Vlan passing traffic between switches

I have a client that has two WAP321s, two Catalyst 2960s, one SG500X-48, and a Watchguard Router/Firewall (Model is not important).
I am trying to get the guest wireless network setup to pass traffic on VLAN2 to the router across the network. All regular traffic is on VLAN1. (yes I know it really should be on a different VLAN)
Background:  I had originally had everything working till one of the unmanaged switches died. I move one of the Catalyst 2960s to replace the dead switch and then replaced the Catalyst 2960 with a SG500X-48.
Network layout: One WAP321 is connected to one of the Catalyst 2960s, which is connected to the Firewall/Router. (All traffic is passed as expected on both VLANS)
The second WAP321 is connected to the second Catalyst 2960, which connects to the SG500X-48, which connects to the first Catalyst 2960, and then to the Firewall/Router. The Default VLAN 1 works fine. VLAN2 does not.
What I have tried to do is set the ports on the second Catalyst 2960 which is connected to the WAP321 and the SG500X-48 to Trunk. I also set the port on the first Cataylst 2960 that connects to the SG500X-48 to trunk. (Although it was not set and passing traffic before moving switches around.) When I do this all traffic between the first Catalyst 2960 and the SG500X-48 stops. The Catalyst 2960 reports a port error and then shuts down the port. Only way to recover is to clear the port setting and then reboot the switch.
Does anyone have any ideas as to what is happening and what I am doing wrong?  

Aniketalashe
I was able to get the port on the Catalyst 2960 set to trunk finally, not sure what did the trick, although that does not seem to be my problem.
Back to your question of the error report. I am unable to figure out how to get the log out of the 2960. I saw the error in the webGUI, when I moused over the port in question when the problem was happening.
I am starting to think that maybe the switch is starting to go.

Similar Messages

  • Encrypting vlan-trunk traffic between switches

    Hi,
    Can anyone guide me to some papers or other resources on how to encrypt traffic between 2 switches. The switchces will be connected with fiber and use dot-1q tagging. And I wan't to encrypt all of the trunked traffic.
    I was thinking of L2TP, but I haven't found any good description on how to implement this. I have two 3750 switches I thought I might use.
    Thanks for any input,
    Regards,
    Oyvind Mathiesen
    mnemonic
    Norway

    Hi,
    Thanks for the response. I had a look at MACsec and it looks good. I would have liked to employ something P2P though, to also limit the ammount of MAC addresses broadcasted on the "wire". But let me first give you an understanding of the task:
    We have two sites, connected via fibre and we want to create a VLAN trunk across and order to expand the broadcast domains to te other site.
    The IDIOT carrier, has a limitation on the number of MAC addresses they allow on the fibre service, 100.
    We also need to encrypt the datatraversing this connectivity.
    MACsec wuold work 100% exept the source and dstination MAC addresses are still sent (at least according to https://docs.google.com/viewer?a=v&q=cache:LEf2qOmYZyYJ:www.ieee802.org/1/files/public/docs2011/bn-hutchison-macsec-sample-packets-0511.pdf+&hl=en&gl=za&pid=bl&srcid=ADGEESgmAHXpDOY0RBAE-Rv1HDpu_C_gkeSPN4cv6NGgyP0M1aXVu0UqzCfxo8t_P41ep6J37k4OLKnjfp1M9hoTDHxY22WGz2h7yB7YRLyPvRUbGS8TICzvEMlG92xqbhy6RWFugmnj&sig=AHIEtbTfu0LQIJejdYidE6yzq4lpPifxjQ
    And that would cause me to eat into the 100 MAC limit.
    Ridiculous I know, but we are looking for an out-of-the-norm plan...
    Thanks

  • Having issues on ASA 5510 pass traffic between interfaces

    I am trying to pass traffic between two internal interfaces but am unable to.  Been searching quite a bit and have tried several things to no avail. I feel like there is a simple solution here I am just not seeing. Here is the relevant portion of my config:
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.5.1 255.255.255.0
    interface Ethernet0/2
    nameif ct-users
    security-level 100
    ip address 10.12.0.1 255.255.0.0
    same-security-traffic permit inter-interface
    access-list inside_nat0_outbound extended permit ip any 192.168.5.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 10.12.0.0 255.255.0.0
    access-list inside_access_in extended permit ip any any
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (ct-users) 0 access-list inside_nat0_outbound
    nat (ct-users) 1 0.0.0.0 0.0.0.0
    static (inside,ct-users) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
    static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
    access-group outside_access_in in interface outside
    access-group outside_access_ipv6_in in interface outside
    access-group inside_access_in in interface inside
    access-group inside_access_ipv6_in in interface inside
    access-group inside_access_in in interface ct-users
    access-group inside_access_ipv6_in in interface ct-users
    On both networks I am able to access the internet, just not traffic between each other.
    A packet-tracer reveals the following (it's hitting some weird rules on the way):
    cybertron# packet-tracer input inside tcp 192.168.5.2 ssh 10.12.0.2 ssh detailed
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in id=0xab827020, priority=1, domain=permit, deny=false
    hits=8628156090, user_data=0x0, cs_id=0x0, l3_type=0x8
    src mac=0000.0000.0000, mask=0000.0000.0000
    dst mac=0000.0000.0000, mask=0100.0000.0000
    Phase: 2
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
    match ip ct-users 10.12.0.0 255.255.0.0 inside any
    static translation to 10.12.0.0
    translate_hits = 0, untranslate_hits = 6
    Additional Information:
    NAT divert to egress interface ct-users
    Untranslate 10.12.0.0/0 to 10.12.0.0/0 using netmask 255.255.0.0
    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group inside_access_in in interface inside
    access-list inside_access_in extended permit ip any any
    Additional Information:
    Forward Flow based lookup yields rule:
    in id=0xad5bec88, priority=12, domain=permit, deny=false
    hits=173081, user_data=0xa8a76ac0, cs_id=0x0, flags=0x0, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in id=0xab829758, priority=0, domain=inspect-ip-options, deny=true
    hits=146139764, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 5
    Type: NAT-EXEMPT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in id=0xad48c860, priority=6, domain=nat-exempt-reverse, deny=false
    hits=2, user_data=0xad4b5e98, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip=192.168.5.0, mask=255.255.255.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 6
    Type: NAT-EXEMPT
    Subtype:
    Result: ALLOW
    Config:
    match ip inside any ct-users 10.12.0.0 255.255.0.0
    NAT exempt
    translate_hits = 2, untranslate_hits = 2
    Additional Information:
    Forward Flow based lookup yields rule:
    in id=0xad3b1f70, priority=6, domain=nat-exempt, deny=false
    hits=2, user_data=0xad62b7a8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=10.12.0.0, mask=255.255.0.0, port=0, dscp=0x0
    Phase: 7
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    static (inside,ct-users) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
    match ip inside 192.168.5.0 255.255.255.0 ct-users any
    static translation to 192.168.5.0
    translate_hits = 1, untranslate_hits = 15
    Additional Information:
    Forward Flow based lookup yields rule:
    in id=0xadf7a778, priority=5, domain=nat, deny=false
    hits=6, user_data=0xad80cfd0, cs_id=0x0, flags=0x0, protocol=0
    src ip=192.168.5.0, mask=255.255.255.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 8
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (inside,outside) udp 184.73.2.1 1514 192.168.5.2 1514 netmask 255.255.255.255
    match udp inside host 192.168.5.2 eq 1514 outside any
    static translation to 184.73.2.1/1514
    translate_hits = 0, untranslate_hits = 0
    Additional Information:
    Forward Flow based lookup yields rule:
    in id=0xab8e2928, priority=5, domain=host, deny=false
    hits=9276881, user_data=0xab8e1d20, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=192.168.5.2, mask=255.255.255.255, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 9
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
    match ip ct-users 10.12.0.0 255.255.0.0 inside any
    static translation to 10.12.0.0
    translate_hits = 0, untranslate_hits = 6
    Additional Information:
    Forward Flow based lookup yields rule:
    out id=0xad158dc0, priority=5, domain=nat-reverse, deny=false
    hits=6, user_data=0xac0fb6b8, cs_id=0x0, flags=0x0, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=10.12.0.0, mask=255.255.0.0, port=0, dscp=0x0
    Phase: 10
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
    match ip ct-users 10.12.0.0 255.255.0.0 inside any
    static translation to 10.12.0.0
    translate_hits = 0, untranslate_hits = 6
    Additional Information:
    Reverse Flow based lookup yields rule:
    in id=0xada0cd38, priority=5, domain=host, deny=false
    hits=131, user_data=0xac0fb6b8, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=10.12.0.0, mask=255.255.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 11
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Reverse Flow based lookup yields rule:
    in id=0xad5c1ab0, priority=0, domain=inspect-ip-options, deny=true
    hits=130, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 12
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 189385494, packet dispatched to next module
    Module information for forward flow ...
    snp_fp_tracer_drop
    snp_fp_inspect_ip_options
    snp_fp_tcp_normalizer
    snp_fp_translate
    snp_fp_adjacency
    snp_fp_fragment
    snp_ifc_stat
    Module information for reverse flow ...
    snp_fp_tracer_drop
    snp_fp_inspect_ip_options
    snp_fp_translate
    snp_fp_tcp_normalizer
    snp_fp_adjacency
    snp_fp_fragment
    snp_ifc_stat
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: ct-users
    output-status: up
    output-line-status: up
    Action: allow

    how are you testing? if you are pinging between the subnets, make sure you have disabled windows firewall and/or any other firewall that is installed on the PCs (remember to re-enable it later).
    Are the NAT commands there because you were trying different things to get this working?  I suggest you use the command no nat-control instead.  Depending on the version of ASA you are running it may already be disabled by default.  In version 8.4 and later nat-control has been removed completely.
    Please remember to select a correct answer and rate helpful posts

  • Unable to pass traffic between sites

    I've read through dozens of posts and so far have had no luck getting any of the suggestions to work - combined with many of these posts being multiple years old...so I'm going to try posting something current and see if I get anywhere.
    Scenario:
    Site A - Cisco ASA 5510 running 8.4(4)1 with two interface connections to a Cisco ME 6500 (which I do not manage), one for internet and one for a MPLS connection.
    Site B – connecting to an unknown switch which is connected to the MPLS network.
    Site C – Cisco ASA 5505 running 7.2(3) with one connection to an unknown switch (which I do not manage) for internet access.
    Site A to Site B traffic flows between the two without issue.
    Site A to Site C is a site-to-site VPN connection. Traffic flows between the two without issue.
    The main issue I’m having is that Site B cannot talk to Site C and vice versa. Also my client VPN connections to Site A cannot get to Site B or Site C.
    My first question is; is this even possible? (I sure expected it to be). And if so, what the heck am I doing wrong???
    I’ve included a config from Site A which is where I’m guessing the problem is. Any insight is appreciated.

    "I'm not following what you mean by that."
    Your Site "A" and "B" connected through MPLS cloud and they are not connected through vpn-connection, right?  I assume that your site "B" cannot communicate to site "C", therefore you must permit site-B's subnet traffic transit between site "A" and site "C" i.e. Site-B should have access to "C", right ?
    "I may be misunderstanding, but isn't that what this is: "route MPLS 10.17.0.0 255.255.0.0 10.17.250.2 1"."
    Great 10.17.0.0/16 route meant for site "B", that is fine, you wouldn't need an additional one.
    "You completely lost me there :)"
    I presume that your Site "B" and "C" does not have direct MPLS connection, therefore Site "A" becomes a transit path for site "B" and "C".   You allow site-B's transit through the vpn-tunnel between site "A" and "C".  Your site "C" assumes that subnet belong to site "B" is directly connected at site "A" but in reality it connects via a MPLS cloud and one last thing is that a route needed at site-B to push site-C's traffic to Site "A", a static route would do that.
    As you would permit site-B's traffic to pass through vpn-tunnel site "A" and "C", in other words your "A" become a hub for traffic flowing between site "B" and "C".
    "Should the route be applied to the inside or the outside interface?"
    Outside.  Your tunnel terminated on the outside interface, right? If so then it must point to outside's default-gateway address.
    object network SiteB-network
     subnet 10.17.2.0 255.255.255.0
    this would allow you to access site-c subnet when you are remote-in to Site-A.
    nat (outside,outside) source static VPN-pool VPN-pool destination static SiteC-network SiteC-network
    this is to allow Site-B to access site-C subnet via the tunnel between site A and C.
    nat (MPLS,outside) source static SiteB-network SiteB-network destination static SiteC-network SiteC-network
    object network inside-network
     subnet 192.168.1.0 255.255.255.0
    nat (inside,outside) source static inside-network inside-network destination static SiteC-network SiteC-network
    access-list outside_cryptomap extended permit ip object inside-network object SiteC-network
    this is allow Site-B to access site-C subnet via the tunnel between site A and C.
    access-list outside_cryptomap extended permit ip object SiteB-network object SiteC-network 
    Thanks
    Rizwan Rafeek

  • ASA5505 Can't pass traffic between inside (private) & outside (private)

    10.15.50.0/24 <---> 10.15.50.254 (inside / ASA5505 \ outside) 10.60.15.253 <---> 10.60.15.254 <--- (cloud) ---> (eventual destination 10.15.60.0/24)
    Goal:
    10.15.50.0/24 traffic will communicate with 10.15.60.0/24 while block all other.  Current config is any/any for troubleshooting.
    Example:
    10.15.50.249 pings 10.60.15.253 (inside of ASA) and fails.  Running it thru ASDM Packet Tracer shows the Outside ASA interface blocking but I have any/any on that interface.
    Question:
    What am I doing wrong?
    : Saved
    ASA Version 8.2(5)
    hostname SJ-HostB-ASA
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.15.50.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 10.60.15.253 255.255.255.252
    boot system disk0:/asa825-k8.bin
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    access-list outside_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 10.60.15.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authorization command LOCAL
    aaa authorization exec LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no sysopt connection permit-vpn
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp policy 1
    authentication pre-share
    encryption aes-256
    hash sha
    group 1
    lifetime 86400
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 30
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 30
    console timeout 30
    management-access inside
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 10.15.50.243 source inside
    webvpn
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http
      destination address email
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    : end
    asdm image disk0:/asdm-645.bin
    no asdm history enable

    Hi,
    You can only PING / ICMP an ASA interface from behind that same interface.
    So users behind "inside" can PING / ICMP the "inside" interface IP address and users behind "outside" can PING / ICMP the "outside" interface IP address. Users can't PING / ICMP the remote interface from their perspective. The only exception is when users are coming through VPN connection and you use the "management-access " command. But this doesnt apply to your situation.
    You seem to be simulating an ICMP send from behind "inside" to the "outside" interface IP address if what you say is true.
    So attempt the Packet Tracer using some remote network IP address in the 10.15.60.0/24 network.
    You dont seem to have "nat-control" enabled so all traffic should be able to pass through the ASA without translation. So NAT shouldnt be a problem.
    You can also add the following configurations
    policy-map global_policy
    class inspection_default
      inspect icmp
      inspect icmp error
    - Jouni

  • Traffic Between 2 Ports on Different VLANs on the Same Switch

    Hi,
    This question probably results from a flaw in my understanding of network layer 2 versus layer 3 and VLANs so any additional context in that regard would be very welcome
    If I've got 2 systems on difference VLANs that are connected to ports on the same switch (e.g. 2950), with that switch being connected via an uplink to a router or layer 3 switch and i want to pass traffic between the 2 systems (e.g. copy a file from a folder shared on one system to another), will the traffic pass directly from one port on the 2950 to the other? Or will it need to go through the uplink? I guess it will need to go through the uplink initially as layer 3 needs to be involved for inter-VLAN routing but wondering if layer 2 MAC address will ultimately be learned, allowing traffic to pass directly between the systems, not over the uplink.
    Thanks in advance,
    cisco_reader.

    If the hosts are on different Layer 2 Vlans and you want to pass data between them, that data needs to be 'Routed'.
    In order to Route data from one Layer 2 Vlan to another, you need a device capable of Layer 3 Routing. That device can be a traditional Router or can be something called a Layer 3 switch.
    A 2950 switch is Layer 2 only so has the ability to create many Layer 2 Vlans which is what you have done. In order to route traffic between those Vlans, you can either use a router or a L3 switch.
    If you decided to use a router, look up something called 'Router on a Stick' which involves creating a Trunk link from the 2950 to the Router and then setting up Subinterfaces on the Routers port to act as the 'Default Gateway' for each of your Vlans.

  • Flexconnect AP - dynamic VLAN and local/central switched via radius possible?

    Hello at all,
    is it possible to tell a flexconnect ap if the client at a single ssid should get local switched or central switched and if central switched, which vlan it should use?
    All I got so far was either central switched with dynamic vlan assignment or local switched with static vlan (because it falls back to the default static vlan configured at the ap if the radius assigned vlan doesn't exist), but I need a flexconnect ap that puts client a into the local switched vlan a and client b to the central switched vlan b, both in the same ssid. Is there a radius attribute to tell a flexconnect ap how to handle this while non flexconnect aps ignore it?
    To be more detailed:
    At the central location all APs are running in local-mode, radius assigns different vlans to the clients (different departments), lets say client a = vlan 100, client b = vlan 200 and this works fine. At the remote locations the APs are running in flexconnect-mode with default vlan 10 so that the authenticated clients can break out locally and use the local infrastructure for printing and file storage. At this locations radius also says client a = vlan 100, but client a should be forwarded to local vlan 10 (which already works because there is no vlan 100 configured at the ap so the default static configuration with vlan 10 is used), while client b should stay at vlan 200 and should be central switched to the controller because it isn't allowed to access the local infrastructure. How could this be done? Creating another ssid isn't a valid option.
    Thank you,
    Christian

    Hi Christian.
    This is what 7.3 mobility design document tells about "FlexConnect VLAN Based Central Switching" which is listed in above slide.
    "From release 7.3 onwards, traffic from FlexConnect APs can be switched centrally or locally depending on the presence of a VLAN on a FlexConnect AP.
    In controller software release 7.2, AAA override of VLAN (Dynamic VLAN assignment) for locally-switched WLANs puts wireless clients on the VLAN provided by the AAA server. If the VLAN provided by the AAA server is not present at the AP, the client is put on a WLAN mapped VLAN on that AP and traffic switches locally on that VLAN. Further, prior to release 7.3, traffic for a particular WLAN from FlexConnect APs can be switched Centrally or Locally depending on the WLAN configuration."
    FlexConnect VLAN Central Switching Summary
    Traffic flow on WLANs configured for Local Switching when FlexConnect APs are in connected mode are as follows:
    •If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the FlexConnect AP database, traffic will switch centrally and the client is assigned this VLAN/Interface returned from the AAA server provided that the VLAN exists on the WLC.
    •If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the FlexConnect AP database, traffic will switch centrally. If that VLAN is also not present on the WLC, the client will be assigned a VLAN/Interface mapped to a WLAN on the WLC.
    •If the VLAN is returned as one of the AAA attributes and that VLAN is present in the FlexConnect AP database, traffic will switch locally.
    •If the VLAN is not returned from the AAA server, the client is assigned a WLAN mapped VLAN on that FlexConnect AP and traffic is switched locally.
    Traffic flow on WLANs configured for Local Switching when FlexConnect APs are in standalone mode are as follows:
    •If the VLAN returned by the AAA server is not present in the FlexConnect AP database, the client will be put on a default VLAN (that is, a WLAN mapped VLAN on a FlexConnect AP). When the AP connects back, this client is de-authenticated and will switch traffic centrally.
    •If the VLAN returned by the AAA server is present in the FlexConnect AP database, the client is placed into a returned VLAN and traffic will switch locally.
    •If the VLAN is not returned from the AAA server, the client is assigned a WLAN mapped VLAN on that FlexConnect AP and traffic will switch locally.
    Enjoy your weekend & I am sure you will be able to get this working.
    HTH
    Rasika
    *** Pls rate all useful responses ****

  • Site to Site VPN Between Two ASA 5505's Up But Not Passing Traffic

    hello,
    i am setting up a site to site vpn between two asa 5505's.  the tunnel is up but i cannot get it to pass traffic and i have run out of ideas at this point.  i am on site as i am posting this question and only have about 4 hours left to figure this out, so any help asap is greatly appreciated.  i'll post the configs below along with the output of sh crypto isakmp sa and sh ipsec sa.
    FYI the asa's are different versions, one is 9.2 the other is 8.2
    Note: 1.1.1.1 = public ip for Site A 2.2.2.2 = public ip for site B
    Site A running config:
    Result of the command: "sh run"
    : Saved
    ASA Version 8.2(2)
    hostname csol-asa
    enable password WI19w3dXj6ANP8c6 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 192.168.1.0 san_antonio_inside
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.2.1 255.255.255.0
    interface Vlan2
     nameif outside
     security-level 0
     ip address 1.1.1.1 255.255.255.248
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns domain-lookup inside
    dns server-group DefaultDNS
     name-server 24.93.41.125
     name-server 24.93.41.126
    object-group network NETWORK_OBJ_192.168.2.0_24
    access-list inside_access_out extended permit ip any any
    access-list outside_access_out extended permit ip any any
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in_1 extended permit icmp any interface outside
    access-list outside_access_in_1 extended permit tcp any interface outside eq pop3
    access-list outside_access_in_1 extended permit tcp any interface outside eq 8100
    access-list outside_access_in_1 extended permit udp any interface outside eq 8100
    access-list outside_access_in_1 extended permit udp any interface outside eq 1025
    access-list outside_access_in_1 extended permit tcp any interface outside eq 1025
    access-list outside_access_in_1 extended permit tcp any interface outside eq 5020
    access-list outside_access_in_1 extended permit tcp any interface outside eq 8080
    access-list outside_access_in_1 extended permit tcp any interface outside eq www
    access-list outside_access_in_1 extended permit ip san_antonio_inside 255.255.255.0 any
    access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 host san_antonio_inside
    access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat-control
    global (inside) 2 interface
    global (outside) 101 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 101 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface pop3 192.168.2.249 pop3 netmask 255.255.255.255
    static (inside,outside) tcp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
    static (inside,outside) udp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
    static (inside,outside) udp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
    static (inside,outside) tcp interface 5020 192.168.2.8 5020 netmask 255.255.255.255
    static (inside,outside) tcp interface 8080 192.168.2.251 8080 netmask 255.255.255.255
    static (inside,inside) tcp interface www 192.168.2.8 www netmask 255.255.255.255
    static (inside,outside) tcp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
    access-group inside_access_out out interface inside
    access-group outside_access_in_1 in interface outside
    route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 2.2.2.2 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map1 1 match address outside_1_cryptomap_1
    crypto map outside_map1 1 set peer 2.2.2.2
    crypto map outside_map1 1 set transform-set ESP-3DES-SHA
    crypto map outside_map1 interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.2.30-192.168.2.155 inside
    dhcpd dns 24.93.41.125 24.93.41.126 interface inside
    dhcpd domain corporatesolutionsfw.local interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     anyconnect-essentials
    group-policy DfltGrpPolicy attributes
    tunnel-group 2.2.2.2 type ipsec-l2l
    tunnel-group 2.2.2.2 ipsec-attributes
     pre-shared-key *****
    prompt hostname context
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:021cf43a4211a99232849372c380dda2
    : end
    Site A sh crypto isakmp sa:
    Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    1   IKE Peer: 2.2.2.2
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE
    Site A sh ipsec sa:
    Result of the command: "sh ipsec sa"
    interface: outside
        Crypto map tag: outside_map1, seq num: 1, local addr: 1.1.1.1
          access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (san_antonio_inside/255.255.255.0/0/0)
          current_peer: 2.2.2.2
          #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
          #pkts decaps: 239, #pkts decrypt: 239, #pkts verify: 239
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 1.1.1.1, remote crypto endpt.: 71.40.110.179
          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: C1074C40
          current inbound spi : B21273A9
        inbound esp sas:
          spi: 0xB21273A9 (2987553705)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 1691648, crypto-map: outside_map1
             sa timing: remaining key lifetime (kB/sec): (3914989/27694)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0xC1074C40 (3238480960)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 1691648, crypto-map: outside_map1
             sa timing: remaining key lifetime (kB/sec): (3914999/27694)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
    Site B running config:
    Result of the command: "sh run"
    : Saved
    : Serial Number: JMX184640WY
    : Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
    ASA Version 9.2(2)4
    hostname CSOLSAASA
    enable password WI19w3dXj6ANP8c6 encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    names
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    interface Vlan2
     nameif outside
     security-level 0
     ip address 2.2.2.2 255.255.255.248
    ftp mode passive
    object network NETWORK_OBJ_192.168.1.0_24
     subnet 192.168.1.0 255.255.255.0
    object network mcallen_network
     subnet 192.168.2.0 255.255.255.0
    access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.1.0_24 object mcallen_network
    access-list outside_access_in extended permit ip object mcallen_network 192.168.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-731-101.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network no-proxy-arp route-lookup
    nat (inside,outside) after-auto source dynamic any interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto map outside_map3 1 match address outside_cryptomap
    crypto map outside_map3 1 set peer 1.1.1.1
    crypto map outside_map3 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map3 interface outside
    crypto ca trustpool policy
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh stricthostkeycheck
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd address 192.168.1.200-192.168.1.250 inside
    dhcpd dns 24.93.41.125 24.93.41.126 interface inside
    dhcpd domain CSOLSA.LOCAL interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     anyconnect-essentials
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol ikev1
    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 ipsec-attributes
     ikev1 pre-shared-key *****
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:4e058021a6e84ac7956dca0e5a143b8d
    : end
    Site B sh crypto isakmp sa:
    Result of the command: "sh crypto isakmp sa"
    IKEv1 SAs:
       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    1   IKE Peer: 1.1.1.1
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE
    There are no IKEv2 SAs
    Site B sh ipsec sa:
    Result of the command: "sh ipsec sa"
    interface: outside
        Crypto map tag: outside_map3, seq num: 1, local addr: 71.40.110.179
          access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
          current_peer: 1.1.1.1
          #pkts encaps: 286, #pkts encrypt: 286, #pkts digest: 286
          #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 286, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #TFC rcvd: 0, #TFC sent: 0
          #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
          path mtu 1500, ipsec overhead 58(36), media mtu 1500
          PMTU time remaining (sec): 0, DF policy: copy-df
          ICMP error validation: disabled, TFC packets: disabled
          current outbound spi: B21273A9
          current inbound spi : C1074C40
        inbound esp sas:
          spi: 0xC1074C40 (3238480960)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, IKEv1, }
             slot: 0, conn_id: 28672, crypto-map: outside_map3
             sa timing: remaining key lifetime (kB/sec): (4373999/27456)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000003
        outbound esp sas:
          spi: 0xB21273A9 (2987553705)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, IKEv1, }
             slot: 0, conn_id: 28672, crypto-map: outside_map3
             sa timing: remaining key lifetime (kB/sec): (4373987/27456)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

    Hi Keegan,
    Your tunnel is up and encrypting traffic one way, the other end is not able to encrypt the traffic.
    I would suggest to do a 'clear xlate'?  Sometimes if you setup the nonat configuration after you've attempted other configurations, you need to 'clear xlate' before the previous NAT configuration is cleared and the new one works.
    HTH
    "Please rate useful posts"

  • Switch port in dot1x multi-auth mode stops passing traffic

    Dear All,
    I am experiencing a problem on a Catalyst 4510 (cat4500-ipbasek9-mz.122-53.SG.bin) with 802.1x configured. Client PCs are connected via a mini desktop switch to a Cat 4510 switched port in multi-auth mode. The configuration of the port follows:
    interface GigabitEthernet2/34
    switchport mode access
    ip arp inspection limit rate 30
    authentication host-mode multi-auth
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    dot1x pae authenticator
    dot1x timeout tx-period 5
    dot1x max-reauth-req 6
    spanning-tree portfast
    ip verify source vlan dhcp-snooping
    end
    It happens from time to time that the Cat 4510 port stops passing traffic. Reconnecting the mini switch recovers the communication. Client PCs connected to the mini switch seem to be authorized at the moment when the problem occures. The RADIUS Termination-Action attribute is set to RADIUS-Request. The problem is not present if "authentication periodic" is disabled.
    Did anyone experience a simmilar problem? Any advice?
    Thanks.
    Mirek

    We have the same issue on 3750E switch running 12.2.(58)SE

  • Which is the correct way to filter/block traffic between vlans?

      Hi all. My question is: Which is the correct way to filter/block traffic between vlans?
    i have a more than 15 vlans. I want to block traffic between them except 2 vlans.
    source vlan 3 deny destination vlan 4
    #access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
    and the oposite:
    #access-list 101 deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
    I have to do this for all VLANs, ono by one. Is that right?
    Thanks.

    There are a couple of ways to achieve that. I assume that you have a Layer3-Switch. There I would configure one ACL per vlan-interface and allow/deny the traffic as you want. Sadly, the Switches don't support object-groups yet, so you have to use the IP-networks here. Only allow/deny traffic based on networks or hosts. Don't even try to be very granular with permit/denys based on ports. Because the switch-ACLs are not statefull you'll run into problems for the return-traffic if you woulf do that. And the return-traffic of course has to be allowed also.
    Another way: with the help of 802.1x you can deploy port-based ACLs for every user. That takes some time for planning, but is one of the most powerful solutions.
    For more control you could remove the L3-interface from your L3-switch and move that to your router or firewall. These devices support stateful filtering and you can control your traffic much tighter tehn with ACLs on the switch.
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

  • How to "trunk" VLANs between Switches in a Gigastack

    I got 3 catalyst 3548XL daisy chained by CX_GIGASTACK modules (half duplex). The 1. switch is connected to a L3 swicth via a trunk. On the 2. and 3. switch connected to the first vis gigastack modules, is it possible 2 have 2 VLANs passing the gigastack links to the 1. Switch?

    Hello,
    Thanks for your answer. Yes it answers my question - which I admit was not very clear, I was in a hurry. My concern was when the Gigastack module was in half duplex mode, then I was uncertain if it could be configured as trunk. As you se I managed to do that,
    Floor1#sh int status | incl Gi0/1
    Gi0/1 connected trunk a-half a-1000 1000BaseCX Gigastack
    In fact, I was'nt successful until I configured "switchport nonegotiate"
    interface GigabitEthernet0/1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport nonegotiate
    Once again THANKS.
    Simon

  • Connecting two untagged VLANS from two different switches

    I have a Cisco SG300-52P Small Business switch and hopefully I can explain well what's going on. We have a Juniper EX4200 L3 switch that has a bunch of our corporate VLANs (they are routed VLANs) and that allows communication between all of our corporate networks. We have several other L2 Netgear, HP Procurve, etc... on which we have split the ports down the middle and divided them into two broadcast domains by setting them as untagged VLANs. One cable goes from each of the different VLANs on the L2 switches into different VLANs on the L3 switch. As long as STP is disabled this seems to work fine. However, we tried this same scenario on this Cisco Small Business switch and only one of the two untagged VLANs on the Cisco will pass traffic at a time. I believe that whenever the VLAN that is on the default (VLAN 1) is plugged in, the other (the one we created) shuts down but when VLAN 1 is unplugged, the other VLAN immediately starts to work. What seems weird is that the Cisco seems to learn the Juniper's MAC on the VLAN that doesn't work and the Juniper learns the MAC on the one that does work. In other words, the Juniper does not learn the Cisco's MAC on both of the VLANs that the Cisco is plugged into, as it does with the other L2 switches that we have, and the Cisco does not learn the MACs of the Juniper on both of its VLANs. I hope this is making sense and please let me know if there is any way I can further clarify. I'm sure I'm just doing something dumb that I'm overlooking so feel free to slap me in the face. :-)
    Thank you in advance for your time!

    It sounds like there is a layer 2 loop in your network if spanning tree is shutting down the ports.  You should be able to do a show spanning-tree on the switch, or look in spanning tree rstp interface status.
    are there any other interconnects between devices?  Like un-managed hubs, WAPs with bridging, virtual servers with multiple NIC cards?
    Show spanning tree on each device might show what is going on, or at least tell you which ports are root ports, which ones are forwarding or blocking.  Best practice is to configure your spanning tree if you have more than 1 or 2 switches.
    A detail topology showing port numbers, (sanitized) IP addresses, vlans and purpose, trunks with what vlans are tagged, and  untagged .
    from your description,  your network looks like
    multiple vlans - layer 3 Juniper swtich - netgearS1 vlan`1 --procurveS2 vlan 1 -- ciscoS3 vlan1
                                                           \-- netgearS1 vlan2 - - procurveS2 vlan --  ciscoS3 vlan 2
    I'm having trouble visiualizing <<One cable goes from each of the different VLANs on the L2 switches into different VLANs on the L3 switch. >>
    are the cables for vlan 1 going to vlan 1 or are the cables for vlan1 going to a different vlan on the other switch?
    Can you reduce the complexity and number of interconnects by using trunking?
    What are the IPs and default gateway of all devices, L3 switch?
    These switches do STP, RSTP and multiple spanning tree, but will not do per vlan spanning tree.  so there may be some configuration required on all switches to get the correct root bridge (the Juniper I assume)

  • Differenet VLAN's on different switches

    In short, I have two SRW 2024 switches connected together.  The first one goes to the router, ASA 5510 (supports inter-vlan routing), on the native VLAN and the second one is trunked on port 12 to the first one.  I have been doing lots of research and have found ambiguous answers to my question.  My question is can I have different VLAN's on different switches?  Meaning can I have VLAN 10 on the first switch and VLAN 20 on the second but not have VLAN 20 on the first and VLAN 10 on the second?  So far, I have heard that I HAVE to have identical VLAN's on both switches in order for them to be able to talk to each other and I have also heard that that is not true because I can setup routes on my router to make them talk to eachother and get on the internet...  Does anyone have a definitive answer to my question?  I am totally pulling my hair out on this one...

    Well, reading this post now makes me wonder if we have the same understanding.
    What do you mean with "have VLAN 10 on the first switch" etc.? What do you mean with "have"?
    If you connect the ASA to switch 1, and switch 1 to switch 2. If you use VLAN 20 on the second switch and you want to give VLAN 20 access to the internet through the ASA switch 1 must know about the existence of VLAN 20. The switch will only forward frames for VLANs it knows of. If VLAN 20 does not exist on switch 1 VLAN 20 cannot pass through switch 1.
    If you use VLAN 10 only on switch 1 and not on switch 2, you could omit VLAN 10 on the second switch as no VLAN 10 traffic has to go to switch 2. However, generally it is better to have all VLANs on both switches because it makes management easier.
    This has nothing to do with routing, though, as the SRWs are only layer 2 switches. Routing allows you to connect a VLAN to another VLAN or LAN or internet.
    Think of a single VLAN like a normal switched LAN. Different VLANs are just like different, physically separated LANs.
    If you want to allow traffic between these separated LANs you'll need a router which routes traffic between them.
    A managed switch with VLANs allows you to run these different LANs on the same hardware, making the individual VLAN assignments configurable.
    A port on a managed switch usually is in on of two modes:
    * access mode: an access mode port connects to a normal device like a desktop, printer, or similar. An access mode port can be member of a single VLAN only, i.e. you have to decide to which VLAN it is supposed to belong to. In your case, you configure an access mode port for either VLAN 10 or VLAN 20.
    With a single switch things are clear now: some ports are VLAN 10 and some ports are VLAN 20. VLAN 10 can talk to each other. VLAN 20 can talk to each other. No traffic passes between VLAN 10 and VLAN 20.
    Of course, now you want to connect this switch to some other network devices, in particular the second SRW because you need additional ports or you have an additional location. And there is the ASA which provides internet access for these VLANs.
    * trunk mode: This is where trunk mode comes in. A trunk mode port can carry multiple VLANs on a single port. This is done using 802.1q tags. 802.1q tagged ethernet frames have an additional field for the VLAN to which the frame belongs to. With this, a switch can send frames for VLAN 10 and VLAN 20 through a single port to another switch or router. Each frame sent is tagged with 10 or 20 depending on which VLAN the frame belongs to. The receiver will accept each frame and assign it to the corresponding VLAN on the receiving side. This way the receiving switch or router is able to keep those VLANs strictly separated.
    So let's say you want two VLANs 10 & 20 in your network. You would create VLANs 10 & 20 on your ASA and both SRWs. (Create only means that the device knows this VLAN exists and is able to handle traffic for this VLAN). You would configure LAN port 1 of your ASA as trunk with members VLAN 10 & 20. You configure port 1 & 24 of your first SRW in trunk mode with members VLAN 10 & 20. You configure port 1 of your second SRW in trunk mode with members VLAN 10 & 20. Now you wire port 1 of your ASA to port 1 of your first SRW. Then you wire port 24 of your first SRW to port 1 of your second SRW.
    This creates the VLAN trunk through your network. Traffic in both VLANs can travel through this trunk between the switches and to the ASA and from there, if properly routed, into the internet.
    In a very simple scenario you configure all remaining port in access mode. For each access mode port you define whether this port belongs to VLAN 10 or 20. If port 2 is in access mode and member of VLAN 10 then the device connected to port 2 is in VLAN 10.
    You are completely free how to assign the VLANs. If you assign ports 2-24 on switch2 to VLAN 20 and ports 2-23 on switch 1 to VLAN 10 this is fine. In this case, you could reduce the VLAN configuration a little by not creating VLAN 10 on the switch 2 and not adding VLAN 10 on the trunk ports connecting switch1 and 2. However, as mentioned before, I would recommend not to do so. If at some point you decide to have a port in VLAN 10 on the second switch everything would already be set up if you created the VLAN 10 on the second switch and added it to the trunk.
    You must create all VLANs on your ASA and the first switch in your case. VLAN 20 traffic has to travel through switch 1 (even if there is no end device connected to VLAN 20 on switch 1). Thus, VLAN 20 must exist on switch 1 and the trunk between the ASA, switch 1 and switch2 must carry VLAN 20 for traffic to pass through. If VLAN 20 did not exist on switch 1 no VLAN 20 traffic could travel trough switch 1.
    As you only have two switches you will only have a few VLANs which you should be able to create in the beginning. If you really have to add a new VLAN you have to touch both switches and the ASA. But with some planning, it should not be necessary to add VLANs later. With two 24 port switches you won't have more then 48 VLANs anyway.
    Your VLANs "terminate" on the ASA. The ASA is a 802.1q capable router. You can trunk your VLANs to the ASA. The ASA allows you to define gateway interfaces in each VLAN which will operate as gateways for each VLAN. Through that VLANs can talk to the internet. You can also configure the ASA to allow inter-vlan-routing, i.e. let specific traffic be routed from one VLAN to the other. For instance, if you have a printer in one VLAN you could allow traffic to this printer from the other VLAN while still blocking any attempt to access other devices on the other VLAN.

  • Vlan on SRW2048 web switch

    I would like to set up a VLan on a SRW2048 Web Managed Switch to accomplish the following:
    Use two ports on the SRW2048 to pass traffic directly between two other switches located at different locations on our LAN.  Although I have no experience with VLans, I assume that a Vlan offers a chance to accomplish this goal.  

    Since you did not specifically mentioned on what goal do you want to achieve, please create your VLAN and see if VLAN will work for your network.
    To understand more of these,  you may visit the link below:
    http://linksys.custhelp.com/cgi-bin/linksys.cfg/php/enduser/std_adp.php?p_faqid=15746&p_created=1196...

  • Fiber link fails to pass traffic.

    Hello,
    I am a Systems Engineer working with a Cisco Channel Partner.
    A client of ours has a fiber backbone between two buildings on their campus.
    The fiber terminates on a Catalyst 6509 (at the data centre) and a Catalyst 3750 at the other end. Users at the far-end connect to servers located at the data center over this fiber.
    This connection has been working fine for the past 2 years, until a recent problem came up.
    For two weeks now, the usual occurrence is for the fiber link to stop passing traffic while working until the 3750 is rebooted or the fiber connectors removed from the SFP port and replugged.
    Meanwhile, the interface and line protocol remain UP on both switches during this abnormal behaviour. There are also no log messages occurring. Everything look fine on both switches. They just wouldnt pass traffic. The problem occurs about twice each day.
    It's difficult diagnosing the problem now. I need help pls.
    Regards,
    Felix

    I would do a few things:
    1. Scope and clean the fiber
    2. Measure all TX and RX levels with a power meter
    3. Perhaps replace the SFPs

Maybe you are looking for

  • Combine PDF Forms w/o merging fields?

    I have nearly 60 grant applications that were submitted to me by individuals, each in a Form I created that they downloaded from my website.  I need to combine these files into one document that can be numbered from beginning to end.  When I go to me

  • PO release data table

    Hi Is there any table where for a particular PO it should display the different levels of  approval of the PO? Regards, Kumar

  • Using Script in WAD

    Hi Friends, Can anyone help me in using the existing JAVA script in WAD. How to insert this Script in WAD. Kindlly help me in this. Thanks in advance, Regards, Ravish

  • Is Apple's email marketing database corrupted?

    Hi.. I am pleased to receive emailed marketing from: [email protected] However, it is being sent to the wrong address, and the system for changing it does not work! At the bottom of every email message it says: +"If you would prefer not to receive fu

  • Sales order details uploading using BAPI method in LSMW

    Hi Guys, Sales order details uploading using BAPI in LSMW, could you please suggest me, is any standard method or programs is available for this. I have some queries about this. 1) One header line having multiple line items, in this case  we able to