Cisco & Cisco Network Hardware News and Technology

How to Verify Cisco Switch Network Status and Operational State?

October 30 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

In the last article we talked about the “Nine Switch Commands Every Cisco Network Engineer Needs to Know”. For Cisco and many other vendors, new commands are introduced at each progressive level of system verification. Do you know which commands you should use to verify a network switch’s status and operation? In this article we will look at five essential commands that are used for that purpose. They are:

  • ping
  • traceroute
  • telnet
  • ssh
  • show cdp neighbors

ping

Available on almost all operating system platforms, including Cisco IOS, the ping command is used to verify the reachability of a targeted device. It does this by sending an Internet Control Message Protocol (ICMP) echo message to the target; if the target receives the message (and is not configured to drop it), it responds to the initial sender with an ICMP echo-reply message. In a perfect world, with no firewalls, and all devices configured to respond to these messages, the ping command would work perfectly. However, many devices (or devices en route, like firewalls) are purposely configured to ignore ICMP echo messages automatically, in order to hide their existence and avoid being targeted by attackers. In these cases, engineers must decide whether the unsuccessful ping is a real problem or a purposeful part of a network’s design.

TIP: As a general rule, don’t worry about devices that are outside your organization’s control.

Cisco IOS also has an extended version of the ping command that allows for more complex command configurations. For example, an engineer has the ability to control the source IP used (which makes sense when being run from a router configured with multiple IP addresses), the size of the messages being sent, and the content of the messages, among other options.

traceroute

The traceroute command is typically used along with the ping command to further determine the reachability of a destination. traceroute works a bit differently from ping; instead of simply sending a message to the destination directly, it aims to find the path from the source to the target destination. It does this by using either ICMP echo messages on Windows or the User Datagram Protocol (UDP) probe messages on Linux and Cisco IOS. It figures out the path by taking advantage of the IP Time to Live (TTL) field.

It’s important to understand what the TTL field does. In normal circumstances, the TTL is used as a loop-prevention mechanism; it is set to a number that is then decremented at every IP “hop.” If a packet reaches a device and its TTL is decremented to 0, the packet is dropped and an ICMP “destination unreachable” message is sent back to the source device. When used by the traceroute command, the TTL finds each of the hops in the path between the source and the destination:

  1. Initially the source sends an ICMP or UDP message to the destination with a TTL of 1.
  2. When the packet reaches the first hop, the TTL is decremented to 0; the device drops the packet and sends back an ICMP “destination unreachable” message.
  3. To find the second hop, the TTL is set to 2, for the third hop it’s set to 3, and so on; typically three packets are sent for each step toward the destination (three with a TTL set to 1, three with a TTL set to 2, and so on).
  4. These ICMP “destination unreachable” messages are received by the running traceroute command and interpreted into a readable output showing the path toward the destination.

As with the ping command, many organizations block the ICMP echo messages and some of the UDP messages, and the output should be read with this fact in mind.

The traceroute command on Cisco IOS is extended in the same way as the ping command, with a variant that allows for extended command configurations. The options offered by traceroute mirror most of the options available in an extended ping.

telnet

The telnet command has been around for a long time, allowing users to manage devices via a command-line interface. Its very simple operation provides an unsecured Transmission Control Protocol (TCP) session between the source and destination. Characters entered on the source are immediately relayed to the destination, providing an experience on Cisco IOS (and Linux) that is the same as if the user were directly connected into the device locally.

CAUTION

A key term to take from this description is unsecured: the username and login information are sent between the source and destination in clear text.

The telnet command uses TCP port 23.

ssh

The ssh (secure shell) command works similarly to the telnet command but creates a secure communications channel between source and destination. This means that the username and password are not sent in clear text and are protected (at least to some level) from anyone listening in on the conversation.

The ssh command uses TCP port 22.

show cdp neighbors

The show cdp neighbors command is used on a Cisco IOS device to view neighboring devices discovered by the Cisco Discovery Protocol (CDP). CDP is a Cisco proprietary protocol used for Layer 2 discovery; it has the ability to discover all other supporting CDP devices on a shared segment. (It doesn’t work across Layer 3 devices.) The following example shows some typical output of this command:

R1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R2               Fas 0/0            172              R    7206VXR   Fas 0/0
R1#

In this example, we learn that the remote device (R2) is connected via R1’s FastEthernet0/0 interface and is connected to R2’s FastEthernet0/0 interface, and R2 is a Cisco 7206VXR router. This information is very helpful when mapping out unfamiliar networks. It can also be used to help ensure that a device is connected to the correct remote device(s) on the correct interface; as engineers often must configure devices remotely, this command is useful when installing new equipment, to ensure that physical interfaces are connected to the appropriate networks.

Keep in mind that CDP is a proprietary protocol and will not work to discover most other non-Cisco devices; this command is enabled by default on Cisco devices. A standards-based alternative to CDP is the Link Layer Discovery Protocol (LLDP)—IEEE 802.1AB, which is supported by many other vendors, but is not enabled by default on Cisco devices.
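Checking that each interface faces the intended neighbor can be scripted. The following is an added example, not part of the original article: it parses show cdp neighbors output and compares it with an expected cabling map. The second neighbor entry, its device name, and the EXPECTED map are constructed for illustration.

```python
import re

# Constructed sample: the R1 output shown above plus one hypothetical entry
# whose long device ID wraps onto its own line, as IOS prints it.
SAMPLE = """\
R1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R2               Fas 0/0            172              R    7206VXR   Fas 0/0
access-sw-floor3.example.net
                 Fas 0/1            150             S I   WS-C2960  Gig 0/1
R1#
"""

# Hypothetical cabling plan: local interface -> (device ID, remote port).
EXPECTED = {
    "Fas 0/0": ("R2", "Fas 0/0"),
    "Fas 0/1": ("access-sw-floor3.example.net", "Gig 0/2"),
}

# One table row. Interface names contain a space ("Fas 0/0") and the
# capability column holds one or more single-letter codes.
ROW = re.compile(
    r"^(?P<device>\S+)\s+"
    r"(?P<local>[A-Za-z]+ \d[\d/.]*)\s+"
    r"(?P<hold>\d+)\s+"
    r"(?P<caps>(?:[A-Za-z]\s+)+)"
    r"(?P<platform>\S+)\s+"
    r"(?P<port>[A-Za-z]+ ?\d[\d/.]*)\s*$"
)


def parse_cdp_neighbors(text):
    """Return one dict per neighbor row found after the table header."""
    neighbors = []
    in_table = False
    pending = None  # device ID that wrapped onto its own line
    for line in text.splitlines():
        if line.startswith("Device ID"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        if pending is not None:
            # Rejoin a wrapped device ID with the rest of its row.
            line = pending + " " + line.strip()
            pending = None
        elif len(line.split()) == 1 and not line.rstrip().endswith("#"):
            pending = line.strip()
            continue
        m = ROW.match(line)
        if m:  # the trailing CLI prompt and other noise do not match
            neighbors.append({
                "device": m["device"],
                "local": m["local"],
                "holdtime": int(m["hold"]),
                "capabilities": m["caps"].split(),
                "platform": m["platform"],
                "port": m["port"],
            })
    return neighbors


def check_cabling(neighbors, expected):
    """Compare discovered neighbors with the plan; return discrepancies."""
    seen = {n["local"]: (n["device"], n["port"]) for n in neighbors}
    findings = []
    for local, want in expected.items():
        got = seen.get(local)
        if got is None:
            findings.append((local, "missing", want, None))
        elif got != want:
            findings.append((local, "mismatch", want, got))
    for local, got in seen.items():
        if local not in expected:
            # A neighbor nobody planned for deserves a closer look.
            findings.append((local, "unexpected", None, got))
    return findings


if __name__ == "__main__":
    for finding in check_cabling(parse_cdp_neighbors(SAMPLE), EXPECTED):
        print(finding)
```
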

Reference Article from http://www.ciscopress.com/articles/article.asp?p=2420613


Nine Switch Commands Every Cisco Network Engineer Needs to Know

October 30 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

There is no doubt that a Cisco network engineer needs experience with a wide variety of commands used with network technology. At the Cisco Certified Network Associate (CCNA) level, Cisco has indicated a number of commands that should be known initially for Cisco network switches.

This article covers these commands, explaining what they do and how they alter the behavior and/or use of a Cisco switch.

Some terms you need to read with examples

#1: hostname hostname

One of the most basic network commands, hostname configures the hostname used for a device. This hostname identifies the device to other locally connected devices for protocols such as the Cisco Discovery Protocol (CDP), which helps in the identification of devices attached directly to the network. Although it is not case-sensitive, the hostname must follow certain rules: It must begin with a letter and end in a letter or digit, and interior characters must be letters, digits, or hyphens (-).

#2: ip default-gateway gateway

The ip default-gateway command configures the default gateway for a switch when IP routing is not enabled (with the ip routing global configuration command), which is typical when lower-level Layer 2 switches are being configured. The easiest way to determine whether IP routing has been enabled is to run the show ip route command. When IP routing has not been enabled, the output will look similar to the following example:

SW1#show ip route
Default gateway is 10.10.10.1

Host               Gateway           Last Use    Total Uses  Interface
ICMP redirect cache is empty
SW1#

When IP routing is enabled, the output looks similar to the output displayed on a router:

SW1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.10.10.0/24 is directly connected, Vlan1
L        10.10.10.10/32 is directly connected, Vlan1
SW1#

NOTE: The configuration entered with the ip default-gateway command has no effect when IP routing is enabled.

#3: username username {password | secret} password

The username command configures a username and associates a password with it. Using the password or secret version of this command is a matter of security:

  • The password version of this command will do one of two things with the configured password:
    • Place the password into the configuration in plaintext (if the service password-encryption command is not enabled).
    • Put the password through a Cisco-proprietary encryption algorithm before placing it into the configuration. (Note that this encryption is easily reversed.)
  • The secret version of this command will create an MD5 hash with the configured password and then place it into the configuration. This reconfigured password is much harder to crack than the encrypted version created with the password version of this command.

This username/password can be used for a number of different features, including Telnet and SSH.

#4: enable {password | secret} password

The enable command configures the password that will be used to access a switch's privileged configuration mode. Because all configuration of a Cisco IOS switch requires privileged configuration mode, keeping this password private is very important. As with the username command, this command has two options: password and secret. The differences between these two options are the same as those for the username command in the preceding section. The enable secret version of the command should be used in all production environments.

Console and Terminal Login Commands

Five commands are used to configure login via the console and virtual terminal (VTY) lines of a switch:

  • password
  • login
  • exec-timeout
  • service password-encryption
  • copy running-config startup-config

The following sections describe these individual commands.

Password password

When entered in line-configuration mode (console or terminal), the password command is used to configure the password that will be used to access a switch from that specific line, depending on the line mode (console or terminal). However, the password configured with this command is used only if the login command is used (which is the default).

Login [local]

The login command is used to enable password checking on an interface. If this command is used without any parameters, the system will check the password entered at login against the one entered with the password command discussed in the preceding section. If used with the local parameter, both username and password will be prompted, and the entries will then be checked against the local username database that was created with the username command discussed previously.

Exec-timeout minutes [seconds]

The exec-timeout command is used to configure the amount of time that can pass before a device considers the connection idle and disconnects. By default, timeout is set to 10 minutes. This timeout can be disabled with the no exec-timeout command. (This command is a shortcut and actually enters the exec-timeout 0 0 command into the configuration.)

Service password-encryption

The service password-encryption command is used to enable the encryption of configured passwords on a device. The passwords referenced with this command are the ones configured with a command's password parameter, such as username password and enable password. The passwords encrypted with this command are not highly encrypted and can be broken relatively easily. By and large this command is deprecated, as most network engineers will use the secret version of the appropriate commands; however, even weak protection is better than nothing.

Copy running-config startup-config

The copy running-config startup-config command (popularly shortened to copy run start) is one of the most fundamental commands learned by new Cisco network engineers. It copies the active configuration (running-config) on a device to non-volatile memory (NVRAM) (startup-config), which maintains a configuration across a reload. Without this command, a configuration can be lost when a device is reloaded or powered off. The copy command can also be extended to save configuration and IOS images to and from a local device, as well as to and from different locations on the local device.
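The password and line-login settings described above can be checked mechanically in a saved configuration. The following is an added example, not part of the original article: a small auditor run over a weak and a corrected configuration. Both configurations, all passwords and hash strings, and the rule names are constructed for illustration; transport input is a standard IOS line command that the article does not cover.

```python
import re

# Constructed configuration using the weak forms the article warns about.
WEAK_CONFIG = """\
hostname SW1
enable password Example123
username admin password 0 Example123
username ops secret 5 $1$EXAMPLE$constructedHashPlaceholder
line con 0
 exec-timeout 0 0
 password Example123
 login
line vty 0 4
 login local
 transport input telnet ssh
"""

# Constructed corrected version: secret forms, idle timeout, SSH only.
HARDENED_CONFIG = """\
hostname SW1
service password-encryption
enable secret 5 $1$EXAMPLE$constructedHashPlaceholder
username admin secret 5 $1$EXAMPLE$constructedHashPlaceholder
username ops secret 5 $1$EXAMPLE$constructedHashPlaceholder
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
"""


def audit_config(text):
    """Return (scope, rule) findings for weak login settings."""
    findings = []
    lines = text.splitlines()
    encrypted = any(l.strip() == "service password-encryption" for l in lines)
    password_entries = 0  # entries using the reversible "password" form
    section = None        # current "line ..." block, if any
    for raw in lines:
        line = raw.strip()
        indented = raw.startswith(" ")
        if not indented:
            section = line if line.startswith("line ") else None
        if re.match(r"enable password\b", line):
            findings.append(("global", "ENABLE_PASSWORD"))
            password_entries += 1
        user = re.match(r"username (\S+) password\b", line)
        if user:
            findings.append(("username " + user.group(1), "USERNAME_PASSWORD"))
            password_entries += 1
        if section and indented:
            if line in ("exec-timeout 0 0", "no exec-timeout"):
                # Idle sessions on this line are never disconnected.
                findings.append((section, "NO_EXEC_TIMEOUT"))
            if line == "no login":
                # Password checking is disabled on this line.
                findings.append((section, "NO_LOGIN"))
            if re.match(r"transport input\b", line) and re.search(
                    r"\b(telnet|all)\b", line):
                # Telnet carries credentials in clear text.
                findings.append((section, "TELNET_ALLOWED"))
            if line.startswith("password "):
                password_entries += 1
    if password_entries and not encrypted:
        # Without service password-encryption these are stored in plaintext.
        findings.append(("global", "PLAINTEXT_PASSWORDS"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg))
```
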

Network engineers must learn many Cisco OS commands in the process of becoming a CCNA (and beyond), and understanding these basic management commands is where the process starts. Without the knowledge of how to access devices, the complex commands are useless. You must understand when learning these concepts that they are intended to be stacked on top of each other. Lack of knowledge of a few base concepts undermines learning other, more advanced concepts that build on top of those basics.

The Reference Article from http://www.ciscopress.com/articles/article.asp?p=2420612


Cisco’s IoT Part-Cisco Mobile IP Gateway 2450

September 25 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network, #Cisco Technology - IT News

The MIG-2450 is a gateway specifically designed for transportation solutions in environments such as buses, trains and planes.


Now, Cisco is focusing on the Internet of Things and delivering more than a dozen new IoT-focused products and a handful of services for channel partners. IoT can do many things for industries.

The IoT is transforming the mass transportation industry. With smart, connected devices, transit companies can monitor hundreds of details about vehicles, tracks, environmental conditions, and much more. IoT technology can also help businesses deliver the value-add services passengers are beginning to expect, such as onboard Wi-Fi.

The challenge for today’s transportation companies is to find secure, efficient ways to put this IoT technology to work. Connecting devices and endpoints across a complex, wide-ranging transportation network can take a lot of time and resources.

Cisco designed the Cisco Mobile IP Gateway 2450 to help simplify these tasks.

The MIG-2450 is a mobile connectivity gateway that delivers high availability communications between central offices, trackside operators, and transit vehicles by integrating GPS, Ethernet, Wi-Fi, and mobile broadband modems.

The MIG-2450 helps you comply with safety and interoperability regulations. It also gives you a way to collect and analyze data without the need for yet another piece of hardware to fit onboard a vehicle. And its modular design provides powerful connectivity for the services and applications that enhance the transportation experience for passengers and workers alike.

Benefits

• Automate and improve communication between the back office and transit vehicles.

• Boost efficiency and simplify decision making with visibility into vehicles, workers, and security system statuses.

• Enhance the user experience with new, value-added Wi-Fi services for passengers.

• Improve safety for passengers and employees with telematics, driver performance monitoring, and systems analytics applications.

• Reduce operational costs by automating systems management and streamlining PTC compliance for safety and speed enforcement.

Built for a Wide Range of Use Cases

The Cisco Mobile IP Gateway 2450 helps make your transportation operations more efficient, cleaner, and safer. And less costly to run.

With this critical component in your network infrastructure, you can:

• Provide high-performance passenger Wi-Fi

• Implement and manage onboard information systems

• Make transportation safer with wireless surveillance

• Comply more easily with safety and speed regulations

• Remotely monitor and manage mobile assets

• Monitor driver and vehicle performance in real time

• Run systems analytics applications

Offering Options for the Way You Do Business

The MIG-2450 delivers the following features:

• Hardened, scalable industrial system with a compact form factor, wide operating temperature range, fanless operation, and compliance with AAR Standard S-9401 and EN-50155

• Centralized management to allow operators to remotely monitor, control, and perform diagnostics

• Support for up to 4 Type-1 or 10 Type-2 interface cards for extensible connectivity

• Robust connectivity with support for quality of service (QoS), dynamic roaming, multilink load balancing and failover, and link monitoring

• Durable security through Internet Protocol Security (IPsec), Secure Shell (SSH), AES encryption, and datagram transport layer security (DTLS)

Info from http://www.cisco.com/c/dam/en/us/products/collateral/se/internet-of-things/at-a-glance-c45-735028.pdf

More new IoT-related products announced from Cisco (15 in total) include:

  • IE5000 purpose-built switch designed for manufacturing and cities.
  • IW3702 wireless access point for mass transit systems and city-wide wi-fi deployments.
  • IR 809 and IR 829 series of industrial routers with wi-fi and 4G/LTE connectivity for transportation organizations.
  • 4G/LTE modules for CGR 1000 for utility companies, 5921 Embedded Services Routers for industrial networking in remote locations.
  • 360° 5MP & 720p IP cameras for situational awareness. They're also outfitted with audio and digital sensors.
  • Physical security analytics applications that connect to the IP cameras.
  • Fog computing data services for the creation of policies that can monitor and then take action on data that flows through an IoT environment.
  • IoT Field Network Director for monitoring and customizing IoT network infrastructure.
  • Fog Director for centrally managing apps that run at the network's edge.


The Latest Cisco Industrial Router Family

September 22 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Routers, #Cisco Technology - IT News

Cisco IoT---Securely and Reliably Connect All Areas of Your Business


Cisco fleshed out its Internet of Things system and product line in early June this year.

IoT, the Internet of Things, is one of the most profound transitions in technology today.

The Cisco IoT System is a comprehensive set of technologies and products for enterprises to help accelerate the transition to an intelligent, IoT-based infrastructure. This broad portfolio of infrastructure technologies and products can enable customers to connect, manage, and control previously unconnected devices.

Gain deeper insights with analytics on IoT data. Better secure your physical and digital assets and data. And innovate by creating and deploying IoT applications from the cloud to the fog.

Cisco IoT System can enable industries such as manufacturing, energy, transportation, public safety, and smart cities to deploy and accelerate IoT solutions.

In San Francisco, an integrated, Internet of Things (IoT)-based network with parking, garage, and roadway sensors reduced parking search time by 43 percent. And parking citations dropped by 23 percent.

On the Aegean Motorway in Greece, IoT sensors deliver real-time traffic and weather information, speeding emergency response and improving safety and travel time.

The Internet of Things is driving efficiencies and innovation in industries ranging from energy and utilities to manufacturing, public safety, and transportation. But to realize the potential of IoT, you need reliable, high-quality, high-speed network connections to collect and transmit data from a multitude of deployed devices.

The Cisco industrial router portfolio includes a range of compact, ruggedized modular platforms on which you can build a highly secure, reliable, and scalable communications infrastructure. These products are certified to meet harsh environmental standards. They support a variety of communications interfaces, such as Ethernet, serial, fiber, cellular, WiFi, Wi-SUN RF mesh, and others.

Benefits

• Reduce downtime and maintain continuous access to applications, data, and content with highly reliable platforms

• Prioritize operational traffic from SCADA networks and allocate network bandwidth using advanced quality-of-service features

• Lower operational costs and simplify new device deployments with zero-touch provisioning; manage, monitor, and update devices remotely

• Improve security with cyber and physical networkwide security policies, secure VPNs, and stateful firewalls, and gain unparalleled visibility and control

• Improve application resilience by distributing intelligence across the network using Cisco IOx, an open, extensible environment for hosting applications

• Boost efficiency and better decision making by tracking and monitoring equipment, assets, workers, and important business system components

The Cisco Industrial Router Portfolio

The complete line of industrial routers includes:

Cisco 1000 Series Connected Grid Routers: Rugged routers designed for harsh environments, like those found in the utilities industry. Ideal for integrating multiple applications, such as advanced metering infrastructure (AMI), distribution automation, distributed energy resources (DER), street lighting, and remote workforce automation, onto a single platform.

Cisco 2000 Series Connected Grid Routers: Highly secure, reliable routers for the energy and utilities industries positioned for SCADA monitoring for transmission and distribution.

Cisco ASR 903 Aggregation Services Routers: Full-featured, modular, small-footprint, and fully redundant aggregation platforms. They offer service flexibility and deliver Layer 2, IP, and Multiprotocol Label Switching (MPLS) transport for advanced Layer 2 VPN, Layer 3 VPN, and multicast services

Cisco 500 Series WPAN Industrial Routers: Wi-SUN RF mesh ruggedized routers that provide unlicensed 915-MHz, ISM-band wireless personal-area network (WPAN) communications, enabling IoT applications including smart metering, distribution automation, street lighting, and remote supervisory control and data acquisition (SCADA) monitoring.

Cisco 809 Industrial Integrated Services Routers: Very compact cellular (3G and 4G/LTE) industrial routers for remote deployment in various industries. They enable reliable and secure cellular connectivity for remote asset monitoring and machine-to-machine (M2M) solutions such as distribution automation, pipeline monitoring, and roadside infrastructure monitoring

Cisco 819 Integrated Services Routers: Compact, hardened, form factor cellular (3G, WLAN, or 4G options) routers that allow businesses to deploy secure 3G WWAN services and applications, like ATMs, wireless kiosks, digital signage, and more.

Cisco 829 Industrial Integrated Services Routers: Highly ruggedized compact cellular (3G and 4G LTE with GPS and dual SIM) and WLAN (2.4/5GHz) industrial routers supporting scalable, reliable, and secure management of fleet vehicles and mass transit applications.

Cisco 910 Industrial Router: Highly adaptable routers that you can easily integrate with third-party solutions to deliver smart city applications, such as environmental monitoring, smart parking, smart metering, and more.

Capabilities for Rugged, Industrial Settings

We designed the Cisco industrial routers to withstand harsh operating environments and to offer high-speed connectivity with the scale to handle thousands of devices. Key features include:

  1. Design for industrial applications, including extended environmental, shock, vibration, and surge ratings; a complete set of power input options; convection cooling; and DIN rail, 19-inch rack or wall mounting.
  2. Advanced security such as Dynamic Multipoint VPN, stateful firewall, and access control lists to provide multi-layered security architecture across different places in the network.
  3. Diverse modular interfaces (Ethernet, T1/E1, 3G and 4G LTE cellular, asynch/synch, serial, and others) to interface and backhaul for different existing infrastructures.
  4. Advanced quality-of-service (QoS) capabilities to support mission-critical communications, such as substation communications or SCADA.
  5. Cisco IOx, an open, extensible environment for hosting applications at the network edge for distributed intelligence.
  6. Easy and user-friendly deployment, setup, operation, and management using network management tools such as IoT Field Network Director and Industrial Operations Kit.

Reference from http://www.cisco.com/c/dam/en/us/products/collateral/routers/809-industrial-router/at-a-glance-c45-735008.pdf


LICENSING on Cisco 2960/3560/3750 Series

August 31 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco License

In this article, we will talk about licensing on the Cisco 2900/3500/3700, including the main Cisco Catalyst switches: Cisco 2960-S, 3560X/3750-X. The article covers these main topics:

  • License
  • Temporary License
  • 2960/2960-S
  • 3560/3750, 3560-G/3750-G, 3560-V2/3750-V2
  • 3560-E / 3750-E
  • 3560-X / 3750-X
  • Installing Software Licenses Using CLI
  • Removing Software Licenses Using CLI
  • License Installation on Switch Stacks.
  • List of Commands

License

These are the 3 feature sets available on the 3K platform of switches:

  • LAN Base: Enterprise access Layer 2 switching features.
  • IP Base: Enterprise access Layer 3 switching features.
  • IP Services: Advanced Layer 3 switching (IPv4 and IPv6) features

(IP Services has all the feature sets that Advipservices had; advipservices is End Of Sale: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps7077/eol_c51_519629.html)

Cisco 3560-E and 3750-E Series support the IP Base and IP Services feature sets

Catalyst 3560-X and 3750-X Series support the LAN Base, IP Base, and IP Services feature sets.

The software licenses are not affected by Cisco IOS software upgrades. A software license applies only to a specific feature set. A switch can have more than one software license, but you can enable only one license at a time.

-Software Activation is a feature that is preinstalled on the switch, which allows you to install the software license for a feature set.

-This Software Activation License is unique to a specific device. In other words, licenses are locked to the switch's unique device identifier(UDI).

-A unique device identifier is made up of two components: the product ID (PID) and serial number (SN). The serial number is an 11-digit number that uniquely identifies a device. The product ID identifies the type of device. This information can be found using the "show license udi" command on the switch CLI. So when you request a license for the switch, the first thing that you need to have is the UDI of the device.

Switch# show license udi
Device#  PID                SN            UDI
--------------------------------------------------------------------------
*2       WS-C3750E-48PD-S   CAT1033R1XU   WS-C3750E-48PD-S:CAT1033R1XU
5        WS-C3750E-48PD-S   CAT1033R1KF   WS-C3750E-48PD-S:CAT1033R1KF

Temporary License

- A temporary software license is limited to a usage period (around 60 days). After the usage period expires, the switch continues to use the temporary software license until it is restarted. Before it restarts, warning messages state the switch is running the feature set without a valid license. After the switch restarts, the switch uses a valid software license based on the hierarchy (ipservices>ipbase>lanbase). If the switch does not have a valid license, it uses the IP base software license.

Switch#show license
 
Index 1 Feature: ipservices
 
       Period left: 8  weeks 4  days    <<<<<<< Limited usage period
        License Type: Evaluation
        License State: Active, Not in Use, EULA not accepted
        License Priority: None
        License Count: Non-Counted
 
Index 2 Feature: ipbase
 
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Priority: Medium
        License Count: Non-Counted

Here is the link that you could use to request a temporary license:

https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?DemoKeys=Y

Note: On this link you should give the correct UDI of the switch (use "show license udi")

Cisco 2960/2960-S

Catalyst 2960 and 2960S switches run one of these images:

1. The LAN base software image: which provides enterprise-class intelligent services such as ACLs and QoS features. On a Catalyst 2960-S switch, stacking is also supported.

2. The LAN Lite image: This image provides reduced functionality.

The Catalyst 2960S ships with a universal image that includes cryptographic functionality. The software image on the switch is either the LAN base or LAN Lite image, depending on the switch model.

How to determine which image your switch is running on 2960?

i. Switches running the LAN Lite image do not support the FlexStack module. They do not have a FlexStack module slot on the rear of the switch. (More on FlexStack: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6406/white_paper_c11-578928.html)

ii. On the front of the switch, the label in the top right corner ends in –S if the switch model runs the LAN Lite image.

iii. Enter the show version privileged EXEC command. The line that shows the product ID also ends in either –L (if running the LAN base image) or –S (if running the LAN Lite image). For example, WS-C2960S-48PD-L is running LAN base; WS-C2960S-24TS-S is running LAN Lite image.

Cisco 3560/3750, 3560G/3750G, 3560V2/3750V2

Catalyst 3750 and 3560 switches run feature-specific software releases and do not support software activation. The Catalyst 3560 switch is supported by either the IP base image or the IP services image. Hence the show license command doesn't work.

3560G#show license
             ^
% Invalid input detected at '^' marker.
 
3560G#show license ?
% Unrecognized command

Cisco 3560E / 3750E

Catalyst 3750-E and 3560-E switches run the universal software image that has the Cisco IOS code for multiple feature sets (ipbase & ipservices). To enable a specific feature set, you must use the software activation feature to install the software license for that feature set. Catalyst 3750-E and 3560-E switches support either the noncryptographic or the cryptographic (k9 image) universal software image.

They support two software feature sets: IP Base and IP Services

Beginning with Cisco IOS Release 12.2(46)SE, the switches support these features:

- Temporary software licenses

- Rehosting a software license

- Cisco License Call Home

Note:

If the switch is running a software image earlier than Cisco IOS 12.2(46)SE, to run the IP base feature set, remove the IP services license from the switch, save the switch running configuration, and reload the switch. If the switch is running Cisco IOS Release 12.2(46)SE or later, enter the license boot level ipbase privileged EXEC command, save the switch running configuration, and reload the switch.

- If all the licenses are installed on the switch, the switch uses the highest license level, the IP services feature set.

Cisco 3560X / 3750X

Catalyst 3750-X/3560-X system is also loaded with a universal Cisco IOS Software image. Universal Cisco IOS Software images contain all Cisco IOS Software features. The level of Cisco IOS Software functionality available is determined by the combination of one (or more) licenses installed on the device. They support three software feature sets: LAN Base, IP Base, and IP Services.

Note:

For the Cisco Catalyst 3750-X/3560-X Series, in addition to universalk9 images, there are also images with the universalk9-npe designation in the image name. The reason for this alternate image type is that some countries have import regulations that require that the device does not support any strong data-plane crypto functionality, such as IEEE 802.1AE, in any form. To satisfy the import requirements of those countries, this universal image does not support any strong payload encryption (that is, it is of the nonpayload encryption type).

Installing Software Licenses Using CLI

Step1: Log in to the switch by using the console port, the Ethernet management port, or a Telnet session.

Step2: Copy the license file onto the flash: device from the TFTP server.

Step3: Install the license on the switch with the following command in privileged EXEC mode:

license install file-sys:file-sys//lic-location

Once the license gets installed a log message similar to this should be seen: "%IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Next reboot level = ipservices and License = ipservices"

Example:

Switch#license install flash:FDO1229V28R_20100704203238635.lic
 
     Installing licenses from "flash:FDO1229V28R_20100704203238635.lic"
     Extension licenses are being installed in the device with
     UDI "WS-C3560E-48PD-S:FDO1229V28R" for the following features:
            
Feature Name: ipservices
     PLEASE  READ THE  FOLLOWING TERMS  CAREFULLY. INSTALLING THE LICENSE OR
     LICENSE  KEY  PROVIDED FOR  ANY CISCO  PRODUCT  FEATURE  OR  USING SUCH
     PRODUCT  FEATURE  CONSTITUTES  YOUR  FULL ACCEPTANCE  OF  THE FOLLOWING
     TERMS. YOU MUST NOT PROCEED FURTHER IF YOU ARE NOT WILLING TO  BE BOUND
     BY ALL THE TERMS SET FORTH HEREIN.
 
    You hereby  acknowledge  and  agree that  the  product feature  license
     is terminable and that the product  feature  enabled  by  such  license
     may  be  shut  down or  terminated by  Cisco  after  expiration of  the
     applicable  term  of  the license  (e.g., 30-day  trial  period). Cisco
     reserves the  right to terminate or shut down  any such product feature
     electronically  or by  any other  means available. While alerts or such
     messages  may  be provided, it is  your sole  responsibility to monitor
     your terminable  usage of any  product  feature enabled by  the license
     and to ensure that your systems and  networks are prepared for the shut
     down of the product feature. You acknowledge  and agree that Cisco will
     not have any liability  whatsoever for  any damages, including, but not
     limited to, direct, indirect, special, or consequential damages related
     to any product  feature  being shutdown or terminated. By clicking  the
     "accept" button  or typing "yes" you are  indicating  you have read and
     agree to be bound by all the terms provided herein.
 
     ACCEPT? (yes/[no]): yes
     Installing...Feature:ipservices...Successful:Supported
 
     1/1 licenses were successfully installed
 
     0/1 licenses were existing licenses
 
     0/1 licenses were failed to install
 
     Switch#
 
     5w2d: %LICENSE-6-EULA_ACCEPTED: EULA for feature ipservices 1.0 has been accepted. UDI=WS-C3560E-48PD-S:FDO1229V28R;     StoreIndex=-1:UNKNOWN License Store
     5w2d:  %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = c3560e  Next reboot level = ipservices and License =     ipservices

Step4: The license is installed once you have accepted the EULA, but to enable the feature set after installing the license, you need to reload the device. Before reloading the device, change the next license boot level of the switch with the following command:

(In config mode) - license boot level license-level [switch switch-num]

If the show license all command displays the license as "Active, Not in Use, EULA not accepted," you can use the license boot level command to enable the license and accept the end-user license agreement (EULA).

Step5: Verify if the new license was installed:

- show version | in License|license

Switch#show ver | in license|License
     License Level: ipservices
     License Type: Evaluation
     Next reload license Level: ipservices

- show license detail (it is very important to check in this command's output whether the EULA has been accepted).

Switch#show license det
 
     Index: 1        Feature: ipservices                     Version: 1.0
             License Type: Evaluation
             License State: Active, In Use
 
                 Evaluation total period: 8  weeks 4  days
                 Evaluation period left: 8  weeks 3  days
                 Expiry date: Apr 30 1993 00:00:25
 
             License Priority: Low
             License Count: Non-Counted
             Store Index: 0
             Store Name: Evaluation License Storage
 
 
     Index: 2        Feature: ipbase                            Version: 1.0
 
             License Type: Permanent
             License State: Active, Not in Use
             License Priority: Medium
             License Count: Non-Counted
             Store Index: 0
             Store Name: Primary License Storage

The above-mentioned commands are sufficient for troubleshooting purposes; however, there are other commands that might help under different circumstances:

- show license feature

Switch#show license feature
 
Feature name             Enforcement  Evaluation  Clear Allowed  Enabled
advipservices                 yes               yes              yes            yes
ipservices                       yes               yes              yes            no
ipbase                              no                 no               yes            no

(Use this command to check the allowed features on the switch. As you can see, it gives some more detail about what you can do with these features on the switch, and the status of each feature.)

- show license udi
Switch#show license udi
Device#   PID                             SN                             UDI
------------------------------------------------------------------------------------------------------------------------------------
*0        WS-C3560E-48PD-S      FDO1229V28R     WS-C3560E-48PD-S:FDO1229V28R

(This command displays the Unique Device Identifier for each switch, which can be used during license generation. If you do not provide the correct UDI while requesting a license (from TAC or from the license portal), you will not be able to install that license on the switch.)
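The Step 5 check can be scripted. The following is an added example (not from the original post or from Cisco): a Python parser for `show license detail` output that reports evaluation licenses currently in use and licenses whose EULA has not been accepted. Function names are hypothetical, and record 3 of the sample is constructed.

```python
import re
from dataclasses import dataclass, field

# Records 1 and 2 are taken (abridged) from the "show license detail" output
# printed above. Record 3 is constructed to exercise "EULA not accepted".
SAMPLE = """\
Switch#show license det

     Index: 1        Feature: ipservices                     Version: 1.0
             License Type: Evaluation
             License State: Active, In Use

                 Evaluation total period: 8  weeks 4  days
                 Evaluation period left: 8  weeks 3  days
                 Expiry date: Apr 30 1993 00:00:25

             License Priority: Low

     Index: 2        Feature: ipbase                            Version: 1.0

             License Type: Permanent
             License State: Active, Not in Use
             License Priority: Medium

     Index: 3        Feature: advipservices                  Version: 1.0
             License Type: Evaluation
             License State: Active, Not in Use, EULA not accepted
"""

HEADER = re.compile(r"^\s*Index:\s*(\d+)\s+Feature:\s*(\S+)\s+Version:\s*(\S+)")
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*):\s*(.*\S)\s*$")
UNIT_DAYS = {"week": 7, "day": 1}


@dataclass
class License:
    index: int
    feature: str
    version: str
    fields: dict = field(default_factory=dict)


def parse_license_detail(text):
    """Split the command output into one License record per 'Index:' header."""
    licenses = []
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            licenses.append(License(int(header.group(1)), header.group(2), header.group(3)))
            continue
        item = FIELD.match(line)
        if item and licenses:  # ignore anything before the first record
            licenses[-1].fields[item.group(1).strip()] = item.group(2)
    return licenses


def period_to_days(value):
    """Convert e.g. '8  weeks 3  days' to whole days; smaller units count as 0."""
    return sum(int(n) * UNIT_DAYS[unit]
               for n, unit in re.findall(r"(\d+)\s*(week|day)s?", value))


def audit(licenses):
    """Return (feature, finding) pairs that need an operator's attention."""
    findings = []
    for lic in licenses:
        states = [s.strip() for s in lic.fields.get("License State", "").split(",")]
        if "EULA not accepted" in states:
            findings.append((lic.feature, "EULA not accepted"))
        if lic.fields.get("License Type") == "Evaluation" and "In Use" in states:
            left = period_to_days(lic.fields.get("Evaluation period left", ""))
            findings.append((lic.feature, f"evaluation license in use, {left} days left"))
    return findings


if __name__ == "__main__":
    for feature, finding in audit(parse_license_detail(SAMPLE)):
        print(f"{feature}: {finding}")
```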

Removing Software Licenses Using CLI

In software releases earlier than Cisco IOS Release 12.2(46)SE, you have the license clear license-level [switch switch-num] privileged EXEC command. Use the license-level parameter to specify the software license to remove. Use the switch switch-num parameter to specify the stack member. The switch switch-num option is supported only on Catalyst 3750-E switches.

In Cisco IOS Release 12.2(46)SE or later, if the software license is in use (active):

a. Enter the “license boot level license-level” global configuration command to specify a license level different from the current one.
b. Restart the switch to enable new software license.
c. Enter the license clear license-level [switch switch-num] privileged EXEC command to remove previous software license.

Switch#license clear ipservices
 
Feature: ipservices
 
    1   License Type: Evaluation
        License State: Active, Not in Use, EULA accepted
            Evaluation total period: 8  weeks 4  days
            Evaluation period left: 0  minute  0  second
        License Addition: Additive
        License Count: Non-Counted
        Comment:
        Store Index: 1
        Store Name: Primary License Storage
Are you sure you want to clear? (yes/[no]): yes
 
Switch#
 
5w2d:  %LICENSE-6-REMOVE: Feature ipservices 1.0 was removed from this device.  UDI=WS-C3560E-48PD-S:FDO1229V28R; StoreIndex=1:Primary License Storage

Backing up and saving software license information: Enter the license save {credential url | url} privileged EXEC command.

License Installation on Switch Stack

https://supportforums.cisco.com/docs/DOC-16501

https://supportforums.cisco.com/thread/2080956

List of Commands

  • Show license [all/detail]
  • Show license udi
  • Show version | in license|License
  • Show license feature
  • License install flash:filename.lic
  • License boot level feature-set
  • License clear license-level (ex: license clear ipservices)

Reference from https://supportforums.cisco.com/document/69361/licensing-290035003700


GRE tunnel vs. IPsec tunnel

August 14 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

In the article “How to Configure a GRE Tunnel?” we talked about what tunneling is and how to configure a GRE tunnel. In this article we continue with the GRE tunnel and the IPsec tunnel: what are the differences?

Encapsulating a packet for secure transportation on the network can be done using either GRE or IPsec protocols. This tip explains under what circumstances each protocol works best.

Generic Routing Encapsulation (GRE), defined by RFC 2784, is a simple IP packet encapsulation protocol. GRE is used when IP packets need to be sent from one network to another, without being parsed or treated like IP packets by any intervening routers.

For example, in Mobile IP, a mobile node registers with a Home Agent. When the mobile node roams to a new network, it registers with a Foreign Agent there. Whenever IP packets addressed to the mobile node are received by the Home Agent, they can be relayed over a GRE tunnel to the Foreign Agent for delivery. It does not matter how the Home Agent and Foreign Agent communicate with each other -- hops in between just pass along the GRE packet. Only the GRE tunnel endpoints -- the two Agents -- actually route the encapsulated IP packet.

The IP Security (IPsec) Encapsulating Security Payload (ESP), defined by RFC 2406, also encapsulates IP packets. However, it does so for a different reason: To secure the encapsulated payload using encryption. IPsec ESP is used when IP packets need to be exchanged between two systems while being protected against eavesdropping or modification along the way.

For example, in a site-to-site VPN, a source host in network "A" transmits an IP packet. When that packet reaches the edge of network "A" it hits a VPN gateway. VPN gateway "A" encrypts the private IP packet and relays it over an ESP tunnel to a peer VPN gateway at the edge of network "B." VPN gateway "B" then decrypts the packet and delivers it to the destination host. Like GRE, it doesn't really matter how the two VPN gateways communicate with each other -- hops in between just pass along the ESP packet. But unlike GRE, someone at those hops could not possibly look at or change the encapsulated IP packet, even if they wanted to. That's because cryptographic algorithms have been applied to scramble the IP packet and detect any modification or replay.

Use GRE where IP tunneling without privacy is required -- it's simpler and thus faster. But, use IPsec ESP where IP tunneling and data privacy are required -- it provides security features that are not even attempted by GRE.

So,

  • IPsec stands for Internet Protocol Security while GRE stands for Generic Routing Encapsulation.
  • IPsec is the primary protocol of the Internet while GRE is not.
  • GRE can carry other routed protocols as well as IP packets in an IP network while IPsec cannot.
  • IPsec offers more security than GRE does because of its authentication feature.
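To make the contrast concrete, here is an added example (not from the original article): a Python sketch of RFC 2784 GRE encapsulation showing that any hop can read the inner packet and that a changed payload is accepted on decapsulation. The HMAC tag is only a stand-in for the integrity check that ESP adds, not an ESP implementation (no encryption is shown); the inner packet, key and function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

GRE_PROTO_IPV4 = 0x0800  # EtherType carried in the GRE protocol-type field

# Constructed inner packet: IPv4/UDP from 10.0.0.5 to 10.0.1.9 carrying b"data".
INNER = bytes.fromhex(
    "45000020000100004011" "65bf" "0a000005" "0a000109"  # IPv4 header
    "04d2" "0035" "000c" "0000"                           # UDP header
) + b"data"


def gre_encapsulate(inner: bytes) -> bytes:
    """RFC 2784 base header: 16 bits of flags/version (all zero) + protocol type."""
    return struct.pack("!HH", 0, GRE_PROTO_IPV4) + inner


def gre_decapsulate(packet: bytes) -> bytes:
    """Strip the GRE header. Nothing here can tell whether the payload changed."""
    flags_version, proto = struct.unpack("!HH", packet[:4])
    if flags_version != 0:
        raise ValueError("only the option-less RFC 2784 header is handled")
    if proto != GRE_PROTO_IPV4:
        raise ValueError(f"unexpected protocol type 0x{proto:04X}")
    return packet[4:]


def on_path_view(gre_packet: bytes) -> dict:
    """What any router between the tunnel endpoints can read: no key is needed."""
    inner = gre_decapsulate(gre_packet)
    header_len = (inner[0] & 0x0F) * 4
    return {
        "src": str(ipaddress.IPv4Address(inner[12:16])),
        "dst": str(ipaddress.IPv4Address(inner[16:20])),
        "protocol": inner[9],
        "l4_bytes": inner[header_len:],
    }


def flip_byte(packet: bytes, index: int) -> bytes:
    """Simulate an in-transit modification of one byte."""
    return packet[:index] + bytes([packet[index] ^ 0x01]) + packet[index + 1:]


def protect(packet: bytes, key: bytes) -> bytes:
    """Append a keyed tag (stand-in for ESP's integrity check value)."""
    return packet + hmac.new(key, packet, hashlib.sha256).digest()


def verify(protected: bytes, key: bytes) -> bytes:
    """Return the packet if the tag matches, otherwise raise ValueError."""
    body, tag = protected[:-32], protected[-32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return body


if __name__ == "__main__":
    gre = gre_encapsulate(INNER)
    print("visible in transit:", on_path_view(gre))
    print("modified GRE accepted:", gre_decapsulate(flip_byte(gre, len(gre) - 1))[-4:])
    try:
        verify(flip_byte(protect(gre, b"constructed-key"), len(gre) - 1), b"constructed-key")
    except ValueError as err:
        print("with keyed tag:", err)
```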


Configuring WCCP? GRE Redirection in WCCP Creates New Tunnel Interfaces

August 11 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Networking, #Data Center

The WCCP (Web Cache Communication Protocol) was initially designed as a component of IOS whose purpose was to intercept HTTP traffic traversing a router and redirect that traffic to a local cache, with the aim of reducing access times to web sites and conserving wide area bandwidth. Typically the packets are redirected from their destination web server on the Internet to a content engine that is local to the client. In some WCCP deployment scenarios, redirection of traffic may also be required from the web server to the client. WCCP enables you to integrate content engines into your network infrastructure. With the introduction of WCCPv2, the scope of the protocol widened to include traffic types other than HTTP, allowing the protocol to be used as a more general interception mechanism. In WCCPv2, clients specify the nature of the traffic to be intercepted and forwarded to external devices, which are then in a position to provide services based upon the traffic type, such as WAN optimisation and application acceleration.

Cisco IOS Release 12.1 and later releases allow the use of either WCCP Version 1 (WCCPv1) or Version 2 (WCCPv2).

WCCP VRF Support

The WCCP VRF Support feature enhances the existing WCCPv2 protocol by implementing support for virtual routing and forwarding (VRF).

The WCCP VRF Support feature allows service groups to be configured on a per VRF basis in addition to those defined globally.

Along with the service identifier, the VRF of WCCP protocol packets arriving at the router is used to associate cache-engines with a configured service group.

The interface on which redirection is applied, the interface which is connected to cache engine, and the interface on which the packet would have left if it had not been redirected must be in the same VRF.

In Cisco IOS Release 12.2(33)SRE, this feature is supported only on Cisco 7200 NPE-G2 and Cisco 7304-NPE-G100 routers.

Configuring WCCP

Until you configure a WCCP service using the ip wccp {web-cache | service-number} global configuration command, WCCP is disabled on the router. The first use of a form of the ip wccp command enables WCCP. By default WCCPv2 is used for services, but you can use WCCPv1 functionality instead. To change the running version of WCCP from Version 2 to Version 1, or to return to WCCPv2 after an initial change, use the ip wccp version command in global configuration mode.

If a function is not allowed in WCCPv1, an error prompt will be printed to the screen. For example, if WCCPv1 is running on the router and you try to configure a dynamic service, the following message will be displayed: "WCCP V1 only supports the web-cache service." The show ip wccp EXEC command will display the WCCP protocol version number that is currently running on your router.

Using the ip wccp web-cache password command, you can set a password for a router and the content engines in a service group. MD5 password security requires that each router and content engine that wants to join a service group be configured with the service group password. The password can consist of up to eight characters. Each content engine or router in the service group will authenticate the security component in a received WCCP packet immediately after validating the WCCP message header. Packets failing authentication will be discarded.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip wccp version {1 | 2}

4. ip wccp [vrf vrf-name] {web-cache | service-number} [group-address group-address] [redirect-list access-list] [group-list access-list] [password password [0 | 7]]

5. interface type number

6. ip wccp [vrf vrf-name] {web-cache | service-number} redirect {out | in}

7. exit

8. interface type number

9. ip wccp redirect exclude in

Tunnel Interfaces

In IOS versions where WCCP is VRF aware, such as 15.0M and 15.1T, the use of GRE redirection will result in some new tunnel interfaces appearing. On the ASR platform these tunnel interfaces are also present from IOS XE release 2.5 onwards (although VRF support within WCCP on the ASR platform is not present until IOS XE release 3.1).

Examples of the new tunnel interfaces are shown below:

Router#show ip wccp summary
WCCP version 2 enabled, 3 services

Service     Clients   Routers   Assign      Redirect   Bypass    
-------     -------   -------   ------      --------   ------    
Default routing table (Router Id: 30.1.1.80):
web-cache   1         1         HASH        GRE        GRE       
61          1         1         HASH        GRE        GRE       
62          1         1         HASH        GRE        GRE       

Router#show ip interface brief | include Tun
Tunnel0                172.16.0.1      YES unset  up                    up     
Tunnel1                172.16.0.1      YES unset  up                    up     
Tunnel2                172.16.0.1      YES unset  up                    up     
Tunnel3                172.16.0.1      YES unset  up                    up     
Router#

The tunnels are created automatically to process outgoing GRE encapsulated traffic for WCCP. They appear when a cache engine connects and requests GRE redirection. They're not created directly by WCCP, but indirectly via a tunnel API. WCCP has no direct knowledge of these tunnel interfaces, but knows enough to cause packets to be redirected to them. This results in the appropriate encapsulation being applied, after which the packet is then sent to the cache engine. Note that these interfaces are not used in connection with incoming WCCP GRE return packets.

There is one tunnel created per service group that is using GRE redirection, plus one additional tunnel to provide an IP address to allow the other tunnel group interfaces to be unnumbered but still enabled for IPv4. Some information about the tunnels is shown with the command show tunnel groups wccp, although this is unlikely to be useful to the end-user other than to confirm the connection between the tunnels and WCCP.

Router#show tunnel groups wccp             
 WCCP : service group 0 in "Default", ver v2, assgnmnt: hash-table
   intf: Tunnel0, locally sourced
 WCCP : service group 317 in "Default", ver v2, assgnmnt: hash-table
   intf: Tunnel3, locally sourced
 WCCP : service group 318 in "Default", ver v2, assgnmnt: hash-table
   intf: Tunnel2, locally sourced
Router#show tunnel interface t0
Tunnel0
   Mode:multi-GRE/IP, Destination UNKNOWN, Source 30.1.1.80
   Application ID 2: WCCP : service group 0 in "Default", ver v2, assgnmnt: hash-table
   Linestate - current up
   Internal linestate - current up, evaluated up
Router#show tunnel interface t1
Tunnel1
   Mode:multi-GRE/IP, Destination UNKNOWN, Source 172.16.0.1
   Application ID 2: unspecified
   Linestate - current up
   Internal linestate - current up, evaluated up
Router#show tunnel interface t2
Tunnel2
   Mode:multi-GRE/IP, Destination UNKNOWN, Source 30.1.1.80
   Application ID 2: WCCP : service group 318 in "Default", ver v2, assgnmnt: hash-table
   Linestate - current up
   Internal linestate - current up, evaluated up
Router#show tunnel interface t3
Tunnel3
   Mode:multi-GRE/IP, Destination UNKNOWN, Source 30.1.1.80
   Application ID 2: WCCP : service group 317 in "Default", ver v2, assgnmnt: hash-table
   Linestate - current up
   Internal linestate - current up, evaluated up
Router#

Note that service group number shown above is the internal tunnel representation of the WCCP service group number. Group 0 is the web-cache service, but for dynamic services subtract 256 to convert to the WCCP service group number. For interfaces used for redirection, the source address shown is the WCCP router ID.

Information relating to the connected cache engines and encapsulation, including software packet counters, can be seen with the command "show adjacency <tunnel-interface> ...":

Router#show adjacency t0              
Protocol Interface                 Address
IP       Tunnel0                   30.1.1.82(3)
Router#show adjacency t0 encapsulation
Protocol Interface                 Address
IP       Tunnel0                   30.1.1.82(3)
  Encap length 28
  4500000000000000FF2F7D2B1E010150
  1E0101520000883E00000000
  Provider: TUNNEL
  Protocol header count in macstring: 3
    HDR 0: ipv4
       dst: static, 30.1.1.82
       src: static, 30.1.1.80
      prot: static, 47
       ttl: static, 255
        df: static, cleared
      per packet fields: tos ident tl chksm
    HDR 1: gre
      prot: static, 0x883E
      per packet fields: none
    HDR 2: wccpv2
       dyn: static, cleared
      sgID: static, 0
      per packet fields: alt altB priB
Router#show adjacency t0 detail
Protocol Interface                 Address
IP       Tunnel0                   30.1.1.82(3)
                                   connectionid 1
                                   0 packets, 0 bytes
                                   epoch 0
                                   sourced in sev-epoch 1
                                   Encap length 28
                                   4500000000000000FF2F7D2B1E010150
                                   1E0101520000883E00000000
                                   Tun endpt
                                   Next chain element:
                                    IP adj out of Ethernet0/0, addr 30.1.1.82
Router#show adjacency t0 internal
Protocol Interface                 Address
IP       Tunnel0                   30.1.1.82(3)
                                   connectionid 1
                                   0 packets, 0 bytes
                                   epoch 0
                                   sourced in sev-epoch 1
                                   Encap length 28
                                   4500000000000000FF2F7D2B1E010150
                                   1E0101520000883E00000000
                                   Tun endpt
                                   Next chain element:
                                    IP adj out of Ethernet0/0, addr 30.1.1.82
                                    parent oce 0x4BC76A8
                                    frame originated locally (Null0)
                                   L3 mtu 17856
                                   Flags (0x2808C4)
                                   Fixup enabled (0x40000000)
                                         GRE WCCP redirection
                                   HWIDB/IDB pointers 0x55A13E0/0x35F5A80
                                   IP redirect disabled
                                   Switching vector: IPv4 midchain adj oce
                                   IP Tunnel stack to 30.1.1.82 in Default (0x0)
                                    nh tracking enabled: 30.1.1.82/32
                                    IP adj out of Ethernet0/0, addr 30.1.1.82
                                   Adjacency pointer 0x4BC74D8
                                   Next-hop 30.1.1.82
Router#
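The encapsulation string in the output above can be decoded by hand or with a short script. This added example (not from the original document or from Cisco) is a Python decoder for the 28-byte string shown by `show adjacency t0 encapsulation`, with a check that the redirect target is an approved cache engine and the tunnel-group conversion described in the note above. The bit layout of the 4-byte WCCP redirect header and the 256 to 511 range for dynamic groups are assumptions chosen to match the field names in the output; the function names are hypothetical.

```python
import ipaddress
import struct

# "Encap length 28" bytes printed by `show adjacency t0 encapsulation` above.
ENCAP_HEX = "4500000000000000FF2F7D2B1E010150" "1E0101520000883E00000000"

IP_PROTO_GRE = 47
GRE_PROTO_WCCP = 0x883E  # "prot: static, 0x883E" in the output


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_wccp_gre_encap(hex_string: str) -> dict:
    """Decode IPv4 (20 bytes) + GRE (4 bytes) + WCCP redirect header (4 bytes)."""
    raw = bytes.fromhex(hex_string)
    if len(raw) != 28:
        raise ValueError(f"expected 28 bytes, got {len(raw)}")
    (ver_ihl, _tos, _length, _ident, frag, ttl, proto, _cksum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl != 0x45:
        raise ValueError("not an option-less IPv4 header")
    gre_flags, gre_proto = struct.unpack("!HH", raw[20:24])
    # Assumed layout: D and A flag bits, service ID, alt bucket, primary bucket.
    flags, service_id, alt_bucket, pri_bucket = struct.unpack("!BBBB", raw[24:28])
    return {
        "src": str(ipaddress.IPv4Address(src)),   # WCCP router ID
        "dst": str(ipaddress.IPv4Address(dst)),   # cache engine
        "ttl": ttl,
        "df": bool(frag & 0x4000),
        "ip_proto": proto,
        # tos/ident/tl/chksm are rewritten per packet; this validates the template.
        "template_checksum_ok": inet_checksum(raw[:20]) == 0,
        "gre_flags": gre_flags,
        "gre_proto": gre_proto,
        "dynamic": bool(flags & 0x80),
        "alt_bucket_used": bool(flags & 0x40),
        "service_id": service_id,
        "alt_bucket": alt_bucket,
        "primary_bucket": pri_bucket,
    }


def check_redirect_target(encap: dict, router_id: str, allowed_caches: set) -> list:
    """Compare a decoded adjacency with the intended WCCP design."""
    problems = []
    if encap["ip_proto"] != IP_PROTO_GRE or encap["gre_proto"] != GRE_PROTO_WCCP:
        problems.append("adjacency is not WCCP GRE redirection")
    if encap["src"] != router_id:
        problems.append(f"source {encap['src']} is not the router ID {router_id}")
    if encap["dst"] not in allowed_caches:
        problems.append(f"redirect target {encap['dst']} is not an approved cache engine")
    return problems


def wccp_service_from_tunnel_group(group: int):
    """Map the number shown by `show tunnel groups wccp` to the WCCP service."""
    if group == 0:
        return "web-cache"
    if 256 <= group <= 511:  # assumed range: dynamic service number + 256
        return group - 256
    raise ValueError(f"unexpected tunnel group number {group}")


if __name__ == "__main__":
    decoded = parse_wccp_gre_encap(ENCAP_HEX)
    print(decoded)
    print(check_redirect_target(decoded, "30.1.1.80", {"30.1.1.82"}))
    print([wccp_service_from_tunnel_group(g) for g in (0, 317, 318)])
```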

For more information on configuring WCCP, please refer to the following document:

http://www.cisco.com/en/US/docs/ios-xml/ios/ipapp/configuration/15-1mt/iap-wccp.html


Topic from https://supportforums.cisco.com/document/60636/gre-redirection-wccp-creates-new-tunnel-interfaces


How to Stack Cisco 3750E and 3750X Switches?

August 7 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

The issue: “There are two Cisco 3750 switches: WS-C3750E-48PD-SF and WS-C3750X-48PF-L. Both have universal IOS. So can we make the stacking of these two Cisco switches?”

How do you stack the Cisco 3750E and the 3750X? First, we need to know which licenses the two 3750s have. Here, the 3750E has an IP Base license and the 3750X has a LAN Base license. In fact, the 3750E and the 3750X with LAN Base cannot be stacked together.

A Cisco 3750X with LAN Base can only stack with other LAN Base switches. A 3750X with IP Base can stack with any other 3750 (with the exception of the 3750X LAN Base and some older 3750s with 16 Mb of memory).

So we need a license upgrade of the 3750X from LAN Base to IP Base, and then the two switches are able to stack with each other.

It is a license thing: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6406/data_sheet_c78-584733.html "The Cisco Catalyst 3750-X Series Switches with LAN Base feature set can only stack with other Cisco Catalyst 3750-X Series LAN Base switches. A mixed stack of LAN Base switch with IP Base or IP Services features set is not supported."

A Cisco 3750 switch can be stacked with any other model of Cisco 3750 switch, but a 3750X needs the IP services feature set enabled to participate; otherwise basic routing functions, including static routing and the Routing Information Protocol (RIP), will be in use.

http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_example09186a00807811ad.shtml

When stacking 3750, 3750G or 3750X switches, the IOS should be identical.

https://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps5023/prod_white_paper09186a00801b096a.html

You can read the discussion here:

https://supportforums.cisco.com/discussion/11623571/stacking-switch-3750e-and-3750x


An Example to Upgrade IOS on Cisco 4500X Switch

July 22 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Kingston 32Gb USB Flash with Metal Casing-Using a Kingston USB stick to upgrade the IOS on a Cisco 4500X Switch


How do you upgrade the IOS/software on a Cisco 4500X switch? A consultant named Roger Perkin (who works for a Cisco Gold Partner in the UK) shared his experience of upgrading IOS on a Cisco 4500X switch. Let’s have a look.

Roger Perkin said that he will not be covering how to do a hitless upgrade using ISSU with 2 switches in a VSS pair. This process is performed on two switches which are not in production. So to perform the upgrade he has disconnected the VSS link and will upgrade each switch in turn and will then connect the VSS link again.

First copy your image file into the bootflash: of the switch. This can be done via TFTP or USB.

USB is the much easier solution. For this to work you need a compatible USB stick; I have always used a Kingston brand and have never had any problems. (This is the exact USB stick he used for upgrading IOS on Cisco switches.)

Insert the USB stick into the slot on the front of the Cisco 4500X switch as shown above.

From the CLI issue the command dir usb0: and if you get (No such device), your USB is not supported:

4500X-SW-01#dir usb0:

%Error opening usb0:/ (No such device)

If your USB is supported, this is the output you will see:

4500X-SW-01#dir usb0:

Directory of usb0:/

176 -rwx 173555452 Mar 23 2015 18:59:44 +00:00 cat4500e-universalk9.SPA.03.05.03.E

You now need to copy this image from the USB to the bootflash: using the following command

copy usb0:cat4500e-universalk9.SPA.03.05.03.E.152-1.E3.bin bootflash:

This will copy the image onto the bootflash of the switch.

You now need to tell the switch to boot this image.

There are 2 options to do this.

Option 1 – Rename old IOS

By default the config-register of the switches will be set to 0x2101 when the appliance is shipped out.

The last digit, “1”, basically tells the appliance to IGNORE the boot variable string and boot the first valid IOS (from top to bottom) found in the bootflash.

So you can either delete the old image or rename it. I prefer to rename it.

rename bootflash:OLD_IOS_filename.bin bootflash:OLD_IOS_filename.old

If you now reload the switch it will boot the newer image.

Option 2 – change boot variable and config-register

The second option is to create a new boot variable

In global config enter the command.

boot system flash bootflash:cat4500e-universalk9.SPA.03.05.03.E.152-1.E3.bin (or your new image name)

On its own this will not do anything, because with the config register set to 0x2101 the switch ignores the boot variable.

If you change the config-register to 0x2102, the switch will then reference the boot variable.

In global config

config-register 0x2102

Save the config and reload the switch.

You may need to delete any other boot variable settings.

Check this with sh ver | inc boot

If there is a second one referencing the old image, delete it.

Repeat this operation on the second switch and when both have booted using the new image connect up the VSS link.

Reference from http://www.rogerperkin.co.uk/ccie/switching/4500x/how-to-upgrade-ios-on-cisco-4500x-switch/


What’s The New of Cisco Catalyst 4507R+E and 4510R+E Chassis?

July 17 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

WS-C4507R-E and WS-C4510R-E-Redundant Sups


Two new redundant chassis, the Catalyst 4507R+E and 4510R+E, have been introduced to the Cisco Catalyst 4500E family. What is new about them? The WS-C4507R+E, as the name suggests, is a new 7-slot redundant chassis, and the WS-C4510R+E is a 10-slot redundant chassis. The WS-C4507R+E continues to support five line card slots and two supervisor slots, like the WS-C4507R-E chassis. Similarly, the WS-C4510R+E chassis continues to support eight line card slots and two supervisor slots, like the WS-C4510R-E chassis.

Compared to the previous WS-C4507R-E and WS-C4510R-E (they are End-of-Sale & End-of-Life), the new WS-C4507R+E and WS-C4510R+E chassis support 48 Gbps bandwidth per line card slot. Also, WS-C4503-E and WS-C4506-E are already capable of supporting 48 Gbps bandwidth per line card slot.

The Cisco Catalyst 4507R+E and 4510R+E chassis offer the following benefits:

Bandwidth capacity: The new chassis are capable of providing up to 848 Gbps switching capacity at 48 Gb per slot. This provides investment protection and the capability to meet future high-bandwidth requirements in the network.

Redundant power supplies: The Cisco Catalyst 4507R+E and 4510R+E chassis have two bays for the power supplies to help maximize system uptime.

Redundant supervisor engines: To facilitate nonstop operations, the new chassis have two dedicated slots for supervisor engines.

AC and DC power options: The new chassis support both AC and DC power supply options. For AC power, 1300 watts (W), 1400W, 2800W, 4200W, and 6000W power supplies are available. For DC power, 1400W DC power supplies are available.

Standards compliance: The Cisco Catalyst 4507R+E and 4510R+E comply with Network Equipment Building Standards (NEBS).

The WS-C4507R+E and WS-C4510R+E both support Supervisor Engine 8-E, Supervisor Engine 7L-E and Supervisor Engine 7-E.

Note: Refer to your software release notes for the minimum software release versions required to support the supervisor engines.

  • Supervisor engines must be installed in slot 3 or in slot 4.
  • Supervisor engine redundancy is supported in this chassis.

Note: The Catalyst 4507R+E and 4510R+E switches support 1+1 supervisor-engine redundancy. With the support of stateful switchover (SSO), the secondary supervisor engine serves as a backup to immediately take over after a primary supervisor failure. During the switchover, Layer 2 links are maintained transparently without the need to renegotiate sessions.

The Catalyst 4507R+E and 4510R+E switches support one or two power supplies. The following power supplies are supported:

  • 1000 W AC-input power supply (PWR-C45-1000AC)
  • 1400 W AC-input power supply (PWR-C45-1400AC)
  • 1300 W AC-input power supply (PWR-C45-1300ACV)
  • 2800 W AC-input power supply (PWR-C45-2800ACV)
  • 4200 W AC-input power supply (PWR-C45-4200ACV)
  • 6000 W AC-input power supply (PWR-C45-6000ACV)
  • 9000 W AC-input power supply (PWR-C45-9000ACV)
  • 1400 W DC-input power supply, triple-input (PWR-C45-1400DC)
  • 1400 W DC-input power supply with integrated PEM (PWR-C45-1400DC-P)
  • External AC power shelf (WS-P4502-1PSU)

Notes on the AC-input power supplies and their installation:

  • All Catalyst 4500 series AC-input power supplies require single-phase source AC.
  • Source AC can be out of phase between multiple power supplies or multiple AC-power plugs on the same power supply because all AC power supply inputs are isolated.
  • Single power supplies are installed in the left power supply bay. The second power supply is installed in the right power supply bay.

Note: For proper operation of the power supply OUTPUT FAIL LED, systems with single power supplies must be configured with a minimum of one fan tray and one supervisor engine. Systems with dual power supplies must have a minimum configuration of one fan tray, one supervisor engine, and one additional module. Failure to meet these minimum configuration requirements can cause a false power supply output fail signal.

More info: Cisco's Q&A on the new Cisco Catalyst 4500 E-Series redundant chassis is available here:

http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-4500-series-switches/qa_c67_610073.html
