Hi Richard,
Below are the details,

route-map guest permit 10
 match ip address XXX
 set ip next-hop XXX
interface VlanXXX
 ip policy route-map guest
%PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map guest has unsupported options for Policy-Based Routing. It has been removed from interface, if applied.
Hi Richard,
Thanks for the suggestion, however that does not help.
Feb 11 19:59:32.263: %PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map guest has unsupported options for Policy-Based Routing. It has been removed from interface, if applied.
Hi Sergey,
Thanks for the response; below are the details.
Original config:

route-map guest permit 10
 match ip address XXX
 set ip df 0
 set ip next-hop XXX
interface VlanXXX
 description GUEST
 ip address XXX 255.255.255.0
 ip access-group XXX in
 ip policy route-map guest
%PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map "XXX " has unsupported options for Policy-Based Routing. It has been removed from interface, if applied.
Hi All,
Need your advice to fix the error given above on my new device - 3850.
My site has a legacy setup with a Guest Tunnel on the Core switch to the Hub, and I'm working on an upgrade from 6500 to 3850.
While trying to add the original config route-map, I am getting an error, and the policy-map line is completely removed from the interface.
Will the below configuration help with the same legacy feature?
==================================
interface VlanXX
 description GUEST
 ip address X.X.X.X 255.255.255.0
route-map "XXXX" permit 10
 match ip address 111
 set ip df 0
 set ip next-hop X.X.X.X
 set interface VlanXX
111 -ACL
===================================
Need some in-depth understanding of how Avaya & PC work together. Can anyone please answer the below questions:
How do the Avaya phone & PC start to communicate with the switch first?
Who will send CDP to the Cisco switch first, either the Avaya (since CDP is Cisco proprietary) or the Cisco switch?
The first packet from both devices carries which VLAN (native or respective VLANs)?
How does the DHCP server discovery happen?
Is it possible for anyone to explain the process at the moment when the PC and phone get connected together to the network?
Hi Jose,
As per your answer, in P2P we couldn't get the result as per the attached DOC. If I have HUB and spoke (IPSEC/DMVPN) as per the above document, will I get the IP header in Wireshark? Like:
Tunnel mode => source ip tunnel ip
Transport mode => source ip physical
Is my understanding completely wrong? Need your help to understand what the below attached diagram says.
==============================================
What is a new IP header in Tunnel mode?
What is original IP header in Transport mode?
Please find the attachment here also.
Hi Jose,
Thank you so much. You are right: once I removed the keepalive config, the tunnel started to work. No idea how it's working. Why is the "IPSEC profile" with keepalive not working? The same keepalive configured with "IPSEC crypto map" is working.
I have one more question here. In the ipsec profile, how was the interesting traffic picked automatically? I have not defined any interesting traffic myself. Is this the advantage of creating an ipsec profile instead of the old tech (crypto map)?

R1#sh crypto map
Crypto Map "Tunnel1-head-0" 65536 ipsec-isakmp
        Profile name: vino
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                ge3vpn: { esp-3des esp-sha-hmac } ,
        }

Crypto Map "Tunnel1-head-0" 65537 ipsec-isakmp
        Map is a PROFILE INSTANCE.
        Peer = 192.168.23.3
        Extended IP access list
            access-list permit gre host 192.168.12.1 host 192.168.23.3
        Current peer: 192.168.23.3
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                ge3vpn: { esp-3des esp-sha-hmac } ,
        }
        Interfaces using crypto map Tunnel1-head-0:
                Tunnel1
R1#
Source Physical IP : 192.168.12.1
Destination Physical IP : 192.168.23.3
Tunnel Source IP : 192.168.13.1
Tunnel Destination IP : 192.168.13.3

Tunnel mode with esp:
++++++++++++++++++++
crypto ipsec transform-set ge3vpn esp-3des esp-sha-hmac
=> When I am using this I could see the below frame in Wireshark:
[Protocols in Frame: eth:ip:esp]
The complete packet is encapsulated, including the tunnel IP; I could only see the physical IPs.
Here I have attached the diagram which I referred to for the tunnel mode & transport mode. As per the diagram for tunnel mode with esp, it shows a NEW IP header will be added on top of the original header. Is the original header the tunnel IP or the physical IP? Could you please guide me if my understanding is wrong; that would help me to correct myself.

Transport with AH header
+++++++++++++++++++++++
crypto ipsec transform-set ge3vpn esp-3des esp-sha-hmac
=> When I am using this I could see the below frame in Wireshark. This header is correct as per the DOC:
[Protocols in Frame: eth:ip:ah:ip:gre:ipgre]
Hi Rick,
Thanks. The DOC says: IPSEC Tunnel mode => the first header will have the tunnel IP on top of the original IP header. Transport mode => the header with the physical IP will be the first header. Can you please clarify this for me?
Hi Joseph Doherty,
Thanks for your update. Let me remove the keepalive and check, and I will share my complete configuration as soon as possible. When I came across the Cisco document:
1) IPSEC Tunnel mode means the source IP would be the Tunnel IP.
2) IPSEC Transport means the source IP would be the Physical IP.
Please correct me if I am wrong. I have tested the same through GNS3/Wireshark. However, for both Tunnel mode and Transport mode I am seeing that the source IP (IP header) is my physical interface only.
Hi All,
I have tried the GRE-IPSEC tunnel in GNS3. First I created a crypto-map and everything was working fine without any issues. With the same set-up, I tried with an ipsec profile and removed the crypto. Once I applied the tunnel protection, the GRE tunnel is showing up/down. Need your help on this. Below is the configuration.
===================================================================
1) Before applying IPSEC profile in Tunnel interface.

R1#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  administratively down down
FastEthernet1/0            unassigned      YES NVRAM  administratively down down
FastEthernet1/1            192.168.12.1    YES NVRAM  up                    up
SSLVPN-VIF0                unassigned      NO  unset  up                    up
Loopback0                  192.15.38.104   YES manual up                    up
Loopback1                  unassigned      YES NVRAM  up                    up
Tunnel1                    192.168.13.1    YES NVRAM  up                    up
R1#
IP-EIGRP neighbors for process 13
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   192.168.13.3            Tu1               13 00:02:29 1315  5000  0  35
R1#
============================================================
R2#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  administratively down down
FastEthernet1/0            unassigned      YES NVRAM  up                    up
FastEthernet1/1            192.168.23.3    YES NVRAM  up                    up
SSLVPN-VIF0                unassigned      NO  unset  up                    up
Loopback0                  192.35.38.103   YES manual up                    up
Loopback1                  unassigned      YES NVRAM  administratively down down
Tunnel1                    192.168.13.3    YES NVRAM  up                    up
R2#
R2#sh ip ei ne
IP-EIGRP neighbors for process 13
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   192.168.13.1            Tu1               13 00:01:54  116  1362  0  35
R2#
==========================================================
IPSEC CONFIGURATION:

R1#sh run | sec crypto
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key vino address 192.168.23.3
crypto ipsec transform-set tset esp-3des esp-md5-hmac
crypto ipsec profile IPSEC-PROFILE
 set transform-set tset
R1#

R2#sh run | sec crypto
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key vino address 192.168.12.1
crypto ipsec transform-set tset esp-3des esp-md5-hmac
crypto ipsec profile IPSEC-PROFILE
 set transform-set tset
R2#
==============================================
2) After applying the tunnel protection on the tunnel, the EIGRP peer as well as the tunnel protocol shows down.

R2#sh run int tunnel 1
Building configuration...

Current configuration : 228 bytes
!
interface Tunnel1
 ip address 192.168.13.3 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source FastEthernet1/1
 tunnel destination 192.168.12.
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE
end
R2#

R1#sh run int tunnel 1
Building configuration...

Current configuration : 228 bytes
!
interface Tunnel1
 ip address 192.168.13.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source FastEthernet1/1
 tunnel destination 192.168.23.3
 tunnel mode ipsec ipv4      ===>After applying only the ipsec tunnel formed but no encryption
 tunnel protection ipsec profile IPSEC-PROFILE
end
R1#

R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.12.1    192.168.23.3    QM_IDLE           1006 ACTIVE

IPv6 Crypto ISAKMP SA

But no encryption/decryption:

R1#sh crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Tunnel1
Uptime: 00:02:15
Session status: UP-ACTIVE
Peer: 192.168.23.3 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 192.168.23.3
      Desc: (none)
  IKE SA: local 192.168.12.1/500 remote 192.168.23.3/500 Active
          Capabilities:(none) connid:1006 lifetime:23:57:43
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 4381706/3464
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4381706/3464
R1#
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
R1#
R1#sh int description
Interface                      Status         Protocol Description
Fa0/0                          admin down     down
Fa1/0                          admin down     down     TESTING IPSEC R2
Fa1/1                          up             up       **** connect to ISP****
SS0                            up             up
Lo0                            up             up
Lo1                            up             up
Tu1                            up             down
R1#

R2#sh run int tunnel 1
Building configuration...

Current configuration : 228 bytes
!
interface Tunnel1
 ip address 192.168.13.3 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source FastEthernet1/1
 tunnel destination 192.168.12.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE
end
R2#

R2#sh int description
Interface                      Status         Protocol Description
Fa0/0                          admin down     down
Fa1/0                          up             up
Fa1/1                          up             up       *** TO ISP ****
SS0                            up             up
Lo0                            up             up
Lo1                            admin down     down
Tu1                            up             down
R2#

R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.12.1    192.168.23.3    QM_IDLE           1006 ACTIVE

IPv6 Crypto ISAKMP SA

R2#
R2#sh crypto session de
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Tunnel1
Uptime: 00:02:39
Session status: UP-ACTIVE
Peer: 192.168.12.1 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 192.168.12.1
      Desc: (none)
  IKE SA: local 192.168.23.3/500 remote 192.168.12.1/500 Active
          Capabilities:(none) connid:1006 lifetime:23:57:20
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 4506558/3440
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4506558/3440
R2#
=========================================================
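Added example, not part of the original posts: the capture above shows a session that is UP-ACTIVE with two SAs installed while both packet counters stay at 0, which is easy to miss when only the IKE state is checked. This Python sketch parses "sh crypto session detail" text and returns such sessions; the function and field names are assumptions made for the example, and the check is only meaningful after test traffic has been sent across the tunnel.

```python
import re

# Fields copied from the R1 "sh crypto session detail" capture in the post above.
SAMPLE = """\
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 192.168.23.3 port 500 fvrf: (none) ivrf: (none)
  IKE SA: local 192.168.12.1/500 remote 192.168.23.3/500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 4381706/3464
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4381706/3464
"""

FIELDS = {
    "interface": re.compile(r"Interface:\s*(\S+)"),
    "status": re.compile(r"Session status:\s*(\S+)"),
    "peer": re.compile(r"Peer:\s*(\S+)"),
    "active_sas": re.compile(r"Active SAs:\s*(\d+)"),
    "decrypted": re.compile(r"Inbound:\s*#pkts dec'ed\s+(\d+)"),
    "encrypted": re.compile(r"Outbound:\s*#pkts enc'ed\s+(\d+)"),
}
COUNTERS = ("active_sas", "decrypted", "encrypted")

def parse_sessions(text):
    """Return one dict per 'Interface:' block; counters are summed over its flows."""
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        for name, rx in FIELDS.items():
            m = rx.match(line)
            if not m:
                continue
            if name == "interface":
                sessions.append(dict.fromkeys(COUNTERS, 0))
            if sessions:  # ignore fields seen before any Interface: header
                cur = sessions[-1]
                if name in COUNTERS:
                    cur[name] += int(m.group(1))
                else:
                    cur[name] = m.group(1)
            break
    return sessions

def idle_protected_sessions(text):
    """Sessions that are UP-ACTIVE with SAs installed but zero packets either way."""
    return [s for s in parse_sessions(text)
            if s.get("status") == "UP-ACTIVE" and s["active_sas"] > 0
            and s["encrypted"] == 0 and s["decrypted"] == 0]
```

Calling idle_protected_sessions(SAMPLE) returns the Tunnel1 session toward peer 192.168.23.3; a session whose counters have moved is not returned.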