Triple ISP with Cisco IOS XR

Hey Cisco Experts,

Greetings,

I've lost my way with the RPL config, so I'm calling on all of you to help me with how the RPL config should look for the scenario below, with 2 x ASR 9006.

Outbound policy
===============

1. AS 52X accepts the local routes of the 3 providers, as well as a default route for the rest of the Internet routes
2. Traffic destined to ISP-1 goes through ASR-1
3. Traffic destined to ISP-2 goes via ASR-1
4. Traffic destined to ISP-3 goes through ASR-2
5. All other traffic prefers ISP-1 on ASR-1
6. If the link to ISP-1 breaks down, the traffic should re-route via ASR-1 ISP-2
7. If the link to ISP-2 breaks down, the traffic should re-route via ASR-2 ISP-3

Inbound policy
==============

1. Internet traffic destined to IP subnet 91.X.X.X/24 should come via ASR-1 ISP-1
2. Internet traffic destined to IP subnet 92.X.X.X/24 should come via ASR-1 ISP-2
3. Internet traffic destined to IP subnet 93.X.X.X/24 should come via ASR-2 ISP-3
4. If an ISP or link fails, the other ISPs should route traffic to AS 52X on the Internet

Thank you all

Sayed Hassan Mubarak

That looks good now! MPIO is enabled, and the two default routes will be used on a per-flow basis; if there is good distribution, it will be close to 50%.

If you want to take the bandwidth into consideration and get a 2:1 ratio, you must use the DMZ link bandwidth to help BGP understand the bandwidth of each link, so that instead of 50/50 it uses 66/33. You can read here how to configure the DMZ link bandwidth.

Rule 5 of BGP best path selection is the AS path: the shortest path will win.

In many cases of load balancing across paths, the different available paths have different AS path lengths, with one showing a shorter AS hop count to the destination. With as-path ignore we can omit the AS path as a knob for selecting a preferred route.

ACE relax would negate the rule was for mpath which correspond to two AS-paths of all channels. It is also a stupid, since rule as in your case, you have different ISP and they will have different as-path sets and or length, each of these buttons do not know either of these two rules for review in the path.

Xander

Tags: Cisco Network

Similar Questions

  • iOS 10 with Cisco Jabber

    Dear Cisco support community,

    as seen on http://www.apple.com/ipad/business/work-with-apple/cisco/

    Only Spark is described here. Will there also be better call integration with Cisco Jabber?

    In my opinion, they are only trying to convey the best iOS 10 interactive experience to Spark customers. This does not mean that Jabber for iPhone will be less functional in iOS 10.

  • Cisco IOS-XR with ACS

    Hello, my question is whether a Cisco IOS XR router (it is a 12k series, by the way) needs to be configured differently on the ACS side, or whether it is added like any other normal router.

    Hi Raul,

    The IOS-XR router will act as a NAS for the ACS, so the configuration will be the same as for any other NAS on ACS.

    Kind regards

    Anisha

    P.S.: Please mark this thread as answered if you feel that your query is resolved

  • Cisco IOS Software Internet Key Exchange vulnerability Enquiry

    Products affected

    Cisco IOS devices are vulnerable when you run a software image of an affected version of the Cisco IOS software that does not support the IKE version 2 (IKEv2) and is configured to use IKE version 1 (IKEv1).

    Vulnerable products

    This vulnerability affects the Cisco IOS Software 15.1GC, 15.1T and 15.1XB release trains. No other Cisco IOS Software release trains are affected.

    Ref: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-ike

    If we use a "not affected" version (for example, 12.4 or 15.0 releases) configured with IKE version 1, can it be affected by this vulnerability?

    Router#sh subsys | include ikev2

    ikev2_cli_registry registry 1.000.001

    Thank you & best regards,

    Ye

    You are not affected by this vulnerability.

    As described in the advisory: "There are no affected 12.4 based releases" and "There are no affected 15.0 based releases".

  • Cisco IOS router 837 - configure DDNS / dynamic DNS

    I have an Internet link connected to my Cisco router. The package that I subscribed to comes with a dynamic IP address. I understand that if I need remote access to the Cisco router, I need to enable the DDNS function. Is this possible on a Cisco router? I have been informed that this feature is not supported. Please help me

    Hi Bro

    Yes, Cisco ASA and Cisco IOS routers support DDNS. Just make sure you have the right version of IOS, for which you can refer to this Cisco URL: http://www.cisco.com/en/US/docs/ios/12_3/12_3y/12_3ya8/gt_ddns.html#wp1202953.

    Please refer to the config below, made with dyndns.org.

    !
    hostname INT-RTR1
    !
    ip domain name dyndns.org
    ip name-server 8.8.8.8
    !
    ip ddns update method DynDNS
     HTTP
      add http://ramraj:[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
     interval maximum 30 0 0 0
     interval minimum 30 0 0 0
    !
    interface Dialer1
     ip ddns update hostname INT-RTR1.dyndns.org
     ip ddns update DynDNS
    !

    Note: hostname = INT-RTR1.dyndns.org was the host added/registered on the dyndns.org site.

    Note: Press Ctrl+V and then type the ? symbol when entering the add http://___ line above in the CLI.

    Note: ramraj:cisco123 is simply an example of credentials at dyndns.org.

    You can also refer to this URL for more details: http://www.petri.co.il/csc_configuring_dynamic_dns_in_cisco_ios.htm

    P/S: If you think this comment is useful, please rate it well :-)

  • ISA500 site-to-site IPsec VPN with Cisco ISR

    Hello

    I have a site-to-site VPN working with Openswan and a Cisco 2821 router, and I am trying to configure a site-to-site IPsec tunnel between the Cisco 2821 and an ISA550.

    But without success.

    My config for Openswan, just FYI, maybe not important for this problem:

    config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!$RIGHT_SUBNET
        nhelpers=0

    conn rz1
        ikev2=no
        type=tunnel
        left=%any
        leftsubnet=192.168.5.0/24
        # peer address not shown in the original post
        right=
        rightsourceip=192.168.1.2
        rightsubnet=192.168.1.0/24
        keylife=28800s
        ikelifetime=28800s
        keyingtries=3
        auth=esp
        esp=aes128-sha1
        keyexchange=ike
        authby=secret
        auto=start
        ike=aes128-sha1;modp1536
        dpdaction=restart
        dpddelay=30
        dpdtimeout=60
        pfs=no
        aggrmode=no

    Config Cisco 2821 for dynamic dialin:

    crypto isakmp policy 1
     encr aes
     hash sha
     authentication pre-share
     group 5
     lifetime 28800
    !
    crypto map CMAP_1 1 ipsec-isakmp dynamic DYNMAP_1
    !
    access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
    !
    crypto ipsec transform-set ESP-AES-SHA1 esp-aes esp-sha-hmac
    crypto dynamic-map DYNMAP_1 1
     set transform-set ESP-AES-SHA1
     match address 102
    !
    ! pre-shared key value not shown in the original post
    crypto isakmp key address 0.0.0.0 0.0.0.0
    crypto isakmp keepalive 30 periodic
    !
    crypto ipsec security-association lifetime seconds 28800
    !
    interface GigabitEthernet0/0.4002
     crypto map CMAP_1
    !

    I tried a config on the ISA550 with the same settings, but without success.

    Does anyone have the same problem?

    Does anyone have a tip for me, or does someone have experience with a site-to-site IPsec tunnel between an ISA550 and a Cisco 2821?

    I can successfully establish a tunnel between the Openswan Linux server and the ISA550.

    Patrick,

    as you can see in the logs, the software behind the ISA is also Openswan.

    I have a setup with an 892 ISR running, which should be the same as your 29erxx.

    Use your IOS Config dynmap, penny, you are on the average nomad. If you don't have any RW clients you should use "no-xauth" on IOS after the isakmp key.

    Here is my setup, with roadwarrior AND 2 site-to-site.

    crypto logging session
    crypto logging ezvpn
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
     lifetime 28800
    !
    crypto isakmp policy 2
     encr 3des
     hash md5
     authentication pre-share
     group 2
     lifetime 28800
    !
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp policy 4
     encr 3des
     hash md5
     authentication pre-share
     group 2
    !
    crypto isakmp policy 5
     encr 3des
     authentication pre-share
     group 2
     lifetime 7200
    ! site-to-site peers: pre-shared keys with xauth disabled
    crypto isakmp key XXXX address XXXXX no-xauth
    crypto isakmp key XXXX address XXXX no-xauth
    !
    ! roadwarrior (EasyVPN) client group
    crypto isakmp client configuration group default
     key XXXX
     dns XXXX
     pool default
     acl easyvpn_client_routes
     pfs
    !
    !
    crypto ipsec transform-set FEAT esp-3des esp-sha-hmac
    !
    crypto dynamic-map VPN 20
     set transform-set FEAT
     reverse-route
    !
    !
    crypto map VPN client authentication list default
    crypto map VPN isakmp authorization list default
    crypto map VPN client configuration address respond
    crypto map VPN 10 ipsec-isakmp
     description VPN-1
     set peer XXX
     set transform-set FEAT
     match address internal_networks_ipsec
    crypto map VPN 11 ipsec-isakmp
     description VPN-2
     set peer XXX
     set transform-set FEAT
     set pfs group2
     match address internal_networks_ipsec2
    crypto map VPN 20 ipsec-isakmp dynamic VPN
    !
    !

    Michael

    Please rate all useful posts

  • Problem with Cisco ACS and different domains

    Hello

    We are currently experiencing a problem with the Cisco ACS that we put in place, and I'll try to describe it:

    We have ACS linked to AD domains, where we have 2 domains and the appropriate group mappings.

    Then we have our Cisco switches with the following configuration:

    aaa new-model
    aaa authentication fail-message ^CCCC
    Failed to authenticate!
    Please contact IT Networks Group for more information.
    ^C
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa authorization network default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    !
    aaa session-id common

    But the problem is that users in one domain can authenticate, but not those in the other. Basically, the issue is that when we check the passed authentications, both authentications pass and display 'Authentic OK', but on the switch side there is a failure.

    Could there be something wrong with the ACS?

    Thank you

    Jorge

    Try increasing the timeout on the IOS device using radius-server timeout 10.

    Do you not have remote logging enabled on the ACS server?

    -Philou

  • Cisco IOS server certificate - is it supported on routers 857/877

    Please can someone confirm whether the Cisco IOS Certificate Server feature is supported on the Cisco 857 router. We have checked with the Software Advisor and there is no image for the 857 when the IOS Certificate Server feature is selected, but the advancedipservices image v12.4(11)T comes up for the 877.

    Both the 857 and 877 support IOS Certificate Server.

    For the 857 you need the ADVANCED SECURITY feature set, 12.3(14)YT

    http://Tools.Cisco.com/ITDIT/CFN/dispatch?Act=feature&ImageID=619356&platformFamily=306&featureSet=8&featureSelected=2208&availSoftwares=iOS

    The 877 offers more IOS images with Certificate Server support; when I chose the Cisco IOS Certificate Server feature in Feature Navigator, I got a lot of IOS images supporting this feature.

    Go to Feature Navigator

    http://Tools.Cisco.com/ITDIT/CFN/JSP/index.jsp

    Select search by feature and select Cisco IOS Certificate Server; you can filter the results by platform (857/877)

    M.

  • HSRP in Cisco IOS-XE

    Hi, just got our Cisco 3850 switch, newly shipped with IOS-XE. Here is the output of the 'show version' command.

    Switch(config-if)#do show ver
    Cisco IOS software, IOS - XE software, catalyst L3 Switch (CAT3K_CAA-UNIVERSALK9-M), Version 03.02.03.SE VERSION SOFTWARE (fc2)
    Technical support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Last update Mon 23 - Sep - 13 18:24 by prod_rel_team

    Cisco IOS Software - XE, Copyright (c) 2005-2013 by cisco Systems, Inc.
    All rights reserved.  Some components of the Cisco IOS - XE software are
    distributed under the GNU General Public License ("GPL") Version 2.0.  The
    software licensed code GPL Version 2.0 is a free software that comes
    WITHOUT ANY WARRANTY.  You can redistribute it and/or modify it
    Code GPL under the terms of the GPL Version 2.0.
    (http://www.gnu.org/licenses/gpl-2.0.html) For more details, see the
    documentation or "Mention of license" file that accompanies the IOS - XE software.
    or the applicable URL listed on the brochure that accompanies the IOS - XE
    software.

    ROM: IOS - XE ROMMON
    BOOTLDR: CAT3K_CAA Boot Loader (CAT3K_CAA-HBOOT-M) 1.18 Version, SOFTWARE VERSION (P)
             
    The availability of HK-CSW001 is 4 hours, 0 minutes
    Availability for this command processor is 4 hours, 3 minutes
    System return to the ROM to reload
    System image file is "flash: packages.conf.
    Reload last reason: reload the command

    This product contains cryptographic features and is under the United States
    States and local laws governing the import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third party approval to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. laws and local countries. By using this product you
    agree to comply with the regulations and laws in force. If you are unable
    to satisfy the United States and local laws, return the product.

    A summary of U.S. laws governing Cisco cryptographic products to:
    http://www.Cisco.com/WWL/export/crypto/tool/stqrg.html

    If you need assistance please contact us by mail at
    [email protected].

    License level: Ipbase
    License type: Permanent
    Then reload license level: Ipbase

    Cisco WS-C3850-24 t (MIPS) processor with K 4194304 bytes of physical memory.
    Card processor ID FOC2007U0YG
    2 virtual Ethernet interfaces
    28 gigabit Ethernet interfaces
    4 ten interfaces Ethernet Gigabit
    2048K bytes of non-volatile configuration memory.
    K 4194304 bytes of physical memory.
    250456K bytes of Crash crashinfo files:.
    1609272K bytes of Flash Flash:.
    0K bytes of Flash model to usbflash0:.
    0K bytes of to webui::.

    MAC Ethernet base address: 00:cc:fc:d1:55:80
    Motherboard Assembly number: 73-16297-04
    Motherboard serial number: FOC20061W6G
    Revision number of the model: Z0
    Motherboard revision number: B0
    Model number: WS-C3850-24 t
    System serial number: XXXXXXXXXXX

    My problem is, I tried HSRP 1 before using Packet Tracer and thought that since it succeeded, I could do it here on this new switch, but after reading a few articles, HSRP 1 is gone and here it is HSRP 2, but after I typed in the

    "interface vlan XXX"

    "ip address XXX.XXX.XXX.XXX subnet"

    the command "standby version 2" is not available, and "standby ip XXX XX" is not available either.

    I'm stuck with this problem now, appreciate any help from you guys.

    Thank you

    The f

    Hello Jeff,

    We were also quite surprised when we realized that our brand new 3850 did not support HSRP. This feature was introduced in a later version of IOS-XE. Currently, we run 03.06.00.E on our WS-C3850-24T and this version supports HSRP.

    I absolutely don't understand why Cisco released such an unfinished software/switch combo.

    So, please try a newer version of the software.

    See you soon

    Ichnafi

    Supplement: Cisco Feature Navigator (http://tools.cisco.com/ITDIT/CFN/jsp/by-feature-technology.jsp) says: HSRP is supported since Version 3.3.0

  • Cisco IOS 12.3.5a vs IOS 12.3.3c

    I have a 2621 running IP, firewall, IDS, and NAT. I opened the appropriate ports to allow a PCAnywhere client to reach the host inside the firewall. It works fine on IOS 12.3.3c and below. The connection starts, but does not complete when running 12.3.5a. Is it a problem with Cisco control plane policing, which became available in IOS 12.3.4T or later, or is there an undocumented bug in the 12.3.5 code?

    There is a documented bug in 12.3(5) where the IOS FW does not allow connections initiated from outside to internal hosts. Basically the firewall ignores the TCP SYN-ACK packet returning from the inside host, so the 3-way handshake never completes. Connections initiated from inside outbound are not affected.

    Bug ID is CSCec78231, you can read about it here:

    http://www.Cisco.com/cgi-bin/support/Bugtool/onebug.pl?BugID=CSCec78231&submit=search

    Stick with 12.3(3) for the moment; it should be resolved in 12.3(6) when it comes out.

  • Cisco IOS - failed login Admin

    Hello

    I configured Cisco IOS to authenticate via a RADIUS server (Cisco ISE). By mistake I set all authentication to go via RADIUS only.

    Now, I can not connect via RADIUS but unable to connect through the local Admin credentials of Cisco IOS, and for this reason I am not able to access the privileged commands.

    Is there a way back so that login as admin (SMAP) would be possible and not via RADIUS?

    I do not have access to the 'configure' and 'enable' commands as the RADIUS user.

    Did that work before? BTW, what IOS code are you running?

    What error do you see on the IOS command line interface when ISE is DOWN and you're trying to connect with the local user account?

    Do you have local authentication as a failover method? Do you have a copy of the IOS config from before you were locked out?

    You can check the ISE live authentication logs to see whether the user is authenticated by the RADIUS server. If you can use the RADIUS credentials, go to ISE > operations > authentication > records messages.

    Did you write the changes? If not, the last resort would be to RELOAD.

    ~ BR
    Jatin kone

    * Do rate helpful posts *

  • Addition of Cisco IOS Gatekeeper to Cisco TMS

    Hi people,

    Does anyone have an idea about adding a Cisco IOS Gatekeeper to Cisco TMS? I tried to add it, but no luck.  We use TMS 13.2.2 and IOS 12.4

    Thank you

    Hi Jean Claude, please refer to the TMS 13.x Product Support guide at

    http://www.cisco.com/en/US/docs/telepresence/infrastructure/tms/interoperability/Cisco_TMS_Product_Support.pdf.

    I don't see that Cisco IOS GK is tested with TMS.

    BR, Mahesh Adithiyha

  • Cisco IOS autogroups

    Hi all

    I recently added 90-odd Cisco switches to our organization's HQ installation through the HQ command line tools.  For almost half of them, the individual switch ports have been detected and HQ automatically created autogroups for the ports on the switch.  For the rest of the switches, no switch ports have been detected automatically.  As far as I know, there is no significant difference in configuration between the switches, but I'm still looking into it.  All switches are configured in central administration under the Cisco IOS platform.

    Has anyone experienced this problem with switches?  Does anyone know how the autogroup discovery process works for Cisco IOS/IOS Interface devices?

    John Miller

    Hi John,

    I think that you run into a bug that has been discussed here:
    http://communities.VMware.com/message/1937579#1937579

  • SNMP v3 & Cisco IOS

    I am trying to configure snmp v3 to monitor my cisco IOS devices
    I get the following error when I try to add configuration properties
    "The configuration has not been set for this resource due to: invalid configuration: error reported by Agent @ 10.101.11.56:2144: java.lang.UnsupportedOperationException: v3 snmp4j support not yet."
    The monitoring agent is the hyperic Server
    Server version: 3.0.2 under Windows 2003 SP1
    Agent version: 3.0.0
    What I am doing wrong?

    When HQ was open-sourced last year, we replaced our SNMP client with the SNMP4J library. Since then we've not seen SNMP v3 support.

    http://JIRA.Hyperic.com/browse/HHQ-62

    Are you able to monitor your IOS devices using v1 or v2?

    -Ryan

  • How to take a screenshot with iOS 10?

    How to take a screenshot with iOS 10?

    Press the "Home" button and the on/off button consecutively. You will notice the screen flash briefly to show that a screenshot of the page was taken.
