Cisco & Cisco Network Hardware News and Technology

Cisco Mobility Express Solution for K-12

November 18 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

Deploy and Manage Your School’s Wi-Fi Network in a Snap


What can the Cisco Mobility Express Solution do for you? It lets you deploy a wireless network that includes Cisco's advanced wireless features, using a simple, over-the-air configuration interface.

Nowadays, at your school, students might be using digital textbooks. And you might be required to provide a tablet or laptop for every student. Network connections will probably be wireless for the flexibility to use devices from anywhere on campus. Faculty and administrative personnel, too, rely on wireless networking for internal communications that are part of their jobs.

If your IT staff is tiny or nonexistent, how can you deploy and manage the wireless network? Especially if there are multiple schools scattered throughout the district to cover?

Cisco Mobility Express Solution targets just such situations. Mobility Express is built into Cisco Aironet 1850 and 1830 Series Access Points, which support 802.11ac Wave 2. Wave 2 is the very latest Wi-Fi standard, supporting gigabit speeds and protecting your Wi-Fi access point investment into the future.


  • Ideal for schools needing up to 25 Wi-Fi access points
  • Supports Cisco’s industry-leading features with no price premium
  • Non-IT personnel can set up the wireless network in less than 10 minutes
  • Three-step, wizard-based setup means no command lines to learn
  • Delivers 802.11ac Wave 2, the latest and fastest wireless LAN technology on the market
  • Bundles virtual WLAN controller management capabilities into the AP at no extra cost
  • Cisco Connected Mobile Experience (CMX) can be added to boost customer engagement and give you presence-based analytics

Be Prepared for Wave 2 Client Devices--New 802.11ac Wave 2 client devices will soon appear on your network as students, faculty, and staff upgrade their smartphones and tablets.

Installing a Wave 2 Wi-Fi access point prepares you to deliver the most robust performance possible to them from day one. Turn to Cisco, a leader in helping advance the 802.11ac specifications, to help you stay ahead of the growing Wi-Fi traffic volumes that the new devices will generate.

1, 2, 3, and You’re Up

Supported on the Cisco Aironet 1850 and 1830 Series Access Points, the Mobility Express Solution lets you deploy your wireless LAN in less than 10 minutes. You can simultaneously configure multiple Aironet access points with industry best-practice settings already enabled by default. Follow just three steps to configure your network:

  1. Connect to an 1850 or 1830 access point using any wireless device
  2. Use the Cisco WLAN Express Setup Wizard to configure multiple access points simultaneously. Your wireless network can contain a mix of Cisco Aironet 1850, 1830, 1600, 2600, 3600, 1700, 2700 and 3700 Series Access Points. You just need an 1850 or 1830 for the control function.
  3. Access the management dashboard – available via a browser or a mobile app – to operate, monitor, and troubleshoot your network.

When you want to access your Mobility Express dashboard from your mobile device, use the Cisco Wireless app, available at the Google Play Store and Apple App Store.

Built-In Management

Using a virtual wireless LAN controller built right into the Cisco Aironet 1850 and 1830 access points, you can manage all your access points from a central console. You can easily manage up to 25 APs and 500 clients for each Mobility Express virtual controller you deploy. That means if you are a smaller venue, you can now deliver the same quality user experiences as large enterprises. There’s no price premium, and you don’t have to understand command-line interfaces.

There’s no longer the burden of having to manage autonomous APs one at a time, and no need to invest in a separate WLAN controller appliance for management.

To learn more about Cisco Mobility Express Solution, Cisco Aironet 1850 and 1830 Series Access Points, and 802.11ac Wave 2, visit: http://www.cisco.com/go/mobilityexpress.

Original from http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/mobility-express/at-a-glance-c45-734261.pdf


IPv6 Feature Support on the Cisco ASA Firewall

November 12 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Technology - IT News, #Cisco Switches - Cisco Firewall

It is well known that the Cisco ASA series supports IPv6, and it can be set up quickly. The following focuses on a basic ASA setup for a native IPv6 network. As you will see, very few commands are required to have your ASA firewall join an IPv6-ready network.

Here is a quick way to configure your ASA firewall for IPv6 connectivity.


Step 1

In this step we assign a link local address to the interface. There are 2 ways to assign a link local address to the interface

Step 1.1.

Configure the interface to generate a link local address from its MAC address.

interface GigabitEthernet 0/0

no shutdown

nameif inside

ipv6 enable

When you enter ipv6 enable, a link-local address is generated automatically from the interface MAC address (modified EUI-64).

Step 1.2.

Configure a link local address manually.

interface GigabitEthernet 0/0

no shutdown

nameif inside

ipv6 address <ipv6-address> link-local

Using the above command you can assign a link local address to the interface manually.

You can verify the link local address by executing the “show ipv6 interface” command.

Step 2

Next we have to assign the global address to the interface. There are 2 ways of doing this.

Step 2.1.

You can manually assign a global IPv6 address to the interface.

interface GigabitEthernet 0/0

ipv6 address 2001:db8:2:3::1/64

With the ipv6 address command above, you are manually specifying the global IPv6 address for the interface. You can specify more than one IPv6 address for the interface by repeating the command.

Step 2.2.

You can configure the interface to obtain the address automatically using stateless address autoconfiguration.

interface GigabitEthernet 0/0

ipv6 address autoconfig

Enabling stateless autoconfiguration on the interface configures IPv6 addresses based on prefixes received in Router Advertisement messages.

NOTE: There was a defect (CSCuq62164) in the ASA software that caused the ASA to not assign an address if it received a RA message with both the M and A flags set. This has been fixed in 9.3(1) release and hence we recommend this version if you intend to use SLAAC for configuring the address on ASA interfaces.
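Both the link-local address from Step 1.1 and the SLAAC address from Step 2.2 are formed the same way: a 64-bit prefix plus a modified EUI-64 interface identifier derived from the interface MAC. The following Python is an added example (not code from the original article or from Cisco) that performs that derivation, and reverses it. The MAC e4:c7:22:84:0e:b2 is inferred from the link-local address shown in the Step 3 output; the 2001:db8:2:3::/64 prefix is the one used in Step 2.1.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Return the modified EUI-64 interface identifier for a 48-bit MAC address.

    RFC 4291 Appendix A: split the MAC into two 24-bit halves, insert 0xFFFE
    between them, and invert bit 6 of the first byte (the universal/local bit).
    Accepts "e4c7.2284.0eb2", "e4:c7:22:84:0e:b2" or "e4-c7-22-84-0e-b2".
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError(f"expected a 48-bit MAC address, got {mac!r}")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # invert the U/L bit
    return int.from_bytes(eui, "big")


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """Link-local address the ASA derives after 'ipv6 enable': fe80::/64 + EUI-64."""
    return ipaddress.IPv6Address((0xFE80 << 112) | eui64_interface_id(mac))


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Global address 'ipv6 address autoconfig' forms from a /64 prefix learned in an RA."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def mac_from_eui64_address(addr: str):
    """Reverse the derivation: the MAC embedded in an EUI-64 address, or None if not EUI-64."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02  # undo the U/L bit flip
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])


if __name__ == "__main__":
    mac = "e4c7.2284.0eb2"  # inferred from the show ipv6 interface output in Step 3
    print("link-local:", link_local_from_mac(mac))
    print("SLAAC     :", slaac_address("2001:db8:2:3::/64", mac))
    print("embedded MAC:", mac_from_eui64_address("fe80::e6c7:22ff:fe84:eb2"))
```

The reverse function is the practitioner's caveat: an EUI-64 address carries the interface MAC, so anyone who sees the address learns the hardware vendor (OUI) and can correlate the same box across every prefix it is given. Assign the global address manually (Step 2.1) on interfaces where that matters.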

Step 3

Verify IPv6 configuration.


show ipv6 interface

inside is up, line protocol is up

IPv6 is enabled, link-local address is fe80::e6c7:22ff:fe84:eb2

Global unicast address(es):

2001:db8:2:3::1, subnet is 2001:db8:2:3::/64

Joined group address(es):





ICMP error messages limited to one every 100 milliseconds

ICMP redirects are enabled

ND DAD is enabled, number of DAD attempts: 1

ND reachable time is 30000 milliseconds

ND advertised reachable time is 0 milliseconds

ND advertised retransmit interval is 1000 milliseconds

ND router advertisements are sent every 200 seconds

ND router advertisements live for 1800 seconds

Hosts use stateless autoconfig for addresses.

Step 4 (Optional)

Suppress Router Advertisement messages on an interface.

By default, Router Advertisement messages are automatically sent in response to router solicitation messages. You may want to disable these messages on any interface for which you do not want the security appliance to supply the IPv6 prefix (for example, the outside interface).

Enter the following command to suppress Router Advertisement messages on an interface:

ipv6 nd suppress-ra

Neighbor discovery will continue to be operational even though RA suppression has been configured.

Step 5

Define an IPv6 default route.

ipv6 route outside ::/0 next_hop_ipv6_addr

Using ::/0 is equivalent to “any”. The IPv6 route command is functionally similar to the IPv4 route.

Step 6

Define access-lists.

Using the regular access-list command define the access-lists with IPv6 addresses in them so as to permit the required traffic to flow through the ASA.


access-list test permit tcp any host 2001:db8::203:a0ff:fed6:162d

access-group test in interface outside

The above is permitting traffic to a specific server 2001:db8::203:a0ff:fed6:162d.


If you plan to use autoconfig for the global IPv6 address on the ASA, restrict router advertisements (RAs) to the known routers in your network. This prevents the ASA from being autoconfigured, and its default router choice steered, by a rogue or misconfigured router.

access-list outsideACL permit icmp6 host fe80::21e:7bff:fe10:10c any router-advertisement

access-list outsideACL deny icmp6 any any router-advertisement

access-group outsideACL in interface outside

interface GigabitEthernet 0/0

nameif outside

security-level 0

ipv6 address autoconfig

ipv6 enable

Once applied, the access-list above accepts RAs only from the router specified and denies all other RAs. Remember that an ASA access-list ends in an implicit deny, so any other traffic that should enter the outside interface needs its own permit entries in outsideACL.

Configuring ASA to help autoconfigure IPv6 addresses on hosts behind the ASA

The hosts in the network behind the ASA might be configured to autoconfigure their IPv6 address. Dynamic address assignment happens in 2 ways on IPv6 networks. It could either be a stateful address assignment or stateless address assignment.

Stateful dynamic address assignment

For stateful address assignment, a DHCPv6 server must be available on the network to hand out addresses on request. At the time of writing the ASA cannot host a DHCPv6 server on its interfaces, but it can act as a DHCPv6 relay agent. To enable stateful dynamic address assignment for hosts behind the ASA, configure the DHCPv6 relay agent on the ASA.

To configure the DHCPv6 relay agent the following configuration is needed:

ipv6 dhcprelay server 2001:db8:c18:6:a8bb:ccff:fe03:2701

ipv6 dhcprelay enable inside

The first command specifies the address of a DHCPv6 server to which the DHCP requests are forwarded. The command also accepts an optional interface name that specifies the output interface for the destination. The second command enables DHCP relay on an interface. When DHCP relay is enabled on an interface, all the DHCP requests coming on that interface get forwarded to the configured DHCP server.

Stateless dynamic address assignment

In Stateless Autoconfiguration (SLAAC) the client picks up its own address based on the prefix being advertised by the ASA. The prefix is advertised by means of an IPv6 router advertisement. ASA sends out IPv6 router advertisements by default from any interface on which a global IPv6 address is configured. Additionally, a DHCPv6 relay agent can be configured to point to a DHCPv6 server that can advertise a DNS server address and a domain name only.

IPv6 Prefix delegation

At the time of writing the ASA does not support IPv6 prefix delegation. If the network behind the ASA needs addresses from a prefix delegated by a delegating router, place the ASA between the provider edge (PE) router and the IPv6-capable customer premises router and run it in transparent mode. This way the ASA protects the entire IPv6 network on the customer premises, including the infrastructure router. All ICMPv6 traffic must be permitted on an ASA running in transparent mode, since neighbor discovery and prefix delegation depend on it.

The following must be configured on the ASA:

firewall transparent

interface BVI1

no ip address

ipv6 enable

interface GigabitEthernet0/0

nameif outside

bridge-group 1

security-level 0

interface GigabitEthernet0/1

nameif inside

bridge-group 1

security-level 100

access-list permit_icmp6 extended permit icmp6 any6 any6

access-group permit_icmp6 global

This example uses a link-local IPv6 address on the BVI interface. You can also configure an explicit IPv6 address for in-band management purposes.

The original article was shared from https://supportforums.cisco.com/document/61451/cisco-asa-ipv6-quick-start


The Cisco 3850-Standalone- IOS XE Upgrade…Details…

November 6 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches-Software

New Cisco Catalyst 3850 Switches


There are 2 methods of booting and running IOS XE software in 3850 switch/stack.

By default, the switches are shipped in Install mode.

Bundle mode: Bundle mode is where we boot the switch/stack using the .bin file. This is the traditional method of booting the switch where the switch extracts the .bin file to the RAM of the switch and run from there.

Install Mode: Install mode is where we pre-extract the .bin file into flash and boot the switch/stack using the packages.conf file created during the extraction.


Install mode is the recommended mode of running the switch; not all features may be available in Bundle mode.

IOS XE installation and software rollback are supported only when the switch is running in “Install” mode. (i.e.: The commands “software install” and “software rollback”.)

Use “software expand” command to convert the switch into Install mode from Bundle mode. The steps are mentioned below.

Upgrading a stand-alone switch:

The packages and provisioning file used to boot in installed mode must reside in the flash.

Booting in installed mode from usbflash0: or TFTP is not supported.

Booting a bundle in bundle mode is just like booting a monolithic IOS image.

For example: boot flash:cat3k_caa-universalk9.SSA.03.08.83.EMD.150-8.83.EMD.bin

Hence, the boot variable should not be pointing to the .bin file. If so, the switch will boot in Bundle mode. The boot variable should be pointing to the “packages.conf” file in order for the switch to boot in Install mode.

Before doing the upgrade, we need to check the mode in which the switch is currently booted in.

C3850#show version | begin Switch Port

Switch Ports Model SW Version SW Image Mode

------ ----- ----- ---------- ---------- ----

* 1 32 WS-C3850-24T 03.03.01SE cat3k_caa-universalk9 INSTALL <-- Install mode

Upgrading from Install mode:

By default, switches are shipped in Install mode.

In order to upgrade the switch from Install mode, please follow the below-mentioned procedure.

  1. Download the new image from the TFTP server to the flash / USB on the switch. (optional)

copy tftp: flash:

copy tftp: usbflash0:

  2. Use the command “software install” to install the newly downloaded image (or) the image present in the network.

C3850-01#software install file <source>:<filename.bin> new

The “new” keyword ensures that the post-install package set contains only the packages being installed; the old provisioning file is renamed for future rollback. Without this option, the post-install package set is a merge of the currently installed software and the new packages being installed.

The source can be

  • flash: or usbflash0: (or a sub-directory of these)
  • The network via tftp, ftp or http

NOTE: When performing ‘software install’ on a switch with a source bundle that resides in the network, the source bundle is first downloaded to RAM on switch. The source bundle is deleted from RAM when the operation completes.

Refer to the configuration guide to know about the other optional parameters of this command,


C3850#dir flash:

Directory of flash:/


29511 -rwx 220716072 Oct 15 2012 12:57:59 +00:00 cat3k_caa-universalk9.SSA.03.08.88.EMP.150-8.88.EMP.bin

C3850#software install file flash:cat3k_caa-universalk9.SSA.03.08.88.EMP.150-8.88.EMP.bin


[1 ]: Creating pending provisioning file

[1 ]: Finished installing software. New software will load on reboot.

[1 ]: Committing provisioning file

[1 ]: Do you want to proceed with reload? [yes/no]: n


Once the installation is completed, reload the switch and it will boot into the newly installed IOS XE image.

From Bundle mode:

If the switch is currently running in “Bundle” mode, then we need to use the “software expand” command to convert the switch into the Install mode first and then install the new IOS XE.

The ‘software expand’ exec command is used to extract the package files and the provisioning file (packages.conf) from a source bundle (possibly the running bundle) and copy them to the specified destination directory in a local storage device.

This command will typically be used to convert from the bundle running mode to the installed running mode.

NOTE: When performing ‘software expand’ on a switch with a source bundle that resides in local storage, the source bundle is first copied to the corresponding local storage device on the switch. The source bundle used for the expand operation is left intact after it is expanded.

NOTE: When performing ‘software expand’ on a switch with a source bundle that resides in the network, the source bundle is first downloaded to RAM of the switch. The source bundle is deleted from RAM on the switch when the operation completes.

This example uses the following steps to prepare a switch for booting in installed mode, i.e., booting a package provisioning file (packages.conf)

  1. Boot in bundle mode using ‘boot flash:<bundle name>’ (you can also boot from usbflash0: or via tftp)
  2. Use the ‘software clean file flash:’ command to remove any unused package, bundle and provisioning files from flash:
  3. Use the ‘software expand running to flash:’ command to expand the running bundle to flash:
  4. Reload the switch
  5. Boot the installed packages using ‘boot flash:packages.conf’

Software Rollback:

The 'software rollback' exec command can be used to revert to a previous version of the installed software package set (i.e., an older packages.conf file)

This functionality relies on the existence of one or more 'rollback provisioning files’ in flash:, along with all of the .pkg files listed in the rollback provisioning file(s)

  • The rollback provisioning files are visible in flash: as packages.conf.00-, packages.conf.01-, etc.
  • packages.conf.00- is a snapshot of the packages.conf file as it looked prior to the last installation operation
  • packages.conf.01- is a snapshot of the packages.conf file as it looked two installations ago
  • And so on

When the 'software rollback' command is used, packages.conf.00- becomes packages.conf. packages.conf.01- becomes packages.conf.00-. And so on

Note: If the 'software clean' command is used, future attempts to do a software rollback are likely to fail


How to Verify Cisco Switch Network Status and Operational State?

October 30 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

In the last article we discussed the “Nine Switch Commands Every Cisco Network Engineer Needs to Know”. For Cisco, as for many other vendors, new commands are introduced at each progressive level of system verification. Do you know which commands to use to verify a network switch’s status and operation? In this article we look at five essential commands used to verify a network switch’s status and operation. They are:

  • ping
  • traceroute
  • telnet
  • ssh
  • show cdp neighbors


Available on almost all operating system platforms, including Cisco IOS, the ping command is used to verify the reachability of a targeted device. It does this by sending an Internet Control Message Protocol (ICMP) echo message to the target; if the target receives the message (and is not configured to drop it), it responds to the initial sender with an ICMP echo-reply message. In a perfect world, with no firewalls, and all devices configured to respond to these messages, the ping command would work perfectly. However, many devices (or devices en route, like firewalls) are purposely configured to ignore ICMP echo messages automatically, in order to hide their existence and avoid being targeted by attackers. In these cases, engineers must decide whether the unsuccessful ping is a real problem or a purposeful part of a network’s design.

TIP: As a general rule, don’t worry about devices that are outside your organization’s control.

Cisco IOS also has an extended version of the ping command that allows for more complex command configurations. For example, an engineer has the ability to control the source IP used (which makes sense when being run from a router configured with multiple IP addresses), the size of the messages being sent, and the content of the messages, among other options.


The traceroute command is typically used along with the ping command to further determine the reachability of a destination. traceroute works a bit differently from ping; instead of simply sending a message to the destination directly, it aims to find the path from the source to the target destination. It does this by using either ICMP echo messages on Windows or the User Datagram Protocol (UDP) probe messages on Linux and Cisco IOS. It figures out the path by taking advantage of the IP Time to Live (TTL) field.

It’s important to understand what the TTL field does. In normal circumstances, the TTL is a loop-prevention mechanism: the sender sets it to a starting value and every router (IP hop) along the way decrements it by one. If a router decrements the TTL to 0, it drops the packet and sends an ICMP “time exceeded” message (type 11) back to the source. traceroute uses exactly this behaviour to find each hop between the source and the destination:

  1. Initially the source sends an ICMP echo (Windows) or UDP probe (Linux, Cisco IOS) to the destination with a TTL of 1.
  2. When the packet reaches the first hop, the TTL is decremented to 0; the device drops the packet and sends back an ICMP “time exceeded” message, which reveals that hop’s address.
  3. To find the second hop, the TTL is set to 2, for the third hop to 3, and so on; typically three probes are sent for each TTL value (three with a TTL of 1, three with a TTL of 2, and so on). A hop that does not answer is shown as an asterisk (*).
  4. The run ends when the destination itself answers: with an ICMP echo reply for an echo probe, or with an ICMP “destination unreachable, port unreachable” (type 3, code 3) for a UDP probe sent to an unused port. The traceroute command collects these replies and prints them as the path toward the destination.

As with the ping command, many organizations block the ICMP echo messages and some of the UDP messages; and the output should be read with this fact in mind.

The traceroute command on Cisco IOS is extended in the same way as the ping command variant that allows for extended command configurations. The options offered by traceroutemirror most of the options available in an extended ping.
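To make the TTL mechanism concrete, here is an added Python model of the exchange (example code written for this page, not from the Cisco Press article or from Cisco IOS). It does not send packets; it walks a constructed path of routers, decrements the TTL at each one, and returns the ICMP message each probe would provoke. The router and target addresses, and the router that silently drops expired probes, are made up for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# ICMP types/codes (RFC 792) that traceroute relies on
ICMP_TIME_EXCEEDED = 11       # type 11, code 0: TTL expired in transit (sent by a router)
ICMP_DEST_UNREACHABLE = 3     # type 3 ...
CODE_PORT_UNREACHABLE = 3     # ... code 3: the target's answer to a UDP probe on a closed port

Reply = Tuple[str, int, int]  # (responder address, ICMP type, ICMP code)


@dataclass
class Router:
    address: str
    answers_expired: bool = True  # False: drops TTL-expired packets silently, as many firewalls do


def forward_probe(path, target, ttl) -> Optional[Reply]:
    """Forward one UDP probe (the Linux/IOS style) hop by hop; return the ICMP reply, if any."""
    for router in path:
        ttl -= 1                      # every Layer 3 hop decrements the TTL
        if ttl == 0:
            if router.answers_expired:
                return (router.address, ICMP_TIME_EXCEEDED, 0)
            return None               # no reply: traceroute prints "*"
    # The TTL survived the whole path: the target answers the closed-port UDP probe
    return (target, ICMP_DEST_UNREACHABLE, CODE_PORT_UNREACHABLE)


def traceroute(path, target, probes=3, max_ttl=30):
    """Return [(ttl, responder or '*', icmp_type, icmp_code), ...] up to the target."""
    rows = []
    for ttl in range(1, max_ttl + 1):
        replies = [forward_probe(path, target, ttl) for _ in range(probes)]
        answered = [r for r in replies if r is not None]
        if not answered:
            rows.append((ttl, "*", None, None))
            continue
        responder, icmp_type, code = answered[0]
        rows.append((ttl, responder, icmp_type, code))
        if icmp_type == ICMP_DEST_UNREACHABLE:
            break                     # the target itself replied; the path is complete
    return rows


def render(rows) -> str:
    """One line per TTL value, in the spirit of the IOS output."""
    lines = []
    for ttl, who, icmp_type, code in rows:
        detail = "*" if who == "*" else f"{who}  (icmp type {icmp_type} code {code})"
        lines.append(f"{ttl:>3} {detail}")
    return "\n".join(lines)


# Constructed path for the example: hop 2 drops expired probes without answering.
SAMPLE_PATH = [Router("10.0.0.1"), Router("10.0.0.2", answers_expired=False), Router("192.0.2.1")]
SAMPLE_TARGET = "198.51.100.10"

if __name__ == "__main__":
    print(render(traceroute(SAMPLE_PATH, SAMPLE_TARGET)))
```

The second hop shows as an asterisk even though it forwards traffic perfectly well; that is the case the text warns about, where a blank line in the output is a policy decision on someone's firewall rather than a fault.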


The telnet command has been around for a long time, allowing users to manage devices via a command-line interface. Its very simple operation provides an unsecured Transmission Control Protocol (TCP) session between the source and destination. Characters entered on the source are immediately relayed to the destination, providing an experience on Cisco IOS (and Linux) that is the same as if the user were directly connected into the device locally.


The key term in that description is unsecured: the username, the password and every command that follows are sent between source and destination in clear text, so anyone who can capture the traffic can read them.

The telnet command uses TCP port 23.


The ssh (secure shell) command works similarly to the telnet command but creates a secure communications channel between source and destination. This means that the username and password are not sent in clear text and are protected (at least to some level) from anyone listening in on the conversation.

The ssh command uses TCP port 22.

show cdp neighbors

The show cdp neighbors command is used on a Cisco IOS device to view neighboring devices discovered by the Cisco Discovery Protocol (CDP). CDP is a Cisco proprietary protocol used for Layer 2 discovery; it has the ability to discover all other supporting CDP devices on a shared segment. (It doesn’t work across Layer 3 devices.) The following example shows some typical output of this command:

R1#show cdp neighbors

Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge

                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,

                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID

R2               Fas 0/0            172              R    7206VXR   Fas 0/0


In this example, we learn that the remote device (R2) is connected via R1’s FastEthernet0/0 interface and is connected to R2’s FastEthernet0/0 interface, and R2 is a Cisco 7206VXR router. This information is very helpful when mapping out unfamiliar networks. It can also be used to help ensure that a device is connected to the correct remote device(s) on the correct interface; as engineers often must configure devices remotely, this command is useful when installing new equipment, to ensure that physical interfaces are connected to the appropriate networks.

Keep in mind that CDP is a proprietary protocol and will not work to discover most other non-Cisco devices; this command is enabled by default on Cisco devices. A standards-based alternative to CDP is the Link Layer Discovery Protocol (LLDP)—IEEE 802.1AB, which is supported by many other vendors, but is not enabled by default on Cisco devices.

Reference Article from http://www.ciscopress.com/articles/article.asp?p=2420613


Nine Switch Commands Every Cisco Network Engineer Needs to Know

October 30 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

A Cisco network engineer needs experience with a wide variety of commands used with network technology. At the Cisco Certified Network Associate (CCNA) level, Cisco has indicated a number of commands that should be known from the start for Cisco network switches.

This article covers those commands, explaining what they do and how they alter the behavior and/or use of a Cisco switch.

#1: hostname hostname

One of the most basic network commands, hostname configures the hostname used for a device. This hostname identifies the device to other locally connected devices for protocols such as the Cisco Discovery Protocol (CDP), which helps in the identification of devices attached directly to the network. Although it is not case-sensitive, the hostname must follow certain rules: It must begin with a letter and end in a letter or digit, and interior characters must be letters, digits, or hyphens (-).

#2: ip default-gateway gateway

The ip default-gateway command configures the default gateway for a switch when IP routing is not enabled (with the ip routing global configuration command), which is typical when lower-level Layer 2 switches are being configured. The easiest way to determine whether IP routing has been enabled is to run the show ip route command. When IP routing has not been enabled, the output will look similar to the following example:

SW1#show ip route

Default gateway is

Host               Gateway           Last Use    Total Uses  Interface

ICMP redirect cache is empty


When IP routing is enabled, the output looks similar to the output displayed on a router:

SW1#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP

       + - replicated route, % - next hop override

Gateway of last resort is not set is variably subnetted, 2 subnets, 2 masks

C is directly connected, Vlan1

L is directly connected, Vlan1


NOTE: The configuration entered with the ip default-gateway command has no effect when IP routing is enabled.

#3: username username {password | secret} password

The username command configures a username and associates a password with it. Using the password or secret version of this command is a matter of security:

  • The password version of this command will do one of two things with the configured password:
    • Place the password into the configuration in plaintext (if the service password-encryption command is not enabled).
    • Put the password through a Cisco-proprietary encryption algorithm before placing it into the configuration. (Note that this encryption is easily reversed.)
  • The secret version of this command stores a salted MD5-based hash (type 5) of the configured password in the configuration. This is much harder to crack than the reversible encoding produced by the password version. Newer IOS releases also offer stronger type 8 (PBKDF2-SHA-256) and type 9 (scrypt) hashes through the algorithm-type keyword; prefer those where the platform supports them.
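To show how “easily reversed” the password version really is, here is an added Python example (not from the Cisco Press article or from Cisco) that implements the type-7 transform IOS applies when service password-encryption is on: a two-digit offset into a fixed 53-byte key, followed by the hex of each password byte XORed with the key byte at that position. The value 0822455D0A16 is the widely documented encoding of the string cisco; the running-config excerpt the scanner reads is constructed for this example.

```python
import re

# The fixed XOR key stream used by Cisco IOS type 7 ("service password-encryption").
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decrypt(encoded: str) -> str:
    """Reverse a type-7 string: two-digit key offset, then hex of (byte XOR key[offset + i])."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"malformed type-7 string: {encoded!r}")
    offset = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(c ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, c in enumerate(body))
    return plain.decode("ascii")


def type7_encrypt(plain: str, offset: int = 8) -> str:
    """Forward direction, to show the scheme is a fixed-key XOR. IOS picks offsets 0-15."""
    if not 0 <= offset <= 15:
        raise ValueError("offset must be 0..15")
    data = plain.encode("ascii")
    return f"{offset:02d}" + "".join(
        f"{c ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]:02X}" for i, c in enumerate(data)
    )


# Matches 'enable password 7 ...', 'username x password 7 ...' and line-mode ' password 7 ...'
TYPE7_LINE = re.compile(r"^\s*(?P<line>.*?\bpassword 7 (?P<blob>[0-9A-Fa-f]+))\s*$")


def recover_type7_passwords(running_config: str):
    """Scan a config dump for 'password 7' lines and return [(config line, plaintext), ...]."""
    found = []
    for line in running_config.splitlines():
        m = TYPE7_LINE.match(line)
        if m:
            found.append((m.group("line"), type7_decrypt(m.group("blob"))))
    return found


# Constructed running-config excerpt for this example (not taken from the page).
SAMPLE_CONFIG = """\
service password-encryption
hostname SW1
enable password 7 0822455D0A16
username admin password 7 020507550A
line vty 0 4
 password 7 0822455D0A16
 login
"""

if __name__ == "__main__":
    for line, plain in recover_type7_passwords(SAMPLE_CONFIG):
        print(f"{line!r:45} -> {plain}")
```

Run against a real configuration backup, the scanner is a quick audit for devices still relying on the password form; every hit should become an enable secret or a username secret. Note that a type-7 string can be decoded from nothing more than a copy of the configuration, which is why config backups and “show run” output pasted into tickets deserve the same handling as the passwords themselves.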

This username/password can be used for a number of different features, including Telnet and SSH.

#4: enable {password | secret} password

The enable command configures the password used to enter a switch's privileged EXEC mode. Because all configuration of a Cisco IOS switch starts from privileged EXEC mode, keeping this password private is very important. As with the username command, this command has two options: password and secret. The differences between these two options are the same as those for the username command in the preceding section. The enable secret version of the command should be used in all production environments; if both are configured, the secret is the one that is checked.

Console and Terminal Login Commands

Five commands are used to configure login via the console and virtual terminal (VTY) lines of a switch:

  • password
  • login
  • exec-timeout
  • service password-encryption
  • copy running-config startup-config

The following sections describe these individual commands.

password password

When entered in line-configuration mode (console or VTY), the password command configures the password used to access the switch from that specific line. However, the password configured with this command is checked only if the login command is also present on the line (which is the default on VTY lines).

login [local]

The login command enables password checking on a line. If this command is used without any parameters, the system checks the password entered at login against the one configured with the password command discussed in the preceding section. If used with the local parameter, both a username and a password are prompted for, and the entries are checked against the local username database created with the username command discussed previously.

exec-timeout minutes [seconds]

The exec-timeout command is used to configure the amount of time that can pass before a device considers the connection idle and disconnects. By default, timeout is set to 10 minutes. This timeout can be disabled with the no exec-timeout command. (This command is a shortcut and actually enters the exec-timeout 0 0 command into the configuration.)

service password-encryption

The service password-encryption command enables the encryption of configured passwords on a device. The passwords it affects are those configured with a command's password parameter, such as username password and enable password. The encoding it applies (type 7) is not real encryption and can be reversed trivially. By and large this command is deprecated, as most network engineers use the secret version of the appropriate commands; however, even weak protection against a casual glance over someone's shoulder is better than nothing.

Copy running-config startup-config

The copy running-config startup-config command (popularly shortened to copy run start) is one of the most fundamental commands learned by new Cisco network engineers. It copies the active configuration (running-config) on a device to non-volatile memory (NVRAM) as the startup-config, which preserves the configuration across a reload. Without this command, a configuration can be lost when a device is reloaded or powered off. The copy command can also be extended to save configuration and IOS images to and from a local device, as well as to and from different locations on the local device.
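To turn the checks behind these five commands into something repeatable, here is an added Python example (not from the Cisco Press article or this post) that audits the line and username sections of a saved running-config for the weaknesses the commands address: a line with no login, a login with no line password, a disabled exec-timeout, and passwords stored in clear text or in the reversible type 7 form that service password-encryption produces. The sample configuration is constructed, and its password strings and hash are placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str]  # (scope, issue code)

# Constructed sample running-config (not captured from a real switch); the
# type 7 strings and the MD5 secret are placeholders, not real values.
SAMPLE_CONFIG = """\
hostname SW1
!
username admin password 7 0123456789ABCD
username ops secret 5 $1$XXXX$placeholderhashvalue00000
!
line con 0
 password cisco123
 login
 exec-timeout 0 0
line vty 0 4
 password 7 0123456789ABCD
 login local
 exec-timeout 10 0
line vty 5 15
 no login
 exec-timeout 15 0
!
end
"""

PASSWORD_RE = re.compile(r"^password (?:(?P<type>\d) )?(?P<value>\S+)$")
USERNAME_RE = re.compile(
    r"^username (?P<user>\S+) (?P<kw>password|secret)(?: (?P<type>\d))? \S+$")


def split_sections(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Separate top-level commands from 'line ...' sections.

    IOS indents the commands that belong to a line section by one space, so a
    non-indented command closes the current section."""
    top: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None
            top.append(raw.strip())
    return top, sections


def password_issue(type_code: Optional[str]) -> Optional[str]:
    """No type (or type 0) means clear text; type 7 is the reversible form
    written by service password-encryption; type 5 (secret) is not flagged."""
    if type_code in (None, "0"):
        return "CLEARTEXT_PASSWORD"
    if type_code == "7":
        return "TYPE7_PASSWORD"
    return None


def audit_section(name: str, cmds: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    has_password = False
    for cmd in cmds:
        m = PASSWORD_RE.match(cmd)
        if m:
            has_password = True
            issue = password_issue(m.group("type"))
            if issue:
                findings.append((name, issue))
    if "no login" in cmds:
        findings.append((name, "NO_LOGIN"))
    elif "login" in cmds and not has_password:
        # plain 'login' checks the line password, so there is nothing to check
        findings.append((name, "LOGIN_WITHOUT_PASSWORD"))
    if "exec-timeout 0 0" in cmds or "no exec-timeout" in cmds:
        findings.append((name, "NO_EXEC_TIMEOUT"))
    return findings


def audit_config(config: str) -> List[Finding]:
    top, sections = split_sections(config)
    findings: List[Finding] = []
    for cmd in top:
        m = USERNAME_RE.match(cmd)
        if m and m.group("kw") == "password":
            issue = password_issue(m.group("type"))
            if issue:
                findings.append((f"username {m.group('user')}", issue))
    for name, cmds in sections.items():
        findings.extend(audit_section(name, cmds))
    return findings


if __name__ == "__main__":
    for scope, issue in audit_config(SAMPLE_CONFIG):
        print(f"{scope:16} {issue}")
```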

Network engineers must learn many Cisco OS commands in the process of becoming a CCNA (and beyond), and understanding these basic management commands is where the process starts. Without the knowledge of how to access devices, the complex commands are useless. You must understand when learning these concepts that they are intended to be stacked on top of each other. Lack of knowledge of a few base concepts undermines learning other, more advanced concepts that build on top of those basics.

The Reference Article from http://www.ciscopress.com/articles/article.asp?p=2420612


Cisco’s IoT Part-Cisco Mobile IP Gateway 2450

September 25 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network, #Cisco Technology - IT News

The MIG-2450 is a gateway specifically designed for transportation solutions in environments such as buses, trains and planes.

Now, Cisco is focusing on the Internet of Things and delivering more than a dozen new IoT-focused products and a handful of services for channel partners. IoT can do many things for industries.

The IoT is transforming the mass transportation industry. With smart, connected devices, transit companies can monitor hundreds of details about vehicles, tracks, environmental conditions, and much more. IoT technology can also help businesses deliver the value-add services passengers are beginning to expect, such as onboard Wi-Fi.

The challenge for today’s transportation companies is to find secure, efficient ways to put this IoT technology to work. Connecting devices and endpoints across a complex, wide-ranging transportation network can take a lot of time and resources.

Cisco designed the Cisco Mobile IP Gateway 2450 to help simplify these tasks.

The MIG-2450 is a mobile connectivity gateway that delivers high availability communications between central offices, trackside operators, and transit vehicles by integrating GPS, Ethernet, Wi-Fi, and mobile broadband modems.

The MIG-2450 helps you comply with safety and interoperability regulations. It also gives you a way to collect and analyze data without the need for yet another piece of hardware to fit onboard a vehicle. And its modular design provides powerful connectivity for the services and applications that enhance the transportation experience for passengers and workers alike.


• Automate and improve communication between the back office and transit vehicles.

• Boost efficiency and simplify decision making with visibility into vehicles, workers, and security system statuses.

• Enhance the user experience with new, value-added Wi-Fi services for passengers.

• Improve safety for passengers and employees with telematics, driver performance monitoring, and systems analytics applications.

• Reduce operational costs by automating systems management and streamlining PTC compliance for safety and speed enforcement.

Built for a Wide Range of Use Cases

The Cisco Mobile IP Gateway 2450 helps make your transportation operations more efficient, cleaner, and safer. And less costly to run.

With this critical component in your network infrastructure, you can:

• Provide high-performance passenger Wi-Fi

• Implement and manage onboard information systems

• Make transportation safer with wireless surveillance

• Comply more easily with safety and speed regulations

• Remotely monitor and manage mobile assets

• Monitor driver and vehicle performance in real time

• Run systems analytics applications

Offering Options for the Way You Do Business

The MIG-2450 delivers the following features:

• Hardened, scalable industrial system with a compact form factor, wide operating temperature range, fanless operation, and compliance with AAR Standard S-9401 and EN-50155

• Centralized management to allow operators to remotely monitor, control, and perform diagnostics

• Support for up to 4 Type-1 or 10 Type-2 interface cards for extensible connectivity

• Robust connectivity with support for quality of service (QoS), dynamic roaming, multilink load balancing and failover, and link monitoring

• Durable security through Internet Protocol Security (IPsec), Secure Shell (SSH), AES encryption, and datagram transport layer security (DTLS)

Info from http://www.cisco.com/c/dam/en/us/products/collateral/se/internet-of-things/at-a-glance-c45-735028.pdf

More new IoT-related products announced from Cisco (15 in total) include:

  • IE5000 purpose-built switch designed for manufacturing and cities.
  • IW3702 wireless access point for mass transit systems and city-wide wi-fi deployments.
  • IR 809 and IR 829 series of industrial routers with wi-fi and 4G/LTE connectivity for transportation organizations.
  • 4G/LTE modules for CGR 1000 for utility companies, 5921 Embedded Services Routers for industrial networking in remote locations.
  • 360° 5MP & 720p IP cameras for situational awareness. They're also outfitted with audio and digital sensors.
  • Physical security analytics applications that connect to the IP cameras.
  • Fog computing data services for the creation of policies that can monitor and then take action on data that flows through an IoT environment.
  • IoT Field Network Director for monitoring and customizing IoT network infrastructure.
  • Fog Director for centrally managing apps that run at the network's edge.

More Related

Cisco’s IoT Part-The Cisco 829 Industrial Integrated Services Routers

What Does the New Cisco IoT System Can Do for You?


The Latest Cisco Industrial Router Family

September 22 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Routers, #Cisco Technology - IT News

Cisco IoT---Securely and Reliably Connect All Areas of Your Business

Cisco fleshed out its Internet of Things system and product line in early June this year.

IoT, the Internet of Things, is one of the most profound transitions in technology today.

The Cisco IoT System is a comprehensive set of technologies and products for enterprises to help accelerate the transition to an intelligent, IoT-based infrastructure. This broad portfolio of infrastructure technologies and products can enable customers to connect, manage, and control previously unconnected devices.

Gain deeper insights with analytics on IoT data. Better secure your physical and digital assets and data. And innovate by creating and deploying IoT applications from the cloud to the fog.

Cisco IoT System can enable industries such as manufacturing, energy, transportation, public safety, and smart cities to deploy and accelerate IoT solutions.

In San Francisco, an integrated, Internet of Things (IoT)-based network with parking, garage, and roadway sensors reduced parking search time by 43 percent. And parking citations dropped by 23 percent.

On the Aegean Motorway in Greece, IoT sensors deliver real-time traffic and weather information, speeding emergency response and improving safety and travel time.

The Internet of Things is driving efficiencies and innovation in industries ranging from energy and utilities to manufacturing, public safety, and transportation. But to realize the potential of IoT, you need reliable, high-quality, high-speed network connections to collect and transmit data from a multitude of deployed devices.

The Cisco industrial router portfolio includes a range of compact, ruggedized modular platforms on which you can build a highly secure, reliable, and scalable communications infrastructure. These products are certified to meet harsh environmental standards. They support a variety of communications interfaces, such as Ethernet, serial, fiber, cellular, WiFi, Wi-SUN RF mesh, and others.


• Reduce downtime and maintain continuous access to applications, data, and content with highly reliable platforms

• Prioritize operational traffic from SCADA networks and allocate network bandwidth using advanced quality-of-service features

• Lower operational costs and simplify new device deployments with zero-touch provisioning; manage, monitor, and update devices remotely

• Improve security with cyber and physical networkwide security policies, secure VPNs, and stateful firewalls, and gain unparalleled visibility and control

• Improve application resilience by distributing intelligence across the network using Cisco IOx, an open, extensible environment for hosting applications

• Boost efficiency and better decision making by tracking and monitoring equipment, assets, workers, and important business system components

The Cisco Industrial Router Portfolio

The complete line of industrial routers includes:

Cisco 1000 Series Connected Grid Routers: Rugged routers designed for harsh environments, like those found in the utilities industry. Ideal for integrating multiple applications, such as advanced metering infrastructure (AMI), distribution automation, distributed energy resources (DER), street lighting, and remote workforce automation, onto a single platform.

Cisco 2000 Series Connected Grid Routers: Highly secure, reliable routers for the energy and utilities industries positioned for SCADA monitoring for transmission and distribution.

Cisco ASR 903 Aggregation Services Routers: Full-featured, modular, small-footprint, and fully redundant aggregation platforms. They offer service flexibility and deliver Layer 2, IP, and Multiprotocol Label Switching (MPLS) transport for advanced Layer 2 VPN, Layer 3 VPN, and multicast services.

Cisco 500 Series WPAN Industrial Routers: Ruggedized Wi-SUN RF mesh routers that provide unlicensed 915-MHz, ISM-band wireless personal-area network (WPAN) communications enabling IoT applications, including smart metering, distribution automation, street lighting, and remote supervisory control and data acquisition (SCADA) monitoring.

Cisco 809 Industrial Integrated Services Routers: Very compact cellular (3G and 4G/LTE) industrial routers for remote deployment in various industries. They enable reliable and secure cellular connectivity for remote asset monitoring and machine-to-machine (M2M) solutions such as distribution automation, pipeline monitoring, and roadside infrastructure monitoring.

Cisco 819 Integrated Services Routers: Compact, hardened, form factor cellular (3G, WLAN, or 4G options) routers that allow businesses to deploy secure 3G WWAN services and applications, like ATMs, wireless kiosks, digital signage, and more.

Cisco 829 Industrial Integrated Services Routers: Highly ruggedized compact cellular (3G and 4G LTE with GPS and dual SIM) and WLAN (2.4/5 GHz) industrial routers supporting scalable, reliable, and secure management of fleet vehicles and mass transit applications.

Cisco 910 Industrial Router: Highly adaptable routers that you can easily integrate with third-party solutions to deliver smart city applications, such as environmental monitoring, smart parking, smart metering, and more.

Capabilities for Rugged, Industrial Settings

We designed the Cisco industrial routers to withstand harsh operating environments and to offer high-speed connectivity with the scale to handle thousands of devices. Key features include:

  1. Designed for industrial applications, including extended environmental, shock, vibration, and surge ratings; a complete set of power input options; convection cooling; and DIN rail, 19-inch rack or wall mounting.
  2. Advanced security such as Dynamic Multipoint VPN, stateful firewall, and access control lists to provide multi-layered security architecture across different places in the network.
  3. Diverse modular interfaces (Ethernet, T1/E1, 3G and 4G LTE cellular, asynch/synch, serial, and others) to interface and backhaul for different existing infrastructures.
  4. Advanced quality-of-service (QoS) capabilities to support mission-critical communications, such as substation communications or SCADA.
  5. Cisco IOx, an open, extensible environment for hosting applications at the network edge for distributed intelligence.
  6. Easy and user-friendly deployment, setup, operation, and management using network management tools such as IoT Field Network Director and Industrial Operations Kit.

Reference from http://www.cisco.com/c/dam/en/us/products/collateral/routers/809-industrial-router/at-a-glance-c45-735008.pdf

More Related Topics of Cisco Industrial Routers

Cisco’s IoT Part-The Cisco 829 Industrial Integrated Services Routers

Why Upgrade to the New Cisco 860VAE ISRs?

Cisco 890 Series ISR Info Update 2015

Compare Cisco Products and Solutions


LICENSING on Cisco 2960/3560/3750 Series

August 31 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco License

In this article, we will talk about licensing on the Cisco 2900/3500/3700 series, including the main Cisco Catalyst switches: the Cisco 2960-S and 3560-X/3750-X. This article covers the following:

  • License
  • Temporary License
  • 2960/2960-S
  • 3560/3750, 3560-G/3750-G, 3560-V2/3750-V2
  • 3560-E / 3750-E
  • 3560-X / 3750-X
  • Installing Software Licenses Using CLI
  • Removing Software Licenses Using CLI
  • License Installation on Switch Stacks.
  • List of Commands


These are the three feature sets available on the 3K platform switches:

  • LAN Base: Enterprise access Layer 2 switching features.
  • IP Base: Enterprise access Layer 3 switching features.
  • IP Services: Advanced Layer 3 switching (IPv4 and IPv6) features

(IP Services has all the feature sets that Advipservices had; advipservices is End Of Sale: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps7077/eol_c51_519629.html)

Cisco 3560-E and 3750-E Series support the IP Base and IP Services feature sets

Catalyst 3560-X and 3750-X Series support the LAN Base, IP Base, and IP Services feature sets.

The software licenses are not affected by Cisco IOS software upgrades. A software license applies only to a specific feature set. A switch can have more than one software license, but you can enable only one license at a time.

-Software Activation is a feature that is preinstalled on the switch, which allows you to install the software license for a feature set.

-This Software Activation License is unique to a specific device. In other words, licenses are locked to the switch's unique device identifier (UDI).

-A unique device identifier is made up of two components: the product ID (PID) and the serial number (SN). The serial number is an 11-digit number that uniquely identifies a device. The product ID identifies the type of device. This information can be found using the "show license udi" command on the switch CLI. So when you request a license for the switch, the first thing you need is the "UDI" of the device:

Switch# show license udi
Device#   PID                SN            UDI
*2        WS-C3750E-48PD-S   CAT1033R1XU   WS-C3750E-48PD-S:CAT1033R1XU
5         WS-C3750E-48PD-S   CAT1033R1KF   WS-C3750E-48PD-S:CAT1033R1KF

Temporary License

- A temporary software license is limited to a usage period (around 60 days). After the usage period expires, the switch continues to use the temporary software license until it is restarted. Before it restarts, warning messages state the switch is running the feature set without a valid license. After the switch restarts, the switch uses a valid software license based on the hierarchy (ipservices>ipbase>lanbase). If the switch does not have a valid license, it uses the IP base software license.

Switch#show license
Index 1 Feature: ipservices
       Period left: 8  weeks 4  days    <<<<<<< Limited usage period
        License Type: Evaluation
        License State: Active, Not in Use, EULA not accepted
        License Priority: None
        License Count: Non-Counted
Index 2 Feature: ipbase
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Priority: Medium
        License Count: Non-Counted

Here is the link that you can use to request a temporary license:


Note: On this link you should give the correct UDI of the switch (use "show license udi")

Cisco 2960/2960-S

Catalyst 2960 and 2960S switches run one of these images:

1. The LAN base software image: which provides enterprise-class intelligent services such as ACLs and QoS features. On a Catalyst 2960-S switch, stacking is also supported.

2. The LAN Lite image: This image provides reduced functionality.

The Catalyst 2960-S ships with a universal image that includes cryptographic functionality. The software image on the switch is either the LAN Base or LAN Lite image, depending on the switch model.

How to determine which image your 2960 switch is running:

i. Switches running the LAN Lite image do not support the FlexStack module. They do not have a FlexStack module slot on the rear of the switch. (More on FlexStack: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6406/white_paper_c11-578928.html)

ii. On the front of the switch, the label in the top right corner ends in –S if the switch model runs the LAN Lite image.

iii. Enter the show version privileged EXEC command. The line that shows the product ID also ends in either –L (if running the LAN base image) or –S (if running the LAN Lite image). For example, WS-C2960S-48PD-L is running LAN base; WS-C2960S-24TS-S is running LAN Lite image.

Cisco 3560/3750, 3560G/3750G, 3560V2/3750V2

Catalyst 3750 and 3560 switches run feature-specific software releases and do not support software activation. The Catalyst 3560 switch is supported by either the IP base image or the IP services image. Hence the show license command doesn't work.

3560G#show license
% Invalid input detected at '^' marker.
3560G#show license ?
% Unrecognized command

Cisco 3560E / 3750E

Catalyst 3750-E and 3560-E switches run the universal software image, which has the Cisco IOS code for multiple feature sets (ipbase and ipservices). To enable a specific feature set, you must use the software activation feature to install the software license for that feature set. Catalyst 3750-E and 3560-E switches support either the noncryptographic or the cryptographic (k9) universal software image.

They support two software feature sets: IP Base and IP Services

Beginning with Cisco IOS Release 12.2(46)SE, the switches support these features:

- Temporary software licenses

- Rehosting a software license

- Cisco License Call Home


If the switch is running a software image earlier than Cisco IOS 12.2(46)SE, to run the IP Base feature set remove the IP Services license from the switch, save the switch running configuration, and reload the switch. If the switch is running Cisco IOS Release 12.2(46)SE or later, enter the license boot level ipbase privileged EXEC command, save the switch running configuration, and reload the switch.

- If all the licenses are installed on the switch, the switch uses the highest license level, the IP services feature set.

Cisco 3560X / 3750X

Catalyst 3750-X/3560-X system is also loaded with a universal Cisco IOS Software image. Universal Cisco IOS Software images contain all Cisco IOS Software features. The level of Cisco IOS Software functionality available is determined by the combination of one (or more) licenses installed on the device. They support three software feature sets: LAN Base, IP Base, and IP Services.


For the Cisco Catalyst 3750-X/3560-X Series, in addition to universalk9 images, there are also images with the universalk9-npe designation in the image name. The reason for this alternate image type is that some countries have import regulations that require that the device does not support any strong data-plane crypto functionality, such as IEEE 802.1AE, in any form. To satisfy the import requirements of those countries, this universal image does not support any strong payload encryption (that is, it is of the no-payload-encryption type).

Installing Software Licenses Using CLI

Step 1: Log in to the switch by using the console port, the Ethernet management port, or a Telnet session.

Step 2: Copy the license file onto the flash: device from the TFTP server.

Step 3: Install the license on the switch with the following command in privileged EXEC mode:

license install file-sys:file-sys//lic-location

Once the license gets installed a log message similar to this should be seen: "%IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Next reboot level = ipservices and License = ipservices"


Switch#license install flash:FDO1229V28R_20100704203238635.lic
     Installing licenses from "flash:FDO1229V28R_20100704203238635.lic"
     Extension licenses are being installed in the device with
     UDI "WS-C3560E-48PD-S:FDO1229V28R" for the following features:
Feature Name: ipservices
    You hereby  acknowledge  and  agree that  the  product feature  license
     is terminable and that the product  feature  enabled  by  such  license
     may  be  shut  down or  terminated by  Cisco  after  expiration of  the
     applicable  term  of  the license  (e.g., 30-day  trial  period). Cisco
     reserves the  right to terminate or shut down  any such product feature
     electronically  or by  any other  means available. While alerts or such
     messages  may  be provided, it is  your sole  responsibility to monitor
     your terminable  usage of any  product  feature enabled by  the license
     and to ensure that your systems and  networks are prepared for the shut
     down of the product feature. You acknowledge  and agree that Cisco will
     not have any liability  whatsoever for  any damages, including, but not
     limited to, direct, indirect, special, or consequential damages related
     to any product  feature  being shutdown or terminated. By clicking  the
     "accept" button  or typing "yes" you are  indicating  you have read and
     agree to be bound by all the terms provided herein.
     ACCEPT? (yes/[no]): yes
     1/1 licenses were successfully installed
     0/1 licenses were existing licenses
     0/1 licenses were failed to install
     5w2d: %LICENSE-6-EULA_ACCEPTED: EULA for feature ipservices 1.0 has been accepted. UDI=WS-C3560E-48PD-S:FDO1229V28R;     StoreIndex=-1:UNKNOWN License Store
     5w2d:  %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = c3560e  Next reboot level = ipservices and License =     ipservices

Step 4: The license is installed once you have accepted the EULA, but to enable the feature set after installing the license you need to reload the device. Before reloading, the next license boot level of the switch has to be changed; use the following command to do so:

(In config mode) - license boot level license-level [switch switch-num]

If the show license all command displays the license as "Active, Not in Use, EULA not accepted," you can use the license boot level command to enable the license and accept the end-user license agreement (EULA).

Step 5: Verify that the new license was installed:

- show version | in License|license

Switch#show ver | in license|License
     License Level: ipservices
     License Type: Evaluation
     Next reload license Level: ipservices

- show license detail (it’s very important to check if the EULA is accepted or not from the command).

Switch#show license det
     Index: 1        Feature: ipservices                     Version: 1.0
             License Type: Evaluation
             License State: Active, In Use
                 Evaluation total period: 8  weeks 4  days
                 Evaluation period left: 8  weeks 3  days
                 Expiry date: Apr 30 1993 00:00:25
             License Priority: Low
             License Count: Non-Counted
             Store Index: 0
             Store Name: Evaluation License Storage
     Index: 2        Feature: ipbase                            Version: 1.0
             License Type: Permanent
             License State: Active, Not in Use
             License Priority: Medium
             License Count: Non-Counted
             Store Index: 0
             Store Name: Primary License Storage

The commands mentioned above are sufficient for troubleshooting purposes; however, there are other commands as well that might help under different circumstances:

- show license feature

Switch#show license feature
Feature name             Enforcement  Evaluation  Clear Allowed  Enabled
advipservices                 yes               yes              yes            yes
ipservices                       yes               yes              yes            no
ipbase                              no                 no               yes            no

(Use this command to check the features allowed on the switch; as you can see, it gives more detail about what you can do with each feature and its status.)

- show license udi
Switch#show license udi
Device#   PID                             SN                             UDI
*0        WS-C3560E-48PD-S      FDO1229V28R     WS-C3560E-48PD-S:FDO1229V28R

(This command displays the Unique Device Identifier of each switch, which is used during license generation. If you do not provide the correct UDI when requesting a license (from TAC or from the license portal), you will not be able to install that license on the switch.)
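An added Python example (not part of the forum document this post summarises) that automates the Step 5 verification: it parses the show license detail and show version | in license output formats shown above and reports whether the wanted feature set is installed, whether the EULA is still pending, how long an evaluation license has left, and whether the next reload level matches. The command output embedded below is constructed from the sample in this post.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed 'show license detail' output, modelled on the sample in this
# post (values are illustrative, not from a real switch).
SHOW_LICENSE_DETAIL = """\
Index: 1        Feature: ipservices                     Version: 1.0
        License Type: Evaluation
        License State: Active, In Use
            Evaluation total period: 8  weeks 4  days
            Evaluation period left: 8  weeks 3  days
            Expiry date: Apr 30 1993 00:00:25
        License Priority: Low
        License Count: Non-Counted
        Store Index: 0
        Store Name: Evaluation License Storage
Index: 2        Feature: ipbase                            Version: 1.0
        License Type: Permanent
        License State: Active, Not in Use
        License Priority: Medium
        License Count: Non-Counted
        Store Index: 0
        Store Name: Primary License Storage
"""

# Constructed 'show version | in license|License' output.
SHOW_VERSION_LICENSE = """\
License Level: ipbase
License Type: Permanent
Next reload license Level: ipservices
"""

INDEX_RE = re.compile(r"^Index:\s*(\d+)\s+Feature:\s*(\S+)\s+Version:\s*(\S+)")


def parse_license_detail(text: str) -> List[Dict[str, str]]:
    """Turn the indented 'show license detail' listing into one dict per license.

    Each 'Index:' line starts a record; every following 'Key: value' line is
    attached to that record with a lower-cased key."""
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = INDEX_RE.match(line)
        if m:
            records.append({"index": m.group(1), "feature": m.group(2),
                            "version": m.group(3)})
        elif records and ":" in line:
            key, value = line.split(":", 1)
            records[-1][key.strip().lower()] = value.strip()
    return records


def period_to_days(period: str) -> Optional[int]:
    """'8  weeks 3  days' -> 59; 'Life time' (permanent license) -> None."""
    weeks = re.search(r"(\d+)\s*weeks?", period)
    days = re.search(r"(\d+)\s*days?", period)
    if not weeks and not days:
        return None
    return 7 * int(weeks.group(1) if weeks else 0) + int(days.group(1) if days else 0)


def next_reload_level(show_version: str) -> Optional[str]:
    m = re.search(r"Next reload license Level:\s*(\S+)", show_version)
    return m.group(1) if m else None


def check_install(detail_text: str, version_text: str, wanted: str) -> Tuple[bool, List[str]]:
    """Step 5 as a check: is 'wanted' installed, is the EULA accepted, and is it
    the next reboot level? Returns (ok, notes); an evaluation license is noted
    with its remaining days but does not fail the check."""
    notes: List[str] = []
    ok = True
    lic = next((r for r in parse_license_detail(detail_text) if r["feature"] == wanted), None)
    if lic is None:
        return False, [f"{wanted}: no license entry found"]
    state = lic.get("license state", "")
    if "EULA not accepted" in state:
        ok = False
        notes.append(f"{wanted}: EULA not accepted - run 'license boot level {wanted}'")
    if lic.get("license type") == "Evaluation":
        days = period_to_days(lic.get("evaluation period left", ""))
        notes.append(f"{wanted}: evaluation license, {days} days left")
    level = next_reload_level(version_text)
    if level != wanted:
        ok = False
        notes.append(f"next reload level is {level!r}, expected {wanted!r}")
    return ok, notes


if __name__ == "__main__":
    ok, notes = check_install(SHOW_LICENSE_DETAIL, SHOW_VERSION_LICENSE, "ipservices")
    print("ready to reload" if ok else "not ready", notes)
```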

Removing Software Licenses Using CLI

In software releases earlier than Cisco IOS Release 12.2(46)SE, you have the license clear license-level [switch switch-num] privileged EXEC command. Use the license-level parameter to specify the software license to remove. Use the switch switch-num parameter to specify the stack member. The switch switch-num option is supported only on Catalyst 3750-E switches.

In Cisco IOS Release 12.2(46)SE or later, if the software license is in use (active):

  • a. Enter the license boot level license-level global configuration command to specify a license level different from the current one.
  • b. Restart the switch to enable the new software license.
  • c. Enter the license clear license-level [switch switch-num] privileged EXEC command to remove the previous software license.

Switch#license clear ipservices
Feature: ipservices
    1   License Type: Evaluation
        License State: Active, Not in Use, EULA accepted
            Evaluation total period: 8  weeks 4  days
            Evaluation period left: 0  minute  0  second
        License Addition: Additive
        License Count: Non-Counted
        Comment:
        Store Index: 1
        Store Name: Primary License Storage
Are you sure you want to clear? (yes/[no]): yes
Switch#
5w2d:  %LICENSE-6-REMOVE: Feature ipservices 1.0 was removed from this device.  UDI=WS-C3560E-48PD-S:FDO1229V28R; StoreIndex=1:Primary License Storage

Backing up and saving software license information: enter the license save {credential url | url} privileged EXEC command.

License Installation on Switch Stack



List of Commands

  • show license [all | detail]
  • show license udi
  • show version | in license|License
  • show license feature
  • license install flash:filename.lic
  • license boot level feature-set
  • license clear license-level (ex: license clear ipservices)

Reference from https://supportforums.cisco.com/document/69361/licensing-290035003700

More about Cisco’s Licensing

Cisco ONE Software Licensing Program

How to Upgrade the License from IP Base to IP Services on 3750-X Stack?

Cisco Licenses on Cisco ISR G2

Cisco 800 Series Licensing Options


GRE tunnel vs. IPsec tunnel

August 14 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

In the article "How to Configure a GRE Tunnel?" we talked about what tunneling is and how to configure a GRE tunnel. In this article we continue with the GRE tunnel and the IPsec tunnel: what are the differences?

Encapsulating a packet for secure transportation on the network can be done using either GRE or IPsec protocols. This tip explains under what circumstances each protocol works best.

Generic Routing Encapsulation (GRE), defined by RFC 2784, is a simple IP packet encapsulation protocol. GRE is used when IP packets need to be sent from one network to another, without being parsed or treated like IP packets by any intervening routers.

For example, in Mobile IP, a mobile node registers with a Home Agent. When the mobile node roams to a new network, it registers with a Foreign Agent there. Whenever IP packets addressed to the mobile node are received by the Home Agent, they can be relayed over a GRE tunnel to the Foreign Agent for delivery. It does not matter how the Home Agent and Foreign Agent communicate with each other -- hops in between just pass along the GRE packet. Only the GRE tunnel endpoints -- the two Agents -- actually route the encapsulated IP packet.

The IP Security (IPsec) Encapsulating Security Payload (ESP), defined by RFC 2406, also encapsulates IP packets. However, it does so for a different reason: to secure the encapsulated payload using encryption. IPsec ESP is used when IP packets need to be exchanged between two systems while being protected against eavesdropping or modification along the way.

For example, in a site-to-site VPN, a source host in network "A" transmits an IP packet. When that packet reaches the edge of network "A" it hits a VPN gateway. VPN gateway "A" encrypts the private IP packet and relays it over an ESP tunnel to a peer VPN gateway at the edge of network "B." VPN gateway "B" then decrypts the packet and delivers it to the destination host. Like GRE, it doesn't really matter how the two VPN gateways communicate with each other -- hops in between just pass along the ESP packet. But unlike GRE, someone at those hops could not possibly look at or change the encapsulated IP packet, even if they wanted to. That's because cryptographic algorithms have been applied to scramble the IP packet and detect any modification or replay.

Use GRE where IP tunneling without privacy is required -- it's simpler and thus faster. But, use IPsec ESP where IP tunneling and data privacy are required -- it provides security features that are not even attempted by GRE.


  • IPsec stands for Internet Protocol Security while GRE stands for Generic Routing Encapsulation.
  • IPsec is the primary protocol of the Internet while GRE is not.
  • GRE can carry other routed protocols as well as IP packets in an IP network while IPsec cannot.
  • IPsec offers more security than GRE does because of its authentication feature.
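To make the difference concrete, here is an added Python example (not from the original article) that builds an RFC 2784 GRE packet around a constructed inner IPv4 packet and then parses it the way any intermediate hop could: the inner addresses and payload are readable in full, which is exactly what ESP's encryption is there to prevent. The 203.0.113.0/24 and 198.51.100.0/24 tunnel endpoints are documentation addresses chosen for the example, and the inner hosts and payload are constructed as well.

```python
import socket
import struct
from typing import Dict

GRE_PROTO = 47           # IP protocol number carried in the outer header
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an IPv4 payload
GRE_VERSION = 0          # RFC 2784 GRE


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement sum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """RFC 2784 GRE header with no optional fields (C=0, reserved=0, version=0,
    protocol type 0x0800), then the inner IP packet, inside an outer IPv4
    header whose protocol field is 47."""
    gre_header = struct.pack("!HH", GRE_VERSION, ETHERTYPE_IPV4)
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTO, gre_header + inner_packet)


def parse_ipv4(packet: bytes) -> Dict[str, object]:
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "ihl": ihl, "total_len": total_len, "ttl": ttl,
            "proto": proto, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "payload": packet[ihl:]}


def transit_hop_view(packet: bytes) -> Dict[str, object]:
    """What an intermediate router (or anyone on the path) can see: it forwards
    on the outer header, but nothing stops it from reading the GRE payload."""
    outer = parse_ipv4(packet)
    view: Dict[str, object] = {"outer_src": outer["src"], "outer_dst": outer["dst"],
                               "outer_proto": outer["proto"]}
    if outer["proto"] != GRE_PROTO:
        return view
    flags_ver, proto_type = struct.unpack("!HH", outer["payload"][:4])
    view["gre_version"] = flags_ver & 0x7
    view["gre_protocol_type"] = proto_type
    # C bit clear -> no checksum/reserved1 word, inner packet starts at offset 4
    if proto_type == ETHERTYPE_IPV4 and (flags_ver & 0x8000) == 0:
        inner = parse_ipv4(outer["payload"][4:])
        view.update({"inner_src": inner["src"], "inner_dst": inner["dst"],
                     "inner_payload": inner["payload"]})
    return view


def gre_decapsulate(packet: bytes) -> bytes:
    """Tunnel endpoint behaviour: strip the outer IP and GRE headers and hand
    back the inner packet for normal routing."""
    outer = parse_ipv4(packet)
    if outer["proto"] != GRE_PROTO:
        raise ValueError("not a GRE packet")
    flags_ver, proto_type = struct.unpack("!HH", outer["payload"][:4])
    if (flags_ver & 0x7) != GRE_VERSION or proto_type != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header")
    offset = 8 if flags_ver & 0x8000 else 4  # checksum + reserved1 add 4 bytes when C=1
    return outer["payload"][offset:]


if __name__ == "__main__":
    inner = build_ipv4("10.1.1.10", "10.2.2.20", 17, b"hello")  # constructed inner packet
    tunnelled = gre_encapsulate(inner, "203.0.113.1", "198.51.100.1")
    print(transit_hop_view(tunnelled))  # inner_src/inner_dst/inner_payload all in the clear
    assert gre_decapsulate(tunnelled) == inner
```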

More Related Topics

Tips & Examples: Configuring a GRE Tunnel


Configuring WCCP? GRE Redirection in WCCP Creates New Tunnel Interfaces

August 11 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Networking, #Data Center

WCCP (Web Cache Communication Protocol) was initially designed as a component of IOS whose purpose was to intercept HTTP traffic traversing a router and redirect that traffic to a local cache, with the aim of reducing access times to web sites and conserving wide-area bandwidth. Typically the packets are redirected from their destination web server on the Internet to a content engine that is local to the client. In some WCCP deployment scenarios, redirection of traffic may also be required from the web server to the client. WCCP enables you to integrate content engines into your network infrastructure. With the introduction of WCCPv2 the scope of the protocol widened to include traffic types other than HTTP, allowing the protocol to be used as a more general interception mechanism. In WCCPv2, clients specify the nature of the traffic to be intercepted and forwarded to external devices, which are then in a position to provide services based upon the traffic type, such as WAN optimisation and application acceleration.

Cisco IOS Release 12.1 and later releases allow the use of either WCCP Version 1 (WCCPv1) or Version 2 (WCCPv2).

WCCP VRF Support

The WCCP VRF Support feature enhances the existing WCCPv2 protocol by implementing support for virtual routing and forwarding (VRF).

The WCCP VRF Support feature allows service groups to be configured on a per-VRF basis in addition to those defined globally.

Along with the service identifier, the VRF of WCCP protocol packets arriving at the router is used to associate cache engines with a configured service group.

The interface on which redirection is applied, the interface that is connected to the cache engine, and the interface on which the packet would have left if it had not been redirected must all be in the same VRF.

In Cisco IOS Release 12.2(33) SRE, this feature is supported only on Cisco 7200 NPE-G2 and Cisco 7304-NPE-G100 routers.

Configuring WCCP

Until you configure a WCCP service using the ip wccp {web-cache | service-number} global configuration command, WCCP is disabled on the router. The first use of a form of the ip wccp command enables WCCP. By default WCCPv2 is used for services, but you can use WCCPv1 functionality instead. To change the running version of WCCP from Version 2 to Version 1, or to return to WCCPv2 after an initial change, use the ip wccp version command in global configuration mode.

If a function is not allowed in WCCPv1, an error prompt will be printed to the screen. For example, if WCCPv1 is running on the router and you try to configure a dynamic service, the following message will be displayed: "WCCP V1 only supports the web-cache service." The show ip wccp EXEC command will display the WCCP protocol version number that is currently running on your router.

Using the ip wccp web-cache password command, you can set a password for a router and the content engines in a service group. MD5 password security requires that each router and content engine that wants to join a service group be configured with the service group password. The password can consist of up to eight characters. Each content engine or router in the service group will authenticate the security component in a received WCCP packet immediately after validating the WCCP message header. Packets failing authentication will be discarded.


1. enable

2. configure terminal

3. ip wccp version {1 | 2}

4. ip wccp [vrf vrf-name] {web-cache | service-number} [group-address group-address] [redirect-list access-list] [group-list access-list] [password password [0| 7]]

5. interface type number

6. ip wccp [vrf vrf-name] {web-cache | service-number} redirect {out | in}

7. exit

8. interface type number

9. ip wccp redirect exclude in
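
As an added example (not from the original post or from Cisco's documentation), the following Python audits an IOS configuration assembled from the commands in the nine steps above and reports every service group defined without the MD5 password or without a group-list ACL. The configuration text, interface names, ACL numbers, VRF name and password are constructed for illustration.

```python
import re

# Constructed IOS configuration following the nine steps above (a sample, not a
# real device): service 61 is authenticated and restricted to a cache-engine
# ACL; service 62 and the VRF service have gaps that the audit reports.
SAMPLE_CONFIG = """\
ip wccp version 2
ip wccp web-cache password s3cret
ip wccp 61 redirect-list 100 group-list 10 password s3cret
ip wccp 62
ip wccp vrf GUEST 90 group-list 20
!
interface GigabitEthernet0/0
 ip wccp web-cache redirect in
 ip wccp 61 redirect in
 ip wccp 62 redirect in
!
interface GigabitEthernet0/1
 ip wccp redirect exclude in
"""
# Global service definition: ip wccp [vrf NAME] {web-cache | N} [options ...]
SERVICE_RE = re.compile(r"^ip wccp(?: vrf (?P<vrf>\S+))? (?P<svc>web-cache|\d+)(?P<opts>.*)$")

def audit_wccp(config):
    """Return {service: [findings]} for each WCCP service group defined globally.

    Without a password the group performs no MD5 authentication of the routers and
    content engines that join it; without a group-list it does not restrict which
    cache-engine addresses may register for the service.
    """
    findings = {}
    for line in config.splitlines():
        if line.startswith(" "):        # indented lines are interface sub-commands
            continue
        m = SERVICE_RE.match(line)
        if not m:
            continue
        opts = m.group("opts").split()
        name = m.group("svc") + (f" vrf {m.group('vrf')}" if m.group("vrf") else "")
        issues = []
        if "password" not in opts:
            issues.append("no password: service-group membership is unauthenticated")
        if "group-list" not in opts:
            issues.append("no group-list: any cache engine may join the group")
        findings[name] = issues
    return findings

def insecure_services(config):
    """Names of the service groups with at least one finding, sorted."""
    return sorted(s for s, f in audit_wccp(config).items() if f)
```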

Tunnel Interfaces

In IOS versions where WCCP is VRF aware, such as 15.0M and 15.1T, the use of GRE redirection will result in some new tunnel interfaces appearing. On the ASR platform these tunnel interfaces are also present from IOS XE release 2.5 onwards (although VRF support within WCCP on the ASR platform is not present until IOS XE release 3.1).

Examples of the new tunnel interfaces are shown below:

Router#show ip wccp summary
WCCP version 2 enabled, 3 services

Service     Clients   Routers   Assign      Redirect   Bypass    
-------     -------   -------   ------      --------   ------    
Default routing table (Router Id:
web-cache   1         1         HASH        GRE        GRE       
61          1         1         HASH        GRE        GRE       
62          1         1         HASH        GRE        GRE       

Router#show ip interface brief | include Tun
Tunnel0            YES unset  up                    up     
Tunnel1            YES unset  up                    up     
Tunnel2            YES unset  up                    up     
Tunnel3            YES unset  up                    up     

The tunnels are created automatically to process outgoing GRE encapsulated traffic for WCCP. They appear when a cache engine connects and requests GRE redirection. They're not created directly by WCCP, but indirectly via a tunnel API. WCCP has no direct knowledge of these tunnel interfaces, but knows enough to cause packets to be redirected to them. This results in the appropriate encapsulation being applied, after which the packet is then sent to the cache engine. Note that these interfaces are not used in connection with incoming WCCP GRE return packets.

There is one tunnel created per service group that is using GRE redirection, plus one additional tunnel to provide an IP address to allow the other tunnel group interfaces to be unnumbered but still enabled for IPv4. Some information about the tunnels is shown with the command show tunnel groups wccp, although this is unlikely to be useful to the end-user other than to confirm the connection between the tunnels and WCCP.

Router#show tunnel groups wccp             
 WCCP : service group 0 in "Default", ver v2, assgnmnt: hash-table
   intf: Tunnel0, locally sourced
 WCCP : service group 317 in "Default", ver v2, assgnmnt: hash-table
   intf: Tunnel3, locally sourced
 WCCP : service group 318 in "Default", ver v2, assgnmnt: hash-table
   intf: Tunnel2, locally sourced
Router#show tunnel interface t0
   Mode:multi-GRE/IP, Destination UNKNOWN, Source
   Application ID 2: WCCP : service group 0 in "Default", ver v2, assgnmnt: hash-table
   Linestate - current up
   Internal linestate - current up, evaluated up
Router#show tunnel interface t1
   Mode:multi-GRE/IP, Destination UNKNOWN, Source
   Application ID 2: unspecified
   Linestate - current up
   Internal linestate - current up, evaluated up
Router#show tunnel interface t2
   Mode:multi-GRE/IP, Destination UNKNOWN, Source
   Application ID 2: WCCP : service group 318 in "Default", ver v2, assgnmnt: hash-table
   Linestate - current up
   Internal linestate - current up, evaluated up
Router#show tunnel interface t3
   Mode:multi-GRE/IP, Destination UNKNOWN, Source
   Application ID 2: WCCP : service group 317 in "Default", ver v2, assgnmnt: hash-table
   Linestate - current up
   Internal linestate - current up, evaluated up

Note that the service group number shown above is the internal tunnel representation of the WCCP service group number. Group 0 is the web-cache service; for dynamic services, subtract 256 to convert to the WCCP service group number. For interfaces used for redirection, the source address shown is the WCCP router ID.
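
An added example, not part of the original post: a small Python parser that applies the conversion just described to the show tunnel groups wccp output and cross-checks the result against show ip wccp summary, so that every GRE-redirected service maps to a tunnel and no tunnel points at a service the router does not report. The sample outputs are constructed from the listings above; the function names are my own.

```python
import re

# Constructed samples shaped like the two show outputs quoted above (numbers from those listings).
SHOW_TUNNEL_GROUPS = """\
 WCCP : service group 0 in "Default", ver v2, assgnmnt: hash-table
   intf: Tunnel0, locally sourced
 WCCP : service group 317 in "Default", ver v2, assgnmnt: hash-table
   intf: Tunnel3, locally sourced
 WCCP : service group 318 in "Default", ver v2, assgnmnt: hash-table
   intf: Tunnel2, locally sourced
"""
SHOW_WCCP_SUMMARY = """\
Service     Clients   Routers   Assign      Redirect   Bypass
web-cache   1         1         HASH        GRE        GRE
61          1         1         HASH        GRE        GRE
62          1         1         HASH        GRE        GRE
"""
GROUP_RE = re.compile(r'service group (\d+) in "([^"]+)"')
INTF_RE = re.compile(r"intf: (Tunnel\d+)")

def internal_to_wccp(internal_id):
    """0 is the web-cache service; dynamic services are offset by 256."""
    if internal_id == 0:
        return "web-cache"
    if internal_id < 256:
        raise ValueError(f"internal group {internal_id} is neither 0 nor >= 256")
    return str(internal_id - 256)

def map_wccp_tunnels(output):
    """Return {tunnel: (routing table, WCCP service)} from show tunnel groups wccp."""
    mapping, current = {}, None
    for line in output.splitlines():
        if g := GROUP_RE.search(line):
            current = (g.group(2), internal_to_wccp(int(g.group(1))))
        elif (i := INTF_RE.search(line)) and current:
            mapping[i.group(1)], current = current, None
    return mapping

def gre_services(summary):
    """Services whose Redirect column reads GRE in show ip wccp summary."""
    rows = (ln.split() for ln in summary.splitlines())
    return {c[0] for c in rows if len(c) >= 5 and c[4] == "GRE"
            and (c[0] == "web-cache" or c[0].isdigit())}

def check_tunnels(groups_output, summary):
    """GRE-redirected services with no tunnel, and tunnels bound to unreported services."""
    seen = {svc for _, svc in map_wccp_tunnels(groups_output).values()}
    expected = gre_services(summary)
    return {"missing_tunnel": sorted(expected - seen),
            "unknown_service": sorted(seen - expected)}
```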

Information relating to the connected cache engines and encapsulation, including software packet counters, can be seen with the command "show adjacency <tunnel-interface> ...":

Router#show adjacency t0              
Protocol Interface                 Address
IP       Tunnel0         
Router#show adjacency t0 encapsulation
Protocol Interface                 Address
IP       Tunnel0         
  Encap length 28
  Provider: TUNNEL
  Protocol header count in macstring: 3
    HDR 0: ipv4
       dst: static,
       src: static,
      prot: static, 47
       ttl: static, 255
        df: static, cleared
      per packet fields: tos ident tl chksm
    HDR 1: gre
      prot: static, 0x883E
      per packet fields: none
    HDR 2: wccpv2
       dyn: static, cleared
      sgID: static, 0
      per packet fields: alt altB priB
Router#show adjacency t0 detail
Protocol Interface                 Address
IP       Tunnel0         
                                   connectionid 1
                                   0 packets, 0 bytes
                                   epoch 0
                                   sourced in sev-epoch 1
                                   Encap length 28
                                   Tun endpt
                                   Next chain element:
                                    IP adj out of Ethernet0/0, addr
Router#show adjacency t0 internal
Protocol Interface                 Address
IP       Tunnel0         
                                   connectionid 1
                                   0 packets, 0 bytes
                                   epoch 0
                                   sourced in sev-epoch 1
                                   Encap length 28
                                   Tun endpt
                                   Next chain element:
                                    IP adj out of Ethernet0/0, addr
                                    parent oce 0x4BC76A8
                                    frame originated locally (Null0)
                                   L3 mtu 17856
                                   Flags (0x2808C4)
                                   Fixup enabled (0x40000000)
                                         GRE WCCP redirection
                                   HWIDB/IDB pointers 0x55A13E0/0x35F5A80
                                   IP redirect disabled
                                   Switching vector: IPv4 midchain adj oce
                                   IP Tunnel stack to in Default (0x0)
                                    nh tracking enabled:
                                    IP adj out of Ethernet0/0, addr
                                   Adjacency pointer 0x4BC74D8

For more information on configuring WCCP, please refer to the following document:


Related Information

Common WAAS/WCCP issues on interactions with Security Devices

Troubleshooting Prepositioning on WAAS 4.1.1 and above

Topic from https://supportforums.cisco.com/document/60636/gre-redirection-wccp-creates-new-tunnel-interfaces

More Cisco and IT...Networking Topics you can visit: http://blog.router-switch.com/
