Cisco 871W - VLAN Int won't come up

crondthaler
Hi,

I have configured our company's Cisco 871W per suggested configs, found here and on the Cisco web site, however, VLAN1, VLAN10 and VLAN20 interfaces won't come up (e.g. up/down) and it's preventing communication. Guess I'm expecting this to behave like a layer-2/layer-3 swt/rtr (i.e. 3560). Can anyone help me on this?

Here is the config:


version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxxxxxxxxxxx
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$NUbh$IHfFjo8hU8P18OOXDbgaM/
enable password xxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.2.1 192.168.2.99
!
ip dhcp pool VLAN10
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
domain-name xxxxxxxxxxxxxxxx
lease 4
!
ip dhcp pool VLAN20
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
domain-name xxxxxxxxxxxx
lease 4
!
!
no ip domain lookup
ip domain name xxxxxxxxx
!
!
crypto pki trustpoint TP-self-signed-1485172728
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1485172728
revocation-check none
rsakeypair TP-self-signed-1485172728
!
!
crypto pki certificate chain TP-self-signed-1485172728
certificate self-signed 01

<--------some output omitted--------->
!
interface FastEthernet0
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet1
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet2
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet3
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet4
ip address 10.2.5.1 255.255.0.0
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1460
duplex auto
speed auto
no cdp enable
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
no ip address
!
interface Vlan10
description Internal Network
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan20
description Guest Network
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended Guest-ACL
deny ip any 192.168.1.0 0.0.0.255
permit ip any any
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
!
<--------------output omitted---------->

We are not concerned with the wireless portion of the config at this point.

End


Any insight is appreciated.

Thanks!
Chris
News Corp.
  • +
    0 Votes
    CG IT

    Don't see VTP in there, don't see a static map or a trunk line.

    +
    0 Votes
    crondthaler

    Thanks, I'll look at VLANs on this device... guess this is different than what I'm used to... I tried enabling dot.q on VLAN10 and the gateway interface fa4, but still 'up/down'.

    -I'll post my findings and how I see that it is different than what I'm used to.

    Thanks for the quick response!

    -Chris
    News Corp.

    +
    0 Votes
    CG IT

    I wasn't going to say your configuration is wrong on line blah or line blah, rather point out that VLANs don't communicate with each other unless there is a layer 3 device which can route traffic between them. Since you're using a layer 3 device that has VLAN capabilities, your router needs something to tell it to allow communications between VLANs. A static mapping or run VTP. Unless the router knows to route traffic destined from VLAN1 to VLAN10 it won't do it.

    +
    0 Votes
    crondthaler

    If IP routing is on, then it should be able to route between directly attached routes, yes? This is what is confusing. And, why are the VLAN interfaces down (e.g. up/down <-- the line protocol is down)?

    I know I'm missing something simple here but I don't get it - any chance anyone has an example for this w-router?

    +
    0 Votes
    CG IT

    have to put in the configuration

    no shutdown

    send a message to Dave Davis or George Ou, resident TechRepublic Cisco gurus

    +
    0 Votes
    crondthaler

    Wow, ok - not sure how to send a direct message but I'll see if David or George can help.

    Thanks for your help.
    -Chris
    News Corp.

    +
    0 Votes
    scott_heath

    ... we don't use multiple VLANs. Here's my config with some items modified, like keys and ip addresses. It's a bit long as we use DMVPN and BGP, but maybe it will help. It sounds crazy, but maybe you need to run 'no shut' on the VLAN## interface.

    service nagle
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime localtime show-timezone
    service timestamps log datetime localtime show-timezone
    service password-encryption
    !
    hostname 871-Test
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 3 log
    logging buffered 32768 debugging
    no logging console
    enable secret _password
    !
    aaa new-model
    !
    !
    aaa authentication login default none
    aaa authentication login login-check group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authentication ppp default local
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    !
    aaa session-id common
    !
    resource policy
    !
    clock timezone CST -6
    clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
    ip subnet-zero
    no ip source-route
    !
    !
    no ip dhcp use vrf connected
    !
    !
    ip tcp mss 1492
    ip cef
    ip tftp source-interface Tunnel0
    ip domain name _domainname.com
    no ip bootp server
    ip inspect log drop-pkt
    ip inspect name DSLINSPECT tcp
    ip inspect name DSLINSPECT udp
    ip inspect name DSLINSPECT fragment maximum 256 timeout 1
    ip inspect name DSLINSPECT icmp
    no ip ips deny-action ips-interface
    ip ips signature 2000 0 disable
    ip ips name AUDIT
    ip ssh time-out 60
    ip ssh authentication-retries 2
    !
    chat-script Dialout ABORT ERROR ABORT BUSY "" "AT" OK "ATDT \T" TIMEOUT 45 CONNECT \c
    modemcap entry multitech:MSC=&F0S0=1&k3&C1&D3$SB115200
    modemcap entry usr_v34:MSC=&f1&u3&n16
    !
    !
    username _userid privilege 15 secret _password
    !
    !
    track 10 ip route _10.10.0.0 255.255.255.128 reachability
    !
    track 11 ip route _10.11.0.0 255.255.255.0 reachability
    !
    track 20 list boolean and
    object 10 not
    object 11 not
    !
    class-map match-any POS
    match access-group name POS
    class-map match-any VIDEO
    match access-group name VIDEO
    class-map match-all DiamondSelector
    match access-group name DiamondSelector
    class-map match-all IPP5
    match ip precedence 5
    class-map match-all IPP4
    match ip precedence 4
    !
    !
    policy-map QOS
    class IPP5
    bandwidth percent 30
    class IPP4
    bandwidth percent 25
    class DiamondSelector
    bandwidth percent 20
    class class-default
    fair-queue
    set ip precedence 0
    policy-map SetBits
    class POS
    set ip precedence 5
    class VIDEO
    set ip precedence 4
    class class-default
    set ip precedence 0
    !
    !
    !
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key _biglongkey address 0.0.0.0 0.0.0.0
    crypto isakmp keepalive 60
    !
    !
    crypto ipsec transform-set gre_set esp-3des esp-sha-hmac
    mode transport
    !
    crypto ipsec profile gre_prof
    set transform-set gre_set
    !
    !
    !
    !
    interface Tunnel4
    description GRE Tunnel to Dialup
    bandwidth 115
    ip address 10.10.72.11 255.255.240.0
    ip mtu 1400
    ip nhrp authentication Dial
    ip nhrp map 10.10.79.254 10.10.65.199
    ip nhrp network-id 199
    ip nhrp holdtime 600
    ip nhrp nhs 10.10.79.254
    ip virtual-reassembly
    delay 1000
    qos pre-classify
    tunnel source Dialer1
    tunnel destination 10.10.65.199
    tunnel protection ipsec profile gre_prof
    !
    interface Tunnel2
    description GRE Tunnel to Datacenter 1
    bandwidth 384
    ip address 10.10.40.21 255.255.240.0
    ip mtu 1400
    ip nhrp authentication nsite3
    ip nhrp map 10.10.47.254 10.10.65.197
    ip nhrp network-id 103
    ip nhrp holdtime 600
    ip nhrp nhs 10.10.47.254
    ip virtual-reassembly
    delay 1000
    qos pre-classify
    tunnel source Fastethernet 4
    tunnel destination 10.10.65.197
    tunnel protection ipsec profile gre_prof
    !
    interface Tunnel3
    description GRE Tunnel to Datacenter 2
    bandwidth 384
    ip address 10.10.56.21 255.255.240.0
    ip mtu 1400
    ip nhrp authentication nsite4
    ip nhrp map 10.10.63.254 10.10.65.198
    ip nhrp network-id 104
    ip nhrp holdtime 600
    ip nhrp nhs 10.10.63.254
    ip virtual-reassembly
    delay 1000
    qos pre-classify
    tunnel source Fastethernet 4
    tunnel destination 10.10.65.198
    tunnel protection ipsec profile gre_prof
    !
    interface Tunnel0
    description GRE Tunnel to Internal 1
    bandwidth 384
    ip address 10.10.8.21 255.255.240.0
    ip mtu 1400
    ip nhrp authentication nsite
    ip nhrp map 10.10.15.254 10.10.0.172
    ip nhrp network-id 101
    ip nhrp holdtime 600
    ip nhrp nhs 10.10.15.254
    ip virtual-reassembly
    delay 1000
    qos pre-classify
    tunnel source Fastethernet 4
    tunnel destination 10.10.0.172
    tunnel protection ipsec profile gre_prof
    !
    interface Tunnel1
    description GRE Tunnel to Internal 2
    bandwidth 384
    ip address 10.10.24.21 255.255.240.0
    ip mtu 1400
    ip nhrp authentication nsite1
    ip nhrp map 10.10.31.254 10.10.67.135
    ip nhrp network-id 102
    ip nhrp holdtime 600
    ip nhrp nhs 10.10.31.254
    ip virtual-reassembly
    delay 1000
    qos pre-classify
    tunnel source Fastethernet 4
    tunnel destination 10.10.67.135
    tunnel protection ipsec profile gre_prof
    !
    interface Vlan2
    description Private Network
    ip address 10.10.177.65 255.255.255.192
    ip virtual-reassembly
    ip route-cache flow
    ip policy route-map cleardf
    service-policy input SetBits
    no shut
    !
    interface Fastethernet 4
    description ** WAN Interface **
    bandwidth 384
    ip address 10.10.99.236 255.255.255.0
    ip access-group From_Internet in
    ip access-group To_Internet out
    ip mtu 1492
    ip inspect DSLINSPECT out
    ip ips AUDIT in
    ip route-cache flow
    duplex auto
    speed auto
    no cdp enable
    max-reserved-bandwidth 80
    service-policy output QOS
    no shut

    !
    interface FastEthernet0
    description ** DV-Dallas **
    switchport access vlan 2
    no cdp enable
    no shut
    !
    interface FastEthernet1
    description ** POS **
    switchport access vlan 2
    no cdp enable
    no shut
    !
    interface FastEthernet2
    switchport access vlan 2
    no cdp enable
    no shut
    !
    interface FastEthernet3
    switchport access vlan 2
    no cdp enable
    no shut
    !
    interface Async1
    no ip address
    encapsulation ppp
    no ip route-cache cef
    dialer in-band
    dialer pool-member 1
    dialer-group 1
    async mode dedicated
    keepalive 5 5
    service-policy output QOS
    routing dynamic
    !
    interface Dialer1
    bandwidth 64
    ip address negotiated
    ip virtual-reassembly
    encapsulation ppp
    no ip route-cache cef
    no ip route-cache
    dialer pool 1
    dialer string 5551239175
    dialer-group 1
    peer default ip address 10.10.177.126
    no cdp enable
    ppp authentication pap callin
    ppp pap sent-username _userid password _password
    hold-queue 10 out
    no shut
    !
    router rip
    version 2
    redistribute connected
    passive-interface Tunnel2
    passive-interface Tunnel3
    passive-interface Tunnel0
    passive-interface Tunnel1
    network 10.0.0.0
    distribute-list 20 out
    !
    router bgp 5000
    no synchronization
    bgp log-neighbor-changes
    network 10.10.177.64 mask 255.255.255.192
    neighbor 10.10.0.7 remote-as 5000
    neighbor 10.10.0.7 update-source Tunnel2
    neighbor 10.10.0.7 timers 10 60
    neighbor 10.10.0.7 route-map local-pref-PRIMARY out
    neighbor 10.10.0.8 remote-as 5000
    neighbor 10.10.0.8 update-source Tunnel3
    neighbor 10.10.0.8 timers 10 60
    neighbor 10.10.0.8 route-map local-pref-BACKUP out
    neighbor 10.10.1.9 remote-as 5000
    neighbor 10.10.1.9 update-source Tunnel0
    neighbor 10.10.1.9 timers 10 60
    neighbor 10.10.1.9 route-map local-pref-PRIMARY out
    neighbor 10.10.1.10 remote-as 5000
    neighbor 10.10.1.10 update-source Tunnel1
    neighbor 10.10.1.10 timers 10 60
    neighbor 10.10.1.10 route-map local-pref-BACKUP out
    no auto-summary
    !
    ip classless
    ip route 10.10.68.0 255.255.254.0 Dialer1 200 track 20
    ip route 10.10.65.199 255.255.255.255 Dialer1 track 20
    ip route 10.10.68.0 255.255.254.0 10.10.79.254 track 20
    ip route 10.10.181.32 255.255.255.255 10.10.79.254 track 20
    ip route 0.0.0.0 0.0.0.0 10.10.99.1
    ip route 10.10.177.126 255.255.255.255 Dialer1
    ip route 10.10.0.7 255.255.255.255 10.10.47.254
    ip route 10.10.0.8 255.255.255.255 10.10.63.254
    ip route 10.10.1.9 255.255.255.255 10.10.15.254
    ip route 10.10.1.10 255.255.255.255 10.10.31.254
    !
    ip tacacs source-interface Tunnel0
    no ip http server
    ip http authentication local
    no ip http secure-server
    ip http timeout-policy idle 5 life 86400 requests 10000
    !
    !
    !
    ip access-list standard SNMP-ACL
    permit 10.10.142.176 0.0.0.7
    !
    ip access-list extended DiamondSelector
    permit ip any host 10.10.68.87
    ip access-list extended From_Internet
    remark Restrict traffic from the Internet
    permit esp any any
    permit udp any any eq isakmp
    permit icmp any any echo
    permit tcp any any eq 22 log
    permit udp any any eq non500-isakmp
    permit gre any any
    permit udp any eq bootps any
    permit udp any any eq ntp
    deny ip any any
    ip access-list extended To_Internet
    deny ip 10.10.0.0 0.0.255.255 any
    permit ip any any
    ip access-list extended POS
    permit tcp any any range 26020 26029
    permit udp any any range 26020 26029
    permit tcp any any eq 1524
    permit udp any any eq 1524
    permit tcp any any eq 1433
    permit udp any any eq 1433
    permit ip any host 10.10.68.69
    permit ip any host 10.10.68.71
    permit tcp any any range 9090 9099
    permit udp any any range 9090 9099
    permit tcp any any range 9990 9999
    permit udp any any range 9990 9999
    ip access-list extended VIDEO
    permit ip any host 10.10.0.123
    !
    logging trap debugging
    access-list 20 deny 10.10.177.126
    access-list 20 permit 10.10.0.0 0.0.255.255
    access-list 20 deny any
    access-list 195 permit ip any any
    dialer-list 1 protocol ip permit
    snmp-server community _Community RO SNMP-ACL
    snmp-server trap-source Tunnel0
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps tty
    snmp-server enable traps isakmp tunnel start
    snmp-server enable traps isakmp tunnel stop
    snmp-server host 10.10.142.177 Zale_5074
    no cdp run
    !
    ip flow-export source vlan2
    ip flow-export version 5
    ip flow-export destination 10.10.68.96 2055
    !
    route-map local-pref-PRIMARY permit 10
    set local-preference 100
    !
    route-map local-pref-BACKUP permit 20
    set local-preference 50
    !
    route-map cleardf permit 10
    match ip address 195
    set ip df 0
    !
    tacacs-server host 10.10.142.178
    tacacs-server directed-request
    tacacs-server key 7 _biglongkey
    !
    control-plane
    !
    banner login ^CCCC


    **********************************************************

    * 871-Test *

    * WARNING - Unauthorized access is strictly prohibited. *

    * VIOLATERS WILL BE PROSECUTED *

    * ALL ACTIVITY IS MONITORED AND LOGGED *

    **********************************************************^C
    privilege exec level 1 show crypto isakmp key
    privilege exec level 1 show crypto isakmp policy
    privilege exec level 1 show crypto isakmp sa
    privilege exec level 1 show crypto isakmp
    privilege exec level 1 show crypto ipsec sa identity
    privilege exec level 1 show crypto ipsec sa
    privilege exec level 1 show crypto ipsec
    privilege exec level 1 show crypto
    privilege exec level 1 show
    privilege exec level 1 clear crypto sa peer
    privilege exec level 1 clear crypto sa
    privilege exec level 1 clear crypto
    privilege exec level 1 clear
    !
    line con 0
    exec-timeout 5 0
    privilege level 15
    logging synchronous
    login authentication login-check
    modem enable
    stopbits 1
    line aux 0
    exec-timeout 15 0
    script dialer Dialout
    login authentication login-check
    modem InOut
    modem autoconfigure type usr_v34
    transport input telnet
    stopbits 1
    speed 115200
    flowcontrol hardware
    line vty 0 4
    exec-timeout 15 0
    privilege level 15
    logging synchronous
    login authentication login-check
    transport input telnet ssh
    !
    scheduler max-task-time 5000
    ntp clock-period 17180123
    ntp server 192.5.41.40

    +
    0 Votes

    Hello, I believe the original poster mentioned that the interfaces (e.g. up/down), by that one could assume that the interfaces are administratively up and the network is down. As I understand it that would not be possible if the interface was shut down.

    +
    0 Votes
    crondthaler

    Right...

    +
    0 Votes
    crondthaler

    Thank you. I'll have a look at this - I'm sure it'll help.

    I ran 'no shut' more times than I can remember. Reload, powered down... : ).

    Thank you!
    -Chris
    News Corp.

    +
    0 Votes

    : )

    scott_heath

    Hope suggesting it didn't sound offensive. I know I've overlooked easy things in my quest to find the more complicated cause.

    +
    0 Votes
    Cincinnerdi

    I know this is an old thread, but seems unresolved. I believe you must have an upgraded IOS. Cisco site says "Support for 2 VLANs with Base Image. One VLAN dedicated to DMZ" and "4 802.1q VLANs on Advanced IP Services IOS image."
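
A static check of the points raised in this thread, as an added example (not code from any poster or from Cisco): it lists the SVIs in a running-config, flags any SVI whose VLAN has no access port, and compares the number of VLANs in use with the per-image figures quoted in the reply above. It assumes that an SVI needs at least one member port before its line protocol can come up, that a switch port without `switchport access vlan` sits in VLAN 1, and that every VLAN ID in use counts toward the quoted limit; `parse_interfaces`, `audit_svis` and the finding labels are names made up for this example.

```python
import re

# Per-image VLAN figures exactly as quoted from Cisco's site in the reply above.
BASE_IMAGE_VLANS = 2
ADV_IP_SERVICES_VLANS = 4

# Constructed sample: interface stanzas reduced from the config in the question.
SAMPLE_CONFIG = """\
interface FastEthernet0
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet1
 switchport access vlan 10
!
interface FastEthernet2
 switchport access vlan 10
!
interface FastEthernet3
 switchport access vlan 10
!
interface FastEthernet4
 ip address 10.2.5.1 255.255.0.0
 ip nat outside
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan20
 ip address 192.168.2.1 255.255.255.0
!
ip classless
"""


def parse_interfaces(config):
    """Return {interface name: [sub-commands]}.

    A stanza ends at a '!' line, a blank line or the next 'interface' line,
    so configs pasted without indentation (as in this thread) also parse.
    """
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        match = re.match(r"interface\s+(\S.*)$", line, re.I)
        if match:
            current = match.group(1).replace(" ", "")
            stanzas[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def audit_svis(config, vlan_limit=BASE_IMAGE_VLANS):
    """Report VLANs in use and findings that can keep an SVI at up/down."""
    svis, members, trunks = {}, {}, []
    for name, cmds in parse_interfaces(config).items():
        svi = re.fullmatch(r"vlan(\d+)", name, re.I)
        if svi:
            svis[int(svi.group(1))] = [c.lower() for c in cmds]
            continue
        switchport = [c.lower() for c in cmds if c.lower().startswith("switchport")]
        if not switchport:
            continue  # routed port (e.g. the WAN interface): not a VLAN member
        if "switchport mode trunk" in switchport:
            trunks.append(name)  # assumed to carry every VLAN
            continue
        vlan = 1  # assumption: default access VLAN when none is configured
        for cmd in switchport:
            access = re.fullmatch(r"switchport access vlan (\d+)", cmd)
            if access:
                vlan = int(access.group(1))
        members.setdefault(vlan, []).append(name)

    findings = []
    for vid in sorted(svis):
        if "shutdown" in svis[vid]:
            findings.append((vid, "admin-shutdown"))
        if vid not in members and not trunks:
            findings.append((vid, "no-member-port"))
    used = sorted(set(svis) | set(members))
    if len(used) > vlan_limit:
        findings.append((None, "vlan-count-exceeds-limit"))
    return {"vlans_used": used, "members": members, "findings": findings}


if __name__ == "__main__":
    for limit in (BASE_IMAGE_VLANS, ADV_IP_SERVICES_VLANS):
        report = audit_svis(SAMPLE_CONFIG, vlan_limit=limit)
        print("limit", limit, "VLANs used", report["vlans_used"])
        for vlan_id, label in report["findings"]:
            print("  ", "Vlan%s" % vlan_id if vlan_id else "device", label)
```

Confirm the result on the router itself with `show vlan-switch` and `show ip interface brief`, since a static read of the config cannot see link state.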
