I have a 2800 IPSec VPN router with around 20 external networks connecting in, IOS 12.4(9). Today, one of the external links failed; everything else was fine. I tried to reset the connection with 'clear crypto isakmp sa' but there was no connection ID to clear. The network engineer at the other end asked me to remove the line crypto isakmp key ------- address <his peer> from my config and then to reapply the line, as this would help to reset the connection !!! Has anyone heard of this as being a solution? I cannot find any references and I cannot find any relevant bugs in 12.4(9). I'm curious as the link came up about 4 minutes later. PS: How long should an IPSec VPN take to come up if all the config is good? I would think immediately.
We are upgrading our internet access here at HQ from 100 mbit to 200 mbit (so 200 up and 200 down). I have an ISR4331 lying around; specs say that it is capable of 300 mbits. Is that a hard limit or a soft estimate based on minimum performance with all options enabled (MPLS, encryption, SVIs, inter-VLAN routing, etc.)?
We won't be running any advanced features beyond BGP to the provider and basic QoS. Am I going to be hard limited to 150 up / 150 down? Which means buy a new router.
So I'm running into an issue that is quite puzzling to figure out.
I've installed Cisco Jabber 12.0/12.1 on a ThinkPad Tiny PC and I can call from Jabber to Jabber/deskphone and have two-way audio, but when I use the Jabber client and place an outbound external (mobile/POTS/etc.) call I only have one-way audio. I can hear the terminating end, but they can't hear me.
When I run a packet capture on the PC, Switch, and right before the Media Gateway, I can hear two-way audio.
If I call the Jabber user from my mobile device, the call establishes fine without any issues.
We've checked different settings and codecs etc but generally can't figure it out.
We recently upgraded our 8350 Firepower devices to 184.108.40.206; after the upgrade we are experiencing something strange. Our connections no longer appear stateful.
We have an Access Control Rule for geoblocking non-USA countries. Before the upgrade our 10.x.x.x hosts could initiate a connection to Canada 148.x.x.x, for example, and connections would not be dropped.
After the upgrade, our 10.x.x.x hosts will connect to Canada 148.x.x.x and it's almost like the ACK back from Canada 148.x.x.x is being blocked by our geoblocking rule, which in turn is not allowing our users to get to some websites. This makes me think connections are now acting stateless.
Has anyone else experienced this? Support has not been helpful as of yet.
I am trying to install Cisco ACS 5.8 on a Cisco Secure Network Server; the error I receive is "Error, unsupported hardware detected! Cisco UDI not found on this appliance." I googled it and tried every solution and workaround that I could find, including attempting to install ACS on a VM, and installing through the console. Both methods resulted in the same error as before. I do not have any Cisco training or certification, but I am the only person at my location who can work on this server.
Edit: I am aware that this equipment and software is near/at End-Of-Life. My organization is working to replace it with updated software and equipment. I am looking for a way to use this temporarily due to some upcoming network work that cannot be rescheduled.
I'm trying to confirm if VLANs within a switch are limited to 1 Gigabit per second. I have a Cisco switch with ip-routing enabled and an SVI (interface vlan X) created on that VLAN. It's a 48 port switch with all the ports being 1G/s speed.
Could I have 7 trunk ports each sending 500M through this switch without getting packet/frame loss?
My assumption is that VLAN X can handle much more than just 1G/s, but I can't find any documentation to prove this. Should I be looking into the switch's backplane characteristics? I found this quote from Cisco documentation and don't completely understand it.
"There is no set recommended value of bandwidth on a VLAN interface (SVI). The default is BW 1000000 Kbit (1 Gigabit), because the route processor internal inband is only 1 Gigabit by design. The bandwidth parameter on the show interface vlan output is not fixed bandwidth used by SVI as traffic is routed on the switch backplane. The bandwidth number can be used in order to manipulate routing metrics, calculate interface load statistics, and so forth."
If anyone can point me in the right direction it would be appreciated.
Good morning guys!
We are implementing a new environment for a customer and we will put in some different devices. One of those is the Cisco C93180YC (Multisite solution). Per environment we have one of these switches per rack (2 racks per environment) connected to the spine Nexus 9504 through an uplink port, and the thing is:
If the question isn't clear, please let me know, thanks in advance :)
Hi! I'm trying to set up a network with a firewall using cisco products in my small to medium sized manufacturing/sales business that has 10-15 employees who use computer systems on a daily basis. Frontier communications isn't being all that helpful (shocking, right?) so I've decided to set up a router and firewall network by myself. What products from Cisco, in your experience, work the best for this kind of business? And where should I look to get started?
I was wondering if it was possible to connect a Cisco console to a laptop using a rollover RJ45-RJ45 cable and an Ethernet to USB converter, such as this one:
Will These in combination work to connect and manage the switch?
I'm doing my CCNA-Security since I just finished my CCNA-R&S, and now I'm hearing about this CCP software. I've got it installed and have been messing with it, but the only devices I have that work with it are basically routers. Is this how it's basically designed? My switches get discovered but I really can't do anything with them. My 5510 and 5506-X don't seem to work with it at all. The book seems to push that I need to know how to use this because it's on the CCNA-Security. Is this a widely used tool? I've never seen/heard of it before now.
I'm a little confused here. I'm having a tour in a company, and I found out that they are working with one IP address on two interfaces of one router; as far as I know every interface has its own IP address!
Can you please explain this to me, and if it's possible, how I can do it in Cisco Packet Tracer.
Thanks in advance.
```
SW version 220.127.116.11 ( date 10-Jul-2017 time 17:14:12 )
Boot version 1.3.5.06 ( date 21-Jul-2013 time 15:12:10 )
HW version V01
```
Initial Config
```
sh ru
config-file-header
v18.104.22.168 / R800_NIK_1_4_202_008 CLI v1.0
set system mode switch
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 11,21,25,506
exit
voice vlan id 506
voice vlan oui-table add 0001e3 SiemensAG_phone_______
voice vlan oui-table add 00036b Ciscophone____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3CAolynk_____________
voice vlan oui-table add 0060b9 Philipsand_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone__________
voice vlan oui-table add 00e075 Polycom/Veritelphone__
voice vlan oui-table add 00e0bb 3Comphone_____________
!
interface fastethernet1
no spanning-tree portfast
switchport trunk allowed vlan add 506
switchport trunk native vlan 25
!
```
After I plug this phone in
```
config-file-header
v22.214.171.124 / R800_NIK_1_4_202_008 CLI v1.0
set system mode switch
file SSD indicator encrypted
ssd file passphrase control unrestricted
no ssd file integrity control
voice vlan id 506
voice vlan oui-table add 0001e3 SiemensAG_phone_______
voice vlan oui-table add 00036b Ciscophone____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3CAolynk_____________
voice vlan oui-table add 0060b9 Philipsand_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone__________
voice vlan oui-table add 00e075 Polycom/Veritelphone__
voice vlan oui-table add 00e0bb 3Comphone_____________
storm-control broadcast enable
storm-control broadcast level 10
port security max 10
port security mode max-addresses
port security discard trap 60
switchport trunk allowed vlan add 506
macro description ip_phone_desktop
!next command is internal.
macro auto smartport dynamic_type ip_phone_desktop
!
```
I tried googling around but I can't find the setting for it to keep the configured native VLAN. Has anyone set this up before?
We are looking to support some remote workers. We have some Call Manager/UCCX requirements. For business users CSF phones through MRA is fine however, CSFs through MRA do not support CTI and call recording so for UCCX agents, this solution doesn't work. Only 7800s and 8800s support bidirectional CTI and call recording through MRA. So knowing this, we are trying to come up with ways to deliver CSFs to end users AND get CTI and Call Recording working properly. The obvious solution to this is to extend the network to the end user somehow.
One of the scenarios that we wanted to investigate is sending a user a small device that can establish a S2S VPN tunnel and perhaps give us some QoS metrics across the line. Ideally we would put together a package for an end user that would include a laptop/workstation preloaded with software and a device that they hardwire into their own network. I am looking for a small "magic box" of some sort that we could potentially buy and manage for user connectivity to help us ensure delivery of service. I saw the following two products:
Looks like they run between $400 and $800 bucks. Does anyone have any other thoughts/ideas? Solution is for one worker in a single household attached to a home user's internet connection. Again, this is just one scenario. We have an AnyConnect based architecture that we are looking at and an MRA enabled 7800 or 8800 solution as well. This would just be a plan C option.
I have an ASA5585. For an example, let’s say I have a public IP of 126.96.36.199, and a wildcard DNS record of *example.com that sends all traffic to that IP. That traffic is sent from an ASA to a load balancer. Is there a way for me to block certain inbound traffic to a specific URL inside my network? Say I want to block INBOUND traffic to cisco.example.com but allow all other traffic to example.com? Remember this is INBOUND traffic not OUTBOUND. I don’t believe I can do this but maybe I’m wrong.
Cisco Support has confirmed that this is possible using regex and class-maps, but is very unusual for inbound traffic, and of course it will not work for HTTPS traffic because regex on the ASA does not do deep packet inspection.
I find myself in the position that I have to plan the networking for a LAN party with up to 2000 participants. This is a bit of a challenge, as until now we've done 350 people max. This obviously means we're going to need to get some new equipment.
Currently, we use 4948 switches for the edges. I'm thinking to continue with this, but mix in a few 4948-10GE as well.
For the core we use a 4900M, but obviously that won't do the trick anymore.
We're currently running a 2x1Gb LAG between edge and core, and I'd like to continue with this.
I looked at the Catalyst 6500, but as far as I can tell the backplane is a lot weaker, leading to bad oversubscription ratios for the line cards.
After looking around some more, I'm thinking the Nexus 7009, 7010 or similar (depending on what we can get cheaply on eBay) would do the trick.
If anyone has any other suggestions I'm open for that, too.
So, looking at pricing for used parts on eBay, what I'm thinking is ... Nexus 7009 chassis, with:
Can you guys confirm that these are compatible?
Any nasty surprises I should be aware of?
I have an old UCS 560 with a SIP trunk that I want to add some internet redundancy to. I have two net links managed by a Meraki MX 100. Basically it port forwards to the target device from the two different ISP connections to an internal private IP. Meanwhile my SIP provider can be configured with multiple origination IPs with a priority list so if the primary link goes down, it will start sending calls into the second one.
My problem is, I need to rewrite the SIP headers to keep the calls alive, else they'll drop after about 10 seconds due to a lack of keepalive response (hope I'm using the right term, basically an ACK and OK response). I get around that by rewriting SIP headers from the internal private IP to the public IP.
```
voice class sip-profiles 1
 response ANY sip-header Contact modify "192.168.0.2" "188.8.131.52"
 request ANY sip-header Contact modify "192.168.0.2" "184.108.40.206"
 response ANY sdp-header Audio-Connection-Info modify "192.168.0.2" "220.127.116.11"
 response ANY sdp-header Connection-Info modify "192.168.0.2" "18.104.22.168"
 response ANY sdp-header Session-Owner modify "192.168.0.2" "22.214.171.124"
 request ANY sdp-header Audio-Connection-Info modify "192.168.0.2" "126.96.36.199"
 request ANY sdp-header Connection-Info modify "192.168.0.2" "188.8.131.52"
 request ANY sdp-header Session-Owner modify "192.168.0.226" "184.108.40.206"
```
My problem comes in when a call comes in via the secondary IP. The headers are still rewritten to the primary IP so the call drops after about 10 seconds when the keepalive fails to return an OK.
Is there any way I can have my cake and eat it too in this scenario? Or an alternate plan of attack that doesn't require header rewrites?
Not sure where else to ask this. I got a new router because my old one was having problems. The old wifi system (let’s call this wifi A) was a Cisco “system”. It had 3 units or parts to it. There was the main router, then connected to that was an Ethernet switch. Neither the router nor the switch gave off a signal though; in order to get a wireless signal, we had to connect these antennas. They were more than just an antenna you would connect to the router though, it was like a separate extender that you would have to connect to the router via Ethernet.
Okay, now that you know how the old system worked, let’s get to the problem. I got this new router, it’s NOT a Cisco router. I want to use the extenders or antennas from the old system with this new router to boost the connection around the house. However, when I plug the extenders into the new router, they give off the network signal and name for the old system. When I try to connect to wifi on the device, the name from the old system comes up along with the name for the new system. The extenders seem to be giving off the signal for system A still, even though they are connected to the new router.
Is there any way I could fix this problem?
A few days ago I posted about a network outage that involved a rather large network. After another full day of hair-pulling, the culprit was found: a broken port channel. The upstream switch had two ports configured for "channel-group mode on". The downstream switch had been replaced recently and cabled incorrectly.
```
SW1 Gi0/1 ---- SW2 Gi0/1
SW1 Gi0/2 ---- SW2 Gi0/2
```
```
SW1 Gi0/1 ---- SW2 Gi0/2
SW1 Gi0/2 ---- SW2 Gi0/3
```
SW1 Gi0/1-2 are set for "mode on", SW2 Gi0/2 is set for "mode on", and SW2 Gi0/3 is just an access port. Since "mode on" doesn't do any sanity checking, SW1 assumes that both ports on the other side are in a port channel and happily sends data. No one bothered to set up BPDU guard on access ports (and most were set for "switchport mode desirable" to boot), so SW2 happily accepts whatever is sent to it and MACs start flapping all over the place.
It took so long to track down because the entire network is a single L2 domain, so a problem in building 1 manifests as MAC flaps in buildings 2, 3, 4, & 5 as well. We had to verify every single trunk port to catch the problem. Now they gotta go check switch configs in ALL of their locations (over 1,200 switches) because the vendor used the same broken template for everything.
TL;DR LACP = good, "channel-group mode on" = bad
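A small config audit for the failure mode described in this post, written here as an added example (not the poster's code or any Cisco tool). It parses an IOS-style running-config and flags the three things the post calls out: port-channel members bundled with static "mode on", ports left in dynamic trunk negotiation, and access/dynamic ports without BPDU guard. The sample config is constructed, not taken from the post's network.

```python
import re

# Constructed sample running-config excerpt; reproduces the pattern in the post.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet0/2
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/4
 switchport mode dynamic desirable
!
interface GigabitEthernet0/5
 switchport mode access
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/6
 channel-group 2 mode active
!
"""

CHANNEL_RE = re.compile(r"channel-group (\d+) mode (\S+)")


def parse_interfaces(config):
    """Return {interface_name: [stripped sub-config lines]} from IOS-style text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any top-level line ends the interface stanza
    return interfaces


def audit(config):
    """Return (interface, finding) tuples for the risks the post describes."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        bundle = next((m for m in map(CHANNEL_RE.match, lines) if m), None)
        if bundle and bundle.group(2) == "on":
            # Static bundling skips the peer consistency checks LACP would do.
            findings.append((name, "STATIC_BUNDLE"))
        dynamic = any(l.startswith("switchport mode dynamic") for l in lines)
        if dynamic:
            findings.append((name, "DYNAMIC_TRUNK"))
        edge = dynamic or any(l.startswith("switchport mode access") for l in lines)
        if edge and "spanning-tree bpduguard enable" not in lines:
            findings.append((name, "NO_BPDUGUARD"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```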
I am trying to install Cisco AnyConnect clients on Windows 10 HP laptops. The installation hangs as it gets very close to the finish point and complains that: "There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor"
I have tried to disable all of my firewall and disable antivirus software. I have also added my ASA address as a trust site in the "Internet Options".
If you have any workaround, please help
I'm not really sure where to start here. My 4948E reaches the end of the blurb I posted below and then waits for about 10 seconds. The status light then switches to orange from green and then it shuts down shortly after. Does anyone have any idea what's wrong with this? I don't have any diagnostic messages after what I posted to help me out. Any help would be appreciated, thanks!
```
Power-on-self-test for Module 1: WS-C4948E
Test Status: (. = Pass, F = Fail, U = Untested)
CPU Subsystem Tests ...
Traffic: L3 Looopback ...
Test Results: Pass
Traffic: L2 Loopback ...
Test Results: Pass
Switching Subsystem Memory ...
Packet Memory Test Results: Pass
Module 1 Passed
Rommon reg: 0x00000780
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-LANBASE-M), Version 12.2(54)SG, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Sun 27-Jun-10 08:37 by prod_rel_team
Image text-base: 0x10000000, data-base: 0x12823FA8
cisco WS-C4948E (MPC8548) processor (revision 5) with 1048576K bytes of memory.
Processor board ID CAT1524S2PD
MPC8548 CPU at 1GHz, Cisco Catalyst 4948E
Last reset from Push Button Reset
1 Virtual Ethernet interface
48 Gigabit Ethernet interfaces
4 Ten Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.
```
I have some questions about some log messages I have been seeing. Not sure if this is working properly or I have some configuration error somewhere I need to fix. On the 7th I updated the IOS on a switch that is directly connected to our core, and of course I had to reboot it. Everything went well and no issues, but I saw these log messages on the core:
```
Aug 7 2018 19:04:43.785: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 18 on TenGigabitEthernet1/1/22 VLAN1.
Aug 7 2018 19:04:43.785: %SPANTREE-2-BLOCK_PVID_PEER: Blocking TenGigabitEthernet1/1/22 on VLAN0018. Inconsistent peer vlan.
Aug 7 2018 19:04:43.786: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking TenGigabitEthernet1/1/22 on VLAN0001. Inconsistent local vlan.
Aug 7 2018 19:04:43.786: %SPANTREE-2-BLOCK_PVID_PEER: Blocking TenGigabitEthernet1/1/22 on VLAN0025. Inconsistent peer vlan.
Aug 7 2018 19:04:43.786: %SPANTREE-2-BLOCK_PVID_PEER: Blocking TenGigabitEthernet1/1/22 on VLAN0040. Inconsistent peer vlan.
Aug 7 2018 19:04:59.860: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking TenGigabitEthernet1/1/22 on VLAN0018. Port consistency restored.
Aug 7 2018 19:04:59.940: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking TenGigabitEthernet1/1/22 on VLAN0025. Port consistency restored.
Aug 7 2018 19:05:00.176: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking TenGigabitEthernet1/1/22 on VLAN0040. Port consistency restored.
Aug 7 2018 19:05:00.177: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking TenGigabitEthernet1/1/22 on VLAN0001. Port consistency restored.
```
Then today I created a new VLAN on our core and then added it to a couple other switches and saw these messages on the core:
```
Aug 14 2018 08:28:51.262: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 37 on Port-channel3 VLAN999.
Aug 14 2018 08:28:51.263: %SPANTREE-2-BLOCK_PVID_PEER: Blocking Port-channel3 on VLAN0037. Inconsistent peer vlan.
Aug 14 2018 08:28:51.263: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking Port-channel3 on VLAN0999. Inconsistent local vlan.
Aug 14 2018 08:29:06.260: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking Port-channel3 on VLAN0037. Port consistency restored.
Aug 14 2018 08:29:06.260: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking Port-channel3 on VLAN0999. Port consistency restored.
```
Is this normal? Or do I need to fix something?
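A way to answer "is this normal?" from the logs themselves, added here as an example (not the poster's code or a Cisco tool): it parses %SPANTREE-2 PVID messages, records the native VLAN pair each RECV_PVID_ERR reports (local vs. peer), pairs every BLOCK_PVID_* with its UNBLOCK_CONSIST_PORT per port and VLAN, and reports how long each block lasted. Short-lived blocks around a reboot or a VLAN add look like the post's; a block with no matching unblock is the one to chase. The first lines below are taken from the post's Aug 7 output; the final line is a constructed one with no unblock.

```python
import re
from datetime import datetime

# Post's log lines plus one constructed line (GigabitEthernet1/0/5) that never unblocks.
SAMPLE_LOG = """\
Aug 7 2018 19:04:43.785: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 18 on TenGigabitEthernet1/1/22 VLAN1.
Aug 7 2018 19:04:43.785: %SPANTREE-2-BLOCK_PVID_PEER: Blocking TenGigabitEthernet1/1/22 on VLAN0018. Inconsistent peer vlan.
Aug 7 2018 19:04:43.786: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking TenGigabitEthernet1/1/22 on VLAN0001. Inconsistent local vlan.
Aug 7 2018 19:04:59.860: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking TenGigabitEthernet1/1/22 on VLAN0018. Port consistency restored.
Aug 7 2018 19:05:00.177: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking TenGigabitEthernet1/1/22 on VLAN0001. Port consistency restored.
Aug 7 2018 19:06:10.000: %SPANTREE-2-BLOCK_PVID_PEER: Blocking GigabitEthernet1/0/5 on VLAN0040. Inconsistent peer vlan.
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d\.\d+): %SPANTREE-2-(?P<msg>\w+): (?P<rest>.*)$")
BLOCK_RE = re.compile(r"(?:Blocking|Unblocking) (?P<port>\S+) on VLAN(?P<vlan>\d+)\.")
RECV_RE = re.compile(r"inconsistent peer vlan id (?P<peer>\d+) on (?P<port>\S+) VLAN(?P<local>\d+)\.")


def parse_ts(ts):
    """Parse 'Aug 7 2018 19:04:43.785' (single or double space after the month)."""
    return datetime.strptime(" ".join(ts.split()), "%b %d %Y %H:%M:%S.%f")


def analyze(log):
    """Return native-VLAN mismatches and per-(port, vlan) block durations in seconds.

    A duration of None means the block was never followed by an unblock in this log."""
    mismatches, opened, blocks = [], {}, {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg, rest = parse_ts(m["ts"]), m["msg"], m["rest"]
        if msg == "RECV_PVID_ERR":
            r = RECV_RE.search(rest)
            mismatches.append((r["port"], int(r["local"]), int(r["peer"])))
        elif msg.startswith("BLOCK_PVID"):
            b = BLOCK_RE.search(rest)
            key = (b["port"], int(b["vlan"]))
            opened.setdefault(key, ts)   # keep the first block time if repeated
            blocks[key] = None
        elif msg == "UNBLOCK_CONSIST_PORT":
            b = BLOCK_RE.search(rest)
            key = (b["port"], int(b["vlan"]))
            if key in opened:
                blocks[key] = (ts - opened.pop(key)).total_seconds()
    return {"mismatches": mismatches, "blocks": blocks}


def unresolved(result):
    """(port, vlan) pairs still blocked at the end of the log, sorted for stable output."""
    return sorted(k for k, dur in result["blocks"].items() if dur is None)


if __name__ == "__main__":
    res = analyze(SAMPLE_LOG)
    for port, local, peer in res["mismatches"]:
        print(f"native VLAN mismatch on {port}: local {local}, peer {peer}")
    for (port, vlan), dur in res["blocks"].items():
        print(f"{port} VLAN{vlan}: {'still blocked' if dur is None else f'blocked {dur:.3f}s'}")
```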