LMS 4.2.3: Catalyst 6500 with SUP-2T is invisible in Inventory
Catalyst 6506 with SUP-2T (s2t54-advipservicesk9-mz.SPA.151-1.SY1.bin) was discovered by LMS, but it is invisible in Inventory. I see this switch on Topology and Cisco View is working fine, but I have never seen it in the Hardware Summary tab, for example. How can I fix this problem?
That's odd.
I'd imagine your system package updates are current given that you're on 4.2.3. Just in case, you can check via Admin > System > Software Center > Device Update. Check the Inventory Config And Image Management check box, and click Check for Updates.
Once that's confirmed, please let us know whether it shows up at all in the DCR Inventory. (Reference) If not, what if you add it manually there?
Similar Messages
-
Hi, I have a Catalyst 6500 with X6K-SUP2-2ge. The IOS and bootloader images have been wiped out, and it starts in ROMmon SP mode. I can't switch to RP to start downloading the IOS using Xmodem; though Xmodem shouldn't work in ROMmon SP mode, it's not giving the not executable message. The slot0: and disk0: are not accessible and I can't see the files inside. When I try dir slot0: or dir disk0: it says it can't be opened, and when I try to boot from them there's nothing as well. What can I do to load an IOS image to bootflash: or slot0:? Each time I load the image using Xmodem, at the end it gives me *** System received a Software forced crash ***
signal=0x17, code=0x5, context=0x0
When I run the command:
rommon1> boot bootflash:
boot: cannot determine first file name on device "bootflash:"
rommon2> boot slot0:
boot: cannot open "slot0:"
boot: cannot determine first file name on device "slot0:"
BTW System Bootstrap, version 7.1
I'm looking to format the PCMCIA card using a PC, format it to FAT16, copy the boot image onto it, and then try to load from the PCMCIA. Afterward, if it works, I'll format it using the Supervisor Engine 2.
Does anyone have another new idea I can use? Thanks in advance.
This is a potentially complex issue.
Is this SUP configured to run as IOS native or CatOS Hybrid?
While in ROMMON, can you run the 'dev' command and see what drives are recognized? Then 'dir' the drives that the SUP recognizes.
Can you provide the screen captures as it boots?
You would be better served by having a TAC case. -
Catalyst 6500 with CatOS ISCSI
Hi, I'm configuring a Catalyst 6500 for ISCSI.
Following the recommendations I have to configure: portfast, jumbo frames, flow control and disable unicast storm control
- Portfast: on the server and ISCSI SAN ports
> set spantree portfast
- Jumbo frames: Set port jumbo
- Flow Control:
> set port flow control receive desired
Questions:
1. Where do I have to configure flow control? Only on the SAN ports and NIC servers, or on server ports too?
2. Unicast storm control: how can I configure this option?
Thanks
We are having the same exact problem. We've done what you've tried with no luck also. Strange thing is that in another building we have the same setup but only with a 6148V blade and that Tandberg has no issues. We're using a 6148AF with the one we're having problems with. We've tried with a 6348 blade and it works fine. I'm thinking it's something with the 6148AF firmware (ver. 8.2(2)).
Were you able to solve your problem? -
Cisco 6500 with SUP 720 - Invalid boot Image
Diagnostic sanity check on the 6500 reports Invalid boot image "bootdisk:<output omitted>
The boot statement on the 6500 is :-
boot system bootdisk:<filename.bin> and the 6500 boots fine.
Please advise.
Thank You.
Hi,
I have found a bug which was found internally by Cisco. The bug is CSCsc98471, and the following are the details of the bug.
The command "show diagnostic sanity" checks amongst other things, if the current bootstring is matching pointing to an existing file.
Since ION bootstring format has been extended (assuming an installed image) this check fails although the bootstring is correct.
Can be easily reproduced by entering the "show diagnostic sanity" command.
6500-6#show diagnostic sanity
Pinging default gateway 172.26.197.33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.26.197.33, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Could not verify boot image "sup-bootdisk:/newsys/s72033/base/s72033-adventerprisek9_wan_dbg-vm," specified in the boot string.
6500-6#show bootvar
BOOT variable = sup-bootdisk:/newsys/s72033/base/s72033-adventerprisek9_wan_dbg-vm,12;
6500-6#dir sup-bootflash:/newsys/s72033/base/
Directory of sup-bootdisk:/newsys/s72033/base/
84 -rwx 1375696 Jan 5 2006 20:51:24 -08:00 imf.tar
85 -rwx 12873200 Jan 5 2006 20:51:22 -08:00 s72033-adventerprisek9_wan_dbg-vm
It is found in 12.2(18.09.20)SX3.39.
*** open a TAC case so that the same bug is fixed in 12.2(18)SXF4.
Hope it helps you. Please rate it.
Thanks,
satish -
What are the differences between Easy VSS and Traditional VSS on Catalyst 4500E with Sup 8E ?
I would like to know which feature is different between Easy VSS and Traditional VSS.
I know "Easy VSS is a new way of implementing VSS by using a single command" but I cannot find more information about it.
Please help.
Thank you.
Nash
Easy VSS is a simplified and automated way of configuring VSS for the first time. Once a VSS is configured, it is the same as traditional VSS in functionality.
There is no concept of layer 2 or layer 3 VSL link. VSL is the internal portchannel link and you cannot configure as layer 2 or layer 3 portchannel.
Following is the link of Easy VSS steps.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/XE3-6-0E/15-22E/configuration/guide/xe-360-config/vss.html#60764 -
Can anyone help figure out why the Catalyst 6509 is not able to assign an IPv6 address? Thank you.
Cisco Catalyst 6500 version 12.2(33)SXI13 configured as DHCP server for a VLAN responds to Windows 7 client with status code NOADDRS-AVAIL(2). My configuration on the 6500 for the DHCPv6 server is:
ipv6 dhcp database disk0://DHCPV6-DB
ipv6 dhcp pool VLAN206IPV6
prefix-delegation pool VLAN206IPV6-POOL
dns-server 2620:B700:0:1001::53
domain-name global.bio.com
ipv6 local pool VLAN206IPV6-POOL 2620:B700:0:12C7::/65 65
interface Vlan206
description *** IPv6 Subnet ***
ip address 10.2.104.2 255.255.255.0
ipv6 address 2620:B700:0:12C7::2/64
ipv6 nd prefix 2620:B700:0:12C7::/64 14400 14400 no-autoconfig
ipv6 nd managed-config-flag
ipv6 dhcp server VLAN206IPV6
standby version 2
standby 0 ip 10.2.104.1
standby 0 preempt
standby 6 ipv6 2620:B700:0:12C7::1/64
standby 6 preempt
I'm getting a result from my debug as follows:
Apr 10 16:28:02.873 PDT: %LINK-3-UPDOWN: Interface GigabitEthernet2/2, changed state to up
Apr 10 16:28:02.873 PDT: %LINK-SP-3-UPDOWN: Interface GigabitEthernet2/2, changed state to up
Apr 10 16:28:02.877 PDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/2, changed state to up
Apr 10 16:28:03.861 PDT: IPv6 DHCP: Received SOLICIT from FE80::5D5E:7EBD:CDBF:2519 on Vlan206
Apr 10 16:28:03.861 PDT: IPv6 DHCP: detailed packet contents
Apr 10 16:28:03.861 PDT: src FE80::5D5E:7EBD:CDBF:2519 (Vlan206)
Apr 10 16:28:03.861 PDT: dst FF02::1:2
Apr 10 16:28:03.861 PDT: type SOLICIT(1), xid 8277025
Apr 10 16:28:03.861 PDT: option ELAPSED-TIME(8), len 2
Apr 10 16:28:03.861 PDT: elapsed-time 101
Apr 10 16:28:03.861 PDT: option CLIENTID(1), len 14
Apr 10 16:28:03.861 PDT: 00010001195FD895F01FAF10689E
Apr 10 16:28:03.861 PDT: option IA-NA(3), len 12
Apr 10 16:28:03.861 PDT: IAID 0x0FF01FAF, T1 0, T2 0
Apr 10 16:28:03.861 PDT: option UNKNOWN(39), len 32
Apr 10 16:28:03.861 PDT: option VENDOR-CLASS(16), len 14
Apr 10 16:28:03.861 PDT: option ORO(6), len 8
Apr 10 16:28:03.861 PDT: DOMAIN-LIST,DNS-SERVERS,VENDOR-OPTS,UNKNOWN
Apr 10 16:28:03.861 PDT: IPv6 DHCP: Option IA-NA(3) is not supported yet
Apr 10 16:28:03.861 PDT: IPv6 DHCP: Sending ADVERTISE to FE80::5D5E:7EBD:CDBF:2519 on Vlan206
Apr 10 16:28:03.861 PDT: IPv6 DHCP: detailed packet contents
Apr 10 16:28:03.861 PDT: src FE80::21D:E6FF:FEE4:4400
Apr 10 16:28:03.861 PDT: dst FE80::5D5E:7EBD:CDBF:2519 (Vlan206)
Apr 10 16:28:03.861 PDT: type ADVERTISE(2), xid 8277025
Apr 10 16:28:03.861 PDT: option SERVERID(2), len 10
Apr 10 16:28:03.865 PDT: 00030001001DE6E44400
Apr 10 16:28:03.865 PDT: option CLIENTID(1), len 14
Apr 10 16:28:03.865 PDT: 00010001195FD895F01FAF10689E
Apr 10 16:28:03.865 PDT: option STATUS-CODE(13), len 15
Apr 10 16:28:03.865 PDT: status code NOADDRS-AVAIL(2)
Apr 10 16:28:03.865 PDT: status message: NOADDRS-AVAIL
Hello,
maybe hitting the following bug.
IPv6 Address Assignment Support for IPv6 DHCP Server
CSCse81385
Hope this helps -
Two Nexus 5020 vPC etherchannel with Two Catalyst 6500 VSS
Hi,
we are fighting with a 40 Gbps etherchannel between 2 Nx 5000 and 2 Catalyst 6500, but the etherchannel never comes up. Here is the config:
NK5-1
interface port-channel30
description Trunk hacia VSS 6500
switchport mode trunk
vpc 30
switchport trunk allowed vlan 50-54
speed 10000
interface Ethernet1/3
switchport mode trunk
switchport trunk allowed vlan 50-54
beacon
channel-group 30
interface Ethernet1/4
switchport mode trunk
switchport trunk allowed vlan 50-54
channel-group 30
NK5-2
interface port-channel30
description Trunk hacia VSS 6500
switchport mode trunk
vpc 30
switchport trunk allowed vlan 50-54
speed 10000
interface Ethernet1/3
switchport mode trunk
switchport trunk allowed vlan 50-54
beacon
channel-group 30
interface Ethernet1/4
switchport mode trunk
switchport trunk allowed vlan 50-54
beacon
channel-group 30
Catalyst 6500 VSS
interface Port-channel30
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 50-54
interface TenGigabitEthernet2/1/2
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 50-54
channel-protocol lacp
channel-group 30 mode passive
interface TenGigabitEthernet2/1/3
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 50-54
channel-protocol lacp
channel-group 30 mode passive
interface TenGigabitEthernet1/1/2
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 50-54
channel-protocol lacp
channel-group 30 mode passive
interface TenGigabitEthernet1/1/3
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 50-54
channel-protocol lacp
channel-group 30 mode passive
The "Show vpc 30" is as follows
N5K-2# sh vpc 30
vPC status
id Port Status Consistency Reason Active vlans
30 Po30 down* success success -
But the "Show vpc Consistency-parameters vpc 30" is
N5K-2# sh vpc consistency-parameters vpc 30
Legend:
Type 1 : vPC will be suspended in case of mismatch
Name Type Local Value Peer Value
Shut Lan 1 No No
STP Port Type 1 Default Default
STP Port Guard 1 None None
STP MST Simulate PVST 1 Default Default
mode 1 on -
Speed 1 10 Gb/s -
Duplex 1 full -
Port Mode 1 trunk -
Native Vlan 1 1 -
MTU 1 1500 -
Allowed VLANs - 50-54 50-54
Local suspended VLANs - - -
We will appreciate any advice,
Thank you very much for your time...
Jose
Hi Lucien,
here is the "show vpc brief"
N5K-2# sh vpc brief
Legend:
(*) - local vPC is down, forwarding via vPC peer-link
vPC domain id : 5
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status: success
Per-vlan consistency status : success
Type-2 consistency status : success
vPC role : secondary
Number of vPCs configured : 2
Peer Gateway : Disabled
Dual-active excluded VLANs : -
Graceful Consistency Check : Enabled
vPC Peer-link status
id Port Status Active vlans
1 Po5 up 50-54
vPC status
id Port Status Consistency Reason Active vlans
30 Po30 down* success success -
31 Po31 down* failed Consistency Check Not -
Performed
*************************************************************************+
*************************************************************************+
N5K-1# sh vpc brief
Legend:
(*) - local vPC is down, forwarding via vPC peer-link
vPC domain id : 5
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status: success
Per-vlan consistency status : success
Type-2 consistency status : success
vPC role : primary
Number of vPCs configured : 2
Peer Gateway : Disabled
Dual-active excluded VLANs : -
Graceful Consistency Check : Enabled
vPC Peer-link status
id Port Status Active vlans
1 Po5 up 50-54
vPC status
id Port Status Consistency Reason Active vlans
30 Po30 down* failed Consistency Check Not -
Performed
31 Po31 down* failed Consistency Check Not -
Performed
I have changed the lacp on both devices to active:
On Nexus N5K-1/-2
interface Ethernet1/3
switchport mode trunk
switchport trunk allowed vlan 50-54
channel-group 30 mode active
interface Ethernet1/4
switchport mode trunk
switchport trunk allowed vlan 50-54
channel-group 30 mode active
On Catalyst 6500
interface TenGigabitEthernet2/1/2-3
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 50-54
switchport mode trunk
channel-protocol lacp
channel-group 30 mode active
interface TenGigabitEthernet1/1/2-3
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 50-54
switchport mode trunk
channel-protocol lacp
channel-group 30 mode active
Thanks for your time.
Jose -
6506, 6509 Chassis Exchange along with SUP 720-3B and SUP 2T-10G
Hi friends,
I have a situation which looks straightforward, but since I have not done this before, I thought I should put this here to get some ideas and gotchas-related suggestions to look for.
Situation 1:
Basically I have a situation where there is an existing 6506 chassis with SUP32-GE-3B. For some business reasons we have to replace that with a 6509 chassis with SUP720-3B, keeping the configuration intact.
Situation 2:
In another situation, we need to replace an existing standalone chassis 6509 with SUP-2T-10G with a pair of 6506 with SUP-2T-10G on each running VSS. Are there any gotchas around this work?
Also, while I was trying to boot the spare 6506 with SUP-2T card, it constantly went to monitor mode with the following error messages
System Bootstrap, Version 12.2(50r)SYS3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2012 by cisco Systems, Inc.
PYRAMID platform with 2097152 Kbytes of main memory
rommon 1 >
rommon 1 > boot
PCMCIA bootdisk: device is not initialized
open: read error...requested 0x4 bytes, got 0x0
trouble reading device magic number
boot: cannot open "bootdisk:"
boot: cannot determine first file name on device "bootdisk:"
rommon 2 >
Any suggestions for this? It looks like the bootflash memory is missing from the SUP. I am not sure if this flash is usually onboard on this SUP or it should be like an external PCMCIA card.
Looking forward to your help and suggestions.
Thanks in advance.
Regards,
Mohit
Hi SJ
The 16-port 10 Gigabit Ethernet module is interoperable with all models of the Cisco Catalyst 6500 Series Virtual Switching Supervisor Engine 720 with 10 Gigabit Ethernet uplinks or Cisco Catalyst 6500 Series Supervisor Engine 720, including VS-S720-10G-3C, VS-S720-10G-3CXL, WS-Sup720, WS-Sup720-3B, and WS-Sup720-3BXL. When mixing DFCs in the same chassis, the chassis will operate in the mode of the lowest common denominator.
see link below
http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/product_bulletin_cisco_catalyst_6500_series_16port_10gigabit_ethernet_module.html
Regards,
Yaseen -
QoS Packets not matching on 6500 with SUP720-10GE and SU2T
Hi,
I do not see packets matching in policy.
output below:
Switch#sh policy-map interface vlan 2232
Vlan2232
Service-policy input: HARDPHONE-VVLAN
Class-map: VOICETRAFFIC (match-all)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name VOICETRAFFIC
Class-map: VOICESIGNALING (match-all)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name VOICESIGNALING
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any
0 packets, 0 bytes
5 minute rate 0 bps
I also do not find packets matching the ACL:
switch#sh access-lists
Extended IP access list VIDEOTRAFFIC
10 permit udp any any range 16384 32767
Extended IP access list VOICESIGNALING
10 permit tcp any 10.128.0.0 0.3.255.255 range 2000 2002
20 permit tcp any 10.128.0.0 0.3.255.255 eq 5060
30 permit udp any 10.128.0.0 0.3.255.255 eq 5060
40 permit tcp any 172.20.10.0 0.0.1.255 range 2000 2002
50 permit tcp any 172.20.10.0 0.0.1.255 eq 5060
60 permit udp any 172.20.10.0 0.0.1.255 eq 5060
Extended IP access list VOICETRAFFIC
10 permit udp 10.128.0.0 0.63.255.255 10.128.0.0 0.63.255.255 range 16384 32767
I checked the policies; they look correctly applied.
On SUP-720-10GE, I modified the ACL to 'permit udp any any' but did not find any matching packets. There are plenty of IP phones connected directly to this switch that belong to the voice VLAN. I applied VLAN-based QoS under the voice VLAN and other VLANs too.
I observed a different thing on SUP 2T. I saw packets matching the ACL statement 'permit udp any any', but when I took off this line, the ACL was not showing packets matching.
OUTPUT of IP phones connected to switch:
switch#sh cdp neighbors | in SEP
SEP0008308A5D7B Gig 13/38 143 H P M IP Phone Port 1
SEP0008308A5DE0 Gig 10/1 121 H P M IP Phone Port 1
SEP0023049C6348 Gig 3/42 152 H P M IP Phone Port 1
SEP0021A02D64D4 Gig 9/28 120 H P M IP Phone Port 1
SEP1C6A7AE0588E Gig 3/9 127 H P M IP Phone Port 1
SEP00229059969E Gig 12/48 166 H P M IP Phone Port 1
SEP0008308AF26F Gig 2/7 161 H P M IP Phone Port 1
SEP00235EB7BE0E Gig 4/2 154 H P M IP Phone Port 1
SEP00229059BE5A Gig 6/37 158 H P M IP Phone Port 1
SEP1CAA07115CF3 Gig 12/29 148 H P M IP Phone Port 1
SEP00235EB7884F Gig 9/3 156 H P M IP Phone Port 1
SEP0008308B03FB Gig 2/30 178 H P M IP Phone Port 1
SEP006440B42CD3 Gig 3/45 132 H P M IP Phone Port 1
SEP0022905991C9 Gig 11/4 145 H P M IP Phone Port 1
SEP0008308A5E6C Gig 6/36 124 H P M IP Phone Port 1
SEP006440B427CA Gig 13/31 170 H P M IP Phone Port 1
SEP006440B425FF Gig 3/19 168 H P M IP Phone Port 1
SEP0008308A7AD7 Gig 2/3 159 H P M IP Phone Port 1
SEP0008308A3EB2 Gig 10/4 132 H P M IP Phone Port 1
SEP002414B45A0E Gig 10/28 170 H P M IP Phone Port 1
SEP04C5A4B19C8B Gig 2/15 162 H P M IP Phone Port 1
SEP006440B43DE6 Gig 9/48 162 H P M IP Phone Port 1
SEP006440B42B0D Gig 9/23 179 H P M IP Phone Port 1
Could anyone please help with how to make sure that packets are hitting the correct ACL and policy on 6500 with SUP720-10GE and SUP2T?
Thanks,
Pruthvi
Please note that the 6500 is used as an L2 switch only and SVIs are used for applying policies only.
Configuration below:
class-map match-all VOICESIGNALING
match access-group name VOICESIGNALING
class-map match-all VOICETRAFFIC
match access-group name VOICETRAFFIC
class-map match-all VIDEOTRAFFIC
match access-group name VIDEOTRAFFIC
policy-map HARDPHONE-VVLAN
class VOICETRAFFIC
police flow mask src-only 128000 8000 conform-action set-dscp-transmit ef exceed-action drop
class VOICESIGNALING
police flow mask src-only 32000 8000 conform-action set-dscp-transmit cs3 exceed-action policed-dscp-transmit
class class-default
police flow mask src-only 32000 8000 conform-action set-dscp-transmit default exceed-action policed-dscp-transmit
policy-map STUDENT-DVLAN
class class-default
police flow mask src-only 25000000 1562500 conform-action set-dscp-transmit default exceed-action policed-dscp-transmit
policy-map STAFF-DVLAN
class VOICESIGNALING
police flow mask src-only 32000 8000 conform-action set-dscp-transmit cs3 exceed-action policed-dscp-transmit
class VOICETRAFFIC
police flow mask src-only 128000 8000 conform-action set-dscp-transmit ef exceed-action drop
class VIDEOTRAFFIC
police flow mask src-only 2000000 150000 conform-action set-dscp-transmit ef exceed-action drop
class class-default
police flow mask src-only 50000000 1000000 conform-action set-dscp-transmit ef exceed-action drop
ip access-list extended VOICESIGNALING
remark Skinny and SIP protocols From Phones to Voice Core Infrastructure
permit tcp any 10.128.0.0 0.3.255.255 range 2000 2002
permit tcp any 10.128.0.0 0.3.255.255 eq 5060
permit udp any 10.128.0.0 0.3.255.255 eq 5060
permit tcp any 172.20.10.0 0.0.1.255 range 2000 2002
permit tcp any 172.20.10.0 0.0.1.255 eq 5060
permit udp any 172.20.10.0 0.0.1.255 eq 5060
ip access-list extended VOICETRAFFIC
permit udp any any dscp ef
permit udp 10.128.0.0 0.63.255.255 10.128.0.0 0.63.255.255
permit udp any any range 16384 32767 dscp ef
ip access-list extended VOICESIGNALING
remark Skinny and SIP protocols From Phones to Voice Core Infrastructure
permit tcp any 10.128.0.0 0.3.255.255 range 2000 2002
permit tcp any 10.128.0.0 0.3.255.255 eq 5060
permit udp any 10.128.0.0 0.3.255.255 eq 5060
permit tcp any 172.20.10.0 0.0.1.255 range 2000 2002
permit tcp any 172.20.10.0 0.0.1.255 eq 5060
permit udp any 172.20.10.0 0.0.1.255 eq 5060
ip access-list extended VIDEOTRAFFIC
permit udp any any range 16384 32767 dscp ef
interface Vlan104
description PolicyOnlyInt
no ip address
service-policy input STAFF-DVLAN
interface Vlan105
description PolicyOnlyInt
no ip address
service-policy input STAFF-DVLAN
interface Vlan573
description PolicyOnlyInt
no ip address
service-policy input PUBLIC-DVLAN
interface Vlan604
description PolicyOnlyInt
no ip address
service-policy input PUBLIC-DVLAN
interface Vlan654
description PolicyOnlyInt
no ip address
service-policy input STUDENT-DVLAN
interface Vlan674
description PolicyOnlyInt
no ip address
service-policy input PUBLIC-DVLAN
interface Vlan807
ip address 172.18.128.5 255.255.255.0
interface Vlan860
description PolicyOnlyInt
no ip address
service-policy input PUBLIC-DVLAN
interface Vlan2016
description PolicyOnlyInt
no ip address
service-policy input HARDPHONE-VVLAN
interface Vlan3124
description PolicyOnlyInt
no ip address
shutdown
service-policy input HARDPHONE-VVLAN
switch#sh access-lists
Extended IP access list VOICESIGNALING
10 permit tcp any 10.128.0.0 0.3.255.255 range 2000 2002
20 permit tcp any 10.128.0.0 0.3.255.255 eq 5060
30 permit udp any 10.128.0.0 0.3.255.255 eq 5060
40 permit tcp any 172.20.10.0 0.0.1.255 range 2000 2002
50 permit tcp any 172.20.10.0 0.0.1.255 eq 5060
60 permit udp any 172.20.10.0 0.0.1.255 eq 5060
Extended IP access list VOICETRAFFIC
10 permit udp any any dscp ef <----- not showing any match
11 permit udp 10.128.0.0 0.63.255.255 10.128.0.0 0.63.255.255 <---- not showing any match
12 permit udp any any range 16384 32767 dscp ef <---- not showing any match
If I use "permit udp any any", the ACL shows a match.
switch#sh access-lists
Extended IP access list VOICETRAFFIC
10 permit udp any any dscp ef
11 permit udp 10.128.0.0 0.63.255.255 10.128.0.0 0.63.255.255
12 permit udp any any range 16384 32767 dscp ef
13 permit udp any any (527055 matches) -
I have an LC/APC fiber patch cord infrastructure and I want to connect it to Cisco Catalyst 6500 & Cisco Access 3750 Switches. what type of transceiver should be used?
I read a note on Cisco website stating the following for Cisco SFP+ transceivers:
Note: "Only connections with patch cords with PC or UPC connectors are supported. Patch cords with APC connectors are not supported. All cables and cable assemblies used must be compliant with the standards specified in the standards section"
Thank you, but my question is that I have a single-mode fiber patch cord with an LC/APC connector, while Cisco states in a note to only use LC/PC or LC/UPC connectors with SFP+ transceivers.
So what type of transceiver should I use to connect an LC/APC patch cord to Cisco switches? Is there another type, or can SFP+ still be used? -
Configuring the Catalyst 6500 Switch for IPS Inline Operation of the IDSM
I understand how to configure the Catalyst 6500 switch so that the monitoring ports are access ports in two separate VLAN's for inline operation.
However, I don't see any documentation that describes how the desired VLAN traffic gets forced through the IPS.
In promiscuous mode, you can use VACL's to copy/capture and forward the desired traffic to the IDSM for analysis. I'm not seeing how to get the desired traffic through the IPS.
Note that the host 6500 is running native IOS 12.2(18)SXE.
Thanks for any assistance.
A transparent firewall is a fairly good comparison.
Let's say you have vlan 10 with 100 PCs and 1 Router for the network.
If you want to apply a transparent firewall on that vlan you can not simply put one interface of the firewall on vlan 10. Nothing would go through the firewall.
Instead you have to create a new vlan, let's say 1010. Now you place one interface of the firewall on vlan 10 and the other on vlan 1010. Still nothing is going through the firewall. So now you move that Router from vlan 10 to vlan 1010. All you do is change the vlan, the IP Address and netmask of the router stay the same.
The transparent firewall bridges vlan 10 and vlan 1010. The PCs on vlan 10 are still able to communicate to and through the router, but must go through the transparent firewall to do so.
The firewall is transparent because it does not IP Route between 2 vlans, instead the same IP subnet exists on both vlans and the firewall transparently bridges traffic between the 2 vlans.
The transparent firewall can do firewalling between the PCs on vlan 10 and the Router on vlan 1010. But if PC A on vlan 10 talks to PC B on vlan 10, then the transparent firewall does not see and can not block that traffic.
An InLine sensor is very similar to the transparent firewall and will bridge between the 2 vlans. And similarly an InLine sensor is able to InLine monitor traffic between PCs on vlan 10 and the Router on vlan 1010, but will not be able to monitor traffic between 2 PCs on vlan 10.
Now the router on one vlan and the PCs on the other vlan is a typical deployment for inline sensors, but your vlans do not Have to be divided that way. You could choose to place some servers in one vlan, and desktop PCs in the other vlan. You subdivide the vlans in what ever method makes sense for your deployment.
Now for monitoring multiple vlans the same principle still applies. You can't monitor traffic between machines on the same vlan. So for each of the vlans you want to monitor you will need to create a new vlan and split the machines between the 2 vlans.
In your case with Native IOS you are limited to only 1 pair of vlans for InLine monitoring, but your desired deployment would require 20 vlan pairs.
The 5.1 IPS software has now the capability to handle the 20 pairs, but the Native IOS software does not have the capability to send the 40 vlans (20 pairs) to the IDSM-2.
The Native IOS changes are in testing right now, but I have not heard a release date for those changes.
Now Cat OS has already made these changes. So here is a basic breakdown of what you could do in Cat OS and you can use in preparation for a Native IOS deployment when it gets released.
For vlans 10-20, and 300-310 that you want monitored you will need to break each of those vlans in to 2 vlans.
Let's say we make it simple and add 500 to each vlan in order to create the new vlan for each pair.
So you have the following pairs:
10/510, 11/511, 12/512, etc...
300/800, 301/801, 302/802, etc....
You set up the sensor port to trunk all 40 vlans:
set trunk 5/7 10-20,300-310,510-520,800-810
(Then clear all other vlans off that trunk to keep things clean)
In the IDSM-2 configuration create the 20 inline vlan pairs on interface GigabitEthernet0/7
Now on each of the 20 original vlans move the default router for each vlan from the original vlan to the 500+ vlan.
At this point you should ordinarily be good to go. The IDSM-2 won't be monitoring traffic that stays within each of the original 20 vlans, but Would monitor traffic getting routed in and out of each of the 20 vlans.
Because of a switch bug you may have to have an additional PC moved to the same vlan as the router if the switch/MSFC is being used as the router and you are deploying with an IDSM-2. -
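The pairing plan described in the answer above, as an added Python example that is not part of the original post: it pairs each monitored VLAN with a helper VLAN at a fixed offset, rejects helper VLANs that would collide with VLANs already in use, and emits the CatOS trunk line plus IDSM-2 inline-vlan-pair stanzas in the form of the sensor configuration posted elsewhere on this page. The function names, the `in_use` parameter and the generated subinterface descriptions are assumptions made for the illustration.

```python
"""Plan helper VLANs for IDSM-2 inline VLAN pairs (added example)."""

MAX_VLAN = 4094                    # highest usable 802.1Q VLAN ID
RESERVED = set(range(1002, 1006))  # Cisco default FDDI/Token Ring VLANs


def parse_ranges(spec):
    """Expand a VLAN list such as '10-20,300-310' into sorted VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= MAX_VLAN:
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(lo, hi + 1))
    return sorted(vlans)


def compress(vlans):
    """Collapse VLAN IDs into 'a-b,c' form for a trunk command."""
    runs = []
    for v in sorted(set(vlans)):
        if runs and v == runs[-1][1] + 1:
            runs[-1][1] = v          # extend the current run
        else:
            runs.append([v, v])      # start a new run
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in runs)


def plan_pairs(monitored, offset, in_use=()):
    """Pair each monitored VLAN with a helper VLAN at vlan + offset.

    A helper VLAN must be a fresh VLAN: if it is out of range, reserved,
    one of the monitored VLANs, or already in use on the switch, the sensor
    would bridge two existing broadcast domains together, so the plan is
    rejected. `in_use` (hypothetical parameter) lists VLANs that already
    exist on the switch besides the monitored ones.
    """
    originals = parse_ranges(monitored)
    taken = set(originals) | set(in_use)
    pairs = []
    for vlan in originals:
        helper = vlan + offset
        if not 1 <= helper <= MAX_VLAN or helper in RESERVED:
            raise ValueError(f"helper VLAN {helper} for {vlan} is not usable")
        if helper in taken:
            raise ValueError(f"helper VLAN {helper} for {vlan} already exists")
        pairs.append((vlan, helper))
    return pairs


def catos_trunk(port, pairs):
    """CatOS trunk line carrying both VLANs of every pair to the sensor port."""
    return f"set trunk {port} {compress(v for pair in pairs for v in pair)}"


def sensor_config(interface, pairs):
    """IDSM-2 'service interface' lines, one subinterface per VLAN pair."""
    lines = [
        "service interface",
        f"physical-interfaces {interface}",
        "admin-state enabled",
        "subinterface-type inline-vlan-pair",
    ]
    for n, (vlan, helper) in enumerate(pairs, start=1):
        lines += [
            f"subinterface {n}",
            f"vlan1 {vlan}",
            f"vlan2 {helper}",
            f"description VLAN {vlan} bridged to helper {helper}",
            "exit",
        ]
    return lines


if __name__ == "__main__":
    # VLAN ranges, offset and port taken from the answer above; the ranges
    # are inclusive, so each one contains 11 VLANs.
    plan = plan_pairs("10-20,300-310", offset=500)
    print(catos_trunk("5/7", plan))
    print("\n".join(sensor_config("GigabitEthernet0/7", plan)))
```

Moving each VLAN's default router to the helper VLAN remains a manual step on the switch; the script only plans the pairs and the trunk.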
I have a peculiar problem with two gbic modules of Catalyst 6500.
First problem, I have a gbic port in module 7, which was a trunkport to Catalyst 2950, that does not allow conection to switch Catalyst 2950, and besides it harmed the yield of Catalyst 6500. I have to disconnect the optical fiber cable so that everything returned to normality.
Second problem. A port gbic in module 8, I let work and I disconnect of the network to one of the servants, by such reason I had to connect the fiber cable in another one gbic of he himself I module.
My question is: is necessary to change I modulate 7 and 8 not to have network problems on watch? or single to change gbic affected in each one of the modules?
Thank you,
Failure to get GBIC up during installation could be as a result of system requirements not met, incorrect cable installed, lack of power to the device, configuration errors or hardware failure. Verify that the GBIC cable is connected to another active network device and that the port is not shut down. Replace cable with a known good cable. Make sure GBICs are matched on either side of the connection. Make sure the flow control and port negotiation settings are consistent on both sides of the link. There may be incompatibilities in the implementation of these features if the switches being connected are from different vendors. If in doubt, turn these features off on both switches. Swap GBIC to a different slot. Also, try using a spare GBIC to see if it works. For more information, refer to Troubleshooting link :
http://www.cisco.com/en/US/products/hw/switches/ps628/products_installation_guide_chapter09186a00800d7681.html -
Booting IOS Image from PCMCIA flash on Catalyst 6500 in Native Mode
I have a couple 6500 switches (Sup 720/MSFC 3) to upgrade. They are currently running IP Base, but I'd like to run Advanced Enterprise in order to use the full Firewall features.
Since the images are over 70 MB, I will need to boot from the PCMCIA flash cards (disk0 and disk1). The problem is, when trying to boot from those devices, I get "bad magic number" (wasn't able to capture the exact output, sorry). I tried "boot disk0:" and "boot bootflash:" with the same problems. Finally, did a "boot sup-bootflash:" and it loaded my old image. It appeared as if the bootstrap wasn't recognizing any filesystem other than sup-bootflash.
I know in Mixed mode, you must first boot a small boot image for the MSFC, then IOS, i.e.:
boot bootldr bootflash:
boot system flash disk0:
How should the boot from disk0 be handled in Native IOS?
Hello,
In native IOS you just need to specify the boot system.
boot system flash disk0:blahblahblah.SX4.bin
Patrick Laidlaw -
IDSM on catalyst 6500 to provide IOS Inline mode support
I am currently evaluating what kind of method to apply in my 6500. I would like to ask if IOS Version 12.2(33)SXI2a support inline mode and inline vlan pair mode with IDSM-2???what configuration should be done with the switch in order for the multiple vlan traffic to flow with an inline interface of the IDSM2??? In my case I have 16 user vlans and 1 server vlan on catalyst 6500...The task is to protect the servers from users....The requirement is to configure inline mode to monitor the traffic from these 16 vlans when they access the servers...But as we know the IDSM-2 has only two logical sensing ports...So my question is how will you configure the switch to forward the traffic from these 16 vlans to the IDSM-2 module via only ONE sensing port, since the other sensing port will be configured in the server vlan??? Because as far as i know, when you configure inline mode on IOS,you will have to configure the sensing ports in access mode( While in CatOS, you configure these as TRUNK ports)...But this will work when you have only two vlans...But in my case, I have 16 vlans to monitor in inline mode..Please suggest any solution.
Any urgent reply will be much grateful...
Many Thanks in advance
Hi Mubin,
If you're looking to monitor all the traffic from the user VLANs to the server VLANs then the simplest way to configure the IDSM-2 would be inline on the server VLAN segment. All traffic destined to the servers (from the users or anywhere else) has to traverse that VLAN. Assuming you have something like this to start:
VLAN 100-120 (users) ====== Switch ------ VLAN 200 (servers)
you'd drop the IDSM-2 inline on VLAN 200 by using a helper VLAN:
VLAN 100-120 (users) ====== Switch ----- VLAN 201 (server gateway) ----- IDSM-2 (bridging 201 to 200) ----- VLAN 200 (servers)
To do this you'll need to perform the following steps:
1. Designate a new VLAN to use as a helper VLAN for your current server VLAN. I'll use 201 for this example and assume your current server VLAN is 200.
Create the helper VLAN on the switch:
switch# conf t
switch(config)# vlan 201
2. Configure the IDSM-2 to bridge the helper VLAN and the server VLAN (200-201)
sensor# conf t
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/7
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)# subinterface 1
sensor(config-int-phy-inl-sub)# vlan1 200
sensor(config-int-phy-inl-sub)# vlan2 201
sensor(config-int-phy-inl-sub)# description Server-Helper pair
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# exit
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes:?[yes]:
3. Configure the switch to trunk the helper and server VLANs to the IDSM-2 module. I assume the module is in slot 5 in the example. Replace the 5 with the correct slot for your deployment:
switch# conf t
switch(config)# intrusion-detection module 5 data-port 1 trunk allowed-vlan 200,201
switch(config)# intrusion-detection module 5 data-port 1 autostate include
*Warning! This next step may cause an outage if everything is configured correctly. You'll probably want to schedule a window to do this.*
4. Finally, force the traffic from the server VLAN through the IDSM-2 by moving the server VLAN gateway from VLAN 200 (where it is currently) to the helper VLAN you created. To do this, remove the SVI from VLAN 200 and apply the same IP address to VLAN 201. I assume the current server gateway is 192.168.1.1/24
switch# conf t
switch(config)#int vlan 200
switch(config-int)#no ip addr
switch(config-int)#int vlan 201
switch(config-int)#ip addr 192.168.1.1 255.255.255.0
switch(config-int)#exit
switch(config)#exit
switch# wr mem
Now, when the servers try to contact 192.168.1.1 (their gateway) they'll have to be bridged through the IDSM-2 to reach VLAN 201 and in the process all traffic destined to them or sourced from them will be inspected. Do not put any hosts or servers in the helper VLAN (201) or they will not be inspected.
Best Regards,
Justin -
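A pre-change check for the inline VLAN pair design in the answer above, as an added example that is not part of the original post: it parses an IOS config fragment and flags the conditions that would let traffic go around the IDSM-2 (a pair VLAN missing from the data-port trunk, the gateway SVI still on the server VLAN, or an access port placed in the helper VLAN). The function names, the sample config and the interface names are assumptions made for illustration.

```python
import re

# Constructed sample: config after steps 1-4, with one mistake left in
# (an access port assigned to helper VLAN 201).
SAMPLE_CONFIG = """\
intrusion-detection module 5 data-port 1 trunk allowed-vlan 200,201
intrusion-detection module 5 data-port 1 autostate include
!
interface GigabitEthernet2/10
 switchport mode access
 switchport access vlan 201
!
interface GigabitEthernet2/11
 switchport mode access
 switchport access vlan 200
!
interface Vlan200
 no ip address
!
interface Vlan201
 ip address 192.168.1.1 255.255.255.0
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '100-120,200' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_inline_pair(config, server_vlan, helper_vlan):
    """Return findings that would let traffic bypass the inline VLAN pair."""
    findings, trunked = [], set()
    trunk_re = r"^intrusion-detection module \d+ data-port \d+ trunk allowed-vlan (\S+)"
    for spec in re.findall(trunk_re, config, re.M):
        trunked |= expand_vlans(spec)
    for vlan in (server_vlan, helper_vlan):
        if vlan not in trunked:
            findings.append(f"VLAN {vlan} is not trunked to the IDSM-2 data port")
    # Each stanza is an 'interface' header line plus its indented body.
    for name, body in re.findall(r"^interface (\S+)\n((?:[ \t]+.*\n?)*)", config, re.M):
        svi = re.fullmatch(r"Vlan(\d+)", name)
        has_ip = re.search(r"^\s+ip address \d", body, re.M)
        if svi and int(svi.group(1)) == server_vlan and has_ip:
            findings.append(f"{name} still has an IP: gateway bypasses the sensor")
        if re.search(rf"^\s+switchport access vlan {helper_vlan}\s*$", body, re.M):
            findings.append(f"{name} is an access port in helper VLAN {helper_vlan}: uninspected")
    return findings
```

Run `audit_inline_pair(SAMPLE_CONFIG, 200, 201)` against a saved copy of the running config before and after the change window; an empty list means none of the three bypass conditions was found.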
Hello guys,
I'm designing small-medium branch office (from 100 users scalable up to 500).
My idea was to build this around a pair of 6506-E switches (as collapsed core, utilizing VSS), then at each floor (1 floor = 100 users) have a stack of 3750 switches.
Now, to my question, I want a pair of security appliances, one per each breakout. I was looking at a possibility of putting ASA module into each 6500.
Is it possible to use the 10G X2 modules, which are built into the 6500's SUP, as WAN interfaces and direct everything they receive on those ports directly into the ASA? (I want to have all traffic which will come to the 6500 via the SUP's X2 modules pass through the ASA before any further action is taken.)
As far as I know, in order to use VSS together with ASA modules in active/active mode (I will load balance through uplinks on both 6500s) I need to use SUP 720-10G, am I right?
Thanks in advance for your insights.
Michal
Thanks guys. Appreciate your feedback!
I will most likely go for the option "Existing ASA 5540 with IPS module" . I hope the IPS module does not limit any bandwidth capability or processing issue of the ASA. My current throughput is 250 Mbps bidirectional.
After looking at the IPS option I am slightly confused about which one I need. Cisco's website says:
"...adding the broad range of intrusion prevention and advanced antiworm services delivered by the IPS modules via the AIP SSM and AIP SSC, or the comprehensive malware protection and content security services enabled by the CSC SSM."
Do I need SSM only, or both SSM and SSC, or CSC SSM? How many modules can be installed on a 5540?
Fawad