Hi! I know this concept and how to approach it, but now I'm trying to troubleshoot this configuration. It works on 50 other routers, but not this one.
BTW, won't there be performance issues with VRFs on 880 series routers? They're not so powerful and I'm afraid of a 1.5-2x performance cut there.
I've got one branch Cisco 881 with 2 ISPs on it (on Fa4 and Vlan100).
There are 2 IPsec/GRE channels over the two ISPs to different hubs.
Default route to the 1st ISP, static route to the 2nd hub via the 2nd ISP.
The problem is:
IPsec won't negotiate on the 2nd channel in the normal situation.
But when I stop the 1st ISP and the default route moves to the 2nd ISP (IP SLA, track), then in several minutes ISAKMP negotiates and the 2nd GRE channel goes up.
Moreover, in this situation the channel stays up even after ISP1 comes back, for 1-2 days (while ISAKMP has not expired).
If I turn off IPsec on the tunnel, then it immediately goes up.
What could be wrong, and what debugs should I show?
!
track 1 ip sla 1 reachability
 delay down 30 up 60
!
track 2 ip sla 2 reachability
 delay down 70 up 40
!
crypto isakmp policy 100
 encr aes 256
 authentication pre-share
 group 15
crypto isakmp key xxxxxxxxxxxxxxxxxxxxxxxxxx address 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 60 10
crypto isakmp nat keepalive 30
!
!
crypto ipsec transform-set DmvpnSet esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile ISP1
 set transform-set DmvpnSet
!
crypto ipsec profile ISP2
 set transform-set DmvpnSet
!
interface Tunnel0
 description Sec - Sec
 ip address 10.0.204.2 255.255.255.252
 ip mtu 1400
 ip flow ingress
 ip flow egress
 ip virtual-reassembly in
 ip tcp adjust-mss 1360
 delay 10000
 tunnel source Dialer0
 tunnel destination HUB2
 tunnel path-mtu-discovery
 tunnel protection ipsec profile ISP2 shared
!
interface Tunnel1001
 description DMVPN Cloud 1 Spoke
 bandwidth 100
 ip address 10.255.1.204 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nat inside
 ip nhrp authentication dmvpn1
 ip nhrp map multicast HUB1
 ip nhrp map 10.255.1.1 HUB1
 ip nhrp network-id 1001
 ip nhrp holdtime 600
 ip nhrp nhs 10.255.1.1
 ip virtual-reassembly in
 ip tcp adjust-mss 1360
 tunnel source Vlan100
 tunnel mode gre multipoint
 tunnel key 1001
 tunnel path-mtu-discovery
 tunnel protection ipsec profile ISP1 shared
!
interface FastEthernet0
 switchport access vlan 100
 no ip address
!
interface FastEthernet4
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Vlan1
 description $LAN$
 ip address 192.168.204.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan100
 description WAN ISP1
 ip address ISP1ip.101 255.255.255.192
 ip nat outside
 ip virtual-reassembly in
!
interface Dialer0
 description WAN ISP2
 ip address negotiated
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1436
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxxxxxxx
 ppp chap password 7 xxxxxxxxxxxxxxxxxx
 no cdp enable
!
!
!
ip nat inside source route-map DSL interface FastEthernet4 overload
ip nat inside source route-map RTKM interface Vlan100 overload
ip nat inside source route-map RTKM-pppoe interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 ISP1ip.65 5 track 1
ip route 0.0.0.0 0.0.0.0 Dialer0 6 track 2
ip route 0.0.0.0 0.0.0.0 ISP1ip.65 10
ip route 0.0.0.0 0.0.0.0 Dialer0 11
ip route 126.96.36.199 255.255.255.255 Dialer0 permanent
ip route 188.8.131.52 255.255.255.255 ISP1ip.65 permanent
ip route HUB2 255.255.255.255 Dialer0
ip route HUB1 255.255.255.255 ISP1ip.65 permanent
ip tacacs source-interface Vlan1
!
ip sla auto discovery
ip sla 1
 icmp-echo 184.108.40.206 source-interface Vlan100
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 220.127.116.11 source-interface Dialer0
 frequency 30
ip sla schedule 2 life forever start-time now
dialer-list 1 protocol ip permit
!
route-map RTKM permit 10
 match ip address 105
 match interface Vlan100
!
route-map RTKM-pppoe permit 10
 match ip address 105
 match interface Dialer0
!
route-map DSL permit 10
 match ip address 101
 match interface FastEthernet4
!
!
Where is the speed limit on the ISR 4000 applied?
Is it the sum of all traffic on all interfaces leaving the ISR?
Do switch interfaces count? Do internal interfaces count? Does inter-VRF routing count?
What do these 50 Mbit/s mean?
I've got a Cisco 881 connected to the network in a branch office.
Sometimes (it may occur once a week or three times a day) I see STP start blocking a port:
VLAN1 is executing the ieee compatible Spanning Tree protocol
Bridge Identifier has priority 32768, address 649e.f33b.7dfa
Configured hello time 2, max age 20, forward delay 15
We are the root of the spanning tree
Topology change flag not set, detected flag not set
Number of topology changes 2 last change occurred 01:50:39 ago
Times: hold 1, topology change 35, notification 2
hello 2, max age 20, forward delay 15
Timers: hello 1, topology change 0, notification 0, aging 300
Port 4 (FastEthernet3) of VLAN1 is blocking
Port path cost 19, Port priority 128, Port Identifier 128.4.
Designated root has priority 32768, address 649e.f33b.7dfa
Designated bridge has priority 32768, address 649e.f33b.7dfa
Designated port id is 128.4, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
BPDU: sent 502925, received 1807
It recovers only by shutdown/no shutdown of the port (or unplugging/plugging the cable).
If there were a loop, this state should not recover after a shutdown, but it does.
There are switches behind the Cisco, but they are not manageable.
Any ideas where the problem is and how to auto-recover from the blocking STP state?
Hi! While trying to reply to your answer, I turned on the maximum possible debugs for the login and saw this:
Nov 16 10:00:29.186: RADIUS/ENCODE(0000000F): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
so I put the command into the config:
radius-server attribute 6 on-for-login-auth
and then in every request for authentication I see:
for Login:
Nov 16 11:02:12.303: RADIUS: Service-Type  6 Login
for PPPoE/PPTP/...:
Nov 16 11:02:37.475: RADIUS: Service-Type  6 Framed
This answers my question. By the way, this command is mandatory for ISE according to this post: http://www.ajsnetworking.com/switch-configuration-for-ise-integration-part-2-radius-server-config/
Thanks for participating!
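As an added example (not part of the original thread), here is how a RADIUS-side policy can key on attribute 6 once the router actually sends it: a small parser that pulls Service-Type out of an Access-Request and buckets the login as exec (Login) or VPN (Framed), and returns "unknown" when the attribute is absent, which is the case before the command above is enabled. The packet builder and the user names are constructed for the demo, and the authenticator is left zeroed because no shared-secret verification is done here.

```python
import struct

# RADIUS attribute numbers and Service-Type values from RFC 2865
USER_NAME = 1
SERVICE_TYPE = 6
LOGIN, FRAMED = 1, 2   # what IOS sends for exec logins vs PPP/VPN sessions


def parse_avps(packet: bytes) -> dict:
    """Return {attribute_type: raw_value} from one RADIUS packet.
    Layout: Code(1) Identifier(1) Length(2) Authenticator(16), then AVPs,
    each AVP being Type(1) Length(1, counting itself) Value."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("declared length inconsistent with packet")
    avps, pos = {}, 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated AVP header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed AVP length")  # never guess on bad lengths
        avps[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return avps


def classify_login(packet: bytes) -> str:
    """Bucket an Access-Request by Service-Type: 'exec' (Login), 'vpn' (Framed),
    'other' for any other value, 'unknown' when the NAS omitted attribute 6
    (the situation before 'radius-server attribute 6 on-for-login-auth')."""
    value = parse_avps(packet).get(SERVICE_TYPE)
    if value is None or len(value) != 4:
        return "unknown"
    return {LOGIN: "exec", FRAMED: "vpn"}.get(struct.unpack("!I", value)[0], "other")


def build_access_request(username: str, service_type=None, ident=1) -> bytes:
    """Constructed sample Access-Request (code 1). The authenticator is zeroed
    because this example does no shared-secret verification."""
    body = bytes([USER_NAME, 2 + len(username)]) + username.encode()
    if service_type is not None:
        body += bytes([SERVICE_TYPE, 6]) + struct.pack("!I", service_type)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body


if __name__ == "__main__":
    for user, st in (("admin", LOGIN), ("vpnuser", FRAMED), ("legacy", None)):
        print(user, "->", classify_login(build_access_request(user, st)))
```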
Hi! Trying to configure telnet (exec) and VPN authentication via the same RADIUS server. How can I differentiate EXEC and VPN logins on the RADIUS server? Cisco sends Service-Type for PPPoE or some other type of auth, but doesn't send it or anything else when I log in via telnet. So I cannot see whether the client logs in via telnet. Have I missed something?
There's a problem configuring Wi-Fi: the network is built on Cisco Mesh 1510. A D-Link Wi-Fi access point acts as a client to the Cisco mesh network (see picture #1). An AXIS video encoder is connected to the D-Link. If I ping the AXIS from the wired LAN (from the Catalyst 3750), it cannot be pinged. If I connect the D-Link client AP to the AXIS through a switch with a PC there as well, the AXIS can be pinged fine. If I add a static ARP entry on that 3750 (it acts as the core router). If I connect this D-Link to another (picture 2), all works OK. Who can tell what's the matter? Thanks!
Hi! I've got an 1811 on my network. Trying to connect my LAN to 2 ISPs.
---
version 12.4
!
ip cef
!
multilink bundle-name authenticated
!
ip tcp synwait-time 10
!
track 10 rtr 110 reachability
 delay down 30 up 60
!
track 11 rtr 111 reachability
 delay down 30 up 60
!
interface FastEthernet0
 description ptkom uplink$ETH-WAN$$FW_OUTSIDE$
 ip address 192.168.116.14 255.255.255.0 secondary
 ip address 18.104.22.168 255.255.255.192
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 description enforta uplink$ETH-WAN$$FW_OUTSIDE$
 ip address 22.214.171.124 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
 description EnfortaVPN
 switchport access vlan 2
!
interface Vlan1
 description Morozova LAN$ES_LAN$$FW_INSIDE$
 ip address 192.168.52.254 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 126.96.36.199 track 10
ip route 0.0.0.0 0.0.0.0 188.8.131.52 track 11
ip route 184.108.40.206 255.255.255.252 FastEthernet1 permanent
ip route 220.127.116.11 255.255.255.192 FastEthernet0 permanent
ip route 172.16.248.0 255.255.255.240 172.16.248.17
ip route 172.16.248.32 255.255.255.240 172.16.248.17
ip route 192.168.6.0 255.255.255.0 172.16.248.2
ip route 192.168.7.0 255.255.255.0 172.16.248.34
!
!
ip nat inside source route-map RM-enforta interface FastEthernet1 overload
ip nat inside source route-map RM-ptkom interface FastEthernet0 overload
ip nat inside source static tcp 192.168.52.7 2443 18.104.22.168 2443 extendable
ip nat inside source static tcp 192.168.52.7 3389 22.214.171.124 3389 extendable
ip nat inside source static tcp 192.168.52.7 25 126.96.36.199 25 extendable
ip nat inside source static tcp 192.168.52.7 110 188.8.131.52 110 extendable
ip nat inside source static tcp 192.168.52.7 2443 184.108.40.206 2443 extendable
ip nat inside source static tcp 192.168.52.7 3389 220.127.116.11 3389 extendable
ip nat inside source static tcp 192.168.52.8 3389 18.104.22.168 3390 extendable
!
ip access-list extended LANs
 permit ip 192.168.52.0 0.0.0.255 any
 permit ip 192.168.6.0 0.0.0.255 any
 permit ip 192.168.43.0 0.0.0.255 any
 remark Put All inside LANs here
ip access-list extended NAT
 remark SDM_ACL Category=18
 deny ip any 192.168.6.0 0.0.0.255
 deny ip any 192.168.7.0 0.0.0.255
 deny ip any 192.168.52.0 0.0.0.255
 permit ip 192.168.6.0 0.0.0.255 any
 permit ip 192.168.7.0 0.0.0.255 any
 permit ip 192.168.52.0 0.0.0.255 any
!
ip sla 110
 icmp-echo 22.214.171.124 source-ip 126.96.36.199
 frequency 10
ip sla schedule 110 life forever start-time now
ip sla 111
 icmp-echo 188.8.131.52 source-ip 184.108.40.206
 frequency 10
ip sla schedule 111 life forever start-time now
no logging trap
access-list 116 permit ip any 192.168.6.0 0.0.0.255
access-list 117 permit ip any 192.168.7.0 0.0.0.255
no cdp run
!
route-map RM-enforta permit 10
 match ip address NAT
 match interface FastEthernet1
!
route-map RM-ptkom permit 10
 match ip address NAT
 match interface FastEthernet0
!
!
end
---
Everything worked fine until I tried to add the following (I have to access 192.168.227.0/24 with NAT, but from the 192.168.116.14 IP):
----
ip route 192.168.227.0 255.255.255.0 192.168.116.1
ip nat pool PortMAN 192.168.116.14 192.168.116.14 netmask 255.255.255.0
ip nat inside source route-map RM-PortMAN pool PortMAN overload
ip access-list extended PortMAN
 permit ip any 192.168.116.0 0.0.0.255
 permit ip any 192.168.227.0 0.0.0.255
route-map RM-PortMAN permit 10
 match ip address PortMAN
 match interface FastEthernet0
---
After that my port forwardings (from WAN to LAN) became inaccessible. I think because they come in via one route and go out via another. What should I do? Now, even after deletion of the rules, the port forwardings do not work. Any ideas?