Dot1Q tunneling and routing

I am in the process of designing a dot1q-tunnel-based service backbone. Basically client switches will uplink with tunnelled ports on the provider backbone.
Cl-SW1 |----|P-SW1|----|P-SW2|-----|Cl-SW2|
Assume that the CL-SW1 is at the headquarters of the client and some traffic from the client should be sent off-premisess (Internet for example) using the same link (Gig Ethernet).
What are my options?
P-SW1 and P-SW2 will not be able to see layer 3 information from the client switches since traffic is layer2-tunnelled. How can I route traffic off the backbone?
I thought about trunking a single port on P-SW1 and connecting it to a router. On the router sub-interfaces will do the job. But the problem is that trunked traffic will reach the router encapsulated with dot1q tunneling? Does a 7600 series router do the job, since it understands tunneling?
Any ideas will be appreciated.

It depends upon which switch you are using , If you are using a L3 capable switch , routing can be done on the switch it self , or if its a pure L2 switch you may have to create VLANs and route using sub-interfaces in the routers.Use these links for more details.
http://cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a00801cdf50.html#1008908
http://cisco.com/en/US/products/hw/routers/ps368/products_configuration_guide_chapter09186a0080161137.html

Similar Messages

  • Dot1q tunneling and security

    Hi,
    I don't understand how to make to improve the security of dot1q tunneling. If the client makes some errors by example by disabling the spanning-tree on a vlan and he creates a loop between differents sites (L2VPN). What are the safety standards for Q-in-Q to protect the provider ?
    Thank you for your help.
    Regards.
    David

    It depends upon which switch you are using , If you are using a L3 capable switch , routing can be done on the switch it self , or if its a pure L2 switch you may have to create VLANs and route using sub-interfaces in the routers.Use these links for more details.
    http://cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a00801cdf50.html#1008908
    http://cisco.com/en/US/products/hw/routers/ps368/products_configuration_guide_chapter09186a0080161137.html

  • Dot1q-tunneling and native frames ( untagged )

    hi all I have the following setup:
    tunnel Port:
    interface GigabitEthernet1/0/2
    switchport access vlan 784
    switchport mode dot1q-tunnel
    switchport nonegotiate
    l2protocol-tunnel cdp
    l2protocol-tunnel stp
    l2protocol-tunnel vtp
    no cdp enable
    spanning-tree portfast
    Trunk Port - Into Carrier Network
    interface GigabitEthernet1/0/25
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 4094
    switchport mode trunk
    switchport nonegotiate
    load-interval 30
    speed nonegotiate
    spanning-tree bpdufilter enable
    the Native Port on the tunnel interface = 1 and native vlan tagging is enabled on the switch.
    what happens to untagged frames that hit the tunnel port from the customer? Imagine that they dont have their port as a trunk and are instead emitting untagged frames?
    are these dropped or simply have a single Q-tag pushed and are then tunnelled through the carrier network?
    I have followed the recommendation of making the trunk port have a native vlan that is not the native vlan of any of the tunnel ports.
    thanks

    Normally double-tag traffic is seen as NON-IP traffic by metro devices, since they cannot see beyond first tag.
    Untagged customer traffic will behave like IP traffic in metro network, since it will have only one tag.
    You can use a trick - create an IP access list on trunk port with "deny ip any any" - basically denying all IP traffic. That should stop all traffic that was not tagged by the customer. Ofcourse that will disable your management - so you need to plan this.
    If more than one customer is using same S-VLAN, and one customer has e.g. VLAN 3 untagged, and other one has VLAN 5 untagged, their VLANs will be interconnected.

  • IPSEC tunnel and Routing protocols Support

    Hi Everyone,
    I read IPSEC does not support Routing Protocols with Site to Site VPN as they both are Layer4.
    Does it mean that If Site A  has to reach Site B over WAN  link we should use Static IP on Site A and Site B  Router?
    In  my home Lab i config Site to Site IPSES  VPN  and they are working fine  using OSPF  does this mean that IPSEC supports Routing Protocol?
    IF someone can explain me this please?
    OSPF  config A side
    router ospf 1
    router-id 3.4.4.4
    log-adjacency-changes
    area 10 virtual-link 10.4.4.1
    passive-interface Vlan10
    passive-interface Vlan20
    network 3.4.4.4 0.0.0.0 area 0
    network 192.168.4.0 0.0.0.255 area 10
    network 192.168.5.0 0.0.0.255 area 0
    network 192.168.10.0 0.0.0.255 area 0
    network 192.168.20.0 0.0.0.255 area 0
    network 192.168.30.0 0.0.0.255 area 0
    network 192.168.98.0 0.0.0.255 area 0
    network 192.168.99.0 0.0.0.255 area 0
    3550SMIA#sh ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is 192.168.5.3 to network 0.0.0.0
    O    192.168.12.0/24 [110/13] via 192.168.5.3, 3d17h, FastEthernet0/11
         100.0.0.0/32 is subnetted, 1 subnets
    O       100.100.100.100 [110/3] via 192.168.5.3, 3d17h, FastEthernet0/11
         3.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    O       3.3.3.3/32 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
    C       3.4.4.0/24 is directly connected, Loopback0
    C    192.168.30.0/24 is directly connected, Vlan30
         64.0.0.0/32 is subnetted, 1 subnets
    O E2    64.59.135.150 [110/300] via 192.168.5.3, 1d09h, FastEthernet0/11
         4.0.0.0/32 is subnetted, 1 subnets
    O       4.4.4.4 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
    C    192.168.10.0/24 is directly connected, Vlan10
         172.31.0.0/24 is subnetted, 4 subnets
    O E2    172.31.3.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
    O E2    172.31.2.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
    O E2    172.31.1.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
    O E2    172.31.0.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
    O    192.168.11.0/24 [110/3] via 192.168.5.3, 3d17h, FastEthernet0/11
    O    192.168.98.0/24 [110/2] via 192.168.99.1, 3d17h, FastEthernet0/8
    C    192.168.99.0/24 is directly connected, FastEthernet0/8
    C    192.168.20.0/24 is directly connected, Vlan20
         192.168.5.0/31 is subnetted, 1 subnets
    C       192.168.5.2 is directly connected, FastEthernet0/11
    C    10.0.0.0/8 is directly connected, Tunnel0
         192.168.6.0/31 is subnetted, 1 subnets
    O       192.168.6.2 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
    O    192.168.1.0/24 [110/13] via 192.168.5.3, 3d17h, FastEthernet0/11
    O*E2 0.0.0.0/0 [110/1] via 192.168.5.3, 1d09h, FastEthernet0/11
    B Side Config
    Side A
    router ospf 1
    log-adjacency-changes
    network 192.168.97.0 0.0.0.255 area 0
    network 192.168.98.0 0.0.0.255 area 0
    network 192.168.99.0 0.0.0.255 area 0
    1811w#  sh ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is 192.168.99.2 to network 0.0.0.0
    O    192.168.12.0/24 [110/14] via 192.168.99.2, 3d17h, FastEthernet0
         100.0.0.0/32 is subnetted, 1 subnets
    O       100.100.100.100 [110/4] via 192.168.99.2, 3d17h, FastEthernet0
         3.0.0.0/32 is subnetted, 2 subnets
    O       3.3.3.3 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
    O       3.4.4.4 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
    O    192.168.30.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
         64.0.0.0/32 is subnetted, 1 subnets
    O E2    64.59.135.150 [110/300] via 192.168.99.2, 1d09h, FastEthernet0
         4.0.0.0/32 is subnetted, 1 subnets
    O       4.4.4.4 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
    O    192.168.10.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
         172.31.0.0/24 is subnetted, 4 subnets
    O E2    172.31.3.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
    O E2    172.31.2.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
    O E2    172.31.1.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
    O E2    172.31.0.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
    O    192.168.11.0/24 [110/4] via 192.168.99.2, 3d17h, FastEthernet0
    C    192.168.98.0/24 is directly connected, BVI98
    C    192.168.99.0/24 is directly connected, FastEthernet0
    O    192.168.20.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
         192.168.5.0/31 is subnetted, 1 subnets
    O       192.168.5.2 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
         192.168.6.0/31 is subnetted, 1 subnets
    O       192.168.6.2 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
    O    192.168.1.0/24 [110/14] via 192.168.99.2, 3d17h, FastEthernet0
    O*E2 0.0.0.0/0 [110/1] via 192.168.99.2, 1d09h, FastEthernet0
    Thanks
    Mahesh

    Hello,
    I'm saying crypto maps have a lot of limitations. Tunnel Protection make way more sense
    U can configure in 2 ways [ and multicast WILL work over it]
    1- GRE over IPSEC
    crypto ipsec transform-set aes esp-aes 256 esp-sha-hmac
    mode transport
    crypto ipsec profile tp
    set transform-set aes
    int tu1
    ip address 255.255.255.252
    tunnel source
    tunnel destination
    tunne protection ipsec profile tp
    We have configured mode transport because we encrypt GRE + what ever we encapsule in GRE [ eg OSPF - telnet - http ]
    Pros:
    We can as well transport IPV6 or CDP
    Cons:
    4 bytes of overhead due to GRE
    2- IP over IPSEC
    crypto ipsec transform-set aes esp-aes 256 esp-sha-hmac
    mode tunnel
    crypto ipsec profile tp
    set transform-set aes
    int tu1
    ip address 255.255.255.252
    tunnel source
    tunnel destination
    tunnel mode ipsec ipv4
    tunne protection ipsec profile tp
    This config is in fact closer from a crypto map [ from encapsulation standpoint]. The transform-set then NEED to be in tunnel-mode
    Pro:
    4 bytes overhead less than GRE over IPSEC
    Cons:
    Cannot transport CDP or MPLS or IPV6. Very limiting IMHO
    Cheers
    Olivier

  • Dot1q-tunnel rejection

    Hello,
    I am trying to setup a dot1q-tunnel on a Catalyst 6506 running IOS 12.2 and am running into trouble. I have followed everything in the manual and from other's examples, but I continually get the error:
    Command rejected: Gi1/1 doesn't support 802.1q tunneling.
    To get there I have done:
    Router(config)#vlan dot1q tag native
    Router(config)#interface range gig 1/1-48
    Router(config-if-range)#spanning-tree bpdufilter enable
    Router(config-if-range)#spanning-tree portfast
    Router(config-if-range)#switchport mode dot1q-tunnel
    and it says command rejected for all 48 ports.
    If anyone has any insight it would be greatly appreciated. Thank you for your time

    if you can't make tunnel with dot1q, check the capability of the module using follow command..
    [example]
    Swith#show interfaces gigabitEthernet 0/1 capabilities
    GigabitEthernet0/1
    Model: WS-C3550-24
    Type: unknown
    Speed: 1000
    Duplex: full
    Trunk encap. type: 802.1Q,ISL <<<--- capability
    Trunk mode: on,off,desirable,nonegotiate
    Channel: yes
    Broadcast suppression: percentage(0-100)
    Flowcontrol: rx-(off,on,desired),tx-(off,on,desired)
    Fast Start: yes
    QOS scheduling: rx-(1q0t),tx-(4q2t),tx-(1p3q2t)
    CoS rewrite: yes
    ToS rewrite: yes
    UDLD: yes
    Inline power: no
    SPAN: source/destination
    PortSecure: yes
    Dot1x: yes

  • How to configure full tunnel with VPN client and router?

    I know the concept of split tunnel....Is it possibe to configure vpn client and router full tunnel or instead of router ASA? I know filter options in concentrators is teher options in ISR routers or ASA?

    I think it is possible. Following links may help you
    http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml

  • ASA 5505 site-to-site VPN tunnel and client VPN sessions

    Hello all
    I have several years of general networking experience, but I have not yet had to set up an ASA from the ground up, so please bear with me.
    I have a client who needs to establish a VPN tunnel from his satellite office (Site A) to his corporate office (Site Z).  His satellite office will have a single PC sitting behind the ASA.  In addition, he needs to be able to VPN from his home (Site H) to Site A to access his PC.
    The first question I have is about the ASA 5505 and the various licensing options.  I want to ensure that an ASA5505-BUN-K9 will be able to establish the site-to-site tunnel as well as allow him to use either the IPsec or SSL VPN client to connect from Site H to Site A.  Would someone please confirm or deny that for me?
    Secondly, I would like to verify that no special routing or configuration would need to take place in order to allow traffic not destined for Site Z (i.e., general web browsing or other traffic to any resource that is not part of the Site Z network) to go out his outside interface without specifically traversing the VPN tunnel (split tunneling?)
    Finally, if the client were to establish a VPN session from Site H to Site A, would that allow for him to connect directly into resources at Site Z without any special firewall security rules?  Since the VPN session would come in on the outside interface, and the tunnel back to Site Z goes out on the same interface, would this constitute a split horizon scenario that would call for a more complex config, or will the ASA handle that automatically without issue?
    I don't yet have the equipment in-hand, so I can't provide any sample configs for you to look over, but I will certainly do so once I've got it.
    Thanks in advance for any assistance provided!

    First question:
    Yes, 5505 will be able to establish site-to-site tunnel, and he can use IPSec vpn client, and SSL VPN (it comes with 2 default SSL VPN license).
    Second question:
    Yes, you are right. No special routing is required. All you need to configure is site-to-site VPN between Site A and Site Z LAN, and the internet traffic will be routed via Site A internet. Assuming you have all the NAT statement configured for that.
    Last question:
    This needs to be configured, it wouldn't automatically allow access to Site Z when he VPNs in to Site A.
    Here is what needs to be configured:
    1) Split tunnel ACL for VPN Client should include both Site Z and Site A LAN subnets.
    2) On site A configures: same-security-traffic permit intra-interface
    3) Crypto ACL for the site-to-site tunnel between Site Z and Site A needs to include the VPN Client pool subnet as follows:
    On Site Z:
    access-list permit ip
    On Site A:
    access-list permit ip
    4) NAT exemption on site Z needs to include vpn client pool subnet as well.
    Hope that helps.
    Message was edited by: Jennifer Halim

  • Cisco AnyConnect SSL VPN no split tunnel and no hairpinning internet access

    Greetings,
    I am looking to configure a Cisco ASA 5515X for Cisco AnyConnect Essentials SSL VPN where ALL SSL-VPN traffic is tunneled, no split tunneling or hairpinning on the outside interface. However users require internet access. I need to route traffic out the "trusted" or "inside" interface to another device that performs content-filtering and inspection which then egresses out to the internet from there. Typically this could be done using a route-map (which ASA's do not support) or with a VRF (again, not an option on the ASA). The default route points to the outside interface toward the internet.
    Is there no other method to force all my SSL-VPN traffic out the inside interface toward LAN subnets as needed and have another default route point toward the filtering device?
    OR 
    Am I forced to put the ASA behind the filtering device somehow?

    Hi Jim,
    You can use tunnel default route for vpn traffic:
    ASA(config)# route inside 0.0.0.0 0.0.0.0 <inside hop> tunneled
    configure mode commands/options:
      <1-255>   Distance metric for this route, default is 1
      track     Install route depending on tracked item
      tunneled  Enable the default tunnel gateway option, metric is set to 255
    This route is applicable for only vpn traffic.
    HTH,
    Shetty

  • Site-to-Site VPN btw Pix535 and Router 2811, can't get it work

    Hi, every one,  I spent couple of days trying to make  a site-to-site VPN between PIX535 and router 2811 work but come up empty handed, I followed instructions here:
    http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080b4ae61.shtml
    #1: PIX config:
    : Saved
    : Written by enable_15 at 18:05:33.678 EDT Sat Oct 20 2012
    PIX Version 8.0(4)
    hostname pix535
    interface GigabitEthernet0
    description to-cable-modem
    nameif outside
    security-level 0
    ip address X.X.138.132 255.255.255.0
    ospf cost 10
    interface GigabitEthernet1
    description inside  10/16
    nameif inside
    security-level 100
    ip address 10.1.1.254 255.255.0.0
    ospf cost 10
    access-list outside_access_in extended permit ip any any
    access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip any 10.1.1.192 255.255.255.248
    access-list outside_cryptomap_dyn_60 extended permit ip any 10.1.1.192 255.255.255.248
    access-list outside_1_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0
    pager lines 24
    ip local pool cnf-8-ip 10.1.1.192-10.1.1.199 mask 255.255.0.0
    global (outside) 10 interface
    global (outside) 15 1.2.4.5
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 15 10.1.0.0 255.255.0.0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 X.X.138.1 1
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-MD5
    crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
    crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
    crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
    crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-MD5 ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 28800
    crypto dynamic-map outside_dyn_map 60 set security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer X.X.21.29
    crypto map outside_map 1 set transform-set ESP-DES-SHA
    crypto map outside_map 1 set security-association lifetime seconds 28800
    crypto map outside_map 1 set security-association lifetime kilobytes 4608000
    crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp identity hostname
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption des
    hash sha
    group 1
    lifetime 86400
    crypto isakmp policy 20
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp nat-traversal 3600
    group-policy GroupPolicy1 internal
    group-policy cnf-vpn-cls internal
    group-policy cnf-vpn-cls attributes
    wins-server value 10.1.1.7
    dns-server value 10.1.1.7 10.1.1.205
    vpn-tunnel-protocol IPSec l2tp-ipsec
    default-domain value x.com
    username sean password U/h5bFVjXlIDx8BtqPFrQw== nt-encrypted
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key secret1
    radius-sdi-xauth
    tunnel-group DefaultRAGroup ppp-attributes
    authentication ms-chap-v2
    tunnel-group cnf-vpn-cls type remote-access
    tunnel-group cnf-vpn-cls general-attributes
    address-pool cnf-8-ip
    default-group-policy cnf-vpn-cls
    tunnel-group cnf-vpn-cls ipsec-attributes
    pre-shared-key secret2
    isakmp ikev1-user-authentication none
    tunnel-group cnf-vpn-cls ppp-attributes
    authentication ms-chap-v2
    tunnel-group X.X.21.29 type ipsec-l2l
    tunnel-group X.X.21.29 ipsec-attributes
    pre-shared-key SECRET
    class-map inspection_default
    match default-inspection-traffic
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:9780edb09bc7debe147db1e7d52ec39c
    : end
    #2:  Router 2811 config:
    ! Last configuration change at 09:15:32 PST Fri Oct 19 2012 by cnfla
    ! NVRAM config last updated at 13:45:03 PST Tue Oct 16 2012
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname LA-2800
    crypto pki trustpoint TP-self-signed-1411740556
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1411740556
    revocation-check none
    rsakeypair TP-self-signed-1411740556
    crypto pki certificate chain TP-self-signed-1411740556
    certificate self-signed 01
      3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 31343131 37343035 3536301E 170D3132 31303136 32303435
      30335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 34313137
      34303535 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100F75F F1BDAD9B DE9381FD 165B5188 7EAF9685 CF15A317 1B424825 9C66AA28
      C990B2D3 D69A2F0F D745DB0E 2BB4995D 73415AC4 F01B2019 84373199 C4BCF9E0
      E599B86C 17DBDCE6 47EBE0E3 8DBC90B2 9B4E217A 87F04BF7 A182501E 24381019
      A61D2C05 5404DE88 DA2A1ADC A81B7F65 C318B697 7ED69DF1 2769E4C8 F3449B33
      35AF0203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
      551D1104 0B300982 074C412D 32383030 301F0603 551D2304 18301680 14B56EEB
      88054CCA BB8CF8E8 F44BFE2C B77954E1 52301D06 03551D0E 04160414 B56EEB88
      054CCABB 8CF8E8F4 4BFE2CB7 7954E152 300D0609 2A864886 F70D0101 04050003
      81810056 58755C56 331294F8 BEC4FEBC 54879FF5 0FCC73D4 B964BA7A 07D20452
      E7F40F42 8B355015 77156C9F AAA45F9F 59CDD27F 89FE7560 F08D953B FC19FD2D
      310DA96E A5F3E83B 52D515F8 7B4C99CF 4CECC3F7 1A0D4909 BD08C373 50BB53CC
      659C4246 2CB7B79F 43D94D96 586F9103 9B4659B6 5C8DDE4F 7CC5FC68 C4AD197A 4EC322
                quit
    crypto isakmp policy 1
    authentication pre-share
    crypto isakmp key SECRET address X.X.138.132 no-xauth
    crypto ipsec transform-set la-2800-trans-set esp-des esp-sha-hmac
    crypto map la-2800-ipsec-policy 1 ipsec-isakmp
    description vpn ipsec policy
    set peer X.X.138.132
    set transform-set la-2800-trans-set
    match address 101
    interface FastEthernet0/0
    description WAN Side
    ip address X.X.216.29 255.255.255.248
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    no cdp enable
    no mop enabled
    crypto map la-2800-ipsec-policy
    interface FastEthernet0/1
    description LAN Side
    ip address 10.20.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex full
    speed auto
    no mop enabled
    ip nat inside source route-map nonat interface FastEthernet0/0 overload
    access-list 10 permit X.X.138.132
    access-list 99 permit 64.236.96.53
    access-list 99 permit 98.82.1.202
    access-list 101 remark vpn tunnerl acl
    access-list 101 remark SDM_ACL Category=4
    access-list 101 remark tunnel policy
    access-list 101 permit ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255
    access-list 110 deny   ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255
    access-list 110 permit ip 10.20.0.0 0.0.0.255 any
    snmp-server community public RO
    route-map nonat permit 10
    match ip address 110
    webvpn gateway gateway_1
    ip address X.X.216.29 port 443
    ssl trustpoint TP-self-signed-1411740556
    inservice
    webvpn install svc flash:/webvpn/svc.pkg
    webvpn context gateway-1
    title "b"
    secondary-color white
    title-color #CCCC66
    text-color black
    ssl authenticate verify all
    policy group policy_1
       functions svc-enabled
       svc address-pool "WebVPN-Pool"
       svc keep-client-installed
       svc split include 10.20.0.0 255.255.0.0
    default-group-policy policy_1
    gateway gateway_1
    inservice
    end
    #3:  Test from Pix to router:
    Active SA:    1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    1   IKE Peer: X.X.21.29
        Type    : user            Role    : initiator
        Rekey   : no              State   : MM_WAIT_MSG2
    >>DEBUG:
    Oct 22 12:07:14 pix535:Oct 22 12:20:28 EDT: %PIX-vpn-3-713902: IP = X.X.21.29, Removing peer from peer table failed, no match!
    Oct 22 12:07:14 pix535 :Oct 22 12:20:28 EDT: %PIX-vpn-4-713903: IP = X.X.21.29, Error: Unable to remove PeerTblEntry
    #4:  test from router to pix:
    LA-2800#sh  crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    X.X.138.132  X.X.216.29  MM_KEY_EXCH       1017    0 ACTIVE
    >>debug
    LA-2800#ping 10.1.1.7 source 10.20.1.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.1.1.7, timeout is 2 seconds:
    Packet sent with a source address of 10.20.1.1
    Oct 22 16:24:33.945: ISAKMP:(0): SA request profile is (NULL)
    Oct 22 16:24:33.945: ISAKMP: Created a peer struct for X.X.138.132, peer port 500
    Oct 22 16:24:33.945: ISAKMP: New peer created peer = 0x488B25C8 peer_handle = 0x80000013
    Oct 22 16:24:33.945: ISAKMP: Locking peer struct 0x488B25C8, refcount 1 for isakmp_initiator
    Oct 22 16:24:33.945: ISAKMP: local port 500, remote port 500
    Oct 22 16:24:33.945: ISAKMP: set new node 0 to QM_IDLE     
    Oct 22 16:24:33.945: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 487720A0
    Oct 22 16:24:33.945: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    Oct 22 16:24:33.945: ISAKMP:(0):found peer pre-shared key matching 70.169.138.132
    Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-07 ID
    Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-03 ID
    Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-02 ID
    Oct 22 16:24:33.945: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    Oct 22 16:24:33.945: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    Oct 22 16:24:33.945: ISAKMP:(0): beginning Main Mode exchange
    Oct 22 16:24:33.945: ISAKMP:(0): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_NO_STATE
    Oct 22 16:24:33.945: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Oct 22 16:24:34.049: ISAKMP (0:0): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_NO_STATE
    Oct 22 16:24:34.049: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Oct 22 16:24:34.049: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
    Oct 22 16:24:34.049: ISAKMP:(0): processing SA payload. message ID = 0
    Oct 22 16:24:34.049: ISAKMP:(0): processing vendor id payload
    Oct 22 16:24:34.049: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Oct 22 16:24:34.049: ISAKMP:(0): vendor ID is NAT-T v2
    Oct 22 16:24:34.049: ISAKMP:(0): processing vendor id payload
    Oct 22 16:24:34.049: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
    Oct 22 16:24:34.053: ISAKMP:(0):found peer pre-shared key matching 70.169.138.132
    Oct 22 16:24:34.053: ISAKMP:(0): local preshared key found
    Oct 22 16:24:34.053: ISAKMP : Scanning profiles for xauth ...
    Oct 22 16:24:34.053: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    Oct 22 16:24:34.053: ISAKMP:      encryption DES-CBC
    Oct 22 16:24:34.053: ISAKMP:      hash SHA
    Oct 22 16:24:34.053: ISAKMP:      default group 1
    Oct 22 16:24:34.053: ISAKMP:      auth pre-share
    Oct 22 16:24:34.053: ISAKMP:      life type in seconds
    Oct 22 16:24:34.053: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    Oct 22 16:24:34.053: ISAKMP:(0):atts are acceptable. Next payload is 0
    Oct 22 16:24:34.053: ISAKMP:(0):Acceptable atts:actual life: 0
    Oct 22 16:24:34.053: ISAKMP:(0):Acceptable atts:life: 0
    Oct 22 16:24:34.053: ISAKMP:(0):Fill atts in sa vpi_length:4
    Oct 22 16:24:34.053: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    Oct 22 16:24:34.053: ISAKMP:(0):Returning Actual lifetime: 86400
    Oct 22 16:24:34.053: ISAKMP:(0)::Started lifetime timer: 86400.
    Oct 22 16:24:34.053: ISAKMP:(0): processing vendor id payload
    Oct 22 16:24:34.053: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Oct 22 16:24:34.053: ISAKMP:(0): vendor ID is NAT-T v2
    Oct 22 16:24:34.053: ISAKMP:(0): processing vendor id payload
    Oct 22 16:24:34.053: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
    Oct 22 16:24:34.053: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Oct 22 16:24:34.053: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
    Oct 22 16:24:34.057: ISAKMP:(0): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_SA_SETUP
    Oct 22 16:24:34.057: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Oct 22 16:24:34.057: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Oct 22 16:24:34.057: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    Oct 22 16:24:34.181: ISAKMP (0:0): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_SA_SETUP
    Oct 22 16:24:34.181: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Oct 22 16:24:34.181: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
    Oct 22 16:24:34.181: ISAKMP:(0): processing KE payload. message ID = 0
    Oct 22 16:24:34.217: ISAKMP:(0): processing NONCE payload. message ID = 0
    Oct 22 16:24:34.217: ISAKMP:(0):found peer pre-shared key matching X.X.138.132
    Oct 22 16:24:34.217: ISAKMP:(1018): processing vendor id payload
    Oct 22 16:24:34.217: ISAKMP:(1018): vendor ID is Unity
    Oct 22 16:24:34.217: ISAKMP:(1018): processing vendor id payload
    Oct 22 16:24:34.217: ISAKMP:(1018): vendor ID seems Unity/DPD but major 55 mismatch
    Oct 22 16:24:34.217: ISAKMP:(1018): vendor ID is XAUTH
    Oct 22 16:24:34.217: ISAKMP:(1018): processing vendor id payload
    Oct 22 16:24:34.217: ISAKMP:(1018): speaking to another IOS box!
    Oct 22 16:24:34.221: ISAKMP:(1018): processing vendor id payload
    Oct 22 16:24:34.221: ISAKMP:(1018):vendor ID seems Unity/DPD but hash mismatch
    Oct 22 16:24:34.221: ISAKMP:received payload type 20
    Oct 22 16:24:34.221: ISAKMP:received payload type 20
    Oct 22 16:24:34.221: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Oct 22 16:24:34.221: ISAKMP:(1018):Old State = IKE_I_MM4  New State = IKE_I_MM4
    Oct 22 16:24:34.221: ISAKMP:(1018):Send initial contact
    Oct 22 16:24:34.221: ISAKMP:(1018):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    Oct 22 16:24:34.221: ISAKMP (0:1018): ID payload
    next-payload : 8
    type         : 1
    address      : X.X.216.29
    protocol     : 17
    port         : 500
    length       : 12
    Oct 22 16:24:34.221: ISAKMP:(1018):Total payload length: 12
    Oct 22 16:24:34.221: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct 22 16:24:34.221: ISAKMP:(1018):Sending an IKE IPv4 Packet.
    Oct 22 16:24:34.225: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Oct 22 16:24:34.225: ISAKMP:(1018):Old State = IKE_I_MM4  New State = IKE_I_MM5
    Oct 22 16:24:38.849: ISAKMP:(1017):purging node 198554740
    Oct 22 16:24:38.849: ISAKMP:(1017):purging node 812380002
    Oct 22 16:24:38.849: ISAKMP:(1017):purging node 773209335..
    Success rate is 0 percent (0/5)
    LA-2800#
    Oct 22 16:24:44.221: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
    Oct 22 16:24:44.221: ISAKMP (0:1018): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    Oct 22 16:24:44.221: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
    Oct 22 16:24:44.221: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct 22 16:24:44.221: ISAKMP:(1018):Sending an IKE IPv4 Packet.
    Oct 22 16:24:44.317: ISAKMP (0:1018): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_KEY_EXCH
    Oct 22 16:24:44.317: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
    Oct 22 16:24:44.321: ISAKMP:(1018): retransmission skipped for phase 1 (time since last transmission 96)
    Oct 22 16:24:48.849: ISAKMP:(1017):purging SA., sa=469BAD60, delme=469BAD60
    Oct 22 16:24:52.313: ISAKMP (0:1018): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_KEY_EXCH
    Oct 22 16:24:52.313: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
    Oct 22 16:24:52.313: ISAKMP:(1018): retransmitting due to retransmit phase 1
    Oct 22 16:24:52.813: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
    Oct 22 16:24:52.813: ISAKMP (0:1018): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
    Oct 22 16:24:52.813: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
    Oct 22 16:24:52.813: ISAKMP:(1018): sending packet to X.X138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct 22 16:24:52.813: ISAKMP:(1018):Sending an IKE IPv4 Packet.
    Oct 22 16:24:52.913: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
    Oct 22 16:24:52.913: ISAKMP:(1018): retransmission skipped for phase 1 (time since last transmission 100)
    Oct 22 16:25:00.905: ISAKMP (0:1018): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_KEY_EXCH
    Oct 22 16:25:00.905: ISAKMP: set new node 422447177 to QM_IDLE     
    Oct 22 16:25:03.941: ISAKMP:(1018):SA is still budding. Attached new ipsec request to it. (local 1X.X.216.29, remote X.X.138.132)
    Oct 22 16:25:03.941: ISAKMP: Error while processing SA request: Failed to initialize SA
    Oct 22 16:25:03.941: ISAKMP: Error while processing KMI message 0, error 2.
    Oct 22 16:25:12.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
    Oct 22 16:25:12.814: ISAKMP (0:1018): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
    Oct 22 16:25:12.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
    Oct 22 16:25:12.814: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct 22 16:25:12.814: ISAKMP:(1018):Sending an IKE IPv4 Packet.
    Oct 22 16:25:22.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
    Oct 22 16:25:22.814: ISAKMP (0:1018): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
    Oct 22 16:25:22.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
    Oct 22 16:25:22.814: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct 22 16:25:22.814: ISAKMP:(1018):Sending an IKE IPv4 Packet.
    Oct 22 16:25:32.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
    Oct 22 16:25:32.814: ISAKMP:(1018):peer does not do paranoid keepalives.
    Oct 22 16:25:32.814: ISAKMP:(1018):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 70.169.138.132)
    Oct 22 16:25:32.814: ISAKMP:(1018):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 70.169.138.132)
    Oct 22 16:25:32.814: ISAKMP: Unlocking peer struct 0x488B25C8 for isadb_mark_sa_deleted(), count 0
    Oct 22 16:25:32.814: ISAKMP: Deleting peer node by peer_reap for X.X.138.132: 488B25C8
    Oct 22 16:25:32.814: ISAKMP:(1018):deleting node 1112432180 error FALSE reason "IKE deleted"
    Oct 22 16:25:32.814: ISAKMP:(1018):deleting node 422447177 error FALSE reason "IKE deleted"
    Oct 22 16:25:32.814: ISAKMP:(1018):deleting node -278980615 error FALSE reason "IKE deleted"
    Oct 22 16:25:32.814: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    Oct 22 16:25:32.814: ISAKMP:(1018):Old State = IKE_I_MM5  New State = IKE_DEST_SA
    Oct 22 16:26:22.816: ISAKMP:(1018):purging node 1112432180
    Oct 22 16:26:22.816: ISAKMP:(1018):purging node 422447177
    Oct 22 16:26:22.816: ISAKMP:(1018):purging node -278980615
    Oct 22 16:26:32.816: ISAKMP:(1018):purging SA., sa=487720A0, delme=487720A0
    ****** The PIX is also used    VPN client access  , such as  Cicso VPN client  5.0, working fine ; Router is  used as  SSL VPN server, working too
    I know there are lots of data here, hopefully these data may be useful for   diagnosis purpose.
    Any suggestions and advices are greatly appreciated.
    Sean

    Hi Sean,
    Current configuration:
    On the PIX:
    crypto isakmp policy 5
          authentication pre-share
          encryption 3des
          hash sha
          group 2
          lifetime 86400
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer X.X.21.29
    crypto map outside_map 1 set transform-set ESP-DES-SHA
    crypto map outside_map 1 set security-association lifetime seconds 28800
    crypto map outside_map 1 set security-association lifetime kilobytes 4608000
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    access-list outside_1_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0
    tunnel-group X.X.21.29 type ipsec-l2l
    tunnel-group X.X.21.29 ipsec-attributes
         pre-shared-key SECRET
    On the Router:
    crypto isakmp policy 1
          authentication pre-share
    crypto map la-2800-ipsec-policy 1 ipsec-isakmp
          description vpn ipsec policy    
          set peer X.X.138.132
          set transform-set la-2800-trans-set
          match address 101
    access-list 101 permit ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255
    crypto ipsec transform-set la-2800-trans-set esp-des esp-sha-hmac
    crypto isakmp key SECRET address X.X.138.132 no-xauth
    Portu.
    Please rate any helpful posts
    Message was edited by: Javier Portuguez

  • Branch office setup with L3 switch and router with IOS security

    Hello,
    I am in the process of putting together a small branch office network and I am in need of some design advise. The network will support about 10-15 workstations/phones, 3-4 printers, and 4-5 servers. In addition we will eventually have up to 25-30 remote users connecting to the servers via remote access VPN, and there will also be 2-3 site-to-site IPSec tunnels to reach other branches.
    I have a 2911 (security bundle) router and 3560 IP Base L3 switch to work with. I have attached a basic diagram of my topology. My initial design plan for the network was to setup separate VLANs for workstation, phone, printer, and server traffic. The 3560 would then be setup with SVIs to perform routing between VLANs. The port between the router and switch would be setup as a routed port, and static routes would be applied on the switch and router as necessary. The thought behind this was that I'd be utilizing the switch backplane for VLAN routing instead instead of doing router-on-a-stick.
    Since there is no firewall between the switch and router my plan was to setup IOS firewalling on the router. From what I am reading ZBF is my best option for this. What I was hoping for was a way to set custom policies for each VLAN, but it seems that zones are applied per interface. Since the interface between the router and switch is a routed interface, not a trunk/subinterface(s), it doesn't seem like there would be a way for me to use ZBF to control traffic on different VLANs. From what I am gathering I would have to group all of my internal network into one zone, or I would have to scrap L3 switching all together and do router-on-a-stick if I want to be able to set separate policies for each VLAN. Am I correct in my thinking here?
    I guess what I am getting at is that I really don't want to do router-on-a-stick if I have a nice switch backplane to do all of the internal routing. At the same time I obviously need some kind of firewalling done on the router, and since different VLANs have different security requirements the firewalling needs to be fairly granular.
    If I am indeed correct in the above thinking what would be the best solution for my scenario? That is, how can I setup this network so that I am utilizing the switch to do L3 routing while also leveraging the firewall capabilities of IOS security?
    Any input would be appreciated.
    Thanks,
    Austin

    Thanks for the input.
    1. I agree, since I have only three to four printers, they need not be in a separate VLAN. I simply was compartmentalizing VLANs by function when I initially came up with the design.
    2. Here's a little more info on the phone situation. The phones are VoIP. The IP PBX is on premise, but they are currently on a completely separate ISP/network. The goal in the future is to converge the data and voice networks and setup PBR/route maps to route voice traffic out the voice ISP and data traffic out the other ISP. This leads up to #3. 
    3. The reason a router was purchased over a firewall was that ASA's cannot handle routing and dual ISPs very well. PBR is not supported at all on an ASA, and dual ISPs can only be setup in an active/standby state. Also, an ASA Sec+ does not have near the VPN capabilities that the 2911 security does. The ASA Sec+ would support only 25 concurrent IPSec connections while the 2911 security is capable of doing an upwards of 200 IPSec connections.
    Your point about moving the SVI's to a firewall to perform filtering between VLANs makes sense, however, wouldn't this be the same thing as creating subinterfaces on a router? In both cases you are moving routing from the switch backplane to the firewall/routing device, which is what I am trying to avoid.  

  • Transparent Tunneling and Local Lan Access via VPN Client

    Remote users using Cisco VPN 4.2 connect successfully to a Cisco Pix 515 (ver. 6.3). The client is configured to allow Transparent Tunneling and Local Lan access, but once connected to the Pix, these two options are disabled. What configuration changes are required on the Pix to enable these options? Any assistance will be greatly appreciated.
    Mike Bowyer

    Hi Mike,
    "Transparent Tunneling" and "Local Lan Access" are two different things. "Transparent Tunneling" is dealing with establishing an IPSec Tunnel even if a NAT device is between your client and the VPN-Headend-Device. "Local LAN Access" is dealing with access to devices in the LAN your VPN-Client-Device is connected to.
    What do you mean exactly with "disabled once the connection is made" ?
    You can check the local LAN Access by having a look at the Route-Table of the VPN-Client:
    Right Click the yellow VPN-lock Icon in System-Tray while the VPN-Connection is active and select "Statistics ...". Have a look at the second register page "route details".
    Are any local LAN routes displayed when your are connected ?
    And - always remember two important restrictions the Online Help of the VPN-Client is mentioning:
    1: This feature works only on one NIC card, the same NIC card as the tunnel.
    2: While connected, you cannot print or browse the local LAN by name; when disconnected, you can print and browse by name.
    Carsten
    PS: Removing Split Tunnel won't enable local LAN access as all traffic would be sent into the IPSec tunnel.

  • MVR over DOT1Q-TUNNEL

    Is it possible to use MVR for delivering multicast to customers over dot1q-tunnel interface ?
    Can QinQ and MVR work together ?

    I think the muticast vlan registration shortly termed MVR is not supported in dot1Q tunnelling interface.Because, there is a criteria for configuring MVR.That is, while configuring MVR, receiver ports cannot be trunk ports. Since, do11q is a trunking protocol,I believe MVR can't be transmitted over trunk port, and hence over dot1q tunnel interface.For detailed info on this mvr,
    refer to the configuration guidelines sections of mvr at:
    http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a008007e8d9.html#xtocid14

  • Discover Switch and router over VPN

    i am in contact with a company having many branches connecting over VPN tunnel and with different IP range in each branch
    how can i configure the LMs to discover my switch and my router over VPN

    LMS 3.0.1 and higher can use non-CDP discovery methods which should be able to find your remotely connected VPN devices.  You could use the Ping Sweep or Route Table modules to accomplish what you want.
    See https://supportforums.cisco.com/docs/DOC-9005 for more details.

  • Me3400 mep on dot1q-tunnel interface

    Hi
    Just wanted to get someone to give me some quick pointers on the following task:
    I have an me3400 with fa0/1 as a UNI.
    also I have Gig0/1 as NNI.
    I have set the commands on the switch as
    ethernet cfm ieee
    ethernet cfm global
    ethernet cfm domain testnet level 4
    ethernet evc cust1
       oam protocol cfm svlan 10 domain testnet
    interface FastEthernet0/1
      switchport access vlan 10
      switchport mode dot1q-tunnel
      speed 100
      duplex full
      l2protocol-tunnel cdp
      l2protocol-tunnel lldp
      l2protocol-tunnel stp
      l2protocol-tunnel vtp
    interface GigabitEthernet0/1
      port-type nni
      switchport mode trunk
      ethernet cfm mip level 4 vlan 10
    so this is the minimal functionality that I am after.
    What else do I need to do to link the fa0/1 port to the EVC and enable an UP MEP and CC on it?
    the end goal initially is to propagate link loss when the UNI is disconnected so that the remote me3400 brings down its UNI.
    any help please.

    It's difficult for Cisco Cat 6500.Why don't you consider products from other vendors?

  • Dot1q tunnel VPLS support

    Hello Guys,
    I am configuring a dot1q tunnel VPLS since it suited our need for the client's requirements. To my surprise the 48 port tx we are using on our 7600 doesn't support this
    7609-PPE1(config-if)#switchport mode dot1q-tunnel
    Command rejected: Gi2/4 doesn't support 802.1q tunneling.
    IOS is s72033-pk9sv-mz.122-18.SXD5.bin
    Hardware is 48 SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX
    For me to establish a good VPLS in dot1q (dot1q in dot1q) multipoint connection, what hardware with port density is available for this one?
    I didn't have any problem with OSM modules, but we have to be practical with the port density.
    Your insights will be greatly appreciated.
    Thanks.

    For vpls to work the core facing should be a osm module.Configure IP routing in the core so that the PE routers can reach each other via IP. Configure MPLS in the core so that a label switched path (LSP) exists between the PE routers.For more info refer
    http://www.cisco.com/en/US/products/hw/routers/ps368/products_configuration_guide_chapter09186a00801e5c06.html#wp1338115.

Maybe you are looking for