Routers

47K Solutions, 30K Contributors

A router is a networking device that forwards data packets between computer networks. Routers perform the "traffic directing" functions on the Internet. The most familiar type of routers are home and small office cable or DSL routers that simply pass data, such as web pages, email, IM, and videos between computers and the Internet. More sophisticated routers, such as enterprise routers, connect large business or ISP networks up to the powerful core routers that forward data at high speed along the optical fiber lines of the Internet backbone. Though routers are typically dedicated hardware devices, use of software-based routers has grown increasingly common.


In the hope of saving someone else's sanity...

About a year ago we bought a Cisco 1921 router with two ADSL/VDSL EHWIC cards to load balance local network traffic over the two broadband lines we have, but we couldn't get the routing to work consistently (that is, more than ten per cent of the time).

One minute everything would work fine; the next minute all (outbound) traffic would get dropped. After eight weeks of pulling my hair out (while talking to Cisco) it seems I had hit a 'documented' (but very well hidden) bug that means you cannot load balance on IOS 15 when using a dialer interface and NAT.

The long and short of it is that IOS gets confused and sends the packets to the wrong outbound interface it has just done the IP translation for. This means the ISP will (in the UK, at least) see the packet coming from what it sees as a spoofed IP address and will drop it.

Chances of getting load balancing to work with PPPoE: None (well almost none). Chances of seeing the bug fixed: Zero (apparently).

Incidentally, we were convinced to try a workaround, involving buying another(!) Cisco router with load balancing on one and the EHWIC cards in the other (using PBR to route the traffic correctly). This works (kind of), but, due to PBR, maxes out at half the bandwidth of our two connections, which kind of defeats the point of having two lines.

Given it took Cisco eight weeks to find this bug in their own documentation (which happens to be hidden …

How to set up an On Demand, IPSec, Site to Site, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance.

A concise guide to the settings required on both devices

Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.

Getting hacked is no longer a matter of "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?

Expert Comment by: Kyle Santos (LVL 17)
Good job.

Author Comment by: Teksquisite (LVL 6)
Thank you Kyle :)

In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WANs, don't have QoS control in the provider cloud.

Mikrotik OSPF Network
Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.

Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.

Expert Comment by: bozo1701
Reducing the quality of the picture is not really a solution. The hard line seems the only viable option today for HD video streaming. Cheers

Author Comment by: Kyle Santos (LVL 17)
"Reducing the quality of the picture is not really a solution. The hard line seems the only viable option today for HD video streaming. Cheers"
Agreed.  But for folks like me who are in a canyon, on tower relayed internet, it's been helpful and I don't notice a drastic difference in quality. :)

There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outgoing interface.

For this test we are going to use the simple network setup shown in the diagram below:
[Image: Network-Diagram.png]

Static Route using outgoing interface.
Let's configure R1 as follows:
R1(config)#int FastEthernet0/0
R1(config-if)#ip address 1.1.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
R1(config)#end
R1#wr
Building configuration...

*Mar  1 00:15:23.571: %SYS-5-CONFIG_I: Configured from console by console[OK]
R1#

We then try to send a couple of pings from R1 and look at the ARP table:

R1#ping 2.2.2.2 re 3

Type escape sequence to abort.
Sending 3, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
.!!
Success rate is 66 percent (2/3), round-trip min/avg/max = 68/74/80 ms
R1#ping 3.3.3.3 re 3

Type escape sequence to abort.
Sending 3, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
.!!
Success rate is 66 percent (2/3), round-trip min/avg/max = 68/68/68 ms
R1#ping 4.4.4.4 re 3

Type escape sequence to abort.
Sending 3, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
.!!
Success rate is 66 percent (2/3), round-trip min/avg/max = 72/82/92 ms
R1#ping 5.5.5.5 re 3

Type escape sequence to abort.
Sending 3, 

Expert Comment by: Jody Lemoine (LVL 22)
There is actually a third method that combines the two.

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 1.1.1.2

This has all of the same benefits as routing to the next-hop address, but ensures that the traffic doesn't use another interface regardless of the routing table's data for the next hop. It also has other applications, such as statically leaking routes between VRF instances.

Good write-up.
The Cisco RV042 router is a popular small network interfacing device that is often used as an internet gateway. Network administrators need to get at the management interface to make settings, change passwords, etc. This access is generally done using a browser like Internet Explorer, Google Chrome or Firefox using an HTTP or HTTPS connection. For security purposes, it's important to consider the possibilities:
  • Access from the LAN side is likely safer than from the WAN (internet) side but may still need to be secured.
  • Access from the WAN (internet) side is "public" and needs to be secure.
There are at least two kinds of "security" that are possible:

1) It's important to select a combination of Username and Password for logging into the controls. In this case, both the Username AND the Password might be viewed as "passwords" as they both have to be entered correctly. There are plenty of good articles written about how to select passwords.

2) Unless one is willing to risk having their public login communications intercepted, the communications need to be encrypted. This is where HTTPS comes in. It's fair to say that the WAN side communications, if actually public, must be encrypted. Similarly, internal LAN communications might also have the same requirement - but often not. There is almost no penalty for using HTTPS - so why not?  [Well, there’s an issue regarding security certificates when using HTTPS and that’s …

Author Comment by: Fred Marshall (LVL 26)
No, I haven't published an article on VPN client access.  All of my successful experience re: RV042 has been for site-to-site VPNs and not client-to-site VPNs.  It's been a long time.  I found that the tough cases are best tackled by putting both endpoints in the same room for system integration using a "model" or fake internet in between.  But these days with remote access being common, that may not be necessary.

I've had better luck with Netgear client-to-site VPN situations more recently.

Expert Comment by: Zhen Fury
The Certificate error will always be there because you need to buy an SSL Certificate for your Public webpage to be recognized publicly. For LAN you can provide a local cert though this is not really an issue.
Imagine you have a shopping list of items you need to get at the grocery store. You have two options:
A. Take one trip to the grocery store and get everything you need for the week, or
B. Take multiple trips, buying an item at a time, to achieve the same feat.
Obviously, unless you are purposefully trying to get out of the house you’d choose “A”. But why do we so often choose “B” when it comes to our data transmission performance? The key metric here is efficiency. How many trips do you want to take?

MTU…says you need to buy Milk in 1 Gallon containers rather than by the ounce!

MTU is an acronym that stands for the Maximum Transmission Unit, which is the single largest physical packet size, measured in bytes, a network can transmit. If messages are larger than the specified MTU they are broken up into separate, smaller packets also known as packet fragmentation or “fragmented”, which slows the overall transmission speeds because instead of making one trip to the grocery store you are now making multiple trips to achieve the same feat. In other words, the maximum length of a data unit a protocol can send in one trip, without fragmentation occurring is dictated by the MTU value defined.

Do I Really need to Manually Correct the MTU Value?

The correct MTU value will help you select the correct shopping cart size in order to be the most efficient in your grocery shopping so that you don’t have to take multiple trips. Shouldn’t I just leave…

Expert Comment by: Jason Shaw
Would changing the MTU on one side of a VPN tunnel cause any issues with the VPN?

Author Comment by: Blue Street Tech (LVL 26)
Hi Jason, I assume you are only changing it on one side of a VPN tunnel. If I am correct, then it would only benefit one side of the connection. So if that connection is having the issues then it may remedy the problem, however for greater efficacy I'd do both ends (they most likely will not have the same MTU).
Problem Description:  

A couple of months ago we upgraded the ADSL line at our branch office from a Home to a Business line. The purpose of changing the service was to have static public IPs.
We needed public IPs to publish our web resources at the branch office.
Also, on a Home ADSL connection the ISP leases a DHCP IP address to the customer, and this IP can change on a frequent basis, which sometimes makes port forwarding difficult.

Anyway, after the upgrade we were given a pre-configured Cisco router by the ISP. Unfortunately, the LAN subnet configured on the router conflicted with our IP addressing schema. Therefore, it was important to change the subnet on the router.

When I accessed the router through the console and issued the sh running-config command, the resulting configuration was virtually blank.

R1# sh run config
Current configuration : 3743 bytes
! No configuration change since last restart
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
end 

Moreover, I was not privileged to enter configuration mode. Then I used the command in exec mode
Show privilege:  This command displays the current privilege. Here's an example:

R1# show privilege
Current privilege level is 2

With this privilege only the configure commands that are permitted are actually displayed.

Solution

Author Comment by: cciedreamer (LVL 3)
Thank you very much.
So, I decided to flash my router with DD-WRT to get more control over its configuration.  The primary goal was to create an access point where DHCP addresses were only given out from the wireless interface and to isolate wireless clients from everything else on the LAN apart from the internet.

So I headed over to www.dd-wrt.com, searched the firmware database for the latest version for my router.  Carried out the upgrade and all is well, connect to the web interface and ready to start configuring.  I fished out a relevant article to assist:  

http://www.dd-wrt.com/wiki/index.php/Separate_LAN_and_WLAN

Carried out all the steps, and going well, I can get a wireless DHCP address... But wait, no internet access.  

I could get to the internet before I put the WLAN on its own bridge.  Hmmm, lots of talk of iptable settings for the firewall script on the forums.  After spending 5 hours trying and retrying different settings, I came across someone saying that the firmware suggested in the firmware database for your router isn't necessarily the latest or best.  I did a bit more digging and I found what seems to be the latest version on their own website:

ftp://ftp.dd-wrt.com/others/eko/BrainSlayer-V24-preSP2/2012/10-12-12-r20119-testing/linksys_wrt160nl/wrt160nl-firmware.bin

Upgraded my router to this version, carried out the same configuration I started out 5 hours earlier and BANG, all working as originally intended and as designed.  

I'm not getting those…
We've been using the Cisco/Linksys RV042 for years as:
- an internet Gateway
- a site-to-site VPN device
- a leased line site-to-site subnet-to-subnet interface
(And, here I'm assuming that any RV0xx behaves the same way as an RV042.  So that's a caveat.)

In the first case, the WAN interface connects to or toward the internet connection or the "outside world".

In the VPN case, the WAN interface connects to or toward the internet connection or the "outside world".

In the site-to-site case we started in the same fashion with the WAN interface connecting to the "outside world" connection and the LAN ports, as usual, on the LAN in each instance.  
It turns out this was a mistake as soon as we needed to do more than connect subnets.  Like this:

Router A ... LAN 192.168.1.0/24 IP 192.168.1.101 ... WAN 192.168.200.201/24 ... Gateway 192.168.200.201

Router B ... LAN 192.168.2.0/24 IP 192.168.2.102 ... WAN 192.168.200.202/24 ... Gateway 192.168.200.202

Router C ... LAN 192.168.3.0/24 IP 192.168.3.103 ... WAN 192.168.200.203/24 ... Gateway 192.168.200.203


As you probably know, there is little written about the internal architecture of the RV0xx routers.  So much is left to guesswork and/or doing some lab characterization.  This article is a combination of doing both while not being an exhaustive treatment of lab characterization tests ... which I'd still like to do.

Question:
"What if I want to connect subnet to subnet AND have the internet access …

Expert Comment by: Linda Claudine
Thought I might get some expert up to date advice so spent 15 agonizing minutes signing up for trial.  By the time I had done that (had to go thru the form part twice just because I wanted to read the policies before clicking start trial), the article I was reading was long gone. And oddly, the same search that brought it up when not member returned no results after signing up. As for addressing VPN settings on at&t junk router/modem (manual - NO ONE CAN FIND ONE). I could continue on tips - but there was nothing slightly applicable beyond stuff any fairly knowledgeable user would know - and many security settings are controversial depending on what article you read. It's now working - but we will see when I update my iPhone tonight. Oh boy!

Author Comment by: Fred Marshall (LVL 26)
?? Perhaps you meant to post this somewhere else??

Hello,

This is a short article on how to enable traceoptions on a Juniper router. Traceoptions are similar to Cisco debug commands, but they are implemented on Juniper Networks routers.

The following demonstrates a traceoptions configuration on a Juniper router that has OSPF enabled; we will be tracing OSPF.

The first thing is to enter configuration mode. Below is the session from the start of the router.

login: lab
Password:

--- JUNOS 9.6R2.11 built 2009-10-06 20:56:00 UTC
lab> configure 
Entering configuration mode
Users currently editing the configuration:
  lab terminal d0 (pid 1359) on since 2011-06-11 00:48:19 IST, idle 12:27:15
      [edit]
  lab terminal p2 (pid 1510) on since 2011-06-11 14:40:34 IST, idle 05:10:52
      [edit]

[edit]
lab# 

Now that you have done this we will go ahead and configure the protocol

[edit]
lab# set protocols ospf area 0 interface all 

[edit]
lab# commit 
commit complete

[edit]
lab# 

How would you enable traceoptions? Traceoptions are protocol specific, not device specific: you enable traceoptions for OSPF, RIP and other protocols, not for the entire router itself.

Let us enable traceoptions for OSPF.

[edit]
lab# edit protocols ospf 

[edit protocols ospf]
lab# set traceoptions file testtrace 

[edit protocols ospf]
lab# set traceoptions flag all 

[edit protocols ospf]
lab# commit 
commit complete

[edit protocols ospf]
lab# 

Now, how would you monitor it ... simple

I have seen some questions on problems with SSH/telnet access to Cisco routers that may occur despite the fact that from a PC connected to your LAN, Internet connectivity is in place and users can access Internet sites without any issues.  There are instances when you cannot SSH/telnet to the external/WAN interface of the router but you can SSH/telnet from inside.

The problem is with Network Address Translation (NAT) and the related Access Control List (ACL); your configuration needs to expressly permit such external access.

Consider this partial configuration:
interface fastethernet 0/0
 description WAN Interface
 ip address 172.16.1.1 255.255.255.0
 ip nat outside

interface fastethernet 0/1
 description LAN Interface
 ip address 10.10.10.1 255.255.255.0
 ip nat inside

ip access-list extended NAT-LIST
 permit ip any any

ip nat inside source list NAT-LIST interface fastethernet 0/0 overload

The partial configuration above will be sufficient to allow Internet access from PCs connected to the router's LAN.  It will also allow for network administrators to SSH or Telnet to routers from the LAN.  However, one will NOT be able to SSH/telnet to the router from the outside, over the Internet.

The problem (assuming that you want that capability) lies within Access Control List.
ip access-list extended NAT-LIST
permit ip any any

The permit any any line above translates all requests from the LAN as well as from the Internet to FastEthernet 0/0 IP Address, which in turn will break SSH/Telnet access to the router.

So, the question is:  How do you resolve this?  It is rather a simple fix.  All you need to do is replace the line...
     permit ip any any
...with...
     permit ip 10.10.10.0 0.0.0.255 any

When completed, your Access Control List should look like this:
ip access-list extended NAT-LIST
 permit ip 10.10.10.0 0.0.0.255 any

Expert Comment by: nw-support (LVL 2)
Yes I fully understand it - it is a good explanation.
The reply above was only a reaction to the comment from rsaettel.

Author Comment by: Paresh Patel (LVL 2)
Understood.  Thanks.
This article is a guide to configure bridging on Cisco Routers.  This is something I never knew was possible until after making a few phone calls to Cisco.  Using bridging saved our company money by not requiring us to purchase a new switch.  Bridging can also be very useful in smaller environments to help save on wasting IPs.  The implementation I will be using for the example is this:  A single T1 comes into a router.  This router needs to hand off directly to a set of Redundant Firewalls without a switch between them.  We need to make sure both firewalls can plug into the router and use the same IP address for their next hop.  The commands used here are all entered from a Cisco 2811 running IOS version 12.3(8)T5.  Bridging is available in many other IOS versions and from what I have personally seen the commands have not changed.  So with all of that out of the way let's get into the router.

First connect to the router via the console.  We will be changing IP addresses and disabling interfaces which will cause your telnet sessions to disconnect.

After you have connected you will need to be in "enable" mode so that you can make changes to the router.

Next we enter config mode, configure terminal

Now you should be sitting at a prompt similar to the one below:

Router01(config)#

There are three commands that we will enter to ensure that bridging is enabled.

Router01(config)#bridge irb
Router01(config)#bridge 1 protocol ieee
Router01(config)#bridge 1 route ip

Expert Comment by: jozatan (LVL 2)
Thank you for the brief post and the excellent explanation. Sometimes things are just very simple, only we don't know that.

Expert Comment by: jimmycher
Outstanding summation.

It often happens that an access list (ACL) has to be applied to an outgoing router interface in order to limit some traffic. This article is about how to test an ACL from the router itself, which is not very intuitive for everyone. The scenario below shows a simple situation with R2 connected to SW1, and SW1 allowing pings only to the Ethernet interface of R2, not its loopback interface.

10.0.2.2---R2--192.168.1.2----------------------------192.168.1.1--SW1---10.0.1.1

SW1#sh ip int b | ex un
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet1/2            192.168.1.1     YES manual up                    up  
Loopback0                  10.0.1.1        YES manual up                    up  
R2#sh ip int b | ex un
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.2     YES manual up                    up  
Loopback0                  10.0.2.2        YES manual up                    up  

ACL on SW1 (number 100 in this case) should be enough to achieve this, for example:

access-list 100 permit ip any 192.168.1.0 0.0.0.255
access-list 100 deny   ip any any

Let’s apply it to int f1/2 of SW1 which is connected to f0/0 of R2

SW1#sh run int f1/2
Building configuration...
Current configuration : 111 bytes
!
interface FastEthernet1/2
 no switchport
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 out
end

Now let’s check if ping from SW1 to R2 loopback 0 is blocked:

SW1#ping 10.0.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/43/108 ms

It’s not. Why? The reason is that an access list doesn’t apply to traffic initiated from the router itself. So how do you test such an access list if there is no access to anything behind SW1? To test it, traffic has to re-enter the router, which can be achieved by introducing ‘ip local policy routing’. Let’s start by creating an appropriate route-map ‘FILTER’ for traffic initiated from SW1:

SW1#sh run | section route-map
ip local policy route-map FILTER
route-map FILTER permit 10
 match ip address 111
 set interface Loopback0

SW1#sh run | section access-list 111
access-list 100 permit ip any 192.168.1.0 0.0.0.255
 
The new policy ‘FILTER’ has to be applied to SW1:

ip local policy route-map FILTER

Now ping R2 loopback 0 again from SW1



The server 172.16.200.2 was moved from behind router R2 f0/1 to behind router R1 int f0/1 and now has the address 172.16.100.2. But we want users to still be able to connect to it by its old IP. How do we do it? We can use destination NAT (DNAT). In DNAT terminology the address of the server is called the VIP.

Here are initial configurations of R1 and R2

hostname R2

interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.16.200.1 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 192.168.1.2 0.0.0.0 area 0


hostname R1

interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1
 ip address 172.16.100.1 255.255.255.0
 ip nat inside
!
router ospf 1
 log-adjacency-changes
 redistribute static subnets
 network 192.168.1.1 0.0.0.0 area 0
!
ip route 172.16.200.2 255.255.255.255 Null0

The old IP address of the server is distributed back to R2, see below:

R2#sh ip route

     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C       172.16.200.0/24 is directly connected, FastEthernet0/1
O E2    172.16.200.2/32 [110/20] via 192.168.1.1, 00:07:26, FastEthernet0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
R2#

Now we have to configure DNAT, see below. The NAT pool is limited to only one address because we're not going to use load balancing in this example.

ip nat pool POOL 172.16.100.2 172.16.100.2 prefix-length 24 type rotary
ip nat inside destination list SERVER pool POOL
!
ip access-list extended SERVER
 permit tcp any host 172.16.200.2 range 5000 5100

Now let's check that we can telnet to port 5000 from router R2.

R2#telnet  172.16.200.2 5000
Trying 172.16.200.2, 5000 ...
% Connection timed out; remote host not responding

The connection timed out because I didn't enable port 5000 on the server, but we can verify translations on R1, see below.

R1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 172.16.200.2:5000  172.16.100.2:5000  192.168.1.2:13038  192.168.1.2:13038

So it works!

In this tutorial I will show you with short command examples how to obtain a packet footprint of all traffic flowing thru your Juniper device running ScreenOS. I do not know the exact firmware requirement, but I think the fprofile command is available starting with 6.0.

The profiling is only available in CLI, so you need to know how to get there by a serial attached terminal emulation, or telnet / ssh. This is not covered here.

General CLI tip
At all times, you can type unique starting parts of the commands:
 
get fpro pac stop

and if you can't remember the syntax, just put a question mark after your command to get further help:
 
get fpro pac ?

or press [Tab] for auto-complete and help

How to

1. Preparation of profiling


The preparation can be done at any time, and needs not to be changed once set up.
 
unset fprofile packet wrap
set fprofile packet enable
set fprofile packet count 16

The count is measured in kilo-packets, allowed are 1-256
 

2. Start and stop profiling

 

clear fprofile
set fprofile packet start

If you set up nowrap (like above), profiling ends automatically as soon as the packet count is reached. If you set wrap mode, the buffer used is overwritten until you issue a
 
set fprofile packet stop

I've seen no CPU effect if you leave fprofile enabled (but stopped), however you can disable that to be safe:
 
unset fprofile packet enable

After disabling fprofile, the collected profile data is not available anymore, even after re-enabling.
If you want to check the actual state of the profiling engine:
 
get fprofile

shows state of fprofile: enabled and start or stop.
 

3. Viewing the profile


While it is possible to put two routes in place with the secondary having a higher metric, this may not always work. In the event of a failure that does not bring down the physical interface on the router, the primary route is not removed. There is also the situation where the primary interface takes too long to change status. The way around these limitations is simple: IP SLA.

Here's how to do it

ip sla 1   < The number 1 here is arbitrary, used only to identify this SLA. It is otherwise known as the operation number >

icmp-echo 4.2.2.2  < 4.2.2.2 is a DNS server that responds to pings out on the internet >

timeout 500  < This is how long to wait for a response from the ping >

frequency 3 < This is the repeat rate for the SLA >

ip sla schedule 1 start-time now life forever < This command says "start SLA 1 now and keep it running forever" >

track 1 rtr 1 reachability   < This command creates the track object "1" and monitors SLA 1 >

Now for the routing: we need to change the default route and associate it with the tracker

no ip route 0.0.0.0 0.0.0.0 1.1.1.1

and then put it back with the tracking

ip route 0.0.0.0 0.0.0.0 1.1.1.1 track 1  

Then we need to add our secondary route

ip route 0.0.0.0 0.0.0.0 1.1.1.2 10

Now when the ping to 4.2.2.2 fails the primary route is removed and the secondary route with the higher metric becomes the default. The route will be reinstated when the connectivity is restored.

With the 12.4 and higher …

Author Comment by: wingatesl (LVL 15)
You also need to set the routes as permanent to ensure a link failure does not remove them.

Expert Comment by: UranT (LVL 1)
To overcome the link flapping, because you can reach 4.2.2.2 after your link is restored over the next link, you can use "source-interface" command:

icmp-echo 4.2.2.2 source-interface INTERFACE

In a WLAN, anything you broadcast over the air can be intercepted.  By default a wireless network is wide open to all until security is configured. Even when security is configured information can still be intercepted! It is very important that you strengthen the  out of the box  default mode that was set by the manufacturer.

Wi-Fi or 802.11 networking uses radio waves to transmit data.  Most wireless routers provide a range of up to 300 feet in all directions and if you do not secure your network then just about anybody will be able to peruse your files!  For minimum security levels you will at least want to set up a Wired Equivalent Privacy (WEP) key.

You might be surprised to know that spammers and malware users could be "Wardriving" in your neighborhood with their laptops and Wi-Fi detectors seeking a wireless connection to tap into.  These hackers know default router passwords and often will find an open portal where NOTHING can be traced back to them. Unfortunately, every nasty act that they perform on an unsecured and open wireless network will be traced back to you.

Since your router is connected to the internet and stands in front of your computer -- there is no firewall that will warn you about this type of intrusion.  The router firewall can block users from the internet from accessing your computer but this same firewall will not stop people in range of your local Wi-Fi signal from getting into your …

Expert Comment by: mateojaime07 (LVL 1)
Also wasn't there an exploit of the WPS functionality in some of the newer routers? just as a be aware for those who use that to setup their pc to communicate with their router.

Thanks,
http://mjddesign.wordpress.com

Expert Comment by: Christopher Jay Wolff (LVL 9)
This article was helpful to me.  I cannot get a manual for my Pace router and have not easily found what I want with search engines.  I have been working hack issues for a while and most recently have the neighbor's satellite router listed as my Network Infrastructure in FE.  I'm new with all this and am trying to lock things up.  My router stuff is here...

http://www.experts-exchange.com/questions/28864339/I'm-supposed-to-be-on-a-Pace-router-not-a-Cisco-router-and-not-dish-satellite.html

The follow-up comments are helpful also.  Thank you all.