Cisco IOS – How To Find VLAN IPs (SVI’s)

KB ID 0001258 

Problem

If you have a complicated network, you can spend more time finding out how it’s configured, than actually doing any work on it!

Today I had a client that needed some changes made on their LAN. I knew their name and their network address, and common sense told me which of the core switches they were connected to.

Solution

A quick search on the client name told me what VRF they were in, and what VLAN they were in (3000), let’s have a look at that;

[box]

Petes-Core-SW#show run vlan 3000
Building configuration...

Current configuration:
!
vlan 3000
 name CORP:NET
end

[/box]

That doesn’t yield much more than I already know, so I can either do this and get a LOT of information;

[box]

Petes-Core-SW#show interfaces vlan 3000
Vlan3000 is up, line protocol is up
 Hardware is EtherSVI, address is c062.6be3.3000 (bia c062.6be3.9d40)
 Description: CORP:NET
 Internet address is 192.168.1.100/24
 MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
 reliability 255/255, txload 1/255, rxload 1/255
 Encapsulation ARPA, loopback not set
 Keepalive not supported
 ARP type: ARPA, ARP Timeout 04:00:00
 Last input 00:00:00, output never, output hang never
 Last clearing of "show interface" counters never
 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
 Queueing strategy: fifo
 Output queue: 0/40 (size/max)
 5 minute input rate 254000 bits/sec, 115 packets/sec
 5 minute output rate 504000 bits/sec, 119 packets/sec
 L2 Switched: ucast: 22179333 pkt, 1561846492 bytes - mcast: 0 pkt, 0 bytes
 L3 in Switched: ucast: 471521755 pkt, 367932934560 bytes - mcast: 0 pkt, 0 bytes
 L3 out Switched: ucast: 493390206 pkt, 464908773459 bytes - mcast: 0 pkt, 0 bytes
 475554223 packets input, 366284328453 bytes, 0 no buffer
 Received 0 broadcasts (1116 IP multicasts)
 0 runts, 0 giants, 0 throttles
 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
 493591347 packets output, 462947525840 bytes, 0 underruns
 0 output errors, 0 interface resets
 0 output buffer failures, 0 output buffers swapped out

[/box]

Or a more sensible;

[box]

Petes-Core-SW#show run interface vlan 3000
Building configuration...



Current configuration : 160 bytes
!
interface Vlan3000
 description CORP:NET
 mac-address c062.6be3.3000
 vrf forwarding CORP:NET
 ip address 192.168.1.100 255.255.255.0
end

[/box]

Find What VLAN An IP Address Is In

If you have the opposite problem, i.e. you know the IP (or a part of the IP), you can get the VLAN number like so;

[box]

Petes-Core-SW#show ip int br | incl 192.168.1.100
Vlan3000               192.168.1.100     YES NVRAM  up                    up

[/box]
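The filter above matches the text of the SVI's own address, so it will not find the VLAN for a host that merely sits inside the subnet, and the same subnet can exist in more than one VRF. The following is an added example (not from the original article) that does the subnet comparison offline against a saved config; the `Vlan3010` stanza, the `LAB:NET` VRF and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample in 'show run' style. Vlan3000 is the article's SVI;
# Vlan3010 and the LAB:NET VRF are made up to show overlapping address space.
SAMPLE_CONFIG = """\
interface GigabitEthernet2/28
 ip address 5.229.0.2 255.255.255.248
!
interface Vlan3000
 description CORP:NET
 vrf forwarding CORP:NET
 ip address 192.168.1.100 255.255.255.0
!
interface Vlan3010
 vrf forwarding LAB:NET
 ip address 192.168.1.1 255.255.255.128
 ip address 10.99.0.1 255.255.255.0 secondary
!
"""

def parse_svis(config):
    """Return one dict per 'interface VlanN' stanza: vlan, vrf, networks."""
    svis, current = [], None
    for line in config.splitlines():
        m = re.match(r"interface Vlan(\d+)\s*$", line)
        if m:
            current = {"vlan": int(m.group(1)), "vrf": None, "networks": []}
            svis.append(current)
        elif not line.startswith(" "):
            current = None  # '!' or any other top-level line ends the stanza
        elif current is not None:
            m = re.match(r" (?:ip )?vrf forwarding (\S+)", line)
            if m:
                current["vrf"] = m.group(1)
            m = re.match(r" ip address (\d\S*) (\d\S*)", line)
            if m:  # mask form is accepted by ip_interface; 'secondary' is ignored
                iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
                current["networks"].append(iface.network)
    return svis

def find_vlans(config, host):
    """List (vlan, vrf, subnet) for every SVI whose subnet contains host."""
    addr = ipaddress.ip_address(host)
    return [(s["vlan"], s["vrf"], str(n)) for s in parse_svis(config)
            for n in s["networks"] if addr in n]

if __name__ == "__main__":
    print(find_vlans(SAMPLE_CONFIG, "192.168.1.57"))
```

More than one result means the address alone is ambiguous and the VRF has to be known before the right SVI can be picked.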

 

Related Articles, References, Credits, or External Links

NA

VPN Error – ‘CRYPTO-4-RECVD_PKT_NOT_IPSEC’

KB ID 0000936 

Problem

While setting up a simple site to site to site VPN, I was unable to get ISAKMP phase 1 to establish. When I had a look on the device at the far end, I saw this error logged in the console every time I tried to bring up the tunnel.

[box]

*Mar 1 00:21:42.811: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.2.3, src_addr= 192.168.1.2, prot= 1

[/box]

Solution

After about 40 minutes of staring at the configs, I realised I’d applied the crypto-map (on the router I was trying to bring the tunnel up from), to the inside interface and not the outside one – Doh!
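Each of these messages names a flow that reached the far end without IPsec encapsulation, so it is worth pulling the addresses out of the log rather than just noting the error. The following is an added example (not from the original article) that summarises such flows from saved console or syslog text; only the first sample line comes from the article, the others are constructed, and the function name is an assumption.

```python
import re
from collections import Counter

# Sample log: line 1 is the message shown in the article, the rest are constructed.
SAMPLE_LOG = """\
*Mar 1 00:21:42.811: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.2.3, src_addr= 192.168.1.2, prot= 1
*Mar 1 00:21:44.815: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.2.3, src_addr= 192.168.1.2, prot= 1
*Mar 1 00:22:01.102: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 1 00:25:10.330: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= CORP:NET/192.168.2.9, src_addr= 192.168.1.7, prot= 6
"""

# The VRF field is empty when the packet arrived in the global routing table.
PATTERN = re.compile(
    r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC:.*?vrf/dest_addr=\s*(?P<vrf>[^/\s]*)/(?P<dst>[\d.]+),"
    r"\s*src_addr=\s*(?P<src>[\d.]+),\s*prot=\s*(?P<prot>\d+)"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}  # IP protocol numbers

def cleartext_flows(log_text):
    """Count unencapsulated packets per (vrf, src, dst, protocol) flow."""
    flows = Counter()
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if not m:
            continue  # unrelated log line
        proto = int(m.group("prot"))
        key = (m.group("vrf") or "global", m.group("src"), m.group("dst"),
               PROTO_NAMES.get(proto, str(proto)))
        flows[key] += 1
    return flows

if __name__ == "__main__":
    for flow, count in cleartext_flows(SAMPLE_LOG).most_common():
        print(count, *flow)
```

In the article's case the single flow is ICMP (`prot= 1`) from 192.168.1.2, which points back at the router whose crypto map was on the wrong interface.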


Cisco IOS – Find The ‘Default Route’ For A VRF

KB ID 0001086 

Problem

Routing is one of my weaker subjects, and today I was trying to chase some routes through a network to locate all the firewalls. The core of the network has a bunch of 6500 Switches in various data centers. I tracked the network I was working on to an SVI on one of the core switches, that was in a VRF.

But how could I find the ‘next hop’? The routing table on these switches is very large.

Solution

Thankfully I’m surrounded by a team of routing ninjas, so I asked. The syntax is just;

[box]show ip route vrf {VRF Name}[/box]

Note: If you don’t know the name of the VRF;

[box]show running-config vrf

OR

show running-config vrf | incl <NAME>[/box]

Then as with any routing table, look for the default route.

For example;

[box]

Petes-Core-SW#show ip route vrf CORP:NET

Routing Table: CORP:NET
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 5.229.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 5.229.0.1
      10.0.0.0/8 is variably subnetted, 13 subnets, 5 masks
B        10.1.0.0/16 [200/0] via 123.123.123.1, 3w5d
B        5.219.28.0/24 [200/0] via 123.123.123.1, 3w5d
B        5.219.40.0/24 [200/0] via 123.123.123.1, 3w5d
B        5.219.241.0/24 [200/0] via 123.123.123.1, 3w5d
B        10.220.50.0/24 [200/0] via 123.123.123.1, 3w5d
C        5.229.0.0/29 is directly connected, GigabitEthernet2/28
L        5.229.0.2/32 is directly connected, GigabitEthernet2/28
C        5.229.1.0/24 is directly connected, Vlan229
L        5.229.1.1/32 is directly connected, Vlan229
B        5.229.60.0/24 [200/0] via 123.123.123.16, 3w4d
B        5.229.61.0/24 [200/0] via 123.123.123.16, 3w4d
B        5.229.255.0/30 [200/0] via 123.123.123.1, 3w5d
B        5.229.255.4/30 [200/0] via 123.123.123.16, 3w4d
      172.100.0.0/24 is subnetted, 1 subnets
B        172.100.100.0 [200/0] via 123.123.123.1, 3w5d
Petes-Core-SW#

Let's test connectivity

Petes-Core-SW# ping vrf CORP:NET 5.229.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.229.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Petes-Core-SW#

[/box]

Next hop is 5.229.0.1 (which turned out to be the firewall I was looking for).

To Ping Over a VRF

[box]ping vrf <VRF-NAME> <IP ADDRESS>

e.g.

ping vrf CORP:NET 192.168.1.100[/box]

To SSH Into Another IOS Device Over a VRF

[box]ssh -l <USER-NAME> -vrf <VRF_NAME> <IP-ADDRESS>

e.g.

ssh -l fredbloggs -vrf CORP:NET 192.168.1.123[/box]
