Show ARP reveals thousands of IPs on the outside interface

Problem: When you run “show arp” on an edge router/firewall you see thousands of public IPs. This eats up memory and causes things to run slowly. I even saw one case where “show run” revealed nothing; it would just come back blank because there wasn’t any memory available to perform the command.

Solution: Chances are the default route is using an interface as a destination and not an IP, such as:

    ip route 0.0.0.0 0.0.0.0 Gig0/0

Change this to use an IP address and not an interface. If an interface is used then there is no MAC that can be used as a destination, so the router sends an ARP request for the destination IP and adds it to the local...
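A quick way to check a router for the symptom described above, as an added example that is not the post's own code: it parses captured “show arp” and “show run” text, flags a default route whose target is an interface rather than a next-hop IP, and reports interfaces whose ARP table is huge or mostly “Incomplete” (the router ARPing for Internet destinations). The sample outputs are constructed and the 1000-entry warning threshold is an assumption.

```python
# Added example (not the post's code): check a Cisco IOS router for the
# symptom above. The 'show arp' / 'show run' samples are constructed and
# the 1000-entry warning threshold is an assumption.
import re
from collections import Counter

SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  203.0.113.1             0   0011.2233.4455  ARPA   GigabitEthernet0/0
Internet  198.51.100.7            3   Incomplete      ARPA   GigabitEthernet0/0
Internet  192.0.2.44              1   Incomplete      ARPA   GigabitEthernet0/0
Internet  192.168.1.1             -   00aa.bbcc.dd01  ARPA   GigabitEthernet0/1
"""
SHOW_RUN = """\
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 10.0.0.0 255.0.0.0 192.168.1.1
"""
ARP_LINE = re.compile(r"^Internet\s+(\S+)\s+(\S+)\s+(\S+)\s+ARPA\s+(\S+)")
DEFAULT_ROUTE = re.compile(r"^ip route 0\.0\.0\.0 0\.0\.0\.0\s+(\S+)", re.M)

def arp_entries_per_interface(show_arp):
    """Map each interface to (total ARP entries, 'Incomplete' entries)."""
    total, incomplete = Counter(), Counter()
    for line in show_arp.splitlines():
        m = ARP_LINE.match(line)
        if m:
            total[m.group(4)] += 1
            incomplete[m.group(4)] += m.group(3).lower() == "incomplete"  # bool -> 0/1
    return {i: (total[i], incomplete[i]) for i in total}

def default_route_via_interface(show_run):
    """Interface name if the default route's target is not an IP, else None."""
    m = DEFAULT_ROUTE.search(show_run)
    if m and not re.fullmatch(r"\d+(\.\d+){3}", m.group(1)):
        return m.group(1)
    return None

def audit(show_arp, show_run, threshold=1000):
    """Findings: interface-targeted default route; huge or mostly-Incomplete ARP tables."""
    findings = []
    iface = default_route_via_interface(show_run)
    if iface:
        findings.append(f"default route points at {iface}; use a next-hop IP")
    for name, (n, inc) in arp_entries_per_interface(show_arp).items():
        if n >= threshold or (inc and 2 * inc >= n):
            findings.append(f"{name}: {n} ARP entries, {inc} incomplete")
    return findings
```

On a real box, paste the output of the two show commands in place of the constructed samples.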

Configure QoS for VPN Tunnel on Cisco Router

Class Maps are referenced by Policy Maps, which are then applied to the external interface. VPN traffic is "pre-classified" before entering the external interface. The example below is based on 512 kbps bandwidth available for upload traffic.

Create 2 class-maps like this:

    class-map match-any Priority_Packets
     match precedence 5
     match dscp ef
    class-map match-any All_Traffic
     match any

Create 2 policy maps like this:

    policy-map Voice_Priority
     class Priority_Packets
      priority 256   // 256 is the amount of bandwidth in Kb you want to reserve for priority traffic. 256 is probably OK for 3 phones using the G.711 codec.
     class class-default
      fair-queue
      random-detect
    policy-map Shape_Out
     class All_Traffic
      shape average 480000   // 480000 is the total amount of upload in bits available (should be less than the actual speed, or else the policy will never kick in and QoS will be useless; in this case I had 512k up on the Internet connection).
      service-policy Voice_Priority

On the crypto map add “qos pre-classify”:

    crypto map SDM_CMAP_1 1 ipsec-isakmp
     description Tunnel to68.118.31.246
     set peer 68.118.31.246
     set transform-set ESP-3DES-SHA
     match address 103
     qos pre-classify

On the interface apply the main policy-map:

    interface FastEthernet4
     description $ES_WAN$$FW_OUTSIDE$
     bandwidth 5000
     ip address dhcp client-id FastEthernet4
     ip access-group 101 in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip inspect DEFAULT100 out
     ip virtual-reassembly
     ip route-cache flow
     duplex auto
     speed auto
     crypto map SDM_CMAP_1
     service-policy output Shape_Out

That should be it. Then use “sh policy-map interface fa4” to see the QoS in action. Start a big upload and you should see “Shaping Active: Yes” while the upload is going. You’ll see the two classes of traffic and if the...

Is Charter Throttling My Bandwidth?

I had recently worked on a problem with a customer in which they had been experiencing issues with the phone quality of their Voice-over-IP (VoIP) phone system at one of their branch offices (VPN connection). During my review, I was told the Internet connection was supposed to be 20×2 (20 Mbps down and 2 Mbps up), but my speed tests were showing 3 Mbps down/512 Kbps up. What?!

I asked my customer to verify with their ISP (Charter Communications) what the contracted bandwidth was and they confirmed that they were paying for 20×2 service. Many phone calls later, the customer determined “unofficially” from a friendly insider at the ISP that they may be throttling their bandwidth due to BitTorrent traffic. A BitTorrent client was discovered in use by an employee at that location. After the BitTorrent client was stopped, the bandwidth resumed to normal levels.

Well, this situation was resolved for this particular customer, but how do you determine if your traffic is being throttled if you don’t have an “inside” connection?

Glasnost

Glasnost is a tool that will test to see if your ISP is suspected of throttling bandwidth. It performs a series of tests that download/upload normal traffic and BitTorrent traffic, then compares the results of the two types of tests. If any significant difference is detected, you can assume that your ISP is throttling your bandwidth. According to their site, “Our test runs BitTorrent and TCP downloads as well as uploads on a well-known BitTorrent port and a non-BitTorrent port.”

Bad ISPs

Another source of useful info is Bad ISPs. This site maintains a list of ISPs...

Using VMware Server 1.x to Break Exchange 2007 OWA

Another dumb mistake: installed VMware Server 1.8 on an Exchange 2007 SP1 server with the Client Access role installed. Instead of choosing the “custom” install option, as I usually do, I was in a hurry and chose “complete”. Halfway through the install, I remembered why I never blindly choose “complete”: VMware Server Management Interface.

VMSI is a web-based management interface for VMware Server that, when installed, changes the preferences for IIS by enabling 32-bit ASP on 64-bit Windows. This breaks OWA (64-bit ASP) because IIS 6.0 does not support running 32-bit mode and 64-bit mode at the same time on 64-bit Windows.

Here’s the fix:

Disable 32-bit mode:

    cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 0

Register 64-bit ASP:

    %SYSTEMROOT%\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe -i

Thanks to:

How to switch between the 32-bit versions of ASP.NET 1.1 and the 64-bit version of ASP.NET 2.0 on a 64-bit version of Windows

HOWTO: DIAGNOSE ONE CAUSE OF W3SVC FAILING TO START WITH WIN32 ERROR 193 ON 64BIT WINDOWS

Originally posted at:...

Unable to browse My Network in a 2008 Domain

As Windows Server 2008 takes its place in more data centers, serving as a domain controller, design changes are starting to impact end users. One of these notable changes affects a workflow most users have picked up: browsing the network to find file servers and shares. We have seen more and more customers call in with an error similar to the one below (wording may differ from client to client):

Group Policy, user and group permissions, as well as network addressing all check out. What could it be?

The above ability is called NetBIOS browsing, and is granted via a service called Computer Browser. The Computer Browser service keeps track of all the computers, services (WINS, DHCP, Server, etc.), names, and IP addresses on the local subnet. In a domain environment, the domain controller (DC) with the PDC emulator role acts as the Master Browser. The server with the Master Browser role keeps a copy of all the NetBIOS lists from the other subnets (if there are any), and publishes this list for clients and servers alike. These lists are updated every 12 minutes.

The ability diminishes in an environment where Windows Server 2000 and 2003 DCs are upgraded to Server 2008. The symptoms begin with remote sites disappearing from the Network list, or updates not being reflected for the local subnet. They can also be more severe, as in the case above where the ability is lost altogether and replaced with a fairly cryptic error that does not actually suggest what the problem may be. This behavior occurs because in Windows Server 2008 the Computer Browser service is...