SF-300 24 2 subnet

I have 2 subnets and 2 uplinks
port g1 = 211.122.10.x
port g2 = 210.211.10.x
Can I use 1 switch (SF-300 24) and
assign ports 1-12 up/down to g1,
assign ports 13-24 up/down to g2?
Thank you.

Hi Bob,
Again, here is the config, if you are using the latest firmware on the switch:
User Name:cisco
Password:*****
Please change your password from the default settings. Please change the password
for better protection of your network. Do you want to change the password (Y/N)[Y] ?N
switch4cf1#config
vlan database
vlan 2
exit
hostname SF300-24
no passwords complexity enable
no snmp-server server
interface range fast13-24
switchport trunk native vlan 2
exit
interface gigabitethernet2
switchport trunk native vlan 2
exit
interface vlan 2
name blue
exit
exit
SF300-24#copy run start
Overwrite file [startup-config] ?[Yes/press any key for no]...
regards Dave
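
A quick way to confirm that the configuration in the reply above yields the split the question asks for (ports 1-12 with g1, ports 13-24 with g2). This is an added example, not part of the original posts or of any Cisco tool; the port names fa1-fa24 and gi1/gi2, the default VLAN 1 for untouched ports, and all function names are assumptions of the example.

```python
import re

# Configuration lines copied from the reply above (prompts and banner removed).
POSTED_CONFIG = """\
vlan database
vlan 2
exit
hostname SF300-24
no passwords complexity enable
no snmp-server server
interface range fast13-24
switchport trunk native vlan 2
exit
interface gigabitethernet2
switchport trunk native vlan 2
exit
interface vlan 2
name blue
exit
"""

# Assumed inventory: 24 Fast Ethernet ports plus the uplinks the question calls g1/g2.
ALL_PORTS = [f"fa{n}" for n in range(1, 25)] + ["gi1", "gi2"]
DEFAULT_VLAN = 1  # assumption: ports the config never touches stay untagged in VLAN 1

# What the question asks for: each uplink shares an untagged VLAN only with its ports.
INTENDED = {
    "gi1": [f"fa{n}" for n in range(1, 13)],
    "gi2": [f"fa{n}" for n in range(13, 25)],
}

IFACE_RE = re.compile(
    r"^interface\s+(?:range\s+)?(fast|gigabit)[a-z]*\s*(\d+)(?:-(\d+))?$", re.I)
NATIVE_RE = re.compile(r"^switchport\s+trunk\s+native\s+vlan\s+(\d+)$", re.I)


def native_vlans(config_text):
    """Return {port: untagged VLAN} after applying the config to default ports."""
    vlan_of = {port: DEFAULT_VLAN for port in ALL_PORTS}
    current = []  # ports selected by the enclosing interface block
    for raw in config_text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            prefix = "fa" if m.group(1).lower() == "fast" else "gi"
            first = int(m.group(2))
            last = int(m.group(3) or first)
            current = [f"{prefix}{n}" for n in range(first, last + 1)]
            continue
        if line.lower().startswith("interface") or line.lower() == "exit":
            current = []  # VLAN interface or end of block: no ports selected
            continue
        m = NATIVE_RE.match(line)
        if m:
            for port in current:
                if port not in vlan_of:
                    raise ValueError(f"config references unknown port {port}")
                vlan_of[port] = int(m.group(1))
    return vlan_of


def isolation_problems(vlan_of, intended=INTENDED):
    """List every way the untagged VLAN layout differs from the intended split."""
    problems = []
    uplink_vlans = [vlan_of[uplink] for uplink in intended]
    if len(set(uplink_vlans)) != len(uplink_vlans):
        problems.append("uplinks share an untagged VLAN, so the groups are bridged")
    for uplink, members in intended.items():
        for port in members:
            if vlan_of[port] != vlan_of[uplink]:
                problems.append(
                    f"{port} is untagged in VLAN {vlan_of[port]} "
                    f"but uplink {uplink} is in VLAN {vlan_of[uplink]}")
    return problems


def hardening_findings(config_text):
    """Flag lines in the config that switch off a protective default."""
    findings = []
    for raw in config_text.splitlines():
        if raw.strip().lower() == "no passwords complexity enable":
            findings.append("password complexity enforcement is disabled")
    return findings


if __name__ == "__main__":
    layout = native_vlans(POSTED_CONFIG)
    print("isolation problems:", isolation_problems(layout) or "none")
    print("hardening findings:", hardening_findings(POSTED_CONFIG) or "none")
```

The check models only the untagged (native) VLAN of each port; tagged VLAN membership on the trunk ports is not modeled and should be reviewed on the switch itself.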

Similar Messages

  • WiSM Status LED 1 & Status LED 2 showing off. Is it normal?

    Hi,
    WiSM WLAN Service Module WS-SVC-WISM-1-K9 in 6509e running VSS IOS s72033-ipservicesk9_wan-mz.122-33.SXI2a.bin is having trouble getting the IP from service-vlan DHCP; also, status LED 1 and Status LED 2 are showing off.
    The pertinent config is as follows.
    vlan 300
    name WiSM_Service_Vlan
    interface Vlan300
    description *** WiSM Service-Vlan
    ip address 192.168.200.1 255.255.255.0
    ip dhcp excluded-address 192.168.200.1
    ip dhcp pool WiSM_Service-Vlan_300
       network 192.168.200.0 255.255.255.0
       default-router 192.168.200.1
    wism service-vlan 300
    vlan 183
    name WiSM_Management
    interface Vlan183
    description *** WiSM Management Vlan ***
    ip address 10.39.139.254 255.255.255.0
    wism switch 1 module 4 controller 1 allowed-vlan 125,126,183,300
    wism switch 1 module 4 controller 2 allowed-vlan 125,126,183,300
    wism switch 2 module 4 controller 1 allowed-vlan 125,126,183,300
    wism switch 2 module 4 controller 2 allowed-vlan 125,126,183,300
    wism switch 1 module 4 controller 1 native-vlan 183
    wism switch 1 module 4 controller 2 native-vlan 183
    wism switch 2 module 4 controller 1 native-vlan 183
    wism switch 2 module 4 controller 2 native-vlan 183
    HO2NET0001#sh wism status
    Service Vlan : 300, Service IP Subnet : 192.168.200.1/255.255.255.0
          WLAN
    Slot  Controller  Service IP       Management IP    SW Version  Status
    ----+-----------+----------------+----------------+-----------+---------------
    20    1           0.0.0.0          0.0.0.0                      Service Port Up
    20    2           0.0.0.0          0.0.0.0                      Service Port Up
    HO2NET0001#sh module
    Mod Ports Card Type                              Model              Serial No.
      1    8  CEF720 8 port 10GE with DFC            WS-X6708-10GE      SAL13442Q5N
      2    8  CEF720 8 port 10GE with DFC            WS-X6708-10GE      SAL13442GAL
      3   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAL13410N8P
      4   10  WiSM WLAN Service Module               WS-SVC-WISM-1-K9   SAD133101UY
      5    5  Supervisor Engine 720 10GE (Active)    VS-S720-10G        SAL13442JE4
    Mod MAC addresses                       Hw    Fw           Sw           Status
      1  0025.84f1.55b8 to 0025.84f1.55bf   2.1   12.2(18r)S1  12.2(33)SXI2 Ok
      2  0025.84f1.4e58 to 0025.84f1.4e5f   2.1   12.2(18r)S1  12.2(33)SXI2 Ok
      3  0027.0da7.c240 to 0027.0da7.c26f   3.2   12.2(18r)S1  12.2(33)SXI2 Ok
      4  0023.5e25.7168 to 0023.5e25.7177   2.3   12.2(14r)S5  12.2(33)SXI2 Ok
      5  001f.9e2a.2608 to 001f.9e2a.260f   3.1   8.5(3)       12.2(33)SXI2 Ok
    Mod  Sub-Module                  Model              Serial       Hw     Status
      1  Distributed Forwarding Card WS-F6700-DFC3C     SAL13442EG9  1.4    Ok
      2  Distributed Forwarding Card WS-F6700-DFC3C     SAL13442H9T  1.4    Ok
      3  Centralized Forwarding Card WS-F6700-CFC       SAL13442HU9  4.1    Ok
      4  Centralized Forwarding Card WS-SVC-WISM-1-K9-D SAD133200D6  2.1    Ok
      5  Policy Feature Card 3       VS-F6K-PFC3C       SAL13442E5S  1.1    Ok
      5  MSFC3 Daughterboard         VS-F6K-MSFC3       SAL13421AJZ  2.0    Ok
    Mod  Online Diag Status
      1  Pass
      2  Pass
      3  Pass
      4  Pass
      5  Pass
    HO2NET0001#sh vlan
    300  WiSM_Service_Vlan                active    Gi1/4/9, Gi1/4/10
    The service IP is supposed to have been populated with an address from the dhcp pool. I am also unable to access it by console or by doing a session switch 1 slot 4 processor 1. I get the following upon attempting to do so:
    Through Console.
    It gives the following and then gets stuck.
    Bootloader 3.2.202.0 (Nov 13 2007 - 19:35:12)
    Motorola PowerPC ProcessorID=00000000 Rev. PVR=80200020
            CPU: 999 MHz
            CCB: 333 MHz
            DDR: 166 MHz
            LBC: 41 MHz
    L1 D-cache 32KB, L1 I-cache 32KB enabled.
    I2C:   ready
    DTT:   1 is 33 C
    DRAM:  DDR module detected, total size:512MB.
    512 MB
    8540 in PCI Host Mode.
    8540 not PCI Arbiter.
    Memory Test PASS
    FLASH:
      Flash Bank 0: portsize = 2, size = 8 MB in 142 Sectors
    8 MB
    L2 cache enabled: 256KB
    Card Id: 1537
    Card Revision Id: 1
    Card CPU Id: 1287
    Number of MAC Addresses: 32
    Number of Slots Supported: 4
    Serial Number: FAM133200D6
    Manufacturers ID: 30464
    Board Maintenance Level: 00
    In:    serial
    Out:   serial
    Err:   serial
                          .o88b. d888888b .d8888.  .o88b.  .d88b.
                         d8P  Y8   `88'   88'  YP d8P  Y8 .8P  Y8.
                         8P         88    `8bo.   8P      88    88
                         8b         88      `Y8b. 8b      88    88
                         Y8b  d8   .88.   db   8D Y8b  d8 `8b  d8'
                          `Y88P' Y888888P `8888Y'  `Y88P'  `Y88P'
                        Model SVC-WiSM   S/N: FAM133200D6
    Net:   TSEC ETHERNET
    IDE:   Bus 0: OK
      Device 0: Model: STI Flash 8.0.0 Firm: 01/17/07 Ser#: STI1MMJ109198093647
                Type: Removable Hard Disk
                Capacity: 488.7 MB = 0.4 GB (1000944 x 512)
      Device 1: not available
    Booting Primary Image...
    Press <ESC> now for additional boot options...
    Detecting Hardware . . .
    Cryptographic library self-test....passed!
    XML config selected
    Validating XML configuration
    Cisco is a trademark of Cisco Systems, Inc.
    Software Copyright Cisco Systems, Inc. All rights reserved.
    Cisco AireOS Version 5.2.178.0
    Initializing OS Services: ok
    Initializing Serial Services: ok
    Initializing Internal Interfaces: ok
    Initializing Network Services: ok
    Initializing Licensing Services: ok
    Starting ARP Services: ok
    Starting Trap Manager: ok
    Starting Network Interface Management Services: ok
    Starting System Services: ok
    Starting FIPS Features: ok : Not enabled
    Starting Fast Path Hardware Acceleration: ok
    Starting Switching Services: ok
    Starting QoS Services: ok
    Starting Policy Manager: ok
    Starting Data Transport Link Layer: ok
    Starting Access Control List Services: ok
    Starting System Interfaces: ok
    Starting Client Troubleshooting Service: ok
    Starting Management Frame Protection: ok
    Starting LWAPP: ok
    Starting CAPWAP: ok
    Starting Certificate Database: ok
    Starting VPN Services: ok
    Starting Security Services: ok
    Starting Policy Manager: ok
    Starting Authentication Engine: ok
    Starting Mobility Management: ok
    Starting LOCP: ok
    Starting Virtual AP Services: ok
    Starting AireWave Director: ok
    Starting Network Time Services: ok
    Starting Cisco Discovery Protocol: ok
    Starting Broadcast Services: ok
    Starting Logging Services: ok
    Starting DHCP Server: ok
    Starting IDS Signature Manager: ok
    Starting RFID Tag Tracking: ok
    Starting WLAN Control Protocol (WCP): ok
    Starting Mesh Services:  ok
    Starting TSM: ok
    Starting CIDS Services: ok
    Starting Ethernet-over-IP: ok
    Starting DTLS server:  enabled in CAPWAP
    Starting FMC HS: ok
    Starting WIPS: ok
    Starting SSHPM LSC PROV LIST: ok
    Starting Management Services:
       Web Server: ok
       CLI: ok
       Secure Web: Web Authentication Certificate not found (error). If you cannot access management interface via HTTPS please reconfigure Virtual Interface.
    (Cisco Controller)
    Welcome to the Cisco Wizard Configuration Tool
    Use the '-' character to backup
    Would you like to terminate autoinstall? [yes]:
    AUTO-INSTALL: starting now...
    Through Session
    HO2NET0001##session switch 1 slot 4 proc 1
    The default escape character is Ctrl-^, then x. You can also type 'exit' at the remote prompt to end the session Trying 0.0.0.0 ...
    Any assistance or ideas offered will be greatly appreciated.
    Thanks,

    Hi Tabish,
    How many times do you have to open this same topic?
    In my opinion, this is your THIRD thread for the same topic.

  • C4507R-E Sup 6L-E 10GE and X4648-RJ45V+E: Strange Port behavior in one VLAN

    Hello all!
    I need some help, because I've got a really strange thing. We have the 4500 with the named SUP and linecard and around 10 VLANs on it.
    If I configure a port on the linecard into VLAN 500 (access or trunk, doesn't matter), the host on this port with the correct IP net gets an error when trying to ping the GW. The host on this port can't even ping itself.
    If you put the port into another VLAN, in our test VLAN 300, with the VLAN300 subnet, ping to the GW and ping to itself work. When you configure the subnet of VLAN500 but keep the port in VLAN300, the host can ping itself and gets a correct timeout on the GW ping. After the host is configured and you then configure the port into VLAN500, the ping to the host and the ping to the GW also work (which they didn't before). If you disconnect / connect the cable, the same problem in VLAN500 is back again.
    This whole problem can only be reproduced in this single VLAN 500 - every other VLAN is working normally.
    Does anyone know of a bug like this or had the same problem?

  • WiSM having trouble getting the IP from service-vlan DHCP

    WiSM WLAN Service Module WS-SVC-WISM-1-K9 in 6509e running VSS IOS s72033-ipservicesk9_wan-mz.122-33.SXI2a.bin is having trouble getting the IP from service-vlan DHCP.
    The pertinent config is as follows.
    vlan 300
    name WiSM_Service_Vlan
    interface Vlan300
    description *** WiSM Service-Vlan
    ip address 192.168.200.1 255.255.255.0
    ip dhcp excluded-address 192.168.200.1
    ip dhcp pool WiSM_Service-Vlan_300
       network 192.168.200.0 255.255.255.0
       default-router 192.168.200.1
    wism service-vlan 300
    vlan 183
    name WiSM_Management
    interface Vlan183
    description *** WiSM Management Vlan ***
    ip address 10.39.139.254 255.255.255.0
    wism switch 1 module 4 controller 1 allowed-vlan 125,126,183,300
    wism switch 1 module 4 controller 2 allowed-vlan 125,126,183,300
    wism switch 2 module 4 controller 1 allowed-vlan 125,126,183,300
    wism switch 2 module 4 controller 2 allowed-vlan 125,126,183,300
    wism switch 1 module 4 controller 1 native-vlan 183
    wism switch 1 module 4 controller 2 native-vlan 183
    wism switch 2 module 4 controller 1 native-vlan 183
    wism switch 2 module 4 controller 2 native-vlan 183
    HO2NET0001#sh wism status
    Service Vlan : 300, Service IP Subnet : 192.168.200.1/255.255.255.0
          WLAN
    Slot  Controller  Service IP       Management IP    SW Version  Status
    ----+-----------+----------------+----------------+-----------+---------------
    20    1           0.0.0.0          0.0.0.0                      Service Port Up
    20    2           0.0.0.0          0.0.0.0                      Service Port Up
    HO2NET0001#sh module
    Mod Ports Card Type                              Model              Serial No.
      1    8  CEF720 8 port 10GE with DFC            WS-X6708-10GE      SAL13442Q5N
      2    8  CEF720 8 port 10GE with DFC            WS-X6708-10GE      SAL13442GAL
      3   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAL13410N8P
      4   10  WiSM WLAN Service Module               WS-SVC-WISM-1-K9   SAD133101UY
      5    5  Supervisor Engine 720 10GE (Active)    VS-S720-10G        SAL13442JE4
    Mod MAC addresses                       Hw    Fw           Sw           Status
      1  0025.84f1.55b8 to 0025.84f1.55bf   2.1   12.2(18r)S1  12.2(33)SXI2 Ok
      2  0025.84f1.4e58 to 0025.84f1.4e5f   2.1   12.2(18r)S1  12.2(33)SXI2 Ok
      3  0027.0da7.c240 to 0027.0da7.c26f   3.2   12.2(18r)S1  12.2(33)SXI2 Ok
      4  0023.5e25.7168 to 0023.5e25.7177   2.3   12.2(14r)S5  12.2(33)SXI2 Ok
      5  001f.9e2a.2608 to 001f.9e2a.260f   3.1   8.5(3)       12.2(33)SXI2 Ok
    Mod  Sub-Module                  Model              Serial       Hw     Status
      1  Distributed Forwarding Card WS-F6700-DFC3C     SAL13442EG9  1.4    Ok
      2  Distributed Forwarding Card WS-F6700-DFC3C     SAL13442H9T  1.4    Ok
      3  Centralized Forwarding Card WS-F6700-CFC       SAL13442HU9  4.1    Ok
      4  Centralized Forwarding Card WS-SVC-WISM-1-K9-D SAD133200D6  2.1    Ok
      5  Policy Feature Card 3       VS-F6K-PFC3C       SAL13442E5S  1.1    Ok
      5  MSFC3 Daughterboard         VS-F6K-MSFC3       SAL13421AJZ  2.0    Ok
    Mod  Online Diag Status
      1  Pass
      2  Pass
      3  Pass
      4  Pass
      5  Pass
    HO2NET0001#sh vlan
    300  WiSM_Service_Vlan                active    Gi1/4/9, Gi1/4/10
    The service IP is supposed to have been populated with an address from the dhcp pool. I am also unable to connect to it by doing a session switch 1 slot 4 processor 1. I get the following upon attempting to do so:
    HO2NET0001##session switch 1 slot 4 proc 1
    The default escape character is Ctrl-^, then x. You can also type 'exit' at the remote prompt to end the session Trying 0.0.0.0 ...
    Any assistance or ideas offered will be greatly appreciated.
    Thanks,

    Wired client is working and able to get an IP from the vlan 300 DHCP pool.
    Here is the complete configuration.
    Core-Switch6509#sh run
    Building configuration...
    Current configuration : 21462 bytes
    upgrade fpd auto
    version 12.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service counters max age 5
    hostname
    boot-start-marker
    boot system flash sup-bootdisk:
    boot-end-marker
    security passwords min-length 1
    logging buffered 8192
    no aaa new-model
    ip subnet-zero
    ip dhcp excluded-address 192.168.200.1 192.168.200.2
    ip dhcp pool wism-service-port
       network 192.168.200.0 255.255.255.0
       default-router 192.168.200.1
    ip dhcp pool voiceFLR1
       network 10.39.103.128 255.255.255.128
       default-router 10.39.103.254
       option 150 ip 10.39.139.240 10.39.139.241
    ip dhcp pool voiceFLR2
       network 10.39.104.128 255.255.255.128
       default-router 10.39.104.254
       option 150 ip 10.39.139.240 10.39.139.241
    ip dhcp pool voiceFLR3
       network 10.39.105.128 255.255.255.128
       default-router 10.39.105.254
       option 150 ip 10.39.139.240 10.39.139.241
    no ip domain-lookup
    vtp domain
    vtp mode transparent
    switch virtual domain 100
    switch mode virtual
    mls netflow interface
    mls cef error action reset
    spanning-tree mode pvst
    spanning-tree extend system-id
    wism service-vlan 300
    wism switch 1 module 4 controller 1 allowed-vlan 125,126,183,300
    wism switch 1 module 4 controller 2 allowed-vlan 125,126,183,300
    wism switch 2 module 4 controller 1 allowed-vlan 125,126,183,300
    wism switch 2 module 4 controller 2 allowed-vlan 125,126,183,300
    wism switch 1 module 4 controller 1 native-vlan 183
    wism switch 1 module 4 controller 2 native-vlan 183
    wism switch 2 module 4 controller 1 native-vlan 183
    wism switch 2 module 4 controller 2 native-vlan 183
    diagnostic bootup level minimal
    redundancy
    main-cpu
      auto-sync running-config
    mode sso
    vlan internal allocation policy ascending
    vlan dot1q tag native
    vlan access-log ratelimit 2000
    vlan 101
    name Grd_FLR_Data_Vlan
    vlan 102
    name Grd_FLR_Voice_Vlan
    vlan 103
    name MZ_FLR_Data_Vlan
    vlan 104
    name MZ_FLR_Voice_Vlan
    vlan 105
    name 1st_FLR_Data_Vlan
    vlan 106
    name 1st_FLR_Voice_Vlan
    vlan 107
    name 2nd_FLR_Data_Vlan
    vlan 108
    name 2nd_FLR_Voice_Vlan
    vlan 109
    name 3rd_FLR_Data_Vlan
    vlan 110 
    name 3rd_FLR_Voice_Vlan
    vlan 111
    name 4th_FLR_Data_Vlan
    vlan 112
    name 4th_FLR_Voice_Vlan
    vlan 113
    name 5th_FLR_Data_Vlan
    vlan 114
    name 5th_FLR_Voice_Vlan
    vlan 115
    name 6th_FLR_Data_Vlan
    vlan 116
    name 6th_FLR_Voice_Vlan
    vlan 117
    name 7th_FLR_Data_Vlan
    vlan 118
    name 7th_FLR_Voice_Vlan
    vlan 119
    name 8th_FLR_Data_Vlan
    vlan 120
    name 8th_FLR_Voice_Vlan
    vlan 121
    name 9th_FLR_Data_Vlan
    vlan 122
    name 9th_FLR_Voice_Vlan
    vlan 123
    name 10th_FLR_Data_Vlan
    vlan 124
    name 10th_FLR_Voice_Vlan
    vlan 125
    name Wireless_Users
    vlan 126
    name Wireless_Guest
    vlan 150
    name Printer
    vlan 151
    name v151
    vlan 152
    name v152
    vlan 153
    name v153
    vlan 154
    name v154
    vlan 155
    name v155
    vlan 183 
    name Network_Management
    vlan 300
    name WiSM_Service_Vlan
    interface Port-channel1
    description *** For 1st Floor ***
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface Port-channel2
    description *** For 2nd Floor ***
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface Port-channel3
    description *** For 3rd Floor ***
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface Port-channel4
    description *** For 4th Floor ***
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface Port-channel5
    description *** For 5th Floor ***
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface Port-channel6
    description *** For 6th Floor ***
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface Port-channel7
    description *** For 7th Floor ***
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface Port-channel8
    description *** For 8th Floor ***
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface Port-channel9
    description *** For 9th Floor ***
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface Port-channel10
    no switchport
    no ip address
    switch virtual link 1
    mls qos trust cos
    no mls qos channel-consistency
    interface Port-channel11
    description *** For 10th Floor ***
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface Port-channel12
    description *** For Ground Floor ***
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface Port-channel13
    description *** For MZ Floor ***
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface Port-channel20
    no switchport
    no ip address
    switch virtual link 2
    mls qos trust cos
    no mls qos channel-consistency
    interface TenGigabitEthernet1/1/1
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    shutdown
    interface TenGigabitEthernet1/1/2
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    shutdown
    interface TenGigabitEthernet1/1/3
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 1 mode on
    interface TenGigabitEthernet1/1/4
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 2 mode on
    interface TenGigabitEthernet1/1/5
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 3 mode on
    interface TenGigabitEthernet1/1/6
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 4 mode on
    interface TenGigabitEthernet1/1/7
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 5 mode on
    interface TenGigabitEthernet1/1/8
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 6 mode on
    interface TenGigabitEthernet1/2/1
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 7 mode on
    interface TenGigabitEthernet1/2/2
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 8 mode on
    interface TenGigabitEthernet1/2/3
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 9 mode on
    interface TenGigabitEthernet1/2/4
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 11 mode on
    interface TenGigabitEthernet1/2/5
    description *** Connected to Juniper Port Ten 0 Inside ***
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport nonegotiate
    interface TenGigabitEthernet1/2/6
    no switchport
    no ip address
    interface TenGigabitEthernet1/2/7
    no switchport
    no ip address
    interface TenGigabitEthernet1/2/8
    no switchport
    no ip address
    interface GigabitEthernet1/3/1
    switchport
    switchport access vlan 183
    switchport mode access
    interface GigabitEthernet1/3/2
    switchport
    switchport access vlan 183
    switchport mode access
    interface GigabitEthernet1/3/3
    switchport
    switchport access vlan 183
    switchport mode access
    interface GigabitEthernet1/3/4
    switchport
    switchport access vlan 183
    switchport mode access
    interface GigabitEthernet1/3/5
    switchport
    switchport access vlan 154
    interface GigabitEthernet1/3/6
    switchport
    switchport access vlan 154
    interface GigabitEthernet1/3/7
    switchport
    switchport access vlan 154
    interface GigabitEthernet1/3/8
    switchport
    switchport access vlan 154
    interface GigabitEthernet1/3/9
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/10
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/11
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/12
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/13
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/14
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/15
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/16
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/17
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/18
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/19
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/20
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/21
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/22
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/23
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/24
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/25
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/26
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/27
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/28
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/29
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/30
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/31
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/32
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/33
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/34
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/35
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/36
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/37
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/38
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/39
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/40
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/41
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/42
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/43
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/44
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/45
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/46
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/3/47
    switchport
    switchport access vlan 107
    switchport mode access
    spanning-tree portfast edge
    interface GigabitEthernet1/3/48
    switchport
    switchport access vlan 152
    switchport mode access
    interface GigabitEthernet1/5/1
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/5/2
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet1/5/3
    no switchport
    no ip address
    shutdown
    interface TenGigabitEthernet1/5/4
    description *** Connected to CS-2 Port Ten 2/5/4 ***
    no switchport
    no ip address
    mls qos trust cos
    channel-group 10 mode on
    interface TenGigabitEthernet1/5/5
    description *** Connected to CS-2 Port Ten 2/5/5 ***
    no switchport
    no ip address
    mls qos trust cos
    channel-group 10 mode on
    interface TenGigabitEthernet2/1/1
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    shutdown
    interface TenGigabitEthernet2/1/2
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    shutdown
    interface TenGigabitEthernet2/1/3
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 1 mode on
    interface TenGigabitEthernet2/1/4
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 2 mode on
    interface TenGigabitEthernet2/1/5
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 3 mode on
    interface TenGigabitEthernet2/1/6
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 4 mode on
    interface TenGigabitEthernet2/1/7
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 5 mode on
    interface TenGigabitEthernet2/1/8
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 6 mode on
    interface TenGigabitEthernet2/2/1
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 7 mode on
    interface TenGigabitEthernet2/2/2
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 8 mode on
    interface TenGigabitEthernet2/2/3
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 9 mode on
    interface TenGigabitEthernet2/2/4
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 11 mode on
    interface TenGigabitEthernet2/2/5
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface TenGigabitEthernet2/2/6
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface TenGigabitEthernet2/2/7
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface TenGigabitEthernet2/2/8
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface GigabitEthernet2/3/1
    switchport
    switchport access vlan 183
    switchport mode access
    interface GigabitEthernet2/3/2
    switchport
    switchport access vlan 183
    switchport mode access
    interface GigabitEthernet2/3/3
    switchport
    switchport access vlan 183
    switchport mode access
    interface GigabitEthernet2/3/4
    switchport
    switchport access vlan 183
    switchport mode access
    interface GigabitEthernet2/3/5
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/6
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/7
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/8
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/9
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/10
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/11
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/12
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/13
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/14
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/15
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/16
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/17
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/18
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/19
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/20
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/21
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/22
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/23
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/24
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/25
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/26
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/27
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/28
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/29
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/30
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/31
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/32
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/33
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/34
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/35
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/36
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/37
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/38
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/39
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/40
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/41
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/42
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/43
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/44
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/45
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/46
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/47
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/3/48
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/5/1
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/5/2
    no switchport
    no ip address
    shutdown
    interface GigabitEthernet2/5/3
    no switchport
    no ip address
    shutdown
    interface TenGigabitEthernet2/5/4
    description *** Connected to CS-1 Port Ten 1/5/4 ***
    no switchport
    no ip address
    mls qos trust cos
    channel-group 20 mode on
    interface TenGigabitEthernet2/5/5
    description *** Connected to CS-1 Port Ten 1/5/5 ***
    no switchport
    no ip address
    mls qos trust cos
    channel-group 20 mode on
    interface Vlan1
    no ip address
    interface Vlan101
    description *** Grd Floor Data Vlan ***
    ip address 10.39.101.126 255.255.255.128
    interface Vlan102
    description *** Grd Floor Voice Vlan ***
    ip address 10.39.101.254 255.255.255.128
    interface Vlan103
    description *** MZ Floor Data Vlan ***
    ip address 10.39.102.126 255.255.255.128
    interface Vlan104
    description *** MZ Floor Voice Vlan ***
    ip address 10.39.102.254 255.255.255.128
    interface Vlan105
    description *** 1st Floor Data Vlan ***
    ip address 10.39.103.126 255.255.255.128
    interface Vlan106
    description *** 1st Floor Voice Vlan ***
    ip address 10.39.103.254 255.255.255.128
    interface Vlan107
    description *** 2nd Floor Data Vlan ***
    ip address 10.39.104.126 255.255.255.128
    interface Vlan108
    description *** 2nd Floor Voice Vlan ***
    ip address 10.39.104.254 255.255.255.128
    interface Vlan109
    description *** 3rd Floor Data Vlan ***
    ip address 10.39.105.126 255.255.255.128
    interface Vlan110
    description *** 3rd Floor Voice Vlan ***
    ip address 10.39.105.254 255.255.255.128
    interface Vlan111
    description *** 4th Floor Data Vlan ***
    ip address 10.39.106.126 255.255.255.128
    interface Vlan112
    description *** 4th Floor Voice Vlan ***
    ip address 10.39.106.254 255.255.255.128
    interface Vlan113
    description *** 5th Floor Data Vlan ***
    ip address 10.39.107.126 255.255.255.128
    interface Vlan114
    description *** 5th Floor Voice Vlan ***
    ip address 10.39.107.254 255.255.255.128
    interface Vlan115
    description *** 6th Floor Data Vlan ***
    ip address 10.39.108.126 255.255.255.128
    interface Vlan116
    description *** 6th Floor Voice Vlan ***
    ip address 10.39.108.254 255.255.255.128
    interface Vlan117
    description *** 7th Floor Data Vlan ***
    ip address 10.39.109.126 255.255.255.128
    interface Vlan118
    description *** 7th Floor Voice Vlan ***
    ip address 10.39.109.254 255.255.255.128
    interface Vlan119
    description *** 8th Floor Data Vlan ***
    ip address 10.39.110.126 255.255.255.128
    interface Vlan120
    description *** 8th Floor Voice Vlan ***
    ip address 10.39.110.254 255.255.255.128
    interface Vlan121
    description *** 9th Floor Voice Vlan ***
    ip address 10.39.111.126 255.255.255.128
    interface Vlan122
    description *** 9th Floor Voice Vlan ***
    ip address 10.39.111.254 255.255.255.128
    interface Vlan123
    description *** 10th Floor Voice Vlan ***
    ip address 10.39.112.126 255.255.255.128
    interface Vlan124
    description *** 10th Floor Voice Vlan ***
    ip address 10.39.112.254 255.255.255.128
    interface Vlan150
    description *** Printer Vlan ***
    ip address 10.39.120.254 255.255.255.0
    interface Vlan151
    description *** Connected to Juniper FW Port Ten 0 ***
    ip address 10.39.121.1 255.255.255.240
    interface Vlan183
    description *** Network Management Vlan ***
    ip address 10.39.139.254 255.255.255.0
    interface Vlan300
    ip address 192.168.200.1 255.255.255.0
    ip classless
    ip route 0.0.0.0 0.0.0.0 10.39.140.169
    ip route 0.0.0.0 0.0.0.0 10.39.121.14
    no ip http server
    no ip http secure-server
    control-plane
    dial-peer cor custom
    line con 0
    login local
    line vty 0 4
    login local
    line vty 5 15
    login local
    mac-address-table aging-time 480
    no event manager policy Mandatory.go_switchbus.tcl type system
    module provision switch 1
    slot 1 slot-type 227 port-type 60 number 8  virtual-slot 17
    slot 2 slot-type 227 port-type 60 number 8  virtual-slot 18
    slot 3 slot-type 147 port-type 61 number 48  virtual-slot 19
    slot 4 slot-type 242 port-type 31 number 10  virtual-slot 20
    slot 5 slot-type 254 port-type 31 number 2 port-type 61 number 1 port-type 60 number 2  virtual-slot 21
    module provision switch 2
    slot 1 slot-type 227 port-type 60 number 8  virtual-slot 33
    slot 2 slot-type 227 port-type 60 number 8  virtual-slot 34
    slot 3 slot-type 147 port-type 61 number 48  virtual-slot 35
    slot 4 slot-type 242 port-type 31 number 10  virtual-slot 36
    slot 5 slot-type 254 port-type 31 number 2 port-type 61 number 1 port-type 60 number 2  virtual-slot 37
    end
    Thanks, and awaiting a response.

  • Cisco 300 series: my PCs cannot reach the 2nd subnet

    Dear Community/Support:
    setting up our new series 300-28 in Layer3 Mode with a very basic network setup:
    LAN: 192.168.0.0/24
    VOIP Switch: 10.128.0.1 -- attached to GE24
    default VLAN1- 192.168.0.254
    added IPv4 Interface: GE24-10.128.0.254
    which added the IPv4 route to the subnet 10.128.0.0
    which added the ARP entry for 10.128.0.1
    so in the admin interface the 300 can ping 10.128.0.1,
    but my PCs in VLAN1 cannot reach it at all.
    300-28 has DHCP enabled, IP Range 192.168.0.9-99/24, Gateway 192.168.0.254
    Help Please,
    I simply fail to understand why :(

    Sorry, I don't really know the 300 series range of products. On other devices you would need to enable IP routing.
    Have a look at this link; it talks about changing the system mode to layer 3.
    https://supportforums.cisco.com/discussion/11520346/cisco-sg300-10-how-set-inter-vlan-routing

  • Snom phones in secondary subnet unable to call out - SIP CANCEL in SIP log

    I've been trying to diagnose this very strange problem we are having. All our servers and some SNOM phones are in the subnet 192.168.100.0, the main building. They all work fine. Phones located in two other buildings connected with high-speed fiber use subnets 192.168.1.0 and 192.168.200.0. They can receive calls but are unable to call out. This doesn't affect the Lync 2010 and 2013 desktop clients with enterprise voice...they work fine anywhere, even externally.
    We are running Lync Server 2013 Standard Edition, with the latest updates applied. Mediation role is co-located. Edge server is set up and I think I have configured everything correctly. I have two network adapters, one external facing and one internal facing. External facing one has DNS settings and gateway, internal facing has neither. I have set up persistent routes that enable the edge server to ping hosts in 1.0 and 200.0 no problem. DNS is set up internally so anyone anywhere can ping the edge server (its DNS entry is routable lync2013edge.network.domain.ca). Phones used are the SNOM 720; I have the latest updates applied (8.8.3.27 UC).
    On the actual SNOM phone, I will dial 7804636201. It will call and start ringing the other party. Almost exactly 10 seconds later I will hear a busy signal and then the phone displays "Media Connectivity Failure". I ran a log on SIP from the FE
    Standard Edition server, here are some entries that I noticed that may have something to do with it (see bottom four paragraphs for SIP CANCEL)
    TL_VERBOSE(TF_PARSE) [0]411C.2DE8::02/24/2015-17:23:42.240.0008db5d (SIPStack,CSIPMessage::ParseBufferChain:SIPMessage.cpp(694))( 0000005F03D806F0 ) Start Line:  INVITE sip:7804636201;[email protected];user=phone SIP/2.0
    TL_INFO(TF_PROTOCOL) [0]411C.2DE8::02/24/2015-17:23:42.269.0009106f (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[3706963737] $$begin_record
    Trace-Correlation-Id: 3706963737
    Instance-Id: 2F91
    Direction: outgoing
    Peer: lync2013.network.caedm.ca:5070
    Message-Type: request
    Start-Line: INVITE sip:[email protected]:5070;user=phone;maddr=lync2013.network.caedm.ca SIP/2.0
    From: "Joel Smith" <sip:[email protected]>;tag=2ksjs48fxg;epid=000413774E0401
    To: <sip:7804636201;[email protected];user=phone>
    Call-ID: 3faa35f677ef48719b27c796251b0519
    CSeq: 1 INVITE
    Contact: <sip:[email protected];opaque=user:epid:cO0WSS9wCFqUnP0dpEh6uQAA;gruu>;reg-id=1
    Via: SIP/2.0/TLS 192.168.100.17:55489;branch=z9hG4bKE036484A.405BD23C943B158E;branched=TRUE
    Via: SIP/2.0/TLS 192.168.1.201:51470;branch=z9hG4bK-fdh7rhbbvsri;rport;ms-received-port=51470;ms-received-cid=600
    Record-Route: <sip:Lync2013.network.caedm.ca:5061;transport=tls;opaque=state:T;lr>;tag=B39FB8145D545F357B2737F43833CEB4
    Max-Forwards: 69
    Content-Length: 3563
    Content-Type: multipart/alternative;boundary="next_part_u00iwyrezkkuxf3d"
    P-Asserted-Identity: "Joel Smith"<tel:+17808092404;ext=2404>
    Message-Body: --next_part_u00iwyrezkkuxf3d
    Content-Type: application/sdp
    Content-Transfer-Encoding: 7bit
    Content-Dis; handling=optional; ms-proxy-2007fallback
    TL_INFO(TF_DIAG) [0]411C.2DE8::02/24/2015-17:23:42.270.000915ec (SIPStack,SIPAdminLog::WriteDiagnosticEvent:SIPAdminLog.cpp(802))[3706963737] $$begin_record
    Severity: information
    Text: Routed a locally generated response
    SIP-Start-Line: SIP/2.0 100 Trying
    SIP-Call-ID: 3faa35f677ef48719b27c796251b0519
    SIP-CSeq: 1 INVITE
    Peer: 192.168.1.201:51470
    Data: destination="[email protected]"
    $$end_record
    TL_INFO(TF_PROTOCOL) [0]411C.2DE8::02/24/2015-17:23:42.274.000928d4 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[3706963737] $$begin_record
    Trace-Correlation-Id: 3706963737
    Instance-Id: 2F93
    Direction: outgoing;source="local"
    Peer: 192.168.1.201:51470
    Message-Type: response
    Start-Line: SIP/2.0 101 Progress Report
    From: "Joel Smith" <sip:[email protected]>;tag=2ksjs48fxg;epid=000413774E0401
    To: <sip:7804636201;[email protected];user=phone>
    Call-ID: 3faa35f677ef48719b27c796251b0519
    CSeq: 1 INVITE
    Via: SIP/2.0/TLS 192.168.1.201:51470;branch=z9hG4bK-fdh7rhbbvsri;rport;ms-received-port=51470;ms-received-cid=600
    Content-Length: 0
    ms-diagnostics: 12006;reason="Trying next hop";source="LYNC2013.NETWORK.CAEDM.CA";PhoneUsage="Long Distance";PhoneRoute="LocalRoute";Gateway="208.68.17.53";appName="OutboundRouting"
    $$end_record
    TL_INFO(TF_PROTOCOL) [1]411C.2DE8::02/24/2015-17:23:42.488.000930bc (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[741182734] $$begin_record
    Trace-Correlation-Id: 741182734
    Instance-Id: 2F96
    Direction: incoming
    Peer: lync2013.network.caedm.ca:5070
    Message-Type: response
    Start-Line: SIP/2.0 183 Session Progress
    FROM: "Joel Smith"<sip:[email protected]>;tag=2ksjs48fxg;epid=000413774E0401
    TO: <sip:7804636201;[email protected];user=phone>;tag=d265bdc1c8;epid=0A24894D6D
    CALL-ID:  3faa35f677ef48719b27c796251b0519
    CSEQ: 1 INVITE
    CONTACT:  <sip:[email protected];gruu;opaque=srvr:MediationServer:0wzNMLUTNFKXO5KjW1mbdQAA>;isGateway
    VIA:  SIP/2.0/TLS 192.168.100.17:55489;branch=z9hG4bKE036484A.405BD23C943B158E;branched=TRUE,SIP/2.0/TLS 192.168.1.201:51470;branch=z9hG4bK-fdh7rhbbvsri;rport;ms-received-port=51470;ms-received-cid=600
    RECORD-ROUTE:  <sip:Lync2013.network.caedm.ca:5061;transport=tls;opaque=state:T;lr>;tag=B39FB8145D545F357B2737F43833CEB4
    CONTENT-LENGTH:  1388
    CONTENT-TYPE:  application/sdp
    TL_VERBOSE(TF_NETWORK) [0]411C.2DE8::02/24/2015-17:23:51.369.00098f6b (SIPStack,CRecvContext::CreateIncomingRequest:RecvContext.cpp(920))[3030787245]( 0000005F01E739D0 ) creating SIP_MID_CANCEL request
    TL_VERBOSE(TF_PARSE) [0]411C.2DE8::02/24/2015-17:23:51.369.00098f90 (SIPStack,CSIPMessage::ParseBufferChain:SIPMessage.cpp(694))( 0000005F03D7E2E0 ) Start Line:  CANCEL sip:7804636201;[email protected];user=phone SIP/2.0
    TL_VERBOSE(TF_PARSE) [0]411C.2DE8::02/24/2015-17:23:51.369.00099054 (SIPStack,CSIPMessage::ParseNextHeader:SIPMessage.cpp(1532))( 0000005F03D7E2E0 ) Found Header:  Reason: SIP;cause=488;text="Media Connectivity Failure"
    TL_INFO(TF_PROTOCOL) [0]411C.2DE8::02/24/2015-17:23:51.369.000990c6 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[3706963737] $$begin_record
    Trace-Correlation-Id: 3706963737
    Instance-Id: 2FA0
    Direction: incoming
    Peer: 192.168.1.201:51470
    Message-Type: request
    Start-Line: CANCEL sip:7804636201;[email protected];user=phone SIP/2.0
    From: "Joel Smith" <sip:[email protected]>;tag=2ksjs48fxg;epid=000413774E0401
    To: <sip:7804636201;[email protected];user=phone>
    Call-ID:  3faa35f677ef48719b27c796251b0519
    CSeq: 1 CANCEL
    Via:  SIP/2.0/TLS 192.168.1.201:51470;branch=z9hG4bK-fdh7rhbbvsri;rport
    Max-Forwards:  70
    Content-Length:  0
    $$end_record
    I thought it might be a timeout issue, so I tried following these steps located here:
    http://ipfone.hu/lync-mediation-server-cancel-problem/ After rebooting the server no changes were noticed.
    I also checked out this website
    http://blog.insidelync.com/2013/04/sip-trunking-101-with-lync-server-2013/ regarding disabling the check box "enable outbound routing failover timeout". Doing that had no effect.
    Any other ideas would be appreciated.

    Hi,
    Yes, I see the config file is very simple and standard.
    So the issue with snom on branch sites is random, is that correct?
    From what I read in your answer, sometimes you can establish a correct communication between a snom and the called number +17804636201.
    Have you tried to collect a network capture on a snom at a branch location?
    Do you have some other version of snom phone (300, 710, 821) to test?
    Do you have some LPE IP phone (Polycom CX600 or HP4110-4120) to test?
    Regards
    Luca
    Luca Vitali | MCITP Lync/Exchange | snom Certified Engineer | Sonus SBC1000 Engineer
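The SIP trace in the question above can be correlated by Call-ID to show which peer sent the CANCEL, how long after the INVITE it arrived, and which Reason header came with it. This is an added example, not part of the original posts; the function names and the trace below are constructed, and attaching a `Found Header: Reason:` parse line to the next protocol record is a heuristic assumed from the ordering seen in the question.

```python
import re
from datetime import datetime

# Constructed trace in the record layout shown in the question; hosts, numbers and
# Call-IDs are placeholders. The first call mirrors the failing one, the second completes.
SAMPLE_TRACE = """\
TL_INFO(TF_PROTOCOL) [0]411C.2DE8::02/24/2015-17:23:42.269.0009106f (SIPStack)[1001] $$begin_record
Direction: outgoing
Peer: fe01.example.test:5070
Message-Type: request
Start-Line: INVITE sip:+15550100@example.test;user=phone SIP/2.0
Call-ID: constructed-call-a
CSeq: 1 INVITE
TL_INFO(TF_PROTOCOL) [1]411C.2DE8::02/24/2015-17:23:42.488.000930bc (SIPStack)[1002] $$begin_record
Direction: incoming
Peer: fe01.example.test:5070
Message-Type: response
Start-Line: SIP/2.0 183 Session Progress
CALL-ID:  constructed-call-a
CSEQ: 1 INVITE
TL_VERBOSE(TF_PARSE) [0]411C.2DE8::02/24/2015-17:23:51.369.00099054 (SIPStack) Found Header:  Reason: SIP;cause=488;text="Media Connectivity Failure"
TL_INFO(TF_PROTOCOL) [0]411C.2DE8::02/24/2015-17:23:51.369.000990c6 (SIPStack)[1001] $$begin_record
Direction: incoming
Peer: 192.0.2.201:51470
Message-Type: request
Start-Line: CANCEL sip:+15550100@example.test;user=phone SIP/2.0
Call-ID:  constructed-call-a
CSeq: 1 CANCEL
$$end_record
TL_INFO(TF_PROTOCOL) [0]411C.2DE8::02/24/2015-17:25:00.000.000a0001 (SIPStack)[1003] $$begin_record
Direction: incoming
Peer: 192.0.2.17:50211
Message-Type: request
Start-Line: INVITE sip:+15550111@example.test;user=phone SIP/2.0
Call-ID: constructed-call-b
CSeq: 1 INVITE
$$end_record
TL_INFO(TF_PROTOCOL) [0]411C.2DE8::02/24/2015-17:25:03.500.000a0002 (SIPStack)[1003] $$begin_record
Direction: outgoing
Peer: 192.0.2.17:50211
Message-Type: response
Start-Line: SIP/2.0 200 OK
Call-ID: constructed-call-b
CSeq: 1 INVITE
$$end_record
"""

STAMP_RE = re.compile(r"::(\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{3})")
REASON_RE = re.compile(r"Found Header:\s+Reason:\s*(.+)$")


def parse_records(trace):
    """Return one dict per TF_PROTOCOL record: timestamp plus lower-cased headers."""
    records, current, pending_reason = [], None, None
    for raw in trace.splitlines():
        line = raw.strip()
        if line.startswith("TL_") or line == "$$end_record":
            # A new trace entry also closes a record whose $$end_record was cut off.
            if current is not None:
                records.append(current)
                current = None
            reason = REASON_RE.search(line)
            if reason:
                pending_reason = reason.group(1)
            stamp = STAMP_RE.search(line)
            if stamp and "TF_PROTOCOL" in line and line.endswith("$$begin_record"):
                current = {"time": datetime.strptime(stamp.group(1), "%m/%d/%Y-%H:%M:%S.%f")}
                if pending_reason is not None:
                    # Heuristic: the parsed Reason header belongs to the next record.
                    current["reason"] = pending_reason
                    pending_reason = None
        elif current is not None:
            name, sep, value = line.partition(":")
            if sep:
                # Header names vary in case between records (Call-ID vs CALL-ID).
                current.setdefault(name.strip().lower(), value.strip())
    if current is not None:
        records.append(current)
    return records


def cancelled_calls(trace):
    """Summarise every Call-ID that has both an INVITE and a CANCEL request."""
    calls = {}
    for rec in parse_records(trace):
        if rec.get("call-id"):
            calls.setdefault(rec["call-id"], []).append(rec)
    findings = []
    for call_id, recs in calls.items():
        recs.sort(key=lambda r: r["time"])
        invite = next((r for r in recs if r.get("start-line", "").startswith("INVITE")), None)
        cancel = next((r for r in recs if r.get("start-line", "").startswith("CANCEL")), None)
        if invite is None or cancel is None:
            continue
        responses = [r.get("start-line") for r in recs
                     if r.get("message-type") == "response" and r["time"] <= cancel["time"]]
        findings.append({
            "call_id": call_id,
            "cancelled_by": cancel.get("peer"),
            "seconds_after_invite": round((cancel["time"] - invite["time"]).total_seconds(), 3),
            "last_response": responses[-1] if responses else None,
            "reason": cancel.get("reason"),
        })
    return findings


if __name__ == "__main__":
    for finding in cancelled_calls(SAMPLE_TRACE):
        print(finding)
```
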

  • Issues with multiple subnets - ASA5510 to Vigor 2820 VPN

    Hi there,
    I am hoping someone here can help.  I have been struggling for some time to sort out issues in a VPN we have between our main London office and the Edinburgh branch office.  We have an ASA 5510  in London, talking to a Vigor 2820 in Edinburgh. 
    The London office has a 192.168.0.0/24 subnet, with the default gateway as a Cisco Catalyst at 192.168.0.254, and the Cisco ASA at 192.168.0.254 as the firewall. 
    The Edinburgh office has the subnet 192.168.2.0/24, with the Vigor running on 192.168.2.1, providing routing, DHCP and firewall services there. 
    I have the VPN working fine, correctly routing traffic between those two subnets over the IPsec tunnel.  However, I have had much trouble adding additional subnets for our VLANs in London.
    What I want to happen is traffic from 192.168.2.0/24 to be able to get to and from 192.168.50.0/24 and several similar networks.
    Upon tracing it using the Cisco packet tracer, I can see that the packets for the 192.168.50.0/24 subnet are not making it over the tunnel, having been stopped by the VPN: subtype: encrypt rules.  Looking at these rules though, I can't spot the problem.  Multiple changes of order of the rules, and reloads have not sorted out the problem.  When I run a packet trace on the main subnet it works fine.  I have attached some of the configuration (below) as well as the output from the packet tracer, and the config of the Vigor router.
    I apologise in advance for the length of the post, but I have tried to include all relevant information to see if anyone can help.
    Firstly, here's the ASA config that seemed relevant.  I tried to remove some since we have quite a few site-to-site tunnels set up, and these are probably not relevant (and are all working correctly).
    access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.50.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.30.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.40.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip any 192.168.0.192 255.255.255.192
    access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.0.0 192.168.7.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.7.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.2.0 255.255.255.0 192.168.7.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.0.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
    nat (inside) 0 access-list insideOutboundNonatAcl
    nat (inside) 9 access-list vpnNatAcl
    nat (inside) 10 192.168.30.5 255.255.255.255
    nat (inside) 10 192.168.0.0 255.255.255.0
    nat (inside) 10 192.168.20.0 255.255.255.0
    nat (inside) 10 192.168.30.0 255.255.255.0
    nat (inside) 10 192.168.50.0 255.255.255.0
    access-list inside_in extended permit ip 192.168.0.0 255.255.255.0 any
    access-list inside_in extended permit tcp host 192.168.5.2 host 192.168.0.2 eq domain
    access-list inside_in extended permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list inside_in extended permit ip 192.168.20.0 255.255.255.0 any
    access-list inside_in extended permit ip 192.168.50.0 255.255.255.0 any
    access-list inside_in extended permit ip 192.168.30.0 255.255.255.0 any
    access-list inside_in extended permit ip 192.168.30.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list inside_in extended permit ip 192.168.40.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list inside_in extended permit ip 192.168.40.0 255.255.255.0 any
    access-list inside_in extended permit ip 192.168.10.0 255.255.255.0 any
    access-list inside_in extended permit ip host 192.168.2.1 192.168.30.0 255.255.255.0 inactive
    access-list inside_in extended permit ip 192.168.2.0 255.255.255.0 192.168.50.0 255.255.255.0
    access-list inside_in extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-group inside_in in interface inside
    access-list outside_2_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
    route inside 192.168.20.0 255.255.255.0 192.168.0.254 1
    route inside 192.168.50.0 255.255.255.0 192.168.0.254 1
    route inside 192.168.30.0 255.255.255.0 192.168.0.254 1
    route inside 192.168.40.0 255.255.255.0 192.168.0.254 1
    crypto ipsec transform-set ESP_DES_MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set TRANS_VPN_SET esp-3des esp-md5-hmac
    crypto ipsec transform-set TRANS_VPN_SET mode transport
    crypto ipsec transform-set TRANS_VPN_SET_2 esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_VPN_SET_2 mode transport
    crypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP_3DES_MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec df-bit clear-df outside
    crypto dynamic-map core_vpn_dyn_map 20 set transform-set ESP_3DES_MD5 ESP_DES_MD5 TRANS_VPN_SET TRANS_VPN_SET_2
    crypto dynamic-map core_vpn_dyn_map 40 set pfs
    crypto dynamic-map core_vpn_dyn_map 40 set transform-set ESP_3DES_SHA ESP_DES_MD5
    crypto map outside_map 2 match address outside_2_cryptomap
    crypto map outside_map 2 set pfs
    crypto map outside_map 2 set peer [branch peer ip]
    crypto map outside_map 2 set transform-set ESP_3DES_MD5
    crypto isakmp identity address
    crypto isakmp identity address
    crypto isakmp policy 25
     authentication pre-share
     encryption 3des
     hash md5
     group 1
     lifetime 28800
    crypto isakmp nat-traversal  30
    crypto isakmp disconnect-notify
    group-policy DfltGrpPolicy attributes
     banner none
     wins-server none
     dns-server none
     dhcp-network-scope none
     vpn-access-hours none
     vpn-simultaneous-logins 100
     vpn-idle-timeout none
     vpn-session-timeout none
     vpn-filter none
     vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
     password-storage disable
     ip-comp disable
     re-xauth enable
     group-lock none
     pfs disable
     ipsec-udp disable
     ipsec-udp-port 10000
     split-tunnel-policy tunnelall
     split-tunnel-network-list none
     default-domain none
     split-dns none
     intercept-dhcp 255.255.255.255 disable
     secure-unit-authentication disable
     user-authentication disable
     user-authentication-idle-timeout 30
     ip-phone-bypass disable
     leap-bypass disable
     nem disable
     backup-servers keep-client-config
     msie-proxy server none
     msie-proxy method no-modify
     msie-proxy except-list none
     msie-proxy local-bypass disable
     nac disable
     nac-sq-period 300
     nac-reval-period 36000
     nac-default-acl none
     address-pools none
     smartcard-removal-disconnect enable
     client-firewall none
     client-access-rule none
    tunnel-group [branch peer ip] type ipsec-l2l
    tunnel-group [branch peer ip] ipsec-attributes
     pre-shared-key *
    Note: [branch peer ip] replaces any instances of the branch office outside IP address
    I appreciate there may be some duplicated/redundant rules here - I have been playing with config to try to fix the problem.  I'd really appreciate any suggestions on how to track this down. 
    Here's the vigor config:
    So it looks to match ok to me at both ends, unless there is something I missed.  The vigor routing table shows:
    Key: C - connected, S - static, R - RIP, * - default, ~ - private
    *             0.0.0.0/         0.0.0.0 via [ISP gateway server],   WAN1
    S    [branch peer ip]/ 255.255.255.255 via [branch peer ip],   WAN1
    S~       192.168.40.0/   255.255.255.0 via [London office ip],    VPN
    S~       192.168.50.0/   255.255.255.0 via [London office ip],    VPN
    S~       192.168.10.0/   255.255.255.0 via [London office ip],    VPN
    S~        192.168.0.0/   255.255.255.0 via [London office ip],    VPN
    C~        192.168.2.0/   255.255.255.0 is directly connected,    LAN
    S~        192.168.7.0/   255.255.255.0 via [London office ip],    VPN
    S~       192.168.30.0/   255.255.255.0 via [London office ip],    VPN
    S~       192.168.20.0/   255.255.255.0 via [London office ip],    VPN
    *    [ISP dns server]/ 255.255.255.255 via [ISP gateway server],   WAN1
    I have replaced IPs here as is shown.  You can see the vigor seems to want to route the appropriate traffic over the VPN.
    Finally, here is the packet trace output:
    ciscoasa# packet-trace input outside tcp 192.168.2.1 echo 192.168.50.10 echo d$
    Phase: 1
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.50.0    255.255.255.0   inside
    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outsideInAcl in interface outside
    access-list outsideInAcl extended permit ip 192.168.2.0 255.255.255.0 any
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0x4529e48, priority=12, domain=permit, deny=false
            hits=362922, user_data=0x4529e08, cs_id=0x0, flags=0x0, protocol=0
            src ip=192.168.2.0, mask=255.255.255.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0x44057f0, priority=0, domain=permit-ip-option, deny=true
            hits=2693939, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0
    Phase: 5
    Type: NAT-EXEMPT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0x44fe9a0, priority=6, domain=nat-exempt-reverse, deny=false
            hits=12, user_data=0x44fe800, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
            src ip=192.168.2.0, mask=255.255.255.0, port=0
            dst ip=192.168.50.0, mask=255.255.255.0, port=0
    Phase: 6
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    nat (inside) 10 192.168.50.0 255.255.255.0
      match ip inside 192.168.50.0 255.255.255.0 outside any
        dynamic translation to pool 10 (external [Interface PAT])
        translate_hits = 2250, untranslate_hits = 17
    Additional Information:
     Forward Flow based lookup yields rule:
     out id=0x4b80e80, priority=1, domain=nat-reverse, deny=false
            hits=32, user_data=0x4b80ce0, cs_id=0x0, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=192.168.50.0, mask=255.255.255.0, port=0
    Phase: 7
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    nat (inside) 10 192.168.50.0 255.255.255.0
      match ip inside 192.168.50.0 255.255.255.0 outside any
        dynamic translation to pool 10 (external [Interface PAT])
        translate_hits = 2250, untranslate_hits = 17
    Additional Information:
     Reverse Flow based lookup yields rule:
     in  id=0x4b80fa0, priority=1, domain=host, deny=false
            hits=2811, user_data=0x4b80ce0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip=192.168.50.0, mask=255.255.255.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0
    Phase: 8
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
     Reverse Flow based lookup yields rule:
     in  id=0x4469ef8, priority=0, domain=permit-ip-option, deny=true
            hits=2010804, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0
    Phase: 9
    Type: VPN
    Subtype: encrypt
    Result: DROP
    Config:
    Additional Information:
     Reverse Flow based lookup yields rule:
     out id=0x4887aa8, priority=70, domain=encrypt, deny=false
            hits=10, user_data=0x0, cs_id=0x44b18f8, reverse, flags=0x0, protocol=0
            src ip=192.168.50.0, mask=255.255.255.0, port=0
            dst ip=192.168.2.0, mask=255.255.255.0, port=0
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    So it seems to find the rule, which it ought to match, but then returns DENY.  What's going on here?  Perhaps this is misleading and the issue is elsewhere, but it isn't clear from the output here.
    For further information, this is output for the WORKING subnet - I have just taken a small part here though:
    Phase: 10
    Type: VPN
    Subtype: encrypt
    Result: ALLOW
    Config:
    Additional Information:
     Reverse Flow based lookup yields rule:
     out id=0x4b86418, priority=70, domain=encrypt, deny=false
            hits=332214, user_data=0x7da5c, cs_id=0x44b18f8, reverse, flags=0x0, protocol=0
            src ip=192.168.0.0, mask=255.255.255.0, port=0
            dst ip=192.168.2.0, mask=255.255.255.0, port=0
    Thanks very much in advance for any help you can provide - I've been really stuck on this one!
    Chris

    Hi,
    Can you issue the packet-tracer with the direction being your London office -> Remote office?
    Also issue the command twice.
    Personally I've used packet-tracer with some L2L VPNs to test if the remote end has the configurations correct. Also I've noticed that the first packet-tracer test never goes through. So issue that command twice and show how it goes.
    Though I imagine you have tried to connect through the L2L VPN with real host machines and not just the firewall's packet-tracer?
    Also I imagine the original info has a typo. You say your ASA's LAN gateway IP and the local L3 switch's IP address are the same, 192.168.0.254.
    Basically the hardest part regarding L2L VPNs should be the initial setup of the VPN connection. Even though it should be simple, people still tend to mess up PSKs or Phase1/2 parameters. But as your L2L VPN is already in working order and you are just adding networks to it, it should be pretty simple.
    When you add networks and don't require any special NAT configurations, your NAT0 and Encryption domain access-list should look pretty much the same.
    And looking at your configurations, it should be like this
    access-list outside_2_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
    Btw what is the network 192.168.7.0/24? It seems to have a VPN rule at the remote site but not at the HO site. Though there is a NAT0 rule for that traffic on the HO site.
    EDIT: I imagine the VPN network rules should be an exact mirror image of each other. Though it seems this doesn't stop devices from negotiating the VPN up, but who knows if some other device type is picky about that one. The only thing in your situation that I see is the network 192.168.7.0/24 that is not included in the other end's configurations.
    EDIT2: Also the reason your test for the already existing rule might be going through without a problem might be because the tunnel is up and working for the networks in question.
    EDIT3: Does your Vigor device also have NAT0 rules configured for the new networks?
    - Jouni
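
The consistency check described in the reply above, as an added example that is not part of the original thread: it parses ASA `access-list ... permit ip net mask net mask` lines, compares the NAT0 ACL with the crypto ACL, and compares the crypto ACL with the mirror image of the peer's protected networks. The sample configuration and the peer's network pairs are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress
import re

# Only the plain form used in the thread is handled:
#   access-list NAME extended permit ip SRC SRCMASK DST DSTMASK
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)


def parse_acls(config_text):
    """Return {acl_name: {(src_net, dst_net), ...}} for network/mask entries."""
    acls = {}
    for raw in config_text.splitlines():
        m = ACL_RE.match(raw.strip())
        if not m:
            continue
        name, s_ip, s_mask, d_ip, d_mask = m.groups()
        try:
            src = ipaddress.ip_network(f"{s_ip}/{s_mask}", strict=False)
            dst = ipaddress.ip_network(f"{d_ip}/{d_mask}", strict=False)
        except ValueError:
            continue  # object-group / host / any forms are out of scope here
        acls.setdefault(name, set()).add((src, dst))
    return acls


def audit(local_config, crypto_acl, nat0_acl, peer_pairs):
    """Compare NAT0 vs crypto ACL locally, and crypto ACL vs the peer's mirror.

    peer_pairs: (local_net, remote_net) CIDR strings as configured on the peer.
    """
    acls = parse_acls(local_config)
    crypto = acls.get(crypto_acl, set())
    nat0 = acls.get(nat0_acl, set())
    peer = {(ipaddress.ip_network(a), ipaddress.ip_network(b)) for a, b in peer_pairs}
    expected_peer = {(dst, src) for src, dst in crypto}  # mirror image
    return {
        "nat0_missing": sorted(crypto - nat0),       # encrypted but still NATed
        "nat0_extra": sorted(nat0 - crypto),         # NAT-exempt but not encrypted
        "peer_missing": sorted(expected_peer - peer),
        "peer_extra": sorted(peer - expected_peer),
    }


def _acl(name, third_octets):
    # Helper that builds constructed sample lines in the thread's format.
    return [
        f"access-list {name} extended permit ip 192.168.{n}.0 255.255.255.0 "
        "192.168.2.0 255.255.255.0"
        for n in third_octets
    ]


# Constructed sample: NAT0 carries one network (192.168.7.0/24) that the crypto
# ACL lacks, and the peer only knows two of the head-office networks.
HO_CONFIG = "\n".join(
    _acl("outside_2_cryptomap", (20, 30, 40, 50, 10, 0))
    + _acl("insideOutboundNonatAcl", (20, 30, 40, 50, 10, 0, 7))
)
PEER_PAIRS = [
    ("192.168.2.0/24", "192.168.0.0/24"),
    ("192.168.2.0/24", "192.168.7.0/24"),
]

if __name__ == "__main__":
    report = audit(HO_CONFIG, "outside_2_cryptomap", "insideOutboundNonatAcl", PEER_PAIRS)
    for finding, pairs in report.items():
        print(finding)
        for src, dst in pairs:
            print(f"  {src} -> {dst}")
```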

  • Q-sig Integration AS5400 / Hicon 300 E

    I have an AS5400 router, and it has two E1/R2 interfaces and one E1/PRI (ISDN/QSIG). The first E1 (6/7) is linked with the PBX (ISDN Q-Sig), and the second E1 I use for remote access with E1 R2 linked with the PSTN; it works fine.
    The problem is with ISDN/Q-SIG voice works:
    Below the configuration: (sh ver, Debug q931 and 921)
    Phone -- PABX/Hicom 300 -- E1/PRI(ISDN-Qsig) -- AS5400 --- 2621 -- E1/R2 -- PABX/Hicom 300 Phone
    AS5400#sh run
    Building configuration...
    Current configuration : 6990 bytes
    version 12.2
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service pt-vty-logging
    hostname AS5400
    boot system flash c5400-is-mz.122-15.T1.bin
    no boot startup-test
    logging queue-limit 100
    no logging rate-limit
    no logging console
    resource-pool disable
    clock timezone BRA -3
    spe country e1-default
    spe default-firmware spe-firmware-1
    ip subnet-zero
    no ip source-route
    ip cef
    isdn switch-type primary-qsig
    isdn voice-call-failure 0
    voice call send-alert
    voice call convert-discpi-to-prog
    voice call carrier capacity active
    voice rtp send-recv
    voice service voip
    fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback none
    h323
    voice class codec 1
    codec preference 1 g726r32
    voice class codec 2
    codec preference 1 g729br8
    codec preference 5 g726r32
    no voice hpi capture buffer
    no voice hpi capture destination
    mta receive maximum-recipients 0
    controller E1 6/0
    framing NO-CRC4
    ds0-group 0 timeslots 1-15,17-31 type r2-digital r2-compelled ani
    ds0 busyout 27-31 soft
    cas-custom 0
    country brazil
    metering
    seizure-ack-time 2
    category 2
    answer-signal group-b 1
    dnis-digits min 3 max 12
    answer-guard-time 1
    description *** E1/R2 / PABX ***
    controller E1 6/1
    framing NO-CRC4
    ds0-group 0 timeslots 1-15,17-31 type r2-digital r2-compelled
    cas-custom 0
    country brazil
    metering
    seizure-ack-time 2
    category 2
    answer-signal group-b 1
    dnis-digits min 3 max 12
    answer-guard-time 1
    description *** E1/R2 / PABX ***
    controller E1 6/2
    controller E1 6/3
    controller E1 6/4
    controller E1 6/5
    controller E1 6/6
    controller E1 6/7
    pri-group timeslots 1-8,16
    description *** E1/PRI ISDN Q-sig / PABX ***
    interface FastEthernet0/0
    ip address xxxxxxxxxxxxxxxxxx
    ip route-cache flow
    duplex full
    speed 100
    no cdp enable
    interface FastEthernet0/1
    ip address xxxxxxxxxxxxxxxxxxxx
    load-interval 30
    duplex full
    speed auto
    no cdp enable
    hold-queue 75 in
    interface Serial6/7:15
    no ip address
    isdn switch-type primary-qsig
    isdn overlap-receiving
    isdn incoming-voice modem
    isdn guard-timer 3000
    isdn contiguous-bchan
    isdn bchan-number-order ascending
    isdn sending-complete
    no cdp enable
    interface Group-Async0
    no ip address
    group-range 1/00 3/107
    ip classless
    ip route 0.0.0.0 0.0.0.0 xxxxxxxxx
    no ip http server
    call rsvp-sync
    call progress tone country brazil
    voice-port 6/0:0
    input gain -5
    output attenuation -5
    compand-type a-law
    cptone BR
    timeouts initial 0
    timeouts interdigit 0
    timeouts call-disconnect 3
    timeouts wait-release 3
    voice-port 6/1:0
    input gain -5
    output attenuation -5
    compand-type a-law
    cptone BR
    voice-port 6/7:D
    bearer-cap Speech
    mgcp profile default
    dial-peer cor custom
    dial-peer voice 1 pots
    description *** xxxxxxxxxxxxxxxx ***
    preference 1
    destination-pattern 514...
    progress_ind alert enable 8
    direct-inward-dial
    port 6/0:0
    prefix 4
    dial-peer voice 4 voip
    description *** xxxxxxxxxxx ***
    destination-pattern 0115509....
    voice-class codec 1
    session target ipv4:xxxxxxxxxx
    fax rate 14400
    fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback none
    dial-peer voice 150 voip
    description *** xxxxxxxxxxxxxx ***
    preference 3
    destination-pattern 2301T
    progress_ind setup enable 3
    voice-class codec 1
    session target ipv4:xxxxxxxxx
    fax rate 14400
    fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback none
    dial-peer voice 5 pots
    description *** xxxxxxxxxxxxxxxx ***
    preference 5
    destination-pattern 514...
    direct-inward-dial
    port 6/1:0
    forward-digits 3
    prefix 4
    dial-peer voice 7 pots
    description *** xxxxxxxxxxxxxxx ***
    preference 3
    destination-pattern 515T
    direct-inward-dial
    port 6/1:0
    forward-digits 3
    prefix 5
    dial-peer voice 100 voip
    description *** xxxxxxxxxxxx ***
    destination-pattern 110T
    voice-class codec 1
    session target ipv4:xxxxxxxxxx
    fax rate 14400
    fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback none
    dial-peer voice 159 voip
    description *** ISDN-Qsig ***
    destination-pattern 590115509....
    voice-class codec 1
    session target ipv4:xxxx
    no vad
    line 3/00 3/107
    no flush-at-activation
    modem InOut
    scheduler allocate 10000 400
    end
    AS5400#sh ver
    Cisco Internetwork Operating System Software
    IOS (tm) 5400 Software (C5400-IS-M), Version 12.2(15)T1, RELEASE SOFTWARE (fc1)
    TAC Support: http://www.cisco.com/tac
    Copyright (c) 1986-2003 by cisco Systems, Inc.
    Compiled Thu 27-Mar-03 07:42 by ccai
    Image text-base: 0x6000895C, data-base: 0x61600000
    ROM: System Bootstrap, Version 12.2(1r)1, RELEASE SOFTWARE (fc1)
    BOOTLDR: 5400 Software (C5400-BOOT-M), Version 12.1(1)XD1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc2)
    voz2-poa uptime is 21 hours, 15 minutes
    System returned to ROM by reload at 12:24:43 BRA Thu Apr 24 2003
    System image file is "flash:c5400-is-mz.122-15.T1.bin"
    cisco AS5400 (R7K) processor (revision T) with 262144K/65536K bytes of memory.
    Processor board ID JAE053503JM
    R7000 CPU at 250Mhz, Implementation 39, Rev 1.0, 256KB L2, 2048KB L3 Cache
    Last reset from IOS reload
    Channelized E1, Version 1.0.
    Bridging software.
    X.25 software, Version 3.0.0.
    SuperLAT software (copyright 1990 by Meridian Technology Corp).
    Primary Rate ISDN software, Version 1.1.
    Manufacture Cookie Info:
    EEPROM Type 0x0001, EEPROM Version 0x01, Board ID 0x31,
    Board Hardware Version 3.27, Item Number 800-5171-02,
    Board Revision A0, Serial Number JAE053503JM,
    PLD/ISP Version 2.2, Manufacture Date 3-Sep-2001.
    Processor 0x14, MAC Address 0x0653455054
    Backplane HW Revision 1.0, Flash Type 5V
    2 FastEthernet/IEEE 802.3 interface(s)
    19 Serial network interface(s)
    276 terminal line(s)
    16 Channelized E1/PRI port(s)
    512K bytes of non-volatile configuration memory.
    32768K bytes of processor board System flash (Read/Write)
    8192K bytes of processor board Boot flash (Read/Write)
    Configuration register is 0x2102
    AS5400#
    AS5400#debug isdn q931
    debug isdn q931 is ON.
    voz2-poa#debug isdn q921
    debug isdn q921 is ON.
    voz2-poa#
    *Apr 24 10:34:01.444 BRA: ISDN Se6/7:15 Q921: User RX <- RRp sapi=0 tei=0 nr=0
    *Apr 24 10:34:01.444 BRA: ISDN Se6/7:15 Q921: User TX -> RRf sapi=0 tei=0 nr=66
    *Apr 24 10:34:10.096 BRA: ISDN Se6/7:15 Q921: User RX <- INFO sapi=0 tei=0, ns=66 nr=0
    *Apr 24 10:34:10.096 BRA: ISDN Se6/7:15 Q931: SEGMENT pd = 8 callref = 0x007F
    Segmented Message i = 0x8105
    1st segment. Segments remaining : 1
    *Apr 24 10:34:10.096 BRA: ISDN Se6/7:15 Q921: User TX -> RR sapi=0 tei=0 nr=67
    *Apr 24 10:34:10.120 BRA: ISDN Se6/7:15 Q921: User RX <- INFO sapi=0 tei=0, ns=67 nr=0
    *Apr 24 10:34:10.120 BRA: ISDN Se6/7:15 Q931: SEGMENT pd = 8 callref = 0x007F
    Segmented Message i = 0x0005
    Segments remaining : 0
    *Apr 24 10:34:10.120 BRA: ISDN Se6/7:15 Q921: User TX -> RR sapi=0 tei=0 nr=68
    *Apr 24 10:34:10.120 BRA: ISDN Se6/7:15 Q931: RX <-
    *Apr 24 10:34:10.120 BRA: ISDN Se6/7:15 Q931: SETUP pd = 8 callref = 0x007F (re-assembled)
    Bearer Capability i = 0x9090A3
    Standard = CCITT
    Transer Capability = 3.1kHz Audio
    Transfer Mode = Circuit
    Transfer Rate = 64 kbit/s
    Channel ID i = 0xA98382
    Exclusive, Channel 2
    Facility i = 0x91AA068001008201008B0100A1150202243006082B0C02885302010603050101000000
    Facility i = 0x91AA068001018201018B0100A1580202244006082B0C0288530201073048A2463044810100820101A30BA0098004343136310A0100A40B80033230313004800200C8A50C8004343136313004800200C8A614800D353930313135353039393035303003800164
    Facility i = 0x91AA068001018201018B0100A1300202245006082B0C0288530201043020800332303102030ACB48800332303102030ACB49A004800200C8A104800200C8
    Facility i = 0x91AA068001008201008B0102A1140202246002013B300B30090A01050A01030A0104
    Facility i = 0x91AA068001008201008B0100A11C0202247006042B0C0900A110040B4A4F414F204152414E4441020101
    Facility i = 0x91AA068001008201018B0100A1330202248006082B0C0288530201003023822101039E00A0031A0200000001000000000000840E38208F0480C500000404008884
    Progress Ind i = 0x8183 - Origination address is non-ISDN
    Calling Party Number i = 0x0083, '4161'
    Plan:Unknown, Type:Unknown
    Called Party Number i = 0x80, '5901155099050'
    Plan:Unknown, Type:Unknown
    *Apr 24 10:34:10.120 BRA: ISDN **ERROR**: Module-CCPQSIG Function-CCPQSIG_CallOffered Error-Unknown event 0x4E
    *Apr 24 10:34:14.064 BRA: ISDN Se6/7:15 Q921: User RX <- INFO sapi=0 tei=0, ns=68 nr=0
    *Apr 24 10:34:14.064 BRA: ISDN Se6/7:15 Q931: RELEASE_COMP pd = 8 callref = 0x007F
    Cause i = 0x80E6333033 - Recovery on timer expiry
    *Apr 24 10:34:14.064 BRA: ISDN Se6/7:15 Q921: User TX -> RR sapi=0 tei=0 nr=69
    AS5400#
    Any idea?
    Can someone help me?
    Regards

    The call received on the AS5400 over the isdn-qsig line was disconnected because CALL-PROCEEDING was not received by the PBX/Hicom switch.
    So number 5901155099050 will match the voip dial-peer 159 and an ip call will be initiated to the 2621. Now the 2621 will initiate the call over E1-R2 to the pbx/switch, and call-proceeding has to be generated by that switch, which will be forwarded back to the isdn-qsig switch/pbx. I think that was delayed too much and finally the switch may have timed out and disconnected the call.
    So turn on "debug voip ccapi inout" and "debug isdn q931" on both the gateways involved to see what happened with that call.

  • Howto: Zones in private subnets using ipfilter's NAT and Port forwarding

    This setup supports the following features:
    * Requires 1 Network interface total.
    * Supports 1 or more public ips.
    * Allows Zone to Zone private network traffic.
    * Allows internet access from the global zones.
    * Allows direct (via ipfilter) internet access to ports in non-global zones.
    (change networks to suit your needs, the number of public and private ip was lowered to simplify this doc)
    Network setup:
    iprb0 65.38.103.1/24
    defaultrouter 65.38.103.254
    iprb0:1 192.168.1.1/24 (in global zone)
    Create a zone on iprb0 with an ip of 192.168.1.2
    ### Example /etc/ipf/ipnat.conf
    # forward from a public port to a private zone port
    rdr iprb0 65.38.103.1/32 port 2222 -> 192.168.1.2 port 22
    # force outbound zone traffic thru a certain ip address
    # required for mail servers because of reverse lookup
    map iprb0 192.168.1.2/32 -> 65.38.103.1/32 proxy port ftp ftp/tcp
    map iprb0 192.168.1.2/32 -> 65.38.103.1/32 portmap tcp/udp auto
    map iprb0 192.168.1.2/32 -> 65.38.103.1
    # allow any 192.168.1.x zone to use the internet
    map iprb0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
    map iprb0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
    map iprb0 192.168.1.0/24 -> 0/32
    For testing purposes you can leave /etc/ipf/ipf.conf empty.
    Be aware that you must "svcadm disable ipfilter; svcadm enable ipfilter" to reload rules, and the rules stay loaded if they are just disabled (bug).
    Zones can't modify their routes and inherit the default routes of the global zone. Because of this we have to trick the non-global zones into using a router that doesn't exist.
    Create /etc/init.d/zone_route_hack
    Link this file to /etc/rc3.d/S99zone_route_hack.
    #!/bin/sh
    # based on information found at
    # http://blogs.sun.com/roller/page/edp?entry=using_branded_zones_on_a
    # http://forum.sun.com/jive/thread.jspa?threadID=75669&messageID=275741
    fake_router=192.168.1.254
    public_net=65.38.103.0
    router=`netstat -rn | grep default | grep -v " $fake_router " | nawk '{print $2}'`
    # send some data to the real network router so we look up its arp address
    ping -sn $router 1 1 >/dev/null
    # record the arp address of the real router
    router_arp=`arp $router | nawk '{print $4}'`
    # delete any existing arp address entry for our fake private subnet router
    arp -d $fake_router >/dev/null
    # assign the real router's arp address to our fake private subnet router
    arp -s $fake_router $router_arp
    # route our private subnet through our fake private subnet router
    route add default $fake_router
    # Can't create this route until the zone/interface are loaded
    # Adjust this based on your hardware and number of zones
    sleep 300
    # Duplicate this line for every non-global zone with a private ip that
    # will have ipfilter rdr (redirects) pointing to it
    route add -net $public_net 192.168.1.2 -iface
    Now we have both public and private ip addresses on our one iprb0 interface. If we'd really like our private zone network to really be private we don't want any non-NAT'ed 192.168.1.x traffic leaving the interface. Since ipfilter can't block traffic between zones because they use loopbacks we can just block the 192.168.1.x traffic and the zones can still talk.
    The following /etc/ipf/ipf.conf defaults to deny.
    # ipf.conf
    # IP Filter rules to be loaded during startup
    # See ipf(4) manpage for more information on
    # IP Filter rules syntax.
    # INCOMING DEFAULT DENY
    block in all
    block return-rst in proto tcp all
    # two open ports one of which is redirected in ipnat.conf
    pass in quick on iprb0 proto tcp from any to any port = 22 flags S keep state keep frags
    pass in quick on iprb0 proto tcp from any to any port = 2222 flags S keep state keep frags
    # INCOMING PING
    pass in quick on iprb0 proto icmp from any to 65.38.103.0/24 icmp-type 8 keep state
    # INCOMING GLOBAL ZONE UNIX TRACEROUTE FIX PART 1
    #pass in quick on iprb0 proto udp from any to 65.38.103.0/24 keep state
    # OUTGOING RULES
    block out all
    # ALL INTERNAL TRAFFIC STAYS INTERNAL (Zones use non-filtered loopback)
    # remove/edit as needed to actually talk to local private physical networks
    block out quick from any to 192.168.0.0/16
    block out quick from any to 172.16.0.0/12
    block out quick from any to 10.0.0.0/8
    block out quick from any to 0.0.0.0/8
    block out quick from any to 127.0.0.0/8
    block out quick from any to 169.254.0.0/16
    block out quick from any to 192.0.2.0/24
    block out quick from any to 204.152.64.0/23
    block out quick from any to 224.0.0.0/3
    # Allow traffic out the public interface on the public address
    pass out quick on iprb0 from 65.38.103.1/32 to any flags S keep state keep frags
    # OUTGOING PING
    pass out quick on iprb0 proto icmp from 65.38.103.1/32 to any icmp-type 8 keep state
    # Allow traffic out the public interface on the private address (needs nat and router arp hack)
    pass out quick on iprb0 from 192.168.1.0/24 to any flags S keep state keep frags
    # OUTGOING PING
    pass out quick on iprb0 proto icmp from 192.168.1.0/24 to any icmp-type 8 keep state
    # INCOMING TRACEROUTE FIX PART 2
    #pass out quick on iprb0 proto icmp from 65.38.103.1/32 to any icmp-type 3 keep state
    If you want incoming and outgoing internet in your zones it is easier if you just give them public ips and set up a firewall in the global zone. If you have limited public ip addresses (I'm setting up a colocation 1u server) then you might take this approach. One of the best things about doing things this way is that any software configured in the non-global zones will never be configured to listen on an ip address that might change if you change public ips.
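
How the rule order in the ipf.conf above decides a packet's fate, as an added example that is not part of the original post: IPFilter applies the last matching rule unless a matching rule carries `quick`, which ends evaluation at once. The evaluator below is a simplified model with hypothetical function names; it considers only the first TCP packet of a flow and ignores state tracking, NAT, and the `flags` and `icmp-type` keywords, and the test packets are constructed.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# TCP-relevant filter rules copied from the post's ipf.conf
# (ICMP rules and commented-out rules are left out).
IPF_CONF = """\
block in all
block return-rst in proto tcp all
pass in quick on iprb0 proto tcp from any to any port = 22 flags S keep state keep frags
pass in quick on iprb0 proto tcp from any to any port = 2222 flags S keep state keep frags
block out all
block out quick from any to 192.168.0.0/16
block out quick from any to 172.16.0.0/12
block out quick from any to 10.0.0.0/8
block out quick from any to 0.0.0.0/8
block out quick from any to 127.0.0.0/8
block out quick from any to 169.254.0.0/16
block out quick from any to 192.0.2.0/24
block out quick from any to 204.152.64.0/23
block out quick from any to 224.0.0.0/3
pass out quick on iprb0 from 65.38.103.1/32 to any flags S keep state keep frags
pass out quick on iprb0 from 192.168.1.0/24 to any flags S keep state keep frags
"""


def parse_rule(line):
    """Parse the subset of ipf syntax used above into a dict."""
    t = line.split()
    rule = {"text": line, "action": t[0], "quick": False, "iface": None,
            "proto": None, "src": ANY, "dst": ANY, "dport": None}
    i = 1
    if t[i].startswith("return-"):       # e.g. "block return-rst in ..."
        i += 1
    rule["dir"] = t[i]
    i += 1
    while i < len(t):
        tok = t[i]
        if tok == "quick":
            rule["quick"] = True
        elif tok == "on":
            i += 1
            rule["iface"] = t[i]
        elif tok == "proto":
            i += 1
            rule["proto"] = t[i]
        elif tok in ("from", "to"):
            i += 1
            net = ANY if t[i] == "any" else ipaddress.ip_network(t[i], strict=False)
            rule["src" if tok == "from" else "dst"] = net
            if t[i + 1:i + 3] == ["port", "="]:
                if tok == "to":
                    rule["dport"] = int(t[i + 3])
                i += 3
        i += 1                            # "all", flags, keep state: ignored
    return rule


def load_rules(text):
    lines = (ln.strip() for ln in text.splitlines())
    return [parse_rule(ln) for ln in lines if ln and not ln.startswith("#")]


def tcp_syn(direction, src, dst, dport, iface="iprb0"):
    """Constructed test packet: first packet of a TCP connection."""
    return {"dir": direction, "iface": iface, "proto": "tcp",
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "dport": dport}


def evaluate(rules, pkt):
    """Return (action, rule_text); ('default', None) when nothing matches."""
    verdict = ("default", None)
    for r in rules:
        if r["dir"] != pkt["dir"]:
            continue
        if r["iface"] and r["iface"] != pkt["iface"]:
            continue
        if r["proto"] and r["proto"] != pkt["proto"]:
            continue
        if pkt["src"] not in r["src"] or pkt["dst"] not in r["dst"]:
            continue
        if r["dport"] is not None and r["dport"] != pkt["dport"]:
            continue
        verdict = (r["action"], r["text"])   # last match so far
        if r["quick"]:
            break                             # quick: stop evaluating
    return verdict


if __name__ == "__main__":
    rules = load_rules(IPF_CONF)
    for p in (tcp_syn("out", "192.168.1.2", "203.0.113.10", 80),
              tcp_syn("out", "192.168.1.2", "192.168.1.3", 22),
              tcp_syn("out", "65.38.103.2", "203.0.113.10", 80),
              tcp_syn("in", "203.0.113.10", "65.38.103.1", 80)):
        print(p["dir"], p["src"], "->", p["dst"], p["dport"], evaluate(rules, p))
```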

    Instead of using the script as a legacy_run script, set it up in SMF.
    First create the file /var/svc/manifest/system/ip-route-hack.xml with
    the following
    ---Start---
    <?xml version="1.0"?>
    <!DOCTYPE service_bundle SYSTEM
    "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
    <!--
    ident "@(#)ip-route-hack.xml 1.0 09/21/06"
    -->
    <service_bundle type='manifest' name='NATtrans:ip-route-hack'>
    <service
    name='system/ip-route-hack'
    type='service'
    version='1'>
    <create_default_instance enabled='true' />
    <single_instance />
    <dependency
    name='physical'
    grouping='require_all'
    type='service'
    restart_on='none'>
    <service_fmri value='svc:/network/physical:default' />
    </dependency>
    <dependency
    name='loopback'
    grouping='require_all'
    type='service'
    restart_on='none'>
    <service_fmri value='svc:/network/loopback:default' />
    </dependency>
    <exec_method
    type='method'
    name='start'
    exec='/lib/svc/method/svc-ip-route-hack start'
    timeout_seconds='0' />
    <property_group name='startd' type='framework'>
    <propval name='duration' type='astring'
    value='transient' />
    </property_group>
    <stability value='Unstable' />
    <template>
    <common_name>
    <loctext xml:lang='C'>
    Hack to allow zone to NAT translate.
    </loctext>
    </common_name>
    <documentation>
    <manpage
    title='zones'
    section='1M'
    manpath='/usr/share/man' />
    </documentation>
    </template>
    </service>
    </service_bundle>
    ---End---
    then modify /var/svc/manifest/system/zones.xml and add the following
    dependency
    ---Start---
    <dependency
    name='inet-ip-route-hack'
    type='service'
    grouping='require_all'
    restart_on='none'>
    <service_fmri value='svc:/system/ip-route-hack' />
    </dependency>
    ---End---
    Finally create the file /lib/svc/method/svc-ip-route-hack with the
    contents of S99zone_route_hack, minus the sleep timer (perms 0755). Run
    'svccfg import /var/svc/manifest/system/ip-route-hack.xml' and 'svccfg
    import /var/svc/manifest/system/zones.xml'.
    This will guarantee that ip-route-hack is run before zones are started,
    but after the interfaces are brought on line. It is worth noting that
    zones.xml may get overwritten during a patch, so if it suddenly stops
    working, that could be why.

  • All the subnets are not reachable over the VPN

    Hi all,
    We have an EZVPN connection to one of our branch offices. The connectivity diagram is attached to this discussion.
    HO LAN (10.1.0.0/16 & 192.6.14.0/24) --------- ASA5520-------- Internet ---------- Cisco2911-------- LAN of remote location (10.2.0.0/16)
    We are using the 10.2.0.0/26 subnet at the remote office and the 10.1.0.0/16 & 192.6.14.0/24 subnets at HO. From HO, through 10.1.0.0/16 & 192.6.14.0/24, all the devices are reachable except the firewall which is connected to the GigabitEthernet0/2 interface of the cisco2911 router (on which the VPN is created).
    It's a fortigate firewall and it is reachable locally from the network 10.2.0.0/16. I believe it's an issue with the phase2 ACLs but I wasn't able to resolve the issue.
    I'm not able to take the GUI / CLI interfaces of the fortigate firewall; I'm not even able to ping the IP of the GigabitEthernet0/2 interface of the cisco2911.
    Kindly advise on the same.
    Below is the configuration of ASA5520 of HO and cisco2911 router of branch office
    ASA5520:-
    access-list inside_access_in extended permit ip 192.6.14.0 255.255.255.0 10.2.0.0 255.255.0.0
    access-list inside_access_in extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip 192.6.14.0 255.255.255.0 10.2.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
    access-list splittunnelacl_JNC_AUH extended permit ip 192.6.14.0 255.255.255.0 10.2.0.0 255.255.0.0
    access-list splittunnelacl_JNC_AUH extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
    access-list Outside_cryptomap_65534.191 extended permit ip object-group DM_INLINE_NETWORK_103 10.2.0.0 255.255.0.0
    jashanmalasa/sec/act# sho run obj
    jashanmalasa/sec/act# sho run object-group | b DM_INLINE_NETWORK_103
    object-group network DM_INLINE_NETWORK_103
     network-object 10.1.0.0 255.255.0.0
     network-object 192.6.14.0 255.255.255.0
    group-policy AUHNEW internal
    group-policy AUHNEW attributes
     dns-server value 192.6.14.189 192.6.14.182
     vpn-access-hours none
     vpn-idle-timeout none
     vpn-session-timeout none
     vpn-filter none
     vpn-tunnel-protocol IPSec
     ip-comp disable
     re-xauth disable
     pfs enable
     ipsec-udp disable
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value
     default-domain value xxxxxx
     secure-unit-authentication disable
     user-authentication disable
     user-authentication-idle-timeout none
     ip-phone-bypass disable
     leap-bypass disable
     nem enable
    tunnel-group AUHNEW type remote-access
    tunnel-group AUHNEW general-attributes
     authorization-server-group LOCAL
     default-group-policy AUHNEW
    tunnel-group AUHNEW ipsec-attributes
     pre-shared-key *****
     peer-id-validate nocheck
     isakmp ikev1-user-authentication none
    Cisco2911:-
    Current configuration : 10258 bytes
    ! Last configuration change at 19:06:18 AST Thu May 8 2014 by admin
    ! NVRAM config last updated at 19:01:43 AST Thu May 8 2014 by admin
    ! NVRAM config last updated at 19:01:43 AST Thu May 8 2014 by admin
    version 15.1
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    service password-encryption
    hostname AUHOffice_RTR
    boot-start-marker
    boot system flash:c2900-universalk9-mz.SPA.151-4.M4.bin
    boot-end-marker
    card type e1 0 0
    no aaa new-model
    clock timezone AST 4 0
    network-clock-participate wic 0
    network-clock-select 1 E1 0/0/0
    no ipv6 cef
    ip source-route
    ip cef
    ip name-server 213.42.xxx.xxx
    multilink bundle-name authenticated
    isdn switch-type primary-net5
    crypto pki token default removal timeout 0
    voice-card 0
     dspfarm
     dsp services dspfarm
    voice service voip
     fax protocol pass-through g711ulaw
    voice class codec 1
     codec preference 1 g711ulaw
     codec preference 2 g711alaw
     codec preference 3 g729r8
     codec preference 4 g729br8
    voice class h323 1
      h225 timeout tcp establish 3
    voice translation-rule 1
     rule 1 /^9\(.*\)/ /\1/
    voice translation-rule 2
     rule 1 /^0\(2.......\)$/ /00\1/
     rule 2 /^0\(3.......\)$/ /00\1/
     rule 3 /^0\(4.......\)$/ /00\1/
     rule 4 /^0\(5........\)$/ /00\1/
     rule 5 /^0\(6.......\)$/ /00\1/
     rule 6 /^0\(7.......\)$/ /00\1/
     rule 7 /^0\(9.......\)$/ /00\1/
     rule 8 /^00\(.*\)/ /0\1/
     rule 9 /^.......$/ /0&/
     rule 10 // /000\1/
    voice translation-rule 3
     rule 1 /^3../ /026969&/
    voice translation-profile FROM_PSTN
     translate calling 2
     translate called 1
    voice translation-profile TO_PSTN
     translate calling 3
    license udi pid CISCO2911/K9 sn xxxxxxxxx
    license accept end user agreement
    license boot module c2900 technology-package securityk9
    hw-module pvdm 0/0
    hw-module sm 1
    username admin privilege 15 secret 4 Ckg/sS5mzi4xFYrh1ggXo92THcL6Z0c6ng70wM9oOxg
    redundancy
    controller E1 0/0/0
     framing NO-CRC4
     pri-group timeslots 1-10,16
    crypto ipsec client ezvpn jashanvpn
     connect auto
     group AUHNEW key jashvpn786
     mode network-extension
     peer 83.111.xxx.xxx
     acl 150
     nat allow
     nat acl 110
     xauth userid mode interactive
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    interface GigabitEthernet0/0
     ip address 10.2.0.1 255.255.255.248
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1430
     ip policy route-map temp
     duplex auto
     speed auto
     crypto ipsec client ezvpn jashanvpn inside
     h323-gateway voip interface
     h323-gateway voip bind srcaddr 10.2.0.1
    interface GigabitEthernet0/1
     description *** Connected to 40MB Internet ***
     no ip address
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
     pppoe enable group global
     pppoe-client dial-pool-number 1
    interface GigabitEthernet0/2
     ip address 10.2.0.11 255.255.255.248
     duplex auto
     speed auto
    interface Serial0/0/0:15
     no ip address
     encapsulation hdlc
     isdn switch-type primary-net5
     isdn incoming-voice voice
     no cdp enable
    interface SM1/0
     ip unnumbered GigabitEthernet0/0
     service-module ip address 10.2.0.3 255.255.255.248
     !Application: CUE Running on SM
     service-module ip default-gateway 10.2.0.1
    interface SM1/1
     description Internal switch interface connected to Service Module
     no ip address
    interface Vlan1
     no ip address
    interface Dialer0
     description *** JASHANMAL 40MB Internet ***
     ip address negotiated
     ip mtu 1492
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     ppp authentication chap pap callin
     ppp chap hostname xxxxx
     ppp chap password 7 0252150B0C0D5B2748
     ppp pap sent-username xxxxxx password 7 15461A5C03217F222C
     crypto ipsec client ezvpn jashanvpn
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source route-map nonat interface Dialer0 overload
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip route 10.2.0.0 255.255.248.0 10.2.0.2
    ip route 10.2.0.3 255.255.255.255 SM1/0
    ip route 10.2.6.1 255.255.255.255 10.2.0.2
    ip route 10.2.7.1 255.255.255.255 10.2.0.2
    ip route 172.16.5.0 255.255.255.0 10.2.0.2
    access-list 100 deny   ip 10.2.4.0 0.0.0.255 10.1.15.0 0.0.0.255
    access-list 100 deny   ip 10.2.4.0 0.0.0.255 192.6.14.0 0.0.0.255
    access-list 100 deny   ip 10.2.4.0 0.0.0.255 10.1.50.0 0.0.0.255
    access-list 100 deny   ip 10.2.4.0 0.0.0.255 10.1.2.0 0.0.0.255
    access-list 100 deny   ip 172.16.5.0 0.0.0.255 10.1.6.0 0.0.0.255
    access-list 100 permit ip 10.2.4.0 0.0.0.255 any
    access-list 100 permit ip 172.16.5.0 0.0.0.255 any
    access-list 110 deny   ip 10.2.0.0 0.0.0.255 192.6.14.0 0.0.0.255
    access-list 110 deny   ip 10.2.2.0 0.0.0.255 192.6.14.0 0.0.0.255
    access-list 110 deny   ip 10.2.3.0 0.0.0.255 192.6.14.0 0.0.0.255
    access-list 110 deny   ip 10.2.1.0 0.0.0.255 192.6.14.0 0.0.0.255
    access-list 110 deny   ip 10.2.5.0 0.0.0.255 192.6.14.0 0.0.0.255
    access-list 110 deny   ip 10.2.5.0 0.0.0.255 10.1.0.0 0.0.255.255
    access-list 110 deny   ip 10.2.3.0 0.0.0.255 10.1.0.0 0.0.255.255
    access-list 110 deny   ip 10.2.2.0 0.0.0.255 10.1.0.0 0.0.255.255
    access-list 110 deny   ip 10.2.1.0 0.0.0.255 10.1.0.0 0.0.255.255
    access-list 110 deny   ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.255.255
    access-list 110 deny   ip 10.2.4.0 0.0.0.255 10.1.9.0 0.0.0.255
    access-list 110 deny   ip 10.2.4.0 0.0.0.255 10.1.50.0 0.0.0.255
    access-list 110 deny   ip 10.2.4.0 0.0.0.255 10.1.15.0 0.0.0.255
    access-list 110 deny   ip 10.2.4.0 0.0.0.255 192.6.14.0 0.0.0.255
    access-list 110 deny   ip 10.2.4.0 0.0.0.255 10.1.2.0 0.0.0.255
    access-list 110 deny   ip 10.2.6.0 0.0.0.255 10.1.15.0 0.0.0.255
    access-list 110 deny   ip 10.2.6.0 0.0.0.255 10.1.0.0 0.0.255.255
    access-list 110 deny   ip 10.2.6.0 0.0.0.255 192.6.14.0 0.0.0.255
    access-list 110 deny   ip 172.16.5.0 0.0.0.255 192.6.14.0 0.0.0.255
    access-list 110 deny   ip 172.16.5.0 0.0.0.255 10.1.0.0 0.0.255.255
    access-list 110 deny   ip 172.16.5.0 0.0.0.255 10.1.9.0 0.0.0.255
    access-list 110 deny   ip 172.16.5.0 0.0.0.255 10.1.50.0 0.0.0.255
    access-list 110 deny   ip 172.16.5.0 0.0.0.255 10.1.15.0 0.0.0.255
    access-list 110 deny   ip 172.16.5.0 0.0.0.255 10.1.2.0 0.0.0.255
    access-list 110 permit ip host 10.2.6.1 any
    access-list 110 permit ip host 10.2.6.2 any
    access-list 110 permit ip host 10.2.6.3 any
    access-list 110 permit ip host 10.2.6.4 any
    access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 86.96.201.72 eq 10008
    access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 86.96.254.136 eq 10008
    access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 216.52.207.67 eq www
    access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 199.168.151.22 eq www
    access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 199.168.148.22 eq www
    access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 199.168.149.22 eq www
    access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 199.168.150.22 eq www
    access-list 110 permit tcp 172.16.5.0 0.0.0.255 any
    access-list 150 permit ip 10.2.4.0 0.0.0.255 any
    access-list 150 permit ip 10.2.0.0 0.0.0.255 any
    access-list 150 permit ip 10.2.1.0 0.0.0.255 any
    access-list 150 permit ip 10.2.2.0 0.0.0.255 any
    access-list 150 permit ip 10.2.3.0 0.0.0.255 any
    access-list 150 permit ip 10.2.5.0 0.0.0.255 any
    access-list 150 permit ip 10.2.6.0 0.0.0.255 any
    access-list 150 permit ip 172.16.5.0 0.0.0.255 any
    access-list 150 permit ip 10.2.7.0 0.0.0.255 any
    route-map temp permit 100
     match ip address 100
     set ip next-hop 10.2.0.9
    route-map temp permit 110
    route-map nonat permit 10
     match ip address 110
    snmp-server community xxxxxxxx
    snmp-server location JNC AbuDhabi Office
    snmp-server contact xxxxxxxx
    snmp-server enable traps tty
    snmp-server enable traps cpu threshold
    snmp-server enable traps syslog
    snmp-server host xxxxx version 2c jash
    control-plane
    voice-port 0/0/0:15
     translation-profile incoming FROM_PSTN
     bearer-cap Speech
    voice-port 0/1/0
    voice-port 0/1/1
    voice-port 0/1/2
    voice-port 0/1/3
    mgcp profile default
    dial-peer cor custom
     name CCM
     name 0
     name 00
    dial-peer cor list CCM
     member CCM
     member 0
     member 00
    dial-peer cor list 0
     member 0
    dial-peer cor list 00
     member 0
     member 00
    dial-peer voice 100 voip
     corlist incoming CCM
     preference 1
     destination-pattern [1-8]..
     session target ipv4:10.1.2.12
     incoming called-number [1-8]..
     voice-class codec 1  
     voice-class h323 1
     dtmf-relay h245-alphanumeric
     no vad
    dial-peer voice 101 voip
     corlist incoming CCM
     huntstop
     preference 2
     destination-pattern [1-8]..
     session target ipv4:10.1.2.11
     incoming called-number [1-8]..
     voice-class codec 1  
     voice-class h323 1
     dtmf-relay h245-alphanumeric
     no vad
    dial-peer voice 201 pots
     corlist outgoing 0
     translation-profile outgoing TO_PSTN
     destination-pattern 0[1-9]T
     incoming called-number .
     direct-inward-dial
     port 0/0/0:15
    dial-peer voice 202 pots
     corlist outgoing 0
     translation-profile outgoing TO_PSTN
     destination-pattern 00[1-9]T
     incoming called-number .
     direct-inward-dial
     port 0/0/0:15
     prefix 0
    dial-peer voice 203 pots
     corlist outgoing 00
     translation-profile outgoing TO_PSTN
     destination-pattern 000T
     incoming called-number .
     direct-inward-dial
     port 0/0/0:15
     prefix 00
    gateway
     timer receive-rtp 1200
    gatekeeper
     shutdown
    call-manager-fallback
     secondary-dialtone 0
     max-conferences 8 gain -6
     transfer-system full-consult
     timeouts interdigit 4
     ip source-address 10.2.0.1 port 2000
     max-ephones 58
     max-dn 100
     system message primary Your Current Options SRST Mode
     transfer-pattern .T
     alias 1 300 to 279
     call-forward pattern .T
     time-zone 35
     date-format dd-mm-yy
     cor incoming 0 1 100 - 899
    line con 0
     password 7 030359065206234104
     login local
    line aux 0
     password 7 030359065206234104
     login local
    line 2
     no activation-character
     no exec
     transport preferred none
     transport input all
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line 67
     no activation-character
     no exec
     transport preferred none
     transport input all
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line vty 0 4
     password 7 110E1B08431B09014E
     login local
     transport input all
    line vty 5 15
     password 7 030359065206234104
     login local
     transport input all
    scheduler allocate 20000 1000
    ntp master 1
    end

    Attached is the result from packet tracer of ASA5520-ASDM

  • Want to make an isolated subnet

    I am wanting to set up an isolated subnet subordinate to my main subnet, but am seeking guidance before I go out and spend a bunch of money on stuff then find out that it won't work.
    I want to place some (outdoor, in weather-proof enclosures) wireless network webcam servers onto my existing subnet. The wireless network webcam servers are TrendNet TV-IP301W.
    My existing network consists of a combo DSL modem with router and wireless. I rent the modem/router/WAP from my ISP. It does WPA2-AES, and all wireless computers connect to it using WPA2-AES.
    The TrendNet webcam servers do NOT support WPA2-AES. The manufacturer has advised me that they have no plans of upgrading the firmware in that device to do so. At $300+ each, they are not something that I want to just throw away or take a big loss on eBay trying to sell.
    So, I would like to hang an "isolated" WPA1-TKIP subnet (192.168.1.x) off of my existing (192.168.0.x) DSL modem subnet. My initial cut at a network topology design can be seen here.
    One of my main goals for this topology is to continue using the existing routing capabilities of the DSL modem (it can port forward to computers by hostname not IP address and those computers can have DHCP-assigned IP addresses). And, of course, the principal goal is to provide an isolated WPA1-TKIP wireless subnet for the TrendNets, from which rogue users, if they were able to surreptitiously affiliate to that subnet, could neither access any of the Macs affiliated to the 192.168.0.x home subnet nor leech free internet service at my expense.
    I am looking at using two LinkSys WAP-54G routers, one in "client" mode so that its WAN side gets a DHCP-issued IPA from my DSL modem/router. The plan would be to strap it back-to-back with another WAP-54G, which would serve as the router for the TrendNets. Problem is, the first WAP54G apparently only works with another WAP54G, not with my ISP's combo modem/router/WAP.
    However, it is my understanding that one of the versions of dd-wrt firmware may allow the first WAP-54G, when configured in client mode, to connect to a non-Linksys router. At least, this website suggests that this is the case.
    The TrendNets are servers, so the only traffic that I want originating from any wirelessly affiliated device on the WPA1-TKIP subnet are "answers" to incoming webserver requests to the TrendNets. Those incoming requests would either be from computers on the 192.168.0.x subnet or from external internet traffic tunneled via ssh to one of the computers ("quicksilver") on the 192.168.0.x subnet. It would be desired to prevent rogue users affiliated to the 192.168.1.x subnet from initiating any connections going external to that 192.168.1.x.
    So (finally!) my questions:
    (1) has anybody ever flashed a WAP54G with this dd-wrt firmware and connected in client mode, using WPA2-AES, to a non-Linksys product?
    (2) there seem to be several versions of the dd-wrt firmware loads out there, and it is not clear to me whatsoever how to select the correct one -- which one should I use?
    (3) any problems seen with my proposed network topology?
    (4) any hints or suggestions on how to quarantine any rogue traffic (i.e., traffic that is not TrendNet port 80 traffic) as described in the previous paragraph?
    Thanks for any help that anyone can provide.

    Hi j.v.
    Have you tried the Linksys forums? I think you may get more help from a network type forum that uses the WAP54G than the Apple forums.
    regards
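
    The quarantine policy asked about in this thread (only replies to web requests from the home subnet may leave the camera subnet) maps onto a stateful forward filter on the inner router. The script below is an added example, not code from the thread or from dd-wrt; it assumes the inner router runs an iptables-based firmware with the `state` match and `LOG` target, and the chain name `CAMNET` and the variables are hypothetical.

```shell
#!/bin/sh
# Added example: stateful forward filter for the isolated camera subnet.
# Subnets are the ones named in the post; chain name and variables are assumptions.
HOME_NET="${HOME_NET:-192.168.0.0/24}"  # trusted Macs, including the ssh gateway host
CAM_NET="${CAM_NET:-192.168.1.0/24}"    # WPA1-TKIP subnet holding the cameras
CAM_PORT="${CAM_PORT:-80}"              # camera web server port
# Dry run by default: commands are printed. Set IPT=iptables (as root) to apply.
IPT="${IPT:-echo iptables}"

camnet_firewall() {
    # Dedicated chain so the whole policy can be flushed and rebuilt in one place.
    $IPT -N CAMNET
    # 1. Packets of connections that were already allowed (camera replies,
    #    plus ICMP errors related to them).
    $IPT -A CAMNET -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. The only new connections permitted: home subnet to the camera web port.
    $IPT -A CAMNET -s "$HOME_NET" -d "$CAM_NET" -p tcp --dport "$CAM_PORT" \
        -m state --state NEW -j ACCEPT
    # 3. Anything a camera-subnet host tries to initiate is logged for review.
    $IPT -A CAMNET -s "$CAM_NET" -m state --state NEW -j LOG --log-prefix "camnet-new:"
    # 4. Default deny: this router forwards nothing except camera web traffic.
    $IPT -A CAMNET -j DROP
    # Evaluate the chain before any forward rules the firmware already has.
    $IPT -I FORWARD 1 -j CAMNET
}

camnet_firewall
```

    The FORWARD chain covers only traffic passing through the router; access from the camera subnet to the router's own management interface is governed by the INPUT chain and needs its own rule.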

  • Multiple vlans configuration issue with RV016 router and SG 300-10MP switch

    Hi,
    I have to configure multiple vlans served with a unique DHCP server. As a first step, I just want the DHCP server to serve 2 vlans. The following is the hardware and configuration that I implemented:
    Router (RV016 10/100 16-Port VPN Router) as gateway mode:
    IP : 172.16.0.1/24
    DHCP Server :
    IP : 172.16.0.2/24 GW: 172.16.0.1
    2 subnets :
    172.16.1.0/24 GW: 172.16.1.1 to serve vlan 1
    172.16.2.0/24 GW:172.16.2.1 to serve vlan 2
    Switch (SG 300-10MP 10-Port Gigabit PoE Managed Switch) as layer 3 mode:
    IP 172.16.0.254 (vlan 8 default)
    Vlan 1 : 172.16.1.1
    Vlan 2 : 172.16.2.1
    1 device connected on each vlan
    a workstation on the vlan 1
    a laptop on the vlan 2
    In this scenario (see the attached pdf file) the DHCP server is connected on a router, hosts on vlans don't receive any IP address.
    But If I connect the DHCP server on a trunked switch port and adapt the DHCP server gateway 172.16.0.1 to 172.16.0.254, hosts receive ip address properly.
    I have to connect the DHCP server directly to the router. How can I do that, what is wrong in the configuration ?
    I hope the explanations are clear enough and my English too
    Any help will be highly appreciated,
    Zoubeir

    Hi Eric, the small business group doesn't support the ASA config, but I can help with the switch.
    A couple things I notice in your description-
    48 port (192.168.1.254) and the other 24P (192.168.1.253) we have a second vlan 20 set up on the 24P switch (192.168.2.253) we have ports 1-12 set for vlan20 (untagged and trunk), the remaining ports on the default vlan 1.
    The connection between the switches, is it 1u, 2t?
    The link between the switches should be 1u, 2t, the switches support the trunking and vlan tagging, meaning all communication will work fine.
    We have the 24p and 48p switches connect using GE1 and GE1.  We are unable to ping a device on vlan 20 ( on the 24p switch
    The 24p switch should be in layer 2 mode, if you have the 48 port l3 switch upstream. Additionally, you need to have the default gateway set on the 24p switch.
    We have a static route set on the 24p switch (0.0.0.0 192.168.1.0). 
    Between the switches, it shouldn't require any static routes, assuming you correctly trunk / tag your ge1 ports, with both switches operating in l3, the ip route table dynamically builds the connected routes, therefore a static route is redundant.
    -Tom
    Please rate helpful posts

  • How to create routed port in Cisco SF-300 Switch

    I am trying to create routed ports in SF 300 small business 8 port switch.
    I have 3 different LAN say 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24
    I have 3 unmanaged Linksys switches where I have connected all these computers.
    Now what I have to do is to create routed ports in SF300 and route these networks properly.
    Can anybody help me on this? Thanks in advance.

    Dear Shereef,
    Thank you for reaching Small Business Support Community.
    In Layer 3 system mode, the device can have multiple IP addresses. Each IP address can be assigned to specified ports, LAGs, or VLANs. Operating in Layer 3 mode, the device routes traffic between the directly attached IP subnets configured on the device. In addition, you can manually define default routes.
    Configuring the device to work in Layer 3 mode is performed in the Administration >System Settings page.
    To define IP addresses on the ports:
    IP Configuration > IPv4 Management and Interfaces > IPv4 Interface
    To define an IP static route:
    Click IP Configuration > IPv4 Management and Interfaces > IPv4 Routes
    Just in case you can check on the admin guide, chapter 16 for a more detailed step by step description;
    http://www.cisco.com/en/US/docs/switches/lan/csbms/sf30x_sg30x/administration_guide/78-19308-01.pdf
    I hope you find this information useful and please do not hesitate to reach me back if there is any further assistance I may help you with.
    Kind regards
    Jeffrey Rodriguez S. .:|:.:|:.
    Cisco Customer Support Engineer
    *Please rate the Post so others will know when an answer has been found.

  • OD over 2 subnets

    Hi,
    We have 2 XServes, and over 300 Mac Client machines. Users authenticate via AD and receive forced preferences via OD. The main Mac Suite area is on a VLAN, due to needing our own Broadcast domain for multicast purposes.
    I have some Labs that are not within our broadcast domain, on another subnet, they can connect via LDAP to our servers and login but I cannot see them in the Computer list in WGM, I believe this is because this information is received via Bonjour ?? which is a broadcast.
    I can (as i have tested it) connect a Mac up here on this domain to the Server via OD then put on the other subnet and forced prefs are still forced out. However, I have over 40 Macs that are not within this subnet, so it would be a pain to do that individually.
    I can bind to the AD Server and pull over in WGM the machines to the specified Groups but forced prefs do not work. There are no MAC addresses contained within the copied over computer info.
    My questions are;
    1, Do OD listed Computers need to have the MAC address in order to force permissions? Or how does OD force over forced prefs?
    2, is there a way of adding the out of subnet computers to the OD list without allowing multicast on the VLAN?
    3, Has anybody had and resolved a similar issue?
    All I want to do is force Application, Dock and some System Prefs over to the client Macs without using Parental Controls.
    Any help always appreciated,
    C

    I assume that each server is on its own subnet... Make one the OD master and the other a replica; preferences will replicate from one to the other and distribute from the server on the subnet they reside in, so long as you bind the computers in that subnet to the appropriate server in Directory Utility. You can then manage all the preferences you want from either server since it will write back and forth.

  • 2 WLSM's in different subnets to support up to 600 AP's ???

    Would like to know if the following is possible.
    I have 2 WLSM's in different subnets, the idea is to have up to 300 AP's supported in one WLSM and another 300 AP's pointing toward the other blade in another chassis.
    Can I use the same vlans I have defined in all AP's, but just point half of them to the other WLSM? Or, should I create new vlans for the second set of AP's connecting to the 2nd WLSM blade. The AP's native vlan would be different for each of the WLSM blades.
    Thanks in advance. Mike

    Thanks Lisa - I'm still unclear ... when you say that you must have the same native vlan (say vlan 1) trunked through the campus. So both WLSM's will use the same vlan for control traffic to the AP's???
    I have read this document several times but does not show how to install 2 or say 10 WLSM's in a given network. Won't the native vlan have so much overhead and broadcast that it would make it a problem?
    I was going to point half of my ap's at one wlsm and the other half at wlsm-2, use different native vlans for each wlsm but use the same data vlans for ap data traffic.
    Do you see any problems with this style of configuration?
