MPLS P-to-PE OSPF Inter-Area failover

Hi Guys.
I am simulating a MPLS core using OSPF for the control plane IGP.
Here's the setup:
Area 0 - backbone
Area 1 - PE routers in location A (PE-A)
Area 2 - PE routers in location B (PE-B)
Network is running MPLS/VPN
Here are the requirements:
1. There will be nxGE links between PE-A and PE-B for a better latency requirement and to bypass Area 0 for Location A<>B destined traffic
     - I can probably use a new direct route between PE-A and PE-B to establish MP-BGP.
2. When Area 1 to Area 0 links are down, Area1 should failover via Area 2.
    And when Area 2 to Area 0 links are down, Area2 should failover via Area 1.
    - I can probably use virtual-links here... But I don't want to complicate things.
Any recommendations on better design?
Thanks

A long time ago the rule of thumb was that you can have up to 50 routers in one area. This was at the time that the routers and switches had low CPU speed and memory. Nowadays, the routers and switches are powerful enough that they can handle the database of more than 50 routers. I don't think this is going to be an issue with 24 routers, especially since you already have 20 routers in one area.
HTH

Similar Messages

  • OSPF Intra-area Ghost routes

    Hello
    I am currently facing issues while visualizing ospf routes from routers in all areas except within area 0 and ABR. 
    Attached the basic topology. 
    On R1 and R2,  all routes (type IA, E2 and O) are on the ospf database and routing table.
    However only ospf route type IA, E2 from the ABR seems to be announced to R3 (Area 100) and R4 (Area 102) "routes are in OSPF Database and routing table". 
    The ABR's route type "O" seems not to be announced to R3 and R4, as they are not present in the OSPF database nor in the routing table, EXCEPT if I do a "sh ip route x.x.x.x", then I can see the announced route from the ABR.
    It seems to me like a bug as I can not reproduce it from GNS3, but maybe I am missing something.
    It is simple intra-area routing with no filtering implemented.
    What do you think ?
    thank you in advance for your help.
    Regards
    Philippe

    Hello Rolf,
    Below is the output
    1.1)
    ABR-ROUTER#sh ip route 192.168.30.0                
    Routing entry for 192.168.30.0/24
      Known via "ospf 10", distance 110, metric 52, type intra area
      Last update from 10.100.4.5 on GigabitEthernet0/0, 3w0d ago
      Routing Descriptor Blocks:
      * 10.100.4.5, from 100.100.1.13, 3w0d ago, via GigabitEthernet0/0
          Route metric is 52, traffic share count is 1
    1.2)
    ABR-ROUTER#sh ip ospf database summary 192.168.30.0
                OSPF Router with ID (10.100.4.248) (Process ID 10)
    1.3)
    ABR-ROUTER#sh ip ospf interface brief 
    Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
    Lo0          10    0               10.100.4.248/32    1     LOOP  0/0
    NV0          10    0               Unnumbered Lo0     1785  P2P   0/0
    Gi0/0        10    0               10.100.4.1/29      1     BDR   1/1
    Tu4          10    100             10.100.100.2/30    1000  P2P   1/1
    Tu2          10    102             10.100.102.2/30    1000  P2P   1/1
    2.1)
    R3#sh ip route 192.168.30.0 
    Routing entry for 192.168.0.0/16, supernet
      Known via "ospf 10", distance 110, metric 1011, type inter area
      Last update from 10.100.100.2 on Tunnel1, 19:31:25 ago
      Routing Descriptor Blocks:
      * 10.100.100.2, from 10.100.4.248, 19:31:25 ago, via Tunnel1
          Route metric is 1011, traffic share count is 1
    R4#sh ip route 192.168.30.0 
    Routing entry for 192.168.0.0/16, supernet
      Known via "ospf 10", distance 110, metric 1011, type inter area
      Last update from 10.100.102.2 on Tunnel1, 01:33:27 ago
      Routing Descriptor Blocks:
      * 10.100.102.2, from 10.100.4.248, 01:33:27 ago, via Tunnel1
          Route metric is 1011, traffic share count is 1
    2.2)
    R3#sh ip ospf database summary 192.168.30.0
                OSPF Router with ID (10.100.100.255) (Process ID 10)
    R4#sh ip ospf database summary 192.168.30.0
                OSPF Router with ID (10.100.102.255) (Process ID 10)
    Regards
    Philippe

  • Inter-area TE and L1/L2 ISIS routers

    I am a little bit confused when we talked about inter-area TE and L1/L2 ISIS routers.
    I have 8 L1/L2 routers in a partial mesh, these routers belong to different ISIS areas.
    As I understand ISIS implements a topology table for the L2 routes and thus a TE Tunnel is always possible between L1/L2 routers even if they belong to different area ids.
    Inter-area TE only solves the issue for tunnels between L1-only routers belonging to different areas.
    Am I correct? Can I go forward and configure a TE tunnel between L1/L2 routers in different areas?
    Thanks, Roque

    So I guess what you mean is that I do not have to worry about setting up inter-area Tunnels because L1/L2 routers know the core topology?

  • OSPF design for branch offices across MPLS

    Hello fellow networking engineers,
    I want to implement OSPF in our network. We have multiple branch offices, all linked to an MPLS backbone.
    I know that in order to get linked areas, I would need to setup GRE tunnels between them, but I want to avoid static/manual configurations as much as possible. With multiple sites, it would become cumbersome to create a mesh real fast.
    Is running OSPF independent areas at each site, and simply redistributing over eBGP a valid solution? This will host voice and data, and will failover to VPN connection (Cisco ASAs) if the MPLS goes down.
    For the VPN backup links, I thought of two options. Either simply using the default route to send everything to the ASA in case of MPLS "death", or inject routes using IP SLA...
    Any input would be appreciated.

    Marc
    You don't need GRE tunnels to link your areas if that is what you want to do.
    If the SP supports it then you can exchange your OSPF routes between areas and they will still be seen as inter area routes rather than OSPF externals which they would if you simply treated each area as isolated from each other.
    In effect the MPLS network becomes an OSPF super backbone area and your main site would also be part of the backbone area with all your other sites having an area each.
    You still redistribute your OSPF routes into BGP but with some extra configuration on both your CEs and the SP PE devices.
    Like I say you would need to check with your SP but it is possible.
    Whether or not you need or want it I don't know.
    Your other option is as you have proposed to treat each OSPF area as an isolated one and simply redistribute into OSPF at each CE. Then within each site all non local routes would be seen as OSPF external routes.
    Either way in terms of backup I would keep it simple and use a default route at each site pointing to the ASA device. I can't see what you gain from IP SLA because if the main MPLS link goes down at any site the only other path they have out is via the ASA so there is nothing really worth tracking.
    The only other thing I would mention is remote site to remote site traffic. If there is any then presumably with your VPN tunnels you would be doing a sort of hub and spoke where the hub is the main site so you may need to think about traffic coming in from one VPN tunnel and going out to another VPN tunnel on the main site ASA.
    This would only really be needed if two or more sites had to use their backup links at the same time.
    In terms of which is better, i.e. OSPF inter area across the MPLS cloud or OSPF externals, I can't really say to be honest. With the MPLS networks I have worked on we ran EIGRP and simply treated each remote site as an isolated AS.
    If you are already running OSPF then you may want to preserve your existing areas so it would make sense to go with the inter area option.
    If it is a new setup then I don't really know the pros and cons of either so can't really comment.
    Perhaps others may add to the thread with their thoughts.
    Jon

  • MPLS - How are external/internal routes distinguished?

    Hi all
    I was setting up an MPLS environment and wanted to get some more information about how MPLS VPNs work. Basically I have three sites connected to the MPLS cloud. Site A runs EIGRP on the customer side and Site B runs OSPF on the customer side. Site C is the one in question. The way I have it designed, Sites A and C have full visibility into one another and sites B and C have full visibility into one another. When I configure site C with EIGRP, all proper routes are seen, but the OSPF routes from site B are seen as EIGRP external routes. When I switch site C to OSPF, EIGRP routes from site A are seen as OSPF External type 2 routes. I guess my ultimate question is, how does the PE router at site C know the originating protocol? All the routes it receives are from BGP. Does a certain attribute carry this? If so, is this feature specific to Cisco gear or an RFC standard? Thanks in advance for all your help. I can include configs if that would help; below I'll show you my RD and RTs for each VRF and the routing tables of the CE router at Site C before and after the change.
    Site A
    ip vrf a
    rd 1:111
    route-target export 1:100
    route-target import 1:101
    Site B
    ip vrf c
    rd 3:333
    route-target export 3:301
    route-target import 1:101
    Site C
    ip vrf a
    rd 1:111
    route-target export 1:101
    route-target import 1:100
    route-target import 3:301
    Change from EIGRP to OSPF
    Gateway of last resort is not set
         6.0.0.0/32 is subnetted, 1 subnets
    D       6.6.6.6 [90/435200] via 10.2.1.1, 00:05:26, Ethernet0/0
         7.0.0.0/32 is subnetted, 1 subnets
    C       7.7.7.7 is directly connected, Loopback1
         8.0.0.0/32 is subnetted, 1 subnets
    D EX    8.8.8.8 [170/2560025856] via 10.2.1.1, 00:02:13, Ethernet0/0
    D EX 111.0.0.0/8 [170/2560025856] via 10.2.1.1, 00:02:13, Ethernet0/0
         10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
    C       10.2.1.0/24 is directly connected, Ethernet0/0
    D       10.1.1.0/24 [90/307200] via 10.2.1.1, 00:05:56, Ethernet0/0
    D       10.20.0.0/16 [90/435200] via 10.2.1.1, 00:05:56, Ethernet0/0
    C       10.77.0.0/16 is directly connected, Loopback2
    D EX 192.168.1.0/24 [170/2560025856] via 10.2.1.1, 00:02:43, Ethernet0/0
    R7(config)#no router eigrp 22
    *Mar  1 02:10:20.747: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 22: Neighbor 10.2.1.1 (Ethernet0/0) is
    down: interface down
    R7(config)#router ospf 3
    R7(config-router)#network 10.0.0.0 0.255.255.255 area 0
    R7(config-router)#network 7.7.7.7 0.255.255.255 area 0
    R7(config-router)#end
    R7#show ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is not set
         6.0.0.0/32 is subnetted, 1 subnets
    O E2    6.6.6.6 [110/409600] via 10.2.1.1, 00:00:27, Ethernet0/0
         7.0.0.0/32 is subnetted, 1 subnets
    C       7.7.7.7 is directly connected, Loopback1
         8.0.0.0/32 is subnetted, 1 subnets
    O IA    8.8.8.8 [110/21] via 10.2.1.1, 00:00:27, Ethernet0/0
    O IA 111.0.0.0/8 [110/21] via 10.2.1.1, 00:00:27, Ethernet0/0
         10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
    C       10.2.1.0/24 is directly connected, Ethernet0/0
    O E2    10.1.1.0/24 [110/1] via 10.2.1.1, 00:00:26, Ethernet0/0
    O E2    10.20.0.0/16 [110/409600] via 10.2.1.1, 00:00:26, Ethernet0/0
    C       10.77.0.0/16 is directly connected, Loopback2
    O IA 192.168.1.0/24 [110/11] via 10.2.1.1, 00:00:26, Ethernet0/0
    R7#trace 6.6.6.6
    Type escape sequence to abort.
    Tracing the route to 6.6.6.6
      1 10.2.1.1 652 msec 396 msec 192 msec
      2 40.1.1.9 [MPLS: Labels 18/24 Exp 0] 2264 msec 2640 msec 2532 msec
      3 30.1.1.3 [MPLS: Labels 18/24 Exp 0] 2320 msec *  *
      4 10.1.1.1 [MPLS: Label 24 Exp 0] 1816 msec 1792 msec 2148 msec
      5 10.1.1.2 1940 msec *  2200 msec
    R7#

    Hello Edward,
    I see nothing strange in the results you have posted. They are completely natural to the process of carrying customer routes over MPLS L3 VPN.
    You know yourself that the customer routes are carried between PE routers using BGP, and from PE towards CE, these routes are redistributed from BGP into the particular routing protocol running between PE and CE. Each of these routing protocols automatically marks redistributed networks as external networks. For OSPF, this is a normal part of the open protocol specification - that routes injected into OSPF via redistribution shall be represented as external routes (and carried in LSA-5). Similarly, when you redistribute into EIGRP from a different routing protocol, these routes will be carried by EIGRP as external networks. So what you see here is natural and normal. Even if all sites ran the same routing protocol (EIGRP or OSPF), one site would see networks from other sites as external routes.
    In fact, there are extensions to BGP using extended community attributes that try to preserve the original nature of the redistributed routes. The prerequisite is that all sites run the same IGP, either OSPF or EIGRP. In that case, EIGRP routes carried over MPLS can be made to look like internal routes although they are redistributed, and OSPF will make the routes appear as inter-area routes, not as external routes. There is even a modification to OSPF allowing you to see other sites as intra-area routes (though this requires configuring so-called OSPF sham links between PEs). All of this is done because an internal network is always preferred to an external network. This causes trouble if there is a backup link directly interconnecting two sites, bypassing the MPLS cloud. As the routing protocol run over this link advertises all networks as internal, this link would always be preferred to the MPLS VPN, which is exactly the opposite of what you want to do.
    Please feel welcome to ask further!
    Best regards,
    Peter
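Peter's point can be checked mechanically against the two routing tables Edward posted. The Python below is an added example, not code from this thread or from Cisco: it parses "show ip route" entries, classifies each prefix by protocol and scope (internal, intra-area, inter-area, external), reports which prefixes changed scope when the CE moved from EIGRP to OSPF, and lists the externals that an internal route over a backdoor link would beat. The sample tables are constructed from the outputs above.

```python
"""Classify and diff Cisco 'show ip route' entries by protocol and scope.
Added example, not code from the thread; the sample tables are constructed
from the R7 outputs posted above (before and after the CE moved to OSPF)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One entry, e.g. "D EX    8.8.8.8 [170/2560025856] via 10.2.1.1, 00:02:13, Ethernet0/0"
# or "C       7.7.7.7 is directly connected, Loopback1"; legend/summary lines do not match.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?(?: [A-Z][A-Z0-9])?)\s+"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<nexthop>\S+),|is directly connected,)"
)

# Route code -> (protocol, scope). Within one protocol an internal/intra-area
# route is preferred over an inter-area one, and both over externals.
SCOPE = {
    "C": ("connected", "internal"),
    "S": ("static", "internal"),
    "D": ("EIGRP", "internal"),
    "D EX": ("EIGRP", "external"),
    "O": ("OSPF", "intra-area"),
    "O IA": ("OSPF", "inter-area"),
    "O E1": ("OSPF", "external"),
    "O E2": ("OSPF", "external"),
    "O N1": ("OSPF", "external"),
    "O N2": ("OSPF", "external"),
    "B": ("BGP", "external"),
}


@dataclass(frozen=True)
class Route:
    prefix: str
    protocol: str
    scope: str            # internal / intra-area / inter-area / external
    admin_distance: int   # 0 for connected routes
    metric: int
    nexthop: str          # "" for connected routes


def parse_routes(show_ip_route: str) -> dict[str, Route]:
    """Return {prefix: Route} for every recognised entry in the output."""
    routes: dict[str, Route] = {}
    for line in show_ip_route.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        code = m.group("code").replace("*", "")  # "S*" (candidate default) -> "S"
        if code not in SCOPE:
            continue
        protocol, scope = SCOPE[code]
        connected = m.group("ad") is None
        routes[m.group("prefix")] = Route(
            prefix=m.group("prefix"), protocol=protocol, scope=scope,
            admin_distance=0 if connected else int(m.group("ad")),
            metric=0 if connected else int(m.group("metric")),
            nexthop="" if connected else m.group("nexthop"),
        )
    return routes


def scope_changes(before: dict[str, Route], after: dict[str, Route]) -> dict:
    """Prefixes present in both tables whose scope changed: {prefix: (old, new)}."""
    return {p: (before[p].scope, after[p].scope)
            for p in sorted(before.keys() & after.keys())
            if before[p].scope != after[p].scope}


def external_prefixes(routes: dict[str, Route]) -> list[str]:
    """Prefixes held as externals; an internal route to the same prefix (for
    example over a backdoor link bypassing the MPLS VPN) would be preferred."""
    return sorted(p for p, r in routes.items() if r.scope == "external")


# Constructed from the thread: R7 while running EIGRP 22 towards the PE ...
EIGRP_TABLE = """\
     6.0.0.0/32 is subnetted, 1 subnets
D       6.6.6.6 [90/435200] via 10.2.1.1, 00:05:26, Ethernet0/0
C       7.7.7.7 is directly connected, Loopback1
D EX    8.8.8.8 [170/2560025856] via 10.2.1.1, 00:02:13, Ethernet0/0
D EX 111.0.0.0/8 [170/2560025856] via 10.2.1.1, 00:02:13, Ethernet0/0
C       10.2.1.0/24 is directly connected, Ethernet0/0
D       10.1.1.0/24 [90/307200] via 10.2.1.1, 00:05:56, Ethernet0/0
D       10.20.0.0/16 [90/435200] via 10.2.1.1, 00:05:56, Ethernet0/0
C       10.77.0.0/16 is directly connected, Loopback2
D EX 192.168.1.0/24 [170/2560025856] via 10.2.1.1, 00:02:43, Ethernet0/0
"""
# ... and the same router after "router ospf 3" replaced EIGRP.
OSPF_TABLE = """\
O E2    6.6.6.6 [110/409600] via 10.2.1.1, 00:00:27, Ethernet0/0
C       7.7.7.7 is directly connected, Loopback1
O IA    8.8.8.8 [110/21] via 10.2.1.1, 00:00:27, Ethernet0/0
O IA 111.0.0.0/8 [110/21] via 10.2.1.1, 00:00:27, Ethernet0/0
C       10.2.1.0/24 is directly connected, Ethernet0/0
O E2    10.1.1.0/24 [110/1] via 10.2.1.1, 00:00:26, Ethernet0/0
O E2    10.20.0.0/16 [110/409600] via 10.2.1.1, 00:00:26, Ethernet0/0
C       10.77.0.0/16 is directly connected, Loopback2
O IA 192.168.1.0/24 [110/11] via 10.2.1.1, 00:00:26, Ethernet0/0
"""
```

Running `scope_changes(parse_routes(EIGRP_TABLE), parse_routes(OSPF_TABLE))` shows 6.6.6.6 (site A, EIGRP) going from internal to external and 8.8.8.8 (site B, OSPF) from external to inter-area, which is exactly the extended-community behaviour Peter describes.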

  • MPLS TRUNK CONFIGURATION on TWO EDGE

    Hi
    Actually we have a network operating a VRF on two edge routers (ASR9000); the diagram is this:
    We are trying to configure an MPLS connection between ASR (PE-1) and ASR (PE-2), using MPLS LDP and a VRF OAM between these devices, but communication is not possible.
    Is MPLS LDP the option? Or L2VPN or EoMPLS for this connection?
    The current configuration is:
    ASR-2
    mpls ldp
    router-id 172.16.14.1
    discovery hello holdtime 30
    discovery hello interval 10
    graceful-restart
    explicit-null
    interface Bundle-Ether100
    ASR-1
    mpls ldp
    router-id 172.16.14.2
    discovery hello holdtime 30
    discovery hello interval 10
    graceful-restart
    explicit-null
    interface Bundle-Ether100
    but the VRF OAM, configured only between PE-1 and PE-2, does not come up as a neighbor.
    We don't know if we are using the correct concept to connect the devices; can you help us?
    thanks
    Best Regards

    Harold, thanks for your comments.
    We are making changes following your comments, and the final diagram is:
    On ASR9K - PE-1 we have configured the VRF, IGP and connectivity for Bundle-Ether100.
    ASR9K (PE-1):
    vrf OAM
    address-family ipv4 unicast
      import route-policy pass-all
      import route-target
       64518:64518
      export route-policy pass-all
      export route-target
       64518:64518
    interface Bundle-Ether100
    ipv4 address 172.16.14.1 255.255.255.252
    interface Loopback10
    vrf OAM
    ipv4 address 172.16.162.1 255.255.255.255
    router ospf 100
    router-id 172.16.14.1
    mpls ldp sync
    mpls ldp auto-config
    area 0
      interface Bundle-Ether100
    mpls ldp
    router-id 172.16.14.1
    interface Bundle-Ether100
    ASR9K (PE-2):
    vrf OAM
    address-family ipv4 unicast
      import route-policy pass-all
      import route-target
       64518:64518
      export route-policy pass-all
      export route-target
       64518:64518
    interface Bundle-Ether100
    ipv4 address 172.16.14.2 255.255.255.252
    interface Loopback10
    vrf OAM
    ipv4 address 172.16.162.2 255.255.255.255
    router ospf 100
    router-id 172.16.14.2
    mpls ldp sync
    mpls ldp auto-config
    area 0
      interface Bundle-Ether100
    mpls ldp
    router-id 172.16.14.2
    interface Bundle-Ether100
    When we verify, the MPLS neighbor is UP:
    RP/0/RSP0/CPU0:ED_MEX_1#sho mpls ldp neighbor
    Wed May 22 18:29:03.496 UTC
    Peer LDP Identifier: 172.16.14.2:0
      TCP connection: 172.16.14.2:39527 - 172.16.14.1:646
      Graceful Restart: No
      Session Holdtime: 180 sec
      State: Oper; Msgs sent/rcvd: 25/25; Downstream-Unsolicited
      Up time: 00:18:46
      LDP Discovery Sources:
        Bundle-Ether100
      Addresses bound to this peer:
        172.16.14.2     
    RP/0/RSP0/CPU0:ED_MEX_2#sho mpls ldp neighbor
    Wed May 22 16:24:53.223 UTC
    Peer LDP Identifier: 172.16.14.1:0
      TCP connection: 172.16.14.1:646 - 172.16.14.2:39527
      Graceful Restart: No
      Session Holdtime: 180 sec
      State: Oper; Msgs sent/rcvd: 26/26; Downstream-Unsolicited
      Up time: 00:19:19
      LDP Discovery Sources:
        Bundle-Ether100
      Addresses bound to this peer:
        172.16.14.1  
    On OSPF 100 the neighbor is UP:
    RP/0/RSP0/CPU0:ED_MEX_2#sho ospf neighbor
    Wed May 22 16:26:15.169 UTC
    * Indicates MADJ interface
    Neighbors for OSPF 100
    Neighbor ID     Pri   State           Dead Time   Address         Interface
    172.16.14.1     1     FULL/BDR        00:00:31    172.16.14.1     Bundle-Ether100
        Neighbor is up for 00:54:34
    Total neighbor count: 1
    RP/0/RSP0/CPU0:ED_MEX_1#sho ospf neighbor
    Wed May 22 18:31:18.614 UTC
    * Indicates MADJ interface
    Neighbors for OSPF 100
    Neighbor ID     Pri   State           Dead Time   Address         Interface
    172.16.14.2     1     FULL/DR         00:00:36    172.16.14.2     Bundle-Ether100
        Neighbor is up for 00:54:59
    Total neighbor count: 1
    But when trying to send a PING from Loopback10 on ASR 1 to ASR 2, this occurs (and vice versa):
    RP/0/RSP0/CPU0:ED_MEX_1#ping vrf OAM 172.16.162.1
    Wed May 22 18:32:54.046 UTC
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.16.162.1, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    RP/0/RSP0/CPU0:ED_MEX_1#ping vrf OAM 172.16.162.2
    Wed May 22 18:32:57.794 UTC
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.16.162.2, timeout is 2 seconds:
    UUUUU
    Success rate is 0 percent (0/5)
    The routing table for OAM on ASR-1 is:
    RP/0/RSP0/CPU0:ED_MEX_1#sho route vrf OAM
    Wed May 22 18:33:59.485 UTC
    Codes: C - connected, S - static, R - RIP, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
           U - per-user static route, o - ODR, L - local, G  - DAGR
           A - access/subscriber, - FRR Backup path
    Gateway of last resort is not set
    L    172.16.162.1/32 is directly connected, 00:34:13, Loopback10
    For ASR-2:
    RP/0/RSP0/CPU0:ED_MEX_2#sho route vrf OAM
    Wed May 22 16:30:23.400 UTC
    Codes: C - connected, S - static, R - RIP, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
           U - per-user static route, o - ODR, L - local, G  - DAGR
           A - access/subscriber, - FRR Backup path
    Gateway of last resort is not set
    L    172.16.162.2/32 is directly connected, 00:34:47, Loopback10
    I don't know if I need something on OSPF.
    Best Regards

  • Activating failover config drops routing table

    I'm attempting to configure two ASA 5520 for active/standby failover.
    When I enter the “failover” command to enable the config on the primary ASA, the entire routing table disappears.
    There is no routing process running, only static routes are configured.
    Is this an expected behavior of the failover process and if so, how long should I wait for the routes to come back?
    Is there a document somewhere explaining this behavior?
    I’ve searched all day but couldn’t find anything that came close to explain this.
    If this is not normal, what could be causing this to happen?
    Thanks

    Originally, both primary and secondary were configured for failover.
    At this point I'm only trying to understand why the routing table is cleared, so the secondary is turned off.
    Is it an expected result to have your routing cleared when you enable failover?
    I've waited only ~30 seconds for the routes to come back. Maybe I'm not waiting long enough, but I haven't seen in any of the documents I've read that loss of traffic should be expected when Failover is enabled.
    hfn-asa5520-01# sh route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route
    Gateway of last resort is 62.117.51.1 to network 0.0.0.0
    S    172.26.0.0 255.255.0.0 [1/0] via 172.26.1.252, inside
    S    172.26.30.30 255.255.255.255 [1/0] via 62.117.51.1, outside
    C    172.26.1.0 255.255.255.0 is directly connected, inside
    S    172.26.30.31 255.255.255.255 [1/0] via 62.117.51.1, outside
    C    62.117.51.0 255.255.255.0 is directly connected, outside
    C    10.1.1.0 255.255.255.0 is directly connected, dmz
    S    10.21.21.0 255.255.255.0 [1/0] via 172.26.1.250, inside
    C    10.255.255.0 255.255.255.252 is directly connected, Failover
    C    192.168.168.0 255.255.255.0 is directly connected, Flora
    S*   0.0.0.0 0.0.0.0 [1/0] via 62.117.51.1, outside
    hfn-asa5520-01# sh failover
    Failover Off
    Failover unit Primary
    Failover LAN Interface: Failover Management0/0 (Failed - No Switchover)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 3 of 160 maximum
    hfn-asa5520-01# sh failover
    Failover Off
    Failover unit Primary
    Failover LAN Interface: Failover Management0/0 (Failed - No Switchover)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 3 of 160 maximum
    hfn-asa5520-01# conf t
    hfn-asa5520-01(config)# failover
    hfn-asa5520-01(config)# sh failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: Failover Management0/0 (Failed - No Switchover)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 3 of 160 maximum
    Version: Ours 8.4(3), Mate Unknown
    Last Failover at: 12:23:12 PDT May 21 2012
            This host: Primary - Negotiation
                    Active time: 116 (sec)
                    slot 0: ASA5520 hw/sw rev (2.0/8.4(3)) status (Up Sys)
                      Interface outside (62.117.51.100): No Link (Waiting)
                      Interface inside (172.26.1.251): No Link (Waiting)
                      Interface dmz (10.1.1.1): No Link (Waiting)
                      Interface Flora (192.168.168.1): No Link (Not-Monitored)
                    slot 1: empty
            Other host: Secondary - Not Detected
                    Active time: 0 (sec)
                    slot 0: empty
                      Interface outside (62.117.51.99): Unknown (Waiting)
                      Interface inside (172.26.1.249): Unknown (Waiting)
                      Interface dmz (10.1.1.2): Unknown (Waiting)
                      Interface Flora (192.168.168.2): Unknown (Not-Monitored)
                    slot 1: empty
    Stateful Failover Logical Update Statistics
            Link : Failover Management0/0 (Failed)
            Stateful Obj    xmit       xerr       rcv        rerr     
            General         0          0          0          0        
            sys cmd         0          0          0          0        
            up time         0          0          0          0        
            RPC services    0          0          0          0        
            TCP conn        0          0          0          0        
            UDP conn        0          0          0          0        
            ARP tbl         0          0          0          0        
            Xlate_Timeout   0          0          0          0        
            IPv6 ND tbl     0          0          0          0        
            VPN IKEv1 SA    0          0          0          0        
            VPN IKEv1 P2    0          0          0          0        
            VPN IKEv2 SA    0          0          0          0        
            VPN IKEv2 P2    0          0          0          0        
            VPN CTCP upd    0          0          0          0        
            VPN SDI upd     0          0          0          0        
            VPN DHCP upd    0          0          0          0        
            SIP Session     0          0          0          0        
            Route Session   0          0          0          0        
            User-Identity   0          0          0          0        
            Logical Update Queue Information
                            Cur     Max     Total
            Recv Q:         0       0       0
            Xmit Q:         0       0       0
    hfn-asa5520-01(config)# sh route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route
    Gateway of last resort is not set
    C    10.255.255.0 255.255.255.252 is directly connected, Failover
    hfn-asa5520-01(config)# no failover

  • Leaking MPLS VPN learned routes from VRF to Global

    I'm trying to leak routes from a VRF to global. I can get the routes leaked from the directly connected CE to the global, however I can't get the routes from remote CEs to leak into the global routing table. Below are my configurations.
    RP/0/0/CPU0:B25BR1#sh run vrf TR
    Wed Dec 17 22:40:33.772 UTC
    vrf TR
     address-family ipv4 unicast
      import route-target
       65000:7020
      export to default-vrf route-policy TR-2-GLOBAL
      export route-target
       65000:7020
    RP/0/0/CPU0:B25BR1#sh rpl route-policy TR-2-GLOBAL
    Wed Dec 17 22:40:50.851 UTC
    route-policy TR-2-GLOBAL
      if destination in TR-2-GLOBAL then
        pass
      endif
    end-policy
    RP/0/0/CPU0:B25BR1#sh rpl prefix-set TR-2-GLOBAL
    Wed Dec 17 22:40:57.861 UTC
    prefix-set TR-2-GLOBAL
      192.168.0.17/32,
      192.168.0.18/32,
      192.168.0.19/32,
      192.168.0.20/32
    end-set
    ! Routes that I also want to see are 192.168.0.19/32 and 192.168.0.20/32, which are there in the VRF routing table
    RP/0/0/CPU0:B25BR1#sh route vrf TR
    Wed Dec 17 22:41:45.767 UTC
    Codes: C - connected, S - static, R - RIP, B - BGP, (>) - Diversion path
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
           U - per-user static route, o - ODR, L - local, G  - DAGR
           A - access/subscriber, a - Application route, (!) - FRR Backup path
    Gateway of last resort is not set
    B    10.1.0.0/30 [20/0] via 10.1.0.5, 00:14:32
    C    10.1.0.4/30 is directly connected, 06:57:19, GigabitEthernet0/0/0/2
    L    10.1.0.6/32 is directly connected, 06:57:19, GigabitEthernet0/0/0/2
    B    10.1.128.0/30 [20/0] via 10.1.0.5, 00:14:32
    B    192.168.0.17/32 [20/0] via 10.1.0.5, 00:13:56
    B    192.168.0.18/32 [20/0] via 10.1.0.5, 00:13:56
    B    192.168.0.19/32 [200/0] via 192.168.0.4 (nexthop in vrf default), 00:13:31
    B    192.168.0.20/32 [200/0] via 192.168.0.4 (nexthop in vrf default), 00:13:31
    RP/0/0/CPU0:B25BR1#sh ip rou
    Wed Dec 17 22:41:50.097 UTC

    I'm trying to leak routes from a VRF to global. I can get the routes leaked from directly connected CE to the global, however I can't get the routes from remote CE's to leak in to the global routing table. Below are my configurations
    RP/0/0/CPU0:B25BR1#sh run vrf TR
    Wed Dec 17 22:40:33.772 UTC
    vrf TR
     address-family ipv4 unicast
      import route-target
       65000:7020
      export to default-vrf route-policy TR-2-GLOBAL
      export route-target
       65000:7020
    RP/0/0/CPU0:B25BR1#sh rpl route-policy TR-2-GLOBAL
    Wed Dec 17 22:40:50.851 UTC
    route-policy TR-2-GLOBAL
      if destination in TR-2-GLOBAL then
        pass
      endif
    end-policy
    RP/0/0/CPU0:B25BR1#sh rpl prefix-set TR-2-GLOBAL
    Wed Dec 17 22:40:57.861 UTC
    prefix-set TR-2-GLOBAL
      192.168.0.17/32,
      192.168.0.18/32,
      192.168.0.19/32,
      192.168.0.20/32
    end-set
    !Routes that I want to see also are  192.168.0.19/32 and 192.168.0.20/32 which are there in the VRF routing table
    RP/0/0/CPU0:B25BR1#sh route vrf TR
    Wed Dec 17 22:41:45.767 UTC
    Codes: C - connected, S - static, R - RIP, B - BGP, (>) - Diversion path
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
           U - per-user static route, o - ODR, L - local, G  - DAGR
           A - access/subscriber, a - Application route, (!) - FRR Backup path
    Gateway of last resort is not set
    B    10.1.0.0/30 [20/0] via 10.1.0.5, 00:14:32
    C    10.1.0.4/30 is directly connected, 06:57:19, GigabitEthernet0/0/0/2
    L    10.1.0.6/32 is directly connected, 06:57:19, GigabitEthernet0/0/0/2
    B    10.1.128.0/30 [20/0] via 10.1.0.5, 00:14:32
    B    192.168.0.17/32 [20/0] via 10.1.0.5, 00:13:56
    B    192.168.0.18/32 [20/0] via 10.1.0.5, 00:13:56
    B    192.168.0.19/32 [200/0] via 192.168.0.4 (nexthop in vrf default), 00:13:31
    B    192.168.0.20/32 [200/0] via 192.168.0.4 (nexthop in vrf default), 00:13:31
    RP/0/0/CPU0:B25BR1#sh ip rou
    Wed Dec 17 22:41:50.097 UTC
    Codes: C - connected, S - static, R - RIP, B - BGP, (>) - Diversion path
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
           U - per-user static route, o - ODR, L - local, G  - DAGR
           A - access/subscriber, a - Application route, (!) - FRR Backup path
    Gateway of last resort is not set
    S    10.0.0.0/27 is directly connected, 08:04:01, Null0
    O    10.0.0.4/30 [110/2] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
    C    10.0.0.8/30 is directly connected, 08:04:00, GigabitEthernet0/0/0/0
    L    10.0.0.10/32 is directly connected, 08:04:00, GigabitEthernet0/0/0/0
    O    10.0.0.12/30 [110/3] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
                      [110/3] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
    O    10.0.0.16/30 [110/2] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
    O    10.0.0.24/30 [110/3] via 10.0.128.9, 06:29:14, GigabitEthernet0/0/0/1
    O    10.0.0.28/30 [110/2] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
    S    10.0.128.0/29 is directly connected, 08:04:01, Null0
    O    10.0.128.0/30 [110/3] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
                       [110/3] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
    O    10.0.128.4/30 [110/2] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
    C    10.0.128.8/30 is directly connected, 08:04:00, GigabitEthernet0/0/0/1
    L    10.0.128.10/32 is directly connected, 08:04:00, GigabitEthernet0/0/0/1
    S    10.1.0.4/30 is directly connected, 06:57:23, Null0
    S    10.1.128.4/30 is directly connected, 08:04:01, Null0
    C    10.18.0.0/16 is directly connected, 08:04:00, MgmtEth0/0/CPU0/0
    L    10.18.0.9/32 is directly connected, 08:04:00, MgmtEth0/0/CPU0/0
    L    127.0.0.0/8 [0/0] via 0.0.0.0, 08:04:04
    O    192.168.0.1/32 [110/2] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
    O    192.168.0.2/32 [110/4] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
                        [110/4] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
    O    192.168.0.3/32 [110/3] via 10.0.128.9, 08:03:40, GigabitEthernet0/0/0/1
    O    192.168.0.4/32 [110/3] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
    O    192.168.0.5/32 [110/4] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
                        [110/4] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
    O    192.168.0.6/32 [110/2] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
    O    192.168.0.7/32 [110/3] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
                        [110/3] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
    L    192.168.0.8/32 is directly connected, 08:04:00, Loopback0
    B    192.168.0.17/32 [20/0] via 10.1.0.5 (nexthop in vrf TR), 00:05:37
    B    192.168.0.18/32 [20/0] via 10.1.0.5 (nexthop in vrf TR), 00:05:37
    I'm only seeing the routes from the directly connected CE, but not the routes received from RR. What am I missing here?
    Thanks!
    -Sajith

  • IPSEC VTI and OSPF

    I have 5 routers (soon to be 6) with tunnels (all VTI) between them.
    I also have a basic OSPF setup running here (previously it was RIP), and all networks can talk to each other; however, there is one routing issue, where it takes a longer path to the remote network.
    The Configs:
    R1:
    interface Tunnel0
    description tunnel to detroit office
    ip address 172.28.40.1 255.255.255.0
    ip ospf network broadcast
    ip ospf mtu-ignore
    tunnel source xx
    tunnel destination xxx
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile VTI
    interface Tunnel1
    description tunnel to San Diego Office
    ip address 172.28.42.1 255.255.255.0
    ip ospf network broadcast
    ip ospf mtu-ignore
    tunnel source xxx
    tunnel destination xxx
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile VTI
    interface Tunnel2
    description tunnel to Detroit DC
    ip address 172.28.43.1 255.255.255.0
    ip ospf network broadcast
    ip ospf mtu-ignore
    tunnel source xxx
    tunnel destination xx
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile VTI
    interface Tunnel3
    description tunnel to detroit office - standby
    ip address 172.28.51.1 255.255.255.0
    ip ospf network broadcast
    ip ospf mtu-ignore
    tunnel source GigabitEthernet0/0
    tunnel destination xxx
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile VTI
    router ospf 42
    log-adjacency-changes
    network 10.87.1.0 0.0.0.255 area 0
    network 172.28.40.0 0.0.0.255 area 0
    network 172.28.42.0 0.0.0.255 area 0
    network 172.28.43.0 0.0.0.255 area 0
    network 172.28.51.0 0.0.0.255 area 0
    cerberus#sh ip route ospf
         172.28.0.0/24 is subnetted, 7 subnets
    O       172.28.49.0 [110/2000] via 172.28.42.2, 05:47:06, Tunnel1
    O       172.28.50.0 [110/2000] via 172.28.42.2, 05:47:06, Tunnel1
    O       172.28.41.0 [110/2000] via 172.28.42.2, 05:47:06, Tunnel1
                        [110/2000] via 172.28.40.2, 05:47:06, Tunnel0
         10.0.0.0/24 is subnetted, 2 subnets
    O       10.87.2.0 [110/2001] via 172.28.42.2, 05:47:06, Tunnel1
    O    192.168.1.0/24 [110/1001] via 172.28.42.2, 05:47:06, Tunnel1
    O    192.168.2.0/24 [110/1001] via 172.28.40.2, 05:47:06, Tunnel0
    cerberus#
    As you can see, for 10.87.2.x it is going through the 192 network, when it has a direct tunnel through Tunnel 2.
    R2:
    interface Tunnel0
    description tunnel to AIS San Diego
    ip address 172.28.42.2 255.255.255.0
    ip ospf network broadcast
    ip ospf mtu-ignore
    tunnel source GigabitEthernet0
    tunnel mode ipsec ipv4
    tunnel destination xxx
    tunnel protection ipsec profile VTI
    interface Tunnel1
    description tunnel to detroit office
    ip address 172.28.41.1 255.255.255.0
    ip ospf network broadcast
    ip ospf mtu-ignore
    tunnel source GigabitEthernet0
    tunnel mode ipsec ipv4
    tunnel destination xxx
    tunnel protection ipsec profile VTI
    interface Tunnel2
    description tunnel to Detroit Data Center
    ip address 172.28.49.1 255.255.255.0
    ip ospf network broadcast
    ip ospf mtu-ignore
    tunnel source GigabitEthernet0
    tunnel mode ipsec ipv4
    tunnel destination xxx
    tunnel protection ipsec profile VTI
    interface Tunnel3
    description tunnel to Detroit t1 router
    ip address 172.28.50.1 255.255.255.0
    ip ospf network broadcast
    ip ospf mtu-ignore
    tunnel source GigabitEthernet0
    tunnel mode ipsec ipv4
    tunnel destination xxx
    tunnel protection ipsec profile VTI
    router ospf 42
    log-adjacency-changes
    network 172.28.41.0 0.0.0.255 area 0
    network 172.28.42.0 0.0.0.255 area 0
    network 172.28.49.0 0.0.0.255 area 0
    network 172.28.50.0 0.0.0.255 area 0
    network 192.168.1.0 0.0.0.255 area 0
    #sh ip route ospf
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, + - replicated route
    Gateway of last resort is 24.43.240.137 to network 0.0.0.0
          10.0.0.0/24 is subnetted, 2 subnets
    O        10.87.1.0 [110/1001] via 172.28.42.1, 03:55:51, Tunnel0
    O        10.87.2.0 [110/1001] via 172.28.49.2, 03:55:51, Tunnel2
          172.28.0.0/16 is variably subnetted, 11 subnets, 2 masks
    O        172.28.40.0/24 [110/2000] via 172.28.42.1, 03:55:51, Tunnel0
                            [110/2000] via 172.28.41.2, 03:55:51, Tunnel1
    O        172.28.43.0/24 [110/2000] via 172.28.49.2, 03:55:51, Tunnel2
                            [110/2000] via 172.28.42.1, 03:55:51, Tunnel0
    O        172.28.51.0/24 [110/2000] via 172.28.50.2, 03:55:51, Tunnel3
                            [110/2000] via 172.28.42.1, 03:55:51, Tunnel0
    O     192.168.2.0/24 [110/1001] via 172.28.50.2, 03:55:51, Tunnel3
                         [110/1001] via 172.28.41.2, 03:55:51, Tunnel1
    R2 is the router that R1 ends up using when connecting to 10.87.2.x.
    Any advice on, one, how to fix this, and two, on the general setup would be wonderful. I am new to OSPF and feel like I could have done a better job here (maybe using an area per site).

    R2 is the router R1 is using to get to the destination that Tunnel 1 on R1 is connected to
    Tunnel 1 on R3 is a VTI tunnel to Tunnel 3 on R1.
    R1 is currently using tunnel 1 on R1 to hop to R2 and then uses tunnel 2 to get to R3
    If that makes sense...
    Here is the config for R3
    interface Tunnel1
    description tunnel to AIS San Diego
    ip address 172.28.43.2 255.255.255.0
    ip ospf mtu-ignore
    tunnel source xxx
    tunnel destination xxx
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile VTI
    interface Tunnel2
    description tunnel to San Diego Main Office
    ip address 172.28.49.2 255.255.255.0
    ip ospf network broadcast
    ip ospf mtu-ignore
    tunnel source xxx
    tunnel destination xxx
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile VTI
    router ospf 42
    log-adjacency-changes
    network 10.87.2.0 0.0.0.255 area 0
    network 172.28.43.0 0.0.0.255 area 0
    network 172.28.49.0 0.0.0.255 area 0
    sh ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is 199.16.189.209 to network 0.0.0.0
         172.28.0.0/24 is subnetted, 7 subnets
    C       172.28.49.0 is directly connected, Tunnel2
    O       172.28.50.0 [110/2000] via 172.28.49.1, 02:32:05, Tunnel2
    O       172.28.51.0 [110/3000] via 172.28.49.1, 02:32:05, Tunnel2
    O       172.28.40.0 [110/3000] via 172.28.49.1, 02:32:05, Tunnel2
    O       172.28.41.0 [110/2000] via 172.28.49.1, 02:32:05, Tunnel2
    O       172.28.42.0 [110/2000] via 172.28.49.1, 02:32:05, Tunnel2
    C       172.28.43.0 is directly connected, Tunnel1
         10.0.0.0/24 is subnetted, 2 subnets
    O       10.87.1.0 [110/2001] via 172.28.49.1, 02:32:05, Tunnel2
    C       10.87.2.0 is directly connected, GigabitEthernet0/1
         199.16.189.0/28 is subnetted, 1 subnets
    C       199.16.189.208 is directly connected, GigabitEthernet0/0
    O    192.168.1.0/24 [110/1001] via 172.28.49.1, 02:32:05, Tunnel2
    O    192.168.2.0/24 [110/2001] via 172.28.49.1, 02:32:05, Tunnel2

  • Multi-vrf ce and ospf domain-tag

    I have configured an MPLS VPN between two customer sites. In every site I have installed two Cat35xx with a multi-VRF CE.
    I have a multi-access OSPF neighbourship to the customer equipment and a BGP session to the MPLS backbone.
    The OSPF routes are redistributed into BGP and vice versa.
    On the OSPF process, can I use domain-tag to prevent routing loops?
    How can I verify the domain-tag's functionality in this architecture?
    I've tried configuring domain-tag, and the OSPF database contains all the tagged routes, but how can I be confident that these routes will not be announced back to the MPLS backbone through the BGP session between the Catalyst 35xx and the PE?
    Is the domain-tag functionality supported with VRF-Lite?
    Thanks in advance

    Hi Martin,
    I have the OSPF process running only on the Catalyst 3550 with VRF-Lite; the OSPF routes are announced to the PE through the BGP session configured between the Catalyst 3550 and the PE.
    Does VRF-Lite support the same functionality as native PE-CE OSPF in the MPLS VPN, such as domain-tag?
    Thanks in advance
    B.

  • How to find all routes that are going out an interface in IOS-XR.

    Hi all,
    So if I have the following set up in IOS:
    interface GigabitEthernet7/0/0.265
    encapsulation dot1Q 265
    ip vrf forwarding test
    ip address 1.1.1.1 255.255.255.252
    ip verify unicast reverse-path
    end
    ip route vrf Apollo 2.2.2.0 255.255.255.248 1.1.1.2
    I can see all the routes that are going out the interface using show ip cef command:
    ios-router#show ip cef vrf test GigabitEthernet7/0/0.265
    2.2.2.0/29
      nexthop 1.1.1.2 GigabitEthernet7/0/0.265
    1.1.1.0/30
      attached to GigabitEthernet7/0/0.265
    1.1.1.2/32
      attached to GigabitEthernet7/0/0.265
    In case of IOS-XR (ASR9K 4.3.2 or 4.3.1) the same setup and command shows only
    attached routes:
    router static
    vrf test
      address-family ipv4 unicast
       2.2.2.0/29 1.1.1.2
    RP/0/RSP0/CPU0:TST_riga-sb7-pe-asr9#show cef vrf test bundle-ether2.265
    Prefix              Next Hop            Interface
    1.1.1.0/30          attached            Bundle-Ether2.2220333
    1.1.1.0/32          broadcast           Bundle-Ether2.2220333
    1.1.1.1/32          receive             Bundle-Ether2.2220333
    1.1.1.2/32          1.1.1.2             Bundle-Ether2.2220333
    1.1.1.3/32          broadcast           Bundle-Ether2.2220333
    Is there any command to see all the routes that are going out an interface without complicated parsing of the configuration, recursive show cef commands etc.?

    You can accomplish this with the "show route" command.  Here is an example:
    P/0/RSP1/CPU0:ASR9006-E#sh route next-hop tenGigE 0/3/0/2
    Tue Oct  8 15:34:58.046 UTC
    Codes: C - connected, S - static, R - RIP, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
           U - per-user static route, o - ODR, L - local, G  - DAGR
           A - access/subscriber, - FRR Backup path
    Gateway of last resort is 172.18.87.1 to network 0.0.0.0
    D    10.95.248.1/32 [90/128512] via 10.129.56.210, 4d00h, TenGigE0/3/0/2
    C    10.129.56.208/30 is directly connected, 4d00h, TenGigE0/3/0/2
    L    10.129.56.209/32 is directly connected, 4d00h, TenGigE0/3/0/2
    O    10.242.142.240/30 [110/20] via 10.129.56.210, 3d11h, TenGigE0/3/0/2
                           [110/20] via 10.129.56.214, 3d11h, TenGigE0/3/0/3
    D    192.168.1.16/32 [90/128512] via 10.129.56.210, 4d00h, TenGigE0/3/0/2
    D    192.168.20.39/32 [90/128512] via 10.129.56.210, 4d00h, TenGigE0/3/0/2
    RP/0/RSP1/CPU0:ASR9006-E#
    Thanks,
    Bryan
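    Bryan's "show route next-hop <interface>" answer lists the routes leaving one interface. The following is an added example, not code from this thread: a small Python parser for that IOS-XR "show route" text that groups prefixes by outgoing interface and flags the ones for which that interface is the only path, which is the check to run before an interface is shut down for maintenance. The sample text is constructed from route lines quoted in this thread, and the regexes assume the IOS-XR line format (prefix printed with its mask length, ECMP paths on indented continuation lines).

```python
import re

# One path of a route: "[AD/metric] via NEXT_HOP ..., UPTIME[, INTERFACE]" or
# "is directly connected, UPTIME, INTERFACE".  Assumes the IOS-XR line format:
# the prefix always carries its mask length and extra ECMP paths are printed
# on indented continuation lines that start with "[".
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z*+(!)>]{1,3}(?:\s[A-Z][A-Z0-9]?)?)\s+"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+(?P<rest>.*)$"
)
PATH_RE = re.compile(r"^\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\S+)")
# Uptime column: "00:05:37", "4d00h", "1w2d", "3d11h" ... never an interface.
UPTIME_RE = re.compile(r"^(?:\d+:\d+:\d+|\d+[wdhm]\d*[wdhm]?|never)$")

# Constructed sample: route lines quoted in this thread, stitched together.
SAMPLE_SHOW_ROUTE = """\
Codes: C - connected, S - static, R - RIP, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
Gateway of last resort is 172.18.87.1 to network 0.0.0.0
D    10.95.248.1/32 [90/128512] via 10.129.56.210, 4d00h, TenGigE0/3/0/2
C    10.129.56.208/30 is directly connected, 4d00h, TenGigE0/3/0/2
L    10.129.56.209/32 is directly connected, 4d00h, TenGigE0/3/0/2
O    10.242.142.240/30 [110/20] via 10.129.56.210, 3d11h, TenGigE0/3/0/2
                       [110/20] via 10.129.56.214, 3d11h, TenGigE0/3/0/3
D    192.168.1.16/32 [90/128512] via 10.129.56.210, 4d00h, TenGigE0/3/0/2
D    192.168.20.39/32 [90/128512] via 10.129.56.210, 4d00h, TenGigE0/3/0/2
B    192.168.0.17/32 [20/0] via 10.1.0.5 (nexthop in vrf TR), 00:05:37
L    127.0.0.0/8 [0/0] via 0.0.0.0, 08:04:04
"""


def _norm_ifname(name):
    """'tenGigE 0/3/0/2' (as typed) and 'TenGigE0/3/0/2' (as printed) compare equal."""
    return name.replace(" ", "").lower()


def parse_path(code, rest):
    """Turn the text after the prefix into one path record."""
    fields = [f.strip() for f in rest.split(",")]
    m = PATH_RE.match(fields[0])
    if m:
        ad, metric, next_hop = int(m["ad"]), int(m["metric"]), m["nh"]
    elif fields[0].startswith("is directly connected"):
        ad = metric = 0
        next_hop = "connected"
    else:
        raise ValueError("unrecognised path text: %r" % rest)
    # The interface is the last field unless the line ends with the uptime
    # (recursive BGP next hops and the loopback route print no interface).
    interface = None
    if len(fields) > 1 and not UPTIME_RE.match(fields[-1]):
        interface = fields[-1]
    return {"code": code.strip(), "ad": ad, "metric": metric,
            "next_hop": next_hop, "interface": interface}


def parse_show_route(text):
    """Return {prefix: [path, ...]}; legend, prompt and gateway lines are skipped."""
    routes = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROUTE_RE.match(line)
        if m:
            current = m["prefix"]
            routes[current] = [parse_path(m["code"], m["rest"])]
        elif current and line.startswith("["):
            # ECMP continuation line: one more path for the previous prefix.
            routes[current].append(parse_path(routes[current][0]["code"], line))
        else:
            current = None
    return routes


def routes_via_interface(routes, interface):
    """Prefixes with at least one path out of `interface`.  sole_path is True
    when every path uses that interface, i.e. shutting it loses the prefix
    rather than just one ECMP member."""
    want = _norm_ifname(interface)
    result = {}
    for prefix, paths in routes.items():
        hits = [p for p in paths
                if p["interface"] and _norm_ifname(p["interface"]) == want]
        if hits:
            result[prefix] = {"code": paths[0]["code"],
                              "sole_path": len(hits) == len(paths)}
    return result


if __name__ == "__main__":
    table = parse_show_route(SAMPLE_SHOW_ROUTE)
    for prefix, info in sorted(routes_via_interface(table, "tenGigE 0/3/0/2").items()):
        flag = "ONLY PATH" if info["sole_path"] else "ecmp member"
        print("%-5s %-20s %s" % (info["code"], prefix, flag))
```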

  • AnyConnect to ASA 5505 ver 8.4 unable to ping/access Inside network

    My AnyConnect VPN connects to the ASA; however, I cannot access my inside network hosts (I tried Split Tunnel and it didn't work either). I plan to use a Split Tunnel configuration, but I thought I would get this working before I implemented that configuration. My inside hosts are on the 10.0.1.0/24 and 10.1.0.0/16 networks. My AnyConnect hosts are using 192.168.60.0/24 addresses.
    I have seen other people who appeared to have similar posts, but none of those solutions have worked for me. I have also tried several NAT and ACL configurations to allow traffic from my Inside network to the AnyConnect hosts and back, but apparently I did it incorrectly. I understand that this ver 8.4 is supposed to make NAT and such easier, but I know in the router IOS it was much simpler.
    My configuration is included below.
    Thank you in advance for your assistance.
    Jerry
    ASA Version 8.4(4)
    hostname mxfw
    domain-name moxiefl.com
    enable password (removed)
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    switchport trunk allowed vlan 20,22
    switchport mode trunk
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.0.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Vlan20
    nameif dmz
    security-level 50
    ip address 172.26.20.1 255.255.255.0
    interface Vlan22
    nameif dmz2
    security-level 50
    ip address 172.26.22.1 255.255.255.0
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 208.67.222.222
    name-server 208.67.220.220
    domain-name moxiefl.com
    same-security-traffic permit inter-interface
    object network Generic_All_Network
    subnet 0.0.0.0 0.0.0.0
    object network INSIDE_Hosts
    subnet 10.1.0.0 255.255.0.0
    object network AnyConnect_Hosts
    subnet 192.168.60.0 255.255.255.0
    object network NETWORK_OBJ_192.168.60.0_26
    subnet 192.168.60.0 255.255.255.192
    object network DMZ_Network
    subnet 172.26.20.0 255.255.255.0
    object network DMZ2_Network
    subnet 172.26.22.0 255.255.255.0
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    mtu dmz2 1500
    ip local pool VPN_POOL 192.168.60.20-192.168.60.40 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic Generic_All_Network interface
    nat (inside,outside) source static INSIDE_Hosts INSIDE_Hosts destination static AnyConnect_Hosts AnyConnect_Hosts route-lookup
    nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.60.0_26 NETWORK_OBJ_192.168.60.0_26 no-proxy-arp route-lookup
    nat (dmz,outside) source dynamic Generic_All_Network interface
    nat (dmz2,outside) source dynamic Generic_All_Network interface
    route inside 10.1.0.0 255.255.0.0 10.0.1.2 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 10.0.0.0 255.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    fqdn anyconnect.moxiefl.com
    subject-name CN=AnyConnect.moxiefl.com
    keypair AnyConnect
    proxy-ldc-issuer
    crl configure
    crypto ca certificate chain ASDM_TrustPoint0
    certificate 439a4452
      quit
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    telnet timeout 5
    ssh 10.0.0.0 255.0.0.0 inside
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd dns 208.67.222.222 208.67.220.220
    dhcpd auto_config outside
    dhcpd address 10.0.1.20-10.0.1.40 inside
    dhcpd dns 208.67.222.222 208.67.220.220 interface inside
    dhcpd enable inside
    dhcpd address 172.26.20.21-172.26.20.60 dmz
    dhcpd dns 208.67.222.222 208.67.220.220 interface dmz
    dhcpd enable dmz
    dhcpd address 172.26.22.21-172.26.22.200 dmz2
    dhcpd dns 208.67.222.222 208.67.220.220 interface dmz2
    dhcpd enable dmz2
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    anyconnect-essentials
    anyconnect image disk0:/anyconnect-win-3.0.2052-k9.pkg 1
    anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
    anyconnect enable
    tunnel-group-list enable
    group-policy GroupPolicy_AnyConnect internal
    group-policy GroupPolicy_AnyConnect attributes
    wins-server none
    dns-server value 208.67.222.222 208.67.220.220
    vpn-tunnel-protocol ikev2 ssl-client
    default-domain value moxiefl.com
    webvpn
      anyconnect profiles value AnyConnect_client_profile type user
    username user1 password $$$$$$$$$$$$$$$$$ encrypted privilege 15
    username user2 password $$$$$$$$$$$$$$$$$ encrypted privilege 15
    tunnel-group AnyConnect type remote-access
    tunnel-group AnyConnect general-attributes
    address-pool VPN_POOL
    default-group-policy GroupPolicy_AnyConnect
    tunnel-group AnyConnect webvpn-attributes
    group-alias AnyConnect enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:f2c7362097b71bcada023c6bbfc45121
    : end

    Hi,
    Yes, I have saved the config, done a write erase and reloaded the config; no difference. I rebuilt it once a couple of weeks ago, but that was before I had gotten this far with your assistance. I'll include my ASA and switch configs after this. Here is a little background (taken from the Firewall section issue, just because it gives a little insight into the network). I have 2 3560s, one as an L3 switch, the other L2, with an etherchannel between them (one of the cables was bad, so I am waiting on the replacement to have 2 Gigabit channels between the switches).
    I think our issue with the VPN not getting to the Inside is possibly related to my DMZ issue of not getting to the internet.
    I am using 2 VLANs on my switch for Guests: one is wired and the other is wireless. I am trying to keep them separate because the wireless is for any guest that might be at our restaurant and getting on WiFi. The wired is for our Private Dining Rooms that vendors may need access to, and I don't want the wireless being able to see the wired network in that situation.
    I have ports on my 3560s that are assigned to VLAN 20 (Guest Wired) and VLAN 22 (Guest Wireless). I am not routing those addresses within the 3560s (one 3560 is set up as an L3 switch). Those VLANs are being L2 switched to the ASA via the trunk to save ports (I tried separating them and used 2 ports on the ASA, and it still didn't work). The ASA is providing DHCP for those VLANs and the routing for the DMZ VLANs. I can ping each of the gateways (which are the VLANs on the ASA, 172.26.20.1 and 172.26.22.1) from devices on the 3560s. I have those in my DMZ off the ASA so it can control and route the data.
    The 3560 is routing for my Corp VLANs. So far I have tested the Wired VLAN 10 (10.1.10.0/24), and it is working and gets to the Internet. I have a default route (0.0.0.0 0.0.0.0) from the L3 switch to e0/1 on the ASA, and e0/1 is an Inside interface.
    E0/0 on the ASA is my Outside interface and gets its IP from the upstream router (it will be an AT&T router/modem when I move it to the building).
    So for a simple diagram:
    PC (172.26.20.21/24) -----3560 (L2) ------Trunk----(VLAN 20 - DMZ/ VLAN 22 - DMZ2)---- ASA -----Outside ------- Internet (via router/modem)
    I will be back at this tomorrow morning - I've been up since 4pm yesterday and it is almost 3pm.
    Thank you for all of your assistance.
    Jerry
    Current ASA Config:
    ASA Version 8.4(4)
    hostname mxfw
    domain-name moxiefl.com
    enable password $$$$$$$$$$$$$$$ encrypted
    passwd $$$$$$$$$$$$$$$$ encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    switchport access vlan 20
    interface Ethernet0/5
    switchport trunk allowed vlan 20,22
    switchport mode trunk
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.0.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Vlan20
    nameif dmz
    security-level 50
    ip address 172.26.20.1 255.255.255.0
    interface Vlan22
    nameif dmz2
    security-level 50
    ip address 172.26.22.1 255.255.255.0
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 208.67.222.222
    name-server 208.67.220.220
    domain-name moxiefl.com
    same-security-traffic permit inter-interface
    object network Generic_All_Network
    subnet 0.0.0.0 0.0.0.0
    object network INSIDE_Hosts
    subnet 10.1.0.0 255.255.0.0
    object network AnyConnect_Hosts
    subnet 192.168.60.0 255.255.255.0
    object network NETWORK_OBJ_192.168.60.0_26
    subnet 192.168.60.0 255.255.255.192
    object network DMZ_Network
    subnet 172.26.20.0 255.255.255.0
    object network DMZ2_Network
    subnet 172.26.22.0 255.255.255.0
    object network INSIDE
    subnet 10.0.1.0 255.255.255.0
    access-list capdmz extended permit icmp host 172.26.20.22 host 208.67.222.222
    access-list capdmz extended permit icmp host 208.67.222.222 host 172.26.20.22
    access-list capout extended permit icmp host 192.168.1.231 host 208.67.222.222
    access-list capout extended permit icmp host 208.67.222.222 host 192.168.1.231
    access-list capvpn extended permit icmp host 192.168.60.20 host 10.1.10.23
    access-list capvpn extended permit icmp host 10.1.10.23 host 192.168.60.20
    access-list AnyConnect_Client_Local_Print extended deny ip any any
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
    access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
    access-list AnyConnect_Client_Local_Print remark Windows' printing port
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
    access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
    access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
    access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
    access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
    access-list SPLIT-TUNNEL standard permit 10.0.1.0 255.255.255.0
    access-list SPLIT-TUNNEL standard permit 10.1.0.0 255.255.0.0
    access-list capins extended permit icmp host 10.1.10.23 host 10.0.1.1
    access-list capins extended permit icmp host 10.0.1.1 host 10.1.10.23
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    mtu dmz2 1500
    ip local pool VPN_POOL 192.168.60.20-192.168.60.40 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static INSIDE INSIDE destination static AnyConnect_Hosts AnyConnect_Hosts route-lookup
    nat (inside,outside) source static INSIDE_Hosts INSIDE_Hosts destination static AnyConnect_Hosts AnyConnect_Hosts route-lookup
    nat (dmz,outside) source dynamic Generic_All_Network interface
    nat (dmz2,outside) source dynamic Generic_All_Network interface
    nat (inside,outside) after-auto source dynamic Generic_All_Network interface
    route inside 10.1.0.0 255.255.0.0 10.0.1.2 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 10.0.0.0 255.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    fqdn anyconnect.moxiefl.com
    subject-name CN=AnyConnect.moxiefl.com
    keypair AnyConnect
    proxy-ldc-issuer
    crl configure
    crypto ca certificate chain ASDM_TrustPoint0
    certificate 439a4452
      quit
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    telnet timeout 5
    ssh 10.0.0.0 255.0.0.0 inside
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd dns 208.67.222.222 208.67.220.220
    dhcpd auto_config outside
    dhcpd address 10.0.1.20-10.0.1.40 inside
    dhcpd dns 208.67.222.222 208.67.220.220 interface inside
    dhcpd enable inside
    dhcpd address 172.26.20.21-172.26.20.60 dmz
    dhcpd dns 208.67.222.222 208.67.220.220 interface dmz
    dhcpd enable dmz
    dhcpd address 172.26.22.21-172.26.22.200 dmz2
    dhcpd dns 208.67.222.222 208.67.220.220 interface dmz2
    dhcpd enable dmz2
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    anyconnect-essentials
    anyconnect image disk0:/anyconnect-win-3.0.2052-k9.pkg 1
    anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
    anyconnect enable
    tunnel-group-list enable
    group-policy GroupPolicy_AnyConnect internal
    group-policy GroupPolicy_AnyConnect attributes
    wins-server none
    dns-server value 208.67.222.222 208.67.220.220
    vpn-tunnel-protocol ikev2 ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value SPLIT-TUNNEL
    default-domain value moxiefl.com
    webvpn
      anyconnect profiles value AnyConnect_client_profile type user
    username user1 password $$$$$$$$$$$$$ encrypted privilege 15
    username user2 password $$$$$$$$$$$ encrypted privilege 15
    tunnel-group AnyConnect type remote-access
    tunnel-group AnyConnect general-attributes
    address-pool VPN_POOL
    default-group-policy GroupPolicy_AnyConnect
    tunnel-group AnyConnect webvpn-attributes
    group-alias AnyConnect enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:f6d9bbacca2a5c8b5af946a8ddc12550
    : end
    L3 3560 connects to the ASA via port f0/3 (routed port, 10.0.1.0/24 network)
    Connects to the second 3560 via G0/3 & G0/4
    version 12.2
    no service pad
    no service timestamps debug uptime
    no service timestamps log uptime
    service password-encryption
    hostname mx3560a
    boot-start-marker
    boot-end-marker
    enable secret 5 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
    no aaa new-model
    system mtu routing 1500
    authentication mac-move permit
    ip subnet-zero
    ip routing
    ip dhcp excluded-address 10.1.10.1 10.1.10.20
    ip dhcp excluded-address 10.1.12.1 10.1.12.20
    ip dhcp excluded-address 10.1.14.1 10.1.14.20
    ip dhcp excluded-address 10.1.16.1 10.1.16.20
    ip dhcp excluded-address 10.1.30.1 10.1.30.20
    ip dhcp excluded-address 10.1.35.1 10.1.35.20
    ip dhcp excluded-address 10.1.50.1 10.1.50.20
    ip dhcp excluded-address 10.1.80.1 10.1.80.20
    ip dhcp excluded-address 10.1.90.1 10.1.90.20
    ip dhcp excluded-address 10.1.100.1 10.1.100.20
    ip dhcp excluded-address 10.1.101.1 10.1.101.20
    ip dhcp pool VLAN10
       network 10.1.10.0 255.255.255.0
       default-router 10.1.10.1
       dns-server 208.67.222.222 208.67.220.220
    ip dhcp pool VLAN12
       network 10.1.12.0 255.255.255.0
       default-router 10.1.12.1
       dns-server 208.67.222.222 208.67.220.220
    ip dhcp pool VLAN14
       network 10.1.14.0 255.255.255.0
       default-router 10.1.14.1
       option 150 ip 10.1.13.1
    ip dhcp pool VLAN16
       network 10.1.16.0 255.255.255.0
       default-router 10.1.16.1
       dns-server 208.67.222.222 208.67.220.220
    ip dhcp pool VLAN30
       network 10.1.30.0 255.255.255.0
       default-router 10.1.30.1
       dns-server 208.67.222.222 208.67.220.220
    ip dhcp pool VLAN35
       network 10.1.35.0 255.255.255.0
       default-router 10.1.35.1
       dns-server 208.67.222.222 208.67.220.220
    ip dhcp pool VLAN50
       network 10.1.50.0 255.255.255.0
       default-router 10.1.50.1
       option 43 hex f104.0a01.6564
    ip dhcp pool VLAN80
       network 10.1.80.0 255.255.255.0
       default-router 10.1.80.1
       dns-server 208.67.222.222 208.67.220.220
    ip dhcp pool VLAN90
       network 10.1.90.0 255.255.255.0
       default-router 10.1.90.1
       dns-server 208.67.222.222 208.67.220.220
    ip dhcp pool VLAN100
       network 10.1.100.0 255.255.255.0
       default-router 10.1.100.1
    ip dhcp pool VLAN101
       network 10.1.101.0 255.255.255.0
       default-router 10.1.101.1
    ip dhcp pool VLAN40
       dns-server 208.67.222.222 208.67.220.220
    port-channel load-balance src-dst-mac
    spanning-tree mode pvst
    spanning-tree etherchannel guard misconfig
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    interface Port-channel1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    link state group 1 downstream
    interface FastEthernet0/1
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 100
    switchport mode trunk
    power inline never
    interface FastEthernet0/2
    switchport access vlan 10
    switchport mode access
    power inline never
    interface FastEthernet0/3
    description Interface to MXFW E0/1
    no switchport
    ip address 10.0.1.2 255.255.255.0
    power inline never
    interface FastEthernet0/4
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/5
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/6
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/7
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 30
    switchport mode trunk
    switchport voice vlan 14
    power inline never
    spanning-tree portfast
    interface FastEthernet0/8
    switchport access vlan 30
    switchport mode access
    power inline never
    interface FastEthernet0/9
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/10
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/11
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/12
    switchport access vlan 40
    switchport mode access
    interface FastEthernet0/13
    switchport access vlan 40
    switchport mode access
    interface FastEthernet0/14
    switchport access vlan 40
    switchport mode access
    interface FastEthernet0/15
    switchport access vlan 40
    switchport mode access
    shutdown
    interface FastEthernet0/16
    switchport access vlan 40
    switchport mode access
    shutdown
    interface FastEthernet0/17
    switchport access vlan 50
    switchport mode access
    interface FastEthernet0/18
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/19
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/20
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 10
    switchport mode trunk
    switchport voice vlan 14
    spanning-tree portfast
    interface FastEthernet0/21
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/22
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/23
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 30
    switchport mode trunk
    switchport voice vlan 14
    spanning-tree portfast
    interface FastEthernet0/24
    switchport access vlan 35
    switchport mode access
    power inline never
    interface FastEthernet0/25
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/26
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/27
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/28
    switchport access vlan 40
    switchport mode access
    interface FastEthernet0/29
    switchport access vlan 40
    switchport mode access
    interface FastEthernet0/30
    switchport access vlan 40
    switchport mode access
    interface FastEthernet0/31
    switchport access vlan 40
    switchport mode access
    shutdown
    interface FastEthernet0/32
    switchport access vlan 40
    switchport mode access
    shutdown
    interface FastEthernet0/33
    switchport access vlan 50
    switchport mode access
    interface FastEthernet0/34
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/35
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/36
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 10
    switchport mode trunk
    switchport voice vlan 14
    spanning-tree portfast
    interface FastEthernet0/37
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/38
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/39
    switchport access vlan 30
    switchport mode access
    power inline never
    interface FastEthernet0/40
    switchport access vlan 90
    switchport mode access
    power inline never
    interface FastEthernet0/41
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/42
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/43
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/44
    switchport access vlan 40
    switchport mode access
    interface FastEthernet0/45
    switchport access vlan 40
    switchport mode access
    interface FastEthernet0/46
    switchport access vlan 40
    switchport mode access
    shutdown
    interface FastEthernet0/47
    switchport access vlan 40
    switchport mode access
    shutdown
    interface FastEthernet0/48
    switchport mode access
    shutdown
    power inline never
    interface GigabitEthernet0/1
    description Interface to MXC2911 Port G0/0
    no switchport
    ip address 10.1.13.2 255.255.255.0
    interface GigabitEthernet0/2
    shutdown
    interface GigabitEthernet0/3
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 1 mode on
    interface GigabitEthernet0/4
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 1 mode on
    interface Vlan1
    no ip address
    shutdown
    interface Vlan10
    ip address 10.1.10.1 255.255.255.0
    interface Vlan12
    ip address 10.1.12.1 255.255.255.0
    interface Vlan14
    ip address 10.1.14.1 255.255.255.0
    interface Vlan16
    ip address 10.1.16.1 255.255.255.0
    interface Vlan20
    ip address 172.26.20.1 255.255.255.0
    interface Vlan22
    ip address 172.26.22.1 255.255.255.0
    interface Vlan30
    ip address 10.1.30.1 255.255.255.0
    interface Vlan35
    ip address 10.1.35.1 255.255.255.0
    interface Vlan40
    ip address 10.1.40.1 255.255.255.0
    interface Vlan50
    ip address 10.1.50.1 255.255.255.0
    interface Vlan80
    ip address 172.16.80.1 255.255.255.0
    interface Vlan86
    no ip address
    shutdown
    interface Vlan90
    ip address 10.1.90.1 255.255.255.0
    interface Vlan100
    ip address 10.1.100.1 255.255.255.0
    interface Vlan101
    ip address 10.1.101.1 255.255.255.0
    router eigrp 1
    network 10.0.0.0
    network 10.1.13.0 0.0.0.255
    network 10.1.14.0 0.0.0.255
    passive-interface default
    no passive-interface GigabitEthernet0/1
    ip classless
    ip route 0.0.0.0 0.0.0.0 FastEthernet0/3 10.0.1.1
    ip route 192.168.60.0 255.255.255.0 FastEthernet0/3 10.0.1.1 2
    ip http server
    ip sla enable reaction-alerts
    line con 0
    logging synchronous
    line vty 0 4
    login
    line vty 5 15
    login
    end
    L3 3560 Route Table (I added 192.168.60.0/24 instead of just using the default route just in case it wasn't routing for some reason - no change)
    mx3560a#sho ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is 10.0.1.1 to network 0.0.0.0
    S    192.168.60.0/24 [2/0] via 10.0.1.1, FastEthernet0/3
         172.16.0.0/24 is subnetted, 1 subnets
    C       172.16.80.0 is directly connected, Vlan80
         172.26.0.0/24 is subnetted, 2 subnets
    C       172.26.22.0 is directly connected, Vlan22
    C       172.26.20.0 is directly connected, Vlan20
         10.0.0.0/8 is variably subnetted, 14 subnets, 2 masks
    C       10.1.10.0/24 is directly connected, Vlan10
    D       10.1.13.5/32 [90/3072] via 10.1.13.1, 4d02h, GigabitEthernet0/1
    C       10.1.14.0/24 is directly connected, Vlan14
    C       10.1.13.0/24 is directly connected, GigabitEthernet0/1
    C       10.1.12.0/24 is directly connected, Vlan12
    C       10.0.1.0/24 is directly connected, FastEthernet0/3
    C       10.1.30.0/24 is directly connected, Vlan30
    C       10.1.16.0/24 is directly connected, Vlan16
    C       10.1.40.0/24 is directly connected, Vlan40
    C       10.1.35.0/24 is directly connected, Vlan35
    C       10.1.50.0/24 is directly connected, Vlan50
    C       10.1.90.0/24 is directly connected, Vlan90
    C       10.1.101.0/24 is directly connected, Vlan101
    C       10.1.100.0/24 is directly connected, Vlan100
    S*   0.0.0.0/0 [1/0] via 10.0.1.1, FastEthernet0/3
    I have a C2911 for CME on G0/1 - using it only for that purpose at this time.
    L2 3560 Config: it connects to the ASA as a trunk on e0/5 of the ASA and port f0/3 of the switch. I am using L2 switching for the DMZ networks from the switches to the ASA and allowing the ASA to provide the DHCP and routing out of the network. DMZ networks: 172.26.20.0/24 and 172.26.22.0/24.
    version 12.2
    no service pad
    no service timestamps debug uptime
    no service timestamps log uptime
    service password-encryption
    hostname mx3560b
    boot-start-marker
    boot-end-marker
    enable secret 5 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
    no aaa new-model
    system mtu routing 1500
    crypto pki trustpoint TP-self-signed-3877365632
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3877365632
    revocation-check none
    rsakeypair TP-self-signed-3877365632
    crypto pki certificate chain TP-self-signed-3877365632
    certificate self-signed 01
      quit
    port-channel load-balance src-dst-mac
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    interface Port-channel1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface FastEthernet0/1
    switchport access vlan 50
    switchport mode access
    interface FastEthernet0/2
    switchport access vlan 30
    switchport mode access
    power inline never
    interface FastEthernet0/3
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 20,22
    switchport mode trunk
    power inline never
    interface FastEthernet0/4
    switchport mode access
    shutdown
    power inline never
    interface FastEthernet0/5
    shutdown
    power inline never
    interface FastEthernet0/6
    shutdown
    power inline never
    interface FastEthernet0/7
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 30
    switchport mode trunk
    switchport voice vlan 14
    spanning-tree portfast
    interface FastEthernet0/8
    switchport access vlan 30
    switchport mode access
    power inline never
    interface FastEthernet0/9
    shutdown
    power inline never
    interface FastEthernet0/10
    switchport access vlan 20
    switchport mode access
    power inline never
    interface FastEthernet0/11
    shutdown
    power inline never
    interface FastEthernet0/12
    switchport access vlan 40
    switchport mode access
    interface FastEthernet0/13
    switchport access vlan 40
    switchport mode access
    interface FastEthernet0/14
    switchport access vlan 40
    switchport mode access
    shutdown
    interface FastEthernet0/15
    switchport access vlan 40
    switchport mode access
    shutdown
    interface FastEthernet0/16
    switchport access vlan 40
    switchport mode access
    shutdown
    interface FastEthernet0/17
    switchport access vlan 10
    switchport mode access
    power inline never
    interface FastEthernet0/18
    shutdown
    power inline never
    interface FastEthernet0/19
    shutdown
    power inline never
    interface FastEthernet0/20
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 10
    switchport mode trunk
    switchport voice vlan 14
    spanning-tree portfast
    interface FastEthernet0/21
    shutdown
    power inline never
    interface FastEthernet0/22
    shutdown
    power inline never
    interface FastEthernet0/23
    switchport access vlan 30
    switchport mode access
    power inline never
    interface FastEthernet0/24
    shutdown
    power inline never
    interface FastEthernet0/25
    switchport access vlan 20
    switchport mode access
    power inline never
    interface FastEthernet0/26
    shutdown
    power inline never
    interface FastEthernet0/27
    shutdown
    power inline never
    interface FastEthernet0/28
    switchport access vlan 40
    switchport mode access
    interface FastEthernet0/29
    switchport access vlan 40
    switchport mode access
    interface FastEthernet0/30
    switchport access vlan 40
    switchport mode access
    shutdown
    interface FastEthernet0/31
    switchport access vlan 40
    switchport mode access
    shutdown
    interface FastEthernet0/32
    switchport access vlan 40
    switchport mode access
    shutdown
    interface FastEthernet0/33
    switchport access vlan 20
    switchport mode access
    power inline never
    interface FastEthernet0/34
    shutdown
    power inline never
    interface FastEthernet0/35
    shutdown
    power inline never
    interface FastEthernet0/36
    switchport mode access
    switchport voice vlan 14
    spanning-tree portfast
    interface FastEthernet0/37
    shutdown
    power inline never
    interface FastEthernet0/38
    shutdown
    power inline never
    interface FastEthernet0/39
    switchport access vlan 30
    switchport mode access
    power inline never
    interface FastEthernet0/40
    switchport access vlan 90
    switchport mode access
    power inline never
    interface FastEthernet0/41
    shutdown
    power inline never
    interface FastEthernet0/42
    shutdown
    power inline never
    interface FastEthernet0/43
    shutdown
    power inline never
    interface FastEthernet0/44
    switchport access vlan 40
    switchport mode access
    interface FastEthernet0/45
    switchport access vlan 40
    switchport mode access
    interface FastEthernet0/46
    switchport access vlan 40
    switchport mode access
    shutdown
    interface FastEthernet0/47
    switchport access vlan 40
    switchport mode access
    shutdown
    interface FastEthernet0/48
    switchport access vlan 40
    switchport mode access
    shutdown
    interface GigabitEthernet0/1
    shutdown
    interface GigabitEthernet0/2
    switchport access vlan 40
    switchport mode access
    interface GigabitEthernet0/3
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 1 mode on
    interface GigabitEthernet0/4
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 1 mode on
    interface Vlan1
    no ip address
    ip classless
    ip http server
    ip http secure-server
    ip sla enable reaction-alerts
    line con 0
    logging synchronous
    line vty 0 4
    login
    line vty 5 15
    login
    end
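One check a practitioner would run over the two configurations posted above, as an added example that is not part of the original post: the L3 3560 defines interface Vlan20 and Vlan22 with the same addresses the ASA uses on dmz and dmz2, and this script parses constructed excerpts of both configurations (interface and address lines only) and reports every address that is configured on more than one device.

```python
"""Flag interface addresses that appear on more than one device.

Added example, not from the original post: the two excerpts below are
constructed from the ASA (mxfw) and L3 3560 (mx3560a) configurations
quoted above, keeping only the interface and address lines.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt of the ASA configuration quoted in the post.
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.0.1.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address dhcp setroute
interface Vlan20
 nameif dmz
 ip address 172.26.20.1 255.255.255.0
interface Vlan22
 nameif dmz2
 ip address 172.26.22.1 255.255.255.0
"""

# Constructed excerpt of the L3 3560 configuration quoted in the post.
SWITCH_CONFIG = """\
interface FastEthernet0/3
 description Interface to MXFW E0/1
 no switchport
 ip address 10.0.1.2 255.255.255.0
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
interface Vlan20
 ip address 172.26.20.1 255.255.255.0
interface Vlan22
 ip address 172.26.22.1 255.255.255.0
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)", re.IGNORECASE)
# Only static 'ip address A.B.C.D MASK' lines; 'ip address dhcp' is skipped.
ADDR_RE = re.compile(
    r"^\s*ip address\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})",
    re.IGNORECASE,
)


def parse_l3_interfaces(config):
    """Return {interface_name: IPv4Interface} for every interface that has a
    static address line (IOS and ASA share this syntax)."""
    result = {}
    current = None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if m and current is not None:
            result[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return result


def find_duplicate_addresses(devices):
    """devices: {hostname: config_text}.

    Returns [(address, [(hostname, interface), ...]), ...] for every address
    configured on more than one device, sorted by address. Two devices sharing
    a subnet (the 10.0.1.0/24 transit link here) is normal and not reported;
    two devices owning the same address is a conflict."""
    owners = defaultdict(list)
    for host, cfg in devices.items():
        for name, iface in parse_l3_interfaces(cfg).items():
            owners[iface.ip].append((host, name))
    return [(str(ip), o) for ip, o in sorted(owners.items()) if len(o) > 1]


if __name__ == "__main__":
    for ip, where in find_duplicate_addresses(
        {"mxfw": ASA_CONFIG, "mx3560a": SWITCH_CONFIG}
    ):
        print(ip, "configured on", ", ".join(f"{h} {i}" for h, i in where))
```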

  • Remote access VPN client gets connected fails on hosts in LAN

    Hi,
    VPN client gets connected fine. I have inter-VLAN routing happening on the switch in the LAN, so all the LAN hosts have their gateway IP on the switch, and I have the default route on the switch pointing to the ASA inside interface. After the Remote Access VPN is connected I can reach the switch; however, I cannot ping/connect to other hosts in the LAN, and if I make the gateway point to the ASA then that host is accessible. Any suggestions? I really want the gateway to be the Switch as I have other networks reachable through the Switch (Intranet routing).

    Hi Mashal,
    Thanks for your time,
    VPN Pool(Client) 192.168.100.0/24
    Internal Subnets 192.9.200.0/24(VLAN 4000) and 192.168.2.0/24 (VLAN 1000)
    =============
    On the Switch
    =============
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is 192.168.2.5 to network 0.0.0.0
         172.32.0.0/24 is subnetted, 1 subnets
    C       172.32.0.0 is directly connected, Vlan101
    C    192.168.200.0/24 is directly connected, Vlan2000
    C    192.9.200.0/24 is directly connected, Vlan4000
    S    192.168.250.0/24 [1/0] via 192.9.200.125
    S    192.168.1.0/24 [1/0] via 192.9.200.125
    C    192.168.2.0/24 is directly connected, Vlan1000
    S    192.168.252.0/24 [1/0] via 192.9.200.125
    S*   0.0.0.0/0 [1/0] via 192.168.2.5
    ===============
    On ASA
    ===============
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route
    Gateway of last resort is 172.32.0.2 to network 0.0.0.0
    C    172.32.0.0 255.255.255.0 is directly connected, outside
    C    192.9.200.0 255.255.255.0 is directly connected, inside
    C    192.168.168.0 255.255.255.0 is directly connected, failover
    C    192.168.2.0 255.255.255.0 is directly connected, MGMT
    S    192.168.100.2 255.255.255.255 [1/0] via 172.32.0.2, outside
    S    192.168.100.3 255.255.255.255 [1/0] via 172.32.0.2, outside
    S*   0.0.0.0 0.0.0.0 [1/0] via 172.32.0.2, outside
    We don't need the route print on the PC for now, as I can explain what is happening. I can get complete access to 192.168.2.0/24 (VLAN 1000), but for 192.9.200.0/24 (VLAN 4000) above from the switch I can only ping IPs on the switches/pair and cannot have any TCP connections, which explains the default route on the switch being pointed at VLAN 1000. Now my issue is how I get access to VLAN 4000, as you can see these two are on different interfaces/zones on the ASA. Please note that with the default gateway pointing to the ASA I have access to both VLANs; it is only when I move the gateway to point to the switch that I lose TCP connections to one VLAN, depending on where the default route on the switch is pointing.
    So we are left with how to do this on the switch with the default route.

  • Route not showing up in routing table.

    I have my core switch connecting to my router, which connects to our MPLS provider. My router has a BGP default route going to the MPLS provider edge router: B*   0.0.0.0/0 [20/0] via 172.30.252.78, 1w4d .... This route is not showing up in my core switch. Shouldn't it show up as an EIGRP EX default route? Can anyone assist me? My routing table for each device is below. Thank you!
    Router
    USJONELAWTN01R#sho ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is 172.30.252.78 to network 0.0.0.0
         68.0.0.0/32 is subnetted, 1 subnets
    S       68.142.83.236 is directly connected, Null0
         198.63.196.0/32 is subnetted, 1 subnets
    S       198.63.196.103 is directly connected, Null0
         64.0.0.0/32 is subnetted, 1 subnets
    S       64.234.192.40 is directly connected, Null0
         172.26.0.0/16 is variably subnetted, 3 subnets, 2 masks
    D       172.26.82.0/24 [90/28416] via 172.28.82.10, 1w5d, GigabitEthernet0/1
                           [90/28416] via 172.28.80.10, 1w5d, GigabitEthernet0/0.1
                           [90/28416] via 172.28.80.9, 1w5d, GigabitEthernet0/0.1
    D       172.26.83.0/24 [90/28416] via 172.28.82.10, 1w5d, GigabitEthernet0/1
                           [90/28416] via 172.28.80.10, 1w5d, GigabitEthernet0/0.1
                           [90/28416] via 172.28.80.9, 1w5d, GigabitEthernet0/0.1
    D       172.26.80.0/23 [90/28416] via 172.28.82.10, 1w5d, GigabitEthernet0/1
                           [90/28416] via 172.28.80.10, 1w5d, GigabitEthernet0/0.1
                           [90/28416] via 172.28.80.9, 1w5d, GigabitEthernet0/0.1
         172.28.0.0/16 is variably subnetted, 4 subnets, 2 masks
    C       172.28.176.0/23 is directly connected, GigabitEthernet0/0.6
    C       172.28.80.0/23 is directly connected, GigabitEthernet0/0.1
    C       172.28.82.0/23 is directly connected, GigabitEthernet0/1
    D       172.28.80.20/32
               [90/30720] via 172.28.176.3, 1w5d, GigabitEthernet0/0.6
               [90/30720] via 172.28.82.3, 1w5d, GigabitEthernet0/1
               [90/30720] via 172.28.80.3, 1w5d, GigabitEthernet0/0.1
         172.30.0.0/16 is variably subnetted, 6 subnets, 2 masks
    C       172.30.252.78/32 is directly connected, Multilink1
    C       172.30.252.76/30 is directly connected, Multilink1
    D       172.30.252.114/32
               [90/3415808] via 172.28.176.3, 4d00h, GigabitEthernet0/0.6
               [90/3415808] via 172.28.82.3, 4d00h, GigabitEthernet0/1
               [90/3415808] via 172.28.80.3, 4d00h, GigabitEthernet0/0.1
    D       172.30.252.112/30
               [90/3415808] via 172.28.176.3, 4d00h, GigabitEthernet0/0.6
               [90/3415808] via 172.28.82.3, 4d00h, GigabitEthernet0/1
               [90/3415808] via 172.28.80.3, 4d00h, GigabitEthernet0/0.1
    D       172.30.254.24/32
               [90/156160] via 172.28.176.3, 1w5d, GigabitEthernet0/0.6
               [90/156160] via 172.28.82.3, 1w5d, GigabitEthernet0/1
               [90/156160] via 172.28.80.3, 1w5d, GigabitEthernet0/0.1
    C       172.30.254.25/32 is directly connected, Loopback10
    C    192.168.202.0/24 is directly connected, GigabitEthernet0/0.1
         10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
    S       10.192.254.0/24 [1/0] via 172.28.82.10, GigabitEthernet0/1
    S       10.201.0.0/16 [1/0] via 172.28.82.10, GigabitEthernet0/1
    S       10.200.1.0/24 [1/0] via 172.28.82.10, GigabitEthernet0/1
    C    192.168.203.0/24 is directly connected, GigabitEthernet0/0.1
    C    192.168.51.0/24 is directly connected, GigabitEthernet0/0.1
    B*   0.0.0.0/0 [20/0] via 172.30.252.78, 1w4d
    B    200.200.0.0/16 [20/0] via 172.30.252.78, 1w4d
    B    201.1.0.0/16 [20/0] via 172.30.252.78, 1w4d
    B    172.16.0.0/12 [20/0] via 172.30.252.78, 1w4d
    B    198.30.0.0/16 [20/0] via 172.30.252.78, 1w4d
    B    192.168.0.0/16 [20/0] via 172.30.252.78, 1w4d
    Core Switch
    TNLAW-TN1COREA# sho ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is 10.192.61.1 to network 0.0.0.0
         172.26.0.0/16 is variably subnetted, 3 subnets, 2 masks
    C       172.26.82.0/24 is directly connected, Vlan601
    C       172.26.83.0/24 is directly connected, Vlan603
    C       172.26.80.0/23 is directly connected, Vlan602
         172.28.0.0/16 is variably subnetted, 4 subnets, 2 masks
    D       172.28.176.0/23 [90/28416] via 172.28.82.3, 7w0d, Vlan2
                            [90/28416] via 172.28.82.2, 7w0d, Vlan2
                            [90/28416] via 172.28.80.3, 7w0d, Vlan1
                            [90/28416] via 172.28.80.2, 7w0d, Vlan1
    C       172.28.80.0/23 is directly connected, Vlan1
    C       172.28.82.0/23 is directly connected, Vlan2
    D       172.28.80.20/32 [90/28416] via 172.28.82.3, 7w0d, Vlan2
                            [90/28416] via 172.28.80.3, 7w0d, Vlan1
         172.30.0.0/16 is variably subnetted, 6 subnets, 2 masks
    D       172.30.252.78/32 [90/3413504] via 172.28.82.2, 1w4d, Vlan2
                             [90/3413504] via 172.28.80.2, 1w4d, Vlan1
    D       172.30.252.76/30 [90/3413504] via 172.28.82.2, 1w4d, Vlan2
                             [90/3413504] via 172.28.80.2, 1w4d, Vlan1
    D       172.30.252.114/32 [90/3413504] via 172.28.82.3, 4d00h, Vlan2
                              [90/3413504] via 172.28.80.3, 4d00h, Vlan1
    D       172.30.252.112/30 [90/3413504] via 172.28.82.3, 4d00h, Vlan2
                              [90/3413504] via 172.28.80.3, 4d00h, Vlan1
    D       172.30.254.24/32 [90/130816] via 172.28.82.3, 7w0d, Vlan2
                             [90/130816] via 172.28.80.3, 7w0d, Vlan1
    D       172.30.254.25/32 [90/130816] via 172.28.82.2, 7w0d, Vlan2
                             [90/130816] via 172.28.80.2, 7w0d, Vlan1
    D    192.168.202.0/24 [90/28416] via 172.28.82.3, 7w0d, Vlan2
                          [90/28416] via 172.28.82.2, 7w0d, Vlan2
         10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
    S       10.192.254.0/24 [1/0] via 10.192.61.1, GigabitEthernet3/47
    S       10.201.0.0/16 [1/0] via 10.192.61.1, GigabitEthernet3/47
    S       10.200.1.0/24 [1/0] via 10.192.61.1, GigabitEthernet3/47
    C       10.192.61.0/28 is directly connected, GigabitEthernet3/47
    D    192.168.203.0/24 [90/28416] via 172.28.82.3, 7w0d, Vlan2
                          [90/28416] via 172.28.82.2, 7w0d, Vlan2
    D    192.168.51.0/24 [90/28416] via 172.28.82.3, 7w0d, Vlan2
                         [90/28416] via 172.28.82.2, 7w0d, Vlan2
    S*   0.0.0.0/0 [250/0] via 10.192.61.1, GigabitEthernet3/47

    Hello,
    The core switch has got a static default route pointing to 10.192.61.1. It has got a better AD value than the EIGRP routes.
    Even if you are redistributing the BGP routes into EIGRP, the EIGRP default route will not make it to the routing table because of its higher AD value than the static route.
    However, you can view it in the EIGRP topology table. Check 'sh ip ei topo'.
    Krishna
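Both the VPN-client post above and this thread come down to what a switch's forwarding table actually does with a destination: longest prefix match first, and, when several sources offer the same prefix, the lowest administrative distance wins (the core switch's default above is a floating static at AD 250, and an EIGRP external route carries AD 170 by default). The Python script below is an added example, not code from either post or from any Cisco tool. It parses a handful of the `show ip route` lines quoted above, plus one constructed `D*EX` default line (labelled in the code) showing what a redistributed BGP default would look like, and answers both questions: which way the inter-VLAN switch sends a reply to a 192.168.100.0/24 VPN address, and which source the core switch would install for 0.0.0.0/0.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the 'show ip route' lines quoted in the two
# posts above (the inter-VLAN switch and the core switch). The D*EX line is
# hypothetical: it is what an EIGRP-external default would look like if the
# BGP default were redistributed, and is here only to show the AD comparison.
SWITCH_ROUTES = """\
C    192.9.200.0/24 is directly connected, Vlan4000
S    192.168.250.0/24 [1/0] via 192.9.200.125
C    192.168.2.0/24 is directly connected, Vlan1000
S*   0.0.0.0/0 [1/0] via 192.168.2.5
"""

CORE_ROUTES = """\
S       10.192.254.0/24 [1/0] via 10.192.61.1, GigabitEthernet3/47
D    192.168.203.0/24 [90/28416] via 172.28.82.3, 7w0d, Vlan2
S*   0.0.0.0/0 [250/0] via 10.192.61.1, GigabitEthernet3/47
D*EX 0.0.0.0/0 [170/3415808] via 172.28.82.2, 1w4d, Vlan2
"""

# One IOS route line: code, prefix/len, optional [AD/metric], next hop or
# "is directly connected", then optional ", age, interface".
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?(?: ?(?:EX|IA|E1|E2|N1|N2|L1|L2))?)\s+"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\])?"
    r"\s+(?:via\s+(?P<nh>\d{1,3}(?:\.\d{1,3}){3})|is directly connected)"
    r"(?P<rest>.*)$"
)


@dataclass(frozen=True)
class Route:
    code: str
    network: ipaddress.IPv4Network
    ad: int
    metric: int
    next_hop: Optional[str]
    iface: Optional[str]


def parse_routes(text: str) -> list:
    """Parse route lines. Legend/header lines, classful parent lines and
    multi-line ECMP continuations (no next hop on the same line) are skipped."""
    routes = []
    for raw in text.splitlines():
        m = ROUTE_RE.match(raw.strip())
        if not m:
            continue
        iface = m.group("rest").split(",")[-1].strip() or None
        routes.append(Route(
            code=m.group("code"),
            network=ipaddress.ip_network(m.group("prefix"), strict=False),
            ad=int(m.group("ad") or 0),          # connected routes carry no [AD/metric]
            metric=int(m.group("metric") or 0),
            next_hop=m.group("nh"),
            iface=iface,
        ))
    return routes


def installed(routes, prefix: str) -> Optional[Route]:
    """Of all sources offering exactly this prefix, the RIB installs the lowest AD
    (then lowest metric); the losers stay only in their own protocol table."""
    net = ipaddress.ip_network(prefix)
    cands = [r for r in routes if r.network == net]
    return min(cands, key=lambda r: (r.ad, r.metric), default=None)


def lookup(routes, dst: str) -> Optional[Route]:
    """Forwarding decision for one destination: longest prefix match, then AD/metric."""
    addr = ipaddress.ip_address(dst)
    cands = [r for r in routes if addr in r.network]
    return max(cands, key=lambda r: (r.network.prefixlen, -r.ad, -r.metric), default=None)


if __name__ == "__main__":
    sw = parse_routes(SWITCH_ROUTES)
    for dst in ("192.168.100.2", "192.9.200.10"):        # VPN pool client, VLAN 4000 host
        r = lookup(sw, dst)
        print(f"{dst:>15} -> {r.code:<5} {r.network} via {r.next_hop or 'connected'} {r.iface or ''}")
    core = parse_routes(CORE_ROUTES)
    best = installed(core, "0.0.0.0/0")
    print(f"core default installed from {best.code} (AD {best.ad}); the other candidate stays in its protocol table")
```

The first lookup lands on `S* 0.0.0.0/0 via 192.168.2.5`, the VLAN 1000 side, which the ASA's own table lists as its MGMT interface rather than inside. A reply leaving toward the VPN client on a different ASA interface than the one the SYN came in on is consistent with ICMP working while TCP does not, so a static route for the VPN pool via the ASA inside address on 192.9.200.0/24 is the first thing to try on the switch. The second result shows the AD comparison for the core switch's default with the values on the page.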

  • Cisco 2821 - ASA5520 - 3750G help

    I need help.
    Before: working, no problems.
    At the moment my router is my DSL connection, and then there is a point-to-point link between the router and the switch with OSPF routing.
    I'm trying to put a routed ASA 5520 between my router and switch for added protection, as you do...
    I can get the links up and running and OSPF routing between the router and the ASA; however, when I enable the switch side the ASA becomes extremely slow and almost unresponsive. Not sure what is happening there, and I can't get any HTTP traffic to pass. I have an any-any rule on the interfaces, so that shouldn't be stopping it, and the ASA is passing the OSPF routing to the router as I can see the routes.
    I'm hitting my head against the wall, so to speak; any assistance would be greatly appreciated.
    Here are snippets of the relevant parts of the configs.
    router
    interface Loopback0
    description --- Loopback ---
    ip address 10.100.0.1 255.255.255.255
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly in
    interface GigabitEthernet0/1
    ip address 10.0.1.1 255.255.255.252
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nbar protocol-discovery
    ip flow ingress
    ip flow egress
    ip nat inside
    ip virtual-reassembly in
    duplex full
    speed 1000
    no mop enabled
    hold-queue 0 in
    router ospf 1
    router-id 10.100.0.1
    log-adjacency-changes detail
    network 10.0.0.0 0.0.0.255 area 1
    network 10.0.1.1 0.0.0.0 area 1
    network 10.0.1.0 0.0.0.3 area 1
    network 10.0.99.0 0.0.0.15 area 1
    network 10.100.0.1 0.0.0.0 area 1
    ASA
    ASA# sh run
    Saved
    ASA Version 8.4(2)
    hostname ASA
    domain-name domain.com
    names
    interface GigabitEthernet0/0
    speed 1000
    duplex full
    nameif outside
    security-level 0
    ip address 10.0.1.2 255.255.255.252
    interface GigabitEthernet0/1
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/2
    shutdown
    no nameif   
    no security-level
    no ip address
    interface GigabitEthernet0/3
    speed 1000
    duplex full
    nameif inside
    security-level 100
    ip address 10.0.11.1 255.255.255.252
    interface Management0/0
    speed 100
    duplex full
    nameif management
    security-level 0
    ip address 10.1.0.3 255.255.255.0
    boot system disk0:/asa842-k8.bin
    ftp mode passive
    clock timezone AEST 10
    clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
    object-group icmp-type Ping
    icmp-object echo
    icmp-object echo-reply
    icmp-object unreachable
    access-list outside_access_in extended permit ip any any log
    access-list outside_access_in extended permit tcp any any eq www
    access-list inside_access_in extended permit ip any any log
    access-list inside_access_in extended permit tcp any any eq www
    access-list global_access extended permit ip any any
    pager lines 24
    logging trap errors
    logging host inside 10.27.134.28
    logging host inside 10.55.7.94
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    asdm image disk0:/asdm-645-206.bin
    asdm history enable
    arp timeout 14400
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    access-group global_access global
    router ospf 1
    router-id 10.0.11.1
    network 10.0.1.2 255.255.255.255 area 1
    network 10.0.1.0 255.255.255.252 area 1
    network 10.0.11.1 255.255.255.255 area 1
    network 10.0.11.0 255.255.255.252 area 1
    log-adj-changes
    route outside 0.0.0.0 255.255.255.255 10.0.1.1 1
    route inside 10.0.0.0 255.0.0.0 10.0.11.2 1
    route management 10.122.0.200 255.255.255.255 10.122.0.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (inside) host 10.122.0.10
    key *****
    aaa-server TACACS+ (inside) host 10.122.0.20
    key *****
    user-identity default-domain LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authentication http console TACACS+ LOCAL
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication telnet console TACACS+ LOCAL
    aaa authorization command TACACS+ LOCAL
    aaa accounting command TACACS+
    http server enable
    http 10.122.0.200 255.255.255.255 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet 10.122.0.200 255.255.255.255 management
    telnet timeout 5
    ssh 10.122.0.200 255.255.255.255 management
    ssh timeout 5
    ssh version 2
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username admin password <removed> privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
    inspect icmp
    inspect http
    class class-default
    user-statistics accounting
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:64d0fef2ddc6fddf66f51f3f1da15d78
    end
    Switch
    interface Loopback0
    ip address 10.100.0.2 255.255.255.255
    interface GigabitEthernet0/1
    no switchport
    ip address 10.0.11.2 255.255.255.252
    logging event link-status
    logging event trunk-status
    logging event status
    power inline never
    speed 1000
    duplex full
    flowcontrol receive desired
    router ospf 1
    router-id 10.100.0.2
    log-adjacency-changes detail
    redistribute connected
    network 10.0.1.2 0.0.0.0 area 1
    network 10.0.11.0 0.0.0.3 area 1
    network 10.122.0.0 0.0.0.255 area 1
    network 10.27.0.0 0.0.0.255 area 1
    network 10.38.0.0 0.0.0.255 area 1
    network 10.41.0.0 0.0.0.255 area 1
    network 10.52.0.0 0.0.0.255 area 1
    network 10.68.0.0 0.0.0.255 area 1
    network 10.79.0.0 0.0.0.255 area 1
    network 10.100.0.2 0.0.0.0 area 1
    ip route 0.0.0.0 0.0.0.0 10.0.11.1
    Thanks for your time and effort.

    Julio,
    Thanks so much again for your assistance.
    Here is the info you requested.
    -Can you ping from the ASA to 8.8.8.8?
    No; initially my outside route was set incorrectly.
    It was route inside 10.0.0.0 255.255.255.255 10.0.11.2 1
    upon pinging 8.8.8.8
    ASA(config)# ping 8.8.8.8
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
    No route to host 8.8.8.8
    Success rate is 0 percent (0/1)
    I changed my outside route to 
    route outside 0.0.0.0 0.0.0.0 10.0.1.1 1
    now pinging
    ASA# ping 8.8.8.8
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 150/152/160 ms
    -Can you ping from the Switch to 8.8.8.8? NO
    SWITCH#ping 8.8.8.8
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    -Please provide sh route on the ASA
    ASA# sh route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route
    Gateway of last resort is 10.0.1.1 to network 0.0.0.0
    C    10.0.11.0 255.255.255.252 is directly connected, inside
    O    10.0.0.2 255.255.255.255 [110/1010] via 10.0.1.1, 0:04:36, outside
    O    10.2.0.0 255.255.255.0 [110/11] via 10.0.11.2, 0:04:36, inside
    O    10.0.0.3 255.255.255.255 [110/1010] via 10.0.1.1, 0:04:36, outside
    O    10.3.0.0 255.255.255.0 [110/11] via 10.0.11.2, 0:04:36, inside
    S    10.0.0.0 255.0.0.0 [1/0] via 10.0.11.2, inside
    O    10.0.0.1 255.255.255.255 [110/10] via 10.0.1.1, 0:04:36, outside
    C    10.0.1.0 255.255.255.252 is directly connected, outside
    C    10.1.0.0 255.255.255.0 is directly connected, management
    O    10.6.0.0 255.255.255.0 [110/11] via 10.0.11.2, 0:04:36, inside
    O    10.7.0.0 255.255.255.0 [110/11] via 10.0.11.2, 0:04:36, inside
    O    10.0.0.4 255.255.255.255 [110/1010] via 10.0.1.1, 0:04:36, outside
    O    10.4.0.0 255.255.255.0 [110/11] via 10.0.11.2, 0:04:36, inside
    O    10.5.0.0 255.255.255.0 [110/11] via 10.0.11.2, 0:04:36, inside
    O    10.62.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
    O    10.60.0.2 255.255.255.255 [110/1012] via 10.0.1.1, 0:04:37, outside
    O    10.63.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
    O    10.0.60.0 255.255.255.252 [110/1011] via 10.0.1.1, 0:04:37, outside
    O    10.61.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
    O    10.60.0.1 255.255.255.255 [110/1011] via 10.0.1.1, 0:04:37, outside
    O    10.74.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
    O    10.75.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
    O    10.72.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
    O    10.73.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
    O    10.76.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
    O    10.0.77.1 255.255.255.255 [110/1011] via 10.0.1.1, 0:04:37, outside
    O    10.77.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
    O    10.66.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
    O    10.67.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
    O    10.0.66.1 255.255.255.255 [110/1011] via 10.0.1.1, 0:04:37, outside
    O    10.64.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
    O    10.65.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
    O    10.0.70.0 255.255.255.252 [110/1011] via 10.0.1.1, 0:04:37, outside
    O    10.71.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
    O    10.70.0.1 255.255.255.255 [110/1011] via 10.0.1.1, 0:04:37, outside
    O    10.70.0.2 255.255.255.255 [110/1012] via 10.0.1.1, 0:04:37, outside
    O    10.0.88.1 255.255.255.255 [110/1011] via 10.0.1.1, 0:04:37, outside
    O    10.82.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
    O    10.80.0.2 255.255.255.255 [110/1012] via 10.0.1.1, 0:04:37, outside
    O    10.83.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
    O    10.0.80.0 255.255.255.252 [110/1011] via 10.0.1.1, 0:04:37, outside
    O    10.81.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
    O    10.80.0.1 255.255.255.255 [110/1011] via 10.0.1.1, 0:04:37, outside
    O    10.86.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
    O    10.84.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
    O    10.85.0.0 255.255.255.0 [110/1012] via 10.0.1.1, 0:04:37, outside
    O    10.0.99.1 255.255.255.255 [110/11] via 10.0.1.1, 0:04:37, outside
    O    10.100.0.2 255.255.255.255 [110/11] via 10.0.11.2, 0:04:37, inside
    O    10.100.0.1 255.255.255.255 [110/11] via 10.0.1.1, 0:04:37, outside
    S    10.2.0.200 255.255.255.255 [1/0] via 10.2.0.1, management
    S*   0.0.0.0 0.0.0.0 [1/0] via 10.0.1.1, outside
    -Please provide sh ip route on the router
    ROUTER#sh ip route
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
           + - replicated route, % - next hop override
    Gateway of last resort is 0.0.0.0 to network 0.0.0.0
    S*    0.0.0.0/0 is directly connected, Dialer0
          10.0.0.0/8 is variably subnetted, 53 subnets, 4 masks
    C        10.0.0.0/24 is directly connected, Tunnel0
    L        10.0.0.1/32 is directly connected, Tunnel0
    O        10.0.0.2/32 [110/1000] via 10.0.0.2, 1d23h, Tunnel0
    O        10.0.0.3/32 [110/1000] via 10.0.0.3, 1d23h, Tunnel0
    O        10.0.0.4/32 [110/1000] via 10.0.0.4, 1d23h, Tunnel0
    C        10.0.1.0/30 is directly connected, GigabitEthernet0/1
    L        10.0.1.1/32 is directly connected, GigabitEthernet0/1
    C        10.0.2.0/30 is directly connected, Content-Engine1/0
    L        10.0.2.1/32 is directly connected, Content-Engine1/0
    O        10.0.11.0/30 [110/11] via 10.0.1.2, 00:05:45, GigabitEthernet0/1
    O        10.0.60.0/30 [110/1001] via 10.0.0.2, 1d23h, Tunnel0
    O        10.0.66.1/32 [110/1001] via 10.0.0.2, 1d23h, Tunnel0
    O        10.0.70.0/30 [110/1001] via 10.0.0.4, 1d23h, Tunnel0
    O        10.0.77.1/32 [110/1001] via 10.0.0.4, 1d23h, Tunnel0
    O        10.0.80.0/30 [110/1001] via 10.0.0.3, 1d23h, Tunnel0
    O        10.0.88.1/32 [110/1001] via 10.0.0.3, 1d23h, Tunnel0
    C        10.0.99.0/28 is directly connected, Loopback99
    L        10.0.99.1/32 is directly connected, Loopback99
    O        10.1.0.0/24 [110/12] via 10.0.1.2, 00:05:45, GigabitEthernet0/1
    O        10.2.0.0/24 [110/12] via 10.0.1.2, 00:05:45, GigabitEthernet0/1
    O        10.3.0.0/24 [110/12] via 10.0.1.2, 00:05:45, GigabitEthernet0/1
    O        10.4.0.0/24 [110/12] via 10.0.1.2, 00:05:45, GigabitEthernet0/1
    O        10.5.0.0/24 [110/12] via 10.0.1.2, 00:05:45, GigabitEthernet0/1
    O        10.6.0.0/24 [110/12] via 10.0.1.2, 00:05:45, GigabitEthernet0/1
    O        10.7.0.0/24 [110/12] via 10.0.1.2, 00:05:45, GigabitEthernet0/1
    O        10.60.0.1/32 [110/1001] via 10.0.0.2, 1d23h, Tunnel0
    O        10.60.0.2/32 [110/1002] via 10.0.0.2, 1d23h, Tunnel0
    O        10.61.0.0/24 [110/1002] via 10.0.0.2, 1d23h, Tunnel0
    O        10.62.0.0/24 [110/1002] via 10.0.0.2, 1d23h, Tunnel0
    O        10.63.0.0/24 [110/1002] via 10.0.0.2, 1d23h, Tunnel0
    O        10.64.0.0/24 [110/1002] via 10.0.0.2, 1d23h, Tunnel0
    O        10.65.0.0/24 [110/1002] via 10.0.0.2, 1d23h, Tunnel0
    O        10.66.0.0/24 [110/1002] via 10.0.0.2, 1d23h, Tunnel0
    O        10.67.0.0/24 [110/1002] via 10.0.0.2, 1d23h, Tunnel0
    O        10.70.0.1/32 [110/1001] via 10.0.0.4, 1d23h, Tunnel0
    O        10.70.0.2/32 [110/1002] via 10.0.0.4, 1d23h, Tunnel0
    O        10.71.0.0/24 [110/1002] via 10.0.0.4, 1d23h, Tunnel0
    O        10.72.0.0/24 [110/1002] via 10.0.0.4, 1d23h, Tunnel0
    O        10.73.0.0/24 [110/1002] via 10.0.0.4, 1d23h, Tunnel0
    O        10.74.0.0/24 [110/1002] via 10.0.0.4, 1d23h, Tunnel0
    O        10.75.0.0/24 [110/1002] via 10.0.0.4, 1d23h, Tunnel0
    O        10.76.0.0/24 [110/1002] via 10.0.0.4, 1d23h, Tunnel0
    O        10.77.0.0/24 [110/1002] via 10.0.0.4, 1d23h, Tunnel0
    O        10.80.0.1/32 [110/1001] via 10.0.0.3, 1d23h, Tunnel0
    O        10.80.0.2/32 [110/1002] via 10.0.0.3, 1d23h, Tunnel0
    O        10.81.0.0/24 [110/1002] via 10.0.0.3, 1d23h, Tunnel0
    O        10.82.0.0/24 [110/1002] via 10.0.0.3, 1d23h, Tunnel0
    O        10.83.0.0/24 [110/1002] via 10.0.0.3, 1d23h, Tunnel0
    O        10.84.0.0/24 [110/1002] via 10.0.0.3, 1d23h, Tunnel0
    O        10.85.0.0/24 [110/1002] via 10.0.0.3, 1d23h, Tunnel0
    O        10.86.0.0/24 [110/1002] via 10.0.0.3, 1d23h, Tunnel0
    C        10.100.0.1/32 is directly connected, Loopback0
    O        10.100.0.2/32 [110/12] via 10.0.1.2, 00:05:45, GigabitEthernet0/1
          /32 is subnetted, 1 subnets
    C        is directly connected, Dialer0
          /32 is subnetted, 1 subnets
    C        is directly connected, Dialer0
    -Please provide sh ip route on the switch
    SWITCH#sh ip route
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
           + - replicated route, % - next hop override
    Gateway of last resort is 10.0.11.1 to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via 10.0.11.1
          10.0.0.0/8 is variably subnetted, 60 subnets, 3 masks
    O        10.0.0.1/32 [110/11] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.0.0.2/32 [110/1011] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.0.0.3/32 [110/1011] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.0.0.4/32 [110/1011] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.0.1.0/30 [110/11] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    C        10.0.11.0/30 is directly connected, GigabitEthernet0/2
    L        10.0.11.2/32 is directly connected, GigabitEthernet0/2
    O        10.0.60.0/30 [110/1012] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.0.66.1/32 [110/1012] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.0.70.0/30 [110/1012] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.0.77.1/32 [110/1012] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.0.80.0/30 [110/1012] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.0.88.1/32 [110/1012] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.0.99.1/32 [110/12] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    C        10.1.0.0/24 is directly connected, Vlan1
    L        10.1.0.1/32 is directly connected, Vlan1
    C        10.2.0.0/24 is directly connected, Vlan2
    L        10.2.0.1/32 is directly connected, Vlan2
    C        10.3.0.0/24 is directly connected, Vlan3
    L        10.3.0.1/32 is directly connected, Vlan3
    C        10.4.0.0/24 is directly connected, Vlan4
    L        10.4.0.1/32 is directly connected, Vlan4
    C        10.5.0.0/24 is directly connected, Vlan5
    L        10.5.0.1/32 is directly connected, Vlan5
    C        10.6.0.0/24 is directly connected, Vlan6
    L        10.6.0.1/32 is directly connected, Vlan6
    C        10.7.0.0/24 is directly connected, Vlan7
    L        10.7.0.1/32 is directly connected, Vlan7
    C        10.8.0.0/24 is directly connected, Vlan8
    L        10.8.0.1/32 is directly connected, Vlan8
    C        10.9.0.0/24 is directly connected, Vlan9
    L        10.9.0.1/32 is directly connected, Vlan9
    O        10.60.0.1/32 [110/1012] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.60.0.2/32 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.61.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.62.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.63.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.64.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.65.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.66.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.67.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.70.0.1/32 [110/1012] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.70.0.2/32 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.71.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.72.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.73.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.74.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.75.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.76.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.77.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.80.0.1/32 [110/1012] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.80.0.2/32 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.81.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.82.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.83.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.84.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.85.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.86.0.0/24 [110/1013] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    O        10.100.0.1/32 [110/12] via 10.0.11.1, 00:07:36, GigabitEthernet0/2
    C        10.100.0.2/32 is directly connected, Loopback0
    Thanks again for your help
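The original post's `route outside 0.0.0.0 255.255.255.255 10.0.1.1 1` is the detail the reply above fixes: with that mask it is a /32 host route to the address 0.0.0.0, not a default, hence `No route to host 8.8.8.8`. The rest of the posted config also shows `permit ip any any` on the ACLs bound to outside, inside and globally, which means the ASA inserted "for added protection" filters nothing, and the `permit tcp any any eq www` entries after those lines can never match; telnet is also enabled for management, authenticated against TACACS+, so those credentials would cross the wire in cleartext. The Python script below is an added example, not part of the post and not a Cisco tool. It runs those three checks over a constructed excerpt of the posted config (the `ASA_CONFIG` string, assembled from lines quoted above) and prints the findings.

```python
import ipaddress
import re

# Constructed sample: lines quoted from the ASA 8.4(2) config in the post above,
# trimmed to the statements the checks below look at. Not a complete configuration.
ASA_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.0.1.2 255.255.255.252
access-list outside_access_in extended permit ip any any log
access-list outside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit ip any any log
access-list inside_access_in extended permit tcp any any eq www
access-list global_access extended permit ip any any
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group global_access global
route outside 0.0.0.0 255.255.255.255 10.0.1.1 1
route inside 10.0.0.0 255.0.0.0 10.0.11.2 1
route management 10.122.0.200 255.255.255.255 10.122.0.1 1
telnet 10.122.0.200 255.255.255.255 management
telnet timeout 5
ssh 10.122.0.200 255.255.255.255 management
"""

ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?$")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")
GROUP_IF_RE = re.compile(r"^access-group\s+(\S+)\s+(?:in|out)\s+interface\s+(\S+)$")
GROUP_GLOBAL_RE = re.compile(r"^access-group\s+(\S+)\s+global$")
ANY = {"any", "any4", "any6"}


def parse_asa(config: str):
    """Collect the route, access-list, access-group and telnet statements."""
    routes, acls, bindings, telnet = [], {}, [], []
    for raw in config.splitlines():
        line = raw.strip()
        if m := ROUTE_RE.match(line):
            iface, net, mask, gw, dist = m.groups()
            routes.append((line, iface, net, mask, gw, int(dist or 1)))
        elif m := ACL_RE.match(line):
            name, action, proto, rest = m.groups()
            acls.setdefault(name, []).append((line, action, proto, rest))
        elif m := GROUP_IF_RE.match(line):
            bindings.append((m.group(1), m.group(2)))
        elif m := GROUP_GLOBAL_RE.match(line):
            bindings.append((m.group(1), "global"))
        elif line.startswith("telnet ") and not line.startswith("telnet timeout"):
            telnet.append(line)
    return routes, acls, bindings, telnet


def is_permit_everything(action: str, proto: str, rest: str) -> bool:
    """True for 'permit ip any any' (any4/any6 too); 'log ...' options are ignored."""
    toks = rest.split()
    if "log" in toks:
        toks = toks[:toks.index("log")]
    return action == "permit" and proto == "ip" and len(toks) == 2 and all(t in ANY for t in toks)


def check_routes(routes) -> list:
    """Flag a 'default' written with a non-zero mask: 0.0.0.0 255.255.255.255 is a
    /32 host route to 0.0.0.0, which is why the ASA answered 'No route to host'."""
    findings = []
    for line, iface, net, mask, gw, dist in routes:
        try:
            network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        except ValueError as exc:
            findings.append(f"{line}: unparsable network/mask ({exc})")
            continue
        if net == "0.0.0.0" and network.prefixlen != 0:
            findings.append(f"{line}: {network} is a host route, not a default; "
                            f"use 'route {iface} 0.0.0.0 0.0.0.0 {gw} {dist}'")
    return findings


def check_acls(acls, bindings) -> list:
    """Flag any-any permits on ACLs that are actually applied, and the ACEs they shadow."""
    findings = []
    for name, where in bindings:
        aces = acls.get(name, [])
        for i, (line, action, proto, rest) in enumerate(aces):
            if is_permit_everything(action, proto, rest):
                findings.append(f"{name} ({where}): '{line}' passes all traffic; the firewall filters nothing here")
                for later, *_ in aces[i + 1:]:
                    findings.append(f"{name} ({where}): '{later}' is shadowed by that permit and never matches")
                break
    return findings


def check_mgmt(telnet) -> list:
    """Telnet is cleartext; the posted config authenticates telnet against TACACS+."""
    return [f"{line}: cleartext management access, prefer ssh only" for line in telnet]


def audit(config: str) -> dict:
    routes, acls, bindings, telnet = parse_asa(config)
    return {"routes": check_routes(routes),
            "acls": check_acls(acls, bindings),
            "mgmt": check_mgmt(telnet)}


if __name__ == "__main__":
    for section, items in audit(ASA_CONFIG).items():
        for item in items:
            print(f"[{section}] {item}")
```

The route check is the one that would have caught the original problem before the first ping; the ACL check is what to run once the box forwards traffic, since a `permit ip any any` on the outside interface leaves only the `log` keyword as the "protection" the ASA was put in for.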
