Oh Cisco, how can you so royally screw up here?
Make sure the port-channel on the switch is configured for the IEEE standard Link Aggregation Control Protocol (LACP), not the Cisco proprietary Port Aggregation Protocol (PAgP).
But then you give configuration for nailed-up LAG (not using LACP or PAgP):
channel-group <id> mode on
You should be clear and say "do not use any negotiation protocol".
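The three bundling modes the post contrasts, side by side on a two-port bundle, as an added IOS example (not the Cisco documentation's text and not the poster's configuration; interface names and the channel-group number are assumptions). Both ends of a bundle must use the same protocol, so the comments say which line is which:

```text
! Added example: pick ONE of the three channel-group lines below.
interface range GigabitEthernet1/0/1 - 2
 ! IEEE 802.3ad LACP. Negotiates the bundle and drops a member that stops
 ! receiving LACPDUs, so a miscabled or one-way link does not blackhole traffic.
 ! Use "active" on at least one side ("passive" only answers).
 channel-group 1 mode active
 !
 ! Cisco PAgP (proprietary, Cisco-to-Cisco only). "desirable" initiates, "auto" answers.
 ! channel-group 1 mode desirable
 !
 ! Nailed-up / static bundle: no negotiation protocol at all. The switch bundles
 ! the ports unconditionally and cannot detect a miswired member.
 ! channel-group 1 mode on
!
! Verification: the Protocol column shows LACP, PAgP, or "-" for a static bundle.
show etherchannel summary
```

The "Protocol" column of `show etherchannel summary` is the quickest way to confirm that what was actually configured matches what the documentation asked for.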
I am researching this design and came across this post. Thanks for this. The reason for this research is exactly the same reason that you implemented yours. How are you going with it, if you don't mind me asking? I have to brush up on my BGP. I recall something about BGP not coming up unless the route table has a route.
Hey all, unrelated to this exact issue, but I have a 5515-X which I specifically loaded with the 9.7.1 release to utilise VTI IPsec VPN tunnels. The tunnels come UP/UP, but when you route data-plane traffic across them (i.e. actual data) the hardware appliance crashes with a page fault. Luckily for me, I have an HA pair of ASAs, so the second one took over, but then unfortunately for me it immediately crashed with the same page fault error.
Leaving the tunnels up/up but not routing any traffic across them does not exhibit a page fault crash.
TAC advised me that they were already aware of this issue with an internal-only bug ID: CSCvc35378
This is fixed in 9.7.2 which I am now using. Does IRB work in 9.7.2?
What annoyed me is that the release notes did not mention that VTI tunnels aren't actually functional in 9.7.1. As the bug ID is internal to Cisco only, this doesn't help me, and it resulted in an outage and potential loss of earnings.
I have a simple setup where I have a 2911 router with three interfaces: Inside, Outside, and a second "Inside" interface which is labelled as a DMZ. The zone firewall applied to the "DMZ" is actually Inside (until I can work through problems). I need to be able to access a device on the DMZ via its external IP, so I have designed NAT to use IP NAT Enable commands. This is now working for me fine. However, since utilising IP NAT Enable, my zone firewall now denies return TCP / UDP traffic and consequently I no longer have any internet access.

Looking at the syslog messages, the reason for this is that the router is denying these return flows not because they are matching the outside-to-inside policy, but rather they are matching the outside-to-SELF policy. The router seems to detect that the internet traffic is being returned to SELF, when in reality the NAT rule should pick this up and forward it to inside. I can understand why this is happening, because I am NATting all private / inside traffic behind the external IP of the router, which is assigned to the Gi0/0 interface.

My firewall is simple:
inside to outside - inspect tcp, udp and icmp
outside to inside - drop all traffic except some specifically defined ports
outside to SELF - drop all traffic except management ports (ssh etc)
SELF to outside - no policy: permit all traffic so that it is not a requirement to inspect (firewall was set up at a time when Self to outside inspection was not working due to a bug)

Here is my configuration:

version 15.2
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CG-2911
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 51200 warnings
enable secret 4 OmFIbRBJhBai/2o.
!
aaa new-model
!
aaa authentication login default local
aaa authorization console
!
aaa session-id common
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
!
no ip source-route
ip cef
!
no ip bootp server
ip domain name yourdomain.com
no ipv6 cef
!
parameter-map type ooo global
 tcp reassembly queue length 64
multilink bundle-name authenticated
!
object-group network SIP-TIPICALL-NETS
 host 184.108.40.206
 host 220.127.116.11
!
object-group service TELEWORKER-INBOUND
 description Ports required opened to Teleworker DMZ from Internet
 tcp eq 3300
 udp range 20000 23000
 tcp eq 2114
 tcp eq 2116
 tcp range 6801 6802
 tcp eq 3998
 tcp eq 6880
 tcp eq 37000
 tcp eq 35000
 tcp eq www
 tcp eq 443
!
vtp mode transparent
username admin privilege 15 secret 4 OmFIbRbCOARHxaBJhBai/2o.
!
redundancy
!
ip tcp synwait-time 10
no ip ftp passive
lldp run
!
class-map type inspect match-any PING
 match protocol icmp
class-map type inspect match-any DEF-VOICE-INSP
 match protocol h323
 match protocol sip
class-map type inspect match-all ALLOW-SIP-ITSP-IN
 match protocol sip
 match access-group name ALLOW-TIPICALL-ITSP
class-map type inspect match-any GRE-INSPECT
 match access-group name GRE
class-map type inspect match-any DEFAULT-INSPECT
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any SDM-ESP
 match access-group name SDM-ESP
class-map type inspect match-any OFFICE-MGMT
 match protocol icmp
 match protocol ssh
 match protocol https
class-map type inspect match-any NTP
 match protocol ntp
class-map type inspect match-any TELEWORKER-PORTS
 match access-group name TELEWORKER-INBOUND-PORTS
class-map type inspect match-all MGMT-TO-SELF
 match class-map OFFICE-MGMT
 match access-group name CS-SUPPORT-NETS
class-map type inspect match-any VPN-PROTOCOLS
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM-ESP
class-map type inspect match-all TELEWORKER-IN
 match access-group name TELEWORKER-DMZ
 match class-map TELEWORKER-PORTS
class-map type inspect match-all ALLOW-NTP
 match class-map NTP
 match access-group name NTP
!
policy-map type inspect GUEST-OUTSIDE
 class type inspect DEFAULT-INSPECT
  inspect
 class class-default
  pass
policy-map type inspect INSPECT-OUTBOUND
 class type inspect DEFAULT-INSPECT
  inspect
 class type inspect DEF-VOICE-INSP
  inspect
 class class-default
  pass
policy-map type inspect OUT-SELFBOUND
 class type inspect PING
  pass
 class type inspect MGMT-TO-SELF
  pass
 class type inspect ALLOW-NTP
  pass
 class type inspect VPN-PROTOCOLS
  pass
 class class-default
  drop log
policy-map type inspect OUTSIDE-GUEST
 class class-default
  drop log
policy-map type inspect INSPECT-INBOUND
 class type inspect GRE-INSPECT
  pass
 class type inspect ALLOW-SIP-ITSP-IN
  inspect
 class type inspect TELEWORKER-IN
  inspect
 class class-default
  drop log
!
zone security OUTSIDE
zone security INSIDE
zone security GUEST
zone-pair security INSIDE-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSPECT-OUTBOUND
zone-pair security OUTSIDE-IN source OUTSIDE destination INSIDE
 service-policy type inspect INSPECT-INBOUND
zone-pair security OUT-SELF source OUTSIDE destination self
 service-policy type inspect OUT-SELFBOUND
zone-pair security GUEST-OUTSIDE source GUEST destination OUTSIDE
 service-policy type inspect GUEST-OUTSIDE
zone-pair security OUTSIDE-GUEST source OUTSIDE destination GUEST
 service-policy type inspect OUTSIDE-GUEST
!
interface Loopback0
 description Loopback Interface for OSPF process
 ip address 172.22.255.127 255.255.255.255
 no ip redirects
 no ip unreachables
 ip flow ingress
!
interface Null0
 no ip unreachables
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description WAN facing Internet 10MB Auto link
 ip address 18.104.22.168 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast reverse-path
 ip flow ingress
 ip nat enable
 ip virtual-reassembly in max-reassemblies 256
 zone-member security OUTSIDE
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description LAN facing interface$FW_INSIDE$$ETH-LAN$
 ip address 172.23.131.252 255.255.255.0
 ip helper-address 172.23.128.31
 ip helper-address 172.23.128.32
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat enable
 zone-member security INSIDE
 ip ospf message-digest-key 1 md5 7 130647
 ip ospf hello-interval 1
 ip ospf cost 20
 standby 131 ip 172.23.131.254
 standby 131 timers 1 4
 standby 131 priority 90
 standby 131 preempt delay minimum 60 reload 60
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1.441
 description Office DMZ interface
 encapsulation dot1Q 441
 ip address 172.23.141.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat enable
 zone-member security INSIDE
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
router ospf 1
 passive-interface default
 no passive-interface GigabitEthernet0/1
 no passive-interface Tunnel438
 no passive-interface Tunnel439
 network 172.23.131.0 0.0.0.255 area 0
 network 172.23.132.0 0.0.0.255 area 0
 network 172.23.138.0 0.0.0.255 area 0
 network 172.23.139.0 0.0.0.255 area 0
 network 172.23.140.0 0.0.0.255 area 0
!
ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
!
ip http server
ip http access-class 80
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat source static tcp 172.23.132.240 5060 interface GigabitEthernet0/0 5060
ip nat source static udp 172.23.132.240 5060 interface GigabitEthernet0/0 5060
ip nat source route-map NAT-MAP interface GigabitEthernet0/0 overload
ip nat source static 22.214.171.124 172.23.128.31
ip nat source static 126.96.36.199 172.23.128.32
ip nat source static 172.23.141.241 188.8.131.52
ip route 0.0.0.0 0.0.0.0 184.108.40.206
!
ip access-list standard VTY-ACCESS
 permit 192.168.250.0 0.0.1.255
 permit 172.23.32.0 0.0.0.255
 permit 172.23.131.0 0.0.0.255
!
ip access-list extended ALLOW-TIPICALL-ITSP
 permit ip object-group SIP-TIPICALL-NETS host 172.23.132.240
ip access-list extended CS-NETS
 permit ip host 220.127.116.11 any
ip access-list extended GRE
 permit gre any any
ip access-list extended NAT
 permit ip 172.23.128.0 0.0.15.255 any
ip access-list extended NTP
 permit ip host 130.88.
ip access-list extended SDM-ESP
 permit esp any any
ip access-list extended TELEWORKER-DMZ
 permit ip any host 172.23.141.241
ip access-list extended TELEWORKER-INBOUND-PORTS
 permit object-group TELEWORKER-INBOUND any any
!
access-list 80 permit 172.23.32.0 0.0.0.255
access-list 80 permit 172.23.128.0 0.0.15.255
access-list 80 permit 192.168.250.0 0.0.1.255
!
route-map NAT-MAP permit 100
 match ip address NAT
!
control-plane
!
line con 0
 logging synchronous
 transport output telnet
line aux 0
 transport output telnet
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class VTY-ACCESS in
 privilege level 15
 transport input telnet ssh
line vty 5 1114
 access-class VTY-ACCESS in
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 130.88.
!
end
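The diagnosis in the post rests on reading the ZBF drop messages and noticing which zone-pair they hit. The script below, an added example and not part of the post or of IOS, does that triage over syslog: it parses `%FW-6-DROP_PKT` lines, counts drops per zone-pair, and flags the ones on the outside-to-self pair that look like replies to PAT'd inside sessions rather than genuine traffic for the router. The log lines are constructed in the shape of IOS drop messages using documentation addresses (203.0.113.2 stands in for the router's WAN address), and the "service port to ephemeral port" rule is a heuristic chosen for this example, not an IOS feature.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of IOS ZBF %FW-6-DROP_PKT messages.
# Addresses are documentation ranges, not the post's; 203.0.113.2 plays the
# router's WAN address (assumption for this example).
SAMPLE_LOG = """\
000231: Jan  5 10:01:02.345 GMT: %FW-6-DROP_PKT: Dropping tcp session 198.51.100.20:443 203.0.113.2:51514 on zone-pair OUT-SELF class class-default due to  DROP action found in policy-map with ip ident 0
000232: Jan  5 10:01:02.789 GMT: %FW-6-DROP_PKT: Dropping udp session 198.51.100.53:53 203.0.113.2:40001 on zone-pair OUT-SELF class class-default due to  DROP action found in policy-map with ip ident 0
000233: Jan  5 10:01:03.001 GMT: %FW-6-DROP_PKT: Dropping tcp session 198.51.100.99:44022 172.23.141.241:3389 on zone-pair OUTSIDE-IN class class-default due to  DROP action found in policy-map with ip ident 0
000234: Jan  5 10:01:03.120 GMT: %FW-6-DROP_PKT: Dropping tcp session 198.51.100.99:44023 203.0.113.2:22 on zone-pair OUT-SELF class class-default due to  DROP action found in policy-map with ip ident 0
"""

# Fields we need: protocol, source/destination socket pairs, zone-pair and class.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zpair>\S+) class (?P<cls>\S+)"
)


def parse_drops(log_text):
    """Return one dict per %FW-6-DROP_PKT line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        e["sport"] = int(e["sport"])
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def drops_by_zone_pair(events):
    """Which zone-pair is doing the dropping: the first thing to check."""
    return Counter(e["zpair"] for e in events)


def suspected_nat_return_drops(events, wan_ip, self_pair="OUT-SELF"):
    """Heuristic (this example's assumption, not an IOS feature): a drop on the
    outside-to-self pair, addressed to the router's own WAN address, coming FROM
    a well-known service port TO an ephemeral port looks like the reply to a
    PAT'd inside session that the firewall classified as traffic for the router
    itself. A packet aimed AT a service port on the router (an unsolicited SSH
    probe, say) is left out: that is what the outside-to-self policy is for."""
    return [
        e for e in events
        if e["zpair"] == self_pair
        and e["dst"] == wan_ip
        and e["sport"] < 1024
        and e["dport"] >= 1024
    ]


if __name__ == "__main__":
    ev = parse_drops(SAMPLE_LOG)
    print(drops_by_zone_pair(ev))
    for e in suspected_nat_return_drops(ev, "203.0.113.2"):
        print(f"likely NAT return misclassified as to-self: "
              f"{e['proto']} {e['src']}:{e['sport']} -> {e['dst']}:{e['dport']}")
```

On the sample, two of the three OUT-SELF drops are replies from port 443 and port 53 to ephemeral ports on the WAN address (the symptom described), while the drop of an inbound connection to port 22 is left alone, since blocking that is the outside-to-self policy doing its job.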
My company ripped these phones out and installed a Mitel system. Client now happy. We still have the UC560 but we're going to bin the phones. I'm going to bring in some 79xx and a 9971 to demo some better phones on the same system. The UC560 was grief from the beginning, but I blame the phones. I use a CUCME / 2901 at home, no issue there.
I have an issue. When I place an inbound call to my CUCME, my skinny phones are good and they match the calling number with the entry in the directory, but my SIP phones do not. Why is this? I ran a lot of debugs and CUCME does not send the calling name to the SIP phones. Has anyone else noticed this?
I've been playing with my home lab and I thought that delayed offer was the default? I've been packet capturing and all of my INVITE messages are using early offer with the SDP in the INVITE message. Early offer is not enabled globally or on the dial-peer. It seems when I enable it on the dial-peer it doesn't have any effect. This is not causing a problem other than I'm trying to study, but has anyone else had this?