I could use some multi-vendor IPsec advice please.
Currently I have a single Cisco 4331 ISR acting as a VPN hub connecting 20 SonicWalls, 2 Sophos, and a connection to a classic Azure network. My goal is to create redundancy.
I'm investigating setting up HSRP on a secondary Cisco 4331 ISR to act as a backup. I'm using this as a guide (https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/17826-ipsec-feat.html).
This is how it will work:
Primary router interface failure:
Primary router interface recovers:
Why isn't everyone happy? The VPNs on the secondary router still show "UP", so the reverse routes are still redistributed on the secondary router.
The way Cisco solves this is by editing the Dead Peer Detection (DPD) timer with the command "crypto isakmp keepalive 10" (global setting). So the secondary router VPN states change to "DOWN" after 10 seconds.
My problem is that DPD isn't available on classic Azure VPNs and isn't editable on Sophos. So I can't enable DPD globally, and the VPNs won't change their state for a really long time.
Anyone have any suggestions what I should be looking at to fix this?
My company just bought a warehouse and frankly, I'm out of my comfort zone. I've never designed a network for a warehouse from scratch before so I'm reaching out to you guys...
Here are the relevant factors:
We're going to be working closely with an electrician to design and implement the cross connects, data drops, MDFs and IDFs. These are the guidelines I'm going to give them:
For the wireless, I'm going to provide a CAD drawing of the building floor plan to my VAR and have them do a predictive site survey. The survey will outline where we should place 2702e Cisco WAPs. I will then provide the survey to the electricians to run the drops and mount the APs. If the users have problems with the Wi-Fi after the inventory is moved in I'll order an active site survey to reposition the antennas.
Switching and Routing Equipment:
What do y'all think? Is anything I listed here stupid or against best practice? Any other relevant advice?
I'm new to QoS and could use some help with setting it up on a Cisco 4331 that has a 12 Mbps MPLS (L3VPN) connection.
Here are my goals:
Limit traffic out the circuit to the speed of the remote circuit. The other circuits are 1.5 Mbps, 2 Mbps and 3 Mbps.
Give priority to Voice and Citrix traffic
Limit BW-consuming applications. I would like to call out SCCM especially because it is causing problems.
Here is a map of the simplified overview of the topology: http://i.imgur.com/d8AVCpU.png
Here is my configuration so far:
```
!ACL to define remote subnets
!
ip access-list extended SHAPE_1.5Mb
 remark subnet_of_1.5Mbps_site
 permit ip any 192.168.15.0 0.0.0.255
!
ip access-list extended SHAPE_2Mb
 remark subnet_of_2Mbps_site
 permit ip any 192.168.20.0 0.0.0.255
!
ip access-list extended SHAPE_3Mb
 remark subnet_of_3Mbps_site
 permit ip any 192.168.30.0 0.0.0.255
!
!Defining class maps and matching them to the ACLs
!
class-map match-any SHAPE_1.5Mb
 match access-group name SHAPE_1.5Mb
!
class-map match-any SHAPE_2Mb
 match access-group name SHAPE_2Mb
!
class-map match-any SHAPE_3Mb
 match access-group name SHAPE_3Mb
!
policy-map MPLS_SHAPE
 class SHAPE_1.5Mb
  shape average 1425000
  service-policy QoS_POLICY
 class SHAPE_2Mb
  shape average 1900000
  service-policy QoS_POLICY
 class SHAPE_3Mb
  shape average 2850000
  service-policy QoS_POLICY
!
interface Gi0/0/1
 description MPLS Provider
 service-policy output MPLS_SHAPE
!
```
```
! (struck through in the original post; superseded by the edit below)
class-map VOIP
 match protocol rtp
 match protocol sip
class-map CITRIX
 match protocol citrix
class-map SCCM
 match access-group name SCCM_SERVERS
!
ip access-list standard SCCM_SERVERS
 permit 10.50.50.10
!
policy-map QoS_POLICY
 class VOIP
  priority percent 30
 class CITRIX
  priority percent 20
 class SCCM
  bandwidth percent 10
 class class-default
  fair-queue
```
By the way, I flat-out stole most of the config from user/routetehpacketz's comment.
Will my config work? What am I missing here?
Edit: I pasted the wrong class maps; here is the updated config:
```
! match-any is needed: a class-map defaults to match-all, which ANDs its
! match lines, and "dscp cs3" AND "dscp af31" can never both be true, so
! SIGNALING would never match anything without it.
class-map match-any VOIP
 match ip precedence 5
 match ip dscp ef
 match protocol rtp
class-map match-any SIGNALING
 match ip precedence 3
 match ip dscp cs3
 match ip dscp af31
class-map CITRIX
 match protocol citrix
class-map SCCM
 match access-group name SCCM_SERVERS
!
ip access-list standard SCCM_SERVERS
 permit 10.50.50.10
!
policy-map QoS_POLICY
 class VOIP
  priority percent 30
 class SIGNALING
  bandwidth percent 10
 class CITRIX
  bandwidth percent 20
 class SCCM
  bandwidth percent 10
 class class-default
  fair-queue
```
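As an added example (editor's code, not from the post or from the comment the config was borrowed from), here is a small Python linter for IOS MQC class-map/policy-map text. It parses a constructed config shaped like the posted QoS_POLICY and checks the thing most likely to bite here: a class-map written without the match-any keyword is match-all, so `match ip dscp cs3` and `match ip dscp af31` on separate lines are ANDed and can never both be true, which leaves SIGNALING classifying nothing. It also totals the priority/bandwidth percentages per policy-map against an assumed 75% default reservable share (the classic IOS max-reserved-bandwidth; whether a given IOS-XE release enforces it is an assumption, so the threshold is a parameter).

```python
"""Lint Cisco IOS MQC class-maps and policy-maps: flag match-all class-maps whose
dscp/precedence lines contradict each other (they can never match) and
policy-maps that reserve more than the platform's max-reserved-bandwidth."""

# Constructed sample, not from a live router: no match-any keyword, so IOS
# treats each class-map as match-all (all of its match lines are ANDed).
SAMPLE_CONFIG = """
class-map VOIP
 match ip precedence 5
 match ip dscp ef
 match protocol rtp
class-map SIGNALING
 match ip precedence 3
 match ip dscp cs3
 match ip dscp af31
!
policy-map QoS_POLICY
 class VOIP
  priority percent 30
 class SIGNALING
  bandwidth percent 10
 class class-default
  fair-queue
"""
# IOS keyword -> value tables: ef=46, csN=8N, afXY=8X+2Y; precedence names 0..7
DSCP_NAMES = {"ef": 46, "default": 0}
DSCP_NAMES.update({"cs%d" % n: 8 * n for n in range(8)})
DSCP_NAMES.update({"af%d%d" % (x, y): 8 * x + 2 * y for x in range(1, 5) for y in range(1, 4)})
PRECEDENCE_NAMES = {"routine": 0, "priority": 1, "immediate": 2, "flash": 3,
                    "flash-override": 4, "critical": 5, "internet": 6, "network": 7}

def to_value(token, names):
    """Map an IOS keyword (e.g. af31, critical) or a bare number to an int."""
    return int(token) if token.isdigit() else names[token.lower()]

def parse_mqc(config):
    """class_maps: name -> {match_any, dscp: [set], prec: [set]};
    policies: name -> {class name -> {"priority"|"bandwidth": percent}}."""
    class_maps, policies = {}, {}
    mode = cmap = policy = pclass = None
    for raw in config.splitlines():
        tokens = raw.strip().split()
        if not tokens or tokens[0].startswith("!"):
            continue
        if tokens[0] == "class-map":
            rest, match_any = tokens[1:], False          # no keyword => match-all
            if rest[0] in ("match-any", "match-all"):
                match_any, rest = rest[0] == "match-any", rest[1:]
            cmap = class_maps[rest[0]] = {"match_any": match_any, "dscp": [], "prec": []}
            mode = "cmap"
        elif tokens[0] == "policy-map":
            policy, pclass, mode = policies.setdefault(tokens[1], {}), None, "pmap"
        elif mode == "cmap" and tokens[0] == "match":
            ip = tokens[1] == "ip"                       # "match ip dscp" vs "match dscp"
            field, values = tokens[2 if ip else 1], tokens[3 if ip else 2:]
            if field == "dscp":                          # values on ONE line are ORed
                cmap["dscp"].append({to_value(v, DSCP_NAMES) for v in values})
            elif field == "precedence":
                cmap["prec"].append({to_value(v, PRECEDENCE_NAMES) for v in values})
            # protocol/access-group lines don't constrain the ToS byte; ignored here
        elif mode == "pmap" and tokens[0] == "class":
            pclass = policy.setdefault(tokens[1], {})
        elif (mode == "pmap" and pclass is not None and len(tokens) == 3
              and tokens[0] in ("priority", "bandwidth") and tokens[1] == "percent"):
            pclass[tokens[0]] = int(tokens[2])
    return class_maps, policies

def feasible_dscp(cmap):
    """DSCP values a packet can carry and still satisfy every ToS match line."""
    allowed = set(range(64))
    if cmap["match_any"]:                                # each line stands alone
        return allowed
    for line in cmap["dscp"]:                            # separate lines are ANDed
        allowed &= line
    for line in cmap["prec"]:                            # precedence = top 3 DSCP bits
        allowed = {d for d in allowed if d >> 3 in line}
    return allowed

def unsatisfiable_classes(class_maps):
    """match-all class-maps that no packet can ever match."""
    return sorted(n for n, cm in class_maps.items()
                  if (cm["dscp"] or cm["prec"]) and not feasible_dscp(cm))

def reserved_percent(policy):
    """Sum of priority and bandwidth percent across a policy-map's classes."""
    return sum(v for cls in policy.values() for v in cls.values())

def lint(config, max_reserved=75):
    """Findings as strings; 75 is the classic IOS default max-reserved-bandwidth
    (assumption: newer IOS-XE releases may not enforce the limit)."""
    class_maps, policies = parse_mqc(config)
    findings = ["class-map %s: match-all dscp/precedence lines contradict each other, "
                "never matches (use match-any)" % n for n in unsatisfiable_classes(class_maps)]
    for name, pol in policies.items():
        if reserved_percent(pol) > max_reserved:
            findings.append("policy-map %s: reserves %d%% > %d%%" % (name, reserved_percent(pol), max_reserved))
    return findings
```

Running `lint(SAMPLE_CONFIG)` reports SIGNALING as unsatisfiable and stays quiet about VOIP, because `dscp ef` (46) and `precedence 5` agree (46 >> 3 == 5), so a match-all VOIP still classifies EF-marked RTP. Re-running after inserting `match-any` on the SIGNALING class-map clears the finding, which is the fix applied to the config above.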