Catalyst 6509 switch

Similar Messages

• Missinf FWSM in Catalyst 6509 switch

  I have a problem with a Catalyst 6509 switch.The problem initially I had was loggin into the switch.I was always sent to the rommon> anytime I tried logging into the switch until I was told to enter "boot bootflash:". I was able to enter the switch but could not find the FWSM module.The module was there until we tried upgrading the IOS of the MSFC.
  When I enter "show module" it does not show the FWSM module.
  Is there something anybody can please show me to do other to access the Firewall module.

  Thanks for your post.
  Below is the result of a sh version and sho module of the switch as well as a report that comes up upon bootup using the "boot bootflash:"
  core02>en
  Password:
  core02#sh ver
  Cisco Internetwork Operating System Software
  IOS (tm) c6sup2_rp Software (c6sup2_rp-PSV-M), Version 12.1(12c)E4, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
  TAC Support: http://www.cisco.com/tac
  Copyright (c) 1986-2002 by cisco Systems, Inc.
  Compiled Mon 14-Oct-02 12:37 by hqluong
  Image text-base: 0x40008980, data-base: 0x41598000
  ROM: System Bootstrap, Version 12.1(11r)E1, RELEASE SOFTWARE (fc1)
  BOOTLDR: c6sup2_rp Software (c6sup2_rp-PSV-M), Version 12.1(12c)E4, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
  core02 uptime is 4 minutes
  System returned to ROM by power-on (SP by power-on)
  System image file is "sup-bootflash:c6sup22-psv-mz.121-12c.E4.bin"
  cisco Catalyst 6000 (R7000) processor with 227328K/34816K bytes of memory.
  Processor board ID SAL08144260
  R7000 CPU at 300Mhz, Implementation 39, Rev 3.3, 256KB L2, 1024KB L3 Cache
  Last reset from power-on
  X.25 software, Version 3.0.0.
  Bridging software.
  8 Ethernet/IEEE 802.3 interface(s)
  --More-- 6 Virtual Ethernet/IEEE 802.3 interface(s)
  26 Gigabit Ethernet/IEEE 802.3 interface(s)
  381K bytes of non-volatile configuration memory.
  32768K bytes of Flash internal SIMM (Sector size 512K).
  Configuration register is 0x2102
  core02#sh module
  Mod Ports Card Type Model Serial No.
  1 2 Catalyst 6000 supervisor 2 (Active) WS-X6K-SUP2-2GE SAL08154S4S
  2 8 unknown FRU type (major = 0x6003, mino WS-XSVC-K+BB-2 SAD081203ZV
  3 16 16 port GE RJ45 WS-X6316-GE-TX SAD08140999
  4 8 8 port 1000mb GBIC Enhanced QoS WS-X6408A-GBIC SAL081555Q1
  Mod MAC addresses Hw Fw Sw Status
  1 000f.8f9d.3510 to 000f.8f9d.3511 5.0 6.1(3) 7.2(0.90) Ok
  2 000f.8f5b.bd62 to 000f.8f5b.bd69 2.0 Unknown Unknown PwrDowo 0003.feae.f137 1.3 5.4(2) 7.2(0.90) Ok
  4 000f.f716.8dd0 to 000f.f716.8dd7 3.1 5.4(2) 7.2(0.90) Ok
  Copyright (c) 1986-2002 by cisco Systems, Inc.
  Compiled Mon 14-Oct-02 13:00 by hqluong
  00:00:54: %SNMP-5-COLDSTART: SNMP agent on host core02 is undergoing a cold star
  t
  00:00:56: %C6KPWR-SP-4-UNSUPPORTED: unsupported module in slot 2, power not allo
  wed: Unknown Card Type.
  00:00:56: %C6KPWR-SP-4-ENABLED: power to module in slot 3 set on
  00:00:57: %C6KPWR-SP-4-ENABLED: power to module in slot 4 set on
  00:00:56: %C6KPWR-SP-4-UNSUPPORTED: unsupported module in slot 2, power not allo
  wed: Unknown Card Type.
  00:00:56: %C6KPWR-SP-4-ENABLED: power to module in slot 3 set on
  00:00:57: %C6KPWR-SP-4-ENABLED: power to module in slot 4 set on
  00:01:10: %DIAG-SP-6-RUN_MINIMUM: Module 1: Running Minimum Online Diagnostics..
  00:01:14: %DIAG-SP-6-DIAG_OK: Module 1: Passed Online Diagnostics
  00:01:14: %OIR-SP-6-INSCARD: Card inserted in slot 1, interfaces are now online
  00:01:25: %DIAG-SP-6-RUN_MINIMUM: Module 3: Running Minimum Online Diagnostics..
  00:01:28: %DIAG-SP-6-DIAG_OK: Module 3: Passed Online Diagnostics
  00:01:28: %OIR-SP-6-INSCARD: Card inserted in slot 3, interfaces are now online
  00:01:56: %DIAG-SP-6-RUN_MINIMUM: Module 4: Running Minimum Online Diagnostics..
  00:01:57: %DIAG-SP-6-DIAG_OK: Module 4: Passed Online Diagnostics
  00:01:57: %OIR-SP-6-INSCARD: Card inserted in slot 4, interfaces are now online
  Mod Sub-Module Model Serial

• Catalyst 6509 switch GE and FE Modules

  Hi All,
  On a CAT-6509, when I remove the GE or FE modules from the chassis ,will that configuration on the GE/FE modules disappear and when I insert it back will that configuration is going to reappear ?
  Regards,
  Madan

  On a Native Mode yes, the configuration for that line card will remain in the running-configuration and therfore the same config will retunr upon insertion of that same line card, it's called "slot provisionining".
  Bug id CSCsb49891 is an enhancement to the IOS that clears the configuration of the removed line card or turns off the "slot provisioning".
  router(config)#module ?
  ContentServicesGateway Configure a CSG module
  ContentSwitchingModule configure a CSM SLB module
  clear-config To clear configuration when module is removed
  provision Configure module provision status
  router(config)#module clear-config
  The above CLI knob is present in 12.2(18)SXF or above so in your case, you will not have the knob, you need to reload the switch to remove the removed line card's configuration.
  Please rate all posts.

• How to find IP of SUP card from MSFC in Catalyst 6509 switch

  I have logged into the MSFC of 6509, and want to login to the SUP engine. I don't know the IP of SUP. Is there any way I can get the info from MSFC so that I can login to SUP or is there any command on MSFC like session <mod number> which we use to login to MSFC from SUP.

  Hi,
  Switch is running in hybrid mode. here is the output of sh mod and sh ver.
  Switch> sh module
  Mod Slot Ports Module-Type Model Sub Status
  1 1 2 1000BaseX Supervisor WS-X6K-SUP2-2GE yes ok
  15 1 1 Multilayer Switch Feature WS-F6K-MSFC2 no ok
  2 2 24 100BaseFX MM Ethernet WS-X6324-100FX-MM no ok
  3 3 48 10/100BaseTX Ethernet WS-X6348-RJ-45 no ok
  Mod Module-Name Serial-Num
  1 SAL08144HGQ
  15 SAL0811W7M0
  2 SAD05400437
  3 SAL050212BD
  Mod MAC-Address(es) Hw Fw Sw
  1 00-0f-8f-9d-27-92 to 00-0f-8f-9d-27-93 5.0 7.1(1) 6.3(10)
  00-0f-8f-9d-27-90 to 00-0f-8f-9d-27-91
  00-07-84-f6-6a-c0 to 00-07-84-f6-6e-bf
  15 00-0f-34-39-fc-c0 to 00-0f-34-39-fc-ff 2.6 12.1(13)E1 12.1(13)E12
  2 00-03-32-85-6f-ec to 00-03-32-85-70-03 3.0 5.4(2) 6.3(10)
  3 00-05-5f-2a-83-08 to 00-05-5f-2a-83-37 3.1 5.4(2) 6.3(10)
  Mod Sub-Type Sub-Model Sub-Serial Sub-Hw
  1 L3 Switching Engine II WS-F6K-PFC2 SAL08144GQM 3.4
  Router>sh ver
  Cisco Internetwork Operating System Software
  IOS (tm) MSFC2 Software (C6MSFC2-DSV-M), Version 12.1(13)E12, EARLY DEPLOYMENT R
  ELEASE SOFTWARE (fc1)
  TAC Support: http://www.cisco.com/tac
  Copyright (c) 1986-2003 by cisco Systems, Inc.
  Compiled Sat 22-Nov-03 07:16 by hqluong
  Image text-base: 0x40008C00, data-base: 0x419F4000
  ROM: System Bootstrap, Version 12.1(11r)E1, RELEASE SOFTWARE (fc1)
  BOOTLDR: MSFC2 Software (C6MSFC2-BOOT-M), Version 12.1(13)E12, EARLY DEPLOYMENT
  RELEASE SOFTWARE (fc1)
  Router uptime is 2 days, 4 hours, 31 minutes
  System returned to ROM by power-on
  System image file is "bootflash:c6msfc2-dsv-mz.121-13.E12.bin"
  cisco Cat6k-MSFC2 (R7000) processor with 458752K/65536K bytes of memory.
  Processor board ID SAL0811W7M0
  R7000 CPU at 300Mhz, Implementation 39, Rev 3.3, 256KB L2, 1024KB L3 Cache
  Last reset from power-on
  Bridging software.
  X.25 software, Version 3.0.0.
  509K bytes of non-volatile configuration memory.
  32768K bytes of Flash internal SIMM (Sector size 512K).
  Configuration register is 0x102

• Trying to interconnect Catalyst 4506 (IOS) & Catalyst 6509 (CatOS) using FS

  Hey all,
  I'm currently having a problem interconnecting a Catalyst 4506 using IOS and a Catalyst 6509 using CatOS via FSO. The FSO is all setup and they show that they are talking but when we plug the fiber optic cables into the switches, we get a notconnect status on the switches. The link lights on both switches don't light up either. I have configured both sides as follows
  6509 (the Gigabit Port is 2/6):
  set port negotiation 2/6 disable
  set trunk 2/6 nonegotiate dot1q 1-1005,1025-4094
  4506 (the Gigabit Port is 1/1):
  interface GigabitEthernet 1/1
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport nonegotiate
  speed nonegotiate
  We were told by the FSO company that both ends must turn off negotiation in order for it to work. On the end with the Catalyst 6509, I have tried plugging another known working fiber optic line into the 2/6 port and the link light lights up so we know that the port isn't broken. Any ideas? I am lost.
  Background:
  We currently have a T1 line that serves as a point to point between the two buildings. We were trying to get rid of it and go with Free Space Optics (FSO) to increase bandwidth between the two buildings. We have 5 VLANs on each side (on the 4506 side, Vlans 110, 120, 132, 140, & 104 and on the 6509 side, Vlan 10, 20, 32, 40, 4) and the point to point is on the 200 network to interconnect the switches.

  Hie David,
  Just to start with are we sure that Rx of one switch terminates on Tx of other and vice versa. The fiber cable which is plugged in the trnasmitter of one switch must go to the receiver of another switch. You can just try swapping the TX and RX points at one switch.
  I doubt this because as you have said even the link light is not coming up.

• BigIP Network Failover on Catalyst 6500 Switches

  Pardon my ignorance on this, but I have had little experince with Catalyst switches.
  I have a problem with a Pair of Redundant F5 BigIP switches and the time it takes them to failover on the Network.
  According to F5 the BigIP should fail over in a matter of seconds if the Active unit is disconnected from the network, the standby unit is to take over. From what I have seen, it is taking 90 seconds to failover.
  It appears to be a problem with STP or some related configuration on the 6509 Switches. Both Active / Standby units are sharing a MAC address / IP address, so I do not beleive it is an ARP issue.
  I have each BigIp on seperate 6509s which are running HSRP. From what I have been reading it looks like I need to configure STP with Portfast on the Interfaces that are connected to the BigIPs.
  Has anyone seen this problem before or have ideas on what I might look at.
  We are running version 12.1(8a)E5.
  Regards,
  Carl aka "Dazed and Confused"

  Carl,
  The spanning-tree portfast command is what you need to use. Try it and see if it solves your problem.
  I dont think that it will because both your units have their interfaces up so when their is a failure on one unit or the link goes down the other unit is already in the forwarding state.
  (if using IOS - Replace with own interface)
  interface gig 1/1
  switchport
  spanning-tree portfast
  (is using CatOs - Replace with own interface )
  set spantree portfast 1/1
  Miron

• VSS Reconfiguration on Catalyst 6509

  Hello Team,
  I would like to know about the reconfiguration of VSS on Catalyst 6509. VSS is already running but we need to reconfigure it on other ports.
  Currently Its is running on the VS-S720-10G Supervisor 2x10-G ports but we need to reconfigure it on other 10G ports.
  We want to Configure VSS on 1 Port of 10Gbase-LX4 and 1 Port of 10Gbase-SR Transceiver.
  We thing I want to clarify with Experts:
  1: How to break the Current VSS on both Catalyst 6509
  2: I know we can run the VSS on 2 Different ports but what about if both Transceiver are different
  3: In my case I want to run the VSS on 1 port 10Gbase-SR  and 1 Port 10Gbase-LX4 transceiver
  Here is Detail about the Line Cards where I want to Run VSS
  VS-S720-10G      (10Gbase-SR Transceiver)
  WS-X6704-10GE (10Gbase-LX4 Transceiver)
  Thanks,
  JH

  That is ok.  The physical ports are part of the Porchannel.
  So, lets say ports te1/5/4 and 1/5/5 on switch 1 and ports te2/5/4 and 2/5/5 are part of portchannel 10
  and now you want to remove 1/5/5 and 2/5/5 from the portchannel.
  go under each physical interface and do this command:
  no channel-group 10 mode on
  this will remove ports 1/5/5 and 2/5/5 from po10 while 1/5/4 and 2/5/4 are not effected.
  now you can add whatever new interface from the blade you want to po10 to replace the once you removed.
  lets say you want to add interface te1/2/1 and 2/2/1
  under the interface add this command
  channel-group 10 mode on
  HTH

• Catalyst 6509 VSS IOS upgrade

  Hi,
  We have a Catalyst 6509 VSS system, each chassis have 2 supervisor engines. The IOS version is 12.2(33)SXI4a. We should upgrade to 12.2(33)SXI12.
  The following document mention 2 upgrade method : FSU & eFSU
  http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vss.html#wp1170391
  We can not use eFSU due to the images with release dates more than 18 months apart, so we can use FSU only. And there is some note for FSU :
  Note VSS mode supports only one supervisor engine in each chassis. If another supervisor engine resides in the chassis it will act as the DFC
  It make me some confuse.... What is the correct procedule to upgrade the Caytalyst 6509 VSS IOS ( each chassis with 2 supervisor engine )?
  Best Regards,

  Hello Jackson,
  Please take a on the next post which may answered your questions:
  https://supportforums.cisco.com/thread/2188244
  Intrachassis Availability
  The initial release of the Cisco Virtual Switching System supports only a single supervisor per chassis. If a second, or redundant, supervisor is installed in an individual chassis then the redundant supervisor will not fully boot. The redundant supervisor will stop the boot process at the ROMMON stage.
  In this configuration any device connected to the chassis in a single-homed, or single-attach, manner must rely on the availability of the single supervisor. Therefore the recommendation for connecting to the VSS is to always dual-attach devices.
  As a result of the single supervisor per chassis support the recovery period for replacing a failed supervisor module is undeterministic in that the recover process requires manual intervention in order to install and initialize a new supervisor in the chassis.
  Beginning in the 12.2(33)SXI4 software release, Quad-Sup Uplink Forwarding is supported which allows for a redundant supervisor to fully boot Cisco IOS Software, thereby providing a deterministic recovery option for redundant supervisors in a VSS chassis.
  Refer:
  http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps9336/white_paper_c11_429338.pdf 
  The link that you mentioned describe how to configure a VSS from release 12.2(33)SXH1.
  Below is a step by step explanation of the upgrade process and the downtimes associated with each step:
  http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11-729039.html
  ISSU restrictions and guidelines.
  http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configu
  ration/guide/vss.html
  Video:
  https://supportforums.cisco.com/videos/2650
  Best regards,
  Haihua

• Catalyst 6509 and 3560G

  Hi,
  I want to extend the number of ports available in my network and have just purchased a Cisco 3560G. We have a Cisco 6509 running in Hybrid mode. The VTP mode on the 6509 is Transparent as we have created the VLANs and port assignments manually.
  I want to add the new switch and have it hanging of port 6/8 on the Catalyst 6509.
  Am I right if I set 6/8 to trunk with Gi0/1? I was ging to do the following in order to communicate between the two switches.
  Set port 6/8 to trunking mode dot1q.
  Create VLAN 150 and 151 on the 3560G. Add ports to each of the VLANS.
  My confusion is this... if the trunk port is on one of the VLANs then the other VLAN will not be able to communicate over it. i.e. if I add the trunk into VLAN 151 then ports in VLAN 150 will not be able to send traffic over it.
  What is the ideal way to set this up?
  Thanks
  Gavin

  Set the native vlan to be the same on both ends. Mismatched native VLANs can create problems even if trunk connects.
  802.1q doesn't tag native vlan frames. As such, anytime an untagged frame arrives the switch assumes that it belongs to that vlan. Let's say if the native vlan is set to 150 on one switch and the 2nd switch that receives an untagged ARP frame will assume the traffic came in on vlan 1 (default) and if the switch doesn't know the MAC then it would forward it to vlan 1 and trunk ports. As you can see it can create problems if there's mismatched native vlans.
  Hope this helps!

• MSFC2 Error on Catalyst 6509

  I have a Catalyst 6509 with the WS-X6K-SUP2-2GE and the WS-F6K-MSFC2. When I do a show mod, the Multilayer Switch Feature display "no Other". If I do a show port on 15 it displays the port in state "errdisable". I try to enable or even disable the port but it states it is not a feature on the module. When I session the the daughter card, there are no interfaces listed. Is there a fix to get this port out of this state?

  HI Marmour,
  There can be couple of reasons why MSFC show you in other state.
  1) A corrupted Cisco IOS Software image
  2) A misseated bootflash
  3) The drop of the MSFC or MSFC2 to ROM monitor (ROMMON)
  4) MSFC not properly seated on supervisor
  Check this link out
  http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008015bfa9.shtml
  This link will guide you how to recover MSFC from any of the above mentioned problem.
  If you are not able to recover msfc with the above link I am afraid your msfc might have gone bad and you have to get your sup + msfc RMAed.
  Hope for the best and best of luck!!
  Regards,
  Ankur

• ACE10-6500-K9 module in catalyst 6509 gives this error

  Hello
  I have a module ACE10-6500-K9  inserted en module 8 of a catalyst 6509 that gave me this error yesterday.
  The workaround is to manually reset the slot ¿ok? I try to reload and the problem persists ¿is neccesary  hardware reset to solve this probem?
  Is due to a bug o hardware problem?
  %C6KPWR-SP-4-DISABLED: power to module in slot 8 set off (Module not responding to Keep Alive polling)
  Thanks you very much

  Hi, a.serrano
  The meaning of the message is as it says. Sup, to be specific,  Switch Processor of Sup sent continual keepalives through EOBC path and
  did  not hear back for keepalives from ACE in slot 8. So the Sup reset the  ACE blade in slot 8.
  I can only say that it could be h/w related or s/w related or due to  slack inserted blade with the message.
  If it is h/w related, whichever chassis slot, chassis eobc  path, ACE blade,  the first thing you need to check out is that
  failures  in generic on-line diagnostic (GOLD) from Sup side.
  Let's  see what diagnostic is running on ACE blade.
  Router#show  diagnostic content module 1
  Module 1: Application Control Engine Module
    Diagnostics test suite attributes:
       M/C/* - Minimal bootup level test / Complete bootup level test / NA
         B/* - Basic ondemand test / NA
       P/V/* - Per port test / Per device test / NA
       D/N/* - Disruptive test / Non-disruptive test / NA
         S/* - Only applicable to standby unit / NA
         X/* - Not a health monitoring test / NA
         F/* - Fixed monitoring interval test / NA
         E/* - Always enabled monitoring test / NA
         A/I - Monitoring is active / Monitoring is inactive
         R/* - Power-down line cards and need reload supervisor / NA
         K/* - Require resetting the line card after the test has completed  / NA
         T/* - Shut down all ports and need reload supervisor / NA
                                                            Test  Interval   Thre-
     ID   Test Name                          Attributes      day  hh:mm:ss.ms shold
     ==== ================================== ============     =============== =====
       1) TestEobcStressPing --------------> ***D*X**I***    not  configured  n/a
       2) TestFirmwareDiagStatus ----------> M**N****I***    000  00:00:15.00 10
       3) TestAsicSync --------------------> ***N****A***    000  00:00:15.00 10
  With ACE blade, "3) TestAsicSync" has "A" flag which means  "Monitoring is active".
  SP of Sup is sending  polling packets at a certain interval to check health of an Asic on ACE  blade.
  Now let's see failure count of that.
  Router#show diagnostic result module 1 detail
      3) TestAsicSync --------------------> .
            Error code ------------------> 0 (DIAG_SUCCESS)
             Total run count -------------> 47297
             Last test execution time ----> Feb 17 2011 05:52:34
             First test failure time -----> n/a
             Last test failure time ------> n/a
             Last test pass time ---------> Feb 17 2011 05:52:34
             Total failure count ---------> 0
             Consecutive failure count ---> 0
  If you see failure counters incremented,  check the same thing with other blades inserted in the chassis to know
  if  it is specific to slot 8 or seen with multiple slots. (different type  of blade has different type of diagnostic contents)
  Also, check  dropped and retry counters SCP as below.
  Router#remote  command switch show scp status
  Rx 22492903,  Tx 11717042,  scp_my_addr 0x5
  Id Sap      Channel name    current/peak/retry/dropped/total   time(queue/process/ack)
  0  20   SCP Unsolicited:20      0/    0/    0/      0/    0      0/    0/   0
  1  0    SCP Unsolicited:0       0/    3/    0/      0/8179027      0/    0/10036
  2  2    SCP Unsolicited:2       0/    2/    0/      0/8205700      0/    0/   0
  3  21   SCP Unsolicited:21      0/    0/    0/      0/    0      0/    0/   0
  4  1    SCP Unsolicited:1       0/    2/    0/      0/109393      0/    0/ 252
  5  18   SCP Unsolicited:18      0/    0/    0/      0/    0      0/    0/   0
  6  17   SCP Unsolicited:17      0/    0/    0/      0/    0      0/    0/   0
  7  16   SCP Unsolicited:16      0/    0/    0/      0/    0      0/    0/   0
  8  33   SCP async: LCP#6        0/   37/    0/      0/1779208    172/  240/  28
  9  32   SCP async: LCP#4        0/   24/    0/      0/2234291    296/  604/ 236
  10 37   SCP async: LCP#5        0/   61/    0/      0/1381933   1040/  716/ 236
  11 36   SCP async: LCP#1        0/ 1008/    0/      0/455925    1192/1184/ 236
  12 39   SCP async: LCP#2        0/  150/    0/      0/252763    696/  456/ 224
  Router#
  LCP# means that  "Line Card Processor of slot  #".
  If you see counters mentioned above incremented  continualy with the ACE blade in slot 8,
  try removing /  re-inserting the blade. If it persists, consider moving the ACE blade to  other slot.
  Even it persists after that, now consider h/w  replace.
  If moving slot or h/w replace do not fix the reset due to keepalive failure, or those counters incrementing,
  it might be s/w related issue.
  I do not know what  s/w version you use, however we always recommend to take the latest
  version  to have bug fixes and enhancements.
  Actually we had control plane  issue with ACE that could cause not responding to keepalive
  some  times ago.
  Let's isolate possibility of bad chassis and slack  inserted blade, then try s/w upgrading.
  If all those effort fails, pls consider h/w replace.
  If s/w upgrade is not easy option for you, try replacing ACE blade instead of s/w upgrade
  and keep s/w upgrade as the last option based on your environment.
  Regards,
  Kim

• NAT IN CATALYST 6509-HOW TO DO IT?

  Hello friends,
  The LAN CAMPUS is conformed by more than 20 VLANS and all the PCs can go to Internet.
  Now I have a new network cloud and I have to attach that network into my campus.
  To do that, I have a Public IP Pool to do translation.
  But I just need that some IPs (from diferent Vlans)could go to the new Network while keep having connecivity to Internet.
  So my Question is:
  I am not interested in perform Static NAT.
  I wonder if I can NAT a group of IPs (in different subnets) with the Public POOL. i.e: group to group.
  I have a PIX 525. I could do it in that PIX but I think It could be better to do it in the Catalyst 6509. (Because the Pix CPU percentage is High-and sometimes I have problems)
  How can I do NAT in C 6509?
  I am attaching a referecial picture.

  Hi bosalaza:
  yes, I think ACL will help so much...
  Look I need to translate only this IPs:
  172.16.8.56
  172.16.24.85
  172.16.33.95
  172.16.86.56
  172.16.125.81
  172.16.157.89
  To this Public IPs:
  200.xx.45.170
  200.xx.45.171
  200.xx.45.172
  200.xx.45.173
  200.xx.45.174
  200.xx.45.175
  But whitout Static NAT.
  And do it but in the C6509.
  I have no enough experience to perform NAt in C6509.
  Thanks in advance.

• Using Catalyst 3550 Switch with Linksys Home Router and Cable Internet

  I've about pulled what little hair I have out of my head on this one, and need some configuration help.
  I have a Cisco Catalyst 3550 switch with five Windows 7 desktops, an Avaya PBX and five Avaya IP phones attached.  All of these devices are on a 192.168.0.0/24 subnet, and are communicating properly.  I will refer to this as network # 1. I also have SEPARATE network, we'll call network # 2, using AT&T ADSL service and a Netgear 4-port/wireless router/ADSL modem combo device, which is functioning properly with a couple of other Windows 7 desktops over its own wired Ethernet network, using DHCP, and also on a 192.168.0.0/24 subnet.  I thought it would be a simple integration, just plugging one of the 3550's ports to one of the DSL router's ports, in order to give the five Windows 7 desktop computers on network # 1 internet access via the DSL modem. Guess I was wrong.  When I connect the two switches together, although I get a good connectivity (green lights on both ports) and am able to ping the DSL router's gateway address (192.168.0.252) from network # 1's computers, the computers on network # 1 cannot access the internet. Also, the working computers on network # 2 lose their internet access as long as the two switches are connected together. I am not a Cisco guru, but there's got to be a way to make this scenario work.  Can someone provide me with a 3550 configuration that will allow me to extend my internet service from network # 2 on the DSL router to my 3550 switch and their computers?  Here's what I am looking for:
  INTERNET ---> ADSL MODEM ---> NETGEAR ROUTER ---> CISCO 3550 SWITCH ---> NETWORK DEVICES WITH INTERNET ACCESS

  The Netgear router is probably what's doing the natting. Is the 3550 configured for routing or is it straight L2? If you have the 3550 configured as L3, then it's going to be easy to do what you want. Just add a static route on the Netgear to point the subnet that it doesn't know about to the 3550. For example, if the Netgear is addressed at 192.168.1.1 and the Cisco 3550 is addressed at 192.168.1.2, but it also knows about the 192.168.0.0/24 (separate vlan), then you would put a static route on your Netgear for 192.168.0.0/24 to go to 192.168.1.2.
  The way that I would do it is to create a separate vlan on the 3550 and assign an address to it. Once you do that, make the port that the other switch connects to an access port of that vlan. (It would need to be on the same subnet as the existing equipment.) All of your devices would use it as a default gateway and then you would do the rest as above. You could also use RIP between the Netgear and Cisco if you can't do static routing.
  HTH,
  John

• Catalyst 1900 switch issue - internal speed

  Hello,
  I have a catalyst 1900 switch which has been working for years without any issues. It is connected to a single subnet on one side (10 machines all on same class C) and to a service provider switch on the other.
  Recently the ftp speeds from machine to machine on the inside became very slow (20K) on a 10M port, slightly faster on the 100M port.
  The external (internet side) to internal machines however has not changed and is still fast as ever.
  Has anyone ever come across this sort of problem and if so where could I start to troubleshoot it ?
  Thank You
  Burt

  Hi,
  Thank you for your response.
  The switch (LAN side) is connected directly to 10 machines (these are webservers with multiple IPs configured)
  xx.xx.xx.6-250
  Switch itself is xx.xx.xx.254
  *** Uptime is 19days (after a reset to try to find this problem)
  *** STP (port fast mode) is enabled on all ports
  *** Monitoring the receive statstics for each port shows FCS errors and Alignment Errors about 2% (each) of the total good frames. I am not sure if this is normal however there were always some FCS and Alignment errors.
  *** Monitoring transmit statistics shows no errors.
  *** the switch reloads when reset
  *** not sure how to get crashinfo on this switch.
  You can contact me offlist at [email protected] if you need report info as this appears to be limited to 4000 chars.
  THank You
  Burt

• Configuring the Catalyst 6500 Switch for IPS Inline Operation of the IDSM

  I understand how to configure the Catalyst 6500 switch so that the monitoring ports are access ports in two separate VLAN's for inline operation.
  However, I don't see any documentation that describes how the desired VLAN traffic gets forced through the IPS.
  In promiscuous mode, you can use VACL's to copy/capture and forward the desired traffic to the IDSM for analysis. I'm not seeing how to get the desired traffic through the IPS.
  Note that the host 6500 is running native IOS 12.2(18)SXE.
  Thanks for any assistance.

  A tranparent firewall is a fairly good comparison.
  Let's say you have vlan 10 with 100 PCs and 1 Router for the network.
  If you want to apply a transparent firewall on that vlan you can not simply put one interface of the firewall on vlan 10. Nothing would go through the firewall.
  Instead you have to create a new vlan, let's say 1010. Now you place one interface of the firewall on vlan 10 and the other on vlan 1010. Still nothing is going through the firewall. So now you move that Router from vlan 10 to vlan 1010. All you do is change the vlan, the IP Address and netmask of the router stay the same.
  The transparent firewall bridges vlan 10 and vlan 1010. The PCs on vlan 10 ae still able to communicate to and through the router, but must go through the transparent firewall to do so.
  The firewall is transparent because it does not IP Route between 2 vlans, instead the same IP subnet exists on both vlans and the firewall transparently beidges traffic between the 2 vlans.
  The transparent firewall can do firewalling between the PCs on vlan 10 and the Router on vlan 1010. But is PC A on vlan 10 talks to PC B on vlan 10, then the transparent firewall does not see and can not block that traffic.
  An InLine sensor is very similar to the transparent firewall and will bridge between the 2 vlans. And similarly an InLine sensor is able to InLine monitor traffic between PCs on vlan 10 and the Router on vlan 1010, but will not be able to monitor traffic between 2 PCs on vlan 10.
  Now the router on one vlan and the PCs on the other vlan is a typical deployment for inline sensors, but your vlans do not Have to be divided that way. You could choose to place some servers in one vlan, and desktop PCs in the other vlan. You subdivide the vlans in what ever method makes sense for your deployment.
  Now for monitoring multiple vlans the same principle still applies. You can't monitor traffic between machines on the same vlan. So for each of the vlans you want to monitor you will need to create a new vlan and split the machines between the 2 vlans.
  In your case with Native IOS you are limited to only 1 pair of vlans for InLine monitoring, but your desired deployment would require 20 vlan pairs.
  The 5.1 IPS software has now the capability to handle the 20 pairs, but the Native IOS software does not have the capability to send the 40 vlans (20 pairs) to the IDSM-2.
  The Native IOS changes are in testing right now, but I have not heard a release date for those changes.
  Now Cat OS has already made these changes. So here is a basic breakdown of what you could do in Cat OS and you can use in preparation for a Native IOS deployment when it gets released.
  For vlans 10-20, and 300-310 that you want monitored you will need to break each of those vlans in to 2 vlans.
  Let's say we make it simple and add 500 to each vlan in order to create the new vlan for each pair.
  So you have the following pairs:
  10/510, 11/511, 12/512, etc...
  300/800, 301/801, 302/802, etc....
  You set up the sensor port to trunk all 40 vlans:
  set trunk 5/7 10-20,300-310,510-520,800-810
  (Then clear all other vlans off that trunk to keep things clean)
  In the IDSM-2 configuration create the 20 inline vlan pairs on interface GigabitEthernet0/7
  Nw on each of the 20 original vlans move the default router for each vlan from the original vlan to the 500+ vlan.
  At this point you should ordinarily be good to go. The IDSM-2 won't be monitoring traffic that stays within each of the original 20 vlans, but Would monitor traffic getting routed in and out of each of the 20 vlans.
  Because of a switch bug you may have to have an additional PC moved to the same vlan as the router if the switch/MSFC is being used as the router and you are deploying with an IDSM-2.