Dot1q-tunnel rejection

Similar Messages

• Dot1q tunnel VPLS support

  Hello Guys,
  I am configuring a dot1q tunnel VPLS since it suited our need for the client's requirements. To my surprise the 48 port tx we are using on our 7600 doesn't support this
  7609-PPE1(config-if)#switchport mode dot1q-tunnel
  Command rejected: Gi2/4 doesn't support 802.1q tunneling.
  IOS is s72033-pk9sv-mz.122-18.SXD5.bin
  Hardware is 48 SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX
  For me to establish a good VPLS in dot1q (dot1q in dot1q) multipoint connection, what hardware with port density is available for this one?
  I didn't have any problem with OSM modules, but we have to be practical with the port density.
  Your insights will be greatly appreciated.
  Thanks.

  For vpls to work the core facing should be a osm module.Configure IP routing in the core so that the PE routers can reach each other via IP. Configure MPLS in the core so that a label switched path (LSP) exists between the PE routers.For more info refer
  http://www.cisco.com/en/US/products/hw/routers/ps368/products_configuration_guide_chapter09186a00801e5c06.html#wp1338115.

• Dot1q tunneling and security

  Hi,
  I don't understand how to make to improve the security of dot1q tunneling. If the client makes some errors by example by disabling the spanning-tree on a vlan and he creates a loop between differents sites (L2VPN). What are the safety standards for Q-in-Q to protect the provider ?
  Thank you for your help.
  Regards.
  David

  It depends upon which switch you are using , If you are using a L3 capable switch , routing can be done on the switch it self , or if its a pure L2 switch you may have to create VLANs and route using sub-interfaces in the routers.Use these links for more details.
  http://cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a00801cdf50.html#1008908
  http://cisco.com/en/US/products/hw/routers/ps368/products_configuration_guide_chapter09186a0080161137.html

• Dot1q-tunneling and native frames ( untagged )

  hi all I have the following setup:
  tunnel Port:
  interface GigabitEthernet1/0/2
  switchport access vlan 784
  switchport mode dot1q-tunnel
  switchport nonegotiate
  l2protocol-tunnel cdp
  l2protocol-tunnel stp
  l2protocol-tunnel vtp
  no cdp enable
  spanning-tree portfast
  Trunk Port - Into Carrier Network
  interface GigabitEthernet1/0/25
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 4094
  switchport mode trunk
  switchport nonegotiate
  load-interval 30
  speed nonegotiate
  spanning-tree bpdufilter enable
  the Native Port on the tunnel interface = 1 and native vlan tagging is enabled on the switch.
  what happens to untagged frames that hit the tunnel port from the customer? Imagine that they dont have their port as a trunk and are instead emitting untagged frames?
  are these dropped or simply have a single Q-tag pushed and are then tunnelled through the carrier network?
  I have followed the recommendation of making the trunk port have a native vlan that is not the native vlan of any of the tunnel ports.
  thanks

  Normally double-tag traffic is seen as NON-IP traffic by metro devices, since they cannot see beyond first tag.
  Untagged customer traffic will behave like IP traffic in metro network, since it will have only one tag.
  You can use a trick - create an IP access list on trunk port with "deny ip any any" - basically denying all IP traffic. That should stop all traffic that was not tagged by the customer. Ofcourse that will disable your management - so you need to plan this.
  If more than one customer is using same S-VLAN, and one customer has e.g. VLAN 3 untagged, and other one has VLAN 5 untagged, their VLANs will be interconnected.

• 713060: Tunnel Rejected: User (user) not member of group (group_name), group-lock check failed.

  Hi,
  I just configure VPN for end users in PIX515e with IOS 8 and get stuck with "Tunnel Rejected: User (msveden) not member of group (VPN-shared), group-lock check failed.". Can someone please help me and tell me how I add user to my VPN group?
  Regards
  Mikael

  May be you are looking for this-
  ASA1(config)# username msveden attributes
  ASA1(config-username)# group-lock value mygroup
  Thanks
  Ajay

• Dot1Q tunneling and routing

  I am in the process of designing a dot1q-tunnel-based service backbone. Basically client switches will uplink with tunnelled ports on the provider backbone.
  Cl-SW1 |----|P-SW1|----|P-SW2|-----|Cl-SW2|
  Assume that the CL-SW1 is at the headquarters of the client and some traffic from the client should be sent off-premisess (Internet for example) using the same link (Gig Ethernet).
  What are my options?
  P-SW1 and P-SW2 will not be able to see layer 3 information from the client switches since traffic is layer2-tunnelled. How can I route traffic off the backbone?
  I thought about trunking a single port on P-SW1 and connecting it to a router. On the router sub-interfaces will do the job. But the problem is that trunked traffic will reach the router encapsulated with dot1q tunneling? Does a 7600 series router do the job, since it understands tunneling?
  Any ideas will be appreciated.

  It depends upon which switch you are using , If you are using a L3 capable switch , routing can be done on the switch it self , or if its a pure L2 switch you may have to create VLANs and route using sub-interfaces in the routers.Use these links for more details.
  http://cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a00801cdf50.html#1008908
  http://cisco.com/en/US/products/hw/routers/ps368/products_configuration_guide_chapter09186a0080161137.html

• MVR over DOT1Q-TUNNEL

  Is it possible to use MVR for delivering multicast to customers over dot1q-tunnel interface ?
  Can QinQ and MVR work together ?

  I think the muticast vlan registration shortly termed MVR is not supported in dot1Q tunnelling interface.Because, there is a criteria for configuring MVR.That is, while configuring MVR, receiver ports cannot be trunk ports. Since, do11q is a trunking protocol,I believe MVR can't be transmitted over trunk port, and hence over dot1q tunnel interface.For detailed info on this mvr,
  refer to the configuration guidelines sections of mvr at:
  http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a008007e8d9.html#xtocid14

• Me3400 mep on dot1q-tunnel interface

  Hi
  Just wanted to get someone to give me some quick pointers on the following task:
  I have an me3400 with fa0/1 as a UNI.
  also I have Gig0/1 as NNI.
  I have set the commands on the switch as
  ethernet cfm ieee
  ethernet cfm global
  ethernet cfm domain testnet level 4
  ethernet evc cust1
     oam protocol cfm svlan 10 domain testnet
  interface FastEthernet0/1
    switchport access vlan 10
    switchport mode dot1q-tunnel
    speed 100
    duplex full
    l2protocol-tunnel cdp
    l2protocol-tunnel lldp
    l2protocol-tunnel stp
    l2protocol-tunnel vtp
  interface GigabitEthernet0/1
    port-type nni
    switchport mode trunk
    ethernet cfm mip level 4 vlan 10
  so this is the minimal functionality that I am after.
  What else do I need to do to link the fa0/1 port to the EVC and enable an UP MEP and CC on it?
  the end goal initially is to propagate link loss when the UNI is disconnected so that the remote me3400 brings down its UNI.
  any help please.

  It's difficult for Cisco Cat 6500.Why don't you consider products from other vendors?

• Dot1q-tunnel cos mapping

  Is it possible to map the cos from a tagged frame into the metro tag cos field when it enters a dot1q-tunnel port?
  The only option I see to set cos on a dot1q-tunnel port is to statically configure a value using the <mls qos cos <value> > commmand, this is with the 3750.
  Thanks

  It all depends on the hardware.
  For example 3750 Metro support copying inner CoS value to the outer tag. It is also supported by 4500s with SUPV-10GE.
  Also this functionality is possible with ES20 cards in 7600.
  Overall there is not much hardware that support it. The functionality you are looking for is called "ntelligent IEEE 802.1Q tunneling QoS"
  http://www.cisco.com/en/US/docs/switches/metro/catalyst3750m/software/release/12.2_25_seg_seg1/configuration/guide/swtunnel.html#wp1010491

• Dot1q tunnel

  Hi guys.
  I'm trying to setup a dot1q tunnel on a 3560X, but the option does not seem available.
  SW02#conf t
  Enter configuration commands, one per line.  End with CNTL/Z.
  SW02(config)#int gig 0/1
  SW02(config-if)#sw mode ?
    access   Set trunking mode to ACCESS unconditionally
    dynamic  Set trunking mode to dynamically negotiate access or trunk mode
    trunk    Set trunking mode to TRUNK unconditionally
  SW02(config-if)#sw mode
  I'm sure I have seen this command visible previously so it could be configuration or VTP related, but obviously am now doubting myself.
  For reference the IOS version is;
  c3560e-universalk9-mz.122-55.SE5/c3560e-universalk9-mz.122-55.SE5.bin
  Its not an advipservices feature is it?
  Thanks for your help.
  Mike

  Hi Mike,
  according to the Configuration Guide, 802.1Q protocol tunneling is not supported on switches running the LAN base feature set.
  Do you have at least an IP Base license activated (show license detail)?
  Cisco Catalyst 3560-X Series Switches - Cisco IOS Software Packaging and Licensing White Paper
  HTH
  Rolf

• ASR 9010 switchport mode dot1q-tunnel QinQ Access

  Is there an IOS-XR ASR equivalent for a QinQ edge access port? On IOS the interface config would be:
  int fa 1/1
  switchport
  switchport mode dot1q-tunnel
  switchport access vlan 100

  Do you have ASR on both sides? If you do, VFI will work for you, lets say:
  CE------G1/1/1/1(1.1.1.1- PE1)---------------------(PE - 2.2.2.2) G2/2/2/2--------- CE
  On PE1:
  interface g1/1/1/1
  l2transport
  no shut
  l2vpn
  bridge group PE1
  bridge-domain CE1
  interface g1/1/1/1
  vfi CE1
  neighbor 2.2.2.2 pw-id 100
  On PE2:
  interface g2/2/2/2
  l2transport
  no shut
  l2vpn
  bridge group PE2
  bridge-domain CE2
  interface g2/2/2/2
  vfi CE2
  neighbor 1.1.1.1 pw-id 100

• Native VLAN problem when using dot1q tunnel on ME3600

  We have problems with a VPLS service for a Customer. The edge devices are Cat3560 and ME3600 (where the Customers sites are connected).
  When the edge device are ME3600 we have problems getting the traffic on the Native VLAN from the Customer out in the VPLS cloud.
  No problems using Cat3560
  No problems using ME3600 and tagged VLAN
  Config on ME3600
  interface GigabitEthernet0/2
  description VPLS_CustomerA
  switchport access vlan 888
  switchport trunk allowed vlan none
  switchport mode trunk
  mtu 9800
  storm-control broadcast level 0.10 0.05
  storm-control action trap
  no cdp enable
  spanning-tree bpdufilter enable
  service instance 64 ethernet
    encapsulation untagged , dot1q 1-4094
    bridge-domain 64
  Any ideas?
  /Jorgen

  Can you remove this line from your configuration "
  switchport access vlan 888" since it is an invalid configuration for EVC.
  Reconfigure the port after making the above change. What kind of traffic you are expecting on the native vlan?
  L2 protocol is dsable by default so STP, CDP and other control protocols will not work unless you enable L2PT forward or tunnel.

• "trust cos" on dot1q-tunnel interface

  Hello,
  we've MAN based on Cat 6500 and Cat 3750, we're using QinQ as one of our backbone technologies.
  We need to implement "trust cos" on QinQ port for one of our customers (= rewrite CoS bits from the internal 802.1q header (coming from customer) to the external 802.1q header). Do you have some idea how to deal with it ?
  We've done several experiments, but we haven't found any solution except CoS-to-CoS map, which is "Cat 6500 only" and "per-group-of-ports" feature. We need to implement it per port (only for this cusomer).
  We're looking for this because customer is using MPLS and we need to "trust QoS" as it is set by the customer. Customer is able to set
  - DSCP in IP header
  - MPLS exp. bits
  - CoS in dot1q header.
  Have you ever come accross something like this?
  Have you found any solution?
  Thanks
  Jan Klicka, SITMP

  It's difficult for Cisco Cat 6500.Why don't you consider products from other vendors?

• QoS (CoS) and Q-in-Q (dot1q-tunnel)

  Hi,
  I am looking for a document which describes the procedures and connections between QoS and Q-in-Q. Something like "NAT order of operation".
  Points I am interested in are for example:
  - Which CoS value is set in the outer VLAN tag?
  - Which VLAN tag does 'mls qos trust cos' trust?
  - Would the CoS value of the inner VLAN tag be inherited/passed to the outer VLAN tag?
  I am mainly using Cat3560 and Cat3750 with IOS 12.2(25)SED1 IP-Base.
  kind regards
  Mark

  Policing function determines if the traffic level is within the specified profile (contract). Policing function allows either dropping out-of-profile traffic or marking the traffic down to a different Differential Services Code Point (DSCP) value to enforce contracted service level. DSCP is a measure of the Quality of Service (QoS) level of the packet. Along with DSCP, IP precedence and Class of Service (CoS) are also used to convey the QoS level of the packet
  http://www.cisco.com/warp/public/473/134.html

• IPSec LAN-to-LAN from PIX 501(6.3.5) to VPNC 3000 rejects tunnel.

  I will post more data once back in the office but this is the error my VPNC3000 is showing when the IPSec tunnel tries to establish:
  I've replaced the PIX 501 outside IP with 10.0.0.1, and the concentrator subnet with 10.1.0.0
  18890 04/04/2007 15:09:33.190 SEV=6 IKE/201 RPT=2 10.0.0.2
  Group [10.0.0.2]
  Duplicate Phase 1 packet detected. Retransmitting last packet.
  18892 04/04/2007 15:09:33.190 SEV=6 IKE/0 RPT=820 10.0.0.2
  Group [10.0.0.2]
  Responder resending last msg
  18893 04/04/2007 15:09:33.310 SEV=8 IKEDBG/0 RPT=45723 10.0.0.2
  RECEIVED Message (msgid=b57613b7) with payloads :
  HDR + HASH (8) + NOTIFY (11) + NONE (0)
  total length : 76
  18895 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45724 10.0.0.2
  Group [10.0.0.2]
  processing hash
  18896 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45725 10.0.0.2
  Group [10.0.0.2]
  Processing Notify payload
  18897 04/04/2007 15:09:33.310 SEV=6 IKE/0 RPT=821
  Received unexpected event EV_ACTIVATE_NEW_SA in state MM_ACTIVE
  18898 04/04/2007 15:09:33.310 SEV=8 IKEDBG/0 RPT=45726 10.0.0.2
  RECEIVED Message (msgid=83ab1615) with payloads :
  HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0)
  total length : 164
  18901 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45727 10.0.0.2
  Group [10.0.0.2]
  processing hash
  18902 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45728 10.0.0.2
  Group [10.0.0.2]
  processing SA payload
  18903 04/04/2007 15:09:33.310 SEV=9 IKEDBG/1 RPT=5364 10.0.0.2
  Group [10.0.0.2]
  processing nonce payload
  18904 04/04/2007 15:09:33.310 SEV=9 IKEDBG/1 RPT=5365 10.0.0.2
  Group [10.0.0.2]
  Processing ID
  18905 04/04/2007 15:09:33.310 SEV=5 IKE/35 RPT=133 10.0.0.2
  Group [10.0.0.2]
  Received remote IP Proxy Subnet data in ID Payload:
  Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
  18908 04/04/2007 15:09:33.310 SEV=9 IKEDBG/1 RPT=5366 10.0.0.2
  Group [10.0.0.2]
  Processing ID
  18909 04/04/2007 15:09:33.310 SEV=5 IKE/34 RPT=233 10.0.0.2
  Group [10.0.0.2]
  Received local IP Proxy Subnet data in ID Payload:
  Address 10.1.0.0, Mask 255.255.255.0, Protocol 0, Port 0
  18912 04/04/2007 15:09:33.310 SEV=8 IKEDBG/0 RPT=45729
  QM IsRekeyed old sa not found by addr
  18913 04/04/2007 15:09:33.310 SEV=4 IKE/61 RPT=2 10.0.0.2
  Group [10.0.0.2]
  Tunnel rejected: Policy not found for Src:0.0.0.0, Dst: 10.1.0.0!
  18915 04/04/2007 15:09:33.310 SEV=4 IKEDBG/0 RPT=45730
  QM FSM error (P2 struct &0x1e75390, mess id 0x83ab1615)!
  18916 04/04/2007 15:09:33.310 SEV=7 IKEDBG/65 RPT=730 10.0.0.2
  Group [10.0.0.2]
  IKE QM Responder FSM error history (struct &0x1e75390)
  <state>, <event>:
  QM_DONE, EV_ERROR
  QM_BLD_MSG2, EV_NEGO_SA
  QM_BLD_MSG2, EV_IS_REKEY
  QM_BLD_MSG2, EV_CONFIRM_SA
  18921 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45731
  sending delete/delete with reason message
  18922 04/04/2007 15:09:33.310 SEV=6 IKE/0 RPT=822 10.0.0.2
  Group [10.0.0.2]
  Removing peer from correlator table failed, no match!
  18923 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45732 10.0.0.2
  Group [10.0.0.2]
  IKE SA MM:5b0e34cb rcv'd Terminate: state MM_ACTIVE
  flags 0x0001c042, refcnt 1, tuncnt 0
  18926 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45733 10.0.0.2
  Group [10.0.0.2]
  IKE SA MM:5b0e34cb terminating:
  flags 0x0101c002, refcnt 0, tuncnt 0
  18928 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45734
  sending delete/delete with reason message
  18929 04/04/2007 15:09:33.320 SEV=9 IKEDBG/0 RPT=45735 10.0.0.2
  Group [10.0.0.2]
  constructing blank hash
  18930 04/04/2007 15:09:33.320 SEV=9 IKEDBG/0 RPT=45736
  constructing IKE delete payload
  18931 04/04/2007 15:09:33.320 SEV=9 IKEDBG/0 RPT=45737 10.0.0.2
  Group [10.0.0.2]
  constructing qm hash
  18932 04/04/2007 15:09:33.320 SEV=8 IKEDBG/0 RPT=45738 10.0.0.2
  SENDING Message (msgid=1d5c1587) with payloads :
  HDR + HASH (8) + DELETE (12)
  total length : 76
  18934 04/04/2007 15:09:33.320 SEV=4 AUTH/23 RPT=176 10.0.0.2
  User [10.0.0.2], Group [10.0.0.2] disconnected: duration: 0:00:00

  The error that sticks out to me is:
  18913 04/04/2007 15:09:33.310 SEV=4 IKE/61 RPT=2 10.0.0.2
  Group [10.0.0.2]
  Tunnel rejected: Policy not found for Src:0.0.0.0, Dst: 10.1.0.0!
  I do not know if this means policy on the Concentrator or the PIX, but I believe this is the cause. Below is my PIX 501 config:
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  hostname pix3
  domain-name mydomain.com
  fixup protocol ftp 21
  fixup protocol http 80
  fixup protocol h323 1720
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol sip 5060
  fixup protocol skinny 2000
  fixup protocol h323 1718-1719
  names
  access-list 102 permit ip 192.168.15.0 255.255.255.0 172.16.0.0 255.255.0.0
  access-list 102 permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
  access-list 102 permit icmp 192.168.15.0 255.255.255.0 192.168.15.0 255.255.255.0
  no pager
  logging on
  logging timestamp
  logging monitor debugging
  interface ethernet0 10baset
  interface ethernet1 10full
  icmp permit any outside
  icmp permit any inside
  mtu outside 1500
  mtu inside 1500
  ip address outside 10.0.0.2 255.255.255.240
  ip address inside 192.168.15.1 255.255.255.0
  ip audit info action alarm
  ip audit attack action alarm
  pdm logging informational 100
  pdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list 102
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
  route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  http server enable
  http 192.168.15.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  no snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  no sysopt route dnat
  crypto ipsec transform-set myset esp-3des esp-md5-hmac
  crypto map newmap 10 ipsec-isakmp
  crypto map newmap 10 match address 102
  crypto map newmap 10 set peer 10.1.0.1
  crypto map newmap 10 set transform-set myset
  crypto map newmap interface outside
  isakmp enable outside
  isakmp key myPSK address 10.1.0.1 netmask 255.255.255.255
  isakmp policy 10 authentication pre-share
  isakmp policy 10 encryption 3des
  isakmp policy 10 hash md5
  isakmp policy 10 group 2
  isakmp policy 10 lifetime 86400
  ssh 172.16.0.0 255.255.255.224 inside
  ssh 192.168.0.0 255.255.0.0 inside
  ssh timeout 60
  dhcpd address 192.168.15.10-192.168.15.20 inside
  dhcpd dns 172.16.1.27 172.16.1.19
  dhcpd lease 3600
  dhcpd ping_timeout 750
  dhcpd auto_config outside
  dhcpd enable inside
  terminal width 80