SFE2000 & ACL to stop VLAN traffic
Hi All,
I have set up a new SFE2000 switch to work in Layer 3 mode using the IP address 192.168.100.254 on VLAN 1
Additional VLANs are:
VLAN2 192.168.102.x To be used for guest wireless access
VLAN3 192.168.103.x
VLAN4 192.168.104.x
I would like VLAN1, 2, 3 and 4 to be able to communicate with each other while VLAN2 (Guest) needs to be restricted from everything except web access and DHCP assignment from our server.
I have been playing with various ACLs in an effort to accomplish this but so far I have drawn a blank in getting this working.
Can anyone shed any light for a managed switch newbie?
Thanks in advance
James
I was able to get this working with ACLs and setting a static route from the router (in my case a Sonicwall TZ 180) back to the SG300 network. I have enclosed screen shots of the config from the GUI. You need to bind the ACL to whatever ports you want to filter the guest traffic on, either where they would connect a hard wired connection or where you would connect your Wireless AP. The ACL I have created allows VLAN 13 to get a DHCP address and communicate through DNS but nothing else. 192.168.9.254 is the Sonicwall router which I wanted on a different VLAN.
Hope this helps others with their setup.
Similar Messages
-
Switch port in dot1x multi-auth mode stops passing traffic
Dear All,
I am experiencing a problem on a Catalyst 4510 (cat4500-ipbasek9-mz.122-53.SG.bin) with 802.1x configured. Client PCs are connected via a mini desktop switch to a Cat 4510 switched port in multi-auth mode. The configuration of the port follows:
interface GigabitEthernet2/34
switchport mode access
ip arp inspection limit rate 30
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
dot1x pae authenticator
dot1x timeout tx-period 5
dot1x max-reauth-req 6
spanning-tree portfast
ip verify source vlan dhcp-snooping
end
It happens from time to time that the Cat 4510 port stops passing traffic. Reconnecting the mini switch recovers the communication. Client PCs connected to the mini switch seem to be authorized at the moment when the problem occurs. The RADIUS Termination-Action attribute is set to RADIUS-Request. The problem is not present if "authentication periodic" is disabled.
Did anyone experience a similar problem? Any advice?
Thanks.
Mirek
We have the same issue on a 3750E switch running 12.2(58)SE
-
I created an ACL to allow SNMP traffic through. Once I applied it traffic does not pass. Should be pretty simple. Below is what I used. I am using SNMP v2.
ip access-list extended ABC-ACL
permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmp
permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmptrap
permit icmp X.X.0.0 0.0.255.255 host SERVER_IP
Additional permit statements omitted.
Where is it applied, to an L3 switch VLAN interface or a router interface, and in which direction, etc.?
Is the SNMP traffic from a specific device? You could add a permit log for that specific device to see what ports it is using.
Also, where is the SNMP coming from in your ACL? If it is the x.x.0.0 network the ACL should be -
permit udp x.x.0.0 0.0.255.255 eq snmp host SERVER_IP eq snmp
etc..
Jon -
Hello !!
We have a Switch Catalyst 3550 - 12G
IOS : Version 12.2(25)SEA
I need to implement ACL security on VLANs, but it didn't work.
VLAN 11 Definition :
interface Vlan11
description VLAN - RED WAN
ip address 192.168.21.1 255.255.255.0
Interface association (g0/7) with VLAN 11 and extended ACL (ip1)
interface GigabitEthernet0/7
switchport access vlan 11
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 11
switchport mode dynamic desirable
ip access-group ip1 in
ACL definition :
ip access-list extended ip1
permit ip 192.168.70.0 0.0.0.255 any
deny ip any any
This configuration must allow IP communication between 192.168.70.0/24 and 192.168.21.0/24. However it doesn't work.
Inter-VLAN communication is OK.
Any suggestions?
.... Switch Conf. attached
Tks.
John Nanez E.
Try putting it on the SVI for vlan 11 (interface vlan 11). I don't think you can put it on an individual interface and have it work. Also the way you wrote it you'll have to put it as out on the vlan because you are permitting an address from another network to the vlan 11 address space, thus it would have to block the traffic "out" to the devices on vlan 11.
-
Wireshark capture on access port displays different vlan traffic
Hi Guys,
I have a Nexus 4001i Blade Center switch where I have a server connected in access mode to a particular VLAN.
When I use Wireshark on this port, I see different traffic conversations of different servers in different VLANs, which seems strange to me.
Does anybody have an idea why a server in access mode with Wireshark is able to view different VLAN traffic? I also see non-multicast and non-broadcast conversations.
The port the server is connected to is not a monitor port but only in switchport mode access.
Thanks in advance for your feedback.
Hi,
So it looks like you're getting unicast traffic flooded to all ports. There are a couple of reasons I've come across that can cause this.
Asymmetric routing: See Unicast Flooding in Switched Campus Networks and/or Case Study #8: Asymmetric Routing and HSRP (Excessive Flooding of Unicast Traffic in Network with Routers That Run HSRP) for details of why it happens and how to prevent it.
Microsoft Network Load Balancing. As per the Microsoft Troubleshooting NLB:
In unicast mode (the default Forefront TMG cluster operation mode) NLB induces switch flooding, by design, relaying packets sent to the VIP addresses to all cluster hosts. Switch flooding is part of the NLB strategy for obtaining the best throughput for any specific load of client requests. However, if the NLB interfaces share the switch with other (non-cluster) computers, switch flooding can add to the other computers' network overhead by including them in the flooding and consequently have a detrimental effect on network and/or server performance.
Regards -
Vlan traffic is not passing through Wireless Bridge
Hi,
Recently we have placed a wireless bridge in our network (Cisco AIR-BR1410A-E-K9 model). After installing the bridge we are facing an issue where only the management interface traffic is reachable through the bridge, but we are not able to reach other VLAN traffic.
The management range is in VLAN 1 (which includes the APs, switch and router) and the bridge IPs are also in VLAN 1.
The switch port is kept in trunk mode at both ends of the bridge. Still other VLAN traffic is not reachable; do we have to place any special configuration for this?
All the business users are in VLAN 3.
All the sales team users are in VLAN 123.
Now the problem is the other end switches are reachable for me through the bridge in VLAN 1, but VLAN 3 and VLAN 123 are not reachable for me. Users are not getting IPs; when we assigned static IP addresses and tested it is still not working.
I am attaching my wireless bridge configuration in the discussion, please help on this issue.
Root Bridge ---- Non-Root bridge --- Cisco Switch -- Cisco Switch..
Now I am able to reach those two switches also, but not able to reach the VLAN 3 users who are connected to those switches.
Hi,
infrastructure-ssid has been placed at both end still not able to get IP's to the devices.
I am not able to attach txt files in the reply, could you please let me know your email ID so that i will send the config files to your ID. -
Stop DHCP traffic from passing across interfaces
I'm having an issue with dhcp traffic passing across my cisco ASA 5510 interfaces.
Example of setup
Company 1 connected to interface 1 has its own dhcp server
Company 2 connected to interface 2 has its own dhcp server.
Some users are getting their IP address from the other company's DHCP server. The 2 companies should pass traffic to each other but not DHCP.
Is there any way to stop DHCP traffic from crossing interfaces?
Shane
You usually have to permit DHCP traffic explicitly. The specification of the DHCP client-server protocol describes several cases when packets must have the source address of 0x00000000 or the destination address of 0xffffffff. Anti-spoofing policy rules and tight inclusive firewalls often stop such packets. Multi-homed DHCP servers require special consideration and further complicate configuration.
To allow DHCP, network administrators need to allow several types of packets through the server-side firewall. All DHCP packets travel as UDP datagrams; all client-sent packets have source port 68 and destination port 67; all server-sent packets have source port 67 and destination port 68. For example, a server-side firewall should allow the following types of packets:
* Incoming packets from 0.0.0.0 or dhcp-pool to dhcp-ip
* Incoming packets from any address to 255.255.255.255
* Outgoing packets from dhcp-ip to dhcp-pool or 255.255.255.255
where dhcp-ip represents any address configured on a DHCP server host and dhcp-pool stands for the pool from which a DHCP server assigns addresses to clients.
An example in an ASA would be similar to the following.
For blocking clients:
access-list TEST extended deny udp any any eq bootpc
For blocking servers:
access-list TEST extended deny udp any any eq bootps
Hope that helps.
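Added example, not code from this thread: a small first-match ACL evaluator in Python that checks the guest-VLAN policy from the question at the top of the page (VLAN2 192.168.102.0/24 allowed only DHCP, DNS and web) together with the three DHCP packet classes listed in the reply above. The server address 192.168.100.10, the public address 93.184.216.34 and the sample packets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

ANY = IPv4Network("0.0.0.0/0")
UNSPEC = IPv4Network("0.0.0.0/32")            # client that has no lease yet
BCAST = IPv4Network("255.255.255.255/32")
GUEST_NET = IPv4Network("192.168.102.0/24")   # VLAN2 from the question
INTERNAL = IPv4Network("192.168.0.0/16")      # covers the VLAN1/3/4 ranges
DHCP_DNS_SERVER = IPv4Network("192.168.100.10/32")  # assumed server on VLAN1
DHCP_POOL = GUEST_NET                         # addresses the server hands out
BOOTPS, BOOTPC, DNS, HTTP, HTTPS = 67, 68, 53, 80, 443

@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    proto: str                 # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: IPv4Network
    dst: IPv4Network
    sport: Optional[int] = None
    dport: Optional[int] = None
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and IPv4Address(p.src) in self.src
                and IPv4Address(p.dst) in self.dst
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))

def evaluate(acl: list, p: Packet) -> tuple:
    """Cisco-style evaluation: first matching entry wins, implicit deny at the end."""
    for rule in acl:
        if rule.matches(p):
            return rule.action, rule.note
    return "deny", "implicit deny"

# Inbound ACL for the ports where guest devices or the guest AP connect.
# The DHCP entries come first and name 0.0.0.0 / 255.255.255.255 explicitly:
# an entry whose source is the guest subnet never matches a DISCOVER, because
# the client has no address yet, and guests would never get a lease.
GUEST_IN = [
    Rule("permit", "udp", UNSPEC, BCAST, BOOTPC, BOOTPS, "dhcp discover/request"),
    Rule("permit", "udp", GUEST_NET, BCAST, BOOTPC, BOOTPS, "dhcp broadcast renew"),
    Rule("permit", "udp", GUEST_NET, DHCP_DNS_SERVER, BOOTPC, BOOTPS, "dhcp unicast renew"),
    Rule("permit", "udp", GUEST_NET, DHCP_DNS_SERVER, None, DNS, "dns"),
    Rule("deny", "ip", GUEST_NET, INTERNAL, None, None, "no other internal access"),
    Rule("permit", "tcp", GUEST_NET, ANY, None, HTTP, "web"),
    Rule("permit", "tcp", GUEST_NET, ANY, None, HTTPS, "web"),
]

# Server-side inbound rules: the three packet classes listed in the reply above
# (dhcp-ip = the server's address, dhcp-pool = the addresses it assigns).
SERVER_IN = [
    Rule("permit", "udp", UNSPEC, DHCP_DNS_SERVER, BOOTPC, BOOTPS, "from 0.0.0.0 to dhcp-ip"),
    Rule("permit", "udp", DHCP_POOL, DHCP_DNS_SERVER, BOOTPC, BOOTPS, "from dhcp-pool to dhcp-ip"),
    Rule("permit", "udp", ANY, BCAST, BOOTPC, BOOTPS, "from any to 255.255.255.255"),
]

# Constructed sample traffic from a guest client (addresses are made up).
SAMPLES = {
    "discover": Packet("udp", "0.0.0.0", "255.255.255.255", BOOTPC, BOOTPS),
    "renew":    Packet("udp", "192.168.102.20", "192.168.100.10", BOOTPC, BOOTPS),
    "dns":      Packet("udp", "192.168.102.20", "192.168.100.10", 51000, DNS),
    "https":    Packet("tcp", "192.168.102.20", "93.184.216.34", 51001, HTTPS),
    "corp_web": Packet("tcp", "192.168.102.20", "192.168.103.5", 51002, HTTP),
    "smb":      Packet("tcp", "192.168.102.20", "192.168.100.20", 51003, 445),
    "ping":     Packet("icmp", "192.168.102.20", "192.168.100.254"),
}

def guest_results() -> dict:
    """Action the guest-port ACL takes on each sample packet."""
    return {name: evaluate(GUEST_IN, p)[0] for name, p in SAMPLES.items()}

def server_results() -> dict:
    """Action the DHCP server-side rules take on the DHCP and DNS samples."""
    return {n: evaluate(SERVER_IN, SAMPLES[n])[0] for n in ("discover", "renew", "dns")}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        action, note = evaluate(GUEST_IN, pkt)
        print(f"{name:9s} {action:6s} ({note})")
```

Note the ordering: the deny to the internal ranges sits before the web permits, otherwise a guest could reach internal web servers on VLAN1/3/4.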
-
CCE 507 stops forwarding traffic to internet
Our CE (which is our proxy server) constantly stops forwarding traffic to the internet. The engine does not freeze or lock up because I can telnet into it and reload and everything is fine then. This started happening in the last two weeks. The engine is integrated with Websense filtering. Could I be experiencing hardware issues? I did recently upgrade Websense to the latest version and also upgraded the PIX 515 Firewall IOS to the latest. I am thinking maybe upgrade the IOS on the engine. Any guidance would be appreciated. Thanks in advance.
Apparently the version of Websense that I was running was not making the CE very happy. I upgraded to a new version and ever since the problem has not arisen. But I am having one issue with the CE. There is one website that generates errors when going through the CE proxy server, although when bypassing the proxy server (CE), there are no errors generated. It is only when going through the proxy that the error is generated. The error does not reflect a Websense blocking page. So it only leads me to believe that the problem is on the CE. I would like to upgrade the IOS on the CE to the latest software in an effort to resolve this. If I upgrade, should I be aware of any problems with the configuration not working after the upgrade? The device is a CE 507 with software version 2.51. Any history on this type of problem? Any help would be appreciated. I have pasted the exact error generated from the site. Thanks again.
Network Error
The server yearbookavenue1.jostens.com returned an invalid response to your request for http://yearbookavenue1.jostens.com/cgi-bin/exe2004/year2004.exe?f_4194e967209 -
I moved from 2500 series routers to a switched network using a Catalyst 3750 and 3560 switches over the course of the last year. In my routed network I used MRTG to monitor traffic on my interfaces. In my switched network environment I have not been able to find a free or low cost tool that will monitor VLAN traffic. Any suggestions?
I have the same problem and found these links that provided answers:
http://forums.cacti.net/about29656.html&highlight=
http://www.experts-exchange.com/Hardware/Networking_Hardware/Switches/Q_23738165.html
VLANs on 3560s, 3750s and 3550s do not show stats. The packets are forwarded by the ASIC chips and do not cross the CPU for actual processing. To actually see the traffic you will need to turn off CEF, which decreases the performance significantly (not recommended, see links above). -
Hi all
I have a 2900XL core switches which in turn connected to several 2950 switches. All are connected to VLAN 1.
I have a few questions:
When people say broadcast traffic should not be more than 20% of the VLAN traffic.
1. Does it mean the broadcast of a single port in the 2950 switch or the core switch ?
2. How do i know the VLAN traffic ?
Any tools etc and how is the setup?
Hope someone can help. :)
Thanks in Advance.
Alan
Hi Narayanan,
This is Guru Prasad.R from Saksoft Ltd. I am working as a Network Engineer for the past 1 year here. Also I had worked as part-time technical assistance in a Networking Environment for 3 years too.
Since I am a new guy to this networking world I may require your guidance and support for making my career the best one.
I had finished my CCNA & 2 MCP exams, one for Server 03 & another for Exchange Server 03. Also currently I am doing the CCNP-Switching [BCMSN] exam.
Kindly help me to make my career the best one. Expecting your kindness on the same.
I had noted down your contact number in the Cisco profile. Below are my contact details:
Guru Prasad.R
Mobile: +91-9840822258
Mail id: [email protected]
Expecting your reply mail for the same.
Thanks & Regards,
Guru Prasad .R -
ACLs never apply to traffic generated by the router
http://www.ciscopress.com/articles/article.asp?p=174313&seqNum=4&rl=1
"Another special note on Cisco ACLs is that ACLs never apply to traffic generated by the router. So, even if you have an inbound and an outbound ACL on a router denying all traffic, the router will still be able to send any packet it wants; the return packet, however, will be blocked as usual".
Is it (the return packet, however, will be blocked as usual) the case all the time? If it is the case could you please explain?
Thanks Rick, I need some clarification about the below scenario please:
Suppose I have got R1 (one of many routers) with two interfaces serial0/0 and e0/0; the IP address for serial0/0 is 192.168.0.1/24 and
the IP address for e0/0 is 172.16.0.1/16.
R1(config)#access-list 101 deny ip any any
R1(config)#interface serial 0/0
R1(config-if)#ip access-group 101 out
R1(config)#access-list 150 deny ip any any
R1(config)#interface fastethernet 0/0
R1(config-if)#ip access-group 150 in
Now we satisfied the condition which it says: "where there is an outbound ACL and an inbound ACL and they both deny all traffic".
1- ((The inbound ACL will deny all traffic)).
This is obvious because for any packet that tries to enter the router R1, the ACL will check both IP addresses, the source (any) and the destination (which can be one of the interfaces belonging to R1); because it matches the condition of the ACL, it will be dropped.
2- ((In this case the outbound ACL can deny transit traffic, but can not deny packets generated by the router which will be transmitted)).
The first part (In this case the outbound ACL can deny transit traffic) is fine; the second one, "but can not deny packets generated by the router which will be transmitted": my understanding is that when packets are generated by router R1, these packets have got a source IP address and a destination IP address.
The source and destination IP addresses still match the condition of the ACL, so why shouldn't it be
denied? -
5505 stops passing traffic with 9.1.3
I have a 5505 setup in my home office. It generally works well but I noticed when I upgraded it to 9.1.2.8 it would stop passing traffic after a few days. I figured this was just the interim release blues and waited until 9.1.3 came out. However, with 9.1.3 the problem is even worse. I'm actually not exactly sure what's going on. Here's what I've noticed:
I get a lot of DNS connections with the "h" flag (H.225 traffic) set. This seems like it might have some relation to the problem:
UDP outside 216.218.130.2:53 inside 192.168.234.146:50705, idle 0:00:18, bytes 534, flags h
I also get these in 9.1.2 (which works fine), but far fewer. When traffic stops passing on my ASA, I notice that I have tons of these connections in 9.1.3.
When traffic stops passing, the ASA itself can no longer get to the Internet. I can't ping my Comcast router (actually in my office, L2 adjacent to ASA). I also have some SLA probes going to the Internet which fail. If I do a clear conn all, then everything starts working again for a while. The BTF (dynamic-filter) feature seems to make it worse. If I remove it (remove dynamic-filter-snoop part) then it takes a lot longer before it stops passing traffic:
policy-map global_policy
class inspection_default
inspect dns dns-ipm dynamic-filter-snoop
What's really strange, is even if I remove all service-policy commands, I still get connections with the "h" flag. I don't believe that should be possible so perhaps a bug?
Ideas? -
Is it possible to route VLAN traffic?
We have two buildings, each with several Catalyst 2950s and a 2651 router hosting several VLANS.
Can we connect the 2651s together and expand the VLANs into the other building?
Hi
Can you give info about how these two buildings are connected to each other? As far as routing is concerned you can configure sub-interfaces under your physical interface on your router. Are these 2950s connected to the 2651? If they are, how are your VLANs spread? Are you using any sort of VTP? If your 2950s are connected to the 2651 then you can go for sub-interfaces per VLAN.
For example if you are having 3 VLANs then you can configure the physical interface on your router as
interface f0/0.1
encapsulation dot1q 1
ip address 192.168.1.1 255.255.255.0
and so on
Thanks
Mahmood -
Wifi stops passing traffic on original ipad and ipad 2 running ios 5.0.1
I actually just started having this issue with my Original iPad and my iPad 2. From what I'm seeing it is not a loss of signal but a loss of connectivity; they just stop passing traffic. When this is happening it's sometimes to both iPads but not always. And both our iPhones do not experience the issue while the iPads are having the problem (all devices running iOS 5 and connected to the same AP). Wired devices also do not have any issues while this is happening to the iPads.
What I have tried so far:
1. Changing Channels on the AP to a less congested channel (didn't help)
2. Shutting wifi off on ipad, then turning back on, solves issue for a random amount of time, then it happens again
3. Rebooting ipad, sometimes does not help at all until you turn off the radio on the ipad, then back on
I was ready to get a new router/AP but after reading some other comments, this may be an issue with other people.
I have exactly the same issue on my brand new iPad 2 running iOS 5.
I have also changed the channel, tried different settings, etc. to no avail.
It tends to happen when streaming video - Skype, YouTube. Also during movie downloads.
My pc does not have this problem.
Were you able to find a reliable solution?
Thanks! -
VPN stops forwarding traffic on subsequent connections (Cisco 861)
Hello everyone,
I have a very strange problem on 2 (independent) Cisco 861 routers in different places.
They are both configured as easyVPN servers. One uses UDP, the other TCP. VPN clients connect by using Cisco VPN client software. This cannot be changed because the customer expects it this way. Both routers have the same problem:
* the first VPN connection after a reset works fine. Traffic passes through and it is perfectly usable. I can ping the internal network interface on the router side from the client without problems.
* the second connection (and all subsequent ones from different client machines etc.) connects fine, no errors on the client whatsoever (not sure I evaluated all possible debug output on the "server" side). However, no traffic passes through. Pings do not come back from the 861 anymore through the VPN tunnel.
I already enabled ICMP debugging and saw that pings are actually answered by the 861, but do not reach the client. The same seems to happen to any and all other packets as well.
* If I restart the 861 the very same thing happens: first VPN connection works fine. You disconnect, try another connection from the very same client computer, and it does not work anymore until the next router reset.
I append the configuration for the sake of completeness. Confidential parts are represented by XXX. Some ACLs are not in use right now; I used them for testing.
Quite frankly, I am out of ideas (and desperate).
Any ideas?
Best Regards
Mike
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname XXX
boot-start-marker
boot-end-marker
logging buffered 51200
logging console critical
enable secret 5 XXX
enable password 7 XXX
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
memory-size iomem 10
clock timezone Berlin 1
crypto pki trustpoint TP-self-signed-2638506017
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2638506017
revocation-check none
rsakeypair TP-self-signed-2638506017
no ip source-route
ip cef
no ip bootp server
ip domain name local
license udi pid CISCO861-K9 sn XXX
archive
log config
hidekeys
no spanning-tree vlan 1
username root privilege 15 secret 5 XXX
username remote secret 5 XXX
crypto ctcp port 10000
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp nat keepalive 20
crypto isakmp client configuration group vpn
key XXX
pool SDM_POOL_1
acl 104
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group vpn
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
client configuration group vpn
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
interface Loopback0
ip address 192.168.234.1 255.255.255.0
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.233.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip virtual-reassembly
ip tcp adjust-mss 1452
ip local pool SDM_POOL_1 192.168.234.2 192.168.234.127
ip forward-protocol nd
no ip http server
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip route 10.179.232.0 255.255.255.0 192.168.233.2
ip route 172.16.0.0 255.255.0.0 192.168.233.2
ip access-list log-update threshold 10
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.233.0 0.0.0.255
access-list 100 remark XXX
access-list 100 permit ip 192.168.233.0 0.0.0.255 any
access-list 100 permit ip 192.168.234.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 192.168.233.0 0.0.0.255 any
access-list 101 permit ip 192.168.234.0 0.0.0.255 any
access-list 102 permit ip 192.168.233.0 0.0.0.255 192.168.234.0 0.0.0.255
access-list 103 permit ip 192.168.233.0 0.0.0.255 192.168.234.0 0.0.0.255 log
access-list 103 permit ip 192.168.234.0 0.0.0.255 192.168.233.0 0.0.0.255 log
access-list 104 permit ip 192.168.233.0 0.0.0.255 any log-input
access-list 104 permit ip 192.168.234.0 0.0.0.255 any log-input
no cdp run
control-plane
banner exec ^CCC
XXX
^C
banner login ^CCC
XXX
^C
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
privilege level 15
transport input ssh
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Hi,
I added a dynamic crypto map to the configuration according to the document you sent. However, it does not work yet.
There must be some stupid mistake or mixup with the old config.
The router logs:
000038: *Mar 1 01:19:24.047 Berlin: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at XXX
000039: *Mar 1 01:19:29.403 Berlin: CTCP: cTCP connection entry not found. Dropping the packet
Correspondingly, the client retransmits a few times during a connection attempt and then fails.
The current configuration is:
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname XXX
boot-start-marker
boot-end-marker
logging buffered 51200
logging console critical
enable secret XXX
enable password XXX
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
memory-size iomem 10
clock timezone Berlin 1
crypto pki trustpoint TP-self-signed-2638506017
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2638506017
revocation-check none
rsakeypair TP-self-signed-2638506017
no ip source-route
no ip cef
no ip bootp server
ip domain name local
license udi pid CISCO861-K9 sn XXX
archive
log config
hidekeys
no spanning-tree vlan 1
username root privilege 15 secret 5 XXX
username remote secret 5 XXX
crypto ctcp keepalive 10
crypto ctcp port 10000
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp nat keepalive 20
crypto isakmp client configuration group vpn
key XXX
pool SDM_POOL_1
acl 105
netmask 255.255.255.0
crypto isakmp client configuration group testgroup
key XXX
pool SDM_POOL_1
crypto isakmp profile ciscocp-ike-profile-1
match identity group vpn
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
client configuration group vpn
crypto isakmp profile VPNclient
description VPN clients profile
match identity group testgroup
client authentication list clientauth
isakmp authorization list groupauthor
client configuration address respond
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
crypto dynamic-map dynmap 5
set transform-set ESP-3DES-SHA
set isakmp-profile VPNclient
crypto map mymap 10 ipsec-isakmp dynamic dynmap
interface Loopback0
ip address 192.168.234.1 255.255.255.0
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
mtu 1300
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
crypto map mymap
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.233.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip virtual-reassembly
ip tcp adjust-mss 1452
ip local pool SDM_POOL_1 192.168.234.2 192.168.234.127
ip forward-protocol nd
no ip http server
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip route 10.179.232.0 255.255.255.0 192.168.233.2
ip route 172.16.0.0 255.255.0.0 192.168.233.2
ip access-list log-update threshold 10
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.233.0 0.0.0.255
access-list 100 remark XXX
access-list 100 permit ip 192.168.233.0 0.0.0.255 any
access-list 100 permit ip 192.168.234.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 192.168.233.0 0.0.0.255 any
access-list 101 permit ip 192.168.234.0 0.0.0.255 any
access-list 102 permit ip 192.168.233.0 0.0.0.255 192.168.234.0 0.0.0.255
access-list 103 permit ip 192.168.233.0 0.0.0.255 192.168.234.0 0.0.0.255 log
access-list 103 permit ip 192.168.234.0 0.0.0.255 192.168.233.0 0.0.0.255 log
access-list 104 permit ip 192.168.233.0 0.0.0.255 any log-input
access-list 104 permit ip 192.168.234.0 0.0.0.255 any log-input
access-list 105 permit ip 192.168.233.0 0.0.0.255 192.168.234.0 0.0.0.255
no cdp run
control-plane
banner exec ^CCC
XXX
^C
banner login ^CCC
XXX
^C
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
privilege level 15
transport input ssh
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end