High receive discards on Sub-Interfaces in Cisco ASA.

Hello Everyone,
Over the past few weeks SolarWinds has been reporting high receive discards on two of our subinterfaces created on a Cisco ASA. No errors are observed on the other subinterfaces. I checked the trunk port interface on the switch for any errors but found none. These errors are visible only under the subinterfaces. What could be the issue?
Regards

I have the same problem too.
I have a Cisco ASA 5515 with the following version:
Cisco Adaptive Security Appliance Software Version 9.1(4)
My interface configuration is as follows:
PortChannel5 made with Interface GigabitEthernet 0/2 + Interface GigabitEthernet 0/3
Subinterfaces in PortChannel5
Nagios graphs show:
- many input discards in virtual subinterfaces
- many output discards in interface Gi0/2 and Gi0/3
- PortChannel5 output discards are the sum of the discards in interface Gi0/2 and Gi0/3
If I run the snmpwalk command against the ASA, the following results are obtained:
Interface description
[user@FIREWALL01 ~]$ snmpwalk -v 2c -c XXXXXXX 10.255.16.1 | grep ifDescr
IF-MIB::ifDescr.2 = STRING: Adaptive Security Appliance 'asa_mgmt_plane' interface
IF-MIB::ifDescr.3 = STRING: Adaptive Security Appliance 'Internet' interface
IF-MIB::ifDescr.4 = STRING: Adaptive Security Appliance 'LAN_MPLS' interface
IF-MIB::ifDescr.5 = STRING: Adaptive Security Appliance 'GigabitEthernet0/2' interface
IF-MIB::ifDescr.6 = STRING: Adaptive Security Appliance 'GigabitEthernet0/3' interface
IF-MIB::ifDescr.7 = STRING: Adaptive Security Appliance 'stateifha' interface
IF-MIB::ifDescr.8 = STRING: Adaptive Security Appliance 'statelink' interface
IF-MIB::ifDescr.9 = STRING: Adaptive Security Appliance 'Internal-Data0/1' interface
IF-MIB::ifDescr.10 = STRING: Adaptive Security Appliance 'cplane' interface
IF-MIB::ifDescr.11 = STRING: Adaptive Security Appliance 'mgmt_plane_int_tap' interface
IF-MIB::ifDescr.12 = STRING: Adaptive Security Appliance 'management' interface
IF-MIB::ifDescr.13 = STRING: Adaptive Security Appliance 'Virtual254' interface
IF-MIB::ifDescr.14 = STRING: Adaptive Security Appliance 'Port-channel5' interface
IF-MIB::ifDescr.15 = STRING: Adaptive Security Appliance 'VLAN_USGLB_OOB' interface
IF-MIB::ifDescr.16 = STRING: Adaptive Security Appliance 'VLAN_USGLBHSTHYP_MGNT' interface
IF-MIB::ifDescr.17 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_OM' interface
IF-MIB::ifDescr.18 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_MGNTOM' interface
IF-MIB::ifDescr.19 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_MGNT' interface
IF-MIB::ifDescr.20 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_SRVF' interface
IF-MIB::ifDescr.21 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_SRVB' interface
IF-MIB::ifDescr.22 = STRING: Adaptive Security Appliance 'VLAN_USGLB_DMZ' interface
Input discards
[user@FIREWALL01 ~]$ snmpwalk -v 2c -c xxxxxxxxxx 10.255.16.1 | grep ifInDiscards
IF-MIB::ifInDiscards.2 = Counter32: 0
IF-MIB::ifInDiscards.3 = Counter32: 0
IF-MIB::ifInDiscards.4 = Counter32: 0
IF-MIB::ifInDiscards.5 = Counter32: 0
IF-MIB::ifInDiscards.6 = Counter32: 0
IF-MIB::ifInDiscards.7 = Counter32: 0
IF-MIB::ifInDiscards.8 = Counter32: 0
IF-MIB::ifInDiscards.9 = Counter32: 0
IF-MIB::ifInDiscards.10 = Counter32: 0
IF-MIB::ifInDiscards.11 = Counter32: 0
IF-MIB::ifInDiscards.12 = Counter32: 0
IF-MIB::ifInDiscards.13 = Counter32: 0
IF-MIB::ifInDiscards.14 = Counter32: 0
IF-MIB::ifInDiscards.15 = Counter32: 12481926
IF-MIB::ifInDiscards.16 = Counter32: 9927941
IF-MIB::ifInDiscards.17 = Counter32: 134120211
IF-MIB::ifInDiscards.18 = Counter32: 124695686
IF-MIB::ifInDiscards.19 = Counter32: 27081148
IF-MIB::ifInDiscards.20 = Counter32: 2941537222
IF-MIB::ifInDiscards.21 = Counter32: 32714719
IF-MIB::ifInDiscards.22 = Counter32: 4008856
Output discards
[user@FIREWALL01 ~]$ snmpwalk -v 2c -c xxxxxxxxxxxx 10.255.16.1 | grep ifOutDiscards
IF-MIB::ifOutDiscards.2 = Counter32: 0
IF-MIB::ifOutDiscards.3 = Counter32: 0
IF-MIB::ifOutDiscards.4 = Counter32: 0
IF-MIB::ifOutDiscards.5 = Counter32: 3635696
IF-MIB::ifOutDiscards.6 = Counter32: 119099
IF-MIB::ifOutDiscards.7 = Counter32: 0
IF-MIB::ifOutDiscards.8 = Counter32: 0
IF-MIB::ifOutDiscards.9 = Counter32: 0
IF-MIB::ifOutDiscards.10 = Counter32: 0
IF-MIB::ifOutDiscards.11 = Counter32: 0
IF-MIB::ifOutDiscards.12 = Counter32: 0
IF-MIB::ifOutDiscards.13 = Counter32: 0
IF-MIB::ifOutDiscards.14 = Counter32: 3754795
IF-MIB::ifOutDiscards.15 = Counter32: 0
IF-MIB::ifOutDiscards.16 = Counter32: 0
IF-MIB::ifOutDiscards.17 = Counter32: 0
IF-MIB::ifOutDiscards.18 = Counter32: 0
IF-MIB::ifOutDiscards.19 = Counter32: 0
IF-MIB::ifOutDiscards.20 = Counter32: 0
IF-MIB::ifOutDiscards.21 = Counter32: 0
IF-MIB::ifOutDiscards.22 = Counter32: 0
Output discards may be normal, but I don't understand the input discards in the virtual subinterfaces of PortChannel5.
On the other hand, the show interface command on the subinterfaces doesn't show errors or discarded packets:
FIREWALL01/pri/act#    sh interface VLAN_USGLBVRM_SRVB detail 
Interface Port-channel5.1020 "VLAN_USGLBVRM_SRVB", is up, line protocol is up
  Hardware is EtherChannel/LACP, BW 2000 Mbps, DLY 10 usec
        VLAN identifier 1020
        Description: VLAN_USGLBVRM_SRVB
        MAC address 6073.5c69.0917, MTU 1500
        IP address 10.255.19.65, subnet mask 255.255.255.192
  Traffic Statistics for "VLAN_USGLBVRM_SRVB":
        42067433644 packets input, 45125599467459 bytes
        28153119062 packets output, 8866514693262 bytes
        32715765 packets dropped
  Control Point Interface States:
        Interface number is 21
        Interface config status is active
        Interface state is active
  Control Point Vlan1020 States:
        Interface vlan config status is active
        Interface vlan state is UP
FIREWALL01/pri/act#    sh interface VLAN_USGLBVRM_SRVF detail 
Interface Port-channel5.1019 "VLAN_USGLBVRM_SRVF", is up, line protocol is up
  Hardware is EtherChannel/LACP, BW 2000 Mbps, DLY 10 usec
        VLAN identifier 1019
        Description: VLAN_USGLBVRM_SRVF
        MAC address 6073.5c69.0917, MTU 1500
        IP address 10.255.19.1, subnet mask 255.255.255.192
  Traffic Statistics for "VLAN_USGLBVRM_SRVF":
        30475814698 packets input, 14615432248013 bytes
        27472348465 packets output, 20872697455933 bytes
        2941588838 packets dropped
  Control Point Interface States:
        Interface number is 20
        Interface config status is active
        Interface state is active
  Control Point Vlan1019 States:
        Interface vlan config status is active
        Interface vlan state is UP
FIREWALL01/pri/act#
Can anyone explain why so many input errors appear in the subinterfaces?
Thanks in advance!
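The counters in the post above can be lined up mechanically. This is an added example, not part of the original post: it joins the snmpwalk rows to the "show interface ... detail" blocks through the "Interface number" field, using values copied from the post (the function names and the trimming of the excerpts are choices made here). In the post's own data the SNMP ifInDiscards value and the CLI "packets dropped" value for the same subinterface differ only slightly, which is what two samples of one counter taken at different times would look like.

```python
import re

# Rows copied from the snmpwalk output in the post (only the indexes needed).
SNMPWALK = """\
IF-MIB::ifDescr.14 = STRING: Adaptive Security Appliance 'Port-channel5' interface
IF-MIB::ifDescr.20 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_SRVF' interface
IF-MIB::ifDescr.21 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_SRVB' interface
IF-MIB::ifInDiscards.14 = Counter32: 0
IF-MIB::ifInDiscards.20 = Counter32: 2941537222
IF-MIB::ifInDiscards.21 = Counter32: 32714719
"""

# "show interface <nameif> detail" output from the post, trimmed to the
# lines this parser reads.
SHOW_INTERFACE = """\
Interface Port-channel5.1020 "VLAN_USGLBVRM_SRVB", is up, line protocol is up
        42067433644 packets input, 45125599467459 bytes
        32715765 packets dropped
        Interface number is 21
Interface Port-channel5.1019 "VLAN_USGLBVRM_SRVF", is up, line protocol is up
        30475814698 packets input, 14615432248013 bytes
        2941588838 packets dropped
        Interface number is 20
"""

SNMP_LINE = re.compile(r"^IF-MIB::(\w+)\.(\d+) = (\w+): (.*)$")
NAMEIF = re.compile(r"'([^']+)' interface")
HEADER = re.compile(r'^Interface (\S+) "([^"]*)"')
NUMBER = re.compile(r"^Interface number is (\d+)")
FIELDS = {
    "packets_input": re.compile(r"^(\d+) packets input"),
    "packets_dropped": re.compile(r"^(\d+) packets dropped"),
}


def parse_snmpwalk(text):
    """Return {column: {ifIndex: value}} from 'snmpwalk | grep' style output."""
    table = {}
    for line in text.splitlines():
        m = SNMP_LINE.match(line.strip())
        if not m:
            continue
        column, index, kind, value = m.groups()
        if kind in ("Counter32", "Counter64", "Gauge32"):
            parsed = int(value)
        else:
            name = NAMEIF.search(value)
            parsed = name.group(1) if name else value
        table.setdefault(column, {})[int(index)] = parsed
    return table


def parse_show_interface(text):
    """Return {interface number: counters} from 'show interface detail' text."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            current = {"port": header.group(1), "nameif": header.group(2)}
            continue
        if current is None:
            continue
        number = NUMBER.match(line)
        if number:
            # The ASA's interface number is the same value as the SNMP ifIndex
            # in the post (20 and 21), so it is used as the join key.
            blocks[int(number.group(1))] = current
            continue
        for key, pattern in FIELDS.items():
            m = pattern.match(line)
            if m:
                current[key] = int(m.group(1))
    return blocks


def correlate(snmp, cli):
    """Join ifInDiscards to CLI 'packets dropped' for interfaces seen in both."""
    rows = []
    for index, discards in sorted(snmp.get("ifInDiscards", {}).items()):
        block = cli.get(index)
        if not block or "packets_dropped" not in block or "packets_input" not in block:
            continue
        rows.append({
            "index": index,
            "nameif": snmp.get("ifDescr", {}).get(index, block["nameif"]),
            "if_in_discards": discards,
            "cli_dropped": block["packets_dropped"],
            # Small positive delta: the CLI sample was taken after the SNMP one.
            "delta": block["packets_dropped"] - discards,
            "drop_pct": round(100 * block["packets_dropped"] / block["packets_input"], 2),
            # A Counter32 wraps at 2**32; a wrap shows up as a false spike in an NMS.
            "counter32_used_pct": round(100 * discards / 2**32, 1),
        })
    return rows


if __name__ == "__main__":
    for row in correlate(parse_snmpwalk(SNMPWALK), parse_show_interface(SHOW_INTERFACE)):
        print(row)
```

A per-interface breakdown of why the firewall dropped those packets is not in either output; the join only shows which CLI counter the monitoring graph is following.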

Similar Messages

  • Include multiple sub-interfaces in Cisco ASA for VPN tunnel

    I am trying to create a VPN tunnel between two Cisco ASAs where one ASA has multiple sub-interfaces.
    Say, In Cisco ASA 5550(in datacentre), I created multiple subinterfaces with VLAN ID as below:
    Inside, int0/1 : 10.1.1.0/24
    DMZ, int0/1.100: 10.1.100.0/24 (VLAN 100)
    Production, int 0/1.101 : 10.1.101.0/24 (VLAN 101)
    Management, int 0/1.102: 10.1.102.0/24 (VLAN 102)
    And another Cisco ASA 5505 is only configured with 1 x inside interface Inside, int 0/1: 192.168.1.0/24
    So far, I have only been able to provide outside access to one of the sub-interfaces as NAT rule on inside interface didn't work for VLANs. Hence had to issue Global NAT rule to be applied on Production subinterface so that production VLAN can have outside access. I have managed to establish VPN tunnel between two ASAs on Production sub-interface only, Source interface = Production subinterface
    Additional settings:
    Have an ACL to allow all sub-interfaces to access outside (lower security level)
    A NAT rule is configured on the Production subinterface with Source NAT Type as Dynamic PAT; when this was configured with the source interface as inside, PCs behind the various VLANs couldn't access the internet.
    I want to establish a site-to-site VPN tunnel with multiple sub-interfaces of Cisco ASA 5550 to Cisco ASA 5505. Would you please suggest what I am missing in my configuration? I need to be able to access multiple VLANs of datacentre from remote site.

  • Can I rate-limit on the sub-interface in cisco asr 1013?

    Hi,
    I am looking for the command to rate-limit a sub-interface on a Cisco ASR 1013.
    Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.2(2)S, RELEASE SOFTWARE (fc1)
    IOS XE Version: 03.06.00.S
    Please let me know if it is possible in cisco asr 1013. If yes then what are the commands.
    Zobair

    The ASR no longer supports the rate-limit command, but it does support the same functionality in a QoS policy.
    Please find a sample configuration -
    ASR1004(config)#policy-map test
    ASR1004(config-pmap)#class class-default
    ASR1004(config-pmap-c)#shape average 10000
    Applying for both ingress and egress:
    ASR1004(config)#int gig1/1/0
    ASR1004(config-if)#service-policy output test   
    or
    ASR1004(config-if)#service-policy input test

  • High CPU due to dispatch unit in cisco ASA 5540

    Hi, any suggestions would help.
    High CPU due to dispatch unit in cisco ASA 5540
    ciscoasa# sh processes cpu-usage
    PC         Thread       5Sec     1Min     5Min   Process
    0805520c   ad5afdf8     0.0%     0.0%     0.0%   block_diag
    081a8d34   ad5afa08    82.6%    82.1%    82.3%   Dispatch Unit
    083b6c05   ad5af618     0.0%     0.0%     0.0%   CF OIR
    08a60aa0   ad5af420     0.0%     0.0%     0.0%   lina_int
    08069f06   ad5aee38     0.0%     0.0%     0.0%   Reload Control Thread
    08072196   ad5aec40     0.0%     0.0%     0.0%   aaa
    08c76f3d   ad5aea48     0.0%     0.0%     0.0%   UserFromCert Thread
    080a6f36   ad5ae658     0.0%     0.0%     0.0%   CMGR Server Process
    080a7445   ad5ae460     0.0%     0.0%     0.0%   CMGR Timer Process
    081a815c   ad5ada88     0.0%     0.0%     0.0%   dbgtrace
    0844d75c   ad5ad2a8     0.0%     0.0%     0.0%   557mcfix
    0844d57e   ad5ad0b0     0.0%     0.0%     0.0%   557statspoll
    08c76f3d   ad5abef8     0.0%     0.0%     0.0%   netfs_thread_init
    09319755   ad5ab520     0.0%     0.0%     0.0%   Chunk Manager
    088e3f0e   ad5ab328     0.0%     0.0%     0.0%   PIX Garbage Collector
    088d72d4   ad5ab130     0.0%     0.0%     0.0%   IP Address Assign
    08ab1cd6   ad5aaf38     0.0%     0.0%     0.0%   QoS Support Module
    08953cbf   ad5aad40     0.0%     0.0%     0.0%   Client Update Task
    093698fa   ad5aab48     0.0%     0.0%     0.0%   Checkheaps
    08ab6205   ad5aa560     0.0%     0.0%     0.0%   Quack process
    08b0dd52   ad5aa368     0.0%     0.0%     0.0%   Session Manager
    08c227d5   ad5a9f78     0.0%     0.0%     0.0%   uauth
    08bbf615   ad5a9d80     0.0%     0.0%     0.0%   Uauth_Proxy
    08bf5cbe   ad5a9798     0.0%     0.0%     0.0%   SSL
    08c20766   ad5a95a0     0.0%     0.0%     0.0%   SMTP
    081c0b4a   ad5a93a8     0.0%     0.0%     0.0%   Logger
    08c19908   ad5a91b0     0.0%     0.0%     0.0%    Syslog Retry Thread
    08c1346e   ad5a8fb8     0.0%     0.0%     0.0%   Thread Logger
    08e47c82   ad5a81f0     0.0%     0.0%     0.0%   vpnlb_thread
    08f0f055   ad5a7a10     0.0%     0.0%     0.0%   pci_nt_bridge
    0827a43d   ad5a7620     0.0%     0.0%     0.0%   TLS Proxy Inspector
    08b279f3   ad5a7428     0.0%     0.0%     0.0%   emweb/cifs_timer
    086a0217   ad5a7230     0.0%     0.0%     0.0%   netfs_mount_handler
    08535408   ad5a7038     0.0%     0.0%     0.0%   arp_timer
    0853d18c   ad5a6e40     0.0%     0.0%     0.0%   arp_forward_thread
    085ad295   ad5a6c48     0.0%     0.0%     0.0%   Lic TMR
    08c257b1   ad5a6a50     0.0%     0.0%     0.0%   tcp_fast
    08c28910   ad5a6858     0.0%     0.0%     0.0%   tcp_slow
    08c53f79   ad5a6660     0.0%     0.0%     0.0%   udp_timer
    080fe008   ad5a6468     0.0%     0.0%     0.0%   CTCP Timer process
    08df6853   ad5a6270     0.0%     0.0%     0.0%   L2TP data daemon
    08df7623   ad5a6078     0.0%     0.0%     0.0%   L2TP mgmt daemon
    08de39b8   ad5a5e80     0.0%     0.0%     0.0%   ppp_timer_thread
    08e48157   ad5a5c88     0.0%     0.0%     0.0%   vpnlb_timer_thread
    081153ff   ad5a5a90     0.0%     0.0%     0.0%   IPsec message handler
    081296cc   ad5a5898     0.0%     0.0%     0.0%   CTM message handler
    089b2bd9   ad5a56a0     0.0%     0.0%     0.0%   NAT security-level reconfiguration
    08ae1ba8   ad5a54a8     0.0%     0.0%     0.0%   ICMP event handler
    I want exact troubleshooting.
    (1) Steps to follow.
    (2) Required configuration
    (3) Any good suggestions
    (4) Any Tool to troubleshoot.
    Suggestions are welcome

    Hello,
    NMS is probably not the right community to t/s this. You probably want to move this to the Security group (Security > Firewalling).
    In the meanwhile, I have some details to share for you to check, though I am not a security/ASA expert.
    The Dispatch Unit is a process that continually runs on single-core ASAs (models 5505, 5510, 5520, 5540, 5550). The Dispatch Unit takes packets off of the interface driver and passes them to the ASA SoftNP for further processing; it also performs the reverse process.
    To determine if the Dispatch Unit process is utilizing the majority of the CPU time, use the command show cpu usage and show process cpu-usage sorted non-zero
    show cpu usage (and show cpu usage detail) will show the usage of the ASA CPU cores:
    ASA# show cpu usage
    CPU utilization for 5 seconds = 0%; 1 minute: 1%; 5 minutes: 0%
    show process cpu-usage sorted non-zero will display a sorted list of processes that are using the CPU usage. 
    In the example below, the Dispatch Unit process has used 50 percent of the CPU for the last 5 seconds:
    ASA# show process cpu-usage sorted non-zero
    0x0827e731 0xc85c5bf4 50.5% 50.4% 50.3% Dispatch Unit
    0x0888d0dc 0xc85b76b4 2.3% 5.3% 5.5% esw_stats
    0x090b0155 0xc859ae40 1.5% 0.4% 0.1% ssh
    0x0878d2de 0xc85b22c8 0.1% 0.1% 0.1% ARP Thread
    0x088c8ad5 0xc85b1268 0.1% 0.1% 0.1% MFIB
    0x08cdd5cc 0xc85b4fd0 0.1% 0.1% 0.1% update_cpu_usage
    If Dispatch Unit is listed as a top consumer of CPU usage, then use this document to narrow down what might be causing the Dispatch Unit process to be so active.
    Most cases of high CPU utilization occur because the Dispatch Unit process is high. Common causes of high utilization include:
    Oversubscription
    Routing loops
    Host with a high number of connections
    Excessive system logs
    Unequal traffic distribution
    More t/s details can be shared by the ASA members from the community.
    HTH
    -Thanks
    Vinod

  • How to Clear the Input errors in a Cisco ASA Interface?

    Hi Everyone,
    My expertise with Cisco ASA is very limited. I have observed input errors on a couple of interfaces on a Cisco ASA 5540 firewall.
    296867 input errors, 0 CRC, 0 frame, 296867 overrun, 0 ignored, 0 abort
    0 pause input, 0 resume input
    0 L2 decode drops
    102091138038 packets output, 96596756282996 bytes, 2683 underruns
    0 pause output, 0 resume output
    0 output errors, 0 collisions, 2 interface resets
    0 late collisions, 0 deferred
    52 input reset drops, 0 output reset drops, 0 tx hangs
    input queue (blocks free curr/low): hardware (255/230)
    output queue (blocks free curr/low): hardware (255/0)
    I need to clear the input errors on this particular interface.
    Will clear interface GigabitEthernet 0/0 help?
    Thanks in Advance,
    Nanda

    Hi,
    Here is an example of using the command on my own ASA5505 firewall
    interface Ethernet0/0
    description WAN Access
    switchport access vlan 10
    ASA# sh interface Ethernet 0/0
    Interface Ethernet0/0 "", is up, line protocol is up
      Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
            Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
            Input flow control is unsupported, output flow control is unsupported
            Description: WAN Access
            Available but not configured via nameif
            MAC address 0025.45f4.0a9a, MTU not set
            IP address unassigned
            9679 packets input, 6532697 bytes, 0 no buffer
            Received 2 broadcasts, 0 runts, 0 giants
            0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
            0 pause input, 0 resume input
            0 L2 decode drops
            0 switch ingress policy drops
            8421 packets output, 2202683 bytes, 0 underruns
            0 pause output, 0 resume output
            0 output errors, 0 collisions, 0 interface resets
            0 late collisions, 0 deferred
            0 rate limit drops
            0 switch egress policy drops
            0 input reset drops, 0 output reset drops
    ASA# clear interface Ethernet0/0
    ASA# sh interface Ethernet 0/0
    Interface Ethernet0/0 "", is up, line protocol is up
      Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
            Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
            Input flow control is unsupported, output flow control is unsupported
            Description: WAN Access
            Available but not configured via nameif
            MAC address 0025.45f4.0a9a, MTU not set
            IP address unassigned
            0 packets input, 0 bytes, 0 no buffer
            Received 0 broadcasts, 0 runts, 0 giants
            0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
            0 pause input, 0 resume input
            0 L2 decode drops
            0 switch ingress policy drops
            0 packets output, 0 bytes, 0 underruns
            0 pause output, 0 resume output
            0 output errors, 0 collisions, 0 interface resets
            0 late collisions, 0 deferred
            0 rate limit drops
            0 switch egress policy drops
            0 input reset drops, 0 output reset drops
    interface Ethernet0/0
    description WAN Access
    switchport access vlan 10
    - Jouni

  • Sub-interfaces on PO

    Hi, I have put 2 physical interfaces (te0/8 & 9) on the ASA-5585 into a PO and am assigning IPs/VLANs to the sub-interfaces. I have 2 issues: Why am I not able to ping the other sub-interface from the ASA itself? (I can ping the 1st one.) Secondly, why are the IPs not visible in "sh int ip brief"? Although I can see them in "sh ip" ..
    /actNoFailover(config-if)# int po17.100
    /actNoFailover(config-subif)# vlan 100
    /actNoFailover(config-subif)# ip add
    /actNoFailover(config-subif)# ip address 100.1.1.1 255.255.255.0
    /actNoFailover(config-subif)# int po17.101
    /actNoFailover(config-subif)# vlan 101
    /actNoFailover(config-subif)# ip address 101.1.1.1 255.255.255.0
    /actNoFailover(config-subif)# int po17.102
    /actNoFailover(config-subif)# vlan 102
    /actNoFailover(config-subif)# ip address 102.1.1.1 255.255.255.0
    /actNoFailover(config-subif)# ping 100.1.1.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 100.1.1.1, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 30/32/40 ms
    /actNoFailover(config-subif)# ping 101.1.1.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 101.1.1.1, timeout is 2 seconds:
    /actNoFailover(config)# sh int ip brie
    Interface                  IP-Address      OK? Method Status                Protocol
    TenGigabitEthernet0/8      unassigned      YES unset  up                    up
    TenGigabitEthernet0/9      unassigned      YES unset  up                    up
    Port-channel17             unassigned      YES unset  up                    up
    Port-channel17.100         unassigned      YES manual up                    up
    Port-channel17.101         unassigned      YES manual up                    up
    Port-channel17.102         unassigned      YES manual up                    up
    Please advise?

    Hello Sande,
    That is correct! Please mark this question as answered so future users having a similar problem can learn from your solution.
    Regards,
    Julio

  • Issue in Sub-interface traffic on cisco 7609-s router

    Hello please support,
    I configured sub-interfaces and they are working properly, but sometimes a sub-interface shows more traffic than the physical interface.
    Like 
    int gi 3/32              0.13 Mbps  12:00 PM
    int gi 3/32.11       855 Mbps   12:00 PM
    As per my knowledge, the physical interface has the cumulative traffic of all sub-interfaces.
    interface GigabitEthernet3/32
     no ip address
    interface GigabitEthernet3/32.10
     encapsulation dot1Q 10
     ip address 172.20.128.77 255.255.255.252
     ip ospf network point-to-point
     ip ospf bfd
     bfd interval 50 min_rx 50 multiplier 5
     no bfd echo
     no cdp enable
    interface GigabitEthernet3/32.11
     description interlink MPLS
     encapsulation dot1Q 11
     ip address 172.20.129.73 255.255.255.252
     ip ospf network point-to-point
     mpls ip
     mpls label protocol ldp
    Regards,
    Damodar Nagar

    I do not have that graph, so I am just guessing that you are noticing the difference between policing and shaping. It seems to me you are applying these techniques on each platform in a different way. Try to shape/police in the same order or only to shape.
    Hope to help
    Alessio

  • Cisco Prime Monitor Sub Interfaces

    We are currently running Cisco Prime 2.1 and trying to monitor sub interfaces on our Cisco 7606.  We can see the sub interfaces by:
    Operate | Device Work Center
    Select Quick Filter (to find the 7606)
    Select Interfaces
    Select IP Interfaces
    The sub interfaces that we wish to monitor are displayed (with the above steps).  However, when we try to select the interface to monitor, the sub interfaces do not appear:
    Home | Detail Dashboard
    Select Interface
    Select the interface pull-down | All | 7606
    We do not see the sub interfaces, only 2 interfaces are displayed.  We do not see the interface GigabitEthernet4/7 at all.  What are we missing here?

    I couldn't find the appropriate MIB to monitor the call session

  • Sub interface features only in cisco routers?

    Is the sub-interface feature available only in Cisco routers? Does anybody have any clue?

    As far as I know, only routers provide sub-interfaces.
    Gilles.

  • Asa 5505 sub interface plus ports

    I have never used the 5505. I have used higher firewalls, and all of them can do sub-interfaces; normally we make sub-interfaces and VLANs are assigned to them. I'm trying to configure the 5505. Can someone tell me how I can create sub-interfaces? I saw a few configs and it seems that you configure VLANs like on a switch? Secondly, do all interfaces have to be part of a VLAN? I.e. outside, which is g0/0 ... can I configure it as a normal routed port?

    The 5505 is configured nearly the same as an L3 switch. You configure the VLAN interfaces and assign these to your switch ports. The switch ports can be configured as access or as trunk ports (if you have a SecPlus license).
    You can find more on this topic in the Config-Guide:
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_start_5505.html

  • ATOM on dot1q sub interfaces

    Hello, networkers!
    Long time no see ;-)
    Straight on question now. Imagine a MPLS network with the following topology:
     A       B       C       D       E
    (X) --- (X) --- (X) --- (X) --- (X)
     CE      PE      P       PE      CE
    Router A & E are customer's routers.
    Router B & D are PE routers
    Let's say that we have created MPLS ATOM using Xconnect in between routers B and D. They are both using FastEthernet interfaces with sub-interfaces configured on. Router D is configured to RouterE in this way:
    interface FastEthernet0/0.15
    description ** RouterD->RouterE **
    encapsulation dot1Q 15
    no cdp enable
    xconnect 2.2.2.2 666 encapsulation mpls
    On the other end, router B is configured as follows:
    interface FastEthernet0/0.26
    description ** RouterB->RouterA **
    encapsulation dot1Q 26
    no cdp enable
    xconnect 1.1.1.1 666 encapsulation mpls
    end
    Where 1.1.1.1 is RouterD loopback and 2.2.2.2 is Router B lo0.
    What do you think about that scenario? Should it work with this configuration when the dot1q VLANs differ? In my opinion this shouldn't work as expected as long as MPLS is doing just transparent transport of the entire L2 frame (instead of using internetworking on IP level).
    Can anyone, please explain how does Cisco handle this? I remember that I've read somewhere during my CCIE journey that there are different types of AtOM VC's which can either carry the dot1q tag or not.
    Thank you in advance!
    Kind regards,
    Dani Petrov
    P.p. I tried it in a few different configurations and the results are very interesting but please first share your thoughts ;-)

    Hi,
    You can't force the vc-type and don't need to.
    To summarize:
    - switchport trunk mode and subinterfaces will always pop the outer tag
    - EVC interfaces do nothing by default.
    On top of that vc-type 4 will add a service-delimiter tag to the frame received from the AC. It's the responsibility of the egress router to know what to do with this tag (rewrite or remove it).
    GSR and 7200 will negotiate a vc-type 4 if the AC is a subinterface. 7600 will always negotiate a vc-type 5 except if the peer wants a vc-type 4.
    HTH
    Laurent.

  • ASR9000/XR - BNG - L3 sub-interface limit for trunk (4096) error - what is the work around?

    We currently have 7,500 broadband subscribers that we will be terminating on our ASR 9001.
    Each one of our customers will be terminating on a sub-interface on a bundle.
    On the 9k, there will be a QoS policy applied to rate-limit their broadband connection (see example below).
    The challenge that we are running into right now is scaling beyond 4096 L3 sub-interfaces. When running through this in our lab, we receive the following fail message:
    RP/0/RSP0/CPU0:BNG(config-subif)#show config failed
    Tue Mar 10 18:32:07.552 UTC
    !! SEMANTIC ERRORS: This configuration was rejected by 
    !! the system due to semantic errors. The individual 
    !! errors with each failed configuration command can be 
    !! found below.
    interface Bundle-Ether10.6941171
    !!% The L3 sub-interface limit for the trunk interface has been reached: Trunk limit for L3 subinterfaces on Bundle-Ether10 is 4096
    We have added the following on to each of the sub-interfaces to "fake" out the NPU, but even with SPD configured, we are receiving the max 4096 message:
    service-policy output <POLICY> subscriber-parent resource-id 0
    service-policy output <POLICY> subscriber-parent resource-id 1
    service-policy output <POLICY> subscriber-parent resource-id 2
    service-policy output <POLICY> subscriber-parent resource-id 3
    It is my understanding that we have a total of 4 resource ID's to use (0-3) and the ASR 9001 will support up to 32,000 sub-interfaces (system wide or 8,000 sub interfaces per resource-id).
    See attached image for reference this design.
    Main question to the community is what is the work around to scale beyond 4096 L3 sub-interfaces??
    In our case it is not feasible to bring in additional bundles and spread the customers out.
    Look forward to your responses.
    Below is a sample configuration:
    policy-map 10M_D
     class class-default
      shape average 10100000 bps 
     end-policy-map
    policy-map 10M_U
     class class-default
      police rate 10300000 bps 
       exceed-action drop
     end-policy-map
    interface Bundle-Ether10.650102
     description ---INT: GigabitEthernet0/0/1.650102 NAME: TEST #1---
     service-policy input 10M_U
     service-policy output 10M_D subscriber-parent resource-id 0
     ipv4 point-to-point
     local-proxy-arp
     ipv4 unnumbered Loopback10
     encapsulation dot1q 650 second-dot1q 102
    interface Bundle-Ether10.650103
     description ---GigabitEthernet0/0/1.650103 NAME: TEST #2---
     service-policy input 10M_U
     service-policy output 10M_D subscriber-parent resource-id 1
     ipv4 point-to-point
     local-proxy-arp
     ipv4 unnumbered Loopback10
     encapsulation dot1q 650 second-dot1q 103
    interface Bundle-Ether10.650104
     description ---INT: GigabitEthernet0/0/1.650104 NAME: TEST #3---
     service-policy input 10M_U
     service-policy output 10M_D subscriber-parent resource-id 2
     ipv4 point-to-point
     local-proxy-arp
     ipv4 unnumbered Loopback10
     encapsulation dot1q 650 second-dot1q 104
    interface Bundle-Ether10.650105
     description ---INT: GigabitEthernet0/0/1.650105 NAME: TEST #4---
     service-policy input 10M_U
     service-policy output 10M_D subscriber-parent resource-id 3
     ipv4 point-to-point
     local-proxy-arp
     ipv4 unnumbered Loopback10
     encapsulation dot1q 650 second-dot1q 105
    interface Bundle-Ether10.650106
     description ---INT: GigabitEthernet0/0/1.650106 NAME: TEST #5---
     service-policy input 10M_U
     service-policy output 10M_D subscriber-parent resource-id 0
     ipv4 point-to-point
     local-proxy-arp
     ipv4 unnumbered Loopback10
     encapsulation dot1q 650 second-dot1q 106
    interface Bundle-Ether10.650107
     description ---INT: GigabitEthernet0/0/1.650107 NAME: TEST #6---
     service-policy input 10M_U
     service-policy output 10M_D subscriber-parent resource-id 1
     ipv4 point-to-point
     local-proxy-arp
     ipv4 unnumbered Loopback10
     encapsulation dot1q 650 second-dot1q 107
    interface Bundle-Ether10.650108
     description ---INT: GigabitEthernet0/0/1.650108 NAME: TEST #7---
     service-policy input 10M_U
     service-policy output 10M_D subscriber-parent resource-id 2
     ipv4 point-to-point
     local-proxy-arp
     ipv4 unnumbered Loopback10
     encapsulation dot1q 650 second-dot1q 108
    interface Bundle-Ether10.650109
     description ---INT: GigabitEthernet0/0/1.650109 NAME: TEST #8---
     service-policy input 10M_U
     service-policy output 10M_D subscriber-parent resource-id 3
     ipv4 point-to-point
     local-proxy-arp
     ipv4 unnumbered Loopback10
     encapsulation dot1q 650 second-dot1q 109

    xander,
    Thanks for sharing the QinQ username, works perfectly.
    A couple of design questions for you.
    #1 - If I have >7500 subscribers that will be terminating on this bundle, would this be the best design to ensure that I can scale up to 32,000 subscribers on the BE <leveraging the subscriber-parent resource-id (0-4)>
    EXAMPLE
    interface Bundle-Ether10.100
    description BE10.100 – Area 1 - BNG customers - QinQ
    ipv4 point-to-point
    ipv4 unnumbered Loopback0
    service-policy output <POLICY> subscriber-parent resource-id 0
    service-policy type control subscriber IP_PM
    ipsubscriber ipv4 l2-connected
    initiator dhcp
    encapsulation ambiguous dot1q 100 second-dot1q any
    interface Bundle-Ether10.200
    description BE10.200 – Area 2 - BNG customers - QinQ
    ipv4 point-to-point
    ipv4 unnumbered Loopback0
    service-policy output <POLICY> subscriber-parent resource-id 1
    service-policy type control subscriber IP_PM
    ipsubscriber ipv4 l2-connected
    initiator dhcp
    encapsulation ambiguous dot1q 200 second-dot1q any
    interface Bundle-Ether10.300
    description BE10.300 – Area 3 - BNG customers - QinQ
    ipv4 point-to-point
    ipv4 unnumbered Loopback0
    service-policy output <POLICY> subscriber-parent resource-id 3
    service-policy type control subscriber IP_PM
    ipsubscriber ipv4 l2-connected
    initiator dhcp
    encapsulation ambiguous dot1q 300 second-dot1q any
    interface Bundle-Ether10.400
    description BE10.400 – Area 4 - BNG customers - QinQ
    ipv4 point-to-point
    ipv4 unnumbered Loopback0
    service-policy output <POLICY> subscriber-parent resource-id 4
    service-policy type control subscriber IP_PM
    ipsubscriber ipv4 l2-connected
    initiator dhcp
    encapsulation ambiguous dot1q 400 second-dot1q any
    #2 - How do I verify in XR the CoA speed profile that is pushed down from RADIUS to a given subscriber?
    I thought I might see the dynamic policy using the command below, but no luck.
    Do you know the correct command?
    RP/0/RSP0/CPU0:bng-asr9001#show policy-map inter be10.1.ip5
    Wed Apr 1 14:12:06.390 UTC
    Bundle-Ether10.1.ip5 input: __sub_55ffffff8b7dffffffad
    Class class-default
    Classification statistics (packets/bytes) (rate - kbps)
    Matched : 126959/10831088 14
    Transmitted : N/A
    Total Dropped : N/A
    Policy __sub_55ffffff8b7dffffffad_child1 Class class-default
    Classification statistics (packets/bytes) (rate - kbps)
    Matched : 126959/10831088 14
    Transmitted : N/A
    Total Dropped : 325/322582 0
    Policing statistics (packets/bytes) (rate - kbps)
    Policed(conform) : 126634/10508506 14
    Policed(exceed) : 325/322582 0
    Policed(violate) : 0/0 0
    Policed and dropped : 325/322582
    Policed and dropped(parent policer) : N/A
    Bundle-Ether10.1.ip5 output: __sub_6effffff81ffffffbfffffffdb
    Class class-default
    Classification statistics (packets/bytes) (rate - kbps)
    Matched : 199642/280153690 453
    Transmitted : N/A
    Total Dropped : N/A
    Policy __sub_6effffff81ffffffbfffffffdb_child1 Class class-default
    Classification statistics (packets/bytes) (rate - kbps)
    Matched : 199642/280153690 453
    Transmitted : N/A
    Total Dropped : 26930/38989025 61
    Policing statistics (packets/bytes) (rate - kbps)
    Policed(conform) : 172712/241164665 392
    Policed(exceed) : 26930/38989025 61
    Policed(violate) : 0/0 0
    Policed and dropped : 26930/38989025
    Policed and dropped(parent policer) : N/A
    RP/0/RSP0/CPU0:bng-asr9001#
    #3 - CoA QoS profile -> I'm using the following avpair for ingress / egress QoS. However, when validating against a speed test server, my results are well above the 10Mbps / 10Mbps I have provisioned. Actual is more in the ~15Mbps/15Mbps range.
    Am I missing additional config in the policing section?
    cisco-avpair = "ip:qos-policy-in=add-class(sub, (class-default,class-default),police(10000))",
    cisco-avpair += "ip:qos-policy-out=add-class(sub, (class-default,class-default),police(10000))"
    Appreciate it in advance xander!
    -ae

  • The difference between IEEE802.1Q Native VLAN sub-interface and Physical interface?

    Hello
    I think the following topologies are supported for Cisco routers.
    And the physical interface can also be used as the native VLAN interface, right?
    Topology 1.
     R1 Gi0.1 ------ IEEE802.1Q Tunneling  L2SW ------ Gi0 R2
    R1 - configuration
    interface GigabitEthernet0.1
     encapsulation dot1Q 1 native
     ip address 10.0.0.1 255.255.255.0
    Topology 2.
    R1 Gi0 ------ IEEE802.1Q Tunneling L2SW ------ Gi0 R2
    interface GigabitEthernet0
    ip address 10.0.0.1 255.255.255.0
    And is it OK to use the physical interface and sub-interface with dynamic routing such as EIGRP or OSPF etc.?
    R1 Gi 0 ---- Point to Multipoint EIGRP or OSPF ---- Gi0 R2 / R3 
          Gi 0.20--- Point to Point EIGRP or OSPF --- Gi0.10 R4  (same VLAN-ID) 
    R1 - configuration
    interface GigabitEthernet0
     ip address 10.0.0.1 255.255.255.0
    interface GigabitEthernet8.20
     encapsulation dot1Q 20
     ip address 20.0.0.1 255.255.255.0
    Any information is very much appreciated. If there is any CCO document, please let me know.
    Thank you very much and regards,
    Masanobu Hiyoshi

    Hello,
    The diagram is helpful.
    If I am getting you correctly, you have three routers interconnected by a switch, and you want them to operate in a hub-and-spoke fashion even though the switch is capable of allowing direct communication between any of these routers.
    Your first scenario is concerned with all three routers being in the same VLAN, and by using neighbor commands, you force these routers to establish targeted EIGRP adjacencies R1-R2 and R1-R3, with R1 being the hub.
    Your second scenario is concerned with creating one VLAN per spoke, having subinterfaces for each spoke VLAN created on R1 as the router, and putting each spoke just in its own VLAN.
    Your scenarios are not really concerned with the concept of native VLAN or the way it is configured, to be honest. Whether you use a native VLAN in either of your scenarios, or whether you configure the native VLAN on a subinterface or on the physical interface makes no difference. There is simply no difference to using or not using a native VLAN in any of your scenarios, and there is no difference to the native VLAN configuration being placed on a physical interface or a subinterface. It's as plain as that. Both your scenarios will work.
    My personal opinion, though, is that forcing routers on a broadcast multi-access segment such as Ethernet to operate in a hub-and-spoke fashion is somewhat artificial. Why would you want to do this? Both scenarios have drawbacks: in the first scenario, you need to add a neighbor statement for each spoke to the hub, limiting the scalability. In the second scenario, you waste VLANs and IP subnets if there are many spokes. The primary question is, though: why would you want an Ethernet segment to operate as a hub-and-spoke network? Sure, these things are done but they are motivated by specific needs so I would like to know if you have any.
    Even if you needed your network to operate in a hub-and-spoke mode, there are more efficient means of achieving that: Cisco switches support so-called protected ports that are prevented from talking to each other. By configuring the switch ports to spokes as protected, you will prevent the spokes from seeing each other. You would not need, then, to configure static neighbors in EIGRP, or to waste VLANs for individual spokes. What you would need to do would be deactivating the split horizon on R1's interface, and using the ip next-hop-self eigrp command on R1 to tweak the next hop information to point to R1 so that the spokes do not attempt to route packets to each other directly but rather route them over R1.
    I do not believe I have seen any special CCO documents regarding the use of physical interfaces or subinterfaces for native VLAN or for your scenarios.
    Best regards,
    Peter

  • Cisco ASA VPN question: %ASA-4-713903: IKE Receiver: Runt ISAKMP packet

    Dear community,
    Quite frequently I am now receiving the following error message in my ASA 5502's log:
    Oct 17 12:52:17 <myASA> %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from <some_ip>:<some_port>
    Oct 17 12:52:22 <myASA> %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from <some_ip>:<some_port>
    Oct 17 12:52:27 <myASA> %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from <some_ip>:<some_port>
    The VPN Clients (in the last case: A linux vpnc) disconnect with message
       vpnc[7736]: connection terminated by dead peer detection
    The ASA reports for that <some_ip> at around the same time:
    Oct 17 12:52:32 <myASA> %ASA-4-113019: Group = blah, Username = johndoe, IP = <some_ip>, Session disconnected. Session Type: IPSecOverNatT, Duration: 2h:40m:35s, Bytes xmt: 2410431, Bytes rcv: 23386708, Reason: User Requested    
    A Google search did not reveal any explanation for the "%ASA-4-713903: IKE Receiver: Runt ISAKMP packet..." message, so my questions would be:
       1) What exactly does the message mean? I know runts as an L2 problem, so I'd suppose it means the same: the ISAKMP packet is somehow
           crippled (I'd suppose this happens during rekeying)?
       2) Any idea where to look for the cause of this?
              WAN related (however I'd assume no -- why does this happen in these regular time frames as shown above)?
              SW related (vpnc bug)?
    Thanks in advance for any pointer...
    Joachim

    Yes.  You need to eliminate the things I've said to eliminate with the other side.  Ensure your configs are matching exactly.  They probably are, whatever, just make sure of it because it's easy.  You both need to run packet captures on your interfaces both in and out to even begin to have an idea of where to look.
    The more info you can have just one person responsible for the better.  What I mean by that is, it's typically a nice step for the 'bigger end' to have the 'smaller end's' config file to look at.
    If you are seeing packets come in your inside, leave your outside, and never make it to his inside, then take it a step at a time.
    If you're seeing them come in his interface and never come back out, you know where to look.
    Set your caps to a single host to single host if need be, and generate traffic accordingly.
    You need to narrow down where NOT to look so that you know where TO look.  I would say then, and only then, do you get the ISP involved.  Once you're sure the problem exists between his edge device and your edge device.
    I do exactly this for a living on a daily basis...day after day after day.  I'm responsible for over 200 IPSec s2s connections and thousands of SSL VPN sessions.  I always start the exact same way...from the very bottom.
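    The question above notes that the runt messages arrive at regular intervals shortly before the session drops. As an added example (not part of either post), the following Python sketch correlates %ASA-4-713903 lines with %ASA-4-113019 disconnects per peer IP; the log lines are constructed in the quoted format, and the hostname `asa1`, the documentation-range addresses and the 60-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format quoted in the post; hostname and addresses are made up.
SAMPLE_LOG = """\
Oct 17 12:52:17 asa1 %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from 198.51.100.7:40112
Oct 17 12:52:22 asa1 %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from 198.51.100.7:40112
Oct 17 12:52:27 asa1 %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from 198.51.100.7:40112
Oct 17 12:52:32 asa1 %ASA-4-113019: Group = blah, Username = johndoe, IP = 198.51.100.7, Session disconnected. Session Type: IPSecOverNatT, Duration: 2h:40m:35s, Bytes xmt: 2410431, Bytes rcv: 23386708, Reason: User Requested
Oct 17 13:05:10 asa1 %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from 203.0.113.9:4500
"""

RUNT = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ %ASA-4-713903: .* on Port (\d+) from ([\d.]+):(\d+)")
DISC = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ %ASA-4-113019: .*Username = ([^,]+), IP = ([\d.]+),"
                  r".*Duration: ([^,]+),.*Reason: (.+?)\s*$")

def parse_ts(text):
    # Syslog timestamps carry no year; a fixed one is assumed so they can be compared.
    return datetime.strptime("2000 " + text, "%Y %b %d %H:%M:%S")

def correlate(log, window=timedelta(seconds=60)):
    """For each disconnect, count runt discards from the same peer IP in the preceding window."""
    runts, results = {}, []
    for line in log.splitlines():
        m = RUNT.match(line)
        if m:
            runts.setdefault(m.group(3), []).append(parse_ts(m.group(1)))
            continue
        m = DISC.match(line)
        if m:
            when, user, ip, duration, reason = m.groups()
            when = parse_ts(when)
            prior = [t for t in runts.get(ip, []) if timedelta(0) <= when - t <= window]
            # Spacing between consecutive discards; a constant gap points at a timer, not random loss.
            gaps = [int((b - a).total_seconds()) for a, b in zip(prior, prior[1:])]
            results.append({"user": user, "ip": ip, "reason": reason, "duration": duration,
                            "runts_before": len(prior), "gaps_s": gaps})
    return results

if __name__ == "__main__":
    for row in correlate(SAMPLE_LOG):
        print(row)
```

    Peers that log runt discards without a following disconnect (the last sample line) produce no row, which separates background noise from discards that precede a session drop.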

  • NAT on sub-interface with no internet access

    Good morning,
    Please, I have a router 2901, on which I configured two sub-interfaces for Voice and Data. Everything seems to be working fine but I can't access the internet after configuring NAT.
    Config below
    Router1#sh config
    Using 5392 out of 262136 bytes
    ! No configuration change since last restart
    ! NVRAM config last updated at 16:15:07 UTC Wed Jul 2 2014 by aadmin
    ! NVRAM config last updated at 16:15:07 UTC Wed Jul 2 2014 by aadmin
    version 15.2
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    hostname A
    boot-start-marker
    boot-end-marker
    ! card type command needed for slot/vwic-slot 0/0
    logging buffered 51200 warnings
    enable secret 4 U3/EVMmZsx9ys3vbB8aDhHy.5h4qh2V8/DkTGNsxvTA
    enable password 7 06150E2C5F5B071E
    aaa new-model
    aaa authentication login default local
    aaa session-id common
    memory-size iomem 25
    ip cef
    ip dhcp excluded-address 10.10.36.1 10.10.36.25
    ip dhcp excluded-address 10.10.36.200 10.10.36.254
    ip dhcp pool DATA
     network 10.10.36.0 255.255.255.0
     default-router 10.10.36.1
     dns-server 8.8.8.8 4.2.2.2
    ip dhcp pool VOICE
     network 10.1.1.0 255.255.255.0
     default-router 10.1.1.1
     option 150 ip 10.10.36.4
    no ipv6 cef
    multilink bundle-name authenticated
    crypto pki trustpoint TP-self-signed-3112445314
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-3112445314
     revocation-check none
     rsakeypair TP-self-signed-3112445314
    crypto pki certificate chain TP-self-signed-3112445314
     certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
    voice-card 0
    license udi pid CISCO2901/K9 sn FCZ1808C4L8
    hw-module pvdm 0/0
    username a password 7 1416111F05557C
    username e privilege 15 password 7 1437455E0E2A25382525260B67
    username c password 7 030B580E0701284F165B5C
    username a password 7 01000709481E0808
    redundancy
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    interface GigabitEthernet0/0
     description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
     ip address #.#.#.58 255.255.255.248
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
     no keepalive
    interface GigabitEthernet0/1
     no ip address
     ip nat inside
     ip virtual-reassembly in
     duplex auto
     speed auto
     no keepalive
    interface GigabitEthernet0/1.1
     encapsulation dot1Q 1 native
     ip address 10.10.36.1 255.255.255.0
     ip verify unicast reverse-path
     ip nat inside
     ip virtual-reassembly in
    interface GigabitEthernet0/1.100
     encapsulation dot1Q 100
     ip address 10.1.1.1 255.255.255.0
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list LAN_NAT_POLICY interface GigabitEthernet0/1.1 ov
    ip route 0.0.0.0 0.0.0.0 #.#.#.57
    ip access-list extended LAN_NAT_POLICY
     permit ip 10.0.0.0 0.255.255.255 any
    access-list 23 permit 10.10.36.0 0.0.0.255
    access-list 23 permit 10.10.0.0 0.0.0.255
    access-list 23 permit 10.10.0.0 0.0.255.255
    access-list 101 permit tcp 10.10.36.0 0.0.0.255 host 10.10.36.1 eq telnet
    control-plane
    mgcp profile default
    gatekeeper
     shutdown
    banner exec ^C
    % Password expiration warning.
    Cisco Configuration Professional (Cisco CP) is installed on this device
    and it provides the default username "cisco" for  one-time use. If you hav
    already used the username "cisco" to login to the router and your IOS imag
    supports the "one-time" user option, then this username has already expire
    You will not be able to login to the router with this username after you e
    this session.
    It is strongly suggested that you create a new username with a privilege l
    of 15 using the following command.
    username <myuser> privilege 15 secret 0 <mypassword>
    Replace <myuser> and <mypassword> with the username and password you want
    use.
    ^C
    banner login ^C
    Cisco Configuration Professional (Cisco CP) is installed on this device.
    This feature requires the one-time use of the username "cisco" with the
    password "cisco". These default credentials have a privilege level of 15.
    YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  PUBLICLY-KNOWN
    CREDENTIALS
    Here are the Cisco IOS commands.
    username <myuser>  privilege 15 secret 0 <mypassword>
    no username cisco
    Replace <myuser> and <mypassword> with the username and password you want
    to use.
    IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
    TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
    For more information about Cisco CP please follow the instructions in the
    QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
    ^C
    line con 0
     password 7 13041406025D52
    line aux 0
     exec-timeout 0 1
     no exec
    line 2
     no activation-character
     no exec
     transport preferred none
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line vty 0 4
     access-class 23 in
     privilege level 15
     password 7 094D4D1D105441
     transport input telnet ssh
    line vty 5 15
     access-class 23 in
     privilege level 15
     transport input telnet ssh
    scheduler allocate 20000 1000
    ntp master
    ntp server 10.10.36.1
    end
    Please I need a quick response
    Thank you.

    Can you change the interface to the outside interface in this command?
    ip nat inside source list LAN_NAT_POLICY interface GigabitEthernet0/1.1 ov
    Can you try the command below:
    ip nat inside source list LAN_NAT_POLICY interface GigabitEthernet0/0 ov
    Regards
    PrajithTR
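    The mismatch the answer points out (the NAT rule names an `ip nat inside` sub-interface instead of the `ip nat outside` interface) can be checked mechanically before a config is deployed. The following Python sketch is an added example, not part of the thread; the sample config is constructed from the posted one, with a documentation-range address in place of the masked one, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the posted config; 192.0.2.58 stands in for the masked address.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.0.2.58 255.255.255.248
 ip nat outside
interface GigabitEthernet0/1
 no ip address
 ip nat inside
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 10.10.36.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
 ip address 10.1.1.1 255.255.255.0
ip nat inside source list LAN_NAT_POLICY interface GigabitEthernet0/1.1 overload
"""

def parse_interfaces(config):
    """Return {interface name: {'nat': 'inside' | 'outside' | None, 'has_ip': bool}}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = {"nat": None, "has_ip": False}
        elif current and line.startswith(" "):
            stmt = line.strip()
            if stmt in ("ip nat inside", "ip nat outside"):
                interfaces[current]["nat"] = stmt.split()[-1]
            elif stmt.startswith("ip address "):
                interfaces[current]["has_ip"] = True
        else:
            current = None  # back at global configuration level
    return interfaces

def audit_nat(config):
    """Return findings where NAT rules and interface NAT roles disagree."""
    interfaces = parse_interfaces(config)
    findings = []
    for m in re.finditer(r"^ip nat inside source .*\binterface (\S+)", config, re.M):
        name = m.group(1)
        role = interfaces.get(name, {}).get("nat")
        if role != "outside":
            marked = f"marked 'ip nat {role}'" if role else "without a NAT role"
            findings.append(f"NAT rule translates to the address of {name}, "
                            f"which is {marked}, not 'ip nat outside'")
    # Informational: traffic is only translated when it enters via an 'ip nat inside' interface.
    for name, info in interfaces.items():
        if info["has_ip"] and info["nat"] is None:
            findings.append(f"{name} has an IP address but no NAT role")
    return findings

if __name__ == "__main__":
    for finding in audit_nat(SAMPLE_CONFIG):
        print(finding)
```

    On the sample it reports the rule pointing at GigabitEthernet0/1.1 and also that GigabitEthernet0/1.100 carries no NAT role; after the change suggested in the answer only the second finding remains.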
