Add Routes in VLAN of CSM
Hello,
I am trying to add this route in the VLAN of the CSM:
vlan 100 client
ip address 10.192.96.19 255.255.255.0
>route 10.0.0.0 255.0.0.0 gateway 10.192.96.10
>alias 10.192.96.18 255.255.255.0
But it doesn't work.
It only works when I put in these routes:
vlan 100 client
ip address 10.192.96.19 255.255.255.0
> route 10.0.0.0 255.128.0.0 gateway 10.192.96.10
> route 10.128.0.0 255.128.0.0 gateway 10.192.96.10
alias 10.192.96.18 255.255.255.0
Global routing table
ip route 0.0.0.0 0.0.0.0 10.194.26.4
The questions are:
1) Why does it only work after adding this second route?
2) If there is no route in a VLAN, does the CSM
use the route of the MSFC?
Thank you for your cooperation.
Anderson Andrade
Brazil
Hello.
When you say it does not work, does the CSM reject the route with an error message?
Do you have the same route configured on another CSM VLAN?
What CSM version?
When you have the first route only, could you do a 'sho mod csm X arp' and see if you get an ARP entry for the gateway?
Finally, regarding your 2nd question, the CSM never uses msfc routes.
Regards,
Gilles.
Similar Messages
-
Cisco ASA 5505 VPN connection issue ("Unable to add route")
I'm trying to get IPSec VPN working onto a new Cisco ASA5505. Pretty standard configuration.
Setup:
* Cisco VPN client on Windows 7 (v5.0.07.0290 x64 on Laptop1 and v5.0.07.0440 x64 on Laptop2)
* PPPoE/NAT and internal DHCP on the ASA were configured with the Startup Wizard in ASDM
NATting is working fine - internal PCs get an IP address in the 192.168.2.0/24 range and can all access the Internet.
I wanted to be able to connect from anywhere to the ASA in order to reach one of the internal servers. Should be pretty basic.
First I tried with the built-in ASDM IPSec Wizard, instructions found here.
VPN clients can connect to the ASA, are connected (until they're manually disconnected), but cannot reach the internal network nor the Internet. Note VPN client can connect fine to a different VPN site (not administered by myself).
Client logs show following error messages:
1 15:53:09.363 02/11/12 Sev=Warning/3 IKE/0xA300005F
Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
2 15:53:13.593 02/11/12 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 172.16.1.1
Interface 172.16.1.101
3 15:53:13.593 02/11/12 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100165, Gateway: ac100101.
4 15:54:30.425 02/11/12 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
5 15:54:31.433 02/11/12 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
6 15:54:32.445 02/11/12 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
7 20:50:45.355 02/11/12 Sev=Warning/3 IKE/0xA300005F
Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
8 20:50:50.262 02/11/12 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 172.16.1.1
Interface 172.16.1.100
9 20:50:50.262 02/11/12 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100164, Gateway: ac100101.
I've already tried the suggestions from this link, although the problem is different there (as the user can still access the internet, even without split tunneling, which I cannot).
A show run shows the following output (note in the below I have tried a different VPN network: 192.168.3.0/24 instead of 172.16.1.0/24 seen in the Client log)
Result of the command: "sh run"
: Saved
ASA Version 8.2(5)
hostname AsaDWD
enable password kLu0SYBETXUJHVHX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group DW-VPDN
ip address pppoe setroute
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool DWD-VPN-Pool 192.168.3.5-192.168.3.15 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group DW-VPDN request dialout pppoe
vpdn group DW-VPDN localname fa******@SKYNET
vpdn group DW-VPDN ppp authentication pap
vpdn username fa******@SKYNET password *****
dhcpd auto_config outside
dhcpd address 192.168.2.5-192.168.2.36 inside
dhcpd domain DOMAIN interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DWD internal
group-policy DWD attributes
vpn-tunnel-protocol IPSec
username test password ******* encrypted privilege 0
username test attributes
vpn-group-policy DWD
tunnel-group DWD type remote-access
tunnel-group DWD general-attributes
address-pool DWD-VPN-Pool
default-group-policy DWD
tunnel-group DWD ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3e6c9478a1ee04ab2e1e1cabbeddc7f4
: end
I've installed everything using the CLI as well (after a factory reset). This however yielded exactly the same issue.
Following commands have been entered:
ip local pool vpnpool 172.16.1.100-172.16.1.199 mask 255.255.255.0
username *** password ****
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp nat-traversal
sysopt connection permit-ipsec
sysopt connection permit-vpn
group-policy dwdvpn internal
group-policy dwdvpn attributes
vpn-tunnel-protocol IPSec
default-domain value DWD
tunnel-group dwdvpn type ipsec-ra
tunnel-group dwdvpn ipsec-attributes
pre-shared-key ****
tunnel-group dwdvpn general-attributes
authentication-server-group LOCAL
default-group-policy dwdvpn
Unfortunately I'm getting the same "AddRoute failed to add a route with metric of 0: code 160" error message.
I'm very confused as this should be a pretty standard setup. I tried to follow the instructions on the Cisco site to the letter...
The only "differences" in my setup are an internal network of 192.168.2.0 (with ASA IP address 192.168.2.254) and PPPoE with DHCP instead of no PPPoE at all.
Does anyone know what's going on?
Yes, I have tried from a different laptop - same results. Using that laptop I can connect to a different IPSec site without issues.
Please find my renewed config below:
DWD-ASA(config)# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname DWD-ASA
enable password ******* encrypted
passwd ****** encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group DWD
 ip address pppoe setroute
!
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.224
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.50.10-192.168.50.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
vpdn group DWD request dialout pppoe
vpdn group DWD localname *****@SKYNET
vpdn group DWD ppp authentication pap
vpdn username *****@SKYNET password *****
dhcpd auto_config outside
!
dhcpd address 192.168.2.10-192.168.2.40 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy dwdipsec internal
group-policy dwdipsec attributes
 vpn-tunnel-protocol IPSec
 default-domain value DWDDOM
username user1 password ***** encrypted privilege 0
username user1 attributes
 vpn-group-policy dwdipsec
tunnel-group dwdipsec type remote-access
tunnel-group dwdipsec general-attributes
 address-pool vpnpool
 default-group-policy dwdipsec
tunnel-group dwdipsec ipsec-attributes
 pre-shared-key *****
tunnel-group dwdssl type remote-access
tunnel-group dwdssl general-attributes
 address-pool vpnpool
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f5c8dd644aa2a27374a923671da1c834
: end
DWD-ASA(config)#
-
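A defensive check on the running-config posted in the ASA 5505 thread above, as an added example that is not part of the original thread: it flags management access open to any source address, legacy IKE and PFS settings, and legacy transform sets that a crypto map actually offers. The sample is a constructed abridgement of that config, the finding categories are names chosen here, and treating security-level 0 as the Internet-facing side is an assumption.

```python
import re

# Constructed sample, abridged from the running-config posted above
# (only three of the ten transform sets are kept).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-SHA ESP-DES-MD5
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
ssh 0.0.0.0 0.0.0.0 outside
"""

# Legacy algorithms and Diffie-Hellman groups this check reports.
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}
WEAK_IKE = {("encryption", "des"), ("encryption", "3des"),
            ("hash", "md5"), ("group", "1"), ("group", "2")}
IKE_SUBCMDS = {"authentication", "encryption", "hash", "group", "lifetime"}
MAP = r"crypto (?:dynamic-map|map) (\S+ \d+) set "


def audit(config):
    """Return (category, detail) findings for an ASA 8.x style running-config."""
    findings, sec_level, weak_sets = [], {}, {}
    mgmt, offered = [], []          # resolved once the whole config is read
    nameif = policy = None

    for raw in config.splitlines():
        line = raw.strip()
        words = line.split()
        if not words:
            continue
        # Track sub-modes by keyword, so flattened (unindented) pastes parse too.
        if words[0] == "interface":
            nameif = None
        if policy and words[0] not in IKE_SUBCMDS:
            policy = None

        if words[0] == "nameif" and len(words) == 2:
            nameif = words[1]
        elif words[0] == "security-level" and nameif and len(words) == 2:
            sec_level[nameif] = int(words[1])
        elif m := re.fullmatch(r"(http|ssh|telnet) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            mgmt.append(m.groups())
        elif m := re.fullmatch(r"crypto ipsec transform-set (\S+) (.+)", line):
            weak = sorted(WEAK_ESP & set(m.group(2).split()))
            if weak:
                weak_sets[m.group(1)] = weak
        elif m := re.fullmatch(MAP + r"transform-set (.+)", line):
            offered += [(m.group(1), name) for name in m.group(2).split()]
        elif m := re.fullmatch(MAP + r"pfs group([12])", line):
            findings.append(("weak-pfs", f"{m.group(1)}: DH group {m.group(2)}"))
        elif m := re.fullmatch(r"crypto isakmp policy (\d+)", line):
            policy = m.group(1)
        elif policy and tuple(words) in WEAK_IKE:
            findings.append(("weak-ike", f"policy {policy}: {line}"))

    for service, ifname in mgmt:
        # Assumption: security-level 0 marks the untrusted, Internet-facing side.
        level = sec_level.get(ifname, "unknown")
        findings.append(("mgmt-any-source",
                         f"{service} on {ifname} (security-level {level})"))
    for entry, name in offered:
        # A weak transform set only matters once a crypto map offers it to peers.
        if name in weak_sets:
            findings.append(("weak-esp",
                             f"{entry} offers {name}: {', '.join(weak_sets[name])}"))
    return findings


if __name__ == "__main__":
    for category, detail in audit(SAMPLE_CONFIG):
        print(f"{category:16} {detail}")
```
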
2 client vlan for CSM - possible?
Hi,
Is it possible that CSM has two client side vlans? The reason why i need to configure 2 client-side vlans is the ip address of the first client-side vlan is running out.
Thanks.
J.W.
Yes, you can definitely use multiple client VLANs with the CSM.
The CSM keeps track of the MAC address from which it receives the flow
and sends the response from the reals back there.
If you define two default gateways then you will face some routing issues. With multiple
gateways defined, the CSM randomly picks one gateway. This random selection can hurt you if your reals initiate connections.
To tackle the server-initiated connection issue you can use the following workaround:
vserver Server-side
virtual 0.0.0.0 0.0.0.0 any
vlan 100 <------- server vlan where real exist
serverfarm RealX-out
inservice
serverfarm RealX-out
no nat server
real 192.168.1.1 <---- Gateway that you want to use for this traffic
inservice
Hope it helps
Syed Iftekhar Ahmed -
how to create new routing table?
how to add routing rule to route table?
Hi!
I suppose your network configuration is OK.
I have some problems in order to configure mine under Solaris 10. But trying to change this, I found something that can help you.
In a terminal window, type "man route". I could add a new one, but, because I am not able to find how to change the IP gateway, it returns me an error.
I hope this can help you
Zenaida -
Add route to acs 4.1 appl.
Hi,
is it possible to add a route to our ACS 4.1 appl.?
Our problem: not all connected networks can be reached through the default gateway.
example
network a 30.x.x.x ==> FW1 ==> FW2 ==> ACS 20.x.x.x (network a could be arrived by default gateway)
network a 30.x.x.x ==> FW1 ==> FW2 ==> ACS 20.x.x.x (connected to interface x)
|
==> network b 10.x.x.x (connected to interface y)
Now we have the problem that network b 10.x.x.x sends its ACS request to the ACS network 20.x.x.x, which is directly connected to FW2, but the response from our ACS will be sent through the default gw, which is at FW1. Now FW1 drops our packets, TCP out of state.
Is it possible to add more routes to the appliance than the default gateway, or must we add a router to solve this problem?
30.x.x.x y.y.y.y default gw
10.x.x.x y.y.y.y 20..x.x.1
thanks & regards
Hello,
This is technically not supported but if this is a requirement and there is no other work around you can open a TAC case and we may be able to help you out here. We do have ways of doing this as a last resort.
--Jesse -
Using Applescript to connect to VPN and add routes
I posted this in the wrong place last night, but actually managed to get an answer to it. Here is the original post:
I need to be able to set some routes upon opening a particular VPN connection so I did some searching and found a really simple Applescript that does the job. Problem is it tries to set the routes before the VPN actually connects so the routes don't go in.
I added in a 10 second delay which does the trick, but I'm thinking there has to be a way to do this that waits until the VPN actually connects before continuing - so if it takes 5 seconds or 10 or whatever, it waits.
The other thing I'm doing that I think is bad is I'm sending a route delete command before sending the add command. Why? Because if I don't and for some reason the route is partially in the table, it doesn't give an error and ends up not routing. Again, probably a better way to do this.
Here is my current script:
-- Connect Work VPN
tell application "System Events"
tell current location of network preferences
set VPNservice to service "Work" -- name of the VPN service
if exists VPNservice then connect VPNservice
end tell
end tell
delay 10
set gateway to "x.x.x.x" -- omitted here for security
do shell script "route delete 192.168.25.0/24 " & gateway with administrator privileges
do shell script "route delete 192.168.20.0/24 " & gateway with administrator privileges
do shell script "route add 192.168.25.0/24 " & gateway with administrator privileges
do shell script "route add 192.168.20.0/24 " & gateway with administrator privileges
From the response I received, I modified the script to this:
tell application "System Events"
tell current location of network preferences
set VPNservice to service "Work" -- name of the VPN service
if exists VPNservice then connect VPNservice
repeat until (connected of current configuration of VPNservice)
delay 1
end repeat
end tell
end tell
set gateway to "x.x.x.x" -- omitted here for security
do shell script "route delete 192.168.25.0/24 " & gateway with administrator privileges
do shell script "route delete 192.168.20.0/24 " & gateway with administrator privileges
do shell script "route add 192.168.25.0/24 " & gateway with administrator privileges
do shell script "route add 192.168.20.0/24 " & gateway with administrator privileges
That seems to work perfectly, but I'm still wondering if there is a better way of handling the routes. Suggestions?
Thanks.
I realize the VPN gateway should add the routes, but it's not and they don't seem to want it to. No idea why.
As for deleting/adding the routes, yes it does seem wrong to do this or pointless. The reason I'm doing this is for what I found in my testing of the script which was if the script hung for some reason and the route did not fully go into the table, I would be unable to add it with the script when I ran it again.
I'm probably not explaining it that well, but when I couldn't route after trying to run my script initially, I tried manually running the add route command and I'd get an error. Thus, I deleted/added the route and then it worked again.
As pointless as it seems it works every time. I'm sure there's a better/cleaner/smarter way of doing this, but I don't know enough about Applescript to do any more. At this point I can probably remove the delete command, though, since it should run properly each time. -
how do i add route in switch 3650 ?
gv commands & mode
Hi Mahesh,
Though the model you have is SMI, the image you are running is an EMI image, which is possible if you upgrade your SMI switch with an EMI license, and that is the reason it supports OSPF.
If you check your image it is "c3550-i5q" so check the number "5" which states its an EMI image.
Check these lines from 3550 release notes
"You can use the show version privileged EXEC command to see the software version that is running on your switch. The second line displays C3550-I5Q3L2 for the enhanced multilayer software image (EMI) or C3550-I9Q3L2 for the standard multilayer software image (SMI)."
HTH
Ankur -
RV042G Router - Inter VLAN:
Does this router support 802.1Q? Or should I connect one router port per VLAN?
eg. If I have 2 VLAN configured on ONE SWITCH, Do I:
a) TRUNK the VLAN on SWITCH and connect ONE port to the ROUTER?
b) connect ONE port on ROUTER to VLAN1, and another port to VLAN2?
Thanks,
Henrique
Hello Henrique,
I don't usually deal with sales or pricing, so I'm honestly not sure which routers are low priced. However, all of the RVs except for the RV016, RV042, and RV082 support VLAN trunking, so I would just compare the other models and see what kind of a deal you can get. I usually recommend the RV180 (which is being replaced by the RV130 soon) or maybe the RV320 if you want the newest one.
With your SG200 you will probably need to disable spanning tree on the uplinks to your RV042 for the multiple links to work, but a quick check of the Spanning Tree, RTP Interface status page on the SG will let you know if those links are being taken down.
Thank you for choosing Cisco,
Christopher Ebert - Advanced Network Support Engineer
Cisco Small Business Support Center -
Route leaking from VRF to Global on same router with VLAN interface
Hi all,
I would like to do some route leaking from VRF to Global and Global to VRF on the same router. Here is an output of the config:
interface FastEthernet4
description ***Connection to WAN***
ip vrf forwarding FVRF
ip address 10.0.0.6 255.255.255.0
interface Vlan100
description ***LAN***
ip address 192.168.227.1 255.255.255.0
So what I want is to import 192.168.227.0 /24 into FVRF and import 10.0.0.0 /24 into the global routing table.
I thought I could do this config, but it is not possible:
(config)#ip route vrf FVRF 192.168.227.0 255.255.255.0 vlan 100
% For VPN or topology routes, must specify a next hop IP address if not a point-to-point interface
OR
DK-SLVPN(config)#ip route vrf FVRF 192.168.227.0 255.255.255.0 vlan 100 192.168.227.1 global
%Invalid next hop address (it's this router)
Any ideas are really welcome.
Best regards,
Laurent
Hi,
I have tried the following solution:
Add 10.0.0.0 /24 from VRF to Global:
ip route 10.0.0.0 255.255.255.0 FastEthernet4
Add 192.168.227.0 /24 from Global to VRF:
router bgp 64512
bgp log-neighbor-changes
address-family ipv4
no synchronization
redistribute connected
no auto-summary
exit-address-family
ip prefix-list Global-VRF seq 5 permit 192.168.227.0/24
route-map Global permit 10
match ip address prefix-list Global-VRF
ip vrf FVRF
rd 1:1
import ipv4 unicast map Global
So now the VRF table looks like that:
# sh ip route vrf FVRF
C 10.0.0.0/24 is directly connected, FastEthernet4
S 10.0.0.1/32 [254/0] via 10.0.0.1, FastEthernet4
L 10.0.0.6/32 is directly connected, FastEthernet4
B 192.168.227.0/24 is directly connected, 00:15:12, Vlan100
The Global table looks like this:
#sh ip route
Gateway of last resort is 10.1.0.107 to network 0.0.0.0
D* 0.0.0.0/0 [90/1709056] via 10.1.0.107, 3d02h, Tunnel1
10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
S 10.0.0.0/24 is directly connected, FastEthernet4
C 10.1.0.0/24 is directly connected, Tunnel1
L 10.1.0.227/32 is directly connected, Tunnel1
C 10.2.0.0/24 is directly connected, Tunnel2
L 10.2.0.227/32 is directly connected, Tunnel2
C 10.10.10.227/32 is directly connected, Loopback100
192.168.227.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.227.0/24 is directly connected, Vlan100
L 192.168.227.1/32 is directly connected, Vlan100
But when I try to ping it still doesn't work:
#ping vrf FVRF 192.168.227.1 source fastEthernet 4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.227.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.6
Success rate is 0 percent (0/5)
#ping 10.0.0.1 source vlan 100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.227.1
Success rate is 0 percent (0/5)
Any ideas?
Regards,
Laurent -
IPM problem with shadow router management vlan and services vlan
Hi everybody!
I'm trying to configure a shadow router that has 2 VLAN interfaces: one is for management and the other for services.
The Cisco Works server only sees the management interface of this shadow router.
On the other end I have a Cisco device with rtr responder enabled on the services VLAN, so the shadow router and this device see each other on this VLAN.
In the shadow router I know I can configure the source address.
Is there a way I can configure the end device as a target that has rtr responder enabled even if I can't reach it from the Cisco Works server?
Thanks in advance.
Thanks for the reply - yes I did save it. All the other ports have the command. But when the phone boots up - it ends up disappearing after the above occurs:
When the phone boots up - it seems to encounter a broadcast storm (???) the port goes from this:
interface gigabitethernet36
switchport trunk allowed vlan add 10
to this:
interface gigabitethernet36
storm-control broadcast enable
storm-control broadcast level 10
storm-control include-multicast
port security max 10
port security mode max-addresses
port security discard trap 60
spanning-tree portfast
switchport trunk allowed vlan add 10
macro description ip_phone
!next command is internal.
macro auto smartport dynamic_type ip_phone
Then in a minute or two I'm no longer able to ping the voicelan - and when I do a show run - gi36 isn't even visible. However, the PC that is also on gi36 works fine.
If I then reissue the 'switchport trunk allowed vlan add 10' to gi36 - the phone is pingable - and works continuously until the phone is rebooted.
So I'm not really sure what happens during the bootup that causes this to happen, or a way to try and prevent it from occurring. -
For one of our networks, we have the following path:
Internap (fiber)-> 7206vxr -> 3750g -> 3550 -> ds3 router -> customer
connected to the 3750g and 3550 are many servers and switches in different vlans. Everything works great. We are going to be modifying this network to have an additional 7206vxr and 3750g. iBGP between the 7206vxrs, GLBP between the 3750gs and EIGRP between the 7206vxrs and 3750gs. Spanning tree between the switches, like the 3550, attached to the 3750gs. I need to prepare for this in the next couple weeks.
But for right now, everything is incredibly simple. No IGP or EGP, no spanning tree, no gateway failover/load balancing. I'm now making sure all the vlans and static routes are setup properly. It's been very easy and quick. Except for this ds3 router. The ds3 router works perfect. But when I put it into vlan 5, it stops responding. What am I doing wrong? Normally, I create the vlan and its gateway address in the 7206vxr (soon it will be created on the 3750gs). Then I set the vlan for the proper ports on the 3550 (in this case) to the vlan id I setup. The difference here is that I'm trying to add a router to the vlan, not just a simple server. I would imagine the process is exactly the same, but it appears not :(. Can anybody help please?
Relevant portions of our router/switch configs:
3550
no spanning-tree vlan 5
vlan 5
interface FastEthernet0/39
switchport mode access
switchport access vlan 5
duplex full
speed 100
3750g
no spanning-tree vlan 1-4094
! (to the 7206vxr)
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
duplex full
! (to the 3550)
interface GigabitEthernet1/0/22
switchport trunk encapsulation dot1q
switchport mode trunk
7206vxr
interface GigabitEthernet3/0
ip address 216.52.162.66 255.255.255.252
no negotiation auto
interface FastEthernet0/0.5
encapsulation dot1Q 5
ip address 204.10.104.2 255.255.255.252
ip route 204.14.104.0 255.255.254.0 204.10.104.1
A regular host is not capable of VLAN tagging; it just sends its packets towards the switchport. A networking device like a switch or router is capable of tagging; it places a VLAN tag in the header. Because of that, other network devices are able to differentiate interesting and non-interesting traffic.
If the DS3 router forwards traffic with such a tag in the headers, your switchport should ignore the traffic, since it should only accept traffic marked with VLAN tag 5 or non-tagged traffic, and tag the non-tagged traffic with the VLAN5 marking. Traffic coming from the network towards the DS3-router switchport, originating in VLAN5 or routed from another VLAN into VLAN5, is marked as soon as it enters the VLAN, and the tag is stripped as soon as it leaves the switchport towards the DS3 router. The behavior of stripping the tag would be gone if the port is configured as a trunk. I would suggest making sure that the DS3 router doesn't do any encapsulation, so it can be connected as an access port. Otherwise you should contact the administrator of that router and have the port reconfigured to encapsulate the traffic as VLAN5 -
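The tag handling described in the reply about the DS3 router above, as an added example that is not part of the original thread: it parses the 802.1Q tag in raw Ethernet frames and applies the access-port and trunk-port rules as that reply states them. The MAC addresses, payload and function names are constructed for illustration, and real switches can differ in whether an access port accepts frames already tagged with its own VLAN.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def build_frame(dst, src, ethertype, payload, vlan=None):
    """Build an Ethernet frame, with a 4-byte 802.1Q tag if vlan is given."""
    tag = b"" if vlan is None else struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def split_tag(frame):
    """Return (vlan_id or None, frame with any 802.1Q tag removed)."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None, frame                      # untagged, as a plain host sends it
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF, frame[:12] + frame[16:]  # low 12 bits of the TCI = VLAN ID


def access_ingress(frame, access_vlan):
    """Frame arriving on an access port: (vlan, untagged frame), or None if ignored."""
    vlan, inner = split_tag(frame)
    if vlan is None or vlan == access_vlan:
        return access_vlan, inner               # untagged traffic joins the port's VLAN
    return None                                 # tagged for another VLAN: ignored


def access_egress(vlan, inner, access_vlan):
    """Frame leaving an access port: only its own VLAN, always without a tag."""
    return inner if vlan == access_vlan else None


def trunk_egress(vlan, inner, allowed_vlans):
    """Frame leaving a trunk port: the tag is kept so the far end can tell VLANs apart."""
    if vlan not in allowed_vlans:
        return None
    return inner[:12] + struct.pack("!HH", TPID_8021Q, vlan) + inner[12:]


def demo():
    """Run the three cases from the reply against an access port in VLAN 5."""
    router = bytes.fromhex("020000000001")      # constructed, locally administered MACs
    server = bytes.fromhex("020000000002")
    payload = b"constructed-payload"
    results = {}
    for label, vlan in (("untagged", None), ("tagged 5", 5), ("tagged 10", 10)):
        frame = build_frame(server, router, 0x0800, payload, vlan)
        results[label] = access_ingress(frame, access_vlan=5)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, "->", "ignored" if outcome is None else f"VLAN {outcome[0]}")
```
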
Adding Static Routes for VLANS
We have 3 servers each in a different vlan and 1 server is a Bordermanager.
We added network routes to 2 server and all the vlans can see them, the
Bordermanager already has a default route that takes it out on the
internet, when we try to add a private network number of the vlans, it does
not see the other vlans. What is the correct way to do this or is there?
Thank you...
Ok Craig,
There are only 2 vlans, VLAN1 has all the servers, VLAN2 has all the users,
a Cisco router supposedly does the routing between both VLANS because the
router protocol supports ISL. Rip has been removed from the servers. The
Bordermanager Server is in VLAN1, the problem is that all the servers you
can change the Static Route to the VLAN2 that has all the users, but the
Border cannot because its static route goes out to the internet and it
doesn't let you make a change, would a 3 card in the Border help? Thanxs...
> In article <Mfc4e.1881$[email protected]>, wrote:
> > when we try to add a private network number of the vlans, it does
> > not see the other vlans. What is the correct way to do this or is there?
> >
> Can you give more details?
>
> Somewhere there has to be a router that contains all of the VLANS in order
> to route between them. (Or a pair of routers each with 2 of the VLANS).
> This could be a server or a routing module in your VLAN box.
>
> The BMgr server would need a static route pointing to the router(s)
> connecting the VLANS.
>
> Craig Johnson
> Novell Support Connection SysOp
> *** For a current patch list, tips, handy files and books on
> BorderManager, go to http://www.craigjconsulting.com ***
> -
How to connect to external server using router from VLAN's
Hi, I am a newbie. I am trying to build a network system in Packet Tracer.
Now I have such a network layout.
I have different VLANs, Accounting and Sales. I have configured this using subinterfaces on the router to allow computers in different VLANs to communicate with each other. Everything works.
Let's assume that there are the following subnets and VLANs: Acct. VLAN (2) (IPs 172.168.0.1-172.168.0.254/24) and Sales VLAN (4) (IPs 172.168.1.1-172.168.1.254/24).
But I need to connect all these computers to the external server that has the IP, for instance, 192.168.20.13/24. Like this.
I don't know how to correctly configure the router to make it possible for the computers to connect to this server. I have connected a switch to another router interface. And then I connected the server to the switch and specified the IP 192.168.20.13/24. Then I tried to set an IP on the router interface from the same subnet, like 192.168.20.22/24. So now the router can communicate with the server.
But how to allow the computers to communicate with the server? Please help. I am a newbie.
I would be grateful for any help.
Hi Androgen,
One question for you: how do the sales VLAN computers communicate with the accounting VLAN machines? It's through the inter-VLAN routing that you have already set up.
Communicating to the external server is also similar to this.
The computers in the VLAN should be configured with the default gateway IP, which is the L3 sub-interface IP for that subnet.
Also, the external server needs to have a default gateway to communicate with other remote subnets. The default gateway of that server would be 192.168.20.22, which is the L3 interface for your external subnet.
CF
-
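CF's answer to the Packet Tracer question above comes down to this: the VLAN hosts and the server each need a default gateway on their own subnet, because the reply has to find its way back. The model below is an added example, not part of the thread. The addresses 192.168.20.13 and 192.168.20.22 are from the post; the router sub-interface addresses ending in .254 and the PC address 172.168.0.10 are assumptions.

```python
import ipaddress

# Constructed topology. 192.168.20.22 (router) and 192.168.20.13 (server) are
# from the post; the .254 sub-interface addresses are assumptions.
ROUTER_IFACES = [
    ipaddress.ip_interface("172.168.0.254/24"),  # Acct VLAN 2 sub-interface (assumed)
    ipaddress.ip_interface("172.168.1.254/24"),  # Sales VLAN 4 sub-interface (assumed)
    ipaddress.ip_interface("192.168.20.22/24"),  # interface facing the server
]

def next_hop(host, gateway, dst):
    """Where a host sends a packet for dst: 'direct', a gateway address, or None."""
    iface = ipaddress.ip_interface(host)
    if ipaddress.ip_address(dst) in iface.network:
        return "direct"            # same subnet, no router involved
    if gateway is None:
        return None                # off-subnet and no default gateway: dropped
    gw = ipaddress.ip_address(gateway)
    return gw if gw in iface.network else None  # gateway must be on-link

def router_forwards(via, dst):
    """The router forwards if 'via' is one of its own addresses and dst is connected."""
    owns = any(via == i.ip for i in ROUTER_IFACES)
    return owns and any(ipaddress.ip_address(dst) in i.network for i in ROUTER_IFACES)

def one_way(src, src_gw, dst):
    """True if a packet from src (with gateway src_gw) can be delivered to dst."""
    hop = next_hop(src, src_gw, dst)
    if hop is None:
        return False
    return hop == "direct" or router_forwards(hop, dst)

def ping_works(a, a_gw, b, b_gw):
    """A ping succeeds only if the request (a to b) and the reply (b to a) both get through."""
    a_ip = str(ipaddress.ip_interface(a).ip)
    b_ip = str(ipaddress.ip_interface(b).ip)
    return one_way(a, a_gw, b_ip) and one_way(b, b_gw, a_ip)

if __name__ == "__main__":
    pc, server = "172.168.0.10/24", "192.168.20.13/24"  # PC address is constructed
    print(ping_works(pc, "172.168.0.254", server, None))             # server has no gateway
    print(ping_works(pc, "172.168.0.254", server, "192.168.20.22"))  # CF's configuration
```

With no gateway on the server, the request arrives but the reply is dropped, which is the state the original poster describes: the router can reach the server, the VLAN computers cannot.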
Route multiple VLANs through single port
Hello,
I have a series of 3560g's setup. I am going to be connecting two of them between different offices via a fiber cable. I use 3 VLANs and am unable to find a way to make this work.
Each site will have 5 switches. 2 for VLAN1, 2 for VLAN2, and one that has VLAN1-3 on it. Is it possible to link the two sites together with the single cable in a manner that allows the two connected to route the 3 VLANs through this one cable?
Just to clarify, only the ports, on the link between the switches, are defined as trunk ports.
By default, each switch will send all its defined VLANs to the trunk port. If both switches have the same VLAN, those VLANs will become logically one.
-
SG300: How to set up routing between VLANs?
I have recently purchased a Cisco SG300-10. I need it to perform routing between two VLANs on the switch. Seems like this should be quick and easy to do from the built in GUI. When I configure it according to the documentation, it does not route between the VLANs.
I have set the system mode to L3 (for level 3 switching).
I have followed the instructions on pages 26 through 33 of the attached PDF (which I obtained from the Cisco site). I used the same ports on the switch and the same IP addresses as shown in the document.
Everything works until I attempt the step "ping 10.1.1.10" on page 33. This is the step to verify the level 3 switching between the 2 PCs (on separate VLANs).
The switch Firmware Version (Active Image): 1.3.5.58
I have attached the running configuration from the switch. It is the file named "running-config.txt".
The 2 PCs that I am using are running Windows 7 and Windows 8.
Hi jkst,
There is a very minimum requirement to obtain layer 3 intervlan routing
1 - 2 VLANs in layer 3 mode assigned an IP address
    config t
    vlan database
    vlan 2
    int vlan 1
    ip address 192.168.1.1 /24
    int vlan 2
    ip address 192.168.2.1 /24
2 - Active link state on each VLAN - Define a port for the second vlan then connect an IP device to that port and another device to another port since the rest of the ports will default to vlan 1
    config t
    int gi2
    switchport mode access
    switchport access vlan 2
3 - Assign your device #1 that connects to any port an ip address on the same subnet as vlan 1
Computer in vlan 1 IP info:
    IP address:      192.168.1.100
    Subnet mask:     255.255.255.0
    Default gateway: 192.168.1.1
Computer in vlan 2 IP info:
    IP address:      192.168.2.100
    Subnet mask:     255.255.255.0
    Default gateway: 192.168.2.1
Assuming these devices respond to ping and do not have external wireless communication, this will provide basic IP connectivity through the switch across vlans.
-Tom
Please mark answered for helpful posts