Cisco & Cisco Network Hardware News and Technology


How to Troubleshoot Nexus 5500s and 1 GE SFPs?

May 23 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

The newer versions of NX-OS support 1G or 10G on the N5K, but the Nexus5000 is not auto-speed sensing. A mini case study follows.

 

One of my customers just put some GLC-SX-MM optics and a fiber patch between a Catalyst 3750 and a Nexus5000. He happened to look at status on Network Assistant on the 3750, and this error appeared:

Description: Gi1/1/1: This port has been disabled because Non Compliant Gigabit Interface Converter (GBIC) connector detected.
Recommendation: Replace connector with cisco compliant Gigabit Interface Converter (GBIC) connector. Refer switch technical documentation to determine cisco compliant connector. Enable the port again.

 

This seemed odd, since the GLC-SX-MM is supported on both devices. I tried shut/no shut on both ends of the port, but that did not help. I then wondered - does he have a bad SFP? I poked around a bit.

The CLI show log info on the 3750 switch was also unhappy:

*Apr 16 01:48:41.190: %PHY-4-SFP_NOT_SUPPORTED: The SFP in Gi1/1/1 is not supported
*Apr 16 01:48:41.190: %PM-4-ERR_DISABLE: gbic-invalid error detected on Gi1/1/1, putting Gi1/1/1 in err-disable state

 

Strange, the GLC-SX-MM is supported on the Catalyst 3750. The interface capabilities looked fine:

3750_sw1#sh int gig 1/1/1 capa
GigabitEthernet1/1/1
  Model:                 WS-C3750X-48P
  Type:                  1000BaseSX SFP
  Speed:                 1000
  Duplex:                full
  Trunk encap. type:     802.1Q,ISL
  Trunk mode:            on,off,desirable,nonegotiate
  Channel:               yes
  Broadcast suppression: percentage(0-100)
  Flowcontrol:           rx-(off,on,desired),tx-(none)
  Fast Start:            yes
  QoS scheduling:        rx-(not configurable on per port basis),
                         tx-(4q3t) (3t: Two configurable values and one fixed.)
  CoS rewrite:           yes
  ToS rewrite:           yes
  UDLD:                  yes
  Inline power:          no
  SPAN:                  source/destination
  PortSecure:            yes

  Dot1x:                 yes
3750_sw1#

 

The status on the 3750 was not connected:

3750_sw1#sh int gig 1/1/1 status
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/1/1                      notconnect   1            auto   auto 1000BaseSX SFP
3750_sw1#

 

I then went to look at the N5K. It claimed it had an invalid SFP of an unknown type:

N5K1# sh int e1/5 status
--------------------------------------------------------------------------------
Port          Name               Status    Vlan      Duplex  Speed   Type
--------------------------------------------------------------------------------
Eth1/5        --                 sfpInvali 1         full    10G     SFP-1000BAS
N5K1#
N5K1# sh int e1/5 capa
Ethernet1/5
  Model:                 N5K-C5548UP-SUP
  Type (SFP capable):    10Gbase-(unknown)
  Speed:                 1000,10000
  Duplex:                full
  Trunk encap. type:     802.1Q
  Channel:               yes
  Broadcast suppression: no
  Flowcontrol:           rx-(off/on),tx-(off/on)
  Rate mode:             none
  QOS scheduling:        rx-(6q1t),tx-(1p6q0t)
  CoS rewrite:           no
  ToS rewrite:           no
  SPAN:                  yes
  UDLD:                  yes
  Link Debounce:         yes
  Link Debounce Time:    yes
  MDIX:                  no
  Pvlan Trunk capable:   yes
  TDR capable:           no
  FabricPath capable:    yes
  Port mode:             Switched
  FEX Fabric:            yes
N5K1#

 

The Nexus5000 also claimed there was no transceiver:

N5K1#sh log | inc 1/5

...
2012 Apr 6 18:10:26 N5K1 %ETHPORT-5-IF_DOWN_NONE: Interface Ethernet1/5 is down (None)
...
2012 Apr 6 19:06:10 N5K1 %ETHPORT-5-IF_HARDWARE: Interface Ethernet1/5, hardware type changed to No-Transceiver

 

I scratched my head a bit, and then came up with the underlying issue - when installing 1GE optics in the N5K, you need to manually set the speed. If you look back, you will see the previous 'sh int e1/5 status' on the N5K shows a speed of 10G. So after the appropriate "speed 1000" command to the e1/5 interface on the N5K, the link came up on both ends.

N5K1# sh int e1/5 stat
--------------------------------------------------------------------------------
Port          Name               Status    Vlan      Duplex  Speed   Type
--------------------------------------------------------------------------------
Eth1/5        --                 connected 1         full    1000     SFP-1000BAS
N5K1#

Summary: The newer versions of NX-OS support 1G or 10G on the N5K, but the N5K is not auto-speed sensing. If you run into something similar, even error messages on the remote device, check the port speed on the N5K.
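As an added example (Python, not part of the original case study), here is a small check that parses the `show interface status` output from both switches and flags exactly this condition: a 1000BASE optic reported in a Nexus port whose speed is still 10G, plus any port sitting in sfpInvalid or err-disabled. The sample captures are the ones shown above; the Eth1/6 twinax line is constructed so the check has something it should leave alone.

```python
import re

# Constructed samples: the 'show interface status' captures from the case
# study above, plus one extra N5K line (Eth1/6, a 10G twinax) that must not
# be flagged.
N5K_BEFORE = """\
--------------------------------------------------------------------------------
Port          Name               Status    Vlan      Duplex  Speed   Type
--------------------------------------------------------------------------------
Eth1/5        --                 sfpInvali 1         full    10G     SFP-1000BAS
Eth1/6        --                 connected 1         full    10G     SFP-H10GB-CU3M
"""

N5K_AFTER = """\
--------------------------------------------------------------------------------
Port          Name               Status    Vlan      Duplex  Speed   Type
--------------------------------------------------------------------------------
Eth1/5        --                 connected 1         full    1000     SFP-1000BAS
"""

C3750 = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/1/1                      notconnect   1            auto   auto 1000BaseSX SFP
"""

COLUMNS = ("Port", "Name", "Status", "Vlan", "Duplex", "Speed", "Type")
HEADER_RE = re.compile(r"^Port\s+Name\s+Status\s+Vlan\s+Duplex\s+Speed\s+Type\s*$")
ONE_GIG_OPTIC = re.compile(r"1000Base|SFP-1000BAS|GLC-", re.IGNORECASE)
TEN_GIG = {"10G", "10000"}


def parse_int_status(text):
    """Parse IOS or NX-OS 'show interface status' into a list of dicts.

    Column boundaries are taken from the header line, so blank names (IOS),
    '--' names (NX-OS), right-aligned duplex/speed values and types that
    contain spaces ('1000BaseSX SFP') all land in the right field.
    """
    lines = text.splitlines()
    hdr_idx = next(i for i, l in enumerate(lines) if HEADER_RE.match(l))
    header = lines[hdr_idx]
    starts = [header.index(c) for c in COLUMNS]
    rows = []
    for line in lines[hdr_idx + 1:]:
        if not line.strip() or line.startswith("-"):
            continue
        row = {}
        for i, col in enumerate(COLUMNS):
            end = starts[i + 1] if i + 1 < len(COLUMNS) else None
            row[col.lower()] = line[starts[i]:end].strip()
        rows.append(row)
    return rows


def find_port_problems(rows):
    """Return (port, reason) tuples for ports worth a second look."""
    findings = []
    for r in rows:
        status = r["status"].lower()
        # NX-OS truncates 'sfpInvalid' to fit the column, so match the prefix.
        if status.startswith("sfpinvali") or status.startswith("err-disabled"):
            findings.append((r["port"], f"status {r['status']}: check the transceiver and the far end"))
        # The case study's root cause: a 1G optic in a port still running 10G.
        if ONE_GIG_OPTIC.search(r["type"]) and r["speed"].upper() in TEN_GIG:
            findings.append((r["port"], "1G optic in a port running 10G: configure 'speed 1000'"))
    return findings


if __name__ == "__main__":
    for label, capture in (("N5K before", N5K_BEFORE), ("N5K after", N5K_AFTER), ("3750", C3750)):
        problems = find_port_problems(parse_int_status(capture)) or [("-", "nothing flagged")]
        for port, reason in problems:
            print(f"{label:11} {port:8} {reason}")
```

Run against the "before" capture it reports Eth1/5 twice (invalid SFP, and 1G optic at 10G); after `speed 1000` it reports nothing, which matches what the link did. The 3750 side shows only `notconnect`, which is why the Catalyst's error messages pointed in the wrong direction.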

---Resource from http://www.netcraftsmen.net


How to Configure AAA Authentication on Cisco ASA Firewall

May 15 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

AAA stands for Authentication, Authorization, and Accounting. AAA is a mechanism that is used to tell the firewall appliance who the user is (Authentication), what actions the user is authorized to perform on the network (Authorization), and what the user did on the network after connecting (Accounting). In this post we will focus on the first element of AAA (that is Authentication).

Types of Authentication supported on ASA appliances

Three types of Authentication are available for Cisco ASA firewalls:

1. User Authentication for accessing the security appliance itself.

2. User Authentication for accessing services through the security appliance. This is also called “cut-through proxy” and is used to authenticate users for accessing Telnet, FTP, HTTP, and HTTPS services located in the network behind the firewall.

3. User Authentication for VPN tunnel access (IPsec or SSL VPN).

 

We will see a configuration example for the first type (authentication for accessing the security appliance for management using Serial Console, SSH, and Telnet access).

 

Authentication configuration example

In this example we assume that we have already installed and configured a AAA server (e.g. Cisco ACS) running the TACACS+ protocol. On the AAA server, we have configured a username/password account that the firewall administrators will use to authenticate. Assume also that the AAA server is located on our internal LAN with the address 10.1.1.1.

[Figure: Authentication configuration example. The Admin connects to the ASA (Arrow 1); the ASA queries the AAA server at 10.1.1.1 (Arrow 2).]

Referring to the figure above, the firewall administrator (Admin) requests firewall access (serial console, SSH, or Telnet) for managing the appliance (Arrow 1). The ASA prompts the admin for a username and password and forwards the credentials to the AAA server over TACACS+ (Arrow 2). If the server accepts them, it returns a pass response and the ASA lets the user in; otherwise the login is rejected.

Here is the configuration below:

! Specify a AAA server name (NY_AAA) and which protocol to use (Radius or TACACS+)
ASA(config)#  aaa-server NY_AAA protocol tacacs+

! Designate the Authentication server IP address and the authentication secret key
ASA(config)#  aaa-server NY_AAA (inside) host 10.1.1.1
ASA(config-aaa-server-host)#  key secretauthkey

! Enable Authentication for management access
ASA(config)#  aaa authentication serial console NY_AAA LOCAL
ASA(config)#  aaa authentication telnet console NY_AAA LOCAL
ASA(config)#  aaa authentication ssh console NY_AAA LOCAL

 

The “LOCAL” keyword at the end designates the local firewall username database as the fallback method, used only when the AAA server cannot be reached (e.g. the server is down), not when it rejects the credentials. The fallback only helps if a local account actually exists, so create one with the username command (with a strong password) before you turn on AAA for the console and SSH; otherwise an unreachable AAA server locks you out of the appliance.

Of course, to complete the scenario above, you also need to configure the AAA server with the internal IP address of the ASA firewall and the same shared key (e.g. secretauthkey) as the one you configured on the ASA above. The TACACS+ key only obfuscates the packet body, so use a long random key and restrict the server so that only the firewall's inside address may talk to it.
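The mistakes that bite with this design are operational rather than syntactic: a server group that is referenced but never defined, a host without a key, no LOCAL fallback on one of the access methods, or a fallback with no local user behind it. As an added example (Python, not from the original article), the audit below reads an ASA running configuration as text and reports those conditions. Both sample configurations are constructed from the article's commands; the first deliberately adds an ASDM (http) line without fallback and omits the local user.

```python
import re

# Constructed sample: the article's commands plus an ASDM (http) line that
# forgot the LOCAL fallback, and no local username at all.
WEAK_CONFIG = """\
aaa-server NY_AAA protocol tacacs+
aaa-server NY_AAA (inside) host 10.1.1.1
 key secretauthkey
aaa authentication serial console NY_AAA LOCAL
aaa authentication telnet console NY_AAA LOCAL
aaa authentication ssh console NY_AAA LOCAL
aaa authentication http console NY_AAA
"""

# Constructed sample: the same design with the gaps closed and Telnet dropped.
FIXED_CONFIG = """\
aaa-server NY_AAA protocol tacacs+
aaa-server NY_AAA (inside) host 10.1.1.1
 key secretauthkey
username admin password StrongLocalPassw0rd privilege 15
aaa authentication serial console NY_AAA LOCAL
aaa authentication ssh console NY_AAA LOCAL
aaa authentication http console NY_AAA LOCAL
aaa authentication enable console NY_AAA LOCAL
"""

AUTH_RE = re.compile(
    r"^aaa authentication (?P<svc>serial|telnet|ssh|http|enable) console "
    r"(?P<group>\S+)(?: (?P<fallback>LOCAL))?\s*$", re.M)
GROUP_RE = re.compile(r"^aaa-server (?P<group>\S+) protocol (?P<proto>\S+)", re.M)
# A host line, optionally with an inline key, followed by its indented sub-commands.
HOST_RE = re.compile(
    r"^aaa-server (?P<group>\S+) \([^)]+\) host (?P<host>\S+)(?P<inline_key> \S+)?[ \t]*\n"
    r"(?P<body>(?: .*\n?)*)", re.M)
USER_RE = re.compile(r"^username \S+ password \S+", re.M)


def audit_aaa(config: str) -> list:
    """Return human-readable findings. An empty list means every management
    access method uses a defined, keyed server group with a usable LOCAL
    fallback, Telnet is not enabled, and 'enable' is under AAA as well."""
    findings = []
    groups = {m["group"]: m["proto"] for m in GROUP_RE.finditer(config)}
    hosts = {}
    for m in HOST_RE.finditer(config):
        keyed = bool(m["inline_key"]) or re.search(r"^ key \S+", m["body"], re.M) is not None
        hosts.setdefault(m["group"], []).append((m["host"], keyed))
    has_local_user = USER_RE.search(config) is not None

    auths = list(AUTH_RE.finditer(config))
    for m in auths:
        svc, group, fallback = m["svc"], m["group"], m["fallback"]
        if group != "LOCAL":
            if group not in groups:
                findings.append(f"{svc}: server group {group} is not defined")
            elif not hosts.get(group):
                findings.append(f"{svc}: server group {group} has no hosts")
            else:
                for host, keyed in hosts[group]:
                    if not keyed:
                        findings.append(f"{svc}: host {host} in {group} has no shared key")
            if not fallback:
                findings.append(f"{svc}: no LOCAL fallback; access is lost if {group} is unreachable")
        # LOCAL (as fallback or as the only method) needs an account to fall back to.
        if (fallback or group == "LOCAL") and not has_local_user:
            findings.append(f"{svc}: LOCAL fallback configured but no local username exists")
        if svc == "telnet":
            findings.append("telnet: credentials travel in cleartext; use SSH and remove telnet")
    if auths and not any(m["svc"] == "enable" for m in auths):
        findings.append("enable: not under AAA; privileged mode still uses the shared enable password")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"--- {label}: {len(audit_aaa(cfg))} finding(s)")
        for f in audit_aaa(cfg):
            print("  " + f)
```

Feed it `show running-config` from a real appliance and treat any output as something to fix before the AAA server goes down, not after.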

---Article reference from http://www.tech21century.com/configuring-aaa-authentication-on-cisco-asa-firewall/


Cisco 2960s Can Route

May 10 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

As of 12.2(55)SE, Cisco Catalyst 2960 switches running the LAN Base image can do basic Layer 3 routing. Configuring a 2960 to route is pretty simple. The Switch Database Management (SDM) template needs to be changed to “lanbase-routing”. A reboot is (always) needed after changing the SDM template. After the reboot, it’s just like enabling routing on any other L3 switch, with the command “ip routing” from global config.

 

First we’ll change the SDM template:

SwitchA(config)#sdm prefer lanbase-routing
Changes to the running SDM preferences have been stored, but cannot take effect until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently active.
SwitchA(config)#^Z
SwitchA#reload
System configuration has been modified. Save? [yes/no]: y
Proceed with reload? [confirm]

 

After changing the SDM template, we are reminded that we’ll need to reboot and also given a command to verify the change after the next boot.

 

Now we verify:

SwitchA#show sdm prefer
The current template is "lanbase-routing" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 255 VLANs.
  number of unicast mac addresses:                  4K
  number of IPv4 IGMP groups + multicast routes:    0.25K
  number of IPv4 unicast routes:                    4.25K
  number of directly-connected IPv4 hosts:          4K
  number of indirect IPv4 routes:                   0.25K
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.125k
  number of IPv4/MAC security aces:                 0.375k

The change was successful and we’re given the details about this SDM template.

 

Now seems like a good time to touch on the limitations of the layer 3 capabilities on 2960s. As we see in the output above, we’re limited to 8 routed interfaces. These will be SVIs. At this point, the Cisco 2960s don’t support routed physical interfaces (“no switchport”). Another important note is that we’re only allowed 16 static routes and there is no dynamic routing capability.

 

Now we’ll enable IP routing and configure a couple SVIs:

SwitchA#conf t
SwitchA(config)#ip routing
SwitchA(config)#
SwitchA(config)#int vlan 15
SwitchA(config-if)#ip add 192.168.15.1 255.255.255.0
SwitchA(config-if)#
SwitchA(config-if)#int vlan 25
SwitchA(config-if)#ip add 192.168.25.1 255.255.255.0
SwitchA(config)#^Z
SwitchA#sh ip route
...
C    192.168.15.0/24 is directly connected, Vlan15
C    192.168.25.0/24 is directly connected, Vlan25

Even now, I’m still amazed that we can do this with a 2960. As expected, it’s working. We have two SVIs and we can see the routing table reflect this.

 


How to Configure SNMP V3 on Cisco ASA and IOS?

April 28 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Here we will focus on SNMP V3 configuration on Cisco ASAs with a brief overview of an IOS configuration. This article assumes a basic understanding of SNMP and its operation.

 

The most common reason for an upgrade to SNMP V3 is security. SNMP versions 1 and 2c transmit everything between the SNMP manager and the SNMP agent “in the clear”, including the community string, which is their only form of authentication.

 

This makes your infrastructure devices far more vulnerable to attack or misuse. Anyone who captures a read-only community string can pull interface, ARP and routing tables from the device, and a read-write string lets them change its configuration.

 

SNMP V3 was designed to fix this. It adds authentication and privacy (encryption) options to secure the communication between SNMP managers and SNMP agents.

 

SNMP V3 Security Levels

The authentication (auth) and privacy (priv) options are combined into three security levels:

  • noAuthNoPriv – no authentication and no privacy
  • authNoPriv – authentication and no privacy
  • authPriv – you guessed it – authentication and privacy

 

SNMP Groups

SNMP groups provide an access control policy to which users are added. The user inherits the security level of the group. If the SNMP group “SEC3GROUP” has the authPriv security level, users assigned to it will inherit authPriv.

 

SNMP Users

SNMP users are assigned a username, a group to which they belong, an authentication password, an encryption password, and the algorithm to use with each.

Authentication algorithms are MD5 and SHA
Encryption algorithms are DES, 3DES, and AES (128, 192, 256)

Prefer SHA over MD5 and AES over DES or 3DES: MD5 and 56-bit DES are obsolete, and every platform that offers the alternatives should use them.

 

SNMP Host

An SNMP host is the server to which SNMP notifications and traps are sent. SNMP V3 hosts require the SNMP server IP address and SNMP username. Each SNMP host can only have one username associated with it. The user credentials on the NMS (CiscoWorks, Solarwinds, etc.) must match the SNMP username credentials.

Configuring SNMP V3:

Note – the brackets <> are used to indicate a variable you assign a name to. I used these brackets to emphasize these important variables.

  1. Enable SNMP
    snmp-server enable
  2. Enable the SNMP traps (this will change depending on environment and business requirements). The following example enables all of them, but this could be limited to a subset of traps.
    snmp-server enable traps all
  3. Create the SNMP group
    Note the following meanings:
    auth indicates authentication only
    noauth indicates no authentication or encryption
    priv indicates encryption and authentication
    snmp-server group <GROUPNAME> v3 {auth | noauth | priv}
  4. Create the SNMP user. Type the passwords in plain text. The ASA stores and displays them as localized hex keys, and only in that displayed form does the line carry the encrypted keyword, which tells the parser that what follows is a hex key rather than a password; do not type encrypted in front of a plain-text password.
    snmp-server user <USERNAME> <GROUPNAME> v3 auth {md5 | sha} <AUTHENTICATION-PASSWORD> priv aes 128 <ENCRYPTION-KEY>
  5. Create the SNMP server host
    snmp-server host <INTERFACE-NAME> <HOSTNAME> version 3 <USERNAME>

 

Full Configuration Example for the Cisco ASA (Version 8.4)

snmp-server group SEC3GROUP v3 priv
snmp-server user SNMPUSER3 SEC3GROUP v3 auth md5 thisshouldbeastrongpassword priv aes 128 thisshouldbeastrongencryptionkey
snmp-server host mgmt 10.20.30.10 version 3 SNMPUSER3
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps ipsec start stop
snmp-server enable traps remote-access session-threshold-exceeded

(The group must be created before the user, and the user must reference the same group name; the user line above would be rejected if the group were named SEC3 instead of SEC3GROUP.)

 

Full Configuration Example for the Cisco IOS

snmp-server view SNMPMGR iso included
snmp-server group SEC3GROUP v3 priv read SNMPMGR write SNMPMGR notify SNMPMGR
snmp-server user SNMPUSER3 SEC3GROUP v3 auth md5 thisshouldbeastrongpassword priv aes 128 thisshouldbeastrongencryptionkey
snmp-server enable traps config

 

Note – in IOS the following line does not appear in the running configuration at all:
snmp-server user SNMPUSER3 SEC3GROUP v3 auth md5 thisshouldbeastrongpassword priv aes 128 thisshouldbeastrongencryptionkey

IOS keeps only the keys derived from the authentication password and encryption key, and hides the user from “show run” and “show startup”; verify the user with “show snmp user” instead.
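What both platforms are actually storing, as an added example (Python, not from the original article): SNMPv3's user-based security model never stores or sends the password itself. RFC 3414 turns the password into a key Ku by hashing 1 MiB of the repeated password, then localizes it to one SNMP engine as Kul = H(Ku || engineID || Ku). The hex values the ASA prints after the encrypted keyword are these localized keys, and IOS keeps them out of the configuration entirely. The `maplesyrup` test vector is the public one from RFC 3414 appendix A; the two engine IDs are constructed for this example and are not real devices.

```python
import hashlib

# Public test vector from RFC 3414 appendix A (embedded so this runs offline).
RFC_PASSWORD = "maplesyrup"
RFC_ENGINE_ID = "000000000000000000000002"

# Constructed engine IDs standing in for two devices; real ones come from
# 'show snmp engineID'. These values are made up for the example.
ASA_ENGINE_ID = "80000009fe1122334455667788"
IOS_ENGINE_ID = "800000090300aabbccddeeff"


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated to exactly 1,048,576 bytes).

    The 1 MiB stretch is the only work factor USM has, which is why the
    article's passwords need to be long and random, not merely 'strong'.
    """
    if not password:
        raise ValueError("empty SNMPv3 password")
    total = 1 << 20
    reps = total // len(password) + 1
    return hashlib.new(hash_name, (password * reps)[:total]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku), a distinct key per engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_auth_key(password: str, engine_id_hex: str, hash_name: str = "sha1") -> dict:
    """Localized authentication key for one engine, plus the colon-separated
    hex form in which the ASA displays its 'encrypted' keys."""
    engine_id = bytes.fromhex(engine_id_hex.replace(":", ""))
    ku = password_to_key(password.encode(), hash_name)
    kul = localize_key(ku, engine_id, hash_name)
    return {"ku": ku.hex(), "kul": kul.hex(), "cisco_hex": ":".join(f"{b:02x}" for b in kul)}


def usm_priv_key(password: str, engine_id_hex: str, hash_name: str = "sha1") -> bytes:
    """Privacy key: same derivation from the priv password; DES and AES-128
    use the first 16 bytes of the localized key."""
    engine_id = bytes.fromhex(engine_id_hex.replace(":", ""))
    return localize_key(password_to_key(password.encode(), hash_name), engine_id, hash_name)[:16]


if __name__ == "__main__":
    pw = "thisshouldbeastrongpassword"  # the article's authentication password
    for label, eid in (("ASA", ASA_ENGINE_ID), ("IOS", IOS_ENGINE_ID)):
        for alg in ("md5", "sha1"):
            print(f"{label} {alg:4} Kul = {usm_auth_key(pw, eid, alg)['cisco_hex']}")
    print("AES-128 priv key:", usm_priv_key("thisshouldbeastrongencryptionkey", ASA_ENGINE_ID).hex())
```

Two practical consequences follow. A user line copied out of one ASA's running configuration will not authenticate on another box unless its engineID travels with it, because the keys are bound to the engineID. And a configuration backup that contains the localized keys is as sensitive as the passwords for that one device: whoever holds Kul can authenticate to that engine, even though the password itself is not recoverable from it.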

 

More Information

Cisco Configuration Guide for ASA 8.4 and 8.6

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/monitor_snmp.html#wp1239780

Cisco Configuration Guide for ASA 8.4 and 8.6 PDF

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/monitor_snmp.pdf

---Reference from

http://www.gomiocon.com/2012/04/29/configuring-snmp-v3-on-cisco-asa-and-ios/

 


Basic Interface Configuration of Cisco ASA 5520

April 10 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

The Cisco ASA 5520 is one of the mid-range ASAs: four Gigabit Ethernet ports and a maximum of 450 Mbps of firewall throughput under ideal conditions, which makes it a good fit for mid-sized offices. It has an expansion slot for an add-on module that does content filtering (e.g. email and web) or intrusion prevention, or for a module that gives the ASA more physical ports.

 

The lowest-end ASA is the Cisco ASA 5505, which is more like a switch with VLANs. On the 5510 models and up, interface configuration is akin to that of a router.

 

Factory Default Settings on the ASA 5520

Out of the box, or with the configure factory-default command, the ASA 5520 is configured thusly:

Interface                          Name         Security Level     IP Address      State
GigabitEthernet0/0 through 0/3     no nameif    no security-level  no ip address   Shutdown
Management0/0                      management   100                192.168.1.1     Management-only

 

Configuration Example

On a Cisco ASA 5520 with a factory default config, a show run interface coughs up this information:

interface GigabitEthernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only

 

With nothing configured on the interfaces, the routing table on a factory-default ASA shows only the internal 127.0.0.0 control-plane (cplane) route:

ciscoasa(config-if)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    127.0.0.0 255.255.0.0 is directly connected, cplane

 

To make an interface operational, it needs a name, an IP address, a security level and it needs to be administratively brought up with the no shutdown command.

 

So let’s give the GigabitEthernet0/0 interface a name and an IP address.

ciscoasa# con t
ciscoasa(config)# interface gigabitEthernet 0/0
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# ip address 5.5.5.1

 

When an interface is named “outside”, the ASA automatically assigns the interface a security level of 0. If an interface is named “inside”, it is automatically given a security level of 100.

To view the config on all interfaces, use the show run interface command. To view just one interface, use the show run interface command and specify the interface:

ciscoasa(config-if)# sh ru int g 0/0
!
interface GigabitEthernet0/0
 shutdown
 nameif outside
 security-level 0
 ip address 5.5.5.1 255.0.0.0

 

Because I did not specify a subnet mask when I configured the IP address, the interface was automatically assigned a classful subnet mask. I can specify the subnet mask in the ip address command.

ciscoasa(config-if)# ip address 5.5.5.1 255.255.255.0
ciscoasa(config-if)# sh ru int g 0/0
!
interface GigabitEthernet0/0
 shutdown
 nameif outside
 security-level 0
 ip address 5.5.5.1 255.255.255.0

 

When I am ready to bring the interface up, I use the no shutdown command.

ciscoasa(config-if)# no shut
ciscoasa(config-if)# sh ru int g 0/0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 5.5.5.1 255.255.255.0

 

The show run ip address command shows all interfaces that have IP addresses.

ciscoasa(config-if)# sh ru ip
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 5.5.5.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0

The show ip address command also displays all IP addresses, along with the method used to configure the IP address. (“System IP Addresses” refer to the primary IP addresses used for failover. “Current IP Addresses” are the currently-used IP addresses on the interface(s). So, in an active/standby ASA pair, the active ASA would have the same “System” and “Current” IP addresses. The standby ASA would have different “System” and “Current” IP addresses.)

ciscoasa(config-if)# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   manual
Management0/0            management             192.168.1.1     255.255.255.0   manual
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   manual
Management0/0            management             192.168.1.1     255.255.255.0   manual

 

After a write memory and a reload, when you do show ip address, the “Method” on these manually-configured interfaces changes to CONFIG, signifying that they were loaded from the startup config:

ciscoasa# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   CONFIG
Management0/0            management             192.168.1.1     255.255.255.0   CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   CONFIG
Management0/0            management             192.168.1.1     255.255.255.0   CONFIG

 

Now a show route command displays the directly-connected route to the 5.5.5.0 subnet.

ciscoasa(config-if)# sh ro

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    5.5.5.0 255.255.255.0 is directly connected, outside
C    127.0.0.0 255.255.0.0 is directly connected, cplane

 

From the show run interface command, we can see that there is nothing configured on the g 0/1 interface. Let’s name it, set it as a DHCP client and bring it up. (A firewall's inside interface normally gets a static address; DHCP is used here only to show the command and how the learned address is displayed.)

ciscoasa(config-if)# sh ru int g 0/1
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip add dhcp
ciscoasa(config-if)# no shut

 

The show run interface command will show that g 0/1 is a DHCP client, but it will not display the dynamically-assigned IP address on the interface. To view the DHCP IP address, use the show ip address command.

ciscoasa(config-if)# sh ip add
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   CONFIG
GigabitEthernet0/1       inside                 10.30.1.101     255.255.255.0   DHCP
Management0/0            management             192.168.1.1     255.255.255.0   CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   CONFIG
GigabitEthernet0/1       inside                 10.30.1.101     255.255.255.0   DHCP
Management0/0            management             192.168.1.1     255.255.255.0   CONFIG

Note that the “Method” for g 0/1 is “DHCP”.

You can also display all IP addresses on all interfaces with the show interface ip brief command.

ciscoasa(config-if)# sh int ip b
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         5.5.5.1         YES CONFIG up                    up
GigabitEthernet0/1         10.30.1.101     YES DHCP   up                    up
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
Internal-Control0/0        127.0.1.1       YES unset  up                    up
Internal-Data0/0           unassigned      YES unset  up                    up
Management0/0              192.168.1.1     YES CONFIG down                  down
Virtual254                 unassigned      YES unset  up                    up

 


Cisco ASA Pre-8.3 to 8.3 NAT Configuration Examples

April 5 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Static NAT/PAT

[Figures: Static NAT/PAT, pre-8.3 syntax and its 8.3 equivalent]

Detailed Reference:

ASA Pre-8.3 to 8.3 NAT Configuration Examples

https://supportforums.cisco.com/docs/DOC-9129


Cisco Unified Wired & Wireless Access into Its New Catalyst 3850 Switch

March 7 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Cisco has pushed its Unified Access networking strategy past the management layer by introducing a new edge switch, which has wireless LAN control functionality, and processes both wired and wireless traffic on the same platform.

[Figure: Cisco Catalyst 3850 switches]

With this switch, enterprises will no longer have to tunnel traffic from wireless access points (APs) to a central controller. Instead they can terminate wireless traffic on an edge switch, where they will be able to secure and manage both wired and wireless traffic.

 

Cisco has "truly for the first time integrated their wired and wireless infrastructure in terms of having one box and using one ASIC [application-specific integrated circuit] that really handles traffic irrespective of whether it is coming in from the wired or wireless LAN standpoint," said Rohit Mehra, vice president of network infrastructure research at Framingham, Mass.-based IDC.

 

The new Cisco Catalyst 3850 switch, a successor to the workhorse 3750, is built with a new, programmable ASIC, the Unified Access Data Plane (UADP) chip, which gives it the wireless LAN control functionality. A single stack of Catalyst 3850 will support up to 50 access points and 2,000 clients with 40 Gbps of controller throughput.

[Figure: Cisco Catalyst 3850 network modules]

"In this day and age where wireless traffic has really exploded, and you're carrying all kinds of heavy, latency-sensitive wireless traffic like voice and video, routing all the traffic back to a controller adds an exceptionally large amount of overhead on the network, both local area and wide area," Mehra said.

 

Not only does this integrated wireless LAN control reduce load on the network, it also enhances traffic management and Quality of Service (QoS) functionality. Because traffic from the wireless LAN is no longer tunneled, it crosses the rest of the wired network as standard IP traffic. Enterprises can now apply the same policies and controls to wired and wireless traffic.

 

As a result, Cisco customers can do things like granular, hierarchical QoS across their entire infrastructure, said Rob Soderbery, senior vice president and general manager for Cisco's enterprise networking business.

 

"When you were processing [wired and wireless] streams in different places, doing QoS across that was difficult," he said. "Now you can see all the users and data in one place, and you can set tiered levels on QoS. You can do QoS on a given access point, so you can make sure no one is frozen out. You can then set QoS up to a switch and up to a branch and manage that entire path."

 

With the Catalyst 3850, wireless LAN traffic will become more efficient, particularly as users are moving from access point to access point, said Andre Kindness, senior analyst with Cambridge, Mass.-based Forrester Research Inc.

 

"When you're bouncing from AP to AP, you end up tunneling back [from the controller] to the AP where you started from and that's not always the best path possible, from a VoIP call and latency perspective. You want to follow the user. That's why there's this movement to pushing control back to the edge. You start enforcing policies based on users and applications and where the best connection is."

 

The Cisco Catalyst 3850 is a stackable switch that ships with either 24 or 48 Gigabit Ethernet (GbE) ports, with or without Power over Ethernet (PoE) and optional modules for 10 GbE uplinks. Its prices are identical to comparable configurations of the Catalyst 3750, although customers will have to pay an additional license to activate the wireless control functionality.

 

Goodbye AirOS: IOS to rule wireless LAN

In addition to the Catalyst 3850, Cisco introduced the Cisco 5760 wireless LAN controller for customers who are not yet ready to dump their controller-based systems. This premium device can manage 1,000 access points and 12,000 clients with 60 Gbps of throughput. It runs on the same ASIC platform as the Catalyst 3850 switch.

 

The 5760 is also the first Cisco wireless LAN controller to run IOS, marking a departure from the AirOS operating system that has powered the company's controllers since it acquired wireless networking vendor Airespace. Soderbery said Cisco will gradually upgrade all of its wireless controllers to run IOS instead of AirOS.

 

"All the training and learning that network managers have undergone with IOS, they can now use those skills and leverage them on just one platform, whether for wired or wireless," Mehra said.

Many enterprises will be slow to adopt the Catalyst 3850 with its wireless LAN control function, so central controllers running IOS will be important to Cisco's efforts to unify wired and wireless, Forrester's Kindness said.

 

Cisco is "worried about customers who just bought 3750s in the last year or two," he said. "Most edge switches are kept around for five to seven years so it doesn't make sense for them to replace the edge with this new switch."

 

Because the 5760 runs IOS, network managers can take advantage of the same services and features that are available on Cisco's switches, including Application Visibility and Control (AVC) and TrustSec. Users can also set policies, such as QoS, on the controller in the same way they do on switches and routers.

 

The 5760 controller has a base list price of $20,000.

 

ISE-MDM integration and Prime 360 Experience

Cisco also updated its Identity Services Engine (ISE) and Prime Infrastructure. ISE 1.2 now integrates with mobile device management (MDM) software from Good Technology, Airwatch, MobileIron, Zenprise and SAP.

 

Prime Infrastructure 2.0 has a new 360 Degree Experience that allows network managers to pivot their view of network activity by users, devices, applications and services. With this new feature, a network manager can click to see, for instance, all the network users who are using Twitter, or all the people who are connecting via an iPad, Soderbery said.

---Original From http://searchnetworking.techtarget.com/news/2240177385/New-Cisco-Catalyst-3850-switch-has-integrated-wireless-LAN-control

 

More Related Cisco Catalyst Switch Tips:

More Popular Topics Related to Cisco Catalyst 2960-S FlexStack

What is Exact Cisco Catalyst 2960-S FlexStack?

Cisco Nexus 6000 Switches: High-Density, Compact Form Factor

Cisco Catalyst 6500 vs. Cisco Nexus 7000 Switch

Feature Comparison of Cisco Main Catalyst Switches-Catalyst 2960, 2950, Catalyst 3560, 3550

How to Configure a Cisco 3750?


How to Set Up a Cisco ASA 5505 with a Wireless Router?

January 17 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

This walk-through on setting up a Cisco ASA 5505 firewall with a wireless router focuses on things you might encounter when doing the setup at home, such as not having a static IP from your ISP or wanting to keep using your current wireless router. It covers what you need to do at a high level, which should work with any wireless router.

 

The firewall setup can seem a little daunting, especially because you will most likely lose your Internet access while you’re doing it. Remember there are only four basic things you need to configure to get Internet access.

  1. You need to configure the inside and outside interfaces.
  2. You need a default route so the ASA knows where to send Internet-bound traffic.
  3. You need to configure Port Address Translation (PAT). This is what lets the single IP address your ISP gives you be shared by many devices on your internal network (a many-to-one translation).
  4. You may need access rules. By default the ASA permits traffic from the higher-security inside interface to the lower-security outside interface and tracks those sessions so that the replies are allowed back in, so ordinary browsing, FTP downloads and so on work without any rule. Rules become necessary once you attach an access list to an interface (which replaces the default behaviour) or when you want to publish a service to the Internet.

 

Initial Setup and Configuration of Interfaces

  1. Connect the network cable from the modem to port 0 (default outside port) on the ASA.
  2. Connect your computer to one of the other ports on the ASA, which should be on the inside network by default. Ports 6 and 7 are Power over Ethernet (PoE) ports; I recommend reserving those ports for any devices that can use PoE.
  3. Open a browser on your computer and go to 192.168.1.1, which is the default address for connecting to the ASA.
  4. Click Run ASDM. (Another option is to click Run Startup Wizard and do this entire configuration in the wizard.)
  5. Log in. No passwords are configured yet, so leave the fields blank. Before you finish, set an enable password and a local admin account (under Device Setup) so that the firewall and ASDM are never left reachable without credentials.
  6. Click Configuration at the top.
  7. Click Device Setup.
  8. Click Interfaces.
  9. Edit the Inside Interface.
  10. Make sure it is enabled.
  11. Specify the internal address you want to use. By default this is 192.168.1.1, which you can leave as is. This means you are using the 192.168.1.0/24 network as your inside network.
  12. Click OK.
  13. Edit the Outside Interface.
  14. Choose DHCP. If you happen to have a fixed IP at home, please use that. Many ISPs require you to have a business account to get a static IP, though.
  15. Make sure the interface is enabled.
  16. Put a check mark next to the option Obtain Default Route Using DHCP. This saves you the step of configuring a static route, and it saves you the hassle of having to change the static route every time your IP changes.
  17. Click OK.
  18. The two options Enable Traffic Between Two Or More Interfaces Which Are Configured With The Same Security Levels and Enable Traffic Between Two Or More Hosts Connected To The Same Interface (the same-security-traffic permit inter-interface and intra-interface settings) are not required for inside-to-Internet access with only two interfaces. Leave them unchecked unless you later add something that needs traffic to hairpin on a single interface, such as remote-access VPN clients reaching the Internet through the ASA.

 

Those 18 steps take care of the first two basic things I spoke about before: configuring your interfaces and setting up a default route. Now to configure PAT and the access rules.

 

Configure PAT

  1. Click Firewall while still under the Configuration tab.
  2. Click NAT Rules.
  3. Click Add.
  4. Click Add Dynamic Rule.
  5. For the original source, specify the inside network (192.168.1.0/24) rather than leaving it at Any, so that only your LAN is translated.
  6. For the translated interface put the outside interface.
  7. Click OK.

 

Configure Access Rules

You’ll most likely want HTTP/HTTPS and DNS from your devices to the Internet, and perhaps FTP and ICMP as well. The ASA is a stateful firewall: traffic from the higher-security inside interface to the lower-security outside interface is permitted by default, and the return packets of those sessions are allowed back in automatically, so outbound browsing works without any rule. Once you add an access rule to the inside interface, only what that rule permits is allowed, so list every protocol you need there. Do not add permit rules on the outside interface for "return" web traffic; a rule on the outside opens that port to unsolicited connections from the Internet and is only appropriate for a service you deliberately publish. ICMP is the one exception, because ping replies are not tracked unless ICMP inspection is enabled. Use Figure A as a reference for the kind of configuration you may need.

Figure A

Configure-access-rules.png
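The same setup as the ASDM steps above, expressed as the CLI configuration the wizard generates, is shown here as an added example (it is not from the original article). It assumes ASA 8.3 or later NAT syntax, the factory VLAN layout (VLAN 1 inside, VLAN 2 outside on Ethernet0/0) and the placeholder hostname and secrets shown; it also adds the DHCP server for the LAN, ICMP inspection and the management restrictions that the step list leaves out.

```text
hostname asa5505
! replace the placeholders with real secrets before the box touches the Internet
enable password <strong-enable-secret>
username admin password <strong-admin-secret> privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
!
! step 1: interfaces (VLAN 1 = inside, VLAN 2 = outside, Ethernet0/0 in VLAN 2)
interface Ethernet0/0
 switchport access vlan 2
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
! step 2: "setroute" is the CLI form of Obtain Default Route Using DHCP
 ip address dhcp setroute
!
! hand out addresses on the LAN (the wireless router's DHCP server is switched off);
! the pool is kept small because the 5505 base license caps the number of DHCP clients
dhcpd address 192.168.1.50-192.168.1.80 inside
! pass the DNS servers the ASA learned from the ISP on to the LAN clients
dhcpd auto_config outside
dhcpd enable inside
!
! step 3: PAT, every inside host shares the outside interface address
object network inside-net
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! step 4: no outbound ACL is needed (inside 100 -> outside 0 is allowed by default);
! inspecting ICMP lets ping replies back in without opening anything on the outside
policy-map global_policy
 class inspection_default
  inspect icmp
!
! management only from the inside network, SSH version 2 only, nothing on the outside
http server enable
http 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh version 2
```

Paste it from configure terminal mode and save with write memory. On a 5505 running a release before 8.3 the PAT object is replaced by the older pair nat (inside) 1 192.168.1.0 255.255.255.0 and global (outside) 1 interface; everything else is the same.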

 

Configure Your Wireless Router to Act like an Access Point

This covers setting up the ASA, but you still want to be able to use your wireless router to connect all your laptops, printers, Rokus, etc. The easiest way (though not the only way) to do this is to configure your wireless router to act just as an access point (AP).

 

In general, you’ll want to disconnect the network cable from the WAN, or outside, port on the AP. Then connect to the management interface of your AP, most likely via a browser while your computer is connected to the AP. Some newer APs have an option to just put a check next to AP Mode and it will do it automatically. However, if you don’t have that option, just make sure you turn off DHCP (use the ASA as your DHCP server) and configure the LAN settings to be on the same network as your ASA.

 

In this example the AP gets the IP address 192.168.1.15 with a subnet mask of 255.255.255.0, and its default gateway is the IP address of the ASA. Now connect one of the LAN (inside) ports of the AP to one of the inside ports on the Cisco ASA (ports 1-7). You may need to reboot the AP, after which you should be able to connect wirelessly and have Internet access through the firewall. Two things the ASA cannot do for you: change the AP's default admin password, and use WPA2 with a strong passphrase, because any device that joins the wireless network is already on the inside of the firewall.

 

Resource from http://www.techrepublic.com written by Lauren Malhoit

More Related Tips of Cisco ASA 5505:

Cisco Guide: Migration of Cisco PIX 500 Series to Cisco ASA 5500 Series

New Cisco ASA Clustering Feature Enables 320 Gbps Firewall

Example Show: How to Configure a Cisco ASA 5540 for Video Conferencing for Polycom Device?

How to Configure Dual ISP on Cisco ASA 5505?

VLAN Sub-Interfaces on Cisco ASA 5500 Firewall Configuration

How to Configure Cisco ASA 5505 Firewall?


Cisco ASA 5505 Dual ISP Backup

January 11 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Many small and medium sized businesses require a backup path for their Internet connection while keeping costs to a minimum.  The Cisco ASA 5505 provides a feature called Dual ISP Backup: the company uses its main ISP and, in the case of an outage, fails over to a more cost effective connection such as DSL or cable Internet.  This feature requires the Security Plus license.

 

Let’s assume that a customer is assigned a static public IP address of 100.100.100.100 by their primary ISP and another static public IP address of 200.200.200.200 by their DSL/cable provider (placeholder addresses; substitute the ones your ISPs assign).  Ethernet 0/0 connects to the primary ISP and is placed in a VLAN of your choosing, in this case VLAN 2.  Ethernet 0/1 connects to the customer LAN and is placed in VLAN 1.  Ethernet 0/2 connects to the DSL/cable provider and resides in VLAN 3.

ASA5505(config)# interface ethernet 0/0
ASA5505(config-if)# switchport access vlan 2
ASA5505(config-if)# no shutdown

ASA5505(config)# interface ethernet 0/1
ASA5505(config-if)# switchport access vlan 1
ASA5505(config-if)# no shutdown

ASA5505(config)# interface ethernet 0/2
ASA5505(config-if)# switchport access vlan 3
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 1
ASA5505(config-if)# nameif inside
ASA5505(config-if)# security-level 100
ASA5505(config-if)# ip address 192.168.100.1 255.255.255.0
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 2
ASA5505(config-if)# nameif outside
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address 100.100.100.100 255.255.255.0
ASA5505(config-if)# backup interface vlan 3
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 3
ASA5505(config-if)# nameif backupisp
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address 200.200.200.200 255.255.255.0
ASA5505(config-if)# no shutdown

 

Next, we will create our SLA statements which will track the availability of our primary ISP link.  The commands are as follows:

sla monitor 10
 type echo protocol ipIcmpEcho 4.2.2.2 interface outside
 num-packets 3
 frequency 3
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

 

Operation 10 sends three ICMP echo requests to 4.2.2.2 out of the outside interface and repeats every 3 seconds (the frequency).  A single reply is enough to report the target reachable, and the track only goes down when a run gets no reply at all.  The ASA's default probe timeout (5000 ms) is longer than this 3 second frequency, so pair such a short frequency with a timeout of 1000 ms so that each run finishes before the next one starts.  The sla monitor schedule statement starts the operation, and its number must match the operation it schedules (10 here; the original text scheduled operation 1, which does not exist).  The track 1 statement tells the ASA to track SLA operation 10 using ICMP reachability as the criterion.  Choose a target beyond your ISP's gateway that reliably answers ICMP: 4.2.2.2 is a public DNS resolver, and if it rate-limits or stops answering pings the ASA will fail over even though the primary link is healthy.

 

Next, the default routes are set so that the primary route stays in the routing table only while track 1 is up, and the backup route, with an administrative distance of 254, takes over when it is not.  The next hop of each route must be the gateway address your ISP gives you, on the same subnet as that interface's own address; the original example used next hops from an unrelated network, so placeholder gateways on the two example subnets are used here:

route outside 0.0.0.0 0.0.0.0 100.100.100.1 1 track 1
route backupisp 0.0.0.0 0.0.0.0 200.200.200.1 254

 

You can test the functionality by unplugging the primary ISP link from the ASA.  Also test the case the SLA exists for, where the link stays up but the ISP can no longer reach the Internet: block ICMP to the tracked address upstream of the ASA (for example on the ISP modem), confirm that the routes switch over, then remove the block and confirm that they switch back.
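Two things the walk-through leaves out, shown here as an added example rather than the original author's configuration: the backup interface needs its own translation (ASA 8.3 or later object NAT syntax is assumed, with the 192.168.100.0/24 inside network from the example above), and the tracking should be verified before you depend on it.

```text
! Without a translation for the backup interface, hosts lose Internet access the
! moment the default route moves to backupisp. Object NAT allows one nat line per
! object, so the same subnet is defined twice, once per egress interface.
object network inside-net
 subnet 192.168.100.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network inside-net-backup
 subnet 192.168.100.0 255.255.255.0
 nat (inside,backupisp) dynamic interface
!
! Verification from exec mode, run before and after pulling the primary link:
show sla monitor configuration 10
show sla monitor operational-state 10
show track 1
show route
! While the primary ISP answers pings, show track 1 reports reachability Up and
! show route lists the default route via the outside gateway. After the failure
! the track reports Down and the route with distance 254 via backupisp appears;
! when pings succeed again the primary route is reinstalled automatically.
```

On releases before 8.3 the two objects collapse into nat (inside) 1 192.168.100.0 255.255.255.0 with one global (outside) 1 interface and one global (backupisp) 1 interface line. Existing connections are not moved between the two ISPs; they time out and are rebuilt on the new path.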

 

This solution comes in handy for smaller businesses that require redundant Internet connectivity at a modest price.  Cisco also has documentation on its website at

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

---Resource from ciscocentral.com.au

More Cisco Firewall Tips:

How to Configure Dual ISP on Cisco ASA 5505?

Example Show: How to Configure a Cisco ASA 5540 for Video Conferencing for Polycom Device?

Cisco Released Cisco ASA Software 9.0

Cisco Guide: Migration of Cisco PIX 500 Series to Cisco ASA 5500 Series

How to Configure Cisco ASA 5505 Firewall?


Cisco Catalyst 3560 vs. Cisco 3550

December 13 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

 

Here is a 3560 and 3550 comparison for anyone interested in the differences between the two switches.

Catalyst-3560-and-Cisco-3550-Comparison.jpg

Catalyst 3560 Only Features [12.2(25)SEE2]

  • Access Switch Device Manager (SDM) Template
  • IEEE 802.3af Power over Ethernet
  • IGMP Throttling
  • IPv6 (Internet Protocol Version 6)
  • MLD Snooping
  • Private VLANs
  • VLAN-Based QoS on Physical Ports
  • SRR (Shaped Round Robin)
  • Weighted Tail Drop (WTD)
  • Auto-MDIX

 Note: For details of the Catalyst 3560-only features, see the related pages on Cisco.com.

Cisco 3560 Only Commands [12.2(25)SEE2]

  • clear dot1x
  • clear eap
  • clear ipc
  • clear mac address-table move update
  • exception crashinfo
  • ipv6 access-list
  • ipv6 mld snooping
  • ipv6 mld snooping last-listener-query-count
  • ipv6 mld snooping last-listener-query-interval
  • ipv6 mld snooping listener-message-suppression
  • ipv6 mld snooping robustness-variable
  • ipv6 mld snooping tcn
  • ipv6 mld snooping vlan
  • ipv6 traffic-filter
  • ip vrf (global configuration) - Not Documented
  • ip vrf (interface configuration) - Not Documented
  • mdix auto
  • mls qos queue-set output buffers
  • mls qos queue-set output threshold
  • mls qos rewrite ip dscp
  • mls qos srr-queue input bandwidth
  • mls qos srr-queue input buffers
  • mls qos srr-queue input cos-map
  • mls qos srr-queue input dscp-map
  • mls qos srr-queue input priority-queue
  • mls qos srr-queue input threshold
  • mls qos srr-queue output cos-map
  • mls qos srr-queue output dscp-map
  • mls qos vlan-based
  • power inline consumption
  • renew ip dhcp snooping database
  • queue-set
  • radius-server dead-criteria
  • show cable-diagnostics tdr
  • show controllers power inline
  • show eap
  • show ipc
  • show ipv6 access-list
  • show ipv6 mld snooping
  • show ipv6 mld snooping address
  • show ipv6 mld snooping mrouter
  • show ipv6 mld snooping querier
  • show link state group
  • show mac address-table move update
  • show mls qos input-queue
  • show mls qos queue-set
  • show mls qos vlan
  • srr-queue bandwidth limit
  • srr-queue bandwidth shape
  • srr-queue bandwidth share
  • switchport mode private-vlan
  • switchport private-vlan
  • system env temperature threshold yellow
  • test cable-diagnostics tdr

 NOTE: For details of the Cisco 3560-only commands, see Cisco.com.

Cisco 3550 Only Commands [12.2(25)SEE2]

  • access-list hardware program nonblocking
  • boot buffersize
  • ip dhcp snooping information option format snmp-ifindex
  • ip igmp snooping source-only-learning age-timer
  • mls qos cos policy-map
  • mls qos min-reserve
  • show fm
  • show fm interface
  • show fm vlan
  • show forward
  • show tcam
  • show tcam pbr
  • show tcam qos
  • switchcore
  • wrr-queue bandwidth
  • wrr-queue cos-map
  • wrr-queue dscp-map
  • wrr-queue min-reserve
  • wrr-queue queue-limit
  • wrr-queue random-detect max-threshold
  • wrr-queue threshold

 

Additional Notes

Catalyst 3560 - IPv6 routing is not documented in the 3560 command reference
Catalyst 3560 - IPv6 QoS not supported as of 12.2(25)SEE2
Catalyst 3560 - The SDM template needs to be changed to one that reserves TCAM space for IPv6 (sdm prefer dual-ipv4-and-ipv6 default) before IPv6 routing works.  This requires a reload to take effect.
Catalyst 3560 - Support for bits per second when using Storm Control
Catalyst 3560 - Ports default to dynamic auto rather than dynamic desirable.  Two 3560s will therefore not trunk automatically, but a 3560 will form a trunk when connected to a 3550, whose ports default to dynamic desirable.  Since any DTP-desirable neighbour can turn a 3560 access port into a trunk, set access ports to switchport mode access with switchport nonegotiate rather than relying on the default.
Catalyst 3560 - The SMI image is now called IP Base and the EMI image is now called IP Services
Catalyst 3550 - IPv6 can be bridged using fallback bridging
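An added example (not part of the original comparison) of pinning trunk negotiation on a 3560, so that a port left at the default dynamic auto cannot be turned into a trunk by a neighbour that speaks DTP, whether that neighbour is a 3550 or a host spoofing DTP to reach other VLANs. Interface numbers and VLAN IDs are placeholders.

```text
! user-facing access port: fixed access mode, DTP switched off, edge protections on
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! uplink that really is a trunk: fixed mode, no negotiation, explicit VLAN list,
! and an otherwise unused native VLAN so untagged frames cannot reach VLAN 1
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999
!
! check: every port should show "Negotiation of Trunking: Off"
show interfaces switchport
show interfaces trunk
```

On the 3560 the trunk encapsulation must be set before switchport mode trunk is accepted, because the platform still offers ISL; the 3550 note above about dynamic desirable applies to its defaults, not to ports configured this way.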

 

For more Cisco switch tips and tutorials, visit: http://blog.router-switch.com/category/reviews/cisco-switches/

More Related Cisco Catalyst Switch Tips:

Cisco Nexus Switches: Layer 2 Configuration Strategies

How to Configure DHCP Snooping in a Cisco Catalyst Switch?

How to Configure Private VLANs on Cisco 3560 Switches?

How to Configure Interfaces for the 3560 Switch?

 
