Only CM, multiple interfaces
Hi guys.
I have an environment with a single CM and multiple devices.
The plant manager has two management interfaces (an interface in the primary CPE) and other secondary CPE. It is this way because we are unable to use the local switch in order to create a single management VLAN.
CPE2 - CM - CPE1
I am ready to provide redundancy for the central Manager (connectivity) and in addition, the main important thing, provide redundancy for remote devices (if the first goes down, the devices should not lose connectivity with the CM).
If possible, how can I achieve this? (primary/standby?)
The devices are also installed in this way (two connected to two different CPE management interfaces).
The optimization is done online.
Thanks in advance
Hi Ronaldo,
Not sure that I have understood your topology, but if your two CPE are just separate layer 2 way, you should look into setting up watch on the CM and the accelerators interface, see [1, 2].
If, however, two SCE must be mapped different layer 3, there is no way to get this working, you can only save an accelerator with a single CM at a time (based on the IP address or host name). Having two different layer 3 would be like having two IP addresses and names of two host during the same CM, well.
If you want redundancy for the CM database this way, you can examine a CM Eve as well, see [3, 4]. You would need another device of WAAS to do this, however.
Let me know, if this can help, or if I understood.
Kind regards
Michael
[1] WAAS 4.x: http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/waas/v441/configuration/guide/cnfg/network.html#wp1041450
[2] WAAS 5.x: http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/waas/v531/configuration/guide/cnfg/network.html#wp1041450
[3] WAAS 4.x: http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/waas/v441/configuration/guide/cnfg/maint.html#wp1159476
[4] WAAS 5.x: http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/waas/v531/configuration/guide/cnfg/maint.html#wp1159476
Similar Questions
-
SFR detects only not all interfaces ASA
Hello!
We have, for me at least, a strange problem. We have two ASA5525-x to active / standby. Only a few interfaces (7 of 30) are captured by the SFR module (the same on both units). My experience is that only traffic entering and leaving on the known interfaces at SFR are handled properly. All other traffic is to expire. Of the SAA is in production (but of course without firepower).
Any idea on how to solve this problem?
ASA# sh version | i System
System image file is "disk0:/asa952-smp-k8.bin"
ASA# sh run | i interface
interface GigabitEthernet0/0
interface GigabitEthernet0/1
interface GigabitEthernet0/2
interface GigabitEthernet0/3
interface GigabitEthernet0/4
interface GigabitEthernet0/5
interface GigabitEthernet0/6
interface GigabitEthernet0/7
interface Management0/0
interface Port-channel1
interface Port-channel1.2
interface Port-channel1.3
interface Port-channel1.4
interface Port-channel1.5
interface Port-channel1.6
interface Port-channel1.7
interface Port-channel1.8
interface Port-channel1.9
interface Port-channel1.10
interface Port-channel1.12
interface Port-channel1.14
interface Port-channel1.16
interface Port-channel1.18
interface Port-channel1.102
interface Port-channel1.104
interface Port-channel1.106
interface Port-channel1.108
interface Port-channel1.112
interface Port-channel1.114
interface Port-channel1.200
interface Port-channel1.204
interface Port-channel1.205
interface Port-channel1.206
interface Port-channel1.207
interface Port-channel1.208
interface Port-channel1.209
interface Port-channel1.253
interface Port-channel1.254
interface Port-channel1.999
> show version
----------------[ sfr1 ]-----------------
Model: ASA5525 (72) Version 6.0.0.1 (Build 26)
> show interfaces
-------------------[ 10.002 ]-------------------
Physical interface: Port-channel1.2
Type: ASA
Security zone: no
Status: enabled
Load balancing mode: n/a
-------------[ 10.003 ]--------------
Physical interface: Port-channel1.3
Type: ASA
Security zone: no
Status: enabled
Load balancing mode: n/a
------------------[ 10.004 ]-------------------
Physical interface: Port-channel1.4
Type: ASA
Security zone: no
Status: enabled
Load balancing mode: n/a
-----------------[ 10.005 ]-----------------
Physical interface: Port-channel1.5
Type: ASA
Security zone: no
Status: enabled
Load balancing mode: n/a
-----------------[ 10.001 ]-----------------
Physical interface: Port-channel1
Type: ASA
Security zone: no
Status: enabled
Load balancing mode: n/a
---------------[ 10.006 ]----------------
Physical interface: Port-channel1.6
Type: ASA
Security zone: no
Status: enabled
Load balancing mode: n/a
---------------[ 10.209 ]---------------
Physical interface: Port-channel1.209
Type: ASA
Security zone: no
Status: enabled
Load balancing mode: n/a
---------------------[ cplane ]---------------------
Thank you for your time.
Kind regards
Erik Qvam
Hello
What is the version of the ASA? There is an existing bug that is fixed at 9.5 (2.6) and above.
https://BST.cloudapps.Cisco.com/bugsearch/bug/CSCut40770
Rate if helps.
Yogesh
-
Smtp only on 2nd Interface WAN traffic
We have a Sonicwall TZ600 and recently installed a 2nd RE ADSL on the X 2 interface. I want to route SMTP only (back and forth) traffic on the WAN and also including traffic HTTPS interface to specific sites.
Any ideas on how to implement this scenario?
You need a custom road policy. Links below will help you to set up the same.
How to route SMTP traffic through a specific interface (e.g. secondary WAN) (SW5733) only:
https://support.software.Dell.com/SonicWALL-TZ-series/KB/sw5733
How to route all traffic through the secondary WAN (SW11461) HTTP:
https://support.software.Dell.com/SonicWALL-TZ-series/KB/sw11461
NOTE: Above KB is for HTTP, you must select HTTPS during the creation of the traffic police.
-
ASA 5510 using only the GB interfaces
I am looking for should I use a 5510 to activate two interfaces for VPN connections broadband from only a few sites. Our 5505 s (I have dozens) can not manage speeds of more than 100 MB and I have now a few FIOS beyond that--150 to 300mpbs. I want a 5510 basis who needs to manage a few voice / data sites and just use two interfaces. A basic 5510 allow 2 gigabytes or just ports FE interfaces? I have to be able to use 2 GB interfaces and no one else. I don't know that the 5510 will probably support the same QOS settings that I use on the 5505 s... I just need more speed interface so that I'm not bottlenecking data (I know I could use several 5505 s and extend the charges but is not how I want to do it for other reasons). Thank you
Hello
To my knowledge the ASA5510 supports 2 x 1 Gbps interfaces when you the Security license for the SAA. The basic license counts 100Mbps interfaces.
Take a look at this document for more information on licensing above
http://www.Cisco.com/en/us/docs/security/ASA/asa82/license/license82.html#wp190732
Its a document from the 8.2 version but its still even to 9.x on the license requirement more security get the 2 x 1 Gbps interfaces
The documentation for ASA5500 series promises an 300Mbps for the ASA5510 model flow, but I guess that's a value of location. In the most recent document, two values of max flow max and Multiprotocol are given.
Here's a link to the document
-Jouni
-
VPN LAN - to - LAN ASA of the multiple Interfaces
I have an ASA connected to 2 ISPs.I am on tracking object for the path of route 1 so only default is used at a time. I have a configuration VPN L2L out a interface. I would like to set up a 2nd VPN out interface B with identical settings.
Is this possible?
(Software ASA 8.2)
crypto map PATH_A 1 match address outside_1_cryptomap
crypto map PATH_A 1 set peer 10.1.1.1
crypto map PATH_A 1 set transform-set ESP-AES-128-SHA
crypto map PATH_A 1 set security-association lifetime seconds 28800
crypto map PATH_A 1 set security-association lifetime kilobytes 4608000
crypto map PATH_A 1 set reverse-route
crypto map PATH_A interface OUTSIDE_A
crypto map PATH_B 100 match address outside_1_cryptomap
crypto map PATH_B 100 set peer 10.1.1.1
crypto map PATH_B 100 set transform-set ESP-AES-128-SHA
crypto map PATH_B 100 set security-association lifetime seconds 28800
crypto map PATH_B 100 set security-association lifetime kilobytes 4608000
crypto map PATH_B 100 set reverse-route
crypto map PATH_B interface OUTSIDE_B
!
!
crypto isakmp enable OUTSIDE_A
crypto isakmp enable OUTSIDE_B
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 10.1.1.1 type ipsec-l2l
tunnel-group 10.1.1.1 general-attributes
 default-group-policy MY-VPN
tunnel-group 10.1.1.1 ipsec-attributes
 pre-shared-key 123456
!
group-policy MY-VPN internal
group-policy MY-VPN attributes
 vpn-tunnel-protocol IPSec
Hi Bill
This is possible, but apply the same crypto map to both of the interfaces
crypto map PATH_A interface OUTSIDE_A
crypto map PATH_A interface OUTSIDE_B
and it is not allowed to use the reverse-route command.
You need to reach, but also "timeout floating-conn 0:01:00".
I used an internet connection for the site to site vpn and the other for all other traffic (default route). All routes taken with ip sla.
I did it with 8.6
-
Hello!
I use Line Flow - generic, Bill only with workflow online Interface of the inventory in the sales order and when I book the order lines batch controlled items are not reserved, I still need to keep an inventory of the booking form. How to automate this when booking?
Thank you
Jon
Auto is by setting the value in the OM system settings > booking closing time (ours is R12.1.3).
-
Support for the creation of form field which allow you only to multiple of 6 to affix
I am working on a form and my boss asked me to see if I can make the fields only accept several
6 s (as it is a purchase order of the product, and they come in packs of 6). I think I'll have to use javascript for this
but I'm not yet familiar with the writing of these. a friend mentioned something about 'validate' and which confused me even more. I read a 5 inch
book on the use of pdf forms, but thought I might be able to get a faster answer here with you all of the wonderful people and then to refine my search in my book to learn about more by what answers I get here.
I REALLY APPRECIATE ANY HELP!
I hope you all had a wonderful Turkey day!
Thanks in advance!
Your friend was right, you need a validation script. The way to do it is to use the modulo operator (%) and then look at the result of the entered number mod 6. If this is not 0, then the number you entered is not a multiple of 6. Try this validation script for a text field that is defined as a number:
// Custom validation script for a text field formatted as a number
if (event.value != null && event.value != "") {
    if ((Number(event.value) % 6) != 0) {
        app.alert("You must enter a multiple of 6.");
        event.rc = false; // reject the entered value
    }
}
-
Cisco asa active multiple interfaces on a single switch without configuration of vlan switch.
I was wondering if there is a work around on cisco asa to have 2 interfaces vlan on a switch. The reason I ask I have a cisco asa 5505 and a dell switch that does not support the configuration of VLANs. I set up 2 interface vlan on a cisco asa and when two interfaces are active my internet drops frequently. I was wondering if there is nothing to configure the asa cisco to make this thing work. Thanks in advance...
Assuming that Dell switch at least linking several interfaces of the ASA to the Dell should translate all media spanning tree protocols, but a bet covering the tree blocking State to avoid a tree covering loop.
If the Dell does not support tree covering weight then you would be in very bad shape each broadcast packet would be will loop indefinitely and cause what we call a 'broadcast storm. "
One way is not good and the other real harm.
-
Terminating the VPN Client on multiple interfaces PIX
Hello people
Does anyone know if it is possible to configure a PIX 515 to complete VPN clients on more than one interface?
Specifically, we strive to allow client VPN access to the internet and the DMZ through to the internal network.
See you soon
Simon
It is sure, in fact if you want to have customers come in and then be able to route back on another LAN-to-LAN tunnel, then this is how you do it.
Here there is an example of a config:
-
Physical networks VPN multiple interfaces of the ATA.
Hello all and thanks in advance for any advice you can provide.
I have a 5220 ASA set up with 3 networks. I have a off-grid, one inside the network and a network of "DSL". Everything works great, except that I'm trying to clean up the way we connect with VPN client.
At the moment, if we are outside our network, we use the external IP address of the router (x.x.A.1). When we are on the LAN subnet, we are unable to VPN to the external IP address, so we are forced to use a completely separate identification information together and to connect to the IP address of the subnet LAN (x.x.B.1).
Is it possible to configure the VPN so that we would be able to use the same credentials to connect to the interface either? I can use DNS selective so that requests are sent to the correct IP address... but as it is, it does not accept one set of credentials on each interface.
Any help would be appreciated.
Question:
Have you tried to set up a separate crypto for the LAN interface card input.
Lets say you have an entry like this crypto map...
crypto dynamic-map dynmap 65534 set transform-set RIGHT
cry map outside_map 65536 ipsec-isakmp dynamic dynmap
cry map outside_map interface outside
Can you try to create another entry card crypto under a different name for the LAN interface.
Let me know.
See you soon
Gilbert
-
implementation of multiple interfaces?
Hi guys,
Can I implement several interfaces in the same class?
One solution is to do an interface extension B and that to have my implementing interface class A. Is there another way that I can implement two or more interfaces directly to the same class?
Thank you!
You can implement several interfaces just separated by a comma:
public class ClassName implements interface1, interface2
-
XNET multiple sessions on a single interface
Hello guys,
I use XNET to communicate with our equipment CAN. In my project, I created 3 Sessions: session to an image of writing/sending frames to the device, a frame off session to receive the response from the device to the back and another frame in session for you connect all frames transmitted and received.
As part of the session, I do the property "echo of the transmitted frames" option true, so that transmitted frames also appear as "read" frames and I can connect every image that I expected. But if I, in another frame in a session also transmitted frames appear as frames 'read', even if I do the property "echo transmitted frames" option in this session to False. How can I do a session read all the frames transmitted and received, but the other is not? Thx a lot!
I don't think you can. Unfortunately, some of the properties of a session, are actually a property of the interface. XNet has also of resistance internal CDN, you can turn on and off. You do this by using the session reference and turn it on. Now, even if you have two sessions on an interface you have only a single interface and so you don't have a single property for if the resistance is on or off. If you turn it on in one sitting, it will be because he shares the same interface on the other.
I believe that the same is true when it comes to the echo. In most transceiver CAN echo is a feature of the transmitter/receiver and is a feature of the hardware, not software (similar to the example of resistance). So when you turn on the echo of the session, you really turn on echo for this interface, and I do not think that you will be able to turn on the echo of a session, but not all of them on the same interface.
-
Dynamic interfaces, VIRTUAL, multiple physical interfaces LAN?
Hello
We're just starting with a WLC 5508 and WCS. We can already see that it is a big improvement on our current installation with autonomous APs. We are also implementing some 11n APs in this framework.
I think I understand the multiple AP-Manager interfaces and balancing the AP load across them. But I do not understand how customer traffic should be load-balanced.
The goal is to have a WLAN. When I create this I select a dynamic interface (and so a VLAN for the customers). But this VLAN is bound to a physical port (with a backup port). So my understanding is that customer traffic will go from the AP to the controller on several interfaces, but then goes out to the servers on a single interface?
It's not what I want - I'd like to that traffic on him VLAN on the servers to be distributed on several ports. How do I do that? I then use LAG?
Kind regards
Kaj
OK, if you don't have that a WLAN you would probably a dynamic interface, unless you use AP group VLAN.
-
Easy VPN setup with interface to multiples with the same level of security
Hello
I want to configure an ASA 5505 with 7.2 (4) software and dual license ISP and when I configure two interfaces with the level 0 on two security interfaces and enable vpnclient the trace message appear:
ERROR: Cannot determine the internal and external interfaces Easy VPN remote: multiple interfaces with the same levels of security.
vpnclient configuration:
vpnclient server x.x.x.x where x.x.x.x
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup TUNNEL_EZVPN_TUNNELSPEC password *
vpnclient username usr_ezvpn_tunnelspec password *
vpnclient enable
interfaces:
interface Vlan200
 nameif outside1
 security-level 0
 ip address x.x.x.x 255.255.255.252
!
interface Vlan300
 nameif outside2
 security-level 1
 ip address x.x.x.x 255.255.255.128
!
sla monitor for the routing:
sla monitor 100
 type echo protocol ipIcmpEcho 200.221.2.45 interface outside1
 num-packets 5
 frequency 30
sla monitor schedule 100 life forever start-time now
sla monitor 200
 type echo protocol ipIcmpEcho 200.154.56.80 interface outside2
 num-packets 5
 frequency 30
sla monitor schedule 200 life forever start-time now
sla monitor 300
 type echo protocol ipIcmpEcho 4.2.2.1 interface outside1
 num-packets 5
 frequency 30
sla monitor schedule 300 life forever start-time now
sla monitor 400
 type echo protocol ipIcmpEcho 200.244.168.149 interface outside1
 num-packets 5
 timeout 3000
 threshold 3000
 frequency 30
sla monitor schedule 400 life forever start-time now
tracking:
!
track 1 rtr 400 reachability
!
track 2 rtr 200 reachability
!
routes:
route outside1 0.0.0.0 0.0.0.0 x.x.x.x 100 track 1
route outside2 0.0.0.0 0.0.0.0 x.x.x.x 200 track 2
The track works normal.
Kind regards!
Try using the command "backup interface" on the secondary ISP interface.
http://www.Cisco.com/en/us/docs/security/ASA/asa72/command/reference/b_72.html#wp1338585
You need to increase the level of security to 1 for this interface.
By default, EasyVPN uses the highest level of safety inside and the lowest outside. Anything between the two must be set manually. I assume you have an interior vlan defined but not added to the posted config.
-
Multiple virtual private networks - one Interface
Hello
I read up on top of the site to create using IPSEC VPN. My question is, if I have a dedicated "VPN" router in the same place, say the external interface is F0/0. I want to configure different VPN for this site to some remote sites using this router, but I want each of these VPN connections to have its own interface, for the goal of routing some subnets over a VPN connection and routing another subnet on the other VPN sites.
So Hub site, I have an outside interface, but need IPSEC VPN multi-site spoke and each site to have an interface I can route traffic through... If that makes sense?
Thank you
I fear that your post, as written makes no sense to me. You start by saying you have a router with an outside interface. Then, you say that you need more than one interface. On the surface that seems to indicate you need to get a different router which will have several available for VPN interfaces.
Maybe if stress you less the need for multiple interfaces and explain a bit more about what you really need that it would be a way to accomplish what you need with the existing router.
I'll start with what that seems to indicate: with one interface the router would have one crypto map. But a crypto map can have multiple instances of crypto definitions within it, with a single instance for each remote peer. So, for example, you could have crypto map GRANT_map 10 for peer A, GRANT_map 20 for peer B and GRANT_map 30 for peer C. Within each instance of the crypto map you would identify a single access list to identify the traffic destined for each peer. It might look like this:
crypto map GRANT_map 10 ipsec-isakmp
 match address peerA
 set peer 1.2.3.4
crypto map GRANT_map 20 ipsec-isakmp
 match address peerB
 set peer 5.6.7.8
crypto map GRANT_map 30 ipsec-isakmp
 match address peerC
 set peer 9.10.11.12
ip access-list extended peerA
 permit ip 10.1.1.0 0.0.0.255 172.16.0.0 0.0.255.255
ip access-list extended peerB
 permit ip 10.2.2.0 0.0.0.255 172.17.0.0 0.0.255.255
ip access-list extended peerC
 permit ip 10.3.3.0 0.0.0.255 172.18.0.0 0.0.255.255
Or maybe you can consider using GRE tunnels with IPSec VPN. You can configure several tunnels, each sourced from the outside interface, and each of them would terminate on a different peer. You can route some subnets to tunnel 10-peerA, route other subnets to tunnel 20-peerB and route other subnets to tunnel 30-peerC. This kind of solution might meet your requirements.
HTH
Rick