Sub-interface Removal

We have created a Gigabitethernet sub-interface on a router, But when removing this with command :-
Router(config)#no int gig2/3.1
It is not removed and still showing in interface list with "deleted" status (i.e Gi2/3.1 deleted down).
Please share the process for permanently removing the sub-interface from list.
Thxns

Txns..Srry but last querry now.I have created a sub-interface Gig2/3.1 with configs.Router#sh run int Gig2/3.1
Building configuration...Current configuration : 186 bytes
interface GigabitEthernet2/3.1
description CONNECTED TO NetCore
encapsulation dot1Q 99
ip address 172.50.140.1 255.255.255.252
endBut
with this configs, The remote end IP of this interface (172.50.140.2)
was reachable but there are drops(approx 30 drops) on the same after
every 40-50 replies. one of my freind suggested me for configuring
below commands under sub-interface(but he seems to be confused about
the purpose of this commands).ip rip send version 1 2
ip rip receive version 1 2After
executing abne cmmds , now there is no drops. What these commds are
doing wht is the purpose of the command, after executing these why ping
/ reachability drops problems rectified. is this standard to configure
this commands under sub-interface...? pls***
Hi,
Those commands are useful to send and recieve RIP version to be sent or recive in interface with counter part neighbour.
To control which RIP version an interface sends, use one of the following commands in interface configuration mode:
ip rip send version 1 2 Configure an interface to send RIP Version 1 and Version 2 packets.
Similarly, to control how packets received from an interface are processed, use one of the following commands in interface configuration mode:
ip rip receive version 1 2 Configure an interface to accept either RIP Version 1 or 2 packets.
Hope to Help !!
If helpful do rate the useful post
Ganesh.H

Similar Messages

ATOM on dot1q sub interfaces

Hello, networkers!
Long time no see ;-)
Straight on question now. Imagine a MPLS network with the following topology:
A B C D E
(X) --- (X) --- (X) --- (X) --- (X)
CE PE P PE CE
Router A & E are customer's routers.
Router B & D are PE routers
Let's say that we have created MPLS ATOM using Xconnect in between routers B and D. They are both using FastEthernet interfaces with sub-interfaces configured on. Router D is configured to RouterE in this way:
interface FastEthernet0/0.15
description ** RouterD->RouterE **
encapsulation dot1Q 15
no cdp enable
xconnect 2.2.2.2 666 encapsulation mpls
on the other end, router B is configured as follow:
interface FastEthernet0/0.26
description ** RouterB->RouterA **
encapsulation dot1Q 26
no cdp enable
xconnect 1.1.1.1 666 encapsulation mpls
end
Where 1.1.1.1 is RouterD loopback and 2.2.2.2 is Router B lo0.
What do you think about that scenario? Should it work with this configuration when the dot1q vlans differs? In my opinion this shouldn't work as expected as long as MPLS is doing just transparent transport of entire L2 frame (instead of using internetworking on IP level)
Can anyone, please explain how does Cisco handle this? I remember that I've read somewhere during my CCIE journey that there are different types of AtOM VC's which can either carry the dot1q tag or not.
Thank you in advance!
Kind regards,
Dani Petrov
P.p. I tried it in a few different configurations and the results are very interesting but please first share your thoughts ;-)

Hi,
You can't force the vc-type and don't need to.
To summarize:
- switchport trunk mode and subinterfaces will always pop the outer tag
- EVC interfaces do nothing by default.
On top of that vc-type 4 will add a service-delimiter tag to the frame received from the AC. It's the responsibility of the egress router to know what to do with this tag (rewrite or remove it).
GSR and 7200 will negotiate a vc-type 4 if the AC is a subinterface. 7600 will always negotiate a vc-type 5 except if the peer wants a vc-type 4.
HTH
Laurent.

IPSec tunnel on sub-interface on ASA 5510

Hello All,
I working on a security solution using ASA firewall and need some technical advice on ASA. Is it possible to setup a IPSec tunnels on each subinterface of a physical interface on ASA 5510?
I would be greatul if someone please reply post this with some details.
Regards,
Muds

Hi Jennifer,
Thanks very much for your reply. I understand where you coming from, but the reason of using sub-interfaces is that, we have only one physical interface on the firewall connected to the MPLS cloud, and we need to setup a seperate IPSec tunnels for each client for security and integrity. In the current scenario, I have static peers and we can easily setup a static route to peer address.
Many thanks for your assistance, please feel free to to advise if you have any other suggestion.
Regards,
Muds

The difference between IEEE802.1Q Native VLAN sub-interface and Physical interface?

Hello
I think the following topologies are supported for Cisco Routers
And the Physical interface also can be using as Native VLAN interface right?
Topology 1.
R1 Gi0.1 ------ IEEE802.1Q Tunneling L2SW ------ Gi0 R2
R1 - configuration
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
ip address 10.0.0.1 255.255.255.0
Topology 2.
R1 Gi0 ------ IEEE802.1Q Tunneling L2SW ------ Gi0 R2
interface GigabitEthernet0
ip address 10.0.0.1 255.255.255.0
And is it ok to use the physical interface and sub-interface with dynamic routing such as EIGRP or OSPF etc?
R1 Gi 0 ---- Point to Multipoint EIGRP or OSPF ---- Gi0 R2 / R3
Gi 0.20--- Point to Point EIGRP or OSPF --- Gi0.10 R4 (same VLAN-ID)
R1 - configuration
interface GigabitEthernet0
ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet8.20
encapsulation dot1Q 20
ip address 20.0.0.1 255.255.255.0
Any information is very appreciated. but if there is any CCO document please let me know.
Thank you very much and regards,
Masanobu Hiyoshi

Hello,
The diagram is helpful.
If I am getting you correctly, you have three routers interconnected by a switch, and you want them to operate in a hub-and-spoke fashion even though the switch is capable of allowing direct communication between any of these routers.
Your first scenario is concerned with all three routers being in the same VLAN, and by using neighbor commands, you force these routers to establish targeted EIGRP adjacencies R1-R2 and R1-R3, with R1 being the hub.
Your second scenario is concerned with creating one VLAN per spoke, having subinterfaces for each spoke VLAN created on R1 as the router, and putting each spoke just in its own VLAN.
Your scenarios are not really concerned with the concept of native VLAN or the way it is configured, to be honest. Whether you use a native VLAN in either of your scenarios, or whether you configure the native VLAN on a subinterface or on the physical interface makes no difference. There is simply no difference to using or not using a native VLAN in any of your scenarios, and there is no difference to the native VLAN configuration being placed on a physical interface or a subinterface. It's as plain as that. Both your scenarios will work.
My personal opinion, though, is that forcing routers on a broadcast multi-access segment such as Ethernet to operate in a hub-and-spoke fashion is somewhat artificial. Why would you want to do this? Both scenarios have drawbacks: in the first scenario, you need to add a neighbor statement for each spoke to the hub, limiting the scalability. In the second scenario, you waste VLANs and IP subnets if there are many spokes. The primary question is, though: why would you want an Ethernet segment to operate as a hub-and-spoke network? Sure, these things are done but they are motivated by specific needs so I would like to know if you have any.
Even if you needed your network to operate in a hub-and-spoke mode, there are more efficient means of achieving that: Cisco switches support so-called protected ports that are prevented from talking to each other. By configuring the switch ports to spokes as protected, you will prevent the spokes from seeing each other. You would not need, then, to configure static neighbors in EIGRP, or to waste VLANs for individual spokes. What you would need to do would be deactivating the split horizon on R1's interface, and using the ip next-hop-self eigrp command on R1 to tweak the next hop information to point to R1 so that the spokes do not attempt to route packets to each other directly but rather route them over R1.
I do not believe I have seen any special CCO documents regarding the use of physical interfaces or subinterfaces for native VLAN or for your scenarios.
Best regards,
Peter

Asa 5505 sub interface plus ports

I have never used 5505 I gave used higher firewalls and all of them can do sub interfaces normally we make sub interfaces and vlans are assigned to them I m trying to config 5505 can someone tell me how I can create sub interfaces ? As I saw few config and it seems that you config vlans like switch ??? Secondly all interfaces have to b part of vlan ? Ie outside which is g0/0 ....can I config it as normall routed port ?

The 5505 is configured nearly the same a a L3-switch. You configure the Vlan-interfaces and assign these to your switch-ports. The switch ports can be configured as access- or as trunk-ports (if you have a SecPlus license).
You find more on this topic on the Config-Guide:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_start_5505.html

NAT on sub-interface with no internet access

Good morning,
Please I have a router 2901, which I configured tow sub-interfaces for Voice and Data. Everything seems to be working fine but I can't access the internet after configuring NAT.
Config below
Router1#sh config
Using 5392 out of 262136 bytes
! No configuration change since last restart
! NVRAM config last updated at 16:15:07 UTC Wed Jul 2 2014 by aadmin
! NVRAM config last updated at 16:15:07 UTC Wed Jul 2 2014 by aadmin
version 15.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname A
boot-start-marker
boot-end-marker
! card type command needed for slot/vwic-slot 0/0
logging buffered 51200 warnings
enable secret 4 U3/EVMmZsx9ys3vbB8aDhHy.5h4qh2V8/DkTGNsxvTA
enable password 7 06150E2C5F5B071E
aaa new-model
aaa authentication login default local
aaa session-id common
memory-size iomem 25
ip cef
ip dhcp excluded-address 10.10.36.1 10.10.36.25
ip dhcp excluded-address 10.10.36.200 10.10.36.254
ip dhcp pool DATA
network 10.10.36.0 255.255.255.0
default-router 10.10.36.1
dns-server 8.8.8.8 4.2.2.2
ip dhcp pool VOICE
network 10.1.1.0 255.255.255.0
default-router 10.1.1.1
option 150 ip 10.10.36.4
no ipv6 cef
multilink bundle-name authenticated
crypto pki trustpoint TP-self-signed-3112445314
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3112445314
revocation-check none
rsakeypair TP-self-signed-3112445314
crypto pki certificate chain TP-self-signed-3112445314
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
voice-card 0
license udi pid CISCO2901/K9 sn FCZ1808C4L8
hw-module pvdm 0/0
username a password 7 1416111F05557C
username e privilege 15 password 7 1437455E0E2A25382525260B67
username c password 7 030B580E0701284F165B5C
username a password 7 01000709481E0808
redundancy
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address #.#.#.58 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no keepalive
interface GigabitEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no keepalive
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 10.10.36.1 255.255.255.0
ip verify unicast reverse-path
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.100
encapsulation dot1Q 100
ip address 10.1.1.1 255.255.255.0
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list LAN_NAT_POLICY interface GigabitEthernet0/1.1 ov
ip route 0.0.0.0 0.0.0.0 #.#.#.57
ip access-list extended LAN_NAT_POLICY
permit ip 10.0.0.0 0.255.255.255 any
access-list 23 permit 10.10.36.0 0.0.0.255
access-list 23 permit 10.10.0.0 0.0.0.255
access-list 23 permit 10.10.0.0 0.0.255.255
access-list 101 permit tcp 10.10.36.0 0.0.0.255 host 10.10.36.1 eq telnet
control-plane
mgcp profile default
gatekeeper
shutdown
banner exec ^C
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you hav
already used the username "cisco" to login to the router and your IOS imag
supports the "one-time" user option, then this username has already expire
You will not be able to login to the router with this username after you e
this session.
It is strongly suggested that you create a new username with a privilege l
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want
use.
^C
banner login ^C
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
^C
line con 0
password 7 13041406025D52
line aux 0
exec-timeout 0 1
no exec
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
password 7 094D4D1D105441
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
scheduler allocate 20000 1000
ntp master
ntp server 10.10.36.1
end
Please I need a quick response
Thank you.

Can you change the interface to outside interface in this command
ip nat inside source list LAN_NAT_POLICY interface GigabitEthernet0/1.1 ov
can you try this below command
ip nat inside source list LAN_NAT_POLICY interface GigabitEthernet0/0 ov
Regards
PrajithTR

How to make ASR9000 bridge domain forward traffic between sub interfaces of same physical interface?

Hi,
I regularly use bridge domains to connect sub interfaces on different vlans using this sort of configuration:
interface GigabitEthernet0/0/0/5.21 l2transport
description CUSTOMER A WAN
encapsulation dot1q 21
rewrite ingress tag pop 1 symmetric
interface GigabitEthernet0/0/0/10.3122 l2transport
description CUSTOMER A CORE
encapsulation dot1q 3122
rewrite ingress tag pop 1 symmetric
l2vpn
bridge group WANLINKS
bridge-domain CUSTOMERA
   interface GigabitEthernet0/0/0/5.21
   interface GigabitEthernet0/0/0/10.3122
When I try to use the same method to bridge two sub interfaces on the same physical interface so as to create a L2 VPN no data flows:
interface GigabitEthernet0/0/0/5.21 l2transport
description CUSTOMER A WAN
encapsulation dot1q 21
rewrite ingress tag pop 1 symmetric
interface GigabitEthernet0/0/0/5.22 l2transport
description CUSTOMER A WAN2
encapsulation dot1q 22
rewrite ingress tag pop 1 symmetric
l2vpn
bridge group WANLINKS
bridge-domain CUSTOMERA
   interface GigabitEthernet0/0/0/5.21
   interface GigabitEthernet0/0/0/5.22
If I add a BVI interface to the bridge domain then the CE devices at the remote end of the WAN interface can both ping the BVI IP but they remain unable to ping each other.
Is this because tag rewrites are not happening since packets don't leave the physical interface?
How can I work around this and establish a L2 connection between the two subinterfaces?
Thank you

a vlan is usually the equivalent of an l3 subnet, so linking 2 vlans together in the same bridge domain, likely needs to come with some sort of routing (eg a BVI interface).
If these 2 vlans are still in the same subnet, then there is still arp going on, from one host to the other that traverses the bD.
you will need to verify the state of the AC, the forwarding in the BD and see if something gets dropped somewhere and follow the generic packet troubleshooting guides (see support forums for that also).
that might give a hint to what the precise issue in your forwarding is.
regards
xander

Load balancing on sub-interfaces (3 links)

Hello.
I am trying to load balance between the three links of a bundle. Traffic comes and goes with the same bundle interface.
Launched 5 threads TCP\UDP with different SRC DST IP addresses and see the following balances:
IOS-XR               Monitor Time: 00:00:30          SysUptime: 106:39:28
                          Last Clear:   00:00:22
Protocol:General
Interface             In(pps)      Out(pps)      InPkts/Delta   OutPkts/Delta
Te0/1/0/0             11381           628        102062/25512       256/64
Te0/1/0/1             33849         55965        303244/75700    505364/126230
Te0/1/0/2             11363             0        100800/25200         0/0
Quit='q',     Clear='c',    Freeze='f', Thaw='t',
Next set='n', Prev set='p', Bytes='y', Packets='k'
(General='g', IPv4 Uni='4u', IPv4 Multi='4m', IPv6 Uni='6u', IPv6 Multi='6m')
We have 10G switch connected to asr9010 three ports and the following configuration:
interface TenGigE0/1/0/0
bundle id 1 mode active
bundle port-priority 2
interface TenGigE0/1/0/1
bundle id 1 mode active
bundle port-priority 2
interface TenGigE0/1/0/2
bundle id 1 mode active
interface Bundle-Ether1.75
ipv4 address 25.0.0.1 255.255.255.252
encapsulation dot1q 75
interface Bundle-Ether1.76
ipv4 address 26.0.0.1 255.255.255.252
encapsulation dot1q 76
RP/0/RSP0/CPU0: ios # sh bundle load-balancing bundle-e1 detail location 0/1/CPU0
Tue Jun 4 07:03:07.605 UTC
Bundle-Ether1
Type: Ether (L3)
Members <current/max>: 3/3
Total Weighting: 3
Load balance: Default
Locality threshold: 65
Avoid rebalancing? False
Sub-interfaces: 3
Member Information:
    Port: LON ULID BW
    Te0/1/0/0 0 0 1
    Te0/1/0/1 1 1 1
    Te0/1/0/2 2 2 1
Sub-interface Information:
    Sub-interface Type Load Balance Locality
                                        Hash Threshold
    Bundle-Ether1.76 L3 Default 65
    Bundle-Ether1.75 L3 Default 65
    Bundle-Ether1.100 L3 Default 65
Platform Information:
=====================
                  * Bundle Summary Information *
Interface: Bundle-Ether1 Ifhandle: 0x08000160
Lag ID: 1 Virtual Port: 255
Number of Members: 3 Local to LC: Yes
Hash Modulo Index: 3
Member Information:
LON Interface ifhandle SFP port slot remote / rack_id
Te0/1/0/0 0x02000140 0 12 0 1 0/0
Te0/1/0/1 0x02000180 1 13 0 1 0/0
Te0/1/0/2 0x020001c0 11 2 0 1 0/0
                   * Bundle Table Information *
[NP 0]:
   Unicast (Global) LAG table
idx local LON VQI port
   1 0 0 12 0
   2 0 1 13 0
   3 0 2 11 0
[NP 1]
   Unicast (Global) LAG table
idx local LON VQI port
   1 0 0 12 0
   2 0 1 13 0
   3 0 2 11 0
[NP 2]:
   Unicast (Global) LAG table
idx local LON VQI port
   1 0 0 12 0
   2 0 1 13 0
   3 0 2 11 0
[NP 3]
   Unicast (Global) LAG table | Multicast (Local) LAG table
idx local LON VQI port | idx local LON VQI port
   1 0 0 12 0 1 1 2 11 0
   2 0 1 13 0 2 0 0 0 0
   3 1 2 11 0 3 0 0 0 0
[NP 4]:
   Unicast (Global) LAG table | Multicast (Local) LAG table
idx local LON VQI port | idx local LON VQI port
   1 1 0 12 0 1 1 0 12 0
   2 0 1 13 0 2 0 0 0 0
   3 0 2 11 0 3 0 0 0 0
[NP 5]
   Unicast (Global) LAG table | Multicast (Local) LAG table
idx local LON VQI port | idx local LON VQI port
   1 0 0 12 0 1 1 1 13 0
   2 1 1 13 0 2 0 0 0 0
   3 0 2 11 0 3 0 0 0 0
[NP 6]
   Unicast (Global) LAG table
idx local LON VQI port
   1 0 0 12 0
   2 0 1 13 0
   3 0 2 11 0
[NP 7]
   Unicast (Global) LAG table
idx local LON VQI port
   1 0 0 12 0
   2 0 1 13 0
   3 0 2 11 0
================================================== =============================

20 flows and a bit better result:
IOS-XR               Monitor Time: 00:00:08          SysUptime: 133:33:44
                     Last Clear:   00:00:06
Protocol:General
Interface             In(pps)      Out(pps)      InPkts/Delta   OutPkts/Delta
Te0/1/0/0             11794         14977             0/44696         0/44484
Te0/1/0/1             10682          8786             0/37924         0/25456
Te0/1/0/2             18243         16958             0/44596         0/57579
Quit='q',     Clear='c',    Freeze='f', Thaw='t',
Next set='n', Prev set='p', Bytes='y', Packets='k'
(General='g', IPv4 Uni='4u', IPv4 Multi='4m', IPv6 Uni='6u', IPv6 Multi='6m')
Can the ASR9K more or less normal balance on uneven number of links?

LMS 4.2 sub-interface not available in the instance selection window creating poller

Hi All,
I have sub-interfaces created on the switch and are in active(up/up) state,but these sub-interface not available for selection in the instance window while creating the poller, and am not able to monitor the traffic on these sub interface in the performance management.
LMS will not display the interfaces in the instance selection window if they are not active,but here the sub-interface are in active state but these are
not available. can anyboody help me out ??
Thanks,
Channa

Any Idea..??

Issue in Sub-interface traffic on cisco 7609-s router

Hello please support,
I configured sub-interfaces and it is working properly, but some time sub-interface show traffic more then physical interface .
Like
int gi 3/32 0.13 Mbps 12:00 PM
int gi 3/32.11 855 Mbps 12:00 PM
as per my knowledge physical interface have cumulative traffic of all sub-interfaces.
interface GigabitEthernet3/32
no ip address
interface GigabitEthernet3/32.10
encapsulation dot1Q 10
ip address 172.20.128.77 255.255.255.252
ip ospf network point-to-point
ip ospf bfd
bfd interval 50 min_rx 50 multiplier 5
no bfd echo
no cdp enable
interface GigabitEthernet3/32.11
description interlink MPLS
encapsulation dot1Q 11
ip address 172.20.129.73 255.255.255.252
ip ospf network point-to-point
mpls ip
mpls label protocol ldp
Regards,
Damodar Nagar

I have not that graph so I am just guessing that you are noticing the difference between policing and shaping. It seems to me you are applying these techniques on each platform on a different way. Try to shape/police in the same order or only to shape.
Hope to help
Alessio
Sent from Cisco Technical Support iPad App

Sub-interfaces on n5k

Hi, I am trying to connect N5k (layer-3) and ASA, there is a requirement where some of the security-sensitive vlans have their layer-3 on the ASA and for those vlans who are less-sensitive have their svis on the N5k. I am doing a POC in my lab gear first. The n5k and the ASA are connected by 1 physical link having sub-interfaces on both the ends. There is a sub-int with vlan 10 (10.1.1.0/30) on both sides and the ASA injects a default-route to the N5k over this. so in case a non-secure vlan needs to talks to a secure-vlan it goes through via this path. My issue is that, if i create a sub-intf on the ASA, give it a vlan tag of 20, and on my N5k i add a port in that same vlan, i cannot ping my GW (ASA) from the laptop. I have also created a similar sub-int on the N5k side as well with tag 20, BUT still does not work.
attached visio.
Any clues??
Thnx
Sandev

Hello Sande,
That is correct! Please mark this question as answered so future users having a similar problem can learn from your
solution.
Regards,
Julio

Include multiple sub-interfaces in Cisco ASA for VPN tunnel

I am trying to create a VPN tunnel between two Cisco ASAs where one ASA has multiple sub-interfaces.
Say, In Cisco ASA 5550(in datacentre), I created multiple subinterfaces with VLAN ID as below:
Inside, int0/1 : 10.1.1.0/24
DMZ, int0/1.100: 10.1.100.0/24 (VLAN 100)
Production, int 0/1.101 : 10.1.101.0/24 (VLAN 101)
Management, int 0/1.102: 10.1.102.0/24 (VLAN 102)
And another Cisco ASA 5505 is only configured with 1 x inside interface Inside, int 0/1: 192.168.1.0/24
So far, I have only been able to provide outside access to one of the sub-interfaces as NAT rule on inside interface didn't work for VLANs. Hence had to issue Global NAT rule to be applied on Production subinterface so that production VLAN can have outside access. I have managed to establish VPN tunnel between two ASAs on Production sub-interface only, Source interface = Production subinterface
Additional settings:
Have ACL to allow all sub interfaces to access outsite ( lower security level)
NAT rules is configured on Production subinterface with Source NAT Type as Dynamic PAT; when this was configured with source interface as inside, PCs behind various VLAN coun't access internet.
I want to establish a site-to-site VPN tunnel with multiple sub-interfaces of Cisco ASA 5550 to Cisco ASA 5505. Would you please suggest what I am missing in my configuration? I need to be able to access multiple VLANs of datacentre from remote site.

I am trying to create a VPN tunnel between two Cisco ASAs where one ASA has multiple sub-interfaces.
Say, In Cisco ASA 5550(in datacentre), I created multiple subinterfaces with VLAN ID as below:
Inside, int0/1 : 10.1.1.0/24
DMZ, int0/1.100: 10.1.100.0/24 (VLAN 100)
Production, int 0/1.101 : 10.1.101.0/24 (VLAN 101)
Management, int 0/1.102: 10.1.102.0/24 (VLAN 102)
And another Cisco ASA 5505 is only configured with 1 x inside interface Inside, int 0/1: 192.168.1.0/24
So far, I have only been able to provide outside access to one of the sub-interfaces as NAT rule on inside interface didn't work for VLANs. Hence had to issue Global NAT rule to be applied on Production subinterface so that production VLAN can have outside access. I have managed to establish VPN tunnel between two ASAs on Production sub-interface only, Source interface = Production subinterface
Additional settings:
Have ACL to allow all sub interfaces to access outsite ( lower security level)
NAT rules is configured on Production subinterface with Source NAT Type as Dynamic PAT; when this was configured with source interface as inside, PCs behind various VLAN coun't access internet.
I want to establish a site-to-site VPN tunnel with multiple sub-interfaces of Cisco ASA 5550 to Cisco ASA 5505. Would you please suggest what I am missing in my configuration? I need to be able to access multiple VLANs of datacentre from remote site.

Sub-interface numbering setup

I can't find it officially stated in any Sun documentation, but I'm assuming that when a global zones boots, it checks /etc/zones/*.xml, using the XML file when starting up each zone to assign the appropriate resources?
Is that correct? I'm just wanting to confirm how a global zone configures the interfaces for a local zone.
For example:
root@global00:/etc/zones> ifconfig -a
e1000g0:23: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
zone wlsdva27
inet xxx netmask ffffff00 broadcast xxxx
I'm not sure how to make sure that this interface configuration would survive from a complete restart of the entire server. In other words, that :23 would still be assigned the same IP after a complete server restart.
I understood that Solaris 9/10 needed /etc/hostname.interface to be setup:
root@glocal00:/etc/zones> ls /etc/host*
/etc/hostname.e1000g0 /etc/xxx /etc/xxxx
/etc/hosts /etc/xxx /etc/xxxx
root@global00:/etc/zones> cat /etc/hostname.e1000g0
global00
root@global00:/etc/zones>
I don't see any /etc/hostname.* files for any of the virtual interfaces... Would/should there be?
So, basically, with a system with multiple zones/containers, how does the global zone re-assign the same sub-interfaces to the same zone/container? I realize sub-interface numbering may not be all that important, but I was still wondering.

It's first-come first-serve on virtual interfaces. They are not assigned statically.

Can I rate-limit on the sub-interface in cisco asr 1013?

Hi,
I am looking for the command of rate-limit on a sub-interface in cisco asr 1013.
Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.2(2)S, RELEASE SOFTWARE (fc1)
IOS XE Version: 03.06.00.S
Please let me know if it is possible in cisco asr 1013. If yes then what are the commands.
Zobair

The ASR no longer supports the rate-limit command, but it does support the same functionality in a QoS policy.
Please find a sample configuration -
ASR1004(config)#policy-map test
ASR1004(config-pmap)#class class-default
ASR1004(config-pmap-c)#shape average 10000
Applying for both ingress and egress : -
ASR1004(config)#int gig1/1/0
ASR1004(config-if)#service-policy output test
or
ASR1004(config-if)#service-policy input test

Prime 2.0 monitor sub interface

Can you monitor a sub-interface using Prime 2.0 - TenGigabitEthernet4/7.2010? If so how? When we select Design | Management Tools | Port Grouping | Add to Group | Select Group | WAN Interfaces we do not see any sub-interfaces

Step 1 Download the appropriate point patch to a local resource in your environment:
a. With the Cisco Download Software navigator displayed in your browser, select Products > Cloud and Systems Management > Routing and Switching Management > Network Management Solutions > Cisco Prime Infrastructure .
b. Select the version of Cisco Prime Infrastructure that most closely matches the one you are currently using (e.g., Cisco Prime Infrastructure 1.2 ).
c. Click Prime Infrastructure Patches to see the list of available patches for that version of the product.
d. Next to each patch that is required, click Download , then follow the prompts to download the file.
Step 2 Open a command-line interface session with the Prime Infrastructure server (see Connecting Via CLI in the Cisco Prime Infrastructure 2.1 Administrator Guide ).
Step 3 Copy the downloaded patch file to the default local repository. For example:
admin# copy source path /defaultRepo
Where:
source is the downloaded patch file’s location and name (for example: ftp://MyFTPServer/pi_9.3.1.0_update.tar.gz).
path is the complete path to the default local backup repository, defaultRepo.
Step 4 Install the patch:
admin# patch install patchFile defaultRepo
Where patchFile is the name of the patch file you copied to defaultRepo.
or check this Bug
CSCun11428
Upgrade from Prime Infrastructure 2.0 to 2.1 failed.

Sub-interface Removal

Similar Messages

Maybe you are looking for