02-23-2023 07:33 AM - last edited on 04-27-2023 09:39 PM by Translator
ISR4451
PPPoE Connection via VI2.1 10.130.1.67
ping to 10.130.1.67 doesn't work
I don't quite understand what I traced here, but it seems to be a trace of source 10.0.0.250 to 10.130.1.67 icmp
All packets to 10.130.1.67 seem to get dropped.
Why is that?
#show platform packet-trace sum
Pkt Input Output State Reason
0 Gi0/0/1 EV14 DROP 109 (EssUnsupPktType)
1 Gi0/0/1 EV14 DROP 109 (EssUnsupPktType)
...
#show platform packet-trace packet 2
Packet: 2 CBUG ID: 90
Summary
Input : GigabitEthernet0/0/1
Output : EVSI14
State : DROP 109 (EssUnsupPktType)
Timestamp
Start : 3890590644379626 ns (02/23/2023 15:20:28.325542 UTC)
Stop : 3890590644395506 ns (02/23/2023 15:20:28.325558 UTC)
Path Trace
Feature: IPV4(Input)
Input : GigabitEthernet0/0/1
Output : <unknown>
Source : 10.0.0.250
Destination : 10.130.1.67
Protocol : 1 (ICMP)
Feature: DEBUG_COND_INPUT_PKT
Entry : Input - 0x11460100
Input : GigabitEthernet0/0/1
Output : <unknown>
Lapsed time : 2040 ns
Feature: IPV4_INPUT_DST_LOOKUP_CONSUME
Entry : Input - 0x1145fe74
Input : GigabitEthernet0/0/1
Output : <unknown>
Lapsed time : 3220 ns
Feature: IPV4_INPUT_FOR_US_MARTIAN
Entry : Input - 0x1145fe20
Input : GigabitEthernet0/0/1
Output : <unknown>
Lapsed time : 2200 ns
Feature: IPV4_INPUT_VFR
Entry : Input - 0x1145fd3c
Input : GigabitEthernet0/0/1
Output : <unknown>
Lapsed time : 4260 ns
Feature: IPV4_INPUT_LOOKUP_PROCESS
Entry : Input - 0x1145fdd8
Input : GigabitEthernet0/0/1
Output : EVSI14
Lapsed time : 14860 ns
Feature: IPV4_INPUT_IPOPTIONS_PROCESS
Entry : Input - 0x1145fe04
Input : GigabitEthernet0/0/1
Output : EVSI14
Lapsed time : 1800 ns
Feature: IPV4_INPUT_GOTO_OUTPUT_FEATURE
Entry : Input - 0x1145fe14
Input : GigabitEthernet0/0/1
Output : EVSI14
Lapsed time : 10620 ns
Feature: CBUG_OUTPUT_FIA
Entry : Output - 0x11460284
Input : GigabitEthernet0/0/1
Output : EVSI14
Lapsed time : 1840 ns
Feature: MC_OUTPUT_GEN_RECYCLE
Entry : Output - 0x1146029c
Input : GigabitEthernet0/0/1
Output : EVSI14
Lapsed time : 2620 ns
Feature: IPV4_OUTPUT_THREAT_DEFENSE
Entry : Output - 0x1145fb00
Input : GigabitEthernet0/0/1
Output : EVSI14
Lapsed time : 3740 ns
Feature: IPV4_VFR_REFRAG
Entry : Output - 0x11460290
Input : GigabitEthernet0/0/1
Output : EVSI14
Lapsed time : 1200 ns
Feature: IPV4_OUTPUT_L2_REWRITE
Entry : Output - 0x1145fb64
Input : GigabitEthernet0/0/1
Output : EVSI14
Lapsed time : 13740 ns
Feature: IPV4_OUTPUT_LTERM_PREPARE_ESS
Entry : Output - 0x1145fb58
Input : GigabitEthernet0/0/1
Output : EVSI14
Lapsed time : 7440 ns
Feature: ESS_APPLY_ENCAP
Entry : Output - 0x1145ffec
Input : GigabitEthernet0/0/1
Output : EVSI14
Lapsed time : 4100 ns
Feature: ESF_DOWNSTREAM_IDLE_TIMEOUT
Entry : Output - 0x11460088
Input : GigabitEthernet0/0/1
Output : EVSI14
Lapsed time : 9940 ns
Feature: IPV4_OUTPUT_FRAG
Entry : Output - 0x1145fb9c
Input : GigabitEthernet0/0/1
Output : EVSI14
Lapsed time : 1020 ns
Feature: IPV4_TUNNEL_OUTPUT_FNF_FINAL
Entry : Output - 0x1145fab8
Input : GigabitEthernet0/0/1
Output : EVSI14
Lapsed time : 2480 ns
Feature: OUTPUT_DROP
Entry : Output - 0x1145f484
Input : GigabitEthernet0/0/1
Output : EVSI14
Lapsed time : 1480 ns
Feature: ESS_EXIT_SWITCHING
Entry : Output - 0x11460240
Input : GigabitEthernet0/0/1
Output : EVSI14
Lapsed time : 113380 ns
02-23-2023 03:28 PM - last edited on 04-27-2023 09:41 PM by Translator
Perhaps you would post the config of the router (disguising any sensitive information such as Public IP). It would also be helpful to see the output of these commands
show ip interface brief
show ip route
show arp
02-23-2023 11:34 PM - last edited on 04-27-2023 09:41 PM by Translator
#show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0/0 x.x.x.x YES NVRAM up up
GigabitEthernet0/0/1 10.0.137.5 YES NVRAM up up
GigabitEthernet0/0/2 192.168.2.5 YES NVRAM up up
GigabitEthernet0/0/3 192.168.3.5 YES NVRAM up up
GigabitEthernet0 10.0.0.11 YES NVRAM down down
Loopback1 10.130.0.3 YES NVRAM up up
Loopback2 x.x.x.x YES manual up up
Virtual-Access1 unassigned YES unset down down
Virtual-Access2 unassigned YES unset up up
Virtual-Access2.1 10.130.0.3 YES unset up up
Virtual-Access3 unassigned YES unset down down
Virtual-Template1 10.130.0.3 YES unset down down
!GE0/0/1 is the destination of the ping and the source of the ping reply
!VI2.1 is where the ping is coming from and where the reply should be going
!Virtual-Template1 is the template for VI2.1
!There is an L2TP Tunnel over which vi2.1 is dialling in on GE0/0/0
#show ip route connected
Gateway of last resort is x.x.x.x to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 2845 subnets, 6 masks
C 10.0.137.0/24 is directly connected, GigabitEthernet0/0/1
L 10.0.137.5/32 is directly connected, GigabitEthernet0/0/1
C 10.130.0.3/32 is directly connected, Loopback1
C 10.130.1.67/32 is directly connected, Virtual-Access2.1
x.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C x.x.x.x/30 is directly connected, GigabitEthernet0/0/0
L x.x.x.x/32 is directly connected, GigabitEthernet0/0/0
C x.x.x.x/30 is directly connected, Loopback2
L x.x.x.x/32 is directly connected, Loopback2
192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.2.4/30 is directly connected, GigabitEthernet0/0/2
L 192.168.2.5/32 is directly connected, GigabitEthernet0/0/2
192.168.3.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.3.4/30 is directly connected, GigabitEthernet0/0/3
L 192.168.3.5/32 is directly connected, GigabitEthernet0/0/3
!Interface vi2.1 address is assigned via Radius and the routing displayed is correct
#show ip route static
Gateway of last resort is x.x.x.x to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via x.x.x.x
10.0.0.0/8 is variably subnetted, 2845 subnets, 6 masks
S 10.0.0.0/9 [1/0] via 10.0.137.1
S 172.16.0.0/15 [1/0] via 10.0.137.1
S 172.28.0.0/14 [1/0] via 10.0.137.1
#show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.0.137.1 0 000d.b95a.5c79 ARPA GigabitEthernet0/0/1
Internet 10.0.137.2 0 000d.b95a.5ef1 ARPA GigabitEthernet0/0/1
Internet 10.0.137.5 - 5c71.0d6d.3221 ARPA GigabitEthernet0/0/1
Internet 10.0.137.8 1 244b.feb8.d970 ARPA GigabitEthernet0/0/1
Internet 10.0.137.55 29 0090.e89b.cfdd ARPA GigabitEthernet0/0/1
Internet 10.0.137.56 23 0090.e89b.cfde ARPA GigabitEthernet0/0/1
Internet x.x.x.x 117 08ec.f560.966b ARPA GigabitEthernet0/0/0
Internet x.x.x.x - 5c71.0d6d.3220 ARPA GigabitEthernet0/0/0
Internet 192.168.2.5 - 5c71.0d6d.3222 ARPA GigabitEthernet0/0/2
Internet 192.168.2.6 102 244b.feb8.d96f ARPA GigabitEthernet0/0/2
Internet 192.168.3.5 - 5c71.0d6d.3223 ARPA GigabitEthernet0/0/3
# show ip interface vi2.1
Virtual-Access2.1 is up, line protocol is up
Interface is unnumbered. Using address of Loopback1 (10.130.0.3)
Broadcast address is 255.255.255.255
Peer address is 10.130.1.67
MTU is 1300 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing Common access list is not set
Outgoing access list is 130
Inbound Common access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP Null turbo vector
Associated unicast routing topologies:
Topology "base", operation state is UP
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: Virtual Fragment Reassembly, iEdge, MCI Check
Output features: iEdge
IPv4 WCCP Redirect outbound is disabled
IPv4 WCCP Redirect inbound is disabled
IPv4 WCCP Redirect exclude is disabled
!even though this is using Access-list 130 outgoing that doesn't get any hits, not even if I use a catchall
!I snipped away irrelevant bits of the config
#show run
Building configuration...
!snip
version 16.9
service timestamps debug datetime localtime year
service timestamps log datetime localtime year
service password-encryption
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname sxxxx
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging count
logging buffered 32768
no logging console
enable secret 5 xxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa group server radius VPDN
server name xxx
server name xxx
server name xxx
!
aaa authentication login default local
aaa authentication ppp default group radius
aaa authorization exec default local none
aaa authorization commands 15 default if-authenticated
aaa authorization network VPDN group radius
aaa accounting send stop-record authentication failure
aaa accounting delay-start
aaa accounting update periodic 5
aaa accounting network default start-stop group radius
!
!
!
!
!
!
aaa session-id common
clock timezone UTC 1 0
clock summer-time CETS recurring last Sun Mar 2:00 last Sun Oct 2:00
call-home
!snip
!
no ip domain lookup
ip domain name alec.de
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
vpdn enable
vpdn multihop
vpdn logging
vpdn logging user
vpdn logging tunnel-drop
no vpdn history failure cause normal
vpdn history failure table-size 50
!
vpdn-group 1
accept-dialin
protocol l2tp
virtual-template 1
terminate-from hostname xxxxxx
dsl-line-info-forwarding
source-ip x.x.x.x
lcp renegotiation always
l2tp tunnel password 7 xxxxxxxxxxxx
!
!
!
!
crypto pki trustpoint TP-self-signed-xxxxxxx
!snip
!
license udi pid ISR4451-X/K9 sn xxxxxxxxxxxx
license boot level securityk9 disable
no license smart enable
diagnostic bootup level minimal
!
spanning-tree extend system-id
archive
!snip
!
!
!
!
redundancy
mode none
!
!
!
no cdp run
!
!
!
!
!
interface Loopback1
ip address 10.130.0.3 255.255.255.255
ip nat outside
!
interface Loopback2
ip address x.x.x.x 255.255.255.252
!
interface GigabitEthernet0/0/0
ip address x.x.x.x 255.255.255.252
negotiation auto
!
interface GigabitEthernet0/0/1
ip address 10.0.137.5 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0/0/2
ip address 192.168.2.5 255.255.255.252
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/3
ip address 192.168.3.5 255.255.255.252
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 10.0.0.11 255.255.255.0
negotiation auto
!
interface Virtual-Template1
mtu 1300
ip unnumbered Loopback1
no logging event link-status
peer match aaa-pools
no peer default ip address
ppp mtu adaptive
ppp authentication pap callin
ppp authorization VPDN
ip virtual-reassembly
!
router bgp 65145
!snip
!
no ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip tftp source-interface GigabitEthernet0/0/1
ip nat inside source list NAT interface Loopback1 overload
ip nat inside source list RADIUSLOKAL interface GigabitEthernet0/0/2 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 10.0.0.0 255.128.0.0 10.0.137.1
ip route 172.16.0.0 255.254.0.0 10.0.137.1
ip route 172.28.0.0 255.252.0.0 10.0.137.1
!
ip ssh version 2
ip scp server enable
!
!
ip access-list extended xxx
!snip
logging history size 500
logging trap errors
logging host 10.0.0.155
!snip
ip access-list extended 129
!snip
ip access-list extended 130
!snip
ip access-list extended 131
!snip
ip access-list extended 132
!snip
ip access-list extended 133
!snip
ip access-list extended 199
!snip
!
!
radius-server retry method reorder
!snip
!
!
control-plane
!
!
line con 0
exec-timeout 5 0
logging synchronous
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
location Dortmund
access-class 1 in
exec-timeout 30 0
password 7 xxxxxxxxxxxxx
logging synchronous
history size 256
transport input ssh
escape-character 3
!
!
monitor session 1 type erspan-source
!snip
!
!
ntp server 192.53.103.104
ntp server 192.53.103.108
!
!
!
!
!
end
02-24-2023 08:30 AM - last edited on 04-27-2023 09:42 PM by Translator
I have a suggestion and I think it is the solution here:
only add encapsulation ppp under virtual-template
02-26-2023 11:29 PM - last edited on 04-27-2023 09:46 PM by Translator
Thanks, but it doesn't work.
I can enter encapsulation ppp in the Virtual-Template 1
But it doesn't show up, not in running conf nor in run conf all.
I've disconnected vi2.1 and reconnected - no difference.
#show run | s Virt
interface Virtual-Template1
mtu 1300
ip unnumbered Loopback1
no logging event link-status
peer match aaa-pools
no peer default ip address
ppp mtu adaptive
ppp authentication pap callin
ppp authorization VPDN
ip virtual-reassembly
02-27-2023 05:23 PM
CSCvm51483 : Bug Search Tool (cisco.com)
Can you make AAA push encapsulation type ppp?
02-27-2023 11:26 PM - last edited on 04-27-2023 09:47 PM by Translator
I'll be trying that, but somehow I believe it might not be the fault of vi2.1.
When I look at the debug list in the first post, I see this:
Feature: IPV4_INPUT_VFR
Entry : Input - 0x1145fd3c
Input : GigabitEthernet0/0/1
Output : <unknown>
Lapsed time : 4260 ns
Feature: IPV4_INPUT_LOOKUP_PROCESS
Entry : Input - 0x1145fdd8
Input : GigabitEthernet0/0/1
Output : EVSI14
Lapsed time : 14860 ns
So the packet arrives from ge0/0/1 and decides at one point output should be EVSI14.
I don't even know what EVSI14 means, but I thought it out to be VI2.1.
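The reading of the trace described in the post above can be automated. This is an added example, not part of the original thread and not Cisco tooling: it parses `show platform packet-trace packet N` output and reports the drop reason and the first feature at which the output interface stops being `<unknown>`. The sample text is constructed (abbreviated from the trace in the first post), and the names `parse_trace` and `analyse` are hypothetical.

```python
import re

# Constructed sample, abbreviated from the trace format in the first post.
SAMPLE_TRACE = """\
Packet: 2 CBUG ID: 90
Summary
Input : GigabitEthernet0/0/1
Output : EVSI14
State : DROP 109 (EssUnsupPktType)
Path Trace
Feature: IPV4(Input)
Input : GigabitEthernet0/0/1
Output : <unknown>
Source : 10.0.0.250
Destination : 10.130.1.67
Feature: IPV4_INPUT_VFR
Output : <unknown>
Feature: IPV4_INPUT_LOOKUP_PROCESS
Output : EVSI14
Feature: ESS_EXIT_SWITCHING
Output : EVSI14
"""

KV = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")

def parse_trace(text):
    """Split one packet's trace into a summary dict and an ordered feature list."""
    summary, features, current = {}, [], None
    for line in text.splitlines():
        m = KV.match(line)
        if not m:
            continue  # section titles such as "Summary" or "Path Trace"
        key, value = m.group(1), m.group(2)
        if key == "Feature":
            current = {"Feature": value}
            features.append(current)
        elif current is not None:
            current[key] = value   # field belongs to the current feature
        else:
            summary[key] = value   # field seen before the first feature
    return summary, features

def analyse(text):
    """Report the drop state and where the output interface was first resolved."""
    summary, features = parse_trace(text)
    state = re.match(r"(\w+)\s+(\d+)\s+\((\w+)\)", summary.get("State", ""))
    # First feature whose Output field is no longer "<unknown>".
    resolved = next((f["Feature"] for f in features
                     if f.get("Output", "<unknown>") != "<unknown>"), None)
    return {
        "dropped": bool(state) and state.group(1) == "DROP",
        "reason": state.group(3) if state else None,
        "output_resolved_at": resolved,
        "last_feature": features[-1]["Feature"] if features else None,
    }
```
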
02-28-2023 12:35 AM - last edited on 04-27-2023 09:49 PM by Translator
Added PPP - didn't work.
Probably because vi2.1 doesn't get used as output.
What is EVSI14 to where the output goes?
Feb 28 2023 09:30:54: RADIUS: Acct-Session-Id [44] 10 "0000109C"
Feb 28 2023 09:30:54: RADIUS: Tunnel-Type [64] 6 00:L2TP [3]
Feb 28 2023 09:30:54: RADIUS: Tunnel-Medium-Type [65] 6 00:IPv4 [1]
Feb 28 2023 09:30:54: RADIUS: Tunnel-Server-Endpoi[67] 15 "x.x.x.x"
Feb 28 2023 09:30:54: RADIUS: Tunnel-Client-Endpoi[66] 15 "x.x.x.x"
Feb 28 2023 09:30:54: RADIUS: Tunnel-Assignment-Id[82] 3 "1"
Feb 28 2023 09:30:54: RADIUS: Tunnel-Client-Auth-I[90] 17 "xxxxxxxx"
Feb 28 2023 09:30:54: RADIUS: Tunnel-Server-Auth-I[91] 17 "xxxxxxxx"
Feb 28 2023 09:30:54: RADIUS: Acct-Tunnel-Connecti[68] 8 "103218"
Feb 28 2023 09:30:54: RADIUS: Vendor, Cisco [26] 41
Feb 28 2023 09:30:54: RADIUS: Cisco AVpair [1] 35 "actual-data-rate-upstream=5824000"
Feb 28 2023 09:30:54: RADIUS: Vendor, Cisco [26] 44
Feb 28 2023 09:30:54: RADIUS: Cisco AVpair [1] 38 "actual-data-rate-downstream=29176000"
Feb 28 2023 09:30:54: RADIUS: Vendor, Cisco [26] 41
Feb 28 2023 09:30:54: RADIUS: Cisco AVpair [1] 35 "minimum-data-rate-upstream=768000"
Feb 28 2023 09:30:54: RADIUS: Vendor, Cisco [26] 44
Feb 28 2023 09:30:54: RADIUS: Cisco AVpair [1] 38 "minimum-data-rate-downstream=1152000"
Feb 28 2023 09:30:54: RADIUS: Vendor, Cisco [26] 46
Feb 28 2023 09:30:54: RADIUS: Cisco AVpair [1] 40 "attainable-data-rate-upstream=17017000"
Feb 28 2023 09:30:54: RADIUS: Vendor, Cisco [26] 48
Feb 28 2023 09:30:54: RADIUS: Cisco AVpair [1] 42 "attainable-data-rate-downstream=41271000"
Feb 28 2023 09:30:54: RADIUS: Vendor, Cisco [26] 42
Feb 28 2023 09:30:54: RADIUS: Cisco AVpair [1] 36 "maximum-data-rate-upstream=5824000"
Feb 28 2023 09:30:54: RADIUS: Vendor, Cisco [26] 45
Feb 28 2023 09:30:54: RADIUS: Cisco AVpair [1] 39 "maximum-data-rate-downstream=29184000"
Feb 28 2023 09:30:54: RADIUS: Vendor, Cisco [26] 50
Feb 28 2023 09:30:54: RADIUS: Cisco AVpair [1] 44 "minimum-data-rate-upstream-low-power=32000"
Feb 28 2023 09:30:54: RADIUS: Vendor, Cisco [26] 52
Feb 28 2023 09:30:54: RADIUS: Cisco AVpair [1] 46 "minimum-data-rate-downstream-low-power=32000"
Feb 28 2023 09:30:54: RADIUS: Vendor, Cisco [26] 46
Feb 28 2023 09:30:54: RADIUS: Cisco AVpair [1] 40 "maximum-interleaving-delay-upstream=12"
Feb 28 2023 09:30:54: RADIUS: Vendor, Cisco [26] 48
Feb 28 2023 09:30:54: RADIUS: Cisco AVpair [1] 42 "maximum-interleaving-delay-downstream=12"
Feb 28 2023 09:30:54: RADIUS: Vendor, Cisco [26] 18
Feb 28 2023 09:30:54: RADIUS: Cisco AVpair [1] 12 "dsl-type=5"
Feb 28 2023 09:30:54: RADIUS: Vendor, Cisco [26] 37
Feb 28 2023 09:30:54: RADIUS: Cisco AVpair [1] 31 "access-loop-encapsulation=120"
Feb 28 2023 09:30:54: RADIUS: Framed-Protocol [7] 6 PPP [1]
Feb 28 2023 09:30:54: RADIUS: Framed-IP-Address [8] 6 10.130.1.67
Feb 28 2023 09:30:54: RADIUS: User-Name [1] 22 "xxx@yyyy"
Feb 28 2023 09:30:54: RADIUS: Vendor, Cisco [26] 35
Feb 28 2023 09:30:54: RADIUS: Cisco AVpair [1] 29 "connect-progress=LAN Ses Up"
Feb 28 2023 09:30:54: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
Feb 28 2023 09:30:54: RADIUS: Acct-Status-Type [40] 6 Start [1]
Feb 28 2023 09:30:54: RADIUS: Vendor, Cisco [26] 52
Feb 28 2023 09:30:54: RADIUS: Cisco AVpair [1] 46 "circuit-id-tag=x.x.x.x/0.0.0.0 eth 1/21"
Feb 28 2023 09:30:54: RADIUS: Vendor, Cisco [26] 36
Feb 28 2023 09:30:54: RADIUS: Cisco AVpair [1] 30 "remote-id-tag=xxxx.xx.xxxx"
Feb 28 2023 09:30:54: RADIUS: Connect-Info [77] 18 "28301000/5649000"
Feb 28 2023 09:30:54: RADIUS: NAS-Port-Type [61] 6 ISDN [2]
Feb 28 2023 09:30:54: RADIUS: NAS-Port [5] 6 20046
Feb 28 2023 09:30:54: RADIUS: NAS-Port-Id [87] 16 "Uniq-Sess-ID46"
Feb 28 2023 09:30:54: RADIUS: Service-Type [6] 6 Framed [2]
Feb 28 2023 09:30:54: RADIUS: NAS-IP-Address [4] 6 10.0.137.5
Feb 28 2023 09:30:54: RADIUS: Acct-Delay-Time [41] 6
04-17-2023 06:30 AM - last edited on 04-27-2023 09:51 PM by Translator
Just to wrap up:
It was appxk9 license missing.
Solved in other topic.