Showing posts with label Cisco.

Saturday, November 10, 2018

Configure Cisco Enterprise Access Point 1142N As Home AP

Early in 2018, I got a chance to buy a Cisco wireless access point for only $30, which is a great deal for an AIR-LAP1142N-x-K9 (dual-band, controller-based 802.11a/g/n). It is not an 802.11ac AP, but as a replacement for my home wireless router it is more than enough.

Since this device is an enterprise product, the configuration is not straightforward; even after reading some Cisco documents, it is still cumbersome to understand.

After a couple of hours working on it, I managed to bring both the 2.4 GHz and 5 GHz radios up and set up two SSIDs across both radios. Here are my steps (the simplest ones to follow) with screenshots and video:

Thursday, September 27, 2018

Cisco Web Security Appliance (WSA) S190 - Web GUI

Cisco® IronPort Web Security Appliance (WSA) offers malware protection, application visibility and control, acceptable-use policy controls, insightful reporting and secure mobility to the enterprise network.

The Cisco IronPort WSA is a forward proxy that can be deployed in either Explicit mode (proxy auto-configuration [PAC] files, Web Proxy Auto-Discovery [WPAD], browser settings) or Transparent mode (Web Cache Communication Protocol [WCCP], Policy-Based Routing [PBR], load balancers). WCCP-compatible devices, such as Cisco Catalyst® 6000 Series Switches, Cisco ASR 1000 Series Aggregation Services Routers, Cisco Integrated Services Routers, and Cisco ASA 5500-X Series Next-Generation Firewalls, redirect web traffic to the Cisco WSA. The Cisco WSA can proxy HTTP, HTTPS, SOCKS, native FTP, and FTP over HTTP traffic to deliver additional capabilities such as data-loss prevention, mobile user security, and advanced visibility and control. Cisco provides hardware appliances (S690, S690X, S680, S390, S380, S190, S170) and virtual appliances (WSAV: S000v, S100v, S300v) for different requirements. In this post, an S190 is used to show what the web GUI looks like.
The Cisco S190 appliance is typically installed as an additional layer in the network between clients and the Internet.

Cisco S190 specifications:

  • Target segment: SMB and branch
  • Disk space: 2 x 600 GB SAS
  • RAID mirroring: Yes (RAID 1)
  • Memory: 8 GB DDR4
  • CPU: 1 x 1.9 GHz, 6 cores

Depending on how you deploy the appliance, you may or may not need a Layer 4 (L4) switch or a WCCP router to direct client traffic to the appliance.
Deployment options include:

  • Transparent Proxy—Web proxy with an L4 switch 
  • Transparent Proxy—Web proxy with a WCCP router 
  • Explicit Forward Proxy—Connection to a network switch 
  • L4 Traffic Monitor—Ethernet tap (simplex or duplex)

Thursday, August 23, 2018

Cisco IOS Command Tips and Tricks - Part 2

The Cisco IOS command list is getting longer, so it has been split into two posts:

    1. Auto secure

    Cisco also provides a one-step-lockdown-like feature at the command line. This feature is called AutoSecure. In no-interact mode it applies Cisco's default hardening choices without prompting, so review the resulting running-config before saving it. It uses the command shown below:

    auto secure [management | forwarding] [no-interact | full] [ntp | login | ssh | firewall | tcp-intercept]

    Monday, February 5, 2018

    Xen Server Switch Port is on Error Disable Mode

    Our network environment is built entirely on Cisco switches (2960, 4500, 3850, etc.). The virtual environment uses Citrix XenServer and VMware products.

    Starting a couple of months ago, after the Xen environment was upgraded to 7.2, we have been facing a switch port err-disable issue.

    Thursday, January 25, 2018

    Cisco ACI (Application Centric Infrastructure) Lab Test Drive

    • ACI is an open, centralized policy model that connects to all components of the data center and controls the network and information flow.
    • A policy is a principle of action defined by the business, expressed in code and enforced by the system.
    • A policy is a state of intent that is applied to the network, with the network being responsible for carrying out that intent.
    • Application logic through policy makes changes at any layer of the stack independent from each other.
    • Advantages of policy in the data center are abstraction, extensibility, and reusability.

    Unicast forwarding through the fabric occurs as follows:

    1. The packet is sourced from the VM attached to the ingress port group or directly from the physical server.
    2. The virtual switch (vSwitch) encapsulates the frame and forwards it to the leaf.
    3. The leaf swaps the ingress encapsulation for VXLAN and performs any required policy functions.
    4a. If the leaf has learned the inner IP to egress VTEP binding, the leaf sets the required VTEP address and forwards directly to the egress leaf.
    4b. If the ingress leaf does not have a cached entry for the IP to egress VTEP binding, the leaf sets the VTEP address to the anycast VTEP, which lives in the spine. The spine performs an inline hardware lookup and rewrites the egress VTEP. No additional latency or decrease in throughput results from the lookup, assuming the packet was going through the spine anyway.
    5. The egress leaf swaps the outer VXLAN for the correct encapsulation and performs any required policy functions.
    6. The leaf then forwards the frame to the vSwitch.
    7. From there, the vSwitch forwards the frame to the VM or sends it directly to the physical server.

    1. Accessing the Remote Lab Environment

    Monday, November 20, 2017

    Cisco 3850 Mgmt VRF Configuration

    Ethernet Management Interface VRF

    New Cisco routers and switches come with a dedicated Ethernet port whose sole purpose is to provide management access to the device via SSH or Telnet. This interface is isolated in its own VRF called "Mgmt-vrf". Placing the management Ethernet interface in its own VRF has the following effects:
    1. Many features must be configured or used inside the VRF, so the CLI may differ from other routers for certain Management Ethernet functions.
    2. It prevents transit traffic from traversing the device. Because all of the SPA interfaces and the Management Ethernet interface are automatically in different VRFs, no transit traffic can enter the Management Ethernet interface and leave a SPA interface, or vice versa.
    3. It improves the security of the interface. Because the Mgmt-intf VRF has its own routing table, routes are only added to the Management Ethernet interface's routing table if a user explicitly enters them.
    4. The Management Ethernet interface VRF supports both IPv4 and IPv6 address families.
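The following is an added example of what the points above mean in practice on a 3850; it is not configuration from the original post. The addresses, the community string and the access-list name are assumptions chosen for illustration.

```cisco
! Added example (not from the original post). Addresses, the SNMP community
! and the access-list name are assumptions.
!
! On the 3850 the Ethernet management port is GigabitEthernet0/0 and is
! already placed in Mgmt-vrf; addressing it does not touch the global table.
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 10.255.0.11 255.255.255.0
 no shutdown
!
! The VRF starts with an empty routing table, so it needs its own default route.
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 10.255.0.1
!
! Management-plane services must be told to use the VRF; otherwise they
! source from the global table and never reach the management LAN.
logging host 10.255.0.50 vrf Mgmt-vrf
ntp server vrf Mgmt-vrf 10.255.0.60
snmp-server host 10.255.0.50 vrf Mgmt-vrf version 2c MGMT-RO
ip tftp source-interface GigabitEthernet0/0
ip ssh source-interface GigabitEthernet0/0
!
! Restrict inbound SSH to the management subnet. "vrf-also" matters: an
! access-class without it rejects connections that arrive on any VRF
! interface, which includes the Mgmt-vrf port itself.
ip access-list standard MGMT-HOSTS
 permit 10.255.0.0 0.0.0.255
 deny   any log
line vty 0 15
 access-class MGMT-HOSTS in vrf-also
 transport input ssh
!
! Verification is VRF-aware too:
!   ping vrf Mgmt-vrf 10.255.0.50
!   show ip route vrf Mgmt-vrf
!   show ip interface brief | include GigabitEthernet0/0
```

The practical consequence of point 2 is that even if an attacker reaches the management port, the device cannot be used as a hop into the data plane; the access-class with `vrf-also` adds the complementary control of deciding who may reach the management port at all.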

    Sunday, November 5, 2017

    Upgrade Cisco 4500 Switches IOS and ROMMON and Failed to Enable VSS (Virtual Switching System)

    In one of my clients' environments there are two Cisco 4510 switches running with HSRP configured. Upgrading them to VSS (Virtual Switching System) has been discussed over the last couple of months. The main driver for VSS is to have dual-homed hosts run EtherChannel to both 4510R+E switches. Converting the core switches to VSS (and configuring MEC, Multichassis EtherChannel, on the distribution/access switches) improves overall performance, since both chassis are active in VSS and traffic is load-balanced. There are no more STP blocking ports in the distribution/access switches, while chassis-level redundancy is retained.

    There was an attempt to implement VSS, but it failed. All steps are recorded here for future reference since it is still being worked on. The error message reports an IOS version mismatch although both 4510R+E switches are running the same IOS version:

    *Oct 22 13:49:30.890: %C4K_REDUNDANCY-2-IOS_VERSION_CHECK_FAIL: STANDBY:IOS version mismatch. Active supervisor version is 15.2(2)E6 (cat4500es8-UNIVERSALK9-M). Standby supervisor version is 15.2(2)E6 (cat4500es8-UNIVERSALK9-M). Redundancy feature may not work as expected.

    [Figure: Virtual Switching System 1440 compared to traditional network design]

    [Figure: High-availability network design simplified using Virtual Switching System]

    Monday, October 23, 2017

    Cisco Catalyst 3850 Data Stack and Power Stack

    Received a bunch of boxes of Cisco 3850s, which will be used to build a switch stack for a high-availability switching environment.

    For the 2960 series, there is a previous post about it:

    Cisco Catalyst WS-C3850-48T-S and Components (Unboxed)

    Cisco Catalyst WS-C3850-48T-S and Components in the Boxes
    YouTube Video:

    Sunday, October 22, 2017

    Stacking Cisco Catalyst 2960X with 2960S

    I have been working on stacking two Cisco 2960X switches recently, and two 2960X stack modules and 0.5 m stacking cables arrived today. The product name is C2960X-STACK= and the description is "Catalyst 2960-X FlexStack Plus Stacking Module optional". The part number is CMUCAEGBAA.

    For the 3850 switches, see this post:

    Monday, March 27, 2017

    Cisco Switch 2960x Memory Increasing Issue Troubleshooting - Memory Leak


    Our network monitoring software found that memory usage on some new production switches keeps increasing. Those switches are Cisco 2960X units running IOS 15.0(2)EX3.

    As we know, there are two types of memory in Cisco IOS: process memory and I/O memory.
    • When a feature is enabled on an IOS device (e.g. PIM, HSRP, etc.), IOS allocates process memory for the process.
    • I/O memory is used when software-switched traffic hits the CPU. The CPU allocates I/O memory to store the frame temporarily.
    In our case process memory is increasing. What we need to do is find out which process is holding it.

    Wednesday, October 26, 2016

    Cisco Free Lab Website - dCloud

    Cisco dCloud had moved to version 1.5; now it is at version 2.

    The Cisco dCloud lab-as-a-service platform provides self-service training, demonstration and lab capabilities for Cisco partners. It is a free 24/7/365 resource which provides multiple labs across all Cisco architectures, plus documentation and instructions for conducting on-site demonstrations. For anybody who sells, buys or uses Cisco products, Cisco dCloud is a great place to practice configuring.
    dCloud gives you the ability to test, demonstrate and run 131 different labs, demos and sandboxes.

    Experience a Cisco solution in dCloud:
    • Browse to Cisco dCloud. Select the location closest to you and then log in using your credentials.

    Wednesday, October 19, 2016

    Cisco Active Advisor - CAA

    Cisco Active Advisor is a free online cloud service that automates network discovery and analysis of your network inventory. Cisco Active Advisor reduces the overall risk of your network administration by keeping you up-to-date on:

    • Warranty and service contract status
    • Product advisories, including Product Security Incident Response Teams (PSIRTs) and field notices
    • End-of-life milestones for hardware and software
    Log in to Cisco Active Advisor with your Cisco CCO account:

    Friday, August 5, 2016

    Native VLAN mismatch Error on Access Port

    Cisco switches always have VLAN 1 as the default VLAN, which is needed for much of the protocol communication between switches, spanning-tree protocol for instance. You cannot change or delete the default VLAN; it is mandatory.
    The native VLAN is the only VLAN that is not tagged on a trunk; in other words, native VLAN frames are transmitted unchanged.
    By default the native VLAN is VLAN 1, but you can change that.

    Monday, August 1, 2016

    Cisco CCP Installation and Basic Configuration

    Cisco Configuration Professional (Cisco CP) is a GUI-based device management tool for Cisco access routers. This tool simplifies routing, firewall, IPS, VPN, unified communications, WAN and LAN configuration through easy-to-use GUI wizards. It replaces the obsolete SDM (Security Device Manager).

    Cisco Configuration Professional offers smart wizards and advanced configuration support for LAN and WAN interfaces, Network Address Translation (NAT), stateful and application firewall policy, IPS, IPSec and SSL VPN, QoS, and Cisco Network Admission Control policy features. The firewall wizard allows a single-step deployment of high, medium, or low firewall policy settings. IT managers can easily organize and manage multiple routers at a single site.

    Wednesday, July 20, 2016

    Recover Cisco Device using TFTP Server or External Card from a Corrupt or Missing Image or in Rommon Mode

    Cisco switches are usually quite robust and do not give me a hard time. But when it happens, it happens. What I ran into was a Cisco 4500 switch that dropped into ROMMON mode, and I had to find the quickest way to get it back into production before the maintenance window ended.

    The related posts in this blog:

    Tuesday, June 14, 2016

    Windows Network Policy Server Basic Radius Configuration for Cisco devices

    RADIUS Traffic 

    RADIUS server configuration on Cisco IOS is performed in two steps: one set of commands is defined within the AAA paradigm and the other set is run with the "radius" commands. The AAA configuration on Cisco IOS needs to be done with named method lists, or the default list can be used. The simplest way to start is to use the built-in default method lists.

    1. Configuration on Cisco Switches and Routers
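As an added example (not configuration from the original post), here is the two-step IOS side described above, wired to a Windows NPS server using the default method lists. The NPS address, shared key, source interface and usernames are assumptions.

```cisco
! Added example, not from the original post. The NPS address, shared key,
! source interface and usernames are assumptions. Requires IOS 15.2 or
! later for the "radius server" syntax (older images use "radius-server host").
!
! Create a local privilege-15 user BEFORE "aaa new-model": once AAA is on,
! the console is authenticated against the default list as well.
username admin privilege 15 secret ExampleLocalPassword
aaa new-model
!
! Step 1: the RADIUS server and a server group. NPS listens on 1812/1813.
radius server NPS-01
 address ipv4 10.255.0.20 auth-port 1812 acct-port 1813
 key ExampleSharedSecret
!
aaa group server radius NPS
 server name NPS-01
!
! Source requests from one fixed interface so NPS sees a stable client IP
! (the RADIUS client entry on NPS must match this address).
ip radius source-interface Vlan100
!
! Step 2: AAA method lists on the built-in default list. "local" is tried
! only when no RADIUS server ANSWERS (an error), never when NPS rejects
! the login, so an NPS outage does not lock you out but a bad password
! cannot fall through to the local database.
aaa authentication login default group NPS local
aaa authorization exec default group NPS local if-authenticated
aaa accounting exec default start-stop group NPS
!
line vty 0 15
 transport input ssh
!
! On NPS, the network policy must return the vendor-specific attribute
! Cisco-AV-Pair with the value shell:priv-lvl=15, otherwise exec
! authorization lands the user at privilege level 1.
!
! Verify from the switch:
!   test aaa group NPS jdoe Password1 new-code
!   show aaa servers
!   debug radius authentication
```

The `test aaa group` command exercises the full RADIUS exchange without a login attempt, which is the quickest way to tell a shared-key mismatch (NPS logs a bad authenticator) from a policy problem (Access-Reject with a reason code on the NPS side).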

    Friday, June 3, 2016

    Password Recovery for Cisco Router 2900

    I had to reset a Cisco 2901 router to factory default. Unfortunately no one knew the username and password.

    The Cisco documentation, Password Recovery Procedure for the Cisco 2900 Integrated Services Router, lists all the steps, but does not give enough detail on how to "Remove the compact flash that is on the rear of the router."

    I understand the Cisco 2900 series uses a different password recovery method from the usual one of pressing the Break key during the boot process. A Cisco 2900 automatically boots into ROMMON mode after you remove the CompactFlash card. But the Password Recovery Procedure for the Cisco 2900 Integrated Services Router does not say enough about how to remove the CF card from the rear of the router.

    Here is what I figured out using a flat-head screwdriver. Let's find where the CompactFlash card is located in the following photo:

    Thursday, March 24, 2016

    Cisco IOS Command Tips and Tricks - Part 1

    This post collects some small tips and tricks I found during my daily work. Since the list is getting longer and longer, I am splitting it into two posts:

    1. Basic Troubleshooting Commands

    show interfaces (e.g. show interfaces GigabitEthernet 3/6)
    show ip interface
    show ip route
    show running-config
    show startup-config
    show ip sockets
    show conn (ASA)
    show tcp brief

    2. Archive Command

    • Configuration change logging, and save a copy of the current configuration locally on every write memory
    archive
     ! log all commands
     log config
      logging enable
      logging size 200
      notify syslog contenttype plaintext
      hidekeys
     path flash:backup-
     maximum 8
     write-memory
    • Compare Startup-Configuration with Running-configuration

    R1#show archive config differences 
    !Contextual Config Diffs:
    !No changes were found

    • show archive log config all
    • show archive

    3. Enable IPv6 on Cisco Switch 3550/3560
    sdm prefer dual-ipv4-and-ipv6 routing


    Switch: interface f0/24 is connected to router P1R1
    interface FastEthernet0/24
     no switchport
     ip address
     ip authentication mode eigrp 1 md5
     ip authentication key-chain eigrp 1 EIGRP-KEY
     ipv6 address 2001:DB8:CAFE:201::/64 eui-64
     ipv6 rip 1 enable
     spanning-tree portfast

    Tunnel 0 on the switch (tunnel destination is P1R1):
    interface Tunnel0
     no ip address
     ipv6 address 2001:DB8:CAFE:301::/64 eui-64
     ipv6 enable
     ipv6 rip 1 enable
     tunnel source FastEthernet0/24
     tunnel destination    !---> P1R1

    Tunnel 0 on the router side (mirror of the switch side):
    interface Tunnel0
     no ip address
     ipv6 address 2001:DB8:CAFE:301::/64 eui-64
     ipv6 enable
     ipv6 rip 1 enable
     tunnel source Ethernet0/0
     tunnel destination

    4. Using FTP to transfer files to flash (the credentials in the URL travel in cleartext; prefer SCP where the image supports it)
    copy ftp://test:[email protected] flash:

    5. Clear IOS configuration
    write erase

    6. Delete flash: folder
    delete /force /recursive flash:/c2960-lanbase-mz.122-52.SE

    7. Basic Commands to Enable Telnet/SSH on Cisco Devices

    a. Telnet Access (cleartext; shown for completeness, use SSH wherever possible)

    no aaa new-model
    username test privilege 15 secret test
    line vty 0 15
     login local
     no password
     transport input telnet

    b. SSH Access (reuses the local username from a; login local is required because SSH always authenticates a username):

    hostname Switch1
    ip domain-name
    crypto key generate rsa general-keys modulus 2048
    ip ssh time-out 60
    ip ssh version 2
    line vty 0 15
     login local
     transport input ssh

    c. Console Access with username/password:

    line con 0
     login local

    8. Debug IP Traffic based on Access-list

    The debug procedure is the following. Do this in a maintenance window: disabling the route cache punts all traffic on those interfaces to the CPU, and debug ip packet without a narrow access-list can overwhelm a busy router.
    1) Turn "on" process switching under both interfaces in the router.
    Router(config)#interface g0/0
    Router(config-if)#no ip route-cache
    Router(config)#interface g0/1
    Router(config-if)#no ip route-cache

    2) Create an access-list. Define the specific traffic you want to monitor between hosts.
    Router(config)#access-list 199 permit tcp host eq host
    Router(config)#access-list 199 permit tcp host eq host

    3) If you are in a telnet session to the router, turn "terminal monitor" on.
    Router#term mon
    If you are in a console session to the router, use the "logging console" command instead.
    Router(config)#logging console

    4) Finally, the debug command.
    Router#debug ip packet 199 detail
    Where 199 is the access-list number we created.
    *Jul 23 20:25:30.616: IP: s= (local), d=, len 44, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

    5) Use the "un all" command to turn it off, then re-enable the route cache (ip route-cache) on both interfaces.
    Router#un all

    9. Kron command

    Kron can be used to reboot a router regularly, clear interface counters, save the configuration, show the routing table, etc. But it does not support any interactive command.

    Following is an example that uses it to save the configuration on a regular basis.

    Router# show kron schedule
    Kron Occurrence Schedule
    backup inactive, will run again in 2 days 22:03:46 at 22:00 on Mon

    Router# show running-configuration
    kron occurrence backup at 22:00 Mon recurring
     policy-list backup
    kron policy-list backup
     cli write

    Another example runs the Tcl script script.tcl as the specific user jonny (commands inside a policy-list are prefixed with cli):
    kron occurrence tcl_occur user jonny in 12:0 recurring
     policy-list tclpol
    kron policy-list tclpol
     cli tclsh flash:/script.tcl

    10. Enable IP Accounting on interface

    IP accounting does not provide much functionality, but it does give a summary of traffic passing through a router. The router only records packets that transit the router; connections initiated by the router or terminating on the router are not counted.

    interface GigabitEthernet0/1
    ip address
    ip accounting output-packets
    duplex full
    speed 100

    R1#sh ip accounting
    Source Destination Packets Bytes 100.199.3853 6 241 4 183 1 104

    Accounting data age is 3w0d

    11. Show configuration without break/pause @Cisco Router/Switch
    terminal length 0

    @ASA Firewall
    terminal pager 0

    12. Debug commands at Cisco ASA 9.1(2)

    terminal monitor
    logging buffer-size 1048576
    logging buffered 7
    logging monitor 7
    debug crypto condition peer

    debug crypto ipsec 127
    debug crypto ikev1 127

    13. Display Cisco IOS Device Opened Ports

    R#show control-plane host open-ports
    Active internet connections (servers and established)
    Prot               Local Address             Foreign Address                  Service    State
     tcp                        *:22                         *:0               SSH-Server   LISTEN
     tcp                        *:23                         *:0                   Telnet   LISTEN
     udp                       *:161                         *:0                  IP SNMP   LISTEN
     udp                       *:162                         *:0                  IP SNMP   LISTEN
     udp                     *:65110                         *:0                  IP SNMP   LISTEN
     udp                      *:1975                         *:0                      IPC   LISTEN

    How to close port 23 (and the other listening ports) from external scanning is covered in my post: Close Cisco IOS TCP Ports 23, 2002, 4002, 6002, and 9002 from Network Ports Scanning

    14. Native VLAN mismatch

    062275: May 12 00:09:37.207 EDT: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/3 (1), with Swtch1 GigabitEthernet0/5 (56).

    Although both ports are access ports in different VLANs (56 and 1), this mismatch message should not appear. One solution is a single global command (the native VLAN TLV is only carried in CDPv2 advertisements):

    no cdp advertise-v2


    Another solution is to use different VTP domain names on those switches:

    Switch(config)# vtp mode transparent
    Switch(config)# vtp domain a_unique_name

    15. IOS Password Recovery Procedures

    • Shut down the router, then power it on.
    • Press Break on the terminal keyboard within 60 seconds of power-up to put the router into ROMMON. (On some keyboards the Pause key is used to enter ROMMON mode; Fn+Pause or Ctrl+Break may or may not be needed.)
    • Once the rommon 1> prompt appears, enter this command: confreg 0x2142
      Then type reset to reboot the Cisco device. (0x2142 makes the router ignore the startup configuration on boot.)
    • When you are prompted to enter the initial configuration, type No and press Enter.
      At the Router> prompt, type enable.
    • At the Router# prompt, enter the configure memory command and press Enter to copy the startup configuration into the running configuration.
    • Use the config t command to enter global configuration mode.
    • Use this command to create a new username and password (secret stores a hash; password stores a reversible type 7 string):
      router(config)#username test privilege 15 secret test
    • Issue no shutdown on the interfaces you need; after this recovery they come up administratively down.
    • Use this command to restore the normal boot behaviour: config-register 0x2102
    • Use this command to save the configuration: write memory

    16. Reload Device in xx minutes 

    This is helpful for remote work in case a misconfiguration cuts off your connection: if you do not cancel in time, the device reloads with the saved startup-config and the unsaved change is gone.
    R-Test-Lab#reload in 1
    Reload scheduled for 16:55:53 EDT Tue Aug 11 2015 (in 1 minute) by john on console
    Reload reason: Reload Command
    Proceed with reload? [confirm]
    *** --- SHUTDOWN in 0:01:00 ---
    R-Test-Lab#show reload
    Reload scheduled for 16:55:55 EDT Tue Aug 11 2015 (in 57 seconds) by john on console
    Reload reason: Reload Command
    R-Test-Lab#reload cancel
    *** --- SHUTDOWN ABORTED ---

    17. Load-Interval 30

    By default, IOS averages interface rate statistics over a 5-minute interval. The shortest interval you can set is 30 seconds.
    interface GigabitEthernet0/0
     ip flow ingress
     load-interval 30
     duplex auto
     speed auto
    Router#sh interfaces g0/0
    GigabitEthernet0/0 is up, line protocol is up
      Hardware is PQ3_TSEC, address is c464.139b.ee00 (bia c464.139b.ee00)
      Internet address is
      MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
         reliability 255/255, txload 1/255, rxload 3/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full Duplex, 1Gbps, media type is RJ45
      output flow-control is XON, input flow-control is XON
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:00, output 00:00:00, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/149/0 (size/max/drops/flushes); Total output drops: 15
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      30 second input rate 12706000 bits/sec, 1423 packets/sec
      30 second output rate 966000 bits/sec, 957 packets/sec
         7877466781 packets input, 4315500899841 bytes, 1023 no buffer
         Received 345354184 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 13 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 520835 multicast, 2112 pause input
         7120190572 packets output, 2103538386166 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         121793930 unknown protocol drops
         0 babbles, 0 late collision, 0 deferred
         4 lost carrier, 0 no carrier, 58519 pause output
         0 output buffer failures, 0 output buffers swapped out
    18. Turn off IP Spoof Protection (uRPF) on the ASA

    The command that enables the check is ip verify reverse-path interface outside; it produces log messages like the one below when a packet's source address does not match the routing table for the interface it arrived on. To turn it off, negate the command:

    no ip verify reverse-path interface outside
    "Deny IP spoof from ( to on interface inside"

    Disabling uRPF removes the anti-spoofing check, so treat this as a troubleshooting step rather than a permanent fix; asymmetric routing is the usual cause of these messages on legitimate traffic.

    19. Create Read-only Account

    Method one: an autocommand shows the running configuration and then ends the session.
    username local1 secret Cisco1234
    username local1 privilege 15 autocommand show running

    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa authorization console

    Method two: a lower privilege level with show config moved down to it.
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa authorization console

    username local2 privilege 7 secret Cisco1234
    privilege exec level 7 show config
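As an added third method (not from the original post), role-based CLI access restricts the account to an explicit list of commands instead of relying on privilege levels or on an autocommand. The usernames, secrets and the view name below are assumptions.

```cisco
! Added example, not from the original post: a read-only account built with
! role-based CLI (a parser view). Usernames, secrets and the view name are
! assumptions.
!
! Role-based CLI requires AAA and an enable secret. Views are created from
! the root view, which you enter from exec mode with "enable view" and the
! enable secret before configuring the view.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
enable secret ExampleEnableSecret
!
! enable view          <- run this in exec mode first
parser view READONLY
 secret ExampleViewSecret
 commands exec include show running-config
 commands exec include show startup-config
 commands exec include all show interfaces
 commands exec include all show ip
 commands exec include show logging
 commands exec include show version
!
! Bind a local user directly to the view. The user lands in the view at
! login and cannot leave it without the enable secret.
username local3 view READONLY secret Cisco1234
!
! Verify from a session logged in as local3:
!   show parser view        <- reports the current view as READONLY
!   configure terminal      <- rejected, not part of the view
```

Compared with the two methods above, a view fails closed: anything not listed is rejected, whereas a lowered privilege level inherits every command that already sits at or below that level.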

    Saturday, March 5, 2016

    Installing Cisco Cloud Services Router CSR 1000V in Vmware

    The Cisco CSR 1000V Series lowers the barriers to enterprise adoption of a hybrid cloud model by extending the enterprise WAN to provider-hosted clouds.
    Primary features include:
    • Flexible virtual form factor designed for multi-tenant, provider-hosted clouds
    • Complete, hypervisor-isolated, multi-service router instance for each tenant
    • Proven, familiar, enterprise-class Cisco IOS Software networking services
    • Feature and operational consistency with Cisco physical form-factor routers
    • Component of end-to-end WAN architecture with Cisco Integrated Services Routers and Cisco Aggregation Services Routers
    Primary use cases include:
    • Secure VPN gateway
    • MPLS WAN termination
    • Data center network extension
    • Control and traffic redirection
    Primary Benefits:
    • Direct connectivity improves the response time of cloud-hosted applications
    • Private WAN integration improves security, performance, and predictability
    • Enterprise control, visibility, and policy consistency reduce security risks
    • Feature consistency and product familiarity improve operational efficiency
    • Extension of the data center network to a cloud simplifies application on-boarding

    1. Download CSR 1000v Software:
    You can download either of the following packages from this page (Cisco IOS XE Software link):

    • csr1000v-universalk9.03.12.00.S.154-2.S-std.ova
    • csr1000v-universalk9.03.12.00.S.154-2.S-std.iso

    Keep in mind that the CSR 1000v comes with a 60-day evaluation license for 50 Mbps throughput. After that expires, throughput drops to 2.5 Mbps.