Posts with #cisco switches - cisco firewall tag
Q. What is Cisco ASA Software Release 9.0?
A. Cisco Adaptive Security Appliance (ASA) Software Release 9.0 is the latest release of the software that powers the Cisco ASA family. The same core ASA code delivers enterprise-class security capabilities for ASA devices in a variety of form factors, including a wide range of standalone appliances, hardware blades that integrate with the organization's existing network infrastructure and software that can secure and protect public and private clouds.
Q. What's new in Cisco ASA Software Release 9.0?
A. ASA Software Release 9.0 provides several enhancements. Major new features in this release include:
• The ability to join up to eight Cisco ASA 5585-X or 5580 Series adaptive security appliances in a single cluster, for a linear, predictable increase in performance while providing high availability for always-on data centers
• Integration with Cisco Cloud Web Security (formerly ScanSafe), which allows enterprises to enforce granular web access and web application policy while providing protection from viruses and malware
• Cisco TrustSec Security Group Tags (SGTs), which integrate security into the network fabric to extend the policy construct on the ASA platform
• Next-Generation Encryption, including the Suite B set of cryptographic algorithms, for much better confidentiality
• IPv6, including critical IPv4-to-IPv6 translation features, enabling ASA to be deployed in a mixed v4/v6 environment
• Dynamic routing and site-to-site VPN on a per-context basis, providing much better segmentation between departments or between customers
Q. What Cisco ASA models are supported by ASA 9.0?
Q. Does ASA 9.0 support clustering?
A. Yes. Cisco ASA Release 9.0 enables up to eight Cisco ASA 5585-X or 5580 Adaptive Security Appliance firewall modules to be joined in a single cluster to deliver up to 128 Gbps of multiprotocol throughput (300 Gbps max) and more than 50 million concurrent connections. Alternatively, slot 1 of each ASA 5585-X can be populated with an integrated Intrusion Prevention System (IPS) module, for up to 60 Gbps of IPS throughput.
Q. What are some of the key features of the clustering architecture in Cisco ASA Release 9.0?
A. At the core of the clustering architecture in ASA 9.0 is the patent-pending Cisco Cluster Link Aggregation Control Protocol (cLACP). The protocol enables multiunit ASA clusters to function and be managed as a single entity, identifies the backup unit, and creates the session backup. Policies pushed to the cluster get replicated across all units within the cluster, and the health, performance, and capacity statistics of the entire cluster, as well as individual units within the cluster, can be assessed from the single management console.
Q. What ASA models will support clustering?
A. Initially, Cisco ASA Software Release 9.0 will enable clustering on the ASA 5580 and 5585-X Adaptive Security Appliances.
Q. What ASA modes are supported?
A. Clustered ASA appliances can operate in routed, transparent, or mixed-mode. All members of the cluster must be in the same mode.
Q. Do I have to purchase any license to enable clustering?
A. Yes. A cluster license must be purchased and enabled.
Q. How do feature licenses behave when ASA appliances are clustered?
A. Table 1 provides an explanation of the behavior of key features.
Table 1. Cluster Behavior of Different Cisco ASA Feature License Types
License type: Enable/disable feature license
Behavior in cluster: Only one unit in the cluster is required to have a license.
Example: Security+ on the Cisco ASA 5585-X: the license is only required on one unit.
License type: Capacity license (for example, security contexts, SC)
Behavior in cluster: The cluster capacity equals the sum of all licenses installed (subject to the total capacity of each individual appliance).
Example 1:
• 4-node cluster
• Node 1 = 200 SC
• Nodes 2, 3, and 4 = 0
• Total capacity = 200
Example 2:
• 4-node cluster
• Node 1 = 200 SC
• Node 2 = 100 SC
• Nodes 3 and 4 = 0
• Total capacity = 250 SC
License type: Time-based license (for example, Botnet Traffic Filter)
Behavior in cluster: If the feature is installed on one unit, it is automatically enabled on the entire cluster. The total duration of the license equals the sum of all remaining license durations.
Example: If the Botnet Traffic Filter is installed on one node, it becomes available to the entire cluster. If Node 1 has 9 months remaining and Node 2 has 7 months remaining, the total remaining duration of the Botnet Traffic Filter feature will be 16 months for the entire cluster.
Q. What is meant by "scaling factor"?
A. Scaling factor is a measurement of expected performance and scale in a clustered environment. For example, if a 4-unit cluster is configured using 20-Gbps firewalls with a scaling factor of 0.8, the expected performance of that cluster will be: 0.8 x 4 x 20 Gbps = 64 Gbps.
Q. What is the expected performance and capacity with a 2-, 4-, and 8-unit cluster?
A. Cisco currently offers a scaling factor of between 0.7 and 1.0, depending on the traffic profile. Table 2 shows the expected performance of a 2-unit cluster with a multiprotocol traffic profile (the expected performance of 4- and 8-unit clusters can be calculated by multiplying the 2-unit cluster results by 2 and 4, respectively).
Table 2. Sample Data for a Two-Node Cluster
Q. What is the expected behavior if the cluster uses an integrated IPS module in slot 1 of each unit?
A. All IPS modules in the cluster are configured as independent IPSs, so no configuration sync is required. However, Cisco Security Manager and Cisco IPS Manager Express can be used to simplify configuration management across the IPS modules in the cluster. When the traffic enters the cluster, one specific unit becomes the owner for that specific session. When a policy dictates that traffic be redirected to an IPS for further analysis, the IPS module physically associated with that "owner" unit will be utilized. In other words, traffic from one firewall cannot be redirected to an IPS that is integrated with a different firewall in the cluster.
Q. How is session and configuration information synchronized across the cluster members?
A. Cisco ASA Software Release 9.0 uses Cluster Control Link (CCL) to synchronize all state information across the cluster.
Q. How is the cluster managed?
A. The clustered ASA appliances behave as a single firewall instance, so a single instance of Cisco Adaptive Security Device Manager (ASDM) is capable of managing an 8-unit cluster as a single ASA unit. To simplify the configuration phase, cluster configuration steps have been added to the ASDM High Availability and Scalability wizard (Figure 1).
Figure 1. Cluster Configuration Steps in ASDM High Availability and Scalability Wizard
Once the cluster has been deployed, the ASDM Cluster Dashboard (Figure 2) shows the entire cluster on a single screen. The dashboard displays the following information:
• Devices information (IP addresses, version, role, and so on)
• Health status: CPU and memory utilization
• Average CPU and memory status across the cluster
• Control link usage
• Performance statistics: Connections per second and throughput
• Capacity information (number of connections)
Figure 2. ASDM Cluster Dashboard
Cloud Web Security Integration
Q. What are the advantages of cloud web security being integrated with the firewall?
A. Now that Cisco Cloud Web Security is integrated with Cisco ASA Software Release 9.0, organizations gain a centralized content security solution combined with localized network security. However, in contrast to Unified Threat Management appliances (UTMs), which suffer significant performance degradation when web security services are enabled, there is little to no impact on ASA performance because the content scanning is offloaded to the Cisco web security cloud. Administrators can choose to perform deep content scanning on a subset of traffic, based on network address, Microsoft Active Directory user or group name, or hosts residing inside a specific security context.
Q. How does Cisco ASA redirect traffic to Cisco Cloud Web Security?
A. The Cisco ASA Modular Policy Framework (MPF) allows flexible policies to be created to serve a wide range of needs. The outbound traffic can be classified based on user name, user group, source, or destination. The destination aspect can be further classified into three broad categories:
• Approved traffic: Traffic to known safe websites that is approved by corporate policy
• VPN traffic: Traffic flowing through a site-to-site VPN tunnel
• Traffic redirected to Cisco Cloud Web Security: Traffic is sent to Cisco Cloud Web Security for granular web policy control, including URL filtering, antivirus scanning, web content scanning (ScanSafe scanlets), and web application visibility and control
The traffic classification criteria can also be mixed and matched (for example, a group of users such as guests, vendors, or interns can be selected for Cisco Cloud Web Security inspection).
Q. How does integrated Cisco Cloud Web Security compare with web security functionalities that are offered on-box from other firewall vendors?
A. The key challenge with all-in-one approaches to security is that all security functionalities (firewall, network access control, web, antivirus, VPN, and so on) compete for fixed computing resources (for example, CPU, Regex, and crypto). As a result, performance can drop significantly as more services are enabled. In contrast, with Cisco Cloud Web Security integrated into ASA 9.0, the antivirus and web security component is executed on the scalable Cisco Cloud Web Security cloud, while the network security component is executed on the Cisco ASA. As a result, both services achieve maximum security efficacy, with little or no performance impact.
Q. My deployment is not yet ready for identity enablement. Can I still use the Cisco Cloud Web Security Connector in Cisco ASA Software Release 9.0?
A. Yes. Traffic can be redirected to Cisco Cloud Web Security based on 5-tuples, or by using a cut-through-proxy and local database users on the Cisco ASA. However, either of these methods will disable user-level and group-level reporting, as well as policy control on both the ASA and Cisco Cloud Web Security.
Q. Is Cisco Cloud Web Security available when the Cisco ASA appliance is in multicontext mode?
A. Yes. When the ASA is configured for multicontext mode, managed security providers can enable Cisco Cloud Web Security on a per-context basis. Note, however, that Cisco Cloud Web Security is not supported when Cisco ASA is in transparent mode.
Q. What are some of the configuration steps required to integrate Cisco Cloud Web Security with Cisco ASA?
A. Cisco ASA configuration has two broad components: Cisco Cloud Web Security information and traffic classification. Traffic classifications are performed using the Cisco ASA Modular Policy Framework (MPF), while Cisco Cloud Web Security classifications require the following information:
• IP address of the Cisco Cloud Web Security tower (primary and backup)
• A valid license
• A designated "retry count" before declaring a tower "dead"
Q. Up to 10 percent of the employees in my organization are remote. How can I extend Cisco Cloud Web Security capabilities to those remote users?
A. Cisco Cloud Web Security capabilities are extended to remote users via the Cisco AnyConnect® Secure Mobility Client. The AnyConnect client performs split-tunneling of web and VPN traffic to eliminate the need to backhaul Internet traffic to company headquarters, thereby enabling complex remote access use cases. For example, if a user is traveling from the United States to Japan, AnyConnect will automatically find the closest Cisco Cloud Web Security tower in Japan, even if the VPN tunnel is terminated to the U.S. headquarters location.
Q. How can I enforce Web 2.0 policies on personal handhelds (iPhones and iPads)?
A. The Cisco AnyConnect Secure Mobility Client launches the tunnel to the Cisco ASA headend. The ASA redirects part of tunnel traffic (port 80 and port 443) to the Cisco web security cloud for Web 2.0 application enforcement. This entire process is transparent to the end user.
Q. Is Cisco Cloud Web Security integration available on all Cisco ASA platforms?
A. Yes. Cisco Cloud Web Security integration is available on all currently shipping Cisco ASA appliance platforms, including the Cisco ASA 5500 Series, the Cisco ASA 5500-X Series, and the Cisco Catalyst 6500 Series ASA Services Module. It is not yet available on the Cisco ASA 1000V Cloud Firewall.
Q. How does this integration achieve high availability?
A. There are two pieces to high availability (HA): Cisco Cloud Web Security Tower HA and Cisco ASA HA. When you configure Cisco Cloud Web Security tower information, you can configure a backup Cisco Cloud Web Security tower, which automatically redirects web traffic to the secondary tower if the primary tower goes down. If you are using Cisco ASA HA, the entire system - including the ASA and the Cisco Cloud Web Security tower - can achieve full redundancy in either active/passive or active/active mode. In exceptional circumstances, if both Cisco Cloud Web Security towers are unavailable (e.g., due to the loss of Internet connectivity), the ASA can be configured to either fail-open or fail-close.
Q. Where do I go for more information on the integrated Cisco Cloud Web Security?
A. More information on Cisco Cloud Web Security web AVC (Application Visibility and Control) can be found at "Application Visibility and Control now available in Cisco Cloud Web Security".
Secure Remote Access
Q. Does ASA support IPv6 remote access connections?
A. Yes. IPv4/IPv6 dual stack has been supported inside SSL tunnels since ASA 8.4. ASA 9.0 expands this support to enable IPv4 and IPv6 on the public interface when used in conjunction with Cisco AnyConnect 3.1 or greater. ASA 9.0 also enables IPv6 clientless support.
Q. Does ASA 9.0 support Suite B cryptographic standards?
A. Yes. ASA 9.0 provides comprehensive next-generation encryption capabilities, which include the Suite B cryptographic standards for remote access and site-to-site connections using an IPsec tunnel. For more information, see the "AnyConnect VPN - Next Generation Encryption" section of this document.
Q. Is next generation encryption available on all ASA platforms?
A. No. Next Generation Encryption is fully supported on the ASA 5585-X, 5500-X Series, and 5580, as well as on the Catalyst 6500 Series ASA Services Module. It can only be partially supported on the ASA 5505, 5510, 5520, 5540, and 5550 due to hardware limitations. AnyConnect 3.1 or greater and an AnyConnect Premium License are also required to use next generation encryption for remote access connections.
Q. Can we use the Cisco AnyConnect Secure Mobility Client with ASA 9.0?
A. Yes. The Cisco AnyConnect Secure Mobility Client is fully supported in ASA 9.0. Customers are encouraged to migrate to AnyConnect for VPN remote access as soon as possible.
Q. Does ASA 9.0 support Virtual Desktop Infrastructure (VDI)?
A. Yes. ASA native clientless support for Citrix VDI deployments has been updated in ASA 9.0 to include XenApp 6.5 and the latest versions of XenDesktop (up to 5.5) on laptops, desktops, and mobile devices (Citrix Mobile Receiver). Support for VMware VDI deployments is also offered (via Smart Tunnels). As in past releases, Cisco AnyConnect supports Citrix and VMware VDI deployments.
More Related Cisco ASA Tips
The Cisco Catalyst 2960 Series of intelligent Ethernet switches is popular with larger enterprises and companies, as is the Cisco Catalyst 3750 Series.
Why are the Cisco 2960 and Cisco 3750 so well received by larger companies? The following tips, features, and reviews of the Catalyst 2960 and Cisco 3750 Series show why.
Cisco Catalyst 2960 Series
Cisco Catalyst 2960 Series Intelligent Ethernet switches, a new line of fixed-configuration standalone devices, provide desktop Fast Ethernet and Gigabit Ethernet connectivity for entry-level enterprise, mid-market, and branch office networks, helping enable enhanced LAN services.
The Catalyst 2960 Series offers integrated security, including network admission control (NAC), as well as advanced quality of service (QoS) and resiliency, delivering intelligent services for the network edge.
The series also includes a number of hardware enhancements for network managers, including configurations featuring dual-purpose (alternatively wired) uplinks for Gigabit Ethernet, allowing the network manager to use either a copper or a fiber uplink. Also included is a 24-port Gigabit Ethernet family member, accelerating Gigabit to the Desktop (GTTD) across the network.
Table 1 provides brief descriptions of the switches in the Catalyst 2960 Series.
The Catalyst 2960 Series offers the following benefits:
• Intelligent features at the network edge, such as sophisticated access control lists (ACL) and enhanced security.
• Dual-purpose uplinks for Gigabit Ethernet uplink flexibility, allowing use of either a copper or a fiber uplink. Each dual-purpose uplink port has one 10/100/1000 Ethernet port and one SFP-based Gigabit Ethernet port, with one port active at a time.
• Network control and bandwidth optimization through advanced QoS, granular rate-limiting, ACLs, and multicast services.
• Network security through a wide range of authentication methods, data encryption technologies, and network admission control based on users, ports, and MAC addresses.
• Easy network configuration, upgrades, and troubleshooting as part of the mid-market or branch solution using the embedded Device Manager and Cisco Network Assistant.
• Auto-configuration for specialized applications using Cisco Smartports.
Cisco Catalyst 3750 Switches
The Cisco Catalyst 3750 Series switches are a premier line of enterprise-class, stackable, multilayer switches that provide high availability, security, and quality of service (QoS) to enhance the operation of the network. Its innovative unified stack management raises the bar in stack management, redundancy, and failover.
With a range of Fast Ethernet and Gigabit Ethernet configurations, the Cisco Catalyst 3750 Series can serve as both a powerful access layer switch for medium enterprise wiring closets and as a backbone switch for mid-sized networks. Customers can deploy network-wide intelligent services, such as advanced QoS, rate-limiting, Cisco security access control lists (ACLs), multicast management, and high-performance IP routing—while maintaining the simplicity of traditional LAN switching. Embedded in the Cisco Catalyst 3750 Series is the Cisco Cluster Management Suite (CMS) Software, which allows users to simultaneously configure and troubleshoot multiple Cisco Catalyst desktop switches using a standard Web browser.
Key Features & Benefits of Cisco 3750 Switches
Ease of Use: "Plug-and-Play" Configuration
A working stack is self-managing and self-configuring. When switches are added or removed, the master switch automatically loads the Cisco IOS Software revision running on the stack to the new switch, loads the global configuration parameters, and updates all the routing tables to reflect changes. Upgrades are applied universally and simultaneously to all members of the stack.
The Cisco 3750 Series stacks up to nine switches as a single logical unit for a total of 468 Ethernet or PoE 10/100 ports, or 468 Ethernet 10/100/1000 ports or PoE 10/100/1000 ports, or nine 10 Gigabit Ethernet ports.
Return on Investment through Lower Operations Costs
The automatic Cisco IOS Software version checking and loading of the global configuration parameters provide the first level of operational time saving. The second level is added during the event of an outage. When you remove a troubled switch from an existing stack of switches and replace it with another switch, the master switch will recognize this as a maintenance outage and automatically reload the port-level configuration that was on the previous switch without user intervention. This allows IT managers to have local personnel in remote locations perform maintenance tasks instead of sending costly technicians out for a few minutes of work, thus saving thousands of dollars in operational costs.
Mix-and-Match Switch Types: Pay as You Expand Your Network
Stacks can be created with any combination of Cisco Catalyst 3750 and Cisco Catalyst 3750-E series. Customers who need a mixture of 10/100 and 10/100/1000 ports, PoE, and wiring-closet aggregation capability can incrementally develop the access environment, paying only for what they need. When uplink capacity needs to be increased, you can easily upgrade your bandwidth by adding a 10 Gigabit Ethernet version to the stack and upgrade your Gigabit Ethernet links with 10 Gigabit Ethernet on the existing fiber.
Availability: Uninterrupted Performance at Layer 2 and Layer 3
The Cisco Catalyst 3750 switch increases availability for stackable switches. Each switch can operate as both a master controller and a forwarding processor. Each switch in the stack can serve as a master, creating a 1:N availability scheme for network control. In the unlikely event of a single unit failure, all other units continue to forward traffic and maintain operation.
Smart Multicast: A New Level of Efficiency for Converged Networks
With Cisco StackWise technology, the Cisco Catalyst 3750 Series offers greater efficiency for multicast applications such as video. Each data packet is put onto the backplane only once, which provides more effective support for more data streams.
Superior Quality of Service Across the Stack and at Wire Speed
The Cisco 3750 Series offers Gigabit and 10 Gigabit Ethernet speed with intelligent services that keep everything flowing smoothly, even at 10 times the normal network speed. Mechanisms for marking, classification, and scheduling deliver best-in-class performance for data, voice, and video traffic, all at wire speed.
Network Security: Granular Control for the Access Environment
The Cisco 3750 supports a comprehensive set of security features for connectivity and access control, including ACLs, authentication, port-level security, and identity-based network services with 802.1x and extensions. This set of comprehensive features not only helps prevent external attacks, but also defends the network against "man-in-the-middle" attacks, a primary concern in today's business environment.
Single IP Management: Many Switches, One Address
Each Cisco Catalyst 3750 Series stack is managed as a single object and has a single IP address. Single IP management is supported for activities such as fault detection, VLAN creation and modification, network security, and QoS controls.
Jumbo Frames: Support for High-Demand Applications
The Cisco 3750 Series Switch supports jumbo frames on the 10/100/1000 configurations for advanced data and video applications requiring very large frames.
The Catalyst 3750 Series supports IPv6 routing in hardware for maximum performance. As network devices grow and the need for larger addressing and higher security becomes critical, the Cisco 3750 switch will be ready to meet the requirement.
Standard PoE Support: Graceful Addition of IP Communications
The Cisco Catalyst 3750 and 3750G PoE models support Cisco IP phones and Cisco Aironet wireless LAN (WLAN) access points, as well as any IEEE 802.3af-compliant end device. The Cisco Catalyst 3750 and 3750G 24-port versions can support 24 simultaneous full-powered PoE ports at 15.4W for maximum powered device support. The 48-port versions can deliver the necessary power to support 24 ports at 15.4W, 48 ports at 7.7W, or any combination in between.
10 Gigabit Ethernet Support: Increased Uplink Bandwidth for Gigabit Ethernet Deployments
The Cisco Catalyst 3750 allows network managers to incrementally add IEEE 802.3ae-compliant 10 Gigabit Ethernet connectivity in their wiring closets or grid clusters, further facilitating and enhancing Gigabit Ethernet networks. This provides investment protection to customers who want to use their existing fiber plant, add uplink bandwidth capacity to their switching stacks, and provide higher performance to applications and users.
The Cisco 3750 Series switch offers both a superior command-line interface (CLI) for detailed configuration and Cisco Network Assistant Software, a Web-based tool for quick configuration based on preset templates. In addition, CiscoWorks supports the Cisco Catalyst 3750 Series for network-wide management.
Models Comparison of Cisco 3750 Series Switches
Reports from the Cisco market and from customers tell us that the Cisco Catalyst 3750G and Cisco 3750 V2 Series are more popular than the Cisco 3750-E Series.
As Cisco users know, Cisco 2960s can route now. As of 12.2(55)SE, Cisco 2960s switches are Layer 3 switches (with some limitations mentioned later).
Configuring 2960s to route is pretty simple. The Switch Database Management (SDM) template needs to be changed to "lanbase-routing". A reboot is (always) needed after changing the SDM template. After the reboot, it's just like enabling routing on any other L3 switch, with the command "ip routing" from global config.
First we’ll change the SDM template:
SwitchA(config)#sdm prefer lanbase-routing
Changes to the running SDM preferences have been stored, but cannot take effect until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently active.
System configuration has been modified. Save? [yes/no]: y
Proceed with reload? [confirm]
After changing the SDM template, we are reminded that we’ll need to reboot and also given a command to verify the change after the next boot.
Now we verify:
SwitchA#show sdm prefer
The current template is "lanbase-routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 255 VLANs.
number of unicast mac addresses: 4K
number of IPv4 IGMP groups + multicast routes: 0.25K
number of IPv4 unicast routes: 4.25K
number of directly-connected IPv4 hosts: 4K
number of indirect IPv4 routes: 0.25K
number of IPv4 policy based routing aces: 0
number of IPv4/MAC qos aces: 0.125k
number of IPv4/MAC security aces: 0.375k
The change was successful and we’re given the details about this SDM template.
Now seems like a good time to touch on the limitations of the Layer 3 capabilities of the Cisco 2960s. As we see in the output above, we're limited to 8 routed interfaces, and these must be SVIs: at this point, the Catalyst 2960s don't support routed physical interfaces ("no switchport"). Another important note is that we're only allowed 16 static routes, and there is no dynamic routing capability.
Now we'll enable IP routing and configure a couple of SVIs:
SwitchA(config)#ip routing
SwitchA(config)#int vlan 15
SwitchA(config-if)#ip add 192.168.15.1 255.255.255.0
SwitchA(config-if)#int vlan 25
SwitchA(config-if)#ip add 192.168.25.1 255.255.255.0
SwitchA#sh ip route
C 192.168.15.0/24 is directly connected, Vlan15
C 192.168.25.0/24 is directly connected, Vlan25
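A small audit script for the lanbase-routing limits the procedure above walks through (8 routed SVIs, no "no switchport" ports, 16 static routes, no dynamic routing), added here as an example and not code from the original post. The running-config text it checks is constructed, and the limits are taken from the post's text rather than read from a switch.

```python
from typing import Dict, List

# Limits of the Catalyst 2960 "lanbase-routing" SDM template as stated in the
# post: 8 routed SVIs, no routed physical ports, 16 static routes, no dynamic
# routing. These values are assumptions taken from the text, not from a device.
MAX_SVIS = 8
MAX_STATIC_ROUTES = 16
DYNAMIC_ROUTING_PREFIXES = ("router ospf", "router eigrp", "router rip", "router bgp")

# Constructed sample running-config for the audit (not from a real switch).
SAMPLE_CONFIG = """\
hostname SwitchA
sdm prefer lanbase-routing
ip routing
!
interface GigabitEthernet0/1
 no switchport
 ip address 10.0.0.1 255.255.255.252
!
interface Vlan15
 ip address 192.168.15.1 255.255.255.0
!
interface Vlan25
 ip address 192.168.25.1 255.255.255.0
!
interface Vlan35
 no ip address
 shutdown
!
ip route 0.0.0.0 0.0.0.0 192.168.15.254
ip route 10.20.0.0 255.255.0.0 192.168.25.254
router ospf 1
 network 192.168.0.0 0.0.255.255 area 0
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' block to its indented sub-commands."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return blocks


def routed_svis(config: str) -> List[str]:
    """SVIs carrying an 'ip address' line; these count against the 8-SVI limit."""
    return [name for name, cmds in parse_interfaces(config).items()
            if name.lower().startswith("vlan")
            and any(c.startswith("ip address ") for c in cmds)]


def audit_2960_routing(config: str) -> List[str]:
    """Return one finding per way the config exceeds what lanbase-routing supports."""
    findings: List[str] = []
    lines = [l.strip() for l in config.splitlines()]
    if "sdm prefer lanbase-routing" not in lines:
        findings.append("SDM template is not lanbase-routing: routing needs it plus a reload")
    if "ip routing" not in lines:
        findings.append("'ip routing' is missing: SVIs will not forward between VLANs")
    svis = routed_svis(config)
    if len(svis) > MAX_SVIS:
        findings.append(f"{len(svis)} routed SVIs configured, limit is {MAX_SVIS}")
    for name, cmds in parse_interfaces(config).items():
        if "no switchport" in cmds:
            findings.append(f"{name}: routed physical ports ('no switchport') are not supported")
    statics = [l for l in lines if l.startswith("ip route ")]
    if len(statics) > MAX_STATIC_ROUTES:
        findings.append(f"{len(statics)} static routes configured, limit is {MAX_STATIC_ROUTES}")
    for l in lines:
        if l.startswith(DYNAMIC_ROUTING_PREFIXES):
            findings.append(f"'{l}': dynamic routing is not available on the 2960")
    return findings


if __name__ == "__main__":
    for finding in audit_2960_routing(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Running it against the sample config reports the routed GigabitEthernet port and the OSPF process; the two addressed SVIs and two static routes are within the limits.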
We deployed some new Cisco Catalyst 6513 switches with Sup2T supervisor engines as access switches several days ago. During the initial configuration, we realized that Cisco had introduced some new reserved VLANs in IOS 15 for internal usage:
VLAN id: 3990 is an internal vlan id - cannot use it to create a VTP VLAN.
Reserved VLANs can be checked with the command “sh vlan internal usage”:
switch #sh vlan internal usage
1006 online diag vlan0
1007 online diag vlan1
1008 online diag vlan2
1009 online diag vlan3
1010 online diag vlan4
1011 online diag vlan5
1012 PM vlan process (trunk tagging)
3968 MET reserved VLAN
3969 MET reserved VLAN
3970 MET reserved VLAN
3971 MET reserved VLAN
4030 MET reserved VLAN
4031 MET reserved VLAN
Due to some code being backported from NX-OS to IOS 15, VLANs 3968 to 4031 are now reserved for MET usage. However, if you are deploying these switches in a working environment you may need to use some of these VLANs. If so, you can change the VLAN range with the following command:
switch (config)#vlan internal reserved met vlan 3904
The new MET VLAN will take effect after reload.
Please reload, or no change will be made
Configuration MET VLAN value is 3904
Operation MET VLAN value is 3968
After you reload the switch the new VLAN range will be applied:
switch #sh vlan internal usage
3904 MET reserved VLAN
3905 MET reserved VLAN
3906 MET reserved VLAN
3965 MET reserved VLAN
3966 MET reserved VLAN
3967 MET reserved VLAN
---Original resources from packetpushers.net
Cisco ASA configuration can be a frustrating issue for many Cisco users; in fact, everyone has their own troublesome case. Here Ethan Banks, a network engineer, shares his experience of helping a VPN client access a remote office, along with an example of Cisco ASA 8.3/8.4 hairpinning NAT configuration.
Let’s share the case:
“I ran into an issue over the weekend where a VPN client was unable to access a remote office connected via an L2L tunnel terminated on the same firewall. The symptoms were straightforward enough. The client was unable to either ping or open a URL at a specific server at the remote office, although this connectivity used to work. In this example, VPN client 192.168.100.100 was not able to access server 10.11.12.1, although access to resources in the 10.10.0.0/16 network was fine.
I confirmed the remote office firewall was unlikely to be the issue; the remote firewall had seen no changes. As I knew the headquarters Cisco ASA firewall HAD seen a few changes, that’s where I focused my attention. After reviewing the headquarters firewall rulebase, I knew that the VPN client IP pool had permission to access resources in the remote office.
Monitoring the firewall logs, I spotted several “110003: Routing failed to locate next-hop for protocol from src interface:src IP/src port to dest interface:dest IP/dest port” messages tied directly to the VPN client trying to open a socket to 10.11.12.1. So, I reviewed the firewall routing table with “show route” and “show asp table routing” and found no issues…not that I expected to. If the routing table was having a problem, connectivity issues would have been more widespread.
Of course, NAT sprung to mind as a potential issue, but I couldn’t see an obvious problem. There was a NAT that exempted the entire VPN client pool from being translated to any RFC1918 destinations. As this clearly covered the remote office IP range, I was a little stumped. This confusion was compounded by the fact that the connectivity used to work. A perplexing issue.
Take a read “Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6-Setting General VPN Parameters”. A couple of highlights caught my eye:
- The “same-security-traffic permit intra-interface” is required. Fair enough, easy to implement, makes sense, and I’d already done that. No problem.
- Now the documentation got confusing because of two conflicting statements:
- “When the ASA sends encrypted VPN traffic back out this same interface NAT is optional. The VPN-to-VPN hairpinning works with or without NAT.” Okay – so I don’t need to write a NAT statement for the hairpinned traffic. NAT is optional, right? But then you next read…
- “To exempt the VPN-to-VPN traffic from NAT, add commands that implement NAT exemption for VPN-to-VPN traffic.” Uh, hang on. So I *do* need a NAT statement?
From my experience, I believe that, yes, you need a NAT exemption statement. I think all Cisco is trying to say is that you don’t have to actually translate the source or destination address into something else to be able to get through the hairpin.
Writing a NAT exemption statement is not an unusual thing to have to do in an ASA, but the magic in the context of hairpinning is in defining the ingress and egress interfaces. In a hairpin path, the traffic flows in and out the same interface. While I did have a NAT statement that matched source and destination addresses in question, the interfaces were only suitable for handling source VPN client to destination headquarters network traffic…not traffic headed from VPN client to the remote office network. Therefore, I needed a NAT statement like this: “nat (outside,outside) source static client_vpn_pool client_vpn_pool destination static remote_office_net remote_office_net”.
The order of the NAT statement also mattered, as NAT statements are processed in order. Once I moved my new NAT statement to the top of the list, the issue was resolved.”
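The two points the quoted post ends on, that the hairpin exemption needs its own (outside,outside) interface pair and that its position in the rule list decides whether it is ever hit, can be shown with a small first-match model. This is an added example, not code from the quoted post or from Cisco, and it is a deliberately simplified model of ASA manual (twice) NAT: a rule matches a flow when ingress interface, source and destination all fall inside the rule, and the first match decides the egress interface. All interface names, object names and addresses are constructed.

```python
"""First-match model of Cisco ASA manual (twice) NAT rule ordering.

Added example, not code from the quoted post or from Cisco. Simplified
model: a rule matches a flow when the flow's ingress interface, source
address and destination address all fall inside the rule, and the first
match decides the egress interface. Names and addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class NatRule:
    """One 'nat (ingress,egress) source static A A destination static B B' line."""
    ingress: str
    egress: str
    source: Tuple[IPv4Network, ...]
    destination: Tuple[IPv4Network, ...]
    source_name: str
    destination_name: str

    def matches(self, ingress: str, src: IPv4Address, dst: IPv4Address) -> bool:
        return (self.ingress == ingress
                and any(src in net for net in self.source)
                and any(dst in net for net in self.destination))

    def cli(self) -> str:
        # Identity translation ('static X X'): addresses pass through unchanged,
        # which is what a NAT exemption looks like in the 8.3+ syntax.
        return (f"nat ({self.ingress},{self.egress}) "
                f"source static {self.source_name} {self.source_name} "
                f"destination static {self.destination_name} {self.destination_name}")


def egress_for(rules: Sequence[NatRule], ingress: str, src: str, dst: str) -> Optional[str]:
    """Egress interface chosen by the first matching rule, or None if nothing matches."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(ingress, s, d):
            return rule.egress
    return None


# Constructed addressing for the scenario in the post.
CLIENT_VPN_POOL = (ip_network("10.99.0.0/24"),)
REMOTE_OFFICE_NET = (ip_network("192.168.50.0/24"),)
RFC1918_NETS = tuple(ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

# The exemption that was already there: VPN clients to any RFC1918 destination,
# but only for traffic leaving towards the inside (headquarters) interface.
ORIGINAL_EXEMPTION = NatRule("outside", "inside", CLIENT_VPN_POOL, RFC1918_NETS,
                             "client_vpn_pool", "rfc1918_nets")

# The hairpin exemption from the post: in and out the same interface.
HAIRPIN_EXEMPTION = NatRule("outside", "outside", CLIENT_VPN_POOL, REMOTE_OFFICE_NET,
                            "client_vpn_pool", "remote_office_net")


def compare_orders(src: str = "10.99.0.5", dst: str = "192.168.50.10"):
    """Egress chosen for the same VPN-client-to-remote-office flow under both orders."""
    wrong = egress_for([ORIGINAL_EXEMPTION, HAIRPIN_EXEMPTION], "outside", src, dst)
    right = egress_for([HAIRPIN_EXEMPTION, ORIGINAL_EXEMPTION], "outside", src, dst)
    return wrong, right


if __name__ == "__main__":
    print(HAIRPIN_EXEMPTION.cli())
    wrong, right = compare_orders()
    print(f"hairpin rule after the RFC1918 rule -> egress {wrong}")  # inside
    print(f"hairpin rule first                  -> egress {right}")  # outside
```

With the hairpin rule below the broader RFC1918 exemption, the remote-office flow is claimed by the (outside,inside) rule and steered towards the inside interface; with the hairpin rule first, the same flow is kept on outside, which matches the post's fix of moving the new statement to the top.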
Nexus 3500 will feature ultra-low latency, target Infiniband
Cisco has another Nexus Ethernet data center switch in the works, this one with ultra-low latency and a more formidable rival to Infiniband.
Details on the Nexus 3500 are unavailable. Cisco wouldn't discuss it when asked about an online ad seeking a software engineer for it.
"This is to be announced later," a Cisco spokesperson e-mailed. "No details to share yet."
Sources, however, say the Nexus 3500 will feature 250 nanosecond port-to-port latency and integrated network address translation. They say it will give Infiniband a run for the money, especially when combined with a new NIC from Cisco called usNIC.
"If this product does come out with latency as stated, it will dominate the silicon industry slamming down on Broadcom and more importantly Fulcrum," the source says. "But also compete with Mellanox and close the gap with Infiniband. Cisco will be untouchable in ultra-low latency switching."
Red Hat has apparently run tests of usNIC with its MRG-M high performance computing software. Slides 16-18 of this presentation appear to show performance improvements of MRG-M when running usNIC vs. Infiniband.
Red Hat was not immediately available for comment. But our source said it, along with the Nexus 3500, could be a viable alternative to Infiniband.
"That, combined with this new Nexus 3500 having 250ns latency would be a compelling solution against Infiniband," the source said. "If Cisco launches Nexus 3500 in the next few months and combines usNIC in the launch it will finally be the first Ethernet solution that can compete against (Infiniband)...(and) shows Cisco intent to kill Infiniband with Ethernet."
Mellanox is a leading Infiniband networking vendor. Requests to the company for comment were not answered by posting time.
Cisco currently offers the Nexus 3000 line for low-latency, top-of-rack switching targeted at high-frequency financial trading, as well as the Nexus 7000, 5000 and 2000 lines for data center fabric switching.
---Reading resource from networkworld.com
By default the Cisco Catalyst 2950 is not configured for remote administration. Basic configuration to enable remote administration on the Cisco Catalyst 2950 includes configuring an IP address on the switch and also enabling telnet access. Once these configurations are completed, the Cisco Catalyst 2950 can be managed by IP address.
Things You'll Need
- Cisco serial console cable
- Windows XP computer connected to the local network
- Privileged exec password for the Cisco Catalyst 2950
- IP address, subnet mask and gateway IP address for the switch
Instructions to Manage Cisco Catalyst 2950 by IP Address
1. Connect the Cisco serial console cable into the console port on the Cisco Catalyst 2950 switch and connect the other end of the cable into the 9-pin serial port, which is usually located on the back or side of the Windows XP computer.
2. Click the "Start" button and select the "Run" box and type "hypertrm" and press the "Enter" key and the HyperTerminal program will appear. Type a name for the session, such as "Cisco 2950" in the "Name:" field and click the "OK" button. Click the "Connect using:" drop-down menu, then click the "Com port" used to connect the Windows XP computer to the Cisco 2950 switch. Press the "Enter" key. Then click the "Bits per second:" drop-down menu and select "9600." Click "None" in the "Flow Control" drop-down menu and press the "Enter" key.
3. Press the "Enter" key and the Cisco command prompt will appear. Type "enable" and press "Enter." Then enter the password if requested.
4. Type "config term" and press the "Enter" key to enter "Configuration Mode" on the switch.
5. Type "line vty 0 4" and press the "Enter" key. Type "password abcd," replacing "abcd" with the password you wish to use to secure telnet access. Press the "Enter" key. Then type "login" and then press the "Enter" key.
6. Type "interface Vlan1" and press the "Enter" key. Then type "ip address 10.0.0.1 255.0.0.0," replacing the "10.0.0.1 255.0.0.0" with the IP address and subnet mask assigned to the switch. Press the "Enter" key.
7. Type "exit" and press the "Enter" key. Then type "ip default-gateway x.x.x.x," replacing "x.x.x.x" with the gateway IP address for the switch. Press the "Enter" key. Then type "end" and press the "Enter" key. Type "copy run start" and press the "Enter" key to save the configuration. Type "exit" and press the "Enter" key.
8. Click "Start" on the Windows XP computer. Click "Run" and then type "cmd" and press the "Enter" key. Type "telnet x.x.x.x" on the command line, replacing "x.x.x.x" with the IP address just configured on the Cisco Catalyst 2950. Press the "Enter" key. Type the telnet password just programmed into the Cisco Catalyst 2950 when requested. Press the "Enter" key and the Cisco command prompt should display so you can now manage the switch over the network.
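Steps 4 to 7 above amount to a short block of IOS configuration, and the mistakes that most often leave the switch unreachable afterwards are addressing mistakes: a gateway outside the VLAN1 subnet, the network or broadcast address typed as the switch address, or a mask that is not a valid netmask. The following is an added example, not from the original article, that renders the configuration from those steps and checks the addressing before it is pasted into the console session. Sample values are constructed.

```python
"""Render and sanity-check the Catalyst 2950 remote-management configuration
from steps 4 to 7 (vty password, VLAN1 address, default gateway).

Added example, not from the original article. Sample values are constructed.
"""
from ipaddress import IPv4Interface, NetmaskValueError, ip_address


def management_config(address: str, mask: str, gateway: str, vty_password: str) -> str:
    """Return the IOS commands from steps 4-7 as one block, or raise ValueError."""
    try:
        iface = IPv4Interface(f"{address}/{mask}")
    except NetmaskValueError as exc:
        raise ValueError(f"{mask} is not a valid subnet mask") from exc
    net = iface.network
    # A /31 or /32 has no separate network/broadcast address, so skip that check there.
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{address} is the network or broadcast address of {net}")
    gw = ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gateway} is outside {net}; the switch could never reach it")
    if gw == iface.ip:
        raise ValueError("gateway must not be the switch's own address")
    if not vty_password or any(ch.isspace() for ch in vty_password):
        raise ValueError("vty password must be one non-empty token")
    return "\n".join([
        "configure terminal",
        "line vty 0 4",
        f" password {vty_password}",
        " login",
        "interface Vlan1",
        f" ip address {iface.ip} {iface.netmask}",
        "exit",
        f"ip default-gateway {gw}",
        "end",
        "copy running-config startup-config",
    ])


if __name__ == "__main__":
    # Constructed values in the style of the article's 10.0.0.1 255.0.0.0.
    print(management_config("10.0.0.1", "255.0.0.0", "10.0.0.254", "abcd"))
```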
When Cisco came out with its Unified Compute System (UCS) blades a couple of years back, there was plenty of skepticism about how the company would do by venturing into the pastures new of the server landscape. Last month's announcement that the company passed the 10,000 customer milestone for UCS sales laid many of those doubts to rest.
With IDC rating blades as the fastest growing server segment during the next several years, this bodes well for Cisco's growing presence in the marketplace.
"We're hearing from customers who are reporting all-in savings in the range of 40 percent on the cost of computing," said Todd Brannon, senior manager, Data Center and Virtualization, Cisco. "The savings stem from a variety of sources: lower capex as the platform efficiently scales, reduced administrator time, density/power savings and reduced software licensing costs as more workload lands on fewer servers."
One customer told Brannon he could let his CTO take a Cisco blade straight out of the box, insert it into a chassis slot, and as the system identified and integrated the new resource into the available pool, they congratulated him on his first server deployment.
New Cisco UCS Blades
Since our last snapshot around two years ago, Cisco server blade releases have been largely in lock step with the roll-out of Intel Xeon processor roadmap. Two years ago, the company released the Cisco UCS B200 M1 and B250 M1 blades, which are based on the Intel Xeon processor 5500 series. In the past year, it introduced the Cisco UCS B200 M2 and B250 M2, both based on the Intel Xeon Processor 5600 series.
The UCS B200 blade server is a half-width, 2-socket blade server with up to 192 GB of memory. It can deliver substantial throughput and scalability.
The Cisco UCS B250 M2 Extended Memory Blade Server is aimed at maximizing performance and capacity for demanding virtualization and large dataset applications. It is a full-width, 2-socket blade server that supports up to 384 GB of memory.
In addition, the Cisco UCS B230 M2 and B440 M2 blade servers are based on the Intel Xeon processor E7 family. These two servers are follow-on models to earlier-released M1 versions that were based on the Intel Xeon Processor 7500 series.
The Cisco UCS B230 M2 Blade Server is a two-socket server supporting up to 20 cores and 512 GB of memory. The B230 M2 extends the capabilities of the Cisco Unified Computing System by delivering higher levels of performance, efficiency and reliability in a more compact, half-width form factor.
The UCS B440 M2 is a 4-socket blade that can support up to 40 cores and 512GB of memory. It is best for enterprise-class applications.
"We will continue to roll out blades targeted at both infrastructure and enterprise-class applications," said Brannon. "Last year, we delivered nine benchmarking world records at the launch of the Intel Xeon processor E7 family."
Cisco UCS Racks
Cisco offers more than just blades. It also provides a range of UCS rack servers. Much like it has done with blades, Cisco has transitioned the rackmount servers from M1 to M2 models to support the newest Intel Xeon Processor 5600 or E7 family.
The Cisco UCS C200 M2 and UCS B210 M2 servers are high-density, 2-socket rackmount servers built for production-level network infrastructure, web services, and mainstream data center, branch and remote-office applications. The Cisco UCS C250 M2 server is a high-performance, memory-intensive, 2-socket, 2-rack unit (RU) rackmount server designed for virtualization and large dataset workloads.
Two rackmount servers use the Intel Xeon processor E7 family. The Cisco UCS C260 M2 Rack-Mount Server is a high-density, 2-socket platform that offers compact performance for enterprise-critical applications. The C260 M2 server's maximum 1TB of memory and 16 drives make it good for memory-bound or disk-intensive applications.
The Cisco UCS C460 M2 Rack-Mount Server has enough processing power, memory and local storage to house mission-critical applications, as well as server consolidation of resource-intense workloads.
"Cisco UCS is a next-generation data center server platform that unites compute, network, storage access and virtualization into a cohesive system designed to outperform previous server architectures, increase operational agility and flexibility while potentially dramatically reducing overall data center costs," said Brannon. "The system is programmable using single point, model-based management to simplify and speed deployment of applications and services running in bare-metal, virtualized, and cloud-computing environments."
---Reading from serverwatch.com
It is important to understand how to access switch ports. The 3550 switch uses the type slot/port form of the interface command, just like a 2621 router. For example, FastEthernet 0/3 is 10/100BaseT port 3.
The 3550 switch type slot/port command can be used with either the interface command or the show command. The interface command allows you to set interface specific configurations. The 3550 switch has only one slot: zero (0), just like the 1900.
Network Layout: Work with the saved network that you used to configure devices in lab 8.27.
1. To configure an interface on a 3550 switch, go to global configuration mode and use the interface command as shown.
Enter configuration commands, one per line. End with CTRL/Z
Async Async interface
BVI Bridge-Group Virtual Interface
Dialer Dialer interface
FastEthernet FastEthernet IEEE 802.3
Group-Async Async Group interface
Lex Lex interface
Loopback Loopback interface
Multilink Multilink-group interface
Null Null interface
Port-channel Ethernet Channel of interfaces
Transparent Transparent interface
Tunnel Tunnel interface
Virtual-Template Virtual Template interface
Virtual-TokenRing Virtual TokenRing
Vlan Catalyst Vlans
fcpa Fiber Channel
range interface range command
2. The next output asks for the slot. Since the 3550 switch is not modular, there is only one slot, which is 0, although it lists 0-2 for some odd reason. However, you can only type in 0 as the slot in this program. Any other slot number will give you an error. The next output gives us a slash (/) to separate the slot/port configuration.
3550A(config)#interface fastethernet ?
<0-2> FastEthernet interface number
3550A(config)#interface fastethernet 0?
3550A(config)#interface fastethernet 0/?
<0-12> FastEthernet interface number
3. After you type the slot and the slash (0/), the above output shows how many ports you can configure. The output below shows the completed command.
3550A(config)#interface fastethernet 0/4
4. Once you are in interface configuration mode, the prompt changes to (config-if). After you are at the interface prompt, you can use the help commands to see the available commands.
Interface configuration commands:
arp Set arp type (arpa, probe, snap) or timeout
bandwidth Set bandwidth informational parameter
carrier-delay Specify delay for interface transitions
cdp CDP interface subcommands
channel-group Etherchannel/port bundling configuration
default Set a command to its defaults
delay Specify interface throughput delay
description Interface specific description
dot1x IEEE 802.1X subsystem
duplex Configure duplex operation.
exit Exit from interface configuration mode
help Description of the interactive help system
hold-queue Set hold queue depth
ip Interface Internet Protocol config commands
keepalive Enable keepalive
load-interval Specify interval for load calculation for an interface
logging Configure logging for interface
mac-address Manually set interface MAC address
mls mls interface commands
mvr MVR per port configuration
no Negate a command or set its defaults
ntp Configure NTP
You can switch between interface configurations by using the int fa 0/# command at any time from global configuration mode.
5. Let’s look at the duplex and speed configurations for a switch port.
auto Enable AUTO duplex configuration
full Force full duplex operation
half Force half-duplex operation
10 Force 10 Mbps operation
100 Force 100 Mbps operation
auto Enable AUTO speed configuration
6. Since the switch port’s duplex and speed settings are already set to auto by default, you do not need to change the switch port settings. It is recommended that you allow the switch port to auto negotiate speed and duplex settings in most situations. In a rare situation, when it is required to manually set the speed and duplex of a switch port, you can use the following configuration.
Duplex will not be set until speed is set to non-auto value
- Full duplex: transmission of data in two directions simultaneously. It has a higher throughput than half duplex.
- There are no collision domains with this setting.
- Both sides must have the capability of being set to full duplex.
- Both sides of the connection must be configured with full duplex.
- Each side transmits and receives at full bandwidth in both directions.
7. Notice in the above command that to run full duplex, you must set the speed to non-auto value.
8. In addition to the duplex and speed commands that can be configured on the switch port, you can also turn on what is called portfast. The portfast command allows a switch port to come up quickly. Typically a switch port waits 50 seconds for spanning-tree to go through its "gotta make sure there are no loops!" cycle. However, if you turn portfast on, you had better be sure you do not create a physical loop in the switched network. A spanning-tree loop can severely degrade or bring down your network. Here is how you would enable portfast on a switch port.
bpdufilter Don't send or receive BPDUs on this interface
bpduguard Don't accept BPDUs on this interface
cost Change an interface's spanning tree port path cost
guard Change an interface's spanning tree guard mode
link-type Specify a link type for spanning tree protocol use
port-priority Change an interface's spanning tree port priority
portfast Enable an interface to move directly to forwarding on link up
stack-port Enable stack port
vlan VLAN Switch Spanning Tree
9. The command above shows the available options for the spanning-tree command. We want to use the portfast command.
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on FastEthernet0/4 but will only
have effect when the interface is in a non-trunking mode.
10. Notice the message the switch provides when enabling portfast. Although it seems like the command did not take effect, as long as the port is in access mode (discussed in a minute), the port will now be in portfast mode.
11. After you make any changes you want to the interfaces, you can view the different interfaces with the show interface command. The switch output below shows the command used to view a 10/100BaseT interface on the 3550 switch.
3550A#sh int f0/4
FastEthernet0/4 is up, line protocol is up
Hardware is Fast Ethernet, address is 00b0.c5e4.e2cf (bia 00b0.c5e4.e2cf)
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full duplex, 100Mb/s
input flow-control is off, output flow-control is off
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 1w6d, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue :0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1 packets input, 64 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
1 packets output, 64 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
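The show interface output above carries the counters an administrator reads first when a port misbehaves: link state, duplex and speed, and the error counters that point at a duplex mismatch (step 6 above) or a cabling fault. The following parser is an added example, not from the original tutorial; SAMPLE_HEALTHY is the FastEthernet0/4 output shown above, trimmed to the lines the parser reads, and SAMPLE_MISMATCH is constructed to show what a half-duplex port facing a full-duplex peer looks like.

```python
"""Parse Cisco IOS 'show interface' output and flag the counters a switch
administrator checks first: link state, duplex/speed, and the error
counters that point at a duplex mismatch or a cabling fault.

Added example, not from the original tutorial. SAMPLE_HEALTHY is the
page's FastEthernet0/4 output trimmed to the lines read here;
SAMPLE_MISMATCH is constructed.
"""
import re
from typing import Dict, List, Union

SAMPLE_HEALTHY = """\
FastEthernet0/4 is up, line protocol is up
  Hardware is Fast Ethernet, address is 00b0.c5e4.e2cf (bia 00b0.c5e4.e2cf)
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
  Full duplex, 100Mb/s
  1 packets input, 64 bytes, 0 no buffer
  Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
  1 packets output, 64 bytes, 0 underruns
  0 output errors, 0 collisions, 3 interface resets
  0 babbles, 0 late collision, 0 deferred
"""

# Constructed: a half-duplex port whose peer is hard-set to full duplex.
SAMPLE_MISMATCH = """\
FastEthernet0/7 is up, line protocol is up
  Hardware is Fast Ethernet, address is 00b0.c5e4.e2d2 (bia 00b0.c5e4.e2d2)
  Half-duplex, 100Mb/s
  4812 packets input, 402133 bytes, 0 no buffer
  Received 9 broadcasts, 0 runts, 0 giants, 0 throttles
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
  5230 packets output, 611002 bytes, 0 underruns
  318 output errors, 145 collisions, 1 interface resets
  0 babbles, 318 late collision, 77 deferred
"""

COUNTERS = ("runts", "giants", "input errors", "CRC", "output errors",
            "collisions", "late collision", "interface resets")


def parse_show_interface(text: str) -> Dict[str, Union[str, int]]:
    """Extract state, MAC, duplex/speed and error counters from one interface's output."""
    info: Dict[str, Union[str, int]] = {}
    m = re.search(r"^(\S+) is (up|down|administratively down), line protocol is (up|down)",
                  text, re.M)
    if not m:
        raise ValueError("not 'show interface' output: no status line found")
    info["interface"], info["status"], info["protocol"] = m.group(1), m.group(2), m.group(3)
    m = re.search(r"address is ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", text)
    info["mac"] = m.group(1) if m else ""
    # IOS prints either 'Full duplex, 100Mb/s' or 'Full-duplex, 100Mb/s'.
    m = re.search(r"^\s*(Full|Half|Auto)[- ]?[Dd]uplex, ([^,\n]+)", text, re.M)
    info["duplex"] = m.group(1).lower() if m else "unknown"
    info["speed"] = m.group(2).strip() if m else "unknown"
    for name in COUNTERS:
        # Counters are printed as '<number> <name>'; the word boundary keeps
        # 'collisions' from also matching 'late collision'.
        m = re.search(r"(\d+) " + re.escape(name) + r"\b", text)
        info[name] = int(m.group(1)) if m else 0
    return info


def assess(info: Dict[str, Union[str, int]]) -> List[str]:
    """Turn the parsed counters into the findings an administrator would act on."""
    findings: List[str] = []
    if info["status"] != "up" or info["protocol"] != "up":
        findings.append(f"{info['interface']} is {info['status']}/{info['protocol']}")
    if info["duplex"] == "half" and info["late collision"]:
        findings.append(f"{info['late collision']} late collisions on a half-duplex port: "
                        "duplex mismatch, the peer is probably hard-set to full")
    if info["duplex"] == "full" and (info["CRC"] or info["runts"]):
        findings.append("CRC errors or runts on a full-duplex port: "
                        "duplex mismatch with a half-duplex peer, or a cabling fault")
    if info["interface resets"]:
        findings.append(f"{info['interface resets']} interface resets: the link has flapped")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_HEALTHY, SAMPLE_MISMATCH):
        parsed = parse_show_interface(sample)
        print(parsed["interface"], parsed["duplex"], parsed["speed"])
        for finding in assess(parsed):
            print("  -", finding)
```

The mismatch rule follows how the two sides of a mismatched link fail: the half-duplex side counts late collisions because the peer transmits whenever it likes, while the full-duplex side sees the peer's aborted frames as CRC errors and runts. The page's own FastEthernet0/4 output produces a single finding, its 3 interface resets.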
12. In addition to the show interface command, you can use the show running-config command to see the interface configuration as well.
switchport mode dynamic desirable
switchport mode dynamic desirable
13. You can administratively set a name for each interface on the 3550 switch. Like the hostname, the descriptions are only locally significant. On the 3550 series switch, use the description command. Spaces are allowed in a description, and you can use underscores instead if you prefer.
To set the descriptions, you need to be in interface configuration mode. From interface configuration mode, use the description command to describe each interface.
Enter configuration commands, one per line. End with CTRL/Z
3550A(config)#int fa 0/4
3550A(config-if)#description Marketing VLAN
3550A(config-if)#int fa 0/10
3550A(config-if)#description trunk to Building 3
In the configuration example above, we set the description on both port 4 and port 10.
14. Once you have configured the descriptions you want on each interface, you can view them with either the show interface command or the show running-config command. View the configuration of FastEthernet interface 0/4 by using the show interface fastethernet 0/4 command.
3550A#sh int fa 0/4
FastEthernet0/4 is up, line protocol is up
Hardware is Fast Ethernet, address is 00b0.1a09.2097 (bia 00b0.1a09.2097)
Description: Marketing VLAN
15. Use the show running-config command to view the interface configurations as well.
description "Marketing VLAN"
Notice in the above switch output that the sh int fa0/4 command and the show run command both show the description command set on an interface.
---Original reading at content.digiex.net
When an enterprise needs more network ports in a conference room or an extra jack for a printer in an office, a network administrator has traditionally had very few good choices. There was the expensive option of pulling more cables from the wiring closet, or the option of plugging in an unmanaged 8-port switch from a low-cost vendor into an existing port, complicating campus network design.
Now that port shortage problem has reached beyond the conference room as enterprises of all kinds are adding a multitude of IP devices and stretching the edge of the LAN beyond the wiring closet. Companies now deploy large numbers of IP phones and video surveillance cameras, schools have more computers and IP-based instructional technology and retail shops have deployed more IP-connected kiosks and point-of-sales stations. While 802.11n wireless LAN technology and cheap unmanaged switches have mitigated the port shortage to some extent, a better answer may lie in enterprise-class compact switches.
Cisco Systems unveiled a new family of compact switches targeting this problem. The switches are part of the Catalyst C-Series and consist of the Catalyst 2960-C and the 3560-C. There are five models and 8 to 12 Fast Ethernet or Gigabit Ethernet (GbE) ports with dual GbE uplinks. These switches do not require their own power source since each device has a new Power-over-Ethernet (PoE+) "pass-through" feature, which allows them to be powered by an upstream closet switch. They are then in turn able to pass the PoE power downstream to IP-connected devices like phones and cameras.
The Catalyst C switches also have many enterprise-class features that low-cost switches lack, such as auto-configuration, IPv6 acceleration and access control lists (ACL). They also have several features central to Cisco's broader Borderless Networks architecture, including Cisco security functions, TrustSec and the IEEE standard MACSec, and Cisco's EnergyWise energy management. The product compares somewhat to a port extender released by Extreme Networks in 2009, the ReachNXT 100-8t port extender, an 8-port device.
For Jordan Martin, technical services manager at a Pennsylvania-based healthcare enterprise, an enterprise-class 8-port switch would simplify his campus network design.
"We have all kinds of little, unmanaged switches lying around places where there just aren't enough jacks to facilitate what we need. Unfortunately a lot of our wiring in our building was done without a ton of forethought," Martin said.
"We have a campus here with a guard shack and we need to be able to process fiber in and Ethernet out, so we need a decent capability switch out there. But I don't want to spend $3,000 for one guy with a computer and a phone."
Using unmanaged switches from a low-cost vendor has been adequate at times within his network, but such devices don’t scale well, Martin said. Replacing them with enterprise-class 8-port switches could improve operations, management and visibility into the edge of his network.
"In a non-managed switch, if you're having trouble with a device, it could be the switch; it could be the cabling. Being able to take a look at the interface and see if it's a duplex mismatch or whatever the issue may be without having to go out to the location and put some tap on the line… That remote diagnostic capability of an enterprise switch is big for us."
Campus network design: Even with good forethought you'll need the occasional 8-port switch
Eric Steel, network engineer with Georgia-based law firm Constangy, Brooks & Smith, said he usually avoids the need for switches beyond the wiring closet by planning ahead and making sure he has plenty of ports across the network.
"But in those cases where we can't, we end up putting in a cheap mini-switch -- Linksys or Netgear," he said.
Those switches bring various operational challenges. Steel has to properly configure them for spanning tree protocol so that they don't loop into the LAN, and getting power to the device is also a frequent challenge. "Security is, of course, another headache, because you now have some open ports for people to plug into accidentally or maliciously," Steel said.
Replacing an unmanaged 8-port switch with compact enterprise-class switches allows users to have a network management and security feature set from the core to the edge, said Mike Spanbauer, principal analyst with Current Analysis.
"It offers the ability for the end user to basically standardize on a specific security configuration or software image," he said. "And if they have Catalyst 3560s in the closet and these 3560-Cs remotely deployed in a conference room, which offers the ability to simplify management."
These compact switches also give new campus network design options to enterprises with large numbers of small branches or locations with a light network footprint.
The Catalyst C switches replace a collection of older 8-port Fast Ethernet Catalyst 2960 switches which lacked the Borderless Networks capabilities, memory, PoE pass-through and dual uplinks of these new models.
---Original news from searchnetworking.techtarget.com