Showing posts with label Cisco. Show all posts

Monday, February 12, 2018

Configure Cisco Enterprise Access Point 1142N As Home AP

Early in 2018, I got a chance to buy a Cisco Wireless Access Point for only $30, which is a great deal for an AIR-LAP1142N-x-K9, a dual-band, controller-based 802.11a/g/n AP. It is not an 802.11ac-ready AP, but as a replacement for my home wireless router it is more than enough.

Since this device is an enterprise product, the configuration is not straightforward; even after reading some Cisco documents, it is still not an easy job.

After a couple of hours working on it, I managed to bring both the 2.4 GHz and 5 GHz radios up and set up two SSIDs on both radios. Here are my steps (the simplest steps to follow):

Monday, February 5, 2018

Xen Server Switch Port is on Error Disable Mode


Our network environment is built entirely on Cisco switches (2960, 4500, 3850, etc.). The virtual environment uses Citrix Xen and VMware products.

Starting a couple of months ago, after the Xen environment was upgraded to 7.2, we have been facing a switch port err-disable issue.

Thursday, January 25, 2018

Cisco ACI (Application Centric Infrastructure) Lab Test Drive

Summary:
  • ACI is an open-source, centralized policy model that connects to all components of the data center and controls the network and information flow.
  • ACI is a principle of action by the business, synonymous with code and system.
  • A policy is a state of intent that is applied to the network, with the network being responsible for carrying out that intent.
  • Application logic through policy makes changes at any layer of the stack independent from each other.
  • Advantages of policy in the data center are abstraction, extensibility, and reusability.



Unicast forwarding through the fabric occurs as follows:

1. The packet is sourced from the VM attached to the ingress port group or directly from the physical server.
2. The virtual switch (vSwitch) encapsulates the frame and forwards it to the leaf.
3. The leaf swaps the ingress encapsulation with VXLAN and performs any required policy functions.
4a. If the leaf has learned the inner IP to egress VTEP binding, the leaf sets the required VTEP address and forwards directly to the egress leaf.
4b. If the ingress leaf does not contain a cached entry of the IP to egress VTEP binding, the leaf sets the VTEP address to the anycast VTEP, which is in the spine. The spine then performs an inline hardware lookup and rewrites the egress VTEP. No additional latency or decrease in throughput due to the lookup is realized, assuming the packet was going through the spine anyway.
5. The egress leaf swaps the outer VXLAN with the correct encapsulation and performs any required policy functions.
6. The leaf then forwards the frame to the vSwitch.
7. From there, the vSwitch forwards the frame to the VM or sends it directly to the physical server.




1. Accessing the Remote Lab Environment
https://youtu.be/4YuxHklXQzQ



Monday, November 20, 2017

Cisco 3850 Mgmt VRF Configuration

Ethernet Management Interface VRF

New Cisco routers and switches come with a dedicated Ethernet port whose sole purpose is to provide management access to the device via SSH or Telnet. This interface is isolated in its own VRF called "Mgmt-vrf". Placing the management Ethernet interface in its own VRF has the following effects on the Management Ethernet interface:
  1. Many features must be configured or used inside the VRF, so the CLI may be different for certain Management Ethernet functions on other routers.
  2. Prevents transit traffic from traversing the device. Because all of the SPA interfaces and the Management Ethernet interface are automatically in different VRFs, no transit traffic can enter the Management Ethernet interface and leave a SPA interface, or vice versa.
  3. Improved security of the interface. Because the Mgmt-intf VRF has its own routing table as a result of being in its own VRF, routes can only be added to the routing table of the Management Ethernet interface if explicitly entered by a user.
  4. The Management Ethernet interface VRF supports both IPv4 and IPv6 address families.

Sunday, November 5, 2017

Upgrade Cisco 4500 Switches IOS and ROMM and Failed to Enable VSS (Virtual Switching System)

In one of my clients' environments there are two Cisco 4510s running with HSRP configured. Upgrading them to VSS (Virtual Switching System) has been discussed over the last couple of months. The main driver for VSS is to have dual-homed hosts run EtherChannel to both 4510R+E switches. Converting the core switches to VSS (with MEC, Multichassis EtherChannel, configured on the dist/access switches) improves overall performance, since both fabrics are active in VSS and traffic is load-balanced. There are no more STP blocking ports in the dist/access switches, while chassis-level redundancy is retained.

There was an attempt to implement VSS, but it failed. All steps are recorded here for future reference since this is still being worked on. The error messages show an IOS version mismatch, although both 4510R+E switches are running the same IOS version:

*Oct 22 13:49:30.890: %C4K_REDUNDANCY-2-IOS_VERSION_CHECK_FAIL: STANDBY:IOS version mismatch. Active supervisor version is 15.2(2)E6 (cat4500es8-UNIVERSALK9-M). Standby supervisor version is 15.2(2)E6 (cat4500es8-UNIVERSALK9-M). Redundancy feature may not work as expected.



Figure: Virtual Switching System 1440 Compared to Traditional Network Design

Figure: High Availability Network Design Simplified Using Virtual Switching System

Monday, October 23, 2017

Cisco Catalyst 3850 Data Stack and Power Stack

Received a bunch of boxes of Cisco 3850s, which will be used to build a switch stack for a high-availability switching environment.

For the 2960 series, there is a previous post about it:



Cisco Catalyst WS-C3850-48T-S and Components (Unboxed)

Cisco Catalyst WS-C3850-48T-S and Components in the Boxes


Sunday, October 22, 2017

Stacking Cisco Catalyst 2960X with 2960S

I have been working on stacking two Cisco 2960X switches recently, and two 2960X stack modules and 0.5 m stacking cables were received today. The product name is C2960X-STACK= and the description is Catalyst 2960-X FlexStack Plus Stacking Module optional. The part number is CMUCAEGBAA.

For 3850 switches, see this post:





Wednesday, September 6, 2017

Cisco IOS Command Tips and Tricks - Part 2

The Cisco IOS command list is getting longer, so it has been split into two posts:

1. Auto secure

Cisco also provides a One-Step Lockdown-like feature at the command line. This feature is called AutoSecure, and it uses the command shown below:

auto secure [management | forwarding] [no-interact | full] [ntp | login | ssh | firewall | tcp-intercept]


2. Change the Site-to-Site VPN idle timeout to 5 minutes

For IOS Router

R1(config)#crypto ipsec security-association idle-time 300


For ASA

ASA1(config)#group-policy GP_1.1.1.2 attributes
ASA1(config-group-policy)#vpn-idle-timeout 300

ASA1(config-group-policy)#vpn-session-timeout none

Monday, March 27, 2017

Cisco Switch 2960x Memory Increasing Issue Troubleshooting - Memory Leak

Symptoms 

Our network monitoring software found that memory usage on some new production switches keeps increasing. Those switches are Cisco 2960X running IOS 15.0(2)EX3.

As we know, there are two types of memory in Cisco IOS: process memory and I/O memory.
  • When a feature is enabled on an IOS device (e.g. PIM, HSRP, etc.), IOS allocates process memory for that process.
  • I/O memory is used when software-switched traffic hits the CPU. The CPU allocates I/O memory to store the frame temporarily.
In our case it is process memory that is increasing. What we need to do is find out which process is responsible.

Wednesday, October 26, 2016

Cisco Free Lab Website - dCloud

Cisco dCloud has moved on from version 1.5; it is now at version 2.

Cisco dCloud, a lab-as-a-service platform, provides self-service training, demonstration and lab capabilities for Cisco partners. It is a free 24/7/365 resource that provides multiple labs across all Cisco architectures, plus documentation and instructions for conducting on-site demonstrations. For anybody selling, buying or using Cisco products, Cisco dCloud is a great place to practice configuring.
What dCloud gives you is the ability to test, demonstrate and run 131 different labs, demos and sandboxes.


Experience a Cisco solution in dCloud:
  • Browse to Cisco dCloud. Select the location closest to you and then log in using your Cisco.com credentials.

Wednesday, October 19, 2016

Cisco Active Advisor - CAA

Cisco Active Advisor is a free online cloud service that automates network discovery and analysis of your network inventory. Cisco Active Advisor reduces the overall risk of your network administration by keeping you up-to-date on:

  • Warranty and service contract status
  • Product advisories, including Product Security Incident Response Teams (PSIRTs) and field notices
  • End-of-life milestones for hardware and software
Log in to Cisco Active Advisor with your Cisco CCO account:

Friday, August 5, 2016

Native VLAN mismatch Error on Access Port

Cisco switches always have VLAN 1 as the default VLAN, which is needed for much of the protocol communication between switches, such as the spanning-tree protocol. You can't change or delete the default VLAN; it is mandatory.
The native VLAN is the only VLAN that is not tagged on a trunk; in other words, native VLAN frames are transmitted unchanged.
By default the native VLAN is VLAN 1, but you can change that.


Monday, August 1, 2016

Cisco CCP Installation and Basic Configuration

Cisco Configuration Professional (Cisco CP) is a GUI-based device management tool for Cisco access routers. This tool simplifies routing, firewall, IPS, VPN, unified communications, WAN and LAN configuration through easy-to-use GUI wizards. It replaced the obsolete SDM (Security Device Manager) product.

Cisco Configuration Professional offers smart wizards and advanced configuration support for LAN and WAN interfaces, Network Address Translation (NAT), stateful and application firewall policy, IPS, IPSec and SSL VPN, QoS, and Cisco Network Admission Control policy features. The firewall wizard allows a single-step deployment of high, medium, or low firewall policy settings. IT managers can easily organize and manage multiple routers at a single site.

Wednesday, July 20, 2016

Recover Cisco Device using TFTP Server or External Card from a Corrupt or Missing Image or in Rommon Mode

Cisco switches are usually quite robust and don't give me a hard time. When it happens, it happens. What I ran into was a Cisco 4500 switch that dropped into ROMMON mode, and I had to find the quickest way to get it back into production before the maintenance window ended.

The related posts in this blog:


Tuesday, June 14, 2016

Windows Network Policy Server Basic Radius Configuration for Cisco devices

RADIUS Traffic 

RADIUS server configuration on Cisco IOS is performed in two steps: one set of commands is defined within the AAA paradigm, and the other set uses the "radius" commands. The AAA configuration on Cisco IOS needs to be done with named method lists, or the default list can be used. The simplest way to start is to use the built-in default method lists.


1. Configuration on Cisco Switches and Routers

Friday, June 3, 2016

Password Recovery for Cisco Router 2900


I had to reset one Cisco 2901 router to factory default. Unfortunately, no one knew the username and password.

The Cisco document Password Recovery Procedure for the Cisco 2900 Integrated Services Router lists all the steps, but does not give enough detail on how to "Remove the compact flash that is on the rear of the router."

I understand that the Cisco 2900 series uses a different password recovery method than the usual one of pressing the 'Break' key during the boot process. A Cisco 2900 will automatically boot into ROMMON mode after you remove the compact flash card. But the Password Recovery Procedure for the Cisco 2900 Integrated Services Router does not say enough about how to remove the CF card from the rear of the router.

Here is what I figured out using a flat-head screwdriver. Let's find where the compact flash card is located in the following photo:




Thursday, March 24, 2016

Cisco IOS Command Tips and Tricks - Part 1


This post collects some small tips and tricks I found during my daily work. Since the list is getting longer and longer, I am splitting it into two posts:

1. Basic Troubleshooting Commands

ping
traceroute
telnet
show interfaces (e.g. show interfaces GigabitEthernet 3/6)
show ip interface
show ip route
show running-config
show startup-config
show ip sockets
show conn
show tcp brief

2. Archive Command

  • Configuration change logging, and save a copy of the current configuration locally on write memory
archive
 ! log all configuration commands
 log config
  logging enable
  logging size 200
  notify syslog contenttype plaintext
  hidekeys
 path flash:backup-
 maximum 8
 write-memory
  • Compare Startup-Configuration with Running-configuration

R1#show archive config differences 
!Contextual Config Diffs:
!No changes were found

  • show archive log config all
  • show archive

Saturday, March 5, 2016

Installing Cisco Cloud Services Router CSR 1000V in Vmware

The Cisco CSR 1000V Series lowers the barriers to enterprise adoption of a hybrid cloud model by extending the enterprise WAN to provider-hosted clouds.
Primary features include:
  • Flexible virtual form factor designed for multi-tenant, provider-hosted clouds
  • Complete, hypervisor-isolated, multi-service router instance for each tenant
  • Proven, familiar, enterprise-class Cisco IOS Software networking services
  • Feature and operational consistency with Cisco physical form-factor routers
  • Component of end-to-end WAN architecture with Cisco Integrated Services Routers and Cisco Aggregation Services Routers
Primary use cases include:
  • Secure VPN gateway
  • MPLS WAN termination
  • Data center network extension
  • Control and traffic redirection
Primary Benefits:
  • Direct connectivity improves the response time of cloud-hosted applications
  • Private WAN integration improves security, performance, and predictability
  • Enterprise control, visibility, and policy consistency reduce security risks
  • Feature consistency and product familiarity improve operational efficiency
  • Extension of the data center network to a cloud simplifies application on-boarding

1. Download CSR 1000v Software:
You can download either of the following packages from this page (Cisco IOS XE Software link):

  • csr1000v-universalk9.03.12.00.S.154-2.S-std.ova
  • csr1000v-universalk9.03.12.00.S.154-2.S-std.iso

Keep in mind that CSR1000v itself comes with a 60-day license for 50 Mbps throughput. After that expires, it drops to 2.5 Mbps.

Cisco ASAv 9.5.1 200 and ASDM 7.5.1 in Workstation / ESXi

I have been testing Cisco ASA in VMware environments for my own study. Recently I got ASAv 9.5.1 and installed it in VMware Workstation 10 and ESXi 5.5.

Here are all related posts in this blog:
More configuration posts:
1. Download Software from Cisco Software Website:

The latest version is 9.5.2 200. I am using 9.5.1 200 as the example for this post.

