Triple ISP with Cisco IOS XR
Hey Cisco experts,
Greetings
I've lost my way with the RPL config and am calling on all of you to help me with how the RPL config should look for the scenario below, with 2 x ASR 9006
Outbound policy
===============
1. AS 52X accepts the local routes of the 3 providers, as well as the default route for the rest of the internet routes
2. Traffic destined to ISP-1 goes through ASR-1
3. Traffic destined to ISP-2 goes via ASR-1
4. Traffic destined to ISP-3 goes through ASR-2
5. All other traffic prefers ISP-1 of ASR-1
6. If the link to ISP-1 breaks down, the traffic should re-route via ASR-1 ISP-2
7. If the link to ISP-2 breaks down, the traffic should re-route via ASR-2 ISP-3
Inbound policy
==============
1. Traffic destined to the Internet IP subnet 91.X.X.X/24 should come via ASR-1 ISP-1
2. Traffic destined to the Internet IP subnet 92.X.X.X/24 should come via ASR-1 ISP-2
3. Traffic destined to the Internet IP subnet 93.X.X.X/24 should come via ASR-2 ISP-3
4. If an ISP or link fails, the other ISPs should route traffic to AS 52X on the internet
Thank you all
Sayed Hassan Mubarak
Which seems good now! MPIO is enabled and the two default routes will be used on a per-flow basis, and if there is good distribution it will be close to 50%.
If you want to take the bandwidth into consideration with a 2:1 ratio, you must use the DMZ link bandwidth to help BGP understand the bandwidth of each link, so instead of 50/50 it is 66/33. You can read here how to configure the DMZ link bandwidth.
Rule 5 of the BGP best path selection is the AS path: the shortest path will win.
In many cases of load balancing across paths, the different available paths have different AS path lengths, showing a shorter AS hop count to the destination. With as-path ignore we can omit the AS PATH looking like a switch to a preferred route.
AS relax would negate the rule for mpath which corresponds to two AS paths of all channels. It is also a stupid rule, since in your case you have different ISPs and they will have different AS path sets and/or lengths; each of these knobs ignores one of these two rules in the path review.
Xander
-
Dear Cisco support community,
as seen on http://www.apple.com/ipad/business/work-with-apple/cisco/
Only Spark is described here. Will there also be better call integration with Cisco Jabber?
In my opinion, they're trying to convey only Apple iOS 10's best interactive aura to Spark customers. This does not mean that Jabber for iPhone will be less functional in iOS 10.
-
Hello, my question is whether you need to configure a Cisco IOS XR-enabled router (it is a 12k series, by the way) differently on the ACS side, or whether it is added like any other normal router.
Hi Raul,
The IOS XR router will act as a NAS for the ACS, so the configuration will be the same as for any other NAS on GBA.
Kind regards
Anisha
P.S.: Please mark this thread as answered if you feel that your query is resolved
-
Cisco IOS Software Internet Key Exchange vulnerability Enquiry
Cisco IOS devices are vulnerable when you run a software image of an affected version of the Cisco IOS software that does not support the IKE version 2 (IKEv2) and is configured to use IKE version 1 (IKEv1).
Vulnerable products
This vulnerability affects the Cisco IOS Software 15.1GC, 15.1T, and 15.1XB release trains. No other Cisco IOS software release trains are affected.
Ref: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-ike
If we use a "not affected" version (for example, 12.4 or 15.0 releases) configured with IKE version 1, can it be affected by this vulnerability?
Router#sh subsys | include ikev2
ikev2_cli_registry registry 1.000.001
Thank you & best regards,
Ye
You are not affected by this vulnerability.
As described in the advisory: "There are no affected 12.4 based releases" and "There are no affected 15.0 based releases".
-
Cisco IOS router 837 - configure DDNS / dynamic DNS
I have an Internet link connected to my Cisco router. The package that I subscribed to comes with a dynamic IP address. I understand that, if I need remote access to the Cisco router, I need to enable the DDNS function. Is this possible on a Cisco router? I have been informed that this feature is not supported. Please help me
Hi Bro
Yes, Cisco ASA and Cisco IOS routers support DDNS. Just make sure you have the right version of IOS, for which you can refer to this Cisco URL: http://www.cisco.com/en/US/docs/ios/12_3/12_3y/12_3ya8/gt_ddns.html#wp1202953.
Please refer to the config below, made with dyndns.org.
!
hostname INT-RTR1
!
ip domain name dyndns.org
ip name-server 8.8.8.8
!
ip ddns update method DynDNS
 HTTP
  add http://ramraj:[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
 interval maximum 30 0 0 0
 interval minimum 30 0 0 0
!
interface Dialer1
 ip ddns update hostname INT-RTR1.dyndns.org
 ip ddns update DynDNS
!
Note: hostname = INT-RTR1.dyndns.org was the host added/registered on the dyndns.org site.
Note: Press Ctrl+V, then type the ? symbol, when entering the "add http://___" CLI line above.
Note: ramraj:cisco123 is simply an example of credentials at dyndns.org.
You can also refer to this URL for more details: http://www.petri.co.il/csc_configuring_dynamic_dns_in_cisco_ios.htm
P/S: If you find this comment useful, please rate it well :-)
-
ISA500 site-to-site IPsec VPN with Cisco ISR
Hello
I have a site-to-site VPN working with Openswan and a Cisco 2821 router, and tried to configure a site-to-site IPsec tunnel between the Cisco 2821 and an ISA550.
But without success.
My config for Openswan, just FYI, maybe not important for this problem:
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%4:!$RIGHT_SUBNET
    nhelpers=0
conn rz1
    ikev2=no
    type=tunnel
    left=%any
    leftsubnet=192.168.5.0/24
    right=
    rightsourceip=192.168.1.2
    rightsubnet=192.168.1.0/24
    keylife=28800s
    ikelifetime=28800s
    keyingtries=3
    auth=esp
    esp=aes128-sha1
    keyexchange=ike
    authby=secret
    auto=start
    ike=aes128-sha1;modp1536
    dpdaction=restart
    dpddelay=30
    dpdtimeout=60
    pfs=no
    aggrmode=no
Config Cisco 2821 for dynamic dialin:
crypto isakmp policy 1
 encr aes
 hash sha
 authentication pre-share
 group 5
 lifetime 28800
!
crypto map CMAP_1 1 ipsec-isakmp dynamic DYNMAP_1
!
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
!
crypto ipsec transform-set ESP-AES-SHA1 esp-aes esp-sha-hmac
crypto dynamic-map DYNMAP_1 1
 set transform-set ESP-AES-SHA1
 match address 102
!
crypto isakmp key address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 30 periodic
!
crypto ipsec security-association lifetime seconds 28800
!
interface GigabitEthernet0/0.4002
 crypto map CMAP_1
!
I tried a config on the ISA550 with the same constellations, but without success.
Does anyone have the same problem?
And does anyone have a tip for me, or experience with a site-to-site IPsec tunnel between an ISA550 and a Cisco 2821?
I can successfully establish a tunnel between the Openswan Linux server and the ISA550.
Patrick,
as you can see in the logs, the software behind the ISA is also Openswan.
I have an installation with an 892 ISR running, which should be the same as your 29erxx.
Use your IOS Config dynmap, penny, you are on the average nomad. If you don't have any RW clients you should add "no-xauth" on IOS after the crypto isakmp key.
Here is my setup, with roadwarrior AND 2 site-to-site.
crypto logging session
crypto logging ezvpn
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 4
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 7200
crypto isakmp key XXXX address XXXXX no-xauth
crypto isakmp key XXXX address XXXX no-xauth
!
crypto isakmp client configuration group default
 key XXXX
 dns XXXX
 pool default
 acl easyvpn_client_routes
 pfs
!
!
crypto ipsec transform-set FEAT esp-3des esp-sha-hmac
!
crypto dynamic-map VPN 20
 set transform-set FEAT
 reverse-route
!
!
crypto map VPN client authentication list default
crypto map VPN isakmp authorization list default
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp
 description VPN-1
 set peer XXX
 set transform-set FEAT
 match address internal_networks_ipsec
crypto map VPN 11 ipsec-isakmp
 description VPN-2
 set peer XXX
 set transform-set FEAT
 set pfs group2
 match address internal_networks_ipsec2
crypto map VPN 20 ipsec-isakmp dynamic VPN
!
!
Michael
Please rate all useful posts
-
Problem with Cisco ACS and different domains
Hello
We are currently facing a problem with the Cisco ACS that we put in place, and I'll try to describe it:
We have ACS linked to Active Directory, where we have 2 domains and the appropriate group mappings.
Then we have our Cisco switches with the following configuration:
aaa new-model
aaa authentication fail-message ^CCCC
Failled to authenticate!
Please contact IT Networks Group for more information.
^C
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
But the problem is that we can authenticate with the users in one domain, but not in the other. Basically, the issue is that when we check the passed authentications, both authentications are passing and displaying 'Authentic OK', but on the switch side there is a failure.
There may be something wrong with the ACS?
Thank you
Jorge
Try increasing the timeout on IOS device using radius-server timeout 10.
Do we not have remote logging enabled on the ACS server?
-Philou
-
Cisco IOS Certificate Server - is it supported on 857/877 routers
Please can someone confirm whether the Cisco IOS Certificate Server feature is supported on the Cisco 857 router. We have checked with the Software Advisor and there is no image for the 857 when the IOS Certificate Server feature is selected, but the advancedipservices image v12.4(11)T comes up for the 877.
Both the 857 and the 877 support IOS Certificate Server.
For the 857 you need the ADVANCED SECURITY feature set, 12.3(14)YT.
The 877 offers more IOS images with Certificate Server support; when I chose the Cisco IOS Certificate Server feature in Feature Navigator I got a lot of IOS images supporting this feature.
Go to Feature Navigator:
http://Tools.Cisco.com/ITDIT/CFN/JSP/index.jsp
Select search by feature and select Cisco IOS Certificate Server; you can filter the results by platform (857/877).
M.
-
Hi, we just got our newly shipped Cisco 3850 switch with IOS-XE. Here is the output of the 'show version' command.
Switch(config-if)#do show ver
Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.02.03.SE RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Mon 23-Sep-13 18:24 by prod_rel_team

Cisco IOS-XE software, Copyright (c) 2005-2013 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.
(http://www.gnu.org/licenses/gpl-2.0.html) For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.

ROM: IOS-XE ROMMON
BOOTLDR: CAT3K_CAA Boot Loader (CAT3K_CAA-HBOOT-M) Version 1.18, RELEASE SOFTWARE (P)

HK-CSW001 uptime is 4 hours, 0 minutes
Uptime for this control processor is 4 hours, 3 minutes
System returned to ROM by reload
System image file is "flash:packages.conf"
Last reload reason: Reload command

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.Cisco.com/WWL/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
[email protected].

License Level: Ipbase
License Type: Permanent
Next reload license Level: Ipbase

cisco WS-C3850-24T (MIPS) processor with 4194304K bytes of physical memory.
Processor board ID FOC2007U0YG
2 Virtual Ethernet interfaces
28 Gigabit Ethernet interfaces
4 Ten Gigabit Ethernet interfaces
2048K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
250456K bytes of Crash Files at crashinfo:.
1609272K bytes of Flash at flash:.
0K bytes of Dummy USB Flash at usbflash0:.
0K bytes of  at webui:.

Base Ethernet MAC Address          : 00:cc:fc:d1:55:80
Motherboard Assembly Number        : 73-16297-04
Motherboard Serial Number          : FOC20061W6G
Model Revision Number              : Z0
Motherboard Revision Number        : B0
Model Number                       : WS-C3850-24T
System Serial Number               : XXXXXXXXXXX

My problem is, I tried HSRP 1 before using Packet Tracer and thought that, since it succeeded, I could do it here on this new switch, but after reading a few articles HSRP 1 is gone and now it is HSRP 2, but after I typed in the
"interface vlan XXX"
"ip address XXX.XXX.XXX.XXX subnet"
the command "standby version 2" is not available, and "standby ip XXX XX" is not available either.
I'm stuck with this problem now, appreciate any help from you guys.
Thank you
The f
Hello Jeff,
We were also quite surprised when we realized that our brand new 3850 did not support HSRP. This feature was introduced in a later version of IOS-XE. Currently, we run 03.06.00.E on our WS-C3850-24T and this version supports HSRP.
I absolutely don't understand why Cisco released such an unfinished software/switch combo.
So, please try a newer version of the software.
See you soon
Ichnafi
Addendum: Cisco Feature Navigator (http://tools.cisco.com/ITDIT/CFN/jsp/by-feature-technology.jsp) says: HSRP is supported since version 3.3.0
-
Cisco IOS 12.3.5a vs IOS 12.3.3c
I have a 2621 running IP, firewall, IDS, and NAT. I opened the appropriate ports to allow a PCAnywhere client to reach the host inside the firewall. It works fine on IOS 12.3.3c and below. The connection starts, but does not complete when running 12.3.5a. Is it a problem with Cisco Control Plane Policing, which became available in IOS version 12.3.4T or later, or is there an undocumented bug in the 12.3.5 code?
There is a documented bug in 12.3(5) where the IOS FW does not allow connections initiated from outside to internal hosts. Basically, the firewall ignores the TCP SYN-ACK packet returning from the inside host, so the 3-way handshake never completes. Outbound connections initiated from inside are not affected.
Bug ID is CSCec78231, you can read about it here:
http://www.Cisco.com/cgi-bin/support/Bugtool/onebug.pl?BugID=CSCec78231&submit=search
Stick with 12.3(3) for the moment; it should already be resolved in 12.3(6) when it comes out.
-
Cisco IOS - failed login Admin
Hello
I configured Cisco IOS to authenticate via a RADIUS server (Cisco ISE). By mistake I put all authentication via RADIUS only.
Now, I can not connect via RADIUS but unable to connect through the local Admin credentials of Cisco IOS, and for this reason I am not able to access the privileged commands.
Is there a way back so that this connection by the admin (SMAP) would be possible and not via RADIUS?
I do not have access to the 'configure' and 'enable' commands as the RADIUS user.
Did that work before? BTW, what IOS code are you running?
What error do you see on the IOS command line interface when ISE is DOWN and you're trying to connect with the local user account?
Do you have local authentication as a failover method? Do you have a copy of the IOS config from before you got locked out?
You can check the ISE live authentication logs to see whether the user is authenticated by the RADIUS server. If you can use the RADIUS credentials, go to ISE > Operations > Authentications > log messages.
Did you write the changes? If not, the last resort would be to RELOAD.
~ BR
Jatin kone
* Do rate useful posts *
-
Adding Cisco IOS Gatekeeper to Cisco TMS
Hi people,
Does anyone have an idea about adding a Cisco IOS Gatekeeper to Cisco TMS? I tried to add it, but no luck. We use TMS 13.2.2 and IOS 12.4
Thank you
Hi Jean Claude, please refer to product support 13.x TMS guide of
I don't see that Cisco IOS GK is tested with TMS.
BR, Mahesh Adithiyha
-
Hi all
I recently added 90-odd Cisco switches to our organization's HQ installation through the HQ command line tools. For almost half of them, the individual switch ports were detected and HQ automatically created autogroups for the ports on the switch. For the rest of the switches, no switch ports were detected automatically. As far as I know, there is no significant difference in configuration between the switches, but I'm still looking into it. All switches are configured in central administration under the Cisco IOS platform.
Has anyone experienced this problem with switches? Does anyone know how the autogroup discovery process works for Cisco IOS/IOS Interface devices?
John Miller
Hi John,
I think that you have run into a bug that has been discussed here:
http://communities.VMware.com/message/1937579#1937579
-
I am trying to configure SNMP v3 to monitor my Cisco IOS devices
I get the following error when I try to add configuration properties
"The configuration has not been set for this resource due to: invalid configuration: error reported by Agent @ 10.101.11.56:2144: java.lang.UnsupportedOperationException: v3 snmp4j support not yet."
The monitoring agent is the Hyperic server
Server version: 3.0.2 under Windows 2003 SP1
Agent version: 3.0.0
What am I doing wrong?
When HQ was open-sourced last year we replaced our SNMP client with the SNMP4J library. Since then we have not seen the SNMP v3 support.
http://JIRA.Hyperic.com/browse/HHQ-62
Are you able to monitor your IOS devices using v1 or v2?
-Ryan
-
How to take a screenshot with iOS 10?
Press the "Home" button and the Start/Stop button consecutively. You will notice the screen fade a little to show you a screenshot of the page.