Cisco 2911 Router Interfaces Not Switching Properly

FlufyNudel
Level 1

Hi All,

I have a Cisco 2911 router which seems to be having some issues with switching across interfaces properly. I migrated the config over from a Cisco 2901 router and the config was successfully working on that router. Additionally, I do not have any issues with the WAN connection for the "GigabitEthernet0/1.9" interface. This interface seems to work perfectly and allow all machines to connect onto the .10 subnet, however, interfaces "GigabitEthernet0/1.2" and "GigabitEthernet0/2", while both showing up/up, would not get a connection and would not communicate with the rest of the network. I was able to ping the gateways of these interfaces (192.168.9.1 and 192.168.2.1). Can someone please tell me if they notice anything out of place in the config that could be causing the issue? I am not seeing anything and I have worn myself out looking.

!

version 15.2

service timestamps debug uptime

service timestamps log datetime

service password-encryption

service linenumber

!

hostname THEBig

!

boot-start-marker

boot-end-marker

!

logging buffered 8000

no logging console

enable password 7 XXXXXXXXXXXXXX

!

aaa new-model

!

!

aaa authentication login userauthen local

aaa authorization network groupauthor local

!

!

!

!

!

aaa session-id common

!

!

!

!

no ipv6 cef

no ip source-route

ip cef

!

!

!

!

ip name-server 68.94.156.1

ip name-server 68.94.157.1

!

multilink bundle-name authenticated

!

!

!

crypto pki trustpoint TP-self-signed-227086793

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-227086793

revocation-check none

rsakeypair TP-self-signed-227086793

!

!

crypto pki certificate chain TP-self-signed-227086793

certificate self-signed 01 nvram:IOS-Self-Sig#5.cer

license udi pid CISCO2901/K9 sn FTX15040DWA

!

!

!!!This is where the users were!!!

!

redundancy

!

!

ip tcp selective-ack

ip tcp path-mtu-discovery

ip telnet source-interface GigabitEthernet0/0

!

!

crypto isakmp policy 1

hash md5

authentication pre-share

lifetime 7200

!

crypto isakmp policy 2

hash md5

authentication pre-share

lifetime 7200

!

crypto isakmp policy 3

hash md5

authentication pre-share

lifetime 7200

!

crypto isakmp policy 5

encr 3des

authentication pre-share

group 2

crypto isakmp key cisco address XXX.XXX.XXX.XXX no-xauth

crypto isakmp key cisco address XXX.XXX.XXX.XXX no-xauth

crypto isakmp key cisco address XXX.XXX.XXX.XXX no-xauth

!

crypto isakmp client configuration group NMTrans

key XXXXXXXX

dns 192.168.10.254

wins 192.168.10.16

domain XXXXXXXXX

pool ippool

acl 130

!

!

crypto ipsec transform-set SBC_Baldwin esp-des esp-sha-hmac

crypto ipsec transform-set SBC_Eldridge esp-des esp-sha-hmac

crypto ipsec transform-set SBC_Eis esp-des esp-sha-hmac

crypto ipsec transform-set SBC_Remote esp-3des esp-sha-hmac

!

crypto dynamic-map dynmap 5

set transform-set SBC_Remote

!

!

crypto map SBC client authentication list userauthen

crypto map SBC isakmp authorization list groupauthor

crypto map SBC client configuration address respond

crypto map SBC 1 ipsec-isakmp

set peer XXX.XXX.XXX.XXX

set security-association lifetime seconds 900

set transform-set SBC_Baldwin

match address 101

crypto map SBC 2 ipsec-isakmp

set peer XXX.XXX.XXX.XXX

set security-association lifetime seconds 900

set transform-set SBC_Eldridge

match address 102

crypto map SBC 3 ipsec-isakmp

set peer XXX.XXX.XXX.XXX

set security-association lifetime seconds 900

set transform-set SBC_Eis

match address 103

crypto map SBC 5 ipsec-isakmp dynamic dynmap

!

!

!

!

!

interface Loopback1

ip address 1.1.1.1 255.255.255.0

!

!

interface GigabitEthernet0/0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

duplex full

speed 100

no cdp enable

!

!

interface GigabitEthernet0/0.50

description WAN to ATT Internet Service

encapsulation dot1Q 50

ip address 12.252.76.50 255.255.255.252

ip access-group 109 in

ip nat outside

ip virtual-reassembly

no keepalive

no cdp enable

crypto map SBC

!

!

interface GigabitEthernet0/1

no ip address

no ip redirects

duplex auto

speed auto

!

interface GigabitEthernet0/1.2

description Server VLAN

encapsulation dot1Q 2

ip address 192.168.2.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip flow egress

ip nat inside

ip access-group 100 in

ip virtual-reassembly

ip policy route-map rmap

!

interface GigabitEthernet0/1.9

description User VLAN

encapsulation dot1Q 9 native

ip address 192.168.10.9 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip flow egress

ip nat inside

ip access-group 100 in

ip virtual-reassembly

ip policy route-map rmap

!

interface GigabitEthernet0/2

ip address 192.168.9.1 255.255.255.0

ip nat inside

ip virtual-reassembly

ip route-cache policy

ip policy route-map rmap

duplex auto

speed auto

!

!

ip local pool ippool 192.168.8.100 192.168.8.200

no ip forward-protocol nd

no ip forward-protocol udp

!

ip http server

ip http secure-server

ip flow-cache timeout active 5

ip flow-export source GigabitEthernet0/1.2

ip flow-export version 5

ip flow-export destination 192.168.2.22 9996

!

ip nat inside source list 110 interface GigabitEthernet0/0.50 overload

ip nat inside source static tcp 192.168.2.16 1414 XXX.XXX.XXX.XXX 1414 extendable

ip nat inside source static tcp 192.168.10.254 20 XXX.XXX.XXX.XXX 20 extendable

ip nat inside source static tcp 192.168.10.254 21 XXX.XXX.XXX.XXX 21 extendable

ip nat inside source static tcp 192.168.10.254 22 XXX.XXX.XXX.XXX 22 extendable

ip nat inside source static tcp 192.168.10.254 25 XXX.XXX.XXX.XXX 25 extendable

ip nat inside source static tcp 192.168.10.254 80 XXX.XXX.XXX.XXX 80 extendable

ip nat inside source static tcp 192.168.10.254 5432 XXX.XXX.XXX.XXX 5432 extendable

ip nat inside source static tcp 192.168.10.254 9095 XXX.XXX.XXX.XXX 9095 extendable

ip nat inside source static tcp 192.168.10.254 9096 XXX.XXX.XXX.XXX 9096 extendable

ip nat inside source static tcp 192.168.10.44 20 XXX.XXX.XXX.XXX 20 extendable

ip nat inside source static tcp 192.168.10.44 21 XXX.XXX.XXX.XXX 21 extendable

ip nat inside source static tcp 192.168.10.44 22 XXX.XXX.XXX.XXX 22 extendable

ip nat inside source static tcp 192.168.10.44 25 XXX.XXX.XXX.XXX 25 extendable

ip nat inside source static tcp 192.168.10.44 80 XXX.XXX.XXX.XXX 80 extendable

ip nat inside source static tcp 192.168.10.44 5432 XXX.XXX.XXX.XXX 5432 extendable

ip nat inside source static tcp 192.168.2.25 25 XXX.XXX.XXX.XXX 25 extendable

ip nat inside source static tcp 192.168.2.25 80 XXX.XXX.XXX.XXX 80 extendable

ip nat inside source static tcp 192.168.2.25 443 XXX.XXX.XXX.XXX 443 extendable

ip nat inside source static udp 192.168.2.25 443 XXX.XXX.XXX.XXX 443 extendable

ip nat inside source static tcp 192.168.2.26 80 XXX.XXX.XXX.XXX 80 extendable

ip nat inside source static tcp 192.168.10.12 1414 XXX.XXX.XXX.XXX 1414 extendable

ip nat inside source static 192.168.10.206 XXX.XXX.XXX.XXX

ip nat inside source static tcp 192.168.2.25 25 XXX.XXX.XXX.XXX 25 extendable

ip nat inside source static tcp 192.168.2.25 80 XXX.XXX.XXX.XXX 80 extendable

ip nat inside source static tcp 192.168.2.25 443 XXX.XXX.XXX.XXX 443 extendable

ip nat inside source static udp 192.168.2.25 443 XXX.XXX.XXX.XXX 443 extendable

ip nat inside source static tcp 192.168.2.28 80 XXX.XXX.XXX.XXX 80 extendable

ip nat inside source static tcp 192.168.2.28 443 XXX.XXX.XXX.XXX 443 extendable

ip nat inside source static tcp 192.168.2.28 8181 XXX.XXX.XXX.XXX 8181 extendable

ip route 0.0.0.0 0.0.0.0 12.252.76.49

ip route 192.168.1.0 255.255.255.0 192.168.10.14

!

ip tacacs source-interface GigabitEthernet0/0.50

!

logging source-interface GigabitEthernet0/0.50

!

access-list 100 permit tcp host 192.168.2.16 192.168.10.0 0.0.0.255 eq 1414

access-list 100 permit tcp host 192.168.10.19 192.168.2.0 0.0.0.255 eq 1984

access-list 100 permit tcp host 192.168.2.29 192.168.10.0 0.0.0.255 eq smtp

access-list 100 permit tcp host 192.168.2.25 any eq smtp

access-list 100 permit tcp 192.168.10.0 0.0.0.255 host 192.168.2.25 eq smtp

access-list 100 permit tcp 192.168.9.0 0.0.0.255 host 192.168.2.25 eq smtp

access-list 100 deny   tcp any any eq smtp

access-list 100 permit ip any any

access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255

access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.12.0 0.0.0.255

access-list 101 permit ip 192.168.9.0 0.0.0.255 192.168.12.0 0.0.0.255

access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255

access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255

access-list 102 permit ip 192.168.9.0 0.0.0.255 192.168.11.0 0.0.0.255

access-list 103 permit ip 192.168.10.0 0.0.0.255 10.5.1.0 0.0.0.255

access-list 103 permit ip 192.168.9.0 0.0.0.255 10.5.1.0 0.0.0.255

access-list 103 permit ip 192.168.2.0 0.0.0.255 10.5.1.0 0.0.0.255

access-list 109 permit ip any any

access-list 110 deny   ip 192.168.2.0 0.0.0.255 10.5.1.0 0.0.0.255

access-list 110 deny   ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255

access-list 110 deny   ip 192.168.2.0 0.0.0.255 192.168.12.0 0.0.0.255

access-list 110 deny   ip 192.168.9.0 0.0.0.255 10.5.1.0 0.0.0.255

access-list 110 deny   ip 192.168.9.0 0.0.0.255 192.168.11.0 0.0.0.255

access-list 110 deny   ip 192.168.9.0 0.0.0.255 192.168.12.0 0.0.0.255

access-list 110 deny   ip 192.168.10.0 0.0.0.255 10.5.1.0 0.0.0.255

access-list 110 deny   ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 110 deny   ip 192.168.10.0 0.0.0.255 192.168.9.0 0.0.0.255

access-list 110 deny   ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255

access-list 110 deny   ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255

access-list 110 permit ip 192.168.2.0 0.0.0.255 any

access-list 110 permit ip 192.168.9.0 0.0.0.255 any

access-list 110 permit ip 192.168.10.0 0.0.0.255 any

access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.9.0 0.0.0.255

access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255

access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255

access-list 120 permit ip 192.168.10.0 0.0.0.255 10.5.1.0 0.0.0.255

access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.8.0 0.0.0.255

access-list 120 permit ip 192.168.2.0 0.0.0.255 10.5.1.0 0.0.0.255

access-list 120 permit ip 192.168.9.0 0.0.0.255 10.5.1.0 0.0.0.255

access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255

access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.12.0 0.0.0.255

access-list 120 permit ip 192.168.9.0 0.0.0.255 192.168.11.0 0.0.0.255

access-list 120 permit ip 192.168.9.0 0.0.0.255 192.168.12.0 0.0.0.255

access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255

access-list 120 permit ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255

access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 130 permit ip 192.168.10.0 0.0.0.255 192.168.8.0 0.0.0.255

access-list 130 permit ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255

access-list 130 permit ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255

access-list 140 permit icmp host 10.5.1.1 any

access-list 140 permit icmp 135.89.154.144 0.0.0.15 any

access-list 140 permit icmp 135.89.154.16 0.0.0.15 any

access-list 140 permit icmp 135.89.157.160 0.0.0.15 any

access-list 140 permit icmp 135.89.152.48 0.0.0.15 any

access-list 140 permit icmp 135.89.152.144 0.0.0.15 any

access-list 140 permit icmp 135.89.152.128 0.0.0.15 any

access-list 140 permit icmp 135.89.183.192 0.0.0.63 any

access-list 140 permit icmp 135.89.183.64 0.0.0.63 any

access-list 140 deny   icmp any any

access-list 140 permit ip any any

!

no cdp run

!

!

!

route-map rmap permit 10

match ip address 120

set ip next-hop 1.1.1.2

!

!

snmp-server community public RO

snmp-server ifindex persist

!

control-plane

!

!

!

line con 0

password 7 XXXXXXXXXXXX

line aux 0

line vty 0 4

password 7 XXXXXXXXXXXX

!

scheduler allocate 20000 1000

end

Any assistance anyone could offer would be highly appreciated!

Thanks,

- Shaun

6 Replies

rfalconer.sffcu
Level 3

It's probably an issue on the switchports that connect to each of those ports on the router. Can you post the config for the switchports?

Thanks.

After removing the route-map rmap, I am able to get devices connected to both the 192.168.10.9 and 192.168.9.1 gateways and can ping devices which are connected to the 10.9 gateway from 9.1 gateway devices and vice versa. Additionally, I am able to ping the 192.168.2.1 gateway from devices connected to either the 10.9 gateway or the 9.1 gateway. My big issue now is that I am unable to get devices connected to the 192.168.2.1 gateway. I have tried adding a switch with VLAN2 enabled and set the VLAN2 IP address to 192.168.2.2. I also configured the interface for VLAN2 to "switchport mode access" and "switchport access vlan 2". The switch itself is still unable to ping the 2.1 gateway.

Additional information: I have a 2901 Integrated Services Router in production which is using the exact same config and is working perfectly fine. This 2911 router is new (purchased a week ago). All interfaces say Up/Up on the 2911, except Embedded-Services-Engine0/1.

devils_advocate
Level 7

Nothing obviously wrong on the config of those ports.

You said you can ping the L3 addresses on these interfaces. Where did you ping 'from'?

Can you show the switchport side of the config?

If you are able to ping the interfaces from the switch then packets are flowing correctly so to speak. Can you elaborate on what the actual issue is? Are users getting IP addresses but not able to access the internet? Can you ping the default gateway from a host on those subnets?

Thanks

Please see the response above.

cadet alain
VIP Alumni

Hi,

Can you remove the PBR route-map rmap and verify if it is working without it?

Regards

Alain

Don't forget to rate helpful posts.


Please see the response above.
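
An added example, not part of any post in this thread: the Python sketch below evaluates ACL 120 and route-map rmap as posted in the config to show which source/destination pairs the policy route diverts to 1.1.1.2 (an address in the Loopback1 subnet) instead of the normal routing table. The function names are made up for this sketch, and the parser assumes only the address/wildcard ACL form that ACL 120 uses.

```python
import ipaddress

# ACL 120 and route-map rmap, copied from the configuration posted in the thread.
CONFIG = """\
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 10.5.1.0 0.0.0.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 10.5.1.0 0.0.0.255
access-list 120 permit ip 192.168.9.0 0.0.0.255 10.5.1.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 120 permit ip 192.168.9.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 120 permit ip 192.168.9.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 120 permit ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
route-map rmap permit 10
match ip address 120
set ip next-hop 1.1.1.2
"""

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse(config):
    """Parse 'ip <addr> <wildcard> <addr> <wildcard>' ACEs and the route-map clause."""
    acls, acl_id, next_hop = {}, None, None
    for line in config.splitlines():
        f = line.split()
        if f[:1] == ["access-list"] and f[3] == "ip":
            acls.setdefault(f[1], []).append((f[2], f[4], f[5], f[6], f[7]))
        elif f[:3] == ["match", "ip", "address"]:
            acl_id = f[3]
        elif f[:3] == ["set", "ip", "next-hop"]:
            next_hop = f[3]
    return acls, acl_id, next_hop

def pbr_next_hop(src, dst, config=CONFIG):
    """Next hop forced by the route-map, or None if the packet is routed normally."""
    acls, acl_id, next_hop = parse(config)
    for action, s, sw, d, dw in acls.get(acl_id, []):   # first match wins
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return next_hop if action == "permit" else None
    return None   # implicit deny: no policy routing
```

With the posted ACL, traffic from 192.168.10.x to 192.168.2.x or 192.168.9.x is diverted to 1.1.1.2, while the return direction matches no entry in ACL 120 and follows the routing table.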
