Cisco & Cisco Network Hardware News and Technology

Cisco ASA 5500-X Model Comparison: ASA 5525-X vs. ASA 5545-X vs. ASA 5555-X

July 30 2014 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Compared with the earlier ASA 5500 series, the Cisco ASA 5500-X next-generation firewall adds several services: Application Visibility and Control (AVC) to control specific behaviors within allowed micro-applications, Web Security Essentials (WSE) to restrict web and web-application usage based on the reputation of the site, and Intrusion Prevention (IPS) to provide critical threat protection against Internet-edge attacks on your computing systems. Through Cisco Security Intelligence Operations (SIO), these services provide web reputation that protects against zero-day threats.

  1. Cisco Prime Security Manager can now be used to centrally manage core ASA-X features along with Next-Generation services such as Application Visibility and Control, Web Security and IPS.
  2. ASA IPS is the only context-aware IPS that uses device awareness, network reputation of the source, target value and user identity to drive mitigation decisions and provides proactive protection against threats. It uses a combination of on- and off-box intelligence and does not require an additional hardware module.
  3. 4x increase in firewall throughput protects users as their current and future data consumption demands increase.
  4. Redundant power supplies (on the ASA 5545-X and 5555-X appliances) protect against power outages.
  5. Multicore enterprise-class CPUs deliver better performance.
  6. Additional copper and small form-factor pluggable (SFP) Gigabit Ethernet ports provide greater flexibility for network configuration.
  7. Cisco Cloud Web Security provides unmatched web security, application visibility and control for organizations of all sizes through a network of global data centers.
  8. Cisco AnyConnect enables seamless secure remote access by providing an always-on secure connectivity experience across a broad set of desktop and mobile devices.

 

Your business, regardless of size, can get an end-to-end network security solution with the Cisco ASA 5500-X Series Next-Generation Firewalls. But which model: Cisco ASA 5525-X, ASA 5545-X or ASA 5555-X? The comparison table below shows the differences between the three and should help you find the right one.

Cisco ASA Model | ASA 5525-X | ASA 5545-X | ASA 5555-X
Stateful inspection throughput (max) [1] | 2 Gbps | 3 Gbps | 4 Gbps
Stateful inspection throughput (multiprotocol) [2] | 1 Gbps | 1.5 Gbps | 2 Gbps
Next-generation throughput (multiprotocol) [3] | 650 Mbps | 1 Gbps | 1.4 Gbps
ASA IPS throughput [4] | 600 Mbps (extra hardware module not required) | 900 Mbps (extra hardware module not required) | 1.3 Gbps (extra hardware module not required)
Concurrent sessions | 500,000 | 750,000 | 1,000,000
Connections per second | 20,000 | 30,000 | 50,000
Packets per second (64 byte) | 700,000 | 900,000 | 1,100,000
3DES/AES VPN throughput [5] | 300 Mbps | 400 Mbps | 700 Mbps
Site-to-site and IPsec IKEv1 client VPN user sessions | 750 | 2,500 | 5,000
AnyConnect or clientless VPN user sessions [6] (AnyConnect license required) | 750 | 2,500 | 5,000
Cisco Cloud Web Security users | 500 | 1,500 | 3,000
VLANs | 200 | 300 | 500
High-availability support [7] | A/A and A/S | A/A and A/S | A/A and A/S
Integrated I/O | 8-port 10/100/1000 | 8-port 10/100/1000 | 8-port 10/100/1000
Expansion I/O | 6-port 10/100/1000 or 6-port GE (SFP) | 6-port 10/100/1000 or 6-port GE (SFP) | 6-port 10/100/1000 or 6-port GE (SFP)
Dual power supplies | Not available | Yes | Yes
Power | AC/DC | AC/DC | AC/DC

[1] Maximum throughput with UDP traffic measured under ideal test conditions.
[2] Multiprotocol = traffic profile consisting primarily of TCP-based protocols or applications such as HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS.
[3] Throughput was measured using ASA CX Software Release 9.1.1 with a multiprotocol traffic profile, with both Application Visibility and Control (AVC) and Web Security Essentials (WSE) enabled and traffic logging enabled.
[4] Firewall traffic that does not go through the IPS service can have higher throughput.
[5] VPN throughput and session count depend on the ASA device configuration and VPN traffic patterns; take these into account in your capacity planning. Maximum throughput numbers are based on IPsec IKEv1 remote-access VPN connectivity.
[6] 2 AnyConnect Premium user licenses are included by default.
[7] A/A = Active/Active; A/S = Active/Standby.

 

More Related Cisco ASA Firewall Topics:

Does Cisco ASA 5500-X Series Support Both IPS and AVC/WSE in One Box?

ASA 5505 vs. ASA 5510 vs. ASA 5512-X vs. ASA 5515-X

Cisco ASA5510 Vs ASA5512-X or Cisco 5515-X

Cisco ASA 5500-X vs. ASA 5500


Basic ASA 5505 Configuration

July 28 2014 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

In this article we will share basic information and tips on ASA 5505 firewall configuration. As we know, Cisco ASA devices can be configured and managed using either the command-line interface (CLI) or the Adaptive Security Device Manager (ASDM) GUI.

The ASA CLI is a proprietary OS which has a similar look and feel to the router IOS.

There are many similar commands between the ASA CLI and the IOS CLI. There are also many different commands.

The Cisco ASA contains a command set structure similar to that of a Cisco IOS router and offers the following access modes:

User EXEC mode - ciscoasa>  (enter "en" to reach privileged EXEC mode)
Privileged EXEC mode - ciscoasa#  (enter "config t" to reach global configuration mode)
Global configuration mode - ciscoasa(config)#
Various sub-configuration modes, for example - ciscoasa(config-if)#
ROMMON mode - ROMMON>  (Read-Only-Memory Monitor mode)

 

Unlike an ISR, the ASA performs as follows:
-Execute any ASA CLI command regardless of the current configuration mode prompt. The IOS "do" command is not required or recognized.
-Provide a brief description and command syntax when help is entered followed by the command. For example, typing help reload will display the command syntax for reload, a description, and the supported arguments.
-Interrupt show command output using Q. The IOS requires the use of Ctrl+C (^C).

In ROMMON mode, an administrator can use a TFTP server to load a system image into the security appliance. ROMMON mode is also used to recover the system password.

IOS Router Command | Equivalent ASA Command
erase startup-config | write erase
enable secret | enable password
line con 0 / password password / login | passwd password
show ip interfaces brief | show interfaces ip brief
show ip route | show route
show ip nat translations | show xlate
show vlan | show switch vlan
ip route | route outside
Ctrl+C | Q


The ASA 5505 ships with a default configuration that, in most cases, is sufficient for a basic SOHO deployment.

The configuration includes two preconfigured VLAN networks: VLAN1 and VLAN2.
VLAN 1 is for the inside network and VLAN 2 is for the outside network.

The inside interface also provides DHCP addressing and NAT features. Clients on the inside network obtain a dynamic IP address from the ASA so that they can communicate with each other and with devices on the Internet. 

Specifically, the default factory configuration for the ASA 5505 sets up the following:
*A default host name of ciscoasa.
*Blank console and enable passwords.
*An inside VLAN 1 interface that includes the Ethernet 0/1 through 0/7 switch ports. The VLAN 1 IP address and mask are 192.168.1.1 and 255.255.255.0.
*An outside VLAN 2 interface that includes the Ethernet 0/0 switch port. VLAN 2 obtains its IP address from the ISP using DHCP.
*A default route derived from DHCP.
*Interface PAT, so that all inside IP addresses are translated when accessing the outside.
*The HTTP server, to support ASDM access.
*An internal DHCP server that provides addresses between 192.168.1.5 and 192.168.1.36 to hosts connected to the VLAN 1 interface.


The ASA can be restored to its factory default configuration by using the global configuration command:

configure factory-default

 

The ASA startup configuration can be erased using the commands:

write erase   and   reload

 

Once rebooted, the ASA displays the following prompt "Pre-configure Firewall now through interactive prompts [yes]?" 

Basic Config

hostname name - Changes the host name of the ASA.
clock set 8:05:00 3 OCT 2011 - Sets the system clock manually (example values).
domain-name name - Changes the domain name.
enable password password - Configures the privileged EXEC mode password. Note that there is no secret option.
passwd password - Configures the Telnet / SSH password.
key config-key password-encryption [new-passphrase [old-passphrase]] - Creates or changes the master passphrase used to encrypt all passwords with AES.
password encryption aes - Enables AES encryption of the stored passwords with that master passphrase (similar in purpose to IOS service password-encryption).

 

Configure the Interfaces (vlan interfaces)

interface vlan <vlan-number> - Creates a switch virtual interface (SVI).
nameif <name>                - Assigns a name to the SVI interface.
security-level <value>       - Assigns a security level to the SVI interface
no shutdown                  - enables the Layer 2 port

show switch vlan
show interface
show int ip brief

 

IP address config

ip address ip-address netmask - Assigns the address manually.
ip address dhcp - Obtains the address using DHCP.
ip address dhcp setroute - Also requests and installs a default route to the upstream device.
ip address pppoe - Obtains the address using PPPoE.
ip address pppoe setroute - Also requests and installs a default route.

 

CAUTION: An ASA 5505 with a Base license does not allow three fully functioning VLAN interfaces to be created.

Default route
If the ASA is configured as a DHCP client, it can receive and install a default route from the upstream device.
Otherwise, a default static route must be configured with the command:

route interface-name 0.0.0.0 0.0.0.0 next-hop-ip-address
route outside 0.0.0.0 0.0.0.0 209.195.0.1 - Example: default route via the outside interface.
show route - Verifies the routing table.

 

Configure Telnet Access

passwd password - Configures the Telnet / SSH password.
telnet ip-address subnet-mask interface-name - Identifies which hosts can telnet to the ASA, and on which interface.
telnet 0.0.0.0 0.0.0.0 management - Example: allows any host on the management interface.
telnet timeout minutes - Alters the default exec timeout of 5 minutes.

 

SSH is also supported but requires AAA authentication to be enabled. 

username name password password - Creates a local database entry.
aaa authentication ssh console LOCAL - Configures SSH to use the local database for authentication. The LOCAL keyword is case sensitive and is a predefined server tag.
crypto key generate rsa modulus 1024 - Generates the RSA key pair required for SSH.
ssh ip-address subnet-mask interface-name - Identifies which hosts can SSH to the ASA, and on which interface.
ssh timeout minutes - Alters the default exec timeout of 5 minutes.
show ssh - Displays the SSH configuration.

 

Configure NTP Services

ntp server ip-address - Identifies the NTP server address.
ntp authentication-key key-id md5 key - Configures an authentication key number and its key string.
ntp trusted-key key-id - Identifies which configured key is to be trusted.
ntp authenticate - Enables NTP authentication.
show ntp status - Displays the clock synchronization state.
show ntp associations - Displays the configured servers and their state.

 

Configure DHCP Services
An ASA can be configured to be a DHCP client and a DHCP server. 
DHCP Server

dhcpd enable inside - Enables the DHCP server service (daemon) on the inside interface of the ASA.
dhcpd address [start-of-pool]-[end-of-pool] inside - Defines the pool of IP addresses and assigns it to the inside interface. Note that the start-of-pool and end-of-pool addresses are separated by a hyphen.

 

Note: The ASA 5505 Base license is a 10-user license and therefore the maximum number of DHCP clients supported is 32.

DHCP options such as DNS, domain name, WINS, and lease time can all be configured manually as follows:
dhcpd domain domain-name - Configures the DNS domain name.
dhcpd dns dns-ip-address - Configures the DNS server IP address.
dhcpd wins wins-ip-address - Configures the WINS server address.
dhcpd lease seconds - Configures the lease time in seconds. The default is 3600 seconds (1 hour).
dhcpd option code value - Configures a DHCP option by its code. Option codes are in the range 0 - 250.

 

If the ASA outside interface was configured as a DHCP client, then the dhcpd auto_config outside global configuration command can be used to pass DNS, WINS, and domain information obtained from the DHCP client on the outside interface to the DHCP clients on the inside interface.

 

Verify

show dhcpd state - Displays the current DHCP state for inside and outside interfaces.
show dhcpd binding - Displays the current DHCP bindings of inside users.
show dhcpd statistics - Displays the current DHCP statistics.

 

To clear the DHCP bindings or statistics, use the commands

clear dhcpd binding
clear dhcpd statistics
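As an added example (not part of the original post), the following Python check reads a command set like the one walked through above and flags the settings a reviewer would push back on: Telnet at all (cleartext), management access permitted from 0.0.0.0 0.0.0.0, a 1024-bit SSH key, SSH access lines without the AAA command, NTP without authentication, a blank enable password, and a DHCP pool larger than the 32-client Base-license limit. Both command sets are constructed for this example; the `ntp server ... key` form is assumed from standard ASA syntax rather than taken from the page.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the commands from the walkthrough above, entered with
# permissive values (not taken from any real device).
WEAK_ASA_COMMANDS = """\
hostname ciscoasa
passwd cisco
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
crypto key generate rsa modulus 1024
ntp server 192.0.2.10
dhcpd address 192.168.1.5-192.168.1.100 inside
dhcpd enable inside
"""

# Constructed sample: the same device with each setting tightened. The
# "ntp server <ip> key <id>" form is standard ASA syntax not shown on the page.
HARDENED_ASA_COMMANDS = """\
hostname branch-asa
enable password S3cure-Enable-Pw
username admin password S3cure-Admin-Pw
aaa authentication ssh console LOCAL
crypto key generate rsa modulus 2048
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ntp authentication-key 1 md5 NtpSharedSecret
ntp trusted-key 1
ntp authenticate
ntp server 192.0.2.10 key 1
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
"""

MAX_DHCP_CLIENTS_BASE = 32  # ASA 5505 Base (10-user) license limit quoted above
MIN_RSA_MODULUS = 2048      # the 1024-bit key in the walkthrough is below current guidance
IPV4 = r"\d+\.\d+\.\d+\.\d+"


def audit_asa(commands: str) -> list:
    """Return finding codes for the weak settings present in an ASA command set."""
    cmds = [c.strip() for c in commands.splitlines() if c.strip()]

    def has(prefix):
        return any(c == prefix or c.startswith(prefix + " ") for c in cmds)

    findings = []
    # The factory default ships with a blank enable password; require one.
    if not any(re.fullmatch(r"enable password \S+.*", c) for c in cmds):
        findings.append("ENABLE_PASSWORD_BLANK")

    for c in cmds:
        m = re.fullmatch(rf"(telnet|ssh) ({IPV4}) ({IPV4}) (\S+)", c)
        if m:
            proto, ip, mask, iface = m.groups()
            if proto == "telnet":  # Telnet carries credentials in cleartext
                findings.append(f"TELNET_CLEARTEXT:{iface}")
            if ip_network(f"{ip}/{mask}", strict=False).prefixlen == 0:
                findings.append(f"{proto.upper()}_FROM_ANY:{iface}")
            if iface == "outside":
                findings.append(f"{proto.upper()}_ON_OUTSIDE")
        m = re.fullmatch(r"crypto key generate rsa modulus (\d+)", c)
        if m and int(m.group(1)) < MIN_RSA_MODULUS:
            findings.append(f"RSA_MODULUS_WEAK:{m.group(1)}")
        m = re.fullmatch(rf"dhcpd address ({IPV4})-({IPV4}) (\S+)", c)
        if m:
            size = int(ip_address(m.group(2))) - int(ip_address(m.group(1))) + 1
            if size > MAX_DHCP_CLIENTS_BASE:
                findings.append(f"DHCP_POOL_EXCEEDS_LICENSE:{size}")

    # The walkthrough notes that SSH requires AAA; flag SSH access lines without it.
    if any(re.match(rf"ssh {IPV4} ", c) for c in cmds) and not has("aaa authentication ssh console"):
        findings.append("SSH_WITHOUT_AAA")
    # Unauthenticated NTP accepts time from any responder, which also skews log timestamps.
    if has("ntp server") and not has("ntp authenticate"):
        findings.append("NTP_UNAUTHENTICATED")
    return findings
```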

 

Reference: http://sclabs.blogspot.com/2013/01/chapter-10-implementing-cisco-adaptive.html

 

More Cisco ASA Reviews and Topics

Cisco ASA IPS Module Configuration

WAYS to Help You Set Up Your Small, Medium and Large Networks

Cisco ASA Failover, Failover Modes & ASA Failover Configuration

ASA Routed vs. Transparent

ASA 5505 vs. ASA 5510 vs. ASA 5512-X vs. ASA 5515-X

Does Cisco ASA 5500-X Series Support Both IPS and AVC/WSE in One Box?


The Feature Licenses Available for Main Cisco ASA 5500 Models

July 23 2014 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco License

How do you obtain a license activation key, and how do you activate it? These questions are raised constantly by Cisco users. The Cisco ASA 5500 series remains popular today: although the next-generation ASA 5500-X series is available, many people still choose ASA 5500 models, and upgrading an ASA 5500 license is a common task for those who want to broaden their appliance's functions. What license features does each ASA 5500 model offer? Here we list the feature licenses available for the main Cisco ASA 5500 models: ASA 5505, ASA 5510, ASA 5520, ASA 5540 and ASA 5550.

ASA 5505

ASA 5505 License Features 

Licenses | Base License | Security Plus License
Firewall Licenses
Botnet Traffic Filter | Disabled; optional time-based license: available | Disabled; optional time-based license: available
Firewall Conns, Concurrent | 10,000 | 25,000
GTP/GPRS | No support | No support
Intercompany Media Eng. | Disabled; optional license: available | Disabled; optional license: available
UC Phone Proxy Sessions, Total UC Proxy Sessions | 2; optional license: 24 | 2; optional license: 24
VPN Licenses
Adv. Endpoint Assessment | Disabled; optional license: available | Disabled; optional license: available
AnyConnect for Cisco VPN Phone | Disabled; optional license: available | Disabled; optional license: available
AnyConnect Essentials | Disabled; optional license: available (25 sessions) | Disabled; optional license: available (25 sessions)
AnyConnect for Mobile | Disabled; optional license: available | Disabled; optional license: available
AnyConnect Premium (sessions) | 2; optional permanent or time-based licenses: 10, 25 | 2; optional permanent or time-based licenses: 10, 25
Other VPN (sessions) | 10 | 25
Total VPN (sessions), combined all types | up to 25 [1] | up to 25
VPN Load Balancing | No support | No support
General Licenses
Encryption | Base (DES); optional license: Strong (3DES/AES) | Base (DES); optional license: Strong (3DES/AES)
Failover | No support | Active/Standby (no stateful failover)
Security Contexts | No support | No support
Clustering | No support | No support
Inside Hosts, concurrent [2] | 10 [3]; optional licenses: 50, Unlimited | 10 [3]; optional licenses: 50, Unlimited
VLANs, maximum | Routed mode: 3 (2 regular and 1 restricted); Transparent mode: 2 | Routed mode: 20; Transparent mode: 3 (2 regular and 1 failover)
VLAN Trunks, maximum | No support | 8 trunks

[1] The total number of VPN sessions depends on your licenses. If you enable AnyConnect Essentials, then the total is the model maximum of 25. If you enable AnyConnect Premium, then the total is the AnyConnect Premium value plus the Other VPN value, not to exceed 25 sessions.
[2] In routed mode, hosts on the inside (Business and Home VLANs) count toward the limit when they communicate with the outside (Internet VLAN), including when the inside initiates a connection to the outside as well as when the outside initiates a connection to the inside. Note that even when the outside initiates a connection to the inside, outside hosts are not counted toward the limit; only the inside hosts count. Hosts that initiate traffic between Business and Home are also not counted toward the limit. The interface associated with the default route is considered to be the outside Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted toward the host limit. Use the show local-host command to view host limits.
[3] For a 10-user license, the max. DHCP clients is 32. For 50 users, the max. is 128. For unlimited users, the max. is 250, which is the max. for other models.

 

 

ASA 5510

ASA 5510 License Features 

Licenses | Base License | Security Plus License
Firewall Licenses
Botnet Traffic Filter | Disabled; optional time-based license: available | Disabled; optional time-based license: available
Firewall Conns, Concurrent | 50,000 | 130,000
GTP/GPRS | No support | No support
Intercompany Media Eng. | Disabled; optional license: available | Disabled; optional license: available
UC Phone Proxy Sessions, Total UC Proxy Sessions | 2; optional licenses: 24, 50, 100 | 2; optional licenses: 24, 50, 100
VPN Licenses
Adv. Endpoint Assessment | Disabled; optional license: available | Disabled; optional license: available
AnyConnect for Cisco VPN Phone | Disabled; optional license: available | Disabled; optional license: available
AnyConnect Essentials | Disabled; optional license: available (250 sessions) | Disabled; optional license: available (250 sessions)
AnyConnect for Mobile | Disabled; optional license: available | Disabled; optional license: available
AnyConnect Premium (sessions) | 2; optional permanent or time-based licenses: 10, 25, 50, 100, 250; optional shared licenses: Participant or Server (for the Server: 500-50,000 in increments of 500; 50,000-545,000 in increments of 1000) | 2; optional permanent or time-based licenses: 10, 25, 50, 100, 250; optional shared licenses: Participant or Server (for the Server: 500-50,000 in increments of 500; 50,000-545,000 in increments of 1000)
Total VPN (sessions), combined all types | 250 | 250
Other VPN (sessions) | 250 | 250
VPN Load Balancing | No support | Supported
General Licenses
Encryption | Base (DES); optional license: Strong (3DES/AES) | Base (DES); optional license: Strong (3DES/AES)
Failover | No support | Active/Standby or Active/Active
Interfaces of all types, Max. | 364 | 564
Interface Speed | All: Fast Ethernet | Ethernet 0/0 and 0/1: Gigabit Ethernet [1]; Ethernet 0/2, 0/3, 0/4 (and others): Fast Ethernet
Security Contexts | No support | 2; optional licenses: 5
Clustering | No support | No support
VLANs, Maximum | 50 | 100

[1] Although the Ethernet 0/0 and 0/1 ports are Gigabit Ethernet, they are still identified as "Ethernet" in the software.

 

ASA 5520

ASA 5520 License Features 

Licenses | Base License
Firewall Licenses
Botnet Traffic Filter | Disabled; optional time-based license: available
Firewall Conns, Concurrent | 280,000
GTP/GPRS | Disabled; optional license: available
Intercompany Media Eng. | Disabled; optional license: available
UC Phone Proxy Sessions, Total UC Proxy Sessions | 2; optional licenses: 24, 50, 100, 250, 500, 750, 1000
VPN Licenses
Adv. Endpoint Assessment | Disabled; optional license: available
AnyConnect for Cisco VPN Phone | Disabled; optional license: available
AnyConnect Essentials | Disabled; optional license: available (750 sessions)
AnyConnect for Mobile | Disabled; optional license: available
AnyConnect Premium (sessions) | 2; optional permanent or time-based licenses: 10, 25, 50, 100, 250, 500, 750; optional shared licenses: Participant or Server (for the Server: 500-50,000 in increments of 500; 50,000-545,000 in increments of 1000)
Total VPN (sessions), combined all types | 750
Other VPN (sessions) | 750
VPN Load Balancing | Supported
General Licenses
Encryption | Base (DES); optional license: Strong (3DES/AES)
Failover | Active/Standby or Active/Active
Interfaces of all types, Max. | 764
Security Contexts | 2; optional licenses: 5, 10, 20
Clustering | No support
VLANs, Maximum | 150

For the ASA 5540 and ASA 5550 licenses, see the Cisco reference at http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/license/license_management/license.html

More Cisco License Topics

General Features of Cisco ASA Licensing

How to Activate a Cisco License?


Cisco 812 vs. Cisco 819 vs. Cisco 860VAE

July 14 2014 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Routers

Although most Cisco 800 Series models have reached end of life and end of sale, the series is still popular among Cisco users who need to practice for the CCNA or set up a network for a branch office. The Cisco 800 Series ISRs come in various fixed configurations and deliver a consistent experience across heterogeneous deployment scenarios, feature requirements, performance levels and use cases.

Cisco 800 Series ISRs are available in a wide variety of performance, price, and feature tiers. The 800 Series ISR can meet almost any requirement.

Specifications at a Glance, Cisco 800 Series ISRs

860 Series (Entry-Level Fixed ISR)

  • Basic features, security performance, and connectivity for teleworkers and small branch offices of 10 users or fewer
  • Ideal for service provider-managed entry-level services

880 Series (Flagship Fixed ISR)

  • Advanced features, industry standard performance, and connectivity
  • Ideal for enterprises, small businesses, and service provider-managed services

890 Series (Premium Fixed ISR)

  • Industry-leading features and performance for enterprises, small and medium-sized businesses, and service providers
  • Exceptional fixed routers that come with a comprehensive feature set and offer high performance

810 Series (Smallest Cisco Fixed ISR)

  • Ideal for machine-to-machine and device-to-device deployments such as ATMs, point-of-sale, and other applications that help enable the "Internet of Things", where devices talk to each other with little intervention or human supervision.

Cisco 800 Series ISR solutions are ideal for small branch offices needing voice connectivity delivered by managed-service providers.

In this article we compare three Cisco 800 Series routers: the Cisco 812, Cisco 819 and Cisco 860VAE. The comparison below shows their features and highlights side by side.

[Image: Cisco 800 Series Routers: 812, 819 and 860VAE]

Cisco 800 Series Routers | 812 | 819 | 860VAE
Typical deployment | Integrated wireless solutions (cellular plus Wi-Fi) for service providers and enterprises | Machine to machine and ruggedized small form-factor cellular deployments | Enterprise teleworker or service provider managed CPE
Typical number of users | 1 executive up to 20 employees | 1-20 remote teleworkers | 1-10 enterprise teleworkers
Performance positioning | Up to 15 Mbps | Up to 15 Mbps | Up to 10 Mbps
WAN
Ethernet | Gigabit Ethernet 10/100/1000 | Gigabit Ethernet 10/100/1000 | Gigabit Ethernet 10/100/1000
VDSL2/ADSL2+ | - | - | Multimode VDSL2, ADSL2+, ADSL2 & ADSL1
SHDSL | - | - | -
Fiber | - | - | -
3G/4G LTE | 3.7G HSPA+ or 3G EVDO | 3.5G/3.7G HSPA+ or 3G EVDO or LTE | -
Serial | - | Cisco 12:1 Smart serial | -
LAN
Ports | - | 4 | 5
802.11 wireless | Dual-band concurrent 2.4/5.0 GHz 802.11n Wi-Fi with DFS/CleanAir (Q4CY2012) | Dual-band concurrent 2.4/5.0 GHz 802.11n Wi-Fi with DFS/CleanAir (Q4CY2012) | Dual-band concurrent 2.4/5.0 GHz 802.11n Wi-Fi (Q1CY2013)
Voice | - | - | -
PoE | - | - | -
Software Features
Routing protocols | RIPv1, v2, BGP, OSPF, EIGRP | RIPv1, v2, BGP, OSPF, EIGRP | RIPv1, v2, BGP
IPv6 | Yes | Yes | Yes
Advanced IP services | Default | Default | No
Video/medianet | Ready | Ready | No
Security
VPN support | GETVPN, DMVPN included | GETVPN, DMVPN included | Easy VPN, IPsec VPN on highly secure router
ScanSafe | Ready | Ready | Ready, Secure Router
IPsec tunnels | 20 | 20 | 10
SSL VPN | With license | With license | No
Content filtering | With license | With license | No
Application Experience
Integrated WAN optimization - Cisco WAAS Express | 1.5 Mbps optimized; 50 TCP connections, license included with all 812 models | 1.5 Mbps optimized; 50 TCP connections, included with 819H or with license for 819 | No
Application Visibility and Control (AVC) | No | No | No
IOS high-availability features | Yes | Yes | No
Physical Attributes
Maximum dimensions | 2.01 x 8.95 x 9.49 in. | 1.73 x 7.7 x 8.1 in. | 1.75 x 9.5 x 9.0 in.
Maximum weight | 4 lb (1.8 kg) | 3.2 lb (1.5 kg) | 5.5 lb (2.5 kg)
Fanless | Yes | Yes | Yes
Optional hardened form factor | No | Yes | No

 

More Related Cisco 800 Series Comparison

Cisco 880 Model Comparison


How to Connect 2 Routers and 3 Switches Correctly?

July 2 2014 , Written by Cisco & Cisco Router, Network Switch Published on #Networking

How do you connect 2 routers and 3 switches correctly? It's a common question for users setting up or resetting their network. What are your experience and suggestions? One of the Cisco champions, Hamza, shared his problem connecting 2 routers and 3 switches, and other Cisco champions discussed it together. Let's check it out. Any ideas? Welcome…

The problem is: “I know how to connect a router with two switches and they're able to communicate successfully. But if I extend the scenario to two routers and three switches, they don't communicate…

Consider the scenario details in the image

[Image: How to Connect 2 Routers and 3 Switches]

The thing is, router 1 is unable to communicate with the third network. Similarly, the third network is unable to communicate with the first one.”

Adam Loveless: My guess would be that you need to configure some routing. Please either post your sanitized configs or the Packet Tracer file.

Kev Santillan: Hello, you need some form of routing. A router will make its decision based on the information that it has in its own routing table. If Router 1 or Router 0 does not have a route to each remote network, then you will not be able to establish communication. Either use static routes or a routing protocol.

I also noticed that you have the same address (172.16.1.1) for both routers. Is this just a typo?

…Hamza uploaded the pkt file


Kev Santillan (again): The reason why the routes are not learned by each node is because you have assigned a duplicate address (172.16.1.1) to the interfaces that are in the same segment. Change the address of one of the routers to any other address within the 172.16.1.0 /24 subnet and things will work as expected.

Hamza: So basically they should be of the same class in order to work, but not the same ID, i.e. the gateway?

Chandan Singh Takuli: A router connects 2 different networks, of any class or classless. If you know A and I know A too, why would I ask you? The same happens in routers too.

Every router must have all of its interfaces in different networks, and every port must have a unique IP in a single topology or network, so that it can be identified accurately and reached.

A gateway is just like the door of a room; a single network/subnet is like a room. So when you want to go to another network or room, you need to go through the gateway or door of the room.

The gateway IP must be a part/IP of the source network/subnet.

 

More than this problem

Rick raised his question: to Kev and Chandan: I tried that out-change one of the router interfaces from 172.16.1.1 to 172.16.1.4. But ping from far left hosts still can't reach far right hosts.  And for the two hosts in the middle, what default gateway can they use?

Kev Santillan: Hi Rick, ‘I tried that out-change one of the router interfaces from 172.16.1.1 to 172.16.1.4.  But ping from far left hosts still can't reach far right hosts.’ I believe modifying either of the addresses in Hamza's file should make things work immediately. Note that he is using /16 for the 172.16.X.X network. Check the mask that you have specified. Otherwise, please share the PT file.

‘And for the two hosts in the middle, what default gateway can they use?’ They can use either of the routers' addresses. If the "middle LAN" uses Router 2's address as the DG and tries to reach non-local networks, it will always pass through Router 2 first before being routed elsewhere. You can also use HSRP to have one dedicated gateway address but the logic will be the same. The active router will be the one to route traffic accordingly.

What’s your idea? Share here…

Discussion from https://learningnetwork.cisco.com/thread/72202?tstart=0
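The rules the thread converges on (no duplicate address on a shared segment, every interface of a router in a distinct network, a host's gateway inside the host's own subnet, and Kev's "check the mask" hint) as an added Python check over a constructed Packet Tracer-style topology. This is example code written for this page, not from the thread; router names, interface names and addresses are invented, modelled on the 172.16.1.1 duplicate and the /16 mask mentioned above.

```python
from itertools import combinations
from ipaddress import ip_address, ip_interface

# Constructed topology modelled on the thread (not Hamza's actual file):
# Router0 and Router1 share the middle LAN and each serves a LAN on its far
# side. Both were given 172.16.1.1 on the shared /16 segment, the duplicate
# Kev Santillan identified.
BROKEN_ROUTERS = {
    "Router0": {"Fa0/0": "192.168.10.1/24", "Fa0/1": "172.16.1.1/16"},
    "Router1": {"Fa0/0": "172.16.1.1/16", "Fa0/1": "192.168.30.1/24"},
}
# The suggested fix: keep the subnet, change one of the two addresses.
FIXED_ROUTERS = {
    "Router0": {"Fa0/0": "192.168.10.1/24", "Fa0/1": "172.16.1.1/16"},
    "Router1": {"Fa0/0": "172.16.1.2/16", "Fa0/1": "192.168.30.1/24"},
}
# Rick's variant: the address was changed, but Router1 now carries a /24 while
# Router0 still has /16 on the same wire ("check the mask that you have specified").
MASK_MISMATCH_ROUTERS = {
    "Router0": {"Fa0/0": "192.168.10.1/24", "Fa0/1": "172.16.1.1/16"},
    "Router1": {"Fa0/0": "172.16.1.4/24", "Fa0/1": "192.168.30.1/24"},
}
# Hosts as (address/prefix, default gateway). PC-wrong points at a gateway
# outside its own subnet, which Chandan's rule forbids.
HOSTS = {
    "PC-left": ("192.168.10.10/24", "192.168.10.1"),
    "PC-middle": ("172.16.1.50/16", "172.16.1.2"),
    "PC-right": ("192.168.30.10/24", "192.168.30.1"),
    "PC-wrong": ("192.168.30.11/24", "172.16.1.1"),
}


def _all_interfaces(routers):
    return [(r, i, ip_interface(c)) for r, ifs in routers.items() for i, c in ifs.items()]


def duplicate_addresses(routers):
    """{address: [(router, iface), ...]} for every address assigned more than once."""
    seen = {}
    for r, i, intf in _all_interfaces(routers):
        seen.setdefault(str(intf.ip), []).append((r, i))
    return {ip: where for ip, where in seen.items() if len(where) > 1}


def overlapping_interfaces(routers):
    """Interface pairs on one router whose networks overlap (each must sit in a distinct network)."""
    problems = []
    for r, ifs in routers.items():
        for (a, ca), (b, cb) in combinations(ifs.items(), 2):
            if ip_interface(ca).network.overlaps(ip_interface(cb).network):
                problems.append((r, a, b))
    return problems


def mask_mismatches(routers):
    """Interfaces on different routers that share a segment but derive different networks from their masks."""
    out = []
    for (ra, ia, ifa), (rb, ib, ifb) in combinations(_all_interfaces(routers), 2):
        na, nb = ifa.network, ifb.network
        if ra != rb and na.overlaps(nb) and na != nb:
            out.append((ra, ia, rb, ib))
    return out


def bad_gateways(hosts):
    """Hosts whose default gateway is not an address inside their own subnet."""
    return sorted(h for h, (cidr, gw) in hosts.items()
                  if ip_address(gw) not in ip_interface(cidr).network)


def topology_ok(routers, hosts):
    """True only when none of the four checks reports a problem."""
    return not (duplicate_addresses(routers) or overlapping_interfaces(routers)
                or mask_mismatches(routers) or bad_gateways(hosts))
```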

 

More Cisco hardware Topics

WAYS to Help You Set Up Your Small, Medium and Large Networks

How to Connect the Console Port to a PC?

How to Start a Cisco Catalyst 1900 Series Ethernet Switch?
