Showing posts with label Cisco. Show all posts

Saturday, November 10, 2018

Configure Cisco Enterprise Access Point 1142N As Home AP

Early in 2018, I got a chance to buy a Cisco Wireless Access Point for only $30, which is a great deal for an AIR-LAP1142N-x-K9 - Dual-band Controller-based 802.11a/g/n. It is not an 802.11ac-ready AP, but as a replacement for my home wireless router, it is already enough.

Since this device is an enterprise product, the configuration is not that straightforward; even after reading some Cisco documents, it is still quite cumbersome to understand.

After a couple of hours working on it, I managed to bring both the 2.4 GHz and 5 GHz radios up and set up two SSIDs on both radios. Here are my steps (the simplest steps to follow) with screenshots and video:

Thursday, September 27, 2018

Cisco Web Security Appliance (WSA) S190 - Web GUI

Cisco® IronPort Web Security Appliance (WSA) offers malware protection, application visibility and control, acceptable use policy controls, insightful reporting and secure mobility to the enterprise network.

The Cisco IronPort WSA is a forward proxy that can be deployed in either Explicit mode (proxy automatic configuration [PAC] files, Web Proxy Auto-Discovery [WPAD], browser settings) or Transparent mode (Web Cache Communication Protocol [WCCP], Policy-Based Routing [PBR], load balancers). WCCP-compatible devices, such as Cisco Catalyst® 6000 Series Switches, Cisco ASR 1000 Series Aggregation Services Routers, Cisco Integrated Services Routers, and Cisco ASA 5500-X Series Next-Generation Firewalls, reroute web traffic to the Cisco WSA. The Cisco WSA can proxy HTTP, HTTPS, SOCKS, native FTP, and FTP over HTTP traffic to deliver additional capabilities such as data-loss prevention, mobile user security, and advanced visibility and control. Cisco provides hardware appliances (Cisco S690, Cisco S690X, Cisco S680, Cisco S390, Cisco S380, Cisco S190, Cisco S170) and virtual appliances WSAV (S000v, S100v, S300v) for different requirements. In this post, an S190 is used to show how the web GUI looks.
The Cisco S190 appliance is typically installed as an additional layer in the network between clients and the Internet.

Cisco S190 specifications (SMB and Branch):
  • Disk Space: 2x600 GB SAS
  • RAID Mirroring: Yes (RAID 1)
  • Memory: 8 GB, DDR4
  • CPU: 1 x 1.9 GHz, 6C

Depending on how you deploy the appliance, you may or may not need a Layer 4 (L4) switch or a WCCP router to direct client traffic to the appliance.
Deployment options include:

  • Transparent Proxy—Web proxy with an L4 switch
  • Transparent Proxy—Web proxy with a WCCP router
  • Explicit Forward Proxy—Connection to a network switch
  • L4 Traffic Monitor—Ethernet tap (simplex or duplex)

Thursday, August 23, 2018

Cisco IOS Command Tips and Tricks - Part 2

The Cisco IOS command list is getting longer, and it has been split into two posts:

1. Auto secure

Cisco also provides a One-step lockdown-like feature at the command line! This feature is called AutoSecure. It uses the command shown below:

auto secure [management | forwarding] [no-interact | full] [ntp | login | ssh | firewall | tcp-intercept]

Monday, February 5, 2018

Xen Server Switch Port is on Error Disable Mode

Our network environment is built entirely on Cisco switches (2960, 4500, 3850, etc.). The virtual environment uses Citrix Xen and VMware products.

Starting a couple of months ago, after the Xen environment was upgraded to 7.2, we have been facing a switch port err-disable issue.

Thursday, January 25, 2018

Cisco ACI (Application Centric Infrastructure) Lab Test Drive

• ACI is an open-source, centralized policy model that connects to all components of the data center and controls the network and information flow.
• ACI is a principle of action by the business, synonymous with code and system.
• A policy is a state of intent that is applied to the network, with the network being responsible for carrying out that intent.
• Application logic through policy makes changes at any layer of the stack independent from each other.
• Advantages of policy in the data center are abstraction, extensibility, and reusability.

Unicast forwarding through the fabric occurs as follows:

1. The packet is sourced from the VM attached to the ingress port group or directly from the physical server.
2. The virtual switch (vSwitch) encapsulates the frame and forwards it to the leaf.
3. The leaf swaps the ingress encapsulation with VXLAN and performs any required policy functions.
4a. If the leaf has learned the inner IP to egress VTEP binding, the leaf will set the required VTEP address and forward directly to the egress leaf.
4b. If the ingress leaf does not contain a cached entry of the IP to egress VTEP binding, the leaf will set the VTEP address as the anycast VTEP, which is in the spine. This setting will perform an inline hardware lookup and perform egress VTEP rewrites. No additional latency or decrease in throughput due to the lookup will be realized, assuming the packet was going through the spine anyway.
5. The egress leaf will swap the outer VXLAN with the correct encapsulation and perform any required policy functions.
6. The leaf then forwards the frame to the vSwitch.
7. From there, the vSwitch will forward the frame or send it directly to the physical server.

1. Accessing the Remote Lab Environment

Monday, November 20, 2017

Cisco 3850 Mgmt VRF Configuration

Ethernet Management Interface VRF

New Cisco routers and switches come with a dedicated Ethernet port whose sole purpose is to provide management access to the device via SSH or Telnet. This interface is isolated in its own VRF called "Mgmt-vrf". Placing the management Ethernet interface in its own VRF has the following effects on the Management Ethernet interface:
1. Many features must be configured or used inside the VRF, so the CLI may be different for certain Management Ethernet functions than on other routers.
2. Prevents transit traffic from traversing the device. Because all of the SPA interfaces and the Management Ethernet interface are automatically in different VRFs, no transit traffic can enter the Management Ethernet interface and leave a SPA interface, or vice versa.
3. Improved security of the interface. Because the Mgmt-intf VRF has its own routing table as a result of being in its own VRF, routes can only be added to the routing table of the Management Ethernet interface if explicitly entered by a user.
4. The Management Ethernet interface VRF supports both IPv4 and IPv6 address families.

Sunday, November 5, 2017

Upgrade Cisco 4500 Switches IOS and ROMMON and Failed to Enable VSS (Virtual Switching System)

In one of my clients' environments, there are two Cisco 4510 switches running with HSRP configured. Upgrading them to VSS (Virtual Switching System) has been discussed during the last couple of months. The main driver for VSS is to have dual-homed hosts run EtherChannel to connect to those two 4510R+E switches. Obviously, converting the core switches to VSS (and having MEC - Multichassis EtherChannel - configured in the dist/access switches) helps improve overall performance, as both fabrics will be active in VSS and traffic will be load-balanced. There are no more STP blocking ports in the dist/access switches, while still getting chassis-level redundancy.

There was an attempt to implement VSS, but it failed. All steps are recorded here for future reference since it is still being worked on. The error messages show an IOS version mismatch although both 4510R+E switches have the same IOS version:

*Oct 22 13:49:30.890: %C4K_REDUNDANCY-2-IOS_VERSION_CHECK_FAIL: STANDBY:IOS version mismatch. Active supervisor version is 15.2(2)E6 (cat4500es8-UNIVERSALK9-M). Standby supervisor version is 15.2(2)E6 (cat4500es8-UNIVERSALK9-M). Redundancy feature may not work as expected.

Virtual Switching System 1440 Compared to Traditional Network Design

High Availability Network Design Simplified Using Virtual Switching System

Monday, October 23, 2017

Cisco Catalyst 3850 Data Stack and Power Stack

Received a bunch of boxes of Cisco 3850 switches, which will be used to build a switch stack for a high-availability switching environment.

For the 2960 series, there is a previous post about it:

Cisco Catalyst WS-C3850-48T-S and Components (Unboxed)

Cisco Catalyst WS-C3850-48T-S and Components in the Boxes
YouTube Video:

Sunday, October 22, 2017

Stacking Cisco Catalyst 2960X with 2960S

Working on stacking two Cisco 2960X switches recently; two 2960X stack modules and 0.5 m stacking cables were received today. The product name is C2960X-STACK= and the description is Catalyst 2960-X FlexStack Plus Stacking Module optional. The part number is CMUCAEGBAA.

For 3850 switches, see this post:

Monday, March 27, 2017

Cisco Switch 2960x Memory Increasing Issue Troubleshooting - Memory Leak

Our network monitoring software found that memory usage on some new production switches keeps increasing. Those switches are Cisco 2960X running IOS 15.0(2)EX3.

As we know, there are two types of memory in Cisco IOS: process memory and IO memory.
• When a feature is enabled on an IOS device (e.g. PIM, HSRP, etc.), IOS allocates process memory for the process.
• IO memory is used when software-switched traffic hits the CPU. The CPU allocates IO memory to store the frame temporarily.
In our case, process memory is increasing. What we need to do is find out which process is responsible.

Wednesday, October 26, 2016

Cisco Free Lab Website - dCloud

Cisco dCloud was moved to version 1.5, and now it is at version 2.

The Cisco dCloud lab-as-a-service platform provides self-service training, demonstration and lab capabilities for Cisco partners. Learn about this free 24/7/365 resource, which provides multiple labs in all Cisco architectures, plus documentation and instructions for conducting on-site demonstrations. For anybody who sells, buys or uses Cisco products, Cisco dCloud is a great place to practice configuring.
What dCloud does is give you the ability to test, demonstrate and run 131 different labs, demos and sandboxes.

Experience a Cisco solution in dCloud:
• Browse to Cisco dCloud. Select the location closest to you and then log in using your credentials.

Wednesday, October 19, 2016

Cisco Active Advisor - CAA

Cisco Active Advisor is a free online cloud service that automates network discovery and analysis of your network inventory. Cisco Active Advisor reduces the overall risk of your network administration by keeping you up to date on:

• Warranty and service contract status
• Product advisories, including Product Security Incident Response Team (PSIRT) advisories and field notices
• End-of-life milestones for hardware and software
Log in to Cisco Active Advisor with your Cisco CCO account:

Friday, August 5, 2016

Native VLAN mismatch Error on Access Port

Cisco switches always have VLAN 1 as the default VLAN, which is needed for many protocol communications between switches, such as the spanning-tree protocol. Unfortunately, you can't change or even delete the default VLAN; it is mandatory.
The native VLAN is the only VLAN which is not tagged on a trunk; in other words, native VLAN frames are transmitted unchanged.
By default the native VLAN is VLAN 1, but you can change that.

Monday, August 1, 2016

Cisco CCP Installation and Basic Configuration

Cisco Configuration Professional (Cisco CP) is a GUI-based device management tool for Cisco access routers. This tool simplifies routing, firewall, IPS, VPN, unified communications, WAN and LAN configuration through GUI-based, easy-to-use wizards. It replaces the obsolete SDM (Security Device Manager) product.

Cisco Configuration Professional offers smart wizards and advanced configuration support for LAN and WAN interfaces, Network Address Translation (NAT), stateful and application firewall policy, IPS, IPsec and SSL VPN, QoS, and Cisco Network Admission Control policy features. The firewall wizard allows a single-step deployment of high, medium, or low firewall policy settings. IT managers can easily organize and manage multiple routers at a single site.

Wednesday, July 20, 2016

Recover Cisco Device using TFTP Server or External Card from a Corrupt or Missing Image or in Rommon Mode

Cisco switches are usually quite robust and do not give me a hard time. When it happens, it happens. What I met was a situation where a Cisco 4500 switch got into ROMMON mode and I had to find the quickest way to get it back into production before the maintenance window ended.

The related posts in this blog:

Tuesday, June 14, 2016

Windows Network Policy Server Basic Radius Configuration for Cisco devices

RADIUS Traffic

RADIUS server configuration on Cisco IOS is performed in two steps: one set of commands is defined within the AAA paradigm and the other set is run with the "radius" commands. The AAA configuration on Cisco IOS needs to be done with named method lists, or the default list can be used. The simplest way to start with the configuration is to use the built-in default method lists.

1. Configuration on Cisco Switches and Routers

Friday, June 3, 2016

Password Recovery for Cisco Router 2900

I have to reset one Cisco 2901 router to factory default. Unfortunately, no one knows the username and password.

The Cisco documentation Password Recovery Procedure for the Cisco 2900 Integrated Services Router lists all the steps, but not in enough detail on how to "Remove the compact flash that is on the rear of the router."

I understand the Cisco 2900 series uses a different method for password recovery than the usual way of pressing the 'Break' key during the boot process. The Cisco 2900 will automatically boot into ROMMON mode after you remove the compact flash card. But the Password Recovery Procedure for the Cisco 2900 Integrated Services Router does not say enough about how to remove the CF card from the rear of the router.

Here is what I figured out using a flat-head screwdriver. Let's find where the compact flash card is located from the following photo:

Thursday, March 24, 2016

Cisco IOS Command Tips and Tricks - Part 1

This post is used to collect some small tips and tricks I found during my daily work. Since the list is getting longer and longer, I am splitting it into two posts:

1. Basic Troubleshooting Commands

show interfaces (show interfaces GigabitEthernet 3/6)
show ip interface
show ip route
show running-config
show startup-config
show ip sockets
show conn
show tcp brief

Saturday, March 5, 2016

Installing Cisco Cloud Services Router CSR 1000V in Vmware

The Cisco CSR 1000V Series lowers the barriers to enterprise adoption of a hybrid cloud model by extending the enterprise WAN to provider-hosted clouds.
Primary features include:
• Flexible virtual form factor designed for multi-tenant, provider-hosted clouds
• Complete, hypervisor-isolated, multi-service router instance for each tenant
• Proven, familiar, enterprise-class Cisco IOS Software networking services
• Feature and operational consistency with Cisco physical form-factor routers
• Component of end-to-end WAN architecture with Cisco Integrated Services Routers and Cisco Aggregation Services Routers
Primary use cases include:
• Secure VPN gateway
• MPLS WAN termination
• Data center network extension
• Control and traffic redirection
Primary Benefits:
• Direct connectivity improves the response time of cloud-hosted applications
• Private WAN integration improves security, performance, and predictability
• Enterprise control, visibility, and policy consistency reduce security risks
• Feature consistency and product familiarity improve operational efficiency
• Extension of the data center network to a cloud simplifies application on-boarding

1. Download CSR 1000v Software:
You can download either one of the following packages from this page (Cisco IOS XE Software Link):

• csr1000v-universalk9.03.12.00.S.154-2.S-std.ova
• csr1000v-universalk9.03.12.00.S.154-2.S-std.iso

Keep in mind that the CSR 1000V itself comes with a 60-day license for 50 Mbps throughput. After that expires, it drops to 2.5 Mbps.