Cisco 1841 Advanced Security Image - OER Border router connected to business-class DSL
Cisco 2811 Enterprise Image - OER Master/Border connected to T1
Cisco 3750 Layer 3 IP Base image - Default Gateway to clients
Issue: OER is functioning well and the prefixes appear to be working correctly for traffic initiated by the client (generic web browsing). However, traffic such as VPN and SMTP that is initiated from the Internet is sometimes load balanced to the other border router, which kills the connection to the remote client. The remote clients are dynamic IP from users working from home, so there is no way that I can find to do a static prefix map. I have looked for weeks for a way to force traffic flows to go through the router it was initiated through for SMTP and VPN, but no luck. Anybody have an idea?
If I'm reading that correctly, it looks like it is speaking of a single border router connecting to two different ISPs. In my design, I actually have two border routers, each connecting to an ISP. NAT is being performed on each border router.
Also, I have noticed that the packet drops actually occur right after a prefix learning cycle. For example, I can ping router A and not router B. After prefix learning occurs, I can ping router B but not router A. This cycle repeats every time prefix learning occurs.
With NAT on two different routers, you likely have an intractable problem. The reason outbound sessions aren't more of a problem is perhaps most are stateless. Even without OER, consider an outbound packet that takes path A, with one source IP translation. The return will be via the same path because of your NAT'ed IP, but if for ANY reason the next outbound packet to the same outbound destination goes via path B, with a different source IP translation, the destination will think the packet is from a different host. Of course, OER becomes a reason for packets sourced from the same physical host to take different paths at different times.
I don't think you can within OER but it might be possible within PfR. Not 100% certain since I haven't worked with explicit prefixes or applications in either, but PfR is much more application (port?) aware than OER, so you might be able to have PfR not learn traffic on those ports.
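The failure described in the reply about NAT on two different routers, as an added example that is not part of any post in this thread: a toy Python model of two border routers that each translate to their own public IP and share no NAT state. The addresses are constructed (documentation ranges) and the names `NatBorder`, `outbound_flow` and `inbound_session` are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class NatBorder:
    """One border router doing source NAT; its translation state is local."""
    public_ip: str
    table: dict = field(default_factory=dict)   # (inside ip, port) -> public port
    next_port: int = 20000

    def translate_out(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key not in self.table:               # first packet seen on this router
            self.table[key] = self.next_port
            self.next_port += 1
        return (self.public_ip, self.table[key])

def make_borders():
    # Constructed sample addresses, one public IP per ISP link.
    return {"A": NatBorder("198.51.100.1"), "B": NatBorder("203.0.113.1")}

def outbound_flow(exits, inside=("10.0.0.25", 51000)):
    """One inside flow; each packet leaves via the border named in `exits`.
    The remote host keys sessions on the translated source (ip, port)."""
    borders, seen, result = make_borders(), set(), []
    for name in exits:
        src = borders[name].translate_out(*inside)
        result.append((name, src[0], "known" if src in seen else "unknown-source"))
        seen.add(src)
    return result

def inbound_session(entry, reply_exits):
    """A remote client connects to the public IP of border `entry`.
    Replies from the inside server leave via `reply_exits`; the client only
    accepts replies whose source is the address it connected to."""
    borders = make_borders()
    connected_to = borders[entry].public_ip
    return ["delivered" if borders[name].public_ip == connected_to else "dropped"
            for name in reply_exits]

if __name__ == "__main__":
    # Exit selection flips from A to B partway through, as after a learning cycle.
    for row in outbound_flow(["A", "A", "B"]):
        print(row)
    print(inbound_session("A", ["A", "B", "B"]))
```

Changing the exit for an established flow is what breaks it in both directions, so any fix has to keep a session on the border router that holds its translation.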