
Hello all,

I'm setting up a port-channel between my two Nexus 3524X switches and two 3750x switches (they are stacked). I'm wondering if you folks can take a quick gander at my config and see if I'm missing something? TIA!

Nexus1:

interface port-channel10
 description PORT-CHANNEL TO xxstack
 switchport mode trunk
 spanning-tree port type normal
 vpc 10

interface Ethernet1/1
 description PORT-CHANNEL xxstack[INT:Te1/1/1]
 switchport mode trunk
 spanning-tree port type normal
 channel-group 10 mode active
 no shutdown

interface Ethernet1/2
 description PORT-CHANNEL TO xxstack[INT:Te2/1/1]
 switchport mode trunk
 spanning-tree port type normal
 channel-group 10 mode active
 no shutdown

Nexus2:

interface port-channel10
 speed 10000
 description PORT-CHANNEL TO xxstack
 switchport mode trunk
 spanning-tree port type normal
 vpc 10

interface Ethernet1/1
 description PORT-CHANNEL TO xxstack [INT:Te1/1/2]
 switchport mode trunk
 spanning-tree port type normal
 channel-group 10 mode active
 no shutdown

interface Ethernet1/2
 description PORT-CHANNEL TO xxstack [INT:Te2/1/2]
 switchport mode trunk
 spanning-tree port type normal
 channel-group 10 mode active
 no shutdown

3750x Stack:

interface Port-channel10
 description 3750x stack Port-Channel Interface to NEXUS
 switchport trunk encapsulation dot1q
 switchport mode trunk
end

interface TenGigabitEthernet1/1/1
 description PORT-CHANNEL TO nexus1 [INT:ETH1/1]
 switchport trunk encapsulation dot1q
 switchport mode trunk
 shutdown
 channel-group 10 mode active
end

interface TenGigabitEthernet2/1/1
 description PORT-CHANNEL TO nexus1 [INT:ETH/2]
 switchport trunk encapsulation dot1q
 switchport mode trunk
 shutdown
 channel-group 10 mode active
end

interface TenGigabitEthernet1/1/2
 description PORT-CHANNEL TO nexus2 [INT:ETH1/1]
 switchport trunk encapsulation dot1q
 switchport mode trunk
 shutdown
 channel-group 10 mode active
end

interface TenGigabitEthernet2/1/2
 description PORT-CHANNEL TO nexus 2 [INT:ETH1/2]
 switchport trunk encapsulation dot1q
 switchport mode trunk
 shutdown
 channel-group 10 mode active
end


Saw this post from a few days back, wanted to get some clarification.

We are in an environment where TACACS+/RADIUS is currently not an option, so we are really limited to what we have on the switch. We aren't using Role Based CLI either.

What we want to do is create a low privilege user account that is allowed to run ALL "show" commands only.

My question is:

If I assign "Show" to privilege 2, does that allow every command that starts with "show" to be executed, or would I need to assign "Show ip" for all commands that start with "show ip"?


All, I'm having a hell of a time with a specific issue.

I'm trying to set up a site-to-site VPN to a third party. And they aren't the most helpful at all.

Host I am trying to reach on their internal network is: 192.100.100.5/24

My internal network: 192.168.1.0/24

They require the following:

  • Static, 1:1 policy NAT of "interesting traffic" to host 195.100.1.25/32
  • IPSec ACL from host 195.100.1.25/32 to 192.100.100.0/24

When I set up the VPN ignoring their recommendation of the 1:1 NAT and just try to ping the 192.100.100.5 address, the VPN is initiated but then torn down. I have my static NATs in place:

nat (inside,outside) source static MYINTERNALNETWORK MYINTERNALNETWORK source static THEIRINTERNALNETWORK THEIRINTERNALNETWORK no-proxy-arp route-lookup

But if I try to set up the 1:1 NAT and the IPSEC ACL as they specify, no traffic gets moved at ALL and the VPN does not even try to initiate.

I think I'm getting tripped up on the nat assignments, any input?


Hello,

So I've been trying at this for some days.
I cannot seem to get the ASA VPN to connect to the CityCampus router VPN.
I got the firewall to allow access to the server, though I'm not sure it's the right way.
The LAN below the main router works fine: DHCP, voice, trunks etc. But I just can't get these firewall configs down.
I'm not very good with firewalls, and the guides I find don't seem to match up with the one in Packet Tracer.

Here is a link to the pkt FILE

Would appreciate it if anyone could help me set up that vpn.
Any feedback appreciated!


Hi gents,

I've recently bought a stock of compatible SFPs for our 2960x (WS-C2960X-24TS-LL) from fs.com; the correct model is: https://www.fs.com/products/20358.html

It seems to be compatible with my switch... I've already entered the 2 commands required for getting unsupported SFPs to work, but with no luck. I'm still getting the error %PHY-4-SFP_NOT_SUPPORTED: The SFP in Gi0/25 is not supported when connecting the SFP, and no result in "show inventory".

My boss is gonna kill me... Any help would be very much appreciated.


I spent the better part of a day trying to figure out why I was getting the dreaded "Invoke-RestMethod : The underlying connection was closed: The connection was closed unexpectedly" error in PowerShell when trying to do a simple GET request using Invoke-RestMethod to my Cisco ASA. At first I thought it was because I had a self-signed cert on the Inside interface and tried all sorts of things to ignore the SSL security, but in the end it was one line:

PowerShell:

[System.Net.ServicePointManager]::Expect100Continue = $false;

C#/.NET:

System.Net.ServicePointManager.Expect100Continue = false;

I don't have any SSL security bypass or anything like that, just that line before my Invoke-RestMethod or HttpWebRequest.

This helpful post on StackOverflow is what finally got me past the "connection was closed unexpectedly" error: https://stackoverflow.com/a/12764845/7092295

Cheers


Q1: In an environment where AlwaysOn VPN is established and the Firepower + AMP license is enabled, is there a need for AMP for Endpoints? What functionality is gained or lost, other than AMP-E providing fancy cloud-based management access?

Q2: If for whatever reason we have both licenses, do I need to install FireAMP as well as the AMP-E agent on the endpoints? Conflicts?

Q3: I learned that an agent is mandatory for AMP for Endpoints; how about FireAMP?

Thanks in advance,


Hi everyone, can anyone clarify whether we may use 32A breakers (one per module) to power up all the power supply modules? I know the rated maximum input current draw set by Cisco is 49A at -48V. However, we have a similar setup (line card + RSP + power module) that uses around 8A - 10A at full load capacity. So is it possible to use a lower breaker rating (16A/32A) for each power supply module? Thank you.

https://www.cisco.com/c/en/us/products/collateral/routers/asr-9000-series-aggregation-services-routers/data_sheet_c78-501767.html


I've got three Aironet 1142s (all at 15.3), one on each floor of my home. Carrying Apple mobile devices (iOS 11.x) from one floor to another often causes the device to lose network access. Wi-Fi appears active, but there's no access to the network. All APs are configured identically. I have enabled 11r, but most other settings are default. 2.4 & 5 GHz are configured with the same SSID & security. All radios are at max transmit power.

I'm not a network, or IOS, pro and am looking for suggestions before I get click-happy in the web interface. Any advice you can offer will be greatly appreciated.


When Cisco ONE originally came out, I understood why it was bundled in. However, why is Prime included with DNA Licenses? I understand that Prime is likely going to go away, but why is it bundled with another management solution?


We've had intermittent connection issues all day. This morning I connected to the ASA to see the syslogs and noticed floods of "deny udp reverse path check from 1.0.254.169 to 255.255.255.255 on interface inside". That IP looks like it's from Thailand, but I'm more concerned that it's on the inside interface. Google suggested disabling reverse path check or using a BOGON ACL, but none of the example issues are the same situation I'm facing. I'm seeing a completely foreign IP checking against an invalid IP.

Any tips for how I should deal with this? Is this a LAND Attack?


So I'm sort of trying to get a good explanation of the point of having "spanning-tree portfast network" set up between two switches.

Is this something they're suggesting over no portfast, simply saying that Bridge Assurance should protect against any loops? Or is this just for certain specific situations?

Thanks for any clarification.


Does anyone know what to look out for? It's so hard to spot fakes :/

Cisco is introducing new security features on the labels attached to products from the Transceiver Module Group. What are the features?


Hello everyone.

While doing a lab I noticed that when connecting to a 2911 router from a PC with SSH, the MOTD is not shown.

However, if I try to connect with TELNET or with a TERMINAL, the MOTD is there.

Everything else works fine.

The message I get after enabling SSH ver2 with a command says it's version 1.99; could this be the issue?

Packet Tracer is the current latest version, 7.1.1.

Thanks!

EDIT:

Ah, so I tried both the login and motd banners; neither of them works when trying to SSH. They both show in Terminal and Telnet. Is there a config command to enable banners in SSH?


I want to allow a specific user to only view show commands and not be able to do anything else. How do I make that happen?


My inside interface consists of only 5 lines: the 4th line is a 'permit ip any any', the first 3 just deny individual hosts, and the fifth line is a 'deny ip any any'. I am on a purely IP based network and I am seeing packets denied by line 5 in a certain scenario. How can the access-list reach line 5 to deny IP when line 4 should pass it? The scenario is that normally I am NATing the inside (192.168.x.y) addresses to (10.159.x.y) on a less trusted interface. If a user were to give himself an address on the inside as 10.159.x.y, would the above scenario be created, i.e. would it get denied at line 5 (deny ip any any), seemingly jumping over line 4 (permit ip any any)?

EDIT: The firewall is routing via OSPF.


I was using the following to block a specific host to a whole VLAN:

access-list 101 deny ip host 10.10.10.75 192.168.0.0 0.0.0.255

But how do I make a block only between the two hosts instead of one host to a whole VLAN?


I'm using an ASR 9001-S as a PPPoE server with about 6k subscribers. I'm looking for a way to monitor the subscribers' interface traffic via SNMP, but I've got some issues. The interface names are seemingly random, and every time a subscriber reconnects its interface name changes, so I'm unable to keep graphs running on these interfaces. Is there anything I can do, or another way to monitor these interfaces?


Hello!

Quick question: I understand that best practices have us putting unused ports in a blackhole/bit bucket vlan in a suspend state. My question is, do these ports need to have "switchport mode access" configured on the port to be effective?

I.e., would a BH/BB VLAN still be effective on a port configured as follows:

GigabitEthernet1/1
 switchport access vlan 666
 shutdown

or would it have to be as follows:

GigabitEthernet1/1
 switchport access vlan 666
 switchport mode access
 shutdown

Thanks!


I had a blade go out (or so I think) on a Catalyst 4510R. My first troubleshooting attempt was to unseat the blade for a bit and reseat it. Nope, still a red PoE light. Luckily(?) I have a spare 4510R sitting next to it, so I swapped in a blade from it, but still a red light.

I did a reload but have not been able to cut power to the switch due to the live environment. I'm not sure if bumping power would even fix it. Is it safe to say that the backplane is failing? Sadly 4510Rs left support with Cisco (EOL) on April 30th, so I'm sailing in uncharted waters now.


Hi, I've got a C3560G-48TS that I think is dead following a power outage. The switch does not pass traffic or respond to pings or telnet (which it did before the outage), gives no console output whatsoever, and when plugged in the fans stay at 100% and the five lights on the left are all green. The switch doesn't give any link lights on any ports. Thankfully I had a nightly backup and a spare 3560G to replace it with. Is this switch dead, or might there be a way to recover it? I'm aware that this model is EOL, but getting my employer to buy new switches is near impossible. Thanks.


I have created a video on how VRFs work, which I'd like to share here.

I hope you find it useful, or at least interesting.

It covers what they are, why we use them, and includes a lab (with downloadable config) if you want to try on your own.

https://youtu.be/D0IT6ZKY3tg


Trying to make an access list that will only allow 2 hosts SSH access to my network devices, and deny all other IPs. I currently have all of the VTY lines set to transport input/output SSH. Would that be as simple as:

ip access-list extended SSH
 permit ip host 172.16.0.2 any log
 permit ip host 172.16.0.3 any log
 deny ip any any

line vty 0 4
 ip access-list extended SSH in

Would this prevent all connections minus those two hosts access to my infrastructure devices from the VTY lines?


Quick question. I have a Cisco ASA 5505. I just added an ESX host with 2 VMs on it. I'm wondering why the ESX host's IP is now appearing in the object group for our inside hosts. Doing show object-group, we have a group called inside_host that now lists that IP. However, it does not list the VMs' IP addresses (which I can ping from the ASA).

My question is, does the ASA auto-discover new IPs, or because interfaces 3-7 (ESX is on 4) are for inside hosts, did it auto-discover the ESX IP and add it to the inside hosts group? If this is the case, why weren't the VMs added? Might they have to be added manually?

Thanks.


I have a SF300-48PP with the latest firmware and have the error i2c_status fail or

Cisco Bug: CSCuv51342 - SF300 :POE Error(i2c_read_mem failed addr 0x139e dev_num 0 va1 0x0)

Any idea?
