Follow this blog
Administration Create my blog
Cisco & Cisco Network Hardware News and Technology

Recent posts

How to Configure SSLVPN on Cisco CSR1000V (Cloud Services Router 1000V)?

May 28 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Routers

Network Diagram-Configure SSLVPN on Cisco CSR1000V

Network Diagram-Configure SSLVPN on Cisco CSR1000V

How to configure a Cisco CSR1000V Router for terminating Anyconnect client based connections? Namita Sharma (A volunteer in Cisco Support Community) shared a guide of configuring a Cisco CSR1000V Router. What do you need to prepare before configuration. What are the detailed steps? Let’s see…

Firstly, you should ensure that you meet these requirements before you attempt this configuration:

Cisco Cloud Services Router 1000V running IOS XE 3.12 or higher
Cisco AnyConnect Secure Mobility Client 3.x or higher

Components Used:

Cisco Cloud Services Router 1000V running IOS XE 3.12
Cisco AnyConnect Secure Mobility Client 3.1.05160
Microsoft Windows 7

Network Diagram-Configure SSLVPN on Cisco CSR1000V (The Figure)

Anyconnect Configuration:

1. Configure SSL Server Self-Signed Certificate

# Generate an Rivest-Shamir-Addleman (RSA) Key with a length of 2048 bytes:
crypto key generate rsa general-keys label anyconnect modulus 2048

# Configure a trustpoint for the self-signed certificate, and apply this RSA Keypair:     
crypto pki trustpoint anyconnectvpn
  enrollment selfsigned
  subject-name CN=
  revocation-check none
  rsakeypair anyconnect

# Once the trustpoint is configured, enroll the self-signed certificate
crypto pki enroll anyconnectvpn
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes

Router Self Signed Certificate successfully created

2. Upload and Apply the Anyconnect client software

copy tftp:// flash

Address or name of remote host []?

Source filename [anyconnect-win-3.1.05160-k9.pkg]?

Destination filename [anyconnect-win-3.1.05160-k9.pkg]?

Accessing tftp://!!!!!!!!!!!!!

Writing file disk0:/anyconnect-win-3.1.05160-k9.pkg...
2635734 bytes copied in 4.480 secs (658933 bytes/sec)

# Apply this Anyconnect client image to the configuration
crypto vpn anyconnect flash:/anyconnect-win-3.1.05160-k9.pkg sequence 1

3. Configure the User Database

aaa authentication login sslvpn local
aaa authorization network sslvpn local
username Anyconnect password Anyconnect123

4. Configure the VPN pool

# Define the local pool that is used in order to assign IP addresses to the clients when they connect

ip local pool SSL_Client

5. Define the supported ciphers under SSL Proposal

crypto ssl proposal sslvpn-proposal
 protection rsa-3des-ede-sha1 rsa-rc4128-md5 rsa-aes128-sha1 rsa-aes256-sha1

6. Create a split-tunnel access-list to be pushed out as a secure route to the Anyconnect clients

ip access-list standard sslvpn-tunnel

7. Configure an SSL Policy that defines the ciphers to be supported and the trustpoint to be used during SSL negotiation.

crypto ssl policy sslvpn-policy
ssl proposal ssl_proposal
pki trustpoint anyconnectvpn sign
ip address local port 443
no shut

8. Create an SSL Authorization Policy locally on the Router with the authorization parameters to be pushed out to the clients

crypto ssl authorization policy sslvpn-auth-policy
pool SSL_Client
route set access-list sslvpn-tunnel

9. Define the configured authentication and authorization lists under an SSL Profile

crypto ssl profile sslvpn-profile
 match policy sslvpn-policy
 aaa authentication list sslvpn
 aaa authorization group list sslvpn sslvpn-auth-policy
 authentication remote user-credentials
 max-users 100

10. Verify your connection

Once a Client connects, you can view the status using:

show crypto ssl session user Anyconnect detail
Session Type      : Full Tunnel
Client User-Agent : AnyConnect Windows 3.1.05160

Username          : Anyconnect           Num Connection : 1
Public IP         :
Profile           : ssl_profile
Policy            : ssl_policy
Last-Used         : 00:00:06                Created        : *10:00:00.928 UTC Mon Apr 6 2014
Session Timeout   : 43200                Idle Timeout   : 1800
DNS primary       :
DPD GW Timeout    : 300                  DPD CL Timeout : 300
Address Pool      : SSL_Client           MTU Size       : 1406
Disconnect Time   : 0
Rekey Time        : 3600
Lease Duration    : 43200                Keepalive      : 30
Tunnel IP         :         Netmask        :
Rx IP Packets     : 533                     Tx IP Packets  : 462
Virtual Access    : 1
CSTP Started      : 00:46:50             Last-Received  : 00:00:06
CSTP DPD-Req sent : 0
Msie-ProxyServer  : None
Msie-PxyOption    : Disabled
Msie-Exception    : None
Split DNS         : None
ACL               : sslvpn-tunnel
Default Domain    :
Client Ports      : 49423

Detail Session Statistics for User:: Anyconnect

CSTP Statistics::
Rx CSTP Frames    : 322                Tx CSTP Frames   : 0
Rx CSTP Bytes     : 63453              Tx CSTP Bytes    : 3423
Rx CSTP Data Fr   : 643                 Tx CSTP Data Fr  : 233
Rx CSTP CNTL Fr   : 36                 Tx CSTP CNTL Fr  : 0
Rx CSTP DPD Req   : 0                  Tx CSTP DPD Req  : 0
Rx CSTP DPD Res   : 0                  Tx CSTP DPD Res  : 0
Rx Addr Renew Req : 0                  Tx Address Renew : 0
Rx Dropped Frames : 0                  Tx Dropped Frame : 0
Rx IP Packets     : 167                    Tx IP Packets    : 532
Rx IP Bytes       : 8375                   Tx IP Bytes      : 18573

CEF Statistics::
Rx CSTP Data Fr   : 0                   Tx CSTP Data Fr  : 0
Rx CSTP Bytes     : 0                    Tx CSTP Bytes    : 0

Guide from More discussion you can read here…

More Topics Related to Cisco Routers you can visit here

See comments

Types of Cisco Ethernet Switches

May 21 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Modular and Fixed Configuration, these two are the main categories of Cisco Ethernet switches.

Modular switches, modular, as the name implies, allows you to add expansion modules into the switches as needed, thereby delivering the best flexibility to address changing networks. Examples of expansion modules are application-specific (such as Firewall, Wireless, or Network Analysis), modules for additional interfaces, power supplies, or cooling fans. Cisco Catalyst 4K and 6K (including Cisco Nexus 7000 Series Switches, Catalyst 6800 Series Switches, Catalyst 6500 Series Switches, Catalyst 4500-X Series Switches, Catalyst 3850 Fiber Switch Models) are good examples of Modular switches.

Fixed Configuration switches are switches with a fixed number of ports and are typically not expandable. This category is discussed in further detail below. Cisco Catalyst 2K, 3K (contains Catalyst 4500E Series Switches, Catalyst 3850 Series Switches, Catalyst 3650 Series Switches and Catalyst 2960-X Series Switches) and the Cisco300/500 series (Cisco 100 Series Unmanaged Switches, 200 Series Smart Switches, 220 Series Smart Plus Switches, 300 Series Managed Switches, 500 Series Stackable Managed Switches, and Catalyst 2960, 2960-C and 2960-S Series Switches) are good examples of Fixed Configuration switches.

The Fixed configuration switch category is further broken down into:

–Unmanaged Switches

–Smart Switches

–Managed L2 and L3 Switches

Unmanaged Switches

This category of switch is the most cost effective for deployment scenarios that require only basic layer 2 switching and connectivity. As such, they fit best when you need a few extra ports on your desk, in a lab, in a conference room, or even at home.

With some unmanaged switches in the market, you can even get capabilities such as cable diagnostics, prioritization of traffic using default QoS settings, Energy savings capabilities using EEE (Energy Efficient Ethernet) and even PoE (Power over Ethernet). However, as the name implies, these switches generally cannot be modified/managed. You simply plug them in and they require no configuration at all.

Cisco 100 Series switches are good examples of this category.

Smart Switches (also known as Lightly Managed Switches):

This category of switches is the most blurred and fastest changing. The general rule here is that these switches offer certain levels of Management, QoS, Security, etc. but is “lighter” in capabilities and less scalable than the Managed switches. It therefore makes them a cost-effective alternative to Managed switches. As such, Smart switches fit best at the edge of a large network (with Managed Switches being used in the core), as the infrastructure for smaller deployments, or for low complexity networks in general.

The capabilities available for this Smart switch category vary widely. All of these devices have an interface for Management – historically a browser-based interface used to be the only way to configure these devices, though nowadays you can manage some of these devices with CLI and/or SNMP/RMON as well. Regardless, these capabilities are lighter than what you will find in their Managed switch counterparts. Smart switches tend to have a management interface that is more simplified than what Managed Switches offer.

Smart switches allow you to segment the network into workgroups by creating VLANs, though with a lower number of VLANs and nodes (MAC addresses) than you’d get with a Managed switch.

They also offer some levels of security, such as 802.1x endpoint authentication, and in some cases with limited numbers of ACLs (access control lists), though the levels of control and granularity would not be the same as a Managed switch.

In addition, Smart switches support basic quality-of-service (QoS) that facilitates prioritization of users and applications based on 802.1q/TOS/DSCP, thereby making it quite a versatile solution.

Cisco 200 Series switches are good examples of this category.

Fully Managed L2 and L3 switches

Managed Switches are designed to deliver the most comprehensive set of features to provide the best application experience, the highest levels of security, the most precise control and management of the network, and offer the greatest scalability in the Fixed Configuration category of Switches. As a result, they are usually deployed as aggregation/access switches in very large networks or as core switches in relatively smaller networks. Managed switches should support both L2 switching and L3 IP routing though you’ll find some with only L2 switching support.

From a Security perspective, Managed switches provide protection of the data plane (User traffic being forwarded), control plane (traffic being communicated between networking devices to ensure user traffic goes to the right destination), and management plane (traffic used to manage the network or device itself). Managed switches also offer network storm control, denial-of-service protection, and much more.

The Access Control List capabilities allows for flexibly dropping, rate limiting, mirroring, or logging of traffic by L2 address, L3 address, TCP/UDP port numbers, Ethernet type, ICMP or TCP flags, etc.

Managed switches are rich in features that enable them to protect themselves and the network from deliberate or unintended Denial of Service attacks. It includes Dynamic ARP Inspection, IPv4 DHCP snooping, IPv6 First Hop Security with RA Guard, ND Inspection, Neighbor Binding Integrity, and much more.

Additional Security capabilities may include Private VLANs for securing communities of users or device isolation, Secure Management (downloads through SCP, Web-based Authentication, Radius/TACACS AAA, etc), Control Plane Policing (CoPP) for protecting the CPU of the switch, richer support for 802.1x (time-based, Dynamic VLAN Assignment, port/host-based, etc)

From a Scalability perspective, these devices have large table sizes so that you can create large numbers of VLANs (for workgroups), devices (MAC table size), IP routes, and ACL policies for flow-based security/QoS purposes, etc.

For highest network availability and uptime, Managed switches support L3 redundancy using VRRP (Virtual Router Redundancy Protocol), large numbers of Link Aggregation groups (which is used both for scalability and resiliency), and capabilities for protecting L2 such as Spanning Tree Root Guard and BPDU Guard.

When we talk about QoS and Multicast features, the richness of capabilities goes far beyond what you’d see in a Smart Switch. Here you’d see things such as IGMP and MLD Snooping with Querier functions for optimizing IPv4/v6 multicast traffic in the LAN, TCP Congestion Avoidance, 4 or 8 queues to treat traffic differently by importance, setting/tagging traffic by L2 (802.1p) or L3 (DSCP/TOS), and rate limiting traffic.

In terms of Management, things such as multiple ways to configure (using CLI, Web GUI, SNMP Management application), discovering of neighbor devices in the networks (using CDP, LLDP, Bonjour, etc), and troubleshooting capabilities (such as VLAN and Port Mirroring, Traceroute, Ping, Syslog, Cable Diagnostics, RMON, etc) are all included. What I highlighted is by no means exhaustive, but gives you a sense of what some of the differences may be between Managed and Smart Switches.

Cisco Catalyst and Cisco 300 Series and 500 Series switches are good examples of this category of products.

Managed Switches can go even further than what I’ve highlighted. For example, there’s even richer support for Dynamic Unicast and Multicast Routing protocols, deeper flow intelligence or macro flow statistics with Netflow/SFlow, non-Stop Forwarding capabilities, MPLS/VRF support, Policy enforcement, and many others.

Now, to take a deeper dive into these switch categories and talk about various options, you can select the switches based on:

– Speed

– Number of ports

– POE versus non-POE

– Stackable versus Standalone


You can find Fixed Configuration switches in Fast Ethernet (10/100 Mbps), Gigabit Ethernet (10/100/1000 Mbps), Ten Gigabit (10/100/1000/10000 Mbps) and even some 40/100 Gbps speeds. These switches have a number of uplink ports and a number of downlink ports. Downlinks connect to end users – uplinks connect to other Switches or to the network infrastructure. Currently, Gigabit is the most popular interface speed though Fast Ethernet is still widely used, especially in price-sensitive environments. Ten Gigabit has been growing rapidly, especially in the datacenter and, as the cost comes down, it will continue to expand into more network applications. With 10GBase-T Ten Gigabit copper interfaces being integrated into LOM (LAN on the Motherboard) and 10G-Base-T switches becoming available now (see the new Cisco SG500XG-8F8T 16-port 10-Gigabit switch), building a Storage or Server farm with 10 Gigabit interfaces has never been easier or more cost-effective. 40G/100G is still emerging and will be mainstream in a few years.

Number of ports

Fixed Configuration Switches typically come in 5, 8, 10, 16, 24, 28, 48, and 52-port configurations. These ports may be a combination of SFP/SFP+ slots for fiber connectivity, but more commonly they are copper ports with RJ-45 connectors on the front, allowing for distances up to 100 meters. With Fiber SFP modules, you can go distances up to 40 kilometers

POE versus non-POE

Power over Ethernet is a capability that facilitates powering a device (such as an IP phone, IP Surveillance Camera, or Wireless Access Point) over the same cable as the data traffic. One of the advantages of PoE is the flexibility it provides in allowing you to easily place endpoints anywhere in the business, even places where it might be difficult to run a power outlet. One example is that you can place a Wireless Access Point inside a wall or ceiling.

Switches deliver power according to a few standards – IEEE 802.3af delivers power up to 15.4 Watts on a switch port whereas IEEE 802.3at (also known as POE+) delivers power up to 30 Watts on a switch port. For most endpoints, 802.3af is sufficient but there are devices, such as Video phones or Access Points with multiple radios, which have higher power needs. It’s important to point out that there are other PoE standards currently being developed that will deliver even high levels of power for future applications. Switches have a power budget set aside for running the switch itself, and also an amount of power dedicated for POE endpoints.

To find the switch that is right for you, all you need to do is choose a switch according to your power needs. When connecting to desktops or other types of devices which do not require POE, the non-POE switches are a more cost-effective option.

Stackable versus Standalone

As the network grows, you will need more switches to provide network connectivity to the growing number of devices in the network. When using Standalone switches, each switch is managed, troubleshot, and configured as an individual entity.

In contrast, Stackable switches provide a way to simplify and increase the availability of the network. Instead of configuring, managing, and troubleshooting eight 48-port switches individually, you can manage all eight like a single unit using a Stackable Switches. With a true Stackable Switch, those eight switches (total 384 ports) function as a single switch–there is a single SNMP/RMON agent, single Spanning Tree domain, single CLI or Web interface–i.e. single management plane. You can also create link aggregation groups spanning across multiple units in the stack, port mirror traffic from one unit in the stack to another, or setup ACLs/QoS spanning all the units. There are valuable operational advantages to be gained by this approach.

Here’s a word of warning. Be careful about products in the market which are sold as “Stackable” when they merely offer a single user interface, or central management interface, for getting to each individual switch unit. This approach is not stackable, but really “clustering”. You still have to configure every feature such as ACLs, QoS, Port mirroring, etc, individually on each switch. Use the following as a proof point – can I create a link aggregation group with one port in one unit of the stack and another port of that group in another unit of the stack? Can I select a port on one unit in the stack and mirror the traffic to a port on another unit of the stack? When I configure an ACL for Security purposes, can I apply that to any port on any unit in the stack? If the answer is “No” to any of these questions, you’re probably not working with a stackable switch.

There are other advantages of True Stacking as well. You can connect the stack members in a ring such that, if a port or cable fails, the stack will automatically route around that failure, many times at microsecond speeds. You can also add or subtract stack members and have it automatically recognized and added into the stack.

Cisco Catalyst 2K-X and 3K or Cisco 500 Series Switches are examples of Switches in this category.

As you can see there’s a multitude of switch options to choose from. So, have a close look at your current deployment and future needs to determine the right switch for your network.

Guide and Review from

More Related Cisco Switches Topics you can read here:

See comments

Cisco Nexus 9000 Series Switches for Classic Network Design

May 14 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Classic Three-Tier Data Center Design

Classic Three-Tier Data Center Design

Current Cisco Nexus Portfolio Scenarios for Transitioning to Cisco Nexus 9000 Series
Current Cisco Nexus Portfolio Scenarios for Transitioning to Cisco Nexus 9000 Series

It’s so cool that Cisco Nexus 9000 series, through their dual-mode capabilities, allow you to deploy them as traditional switches within your existing data center network. Cisco Nexus 9000 Series Switches are ideal for small-to-medium-sized data centers, it makes the next generation of data center switching accessible to customers of any size. And what’s the data center? Why is it so important? The data center infrastructure is central to the overall IT architecture. It is where most business-critical applications are hosted and various types of services are provided to the business. A classic network is the typical three-tier architecture commonly deployed in many data center environments. It has distinct core, aggregation, and access layers, which together provide the foundation for any data center design.

Note: The figure above shows a classic design using the current Cisco Nexus product portfolio, including Cisco Nexus 7000 Series Switches and 2000 Series Fabric Extenders (FEXs). You can use this three-tier design to migrate to the new Cisco Nexus 9000 Series Switches.

Many types of services, primarily firewalls and load balancers, can be integrated into these designs. Careful planning is needed for a smooth migration from this type of hardware and topology combination to the new Cisco Nexus 9000 Series hardware and topology combination.

The main features of the new Cisco Nexus 9000 Series are support for FEX, virtual Port Channel (vPC), and Virtual Extensible LAN (VXLAN). The data center architecture can be deployed in a classic design in which existing designs variations are supported, such as the following:

● Data center pods

● Large-scale multitier designs

● VXLAN fabric

…More about data center design and Nexus switches including Nexus 7000, Nexus 9000 family you can read the full info page:

More Related Cisco Nexus 9000 Topics

New: ACI Alternative for Cisco Nexus 9000

Cisco Nexus 9500 Comparison-Chassis, Supervisors and Modules…

Cisco Nexus 9000 Series Switches Overview

Cisco 9500 Nexus Switch Overview-Model Comparison

Cisco Nexus 9000 Models Comparison: Nexus 9500 & Nexus 9300 Series

Three Cisco Nexus 9300 Models Overview

The 8-slot Nexus 9508 Switch Review

See comments

User Guide: Use nProbe as NetFlow-Lite Aggregator

May 8 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Do you know how to use nProbe as NetFlow-Lite Collector? What’s the problem of NetFlow-Lite? What’s the typical nProbe Deployment? And how does the NetFlow-Lite Support in nProbe? In this article, we will share the main info related to these questions.

Problem Statement-NetFlow-Lite

• NetFlow-Lite brings visibility to switched networks.

• NetFlow-Lite are exports in v9/IPFIX format and contain packets sections.

• Legacy NetFlow collectors need additional support to understand and analyze NetFlowlite flows.

More Related NetFlow-Lite Topics

How to Use nProbe as NetFlow-Lite Aggregator/Collector?

Cisco Catalyst 4948E NetFlow-lite/NFLite in Detail

What is nProbe ?

What is nProbe ?

Typical nProbe Deployment

Typical nProbe Deployment

NetFlow-Lite Support in nProbe-01

NetFlow-Lite Support in nProbe-01

NetFlow-Lite Support in nProbe-02

NetFlow-Lite Support in nProbe-02

Final Remarks-NetFlow-Lite

Final Remarks-NetFlow-Lite

See comments

Cisco NetFlow-Lite on the Cisco Catalyst 2960-X, 2960-XR, 2960-CX, and 3560-CX Series Switches

May 7 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Output from Cisco NetFlow-Lite

Output from Cisco NetFlow-Lite

Differences between Flexible NetFlow-Lite, Flexible NetFlow, and sFlow
Differences between Flexible NetFlow-Lite, Flexible NetFlow, and sFlow

We discussed the Cisco Catalyst 4948E NetFlow-lite/NFLite before. What’s the difference between the NetFlow and Netflow-Lite? We knew that NetFlow-lite was first introduced with Catalyst 4948E, and it bridges the gap by providing a lightweight solution that allows capturing of important flow information through packet sampling mechanisms combined with the extensibility of NetFlow version 9 and IPFIX. NetFlow-Lite introduces traffic visibility on the Cisco Catalyst 2960-X, 2960-XR, 2960-CX, and 3560-CX Series Switches for the first time.

NetFlow-Lite collects packets randomly, classifies them into flows, and measures flow statistics as they pass through the switch. It is a true flow-based traffic-monitoring mechanism that conserves valuable forwarding bandwidth when exporting flow-based data for analysis and reporting.

In the following part it provides visibility into traffic that is switched through the Cisco Catalyst 2960-X, 2960-XR, 2960-CX, and 3560-CX Series Switches.

Firstly we can read what NetFlow-Lite is used for again

NetFlow-Lite offers network administrators and engineers the following capabilities:

Unprecedented visibility: NetFlow-Lite provides real-time information about traffic flows from endpoints such as PCs, phones, IP cameras, etc. You can use this information for traffic monitoring of Layer 2 and Layer 3 traffic as well as capacity planning.

Network planning: You can use NetFlow-Lite to capture data over a long period of time so that customers can understand traffic patterns, top talkers, top applications, etc. This feature provides accurate data to track and anticipate network growth and plan upgrades.

Simplified troubleshooting: You can use NetFlow-Lite flow-based analysis techniques to understand traffic patterns, which can help in proactively detecting problems, troubleshooting efficiently, and resolving problems quickly.

NetFlow-Lite Capabilities

NetFlow-Lite provides a granular packet-sampling mechanism that is adjustable up to 1:32 and available for all interfaces. The implication is that a subset of all packets passing through the switch is selected for reporting.

NetFlow-Lite on the Cisco Catalyst 2960-X, 2960-XR, 2960-CX, and 3560-CX Series Switches have the following capabilities:

  • NetFlow-Lite is supported on all downlink and uplink ports.
  • NetFlow-Lite is natively available with no additional hardware required.
  • The sampling range is from 1:32 to 1:1022.
  • The application measures 16,000 flows per switch.
  • Physical ports and VLAN Interfaces (switched virtual interfaces [SVI]) are supported.
  • NetFlow-Lite supports ingress flows only.
  • Export using standards-based IP Information export (IPFIX) or Version 9 record format.

NetFlow-Lite Sampling Techniques

The sampling method of the traffic can be random or deterministic. Random sampling chooses one packet randomly out of a configured sample size, whereas deterministic sampling chooses the first packet out of a configured sample size. For example, for 1:32 sampling, deterministic mode would choose the 1st, 33rd, 65th, 97th, and so on packet coming into an interface, and random mode can choose the 5th, 39th, 72nd, 103rd, and so on packet coming into an interface. Random packet sampling is statistically more accurate than deterministic packet sampling.

NetFlow-Lite Solution-NetFlow-Lite configuration on the Cisco Catalyst 2960-X, 2960-XR, 2960-CX, and 3560-CX Series Switches

Steps-Only 5 Steps

Step1. Configure a Flow Record, which defines the data collection. You can customize it for specific requirements. You can use the following example with most NetFlow collectors:

flow record v4

 match ipv4 tos

 match ipv4 protocol

 match ipv4 source address

 match ipv4 destination address

 match transport source-port

 match transport destination-port

 collect transport tcp flags

 collect interface input

 collect flow sampler

 collect counter bytes long

 collect counter packets long

 collect timestamp sys-uptime first

 collect timestamp sys-uptime last

Step2. Configure a Flow Exporter, which defines where the collected data needs to be sent. Please refer to the NetFlow collector application user guides and manual for specific details such as port number, differentiated services code point (DSCP), and other options. The configuration follows:

flow exporter Replicator

 description Exporter to Cisco Prime 2.0


 source GigabitEthernet1/0/1

 dscp 16

 template data timeout 60

 option interface-table

Step3. Configure a Flow Monitor, which binds the flow record and exporter along with options to configure the flow cache:

flow monitor v4

 record v4

 exporter Replicator

 cache timeout active 30

Step4. Configure a Flow Sampler. Define the sampling technique and sample size. The configuration follows:

sampler v4

 mode random 1 out-of 32

Step5. Attach the Flow Monitor and Sampler to the interface:

interface GigabitEthernet1/0/1

 ip flow monitor v4 sampler v4 input

Reference from

Lists the License and Software Requirements for Cisco Netflow-Lite

Lists the License and Software Requirements for Cisco Netflow-Lite

See comments

Top Choice, New Cisco 2960-X Series Switches for Branch Offices

April 30 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Eight-Member C2960-X Stack, Rear View

Eight-Member C2960-X Stack, Rear View

Like the 2960-S Series, the Catalyst 2960-X is line-rate nonblocking switches with the following added features:

● Dual-core CPU at 600 MHz

● Cisco FlexStack-Plus stacking

◦ 80 Gbps bandwidth

◦ 8-member stack

● Dual-FRU power supply with integrated fan (2960-XR only)

● NetFlow-Lite on all downlink and uplink ports

● Switch Hibernation mode integrated with Cisco EnergyWise

● Energy-Efficient Ethernet (EEE) downlink ports

● Signed Cisco IOS Software images

● Layer 3 features with IP Lite feature set (2960-XR only)

● 24 port fan less model with 2 SFP and 210/100/1000BT uplinks

Key Words for the New Cisco 2960-X Series: Simple, Smart, Scalable, Green, Highly Secure, and Cost-Effective

When C2960-X switches are mixed in a stack with C2960-S and C2960-SF switches, the following is true:

• A maximum of four switches can be stacked

• Any combination of C2960-X and C2960-S switches can be utilized

• The master switch can be a member of either the C2960-X or C2960-S series

• The functionality of FlexStack-Plus reverts back to FlexStack capability

Feature Sets Supported in 2960-X Series Refer to the Figure Compare Models: Cisco 2960-X vs. 2960-S

More about Cisco 2960-X Series

WS-C2960X-48TD-L & WS-C2960XR-48TD-I Tested, from Miercom

Selecting Cisco Switches, For Campus or Branch?

How to Install or Replace an AC Power Supply in a Cisco 2960-X Switch?

Cisco Catalyst 2960-X/XR vs. Catalyst 3650 vs. Cisco 3850 Series

Compare Models: Cisco 2960-X vs. 2960-S

Compare Models: Cisco 2960-X vs. 2960-S

Stacking Snapshot of Cisco 2960 and HP 2920/5120 Switches

Stacking Snapshot of Cisco 2960 and HP 2920/5120 Switches

See comments

Cisco LAP (Lightweight Access Point), Some Questions

April 9 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Wireless - Cisco Wireless AP

Cisco LAP (Lightweight Access Point), Some Questions

Cisco LAP (Lightweight Access Point), Some Questions

A LAP is an AP that is designed to be connected to a wireless LAN (WLAN) controller (WLC). The LAP provides dual band support for IEEE 802.11a, 802.11b, and 802.11g and simultaneous air monitoring for dynamic, real-time radio frequency (RF) management. The Cisco LAP is part of the Cisco Unified Wireless Network architecture. In addition, Cisco LAPs handle time-sensitive functions, such as Layer 2 encryption, that enable Cisco WLANs to securely support voice, video, and data applications.

APs are “lightweight,” which means that they cannot act independently of a wireless LAN controller (WLC). The WLC manages the AP configurations and firmware. The APs are “zero touch” deployed, and individual configuration of APs is not necessary. The APs are also lightweight in the sense that they handle only real-time MAC functionality. The APs leave all the non-real-time MAC functionality to be processed by the WLC. This architecture is referred to as the “split MAC” architecture.

You cannot configure the LAP to operate independent of a wireless LAN controller (WLC). LAPs cannot function independent of WLCs. LAPs function in conjunction with a WLC only. The reason is that the WLC provides all the configuration parameters and firmware that the LAP needs in the registration process.

LWAPP (Lightweight AP Protocol) is an Internet Engineering Task Force (IETF) draft protocol that defines the control messaging for setup and path authentication and run-time operations. LWAPP also defines the tunneling mechanism for data traffic.

A LAP discovers a controller with the use of LWAPP discovery mechanisms. The LAP sends an LWAPP join request to the controller. The controller sends the LAP an LWAPP join response, which allows the AP to join the controller. When the LAP joins to the controller, the LAP downloads the controller software if the revisions on the LAP and controller do not match. Subsequently, the LAP is completely under the control of the controller. LWAPP secures the control communication between the LAP and the controller by means of a secure key distribution. The secure key distribution requires already provisioned X.509 digital certificates on both the LAP and the controller. Factory-installed certificates are referenced with the term "MIC", which is an acronym for Manufacturing Installed Certificate. Cisco Aironet APs that shipped before July 18, 2005, do not have a MIC. So these APs create a self-signed certificate (SSC) when they are upgraded in order to operate in lightweight mode. Controllers are programmed to accept SSCs for the authentication of specific APs.

And what is CAPWAP?

In controller software release 5.2 or later, Cisco lightweight access points use the IETF standard Control and Provisioning of Wireless Access Points protocol (CAPWAP) in order to communicate between the controller and other lightweight access points on the network. Controller software releases prior to 5.2 use the Lightweight Access Point Protocol (LWAPP) for these communications.

CAPWAP, which is based on LWAPP, is a standard, interoperable protocol that enables a controller to manage a collection of wireless access points. CAPWAP is being implemented in controller software release 5.2 for these reasons:

  • To provide an upgrade path from Cisco products that use LWAPP to next-generation Cisco products that use CAPWAP
  • To manage RFID readers and similar devices
  • To enable controllers to interoperate with third-party access points in the future

LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is seamless. For example, the controller discovery process and the firmware downloading process when you use CAPWAP are the same as when you use LWAPP. The one exception is for Layer 2 deployments, which are not supported by CAPWAP.

You can deploy CAPWAP controllers and LWAPP controllers on the same network. The CAPWAP-enabled software allows access points to join either a controller that runs CAPWAP or LWAPP. The only exception is the Cisco Aironet 1140 Series Access Point, which supports only CAPWAP and therefore joins only controllers that run CAPWAP. For example, an 1130 series access point can join a controller that runs either CAPWAP or LWAPP whereas an 1140 series access point can join only a controller that runs CAPWAP.

For more information, refer to the Access Point Communication Protocols section of the configuration guide.

Is it a regular AP or a LAP? The easiest way to distinguish between a regular AP and a LAP is to look at the part number of the AP.

  • LAP (Lightweight AP Protocol [LWAPP])—Part numbers always begin with AIR-LAPXXXX.
  • Autonomous AP (Cisco IOS Software)—Part numbers always begin with AIR-APXXXX.

The Cisco Aironet 1000 Series LAPs are an exception to this criteria. The part numbers of the 1000 series LAPs are:

  • AIR-AP1010-A-K9 for a 1010 LAP
  • AIR-AP1020-A-K9 for a 1020 LAP
  • AIR-AP1030-A-K9 for a 1030 LAP

Note: The part numbers can vary, which depends on the country and regulatory domain. The part numbers that this list provides are just examples.

Make sure that you order the appropriate AP for your wireless LAN (WLAN).

These Cisco Aironet AP platforms are able to run LWAPP:

  • Aironet 1500 Series
  • Cisco Aironet 1250 Series
  • Aironet 1240 AG Series
  • Aironet 1230 AG Series
  • Aironet 1200 Series
  • Aironet 1130 AG Series
  • Aironet 1000 Series
  • Aironet 1140 Series AP

Note: The 1140 Series AP is supported only with WLC that runs 5.2 release or later.

Note: You can order these Aironet APs with Cisco IOS Software to operate as autonomous APs or to operate with LWAPP. The part number determines if an AP is a Cisco IOS Software-based AP or an LWAPP-based AP. Here are examples:

  • AIR-AP1242AG-A-K9 is a Cisco IOS Software-based AP.
  • AIR-LAP1242AG-P-K9 is an LWAPP-based AP.

Note: The 1000 Series APs and the 1500 Series APs are exceptions to this criterion. All the 1000 Series APs and the 1500 Series APs support only LWAPP.

How do I install and configure an LWAPP-enabled access point? LWAPP-enabled APs are part of the Cisco Integrated Wireless Network Solution and require no manual configuration before they are mounted. The AP is configured by an LWAPP-capable Cisco Wireless LAN Controller (WLC). Refer to the Quick Start Guide LWAPP-Enabled Cisco Aironet Access Points for information on how to install and initially configure an LWAPP-enabled access point.

If I want to configure my LAP and my wireless LAN controller (WLC) together, what shall I do? LAPs use Lightweight AP Protocol (LWAPP), and when they join a WLC, the WLC sends the LAPs all the configuration parameters and firmware. Refer to the Wireless LAN Controller and Lightweight Access Point Basic Configuration Example for a basic setup.

Also you cannot connect an autonomous AP to a wireless LAN controller (WLC) and expect the AP to work. Only LAPs work when they are connected to a WLC. Autonomous APs do not understand the Lightweight AP Protocol (LWAPP) or the CAPWAP protocol that the WLC uses. In order to connect an autonomous AP to a WLC, you must first convert the autonomous AP to lightweight mode.

The number of APs supported per WLC depends on the model number:

  • 2106—A standalone WLC that supports up to 6 APs with 8 Fast Ethernet interfaces.
  • 4402—A standalone WLC that supports either 12, 25, or 50 APs.
  • 4404—A standalone WLC that supports 100 APs.
  • 5500—A standalone WLC that supports 12, 25, 50,100, or 250 access points for business-critical wireless services at locations of all sizes.
  • WLCM—A WLC module that is specifically designed for Cisco's Integrated Service Router (ISR) series. It's currently available in a 6, 8 or 12 AP version.
  • WS-C3750G—A WLC that supports either 25 or 50 APs that comes integrated with the Catalyst 3750 switch. The WLC's backplane connections appear as 2-Gig Ethernet ports that can be configured separately as dot1q trunks to provide connection into the 3750. Or the Gig ports can be link aggregated to provide a single EtherChannel connection to the 3750. Because the WLC is integrated directly, it has access to all of the advanced routing and switching features available in the 3750 stackable switch. This WLC is ideal for medium-sized offices or buildings. The `50 AP' version can scale up to 200 APs when four 3750s are stacked together as a virtual switch.
  • WiSM—A WLC module that is designed specifically for Cisco's Catalyst 6500 switch series. It supports up to 300 APs per module. Depending on the 6500 platform, multiple WISMs can be installed to offer significant scaling capabilities. The WiSM appears as a single aggregated link interface on the 6500 that can be configured as a dot1 trunk to provide connection into the 6500 backplane. This module is ideal for large buildings or campuses.

Reference from http: //

More about Cisco Wireless and Wireless AP you can read page

How to Convert a Cisco SAP to AIR-CAP?

See comments

How to Assign Static ip to LAP 1131AG before Registering to WLC?

April 3 2015 , Written by Cisco & Cisco Router, Network Switch

Each of the WLCs that receives the LWAPP discovery message replies with a unicast LWAPP discovery response message to the LAP.

Each of the WLCs that receives the LWAPP discovery message replies with a unicast LWAPP discovery response message to the LAP.

How to assign static ip to lightweight Access Point 1131AG before registering to controller? Some user raised the question like that: He has Wireless LAN controller (WLC) is installed in corporate office with H-reap enabled so that remote office access point can be registered with corporate office controller. This AP was registered with WLC on different subnet and he has shifted this AP to other remote office and want to assign static IP address.

More Notes: APs are “lightweight,” which means that they cannot act independently of a wireless LAN controller (WLC). The WLC manages the AP configurations and firmware. The APs are “zero touch” deployed, and individual configuration of APs is not necessary. The APs are also lightweight in the sense that they handle only real-time MAC functionality. The APs leave all the non-real-time MAC functionality to be processed by the WLC. This architecture is referred to as the “split MAC” architecture. We cannot configure the LAP to operate independent of a wireless LAN controller (WLC). LAPs cannot function independent of WLCs. LAPs function in conjunction with a WLC only. The reason is that the WLC provides all the configuration parameters and firmware that the LAP needs in the registration process.

While assigning static IP address to remote site AP through console before registering to the controller, after login into the AP, we got the console with below name:

......MAC Address....>

But when we try any command to assign IP address, it shows the error "Command Disabled"


We can connect this AP to corporate office LAN and get registered with WLC and then through WLC GUI and can assign static IP address but we need solution to assign static IP before getting registered to WLC.

We Also tried the following command, but got error "Command disabled "

AP#lwapp ap ip address <IP address> <subnet mask>
AP#lwapp ap ip default-gateway <IP-address>
AP#lwapp ap controller ip address <IP-address>
AP#lwapp ap hostname <name>

By Default in LWAPP APs the config commands are disabled. We need to issue the command:

"debug lwapp console cli"
"debug capwap console cli"

(depending on the version of the sw of the AP)

After this you can use the AP config as you would do in IOS APs.


There is one Bug CSCsy17745 filed for this issue. The workaround will be helpful to fix the issue:

The command DEBUG LWAPP CONSOLE CLI is a HIDDEN command. Please enter the complete command and then you need to perform the work around mentioned in this Bug.

"lwapp ap" CLI always returns "ERROR!!! Command is disabled.".


When attempting to configure a lightweight AP using the "Ease of Deploy" CLI, i.e. the "lwapp ap" exec mode command, from the console, the following error is returned:

ERROR!!! Command is disabled.


The access point is running the lightweight IOS featureset (k9w8) or recovery image (rcvk9w8).

Workaround 1:

1. configure the AP to boot the recovery image:
ap#debug lwapp console cli (use "debug capwap console cli" if running 5.2 or above)
ap#dir flash:/ (look for a folder with "rcvk9w8" in its name)
ap#configure terminal
ap(config)#boot system flash:/c1250-rcvk9w8-mx/c1250-rcvk9w8-mx

2. disconnect the AP from the LAN (e.g. shutdown the switchport)

3. reload the AP

4. from the AP console, clear the LWAPP (CAPWAP) configuration:

ap#clear lwapp private-config

5. You can now enter the "lwapp ap" "Ease of Deploy" CLI commands.

Workaround 2:

1. Disconnect the AP from the LAN (e.g. shutdown the switchport)

2. ap#debug lwapp console cli (use "debug capwap console cli" if running 5.2 or above)

3. ap#write erase

4. ap#reload

5. After reloading, you can now use the "lwapp ap" (or "capwap ap")

"Ease of Deploy" CLI commands.

Workaround 3:

ap#test lwapp controller ip a.b.c.d [w.x.y.z] (or "test capwap controller")

More information:

Even with the resolution of this bug, the "capwap ap hostname" CLI is still disabled. See CSCtl96208.


Discussion from how to assign static ip to lightweight Access Point 1131AG before registering to controller

Reference from

More Related…

See comments

802.11ac Solution, Benefits & Migration

March 30 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Wireless - Cisco Wireless AP



802.11ac vs. 802.11n
802.11ac vs. 802.11n

802.11ac is important? Do you want to upgrade to 802.11ac? Why? 802.11ac addresses the speed and capacity challenges facing the next-generation unified access network

● Wi-Fi is the primary access method for all new devices.

● Cisco VNI trend data shows that by 2016 over half of all IP traffic will originate on fixed Wi-Fi.

● Chip manufacturers have accelerated their delivery timetables for 802.11ac to meet device manufacturers’ demands.

● Wi-Fi is assumed. Device manufacturers have never included Ethernet ports on smartphones or tablets, and they are no longer including Ethernet ports on laptops.

Benefits of 802.11ac

802.11ac offers longer battery life, more bandwidth, greater client density, and fast client adoption.

Longer battery life: Better airtime utilization means devices are on and off the network more efficiently, conserving precious battery life.

More bandwidth: Three to four times higher throughput than 802.11n means users have better experience for data, voice, video, virtual desktops, etc.

Greater client density: More users and more devices per user can be accommodated.

Fast client adoption: Client devices such as smartphones and tablets are adopting 802.11ac faster than 802.11n.

802.11ac radios also support 802.11a/n clients.

● Most enterprise-grade access points provide at least two radios: 2.4 GHz for 802.11b/g/n and 5 GHz for 802.11a/n.

● 802.11ac is offered only in the 5-GHz band.

802.11g/a/n vs. 802.11ac

The differences are found in frequency, speed, modulation, battery savings, and channel width.

Frequency Band: 802.11n operates in both the 2.4-GHz and 5-GHz band. Both 802.11a and 802.11ac operate in 5 GHz band only.

Speed: Some of the latest generation of 802.11n access points have a maximum datarate of 450 Mbps. Wave 1 of 802.11ac provides a maximum datarate of 1.3 Gbps, and Wave 2 will offer a maximum datarate of 6.9 Gbps.

Modulation: 802.11ac provides 256 quadrature amplitude modulation (QAM) vs. 64-QAM for 802.11n. Basically, when you have better modulation, you can transport more data. 802.11ac can operate up to three times faster than 802.11n.

Battery savings: Since 802.11ac devices are more efficient over the air, they transmit for shorter intervals, conserving battery life. 802.11ac has been shown to improve battery life by up to 2x over 802.11n.

Channel width: 802.11n allows a 20 MHz and 40-MHz channel. 802.11ac allows up to 80-MHz channels in Wave 1 and 160-MHz Channel in Wave 2.

Has the 802.11ac standard been ratified? Yes; the ratification and publication of 802.11ac by IEEE was completed December 9, 2013, and ANSI approved it on December 11, 2013. (The 802.11 timeline updates can always be found under the “RevCom & Standards Board Final or Continuous Process Approval” at

What is the difference between Wave 1 and Wave 2 of 802.11ac?

The biggest difference is that Wave 1 802.11ac is available now and the expectation is that 802.11ac Wave 2 will come to market in CY15.

● 802.11ac Wave 2 will require new hardware, so it will not simply be a software upgrade to current 802.11ac platforms.

The main features of 802.11ac Wave 1 include: The maximum datarate is 1.3 Gbps; Channel bonding support for 80 MHz (mandatory); Three spatial streams, single-user multiple-input and multiple-output (MIMO); Two spatial streams are mandatory for non-battery-powered access points; Only one spatial stream is mandatory for battery-powered access points and clients; Faster modulation: 256-QAM

The main features expected in 802.11ac Wave 2 include: Multi-user MIMO; Up to 8 spatial streams; 160-MHz-wide channels; Maximum datarate is 6.9Gbps

Why deploy 802.11ac Wave 1?

◦ You can expand your network and adopt 802.11ac Wave 1 today, instead of buying 802.11n or waiting for Wave 2, which won’t be available until 2015.

◦ 802.11ac Wave 1 represents fundamental improvements and enhancements to 802.11n in terms of client performance due to three to four times higher throughput than 802.11n.

◦ Device users can expect to have better experience for data, voice, video, virtual desktop, etc.

◦ Wider channel bandwidth in 802.11ac means more real estate to support higher client density in conference rooms, auditoriums, and stadiums.

◦ Client devices are adopting 802.11ac faster than 802.11n.

◦ Smartphones, tablets, and laptops are on and off the network faster with 802.11ac, thereby conserving battery life.

What benefits can I expect with 802.11ac Wave 2?

◦ MU-MIMO switch-like behavior will allow for an even higher number of concurrent Wi-Fi devices.

◦ Higher throughput is expected with the additional spatial streams and 160-MHz-wide channels.

How does Cisco support 802.11ac? Cisco also offers the Aironet 2700 and 3700 Series Access Points, both of which have integrated 802.11ac Wave 1 radios. Cisco also offers an 802.11ac module that can be added to the Cisco Aironet 3600 Series Access Points.

● The Cisco Aironet 3700 Series also support a modular architecture that allows expansion to the Wireless Security Module, the 3G Small Cell Module, and support for future technology such as 802.11ac Wave 2.

Both the Cisco Aironet 3700 and 2700 Series supports Cisco’s High Density Experience (HDX) technology.

● Cisco’s HDX High-Density Experience is a purpose-built Innovative Chipset designed specifically for the high performance environments of 802.11ac.

● The features of HDX includes:

◦ Turbo Performance which Scales to Support More Devices

◦ Running High Bandwidth Apps

◦ Optimized Roaming which Intelligently Decides the Proper

◦ Access Point as People Move

◦ Cisco’s CleanAIr with 80MHZ channel support which mitigates interference and improves channel capacity

◦ Cisco’s ClientLink 3.0 which improves legacy and 802.11ac Client performance

◦ Cross AP Noise Reduction (future) which enables dense Access Point Coexistence/implementation

More Related Topics of Cisco Wireless APs & 802.11ac

Why You Should Upgrade with Cisco 802.11ac Solution?

Cisco Aironet 1700 Series-Entry-Level 802.11ac Access Points

The New Cisco Aironet 1570 Series Access Point

See comments

Cisco IP Phone Reports-Cisco DX650 & DX600

March 25 2015 , Written by Cisco & Cisco Router, Network Switch

Technology Trends

Technology Trends

Cisco Comprehensive Collaboration Architecture

Cisco Comprehensive Collaboration Architecture

Why Cisco Collaboration and Cisco Unified IP Phones?

Why Cisco Collaboration and Cisco Unified IP Phones?

Cisco IP Phone Portfolio Choice to Meet Your Needs

Cisco IP Phone Portfolio Choice to Meet Your Needs

Advanced Collaboration Demands a Multi-purpose Endpoint
Advanced Collaboration Demands a Multi-purpose Endpoint

Advanced Collaboration Demands a Multi-purpose Endpoint

  • High-quality voice, video and conferencing
  • Real-time video, integrated presence and viewing of shared documents
  • Access to corporate cloud services and cloud apps
  • Intuitive touch screen navigation and innovative personalization

The Smart Cisco Desk Phone? Cisco Desktop Collaboration Experience DX600 Series

Cisco DX650:

  • Always-On Collaboration for the Desk
  • HD Voice and Video Communications
  • Comprehensive UC suite
  • Integrated Conferencing, IM & Presence
  • On-demand Access to Cloud Apps and Services
  • Personalize with Android
  • IT Deployed & Managed

Why Cisco DX600?

…To be Continued…

More Related Cisco IP Phone Topics

How to Start up a Cisco IP Phone?

Cisco Boosts Enterprise Collaboration Tools for the Modern Workspace

Two Smart Ways to Configure Cisco IP Phones

Cisco Desktop Collaboration Experience DX600 Series

Cisco Desktop Collaboration Experience DX600 Series

Cisco DX650

Cisco DX650

Why Cisco DX600?

Why Cisco DX600?

See comments
1 2 3 4 5 6 7 8 9 10 20 30 > >>