
Tuesday, November 26, 2013

Issues with voice over the GRE tunnel, in some instances causing the EIGRP adjacency to drop


We have a remote site that has a 100Mbps internet bearer with a 10Mbps CIR. This site has a GRE over IPSec connection back to our HQ, which has a 100Mbps internet connection. We are running EIGRP over the GRE tunnel for internal prefixes only; internet traffic routes over the remote site's local internet connection. Traffic shaping has been configured at 10Mbps on the remote site's tunnel interface and on the hub site's physical interface.

1. The problem that we are facing: when a remote site user downloads data from the internet, they congest the physical interface on the remote site router, which causes issues with voice over the GRE tunnel and in some instances causes the EIGRP adjacency to be torn down because of dropped hellos. We have looked at configuring inbound policing on the remote site physical interface, but this doesn't really help because the bandwidth is already utilized when traffic hits the interface.

2. What is the best method to control this?  As we can’t control the internet bandwidth at the remote site we were thinking of pushing all traffic over the GRE tunnel and breaking internet traffic out via the hub, then configure shaping in the opposite direction to control bandwidth utilization.

1. Yes, inbound downstream policing does have the problem you note. However, if inbound traffic is rate-adaptive (e.g. TCP), severe policing can help. Or you can shape outbound TCP ACKs. Neither, though, works as well as egress shaping.

2. Yes, that generally works well.  Don't forget to continue to shape from the hub to the spoke.  Also, such bandwidth caps are generally L2 values and I believe Cisco shapers don't account for all L2, so you need to shape slower than your nominal bandwidth.


Another alternative is to obtain an inexpensive DSL or cable modem link for local Internet access and reserve your other link for just VPN traffic.




Citation - This blog post does not reflect original content from the author. Rather, it summarizes content relevant to the topic from different sources on the web. The sources might include online discussion boards, forums, websites and others.

Sunday, November 24, 2013

What are the procedures for adding new switches to the production?

We have three core switches and 8 access switches.
We configured VTP on two core switches with the same VTP configuration.

Q1: Which one will act as the server?

Q2: What is the use of transparent mode in production? Is there any use for this?
Q3: Suppose we want to add a new switch to the same production network; what is the procedure?
Q4: Where is all the VLAN information stored, and in what format?

1. All switches act as a server by default. However, the switch with the higher revision number will propagate its VLANs to the other switches in the same VTP domain (show vtp status).


2. If the switch is in transparent mode, the configuration revision number resets to 0; it does not participate in VTP, and it does not stop VLAN propagation from the server to the other switches.

3. Change the VTP mode to transparent (which resets the revision number to 0), connect it to the existing network, and then change it to client so that it receives the VLAN database from the server.

4. The VLANs are stored in vlan.dat (the VLAN database), which is normally found in flash.


Wednesday, November 20, 2013

How to configure new class maps in a policy map that is already defined?


We have created a class-map, a policy-map and a service-policy on the interface gig0/0 to block msn-messenger.
We are going to be creating more class-maps to block the other applications (peer-to-peer programs and some web pages), but we are not sure how to apply them to the interface we want.

1. Does a single interface support multiple service-policies commands?

2. Should we configure the new class-maps that we are going to define into the same policy-map that is already defined?

1. Yes, you can have one input and one output service-policy per interface. So the best thing is to define multiple class maps in the same policy.

2. Yes, you might. You might also define multiple match statements within the same class-map. Or, if a match statement is invoking an ACL, that ACL could have multiple statements. It all depends on what your match requirements are.

Remember within the policy map, class maps are processed sequentially until a class is matched.  Within a class map, match statements are also processed sequentially, but whether the process stops on an individual match statement depends on whether the class-map is using match-any or match-all.

Also keep in mind, depending on your platform, class map match statements might allow NBAR matching which can examine packets beyond just port numbers.  For example, TCP port 80 is normally used by HTTP, but the port might be used for something else or HTTP might use a different port number.  "Match protocol http", I believe, should look for HTTP statements within the packet, i.e. it should match (or not) regardless of the port being used.



Problem in configuring the TACACS server - How can we configure IP TACACS source address?


On our router, two IP addresses are configured as shown below, and we are not able to configure the TACACS server due to a source address issue: we can only configure a source interface, which takes the source IP address 192.168.11.25. Please let us know if there is any config where we can set the IP TACACS source address to 192.168.7.55 instead of using the source interface.

interface FastEthernet0/0
description # CONNECTED TO LAN #
ip address 192.168.7.55 255.255.255.0 secondary
ip address 192.168.11.25 255.255.255.0

When you set up a source interface, it will always take the primary address as the source. You can set up another IP address on a loopback interface, but you wouldn't be able to use the 192.168.7.0/24 subnet on the loopback as it's already used as a secondary on the LAN interface.

You could set up a loopback interface that references the host like:

int lo1
ip address 10.10.7.7 255.255.255.255

You'd have to set this up for routing so the TACACS server could get to it, but those are a couple of options. The other option is to swap the two addresses if you need them both on the LAN interface.




Friday, November 15, 2013

Monitor and identify traffic on the Gigabit Interface



We need to monitor and identify the traffic on the WAN GigabitEthernet0/3 interface. Recently, after some changes to our network, we discovered that our traffic to the outside world via this link has doubled from 150-200 to 350 MB/sec (we use MRTG for bandwidth); we suspect something is looping in the network. That is why I want to trace what is going through Gig0/3 in and out (mostly out). What are the suggestions on how to track down and identify what is causing such a big spike in the outbound bandwidth?

While replicating the port seems to be a good tool, I'm not sure that any laptop with a packet tracer can handle 300 Mb/s of traffic. But what are the suggestions?


Router Specs:

cisco 7204VXR (NPE-G1) processor (revision B) with 983040K/65536K bytes of memory.
Processor board ID 18281405
SB-1 CPU at 700MHz, Implementation 1, Rev 0.2, 512KB L2 Cache
4 slot VXR midplane, Version 2.0

Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.

PCI bus mb1 (Slots 1, 3 and 5) has a capacity of 600 bandwidth points.
Current configuration on bus mb1 has a total of 400 bandwidth points.
This configuration is within the PCI bus capacity and is supported.

PCI bus mb2 (Slots 2, 4 and 6) has a capacity of 600 bandwidth points.
Current configuration on bus mb2 has a total of 90 bandwidth points.
This configuration is within the PCI bus capacity and is supported.

Please refer to the following document "Cisco 7200 Series Port Adaptor
Hardware Configuration Guidelines" on Cisco.com <http://www.cisco.com>
for c7200 bandwidth points oversubscription and usage guidelines.


2 FastEthernet/IEEE 802.3 interface(s)
3 Gigabit Ethernet/IEEE 802.3 interface(s)
1 ATM network interface(s)
509K bytes of non-volatile configuration memory.

As a starting point you may be able to spot the top talkers by enabling ip accounting on the interface.

conf t
!
interface gi0/3
ip accounting output-packets
!
end


show ip account


This will build a table of bytes and packets sent from source IP addresses to destination IP addresses.

Something like this:

router_10.64.7.2#show ip account

   Source           Destination              Packets               Bytes
 172.17.110.208   172.17.110.223               25                  2500
 10.64.7.26       172.17.111.59                13                  1092


To turn it off:

conf t
!
interface gi0/3
no ip accounting output-packets
!
end

Along with this, enable NetFlow to get more detailed information.
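As an added example (not part of the original answer), a small Python parser that turns the show ip accounting table above into a top-talker list and flags any single source/destination pair that dominates the link, which is the first thing to check when a loop or runaway host is suspected. The sample output is constructed, not captured from the router in the post.

```python
import re
from collections import defaultdict

# Constructed sample of "show ip accounting" output (not captured from the
# router in the post): the two rows shown above plus a few made-up flows.
SAMPLE_OUTPUT = """\
router_10.64.7.2#show ip accounting
   Source           Destination              Packets               Bytes
 172.17.110.208   172.17.110.223               25                  2500
 10.64.7.26       172.17.111.59                13                  1092
 10.64.7.26       172.17.110.223              980               1470000
 10.64.7.26       10.64.7.1                 41200              61800000
 172.17.110.208   10.64.7.1                    12                   960
Accounting data age is 0
"""
# One data row: dotted-quad source, dotted-quad destination, packets, bytes.
# The prompt, the header and the "Accounting data age" trailer never match.
ROW_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})"
                    r"\s+(\d+)\s+(\d+)\s*$")

def parse_accounting(text):
    """Return (src, dst, packets, bytes) tuples from show ip accounting text."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            src, dst, pkts, nbytes = m.groups()
            rows.append((src, dst, int(pkts), int(nbytes)))
    return rows

def top_talkers(rows, n=3):
    """Sum packets and bytes per source address and return the n biggest senders."""
    per_src = defaultdict(lambda: [0, 0])
    for src, _dst, pkts, nbytes in rows:
        per_src[src][0] += pkts
        per_src[src][1] += nbytes
    ranked = sorted(per_src.items(), key=lambda kv: kv[1][1], reverse=True)
    return [(src, p, b) for src, (p, b) in ranked[:n]]

def dominant_pairs(rows, share=0.5):
    """Flag source/destination pairs carrying more than `share` of all bytes;
    one pair swallowing most of the link is where to look first."""
    total = sum(r[3] for r in rows) or 1
    return [(s, d, round(b / total, 3)) for s, d, _p, b in rows if b / total > share]
```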


iBGP, next-hop inaccessible, no routes installed.


Trying to set up a new border gateway but the iBGP routes are not being installed and next hop is inaccessible. I use loopback interfaces and update-source. Am I missing something obvious?

Router 1 is ISR 2821, 12.4
Router 2 is 7301, 12.3

## Gets all prefixes, but they are not installed in the routing table; the next hop is inaccessible.

rtr2#show ip bgp 8.8.8.8
BGP routing table entry for 8.8.8.0/24, version 0
Paths: (1 available, no best path)
  Not advertised to any peer
  33885 15169
    84.246.88.35 (inaccessible) from 100.100.0.1 (195.67.149.10)
      Origin IGP, metric 10, localpref 80, valid, internal

## No bgp routes in table
rtr2#show ip route | inc B
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
rtr2#



## config router 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
100.100.0.2     4        39302      21   77340 291227447    0    0 00:17:30        0

interface Loopback0
ip address 100.100.0.1 255.255.255.255
!
!
interface GigabitEthernet0/0.27
description iBGP link
encapsulation dot1Q 27
ip address 10.255.255.1 255.255.255.0
no ip proxy-arp
!
router bgp 65535
bgp router-id 195.67.149.10
no bgp fast-external-fallover
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 100.100.0.2 remote-as 65535
neighbor 100.100.0.2 ebgp-multihop 2
neighbor 100.100.0.2 update-source Loopback0
!
address-family ipv4
no synchronization
network 100.100.0.0 mask 255.255.224.0
neighbor 100.100.0.2 activate
default-metric 1
no auto-summary
exit-address-family
!
ip route 100.100.0.2 255.255.255.255 10.255.255.2





## config router 2

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
100.100.0.1    4 65535  154518      41   943080    0    0 00:16:57   469741


interface Loopback0
ip address 100.100.0.2 255.255.255.255
!
interface GigabitEthernet0/1.27
description iBGP link
encapsulation dot1Q 27
ip address 10.255.255.2 255.255.255.0
no ip proxy-arp
no snmp trap link-status
!
router bgp 65535
bgp router-id 100.100.0.2
no bgp fast-external-fallover
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 100.100.0.1 remote-as 65535
neighbor 100.100.0.1 description router01
neighbor 100.100.0.1 ebgp-multihop 2
neighbor 100.100.0.1 update-source Loopback0
!
address-family ipv4
neighbor 100.100.0.1 activate
no auto-summary
no synchronization
exit-address-family
!
ip route 212.112.0.1 255.255.255.255 10.255.255.1

Yes, on r1 you are missing the following:
router bgp 65535
neighbor 100.100.0.2 next-hop-self
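As an added illustration (not from the original thread), a Python model of why the path is not installed: rtr2 has to resolve the advertised next hop in its own RIB, and next-hop-self on rtr1 rewrites that next hop to rtr1's loopback. The RIB contents are assumed from the posted configs, as noted in the comments.

```python
import ipaddress

# Assumed RIB of rtr2, built from the config in the post: the two connected
# networks plus a /32 static to the peer's loopback (constructed; the post
# shows the session up, so some route to 100.100.0.1 must exist).
RTR2_RIB = [
    ("C", ipaddress.ip_network("10.255.255.0/24"), None),
    ("C", ipaddress.ip_network("100.100.0.2/32"), None),
    ("S", ipaddress.ip_network("100.100.0.1/32"), ipaddress.ip_address("10.255.255.1")),
]

def lookup(rib, addr):
    """Longest-prefix match of addr against the RIB; None when nothing covers it."""
    addr = ipaddress.ip_address(addr)
    matches = [entry for entry in rib if addr in entry[1]]
    return max(matches, key=lambda e: e[1].prefixlen) if matches else None

def next_hop_accessible(rib, next_hop):
    """BGP marks a path's next hop inaccessible when no RIB entry resolves it."""
    return lookup(rib, next_hop) is not None

def advertised_next_hop(path_next_hop, advertiser_loopback, next_hop_self):
    """Next hop an iBGP speaker passes on for an eBGP-learned path: unchanged by
    default, rewritten to its own update-source address with next-hop-self."""
    return advertiser_loopback if next_hop_self else path_next_hop

def would_install(rib, path_next_hop, advertiser_loopback, next_hop_self):
    """Return (next hop as seen by the receiver, whether the path is usable)."""
    nh = advertised_next_hop(path_next_hop, advertiser_loopback, next_hop_self)
    return nh, next_hop_accessible(rib, nh)

if __name__ == "__main__":
    # The 8.8.8.0/24 path from the post: eBGP next hop 84.246.88.35 learned by rtr1.
    for nhs in (False, True):
        nh, ok = would_install(RTR2_RIB, "84.246.88.35", "100.100.0.1", nhs)
        print(f"next-hop-self={nhs}: next hop {nh} -> {'usable' if ok else 'inaccessible'}")
```

Adding a 0.0.0.0/0 entry to RTR2_RIB makes the original next hop resolve as well, which is how a default route can hide this misconfiguration until traffic is forwarded the wrong way.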

