Cisco 871W - VLAN Int won't come up

crondthaler
Hi,

I have configured our company's Cisco 871W per suggested configs, found here and on the Cisco web site; however, VLAN1, VLAN10 and VLAN20 interfaces won't come up (e.g. up/down) and it's preventing communication. Guess I'm expecting this to behave like a layer-2/layer-3 swt/rtr (i.e. 3560). Can anyone help me on this?

Here is the config:


version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxxxxxxxxxxx
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$NUbh$IHfFjo8hU8P18OOXDbgaM/
enable password xxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.2.1 192.168.2.99
!
ip dhcp pool VLAN10
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
domain-name xxxxxxxxxxxxxxxx
lease 4
!
ip dhcp pool VLAN20
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
domain-name xxxxxxxxxxxx
lease 4
!
!
no ip domain lookup
ip domain name xxxxxxxxx
!
!
crypto pki trustpoint TP-self-signed-1485172728
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1485172728
revocation-check none
rsakeypair TP-self-signed-1485172728
!
!
crypto pki certificate chain TP-self-signed-1485172728
certificate self-signed 01

<--------some output omitted--------->
!
interface FastEthernet0
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet1
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet2
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet3
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet4
ip address 10.2.5.1 255.255.0.0
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1460
duplex auto
speed auto
no cdp enable
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
no ip address
!
interface Vlan10
description Internal Network
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan20
description Guest Network
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended Guest-ACL
deny ip any 192.168.1.0 0.0.0.255
permit ip any any
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
!
<--------------output omitted---------->

We are not concerned with the wireless portion of the config at this point.

End


Any insight is appreciated.

Thanks!
Chris
News Corp.
CG IT

Don't see VTP in there, don't see a static map or a trunk line.

crondthaler

Thanks, I'll look at VLANs on this device... guess this is different than what I'm used to... I tried enabling dot1q on VLAN10 and the gateway interface fa4, but still 'up/down'.

-I'll post my findings and how I see that it is different than what I'm used to.

Thanks for the quick response!

-Chris
News Corp.

CG IT

I wasn't going to say your configuration is wrong on line blah or line blah, but rather point out that VLANs don't communicate with each other unless there is a layer 3 device which can route traffic between them. Since you're using a layer 3 device that has VLAN capabilities, your router needs something to tell it to allow communications between VLANs: a static mapping, or run VTP. Unless the router knows to route traffic destined from VLAN1 to VLAN10 it won't do it.

crondthaler

If IP routing is on, then it should be able to route between directly attached routes, yes? This is what is confusing. And, why are the VLAN interfaces down (e.g. up/down <-- the line protocol is down)?

I know I'm missing something simple here but I don't get it - any chance anyone has an example for this w-router?

CG IT

You have to put this in the configuration:

no shutdown

Send a message to Dave Davis or George Ou, the resident TechRepublic Cisco gurus.

crondthaler

Wow, ok - not sure how to send a direct message but I'll see if David or George can help.

Thanks for your help.
-Chris
News Corp.

scott_heath

... we don't use multiple VLANs. Here's my config with some items modified, like keys and IP addresses. It's a bit long as we use DMVPN and BGP, but maybe it will help. It sounds crazy, but maybe you need to run 'no shut' on the VLAN## interface.

service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname 871-Test
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 32768 debugging
no logging console
enable secret _password
!
aaa new-model
!
!
aaa authentication login default none
aaa authentication login login-check group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default local
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
aaa session-id common
!
resource policy
!
clock timezone CST -6
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ip subnet-zero
no ip source-route
!
!
no ip dhcp use vrf connected
!
!
ip tcp mss 1492
ip cef
ip tftp source-interface Tunnel0
ip domain name _domainname.com
no ip bootp server
ip inspect log drop-pkt
ip inspect name DSLINSPECT tcp
ip inspect name DSLINSPECT udp
ip inspect name DSLINSPECT fragment maximum 256 timeout 1
ip inspect name DSLINSPECT icmp
no ip ips deny-action ips-interface
ip ips signature 2000 0 disable
ip ips name AUDIT
ip ssh time-out 60
ip ssh authentication-retries 2
!
chat-script Dialout ABORT ERROR ABORT BUSY "" "AT" OK "ATDT \T" TIMEOUT 45 CONNECT \c
modemcap entry multitech:MSC=&F0S0=1&k3&C1&D3$SB115200
modemcap entry usr_v34:MSC=&f1&u3&n16
!
!
username _userid privilege 15 secret _password
!
!
track 10 ip route _10.10.0.0 255.255.255.128 reachability
!
track 11 ip route _10.11.0.0 255.255.255.0 reachability
!
track 20 list boolean and
object 10 not
object 11 not
!
class-map match-any POS
match access-group name POS
class-map match-any VIDEO
match access-group name VIDEO
class-map match-all DiamondSelector
match access-group name DiamondSelector
class-map match-all IPP5
match ip precedence 5
class-map match-all IPP4
match ip precedence 4
!
!
policy-map QOS
class IPP5
bandwidth percent 30
class IPP4
bandwidth percent 25
class DiamondSelector
bandwidth percent 20
class class-default
fair-queue
set ip precedence 0
policy-map SetBits
class POS
set ip precedence 5
class VIDEO
set ip precedence 4
class class-default
set ip precedence 0
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key _biglongkey address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60
!
!
crypto ipsec transform-set gre_set esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile gre_prof
set transform-set gre_set
!
!
!
!
interface Tunnel4
description GRE Tunnel to Dialup
bandwidth 115
ip address 10.10.72.11 255.255.240.0
ip mtu 1400
ip nhrp authentication Dial
ip nhrp map 10.10.79.254 10.10.65.199
ip nhrp network-id 199
ip nhrp holdtime 600
ip nhrp nhs 10.10.79.254
ip virtual-reassembly
delay 1000
qos pre-classify
tunnel source Dialer1
tunnel destination 10.10.65.199
tunnel protection ipsec profile gre_prof
!
interface Tunnel2
description GRE Tunnel to Datacenter 1
bandwidth 384
ip address 10.10.40.21 255.255.240.0
ip mtu 1400
ip nhrp authentication nsite3
ip nhrp map 10.10.47.254 10.10.65.197
ip nhrp network-id 103
ip nhrp holdtime 600
ip nhrp nhs 10.10.47.254
ip virtual-reassembly
delay 1000
qos pre-classify
tunnel source Fastethernet 4
tunnel destination 10.10.65.197
tunnel protection ipsec profile gre_prof
!
interface Tunnel3
description GRE Tunnel to Datacenter 2
bandwidth 384
ip address 10.10.56.21 255.255.240.0
ip mtu 1400
ip nhrp authentication nsite4
ip nhrp map 10.10.63.254 10.10.65.198
ip nhrp network-id 104
ip nhrp holdtime 600
ip nhrp nhs 10.10.63.254
ip virtual-reassembly
delay 1000
qos pre-classify
tunnel source Fastethernet 4
tunnel destination 10.10.65.198
tunnel protection ipsec profile gre_prof
!
interface Tunnel0
description GRE Tunnel to Internal 1
bandwidth 384
ip address 10.10.8.21 255.255.240.0
ip mtu 1400
ip nhrp authentication nsite
ip nhrp map 10.10.15.254 10.10.0.172
ip nhrp network-id 101
ip nhrp holdtime 600
ip nhrp nhs 10.10.15.254
ip virtual-reassembly
delay 1000
qos pre-classify
tunnel source Fastethernet 4
tunnel destination 10.10.0.172
tunnel protection ipsec profile gre_prof
!
interface Tunnel1
description GRE Tunnel to Internal 2
bandwidth 384
ip address 10.10.24.21 255.255.240.0
ip mtu 1400
ip nhrp authentication nsite1
ip nhrp map 10.10.31.254 10.10.67.135
ip nhrp network-id 102
ip nhrp holdtime 600
ip nhrp nhs 10.10.31.254
ip virtual-reassembly
delay 1000
qos pre-classify
tunnel source Fastethernet 4
tunnel destination 10.10.67.135
tunnel protection ipsec profile gre_prof
!
interface Vlan2
description Private Network
ip address 10.10.177.65 255.255.255.192
ip virtual-reassembly
ip route-cache flow
ip policy route-map cleardf
service-policy input SetBits
no shut
!
interface Fastethernet 4
description ** WAN Interface **
bandwidth 384
ip address 10.10.99.236 255.255.255.0
ip access-group From_Internet in
ip access-group To_Internet out
ip mtu 1492
ip inspect DSLINSPECT out
ip ips AUDIT in
ip route-cache flow
duplex auto
speed auto
no cdp enable
max-reserved-bandwidth 80
service-policy output QOS
no shut

!
interface FastEthernet0
description ** DV-Dallas **
switchport access vlan 2
no cdp enable
no shut
!
interface FastEthernet1
description ** POS **
switchport access vlan 2
no cdp enable
no shut
!
interface FastEthernet2
switchport access vlan 2
no cdp enable
no shut
!
interface FastEthernet3
switchport access vlan 2
no cdp enable
no shut
!
interface Async1
no ip address
encapsulation ppp
no ip route-cache cef
dialer in-band
dialer pool-member 1
dialer-group 1
async mode dedicated
keepalive 5 5
service-policy output QOS
routing dynamic
!
interface Dialer1
bandwidth 64
ip address negotiated
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
dialer pool 1
dialer string 5551239175
dialer-group 1
peer default ip address 10.10.177.126
no cdp enable
ppp authentication pap callin
ppp pap sent-username _userid password _password
hold-queue 10 out
no shut
!
router rip
version 2
redistribute connected
passive-interface Tunnel2
passive-interface Tunnel3
passive-interface Tunnel0
passive-interface Tunnel1
network 10.0.0.0
distribute-list 20 out
!
router bgp 5000
no synchronization
bgp log-neighbor-changes
network 10.10.177.64 mask 255.255.255.192
neighbor 10.10.0.7 remote-as 5000
neighbor 10.10.0.7 update-source Tunnel2
neighbor 10.10.0.7 timers 10 60
neighbor 10.10.0.7 route-map local-pref-PRIMARY out
neighbor 10.10.0.8 remote-as 5000
neighbor 10.10.0.8 update-source Tunnel3
neighbor 10.10.0.8 timers 10 60
neighbor 10.10.0.8 route-map local-pref-BACKUP out
neighbor 10.10.1.9 remote-as 5000
neighbor 10.10.1.9 update-source Tunnel0
neighbor 10.10.1.9 timers 10 60
neighbor 10.10.1.9 route-map local-pref-PRIMARY out
neighbor 10.10.1.10 remote-as 5000
neighbor 10.10.1.10 update-source Tunnel1
neighbor 10.10.1.10 timers 10 60
neighbor 10.10.1.10 route-map local-pref-BACKUP out
no auto-summary
!
ip classless
ip route 10.10.68.0 255.255.254.0 Dialer1 200 track 20
ip route 10.10.65.199 255.255.255.255 Dialer1 track 20
ip route 10.10.68.0 255.255.254.0 10.10.79.254 track 20
ip route 10.10.181.32 255.255.255.255 10.10.79.254 track 20
ip route 0.0.0.0 0.0.0.0 10.10.99.1
ip route 10.10.177.126 255.255.255.255 Dialer1
ip route 10.10.0.7 255.255.255.255 10.10.47.254
ip route 10.10.0.8 255.255.255.255 10.10.63.254
ip route 10.10.1.9 255.255.255.255 10.10.15.254
ip route 10.10.1.10 255.255.255.255 10.10.31.254
!
ip tacacs source-interface Tunnel0
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
!
ip access-list standard SNMP-ACL
permit 10.10.142.176 0.0.0.7
!
ip access-list extended DiamondSelector
permit ip any host 10.10.68.87
ip access-list extended From_Internet
remark Restrict traffic from the Internet
permit esp any any
permit udp any any eq isakmp
permit icmp any any echo
permit tcp any any eq 22 log
permit udp any any eq non500-isakmp
permit gre any any
permit udp any eq bootps any
permit udp any any eq ntp
deny ip any any
ip access-list extended To_Internet
deny ip 10.10.0.0 0.0.255.255 any
permit ip any any
ip access-list extended POS
permit tcp any any range 26020 26029
permit udp any any range 26020 26029
permit tcp any any eq 1524
permit udp any any eq 1524
permit tcp any any eq 1433
permit udp any any eq 1433
permit ip any host 10.10.68.69
permit ip any host 10.10.68.71
permit tcp any any range 9090 9099
permit udp any any range 9090 9099
permit tcp any any range 9990 9999
permit udp any any range 9990 9999
ip access-list extended VIDEO
permit ip any host 10.10.0.123
!
logging trap debugging
access-list 20 deny 10.10.177.126
access-list 20 permit 10.10.0.0 0.0.255.255
access-list 20 deny any
access-list 195 permit ip any any
dialer-list 1 protocol ip permit
snmp-server community _Community RO SNMP-ACL
snmp-server trap-source Tunnel0
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server host 10.10.142.177 Zale_5074
no cdp run
!
ip flow-export source vlan2
ip flow-export version 5
ip flow-export destination 10.10.68.96 2055
!
route-map local-pref-PRIMARY permit 10
set local-preference 100
!
route-map local-pref-BACKUP permit 20
set local-preference 50
!
route-map cleardf permit 10
match ip address 195
set ip df 0
!
tacacs-server host 10.10.142.178
tacacs-server directed-request
tacacs-server key 7 _biglongkey
!
control-plane
!
banner login ^CCCC


**********************************************************

* 871-Test *

* WARNING - Unauthorized access is strictly prohibited. *

* VIOLATERS WILL BE PROSECUTED *

* ALL ACTIVITY IS MONITORED AND LOGGED *

**********************************************************^C
privilege exec level 1 show crypto isakmp key
privilege exec level 1 show crypto isakmp policy
privilege exec level 1 show crypto isakmp sa
privilege exec level 1 show crypto isakmp
privilege exec level 1 show crypto ipsec sa identity
privilege exec level 1 show crypto ipsec sa
privilege exec level 1 show crypto ipsec
privilege exec level 1 show crypto
privilege exec level 1 show
privilege exec level 1 clear crypto sa peer
privilege exec level 1 clear crypto sa
privilege exec level 1 clear crypto
privilege exec level 1 clear
!
line con 0
exec-timeout 5 0
privilege level 15
logging synchronous
login authentication login-check
modem enable
stopbits 1
line aux 0
exec-timeout 15 0
script dialer Dialout
login authentication login-check
modem InOut
modem autoconfigure type usr_v34
transport input telnet
stopbits 1
speed 115200
flowcontrol hardware
line vty 0 4
exec-timeout 15 0
privilege level 15
logging synchronous
login authentication login-check
transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17180123
ntp server 192.5.41.40


Hello, I believe the original poster mentioned that the interfaces are up/down; from that one could assume that the interfaces are administratively up and the network is down. As I understand it, that would not be possible if the interface was shut down.

crondthaler

Right...

crondthaler

Thank you. I'll have a look at this - I'm sure it'll help.

I ran 'no shut' more times than I can remember. Reload, powered down... : ).

Thank you!
-Chris
News Corp.


: )

scott_heath

Hope suggesting it didn't sound offensive. I know I've overlooked easy things in my quest to find the more complicated cause.

Cincinnerdi

I know this is an old thread, but it seems unresolved. I believe you must have an upgraded IOS. The Cisco site says "Support for 2 VLANs with Base Image. One VLAN dedicated to DMZ" and "4 802.1q VLANs on Advanced IP Services IOS image."
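The replies above circle around three checks: whether each VLAN interface has a member switchport at all, whether anything is explicitly shut down, and (from the last post) whether the IOS image supports as many VLANs as the config defines. The following is an added example, not code posted by anyone in the thread: a small Python lint that parses the original poster's switchport and SVI stanzas (reproduced below as constructed sample input, wireless and NAT lines dropped) and reports those three things per SVI. The per-image VLAN limits are taken from the figures quoted in the final post and are passed in as parameters rather than hard-coded facts.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the switchport and SVI stanzas from the original poster's
# config, addresses as posted. Indentation is optional; the parser also accepts
# a flattened paste like the one in the thread.
SAMPLE_CONFIG = """\
interface FastEthernet0
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet1
 switchport access vlan 10
!
interface FastEthernet2
 switchport access vlan 10
!
interface FastEthernet3
 switchport access vlan 10
!
interface FastEthernet4
 ip address 10.2.5.1 255.255.0.0
 ip nat outside
!
interface Vlan1
 no ip address
!
interface Vlan10
 description Internal Network
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan20
 description Guest Network
 ip address 192.168.2.1 255.255.255.0
!
"""


@dataclass
class SviInfo:
    name: str
    vlan: int
    members: List[str] = field(default_factory=list)  # switchports in this VLAN
    shutdown: bool = False                              # explicit 'shutdown' on the SVI
    ip_address: str = ""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [sub-commands]}. Stanzas are delimited by the
    'interface' keyword and the '!' separator, so indentation is not required."""
    stanzas: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        m = re.match(r"interface\s+(\S.*)$", line, re.IGNORECASE)
        if m:
            current = m.group(1).replace(" ", "")  # 'Fastethernet 4' -> 'Fastethernet4'
            stanzas[current] = []
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def access_vlan(subcommands: List[str]) -> Optional[int]:
    """Access VLAN of a switchport, or None for a routed port. Assumption: a port
    counts as a switchport only when a 'switchport' sub-command is present; such a
    port with no explicit 'switchport access vlan' sits in VLAN 1 (IOS default)."""
    if not any(c.startswith("switchport") for c in subcommands):
        return None
    for c in subcommands:
        m = re.match(r"switchport access vlan (\d+)$", c)
        if m:
            return int(m.group(1))
    return 1


def svi_report(config: str) -> Dict[int, SviInfo]:
    """Map VLAN id -> SviInfo, with member switchports attached to each SVI."""
    stanzas = parse_interfaces(config)
    report: Dict[int, SviInfo] = {}
    for name, cmds in stanzas.items():
        m = re.match(r"Vlan(\d+)$", name, re.IGNORECASE)
        if not m:
            continue
        info = SviInfo(name=name, vlan=int(m.group(1)), shutdown="shutdown" in cmds)
        for c in cmds:
            if c.startswith("ip address "):
                info.ip_address = c[len("ip address "):]
        report[info.vlan] = info
    for name, cmds in stanzas.items():
        vlan = access_vlan(cmds)
        if vlan is not None and vlan in report:
            report[vlan].members.append(name)
    return report


def over_vlan_limit(report: Dict[int, SviInfo], max_vlans: int) -> bool:
    """True when more SVIs are configured than the image supports."""
    return len(report) > max_vlans


def describe(report: Dict[int, SviInfo]) -> List[str]:
    """One human-readable verdict line per SVI."""
    out = []
    for vlan in sorted(report):
        info = report[vlan]
        if info.shutdown:
            verdict = "administratively down ('shutdown' present)"
        elif not info.members:
            verdict = "no member switchport: line protocol stays down (up/down)"
        else:
            verdict = (f"members present ({', '.join(info.members)}); if still up/down, "
                       "check that the IOS image supports this many VLANs")
        out.append(f"{info.name}: {verdict}")
    return out


if __name__ == "__main__":
    rep = svi_report(SAMPLE_CONFIG)
    for line in describe(rep):
        print(line)
    # VLAN limits as quoted in the thread's last post (assumed, not verified here).
    for image, limit in (("Base", 2), ("Advanced IP Services", 4)):
        state = "OVER" if over_vlan_limit(rep, limit) else "ok"
        print(f"{len(rep)} SVIs vs {image} image limit of {limit}: {state}")
```

Run against the sample, Vlan1 is reported as having no member port (so up/down is the expected state for it), Vlan10 and Vlan20 have members, and the three SVIs exceed the two-VLAN figure quoted for the base image while fitting the four-VLAN figure for the Advanced IP Services image.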