HSRP using sub-interfaces,

Similar Messages

• IPSec tunnel on sub-interface on ASA 5510

  Hello All,
  I working on a security solution using ASA firewall and need some technical advice on ASA. Is it possible to setup a IPSec tunnels  on each subinterface of a physical interface on ASA 5510?
  I would be greatul if someone please reply post this with some details.
  Regards,
  Muds

  Hi Jennifer,
  Thanks very much for your reply. I understand where you coming from, but the reason of using sub-interfaces is that, we have only one physical interface on the firewall connected to the MPLS cloud, and we need to setup a seperate IPSec tunnels for each client for security and integrity. In the current scenario, I have static peers and we can easily setup a static route to peer address.
  Many thanks for your assistance, please feel free to to advise if you have any other suggestion.
  Regards,
  Muds 

• 5540 and sub interfaces

  One of my client has a 5540 security appliance where I have configured DMZ and other few things . Currently it has 4 workable interfaces excluding management interface . 3 of them are used for data connectivity because 1 port is for failover .
  Now with 3 physical interface we have 4 zones using sub interfaces ( vlans ) . Recently there has been a change in network where they have introduced few other types of servers and now there is a request to make more zones
  Avaliable Data interfaces are 3
  Required Zones are 7
  Now this is possible using sub interfaces ( vlan ) but I want to know if this is a recommended solution to use subinterfaces at such large scale and dividing every possible interface . It is a company of 1000 users , other option could be to put an 4GE-SSM card but please let me know if the subinterfaces solution is recommended one for enterprizes ?

  Hello,
  Sub-interfaces will work fine for you, but just keep in mind that it is still a shared physical medium. Therefore, the sum of the aggregate traffic in all of the VLANs cannot exceed the capacity of the single physical interface. I would suggest ramping up the traffic slowly and monitoring for any performance issues, but otherwise you should be fine.
  -Mike

• HSRP Interface Tracking on ATM Sub-Interface?

  I want to enable HSRP interface tracking to monitor an ATM sub-interface. As I understand it, when using the (standby 1 track <interface>) command, the HSRP group priority will be decremented only if the line protocol goes down on the interface being tracked. For this reason I need to track an ATM sub-interface (i.e. atm1/0.77). I am wondering if this will work properly. Has anyone ever used this configuration successfully?

  Hi Friend,
  I find no reason why it should not work?
  When it work for serial subinterface and frame relay interfces it should also work for atm subinterface.
  I have implemented in serial subinterface.
  Yes it should work fine. Go ahead and implement and update the status.
  Regards,
  Ankur

• The difference between IEEE802.1Q Native VLAN sub-interface and Physical interface?

  Hello
  I think the following topologies are supported for Cisco Routers
  And the Physical interface also can be using as Native VLAN interface right? 
  Topology 1.
   R1 Gi0.1 ------ IEEE802.1Q Tunneling  L2SW ------ Gi0 R2
  R1 - configuration
  interface GigabitEthernet0.1
   encapsulation dot1Q 1 native
   ip address 10.0.0.1 255.255.255.0
  Topology 2.
  R1 Gi0 ------ IEEE802.1Q Tunneling L2SW ------ Gi0 R2
  interface GigabitEthernet0
  ip address 10.0.0.1 255.255.255.0
   And is it ok to use the physical interface and sub-interface with dynamic routing such as EIGRP or OSPF etc?
  R1 Gi 0 ---- Point to Multipoint EIGRP or OSPF ---- Gi0 R2 / R3 
        Gi 0.20--- Point to Point EIGRP or OSPF --- Gi0.10 R4  (same VLAN-ID) 
  R1 - configuration
  interface GigabitEthernet0
   ip address 10.0.0.1 255.255.255.0
  interface GigabitEthernet8.20
   encapsulation dot1Q 20
   ip address 20.0.0.1 255.255.255.0
  Any information is very appreciated. but if there is any CCO document please let me know.
  Thank you very much and regards,
  Masanobu Hiyoshi

  Hello,
  The diagram is helpful.
  If I am getting you correctly, you have three routers interconnected by a switch, and you want them to operate in a hub-and-spoke fashion even though the switch is capable of allowing direct communication between any of these routers.
  Your first scenario is concerned with all three routers being in the same VLAN, and by using neighbor commands, you force these routers to establish targeted EIGRP adjacencies R1-R2 and R1-R3, with R1 being the hub.
  Your second scenario is concerned with creating one VLAN per spoke, having subinterfaces for each spoke VLAN created on R1 as the router, and putting each spoke just in its own VLAN.
  Your scenarios are not really concerned with the concept of native VLAN or the way it is configured, to be honest. Whether you use a native VLAN in either of your scenarios, or whether you configure the native VLAN on a subinterface or on the physical interface makes no difference. There is simply no difference to using or not using a native VLAN in any of your scenarios, and there is no difference to the native VLAN configuration being placed on a physical interface or a subinterface. It's as plain as that. Both your scenarios will work.
  My personal opinion, though, is that forcing routers on a broadcast multi-access segment such as Ethernet to operate in a hub-and-spoke fashion is somewhat artificial. Why would you want to do this? Both scenarios have drawbacks: in the first scenario, you need to add a neighbor statement for each spoke to the hub, limiting the scalability. In the second scenario, you waste VLANs and IP subnets if there are many spokes. The primary question is, though: why would you want an Ethernet segment to operate as a hub-and-spoke network? Sure, these things are done but they are motivated by specific needs so I would like to know if you have any.
  Even if you needed your network to operate in a hub-and-spoke mode, there are more efficient means of achieving that: Cisco switches support so-called protected ports that are prevented from talking to each other. By configuring the switch ports to spokes as protected, you will prevent the spokes from seeing each other. You would not need, then, to configure static neighbors in EIGRP, or to waste VLANs for individual spokes. What you would need to do would be deactivating the split horizon on R1's interface, and using the ip next-hop-self eigrp command on R1 to tweak the next hop information to point to R1 so that the spokes do not attempt to route packets to each other directly but rather route them over R1.
  I do not believe I have seen any special CCO documents regarding the use of physical interfaces or subinterfaces for native VLAN or for your scenarios.
  Best regards,
  Peter

• Asa 5505 sub interface plus ports

  I have never used 5505 I gave used higher firewalls and all of them can do sub interfaces normally we make sub interfaces and vlans are assigned to them I m trying to config 5505 can someone tell me how I can create sub interfaces ? As I saw few config and it seems that you config vlans like switch ??? Secondly all interfaces have to b part of vlan ? Ie outside which is g0/0 ....can I config it as normall routed port ?

  The 5505 is configured nearly the same a a L3-switch. You configure the Vlan-interfaces and assign these to your switch-ports. The switch ports can be configured as access- or as trunk-ports (if you have a SecPlus license).
  You find more on this topic on the Config-Guide:
  http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_start_5505.html

• NAT on sub-interface with no internet access

  Good morning,
  Please I have a router 2901, which I configured tow sub-interfaces for Voice and Data. Everything seems to be working fine but I can't access the internet after configuring NAT.
  Config below
  Router1#sh config
  Using 5392 out of 262136 bytes
  ! No configuration change since last restart
  ! NVRAM config last updated at 16:15:07 UTC Wed Jul 2 2014 by aadmin
  ! NVRAM config last updated at 16:15:07 UTC Wed Jul 2 2014 by aadmin
  version 15.2
  service timestamps debug uptime
  service timestamps log uptime
  service password-encryption
  hostname A
  boot-start-marker
  boot-end-marker
  ! card type command needed for slot/vwic-slot 0/0
  logging buffered 51200 warnings
  enable secret 4 U3/EVMmZsx9ys3vbB8aDhHy.5h4qh2V8/DkTGNsxvTA
  enable password 7 06150E2C5F5B071E
  aaa new-model
  aaa authentication login default local
  aaa session-id common
  memory-size iomem 25
  ip cef
  ip dhcp excluded-address 10.10.36.1 10.10.36.25
  ip dhcp excluded-address 10.10.36.200 10.10.36.254
  ip dhcp pool DATA
   network 10.10.36.0 255.255.255.0
   default-router 10.10.36.1
   dns-server 8.8.8.8 4.2.2.2
  ip dhcp pool VOICE
   network 10.1.1.0 255.255.255.0
   default-router 10.1.1.1
   option 150 ip 10.10.36.4
  no ipv6 cef
  multilink bundle-name authenticated
  crypto pki trustpoint TP-self-signed-3112445314
   enrollment selfsigned
   subject-name cn=IOS-Self-Signed-Certificate-3112445314
   revocation-check none
   rsakeypair TP-self-signed-3112445314
  crypto pki certificate chain TP-self-signed-3112445314
   certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
  voice-card 0
  license udi pid CISCO2901/K9 sn FCZ1808C4L8
  hw-module pvdm 0/0
  username a password 7 1416111F05557C
  username e privilege 15 password 7 1437455E0E2A25382525260B67
  username c password 7 030B580E0701284F165B5C
  username a password 7 01000709481E0808
  redundancy
  interface Embedded-Service-Engine0/0
   no ip address
   shutdown
  interface GigabitEthernet0/0
   description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
   ip address #.#.#.58 255.255.255.248
   ip nat outside
   ip virtual-reassembly in
   duplex auto
   speed auto
   no keepalive
  interface GigabitEthernet0/1
   no ip address
   ip nat inside
   ip virtual-reassembly in
   duplex auto
   speed auto
   no keepalive
  interface GigabitEthernet0/1.1
   encapsulation dot1Q 1 native
   ip address 10.10.36.1 255.255.255.0
   ip verify unicast reverse-path
   ip nat inside
   ip virtual-reassembly in
  interface GigabitEthernet0/1.100
   encapsulation dot1Q 100
   ip address 10.1.1.1 255.255.255.0
  ip forward-protocol nd
  ip http server
  ip http access-class 23
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 10000
  ip nat inside source list LAN_NAT_POLICY interface GigabitEthernet0/1.1 ov
  ip route 0.0.0.0 0.0.0.0 #.#.#.57
  ip access-list extended LAN_NAT_POLICY
   permit ip 10.0.0.0 0.255.255.255 any
  access-list 23 permit 10.10.36.0 0.0.0.255
  access-list 23 permit 10.10.0.0 0.0.0.255
  access-list 23 permit 10.10.0.0 0.0.255.255
  access-list 101 permit tcp 10.10.36.0 0.0.0.255 host 10.10.36.1 eq telnet
  control-plane
  mgcp profile default
  gatekeeper
   shutdown
  banner exec ^C
  % Password expiration warning.
  Cisco Configuration Professional (Cisco CP) is installed on this device
  and it provides the default username "cisco" for  one-time use. If you hav
  already used the username "cisco" to login to the router and your IOS imag
  supports the "one-time" user option, then this username has already expire
  You will not be able to login to the router with this username after you e
  this session.
  It is strongly suggested that you create a new username with a privilege l
  of 15 using the following command.
  username <myuser> privilege 15 secret 0 <mypassword>
  Replace <myuser> and <mypassword> with the username and password you want
  use.
  ^C
  banner login ^C
  Cisco Configuration Professional (Cisco CP) is installed on this device.
  This feature requires the one-time use of the username "cisco" with the
  password "cisco". These default credentials have a privilege level of 15.
  YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  PUBLICLY-KNOWN
  CREDENTIALS
  Here are the Cisco IOS commands.
  username <myuser>  privilege 15 secret 0 <mypassword>
  no username cisco
  Replace <myuser> and <mypassword> with the username and password you want
  to use.
  IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
  TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
  For more information about Cisco CP please follow the instructions in the
  QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
  ^C
  line con 0
   password 7 13041406025D52
  line aux 0
   exec-timeout 0 1
   no exec
  line 2
   no activation-character
   no exec
   transport preferred none
   transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
   stopbits 1
  line vty 0 4
   access-class 23 in
   privilege level 15
   password 7 094D4D1D105441
   transport input telnet ssh
  line vty 5 15
   access-class 23 in
   privilege level 15
   transport input telnet ssh
  scheduler allocate 20000 1000
  ntp master
  ntp server 10.10.36.1
  end
  Please I need a quick response
  Thank you.

  Can you change the interface to outside interface in this command
  ip nat inside source list LAN_NAT_POLICY interface GigabitEthernet0/1.1 ov
  can you try this below command
  ip nat inside source list LAN_NAT_POLICY interface GigabitEthernet0/0 ov
  Regards
  PrajithTR

• How to make ASR9000 bridge domain forward traffic between sub interfaces of same physical interface?

  Hi,
  I regularly use bridge domains to connect sub interfaces on different vlans using this sort of configuration:
  interface GigabitEthernet0/0/0/5.21 l2transport
  description CUSTOMER A WAN
  encapsulation dot1q 21
  rewrite ingress tag pop 1 symmetric
  interface GigabitEthernet0/0/0/10.3122 l2transport
  description CUSTOMER A CORE
  encapsulation dot1q 3122
  rewrite ingress tag pop 1 symmetric
  l2vpn
  bridge group WANLINKS
    bridge-domain CUSTOMERA
     interface GigabitEthernet0/0/0/5.21
     interface GigabitEthernet0/0/0/10.3122
  When I try to use the same method to bridge two sub interfaces on the same physical interface so as to create a L2 VPN no data flows:
  interface GigabitEthernet0/0/0/5.21 l2transport
  description CUSTOMER A WAN
  encapsulation dot1q 21
  rewrite ingress tag pop 1 symmetric
  interface GigabitEthernet0/0/0/5.22 l2transport
  description CUSTOMER A WAN2
  encapsulation dot1q 22
  rewrite ingress tag pop 1 symmetric
  l2vpn
  bridge group WANLINKS
    bridge-domain CUSTOMERA
     interface GigabitEthernet0/0/0/5.21
     interface GigabitEthernet0/0/0/5.22
  If I add a BVI interface to the bridge domain then the CE devices at the remote end of the WAN interface can both ping the BVI IP but they remain unable to ping each other.
  Is this because tag rewrites are not happening since packets don't leave the physical interface?
  How can I work around this and establish a L2 connection between the two subinterfaces?
  Thank you

  a vlan is usually the equivalent of an l3 subnet, so linking 2 vlans together in the same bridge domain, likely needs to come with some sort of routing (eg a BVI interface).
  If these 2 vlans are still in the same subnet, then there is still arp going on, from one host to the other that traverses the bD.
  you will need to verify the state of the AC, the forwarding in the BD and see if something gets dropped somewhere and follow the generic packet troubleshooting guides (see support forums for that also).
  that might give a hint to what the precise issue in your forwarding is.
  regards
  xander

• How to get input and output using math interface toolkit

  Hi,
  I am fairly new to labview and i am trying to convert my labview code
  into matlab mex files using math interface toolkit. I cant see any
  input or output terminals when i try to convert the code to mex files
  even though my vi has plenty of inputs and outputs that should be
  available during conversion.
  just to cross  check i made another vi in which i inputted an
  array of data to an fft and outputted it to an array again. i tried to
  convert this code to mex files but was still not able to see any input
  or output terminals, which makes me believe that i must be doing
  something wrong at the very basic level and inspite of trying really
  hard for some days now i have not been able to figure out that might be.
  So please help.
  I am attaching the basic vi that i created along with the link that i followed for converting labview code to mex files.
  http://zone.ni.com/devzone/conceptd.nsf/webmain/EEFA8F98491D04C586256E490002F100
  I am using labview 7.1
  Thanks
  Attachments:
  test.vi ‏17 KB

  Yes, you've made a very basic mistake. You have front panel controls and indicators but none of them are connected to the VI's connector pane. right click on the VI's icon and select "Show Connector". You use the wiring tool to select a connection there and then select a control or indicator. Use the on-line help and look up the topic "connector panes". There are some sub-topics on how to assign, confirm, delete, etc.

• Sub-interface numbering setup

  I can't find it officially stated in any Sun documentation, but I'm assuming that when a global zones boots, it checks /etc/zones/*.xml, using the XML file when starting up each zone to assign the appropriate resources?
  Is that correct? I'm just wanting to confirm how a global zone configures the interfaces for a local zone.
  For example:
  root@global00:/etc/zones> ifconfig -a
  e1000g0:23: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
  zone wlsdva27
  inet xxx netmask ffffff00 broadcast xxxx
  I'm not sure how to make sure that this interface configuration would survive from a complete restart of the entire server. In other words, that :23 would still be assigned the same IP after a complete server restart.
  I understood that Solaris 9/10 needed /etc/hostname.interface to be setup:
  root@glocal00:/etc/zones> ls /etc/host*
  /etc/hostname.e1000g0 /etc/xxx /etc/xxxx
  /etc/hosts /etc/xxx /etc/xxxx
  root@global00:/etc/zones> cat /etc/hostname.e1000g0
  global00
  root@global00:/etc/zones>
  I don't see any /etc/hostname.* files for any of the virtual interfaces... Would/should there be?
  So, basically, with a system with multiple zones/containers, how does the global zone re-assign the same sub-interfaces to the same zone/container? I realize sub-interface numbering may not be all that important, but I was still wondering.

  It's first-come first-serve on virtual interfaces. They are not assigned statically.

• Prime 2.0 monitor sub interface

  Can you monitor a sub-interface using Prime 2.0 - TenGigabitEthernet4/7.2010?  If so how?  When we select Design | Management Tools | Port Grouping | Add to Group | Select Group | WAN Interfaces we do not see any sub-interfaces

  Step 1 Download the appropriate point patch to a local resource in your environment:
   a. With the Cisco Download Software navigator displayed in your browser, select Products > Cloud and Systems Management > Routing and Switching Management > Network Management Solutions > Cisco Prime Infrastructure .
   b. Select the version of Cisco Prime Infrastructure that most closely matches the one you are currently using (e.g., Cisco Prime Infrastructure 1.2 ).
   c. Click Prime Infrastructure Patches to see the list of available patches for that version of the product.
   d. Next to each patch that is required, click Download , then follow the prompts to download the file.
  Step 2 Open a command-line interface session with the Prime Infrastructure server (see Connecting Via CLI in the Cisco Prime Infrastructure 2.1 Administrator Guide ).
  Step 3 Copy the downloaded patch file to the default local repository. For example:
   admin# copy source path /defaultRepo
  Where:
   source is the downloaded patch file’s location and name (for example: ftp://MyFTPServer/pi_9.3.1.0_update.tar.gz).
   path is the complete path to the default local backup repository, defaultRepo.
  Step 4 Install the patch:
   admin# patch install patchFile defaultRepo
  Where patchFile is the name of the patch file you copied to defaultRepo.
  or check this Bug
  CSCun11428
  Upgrade from Prime Infrastructure 2.0 to 2.1 failed.

• Traffic Shaping on Sub-interfaces

  Hi all,
  On my network i am trying to give preference to certain traffic type A over another traffice type B  over a VSAT link.
  the VSAT link is about 64Kbps/64Kbps and this link is connected to a router subinterface.
  I initially thought of CBWFQ to reserve bandwidth for the differenct traffic types but there are restrictions to using CBWFQ on Sub interfaces.
  Hence I tot of the option of shaping the less preffered traffic to a less than half the bandwidth  say 24K will be a good idea however i worry that the contents of the shaping queue will constitute both the preffered traffic and the less preffered traffic hence introducing more delay to the more preffered traffic. which is not required.
  Any other better ways to achieve this?

  You can use hierarchical qos:
  http://www.cisco.com/en/US/tech/tk543/tk545/technologies_tech_note09186a0080114326.shtml

• Main Interface and Sub Interface

  Hello,
  I'm fairly new to ASA firewalls so some help is appreciated. Can anyone explain the point of the below config. I thought that normally when using Vlan's there would be no point on configuring a nameif & security level on the main interface? In this case what would configuring an ACL based NAT exemption on the Trunk interface do to traffic on the sub interfaces?
  interface GigabitEthernet1/0
  nameif Trunk
  security-level 100
  no ip address
  interface GigabitEthernet1/0.100
  vlan 100
  nameif VLAN100
  security-level 100
  ip address 192.168.100.1 255.255.255.0 standby 192.168.100.2
  interface GigabitEthernet1/0.101
  vlan 101
  nameif VLAN101
  security-level 90
  ip address 192.168.101.1 255.255.255.0 standby 192.168.101.2
  interface GigabitEthernet1/0.102
  vlan 102
  nameif VLAN102
  security-level 80
  ip address 192.168.102.1 255.255.255.0 standby 192.168.102.2
  Thanks Steve

  You're right about the main interface.
  If you use subinterfaces, you typically do not also want the physical interface to pass traffic, because the physical interface passes untagged packets. Because the physical interface must be enabled for the subinterface to pass traffic, ensure that the physical interface does not pass traffic by leaving out the nameif command. If you want to let the physical interface pass untagged packets, you can configure the nameif command as usual.
  http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html#wp1044006
  Hope that helps

• ATOM on dot1q sub interfaces

  Hello, networkers!
  Long time no see ;-)
  Straight on question now. Imagine a MPLS network with the following topology:
  A B C D E
  (X) --- (X) --- (X) --- (X) --- (X)
  CE PE P PE CE
  Router A & E are customer's routers.
  Router B & D are PE routers
  Let's say that we have created MPLS ATOM using Xconnect in between routers B and D. They are both using FastEthernet interfaces with sub-interfaces configured on. Router D is configured to RouterE in this way:
  interface FastEthernet0/0.15
  description ** RouterD->RouterE **
  encapsulation dot1Q 15
  no cdp enable
  xconnect 2.2.2.2 666 encapsulation mpls
  on the other end, router B is configured as follow:
  interface FastEthernet0/0.26
  description ** RouterB->RouterA **
  encapsulation dot1Q 26
  no cdp enable
  xconnect 1.1.1.1 666 encapsulation mpls
  end
  Where 1.1.1.1 is RouterD loopback and 2.2.2.2 is Router B lo0.
  What do you think about that scenario? Should it work with this configuration when the dot1q vlans differs? In my opinion this shouldn't work as expected as long as MPLS is doing just transparent transport of entire L2 frame (instead of using internetworking on IP level)
  Can anyone, please explain how does Cisco handle this? I remember that I've read somewhere during my CCIE journey that there are different types of AtOM VC's which can either carry the dot1q tag or not.
  Thank you in advance!
  Kind regards,
  Dani Petrov
  P.p. I tried it in a few different configurations and the results are very interesting but please first share your thoughts ;-)

  Hi,
  You can't force the vc-type and don't need to.
  To summarize:
  - switchport trunk mode and subinterfaces will always pop the outer tag
  - EVC interfaces do nothing by default.
  On top of that vc-type 4 will add a service-delimiter tag to the frame received from the AC. It's the responsibility of the egress router to know what to do with this tag (rewrite or remove it).
  GSR and 7200 will negotiate a vc-type 4 if the AC is a subinterface. 7600 will always negotiate a vc-type 5 except if the peer wants a vc-type 4.
  HTH
  Laurent.

• Cable Sub-Interface in VRF - DHCP Intermittent Problem

  I've configured multiple VRF's to support third party access to our cable infrastructure.
  Of the 15 CMTS' I have configured, all of them work fine except for one which happens to be a UBR10K running 12.2.15.BC1b. The other CMTS' (7200's and 7100's) are running fine with an older IOS revision but I need the latest IOS on the 10K to support VLAN sub-interfaces.
  The problem is occasionally, DHCP clients will obtain an IP address/netmask from within the proper VRF subnet, but the client is unreachable from the CMTS.
  If we disable the IP address in question from CNR and have the client renew their IP, service is restored.
  This is a big problem. Even though this only happens occasionally, when you have 8000+ users on a CMTS, 'occasionally' still works out to quite a few problem calls.
  Sub-interfaces set up to use static IP addressing on the client experience no problems.
  Any advice would be appreciated.
  = K

  More information may be require to understand the problem, mean while you can go through link :
  http://www.cisco.com/en/US/netsol/ns341/ns396/ns172/ns126/networking_solutions_design_guide_chapter09186a00800eeee8.html