OSPF with InterVlan Routing

Dear All,
Please help me about it ...
I have designed the same network and it is working fine on RIPv2, but I want it on OSPF. It works in Packet Tracer but not in GNS3. In this diagram there are multiple areas and there are three ABRs connected to the backbone area. The other interfaces are in area 1, area 2 and area 3 respectively, and on that side I need the interVLAN routing.
Is it possible in OSPF, the same as in the diagram?
What type of OSPF (point-to-point or point-to-multipoint) will be required, as R1 is the backbone router further connected to the Internet via BGP?
Please sir, advise me about it.
Thanks
Best Regards
Ali Khan

Hi Jon,
Thank you very much,
1) The link between the ABRs and R1 is a wireless 1.4 gig bridge link over a 5 km distance, and the interface is configured with ip ospf network point-to-point.
2) In Packet Tracer all the neighbours are displayed with their router-id, and in GNS3 as well, but it does not show the routes of the other interfaces, like area 1 or area 2. That means the backbone router does not show the routes of the other areas (area 1, area 2 and area 3).
3) I have tried a lot and I don't think that I missed any route, but the backbone area does not show the routes of the subinterfaces (for VLAN, Router on the Stack).
Thanks
Ali

Similar Messages

  • SGE2010 layer 3 problem with intervlan routing setup

    I am new to the small business switches and could use some assistance in configuring intervlan routing between multiple vlans on the switch. I have changed the mode to layer 3 and setup the vlans. When I enter an IP address for VLAN2, I am disconnecting from the configuration interface (VLAN1 ip) on the switch and I cannot access the switch unless I reset it. I have tried this several times and each time it behaves the same. Is there something else I need to setup before configuring the ip address for the other VLANs?

    Hi Jacqueline,
    Thank you for participating in the Small Business support community. My name is Nico Muselle from Cisco Sofia SBSC.
    This is the normal way for the switch to behave. There are 2 ways to work around this.
    You assign a port to VLAN2. After configuration of the IP address, you connect your PC to this port and make sure it is in the same subnet as the VLAN 2 IP address.
    You assign a static IP to the default vlan first and make sure your connected PC is in the same subnet.
    The reason for this behaviour is that the switch has its DHCP client enabled; if no DHCP server is available it will revert to its default IP 192.168.1.254 (through which I assume you connect for configuration).
    However, once you configure a static IP on the switch, the DHCP client and the default IP are disabled, which means that the IP address obtained from the DHCP or the default IP of 192.168.1.254 are no longer reachable.
    I would go with step 2, as this is the easiest workaround for your issue and you would want a static IP in the default VLAN anyway I suppose.
    Hope this helps !
    Best regards,
    Nico Muselle
    Sr. Network Engineer - CCNA

  • Problem with intervlan routing on 4506...no dhcp either of course

    Is anyone having an issue getting their 4500 series to route? I have turned on ip routing and nothing...they cannot see across the vlans...
    I have attached the core switch (2980g) config that our cs-4506 connects to and our windows2003 dhcp configuration. Any help or suggestions greatly welcome... TIA, gary

    It looks like it should work as long as you know that the workstations have an address in the 192.168.0.0 255.255.224.0 subnet and their default gateway on the NIC is pointed to 192.168.0.253. Put a workstation on the 2980 with, say, an address 192.168.1.1 255.255.224.0 and its default gateway at 192.168.0.253. You should be able to ping the switch address and the default gateway, as they are in the same vlan and there isn't any routing involved. Then try to ping anything in vlan 3. It should work; if not, then I'm out of ideas. Just make sure you also see all your subnets in your 4500 when you do a "show ip route". Just for grins, also on the 4500, on the port that connects the 2980, put "switchport mode access" and also "switchport access vlan 1". This shouldn't make any difference, but can't see any other reason why it isn't working at this point.

  • Help with simple interVlan routing on L3 switch

    Hi all - I just can't get my head around this really simple interVlan routing issue.  I have two VLANs (1 & 6) on a 3560 L3 switch.  I simply need to route between them.  Here is how I have it set up:
    Firewall is the VLAN1 client's default gateway:
    10.10.22.1 /255.255.255.0
    3560switch config:
    ip subnet-zero
    ip routing
    VLAN1:
    (hosts on 10.10.22.x/255.255.255.0; gateway 10.10.22.1)
    int vlan1
    ip address 10.10.22.254 255.255.255.0
    no shutdown
    VLAN6: (hosts on 192.168.25.x/255.255.255.0; gateway 192.168.25.1)
    ip address 192.168.25.1 255.255.255.0
    no shutdown
    ip classless
    int gi0/31 (an available unused port)
    no switchport
    ip address ?.?.?.?
    no shutdown
    Is the issue that all my 10.10.22.x clients are going to 10.10.22.1 trying to find 192.168.25.x, when they would need to go to 10.10.22.254; then the switch should have an ip route of 0.0.0.0 0.0.0.0 10.10.22.1? Then give the router on gi0/31 the 10.10.22.254 address?
    (as a side note, it would be easier for me to change the gateway's IP than to change each VLAN1 client's IP.)
    Thanks for any help!

    Hi,
    With the above configuration, vlan 1 users will be going to the firewall, and if they want to reach vlan 6 the firewall should have a rule to permit the vlan 6 subnet and a route towards the vlan 6 interface, which is not there in your network.
    Just clarify a few things: do you want the firewall to come into the picture for all traffic which goes between vlans or not? And on interface gi0/31 you will be connecting a router; is this router also sending traffic to the outside world? If yes, then you need to change some design configuration to route the traffic from the vlans to the outside world.
    If you want only inter vlan routing between vlan 1 and vlan 6 via the firewall, then make another zone in the firewall and place that in vlan 6 with an ip address as given in vlan 1, so that vlan 6 users can point traffic towards the vlan 6 interface of the firewall; in the firewall just permit the vlan 6 communication with vlan 1 and drop a route for vlan 6 towards the switch vlan 6 interface.
    And if between vlans you don't want the firewall to come into the picture, then the best is to create three vlans, one for vlan 1, vlan 6 and an outside vlan between router and firewall, and drop a default route towards the firewall. In this case inter vlan routing will be taken care of by the switch, and traffic towards the outside world will be scanned as per the rules given in the firewall.
    Hope to help
    If helpful do rate the post
    Ganesh.H

  • Best practice for intervlan routing?

    Are there some best practices for intervlan routing?
    I've been reading a lot and I have seen these scenarios
    router on a stick
    intervlan at core layer
    intervlan at distribution layer.
    or is intervlan needed at all if the switches will do the routing?
    I've done all of the above but I just want to know what's current.

    The simple answer is it depends because there is no one right solution for everyone. 
    So there are no specific best practices. For example in a small setup where you may only need a couple of vlans you could use a L2 switch connected to a router or firewall using subinterfaces to route between the vlans.
    But that is not a scalable solution. The commonest approach in any network where there are multiple vlans is to use L3 switches to do this. This could be a pair of switches interconnected and using HSRP/GLBP/VRRP for the vlans or it could be stacked switches/VSS etc. You would then dual connect your access layer switches to them.
    In terms of core/distro/access layer in general if you have separate switches performing each function you would have the inter vlan routing done on the distribution switches for all the vlans on the access layer switches. The core switches would be used to route between the distribution switches and other devices eg. WAN routers, firewalls, maybe other distribution switch pairs.
    Again, generally speaking, you may well not need vlans on the core switches at all ie. you can simply use routed links between the core switches and everything else. 
    The above is quite a common setup but there are variations eg. -
    1) a collapsed core design where the core and distribution switches are the same pair. For a single building with maybe a WAN connection plus internet this is quite a common design because having a completely separate core is usually quite hard to justify in terms of cost etc.
    2) a routed access layer. Here the access layer switches are L3 and the vlans are routed at the access layer. In this instance you may not even need vlans on the distribution switches although again to save cost often servers are deployed onto those switches so you may.
    So a lot of it comes down to the size of the network and the budget involved as to which solution you go with.
    All of the above is really concerned with non DC environments.
    In the DC the traditional core/distro or aggregation/access layer was also used and still is widely deployed but in relatively recent times new designs and technologies are changing the environment which could have a big impact on vlans.
    It's mainly to do with network virtualisation, where the vlans are defined and where they are not only routed but where the network services such as firewalling, load balancing etc. are performed.
    It's quite a big subject so I didn't want to confuse the general answer by going into it but feel free to ask if you want more details.
    Jon

  • Meaning of this show IP route output in InterVLAN routing (subnet calculation) - did i get mistaken ?

    Hi all,
    I am reading the configuration of interVLAN routing on 3750 from cisco @
    http://www.cisco.com/c/en/us/support/docs/lan-switching/inter-vlan-routing/41260-189.html
    There are 3 VLAN created on the L3 switch namely
    VLAN10 - 10.1.10.0/24 network
    VLAN 2 - 10.1.2.0/24 network
    VLAN 3 - 10.1.3.0/24 network
    But in the show ip route results (see bold red), why does it indicate that 10.0.0.0/24 is subnetted? How is it subnetted?
    10.1.10.0/24, 10.1.2.0/24 and 10.1.3.0/24 all belong to different networks and are not subnetted out from 10.0.0.0/24.
    How does the calculation go?
    Cat3550#show ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
    E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
    i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
    * - candidate default, U - per-user static route, o - ODR
    P - periodic downloaded static route
    Gateway of last resort is 200.1.1.2 to network 0.0.0.0
    200.1.1.0/30 is subnetted, 1 subnets
    C 200.1.1.0 is directly connected, FastEthernet0/48
    10.0.0.0/24 is subnetted, 3 subnets
    C 10.1.10.0 is directly connected, Vlan10
    C 10.1.3.0 is directly connected, Vlan3
    C 10.1.2.0 is directly connected, Vlan2
    S* 0.0.0.0/0 [1/0] via 200.1.1.2
    Please advise
    Regards,
    Noob

    Noob
    Jon is quite correct that in modern usage we tend to treat network and subnet as almost interchangeable. But technically there is a difference and that difference becomes significant for the kind of question that you are asking. There is no "network" 10.0.0.0/10. 10.0.0.0/10 is a subnet of the class A network 10.0.0.0/8. You are correct that 10.0.0.0/10 can be further subnetted but that does not make 10.0.0.0/10 into a "network".
    To go a step further in explaining this perhaps we can think of designing a network for a company that has offices in several cities. We might assign 10.0.0.0/10 as the network for the Chicago office, and 10.64.0.0/10 as the network for the New York office, and 10.128.0.0/10 as the network for the Atlanta office and 10.192.0.0/10 as the network for the Los Angeles office. (Note that while I called them network here they are actually subnets of class A 10.0.0.0/8) Within each city we might further subnet their block of addresses to create multiple subnets for each city.
    It might help to think about how Cisco organizes the routing table to support the routing function. When a router receives a packet and needs to make a forwarding decision it searches the routing table looking for the longest match. In functional terms what it is doing is to identify what network the packet belongs to and then to determine whether that network has been subnetted, and if so to which subnet does the packet go. So Cisco organizes the routing table to identify the network on one line and then to identify the subnets on lines below the network line. So in your original post the line in red
     10.0.0.0/24 is subnetted, 3 subnets
    is telling us about the network and the lines below it are telling us about the subnets that it knows of that network.
    It also seems that you are looking at 10.0.0.0/24 as if that were a single piece of information indicating that 10.0.0.0/24 is present in the routing table. That is not what is actually indicated. There are two separate and distinct pieces of information in that.
    1) the network is 10.0.0.0 (a class A network)
    2) the network is subnetted consistently using a /24 mask
    HTH
    Rick
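The classful grouping Rick describes, as an added example that is not part of the original thread: the Python below rebuilds the routing-table header lines from the prefixes in the question's `show ip route` output. It goes one step beyond the thread by also producing the "variably subnetted" header; `VLSM_ROUTES` and the function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Prefixes taken from the "show ip route" output quoted in the question above.
PAGE_ROUTES = ["200.1.1.0/30", "10.1.10.0/24", "10.1.3.0/24", "10.1.2.0/24", "0.0.0.0/0"]

# Constructed sample (not from the page): one major network with two mask lengths.
VLSM_ROUTES = ["172.16.1.0/24", "172.16.2.0/24", "172.16.255.0/30"]


def classful_network(prefix):
    """Return the class A/B/C major network that contains `prefix` (a string)."""
    net = ipaddress.ip_network(prefix)
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        major_len = 8       # class A
    elif first_octet < 192:
        major_len = 16      # class B
    elif first_octet < 224:
        major_len = 24      # class C
    else:
        raise ValueError(f"{prefix} is not in class A, B or C space")
    # strict=False masks off the host bits, leaving the major network.
    return ipaddress.ip_network(f"{net.network_address}/{major_len}", strict=False)


def major_network_headers(prefixes):
    """Map each major network address to the header line the table prints for it.

    Only true subnets (mask longer than the classful mask) are grouped; the
    default route and routes equal to a whole major network get no header.
    """
    groups = defaultdict(list)
    for prefix in prefixes:
        net = ipaddress.ip_network(prefix)
        major = classful_network(prefix)
        if net.prefixlen > major.prefixlen:
            groups[major].append(net)

    headers = {}
    for major, subnets in groups.items():
        masks = sorted({n.prefixlen for n in subnets})
        key = str(major.network_address)
        if len(masks) == 1:
            # Two facts on one line: the major network address, and the single
            # mask length shared by all of its known subnets.
            headers[key] = f"{key}/{masks[0]} is subnetted, {len(subnets)} subnets"
        else:
            # Mixed masks: the header shows the classful mask instead.
            headers[key] = (f"{major} is variably subnetted, "
                            f"{len(subnets)} subnets, {len(masks)} masks")
    return headers


if __name__ == "__main__":
    for line in major_network_headers(PAGE_ROUTES).values():
        print(line)
    for line in major_network_headers(VLSM_ROUTES).values():
        print(line)
```
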

  • Need help InterVlan Routing on SF300-24P? .

    Hello
    I really need help with inter vlan routing via Kerio Control 7.4.1.
    I have several SF300-24P switches (IOS 1.3.0.62) and I have created several VLANs.
    Vlans: Vlan 10, 100, 200 and interface vlan 213 (for management).
    I can ping hosts in the same Vlan via these switches. From switch to host, the port is in access mode, and between switches the ports are in Trunk mode
    (also I had a problem here, the trunk wasn't working until I used the command: switchport trunk allowed vlan add all).
    Also the port is in Trunk mode between KERIO and SW1 (switch). The interface is in TRUNK mode from the switch's side because I don't know how to configure interface TRUNK mode on Kerio.
    On Kerio I have configured one physical interface with IP - 172.16.0.1 255.255.255.0 and on the same interface I have created
    VLAN 10, VLAN 100 and VLAN 200.
    static IP's for this interfaces:
    10.0.0.1 255.255.255.0 VLAN 10
    192.168.100.1 255.255.255.0 VLAN 100
    192.168.200.1 255.255.255.0 VLAN 200
    On KERIO I have created a DHCP lease for each VLAN, but I cannot get IPs from DHCP. So I assigned static IPs to computers
    (for example for VLAN100 PC, VLAN 200 PC and so on) but they cannot ping each other when they are in different vlans, so inter vlan routing is not working. But with a static IP on the PC, I can ping every VLAN's IP address on KERIO.
    So please tell me how I must configure inter vlan routing on Kerio; is it possible?
    Or what must I do? Where is my mistake? Maybe when I put an IP on the physical interface?
    Here are my configs; please help and give me a config example.
    config-file-header
    SW1
    v1.3.0.62 / R750_NIK_1_3_647_260
    CLI v1.0
    set system mode switch
    file SSD indicator plaintext
    vlan database
    vlan 10,100,200,213
    exit
    voice vlan oui-table add 0001e3 Siemens_AG_phone________
    voice vlan oui-table add 00036b Cisco_phone_____________
    voice vlan oui-table add 00096e Avaya___________________
    voice vlan oui-table add 000fe2 H3C_Aolynk______________
    voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
    voice vlan oui-table add 00d01e Pingtel_phone___________
    voice vlan oui-table add 00e075 Polycom/Veritel_phone___
    voice vlan oui-table add 00e0bb 3Com_phone______________
    hostname SW1
    username administrator password encrypted 7fc3774d79570c81cda124d5dcf80b8ae0fcdd6c privilege 15
    username cisco password encrypted 1defefd1f4a214009775b2c2b6b961a77da384b5 privilege 15
    interface vlan 10
    name Staff
    interface vlan 100
    name Cards
    interface vlan 200
    name AP's
    interface vlan 213
    name Management
    ip address 172.16.213.1 255.255.255.0
    no ip address dhcp
    interface fastethernet1
    description MANAGEMENT-VLAN
    spanning-tree disable
    switchport mode access
    switchport access vlan 213
    interface fastethernet2
    spanning-tree disable
    switchport mode general
    switchport general acceptable-frame-type untagged-only
    interface fastethernet3
    spanning-tree disable
    switchport mode general
    switchport general acceptable-frame-type untagged-only
    interface fastethernet4
    spanning-tree disable
    switchport mode access
    switchport access vlan 200
    interface fastethernet5
    spanning-tree disable
    switchport mode access
    switchport access vlan 200
    interface fastethernet6
    spanning-tree disable
    switchport mode access
    switchport access vlan 100
    interface fastethernet7
    spanning-tree disable
    switchport mode access
    switchport access vlan 100
    interface gigabitethernet1
    description Direction-To-SW2       <--- This port is Trunk, but its not showing here for some reason.
    spanning-tree disable
    interface gigabitethernet2
    description Direction-To-KERIO  <--- This port is Trunk also.   i used: switchport mode trunk on both interfaces
    spanning-tree disable
    exit
    banner login 
    SW1
    config-file-header
    SW2
    v1.3.0.62 / R750_NIK_1_3_647_260
    CLI v1.0
    set system mode switch
    file SSD indicator encrypted
    ssd-control-start
    ssd config
    ssd file passphrase control unrestricted
    no ssd file integrity control
    ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
    vlan database
    vlan 10,100,200,213
    exit
    voice vlan oui-table add 0001e3 Siemens_AG_phone________
    voice vlan oui-table add 00036b Cisco_phone_____________
    voice vlan oui-table add 00096e Avaya___________________
    voice vlan oui-table add 000fe2 H3C_Aolynk______________
    voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
    voice vlan oui-table add 00d01e Pingtel_phone___________
    voice vlan oui-table add 00e075 Polycom/Veritel_phone___
    voice vlan oui-table add 00e0bb 3Com_phone______________
    hostname SW2
    username administrator password encrypted 7fc3774d79570c81cda124d5dcf80b8ae0fcdd6c privilege 15
    username cisco password encrypted 1defefd1f4a214009775b2c2b6b961a77da384b5 privilege 15
    interface vlan 10
    name Staff
    interface vlan 100
    name Cards
    interface vlan 200
    name AP's
    interface vlan 213
    name Management
    ip address 172.16.213.2 255.255.255.0
    no ip address dhcp
    interface fastethernet1
    description MANAGEMENT-VLAN
    spanning-tree disable
    switchport mode access
    switchport access vlan 213
    interface fastethernet2
    spanning-tree disable
    switchport mode general
    switchport general acceptable-frame-type untagged-only
    interface fastethernet3
    spanning-tree disable
    switchport mode general
    switchport general acceptable-frame-type untagged-only
    interface fastethernet4
    spanning-tree disable
    switchport mode access
    switchport access vlan 200
    interface fastethernet5
    spanning-tree disable
    switchport mode access
    switchport access vlan 200
    interface fastethernet6
    spanning-tree disable
    switchport mode access
    switchport access vlan 100
    interface fastethernet7
    spanning-tree disable
    switchport mode access
    switchport access vlan 100
    interface fastethernet8
    spanning-tree disable
    switchport mode access
    switchport access vlan 100
    interface gigabitethernet1
    description Direction-To-SW1    <--- This port is Trunk also.   i used: switchport mode trunk
    exit
    banner login 
    SW2
    I have excluded many interfaces because they have the same configs.

    Yes, Kerio is capable of routing. I wanted to do InterVlan routing via Kerio Control, but I can't, and that's why I asked here; I need to know the reason.
    I have changed 1 switch to L3, and inter vlan routing is now working (without Kerio), and I hope these switches don't have a problem when they are the DHCP server also.
    Thanks for the help. I hope I did not have many mistakes in the config.

  • Nexus 5K OSPF with vPC

    Hi,
    I know it is well documented using IGP's, more specifically OSPF with 7K's and vPC's but when it comes to the same thing on 5K's I am still a little confused.
    My topology is:
    5K01 and 5K02 are connected and are vPC peers, I currently have a management network on VLAN 114, both 5k's have SVI's on this and are currently OSPF neighbors over their vPC using this vlan.
    I have an MPLS router (service provider PE) which is 2 routers but clustered, so logically in this instance it is one router. The 5K's will be connecting to this PE router via some switches over a vPC, and it needs to become an OSPF neighbor to both the 5K's.
    Looking at this post:
    http://adamraffe.com/2013/03/08/l3-over-vpc-nexus-7000-vs-5000/
    It suggests that I can just add VLAN 114 to the vPC up to the PE and turn OSPF on on the interface on the PE, although this will not support Multicast and I don't really want to restrict myself as this may be a future requirement.
    What I thought might be a better solution would be to designate a new vlan and allow it on the vPC up to the PE and use that for the OSPF neighborships between the 5K's and the PE and not allowing it over the vPC peer link - leaving the 5K's neighborship over vlan 114.
    Can someone tell me what the best practice/supported topology is here and maybe provide some cisco links?
    Thanks a lot in advance.

    You have to be very careful when configuring L3 services and interfaces while using VPC. 
    Take a look at this document:
    http://www.cisco.com/c/dam/en/us/td/docs/switches/datacenter/sw/design/vpc_design/vpc_best_practices_design_guide.pdf
    Also, take a look at this post:
    http://bradhedlund.com/2010/12/16/routing-over-nexus-7000-vpc-peer-link-yes-and-no/
    You can create a vlan used exclusively for Nexus-to-Nexus iBGP peering.  Use a new 'access' link between the two switches and place them on the new vlan.  Make sure that this VLAN does not traverse the VPC peer link.  Then, create SVIs on each switch for that VLAN and peer over that link.  Then, you can create a L3 link on each nexus to peer with your eBGP neighbors.
    The point you want to make sure you understand is the VPC loop prevention mechanism that says "If a packet is received on a VPC port, traverses the VPC peer link, it is not allowed to egress on a VPC port."

  • SRP 546W Intervlan Routing and ACL

    Hi,
    how can I configure Access Control Lists to manage the communication between different vlan? As I activate Intervlan Routing, all vlan members can communicate together.
    Thanks a lot.
    Thomas

    Thomas,
    Intervlan Routing on the SRP routers is all or none. You cannot choose which VLAN members can communicate with other VLANs.
    - Marty

  • Etherchannel on esw520s and intervlan routing

    Hello
    I have a couple of uc520s
    2 - esw - 520-24p
    2 - esw - 520-48p
    1 - 3560x switch
    The 3560x is our core switch. My uplinks are between the core and the 4 esw. I was able to get the etherchannels configured and "working"; however, because vlan 1 on the esw is the native vlan, I changed the native vlan to be vlan 20 and I'm really struggling with this.
    I have 5 vlans configured on the 4 esw switches: data, voice, management, servers, guest.
    I can't get the intervlan routing to work properly on the esw. If I configure any vlan on the 3560 I have access to the management vlan;
    however, if I connect my PC to any port on the esw switches I don't have access to the management vlan at all. For some reason intervlan routing isn't properly working. If I want to have access to the management vlan on the esw switches I need to assign a port on the esw to be on the management vlan.
    If I use the common scenario, all the ports being voice + data, I can't manage any of the switches at all.
    What else should I do to get this fixed?
    Is it something on the etherchannels or am I missing something else?
    thanks

    Hi,
    Can you put up your network in a diagrammatic representation, so that it will be helpful for better understanding.
    Ganesh.H

  • HSRP over Intervlan routing

    I am really having problem with the implementation of HSRP over intervlan routing.
    I configured HSRP for multiple Vlans (10 & 20), but both of the routers are in the Active state. I couldn't figure out where the problem lies.
    I have two routers (Cisco AS5300) and a Cisco 2950 Switch.
    The brief configuration is as follows:
    ROUTER1:
    interface FastEthernet0/0
    no ip address
    duplex auto
    speed auto
    interface FastEthernet0/0.10
    encapsulation dot1Q 10
    ip address 192.168.0.2 255.255.255.0
    standby 1 ip 192.168.0.1
    standby 1 priority 110
    standby 1 preempt
    interface FastEthernet0/0.20
    encapsulation dot1Q 20
    ip address 192.168.1.2 255.255.255.0
    standby 2 ip 192.168.1.1
    ROUTER2:
    interface FastEthernet0/0
    no ip address
    duplex auto
    speed auto
    interface FastEthernet0/0.10
    encapsulation dot1Q 10
    ip address 192.168.0.3 255.255.255.0
    standby 1 ip 192.168.0.1
    interface FastEthernet0/0.20
    encapsulation dot1Q 20
    ip address 192.168.1.3 255.255.255.0
    standby 2 ip 192.168.1.1
    standby 2 priority 110
    standby 2 preempt
    SWITCH:
    In the trunk ports, I have configured,
    (config-if)# switchport trunk encapsulation dot1q  native vlan 1
    (config-if)# switchport mode trunk 
    Hoping for  favourable responses from you mentors.
    Regards,
    Ganesh Dhungana

    Ganesh Dhungana wrote: I have two routers which are connected to the switch. Cisco 2950 is just there for the intervlan routing. Doesn't it support the intervlan routing?? I have configured the HSRP on two Cisco AS5300 Routers. Darren, I am not clear with your logic, would you please clarify me? Regards, Ganesh
    Sorry, I misread your original post - I thought you were trying to use the 2950 in the HSRP group. And I thought you typed ASA5530, not AS5530. Two strikes for me. Mea culpa.
    Have you actually created VLAN 10 and VLAN 20 on your switch? I don't believe the switch will trunk tagged frames unless the VLANs actually exist.
    Also, the documentation I've found on the AS5300 (I've never used one) seems to indicate you should put the command "standby name " into your configuration - although that may only be needed for IPSec VPN configurations on the AS5300 - see
    http://www.cisco.com/en/US/docs/ios/12_1/12_1e9/feature/guide/ft_ipsha.html for what I'm talking about.
    Sorry for the original screw up - teach me to read and try to reply coherently after a 12 hour shift!
    Cheers.

  • InterVlan Routing and an ASA5520

    Hey Guys,
    I'm having problems getting something to work. First off, let me give you the topology and the configs:
    Config R1
    Vlan Database:
    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa1/1, Fa1/2, Fa1/3, Fa1/4
                                                    Fa1/5, Fa1/6, Fa1/7, Fa1/8
                                                    Fa1/9, Fa1/10
    10   SERVER                           active    Fa1/14
    30   CLIENTS                          active    Fa1/13
    100  Inside                           active
    101  LIFESIZE                         active    Fa1/12
    250  Mgmt                             active    Fa1/11
    1000 Outside                          active    Fa1/15
    1002 fddi-default                     active
    1003 token-ring-default               active
    1004 fddinet-default                  active
    1005 trnet-default                    active
    Trunks:
    Port      Mode         Encapsulation  Status        Native vlan
    Fa1/0     on           802.1q         trunking      1
    Port      Vlans allowed on trunk
    Fa1/0     1-1005
    Port      Vlans allowed and active in management domain
    Fa1/0     1,10,30,100-101,250,1000
    Port      Vlans in spanning tree forwarding state and not pruned
    Fa1/0     1,10,30,100-101,250,1000
    Running Config:
    interface FastEthernet1/0
     switchport mode trunk
    interface FastEthernet1/11
     switchport access vlan 250
     duplex full
     speed 100
     spanning-tree portfast
    !
    interface FastEthernet1/12
     switchport access vlan 101
     duplex full
     speed 100
     spanning-tree portfast
    !
    interface FastEthernet1/13
     switchport access vlan 30
     duplex full
     speed 100
     spanning-tree portfast
    !
    interface FastEthernet1/14
     switchport access vlan 10
     duplex full
     speed 100
     spanning-tree portfast
    !
    interface FastEthernet1/15
     switchport access vlan 1000
    !
    interface Vlan1
     no ip address
    !
    interface Vlan10
     description SERVER
     no ip address
    !
    interface Vlan20
     description DRUCKER
     ip address 10.11.20.254 255.255.255.0
    !
    interface Vlan30
     description CLIENTS
     ip address 10.11.30.254 255.255.255.0
    !
    interface Vlan101
     description LifeSize
     no ip address
    !
    interface Vlan250
     description Management
     ip address 10.11.250.254 255.255.255.0
    !
    ip default-gateway 10.11.250.251
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 10.11.250.251
    ip route 10.0.0.0 255.0.0.0 10.11.250.251
    Config ASA:
    ASA Version 8.4(2)
    !
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface GigabitEthernet0
     nameif Outside
     security-level 0
     ip address 186.89.54.20 255.255.255.248
    !
    interface GigabitEthernet1
     description Trunk to SW
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet1.10
     vlan 10
     nameif Server
     security-level 100
     ip address 10.11.10.251 255.255.255.0
    !
    interface GigabitEthernet1.30
     vlan 30
     nameif Clients
     security-level 100
     ip address 10.11.30.251 255.255.255.0
    !
    interface GigabitEthernet1.101
     vlan 101
     nameif DMZ
     security-level 50
     ip address 10.11.101.251 255.255.255.0
    !
    interface GigabitEthernet1.250
     vlan 250
     nameif Mgmt
     security-level 100
     ip address 10.11.250.251 255.255.255.0
    !
    interface GigabitEthernet2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet5
     nameif Martin
     security-level 100
     ip address 10.11.15.254 255.255.255.0
    !
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list global_access extended permit ip any any
    access-list Clients_access_in extended deny ip any 10.11.101.0 255.255.255.0 inactive
    access-list Clients_access_in extended permit ip any 10.11.10.0 255.255.255.0 inactive
    access-list Server_access_in extended permit ip any any
    access-list Server_access_in extended deny ip 10.11.250.0 255.255.255.0 10.11.250.0 255.255.255.0 inactive
    access-list Mgmt_access_in extended deny icmp any 10.11.10.0 255.255.255.0 inactive
    access-list Mgmt_access_in extended permit ip any any inactive
    pager lines 24
    logging enable
    logging buffered debugging
    mtu Outside 1500
    mtu Server 1500
    mtu Clients 1500
    mtu DMZ 1500
    mtu Mgmt 1500
    mtu Martin 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-702.bin
    no asdm history enable
    arp timeout 14400
    access-group Server_access_in in interface Server
    access-group Clients_access_in in interface Clients
    access-group Mgmt_access_in in interface Mgmt
    access-group global_access global
    route Mgmt 10.11.0.0 255.255.0.0 10.11.250.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 10.0.0.0 255.0.0.0 Martin
    http 10.11.250.0 255.255.255.0 Mgmt
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access Mgmt
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    !
    class-map global-class
     match default-inspection-traffic
    !
    !
    policy-map global-policy
     class global-class
      inspect dns
      inspect ftp
      inspect http
      inspect icmp
      inspect icmp error
      inspect rtsp
      inspect sip
      inspect snmp
      inspect tftp
    !
    service-policy global-policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    crashinfo save disable
    Cryptochecksum:e5a96d671ff3b5453c8f1de5c39f1f63
    : end
    Problem:
    What I'm planning is, having an InterVlan routed network that is done by the switch and only certain Networks should be protected by the ASA.
    The Networks that should not be protected will have the GW of the L3 SVI
    The protected hosts will have the GW of the ASA and send their traffic there first
    The ASA has a Trunk to the Switch receiving all L2 Vlans from there (E1)
    The ASA has an Interface called Mgmt to which it can send all the traffic back (Asymmetric Routing problem?)
    The Inside (called Mgmt, sorry for the confusion) has a default route pointing to the Switch R1
    Mgmt 10.11.0.0 255.255.0.0 10.11.250.254
    I'm stuck with the basics
    What won't work:
    From R1 I can ping Mgmt and Client Network but not Server and DMZ
    Pinging from R1 (10.11.250.254) to ASA Server (10.11.10.251) Interface gives me this Teardown but I have a global permit any any?
    %ASA-6-302021: Teardown ICMP connection for faddr 10.11.250.254/20 gaddr 10.11.10.251/0 laddr 10.11.10.251/0
    %ASA-7-609002: Teardown local-host Mgmt:10.11.250.254 duration 0:00:03
    %ASA-7-609002: Teardown local-host identity:10.11.10.251 duration 0:00:03
    R2 (Server Host) has the ASA Gateway for its interface and it can ping it. But when I'm trying to ping another interface on the ASA that I can ping from R1, it's like it is not even reaching the ASA. I can see no traffic at all.
    Can somebody tell me what I'm doing wrong and why? I'm kinda getting a little bit frustrated since I've been working on this for quite some time but I fail to get it working properly.
    Cheers

    I'm very sorry I'm responding so late; I've been very busy lately.
    This forum doesn't show the topology diagram I posted so let me try that again first:
    Now, as you can see, R2 has the GW of the ASA which is 10.11.10.251/24. R1 is the L3-Switch and doesn't have an Interface IP for the Server and DMZ but a default-gateway and default-network pointing to 10.11.250.251/24 which is the Mgmt Interface of the ASA. Additionally, it has a Trunk Port to the ASA to pass all L2-Vlans.
    The ASA can ping all L3-Vlans of the Switch R1 e.g. 10.11.30.254/24 and the host 10.11.30.5/24
    The L3-Switch can only ping the Mgmt to which it is directly connected and in the same Network 10.11.250.0/24 but not all other Interfaces
    Pinging from 10.11.250.254/24 (L3 Interface of R1) to 10.11.10.251/24 (Server Interface ASA) gives me this logging output:
    %ASA-6-302021: Teardown ICMP connection for faddr 10.11.250.254/3 gaddr 10.11.10.251/0 laddr 10.11.10.251/0
    %ASA-7-609002: Teardown local-host Mgmt:10.11.250.254 duration 0:00:05
    %ASA-7-609002: Teardown local-host identity:10.11.10.251 duration 0:00:05
    And that is the major problem for me right now. I don't know what I'm doing wrong.
    Thx
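
The teardown messages quoted in this thread show the ping entering on Mgmt and addressed to the ASA itself (`identity`) at the Server interface's address; an ASA answers ICMP only on the interface the packet arrives on, whatever the access lists permit. The following is an added example, not part of the original posts, that correlates the posted interface stanzas with those log lines to flag such far-side pings; the function names are illustrative.

```python
import ipaddress
import re

# Added example: function names are illustrative, not from the post.
# Interface stanzas copied from the configuration posted above (trimmed).
CONFIG = """\
interface GigabitEthernet1.10
 vlan 10
 nameif Server
 ip address 10.11.10.251 255.255.255.0
!
interface GigabitEthernet1.250
 vlan 250
 nameif Mgmt
 ip address 10.11.250.251 255.255.255.0
"""

# The three syslog messages from the post, one per line.
LOG = """\
%ASA-6-302021: Teardown ICMP connection for faddr 10.11.250.254/20 gaddr 10.11.10.251/0 laddr 10.11.10.251/0
%ASA-7-609002: Teardown local-host Mgmt:10.11.250.254 duration 0:00:03
%ASA-7-609002: Teardown local-host identity:10.11.10.251 duration 0:00:03
"""

def interface_addresses(config):
    """Map each nameif to the address configured in the same interface stanza."""
    result, name = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"]:
            name = None
        elif words[:1] == ["nameif"]:
            name = words[1]
        elif words[:2] == ["ip", "address"] and name:
            result[name] = ipaddress.ip_address(words[2])
    return result

def far_side_pings(config, log):
    """List (source, ingress nameif, target, owning nameif) for ICMP flows to the ASA
    itself whose target address sits on a different interface than the ingress one."""
    owners = {str(ip): name for name, ip in interface_addresses(config).items()}
    zones = {ip: zone for zone, ip in
             re.findall(r"609002: Teardown local-host (\S+):(\S+) ", log)}
    findings = []
    for src, dst in re.findall(r"302021: .* faddr (\S+)/\d+ .* laddr (\S+)/\d+", log):
        ingress, owner = zones.get(src), owners.get(dst)
        if zones.get(dst) == "identity" and ingress and owner and owner != ingress:
            findings.append((src, ingress, dst, owner))
    return findings
```
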

  • Need Help with Linksys router broadband-b

    I have a Linksys wireless-B broadband router; for some reason it just went crazy on me. My wireless card is a wireless-G. Now when I had Verizon DSL I got this router and a USB wireless adaptor from Verizon. I had the USB adaptor on my wife's computer and the router and modem on my notebook. For six months we had their DSL service until we moved to another city. Once we had all of our services transferred to the new home we could not get Verizon DSL there.
    So for another six months we had to use dial-up, and being that we run a home business, dial-up was just not up to the task. Well, we got rid of Dish Network just to get cable TV, just to get the cable broadband service. That's when I got a wireless card for my notebook. Anyway, for six months the network was working just fine with the router and my wireless card.
    Until Sept this year, just a few weeks ago, the router started going crazy. Before, my notebook was configured for Windows to connect; Linksys was connecting and I would see all connections in the site survey, and my own network also. Until a few weeks ago my network would not show.
    So I called Linksys; they had me download some updated firmware that would not install on my notebook or my wife's computer. After being on the phone for hours with Linksys, they come to tell me that the router is OK and working all right after all the tests and steps they took me through with the router. Linksys tells me that there is something wrong with my PCM slot on my notebook or else my Linksys wireless card. OK, first of all I can pick up signal on other networks and go online, like the Hilton Hotel when I go in their parking lot. Second, I can pick up other networks that are not secured and get online sometimes, so this tells me that there is nothing wrong with my PCMI slot or the wireless card.
    Now I took my router across the street to a friend's house and guess what, he gets a signal off the router with his notebook but I cannot. And when we plugged the router into the AC outlet the internet light was flashing like crazy, and my wireless card was not even in my notebook, so that tells me that someone close was pulling signal off my router, but I can't.
    Can someone please explain this to me? I want to get another router, wireless-G this time, but if there is something that can be done to get this one working like it should, that would really help.
    The notebook has been checked out and configured, and that works well when I hook in the Ethernet plug from the modem. The router was configured as well, but I just can't get connected to the router when I use the wireless card.

    Yes press and hold the reset button in back for 30 seconds and release.  Wait 10 seconds and power cycle the router.  Now connect to 192.168.1.1 username blank, password 'admin'.  Now try.

  • I need advise and help with this problem . First , I have been with Mac for many years ( 14 to be exact ) I do have some knowledge and understanding of Apple product . At the present time I'm having lots of problems with the router so I was looking in to

    I need advice and help with this problem.
    First, I have been with Mac for many years (14 to be exact). I do have some knowledge and understanding of Apple products.
    At the present time I'm having lots of problems with the router, so I was looking into some info and came across one web site regarding port forwarding and IP addresses.
    In my frustration, amongst lots of open web pages, tutorials and other useless information, I came across an innocent-looking link and software to install called Genieo, which is supposed to help with any router.
    The software asked for permission to install, and about 30% in, my instinct was telling me there is something not right. I stopped the installation, deleted everything, and looked for any trace in Spotlight and Library. Nothing could be found.
    Now, every time I open Safari, Firefox or Chrome, it will open on my home page, but when I start looking for something, instead of the Google page there is a ''search.genieo.com'' page acting like Google. I tried again to get rid of this but I cannot find a solution.
    With more research, again using the genieo.com search engine, there are lots of articles and warnings. From that I learned not to use the uninstall software, because doing this will install more things where it came from.
    I do have AppleCare support but it's too late to phone them, so maybe there are some people with knowledge of how to get this off my computer.
    Any help is welcome. English is my learned language, you may notice this, so I'm not that quick with the response.

    Genieo definitely doesn't help with your router. It's just adware, and has no benefit to you at all. They scammed you so that they could display their ads on your computer.
    To remove it, see:
    http://www.thesafemac.com/arg-genieo/
    Do not use the Genieo uninstaller!

  • I'm currently signed onto my home network and want to go on with another computer but don't remember my password for my network.  Does anyone know where to find this?  It's a password that I set myself, not the one that came with my router.

    I'm currently signed onto my home network and want to go on with another computer but don't remember my password for my network.  Does anyone know where to find this?  It's a password that I set myself, not the one that came with my router.

    It's in your Keychain on the computer you usually use to connect to your network - the "kind" will be "AirPort Network Password".
    Your Keychain can be opened by using the Keychain Access program. It is in your Utilities Folder.
    Open Keychain Access, and type airport in the search field. You will see a number of entries. Choose the one with the name of your wireless network, open it, and check the box next to "show password". Before it reveals itself you will be asked for your login password - the one you use to log in to your MacBook.
    The network password will appear in the box.
    Quit Keychain Access.
