Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
697
Views
0
Helpful
6
Replies

2900 router can't ping new workstation from all interfaces

tnshurtm1
Level 1
Level 1

‎04-28-2014 05:41 AM - edited ‎03-04-2019 10:51 PM

We have a 2900 router that acts as DHCP server and can not ping a new workstation that is not DHCP.  I can ping the new workstation from the 10.45.4.1 interface, but not from any other.  I can ping existing workstations from all interfaces.  Is it some access list that is only allowing for DHCP addresses to be pingable?  There is some legacy stuff in the router (BGP) that isn't being used.  Here is the config:

Building configuration...

Current configuration : 22818 bytes
!
! Last configuration change at 15:58:47 EDT Fri Apr 25 2014 by 
! NVRAM config last updated at 11:09:52 EDT Sat Apr 5 2014 by 
! NVRAM config last updated at 11:09:52 EDT Sat Apr 5 2014 by 
version 15.1
service timestamps debug datetime localtime
service timestamps log datetime msec
no service password-encryption
!
hostname 
!
boot-start-marker
boot-end-marker
!
!
logging buffered informational
no logging console
!
no aaa new-model
ida-client server url https://www.cisco.com//cgi-bin/front.x/ida/locator/locator.pl
!
clock timezone EDT -4 0
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.45.4.1 10.45.4.9
ip dhcp excluded-address 10.45.8.1 10.45.8.9
ip dhcp excluded-address 10.45.30.1 10.45.30.9
ip dhcp excluded-address 10.45.31.1 10.45.31.9
ip dhcp excluded-address 10.45.32.1 10.45.32.9
ip dhcp excluded-address 10.45.33.1 10.45.33.9
ip dhcp excluded-address 10.45.34.1 10.45.34.9
ip dhcp excluded-address 10.45.35.1 10.45.35.9
ip dhcp excluded-address 10.45.80.1 10.45.80.9
!
ip dhcp pool DataVLAN
 network 10.45.4.0 255.255.255.0
 default-router 10.45.4.1
 dns-server 10.44.80.249 10.44.80.252
 option 156 ascii ftpservers=10.44.8.2,country=1,language=1,layer2tagging= 1,vlanid=25
!
ip dhcp pool VoiceVLAN
 network 10.45.8.0 255.255.255.0
 default-router 10.45.8.1
 dns-server 10.44.80.249 10.44.80.241
 option 156 ascii ftpservers=10.44.8.2,country=1,language=1,layer2tagging= 1,vlanid=25
!
ip dhcp pool Access-Points
 network 10.45.30.0 255.255.255.0
 default-router 10.45.30.1
 dns-server 10.1.0.10 192.168.254.204
!
ip dhcp pool Guest-Wireless
 network 10.45.31.0 255.255.255.0
 default-router 10.45.31.1
 dns-server 10.1.0.10 192.168.254.204
!
ip dhcp pool Staff-Wireless
 network 10.45.32.0 255.255.255.0
 default-router 10.45.32.1
 dns-server 10.1.0.10 192.168.254.204
!
ip dhcp pool Voice-Wireless
 network 10.45.33.0 255.255.255.0
 default-router 10.45.33.1
 dns-server 10.1.0.10 192.168.254.204
!
ip dhcp pool Mobile-Wireless
 network 10.45.34.0 255.255.255.0
 default-router 10.45.34.1
 dns-server 10.1.0.10 192.168.254.204
!
ip dhcp pool WAAS
 network 10.45.35.0 255.255.255.0
 default-router 10.45.35.1
 dns-server 10.1.0.10 192.168.254.204
!
ip dhcp pool New Server
 network 10.45.80.0 255.255.255.0
 default-router 10.45.80.1
 dns-server 10.1.0.10 192.168.254.204
!
ip dhcp pool voicevlan
 dns-server 10.44.80.249 10.44.80.252
!
!
ip flow-cache timeout active 1
ip domain lookup source-interface GigabitEthernet0/1.21
ip name-server 10.44.80.249
ip name-server 10.44.80.241
ip ips config location flash:ips retries 1
ip ips name IPS_1 list IPS_ACL
!
ip ips signature-category
  category all
   retired true
  category ios_ips basic
   retired false
!

ip ips auto-update
 occur-at weekly 0-6 50 0-23
 url https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl
login on-failure log
login on-success log
!
multilink bundle-name authenticated
!
!
password encryption aes
crypto pki token default removal timeout 0
!
crypto pki trustpoint 
 enrollment selfsigned
 subject-name 
 revocation-check none
 rsakeypair 
!
crypto pki trustpoint root
 enrollment terminal
 revocation-check none
!
crypto pki trustpoint rootVeriSub
 enrollment terminal
 revocation-check none
!
!
crypto pki certificate chain 
 certificate self-signed 01
  
        quit
crypto pki certificate chain root
 certificate ca 01A
  
        quit
crypto pki certificate chain rootVeriSub
 certificate ca 07271446
  
        quit
license udi pid CISCO2911/K9 sn FTX1604F049
!
!
archive
 log config
  hidekeys
 path 
 write-memory
username Orlansinfrastructure password 0 
username rancid privilege 15 secret 5 
username orlans2 privilege 15 secret 5 
!
redundancy
!
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   
  quit
!
!
!
!
no ip ftp passive
ip tftp source-interface GigabitEthernet0/1.21
ip ssh version 2
!
class-map match-any COS2-Video
 match ip dscp af41
 match protocol telnet
 match access-group name COS2-Video
class-map match-any bad-traffic
 match protocol bittorrent
 match protocol edonkey
 match protocol gnutella
 match protocol fasttrack
 match protocol kazaa2
 match protocol winmx
 match protocol directconnect
 match protocol gopher
class-map match-any voice-out
 match ip dscp ef
 match access-group name VOIP_TRAFFIC
class-map match-any sig-out
 match ip dscp cs3
class-map match-any AutoQoS-VoIP-Remark
 match ip dscp ef
 match ip dscp cs3
 match ip dscp af31
class-map match-any sig-in
 match ip dscp cs3  af31
 match ip precedence 3
 match ip precedence 4
class-map match-any voice-in
 match ip dscp cs5  ef
 match ip precedence 5
 match protocol skinny
 match protocol sip
 match access-group name VOIP_TRAFFIC
class-map match-any AutoQoS-VoIP-Control-UnTrust
 match access-group name AutoQoS-VoIP-Control
class-map match-any COS5
 match ip dscp af11
 match access-group name COS5
class-map match-any COS4
 match ip dscp default
 match access-group name COS4
class-map match-any COS3
 match ip dscp af21
 match access-group name COS3
class-map match-any COS2
 match ip dscp cs3  af31
 match protocol telnet
 match access-group name COS2
class-map match-any AutoQoS-VoIP-RTP-UnTrust
 match protocol rtp audio
 match access-group name AutoQoS-VoIP-RTCP
!
!
policy-map AutoQoS-Policy-UnTrust
 class AutoQoS-VoIP-RTP-UnTrust
  priority percent 70
  set dscp ef
 class AutoQoS-VoIP-Control-UnTrust
  bandwidth percent 5
  set dscp af31
 class AutoQoS-VoIP-Remark
  set dscp default
 class class-default
  fair-queue
policy-map QOS-MPLS-ISI
 class voice-out
  set ip dscp ef
  priority percent 40
 class sig-in
  bandwidth remaining percent 5
 class COS2-Video
  set ip dscp af41
  bandwidth remaining percent 30
 class COS2
  set ip dscp af31
  bandwidth remaining percent 30
 class COS3
  set ip dscp af21
  bandwidth remaining percent 15
 class COS4
  set ip dscp default
  bandwidth remaining percent 4
 class COS5
  set ip dscp af11
 class bad-traffic
  drop
policy-map VOICE-INBOUND
 class voice-in
  set ip dscp ef
 class sig-in
  set ip dscp cs3
policy-map VOICE-OUTBOUND
 class voice-out
  priority percent 55
 class sig-out
  bandwidth percent 5
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set esp-aes esp-sha-hmac
 mode transport
crypto ipsec transform-set esp-aes esp-sha-hmac
crypto ipsec transform-set esp-3des esp-sha-hmac
!
crypto ipsec profile 
 set transform-set 
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel 
 set peer 
 set transform-set ESP-3DES-SHA
 match address 100
!
!
!
!
!

!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description ****connection to 
 ip address 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.20
 description 
 encapsulation dot1Q 20
 ip address 10.45.0.1 255.255.255.0
!
interface GigabitEthernet0/1.21
 description ***USER VLAN ****
 encapsulation dot1Q 21
 ip address 10.45.4.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.25
 encapsulation dot1Q 25
 ip address 10.45.8.1 255.255.255.0
 ip flow ingress
 ip flow egress
!

!
interface GigabitEthernet0/2
 description EPL$ES_LAN$
 ip address 172.17.1.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!

!
router eigrp 100
 network 10.45.0.0 0.0.0.255
 network 10.45.4.0 0.0.0.255
 network 10.45.8.0 0.0.0.255
 network 10.45.30.0 0.0.0.255
 network 10.45.31.0 0.0.0.255
 network 10.45.32.0 0.0.0.255
 network 10.45.33.0 0.0.0.255
 network 10.45.34.0 0.0.0.255
 network 10.45.35.0 0.0.0.255
 network 10.45.80.0 0.0.0.255
 network 172.16.38.0 0.0.0.255
 distance eigrp 201 201
 passive-interface default
 no passive-interface Tunnel2
!
!
router eigrp 101
 network 10.45.0.0 0.0.0.255
 network 10.45.4.0 0.0.0.255
 network 10.45.8.0 0.0.0.255
 network 10.45.30.0 0.0.0.255
 network 10.45.31.0 0.0.0.255
 network 10.45.32.0 0.0.0.255
 network 10.45.33.0 0.0.0.255
 network 10.45.34.0 0.0.0.255
 network 10.45.35.0 0.0.0.255
 network 10.45.80.0 0.0.0.255
 network 172.16.39.0 0.0.0.255
 distance eigrp 200 200
 passive-interface default
 no passive-interface Tunnel1
!
router bgp 65011
 bgp router-id 66.251.39.122
 bgp log-neighbor-changes
 network 10.45.0.0 mask 255.255.255.0
 network 10.45.4.0 mask 255.255.255.0
 network 10.45.8.0 mask 255.255.255.0
 network 10.45.30.0 mask 255.255.255.0
 network 10.45.31.0 mask 255.255.255.0
 network 10.45.32.0 mask 255.255.255.0
 network 10.45.33.0 mask 255.255.255.0
 neighbor remote-as 15270
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
ip flow-export source GigabitEthernet0/1.20
ip flow-export version 5
ip flow-export destination 10.44.80.251 9996
!
ip nat inside source route-map NATLIST interface GigabitEthernet0/0 overload
ip nat inside source static 10.44.80.250 
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 10.44.0.0 255.255.255.0 172.17.1.1
ip route 10.44.4.0 255.255.255.0 172.17.1.1
ip route 10.44.8.0 255.255.255.0 172.17.1.1
ip route 10.44.31.0 255.255.255.0 172.17.1.1
ip route 10.44.32.0 255.255.255.0 172.17.1.1
ip route 10.44.80.0 255.255.255.0 172.17.1.1
ip route 10.44.100.0 255.255.255.0 172.17.1.1
ip route 192.168.1.0 255.255.255.0 172.17.1.1
!
ip access-list standard SNMP_ACCESS
 permit 10.44.80.251
 deny   any
!
ip access-list extended AutoQoS-VoIP-Control
 permit tcp any any eq 1720
 permit tcp any any range 11000 11999
 permit udp any any eq 2427
 permit tcp any any eq 2428
 permit tcp any any range 2000 2002
 permit udp any any eq 1719
 permit udp any any eq 5060
ip access-list extended AutoQoS-VoIP-RTCP
 permit udp any any range 16384 32767
ip access-list extended COS2-Video
 permit ip any host 10.44.80.235
 permit ip any host 10.44.80.236
ip access-list extended COS3
 remark COS3 - DSCP AF21
 permit tcp any any eq 389
 permit tcp any any eq 8471
ip access-list extended COS4
 remark COS4 - DSCP 0
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq 143
 permit tcp any any eq 2525
 permit tcp any any eq smtp
 permit tcp any any eq pop3
 permit tcp any any eq 139
 permit tcp any any eq 445
 permit tcp any any eq 137
 permit tcp any any eq 8473
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
ip access-list extended COS5
 remark DEFAULT TRAFFIC
 permit ip any any
ip access-list extended INTERNET_FILTER
 permit tcp 10.0.0.0 0.0.0.255 any
 permit udp 10.0.0.0 0.0.0.255 any
 permit tcp 172.16.0.0 0.0.255.255 any
 permit udp 172.16.0.0 0.0.255.255 any
 permit tcp 192.168.0.0 0.0.255.255 any
 permit udp 192.168.0.0 0.0.255.255 any
 permit tcp any any established
 permit tcp any any eq smtp
 deny   ip any any
ip access-list extended IPS_ACL
 remark ACL Traffic to be scanned
 permit ip any any
ip access-list extended NAT_ACL
 remark CCP_ACL Category=18
 remark IPSec Rule
 deny   ip 10.45.4.0 0.0.0.255 10.44.0.0 0.0.255.255
 permit ip 10.45.4.0 0.0.0.255 any
 permit ip 10.45.31.0 0.0.0.255 any
 permit ip 10.45.32.0 0.0.0.255 any
 permit ip 10.45.34.0 0.0.0.255 any
 permit ip 10.45.80.0 0.0.0.255 any
 permit ip 10.45.0.0 0.0.0.255 any
 permit ip 10.44.4.0 0.0.0.255 any
 permit ip 10.44.80.0 0.0.0.255 any
 permit ip 172.17.1.0 0.0.0.255 any
 permit ip any any
!
logging 10.44.80.251
access-list 5 permit 10.44.8.235
access-list 5 permit 10.45.4.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.45.0.0 0.0.255.255 10.44.0.0 0.0.255.255
access-list 144 permit ip host 10.45.4.60 host 10.44.80.235
access-list 144 permit ip host 10.44.80.235 host 10.45.4.60
!
!
!
!
route-map NATLIST permit 10
 match ip address NAT_ACL
!
!

!
control-plane
!
!
banner exec ^CC

!

!
scheduler allocate 20000 1000
ntp server 10.44.0.1
end

Labels:
0 Helpful
6 Replies 6

tnshurtm1
Level 1
Level 1

‎04-28-2014 05:50 AM

The IP of the workstation in question is 10.45.4.9.  If I traceroute from something connected to G0/2, it gets to G0/2 and dies.

0 Helpful

Wietse Hensen
Level 1
Level 1

‎04-29-2014 01:20 PM

Have you set a default gateway to your client? And have you set the right vlan to the switchport where the workstation is connected?

0 Helpful

tnshurtm1
Level 1
Level 1
In response to Wietse Hensen

‎05-01-2014 08:07 AM

Yes.  The default gateway is set to G0/1.21 and the vlan is correct.  I can ping the workstation from the switch it is plugged into and from the G0/1 interface on the router.

0 Helpful

Wietse Hensen
Level 1
Level 1

‎05-01-2014 08:46 AM

What happens when you change the settings of the workstation to dhcp? Have you tried changing the workstation to a different physical switchport?
0 Helpful

tnshurtm1
Level 1
Level 1
In response to Wietse Hensen

‎05-01-2014 08:51 AM

Did not try different switchport.  Manually assigned an ip of 10.45.4.60 and it works fine.  Why won't it work with 10.45.4.9?  The device can not be set to DHCP.

0 Helpful

Wietse Hensen
Level 1
Level 1

‎05-01-2014 11:16 AM

access-list 144 allows 10.45.4.60, but access-list is not connected to any interface on this router.
Can you try another ip-address. Not listed in any access-list. You can try to take an existing dhcp workstation set to a manual ip address. So you can decide the new workstation is the problem or the router.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card