Cisco & Cisco Network Hardware News and Technology

How to Recover the Password on Cisco Catalyst 3850?

January 2 2014 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

How do you recover the password on a Cisco 3850 switch when you have lost or forgotten it? This is a common situation for network users and it is easy to resolve. Here we list some tips and the basic steps to help you recover the password on a Catalyst 3850.

Tips and Steps to Recover the Password on Cisco Catalyst 3850

Power off the standalone switch or the entire switch stack. Reconnect the power cord to the active switch and, within 15 seconds, press the Mode button while the System LED is still flashing green. Keep pressing the Mode button until all the system LEDs turn on and remain solid; then release the Mode button.

Several lines of information about the software appear, along with instructions, telling you whether the password recovery procedure has been disabled.

If you see a message that begins with this:

The system has been interrupted prior to initializing the flash file system.

then the following commands will initialize the flash file system. Proceed with the steps below.

Step 1 Initialize the flash file system.

Switch: flash_init

Step 2 Ignore the startup configuration with the following command:

Switch: SWITCH_IGNORE_STARTUP_CFG=1

Step 3 Boot the switch with the packages.conf file from flash.

Switch: boot flash:packages.conf

Step 4 Terminate the initial configuration dialog by answering No.

Would you like to enter the initial configuration dialog? [yes/no]: No

Step 5 At the switch prompt, enter privileged EXEC mode.

Switch> enable

Switch#

Step 6 Copy the startup configuration to running configuration.

Switch# copy startup-config running-config

Destination filename [running-config]?

Press Return in response to the confirmation prompts. The configuration file is now reloaded, and you can change the password.

Step 7 Enter global configuration mode and change the enable password.

Switch# configure terminal

Switch(config)#

Step 8 Write the running configuration to the startup configuration file.

Switch# copy running-config startup-config

Step 9 Confirm that manual boot mode is enabled.

Switch# show boot

BOOT variable = flash:packages.conf;

Manual Boot = yes

Enable Break = yes

Step 10 Reload the switch.

Switch# reload

Step 11 Return the Bootloader parameters (previously changed in Steps 2 and 3) to their original values.

Switch: SWITCH_DISABLE_PASSWORD_RECOVERY=1

Switch: SWITCH_IGNORE_STARTUP_CFG=0

Step 12 Boot the switch with the packages.conf file from flash.

Switch: boot flash:packages.conf

Step 13 After the switch boots up, disable manual boot on the switch.

Switch(config)# no boot manual

Refer to https://supportforums.cisco.com/docs/DOC-35289

More Cisco 3850 Tips:

Cisco Catalyst 3850 Series- the Industry’s first Fixed, Stackable GE Switch

More Cisco switch review, news and Topics you can see at: http://blog.router-switch.com/category/reviews/cisco-switches/


Show ip route command

December 25 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Certification - CCNA - CCNP - CCIE

Displays the entire IP route table, a summary of the routing table, or route information for specific IP addresses, network masks, or protocols.

Syntax: show ip route [[ipAddress [mask]] [bgp | connected | mpls [ipAddress] [ipAddress/PrefLen] [ipAddress mask] [detail] | isis | ospf | static | summary | multicast | unicast]

ipAddress: Specify an IP address for the IP routes to display.

mask: Specify an IP address mask for the specified IP address.

PrefLen: Specify a Prefix Length for the specified IP address. Valid values = 0 - 31.

Description: Use the show ip route command with no arguments to display all IP routes.

Use the show ip route command with the address argument to display routes to a specific IP address.

Use the show ip route command with the mask argument to display routes with a specific network mask.

Use the show ip route command with the bgp, isis, or ospf keyword to display summary information about all routes for the specified protocol.

Use the show ip route multicast command to display active routes used by Multicast protocols.

Use the show ip route unicast command to display active routes used for unicast forwarding.

Use the show ip route connected command to display summary information about all directly connected routes.

Use the show ip route mpls command to display all tunnel related route statistics.

Use the show ip route mpls detail command to display detailed information about all the tunnels by which each route/prefix is reachable. The detail keyword can optionally be used with all ipAddress variants of mpls.

Use the show ip route static command to display summary information about all statically configured routes.

Use the show ip route summary command to display summary information about all IP routes.

Factory Default: None.

Command Mode: EXEC and privileged EXEC.

Example 1: In the following example, the show ip route command with no arguments displays all routes:

router>show ip route

Codes: C - connected      O - OSPF                i - IS-IS
       S - static         UD - Up/Down bit        L1 - level-1
       B - BGP            E1 - external type 1    L2 - level-2
       M - MPLS           E2 - external type 2
       * - candidate default
       m - route's metric
       d - administrative distance

S * 0.0.0.0/0 via 10.200.0.1 [d:1 m:0]

S 9.9.9.9/32 via 127.0.0.1 [d:1 m:0]

C 10.200.0.0/16 directly connected to Ethernet 0

i UD 12.2.41.19/32 via 55.55.55.1 [d:115 m:35]

i UD 12.2.41.20/32 via 55.55.55.1 [d:115 m:35]

i UD 12.2.41.21/32 via 55.55.55.1 [d:115 m:35]

i UD 12.2.41.22/32 via 55.55.55.1 [d:115 m:35]

i UD 12.2.41.23/32 via 55.55.55.1 [d:115 m:35]

...

C 55.55.55.0/24 directly connected to GBE 1/19/2

C 55.55.55.3/32 directly connected to Null 0

S 127.0.0.0/8 via 127.0.0.1 [d:0 m:0]

C 127.0.0.1/32 directly connected to Null 0

i L1 191.191.191.191/32 via 55.55.55.1 [d:115 m:28]

i L1 191.194.1.0/24 via 55.55.55.1 [d:115 m:28]

C 193.193.193.193/32 directly connected to Loopback 0

i L1 194.10.1.0/24 via 55.55.55.1 [d:115 m:28]

C 194.10.2.0/24 directly connected to POS 1/14/2

C 194.10.2.1/32 directly connected to POS 1/14/2

C 194.10.2.2/32 directly connected to Null 0

S 200.1.1.0/24 via 127.0.0.1 [d:1 m:0]

S 200.1.2.0/24 via 127.0.0.1 [d:1 m:0]

S 200.1.3.0/24 via 127.0.0.1 [d:1 m:0]

...

The following table describes the fields displayed by the show ip route command.

Table 1-8. Fields Displayed by show ip route

connected: Specifies the route was learned as a result of configuring the interface.

static: Specifies the route was explicitly configured using the ip route command.

BGP: Specifies the route was received from BGP protocol advertisements.

MPLS: Specifies this route carries MPLS data.

external type 1: Specifies the route was imported into the OSPF area from an Autonomous System Boundary Router (ASBR). Further, this route uses the cost associated with the link between the ASBR and this router as part of the cost of the route.

external type 2: Specifies the route was imported into the OSPF area from an Autonomous System Boundary Router (ASBR). Further, this route does not use the cost associated with the link between the ASBR and this router as part of the cost of the route.

isis: Specifies this route was received from IS-IS protocol advertisements.

N.N.N.N/nn: Network address and mask of the remote network.

via N.N.N.N: Indicates the next router in the remote network.

directly connected to: Indicates the network is directly connected to a local interface.

UD: Indicates the Up/Down bit is set and that the route was leaked from L2 into L1.

d: The administrative distance assigned to this route.

m: The metric assigned to this route.

Example 2: In the following example, the show ip route static command displays information about statically configured routes:

router>show ip route static

S 0.0.0.0/0 via 10.5.0.1 [w:1 m:0]

S 127.0.0.0/8 via 127.0.0.1 [w:0 m:0]

S 131.1.1.0/24 via 127.0.0.1 [w:1 m:0]

S 131.1.2.0/24 via 127.0.0.1 [w:1 m:0]

S 131.1.3.0/24 via 127.0.0.1 [w:1 m:0]

S 131.1.4.0/24 via 127.0.0.1 [w:1 m:0]

Example 3: In the following example, the show ip route summary command displays summary information about all IP routes:

router#show ip route summary
Route source Networks

connected 12

static 2

bgp 100654

ospf intra-area 1785

total 102453

The following table defines the fields displayed in the show ip route summary command:

Table 1-9. Fields Displayed by show ip route summary

connected: These routes were learned as a result of configuring the interface.

kernel: These routes were in the kernel before the routing task started running.

static: The number of routes that were explicitly configured using the ip route command.

bgp: The number of routes received from BGP protocol advertisements.

ospf intra-area: The number of routes learned from within this area.

ospf inter-area: The number of routes received from other OSPF areas.

ospf external-1: These routes were imported into the OSPF area from an Autonomous System Boundary Router (ASBR). Further, these routes use the cost associated with the link between the ASBR and this router as part of the cost of the route.

ospf external-2: These routes were imported into the OSPF area from an Autonomous System Boundary Router (ASBR). Further, these routes do not use the cost associated with the link between the ASBR and this router as part of the cost of the route.

isis: The number of routes received from IS-IS protocol advertisements.

total: The total number of routes in the IP route table.

Refer to http://www.powerfast.net
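As an added example that is not part of the original post, the following Python script parses route lines in the layout shown in Examples 1 and 2 above, counts them per route source in the spirit of show ip route summary, and lists next hops that fall inside no directly connected prefix (a quick way to spot stale static routes). The sample output is constructed, and mapping an OSPF route's E1/E2 flag to the summary's ospf external-1/external-2 rows is an assumption.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the same layout as the show ip route output above
# (legend lines included on purpose, so the parser has to skip them).
SAMPLE_OUTPUT = """\
Codes: C - connected O - OSPF i - IS-IS
S - static UD - Up/Down bit L1 - level-1
S * 0.0.0.0/0 via 10.200.0.1 [d:1 m:0]
S 9.9.9.9/32 via 127.0.0.1 [d:1 m:0]
C 10.200.0.0/16 directly connected to Ethernet 0
i UD 12.2.41.19/32 via 55.55.55.1 [d:115 m:35]
C 55.55.55.0/24 directly connected to GBE 1/19/2
C 127.0.0.1/32 directly connected to Null 0
i L1 191.191.191.191/32 via 55.55.55.1 [d:115 m:28]
O E2 172.16.0.0/16 via 10.200.0.9 [d:110 m:20]
B 203.0.113.0/24 via 10.200.0.2 [d:20 m:0]
S 198.51.100.0/24 via 192.0.2.1 [w:1 m:0]
"""

CODE_TO_SOURCE = {"C": "connected", "S": "static", "B": "bgp",
                  "O": "ospf", "i": "isis", "M": "mpls"}

# One route line: code, optional flag column (*, UD, L1, L2, E1, E2), prefix,
# then either "via <next hop> [d:<dist> m:<metric>]" (Example 2 prints w: in
# place of d:, so both are accepted) or "directly connected to <interface>".
ROUTE_RE = re.compile(
    r"^(?P<code>[CSBOiM])"
    r"(?:\s+(?P<flag>\*|UD|L1|L2|E1|E2))?"
    r"\s+(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+"
    r"(?:via\s+(?P<nexthop>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"\[[dw]:(?P<dist>\d+)\s+m:(?P<metric>\d+)\]"
    r"|directly connected to\s+(?P<iface>\S.*?))\s*$"
)


def parse_routes(text):
    """Return one dict per route line; legend and other lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        routes.append({
            "source": CODE_TO_SOURCE[d["code"]],
            "flag": d["flag"],
            "prefix": ip_network(d["prefix"], strict=False),
            "next_hop": ip_address(d["nexthop"]) if d["nexthop"] else None,
            "interface": d["iface"],
            "distance": int(d["dist"]) if d["dist"] else 0,
            "metric": int(d["metric"]) if d["metric"] else 0,
        })
    return routes


def summarize(routes):
    """Route counts per source, in the spirit of show ip route summary.

    Assumption: an OSPF route flagged E1/E2 is counted as ospf external-1/-2;
    other OSPF routes are counted as plain 'ospf'.
    """
    counts = Counter()
    for r in routes:
        source = r["source"]
        if source == "ospf" and r["flag"] in ("E1", "E2"):
            source = "ospf external-" + r["flag"][1]
        counts[source] += 1
    counts["total"] = len(routes)
    return dict(counts)


def candidate_default(routes):
    """The route marked '*' (candidate default), or None."""
    return next((r for r in routes if r["flag"] == "*"), None)


def unresolved_next_hops(routes):
    """(prefix, next hop) pairs whose next hop lies in no connected prefix.

    Stale static routes show up here, as does a next hop that became
    unreachable after an interface change, so each entry deserves a look.
    """
    connected = [r["prefix"] for r in routes if r["source"] == "connected"]
    return [(str(r["prefix"]), str(r["next_hop"])) for r in routes
            if r["next_hop"] is not None
            and not any(r["next_hop"] in net for net in connected)]


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_OUTPUT)
    for source, n in summarize(routes).items():
        print(f"{source:18} {n}")
    default = candidate_default(routes)
    print("candidate default via", default["next_hop"] if default else "none")
    print("unresolved next hops:", unresolved_next_hops(routes))
```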

More Related Cisco IOS Command Topics:

Show memory Command

Show module command

Show controllers command

Show interfaces

Show running-config

Cisco Show Version Command

Top 10 Commands Every Cisco IOS User Should Know

Configure logging in Cisco IOS


Logging Options in the Cisco IOS

December 16 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Networking

For any network administrator, it is necessary to know how to use logging properly. The Cisco IOS offers a great many options for logging. To help you know them well, we will discuss how to configure logging, how to view the log and its status, and three common errors when it comes to logging.

The logging command in Global Configuration Mode and the show logging command in Privileged Mode are two simple but powerful tools to configure and show all Cisco IOS logging options. Let's take a closer look.

Configure logging in the Cisco IOS

When configuring logging, the most important command to know is the logging command, used when in Global Configuration Mode. Here's an example of this command and its options.

(Image: Configure-logging-in-the-Cisco-IOS-01.jpg, the logging command and its options)

To help you become familiar with these options, let's look at the most common ones.

You can configure the router to send buffered logging of its events to the memory. (Rebooting the router will lose all events stored in the buffered log.) Here's an example:

Router(config)# logging buffered 16384

You can also send the router's events to a syslog server. This is an external server running on your network. Most likely, the syslog server is running on a Linux or Windows server. Because it's external to the router, there's an added benefit: It preserves events even if the router loses power. A syslog server also provides for centralized logging for all network devices.

To configure syslog logging, all you need to do is use the logging command and the hostname or IP address of the syslog server. So, to configure your Cisco device to use a syslog server, use the following command:

Router(config)# logging 10.1.1.1

The Cisco IOS enables logging to the console, monitor, and syslog by default. But there's a catch: There's no syslog host configured, so that output goes nowhere.

There are eight different logging levels.

0—emergencies

1—alerts

2—critical

3—errors

4—warnings

5—notification

6—informational

7—debugging

The default level for console, monitor, and syslog is debugging. The logging on command is the default. To disable all logging, use the no logging on command.

By default, the router logs anything at the level of debugging and greater. That means that logging occurs from level 7 (debugging) up to level 0 (emergencies). If you want to pare down what the system logs, use something like the logging console notifications command.

In addition, the router doesn't enable logging to the system buffer by default. That's why you must use the logging buffered command to enable it.

View the status of logging and the logging itself

To view the status of your logging as well as the local buffered log, use the show logging command. Here's an example:

(Image: View-the-status-of-logging-and-the-logging-itself.jpg, show logging output)

Note that this router has enabled syslog logging and is sending it to host 10.1.1.1. In addition, console logging is at the debugging level, and the setting for local buffered logging is 10,000,000 bytes.

Three common logging errors

Logging can be frustrating at times. To help prevent some of that frustration, let's look at three common errors.

Not setting the terminal to monitor logging

If you Telnet into a router and can't see some of the logging you're expecting, check to see if you've set your terminal to monitor the logging. You can enable this with the terminal monitor command. To disable it, use the terminal no monitor command.

To determine whether you've enabled monitoring, use the show terminal command, and look for the following:

Capabilities: Receives Logging Output

If you see this, you're monitoring logging output. If it returns none for capabilities, then the monitoring is off.

Using the incorrect logging level

If you can't see logging output, you should also check whether you've set the level correctly. For example, if you've set the console logging to emergencies but you're running debugging, you won't see any debugging output on the console.

To determine the set level, use the show logging command. Keep in mind that you need to set the level to a higher number to see all levels below it. For example, setting logging at debugging shows you every other level.

In addition, make sure you match the type of logging that you want to see with the level you're configuring. If you configure monitor logging to debug but you're on the console and you've set it to informational, you won't see the debug output on the console.

Displaying the incorrect time and date in logs

You may see log messages that don't exhibit the correct date and time. There are a variety of options to control the date and time that appear on logging output (either to the screen or to the buffer). To control this, use the following command:

Router(config)# service timestamps debug ?

  datetime      Timestamp with date and time

  uptime        Timestamp with system uptime

More Notes: Remember that many problems require some kind of historical log to help find a solution. That's why it's important to make sure you've properly configured logging so you can use your logs to see the past.

Reference from http://www.techrepublic.com/

More Related Cisco IOS Commands Topics:

Show logging

Configure logging in Cisco IOS


Show logging

December 11 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Certification - CCNA - CCNP - CCIE

Use the show logging EXEC command to display the state of logging (syslog).

show logging [history]

Syntax Description: history (Optional) Display information in the syslog history table only.

Command Mode: EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

This command displays the state of syslog error and event logging, including host addresses, and whether console logging is enabled. This command also displays Simple Network Management Protocol (SNMP) configuration parameters and protocol activity.

When you use the optional history keyword, information about the syslog history table is displayed such as the table size, the status of messages, and text of messages stored in the table. Messages stored in the table are governed by the logging history global configuration command.

Sample Display

The following is sample output from the show logging command:

Router# show logging

Syslog logging: enabled

     Console logging: disabled

     Monitor logging: level debugging, 266 messages logged.

     Trap logging: level informational, 266 messages logged.

     Logging to 192.180.2.238

SNMP logging: disabled, retransmission after 30 seconds

    0 messages logged

 

The following table describes significant fields shown in the display.

Syslog logging: When enabled, system logging messages are sent to a UNIX host that acts as a syslog server; that is, it captures and saves the messages.

Console logging: If enabled, states the level; otherwise, this field displays disabled.

Monitor logging: Minimum level of severity required for a log message to be sent to a monitor terminal (not the console).

Trap logging: Minimum level of severity required for a log message to be sent to a syslog server.

SNMP logging: Shows whether SNMP logging is enabled, the number of messages logged, and the retransmission interval.

The following is sample output from the show logging history command:

Router# show logging history

Syslog History Table: 1 maximum table entry, saving level notifications or higher

0 messages ignored, 0 dropped, 15 table entries flushed,

SNMP notifications not enabled

  entry number 16: SYS-5-CONFIG_I

  Configured from console by console

  timestamp: 1110

 

The following table describes the significant fields shown in the display.

maximum table entry: Number of messages that can be stored in the history table. Set with the logging history size command.

saving level notifications or higher: Level of messages that are stored in the history table and sent to the SNMP server (if SNMP notification is enabled). Set with the logging history command.

messages ignored: Number of messages not stored in the history table because the severity level is greater than that specified with the logging history command.

dropped: Number of messages that could not be processed due to lack of system resources. Dropped messages do not appear in the history table and are not sent to the SNMP server.

table entries flushed: Number of messages that have been removed from the history table to make room for newer messages.

SNMP notifications: Whether syslog traps of the appropriate level are sent to the SNMP server. Syslog traps are either enabled or not enabled through the snmp-server enable command.

entry number: Number of the message entry in the history table.

SYS-5-CONFIG_I Configured from console by console: Cisco IOS syslog message consisting of the facility name (SYS), which indicates where the message came from, the severity level (5), the message name (CONFIG_I), and the message text.

timestamp: Time, based on the router's uptime, that the message was generated.
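As an added example that is not part of either post, this Python script parses IOS system messages of the facility-severity-mnemonic form just described (SYS-5-CONFIG_I), applies a severity cutoff the same way a logging console, trap or history level does in the Logging Options post above (the configured level and everything more severe), and picks out the SYS-5-CONFIG_I configuration-change entries for review. The log lines are constructed for the example, not captured from a device.

```python
import re
from dataclasses import dataclass
from typing import List

# The eight IOS severity levels: a lower number is more severe.
LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Constructed sample lines in IOS syslog format (sequence number, datetime
# stamp, then %FACILITY-SEVERITY-MNEMONIC: text). Not captured from a device.
SAMPLE_LOG = """\
000012: Mar  1 00:01:04.201: %SYS-5-CONFIG_I: Configured from console by console
000013: Mar  1 00:01:10.555: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
000014: Mar  1 00:01:11.002: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
000015: Mar  1 00:02:30.118: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.50] [localport: 22] [Reason: Login Authentication Failed]
000016: Mar  1 00:03:00.000: %SYS-7-USERLOG_DEBUG: Message from tty1(user id: admin): test
Router#
"""

# Facility name, severity digit and mnemonic, as in the SYS-5-CONFIG_I example.
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z][A-Z0-9_]*)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)


@dataclass
class IosMessage:
    prefix: str      # whatever precedes the message: sequence number and timestamp
    facility: str
    severity: int
    mnemonic: str
    text: str


def parse_log(text: str) -> List[IosMessage]:
    """Parse buffered-log or syslog text; lines without a system message are skipped."""
    messages = []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue  # prompt, banner or continuation line
        messages.append(IosMessage(
            prefix=line[:m.start()].strip().rstrip(":"),
            facility=m["facility"],
            severity=int(m["severity"]),
            mnemonic=m["mnemonic"],
            text=m["text"].strip(),
        ))
    return messages


def deliver(messages: List[IosMessage], level_name: str) -> List[IosMessage]:
    """Messages a destination configured at level_name receives.

    IOS keeps the configured level and everything more severe (lower numbers),
    so 'logging trap notifications' passes levels 0-5 and drops 6 and 7.
    """
    cutoff = LEVELS[level_name]
    return [m for m in messages if m.severity <= cutoff]


def ignored_by_history(messages: List[IosMessage], level_name: str) -> int:
    """How many messages a history table at level_name would count as ignored."""
    return len(messages) - len(deliver(messages, level_name))


def config_changes(messages: List[IosMessage]) -> List[IosMessage]:
    """SYS-5-CONFIG_I entries: configuration changes worth auditing."""
    return [m for m in messages if m.facility == "SYS" and m.mnemonic == "CONFIG_I"]


if __name__ == "__main__":
    msgs = parse_log(SAMPLE_LOG)
    for m in deliver(msgs, "notifications"):
        print(f"{m.prefix} {m.facility}-{m.severity}-{m.mnemonic}: {m.text}")
    print("ignored at notifications:", ignored_by_history(msgs, "notifications"))
    for m in config_changes(msgs):
        print("config change:", m.prefix, m.text)
```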

More Related Cisco IOS Commands Reviews:

Show controllers command

Show interfaces

Show running-config

Cisco Show Version Command

Top 10 Commands Every Cisco IOS User Should Know

Configure logging in Cisco IOS


Adaptive Radio Modules for Cisco Aironet 3600

December 5 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Wireless - Cisco Wireless AP

The Adaptive Radio Modules are a family of solutions in a modular form factor that allow customers to adapt their wireless network to their current and future needs. The modules provide a dedicated third radio that can be field-upgraded on the 3600 Series access point. These modules allow customers to integrate advanced technology into their existing network without having to replace equipment or install additional equipment. Also, by adding a third radio, the Adaptive Radio Modules expands the access point’s performance and capacity.

Cisco offers three adaptive radio modules for the 3600 Access Point:

 

  • 802.11ac Module
  • Wireless Security and Spectrum Intelligence (WSSI) Module
  • 3G Small Cell Radio Module

(Image: Cisco-3G-Small-Cell-Module-for-Cisco-Aironet.jpg)

These modules allow customers to integrate advanced technology into their existing network without having to replace or install additional equipment. Also, by adding a third radio, it expands the access point’s capability in terms of performance and capacity.

 

For example, adding the WSSI module to a 3600 Access Point allows advanced security and monitoring features such as CleanAir, wIPS and rogue detection to operate fully on both the 2.4 and 5 GHz bands without affecting the client traffic associated with the other two radios.

Because the module operates as a dedicated radio, the access point can provide these advanced security features while also serving the client traffic. Adding an adaptive radio module is like adding an additional processor to your access point. Advanced features such as security and spectrum monitoring can operate on a dedicated radio while the access point maintains throughput and performance by serving the client traffic on the two Wi-Fi radios.

 

Special Features, Adaptive Radio Modules

Adaptive Radio Modules allow for the diverse requirements of today’s networks, while future-proofing for the technology of tomorrow. The three flavors of adaptive radio modules provide customers with a leg up on various networking challenges.

- The 802.11ac radio module is the first of its kind in the industry and offers wire-like performance ideal for supporting HD video and high client density deployments

- The WSSI Module delivers always-on spectrum intelligence and proactive security scanning without affecting client performance

- The 3G Small Cell Module allows operators to concurrently offer a Wi-Fi/3G cellular infrastructure in a single access point

What makes Cisco unique is that our 3600 AP has a modular design, so it can support different radio types to address emerging client needs while providing investment protection for new and existing deployments.

 

With our Adaptive Radio Modules, Cisco’s strong portfolio touts:

- The first Enterprise Class Access Point to support the new 802.11ac Wave 1 standard

- The first solution to deliver combined Wi-Fi Serving, Spectrum Analysis and Threat Detection & Mitigation into a single Access Point

- The only solution to concurrently provide 3G Small Cell support and state of the art 802.11n-based 4x4 MIMO Wi-Fi

 

Adaptive Radio Modules can be used in the enterprise

Without the flexibility of the Adaptive Radio Modules, a customer would have to deploy an overlay network to support the additional radios in the case of the 802.11ac module and the 3G Small Cell. In the case of the WSSI Module, a customer would have to deploy an additional access point that exclusively monitors the traffic for security and spectrum issues.

In all cases, adding equipment to the network is costly in terms of deployment and maintenance, and there is also the cost of running Ethernet cables for the additional equipment and of the Ethernet port that has to be taken up on a switch.

With the Adaptive Radio Modules deployed, there is a reduction in this cost since this technology can be added to an existing deployed network. Cisco estimates that there is a 30%+ CAPEX cost savings by eliminating the need for a separate:

  • Overlay of additional access points to support 802.11ac, 3G or Security Monitors
  • Ethernet cabling and Access Layer port required by each additional Access Point
  • Typical cabling infrastructure costs, typically running from $750-$1000 per pull, including labor
  • Within the Healthcare industry, this cost is typically 2-3 times more

 

With the Adaptive Radio Modules, not only does the customer get the benefits of being able to deploy advanced technology but there is a significant cost saving to be gained as well.

Reference from http://blogs.cisco.com/wireless/adaptive-radio-modules-for-the-3600-series-ap-best-of-interop-2013-finalist/

More Cisco network Module Reviews:

Cisco 802.11ac Module for the Cisco 3600 Access Point

Cisco Enterprise-level Access Points Top Out at Nearly 400Mbps

How to Connect Cisco Wireless Access Point?


Cisco Catalyst 3650 Series Fixed GE Access Switch

December 2 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

The Cisco Catalyst 3650 Series Switch delivers converged wired and wireless access on a single platform, creating an uncompromised user experience in any workspace. The converged system provides a single platform for wired and wireless networkwide visibility for faster troubleshooting, advanced security and quality of service (QoS) control, maximum resiliency with fast stateful recovery, and scale with distributed wired and wireless data plane.

 

The Cisco Catalyst 3650 is built on the advanced Cisco StackWise-160, and takes advantage of the new Cisco Unified Access Data Plane (UADP) application-specific integrated circuit (ASIC). This switch can enable uniform wired-wireless policy enforcement, application visibility, flexibility, application optimization, and superior resiliency. The Cisco Catalyst 3650 Series Switches support full IEEE 802.3at Power over Ethernet Plus (PoE+), and offer modular and field-replaceable redundant fans and power supplies. They can help you increase wireless productivity and reduce your TCO.

 

All Cisco Catalyst 3650 Series Switches have fixed, built-in uplink ports. Customers can choose from three types of uplink ports at the time of the switch purchase:

• 4 x Gigabit Ethernet with Small Form-Factor Pluggable (SFP)

• 2 x 10 Gigabit Ethernet with SFP+ or 4 x Gigabit Ethernet with SFP

• 4 x 10 Gigabit Ethernet with SFP+ or 4 x Gigabit Ethernet with SFP

 

The SFP+ interface supports both 10 Gigabit Ethernet and Gigabit Ethernet ports. Refer to Table 1 for a description of the basic switch models and the corresponding uplink ports. Refer to Table 2 for a description of the various uplink port interface options.

 

Cisco Catalyst 3650 Highlights

Built on Cisco Unified Access Data Plane (UADP) application-specific integrated circuit (ASIC) with programmability to support Cisco ONE Enterprise Networks Architecture and software-defined networking (SDN)

Integrated wireless LAN controller functionality

Native Flexible NetFlow (FnF) on all ports

Granular, hierarchical bandwidth management

Cisco TrustSec support

 

Cisco Catalyst 3650 Primary Features

Integrated wireless LAN controller capability with:

- Up to 40G of wireless capacity per switch (48-port models)

- Support for up to 25 access points and 1000 wireless clients on each switch or stack

24 and 48 10/100/1000 data and Power over Ethernet Plus (PoE+) models with Energy-Efficient Ethernet (EEE)

- Optional Cisco StackWise-160 technology provides scalability and resiliency with 160 Gbps of stack throughput (for additional wired and wireless capabilities, please visit the Cisco Catalyst 3850 Series Switches page)

- Fixed, built-in 4 x Gigabit Ethernet, 2 x 10 Gigabit Ethernet, or 4 x 10 Gigabit Ethernet Small Form-Factor Pluggable (SFP) and SFP+ uplink ports

- Dual redundant power supplies and three modular fans, providing higher redundancy

- Full IEEE 802.3at (PoE+) with 30W power on all ports in 1 rack unit (RU) form factor

Software support for IPv4 and IPv6 routing, multicast routing, modular QoS, FnF Version 9, and advanced security features

Single, consistent Cisco IOS XE Software image across all license levels, providing an easy upgrade path for access points and software features

Enhanced limited lifetime warranty (E-LLW) with next business day (NBD) advance hardware replacement and 90-day access to Cisco Technical Assistance Center (TAC) support

 

Switch Configurations

The Cisco Catalyst 3650 Series Switches are available in LAN Base, IP Base, and IP Services feature sets. All switches ship with a default AC power supply. A DC power supply can be purchased as an option or spare. The base switch does not include any access point licenses. Figure 1 shows the Cisco Catalyst 3650 Series.

Figure 1. Cisco Catalyst 3650 Series Switches (Front and Back)

(Image: Cisco-Catalyst-3650-Series-Switches--Front-and-Back-.jpg)

Table 1. Comparison of the different switch models.

(Image: Model-Comparison-for-Cisco-Catalyst-3650-Series-Switches.jpg)

StackWise-160 Technology

The Cisco Catalyst 3650 provides maximum data, power, and wireless resiliency using Cisco StackWise-160 technology, which is built on the highly successful, industry-leading Cisco StackWise technology. StackWise-160 provides optional stacking with 160 Gbps of bandwidth for resiliency within the stack. The stack behaves as a single switching unit that is managed by an active switch elected from one of the member switches. The active switch creates and updates all the switching, routing, and wireless tables. In the event of an active member failure, the standby member assumes the role of the active switch, keeping the stack operational.

 

Cisco Catalyst 3650 Primary Advantages

Converged Wired and Wireless Platform

The Cisco Catalyst 3650 is a stackable platform that converges wired and wireless services on a Cisco IOS XE Software based platform. The CAPWAP tunnels from the access points terminate at the 3650 switch, enabling users to configure and apply software features such as QoS, security, and FnF across wired ports and wireless SSIDs on the same switch at the same time. The converged wired and wireless platform supports the Cisco Unified Access solution. With “one policy, one management, one network,” the Cisco Catalyst 3650 and Cisco Unified Access help IT spend less time running the network and more time on business innovation.

Advanced Security

The Cisco Catalyst 3650 is hardware capable of supporting Cisco TrustSec functionality. Cisco TrustSec uses the device and user credentials acquired during authentication for classifying the packets by security groups as they enter the network with scalability and simplified management. The classification is maintained through the network by the security group tag (SGT) and through integration with the Cisco Identity Services Engine. The Cisco Catalyst 3650 is also hardware-ready for link layer MACsec encryption, which provides networkwide encryption to protect data traffic across the network.

Application Visibility and Control (AVC)

With native support for FnF on all ports, the Cisco Catalyst 3650 can monitor both east-west and north-south wired traffic at the same time. The Cisco Catalyst 3650 switch terminates the wireless CAPWAP tunnels from the access point, providing full visibility into the wireless traffic at the switch. Because the wireless traffic is now visible at the switch, it is possible to identify wireless traffic using FnF and prioritize it using advanced QoS capabilities, for an improved user experience and faster troubleshooting.

SmartOperations

The Cisco Catalyst 3650 supports Cisco Catalyst SmartOperations. SmartOperations features such as Auto Smartports, Auto QoS, and Smart Install reduce deployment time by automating most of the basic switch and port configurations.

Foundation for Cisco ONE Enterprise Networks Architecture

The Cisco Catalyst 3650 is built on the UADP ASIC, which provides wire-rate hardware performance with software programmability. The UADP ASIC features a programmable data plane, enabling deployment of SDN services and support of future software features over the product lifetime. The Cisco Catalyst 3650 supports the Cisco ONE Enterprise Networks Architecture for openness, programmability, and operational simplicity.

Reduced Total Cost of Ownership

The Cisco Catalyst 3650 reduces the total cost of ownership and provides superior investment protection through:

• Built-in wireless controller functionality

• Optional stacking

• Support for fixed GE or 10 GE uplink

• Support for IP Base and IP Services software options

• Dual redundant power supply and three individual fans to help ensure high availability

• E-LLW with NBD advance hardware replacement and 90-day access to Cisco TAC support

More Related Cisco 3650 Series News:

New Catalyst 3650 Series, Main FEATURES, Comparisons, Modules and Supports

Cisco to Unveil New Catalyst Access Switch to Converge Wired&Wireless Networking

Cisco Released Wave 2-Ready 802.11ac Access Point and Catalyst 3650

Read more

Cisco Business Edition 6000 General Qs

November 26 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

Cisco Business Edition 6000 (BE 6000) is a packaged solution optimized for medium-sized business requirements. It is a combination of Cisco Unified Communications applications on the Cisco Unified Computing System (Cisco UCS) that offers midsize customers’ business agility and reduced TCO through server consolidation, operational efficiency and scalability, improved business continuity, and greater investment leverage.

Cisco BE 6000 consists of the following foundational elements:

• Cisco UCS C220 M3 Rack-Mount Server

• Cisco UC Virtualization Hypervisor

• Cisco Licensing

• Cisco Unified Communications Manager

• Cisco Instant Messaging and Presence with the Cisco Jabber messaging integration platform

• Cisco Unity Connection

• Cisco Prime Collaboration Provisioning

You can optionally install the following applications to the BE 6000 solution:

• Advance Video with Cisco TelePresence conferencing application

• Cisco Unified Contact Center Express

• Cisco Emergency Responder

• Cisco Paging Server

• Cisco Unified Provisioning Manager (older option of management application)

• Cisco Unified Attendant Console (not preloaded; needs to be purchased separately)

In addition, Cisco BE 6000 integrates with cloud-based Cisco WebEx Software-as-a-Service offerings including WebEx Connect IM and Presence, as well as WebEx Web Conferencing.

Cisco BE 6000 comes with two hardware options of Cisco UCS 220 M3 Server:

1. The Medium Density server supports a maximum of five virtual machines (four collaboration applications and one management application) - support for a maximum of 1200 devices.

2. The High Density server supports a maximum of nine virtual machines (eight collaboration applications and one management application) - support for a maximum of 2500 devices.

Note: Both options support a maximum of 1000 users.

What is the difference between Cisco Business Edition 6000 and generic unified communications applications on Cisco UCS ("UC on UCS")? The table below shows the differences between Cisco BE 6000 and deployments with Unified Communications applications on Cisco UCS.

[Image: Differences between Cisco BE 6000 and deployments with Unified Communications applications on Cisco UCS]

Maximum Capacities of Cisco BE 6000 (attribute: capacity)

• Maximum number of users: 1000 users

• Maximum number of mailboxes and voicemail ports: 1000 mailboxes and 24 voicemail ports per server

• Message storage: approximately 72,944 G.711 codec minutes

• Number of contact center agents: 100 agents and 10 supervisors

• Number of presence users: 1000 presence users

• Number of devices supported: Medium Density server 1200; High Density server 2500

• Maximum number of co-resident applications per server: Medium Density server five applications (4 collaboration + 1 management); High Density server nine applications (8 collaboration + 1 management)

• Busy-hour call attempts: 5000

About Deployment Model-Cisco Business Edition 6000

Cisco BE 6000 supports fully featured redundancy for both LAN and WAN environments. You can deploy a redundant server for Cisco Unified Communications Manager, Cisco Unity Connection, Cisco Unified Presence, and Cisco Unified Contact Center Express applications in a remote location over your WAN.

The Cisco BE 6000 Medium Density server supports up to five co-resident applications. However, the Cisco Virtualization Hypervisor software with license comes standard with Cisco BE 6000, and is entitled for two CPU sockets and 16 GB of virtual memory to deploy additional applications. Following are configuration scenario examples:

Scenario 1: Fully redundant configuration

• Cisco BE6000 Medium Density server 1: Cisco Unified Communications Manager, Cisco Unity Connection, Cisco Unified Presence, Cisco Unified Contact Center Express, and Cisco Unified Provisioning Manager (primary)

• Cisco BE6000 Medium Density server 2: Cisco Unified Communications Manager, Cisco Unity Connection, Cisco Unified Presence, and Cisco Unified Contact Center Express (secondary)

• Cisco BE6000 Medium Density server 3: Cisco Unified Attendant Console

Scenario 2: Redundancy for Cisco Unified Communications Manager with Cisco Unified Contact Center Express only

• Cisco BE6000 Medium Density server 1: Cisco Unified Communications Manager, Cisco Unity Connection, Cisco Unified Presence, Cisco Unified Contact Center Express, and Cisco Unified Provisioning Manager (primary)

• Cisco BE6000 Medium Density server 2: Cisco Unified Communications Manager, Cisco Unified Attendant Console, and Cisco Unified Contact Center Express (secondary)

Scenario 3: Cloud-based IM and presence

• Cisco BE6000 Medium Density server 1: Cisco Unified Communications Manager, Cisco Unity Connection, Cisco Unified Contact Center Express, Cisco Unified Attendant Console, and Cisco Unified Provisioning Manager (primary)

• Cisco BE6000 Medium Density server 2: Cisco Unified Communications Manager, Cisco Unity Connection, and Cisco Unified Contact Center Express (secondary)

Optional Cisco Virtualization Foundation Edition is entitled for two CPU sockets and 32 GB of virtual memory and enables the VMware vCenter compatibility feature.

Cisco Business Edition 6000 supports more than two nodes in the cluster. You can deploy Cisco BE 6000 with more than three nodes in the cluster as long as the user count does not exceed 1000 users.

Is Cisco Prime Collaboration Provisioning bundled with Business Edition 6000 different from the enterprise version of Cisco Prime Collaboration Provisioning? I have been using Cisco Unified Provisioning Manager Business Edition to manage Business Edition 6000; how do I migrate to the new management application Cisco Prime Collaboration Provisioning? Can I install Cisco Business Edition 6000 on a different specifications-based Cisco UCS Server or on a third-party server? Can I install any third-party application server on Cisco Business Edition 6000 hardware? For these and more questions about Cisco BE6000 and its licensing options, read the full page Cisco Business Edition 6000 Q&A.

More Cisco BE6000 REVIEWS:

Cisco BE6000 (Business Edition 6000) Solution

Read more

Common Issues with ASA 8.6 Version

November 14 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

This article describes an issue faced by a user on ASA version 8.6.

Here the Problem is:

The user is running an ASA 5525 with version 8.6 and is trying to ping through different interfaces, but is not able to. The test results are listed below:

• Can PING between the outside interface and the next hop (same subnet)

• Cannot PING between the inside interface and the next hop (same subnet)

• Cannot PING between the DMZ interface and the next hop (same subnet)

Please see below configuration for firewall for reference.

interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 16.x.x.x 255.255.255.248
!
interface GigabitEthernet0/1
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/1.16
 vlan 16
 nameif inside
 security-level 100
 ip address 17.x.x.x 255.255.255.0
!
interface GigabitEthernet0/3
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/3.69
 vlan 69
 nameif dmz
 security-level 50
 ip address 18.x.x.x 255.255.255.0
!
access-list o_inside extended permit icmp any any
access-list o_inside extended permit icmp any any echo
access-list o_inside extended permit icmp 17.x.x.x (Inside interface) 255.255.0.0 18.x.x.x (DMZ interface) 255.255.255.0
access-list o_inside extended permit icmp 17.x.x.x (Inside interface) 255.255.0.0 18.x.x.x (DMZ interface) 255.255.255.0
!
access-list o_dmz extended permit icmp any any
access-list outside extended permit icmp any any
access-list outside extended permit icmp any any echo-reply
!
icmp permit any outside
icmp permit any dmz
!
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
route inside 17.x.0.0 (Whole inside interface subnet) 255.255.0.0 17.x.x.x (Internal Network) 1
route dmz 17.x.x.0 (Internal) 255.255.255.0 18.x.x.x (DMZ Network) 1
route outside 18.x.x.0 (DMZ) 255.255.255.0 16.x.x.x (Outside Network) 1

The user wants to know what should be added to achieve the result described above.

 

Solution:

By default, without any additional configuration, the ASA accepts ICMP directed at its own interfaces.

Check the output of "show arp" and see if you can see the IP address (and the MAC address) of the host/router you are trying to ping.

 

The four "static" configurations below are pretty basic, but two of them are Static Identity NAT configurations that you probably won't need in the new software.

The two configurations below probably won't need any corresponding configuration in the new ASA software, since the traffic should go through without NAT configurations.

static (dmz,inside) 192.168.1.85 192.168.1.85 netmask 255.255.255.255

static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

 

The Static NAT configurations below can easily be converted using Auto NAT / Network Object NAT. Use "object" names that describe the setup rather than generic names.

static (dmz,outside) 200.190.70.87 192.168.1.56 netmask 255.255.255.255

static (dmz,outside) 200.190.70.85 192.168.1.85 netmask 255.255.255.255

object network STATIC-1

host 192.168.1.56

nat (dmz,outside) static 200.190.70.87

 

object network STATIC-2

host 192.168.1.85

nat (dmz,outside) static 200.190.70.85

 

The best way to find possible problems with the ASA configuration is to use the "packet-tracer" command. It tells you whether traffic is being blocked by an ACL or failing because of NAT.

 

For a connection coming from behind "outside" you can use this format of the command

packet-tracer input outside tcp <source ip> 12345 <server nat ip> <destination port>

To test anything else you naturally just switch the "input <interface name>" to the one where the traffic is sourced from. You will naturally also have to check whether you need to use "tcp" or "udp" and also select a source/destination IP/port.

 

Taking the output of the following commands should help you to troubleshoot possible problems

 

You could take "packet-tracer" command output of both of the above mentioned cases. For example testing connectivity from "outside" to the "dmz" server. And the previous problem with testing connection from "inside" to "dmz" server.

 

If you are doing Dynamic PAT from "inside" to "dmz" and you remove the above "static" commands that refer to "(inside,dmz)", then users wouldn't be able to connect from "dmz" to those "inside" IP addresses (the ones in those static commands). This is the main reason why Dynamic PAT is not encouraged between local interfaces: it complicates the NAT configuration when users have to add extra NAT configurations to override the problems caused by the Dynamic PAT.

 

For the "management" interface you probably don't need any new NAT configuration.

 

The Dynamic PAT from "inside" to "dmz" means that you would need some Static Identity NAT configuration mentioned above also in the new software otherwise the ASA would drop the connection attempts.

nat (inside,dmz) after-auto source dynamic inside-pat-source dmz-pat-global
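As an added example (not part of the original post or the user's configuration), here is how the identity NAT between "inside" and "dmz" referred to above could be written in 8.3+ style on ASA 8.6, followed by the ICMP form of packet-tracer for the two failing ping paths, which the post only shows for TCP. The object names and the 17.0.0.0/16 and 18.0.0.0/24 networks and hosts are constructed placeholders standing in for the masked 17.x.x.x and 18.x.x.x addresses on the page.

```text
! Constructed placeholders for the masked inside and dmz networks on the page
object network INSIDE-NET
 subnet 17.0.0.0 255.255.0.0
object network DMZ-NET
 subnet 18.0.0.0 255.255.255.0
!
! Identity (no-translation) NAT between inside and dmz in 8.3+ manual NAT
! syntax, the equivalent of the old "static (inside,dmz) x x" commands.
! Only needed if a dynamic PAT from inside to dmz would otherwise catch
! this traffic; it is evaluated before the "after-auto" dynamic rule.
nat (inside,dmz) source static INSIDE-NET INSIDE-NET destination static DMZ-NET DMZ-NET
!
! Step 1: confirm the next hop resolves at layer 2 on the failing interface
show arp
ping inside 17.0.0.1
!
! Step 2: simulate an ICMP echo request (type 8, code 0) through the ASA in
! both directions; the output shows which phase (ACL, NAT, route) drops it
packet-tracer input inside icmp 17.0.0.10 8 0 18.0.0.10
packet-tracer input dmz icmp 18.0.0.10 8 0 17.0.0.10
```

If show arp has no entry for the next hop, the problem is below the ASA (VLAN tagging on the subinterface, cabling, or the neighbour), not ACL or NAT.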

 

More Related Cisco ASA Topics:

Cisco Released Cisco ASA Software 9.0

Cisco ASA 8.4 vs. Typical NAT/PAT Configuration

Read more

How to Configure a Cisco Console Router?

November 5 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Routers

How do you set up a console server? First we should know what a console server is.

A console server is a device which, via serial ports, has access to the physical console port of several different devices commonly located in the same rack. These are most commonly seen in two different environments: labs, where a number of different pieces of equipment will be located in close proximity and constant access to the console is essential (as the configuration changes often) and the second is in remote environments where companies locate equipment without easy access to remote personnel.

Cisco Console Router Basics

For those looking to set up a reasonably priced lab environment the older Cisco 2509 (8 ports) and 2511 (16 ports) should be considered. While these are certainly a bit dated they still work fine in many environments and operate on little power and in flexible environmental conditions. For those looking to get a more modern equivalent device there are now HWIC modules (HWIC-8A, HWIC-16A) that support the same number of serial ports as the older 2509 and 2511 devices.

In either case, they utilize what is referred to as an octal cable which connects to the device with a single connector and has 8 different serial RJ-45 connectors on the other side which connect directly to the serial port of other Cisco devices. These cables can be found online for a reasonable price.

[Image: 8-port Cisco octal cable]

Cisco Console Router Configuration

The configuration of a console router is not overly complex. Since most Cisco (and other) equipment defaults to the same console settings (9600, 8, 1, Hardware) only some minor changes need to be added to ensure a good console experience. The steps to configure the console lines are shown in Table 1:

Table 1 – Console Line Configuration

Step 1: Enter privileged EXEC mode
Console>enable

Step 2: Enter device configuration mode
Console#configure terminal

Step 3: Enter line configuration mode
Note: the numbers that are used depend on the specific platform; for the 2509 they are ‘line 1 8’, for a 2511 they are ‘line 1 16’
Console(config)#line 1 16

Step 4: Disable EXEC processing
Note: This ensures that an EXEC process can’t capture the line for incoming connections
Console(config-line)#no exec

Step 5: Disable EXEC timeout
Note: This ensures that the line is kept open until purposefully closed
Console(config-line)#exec-timeout 0 0

Step 6: Enable input telnet transport
Note: The type of connection used to connect to another device’s console port through a console router is referred to as a ‘reverse telnet’
Console(config-line)#transport input telnet

The next part is to configure easy access to those connected devices, but first let’s cover why this is necessary. To create a connection from the console router to another connected device’s console port the user has to initiate a telnet connection to the console router using a port number that maps to the specific line.

For example, on the 2511, if a device’s console was connected to line 5 then a telnet connection would be initiated to console_router_ip_address using port number 2005 (for the 2511 line 1 maps to 2001 and line 16 maps to 2016 with the other lines mapping following this order). The specific mapping that is used depends on the platform. On platforms where the console ports are connected off an add-on module then what slot the add-on module was inserted into would also affect the port number to use. 

Once these numbers have been initially mapped out it is certainly not that convenient to remember each of these port numbers every time access to the lab is needed. To get around this it is common to configure a local hostname list. For example, if Router1 was connected off of line 6 and Switch 1 was connected off of line 12 the user would either have to access the console and telnet to the specific ports (2006 and 2012, respectively) or a hostname could be associated with a hostname/IP address/Port. Table 2 shows an example of the configuration needed to perform this:

Table 2 – IP Hostname List Configuration

Step 7: Exit into global configuration mode
Console(config-line)#exit

Step 8: Configure a local host entry
Console(config)#ip host hostname port-number ip-address
Note: An example of this would be:
Console(config)#ip host Router1 2006 console-ip-address

For small lab environments it is common for console routers to only be accessed via a single Ethernet connection. This is fine for lab environments, but if the console server is being used as part of a larger Out-Of-Band management plan for a production network, this single point-of-failure is unacceptable. In these situations, multiple points of access to the console router are often required to meet redundancy requirements.

On newer platforms this can be done through multiple Ethernet connections through diverse switches and/or via a backup method like dial-up. In both cases the IP address being used to access the device is different depending on the access method. It is because of this that loopback IP addresses are typically configured on console routers which are then used in the console routers ip host statements. This way, regardless of access method, the ip host statements would still work and connect the user to the correct device. The configuration for this is shown in Table 3:

Table 3 – Loopback Interface Configuration

Step 9: Create a loopback interface
Console(config)#interface loopback 0

Step 10: Configure an IP address for the interface
Note: The IP address used can be used only locally or it can be integrated into a wider IP addressing plan
Console(config-if)#ip address 10.10.10.10 255.255.255.255

Assuming the configuration shown in Table 3 was entered, the configuration for Router1 shown above would be ip host Router1 2006 10.10.10.10. To access it via the console router the command telnet Router1 would be used.
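As an added example (not from the original article), here is the complete console router configuration that Tables 1 to 3 build up, for a 2511 with Router1 on line 6 and Switch1 on line 12. The access-list and the 192.168.100.0/24 management subnet are assumptions added beyond the page to limit who can open reverse-telnet sessions, since the lines themselves have no EXEC and therefore no login prompt.

```text
! Constructed example: 2511 console router, 16 async lines on the octal cables
configure terminal
!
! Loopback used in the ip host entries so they work over any access path
interface loopback 0
 ip address 10.10.10.10 255.255.255.255
!
! Assumed management subnet allowed to reverse telnet into the async lines
access-list 10 permit 192.168.100.0 0.0.0.255
!
! Async lines; the range is platform specific (1 8 on a 2509, 1 16 on a 2511)
line 1 16
 no exec
 exec-timeout 0 0
 transport input telnet
 access-class 10 in
!
! Reverse-telnet port = 2000 + line number on a 2511
ip host Router1 2006 10.10.10.10
ip host Switch1 2012 10.10.10.10
end
!
! From the console router's EXEC prompt:
!   telnet Router1          opens the console of the device on line 6
!   clear line 6            drops a stuck session before reconnecting
```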

As the cost of used Cisco hardware continues to come down and the interest in Cisco certification continues to rise, it is becoming more common for those getting into the field to invest in a lab. Adding a console router to this environment makes the access to the lab easy and allows the student to play around with a number of different configurations without having to worry about physical access or by inadvertently closing access to the device.

For those looking to deploy console routers into production environments, the question is why have you waited this long? Out-Of-Band options are an important part of any production environment and should be a consideration from the beginning of the planning stages.

Regardless of the environment it is the intention of this article to get the console router up and going as soon as possible.

For more Cisco router topics, visit:

http://blog.router-switch.com/category/reviews/cisco-routers/

Read more

Cisco Fixes Serious Security Flaws in Networking, Communications Products

November 1 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco News

Cisco released software security updates to address denial-of-service and arbitrary command execution vulnerabilities in several products, including a known flaw in the Apache Struts development framework used by some of them.

The company released new versions of Cisco IOS XR Software to fix an issue with handling fragmented packets that can be exploited to trigger a denial-of-service condition on various Cisco CRS Route Processor cards. The affected cards and the patched software versions available for them are listed in a Cisco advisory.

The company also released security updates for Cisco Identity Services Engine (ISE), a security policy management platform for wired, wireless, and VPN connections. The updates fix a vulnerability that could be exploited by authenticated remote attackers to execute arbitrary commands on the underlying operating system and a separate vulnerability that could allow attackers to bypass authentication and download the product’s configuration or other sensitive information, including administrative credentials.

Cisco also released updates that fix a known Apache Struts vulnerability in several of its products, including ISE. Apache Struts is a popular open-source framework for developing Java-based Web applications.

The vulnerability, identified as CVE-2013-2251, is located in Struts’ DefaultActionMapper component and was patched by Apache in Struts version 2.3.15.1 which was released in July.

The new Cisco updates integrate that patch into the Struts version used by Cisco Business Edition 3000, Cisco Identity Services Engine, Cisco Media Experience Engine (MXE) 3500 Series and Cisco Unified SIP Proxy.

“The impact of this vulnerability on Cisco products varies depending on the affected product,” Cisco said in an advisory. “Successful exploitation on Cisco ISE, Cisco Unified SIP Proxy, and Cisco Business Edition 3000 could result in an arbitrary command executed on the affected system.”

No authentication is needed to execute the attack on Cisco ISE and Cisco Unified SIP Proxy, but the flaw’s successful exploitation on Cisco Business Edition 3000 requires the attacker to have valid credentials or trick a user with valid credentials into executing a malicious URL, the company said.

“Successful exploitation on the Cisco MXE 3500 Series could allow the attacker to redirect the user to a different and possibly malicious website, however arbitrary command execution is not possible on this product,” Cisco said.

Security researchers from Trend Micro reported in August that Chinese hackers are attacking servers running Apache Struts applications by using an automated tool that exploits several Apache Struts remote command execution vulnerabilities, including CVE-2013-2251.

The existence of an attack tool in the cybercriminal underground for exploiting Struts vulnerabilities increases the risk for organizations using the affected Cisco products.

In addition, since patching CVE-2013-2251 the Apache Struts developers have further hardened the DefaultActionMapper component in more recent releases.

Struts version 2.3.15.2, which was released in September, made some changes to the DefaultActionMapper “action:” prefix that’s used to attach navigational information to buttons within forms in order to mitigate an issue that could be exploited to circumvent security constraints. The issue has been assigned the CVE-2013-4310 identifier.

Struts 2.3.15.3, released on Oct. 17, turned off support for the “action:” prefix by default and added two new settings called “struts.mapper.action.prefix.enabled” and “struts.mapper.action.prefix.crossNamespaces” that can be used to better control the behavior of DefaultActionMapper.

The Struts developers said that upgrading to Struts 2.3.15.3 is strongly recommended, but held back on releasing more details about CVE-2013-4310 until the patch is widely adopted.

It’s not clear when or if Cisco will patch CVE-2013-4310 in its products, given that the fix appears to involve disabling support for the “action:” prefix. If the Struts applications in those products use the “action:” prefix, the company might need to rework some of their code.

Original News refer to http://www.pcworld.com/article/2057660/cisco-fixes-serious-security-flaws-in-networking-communications-products.html

More Related Cisco Network Topics:

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software

Cisco Patches Flaw in Security Appliances, Switches, Routers

Cisco ASA CX–Next Generation Firewall or Enterprise Firewall?

Read more