Guest VLAN cannot ping gateway

Hi Sir,
     I have an issue wherein my guest VLAN cannot ping its gateway, thus it can't go through the web auth page. I have been given an IP address with corresponding gateway, subnet and DNS for the guest VLAN. I have allowed all the VLANs in the trunk port for WLC and AP connection.
     What do you think is the problem? Hope you could help on this.
Thanks.
Regards,
Neri

Hi Neri
The way this should work is that the client connects to the guest network and gets an IP address from DHCP. The DHCP configuration should include the default gateway and must include a DNS address.
When the client opens a web browser the browser tries to connect to the configured home page. This means that a DNS lookup is sent out and the controller intercepts it and forwards it on. Providing there is a response from the DNS server the controller will cause the client browser to re-direct to the web authentication login page.
It is therefore essential that the controller can see the DNS server. Forget the PING for now - DNS is a must. You can prove the rest of the system by ensuring the guest client has an IP address. Open the client browser and try and connect to http://1.1.1.1 (assuming your virtual interface on the controller is 1.1.1.1). If you get re-directed to the web authentication login page then the issue is a DNS issue.
Regards
Roger
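
The check sequence from the reply above, as a script to run on a guest client (an added example, not part of the original thread). `TEST_NAME` and the `login.html` marker are assumptions; the marker is taken from the redirect URL quoted further down this page, and 1.1.1.1 is the virtual interface address the reply assumes.

```python
import http.client
import socket

VIRTUAL_IP = "1.1.1.1"       # controller virtual interface, as assumed in the reply
TEST_NAME = "example.com"    # assumption: any name the guest DNS server should resolve
LOGIN_MARKER = "login.html"  # assumption: login page path seen in a redirect URL on this page

EXPLAIN = {
    "ok": "DNS answers and the HTTP request is redirected to the login page",
    "no-redirect": "DNS answers but no login redirect was seen; check the WLAN web auth settings",
    "dns": "login page is reachable by virtual IP but DNS fails: this is a DNS issue",
    "no-portal": "neither DNS nor the virtual interface answers; check the client IP address first",
}


def resolve(name):
    """True if the DNS server handed out by DHCP answers a lookup for name."""
    try:
        socket.getaddrinfo(name, 80)
        return True
    except socket.gaierror:
        return False


def fetch(host, timeout=5.0):
    """GET http://host/ without following redirects.

    Returns (status, Location header, first 2 KiB of body) or None on failure.
    """
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        body = resp.read(2048).decode("latin-1")
        return resp.status, resp.getheader("Location", ""), body
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def is_login_redirect(result):
    """Recognise a redirect to the login page, sent as 3xx or as an HTML refresh."""
    if result is None:
        return False
    status, location, body = result
    if status in (301, 302, 303, 307, 308):
        return LOGIN_MARKER in location
    return status == 200 and LOGIN_MARKER in body


def diagnose(resolver=resolve, fetcher=fetch):
    """Follow the order given in the reply: DNS first, then the virtual IP."""
    if resolver(TEST_NAME):
        # DNS works, so a normal browser request should be intercepted.
        return "ok" if is_login_redirect(fetcher(TEST_NAME)) else "no-redirect"
    # DNS failed: go straight to the virtual interface to prove the rest.
    return "dns" if is_login_redirect(fetcher(VIRTUAL_IP)) else "no-portal"


if __name__ == "__main__":
    code = diagnose()
    print(f"{code}: {EXPLAIN[code]}")
```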

Similar Messages

  • Cannot ping gateway

    Hi,
    I have a WLC directly connected to the core switch in the same subnet and same VLAN;
    the core switch is connected to other edge switches and the APs are connected to them.
    I cannot ping the WLC from the core switch. I don't know how, but the connected APs are working fine
    and users are also able to browse.
    Please suggest on this.

    (Cisco Controller) >show interface detailed management
    Interface Name................................... management
    MAC Address...................................... 88:43:e1:31:19:8b
    IP Address....................................... 172.16.10.2
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 172.16.10.253
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. untagged
    Quarantine-vlan.................................. 0
    Active Physical Port............................. LAG (29)
    Primary Physical Port............................ LAG (29)
    Backup Physical Port............................. Unconfigured
    Primary DHCP Server.............................. 10.5.5.1
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    ACL.............................................. Unconfigured
    AP Manager....................................... No
    Guest Interface.................................. No
    L2 Multicast..................................... Enabled
    core#show mac-address address 88:43:e1:31:19:8b
    Unicast Entries
    vlan   mac address     type        protocols               port
    -------+---------------+--------+---------------------+--------------------
    4001    8843.e131.198b   dynamic ip                    GigabitEthernet5/5

  • Wireless guest users cannot ping if ACL is applied

    Hi friends,
    This is the first time I am trying my hands on wireless gears. I have 2500 WLC and 1142 AP (which I converted from Standalone to LAP).
    I have a layer 3 PoE switch where I am using port 1 for the WLC, which is a trunk port.
    Port 2 is for the AP using access VLAN 111.
    Port 3 is a trunk port going to a router where I am running a DHCP server for the VLANs, which are as follows:
    VLAN 110 - Corp Wireless (10.1.110.0/24)
    VLAN 111 - AP-Mgmt (10.1.111.0/24)
    VLAN 999 - Guest (10.1.101.0/24)
    I wanted to block the traffic from the Guest VLAN 999, but when I apply the ACL on the Guest interface created on the WLC, I don't see any pings going across, and neither do I see any hit counts on the deny statement, as if the ACL is never applied.
    Can someone guide me in the right direction if I am missing anything?
    Thanks,
    Mohit

    rdvorak wrote: Put the ACL on the WLAN not on the interface.
    But applying the ACL to the interface will affect all WLANs that utilize that interface!!!
    Rating useful replies is more useful than saying "Thank you"

  • Ontap 8.3 lif cannot ping gateway

    Hi all, I have a c-mode cluster with 1 node (DR filer). It's on subnet 172.16.230.0/24. Gateway is 172.16.230.1/24. I created an intercluster LIF (172.16.230.35) to communicate with the filer (production) in another subnet (10.1.198.0/24). I can ping 10.1.198.35. But I cannot ping the gateway 172.16.230.1 from the intercluster LIF on the DR filer. I also cannot ping from 10.1.198.35 (prod. filer) to 172.16.230.35 (DR filer).

    If I connect a laptop in the same subnet and give it 172.16.230.18, I can ping both ways: ping to 10.1.198.35, 172.16.230.1 and vice versa, just as expected. So routing seems correct. BUT, if I ping from the laptop to the LIF (172.16.230.35) of the filer, I have no response, although it's on the same subnet. So it looks like 'something' is preventing the LIF on the DR filer from responding to the ping(?)

    I spent hours searching the internet but I'm completely lost now. If somebody could give me only a direction to search in, it would be great! Thanks!

    Solved! Weird cabling issue... :-(

  • Guest vlan cannot get to webauthor

    We are setting up an anchor WLC in the DMZ and the DHCP is also in the DMZ. Guests can get an IP, but cannot get to the login page. When I type yahoo.com's IP address in the browser, I get the following:
    Any idea?
    Thanks,
    Han
    guest-wlc02/login.html?redirect=98.139.183.24

    Scott,
    Are Webauth and Splash Redirect two different authorization methods? Where do you configure webauth? I found at our DMZ WLC, does it look alright?
    Thanks,

  • Cannot ping gateway once RE is plugged in?

    The setup utility didn't work, so I configured it manually.
    I set the same SSID as my wireless network, same channel, and set up the same WEP security as well. I left the static IP the same, and made the gateway my router (192.168.1.1).
    When I plug in the RE, the signal boosts up as it should, but I lose network connectivity and can't ping the gateway. I can still ping the RE, but nothing else. This computer was set to a static address, so I put it back to DHCP and rebooted. It picked up a valid IP, but still couldn't ping the gateway?!?
    I should've already known that Linksys products can be extremely frustrating, but help me out!!
    Thanks

    Try changing a few settings under the advanced wireless settings on the router: reduce the beacon to 50, reduce the RTS and fragmentation by 40 each.
    Also verify that you are using the latest firmware on the router and RE.

  • Linksys E1000 cannot ping gateway unless I unplug/replug WAN

    I have been using this router for the last six months and never had a single problem. Then yesterday, out of nowhere, the internet stopped working and I was not able to ping my ISP gateway (both wired and wireless) [Received: Destination host not reachable on both Windows Vista / 7]. Rebooted the router but still no luck. Unplugged / replugged the net connection from the WAN port and then finally ping was successful.
    Now the weird thing is that every time I power on the router the Internet does not work and the ISP gateway seems not reachable, but if I unplug/replug the WAN connection the ping reply starts and the internet works without any problem.
    I have updated the firmware to the latest version (2.1.02 build 5 May 6, 2011), disabled the SPI firewall and tried changing the MTU value but still no luck.
    Another unusual thing I have noticed is that during the router boot up the WAN port LED blinks a lot faster than usual. After I unplug/replug the wan connection the blinking rate seems to be normal.

    My ISP Gateway uses a completely different IP address 172.16.x.x, while my router has the default IP setup 192.168.1.1. The thing is I am able to ping the router IP, but not the ISP Gateway IP unless I unplug/replug WAN.
    I googled around quite a bit yesterday and found that others have also had similar problem.
    http://homecommunity.cisco.com/t5/Wireless-Routers/Power-Outage-Linksys-E1000-router-lights-blinking...

  • Cisco 1941 Router-on-a-Stick w/ 11VLANs trunked to a Cisco 2960: Can Ping a device in another VLAN, that device cannot ping back

    Cisco 1941 Router-on-a-Stick w/ 11VLANs trunked to a Cisco 2960: From the Switch I can Ping a device in another VLAN, that device cannot ping back. Some devices can ping devices in other VLANs and the device in the other VLAN can successfully return the Ping. Have a look at the attached diagram.
    Router Config:
    show run
    Building configuration...
    Current configuration : 7224 bytes
    ! Last configuration change at 09:05:48 EDT Wed Aug 6 2014
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname ROUTER
    boot-start-marker
    boot-end-marker
    no aaa new-model
    clock timezone EDT -8 0
    ip cef
    ip name-server 8.8.8.8
    no ipv6 cef
    multilink bundle-name authenticated
    license udi pid CISCO1941/K9
    object-group network Net_Obj_Group1 
     description This network group allows all 10.0.0.0 and Email Forwarder server through to the Plt PCs
     205.191.0.0 255.255.0.0
     10.0.0.0 255.0.0.0
    object-group network Net_Obj_Group2 
     description This Network Group includes the Host IPs allowed through the Plant Router
     host 10.194.28.23
     host 10.194.28.25
     host 10.194.28.26
     host 10.194.28.27
     host 10.194.28.28
     host 10.194.28.29
     host 10.194.28.37
     host 10.194.28.39
     host 10.194.28.40
     host 10.194.28.70
     host 10.194.28.130
     host 10.194.28.131
     host 10.194.28.132
     host 10.194.28.133
     host 10.194.28.134
     host 10.194.28.135
     host 10.194.28.136
     host 10.194.28.137
     host 10.194.28.138
     host 10.194.28.139
     host 10.194.28.140
     host 10.194.28.141
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    interface GigabitEthernet0/0
     description Port Ge0/0 to IT Enterprise network Switch GE1/0/38
     ip address 10.194.28.111 255.255.255.0
     ip access-group 105 in
     ip access-group 106 out
     ip nat outside
     ip virtual-reassembly in
     shutdown
     duplex full
     speed auto
     no mop enabled
    interface GigabitEthernet0/1
     description Port to Plant PCN-K/L24 Sw1 Port 0/24
     no ip address
     duplex auto
     speed auto
     no mop enabled
    interface GigabitEthernet0/1.102
     description Port to VLAN 102
     encapsulation dot1Q 102
     ip address 192.168.102.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    interface GigabitEthernet0/1.104
     description Port to VLAN 104
     encapsulation dot1Q 104
     ip address 192.168.104.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    interface GigabitEthernet0/1.105
     description Port to VLAN 105
     encapsulation dot1Q 105
     ip address 192.168.105.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    interface GigabitEthernet0/1.106
     description Port to VLAN 106
     encapsulation dot1Q 106
     ip address 192.168.106.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    interface GigabitEthernet0/1.107
     description Port to VLAN 107
     encapsulation dot1Q 107
     ip address 192.168.107.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    interface GigabitEthernet0/1.111
     description Port to VLAN 111
     encapsulation dot1Q 111
     ip address 192.168.111.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    interface GigabitEthernet0/1.117
     description Port to VLAN 117
     encapsulation dot1Q 117
     ip address 192.168.117.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    interface GigabitEthernet0/1.121
     description Port to VLAN 121
     encapsulation dot1Q 121
     ip address 192.168.121.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    interface GigabitEthernet0/1.125
     description Port to VLAN 125
     encapsulation dot1Q 125
     ip address 192.168.125.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    interface GigabitEthernet0/1.150
     description Port to to VLAN 150
     encapsulation dot1Q 150
     ip address 192.168.150.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    interface GigabitEthernet0/1.999
     description Port to VLAN 999
     encapsulation dot1Q 999
     ip address 192.168.0.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    ip forward-protocol nd
    ip http server
    no ip http secure-server
    ip nat inside source static 192.168.102.201 10.194.28.23
    ip nat inside source static 192.168.121.201 10.194.28.25
    ip nat inside source static 192.168.106.251 10.194.28.26
    ip nat inside source static 192.168.107.245 10.194.28.27
    ip nat inside source static 192.168.102.251 10.194.28.28
    ip nat inside source static 192.168.150.201 10.194.28.29
    ip nat inside source static 192.168.107.179 10.194.28.37
    ip nat inside source static 192.168.111.201 10.194.28.39
    ip nat inside source static 192.168.105.201 10.194.28.40
    ip nat inside source static 192.168.106.21 10.194.28.70
    ip nat inside source static 192.168.107.146 10.194.28.130
    ip nat inside source static 192.168.107.156 10.194.28.131
    ip nat inside source static 192.168.107.161 10.194.28.132
    ip nat inside source static 192.168.107.181 10.194.28.133
    ip nat inside source static 192.168.107.191 10.194.28.134
    ip nat inside source static 192.168.106.202 10.194.28.135
    ip nat inside source static 192.168.106.212 10.194.28.136
    ip nat inside source static 192.168.117.190 10.194.28.137
    ip nat inside source static 192.168.117.100 10.194.28.138
    ip nat inside source static 192.168.106.242 10.194.28.139
    ip nat inside source static 192.168.125.100 10.194.28.140
    ip nat inside source static 192.168.125.99 10.194.28.141
    ip nat outside source static 10.194.28.23 10.194.28.23
    ip nat outside source static 10.194.28.25 10.194.28.25
    ip nat outside source static 10.194.28.26 10.194.28.26
    ip nat outside source static 10.194.28.27 10.194.28.27
    ip nat outside source static 10.194.28.28 10.194.28.28
    ip nat outside source static 10.194.28.29 10.194.28.29
    ip nat outside source static 10.194.28.37 10.194.28.37
    ip nat outside source static 10.194.28.39 10.194.28.39
    ip nat outside source static 10.194.28.40 10.194.28.40
    ip nat outside source static 10.194.28.70 10.194.28.70
    ip nat outside source static 10.194.28.130 10.194.28.130
    ip nat outside source static 10.194.28.131 10.194.28.131
    ip nat outside source static 10.194.28.132 10.194.28.132
    ip nat outside source static 10.194.28.133 10.194.28.133
    ip nat outside source static 10.194.28.134 10.194.28.134
    ip nat outside source static 10.194.28.135 10.194.28.135
    ip nat outside source static 10.194.28.136 10.194.28.136
    ip nat outside source static 10.194.28.137 10.194.28.137
    ip nat outside source static 10.194.28.138 10.194.28.138
    ip nat outside source static 10.194.28.139 10.194.28.139
    ip nat outside source static 10.194.28.140 10.194.28.140
    ip nat outside source static 10.194.28.141 10.194.28.141
    ip route 0.0.0.0 0.0.0.0 10.194.28.1
    access-list 105 permit ip object-group Net_Obj_Group1 object-group Net_Obj_Group2
    access-list 106 permit ip object-group Net_Obj_Group2 object-group Net_Obj_Group1
    dialer-list 1 protocol ip permit
    control-plane
    banner login ^CC
    Login banner for Plant Router #01^C
    banner motd ^CC
    MOTD Banner for Plant Router^C
    line con 0
     password XXXXXXXXX
     logging synchronous
     login
    line aux 0
    line 2
     no activation-character
     no exec
     transport preferred none
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line vty 0 4
     password XXXXXXXXX
     logging synchronous
     login
     transport input all
    scheduler allocate 20000 1000
    ntp server 10.199.100.92
    end
    Switch Config:
    sh ru
    Building configuration...
    Current configuration : 6513 bytes
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log datetime localtime show-timezone
    service password-encryption
    hostname K24Sw01
    boot-start-marker
    boot-end-marker
    no aaa new-model
    clock timezone EDT -5
    clock summer-time EDT recurring
    udld aggressive
    crypto pki trustpoint TP-self-signed-593746944
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-593746944
     revocation-check none
     rsakeypair TP-self-signed-593746944
      4B58BCE9 44
      quit
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    interface FastEthernet0
     no ip address
    interface GigabitEthernet0/1
     description Trunk port for vlans 105, 111, 125 and 999 from K24Sw01 port Ge0/1 to P22Sw01 port Ge0/24
     switchport trunk allowed vlan 105,111,125,999
     switchport mode trunk
    interface GigabitEthernet0/2
     description Trunk port for vlans 150 and 999 from K24Sw01 port Ge0/2 to N25Sw01 port Ge0/26
     switchport trunk allowed vlan 150,999
     switchport mode trunk
    interface GigabitEthernet0/3
     description Trunk port for vlans 102, 104, 106, 107, 117 and 999 from K24Sw01 port Ge0/3 to K28Sw01 port Ge0/26
     switchport trunk allowed vlan 102,104,106,107,117,999
     switchport mode trunk
    interface GigabitEthernet0/4
     description Trunk port for vlans 102, 106, 107 and 999 from K24Sw01 port Ge0/4 to H23Sw01 port Ge0/26
     switchport trunk allowed vlan 102,106,107,999
     switchport mode trunk
    interface GigabitEthernet0/5
     description Trunk port for vlans 121, 125 and 999 from K24Sw01 port Ge0/5 to M21Sw01 port Ge0/24
     switchport trunk allowed vlan 121,125,999
     switchport mode trunk
    interface GigabitEthernet0/6
     description OPEN
     spanning-tree portfast
    interface GigabitEthernet0/7
     description OPEN
     spanning-tree portfast
    interface GigabitEthernet0/8
     description OPEN
     spanning-tree portfast
    interface GigabitEthernet0/9
     description OPEN
     spanning-tree portfast
    interface GigabitEthernet0/10
     description VLan 102 access port
     switchport access vlan 102
     spanning-tree portfast
    interface GigabitEthernet0/11
     description - VLan 104 access port
     switchport access vlan 104
     spanning-tree portfast
    interface GigabitEthernet0/12
     description - VLan 105 access port
     switchport access vlan 105
     spanning-tree portfast
    interface GigabitEthernet0/13
     description - VLan 106 access port
     switchport access vlan 106
     spanning-tree portfast
    interface GigabitEthernet0/14
     description - VLan 107 access port
     switchport access vlan 107
     spanning-tree portfast
    interface GigabitEthernet0/15
     description - VLan 111 access port
     switchport access vlan 111
     spanning-tree portfast
    interface GigabitEthernet0/16
     description - VLan 117 access port
     switchport access vlan 117
     spanning-tree portfast
    interface GigabitEthernet0/17
     description - VLan 121 access port
     switchport access vlan 121
     spanning-tree portfast
    interface GigabitEthernet0/18
     description - VLan 125 access port
     switchport access vlan 125
     spanning-tree portfast
    interface GigabitEthernet0/19
     description - VLan 150 access port
     switchport access vlan 150
     spanning-tree portfast
    interface GigabitEthernet0/20
     description - VLan 999 access port
     switchport access vlan 999
     spanning-tree portfast
    interface GigabitEthernet0/21
     description OPEN
     spanning-tree portfast
    interface GigabitEthernet0/22
     description OPEN
     spanning-tree portfast
    interface GigabitEthernet0/23
     description OPEN
     spanning-tree portfast
    interface GigabitEthernet0/24
     description From ROUTER Gw ge0/1
     switchport trunk allowed vlan 102,104-107,111,117,121,125,150,999
     switchport mode trunk
    interface GigabitEthernet0/25
    interface GigabitEthernet0/26
    interface Vlan1
     no ip address
     no ip route-cache
     shutdown
    interface Vlan102
     ip address 192.168.102.253 255.255.255.0
    interface Vlan104
     no ip address
     no ip route-cache
    interface Vlan105
     no ip address
     no ip route-cache
    interface Vlan106
     no ip address
     no ip route-cache
    interface Vlan107
     no ip address
     no ip route-cache
    interface Vlan111
     no ip address
     no ip route-cache
    interface Vlan117
     no ip address
     no ip route-cache
    interface Vlan121
     no ip address
     no ip route-cache
    interface Vlan125
     no ip address
     no ip route-cache
    interface Vlan150
     no ip address
     no ip route-cache
    interface Vlan999
     no ip address
     no ip route-cache
    ip default-gateway 192.168.102.1
    ip http server
    ip http secure-server
    snmp-server engineID local 00000009020000019634C2C0
    snmp-server community public RO
    snmp-server location 
    snmp-server contact 
    banner motd ^CCC ADMIN USE ONLY! ^C
    line con 0
     session-timeout 10 
     password xxxxxx
     logging synchronous
     login
     stopbits 1
    line vty 0 4
     session-timeout 10 
     password xxxxxxx
     login
    line vty 5 15
     session-timeout 10 
     password xxxxxxxx
     login
    ntp server 10.199.100.92
    end
    K24Sw01#

    Hi Mark,
    Here is my config:
    Create sub-interfaces, set 802.1Q trunking protocol and ip address on each sub-interface
    Router(config)#interface f0/0
    Router(config-if)#no shutdown
    (Note: The main interface f0/0 doesn't need an IP address but it must be turned on)
    Router(config)#interface f0/0.10
    Router(config-subif)#encapsulation dot1q 10
    Router(config-subif)#ip address 192.168.10.1 255.255.255.0
    Router(config-subif)#interface f0/0.20
    Router(config-subif)#encapsulation dot1q 20
    Router(config-subif)#ip address 192.168.20.1 255.255.255.0
    (Note: In the "encapsulation dot1q 10" command, 10 is the VLAN ID this interface operates in)
    Configure VLAN
    Switch(config)#vlan 10
    Switch(config-vlan)#name SALES
    Switch(config-vlan)#vlan 20
    Switch(config-vlan)#name TECH
    Set ports to access mode & assign ports to VLAN
    Switch(config)#interface range fa0/1
    Switch(config-if)#no shutdown
    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport access vlan 10
    Switch(config-if)#interface range fa0/3
    Switch(config-if)#no shutdown
    Switch(config-if)#switchport mode access
    Switch(config-if)# switchport access vlan 20
    Switch(config-if)#interface range fa0/5
    Switch(config-if)#no shutdown
    Switch(config-if)#switchport mode trunk
    1. Please check all your ports are up.
    2. Check the config once again.
    3. Make sure the switch and router connection port is configured as a trunk and that it is up.
    This config is working for me.
    Regards
    Don't forget to rate helpful posts.

  • Clients cannot ping the default gateway when connected to SSID

    Here is my environment:
    My controller is a vWLC installed in ESXi which has two vNet cards configured with all VLANs (4095); it is then connected to a 3560 switch with a trunk. The configuration of the switch interface is as below:
    LS3560CG#sh run int fa0/1
    Building configuration...
    Current configuration : 138 bytes
    interface FastEthernet0/1
    description To_WLC
    switchport trunk encapsulation dot1q
    switchport mode trunk
    spanning-tree portfast
    end
    The IP of the management interface of the WLC is 10.10.10.90, the VLAN is 10, and the DHCP primary is 10.10.10.1, which is in the 3560. The DHCP pool is configured as below:
    LS3560CG#sh run int fa0/1
    Building configuration...
    Current configuration : 138 bytes
    interface FastEthernet0/1
    description To_WLC
    switchport trunk encapsulation dot1q
    switchport mode trunk
    spanning-tree portfast
    end
    The SSID is BYOD and I can connect to the SSID and get an IP address such as 10.10.10.118/24, but for now, I cannot ping 10.10.10.1, though I can ping 10.10.10.90:
    Can anyone help me with this? Thanks

    Hi Scott
    Correct! I have resolved this a few minutes earlier. I have assigned the vSwitch to Promiscuous Mode but forgot to switch it to "Accept", the default value is "Reject"
    Thanks so much!

  • I can SSH from the outside but cannot ping ISP gateway from 2911

    Hello all,
    I came across a rather strange issue. I am able to SSH to the device from my home, but while I am consoled in, I cannot ping the ISP gateway or any other IPs. As expected, all traceroutes fail without hitting the gateway as the first hop. I have been reading about the NVI0 interface and I decided to use it. Most of the sample configs on here use the "old" ip nat inside / outside on the appropriate interfaces. What do you guys suggest?
    Here is the running config. It is rather simple since I did not add all the access-lists except the ones I thought necessary to test the circuit. Please point out any mistakes or errors. Thanks in advance!
    Current configuration : 1679 bytes
    ! Last configuration change at 04:05:17 UTC Fri Sep 12 2014
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname StandbyGZ-2911
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$BRaM$igChPMXLeHjgYR7EGk/Nb/
    no aaa new-model
    no ipv6 cef
    no ip source-route
    ip cef
    no ip domain lookup
    ip domain name StandbyGZ.local
    ip name-server 211.136.20.203
    ip name-server 211.139.136.68
    multilink bundle-name authenticated
    license udi pid CISCO2911/K9 sn FGL174410H9
    username StandbyGZ secret 5 $1$CXWC$m6kqTGbf0HDLCvkfU7.RA/
    ip ssh version 2
    interface GigabitEthernet0/0
     no ip address
     shutdown
     duplex auto
     speed auto
    interface GigabitEthernet0/1
     description UPLINK TO CHINA MOBILE
     ip address 183.x.x.x 255.255.255.128
     ip access-group REMOTE-ADMIN-ACL in
     no ip redirects
     ip nat enable
     duplex auto
     speed auto
    interface GigabitEthernet0/2
     description CONNECTION TO LAN SWITCH 3650-CORE
     ip address 10.10.1.254 255.255.254.0
     no ip redirects
     ip nat enable
     duplex auto
     speed auto
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat source list LAN-NAT-ACL interface GigabitEthernet0/1 overload
    ip route 0.0.0.0 0.0.0.0 183.x.x.x
    ip access-list standard LAN-NAT-ACL
     permit 10.10.0.0 0.0.1.255
    ip access-list extended REMOTE-ADMIN-ACL
     permit tcp host 68.107.195.213 any eq 22 log
    control-plane
    line con 0
     exec-timeout 0 0
     logging synchronous
    line aux 0
    line vty 0 4
     exec-timeout 0 0
     logging synchronous
     login local
     transport input ssh
     transport output ssh
    scheduler allocate 20000 1000
    end
    StandbyGZ-2911# sh ip int br
    Interface                            IP-Address        OK?   Method      Status                  Protocol
    GigabitEthernet0/0         unassigned        YES    NVRAM     administratively  down down
    GigabitEthernet0/1         183.x.x.x             YES    NVRAM     up                         up
    GigabitEthernet0/2         10.10.1.254       YES    NVRAM     up                         up
    NVI0                                 183.x.x.x             YES    unset          up                         up
    StandbyGZ-2911#sh ip route
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, + - replicated route
    Gateway of last resort is 183.233.184.129 to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via 183.233.184.129
          10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C        10.10.0.0/23 is directly connected, GigabitEthernet0/2
    L        10.10.1.254/32 is directly connected, GigabitEthernet0/2
          183.233.0.0/16 is variably subnetted, 2 subnets, 2 masks
    C        183.x.x.x/25 is directly connected, GigabitEthernet0/1
    L        183.x.x.x/32 is directly connected, GigabitEthernet0/1

    Hi Chris,
    That is how I am used to configuring NAT, but IOS 12.3 and on introduced interface NVI0, which according to Cisco documentation should make applying the NAT statements "easier". ip nat enable has to be enabled on all interfaces and then NVI0 makes the "inside" and "outside" decisions. I was hoping that someone could clarify the real use of that NVI0 interface and whether it causes problems. Apparently it cannot be removed from the config.
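
An added example, not part of the original thread: in the posted configuration REMOTE-ADMIN-ACL is applied inbound on GigabitEthernet0/1 with a single permit entry, and the implicit deny that ends every IOS access list also covers return traffic such as ICMP echo replies. The code evaluates that ACL against constructed sample packets; `ROUTER_OUTSIDE` is a placeholder for the address the post elides as 183.x.x.x, and the parser handles only the entry forms that appear on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The extended ACL as posted, applied with
# "ip access-group REMOTE-ADMIN-ACL in" on GigabitEthernet0/1.
ACL_TEXT = """\
ip access-list extended REMOTE-ADMIN-ACL
 permit tcp host 68.107.195.213 any eq 22 log
"""

# Placeholder: the router's outside address is elided in the post.
ROUTER_OUTSIDE = "192.0.2.1"


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


@dataclass
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


def _take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)     # IOS wildcard mask, e.g. 0.0.1.255
    return ipaddress.ip_network(f"{tok}/{wildcard}", strict=False)


def parse_acl(text):
    """Parse permit/deny lines; only numeric 'eq PORT' matches are understood."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue             # skips the "ip access-list ..." header line
        action, proto = tokens.pop(0), tokens.pop(0)
        src = _take_addr(tokens)
        dst = _take_addr(tokens)
        dport = int(tokens[1]) if tokens[:1] == ["eq"] else None
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces, pkt):
    """First match wins; a packet matching no entry hits the implicit deny."""
    for number, ace in enumerate(aces, 1):
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in ace.src:
            continue
        if ipaddress.ip_address(pkt.dst) not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, f"entry {number}"
    return "deny", "implicit deny"


def inbound_verdicts():
    """Constructed packets arriving on GigabitEthernet0/1 (the inbound direction)."""
    aces = parse_acl(ACL_TEXT)
    samples = {
        "ssh from admin host": Packet("tcp", "68.107.195.213", ROUTER_OUTSIDE, 22),
        # Reply to a ping sent from the router to its default gateway.
        "echo reply from ISP gateway": Packet("icmp", "183.233.184.129", ROUTER_OUTSIDE),
        # Answer from one of the configured name servers (port is constructed).
        "dns reply from name server": Packet("udp", "211.136.20.203", ROUTER_OUTSIDE, 53124),
        "ssh from another host": Packet("tcp", "198.51.100.7", ROUTER_OUTSIDE, 22),
    }
    return {name: evaluate(aces, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (action, why) in inbound_verdicts().items():
        print(f"{name:30} {action:6} ({why})")
```

On the router itself, the counters shown by `show ip access-lists REMOTE-ADMIN-ACL` cover only the explicit entries, so traffic dropped by the implicit deny does not appear there.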

  • Cannot ping the gateway

    Hi
    Network:
    One firewall whose IP address is the gateway for all the internal computers and the server
    From one of the internal computers I can ping the gateway
    From the server I can ping all the internal computers but I cannot ping the gateway
    On the server I can ping:
    -  127.0.0.1, 
    - the IP address on the server
    - All the internal computers
    A hint would be nice
    Best Regards
    John B

    Arp -a
    Interface: 10.0.0.2 on Interface 0x1000003
      Internet Address      Physical Address      Type
      10.0.0.1              10-7b-ef-3a-58-09     dynamic  
      10.0.0.26             00-01-e6-b4-e1-fe     dynamic  
    Ipconfig /all
    Windows 2000 IP Configuration
     Host Name . . . . . . . . . . . . : krogh01
     Primary DNS Suffix  . . . . . . . : Krogh.local
     Node Type . . . . . . . . . . . . : Hybrid
     IP Routing Enabled. . . . . . . . : No
     WINS Proxy Enabled. . . . . . . . : No
     DNS Suffix Search List. . . . . . : Krogh.local
    Ethernet adapter Inside:
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : HP NC7760 Gigabit Server Adapter
     Physical Address. . . . . . . . . : 00-0B-CD-1C-7C-D9
     DHCP Enabled. . . . . . . . . . . : No
     IP Address. . . . . . . . . . . . : 10.0.0.2
     Subnet Mask . . . . . . . . . . . : 255.255.255.0
     Default Gateway . . . . . . . . . : 10.0.0.1
     DNS Servers . . . . . . . . . . . : 10.0.0.2
                                         212.242.40.3
                                         212.242.40.51
    Ping 10.0.0.1
    Pinging 10.0.0.1 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Ping statistics for 10.0.0.1:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum =  0ms, Average =  0ms
    Ping 10.0.0.26
    Pinging 10.0.0.26 with 32 bytes of data:
    Reply from 10.0.0.26: bytes=32 time=1ms TTL=64
    Reply from 10.0.0.26: bytes=32 time<10ms TTL=64
    Reply from 10.0.0.26: bytes=32 time<10ms TTL=64
    Reply from 10.0.0.26: bytes=32 time<10ms TTL=64
    Ping statistics for 10.0.0.26:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum =  1ms, Average =  0ms
    I can ping every computer on internal network without any problems, it is only the gateway I have problem with.
    I have now made a ping session from a computer on the internal network:
    Microsoft Windows [version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation. Alle rettigheder forbeholdes.
    C:\Users\lh>ipconfig /all
    Windows IP-konfiguration
       Værtsnavn. . . . . . . . . . . . . . . . . . : NUC-lone
       Primært DNS-suffiks. . . . . . . . . . . . . : Krogh.local
       Nodetype . . . . . . . . . . . . . . . . . . : Hybrid
       IP-routing aktiveret . . . . . . . . . . . . : Nej
       WINS-proxy aktiveret . . . . . . . . . . . . : Nej
       Søgeliste for DNS-suffiks. . . . . . . . . . : Krogh.local
    Ethernet-netværkskort LAN-forbindelse:
       Forbindelsesspecifikt DNS-suffiks. . . . . . :
       Beskrivelse. . . . . . . . . . . . . . . . . : Intel(R) Ethernet Connection I218-V
       Fysisk adresse . . . . . . . . . . . . . . . : C0-3F-D5-61-7A-3A
       DHCP aktiveret . . . . . . . . . . . . . . . : Ja
       Automatisk konfiguration aktiveret . . . . . : Ja
       Link-local-IPv6-adresse . . . . . : fe80::5c7a:dcbe:f8:7de7%11(Foretrukken)
       IPv4-adresse . . . . . . . . . . . . . . . . : 10.0.0.113(Foretrukken)
       Undernetmaske. . . . . . . . . . . . . . . . : 255.255.255.0
       Rettigheden opnået . . . . . . . . . . . . . : 12. december 2014 03:15:59
       Rettigheden udløber. . . . . . . . . . . . . : 19. december 2014 08:05:30
       Standardgateway. . . . . . . . . . . . . . . : 10.0.0.1
       DHCP-server. . . . . . . . . . . . . . . . . : 10.0.0.1
       DHCPv6 IAID . . . . . . . . . . . : 247480277
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-40-6D-C9-C0-3F-D5-61-7A-3A
       DNS-servere. . . . . . . . . . . . . . . . . : 10.0.0.2
    212.242.40.3
    212.242.40.51
       NetBIOS over Tcpip . . . . . . . . . . . . . : Aktiveret
    Tunnel-netværkskort isatap.{B46FAFD6-A60A-48D9-967D-4081FAE7F6AE}:
       Medietilstand. . . . . . . . . . . . . . . . : Mediet afbrudt
       Forbindelsesspecifikt DNS-suffiks. . . . . . :
       Beskrivelse. . . . . . . . . . . . . . . . . : Microsoft ISATAP-netværkskort
       Fysisk adresse . . . . . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP aktiveret . . . . . . . . . . . . . . . : Nej
       Automatisk konfiguration aktiveret . . . . . : Ja
    Tunnel-netværkskort Teredo Tunneling Pseudo-Interface:
       Medietilstand. . . . . . . . . . . . . . . . : Mediet afbrudt
       Forbindelsesspecifikt DNS-suffiks. . . . . . :
       Beskrivelse. . . . . . . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Fysisk adresse . . . . . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP aktiveret . . . . . . . . . . . . . . . : Nej
       Automatisk konfiguration aktiveret . . . . . : Ja
    C:\Users\lh>ping 10.0.0.1
    Pinger 10.0.0.1 med 32 byte data:
    Svar fra 10.0.0.1: byte=32 tid=1ms TTL=64
    Svar fra 10.0.0.1: byte=32 tid=1ms TTL=64
    Svar fra 10.0.0.1: byte=32 tid=1ms TTL=64
    Svar fra 10.0.0.1: byte=32 tid=1ms TTL=64
    Ping-statistikker for 10.0.0.1:
        Pakker: Sendt = 4, modtaget = 4, tabt = 0 (0% tab),
    Beregnet tid for rundtur i millisekunder:
        Minimum = 1ms, Maksimum = 1ms, Gennemsnitlig = 1ms
    C:\Users\lh>
    A hint would be nice :-)
    Best Regards
    John B

  • Nexus: HSRP on vrf vlan - Active Nexus cannot ping physical ip and VIP but Standby can

    Hi Cisco experts,
    Has anybody experienced this kind of problem with HSRP on a vrf vlan, wherein the Active Nexus cannot ping its own physical IP and VIP from Global vrf to Internal VRF but it can ping the physical IP of the standby? While on the Standby you can ping all (physical IP of Active, VIP, and its own physical IP).
    Hope you can help me on this matter. See attached ping test for clearer view. I can show the config if needed just request.
    Thanks all.

    yes you need it.
    This is how you assign the serverfarm to the vip.
    switch/User1(config)# policy-map multi-match SLB1
    switch/User1(config-pmap)# class VIP-250-81
    switch/User1(config-pmap-c)# no loadbalance policy SF_Linux4
    switch/User1(config-pmap-c)#
    gdufour-cat6k1#ping 192.168.100.250
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.100.250, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    gdufour-cat6k1#
    [Resuming connection 1 to 127.0.0.30 ... ]
    switch/User1(config-pmap-c)# loadbalance policy SF_Linux4
    switch/User1(config-pmap-c)#
    gdufour-cat6k1#ping 192.168.100.250
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.100.250, timeout is 2 seconds:
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
    gdufour-cat6k1#

  • Cannot ping IAS RADIUS from WLC 2504

    I'm having some weird issues where I cannot ping from the WLC to the IAS RADIUS server.  All of my clients cannot connect, but from the switch, router, RADIUS server, and hard wired clients, I can ping to the WLC and RADIUS server.  The only thing that cannot ping the RADIUS server is the WLC itself.  Nothing in the FW is blocking connectivity.  Any ideas?
    (Cisco Controller) >show radius summ
    Vendor Id Backward Compatibility................. Disabled
    Call Station Id Case............................. lower
    Call Station Id Type............................. IP Address
    Aggressive Failover.............................. Disabled
    Keywrap.......................................... Disabled
    Fallback Test:
        Test Mode.................................... Off
        Probe User Name.............................. cisco-probe
        Interval (in seconds)........................ 300
    MAC Delimiter for Authentication Messages........ none
    MAC Delimiter for Accounting Messages............ hyphen
    Authentication Servers
    Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
    1    NM    10.10.50.63       1645    Enabled   5     Enabled   Disabled - none/unknown/group-0/0 none/none
    2    NM    10.10.50.130      1645    Enabled   5     Enabled   Disabled - none/unknown/group-0/0 none/none
    Accounting Servers
    Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
    1      N     10.10.50.63       1646    Enabled   5     N/A       Disabled - none/unknown/group-0/0 none/none
    2      N     10.10.50.130      1646    Enabled   5     N/A       Disabled - none/unknown/group-0/0 none/none

    It's in the arp cache through the default router
    (Cisco Controller) >show interface detailed management
    Interface Name................................... management
    MAC Address...................................... d0:c2:82:df:5b:c0
    IP Address....................................... 10.30.72.250
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 10.30.72.1
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. untagged
    Quarantine-vlan.................................. 0
    Active Physical Port............................. 1
    Primary Physical Port............................ 1
    Backup Physical Port............................. Unconfigured
    Primary DHCP Server.............................. 10.10.10.65
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    ACL.............................................. Unconfigured
    AP Manager....................................... Yes
    Guest Interface.................................. No
    L2 Multicast..................................... Disabled
    (Cisco Controller) >show arp switch
    Number of arp entries................................ 19
        MAC Address        IP Address     Port   VLAN   Type
    50:57:A8:D6:DE:C0   10.10.19.1       1      5      Host
    50:57:A8:D6:DE:C0   10.10.20.138     1      5      Host
    50:57:A8:D6:DE:C0   10.10.50.63      1      5      Host
    64:00:F1:08:A0:D0   10.30.72.1       1      0      Host
    50:57:A8:9E:B5:CD   10.30.72.40      1      0      Host
    50:57:A8:A1:7B:C5   10.30.72.44      1      0      Host
    50:57:A8:9E:99:78   10.30.72.48      1      0      Host
    50:57:A8:3B:66:E3   10.30.72.49      1      0      Host
    00:07:7D:43:23:DA   10.30.72.58      1      0      Host
    50:57:A8:9E:B6:1D   10.30.72.59      1      0      Host
    50:57:A8:9E:95:C5   10.30.72.60      1      0      Host
    50:57:A8:A1:7C:0D   10.30.72.61      1      0      Host
    00:07:7D:65:36:DD   10.30.72.62      1      0      Host
    50:57:A8:44:57:0C   10.30.72.63      1      0      Host
    50:57:A8:CA:CC:01   10.30.72.64      1      0      Host

  • WinXp Pro as Virtualbox Guest can't ping router/internet

    Hi:
    I am running Arch 64 and installed virtualbox_bin 2.0.4-1 from AUR and guest additions 2.0.2-1 from AUR.
    I have installed as a guest os, WinXP Pro and set up bridge networking per
    http://mychael.gotdns.com/blog/2007/05/ … -bridging/.
    My Arch host works fine (it can access the internet and ping the guest WinXP Pro). My WinXP Pro guest can ping my Arch host and other local machines on my network. However it cannot ping my router or access or ping the internet.
    I log onto the WinXP Pro as the Administrator and I have the firewall disabled, so I don't think it is being blocked on the XP side by anything.
    As far as Arch goes, I have tried adding the host name of the WinXP Pro machine to /etc/hosts and put the IP address of the XP machine into /etc/hosts.allow. Neither of these actions resulted in success. I don't think I have a firewall or other special security measures on my Arch? I just did a fresh ftp install yesterday and did not add ssh or other security measures that weren't included in the default install and the base-devel install.
    My search of the forums turned up a similar problem to mine that was solved by removing the firewall in the WinXP guest. I have already done that still without success.
    My uneducated guess is that the gateway ip is not getting to the guest. I am using static ip for both the Arch host and the WinXP guest. The WinXP guest says that it is connected and reports no problems. I tried using dhcp on the XP guest but that didn't work either.
    Here is the network section of my /etc/rc.conf
    lo="lo 127.0.0.1"
    BRIDGE_INTERFACES=(br0)
    bridge_br0=(eth0)
    br0="br0 192.168.1.201 netmask 255.255.255.0 broadcast 192.168.0.255"
    eth0="eth0 0.0.0.0 promisc"
    INTERFACES=(lo br0 eth0)
    gateway="default gw 192.168.1.1"
    ROUTES=(gateway)
    Any help would be much appreciated.
    bdika

    Hi Floris:
    Thanks for the reply.
    I originally tried the Arch Way without success, that is why I tried the other way.
    However at your suggestion, I have tried the Arch Way again, with the same results. That is I can ping other computers on my network but I can't ping my router nor access the internet from my guest.
    Seeing that I have the same problem regardless of which method I use leads me to believe that it must be something simple and obvious that I am doing wrong. But what??! I have no idea.
    Any thoughts you have would be much appreciated.
    bdika

  • Cannot ping/telnet/ssh to GigabitEthernet interface of Cisco AP2602

    I have a Cisco 2602 (ios ver 15.0)
    I can connect through its SSID normally but I can't access the AP itself. From the AP I cannot ping the gateway, even though the AP can be seen in CDP from the switch.
    But my other AP Cisco 1140 (ios 12.4) can be accessed with the same configuration on the switch (switchport mode trunk, allowed vlan 1 & 2)
    vlan 1 is for user, vlan 2 for management...
    Below is the configuration of the gigabitethernet interface of the AP 2602
    interface GigabitEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     no keepalive
    interface GigabitEthernet0.1
     encapsulation dot1Q 1 native
     no ip route-cache
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    interface GigabitEthernet0.2
     encapsulation dot1Q 2
     ip address 10.32.2.98 255.255.255.0
     no ip route-cache
     bridge-group 2
     no bridge-group 2 source-learning
     bridge-group 2 spanning-disabled
    interface BVI1
     no ip address
     no ip route-cache
    ip default-gateway 10.32.2.1
    please help

    With autonomous access point, the management has to be the native vlan.  The issue is that your vlan 1 is native and that is for users, but your management is on vlan 2 which is management. This will not work as it is a requirement to keep management on a native vlan.  You would have to move the users to a different vlan since vlan 1 is typically tagged so that you can define on the trunk port on the switch that vlan 2 is native.
    -Scott
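
    The rule stated in the reply above (the management IP must sit on the native VLAN) can be checked mechanically before an AP config is deployed. The following is an added example, not part of the original thread or any Cisco tooling; the function names are hypothetical and the sample config is constructed from the interface lines quoted in the question.

```python
import re

# Constructed sample: the GigabitEthernet lines from the AP config posted above.
AP_CONFIG = """\
interface GigabitEthernet0
 no ip address
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 spanning-disabled
interface GigabitEthernet0.2
 encapsulation dot1Q 2
 ip address 10.32.2.98 255.255.255.0
 bridge-group 2
interface BVI1
 no ip address
ip default-gateway 10.32.2.1
"""

def parse_interfaces(config):
    """Return {interface: {"vlan", "native", "ip"}} from IOS-style config text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            # Unindented line: either a new interface block or a global command.
            m = re.match(r"interface\s+(\S+)$", line)
            current = None
            if m:
                current = interfaces.setdefault(
                    m.group(1), {"vlan": None, "native": False, "ip": None})
            continue
        if current is None:
            continue
        if m := re.match(r"encapsulation dot1Q (\d+)(\s+native)?$", line):
            current["vlan"] = int(m.group(1))
            current["native"] = bool(m.group(2))
        elif m := re.match(r"ip address (\d+\.\d+\.\d+\.\d+) \S+$", line):
            current["ip"] = m.group(1)  # "no ip address" does not match
    return interfaces

def management_vlan_findings(config):
    """Flag any IP address configured on a tagged (non-native) subinterface."""
    findings = []
    for name, intf in parse_interfaces(config).items():
        if intf["ip"] and intf["vlan"] is not None and not intf["native"]:
            findings.append(
                f"{name}: management IP {intf['ip']} is on tagged VLAN "
                f"{intf['vlan']}, not the native VLAN")
    return findings

if __name__ == "__main__":
    for finding in management_vlan_findings(AP_CONFIG):
        print(finding)
```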
