1

Good morning guys!

We are implementing a new environment for a customer and we will put in some different devices. One of those is the Cisco C93180YC (Multisite solution). Per environment we have one of these switches per rack (2 racks per environment), connected to the spine Nexus 9504 through an uplink port, and the thing is:

  • Is it mandatory to have a direct cable between the multisite switches in order to interconnect them? Or can this connection be done through the connectivity between the spines?

If the question isn't clear, please let me know. Thanks in advance :)

1
1 comment
5

Customer wants the layout of the new box to match the old one.

Help! Thank you

5
2 comments
5

I'm looking at buying an SG350X-24 switch, the one with the four SFP+ sockets on it. Are the four SFP+ sockets, labeled "expansion slot", standard switch ports?

5
4 comments
1

I was wondering if it was possible to connect a Cisco console to a laptop using a rollover RJ45-to-RJ45 cable and an Ethernet-to-USB adapter, such as this one:

https://www.bol.com/nl/p/usb-naar-internet-ethernet-lan-netwerk-adapter-zwart/9200000065763613/?Referrer=ADVNLGOO002013-G-49170247355-S-446365929732-9200000065763613&gclid=EAIaIQobChMImsPfzYvw3AIVCL7tCh3_pgrHEAQYAiABEgJeZvD_BwE&gclsrc=aw.ds&language=en

Will these in combination work to connect to and manage the switch?

Edit: terminology

1
7 comments
12

Where to NAT? Where to run BGP? Check out our latest tutorial presenting the dual ISP with BGP - NAT Configuration.

12
comment
0

I'm getting "Invalid Code version number" with any image I try to load.

https://i.imgur.com/Db4c0FV.png

am I doing something wrong?

0
6 comments
1

I'm doing my CCNA-Security since I just finished with my CCNA-R&S and now I'm hearing about this CCP software. I've got it installed and been messing with it, but the only devices I have that work with it are basically routers. Is this how it's basically designed? My switches get discovered but really can't do anything with them. My 5510 and 5506-X don't seem to work with it at all. The book seems to push I need to know how to use this because it's on the CCNA-Security. Is this a widely popular used tool? I've never seen/heard of it before now.

1
10 comments
4

Hello everyone,

I'm a little confused here. I'm having a tour of a company, and I found out that they are working with one IP address on two interfaces of one router; as far as I know, every interface has its own IP address!
Can you please explain this to me, and if possible, how I can do it in Cisco Packet Tracer?
Thanks in advance.

4
18 comments
1

```
sh ver
SW version    1.4.8.6 ( date  10-Jul-2017 time  17:14:12 )
Boot version  1.3.5.06 ( date  21-Jul-2013 time  15:12:10 )
HW version    V01
```

Initial Config:

```
sh ru
config-file-header
v1.4.8.6 / R800_NIK_1_4_202_008 CLI v1.0
set system mode switch

file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 11,21,25,506
exit
voice vlan id 506
voice vlan oui-table add 0001e3 SiemensAG_phone_______
voice vlan oui-table add 00036b Ciscophone____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3CAolynk_____________
voice vlan oui-table add 0060b9 Philipsand_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone__________
voice vlan oui-table add 00e075 Polycom/Veritelphone__
voice vlan oui-table add 00e0bb 3Comphone_____________
!
interface fastethernet1
no spanning-tree portfast
switchport trunk allowed vlan add 506
switchport trunk native vlan 25
!
```

After I plug this phone in:

```
sh ru
config-file-header
v1.4.8.6 / R800_NIK_1_4_202_008 CLI v1.0
set system mode switch

file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 11,21,25,506
exit
voice vlan id 506
voice vlan oui-table add 0001e3 SiemensAG_phone_______
voice vlan oui-table add 00036b Ciscophone____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3CAolynk_____________
voice vlan oui-table add 0060b9 Philipsand_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone__________
voice vlan oui-table add 00e075 Polycom/Veritelphone__
voice vlan oui-table add 00e0bb 3Comphone_____________
!
interface fastethernet1
storm-control broadcast enable
storm-control broadcast level 10
storm-control include-multicast
port security max 10
port security mode max-addresses
port security discard trap 60
spanning-tree portfast
switchport trunk allowed vlan add 506
macro description ip_phone_desktop
!next command is internal.
macro auto smartport dynamic_type ip_phone_desktop
!
```

I tried Googling around but I can find the setting for it to keep the configured native VLAN. Has anyone set this up before?

1
1 comment
1

We are looking to support some remote workers. We have some Call Manager/UCCX requirements. For business users CSF phones through MRA is fine however, CSFs through MRA do not support CTI and call recording so for UCCX agents, this solution doesn't work. Only 7800s and 8800s support bidirectional CTI and call recording through MRA. So knowing this, we are trying to come up with ways to deliver CSFs to end users AND get CTI and Call Recording working properly. The obvious solution to this is to extend the network to the end user somehow.

One of the scenarios that we wanted to investigate is sending a user a small device that can establish an S2S VPN tunnel and perhaps give us some QoS metrics across the line. Ideally we would put together a package for an end user that would include a laptop/workstation preloaded with software and a device that they hardwire into their own network. I am looking for a small "magic box" of some sort that we could potentially buy and manage for user connectivity to help us ensure delivery of service. I saw the following two products:

  • Meraki x64
  • Meraki x65

Looks like they run between $400 and $800. Does anyone have any other thoughts/ideas? The solution is for one worker in a single household attached to a home user's Internet connection. Again, this is just one scenario. We have an AnyConnect-based architecture that we are looking at and an MRA-enabled 7800 or 8800 solution as well. This would just be a plan C option.

1
7 comments
3

I have an ASA5585. For an example, let's say I have a public IP of 1.1.1.1 and a wildcard DNS record of *example.com that sends all traffic to that IP. That traffic is sent from the ASA to a load balancer. Is there a way for me to block certain inbound traffic to a specific URL inside my network? Say I want to block INBOUND traffic to cisco.example.com but allow all other traffic to example.com? Remember, this is INBOUND traffic, not OUTBOUND. I don't believe I can do this, but maybe I'm wrong.

UPDATE:

Cisco Support has confirmed that this is possible using regex and class-maps, but is very unusual for inbound traffic, and of course it will not work for HTTPS traffic because regex on the ASA does not do deep packet inspection.

3
19 comments
1

Hey,

what do you set your logging trap level on your access and core switches to for your general syslog hosts?

1
4 comments
20

Hi guys,

I find myself in the position that I have to plan the networking for a LAN party with up to 2000 participants. This is a bit of a challenge, as until now we've done 350 people max. This obviously means we're going to need to get some new equipment.

Currently, we use 4948 switches for the edges. I'm thinking to continue with this, but mix in a few 4948-10GE as well.

For the core we use a 4900M, but obviously that won't do the trick anymore.

We're currently running a 2x1Gb LAG between edge and core, and I'd like to continue with this.

I looked at the Catalyst 6500, but as far as I can tell the backplane is a lot weaker, leading to bad oversubscription ratios for the line cards.

After looking around some more, I'm thinking the Nexus 7009, 7010 or similar (depending on what we can get cheaply on ebay) would do the trick.

If anyone has any other suggestions I'm open for that, too.

So, looking at pricing for used parts on eBay, what I'm thinking is ... Nexus 7009 chassis, with:

2x N7K-SUP1

5x N7K-C7009-FAB-2

1x N7K-M148GT-11

3x N7K-F248XP-25E

Can you guys confirm that these are compatible?

Any nasty surprises I should be aware of?

20
96 comments
2

I have an old UCS 560 with a SIP trunk that I want to add some internet redundancy to. I have two net links managed by a Meraki MX 100. Basically it port forwards to the target device from the two different ISP connections to an internal private IP. Meanwhile my SIP provider can be configured with multiple origination IPs with a priority list so if the primary link goes down, it will start sending calls into the second one.

My problem is, I need to rewrite the SIP headers to keep the calls alive, else they'll drop after about 10 seconds due to a keepalive lack of response (hope I'm using the right term; basically an ACK and OK response). I get around that by rewriting SIP headers from the internal private IP to the public IP.

Example:

```
voice class sip-profiles 1
     response ANY sip-header Contact modify "192.168.0.2" "1.1.1.1"
     request ANY sip-header Contact modify "192.168.0.2" "1.1.1.1"
     response ANY sdp-header Audio-Connection-Info modify "192.168.0.2" "1.1.1.1"
     response ANY sdp-header Connection-Info modify "192.168.0.2" "1.1.1.1"
     response ANY sdp-header Session-Owner modify "192.168.0.2" "1.1.1.1"
     request ANY sdp-header Audio-Connection-Info modify "192.168.0.2" "1.1.1.1"
     request ANY sdp-header Connection-Info modify "192.168.0.2" "1.1.1.1"
     request ANY sdp-header Session-Owner modify "192.168.0.226" "1.1.1.1"
```

My problem comes in when a call comes in via the secondary IP. The headers are still rewritten to the primary IP so the call drops after about 10 seconds when the keepalive fails to return an OK.

Is there any way I can have my cake and eat it too in this scenario? Or an alternate plan of attack that doesn't require header rewrites?

Thanks.

2
5 comments
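The sip-profiles approach in the post above hard-codes one public address, which is exactly why calls arriving on the second ISP break. The added example below (not code from the post, and not Cisco configuration) models the rewrite the poster wants in Python: it reads the public address the provider actually dialled from the Request-URI of the inbound INVITE, rewrites Contact and the SDP o=/c= lines of the outbound response to that address, and recomputes Content-Length because the address length changes. The addresses, the sample INVITE and the sample 200 OK are constructed; 192.168.0.2, 1.1.1.1 and 2.2.2.2 stand in for the internal CME and the two ISP-facing addresses.

```python
import re

INTERNAL_IP = "192.168.0.2"            # CME behind the Meraki (assumed)
PUBLIC_IPS = {"1.1.1.1", "2.2.2.2"}    # primary / secondary ISP addresses (assumed)

# Match INTERNAL_IP only as a whole address: a plain str.replace() of
# "192.168.0.2" would also clobber a neighbour such as 192.168.0.226.
_INTERNAL_RE = re.compile(r"(?<![\d.])" + re.escape(INTERNAL_IP) + r"(?![\d.])")


def arrival_ip(inbound_request: str) -> str:
    """Public address the provider dialled, taken from the Request-URI host.

    An INVITE that came in over the secondary ISP carries that link's address
    in its Request-URI, so it tells us which address the far end expects to
    see in our Contact and SDP for the rest of the dialog."""
    request_line = inbound_request.split("\r\n", 1)[0]
    m = re.match(r"^[A-Z]+ +sips?:(?:[^@ ]+@)?([^:;> ]+)", request_line)
    if not m or m.group(1) not in PUBLIC_IPS:
        raise ValueError(f"Request-URI does not name one of our public IPs: {request_line!r}")
    return m.group(1)


def rewrite(outbound: str, public_ip: str) -> str:
    """Rewrite Contact and the SDP o=/c= lines from INTERNAL_IP to public_ip,
    then recompute Content-Length because the address length changed."""
    head, _, body = outbound.partition("\r\n\r\n")
    new_body = "\r\n".join(
        _INTERNAL_RE.sub(public_ip, ln) if ln.startswith(("o=", "c=")) else ln
        for ln in body.split("\r\n")
    )
    new_head = []
    for ln in head.split("\r\n"):
        name, colon, value = ln.partition(":")
        key = name.strip().lower() if colon else ""
        if key in ("contact", "m"):            # 'm' is the compact form of Contact
            ln = name + ":" + _INTERNAL_RE.sub(public_ip, value)
        elif key in ("content-length", "l"):
            ln = name + ": " + str(len(new_body.encode()))
        new_head.append(ln)
    return "\r\n".join(new_head) + "\r\n\r\n" + new_body


def reply_for(inbound_request: str, outbound_response: str) -> str:
    """Pick the public address from the inbound leg, rewrite the outbound one."""
    return rewrite(outbound_response, arrival_ip(inbound_request))


# Constructed sample: the provider's INVITE arrived via the secondary link ...
INBOUND_INVITE = (
    "INVITE sip:+15551234567@2.2.2.2:5060 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:+15557654321@203.0.113.10>;tag=1928301774\r\n"
    "To: <sip:+15551234567@2.2.2.2>\r\n"
    "Call-ID: a84b4c76e66710@203.0.113.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
# ... and the CME's answer before any rewrite (Content-Length deliberately stale).
OUTBOUND_OK = (
    "SIP/2.0 200 OK\r\n"
    "Contact: <sip:+15551234567@192.168.0.2:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "v=0\r\n"
    "o=CiscoSystemsSIP-GW-UserAgent 6520 4112 IN IP4 192.168.0.2\r\n"
    "s=SIP Call\r\n"
    "c=IN IP4 192.168.0.2\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 0\r\n"
)

if __name__ == "__main__":
    print(reply_for(INBOUND_INVITE, OUTBOUND_OK))
```

Two details carry over to any real rewrite rule set: match the private address as a whole token (the post's own profile substitutes both 192.168.0.2 and 192.168.0.226, which a bare substring match would conflate), and remember that changing an address in the SDP changes the body length, so Content-Length must follow.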
1

Not sure where else to ask this. I got a new router because my old one was having problems. The old WiFi system (let's call this WiFi A) was a Cisco "system". It had 3 units or parts to it. There was the main router, then connected to that was an Ethernet switch. Neither the router nor the switch gave off a signal though; in order to get a wireless signal, we had to connect these antennas. They were more than just an antenna you would connect to the router though; it was like a separate extender that you would have to connect to the router via Ethernet.

Okay, now that you know how the old system worked, let's get to the problem. I got this new router; it's NOT a Cisco router. I want to use the extenders or antennas from the old system with this new router to boost the connection around the house. However, when I plug the extenders into the new router, they give off the network signal and name of the old system. When I try to connect to WiFi on the device, the name from the old system comes up along with the name of the new system. The extenders seem to be giving off the signal for system A still, even though they are connected to the new router.

Is there any way I could fix this problem?

1
6 comments
27

A few days ago I posted about a network outage that involved a rather large network. After another full day of hair-pulling, the culprit was found: a broken port channel. The upstream switch had two ports configured for "channel-group mode on". The downstream switch had been replaced recently and cabled incorrectly.

Correct way:

SW1 Gi0/1 ---- SW2 Gi0/1
SW1 Gi0/2 ---- SW2 Gi0/2

Outage way:

SW1 Gi0/1 ---- SW2 Gi0/2
SW1 Gi0/2 ---- SW2 Gi0/3

SW1 Gi0/1-2 are set for "mode on", SW2 Gi0/2 is set for "mode on", and SW2 Gi0/3 is just an access port. Since "mode on" doesn't do any sanity checking, SW1 assumes that both ports on the other side are in a port channel and happily sends data. No one bothered to set up BPDU guard on access ports (and most were set for "switchport mode desirable" to boot), so SW2 happily accepts whatever is sent to it and MACs start flapping all over the place.

It took so long to track down because the entire network is a single L2 domain, so a problem in building 1 manifests as MAC flaps in buildings 2, 3, 4, & 5 as well. We had to verify every single trunk port to catch the problem. Now they gotta go check switch configs in ALL of their locations (over 1,200 switches) because the vendor used the same broken template for everything.

TL;DR LACP = good, "channel-group mode on" = bad

27
21 comments
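Both the port-channel outage above and the Smartport thread earlier on this page (where the ip_phone_desktop macro silently dropped `switchport trunk native vlan 25` from fastethernet1) are the kind of thing a config check catches before the network does. The added example below is not code from either post: it splits an IOS- or SG-style running-config into interface blocks, diffs one interface between a before and after config, and lints for the three conditions the outage post names (static `channel-group ... mode on`, DTP left in dynamic desirable, and edge ports without BPDU guard). The SW1/SW2 configs are constructed from the post's description (interface names and the extra Gi0/4 are assumptions); the fastethernet1 before/after lines are taken from the Smartport post. Only per-interface `spanning-tree bpduguard enable` is checked; a global `spanning-tree portfast bpduguard default` is not considered.

```python
def parse_interfaces(config: str) -> dict:
    """Split a running-config into {interface_name: [commands]}.

    Assumes IOS conventions: a block starts at 'interface X' and ends at a
    bare '!' or the next 'interface' line; other lines beginning with '!'
    are comments (the SG series emits '!next command is internal.').
    Leading indentation is stripped so IOS and SG output parse the same."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif line.strip() == "!":
            current = None
        elif line.lstrip().startswith("!"):
            continue
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks


def diff_interface(before: str, after: str, name: str) -> dict:
    """Commands removed from / added to one interface between two configs."""
    b = set(parse_interfaces(before).get(name, []))
    a = set(parse_interfaces(after).get(name, []))
    return {"removed": sorted(b - a), "added": sorted(a - b)}


def lint(config: str) -> list:
    """Return (interface, finding) pairs for the conditions behind the outage."""
    findings = []
    dtp = {"switchport mode dynamic desirable", "switchport mode dynamic auto"}
    for name, cmds in parse_interfaces(config).items():
        cs = set(cmds)
        for c in cmds:
            if c.startswith("channel-group ") and c.endswith(" mode on"):
                findings.append((name, f"static bundle '{c}': no LACP check of the far end; use 'mode active'"))
        if cs & dtp:
            findings.append((name, "DTP negotiation enabled; pin the port to access or trunk and add 'switchport nonegotiate'"))
        edge = ({"switchport mode access"} | dtp) & cs
        if edge and "spanning-tree bpduguard enable" not in cs:
            findings.append((name, "edge port without 'spanning-tree bpduguard enable'"))
    return findings


# Constructed from the outage description: SW1 bundles Gi0/1-2 statically ...
SW1 = """\
interface GigabitEthernet0/1
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet0/2
 switchport mode trunk
 channel-group 1 mode on
!
"""
# ... while on SW2 only Gi0/2 is in the bundle and Gi0/3 is a plain DTP port.
SW2 = """\
interface GigabitEthernet0/2
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet0/3
 switchport mode dynamic desirable
!
interface GigabitEthernet0/4
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
"""
# fastethernet1 from the Smartport post, before and after the phone was plugged in.
SG_BEFORE = """\
interface fastethernet1
no spanning-tree portfast
switchport trunk allowed vlan add 506
switchport trunk native vlan 25
!
"""
SG_AFTER = """\
interface fastethernet1
storm-control broadcast enable
storm-control broadcast level 10
storm-control include-multicast
port security max 10
port security mode max-addresses
port security discard trap 60
spanning-tree portfast
switchport trunk allowed vlan add 506
macro description ip_phone_desktop
!next command is internal.
macro auto smartport dynamic_type ip_phone_desktop
!
"""

if __name__ == "__main__":
    for label, cfg in (("SW1", SW1), ("SW2", SW2)):
        for iface, msg in lint(cfg):
            print(f"{label} {iface}: {msg}")
    print(diff_interface(SG_BEFORE, SG_AFTER, "fastethernet1"))
```

Running the lint over both sides of a link is the point: SW1 on its own only shows "mode on", and it is the asymmetry with SW2 (one bundled port plus one DTP port with no BPDU guard) that turned a cabling mistake into a loop. The diff shows the native VLAN line and `no spanning-tree portfast` disappearing when the macro applies, which is what the Smartport poster was looking for.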
0
2

Hi all,

I am trying to install Cisco AnyConnect clients on Windows 10 HP laptops. The installation hangs as it gets very close to the finish point and complains: "There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor."

I have tried disabling my firewall and antivirus software. I have also added my ASA address as a trusted site in "Internet Options".

If you have any workaround, please help

2
10 comments
2

I'm not really sure where to start here. My 4948E reaches the end of the blurb I posted below and then waits for about 10 seconds. The status light then switches from green to orange and it shuts down shortly after. Does anyone have any idea what's wrong with this? I don't have any diagnostic messages after what I posted to help me out. Any help would be appreciated, thanks!

```
Power-on-self-test for Module 1: WS-C4948E
Test Status: (. = Pass, F = Fail, U = Untested)
CPU Subsystem Tests ...
seeprom: Pass
Traffic: L3 Looopback ...
Test Results: Pass
Traffic: L2 Loopback ...
Test Results: Pass
Switching Subsystem Memory ...
Packet Memory Test Results: Pass
Module 1 Passed

Rommon reg: 0x00000780
##############################################################

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-LANBASE-M), Version 12.2(54)SG, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Sun 27-Jun-10 08:37 by prod_rel_team
Image text-base: 0x10000000, data-base: 0x12823FA8

cisco WS-C4948E (MPC8548) processor (revision 5) with 1048576K bytes of memory.
Processor board ID CAT1524S2PD
MPC8548 CPU at 1GHz, Cisco Catalyst 4948E
Last reset from Push Button Reset
1 Virtual Ethernet interface
48 Gigabit Ethernet interfaces
4 Ten Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.
```

2
2 comments
1

Hey /r/Cisco,

I have some questions about some log messages I have been seeing. Not sure if this is working properly or I have some configuration error somewhere I need to fix. On the 7th I updated the IOS on a switch that is directly connected to our core, and of course I had to reboot it. Everything went well and no issues, but I saw these log messages on the core:

```
Aug 7 2018 19:04:43.785: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 18 on TenGigabitEthernet1/1/22 VLAN1.
Aug 7 2018 19:04:43.785: %SPANTREE-2-BLOCK_PVID_PEER: Blocking TenGigabitEthernet1/1/22 on VLAN0018. Inconsistent peer vlan.
Aug 7 2018 19:04:43.786: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking TenGigabitEthernet1/1/22 on VLAN0001. Inconsistent local vlan.
Aug 7 2018 19:04:43.786: %SPANTREE-2-BLOCK_PVID_PEER: Blocking TenGigabitEthernet1/1/22 on VLAN0025. Inconsistent peer vlan.
Aug 7 2018 19:04:43.786: %SPANTREE-2-BLOCK_PVID_PEER: Blocking TenGigabitEthernet1/1/22 on VLAN0040. Inconsistent peer vlan.
Aug 7 2018 19:04:59.860: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking TenGigabitEthernet1/1/22 on VLAN0018. Port consistency restored.
Aug 7 2018 19:04:59.940: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking TenGigabitEthernet1/1/22 on VLAN0025. Port consistency restored.
Aug 7 2018 19:05:00.176: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking TenGigabitEthernet1/1/22 on VLAN0040. Port consistency restored.
Aug 7 2018 19:05:00.177: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking TenGigabitEthernet1/1/22 on VLAN0001. Port consistency restored.
```

Then today I created a new VLAN on our core and then added it to a couple other switches and saw these messages on the core:

```
Aug 14 2018 08:28:51.262: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 37 on Port-channel3 VLAN999.
Aug 14 2018 08:28:51.263: %SPANTREE-2-BLOCK_PVID_PEER: Blocking Port-channel3 on VLAN0037. Inconsistent peer vlan.
Aug 14 2018 08:28:51.263: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking Port-channel3 on VLAN0999. Inconsistent local vlan.
Aug 14 2018 08:29:06.260: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking Port-channel3 on VLAN0037. Port consistency restored.
Aug 14 2018 08:29:06.260: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking Port-channel3 on VLAN0999. Port consistency restored.
```

Is this normal? Or do I need to fix something?

1
6 comments
0

Hi,

Anyone gotten it to work? The one that's in Cisco's repo on GitHub is really broken and only works with SCP for me. I really would like TFTP instead for simplicity.

Anyone got any updated ones? Can't find one in the download center either.

0
4 comments
1

We have a ASA 5508-X and regularly experience bandwidth issues when someone is downloading files. Internet connection is 30/30 Mbps, but when I download a large iso file for example, internet is unusable for all other users..
I know I can create a service policy matching http/https with QoS and limit the bandwidth to x Mbps, but I don't think that's what I need since this is probably applied globally and not per ip or per session.
How can I prevent single users or services (WSUS for example) from saturating the entire internet connection?

1
6 comments
1

Why do i get this warning:

"File policy rule targeting application protocol "any" may never be triggered due to application selection."

Here is the rule I made:

https://i.redd.it/lucr1tj280g11.jpg

https://i.redd.it/dpsy8wcz42g11.jpg

1
6 comments
0

What does everyone use to archive the traffic from FMC long term? Also to explore the data. The FMC is nice but I run the Virtual which logs for less than 3 hours of data at the moment.

0
8 comments
2

I inherited a virtual Cisco FirePOWER appliance. My only experience was one integrated with an ASA. I’m having trouble understanding how traffic is being forwarded to the virtual appliance for inspection? I assume there is a SPAN port somewhere. How do I determine how the virtual appliance is getting the packets? It is NOT inline.

2
9 comments
7

I've got a high-profile user whose computer, I believe, goes unauthed after long periods of inactivity. I am pretty sure the PC might be going into sleep mode or disabling the NIC for low-power mode, but seeing as how this has been an ongoing issue, it's falling to me to deal with.

I have already tried a few different things:

  • Turning up/turning down the frequency of "authentication periodic"
  • Turning off "authentication periodic"
  • I've setup PRTG to alert me when the port is "down" but the port doesn't appear to go down (makes sense, layer 1 probably never drops completely, the nic probably just goes inactive or the PC stops handing off the certificate).
  • By the time the user comes over to my desk to complain that he's getting "no login servers available", the port is already coming up in "Auth" state so I never actually "catch" the issue as it's going.

I have basic log output going to my syslog collectors. I need to figure out a way I can get an Unauth message to go to an alert. If I can get the port status of "unauth" to report to my syslog, I can get Splunk to report on it. Anyone have any thoughts on this?

7
15 comments