Cisco IOS – An interface whose trunk encapsulation is “Auto” can not be configured to “trunk” mode.

KB ID0001167

Problem

If you try to change a port's status to make it a trunk port, you may see this error:

[box]

Petes-Switch(config-if)#switchport mode trunk
Command rejected: An interface whose trunk encapsulation is "Auto" can not be configured to "trunk" mode.

[/box]

Trunk Settings

I don’t know if this is a throwback to when we had ISL trunking and 802.1Q, but you need to specify the encapsulation before you can set the port to trunk mode. On switches that support both ISL and 802.1Q the trunk encapsulation defaults to ‘negotiate’ (the “Auto” in the error message), and IOS will not let you force the port into trunk mode until it is pinned to one encapsulation.

[box]

Petes-Switch(config-if)#switchport mode trunk
Command rejected: An interface whose trunk encapsulation is "Auto" can not be configured to "trunk" mode.
Petes-Switch(config-if)#switchport trunk encapsulation dot1q
Petes-Switch(config-if)#switchport mode trunk
Petes-Switch(config-if)#

[/box]

Related Articles, References, Credits, or External Links

NA

Cisco Simple GRE Tunnels (With IPSEC)

KB ID 0000951

Problem

I’ve spent years setting up VPN tunnels between firewalls. The only time I’ve ever dealt with GRE is for letting VPN client software through firewalls. GRE’s job is to ‘encapsulate’ other protocols and transport them inside a virtual point-to-point link. Below is the topology I’m going to use.

The tunnel will run from Router R1 to Router R3; once complete, I should be able to ping Host2 from Host1.

Solution

Configure Router R1 for GRE

1. Create and configure a tunnel interface on Router R1. It will need an IP address (here I’m using 10.0.0.1/30). Then you need to specify the source and destination of the GRE tunnel. Finally, I’ve changed some MTU settings: MTUs are typically set to 1500 and GRE adds an overhead, so I’m dropping the MTU to 1400 and setting the maximum segment size to 1360.

[box]

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface Tunnel0
*Mar 1 00:01:27.747: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R1(config-if)#ip address 10.0.0.1 255.255.255.252
R1(config-if)#ip mtu 1400
R1(config-if)#ip tcp adjust-mss 1360
R1(config-if)#tunnel source 1.1.1.1
R1(config-if)#tunnel destination 2.2.2.1
R1(config-if)#exit

[/box]
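Why 1400 and 1360 are sensible figures, as an added example that is not part of the original article: the Python below computes the on-the-wire size of a packet after GRE and ESP encapsulation (AES-CBC with SHA-1 HMAC in tunnel mode, the transform set the article applies later) and the largest inner packet that still fits a 1500-byte link. The header sizes are protocol constants; the 1500-byte link MTU and the `gre` switch are assumptions. Note that `tunnel mode ipsec ipv4`, applied in step 8, turns the interface into an IPsec VTI that carries the inner packet with no GRE header, so the `gre=False` figures apply to the finished configuration; `gre=True` is plain GRE protected by IPsec.

```python
# Added example (not from the original article): works out why the article
# drops the tunnel MTU to 1400 and the TCP MSS to 1360, by computing the
# on-the-wire size of a packet after GRE and ESP (AES-CBC + SHA-1 HMAC,
# tunnel mode) encapsulation. Header sizes are protocol constants; the
# 1500-byte physical MTU is an assumption matching the article's topology.

import math

IPV4_HDR = 20        # outer IPv4 header (no options)
GRE_HDR = 4          # plain GRE header (no key, no sequence, no checksum)
ESP_HDR = 8          # SPI (4) + sequence number (4)
AES_BLOCK = 16       # AES-CBC IV size and padding boundary
ESP_TRAILER = 2      # pad-length (1) + next-header (1)
SHA1_ICV = 12        # HMAC-SHA1-96 integrity check value
TCP_IP_HDRS = 40     # IPv4 (20) + TCP (20) headers, no options


def gre_packet_size(inner_len: int) -> int:
    """Size of an inner IP packet once wrapped in GRE over IPv4."""
    return IPV4_HDR + GRE_HDR + inner_len


def esp_tunnel_packet_size(inner_len: int, gre: bool) -> int:
    """On-the-wire size after ESP tunnel-mode encapsulation.

    With gre=True the ESP payload is the GRE/IP packet (GRE over IPsec);
    with gre=False it is the inner IP packet itself, which is what
    'tunnel mode ipsec ipv4' (an IPsec VTI) produces.
    """
    payload = gre_packet_size(inner_len) if gre else inner_len
    # ESP pads payload + trailer up to a multiple of the cipher block size
    padded = math.ceil((payload + ESP_TRAILER) / AES_BLOCK) * AES_BLOCK
    return IPV4_HDR + ESP_HDR + AES_BLOCK + padded + SHA1_ICV


def max_inner_mtu(link_mtu: int, gre: bool) -> int:
    """Largest inner packet that still fits the link MTU without fragmenting."""
    size = link_mtu
    while esp_tunnel_packet_size(size, gre) > link_mtu:
        size -= 1
    return size


def tcp_mss_for_mtu(ip_mtu: int) -> int:
    """MSS the router should clamp to for a given IP MTU (ip tcp adjust-mss)."""
    return ip_mtu - TCP_IP_HDRS


if __name__ == "__main__":
    for gre in (True, False):
        mode = "GRE over IPsec" if gre else "IPsec VTI"
        print(f"{mode}: a 1400-byte inner packet becomes "
              f"{esp_tunnel_packet_size(1400, gre)} bytes on the wire; "
              f"max inner MTU for a 1500-byte link is {max_inner_mtu(1500, gre)}")
    print(f"MSS clamp for ip mtu 1400: {tcp_mss_for_mtu(1400)}")
```

Both cases fit inside 1500 bytes with an inner MTU of 1400, leaving a little headroom for a larger ICV, and the MSS clamp is simply the IP MTU less the 40 bytes of IP and TCP headers.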

2. Then we need to add a static route to the router’s routing table so it knows to use that tunnel for traffic destined for the 192.168.2.0/24 network.

[box]

R1(config)#ip route 192.168.2.0 255.255.255.0 Tunnel0

[/box]

Configure Router R3 for GRE

3. This is simply a mirror image of the configuration you carried out on Router R1.

[box]

R3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#interface Tunnel0
*Mar 1 00:01:30.747: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R3(config-if)#ip address 10.0.0.2 255.255.255.252
R3(config-if)#ip mtu 1400
R3(config-if)#ip tcp adjust-mss 1360
R3(config-if)#tunnel source 2.2.2.1
R3(config-if)#tunnel destination 1.1.1.1
R3(config-if)#exit
R3(config)#ip route 192.168.1.0 255.255.255.0 Tunnel0

[/box]

Verify GRE Tunnel

4. Use the following command to check the status of the GRE tunnel.

[box]

R1# show interface tunnel 0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 10.0.0.1/30
  MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 1.1.1.1, destination 2.2.2.1
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

[/box]

5. Then make sure that traffic passes over the tunnel.

[box]

R1#ping 192.168.2.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/64/88 ms
R1#

[/box]

Securing the Tunnel with IPsec

6. Our traffic is now going where we want it to, and it’s encapsulated, but it’s still being sent ‘in the clear’: if the traffic is intercepted ‘in flight’ it can be read. So we need to secure that traffic by encrypting it. The first job is to create an ISAKMP policy that will establish ‘phase 1’ of our secure tunnel. I’m using AES, with Diffie-Hellman group 2, and SHA hashing. I’ve specified that I will be using a pre-shared key, so that’s been created with the last command and is assigned to the IP of the ‘other end’ of the VPN tunnel.

[box]

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption aes
R1(config-isakmp)#group 2
R1(config-isakmp)#hash sha
R1(config-isakmp)#exit
R1(config)#crypto isakmp key 0 Sh@reds3cret address 2.2.2.1

[/box]

7. Phase 2 of our tunnel (IPsec) is encrypted and hashed with a ‘transform set’; again I’m using AES and SHA. Then I create a profile that uses my transform set.

[box]

R1(config)#crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
R1(cfg-crypto-trans)#exit
R1(config)#crypto ipsec profile PF-PNL
R1(ipsec-profile)#set transform-set TFS-PNL
R1(ipsec-profile)#exit

[/box]

8. The last job is to apply the profile I created above to our GRE tunnel interface.

[box]

R1(config)#interface tun0
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile PF-PNL
*Mar 1 00:20:32.271: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R1(config-if)#
*Mar 1 00:20:33.175: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#
*Mar 1 00:20:33.699: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R1(config-if)#exit
R1(config)#

[/box]

9. Again, configure Router R3 as a mirror image.

[box]

R3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#crypto isakmp policy 10
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#encryption aes
R3(config-isakmp)#group 2
R3(config-isakmp)#hash sha
R3(config-isakmp)#exit
R3(config)#crypto isakmp key 0 Sh@reds3cret address 1.1.1.1
R3(config)#crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
R3(cfg-crypto-trans)#exit
R3(config)#crypto ipsec profile PF-PNL
R3(ipsec-profile)#set transform-set TFS-PNL
R3(ipsec-profile)#exit
R3(config)#interface tun0
R3(config-if)#tunnel mode ipsec ipv4
R3(config-if)#tunnel protection ipsec profile PF-PNL
R3(config-if)#
*Mar 1 00:25:32.271: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R3(config-if)#
*Mar 1 00:25:33.175: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config-if)#
*Mar 1 00:25:33.699: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R3(config-if)#exit
R3(config)#

[/box]

Cisco IOS Verify IPsec VPN Tunnel Is Up

Note: To bring up the tunnel simply send some traffic over it by pinging something on the other side of the tunnel. If you get a reply then the tunnel is up! But to check its status, first make sure phase 1 has established.

[box]

R3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
1.1.1.1         2.2.2.1         QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

R3#

[/box]

QM_IDLE means that phase 1 has established (the SA is sitting idle in Quick Mode state). This is what you want to see; if you see any other state message you may need to start debugging things.

Once you know phase 1 is established you need to check phase 2.

[box]

R3#show crypto ipsec sa
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 2.2.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 1.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 2.2.2.1, remote crypto endpt.: 1.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x3AA3F6B0(983824048)

     inbound esp sas:
      spi: 0x5C5C5EF1(1549557489)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4559832/3506)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3AA3F6B0(983824048)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4559832/3506)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

[/box]
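A way to check these two outputs automatically, as an added example that is not from the original article: the Python below parses `show crypto isakmp sa` and `show crypto ipsec sa` text (the embedded samples are the article’s output above, trimmed to the lines the parser reads) and reports whether phase 1 is in QM_IDLE/ACTIVE, whether both ESP SAs are ACTIVE, and whether any packets have actually crossed the SAs, which is the ‘send some traffic first’ point made in the note.

```python
# Added example (not from the original article): health check for the two
# verification commands above. ISAKMP_SAMPLE and IPSEC_SAMPLE are the
# article's own output, trimmed to the lines the parser looks at; in
# practice you would feed it text captured from the router.

import re

ISAKMP_SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
1.1.1.1         2.2.2.1         QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA
"""

IPSEC_SAMPLE = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 2.2.2.1
   current_peer 1.1.1.1 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0

     inbound esp sas:
      spi: 0x5C5C5EF1(1549557489)
        transform: esp-aes esp-sha-hmac ,
        Status: ACTIVE

     inbound ah sas:

     outbound esp sas:
      spi: 0x3AA3F6B0(983824048)
        transform: esp-aes esp-sha-hmac ,
        Status: ACTIVE
"""

IKE_ROW = re.compile(
    r"^(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<state>\S+)\s+(?P<conn_id>\d+)\s+(?P<slot>\d+)\s+(?P<status>\S+)",
    re.M,
)


def parse_isakmp_sa(text):
    """One dict per IKE SA row in 'show crypto isakmp sa' output."""
    return [m.groupdict() for m in IKE_ROW.finditer(text)]


def parse_ipsec_sa(text):
    """Peer, packet/error counters and ESP SA status from 'show crypto ipsec sa'."""
    peer = re.search(r"current_peer (\S+)", text)
    counters = {k: int(v) for k, v in
                re.findall(r"#pkts (encaps|decaps|encrypt|decrypt): (\d+)", text)}
    errors = {k: int(v) for k, v in re.findall(r"#(send|recv) errors (\d+)", text)}
    esp_sas = []
    # each 'inbound/outbound esp sas:' block runs until the next blank line
    for direction, block in re.findall(
            r"(inbound|outbound) esp sas:\n(.*?)(?=\n[ \t]*\n|\Z)", text, re.S):
        spi = re.search(r"spi: (0x[0-9A-Fa-f]+)", block)
        status = re.search(r"Status: (\S+)", block)
        esp_sas.append({"direction": direction,
                        "spi": spi.group(1) if spi else None,
                        "status": status.group(1) if status else None})
    return {"peer": peer.group(1) if peer else None, "counters": counters,
            "errors": errors, "esp_sas": esp_sas}


def tunnel_health(isakmp_text, ipsec_text):
    """Summarise phase 1, phase 2 and whether any traffic has used the SAs."""
    findings = []
    ike = parse_isakmp_sa(isakmp_text)
    phase1_ok = bool(ike) and all(
        sa["state"] == "QM_IDLE" and sa["status"] == "ACTIVE" for sa in ike)
    if not phase1_ok:
        findings.append("phase 1: expected an ACTIVE IKE SA in QM_IDLE, got "
                        + (", ".join(f"{s['state']}/{s['status']}" for s in ike) or "no SA"))
    ipsec = parse_ipsec_sa(ipsec_text)
    active = {sa["direction"] for sa in ipsec["esp_sas"] if sa["status"] == "ACTIVE"}
    phase2_ok = active == {"inbound", "outbound"}
    if not phase2_ok:
        findings.append(f"phase 2: ACTIVE ESP SAs only for {sorted(active) or 'neither'} direction")
    traffic_seen = ipsec["counters"].get("encaps", 0) + ipsec["counters"].get("decaps", 0) > 0
    if not traffic_seen:
        findings.append("no packets have crossed the ESP SAs yet; send traffic and re-check")
    if any(ipsec["errors"].values()):
        findings.append(f"ESP send/recv errors: {ipsec['errors']}")
    return {"peer": ipsec["peer"], "phase1_ok": phase1_ok, "phase2_ok": phase2_ok,
            "traffic_seen": traffic_seen, "findings": findings}


if __name__ == "__main__":
    for key, value in tunnel_health(ISAKMP_SAMPLE, IPSEC_SAMPLE).items():
        print(f"{key}: {value}")
```

On the article’s output the check passes phase 1 and phase 2 but flags that the encaps/decaps counters are still zero, which is exactly the state you are in before the first ping. The check validates state only, not strength: the policy in the article uses SHA-1 and DH group 2, which current Cisco guidance treats as weak, so a production policy would pick stronger values.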

 

Related Articles, References, Credits, or External Links

NA

Cisco ASA 5500 – Sub Interfaces and VLANS

KB ID 0001085 

Problem

You can take the physical interface of a Cisco ASA firewall (or an EtherChannel) and split it into further sub-interfaces. This way multiple VLANs can use this interface as a gateway at the same time while their traffic is still kept separate.

In this scenario I’m going to have two VLANs, one for my wired clients, and one for a ‘Guest WiFi’ that I’m setting up. I want the guest WiFi to run in its own separate VLAN, so it can’t touch my corporate network. And I want to NAT both networks to my public IP.

The maximum number of sub-interfaces depends on the hardware model’s maximum number of VLANs:

Model       Max VLANs
5506-X      5 (30 with Security Plus)
5506-W-X    5 (30 with Security Plus)
5506-H-X    30
5508-X      50
5510        50 (100 with Security Plus)
5512-X      10 (100 with Security Plus)
5515-X      100
5516-X      100
5520        150
5525-X      200
5540        200
5545-X      300
5550        250
5555-X      500
5580        250
5585-X      1024

Note: Sub-interfaces are NOT supported on the ASA 5505 (but you can have up to 20 VLANs with a ‘Security Plus’ licence, or 3 (DMZ restricted) with a ‘Base’ licence).

Solution

To create sub-interfaces on a physical interface, that interface must have no settings on it (other than that it should not be shut down).

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# clear interface gigabitEthernet 1

[/box]

Then create a sub-interface for each of my VLANs.

[box]

Create sub-interface for VLAN 2

Petes-ASA(config)# interface gigabitEthernet 1.2
Petes-ASA(config-subif)# vlan 2
Petes-ASA(config-subif)# nameif Corp-LAN
INFO: Security level for "Corp-LAN" set to 0 by default.
Petes-ASA(config-subif)# security-level 100
Petes-ASA(config-subif)# ip address 10.2.2.254 255.255.0.0
Petes-ASA(config-subif)# exit
Petes-ASA(config)#

Create sub-interface for VLAN 3

Petes-ASA(config)# interface gigabitEthernet 1.3
Petes-ASA(config-subif)# vlan 3
Petes-ASA(config-subif)# nameif Corp-WiFi
INFO: Security level for "Corp-WiFi" set to 0 by default.
Petes-ASA(config-subif)# security-level 90
Petes-ASA(config-subif)# ip address 10.3.3.254 255.255.0.0
Petes-ASA(config-subif)# exit
Petes-ASA(config)#

[/box]

Note: I’ve manually set the security levels and made the Corp-LAN interface more trusted.

So my firewall config now looks like this:

[box]

!
interface GigabitEthernet1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1.2
 vlan 2
 nameif Corp-LAN
 security-level 100
 ip address 10.2.2.254 255.255.0.0
!
interface GigabitEthernet1.3
 vlan 3
 nameif Corp-WiFi
 security-level 90
 ip address 10.3.3.254 255.255.0.0
!

[/box]
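An added check, not from the original article, that audits an ASA interface config against the rules above: the parent physical interface must have no nameif, security-level or ip address; every sub-interface needs vlan, nameif, security-level and ip address; the count must stay within the model’s VLAN limit (figures from the table above); and the guest interface should sit at a lower security-level than the corporate one. The embedded SAMPLE_CONFIG is the article’s config; BAD_CONFIG, the model name and the licence flag are constructed inputs.

```python
# Added example (not from the original article): audits ASA interface
# configuration against the rules the article lays out. SAMPLE_CONFIG is the
# article's own interface config; BAD_CONFIG is constructed to show the
# failure cases; the model/licence arguments are assumptions you supply.

import re

# Max VLANs per model from the article's table: (base licence, Security Plus)
MAX_VLANS = {
    "5506-X": (5, 30), "5506-W-X": (5, 30), "5506-H-X": (30, 30),
    "5508-X": (50, 50), "5510": (50, 100), "5512-X": (10, 100),
    "5515-X": (100, 100), "5516-X": (100, 100), "5520": (150, 150),
    "5525-X": (200, 200), "5540": (200, 200), "5545-X": (300, 300),
    "5550": (250, 250), "5555-X": (500, 500), "5580": (250, 250),
    "5585-X": (1024, 1024),
}

SAMPLE_CONFIG = """\
interface GigabitEthernet1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1.2
 vlan 2
 nameif Corp-LAN
 security-level 100
 ip address 10.2.2.254 255.255.0.0
!
interface GigabitEthernet1.3
 vlan 3
 nameif Corp-WiFi
 security-level 90
 ip address 10.3.3.254 255.255.0.0
!
"""

# Constructed counter-example: parent still named/addressed, sub-interface incomplete
BAD_CONFIG = """\
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.1.1.254 255.255.255.0
!
interface GigabitEthernet1.2
 vlan 2
 nameif Corp-LAN
 ip address 10.2.2.254 255.255.0.0
!
"""


def parse_interfaces(config):
    """Return {interface name: {setting: value}}; 'no ...' lines record nothing."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), {})
            continue
        words = line.split()
        if current is None or not line.startswith(" ") or not words:
            current = None  # '!' or another top-level line closes the block
            continue
        if words[0] == "no":
            continue
        key = "ip address" if words[:2] == ["ip", "address"] else words[0]
        current[key] = " ".join(words[len(key.split()):])
    return interfaces


def audit_subinterfaces(config, model, security_plus=False):
    """List of findings; an empty list means the config follows the article's rules."""
    ifaces = parse_interfaces(config)
    subifs = {n: s for n, s in ifaces.items() if "." in n}
    findings = []
    for parent in sorted({n.split(".")[0] for n in subifs}):
        for key in ("nameif", "security-level", "ip address"):
            if key in ifaces.get(parent, {}):
                findings.append(f"{parent} carries sub-interfaces but still has '{key}' set")
    for name, settings in subifs.items():
        for key in ("vlan", "nameif", "security-level", "ip address"):
            if key not in settings:
                findings.append(f"{name} is missing '{key}'")
    limit = MAX_VLANS[model][1 if security_plus else 0]
    if len(subifs) > limit:
        findings.append(f"{len(subifs)} VLAN sub-interfaces exceeds the {model} limit of {limit}")
    return findings


def guest_is_less_trusted(config, guest_nameif, corp_nameif):
    """True when the guest interface has a lower security-level than the corporate one."""
    levels = {s["nameif"]: int(s["security-level"])
              for s in parse_interfaces(config).values()
              if "nameif" in s and "security-level" in s}
    return levels[guest_nameif] < levels[corp_nameif]


if __name__ == "__main__":
    print("sample:", audit_subinterfaces(SAMPLE_CONFIG, "5506-X") or "OK")
    print("bad:", audit_subinterfaces(BAD_CONFIG, "5506-X"))
    print("guest less trusted:", guest_is_less_trusted(SAMPLE_CONFIG, "Corp-WiFi", "Corp-LAN"))
```

Run it against `show running-config interface` output from the firewall; a clean result is an empty findings list, and the security-level comparison is the quick way to confirm the guest VLAN really is the less trusted side before you rely on it for separation.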

NAT/PAT Traffic From Your Sub-Interfaces

I’m taking all traffic from both subnets (10.2.0.0/16 and 10.3.0.0/16) and NATing it to my public IP. (Note: I’m actually going to PAT the addresses, but that’s just semantics.)

[box]

Petes-ASA(config)# object network Corp-LAN-PAT
Petes-ASA(config-network-object)# subnet 10.2.0.0 255.255.0.0
Petes-ASA(config-network-object)# nat (Corp-LAN,outside) dynamic interface
Petes-ASA(config-network-object)# exit
Petes-ASA(config)# object network Corp-Wifi
Petes-ASA(config-network-object)# subnet 10.3.0.0 255.255.0.0
Petes-ASA(config-network-object)# nat (Corp-WiFi,outside) dynamic interface
Petes-ASA(config-network-object)# exit

[/box]

If you have ACLs you will need to allow the traffic out, and if you want to test connectivity by pinging a public IP address you will need to have ICMP inspection configured on the firewall.

What if you want the WiFi VLAN to have a different Public IP?

If you want to use another public IP from your public range, here is an example of the config:

[box]

!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 123.123.123.123 255.255.255.0
!
interface GigabitEthernet1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1.2
 vlan 2
 nameif Corp-LAN
 security-level 100
 ip address 10.2.2.254 255.255.0.0
!
interface GigabitEthernet1.3
 vlan 3
 nameif Corp-WiFi
 security-level 90
 ip address 10.3.3.254 255.255.0.0
!
object network Corp-LAN-PAT
 subnet 10.2.0.0 255.255.0.0
 nat (Corp-LAN,outside) dynamic interface
!
object network Corp-Wifi
 subnet 10.3.0.0 255.255.0.0
 nat (Corp-WiFi,outside) dynamic 123.123.123.124
!
route outside 0.0.0.0 0.0.0.0 123.123.123.124
!

[/box]

OR, if you want the traffic to leave by another public interface (i.e. one connected to another ISP) you can do the following:

[box]

!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 123.123.123.123 255.255.255.0
!
interface GigabitEthernet1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1.2
 vlan 2
 nameif Corp-LAN
 security-level 100
 ip address 10.2.2.254 255.255.0.0
!
interface GigabitEthernet1.3
 vlan 3
 nameif Corp-WiFi
 security-level 90
 ip address 10.3.3.254 255.255.0.0
!
interface GigabitEthernet2
 nameif outside-WiFi
 security-level 0
 ip address 234.234.234.234 255.255.255.252
!
object network Corp-LAN-PAT
 subnet 10.2.0.0 255.255.0.0
 nat (Corp-LAN,outside) dynamic interface
!
object network Corp-Wifi
 subnet 10.3.0.0 255.255.0.0
 nat (Corp-WiFi,outside-WiFi) dynamic interface
!
route outside 0.0.0.0 0.0.0.0 123.123.123.124
route outside-WiFi 0.0.0.0 0.0.0.0 234.234.234.235
!

[/box]

Setting Up The Switch

This will depend upon the vendor, but essentially if it’s a Cisco switch you make the uplink switch port a ‘trunk port’ and either allow ALL VLANs or just VLANs 2 and 3. Then every wired client connects to a port you have set up as an ‘access port’ on VLAN 2, and all the wireless equipment plugs into ports you have made ‘access ports’ on VLAN 3.

For other vendors you would need to ‘tag’ VLANs 2 and 3 on the firewall uplink port, then ‘untag’ VLAN 2 on all the wired ports, and finally ‘untag’ VLAN 3 on all the wireless ports.

See the following article for more information:

HP and Cisco – VLANs and Trunks Confusion!

Related Articles, References, Credits, or External Links

NA