Hi, Have you tried using the no switchport command and then applying an IP address to the etherswitch port that connects to another router? This would make it a routed port, which may be what you need. Regards, Ash.
Hi Steve, Are all switches definitely running the same IOS? Silly question as I am sure they probably are, but worth an ask! Regards, Ash,
Your ping by default will use the ip address of the egress interface, e.g. R1:f0/0 --> R2:f0/0: if you did a vanilla ipv4 ping from R1 to any R2 interface, it would use the source ip address of R1:f0/0. In your specific scenario, it would depend on the switch layer2/layer3 vlan and trunk design. Can you pass over the configs of the two switches and the ping commands you are trying that fail? Regards, Ash.
Hi desrochj1 Interesting problem. Do these retransmissions correlate against any tcp window sizes? TCP retransmissions would effectively be requested by the receiver through use of selective acks etc, so it implies that the segments are either not reaching the destination or the acknowledgements are not reaching the sender properly. If you have the time, I would set up a small file transfer first using ssh then ftp etc and capture at each interface in the path. Time consuming, but you could then compare the tcp streams to isolate at which point the problem occurs. There may be far simpler and helpful troubleshooting methods than mine that are posted however! Regards, Ash.
Hi Colin, I would expect phones/pcs to use the 3750 svi as their dfg, but if you think about it we have a trunk configured up to the wan router - this implies that the wan router also has interfaces in each of the data and voice vlans. Purely conjecture, but I can't see why else there would be a trunk! I think the switch may be proxy-arping on the uplink to the router - it would be interesting to see what is happening at l2 and l3 on this link. My personal preference for this design would be for an L3 point-to-point link from 3750 to router running a dynamic routing protocol - check out the SBA below for wan branch design: http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Smart_Business_Architecture/SBA_Enterprise_WAN_Configuration_Guide_H2CY10.pdf Regards, Ash.
Hi Colin, I guess the only reason you would need a trunk up to the router is if it had a view of the vlans - i.e. wan provider had a sub-interface for each vlan which it would use to advertise each subnet into your wan. Which is what you want of course! I can't see why your config wouldn't work - there is more than one way to skin a cat after all! But without a copy of the wan router config we are left to second guess how the provider is doing it. The only problem I can see (and it is minor) is if you needed to add a new vlan/subnet in the future, e.g. for servers etc. There will be a required change with the provider to create the vlan subinterface on their router and update their routing. If you used a routed link and peered using eigrp or something then you would have control over what networks to add and remove from the wan. Regards, Ash.
Hi Colin, From the config below, it looks like you have your voice and data vlans configured on the switch, with L3 SVI's also. I imagine the previous configuration using the 3560's was to trunk up to the router, with the router then splitting the vlans and performing the inter-vlan routing? If it was me, I would keep the same design and configuration as all of my other branch sites to maintain a consistent template - aids support/troubleshooting etc. If you want to bring layer 3 down from the router to the 3750, I would probably configure the 3750 to router port as Layer 3 also, and use IP routing rather than a Layer 2 IP default-gateway. This would require a new point-to-point subnet however. Or if you want, maybe you could add the uplink as an access port in vlan 3 (data) and use the default gateway 10.177.56.1 (the router i assume) which should also work. Remember to advertise the voice network however on the wan router or connectivity may not be there! Regards, Ash.
I think for your inbound traffic (outside to inside) you will require a static nat translation. e.g. static (outside,inside) 10.149.241.0 172.16.0.0 netmask 255.255.255.0 0 0 I don't think that specific example will work for you due to subnet mask mis-match, but the theory may be on the right lines. Alternatively, I found a post discussing the method you were trying, also finding similar issues: http://www.groupstudy.com/archives/security/200306/msg00000.html It may be worth a read - especially the conduit permit ip command and debugging they are using to troubleshoot. Regards, Ash.
I second Mel's post - using an EtherChannel also allows you to make use of both links (or however many interfaces are in the channel) whereas using multiple L2 links without EtherChannel would result in Spanning Tree blocking. Therefore more bandwidth as well as more resiliency! It is also worth reviewing this document to understand the default load-balancing behaviour and how it can be tuned: http://www.cisco.com/en/US/tech/tk389/tk213/technologies_tech_note09186a0080094714.shtml Kind regards, Ash.
The network statement in bgp for 189.1.1.0 may be clashing, so I would remove this. To test redistribution from OSPF to BGP, we must first check that OSPF is enabled for the interface and that the network (and appropriate LSA) is in our OSPF link database. Can we have output for:
border1# show ip ospf int -> ensure fa0/0 is present
border1# show ip ospf data data -> check for type 2 lsa for 189.1.1.0/24
Also, redistribution will only occur if the source routing protocol has the route in the routing table:
border1# show ip route ospf -> check for 189.1.1.0/24 net
Finally, if the above is correct border1 should redistribute from ospf to bgp - check the bgp table to make sure:
border1# show ip bgp -> check for 189.1.1.0/24 net
If that is all good, the problem may be with the ebgp exchange process - but let's test the above first! Regards, Ash.
Is your computer local to the adsl router, and what interface are you pinging? How many local devices are on this network? If you can send the config and log over I can sanity check it for any problems. Going forward, you need to isolate the problem domain - is it lan/wan? Router, switch or client? Layer 1, 2 or 3? Regards, Ash.
Hi Avlit. The main causes for OSPF adjacencies not forming are:
- mis-matched subnet on broadcast network (this looks okay from your config)
- mis-matched hello timers
- mis-matched ospf area id's
- mis-matched ospf area types
- no ospf interfaces configured
I would agree with the previous posts, it looks like Router A is not correctly configured (network 10.10.126.54 0.0.0.0 area 0). To view what interfaces are participating in ospf, use the show ip ospf interface command. I would bet that Router A will not show g0/0 as an ospf interface. You can correct this by either amending the network statement to "network 10.10.126.53 0.0.0.0 area 0", or by configuring ospf on the interface using the "ip ospf 65182 area 0" command. Once you are happy the interface is in ospf, then check the neighbour adjacencies. Removing authentication will clear the mist here as previously posted, once the neighbourship is up you can then apply authentication. Regards, Ash.
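The network-statement mismatch described in the post above, as an added example that is not part of the original thread: an offline check of which interfaces an OSPF "network <address> <wildcard> area <id>" statement actually enables, and which statements match nothing. The g0/0 address 10.10.126.53 is assumed from the fix suggested in the post; the function names and the sample data layout are hypothetical.

```python
import ipaddress

def _u32(addr):
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def statement_matches(stmt_addr, wildcard, if_addr):
    """Wildcard bits set to 1 are don't-care; every other bit of the
    interface address must equal the statement address."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(stmt_addr) & care) == (_u32(if_addr) & care)

def ospf_coverage(interfaces, statements):
    """Map each interface to the area of the first statement (in the order
    supplied) that matches it, or None if no statement enables OSPF there."""
    coverage = {}
    for name, addr in interfaces.items():
        coverage[name] = next(
            (area for s, w, area in statements
             if statement_matches(s, w, addr)), None)
    return coverage

def unused_statements(interfaces, statements):
    """Statements that match no local interface: usually a typo."""
    return [st for st in statements
            if not any(statement_matches(st[0], st[1], a)
                       for a in interfaces.values())]

# Constructed sample data; interface address assumed from the post's fix.
ROUTER_A_IFS = {"g0/0": "10.10.126.53"}
BROKEN = [("10.10.126.54", "0.0.0.0", "0")]   # statement quoted in the post
FIXED = [("10.10.126.53", "0.0.0.0", "0")]    # amended statement from the post

if __name__ == "__main__":
    for label, stmts in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, ospf_coverage(ROUTER_A_IFS, stmts),
              "unused:", unused_statements(ROUTER_A_IFS, stmts))
```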
Hi Vin, I would check the Cisco SBA and Validated Design Zone as a first pass. Lots of great design documents there. As for how I would create a high level design - keep it simple. You just want an overview of the connectivity - e.g. for a dual-site head office with 100+ branch wan, I would only show a single branch site as a template. Every network is different, but the more documentation you write and read the more you will define your own style. Apologies I can't give you any of my customer's documentation - NDA's and everything! Regards, Ash,