ACE Mod20 interface vlan
Hi,
Is it possible to set up the service-policy on the server-side VLAN interface and still have it available for clients with a client-subnet IP?
What I'm currently trying to do is reach the other side through the ACE and ping the interface VLANs in a context, but I don't get any answer.
I'm trying to reach the interface VLAN address 2.1.1.1 from a host in VLAN 1, but with no success. I can ping interface VLAN 1, though, and can also route through the module.
The setup is as simple as this:
access-list anyone line 18 extended permit ip any any
interface vlan 1
 desc client vlan
 ip address 1.1.1.1 255.255.255.0
 alias 1.1.1.2 255.255.255.0
 access-group input anyone
 service-policy input remote-mgmt
 no shutdown
interface vlan 2
 desc server vlan
 ip address 2.1.1.1 255.255.255.0
 alias 2.1.1.2 255.255.255.0
 access-group input anyone
 service-policy input remote-mgmt
 no shutdown
Greetings,
Frank
Hi Frank,
Service-policies need to be applied to the incoming/ingress interface, hence the 'input' keyword when applying them. As for ping, by design, the ACE will not allow you to ping a remote interface on the ACE. In other words, a host on VLAN 1 will be able to ping IP 1.1.1.1, but not 2.1.1.1. A host on VLAN 2 will be able to ping 2.1.1.1, but not 1.1.1.1.
Hope this helps,
Sean
Similar Messages
-
Hi All,
Simple question.
Assume we have two ACE load balancers installed in two different Catalyst 6500s.
The two Catalysts are directly connected over an L2 connection, and all the flow-state information and the redundancy heartbeat information are transmitted over this connection.
One LB is active and the second one is standby. The two load balancers process traffic for the same virtual devices, of course.
Assume now that the link is in the shutdown state.
In this case both ACE LBs will be in the Active state.
Could you please briefly describe what the impact is of having two load balancers active at the same time?
Thank you.
Hi Tom,
It looks like the VLAN and the physical interface are up. You can check the following anyway to confirm:
sh interface gi 1/4
sh interface vlan 12
In "sh interface gi 1/4 counters", do you see the "RX packets" counter increasing?
You should be able to ping 192.168.12.2 from 192.168.12.1 and vice versa. Which IP did you assign to the other peer? It should be:
ft interface vlan 12
 peer ip address 192.168.12.2 255.255.255.0
 ip address 192.168.12.1 255.255.255.0
 no shutdown
You can check "sh ft stats" as well and see if the heartbeat counters are increasing.
Regarding the other interfaces, you mention that you can't ping devices on the ACE adjacent VLANs. Are you allowing ICMP traffic? For instance:
policy-map type management first-match management
 class management
  permit
class-map type management match-any management
 match protocol icmp any
service-policy input management
Finally, did you check whether you are able to resolve mac addresses?
I hope it helps,
Olivier -
Route map cannot be applied on an interface vlan
Hi all,
could you please tell me why I can't apply a route-map on an interface vlan?
Below is my config:
SWBBO(config-if)#ip policy route-map TEST
^
% Invalid input detected at '^' marker.
Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.0(2)SE1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Fri 04-Jan-13 01:38 by prod_rel_team
ROM: Bootstrap program is C3750E boot loader
BOOTLDR: C3750E Boot Loader (C3750X-HBOOT-M) Version 12.2(53r)SE2, RELEASE SOFTWARE (fc1)
BBWMASALE01 uptime is 40 weeks, 1 day, 6 minutes
System returned to ROM by power-on
System restarted at 22:12:07 UTC Mon Feb 18 2013
System image file is "flash:/c3750e-universalk9-mz.150-2.SE1.bin"
Best regards,
James
Hi Jon,
Below is the result of sh sdm prefer. So do I need an IP Services licence to apply the route-map on the interface vlan, or do I just enter the config "sdm prefer routing" and reboot the switch?
SWBB0#sh sdm prefer
The current template is "desktop default" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 6K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 8K
number of directly-connected IPv4 hosts: 6K
number of indirect IPv4 routes: 2K
number of IPv6 multicast groups: 64
number of directly-connected IPv6 addresses: 74
number of indirect IPv6 unicast routes: 32
number of IPv4 policy based routing aces: 0
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 0.875k
number of IPv6 policy based routing aces: 0
number of IPv6 qos aces: 0
number of IPv6 security aces: 60 -
Hello friends,
We need to know if an ACE context can support many interfaces. Our need is to configure one context and place 4 VLAN interfaces inside that context
in bridge mode, VLANs 102, 201, 103 and 301. We need to bridge interface vlan 102 and 201 on the same bridge ID, the same with 103 and 301,
but all of these in the same context.
Is this an applicable setup?
Please advise me.
Yes, that is no problem.
But bridged VLANs can only exist in one context; you can't share VLANs between contexts when those VLANs are bridged.
Gilles. -
Interface Vlan is not installed in routing table
Dear All,
Today I faced a strange problem and I want to share it with you to find out what the problem is.
We have a VRF for one customer and we use an interface vlan to define the customer's branch.
The customer interface is VLAN 422 and it is defined under the customer VRF properly.
PE#sh running-config vrf V3056:RIYADHBANK
Building configuration...
Current configuration : 1321 bytes
ip vrf V3056:RIYADHBANK
rd 65000:3887
maximum routes 1400 80
route-target export 65000:5405
route-target import 65000:5405
route-target import 65000:5406
interface Vlan422
description By *****
ip vrf forwarding V3056:RIYADHBANK
ip address 172.29.12.97 255.255.255.252
service-policy input 2M_IN
PE#sh vlan id 422
VLAN Name Status Ports
422 422 active Gi3/0/11 efp_id 422
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
422 enet 100422 1500 - - - - - 0 0
Remote SPAN VLAN
Disabled
Primary Secondary Type Ports
PE#
We can see the interface vlan is up:
PE-L3Agg-Khu-107-2#sh int vlan 422 description
Interface Status Protocol Description
Vl422 up up ****
PE#
And we can see that vlan 422 belongs to the correct VRF:
PE#sh vrf V3056:RIYADHBANK
Name Default RD Protocols Interfaces
V3056:RIYADHBANK 65000:3887 ipv4 Vl627
Vl775
Vl422
PE#
When we tried to troubleshoot the customer routing we found:
PE-L3Agg-Khu-107-2#ping vrf V3056:RIYADHBANK 172.29.12.97
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.29.12.97, timeout is 2 seconds:
Success rate is 0 percent (0/5)
PE-#
We could not ping the IP address of interface vlan 422.
PE#sh ip route vrf V3056:RIYADHBANK 172.29.12.97
Routing Table: V3056:RIYADHBANK
% Subnet not in table
PE#
PE#show ip route vrf V3056:RIYADHBANK connected
Routing Table: V3056:RIYADHBANK
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 192.168.111.16 to network 0.0.0.0
172.29.0.0/16 is variably subnetted, 338 subnets, 2 masks
C 172.29.12.44/30 is directly connected, Vlan627
L 172.29.12.45/32 is directly connected, Vlan627
PE-L3Agg-Khu-107-2#
PE-L3Agg-Khu-107-2#
My question is: why is interface vlan 422 not installed in the VRF table when it is UP?
Thanks in advance!
Rashed Wardi.
What platform is this? Can you please paste the output of show version and show run?
Also, when you tested this, was int Gi3/0/11 up/up?
Best Regards,
Bheem -
WLC 5508 , AP client dhcp address different from WLAN interface VLAN subnet?
Hope the title makes sense. Here's my situation: I have multiple businesses on 1 WLC 5508; there's a LAG to my core switch with separate interfaces for each, broken up by VLANs.
My question is: if I have a WLAN set up to use interface "Company A", which is vlan 10 with an IP of 10.0.1.5, which then points to 10.0.1.10 for DHCP.
Can the WLAN client connecting to the Company A WLAN use an IP in a different IP range (192.168.1.10?)? Can the WLC route? From the perspective of the DHCP server, where does the request come from? (10.0.1.5?)
Can the DHCP server 10.0.10.10 on vlan 10 respond back with an IP on a different subnet to assign to the client to use and still be fully functioning? Would the default gateway for the client need to be 10.0.1.5? So the client's IP would be 192.168.1.10 /24 with a gateway of 10.0.1.5 (IP address of the vlan 10 interface on the WLC). And if multiple clients on the same subnet wanted to talk to each other, would the WLC know how to route them to each other without passing through the default gateway?
Sorry if this is confusing; I'm having a bit of a hard time explaining it in words. I can try and draw something up if it makes more sense.
thanks
Eric
I think if you want these clients to stick to a WLAN configured on a VLAN that has different IP addressing, you could configure your VLAN with the normal IP addressing and then add the 2nd IP class's default gateway on the SVI.
E.g.:
Vlan 10
interface vlan 10
 ip address 10.0.10.1 255.255.255.0
 ip address 192.168.1.1 255.255.255.0 secondary
Clients that receive an IP address from the 192.168.1.0/24 network will be able to reach 192.168.1.1 and all traffic will pass correctly. -
How to exclude the monitoring (device availability) on an interface vlan?
Hello All,
How can I exclude the monitoring on an "interface vlan"?
My 3750X switch has many interface vlans; LMS 4.2.2 discovers the device and has an automatic poller that tests the reachability of the IP for these interface vlans.
And I have many Critical alarms when the interface vlan is down, because there are no end hosts in this VLAN
(Operationally Down, Unresponsive).
Thank you.
Alain Pernelle.
Hello pkr_legend,
Take a look at these symptoms and see if the troubleshooting steps help to resolve your issues. Please let me know.
Good luck!
-
ACE Te Interface config recommendation
Hello
I wonder whether there is a Cisco recommendation on how to configure the TE interface in the Cat65?
gdufour-cat6k1(config)#int tenGigabitEthernet 3/1
% This interface cannot be modified
gdufour-cat6k1(config)#
So, basically, you don't do anything on the Cat6k for the ACE TenGig interface.
Gilles. -
Interface vlan - ACL - pinging issues.
I'm trying to understand why an ACL which is applied to an interface vlan is affecting the traffic for a different interface vlan.
Both vlans are configured on the same device and there's a trunk connecting the "access" switch to the "distribution" switch.
so, what we have is:
UD-1 UD-1B
UA
Int vlans are configured in both UDs and the VLAN is allowed on the trunk that connects the UD to the UA.
There's an ACL blocking traffic to the int vlan 225 IP that is configured in the UA, but there's no ACL on vlan 185 (the same IP that I'm trying to ping).
So, why is this happening?
configs:
UD-1A:
interface Vlan185
 ip address 10.8.185.3 255.255.255.0
interface Vlan225
 ip address 10.18.225.3 255.255.255.0
 ip access-group ud1 in
interface GigabitEthernet1/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 225
 switchport trunk allowed vlan 185,225
 switchport mode trunk
UD-1B:
interface Vlan185
 ip address 10.8.185.4 255.255.255.0
interface Vlan225
 ip address 10.18.225.4 255.255.255.0
 ip access-group al_rpf_sre_ud1_pro in
interface GigabitEthernet4/4
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 225
 switchport trunk allowed vlan 185,225
 switchport mode trunk
interface Vlan185
 ip address 10.8.185.7 255.255.255.0
 ip access-group ro in
interface GigabitEthernet1/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 225
 switchport trunk allowed vlan 185,225
 switchport mode trunk
interface GigabitEthernet1/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 225
 switchport trunk allowed vlan 185,225
 switchport mode trunk
So, when I ping 10.8.185.7
I get:
GMT-3: ICMP: dst (10.8.185.7) administratively prohibited unreachable rcv from 10.8.185.4
%SEC-6-IPACCESSLOGDP: list ud1 denied icmp 10.8.185.7 (GigabitEthernet1/1) -> 10.18.232.58 (0/0), 3 packets
Anybody?
Hello Paresh,
thanks for replying.
But actually I don't think this is what's happening.
Because 10.18.232.58 comes from an uplink (core router), which enters from a different interface.
Let me give you the configs:
Uplinks:
interface GigabitEthernet3/1
 no switchport
 ip address 10.18.192.26 255.255.255.252
And the core routers are doing load balancing to reach the UA.
So, ICMP packets are arriving from these 2 interfaces: the uplink gi3/1 (routed port) and the link that connects the UA switch.
So, pinging from the BC, you have 2 ways to get to the UA: via UD1 and via UD1-B. When it reaches UD1-B it goes to the VLAN (i.e. goes down to the UA and up to UD1A).
Not sure if this is helping.
If you need any other info let me know.
This is killing me. -
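An added example, not part of the thread above: a small Python parser for the %SEC-6-IPACCESSLOG* syslog lines that IOS emits for ACEs carrying the log or log-input keyword, run over the line quoted in the thread plus a few constructed tcp, protocol-47 and permit lines. Besides tallying denied packets per ACL and flow, the foreign_sources() check encodes the question in this thread: which ACL is denying packets whose source address is not in the subnet of the SVI the ACL is applied to, and through which input interface they arrived. The mapping of ud1 to 10.18.225.0/24 is an assumption taken from the UD-1A config; all sample lines except the quoted one are made up for the example.

```python
import ipaddress
import re
from collections import Counter

# Syslog formats IOS emits for extended ACEs with "log" / "log-input":
#   IPACCESSLOGDP  icmp:     ... icmp SRC (INTF [MAC]) -> DST (TYPE/CODE), N packets
#   IPACCESSLOGP   tcp/udp:  ... tcp SRC(SPORT) (INTF [MAC]) -> DST(DPORT), N packets
#   IPACCESSLOGNP  other:    ... PROTO SRC (INTF [MAC]) -> DST, N packets
# The "(INTF [MAC])" group is only present when the ACE uses log-input.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>DP|P|NP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<intf>[^ )]+)(?: (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}))?\))?"
    r" -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<icmp_type>\d+)/(?P<icmp_code>\d+)\))?, (?P<count>\d+) packets?"
)


def parse_acl_log(line):
    """Return a dict for one IPACCESSLOG* line, or None if the line is not one.

    search() rather than match() so timestamp / sequence-number prefixes are ignored.
    """
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "icmp_type", "icmp_code", "count"):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    return rec


def summarize_denies(lines):
    """Total denied packets per (acl, proto, src, dst), summing the per-line counts
    (IOS aggregates hits over a 5-minute window, so one line may report many packets)."""
    totals = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec and rec["action"] == "denied":
            totals[(rec["acl"], rec["proto"], rec["src"], rec["dst"])] += rec["count"]
    return totals


def foreign_sources(lines, acl_subnets):
    """Denied hits whose source is outside the subnet of the SVI the ACL protects.

    acl_subnets maps ACL name -> the SVI's subnet. A hit from another subnet means the
    packet reached that SVI's inbound ACL over a path you did not plan for (in the
    thread above: the trunk's native VLAN), which is worth alerting on.
    """
    hits = []
    for line in lines:
        rec = parse_acl_log(line)
        if not rec or rec["action"] != "denied" or rec["acl"] not in acl_subnets:
            continue
        if ipaddress.ip_address(rec["src"]) not in acl_subnets[rec["acl"]]:
            hits.append(rec)
    return hits


# Constructed sample: the first line is the one quoted in the thread; the others are
# made up here to exercise the tcp (log-input with MAC), plain-protocol and permit forms.
SAMPLE_LOGS = [
    "%SEC-6-IPACCESSLOGDP: list ud1 denied icmp 10.8.185.7 (GigabitEthernet1/1) -> 10.18.232.58 (0/0), 3 packets",
    "Mar  1 10:00:01.123: %SEC-6-IPACCESSLOGP: list ud1 denied tcp 10.18.225.50(40123) (Vlan225 0011.2233.4455) -> 10.18.232.58(22), 1 packet",
    "%SEC-6-IPACCESSLOGNP: list ud1 denied 47 10.8.185.7 (GigabitEthernet1/1) -> 10.18.232.58, 2 packets",
    "%SEC-6-IPACCESSLOGP: list ud1 permitted udp 10.18.225.51(53) -> 10.18.232.58(53), 10 packets",
    "%LINK-3-UPDOWN: Interface Vlan225, changed state to up",
]

# Assumption for the example: ACL ud1 is applied inbound on Vlan225 (10.18.225.0/24),
# as in the UD-1A config above, so any denied source outside that /24 is "foreign".
ACL_SUBNETS = {"ud1": ipaddress.ip_network("10.18.225.0/24")}

if __name__ == "__main__":
    for (acl, proto, src, dst), pkts in summarize_denies(SAMPLE_LOGS).items():
        print(f"{pkts:4d} pkts  acl={acl} {proto} {src} -> {dst}")
    for hit in foreign_sources(SAMPLE_LOGS, ACL_SUBNETS):
        print(f"foreign source {hit['src']} hit {hit['acl']} via {hit['intf']}")
```

Run against a real syslog export, the foreign-source list is the quickest way to see which trunk or routed port is carrying a VLAN's return traffic into an SVI whose ACL was never meant to see it.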
Disabling ''igmp snooping'' in a VLAN (no interface VLAN) on Catalyst 6500
Can someone please help?
On a 4948 or 3560 I can disable IGMP snooping in a specific VLAN:
sw4948(config)#no ip igmp snooping vlan ?
<1-1001> Vlan number
<1006-4094> Vlan number
sw4948(config)#no ip igmp snooping vlan 10 ?
explicit-tracking Enable IGMP explicit host tracking
immediate-leave Enable IGMPv2 immediate leave processing
last-member-query-interval Last member query interval
mrouter Configure an L2 port as a multicast router port
static Configure an L2 port as a member of a group
<cr>
BUT, on the 6509-E this command is not available:
sw6509(config-if)#no ip igmp snooping ?
access-group IGMP group access group
limit IGMP limit
I have just found on my 6509 that I can disable IGMP snooping on an SVI interface (Interface VLAN):
sw6509(config)#int vlan 20
sw6509(config-if)#no ip igmp snooping ?
access-group IGMP group access group
fast-leave Enable IGMP fast leave processing
last-member-query-interval Configure IGMP leave query timeout
limit IGMP limit
minimum-version Minimum IGMP version
mrouter Configure an L2 port as a multicast router port
querier Enable IGMP querier processing
report-suppression Force a report suppression
ssm-safe-reporting Enable SSM Safe Reporting
static Configure an L2 port as a member of a group
<cr>
My current 6509-E IOS version is:
System image file is "sup-bootdisk:s72033-advipservicesk9_wan-mz.122-33.SXH8b.bin"
Do I need to upgrade my IOS version? Or how can I disable ''igmp snooping'' per specific VLAN (no Interface VLAN)?
Any help would be appreciated!
Regards
guruiz
Hi Guruiz,
So, to disable igmp snooping in some VLANs in the 6509, do I need to disable it globally?
Would it be the only way?
That appears to be the only way. If you have an SVI for the VLAN you want to run multicast in, then simply enable PIM and don't worry about IGMP snooping. I think the reason you don't see this command under the layer-2 VLAN is because most of the time the 6500 is used as layer-2/layer-3 and not just layer-2.
How could "no ip igmp snooping" applied globally impact my 6509 switch?
It will impact only the vlans that are running Multicast. In general, ip IGMP snooping is used when you have a flat vlan and no SVI. If you have multiple vlans and are running Multicast between them, then you can just enable PIM.
HTH -
NX-OS 6.2 Cannot specify interface vlan as source-interface for logging
I have the following config on Catalyst:
logging source-interface Vlan1024
I want to be able to specify an interface vlan as the source-interface on NX-OS. The only option I can get is to use a loopback interface as the source-interface, but I want to specify an SVI. Is that possible with NX-OS?
NEXUS-7710(config)# logging source-interface ?
loopback Loopback interface
-
I have set the Management Interface VLAN Identifier to 0, or untagged.
If I change this to a VLAN, I am unable to manage the device. Is this correct?
Steve
If you make it untagged, then specify the NATIVE VLAN on the switchport.
If you tag the management interface, then don't configure the native VLAN on the switchport.
In both cases you will be able to access it!
Let me know if this answered your question!
Regards
Surendra -
[switchport port-security mac ] on [interface VLAN n?]
Hello,
has anyone tried to use the command [switchport port-security mac-address n?] on [interface VLAN n?]? (for example on a 2950).
I don't have the material to make that test, and I am not sure if it works or not.
Many thanks!
Hi,
Switchport port-security, as the name implies, is to be configured on a switchport. A VLAN interface on the switch is a routed interface and hence you can't apply any switchport configuration on it, and that includes port security.
HTH
Sundar -
Policy-map input on an interface VLAN
Hi there,
I have a problem with a policy-map on an interface VLAN on my Cisco 6509-E.
The switch has the IOS Version 12.2(33)SXI10, RELEASE SOFTWARE (fc2).
I have configured this policy-map:
policy-map PM-10Mbit
 class class-default
  police cir 10000000 bc 1875000 be 3750000 conform-action transmit exceed-action drop violate-action drop
I bind this map to a physical interface:
interface GigabitEthernet2/2
 description <removed>
 ip vrf forwarding <removed>
 ip address <removed>
 ip access-group <removed> out
 service-policy input PM-10Mbit
 service-policy output PM-10Mbit
and get this result:
show policy-map interface
GigabitEthernet2/2
Service-policy input: PM-10Mbit
class-map: class-default (match-any)
Match: any
police :
10000000 bps 1875000 limit 1875000 extended limit
Earl in slot 5 :
6428065284 bytes
5 minute offered rate 14696 bps
aggregate-forwarded 6294160565 bytes action: transmit
exceeded 133904719 bytes action: drop
aggregate-forward 584 bps exceed 0 bps
Service-policy output: PM-10Mbit
class-map: class-default (match-any)
Match: any
police :
10000000 bps 1875000 limit 1875000 extended limit
Earl in slot 4 :
10335145381 bytes
5 minute offered rate 21536 bps
aggregate-forwarded 10142894661 bytes action: transmit
exceeded 192250720 bytes action: drop
aggregate-forward 128 bps exceed 0 bps
Earl in slot 5 :
263335780 bytes
5 minute offered rate 176 bps
aggregate-forwarded 263335780 bytes action: transmit
exceeded 0 bytes action: drop
aggregate-forward 448 bps exceed 0 bps
But when I bind it to an interface VLAN I see no incoming traffic:
show policy-map interface
Vlan1012
Service-policy input: PM-100Mbit
class-map: class-default (match-any)
Match: any
police :
100000000 bps 18750000 limit 18750000 extended limit
Earl in slot 4 :
0 bytes
30 second offered rate 0 bps
aggregate-forwarded 0 bytes action: transmit
exceeded 0 bytes action: drop
aggregate-forward 0 bps exceed 0 bps
Earl in slot 5 :
0 bytes
30 second offered rate 0 bps
aggregate-forwarded 0 bytes action: transmit
exceeded 0 bytes action: drop
aggregate-forward 0 bps exceed 0 bps
Service-policy output: PM-100Mbit
class-map: class-default (match-any)
Match: any
police :
100000000 bps 18750000 limit 18750000 extended limit
Earl in slot 4 :
1005376843668 bytes
30 second offered rate 33016448 bps
aggregate-forwarded 1005362388151 bytes action: transmit
exceeded 14455517 bytes action: drop
aggregate-forward 30943792 bps exceed 0 bps
Earl in slot 5 :
1828318775 bytes
30 second offered rate 1296 bps
aggregate-forwarded 1828318775 bytes action: transmit
exceeded 0 bytes action: drop
aggregate-forward 1272 bps exceed 0 bps
Is this a bug or am I doing something wrong here?
Hello
As I understand it, this command is required in mls qos because an SVI (L3 VLAN interface) runs in a vlan-based mode, which differs from normal L3 routed interfaces, which run in interface mode.
As per Cisco: "In VLAN-based mode, the policy map that is attached to the Layer 2 interface is ignored, and QoS is driven by the policy map that is attached to the corresponding VLAN interface."
Lastly, try matching all traffic incoming on the trunk interface on that switch for it to successfully police incoming traffic:
class-map V102
 match input-interface x/x
policy-map POLICE
 class V102
  police xxxx xxxx
Regards
Paul -
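An added example, not code from the thread or from Cisco: a Python model of the single-rate, two-bucket policer (the RFC 2697 srTCM) that the police cir/bc/be form above corresponds to, fed with the PM-10Mbit numbers from the question. It shows concretely what bc and be buy a noisy tenant or an attacker: how many full-size frames get through at line rate before exceed-action and violate-action kick in, and how long the excess bucket hides a sustained 20 % overspeed from the violate counter. Treating the PFC policer as an exact srTCM, and the two constructed traffic patterns, are assumptions of the example; cir is in bits per second and the buckets in bytes, as in the IOS syntax.

```python
from collections import Counter


class SingleRatePolicer:
    """Single-rate three-colour marker (RFC 2697), the model behind the IOS
    'police cir <bps> bc <bytes> be <bytes>' form: a committed bucket of depth bc
    and an excess bucket of depth be, both refilled from the same cir.
    Colour-blind mode: every packet arrives uncoloured.
    """

    def __init__(self, cir_bps, bc, be, start=0.0):
        self.cir_bytes_per_s = cir_bps / 8.0   # cir is bits/s; buckets are in bytes
        self.bc = bc
        self.be = be
        self.tc = float(bc)                    # committed bucket starts full
        self.te = float(be)                    # excess bucket starts full
        self.last = start

    def _refill(self, now):
        elapsed = now - self.last
        if elapsed < 0:
            raise ValueError("time went backwards")
        self.last = now
        tokens = elapsed * self.cir_bytes_per_s
        to_c = min(tokens, self.bc - self.tc)  # fill the committed bucket first ...
        self.tc += to_c
        self.te = min(self.be, self.te + tokens - to_c)  # ... overflow into excess

    def police(self, size_bytes, now):
        """Return 'conform', 'exceed' or 'violate' for one packet of size_bytes at time now."""
        self._refill(now)
        if self.tc >= size_bytes:
            self.tc -= size_bytes
            return "conform"
        if self.te >= size_bytes:
            self.te -= size_bytes
            return "exceed"
        return "violate"


def police_burst(policer, sizes, now, actions):
    """Run a back-to-back burst through the policer; tally colours and the bytes the
    configured per-colour action forwards or drops."""
    colours = Counter()
    forwarded = dropped = 0
    for size in sizes:
        colour = policer.police(size, now)
        colours[colour] += 1
        if actions[colour] == "transmit":
            forwarded += size
        else:
            dropped += size
    return colours, forwarded, dropped


# Parameters copied from the PM-10Mbit policy above; the action map mirrors
# 'conform-action transmit exceed-action drop violate-action drop'.
PM_10MBIT = dict(cir_bps=10_000_000, bc=1_875_000, be=3_750_000)
ACTIONS = {"conform": "transmit", "exceed": "drop", "violate": "drop"}


def burst_at_t0(n_packets=5000, mtu=1500):
    """Constructed scenario: n 1500-byte frames arrive at t=0 with both buckets full."""
    pol = SingleRatePolicer(**PM_10MBIT)
    return police_burst(pol, [mtu] * n_packets, 0.0, ACTIONS)


def sustained_rate(seconds=10, pps=1000, mtu=1500):
    """Constructed scenario: 1000 pps of 1500-byte frames is 12 Mbit/s offered against a
    10 Mbit/s cir, a sustained 20 % overspeed. Returns the colour tally."""
    pol = SingleRatePolicer(**PM_10MBIT)
    colours = Counter()
    for i in range(seconds * pps):
        colours[pol.police(mtu, i / pps)] += 1
    return colours


if __name__ == "__main__":
    colours, fwd, drop = burst_at_t0()
    print("burst at t=0:", dict(colours), "forwarded", fwd, "dropped", drop)
    print("12 Mbit/s sustained for 10 s:", dict(sustained_rate()))
```

With these numbers a cold burst gets 1250 full-size frames (1.875 MB, 1.5 s worth of cir) through untouched and the next 2500 are marked exceed; since exceed and violate both drop here, be only changes which counter the drops land in. Under the 20 % overspeed the committed bucket drains at 250 kB/s and the excess bucket then absorbs the overflow for another 15 s before anything is marked violate, so a violate counter of zero does not mean the link was within contract.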
Nexus, configure sync and Interface VLAN
We have a pair of Nexus 5548's. Not everything is dual-homed. For example,
only one of them has a 10-gig link to our main office (along with a 100 meg
link elsewhere). I'd like to set up a switch profile between these switches
so I can set up vPC's with our UCS fabric interconnects as well as a pair of
Fex Modules we have.
As it stands, we have SVI's on each switch, with hsrp between them, so the
secondary switch takes over as gateway if the primary fails.
Is it possible (and if so, best practice) after creating a switch profile,
and then going into configure sync mode to create SVI's (eg `interface vlan x`)
so that the SVI's are shared between the two switches, rather than creating
an SVI on each using hsrp in the event one of the switches fails?
Also, again, can we leave some ports out of the dual switch profile, if not
everything is dual-homed?
That is correct. It is that easy. Don't forget that the physical port has to be configured as a layer 2 port (switchport).
You could create sub interfaces under the GigE interface if you were to configure that same physical interface as a layer 3 port (no switchport).
Hope this helps,