How to successfully run the dot1q tunneling on Cat4500 with Sup7L-E? I tried that on IOS XE 3.3 and newest 3.4. It is in feature navigator but i am not able to connect two access switching using trunk - only native vlan is translated. Apparently STP BPDU frames are dropped somewhere. I have the same configuration on 3750X with ip services licence and this works well.
View 2 RepliesI have a situation where the site-to-site tunnel is already established using PPTP IPSec VPN with non Cisco Gateways terminating the link on each end. These non Cisco Gateways do not support L2TP tunneling, and there is no plan to change them.Beyond the Gateways on both ends, we have a Cisco 4500 series switch. We need to forward the 802.1q tagged VLANs between the two sites. Is it possible to use 802.1Q tunneling in this case, going via a PPTP tunnel ?
Cisco's setup uses dot1q-tunnel over a L2protocol-tunnel to preserve the original client VLAN tagging, so does this mean that the only option we have is to setup a L2TP tunnel at the Cisco device endpoints, and have that tunnel go through the existing PPTP tunnel (established between the 2 non Cisco VPN Gateways) ?
Is it possible to do dot1q-tunneling on the new Cisco Calalyst 2960 Compact series switches? I know that the 3560 series support it, but im unable to find any information about the 2960C series, personally i doubt it as the standard 2960 series don't support it.
View 2 Replies View RelatedWhat is the correct way to lic VSS on a 4500 SUP7L-E ? url... Under Table 5 - Support by Image Type; VSS is listed as available on IP Base (SUP7E only) and a plain Yes under Enterprise Services, inferring that you need Enterprise Services lic on SUP7L-E to get VSS? url...Under Table 1 - Minimum License for VSS; IP Base or higher (7-E) or special license (7-LE and Catalyst 4500-X)Can find no option on CCO / configuration tools to list a 'special' VSS license for 4500R+E chasiss with dual SUP7L-E and IP Base.How are you meant to purchase/license VSS on 4500E Chassis + SUP7L-E ?
View 6 Replies View RelatedAny information on supervisor WS-X45-SUP7L-E? I saw that it has 520Gbps of backplane, but does it supports Netflow? How many uplink does it has?
View 6 Replies View RelatedDocumentation discusses "1-Gigabit Operation", where all 4 1-Gig SFP's on Sup7L-E are enabled. But it does not say __how__ to select either 10-G or 1-G operational modes.
View 3 Replies View RelatedI have two 1841 routers running different IOS versions:R1 running 15.0(1)M3 Advanced IP ServicesR2 running 15.1(4)M2 Advanced IP Services R1 supports the encapsulation dot1q second-dot1q on FastEthernet subinterfaces. Surprisingly, R2 with the newer IOS (of the same feature set) does not have the second-dot1q command option. I've done my Feature Navigator homework but I did not see any significant differences between these two IOS versions that would explain why the second-dot1q command is not available on R2. Am I missing something? Has the syntax changed, or a different feature set is needed for 15.1M and higher to get the second-dot1q command back?
View 2 Replies View RelatedAre there any plans to support a "shared backplane mode" like on SUP6-E that enables the use of four 10G oversubscripted uplink ports in redundant mode? now there is support for up to two active 10G links in redundant mode.
View 2 Replies View RelatedI upgraded IOS-XE on 4500E (SUP7L-E) to cat4500e-universalk9.SPA.03.03.00.SG.151-1. I encounter the log when i try to issue write mem commad
% VRF table-id 0 not activeCompressed configuration from 8947 bytes to 2140 bytes[OK].
I will go to buy a core 4506 but I'm comfusing about the Sup engines and the Fiber module. What is the different between the Sup7 and Sup7L?in the fiber module that I will go to buy is it contain the SFP inside or I have to buy the SFP ( WS-X4612-SFP-E ). also what is the different between the SFP and GBIC?
View 4 Replies View RelatedWhat is the case with redundant Sup engine 10GbE interfaces. We can only get one in active state, the other interface stays inactive? Can we have all four interfaces active sharing the backplane?
Mod Ports Card Type Model
---+-----+--------------------------------------+------------------+-----------
3 6 Sup 7L-E 10GE (SFP+), 1000BaseX (SFP) WS-X45-SUP7L-E
4 6 Sup 7L-E 10GE (SFP+), 1000BaseX (SFP) WS-X45-SUP7L-E
Mod Redundancy role Operating mode Redundancy status
----+-------------------+-------------------+----------------------------------
3 Active Supervisor SSO Active
4 Standby Supervisor SSO Standby hot
Im trying to span a trunk port and capture the dot1q headers on the destination. I'm positive I have it configured right (encap replicate) but wireshark just isn't seeing them. Im trying to capture them on a seperate NIC on my Windows 7 64bit pro box. The NIC is a realtek RTL8169 and it just won't capture the headers. I've also tried the built-in motherboard NIC (which is also a realtek) with the same results.
View 19 Replies View RelatedI am trying to config a 2620 Cisco router to perform subintreface (F0/0.1) for Vlan Trunk Protocol, however when I try to configure the encapsulation dot1q, I continue to receive error massage with ^ symbol below the 'c' See below, the platform version is a 12.3(26) which should be acceptable to perform an (encapsulation dot1q). The Ethernet is a fast-Ethernet 10/100 port. I also try the ISL, I receive the same massage.
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int f0/0
[Code]....
We are planning for the first installation of 4500 switches containing these supervisor modules. I'm trying to determine the interface numbering convention for ports on the supervisors. Our existing 4500E all have SUP6 modules with twin-gig converters - so I am familiar with the numbering conventions used on those supervisors. How does this change with the software based selection command "hw-module uplink select" used in SUP7?
View 2 Replies View RelatedPrior to upgrade AIR AP1142-N (Version 12.4(25d)JA1) everything worked fine! After upgrade IOS (to new Version 15.2(2)JA) without any config modification, management interface (encapsulation dot1q 33) or any IP interface with encapsulation dot1q became unreachable... If set IP on SVI (or BVI) with native VLAN (encapsulation dot1q 4094 native), this IP is reachable. Probably, there are bug in new IOS and Dot1q encapsulation? (see 'tech-support' in attached files)
View 3 Replies View Relatedknow if it is supported connecting the SUP7L-E 10GE ports to a C3KX-NM-10G, using a SFP-H10GB-CU5M (or shorter).
View 3 Replies View Relatedi need to upgrade my cat4506 with sup7L-E engine to latest ipservices software. link of suitable software and upgrade methode?
View 2 Replies View Relatedi'm desperately trying to get LACP working over a dot1q Tunnel. The "Service Provider" Switches are two 4506-E Switches with SUP7-E connected via a 10G Link, running on cat4500e-universalk9.SPA.03.03.00.SG.151-1.SG
sample config:
dot1q tag vlan native
interface GigabitEthernet3/1
switchport access vlan 2001
[Code].....
If you have a router with multiple direct vanilla FE (non trunked) interfaces on a switch trying to send QOS tagged packets to a wifi bridge several switches away does the trunking in the switched infrastructure mess with the qos tags if no qos is configured on the switches.
Does it depend on the switch? We have new 2960's running 12.2 and a few older 2950's running 12.1
enable dot1q encapsulation on two ethernet ports on a 1721 router. I am able to configure it on the built in fastethernet port, but not on any interface provided by a WIC-1ENET or a WIC-4ESW. I have an application that requires two physical ethernet ports that support dot1q encapsulation.
View 4 Replies View RelatedI have a Catalyst 4500 L3 Switch Software (cat4500e UNIVERSAL-M), Version 03.02.00.XO RELEASE SOFTWARE (fc2). So I just wanted to verify that the switch only does dot1q encapsulation because the switchport trunk encapsulation dot1q command does not work.
View 3 Replies View RelatedIn fact i receive traffic on a one client per vlan basis (traffic is PPPoE), i receive all this traffic on a router, collecting all these vlan on a bridge where the pppoe packets are treated.When I use a transeiver to convert operator fiber arrival to my router copper media interface, i have no problem....
When I use dot1q-tunnel to make the same on my 3750, packets seems to be corrupted.I get PPPoE timeouts and packet loss, not regulary, totally stochastic...
I made dozen of tests and different settings, without success I first thougt of MTU issues. [code] I made tests with system MTU and/or system jumbo MTU above 1500, without success.I didn't found any known caveats on 3750 running Version 12.2(25r)SEE4 related to dot1q-tunnel.
I'm setting up a new 4900m running cat4500e-ipbase-mz.122-53.SG5.bin. I'm attempting to create Port-Channels as a Trunk for uplink to a 4503 running cat4500-ipbase-mz.122-37.SG1.bin.When I attempt the command "switchport trunk encapsulation dot1q" it errors out.
View 3 Replies View RelatedI am trying to configure a 4507 R chassis with Dual SUP but i cannot see teh switchpot mode trunk encapsulation dot1q?
I have typed:
interface GigabitEthernet5/1
description DOWNLINK toxxxxxx
switchport mode trunk
channel-group 11 mode on
!
I have have searched all other commands and sub-commands but could only find dot1q-tunnel which I beleive is for QINQ or some QoS featues and lot for L2 encapsulations?
the puzzling is:
XXX-Core4507#sh int gi5/1 trunk
Port Mode Encapsulation Status Native vlan
Gi5/1 off 802.1q notrnk-bndl 1
(Po11)
when I connect the dostribution switch a 3507 to this int gi 5/1, both interfaces do come up?
Example config
int g2/24
service-policy output test
#and/OR
int g2/24.10
encap dot1q 10
ip address 10.1.1.1 255.255.255.0
service-policy output test
3 different sites which are directly/indirectly connected to cisco VPN router RV042 and we want to make a vpn between them, how can we make it
View 2 Replies View RelatedI just moved our vpn over to using LDAP/DAP instead of the previous RADIUS we were using before. First of all, the group policy split tunnel is setup for Tunnel Network list Below Network list has a group of networks named "split-tunnel" setup with all of our internal subnets in it. Which seems to be working fine, users are hitting internal networks no problem.Where the issue lies is surfing the web while they are connected to the VPN.I think I know what one of the the issues are, I'm just not sure how to get around it. I have a proxy server setup that all domain traffic goes through say 10.20.30.40. That is obviously on our internal subnet. Our remote users has a policy on their laptops set to where if they can see/get to the proxy server then it pushes all traffic through there, however if they can not, it goes straight to the internet. That way they can still surf the web when they aren't connected to the domain network.
With the new DAP vpn policies, it seems as though they are trying to go through the proxy but failing so all http traffic is getting blocked on their computer as I can still ping say google.com...just can't open the web page.In my SALES-VPN access lists there isn't any acl that allows any traffic to 10.20.30.40(proxy server) so there isn't any reason their laptop would think it could get to it correct?I can't put an access-list SALES-VPN extended deny ip any any log critical at the end of the acl list because then it doesn't show up as an option to apply to the DAP since the acls have to be either permit or deny, not a mix.Also, if I just create an ACL access-list DENY-VPN extended deny ip any any log critical and apply it to the DAP *after* the SALES-VPN ACLs thinking all traffic would flow down as in go through all the permit acls first, and then hit the deny acl after, it just blocks all traffic.It almost seems that some traffic that isn't specifically being permitted by the permit acls is still getting through which is obviously not wanted. However, if I try to rdp into a server that isn't specifically permitted in the SALES-VPN acls it doesn't work so I'm kind of at a loss..
Is it possible to tunnel IPSec through a 6509 with an FWSM installed without the packets being interferred with?My question arises because myself and a colleague were attempting to form an IPSec tunnel in just this environment last week and no amount of resetting policies, key phrases etc would allow the tunnel to come up. The 2821 was complaining about Phase 2 not matching but the policies were definitely matching and configured the same on both ends. If there shouldn't be an issue with the 6509 and the FWSM then I will post configs from both ends. The 6509 is configured to all all ports through for the two IP addresses for now and is performing a one-to-one NAT for the PIX that is behind it.
View 5 Replies View RelatedI'm using an ASA5510 for remote access IP Sec VPN clients and it is configured for split-tunneling. The client computers are running Cisco VPN client software. All of the client computers running Win 7 work perfect, but the client computers running Win XP Pro cannot browse the internet, they only connect to the inside network.
1) Does XP Pro support split tunneling when using the Cisco VPN client software?
2) Does the ASA require a special config to support split tunneling with Win XP clients?
I am currently trying to configure an Easy VPN connection from an ASA 5505 to and ASA 5520. I have enabled split tunnelling and in the group policy defined the network to be tunneled but when I activate the VPN it tunnels everything from the host computer connected to the ASA 5505. I get no internet access. Have been trying to troubleshoot this for days.Hee are soe specifics, running version 8.2(5) on the 5505 and the 5520 and below is the local config on the 5505 for the Easy VPN:
vpnclient server **.***.***.**
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup dbernstein-5505 password *****
vpnclient username dbernstein password *****
vpnclient ipsec-over-tcp port 10000
vpnclient enable
and the downloaded dynamic policy:
Current Server : 12.***.163.**
Primary DNS : ***.160.***.39
Default Domain : cisco.com
PFS Enabled : No
Secure Unit Authentication Enabled : No
User Authentication Enabled : No
Split Tunnel Networks : ***.160.***.0/255.255.255.0
Backup Servers : None
Can a 2504 WLC on a remote site provide guest access on one SSID, drop taht out locally on that site and provide corporate access on a second WLC that it then tunnls to a 5508 at the main corporate site ?
View 4 Replies View Relatedmy company has used Split Tunneling for all of our VPN uses, however we recently purchased 2 ASA5505s for use at various jobsites, and have been running into problems with Local Network Administrators blocking certain traffic that we need to operate. They allow full VPN connectivity to traverse their networks, so we are able to use our LAN Resources over the split tunnel no problem.
We have it set up as a Dynamic L2L Connection, and this ASA is operating flawlessly minus the traffic being blocked upstream by the network admin. Our VPN topolgy is Hub & Spoke. Below is excerpts from our config on how the VPN is set up: [code]
What we'd like to achieve is being able to pass ALL traffic (LAN & Internet) through the VPN tunnel, then be processed by the Hub ASA (192.168.9.1) on the other end. I am guessing crypto map + routing would have to be changed?
access-list to_hq extended permit ip 192.168.101.0 255.255.255.0 0.0.0.0 0.0.0.0route inside 0.0.0.0 0.0.0.0 192.168.9.1Disable NAT on Spoke. Is this how I would go about doing this??? We need ip address dhcp setroute so our ASA can find the other end and form the VPN tunnel, and I am not sure how this would affect things. [code]
Is GRE tunneling technique for IPv6 based on RFC2473 or Cisco proprietary standard?
View 2 Replies View Related