
Change VLAN the router pings from?

Group IT
Level 1

Hi all,

I'm no Cisco/network engineer, so I'm going on suspicion and wild speculation here, but I have an issue with an 887VA router I'm working on that is maybe to do with which VLAN a router elects as its default?

Basically on my router, I shut down VLAN1 and create VLAN102.

I set up an IPsec VPN tunnel, sending all VLAN102 (subnet 10.11.102.0/24) traffic over the tunnel to a remote ASA (the hub), and all tests are spot on (hosts can see each other and interact).

If I ping from the router to networks at the hub, all is good.

If I enable netflow on the router (on VLAN102), with the collector being on the hub network, all is good - traffic flows come through perfectly.

Now, I add VLAN192 to the router to deal with a legacy network at the spoke (no netflow needed). This traffic should not be included in the VPN traffic, as it's just local stuff (thus it isn't included in the VPN ACL).

My problem is that now netflow stops working. No netflow traffic appears to leave the router, despite all the netflow diagnostics looking fine.

I find that if I now ping from the router to a hub network, the pings fail UNLESS I specify which interface to ping from.

So, I am suspecting that my netflow has ceased working due to the same reason? I am guessing that VLAN192 somehow became a 'default' VLAN/interface for the router, so it's trying to send netflow traffic out over this interface. VLAN192 must be interfering in some way anyway.

My netflow setup is along the lines of:

ip flow-export destination 10.11.1.226 2055
ip flow-export version 9
ip flow-export source Dialer1
ip flow-cache timeout active 5
interface vlan102
 ip flow ingress
 ip flow egress

I have managed to resolve the issue for now, by using netflow monitor config, but it's still bugging me.

I was hoping someone could shed some light on why the extra VLAN broke the original netflow config, and if there's a simpler solution than using netflow monitors (by somehow globally changing the default VLAN the router uses)?

Thank you!

EJ
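A collector-side check for the symptom described in this post (exports that simply stop arriving), as an added example that is not part of the original post and not Cisco tooling: it parses NetFlow v9 export packets (header, template flowsets, data flowsets) so the collector can confirm which exporter and source ID the flows came from, whether the sequence numbers are continuous, and what the records contain. The sample packet is constructed inline; its addresses reuse the VLAN102 subnet and the 10.11.1.226:2055 collector from the question, and the 10.11.102.10 host address and template layout are assumptions.

```python
"""NetFlow v9 collector-side check (added example; not from the thread above).

Parses the v9 header, template flowsets and data flowsets so a collector can
confirm which exporter the flows came from, whether the export sequence is
continuous, and what the records contain.  The sample packet is constructed.
"""
import socket
import struct
from dataclasses import dataclass

# NetFlow v9 field type IDs (RFC 3954) for the fields the constructed template uses
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}
IPV4_FIELDS = {8, 12}


@dataclass
class V9Header:
    version: int
    count: int
    sys_uptime_ms: int
    unix_secs: int
    sequence: int
    source_id: int


def parse_header(data: bytes) -> V9Header:
    """Decode the fixed 20-byte v9 header; reject anything that is not v9."""
    if len(data) < 20:
        raise ValueError("packet shorter than a v9 header")
    fields = struct.unpack("!HHIIII", data[:20])
    if fields[0] != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {fields[0]})")
    return V9Header(*fields)


def _decode(ftype: int, raw: bytes):
    if ftype in IPV4_FIELDS and len(raw) == 4:
        return socket.inet_ntoa(raw)
    return int.from_bytes(raw, "big")


def parse_packet(data: bytes, templates: dict):
    """Return (header, records). Templates are cached per (source_id, template_id)
    because a data flowset can only be decoded with a template seen earlier."""
    hdr = parse_header(data)
    records, offset = [], 20
    while offset + 4 <= len(data):
        fs_id, fs_len = struct.unpack("!HH", data[offset:offset + 4])
        if fs_len < 4 or offset + fs_len > len(data):
            raise ValueError("corrupt flowset length")
        body = data[offset + 4:offset + fs_len]
        if fs_id == 0:  # template flowset: (template_id, field_count, (type, len)...)
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if pos + 4 * nfields > len(body):
                    raise ValueError("truncated template")
                spec = [struct.unpack("!HH", body[pos + 4 * k:pos + 4 * k + 4]) for k in range(nfields)]
                pos += 4 * nfields
                templates[(hdr.source_id, tid)] = spec
        elif fs_id >= 256:  # data flowset; the flowset id is the template id
            spec = templates.get((hdr.source_id, fs_id))
            if spec is None:  # template not seen yet: record the gap, do not guess
                records.append({"unknown_template": fs_id})
            else:
                rec_len, pos = sum(flen for _, flen in spec), 0
                while rec_len and pos + rec_len <= len(body):  # trailing bytes are padding
                    rec = {}
                    for ftype, flen in spec:
                        rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = _decode(ftype, body[pos:pos + flen])
                        pos += flen
                    records.append(rec)
        offset += fs_len
    return hdr, records


def sequence_gap(previous: int, current: int) -> int:
    """Export packets missed between two consecutive headers (0 = none), with 32-bit wrap."""
    return (current - previous - 1) % (1 << 32)


def build_sample_packet() -> bytes:
    """Constructed exporter packet: one template (id 256) and one data record for a
    UDP flow from a VLAN102 host (assumed 10.11.102.10) to the collector on 2055."""
    layout = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1)]
    template = struct.pack("!HH", 256, len(layout)) + b"".join(struct.pack("!HH", t, l) for t, l in layout)
    template_fs = struct.pack("!HH", 0, 4 + len(template)) + template
    record = socket.inet_aton("10.11.102.10") + socket.inet_aton("10.11.1.226") + struct.pack("!HHB", 51000, 2055, 17)
    record += b"\x00" * (-len(record) % 4)  # flowsets are padded to a 4-byte boundary
    data_fs = struct.pack("!HH", 256, 4 + len(record)) + record
    header = struct.pack("!HHIIII", 9, 2, 123456, 1700000000, 42, 0)  # count = 1 template + 1 record
    return header + template_fs + data_fs


def collect(bind_addr: str = "0.0.0.0", port: int = 2055) -> None:
    """Receive live exports and report exporter address, source ID and sequence gaps."""
    templates, last_seq = {}, {}
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (exporter, _) = sock.recvfrom(65535)
        hdr, recs = parse_packet(data, templates)
        key = (exporter, hdr.source_id)
        if key in last_seq and sequence_gap(last_seq[key], hdr.sequence):
            print(f"{exporter}: missed {sequence_gap(last_seq[key], hdr.sequence)} export packet(s)")
        last_seq[key] = hdr.sequence
        print(exporter, hdr.source_id, hdr.sequence, recs)


if __name__ == "__main__":
    print(parse_packet(build_sample_packet(), {}))
```

Running `collect()` on the collector host (UDP 2055, matching the `ip flow-export destination` line above) answers the first question a collector operator has when flows vanish: whether any export packets reach the collector at all, and from which source address. Because the `ip flow-export source` interface sets that source address, it is worth comparing what arrives against the interface the router was told to use.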

2 Replies

Philip D'Ath
VIP Alumni

Are there any routes via VLAN192 (such as a default route, static route, dynamic route) or is it purely just a connected route?

Is this just a simple crypto map based IPSec VPN? Or something else, like VTI, GRE over IPSec, etc?

Hi Philip,

Thank you for your response.

The only route configured on the router is:

ip route 0.0.0.0 0.0.0.0 Dialer1

As regards the crypto map, I would imagine it's your first guess, that it's a straightforward IPSec VPN. A snippet of the relevant config:

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key xxxx address 81.128.123.123
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
!
!
crypto map VPN-TO-HQ 10 ipsec-isakmp
 set peer 81.128.123.123
 set transform-set TS
 match address VPN-TRAFFIC

Cheers :)
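With a crypto map of the kind shown above, only traffic that matches the `match address` ACL is encrypted; router-originated traffic (pings, NetFlow exports) that does not match follows the normal routing table in the clear, so a useful check when such traffic stops reaching the hub is to test the source/destination pair against that ACL using IOS wildcard-mask semantics. The thread does not show the VPN-TRAFFIC ACL, so the one below is constructed from the subnets the question mentions (VLAN102 = 10.11.102.0/24, collector 10.11.1.226), and the router interface addresses used in the demonstration (10.11.102.1 and 192.168.192.1) are assumptions. This is an added example, not configuration or code from the thread or from Cisco.

```python
"""IOS wildcard-mask ACL matcher (added example; not configuration from the thread).

VPN_ACL is constructed: the real VPN-TRAFFIC ACL is not in the thread.
"""
import ipaddress

VPN_ACL = """\
ip access-list extended VPN-TRAFFIC
 remark constructed for this example from the subnets in the question
 permit ip 10.11.102.0 0.0.0.255 10.11.1.0 0.0.0.255
"""


def _address_spec(tokens, i):
    """Parse `any`, `host A.B.C.D` or `A.B.C.D WILDCARD` at tokens[i].
    Returns ((base, wildcard), next_index) with both values as 32-bit ints."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (base, wildcard), i + 2


def _matches(spec, addr):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def parse_acl(text):
    """Return the permit/deny entries of a named extended ACL, in order."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue  # skips the `ip access-list` header line and remarks
        action, proto = tokens[0], tokens[1]
        src, i = _address_spec(tokens, 2)
        dst, _ = _address_spec(tokens, i)
        entries.append((action, proto, src, dst))
    return entries


def first_match(entries, src_ip, dst_ip, proto="ip"):
    """(index, action) of the first ACE that matches, or None for the implicit deny."""
    for idx, (action, p, src, dst) in enumerate(entries):
        if p != "ip" and p != proto:
            continue
        if _matches(src, src_ip) and _matches(dst, dst_ip):
            return idx, action
    return None


def is_interesting(entries, src_ip, dst_ip, proto="ip"):
    """True when the crypto map would encrypt this flow (first match is a permit)."""
    hit = first_match(entries, src_ip, dst_ip, proto)
    return hit is not None and hit[1] == "permit"


if __name__ == "__main__":
    acl = parse_acl(VPN_ACL)
    collector = "10.11.1.226"
    # Assumed router interface addresses: one on VLAN102, one on the VLAN192 legacy network
    for src in ("10.11.102.1", "192.168.192.1"):
        verdict = "encrypted over the tunnel" if is_interesting(acl, src, collector) else "not matched: follows the routing table unencrypted"
        print(f"{src} -> {collector}: {verdict}")
```

The same check applies to the `ip flow-export source` interface: whatever address that interface carries is the source address of every export packet, and it is that address, not the VLAN the flows were collected on, that is tested against the crypto ACL.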
