Unable to add vrf to Vlan interface

Running 3750 in stack Version 15.0(2)SE2
I am geting error when trying to add vrf vlan int
switch(config)#interface Vlan101
switch(config-if)#ip vrf forwarding dummy
% CEF table 0x6 does not exist (Vlan101).
switch(config-if)#^Z
Please help

Yes Cef is by default on the switch i believe
switch#sh ip cef
Prefix               Next Hop             Interface
0.0.0.0/0            10.34.68.1           FastEthernet0
0.0.0.0/8            drop
0.0.0.0/32           receive
10.34.68.0/24        attached             FastEthernet0
10.34.68.0/32        receive              FastEthernet0
10.34.68.1/32        attached             FastEthernet0
10.34.68.2/32        attached             FastEthernet0
10.34.68.11/32       attached             FastEthernet0
10.34.68.13/32       attached             FastEthernet0
10.34.68.14/32       attached             FastEthernet0
10.34.68.15/32       receive              FastEthernet0
10.34.68.255/32      receive              FastEthernet0
10.145.172.0/32      receive              Virtual3
127.0.0.0/8          drop
224.0.0.0/4          drop
224.0.0.0/24         receive
240.0.0.0/4          drop
255.255.255.255/32   receive

Similar Messages

Unable to add allowed VLANs to TenGig trunk port

Hi,
I've got a ten gig interface on a 6509 running 12.2(33) configured as a trunk, but I've not been able to add any allowed VLANs as I've done before on other ten gig ports on different 6509 chassis. Am I missing something obvious?
I'm assuming that the reason I'm unable to set the encapsulation to dot1q is because the new hardware doens't support ISL, hence no need. The command to add the VLANs however doesn't get rejected, it just doesn't appear to do anything.
I've tried adding single VLANs and multiples, but no joy. Any ideas?
Here's what I've done:
SWITCH_1631(config)#default int t4/1
Interface TenGigabitEthernet4/1 set to default configuration
SWITCH_1631#sh ru int t4/12
Building configuration...
Current configuration : 65 bytes
interface TenGigabitEthernet4/12
no ip address
shutdown
end
SWITCH_1631(config)#int t4/1
SWITCH_1631(config-if)#switchport
SWITCH_1631(config-if)#switchport mode trunk
SWITCH_1631(config-if)#switchport trunk allowed vlan ?
WORD VLAN IDs of the allowed VLANs when this port is in trunking mode
add add VLANs to the current list
all all VLANs
except all VLANs except the following
none no VLANs
remove remove VLANs from the current list
SWITCH_1631(config-if)#switchport trunk allowed vlan add 700
SWITCH_1631(config-if)#
SWITCH_1631#sh vlan id 700
VLAN Name Status Ports
700 VLAN_NAME active <snip>
SWITCH_1631#sh ru int t4/1
Building configuration...
Current configuration : 74 bytes
interface TenGigabitEthernet4/1
switchport
switchport mode trunk
end

Steve,
Thanks for getting back to me. You're right that it is by default a dot1q trunk allowing all VLANs, therefore it should work for what I want to do.
Port Mode Encapsulation Status Native vlan
Gi3/39 on 802.1q trunking 1
Te4/1 on 802.1q trunking 1
Po1 on 802.1q trunking 50
Po2 on 802.1q trunking 50
Po3 on 802.1q trunking 50
Po4 on 802.1q trunking 50
Po5 on 802.1q trunking 50
Port Vlans allowed on trunk
Gi3/39 15-16,20-23,30,401,608
Te4/1 1-4094
Po1 10,13,20-21,25,30,50,52,61,70,600,700-701,950
Po2 10,20,30,50,52,61,70,600,700-701,950
Po3 10,20,30,50,61,70,600,700-701,950
Po4 10,20,30,50,61,70,600,700-701,950
Po5 2-3,10-23,25-26,30,35-36,40,50-53,56,58,61,65,70,77,101-102,145-146,155-158,401-402,600-602,608,700-701,800,950
The problem was that I've always been advised that best practise is to only allow the VLANs that are actually required on a trunk to avoid broadcasting traffic unnecessarily. I worked out what the issue was though, and it was a pretty simple one!
Once I saw that 1-4094 was allowed I tried "switchport trunk allowed vlan remove 700" which worked and left me with 1-699,701-4094.
Then I realised what the problem was trying to use the "add" command when all possible VLANs had already been added. As soon as I got rid of it and used "switchport trunk allowed vlan 700" followed by "switchport trunk allowed vlan add 701" I was back in business.
So it was a very simple issue, but thank you Steve for pointing me in the right direction and confirming that all the VLANs were already allowed!

Cisco ASA 5505 VPN connection issue ("Unable to add route")

I'm trying to get IPSec VPN working onto a new Cisco ASA5505. Pretty standard configuration.
Setup:
* Cisco VPN client on Windows 7 (v5.0.07.0290 x64 on Laptop1 and v5.0.07.0440 x64 on Laptop2)
* PPPoE/NAT and internal DHCP on the ASA were configured with the Startup Wizard in ASDM
NATting is working fine - internal PCs get an IP address in the 192.168.2.0/24 range and can all access the Internet.
I wanted to be able to connect from anywhere to the ASA in order to reach one of the internal servers. Should be pretty basic.
First I tried with the built-in ASDM IPSec Wizard, instructions found here.
VPN clients can connect to the ASA, are connected (until they're manually disconnected), but cannot reach the internal network nor the Internet. Note VPN client can connect fine to a different VPN site (not administered by myself).
Client logs show following error messages:
1 15:53:09.363 02/11/12 Sev=Warning/3     IKE/0xA300005F
Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
2 15:53:13.593 02/11/12 Sev=Warning/2     CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination     192.168.1.255
Netmask     255.255.255.255
Gateway     172.16.1.1
Interface     172.16.1.101
3 15:53:13.593 02/11/12 Sev=Warning/2     CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100165, Gateway: ac100101.
4 15:54:30.425 02/11/12 Sev=Warning/2     CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
5 15:54:31.433 02/11/12 Sev=Warning/2     CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
6 15:54:32.445 02/11/12 Sev=Warning/2     CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
7 20:50:45.355 02/11/12 Sev=Warning/3     IKE/0xA300005F
Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
8 20:50:50.262 02/11/12 Sev=Warning/2     CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination     192.168.1.255
Netmask     255.255.255.255
Gateway     172.16.1.1
Interface     172.16.1.100
9 20:50:50.262 02/11/12 Sev=Warning/2     CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100164, Gateway: ac100101.
I've already tried the suggestions from this link, although the problem is different there (as the user can still access the internet, even without split tunneling, which I cannot).
A show run shows the following output (note in the below I have tried a different VPN network: 192.168.3.0/24 instead of 172.16.1.0/24 seen in the Client log)
Result of the command: "sh run"
: Saved
ASA Version 8.2(5)
hostname AsaDWD
enable password kLu0SYBETXUJHVHX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group DW-VPDN
ip address pppoe setroute
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool DWD-VPN-Pool 192.168.3.5-192.168.3.15 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group DW-VPDN request dialout pppoe
vpdn group DW-VPDN localname fa******@SKYNET
vpdn group DW-VPDN ppp authentication pap
vpdn username fa******@SKYNET password *****
dhcpd auto_config outside
dhcpd address 192.168.2.5-192.168.2.36 inside
dhcpd domain DOMAIN interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DWD internal
group-policy DWD attributes
vpn-tunnel-protocol IPSec
username test password ******* encrypted privilege 0
username test attributes
vpn-group-policy DWD
tunnel-group DWD type remote-access
tunnel-group DWD general-attributes
address-pool DWD-VPN-Pool
default-group-policy DWD
tunnel-group DWD ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3e6c9478a1ee04ab2e1e1cabbeddc7f4
: end
I've installed everything using the CLI as well (after a factory reset). This however yielded exactl the same issue.
Following commands have been entered:
ip local pool vpnpool 172.16.1.100-172.16.1.199 mask 255.255.255.0
username *** password ****
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp nat-traversal
sysopt connection permit-ipsec
sysopt connection permit-vpn
group-policy dwdvpn internal
group-policy dwdvpn attributes
vpn-tunnel-protocol IPSec
default-domain value DWD
tunnel-group dwdvpn type ipsec-ra
tunnel-group dwdvpn ipsec-attributes
pre-shared-key ****
tunnel-group dwdvpn general-attributes
authentication-server-group LOCAL
default-group-policy dwdvpn
Unfortunately I'm getting the same "AddRoute failed to add a route with metric of 0: code 160" error message.
I'm very confused as this should be a pretty standard setup. I tried to follow the instructions on the Cisco site to the letter...
The only "differences" in my setup are an internal network of 192.168.2.0 (with ASA IP address 192.168.2.254) and PPPoE with DHCP instead of no PPPoE at all.
Does anyone know what's going on?

Yes, I have tried from a different laptop - same results. Using that laptop I can connect to a different IPSec site without issues.
Please find my renewed config below:
DWD-ASA(config)# sh run: Saved:ASA Version 8.2(5) !hostname DWD-ASAenable password ******* encryptedpasswd ****** encryptednames!interface Ethernet0/0 switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1 nameif inside security-level 100 ip address 192.168.2.254 255.255.255.0 !interface Vlan2 nameif outside security-level 0 pppoe client vpdn group DWD ip address pppoe setroute !ftp mode passiveaccess-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.224 pager lines 24logging asdm informationalmtu inside 1500mtu outside 1500ip local pool vpnpool 192.168.50.10-192.168.50.20 mask 255.255.255.0icmp unreachable rate-limit 1 burst-size 1no asdm history enablearp timeout 14400global (outside) 1 interfacenat (inside) 0 access-list inside_nat0_outboundnat (inside) 1 0.0.0.0 0.0.0.0timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolutetimeout tcp-proxy-reassembly 0:01:00timeout floating-conn 0:00:00dynamic-access-policy-record DfltAccessPolicyhttp server enablehttp 192.168.2.0 255.255.255.0 insidehttp 0.0.0.0 0.0.0.0 outsideno snmp-server locationno snmp-server contactsnmp-server enable traps snmp authentication linkup linkdown coldstartcrypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec security-association lifetime seconds 28800crypto ipsec security-association lifetime kilobytes 4608000crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAPcrypto map outside_map interface outsidecrypto isakmp enable outsidecrypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400telnet timeout 5ssh 0.0.0.0 0.0.0.0 outsidessh timeout 5console timeout 0vpdn group DWD request dialout pppoevpdn group DWD localname *****@SKYNETvpdn group DWD ppp authentication papvpdn username *****@SKYNET password ***** dhcpd auto_config outside!dhcpd address 192.168.2.10-192.168.2.40 insidedhcpd enable inside!threat-detection basic-threatthreat-detection statistics access-listno threat-detection statistics tcp-interceptwebvpn enable outside svc enablegroup-policy DfltGrpPolicy attributes vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpngroup-policy dwdipsec internalgroup-policy dwdipsec attributes vpn-tunnel-protocol IPSec default-domain value DWDDOMusername user1 password ***** encrypted privilege 0username user1 attributes vpn-group-policy dwdipsectunnel-group dwdipsec type remote-accesstunnel-group dwdipsec general-attributes address-pool vpnpool default-group-policy dwdipsectunnel-group dwdipsec ipsec-attributes pre-shared-key *****tunnel-group dwdssl type remote-accesstunnel-group dwdssl general-attributes address-pool vpnpool!class-map inspection_default match default-inspection-traffic!!policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options !service-policy global_policy globalprompt hostname context no call-home reporting anonymousCryptochecksum:f5c8dd644aa2a27374a923671da1c834: endDWD-ASA(config)#

Unable to add QOS command

Hi,
I am unable to add the "service-policy output QOS" on a vlan interface on cisco 3925 router.
(Version 15.0(1r)M13, RELEASE SOFTWARE (fc1))
Was able to add the command on the vlan interface for our other cisco 3925 router with a different version.
(Version 15.0(1r)M16, RELEASE SOFTWARE (fc1))
Though the version is slightly different I don't think that is the reason.
Any thoughts?

Rajeevsh,
Please look below. When I apply the policy on the interface it gives a 'Configuration failed!' message.
class-map match-any CAsip
match protocol sip
match protocol rtcp
match protocol rtp
match protocol rtsp
policy-map QOS
class CAsip
priority percent 65
set dscp ef

Unable to add switches to CAM via SNMP

Hello all,
I am now starting some POC work and was progressing well until I came to adding some 4510 switches to the CAM to control OOB devices.
I have full IP connectivity between the switch management VLAN interface (the switch is running in layer 2 only) and the CAM eth0 interface over the network with no firewalls in the way.
I have tried configuring both SNMP versions on the CAM and I have captured the SNMP communication between the switch and the CAM which is being received by the switch and is being responded to. So I have proved that SNMP packets are reaching the various devices. There is no routing or switching issues.
Would someone please mind giving me a hand and tell me why the CAM cannot control the switch. When you try to add the switch it comes up with a message like "unable to control 10.108.2.15" This is the management VLAN2 on the test switch. I have used test communities public and private respectively on the CAM to match the switch.
SNMP switch config snippet below. The CAM is at 10.108.100.10.
snmp-server engineID local 800000090300001D4572F86E
snmp-server community public RO 10
snmp-server community private RW 10
snmp-server trap-source Vlan2
snmp-server enable traps snmp linkdown
snmp-server enable traps mac-notification change move threshold
snmp-server host 10.108.100.10 version 2c private
snmp-server host 10.108.100.10 version 2c public
access-list 10 permit 10.108.100.10 (This is the CAM referenced in ACL 10 so the poll will work)
Thanks kindly,
Oliver

Hi again Faisal,
The switch is a 4510R-R with 2 x SUP6-E's running code 12.2.53SG so the code is very recent. As the SUP6-E's are based on 4900 code I think that may be clue as to why things are not working however the SUP6-E should have full NAC support according to all documentation.
I would just like to add that our 5508 WLC's cannot be added to the CAM either and they are running version 6.0 WLC code. Again very recent code.
I can add 3750 switches fine so I know the configs are correct.
Doing this testing is most frustrating indeed as the NAC products just do not work as they should. I have asked for this to escalated to our SE so we should get a TAC case raised.
Faisal if you could be of any additional assistance this would be most appreciated.
Thanks,
Oliver

SG300-20 - Configure DHCP on VLAN interface

I have been reading the various related discussions on the SG300 and SG500 switches regarding setting up VLAN's and DHCP on those VLAN's. For whatever reason I have been unable to even get this simple task to work.
First thing I did was to update my firmware and boot version as follows:
SW version    1.3.7.18 ( date 12-Jan-2014 time 18:02:59 )
Boot version    1.3.5.06 ( date 21-Jul-2013 time 15:12:10 )
HW version    V02
When I reloaded the SG300 after the SW/Boot updates the startup config was wiped out and I had to setup my switch from scratch. The intent is to have two VLAN's:
VLAN 1: all devices, servers, etc.
VLAN 2: basic subnet that hands out DHCP addresses
The SG300-20 is connected to an Asus RT-AC66U router on the 192.168.1.x subnet and provides internal network access and WiFi access (router IP address is 192.168.1.1 and is default gateway). All that works with no issues. So my task is simply to create VLAN 2 on 192.168.2.x subnet and use DHCP to allocate addresses. I have spent many hours on this and I still can't get it to work. When I connect a laptop to the port (GI8) assigned to VLAN 2, I end up getting some wonky 169.254.x.x address. I certainly thought something this "easy" wouldn't be that hard to setup, but apparently I was wrong.
The SG300 is running in L3 mode as shown in my running-config below.
Does anyone happen to see something that might be preventing my laptop client from recieving IP addresses from the VLAN 2 DHCP interface that are not in the 192.168.2.x subnet?
Any ideas / suggestions would be greatly appreciated!
Here's my running-config:
config-file-header
MYSTICSW1
v1.3.7.18 / R750_NIK_1_35_647_358
CLI v1.0
set system mode router
file SSD indicator encrypted
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
vlan database
vlan 2
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
bonjour interface range vlan 1
hostname MYSTICSW1
logging host 192.168.1.15
logging origin-id hostname
username cisco password encrypted b4a0fcf20b2cd9d80a55b06ab8f83277f9733904 privilege 15
snmp-server location Office
clock timezone " " -5
clock summer-time web recurring usa
clock source sntp
sntp unicast client enable
sntp unicast client poll
sntp server 192.168.1.10 poll
interface vlan 1
ip address 192.168.1.254 255.255.255.0
no ip address dhcp
interface vlan 2
name MysticWAN
ip address 192.168.2.254 255.255.255.0
interface gigabitethernet8
switchport mode access
switchport access vlan 2
exit
ip default-gateway 192.168.1.1
Thanks in advance!
Clint Lambert

Tom,
Thanks ... I followed the steps you outlined and it worked! The only difference being that I have an Asus RT-AC66U router and the there is no "enable multiple subnet" option. So, I just followed your instructions on creating the static routes in the RT-AC66U and everything worked. The DHCP addresses were correct and I had internet connectivity when I plugged a laptop into the gi8 port.
I did make one tweak to the Network Pools screen as follows:
My DHCP configuration for gi8 on VLAN 2 now looks like:
ip dhcp server
ip dhcp pool network InternalWAN
address low 192.168.2.1 high 192.168.2.99 255.255.255.0
lease infinite
domain-name MYSTIC
default-router 192.168.2.254
dns-server 8.8.8.8
Previously I had followed your advice in the article "Need help configuring SG300-10 switch" and had setup everything using CLI. However, I didn't think about needing the static routes. So, I think it was probably setup correctly beforehand but had no chance to work because the routes were not setup.
Thanks very much for your help!
Clint

Netflow on 6509 in Native Mode from Vlan Interface

I'm trying to get a 6509-E, running Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICES_WAN-M), Version 12.
2(33)SXI9, RELEASE SOFTWARE (fc2), to send netflow traffic from a vlan interface to a Solarwinds server.
The server is not seeing all the vlan traffic, but does see all the traffic on the layer 2 ports (not netflow).
I've seen that a command, ip flow ingress layer2-switched vlan, needs to be enabled, but the OS I have does not support that command.
Or could it be that MLS is not configured except for a couple commands:
mls netflow interface
mls cef error action reset
netflow setup:
Flow export v5 is enabled for main cache
Export source and destination details :
VRF ID : Default
    Source(1)       10.31.101.1 (Vlan52)
    Destination(1) 10.30.2.196 (2055)
Version 5 flow records
14927339 flows exported in 615072 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
0 export packets were dropped enqueuing for the RP
0 export packets were dropped due to IPC rate limiting
0 export packets were dropped due to Card not being able to export
interface:
interface Vlan52
description AN.VDI.stu
ip address 10.31.101.1 255.255.255.0
ip helper-address 10.31.149.200
no ip redirects
ip flow ingress
ip flow egress
ip pim neighbor-filter 98
ip pim sparse-dense-mode
ip cgmp

Enabling MLS was the fix.
mls netflow interface
mls flow ip interface-full
mls nde sender version 5
mls cef error action reset

Unable to create or remove VLAN

I'm unable to create or remove any VLAN on my cisco switch...
C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA6
Error:
APP-SW-LAN-CISCO-#5(config)#no vlan 10
Error on initialize VLAN database 1: VTP feature not yet initialized
when i give "show run".... im receiving below error...
LAN-CISCO-#5#sh run
Building configuration...
Error on initialize VLAN database 1: VTP feature not yet initialized
Wat is the cause.... any suggestion...

If you don't use VTP features try to add these command:
vtp domain CISCO
vtp mode transparent
Now you should be able to add and remove vlan.
Regards.

Flexconnect on VRF guest vlan

Hi all, I have a multi site customer with a vrf guest vlan in any site.
Now I have to place a WLC on the HQ to manage all the wifi for HQ and other office, all the APs in the remote sites are in flexconnect mode.
On the VLAN mapping for AP I set the correct guest vlan for every AP/site but the guest network over vrf seems not working properly.
For the AP in the HQ if I turn off flexconnect and use the AP in local mode the vrf guest works well (using the internal DHCP of WLC).
Anyone have tried a config like this?
Thanks

Cool, We fixed our DHCP issue it was related to how we had several APs advertising the SSID . One was transmitting at a higher power than the other/plus it had no DHCP -assigned ot the interface. The weaker transmitter did so it would ping pong to the stronger signal and back to the weaker . LOL

FWSM vlan interface

Hello, quick question I hope someone can help with.
Is it possible for me to create 2 vlan interfaces on the 6500 and have them both in the same subnet?
For a specific customer requirement I would like to have a vlan interface on the 6500 as default gateway, sat in it's own vrf, and then route all traffic inbound and outbound to this vlan through the FWSM interface, preferably in the same subnet. I don't think this will be possible so just looking for confirmation either way.
As I will be running EIGRP between a pair of central 6500's and 2 remote offices it will make things much easier for me advertise the connected FWSM interfaces in to EIGRP for access in/out of all my VRF'd subnets. If I need another subnet for each VRF FWSM next hop then I'll have to reditribute a list of statics which I don't really want to do.
The reason I am not just using the FWSM as gateway is because I need to run HSRP across 3 different devices (another 6500 in a second suite), and failover FWSM will only give me 1 level of redundancy for those gateways.
Hope that makes sense, let me know if you have further questions.
Thanks

Thanks Marvin. You do understand the question, and it occurred to me after writing the above that I could just use a single FWSM inside interface and route in and out of each VRF via that 1 interface (All VRF's belong to a single customer, just required for segregation of internal traffic).
The third 6500 running HSRP will be located in a DC 100km away connected via dual 1Gb circuits (3ms latency), and has it's own default route to a pair of ASA 5520's. If both FWSM's go down then the gateway will go live in the second site and traffic will be switched over our SP qinq tunnel to that gateway. Relevant BGP bits (MED), etc. will also be in place for seemless failover and traffic flow to and from the /23 pi range peered with the same ISP in each location..
Thanks again.
Chris

3750X - Dropped multicat traffic flooding on all switchport vlan interfaces

Hello forum,
I have a problem on source multicast blocking. I have a switch with a vlan interface (Ex. vlan 20 )and on that vlan interface an extended ACL is present. That ACL block specific multicast groups. Furtehrmore I have many switchport access interfaces on vlan 20 with different sources connected.
If one source start streaming with multicast destination IP blocked by ACL, dropped traffic is flooaded on all switchports on source's vlan
IGMP snooping on this vlan is enabled but seems that dropped traffic stay on L2 vlan without it.
Device used: C3750X
IOS: 15.0(2)SE5
Thank you for help

Hi Michal,
thanks for your reply!
Yes, probably i've captured all lines of access-list... but I've to change my approach because my access-list is a extended "named" access-list and, on other post, I've read that "named" access-list cannot be debugged...
Now i've deleted all access-lists entries that refer to vlan2 and I've created new one "numerical":
#ip access-list extended 100
#10 ip permit 172.16.2.0 0.0.0.15 any log
In this mode the debug shows only access-list 100 traffic + bcast + mcast.
But, the strange thing is another one now...
I've bought a multifunction printer, that send scanned document to a email account, the printer haven't internal smtp, it makes a connection to hp servers that forward scans to real destination address...
I was curious to find out how this connection works because, my private/confidential documents are send on internet and, i would hope that hp use a secure connection from my printer to its server...
Well, if I add "log" switch command at the end of access-list, or I enable access-list debug, the printer stop to comunicate to hp services/server... if I turn off debug or rewrite access-list without "log" feature, incredibly the printer re-start to comunicate with hp...
Have you any idea that explain that? I'm going crazy...

Unable to add volumes (Data Area Full)

Hello,
The data area in our MAXDB is 100 % full and the database does not come up in Online mode. It gives the following error - "-24798 data area is full [db_online -f]".
As it does not come up in online mode, I am unable to add data volumes using the GUI.
Can you please let me know the steps to add disk files ? I believe I need to use command line interface and a few commands to achieve this. It would be great if you could let me know these commands to add new space in admin mode.
This is MAXDB 7.6 on Windows.
Thanks and Regards,
Parag.

Parag,
if the database ran full during startup, it was not possible to add a data volume in MaxDB releases from 7.6.03.03 up to 7.6.04.04 - neither with the gui nor the command line.
To fix the situation, you can start the database into admin mode and add a data volume prior going online.
regards,
Henrik

Browser Sets Empty Unable to Add

Hi, I am using the online version of browserlab and when I enter a url I am asked to choose a browser set. When I go to the browser set window there are no sets defined and I am unable to add a new one by clicking the add new set button. Any ideas?

As far as we know those suggestions worked for the other users... as Mike said "If the problem persists please let us know and we will work with you to resolve the issue". We haven't heard anything back after that.
I think this is an issue with not being properly signed in. Somehow the login step is being skipped. Can you try clicking the Logout link in the upper right corner of the BrowserLab interface and try logging in again. If that doesn't work for you post back here.
Mark

ACL on Vlan interface

I am trying to apply an acl on my vlan interfaces that would allow the vlan to initiate tcp traffic. When I apply it I am unable to surf the web from the vlan but I can tftp from the vlan .

This is normal behavior. The first packet coming from the station on the VLAN would not be considered as established.
On the other hand, the established keyword could be configured on an outbound ACL applied to the same VLAN. This would only allow TCP traffic initiated from the VLAN to reenter that same VLAN.
Hope this helps,

Vlan Interface on a 2691 router

Hi,
I am trying to create an vlan interface on a 2691 router but can't do it. What switch module do I need and what code. Argh!! I've searcehed all over cisco but I can't find it. What am I mmissing??
Thanks,
Lee

Can you give us more information about what is it that you're trying to do?
Your IOS is the latest and greatest in the 12.3 line as of the date of this posting. And your Feature Set is Advanced Enterprise Services, which is the fullest Feature Set you can get. (The "Plus" capabilities were folded into Enterprise Services when Cisco reorganized the Feature Sets they offer.)
Going back to your original situation. I may have misunderstood exactly what you are trying to do.
RE: "I am trying to create an vlan interface on a 2691 router but can't do it."
If by this you mean you are tring to create an "interface Vlan2" or "interface Vlan10" or "interface Vlan18" like you can do on the Cisco Catalyst switches, and then put interface-specific commands underneath it, then I don't think you can. Even though you can enter "interface ?" and it shows Vlan as one of the options, it is my understanding that you do it as I outlined above in my previous post.
If you are going to carry multiple VLANs on a single router port connected to an 802.1Q trunking switch port, then if you need IPX capabilities on a particular sub-interface, just add the IPX network address and IPX frame/encapsulation type under the sub-interface.
If you're just trying to dedicate one router LAN port to act as a default gateway for a particular VLAN, then connect the router to a switch port that is defined as an access port for that VLAN. Assign the appropriate IP and IPX addressing under the router's LAN interface and you're done. No need for sub-interfaces, or bothering to configure the router with any Layer 2 VLAN information, except maybe a description assigned to the port that tells you what VLAN on the switch you're connecting it to.
RE: "What switch module do I need and what code."
If you're trying to host multiple 10/100 switching ports within the router, then you are looking for some version of Cisco's 16-port EtherSwitch Network Module. The model number NM-16ESW-something, where the "something" designates support for inline power or an optional Gigabit Ethernet interface. This should run on the code you have.
The NM-16ESW supports 802.1Q, according to the documentation. But I have never worked with one, so I couldn't tell you how the interfaces are numbered (Fa1/0 through Fa1/15?). Also, I have no idea how the router communicates with the switching network module internally: are there 16 separate FastEthernet ports now, each one configurable as the router's own LAN ports are? Or is there some common, internal backplane-type connection between the network module and the router's CPU, configured like a Gigabit Ethernet VLAN trunk port when you implement multiple access VLANs on the 10/100 ports?
Rather than use an NM-16ESW in a router to handle multiple VLANs, I would just use a Cisco Layer 3 switch if it were only for routing IP. 3550 or 3750 would be fine. But if you need IPX routing, then in Cisco's line you either need routers or chassis switches running Enterprise code. Other manufacturers support IPX and IP in a stackable size: Foundry, HP, and Extreme Networks, for example. In fact, Foundry and HP (who OEMs some product from Foundry) use a CLI very much like Cisco's. I've even seen HP switches show up as CDP neighbors to a Cisco router.
There are times to use routers and times to use Layer 3 switches. And times when you need both. It all depends on what you're doing, and what you're trying to do it with...

Unable to add vrf to Vlan interface

Similar Messages

Maybe you are looking for