Virtual tunnel between 2950 switches

Similar Messages

• Secure Tunneling Between Two Switches

  Hi,
  We have 3 buildings in a campus.  We occupy building 1 and 3.  Building 2 belongs to someone else.  However, building 2 switch connects both building 1 and 3.  How do I create a point-to-point secure tunnel between the two 3560v2 layer 2 switches in building 1 and 3 thru the transit switch in building 2 in a layer 2 environment?
  QinQ does not meet the requirement because we want to prevent man-in-the-middle access from the transit switch in Building 2.
  Thanks!
  Kevin

  Encryption of the uplink is the way to go but your 3560v2 switch does NOT support MACSec.
  MACSec support starts with 3560X/3750X, 3650/3850.

• L2 tunnel between me3600x and 3925

  Hello,
  We are currently trying to configure a l2tunnel between a ME3600X (running 15.3(3)S3 with the AdvancedMetroIPAccess licence) and a 3925 (running 15.0(1)M2 with the datak9 licence).
  We are part of a CsC architecture, playing the role of the customer carrier, using BGP for label distribution between the Backbone carrier and the Customer carrier.
  Our architecture is quite flat as the CE and PE roles are on the same routers.
  we have the view on the following architecture and can configure the R1, RCV1, RCV2 and R2 routers :
  R1 --- RCV1---(Backbone Carrier)---RCV2--- R2
  We have 3 sites  A,B and C but only 2 dark fibers to connect them.
  We are using the CsC to build a L2 tunnel and close the triangle :
      A-ME=tun=3925-B
       df                    df
                 C
  For year were using a 2911 and a 3900 to build the tunnel and it was good. The tunnel was build with an xconnect l2tpv3.
  we replaced our 2911 for a ME3600X few weeks ago following the advice of our backbone CsC contact, and we are now facing the following problem :
  the configuration we used is not working any more : we can build the tunnel but the spanning tree BDPU are not passing through (We use rstp for spanning-tree protocol).
  3925 : ______________
  pseudowire-class backup-sro-ypa
   encapsulation l2tpv3
   ip local interface GigabitEthernet0/0/0.777
  interface GigabitEthernet0/1
   description interface connecting site B
   no ip address
   duplex auto
   speed auto
   no keepalive
   no cdp enable
   xconnect 10.193.32.50 5 pw-class backup-sro-ypa
  interface GigabitEthernet0/0/0.777
   description interface facing the CsC
   encapsulation dot1Q 777
   ip address 10.193.32.42 255.255.255.252
   mpls bgp forwarding
  ME3600 : ______________
  pseudowire-class backup-ypa-sro
   encapsulation l2tpv3
   sequencing both
   ip local interface Vlan777
  interface GigabitEthernet0/1
   description interface facing the CsC
   switchport trunk allowed vlan none
   switchport mode trunk
   mtu 1512
   service instance 777 ethernet
    description *** Transport vers to CsC***
    encapsulation dot1q 777
    rewrite ingress tag pop 1 symmetric
    l2protocol tunnel
    bridge-domain 777
  interface GigabitEthernet0/2
   description interface connecting site A
   no switchport
   no ip address
   xconnect 10.193.32.42 5 encapsulation l2tpv3 pw-class backup-ypa-sro
  interface Vlan777
   description vers RCV
   dampening
   mtu 1512
   ip address 10.193.32.50 255.255.255.252
   no ip unreachables
   mpls bgp forwarding
  As we have no experience with the ME3600X and their EVC and service instance concepts we have a hard time figuring out what solution to use :
  - According to this post l2tpv3 is not supported on the ME3600X : https://supportforums.cisco.com/discussion/11919131/configuring-pseudowire-between-3800-router-and-me3600x
  - According to this one it seems possible to interoperate a tunnel between a 2911 and a Me3600 : https://supportforums.cisco.com/discussion/11848451/eompls-and-layer-2-tunneling
  Our need is slightly different though, as we are trying to pass a dot1Q trunk in the tunnel.
  We tried to switch to encapsulation mpls, with no luck so far...
  Any help or feedback would be greatly appreciated.
  Best Regards,
  Jérôme Schlumberger

  News from the lab...
  I decided to start again my config from scratch :
  On the ME3600X___________ :
  pseudowire-class backup-ypa-sro
   encapsulation l2tpv3
   ip local interface Vlan777
   sequencing both 
  interface GigabitEthernet0/2
   description *** Backup L2 VLans Internes avec RSROHES1 ***
   no switchport
   no ip address
   no keepalive
   no cdp enable
   xconnect 10.193.32.42 5 pw-class backup-ypa-sro
  On the 3900___________
  pseudowire-class backup-sro-ypa
   encapsulation l2tpv3
   ip local interface GigabitEthernet0/0/0.777
   sequencing both
  interface GigabitEthernet0/1
   description Tunnel_BB_HEIGVD
   no ip address
   duplex auto
   speed auto
   no keepalive
   no cdp enable
   xconnect 10.193.32.50 5 pw-class backup-sro-ypa
   -> The "sequencing both" is mandatory to get the tunnel UP.
  -> I configured l3 interfaces on the devices facing the ends of the tunnel and I can't ping them. Looking a little bit more carefully, I noticed that the arp table does not fill on the 3900, but it does on the 3600. I guessed that's a limitation on the 3600, but still not sure.
  I then tried to switch to mpls encapsulation with the following configuration :
  On the ME3600X_____________________________
  pseudowire-class backup-ypa-sro
   encapsulation mpls
  interface GigabitEthernet0/2
   description *** Backup L2 VLans Internes avec RSROHES1 ***
   no switchport
   no ip address
   no cdp enable
   xconnect 10.193.32.42 5  pw-class backup-ypa-sro
  On the 3900___________
  pseudowire-class backup-sro-ypa
   encapsulation mpls
  interface GigabitEthernet0/1
   description Tunnel_BB_HEIGVD
   no ip address
   duplex auto
   speed auto
   no keepalive
   no cdp enable
   xconnect 10.193.32.50 5 pw-class backup-sro-ypa
  This time, impossible to get the tunnel UP :
  sh xconnect all detail :
  XC ST  Segment 1                         S1 Segment 2                         S2
  ------+---------------------------------+--+---------------------------------+--
  DN     ac   Gi0/1(Ethernet)              UP mpls 10.193.32.50:5               DN
              Interworking: none                   Local VC label 147             
                                                   Remote VC label unassigned     
                                                   pw-class: backup-sro-ypa      
  Actually, as I am in a CsC architecture using BGB for label distribution with the CsC core, there is not ldp neighbor, and it seems to be the reason why I can't get the tunnel UP.
  I am now trying to avoid ldp for the signaling of the tunnel using AToM Static Pseudowire Provisioning but I am to much of a newbie for that. I get a  "Incomplete AToM manual config" when configuring the xconnect on the me3600...
  Here is my config on the ME3600x so far :
  pseudowire-class backup-ypa-sro
   encapsulation mpls
   protocol none
  interface GigabitEthernet0/2
   description *** Backup L2 VLans Internes avec RSROHES1 ***
   no switchport
   no ip address
   no cdp enable
   xconnect 10.193.32.42 5 encapsulation mpls manual pw-class backup-ypa-sro
    ! Incomplete AToM manual config
  Funny, I tried to configure
  RYPRC01(config-if-xconn)#mpls label 0 1048500
  on the xconnect sub config section of the interface, but it won't appear in the config...
  I am really stuck, and any help would really be appreciated.
  Best Regards,
  Jérôme Schlumberger

• Trunks between 2950s stop working and wont come back

  I've seen this happen on 2 different 'pairs' of 2950s, so it's time to investigate. The scenareo:
  simple trunk (no vlan definitions) between 2 2950s. 1 switch looses power, when power is restored, the switch that didn't lose power doesn't pass any traffic. The interface is up (link and administrativly up) the logs don't show anything other than the interface went down and came back up. here's a sample port:
  interface FastEthernet0/23
  description new Feed from phone room switch
  switchport mode trunk
  no ip address
  I'm not using spanning-tree, there aren't any redunant paths. Its worked fine for months (until a ups failure), I set up a new port on the switch and swing the cable and it comes up. Any ideas?
  thanks!

  Hello,
  I know this is an old post... but I am posting here in case this is viewed by anyone with a possible solution.
  Our organization has multiple locations configured the same way:
  (x2) cross connected 2950 switches in trunk mode, configured the follwing way per each interface (fa0/19):
  interface FastEthernet0/19
  no ip address
  duplex full
  speed 100
  no cdp enable
  spanning-tree portfast
  Our problem is similar to the one explained in this initial post. The switches are auto-trunked via port #19.
  Let's call one switch "A" and one switch "B"
  Whenever power is removed from one of the switches (Switch A), and it has completed a restart, the opposite switch (Switch B ..the one which was not powered off) will not return to a "Trunked" state. When you run the "show int status" command, it shows that the port is "connected". Even though the switch which was initially restarted returns to "Trunked" mode.
  We have seen this with a few of our 2950's across the infrastructure.
  The bottom line is that restarting one of the switches causes the other to lose the trunked state. The only was to correct the issue is to restart the opposite switch as well.
  The IOS version is 12.1 (9) EA1d .. I know it's old, however we cannot upgrade it at this time due to policies within the organization.
  Could anybody shed some light on this?
  Thanks in advance..

• Vlan between 2950 and 3550

  We are attempting to setup an additional VLAN between a 2950 and a 3550. There are 2 connections between the switches using the GI0/1 and 2 interfaces. One is set to Static Access on the current vlan and the other is set to Trunk Desirable for all other traffic. We need to add the additional VLAN using one of the existing links between the two switches. We have spare ports on both switches but have limited knowledge of configuration required. Not sure if further info is required but happy to provide.

  You can find lot of information on this link
  http://cisco.com/en/US/tech/tk389/tk390/tech_configuration_examples_list.html

• Crc error between 2950 and 3620 router

  I have connected the 2950 to the 3620, and the running-config of 2950 below:
  2950#show running-config
  Building configuration...
  Current configuration : 1279 bytes
  version 12.1
  no service pad
  service timestamps debug uptime
  service timestamps log uptime
  no service password-encryption
  hostname 2950
  enable secret xxxx
  no ip subnet-zero
  no ip finger
  no ip domain-lookup
  interface FastEthernet0/1
  duplex half
  speed 10
  interface FastEthernet0/2
  interface FastEthernet0/23
  interface FastEthernet0/24
  interface FastEthernet0/24.122
  interface FastEthernet0/24.123
  interface Vlan1
  bandwidth 10000
  ip address 192.168.10.200 255.255.255.0
  no ip route-cache
  delay 100
  ip default-gateway 192.168.10.254
  no ip http server
  line con 0
  transport input none
  line vty 0 4
  password xxx
  login
  line vty 5 15
  login
  end
  And the 3620 router just set the interface ethernet0/3:
  interface Ethernet0/3
  ip address 192.168.10.254 255.255.255.0
  half-duplex
  I have connected the f0/1 of switch to the eth0/3 of router. There are many crc errors between the switch and router, and try to change the duplex and speed rate, but it didn't take effect. I ensure the cable is good.
  Thank you for your suggestion!

  First, thank you for your notice of my problems.
  Yes. When I ping from both directions, I'm seeing the CRC error only in the switch. And I have cleared the counters in both ends.
  And I try to connect to another port of the router, It exists the same problem.
  I'm seeing both of the input errors and CRC errors.
  The interface of f0/1 (in switch)is following:
  2950#show int f0/1
  FastEthernet0/1 is up, line protocol is up
  Hardware is Fast Ethernet, address is 0007.84fc.d1c1 (bia 0007.84fc.d
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
  reliability 219/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 10Mb/s
  input flow-control is off, output flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:03:10, output 00:00:00, output hang never
  Last clearing of "show interface" counters 00:11:25
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue :0/40 (size/max)
  5 minute input rate 1000 bits/sec, 1 packets/sec
  5 minute output rate 1000 bits/sec, 3 packets/sec
  299 packets input, 39511 bytes, 0 no buffer
  Received 5 broadcasts, 0 runts, 0 giants, 0 throttles
  164 input errors, 164 CRC, 0 frame, 0 overrun, 33 ignored
  0 input packets with dribble condition detected
  1058 packets output, 81544 bytes, 0 underruns
  0 output errors, 0 collisions, 0 interface resets
  0 babbles, 0 late collision, 0 deferred
  0 lost carrier, 0 no carrier
  0 output buffer failures, 0 output buffers swapped out
  2950#

• Virtual Leash between iPhone and iPad mini

  Hello,
  Is there any application working like a virtual leash between an Iphone 4S and an Ipad mini?
  My problem is I already use bluetooth between my Iphone and Ipad for getting internet from the Iphone to the Ipad.
  Devices I have seen are using bluetooth as well and will stop my connection for internet I guess.
  Thank's for your help.
  Etienne

  No. You can sync Apps by using the Same apple ID on both devices. But the Apps contents remains on the device unless it has a specific feature that backs up to the cloud or something similar that can then be retrieved on the other device.

• Site to Site Tunnel between 2 ASAs

  Hello,
  I have a strange problem. I have been able to establish a l2l tunnel between 2 ASAs at sites A and B. But I cant ping or access the network on the remote end. I have checked all my access lists on both end and they permit the traffic. At site A, I have multiple tunnels from the ASA to other sites and they work fine. The problem is with this tunnel to site B which is another ASA. At site B, the ASA connects to the internet via a cisco 837 ADSL router. Is this a problem with ASAs. How can I resolve this??

  Try this:
  Remove the Crypto map in interfaces and reapply the crypto map again.
  Ensure that there no overlapping in network.
  Refer this link:
  http://www.cisco.com/en/US/products/ps6120/products_getting_started_guide_chapter09186a00805e2929.html

• Difference between core switch types WS-C3750X-12S-S and N3K-C3524P-10G?

  Hello All,
  I am new to this domain and yet have to look after the setup of our datacenter for a new branch. Could any one of you provide difference between core switch types WS-C3750X-12S-S and N3K-C3524P-10G!
  Thanks in advance!!

  N3K-C3524P-10G
  24 fixed 1/10-Gbps SFP+ ports; upgradeable to 48 with a valid license
  Line-rate Layer 2 and Layer 3 throughput of up to 480 Gbps
  Compact 1RU form factor
  Dual redundant color-coded power supplies
  Four redundant color-coded fans

• Application timeouts w/ subnet devices using 2950 switching

  I am having problems with process critical PC workstations that access other workstations and servers.
  This consists of a standalone subnet network (static IP's) using a 2950 switch that is also part of a LAN domain.
  It appears when there is a LAN issue my subnet workstations experiences problems trying to access it's dedicated servers that are wired all within the subnet 2950 switch.
  Could this be that the 2950 switch is looking for the DCHP or domain controller, slowing down my standalone devices?

  No, it's not likely.
  The only thing affected by DHCP or domain info would be for managemnt (like being able to telnet into the switch).
  Switches see the frame, look at the MACs, and either forward or flood the frame. That's all they do (acting as yer basic plain ol' switch).
  Other features, such as broadcast/storm control, bad media (cabling), excessive broadcasts (broadcasts are also propagated out all ports and consume considerable bandwidth everywhere), and other things, like QOS settings, buffer parameters, spanning tree can also have a serious negative impact on your throughput, including many disappearing frames.
  SO ... let's start by taking a look at a Show Version, and (at least) a Show Run (sanitized, if necessary).
  It would also help if you could describe the nature of the traffic that is being dropped / lost / filtered (i,e., database, large graphics files, multicast streaming, file transfers, etc.
  What troubleshooting have you tried so far?
  Did it ever work, worked ... but not very well, worked well until you updated the IOS ....
  Have you checked your LAN for virus / worm / trojan traffic (getting back to huge broadcasts)?
  Are you getting any media errors? (Show interface)
  Do you run many-to-one, many-to-many, any trunks? any EtherChannel?
  Are you getting any "Duplex Mismatch" errors?
  Have you tried another switch (for diagnostics to rule out the workstations & media)?
  This ought to be enough to get started. get it collected and post it, then we can take another shot at it.
  Good Luck
  Scott

• VLAN between SFE2000P switches

  Dear friends,
  I've connected two sites with the following configuration:
  Site 1:
  Stack Linksys SFE2000P - Firmware version 1.0.0.X
  Port 1/g3 connected to a FO link to site 2
  Oficina 2:
  Stack Linksys SFE2000P - Firmware version 3.0.0.X
  Port 1/g3 connected to a FO link to site1
  I've tried to create a VLAN to communicate only a few ports of both sites:
  4/e23 y 4/e24 of site 1
  7/e23 y 7/e24 of site 2
  To do this, I tried the following:
  Port 1/g3 (site1) -> VLAN 50 (tagged) - Trunk
  Port 1/g3 (site 2) -> VLAN 50 (tagged) - Trunk
  Port 4/e23 y 4/e24 (site1) -> VLAN 50 (untagged)
  Port 7/e23 y 7/e24 (site 2) -> VLAN 50 (untagged)
  It doesn't work!!!. In the same stack of each site it works without problems. Could you help me??? There is some misconfiguration???
  I've stablished other VLANs between Linksys and 3Com Switches, but now it doesn't work at all.
  Thanks in advance!

  I Did find a same article on this forum. Maybe this would help you. an article coming from GV.
  * access mode: an access mode port connects to a normal device like a desktop, printer, or similar. An access mode port can be member of a single VLAN only, i.e. you have to decide to which VLAN it is supposed to belong to. In your case, you configure an access mode port for either VLAN 10 or VLAN 20.
  With a single switch things are clear now: some ports are VLAN 10 and some ports are VLAN 20. VLAN 10 can talk to each other. VLAN 20 can talk to each other. No traffic passes between VLAN 10 and VLAN 20.
  Of course, now you want to connect this switch to some other network devices, in particular the second SRW because you need additional ports or you have an additional location. And there is the ASA which provides internet access for these VLANs.
  * trunk mode: This is where trunk mode comes in. A trunk mode port can carry multiple VLANs on a single port. This is done using 802.1q tags. 802.1q tagged ethernet frames have an additional field for the VLAN to which the frame belongs to. With this, a switch can send frames for VLAN 10 and VLAN 20 through a single port to another switch or router. Each frame sent is tagged with 10 or 20 depending on which VLAN the frame belongs to. The receiver will accept each frame and assign it to the corresponding VLAN on the receiving side. This way the receiving switch or router is able to keep those VLANs strictly separated.
  So let's say you want two VLANs 10 & 20 in your network. You would create VLANs 10 & 20 on your ASA and both SRWs. (Create only means that the device knows this VLAN exists and is able to handle traffic for this VLAN). You would configure LAN port 1 of your ASA as trunk with members VLAN 10 & 20. You configure port 1 & 24 of your first SRW in trunk mode with members VLAN 10 & 20. You configure port 1 of your second SRW in trunk mode with members VLAN 10 & 20. Now you wire port 1 of your ASA to port 1 of your first SRW. Then you wire port 24 of your first SRW to port 1 of your second SRW.
  This creates the VLAN trunk through your network. Traffic in both VLANs can travel through this trunk between the switches and to the ASA and from there, if properly routed, into the internet.
  here is the Link
  As the SFE2000P is now part of Cisco Small Business I would recommend you ask your question in the Cisco Small Business Support Community. There are a few Cisco people over there which maybe able to reproduce your problem in a lab environment and check with the developers...

• Maintaining clock settings on a 2950 switch?

  I have set up external NTP synchronization on a 2950 switch which works fine while the switch is powered on. However if the switch is cycled with a "reload" command, the time established is way off once the switch comes back up. Is this the expected behaviour?
  Thanks.

  BTW:
  Also sometimes difficult finding mention whether the hardware supports an on-board calendar. I've found using the ntp update-calendar both often a fast method to help in determining this, and a great way to keep the calendar accurate across reboots/reloads (if you're using NTP).

• Can I use straight cable to connect trunk ports between 2 switches?

  Hi,
  Am I able to use straight instead of cross cable to connect trunk ports between 2 switches??
  thanks!

  Hi Devang,
  When a 10/100 Fast Ethernet interface is enabled, one end of the link must perform media dependent interface (MDI) crossover (MDIX), so that the transmitter on one end of the data link is connected to the receiver on the other end of the data link (a crossover cable is typically used).
  The Auto-MDIX feature eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase.
  HTH, if yes please rate the post.
  Ankur

• Two separate L2L tunnels between same two ASA

  I have a large MPLS fully meshed network with two main locations, both of which have an ASA with internet access as well as the MPLS access.  I need to be able to provide a backup connection between the two main locations in the event one of the MPLS links to one or the other goes down.
  I am considering using a L2L IPSEC tunnel between the two ASA's but the interesting traffic for the tunnel is different depending on which of the links is down and there fore I would need two different tunnels.  I have my servers and remote desktop servers at one of the main sites and the other main site has another organization attached to it externally that the servers must be able to access.
  Is there a way of creating two separate L2L tunnels between the two ASA's?  Could I perhaps assign two public IP addresses to each of the ASA's and then create the tunnels between different endpoints on each ASA?
  Does anyone have another possible solution to the problem? 
  Gene

  You should be able to do what you want using IP SLA. Please see this excellent blog post which documents one way to accomplish it.
  Hope this helps.

• Oracle VM 3.1.1: Cloning virtual disks between local filesystems

  Hi all,
  Is it possible to clone virtual disk between two repositories where each repository is based on own local filesystem?
  I receive an error when trying to do such clone in OVM Manager:
  OVMAPI_7262E Unable to find an owned and running server to perform copy_file operation on +diskname+thanks in advance,
  Miroslaw

  You can clone disks between repositories, if both repositories are presented to at least one server at the same time.