ASR1002 EasyVPN termination on vrf (fvrf)
Hi,
I need to terminate easyVPN on vrf interface, because Internet is on vrf only.
On Windows client looks like password error.
I didn't try to terminate EasyVPN in vrf before.
Can You help me?
With Best Regards,
Ugis
*Dec 29 11:35:45.518: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
*Dec 29 11:35:45.518: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
*Dec 29 11:35:45.519: ISAKMP:(35007):deleting node -1674984011 error FALSE reason "Done with xauth request/reply exchange"
*Dec 29 11:35:45.519: ISAKMP:(35007):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
*Dec 29 11:35:45.519: ISAKMP:(35007):Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
*Dec 29 11:35:45.519: ISAKMP: set new node -1291909677 to CONF_XAUTH
*Dec 29 11:35:45.519: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
*Dec 29 11:35:45.519: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
*Dec 29 11:35:45.519: ISAKMP:(35007): initiating peer config to 4.3.2.1. ID = 3003057619
*Dec 29 11:35:45.519: ISAKMP:(35007): sending packet to 4.3.2.1 my_port 4500 peer_port 56966 (R) CONF_XAUTH
*Dec 29 11:35:45.519: ISAKMP:(35007):Sending an IKE IPv4 Packet.
*Dec 29 11:35:45.520: ISAKMP:(35007):Input = IKE_MESG_FROM_AAA, IKE_AAA_START_LOGIN
*Dec 29 11:35:45.520: ISAKMP:(35007):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT New State = IKE_XAUTH_REQ_SENT
*Dec 29 11:35:52.528: ISAKMP (35007): received packet from 4.3.2.1 dport 4500 sport 56966 inet (R) CONF_XAUTH
*Dec 29 11:35:52.529: ISAKMP:(35007):processing transaction payload from 4.3.2.1. message ID = -1291909677
*Dec 29 11:35:52.529: ISAKMP: Config payload REPLY
*Dec 29 11:35:52.529: ISAKMP/xauth: reply attribute XAUTH_STATUS_V2 unexpected.
*Dec 29 11:35:52.529: ISAKMP:(35007):peer does not do paranoid keepalives.
*Dec 29 11:35:52.529: ISAKMP:(35007):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
*Dec 29 11:35:52.530: ISAKMP:(35007):Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_REQ_SENT
*Dec 29 11:35:52.530: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Dec 29 11:35:52.530: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Dec 29 11:35:52.530: IPSEC(key_engine_delete_sas): delete all SAs shared with peer 4.3.2.1
*Dec 29 11:35:52.532: ISAKMP (35007): received packet from 4.3.2.1 dport 4500 sport 56966 inet (R) CONF_XAUTH
*Dec 29 11:35:52.532: ISAKMP: set new node 1500321808 to CONF_XAUTH
*Dec 29 11:35:52.533: ISAKMP:(35007): processing HASH payload. message ID = 1500321808
*Dec 29 11:35:52.533: ISAKMP:received payload type 18
*Dec 29 11:35:52.533: ISAKMP:(35007):Processing delete with reason payload
*Dec 29 11:35:52.533: ISAKMP:(35007):delete doi = 0
*Dec 29 11:35:52.534: ISAKMP:(35007):delete protocol id = 1
*Dec 29 11:35:52.534: ISAKMP:(35007):delete spi_size = 16
*Dec 29 11:35:52.534: ISAKMP:(35007):delete num spis = 1
*Dec 29 11:35:52.534: ISAKMP:(35007):delete_reason = 2
*Dec 29 11:35:52.534: ISAKMP:(35007): processing DELETE_WITH_REASON payload, message ID = 1500321808, reason: DELETE_BY_USER_COMMAND
*Dec 29 11:35:52.534: ISAKMP:(35007):peer does not do paranoid keepalives.
*Dec 29 11:35:52.534: ISAKMP:(35007):peer does not do paranoid keepalives.
*Dec 29 11:35:52.534: ISAKMP:(35007):deleting SA reason "BY user command" state (R) CONF_XAUTH (peer 4.3.2.1)
*Dec 29 11:35:52.534: ISAKMP:(35007):deleting node 1500321808 error FALSE reason "Informational (in) state 1"
*Dec 29 11:35:52.534: IPSEC(key_engine): got a queue event with 1 KMI message(s)
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp client configuration group ezvpngroup
key xxxremote
pool ezvpn
netmask 255.255.255.192
crypto isakmp profile ezvpn
vrf inet (tried with and without this line)
match identity group ezvpngroup
client authentication list ez
isakmp authorization list ez
client configuration address respond
virtual-template 3
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set AES256_SHA esp-aes 256 esp-sha-hmac
mode tunnel
Here is log from client:
Cisco Systems VPN Client Version 5.0.07.0410
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
506 21:50:03.799 12/29/12 Sev=Info/4 CM/0x63100002
Begin connection process
507 21:50:03.799 12/29/12 Sev=Info/4 CM/0x63100004
Establish secure connection
508 21:50:03.799 12/29/12 Sev=Info/4 CM/0x63100024
Attempt connection with server "1.2.3.4"
509 21:50:03.835 12/29/12 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 1.2.3.4.
510 21:50:03.835 12/29/12 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
511 21:50:03.835 12/29/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 1.2.3.4
512 21:50:03.884 12/29/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 1.2.3.4
513 21:50:03.884 12/29/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from 1.2.3.4
514 21:50:03.884 12/29/12 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
515 21:50:03.884 12/29/12 Sev=Info/5 IKE/0x63000001
Peer supports DPD
516 21:50:03.884 12/29/12 Sev=Info/5 IKE/0x63000001
Peer supports DWR Code and DWR Text
517 21:50:03.884 12/29/12 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
518 21:50:03.884 12/29/12 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
519 21:50:03.900 12/29/12 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
520 21:50:03.900 12/29/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 1.2.3.4
521 21:50:03.900 12/29/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
522 21:50:03.900 12/29/12 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xD7B9, Remote Port = 0x1194
523 21:50:03.900 12/29/12 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
524 21:50:03.900 12/29/12 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
525 21:50:03.933 12/29/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 1.2.3.4
526 21:50:03.933 12/29/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 1.2.3.4
527 21:50:03.933 12/29/12 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
528 21:50:03.933 12/29/12 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 0 seconds, setting expiry to 86400 seconds from now
529 21:50:03.936 12/29/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 1.2.3.4
530 21:50:03.936 12/29/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 1.2.3.4
531 21:50:03.936 12/29/12 Sev=Info/4 CM/0x63100015
Launch xAuth application
532 21:50:04.032 12/29/12 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
533 21:50:04.032 12/29/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
534 21:50:08.598 12/29/12 Sev=Info/4 CM/0x63100017
xAuth application returned
535 21:50:08.598 12/29/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 1.2.3.4
536 21:50:08.635 12/29/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 1.2.3.4
537 21:50:08.635 12/29/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 1.2.3.4
538 21:50:08.635 12/29/12 Sev=Info/4 CM/0x63100015
Launch xAuth application
Similar Messages
-
Import/Exporting iVRF routes in IPsec iVRF/FVRF environment
Hi,
I am currently terminating a number of IPsec VPNs into customers' 'inside' VRFs (iVRFs) with the 'classic' crypto-map applied in a separate Front-Door VRF (FVRF) on an ASR1k. I now want to export a VPN route from one iVRF into another VRF using MP-BGP. This works as expected in as far as the VPN prefix makes it into the BGP table, but not into the RIB - it would appear that this may be by design and a route with a next-hop in the FVRF (i.e. the VPN RRI route) cannot be exported from the VRF and imported into another VRF. Is there any workaround for this; the only one solution which looks like it might work is to import/export these routes using another VRF and back-to-back VASI interfaces, using ordinary BGP to leak routes. Another possible solution is also to use sVTIs instead of classic crypto (thus avoiding the RRI route), but this doesn't address the need to support classic crypto.
Cheers,
MattHi,
I am currently terminating a number of IPsec VPNs into customers' 'inside' VRFs (iVRFs) with the 'classic' crypto-map applied in a separate Front-Door VRF (FVRF) on an ASR1k. I now want to export a VPN route from one iVRF into another VRF using MP-BGP. This works as expected in as far as the VPN prefix makes it into the BGP table, but not into the RIB - it would appear that this may be by design and a route with a next-hop in the FVRF (i.e. the VPN RRI route) cannot be exported from the VRF and imported into another VRF. Is there any workaround for this; the only one solution which looks like it might work is to import/export these routes using another VRF and back-to-back VASI interfaces, using ordinary BGP to leak routes. Another possible solution is also to use sVTIs instead of classic crypto (thus avoiding the RRI route), but this doesn't address the need to support classic crypto.
Cheers,
Matt -
Route leaking from VRF to Global on same router with VLAN interface
Hi all,
I would like to do some route leaking from VRF to Global and Global to VRF on the same router. Here is an output of the config:
interface FastEthernet4
description ***Connection to WAN***
ip vrf forwarding FVRF
ip address 10.0.0.6 255.255.255.0
interface Vlan100
description ***LAN***
ip address 192.168.227.1 255.255.255.0
So what I want is to import 192.168.227.0 /24 into FVRF and import 10.0.0.0 /24 into the global routing table.
I though I could do that config but it is not possible:
(config)#ip route vrf FVRF 192.168.227.0 255.255.255.0 vlan 100
% For VPN or topology routes, must specify a next hop IP address if not a point-to-point interface
OR
DK-SLVPN(config)#ip route vrf FVRF 192.168.227.0 255.255.255.0 vlan 100 192.168.227.1 global
%Invalid next hop address (it's this router)
Any ideas are really welcome.
Best regards,
LaurentHi,
I have tried the following solution:
Add 10.0.0.0 /24 From VRFto Global:
ip route 10.0.0.0 255.255.255.0 FastEthernet4
Add 192.168.227.0 /24 from Global to VRF:
router bgp 64512
bgp log-neighbor-changes
address-family ipv4
no synchronization
redistribute connected
no auto-summary
exit-address-family
ip prefix-list Global-VRF seq 5 permit 192.168.227.0/24
route-map Global permit 10
match ip address prefix-list Global-VRF
ip vrf FVRF
rd 1:1
import ipv4 unicast map Global
So now the VRF table looks like that:
# sh ip route vrf FVRF
C 10.0.0.0/24 is directly connected, FastEthernet4
S 10.0.0.1/32 [254/0] via 10.0.0.1, FastEthernet4
L 10.0.0.6/32 is directly connected, FastEthernet4
B 192.168.227.0/24 is directly connected, 00:15:12, Vlan100
The Global table looks like this:
#sh ip route
Gateway of last resort is 10.1.0.107 to network 0.0.0.0
D* 0.0.0.0/0 [90/1709056] via 10.1.0.107, 3d02h, Tunnel1
10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
S 10.0.0.0/24 is directly connected, FastEthernet4
C 10.1.0.0/24 is directly connected, Tunnel1
L 10.1.0.227/32 is directly connected, Tunnel1
C 10.2.0.0/24 is directly connected, Tunnel2
L 10.2.0.227/32 is directly connected, Tunnel2
C 10.10.10.227/32 is directly connected, Loopback100
192.168.227.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.227.0/24 is directly connected, Vlan100
L 192.168.227.1/32 is directly connected, Vlan100
But When I try to ping it still doesn´t work:
#ping vrf FVRF 192.168.227.1 source fastEthernet 4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.227.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.6
Success rate is 0 percent (0/5)
#ping 10.0.0.1 source vlan 100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.227.1
Success rate is 0 percent (0/5)
Any ideas?
Regards,
Laurent -
Hi,
I'm trying to set up different types of VRF-aware VPN and I have a problem with below one:
FVRF=VRF1 and IVRF=global, no VRF
there are 2 routers with Loopback1 (global VRF) and gig0/0 (vrf FVRF). When I ping between Loop1's I see ISAKMP and IPsec SAs are up but I don't receive echo reply
Loop1 (global vrf) -- gig0/0 (vrf=FVRF) <-> gig0/0 (vrf=FVRF) -- Loop1 (global vrf)
11.11.11.11 10.0.0.1 10.0.0.2 22.22.22.22
r1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.0.0.1 10.0.0.2 QM_IDLE 1003 ACTIVE
IPv6 Crypto ISAKMP SA
r1#sh cry
r1#sh crypto ip
r1#sh crypto ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: MAPA, local addr 10.0.0.1
protected vrf: FVRF
local ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (22.22.22.22/255.255.255.255/0/0)
current_peer 10.0.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xCF660D5A(3479571802)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x66992BE3(1721314275)
r1#
I added static routes on r1 and r2 but apparently I missed something else:
r1:
ip route 22.22.22.22 255.255.255.255 GigabitEthernet0/0 10.0.0.2
r2:
ip route 11.11.11.11 255.255.255.255 GigabitEthernet0/0 10.0.0.1
Any suggestions?
HubertHi,
yes, I have the static route:
r1#sh run | i route
ip source-route
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 10.0.0.2
r1#sh ip ro
r1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 10.0.0.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.0.0.2, GigabitEthernet0/0
11.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 11.11.11.0/24 is directly connected, Loopback1
L 11.11.11.11/32 is directly connected, Loopback1
r1#sh ip route vr
r1#sh ip route vrf FVRF
Routing Table: FVRF
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.0.0/24 is directly connected, GigabitEthernet0/0
L 10.0.0.1/32 is directly connected, GigabitEthernet0/0
r1#
The problem is I can't specify 'global' vrf in the route statement. When I tested a bit different case scenario everything worked fine:
a) Loop1 (vrf=IVRF) -- gig0/0 (global vrf) <-> gig0/0 (global vrf) -- Loop1 (vrf=IVRF)
11.11.11.11 10.0.0.1 10.0.0.2 22.22.22.22
I just added:
ip route vrf IVRF 22.22.22.22 255.255.255.255 GigabitEthernet0/0 10.0.0.2 global
b) With 2 VRFs:
Loop1 (vrf=IVRF) -- gig0/0 (vrf=FVRF) <-> gig0/0 (vrf=FVRF) -- Loop1 (vrf=IVRF)
11.11.11.11 10.0.0.1 10.0.0.2 22.22.22.22
I added:
ip route vrf FVRF 0.0.0.0 0.0.0.0 10.0.0.1
ip route vrf IVRF 0.0.0.0 0.0.0.0 FastEthernet0/0 10.0.0.1
So, the problem I have, is only when Loopback interfaces are in global VRF and physical interfaces vrf=FVRF:
Loop1 (global vrf) -- gig0/0 (vrf=FVRF) <-> gig0/0 (vrf=FVRF) -- Loop1 (global vrf)
11.11.11.11 10.0.0.1 10.0.0.2 22.22.22.22
I wonder if Cisco supports such scenario. -
7200's + 2960's - ASR1001's + ME3600's
Hi,
We are looking at replacing 7200's + 2960/3560s' at our POPs with 2 x ASR1001's and 2 x ME3600X's - We primarily provide L3VPN (VRF's) to our customers (All L3 done on the 7200's) - At some of our POP's we have IPTransit(Full tables)+Peering sessions on the 7200's (We also peer with some customers).
We are planning on running MPLS on the ME3600's and terminating customer vrf's there (Rather than on the ASR's), the ASR's will have the IPTransit+Peering sessions (Plus connect to our other POPs via TE tunnels)
We have a couple of POPs that do not (currently) have any IPTransit or Peering sessions - At these POP's could we simply use the ME3600's without the ASR's? Or is the TE functionality on the ASR's more feature rich than the ME's? There is a potential for these POP's to provide Peering to customers, which I assume would be best served by the ASR's?
I know this is a very broad question, but not being overly familiar with the ME3600 range, what "cant" they do compared to the ASR's (Assuming we are running the MetroIPAccess IOS on the ME's)
Cheers.Do some reading and research.....and u will find no drive even gets close to ata 100 spec.....mine are 360 raptors...they only break 55 .....65 to 93 in raid 0....but that also isnt full time.....thats an average at Very best....the new 74 gig raptor can push 65 byit self...400.00 CDN... Ive read the the average7200 HD is running about 35....I have 2 pcs the other has an older 7200 maxtor on it ....and the diff between these 2 for hd speed....isnt seen in 50% of programs im running...and the other 50 % so are very good....and others are just good .....but not Breakneck speed, even though the ( manufactures would say so).....its like Videocards ....some upgrades only gain u 5 to 10% in ur games....and I bet u havent notice it....unless u look for that 1 extra Pixel in the wall..in the back conner...in the dark....behind u ......
-
Using LMS is there a way to run a job which would extract the VRF name in part of the configuration and then use it as a variable to deploy additional configuration using the VRF name. We have a number of management VRF's and need to deploy a mass configuration change on a number of devices.
aaa group server tacacs+ blah
server x.x.x.x
server x.x.x.x
ip vrf forwarding testI am working for a service provider and I was given a task to configure more than 50000 devices (!). First I started with VBS and some scriptable terminal application, but it was too complicated to handle that much data. I then decided to develop my own application dedicated to device mass-configuration. As I understand your question, you may also find it useful : http://www.prettygoodterminal.com
BR -
Hi fols,
We got ASR 1002 for use as LNS and move VPDN settings from 7204 to ASR1002... Looks like PPPoE interfaces (customers works pefect) but MLP Bundle cant establish :(
Cisco Console Log:
Feb 13 05:00:13 104.234.254.1 21010: Feb 13 10:00:12.732: %CPPOSLIB-3-ERROR_NOTIFY: SIP0: cpp_cp: cpp_cp encountered an error -Traceback= 1#adfdffd320bd4b50a075756a85bafaca errmsg:7FB80973B000+121D cpp_common_os:7FB80C74C000+D8D5 cpp_common_os:7FB80C74C000+D7D4 cpp_common_os:7FB80C74C000+19A3E cpp_ifm:7FB81F747000+A158 cpp_mlppp_svr_lib:7FB815BBB000+C2F1 cpp_mlppp_svr_lib:7FB815BBB000+1CCA8 cpp_mlppp_svr_smc_lib:7FB815DF9000+2D28 cpp_common_os:7FB80C74C000+11E6E cpp_common_os:7FB80C74C000+118AA cpp_common_os:7FB80C74C000+116EB evlib:7FB80B72C0
Feb 13 05:00:13 104.234.254.1 21011: Feb 13 10:00:12.733: %FMFP-3-OBJ_DWNLD_TO_CPP_FAILED: SIP0: fman_fp_image: MLP bundle 174, link 170 download to CPP failed
Radius Log (look as well):
Fri Feb 13 04:59:41 2015 : Auth: Login OK: [[email protected]] (from client asr-lns1.xxxxx.com port 3445 cli BHVLPQ1004W lag-39:53)
Fri Feb 13 04:59:41 2015 : Info: Existing IP: x.x.x.x (did cli BHVLPQ1004W lag-39:53 port 3445 user [email protected])
Fri Feb 13 05:00:12 2015 : Auth: Login OK: [[email protected]] (from client asr-lns1.xxxxx.com port 3009 cli BHVLPQ1004W lag-39:53)
Fri Feb 13 05:00:12 2015 : Info: Existing IP: x.x.x.x (did cli BHVLPQ1004W lag-39:53 port 3009 user [email protected])
My Debug settings:
2# sh debug
PPPoE:
PPPoE protocol events debugging is on
PPPoE data packets debugging is on
PPPoE control packets debugging is on
PPPoE protocol errors debugging is on
MLP:
Multilink fragments debugging is on
Multilink events debugging is on
First bytes of multilink packet debugging is on
VTEMPLATE:
Virtual Template errors debugging is on
Virtual Template subinterface debugging is on
#sh log | in MLP
:01:13.742: Vi109 MLP: Dropped link Vi110 from bundle [email protected]
Feb 13 10:01:13.742: Vi109 MLP: Dropped last link, removing bundle [email protected]
Feb 13 10:01:13.742: Vi109 MLP: Removing bundle '[email protected]'
Feb 13 10:01:15.392: Vi111 MLP: Request add link to bundle
Feb 13 10:01:15.392: Vi111 MLP: Adding link to bundle
Feb 13 10:01:15.392: Vi111 MLP: Requested bundle vaccess creation
Feb 13 10:01:15.392: Vi111 MLP: Determine clone source for SSS
Feb 13 10:01:15.392: Vi111 MLP: Link is Virtual-Access, clone from Virtual-Template 1
Feb 13 10:01:15.395: Vi111 MLP: Determine clone source for SSS
Feb 13 10:01:15.395: Vi111 MLP: Link is Virtual-Access, clone from Virtual-Template 1
Feb 13 10:01:15.396: Vi111 MLP: SSS connect, bundle interface Vi112
Feb 13 10:01:15.396: Vi112 MLP: Changing bundle bandwidth from 100000 to 2000000
Feb 13 10:01:15.396: Vi112 MLP: Interleaving disabled
Feb 13 10:01:15.396: Vi112 MLP: Ready to finish adding link Vi111 to bundle
Feb 13 10:01:15.396: Vi111 MLP: Computed frag size 7499992 exceeds MTU, changed to 1496
Feb 13 10:01:15.396: Vi112 MLP: Update bundle bandwidth 2000000 set 2000000
Feb 13 10:01:15.396: Vi111 MLP: Change transmit status from Init to Enabled, transmit links 1
Feb 13 10:01:15.397: Vi112 MLP: Added first link Vi111 to bundle [email protected]
Feb 13 10:01:15.397: Vi111 MLP: Updating bundle's PPP handle[0xCE000105] in SSS context
Feb 13 10:01:15.398: Vi112 MLP: Received segment updated message for bundle
Feb 13 10:01:15.402: %FMFP-3-OBJ_DWNLD_TO_CPP_FAILED: SIP0: fman_fp_image: MLP bundle 179, link 178 download to CPP failed
Feb 13 10:01:17.694: Vi112: MLP: Bundle has 1/2 desired links, requesting another
Feb 13 10:01:43.097: Vi111 MLP: Change transmit status from Enabled to Idle, transmit links 0
Feb 13 10:01:43.097: Vi112 MLP: No previous member for idle link in '[email protected]'
Feb 13 10:01:43.097: Vi112 MLP: Update bundle bandwidth 2000000 set 2000000
Feb 13 10:01:45.102: Vi111 MLP: Request drop link from bundle Vi112
Feb 13 10:01:45.103: Vi112 MLP: Removing link Vi111 from bundle [email protected]
Feb 13 10:01:45.103: Vi111 MLP: Change transmit status from Idle to Init, transmit links 0
Feb 13 10:01:45.103: Vi112 MLP: Bundle bandwidth 2000000 unchanged
Feb 13 10:01:45.103: Vi112 MLP: Dropped link Vi111 from bundle [email protected]
Feb 13 10:01:45.103: Vi112 MLP: Dropped last link, removing bundle [email protected]
Feb 13 10:01:45.103: Vi112 MLP: Removing bundle '[email protected]'
2# sh ppp multilink
Virtual-Access126
Bundle name: [email protected]
Remote Username: [email protected]
Remote Endpoint Discriminator: [3] 4c60.de51.dd67
Local Endpoint Discriminator: [1] asr1002
Bundle up for 00:00:25, total bandwidth 2000000, load 1/255
Receive buffer limit 12192 bytes, frag timeout 1000 ms
Bundle is Distributed
Using relaxed lost fragment detection algorithm.
0/0 fragments/bytes in reassembly list
0 lost fragments, 0 reordered
0/0 discarded fragments/bytes, 0 lost received
0x0 received sequence, 0x0 sent sequence
Platform Specific Multilink PPP info
NOTE: internal keyword not applicable on this platform
Interleaving: Enabled, Fragmentation: Enabled
Member links: 1 (max 16, min 2)
BHVLPQ1004W:Vi125 (x.x.x.x), since 00:00:25, 7500000 weight, 1496 frag size, unsequenced
No inactive multilink interfaces
Border-ASR1002#sh users | in xxxxx
Vi129 [email protected] PPPoVPDN never
Vi130 [email protected] MLP Bundle 00:00:06
NO IP ASSIGNED and this SESSIONs will be close in 30-50 sec. Then start again by circle.
interface Virtual-Template1
ip unnumbered Loopback100
no ip redirects
no ip proxy-arp
ip mtu 1460
ip tcp adjust-mss 1420
load-interval 60
no peer default ip address
keepalive 30
ppp mru match
ppp authentication pap chap xxx-netwrok.com
ppp authorization xxx-netwrok.com
ppp accounting xxx-netwrok.com
ppp ipcp dns 8.8.8.8
ppp multilink
ppp multilink links minimum 2
ppp multilink interleave
ppp multilink endpoint string asr1002
end
interface Loopback100
ip address x.x.x.x 255.255.255.255
end
#sh ppp statistics
Type PPP Statistic TOTAL SINCE CLEARED
4 Transition Packet Drop 2 2
5 Interrupt Transition Packet Drop 5 5
14 PPP Handles Allocated 16620 16620
15 PPP Handles Freed 13971 13971
16 LCP Renegotiations 17 17
17 NCP Renegotiations 3 3
18 NCP Negotiations Failed 348 348
19 PPP Encapped Interfaces 4583 4583
24 LCP Timeout+ 2892 2892
25 NCP Timeout+ 89257 89257
26 LCP Timeout- 793 793
27 NCP Timeout- 9542 9542
28 Authentication Timeout 1984 1984
29 Configure-Ack Id mismatch 9 9
30 Configure-Nak/Reject Id mismatch 21 21
Type PPP MIB Counters PEAK CURRENT
1 Links at LCP Stage 13 2
2 Links at Unauthenticated Name Stage 240 0
3 Links at Authenticated Name Stage 4 0
7 Links at Local Termination Stage 2650 2647
8 MLP Links at LCP Stage 1 0
9 MLP Links at Unauthenticated Name Stage 1 0
10 MLP Links at Authenticated Name Stage 1 0
14 MLP Links at Local Termination Stage 3 0
20 Successful LCP neogtiations 14497 14497
22 Entered Authentication Stage 14497 14497
28 IPCP UP Sessions 2650 2647
48 CHAP authentication attempts 2 2
49 CHAP authentication successes 1 1
51 PAP authentication attempts 14495 14495
52 PAP authentication successes 7397 7397
53 PAP authentication failures 6141 6141
95 Total Sessions 2651 2647
96 Non-MLP Sessions 2650 2647
97 MLP Sessions 1 0
98 Total Links 2654 2649
99 Non-MLP Links 2653 2649
100 MLP Links 2 0
Type PPP Disconnect Reason TOTAL SINCE CLEARED
11 Missed too many keepalives 177 177
12 PPP Renegotiating 18 18
15 LCP failed to negotiate 1694 1694
17 Received LCP TERMREQ from peer 1465 1465
18 Received LCP TERMACK from peer while OPEN 2 2
24 Removing MLP Bundle 412 412
27 MLP Kill Link 4 4
29 Lower Layer disconnected 3187 3187
37 Received disconnect from Session Manager 174 174
54 User failed PAP authentication 6141 6141
55 AAA Server did not respond 695 695
57 Authentication timeouts exceeded 2 2
If i try look show interface for two interface in bundle i see like this:
Border-ASR1002#sh int Vi24
Virtual-Access24 is up, line protocol is up
Hardware is Virtual Access interface
Interface is unnumbered. Using address of Loopback100 (x.x.x.x)
MTU 1442 bytes, BW 2000000 Kbit/sec, DLY 100000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Open, multilink Open
REQsent: IPCP
MLP Bundle vaccess, cloned from Virtual-Template1
Vaccess status 0x44, loopback not set
Keepalive set (30 sec)
DTR is pulsed for 5 seconds on reset
Border-ASR1002#sh int Vi28
Virtual-Access28 is up, line protocol is up
Hardware is Virtual Access interface
MTU 1500 bytes, BW 2000000 Kbit/sec, DLY 100000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Open, multilink Open
Link is a member of Multilink bundle Virtual-Access24
PPPoVPDN vaccess, cloned from Virtual-Template1
Vaccess status 0x44
Protocol l2tp, tunnel id 64648, session id 34181, loopback not set
Keepalive set (30 sec)
DTR is pulsed for 5 seconds on reset
Looks like normal. but in 30-60 sec this crashed... and sure we have not one customers with MLP... i hope we have around 20-30... so should be tonns MLP :)
Sure i lose few hours for find solutions but without luck. Nobody have exacly answer to this question.
I got abolutely working configuration from working NAS (7201 and 7204) and move it to ASR... thats what i have with MLP :((((
Can someone try help me investigate in figure our this....
I found same thread on ciscoforums where guys tell "need update ios" but someone update it and have same issue, so i hope issue not in IOS version.
Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-UNIVERSAL-M), Version 15.3(2)S1, RELEASE SOFTWARE (fc1)
IOS XE Version: 03.09.01.S
System image file is "bootflash:/asr1002x-universal.03.09.01.S.153-2.S1.SPA.bin"
If you need anything else, like more debug or more info ... just ask me... i will wait there for your questions.
Thanks a lot.!
/// Update
Little bit more debug from bootflash:/tracelogs/cpp_cp_F0-0.log.7749.20150213111013
02/13 11:09:07.734 [errmsg]: (ERR): %CPPOSLIB-3-ERROR_NOTIFY: cpp_cp encountered an error -Traceback= 1#adfdffd320bd4b50a075756a85bafaca errmsg:7FB80973B000+121D cpp_common_os:7FB80C74C000+D8D5 cpp_common_os:7FB80C74C000+D7D4 cpp_common_os:7FB80C74C000+19A3E cpp_ifm:7FB81F747000+A158 cpp_mlppp_svr_lib:7FB815BBB000+C2F1 cpp_mlppp_svr_lib:7FB815BBB000+1CCA8 cpp_mlppp_svr_smc_lib:7FB815DF9000+2D28 cpp_common_os:7FB80C74C000+11E6E cpp_common_os:7FB80C74C000+118AA cpp_common_os:7FB80C74C000+116EB evlib:7FB80B72C000+B8E7 evlib:7FB80B72C000+E1B0
02/13 11:09:07.735 [buginf]: (debug):
-Traceback=1#adfdffd320bd4b50a075756a85bafaca cpp_common_os:7FB80C74C000+11445 cpp_common_os:7FB80C74C000+D7D9 cpp_common_os:7FB80C74C000+19A3E cpp_ifm:7FB81F747000+A158 cpp_mlppp_svr_lib:7FB815BBB000+C2F1 cpp_mlppp_svr_lib:7FB815BBB000+1CCA8 cpp_mlppp_svr_smc_lib:7FB815DF9000+2D28 cpp_common_os:7FB80C74C000+11E6E cpp_common_os:7FB80C74C000+118AA cpp_common_os:7FB80C74C000+116EB evlib:7FB80B72C000+B8E7 evlib:7FB80B72C000+E1B0 cpp_common_os:7FB80C74C000+13B43 :400000+6061 c:7FB7FC394000+1E514 :400000+5CC9
02/13 11:09:07.735 [cpp-mlppp]: (warn): [cpp_mlp_tx_link_create:3260] cpp_ifm_tx_chan_create_on_if failed link=1563 (retval='CPP Interface Database' detected the 'warning' condition 'IFDB detected error in API': No such file or directory)
02/13 11:09:07.735 [cpp-mlppp]: (warn): [cpp_mlp_svr_bundle_add_link_cmn:5035] cpp_mlp_tx_link_create failed link=1563 (retval='CPP Interface Database' detected the 'warning' condition 'IFDB detected error in API': No such file or directory)
02/13 11:09:41.978 [cpp-ifm]: (ERR): cpp_ifm_tx_chan_create_on_if.806: failed to find channel for parent if_h 100-'CPP Interface Database' detected the 'warning' condition 'IFDB detected error in API': No such file or directory
02/13 11:09:41.980 [errmsg]: (ERR): %CPPOSLIB-3-ERROR_NOTIFY: cpp_cp encountered an error -Traceback= 1#adfdffd320bd4b50a075756a85bafaca errmsg:7FB80973B000+121D cpp_common_os:7FB80C74C000+D8D5 cpp_common_os:7FB80C74C000+D7D4 cpp_common_os:7FB80C74C000+19A3E cpp_ifm:7FB81F747000+A158 cpp_mlppp_svr_lib:7FB815BBB000+C2F1 cpp_mlppp_svr_lib:7FB815BBB000+1CCA8 cpp_mlppp_svr_smc_lib:7FB815DF9000+2D28 cpp_common_os:7FB80C74C000+11E6E cpp_common_os:7FB80C74C000+118AA cpp_common_os:7FB80C74C000+116EB evlib:7FB80B72C000+B8E7 evlib:7FB80B72C000+E1B0
02/13 11:09:41.981 [buginf]: (debug):
-Traceback=1#adfdffd320bd4b50a075756a85bafaca cpp_common_os:7FB80C74C000+11445 cpp_common_os:7FB80C74C000+D7D9 cpp_common_os:7FB80C74C000+19A3E cpp_ifm:7FB81F747000+A158 cpp_mlppp_svr_lib:7FB815BBB000+C2F1 cpp_mlppp_svr_lib:7FB815BBB000+1CCA8 cpp_mlppp_svr_smc_lib:7FB815DF9000+2D28 cpp_common_os:7FB80C74C000+11E6E cpp_common_os:7FB80C74C000+118AA cpp_common_os:7FB80C74C000+116EB evlib:7FB80B72C000+B8E7 evlib:7FB80B72C000+E1B0 cpp_common_os:7FB80C74C000+13B43 :400000+6061 c:7FB7FC394000+1E514 :400000+5CC9
02/13 11:09:41.981 [cpp-mlppp]: (warn): [cpp_mlp_tx_link_create:3260] cpp_ifm_tx_chan_create_on_if failed link=1563 (retval='CPP Interface Database' detected the 'warning' condition 'IFDB detected error in API': No such file or directory)
02/13 11:09:41.981 [cpp-mlppp]: (warn): [cpp_mlp_svr_bundle_add_link_cmn:5035] cpp_mlp_tx_link_create failed link=1563 (retval='CPP Interface Database' detected the 'warning' condition 'IFDB detected error in API': No such file or directory)
02/13 11:10:13.049 [cpp-ifm]: (ERR): cpp_ifm_tx_chan_create_on_if.806: failed to find channel for parent if_h 100-'CPP Interface Database' detected the 'warning' condition 'IFDB detected error in API': No such file or directoryOriginally Posted by CRAIGDWILSON
Look in your logs for any issues zmd-messages.log regarding accessing
"AppData". If so, that could be a known issue they are looking at,
though it is not really new but there are reports back to even 11.2.x
The reports are more of a timing issue on boot, but perhaps it could
relate to logon if that happened soon enough, though non of the reports
are for logon events.
On 6/25/2014 2:26 AM, thsundel wrote:
>
> Hi!
> Anyone else have problems with bundles not installing/launching on
> schedule with 11.3FRU1 agent? Also bundles set to launch at user login
> doesn't work first time the user logs in after workstation is booted, if
> they logout and in again then it will work?
>
> Thomas
>
>
Craig Wilson - MCNE, MCSE, CCNA
Novell Technical Support Engineer
Novell does not officially monitor these forums.
Suggestions/Opinions/Statements made by me are solely my own.
These thoughts may not be shared by either Novell or any rational human.
Nope, nothing refering to appdata (only thing it finds is appdatalrucache but that is probably not what you are asking for)...
I've now tried assiging the bundle both to device and to user but still nothing happes, works fine on our 11.2.x agent workstations.
Thomas -
Hi Guyz,
I have 3 VRF's on VSS core.
1) VRF A
2) VRF B
3) Global VRF.
I have Firewall in L3 mode between these VRFs. Traffic between A & B have to cross firewall.
i can use BGP or EVN to leak routes between VRFs, but they leak only routes tht are present in routing table.
Now i need to leak specific route for eg 10.10.10.10/32 from VRF A to VRF B.
10.10.10.0/24 is directly connected interface on VRF A.
i need to find a way where i can leake /32 route between VRFs.
ThanksChanging the autonomous system number may be necessary when 2 separate BGP networks are combined under a single autonomous system. This typically occurs when one ISP purchases another ISP. The neighbor local-as command is used initially to configure BGP peers to support 2 local autonomous system numbers to maintain peering between 2 separate BGP networks. This configuration allows the ISP to immediately make the transition without any impact on existing customer configurations
enable
configure terminal
router bgp as-number
address-family {ipv4 | ipv6 | vpnv4| [multicast | unicast | vrf {vrf-name}]} -
Vrf routes into global route table
Dear All
I am stuck with a design I am trying to come up with for our EDGE network and looking for ideas from the community.
It is similar to what is described here:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/ServEdge.html#wp86450http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/ServEdge.html#wp86904
In short we have a multi-context FWSM at 2 sites creating an EDGE network, each site operate independently. The sites are linked internally in a single routing domain using OSPF. Each of the outside networks are in seperate VRFs, single-tier model.
I need to find a way to:
1) link the 2 sites (currently is done with a GRE tunnel between the site vrfs, looking at replacing this with mp-bgp and l3vpn encapsulation)
2) redistribute routes from each of the vrf into the common global route table (running ospf)
1 is working nicely with mp-BGP peer between the sites and routes distributed between, however I am stuck on how to achieve 2.
The only way I can see is to change the global route table to a vrf, then use rt import/export. This is commonly described as shared services. When I did that I got stuck with how to do the BGP peering as the loopback I was using for the peering is inside the new vrf.
Basically I want dynamic routing from the global route table to learn routes from each of the sites vrf. Then if a particular site's vrf is unavailable, it can pick up the other site's route.
Am I missing something here? The document linked makes it sound incredibly easy yet I am struggling with how to implement it.
Any advice is much appreciatedHello philip,
It is really hard to help you, if you do not provide topology where you would like to implement these changes, so just some thoughts to your points:
2) redistribute routes from each of the vrf into the common global route table (running ospf)
You can use PE - CE design. VRFs are terminated on PE with all routes you need in respective VRFs. On PE, MP-BGP routes are redistributed into respective VRF's OSPF process . PE is connected with CE via separate physical interface for each VRF or you can use one physical interface with dedicated sub-interface for each VRF. PE is peering with CE using OSPF. All routes end up in CE global routing table.
Problems with this design ->
- for each VRF you have to create separate OSPF process on PE and CE, also OSPF process ID has to be unique on PE for each VRF. Also OSPF process ID has to match to establish OSPF neighborship between PE-CE, so on CE you will have to redistribute OSPF routes from each process to your main OSPF process.
other workarounds ->
1) instead OSPF you will use as peering protocol BGP between PE-CE, but you still have to redistribute BGP routes to OSPF on CE
2) you will use different PE to redistribute each VRF -> BGP routes will be redistributed from VRF into OSPF (same process ID as your main OSPF ID). Routes will be advertised via OSPF into CE global routing table.
You will use on PE per VRF to redistribute routes into OSPF with same process ID as your main process ID. Thanks to different PEs, you can have same OSPF process ID, all these PEs will peer with same CE via OSPF.
I hope I made my thoughts understandable, cause its quite hard to explain
When I did that I got stuck with how to do the BGP peering as the loopback I was using for the peering is inside the new vrf.
This should not be a problem. You can have same IP on all VRF and also global table, so peering can still be done. After BGP routes are exchanged you can leak prefixes from one vrf to another or into global table as you need.
Best Regards
Please rate all helpful posts and close solved questions -
Multiple DMVPNs within separate VRF's using crypto keyring
Hi All,
I have deployed ASR's within a service provider environment acting as the DMVPN hubs for multiple customers networks contained within their own VRFs.
In each case from the tunnel perspective the iVRF and fVRF are the same for a specific customer and crypto key rings are used to associate pre-shared-keys.
When the box was first deployed a test network was built without using keyrings, but still using the VRF's as shown in the snippet. However I cannot get the configuration to work using keyrings, hence cannot add additional customers. It would appear that IKE phase 2 is not completing.
An initial bug scrub has come up clear so I'm guessing i must be missing something.
Current firmware: Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.0(1)S)
-- snippet of test configuration --
crypto keyring CUST1 vrf CUST1
pre-shared-key address 10.10.10.0 255.255.255.0 key **CRYPTOKEY_CUST1**
crypto isakmp profile CUST1_PROFILE
vrf CUST1
keyring CUST1
match identity address 0.0.0.0
crypto ipsec transform-set CUST1 esp-aes 256 esp-sha-hmac
mode transport
interface Tunnel1
bandwidth 1000
ip vrf forwarding CUST1
ip address 10.10.10.1 255.255.255.0
no ip redirects
ip nhrp authentication CUST1
ip nhrp map multicast dynamic
ip nhrp network-id 10101010
ip nhrp holdtime 450
ip nhrp registration no-unique
no ip split-horizon
delay 1000
tunnel source GigabitEthernet0/0/0.1010
tunnel mode gre multipoint
tunnel key 1010
tunnel vrf CUST1
tunnel protection ipsec profile CUST1_PROFILE shared
Any help would be great.
Best regards
MickConfig wise, you do not need "vrf CUST1" inside the profile, GRE will do handoff for you.
Hard to say where the problem is without more debugs ;-)
M. -
Suspecting ESP 10 to fail in ASR1002
ASR1002 Cisco doesnt recognise ESP 10 module. Log is attached. We need to decide wether the chassi is OK or it is also affected.
We have conducted the following experiment: turned on the ASR1002 without ESP module and assigned 192.168.0.2 adress to an interface.
After that tried to ping 192.168.0.2 from outside, all pings have been lost.
Does the ASR1002 have to respond on the interface without ESP module?
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.1(3)S1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Sat 08-Oct-11 01:16 by mcpre
Cisco IOS-XE software, Copyright (c) 2005-2011 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
% failed to initialize nvram
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
cisco ASR1002 (2RU) processor with 1700171K/6147K bytes of memory.
4 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
7798783K bytes of eUSB flash at bootflash:.
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]: no
Press RETURN to get started!
*Dec 12 16:40:24.348: %ASR1000_RP_NV-3-NV_ACCESS_FAIL: Initial read of NVRAM contents failed
*Dec 12 16:40:31.211: %LINK-3-UPDOWN: Interface Lsmpi0, changed state to up
*Dec 12 16:40:31.211: %LINK-3-UPDOWN: Interface EOBC0, changed state to up
*Dec 12 16:40:31.211: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-Null0, changed state to up
*Dec 12 16:40:31.212: %LINEPROTO-5-UPDOWN: Line protocol on Interface LI-Null0, changed state to up
*Dec 12 16:40:31.212: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to down
*Dec 12 16:40:31.212: %LINK-3-UPDOWN: Interface LIIN0, changed state to up
*Dec 12 16:40:31.350: %NETCLK-5-NETCLK_MODE_CHANGE: Network clock source not available. The network clock has changed to freerun
*Dec 12 16:40:31.440: %ASR1000_MGMTVRF-6-CREATE_SUCCESS_INFO: Management vrf Mgmt-intf created with ID 1, ipv4 table-id 0x1, ipv6 table-id 0x1E000001
*Dec 12 16:40:31.715: %DYNCMD-7-PKGINT_INSTALLED: The command package 'platform_trace' has been succesfully installed
*Dec 12 16:40:33.429: %LINEPROTO-5-UPDOWN: Line protocol on Interface Lsmpi0, changed state to up
*Dec 12 16:40:33.430: %LINEPROTO-5-UPDOWN: Line protocol on Interface EOBC0, changed state to up
*Dec 12 16:40:33.430: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down
*Dec 12 16:40:33.430: %LINEPROTO-5-UPDOWN: Line protocol on Interface LIIN0, changed state to up
*Dec 12 16:40:23.540: %IOSXE-5-PLATFORM: R0/0: xinetd[32286]: xinetd Version 2.3.14 started with no options compiled in.
*Dec 12 16:40:23.554: %IOSXE-5-PLATFORM: R0/0: xinetd[32286]: Started working: 1 available service
*Dec 12 16:40:34.225: %DYNCMD-7-CMDSET_LOADED: The Dynamic Command set has been loaded from the Shell Manager
*Dec 12 16:40:58.021: %LINK-5-CHANGED: Interface GigabitEthernet0/0/0, changed state to administratively down
*Dec 12 16:40:58.022: %LINK-5-CHANGED: Interface GigabitEthernet0/0/1, changed state to administratively down
*Dec 12 16:40:58.022: %LINK-5-CHANGED: Interface GigabitEthernet0/0/2, changed state to administratively down
*Dec 12 16:40:58.023: %LINK-5-CHANGED: Interface GigabitEthernet0/0/3, changed state to administratively down
*Dec 12 16:40:58.023: %LINK-5-CHANGED: Interface GigabitEthernet0, changed state to administratively down
*Dec 12 16:40:59.021: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to down
*Dec 12 16:40:59.022: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to down
*Dec 12 16:40:59.022: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/2, changed state to down
*Dec 12 16:40:59.023: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/3, changed state to down
*Dec 12 16:41:02.525: %ASR1000_OIR-6-REMSPA: SPA removed from subslot 0/0, interfaces disabled
*Dec 12 16:41:02.527: %SPA_OIR-6-OFFLINECARD: SPA (4XGE-BUILT-IN) offline in subslot 0/0
*Dec 12 16:41:02.531: %ASR1000_OIR-6-INSCARD: Card (fp) inserted in slot F0
*Dec 12 16:41:02.532: %ASR1000_OIR-6-INSCARD: Card (cc) inserted in slot 0
*Dec 12 16:41:02.532: %ASR1000_OIR-6-ONLINECARD: Card (cc) online in slot 0
*Dec 12 16:41:02.536: %ASR1000_OIR-6-INSSPA: SPA inserted in subslot 0/0
*Dec 12 16:41:02.743: %SYS-5-RESTART: System restarted --
Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.1(3)S1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Sat 08-Oct-11 01:16 by mcpre
*Dec 12 16:41:05.577: %SPA_OIR-6-ONLINECARD: SPA (4XGE-BUILT-IN) online in subslot 0/0
Router>
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#in
Router(config)#int
Router(config)#interface lo
Router(config)#interface loo
Router(config)#interface loopback 0
Router(config-if)#ip ad
Router(config-if)#ip address 19
*Dec 12 16:42:04.778: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up2.1
Router(config-if)#ip address 192.168.0.1 255.255.255.0
Router(config-if)#exit
Router(config)#exit
Router#sho
Router#show run
Router#show running-config int
Router#show running-config interface
*Dec 12 16:42:18.204: %SYS-5-CONFIG_I: Configured from console by consolelo
Router#show running-config interface lo0
Router#show running-config interface loo
Router#show running-config interface loopback 0
Building configuration...
Current configuration : 65 bytes
interface Loopback0
ip address 192.168.0.1 255.255.255.0
end
Router#ping 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
Success rate is 0 percent (0/5)
Router#sho
Router#show in
Router#show in
Router#show inte
Router#show interfaces lo
Router#show interfaces loo
Router#show interfaces loopback 0
Loopback0 is up, line protocol is up
Hardware is Loopback
Internet address is 192.168.0.1/24
MTU 1514 bytes, BW 8000000 Kbit/sec, DLY 5000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation LOOPBACK, loopback not set
Keepalive set (10 sec)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
Router#
Router#
*Dec 12 16:43:06.922: %TRANSCEIVER-6-INSERTED: SIP0/0: transceiver module inserted in GigabitEthernet0/0/0
Router#sho
Router#show run
Router#show running-config in
Router#show running-config interface gi0/0/
% Incomplete command.
Router#show running-config interface gi0/0
% Incomplete command.
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#in
Router(config)#int
Router(config)#interface gi0/0
% Incomplete command.
Router(config)#interface gi0/0/0
Router(config-if)#no shu
Router(config-if)#no shutdown
Router(config-if)#ip ad
Router(config-if)#ip address 192.1
*Dec 12 16:43:44.764: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to down68.2.
*Dec 12 16:43:43.813: %LINK-3-UPDOWN: SIP0/0: Interface GigabitEthernet0/0/0, changed state to down1
*Dec 12 16:43:47.440: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to up
*Dec 12 16:43:46.437: %LINK-3-UPDOWN: SIP0/0: Interface GigabitEthernet0/0/0, changed state to up
*Dec 12 16:43:48.440: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to up
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#exit
Router(config)#exit
Router#sho
Router#show run
Router#show running-config int
Router#show running-config interface
*Dec 12 16:43:56.015: %SYS-5-CONFIG_I: Configured from console by consolegi
Router#show running-config interface gigabitEthernet 0/0/0
Building configuration...
Current configuration : 94 bytes
interface GigabitEthernet0/0/0
ip address 192.168.2.1 255.255.255.0
negotiation auto
end
Router#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
Success rate is 0 percent (0/5)
Router#sho
Router#show in
Router#show inte
Router#show interfaces gi
Router#show interfaces gigabitEthernet 0/0/0
GigabitEthernet0/0/0 is up, line protocol is up
Hardware is 4XGE-BUILT-IN, address is 8843.e100.7300 (bia 8843.e100.7300)
Internet address is 192.168.2.1/24
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
Full Duplex, 1000Mbps, link type is auto, media type is LX
output flow-control is off, input flow-control is off
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:27, output hang never
Last clearing of "show interface" counters never
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
17 packets input, 2015 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 17 multicast, 0 pause input
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 4 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
Router#sho
Router#show pl
Router#show platform
Chassis type: ASR1002
Slot Type State Insert time (ago)
0 ASR1002-SIP10 ok 00:06:40
0/0 4XGE-BUILT-IN ok 00:03:56
R0 ASR1002-RP1 ok, active 00:06:40
F0 unknown 00:06:40
P0 ASR1002-PWR-AC ok 00:05:28
P1 ASR1002-PWR-AC ps, fail 00:05:28
Slot CPLD Version Firmware Version
0 07120202 12.2(33r)XNC
R0 08011017 12.2(33r)XNC
F0 N/A N/A
Router#
System Bootstrap, Version 12.2(33r)XNC, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2009 by cisco Systems, Inc.
Current image running: Boot ROM0
Last reset cause: PowerOn
Last reset at: Fri Dec 12 16:48:51 UTC 2014
ASR1002-RP1 platform with 4194303 Kbytes of main memory
Warning: filesystem is not clean
Located asr1000rp1-adventerprisek9.03.04.01.S.151-3.S1.bin
Image size 312873272 inode num 13, bks cnt 76386 blk size 8*512
Boot image size = 312873272 (0x12a61138) bytes
Missing or illegal ip address for variable DEFAULT_GATEWAY
Using midplane macaddr
Missing or illegal ip address for variable IP_ADDRESS
Missing or illegal ip address for variable IP_SUBNET_MASK
Package header rev 0 structure detected
Calculating SHA-1 hash...done
validate_package: SHA-1 hash:
calculated 61d80af0:032b96a1:6b3b2b5c:667f969a:ad8e4c9f
expected 61d80af0:032b96a1:6b3b2b5c:667f969a:ad8e4c9f
Image validated
%IOSXEBOOT-4-FILESYS_ERRORS_CORRECTED: (rp/0): bootflash contained errors which were auto-corrected.
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.1(3)S1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Sat 08-Oct-11 01:16 by mcpre
Cisco IOS-XE software, Copyright (c) 2005-2011 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
% failed to initialize nvram
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
cisco ASR1002 (2RU) processor with 1700171K/6147K bytes of memory.
4 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
7798783K bytes of eUSB flash at bootflash:.
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]:
% Please answer 'yes' or 'no'.
Would you like to enter the initial configuration dialog? [yes/no]:
% Please answer 'yes' or 'no'.
Would you like to enter the initial configuration dialog? [yes/no]: no
Press RETURN to get started!
*Dec 12 16:52:16.032: %ASR1000_RP_NV-3-NV_ACCESS_FAIL: Initial read of NVRAM contents failed
*Dec 12 16:52:24.113: %LINK-3-UPDOWN: Interface Lsmpi0, changed state to up
*Dec 12 16:52:24.114: %LINK-3-UPDOWN: Interface EOBC0, changed state to up
*Dec 12 16:52:24.114: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-Null0, changed state to up
*Dec 12 16:52:24.115: %LINEPROTO-5-UPDOWN: Line protocol on Interface LI-Null0, changed state to up
*Dec 12 16:52:24.11
Router>5: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to down
*Dec 12 16:52:24.115: %LINK-3-UPDOWN: Interface LIIN0, changed state to up
*Dec 12 16:52:24.361: %NETCLK-5-NETCLK_MODE_CHANGE: Network clock source not available. The network clock has changed to freerun
*Dec 12 16:52:24.656: %ASR1000_MGMTVRF-6-CREATE_SUCCESS_INFO: Management vrf Mgmt-intf created with ID 1, ipv4 table-id 0x1, ipv6 table-id 0x1E000001
*Dec 12 16:52:25.151: %LINEPROTO-5-UPDOWN: Line protocol on Interface Lsmpi0, changed state to up
*Dec 12 16:52:25.152: %LINEPROTO-5-UPDOWN: Line protocol on Interface EOBC0, changed state to up
*Dec 12 16:52:25.152: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down
*Dec 12 16:52:25.152: %LINEPROTO-5-UPDOWN: Line protocol on Interface LIIN0, changed state to up
*Dec 12 16:52:25.546: %DYNCMD-7-PKGINT_INSTALLED: The command package 'platform_trace' has been succesfully installed
*Dec 12 16:52:28.680: %DYNCMD-7-CMDSET_LOADED: The Dynamic Command set has been loaded from the Shell Manager
*Dec 12 16:52:15.830: %IOSXE-5-PLATFORM: R0/0: xinetd[31943]: xinetd Version 2.3.14 started with no options compiled in.
*Dec 12 16:52:15.844: %IOSXE-5-PLATFORM: R0/0: xinetd[31943]: Started working: 1 available service
*Dec 12 16:52:50.090: %LINK-5-CHANGED: Interface GigabitEthernet0/0/0, changed state to administratively down
*Dec 12 16:52:50.091: %LINK-5-CHANGED: Interface GigabitEthernet0/0/1, changed state to administratively down
*Dec 12 16:52:50.091: %LINK-5-CHANGED: Interface GigabitEthernet0/0/2, changed state to administratively down
*Dec 12 16:52:50.091: %LINK-5-CHANGED: Interface GigabitEthernet0/0/3, changed state to administratively down
*Dec 12 16:52:50.092: %LINK-5-CHANGED: Interface GigabitEthernet0, changed state to administratively down
*Dec 12 16:52:51.090: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to down
*Dec 12 16:52:51.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to down
*Dec 12 16:52:51.092: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/2, changed state to down
*Dec 12 16:52:51.092: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/3, changed state to down
*Dec 12 16:52:57.608: %ASR1000_OIR-6-REMSPA: SPA removed from subslot 0/0, interfaces disabled
*Dec 12 16:52:57.609: %SPA_OIR-6-OFFLINECARD: SPA (4XGE-BUILT-IN) offline in subslot 0/0
*Dec 12 16:52:57.613: %ASR1000_OIR-6-INSCARD: Card (cc) inserted in slot 0
*Dec 12 16:52:57.613: %ASR1000_OIR-6-ONLINECARD: Card (cc) online in slot 0
*Dec 12 16:52:57.615: %ASR1000_OIR-6-INSSPA: SPA inserted in subslot 0/0
*Dec 12 16:52:57.819: %SYS-5-RESTART: System restarted --
Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.1(3)S1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Sat 08-Oct-11 01:16 by mcpre
*Dec 12 16:53:00.828: %SPA_OIR-6-ONLINECARD: SPA (4XGE-BUILT-IN) online in subslot 0/0
Router>en
Router#sho
Router#show pla
Router#show platform
Chassis type: ASR1002
Slot Type State Insert time (ago)
0 ASR1002-SIP10 ok 00:02:40
0/0Are you able to download and install other applications for your Mac?
Try following along with this Apple doc -> Troubleshooting iTunes installation on Mac OS X -
FlexVPN with F-VRF and multiple tunnels
Hi There,
I have a burning question and initially need to understand the possibility of the following scenario, below is a diagram of a single point-to-point connection used for proof of concept. The Hub router acts as a local RADIUS and is to issue IP addresses for both the client tunnel interfaces.
Two separate tunnels are required, one between Virtual-template 1 and tunnel 1 and one between Virtual-template 2 and tunnel 2, hence they are within a separate VRF on both routers.
Basically I am wondering if this is possible as getting this to work is a struggle.. I am currently using PSK authentication, though also wondering if there would be issues using certificates, i.e. the hub would effectively receive two separate SAs with the same certificate.
The flex client and hub have separate profiles keyrings etc for each connection...
Has anyone got this working before??
Any help or suggestions/pitfalls would be appreciated.Hi Olpeleri,
Many thx for the reply,
I have tried using two interfaces on the Hub, though no joy so far..... I want to have the hub tunnel end points in different VRFs, hence I have tried with two virtual templates A and B and interfaces A and B in different VRFs to each other.
i.e, looking at just one tunnel to start with,
HUB
interface Virtual-Template1 type tunnel
ip vrf forwarding VRF_A
ip unnumbered Loopback20
tunnel source Ethernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC-PROFILE
end
interface e0/0
ip vrf forwarding VRF_A
ip address 172.16.0.2 255.255.255.0
Is this config correct, I have tried using a front door VRF for each interface also, though the tunnel fails to build when both interfaces are there
The profile looks like this repeated for each interface with different names and virtual template etc..
crypto ikev2 profile default
match fvrf any
match identity remote fqdn domain cisco.com
identity local fqdn Hub1.cisco.com
authentication remote pre-share
authentication local pre-share
keyring ALL
pki trustpoint cisco
dpd 10 2 periodic
aaa authorization group psk AUTHOR_LIST AUTHOR_POL
virtual-template 1
Thanks, -
Apply QOS to vrf traffic?(Ethernet SubInts)
Hi,
I'm trying to apply "GOLD" QOS to vrf traffic that is terminated on eth subints, but class-map is not allowing me to match on subinterfaces:
class-map match-any GOLD
match mpls experimental topmost 5
match ip precedence 5
match input-interface fastEthernet 0/0 (Subints not allowed)
I also cannot match on access-group, as the traffic is within a vrf.
Should I be creating a seperate policy-map marking the traffic as GOLD, and then apply this as a "service-policy input" to each eth subint the vrf is associated with?Hi,
when you apply the service-policy to an interface you do NOT need to specify the interface in the class-map! Example:
class-map match-any VoIP
match ip precedence 5
match ip dscp ef
policy-map Marking
class VoIP
set mpls experimental imposition 5
interface FastEthernet0/0.100
ip address ...
encapsulation dot1q 100
service-policy input Marking
This will set MPLS exp bits on all traffic coming into F0/0.100 and being marked with either Prec 5 or DSCP EF.
Sidenote: using an ACL in class VoIP will also only match traffic on the interface, where the policy is applied. So overlapping customer addresses are not an issue.
Hope this helps! Please rate all posts.
Regards, Martin -
ASR 1002 Router doing multiple VRFs
I have an ASR 1002 router with Three VRFs coming into it. The first 2 VRFs are just terminating on the ASR with L3 sub interfaces. So no big deal with them. The third one is a VRF that needs to terminate on a separate router. The ASR that needs to split out this 3rd VRF is not allowed to have an IP address for it. So it just needs to forward off this as L2 to a separate physical port and then terminates on a different router.
So my question is what is the best way to accomplish this on the ASR? Could I setup a pseudo wire setup or is there an easier way to just split off this as separate VLAN to the other physical interface?Hi
You could try with bridging. Something like this
Interface bvi 1
no ip address
interface gig0
bridge-gropup 1
interface gig1
bridge-group 1
/Mikael -
Is it possible for an 819 router to have a 3G connection to a headend device using two vti ipsec interfaces in separate VRFs and the 3G connection within a fvrf?
I understand this is possible though I am not sure if it will work with a 3G interface...?
Thanks in advance for any response..Hi
No we had no response so have gone to neorouter and it works fine, interestingly it is only recent installations that are effected by this. Such a shame as it was a great solution when it worked.
Maybe you are looking for
-
ITunes 7.3.1 Totally Stinks!!!!!
Ever since i upgraded to the new iTunes I have a ton of problems. Mainly video podcasts not playing and no content! Apple, PLEASE FIX THESE PROBLEMS!!!!!
-
Problems with repainting in new JD 9.0.4.0
I just installed new JD 9.0.4.0 . I think that from this moment I have problems with painting java graphics objects (for example Application Module tests or simple login dialogs). When I move that window, its remains are left on the screen until I ov
-
Prompt user to save change before abnormally closing the application
Hi, I've some trouble prompting user to save change before abnormally closing the application (logging off, shutdownding machine...). I tried to use Runtime.getRuntime().addShutdownHook() and it doesn't seem to work. Here's part of my code. Help plea
-
How to change my payment methode o none
My visa card is declined and i want to change my payment method to none ......without using another visa card cause i can't... i need help, thanks...
-
Brightmail 6 and IMS 5.2
I have iMS 5.2 Batch 2 installed on solaris 9, I am testing the Brightmail Anti Spam ver 6.01 with the same My option.dat file has the following Brightmail_Library=/opt/symantec/sbas/Scanner/lib/libbmiclient.so.1 Brightmail_config_file=/opt/symantec/