From: T0nyD on 22 Jan 2010 11:27

Hi I'm having an issue setting up a router on a stick configuration with a 4006 running CatOS and a 2621 router. I have set up vlans on the 4006, and set up sub interfaces on the 2621 that correspond to the different vlans, however when I connect a workstation to the vlan I can only ping out to the ip address of the subinterface on the router, not the other VLANs or to the internal interface on the PIX or internet. I've had this config working on a 2621 previously when working with an IOS switch so I'm wondering if the issue is just my lack of knowledge of CatOS. I have posted the configs of the different devices below as well as the topology, any help with this would be appreciated.

    Internet
       ||
      PIX
       ||
      2621
       ||
      4006
       ||
VLAN106 VLAN104

4006 Configuration

This command shows non-default configurations only.
Use 'show config all' to show both default and non-default configurations.

begin
!
# ***** NON-DEFAULT CONFIGURATION *****
!
!
#time: Fri Jan 22 2010, 07:12:02
!
#version 7.6(17)
!
!
#system web interface version(s)
!
#dot1x
set feature dot1x-radius-keepalive disable
!
#frame distribution method
set port channel all distribution mac both
!
#vtp
set vtp mode transparent
set vlan 1 name default type ethernet mtu 1500 said 100001 state active
set vlan 1002 name fddi-default type fddi mtu 1500 said 101002 state active
set vlan 1004 name fddinet-default type fddinet mtu 1500 said 101004 state active stp ieee
set vlan 1005 name trnet-default type trbrf mtu 1500 said 101005 state active stp ibm
set vlan 104,106
set vlan 1003 name token-ring-default type trcrf mtu 1500 said 101003 state active mode srb aremaxhop 7 stemaxhop 7 backupcrf off
!
#ip
set interface sc0 1 192.168.1.14/255.255.255.0 192.168.1.255
set interface sl0 down
set interface me1 down
set ip route 0.0.0.0/0.0.0.0 192.168.1.1
!
#set boot command
set boot config-register 0x2
set boot system flash bootflash:cat4000-k8.7-6-17.bin
set boot system flash bootflash:cat4000-k8.7-6-5.bin
!
#multicast filter
set igmp filter disable
!
#module 1 : 2-port 1000BaseX Supervisor
set trunk 1/2 on dot1q 1-1005,1025-4094
!
#module 2 : 6-port 1000BaseX Ethernet
!
#module 3 : 48-port 10/100BaseTx Ethernet
set vlan 104 3/25-36
set vlan 106 3/13-24
set port speed 3/1-48 100
set port duplex 3/1-48 full
set trunk 3/48 desirable dot1q 1-1005,1025-4094
!
#module 4 empty
!
#module 5 empty
!
#module 6 empty

2621 Configuration

version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname tstrtr
!
boot-start-marker
boot-end-marker
!
enable secret ###################
!
no aaa new-model
ip subnet-zero
no ip source-route
!
!
no ip domain lookup
!
no ip bootp server
ip cef
!
interface FastEthernet0/0
 description Connection to Edge
 ip address 10.1.2.254 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 speed 100
 full-duplex
!
interface FastEthernet0/1.1
 description Management VLAN
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/1.4
 description Home VLAN
 encapsulation dot1Q 104
 ip address 192.168.104.1 255.255.255.0
!
interface FastEthernet0/1.6
 description Work VLAN
 encapsulation dot1Q 106
 ip address 192.168.106.1 255.255.255.0
!
router rip
 network 10.0.0.0
 network 192.0.0.0
!
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.2.1
!
dial-peer cor custom
!
line con 0
 exec-timeout 15 0
 password ############
 logging synchronous
 login
 length 22
 history size 30
line aux 0
 exec-timeout 5 0
 login
 length 22
 transport output none
line vty 0 4
 exec-timeout 20 30
 password ###############
 login
 length 22
 history size 30

PIX Configuration

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ################## encrypted
passwd ################# encrypted
hostname testpix
domain-name testdomain.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.1.2.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list 102 permit icmp any any
access-list 102 permit ip 10.1.3.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list 103 permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 111.111.111.111 255.255.255.252
ip address inside 10.1.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 10.2.3.10-10.2.3.50
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 111.111.111.111 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet 192.168.0.0 255.255.0.0 inside
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns 192.168.6.50
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username testuser password *********
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
username cisco password ############### encrypted privilege 15
terminal width 80

From: Doug McIntyre on 22 Jan 2010 13:32

T0nyD <tony.dixson(a)gmail.com> writes:
>Hi I'm having an issue setting up a router on a stick configuration
>with a 4006 running CatOS and a 2621 router. I have set up vlans on
>the 4006, and set up sub interfaces on the 2621 that correspond to the
>different vlans, however when I connect a workstation to the vlan I
>can only ping out to the ip address of the subinterface on the router,
>not the other VLANs or to the internal interface on the PIX or
>internet. I've had this config working on a 2621 previously when
>working with an IOS switch so I'm wondering if the issue is just my
>lack of knowledge of CatOS. I have posted the configs of the
>different devices below as well as the topology, any help with this
>would be appreciated.

>#module 3 : 48-port 10/100BaseTx Ethernet
>set vlan 104 3/25-36
>set vlan 106 3/13-24
>set port speed 3/1-48 100
>set port duplex 3/1-48 full

Why are you hard coding the speed/duplex? Unless you specifically set the
duplex on your workstations (which can be difficult to find), you'll
have a duplex conflict on every one. I'd recommend auto speed, auto
duplex on everything.

>set trunk 3/48 desirable dot1q 1-1005,1025-4094

Most likely this is the problematic line. I'd recommend getting 'desirable'
out, as that signals the switch to try to negotiate dynamic trunking
protocol with the switch on the other side. You don't have a switch on
the other side, and a router isn't going to talk dynamic trunking protocol.

Is this port in trunking mode now? What does the port status show?
show trunk 3/48

From: T0nyD on 22 Jan 2010 19:38

On Jan 22, 12:32 pm, Doug McIntyre <mer...(a)geeks.org> wrote:
> T0nyD <tony.dix...(a)gmail.com> writes:
> >Hi I'm having an issue setting up a router on a stick configuration
> >with a 4006 running CatOS and a 2621 router. I have set up vlans on
> >the 4006, and set up sub interfaces on the 2621 that correspond to the
> >different vlans, however when I connect a workstation to the vlan I
> >can only ping out to the ip address of the subinterface on the router,
> >not the other VLANs or to the internal interface on the PIX or
> >internet. I've had this config working on a 2621 previously when
> >working with an IOS switch so I'm wondering if the issue is just my
> >lack of knowledge of CatOS. I have posted the configs of the
> >different devices below as well as the topology, any help with this
> >would be appreciated.
> >#module 3 : 48-port 10/100BaseTx Ethernet
> >set vlan 104 3/25-36
> >set vlan 106 3/13-24
> >set port speed 3/1-48 100
> >set port duplex 3/1-48 full
>
> Why are you hard coding the speed/duplex? Unless you specifically set the
> duplex on your workstations (which can be difficult to find), you'll
> have a duplex conflict on every one. I'd recommend auto speed, auto
> duplex on everything.
>
> >set trunk 3/48 desirable dot1q 1-1005,1025-4094
>
> Most likely this is the problematic line. I'd recommend getting 'desirable'
> out, as that signals the switch to try to negotiate dynamic trunking
> protocol with the switch on the other side. You don't have a switch on
> the other side, and a router isn't going to talk dynamic trunking protocol.
>
> Is this port in trunking mode now? What does the port status show?
> show trunk 3/48

I can take out the hard coded speed, I had read that it was best to hard code the speed and duplex on both ends of the trunk at least.

The status does show trunking.

What should I use for this line?
set trunk 3/48 desirable dot1q 1-1005,1025-4094
I also tried below with the same results.
set trunk 3/48 on dot1q 1-1005,1025-4094

From: Doug McIntyre on 25 Jan 2010 14:21

T0nyD <tony.dixson(a)gmail.com> writes:
>I can take out the hard coded speed, I had read that it was best to
>hard code the speed and duplex on both ends of the trunk at least.

A long long time ago. Auto is definitely desirable, especially since
GigE requires it.

>The status does show trunking.

Hmm, should be working then.

>What should I use for this line?
>set trunk 3/48 desirable dot1q 1-1005,1025-4094
> I also tried below with the same results.
>set trunk 3/48 on dot1q 1-1005,1025-4094

That is the proper form. Make sure the VLANs exist the same on both
sides (show vlan). Use VTP transparent mode (I'd avoid VTP altogether,
transparent mode makes it invisible).

Here are config snippets out of a working config exactly as you are
trying to do, albeit slightly different gear.

set vtp mode transparent vlan
set vlan 103 2/20-29
set vlan 104 2/30-39
set trunk 2/48 on dot1q 1-1005,1025-4094
set trunk 2/49 on dot1q 1-1005,1025-4094

interface FastEthernet2/0.103
 description Open
 encapsulation dot1Q 103
 ip address ...
interface FastEthernet2/0.104
 description Open
 encapsulation dot1Q 104
 ip address ...
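
The two checks suggested in the replies above (a trunk port toward a router should not be left to DTP negotiation, and the VLANs must exist the same on both sides), as an added example that is not part of the original thread: a Python script that cross-checks CatOS `set vlan` / `set trunk` lines against IOS `encapsulation dot1Q` subinterfaces. The sample input is constructed from the configs posted in the thread, and the function names (`expand`, `parse_catos`, `parse_ios`, `audit`) are hypothetical.

```python
import re
# Constructed sample input, abridged from the configs posted in this thread.
CATOS = """set vlan 104,106
set vlan 104 3/25-36
set trunk 3/48 desirable dot1q 1-1005,1025-4094"""
IOS = """interface FastEthernet0/1.1
 encapsulation dot1Q 1 native
interface FastEthernet0/1.4
 encapsulation dot1Q 104
interface FastEthernet0/1.6
 encapsulation dot1Q 106"""

def expand(spec):
    """Expand a VLAN list such as '1-1005,1025-4094' into a set of ints."""
    ranges = (part.partition("-") for part in spec.split(","))
    return {v for lo, _, hi in ranges for v in range(int(lo), int(hi or lo) + 1)}

def parse_catos(text):
    """Return (defined VLANs, {port: (mode, allowed VLANs)}) from 'set' lines."""
    vlans, trunks = {1}, {}  # VLAN 1 is the default VLAN and always exists
    for line in text.splitlines():
        if m := re.match(r"set vlan ([\d,-]+)(?:\s|$)", line):
            vlans |= expand(m.group(1))
        elif m := re.match(r"set trunk (\S+) (\w+) dot1q ([\d,-]+)", line):
            trunks[m.group(1)] = (m.group(2), expand(m.group(3)))
    return vlans, trunks

def parse_ios(text):
    """Return {VLAN id: subinterface name} from 'encapsulation dot1Q' lines."""
    subs, current = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
        elif m := re.match(r"\s*encapsulation dot1Q (\d+)", line):
            subs[int(m.group(1))] = current
    return subs

def audit(catos, ios, port):
    """List mismatches between a switch trunk port and the router subinterfaces."""
    vlans, trunks = parse_catos(catos)
    mode, allowed = trunks[port]
    dtp = mode in ("desirable", "auto")  # modes that rely on DTP negotiation
    findings = [f"{port}: trunk mode '{mode}' depends on DTP"] if dtp else []
    for vlan, sub in sorted(parse_ios(ios).items()):
        if vlan not in vlans:
            findings.append(f"{sub}: VLAN {vlan} is not defined on the switch")
        elif vlan not in allowed:
            findings.append(f"{sub}: VLAN {vlan} is not allowed on trunk {port}")
    return findings

print("\n".join(audit(CATOS, IOS, "3/48")) or "no mismatches")
```
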