11-20-2013 08:03 AM - edited 03-07-2019 04:42 PM
Hi All,
I have a Cisco 2911 router which seems to be having some issues with switching across interfaces properly. I migrated the config over from a Cisco 2901 router and the config was successfully working on that router. Additionally, I do not have any issues with the WAN connection for the "GigabitEthernet0/1.9" interface. This interface seems to work perfectly and allow all machines to connect onto the .10 subnet, however, interfaces "GigabitEthernet0/1.2" and "GigabitEthernet0/2", while both showing up/up, would not get a connection and would not communicate with the rest of the network. I was able to ping the gateways of these interfaces (192.168.9.1 and 192.168.2.1). Can someone please tell me if they notice anything out of place in the config that could be causing the issue? I am not seeing anything and I have worn myself out looking.
!
version 15.2
service timestamps debug uptime
service timestamps log datetime
service password-encryption
service linenumber
!
hostname THEBig
!
boot-start-marker
boot-end-marker
!
logging buffered 8000
no logging console
enable password 7 XXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
!
!
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
ip name-server 68.94.156.1
ip name-server 68.94.157.1
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-227086793
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-227086793
revocation-check none
rsakeypair TP-self-signed-227086793
!
!
crypto pki certificate chain TP-self-signed-227086793
certificate self-signed 01 nvram:IOS-Self-Sig#5.cer
license udi pid CISCO2901/K9 sn FTX15040DWA
!
!
!!!This is where the users were!!!
!
redundancy
!
!
ip tcp selective-ack
ip tcp path-mtu-discovery
ip telnet source-interface GigabitEthernet0/0
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
lifetime 7200
!
crypto isakmp policy 2
hash md5
authentication pre-share
lifetime 7200
!
crypto isakmp policy 3
hash md5
authentication pre-share
lifetime 7200
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address XXX.XXX.XXX.XXX no-xauth
crypto isakmp key cisco address XXX.XXX.XXX.XXX no-xauth
crypto isakmp key cisco address XXX.XXX.XXX.XXX no-xauth
!
crypto isakmp client configuration group NMTrans
key XXXXXXXX
dns 192.168.10.254
wins 192.168.10.16
domain XXXXXXXXX
pool ippool
acl 130
!
!
crypto ipsec transform-set SBC_Baldwin esp-des esp-sha-hmac
crypto ipsec transform-set SBC_Eldridge esp-des esp-sha-hmac
crypto ipsec transform-set SBC_Eis esp-des esp-sha-hmac
crypto ipsec transform-set SBC_Remote esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 5
set transform-set SBC_Remote
!
!
crypto map SBC client authentication list userauthen
crypto map SBC isakmp authorization list groupauthor
crypto map SBC client configuration address respond
crypto map SBC 1 ipsec-isakmp
set peer XXX.XXX.XXX.XXX
set security-association lifetime seconds 900
set transform-set SBC_Baldwin
match address 101
crypto map SBC 2 ipsec-isakmp
set peer XXX.XXX.XXX.XXX
set security-association lifetime seconds 900
set transform-set SBC_Eldridge
match address 102
crypto map SBC 3 ipsec-isakmp
set peer XXX.XXX.XXX.XXX
set security-association lifetime seconds 900
set transform-set SBC_Eis
match address 103
crypto map SBC 5 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface Loopback1
ip address 1.1.1.1 255.255.255.0
!
!
interface GigabitEthernet0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
duplex full
speed 100
no cdp enable
!
!
interface GigabitEthernet0/0.50
description WAN to ATT Internet Service
encapsulation dot1Q 50
ip address 12.252.76.50 255.255.255.252
ip access-group 109 in
ip nat outside
ip virtual-reassembly
no keepalive
no cdp enable
crypto map SBC
!
!
interface GigabitEthernet0/1
no ip address
no ip redirects
duplex auto
speed auto
!
interface GigabitEthernet0/1.2
description Server VLAN
encapsulation dot1Q 2
ip address 192.168.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip access-group 100 in
ip virtual-reassembly
ip policy route-map rmap
!
interface GigabitEthernet0/1.9
description User VLAN
encapsulation dot1Q 9 native
ip address 192.168.10.9 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip access-group 100 in
ip virtual-reassembly
ip policy route-map rmap
!
interface GigabitEthernet0/2
ip address 192.168.9.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route-cache policy
ip policy route-map rmap
duplex auto
speed auto
!
!
ip local pool ippool 192.168.8.100 192.168.8.200
no ip forward-protocol nd
no ip forward-protocol udp
!
ip http server
ip http secure-server
ip flow-cache timeout active 5
ip flow-export source GigabitEthernet0/1.2
ip flow-export version 5
ip flow-export destination 192.168.2.22 9996
!
ip nat inside source list 110 interface GigabitEthernet0/0.50 overload
ip nat inside source static tcp 192.168.2.16 1414 XXX.XXX.XXX.XXX 1414 extendable
ip nat inside source static tcp 192.168.10.254 20 XXX.XXX.XXX.XXX 20 extendable
ip nat inside source static tcp 192.168.10.254 21 XXX.XXX.XXX.XXX 21 extendable
ip nat inside source static tcp 192.168.10.254 22 XXX.XXX.XXX.XXX 22 extendable
ip nat inside source static tcp 192.168.10.254 25 XXX.XXX.XXX.XXX 25 extendable
ip nat inside source static tcp 192.168.10.254 80 XXX.XXX.XXX.XXX 80 extendable
ip nat inside source static tcp 192.168.10.254 5432 XXX.XXX.XXX.XXX 5432 extendable
ip nat inside source static tcp 192.168.10.254 9095 XXX.XXX.XXX.XXX 9095 extendable
ip nat inside source static tcp 192.168.10.254 9096 XXX.XXX.XXX.XXX 9096 extendable
ip nat inside source static tcp 192.168.10.44 20 XXX.XXX.XXX.XXX 20 extendable
ip nat inside source static tcp 192.168.10.44 21 XXX.XXX.XXX.XXX 21 extendable
ip nat inside source static tcp 192.168.10.44 22 XXX.XXX.XXX.XXX 22 extendable
ip nat inside source static tcp 192.168.10.44 25 XXX.XXX.XXX.XXX 25 extendable
ip nat inside source static tcp 192.168.10.44 80 XXX.XXX.XXX.XXX 80 extendable
ip nat inside source static tcp 192.168.10.44 5432 XXX.XXX.XXX.XXX 5432 extendable
ip nat inside source static tcp 192.168.2.25 25 XXX.XXX.XXX.XXX 25 extendable
ip nat inside source static tcp 192.168.2.25 80 XXX.XXX.XXX.XXX 80 extendable
ip nat inside source static tcp 192.168.2.25 443 XXX.XXX.XXX.XXX 443 extendable
ip nat inside source static udp 192.168.2.25 443 XXX.XXX.XXX.XXX 443 extendable
ip nat inside source static tcp 192.168.2.26 80 XXX.XXX.XXX.XXX 80 extendable
ip nat inside source static tcp 192.168.10.12 1414 XXX.XXX.XXX.XXX 1414 extendable
ip nat inside source static 192.168.10.206 XXX.XXX.XXX.XXX
ip nat inside source static tcp 192.168.2.25 25 XXX.XXX.XXX.XXX 25 extendable
ip nat inside source static tcp 192.168.2.25 80 XXX.XXX.XXX.XXX 80 extendable
ip nat inside source static tcp 192.168.2.25 443 XXX.XXX.XXX.XXX 443 extendable
ip nat inside source static udp 192.168.2.25 443 XXX.XXX.XXX.XXX 443 extendable
ip nat inside source static tcp 192.168.2.28 80 XXX.XXX.XXX.XXX 80 extendable
ip nat inside source static tcp 192.168.2.28 443 XXX.XXX.XXX.XXX 443 extendable
ip nat inside source static tcp 192.168.2.28 8181 XXX.XXX.XXX.XXX 8181 extendable
ip route 0.0.0.0 0.0.0.0 12.252.76.49
ip route 192.168.1.0 255.255.255.0 192.168.10.14
!
ip tacacs source-interface GigabitEthernet0/0.50
!
logging source-interface GigabitEthernet0/0.50
!
access-list 100 permit tcp host 192.168.2.16 192.168.10.0 0.0.0.255 eq 1414
access-list 100 permit tcp host 192.168.10.19 192.168.2.0 0.0.0.255 eq 1984
access-list 100 permit tcp host 192.168.2.29 192.168.10.0 0.0.0.255 eq smtp
access-list 100 permit tcp host 192.168.2.25 any eq smtp
access-list 100 permit tcp 192.168.10.0 0.0.0.255 host 192.168.2.25 eq smtp
access-list 100 permit tcp 192.168.9.0 0.0.0.255 host 192.168.2.25 eq smtp
access-list 100 deny tcp any any eq smtp
access-list 100 permit ip any any
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 101 permit ip 192.168.9.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 102 permit ip 192.168.9.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 103 permit ip 192.168.10.0 0.0.0.255 10.5.1.0 0.0.0.255
access-list 103 permit ip 192.168.9.0 0.0.0.255 10.5.1.0 0.0.0.255
access-list 103 permit ip 192.168.2.0 0.0.0.255 10.5.1.0 0.0.0.255
access-list 109 permit ip any any
access-list 110 deny ip 192.168.2.0 0.0.0.255 10.5.1.0 0.0.0.255
access-list 110 deny ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 110 deny ip 192.168.2.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 110 deny ip 192.168.9.0 0.0.0.255 10.5.1.0 0.0.0.255
access-list 110 deny ip 192.168.9.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 110 deny ip 192.168.9.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 110 deny ip 192.168.10.0 0.0.0.255 10.5.1.0 0.0.0.255
access-list 110 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 deny ip 192.168.10.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 110 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 110 deny ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 any
access-list 110 permit ip 192.168.9.0 0.0.0.255 any
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 10.5.1.0 0.0.0.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 10.5.1.0 0.0.0.255
access-list 120 permit ip 192.168.9.0 0.0.0.255 10.5.1.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 120 permit ip 192.168.9.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 120 permit ip 192.168.9.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 120 permit ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 130 permit ip 192.168.10.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 130 permit ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 130 permit ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 140 permit icmp host 10.5.1.1 any
access-list 140 permit icmp 135.89.154.144 0.0.0.15 any
access-list 140 permit icmp 135.89.154.16 0.0.0.15 any
access-list 140 permit icmp 135.89.157.160 0.0.0.15 any
access-list 140 permit icmp 135.89.152.48 0.0.0.15 any
access-list 140 permit icmp 135.89.152.144 0.0.0.15 any
access-list 140 permit icmp 135.89.152.128 0.0.0.15 any
access-list 140 permit icmp 135.89.183.192 0.0.0.63 any
access-list 140 permit icmp 135.89.183.64 0.0.0.63 any
access-list 140 deny icmp any any
access-list 140 permit ip any any
!
no cdp run
!
!
!
route-map rmap permit 10
match ip address 120
set ip next-hop 1.1.1.2
!
!
snmp-server community public RO
snmp-server ifindex persist
!
control-plane
!
!
!
line con 0
password 7 XXXXXXXXXXXX
line aux 0
line vty 0 4
password 7 XXXXXXXXXXXX
!
scheduler allocate 20000 1000
end
Any assistance anyone could offer would be highly appreciated!
Thanks,
- Shaun
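Read with a security eye rather than a connectivity one, the config above has several settings worth flagging before the router goes any further into production: Type 7 ("service password-encryption") strings on the enable and vty passwords, which are reversible; an IKE pre-shared key of "cisco" with MD5 hashing and DES/3DES transform sets; "snmp-server community public RO"; an inbound WAN ACL (109) that permits everything; ACL 140 (the ICMP filter) defined but never applied anywhere; and a PBR next-hop (1.1.1.2) that sits inside the Loopback1 subnet, which is the route-map the thread later finds it has to remove. The script below is an added example written for this page, not code from the thread or from Cisco. It runs over a constructed, trimmed excerpt of the posted config in which the masked "password 7" values are replaced by the public Type 7 test vector 0822455D0A16 and the masked IKE peer by 203.0.113.10, and it reports each of those findings, decoding the Type 7 strings to show why "service password-encryption" is not protection.

```python
import re
from ipaddress import ip_address, ip_interface

XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"  # Type 7 key stream

# Constructed sample, not the thread's verbatim text: an excerpt of the posted
# config, unindented as the post renders it, with the masked "password 7 XXXX"
# values replaced by the public test vector 0822455D0A16 and the masked IKE
# peer replaced by 203.0.113.10.
SAMPLE_CONFIG = """\
enable password 7 0822455D0A16
crypto isakmp key cisco address 203.0.113.10 no-xauth
crypto ipsec transform-set SBC_Baldwin esp-des esp-sha-hmac
interface Loopback1
ip address 1.1.1.1 255.255.255.0
interface GigabitEthernet0/0.50
ip address 12.252.76.50 255.255.255.252
ip access-group 109 in
ip nat outside
!
access-list 109 permit ip any any
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 140 deny icmp any any
route-map rmap permit 10
match ip address 120
set ip next-hop 1.1.1.2
!
snmp-server community public RO
line vty 0 4
password 7 0822455D0A16
"""

def decode_type7(enc):
    """Reverse a Type 7 string: two-digit offset, then hex of (plaintext XOR XLAT)."""
    start, body = int(enc[:2]), bytes.fromhex(enc[2:])
    return bytes(b ^ XLAT[(start + i) % len(XLAT)] for i, b in enumerate(body)).decode()

def parse_blocks(config):
    """Group lines into (header, sub-lines); the paste lost IOS indentation, so use '!' and block keywords."""
    blocks, cur = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("", "!"):
            cur = None
        elif line.startswith(("interface ", "route-map ", "line ", "crypto isakmp policy ")):
            cur = (line, [])
            blocks.append(cur)
        elif cur:
            cur[1].append(line)
        else:
            blocks.append((line, []))
    return blocks

def audit(config):
    """Findings for weak credentials/crypto, unfiltered WAN ingress, unused ACLs and loopback PBR next-hops."""
    out, acls, used, loopbacks, wan, nexthops = [], {}, set(), [], [], []
    for header, body in parse_blocks(config):
        for line in [header] + body:
            if m := re.search(r"\bpassword 7 ([0-9A-Fa-f]+)$", line):
                out.append(f"reversible Type 7 password ({decode_type7(m[1])!r}): {line}")
            if (m := re.match(r"crypto isakmp key (\S+) address", line)) and len(m[1]) < 16:
                out.append(f"short IKE pre-shared key {m[1]!r}: {line}")
            if line == "hash md5" or re.search(r"\besp-(3des|des)\b", line):
                out.append(f"legacy crypto: {line}")
            if (m := re.match(r"snmp-server community (\S+)", line)) and m[1].lower() in ("public", "private"):
                out.append(f"default SNMP community: {line}")
            if m := re.match(r"access-list (\d+) (.+)", line):
                acls.setdefault(m[1], []).append(m[2])
            used.update(re.findall(r"(?:access-group|match (?:ip )?address|source list|\bacl) (\d+)", line))
        if header.startswith("interface "):
            addr = acl = None
            for l in body:
                if m := re.match(r"ip address (\S+) (\S+)", l):
                    addr = ip_interface(f"{m[1]}/{m[2]}")
                elif m := re.match(r"ip access-group (\d+) in", l):
                    acl = m[1]
            if addr and header.startswith("interface Loopback"):
                loopbacks.append(addr)
            if "ip nat outside" in body:
                wan.append((header, acl))
        elif header.startswith("route-map "):
            for l in body:
                if m := re.match(r"set ip next-hop (\S+)", l):
                    nexthops.append((header, ip_address(m[1])))
        elif header.startswith("line vty") and not any(l.startswith("transport input") for l in body):
            out.append(f"{header}: transport input not restricted to ssh")
    for header, acl in wan:  # ACLs are defined after interfaces in IOS, so check them last
        if acl is None or "permit ip any any" in acls.get(acl, []):
            out.append(f"{header}: WAN ingress unfiltered (inbound ACL: {acl})")
    for n in sorted(set(acls) - used, key=int):
        out.append(f"access-list {n} is defined but never applied")
    # A next-hop inside a subnet that exists only on a loopback has no neighbour behind it;
    # in the thread, removing 'rmap' is what restored inter-VLAN reachability.
    for header, nh in nexthops:
        for lo in loopbacks:
            if nh in lo.network and nh != lo.ip:
                out.append(f"{header}: set ip next-hop {nh} falls inside loopback subnet {lo.network}")
    return out
```

Call audit(SAMPLE_CONFIG) to get the list of findings, or feed it the full running-config text. The same parser works on the posted config because it keys on the "!" separators rather than on indentation; masked "XXXX" password strings are simply skipped rather than decoded, and the PBR check is a hint to confirm on the box with "show route-map rmap" and "debug ip policy", not a replacement for doing so.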
11-20-2013 03:36 PM
It's probably an issue on the switchports that connect to each of those ports on the router. Can you post the config for the switchports?
Thanks.
11-21-2013 08:26 AM
After removing the route-map rmap, I am able to get devices connected to both the 192.168.10.9 and 192.168.9.1 gateways and can ping devices which are connected to the 10.9 gateway from 9.1 gateway devices and vice versa. Additionally, I am able to ping the 192.168.2.1 gateway from devices connected to either the 10.9 gateway or the 9.1 gateway. My big issue now is that I am unable to get devices connected to the 192.168.2.1 gateway. I have tried adding a switch with VLAN2 enabled and set the VLAN2 IP address to 192.168.2.2. I also configured the interface for VLAN2 to "switchport mode access" and "switchport access vlan 2". The switch itself is still unable to ping the 2.1 gateway.
Additional information: I have a 2901 Integrated Services Router in production which is using the exact same config and is working perfectly fine. This 2911 router is new (purchased a week ago). All interfaces say Up/Up on the 2911, except Embedded-Services-Engine0/1.
11-21-2013 01:25 AM
Nothing obviously wrong on the config of those ports.
You said you can ping the L3 addresses on these interfaces. Where did you ping 'from'?
Can you show the switchport side of the config?
If you are able to ping the interfaces from the switch then packets are flowing correctly so to speak. Can you elaborate on what the actual issue is? Are users getting IP addresses but not able to access the internet? Can you ping the default gateway from a host on those subnets?
Thanks
11-21-2013 08:27 AM
Please see the response above.
11-21-2013 03:10 AM
Hi,
Can you remove the PBR route-map rmap and verify if it is working without it?
Regards
Alain
Don't forget to rate helpful posts.
11-21-2013 08:27 AM
Please see the response above.