7200 intervlan routing question

Hi experts, look at this.
I have a 7200 router connected to a switch with two Gigabit interfaces, trunk dot1q.
My problem is I lost traffic in my LAN, physical problems are discarded.
Can this be the source of the problem, two uplink trunks with the same switch?
This is my config.
interface GigabitEthernet0/2
no ip address
no ip unreachables
no ip route-cache cef
no ip route-cache
load-interval 30
duplex full
speed 1000
media-type rj45
negotiation auto
no cdp enable
interface GigabitEthernet0/2.1
encapsulation dot1Q 1 native
ip address 200.235.110.1 255.255.255.192
no ip unreachables
no ip route-cache
no cdp enable
interface GigabitEthernet0/2.2
encapsulation dot1Q 2
ip address 200.235.110.65 255.255.255.224
no ip unreachables
no ip route-cache
ipv6 address 2910:1F0:FEFE:FEFE::1/48
no cdp enable
interface GigabitEthernet0/2.3
encapsulation dot1Q 3
ip address 200.235.110.97 255.255.255.224
no ip unreachables
no ip route-cache
no cdp enable
interface GigabitEthernet0/3
no ip address
no ip unreachables
no ip route-cache cef
no ip route-cache
load-interval 30
duplex auto
speed auto
media-type rj45
negotiation auto
no cdp enable
interface GigabitEthernet0/3.1
encapsulation dot1Q 23
ip address 200.230.64.41 255.255.255.252
no ip route-cache
no cdp enable
interface GigabitEthernet0/3.24
encapsulation dot1Q 24
ip address 200.235.110.201 255.255.255.248
no ip route-cache
no cdp enable
debug arp
*Feb 28 11:18:46.270: IP ARP: rcvd req src 206.23.14.139 0022.90f8.388e, dst 206.23.14.178 GigabitEthernet0/1
*Feb 28 11:18:46.294: IP ARP: rcvd req src 206.23.14.135 001e.f7f6.6280, dst 206.23.14.178 GigabitEthernet0/1
*Feb 28 11:18:46.294: IP ARP req filtered src 192.168.1.201 0030.48d8.5f80, dst 192.168.1.201 0000.0000.0000 wrong cable, interface GigabitEthernet0/2.11
*Feb 28 11:18:46.578: IP ARP: creating incomplete entry for IP address: 200.235.110.16 interface GigabitEthernet0/2.19
*Feb 28 11:18:46.578: IP ARP: sent req src 200.235.110.254 001a.2fe1.c71a,
                 dst 200.235.110.16 0000.0000.0000 GigabitEthernet0/2.19
*Feb 28 11:18:46.646: IP ARP: sent req src 200.235.119.254 001a.2fe1.c71a,
                 dst 200.25.9.84 0000.0000.0000 GigabitEthernet0/2.19
*Feb 28 11:18:46.670: IP ARP throttled out the ARP Request for 200.235.225.25
*Feb 28 11:18:46.670: IP ARP throttled out the ARP Request for 200.235.226.26
*Feb 28 11:18:46.710: IP ARP: sent req src 200.235.209.254 001a.2fe1.c71a,
                 dst 200.25.9.140 0000.0000.0000 GigabitEthernet0/2.19
*Feb 28 11:18:46.738: IP ARP: sent req src 200.235.224.1 001a.2fe1.c71a,
                 dst 200.25.24.51 0000.0000.0000 GigabitEthernet0/2.20
*Feb 28 11:18:46.742: IP ARP throttled out the ARP Request for 200.235.229.84
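
Added example, not part of the original post: a small Python parser that triages the `debug arp` output above by event type and interface, so that filtered ("wrong cable") requests, throttled requests, and the source addresses the router uses on each subinterface stand out. The function and field names are this example's own; the input is the log text exactly as posted.

```python
import re
from collections import Counter, defaultdict

# The `debug arp` lines from the post, unchanged.
SAMPLE = """\
*Feb 28 11:18:46.270: IP ARP: rcvd req src 206.23.14.139 0022.90f8.388e, dst 206.23.14.178 GigabitEthernet0/1
*Feb 28 11:18:46.294: IP ARP: rcvd req src 206.23.14.135 001e.f7f6.6280, dst 206.23.14.178 GigabitEthernet0/1
*Feb 28 11:18:46.294: IP ARP req filtered src 192.168.1.201 0030.48d8.5f80, dst 192.168.1.201 0000.0000.0000 wrong cable, interface GigabitEthernet0/2.11
*Feb 28 11:18:46.578: IP ARP: creating incomplete entry for IP address: 200.235.110.16 interface GigabitEthernet0/2.19
*Feb 28 11:18:46.578: IP ARP: sent req src 200.235.110.254 001a.2fe1.c71a,
                 dst 200.235.110.16 0000.0000.0000 GigabitEthernet0/2.19
*Feb 28 11:18:46.646: IP ARP: sent req src 200.235.119.254 001a.2fe1.c71a,
                 dst 200.25.9.84 0000.0000.0000 GigabitEthernet0/2.19
*Feb 28 11:18:46.670: IP ARP throttled out the ARP Request for 200.235.225.25
*Feb 28 11:18:46.670: IP ARP throttled out the ARP Request for 200.235.226.26
*Feb 28 11:18:46.710: IP ARP: sent req src 200.235.209.254 001a.2fe1.c71a,
                 dst 200.25.9.140 0000.0000.0000 GigabitEthernet0/2.19
*Feb 28 11:18:46.738: IP ARP: sent req src 200.235.224.1 001a.2fe1.c71a,
                 dst 200.25.24.51 0000.0000.0000 GigabitEthernet0/2.20
*Feb 28 11:18:46.742: IP ARP throttled out the ARP Request for 200.235.229.84
"""

# Timestamp prefix such as "*Feb 28 11:18:46.270: ".
STAMP = re.compile(r"^\*\w{3}\s+\d+\s+[\d:.]+:\s+")

# One pattern per message shape that appears in the post.
PATTERNS = [
    ("rcvd_req", re.compile(
        r"IP ARP: rcvd req src (?P<src>\S+) (?P<smac>\S+), dst (?P<dst>\S+) (?P<ifname>\S+)$")),
    # IOS logs "wrong cable" when it drops an ARP request whose source IP is
    # not in a subnet configured on the receiving interface.
    ("filtered", re.compile(
        r"IP ARP req filtered src (?P<src>\S+) (?P<smac>\S+), dst (?P<dst>\S+) \S+ "
        r"(?P<reason>.+), interface (?P<ifname>\S+)$")),
    ("incomplete", re.compile(
        r"IP ARP: creating incomplete entry for IP address: (?P<dst>\S+) interface (?P<ifname>\S+)$")),
    ("sent_req", re.compile(
        r"IP ARP: sent req src (?P<src>\S+) (?P<smac>\S+), dst (?P<dst>\S+) \S+ (?P<ifname>\S+)$")),
    ("throttled", re.compile(
        r"IP ARP throttled out the ARP Request for (?P<dst>\S+)$")),
]


def unfold(text):
    """Join wrapped continuation lines onto the timestamped line they belong to."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        stamp = STAMP.match(line)
        if stamp:
            records.append(line[stamp.end():])
        elif records:
            records[-1] += " " + line
    return records


def parse(text):
    """Turn each log record into a dict with a 'kind' and the captured fields."""
    events = []
    for message in unfold(text):
        for kind, pattern in PATTERNS:
            match = pattern.match(message)
            if match:
                events.append({"kind": kind, **match.groupdict()})
                break
        else:
            events.append({"kind": "other", "raw": message})
    return events


def triage(text):
    """Summarise the events an operator would look at first."""
    events = parse(text)
    sources = defaultdict(set)
    for event in events:
        if event["kind"] == "sent_req":
            sources[event["ifname"]].add(event["src"])
    return {
        "by_kind": Counter(event["kind"] for event in events),
        # (interface, source IP, True if src == dst, i.e. a gratuitous ARP)
        "wrong_cable": [(e["ifname"], e["src"], e["src"] == e["dst"])
                        for e in events
                        if e["kind"] == "filtered" and e["reason"] == "wrong cable"],
        "throttled": [e["dst"] for e in events if e["kind"] == "throttled"],
        "sources_per_interface": {name: sorted(ips) for name, ips in sources.items()},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

A source address reported as "wrong cable" on a subinterface is a host whose frames reach a VLAN that has no matching subnet on the router, which is worth tracing on the switch before looking at the trunks themselves.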

The default gateway statement does not provide routing capability. You need to create a static default route for this to happen:
ip route 0.0.0.0 0.0.0.0 164.156.24.1
However, if you are unable to ping work station to workstation that are connected to ports directly on the switch then there is another problem.
With the workstations connected are you able to ping the respective Vlan interfaces associated with these devices?
If you do a "show IP interface brief" do the VLAN interfaces indicate they are up?
Are the workstations connected to ports in the appropriate VLAN and are these interfaces up and do they have the proper default gateway (VLAN IP) configured?
All things to check at this point, and then proceed from there.

Similar Messages

  • Meaning of this show IP route output in InterVLAN routing (subnet calculation) - did i get mistaken ?

    Hi all,
    I am reading the configuration of interVLAN routing on 3750 from cisco @
    http://www.cisco.com/c/en/us/support/docs/lan-switching/inter-vlan-routing/41260-189.html
    There are 3 VLAN created on the L3 switch namely
    VLAN10 - 10.1.10.0/24 network
    VLAN 2 - 10.1.2.0/24 network
    VLAN 3 - 10.1.3.0/24 network
    But on the show IP route results (see bold red), why does it indicate that 10.0.0.0/24 is subnetted. How is it subnetted ?
    10.1.10.0/24, 10.1.2.0/24, 10.1.3.0/24 all belongs to different network are not subnet out from 10.0.0.0/24.
    How does the calculation goes ?
    Cat3550#show ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
    E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
    i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
    * - candidate default, U - per-user static route, o - ODR
    P - periodic downloaded static route
    Gateway of last resort is 200.1.1.2 to network 0.0.0.0
    200.1.1.0/30 is subnetted, 1 subnets
    C 200.1.1.0 is directly connected, FastEthernet0/48
    10.0.0.0/24 is subnetted, 3 subnets
    C 10.1.10.0 is directly connected, Vlan10
    C 10.1.3.0 is directly connected, Vlan3
    C 10.1.2.0 is directly connected, Vlan2
    S* 0.0.0.0/0 [1/0] via 200.1.1.2
    Please advise
    Regards,
    Noob

    Noob
    Jon is quite correct that in modern usage we tend to treat network and subnet as almost interchangeable. But technically there is a difference and that difference becomes significant for the kind of question that you are asking. There is no "network" 10.0.0.0/10. 10.0.0.0/10 is a subnet of the class A network 10.0.0.0/8. You are correct that 10.0.0.0/10 can be further subnetted but that does not make 10.0.0.0/10 into a "network".
    To go a step further in explaining this perhaps we can think of designing a network for a company that has offices in several cities. We might assign 10.0.0.0/10 as the network for the Chicago office, and 10.64.0.0/10 as the network for the New York office, and 10.128.0.0/10 as the network for the Atlanta office and 10.192.0.0/10 as the network for the Los Angeles office. (Note that while I called them network here they are actually subnets of class A 10.0.0.0/8) Within each city we might further subnet their block of addresses to create multiple subnets for each city.
    It might help to think about how Cisco organizes the routing table to support the routing function. When a router receives a packet and needs to make a forwarding decision it searches the routing table looking for the longest match. In functional terms what it is doing is to identify what network the packet belongs to and then to determine whether that network has been subnetted, and if so to which subnet does the packet go. So Cisco organizes the routing table to identify the network on one line and then to identify the subnets on lines below the network line. So in your original post the line in red
     10.0.0.0/24 is subnetted, 3 subnets
    is telling us about the network and the lines below it are telling us about the subnets that it knows of that network.
    It also seems that you are looking at 10.0.0.0/24 as if that were a single piece of information indicating that 10.0.0.0/24 is present in the routing table. That is not what is actually indicated. There are two separate and distinct pieces of information in that.
    1) the network is 10.0.0.0 (a class A network)
    2) the network is subnetted consistently using a /24 mask
    HTH
    Rick
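
Added example, not part of Rick's reply or of Cisco's code: a Python sketch of the two-level layout described above, which groups the connected routes from the question under their classful network and produces the same header lines as the posted `show ip route` output. Function names are this example's own, and the "variably subnetted" wording is the form IOS prints when the subnets of one major network use more than one mask.

```python
import ipaddress
from collections import defaultdict

# Connected routes copied from the `show ip route` output in the question.
CONNECTED = [
    ("200.1.1.0/30", "FastEthernet0/48"),
    ("10.1.10.0/24", "Vlan10"),
    ("10.1.3.0/24", "Vlan3"),
    ("10.1.2.0/24", "Vlan2"),
]


def classful_network(address):
    """Return the class A/B/C major network that contains an IPv4 address."""
    first_octet = int(ipaddress.IPv4Address(address)) >> 24
    if first_octet < 128:
        prefix = 8       # class A
    elif first_octet < 192:
        prefix = 16      # class B
    elif first_octet < 224:
        prefix = 24      # class C
    else:
        raise ValueError(f"{address} is class D/E and has no classful network")
    return ipaddress.ip_network(f"{address}/{prefix}", strict=False)


def group_by_major(routes):
    """Map each major network to the (subnet, interface) pairs known under it."""
    groups = defaultdict(list)
    for prefix, interface in routes:
        subnet = ipaddress.ip_network(prefix)
        groups[classful_network(subnet.network_address)].append((subnet, interface))
    return dict(groups)


def header_line(major, subnets):
    """Build the parent line: major network address plus the subnet mask in use."""
    masks = {subnet.prefixlen for subnet, _ in subnets}
    if masks == {major.prefixlen}:
        return None  # the major network itself is in the table, nothing to summarise
    if len(masks) == 1:
        # Two separate facts on one line: the network, and the single mask
        # that all of its known subnets share.
        return f"{major.network_address}/{masks.pop()} is subnetted, {len(subnets)} subnets"
    return (f"{major.network_address}/{major.prefixlen} is variably subnetted, "
            f"{len(subnets)} subnets, {len(masks)} masks")


def render(routes):
    """Produce the header and child lines in the order the routes were given."""
    lines = []
    for major, subnets in group_by_major(routes).items():
        header = header_line(major, subnets)
        if header:
            lines.append(header)
        for subnet, interface in subnets:
            lines.append(f"C {subnet.network_address} is directly connected, {interface}")
    return lines


def find_subnet(groups, destination):
    """Two-step lookup: pick the major network, then the longest matching subnet."""
    dest = ipaddress.ip_address(destination)
    candidates = [(subnet, interface)
                  for subnet, interface in groups.get(classful_network(dest), [])
                  if dest in subnet]
    if not candidates:
        return None  # known major network, but no subnet covers this address
    return max(candidates, key=lambda pair: pair[0].prefixlen)


if __name__ == "__main__":
    print("\n".join(render(CONNECTED)))
```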

  • Best practice for intervlan routing?

    are there some best practices for intervlan routing ?
    I've been reading a lot and I have seen these scenarios
    router on a stick
    intervlan at core layer
    intervlan at distribution layer.
    or is intervlan needed at all if the switches will do the routing?
    I've done all of the above but I just want to know what's current.

    The simple answer is it depends because there is no one right solution for everyone. 
    So there are no specific best practices. For example in a small setup where you may only need a couple of vlans you could use a L2 switch connected to a router or firewall using subinterfaces to route between the vlans.
    But that is not a scalable solution. The commonest approach in any network where there are multiple vlans is to use L3 switches to do this. This could be a pair of switches interconnected and using HSRP/GLBP/VRRP for the vlans or it could be stacked switches/VSS etc. You would then dual connect your access layer switches to them.
    In terms of core/distro/access layer in general if you have separate switches performing each function you would have the inter vlan routing done on the distribution switches for all the vlans on the access layer switches. The core switches would be used to route between the distribution switches and other devices eg. WAN routers, firewalls, maybe other distribution switch pairs.
    Again, generally speaking, you may well not need vlans on the core switches at all ie. you can simply use routed links between the core switches and everything else. 
    The above is quite a common setup but there are variations eg. -
    1) a collapsed core design where the core and distribution switches are the same pair. For a single building with maybe a WAN connection plus internet this is quite a common design because having a completely separate core is usually quite hard to justify in terms of cost etc.
    2) a routed access layer. Here the access layer switches are L3 and the vlans are routed at the access layer. In this instance you may not even need vlans on the distribution switches although again to save cost often servers are deployed onto those switches so you may.
    So a lot of it comes down to the size of the network and the budget involved as to which solution you go with.
    All of the above is really concerned with non DC environments.
    In the DC the traditional core/distro or aggregation/access layer was also used and still is widely deployed but in relatively recent times new designs and technologies are changing the environment which could have a big impact on vlans.
    It's mainly to do with network virtualisation, where the vlans are defined and where they are not only routed but where the network services such as firewalling, load balancing etc. are performed.
    It's quite a big subject so i didn't want to confuse the general answer by going into it but feel free to ask if you want more details.
    Jon

  • Need help InterVlan Routing on SF300-24P? .

    Hello
    I really need help with inter-VLAN routing via Kerio Control 7.4.1.
    I have several SF300-24P switches (IOS 1.3.0.62) and I have created several VLANs.
    Vlans: Vlan 10, 100, 200 and interface vlan 213 (for management).
    I can ping hosts in the same Vlan via these switches. From switch to host, the port is in access mode, and between switches the ports are in trunk mode
    (also I had a problem here, the trunk wasn't working until I used the command: switchport trunk allowed vlan add all).
    Also the port is in trunk mode between KERIO and SW1 (switch). The interface is in TRUNK mode on the switch's side because I don't know how to configure interface TRUNK mode on Kerio.
    On Kerio I have configured one physical interface with IP - 172.16.0.1 255.255.255.0 and on the same interface I have created
    VLAN 10, VLAN 100 and VLAN 200.
    Static IPs for these interfaces:
    10.0.0.1 255.255.255.0 VLAN 10
    192.168.100.1 255.255.255.0 VLAN 100
    192.168.200.1 255.255.255.0 VLAN 200
    On KERIO I have created a DHCP lease for each VLAN, but I cannot get IPs from DHCP. So I assigned static IPs to computers
    (for example for the VLAN 100 PC, VLAN 200 PC and so on) but they cannot ping each other when they are in different VLANs, so inter-VLAN routing is not working. But with a static IP on the PC, I can ping every VLAN's IP address on KERIO.
    So please tell me how I must configure inter-VLAN routing on Kerio, is it possible?
    Or what must I do? Where is my mistake? Maybe when I put an IP on the physical interface?
    Here are my configs, and please help and give me a config example.
    config-file-header
    SW1
    v1.3.0.62 / R750_NIK_1_3_647_260
    CLI v1.0
    set system mode switch
    file SSD indicator plaintext
    vlan database
    vlan 10,100,200,213
    exit
    voice vlan oui-table add 0001e3 Siemens_AG_phone________
    voice vlan oui-table add 00036b Cisco_phone_____________
    voice vlan oui-table add 00096e Avaya___________________
    voice vlan oui-table add 000fe2 H3C_Aolynk______________
    voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
    voice vlan oui-table add 00d01e Pingtel_phone___________
    voice vlan oui-table add 00e075 Polycom/Veritel_phone___
    voice vlan oui-table add 00e0bb 3Com_phone______________
    hostname SW1
    username administrator password encrypted 7fc3774d79570c81cda124d5dcf80b8ae0fcdd6c privilege 15
    username cisco password encrypted 1defefd1f4a214009775b2c2b6b961a77da384b5 privilege 15
    interface vlan 10
    name Staff
    interface vlan 100
    name Cards
    interface vlan 200
    name AP's
    interface vlan 213
    name Management
    ip address 172.16.213.1 255.255.255.0
    no ip address dhcp
    interface fastethernet1
    description MANAGEMENT-VLAN
    spanning-tree disable
    switchport mode access
    switchport access vlan 213
    interface fastethernet2
    spanning-tree disable
    switchport mode general
    switchport general acceptable-frame-type untagged-only
    interface fastethernet3
    spanning-tree disable
    switchport mode general
    switchport general acceptable-frame-type untagged-only
    interface fastethernet4
    spanning-tree disable
    switchport mode access
    switchport access vlan 200
    interface fastethernet5
    spanning-tree disable
    switchport mode access
    switchport access vlan 200
    interface fastethernet6
    spanning-tree disable
    switchport mode access
    switchport access vlan 100
    interface fastethernet7
    spanning-tree disable
    switchport mode access
    switchport access vlan 100
    interface gigabitethernet1
    description Direction-To-SW2       <--- This port is Trunk, but its not showing here for some reason.
    spanning-tree disable
    interface gigabitethernet2
    description Direction-To-KERIO  <--- This port is Trunk also.   i used: switchport mode trunk on both interfaces
    spanning-tree disable
    exit
    banner login 
    SW1
    config-file-header
    SW2
    v1.3.0.62 / R750_NIK_1_3_647_260
    CLI v1.0
    set system mode switch
    file SSD indicator encrypted
    ssd-control-start
    ssd config
    ssd file passphrase control unrestricted
    no ssd file integrity control
    ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
    vlan database
    vlan 10,100,200,213
    exit
    voice vlan oui-table add 0001e3 Siemens_AG_phone________
    voice vlan oui-table add 00036b Cisco_phone_____________
    voice vlan oui-table add 00096e Avaya___________________
    voice vlan oui-table add 000fe2 H3C_Aolynk______________
    voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
    voice vlan oui-table add 00d01e Pingtel_phone___________
    voice vlan oui-table add 00e075 Polycom/Veritel_phone___
    voice vlan oui-table add 00e0bb 3Com_phone______________
    hostname SW2
    username administrator password encrypted 7fc3774d79570c81cda124d5dcf80b8ae0fcdd6c privilege 15
    username cisco password encrypted 1defefd1f4a214009775b2c2b6b961a77da384b5 privilege 15
    interface vlan 10
    name Staff
    interface vlan 100
    name Cards
    interface vlan 200
    name AP's
    interface vlan 213
    name Management
    ip address 172.16.213.2 255.255.255.0
    no ip address dhcp
    interface fastethernet1
    description MANAGEMENT-VLAN
    spanning-tree disable
    switchport mode access
    switchport access vlan 213
    interface fastethernet2
    spanning-tree disable
    switchport mode general
    switchport general acceptable-frame-type untagged-only
    interface fastethernet3
    spanning-tree disable
    switchport mode general
    switchport general acceptable-frame-type untagged-only
    interface fastethernet4
    spanning-tree disable
    switchport mode access
    switchport access vlan 200
    interface fastethernet5
    spanning-tree disable
    switchport mode access
    switchport access vlan 200
    interface fastethernet6
    spanning-tree disable
    switchport mode access
    switchport access vlan 100
    interface fastethernet7
    spanning-tree disable
    switchport mode access
    switchport access vlan 100
    interface fastethernet8
    spanning-tree disable
    switchport mode access
    switchport access vlan 100
    interface gigabitethernet1
    description Direction-To-SW1    <--- This port is Trunk also.   i used: switchport mode trunk
    exit
    banner login 
    SW2
    I have excluded many interfaces because they have the same configs.

    Yes, Kerio is capable of routing. I wanted to make inter-VLAN routing work via Kerio Control, but I can't, and that's why I asked here; I need to know the reason.
    I have modified 1 switch to L3, and inter-VLAN routing is now working (without Kerio) and I hope these switches don't have a problem when they are DHCP servers also.
    Thanks for the help. I hope I did not have many mistakes in the config.

  • SGE2010 layer 3 problem with intervlan routing setup

    I am new to the small business switches and could use some assistance in configuring intervlan routing between multiple vlans on the switch. I have changed the mode to layer 3 and setup the vlans. When I enter an IP address for VLAN2, I am disconnecting from the configuration interface (VLAN1 ip) on the switch and I cannot access the switch unless I reset it. I have tried this several times and each time it behaves the same. Is there something else I need to setup before configuring the ip address for the other VLANs?

    Hi Jacqueline,
    Thank you for participating in the Small Business support community. My name is Nico Muselle from Cisco Sofia SBSC.
    This is the normal way for the switch to behave. There are 2 ways to work around this.
    You assign a port to VLAN2. After configuration of the IP address, you connect your PC to this port and make sure it is in the same subnet as the VLAN 2 IP address.
    You assign a static IP to the default vlan first and make sure your connected PC is in the same subnet.
    The reason for this behaviour is that the switch has its DHCP client enabled; if no DHCP server is available it will revert to its default IP 192.168.1.254 (through which I assume you connect for configuration).
    However, once you configure a static IP on the switch, the DHCP client and the default IP are disabled, which means that the IP address obtained from the DHCP or the default IP of 192.168.1.254 are no longer reachable.
    I would go with step 2, as this is the easiest workaround for your issue and you would want a static IP in the default VLAN anyway I suppose.
    Hope this helps !
    Best regards,
    Nico Muselle
    Sr. Network Engineer - CCNA

  • OSPF with InterVlan Routing

    Dear All,
    Please help me about it ...
    The same network I have designed and it is working fine on RIPv2, but I want it on OSPF; it works on Packet Tracer but not on GNS3. In this diagram there are multiple areas and there are three ABRs connected to the backbone area. The other interfaces are in area1, area2 and area3 respectively, and on that side I need the intervlan routing.
    Is it possible in OSPF the same as in the diagram?
    What type of OSPF (Point to Point or Point to Multipoint) will be required, as R1 is the backbone router further connected with the Internet on BGP?
    Please sir, advise me about it.
    Thanks
    Best Regards
    Ali Khan

    Hi Jon,
    Thank you very much,
    1) The link between the ABRs and R1 is the wireless 1.4gig bridge link over a 5 km distance and the interface is configured with ip ospf network point-to-point.
    2) On Packet Tracer all the neighbours are displayed with their router-id, even on GNS3, but it does not show the routes of other interfaces like area 1 or area 2. That means the backbone router does not show the routes of other areas (area 1 or area 2 and area 3).
    3) I have tried a lot and I don't think that I missed any route, but the backbone area does not show the routes of the subinterfaces (for Vlan, Router on the Stack).
    Thanks
    Ali

  • No 'ip routing' command on switch and yet intervlan routing.

    Hi,
    In my company's 4500 switch I see there is intervlan routing configured for the 4 Vlans it has but I do not see any 'ip routing' command on it
    to enable routing on the switch. Can a switch route even though the command isn't there?

    Ran the 'show run all' command and it was there. Thought 'sh run | i ip' would display it but didn't.
    Thanks for the command.
    We just turned enterprise. I keep forgetting that.

  • SRP 546W Intervlan Routing and ACL

    Hi,
    how can I configure Access Control Lists to manage the communication between different vlan? As I activate Intervlan Routing, all vlan members can communicate together.
    Thanks a lot.
    Thomas

    Thomas,
    Intervlan Routing on the SRP routers is all or none. You cannot choose which VLAN members can communicate with other VLANs.
    - Marty

  • Etherchannel on esw520s and intervlan routing

    Hello
    I have a couple of uc520s
    2 - esw - 520-24p
    2 - esw - 520-48p
    1 - 3560x switch
    the 3560x is our core switch. my uplinks between the core and the 4 esw. i was able to get the etherchannels configured and "working" however the fact that the vlan 1 on the esw is the native vlan, i change the native vlan to be vlan 20 and i'm really struggling with this
    I have 5 vlans configured on the 4 esw switches data, voice, management, servers, guest.
    i can't get the intervlan routing to work properly on the esw. If i configure any vlan on the 3560 i have access to the management vlan
    however if i connect my pc to any port on the esw switches i don't have access to the management vlan at all. for some reason intervlan routing isn't properly working. if i want to have access to the management vlan on the esw switches i need to assign a port on the esw to be on the management vlan
    if i use the common scenario, all the ports being voice + data, i can't manage any of the switches at all
    what else should i do to get this fixed ?
    is it something on the ether channels or am i missing something else ?
    thanks

    Hi,
    Can you put up your network in a diagrammatic representation, so that it will be helpful for better understanding.
    Ganesh.H

  • HSRP over Intervlan routing

    I am really having problem with the implementation of HSRP over intervlan routing.
    I configured the HSRP for multiple Vlans (10 & 20), but both of the routers are in Active stage. I couldn't figure out where the problem lies.
    I have two routers (Cisco AS5300) and a Cisco 2950 Switch.
    The brief configuration is as follows:
    ROUTER1:
    interface FastEthernet0/0
    no ip address
    duplex auto
    speed auto
    interface FastEthernet0/0.10
    encapsulation dot1Q 10
    ip address 192.168.0.2 255.255.255.0
    standby 1 ip 192.168.0.1
    standby 1 priority 110
    standby 1 preempt
    interface FastEthernet0/0.20
    encapsulation dot1Q 20
    ip address 192.168.1.2 255.255.255.0
    standby 2 ip 192.168.1.1
    ROUTER2:
    interface FastEthernet0/0
    no ip address
    duplex auto
    speed auto
    interface FastEthernet0/0.10
    encapsulation dot1Q 10
    ip address 192.168.0.3 255.255.255.0
    standby 1 ip 192.168.0.1
    interface FastEthernet0/0.20
    encapsulation dot1Q 20
    ip address 192.168.1.3 255.255.255.0
    standby 2 ip 192.168.1.1
    standby 2 priority 110
    standby 2 preempt
    SWITCH:
    In the trunk ports, I have configured,
    (config-if)# switchport trunk encapsulation dot1q  native vlan 1
    (config-if)# switchport mode trunk 
    Hoping for  favourable responses from you mentors.
    Regards,
    Ganesh Dhungana

    Ganesh Dhungana wrote: I have two routers which are connected to the switch. Cisco 2950 is just there for the intervlan routing. Doesn't it support the intervlan routing?? I have configured the HSRP on two Cisco AS5300 Routers. Darren, I am not clear with your logic, would you please clarify me? Regards, Ganesh
    Sorry, I mis-read your original post - I thought you were trying to use the 2950 in the HSRP group. And I thought you typed ASA5530, not AS5530. Two strikes for me. Mea Culpa.
    Have you actually created VLAN 10 and VLAN 20 on your switch? I don't believe the switch will trunk tagged frames unless the VLAN's actually exist.
    Also, the documentation I've found on the AS5300 (I've never used one) seems to indicate you should put the command "standby name " into your configuration - although that may only be needed for IPSec VPN configurations on the AS5300 - see
    http://www.cisco.com/en/US/docs/ios/12_1/12_1e9/feature/guide/ft_ipsha.html for what I'm talking about.
    Sorry for the original screw up - teach me to read and try to reply coherently after a 12 hour shift!
    Cheers.

  • InterVlan Routing and an ASA5520

    Hey Guys,
    I'm having problems getting something to work. First off, let me give you the topology and the configs:
    Config R1
    Vlan Database:
    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa1/1, Fa1/2, Fa1/3, Fa1/4
                                                    Fa1/5, Fa1/6, Fa1/7, Fa1/8
                                                    Fa1/9, Fa1/10
    10   SERVER                           active    Fa1/14
    30   CLIENTS                          active    Fa1/13
    100  Inside                           active
    101  LIFESIZE                         active    Fa1/12
    250  Mgmt                             active    Fa1/11
    1000 Outside                          active    Fa1/15
    1002 fddi-default                     active
    1003 token-ring-default               active
    1004 fddinet-default                  active
    1005 trnet-default                    active
    Trunks:
    Port      Mode         Encapsulation  Status        Native vlan
    Fa1/0     on           802.1q         trunking      1
    Port      Vlans allowed on trunk
    Fa1/0     1-1005
    Port      Vlans allowed and active in management domain
    Fa1/0     1,10,30,100-101,250,1000
    Port      Vlans in spanning tree forwarding state and not pruned
    Fa1/0     1,10,30,100-101,250,1000
    Running Config:
    interface FastEthernet1/0
     switchport mode trunk
    interface FastEthernet1/11
     switchport access vlan 250
     duplex full
     speed 100
     spanning-tree portfast
    !
    interface FastEthernet1/12
     switchport access vlan 101
     duplex full
     speed 100
     spanning-tree portfast
    !
    interface FastEthernet1/13
     switchport access vlan 30
     duplex full
     speed 100
     spanning-tree portfast
    !
    interface FastEthernet1/14
     switchport access vlan 10
     duplex full
     speed 100
     spanning-tree portfast
    !
    interface FastEthernet1/15
     switchport access vlan 1000
    !
    interface Vlan1
     no ip address
    !
    interface Vlan10
     description SERVER
     no ip address
    !
    interface Vlan20
     description DRUCKER
     ip address 10.11.20.254 255.255.255.0
    !
    interface Vlan30
     description CLIENTS
     ip address 10.11.30.254 255.255.255.0
    !
    interface Vlan101
     description LifeSize
     no ip address
    !
    interface Vlan250
     description Management
     ip address 10.11.250.254 255.255.255.0
    !
    ip default-gateway 10.11.250.251
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 10.11.250.251
    ip route 10.0.0.0 255.0.0.0 10.11.250.251
    Config ASA:
    ASA Version 8.4(2)
    !
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface GigabitEthernet0
     nameif Outside
     security-level 0
     ip address 186.89.54.20 255.255.255.248
    !
    interface GigabitEthernet1
     description Trunk to SW
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet1.10
     vlan 10
     nameif Server
     security-level 100
     ip address 10.11.10.251 255.255.255.0
    !
    interface GigabitEthernet1.30
     vlan 30
     nameif Clients
     security-level 100
     ip address 10.11.30.251 255.255.255.0
    !
    interface GigabitEthernet1.101
     vlan 101
     nameif DMZ
     security-level 50
     ip address 10.11.101.251 255.255.255.0
    !
    interface GigabitEthernet1.250
     vlan 250
     nameif Mgmt
     security-level 100
     ip address 10.11.250.251 255.255.255.0
    !
    interface GigabitEthernet2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet5
     nameif Martin
     security-level 100
     ip address 10.11.15.254 255.255.255.0
    !
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list global_access extended permit ip any any
    access-list Clients_access_in extended deny ip any 10.11.101.0 255.255.255.0 inactive
    access-list Clients_access_in extended permit ip any 10.11.10.0 255.255.255.0 inactive
    access-list Server_access_in extended permit ip any any
    access-list Server_access_in extended deny ip 10.11.250.0 255.255.255.0 10.11.250.0 255.255.255.0 inactive
    access-list Mgmt_access_in extended deny icmp any 10.11.10.0 255.255.255.0 inactive
    access-list Mgmt_access_in extended permit ip any any inactive
    pager lines 24
    logging enable
    logging buffered debugging
    mtu Outside 1500
    mtu Server 1500
    mtu Clients 1500
    mtu DMZ 1500
    mtu Mgmt 1500
    mtu Martin 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-702.bin
    no asdm history enable
    arp timeout 14400
    access-group Server_access_in in interface Server
    access-group Clients_access_in in interface Clients
    access-group Mgmt_access_in in interface Mgmt
    access-group global_access global
    route Mgmt 10.11.0.0 255.255.0.0 10.11.250.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 10.0.0.0 255.0.0.0 Martin
    http 10.11.250.0 255.255.255.0 Mgmt
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access Mgmt
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    !
    class-map global-class
     match default-inspection-traffic
    !
    !
    policy-map global-policy
     class global-class
      inspect dns
      inspect ftp
      inspect http
      inspect icmp
      inspect icmp error
      inspect rtsp
      inspect sip
      inspect snmp
      inspect tftp
    !
    service-policy global-policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    crashinfo save disable
    Cryptochecksum:e5a96d671ff3b5453c8f1de5c39f1f63
    : end
    Problem:
    What I'm planning is, having an InterVlan routed network that is done by the switch and only certain Networks should be protected by the ASA.
    The Networks that should not be protected will have the GW of the L3 SVI
    The protected hosts will have the GW of the ASA and send their traffic there first
    The ASA has a Trunk to the Switch receiving all L2 Vlans from there (E1)
    The ASA has an Interface called Mgmt to which it can send all the traffic back (Asymmetric Routing problem?)
    The Inside (called Mgmt, sorry for the confusion) has a default route pointing to the Switch R1
    Mgmt 10.11.0.0 255.255.0.0 10.11.250.254
    I'm stuck with the basics
    What won't work:
    From R1 I can ping the Mgmt and Client networks but not Server and DMZ.
    Pinging from R1 (10.11.250.254) to the ASA Server interface (10.11.10.251) gives me this teardown, but I have a global permit any any?
    %ASA-6-302021: Teardown ICMP connection for faddr 10.11.250.254/20 gaddr 10.11.10.251/0 laddr 10.11.10.251/0
    %ASA-7-609002: Teardown local-host Mgmt:10.11.250.254 duration 0:00:03
    %ASA-7-609002: Teardown local-host identity:10.11.10.251 duration 0:00:03
    R2 (Server host) has the ASA as the gateway for its interface and it can ping it. But when I'm trying to ping another interface on the ASA that I can ping from R1, it's like it is not even reaching the ASA. I can see no traffic at all.
    Can somebody tell me what I'm doing wrong and why? I'm getting a little bit frustrated since I've been working on this for quite some time but I fail to get it working properly.
    Cheers

    I'm very sorry I'm responding so late; I've been very busy lately.
    This forum doesn't show the topology diagram I posted, so let me try that again first:
    Now, as you can see, R2 has the GW of the ASA, which is 10.11.10.251/24. R1 is the L3 switch and doesn't have an interface IP for the Server and DMZ, but a default-gateway and default-network pointing to 10.11.250.251/24, which is the Mgmt interface of the ASA. Additionally, it has a trunk port to the ASA to pass all L2 VLANs.
    The ASA can ping all L3-Vlans of the Switch R1 e.g. 10.11.30.254/24 and the host 10.11.30.5/24
    The L3-Switch can only ping the Mgmt to which it is directly connected and in the same Network 10.11.250.0/24 but not all other Interfaces
    Pinging from 10.11.250.254/24 (L3 interface of R1) to 10.11.10.251/24 (Server interface of the ASA) gives me this logging output:
    %ASA-6-302021: Teardown ICMP connection for faddr 10.11.250.254/3 gaddr 10.11.10.251/0 laddr 10.11.10.251/0
    %ASA-7-609002: Teardown local-host Mgmt:10.11.250.254 duration 0:00:05
    %ASA-7-609002: Teardown local-host identity:10.11.10.251 duration 0:00:05
    And that is the major problem for me right now. I don't know what I'm doing wrong.
    Thx

  • Help with simple interVlan routing on L3 switch

    Hi all - I just can't get my head around this really simple interVlan routing issue.  I have two VLANs (1 & 6) on a 3560 L3 switch.  I simply need to route between them.  Here is how I have it set up:
    Firewall is the VLAN1 client's default gateway:
    10.10.22.1 /255.255.255.0
    3560switch config:
    ip subnet-zero
    ip routing
    VLAN1:
    (hosts on 10.10.22.x/255.255.255.0; gateway 10.10.22.1)
    int vlan1
    ip address 10.10.22.254 255.255.255.0
    no shutdown
    VLAN6: (hosts on 192.168.25.x/255.255.255.0; gateway 192.168.25.1)
    ip address 192.168.25.1 255.255.255.0
    no shutdown
    ip classless
    int gi0/31 (an available unused port)
    no switchport
    ip address ?.?.?.?
    no shutdown
    Is the issue that all my 10.10.22.x clients are going to 10.10.22.1 trying to find 192.168.25.x, when they would need to go to 10.10.22.254; then the switch should have an ip route of 0.0.0.0 0.0.0.0 10.10.22.1? Then give the router on gi0/31 the 10.10.22.254 address?
    (as a side note, it would be easier for me to change the gateway's IP than to change each VLAN1 client's IP.)
    Thanks for any help!

    Hi,
    With the above configuration, vlan 1 users will be going to the firewall, and if they want to reach vlan 6 the firewall should have a rule to permit the vlan 6 subnet and a route towards the vlan 6 interface, which is not there in your network.
    Just clarify a few things: do you want the firewall to come into the picture for all traffic that goes between vlans or not? And on interface gi0/31 you will be connecting a router; is this router also sending traffic to the outside world? If yes, then you need to change some design configuration to route the traffic from the vlans to the outside world.
    If you want only inter-vlan routing between vlan 1 and vlan 6 via the firewall, then make another zone in the firewall and place it in vlan 6, with an IP address as given in vlan 1, so that vlan 6 users can point traffic towards the vlan 6 interface of the firewall; in the firewall just permit the vlan 6 communication with vlan 1 and drop a route for vlan 6 towards the switch vlan 6 interface.
    And if you don't want the firewall to come into the picture between vlans, then the best is to create three vlans, one for vlan 1, vlan 6 and an outside vlan between router and firewall, and drop a default route towards the firewall. In this case inter-vlan routing will be taken care of by the switch, and traffic towards the outside world will be scanned as per the rules given in the firewall.
    Hope to help
    If helpful do rate the post
    Ganesh.H
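
The path asymmetry behind this thread, as an added example that is not part of any post: with VLAN 1 hosts pointing at the firewall and VLAN 6 hosts pointing at the switch SVI, a stateful firewall sits in only one direction of the flow. Interface addresses are taken from the question; the `.50` host addresses and the firewall's static route to 192.168.25.0/24 are assumptions made for the illustration.

```python
import ipaddress as ip

# Interface addresses are from the post; the .50 host addresses and the
# firewall's static route to 192.168.25.0/24 are assumptions.
OWNER = {"10.10.22.50": "pc1", "10.10.22.1": "fw", "10.10.22.254": "sw3560",
         "192.168.25.1": "sw3560", "192.168.25.50": "pc6"}

def routes(vlan1_gw):
    """Routing tables as (prefix, next hop); None means directly connected."""
    return {
        "pc1": [("10.10.22.0/24", None), ("0.0.0.0/0", vlan1_gw)],
        "pc6": [("192.168.25.0/24", None), ("0.0.0.0/0", "192.168.25.1")],
        "fw": [("10.10.22.0/24", None), ("192.168.25.0/24", "10.10.22.254")],
        "sw3560": [("10.10.22.0/24", None), ("192.168.25.0/24", None),
                   ("0.0.0.0/0", "10.10.22.1")],
    }

def lookup(table, dst):
    """Longest-prefix match; returns the next-hop IP, or dst if connected."""
    best = None
    for prefix, hop in table:
        net = ip.ip_network(prefix)
        if ip.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, hop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1] or dst

def trace(tables, src, dst, max_hops=8):
    """Return the list of devices a packet from src visits on its way to dst."""
    node, path = OWNER[src], [OWNER[src]]
    while node != OWNER[dst]:
        if len(path) > max_hops:
            raise RuntimeError("routing loop")
        node = OWNER[lookup(tables[node], dst)]
        path.append(node)
    return path

def firewall_sees(vlan1_gw):
    """Forward path, return path, and whether the firewall is on both or neither."""
    t = routes(vlan1_gw)
    fwd = trace(t, "10.10.22.50", "192.168.25.50")
    ret = trace(t, "192.168.25.50", "10.10.22.50")
    return fwd, ret, ("fw" in fwd) == ("fw" in ret)
```

`firewall_sees("10.10.22.1")` reports the firewall on the forward path only, while `firewall_sees("10.10.22.254")` keeps both directions on the switch.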

  • WRVS4400N 801.Q intra-vlan routing question

    Hi all,
    I have a question in regards to the 802.1Q intervlan feature on the WRVS4400N. My goal is to set up a test network with at least 10 departmental VLAN(s). By reading the WRVS4400N's data sheet I know that it supports up to 4 VLAN(s). I decided to purchase a Linksys SRW224G4 since it can create more than 4 VLAN(s).
    With my previous Cisco experience I used to configure VLAN(s) on a Catalyst 2940 and trunk them to a Cisco 2501 series router by configuring trunk ports on the Catalyst and sub interfaces with 802.1q tagging on the routers.
    I was wondering if I could trunk 10 VLAN(s) from my SRW224G4 to my WRVS4400N?
    This is what I have tried to do so far
    On the SRW224G4 I configured 10 VLAN(s) and set port G1 as a trunk port to port 1 on my WRVS4400N.
    On my WRVS4400N I configured port 1 as a trunk port that accepts all frames.
    When I look at the LAN settings on my WRVS4400N it doesn't give me the option to configure gateways for my VLAN(s). Does this router only support 4 VLAN(s)? If it does, is there another router I can look into that has the ability to support more than 4?
    I purchased the Linksys/Cisco small business series thinking that it can provide me with the basics to create a small network. I never thought the WRVS4400N would have a 4 VLAN limitation even when I trunk VLAN(s) from a switch.
    Thanks for the input guys
    Cheers

    Hello,
    I'm new here and planning to do something similar to what you suggest.
    I also have an slm2024 on which I plan to create more than 4 vlans. I'm looking for a gigabit router to route all my network and act as dhcp server. I will connect the switch to the router by a trunk.
    In my setup only 4 of my vlans will need a dhcp server. So if my understanding is correct, the integrated dhcp will be able to serve those 4 vlans if they are created on the router. Is it correct? In this guide http://www.cisco.com/en/US/docs/routers/csbr/wrvs4400n/administration/guide/WVRS4400N_Admin_Guide_v2.pdf page 60, there is an illustration of dhcp configuration but I don't see anything allowing to select the vlan. How does it work in fact?
    In my ideal setup, I would like to distribute a different subnet by vlan. Ex: 192.168.2.0 for vlan 2; 192.168.3.0 for vlan 3; etc...
    For the other vlans I would affect static IPs.
    Is this setup possible with this router? If it's not, which other cisco router would you suggest to me?
    Thanks in advance for your answer.

  • Agent Selection/Routing Question

    Hello:
    I wanted to run a question by the group to get some feedback on a question I have surrounding Agent routing within UCCX (8.5 su4).
    Here is the setup of the environment:
    CSQ1: General
    Routing Criteria: LAA
    CSQ2: Spanish
    Routing Criteria: Most Skilled
    Agent1
    has Skills of General and Spanish. 
    Their competency is the same within both skills.
    Question: Calls are in queue for both CSQs, although the call in the Spanish CSQ has been in queue longer, and agent 1 goes ready. What's currently happening is that agent 1 is getting another call from the General queue as opposed to getting it from the Spanish queue.
    How do I ensure that agent 1 gets the call from the Spanish CSQ over the General CSQ? Each CSQ needs to keep the Routing Criteria the same.
    My thought is that it has to be one of these two items, if not a combination of both.
    Decrease the competency of all General agents to a (5) and make the Spanish competency higher than 5.
    In the script, for Spanish calls use the Set Priority node to increase Spanish queued calls to be at like a 5, to ensure all Spanish calls have a higher priority than General calls.
    Any feedback would be appreciated! 

    Hi Sean
    All calls on the system, if you are not using priority steps already, should be answered FIFO... provided that there are agents available in the queue that the first call came in (i.e. they meet the minimum competency). Competency, skills/LAA and all those algorithms only affect who gets the call, not which one is served first. The exception to that is if the competency excludes some agents from the CSQ completely.
    So a call that arrives in 'Spanish' first should be routed to agents first, as long as there are agents available. Does the same apply if the agent is 'ready' but on a call for example? E.g. call voicemail as the agent, then put a call in to Spanish, then one in General, and see which one comes through first.
    Priority will work, but will mean that Spanish calls always queue jump. Priority is absolute, so a p2 call will jump in front of all other lower-priority calls regardless of how long they have been there.
    If you just want first-come-first-served, then that's what you should have by default.
    Aaron

  • BT Infinity - HG612 and second router question

    Hi,
    I've got an odd question. I have BT Infinity and have the HG612 VDSL modem. Does anyone know if and how it can be configured to bridge its WAN connection to another router? For work I need site-to-site VPN access, which is performed by this other router. Unfortunately it needs to own the WAN address, so I need to configure the HG612 to bridge the address with it. Has anyone done this? Is the HG612 even capable of doing this?
    I can't find any user manuals on it.
    Thanks, 
    Simon

    Hi Andy and welcome
    In THIS POST Phil recently wrote.-
    "Very proud of myself this afternoon.  I'm not much of an expert when it comes to DIY but I have managed to hardwire the router from the back of my house to the office on the first floor at the front.  After much contemplation, I decided to buy some external cat5e cable and run this along the same points as the SKY feed.  The result looks pretty good and I can now get 37.5Mbps upstairs as well as down. Result."
    Phil is very friendly I am sure if you have any questions it might be worth dropping him a PM ( philt1808 ) PM = Private Message if you click on the link philt1808 in brackets on the right you'll see SEND THIS USER A PRIVATE MESSAGE click on that.
    Mention it's PC's fault you're contacting him...
    Edit this thread has some info on cables http://community.bt.com/t5/BT-Infinity/Master-Socket-gt-Modem-gt-Hub-Router-cabling/td-p/408439
    Please Click On any Text in Blue as that automatically links to information.
    PC (NDEGR)
