ACS 5.3 - TACACS+ NAS IP address load balancing

Hi all

I am currently evaluating a scenario where application AAA requests are load balanced across several instances of ACS 5.3. The application delivery controller is running in L3 mode, which naturally causes the source IP address of the original packet to be replaced by a random proxy address.

As far as RADIUS is concerned, I can fully determine the originating NAS, for instance using a "Device Filter" condition. Unfortunately, ACS does not seem to offer the same option for TACACS+. According to the manual, only the real IP of the received packet is taken into account. I also came across the "NAS-address" attribute in the protocol dictionary, but it cannot be used in a custom condition either.

Does anyone happen to know how to recover the original IP address of a TACACS+ request, in order to use it in other policy services?

See you soon,

Josef

Hi Josef, this is not possible.

Tags: Cisco Security

Similar Questions

  • The order of failover and load balancing

    Hello

    I have the following scenario: an ESXi host with 4 Gbps vmnics. The questions are:

    (1) If I have a port group configured with 'Route based on the originating virtual port ID' as the load balancing policy, and for the same port group I have the 'Override switch failover order' option checked, with 3 of the vmnic adapters set as active and the remaining vmnic as unused, does ESXi use the policy I configured (in this case 'Route based on the originating port ID') to load balance between the three vmnics marked as active? Or does it use them in the order in which they appear in the active adapters section?

    (2) Suppose I configured the four physical switch ports in an EtherChannel group to use the 'Route based on IP hash' load balancing policy. In this situation, could I then configure a certain port group to use only two active adapters and the other two as unused? In this case, would ESXi balance the load using the IP hash method but only on the two active adapters? Or is it a misconfiguration and I should not configure my NIC teaming this way?

    (3) The official setup guide says "NOTE: IP hash requires the physical switch to be configured with EtherChannel. For all other options, EtherChannel must be disabled." How can I configure my virtual network if I have a few port groups whose policy uses IP hash load balancing and another that uses 'Route based on the originating port ID'? This is the case when, for example, I have two management ports using the same vSwitch with four vmnics (which are configured as an EtherChannel on the physical switch). I would have one or more port groups for virtual machines that use the IP hash load balancing method, and vmkernel ports for management that use only a single active adapter with no failback and 'Route based on the source port ID' load balancing, as best practices say.

    Now, the four vmnics are the same for all traffic. The physical switch ports must be configured in an EtherChannel group because certain port groups will use the IP hash method, but others will not. The configuration guide says I SHOULD NOT use EtherChannel if I won't use the IP hash method, but I WILL use it, only in one or more port groups.

    Maybe I should not share the same vmnics in this situation.

    Finally, a philosophical question. What is the difference between the 'Route based on the source port ID' and the 'Route based on source MAC hash' load balancing policies? What is the purpose of the second? I assume that if I had two different MAC addresses in a virtual machine, it would be because I had two different virtual NICs inside the virtual machine, which would be connected to two different port IDs in the vSwitch, so I could use the first strategy (based on the originating port ID). In other words, in which case would I have traffic entering the same vSwitch port ID but with different source MAC addresses, so that I should choose the source MAC address method to distinguish the traffic for load balancing?

    Thank you.

    Guido.

    (1) As long as you only override the vmnics and don't change the policy for this port group, it uses the policy configured at the vSwitch level and uses the 3 selected interfaces with this policy.

    (2) It should work; I don't think it's a problem for the switch to receive packets on a subset of the aggregation. I do not think that EtherChannel is supported (IIRC, it is a Cisco proprietary protocol; VMware only supports passive LACP, which corresponds to the port channel in the Cisco world). Correct me if I'm wrong!

    (3) I think that's all right; as I explained in 2), there is no special negotiation with VMware aggregation. The only important thing I know of is to configure the port channel on the switch side if you decide to use IP hash (that will lead to important questions).

    4) (self-labeled) I think it may differ in some particular cases, such as when the operating system uses the same MAC address for both NICs (in-VM aggregation) or if you advertise several MAC addresses for the same network card (ESX in a VM, for example, would do that for its VMs). Such cases affect this setting differently.

    That is the right question, and I'm curious to know if someone wants to elaborate on it!

  • ACS standard reports: need to see attribute [04] "NAS-IP-Address"

    Hello

    We have the following topology.

    NAS --> another vendor's RADIUS (proxy) --> ACS 4.0

    Auth works very well, but we have problems with the standard reports offered by ACS.

    In the Passed Authentications report we need to see the original NAS IP address, attribute [04]. The third-party RADIUS (acting as proxy) sends the attribute as expected (we checked using sniffer captures on ACS).

    What selection would allow us to see this attribute in the report?

    Thanks

    Juan

    Ahhh. I see the problem.

    The "Passed Authentications" report uses the internal ACS dictionary (which handles both RADIUS & TACACS+).

    When CSRadius writes a log entry it uses the AAA client IP address (i.e. the peer address) as the value for NAS IP rather than the actual NAS-IP-Address attribute.

    Years ago I coded this part and I don't remember why I chose to use the peer address instead of the NAS IP address. I suspect it's because in the network config you add the address of the peer and not the original device. If the passed auths log had the originating device IP, it would not match the network configuration.

    I think this can be corrected; ACS has an attribute called "Source NAS" which I think was added but never used. The CSRadius service could stuff the NAS-IP-Address in there.

    But of course I don't work for Cisco any more - so you'd have to ask them to make the change!

    Mounira

  • ACS 4.0 TACACS+ key

    Hello

    I am trying to use an ACS for switch TACACS+ authentication. I'm getting a key mismatch, but I no longer actually know where the TACACS+ key is defined on the ACS unit. How can I reset it / find where it is?

    Thank you.

    1. ACS side:

    - Connect to ACS via web browser

    - On the main menu of ACS, check the switch configuration (called AAA Client) under "Network Configuration - AAA Client".

    http://www.Cisco.com/en/us/products/sw/secursw/ps5338/products_user_guide_chapter09186a0080233613.html#wp142681

    - Check the switch details and the shared secret key. You can re-enter the same key or set a new key (without extra spaces or characters).

    - Compare with or use this key on the switch, where it is configured in the "radius-server" setting.

    - Save the config

    2. Switch:

    - Connect to the switch CLI (console/telnet/ssh)

    - Scroll down to the "radius-server key" configuration line.

    http://www.Cisco.com/en/us/products/hw/switches/ps637/products_configuration_guide_chapter09186a008007f032.html#xtocid238207

    - Delete the existing key (normally an encrypted hash). Enter the same key - no extra spaces or characters.

    - Make sure you're pointing to the ACS server/IP address

    - Do not save the config yet. Test the TACACS+ / AAA authentication to verify that the ACS server and the switch use the same / identical key.

    I hope this helps. Pls rate all useful message(s)

    AK

  • RADIUS does not populate attribute 4 (NAS-IP-Address)

    I'm trying to get a Cisco 3120G configured for RADIUS authentication.  I have a lot of other IOS devices with identical working configuration lines; however, this one gives me a hard time.  The RADIUS server policy is configured by NAS-IP-Address.  The AAA and RADIUS configuration is as follows:

    aaa new-model
    aaa authentication login default group radius local
    aaa authorization exec default group radius local

    radius-server host 10.x.x.x auth-port 1645 acct-port 1646
    radius-server source-ports 1645-1646
    radius-server key 7 XXXXXXXXXXXXXX

    See the following debug output:

    indrc3120a#
    000284: Feb 8 14:05:15.447 PST: RADIUS: Pick NAS IP for u=0x5992EF4 tableid=0 cfg_addr=0.0.0.0
    000285: Feb 8 14:05:15.447 PST: RADIUS: ustruct sharecount=1
    000286: Feb 8 14:05:15.447 PST: RADIUS: radius_port_info() success=1 radius_nas_port=1
    000287: Feb 8 14:05:15.447 PST: RADIUS(00000000): Send Access-Request to 10.x.x.x:1645 id 1645/8, len 84
    000288: Feb 8 14:05:15.447 PST: RADIUS:  authenticator 12 5E 7E DF 01 B5 F1 D8 - 40 07 09 76 88 C1 A4 C5
    000289: Feb 8 14:05:15.447 PST: RADIUS:  NAS-IP-Address      [4]   6   0.0.0.0
    000290: Feb 8 14:05:15.447 PST: RADIUS:  NAS-Port            [5]   6   2
    000291: Feb 8 14:05:15.447 PST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    000292: Feb 8 14:05:15.447 PST: RADIUS:  User-Name           [1]   13  "admin_user"
    000293: Feb 8 14:05:15.447 PST: RADIUS:  Calling-Station-Id  [31]  15  "10.y.y.y"
    000294: Feb 8 14:05:15.447 PST: RADIUS:  User-Password       [2]   18  *
    000295: Feb 8 14:05:15.505 PST: RADIUS: Received from id 1645/8 10.x.x.x:1645, Access-Reject, len 20
    000296: Feb 8 14:05:15.505 PST: RADIUS:  authenticator 4E EC 8F AB BB 8E F9 BB - 13 67 56 A3 5F F9 99 94
    000297: Feb 8 14:05:15.505 PST: RADIUS: saved authorization data for user 5992EF4 at 0

    Note the NAS-IP-Address attribute populated as 0.0.0.0.

    Another switch with an identical setup returns the following:

    tritc3120a#
    350554: Feb 8 14:11:00.916 PST: RADIUS/ENCODE(000155BC): ask "Username: "
    350555: Feb 8 14:11:10.605 PST: RADIUS/ENCODE(000155BC): ask "Password: "
    350556: Feb 8 14:11:14.480 PST: RADIUS/ENCODE(000155BC): orig. component type = EXEC
    350557: Feb 8 14:11:14.480 PST: RADIUS:  AAA Unsupported Attr: interface         [170] 4
    350558: Feb 8 14:11:14.480 PST: RADIUS:   74 74              [tt]
    350559: Feb 8 14:11:14.480 PST: RADIUS/ENCODE(000155BC): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
    350560: Feb 8 14:11:14.480 PST: RADIUS(000155BC): Config NAS IP: 0.0.0.0
    350561: Feb 8 14:11:14.480 PST: RADIUS/ENCODE(000155BC): acct_session_id: 87482
    350562: Feb 8 14:11:14.480 PST: RADIUS(000155BC): sending
    350563: Feb 8 14:11:14.480 PST: RADIUS/ENCODE: Best Local IP-Address 10.x.x.x for Radius-Server 10.y.y.y
    350564: Feb 8 14:11:14.480 PST: RADIUS(000155BC): Send Access-Request to 10.y.y.y:1645 id 1645/222, len 90
    350565: Feb 8 14:11:14.480 PST: RADIUS:  authenticator 5F B1 17 DF 72 4B 3D - B6 D8 05 85 66 B9 8D 7C A6
    350566: Feb 8 14:11:14.480 PST: RADIUS:  User-Name           [1]   13  "admin_user"
    350567: Feb 8 14:11:14.480 PST: RADIUS:  User-Password       [2]   18  *
    350568: Feb 8 14:11:14.480 PST: RADIUS:  NAS-Port            [5]   6   2
    350569: Feb 8 14:11:14.480 PST: RADIUS:  NAS-Port-Id         [87]  6   "tty2"
    350570: Feb 8 14:11:14.480 PST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    350571: Feb 8 14:11:14.480 PST: RADIUS:  Calling-Station-Id  [31]  15  "10.z.z.z"
    350572: Feb 8 14:11:14.480 PST: RADIUS:  NAS-IP-Address      [4]   6   1.2.3.4
    350573: Feb 8 14:11:14.556 PST: RADIUS: Received from id 1645/222 10.y.y.y:1645, Access-Accept, len 83
    350574: Feb 8 14:11:14.556 PST: RADIUS:  authenticator 24 D9 F9 E2 BB A3 66 F6 - 73 E8 05 42 08 A5 17 DA
    350575: Feb 8 14:11:14.556 PST: RADIUS:  Service-Type        [6]   6   Administrative            [6]
    350576: Feb 8 14:11:14.556 PST: RADIUS:  Class               [25]  32
    350577: Feb 8 14:11:14.556 PST: RADIUS:   59 B1 06 06 00 00 01 37 00 01 0A 1E DC 18 01 CB C7 B8 D7 82 CA E2 00 00 00 00 00 00 00 0B  [Ym7]
    350578: Feb 8 14:11:14.556 PST: RADIUS:  Vendor, Cisco       [26]  25
    350579: Feb 8 14:11:14.556 PST: RADIUS:   Cisco AVpair       [1]   19  "shell:priv-lvl=15"
    350580: Feb 8 14:11:14.556 PST: RADIUS(000155BC): Received from id 1645/222

    Note that in the above example, the NAS-IP-Address is populated properly (I just changed it for security reasons).

    If anyone has any advice, it would be greatly appreciated.  Does the switch need a restart? Bounce the RADIUS server process?

    Thank you


    Seems to be a bug:

    CSCdx27019    Pkt sent by CSS access RADIUS request contains no NAS information

    The Cisco ACS NAR (Network Access Restriction) feature with RADIUS does not work with CSS. This is because the RADIUS NAS-IP-Address attribute is set to 0.0.0.0 in the RADIUS authentication request.

    Rgds, jousset

    Rate the useful messages
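The two debug captures in this thread differ only in attribute 4. As an added example, not code from the thread, here is a small parser for IOS `debug radius` output that groups each Access-Request with its reply and flags requests whose NAS-IP-Address is 0.0.0.0, the condition under which a server-side policy keyed on that attribute cannot match. The sample lines are constructed in the same format as the captures; addresses, ids and the `10.0.0.5` server are placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of IOS "debug radius" output, modelled on the two
# captures in the thread (not copied verbatim; addresses are placeholders).
SAMPLE_DEBUG = """\
000287: Feb 8 14:05:15.447 PST: RADIUS(00000000): Send Access-Request to 10.0.0.5:1645 id 1645/8, len 84
000289: Feb 8 14:05:15.447 PST: RADIUS:  NAS-IP-Address      [4]   6   0.0.0.0
000290: Feb 8 14:05:15.447 PST: RADIUS:  NAS-Port            [5]   6   2
000292: Feb 8 14:05:15.447 PST: RADIUS:  User-Name           [1]   13  "admin_user"
000295: Feb 8 14:05:15.505 PST: RADIUS: Received from id 1645/8 10.0.0.5:1645, Access-Reject, len 20
350564: Feb 8 14:11:14.480 PST: RADIUS(000155BC): Send Access-Request to 10.0.0.5:1645 id 1645/222, len 90
350566: Feb 8 14:11:14.480 PST: RADIUS:  User-Name           [1]   13  "admin_user"
350572: Feb 8 14:11:14.480 PST: RADIUS:  NAS-IP-Address      [4]   6   192.0.2.4
350573: Feb 8 14:11:14.556 PST: RADIUS: Received from id 1645/222 10.0.0.5:1645, Access-Accept, len 83
"""

# "Send Access-Request to <server>:<port> id <id>" opens an exchange.
SEND_RE = re.compile(
    r"RADIUS\((?P<session>[0-9A-Fa-f]+)\): Send (?P<kind>Access-Request) "
    r"to (?P<server>[\d.]+):\d+ id (?P<id>\d+/\d+)"
)
# Attribute lines: "RADIUS:  <Name>  [<number>]  <length>  <value>".
ATTR_RE = re.compile(
    r"RADIUS:\s+(?P<name>[\w-]+)\s+\[(?P<num>\d+)\]\s+(?P<len>\d+)\s+(?P<value>.+?)\s*$"
)
# "Received from id <id> <server>:<port>, <code>, len <n>" closes it.
RECV_RE = re.compile(
    r"RADIUS: Received from id (?P<id>\d+/\d+) (?P<server>[\d.]+):\d+, (?P<code>Access-\w+), len \d+"
)


@dataclass
class RadiusExchange:
    id: str
    server: str
    attrs: Dict[str, str] = field(default_factory=dict)
    response: Optional[str] = None


def parse_debug(text: str) -> List[RadiusExchange]:
    """Group debug lines into request/response exchanges keyed by RADIUS id."""
    exchanges: Dict[str, RadiusExchange] = {}
    current: Optional[RadiusExchange] = None
    for line in text.splitlines():
        m = SEND_RE.search(line)
        if m:
            current = RadiusExchange(id=m.group("id"), server=m.group("server"))
            exchanges[current.id] = current
            continue
        m = ATTR_RE.search(line)
        if m and current is not None:
            # Attribute lines belong to the most recently sent request.
            current.attrs[m.group("name")] = m.group("value").strip('"')
            continue
        m = RECV_RE.search(line)
        if m and m.group("id") in exchanges:
            exchanges[m.group("id")].response = m.group("code")
    return list(exchanges.values())


def requests_with_empty_nas_ip(exchanges: List[RadiusExchange]) -> List[str]:
    """Ids of requests that carry NAS-IP-Address 0.0.0.0 or omit it entirely."""
    return [ex.id for ex in exchanges
            if ex.attrs.get("NAS-IP-Address", "0.0.0.0") == "0.0.0.0"]


def summarize(exchanges: List[RadiusExchange]) -> List[tuple]:
    """(id, NAS-IP-Address, User-Name, server response) per exchange."""
    return [(ex.id, ex.attrs.get("NAS-IP-Address"), ex.attrs.get("User-Name"), ex.response)
            for ex in exchanges]


if __name__ == "__main__":
    for row in summarize(parse_debug(SAMPLE_DEBUG)):
        print(row)
    print("empty NAS-IP-Address:", requests_with_empty_nas_ip(parse_debug(SAMPLE_DEBUG)))
```

Run over a real capture, the summary shows at a glance which requests left the switch with an empty NAS-IP-Address and what the server answered. The thread attributes the 0.0.0.0 value to CSCdx27019; a practitioner would also compare the two switches' `ip radius source-interface` setting, which the thread does not discuss, since IOS fills attribute 4 from that interface when it is configured.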

  • ACS load balancing

    If I have a CSS and I want to load balance 2 ACS servers, do I need to make one of them active and the second a backup, or can I load balance between the two servers?

    If yes, does it affect authentication and the database?

    If there is any article, it would be even better.

    Hello

    A more classic approach would be a third 'master' server that is used for administrative tasks. This replicates the config to the two load-balanced slaves.

    Mounira

  • ACS 5.2 TACACS+ and two-factor authentication?

    I am trying to wrap my head around this topic and failing.  I want to configure two-factor authentication via ACS 5.2 TACACS+ without having to use a token (such as RSA).  Is it possible to do?

    More information:

    Users from domains without an AD link will connect to routers and switches.

    A certificate server is available to generate certificates.

    SSHv2 is the current connection protocol.

    Thank you!

    Without RSA, I don't see a way to do this.

    With TACACS+ all you have is

    username: xxxxxx

    password: xxxxxx

    ciscoasa> enable

    password: xxxxxx

    Above you use 2 passwords: login and enable.

    Jatin kone

    -Do rate useful messages-

  • How do I see the actual client IP address in Apache access.log when the front-end is a load balancer.

    Dear all,

    I use EBS 12.1.3 and DB 11.2.0.3 on OS OUL5 x64.

    With one applTier, I could see the IP address of the clients when they connect to the system in the access_log, but

    with the middle tier having 2 servers AP1/AP2 configured with a LoadBalancer in front,

    when verifying the connection in the Apache log file (access_log.1410393600) we see the load balancer's IP address.

    Please let us know if there is a way to set it up so that I can see in the access_log file which client (IP address) connected to the server (AP1 or AP2).

    Thanks in advance.

    Regards

    Please see (How To Show The Client IP Address In The Access Log When Using A Load Balancer (Doc ID 1355549.1)).

    Thank you

    Hussein
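The answer above points to an Oracle note rather than spelling out the mechanism. As an added example, not from the thread or from Oracle's documentation, the following assumes that the balancer inserts an X-Forwarded-For header and that Apache logs it with a LogFormat ending in `\"%{X-Forwarded-For}i\"`; both are assumptions, as is the balancer address 192.0.2.10 and the constructed log lines. It parses such lines and resolves the client address while trusting only the hop that the balancer itself appended, because everything else in that header is client-controlled.

```python
import ipaddress
import re
from typing import List

# Assumption: only the balancer's own address may be trusted to have appended
# to X-Forwarded-For. 192.0.2.10 is a constructed placeholder.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]

# Constructed sample lines in the assumed LogFormat
#   "%h %l %u %t \"%r\" %>s %b \"%{X-Forwarded-For}i\""
# Line 2 carries a client-supplied hop before the balancer's; line 3 bypassed
# the balancer and forged the header; line 4 has no header at all.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [11/Sep/2014:02:00:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120 "203.0.113.7"
192.0.2.10 - - [11/Sep/2014:02:00:02 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120 "198.51.100.9, 203.0.113.7"
203.0.113.50 - - [11/Sep/2014:02:00:03 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120 "10.0.0.1"
192.0.2.10 - - [11/Sep/2014:02:00:04 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120 "-"
"""

LOG_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<xff>[^"]*)"'
)


def is_valid_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_trusted_proxy(ip: str) -> bool:
    """True when ip belongs to one of the known balancer addresses."""
    if not is_valid_ip(ip):
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def real_client_ip(remote: str, xff: str) -> str:
    """Resolve the client behind the balancer.

    Walk the X-Forwarded-For chain from the right (the hop the balancer
    appended) towards the left; the first address that is not a trusted proxy
    is the client. A header on a connection that did not arrive through the
    balancer is attacker-controlled and is ignored, as is a malformed entry.
    """
    if not is_trusted_proxy(remote):
        return remote
    if not xff or xff == "-":
        return remote
    for hop in reversed([h.strip() for h in xff.split(",")]):
        if not is_valid_ip(hop):
            return remote  # malformed header: fall back to the peer address
        if not is_trusted_proxy(hop):
            return hop
    return remote  # every hop was a proxy of ours; nothing better to report


def parse_access_log(text: str) -> List[dict]:
    """Parse log lines and annotate each with the resolved client address."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed LogFormat
        rec = m.groupdict()
        rec["client"] = real_client_ip(rec["remote"], rec["xff"])
        records.append(rec)
    return records


if __name__ == "__main__":
    for rec in parse_access_log(SAMPLE_ACCESS_LOG):
        print(rec["remote"], "->", rec["client"], rec["request"])
```

The same rule applies if Apache is configured to rewrite `%h` from the header (for example with mod_remoteip): the balancer addresses must be declared as the only trusted proxies, otherwise any client can choose what appears as its address in the log.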

  • How to configure DAS MD3200i load balancing

    I would like to connect an MD3200i (with two RAID controllers) to one of our Windows 2003 R2 servers without the aid of a switch.

    After reading most of the documentation, some things remain pretty obscure to me. I'm new to MPIO/load balancing and cannot figure out how to set it up.

    Is it possible to connect 1 host NIC to RAID controller 0 and another host NIC to RAID controller 1 and then combine the bandwidth, thus having 2 Gbps instead of 1 Gbps? Or is it only a redundant path solution, failing over to the other controller in case of failure of the first link? How do I configure this regarding the IP addresses and subnets? And where is load balancing configured? Is this explained in the documentation? I can't find it. I found a few examples that include the use of a switch, but none with DAS solutions.

    What I have is 4 UTP cables from the MD3200i to connect to the host: 2 on the upper RAID controller and 2 on the lower RAID controller. And I'd like to use the 4x1 Gbps to get a load-balanced 4 Gbps connection to a single partition on the MD3200i.

    Thanks for any help.

    Multipathing and load balancing in Windows 2003 are managed by the MPIO driver that is installed when you install the 'host' or 'full' version of MD Storage Manager. There is no need to separately aggregate network adapters to get the aggregate bandwidth. The driver, by default, uses round robin across all ports connected to a single controller.

    Also, for a single virtual disk, all I/O goes through a single controller and the second controller acts as a redundant path. So, if you have 2 x 1 Gbps connections to each controller, you will have, at most, 2 Gbps for each partition. Now, each controller can have virtual disks, so the second controller may have a second partition that will also have a separate 2 x 1 Gbps connection.

    You can set IP addresses and subnets similar to the way you would with a switch, as long as you can test the port connection. It would be wise to put each NIC on the host on a different subnet and each port on the MD3200i on the corresponding subnet. This will make it easier when you set up your iSCSI.

    You can use the MD configuration utility to set up your iSCSI sessions too.

    -Mohan

  • Limitation of the load balancing VPN3000

    Dear all,

    How many devices can be configured for load balancing?

    What is the upper limit?

    Can I assume that if we configure 2 devices, the throughput will be 200 MB, the throughput of four devices 400 MB, etc.?

    Any thoughts?

    Best regards

    Engel

    No, the traffic is not load balanced between all concentrators in the group; the connections are. For example, when you connect with a VPN client to the load-balancing address, the concentrators determine which concentrator is the least loaded, and your connection is then terminated on and handled by that concentrator. All traffic goes between your client and that concentrator only, like any normal connection. There is no increase in bandwidth for this connection.

    In regard to the number of devices you can use, we have tested successfully with 8, but there is no theoretical limit.

  • Hi all, has anyone attempted virtual machine Network Load Balancing using Hyper-V on UCS blades

    I am trying to configure the CAS server cluster by using unicast NLB on virtual machines on different blades in the UCS; it works for a while, then it drops packets.

    I heard that this unicast scenario is not supported on the UCS when it is using end-host mode on the fabric interconnect...? Has anyone attempted it before?

    Should I use multicast mode, and is there something that needs to be done on the FI 6120 or the upstream LAN switch??

    Header note I found on the UCS implementation for multicast NLB:

    Microsoft NLB can be deployed in 3 modes:

    Unicast

    Multicast

    IGMP multicast

    For UCS B-series deployments, we have seen that multicast and IGMP multicast work.

    IGMP multicast mode seems to be the more reliable deployment mode.

    To do this, the following settings:

    All Microsoft NLB nodes set to "IGMP Multicast".  Important!  Check this by logging into EACH node independently.  Do not rely on the NLB MMC snap-in.

    An IGMP querier must be present on the NLB VLAN.  If PIM is enabled on the VLAN, that is your querier.  UCS cannot function as an IGMP querier.  If a functioning querier is not present, NLB IGMP mode will not work.

    You must have a static ARP entry on the upstream switch pointing the NLB unicast VIP address to the NLB multicast MAC address.  This will need to be set up, of course, on the NLB VIP VLAN. The key is that the routed interface for the NLB VLAN must use this ARP entry, as a unicast IP ARP response may not contain a multicast MAC address (violation of RFC 1812).  Hosts on the NLB VLAN must also use the static entry.  You may have several ARP entries.  IOS can use an ARP 'alias' function. (Google it.)

    How Microsoft NLB works. - MAC addresses truncated for brevity.

    MS NLB TOPOLOGY

    NLB VLAN 10 = subnet 10.1.1.0/24

    NLB VIP = 10.1.1.10

    Static ARP entry on the upstream switch: IP 10.1.1.10 to MAC 01

    NLB VIP (MAC 01, IP 10.1.1.10)

    NODE-A (MAC AA, IP 10.1.1.88)

    NODE-B (MAC BB, IP 10.1.1.99)

    Using IGMP snooping and the VLAN querier, the snooping table is filled with the NLB MAC address and groups pointing to the appropriate L2 ports.

    MS NLB nodes will send the responses to IGMP queries.

    This snooping table could take 30 to 60 seconds to populate.

    A host on VLAN 200 (10.200.1.35) sends traffic to the NLB VIP (10.1.1.10).

    It goes, of course, to the VLAN 10 interface, which uses the static ARP entry to resolve the NLB VIP to MAC address 01.

    Since it is a multicast destination frame, it will be forwarded according to the IGMP snooping table.

    The frame will arrive at ALL NLB nodes (NODE-A & NODE-B).

    The NLB nodes will use their load balancing algorithm to determine which node will handle the TCP session.

    Only one NLB node will respond to this host with a TCP ACK to start the session.

    NOTES

    This works in a VMware environment with N1k, standard vSwitch and vDS. Where IGMP snooping is not enabled, the frames for the NLB VIP MAC will be flooded.

    NLB can only work with TCP-based services.

    As stated previously, mapping a unicast IP to a multicast MAC address is a violation of RFC 1812.

    TROUBLESHOOTING

    Make sure your querier is working. Having one configured does not mean that it is actually working.

    Wireshark lets you check that IGMP queries are received by the NLB nodes.

    Make sure that the ARP response works as expected.  Once again, Wireshark is your friend.

    Look at the IGMP snooping tables. Validate that the L2 ports appear as expected.

    CSCtx27555 [Bug preview for CSCtx27555] Unknown multicast with destination MAC outside the 01:xx: range is dropped. (6200 FI, fixed in 2.0.2m)

    IGMP mode not affected.

    CSCtx27555    Unknown multicast with destination MAC outside the 01:xx: range is dropped.

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtx27555

    Fixed in 2.0(2m)

    Solution: Change the NLB operating mode from "Multicast" to "IGMP Multicast", which moves the NLB VIP MAC into the 0100.5exx.xxxx range and allows forwarding to occur as expected.

    Q: And if I switch to switch mode, does that mean all of the profiles and settings on the servers are completely wiped and I need to recreate them???

    A: Cisco Unified Computing System Ethernet Switching Modes

    http://www.Cisco.com/en/us/solutions/collateral/ns340/ns517/ns224/ns944/whitepaper_c11-701962.html

    - There is no impact on the service profile configuration you have done.  They will continue to work as expected.  Switch mode has the FI behave more like a conventional switch.  Most notable is that Spanning Tree will be activated, and if you have several uplinks, spanning tree will begin to block redundant paths.

    You need to review your topology and what impact spanning tree will have.  Generally, we have the upstream switch port defined as "edge master"; you will want to delete this line.

    For pre-production and lab environments, PDI can help qualified partners with planning, design and implementation.  Consider reviewing the PDI site and opening a case if you need more detailed assistance.

  • Nexus 1000v, UCS, and Microsoft NETWORK load balancing

    Hi all

    I have a client that is implementing a new Exchange 2010 environment. They have a requirement to configure load balancing for the Client Access servers. The environment consists of VMware vSphere running on top of Cisco UCS blades with the Nexus 1000v dvSwitch.

    Everything I've read so far indicates that I must do the following:

    1. Configure MS NLB in Multicast mode (selecting the IGMP option).

    2. Create a static ARP entry for the virtual cluster address on the router for the server subnet.

    3. (maybe) Configure a static MAC table entry on the router for the server subnet.

    4. (maybe) Disable IGMP snooping on the appropriate VLAN in the Nexus 1000v.

    My questions are:

    1. Is anyone successfully running a similar configuration?

    2. Are there missing steps in the list above, or steps I shouldn't do?

    3. If I am disabling IGMP snooping on the Nexus 1000v, should I also disable it on the UCS fabric interconnects and the router?

    Thanks a lot for your time,.

    Aaron

    Aaron,

    The steps you have above are correct; you need steps 1-4 to operate correctly.  Normally people will create a separate VLAN/subnet for their NLB interfaces, to prevent unnecessary flooding of mcast frames within the network.

    To answer your questions

    (1) I have seen multiple clients run this configuration

    (2) The steps you have are correct

    (3) You can't toggle IGMP snooping on UCS.  It is enabled by default and not a configurable option.  There is no need to change anything within the UCS regarding MS NLB with the above procedure.  FYI - the ability to disable/enable IGMP snooping on UCS is scheduled for an upcoming version, 2.1.

    This is the correct method until the time we have the option of configuring static multicast MAC entries on the Nexus 1000v.  If this is a feature you'd like, please open a TAC case and request for bug CSCtb93725 to be linked to your SR.

    This will give more "push" to our development team to prioritize this request.

    Hopefully some other customers can share their experience.

    Regards,

    Robert
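Both NLB threads above turn on the same two facts: the MAC address NLB assigns to the cluster VIP depends on the operating mode, and a unicast VIP mapped to a multicast MAC needs a static ARP entry on the upstream router. As an added example, not from either thread or from Cisco or Microsoft, this derives the three cluster MACs from a VIP using Microsoft's documented scheme (02-BF- or 03-BF- followed by the VIP's four octets for unicast and multicast mode, 01-00-5E-7F- followed by the VIP's last two octets for IGMP multicast mode; treated here as an assumption of the example), checks which of them fall in the 0100.5exx.xxxx range the CSCtx27555 note refers to, and renders the IOS `arp <ip> <mac> ARPA [alias]` static entry for the VIP 10.1.1.10 from the topology above.

```python
import ipaddress
from typing import Dict

# Assumed NLB cluster MAC scheme (Microsoft's documented layout, not from the thread):
#   unicast   : 02-BF-w-x-y-z      (w.x.y.z = cluster VIP)
#   multicast : 03-BF-w-x-y-z
#   igmp      : 01-00-5E-7F-y-z    (inside the IPv4 multicast MAC range)
NLB_MODES = ("unicast", "multicast", "igmp")


def nlb_cluster_mac(vip: str, mode: str) -> str:
    """Return the cluster MAC for the given VIP and NLB mode as 12 lowercase hex digits."""
    octets = ipaddress.IPv4Address(vip).packed
    if mode == "unicast":
        raw = bytes([0x02, 0xBF]) + octets
    elif mode == "multicast":
        raw = bytes([0x03, 0xBF]) + octets
    elif mode == "igmp":
        raw = bytes([0x01, 0x00, 0x5E, 0x7F]) + octets[2:]
    else:
        raise ValueError(f"unknown NLB mode: {mode}")
    return raw.hex()


def cisco_dotted(mac_hex: str) -> str:
    """Render xxxx.xxxx.xxxx as IOS/NX-OS display it."""
    return ".".join(mac_hex[i:i + 4] for i in range(0, 12, 4))


def is_multicast_mac(mac_hex: str) -> bool:
    """I/G bit: least significant bit of the first octet set means group address."""
    return int(mac_hex[:2], 16) & 0x01 == 1


def in_ipv4_multicast_mac_range(mac_hex: str) -> bool:
    """01:00:5E:00:00:00 to 01:00:5E:7F:FF:FF, the RFC 1112 IPv4 group mapping."""
    return mac_hex.startswith("01005e") and int(mac_hex[6:8], 16) < 0x80


def ios_static_arp(vip: str, mode: str, alias: bool = False) -> str:
    """The static ARP line a router on the NLB VLAN needs for a multicast-MAC VIP.

    'alias' makes the router answer ARP for the VIP on behalf of the cluster,
    which the first thread mentions as the IOS ARP alias function.
    """
    cmd = f"arp {vip} {cisco_dotted(nlb_cluster_mac(vip, mode))} ARPA"
    return cmd + " alias" if alias else cmd


def summarize(vip: str) -> Dict[str, dict]:
    """Per mode: rendered MAC, whether it is a group MAC, and whether it sits in the
    IPv4 multicast MAC range that IGMP-snooping fabrics forward normally."""
    out = {}
    for mode in NLB_MODES:
        mac = nlb_cluster_mac(vip, mode)
        out[mode] = {
            "mac": cisco_dotted(mac),
            "group_address": is_multicast_mac(mac),
            "ipv4_mcast_range": in_ipv4_multicast_mac_range(mac),
        }
    return out


if __name__ == "__main__":
    for mode, info in summarize("10.1.1.10").items():
        print(f"{mode:9s} {info['mac']}  group={info['group_address']}  "
              f"ipv4-mcast-range={info['ipv4_mcast_range']}")
    print(ios_static_arp("10.1.1.10", "igmp"))
```

The summary makes the CSCtx27555 note concrete: the multicast-mode MAC 03bf.0a01.010a is a group address outside the 01:00:5E range, so a fabric that drops unknown multicast outside that range discards it, while the IGMP-mode MAC 0100.5e7f.010a lands in the range the snooping table is built for. Whichever mode is used, a static ARP entry is still required because a router will not accept a multicast MAC in a normal ARP reply for a unicast IP.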

  • Cisco RV016 failover & load balance Multi WAN question

    Hello

    I think the RV016 is the device to buy for our small building, but I'm a bit confused by the manual as to whether my planned configuration is possible, so if you could confirm whether this is possible I would appreciate it.

    We have a leased line as our main connection (let's call it WAN1). If this connection is not available, I don't want to load balance to any other WAN network.

    We have 2 identical Netgear 4G devices (we'll call them WAN2 and WAN3). If the leased line is not available, I would like to then load balance these two WAN connections.

    Then I have a final connection, WAN4, a slow ADSL line. I don't know right now if I want to load balance this with WAN1 or just have it as a backup for when WAN2 and WAN3 fail (WAN2 and WAN3 have a 20 GB data limit each on their monthly contract allowance; if the leased line is down for more than a couple of days, which unfortunately has already happened, then we reach this limit and are then charged for extremely expensive data, or just use the ADSL only).

    In any case, under normal conditions I want to balance the load. I want to only load balance WAN2 and WAN3 when WAN1 fails.

    Does anyone know if this is possible? If not, is there any other similar device which would be appropriate?

    Thank you

    Ben

    Hi Bencarroll01,

    With the RV016 you can get what you need.

    The RV016 supports up to 7 WAN connections, and there are two modes of operation:

    • Intelligent Balancer (Auto Mode): This option allows you to balance traffic between all interfaces to increase the available bandwidth. The router balances traffic between the interfaces in weighted round robin.
    • IP Group (By Users): Select this option to group traffic on each WAN interface by priority levels or classes of service (CoS). With this feature, you can ensure bandwidth and higher priority for specified services and users. All traffic that is not added to the IP group uses Intelligent Balancer mode. To specify the services and users, click Edit for the WAN interface and then add the protocol binding entries for each service, IP address or IP address range.

    For our case, we must have the RV016 configured with IP Group (By User); in this case we can configure protocol binding, where we can specify and force all traffic from any IP address of the local network out through WAN1, and any other WAN connection will always be UP but with no traffic passing through it.

    Now if WAN1 is down, the rule redirecting traffic to WAN1 will immediately be disabled and all traffic will pass through the rest of the WAN connections.

    After that, if WAN1 is up once again, the protocol binding rule will be active again and all the traffic will again go through WAN1.

    Please let me know if you have any other questions

    Please rate this post or mark it as answered to help other Cisco customers

    Greetings

    Mehdi

  • Load Balancing does not work on 2911

    Hello people,

    I am having some difficulty getting Load Balancing to work on my 2911.

    I have followed the configuration on this site:

    http://www.Cisco.com/en/us/Tech/tk648/tk361/technologies_configuration_example09186a0080950834.shtml

    and APPARENTLY it works, but not in reality, because I see packets using both NAT IPs, but when I check the interfaces I see we're not receiving / sending anything.

    Background:

    On G0/0 I have one ISP, on G0/1 the other, G0/2 my network.

    Building configuration...

    Current configuration: 6045 bytes

    !

    ! Last configuration change to 15:47:49 UTC Tuesday, January 28, 2014 by alan

    ! NVRAM config update at 14:32:59 UTC Tuesday, January 28, 2014 by alan

    ! NVRAM config update at 14:32:59 UTC Tuesday, January 28, 2014 by alan

    version 15.1

    horodateurs service debug datetime msec

    Log service timestamps datetime msec

    encryption password service

    !

    ROUTER1 hostname

    !

    boot-start-marker

    boot-end-marker

    !

    !

    logging buffered 51200 warnings

    !

    No aaa new-model

    !

    !

    No ipv6 cef

    IP source-route

    IP cef

    !

    !

    !

    !

    dhcp LAN_DHCP_POOL IP pool

    network 192.168.0.0 255.255.0.0

    default router 192.168.2.2

    domain g_bacon

    DNS 8.8.8.8 Server 208.67.222.222

    0 8 rental

    !

    !

    no ip domain search

    IP host ROUTER1 192.168.2.2

    8.8.8.8 IP name-server

    name-server IP 208.67.222.222

    IP-server names 8.8.4.4

    IP-server names 208.67.220.220

    !

    Authenticated MultiLink bundle-name Panel

    !

    !

    Crypto pki token removal timeout default 0

    !

    Crypto pki trustpoint TP-self-signed-2101532551

    enrollment selfsigned

    name of the object cn = IOS - Self - signed - certificate - 2101532551

    revocation checking no

    rsakeypair TP-self-signed-2101532551

    !

    !

    TP-self-signed-2101532551 crypto pki certificate chain

    certificate self-signed 01

      quit
    license udi pid CISCO2911/K9 sn FTX1553AJQU
    !
    !
    username alan privilege 15 secret 5 $1$b6Jk$8iz3K3cTUgSZ.VePkKl5a.
    !
    redundancy
    !
    !
    !
    !
    !
    class-map match-any PROHIBIDAS
     match protocol http host "www.facebook.com"
     match protocol http host "www.youtube.com"
     match protocol http host "www.pornotube.com"
     match protocol http host "www.xvideos.com"
     match protocol http host "www.mega.co.nz"
     match protocol http host "www.radios-on-line.com.ar"
     match protocol http host "www.enlaradio.com.ar"
     match protocol http host "www.cienradios.com.ar"
     match protocol http host "www.radios-argentina.com.ar"
     match protocol http host "www.fmyam.com.ar"
     match protocol http host "www.piratebay.org"
    class-map match-all P2P
     match protocol winmx
     match protocol gnutella
     match protocol bittorrent
     match protocol kazaa2
    !
    !
    policy-map DROP_PROHIBIDAS
     class PROHIBIDAS
      drop
     class P2P
      drop
    !
    !
    !
    !
    !
    !
    !
    !
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    !
    interface GigabitEthernet0/0
     description Fibertel
     ip address dhcp
     ip access-group acl101 in
     ip access-group acl101 out
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
     no cdp enable
     service-policy output DROP_PROHIBIDAS
    !
    interface GigabitEthernet0/1
     description Arnet
     ip address 186.153.125.138 255.255.255.248
     ip access-group acl101 in
     ip access-group acl101 out
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
     no cdp enable
     service-policy output DROP_PROHIBIDAS
    !
    interface GigabitEthernet0/2
     ip address 192.168.2.2 255.255.0.0
     ip access-group block_FB in
     ip access-group acl101 out
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1452
     duplex auto
     speed auto
     no cdp enable
    !
    router rip
     version 2
     network 192.168.0.0
    !
    ip forward-protocol nd
    !
    ip http server
    ip http port 8180
    ip http access-class 20
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    ip nat inside source route-map arnet interface GigabitEthernet0/1 overload
    ip nat inside source route-map fibertel interface GigabitEthernet0/0 overload
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 track 123
    ip route 0.0.0.0 0.0.0.0 200.122.102.1 254
    !
    ip access-list extended block_FB
     deny ip 192.168.0.0 0.0.255.255 host 173.252.100.16
     deny ip 192.168.0.0 0.0.255.255 173.252.64.0 0.0.63.255
     deny ip 192.168.0.0 0.0.255.255 31.13.24.0 0.0.7.255
     deny ip 192.168.0.0 0.0.255.255 31.13.64.0 0.0.63.255
     deny ip 192.168.0.0 0.0.255.255 66.220.144.0 0.0.15.255
     deny ip 192.168.0.0 0.0.255.255 69.63.176.0 0.0.15.255
     deny ip 192.168.0.0 0.0.255.255 69.171.224.0 0.0.31.255
     deny ip 192.168.0.0 0.0.255.255 74.119.76.0 0.0.3.255
     deny ip 192.168.0.0 0.0.255.255 103.4.96.0 0.0.3.255
     deny ip 192.168.0.0 0.0.255.255 204.15.20.0 0.0.3.255
     permit ip 192.168.0.0 0.0.255.255 any
     permit ip any any
    !
    access-list 110 permit ip 192.168.0.0 0.0.255.255 any
    !
    !
    !
    !
    route-map fibertel permit 10
     match ip address 110
     set interface GigabitEthernet0/0
    !
    route-map arnet permit 10
     match ip address 110
     set interface GigabitEthernet0/1
    !
    !
    !
    control-plane
    !
    !
    banner exec ^C^C
    banner login ^C^C
    banner motd ^C^C
    !
    line con 0
     login local
    line aux 0
    line 2
     no activation-character
     no exec
     transport preferred none
     transport input all
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line vty 0 4
     access-class 23 in
     privilege level 15
     login local
     transport input telnet ssh
    line vty 5 15
     access-class 23 in
     privilege level 15
     login local
     transport input telnet ssh
    !
    scheduler allocate 20000 1000
    end

    So far so good, I have checked the NAT translations:

    ROUTER1#show ip nat trans
    Pro Inside global          Inside local         Outside local          Outside global
    tcp 200.122.102.74:62114   192.168.0.1:62114    17.151.239.110:443     17.151.239.110:443
    tcp 200.122.102.74:62119   192.168.0.1:62119    17.172.233.134:5223    17.172.233.134:5223
    tcp 200.122.102.74:34945   192.168.0.2:34945    181.30.241.103:443     181.30.241.103:443
    tcp 200.122.102.74:37444   192.168.0.2:37444    173.194.42.230:443     173.194.42.230:443
    tcp 200.122.102.74:37695   192.168.0.2:37695    181.30.241.109:80      181.30.241.109:80
    tcp 200.122.102.74:40662   192.168.0.2:40662    173.194.74.188:5228    173.194.74.188:5228
    tcp 186.153.125.138:41426  192.168.0.2:41426    216.115.101.179:443    216.115.101.179:443
    tcp 200.122.102.74:41484   192.168.0.2:41484    216.115.101.179:443    216.115.101.179:443
    tcp 200.122.102.74:42381   192.168.0.2:42381    181.30.241.31:80       181.30.241.31:80
    tcp 186.153.125.138:42553  192.168.0.2:42553    98.136.223.39:8996     98.136.223.39:8996

    and I see they are going through both connections.

    Buuuuuuuuuuuuut, when I check the interfaces...

    ROUTER1#show int g0/0
    GigabitEthernet0/0 is up, line protocol is up
      Hardware is CN Gigabit Ethernet, address is c464.1354.b8c0 (bia c464.1354.b8c0)
      Description: Fibertel
      Internet address is 200.122.102.74/24
      MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full Duplex, 100Mbps, media type is RJ45
      output flow-control is XON, input flow-control is XON
      ARP type: ARPA, ARP Timeout 04:00
      Last input 00:00:00, output 00:00:00, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 774000 bits/sec, 161 packets/sec
      5 minute output rate 423000 bits/sec, 102 packets/sec
         2133521 packets input, 1223904205 bytes, 0 no buffer
         Received 615778 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 0 multicast, 0 pause input
         1065308 packets output, 214203455 bytes, 0 underruns
         0 output errors, 0 collisions, 1 interface resets
         0 unknown protocol drops
         0 babbles, 0 late collision, 0 deferred
         1 lost carrier, 0 no carrier, 0 pause output
         0 output buffer failures, 0 output buffers swapped out

    ROUTER1#show int g0/1
    GigabitEthernet0/1 is up, line protocol is up
      Hardware is CN Gigabit Ethernet, address is c464.1354.b8c1 (bia c464.1354.b8c1)
      Description: arnet
      Internet address is 186.153.125.138/29
      MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full Duplex, 100Mbps, media type is RJ45
      output flow-control is XON, input flow-control is XON
      ARP type: ARPA, ARP Timeout 04:00
      Last input 00:04:01, output 00:00:06, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         208948 packets input, 153515983 bytes, 0 no buffer
         Received 1236 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 0 multicast, 0 pause input
         190283 packets output, 45657373 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 pause output
         0 output buffer failures, 0 output buffers swapped out

    Everything goes through G0/0 and nothing through G0/1!

    Any ideas on why this is happening?

    Thank you in advance for your help!

    Kind regards,

    Alan

    Hello

    Yes, here you only have a single default route installed (the one from the DHCP server), so the router cannot NAT on the other interface because it cannot route out of it.

    Change your configuration like this:

    no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 track 123
    no ip route 0.0.0.0 0.0.0.0 200.122.102.1 254
    ip route 0.0.0.0 0.0.0.0 dhcp
    ip route 0.0.0.0 0.0.0.0 200.122.102.1 254

    Now, if you want to track the first route, look at this document:

    http://www.Cisco.com/en/us/docs/iOS/dial/configuration/guide/dia_rel_stc_rtg_bckup.html#wp1065528

    Regards,

    Alain

    Remember to rate useful posts.
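    As an added check (example code written for this edit, not Alan's or Alain's), the script below parses the two outputs quoted above and flags an uplink that owns NAT translations but shows a zero 5-minute rate, which is exactly the mismatch between `show ip nat trans` and `show interfaces` reported here. The sample strings are constructed from the figures in the post; the column layout of both commands is assumed to be the standard IOS one.

```python
import re
from collections import Counter

# Constructed sample: a subset of the 'show ip nat trans' output from the post above.
NAT_TRANS = """\
Pro Inside global         Inside local       Outside local        Outside global
tcp 200.122.102.74:62114  192.168.0.1:62114  17.151.239.110:443   17.151.239.110:443
tcp 186.153.125.138:41426 192.168.0.2:41426  216.115.101.179:443  216.115.101.179:443
tcp 200.122.102.74:41484  192.168.0.2:41484  216.115.101.179:443  216.115.101.179:443
tcp 186.153.125.138:42553 192.168.0.2:42553  98.136.223.39:8996   98.136.223.39:8996
"""
# Constructed sample: only the 'show interfaces' lines the check needs, same figures as the post.
SHOW_INT = """\
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 200.122.102.74/24
  5 minute input rate 774000 bits/sec, 161 packets/sec
  5 minute output rate 423000 bits/sec, 102 packets/sec
GigabitEthernet0/1 is up, line protocol is up
  Internet address is 186.153.125.138/29
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
"""

def translations_per_global(nat_output):
    """Count translations per inside-global address; with 'overload' that is one address per uplink."""
    counts = Counter()
    for line in nat_output.splitlines()[1:]:          # skip the column header
        fields = line.split()
        if len(fields) == 5:                           # Pro, inside global, inside local, outside local/global
            counts[fields[1].rsplit(":", 1)[0]] += 1   # drop the port, keep the address
    return dict(counts)

def interface_rates(show_int_output):
    """Map each interface's IP address to its name and 5-minute in/out rates (bits/sec)."""
    rates, name, addr = {}, None, None
    for line in show_int_output.splitlines():
        if (m := re.match(r"^(\S+) is ", line)):      # interface header line
            name, addr = m.group(1), None
        elif (m := re.search(r"Internet address is (\S+)/\d+", line)):
            addr = m.group(1)
            rates[addr] = {"interface": name, "in": 0, "out": 0}
        elif addr and (m := re.search(r"5 minute (input|output) rate (\d+) bits/sec", line)):
            rates[addr]["in" if m.group(1) == "input" else "out"] = int(m.group(2))
    return rates

def idle_nat_uplinks(nat_output, show_int_output):
    """Uplinks that own NAT translations yet carry no traffic: the symptom Alan saw on G0/1."""
    per_global = translations_per_global(nat_output)
    rates = interface_rates(show_int_output)
    return sorted(rates[a]["interface"] for a in per_global
                  if a in rates and rates[a]["in"] + rates[a]["out"] == 0)
```

    A translation entry only proves the route-map matched; whether packets actually left by that interface is decided by the routing table, which is why the interface counters are the check to trust.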

  • Nexus1000V load balancing

    Hello

    Could someone help me clarify this...

    In our environment we have a Nexus1000V. The VEM is connected to two uplink switches. At this point neither mac-pinning nor vPC-HM is used, and the Nexus is running the default load balancing mechanism (source-mac). I see MAC flapping on the uplink switches for servers in the vCenter. If source-mac is used, shouldn't the MAC address of a virtual machine be persistent on a specific switch, assuming it is not moved to another ESXi?

    We intend to change our uplink port-profiles to mac-pinning or vPC-HM. The documentation states that, in this case, the virtual machines are associated with alternating uplinks. So what is the use of load balancing in this case? Does load balancing only have an effect if LACP is formed (stackable switches etc.)?

    One last question:

    If mac-pinning is used and a link fails, then all VM traffic will be sent to the second link. If the first link comes up again, will the traffic for the virtual machines that were associated with the first link be moved back to the first, or will the traffic continue to flow on the second?

    Thank you in advance,

    Katerina

    Hi Katerina,

    I have configured my lab for "channel-group auto" and the two links are in a port-channel.

    The VEM considers the two uplinks as the same interface.

    N1K# module vem 4 execute vemcmd show port
      LTL   VSM Port  Admin Link  State  PC-LTL  SGID  Vem Port  Type
       19     Eth4/3     UP   UP   F/B*    1039     0    vmnic2
       20     Eth4/4     UP   UP   F/B*    1039     0    vmnic3
       49      Veth9     UP   UP    FWD       0     0      vmk1

    * SGID denotes sub-group ID

    From the output, vmk1 traffic can take vmnic2 or vmnic3. The N1K sees this as one outgoing port-channel interface. In order to avoid MAC flapping, we need to configure the two upstream switchports as one logical interface.

    Now, with MAC pinning configured, we run the same command:

    N1K# module vem 4 execute vemcmd show port
      LTL   VSM Port  Admin Link  State  PC-LTL  SGID  Vem Port  Type
       19     Eth4/3     UP   UP   F/B*    1040     2    vmnic2
       20     Eth4/4     UP   UP   F/B*    1040     3    vmnic3
       49      Veth9     UP   UP    FWD       0     2      vmk1

    vmnic2 and vmnic3 are considered two different outgoing interfaces. There are no upstream switchport requirements.

    HTH,

    Joe
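    As an added illustration (example code for this edit, not Cisco's or Joe's), the parser below reads the two `vemcmd show port` tables quoted above and derives from the SGID column whether the VEM treats the uplinks as one port-channel or as pinned sub-groups, and which vmnics a given vEth can egress on. The sample tables are constructed from Joe's output; the eight-column layout with an empty Type column is an assumption.

```python
# Constructed from the two 'vemcmd show port' tables in the reply above (column layout assumed).
PORT_CHANNEL = """\
  LTL   VSM Port  Admin Link  State  PC-LTL  SGID  Vem Port  Type
   19     Eth4/3     UP   UP   F/B*    1039     0    vmnic2
   20     Eth4/4     UP   UP   F/B*    1039     0    vmnic3
   49      Veth9     UP   UP    FWD       0     0      vmk1
"""
MAC_PINNING = """\
  LTL   VSM Port  Admin Link  State  PC-LTL  SGID  Vem Port  Type
   19     Eth4/3     UP   UP   F/B*    1040     2    vmnic2
   20     Eth4/4     UP   UP   F/B*    1040     3    vmnic3
   49      Veth9     UP   UP    FWD       0     2      vmk1
"""

def parse_ports(output):
    """Turn the table into dicts; the Type column is empty in the post, so each row has 8 fields."""
    ports = []
    for line in output.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) == 8:
            ports.append({"ltl": int(f[0]), "port": f[1], "state": f[4],
                          "pc_ltl": int(f[5]), "sgid": int(f[6]), "vem_port": f[7]})
    return ports

def uplink_mode(ports):
    """One SGID shared by all uplinks means the VEM treats them as a single port-channel
    (the upstream switchports must then form one logical link); distinct SGIDs mean each
    uplink is its own sub-group, which is what mac-pinning produces."""
    sgids = {p["sgid"] for p in ports if p["vem_port"].startswith("vmnic")}
    return "port-channel" if len(sgids) == 1 else "mac-pinning"

def candidate_uplinks(ports, veth):
    """Uplinks a vEth can egress on: every vmnic in the same sub-group as the vEth."""
    sgid = next(p["sgid"] for p in ports if p["port"] == veth)
    return [p["vem_port"] for p in ports
            if p["vem_port"].startswith("vmnic") and p["sgid"] == sgid]
```

    Running the first table through `uplink_mode` is the quick way to confirm, before touching the upstream switches, whether the MAC flapping Katerina describes is the expected result of a VEM port-channel facing two independent switchports.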
