


Neighbor ID     Pri   State           Dead Time   Address         Interface
172.16.10.150     1   FULL/BDR        00:00:31    192.168.10.1    FastEthernet0/0
172.16.10.50      1   FULL/BDR        00:00:33    192.168.10.10   FastEthernet0/1

Answer:

A DR/BDR is elected for each multiaccess network, not for the network as a whole. You have two FastEthernet interfaces and hence (at least) two multiaccess networks. On each of these networks, a DR and a BDR must be elected. That is why you see two BDRs: each of them serves a different multiaccess network. This is normal.
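To make the per-segment election concrete, here is an added example (not code from the original thread) that models a simplified OSPF DR/BDR election for each multiaccess segment a router is attached to and prints rows in the shape of show ip ospf neighbor. The router ID of CENTRE (172.16.10.200) and all priorities are constructed assumptions; the neighbour IDs and interface names are taken from the question.

```python
"""Added example (not from the original thread): a minimal model of the OSPF
DR/BDR election, showing why a router with two multiaccess interfaces sees
two BDR neighbours. Topology details below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Router:
    router_id: str   # dotted-quad OSPF router ID, compared numerically
    priority: int    # interface priority; 0 means never eligible


def _rid_key(rid: str) -> tuple:
    # Compare router IDs octet by octet, not as strings ("200" must beat "50").
    return tuple(int(octet) for octet in rid.split("."))


def elect_dr_bdr(routers):
    """Elect (DR, BDR) on ONE multiaccess segment.

    Simplified RFC 2328 section 9.4 for a cold start (nobody already claims
    DR/BDR): highest priority wins, ties broken by highest router ID.
    Priority 0 routers are not eligible. Returns router IDs (or None).
    """
    eligible = [r for r in routers if r.priority > 0]
    eligible.sort(key=lambda r: (r.priority, _rid_key(r.router_id)), reverse=True)
    dr = eligible[0].router_id if eligible else None
    bdr = eligible[1].router_id if len(eligible) > 1 else None
    return dr, bdr


def neighbor_states(segments, me):
    """Rows like `show ip ospf neighbor` on router `me`: (neighbor id, state, interface).

    `segments` maps a local interface name to the routers on that segment.
    The election runs independently per segment, which is the whole point.
    """
    rows = []
    for iface, routers in segments.items():
        dr, bdr = elect_dr_bdr(routers)
        for r in routers:
            if r.router_id == me:
                continue
            if r.router_id == dr:
                state = "FULL/DR"
            elif r.router_id == bdr:
                state = "FULL/BDR"
            else:
                state = "FULL/DROTHER"
            rows.append((r.router_id, state, iface))
    return rows


# Constructed topology modelled on the question: CENTRE has two FastEthernet
# interfaces, each on its own segment with exactly one other router.
CENTRE = "172.16.10.200"   # assumed router ID, chosen so CENTRE wins both elections
SEGMENTS = {
    "FastEthernet0/0": [Router(CENTRE, 1), Router("172.16.10.150", 1)],
    "FastEthernet0/1": [Router(CENTRE, 1), Router("172.16.10.50", 1)],
}

if __name__ == "__main__":
    for rid, state, iface in neighbor_states(SEGMENTS, CENTRE):
        print(f"{rid:16} {state:14} {iface}")
```

With only two routers per segment the runner-up is always the BDR, so CENTRE sees FULL/BDR on both interfaces; put three routers on one segment and the third becomes DROTHER.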

Thursday, August 15, 2013

BGP Multihoming ISP level redundancy

Question:

I want to go for ISP level redundancy, with dual internal Internet routers. Public IP range is a /23. I want BGP announcement of my discrete address block (e.g. /24) to their peers, in addition to the entire aggregated prefix (e.g. /23).

However I have only 2800 series routers with RAM of 768 MB (512+256).

Can you please suggest how should I proceed?

Answer:

You need to use a route-map applied outbound to the eBGP neighbor to perform AS path prepending selectively.
The route-map is ISP-specific.

border router 1:

! prefix-list entries need an action; IP_OUT (not shown) lists all prefixes you advertise
ip prefix-list SECOND-ROUTE seq 5 permit 4.4.5.0/24
!
! clause 10: prepend the /24 that ISP2 should be preferred for
route-map toISP1 permit 10
 match ip address prefix-list SECOND-ROUTE
 set as-path prepend 100 100 100
!
! clause 20: everything else in IP_OUT goes out unchanged (no clause = not advertised)
route-map toISP1 permit 20
 match ip address prefix-list IP_OUT
!
router bgp 100
 no neighbor 1.1.1.1 prefix-list IP_OUT out
 neighbor 1.1.1.1 route-map toISP1 out

In the same way for border router 2:

ip prefix-list FIRST-ROUTE seq 5 permit 4.4.4.0/24
!
route-map toISP2 permit 10
 match ip address prefix-list FIRST-ROUTE
 set as-path prepend 100 100 100
!
route-map toISP2 permit 20
 match ip address prefix-list IP_OUT
!
router bgp 100
 no neighbor 2.2.2.2 prefix-list IP_OUT out
 neighbor 2.2.2.2 route-map toISP2 out

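The following is an added example, not code from the thread, that models the outbound route-map logic of border router 1 in plain Python so the selective prepending can be checked before it is typed into a router: a prefix-list with first-match semantics and an implicit deny, route-map clauses evaluated in sequence order, and a deliberately simplified ISP-side best-path choice (shortest AS path wins). The prefixes and AS 100 come from the thread; the IP_OUT contents, the ISP AS numbers and the best-path model are assumptions.

```python
"""Added example (not from the original thread): a model of the selective
AS-path-prepend route-map, to confirm only the intended /24 is prepended
toward ISP1 while the aggregate and the other /24 go out untouched.
The ISP-side comparison below is a simplified model, not full BGP best-path."""
import ipaddress

LOCAL_AS = 100


def prefix_list_matches(entries, prefix):
    """IOS-style prefix-list: entries are (action, network); the first exact
    match decides, and a prefix matching nothing is denied (implicit deny)."""
    target = ipaddress.ip_network(prefix)
    for action, net in entries:
        if ipaddress.ip_network(net) == target:
            return action == "permit"
    return False


def apply_route_map(route_map, prefix_lists, prefix, as_path):
    """Evaluate route-map clauses (seq, prefix_list_name, prepend_list) in
    sequence order. The first permit clause whose prefix-list matches returns
    the exported AS path (with any prepend); no match means the prefix is not
    advertised at all, which is what IOS does with an unmatched route-map."""
    for _seq, pl_name, prepend in sorted(route_map, key=lambda clause: clause[0]):
        if prefix_list_matches(prefix_lists[pl_name], prefix):
            return list(prepend) + list(as_path)
    return None


def advertise(route_map, prefix_lists, prefixes):
    """Return {prefix: AS path as sent to the neighbor} for local prefixes."""
    exported = {}
    for prefix in prefixes:
        path = apply_route_map(route_map, prefix_lists, prefix, [LOCAL_AS])
        if path is not None:
            exported[prefix] = path
    return exported


def isp_best_path(candidates):
    """Simplified best-path from an ISP's point of view: candidates are
    (label, as_path); the shortest AS path wins, ties go to the first seen."""
    return min(candidates, key=lambda c: len(c[1]))


# Constructed configuration mirroring border router 1 in the thread.
PREFIX_LISTS = {
    "SECOND-ROUTE": [("permit", "4.4.5.0/24")],
    # assumed contents of IP_OUT: the aggregate plus both /24s
    "IP_OUT": [("permit", "4.4.4.0/23"), ("permit", "4.4.4.0/24"), ("permit", "4.4.5.0/24")],
}
ROUTE_MAP_TO_ISP1 = [
    (10, "SECOND-ROUTE", [100, 100, 100]),   # prepend the /24 ISP2 should carry
    (20, "IP_OUT", []),                      # everything else unchanged
]
LOCAL_PREFIXES = ["4.4.4.0/23", "4.4.4.0/24", "4.4.5.0/24", "10.0.0.0/8"]

if __name__ == "__main__":
    for prefix, path in advertise(ROUTE_MAP_TO_ISP1, PREFIX_LISTS, LOCAL_PREFIXES).items():
        print(f"{prefix:14} AS path toward ISP1: {' '.join(map(str, path))}")
```

Note that 10.0.0.0/8 is silently dropped because no clause matches it; that is the behaviour to remember when replacing a neighbor prefix-list with a route-map, as the answer's config does.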

Wednesday, August 14, 2013

Can't ping with BGP in GNS3 lab environment

Question:

Here is a section of my BGP lab inside GNS3:
My issue is not being able to ping anything on R5 from R2, even though R2 is receiving the routes from R5 and has placed them in its routing table.
Thanks in advance for any help or advice!

-Steve

**********************************

R2#sho ip bgp
BGP table version is 5, local router ID is 10.1.96.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
* i150.1.50.0/24    10.1.36.2                0    700      0 777 711 911 ?
*>                  10.1.24.2                              0 777 911 ?
* i150.2.50.0/24    10.1.36.2                0    700      0 777 711 911 ?
*>                  10.1.24.2                              0 777 911 ?
* i200.50.2.0       10.1.36.2                0    700      0 777 711 i
*>                  10.1.24.2                              0 777 911 711 i
* i200.60.2.0       10.1.36.2                0    700      0 777 711 i
*>                  10.1.24.2                              0 777 911 711 i


R2#sho ip route

Gateway of last resort is not set

B    200.50.2.0/24 [20/0] via 10.1.24.2, 00:23:17
B    200.60.2.0/24 [20/0] via 10.1.24.2, 00:23:17
     10.0.0.0/24 is subnetted, 3 subnets
C       10.1.12.0 is directly connected, Serial0/0
C       10.1.24.0 is directly connected, Serial0/2
C       10.1.96.0 is directly connected, Serial0/1
     150.1.0.0/24 is subnetted, 1 subnets
B       150.1.50.0 [20/0] via 10.1.24.2, 00:23:17
     150.2.0.0/24 is subnetted, 1 subnets
B       150.2.50.0 [20/0] via 10.1.24.2, 00:23:17

R2#ping 150.1.50.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.50.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


R2#trace 150.1.50.1

Type escape sequence to abort.
Tracing the route to 150.1.50.1

  1 10.1.24.2 52 msec 44 msec 24 msec
  2  *  *  *

        ^ so the ping makes it to the next AS but stops there

R2#sho run
Building configuration...

Current configuration : 1183 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip domain name lab.local
!       
!
!
interface Serial0/0
ip address 10.1.12.2 255.255.255.0
clock rate 64000
!
interface Serial0/1
ip address 10.1.96.2 255.255.255.0
clock rate 64000
!
interface Serial0/2
ip address 10.1.24.1 255.255.255.0
clock rate 64000
!       
router bgp 5500
no synchronization
bgp log-neighbor-changes
neighbor 10.1.12.1 remote-as 5500
neighbor 10.1.12.1 next-hop-self
neighbor 10.1.24.2 remote-as 777
neighbor 10.1.96.1 remote-as 5500
no auto-summary
!
!
!
no ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login

Answer:

You will need to enable some sort of internal routing protocol on your routers if they are in the same AS, or configure static routing between them if they are in different autonomous systems.

You can refer to the following link for more information about the BGP configuration:

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a008009456d.shtml#directlyconnected



DR and BDR election process

Question:

I'm having 4 ethernet switches: Sw1, Sw2, Sw3 and Sw4. Sw1 is the DR, Sw2 is the BDR, and Sw3 and Sw4 are configured as DROther. Sw3 sends a message to Sw1, which is the DR, that it is going down. Unfortunately, Sw1 also goes down when it receives the message from Sw3. So will Sw2, which is the BDR, come to know that Sw3 is down? Please reply.

Answer:


There are probably things in your post that I am not understanding fully, but it seems to be a fairly simple question. Routers in OSPF continue to send hello messages to indicate that they are still active members of the network. If Sw3 goes down and stops sending hello packets, then Sw2 will detect that Sw3 is down.

Sunday, August 11, 2013

txload 255/255 but no traffic

Question:
I am experiencing a strange problem with an ASR1002 router that I just installed. This is a point-to-point link. The link is working, but for some reason the txload on interface g0/0/0 shows 255/255 even though there is no traffic going over to this router.

Thanks in advance for any suggestions !!!

Please see the interface status below for both routers.

Router#sh int gi0/0/3
GigabitEthernet0/0/3 is up, line protocol is up
  Hardware is 4XGE-BUILT-IN, address is a493.4c98.db03 (bia a493.4c98.db03)
  Description: "100Mbps LINK"
  Internet address is 10.172.20.110/30
  MTU 9100 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 255/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  Full Duplex, 100Mbps, link type is auto, media type is T
  output flow-control is on, input flow-control is on
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:46:49, output 00:00:29, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 7000 bits/sec, 4 packets/sec
  5 minute output rate 5000 bits/sec, 2 packets/sec
     17890 packets input, 9074660 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 7503 multicast, 0 pause input
     10137 packets output, 2803120 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out
Router#
-------------------------------------------------------------------------------------------------------------------------------------------------------------
RP/0/RSP0/CPU0:ASR-9010#sh int Gi0/0/0/13
Tue Oct 30 11:32:10.104 ist
GigabitEthernet0/0/0/13 is up, line protocol is up
  Interface state transitions: 11
  Hardware is GigabitEthernet, address is 18ef.63e8.6ce7 (bia 18ef.63e8.6ce7)
  Description: "100Mbps , Gi0/0/0/13"
  Internet address is 10.172.20.109/30
  MTU 9114 bytes, BW 100000 Kbit (Max: 100000 Kbit)
     reliability 253/255, txload 0/255, rxload 0/255
  Encapsulation ARPA,
  Full-duplex, 100Mb/s, THD, link type is force-up
  output flow control is off, input flow control is off
  loopback not set,
  ARP type ARPA, ARP timeout 04:00:00
  Last input 00:00:00, output 00:00:00
  Last clearing of "show interface" counters 22w6d
  30 second input rate 3000 bits/sec, 0 packets/sec
  30 second output rate 8000 bits/sec, 3 packets/sec
     665819 packets input, 159562042 bytes, 5896 total input drops
     1 drops for unrecognized upper-level protocol
     Received 21 broadcast packets, 99558 multicast packets
              350 runts, 1154 giants, 0 throttles, 0 parity
     5895 input errors, 2545 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     2154457 packets output, 748147945 bytes, 0 total output drops
     Output 14647 broadcast packets, 1490193 multicast packets
     0 output errors, 0 underruns, 0 applique, 0 resets
     0 output buffer failures, 0 output buffers swapped out
     11 carrier transitions

Answer:

This is due to the known defect -

CSCtw90305  
Show interface X/Y returns output with counter txload 255/255

which was duplicated to CSCtr15153.

Please use the Bug Toolkit and verify whether your IOS is affected or not.
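A quick way to tell a cosmetic counter bug from real saturation is to recompute the load from numbers the same output gives you: txload and rxload are the 5-minute (IOS) or 30-second (IOS XR) rates scaled to 0..255 against the configured BW. Here is an added example, not from the thread, that parses the two show interface outputs above (trimmed to the relevant lines) and flags a load value that disagrees with the rates; the tolerance value is an assumption.

```python
"""Added example (not from the original thread): recompute txload/rxload from
the reported rates and bandwidth in `show interface` output and flag values
that cannot be right, such as txload 255/255 beside a 5 kbit/s output rate.
Sample text is trimmed from the outputs quoted in the question."""
import re

IOS_XE_SAMPLE = """\
GigabitEthernet0/0/3 is up, line protocol is up
  MTU 9100 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 255/255, rxload 1/255
  5 minute input rate 7000 bits/sec, 4 packets/sec
  5 minute output rate 5000 bits/sec, 2 packets/sec
"""

IOS_XR_SAMPLE = """\
GigabitEthernet0/0/0/13 is up, line protocol is up
  MTU 9114 bytes, BW 100000 Kbit (Max: 100000 Kbit)
     reliability 253/255, txload 0/255, rxload 0/255
  30 second input rate 3000 bits/sec, 0 packets/sec
  30 second output rate 8000 bits/sec, 3 packets/sec
"""


def parse_interface(text):
    """Pull bandwidth, load counters and rates out of show interface text.
    Works for both the IOS/IOS XE and the IOS XR layouts shown above."""
    def grab(pattern):
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"field not found: {pattern}")
        return int(match.group(1))

    return {
        "bw_bps": grab(r"BW (\d+) Kbit") * 1000,
        "txload": grab(r"txload (\d+)/255"),
        "rxload": grab(r"rxload (\d+)/255"),
        "in_bps": grab(r"input rate (\d+) bits/sec"),
        "out_bps": grab(r"output rate (\d+) bits/sec"),
    }


def expected_load(rate_bps, bw_bps):
    """Load as IOS reports it: rate / bandwidth scaled to 0..255 and capped."""
    return min(255, round(rate_bps * 255 / bw_bps))


def check_loads(text, tolerance=2):
    """Return (field, reported, expected) for each load counter that differs
    from the value implied by the rates by more than `tolerance` (assumed
    slack for rounding and sampling windows). An empty list means consistent."""
    fields = parse_interface(text)
    problems = []
    for field, rate in (("txload", fields["out_bps"]), ("rxload", fields["in_bps"])):
        expected = expected_load(rate, fields["bw_bps"])
        if abs(fields[field] - expected) > tolerance:
            problems.append((field, fields[field], expected))
    return problems


if __name__ == "__main__":
    for name, sample in (("ASR1002 side", IOS_XE_SAMPLE), ("ASR9010 side", IOS_XR_SAMPLE)):
        print(name, check_loads(sample) or "loads consistent with rates")
```

On the ASR1002 output the reported txload of 255 should be 0 given 5000 bit/s on a 100 Mbit/s interface, which is exactly the mismatch the defect describes; the ASR9010 side checks out.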

Thursday, August 8, 2013

NAT DNS payload replacement. Very funny, Cisco.

Question:

ip nat inside source list bunch_of_hosts pool some_pool overload
ip nat inside source static 10.10.10.10 91.91.91.91 no-payload


there is a DNS record:

some_host.some.domain     IN     A     91.91.91.91

from host in bunch_of_hosts list:

$ dig some_host.some.domain @8.8.8.8

;;ANSWER SECTION:
some_host.some.domain     IN     A     10.10.10.10

Whose idea was that? How do I disable it??


Clarification: the DNS server hosting some.domain is NOT inside our network. It's a completely different organisation, and their DNS gives the right answer when asked from outside this NAT setup.

Answer:


Can you try using these commands? They should stop IOS rewriting the DNS contents as part of its NAT ALG.

no ip nat service alg tcp dns

no ip nat service alg udp dns
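To see what the ALG is doing to the reply, here is an added example (not code from the thread and not Cisco's implementation) that builds a one-answer DNS response for some_host.some.domain, walks its records with the usual compression-pointer handling, and applies a model of the outside-to-inside NAT DNS ALG: any A record carrying an outside global address from the static mapping is rewritten to the inside local address, exactly the 91.91.91.91 to 10.10.10.10 substitution seen in the dig output. The alg_enabled flag stands in for the no ip nat service alg udp dns command; the DNS message itself is constructed here.

```python
"""Added example (not from the original thread): a minimal model of the NAT
DNS ALG rewriting A records in a reply crossing from outside to inside,
reproducing the rewritten answer in the question. Illustrative model only,
built from the DNS wire format; not Cisco's code."""
import ipaddress
import struct


def encode_name(name):
    """Encode a dotted name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_a_reply(name, addr, txid=0x1234, ttl=300):
    """Build a single-answer DNS response. The answer name is a compression
    pointer (0xC00C) back to the question name, as real resolvers emit."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA
    question = encode_name(name) + struct.pack("!HH", 1, 1)      # type A, class IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
    return header + question + answer + ipaddress.IPv4Address(addr).packed


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def a_records(msg):
    """Yield (rdata_offset, IPv4Address) for every A record after the question."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off, ipaddress.IPv4Address(msg[off:off + 4])
        off += rdlen


def nat_dns_alg(msg, static_map, alg_enabled=True):
    """Model of the outside->inside direction: A records whose address is an
    outside global in `static_map` are rewritten to the inside local address.
    With the ALG disabled (no ip nat service alg udp dns) the payload passes
    through untouched."""
    if not alg_enabled:
        return msg
    buf = bytearray(msg)
    for off, addr in a_records(msg):
        inside = static_map.get(str(addr))
        if inside:
            buf[off:off + 4] = ipaddress.IPv4Address(inside).packed
    return bytes(buf)


def answer_addresses(msg):
    """Convenience: the A record addresses in a reply, as strings."""
    return [str(addr) for _, addr in a_records(msg)]


# Constructed to mirror the thread: static NAT 10.10.10.10 <-> 91.91.91.91
STATIC_NAT = {"91.91.91.91": "10.10.10.10"}
REPLY = build_a_reply("some_host.some.domain", "91.91.91.91")

if __name__ == "__main__":
    print("from the DNS server:", answer_addresses(REPLY))
    print("after the ALG:      ", answer_addresses(nat_dns_alg(REPLY, STATIC_NAT)))
    print("ALG disabled:       ", answer_addresses(nat_dns_alg(REPLY, STATIC_NAT, alg_enabled=False)))
```

The rewrite only ever touches A records whose address appears in the translation table, which is why answers for unrelated hosts come through unchanged and why the symptom is easy to miss until a host resolves a name that happens to point at one of your own public addresses.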

Wednesday, August 7, 2013

QoS (dscp-to-exp mutation) on Sup-2T/Cat6500

Question:

I ran into an interesting issue on Sup-2T. As you probably know, the QoS CLI is changed on this new supervisor. I'm looking to translate incoming DSCP-marked packets into EXP-marked on egress.

Now, according to documentation - Catalyst 6500 Release 15.0SY Software Configuration Guide - this functionality is still called mutation-map and is configured under 'platform qos map exp-mutation'. The problem is quite simple – there is no 'platform qos map exp-mutation' on 2 different machines I checked upon. Here:


Some-6513(config)#platform qos ?
  10g-only           qos pure 10G mode
  aggregate-policer  Named aggregate policer
  marking            marking keyword
  police             police keyword
  protocol           protocol keyword
  queueing-only      queueing-only (no QoS rewrite,  no policing)
  rewrite            packet qos rewrite enable/disable                 
  statistics-export  qos statistics data export

What do you think I'm missing?

Answer:

The command is hidden, as far as I know because it is not supported and replaced by "table-maps". If you press enter after "platform qos map" it will say incomplete command, so it's still there but hidden.

You could use the "table-map" command instead and "show table-map" to verify the config. Details in the guide below:




Tuesday, August 6, 2013

Cisco 3945 Router not detecting VWIC3-2MFT-T1/E1 Voice Card

Question:

We have installed a VWIC3-2MFT card on a Cisco 3945 voice gateway but the router doesn't detect the card. Output is as below.
What could be the issue?

Router Version
============
System image file is "flash0:c3900-universalk9-mz.SPA.150-1.M.bin"


Cisco CISCO3945-CHASSIS (revision 1.0) with C3900-SPE150/K9 with 980992K/67584K bytes of memory.
Processor board ID FCZ135070YF
2 FastEthernet interfaces
3 Gigabit Ethernet interfaces
DRAM configuration is 72 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
254464K bytes of ATA System CompactFlash 0 (Read/Write)

-------------------------------------------------
Device#     PID              SN
-------------------------------------------------
*0       C3900-SPE150/K9       FOCxxxxxxJJ   

Technology Package License Information for Module:'c3900'

----------------------------------------------------------------
Technology    Technology-package          Technology-package
              Current       Type          Next reboot
-----------------------------------------------------------------
ipbase        ipbasek9      Permanent     ipbasek9
security      None          None          None
uc            uck9          Permanent     uck9
data          None          None          None

"show diag" output
===============

WIC Slot 1:
Unknown WAN daughter card
WIC module not supported/disabled in this slot
Hardware Revision        : 1.0
Top Assy. Part Number    : 800-34658-01
Part Number              : 73-13420-01
Board Revision           : B0
Deviation Number         : 0
Fab Version              : 05
PCB Serial Number        : FOC16323KSC
Version Identifier       : V01
Product (FRU) Number     : VWIC3-2MFT-T1/E1

Answer:

VWIC3-2MFT-T1/E1 requires minimum IOS version 15.0(1)M3.



Monday, August 5, 2013

ppp auth failed with ms-chap-v2

Question:

I'm trying to connect to an ISP with the PPPoE method using Cisco 861 equipment. On the other side is a Cisco 3845 BRAS.
The session fails at the authentication phase. The authentication protocol chosen by the routers is ms-chap-v2. CHAP is supported also.
So here is a debug:

Jan  3 14:27:38 MSK: %DIALER-6-BIND: Interface Vi1 bound to profile Di1
Jan  3 14:27:38 MSK: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
22:27:40: Vi1 PPP: Sending cstate UP notification
22:27:40: Vi1 PPP: Processing CstateUp message
22:27:40: AAA/BIND(00000B0C): Bind i/f Virtual-Access1
22:27:40: PPP: Alloc Context [844DF258]
22:27:40: ppp810 PPP: Phase is ESTABLISHING
22:27:40: ppp810 PPP: Using AAA Unique Id = B0C
22:27:40: AAA/BIND(00000B0C): Bind i/f Virtual-Access1
22:27:40: AAA/AUTHOR (00000B0C): Method list id=0 not configured. Skip author
22:27:40: Vi1 PPP: Authorization NOT required
22:27:40: Vi1 PPP: Using dialer call direction
22:27:40: Vi1 PPP: Treating connection as a callout
22:27:40: Vi1 PPP: Session handle[C300003C] Session id[810]
22:27:40: Vi1 LCP: Event[OPEN] State[Initial to Starting]
22:27:40: Vi1 LCP: O CONFREQ [Starting] id 1 len 15
22:27:40: Vi1 LCP:    AuthProto CHAP (0x0305C22305)
22:27:40: Vi1 LCP:    MagicNumber 0x981EF7EB (0x0506981EF7EB)
22:27:40: Vi1 LCP: Event[UP] State[Starting to REQsent]
22:27:40: Vi1 LCP: I CONFREQ [REQsent] id 1 len 19
22:27:40: Vi1 LCP:    MRU 1492 (0x010405D4)
22:27:40: Vi1 LCP:    AuthProto MS-CHAP-V2 (0x0305C22381)
22:27:40: Vi1 LCP:    MagicNumber 0x903962FB (0x0506903962FB)
22:27:40: Vi1 LCP: O CONFNAK [REQsent] id 1 len 8
22:27:40: Vi1 LCP:    MRU 1500 (0x010405DC)
22:27:40: Vi1 LCP: Event[Receive ConfReq-] State[REQsent to REQsent]
22:27:40: Vi1 LCP: I CONFACK [REQsent] id 1 len 15
22:27:40: Vi1 LCP:    AuthProto CHAP (0x0305C22305)
22:27:40: Vi1 LCP:    MagicNumber 0x981EF7EB (0x0506981EF7EB)
22:27:40: Vi1 LCP: Event[Receive ConfAck] State[REQsent to ACKrcvd]
22:27:40: Vi1 LCP: I CONFREQ [ACKrcvd] id 2 len 19
22:27:40: Vi1 LCP:    MRU 1500 (0x010405DC)
22:27:40: Vi1 LCP:    AuthProto MS-CHAP-V2 (0x0305C22381)
22:27:40: Vi1 LCP:    MagicNumber 0x903962FB (0x0506903962FB)
22:27:40: Vi1 LCP: O CONFACK [ACKrcvd] id 2 len 19
22:27:40: Vi1 LCP:    MRU 1500 (0x010405DC)
22:27:40: Vi1 LCP:    AuthProto MS-CHAP-V2 (0x0305C22381)
22:27:40: Vi1 LCP:    MagicNumber 0x903962FB (0x0506903962FB)
22:27:40: Vi1 LCP: Event[Receive ConfReq+] State[ACKrcvd to Open]
22:27:40: Vi1 PPP: Queue CHAP code[1] id[1]
22:27:40: Vi1 PPP: Phase is AUTHENTICATING, by both
22:27:40: Vi1 CHAP: O CHALLENGE id 1 len 27 from "ppp009"
22:27:40: Vi1 CHAP: Redirect packet to Vi1
22:27:40: Vi1 MS-CHAP-V2: I CHALLENGE id 1 len 23 from "r1"
22:27:40: AAA/AUTHEN/PPP (00000B0C): Pick method list ' Permanent Local'
22:27:40: Vi1 PPP: Sent MSCHAP_V2 SENDAUTH Request
22:27:40: Vi1 LCP: State is Open
22:27:40: Vi1 PPP: Received SENDAUTH Response FAIL
22:27:40: Vi1 MS CHAP V2: Using hostname from interface CHAP
22:27:40: Vi1 MS CHAP V2: Using password from interface CHAP
22:27:40: Vi1 MS-CHAP-V2: O RESPONSE id 1 len 60 from "ppp009"
22:27:40: Vi1 MS-CHAP-V2: I SUCCESS id 1 len 46 msg is "S=56927B5B36EA40071200B1BE5C285D2B3F3F3E8E"
22:27:40: Vi1 MS CHAP V2 No Password found for : r1
22:27:40: Vi1 MS CHAP V2 Check AuthenticatorResponse Success for : ppp009
22:27:40: Vi1 LCP: I TERMREQ [Open] id 3 len 4
22:27:40: Vi1 PPP DISC: Received LCP TERMREQ from peer
22:27:40: Vi1 PPP: Sending Acct Event[Down] id[B0C]
22:27:40: PPP: NET STOP send to AAA.
22:27:40: Vi1 PPP: Phase is TERMINATING
22:27:40: Vi1 LCP: O TERMACK [Open] id 3 len 4
22:27:40: Vi1 LCP: Event[Receive TermReq] State[Open to Stopping]
Jan  3 14:27:38 MSK: %DIALER-6-UNBIND: Interface Vi1 unbound from profile Di1
22:27:40: Vi1 PPP: Block vaccess from being freed [0x10]
Jan  3 14:27:38 MSK: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
22:27:40: Vi1 PPP: Sending cstate DOWN notification
22:27:40: Vi1 PPP: Processing CstateDown message
22:27:40: Vi1 LCP: Event[CLOSE] State[Stopping to Closing]
22:27:40: Vi1 LCP: Event[DOWN] State[Closing to Initial]
22:27:40: Vi1 PPP: Clearing AAA Unique Id = B0C
22:27:40: Vi1 PPP: Unlocked by [0x10] Still Locked by [0x0]
22:27:40: Vi1 PPP: Free previously blocked vaccess
22:27:40: Vi1 PPP: Phase is DOWN

Dialer interface config

interface Dialer1
description PPPoE
ip address negotiated
ip access-group fire in
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp encrypt mppe auto
ppp authentication chap
ppp chap hostname ppp009
ppp chap password 7 XXXXXXXXXXXXXXXXXXXXXX
ppp ms-chap-v2 refuse
ppp pap sent-username ppp009 password 7 XXXXXXXXXXXXXXXXXXXXXXXXX
no cdp enable
crypto map VPNMAP

Username and password are correct, as I tried a broadband connection on a nearby Win7 workstation with these credentials.
So, I have several other locations connected to this ISP, but the routers used there are manufactured by HP (MSR series). They don't support ms-chap-v2, only chap, and I think that's the root of this issue. They can negotiate chap and authenticate with it.
Cisco 861 for some reason chooses ms-chap-v2, despite the "ppp ms-chap-v2 refuse" command.

How can chap authentication be forced in this case?
Or why does ms-chap-v2 fail?

I managed to get debug from ISP side:

059781: Dec 21 10:21:23.848 CET: ppp466 PPP: Using vpn set call direction
059782: Dec 21 10:21:23.848 CET: ppp466 PPP: Treating connection as a callin
059783: Dec 21 10:21:23.848 CET: ppp466 PPP: Session handle[82000AD7] Session id[466]
059784: Dec 21 10:21:23.856 CET: ppp466 PPP: Authorization required
059785: Dec 21 10:21:23.864 CET: ppp466 MS-CHAP-V2: O CHALLENGE id 1 len 23 from "r1"
059786: Dec 21 10:21:23.876 CET: ppp466 CHAP: I CHALLENGE id 1 len 27 from "ppp009"
059787: Dec 21 10:21:23.876 CET: ppp466 CHAP: Waiting for Peer to authenticate first
059788: Dec 21 10:21:23.896 CET: ppp466 MS-CHAP-V2: I RESPONSE id 1 len 60 from "ppp009"
059789: Dec 21 10:21:23.900 CET: ppp466 PPP: Sent MSCHAP_V2 LOGIN Request
059790: Dec 21 10:21:23.940 CET: ppp466 PPP: Received LOGIN Response PASS
059791: Dec 21 10:21:23.976 CET: Vi46 MS-CHAP-V2: O SUCCESS id 1 len 46 msg is "S=64EBEE1CB11DA3C76487BA5CED517D6B8EA9745D"
059792: Dec 21 10:21:23.980 CET: Vi46 CHAP: Unable to authenticate for peer


and config:

interface Virtual-Template1
mtu 1492
ip unnumbered Loopback1
no ip redirects
ip flow ingress
ip flow egress
ip virtual-reassembly max-reassemblies 512
no logging event link-status
no peer default ip address
ppp authentication ms-chap-v2 chap
end

Answer:


Can you please try removing the ppp authentication chap command from your Dialer1 interface? With this command, you are requesting the ISP to authenticate to you, which is not usually done. It is possible that the ISP is not willing to authenticate to you and drops the connection as a result.

MPLS or VPN

Question:

We are using both Internet and MPLS connectivity to the DC. My question is how to figure out whether a user is connecting to the internal network through VPN over the Internet or through the MPLS cloud.

Answer:


The easiest way is to check the source IP: if it's connecting via VPN, the source IP will normally be within a VPN address pool.

Friday, August 2, 2013

Which IOS is for Router 7606 to accept FWSM?

Question:

I need to put a FWSM and a line card WS-X6148A-GE-TX into a router 7606. The FWSM version is 3.2(13). The router is running IOS 12.1(18)SXD3. The Cisco document here says the required IOS for router 7606 is 12.2(18)SXF or higher. I have downloaded the IOS 12.2(33)SRD4 and loaded it to the flash card. When I turn the router on, it doesn't load the new IOS and goes to rommon.

Can you advise which IOS I should use to make the router 7606 work and accept the FWSM.

Answer:

If the document says that the IOS version must be 12.2(18)SXF or higher to support the FWSM function, please follow the IOS upgrade steps in order to get the router to load the new IOS image which you have already put in the flash.

Thursday, August 1, 2013

Dual MPLS BGP EIGRP Design Validation, Please suggest..

Question:

Need your inputs on the attached two design options. Which one is better, and is there any kind of issue with the second scenario (Diag2)?

We have basically multiple sites which will connect to two MPLS service providers in any to any communication.

EBGP between CE and PE Routers with both Service Providers. IBGP between CE1 and CE2 Router on a back to back physical link.
EIGRP as internal routing protocol. Redistribution will be configured between BGP to EIGRP.
Load sharing will be done on both providers using AS path prepending and Local Preference.
Tagging and route-maps will be used while redistributing from BGP to EIGRP to stop propagation of these routes again to the BGP cloud.
AS path access-list allowing only local AS routes to BGP (do I still need this if I am using tags in the BGP - EIGRP redistribution?)

Do you see any issues in this design?
Are we following current best practices?

Out of the two options for connecting Core Switches with WAN Routers, I will need additional module on Routers with the first option, Second option also looks redundant and utilizing only three interfaces on Routers. Do you see any potential issue with second option (Diag2)?

Looking for your valuable suggestions..

Answer:

There are some notes that may be useful about your design and the different topology options.

We see that design option 1 has the cross-over direct links between WAN router CEi and core switch j with i <> j; design 2 misses these cross-over direct links.
Design option 1 provides link redundancy in the EIGRP routing domain and fault tolerance to a single link fault for these additional links.

Design option 2 can be improved if EIGRP is activated on the CE1 to CE2 direct link. If this is done the EIGRP domain achieves redundancy and fault tolerance to single link fault. So this is the first suggestion.

Looking at the whole routing plane we can see that design option 1 still has an advantage over design option 2: it allows true load balancing from the point of view of a single core switch in reaching the remote site IP subnets. It is enough that the two CE routers redistribute BGP routes into EIGRP with the same seed metric to achieve this. Until both CE routers advertise the same IP subnet with the same seed metric, each core router sees two equal cost paths, one via CE1 and MPLS SP1 and one via CE2 and MPLS SP2.

This load balancing over both MPLS clouds cannot be achieved by design option 2, even with EIGRP enabled on the CE-to-CE link, as each core router will prefer the directly connected CE router because of the way the EIGRP metric works, also for external EIGRP routes.
In order to achieve load balancing over both MPLS clouds the core switch should support GLBP on client-facing VLANs. This would lead to some clients using core switch 1 as default gateway and others using core switch 2.
GLBP may or may not be supported on the core multilayer switches.

So if the design objective is to use both MPLS clouds in load sharing and GLBP cannot be used, design option 1 is to be preferred, but the direct link CE to CE might be removed under certain conditions.
More on this later.

Let's see if the complexity of the solution in the routing plane can be reduced.

Redistribution of BGP into EIGRP is needed unless a full mesh iBGP is built between CE1, CE2, core switch1, core switch2. So we consider this a needed part.

My understanding from your notes is that you are performing mutual redistribution, that is you are also redistributing EIGRP into BGP.

>> Tagging and Route-maps will be used while redistibuting from BGP to EIGRP to stop propagation of these routes again to BGP cloud.

If the number of EIGRP routes is not high (< 200), EIGRP routes can be injected into BGP by simply using the network command under router bgp, and this is a great simplification as it removes the need for mutual redistribution.

So the second suggestion is to consider the use of the BGP network command instead of redistribution of EIGRP into BGP in the smaller sites that have not so many local routes.

The last point to discuss is the role of the iBGP session between CE routers.

Each CE router connects to a different MPLS SP cloud. If all sites are multihomed to both MPLS SP1 and MPLS SP2 different strategies are possible:

a) total separation between the two clouds:
the iBGP session is not needed at all; in this case each SP cloud is stand-alone. If one remote site link to SP1 fails, the remote site IP subnets will be reachable via SP2 and CE1 will stop injecting the routes into EIGRP in the local site.
The design is still fault tolerant to a single link or node fault, and load balancing may be performed in normal conditions.
This is a good choice for remote sites.

b) interconnection between the two VPNs in the central site and/or selected sites:
In this case the iBGP session provides a backup path via SP2 to those remote sites that are only connected to SP1.
The event that can be covered with this design is site K, only connected to SP1, being able to communicate with site M, only connected to SP2. This is a double fault that might happen.
The iBGP session on the central site and/or remote site can cover this case by propagating routes between SP1 and SP2 via the CE routers of the central site / selected sites.

So in my opinion the iBGP session is useful only when you want to implement strategy b).

And this leads again to the fact that the direct link between CE routers may be removed, saving the addition of a network module.

>> AS path access-list allowing only local AS routes to BGP (Do I still need this if I am using tags in BGP - EIGRP Redist.?

Until you have the iBGP session if you want to keep the two clouds separated (strategy a) you need the AS path filtering, because the iBGP session provides the leakage on the routing plane between SP1 and SP2 clouds.
The route-maps with tags apply only to redistribution of EIGRP into BGP and do not provide filtering on BGP routes passed to an eBGP peer.

The AS path filtering should be removed or modified to allow route propagation between SP1 and SP2 clouds.

However, if the choice is this one (strategy b), it can be implemented only on the central site or selected sites; it is not needed in all sites, which saves on complexity.