VLAN Routing between 2 Routers

I have a deployment that has changed and they need a few more ports for routing. They have a Cisco router that is full (all ports used) but they need a few more. They have an ISA550 whose configurable ports are not being used. Can I configure those unused ports to route traffic for the VLAN on the main router? If so, I have tried several configs and can't get it to work (no data flow); in fact it locks up the ISA550, so I am either doing something wrong or this is not possible.
Could someone chime in and give me a hand? I need to have this done for tomorrow.
/Thanks 

Hi John, I think it's best to use the right equipment for the job. If you've already got a router in place and you're not in a campus/metro/ISP environment, it's not really prudent to use another router. A simple layer 2 or layer 3 switch can accomplish this and give you plenty of ports at a much better price per port.
You may want to look into the SG300 series switch if you want something that can handle the route load and give an ample number of ports.

Similar Messages

  • VLAN Routing between Interfaces

    Please see attached Diagram.  With my current setup, it doesn't seem like traffic is moving from FE8 to FE7 on Switch #2.  Any suggestions?
    My Desired Outcome:
    Have Multiple VLANS on FE8 on Switch #2 talk with their respective VLANS on FE7
    My current setup:
    Switch #1:
    FE1 - VLAN 1001 Untagged
    FE2 - VLAN 1002 Untagged
    FE3 - VLAN 1003 Untagged
    FE8 - VLANs 1001 Tagged, 1002 Tagged, 1003 Tagged (Trunk to Wireless Bridge #1)
    Wireless Bridge #1 & #2:
    Straight Bridge, passes all VLANS (Tested)
    Switch #2:
    FE8 - VLANs 1001 Tagged, 1002 Tagged, 1003 Tagged (Trunk to Wireless Bridge #2)
    FE7 - VLANs 1001 Tagged, 1002 Tagged, 1003 Tagged (Trunk to MultiPoint Antenna #1)
    MultiPoint Antenna:
    Transmits VLANs, with receivers set to only pickup their individual VLANS.

    Hi Brian,
    By the look of the description of the problem, you know vlans.
    Make sure the switches are using the current firmware, 1.1.2.0
    The easiest test to perform is to also put the following on switch two;
    FE1 - VLAN 1001 Untagged
    FE2 - VLAN 1002 Untagged
    FE3 - VLAN 1003 Untagged
    And plug a PC on FE1 of both switches, manually set the IP address to be in the same network and see if they can communicate via ping. This will prove if the wireless bridge propagates VLAN tag information.
    But, I'm guessing you have a misconfiguration of the tagging of VLANs or old firmware.
    You could verify the VLAN configuration by looking at the following, to see if the VLAN configuration is really there.
    A screenshot / capture of the following page from both switches could help me.
    But I left the switch ports in the default trunk mode.
    This allows for one untagged VLAN (default VLAN) and multiple tagged VLANs to exist on each switch port...perfect.
    I also use Wireshark to check out VLANs, but had to modify my PC to allow Wireshark to show me the VLAN packets coming into a Wireshark trace.
    Believe it or not, it wouldn't show me VLANs till I modified my Windows registry. You might be luckier. It was a Windows issue and not a Wireshark issue.
    You have the option, if you wish, to mirror port 8 on switch 1 and 2 to check if VLAN-tagged packets, even ARP frames, are coming over to/from the wireless bridge.
    To me it seems like you need to do a bit of 'foot work' to see if the VLANs are being propagated to wireless bridge #1 through mirroring port 8 of both switches, and then trying to ping between devices on the same VLAN.
    Confirm your switch firmware is version 1.1.2.0.
    Check your VLAN configuration with a couple of screen captures.
    You can mirror switch port 8 on both switches and use Wireshark to see if the VLAN frames are propagated between switches.
    Seems like there are a lot of steps you could perform to validate if VLANs are being propagated.
    Regards, Dave

  • Wi-Fi bridge between two TP-LINK WR841ND routers (WDS). HP 1536 dnf MFP connected to one of these routers (copper). My iPad or iPhone can't find the HP 1536 dnf MFP (using ePrint). iPad and iPhone connect to the router across Wi-Fi.

    Hello.
    I have a Wi-Fi bridge between two TP-LINK WR841ND routers.
    The name of this technology is WDS.
    An HP LaserJet 1536 dnf MFP is connected to one of these routers (copper).
    A second device (my netbook) is connected to the second router (Wi-Fi).
    I have good communication between the netbook and the HP LaserJet 1536 dnf MFP via the Wi-Fi bridge.
    In the usual case the netbook can find (and can ping) the network printer and print some files.
    But my iPad or iPhone can't find the HP LaserJet 1536 dnf MFP (using ePrint). The iPad and iPhone connect to the router across Wi-Fi.
    Please, help!

    Are you using the ePrint Mobile App, the ePrint Printer Control App, or just trying to send an email to the printer's ePrint email address?
    Does AirPrint work?

  • SG300: How to set up routing between VLANs?

    I have recently purchased a Cisco SG300-10. I need it to perform routing between two VLANs on the switch. Seems like this should be quick and easy to do from the built-in GUI. When I configure it according to the documentation, it does not route between the VLANs.
    I have set the system mode to L3 (for level 3 switching).
    I have followed the instructions on pages 26 through 33 of the attached PDF (which I obtained from the Cisco site). I used the same ports on the switch and the same IP addresses as shown in the document.
    Everything works until I attempt the step "ping 10.1.1.10" on page 33. This is the step to verify the level 3 switching between the 2 PCs (on separate VLANs).
    The switch Firmware Version (Active Image): 1.3.5.58
    I have attached the running configuration from the switch. It is the file named "running-config.txt".   
    The 2 PCs that I am using are running Windows 7 and Windows 8.

    Hi jkst,
    There is a minimum requirement to obtain layer 3 inter-VLAN routing:
    1 - 2 VLANs in layer 3 mode, each assigned an IP address
    config t
    vlan database
    vlan 2
    int vlan 1
    ip address 192.168.1.1 /24
    int vlan 2
    ip address 192.168.2.1 /24
    2 - Active link state on each VLAN: define a port for the second VLAN, then connect an IP device to that port and another device to another port, since the rest of the ports will default to VLAN 1
    config t
    int gi2
    switchport mode access
    switchport access vlan 2
    3 - Assign your device #1 that connects to any port an IP address on the same subnet as VLAN 1
    Computer in vlan 1 IP info=
    192.168.1.100
    255.255.255.0
    192.168.1.1
    Computer in vlan 2 IP info=
    192.168.2.100
    255.255.255.0
    192.168.2.1
    Assuming these devices respond to ping and do not have external wireless communication, this will provide basic IP connectivity through the switch across vlans.
    -Tom
    Please mark answered for helpful posts

  • Prevent routing between 2 logical networks without a VLAN

    Background: We have some older hubs in our network. As such, we cannot implement a VLAN yet. We have a 10/100 ethernet network across our campus for our production users. We have multiple buildings on the campus and one physical network. We are installing Cisco 1100 WAPs to provide our guests with wireless internet access. Our DHCP server is configured to hand out 192.168.1.x addresses to our guests. Our DHCP server has 192.168.0.x reservations for our production machines.
    Questions:
    1) Would this ACL prevent traffic from routing between the 192.168.0.x and 192.168.1.x networks?
    access-list 105 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
    2) Does anyone have a better solution for preventing our guests from accessing our production machines? Once all the hubs are replaced with switches, we plan to implement a VLAN.
    TIA,
    Mark

    Are you sure you want to protect your Guest WLAN from your production network, not the other way round? Your access-list states that the .0 network (production) is not allowed to access the .1 (WLAN) network. Then, I don't see in your config the activation of any of your access-lists. They are just defined without being activated on any of your interfaces. Plus, the allow at the end of the access-list is missing, because there is an implicit deny at the end of any access-list.
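An added example (not from this thread) that models how IOS evaluates an extended ACL: top-down, wildcard masks where a 1 bit means "don't care", and an implicit deny for anything that matches no line. It parses the ACL exactly as posted, and a revised list in the direction the answer above suggests with the missing permit added, then runs both against constructed sample flows so the two points in the answer can be checked directly. The 203.0.113.10 address is documentation space standing in for an Internet host.

```python
"""Model how a Cisco IOS extended ACL is evaluated, with wildcard masks
and the implicit deny at the end.

Added example, not from the thread above: it parses the ACL syntax the
poster used ("access-list 105 deny ip <net> <wildcard> <net> <wildcard>",
plus the "any" and "host" forms) and applies it to sample flows so that
both points raised in the answer can be checked: the single line matches
only production -> guest traffic, and with no permit entry everything
that reaches the list is dropped by the implicit deny.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return ((network, wildcard), next_index)."""
    tok = tokens[i]
    if tok == "any":
        return (0, ALL_ONES), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    network = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (network, wildcard), i + 2


def parse_acl(text):
    """Return the ACL as an ordered list of (number, action, protocol, src, dst)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        number, action, proto = tokens[1], tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        entries.append((number, action, proto, src, dst))
    return entries


def _matches(spec, address):
    """Wildcard semantics: bits set to 1 in the mask are ignored in the comparison."""
    network, wildcard = spec
    care = ~wildcard & ALL_ONES
    return (int(ipaddress.IPv4Address(address)) & care) == (network & care)


def evaluate(entries, src, dst, proto="ip"):
    """First matching entry wins; falling off the end is the implicit deny."""
    for _number, action, entry_proto, src_spec, dst_spec in entries:
        if entry_proto not in ("ip", proto):
            continue
        if _matches(src_spec, src) and _matches(dst_spec, dst):
            return action
    return "deny (implicit)"


# The ACL exactly as posted in the question (matches production -> guest only).
POSTED_ACL = parse_acl("""
access-list 105 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
""")

# The direction the answer suggests, plus the permit the answer says is
# missing, so that other guest traffic still passes.
REVISED_ACL = parse_acl("""
access-list 105 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 permit ip any any
""")

# Constructed sample flows: a production host, a guest host and an
# Internet destination (203.0.113.10 is documentation address space).
FLOWS = [
    ("192.168.0.5", "192.168.1.20"),   # production -> guest
    ("192.168.1.20", "192.168.0.5"),   # guest -> production
    ("192.168.1.20", "203.0.113.10"),  # guest -> Internet
]


def compare(flows=FLOWS):
    """Return {(src, dst): (verdict under posted ACL, verdict under revised ACL)}."""
    return {(s, d): (evaluate(POSTED_ACL, s, d), evaluate(REVISED_ACL, s, d))
            for s, d in flows}


if __name__ == "__main__":
    for (s, d), (posted, revised) in compare().items():
        print(f"{s:>14} -> {d:<14} posted: {posted:16} revised: {revised}")
```

Under the posted list, guest-to-production traffic is not matched by the only line and is dropped by the implicit deny, but so is the guest's Internet traffic; the revised list denies only guest-to-production and lets everything else through. The answer's other point, that a list does nothing until it is bound, is the `ip access-group 105 in` step on the interface facing the guest WLAN; the script models the matching only, not where the list is applied.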

  • VLAN's on 3524 VLAN enable issue (I don't want to route between them)

    I have segmented a 3524 switch into three different VLANs. One is the management VLAN 1 and the other two are for my Test Lab and Production network. I don't want either VLAN to see the other (router between them). My problem is my VLAN10 and VLAN12 will not come out of a shutdown state. They stay administratively down even after I issue the no shut command from within the VLAN interface. What am I doing wrong here?

    My guess is that you created 3 SVIs instead of creating the layer 2 VLANs that you need. Do a "show vlan"; do all 3 of your VLANs show up? If you created 3 different layer 3 SVIs (conf t, interface vlan 10 and/or 12), then the switch will only enable 1 because this is strictly used to manage the switch. To create your VLANs I believe on this switch you need to use the vlan database. At the switch prompt type vlan database, enter. Then type vlan 10, hit enter, then type vlan 12 and hit enter. This activates the layer 2 VLANs. Exit out to the command line and do a show vlan and see if all 3 show up now. Apply the VLANs to the ports as needed. These should now show up when you do a "show vlan". I think you are getting confused between the layer 3 SVIs and the layer 2 VLANs.

  • Routing between 2 switches layer 3

    Hi.
    I am having trouble with these layer 3 switches, since I have only been working with layer 2 switches and routers.
    So here is what I need to do. I will describe it as simply as I can.
    I have 2 switches, both layer 3.
    So I am going to have VLANs 10, 20 and 30 in the first one and VLANs 40, 50 and 60 in the other.
    All VLANs need to ping each other. My main problem is the trunk, since I need to configure the routing on it. I don't know how to do it, since in trunk mode I cannot configure an IP address between the switches.
    I'm not sure how to do this. I need an example.
    Let me know if you have a good example.

    Routing between VLANs on a L3 switch is actually the default.  You have to make ACLs to prevent routing or unwanted traffic.  The trunk on those switches should configure automatically, but you can also tell it to tag all VLANs since it sounds like that is what you want.  Then it is important that you assign an IP address to each VLAN and use that as the default gateway for the clients connected to each VLAN.

  • Problem of routing between inside and outside on ASA5505

    I have a ASA5505 with mostly factory default configuration. Its license allows only two vlan interfaces (vlan 1 and vlan 2). The default config has interface vlan 1 as inside (security level 100), and interface vlan 2 as outside (security level 0 and using DHCP).
    I only changed interface vlan 1 to IP 10.10.10.1/24. After I plugged a few hosts into vlan 1 ports and connected port Ethernet0/0 (default in vlan 2) to a live network, here are a couple of issues I found:
    a) One host I plugged in is a PC, and another host is a WAAS WAE device. Both are on vlan 1 ports. I hard-coded their IPs to 10.10.10.250 and 10.10.10.101, /24 subnet mask, and gateway of 10.10.10.1. I can ping from the PC to the WAE but not from the WAE to the PC, although the WAE has 10.10.10.250 in its ARP table. They are in the same vlan and same subnet; how could that be? Here are the ping output and the WAE ARP table.
    WAE#ping 10.10.10.250
    PING 10.10.10.250 (10.10.10.250) from 10.10.10.101 : 56(84) bytes of data.
    --- 10.10.10.250 ping statistics ---
    5 packets transmitted, 0 packets received, 100% packet loss
    WAE#sh arp
    Protocol Address Flags Hardware Addr Type Interface
    Internet 10.10.10.250 Adj 00:1E:37:84:C9:CE ARPA GigabitEthernet1/0
    Internet 10.10.10.10 Adj 00:14:5E:85:50:01 ARPA GigabitEthernet1/0
    Internet 10.10.10.1 Adj 00:1E:F7:7F:6E:7E ARPA GigabitEthernet1/0
    b) None of the hosts in vlan 1 in 10.10.10.0/24 can ping interface vlan 2 (address in 172.26.18.0/24 obtained via DHCP). But on ASA routing table, it has both 10.10.10.0/24 and 172.26.18.0/24, and also a default route learned via DHCP. Is ASA able to route between vlan 1 and vlan 2? (inside and outside). Any changes I can try?
    Here are ASA routing table and config of vlan 1 and vlan 2 (mostly its default).
    ASA# sh route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
    E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
    i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
    * - candidate default, U - per-user static route, o - ODR
    P - periodic downloaded static route
    Gateway of last resort is 172.26.18.1 to network 0.0.0.0
    C 172.26.18.0 255.255.255.0 is directly connected, outside
    C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
    C 10.10.10.0 255.255.255.0 is directly connected, inside
    d* 0.0.0.0 0.0.0.0 [1/0] via 172.26.18.1, outside
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.10.10.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/0
    switchport access vlan 2
    All other ports are in vlan 1 by default.

    I should have made the config easier to read. So here is what's on the ASA and the problems I have. The ASA only allows two VLAN interfaces configured (default to Int VLAN 1 - nameif inside, and Int VLAN 2 - nameif outside)
    port 0: in VLAN 2 (outside). DHCP configured. VLAN 2 pulled IP in 172.26.18.0/24, default gateway 172.26.18.1
    port 1-7: in VLAN 1 (inside). VLAN 1 IP is 10.10.10.1. I set all devices IP in VLAN 1 to 10.10.10.0/24, default gateway 10.10.10.1
    I have one PC in port 1 and one WAE device in port 2. PC IP set to 10.10.10.250 and WAE set to 10.10.10.101. PC can ping WAE but WAE can't ping PC. Both can ping default gateway.
    If I can't ping from the inside interface to the outside interface on the ASA, how can I verify inside hosts can get to outside addresses and vice versa? I looked at the ASA docs, but didn't find out how to set the routing between inside and outside. They are both connected interfaces; should they route between each other already?
    Thanks a lot

  • Cisco ASA 5505 Routing between internal networks

    Hi,
    I am new to Cisco ASA and have been configuring my new firewall, but one thing has been bothering me. I cannot get internal networks and routing between them to work as I would like to. The goal is to set up four networks and control access between them with ACLs:
    1. Outside
    2. DMZ
    3. ServerNet1
    4. Inside
    The ASA version is 9.1 and I have been reading about two different ways of handling IP routing with this: NAT exempt, and not configuring NAT at all and letting normal IP routing handle the internal networks. No matter how I configure it, with or without NAT, I cannot get access from the inside network to the DMZ or from ServerNet1 to the DMZ. The strange thing is that I can access services from the DMZ to Inside and ServerNet1 if the access list allows it. For instance the DNS server is on the Inside network and the DMZ works great using it.
    Here is the running conf:
    interface Ethernet0/0
    switchport access vlan 20
    interface Ethernet0/1
    switchport access vlan 20
    interface Ethernet0/2
    switchport access vlan 19
    interface Ethernet0/3
    switchport access vlan 10
    switchport trunk allowed vlan 10,19-20
    switchport trunk native vlan 1
    interface Ethernet0/4
    switchport access vlan 10
    interface Ethernet0/5
    switchport access vlan 10
    switchport trunk allowed vlan 10-11,19-20
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/6
    switchport access vlan 10
    switchport trunk allowed vlan 10-11,19-20
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/7
    switchport access vlan 10
    interface Vlan10
    nameif inside
    security-level 90
    ip address 192.168.2.1 255.255.255.0
    interface Vlan11
    nameif ServerNet1
    security-level 100
    ip address 192.168.4.1 255.255.255.0
    interface Vlan19
    nameif DMZ
    security-level 10
    ip address 192.168.3.1 255.255.255.0
    interface Vlan20
    nameif outside
    security-level 0
    ip address dhcp setroute
    ftp mode passive
    clock timezone EEST 2
    clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network obj-192.168.2.0
    subnet 192.168.2.0 255.255.255.0
    object network obj-192.168.3.0
    subnet 192.168.3.0 255.255.255.0
    object network DNS
    host 192.168.2.10
    description DNS Liikenne
    object network Srv2
    host 192.168.2.10
    description DC, DNS, DNCP
    object network obj-192.168.4.0
    subnet 192.168.4.0 255.255.255.0
    object network ServerNet1
    subnet 192.168.4.0 255.255.255.0
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group network RFC1918
    object-group network InternalNetworks
    network-object 192.168.2.0 255.255.255.0
    network-object 192.168.3.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_1
    service-object tcp destination eq domain
    service-object udp destination eq domain
    service-object udp destination eq nameserver
    service-object udp destination eq ntp
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq www
    port-object eq https
    port-object eq ftp
    port-object eq ftp-data
    object-group service rdp tcp-udp
    description Microsoft RDP
    port-object eq 3389
    object-group service DM_INLINE_TCP_2 tcp
    port-object eq ftp
    port-object eq ftp-data
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_SERVICE_2
    service-object tcp destination eq domain
    service-object udp destination eq domain
    object-group network DM_INLINE_NETWORK_1
    network-object object obj-192.168.2.0
    network-object object obj-192.168.4.0
    access-list dmz_access_in extended permit ip object obj-192.168.3.0 object obj_any
    access-list dmz_access_in extended deny ip any object-group InternalNetworks
    access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object DNS eq domain
    access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object-group DM_INLINE_NETWORK_1 object-group rdp
    access-list DMZ_access_in extended deny ip any object-group InternalNetworks
    access-list DMZ_access_in extended permit tcp object obj-192.168.3.0 object obj_any object-group DM_INLINE_TCP_2
    access-list inside_access_in extended permit ip object obj-192.168.2.0 object-group InternalNetworks
    access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj_any object-group rdp
    access-list inside_access_in extended permit tcp object obj-192.168.2.0 object obj_any object-group DM_INLINE_TCP_1
    access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Srv2 object obj_any
    access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj-192.168.3.0 object-group rdp
    access-list ServerNet1_access_in extended permit object-group DM_INLINE_SERVICE_2 any object DNS
    access-list ServerNet1_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu ServerNet1 1500
    mtu inside 1500
    mtu DMZ 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-711-52.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,DMZ) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp
    object network obj_any
    nat (inside,outside) dynamic interface
    nat (DMZ,outside) after-auto source dynamic obj_any interface destination static obj_any obj_any
    nat (ServerNet1,outside) after-auto source dynamic obj-192.168.4.0 interface
    access-group ServerNet1_access_in in interface ServerNet1
    access-group inside_access_in in interface inside
    access-group DMZ_access_in in interface DMZ
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 192.168.4.0 255.255.255.0 ServerNet1
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 192.168.4.0 255.255.255.0 ServerNet1
    ssh 192.168.2.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous

    Hi Jouni,
    Yep, Finnish would be good also =)
    In front of the ASA is a DSL modem. On the trunk ports is a Hyper-V host that uses the trunk ports so that every VM has its VLAN ID defined at the VM level. Everything is working well on that end. Also there is a WLAN access point on one of the ASA ports; on the WLAN AP there is the management portal address on the DMZ that I have been testing against (192.168.3.4).
    If I configure dynamic PAT from inside to the DMZ then the traffic starts to work from inside to all hosts on the DMZ, but that's not the right way to do it, so no shortcuts =)
    Here is the conf now, still doesn't work:
    interface Ethernet0/0
    switchport access vlan 20
    interface Ethernet0/1
    switchport access vlan 20
    interface Ethernet0/2
    switchport access vlan 19
    interface Ethernet0/3
    switchport access vlan 10
    switchport trunk allowed vlan 10,19-20
    switchport trunk native vlan 1
    interface Ethernet0/4
    switchport access vlan 10
    interface Ethernet0/5
    switchport access vlan 10
    switchport trunk allowed vlan 10-11,19-20
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/6
    switchport access vlan 10
    switchport trunk allowed vlan 10-11,19-20
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/7
    switchport access vlan 10
    interface Vlan10
    nameif inside
    security-level 90
    ip address 192.168.2.1 255.255.255.0
    interface Vlan11
    nameif ServerNet1
    security-level 100
    ip address 192.168.4.1 255.255.255.0
    interface Vlan19
    nameif DMZ
    security-level 10
    ip address 192.168.3.1 255.255.255.0
    interface Vlan20
    nameif outside
    security-level 0
    ip address dhcp setroute
    ftp mode passive
    clock timezone EEST 2
    clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network obj-192.168.2.0
    subnet 192.168.2.0 255.255.255.0
    object network obj-192.168.3.0
    subnet 192.168.3.0 255.255.255.0
    object network DNS
    host 192.168.2.10
    description DNS Liikenne
    object network Srv2
    host 192.168.2.10
    description DC, DNS, DNCP
    object network obj-192.168.4.0
    subnet 192.168.4.0 255.255.255.0
    object network ServerNet1
    subnet 192.168.4.0 255.255.255.0
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group network RFC1918
    object-group network InternalNetworks
    network-object 192.168.2.0 255.255.255.0
    network-object 192.168.3.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_1
    service-object tcp destination eq domain
    service-object udp destination eq domain
    service-object udp destination eq nameserver
    service-object udp destination eq ntp
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq www
    port-object eq https
    port-object eq ftp
    port-object eq ftp-data
    object-group service rdp tcp-udp
    description Microsoft RDP
    port-object eq 3389
    object-group service DM_INLINE_TCP_2 tcp
    port-object eq ftp
    port-object eq ftp-data
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_SERVICE_2
    service-object tcp destination eq domain
    service-object udp destination eq domain
    object-group network DM_INLINE_NETWORK_1
    network-object object obj-192.168.2.0
    network-object object obj-192.168.4.0
    object-group network DEFAULT-PAT-SOURCE
    description Default PAT source networks
    network-object 192.168.2.0 255.255.255.0
    network-object 192.168.3.0 255.255.255.0
    network-object 192.168.4.0 255.255.255.0
    access-list dmz_access_in extended permit ip object obj-192.168.3.0 object obj_any
    access-list dmz_access_in extended deny ip any object-group InternalNetworks
    access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object DNS eq domain
    access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object-group DM_INLINE_NETWORK_1 object-group rdp
    access-list DMZ_access_in extended deny ip any object-group InternalNetworks
    access-list DMZ_access_in extended permit tcp object obj-192.168.3.0 object obj_any object-group DM_INLINE_TCP_2
    access-list inside_access_in extended permit ip object obj-192.168.2.0 object-group InternalNetworks
    access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj_any object-group rdp
    access-list inside_access_in extended permit tcp object obj-192.168.2.0 object obj_any object-group DM_INLINE_TCP_1
    access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Srv2 object obj_any
    access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj-192.168.3.0 object-group rdp
    access-list ServerNet1_access_in extended permit object-group DM_INLINE_SERVICE_2 any object DNS
    access-list ServerNet1_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu ServerNet1 1500
    mtu inside 1500
    mtu DMZ 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-711-52.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
    access-group ServerNet1_access_in in interface ServerNet1
    access-group inside_access_in in interface inside
    access-group DMZ_access_in in interface DMZ
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 192.168.4.0 255.255.255.0 ServerNet1
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 192.168.4.0 255.255.255.0 ServerNet1
    ssh 192.168.2.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
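An added example (not part of this thread and not a Cisco tool): a small Python linter run over an excerpt of the configuration posted above. It reports three things a reviewer would check first in an ASA config of this shape: access-lists that are defined but never applied with access-group (the ASA matches names case-sensitively, so `dmz_access_in` and `DMZ_access_in` are two different lists), nameif interfaces that have no inbound ACL bound, and directly connected non-outside subnets that the `InternalNetworks` object-group does not cover. The excerpt, interface names and group name are copied from the post; the parser's handling of the forum's stripped indentation is the only assumption it makes.

```python
"""Lint an ASA running-config for ACL bindings and object-group coverage.

Added example, not from the thread or from Cisco. It reads config text in
the flattened form shown in the post above and reports: access-lists that
are defined but never applied with access-group (ASA names are
case-sensitive, so dmz_access_in and DMZ_access_in are different lists),
nameif interfaces with no inbound ACL, and directly connected non-outside
subnets that the InternalNetworks object-group does not cover.
"""
import ipaddress
from collections import OrderedDict

# Sub-commands that belong to the section opened above them (the forum
# stripped the indentation the ASA normally prints in front of them).
SUBCOMMANDS = ("nameif ", "security-level ", "ip address ", "subnet ", "host ",
               "network-object ", "description ", "switchport ", "nat ")


def parse_asa(text):
    """Collect interfaces, network objects/groups, ACL names and access-group bindings."""
    cfg = {"interfaces": OrderedDict(), "objects": {}, "groups": OrderedDict(),
           "acls": [], "bindings": OrderedDict()}
    section = None
    for raw in text.splitlines():
        line, parts = raw.strip(), raw.split()
        if not parts:
            continue
        if line.startswith("interface "):
            section = ("interface", cfg["interfaces"].setdefault(parts[1], {}))
        elif line.startswith("object network "):
            section = ("object", cfg["objects"].setdefault(parts[2], []))
        elif line.startswith("object-group network "):
            section = ("group", cfg["groups"].setdefault(parts[2], []))
        elif line.startswith("access-list "):
            section = None
            if parts[1] not in cfg["acls"]:
                cfg["acls"].append(parts[1])
        elif line.startswith("access-group "):  # access-group NAME in interface IFNAME
            section = None
            cfg["bindings"][parts[4]] = parts[1]
        elif section is not None and line.startswith(SUBCOMMANDS):
            kind, target = section
            if kind == "interface" and parts[0] == "nameif":
                target["nameif"] = parts[1]
            elif kind == "interface" and parts[:2] == ["ip", "address"] and parts[2] != "dhcp":
                target["net"] = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
            elif kind == "object" and parts[0] in ("subnet", "host") and not target:
                mask = parts[2] if parts[0] == "subnet" else "32"   # first definition wins
                target.append(ipaddress.ip_network(f"{parts[1]}/{mask}"))
            elif kind == "group" and parts[0] == "network-object":
                # "network-object A.B.C.D M.M.M.M" or "network-object object NAME"
                target.append(("object", parts[2]) if parts[1] == "object"
                              else ("net", ipaddress.ip_network(f"{parts[1]}/{parts[2]}")))
        else:
            section = None   # any other top-level command closes the section
    return cfg


def resolve_group(cfg, group):
    """Expand a network object-group to the networks it contains."""
    nets = []
    for kind, value in cfg["groups"].get(group, []):
        nets += [value] if kind == "net" else cfg["objects"].get(value, [])[:1]
    return nets


def lint(cfg, internal_group="InternalNetworks", external="outside"):
    """Return the findings as lists, in configuration order."""
    bound = set(cfg["bindings"].values())
    named = [i for i in cfg["interfaces"].values() if "nameif" in i]
    covered = resolve_group(cfg, internal_group)
    return {
        "unbound_acls": [a for a in cfg["acls"] if a not in bound],
        "dangling_bindings": [a for a in cfg["bindings"].values() if a not in cfg["acls"]],
        "interfaces_without_acl": [i["nameif"] for i in named if i["nameif"] not in cfg["bindings"]],
        "internal_subnets_not_in_group": [
            str(i["net"]) for i in named
            if "net" in i and i["nameif"] != external
            and not any(i["net"].subnet_of(c) for c in covered)],
    }


# Excerpt of the configuration posted above (interface, object-group and ACL lines).
SAMPLE_CONFIG = """
interface Vlan10
nameif inside
ip address 192.168.2.1 255.255.255.0
interface Vlan11
nameif ServerNet1
ip address 192.168.4.1 255.255.255.0
interface Vlan19
nameif DMZ
ip address 192.168.3.1 255.255.255.0
interface Vlan20
nameif outside
ip address dhcp setroute
object-group network InternalNetworks
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
access-list dmz_access_in extended deny ip any object-group InternalNetworks
access-list DMZ_access_in extended deny ip any object-group InternalNetworks
access-list inside_access_in extended permit ip object obj-192.168.2.0 object-group InternalNetworks
access-list ServerNet1_access_in extended permit ip any any
access-group ServerNet1_access_in in interface ServerNet1
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
"""

if __name__ == "__main__":
    for name, items in lint(parse_asa(SAMPLE_CONFIG)).items():
        print(f"{name}: {items or 'none'}")
```

On the excerpt it reports `dmz_access_in` as defined but never bound (only the upper-case list is applied to the DMZ interface), `outside` as the one named interface without an inbound ACL, and 192.168.4.0/24 (ServerNet1) as a connected subnet that `InternalNetworks` does not include. Whether either matters depends on the intended policy; the point of the check is that such differences are easy to miss in a long flattened config and cheap to catch mechanically before reasoning about NAT.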

  • The difference of the IEEE802.1x Auth between Cisco Routers and Catalyst switches

    Hello
    I am investigating the difference in IEEE 802.1X authentication between routers and switches.
    Basically dot1x auth is available on Catalyst switches. However, if I want to check
    port-based multi-auth, MAC address auth and any certificate auth with this feature,
    is it possible to integrate into a Cisco router such as the Cisco 891F?
    In my opinion the Cisco 891F is also able to use basic IEEE 802.1X, but if it is compared with Catalyst switches such as the Cat3560X
    I think there might be some unsupported features on the Cisco 891F.
    I appreciate any information. Thank you very much in advance.
    Best Regards,
    Masanobu Hiyoshi

    Many times in interviews I have been asked for a comparison between Cisco routers and switches, and I was answerless because I don't have much knowledge about that. Can anyone provide me the comparison sheet of the same: how the Cisco devices differ from each other, how much bandwidth each router supports, etc.?

    Ummmm ... The most common question I get is "what is the difference between a router and a switch".
    However, if you get a question like this, then my impressions of this line of questioning are:
    1. The candidate they are looking for has in-depth knowledge of routers and switches. And I mean IN-DEPTH!;
    2. They are not looking for a candidate. They just want to stroke their ego. There are not a lot of people who can give you the "names and numbers" of routers and switches at the snap of a finger. And if you do happen to know the answer, then and there, then expect a tougher follow-up question.

  • Vlan routing with Linksys sge2000

    Hi, I have a Linksys SGE2000 with two VLANs; one has interface 192.168.50.10/18 and the second has 192.168.30.10/24. I need to get communication between these networks, because a few computers must access the other network, so that's why I ask you for some help, because until now I couldn't find out if it's possible on this switch. Thank you in advance.
    Daniel

    It is not possible for those 2 VLANs to communicate with each other unless you hook up a router to those 2 VLANs. The device is not capable of inter-VLAN routing alone, so you will need to use a layer 3 device.

  • Setting up back-to-back async connection between 2 routers

    Hi,
    I am trying to set up a back-to-back async connection between 2 routers via the async serial interface. The connection between the two routers is via a smart serial to RS232 male (CAB-SS-232MT) cable connecting to another RS232 female to smart serial (CAB-SS-232FC) cable. What I am trying to do is to push the async data from one router (Router A) to another router (Router B).
    When I try to capture the async data from the async serial interface on the source router (Router A) while disconnecting the back-to-back connection from Router B, it is showing the correct data. The data capture is via the smart serial to RS232 male cable connecting Router A to a PC via HyperTerminal. However, when the back-to-back connection is connected and I try to do a reverse telnet at Router B, opening up the port for the async interface on Router B, it seems to be showing incorrect data. I have confirmed that the speed and configurations on both routers are matched.
    Does it require two physical async modems in between both routers for signalling? Can any experts who are familiar with such setups advise on why the async data at Router B appears as incorrect with unreadable characters? Any help is greatly appreciated.

    Hey Sebastian,
    Had the same issue, which I just managed to get resolved.
    When you insert the modem, the router will create an Async interface for it, let's say Async 0/1/0;
    then all you have to do is:
    chat-script DialOut ABORT ERROR ABORT BUSY "" "AT" OK "ATDT \T" TIMEOUT 45 CONNECT \c
    line 0/1/0
    exec-timeout 0 0
    script dialer DialOut
    modem InOut
    transport preferred none
    transport input all
    transport output all
    stopbits 1
    speed 115200
    flowcontrol hardware
    and to dial the remote router all that's required is:
    reverse telnet to the above line (show line to know the line number) then type atdt
    Let me know in case you still get issues

  • OTV vlans routing on the 1 device and switching on the other

    Hi, there seem to be OTV issues where the odd VLANs on agg1 are showing as routing and the even VLANs are using the OTV, and on agg2 vice versa.
    My presumption was that using OTV, all VLANs configured for access would use OTV instead of routing.
    agg1# show ip route  10.128.105.133
    IP Route Table for VRF "default"
    '*' denotes best ucast next-hop
    '**' denotes best mcast next-hop
    '[x/y]' denotes [preference/metric]
    10.128.105.128/25, ubest/mbest: 1/0
        *via 192.168.28.50, Po5, [19/51456], 4d00h, eigrp-128, external
         via 10.101.0.25, [200/51712], 4d00h, bgp-65149, internal, tag 65149
    agg1# show ip route  10.128.106.133
    IP Route Table for VRF "default"
    '*' denotes best ucast next-hop
    '**' denotes best mcast next-hop
    '[x/y]' denotes [preference/metric]
    10.128.106.128/25, ubest/mbest: 1/0, attached
        *via 10.128.106.130, Vlan806, [0/0], 4d02h, direct
         via 10.101.0.25, [200/51712], 3d20h, bgp-65149, internal, tag 65149
    agg2 show ip route  10.128.106.133
    IP Route Table for VRF "default"
    '*' denotes best ucast next-hop
    '**' denotes best mcast next-hop
    '[x/y]' denotes [preference/metric]
    10.128.106.128/25, ubest/mbest: 1/0
        *via 192.168.28.49, Po5, [19/51456], 4d00h, eigrp-128, external
         via 10.101.0.25, [200/51712], 3d20h, bgp-65149, internal, tag 65149
    agg2# show ip route  10.128.105.133
    IP Route Table for VRF "default"
    '*' denotes best ucast next-hop
    '**' denotes best mcast next-hop
    '[x/y]' denotes [preference/metric]
    10.128.105.128/25, ubest/mbest: 1/0, attached
        *via 10.128.105.132, Vlan805, [0/0], 4d00h, direct
         via 10.101.0.25, [200/51712], 4d00h, bgp-65149, internal, tag 65149
    show otv adjacency
    Overlay Adjacency database
    Overlay-Interface Overlay1  :
    Hostname                         System-ID      Dest Addr       Up Time   State
    MCC-N7K2-OTV                     04c5.a4ea.8b42 192.168.26.54   4d12h     UP  
                                     04c5.a4ea.93c2 192.168.28.42   4d09h     UP  
    LDC-N7K2-OTV                     04c5.a4ea.6042 192.168.28.46   1d22h     UP 
    Do the OTV devices need to be physically connected to each other?
    It seems that VLANs at layer 2 do not span across the AGG switches.
    diagram

    You did not configure PBR on the CSS since it does not have this function.
    You simply configured static routing.
    As so, the CSS will route between the vlans.
    If you want a firewall to protect every vlan from the other ones, you should have a one-armed design where the firewall does the routing between the vlans and the CSS is doing the loadbalancing.
    i.e.:
            vlan1
              |
     vlan2 ---FW----- CSS
              |
            Vlan2
    You'll need to do client NAT on the CSS or implement some form of PBR on the firewall.
    PBR means routing based on another factor than the destination IP address. In this case, it is necessary to route based on the source port.
    That might be too complex, so an easier choice would be
      vlan1(ext)     vlan2(ext)
        |               |
        +-------FW------+
                 |
              +-CSS-+
              |     |
            vlan3 vlan4
    There is no protection between internal VLANs, but you don't need policy routing or client NAT.
    Gilles.

  • Switch VLANs/Routing

    I'm interested in best practice design for the following:
    lan1 --- switch1 --(g1/0/28)-- GigaMAN Link --(g1/0/28)-- switch2 --- lan2
    lan1 and lan2 are different subnets. I would like to know the best way to configure the ports/VLANs/etc. so that traffic can be routed between them. Both switch1 and switch2 support routing.

    Treat the sw1 and sw2 just like a router. Make the link between them a L3 interface and then you can use routing to get the lan 1 talking to lan 2. For example:
    sw1:
    conf t
    interface g1/0/1          ! access port to a PC in LAN 1
     switchport
    interface g1/0/28         ! routed (L3) link toward sw2
     no switchport
     ip address 10.1.1.1 255.255.255.252
    interface vlan 1          ! SVI, default gateway for LAN 1
     ip address 1.1.1.1 255.255.255.0
    ip route 2.1.1.0 255.255.255.0 10.1.1.2   ! LAN 2 via sw2 (subnet mask, not a wildcard)
    sw2:
    conf t
    interface g1/0/1          ! access port to a PC in LAN 2
     switchport
    interface g1/0/28         ! routed (L3) link toward sw1
     no switchport
     ip address 10.1.1.2 255.255.255.252
    interface vlan 1          ! SVI, default gateway for LAN 2
     ip address 2.1.1.1 255.255.255.0
    ip route 1.1.1.0 255.255.255.0 10.1.1.1   ! LAN 1 via sw1

  • Two quick VLAN routing questions

    Let's say I have an L3 switch routing 4 VLANs:
    VLAN 1 is 192.168.10.0/24, the switch's virtual interface is 192.168.10.254 inside this vlan
    VLAN 2 is 192.168.20.0/24, the switch's virtual interface is 192.168.20.254 inside this vlan
    VLAN 3 is 192.168.30.0/24, the switch's virtual interface is 192.168.30.254 inside this vlan
    VLAN 4 is 192.168.40.0/24, the switch's virtual interface is 192.168.40.254 inside this vlan
    There is only one router going out from this switch to the net, and let's say it is in VLAN 1 and its address is 192.168.10.1.
    First question: inside of the L3 switch I will need to add a default route of 0.0.0.0 0.0.0.0 192.168.10.1
    so that all traffic not corresponding to a 192.168.x.x address knows where to get out to the net, correct?
    Secondly: when configuring that router, is there a difference if I use the following static route:
    192.168.20.0 255.255.255.0 192.168.10.254
    instead of
    192.168.20.0 255.255.255.0 192.168.20.254
    Either way, the packet gets to the L3 switch, but in one case it gets there via the VLAN interface inside of VLAN 1, and in the other case it gets there via the VLAN interface inside of the VLAN for which the traffic is destined anyway. What I'm trying to figure out is, will this make any difference at all, especially in terms of broadcast packets?
    If it makes no difference, then is it safe to say that the following static route would be optimal?
    192.168.0.0 255.255.0.0 192.168.10.254

    Re "firstly". Correct. The L3 switch will route traffic according to its routing table. By default it knows all IP subnets to which it is directly connected, i.e. all the VLAN subnets. Whether you have to add a default route manually or not depends on the exact implementation. It may well be that the L3 switch will use any default gateway for routing which you set in the IP settings of the switch itself (if there is an option in the web interface to set a default gateway). If you cannot define a default gateway on the L3 switch you probably have to add a static route manually. The easiest way should be to check the current routing table and see if there is a default gateway or not.
    Re "secondly". A router can only forward packets to the next hop router. The next hop router must be connected to that router. The route "192.168.20.0 255.255.255.0 192.168.10.254" is correct for a router with IP address 192.168.10.1 and subnet mask 255.255.255.0, as 192.168.10.254 is connected to the router. "192.168.20.0 255.255.255.0 192.168.20.254" is not correct. The router cannot learn the path to a specific subnet 192.168.20.0/255.255.255.0 by using a gateway in that subnet. It is not correct to use that kind of route and you should not use it even if it might work (because the router does a plain ARP request to find the MAC address of 192.168.20.254 and your L3 switch will respond to the ARP request even if it is on the interface of 192.168.10.254). The very moment there is another router between the 10 and 20 subnets it would not work anymore...
    Re your conclusion: I would recommend keeping four static routes for the existing subnets on the L3 switch instead of putting everything into a larger single subnet which includes a lot of addresses which are not connected there. Technically it works if you only use working IP addresses. But you will see some loops if you send something to 192.168.55.50 or similar. The gateway router will send it to the L3 switch, which will send it back to the gateway. They should figure out it's a loop, but still I would not recommend this kind of setup... Add routes for each of the L3 switch subnets...
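    As an added illustration of the two points made in this reply (a static route's next hop has to sit on a directly connected subnet, and the 192.168.0.0/16 shortcut bounces traffic for unused 192.168.x.x space between the router and the L3 switch), here is a small Python model that is not part of the thread. The addresses are the ones from the question; the device names and the switch's default route toward the router are assumptions.

```python
from ipaddress import ip_address, ip_interface, ip_network

class L3Device:
    def __init__(self, name, interfaces, routes):
        self.name = name
        self.ifaces = [ip_interface(i) for i in interfaces]   # "addr/prefixlen"
        self.routes = [(ip_network(p), ip_address(nh)) for p, nh in routes]

    def bad_next_hops(self):
        """Static routes whose next hop is on no connected subnet (nothing to ARP for)."""
        nets = [i.network for i in self.ifaces]
        return [(str(p), str(nh)) for p, nh in self.routes
                if not any(nh in n for n in nets)]

    def next_hop(self, dst):
        """Longest-prefix match: 'direct' on a connected subnet, else next-hop IP, else None."""
        dst = ip_address(dst)
        cands = [(i.network.prefixlen, "direct") for i in self.ifaces if dst in i.network]
        cands += [(p.prefixlen, nh) for p, nh in self.routes if dst in p]
        return max(cands, key=lambda c: c[0])[1] if cands else None

def trace(devices, start, dst, ttl=16):
    """Forward a packet hop by hop; returns (path, outcome) so a loop becomes visible."""
    owner = {i.ip: d for d in devices for i in d.ifaces}
    cur, path = start, [start.name]
    for _ in range(ttl):
        nh = cur.next_hop(dst)
        if nh is None:
            return path, "no-route"
        if nh == "direct":
            return path, "delivered"
        if nh not in owner:                      # next hop outside the modelled topology
            return path + [str(nh)], "left-model"
        cur = owner[nh]
        path.append(cur.name)
    return path, "ttl-expired"                   # bounced ttl times: a routing loop

# Topology from the question (device names assumed): the L3 switch with its four SVIs
# and a default route to the router, plus three variants of the router's static routes.
SWITCH = L3Device("l3switch",
    ["192.168.10.254/24", "192.168.20.254/24", "192.168.30.254/24", "192.168.40.254/24"],
    [("0.0.0.0/0", "192.168.10.1")])
GW_PER_SUBNET = L3Device("router", ["192.168.10.1/24"],
    [(f"192.168.{n}.0/24", "192.168.10.254") for n in (20, 30, 40)])
GW_SUPERNET = L3Device("router", ["192.168.10.1/24"], [("192.168.0.0/16", "192.168.10.254")])
GW_WRONG_NH = L3Device("router", ["192.168.10.1/24"], [("192.168.20.0/24", "192.168.20.254")])
if __name__ == "__main__":
    print(GW_WRONG_NH.bad_next_hops())                                    # unreachable next hop
    print(trace([SWITCH, GW_PER_SUBNET], GW_PER_SUBNET, "192.168.20.5"))  # delivered
    print(trace([SWITCH, GW_SUPERNET], GW_SUPERNET, "192.168.55.50"))     # ttl-expired (loop)
```

    The per-subnet routes deliver normally, the /16 variant shows the router and switch handing the packet back and forth until the TTL runs out, and the route via 192.168.20.254 is flagged because that next hop is not on any of the router's own subnets.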
