I have a 2811 Router (config below) with VPN configured. I can connect through the VPN and access devices on the native VLAN but I can't access the 10.77.5.0 (VLAN 5) network (I don't care to access the 10.77.10.0 - VLAN 10 network). This issue has been plagueing me for quite a while. I believe it's a NAT or ACL issue. VPN client IP pool is 192.168.77.1 - 192.168.77.10. [code]
View 4 Replies
Just trying to figure out how LAP manage clients in a h-reap setup.Have a setup with native vlan on 144 (switch and AP) and ssid tagging in other vlan... Got this on switch:
Jan 12 10:31:43.121: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0811.9695.9b04 on port FastEthernet0/42.
Jan 12 10:31:43.121: %PORT_SECURITY-2-PSECURE_VIOLATION_VLAN: Security violation on port FastEthernet0/42 due to MAC address 0811.9695.9b04 on VLAN 144
Jan 12 10:37:42.770: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0811.9695.9b04 on port FastEthernet0/42.
Jan 12 10:37:42.770: %PORT_SECURITY-2-PSECURE_VIOLATION_VLAN: Security violation on port FastEthernet0/42 due to MAC address 0811.9695.9b04 on VLAN 144
Wonder why clients MAC is seen on native vlan (and ofcourse also on taged vlan) ...?
I am trying to configure RV082 router with Mac Native VPN Client for my remote access. However, no matter what I did, I am not able to make it works. Can any one can give me an example of how to conguration my RV082 router and Mac Book Pro(Mountain Lion)?
View 2 Replies View RelatedI've been experimenting with the 'vlan dot1q tag native' command on a switch and it seems as though tagging the native vlan breaks vty access to my access point.With the 'vlan dot1q tag native' commnand applied, I lose management connectivity to the AP with 'no vlan dot1q tag native' applied, connectivity is restored. Why is this? Is it safe to say that one can access the AP via vty lines using ONLY untagged packets?
SWITCH
Model: WS-C3560G-24PS
Code: c3560-advipservicesk9-mz.122-46.SE
--Abbreviated CONF
vlan dot1q tag native
[code]....
what NATIVE VLAN is . What are the benifits of using this and when do we use this.
View 1 Replies View RelatedIphone 4S latest IOS5 V 5.1.1 installed?I'm not able to make native IPSEC VPN connection to work against my company Cisco 877 Instead, all my notebook and netbook with Cisco VPN Client installed work fine when they remotely connect to company's 877 Enabling 877 debug, it seems Iphone successfully pass the phase 1 ike connection (in fact Iphone asks me for phase2 user/pass) but it hung at phase2 giving me back the error "Negotiation with VPN server failed"
Here is how I configured my 877 VPN part :
R1(config)# aaa new-model
R1(config)# aaa authentication login default local
R1(config)# aaa authentication login vpn_xauth_ml_1 local
R1(config)# aaa authentication login sslvpn local
R1(config)# aaa authorization network vpn_group_ml_1 local
R1(config)# aaa session-id common
[code]....
It seems 877 even comes to allocate a local LAN ip address to Iphone (192.168.0.21) but then something goes wrong.....
I have the following problem in LMS 4.0. I see a lot of CDP syslog messages about Native Vlan Mismatch, but the LMS doesn't report it in the disrepancy report. Why?? The similar problem is with TRUNK VLAN Mismatch. The customer doesn't use VTP in his network. All switches are in the VTP transparent mode.
View 1 Replies View Relatedcan I use Windows 7 Native VPN client to connect to the ASA..and are there docs out there that support install and config ? I heard it is possible but not able to confirm .
View 1 Replies View RelatedIn our network environment, we have a 2960 switch sitting behind our router. Off of this we have a lot of external connections, like our external DNS, firewall, and VPN concentrators. I've configured a VLAN other than the default, moved everything into it and then shut VLAN 1. In this hardening guide it says that your native VLAN should be something other than the user VLAN, but if I am not using any trunk links, wouldn't I not really have a native VLAN? I attempted to make the link to our firewall a trunk link and then set the native VLAN to something else.
View 5 Replies View RelatedIs PVID the same thing as "native vlan"? Can the native VLAN be changed on a SA520? Currently I believe it to be 1, I'd like to change the native VLAN to 10.
I have a scenario where I have a prexisting production LAN of 192.168.1.0/24 . It's a small organization (a church), but they purchased 3 Aironet 1130ag units. They want to have a "private" WLAN that is part of 192.168.1.0/24 , and a guest WLAN of a different subnet (I chose 192.168.20.0/24) . The two should never meet. There will likely never be a guest computer connected via ethernet. Guest computers would always have to connect wirelessly.
I left VLAN 1 on the SA520 192.168.75.0/24 subnet as default.I created a VLAN 10 , 192.168.1.0/24 subnet, and I created a VLAN 20, 192.168.20.0/24 subnet.Ports 1-3 of the SA520 are members of VLAN 1, 10, and 20 (cannot remove membership of VLAN1, which is pretty annoying).
Both are secured by WPA, and when I connect, the proper DHCP subnet passes from the firewall through to the wireless client, for each respective SSID.Ultimately, I'd like the SBS 2003 server to handle DHCP for VLAN 10, and have the SA520 handle DHCP for VLAN 20, but i'll take what I can get.
The original production LAN is connected via an unmanged switch.I'd like to trunk the unmanaged switch to Port 4 on the SA520. However, since the PVID (native vlan?) of SA520 is 1, and I cannot make Port 4 on the SA520 ony a member of VLAN 10, then anything traffic coming from the unanaged switch will automatically be tagged with VLAN1, correct? Thus causing the already existing production network to start receiving DHCP from the firewall in the 192.168.75.0/24 range.
I'm configuring this asa for to connect home users to my network using the native microsoft vpn clients with windows xp over internet.This asa have on the outside interface one public intenet ip and in the inside inferface have configured in the the network 192.168.0.x and i want to acces to this network from internet users using native vpn clients.I tested with one pc connected directly to the outside interface and works well, but when i connect this interface to internet and tried to connect on user to the vpn i can see in the logs this, and can't connect with error 800.TCP request discarded from "public_ip_client/61648" to outside:publicip_outside_interface/1723"
(running configuration)
: Saved
:
ASA Version 8.4(3)
!
hostname ciscoasa
enable password *** encrypted
[code].....
I have a small home network currently using a cisco 841 which is working great. Host a web site and Exchange plus all 10 computers access the net using Verizon FIOS all works. I can even VPN in to my newtwork remotely.I can only VPN using the Cisco client. I would like to use the Native Windows Client and Ipads and Iphones. I believe they use PPTP and the Cisco client is using IPSEC.Which Cisco router can I get that would support all the above?
View 14 Replies View Related1 week ago, I got a call from a client that reported a network outage, the client told me that, 3 switch has crashed he try to console but it just hang. I ask him, did you change something? he said he didn't change anything, he just pluged a nortelswitch to the cisco switch number 9, but that switch doesn't crash like the others (3,4,8). I check the uptime, and yes the switch never been powered off..
the topology look like this
____ 6500 ____
/ / |
1 2 3 4 5 ...... 9
the vlan is end to end vlan, so vlan span between all those switches. transparant. this is collapsed topology, core and distribution is the 6500 itself all of the 1-9 access switch are in the same rack, with no loopguard, and bpdu guard configured. and connected to the core using etherchannel. the problem is there is no log available to start the troubleshooting/investigation.
SG-300 52 native VLAN blocking network packets
View 3 Replies View RelatedI am having trouble after creating a management vlan (99) on a 3550 switch.I have configured the vlan (99) and given it an IP (192.168.1.100) and a default gateway (my router address - 192.168.1.99).I can ping to the switch from a PC and vice versa. The management VLAN IP is fine but now I cannot ping to the router from either the PC or the switch.It seems that just by adding VLAN 99 with it's own IP address has now prevented pings from the switch/ PC to the router ?Due to the fact that I have created a new switch management VLAN with an IP, does this mean I have set up the router as a 'router on a stick' scenario ? [code]
View 4 Replies View RelatedWe are trying to setup a new configuration with 2960S as access switchs and a 4507 as a core switch.I want to protect the management IP VLAN of the swich using vrf on the 4507 so we :
SHUT VLAN 1 on every switch (2960 + 4507)
CREATE A NEW VLAN 289 (management vlan) -> IP network : 10.32.126.192/26
L3 VLAN on every switch
VLAN 289 in the VRF XXX on the 4507
create tunk between the switch and the 4507 :
switch mode trunk allowed vlan 200-230
sw trunk native vlan 289
so with this configuration on the 2960 the vlan 289 is UP/DOWN and UP/UP on the 4507 I can access to the 4507 using the IP in the VLAN 289 but i cannot access to the 2960 behind the 4507 CDP connectivity is ok?
I am migrating an existing LAN from 3550 to 3750X-12S. In the existing configuation, I´ve got some trunks with native VLAN <> 1. The native VLAN is also used for user data transport. With IOS 15.0(1)SE3 on 3750X I recognized, that per default behavior PVST is not active for a VLAN defined as native, even if the corresponding trunk is up and trunking. My current workaround is to add a "switchport access vlan" command on the trunk even this one never should become an access port. With this statement only the switch is activating the PVST for the native VLAN. For all other vlans PVST works as exspected. [code]
View 6 Replies View RelatedI have several closets with Cisco 3560 on the edge that I'd like to change the vlan that's used for the management vlan on each. In the core I have a Cisco 6509 with Sup720's.
I'd like to do this by changing the native vlan on the trunk port on the core 6509 interface that connects to the 3560. and leave the management vlan on the 3560 as vlan 1.
Seems trivial but what I tried didn't work and I didn't have the window to troubleshoot. I'll paste the simplified configs for the interfaces below
!
6509 configs:
!
interface Vlan50ip address 172.16.50.2 255.255.255.0!interface FastEthernet
[Code]....
We have a problem with CDP packets on sent by our Cisco 6509's. Unlike our other Cisco switches (4948G, 5020, etc.), the 6509 tags administrative traffic on the native vlan. As a result the CDP packets are sent with an 802.1Q header with a tag of 1. The other switches send the CDP packets untagged on the native vlan. This causes problems because we have non-Cisco devices in our lab that also receive and send CDP, but they do not process the packets that are tagged by the 6509. They see the packets from the 4948 and 5020 just fine.
How can I disable the administrative native vlan tagging on the 6509? Here is the current setup:
nwkdev-6509-1#show vlan dot1q tag native
dot1q native vlan tagging is disabled globally
nwkdev-6509-1#show interfaces gigabitEthernet 1/9/1 switchport
[Code].....
I have just configured up a sg500 with a lacp trunk to an upstream switch.
I am getting native vlan mismatch on the individual ports of the lacp team.
24-Jan-2013 12:54:48 %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi1/1/24.
24-Jan-2013 12:57:35 %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi1/1/48.
[Code].....
I was searching a lot , but I couldn't find any good example, how to configure DHCP server for our wireless clients on Cisco Autonomous AP. I'm looking for example how to configure Dot 11 radios and BVI interfaces.
I have no problem to configure DHCP server on BVI 1 and VLAN 1 ( native VLAN ) interfaces, but there is a problem with other BVI's and VLANs. Maybe this feature isn't supported? Maybe DHCP server feature is supported to work just with default BVI and native VLAN?
i'm running a 5510 asa and the vpn has been working great for a while. We recently change our network provider so i had to change the public ip, and dns on the firewall... now i can still connect via the vpn and browse accross my mpls to other sites, but cant really access anything on the native lan that the firewall resides on?
View 9 Replies View RelatedI am working with a client to implement QoS for their Lync environment. Lync 2010 has this feature to mark dscp values based on packets tagged with logical ports. As an example, packets on port 49000 til 49999 will be marked to dscp 46(ef). On Cisco 2811 router, I am basically honouring the markings by the application and placing bandwidth priority on them and sending it out to the WAN.
The behaviour that I notice is that when port based packets are marked with a certain dscp value on the application, the router policy map doesn't pick up any packet increment for that dscp. But when all packets without port assigning to it are marked with certain dscp value, I can see increment on the router policy map for that dscp match. Why is this so???
The client wants the Lync to mark the packets with dscp value and the router is suppose to honour the marking, schedule the priority and send it out. [code]
I have a cisco 2811 with security bundle with IOS 12.4(13r)T I am planing to use this router as a VPN gateway for company ( i.e)
1. LAN 2 LAN VPN ( Supporting if remote site is having dynamic IP)
2. Remote access VPN for VPN client
I have configured the router ( attached is the configuration) I have not tried to use the LAN to LAN VPN ( first i complete remote access VPN and then check L2L) I tried to use the remote access VPN I am able to connect from vpn client software and got the IP address but unable to ping the servers in LAN.
I'm generally pretty good with VPN issues and with SSL certs, but this is my first rodeo with VPN and certificates together. I've got a Cisco 2811 router running IOS Firewall (12.4(25)) and for a while now, I've had VPN clients connecting using PSK's and XAUTH. In order to tighten security, we'd like to move away from PSK's with Aggressive Mode and use certificates with Main Mode.I've been trying to use the Cisco 2811 as the CA, rather than use a Microsoft server or third-party provider. I think I'm pretty close to getting this to work, but something isn't quite right. My VPN client software does connect to the 2811, and I get prompted for the XAUTH creds. If I supply the right creds, I do see in my VPN log window that I've gotten assigned an IP address from the inside VPN pool, my split tunneling rules come through, but the VPN disconnects almost immediately and I never get a chance to try any pings or to send any other types of traffic. [code]
I have attached a sterilized copy of the 2811's current config (2811_sterile.txt), a copy of the 2811's debug output when the VPN client tries to connect (vpn_client_connect_sterile.txt), and a copy of the VPN client's log with IKE on High and Certificates on High (vpn_log_sterile.txt).FWIW, the 2811 is NOT behind NAT, but my VPN client IS behind NAT. However, I have tried using a direct connection with the VPN client and it didn't seem to change much so I'm not convinced this is a NAT issue.Again, I've never used a Cisco router as a CA and I've been battling this problem for several hours now so the 2811's config may have a lot of unneccessary lines in it at this point.
I have set up a 2811 with seperate VLANs for phones, and another for computers/printers. Fa0/0 is trunked to a 3560 switch, which has all end devices plugged in. I have enabled the IP Routing commands on both devices, and from advice turned off proxy-arp on the VLANs on the router (unsure if this is causing the issue). The setup is as follows
Computer VLAN = 192.168.20.0
Phone VLAN = 192.168.50.0
Both on the same subnet, along with a router loopback address in the same subnet, at 192.168.10.1.I am having an issue understanding why, but if I try to ping a phone from a PC it times out. Or if I try to type the phone's IP into an internet browser to get the phone's GUI on screen, it fails. This should not be happening as IP routing has been enabled on both, and everything is in the same subnet, correct? PC's can ping other PC's and network printing works fine. Phones register and operate fine, but the two VLAN's will not interoute.Furthermore if I try and ping the router's loopback from the switch, it fails. But the trunk is up and operational because DHCP and devices work within their own VLAN. If I try to ping end devices from the switch, it returns 100%. There seems to be an issue with the router looping the different networks together.
This is a 2811 rotuer running Cisco IOS Software, 2800 Software (C2800NM-SPSERVICESK9-M), Version 12.4(24)T3, RELEASE SOFTWARE (fc2) Not sure why this isn't working. Can see it expects to parse the command. Can see this device is vtp server. Can see other vlans were defined here.
Router(config)#vlan ?
accounting VLAN accounting configuration
ifdescr VLAN subinterface ifDescr
Router(config)#vlan 35
^
% Invalid input detected at '^' marker.
[code]....
I have a Cisco 2811 Router. I have two VLANS on the router. The first one of course is VLAN 1 and the second one is one that I created from reading everything from this forum.. it is called VLAN 531
On VLAN one I have an IP address of 10.8.1.1 and on VLAN 531 I have an IP Address of 172.16.1.1, now what I can do is this... I can.. from a workstation on the 10.8.0.0 segment, ping 172.16.1.1 and one server on that segment that has an IP address of 172.16.1.50, which is fine, but what I really want to be able to do is ping our email server which is on a 10.21.0.0 segment and I cannot. Any commands on what I would need to do to make this work as I would like the 172.16.0.0 segment to ping any other part of my LAN of my choosing.
i am stuck in a issue! unable to ping the SVI
i am design a small network for a office.
1 router 2811
1 switch 3750-e
Router is connected to the mpls cloud with ospf.
here re the config.
Router#
int fa0/0
ip 10.10.10.1 255.255.255.252
[Code]....
i connect my laptop and give ip 22.0.68.1 255.255.255.0 and default gateway 22.0.68.251but can not ping SVI VLAN 201 (22.0.68.251) ?
and from the SWITCH i can not ping the 20.20.20.2?
Aug 24 11:32:16.275 AEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan21, changed state to down
Aug 24 11:32:36.827 AEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan21, changed state to up
Aug 24 11:35:23.854 AEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1/2, changed state to down
Aug 24 11:35:24.854 AEST: %LINK-3-UPDOWN: Interface FastEthernet0/1/2, changed state to downesw_mrvl_vlan_port_remove : Unable to find entry for VLAN(1) dbnum(1)
esw_mrvl_vlan_port_remove : Unable to find entry for VLAN(1) dbnum(1)(code)
When the above problem happens, as work-around, we delete VLAN.DAT file on the Compact Flash of this 2811 router and recopy the VLAN>DAT file back to teh Compact Flash.
Then it runs for a few weeks and the same problem happened.
Then we put a new Compact Flash and recopied VLAN.DAT to new CF and it ran for 3 weeks and same problem started again.
Could be 2811 router motherboard? This customer has thousands of these 2811 routers in identical setups and this is the only router that is having this problem.
I have 2 ISPs terminating on 2 FE ports on my 2811 router.ISP1 had always been here, used for the following:Internet access to LAN usersInternet access with public IP mapping to servers in different security zones (VLANS)Site to Site VPN tunnels to 3rd party partnersRemote VPN access to 3rd party partners We recently got a second ISP, mainly for the following:Internet access and public IP mapping to servers on seperate security zones (VLANS)Site to Site VPN tunnels to 3rd party partners as above, but different hosts So far, ISP1 and all the above service have worked based on the config below. However, having added ISP2, I have not been able to successfully create the site-to-site VPN tunnels.
version 12.4
!
ip source-route
!
ip cef
!
ip name-server 4.2.2.2
ip name-server 137.65.1.1
ip inspect WAAS enable
[code]....
Whenver I try to establish a tunnel on SDM_CMAP_2 and run a test using CCP, I get 2 failure reasons:
1. The peer must be routed through the crypto map interface. The following peer(s) are routed through non-crypto map interface - 4.58.130.130
2. The tunnel traffic destination must be routed through the crypto map interface. The following destinations are routed through non-crypto map interface - 4.58.130.134
The tunnels on SDM_CMAP_1 are all active Do I need to include a default route for the second ISP on the router? If so, how do I get this done? When I tried it, I had loops on the user LAN segment of the network.
I am having issues configuring a vLAN network card on a Debian stable (Squeeze) client.The client is running in a ESXi version 4.1 environment.There are two vLANs: vLAN 8 and vLAN 14. The client is in vLAN 14. The domain controllers (as well as DNS and ISA servers) are in vLAN 8. Windows clients behave fine and they can connect to other vLANs just fine. However, I just can't get the Debian client to connect to any other vLAN than its own.I tried several methods, and non worked successfully thus far.One of the problems is that the client should only use one IP address. Using the vLAN package, its assumed that you have a different IP for each vLAN (I think), so that doesn't work out.There is one other Linux machine in the network. An Ubuntu client being in vLAN 8. That client works as it should and can ping to both local, and other vLANs.Until this problem is fixed, it is impossible to connect to the internet (because the ISA, DNS and DCs are in vLAN 8) so each time I want to install a package, I have to download either the .deb packages manually, or download source tarballs and then create an iso of those files, mount the iso and install the packages. You can imagine how much effort that costs.
View 14 Replies View RelatedI would like to get using of course SNMP, list of client IPs connected to VLAN in Cisco Catalyst 3600.So far, I have pseudo-algorithm made by me which obtains those IP addresses, but I am not sure if this is done in right way :
1) Receive all IP addresses from Catalyst using oid 1.3.6.1.2.1.4.20.1.2. I get something like :
IP-MIB::ipAdEntIfIndex.10.10.2.1 = INTEGER: 152
IP-MIB::ipAdEntIfIndex.10.10.2.251 = INTEGER: 152
IP-MIB::ipAdEntIfIndex.10.10.3.251 = INTEGER: 151 and so on.
2) Get ifIndex of VLAN (oid 1.3.6.1.2.1.4.20.1.2.10.10.2.1.<IP_ADDRESS>) for particular IP address from above list :
IP-MIB::ipAdEntIfIndex.10.10.2.1 = INTEGER: 152
IP-MIB::ipAdEntIfIndex.10.10.2.251 = INTEGER: 152
IP-MIB::ipAdEntIfIndex.10.10.3.251 = INTEGER: 151
3) Get VLAN name (oid 1.3.6.1.4.1.9.9.46.1.3.1.1.4.1.<IF_INDEX>) If_index is borrowed from list above :
IP-MIB::ipAdEntNetMask.152 = No Such Instance currently exists at this OID
IP-MIB::ipAdEntNetMask.151 = No Such Instance currently exists at this OID
In the third step I have this problem, that instance can not be found in OID. It is weird, because for about forty IP addresses i can find about their 10 VLAN names to which they are connected.
