CISCO troubleshooting | Hardware configuration



Rep: (1)
CISCO troubleshooting

Attached Image


This topic was created to help with troubleshooting the configuration of CISCO equipment. Post your configs and describe the problems. We'll sort them out.


Post has been edited by AndrewP_1 - 16.06.19, 15:26
Reason for editing: reshaping the header



Rep: (1051)
Greetings to all!!!
I have a question on networking with Cisco. Maybe someone configures. The question is as follows. I have configured the 2900 Series Cisco Router, everything is working fine. But there are 5 more Cisco Catalyst 2960 switches connected to each other on the network, and so I got confused about building Vlan. Everything is clear so. But upsets the lack of a layer 3 switch cisco Catalyst 3560 series to configure Vlan. Maybe the switch of level 2 2960 can be turned into level 3 by assigning a level 3 port on it and a link to the router to it or configure the router on the Vlan of the corresponding networks.
Advance ATP.



Rep: (2704)
configure the router for the VLANs of the corresponding networks.
That's how it's usually done: a trunk from the switch to the router and
dot1Q encapsulation on the router's subinterfaces
Router(config)#int f0/1.1
Router(config-subif)#description NATIVE
Router(config-subif)#encapsulation dot1Q 40 native
Router(config-subif)#ip add 183.69.11.41 255.255.255.248
Router(config-subif)#int f0/1.2
Router(config-subif)#description GUEST
Router(config-subif)#encapsulation dot1Q 48
Router(config-subif)#ip add 183.69.11.49 255.255.255.240
Router(config-subif)#int f0/1.3
Router(config-subif)#description ENG
Router(config-subif)#encapsulation dot1Q 64
Router(config-subif)#ip add 183.69.11.65 255.255.255.224
Router(config-subif)#int f0/1.4
Router(config-subif)#description PROGRAMMERS
Router(config-subif)#encapsulation dot1Q 96
Router(config-subif)#ip add 183.69.11.97 255.255.255.224

and so on
Then add the VLANs to the routing table, like regular networks:

Router(config)#router ospf 1
Router(config-router)#network 183.69.11.40 0.0.0.7 area 0
Router(config-router)#network 183.69.11.48 0.0.0.15 area 0
Router(config-router)#network 183.69.11.64 0.0.0.31 area 0
Router(config-router)#network 183.69.11.96 0.0.0.31 area 0

A good resource for general development: http://linkmeup.ru/blog/14.html

Post has been edited by Shoore - 03.12.13, 10:47
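As an added illustration of the router-on-a-stick layout described in the post above (this is example code, not anything from the thread), the Python script below derives the subinterface lines and the OSPF `network` statements from one VLAN table and shows how OSPF's wildcard matching behaves. The VLAN ids, descriptions and subnets are the ones Shoore posted; the parent interface name, the `ospf_covers` helper and the `check_disjoint` sanity check are my additions.

```python
"""Derive router-on-a-stick subinterfaces and OSPF 'network' statements from one
VLAN table. Added example; the VLAN ids and subnets are the ones posted above."""
import ipaddress

# (VLAN id, description, gateway address/prefix, is native) -- values from the post
VLANS = [
    (40, "NATIVE",      "183.69.11.41/29", True),
    (48, "GUEST",       "183.69.11.49/28", False),
    (64, "ENG",         "183.69.11.65/27", False),
    (96, "PROGRAMMERS", "183.69.11.97/27", False),
]


def wildcard(cidr: str) -> str:
    """OSPF wildcard mask = bitwise inverse of the subnet mask (/29 -> 0.0.0.7)."""
    return str(ipaddress.ip_network(cidr, strict=False).hostmask)


def subinterface_config(parent: str, vlans=VLANS) -> list[str]:
    """One dot1Q subinterface per VLAN; the native VLAN gets the 'native' keyword.
    `parent` is an assumed interface name, e.g. 'FastEthernet0/1'."""
    lines = []
    for n, (vid, desc, addr, native) in enumerate(vlans, start=1):
        iface = ipaddress.ip_interface(addr)
        lines += [
            f"interface {parent}.{n}",
            f" description {desc}",
            f" encapsulation dot1Q {vid}" + (" native" if native else ""),
            f" ip address {iface.ip} {iface.netmask}",
        ]
    return lines


def ospf_config(process: int, area: int, vlans=VLANS) -> list[str]:
    """'network <subnet> <wildcard> area <n>' for every VLAN subnet."""
    lines = [f"router ospf {process}"]
    for _, _, addr, _ in vlans:
        net = ipaddress.ip_interface(addr).network
        lines.append(f" network {net.network_address} {wildcard(addr)} area {area}")
    return lines


def ospf_covers(network_stmts, address: str) -> bool:
    """Emulate OSPF's match: an interface joins the process if its address agrees
    with a 'network' statement on every bit where the wildcard has a 0 bit.
    Passing a subnet mask instead of a wildcard (a classic typo) therefore fails."""
    a = int(ipaddress.IPv4Address(address))
    for net, wc in network_stmts:
        n, w = int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wc))
        if a & ~w == n & ~w:
            return True
    return False


def check_disjoint(vlans=VLANS) -> bool:
    """Sanity check: no two VLAN subnets overlap."""
    nets = [ipaddress.ip_interface(a).network for _, _, a, _ in vlans]
    return not any(x.overlaps(y) for i, x in enumerate(nets) for y in nets[i + 1:])


if __name__ == "__main__":
    print("\n".join(subinterface_config("FastEthernet0/1") + ["!"] + ospf_config(1, 0)))
```

One caveat a practitioner would add to the generated OSPF block: every subinterface listed in a `network` statement becomes an active OSPF interface, so hellos are sent into the user VLANs. Marking the host-facing subinterfaces `passive-interface` (or `passive-interface default` with `no passive-interface` only on real neighbours) keeps workstations from seeing, or trying to form, routing adjacencies.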



Rep: (1051)
And again, Cisco ...
I laid out the scheme in Cisco Packet Tracer: the scheme consists of a Cisco 2901 router and 5 Cisco 2960 switches, there will be two different subnets 192.168.1.0 (Vlan2) and 192.168.2.0 (Vlan3), IPs will be handed out via DHCP to these subnets and, accordingly, everyone needs the Internet, but I made it so that users from different VLANs don't see each other. DNS is from the provider. Well, that's all. Maybe something needs fixing? Thanks in advance. In Packet Tracer everything seems to work, all clients get their IPs as they should, but there is no way to check the Internet.
ip dhcp excluded-address 192.168.1.2
ip dhcp excluded-address 192.168.2.2
!
ip dhcp pool Vlan2
network 192.168.1.0 255.255.255.0
default-router 192.168.1.2
dns-server 192.168.1.2
ip dhcp pool Vlan3
network 192.168.2.0 255.255.255.0
default-router 192.168.2.2
dns-server 192.168.2.2
!

license udi pid CISCO2901/K9 sn FTX1524AS0N
!

ip domain-name domain.local
ip name-server xx.xxx.xxx.xxx
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
ip address xx.xxx.xxxx.xxx 255.255.255.252
ip nat outside
duplex auto
speed auto
ipv6 ospf cost 1
!
interface GigabitEthernet0/1
no ip address
ip nat inside
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 2
ip address 192.168.1.2 255.255.255.0
ip access-group 10 out
!
interface GigabitEthernet0/1.2
encapsulation dot1Q 3
ip address 192.168.2.2 255.255.255.0
!
interface Vlan1
no ip address
shutdown
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xxx.xxxx.xxx
!
ip access-list extended NAT
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
access-list 10 deny 192.168.2.0 0.0.0.255
access-list 10 permit any

!
line con 0
!
line aux 0
!
line vty 0 4
login

end


Post has been edited by iQrio - 16.12.13, 12:21



Rep: (2704)
network 192.168.1.0 255.255.255.0
default-router 192.168.1.2
dns-server 192.168.1.2
ip dhcp pool Vlan3
network 192.168.2.0 255.255.255.0
default-router 192.168.2.2
dns-server 192.168.2.2
dns-server xxx.xxxx.xxxx.xxx (from the provider)!

It probably makes sense to add a few public ones:
ip name-server xx.xxx.xxx.xxx
ip name-server 4.2.2.2
ip name-server 208.67.222.222
ip name-server 208.67.220.220

But, on the other hand, if the provider's are humming along fine, you may not need to.
:D

interface GigabitEthernet0/1
no ip address
ip nat inside
Most likely this won't work (not a fact, but in theory): since there is no IP on the interface there is nothing to bind the translation to; assign ip nat inside on both subinterfaces.

ip access-list extended NAT
There's no point in an extended list here, a standard one is more logical:
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255

ipv6 ospf cost 1
Is this line from the provider?

Post has been edited by Shoore - 17.12.13, 00:49



Rep: (1051)
Shoore @ 12.16.2013, 22:44
dns-server xxx.xxxx.xxxx.xxx (from the provider)!

It probably makes sense to add a few public ones:
ip name-server xx.xxx.xxx.xxx
ip name-server 4.2.2.2
ip name-server 208.67.222.222
ip name-server 208.67.220.220

But, on the other hand, if the provider's are humming along fine, you may not need to.

Yes, of course. It's just that Cisco Packet Tracer doesn't let you add DNS servers there yet; on the router you can.
Shoore @ 12.16.2013, 22:44
Most likely this won't work (not a fact, but in theory): since there is no IP on the interface there is nothing to bind the translation to; assign ip nat inside on both subinterfaces.

Done. All the same, I think I'll also assign an IP on the main interface for SSH access to the router. Running to the server with a laptop is not comme il faut. :D But it will have to be taken from a third subnet, since it no longer accepts one from the first, because the 1.1 subinterface is hanging on it. And in DHCP, as I understand it, for the DNS address you need to specify the IP of their gateway.
Shoore @ 12.16.2013, 22:44
Is this line from the provider?

No, this is in Packet Tracer, so it isn't there on the real router.

Also, in Packet Tracer I can't assign a specific IP to clients by MAC address in order to cut off their access to the outside, e.g.
ip dhcp pool security
 host 192.168.2.63 255.255.255.0
 client-identifier 0100.5263.3695.69
 client-name PC
Thanks in advance!

Post has been edited by iQrio - 17.12.13, 09:46



Rep: (2704)
in DHCP, as I understand it, for the DNS address you need to specify the IP of their gateway
What for? And for that, in my opinion, you'd need to bring up the DNS service on the router.

I think I'll assign an IP on the main interface for SSH access
That makes no sense either, there is
interface Vlan1
no ip address
shutdown
And g0/0 should be allowed from the inside.
One more point: if for some reason you've reserved the first addresses in both VLANs, it wouldn't hurt to add them to the DHCP excluded-address list too; it will hand them out first upon request.

I can't assign a specific IP to clients by MAC address
It seems like it worked, I remember exactly doing this
No, it doesn't work, PT doesn't know how.

Post has been edited by Shoore - 17.12.13, 11:53



Rep: (1051)
Shoore @ 12.17.2013, 12:24
What for? And for that, in my opinion, you'd need to bring up the DNS service on the router.

The DNS for the DHCP pool is its gateway, since there are no separate DNS servers in my network, everything is provided by the provider. I registered the provider's DNS on the router.
Shoore @ 12.17.2013, 12:24
And g0/0 should be allowed from the inside.

That is, it is enough to assign an IP to vlan 1 on the router, or via a subinterface, to let SSH through to the router.
Shoore @ 12.17.2013, 12:24
It seems to work like this
Router(dhcp-config)#host H.H.H.X.H.H.H.X
Router(dhcp-config)#client-identifier 00FE.802D.0D3FF.FEAE.887D
No ip dhcp pool secur

but after all, you first need to get into the DHCP pool by creating a new one, because in the one already entered it will no longer hand out to hosts by MAC.

And one more thing: we have a security guard on duty, so his access to the outside needs to be cut off. I did it through an ACL: there is no access to the Internet at all, only to the local network. But I need to open access for programs such as Skype, ICQ and Outlook mail. I thought I could do something like that via ip nat inside source or through extended ACLs.



Rep: (2704)
through extended ACLs.
In theory, it should work. Deny www and domain to start.
the DNS for the DHCP pool is its gateway
Yes, just put the provider's server straight in there, why go round the extra "loops".



Rep: (1051)
Shoore @ 12.17.2013, 13:15
Yes, just put the provider's server straight in there, why go round the extra "loops".

Thank you. If there are two of them, the preferred and the alternate one, it will turn out like dns-server xx.xxx.xxx.xx xx.xxx.xxx.xx
Shoore @ 12.17.2013, 13:15
In theory, it should work. Deny www and domain to start.

ip access-list extended security
 deny tcp host 192.168.1.63 any eq www
 permit ip 192.168.1.0 0.0.0.255 any

By the way, this is how it turned out, though in Skype I changed the port to 12897 and it worked



Rep: (2704)
Instead of 192.168.1.0 0.0.0.255, you can simply write any.



Rep: (1051)
ip access-list extended security
 deny tcp host 192.168.1.63 any eq www
 permit ip 192.168.1.0 0.0.0.255 any

After I applied this ACL on int g0/1, DHCP on the Cisco fell off; I rewrote this rule as ACL 100 and it worked.



Rep: (1051)
Greetings, guys! Happy belated holidays. The question is... There is an office network with a Cisco 2901 and 6 Catalyst 2960s. There are two subnets on this network, 192.168.1.x and 192.168.2.x. Everything's great, but I'd like access to all the 2960s via SSH :D since the server is on the first floor and I'm on the 4th, it's not comme il faut to walk over. SSH is already configured but I can't log in, because I have Vlan 2 and Vlan 3, etc., and the access ports are strictly configured for the corresponding VLAN. What can you come up with? Maybe I can assign an IP somehow, although everything is configured via DHCP for me.



Rep: (2704)
iQrio @ 01/08/2014, 17:56
What can you come up with?
Well, everything has already been invented before us ©
Post the sh run of one of the Catalysts.
spanning-tree mode rapid-pvst
spanning-tree vlan 224 priority 24576
!
interface FastEthernet0/1
description V240
switchport access vlan 240
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address 00E0.F94E.1C48
spanning-tree portfast
!
interface FastEthernet0/2
description V240
switchport access vlan 240
switchport mode access
spanning-tree portfast
shutdown
!
interface FastEthernet0/3
description V240
switchport access vlan 240
switchport mode access
spanning-tree portfast
shutdown
!
interface FastEthernet0/4
description V240
switchport access vlan 240
switchport mode access
spanning-tree portfast
shutdown
!
interface FastEthernet0/5
description V240
switchport access vlan 240
switchport mode access
spanning-tree portfast
shutdown
!
interface FastEthernet0/6
description V240
switchport access vlan 240
switchport mode access
spanning-tree portfast
shutdown
!
interface FastEthernet0/7
description V240
switchport access vlan 240
switchport mode access
spanning-tree portfast
shutdown
!
interface FastEthernet0/8
description V240
switchport access vlan 240
switchport mode access
spanning-tree portfast
shutdown
!
interface FastEthernet0/9
description V240
switchport access vlan 240
switchport mode access
spanning-tree portfast
shutdown
!
interface FastEthernet0/10
description V224
switchport access vlan 224
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address 0001.4329.450E
spanning-tree portfast
!
interface FastEthernet0/11
description V224
switchport access vlan 224
switchport mode access
spanning-tree portfast
shutdown
!
interface FastEthernet0/12
description V224
switchport access vlan 224
switchport mode access
spanning-tree portfast
shutdown
!
interface FastEthernet0/13
description V224
switchport access vlan 224
switchport mode access
spanning-tree portfast
shutdown
!
interface FastEthernet0/14
description V224
switchport access vlan 224
switchport mode access
spanning-tree portfast
shutdown
!
interface FastEthernet0/15
description V184
switchport access vlan 184
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address 000A.F397.DB71
spanning-tree portfast
!
interface FastEthernet0/16
description V184
switchport access vlan 184
switchport mode access
spanning-tree portfast
shutdown
!
interface FastEthernet0/17
description V184
switchport access vlan 184
switchport mode access
spanning-tree portfast
shutdown
!
interface FastEthernet0/18
description V184
switchport access vlan 184
switchport mode access
spanning-tree portfast
shutdown
!
interface FastEthernet0/19
description V184
switchport access vlan 184
switchport mode access
spanning-tree portfast
shutdown
!
interface FastEthernet0/20
description V184
switchport access vlan 184
switchport mode access
spanning-tree portfast
shutdown
!
interface FastEthernet0/21
description V184
switchport access vlan 184
switchport mode access
spanning-tree portfast
shutdown
!

interface FastEthernet0/22
description TRUNK
switchport trunk native vlan 168
switchport mode trunk
!
interface FastEthernet0/23
description TRUNK
switchport trunk native vlan 168
switchport mode trunk
!
interface FastEthernet0/24
description TRUNK
switchport trunk native vlan 168
switchport mode trunk
!
interface GigabitEthernet1/1
shutdown
!
interface GigabitEthernet1/2
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan168
ip address 182.72.5.174 255.255.255.248

!
ip default-gateway 182.72.5.169
Did you configure the untagged VLAN on the trunks?
And on the router too
interface FastEthernet0/0.1
description NATIVE
encapsulation dot1Q 168 native
ip address 182.72.5.169 255.255.255.248


Post has been edited by Shoore - 08.01.14, 18:16



Rep: (1051)
Shoore,
Thank you, I forgot about Native.
Shoore @ 01/08/2014, 18:49
Post the sh run of one of the Catalysts.

Sketched in PT
Catalyst with Vlan 3
spanning-tree mode pvst
!
interface FastEthernet0/1
switchport trunk native vlan 2
switchport trunk allowed vlan 3
switchport mode trunk
!
interface FastEthernet0/2
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/3
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/4
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/5
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet1/2
!
interface Vlan1
no ip address
!
interface vlan2
ip address 192.168.1.245 255.255.255.0

Catalyst with Vlan 2
spanning-tree mode pvst
!
interface FastEthernet0/1
switchport trunk native vlan 2
switchport mode trunk
!
interface FastEthernet0/2
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/3
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/4
switchport access vlan 2
switchport mode access
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface Vlan1
no ip address
!
interface vlan2
ip address 192.168.1.247 255.255.255.0
!

Catalyst transport
spanning-tree mode pvst
!
interface FastEthernet0/1
switchport trunk native vlan 2
switchport mode trunk
!
interface FastEthernet0/2
switchport trunk native vlan 2
switchport mode trunk
!
interface FastEthernet0/3
switchport trunk native vlan 2
switchport mode trunk
!
interface FastEthernet0/4
switchport trunk native vlan 2
switchport trunk allowed vlan 1,3
switchport mode trunk
!
interface GigabitEthernet1/1
switchport trunk native vlan 2
switchport trunk allowed vlan 1-3
switchport mode trunk
!
!
interface Vlan1
no ip address
!
interface vlan2
ip address 192.168.1.244 255.255.255.0

Computers in Vlan 2 see their switches, but they also need to see the switch configured for Vlan 3, while at the same time the networks must not overlap.





Rep: (2704)
iQrio, you've made up something strange: use the native VLAN for management, you don't need to assign it to physical interfaces. Just pick a third subnet and spread it across all devices. I don't see a default gateway either.
while at the same time the networks must not overlap
This is all done on the router with access lists.

switchport trunk native vlan 2
switchport trunk allowed vlan 3
switchport mode trunk
You've actually allowed traffic on this trunk only for VLAN 3.
I wouldn't write allowed lists on trunks at all, let all VLANs run by default.
Purely as an example
Six VLANs and a seventh for management. Five switches, one central.
Attached Image
Attached Image

Attached Image
router
interface FastEthernet0/0
no ip address
no shutdown
duplex auto
speed auto
!
interface FastEthernet0/0.1
description NATIVE
encapsulation dot1Q 168 native
ip address 182.72.5.169 255.255.255.248
!
interface FastEthernet0/0.2
description VLAN176
encapsulation dot1Q 176
ip address 182.72.5.177 255.255.255.248
!
interface FastEthernet0/0.3
description VLAN184
encapsulation dot1Q 184
ip address 182.72.5.185 255.255.255.248
!
interface FastEthernet0/0.4
description VLAN192
encapsulation dot1Q 192
ip address 182.72.5.193 255.255.255.240
!
interface FastEthernet0/0.5
description VLAN208
encapsulation dot1Q 208
ip address 182.72.5.209 255.255.255.240
!
interface FastEthernet0/0.6
description VLAN224
encapsulation dot1Q 224
ip address 182.72.5.225 255.255.255.240
!
interface FastEthernet0/0.7
description VLAN240
encapsulation dot1Q 240
ip address 182.72.5.241 255.255.255.240
!

The output of one of the switches is above. On the central one: vtp server and spanning-tree root primary



Post has been edited by Shoore - 09.01.14, 18:59
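Shoore's question a few posts up (whether the untagged VLAN was configured on the trunks and on the router) and his layout here, with VLAN 168 as the management native on every trunk and on the router's first subinterface, both come down to one rule: the native VLAN crosses an 802.1Q trunk untagged, so the two ends must agree on which VLAN an untagged frame belongs to. The Python model below is an added example, not code from the thread; it encodes that rule and runs iQrio's sketch and Shoore's layout through it. The class and function names are mine, the VLAN numbers come from the two configurations above, and the `ROUTER_168_ONLY` mismatch case is hypothetical.

```python
"""Model of an 802.1Q trunk between a Catalyst trunk port and a router-on-a-stick
interface. Added example, not from the thread: the native VLAN travels untagged,
so both ends must agree on which VLAN an untagged frame belongs to."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Frame:
    vid: Optional[int]   # 802.1Q VLAN ID carried on the wire; None = untagged
    payload: str


class TrunkEnd:
    """One end of the trunk. Switch side: 'switchport trunk native vlan N' plus the
    VLANs the trunk carries. Router side: one 'encapsulation dot1Q N' subinterface
    per VLAN, the one marked 'native' being N. native=None models a router with no
    native subinterface, so untagged frames have no subinterface to land on."""

    def __init__(self, name: str, native: Optional[int], vlans):
        self.name = name
        self.native = native
        self.vlans = set(vlans) | ({native} if native is not None else set())

    def egress(self, vlan: int, payload: str) -> Frame:
        """Put a frame from `vlan` on the wire: untagged if native, tagged otherwise."""
        if vlan not in self.vlans:
            raise ValueError(f"{self.name}: VLAN {vlan} is not carried on this trunk")
        return Frame(None if vlan == self.native else vlan, payload)

    def ingress(self, frame: Frame) -> Optional[int]:
        """VLAN the received frame is placed into; None = dropped.
        Untagged -> native VLAN; tagged -> the VLAN in the tag, if carried here."""
        if frame.vid is None:
            return self.native
        return frame.vid if frame.vid in self.vlans else None


def deliver(sender: TrunkEnd, vlan: int, receiver: TrunkEnd) -> Optional[int]:
    """Send one frame from `vlan` across the trunk and report where it lands."""
    return receiver.ingress(sender.egress(vlan, "constructed payload"))


def native_mismatch(a: TrunkEnd, b: TrunkEnd) -> bool:
    """The first thing to check when 'SSH to the switches' does not work."""
    return a.native != b.native


# Shoore's layout: VLAN 168 is the management native on both sides (values from the post).
SWITCH_168 = TrunkEnd("2960 Fa0/22 trunk", 168, [176, 184, 192, 208, 224, 240])
ROUTER_168 = TrunkEnd("router Fa0/0.1-.7", 168, [176, 184, 192, 208, 224, 240])

# iQrio's sketch: switch 'native vlan 2'; router has dot1Q 2 and 3 but no native subinterface.
SWITCH_2 = TrunkEnd("2960 Fa0/1 trunk (native 2)", 2, [1, 2, 3])
ROUTER_NO_NATIVE = TrunkEnd("router G0/1.1 + G0/1.2", None, [2, 3])

# Hypothetical mismatch: the switch keeps native 2 while the router calls 168 native.
ROUTER_168_ONLY = TrunkEnd("router with native 168 (hypothetical)", 168, [2, 3])

if __name__ == "__main__":
    cases = [(SWITCH_168, 168, ROUTER_168), (SWITCH_2, 2, ROUTER_NO_NATIVE),
             (SWITCH_2, 2, ROUTER_168_ONLY), (ROUTER_168_ONLY, 168, SWITCH_2)]
    for sender, vlan, receiver in cases:
        print(f"{sender.name}: VLAN {vlan} -> {receiver.name}: lands in "
              f"{deliver(sender, vlan, receiver)}")
```

The two mismatch results are the security point: with the switch on native 2 and the router on native 168, a user's VLAN 2 frame arrives at the router as management VLAN 168 traffic, and the router's management traffic arrives at the switch in the user VLAN. A native VLAN mismatch is not just a connectivity bug, it is a VLAN-hopping primitive, which is why the management VLAN should be the same native everywhere or, better, carried tagged.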



Rep: (1051)
Shoore @ 01/09/2014, 19:36
you've made up something strange: the native VLAN is used for management, you don't need to assign it to physical interfaces. Just pick a third subnet and spread it across all devices. I don't see a default gateway either.

Thank you for setting me on the true path.
Shoore @ 01/09/2014, 19:36
Just pick a third subnet and spread it across all devices. I don't see a default gateway either.

My switch doesn't have a layer 3 gateway, though it shouldn't have one anyway.
Shoore @ 01/09/2014, 19:36
This is all done on the router with access lists.

It's already done, like this:
access-list 10
deny 192.168.2.0 0.0.0.255
permit any
and hung "out" on the interface of the 192.168.1.0 subnet
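Two ACLs in this thread are worth running through a matcher: the "security" list that made DHCP fall off when it was applied inbound on g0/1 (an inbound ACL sees a DHCP DISCOVER as UDP from 0.0.0.0:68 to 255.255.255.255:67, which matches neither of its lines and hits the implicit deny), and ACL 10 hung "out" on the 192.168.1.0 subinterface just above. The Python below is an added example, not code from the thread: a small evaluator for Cisco standard and extended IPv4 ACL syntax, fed the two lists exactly as posted plus a DHCP-permitting variant that is my suggestion, not iQrio's fix. The sample packets are constructed, with RFC 5737 documentation addresses for the outside.

```python
"""Toy evaluator for Cisco standard/extended IPv4 ACLs (added example, not from the
thread). Reproduces why the posted 'security' ACL broke DHCP and what ACL 10 blocks."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}
ANY = ("0.0.0.0", "255.255.255.255")          # 'any' = network 0.0.0.0, wildcard all ones


@dataclass(frozen=True)
class Packet:
    proto: str            # "ip" | "tcp" | "udp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def in_wildcard(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard match: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return a & ~w == n & ~w


def _addr(tokens):
    """Consume 'any', 'host X' or 'X wildcard' from the token list."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))


def _port(tokens):
    """Consume an optional 'eq <port>'; only 'eq' is modelled, which is all the thread uses."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return None


def parse_ace(line: str):
    """Return (action, proto, src, sport, dst, dport). A standard ACE has no protocol
    keyword and matches on source address only."""
    tokens = line.split()
    action = tokens.pop(0)
    if tokens[0] in ("ip", "tcp", "udp"):
        proto = tokens.pop(0)
        src, sport = _addr(tokens), _port(tokens)
        dst, dport = _addr(tokens), _port(tokens)
    else:
        proto, src, sport, dst, dport = "ip", _addr(tokens), None, ANY, None
    return action, proto, src, sport, dst, dport


def ace_matches(ace, pkt: Packet) -> bool:
    action, proto, (sn, sw), sport, (dn, dw), dport = ace
    return (proto in ("ip", pkt.proto)
            and in_wildcard(pkt.src, sn, sw) and in_wildcard(pkt.dst, dn, dw)
            and (sport is None or sport == pkt.sport)
            and (dport is None or dport == pkt.dport))


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins; every Cisco ACL ends in an implicit 'deny'."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace[0]
    return "deny"


# The 'security' ACL exactly as posted, applied inbound toward the router.
SECURITY_ACL = ["deny tcp host 192.168.1.63 any eq www",
                "permit ip 192.168.1.0 0.0.0.255 any"]
# Same list with a DHCP permit in front: my suggested fix, not from the thread.
SECURITY_ACL_FIXED = ["permit udp any eq bootpc any eq bootps"] + SECURITY_ACL
# ACL 10 as posted, applied 'out' on the VLAN 2 subinterface.
ACL_10 = ["deny 192.168.2.0 0.0.0.255", "permit any"]

# Constructed sample packets.
DHCP_DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67)
GUARD_WEB = Packet("tcp", "192.168.1.63", "203.0.113.5", 51000, 80)
GUARD_SKYPE = Packet("tcp", "192.168.1.63", "203.0.113.5", 51001, 12897)
VLAN3_TO_VLAN2 = Packet("ip", "192.168.2.10", "192.168.1.20")
OUTSIDE_TO_VLAN2 = Packet("ip", "203.0.113.5", "192.168.1.20")

if __name__ == "__main__":
    for label, acl, pkt in [("security / DHCP", SECURITY_ACL, DHCP_DISCOVER),
                            ("security+dhcp / DHCP", SECURITY_ACL_FIXED, DHCP_DISCOVER),
                            ("security / guard www", SECURITY_ACL, GUARD_WEB),
                            ("security / guard 12897", SECURITY_ACL, GUARD_SKYPE),
                            ("ACL 10 / vlan3->vlan2", ACL_10, VLAN3_TO_VLAN2)]:
        print(f"{label}: {evaluate(acl, pkt)}")
```

Two observations fall out of the runs. First, the `permit ip 192.168.1.0 0.0.0.255 any` line never matches a client that has no address yet, so any inbound list on a DHCP-serving interface needs an explicit bootpc to bootps permit ahead of the source-based rules. Second, the guard's "web block" only covers destination port 80; the Skype change to port 12897 sails through the same list, which is the usual lesson that a port-based deny is a convenience, not a control.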



Rep: (2704)
there shouldn't be a gateway
Native needs a gateway, since you don't want to run around the floors. Something like 10.10.10.1-5/29 for the switches, and hang the DG (the sixth address) on the router; you'll have a management VLAN, and you can even come up with an extended ACL for it so that it only lets you in from your MAC.


Post has been edited by Shoore - 09.01.14, 20:40
Reason for editing: mixed up



Rep: (1051)
Native needs a gateway, since you don't want to run around the floors. Something like 10.10.10.1-5/29 for the switches, and hang the DG (the sixth address) on the router; you'll have a management VLAN, and you can even come up with an extended ACL for it so that it only lets you in from your MAC.

Then I'll do 192.168.3.0 for the switches, 192.168.1.0 will be one LAN, 192.168.2.0 another. That's how I figured it in the picture, but judging by your native scheme the question of trunk ports comes up: they are on all switches, and why in your example does the last switch have 3 trunk ports in the config while there are only two in the picture? And how is the trunk port connecting the switch and the router configured?



Rep: (2704)
in the config 3 trunk ports and in the picture only two
They were simply written in ranges for convenience; the port is empty, but they could still be connected to another one for greater reliability. For example, the first Catalyst to the fourth.
how the trunk port connecting the switch and the router is configured
Just like all the others on this switch
MainSwitch(config)#int range f0/1-5
MainSwitch(config-if-range)#switchport mode trunk
MainSwitch(config-if-range)#switchport trunk native vlan 168
MainSwitch(config-if-range)#ex
MainSwitch(config)#do wr



192.168.3.0
Sure, go ahead, just don't do it "full-size", a /29 prefix is more than enough. Although the owner is the boss.

Post has been edited by Shoore - 09.01.14, 20:38



Rep: (1051)
Just like all the others on this switch

Now everything is clear. Although it's a trunk with a native VLAN, it will pass the others too, only in your case VLAN 168 is untagged.
Sure, go ahead, just don't do it "full-size", a /29 prefix is more than enough. Although the owner is the boss.

:D http://ip-calculator.ru/ handy thing

