06-13-2021 07:07 AM - edited 06-13-2021 07:08 AM
Hi all,
The following simple configuration runs flawlessly on my C1111-8P and IOS XE 16. As you can see, I have a trunk Ethernet port connected to a switch feeding my router with two VLANs (1 and 2). And both of my VLANs are bridged on two separate BDI interfaces which are serving DHCP.
!
mac access-list extended MACAllowedVLAN1
permit host bbbb.cccc.dddd any
deny any any
!
mac access-list extended MACDeniedVLAN2
deny host aaaa.bbbb.cccc any
permit any any
!
interface GigabitEthernet0/1/0
 switchport mode trunk
!
interface Vlan1
 no ip address
 no autostate
 service instance 1 ethernet
  encapsulation untagged , dot1q 1
  mac access-group MACAllowedVLAN1 in
  bridge-domain 1
!
interface Vlan2
 no ip address
 no autostate
 service instance 2 ethernet
  encapsulation dot1q 2
  rewrite ingress tag pop 1 symmetric
  mac access-group MACDeniedVLAN2 in
  bridge-domain 2
!
interface BDI1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip mtu 1476
 ip nat inside
 zone-member security Inside
 ip tcp adjust-mss 1436
 ip virtual-reassembly
!
interface BDI2
 ip address 192.168.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip mtu 1476
 ip nat inside
 zone-member security InsideGuests
 ip tcp adjust-mss 1436
 encapsulation dot1Q 2
 service-policy input guest-fw
 ip virtual-reassembly
!
As I said in the beginning, this configuration works perfectly on IOS XE 16, but when I run it under any version of 17, VLAN2 seems not to be working. Clients are able to request and take an IP address from the VLAN's DHCP (192.168.2.0/24), but then no packet can come or go from or to the router (192.168.2.1). Even a ping directly from router# is not working for any client attached on VLAN2.
And now the weirdest thing.... if you give:
router# conf t
router(config-if)# int bd2
router(config-if)# no encapsulation dot1Q 2
router(config-if)# encapsulation dot1Q 2
router(config-if)#
Then all clients are up and running freely!!! All packets can come and go from and to the router without any problem. The first thing that passed through my mind was that this could be a bug in version 17, and I tried many 17 subversions (17.02.xx till 17.05.xx), but the problem still exists. I also tried to skip the encapsulation command from BDI2, since it is already there in the vlan2 service instance, but this did not work even in version 16.
Has anyone run into a similar problem?
Thanks for your time
06-14-2021 12:18 AM
Hello,
That sounds like a bug, somehow, in version 17, but I could not find one that is related. I recall from somewhere that the MAC addresses of the SVI and the corresponding BVI need to be the same, so under the BVI, make sure the command 'mac-address' specifies the exact same MAC address the SVI uses. Not sure if and how this could relate to your specific issue, but it might be worth checking...
06-14-2021 01:54 AM
Hello,
Since we probably read the same thread, it was one of the very first things I tried, but unfortunately no luck.
06-14-2021 03:14 AM
Hello,
That definitely sounds like an undocumented bug. How often do you have to enter that sequence, just once?
router(config-if)# no encapsulation dot1Q 2
router(config-if)# encapsulation dot1Q 2
06-14-2021 06:06 AM
Hello,
You need to do this sequence for every new IP registered in this subnet (DHCP or not). And every time you do it again, all IPs become frozen (...no ping, no data from and to) till you re-enter encapsulation dot1q 2.
If it finally is a bug, I really cannot believe that nobody else has reported it till now.
Regards,
06-14-2021 07:01 AM
Hello,
Odd indeed. Can you post the full running config? Maybe we can spot something that could cause this...
06-14-2021 09:22 AM
Hello,
Took me some time to prepare the configuration for publishing.... Take a look and let me know if you notice something dubious 🙂
!
version 17.3
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 250000
!
hostname myrouter
!
boot-start-marker
boot system flash bootflash:c1100-universalk9.17.03.03.SPA.bin
boot-end-marker
!
enable password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
aaa authentication login default local
aaa authentication ppp default local
aaa authentication dot1x default local
aaa authorization network default local
aaa authorization auth-proxy default local
!
aaa session-id common
clock timezone EET 2 0
clock summer-time EEST recurring last Sun Mar 3:00 last Sun Oct 3:00
no ip gratuitous-arps
!
ip multicast-routing distributed
!
ip nbar protocol-pack bootflash:pp-adv-isr1100-173.1a-40-56.0.0.pack
!
ip name-server 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1
ip domain list ipv6.myISP.com
ip domain name mydomain.com
ip admission proxy http login expired page file flash:expired.htm
ip admission proxy http login page file flash:login.htm
ip admission proxy http success page file flash:success.htm
ip admission proxy http failure page file flash:fail.htm
ip admission init-state-time 5
ip admission inactivity-timer 120
ip admission name web_auth consent inactivity-time 120 list proxy_list
ip admission name web_auth proxy http inactivity-time 120 list proxy_list
ip ddns update method dyndns
 HTTP
  add https://username:password@<s>/v3/update?hostname=<h>&myip=<a>
 interval maximum 0 0 15 0
 interval minimum 0 0 5 0
!
ip cef load-sharing algorithm original
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.192
ip dhcp excluded-address 192.168.2.1 192.168.2.3
!
ip dhcp pool VLAN1
 import all
 network 192.168.1.0 255.255.255.0
 update dns
 default-router 192.168.1.1
 domain-name mydomain.com
 dns-server 192.168.1.68
 lease 0 2
 update arp
!
ip dhcp pool VLAN2
 import all
 network 192.168.2.0 255.255.255.0
 update dns
 default-router 192.168.2.1
 domain-name mydomain.com
 dns-server 8.8.8.8 8.8.4.4
 lease 0 2
 update arp
!
login block-for 180 attempts 3 within 45
login delay 10
login quiet-mode access-class 104
login on-failure log
login on-success log
no ipv6 source-route
ipv6 unicast-routing
ipv6 dhcp pool BDI1_DHCPv6
 import dns-server
 import domain-name
!
subscriber templating
!
vtp mode transparent
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 lcp renegotiation on-mismatch
 l2tp tunnel password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 l2tp tunnel receive-window 128
 ip mtu adjust
!
no device-tracking logging theft
!
password encryption aes
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
!
crypto pki trustpoint TP-self-signed-xxxxxxxxxx
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-xxxxxxxxxxxx
 revocation-check none
 rsakeypair TP-self-signed-xxxxxxxxxxxx
!
crypto pki trustpoint mykey
 enrollment pkcs12
 revocation-check none
 rsakeypair mykeyname
!
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01 nvram:CiscoLicensi#1CA.cer
crypto pki certificate chain TP-self-signed-xxxxxxxxxxxxx
crypto pki certificate chain mykeyname
 certificate 01 nvram:mykeyname#1.cer
 certificate ca XXXXXXXXXXXXXXXXXXX nvram:mykeyname#XXXXXX.cer
!
license feature hseck9
license udi pid C1111-8P sn FCZXXXXXXXX
license boot suite FoundationSuiteK9
license boot level uck9
memory free low-watermark processor 71830
!
object-group fqdn Black_Listed
 pattern myspace\.com
 pattern badurl\.com
 pattern notgood\.com
!
object-group network Cosmote_RTP
 195.167.17.0 255.255.255.0
 195.167.22.0 255.255.255.0
!
object-group network Cosmote_SIP
 195.167.16.0 255.255.255.0
!
object-group network Dyndns_IPs
 host 204.13.248.114
 host 91.198.22.70
 host 216.146.39.70
 host 216.146.38.70
 host 204.2.154.193
 host 204.2.154.194
 host 204.2.154.195
 host 204.2.154.196
 212.118.142.0 255.255.255.0
 103.11.200.0 255.255.255.0
 103.11.201.0 255.255.255.0
 216.146.45.0 255.255.255.0
 162.88.64.0 255.255.192.0
 203.62.195.0 255.255.255.0
 204.13.248.0 255.255.252.0
 204.13.248.0 255.255.254.0
 204.13.250.0 255.255.254.0
 204.13.248.0 255.255.255.0
 204.13.249.0 255.255.255.0
 204.13.250.0 255.255.255.0
 204.13.251.0 255.255.255.0
 208.78.68.0 255.255.252.0
 208.78.68.0 255.255.254.0
 208.78.70.0 255.255.254.0
 208.78.68.0 255.255.255.0
 208.78.69.0 255.255.255.0
 208.78.70.0 255.255.255.0
 208.78.71.0 255.255.255.0
 162.88.57.0 255.255.255.0
 91.198.22.0 255.255.255.0
 204.2.154.192 255.255.255.240
 80.231.219.0 255.255.255.0
 80.231.25.0 255.255.255.0
 103.11.200.0 255.255.252.0
 198.153.192.0 255.255.252.0
 208.76.56.0 255.255.248.0
 216.146.32.0 255.255.240.0
 162.88.58.0 255.255.255.0
 162.88.59.0 255.255.255.0
 162.88.0.0 255.255.192.0
 162.88.0.0 255.255.240.0
 162.88.0.0 255.255.128.0
 162.88.0.0 255.255.248.0
 162.88.0.0 255.255.252.0
 162.88.0.0 255.255.255.0
 162.88.0.0 255.255.224.0
 162.88.0.0 255.255.254.0
 216.146.46.0 255.255.254.0
 216.146.35.0 255.255.255.0
 216.146.34.0 255.255.255.0
 216.146.34.0 255.255.254.0
 216.146.33.0 255.255.255.0
 216.146.32.0 255.255.255.0
 216.146.37.0 255.255.255.0
 216.146.36.0 255.255.255.0
 216.146.36.0 255.255.254.0
 216.146.42.0 255.255.254.0
 198.153.192.0 255.255.254.0
 198.153.192.0 255.255.255.0
 198.153.193.0 255.255.255.0
 198.153.194.0 255.255.254.0
 198.153.194.0 255.255.255.0
 198.153.195.0 255.255.255.0
 208.76.56.0 255.255.255.0
 208.76.57.0 255.255.255.0
 216.146.44.0 255.255.255.0
 216.146.40.0 255.255.255.0
 216.146.38.0 255.255.255.0
 208.76.59.0 255.255.255.0
 208.76.58.0 255.255.255.0
 216.146.41.0 255.255.255.0
 216.146.39.0 255.255.255.0
 216.146.46.0 255.255.255.0
 216.146.47.0 255.255.255.0
 216.146.42.0 255.255.255.0
 216.146.43.0 255.255.255.0
 103.11.202.0 255.255.255.0
 103.11.203.0 255.255.255.0
 199.19.0.0 255.255.248.0
 185.38.96.0 255.255.255.0
 162.88.0.0 255.255.0.0
 162.88.240.0 255.255.252.0
 162.88.244.0 255.255.252.0
 162.88.192.0 255.255.255.0
 162.88.193.0 255.255.255.0
 162.88.194.0 255.255.255.0
 162.88.195.0 255.255.255.0
 162.88.196.0 255.255.252.0
 162.88.200.0 255.255.252.0
 185.38.97.0 255.255.255.0
 162.88.4.0 255.255.255.0
 162.88.36.0 255.255.255.0
 162.88.16.0 255.255.255.0
 162.88.32.0 255.255.255.0
 162.88.48.0 255.255.255.0
 162.88.8.0 255.255.255.0
 162.88.24.0 255.255.255.0
 162.88.40.0 255.255.255.0
 162.88.56.0 255.255.255.0
 108.59.174.0 255.255.255.0
 108.59.175.0 255.255.255.0
 108.59.174.0 255.255.254.0
 162.88.128.0 255.255.224.0
 162.88.160.0 255.255.224.0
 162.88.232.0 255.255.255.0
 162.88.234.0 255.255.255.0
 162.88.60.0 255.255.255.0
 162.88.61.0 255.255.255.0
 162.88.62.0 255.255.255.0
 162.88.63.0 255.255.255.0
 162.88.37.0 255.255.255.0
 162.88.36.0 255.255.254.0
 162.88.5.0 255.255.255.0
 162.88.4.0 255.255.254.0
 162.88.2.0 255.255.255.0
 162.88.18.0 255.255.255.0
 162.88.34.0 255.255.255.0
 162.88.50.0 255.255.255.0
 162.88.52.0 255.255.255.0
 162.88.53.0 255.255.255.0
 162.88.64.0 255.255.252.0
 162.88.68.0 255.255.252.0
 162.88.72.0 255.255.252.0
 162.88.76.0 255.255.252.0
 162.88.80.0 255.255.252.0
 162.88.84.0 255.255.252.0
 162.88.88.0 255.255.252.0
 162.88.92.0 255.255.252.0
 162.88.96.0 255.255.252.0
 162.88.100.0 255.255.252.0
 162.88.104.0 255.255.252.0
 162.88.108.0 255.255.252.0
 162.88.112.0 255.255.252.0
 162.88.116.0 255.255.252.0
 162.88.120.0 255.255.252.0
 162.88.124.0 255.255.252.0
 162.88.6.0 255.255.255.0
 162.88.40.0 255.255.252.0
 195.160.237.0 255.255.255.0
 162.88.12.0 255.255.252.0
 162.88.12.0 255.255.255.0
 162.88.13.0 255.255.255.0
 162.88.14.0 255.255.255.0
 162.88.15.0 255.255.255.0
 195.160.236.0 255.255.252.0
 162.88.11.0 255.255.255.0
 162.88.254.0 255.255.255.0
 162.88.253.0 255.255.255.0
 162.88.240.0 255.255.248.0
 162.88.248.0 255.255.248.0
 162.88.244.0 255.255.255.0
 162.88.247.0 255.255.255.0
 162.88.24.0 255.255.252.0
 162.88.28.0 255.255.252.0
 162.88.20.0 255.255.255.0
 131.186.0.0 255.255.0.0
!
object-group network Netflix_IPs
 69.53.224.0 255.255.224.0
 208.75.76.0 255.255.252.0
 37.77.184.0 255.255.248.0
 208.75.76.0 255.255.255.0
 208.75.77.0 255.255.255.0
 208.75.78.0 255.255.255.0
 208.75.79.0 255.255.255.0
 108.175.32.0 255.255.240.0
 198.38.96.0 255.255.224.0
 198.45.48.0 255.255.240.0
 185.2.220.0 255.255.252.0
 185.2.220.0 255.255.255.0
 185.2.221.0 255.255.255.0
 192.173.64.0 255.255.192.0
 23.246.0.0 255.255.192.0
 185.9.188.0 255.255.252.0
 198.38.116.0 255.255.255.0
 198.38.117.0 255.255.255.0
 198.38.118.0 255.255.255.0
 198.38.119.0 255.255.255.0
 198.38.120.0 255.255.255.0
 198.38.121.0 255.255.255.0
 45.57.0.0 255.255.128.0
 64.120.128.0 255.255.128.0
 66.197.128.0 255.255.128.0
 23.246.20.0 255.255.255.0
 23.246.30.0 255.255.255.0
 23.246.31.0 255.255.255.0
 69.53.242.0 255.255.255.0
 45.57.42.0 255.255.255.0
 45.57.16.0 255.255.255.0
 45.57.17.0 255.255.255.0
 45.57.74.0 255.255.255.0
 45.57.75.0 255.255.255.0
 23.246.50.0 255.255.255.0
 45.57.78.0 255.255.255.0
 45.57.79.0 255.255.255.0
 45.57.60.0 255.255.255.0
 37.77.186.0 255.255.255.0
 37.77.187.0 255.255.255.0
 23.246.55.0 255.255.255.0
 45.57.72.0 255.255.255.0
 45.57.73.0 255.255.255.0
 37.77.184.0 255.255.254.0
 37.77.186.0 255.255.254.0
 37.77.188.0 255.255.254.0
 23.246.15.0 255.255.255.0
 108.175.47.0 255.255.255.0
 23.246.29.0 255.255.255.0
 23.246.28.0 255.255.255.0
!
object-group network YOUTUBE.RTMP
 173.194.0.0 255.255.0.0
 74.125.0.0 255.255.0.0
 104.132.0.0 255.255.0.0
 130.211.0.0 255.255.0.0
 172.217.0.0 255.255.0.0
 172.253.0.0 255.255.0.0
 142.250.0.0 255.255.0.0
 216.58.0.0 255.255.0.0
!
object-group network feedback-from-otenet-ftp
 host 192.168.1.12
 host 192.168.1.33
 host 192.168.1.43
 host 192.168.1.68
 host 192.168.1.69
 host 192.168.1.190
!
diagnostic bootup level minimal
!
no spanning-tree bridge assurance
spanning-tree extend system-id
!
mac access-list extended MACAllowedVLAN1
 permit host aaaa.bbbb.cccc any
 permit host aaaa.bbbb.cccc any
 permit host aaaa.bbbb.cccc any
 permit host aaaa.bbbb.cccc any
 permit host aaaa.bbbb.cccc any
 permit host aaaa.bbbb.cccc any
 permit host aaaa.bbbb.cccc any
 permit host aaaa.bbbb.cccc any
 permit host aaaa.bbbb.cccc any
 deny any any
mac access-list extended MACDeniedVLAN2
 deny host aaaa.bbbb.cccc any
 permit any any
!
fallback profile web_auth_profile
 ip access-group preauth_list in
 ip admission web_auth
!
username USER aaa attribute list auth_list privilege 0 user-maxlinks 1 password 0 PASSWORD
!
redundancy
 mode none
!
bridge-domain 1
bridge-domain 2
!
vlan dot1q tag native
vlan internal allocation policy ascending
!
vlan 2
 name Guests
!
vlan 4
 name LTE6
!
no cdp run
!
track 10 ip sla 1 reachability
 delay down 10 up 10
!
track 20 ip sla 2 reachability
 delay down 10 up 10
!
track 40 ip sla 4 reachability
 delay down 10 up 10
!
class-map match-all CAMERADATA
 match access-group name OTENET
class-map type inspect match-any VPN_ACCESS
 match protocol pptp
 match protocol l2tp
 match protocol ipsec-msft
class-map match-any PEER2PEER
 match protocol fasttrack
 match protocol gnutella
 match protocol bittorrent
 match protocol bittorrent-networking
 match protocol encrypted-bittorrent
 match protocol edonkey
 match protocol edonkey-static
 match protocol kazaa2
class-map type inspect match-any Web_Protocol
 match protocol http
 match protocol https
class-map type inspect match-any Outbound
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol ftp
 match protocol dns
 match protocol https
 match protocol sip
 match protocol ntp
class-map type inspect match-any Access_Protocols
 match protocol x11
 match protocol dns
 match protocol ntp
 match protocol ssh
 match protocol http
 match protocol https
class-map type inspect match-any My_Safe_Targets_Feedbacks
 match access-group name COSMOTE_FEEDBACK
 match access-group name OTENET_FEEDBACK
 match access-group name VPN_TRAFFIC_FEEDBACK
class-map match-any YOUTUBEUPLOAD
 match access-group name YOUTUBE
class-map type inspect match-any My_Safe_Targets
 match access-group name COSMOTE
 match access-group name OTENET
 match access-group name VPN_TRAFFIC
class-map match-any VoIP-SIG
 match ip dscp cs5
 match ip dscp af31
 match protocol sip
class-map type inspect match-any bad-urls
 match access-group 190
class-map match-all VoIP-RTP
 match ip dscp ef
class-map match-any Forbidden4guests
 match access-group name YOUTUBE
 match access-group name YOUTUBEMOB
class-map type inspect match-any Access
 match class-map Access_Protocols
 match access-group name AllowedIn
 match class-map VPN_ACCESS
!
policy-map type inspect Out2In
 class type inspect My_Safe_Targets_Feedbacks
  pass
 class type inspect Access
  inspect
 class class-default
  drop log
policy-map type inspect In2Out4Guests
 class type inspect Web_Protocol
  inspect
 class type inspect Outbound
  inspect
 class class-default
  drop log
policy-map type inspect In2Out
 class type inspect My_Safe_Targets
  pass
 class type inspect bad-urls
  drop
 class type inspect Web_Protocol
  inspect
 class type inspect Outbound
  inspect
 class class-default
  drop log
policy-map type inspect Pptp2In
 class type inspect Outbound
  inspect
 class class-default
  drop
policy-map guest-fw
 class PEER2PEER
  police 8000 1000 1000 conform-action drop exceed-action drop violate-action drop
 class Forbidden4guests
  police 8000 1000 1000 conform-action drop exceed-action drop violate-action drop
policy-map voice-and-data-4-ethernet
 description Attension: On ATA186 TOS value must be 0x0000A0B8
 class VoIP-SIG
  priority percent 3
 class VoIP-RTP
  priority percent 5
 class CAMERADATA
  priority percent 10
 class YOUTUBEUPLOAD
  priority percent 71
 class class-default
  fair-queue
!
zone security Inside
 description Inside network
zone security Outside
 description Outside network
zone security InsideGuests
 description Inside network for Guests only
zone security pptp
 description Inside for PPTP
zone-pair security In2Out source Inside destination Outside
 service-policy type inspect In2Out
zone-pair security In2Out4Guests source InsideGuests destination Outside
 service-policy type inspect In2Out4Guests
zone-pair security Out2In source Outside destination Inside
 service-policy type inspect Out2In
zone-pair security Pptp2In source pptp destination Inside
 service-policy type inspect Pptp2In
!
crypto isakmp policy 1
 encryption 3des
 hash md5
 group 2
 lifetime 7200
!
crypto isakmp policy 5
 encryption 3des
 authentication pre-share
 group 2
 lifetime 10000
crypto isakmp key 6 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA address 0.0.0.0 no-xauth
crypto isakmp identity dn
crypto isakmp keepalive 20 5
!
crypto ipsec transform-set STRONG esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec transform-set L2TP-TS esp-3des esp-sha-hmac
 mode transport
crypto ipsec df-bit clear
!
crypto ipsec profile myprofile
 set security-association lifetime seconds 900
 set transform-set STRONG L2TP-TS
!
crypto identity myprofile
 dn cn=mydomain.com
 dn o=COMPANYNAME
 dn l=CITY
 dn st=STATE
 dn c=CC
 dn e=me@mydomain.com
!
crypto dynamic-map dynvpn 5
 set nat demux
 set transform-set L2TP-TS
 qos pre-classify
!
crypto map CRYPTOMAP 5 ipsec-isakmp dynamic dynvpn
!
bridge irb
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip directed-broadcast
 ip mtu 1394
 ip nhrp map multicast XX.XXX.XXX.XXX
 ip nhrp map 10.0.0.1 XX.XXX.XXX.XXX
 ip nhrp network-id 99
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.0.1
 ip access-group 105 in
 zone-member security Inside
 ip tcp adjust-mss 1354
 qos pre-classify
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key XXXXX
 tunnel protection ipsec profile myprofile
!
interface GigabitEthernet0/0/0
 bandwidth 4999
 bandwidth receive 25000
 no ip address
 media-type rj45
 negotiation auto
 spanning-tree portfast disable
 service-policy output voice-and-data-4-ethernet
!
interface GigabitEthernet0/0/0.835
 encapsulation dot1Q 835 native
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/0/1
 bandwidth 2700
 bandwidth receive 22000
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 media-type rj45
 negotiation auto
 pppoe enable group global
 pppoe-client dial-pool-number 2
 spanning-tree portfast disable
!
interface GigabitEthernet0/1/0
 switchport mode trunk
!
interface GigabitEthernet0/1/1
 no ip address
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Virtual-Template1
 ip unnumbered BDI1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip verify unicast source reachable-via rx
 zone-member security pptp
 ip tcp header-compression
 ip tcp adjust-mss 1376
 peer default ip address dhcp-pool VLAN1
 qos pre-classify
 no keepalive
 ppp mtu adaptive
 ppp encrypt mppe auto
 ppp authentication ms-chap ms-chap-v2 chap
 ppp ipcp header-compression ack
 ppp ipcp address required
 ppp ipcp address unique
 ip virtual-reassembly
!
interface Vlan1
 no ip address
 no autostate
 service instance 1 ethernet
  encapsulation untagged , dot1q 1
  mac access-group MACAllowedVLAN1 in
  bridge-domain 1
!
interface Vlan2
 no ip address
 no autostate
 service instance 2 ethernet
  encapsulation dot1q 2
  rewrite ingress tag pop 1 symmetric
  mac access-group MACDeniedVLAN2 in
  bridge-domain 2
!
interface Vlan4
 description LTE6
 bandwidth 4500
 bandwidth receive 30000
 ip address 192.168.5.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 zone-member security Outside
 ip virtual-reassembly
!
interface Dialer1
 description connected to Internet through Gig0/0/0
 mtu 1492
 ip ddns update hostname xxxxxxx.dyndns.org
 ip ddns update dyndns host members.dyndns.org
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 zone-member security Outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 1
 no cdp enable
 ipv6 address autoconfig default
 ipv6 enable
 ipv6 dhcp client pd ASSIGNED-PREFIX
 ipv6 verify unicast reverse-path
 ipv6 traffic-filter IPV6IN in
 ppp authentication chap pap callin
 ppp chap hostname xxxx@xxxxxxx.xx
 ppp chap password 7 xxxxxxxxxxxxxxxxxxxx
 ppp pap sent-username xxxx@xxxxxx.xx password 7 xxxxxxxxxxxxxxx
 ppp ipcp dns request accept
 crypto map CRYPTOMAP
 ip virtual-reassembly
!
interface Dialer2
 description connected to Internet through Gig0/0/0
 mtu 1492
 ip ddns update hostname yyyyyyyyyyyyy.dyndns.org
 ip ddns update dyndns host members.dyndns.org
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 zone-member security Outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 2
 dialer idle-timeout 0
 dialer-group 2
 no cdp enable
 ipv6 address autoconfig
 ipv6 enable
 ipv6 dhcp client pd ASSIGNED-PREFIX-DIALER2
 ipv6 verify unicast reverse-path
 ipv6 traffic-filter IPV6IN in
 ppp authentication chap pap callin
 ppp chap hostname xxxx@xxxxxxx.xx
 ppp chap password 7 xxxxxxxxxxxxxxxxxxxx
 ppp pap sent-username xxxx@xxxxxx.xx password 7 xxxxxxxxxxxxxxx
 ppp ipcp dns request accept
 crypto map CRYPTOMAP
 ip virtual-reassembly
!
interface BDI1
 mac-address 7cad.4f0b.08f4
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip mtu 1476
 ip nat inside
 ip access-group 100 in
 ip access-group 122 out
 zone-member security Inside
 ip tcp adjust-mss 1436
 ip policy route-map NAT-RETURN-BDI1
 ipv6 address ASSIGNED-PREFIX-DIALER2 ::/64 eui-64
 ipv6 address ASSIGNED-PREFIX ::/64 eui-64
 ipv6 enable
 ipv6 nd other-config-flag
 ipv6 dhcp server BDI1_DHCPv6
 ipv6 verify unicast reverse-path
 ip virtual-reassembly
!
interface BDI2
 mac-address 7cad.4f0b.08f4
 device-tracking
 ip address 192.168.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip mtu 1476
 ip nat inside
 zone-member security InsideGuests
 ip tcp adjust-mss 1436
 encapsulation dot1Q 2
 authentication order webauth
 authentication fallback web_auth_profile
 service-policy input guest-fw
 ip virtual-reassembly
!
router bgp 65002
 bgp router-id 10.0.0.1
 bgp log-neighbor-changes
 network 192.168.1.0
 network 192.168.2.0
 neighbor 10.0.0.1 remote-as 65001
!
ip http server
ip http authentication local
ip http secure-server
ip forward-protocol nd
ip tftp blocksize 8192
ip dns server
ip nat translation port-timeout udp 5060 1800
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source static tcp 192.168.1.XX 6000 interface Dialer1 XXXXXX
ip nat inside source static tcp 192.168.1.XX 22 interface Dialer1 XXXXXXX
ip nat inside source static udp 192.168.1.XX 5060 interface Dialer1 XXXXXX
ip nat inside source route-map main interface Dialer1 overload
ip nat inside source route-map metroback interface Dialer2 overload
ip nat inside source route-map wlte6 interface Vlan4 overload
ip route 0.0.0.0 0.0.0.0 Dialer1 track 10
ip route 0.0.0.0 0.0.0.0 Dialer2 track 20
ip route 0.0.0.0 0.0.0.0 Vlan4 192.168.5.1 track 40
ip route 8.8.8.8 255.255.255.255 Dialer1
ip route 1.1.1.1 255.255.255.255 Dialer1
ip route 195.167.16.0 255.255.255.0 Dialer1
ip route 195.167.17.0 255.255.255.0 Dialer1
ip route 195.167.22.0 255.255.255.0 Dialer1
ip route 212.205.212.205 255.255.255.255 Dialer1
ip route 1.0.0.1 255.255.255.255 Dialer2
ip route 8.8.4.4 255.255.255.255 Dialer2
ip route 195.170.0.1 255.255.255.255 Dialer2
ip route 208.67.222.222 255.255.255.255 Vlan4 192.168.5.1
ip route 213.249.29.116 255.255.255.255 Vlan4 192.168.5.1
ip ssh rsa keypair-name mykeynane
ip ssh logging events
ip ssh version 2
ip ssh pubkey-chain
  username myusername
   key-hash ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
no ip ssh server authenticate user keyboard
no ip ssh server authenticate user password
!
ip access-list extended AllowedIn
 10 permit ip host xx.xxx.xxx.xxx any
 20 permit tcp any any eq xxxxxx
 40 permit 58 any any
 50 permit 41 any any
 60 permit icmp any any host-unreachable
 70 permit icmp any any port-unreachable
 80 permit icmp any any ttl-exceeded
 90 permit icmp any any packet-too-big
 100 permit icmp any any echo-reply
 110 permit icmp any any time-exceeded
 120 permit icmp any any unreachable
ip access-list extended COSMOTE
 10 permit udp any object-group Cosmote_SIP eq 5060
 20 permit icmp any object-group Cosmote_SIP
 30 permit udp any range 8500 12000 object-group Cosmote_RTP
 40 permit icmp any object-group Cosmote_RTP
ip access-list extended COSMOTE_FEEDBACK
 10 permit udp object-group Cosmote_SIP eq 5060 any
 20 permit icmp object-group Cosmote_SIP any
 30 permit udp object-group Cosmote_RTP any range 8500 12000
 40 permit icmp object-group Cosmote_RTP any
ip access-list extended OTENET
 10 permit tcp any host 195.170.8.34 eq ftp
 20 permit tcp any host 195.170.8.34 eq ftp-data
 30 permit icmp any host 195.170.8.34
ip access-list extended OTENET_FEEDBACK
 10 permit tcp host 195.170.8.34 eq ftp object-group feedback-from-otenet-ftp
 20 permit tcp host 195.170.8.34 eq ftp-data object-group feedback-from-otenet-ftp
 30 permit icmp host 195.170.8.34 object-group feedback-from-otenet-ftp
ip access-list extended RUT955_TRAFFIC
 10 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
ip access-list extended VPN_TRAFFIC
 10 permit gre any any
 20 permit esp any any
 30 permit ahp any any
 40 permit udp any any eq isakmp
 50 permit udp any any eq non500-isakmp
 60 permit tcp any any eq 1723
 70 permit udp any any eq 1701
 80 permit ip any 192.168.4.0 0.0.0.255
ip access-list extended VPN_TRAFFIC_FEEDBACK
 10 permit udp any eq isakmp any
 20 permit udp any eq non500-isakmp any
 30 permit tcp any eq 1723 any
 40 permit udp any eq 1701 any
 50 permit ip 192.168.4.0 0.0.0.255 any
ip access-list extended YOUTUBE
 10 permit tcp any object-group YOUTUBE.RTMP eq 1935
ip access-list extended YOUTUBE_FEEDBACK
 permit tcp object-group YOUTUBE.RTMP eq 1935 any
ip access-list extended YOUTUBEMOB
 10 permit udp any object-group YOUTUBE.RTMP eq 19305
ip access-list extended YOUTUBEMOB_FEEDBACK
 permit udp object-group YOUTUBE.RTMP eq 19305 any
ip access-list extended NAT-FEEDBACK-BDI1
 10 permit tcp host 192.168.1.XX eq 6000 any
 20 permit tcp host 192.168.1.XX eq 22 any
 30 permit udp host 192.168.1.XX eq 5060 any
 40 permit udp host 192.168.1.XX range XXXXX XXXXX any
 50 permit tcp host 192.168.1.XX any eq 1935
ip access-list extended NAT-INSIDE
 10 permit ip 192.168.1.0 0.0.0.255 any
 20 permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended NAT-DENY-VLAN4
 10 permit udp host 192.168.1.1 any eq ntp
 20 permit ip host 192.168.1.XX any
ip access-list extended proxy_list
 10 permit ip 192.168.2.0 0.0.0.255 any
 20 deny ip any any
ip access-list extended preauth_list
 10 permit udp any any range bootps bootpc
 20 permit udp any any eq domain
 125 deny ip any object-group Netflix_IPs
 130 deny ip any host 213.249.29.116
 135 deny ip any 192.168.0.0 0.0.0.255
 140 deny ip any 192.168.1.0 0.0.0.255
 150 deny ip any 192.168.2.0 0.0.0.255
 170 deny ip any 192.168.4.0 0.0.0.255
 175 deny ip any 192.168.5.0 0.0.0.255
 220 deny ip host 255.255.255.255 any
 230 deny ip 127.0.0.0 0.255.255.255 any
!
ip sla 1
 icmp-echo 8.8.8.8 source-interface Dialer1
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 8.8.4.4 source-interface Dialer2
 frequency 10
ip sla schedule 2 life forever start-time now
ip sla 4
 icmp-echo 208.67.222.222 source-interface Vlan4
 frequency 10
ip sla schedule 4 life forever start-time now
ip access-list extended 100
 10 deny ip host 192.168.1.7 any
 20 deny ip any 192.168.2.0 0.0.0.255
 35 permit tcp any host 192.168.5.1 eq 8291
 38 deny ip any 192.168.5.0 0.0.0.255
 80 deny ip host 255.255.255.255 any
 90 deny ip 127.0.0.0 0.255.255.255 any
 100 permit ip any any
ip access-list extended 104
 10 deny ip 192.168.2.0 0.0.0.255 any
 30 permit ip 192.168.0.0 0.0.0.255 any
 40 permit ip 192.168.1.0 0.0.0.255 any
 60 permit ip 192.168.4.0 0.0.0.255 any
 65 permit ip 192.168.5.0 0.0.0.255 any
 90 permit tcp any any eq 22
 100 deny ip any any
ip access-list extended 105
 10 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 20 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
 30 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
 40 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
 50 permit ip 10.0.0.0 0.0.0.255 any
 60 permit ip any 10.0.0.0 0.0.0.255
 70 deny ip any any
ip access-list extended 111
 10 permit ip any any
ip access-list extended 112
 10 permit ip any any
ip access-list extended 122
 10 permit ip any any
ip access-list extended 190
 10 deny ip 192.168.0.0 0.0.255.255 fqdn-group Black_Listed
arp 192.168.1.XX xxxx.xxxx.xxxx ARPA
arp 192.168.1.XX xxxx.xxxx.xxxx ARPA
arp 192.168.1.XX xxxx.xxxx.xxxx ARPA
arp 192.168.1.XX xxxx.xxxx.xxxx ARPA
arp 192.168.1.XX xxxx.xxxx.xxxx ARPA
arp 192.168.1.XX xxxx.xxxx.xxxx ARPA
arp 192.168.1.XX xxxx.xxxx.xxxx ARPA
arp 192.168.1.XX xxxx.xxxx.xxxx ARPA
arp 192.168.1.XX xxxx.xxxx.xxxx ARPA
arp 192.168.1.XX xxxx.xxxx.xxxx ARPA
arp 192.168.1.XX xxxx.xxxx.xxxx ARPA
arp 192.168.1.XX xxxx.xxxx.xxxx ARPA
arp 192.168.1.XX xxxx.xxxx.xxxx ARPA
arp 192.168.1.XX xxxx.xxxx.xxxx ARPA
arp 192.168.1.XX xxxx.xxxx.xxxx ARPA
arp 192.168.1.XX xxxx.xxxx.xxxx ARPA
arp 192.168.1.XX xxxx.xxxx.xxxx ARPA
arp 192.168.1.XX xxxx.xxxx.xxxx ARPA
arp 192.168.1.XX xxxx.xxxx.xxxx ARPA
dialer-list 1 protocol ip list 111
dialer-list 2 protocol ip list 112
ipv6 route 2001:4860:4860::8844/128 Dialer2
ipv6 route 2606:4700:4700::1001/128 Dialer2
ipv6 route 2A02:587:101:0:195:170:0:1/128 Dialer2
ipv6 route ::/0 Dialer1
ipv6 route ::/0 Dialer2
!
route-map main permit 10
 match ip address NAT-INSIDE
 match interface Dialer1
!
route-map metroback permit 10
 match ip address NAT-INSIDE
 match interface Dialer2
!
route-map wlte6 deny 10
 match ip address NAT-DENY-VLAN4 YOUTUBE YOUTUBEMOB
 match interface Vlan4
!
route-map wlte6 permit 20
 match ip address NAT-INSIDE
 match interface Vlan4
!
route-map NAT-RETURN-BDI1 permit 10
 match ip address NAT-FEEDBACK-BDI1
 set interface Dialer1
!
ipv6 access-list IPV6IN
 sequence 10 permit tcp any any established
 sequence 20 permit udp any eq domain any gt 1023
 sequence 30 permit udp FE80::/10 any
 sequence 40 permit icmp 2A02:587::/32 any
 sequence 50 remark -- permit some more icmp
 sequence 60 permit icmp any any echo-request
 sequence 70 permit icmp any any echo-reply
 sequence 80 permit icmp any any packet-too-big
 sequence 90 permit icmp any any time-exceeded
 sequence 100 permit icmp any any nd-na
 sequence 110 permit icmp any any nd-ns
 sequence 120 permit icmp any any router-advertisement
 sequence 130 permit icmp any any router-solicitation
 sequence 140 remark -- permit ntp protocol
 sequence 150 permit udp any eq ntp any eq ntp
 sequence 160 remark -- deny all other
 sequence 170 deny ipv6 any any log
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
 exec-timeout 60 0
 privilege level 15
 transport input none
 stopbits 1
 speed 115200
line vty 0 4
 access-class 104 in
 exec-timeout 900 0
 privilege level 15
 length 0
 transport preferred ssh
 transport input telnet ssh
!
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
ntp source Dialer1
ntp server 130.149.17.8
ntp server 193.93.167.241
ntp server 141.89.226.2
ntp server 79.107.99.220
ntp server 129.132.2.21
ntp server 130.149.17.21
ntp server 192.36.143.150
ntp server 150.254.183.15
ntp server 192.108.114.23
ntp server 192.36.143.151
!
event manager applet Dialer1Down
 event track 10 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "conf t"
 action 3.0 cli command "no ip route 0.0.0.0 0.0.0.0 Dialer1 track 10"
 action 4.0 cli command "exit"
 action 5.0 cli command "clear ip nat translation forced"
 action 6.0 cli command "end"
event manager applet Dialer1Up
 event track 10 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "conf t"
 action 3.0 cli command "ip route 0.0.0.0 0.0.0.0 Dialer1 track 10"
 action 4.0 cli command "exit"
 action 5.0 cli command "clear ip nat translation forced"
 action 6.0 cli command "end"
event manager applet Dialer2Down
 event track 20 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "conf t"
 action 3.0 cli command "no ip route 0.0.0.0 0.0.0.0 Dialer2 track 20"
 action 4.0 cli command "exit"
 action 5.0 cli command "clear ip nat translation forced"
 action 6.0 cli command "end"
event manager applet Dialer2Up
 event track 20 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "conf t"
 action 3.0 cli command "ip route 0.0.0.0 0.0.0.0 Dialer2 track 20"
 action 4.0 cli command "exit"
 action 5.0 cli command "clear ip nat translation forced"
 action 6.0 cli command "end"
event manager applet Vlan4Down
 event track 40 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "conf t"
 action 3.0 cli command "no ip route 0.0.0.0 0.0.0.0 Vlan4 192.168.5.1 track 40"
 action 4.0 cli command "exit"
 action 5.0 cli command "clear ip nat translation forced"
 action 6.0 cli command "end"
event manager applet Vlan4Up
 event track 40 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "conf t"
 action 3.0 cli command "ip route 0.0.0.0 0.0.0.0 Vlan4 192.168.5.1 track 40"
 action 4.0 cli command "exit"
 action 5.0 cli command "clear ip nat translation forced"
 action 6.0 cli command "end"
!
end