Double tagged traffic on L3 Interface
Hello All,
Traffic tagged with outer vlan 3050 and inner vlan 350 isn't matching the following L3 interface configuration:
interface GigabitEthernet0/4/0/28.3050
vrf ABC
ipv4 address 20.0.0.11 255.255.255.0
encapsulation dot1q 3050
Even with no second tag configured, shouldn't the outer vlan match vlan 3050 configured on the interface?
Many thanks for your help!
David
Hello David,
Unambiguous vlan definition works for L2 interfaces.
For L3 you should define 2nd tag too.
interface GigabitEthernet0/4/0/28.3050
vrf ABC
ipv4 address 20.0.0.11 255.255.255.0
encapsulation dot1q 3050 second-dot1q 350
Regards,
/A
Similar Messages
-
Hi,
I regularly use bridge domains to connect sub interfaces on different vlans using this sort of configuration:
interface GigabitEthernet0/0/0/5.21 l2transport
description CUSTOMER A WAN
encapsulation dot1q 21
rewrite ingress tag pop 1 symmetric
interface GigabitEthernet0/0/0/10.3122 l2transport
description CUSTOMER A CORE
encapsulation dot1q 3122
rewrite ingress tag pop 1 symmetric
l2vpn
bridge group WANLINKS
bridge-domain CUSTOMERA
interface GigabitEthernet0/0/0/5.21
interface GigabitEthernet0/0/0/10.3122
When I try to use the same method to bridge two sub interfaces on the same physical interface so as to create a L2 VPN no data flows:
interface GigabitEthernet0/0/0/5.21 l2transport
description CUSTOMER A WAN
encapsulation dot1q 21
rewrite ingress tag pop 1 symmetric
interface GigabitEthernet0/0/0/5.22 l2transport
description CUSTOMER A WAN2
encapsulation dot1q 22
rewrite ingress tag pop 1 symmetric
l2vpn
bridge group WANLINKS
bridge-domain CUSTOMERA
interface GigabitEthernet0/0/0/5.21
interface GigabitEthernet0/0/0/5.22
If I add a BVI interface to the bridge domain then the CE devices at the remote end of the WAN interface can both ping the BVI IP but they remain unable to ping each other.
Is this because tag rewrites are not happening since packets don't leave the physical interface?
How can I work around this and establish a L2 connection between the two subinterfaces?
Thank you
A VLAN is usually the equivalent of an L3 subnet, so linking 2 VLANs together in the same bridge domain likely needs to come with some sort of routing (e.g. a BVI interface).
If these 2 VLANs are still in the same subnet, then there is still ARP going on, from one host to the other, that traverses the BD.
You will need to verify the state of the AC and the forwarding in the BD, see if something gets dropped somewhere, and follow the generic packet troubleshooting guides (see the support forums for that also).
That might give a hint to what the precise issue in your forwarding is.
regards
xander -
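The first thread (an L3 subinterface that does not see double-tagged frames) and the bridge-domain thread above both come down to which tags a subinterface's encapsulation consumes before the rest of the frame is handed on. The following is an added example written for this page, not code from the posts, from Cisco or from IOS-XR: it builds 802.1Q and QinQ frames in Python, models an L3 subinterface as an exact match on the tags named in `encapsulation dot1q OUTER [second-dot1q SECOND]`, models an l2transport subinterface as a match on the named tags with any inner tags carried through as payload, and applies `rewrite ingress tag pop 1 symmetric` when bridging two attachment circuits. The matching rules encode what the replies above state; the helper names (`matches`, `L2AC`, `bridge`) and the MAC addresses are assumptions of the example.

```python
import struct

TPID_DOT1Q = 0x8100   # 802.1Q C-tag
TPID_DOT1AD = 0x88A8  # 802.1ad S-tag; also counted as a tag when walking the header


def build_frame(dst, src, vlans, ethertype=0x0800, payload=b""):
    """Ethernet frame with 0..n 802.1Q tags, outermost first (PCP/DEI bits left at 0)."""
    frame = bytes(dst) + bytes(src)
    for vid in vlans:
        frame += struct.pack("!HH", TPID_DOT1Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, [vlan ids outer -> inner], ethertype, payload)."""
    dst, src, tags, off = frame[:6], frame[6:12], [], 12
    while True:
        (tpid,) = struct.unpack_from("!H", frame, off)
        if tpid not in (TPID_DOT1Q, TPID_DOT1AD):
            return dst, src, tags, tpid, frame[off + 2:]
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append(tci & 0x0FFF)  # low 12 bits of the TCI carry the VLAN ID
        off += 4


def matches(frame, outer, second=None, l2transport=False):
    """Does this frame land on a subinterface configured with
    `encapsulation dot1q OUTER [second-dot1q SECOND]`?

    L3 subinterface: every tag on the wire must be named (exact match), so a
    3050/350 frame does not match `encapsulation dot1q 3050` alone.
    l2transport subinterface (assumption: the L2 behaviour the reply above
    describes): the named tags must match and any inner tags are carried
    through untouched as part of the payload.
    """
    _, _, tags, _, _ = parse_frame(frame)
    expected = [outer] if second is None else [outer, second]
    if l2transport:
        return tags[: len(expected)] == expected
    return tags == expected


class L2AC:
    """An l2transport attachment circuit with `rewrite ingress tag pop 1 symmetric`."""

    def __init__(self, name, vlan):
        self.name, self.vlan = name, vlan

    def ingress(self, frame):
        """Accept a frame from the wire; return it with its outer tag popped, or None."""
        if not matches(frame, self.vlan, l2transport=True):
            return None
        dst, src, tags, etype, payload = parse_frame(frame)
        return build_frame(dst, src, tags[1:], etype, payload)

    def egress(self, frame):
        """'symmetric': the tag popped on ingress is pushed back on egress."""
        dst, src, tags, etype, payload = parse_frame(frame)
        return build_frame(dst, src, [self.vlan] + tags, etype, payload)


def bridge(frame, ingress_ac, egress_ac):
    """Forward one frame across a bridge domain from one AC to another (no MAC learning modelled)."""
    inner = ingress_ac.ingress(frame)
    return None if inner is None else egress_ac.egress(inner)


# Constructed addresses for the demonstration.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")

if __name__ == "__main__":
    qinq = build_frame(DST, SRC, [3050, 350])
    print("L3 dot1q 3050              :", matches(qinq, 3050))                    # False
    print("L3 dot1q 3050 second 350   :", matches(qinq, 3050, 350))               # True
    print("L2 dot1q 3050 (l2transport):", matches(qinq, 3050, l2transport=True))  # True

    ac21 = L2AC("GigabitEthernet0/0/0/5.21", 21)
    ac22 = L2AC("GigabitEthernet0/0/0/5.22", 22)
    out = bridge(build_frame(DST, SRC, [21], payload=b"ARP"), ac21, ac22)
    print("VLAN 21 in -> tags on the way out:", parse_frame(out)[2])              # [22]
```

The bridge in the second thread is the `ac21` to `ac22` path: the frame enters single-tagged with 21, leaves untagged into the bridge domain, and is re-tagged 22 on the other AC, so the two CEs see each other as if on one VLAN. The example does not model MAC learning or the BVI, so it cannot show the drop the poster saw; it only shows what the tag rewrites do and do not change.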
"mpls traffic-eng passive-interface" mapping on XR
Dears,
On IOS, for TE Inter-AS, the command "mpls traffic-eng passive-interface" is used on the Inter-AS link which isn't running IGP, so I am seeking the equivalent command on XR but I can't find it. Please advise what the equivalent command on XR is.
Thanks
Hello Amr,
There is no equivalent command on IOS-XR. Are you trying to set up Inter-AS MPLS TE on XR? In IOS-XR, inter-AS tunnels are supported only by using verbatim path-options. Verbatim path-options are supported on both IOS and IOS-XR.
HTH,
Rivalino -
How to monitor the traffic on network interface card NIC
hello friends
I'm doing a network-based project
in which I need to calculate the incoming
and outgoing traffic on a network interface.
Can anyone help me regarding this...
Is there any API that I can use? I know about JPCAP
but I'm unable to use it in this respect...
Thanks in advance
Sorry for any mistake....
I'm new to Java.
Actually, using JPCAP we can capture the packets
and process them... maybe save them to a file or something like that,
but how do I know the current incoming and outgoing traffic... on the NIC,
and also how much it is capable of?
Can you tell me any good tutorial?
I really need to do that.
thanks for concern -
Routing traffic using 2 interfaces
My question is: what's the best solution for routing internet traffic out one interface and production/management traffic out another interface, using a Cisco ISR 2900?
You can use PBR.
Here are 2 documents with examples:
http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.html
https://supportforums.cisco.com/docs/DOC-1634
HTH -
Force http traffic to specific interface
Just set up a 2801 router. We have a serial interface card on it connected to a T1 and eth1 connected to DSL. We want to force web traffic (http, https, ftp) to use the DSL connection. I tried a simple access-list to allow http to the DSL and deny it to the T1; however, it didn't seem to work. Then I noticed that in the SDM it has "default" rules that always enable http. Do I need to disable the http server to get this access list to work, or is there an easier way to force web traffic to a specific interface?
Thanks in advance.
I set up the route-map and access-list and applied it to FE 0/1 (DSL connection); however, it still appears nothing is going through that interface. When I monitor it in the SDM, it shows 0% bandwidth usage.
Just to double check, I unplugged the DSL to see if web traffic stopped, but it was still going, I assume through the T1 at S 0/2/0.
FE 0/0 goes to our fw, then to lan
FE 0/1 goes to DSL
S 0/2/0 goes to T1
Here is my config:
router#show run
Building configuration...
Current configuration : 4506 bytes
! Last configuration change at 10:29:45 MDT Fri Aug 4 2006 by admin
! NVRAM config last updated at 15:17:31 MDT Thu Aug 3 2006 by admin
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
boot-start-marker
boot system flash c2801-ipbasek9-mz.124-8.bin
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$EWDt$pvWzeNhilneb/EUJosxlv0
no aaa new-model
resource policy
clock timezone MDT -7
clock summer-time MDT date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
ip cef
ip tcp synwait-time 10
no ip bootp server
ip name-server 198.60.22.2
ip name-server 198.60.22.22
username admin privilege 15 secret 5 $1$TF47$aa8RLf18isZxIwjOKfdmZ.
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
ip address 199.104.124.210 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
duplex auto
speed auto
no mop enabled
interface FastEthernet0/1
description $FW_OUTSIDE$$ETH-LAN$
ip address 192.168.2.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
ip policy route-map toDSL
duplex auto
speed auto
no mop enabled
interface FastEthernet0/1/0
interface FastEthernet0/1/1
interface FastEthernet0/1/2
interface FastEthernet0/1/3
interface Serial0/2/0
ip address 204.228.133.46 255.255.255.252
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip route-cache flow
ip route 0.0.0.0 0.0.0.0 204.228.133.45
ip route 192.168.2.0 255.255.255.0 192.168.2.1
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
logging trap debugging
access-list 111 permit tcp any any eq www
no cdp run
route-map toDSL permit 1
match ip address 111
set ip next-hop 192.168.2.1
control-plane
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
exec-timeout 30 0
privilege level 15
login local
transport input ssh
transport output ssh
line vty 5 15
access-class 102 in
privilege level 15
login local
transport input ssh
scheduler allocate 20000 1000
ntp clock-period 17178101
ntp update-calendar
ntp server 198.60.22.240 source Serial0/2/0
end -
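Policy-based routing is evaluated against packets as they enter the interface carrying `ip policy route-map`; packets that enter on another interface and merely leave through the policied one are never matched. As an added example (not the poster's configuration and not Cisco code), the Python below parses the posted ACL and route-map into a small evaluator and shows on which ingress interface the policy has to sit for an inside host's HTTP flow to be sent to 192.168.2.1. The evaluator handles only the numbered extended-ACL forms needed here; the sample hosts and addresses are constructed.

```python
import ipaddress

# Port keywords accepted in the ACL lines handled here (subset of the IOS names).
PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "telnet": 23, "smtp": 25, "domain": 53}


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _addr(tokens):
    """Consume one ACL address spec (any | host X | NET WILDCARD). None means 'any'."""
    t = tokens.pop(0)
    if t == "any":
        return None
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0))
    wildcard = tokens.pop(0)
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.ip_network(f"{t}/{mask}", strict=False)


def _opt_port(tokens):
    """Consume an optional 'eq PORT'."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return _port(tokens.pop(0))
    return None


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines into {N: [entries]}."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue
        number, action, proto, rest = tok[1], tok[2], tok[3], tok[4:]
        src = _addr(rest)
        sport = _opt_port(rest)
        dst = _addr(rest)
        dport = _opt_port(rest)
        acls.setdefault(number, []).append(
            dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport))
    return acls


def acl_permits(entries, pkt):
    """First matching entry decides; no match falls through to the implicit deny."""
    for e in entries:
        if e["proto"] not in ("ip", pkt["proto"]):
            continue
        if e["src"] is not None and ipaddress.ip_address(pkt["src"]) not in e["src"]:
            continue
        if e["dst"] is not None and ipaddress.ip_address(pkt["dst"]) not in e["dst"]:
            continue
        if e["sport"] is not None and e["sport"] != pkt["sport"]:
            continue
        if e["dport"] is not None and e["dport"] != pkt["dport"]:
            continue
        return e["action"] == "permit"
    return False


def pbr_next_hop(policies, acls, ingress_if, pkt):
    """Next hop set by the route-map applied on INGRESS_IF, or None (normal routing).

    `ip policy route-map` is evaluated on packets *entering* the interface that
    carries it, which is why POLICIES is keyed by ingress interface.
    """
    for clause in policies.get(ingress_if, []):
        if acl_permits(acls.get(clause["match_acl"], []), pkt):
            return clause["next_hop"]
    return None


# The relevant pieces of the posted configuration.
ACLS = parse_acl("access-list 111 permit tcp any any eq www")
TO_DSL = [dict(match_acl="111", next_hop="192.168.2.1")]   # route-map toDSL permit 1
AS_POSTED = {"FastEthernet0/1": TO_DSL}     # `ip policy route-map toDSL` on the DSL port
ON_LAN_PORT = {"FastEthernet0/0": TO_DSL}   # the same policy on the port facing the firewall/LAN


def lan_web_packet(dport=80):
    """Constructed packet: an inside host (behind the FW on FE0/0) browsing an Internet server."""
    return dict(proto="tcp", src="192.0.2.50", dst="203.0.113.10", sport=51000, dport=dport)


if __name__ == "__main__":
    pkt = lan_web_packet()
    print("policy on FE0/1, packet enters FE0/0:", pbr_next_hop(AS_POSTED, ACLS, "FastEthernet0/0", pkt))
    print("policy on FE0/0, packet enters FE0/0:", pbr_next_hop(ON_LAN_PORT, ACLS, "FastEthernet0/0", pkt))
    print("same, but HTTPS (not in ACL 111):   ", pbr_next_hop(ON_LAN_PORT, ACLS, "FastEthernet0/0", lan_web_packet(443)))
```

Two things the run makes visible: the policy as posted sits on FastEthernet0/1, so a packet arriving from the firewall on FastEthernet0/0 is routed by the default route towards the T1, and access-list 111 as posted matches only tcp/80, so the https and ftp flows the poster also wants on the DSL would need entries of their own.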
I am trying to confirm my assumption that given voice traffic arriving at an AP or wireless bridge is already tagged with COS (and TOS) precedence, the wireless device will properly deal with it by default.
It appears from the documentation, but isn't explicitly stated, that the only QoS configuration required is to classify and tag (COS) packets. If they are tagged already, no configuration is required.
Is this correct?
Also, are COS precedence values preserved across a wireless bridge link, or must they be re-tagged at the far end?
Hi there,
in "Configuring QoS" of the Aironet 1310 Configuration Guide
http://www.cisco.com/en/US/products/ps5861/products_configuration_guide_chapter09186a00804ed713.html
it reads:
"Precedence of QoS Settings
When you enable QoS, the access point/bridge queues packets based on the Layer 2 class of service value for each packet. The access point/bridge applies QoS policies in this order:
1. Packets already classified—When the access point/bridge receives packets from a QoS-enabled switch or router that has already classified the packets with non-zero 802.1Q/P user_priority values, the access point/bridge uses that classification and does not apply other QoS policy rules to the packets. An existing classification takes precedence over all other policies on the access point/bridge.
Note Even if you have not configured a QoS policy, the access point always honors tagged 802.1P packets that it receives over the radio interface."
Hope this helps
Martin -
IDSM missing traffic on trunk interface
Hi
I have a scenario where an IDSM with IPS 6 is triggering on traffic from a non-trunk interface but not when the same traffic passes over another VLAN on a trunk.
Monitor setup is like this
monitor session 10 source interface Gi1/2
monitor session 10 source interface Gi7/1
monitor session 10 filter vlan 22 - 23 , 208
monitor session 10 destination intrusion-detection-module 5 data-port 1
where 1/2 is the non-trunk interface and 7/1 is the trunk. Traffic from VLAN 23 is firewalled/NATed and sent out on VLAN 208 towards our edge network.
The exact case is that when I browse an external web site with SQL code in the HTML I get an SQL Injection alert from VLAN 208 only. I never get the alert for the same traffic passing behind the firewall over the trunk. When I set a sniffer as source for the SPAN session I see the HTTP request with the SQL code passing through the trunk interface as well as VLAN 208.
Am I missing something here? Shouldn't an IPS report ALL occurrences of bad traffic?
Regards
Fredrik Hofgren
What has to be upgraded, the Catalyst IOS or the software on the IDSM? Our Catalyst has IOS 12.2(18)SXF5 and the IDSM the latest version 6.0(3)E1.
It seems odd that it would be a problem with missing VLAN tags. When I set the IDSM to manually capture traffic from an IP in the inside VLAN passing over the trunk the VLAN tag is present when I view the packets in Ethereal.
/Fredrik -
Possible to segment traffic between 2 interfaces? And other questions...
I would like to set my G5 up as a server utilizing a second connection and to keep traffic separated between this server connection and my regular internet connection (which would be wireless). I'm pretty sure this alone is fairly straightforward and can be accomplished by setting up the new interface and moving it down to the bottom of the connection list with wireless at the top. That should keep all non-specific traffic from flowing out the ethernet/server connection - I think.
If the above works the way I stated, then I would also want to firewall ONLY the ethernet/server connection (the wireless has its own hardware firewall). AND - this is the tricky part - I also want to add a fake interface that has a fake IP and bind that to the "real" ethernet/server connection. The reason for that is that I need a static IP to bind the service to. I know that if the connection list thing works to flow the traffic, and I had an external router on the server connection, this wouldn't be needed. I'd already have a fake IP to bind to and I wouldn't have to run the firewall on the Mac. But I don't, and I'd rather not have to buy one.
So can this be done through the Network/Sharing preference panes? If so, are there any "gotchas" I should be aware of? If not, is there any software tool out there that would make setting this up easier/faster? I'm not opposed to doing it all via the command line, but I'm a bit rusty with my Linux/Unix admin knowledge. Plus I'm not 100% certain how to set all that up command-line-wise without screwing up OS X!
Thanks.
I'm not sure I fully understand what you are attempting to accomplish. Let's see if I have the general idea.
You have a single G5 that you want to use as both your desktop machine and also to provide specific services, such as web, email, etc.
You have some type of hardware firewall/security appliance.
You have some type of wireless access point.
You don't seem to have any type of router or switch in your configuration.
You want all of your server-based traffic to be sent and received on its own Ethernet port. You want your personal Internet traffic to be sent and received on your wireless connection.
So my questions are:
Where is the server traffic going to, and coming from? Who is accessing the server: is it users on the Internet, or just computers on your own LAN (which you didn't mention)?
If your server is to allow data from or send to the Internet, then you need to have a way to route the traffic there. Do you have more than one method to access the Internet, or will all traffic, both personal and server, be going through the same Internet access pipe?
If it is all going through the same pipe, and you only have the single computer, I don't understand why you wish to segment the traffic.
If, on the other hand, you have multiple computers on your LAN, then segmenting traffic may make sense. This would allow access to your server and keep your LAN well secured.
Anyway, to get to specifics, you'll need to use the Terminal app to bind specific services to specific IPs and ports on your Mac. You will also need to manually configure the firewall to be able to select specific connection ports and bindings. However, while I think it can be done, I'm not sure it makes a great deal of sense.
I would be more inclined to suggest that a router or switch that can provide VLAN support, or a router that provides true DMZ support, would be a good way to go.
Anyway, a little more info would be helpful.
Oh, and if I have this totally wrong in what I think you're doing... my mistake.
Tom N. -
WCCP on ASA & traffic between physical interfaces on ASA
Hello,
I am trying to get WCCP working on the ASA for WAAS implementation. Here is a simple snapshot of my config:
Eth 0/0 : Outside (to internet)
Eth 0/1 : Vlan1 (20.20.0.0/16) (trunk port to remote office LAN)
Eth 0/1.211 : Vlan211 (20.21.10.0/24)
Eth 0/1.212 : Vlan212 (20.21.20.0/24)
Eth 0/1.220 : Vlan220 (20.22.0.0/16)
Eth 0/2 : WAAS (20.21.30.0/24)
I have the site to site tunnel working. I can ping the WAAS device from the other end of the tunnel but I cannot ping it from the 20.20.0.0/16 network. I have enabled traffic between interfaces on same security level as WAAS and LAN have same security.
I get this error message:
3 Feb 12 2007 17:54:05 305006 20.20.10.101 portmap translation creation failed for icmp src WAAS:20.21.30.230 dst LAN:20.20.10.101 (type 8, code 0)
How can I fix this?
My second question is regarding WCCP on ASA. Here is the WCCP part of the config I have:
wccp 61 redirect-list WCCP_To_LAN
wccp 62 redirect-list WCCP_To_WAN
wccp interface outside 62 redirect in
wccp interface LAN 61 redirect in
access-list WCCP_To_LAN extended permit ip any 20.20.0.0 255.252.0.0
access-list WCCP_To_WAN extended permit ip 20.20.0.0 255.252.0.0 any
I am not seeing any packets being redirected to the WAE. I once changed the access lists to 'any any' and I saw some packets but I couldn't ping or telnet to the remote site. Could it be a loop? Is there any way to exclude traffic to avoid loop?
Thanks
Ankit
Come on guys,
Am I doing something wrong here?
No one replies to my posts. I had the same experience with the previous one.
Is this not the right forum for this query???
Ankit -
Switch sending tcp traffic to incorrect interface
Need help diagnosing a layer 2 networking issue. We had a report from an end user of slow file server access from his computer, but local applications were responding normally. No one else was having issues in his area. Port-mirrored the employee's access port (Gi1/0/33) and noticed traffic from another computer crossing onto his port. Our design is to have one computer per port. This traffic was not intended for his computer, as it was another employee opening and closing files on the file server (file server located on another switch). Checked the MAC address table and his MAC address was the only one associated with the port. Traced the 2nd employee's MAC address to a neighboring port (Gi1/0/35). The only MAC address associated with Gi1/0/35 was the 2nd employee's. Cleared the MAC address entry for Gi1/0/33 only and the extra traffic was eliminated immediately.
Why would a switch send TCP traffic to a port that a client does not communicate on? I asked the second employee if they noticed any issue in accessing the file server and none were reported. Switch is a 3750X with version 12.2.
I've been double-checking everything this morning and I feel we were not attacked. All the MAC addresses in my capture are valid system addresses. ISE does not show any authorized machines attempting to connect to the switch. We have DHCP snooping enabled throughout the organization. That was a great article to learn from though.
I've included a Visio of the setup and a snippet of the wire capture and ARP/MAC tables as they were captured during the incident. Traffic from the file server intended for employee 2 was flooding the port employee 1 was connected on. The destination MAC address of the packets was not meant for employee 1.
Default config for both ports:
switchport access vlan 101
switchport mode access
ip access-group ACL_DEFAULT in
authentication event fail action next-method
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
Am I missing something? Was this an attack? Was it a fluke? -
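For a capture like the one described above, the questions a responder wants answered are whether the frames reaching a mirrored access port are addressed to the station on that port, flooded because the switch has no entry for the destination, or delivered even though the destination is learned on another port, and, separately, whether the source-MAC population looks like a CAM-table flooding attack (which shows up as a very large number of never-before-seen source addresses rather than as one known station's traffic). The script below is an added example for this page, not the poster's capture or tooling: it classifies constructed frame records against a constructed MAC table and reports the two findings independently. The MAC addresses, port names and thresholds are assumptions of the example.

```python
from collections import Counter


def is_group_address(mac):
    """Broadcast/multicast: the I/G bit (least-significant bit of the first octet) is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


def port_of(mac, mac_table):
    """Port on which MAC is learned, or None (like `show mac address-table address`)."""
    mac = mac.lower()
    for port, macs in mac_table.items():
        if mac in macs:
            return port
    return None


def classify(frame, port, mac_table):
    """Label one frame seen on a SPAN session mirroring PORT."""
    dst = frame["dst"].lower()
    if is_group_address(dst):
        return "group"                  # broadcast/multicast: expected on every port in the VLAN
    learned_on = port_of(dst, mac_table)
    if learned_on == port:
        return "unicast-to-port"        # ordinary forwarding to the station on this port
    if learned_on is None:
        return "unknown-unicast-flood"  # no entry for dst: the switch floods the VLAN
    return "unicast-leak"               # dst is learned elsewhere, yet the frame reached this port


def analyse(frames, port, mac_table, leak_ratio=0.05, cam_flood_srcs=500):
    """Summarise a capture and raise two independent findings."""
    labels = [classify(f, port, mac_table) for f in frames]
    counts = Counter(labels)
    leaked = Counter(f["dst"].lower() for f, lab in zip(frames, labels)
                     if lab in ("unknown-unicast-flood", "unicast-leak"))
    distinct_src = len({f["src"].lower() for f in frames})
    findings = []
    total = max(len(frames), 1)
    if (counts["unknown-unicast-flood"] + counts["unicast-leak"]) / total > leak_ratio:
        findings.append("unicast traffic for other stations is reaching %s: %s" % (port, dict(leaked)))
    if distinct_src > cam_flood_srcs:
        # A CAM-table flooding tool produces thousands of random source MACs on one port;
        # one known station's traffic leaking onto the port does not.
        findings.append("%d distinct source MACs seen on one access port: suspect CAM-table flooding"
                        % distinct_src)
    return dict(counts=dict(counts), leaked=dict(leaked), distinct_src=distinct_src, findings=findings)


# Constructed data: a MAC table and a few frames mirrored from Gi1/0/33.
EMP1, EMP2, FILESERVER = "00:11:22:aa:bb:01", "00:11:22:aa:bb:02", "00:50:56:11:22:33"
MAC_TABLE = {
    "Gi1/0/33": {EMP1},         # employee 1
    "Gi1/0/35": {EMP2},         # employee 2
    "Gi1/0/52": {FILESERVER},   # uplink towards the switch holding the file server
}
SAMPLE_FRAMES = (
    [dict(src=FILESERVER, dst=EMP1, proto="tcp/445")] * 2
    + [dict(src=EMP1, dst="ff:ff:ff:ff:ff:ff", proto="arp")]
    + [dict(src=FILESERVER, dst=EMP2, proto="tcp/445")] * 8   # the frames the post describes
)

if __name__ == "__main__":
    report = analyse(SAMPLE_FRAMES, "Gi1/0/33", MAC_TABLE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed data the first finding fires (employee 2's file-server traffic is present on employee 1's port) and the second does not (only two source MACs), which is the distinction between the flooding symptom the post describes and a MAC-flooding attack; a real run would take the frame records from the SPAN capture and the table from `show mac address-table`.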
Slow tcp traffic over ge0 interface
I have a server that, while using ge0 for UDP traffic, uses the full bandwidth, but for TCP it is slow as hell.... ttcp is showing how slow it is, in the kbps rather than Mbps. I want to know if there is a specific patch to fix this.
-
Calculate traffic amount on interface
Team:
I have not deployed any monitoring software yet; however, Cacti is in the works. But is it possible to change the 'five minute input rate / five minute output rate' time interval from 5 min to seconds and get an accurate account of traffic going over a FastEthernet interface? Would I choke the hardware (3750) if I change this attribute? Would this be a good method to see the load/traffic values in real time?
BACKGROUND:
The server team has deployed a new SQL server, and the DB devs are complaining that it is slow. I suspect that more traffic is going over the interfaces than what the 'server team' and 'DB devs' indicated, because they know I would raise a stink. I do not have access to the database server, nor the other end, yet I have access to the network gear between the points.
Since I have never faced this type of issue or problem, I need some direction and/or suggestions on how to troubleshoot this type of issue.
Thanks
JJ
Hi Jason,
Issue the command load-interval 30 on the interface and it will start displaying the input/output rate over 30 secs.
This won't impact the efficiency of the switch..
For further troubleshooting of the issue check for any output drops/ input errors/crc in the show interface fax/y output.
Thanks
Ankur
"Please rate the post if found useful" -
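Both the NIC-monitoring question earlier on this page and the `load-interval` question above come down to the same arithmetic: a rate is the difference of two byte counters divided by the sampling interval, and the counter width decides how often you must sample before a wrap becomes ambiguous (a 32-bit octet counter advances by 2^32 bytes in about 34 s at 1 Gbit/s, so on fast links either 64-bit counters such as ifHCInOctets or short intervals are needed). The `show interfaces` five-minute rates are a decaying average over the load interval rather than such a difference. As an added example, not from either thread, the Python below parses two constructed /proc/net/dev snapshots taken 30 s apart, undoes a 32-bit wrap on the receive counter, and reports bit rates, packet rates, drops and utilisation; the interface names and counter values are constructed.

```python
# Constructed /proc/net/dev snapshots, 30 s apart. eth0's receive-byte counter is
# treated as 32 bits wide and wraps between the two samples.
SAMPLE_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   123456     800    0    0    0     0          0         0    123456     800    0    0    0     0       0          0
  eth0: 4294900000 3000000    0    0    0     0          0         0 1000000000 2000000    0    0    0     0       0          0
"""
SAMPLE_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   123456     800    0    0    0     0          0         0    123456     800    0    0    0     0       0          0
  eth0:     932704 3000700    0    0    0     0          0         0 1030000000 2020000    0   12    0     0       0          0
"""
INTERVAL_S = 30


def parse_proc_net_dev(text):
    """Parse /proc/net/dev text into {iface: {rx_bytes, rx_packets, rx_errs, rx_drop, tx_...}}."""
    stats = {}
    for line in text.splitlines()[2:]:          # skip the two header lines
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        f = [int(x) for x in rest.split()]      # 8 receive fields, then 8 transmit fields
        stats[name.strip()] = dict(rx_bytes=f[0], rx_packets=f[1], rx_errs=f[2], rx_drop=f[3],
                                   tx_bytes=f[8], tx_packets=f[9], tx_errs=f[10], tx_drop=f[11])
    return stats


def counter_delta(old, new, counter_bits=64):
    """Difference of a monotonically increasing counter, undoing at most one wrap."""
    if new >= old:
        return new - old
    return new + (1 << counter_bits) - old


def interface_rates(s0, s1, seconds, counter_bits=64):
    """Per-interface rates between two snapshots: bits/s, packets/s, and error/drop deltas."""
    out = {}
    for name in s0.keys() & s1.keys():
        d = {k: counter_delta(s0[name][k], s1[name][k], counter_bits) for k in s0[name]}
        out[name] = dict(
            rx_bps=d["rx_bytes"] * 8 / seconds, tx_bps=d["tx_bytes"] * 8 / seconds,
            rx_pps=d["rx_packets"] / seconds, tx_pps=d["tx_packets"] / seconds,
            rx_errs=d["rx_errs"], rx_drop=d["rx_drop"], tx_errs=d["tx_errs"], tx_drop=d["tx_drop"],
        )
    return out


def utilisation_pct(bps, link_bps):
    return 100.0 * bps / link_bps


def max_safe_interval(link_bps, counter_bits=32):
    """Longest sampling interval (s) over which a line-rate counter advances by less
    than 2**counter_bits, so that a single wrap can still be undone."""
    return (1 << counter_bits) * 8 / link_bps


def live_snapshot():
    """On Linux, read the real counters (not used by the demonstration below)."""
    with open("/proc/net/dev") as fh:
        return parse_proc_net_dev(fh.read())


if __name__ == "__main__":
    s0, s1 = parse_proc_net_dev(SAMPLE_T0), parse_proc_net_dev(SAMPLE_T1)
    eth0 = interface_rates(s0, s1, INTERVAL_S, counter_bits=32)["eth0"]
    print("eth0 rx %.0f bit/s, tx %.0f bit/s, tx drops %d" % (eth0["rx_bps"], eth0["tx_bps"], eth0["tx_drop"]))
    print("tx utilisation on a 100 Mbit/s link: %.1f%%" % utilisation_pct(eth0["tx_bps"], 100_000_000))
    print("32-bit counter at 1 Gbit/s wraps after %.1f s" % max_safe_interval(1_000_000_000))
    wrong = interface_rates(s0, s1, INTERVAL_S)["eth0"]["rx_bps"]   # width mis-declared as 64 bits
    print("same receive counter read as 64-bit: %.3g bit/s (nonsense)" % wrong)
```

The last line of the run is the practical caveat: if the counter width is declared wrongly, the wrap is "undone" with the wrong modulus and the computed rate is garbage rather than an obvious error, so match the width to the counter you actually read (the 64-bit kernel counters here, or the 32- versus 64-bit SNMP objects on a switch). On the Cisco side the same drop and error deltas are what the reply above tells the poster to look for in `show interface`.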
Limit traffic on router interface
Dear all,
How can I limit upload/download bandwidth on a router interface?
Please help me.
Thanks with regards,
Vikas Kumar
Hi,
You can police the traffic in ingress/egress, but the support may depend on your hardware. Please refer to the following link for more information:
http://www.cisco.com/en/US/partner/docs/ios/qos/configuration/guide/polcing_shping_oview_ps6350_TSD_Products_Configuration_Guide_Chapter.html
HTH
Laurent. -
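The policing the reply points to is a token bucket: tokens are earned at the committed rate up to a burst allowance, each packet spends tokens equal to its size, and a packet that finds too few tokens is dropped (policing) or held until enough have accrued (shaping). Which directions each platform can police or shape in hardware varies, as the reply says. As an added example, not Cisco's implementation and not from the thread, the Python below runs the same constructed burst through a single-rate two-colour policer and through a shaper so the difference in outcome is visible; the CIR/Bc values and packet sizes are constructed.

```python
class TokenBucketPolicer:
    """Single-rate, two-colour policer: conform if the packet fits in the bucket, else exceed (drop)."""

    def __init__(self, cir_bps, bc_bytes):
        self.rate = cir_bps / 8.0      # token refill rate, bytes per second
        self.bc = bc_bytes             # bucket depth = committed burst
        self.tokens = bc_bytes         # start full
        self.last = 0.0                # time of the previous refill

    def _refill(self, now):
        self.tokens = min(self.bc, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def offer(self, now, size):
        """Return 'conform' or 'exceed' for a packet of SIZE bytes arriving at time NOW (s)."""
        self._refill(now)
        if size <= self.tokens:
            self.tokens -= size
            return "conform"
        return "exceed"


class TokenBucketShaper(TokenBucketPolicer):
    """Same bucket, but excess packets are queued and released as tokens accrue."""

    def offer(self, now, size):
        """Return the departure time of a packet of SIZE bytes arriving at NOW (FIFO)."""
        now = max(now, self.last)          # cannot leave before the packet queued ahead of it
        self._refill(now)
        if size > self.tokens:
            now += (size - self.tokens) / self.rate   # wait until the deficit has been earned
            self.tokens = size
        self.tokens -= size
        self.last = now
        return now


def run(policy, arrivals):
    """Feed (time, size) pairs through a policer or shaper and collect the results."""
    return [policy.offer(t, size) for t, size in arrivals]


# Constructed burst: three 1000-byte packets at once, one more a second later,
# against a committed rate of 8 kbit/s (1000 B/s) with a 1500-byte burst allowance.
CIR_BPS, BC_BYTES = 8_000, 1_500
BURST = [(0.0, 1000), (0.0, 1000), (0.0, 1000), (1.0, 1000)]

if __name__ == "__main__":
    print("police:", run(TokenBucketPolicer(CIR_BPS, BC_BYTES), BURST))   # conform, exceed, exceed, conform
    print("shape :", run(TokenBucketShaper(CIR_BPS, BC_BYTES), BURST))    # departs at 0.0, 0.5, 1.5, 2.5 s
```

The policer discards the second and third packets of the burst outright, which is what a user sees as lost packets and TCP sees as congestion; the shaper delivers all four but the last leaves 1.5 s after it arrived, so shaping needs queue memory and adds latency while policing does not. Choosing a larger Bc lets a longer burst through either way.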
Relay traffic out same interface
Is it possible to relay traffic out of the same interface? For instance we have a computer on the Internet that only is accessible from our network. I'd like users to connect to our network, look at the ACL, and then connect to the remote computer. So basically I'm going right back out the same interface. VPN->outside interface->Internet. I'd still want split tunneling to be enabled and have this apply to only a specific IP or subnet. Is this possible?
This is the packet tracer result:
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
I can see the traffic coming from the VPN client to the IP, so the route is working. I get a teardown and built message in the log, but nothing saying the traffic is denied.
I think this info should cover what you're looking for:
group-policy GroupPolicy_ZSSL attributes
wins-server none
dns-server value 192.168.1.8 192.168.1.47
vpn-tunnel-protocol ikev2 ssl-client
default-domain value company.com
webvpn
anyconnect profiles value ZSSL_client_profile type user
username company password xxxxxxxxxxxxxx encrypted privilege 15
tunnel-group companyVPN type remote-access
tunnel-group companyVPN general-attributes
address-pool VPNPool
authentication-server-group MicrosoftIAS LOCAL
accounting-server-group MicrosoftIAS
default-group-policy companyVPN
password-management
tunnel-group companyVPN ipsec-attributes
ikev1 pre-shared-key *****