Could I use "vlan interface" as a tunnel source of DMVPN?

I have a router R2811 with a 9 port FE Switch module (HWIC-D-9ESW).
Could I use a VLAN interface as a tunnel source when configuring DMVPN?
The VLAN ports are on the 9 port FE Switch module.
Because it's used now in production, I can't try it.

Hello.
I think there is no restriction on software routers like 2811.
PS: using loopback could be a better idea.

Similar Messages

  • ASA 5545-X SVI/Vlan Interface

    I am looking to deploy ASA 5545-X with Layer 3 Vlan Interfaces, but the device out of the box doesn't let you create vlan interfaces. Is there any module available which enables creating Switch Virtual Interfaces?
    I was looking at I/O 6 ports Gigabit Ethernet card, but wanted to make sure before ordering.
    Many Thanks

    Hi,
    You are only able to configure Sub Interfaces for the Vlan ID on your ASA model.
    You can only configure actual Vlan interfaces with ASASM and ASA5505 model. This relates to the fact that ASA5505 has a switch module while your model does not.
    I have no experience with the ASASM but I would imagine it's similar to the FWSM, which also used Vlan interfaces as it's a module in an actual larger switch/router platform.
    You can check this limitation from the Command Reference also:
    interface vlan
    For the ASA 5505 and ASASM, to configure a VLAN interface and enter interface configuration mode, use the interface vlan command in global configuration mode. To remove a VLAN interface, use the no form of this command.
        interface vlan number
        no interface vlan number
    Syntax Description
    number: Specifies a VLAN ID.
    For the ASA 5505, use an ID between 1 and 4090. The VLAN interface ID is enabled by default on VLAN 1.
    For the ASASM, use an ID between 2 to 1000 and from 1025 to 4094.
    - Jouni

  • DMVPN using loopback interface vs. physical interface

    In a DMVPN, what's the difference between using a loopback interface as a tunnel source instead of a physical interface?

    It will work for a static one to one NAT. PAT doesn't play well with GRE because ports don't exist in GRE (not sure if NAT traversal can help here like it does with ISAKMP - it works on spokes). You also need to make sure that the loopback is set to work with the crypto profile. Joe is right, the address it terminates on is best to be public address space that you own, that is multihomed - if this is a hub.

  • Mobility group only works using management interface?

    Hello, in order to establish the control traffic between 2 WLC-5508, is it necessary to use the management interface?
    Is it possible using a dynamic interface or service port?
    I think it only works with management interface,  but I don't understand the meaning of this text in the Configuration Manual:
    "Mobility control packets can use any interface address as the source, based on routing table."
    Thank you,

    No... mobility communication is done only with the management interface.
    Thanks,
    Scott

  • FWSM vlan interface

    Hello, quick question I hope someone can help with.
    Is it possible for me to create 2 vlan interfaces on the 6500 and have them both in the same subnet?
    For a specific customer requirement I would like to have a vlan interface on the 6500 as default gateway, sat in its own VRF, and then route all traffic inbound and outbound to this vlan through the FWSM interface, preferably in the same subnet. I don't think this will be possible so just looking for confirmation either way.
    As I will be running EIGRP between a pair of central 6500's and 2 remote offices it will make things much easier for me to advertise the connected FWSM interfaces into EIGRP for access in/out of all my VRF'd subnets. If I need another subnet for each VRF FWSM next hop then I'll have to redistribute a list of statics, which I don't really want to do.
    The reason I am not just using the FWSM as gateway is because I need to run HSRP across 3 different devices (another 6500 in a second suite), and failover FWSM will only give me 1 level of redundancy for those gateways.
    Hope that makes sense, let me know if you have further questions.
    Thanks

    Thanks Marvin. You do understand the question, and it occurred to me after writing the above that I could just use a single FWSM inside interface and route in and out of each VRF via that 1 interface (All VRF's belong to a single customer, just required for segregation of internal traffic).
    The third 6500 running HSRP will be located in a DC 100km away connected via dual 1Gb circuits (3ms latency), and has its own default route to a pair of ASA 5520's. If both FWSM's go down then the gateway will go live in the second site and traffic will be switched over our SP QinQ tunnel to that gateway. Relevant BGP bits (MED), etc. will also be in place for seamless failover and traffic flow to and from the /23 PI range peered with the same ISP in each location.
    Thanks again.
    Chris

  • VLAN Interface Command

    Ok, I thought I had the reason for the VLAN interface command down. I thought it was either used for switch management or routing between VLANs? However, now I realized that some communication won't work without this command, which doesn't make sense. If I have a VLAN, then the switch will only switch packets to ports on the same VLAN. The only way communication would work between VLANs is if I either enabled routing between VLANs with the VLAN Interface command, connected the switch to another multi-layer switch that did do routing between VLANs, or connected the switch to a router which routed between the VLANs.
    However, I just got this new 3550 switch in, configured the correct ports with the assigned VLANs, and the only way my Cisco IP phone would work is if the VLAN Interface for my voice-ip VLAN was configured. The 3550 is connected to a 4507. Now, can someone tell me why this is? You shouldn't have to configure the VLAN Interface, right? (Unless I wanted to route between VLANs, which could be done by the 4507.)

    Sounds to me like you either don't have the dot1q trunk interface between your 4506 and 3550 working properly, or your 3550 is running the enhanced image which allows routing.
    It would be nice to see your config on both the 3550 and the 4500 to determine the reason. Just a stab at how it should be configured is that on your 4506, you have it running VTP server or transparent with the defined Data and Voice VLANs. You have a port configured for trunking (which connects to the 3550). On your 3550, you have configured it as a VTP client or transparent and have verified that it has received (or if transparent VTP you have configured) the appropriate VLANs. You then specified "interface VLAN #" or whatever number for switch management and configured the port that connects to the 4500 as a trunk. Your port connected to the port has the auxiliary or voice vlan configured. If this is how your equipment is configured and it still does not work, then look for the line "ip routing" in your 3550 and negate it with "no ip routing".
    If still no worky worky, post your config.
    Cheers,

  • Basic WAN / Vlan Interface Configurations

    Hello,
    I'm attempting to configure a Cisco 1812 to interface between 3 distinct subnets (e.g. 10.1.x.x, 10.2.x.x, 10.3.x.x). I'm very new at this, and am trying to learn (without having a device in front of me, to play with!)
    Two of the subnets will interface through the two WAN ports (I don't need them for any WAN connections). The following is my configuration commands for one of them:
    > enable
    <enter password at prompt>
    # config
    (config)# interface FastEthernet0/0
    (config-if)# ip address 10.1.1.1 255.255.255.0
    (config-if)# no shutdown
    The other WAN interface would be the same, excepting that I'm using the interface FastEthernet1/0 with the IP address 10.2.1.1.
    The switch port I configure as follows:
    > enable
    <enter password at prompt>
    # vlan database
    (vlan)# vlan 1
    (vlan)# exit
    # config
    (config)# interface Vlan1
    (config-if)# ip address 10.3.1.1 255.255.255.0
    (config-if)# no shutdown
    Also, I'll configure FastEthernet0/0 as my default gateway, but I'll leave that part out of this post.
    As far as communications between the three subnets, through the three configured interfaces, does this above configuration look valid?
    Am I missing anything? Most particularly, I feel like I'm missing something in regards to configuring the SVI interface on the 8-port switch.
    Thank you very much for your time, and thank you in advance for your help.

    Thank you for the link, that's a really good example.
    I have nearly the same configuration, excepting instead of the Catalyst switch I'm using a Cisco 1812 router.
    I'm not sure that I understand the necessity for VLAN Trunking. Could the same end result be accomplished using static routing from the Cisco 2621 to the Catalyst 3512 (specifying static routes for the VLAN 1 and VLAN 2 subnets)? I suppose perhaps the VLAN Trunking uses a protocol that makes configuration simpler?

  • Ipv6 Vlan Interface EUI-64 assignation problem

    Hello, I have 2 routers 1800 series with switch modules incorporated connected with IPv6. Everything is working fine except for the problem that when I assign an IPv6 address to a Vlan (using the EUI-64 format to the switch ports), it assigns the SAME interface id (last 64 bits of the IPv6) of a FastEthernet port (FE 0/0) to the vlan, causing an error problem of duplicity:
    " c..T, overlaps with another prefix "
    Why does the EUI-64 assign the MAC address of the FastEthernet ports instead of the ones in the switch modules?

    Thanks for the reply, but I just solved the problem. The problem was with the command IPV6 ADDRESS AUTOCONFIGURATION. This command definitely brings up a lot of trouble with VLAN ipv6 address assignation.
    After some testing I concluded that:
    1- If one interface has the IPV6 ADDRESS AUTOCONFIGURATION mode on, the interface could end up with more than one ipv6 global interface address.
    2- You cannot assign this mode to a vlan interface without getting into configuration problems.
    3- If a FastEthernet Interface has this mode on (IPV6 A. A.), the router does not let you assign a global unicast address to the vlan interface, and gives the following error message:
    %IPV6-6-ADDRESS: 3FFE:C00:C18:F100:213:C4FF:FE44:4961/64 can not be configurex
    4- For the VLAN's Interface ID you have to manually assign the link local address with the command line
    IPV6 ADDRESS FE80::1 (or any other unique link local address) LINK-LOCAL.
    This is for Vlans that are in a switch module of the same router.
    All this testing was for a Cisco router 1800 series with a switch module integrated in the router.
    Could be that this command is used for other specific occasions which I am not aware of.
    Regards,
    Grupo GTD

  • PING TO ACE VLAN INTERFACES

    Hi,
    I am not able to ping the VLAN interfaces defined on the ACE devices unless directly connected to the subnet.
    I tried options - defining access-list, service-policy. I can ping the servers behind the ACE but I can't ping the ACE vlan interface.
    I captured the traffic on the ACE. I can't see any traffic on the interfaces if I ping the VLAN IP address. I can see the traffic if I am pinging the host behind the ACE.
    Is there any option available to enable ICMP on the interfaces?

    In order to ping the Vlan Interface you just need management policy applied to the vlan interface.
    Class-maps used in the management-policy
    defines the source addresses from where these management accesses are allowed.
    If you can ping the interfaces from locally connected subnets but not from the remote subnets then there could be 2 reasons.
    1. Some routing issues
    2. Source IPs in Management class maps are not defined.
    Following is an example of typical management policy:
    #Allow telnet & SSH from these ip addresses
    #Allow ICMP from any source
    class-map type management match-any MGMT-CLASS
      10 match protocol telnet
      20 match protocol ssh
      30 match protocol icmp any
    policy-map type management first-match MGMT-POLICY
      class MGMT-CLASS
        permit
    interface vlan 10
      ip address x.x.x.x 255.255.255.0
      service-policy input MGMT-POLICY
      no shutdown
    interface vlan 20
      ip address y.y.y.y 255.255.255.0
      service-policy input MGMT-POLICY
      no shutdown
    Syed Iftekhar Ahmed

  • HSRP Issues on VLAN interfaces

    We are experiencing an issue with HSRP and VLANS. We have the VLANS tracked to physical interfaces, with the default decrement value of 10.
    When we physically fail the fiber circuit (pull fiber transmit) the physical port reports down condition. The VLAN reports that it is still up. BOTH routers report that they are the active router and connectivity is lost.
    When the physical port is shut down, the failover takes place and the routers report their state as predicted.
    Any help would be greatly appreciated.
    These routers are 4506's running 12.1(19)EW code
    on WS-X4515 module.

    If there are still active ports, then I would expect the VLAN interface to stay UP on both routers. However, I would not normally expect both routers to be ACTIVE. Could it be that when you take down these physical links, that the routers lose sight of each other as far as the Hellos are concerned?
    About the "If there are still active ports" bit ... don't forget that a trunk can also constitute an active port in this sense. So if you have got any access switches uplinked to these 4506s, the trunks will be enough to keep the VLAN interface alive.
    Remember also that HSRP has a hold time of only 9 seconds by default, whereas 802.1d Spanning Tree has a convergence time up to 50 seconds by default. So it is possible that if the link you are disconnecting is the active root port of a switch, that the two HSRP routers will lose sight of each other. In that case, they can both become active for a few seconds. Effectively, during the STP convergence the VLAN can be partitioned. It all depends on your topology.
    You are pulling only the transmit fiber. I wonder if enabling UDLD would help here.
    As Georg says, it would be useful to know a bit more about the topology and the configuration.
    Kevin Dorrell
    Luxembourg

  • Is it possible to automatically trigger a camera when someone arrives in the background hahaha.. Just a wild thought you know, like when someone suddenly pops up, the camera will automatically fire. I'm planning to use it in our Horror tunnel this October.

    You could try to use a motion sensor - in a do-it-yourself store you can buy motion sensors that turn on the lights when a burglar approaches the property. Connect this sensor to the remote control of your camera instead of to a light.
    Probably you can buy ready-made motion sensitive remote controls, the photographers here will know. You would need this kind of remote control for wildlife photography.

  • Using empty interface -- is there a better way to do this?

    Hi,
    I have a set of classes in different projects that I'd like to be referenced together, although they have different methods depending on which project they're from. To do so, I've created an empty interface for each of these classes to implement, so I can return a similar type and then cast it however I need to based on which project I'm using.
    However, I feel the approach of creating an empty interface just isn't the best way to do this. I've looked into annotations, but I don't think they can solve my problem. I don't think I'm being too clear here, so let me give a brief example:
    Here is one of the interfaces I use:
        public interface IceClient {
            public IceOperations operations();
        }
    Here is the empty interface:
        public interface IceOperations {
        }
    I have a method which will return a type of IceOperations:
        public static synchronized IceOperations getOperations(String clientName) {
            if (clientMap.containsKey(clientName)) {
                IceClient client = clientMap.get(clientName);
                return client.operations();
            } else {
                System.out.println("No client of that name is currently running.");
                return null;
            }
        }
    This is all fine and dandy. I need to instantiate a new IceOperations object in my client code as such, where operations is of type IceOperations:
        operations = new DiagOperations();
    And finally return it like this, where client.operations() returns a type of IceOperations:
        public DiagOperations operations() {
            return (DiagOperations)client.operations();
        }
    Anyway I hope that wasn't too confusing. I cannot think of a different way to do this. Is there some way I can do this with annotations? The only other thing I can think of is just returning Object, but that seems ... icky.
    If I need to be clearer, please let me know.
    Thanks

    JoachimSauer wrote:
    I didn't understand them to be trick questions, but rather serious invitations to question and verify your assumptions.
    It might be the fact that every current implementation implements Runnable for some reason (possibly because it starts a Thread on its own). But it's entirely possible that you can produce a completely different implementation that doesn't need the Runnable interface and still be conformant.
    If every implementation of X needs to implement Runnable, then it could be a sign of a slight design smell. Could you give an example where you think it's necessary?
    Every implementation of my "X" interface is basically a class that acts as a communicator/listener of sorts until it's stopped by the user, similar to a server socket. Sometimes, it has to sit there and wait for events, in which case it obviously must be in its own Thread. Other times it doesn't have to do this; however if I do not start it in its own Thread, I will have to continually stop and restart the communication to invoke operations on the server, which is inefficient.

  • When do I have to use a GRE over IPsec tunnel? I have heard that when I'm using a routing protocol and VPN site to site I need a GRE tunnel

    I have configured a network with OSPF and a VPN site to site without a GRE tunnel and it works very well. I want to know, when do I have to use a GRE tunnel over IPsec?

    Jose,
    It sounds like you currently have an IPsec Virtual Tunnel Interface (VTI) configured. By this, I mean that you have a Tunnel interface running in "tunnel mode ipsec ipv4" rather than having a crypto map applied to a physical interface. In the days before VTIs, it was necessary to configure GRE over IPsec in order to pass certain types of traffic across an encrypted channel. When using pure IPsec with crypto maps, you cannot pass multicast traffic without implementing GRE over IPsec. Today, IPsec VTIs and GRE over IPsec accomplish what is effectively the same thing with a few exceptions. For example, by using GRE over IPsec, you can configure multiple tunnels between two peers by means of tunnel keys, pass many more types of traffic rather than IP unicast and multicast (such as NHRP as utilized by DMVPN), and you can also configure multipoint GRE tunnels whereas VTIs are point to point.
    Here's a document which discusses VTIs in more depth: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-ipsec-virt-tunnl.html#GUID-A568DA9D-56CF-47C4-A866-B605804179E1
    HTH,
    Frank
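
    The difference Frank describes, together with the tunnel-source choice from the first thread on this page, laid out as an added IOS configuration example (not from any poster). Interface names, the key number, the profile names and all addresses (RFC 5737 documentation ranges) are assumptions, the pre-shared key is a placeholder, and the three Tunnel0 definitions are alternatives, not one running config.

    ```cisco
    ! Constructed example. Assumes an IOS release with SHA-256 crypto support.
    ! --- Shared IKEv1 / IPsec pieces used by every option below ---
    crypto isakmp policy 10
     encryption aes 256
     hash sha256
     authentication pre-share
     group 14
    ! Key is scoped to the one remote peer; value is a placeholder.
    crypto isakmp key PSK-PLACEHOLDER address 203.0.113.1
    crypto ipsec transform-set TS-ESP esp-aes 256 esp-sha256-hmac
    crypto ipsec profile PROT-PROF
     set transform-set TS-ESP
    !
    ! Candidate tunnel sources (assumed addressing)
    interface Loopback0
     ip address 192.0.2.10 255.255.255.255
    interface Vlan10
     description SVI on the switch module (the interface asked about)
     ip address 192.0.2.129 255.255.255.128
    !
    ! --- Option A: static VTI, point to point, IP unicast/multicast ---
    interface Tunnel0
     ip address 10.255.1.1 255.255.255.252
     tunnel source Loopback0
     tunnel destination 203.0.113.1
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile PROT-PROF
    !
    ! --- Option B: point-to-point GRE over IPsec ---
    ! Tunnel mode is left at the GRE default; the tunnel key lets several
    ! tunnels to the same peer coexist and must match on both ends.
    interface Tunnel0
     ip address 10.255.1.1 255.255.255.252
     tunnel source Loopback0
     tunnel destination 203.0.113.1
     tunnel key 100
     tunnel protection ipsec profile PROT-PROF
    !
    ! --- Option C: multipoint GRE (DMVPN spoke), NHRP carried inside GRE ---
    ! "tunnel source Vlan10" is the SVI case from the first question; that the
    ! platform accepts it is the first reply's assumption. Use Loopback0 here
    ! to follow that reply's PS instead.
    interface Tunnel0
     ip address 10.255.0.2 255.255.255.0
     ip nhrp network-id 1
     ip nhrp nhs 10.255.0.1
     ip nhrp map 10.255.0.1 203.0.113.1
     ip nhrp map multicast 203.0.113.1
     tunnel source Vlan10
     tunnel mode gre multipoint
     tunnel key 100
     tunnel protection ipsec profile PROT-PROF
    ```

    With pre-shared keys, direct spoke-to-spoke tunnels in Option C also need a key entry that matches each other spoke's address, or certificate authentication instead.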

  • Unusual use of interface defining static factory class with getInstance

    This question is prompted by a recent New to Java forum question ask about the differences between Interfaces and Abstract classes. Of course one of the standard things mentioned is that interfaces cannot actually implement a method.
    One of my past clients, one of the 500 group, uses interfaces as class factories. The interface defines a public static class with a public static method, getInstance, that is called to generate instances of a class that implements the interface.
    This architecture was very object-oriented, made good use of polymorphism and worked very well. But I haven't seen this architecture used anywhere else and it seemed a little convoluted.
    Here is a 'pseudo' version of the basic interface template and use
    -- interface that defines public static factory class and getInstance method
    public interface abc {
        public static class FactoryClass
            public static abc getInstance ()
                return (abc) FactoryGenerator(new abcImpl(), abc.class);
    -- call of interface factory to create an instance
    abc myABC = abc.Factory.getInstance();
    1. Each main functional area ('abc' in the above) has its own interface factory
    2. Each main functional area has its own implementation class for that interface
    3. There is one generator (FactoryGenerator) that uses the interface class ('abc.class') to determine which implementation class to instantiate and return. The generator class can be configured at startup to control the actual class to return for any given interface.
    I should mention that the people that designed this entire architecture were not novices. They wrote some very sophisticated multi-threaded code that rarely had problems, was high performance and was easy to extend to add new functionality (interfaces and implementing classes) - pretty much plug-n-play with few, if any, side-effects that affected existing modules.
    Is this a best-practices method of designing factory classes and methods? Please provide any comments about the use of an architecture like this.

    Thanks for the feedback.
    > I don't see how 'the generator class can be configured at startup to control the actual class to return for any given interface' can possibly be true given this pseudo-code.
    I can see why that isn't clear just from what is posted.
    The way it was explained to me at the time is that the interface uses standard naming conventions and acts like a template to make it easy to clone for new modules: just change 'abc' to 'def' in three places and write a new 'defImpl' class that extends the interface and the new interface and class can just 'plug in' to the framework.
    The new 'defImpl' class established the baseline functionality that must be supported. This line
        return (abc) FactoryGenerator(new abcImpl(), abc.class);
    uses the initial version of the new class that was defined, 'abcImpl()', when calling the FactoryGenerator and it acted as a 'minimum version supported'. The generator class could use configuration information, if provided, to provide a newer class version that would extend this default class. Their reasoning was that this allowed the framework to use multiple versions of the class as needed when bugs got fixed or new functionality was introduced.
    So the initial objects would be an interface 'abc' and a class 'abcImpl'. Then the next version (bug fixes or enhancements) would be introduced by creating a new class, perhaps 'abcImpl_version2'. A configuration parameter could be passed giving 'abcImpl' as the base class to expect in the FactoryGenerator call and the generator would actually create an instance of 'abcImpl_version2' or any other class that extended 'abcImpl'.
    It certainly got the job done. You could use multiple versions of the class for different environments as you worked new functionality from DEV, TEST, QA and PRODUCTION environments without changing the basic framework.
    I've never seen any Java 'pattern' that looks like that or any pattern where an interface contained a class. It seemed really convoluted to me and seems like the 'versioning' aspect of it could have been accomplished in a more straightforward manner.
    Thanks for the feedback. If you wouldn't mind expanding a bit on one comment you made then I will mark this ANSWERED and put it to rest.
    > I don't mind interfaces containing classes per se when necessary
    I have never seen this except at this one site. Would you relate any info about where you have seen or used this or when it might be necessary?

  • The limit to imagination for what we could achieve using Labview

    Hiya
    I would like to create a user interface by customizing front panel so it could be used as an oscilloscope. This oscilloscope allows user to do following selections.
    Analogue or digital signal
    which channel
    raw binary data or scaled measurement
    enter mathematical formula
    and then it displays the signal. There are some knobs which could be used to zoom in or alter display to facilitate analysis. This is just imagination. Is it possible to achieve this on Labview? What are the steps please?
    Your help is much appreciated.
    Ta

    You can download and install the NI-SCOPE driver, which includes the NI-SCOPE Soft Front Panel, an oscilloscope application written entirely in LabVIEW.  This will give you an idea of what is possible (essentially anything even vaguely reasonable, plus a lot more, limited only by your imagination and skill).  Unfortunately, the driver is very large.  If you want a picture, check this out.
    The underlying architecture of this application is virtually identical to the architecture given in this post.  However, you would probably be better off following Ben's suggestion to hone your LabVIEW skills, then dive into the xylophone example.
    <fullDisclosure> I am a National Instruments employee. </fullDisclosure>
    Message Edited by DFGray on 01-28-2010 08:52 AM
