L2TPv3 over DMVPN

Looking for ideas and thoughts on this one.
I have an SVI/L3 interface on a 2911. I want to extend that vlan out to a remote 3560. This is for a lab and proof of concept... otherwise remotely extended the L2 domain is like playing with fire.
3560-->819----->Nested DMVPN Tunnel--->Outer DMVPN termination--->Inner DMVPN termination--->2911 Router.
Basically the goal is that the 3560 has the appearance for testing that I am connected to the 2911. I have seen different recommendations from where to put the xconnect commands, so looking for some guidance on all of that.

Andrea,
I think I understand where my confusion comes from. You are using L2TPv3 in a context of VPDN rather than using it as a transport a pseudowire, right?
In this case the L2TPv3 session could just be routed as IP traffic through the core. Or if you want to use pseudowires through the core, it would certainly be possible to use MPLS for this purpose.
Let me know if that helps,

Similar Messages

  • MTU over DMVPN and MPLS

    Hello All,
    I have a query regarding MTU over both DMVPN and MPLS.
    I have been running the following command from a windows box
    ping x.x.x.x -f -l yyy     (yyyy being the buffer size) and x.x.x.x being my remote hosts
    I am using the same destination host and have two different paths to it. One over MPLS and one over a DMVPN.
    I would have expected to be able to send packets with a higher MTU over the MPLS but for both MPLS and DMVPN the maximum packet size I can send with the DF bit set is the same  (1372).
    Is this normal behaviour? I though MPLS would have less overhead, so my maximum packet size would be higher in my tests

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    Generally, MPLS supports an increased MTU, when adding MPLS labels, while VPN tunnels, like DMVPN, don't exceed original MTU, and so, it reduces payload space.  So, normally, you should see larger ping buffer DF support across MPLS than DMVPN.  However, "normal" can be very much impacted by actual device configurations, including making MTU for DF packets the same for either MPLS or DMVPN.  (For example, you might want to make the two paths alike so flows that for any reason need to be redirect from one media path to the other see a consistent MTU.)

  • Multicast paging over DMVPN over MPLS

    We're using IPcelerate as our paging solution and have the need to extend the application across our MPLS/VPLS network. I'm looking for a configuration or, at the very least, some guidance to get this working across a DMVPN over said MPLS/VPLS.
    Regards,
    -Mike M.

    Hi Michael
    I have been in a similar situation before of having Paging to traverse over the WAN IP MPLS network with SingleWire Paging system. If we are talking about Audio paging, it is built on the IP multicast networking and thus to extend this service to remote offices connected through IP MPLS network, the Service provider should enable IP multicast over its VRFs for you. In my case it was not feasible by the Service provider(s). SingleWire introduced a solution of a Paging Gateway that is integrated with the paging server and it is located at the remote office. The Paging server sends the target audio mulitcast as a unicast session to the paging gateway in the remote office and then the paging gateway sends on the LAN as a multicast .
    I am not sure if IPcelerate has a similar solution, but it is worth asking and validating.
    Hope that helps
    MonieM

  • L2TPv3 over MPLS

    Hi folks,
    I've to implement two L2TPv3 tunnels over MPLS backbone, primary and backup. I'm thinking about L2 pseudowires, but my question is: with 2 pseudowires, how could I do, if possible, to create a primary and a backup tunnel? Something like FRR?
    I've found in a recent post a configuration for two tunnels:
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddda49d
    but no idea about how to implement a fault tolerance solution.
    Any advice will be appreciated
    Thanks
    Andrea

    Andrea,
    I think I understand where my confusion comes from. You are using L2TPv3 in a context of VPDN rather than using it as a transport a pseudowire, right?
    In this case the L2TPv3 session could just be routed as IP traffic through the core. Or if you want to use pseudowires through the core, it would certainly be possible to use MPLS for this purpose.
    Let me know if that helps,

  • Ethernet over Public link with Cisco 65XX Series

    We are transferring some equipment from one datacenter to another and we do not have private line connectivity between them at the current time.
    We are hoping to be able to temporarily be able to establish some type of Layer2 connectivity between the facilities to help allow us to spread out the migration into 2 events.  We have Cisco 65XX series switches at the core at both facilities and I am wondering what we might be able to use to make this happen?
    EoMPLS is out as we have to be able to extend the layer2 functionality across carrier networks and L2TPv3 is not supported on Cisco 65XX from what I have read / checked on our switches (if there is an IOS version that does support it, please let me know).
    I have read a bit about VPLS over GRE but I am not clear on the configuration and/or if it supported as it references MPLS at various points within the documentation that I have read.
    Any guidance would be appreciated.

    I've absolutely no idea if this would help in your case. 
    But anyway, I think 6500 handles DMVPN. May be MPLS over DMVPN would be a solution?
    https://sites.google.com/site/amitsciscozone/home/important-tips/traffic-engineering/p2mp-mpls-te-over-dmvpn
    http://networkknerd.blogspot.be/2014/08/dmvpn-mpls-over-dmvpn-oh-yeah.html
    HTH

  • DMVPN Routing Protocols

    Hi all, I have a couple of questions about routing protocols over  DMVPN.
    I'm a bit rusty so I'd appreciate if there's mistakes in my understanding if you could correct me.
    I understand the EIGRP doesn't ordinarily use the next hop field, receiving routers insert the source of the EIGRP update as the next hop. It uses split horizoning and feasibility tests to detect loops. Over DMVPN you can use the no ip next hop self eigrp command to force eigrp to insert the originating router as the next hop.
    OSPF you can specify different OSPF network types - I cannot remember exactly but it may be broadcast networks or multi-access that don't change the next hop?
    RIPv2 - I do not understand how RIPv2 works with DMVPN (although I know it does) as to my knowledge Ripv2 does indeed change the next hop.
    Can anyone explain how Ripv2 integrates with DMVPN and confirm or correct my understanding of EIGRP/OSPF?
    Thanks very much

    You're correct on EIGRP. OSPF preserves the next hop of the originating router in all modes except point-to-multipoint. RIPv2 always preserves the original next-hop and this can't be turned off... so it works with DMVPN with no modification except for the split-horizon considerations.
    For scaling DMVPN, your worst choice is OSPF because of the large link-state database that forms with so many routers on a single subnet. EIGRP and RIPv2 are very good for DMVPN because the updates are small and simple. These days, I'm moving to BGP for just about all of my DMVPN work... mostly because it scales better than any IGP.

  • L2TPv3 vs MPLS in the CORE....

    Hi:
    Are there any real pros or cons with using L2TPv3 in the Core vs using MPLS?
    Why would one utilize L2TPv3 over MPLS in the core?
    Both work but what would be the deciding factors for an engineer to deploy on over the other.
    Thanks !!

    Utlize L2TPv3 in the Core?..can you please elaborate a little on the query.
    On a overview note:
    1) L2TPv3 is a different technology which caters more for L2 forwarding between edges,
    where as MPLS is more of a Core technology.
    Having many service features under it like, L3VPN,L2VPN,MVPN, TE etc.. So they can not be compared, or other way round its comparing apples to oranges.
    Lines can be drawn only between L2VPN and L2TPv3 for comparision.
    L2VPN has to be provided to the end user by a service provider (end use also can do it, if he can lay MPLS core between his end sites), where as L2TPv3 can be implemented on your own with plain IP reachability between the end points.
    HTH-Cheers,
    Swaroop

  • Dmvpn wtih backhauled internet traffic to central site

    using dmvpn,but backhauling internet traffic over dmvpn to central site for monitoring, etc.  This unfortunately has the side effect of breaking spoke to spoke dynamic tunnels.  Anyone know a work around?

    For this Scenario you can put your internet-link into a different VRF. The differences to a "normal" DMVPN-config are the following:
    interface GigabitEthernet 0/0
    description Connection to ISP
    ip vrf PUBLIC
    interface Tunnel1
    description Tunnel to Hub
    tunnel vrf PUBLIC
    ip route vrf PUBLIC 0.0.0.0 0.0.0.0 GigabitEthernet 0/0

  • DMVPN as Backup link to MPLS

    Hi,
    i want to implement DMVPN to one of our branch as a fail over link if the MPLS point to point is down.
    The MPLS VPN is working fine but due to SP faults we are experiencing frequent link downs.so i want to place a dsl router at branch and configure DMVPN to our existing HUB router.
    i am configuring branch router as a spoke to HUB router R3 with rip so when the MPLS which using eigrp goes down , then DMVPN link should be up depending upon AD but, my doubt is if again MPLS link gets up, will it switchover to MPLS from DMVPN.
    here is the topology
    Here is the configurations for HO,HUB and Branch Routers
                                 ******** HO ********
    interface Tunnel102
     description " Tunnel HO-Br3"
     bandwidth 2048
     ip address 10.10.0.10 255.255.255.252
     tunnel source 172.33.1.18
     tunnel destination 172.33.33.18
    interface FastEthernet0/0
     description "HO-LAN"                                                 
     ip address 192.168.1.10 255.255.255.0
     duplex auto
     speed auto
    interface FastEthernet0/1
     description " Connection MPLS SP"                    
     ip address 172.33.1.18 255.255.255.252
     duplex full
     speed 100
    router eigrp 200
     redistribute ospf 10 metric 512 600 100 100 1500
     network 10.10.0.8 0.0.0.3
     no auto-summary
    router ospf 10
     log-adjacency-changes
     redistribute eigrp 200 subnets
     redistribute bgp 65350 subnets
     network 192.168.12.0 0.0.0.255 area 0
    router bgp 65350
     no synchronization
     bgp log-neighbor-changes
     bgp redistribute-internal
     network 10.10.10.0 mask 255.255.255.0
    neighbor 172.31.3.17 remote-as 65400
     no auto-summary
                                ********  HUB *********
    (Router R3 Config)
    crypto isakmp policy 10
     encr 3des
     authentication pre-share
     group 2
     lifetime 3600
    crypto isakmp key welc0me address 0.0.0.0 0.0.0.0
    crypto ipsec transform-set strong esp-3des
    crypto ipsec profile cisco
     set security-association lifetime seconds 7200
     set transform-set strong
     interface Tunnel10
     ip address 172.20.20.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication welc0me
     ip nhrp map multicast dynamic
     ip nhrp network-id 250
     ip tcp adjust-mss 1360
     no ip split-horizon
     delay 100
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel key 100
     tunnel protection ipsec profile cisco
     interface GigabitEthernet0/1
     ip address 74.99.128.25 255.255.255.240
     ip flow ingress
     ip flow egress
     duplex auto
     speed auto
     router rip
     version 2
     redistribute ospf 10 metric 5
     network 172.20.0.0
     no auto-summary
     ip route 0.0.0.0 0.0.0.0 74.99.128.17
                                           (Fail over DMVPN with RIP )
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
     lifetime 3600
    crypto isakmp key welc0me address 74.99.128.25
    crypto ipsec transform-set strong esp-3des
    crypto ipsec profile cisco
     set security-association lifetime seconds 7200
     set transform-set strong
    interface Tunnel10
     bandwidth 1024
     ip address 172.20.20.2 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication 
     ip nhrp map multicast 74.99.128.25
     ip nhrp map 172.20.20.1 74.99.128.25
     ip nhrp network-id 250
     ip nhrp holdtime 300
     ip nhrp nhs 172.20.20.1
     ip nhrp registration no-unique
     ip tcp adjust-mss 1360
     no ip split-horizon
     delay 1000
     tunnel source FastEthernet4
     tunnel destination 74.99.128.25
     tunnel key 100
     tunnel protection ipsec profile cisco
     interface vlan 1
     description " HWIC-DSL Link"
     ip addresss dhcp
     ip virtual-reassembly in
     duplex auto
     speed auto
     router rip
     version 2
     network 172.20.0.0
     network 192.168.50.0
     no auto-summary
     ip route 74.99.128.25 255.255.255.255 192.168.1.1
    interface Tunnel102
     description " Tunnel BR-HO "
     bandwidth 2048
     ip address 10.10.0.9 255.255.255.252
     tunnel source 172.33.33.18
     tunnel destination 172.33.1.18
    interface FastEthernet0/0
     description "BR LAN"
     ip address 192.168.50.5 255.255.255.0
     duplex auto
     speed auto
    interface FastEthernet0/1
     bandwidth 2048
     ip address 172.33.33.18 255.255.255.252
     duplex auto
     speed auto
    router eigrp 200
     network 10.10.0.8 0.0.0.3
     network 192.168.50.0
     no auto-summary
    router bgp 65350
     no synchronization
     bgp log-neighbor-changes
     neighbor 172.33.33.17 remote-as 65400
     no auto-summary

    Hi,
    i am running eigrp over MPLS and i want the dmvpn as failover, so configured rip as it's AD is higher and it will be preferred only when the primary is down, but i want to make sure , it switches over to primary as soon as MPLS comes up.
    if not DMVPN then canyou please suggest me anyother way to get over it...

  • DMVPN - Question

    Hi All
    Quick question really, I have a new requirement i need to modify my network to compensate for the encryption of traffic between PE's.
    I'm obviously going to use DMVPN which will require me to have MGRE deployed on the PE's.
    Traffic will simply just traverse the core as plain old IP.
    I may require VRF encryption DMVPN seems to be the best solution here, also for vrf traffic protection
    CE's will be configured as spokes and PE's as Hubs. Do you think three PE's as hubs will be difficult to configure.  
    Topology can be found below.
    The one VRF should be encrypted between the three sites.
                                            ------  PE-3 ---- CE-3
    CE-1 --- PE-1 ----- P1 ---- P2 ------ PE-2 ----- CE-2

    hi Carl,
    As Giuseppe wrote in the previous post, the right choice would be to implement an end-to-end VPN solution directly between the CEs. PEs dont have to participate in the VPN tunnel.The connectivity will look something like as shown in the topology on my blog - http://eminent-ccie.blogspot.com/2010/07/ip-multicast-over-dmvpn-in-mpls-vpn.html. (diagram)
    Routing between CEs will be directly controlled by the CE. Any of the CE can be treated as Hub, rest as spokes. Tunnel endpoints should be reachable using the direct path via physical intterace (not via tunnel). LAN subnets across each CE should be routed via tunnel.
    IF you are specifically interested for ONLY PE-CE encrypted tunnel, you can use static P2P IPSEC tunnels between PE-CE. Traffic across the MPLS core will be unencrypted in this case. You'll need multiple encrypted tunnels per PE-CE connection. This configuration is rarely used and needed.
    For end-to-end encrypted solution, you can look for GETVPN solution as well, it has more advntages and recommened in these type of private MPLS scenarios.
    HTH
    Swap
    #19804 x2

  • Constant noise in background in voip network

    Hi,
    we have 3 branches and 20 small home offices setup.
    we installed CUCM 8.6 running and serving all the branches and home offices.
    All branch voip network is good, but we hear background noise while calling home office ip phones, the background noise is heard at headoffice only, at home office side it is good.
    i couldn't figure out where it is going wrong.
    the setup is like
    IP Phone------> call manager------> gateway(cisco 1940)------->internet----------> homeoffice router(cisco881)--------->ip phone.
    the home offices are connected over DMVPN tunnels. and the bandwidth is 1 MB for the tunnels.
    attaching router config for head office gateway and home office router

    Hi Abhijit,
    thank you for the reply,
    its some kind of crakling sound.
    we are using 6921 at home office side and 8941 and 6921 at headoffice side, but i found no issue with phones,these are working fine in internal network, when i did .mute the phone at home office side, there is no sound on head office side..
    is there any problem with the encryption used on tunnel, i applied qos for the voip but found no difference..
    please can you help me...

  • VWLC 802.1x NPS authentication Fails

    Hi Guys,
    Hopefully someone can help me with the following problem i'm facing...
    I've a vWLC running 7.3 deployed in our HQ site.
    At the HQ we have a W2k8 R2 NPS deployed at works fine for VPN, Router and Switch Authentication
    In a few remote branch offices which are connected to the HQ over DMVPN we have a couple of 3500's running in flexconnect mode with local switching.
    These AP's register just fine through the VPN link back to the vWLC.
    We deployed a few SSID's that are bound to AP groups.
    All SSID's that use WPA2 with PSK work fine
    All SSID's that use WPA2 with 802.1x Fail
    The Security Settings for the failing SSID's are:
    WPA2 Policy
    WPA2 Encryption AES
    Key Man 802.1x
    AAA Server is pointing to the right NPS for Auth and Accounting
    Radius overwrite IF is disabled
    The settings of the NPS are:
    Conditions:
    Win Group: DOMAIN\Groupxx
    NAS Port Type: Wireless - IEEE 802.11
    Settings:
    EAP Conf: Configured
    Access Perm: Granted
    EAP Method: MS PEAP
    Auth Method: EAP
    NAP Enforcement: Allow full access
    Update non complient: True
    Service Type: Login
    When a laptop (Mac os 10.8) tries to connect to a 802.1x SSID It Prompts for a username and passwd.
    Using DOMAIN\user + passwd the client tries to authenticate for a couple of times and fails
    On the vWLC i can see trap:
    AAA Authentication Failure for UserName:user  User Type: WLAN USER
    At the NPS i can see:
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
    Security ID:                              DOMAIN\user
    Account Name:                              user
    Account Domain:                              DOMAIN
    Fully Qualified Account Name:          dom.com/OU/OU/OU/USER full name
    Client Machine:
    Security ID:                              NULL SID
    Account Name:                              -
    Fully Qualified Account Name:          -
    OS-Version:                              -
    Called Station Identifier:                    34-a8-4e-70-0b-90:test.sec
    Calling Station Identifier:                    10-40-f3-8f-ac-62
    NAS:
    NAS IPv4 Address:                    IP vWLC
    NAS IPv6 Address:                    -
    NAS Identifier: VWLC001
    NAS Port-Type:                              Wireless - IEEE 802.11
    NAS Port:                              1
    RADIUS Client:
    Client Friendly Name: vWLC001
    Client IP Address:                              IP vWLC
    Authentication Details:
    Connection Request Policy Name:          Use Windows authentication for all users
    Network Policy Name:                    Cisco WiFi
    Authentication Provider:                    Windows
    Authentication Server:                    FQDN NPS server
    Authentication Type:                    PEAP
    EAP Type:                              -
    Account Session Identifier:                    -
    Logging Results:                              Accounting information was written to the local log file.
    Reason Code:                              23
    Reason:                                        An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
    Hopefully someone can point me in the right direction.
    Cheers,
    JP

    Find below the output of the debug:
    (Cisco Controller) >
    (Cisco Controller) >*Dot1x_NW_MsgTask_4: May 27 10:08:51.567: 00:21:6a:72:3c:ec apfMsRunStateInc
    *apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 Processing RSN IE type 48, length 20 for mobile 10:40:f3:8f:ac:62
    *apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 Received RSN IE with 0 PMKIDs from mobile 10:40:f3:8f:ac:62
    *apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 Setting active key cache index 8 ---> 8
    *apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 unsetting PmkIdValidatedByAp
    *apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 apfMsAssoStateInc
    *dot1xMsgTask: May 27 10:09:41.428: 10:40:f3:8f:ac:62 Station 10:40:f3:8f:ac:62 setting dot1x reauth timeout = 1800
    *dot1xMsgTask: May 27 10:09:41.428: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 1)
    *dot1xMsgTask: May 27 10:09:41.428: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
    *dot1xMsgTask: May 27 10:09:41.429: 00000000: 02 00 00 32 01 01 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
    *dot1xMsgTask: May 27 10:09:41.429: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
    *dot1xMsgTask: May 27 10:09:41.429: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
    *dot1xMsgTask: May 27 10:09:41.429: 00000030: 72 74 69 64 3d 31 rtid=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 00000000: 01 00 00 0e 02 01 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 00000010: 6c 73 ls
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Received Identity Response (count=1) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Adding AAA_ATT_USER_NAME(1) index=0
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLING_STATION_ID(31) index=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLED_STATION_ID(30) index=2
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT(5) index=3
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_VAP_ID(1) index=7
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_SERVICE_TYPE(6) index=8
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_FRAMED_MTU(12) index=9
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_EAP_MESSAGE(79) index=11
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_MESS_AUTH(80) index=12
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 AAA EAP Packet created request = 0x13a375e4.. !!!!
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Sending EAP Attribute (code=2, length=14, id=1) for mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 00000000: 02 01 00 0e 01 6a 65 61 6e 70 61 75 6c 73 .....jeanpauls
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.473: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 4) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.473: 00000000: 01 01 00 00 ....
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.473: 10:40:f3:8f:ac:62 Received EAPOL START from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 3)
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 00000000: 02 00 00 32 01 03 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 00000030: 72 74 69 64 3d 31 rtid=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 00000000: 01 00 00 0e 02 03 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 00000010: 6c 73 ls
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Received Identity Response (count=2) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_USER_NAME(1) index=0
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLING_STATION_ID(31) index=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLED_STATION_ID(30) index=2
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT(5) index=3
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_VAP_ID(1) index=7
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_SERVICE_TYPE(6) index=8
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_FRAMED_MTU(12) index=9
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_EAP_MESSAGE(79) index=11
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_MESS_AUTH(80) index=12
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 AAA EAP Packet created request = 0x13a375e4.. !!!!
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Sending EAP Attribute (code=2, length=14, id=3) for mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 00000000: 02 03 00 0e 01 6a 65 61 6e 70 61 75 6c 73 .....jeanpauls
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 [BE-req] Local EAP not enabled on WLAN 5. No fallback attempted
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Unable to send AAA message for mobile 10:40:F3:8F:AC:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 4) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000000: 01 01 00 00 ....
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Received EAPOL START from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 5)
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000000: 02 00 00 32 01 05 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000030: 72 74 69 64 3d 31 rtid=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Reached Max EAP-Identity Request retries (3) for STA 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Not sending EAP-Failure for STA 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 10:40:f3:8f:ac:62 Station 10:40:f3:8f:ac:62 setting dot1x reauth timeout = 1800
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 00000000: 01 00 00 0e 02 05 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 00000010: 6c 73 ls
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 10:40:f3:8f:ac:62 Received EAP Response packet with mismatching id (currentid=0, eapid=5) from mobile 10:40:f3:8f:ac:62
    *apfMsConnTask_1: May 27 10:09:54.637: 10:40:f3:8f:ac:62 Processing RSN IE type 48, length 20 for mobile 10:40:f3:8f:ac:62
    *apfMsConnTask_1: May 27 10:09:54.637: 10:40:f3:8f:ac:62 Received RSN IE with 0 PMKIDs from mobile 10:40:f3:8f:ac:62
    *apfMsConnTask_1: May 27 10:09:54.637: 10:40:f3:8f:ac:62 Setting active key cache index 8 ---> 8
    *apfMsConnTask_1: May 27 10:09:54.637: 10:40:f3:8f:ac:62 unsetting PmkIdValidatedByAp
    *dot1xMsgTask: May 27 10:09:54.676: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 1)
    *dot1xMsgTask: May 27 10:09:54.676: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
    *dot1xMsgTask: May 27 10:09:54.676: 00000000: 02 00 00 32 01 01 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
    *dot1xMsgTask: May 27 10:09:54.676: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
    *dot1xMsgTask: May 27 10:09:54.676: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
    *dot1xMsgTask: May 27 10:09:54.676: 00000030: 72 74 69 64 3d 31 rtid=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 00000000: 01 00 00 0e 02 01 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 00000010: 6c 73 ls
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Received Identity Response (count=1) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_USER_NAME(1) index=0
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLING_STATION_ID(31) index=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLED_STATION_ID(30) index=2
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT(5) index=3
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_VAP_ID(1) index=7
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_SERVICE_TYPE(6) index=8
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_FRAMED_MTU(12) index=9
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_EAP_MESSAGE(79) index=11
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_MESS_AUTH(80) index=12
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 AAA EAP Packet created request = 0x13a375e4.. !!!!
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Sending EAP Attribute (code=2, length=14, id=1) for mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 00000000: 02 01 00 0e 01 6a 65 61 6e 70 61 75 6c 73 .....jeanpauls
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 4) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000000: 01 01 00 00 ....
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 10:40:f3:8f:ac:62 Received EAPOL START from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 3)
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000000: 02 00 00 32 01 03 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000030: 72 74 69 64 3d 31 rtid=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 00000000: 01 00 00 0e 02 03 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 00000010: 6c 73 ls
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Received Identity Response (count=2) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_USER_NAME(1) index=0
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLING_STATION_ID(31) index=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLED_STATION_ID(30) index=2
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT(5) index=3
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_VAP_ID(1) index=7
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_SERVICE_TYPE(6) index=8
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_FRAMED_MTU(12) index=9
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_EAP_MESSAGE(79) index=11
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_MESS_AUTH(80) index=12
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 AAA EAP Packet created request = 0x13a375e4.. !!!!
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Sending EAP Attribute (code=2, length=14, id=3) for mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 00000000: 02 03 00 0e 01 6a 65 61 6e 70 61 75 6c 73 .....jeanpauls
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 [BE-req] Local EAP not enabled on WLAN 5. No fallback attempted
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Unable to send AAA message for mobile 10:40:F3:8F:AC:62
    *radiusTransportThread: May 27 10:10:11.489: 10:40:f3:8f:ac:62 [BE-resp] AAA response 'Timeout'
    *radiusTransportThread: May 27 10:10:11.489: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *radiusTransportThread: May 27 10:10:11.489: 10:40:f3:8f:ac:62 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
    *radiusTransportThread: May 27 10:10:11.489: 10:40:f3:8f:ac:62 [BE-resp] AAA request requeued OK
    *radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 [BE-resp] AAA response 'Timeout'
    *radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 [BE-req] Local EAP not enabled on WLAN 5. No fallback attempted
    *radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 [BE-resp] Requeue failed. Returning AAA response
    *radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 AAA Message 'Timeout' received for mobile 10:40:f3:8f:ac:62
    *radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 Filtering AAA Response with invalid Session ID - proxy state 10:40:f3:8f:ac:62-02:00
    *radiusTransportThread: May 27 10:10:41.513: 10:40:f3:8f:ac:62 [BE-resp] AAA response 'Timeout'
    *radiusTransportThread: May 27 10:10:41.513: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *radiusTransportThread: May 27 10:10:41.513: 10:40:f3:8f:ac:62 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
    *radiusTransportThread: May 27 10:10:41.513: 10:40:f3:8f:ac:62 [BE-resp] AAA request requeued OK
    *radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 [BE-resp] AAA response 'Timeout'
    *radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 [BE-req] Local EAP not enabled on WLAN 5. No fallback attempted
    *radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 [BE-resp] Requeue failed. Returning AAA response
    *radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 AAA Message 'Timeout' received for mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:11:11.529: 10:40:f3:8f:ac:62 Processing AAA Error 'Timeout' (-5) for mobile 10:40:f3:8f:ac:62

  • Multiple instances of EIGRP or static routes

    I'm building a network which needs to have All but one of it's private networks pass through a DMVPN, all the routes are advertised through EIGRP, that part works great!
    I have a private VLAN that only has access onto the internet, the address is Nat'ed over to a public IP address. Each router, there's six of them, are neighbors to two other routers. The furthest router to the internet has to go through three routers to get to the internet. My current idea is to use static routes on all the routers to the Internet gateway router. Then let recursive routing sort out each hop. What I would rather do is have EIGRP do all that. I really don't want to mess with the EIGRP that's running for the DMVPN tunnels, I'd like to have another instance of EIGRP run on the routers that will route the users to the Internet.
    Does anyone have any thoughts concerning this design.
    Thanks.
    Mitch

    Mitch
    I am not clear about what you are attempting to achieve and not very clear about the topology. So my answer may or may not be on target. If it is not perhaps you can help us understand a little better what is involved.
    I believe that what you are saying is that you have an existing network with multiple locations connected over DMVPN and that you run EIGRP as the routing protocol for that network. I believe you are also saying that there is one network segment which needs access to the Internet but should not be able to access the other parts of your network.
    You say that the address of this other segment is NATed but are not clear whether the translation is ont the router where the segment is located or is on the Internet gateway router.
    Probably the traditional solution for this would be to provide a default route for this segment pointing toward the Internet gateway router, to have a route on the Internet gateway router (and other routers along the path toward where the network is located), and a series of access lists on each router along the way which allows passage to the Internet and denies access to local resources.
    I would propose a somewhat different solution. I believe that it would work if you configure a GRE tunnel between the router where the segment is located and the Internet Gateway router. On the router where the segment is located you could do Policy Based Routing to send traffic from the private segment to the Internet over the GRE tunnel (which effectively isolates it from your other resources). You might want Policy Based Routing on the Internet gateway router to be sure that traffic from the private segment was forwarded only to the Internet (though you might not need that). The Internet gateway router could have a route (probably a static route) which sends traffic to the private segment over the GRE tunnel.
    Let us know what you think of this. And if it is off the mark perhaps you could clarify a bit.
    HTH
    Rick

  • Securing LAN traffic

    Hi,
    On a remote branch i have a router which is conencted via internet to data center over DMVPN cloud. LAn side of this brnach is connected to multiple switches which are spanned over differnet buildings, connected through fiber to the main router. Most of these LAN devices are 2960 & 3560 switches. I have a requirment to encrypt traffic between the router and LAN switches.  (While i have only one internet port/Public IP on remote branch router, i am assuming DMVPN will not be able to map one Public IP to multiple LAN routers/Subnets?)
    What would be the best solution;
    1- With current devices.
    2- In case we upgrade remote LAN devices to routers etc.
    Thanks

    Hey curtis03,
    This is a pretty open question so I'll try to go with just recommending what we use. We've run Compuware NetworkVantage for a few years and love it. It works as a probe and can be wired of a monitoring port on a switch. It will summarize all data sent and received into reports you can customize. We found this valuable when assessing whether a bandwidth increase was required. You can find info on it at:
    http://www.compuware.com/products/vantage/networkvantage.htm
    If you're looking for an open-source solution... look into the use of NetFlow capturers/parsers. There's a variety of free ones that will get the job done if you're on a tight/non-existant budget. Anything else I can help with let me know.
    -Mike
    http://cs-mars.blogspot.com

  • IPv4 private addressing tradeoff: small footprint vs even VLSM length?

    Is minimising one's use of the private address space to avoid unnecesary potential overlap worth the hassle of having un-even VLSM lengths?
    I am designing my first non-trivial IPv4 addressing scheme in the 10.0.0.0/8 range.  Just two small branch offices, but on the access-layer, I'm putting servers, printers, desktops and phones onto separate VLANs.  (In fact, when doing L3 at the access-layer, you can quickly end up with multiple VLANs).
    Now, few of these VLANs are so big that they'll need a /24 all to themselves.  In fact, a /27 for phones and printers will be fine.  I'll give a /24 to desktops because 255.255.255.0 is the only mask which semi-technical users understand.  Maybe a /25 for servers, which gives a bit of room for further subnetting and putting VMs onto their own VLANs. 
    I'll summarise each site over DMVPN as a /21 subnet.  Neat.
    But at each site the routing tables look messy, with the router sporting addresses like 10.9.13.129/27 and there isn't any real pattern between the L3 address and the VLAN number.
    Why don't I just dole out /24's to each VLAN,  After all, I'm hardly going to minimise conflict with private IP addresses chosen by prospective partners by using /20's instead of /21's for each site (right?), and even if they do, NAT can handle all these situations elegantly (right?).
    What about you, would you minimise your footprint in the address space and deal with 'unevenness' in subnet sizes?  Or would you be easier on your eyes now and simply bite the bullet if you had to NAT one day?
    thanks!
    David.
    Message was edited by: David Bullock - tries to get the crux of the question closer to the top of text.

    I chose Alessio's as the 'correct' answer, since it mentioned route summarisation.  But both answers were correct in the sense that they were quite reasonable.
    In the end, I decided to go wtih my varying-length VLSM approach, to keep the address-sprawl at each site confined to a /21 subnet.  I don't find the varying-length VLSM to be much of an nuisance in practice.  I miss out on being able to make the 3rd octet 'line up' with the VLAN, but I feel that's a pretty delicate affair anyhow.  Some person just has to give VLAN100 as a 'best practice' for the Voice VLAN, for example, and you either start working with a /17 at each site (minimally), or abandon your numbering scheme.  You'd really have to go with a /16 for each site to ensure you can number 254 VLANs in this fashion.  And that means for each site that you chose, there's a 1-in-256 chance you'll pick the same second octet as someone else.  With my scheme, there is a 1 in 8192 chance that I'll pick the same address range, so I've decreased the likelyhood of a conflict by a factor of 32.
    At the end of the day though, so long as route summarisation works, all other considerations seem to be a matter of taste.

Maybe you are looking for

  • Oracle BAM not starting

    Hi, I installed fmw 11.1.1.4 on 64 bit windows system.Everyting is working fine but while starting BAM managed server its giving error, "BamServer" failed to preload on startup in Web application: "/oracle/bam". Then I check oracle-bam (11.1.1) appli

  • Converting XML string to Element Type

    Im receiving an XML document as a String. I have defined an element whose message type is of the same schema as the XML String. How can i assign this string to this element in BPEL? im using the setVariable function as follows: setVariableData("Custo

  • Transporting Sales texts to Delivery header text

    Hi All, I'm trying copy text from sold to party to delivery.It works fine in DEV client.But when i transported this change to test client it is not working.I've checked in VOTXN and everything looks fine. Please advise what could be the cause for thi

  • Java.lang.ClassNotFoundException: access

    Hi,i typed in a code and started compiling it,it got compiled but while running its giving the following error Unable to create MIDlet access java.lang.ClassNotFoundException: access      at com.sun.midp.midlet.MIDletState.createMIDlet(+29)      at c

  • What's using my data?

    I just purchased a Blackberry Bold 9930.  Other than the first 2 days, I have not used any data, visited any webpages, etc.  I do not have email set up yet.  However, Small amounts of data are being used every day; sometimes several times a day.  Is