Cisco & Cisco Network Hardware News and Technology


Cisco Betters Its Catalyst 2000 Line

June 10 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Most popular Cisco Catalyst 2000 line extended with 2960-X, which doubles stack ports and bandwidth, cuts energy use

Cisco this week upgraded its best-selling Catalyst switch by doubling its stacked port density, stacking bandwidth, buffers and CPU performance.

The new Catalyst 2960-X stackable Gigabit Ethernet switch builds on the foundation of the 3-year-old Catalyst 2960-S/SF. It is available in 24- or 48-port configurations, with 10G uplinks and a stacking capacity of 40G-80G.

Cisco says the Catalyst 2000 line is its best-selling Ethernet switch based on number of units and ports shipped.

The 2960-X is designed to keep that momentum going. In a fully stacked configuration of eight switches, the 2960-X supports 384 Gigabit Ethernet ports and Cisco claims the switch uses up to 80% less power than competitive offerings.

If all comparable switch ports sold in 2012 -- 230 million Cisco says, citing data from IDC -- were Catalyst 2960-X switch ports, the energy savings could shut down Hoover Dam for more than three years, power all households in San Francisco for more than three years, make 76 round trips to Mars in a Toyota Prius or reduce CO2 emissions by 7.5 billion pounds, Cisco claims.

Per-port power consumption on the Catalyst 2960-X is 0.9 watts, vs. 2 watts on the 2960-S/SF. Energy efficiency is achieved through support of the IEEE's Energy Efficient Ethernet standard, as well as Cisco's own EnergyWise software. The switches can engage in two modes of "hibernation" during downtime: downlink mode, which powers down less active links; and switch mode, which powers down the switch itself.

Cisco says a 2960-X can drop to as low as 6 watts, from 50-85 watts, in switch hibernation mode.

Cisco-2960-X-series.jpg

The 2960-X can also be stacked with existing 2960-S/SF switches, Cisco says. Like the 2960-S/SF, it also supports Power over Ethernet (PoE) and PoE+.

Other features of the 2960-X include Layer 3 routing based on RIP, OSPF and EIGRP protocols -- the 2960-S/SF are Layer 2-only -- and application visibility through NetFlow-Lite, a less CPU intensive "NetFlow-like" traffic monitoring capability.

The Catalyst 2960-X is also built for network programmability by being "onePK-ready." Cisco onePK is the company's API toolkit for software-defined network programmability.

Cisco said the 2960-X will be onePK programmable later this year. The switch is not equipped with the UADP programmable ASIC unveiled earlier this year, but another Cisco chip optimized for Layer 2/3 processing.

The 2960-X will be available in July. It costs $1,895 in a 24-port configuration and $3,395 in a 48-port model.

---Article News from http://www.networkworld.com/news/2013/060413-cisco-catalyst-270415.html

More Related:

Cisco Catalyst 2960-X Series Switches Debut at Cisco Partner Summit

Cisco Catalyst 2960 LAN Base Series & Catalyst 2960 LAN Lite Series

Cisco Catalyst 2960 Series Enables Routing

What is Exact Cisco Catalyst 2960-S FlexStack?

More Popular Topics Related to Cisco Catalyst 2960-S FlexStack


Cisco ASA 5505 DMZ with Private VLAN Configuration

May 28 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

The ASA 5505 is the only ASA model that has an 8-port switch embedded in the device. All interfaces of the ASA 5505 are Layer 2 switch ports and thus support some features that you can find on Cisco switches. One of these features is called “Private VLAN”.

 

The concept of “Private VLAN” is very useful in DMZ environments. Here is how it can be used: let’s say you have a firewall with an Outside interface connected to the Internet, an Inside interface connected to the secure LAN, and a DMZ interface connected to a subnet hosting several publicly accessible servers (e.g. a web server, an email server, etc.). The DMZ servers are all on the same network subnet. Thus, if one of the DMZ servers gets compromised, the attacker can easily use the hacked server as a “stepping stone” to reach the other servers in the DMZ.

The above situation can be mitigated by using Private VLANs. Although the DMZ Layer 2 VLAN number and Layer 3 subnet are the same for all servers, designating each DMZ switch port as a “Private VLAN” port means the servers in the DMZ are no longer allowed to communicate with each other.

Let’s see a diagram below to explain the concept of “Private VLAN”.

Cisco-ASA-5505-DMZ-with-Private-VLAN-Configuration.png

Let’s say we have a Cisco ASA5505 with three security zones:

  • Outside Zone: Interface E0/0 in VLAN 10
  • Inside Zone: Interface E0/1 in VLAN 20
  • DMZ Zone: Interfaces E0/2, E0/3 in VLAN 30

Notice that in the DMZ we have two publicly accessible servers (a web server and an email server) which both belong to the same Layer 2 VLAN (VLAN 30) and the same Layer 3 network subnet (10.0.0.0/24).

If we don’t configure “Private VLANs”, then if the web or email server gets hacked, the attacker can access the other DMZ server as well. With Private VLANs, the web and email servers can NOT communicate with each other although they are on the same VLAN and subnet. However, all other zones (outside and inside) are still able to access the DMZ zone (and vice versa) without any problem.

 

Configuration:

We are not going to see the complete config here, just the part that has to do with Private Vlan setup.

ASA5505(config)# interface ethernet 0/0
ASA5505(config-if)# switchport access vlan 10
ASA5505(config-if)# no shutdown

ASA5505(config-if)# interface ethernet 0/1
ASA5505(config-if)# switchport access vlan 20
ASA5505(config-if)# no shutdown

ASA5505(config-if)# interface ethernet 0/2
ASA5505(config-if)# switchport access vlan 30
ASA5505(config-if)# no shutdown
ASA5505(config-if)# switchport protected

ASA5505(config-if)# interface ethernet 0/3
ASA5505(config-if)# switchport access vlan 30
ASA5505(config-if)# no shutdown
ASA5505(config-if)# switchport protected

 

The command “switchport protected” configures the specified physical ports as “Private VLAN” ports. All ports configured this way cannot communicate with each other.
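As an added example (not part of the original post), here is a small Python audit that parses ASA 5505 switch-port stanzas in running-config form and reports any VLAN where two or more active ports share the VLAN but not all of them carry switchport protected. The sample config, and the rule that a single-port VLAN needs no isolation, are constructed assumptions.

```python
"""Audit an ASA 5505 switch-port configuration for DMZ port isolation.

Added example, not from the original post. Parses interface stanzas in the
style of the ASA 5505 config above and reports any VLAN in which two or more
active ports share the VLAN but not all of them have 'switchport protected'.
The sample config and the single-port rule are constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed sample (show running-config style) modelled on the post's
# three-zone layout; Ethernet0/3 deliberately lacks 'switchport protected'.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 switchport access vlan 10
interface Ethernet0/1
 switchport access vlan 20
interface Ethernet0/2
 switchport access vlan 30
 switchport protected
interface Ethernet0/3
 switchport access vlan 30
interface Ethernet0/4
 shutdown
"""

INTERFACE_RE = re.compile(r"^interface\s+(\S+)")
VLAN_RE = re.compile(r"^\s+switchport access vlan\s+(\d+)")


def parse_switchports(config_text):
    """Return {interface: {"vlan": int, "protected": bool, "shutdown": bool}}.

    Indented lines are attributed to the most recently seen 'interface'
    line, mirroring the layout of an ASA running-config.
    """
    ports = {}
    current = None
    for raw in config_text.splitlines():
        m = INTERFACE_RE.match(raw)
        if m:
            current = m.group(1)
            # An ASA 5505 switch port with no access VLAN set sits in VLAN 1
            ports[current] = {"vlan": 1, "protected": False, "shutdown": False}
            continue
        if current is None:
            continue
        v = VLAN_RE.match(raw)
        if v:
            ports[current]["vlan"] = int(v.group(1))
        elif raw.strip() == "switchport protected":
            ports[current]["protected"] = True
        elif raw.strip() == "shutdown":
            ports[current]["shutdown"] = True
    return ports


def find_unisolated_vlans(ports):
    """Return {vlan: [unprotected ports]} for VLANs with two or more active
    ports where at least one member lacks 'switchport protected'.

    Shut ports are ignored; a VLAN with a single active port needs no isolation.
    """
    by_vlan = defaultdict(list)
    for name, info in ports.items():
        if not info["shutdown"]:
            by_vlan[info["vlan"]].append((name, info["protected"]))
    findings = {}
    for vlan, members in by_vlan.items():
        if len(members) < 2:
            continue
        unprotected = sorted(name for name, prot in members if not prot)
        if unprotected:
            findings[vlan] = unprotected
    return findings


def audit(config_text):
    """Parse and audit in one call."""
    return find_unisolated_vlans(parse_switchports(config_text))


if __name__ == "__main__":
    for vlan, names in sorted(audit(SAMPLE_CONFIG).items()):
        print(f"VLAN {vlan}: ports without 'switchport protected': {', '.join(names)}")
```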

---Resource from http://www.tech21century.com

More…

How to Set up a Cisco ASA 5505 Firewall with a Wireless Router?

The Way to Activate Your Cisco ASA 5500

Cisco ASA 5520 Basic Configuration Guide

Configuring Static NAT on a Cisco ASA Security Appliance


How to Troubleshoot Nexus 5500s and 1 GE SFPs?

May 23 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

The newer versions of NX-OS support 1G or 10G on the N5K, but the Nexus5000 is not auto-speed sensing. A mini case study follows.

 

One of my customers just put some GLC-SX-MM optics and a fiber patch between a Catalyst 3750 and a Nexus5000. He happened to look at status on Network Assistant on the 3750, and this error appeared:

Description: Gi1/1/1: This port has been disabled because Non Compliant Gigabit Interface Converter (GBIC) connector detected.
Recommendation: Replace connector with cisco compliant Gigabit Interface Converter (GBIC) connector. Refer switch technical documentation to determine cisco compliant connector. Enable the port again.

 

This seemed odd, since the GLC-SX-MM is supported on both devices. I tried shut/no shut on both ends of the port, but that did not help. I then wondered - does he have a bad SFP? I poked around a bit.

The CLI show log info on the 3750 switch was also unhappy:

*Apr 16 01:48:41.190: %PHY-4-SFP_NOT_SUPPORTED: The SFP in Gi1/1/1 is not supported
*Apr 16 01:48:41.190: %PM-4-ERR_DISABLE: gbic-invalid error detected on Gi1/1/1, putting Gi1/1/1 in err-disable state

 

Strange, the GLC-SX-MM is supported on the Catalyst 3750. The interface capabilities looked fine:

3750_sw1#sh int gig 1/1/1 capa
GigabitEthernet1/1/1
  Model:                 WS-C3750X-48P
  Type:                  1000BaseSX SFP
  Speed:                 1000
  Duplex:                full
  Trunk encap. type:     802.1Q,ISL
  Trunk mode:            on,off,desirable,nonegotiate
  Channel:               yes
  Broadcast suppression: percentage(0-100)
  Flowcontrol:           rx-(off,on,desired),tx-(none)
  Fast Start:            yes
  QoS scheduling:        rx-(not configurable on per port basis),
                         tx-(4q3t) (3t: Two configurable values and one fixed.)
  CoS rewrite:           yes
  ToS rewrite:           yes
  UDLD:                  yes
  Inline power:          no
  SPAN:                  source/destination
  PortSecure:            yes

  Dot1x:                 yes
3750_sw1#

 

The status on the 3750 was not connected:

3750_sw1#sh int gig 1/1/1 status
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/1/1                      notconnect   1            auto   auto 1000BaseSX SFP
3750_sw1#

 

I then went to look at the N5K. It claimed it had an invalid SFP of an unknown type:

N5K1# sh int e1/5 status
--------------------------------------------------------------------------------
Port          Name               Status    Vlan      Duplex  Speed   Type
--------------------------------------------------------------------------------
Eth1/5        --                 sfpInvali 1         full    10G     SFP-1000BAS
N5K1#
N5K1# sh int e1/5 capa
Ethernet1/5
  Model:                 N5K-C5548UP-SUP
  Type (SFP capable):    10Gbase-(unknown)
  Speed:                 1000,10000
  Duplex:                full
  Trunk encap. type:     802.1Q
  Channel:               yes
  Broadcast suppression: no
  Flowcontrol:           rx-(off/on),tx-(off/on)
  Rate mode:             none
  QOS scheduling:        rx-(6q1t),tx-(1p6q0t)
  CoS rewrite:           no
  ToS rewrite:           no
  SPAN:                  yes
  UDLD:                  yes
  Link Debounce:         yes
  Link Debounce Time:    yes
  MDIX:                  no
  Pvlan Trunk capable:   yes
  TDR capable:           no
  FabricPath capable:    yes
  Port mode:             Switched
  FEX Fabric:            yes
N5K1#

 

The Nexus5000 also claimed there was no transceiver:

N5K1#sh log | inc 1/5

...
2012 Apr 6 18:10:26 N5K1 %ETHPORT-5-IF_DOWN_NONE: Interface Ethernet1/5 is down (None)
...
2012 Apr 6 19:06:10 N5K1 %ETHPORT-5-IF_HARDWARE: Interface Ethernet1/5, hardware type changed to No-Transceiver

 

I scratched my head a bit, and then came up with the underlying issue - when installing 1GE optics in the N5K, you need to manually set the speed. If you look back, you will see the previous 'sh int e1/5 status' on the N5K shows a speed of 10G. So after the appropriate "speed 1000" command to the e1/5 interface on the N5K, the link came up on both ends.

N5K1# sh int e1/5 stat
--------------------------------------------------------------------------------
Port          Name               Status    Vlan      Duplex  Speed   Type
--------------------------------------------------------------------------------
Eth1/5        --                 connected 1         full    1000     SFP-1000BAS
N5K1#

Summary: The newer versions of NX-OS support 1G or 10G on the N5K, but the N5K is not auto-speed sensing. If you run into something similar, even when the error messages appear on the remote device, check the port speed on the N5K.
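As an added example (not from the original post), the following Python triage helper parses NX-OS show interface status output by header column offsets, flags ports that hold a 1000BASE SFP but are still set to 10G and are not up, and pulls err-disabled ports out of the remote Catalyst syslog. The sample outputs are constructed, modelled on the transcripts above.

```python
"""Triage helper for the N5K 1 GE SFP symptom described above.

Added example, not from the original post. Parses NX-OS 'show interface
status' by header column offsets (so a port Name containing spaces does not
break the split), flags 1000BASE SFPs sitting in ports still set to 10G, and
extracts err-disabled ports from Catalyst %PM-4-ERR_DISABLE syslog lines.
Sample outputs are constructed, modelled on the post's transcripts.
"""
import re

# Constructed NX-OS output: Eth1/5 reproduces the post's symptom.
SAMPLE_STATUS = """\
--------------------------------------------------------------------------------
Port          Name               Status    Vlan      Duplex  Speed   Type
--------------------------------------------------------------------------------
Eth1/5        --                 sfpInvali 1         full    10G     SFP-1000BAS
Eth1/6        to 3750 sw1        connected 1         full    1000    SFP-1000BAS
Eth1/7        --                 connected 1         full    10G     SFP-10GBASE
Eth1/8        --                 sfpAbsent 1         auto    auto    --
"""

# Constructed Catalyst 3750 syslog, copied from the messages in the post.
SAMPLE_3750_LOG = """\
*Apr 16 01:48:41.190: %PHY-4-SFP_NOT_SUPPORTED: The SFP in Gi1/1/1 is not supported
*Apr 16 01:48:41.190: %PM-4-ERR_DISABLE: gbic-invalid error detected on Gi1/1/1, putting Gi1/1/1 in err-disable state
"""

ERR_DISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<port>\S+),")


def column_offsets(header):
    """Return [(column_name, start_offset), ...] for a 'show' header line."""
    return [(m.group(0), m.start()) for m in re.finditer(r"\S+", header)]


def parse_status_table(text):
    """Parse 'show interface status' into a list of {column: value} dicts.

    The first non-separator line is the header; each later row is sliced at
    the header's column start offsets, then stripped.
    """
    lines = [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("---")]
    if not lines:
        return []
    cols = column_offsets(lines[0])
    records = []
    for row in lines[1:]:
        rec = {}
        for i, (name, start) in enumerate(cols):
            end = cols[i + 1][1] if i + 1 < len(cols) else None
            rec[name] = row[start:end].strip()
        records.append(rec)
    return records


def ports_needing_speed_1000(records):
    """Ports holding a 1000BASE SFP whose configured speed is not 1000 and
    which are not connected: the combination the post traced to a missing
    'speed 1000' on the N5K side."""
    return [
        r["Port"]
        for r in records
        if r["Type"].startswith("SFP-1000")
        and r["Speed"] != "1000"
        and r["Status"] != "connected"
    ]


def errdisabled_ports(syslog):
    """Map err-disabled port -> cause from Catalyst %PM-4-ERR_DISABLE lines."""
    return {m.group("port"): m.group("cause") for m in ERR_DISABLE_RE.finditer(syslog)}


def remediation_commands(port):
    """NX-OS config lines that pin the port to 1 G, as the post did."""
    return [f"interface {port}", " speed 1000"]


if __name__ == "__main__":
    for port in ports_needing_speed_1000(parse_status_table(SAMPLE_STATUS)):
        print("\n".join(remediation_commands(port)))
    print(errdisabled_ports(SAMPLE_3750_LOG))
```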

---Resource from http://www.netcraftsmen.net

More…

Cisco Nexus Switches: Layer 2 Configuration Strategies

Cisco Nexus 6000 Switches: High-Density, Compact Form Factor

Cisco Catalyst 6500 vs. Cisco Nexus 7000 Switch

To Answer the Questions from Cisco Nexus 1000V InterCloud Users and Analysts

Cisco New ASR 5500 is for Next-Generation Mobile Internet


How to Configure AAA Authentication on Cisco ASA Firewall

May 15 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

AAA stands for Authentication, Authorization, and Accounting. AAA is a mechanism that is used to tell the firewall appliance who the user is (Authentication), what actions the user is authorized to perform on the network (Authorization), and what the user did on the network after connecting (Accounting). In this post we will focus on the first element of AAA (that is Authentication).

Types of Authentication supported on ASA appliances

Three types of Authentication are available for Cisco ASA firewalls:

1. User Authentication for accessing the security appliance itself.

2. User Authentication for accessing services through the security appliance. This is also called “cut-through proxy” and is used to authenticate users for accessing Telnet, FTP, HTTP, and HTTPS services located in the network behind the firewall.

3. User Authentication for VPN tunnel access (IPsec or SSL VPN).

 

We will see a configuration example for the first type (authentication for accessing the security appliance for management using Serial Console, SSH, and Telnet access).

 

Authentication configuration example

In this example we assume that we have already installed and configured a AAA server (e.g. Cisco ACS) running the TACACS+ authentication protocol. On the AAA server, we have configured a username/password account that the firewall administrators will use to authenticate. Assume also that the AAA server is located on our internal LAN with address 10.1.1.1.

Authentication-configuration-example.jpg

Referring to the figure above, the firewall administrator (Admin) requests firewall access (serial console, SSH, or Telnet) (Arrow 1) for managing the appliance. The ASA firewall (Arrow 2) will request Authentication permission from the AAA server in order to prompt the admin user for Username/Password credentials. After the Admin successfully enters his credentials, the AAA server will give the permission to the Firewall to allow the user in.

Here is the configuration below:

! Specify a AAA server name (NY_AAA) and which protocol to use (Radius or TACACS+)
ASA(config)#  aaa-server NY_AAA protocol tacacs+

! Designate the Authentication server IP address and the authentication secret key
ASA(config)#  aaa-server NY_AAA (inside) host 10.1.1.1
ASA(config-aaa-server-host)#  key secretauthkey

! Enable Authentication for management access
ASA(config)#  aaa authentication serial console NY_AAA LOCAL
ASA(config)#  aaa authentication telnet console NY_AAA LOCAL
ASA(config)#  aaa authentication ssh console NY_AAA LOCAL

 

The “LOCAL” keyword at the end designates the use of the local firewall username database for authentication in case AAA server authentication is not available (e.g. the AAA server is down).

Of course, to complete the scenario above, you need to properly configure the AAA server with the internal IP address of the ASA firewall and the same authentication key (e.g. secretauthkey) as the one you configured on the ASA above.

---Article reference from http://www.tech21century.com/configuring-aaa-authentication-on-cisco-asa-firewall/

More…

Site-to-Site IPSEC VPN between Two Cisco ASA 5520

Configuring Static NAT on a Cisco ASA Security Appliance

EIGRP on a Cisco ASA Firewall Configuration

How to Set up a Cisco ASA 5505 Firewall with a Wireless Router?

How to Configure Cisco ASA 5505 Firewall?


Cisco 2960s Can Route

May 10 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

As of 12.2(55)SE, Cisco 2960s are Layer 3 switches. Configuring Catalyst 2960s to route is pretty simple. The Switch Database Management (SDM) template needs to be changed to “lanbase-routing”. A reboot is (always) needed after changing the SDM template. After the reboot, it’s just like enabling routing on any other L3 switch, with the command “ip routing” from global config.

 

First we’ll change the SDM template:

SwitchA(config)#sdm prefer lanbase-routing
Changes to the running SDM preferences have been stored, but cannot take effect until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently active.
SwitchA(config)#^Z
SwitchA#reload
System configuration has been modified. Save? [yes/no]: y
Proceed with reload? [confirm]

 

After changing the SDM template, we are reminded that we’ll need to reboot and also given a command to verify the change after the next boot.

 

Now we verify:

SwitchA#show sdm prefer
The current template is "lanbase-routing" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 255 VLANs.

  number of unicast mac addresses:                  4K
  number of IPv4 IGMP groups + multicast routes:    0.25K
  number of IPv4 unicast routes:                    4.25K
  number of directly-connected IPv4 hosts:          4K
  number of indirect IPv4 routes:                   0.25K
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.125k
  number of IPv4/MAC security aces:                 0.375k

The change was successful and we’re given the details about this SDM template.

 

Now seems like a good time to touch on the limitations of the layer 3 capabilities on 2960s. As we see in the output above, we’re limited to 8 routed interfaces. These will be SVIs. At this point, the Cisco 2960s don’t support routed physical interfaces (“no switchport”). Another important note is that we’re only allowed 16 static routes and there is no dynamic routing capability.

 

Now we’ll enable IP routing and configure a couple of SVIs:

SwitchA#conf t
SwitchA(config)#ip routing
SwitchA(config)#
SwitchA(config)#int vlan 15
SwitchA(config-if)#ip add 192.168.15.1 255.255.255.0
SwitchA(config-if)#
SwitchA(config-if)#int vlan 25
SwitchA(config-if)#ip add 192.168.25.1 255.255.255.0
SwitchA(config)#^Z
SwitchA#sh ip route
...
C    192.168.15.0/24 is directly connected, Vlan15
C    192.168.25.0/24 is directly connected, Vlan25

Even now, I’m still amazed that we can do this with a 2960. As expected, it’s working. We have two SVIs and we can see the routing table reflect this.

 

More Related Cisco 2960 Tips:

Cisco Catalyst 2960 Series Enables Routing

Cisco Catalyst 2960 LAN Base Series & Catalyst 2960 LAN Lite Series

How to Configure a Cisco 2960 Switch/Layer 2 Switch?

Layer 2 Switches & Layer 3 switches


How to Configure SNMP V3 on Cisco ASA and IOS?

April 28 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Here we will focus on SNMP V3 configuration on Cisco ASAs with a brief overview of an IOS configuration. This article assumes a basic understanding of SNMP and its operation.

 

The most common and sought-after reason for upgrading to SNMP v3 is security. SNMP versions 1 and 2c transmit data between the SNMP server and the SNMP agent “in the clear”.

This makes your infrastructure and the corresponding infrastructure devices far more vulnerable to attack and/or misuse. Weak SNMP hands attackers the low-hanging fruit they sometimes need to build a better attack vector.

 

SNMP V3’s focus was to improve this security flaw. SNMP V3 adds authentication and privacy options to secure its communication between SNMP servers and SNMP agents.

 

SNMP V3 Security Models

The authentication (auth) and privacy (priv) options are grouped into security models.

  • NoAuthPriv – no authentication and no privacy
  • AuthNoPriv – authentication and no privacy
  • AuthPriv – you guessed it – authentication and privacy

 

SNMP Groups

SNMP groups provide an access control policy to which users are added. The user will inherit the security model of the group. If the SNMP group “SEC3” has the AuthPriv security model, users assigned to it will inherit the AuthPriv security model.

 

SNMP Users

SNMP users are assigned a username, a group to which they belong, authentication password, encryption password, and associated algorithms to use.

Authentication algorithms are MD5 and SHA
Encryption algorithms are DES, 3DES, and AES (128,192,256)

 

SNMP Host

An SNMP host is the server to which SNMP notifications and traps are sent. SNMP V3 hosts require the SNMP server IP address and SNMP username. Each SNMP host can only have one username associated with it. The user credentials on the NMS (CiscoWorks, Solarwinds, etc.) must match the SNMP username credentials.

Configuring SNMP V3:

Note – the brackets <> are used to indicate a variable you assign a name to. I used these brackets to emphasize these important variables.

  1. Enable SNMP
    snmp-server enable
  2. Enable the SNMP traps (this will change depending on environment and business requirements). The following example enables all traps, but this could be limited to a subset.
    snmp-server enable traps all
  3. Create the SNMP group
    Note the following meanings:
    auth indicates authentication only
    noauth indicates no authentication or encryption
    priv indicates encryption and authentication
    snmp-server group <GROUPNAME> v3 {auth | noauth | priv}
  4. Create the SNMP user
    snmp-server user <USERNAME> <GROUPNAME> v3 encrypted auth md5 <AUTHENTICATION-PASSWORD> priv AES 128 <ENCRYPTION-KEY>
  5. Create the SNMP server host
    snmp-server host <INTERFACE-NAME> <HOSTNAME> version 3 <USERNAME>

 

Full Configuration Example for the Cisco ASA (Version 8.4)

snmp-server group SEC3GROUP v3 priv
snmp-server user SNMPUSER3 SEC3GROUP v3 encrypted auth md5 thisshouldbeastrongpassword priv aes 128 thisshouldbeastrongencryptionkey
snmp-server host mgmt 10.20.30.10 version 3 SNMPUSER3
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps ipsec start stop
snmp-server enable traps remote-access session-threshold-exceeded

 

Full Configuration Example for the Cisco IOS

snmp-server view SNMPMGR iso included
snmp-server group SEC3GROUP v3 priv read SNMPMGR write SNMPMGR notify SNMPMGR
snmp-server user SNMPUSER3 SEC3GROUP v3 auth md5 thisshouldbeastrongpassword priv aes 128 thisshouldbeastrongencryptionkey
snmp-server enable traps config

 

Note – in IOS you won’t see the following line:
snmp-server user SNMPUSER3 SEC3GROUP v3 auth md5 thisshouldbeastrongpassword priv aes 128 thisshouldbeastrongencryptionkey

IOS hides the authentication password and encryption key from the output of “show run” and “show startup”.
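As an added example (not from the original post), this Python audit checks snmp-server lines from an ASA or IOS running-config against the points made above: v1/v2c community strings, v3 groups below priv, users assigned to a group that is never defined, MD5 or DES/3DES algorithms, and hosts not using version 3. The finding codes and the sample config are constructed for illustration.

```python
"""Audit snmp-server lines from an ASA or IOS config for weak settings.

Added example, not from the original post. Finding codes and the sample
config are constructed. Checks: v1/v2c community strings, v3 groups that
are not 'priv', users whose group is never defined, MD5 or DES/3DES
algorithms, and hosts that are not 'version 3'.
"""
import re

# Constructed sample modelled on the post's ASA example; the user's group
# name does not match the defined group, and two v2c lines were added.
SAMPLE_ASA = """\
snmp-server group SEC3 v3 priv
snmp-server group LEGACY v3 noauth
snmp-server user SNMPUSER3 SEC3GROUP v3 encrypted auth md5 thisshouldbeastrongpassword priv aes 128 thisshouldbeastrongencryptionkey
snmp-server user SNMPUSER4 SEC3 v3 auth sha anotherstrongpassword priv des weakkey
snmp-server host mgmt 10.20.30.10 version 3 SNMPUSER3
snmp-server host mgmt 10.20.30.11 community public version 2c
snmp-server community public
"""

GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (auth|noauth|priv)\b", re.I)
USER_RE = re.compile(
    r"^snmp-server user (\S+) (\S+) v3 (?:encrypted )?auth (md5|sha) \S+"
    r"(?: priv (des|3des|aes)(?: (128|192|256))? \S+)?", re.I)
HOST_RE = re.compile(r"^snmp-server host\b(.*)$", re.I)
COMMUNITY_RE = re.compile(r"^snmp-server community\b", re.I)


def audit_snmp(config_text):
    """Return a list of (code, detail) findings; an empty list means clean."""
    findings = []
    groups = {}   # group name -> security level (auth | noauth | priv)
    users = []    # (user, group, auth_alg, priv_alg or None, key size or None)
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := GROUP_RE.match(line):
            groups[m.group(1)] = m.group(2).lower()
        elif m := USER_RE.match(line):
            users.append(m.groups())
        elif m := HOST_RE.match(line):
            # IOS and ASA both default a host to SNMPv1 when no version is given
            if not re.search(r"\bversion 3\b", m.group(1)):
                findings.append(("non-v3-host", line))
        elif COMMUNITY_RE.match(line):
            findings.append(("community-string", line))

    for name, level in groups.items():
        if level != "priv":
            findings.append(("weak-group", f"group {name} is {level}; only priv encrypts"))

    # Group membership is checked after the full pass, so line order is irrelevant
    for user, group, auth, priv, _size in users:
        if group not in groups:
            findings.append(("undefined-group", f"user {user} references group {group}"))
        if auth.lower() == "md5":
            findings.append(("weak-auth", f"user {user} uses MD5; prefer SHA"))
        if priv is None:
            findings.append(("no-priv", f"user {user} has no privacy (encryption) key"))
        elif priv.lower() in ("des", "3des"):
            findings.append(("weak-priv", f"user {user} uses {priv}; prefer AES"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_snmp(SAMPLE_ASA):
        print(f"{code:16} {detail}")
```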

 

More Information

Cisco Configuration Guide for ASA 8.4 and 8.6

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/monitor_snmp.html#wp1239780

Cisco Configuration Guide for ASA 8.4 and 8.6 PDF

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/monitor_snmp.pdf

---Reference from

http://www.gomiocon.com/2012/04/29/configuring-snmp-v3-on-cisco-asa-and-ios/

 

More Related Cisco and Networking TOPICS:

How to Configure SNMP on Cisco IOS-based Router/Switch?


Basic Interface Configuration of Cisco ASA 5520

April 10 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

The Cisco ASA 5520 is one of the mid-range ASAs. It has four Gigabit Ethernet ports and a maximum throughput of 450 Mbps under ideal conditions, which makes it a good fit for mid-sized offices. It has an expansion slot where you can install an add-on card that does content filtering (e.g. email and web) or intrusion prevention, or an expansion card that gives your ASA more physical ports.

 

The lowest-end ASA is the Cisco ASA 5505 model, which is more like a switch with VLANs. On the 5510 models and up, interface configuration is akin to that of a router.

 

Factory Default Settings on the ASA 5520

Out of the box, or with the configure factory-default command, the ASA 5520 is configured thusly:

Interface              Name         Security Level      IP Address      State
GigabitEthernet0/0     no nameif    no security-level   no ip address   Shutdown
GigabitEthernet0/1     no nameif    no security-level   no ip address   Shutdown
GigabitEthernet0/2     no nameif    no security-level   no ip address   Shutdown
GigabitEthernet0/3     no nameif    no security-level   no ip address   Shutdown
Management0/0          management   100                 192.168.1.1     Management-only

 

Configuration Example

On a Cisco ASA 5520 with a factory default config, a show run interface coughs up this information:

interface GigabitEthernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only

 

With nothing configured on the interfaces, the routing table on a factory default ASA shows only the loopback interface:

ciscoasa(config-if)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    127.0.0.0 255.255.0.0 is directly connected, cplane

 

To make an interface operational, it needs a name, an IP address, a security level and it needs to be administratively brought up with the no shutdown command.

 

So let’s give the GigabitEthernet0/0 interface a name and an IP address.

ciscoasa# con t
ciscoasa(config)# interface gigabitEthernet 0/0
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# ip address 5.5.5.1

 

When an interface is named “outside”, the ASA automatically assigns the interface a security level of 0. If an interface is named “inside”, it is automatically given a security level of 100.

To view the config on all interfaces, use the show run interface command. To view just one interface, use the show run interface command and specify the interface:

ciscoasa(config-if)# sh ru int g 0/0
!
interface GigabitEthernet0/0
 shutdown
 nameif outside
 security-level 0
 ip address 5.5.5.1 255.0.0.0

 

Because I did not specify a subnet mask when I configured the IP address, the interface was automatically assigned a classful subnet mask. I can specify the subnet mask in the ip address command.

ciscoasa(config-if)# ip address 5.5.5.1 255.255.255.0
ciscoasa(config-if)# sh ru int g 0/0
!
interface GigabitEthernet0/0
 shutdown
 nameif outside
 security-level 0
 ip address 5.5.5.1 255.255.255.0

 

When I am ready to bring the interface up, I use the no shutdown command.

ciscoasa(config-if)# no shut
ciscoasa(config-if)# sh ru int g 0/0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 5.5.5.1 255.255.255.0

 

The show run ip address command shows all interfaces that have IP addresses.

ciscoasa(config-if)# sh ru ip
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 5.5.5.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0

The show ip address command also displays all IP addresses, along with the method used to configure the IP address. (“System IP Addresses” refer to the primary IP addresses used for failover. “Current IP Addresses” are the currently-used IP addresses on the interface(s). So, in an active/standby ASA pair, the active ASA would have the same “System” and “Current” IP addresses. The standby ASA would have different “System” and “Current” IP addresses.)

ciscoasa(config-if)# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   manual
Management0/0            management             192.168.1.1     255.255.255.0   manual
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   manual
Management0/0            management             192.168.1.1     255.255.255.0   manual

 

After a write memory and a reload, when you do show ip address, the “Method” on these manually-configured interfaces changes to CONFIG, signifying that they were loaded from the startup config:

ciscoasa# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   CONFIG
Management0/0            management             192.168.1.1     255.255.255.0   CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   CONFIG
Management0/0            management             192.168.1.1     255.255.255.0   CONFIG

 

Now a show route command displays the directly-connected route to the 5.5.5.0 subnet.

ciscoasa(config-if)# sh ro

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    5.5.5.0 255.255.255.0 is directly connected, outside
C    127.0.0.0 255.255.0.0 is directly connected, cplane

 

From the show run interface command, we can see that there is nothing configured on the g 0/1 interface. Let’s set it as a DHCP client and bring it up.

ciscoasa(config-if)# sh ru int g 0/1
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip add dhcp
ciscoasa(config-if)# no shut

 

The show run interface command will show that g 0/1 is a DHCP client, but it will not display the dynamically-assigned IP address on the interface. To view the DHCP IP address, use the show ip address command.

ciscoasa(config-if)# sh ip add
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   CONFIG
GigabitEthernet0/1       inside                 10.30.1.101     255.255.255.0   DHCP
Management0/0            management             192.168.1.1     255.255.255.0   CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   CONFIG
GigabitEthernet0/1       inside                 10.30.1.101     255.255.255.0   DHCP
Management0/0            management             192.168.1.1     255.255.255.0   CONFIG

Note that the “Method” for g 0/1 is “DHCP”.

You can also display all IP addresses on all interfaces with the show interface ip brief command.

ciscoasa(config-if)# sh int ip b
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         5.5.5.1         YES CONFIG up                    up
GigabitEthernet0/1         10.30.1.101     YES DHCP   up                    up
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
Internal-Control0/0        127.0.1.1       YES unset  up                    up
Internal-Data0/0           unassigned      YES unset  up                    up
Management0/0              192.168.1.1     YES CONFIG down                  down
Virtual254                 unassigned      YES unset  up                    up
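Both commands above print fixed-width tables that are easy to check by hand once, but tedious to re-check across many firewalls. The following is an added example, not part of the original post, that parses saved "show ip address" and "show interface ip brief" output and reports which interfaces learned their address by DHCP, which is the fact the walkthrough says "show run interface" hides. The sample text is constructed from the output shown above; the function names and the idea of an "expected DHCP interfaces" allow-list are my own and not an ASA feature.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample input: the "show ip address" output from the walkthrough above.
SHOW_IP_ADDRESS = """\
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   CONFIG
GigabitEthernet0/1       inside                 10.30.1.101     255.255.255.0   DHCP
Management0/0            management             192.168.1.1     255.255.255.0   CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   CONFIG
GigabitEthernet0/1       inside                 10.30.1.101     255.255.255.0   DHCP
Management0/0            management             192.168.1.1     255.255.255.0   CONFIG
"""

# Constructed sample input: a shortened "show interface ip brief" output from above.
SHOW_INT_IP_BRIEF = """\
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         5.5.5.1         YES CONFIG up                    up
GigabitEthernet0/1         10.30.1.101     YES DHCP   up                    up
GigabitEthernet0/2         unassigned      YES unset  administratively down down
Management0/0              192.168.1.1     YES CONFIG down                  down
"""

@dataclass
class AddrRow:
    interface: str
    name: Optional[str]            # nameif; the "ip brief" view does not print it
    ip: Optional[str]              # None when the view prints "unassigned"
    method: str                    # CONFIG, DHCP, unset, ...
    status: Optional[str] = None   # only present in the "ip brief" view
    protocol: Optional[str] = None

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# One data row of "show ip address"; the header row fails the IPv4 match and is skipped.
ADDR_RE = re.compile(
    rf"^(?P<iface>\S+)\s+(?P<name>\S+)\s+(?P<ip>{IPV4})\s+(?P<mask>{IPV4})\s+(?P<method>\S+)\s*$"
)
# One data row of "show interface ip brief"; the header fails on the OK? column.
BRIEF_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ip>\S+)\s+(?:YES|NO)\s+(?P<method>\S+)\s+"
    r"(?P<status>up|down|administratively down)\s+(?P<protocol>up|down)\s*$"
)

def parse_show_ip_address(text: str) -> Dict[str, Dict[str, AddrRow]]:
    """Split the output into its 'system' and 'current' tables, keyed by interface."""
    tables: Dict[str, Dict[str, AddrRow]] = {"system": {}, "current": {}}
    section = None
    for line in text.splitlines():
        if line.startswith("System IP Addresses"):
            section = "system"
        elif line.startswith("Current IP Addresses"):
            section = "current"
        elif section and (m := ADDR_RE.match(line)):
            tables[section][m["iface"]] = AddrRow(m["iface"], m["name"], m["ip"], m["method"])
    return tables

def parse_show_int_ip_brief(text: str) -> Dict[str, AddrRow]:
    """Parse 'show interface ip brief' rows, keyed by interface."""
    rows: Dict[str, AddrRow] = {}
    for line in text.splitlines():
        if m := BRIEF_RE.match(line):
            ip = None if m["ip"] == "unassigned" else m["ip"]
            rows[m["iface"]] = AddrRow(m["iface"], None, ip, m["method"], m["status"], m["protocol"])
    return rows

def dhcp_interfaces(rows: Dict[str, AddrRow]) -> List[str]:
    """Interfaces whose address was learned by DHCP rather than configured statically."""
    return sorted(i for i, r in rows.items() if r.method == "DHCP")

def unexpected_dhcp(rows: Dict[str, AddrRow], expected: Set[str]) -> List[str]:
    """DHCP-addressed interfaces outside the set the operator intends (hypothetical allow-list)."""
    return [i for i in dhcp_interfaces(rows) if i not in expected]

def system_current_mismatch(tables: Dict[str, Dict[str, AddrRow]]) -> List[str]:
    """Interfaces whose configured (system) and in-use (current) addresses differ.
    On a standalone unit the two tables are normally identical."""
    out = []
    for iface, cur in tables["current"].items():
        sysrow = tables["system"].get(iface)
        if sysrow is None or sysrow.ip != cur.ip:
            out.append(iface)
    return sorted(out)

if __name__ == "__main__":
    tables = parse_show_ip_address(SHOW_IP_ADDRESS)
    print("DHCP interfaces:", dhcp_interfaces(tables["current"]))
    print("system/current mismatches:", system_current_mismatch(tables))
    brief = parse_show_int_ip_brief(SHOW_INT_IP_BRIEF)
    print("unexpected DHCP:", unexpected_dhcp(brief, {"GigabitEthernet0/0"}))
```

Feeding the parser the saved output of many devices and diffing `dhcp_interfaces` against what each firewall is supposed to have is a cheap way to notice an interface that was left as a DHCP client after a lab exercise like the one above.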

 

More Related Cisco ASA Tips:

Cisco ASA 5520 Basic Configuration Guide

Site-to-Site IPSEC VPN between Two Cisco ASA 5520

How to Configure Dual ISP on Cisco ASA 5505?

Cisco ASA 8.4 vs. Typical NAT/PAT Configuration

Eight Commands on a Cisco ASA Security Appliance You Should Know

VLAN Sub-Interfaces on Cisco ASA 5500 Firewall Configuration

How to Configure Cisco ASA 5505 Firewall?


Cisco ASA Pre-8.3 to 8.3 NAT Configuration Examples

April 5 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Static NAT/PAT

pre-8.3NAT.jpg

Pre-8.3NAT02.jpg

Detailed Reference:

ASA Pre-8.3 to 8.3 NAT Configuration Examples

https://supportforums.cisco.com/docs/DOC-9129

More Related Topics:

Cisco ASA 8.3, 8.4 Hairpinning NAT Configuration


Cisco Unified Wired & Wireless Access into Its New Catalyst 3850 Switch

March 7 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Cisco has pushed its Unified Access networking strategy past the management layer by introducing a new edge switch, which has wireless LAN control functionality, and processes both wired and wireless traffic on the same platform.

Cisco-Catalyst-3850-Switches.jpg

With this switch, enterprises will no longer have to tunnel traffic from wireless access points (APs) to a central controller. Instead they can terminate wireless traffic on an edge switch, where they will be able to secure and manage both wired and wireless traffic.

 

Cisco has "truly for the first time integrated their wired and wireless infrastructure in terms of having one box and using one ASIC [application-specific integrated circuit] that really handles traffic irrespective of whether it is coming in from the wired or wireless LAN standpoint," said Rohit Mehra, vice president of network infrastructure research at Framingham, Mass.-based IDC.

 

The new Cisco Catalyst 3850 switch, a successor to the workhorse 3750, is built with a new, programmable ASIC, the Unified Access Data Plane (UADP) chip, which gives it the wireless LAN control functionality. A single stack of Catalyst 3850 switches will support up to 50 access points and 2,000 clients with 40 Gbps of controller throughput.

Cisco-3850-Modules.jpg

"In this day and age where wireless traffic has really exploded, and you're carrying all kinds of heavy, latency-sensitive wireless traffic like voice and video, routing all the traffic back to a controller adds an exceptionally large amount of overhead on the network, both local area and wide area," Mehra said.

 

Not only does this integrated wireless LAN control reduce load on the network, it also enhances traffic management and Quality of Service (QoS) functionality. Because traffic from the wireless LAN is no longer tunneled, it crosses the rest of the wired network as standard IP traffic. Enterprises can now apply the same policies and controls to wired and wireless traffic.

 

As a result, Cisco customers can do things like granular, hierarchical QoS across their entire infrastructure, said Rob Soderbery, senior vice president and general manager for Cisco's enterprise networking business.

 

"When you were processing [wired and wireless] streams in different places, doing QoS across that was difficult," he said. "Now you can see all the users and data in one place, and you can set tiered levels on QoS. You can do QoS on a given access point, so you can make sure no one is frozen out. You can then set QoS up to a switch and up to a branch and manage that entire path."

 

With the Catalyst 3850, wireless LAN traffic will become more efficient, particularly as users are moving from access point to access point, said Andre Kindness, senior analyst with Cambridge, Mass.-based Forrester Research Inc.

 

"When you're bouncing from AP to AP, you end up tunneling back [from the controller] to the AP where you started from and that's not always the best path possible, from a VoIP call and latency perspective. You want to follow the user. That's why there's this movement to pushing control back to the edge. You start enforcing policies based on users and applications and where the best connection is."

 

The Cisco Catalyst 3850 is a stackable switch that ships with either 24 or 48 Gigabit Ethernet (GbE) ports, with or without Power over Ethernet (PoE) and optional modules for 10 GbE uplinks. Its prices are identical to comparable configurations of the Catalyst 3750, although customers will have to pay an additional license to activate the wireless control functionality.

 

Goodbye AirOS: IOS to rule wireless LAN

In addition to the Catalyst 3850, Cisco introduced the Cisco 5760 wireless LAN controller for customers who are not yet ready to dump their controller-based systems. This premium device can manage 1,000 access points and 12,000 clients with 60 Gbps of throughput. It runs on the same ASIC platform as the Catalyst 3850 switch.

 

The 5760 is also the first Cisco wireless LAN controller ever to run IOS, marking a departure from the AirOS operating system that has powered the company's controllers since it acquired the wireless networking vendor Airespace. Soderbery said Cisco will gradually upgrade all of its wireless controllers to run IOS instead of AirOS.

 

"All the training and learning that network managers have undergone with IOS, they can now use those skills and leverage them on just one platform, whether for wired or wireless," Mehra said.

Many enterprises will be slow to adopt the Catalyst 3850 with its wireless LAN control function, so central controllers running IOS will be important to Cisco's efforts to unify wired and wireless, Forrester's Kindness said.

 

Cisco is "worried about customers who just bought 3750s in the last year or two," he said. "Most edge switches are kept around for five to seven years so it doesn't make sense for them to replace the edge with this new switch."

 

Because the 5760 runs IOS, network managers can take advantage of the same services and features that are available on Cisco's switches, including Application Visibility and Control (AVC) and TrustSec. Users can also set policies, such as QoS, on the controller in the same way they do on switches and routers.

 

The 5760 controller has a base list price of $20,000.

 

ISE-MDM integration and Prime 360 Experience

Cisco also updated its Identity Services Engine (ISE) and Prime Infrastructure. ISE 1.2 now integrates with mobile device management (MDM) software from Good Technology, Airwatch, MobileIron, Zenprise and SAP.

 

Prime Infrastructure 2.0 has a new 360 Degree Experience that allows network managers to pivot their view of network activity by users, devices, applications and services. With this new feature, a network manager can click to see, for instance, all the network users who are using Twitter, or all the people who are connecting via an iPad, Soderbery said.

Original from: http://searchnetworking.techtarget.com/news/2240177385/New-Cisco-Catalyst-3850-switch-has-integrated-wireless-LAN-control

 

More Related Cisco Catalyst Switch Tips:

More Popular Topics Related to Cisco Catalyst 2960-S FlexStack

What is Exact Cisco Catalyst 2960-S FlexStack?

Cisco Nexus 6000 Switches: High-Density, Compact Form Factor

Cisco Catalyst 6500 vs. Cisco Nexus 7000 Switch

Feature Comparison of Cisco Main Catalyst Switches-Catalyst 2960, 2950, Catalyst 3560, 3550

How to Configure a Cisco 3750?


How to Set Up a Cisco ASA 5505 with a Wireless Router?

January 17 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

This walk-through on setting up a Cisco ASA 5505 firewall with a wireless router focuses on things you might encounter when doing the setup at home.

 

In particular, it covers common home situations such as not having a static IP from your ISP and reusing your current wireless router. The steps are described at a high level and should work with any wireless router.

 

The firewall setup can seem a little daunting, especially because you will most likely lose your Internet access while you’re doing it. Remember there are only four basic things you need to configure to get Internet access.

  1. You should configure the inside and outside interfaces.
  2. You need a default route that tells your devices where to go.
  3. You need to configure Port Address Translation (PAT). PAT lets the many devices on your internal network share the single IP address your ISP gives you, a many-to-one translation.
  4. You need access rules that open ports so your devices can browse web pages, download from FTP sites, etc.

 

Initial Setup and Configuration of Interfaces

  1. Connect the network cable from the modem to port 0 (default outside port) on the ASA.
  2. Connect your computer to one of the other ports on the ASA, which should be on the inside network by default. Ports 6 and 7 are Power over Ethernet (PoE) ports; I recommend reserving those ports for any devices that can use PoE.
  3. Open a browser on your computer and go to 192.168.1.1, which is the default address for connecting to the ASA.
  4. Click Run ASDM. (Another option is to click Run Startup Wizard and do this entire configuration in the wizard.)
  5. Log in. There are no passwords configured yet, so just leave that blank.
  6. Click Configuration at the top.
  7. Click Device Setup.
  8. Click Interfaces.
  9. Edit the Inside Interface.
  10. Make sure it is enabled.
  11. Specify the internal address you want to use. By default this is 192.168.1.1, which you can leave as is. This means you are using the 192.168.1.0/24 network as your inside network.
  12. Click OK.
  13. Edit the Outside Interface.
  14. Choose DHCP. If you happen to have a fixed IP at home, please use that. Many ISPs require you to have a business account to get a static IP, though.
  15. Make sure the interface is enabled.
  16. Put a check mark next to the option Obtain Default Route Using DHCP. This saves you the step of configuring a static route, and it saves you the hassle of having to change the static route every time your IP changes.
  17. Click OK.
  18. Put a check next to Enable Traffic Between Two Or More Interfaces Which Are Configured With The Same Security Levels and next to Enable Traffic Between Two Or More Hosts Connected To The Same Interface.

 

Those 18 steps take care of the first two basic things I spoke about before: configuring your interfaces and setting up a default route. Now to configure PAT and the access rules.

 

Configure PAT

  1. Click Firewall while still under the Configuration tab.
  2. Click NAT Rules.
  3. Click Add.
  4. Click Add Dynamic Rule.
  5. For the original source you can just leave it set at Any (or you can specify the inside network).
  6. For the translated interface put the outside interface.
  7. Click OK.

 

Configure Access Rules

You’ll most likely want to allow HTTP/HTTPS traffic on your ASA. Make sure you add rules for the inside and the outside to permit these, along with any other protocols that might be necessary, such as FTP, ICMP, etc. Use Figure A as a reference for the kind of configuration you may need.

Figure A

Configure-access-rules.png
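The four items the walkthrough lists (named interfaces, a default route, PAT, and access rules) can be checked mechanically against the running configuration the ASDM steps produce. The following is an added example, not part of the original post or of any Cisco tool: a small Python audit that reads a saved "show running-config" and reports which of the four are present, and warns when the inbound rule set on the outside interface permits everything. It assumes ASA 8.3-or-later object NAT syntax ("nat (inside,outside) dynamic interface") but also recognises the older "global (outside) 1 interface" / "nat (inside) 1 ..." pair; the sample configuration is constructed to match the 5505 setup described above, and the function names are mine.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: what the ASDM steps above roughly produce on an ASA 5505 (8.3+ syntax).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network inside-net
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any
access-group outside_access_in in interface outside
"""

def parse_interfaces(cfg: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Map nameif -> {'interface', 'nameif', 'ip'} for every interface block that has a nameif."""
    result: Dict[str, Dict[str, Optional[str]]] = {}
    current: Optional[Dict[str, Optional[str]]] = None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = {"interface": line.split(None, 1)[1], "nameif": None, "ip": None}
            continue
        if not line.startswith(" "):            # "!" or any top-level command closes the block
            if current and current["nameif"]:
                result[current["nameif"]] = current
            current = None
            continue
        if current is None:
            continue
        tok = line.strip()
        if tok.startswith("nameif "):
            current["nameif"] = tok.split()[1]
        elif tok.startswith("ip address "):
            current["ip"] = tok[len("ip address "):]   # "A.B.C.D mask" or "dhcp [setroute]"
    if current and current["nameif"]:
        result[current["nameif"]] = current
    return result

def audit_config(cfg: str) -> dict:
    """Check the four basics from the walkthrough and flag an overly permissive outside ACL."""
    ifaces = parse_interfaces(cfg)
    lines = [l.strip() for l in cfg.splitlines()]
    findings: dict = {"warnings": []}

    # 1. inside and outside interfaces are named and have an address (static or DHCP)
    findings["interfaces"] = all(n in ifaces and bool(ifaces[n]["ip"]) for n in ("inside", "outside"))

    # 2. default route: a static 0/0 route out of 'outside', or learned via DHCP with 'setroute'
    outside_ip = (ifaces.get("outside") or {}).get("ip") or ""
    static_default = any(re.match(r"route outside 0\.0\.0\.0 0\.0\.0\.0 \S+", l) for l in lines)
    findings["default_route"] = static_default or ("dhcp" in outside_ip and "setroute" in outside_ip)

    # 3. PAT to the outside interface address: 8.3+ object/twice NAT, or pre-8.3 global/nat pair
    new_pat = any(re.match(r"nat \(inside,outside\) .*dynamic .*interface", l) for l in lines)
    old_global = {m.group(1) for l in lines
                  for m in [re.match(r"global \(outside\) (\d+) interface", l)] if m}
    old_pat = any(re.match(rf"nat \(inside\) {gid} ", l) for gid in old_global for l in lines)
    findings["pat"] = new_pat or old_pat

    # 4. an ACL is bound inbound on 'outside' and has at least one entry
    bound: Dict[str, str] = {}
    for l in lines:
        m = re.match(r"access-group (\S+) in interface (\S+)", l)
        if m:
            bound[m.group(2)] = m.group(1)
    outside_acl = bound.get("outside")
    entries = [l for l in lines if outside_acl and l.startswith(f"access-list {outside_acl} ")]
    findings["access_rules"] = bool(entries)
    for e in entries:
        if re.search(r"permit ip any(?:4|6)? any(?:4|6)?$", e):
            findings["warnings"].append(f"inbound ACL '{outside_acl}' permits all IP from any to any")
    return findings

if __name__ == "__main__":
    for k, v in audit_config(SAMPLE_CONFIG).items():
        print(f"{k}: {v}")
```

Running it on the constructed sample reports all four items present and no warnings; removing "setroute" from the outside interface makes the default-route check fail, which is the symptom described in step 16 when a dynamic address changes and a static route was used instead.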

 

Configure Your Wireless Router to Act like an Access Point

This covers setting up the ASA, but you still want to be able to use your wireless router to connect all your laptops, printers, Rokus, etc. The easiest way (though not the only way) to do this is to configure your wireless router to act just as an access point (AP).

 

In general, you’ll want to disconnect the network cable from the WAN, or outside, port on the AP. Then connect to the management interface of your AP, most likely via a browser while your computer is connected to the AP. Some newer APs have an option to just put a check next to AP Mode and it will do it automatically. However, if you don’t have that option, just make sure you turn off DHCP (use the ASA as your DHCP server) and configure the LAN settings to be on the same network as your ASA.

 

In my example, you might configure the AP with an IP of 192.168.1.15, a subnet mask of 255.255.255.0, and then the default gateway should be the IP address of the ASA. Now connect one of the LAN, or inside, ports to one of the inside ports on the Cisco ASA (ports 1-7). You may need to reboot the AP, but now you should be able to connect wirelessly and have Internet access through the firewall.

 

Source: http://www.techrepublic.com, written by Lauren Malhoit

More Related Tips of Cisco ASA 5505:

Cisco Guide: Migration of Cisco PIX 500 Series to Cisco ASA 5500 Series

New Cisco ASA Clustering Feature Enables 320 Gbps Firewall

Example Show: How to Configure a Cisco ASA 5540 for Video Conferencing for Polycom Device?

How to Configure Dual ISP on Cisco ASA 5505?

VLAN Sub-Interfaces on Cisco ASA 5500 Firewall Configuration

How to Configure Cisco ASA 5505 Firewall?
