Posts with #cisco switches - cisco firewall tag
Many small and medium-sized businesses need a backup path for their Internet connection while keeping costs to a minimum. The Cisco ASA 5505 supports a Dual ISP Backup configuration in which the company uses its main ISP and, in the event of an outage, fails over to a cheaper DSL or cable connection. On the ASA 5505 the Base license allows a third, restricted VLAN for exactly this purpose (it is what the backup interface command exists for); the Security Plus license is required only if you need more than three VLANs or trunk ports.
Let's assume that a customer is assigned a static public IP address of 100.100.100.100 by their primary ISP and another static public IP address of 126.96.36.199 by their DSL/cable provider. Ethernet 0/0 connects to the primary ISP and is placed in a VLAN of your choosing, in this case VLAN 2. Ethernet 0/1 connects to the customer LAN and is placed in VLAN 1. Ethernet 0/2 connects to the DSL/cable provider and is placed in VLAN 3.
ASA5505(config)# interface ethernet 0/0
ASA5505(config-if)# switchport access vlan 2
ASA5505(config-if)# no shutdown
ASA5505(config)# interface ethernet 0/1
ASA5505(config-if)# switchport access vlan 1
ASA5505(config-if)# no shutdown
ASA5505(config)# interface ethernet 0/2
ASA5505(config-if)# switchport access vlan 3
ASA5505(config-if)# no shutdown
ASA5505(config)# interface vlan 1
ASA5505(config-if)# nameif inside
ASA5505(config-if)# security-level 100
ASA5505(config-if)# ip address 192.168.100.1 255.255.255.0
ASA5505(config-if)# no shutdown
ASA5505(config)# interface vlan 2
ASA5505(config-if)# nameif outside
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address 100.100.100.100 255.255.255.0
ASA5505(config-if)# backup interface vlan 3
ASA5505(config-if)# no shutdown
ASA5505(config)# interface vlan 3
ASA5505(config-if)# nameif backupisp
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address 188.8.131.52 255.255.255.0
ASA5505(config-if)# no shutdown
Next, we create the IP SLA operation that tracks the availability of the primary ISP link, and a track object that follows it. The commands are as follows:
sla monitor 10
 type echo protocol ipIcmpEcho 184.108.40.206 interface outside
 num-packets 3
 timeout 3000
 frequency 3
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
The operation sends 3 ICMP echo probes to the target out of the outside interface every 3 seconds and waits up to 3 seconds for each reply (timeout must not exceed frequency, so it is set before frequency). A single reply is enough to keep the operation, and therefore the primary link, up. The sla monitor schedule statement starts the operation; its number must match the operation number (10). The track 1 statement tells the ASA to track SLA operation 10 using ICMP reachability as the mechanism. Pick a probe target beyond the ISP's own gateway (a stable address further out on the Internet): if you probe the next-hop router, an upstream failure at the ISP leaves the router answering and the ASA never fails over.
Finally, the default routes. The primary ISP route is tied to track 1, so it is withdrawn when the SLA fails; the DSL/cable route is given an administrative distance of 254, so it is only installed while the tracked route is absent:
route outside 0.0.0.0 0.0.0.0 18.104.22.168 1 track 1
route backupisp 0.0.0.0 0.0.0.0 22.214.171.124 254
You can test the functionality by unplugging the primary ISP link from the ASA. That only exercises the link-down case, however; also test the case the SLA exists for, an upstream failure while the link stays up, by making the probe target unreachable and confirming that the backup route is installed.
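As an added example (not from the original post), here is the NAT that makes the backup path usable together with the commands to verify the tracking. It assumes ASA 8.3 or later NAT syntax, the interface names used above, and that the inside network is 192.168.100.0/24. Without a translation on the backupisp interface, inside hosts reach the Internet through the primary ISP but not through the backup.

```text
! Added example; not part of the original post. Assumes ASA 8.3+ NAT syntax and
! the interface names inside, outside and backupisp from the configuration above.
!
! A network object can carry only one NAT rule, so the inside subnet is defined
! twice: once translated behind the outside interface, once behind backupisp.
! Whichever default route is active decides the egress interface and so the rule.
object network inside-net-primary
 subnet 192.168.100.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network inside-net-backup
 subnet 192.168.100.0 255.255.255.0
 nat (inside,backupisp) dynamic interface
!
! Verification: the operation should report a return code of OK, track 1 should
! be Up, and only the outside default route should be in the routing table.
show sla monitor configuration 10
show sla monitor operational-state 10
show track 1
show route | include 0.0.0.0
!
! To watch a failover happen, make the probe target unreachable upstream (or shut
! the switch port facing the primary ISP) while tracing the probes.
debug sla monitor trace
! When track 1 goes Down, show route should list backupisp as the default route.
! Sessions translated behind the primary address do not survive the switch; the
! clients must reconnect, and they then leave translated behind the backup address.
```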
This solution comes in handy for smaller businesses who require redundant Internet connectivity at a price point. Cisco also has excellent documentation located on their website at
---Resource from ciscocentral.com.au
Here is a 3560 and 3550 comparison for anyone interested in the differences between the two switches.
Catalyst 3560 Only Features [12.2(25) SEE2]
- Access Switch Device Manager (SDM) Template
- IEEE 802.3af Power over Ethernet
- IGMP Throttling
- IPv6 (Internet Protocol Version 6)
- MLD Snooping
- Private VLANs
- VLAN-Based QoS on Physical Ports
- SRR (Shaped Round Robin)
- Weighted Tail Drop (WTD)
Note: For details of the Catalyst 3560-only features, see the related pages on Cisco.com.
Cisco 3560 Only Commands [12.2(25)SEE2]
- clear dot1x
- clear eap
- clear ipc
- clear mac address-table move update
- exception crashinfo
- ipv6 access-list
- ipv6 mld snooping
- ipv6 mld snooping last-listener-query-count
- ipv6 mld snooping last-listener-query-interval
- ipv6 mld snooping listener-message-suppression
- ipv6 mld snooping robustness-variable
- ipv6 mld snooping tcn
- ipv6 mld snooping vlan
- ipv6 traffic-filter
- ip vrf (global configuration) - Not Documented
- ip vrf (interface configuration) - Not Documented
- mdix auto
- mls qos queue-set output buffers
- mls qos queue-set output threshold
- mls qos rewrite ip dscp
- mls qos srr-queue input bandwidth
- mls qos srr-queue input buffers
- mls qos srr-queue input cos-map
- mls qos srr-queue input dscp-map
- mls qos srr-queue input priority-queue
- mls qos srr-queue input threshold
- mls qos srr-queue output cos-map
- mls qos srr-queue output dscp-map
- mls qos vlan-based
- power inline consumption
- renew ip dhcp snooping database
- radius-server dead-criteria
- show cable-diagnostics tdr
- show controllers power inline
- show eap
- show ipc
- show ipv6 access-list
- show ipv6 mld snooping
- show ipv6 mld snooping address
- show ipv6 mld snooping mrouter
- show ipv6 mld snooping querier
- show link state group
- show mac address-table move update
- show mls qos input-queue
- show mls qos queue-set
- show mls qos vlan
- srr-queue bandwidth limit
- srr-queue bandwidth shape
- srr-queue bandwidth share
- switchport mode private-vlan
- switchport private-vlan
- system env temperature threshold yellow
- test cable-diagnostics tdr
NOTE: For more details on the Cisco 3560-only commands, see Cisco.com.
Cisco 3550 Only Commands [12.2(25) SEE2]
- access-list hardware program nonblocking
- boot buffersize
- ip dhcp snooping information option format snmp-ifindex
- ip igmp snooping source-only-learning age-timer
- mls qos cos policy-map
- mls qos min-reserve
- show fm
- show fm interface
- show fm vlan
- show forward
- show tcam
- show tcam pbr
- show tcam qos
- wrr-queue bandwidth
- wrr-queue cos-map
- wrr-queue dscp-map
- wrr-queue min-reserve
- wrr-queue queue-limit
- wrr-queue random-detect max-threshold
- wrr-queue threshold
Catalyst 3560 - IPv6 routing is not documented in the 3560 command reference
Catalyst 3560 - IPv6 QoS not supported as of 12.2(25) SEE2
Cisco 3560 - The SDM template must be changed to support IPv6 routing, and the change requires a reload to take effect.
Cisco 3560 - Support for bits per second when using Storm Control
Catalyst 3560 - Ports default to dynamic auto rather than dynamic desirable. This means two 3560s will not automatically form a trunk, but a 3560 will trunk when connected to a 3550.
Catalyst 3560 - The SMI image is now called IP Base and the EMI image is now called IP Services
Catalyst 3550 - IPv6 can be bridged using fallback bridging
More Cisco Switch Tips and Tutorials you can visit: http://blog.router-switch.com/category/reviews/cisco-switches/
Q. What is Cisco ASA Software Release 9.0?
A. Cisco Adaptive Security Appliance (ASA) Software Release 9.0 is the latest release of the software that powers the Cisco ASA family. The same core ASA code delivers enterprise-class security capabilities for ASA devices in a variety of form factors, including a wide range of standalone appliances, hardware blades that integrate with the organization's existing network infrastructure and software that can secure and protect public and private clouds.
Q. What's new in Cisco ASA Software Release 9.0?
A. ASA Software Release 9.0 provides several enhancements. Major new features in this release include:
• The ability to join up to eight Cisco ASA 5585-X or 5580 Series adaptive security appliances in a single cluster, for a linear, predictable increase in performance while providing high availability for always-on data centers
• Integration with Cisco Cloud Web Security (formerly ScanSafe), which allows enterprises to enforce granular web access and web application policy while providing protection from viruses and malware
• Cisco TrustSec Security Group Tags (SGTs), which integrate security into the network fabric to extend the policy construct on the ASA platform
• Next-Generation Encryption, including the Suite B set of cryptographic algorithms, for much better confidentiality
• IPv6, including critical IPv4-to-IPv6 translation features, enabling ASA to be deployed in a mixed v4/v6 environment
• Dynamic routing and site-to-site VPN on a per-context basis, providing much better segmentation between departments or between customers
Q. What Cisco ASA models are supported by ASA 9.0?
Q. Does ASA 9.0 support clustering?
A. Yes. Cisco ASA Release 9.0 enables up to eight Cisco ASA 5585-X or 5580 Adaptive Security Appliance firewall modules to be joined in a single cluster to deliver up to 128 Gbps of multiprotocol throughput (300 Gbps max) and more than 50 million concurrent connections. Alternatively, slot 1 of each ASA 5585-X can be populated with an integrated Intrusion Prevention System (IPS) module, for up to 60 Gbps of IPS throughput.
Q. What are some of the key features of the clustering architecture in Cisco ASA Release 9.0?
A. At the core of the clustering architecture in ASA 9.0 is the patent-pending Cisco Cluster Link Aggregation Control Protocol (cLACP). The protocol enables multiunit ASA clusters to function and be managed as a single entity, identifies the backup unit, and creates the session backup. Policies pushed to the cluster get replicated across all units within the cluster, and the health, performance, and capacity statistics of the entire cluster, as well as individual units within the cluster, can be assessed from the single management console.
Q. What ASA models will support clustering?
A. Initially, Cisco ASA Software Release 9.0 will enable clustering on the ASA 5580 and 5585-X Adaptive Security Appliances.
Q. What ASA modes are supported?
A. Clustered ASA appliances can operate in routed, transparent, or mixed-mode. All members of the cluster must be in the same mode.
Q. Do I have to purchase any license to enable clustering?
A. Yes. A cluster license must be purchased and enabled.
Q. How do feature licenses behave when ASA appliances are clustered?
A. Table 1 provides an explanation of the behavior of key features.
Table 1. Cluster Behavior of Different Cisco ASA Feature License Types

License type: Enable/disable feature license
Behavior in cluster: Only one unit in the cluster is required to have the license.
Example: Security+ on the Cisco ASA 5585-X is required on only one unit.

License type: Capacity license (for example, security contexts, SC)
Behavior in cluster: The cluster capacity equals the sum of all licenses installed, subject to the total capacity of each individual appliance.
Examples:
• 4-node cluster; Node 1 = 200 SC; Nodes 2, 3, and 4 = 0; total capacity = 200 SC
• 4-node cluster; Node 1 = 200 SC; Node 2 = 100 SC; Nodes 3 and 4 = 0; total capacity = 250 SC (the 300 SC sum is limited by the appliance's maximum)

License type: Time-based feature license
Behavior in cluster: If the feature is installed on one unit, it is automatically enabled on the entire cluster. The total duration of the license equals the sum of all remaining license durations.
Example: If the Botnet Traffic Filter is installed on one node, it becomes available to the entire cluster. If Node 1 has 9 months remaining and Node 2 has 7 months remaining, the cluster has 16 months of Botnet Traffic Filter remaining.
Q. What is meant by "scaling factor"?
A. Scaling factor is a measurement of expected performance and scale in a clustered environment. For example, if a 4-unit cluster is configured using 20-Gbps firewalls with a scaling factor of 0.8, the expected performance of that cluster will be: 0.8 x 4 x 20 Gbps = 64 Gbps.
Q. What is the expected performance and capacity with a 2-, 4-, and 8-unit cluster?
A. Cisco currently offers a scaling factor of between 0.7 and 1.0, depending on the traffic profile. Table 2 shows the expected performance of a 2-unit cluster with a multiprotocol traffic profile (the expected performance of 4- and 8-unit clusters can be calculated by multiplying the 2-unit cluster results by 2 and 4, respectively).
Table 2. Sample Data for a Two-Node Cluster
Q. What is the expected behavior if the cluster uses an integrated IPS module in slot 1 of each unit?
A. All IPS modules in the cluster are configured as independent IPSs, so no configuration sync is required. However, Cisco Security Manager and Cisco IPS Manager Express can be used to simplify configuration management across the IPS modules in the cluster. When the traffic enters the cluster, one specific unit becomes the owner for that specific session. When a policy dictates that traffic be redirected to an IPS for further analysis, the IPS module physically associated with that "owner" unit will be utilized. In other words, traffic from one firewall cannot be redirected to an IPS that is integrated with a different firewall in the cluster.
Q. How is session and configuration information synchronized across the cluster members?
A. Cisco ASA Software Release 9.0 uses Cluster Control Link (CCL) to synchronize all state information across the cluster.
Q. How is the cluster managed?
A. The clustered ASA appliances behave as a single firewall instance, so a single instance of Cisco Adaptive Security Device Manager (ASDM) is capable of managing an 8-unit cluster as a single ASA unit. To simplify the configuration phase, cluster configuration steps have been added to the ASDM High Availability and Scalability wizard (Figure 1).
Figure 1. Cluster Configuration Steps in ASDM High Availability and Scalability Wizard
Once the cluster has been deployed, the ASDM Cluster Dashboard (Figure 2) shows the entire cluster on a single screen. The dashboard displays following information:
• Devices information (IP addresses, version, role, and so on)
• Health status: CPU and memory utilizations
• Average CPU and memory status across the cluster
• Control link usage
• Performance statistics: Connections per second and throughput
• Capacity information (number of connections)
Figure 2. ASDM Cluster Dashboard
Cloud Web Security Integration
Q. What are the advantages of cloud web security being integrated with the firewall?
A. Now that Cisco Cloud Web Security is integrated with Cisco ASA Software Release 9.0, organizations gain a centralized content security solution combined with localized network security. However, in contrast to Unified Threat Management appliances (UTMs), which suffer significant performance degradation when web security services are enabled, there is little to no impact on ASA performance because the content scanning is offloaded to the Cisco web security cloud. Administrators can choose to perform deep content scanning on a subset of traffic, based on network address, Microsoft Active Directory user or group name, or hosts residing inside a specific security context.
Q. How does Cisco ASA redirect traffic to Cisco Cloud Web Security?
A. The Cisco ASA Modular Policy Framework (MPF) allows flexible policies to be created to serve a wide range of needs. The outbound traffic can be classified based on user name, user group, source, or destination. The destination aspect can be further classified into three broad categories:
• Approved traffic: Traffic from known safe websites, that is approved by corporate policy
• VPN traffic: Traffic flowing through a site-to-site VPN tunnel
• Traffic redirected to Cisco Cloud Web Security: Traffic is sent to Cisco Cloud Web Security for granular web policy control, including URL filtering, antivirus scanning, web content scanning (ScanSafe scanlets), and web application visibility and control
The traffic classification criteria can also be mixed and matched (for example, a group of users such as guests, vendors, or interns can be selected for Cisco Cloud Web Security inspection).
Q. How does integrated Cisco Cloud Web Security compare with web security functionalities that are offered on-box from other firewall vendors?
A. The key challenge with all-in-one approaches to security is that all security functionalities (firewall, network access control, web, antivirus, VPN, and so on) compete for fixed computing resources (for example, CPU, Regex, and crypto). As a result, performance can drop significantly as more services are enabled. In contrast, with Cisco Cloud Web Security integrated into ASA 9.0, the antivirus and web security component is executed on the scalable Cisco Cloud Web Security cloud, while the network security component is executed on the Cisco ASA. As a result, both services achieve maximum security efficacy, with little or no performance impact.
Q. My deployment is not yet ready for identity enablement. Can I still use the Cisco Cloud Web Security Connector in Cisco ASA Software Release 9.0?
A. Yes. Traffic can be redirected to Cisco Cloud Web Security based on 5-tuples, or by using a cut-through-proxy and local database users on the Cisco ASA. However, either of these methods will disable user-level and group-level reporting, as well as policy control on both the ASA and Cisco Cloud Web Security.
Q. Is Cisco Cloud Web Security available when the Cisco ASA appliance is in multicontext mode?
A. Yes. When the ASA is configured for multicontext mode, managed security providers can enable Cisco Cloud Web Security on a per-context basis. Note, however, that Cisco Cloud Web Security is not supported when Cisco ASA is in transparent mode.
Q. What are some of the configuration steps required to integrate Cisco Cloud Web Security with Cisco ASA?
A. Cisco ASA configuration has two broad components: Cisco Cloud Web Security information and traffic classification. Traffic classifications are performed using the Cisco ASA Modular Policy Framework (MPF), while Cisco Cloud Web Security classifications require the following information:
• IP address of the Cisco Cloud Web Security tower (primary and backup)
• A valid license
• A designated "retry count" before declaring a tower "dead"
Q. Up to 10 percent of the employees in my organization are remote. How can I extend Cisco Cloud Web Security capabilities to those remote users?
A. Cisco Cloud Web Security capabilities are extended to remote users via the Cisco AnyConnect® Secure Mobility Client. The AnyConnect client performs split-tunneling of web and VPN traffic to eliminate the need to backhaul Internet traffic to company headquarters, thereby enabling complex remote access use cases. For example, if a user is traveling from the United States to Japan, AnyConnect will automatically find the closest Cisco Cloud Web Security tower in Japan, even if the VPN tunnel is terminated to the U.S. headquarters location.
Q. How can I enforce Web 2.0 policies on personal handhelds (iPhone and iPads)?
A. The Cisco AnyConnect Secure Mobility Client launches the tunnel to the Cisco ASA headend. The ASA redirects part of tunnel traffic (port 80 and port 443) to the Cisco web security cloud for Web 2.0 application enforcement. This entire process is transparent to the end user.
Q. Is Cisco Cloud Web Security integration available on all Cisco ASA platforms?
A. Yes. Cisco Cloud Web Security integration is available on all currently shipping Cisco ASA appliance platforms, including the Cisco ASA 5500 Series, the Cisco ASA 5500-X Series, and the Cisco Catalyst 6500 Series ASA Services Module. It is not yet available on the Cisco ASA 1000V Cloud Firewall.
Q. How does this integration achieve high availability?
A. There are two pieces to high availability (HA): Cisco Cloud Web Security Tower HA and Cisco ASA HA. When you configure Cisco Cloud Web Security tower information, you can configure a backup Cisco Cloud Web Security tower, which automatically redirects web traffic to the secondary tower if the primary tower goes down. If you are using Cisco ASA HA, the entire system - including the ASA and the Cisco Cloud Web Security tower - can achieve full redundancy in either active/passive or active/active mode. In exceptional circumstances, if both Cisco Cloud Web Security towers are unavailable (e.g., due to the loss of Internet connectivity), the ASA can be configured to either fail-open or fail-close.
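The configuration pieces listed earlier (primary and backup tower addresses, a license, a retry count, and MPF traffic classification) together with the fail-open/fail-close choice described in the answer above, put together as an added example; it is not from the original FAQ or Cisco's documentation. The tower addresses (192.0.2.10/11), the license key, the ACL, class and policy names, and the 10.20.0.0/16 site-to-site VPN subnet are placeholders.

```text
! Added example, not part of the original FAQ. Tower IPs, license key, object
! names and the 10.20.0.0/16 remote-site subnet are placeholders.
scansafe general-options
 server primary ip 192.0.2.10 port 8080
 server backup ip 192.0.2.11 port 8080
 retry-count 5
 license 00112233445566778899aabbccddeeff
!
! Classify outbound web traffic with MPF. Traffic for the remote site carried
! over the site-to-site VPN is excluded so it is not sent to the cloud.
access-list cws-http extended deny tcp any 10.20.0.0 255.255.0.0 eq www
access-list cws-http extended permit tcp any any eq www
access-list cws-https extended deny tcp any 10.20.0.0 255.255.0.0 eq https
access-list cws-https extended permit tcp any any eq https
class-map cws-http-class
 match access-list cws-http
class-map cws-https-class
 match access-list cws-https
!
! One inspection policy per protocol. The default user/group is what the cloud
! sees for connections where no identity is available.
policy-map type inspect scansafe cws-http-pmap
 parameters
  default user guest group default-group
  http
policy-map type inspect scansafe cws-https-pmap
 parameters
  default user guest group default-group
  https
!
! fail-close (the default) drops web traffic when both towers are unreachable;
! fail-open lets it through uninspected. Choose deliberately: fail-open keeps
! users working but silently removes the web security policy during the outage.
policy-map global_policy
 class cws-http-class
  inspect scansafe cws-http-pmap fail-close
 class cws-https-class
  inspect scansafe cws-https-pmap fail-close
```

After applying it, show scansafe server and show scansafe statistics report whether the ASA considers the towers reachable and how much traffic is being redirected.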
Q. Where do I go for more information on the integrated Cisco Cloud Web Security?
A. More information on Cisco Cloud Web Security web AVC can be found at Application Visibility and Control now available in Cisco Cloud Web Security.
Secure Remote Access
Q. Does ASA support IPv6 remote access connections?
A. Yes. IPv4/IPv6 dual stack has been supported inside SSL tunnels since ASA 8.4. ASA 9.0 expands this support to enable IPv4 and IPv6 on the public interface when used in conjunction with Cisco AnyConnect 3.1 or greater. ASA 9.0 also enables IPv6 clientless support.
Q. Does ASA 9.0 support Suite B cryptographic standards?
A. Yes. ASA 9.0 provides comprehensive next-generation encryption capabilities, which includes the Suite B cryptographic standards for remote access and site-to-site connections using an IPsec tunnel. For more information, see the "AnyConnect VPN - Next Generation Encryption" section of this document.
Q. Is next generation encryption available on all ASA platforms?
A. No. Next Generation Encryption is fully supported on the ASA 5585-X, 5500-X Series, and 5580, as well as on the Catalyst 6500 Series ASA Services Module. It can only be partially supported on the ASA 5505, 5510, 5520, 5540, and 5550 due to hardware limitations. AnyConnect 3.1 or greater and an AnyConnect Premium License are also required to use next generation encryption for remote access connections.
Q. Can we use the Cisco AnyConnect Secure Mobility Client with ASA 9.0?
A. Yes. The Cisco AnyConnect Secure Mobility Client is fully supported in ASA 9.0. Customers are encouraged to migrate to AnyConnect for VPN remote access as soon as possible.
Q. Does ASA 9.0 support Virtual Desktop Infrastructure (VDI)?
A. Yes. ASA native clientless support for Citrix VDI deployments has been updated in ASA 9.0 to include XenApp 6.5 and the latest versions of XenDesktop (up to 5.5) on laptops, desktops, and mobile devices (Citrix Mobile Receiver). Support for VMware VDI deployments is also offered (via Smart Tunnels). As in past releases, Cisco AnyConnect supports Citrix and VMware VDI deployments.
The Cisco Catalyst 2960 Series intelligent Ethernet switches, like the Cisco Catalyst 3750 Series, are popular with larger enterprises and companies.
Why are the Cisco 2960 and Cisco 3750 so well received by larger companies? The features, tips, and reviews of the Catalyst 2960 and Catalyst 3750 series below show why.
Cisco Catalyst 2960 Series
Cisco Catalyst 2960 Series Intelligent Ethernet switches, a new line of fixed-configuration standalone devices, provide desktop Fast Ethernet and Gigabit Ethernet connectivity for entry-level enterprise, mid-market, and branch office networks, helping enable enhanced LAN services.
The Catalyst 2960 Series offers integrated security, including network admission control (NAC), as well as advanced quality of service (QoS) and resiliency, delivering intelligent services for the network edge.
The series also includes a number of hardware enhancements for network managers, including configurations featuring dual-purpose (alternatively wired) uplinks for Gigabit Ethernet, allowing the network manager to use either a copper or a fiber uplink. Also included is a 24-port Gigabit Ethernet family member, accelerating Gigabit to the Desktop (GTTD) across the network.
Table 1 provides brief descriptions of the switches in the Catalyst 2960 Series.
The Catalyst 2960 Series offers the following benefits:
• Intelligent features at the network edge, such as sophisticated access control lists (ACL) and enhanced security.
• Dual-purpose uplinks for Gigabit Ethernet uplink flexibility, allowing use of either a copper or a fiber uplink. Each dual-purpose uplink port has one 10/100/1000 Ethernet port and one SFP-based Gigabit Ethernet port, with one port active at a time.
• Network control and bandwidth optimization through advanced QoS, granular rate-limiting, ACLs, and multicast services.
• Network security through a wide range of authentication methods, data encryption technologies, and network admission control based on users, ports, and MAC addresses.
• Easy network configuration, upgrades, and troubleshooting as part of the mid-market or branch solution using the embedded Device Manager and Cisco Network Assistant.
• Auto-configuration for specialized applications using Cisco Smartports.
Cisco Catalyst 3750 Switches
The Cisco Catalyst 3750 Series switches are a premier line of enterprise-class, stackable, multilayer switches that provide high availability, security, and quality of service (QoS) to enhance the operation of the network. Its innovative unified stack management raises the bar in stack management, redundancy, and failover.
With a range of Fast Ethernet and Gigabit Ethernet configurations, the Cisco Catalyst 3750 Series can serve as both a powerful access layer switch for medium enterprise wiring closets and as a backbone switch for mid-sized networks. Customers can deploy network wide intelligent services, such as advanced QoS, rate-limiting, Cisco security access control lists (ACLs), multicast management, and high-performance IP routing—while maintaining the simplicity of traditional LAN switching. Embedded in the Cisco Catalyst 3750 Series is the Cisco Cluster Management Suite (CMS) Software, which allows users to simultaneously configure and troubleshoot multiple Cisco Catalyst desktop switches using a standard Web browser.
Key Features & Benefits of Cisco 3750 Switches
Ease of Use: "Plug-and-Play" Configuration
A working stack is self-managing and self-configuring. When switches are added or removed, the master switch automatically loads the Cisco IOS Software revision running on the stack to the new switch, loads the global configuration parameters, and updates all the routing tables to reflect changes. Upgrades are applied universally and simultaneously to all members of the stack.
The Cisco 3750 Series stacks up to nine switches as a single logical unit for a total of 468 Ethernet or PoE 10/100 ports, or 468 Ethernet 10/100/1000 ports or PoE 10/100/1000 ports, or nine 10 Gigabit Ethernet ports.
Return on Investment through Lower Operations Costs
The automatic Cisco IOS Software version checking and loading of the global configuration parameters provide the first level of operational time saving. The second level is added during the event of an outage. When you remove a troubled switch from an existing stack of switches and replace it with another switch, the master switch will recognize this as a maintenance outage and automatically reload the port-level configuration that was on the previous switch without user intervention. This allows IT managers to have local personnel in remote locations perform maintenance tasks instead of sending costly technicians out for a few minutes of work, thus saving thousands of dollars in operational costs.
Mix-and-Match Switch Types: Pay as You Expand Your Network
Stacks can be created with any combination of Cisco Catalyst 3750 and Cisco Catalyst 3750-E series. Customers who need a mixture of 10/100 and 10/100/1000 ports, PoE, and wiring-closet aggregation capability can incrementally develop the access environment, paying only for what they need. When uplink capacity needs to be increased, you can easily upgrade your bandwidth by adding a 10 Gigabit Ethernet version to the stack and upgrade your Gigabit Ethernet links with 10 Gigabit Ethernet on the existing fiber.
Availability: Uninterrupted Performance at Layer 2 and Layer 3
The Cisco Catalyst 3750 switch increases availability for stackable switches. Each switch can operate as both a master controller and a forwarding processor. Each switch in the stack can serve as a master, creating a 1:N availability scheme for network control. In the unlikely event of a single unit failure, all other units continue to forward traffic and maintain operation.
Smart Multicast: A New Level of Efficiency for Converged Networks
With Cisco StackWise technology, the Cisco Catalyst 3750 Series offers greater efficiency for multicast applications such as video. Each data packet is put onto the backplane only once, which provides more effective support for more data streams.
Superior Quality of Service Across the Stack and at Wire Speed
The Cisco 3750 Series offers Gigabit and 10 Gigabit Ethernet speed with intelligent services that keep everything flowing smoothly, even at 10 times the normal network speed. Mechanisms for marking, classification, and scheduling deliver best-in-class performance for data, voice, and video traffic, all at wire speed.
Network Security: Granular Control for the Access Environment
The Cisco 3750 supports a comprehensive set of security features for connectivity and access control, including ACLs, authentication, port-level security, and identity-based network services with 802.1x and extensions. This set of comprehensive features not only helps prevent external attacks, but also defends the network against "man-in-the-middle" attacks, a primary concern in today's business environment.
Single IP Management: Many Switches, One Address
Each Cisco Catalyst 3750 Series stack is managed as a single object and has a single IP address. Single IP management is supported for activities such as fault detection, VLAN creation and modification, network security, and QoS controls.
Jumbo Frames: Support for High-Demand Applications
The Cisco 3750 Series Switch supports jumbo frames on the 10/100/1000 configurations for advanced data and video applications requiring very large frames.
The Catalyst 3750 Series supports IPv6 routing in hardware for maximum performance. As network devices grow and the need for larger addressing and higher security becomes critical, the Cisco 3750 switch will be ready to meet the requirement.
Standard PoE Support: Graceful Addition of IP Communications
The Cisco Catalyst 3750 and 3750G PoE models support Cisco IP phones and Cisco Aironet wireless LAN (WLAN) access points, as well as any IEEE 802.3af-compliant end device. The Cisco Catalyst 3750 and 3750G 24-port versions can support 24 simultaneous full-powered PoE ports at 15.4W for maximum powered device support. The 48-port versions can deliver the necessary power to support 24 ports at 15.4W, 48 ports at 7.7W, or any combination in between.
10 Gigabit Ethernet Support: Increased Uplink Bandwidth for Gigabit Ethernet Deployments
The Cisco Catalyst 3750 allows network managers to incrementally add IEEE 802.3ae-compliant 10 Gigabit Ethernet connectivity in their wiring closets or grid clusters, further facilitating and enhancing Gigabit Ethernet networks. This provides investment protection to customers who want to use their existing fiber plant, add uplink bandwidth capacity to their switching stacks, and provide higher performance to applications and users.
The Cisco 3750 Series switch offers both a superior command-line interface (CLI) for detailed configuration and Cisco Network Assistant Software, a Web-based tool for quick configuration based on preset templates. In addition, CiscoWorks supports the Cisco Catalyst 3750 Series for network wide management.
Models Comparison of Cisco 3750 Series Switches
Feedback from the Cisco market and from customers indicates that the Cisco Catalyst 3750G and Cisco 3750 V2 series are better received than the Cisco 3750-E series.
As Cisco users know, Catalyst 2960 switches can now route. As of 12.2(55)SE, the Catalyst 2960 is a layer 3 switch (with some limitations covered below).
Configuring a 2960 to route is simple. The Switch Database Management (SDM) template needs to be changed to "lanbase-routing". A reload is (always) needed after changing the SDM template. After the reload, it is just like enabling routing on any other L3 switch: the command "ip routing" from global configuration.
First we’ll change the SDM template:
SwitchA(config)#sdm prefer lanbase-routing
Changes to the running SDM preferences have been stored, but cannot take effect until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently active.
System configuration has been modified. Save? [yes/no]: y
Proceed with reload? [confirm]
After changing the SDM template, we are reminded that we’ll need to reboot and also given a command to verify the change after the next boot.
Now we verify:
SwitchA#show sdm prefer
The current template is "lanbase-routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 255 VLANs.
number of unicast mac addresses: 4K
number of IPv4 IGMP groups + multicast routes: 0.25K
number of IPv4 unicast routes: 4.25K
number of directly-connected IPv4 hosts: 4K
number of indirect IPv4 routes: 0.25K
number of IPv4 policy based routing aces: 0
number of IPv4/MAC qos aces: 0.125k
number of IPv4/MAC security aces: 0.375k
The change was successful and we’re given the details about this SDM template.
Now seems like a good time to touch on the limitations of the layer 3 capabilities on the Cisco 2960s. As we see in the output above, we’re limited to 8 routed interfaces, and these must be SVIs. At this point, the 2960s don’t support routed physical interfaces (“no switchport”). Another important note is that only 16 static routes are allowed and there is no dynamic routing capability.
Now we’ll enable IP routing and configure a couple of SVIs:
SwitchA(config)#ip routing
SwitchA(config)#int vlan 15
SwitchA(config-if)#ip add 192.168.15.1 255.255.255.0
SwitchA(config-if)#int vlan 25
SwitchA(config-if)#ip add 192.168.25.1 255.255.255.0
SwitchA#sh ip route
C 192.168.15.0/24 is directly connected, Vlan15
C 192.168.25.0/24 is directly connected, Vlan25
We deployed some new Cisco Catalyst 6513 with Sup2T supervisor engines as access switches several days ago. During the initial configuration, we realized that Cisco had introduced some new reserved VLANs on IOS15 for internal usage:
VLAN id: 3990 is an internal vlan id - cannot use it to create a VTP VLAN.
Reserved VLANs can be checked with the command “sh vlan internal usage”:
switch #sh vlan internal usage
1006 online diag vlan0
1007 online diag vlan1
1008 online diag vlan2
1009 online diag vlan3
1010 online diag vlan4
1011 online diag vlan5
1012 PM vlan process (trunk tagging)
3968 MET reserved VLAN
3969 MET reserved VLAN
3970 MET reserved VLAN
3971 MET reserved VLAN
4030 MET reserved VLAN
4031 MET reserved VLAN
Due to some code being backported from NX-OS to IOS 15, VLANs 3968 to 4031 are now reserved for MET usage. However, if you are deploying these switches in a working environment you may need to use some of these VLANs. If so, you can change the VLAN range with the following command:
switch (config)#vlan internal reserved met vlan 3904
The new MET VLAN will take effect after reload.
Please reload, or no change will be made
Configuration MET VLAN value is 3904
Operation MET VLAN value is 3968
After you reload the switch the new VLAN range will be applied:
switch #sh vlan internal usage
3904 MET reserved VLAN
3905 MET reserved VLAN
3906 MET reserved VLAN
3965 MET reserved VLAN
3966 MET reserved VLAN
3967 MET reserved VLAN
---Original resources from packetpushers.net
Cisco ASA configuration can be frustrating for many Cisco users, and everyone runs into their own troublesome cases. Here Ethan Banks, a network engineer, shares his experience of helping a VPN client reach a remote office, along with an example of Cisco ASA 8.3/8.4 hairpinning NAT configuration.
Let’s share the case:
“I ran into an issue over the weekend where a VPN client was unable to access a remote office connected via an L2L tunnel terminated on the same firewall. The symptoms were straightforward enough. The client was unable to either ping or open a URL at a specific server at the remote office, although this connectivity used to work. In this example, VPN client 192.168.100.100 was not able to access server 10.11.12.1, although access to resources in the 10.10.0.0/16 network was fine.
I confirmed the remote office firewall was unlikely to be the issue; the remote firewall had seen no changes. As I knew the headquarters Cisco ASA firewall HAD seen a few changes, that’s where I focused my attention. After reviewing the headquarters firewall rulebase, I knew that the VPN client IP pool had permission to access resources in the remote office.
Monitoring the firewall logs, I spotted several “110003: Routing failed to locate next-hop for protocol from src interface:src IP/src port to dest interface:dest IP/dest port” messages tied directly to the VPN client trying to open a socket to 10.11.12.1. So, I reviewed the firewall routing table with “show route” and “show asp table routing” and found no issues…not that I expected to. If the routing table was having a problem, connectivity issues would have been more widespread.
Of course, NAT sprung to mind as a potential issue, but I couldn’t see an obvious problem. There was a NAT that exempted the entire VPN client pool from being translated to any RFC1918 destinations. As this clearly covered the remote office IP range, I was a little stumped. This confusion was compounded by the fact that the connectivity used to work. A perplexing issue.
Take a read “Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6-Setting General VPN Parameters”. A couple of highlights caught my eye:
- The “same-security-traffic permit intra-interface” is required. Fair enough, easy to implement, makes sense, and I’d already done that. No problem.
- Now the documentation got confusing because of two conflicting statements:
- “When the ASA sends encrypted VPN traffic back out this same interface NAT is optional. The VPN-to-VPN hairpinning works with or without NAT.” Okay – so I don’t need to write a NAT statement for the hairpinned traffic. NAT is optional, right? But then you next read…
- “To exempt the VPN-to-VPN traffic from NAT, add commands that implement NAT exemption for VPN-to-VPN traffic.” Uh, hang on. So I *do* need a NAT statement?
From my experience, I believe that, yes, you need a NAT exemption statement. I think all Cisco is trying to say is that you don’t have to actually translate the source or destination address into something else to be able to get through the hairpin.
Writing a NAT exemption statement is not an unusual thing to have to do in an ASA, but the magic in the context of hairpinning is in defining the ingress and egress interfaces. In a hairpin path, the traffic flows in and out the same interface. While I did have a NAT statement that matched source and destination addresses in question, the interfaces were only suitable for handling source VPN client to destination headquarters network traffic…not traffic headed from VPN client to the remote office network. Therefore, I needed a NAT statement like this: “nat (outside,outside) source static client_vpn_pool client_vpn_pool destination static remote_office_net remote_office_net”.
The order of the NAT statement also mattered, as NAT statements are processed in order. Once I moved my new NAT statement to the top of the list, the issue was resolved.”
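The fix described in the post, written out as a complete ASA 8.3+ configuration fragment. This is an added example, not Ethan Banks' own configuration: the object names client_vpn_pool and remote_office_net and the (outside,outside) identity NAT come from the post, while the exact subnets (192.168.100.0/24 for the VPN pool, 10.11.12.0/24 for the remote office) are assumptions.

```cisco
! Allow traffic to enter and leave the same interface (the hairpin).
same-security-traffic permit intra-interface

! Assumed address ranges: the post names the objects but not their masks.
object network client_vpn_pool
 subnet 192.168.100.0 255.255.255.0
object network remote_office_net
 subnet 10.11.12.0 255.255.255.0

! Identity (NAT-exempt) rule for VPN-client -> remote-office traffic.
! Both the real and the mapped interface are "outside", because the flow
! arrives from the remote-access VPN and leaves through the L2L tunnel on
! the same interface. The line number 1 places the rule at the top of
! section 1, so an earlier, broader rule cannot match the flow first.
nat (outside,outside) 1 source static client_vpn_pool client_vpn_pool destination static remote_office_net remote_office_net

! Verify: the new rule should be listed first and its translate_hits
! counter should increase while the VPN client tests the remote server.
show nat
show nat detail

! The original symptom is visible in the log; this should go quiet.
show logging | include 110003
```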
Nexus 3500 will feature ultra-low latency, target Infiniband
Cisco has another Nexus Ethernet data center switch in the works, this one with ultra-low latency and a more formidable rival to Infiniband.
Details on the Nexus 3500 are unavailable. Cisco wouldn't discuss it when asked about an online ad seeking a software engineer for it.
"This is to be announced later," a Cisco spokesperson e-mailed. "No details to share yet."
Sources, however, say the Nexus 3500 will feature 250 nanosecond port-to-port latency and integrated network address translation. They say it will give Infiniband a run for the money, especially when combined with a new NIC from Cisco called usNIC.
"If this product does come out with latency as stated, it will dominate the silicon industry slamming down on Broadcom and more importantly Fulcrum," the source says. "But also compete with Mellanox and close the gap with Infiniband. Cisco will be untouchable in ultra-low latency switching."
RedHat has apparently run tests of usNIC with its MRG-M high performance computing software. Slides 16-18 of this presentation appear to show performance improvements of MRG-M when running usNIC vs. Infiniband.
Red Hat was not immediately available for comment. But our source said it, along with the Nexus 3500, could be a viable alternative to Infiniband.
"That, combined with this new Nexus 3500 having 250ns latency would be a compelling solution against Infiniband," the source said. "If Cisco launches Nexus 3500 in the next few months and combines usNIC in the launch it will finally be the first Ethernet solution that can compete against (Infiniband)...(and) shows Cisco intent to kill Infiniband with Ethernet."
Mellanox is a leading Infiniband networking vendor. Requests to the company for comment were not answered by posting time.
Cisco currently offers the Nexus 3000 line for low-latency, top-of-rack switching targeted at high-frequency financial trading, as well as the Nexus 7000, 5000 and 2000 lines for data center fabric switching.
---Reading resource from networkworld.com
By default the Cisco Catalyst 2950 is not configured for remote administration. Basic configuration to enable remote administration on the Cisco Catalyst 2950 includes configuring an IP address on the switch and also enabling telnet access. Once these configurations are completed, the Cisco Catalyst 2950 can be managed by IP address.
Things You'll Need
- Cisco serial console cable
- Windows XP computer connected to the local network
- Privileged exec password for the Cisco Catalyst 2950
- IP address, subnet mask and gateway IP address for the switch
Instructions to Manage Cisco Catalyst 2950 by IP Address
1. Connect the Cisco serial console cable into the console port on the Cisco Catalyst 2950 switch and connect the other end of the cable into the 9-pin serial port, which is usually located on the back or side of the Windows XP computer.
2. Click the "Start" button and select the "Run" box and type "hypertrm" and press the "Enter" key and the HyperTerminal program will appear. Type a name for the session, such as "Cisco 2950" in the "Name:" field and click the "OK" button. Click the "Connect using:" drop-down menu, then click the "Com port" used to connect the Windows XP computer to the Cisco 2950 switch. Press the "Enter" key. Then click the "Bits per second:" drop-down menu and select "9600." Click "None" in the "Flow Control" drop-down menu and press the "Enter" key.
3. Press the "Enter" key and the Cisco command prompt will appear. Type "enable" and press "Enter." Then enter the password if requested.
4. Type "config term" and press the "Enter" key to enter "Configuration Mode" on the switch.
5. Type "line vty 0 4" and press the "Enter" key. Type "password abcd," replacing "abcd" with the password you wish to use to secure telnet access. Press the "Enter" key. Then type "login" and then press the "Enter" key.
6. Type "interface Vlan1" and press the "Enter" key. Then type "ip address 10.0.0.1 255.0.0.0," replacing the "10.0.0.1 255.0.0.0" with the IP address and subnet mask assigned to the switch. Press the "Enter" key.
7. Type "exit" and press the "Enter" key. Then type "ip default-gateway x.x.x.x," replacing "x.x.x.x" with the gateway IP address for the switch. Press the "Enter" key. Then type "end" and press the "Enter" key. Type "copy run start" and press the "Enter" key to save the configuration. Type "exit" and press the "Enter" key.
8. Click "Start" on the Windows XP computer. Click "Run" and then type "cmd" and press the "Enter" key. Type "telnet x.x.x.x" on the command line, replacing "x.x.x.x" with the IP address just configured on the Cisco Catalyst 2950. Press the "Enter" key. Type the telnet password just programmed into the Cisco Catalyst 2950 when requested. Press the "Enter" key and the Cisco command prompt should display so you can now manage the switch over the network.
When Cisco came out with its Unified Compute System (UCS) blades a couple of years back, there was plenty of skepticism about how the company would do by venturing into the pastures new of the server landscape. Last month's announcement that the company passed the 10,000 customer milestone for UCS sales laid many of those doubts to rest.
With IDC rating blades as the fastest growing server segment during the next several years, this bodes well for Cisco's growing presence in the marketplace.
"We're hearing from customers who are reporting all-in savings in the range of 40 percent on the cost of computing," said Todd Brannon, senior manager, Data Center and Virtualization, Cisco. "The savings stem from a variety of sources: lower capex as the platform efficiently scales, reduced administrator time, density/power savings and reduced software licensing costs as more workload lands on fewer servers."
One customer told Brannon he could let his CTO take a Cisco blade straight out of the box, insert it into a chassis slot, and as the system identified and integrated the new resource into the available pool, they congratulated him on his first server deployment.
New Cisco UCS Blades
Since our last snapshot around two years ago, Cisco server blade releases have been largely in lock step with the roll-out of Intel Xeon processor roadmap. Two years ago, the company released the Cisco UCS B200 M1 and B250 M1 blades, which are based on the Intel Xeon processor 5500 series. In the past year, it introduced the Cisco UCS B200 M2 and B250 M2, both based on the Intel Xeon Processor 5600 series.
The UCS B200 blade server is a half-width, 2-socket blade server with up to 192 GB of memory. It can deliver substantial throughput and scalability.
The Cisco UCS B250 M2 Extended Memory Blade Server is aimed at maximizing performance and capacity for demanding virtualization and large dataset applications. It is a full-width, 2-socket blade server that supports up to 384 GB of memory.
In addition, the Cisco UCS B230 M2 and B440 M2 blade servers are based on the Intel Xeon processor E7 family. These two servers are follow-on models to the earlier-released M1 versions that were based on the Intel Xeon Processor 7500 series.
The Cisco UCS B230 M2 Blade Server is a two-socket server supporting up to 20 cores and 512 GB of memory. The B230 M2 extends the capabilities of the Cisco Unified Computing System by delivering higher levels of performance, efficiency and reliability in a more compact, half-width form factor.
The UCS B440 M2 is a 4-socket blade that can support up to 40 cores and 512GB of memory. It is best for enterprise-class applications.
"We will continue to roll out blades targeted at both infrastructure and enterprise-class applications," said Brannon. "Last year, we delivered nine benchmarking world records at the launch of the Intel Xeon processor E7 family."
Cisco UCS Racks
Cisco offers more than just blades. It also provides a range of UCS rack servers. Much like it has done with blades, Cisco has transitioned the rackmount servers from M1 to M2 models to support the newest Intel Xeon Processor 5600 or E7 family.
The Cisco UCS C200 M2 and UCS C210 M2 servers are high-density, 2-socket rackmount servers built for production-level network infrastructure, web services, and mainstream data center, branch and remote-office applications. The Cisco UCS C250 M2 server is a high-performance, memory-intensive, 2-socket, 2-rack-unit (RU) rackmount server designed for virtualization and large dataset workloads.
Two rackmount servers use the Intel Xeon processor E7 family. The Cisco UCS C260 M2 Rack-Mount Server is a high-density, 2-socket platform that offers compact performance for enterprise-critical applications. The C260 M2 server's maximum 1TB of memory and 16 drives make it good for memory-bound or disk-intensive applications.
The Cisco UCS C460 M2 Rack-Mount Server has enough processing power, memory and local storage to house mission-critical applications, as well as server consolidation of resource-intense workloads.
"Cisco UCS is a next-generation data center server platform that unites compute, network, storage access and virtualization into a cohesive system designed to outperform previous server architectures, increase operational agility and flexibility while potentially dramatically reducing overall data center costs," said Brannon. "The system is programmable using single point, model-based management to simplify and speed deployment of applications and services running in bare-metal, virtualized, and cloud-computing environments."
---Reading from serverwatch.com