Cisco CSR 1000v and General comment on SDN/NFV

Now that Cisco has produced this magnificent compute engine, coupled with this equally excellent Data Centre grade switching family, both of which seem to be maturing, I am struggling - repeatedly - to convince myself that not only is near complete virtualisation desirable, it is in fact inevitable, and I should be making steps towards planning this today.
Can anyone share their experiences with the CSR1000v, the success - failures and recommendation?
If, from a cloud provider's point of view, they can provide multi-tenanted environments, then from an enterprise point of view why can I not simply leverage this same approach to logical division for my own trusted/semi-trusted/untrusted network segments? Why should I not basically put as many services as I possibly can into a virtual environment, provide the bare basics for my own store/transport/compute requirements and present an ethernet hand-off to everything else? Let my carrier deal with the variability in the circuit type, and connect to him with ethernet, leaving me with a near completely uniform architecture that simply scales up as I need it. More horsepower? New blade, new chassis, new filer, new core? Bolt on, snap off, etc. In the SDN environment is there really a tool that is 'overkill'? Can it not just be scaled back or up depending on my needs, which are likely to change dependent on my company's business cycles?
Are there any strong arguments against this kind of approach now?

Is Cisco now building "software instances" that are more service based as opposed to routers? For instance, could the CSR1000v evolve to become the "appliance of the Cisco portfolio"? Should Cisco write software for netflow analysis running on UNIX/Wintel when they have already written software in the shape of the Master Controller that is already doing this? If this is the case, would they only really need to develop a web front end or XML API that would present this data in human readable format, and if not, why not use the CSR1000v as a platform for this development? With PfR, FabricPath/TRILL and LISP, is there a justification for getting maybe a more graphical visibility of traffic flows like https://www.youtube.com/watch?v=3dHH_nVPyug or is the intention to leave this for third parties?

Similar Messages

  • Cisco CSR 1000V dont forward packets

    Hi,
    I have an evaluation Cisco CSR 1000V. I set up a IPSEC Connection correctly:
    CISCO1000V# sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    1.1.1.1  2.2.2.2    QM_IDLE           1007 ACTIVE
    IPv6 Crypto ISAKMP SA
    Policy:
    Extended IP access list IPSEC
        10 permit ip 10.122.20.0 0.0.0.255 10.255.0.0 0.0.0.255 log
        20 permit ip 10.255.0.0 0.0.0.255 10.122.20.0 0.0.0.255 log
    IPSEC is set up on GigabitEthernet 2 (PEER IP)
    Internal interface (GigabitEthernet 1) has IP 3.3.3.3. On my server (in subnet 10.122.20.x) I set up a route to 10.255.0.0/24 via 3.3.3.3.
    When I run ping from my server to address 10.255.0.0.1 I don't see any encrypted counters increase....
    I don't have any other ACLs.
    Where is the problem?
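    Whether the test traffic is even selected by the crypto ACL is the first thing to verify when the encryption counters stay at zero. As an added example (not from the post or from Cisco), this Python script re-creates the poster's `IPSEC` access list and applies IOS wildcard-mask matching to candidate source/destination pairs; the test addresses are taken from the post (including `10.255.0.0.1` exactly as typed) or constructed, and the `any`/`host` forms it also accepts are not used by the posted ACL.

```python
"""Check whether a flow is selected by an IOS crypto ACL (wildcard-mask matching).

Added example, not from the original post. It re-creates the two 'permit ip'
entries of the poster's 'Extended IP access list IPSEC' and applies IOS
wildcard semantics (a 1 bit in the mask means "don't care"). 'any' and
'host' forms are also accepted, although the posted ACL does not use them.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    seq: int
    action: str      # "permit" or "deny"
    src: int         # source network as a 32-bit integer
    src_wild: int    # source wildcard mask (1 bits are ignored)
    dst: int
    dst_wild: int


def _to_int(addr: str) -> int:
    """Dotted quad -> int; raises ValueError for malformed input like 10.255.0.0.1."""
    return int(ipaddress.IPv4Address(addr))


def _parse_addr_spec(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (net, wild, next_i)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _to_int(tokens[i + 1]), 0, i + 2
    return _to_int(tokens[i]), _to_int(tokens[i + 1]), i + 2


def parse_acl_line(line: str) -> AclEntry:
    """Parse one 'SEQ permit|deny ip SRC DST [log]' line as printed by 'show access-list'."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[1] not in ("permit", "deny") or tokens[2] != "ip":
        raise ValueError(f"unsupported ACL line: {line!r}")
    src, src_wild, i = _parse_addr_spec(tokens, 3)
    dst, dst_wild, _ = _parse_addr_spec(tokens, i)   # a trailing 'log' is ignored
    return AclEntry(int(tokens[0]), tokens[1], src, src_wild, dst, dst_wild)


def _wild_match(addr: int, net: int, wild: int) -> bool:
    """Compare only the bits that the wildcard mask does not ignore."""
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def first_match(acl: List[AclEntry], src: str, dst: str) -> Optional[AclEntry]:
    """Top-down evaluation as IOS does it; None means the implicit deny at the end."""
    s, d = _to_int(src), _to_int(dst)
    for e in acl:
        if _wild_match(s, e.src, e.src_wild) and _wild_match(d, e.dst, e.dst_wild):
            return e
    return None


def is_protected(acl: List[AclEntry], src: str, dst: str) -> bool:
    """True when the crypto ACL would hand this flow to IPsec."""
    e = first_match(acl, src, dst)
    return e is not None and e.action == "permit"


def check_flow(acl: List[AclEntry], src: str, dst: str) -> str:
    """Human-readable verdict that also catches malformed addresses."""
    try:
        e = first_match(acl, src, dst)
    except ValueError as exc:
        return f"invalid address: {exc}"
    if e is None:
        return "no match (implicit deny: not selected for IPsec)"
    return f"{e.action} by sequence {e.seq}"


# Constructed from the ACL quoted in the post above.
IPSEC_ACL_TEXT = """
10 permit ip 10.122.20.0 0.0.0.255 10.255.0.0 0.0.0.255 log
20 permit ip 10.255.0.0 0.0.0.255 10.122.20.0 0.0.0.255 log
"""
IPSEC_ACL = [parse_acl_line(l) for l in IPSEC_ACL_TEXT.strip().splitlines()]

if __name__ == "__main__":
    for src, dst in [("10.122.20.5", "10.255.0.1"),    # should be encrypted
                     ("10.122.20.5", "10.255.0.0.1"),  # address as typed in the post
                     ("10.122.21.5", "10.255.0.1")]:   # wrong source subnet
        print(f"{src} -> {dst}: {check_flow(IPSEC_ACL, src, dst)}")
```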


  • IOS5 "Reminders" bug and general comments

    I found a problem with the new app "Reminders" and the location (GPS) function... if you use "Restrictions" to prevent someone without the security code from disabling GPS, then the Reminders app won't allow you to add a location to the reminder that you are creating... and obviously I granted access to location services to the Reminders app in the Restrictions settings.
    Comments:
    Notifications on the lock screen are great but they should be persistent... at this time, if you have notifications and unlock the iPhone and then lock it again without checking the notifications, the lock screen won't display any unread/unchecked notification; it just clears the notifications, but you may want to keep the information that you have not checked.
    The notification scroll bar should show you information when you start scrolling down... at this time you have to scroll the bar completely down, or at least half of it, to see any information.

    paulfromburke wrote:
    Can reminders have the capability to link them to contacts so with a push of a button the number is dialed, email generated or texted app opened; have active URLs embedded so if I want to go to a site, it will open Safari; or the map open on an address?
    No.

  • Cisco CSR 1000V - BDI learning mac address

    Hello all,
    about BDI, I know it is not supported through OTV. DDTS CSCuj59314 has been logged to track support of BDI over OTV. Anyone know if this problem is resolved?
    Thanks in advance
    Roberto Loiudice

    Hello,
    no one else has encountered the same problem?
    In general, has anyone managed to run the csr1000v correctly as an SSL VPN terminator in an Amazon environment?
    Any example / network schema / suggestion?
    Thanks in advance for any replies.
    Paolo

  • Build a Cisco CCNA/CCNP/CCIE Virtual Lab with ArchLinux and CSR-1000V

    Hi All,
       I'm working on the CCIE certification and thought I would share with you my scripts for building a virtual LAB. I'm using ArchLinux and the latest CSR-1000V (ISO) as of June 20th. Cisco should allow you to download this ISO for free. You'll be limited to 100kb/sec out of the box, but you can also get a free 60-day eval license that will unlock 50MB/sec.
    These scripts assume you have QEMU installed of course, bridge-tools, etc.
    Probably want to enable KSM first
    echo 1 >/sys/kernel/mm/ksm/run
    This script makes one virtual disk per virtual router. I suppose you could boot one router, let it go through the install, then power it off. Then use that disk as the parent for many others (qemu backing_file). However, the CSR-1000V seems to generate various UUID's for itself during this process and I wasn't sure how this might affect the trial license.
    Boot'em up:
    # How many vrouters you want
    ROUTERS="1 2 3"
    # Location of your ISO
    ISO="/mnt/nfs/downloads/csr1000v-universalk9.03.15.00.S.155-2.S-std.iso"
    # Path virtual hard drive storage
    VDISKS="/srv/qemu"
    # Build Virtual Disks (might only want to do this once)
    for x in $ROUTERS; do
        sudo qemu-img create -f raw $VDISKS/r$x.raw 8G
    done
    for x in $ROUTERS; do
        sudo nice qemu-system-x86_64 -name r$x -daemonize -enable-kvm \
            -nodefconfig -nodefaults -no-shutdown -rtc base=utc \
            -S -cpu host -m 4096 -smp 1,sockets=4,cores=1,threads=1 -balloon virtio \
            -drive if=virtio,media=disk,cache=none,format=raw,file=$VDISKS/r$x.raw \
            -drive if=ide,index=1,media=cdrom,file=$ISO \
            -net nic,vlan=1,macaddr=68:09:68:09:68:5$x,model=virtio \
            -net tap,vlan=1,script=no \
            -net nic,vlan=2,macaddr=68:09:68:09:69:5$x,model=virtio \
            -net tap,vlan=2,script=no \
            -serial telnet:127.0.0.1:720$x,server,nowait \
            -monitor telnet:127.0.0.1:710$x,server,nowait,nodelay \
            -nographic
        echo Booting Router $x
    done
    Note that the VMs boot in a CPU-suspended state. That's because the CSR-1000V ISO installer doesn't correctly auto-detect serial-console mode, so you have to manually select it (but only on first boot; subsequent boots seem to get it right).
    So, get xterms going and in each one, telnet to the virtual serial port: 7201, 7202, 7203, and so on for each router.
    Boot them each with this command
    echo "cont" | nc 127.0.0.1 7101
    echo "cont" | nc 127.0.0.1 7102
    and so on
    Now just tie together the interfaces however you want. For the connectivity in the picture, use the following:
    # Build lab ethernet segments
    for x in 1 2 3; do
        brctl addbr lab$x
        ip link set up dev lab$x
    done
    # Bring up tap devices - allocated by QEMU but not up'd
    for x in 0 1 2 3 4 5; do
        ip link set up dev tap$x
    done
    # Virtually plug in our ethernet cables to correct switch ports
    brctl addif lab1 tap0
    brctl addif lab1 tap2
    brctl addif lab2 tap3
    brctl addif lab2 tap5
    brctl addif lab3 tap1
    brctl addif lab3 tap4
    Sample configurations for each router:
    Router 1:
    en
    conf t
    hostname r1
    no ip domain-lookup
    cdp run
    int gi1
    ip address 192.168.101.1 255.255.255.0
    cdp enable
    no shut
    int gi2
    ip address 192.168.103.1 255.255.255.0
    cdp enable
    no shut
    router eigrp 6809
    network 192.168.101.0
    network 192.168.103.0
    redistribute connected
    end
    Router 2
    en
    conf t
    hostname r2
    no ip domain-lookup
    cdp run
    int gi1
    ip address 192.168.101.2 255.255.255.0
    cdp enable
    no shut
    int gi2
    ip address 192.168.102.2 255.255.255.0
    cdp enable
    no shut
    router eigrp 6809
    network 192.168.101.0
    network 192.168.102.0
    redistribute connected
    end
    wr
    Router 3
    en
    conf t
    hostname r3
    no ip domain-lookup
    cdp run
    int gi1
    ip address 192.168.103.3 255.255.255.0
    cdp enable
    no shut
    int gi2
    ip address 192.168.102.3 255.255.255.0
    cdp enable
    no shut
    router eigrp 6809
    network 192.168.102.0
    network 192.168.103.0
    redistribute connected
    end
    wr
    Last edited by gshearer (2015-06-20 16:47:36)

    Very interesting, but I think it fits better in the wiki than on the forum.
    Care to create a wiki page?

  • VSM and Cisco nexus 1000v

    Hi,
    We are planning to install Cisco Nexus 1000v in our environment. Before we install it we want to explore a little bit about Cisco Nexus 1000v:
    • I know there are 2 elements for Cisco 1k, VEM and VSM. Is VSM required? Can we configure VEM individually?
    • How does Nexus 1k integrate with vCenter? Can we do all Nexus 1000v configuration from vCenter without going to VEM or VSM?
    • In terms of alarming and reporting, do we need to get SNMP traps and gets from individual VEMs, or can we use VSM to do that? Or can we get Cisco Nexus 1000v alarming and reporting from VMware vCenter?
    • Apart from using Nexus 1010, what's the recommended hosting location for VSM (same host as VEM, different VM, or different physical server)?
    Foyez Ahammed

    Hi Foyez,
    Here is a brief on the Nexus1000v and I'll answer some of your questions in that:
    The Nexus1000v is a Virtual Distributed Switch (software based) from Cisco which integrates with the vSphere environment to provide uniform networking across your VMware environment for the hosts as well as the VMs. There are two components to the N1K infrastructure: 1) VSM 2) VEM.
    VSM - Virtual Supervisor Module is the one which controls the entire N1K setup and is where the configuration is done for the VEM modules, interfaces, security, monitoring etc. The VSM is the one which interacts with the VC.
    VEM - Virtual Ethernet Modules are simply the modules or virtual linecards which provide the connectivity option or virtual ports for the VMs and other virtual interfaces. Each ESX host today can only have one VEM. These VEMs receive their configuration / programming from the VSM.
    If you are aware of any other switching products from Cisco like the Cat 6k switches, the N1K behaves the same way but in a software / virtual environment, where the VSM is the equivalent of the SUPs and the VEMs are similar to the line cards. The control and packet VLANs in the N1K provide the same kind of AIPC and inband connectivity as the 6k backplane would for the communication between the modules and the SUP (VSM in this case).
    * The N1K configuration is done only from the VSM and is visible in the VC. However, the port-profiles created on the VSM are pushed from the VSM to the VC and have to be assigned to the virtual / physical ports from the VC.
    * You can run the VSM either on the Nexus1010 as a Virtual Service Blade (VSB) or as a normal VM on any ESX/ESXi server. The VSM and the VEM on the same server are fully supported.
    You can refer to the following deployment guide for some more details: http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9902/guide_c07-556626.html
    Hope this answers your queries!
    ./Abhinav

  • Does CSR 1000v support HA feature & how?

    Does CSR 1000v support the HA feature?
    I noticed that the redundancy command is supported in configuration mode, but neither sso nor ha mode can be configured:
    Router(config-red)#?
    Redundancy configuration commands:
      default   Set a command to its defaults
      exit      Exit from redundancy configuration mode
      main-cpu  Enter main-cpu mode
      mode      redundancy mode for this chassis
      no        Negate a command or set its defaults
      timer     Select a timer to configure
    Router(config-red)#mode ?
      none  no redundancy
    Router#show platform 
    Chassis type: CSR1000V            
    Slot      Type                State                 Insert time (ago) 
    R0        CSR1000V            ok, active            00:18:57      
    F0        CSR1000V            ok, active            00:18:57      
    Is it possible to enable the HA feature in csr1000v?
    I noticed that at startup, R1 was inserted but not online; it was in disabled state.

    Alan,
    HA provided across a network segment within AWS is not a simple solution due to the restrictions that they place on the L2 segments.  As an example, here is Amazon's suggestion for NAT HA:
    http://aws.amazon.com/articles/2781451301784570
    With that said, we're working on documenting a solution that will work around some of the restrictions through overlaid connections. At a high level, one way that you can do this is with a couple of CSR1000Vs connected via a GRE tunnel over their Amazon segment. You then would have to set up BFD and configure an EEM script to watch for a peer down event. This script would then have to modify the AWS VPC Routing table (the VPC gateway) so that the hosts use the appropriate CSR as an exit point. The unfortunate piece is that from the CSR1000V we cannot call the AWS API directly, so this requires use of a second EEM script to SSH to a helper VM and execute the AWS VPC commands. Hopefully within the next couple of weeks we will have a configuration guide to step through the individual components, as there are many moving parts. At a high level this solution was presented in the Cisco Live session BRKARC-2023; around slides 35-40 (Session PDF) are some of the network diagrams and an example of the EEM script.
    With that said, another solution that you might consider is Cisco InterCloud:
    http://www.cisco.com/c/en/us/td/docs/solutions/Hybrid_Cloud/InterCloud/InterCloud/Cirrus_2.html
    This allows for a secure Layer 2 extension from your data center into the public cloud which could remove some complexity in dealing with the AWS infrastructure.  This solution is not one that would be for the one off, single CSR type deployment, however if you are looking at scale it could be a good alternative.  
    As for TAC support with the Advanced License, this is the hourly paid model that we have within Amazon.  Support for this type of licensing is currently only offered through the support forum, however we are looking at other options that could allow direct TAC engagement on a case by case basis rather than a term license.  Depending on where you are at with regards to your deployment it may be appropriate to engage your Cisco Account Team to help determine which solution is best for you.  I can help track them down if you want to send me a private message.
    -Nick

  • Cisco Nexus 1000v on Hyper-v 2012 R2

    Dears;
    I have deployed Cisco Nexus 1000v on Hyper-V 2012 R2 hosts, and I'm in the phase of testing and exploring features. While doing this I removed the Nexus Virtual Switch {VEM} from the host; it disappeared from the host, but I couldn't use the uplink previously attached to the switch, as it still shows as attached to the Nexus 1000v. I tried to remove it in several ways; finally the host became unusable and I had to set up the host again.
    The question here: there is no mention in the Cisco documents of how to uninstall or remove the VEM attached to a host. Can anyone help with this?
    Thanks
    Regards

    Zoning is generally a term used with fibre channel, but I think I understand what you mean.
    Microsoft Failover Clusters rely on shared storage. So you would configure your storage so that it is accessible from all three nodes of the cluster. Any LUN you want to be part of the cluster should be presented to all nodes. With iSCSI, it is recommended to use two different IP subnets and configure MPIO. The LUNs have to be formatted as NTFS volumes. Run the cluster validation wizard once you think you have things configured correctly. It will help you find any potential configuration issues.
    After you have run a cluster validation and there aren't any warnings left that you can't resolve, build the cluster. The cluster will form with the available LUNs as storage to the cluster. Configure the storage to be Cluster Shared Volumes for the VMs, and leave the witness as the witness. By default, the cluster will take the smallest LUN to be the witness disk. If you are just using the cluster for Hyper-V (recommended) you do not need to assign drive letters to any of the disks.
    You do not need, nor is it recommended to use, pass-through disks. There are many downsides to using pass-through disks, and maybe one benefit, and that one is very iffy.
    . : | : . : | : . tim

  • Welcome to the Cisco CSR (Cloud Service Router) Discussion Forum

    Welcome to the Cisco CSR (Cloud Service Router) Discussion Forum!
    This forum helps CSR users interact, share knowledge and build communities with one another.
    We hope you enjoy participating in the CSR discussion forum!
    Best Regards,
    Cisco CSR Product Team

    hi, I have a question on SQL database high availability. I have tried using database mirroring, where I am using SQL Standard Edition; in this database mirroring, synchronous mode is the only option available, and it is giving problems, like SQL timeout errors on my applications since I put in the database mirroring, as asynchronous is only available on Enterprise Edition. Are there any suggestions on this? thanks ---vijay

  • Cisco 877W router and external ADSL modem

    Cisco 877W router and external ADSL modem
    In order to support ADSL2+ on a pre ADSL2+ router and in preparation for a later migration to BT infinity I am trying to configure the Router using an external adsl2+ modem appropriately.
    The original configuration had 3 ports configured as one (internal lan) vlan and bridge group together with one wireless sub-interface, the remaining port configured a second vlan and bridge group with a second wireless sub- interface. The Dialer was a member of the second bridge group. This way the second wireless interface and associated bridge group provided a kind of DMZ for outbound access.
    The configuration I am attempting is similar: the LAN ports remain the same, but port 0 is a member of the vlan and bridge group (now a pppoe client) associated with one of the wireless sub-interfaces as per above. The ATM interface is downed. This nearly works, except that if the wireless sub-interface on this bridge group is configured the dialer no longer dials, giving a 'no dialer string' error. If I do not configure that wireless sub-interface all works well.
    If anyone is interested to look I would appreciate any comments. I enclose a sanitised config in which you will note the 'commented out' wireless subnet interface (in red).
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname xxxxxxxxxxxxxxxxxxxxx
    boot-start-marker
    boot-end-marker
    logging buffered 4096 warnings
    enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
    aaa new-model
    aaa group server radius sdm-vpn-server-group-2
    aaa group server radius rad_eap
     server 192.168.253.1 auth-port 1812 acct-port 1813
     server 192.168.253.1 auth-port 1645 acct-port 1646
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login default local
    aaa authentication login sdm_vpn_xauth_ml_2 group sdm-vpn-server-group-2
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa authorization ipmobile default group rad_pmip
    aaa authorization network sdm_vpn_group_ml_2 local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    clock timezone PCTime 0
    clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
    crypto pki trustpoint TP-self-signed-2834265337
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-2834265337
     revocation-check none
     rsakeypair TP-self-signed-2834265337
    crypto pki certificate chain TP-self-signed-2834265337
     certificate self-signed 01 nvram:IOS-Self-Sig#2F.cer
    dot11 syslog
    dot11 ssid GuestAP
       vlan 101
       authentication open
       authentication key-management wpa
       mbssid guest-mode
       wpa-psk ascii 7 113B162712001F4A2D2B25
    dot11 ssid LanAP
       vlan 100
       authentication open eap eap_methods
       authentication network-eap eap_methods
       authentication key-management wpa
       mbssid guest-mode
    no ip source-route
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.10.10.1
    ip dhcp excluded-address 192.168.252.1 192.168.252.8
    ip dhcp excluded-address 192.168.252.15 192.168.252.254
    ip dhcp pool sdm-pool1
       import all
       network 192.168.252.0 255.255.255.0
       domain-name XXX.Local
       dns-server xxx.xxx.xxx.xxx
       default-router 192.168.252.254
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    no ip bootp server
    no ip domain lookup
    ip domain name XXX.Local
    ip name-server xxx.xxx.xxx.xxx
    ip name-server xxx.xxx.xxx.xxx
    ip reflexive-list timeout 120
    vpdn enable
    vpdn-group 1
     request-dialin
      protocol pppoe
    username administrator privilege 15 secret 5 £££££££££££££££££££££
    class-map type inspect match-any IN_to_OUT_CLASS
     match protocol tcp
     match protocol udp
     match protocol icmp
    class-map type inspect match-any OUT_to_IN_CLASS
     match protocol https
     match protocol smtp extended
    class-map type inspect match-any DMZ_to_IN_CLASS
     match protocol http
     match protocol https
     match protocol smtp extended
    policy-map type inspect DMZ_to_IN_POL
     class type inspect DMZ_to_IN_CLASS
      inspect
     class class-default
      drop log
    policy-map type inspect IN_to_OUT_POL
     class type inspect IN_to_OUT_CLASS
      inspect
     class class-default
      drop log
    policy-map type inspect OUT_to_IN_POL
     class type inspect OUT_to_IN_CLASS
      inspect
     class class-default
      drop log
    zone security INSIDE
    zone security OUTSIDE
    zone security DMZ
    zone-pair security OUT_TO_IN source OUTSIDE destination INSIDE
     service-policy type inspect OUT_to_IN_POL
    zone-pair security IN_TO_OUT source INSIDE destination OUTSIDE
     service-policy type inspect IN_to_OUT_POL
    zone-pair security DMZ_TO_OUT source DMZ destination OUTSIDE
     service-policy type inspect IN_to_OUT_POL
    zone-pair security DMZ_TO_IN source DMZ destination INSIDE
     service-policy type inspect DMZ_to_IN_POL
    bridge irb
    interface Loopback0
     no ip address
    interface Null0
     no ip unreachables
    interface ATM0
     no ip address
     shutdown
     no atm ilmi-keepalive
     dsl operating-mode auto
    interface FastEthernet0
     description Outside Interface (PPPoE)
    interface FastEthernet1
     description Inside Interface
     switchport access vlan 10
    interface FastEthernet2
     description Inside Interface
     switchport access vlan 10
     spanning-tree portfast
    interface FastEthernet3
     description Inside Interface
     switchport access vlan 10
     spanning-tree portfast
    interface Dot11Radio0
     no ip address
     no ip route-cache cef
     no ip route-cache
     encryption vlan 100 mode ciphers aes-ccm tkip
     encryption vlan 101 mode ciphers aes-ccm tkip
     ssid GuestAP
     ssid LanAP
     mbssid
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
     channel 2437
     station-role root
    interface Dot11Radio0.100
     description LanAP
     encapsulation dot1Q 100
     no ip route-cache
     no cdp enable
     bridge-group 10
     bridge-group 10 subscriber-loop-control
     bridge-group 10 spanning-disabled
     bridge-group 10 block-unknown-source
     no bridge-group 10 source-learning
     no bridge-group 10 unicast-flooding
    !interface Dot11Radio0.101
    ! description GuestAP
    ! encapsulation dot1Q 101
    ! no ip route-cache
    ! no cdp enable
    ! bridge-group 1
    ! bridge-group 1 subscriber-loop-control
    ! bridge-group 1 spanning-disabled
    ! bridge-group 1 block-unknown-source
    ! no bridge-group 1 source-learning
    ! no bridge-group 1 unicast-flooding
    interface Vlan1
     description $ES_LAN$
     no ip address
     ip virtual-reassembly
     pppoe enable group global
     pppoe-client dial-pool-number 1
     bridge-group 1
    interface Vlan10
     no ip address
     ip virtual-reassembly
     bridge-group 10
    interface Dialer1
     description $FW_OUTSIDE$
     ip address negotiated
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip mtu 1452
     ip nat outside
     ip virtual-reassembly
     zone-member security OUTSIDE
     encapsulation ppp
     ip route-cache flow
     dialer pool 1
     dialer-group 1
     ppp authentication chap pap callin
     ppp chap hostname XXXXXXX
     ppp chap password 7 xxxxxxxxxxxxxxxxxxx
     ppp pap sent-username xxxxxxxxxxxxxxxxxx password 7 xxxxxxxxxxxxxxxxxxxxx
     ppp ipcp dns request
     ppp ipcp wins request
     hold-queue 224 in
    interface Dialer0
     no ip address
    interface BVI10
     description Inside Interface
     ip address 192.168.253.254 255.255.255.0
     ip access-group 101 in
     ip helper-address 192.168.253.1
     ip nat inside
     ip virtual-reassembly
     zone-member security INSIDE
    interface BVI1
     description DMZ Interface
     ip address 192.168.252.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     zone-member security DMZ
    ip local pool SDM_POOL_1 192.168.20.9 192.168.20.14
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip http server
    ip http access-class 1
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip nat inside source list Inside_Clients_NAT interface Dialer1 overload
    ip nat inside source static 192.168.253.10 xxx.xxx.xxx.xxx
    ip access-list extended DMZ_to_IN_POL
     remark SDM_ACL Category=128
     permit ip any any
    ip access-list extended Inside_Clients_NAT
     remark SDM_ACL Category=2
     permit ip 192.168.253.0 0.0.0.255 any
    logging 192.168.253.10
    access-list 1 remark Auto generated by SDM Management Access feature
    access-list 1 remark SDM_ACL Category=1
    access-list 1 permit 192.168.253.0 0.0.0.255
    access-list 100 remark VTY Access-class list
    access-list 100 remark SDM_ACL Category=1
    access-list 100 permit ip 192.168.253.0 0.0.0.255 any
    access-list 100 deny   ip any any
    access-list 101 remark Auto generated by SDM Management Access feature
    access-list 101 remark SDM_ACL Category=1
    access-list 101 remark Auto generated by SDM for NTP (123) xxx.xxx.xxx.xxx
    access-list 101 permit udp host xxx.xxx.xxx.xxx eq ntp host 192.168.253.254 eq ntp
    access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq telnet
    access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq 22
    access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq www
    access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq 443
    access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq cmd
    access-list 101 deny   tcp any host 192.168.253.254 eq telnet
    access-list 101 deny   tcp any host 192.168.253.254 eq 22
    access-list 101 deny   tcp any host 192.168.253.254 eq www
    access-list 101 deny   tcp any host 192.168.253.254 eq 443
    access-list 101 deny   tcp any host 192.168.253.254 eq cmd
    access-list 101 deny   udp any host 192.168.253.254 eq snmp
    access-list 101 permit ip any any
    access-list 199 permit ip any host 10.1.1.1
    dialer-list 1 protocol ip permit
    no cdp run
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 192.168.253.1 auth-port 1812 acct-port 1813 key 7 XXXXXXXXXXXXXXXXXX
    radius-server host 192.168.253.1 auth-port 1645 acct-port 1646 key 7 XXXXXXXXXXXXXXXXXX
    radius-server vsa send accounting
    control-plane
    bridge 1 protocol ieee
    bridge 1 route ip
    bridge 10 protocol ieee
    bridge 10 route ip
    banner login C Border Router
    line con 0
     no modem enable
     transport output telnet
    line aux 0
     transport output telnet
    line vty 0 4
     access-class 100 in
     privilege level 15
     length 0
     transport input telnet ssh
    scheduler max-task-time 5000
    scheduler interval 500
    ntp server xxx.xxx.xxx.xxx source Dialer0 prefer
    ntp server xxx.xxx.xxx.xxx source Dialer0 prefer
    sntp server xxx.xxx.xxx.xxx
    end

    Hi Jody,
    Apologies for the delay in replying. I have done the following:
    Made two of the FE ports vlan1, BVI1 (for LAN traffic)
    Left one port as VLAN10 as the pppoe client connected to the external modem
    Made the last port VLAN10 as well and gave it an IP address as for a DMZ client.
    I have DHCP configured to serve the DMZ addresses.
    This all works for LAN clients and also works for a client attached to that physical DMZ port.
    When I added a dot11radio sub-interface into VLAN 10 the wireless client did not get an IP lease. Everything else continued to work.
    I had never thought about this before, but if a dot11radio interface is on the same vlan (but not part of a bridge group) why are DHCP broadcasts not propagating to all the vlan members as I would have expected? I recognise that this is a limit in my understanding.
    If I then made VLAN10 a member of a new Bridge Group, I lost WAN connectivity as per the original posting.
    I cannot add another VLAN due to the 2 vlan limit in this image.
    Finally, regarding your comment about giving it what it wants, what exactly did you have in mind? The dialer already has dial string parameters configured.
    Think I am about to give up on this.
    Regards,

  • Cisco 3850 Switch and Windows 7 IP Conflicts

    Team,
    Last evening (Christmas Eve) we set up a pair of Cisco 3850s with IP Base version 3.3.35SE (recommended) and 3.7.0E (very latest).
    We got these to replace a very old switch that had died. Attached to this network are Windows 7 PCs with all the standard patches, service packs, etc.
    With standard port configs no PC would work, and in fact on each screen we got the Windows 7 IP Conflict pop-up box.
    This seemed very odd to us, as we know these IPs are all static (no DHCP on this segment at all).
    We went with a very vanilla config on each port:
    interface g1/0/1
    switchport host
    That is it, nothing special at all.
    Well, after hours of research we found the 3850 has a problem where its "ip device tracking" (even though disabled, by way of NOT being enabled on any interface) will affect the Windows 7 PCs' IP-address-in-use detection during the port start-up phase!
    This is a very big problem. I am frankly SHOCKED Cisco would release a major switch that is going to not work when connected to the average network with Windows 7 PCs.
    We tried 3+ hours of prescribed work-arounds found when researching this issue:
    ip device tracking probe delay 10 (global config)
    ip device tracking max 0 (disabled, on interface)
    finally,
    nmsp attach suppress (interface; however this appears to be a default command in all IOS-XE versions we tried, as the command did NOT show in the show run). This affected many different NIC vendors (laptops, desktops) and NIC driver levels from old to very recent.
    Finally,
    we compared a 3850 in another location to this one, and we never got HIT by this problem before because that 3850 only has TRUNK ports and no Windows 7 hosts directly attached.
    Doing more research, I found out this can also affect VMware guests running Windows SERVER.
    This is now a huge issue as we have a scheduled deployment of 3850s throughout our network which is going to be put on hold.
    The work-around I came up with, which is not great, is:
    Make ALL the "access" ports connected to PCs TRUNK ports and leave the NATIVE VLAN (untagged) as the VLAN you want the PCs to be in:
    interface g1/0/1
    switchport mode trunk
    switchport trunk native vlan 1
    This is NOT an acceptable workaround as this presents security issues even with
    switchport trunk allowed vlan 1, etc. as the only allowed VLAN.
    Note: this issue manifested itself and Windows 7 PCs were UNABLE to use the network. If you do "ipconfig /all | more" you would see
    192.168.0.140(duplicate) and the interface would actually use 169.254.0.239(duplicate), so the duplicate message appeared twice in the output.
    1) With and without an SVI interface on each 3850 for the VLAN where the Windows 7 machines had a duplicate
    2) When we had an SVI and the command ip device tracking probe use-svi (or whatever the hidden command is, I forget now, but it took it)
    3) When we had aaa new-model configured, and not configured, thinking this was some artifact of having AAA turn on something like 802.1X port state
    4) When we could confirm NO DHCP SNOOPING
    5) When we did NOT use static IPs and had the switch assign DHCP addresses, the Windows 7 PCs STILL had duplicates and didn't work for their "just leased" IPs.
    6) When we could confirm IOS-XE ip device tracking = disabled with show ip device tracking status, etc.
    This is a major problem for this 3850 and unless we get a definitive answer on why this is happening and how we can rectify it, we are going to have to return our 3850s and get HP ProCurves, something I would rather avoid doing. There is NO REASON I can imagine, other than older switches whose ports default to ROUTED ports (i.e. no ip switchport), why a switch should not at least function as a bare switch with essentially a default configuration out of the box.
    Any ideas? I'm working well now with the ports ALL in trunking mode with VLAN 1 native, but this is not a scalable workaround we can live with, as we have security risks of a port not blocking certain VLANs from going out ports to PCs, etc. that attackers could send tags on at that point, etc.
    thanks,
    Joe Brunner
    #19366
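    The post above rejects its own workaround because a PC-facing port left in trunk mode carries every VLAN, uses VLAN 1 as the untagged native VLAN and still negotiates DTP. The following script is an added example, not code from the post or from Cisco: it parses an IOS-style running-config into interface blocks and flags trunk ports that lack an allowed-VLAN restriction, keep native VLAN 1, or are missing `switchport nonegotiate`. The sample config, interface names and descriptions are constructed for the example and are not the poster's.

```python
"""Audit an IOS-style running-config for loosely configured trunk ports.

Added example. The config below is constructed; it is not the poster's switch.
"""
from dataclasses import dataclass, field

# Constructed sample: one PC-facing port using the trunk workaround from the
# post, one properly restricted uplink, and one ordinary access port.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 description PC-facing port using the trunk workaround (constructed)
 switchport mode trunk
 switchport trunk native vlan 1
!
interface GigabitEthernet1/0/2
 description uplink to core (constructed)
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
interface GigabitEthernet1/0/3
 description PC-facing access port (constructed)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
"""


@dataclass
class Interface:
    name: str
    lines: list = field(default_factory=list)


def parse_interfaces(config):
    """Split a running-config into interface blocks.

    A block starts at an unindented 'interface ...' line and collects the
    indented sub-commands that follow; any other unindented line ends it.
    """
    interfaces = []
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = Interface(raw.split(None, 1)[1].strip())
            interfaces.append(current)
        elif raw.startswith(" ") and current is not None:
            current.lines.append(raw.strip())
        else:
            current = None
    return interfaces


def audit_trunks(config):
    """Return {interface name: [findings]} for trunk ports with weak settings."""
    findings = {}
    for intf in parse_interfaces(config):
        if "switchport mode trunk" not in intf.lines:
            continue  # access ports are outside the scope of this check
        issues = []
        if not any(l.startswith("switchport trunk allowed vlan") for l in intf.lines):
            issues.append("allowed-VLAN list unrestricted: every VLAN on the switch is carried to this port")
        native = next((l for l in intf.lines if l.startswith("switchport trunk native vlan")), None)
        native_id = native.split()[-1] if native else "1"  # IOS default native VLAN is 1
        if native_id == "1":
            issues.append("native VLAN is 1: untagged frames from the host are placed in VLAN 1")
        if "switchport nonegotiate" not in intf.lines:
            issues.append("DTP still enabled: 'switchport nonegotiate' missing")
        if issues:
            findings[intf.name] = issues
    return findings


def main():
    for name, issues in audit_trunks(SAMPLE_CONFIG).items():
        print(name)
        for issue in issues:
            print("  -", issue)


if __name__ == "__main__":
    main()
```

    Run against the constructed config, only GigabitEthernet1/0/1 is reported, with all three findings. The poster's own variant with `switchport trunk allowed vlan 1` would clear the first finding but still be flagged for native VLAN 1 and for DTP, which is the point the post makes about the workaround: the port still accepts tagged frames for the native VLAN and still negotiates trunking with whatever is plugged in.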

    Thanks for replying. I'm not onsite (it's a standalone network), but here is what it is.
    Answers inline:
    This all stems from a switch replacement correct?
    >Yes, a 10-year-old Allied Telesyn switch was replaced that had no config, like a hub, just used for connectivity.
    Are these 3850's in a stack?
    >yes, tested all aspects of the stack many times.
    Does it have a management IP address? If so, is it using the old switch IP address?
    >Old switch had no IP. I made a "management interface" on VLAN 1, BUT no IP on the built-in management interface on the switch.
    What are they connecting to? (a router/L3 switch/another switch - Cisco-HP etc.)
    >Various other devices; only 1 link back to a single 3750X stack. That switch is "hardened", so to speak, to reveal or propagate very little by design.
    How are they connected (L3 interface/L2 trunk/access port)?
    >All ports are left in trunk mode with VLAN 1 as the active and untagged VLAN. This was the workaround done to ever get the switch going. In "out of the box" or default mode as we initially wanted (no config), links to Windows 7 PCs didn't work. Links to Linux or other non-Windows devices did work!
    Are these switches performing inter-VLAN routing or just acting as host switches?
    >Dumb flat network, no routing.
    Is ip routing enabled?
    >Not unless enabled on the 3850 by default. I didn't type "ip routing".
    Do you have multiple VLANs in your network and if so are they being propagated to these new switches?
    Your 7 PCs = are they just client PCs, not servers?
    >Client PCs, no server OS per se.
    Can you confirm something like ICS (Internet Connection Sharing) isn't enabled on any of them?
    >Yes, not enabled.
    Are they just using one NIC each?
    > One machine is dual-homed, but we know where its "second NIC" goes: to another Cisco network which is NOT connected back to this one. We traced all our ports a few times thinking even perhaps some small hub was "reflecting" traffic back to us, like a black box. Strangest thing:
    default config out of the box, with ALL ports SHUTDOWN EXCEPT the single Windows 7 facing port, the Windows 7 machine STILL registered an IP CONFLICT when connected to the 3850, even when it had NO SVIs!!! (I know, mind numbing). If you disconnected the PC and connected it to an old Cisco switch, it worked fine!!! Wow.
    sh switch
    >2 identical 3850s in a working stack, power and network stacked, both at the same version, etc., upgraded each time with "software install file flash:<long ios name>.bin".
    Tested all power and general 3850 stacking. Saw no issues.
    sh int trunk
    >All ports are now trunks (hence the workaround used to get it up).
    Has 20 trunks to PCs and some single connected switches (far away on fiber), all allow only VLAN 1. No other VLANs were created, very very simple network. VLAN 1 is native.
    sh vlan brief
    >Just VLAN 1, no VLANs created, checked this many times. Had VLAN 100 at one point; made sure it was gone over a period of hours.
    sh vtp status
    >Not set up, left complete default; no VTP domain set. Connected to all switches in transparent mode if a switch connection exists.
    sh cdp neighbours
    >Can't post (for God and country LOL) but there is one link back to our "core", so to speak. That switch is hardened not to allow any settings to slip over to new switches, so hence no VTP; CDP is on to help troubleshooting.
    sh ip route
    >Just the L and C routes for the VLAN 1 IP address 192.168.17.1/24
    No static routes
    No VLAN interfaces other than int vlan 1
    No IP address on g0/0/0 -> the default 3850 management interface hard assigned to the 3850 VRF you can't remove.
    int g0/0/0
    ip vrf forwarding Switch_Mgmt
    I can get over there if you think of anything else key to show the group.
    thanks,
    Joe

  • Problem leaking route from VRF to global table on CSR 1000V

    Hi Guys,
    So I have a problem with VRFs on a CSR 1000V, specifically exporting a connected subnet from a VRF into the global routing table.
    My config, very abbreviated, is as follows:
    Router:
    GE1: 10.0.0.1/31 VRF TEST
    GE2: 172.30.20.1/24 (No VRF, BGP neighbor to 172.30.20.2, receiving 0.0.0.0/0 (default route))
    Now sh ip route displays:
    0.0.0.0/0 (BGP)
    172.30.20.1/24 (Connected)
    sh ip route vrf TEST displays:
    0.0.0.0/0 (BGP)
    10.0.0.1/31 connected
    My VRF config is as follows:
    ip vrf TEST
    rd 1:1
    import ipv4 unicast map GLOBAL
    export ipv4 unicast map CONNECTED-SUBNET
    ip prefix-list CONNECTED seq 1 permit 10.0.0.1/31
    ip prefix-list DEFAULT   seq 1 permit 0.0.0.0/0
    route-map CONNECTED-SUBNET permit 10
     match ip address prefix-list CONNECTED
    route-map GLOBAL permit 10
     match ip address prefix-list DEFAULT
    Now my import command works perfectly (0.0.0.0/0 is imported from BGP into the VRF's routing table); however my export command does not function, seemingly at all.
    Even though my prefix list is an exact match, I do not see 10.0.0.1/31 appearing in the global routing table, or in the BGP table at all (show ip bgp 10.0.0.1 shows only the 0.0.0.0/0 default route).
    Any thoughts on what is going on here? Am I misunderstanding the export command for VRFs? I was under the impression this would export directly to the BGP table, and then be imported into the global routing table if applicable?
    Any thoughts/input would be appreciated!

    Hello
    "GE1: 10.0.0.1/31 VRF TEST
    GE2: 172.30.20.1/24 (No VRF, BGP neighbor to 172.30.20.2, receiving 0.0.0.0/0 (default route))"
    I must have misunderstood somewhere. I was assuming you had no VRF BGP between GE1-2, and just a VRF on subnet 10.0.0.0/x which needed to be advertised in the global routing table, hence my last post suggested you redistribute into BGP.
    So assuming you are accepting a default route from GE2, it went like this:
    GE1
    int fa0/1
    ip vrf forwarding TEST
    ip address 10.0.0.1 255.255.255.255
    int xx
    ip address 172.30.20.1 255.255.255.0
    router bgp xy
    neighbor 172.30.20.2 remote-as yx
    redistribute static (to advertise the VRF subnet to GE2)
    ip route 10.0.0.1 255.255.255.255 fa0/1 (this tells the global RIB where to go for the VRF route)
    ip prefix-list VRF permit 0.0.0.0/0
    route-map VRF_rm
    match ip address prefix-list VRF (match on the default route advertised from GE2 which is in the global RIB)
    ip vrf TEST
    import ipv4 unicast map VRF_rm (import the default from the global RIB into the VRF RIB)
    res
    Paul

  • VN-Tag with Nexus 1000v and Blades

    Hi folks,
    A while ago there was a discussion on this forum regarding the use of Catalyst 3020/3120 blade switches in conjunction with VN-Tag. Specifically, you can't do VN-Tag with that Catalyst blade switch sitting in between the Nexus 1000V and the Nexus 5000. I know there's a blade switch for the IBM blade servers, but will there be a similar version for the HP C-class blades? My guess is NO, since Cisco just kicked HP to the curb. But if that's the case, what are my options? Pass-through switches? (ugh!)
    Previous thread:
    https://supportforums.cisco.com/message/469303#469303

    wondering the same...

  • Cisco Nexus 1000v Virtual Switch for Hyper-V Availability

    Hi,
    Does anyone have any information on the availability of the Cisco Nexus 1000v virtual switch for Hyper-V? Is it available to download from Cisco yet? If not, when will it be released? Are there any beta programs etc.?
    I can download the 1000v for VMware but cannot find any downloads for the Hyper-V version.
    Microsoft Partner

    Any updates on the Cisco Nexus 1000v virtual switch for Hyper-V? Just checked on the Cisco site, however still only the download for VMware and no trace of any beta version. Also posted the same question at:
    http://blogs.technet.com/b/schadinio/archive/2012/06/09/windows-server-2012-hyper-v-extensible-switch-cisco-nexus-1000v.aspx
    "Hyper-V support isn't out yet. We are looking at a beta for Hyper-V starting at the end of February or the beginning of March."
    -Ian @ Cisco Community
    || MCITP: EA, VA, EMA, Lync SA, makes a killer sandwich. ||

  • Nexus 1000v and vcenter domain admin account

    I changed the domain admin account on our domain that the vCenter services run as, and now it's using a different service account. I am wondering if I need to update anything on the Nexus 1000v switch side between the 1000v and vCenter.

    Hi Dan,
    You are on the right track. However, you can perform some of these functions "online".
    First you want to ensure that you are running at a minimum, Nexus 1000v SV1(4a) as ESXi 5.0 only began support on this release. With SV1(4a), it provides support for both ESXi 5.0 and ESX/i 4.1.
    Then you can follow the procedure documented here:
    Upgrading from VMware Release 4.0/4.1 to VMware Release 5.0.0
    This document walks you through upgrading your ESX infrastructure to VMware Release 5.0.0 when Cisco Nexus 1000V is installed. It is required to be completed in the following order:
    1. Upgrade the VSMs and VEMs to Release 4.2(1)SV1(4a).
    2. Upgrade the VMware vCenter Server to VMware Release 5.0.0.
    3. Upgrade the VMware Update Manager to VMware Release 5.0.0.
    4. Upgrade your ESX hosts to VMware Release 5.0.0 with a custom ESXi image that includes the VEM bits.
    Upgrading the ESX/ESXi hosts consists of the following procedures:
    –Upgrading the vCenter Server
    –Upgrading the vCenter Update Manager
    –Augmenting the Customized ISO
    –Upgrading the ESXi Hosts
    There is also a 3-part video highlighting the procedure to perform the last two steps above (customized ISO and upgrading ESXi hosts):
    Video: Upgrading the VEM to VMware ESXi Release 5.0.0
    Hope that helps you with your upgrade.
    Thanks,
    Michael
