Tuesday, July 30, 2013

RSTP - Message Age

Question:

Does anyone know, in RSTP, when a switch receives a BPDU, how the switch manipulates the Message Age timer? Does it modify the Message Age?

Answer:

In RSTP, each non-root switch receives a BPDU on its Root Port with the Message Age set to N, N >= 0. As a result, the switch itself will send out its own BPDUs with the Message Age set to N+1. A root switch sends its BPDUs with the Message Age set to 0.


WIC-4ESW upgrade on 1700 series router

Question:

For years I've had a simple NAT-based routing setup with the ISP coming into the 10BT WIC card on my 1700 and then sharing that connection out to my LAN via the integrated FastEthernet port.

I've found that my ISP has increased my connection speed to much greater than 10 Mbps (varying 15-60 Mbps) and my router has actually been bottlenecking my potential speeds in/out to the internet in this setup.

I've been thinking about purchasing a WIC-4ESW 4-port 10/100 switch interface for the router and switching up the config so that the ISP connection now comes into the integrated FastEthernet port and then sharing all 10/100 ports of the switch out to my LAN, which should increase my limit to 100 Mbps through my router to my ISP. I'd also be able to plug my network devices directly into the switch instead of the el-cheapo one I currently have on my LAN.

I know just enough to be dangerous, but I think I should be able to tweak my config to make this change. I just wanted to confirm that the WIC-4ESW would be compatible with the 1700 and that my plan will work (with a more recent IOS). Any suggestions or shortcomings I may not have thought of before I make this purchase?

Thank you!


EDIT: I've been seeing some mixed information that across interfaces on the router, a 1700 series might limit the bandwidth. Would I be able to transmit, say, 15-60 Mbps through the integrated FastEthernet0 to the WIC-4ESW and vice versa, or would speeds near 100 Mbps only be able to be transmitted within the 4 ports of the WIC-4ESW but not through the rest of the router?

Answer:

The routing performance of 1700 series is strongly below the speed of your connection. Its throughput is somewhere around 6 Mbps for 64-byte IP packets according to an internal PDF document by Cisco, and it will not go much better.

While the WIC-4ESW should be supported in your router according to the following product page:

http://www.cisco.com/en/US/products/hw/routers/ps221/products_data_sheet09186a00801c749d.html

you are not going to get any more routing performance from your router, I am afraid. This card itself is capable of high-performance Layer2 switching between its own ports but as soon as packets must be routed, the router itself will become the bottleneck.

So with this card plugged into your router, communication between the ports of this card in the same VLAN will be switched on the usual 100Mbps throughput. However, if the ports are in different VLANs and the traffic between them will need to be routed, or if the traffic needs to exit through any built-in interface of the router, the throughput will dramatically fall down.


I am not sure if this helps... but please feel welcome to discuss this further.


Sunday, July 28, 2013

Routing information protocol

Question:

I would like to know about the timeout timer in RIP. Can anybody explain this?

Answer:

Update: how often the update for a specific route must be sent (30 seconds)
Invalid: states that once an update is received for a route, how long to wait until the route is considered invalid or unreachable (180 seconds)
Hold Down: if a route gets a worse metric and is updated, the hold down timer is started. During this time no other metric for the route is accepted which is equal or worse than the current metric (180 seconds)
Flush: how many seconds, since the last valid update, until the route is deleted (240 seconds)

The Invalid and Flush timers will start/reset every time an update comes in.
When you get an update the Invalid Timer starts to count to 180 and the Flush Timer to 240 seconds. They start at the same time!
After 180 seconds of the Invalid Timer have passed, the Holddown Timer will start for 60 seconds (until the route is flushed). While this Holddown Timer runs for 60 seconds it will ignore any (even better) routes it gets advertised, to give the network time to properly converge/stabilize.

Wednesday, July 24, 2013

Load Balancing across GRE Tunnels, EIGRP

Question:

First post here and I did do a search, but didn't come up with much.

I have two GRE tunnels across 2 separate WAN links. One link is 45 Mbps and the other link is 6 Mbps. I was thinking the variance command would be the choice here (well, the only choice) since we are running EIGRP.

Below are the (edited) configs on the spokes.

First tunnel:

interface Tunnel10500
 description 45Mbps
 dampening
 bandwidth 45000
 ip address X.X.X.X
 tunnel source X.X.X.30
 tunnel mode ipsec ipv4
 tunnel destination X.X.X.29
 service-policy output SHAPING-45000

Second tunnel:

interface Tunnel10501
 description 6Mbps
 dampening
 bandwidth 6312
 ip address X.X.X.X
 tunnel source Serial0/0/0
 tunnel destination X.X.X.46
 service-policy output SHAPING-6312

This is my first project for my new job, so I obviously want to get it right. If I am missing some critical information or you need clarification on something, please do not hesitate to request it.

Thanks in advance


Answer:

If you do a sh ip route eigrp at present there should be only one path for all routes in the RIB table.

Now when you apply a variance value this will install another path into the rib, meaning you will then have two paths showing in the routing table.

The variance calculation can be done from the metric extracted from the EIGRP topology table:
P 10.170.9.24/30, 1 successors, FD is 1345280
       via 10.170.2.50 (1345280/65280), Tunnel10500, serno 72548
       via 10.170.2.56 (1688576/65280), Tunnel10501, serno 72568

1345280/1688576 = 1.25, round out to the highest value = variance 2

@Richard/Joseph
I think what I am trying to get at is, with or without the variance, CEF will default to forwarding per destination anyway. I agree deterministically if the variance is applied and a new path is now available, another src/dst could use this new path, BUT wouldn't this other src/dst always use that same path, and not load share between the two without per-packet... correct???


(by the way, in my testing I used a variance of 9)
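As an added example that is not part of the original thread, the variance check from the answer above carried out in Python on the quoted topology entry. It first applies EIGRP's feasibility condition (a path's reported distance must be lower than the successor's feasible distance), then computes the smallest variance that installs each remaining path; it also goes beyond the post by adding a constructed third path that no variance value can install. The topology text and the third path are constructed sample data, not output from the poster's routers.

```python
import re

# Constructed sample: the EIGRP topology entry quoted in the answer above.
# Inside the parentheses: (feasible distance/reported distance).
TOPOLOGY_ENTRY = """\
P 10.170.9.24/30, 1 successors, FD is 1345280
       via 10.170.2.50 (1345280/65280), Tunnel10500, serno 72548
       via 10.170.2.56 (1688576/65280), Tunnel10501, serno 72568
"""

# Constructed extra path (not on the original page): its reported distance
# (1400000) is higher than the successor's FD (1345280), so the feasibility
# condition rejects it no matter how large variance is set.
TOPOLOGY_WITH_LOOP_RISK = TOPOLOGY_ENTRY + (
    "       via 10.170.2.62 (2000000/1400000), Tunnel10502, serno 72600\n"
)

PATH_RE = re.compile(r"via\s+(\S+)\s+\((\d+)/(\d+)\),\s+([^,]+),")


def parse_paths(entry):
    """Return [(next_hop, feasible_distance, reported_distance, interface), ...]."""
    return [
        (nh, int(fd), int(rd), intf)
        for nh, fd, rd, intf in PATH_RE.findall(entry)
    ]


def plan_variance(entry):
    """Work out which paths 'variance' can install and the smallest value needed.

    EIGRP installs an extra path only if (a) its reported distance is lower
    than the successor's feasible distance (the feasibility condition, which
    is what keeps the alternate path loop-free) and (b) its own feasible
    distance is <= variance * successor FD.  Variance never overrides (a).
    """
    paths = parse_paths(entry)
    if not paths:
        raise ValueError("no 'via' lines found in topology entry")
    successor = min(paths, key=lambda p: p[1])   # lowest FD is the successor
    succ_fd = successor[1]
    plan = {"successor": successor[3], "feasible": [], "rejected": [], "variance": 1}
    for path in paths:
        if path is successor:
            continue
        _nh, fd, rd, intf = path
        if rd >= succ_fd:
            plan["rejected"].append(intf)        # fails feasibility condition
            continue
        needed = -(-fd // succ_fd)               # integer ceiling of fd / succ_fd
        plan["feasible"].append((intf, needed))
        plan["variance"] = max(plan["variance"], needed)
    return plan


if __name__ == "__main__":
    for entry in (TOPOLOGY_ENTRY, TOPOLOGY_WITH_LOOP_RISK):
        plan = plan_variance(entry)
        print(f"successor {plan['successor']}, use 'variance {plan['variance']}'")
        for intf, needed in plan["feasible"]:
            print(f"  {intf}: installed once variance >= {needed}")
        for intf in plan["rejected"]:
            print(f"  {intf}: fails feasibility condition, variance cannot install it")
```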

Still on MPLS VPN

Question:

I am trying to simulate a simple VPN network. Find below the contents of one of the VRF tables. My challenge here is that I am unable to redistribute the BGP routes in the VPN table back into the CE's routing table. A command such as:

PE1(config-router)# redistribute bgp xxx route-map yyy has not had any effect. Please give advice on how to implement this. Thanks.

*************************************************************************************************************

PE1#show ip bgp vpnv4 vrf orange
!
!
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 10000:10 (default for vrf orange)
*>i10.0.0.4/32      10.0.0.2            156160    100      0 ?
*> 10.0.0.6/32      10.255.1.2          156160         32768 ?
*> 10.255.1.0/30    0.0.0.0                  0         32768 ?
*> 10.255.2.0/24    10.255.1.2           30720         32768 ?
*>i10.255.3.0/30    10.0.0.2                 0    100      0 ?
*>i10.255.4.0/24    10.0.0.2             30720    100      0 ?
!
PE1#

**********************************************************************************************************
PE1#show ip route vrf orange
!
!
     10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
D       10.0.0.6/32 [90/156160] via 10.255.1.2, 00:15:12, FastEthernet0/1
B       10.0.0.4/32 [200/156160] via 10.0.0.2, 00:14:20
B       10.255.4.0/24 [200/30720] via 10.0.0.2, 00:14:20
C       10.255.1.0/30 is directly connected, FastEthernet0/1
B       10.255.3.0/30 [200/0] via 10.0.0.2, 00:14:20
D       10.255.2.0/24 [90/30720] via 10.255.1.2, 00:15:12,

Answer:

"PE1(config-router)# redistribute bgp xxx route-map yyy has not had any effect"

Did you use this command under the EIGRP address family? Because from config-router it looks like you did not. Also add a metric statement.

So try:

router eigrp 10000
 address-family ipv4 vrf orange
  redistribute bgp 50000 metric 1500 100 255 1 1500

Monday, July 22, 2013

Sunday, July 21, 2013

2911 Router crashes after I set the ATM interface

Question:

We bought a Cisco 2911 router with an EHWIC-VA-DSL-A card. I did the dialer setup without any problem, but if I set the ATM interface with the commands:

pvc 8/35
  pppoe-client dial-pool-number 1

the router crashes after some seconds. I didn't connect the phone line to the DSL card.

Do you guys have any clue?

Thanks in advance, Patrick


The DSL setup:

controller VDSL 0/0/0
!
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
!
interface Ethernet0/0/0
 no ip address
 shutdown
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 shutdown
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxx@xxx.ch
 ppp chap password 7 xxxxxx

And here the relevant part of the crash file:

CMD: 'interface atm 0/0/0' 12:31:10 UTC Mon Feb 4 2013
CMD: ' pvc 8/35' 12:31:17 UTC Mon Feb 4 2013
CMD: '  pppoe-client dial-pool-number 1' 12:31:18 UTC Mon Feb 4 2013
CMD: 'exit' 12:31:19 UTC Mon Feb 4 2013
CMD: 'exit' 12:31:20 UTC Mon Feb 4 2013
CMD: 'exit' 12:31:22 UTC Mon Feb 4 2013
*Feb  4 12:31:22.927: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.10.225)
CMD: 'conf t' 12:31:38 UTC Mon Feb 4 2013
CMD: 'exit' 12:31:40 UTC Mon Feb 4 2013
*Feb  4 12:31:40.439: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.10.225)
CMD: 'sh run' 12:31:42 UTC Mon Feb 4 2013
*Feb  4 12:31:43.487: %LINK-3-UPDOWN: Interface ATM0/0/0, changed state to down
validblock_diagnose, code = 15
current memory block, bp = 0x30E14F4C,
memorypool type is Processor
data check, ptr = 0x30E14F7C
next memory block, bp = 0x30E14FA0,
memorypool type is Processor
data check, ptr = 0x30E14FD0
previous memory block, bp = 0x30E14EF8,
memorypool type is Processor
data check, ptr = 0x30E14F28

*Feb  4 12:32:15.219: %SYS-3-BADFREEPTRS: Bad tail pointer 31645FCC at 2BBBB94C (head = 2BBBB960)
-Traceback= 23BB3280z 23BB3658z 23B829BCz 23B829A0z
*Feb  4 12:32:15.219: %SYS-6-MTRACE: mallocfree: addr, pc
3213D5D0,2272FE5C 3213D5D0,40000294 330232B4,2272FE34 330232B4,4000020A
33825FAC,60000042 33825EBC,23BC6E90 33825EBC,23BC67BC 33825EBC,40000060
*Feb  4 12:32:15.219: %SYS-6-MTRACE: mallocfree: addr, pc
31F06B2C,6000004E 31F06A3C,23BC6E90 31F06A3C,23BC67BC 31F06A3C,40000060
31F881E4,6000004E 31F880F4,23BC6E90 31F880F4,23BC67BC 31F880F4,40000060
*Feb  4 12:32:15.219: %SYS-6-BLKINFO: Head does not correspond to tail in empty free list blk 30E14F4C, words 18, alloc 23411344, Free, dealloc 23414C74, rfcnt 0
-Traceback= 23BB08A4z 23BB3280z 23BB3658z 23B829BCz 23B829A0z
*Feb  4 12:32:15.223: %SYS-6-MEMDUMP: 0x30E14F4C: 0xAB1234CD 0xFFFE0000 0x0 0x27DD23D4
*Feb  4 12:32:15.223: %SYS-6-MEMDUMP: 0x30E14F5C: 0x23411344 0x30E14FA0 0x30E14F0C 0x12
*Feb  4 12:32:15.223: %SYS-6-MEMDUMP: 0x30E14F6C: 0x0 0x23414C74 0x1000001 0x2C8D5414
%Software-forced reload

Software version:

Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M1
Cisco CISCO2911/K9 (revision 1.0) with 483328K/40960K bytes of memory.
Processor board ID FCZ16337DX5
1 DSL controller
1 Ethernet interface
3 Gigabit Ethernet interfaces
1 ATM interface
1 terminal line
DRAM configuration is 64 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)

License Info:
License UDI:
-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*0        CISCO2911/K9          FCZ16337DX5

Technology Package License Information for Module:'c2900'
-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      None          None           None
uc            None          None           None
data          datak9        Permanent      datak9

Answer:


While I have not dealt with this issue before, based on the output I assume that the most probable cause of this problem is either an IOS bug or a faulty RAM module - hopefully, it's the IOS. Can you perhaps try moving to a different IOS version, either downgrading to 15.1(4)M2 or upgrading to 15.2(4)M2?

Thursday, July 18, 2013

Frame Relay back-to-back

Question:

I have R1 and R2 connected by a serial link. There are two subinterfaces on each side connecting these two. How do we configure Frame Relay on these two subinterfaces without disabling keepalive?

Answer:

Just make one router a Frame Relay switch:

R1
enable
config t
frame-relay switching
int s1/0
 encapsulation frame-relay
 frame-relay intf-type dce
 no shut
int s1/0.12
 ip address 10.0.0.1 255.0.0.0
 frame-relay interface-dlci 201

R2
enable
config t
int s1/0
 encapsulation frame-relay
 no shut
int s1/0.21
 ip address 10.0.0.2 255.0.0.0
 frame-relay interface-dlci 201

Wednesday, July 17, 2013

Could someone explain which routing protocols (RIP, EIGRP, OSPF, BGP) work on which OSI layer and why? Please also confirm whether all routing protocols run on all Cisco switches.

Question:

I know BGP runs on the Application layer, but what about other routing protocols? Please also explain which routing protocol doesn't run on Cisco switches.
If possible, explain; otherwise please provide some good URL from which I can get the relevant information.

Answer:

BGP uses TCP as the underlying transport protocol and RIP uses UDP as the underlying transport protocol; however, it doesn't mean that they are on the Transport layer of the OSI model.
Similar to SMTP (email): it is also on the Application layer; however, it uses the underlying Transport layer (TCP/25).

For the 3550 switch, please find the following configuration guide, in the latest version, for the routing protocols supported on the 3550 switch:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_44_se/configuration/guide/swiprout.html


It supports all of RIP, OSPF, EIGRP and BGP.

NAT problem

Question:

I have a problem with NAT.
I have the following topology: I've got static NAT entries for each server and overload for other users.
When servers/users access the internet, or from the internet to servers, there is no issue.
The problem is when I try to reach server 192.168.1.1 via its public IP (10.10.10.2) from server 192.168.1.2 with TCP (80, 1433 etc.): it fails.
If I try to ping 10.10.10.2 from 192.168.1.2 I can get replies.

When I check the NAT translations I can see that server 192.168.1.1's IP address is NATed to 10.10.10.2 and 192.168.1.2 to 10.10.10.3.

Also, when I run debug while I try to access 10.10.10.2 with TCP packets, I can see that the packet is routed with source IP 10.10.10.3 and destination IP 10.10.10.2.

Am I missing something?



Here is the sample config:


!
interface FastEthernet0/0
ip address 10.10.10.1 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static 192.168.1.1 10.10.10.2 extendable
ip nat inside source static 192.168.1.2 10.10.10.3 extendable
!
access-list 1 permit 192.168.1.0 0.0.0.255

Answer:

You can't communicate with the outside public IP from an inside address with the old-style NAT, but normally it should work with the newer NAT NVI config and no ip redirects on both interfaces. To configure NAT NVI, just replace ip nat inside and ip nat outside by simply ip nat enable and get rid of the inside keyword in your NAT statements.

Tuesday, July 16, 2013

BGP send-community - how does it work?

Question:

I hope someone can help me understand how send-community attributes work between ISPs.

We have a multihomed internet connection with two ISPs peering with two local routers (INT-R01 and INT-R02) and we prefer ISP1 over the other. Please see the network diagram attached.

We are running iBGP between the local routers (INT-R01 and INT-R02); R01, which is peered with ISP1, has a higher local preference and R02, which is peered with ISP2, has a lower local preference.

We are sending a community attribute to ISP2 with the advertised prefixes, which they use to manipulate routing. I have also read on their website that with that community attribute they modify the local preference of the routes so that it is lower than a route received from a peer but not lower than a transit provider.

I understand that they will lower the local preference on their router so that it is not preferred, but how does ISP2 tell other ISPs not to route via their network if you are going to these specific prefixes?

Really appreciate your assistance.

Answer:

IMHO, they can manipulate BGP attributes again (AS prepending or MED, e.g.) or even use special communities agreed with their neighbor ISPs when advertising the prefixes to them.


You can use AS-path prepend and MED to influence the ISP to reach your network, and local preference if you set it on your routers for incoming routes; that will propagate through your entire AS and thus you can influence the outgoing traffic.

Sunday, July 14, 2013

2801 ethernet expansion card for uplink to Internet


Question:

FA0/0 - Internal LAN connection
FA0/1 - WAN connection

We would like to use an expansion card that we have to give us an extra FA port to connect directly to the internet and use this router as our DMZ as well.

Would there be an issue using this expansion card for this purpose?  Can anyone give me an idea of the cpu load that this may cause?  Is this even possible?  At the moment we have a second router that is connected and is acting as our DMZ but we would like to remove this router and utilise the one router for all services.

Answer:

HWIC-1FE is a routable interface port while the HWIC-4ESW is a Layer 2 switch port. As long as you have a spare HWIC slot, HWIC-1FE should work.

Wednesday, July 3, 2013

Question about RSTP & SVIs


Question:

This is something I'm looking to do on a weekend but am curious about its operation. I'm going to be creating new VLANs and will need them to be routable. Therefore, I'm going to be creating VLAN interfaces for these VLANs. Our current VLAN interfaces support multicast with the ip pim dense-mode command. They're also configured with HSRP. My theory in doing this is to configure the active HSRP host first, then the others, so that they don't have to exchange active/standby messages when the active host comes up. My question is how will adding new SVIs to my core switches affect RSTP? I'm assuming since SVIs support both L2/L3 protocols, RSTP would have to calculate for the new VLANs and properly reconverge. Is this accurate?


Answer:

Adding new SVIs won't affect anything but your layer 3 - remember these are only interfaces, not VLANs.

You need your vlans before your interfaces.

When you create VLANs on the L2/L3 switches then we might need to take a look at spanning-tree to avoid loops (although STP should work itself out) - but it's safe to check and be sure. Checking where the root bridge is and which ports are root ports, forwarding ports and blocking... will be beneficial.

When the switches first come up, they start the root switch selection process. Each switch transmits a BPDU to the directly connected switch on a per-VLAN basis.
As the BPDU goes out through the network, each switch compares the BPDU that the switch sends to the BPDU that the switch receives from the neighbors. The switches then agree on which switch is the root switch. The switch with the lowest bridge ID in the network wins this election process. This can be influenced by changing the priority (lower one wins)

You haven't stated whether your switches are using VTP in server/client configuration, or if they're in transparent mode.
I recommend having a really good understanding of your Layer 2 topology because that's probably more important than layer 3 (since layer 3 relies on layer 2 to operate).

Generally, adding a new VLAN on a switch is fine since STP will calculate for the VLAN - RSTP has much improved convergence times over STP (seconds if not milliseconds) instead of the normal STP around 30 sec, but you need to be sure about adding the VLAN to the relevant trunks. If you have manually configured which VLANs are allowed on trunks you must specify the switchport mode trunk allowed vlan add command to avoid an outage for the other VLANs.

Once you have your layer 2 in place with your VLAN created and allowed on the relevant trunks, you can then create your SVIs and implement your HSRP configuration and so on...

White paper on Rapid Spanning-Tree:
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_white_paper09186a0080094cfa.shtml

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_configuration_example09186a008009467c.shtml

Also, with regards to dense-mode for multicast there can be implications on network performance/traffic - I'd consider sparse-mode or at least sparse-dense mode. But if this dense-mode is required because multicast is used absolutely everywhere in your network then there isn't a problem with this.

Hope this helps




1841 Router Question

Question:

Does anyone know if the Cisco 1841 router has a web management interface? I have searched and searched for a way to turn it on through Telnet, but I can't find anything about it, which got me wondering if it even has an interface built in.

I have two of these I need to manage, and am basically an illiterate newbie when it comes to Telnet or CLI.

Answer:

Do you mean Cisco Security Device Manager ("Web-based device management tool embedded within the Cisco IOS Software access routers can be accessed remotely for faster and easier deployment of Cisco routers for both WAN access and security features")? If yes, then 1841 does have it.
See this guide for more details:
http://www.cisco.com/en/US/docs/routers/access/1800/1841/software/configuration/guide/1800over.html#wp44489

Router loading bootstrap from USB key


Question:

Not sure if this is the right forum to ask this.

I'm experiencing some trouble trying to get a router to boot off a bootstrap configuration on a usb key.

I have configured a bootstrap configuration (verified to be valid by manually pasting it in via CLI), saved it as a .cfg file on a USB key.

USB key (3rd party) formatted as FAT16, router can see contents (the cfg file) of key via show commands.

I pasted the below command in the router via console CLI, saved the config and rebooted.

Router(config)#  boot config usbflash0:CONFIG1.CFG

However, the router just booted normally without loading the bootstrap.

Anyone see if I'm missing something obvious?

Thanks in advance for any assistance.

Answer:

Now it clears things.

"bootstrap", in the eyes of Cisco is an executable file as part of the IOS of a router.  What you have is a "configuration" file.

Rename the file to end in "txt".  Then once you've done this, just issue the command "copy bootstrap.txt run" and the router will load the configuration you wanted into the running-config.

Then if you are happy with the changes, save the config.

NOTE: I don't recommend you copy the configuration file into the startup-config because if you make a mistake, you can't roll back.

Monday, July 1, 2013

CBAC for incoming and outgoing traffic


Question:

I have got a Cisco router connected to the internet. I want to apply CBAC. I need to give incoming access to IP xxx.xxx.xxx.xx2 port 1020 and xxx.xxx.xxx.xx3 port 1030. I don't need other access from outside.

I have the following interfaces:

FA0/0 - Connected to inside (incoming: an IP to xxx.xxx.xxx.xx2 port 1020 and xxx.xxx.xxx.xx3 port 1030; outgoing: all TCP and UDP packets; the incoming traffic goes to a WAN device)

FA0/1 - Connected to outside ISP 1 (incoming: an IP to xxx.xxx.xxx.xx2 port 1020 and xxx.xxx.xxx.xx3 port 1030); this traffic comes from this ISP link

Fa0/2 - Connected to outside ISP 1 (backup link) (incoming: an IP to xxx.xxx.xxx.xx2 port 1020 and xxx.xxx.xxx.xx3 port 1030); this traffic comes from this ISP link in the failure of the main link

Fa0/3 - Connected to outside ISP 3 - no incoming, only outgoing traffic of all TCP and UDP

Fa0/4 - Connected to outside ISP 4 - no incoming, only outgoing traffic of all TCP and UDP

How can I fulfill this requirement?

Answer:

Have you thought of ZBFW instead of CBAC?

Anyway, below is a basic CBAC setup applied to your WAN interfaces.

Note:
If you have any routing protocol between this router you will need to allow this through (e.g. like RIP - permit udp any any eq 520).
This also applies to ICMP from the outside.



ip inspect name CBAC TCP
ip inspect name CBAC UDP
ip inspect name CBAC ICMP

ip access-list extended IncomingWan
permit tcp any host x.x.x.2 eq 1020
permit udp any host x.x.x.2 eq 1020
permit tcp any host x.x.x.3 eq 1030
permit udp any host x.x.x.3 eq 1030


int x/x (outside wan)
ip access-group IncomingWan in
ip inspect CBAC out