Cisco 2504 OEAP NAT directly connect AP's no ip

Similar Messages

• Inside lan is not reachable even after cisco Remote access vpn client connected to router C1841 But can ping to the router inside interface and loop back interface but not able to ping even to the directly connected inside device..??

  Hii frnds,
  here is the configuration in my router C1841..for the cisco ipsec remote access vpn..i was able to establish a vpn session properly...but there after i can only reach up to the inside interfaces of the router..but not to the lan devices...
  Below is the out put from the router
  r1#sh run
  Building configuration...
  Current configuration : 3488 bytes
  ! Last configuration change at 20:07:20 UTC Tue Apr 23 2013 by ramana
  ! NVRAM config last updated at 11:53:16 UTC Sun Apr 21 2013 by ramana
  version 15.1
  service config
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname r1
  boot-start-marker
  boot-end-marker
  enable secret 5 $1$6RzF$L6.zOaswedwOESNpkY0Gb.
  aaa new-model
  aaa authentication login local-console local
  aaa authentication login userauth local
  aaa authorization network groupauth local
  aaa session-id common
  dot11 syslog
  ip source-route
  ip cef
  ip domain name r1.com
  multilink bundle-name authenticated
  license udi pid CISCO1841 sn FHK145171DM
  username ramana privilege 15 secret 5 $1$UE7J$u9nuCPGaAasL/k7CxtNMj.
  username giet privilege 15 secret 5 $1$esE5$FD9vbBwTgHERdRSRod7oD.
  redundancy
  crypto isakmp policy 10
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp client configuration group ra-vpn
  key xxxxxx
  domain r1.com
  pool vpn-pool
  acl 150
  save-password
    include-local-lan
  max-users 10
  crypto ipsec transform-set my-vpn esp-3des esp-md5-hmac
  crypto dynamic-map RA 1
  set transform-set my-vpn
  reverse-route
  crypto map ra-vpn client authentication list userauth
  crypto map ra-vpn isakmp authorization list groupauth
  crypto map ra-vpn client configuration address respond
  crypto map ra-vpn 1 ipsec-isakmp dynamic RA
  interface Loopback0
  ip address 10.2.2.2 255.255.255.255
  interface FastEthernet0/0
  bandwidth 8000000
  ip address 117.239.xx.xx 255.255.255.240
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  crypto map ra-vpn
  interface FastEthernet0/1
  description $ES_LAN$
  ip address 192.168.10.252 255.255.255.0 secondary
  ip address 10.10.10.1 255.255.252.0 secondary
  ip address 172.16.0.1 255.255.252.0 secondary
  ip address 10.10.7.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
  ip local pool vpn-pool 172.18.1.1   172.18.1.100
  ip forward-protocol nd
  ip http server
  ip http authentication local
  no ip http secure-server
  ip dns server
  ip nat pool INTERNETPOOL 117.239.xx.xx 117.239.xx.xx netmask 255.255.255.240
  ip nat inside source list 100 pool INTERNETPOOL overload
  ip route 0.0.0.0 0.0.0.0 117.239.xx.xx
  access-list 100 permit ip 10.10.7.0 0.0.0.255 any
  access-list 100 permit ip 10.10.10.0 0.0.1.255 any
  access-list 100 permit ip 172.16.0.0 0.0.3.255 any
  access-list 100 permit ip 192.168.10.0 0.0.0.255 any
  access-list 150 permit ip 10.10.7.0 0.0.0.255 172.18.0.0 0.0.255.255
  access-list 150 permit ip host 10.2.2.2 172.18.1.0 0.0.0.255
  access-list 150 permit ip 192.168.10.0 0.0.0.255 172.18.1.0 0.0.0.255
  control-plane
  line con 0
  login authentication local-console
  line aux 0
  line vty 0 4
  login authentication local-console
  transport input telnet ssh
  scheduler allocate 20000 1000
  end
  r1>sh ip route
  Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2
         i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
         ia - IS-IS inter area, * - candidate default, U - per-user static route
         o - ODR, P - periodic downloaded static route, + - replicated route
  Gateway of last resort is 117.239.xx.xx to network 0.0.0.0
  S*    0.0.0.0/0 [1/0] via 117.239.xx.xx
        10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
  C        10.2.2.2/32 is directly connected, Loopback0
  C        10.10.7.0/24 is directly connected, FastEthernet0/1
  L        10.10.7.1/32 is directly connected, FastEthernet0/1
  C        10.10.8.0/22 is directly connected, FastEthernet0/1
  L        10.10.10.1/32 is directly connected, FastEthernet0/1
        117.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
  C        117.239.xx.xx/28 is directly connected, FastEthernet0/0
  L        117.239.xx.xx/32 is directly connected, FastEthernet0/0
        172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
  C        172.16.0.0/22 is directly connected, FastEthernet0/1
  L        172.16.0.1/32 is directly connected, FastEthernet0/1
        172.18.0.0/32 is subnetted, 1 subnets
  S        172.18.1.39 [1/0] via 49.206.59.86, FastEthernet0/0
        192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
  C        192.168.10.0/24 is directly connected, FastEthernet0/1
  L        192.168.10.252/32 is directly connected, FastEthernet0/1
  r1#sh crypto isakmp sa
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  117.239.xx.xx   49.206.59.86    QM_IDLE           1043 ACTIVE
  IPv6 Crypto ISAKMP SA
  r1 #sh crypto ipsec sa
  interface: FastEthernet0/0
      Crypto map tag: giet-vpn, local addr 117.239.xx.xx
     protected vrf: (none)
     local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
     remote ident (addr/mask/prot/port): (172.18.1.39/255.255.255.255/0/0)
     current_peer 49.206.59.86 port 50083
       PERMIT, flags={}
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts compr. failed: 0
      #pkts not decompressed: 0, #pkts decompress failed: 0
      #send errors 0, #recv errors 0
       local crypto endpt.: 117.239.xx.xx, remote crypto endpt.: 49.206.xx.xx
       path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
       current outbound spi: 0x550E70F9(1427009785)
       PFS (Y/N): N, DH group: none
       inbound esp sas:
        spi: 0x5668C75(90606709)
          transform: esp-3des esp-md5-hmac ,
          in use settings ={Tunnel UDP-Encaps, }
          conn id: 2089, flow_id: FPGA:89, sibling_flags 80000046, crypto map: ra-vpn
          sa timing: remaining key lifetime (k/sec): (4550169/3437)
          IV size: 8 bytes
          replay detection support: Y
          Status: ACTIVE
       inbound ah sas:
       inbound pcp sas:
       outbound esp sas:
        spi: 0x550E70F9(1427009785)
          transform: esp-3des esp-md5-hmac ,
          in use settings ={Tunnel UDP-Encaps, }
          conn id: 2090, flow_id: FPGA:90, sibling_flags 80000046, crypto map: ra-vpn
          sa timing: remaining key lifetime (k/sec): (4550170/3437)
          IV size: 8 bytes
          replay detection support: Y
          Status: ACTIVE
       outbound ah sas:
       outbound pcp sas:

  hi  Maximilian Schojohann..
  First i would like to Thank you for showing  interest in solving my issue...After some research i found that desabling the " IP CEF" will solve the issue...when i desable i was able to communicate success fully with the router lan..But when i desable " IP CEF "  Router cpu processer goes to 99% and hangs...
  In the output of " sh process cpu" it shows 65% of utilization from "IP INPUT"
  so plz give me an alternate solution ....thanks in advance....

• Cisco 3850 - Direct Connect APs

  Can you non-directly connect APs to a 3850. For example if you had multiple offices within one branch site and your 3850 MC was in the server rack and had 2960s in the other offices. Could you connect your APs to the 2960 switch and have them joined to the 3850 MC?
  I've read that APs need to be directly connected to the 3850 however it supports flexconnect?
  Would appreciate if anyone could shed some light.
  Thanks,

  3850 won't support flexconnect. Also you have to directly connect AP to 3850 (not via transient switches like 2960).
  Refer this Q&A to find answer to your both queries
  http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps12686/qa_c67-722110.html
  HTH
  Rasika

• Cannot ping Cisco C series server using direct connect to UCSM

  We have connected 2 Cisco C series servers (VIC 1225 Cards) with direct connect to Fabric Interconnects and managed via UCSM but cannot get network working.
  Service profiles have been created and pushed with only 1 VLAN and the default VLAN as native but cannot communicate with IP address configured.  Mac address is learnt at the Nexus 5K northbound switches.  Seems to be a VLAN tagging issue somewhere

  We do not use the CIMC as the server is all managed from UCSM and the CIMC has to be set to default for this mode
  Sorry I was not clear; I mean of course that even with UCSM, your C-series server will get an IP address for CIMC, which is used if you open a KVM session. You should be able to ping this IP address.

• Wi-Fi Installation in large property W/Cisco 2504

  Hi,
  I have an interesting job where i am having to fit a wifi network through a large property. I was advised to use the Cisco 2504 WLC and 9 x Cisco AIR-AP1142N access points.
  I know that out of the box the AP's (in standalone versions) have the GUI enabled.
  Not being completley up with CLI etc, is the WLC GUI enabled straight out of the box? if not, is it complicated to get it up and running? I'm pretty good at learning/understanding these things just as long as i have a rough idea of what to do!
  Thanks in advance,
  Josh                  

  Thats great, Thanks steve.
  I have the Controller (although AP's are still on order - out of stock ) but i have one final question before i start to set it up!
  I'm looking at this guide: http://www.cisco.com/en/US/docs/wireless/controller/2500/quick/guide/ctr2504_q_s.html#wp34023 and it talks about Management interface. I presume the management IP address would be the fixed ip of the controller if you like.
  So if i had a network with a DHCP server. The Router/Server was 192.168.2.1 and the DHCP range started from .10, i could set this to be 192.168.2.2 with the router of the management interface to be .2.1. I then could set the VLAN id to be 0 as i don't need a seperate managment lan (it's only for a house afterall, and if i lock it down with passwords it should be fine).
  With the Management Port, i presume that can be the port that connects into the main PoE Switch, similalry the Management DHCP server would be 192.168.2.1?
  Virtual Gateway IP address i guess is irelevant as there will be no mobility group?
  And DHCP bridging, like on any other wifi system/AP would be 'No' as the Router will be dealing with all DHCP requests?
  Thanks again for your fantastic help so far!
  Josh

• How do you promote a static route over a directly connected?

  Hi all,
  I have a need for a static route to be used instead of a directly connected route. (Long story - involving firewalls and anti-spoofing.. but can go further if required)
  I am using a Cisco 3750 switch. I notice directly connected routes have a metric of 0, and the highest metric I can give a static route is 1.
  Therefore, how is it possible for me to make the switch use the static route and not the directly connected?
  Any help would be appreciated!
  Cheers,
  Ben

  Hi Rick,
  Thanks for your patience.
  Maybe I should start again.
  Initially we had 16 VLANs within the 10.0/16 address space. We have some Cisco 3750's connected by dark fibre accross a couple of kms and then lower access switches all hanging of these by some means. The network is flat.
  We have a checkpoint firewall hanging off one of the 3750s connected using a TRUNK port. The firewall has an IP address on all VLANs and is used to route traffic between VLANs based on its ruleset.
  So if I have a user in VLAN 10 who wants to talk to VLAN 20, they travel to the firewall, if a rule permits the access, the firewall routes the packet on to VLAN 2 and the switches deliver at Layer 2.
  The switches all have their default VLAN 1 disabled, and have an IP address on our management VLAN to allow us to manage the switches.
  Its quite important that this IP is on a secured management VLAN as we don't want just anyone being able to snoop switch logins etc..
  If we need to login to a switch, the firewall routes our traffic from whatever VLAN we are on to the Management VLAN.
  One of our VLANs (the Desktop VLAN) is quite large (approx 1300 hosts) and suffers a great deal from too much arp broadcast traffic.
  As we have a flat switched network across several kms, the cost of putting in routers to subnet this large VLAN is excessive.
  However, the 3750's we have are perfectly capable of routing between VLANs, so we decide to create a load of new VLANs instead of subnetting our large VLAN. We don't want to use the firewall to route between these new VLANs as thats just giving the firewall more to do, and previously all these hosts were on a single subnet, so we have no need for any strict security - at most we can use ACLs on the switches if we even need that!
  So far so good.
  With 1300 hosts, we obviously can't make sudden topology changes. Therefore we need to be able to route between the Desktop VLAN and the new VLANs.
  We therefore introduce the static routes between the firewall and the switches.
  So the firewall says:
  route 10.1.0.0/16 via Multilayer switch IP on 10.1.0.0/16
  The multilayer switch says:
  route 10.0.0.0/16 via Firewall IP on 10.1.0.0/16
  This allows routing perfectly between the Desktop VLAN and the new VLANs.
  However the moment we enable ip routing on the switches we break access between the desktop VLAN and the Management VLAN.
  A packet leaves the desktop VLAN through the default gateway on the firewall. This is then routed to the Management VLAN. The return packet doesn't use the Management VLAN default gateway (firewall), it follows the static route on the switch and ends up at the firewall on 10.1.0.0/16. This is subsequently dropped as the firewall knows the packet hasn't come from the 10.1.0.0/16 network, it originally came from the desktop VLAN on 10.0.0.0/16.
  It might seem we can define a route on the switch to say:
  route 10.0.50.0/24 (management VLAN) via 10.0.50.254 (firewall). However, this would result in all packets from 10.1.0.0/16 being dropped by the firewall.
  The other problem is that if we are on a new VLAN and want to talk to the management VLAN. The packet goes to its default gateway on the switch. The switch says - "I have an IP on the management VLAN, its directly connected" - therefore it ignores the static route, and passes the packet on its way. We have now bypassed the firewall, which is bad.
  Incidentally the return packets get routed through the firewall and dropped, as the original packet didn't come through the firewall, there is no entry in the state table for its return.
  I think if we turned off the management interface on the switch and managed it through the interface on 10.1.0.0/16, I assume everything would work. However, we don't want to do this for a whole load of other reasons I wont go into.
  Im sure there must be a fairly simple solution - I just don't have enough experience!
  Cheers,
  Ben

• Direct connect to UCS FI from EMC VNX 5300

  Hi,
  I'm looking for any configuration recommendations or best practices for configuring a VNX 5300 unified for direct connect to UCS Fabric Interconnects.
  The direct connect wil be 10GB on both the file and block side.
  Are their any guides or recommendations anyone may have?
  I've looked and cannot find much.

  Hi Manuel,
  Two things:
  1) Take a look at the following matrix for the supported version
  http://www.cisco.com/en/US/docs/switches/datacenter/mds9000/interoperability/matrix/Matrix8.html
  2) Currently the direct attch FC is supported under a restricted to topologies in which the zoning  database is provided from an upstream Cisco MDS 9000 switch or Nexus  5000 or 5500 switch. Hence you would still have to conenct an MDS or a N5K to the FIs for the zoning info.
  ./Abhinav

• Direct Connect OSPF and BGP AWS failover setup

  Hi,
  We recently installed AWS Direct Connect which was successful but now we are looking at the best way to  automatically fail over if our Direct Connect fails to route via our back VPN.
  The setup
  Cisco 6500 distributes routes via OSPF internally to all production environments with one area set.
  A second Cisco 2901 was installed to support the AWS Direct Connect which uses BGP with a single ASN. This router is connected to the Cisco 6500 and now within the OSPF area.  Static routes exist to the Cisco 2901 currently which unless we physically detach from the network fail over wont work.
  What we want to achieve
  The Cisco 2901 Direct Connect to be the default AWS route until we have a link issue or alike and dynamically fail over to our VPN via the firewall to AWS.  What we are confused is do we advertise these BGP routes within OSPF or should we setup BGP on the Cisco 6500? 
  I appreciate your time.

  Hi,
  We recently installed AWS Direct Connect which was successful but now we are looking at the best way to  automatically fail over if our Direct Connect fails to route via our back VPN.
  The setup
  Cisco 6500 distributes routes via OSPF internally to all production environments with one area set.
  A second Cisco 2901 was installed to support the AWS Direct Connect which uses BGP with a single ASN. This router is connected to the Cisco 6500 and now within the OSPF area.  Static routes exist to the Cisco 2901 currently which unless we physically detach from the network fail over wont work.
  What we want to achieve
  The Cisco 2901 Direct Connect to be the default AWS route until we have a link issue or alike and dynamically fail over to our VPN via the firewall to AWS.  What we are confused is do we advertise these BGP routes within OSPF or should we setup BGP on the Cisco 6500? 
  I appreciate your time.

• Help required to implement Cisco 2504 WLC and 1042 Access Points

  Hi,
  My name is Vidya Sagar. I am new to Wireless technology. We are planning to implement Wireless in our office. I have given the requirements below. Kindly go through the details and let me know how to start.
  We have purchased Cisco 2504 Wireless Controller (One) and Ciscon 1042 Access Points (Five). At present I am going to use 3 access points only.
  I have attached a simple diagram of our office network. We have more than 30 VLANs configured in Core Switch, we are planning to give wifi access to only 3 VLANs.
  1. VLAN 121 ( IP Segment - 10.52.121.0 /24)
  2. VLAN 116 ( IP Segment - 10.52.116.0 /24)
  3. VLAN 100 ( IP Segment - 192.168.100.0 /24) (Guest)
  Please give me a implementation plan to do this. I would like to use LDAP or ACS for authentication purpose.
  Regards,
  Vidya Sagar

  Lets just do this simple first before you start using ACS as that will require a certificate installed on the ACS for using PEAP.
  So first off, the WLC we will say is in vlan 10. When you are going through the startup wizard, make sure you define the vlan tag to 10 on the management interface. Make sure your virtual interface is an IP address that is not routed in your network, like an out of band IP.
  Make sure the WLC time is correct or use NTP!!!!
  Now you should be able to http or https to the WLC. I would upgrade the code to v7.4 and install the FUS image. Please reference this link for the upgrade procedure. You don't have to upgrade now... I would wait till you get everything working first.
  http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn74.html
  Now I would connect the APs on the same vlan as the WLC for now. Make sure there is dhcp on that subnet. Once the APs have joined, then you can move them to any subnet you want. Since you don't have many APs it would be okay to leave them in the same vlan as the WLC management or out them on any other vlan you choose. The APs will be connected to an access port NOT a trunk port!!!!
  The WLC will need to be connected on a dot1q trunk port only allowing vlans 10,100,116,121. The 2504 running v7.4 will support LAG (etherchannel). Any ways, your switch port should look like this for example only
  Interface gigabit1/0/1
  description WLC2504
  switch port trunk encapsulation dot1q
  switchoort mode trunk
  switch trunk allowed vlans 10,100,116,121
  spanning-tree portfast trunk
  channel-mode group 10 mode on << only for v7.4 if you use lag
  Don't connect all four ports right now, just port one!!!!
  Your Guest vlan, you will need to create an ACL to block traffic from accessing the internal network. You might want to allow dhcp and DNS bit I would leave it open first until you can verify everything is working.
  Now on the WLC you need to create a dynamic interface for vlan 100, 116, and 121. If you click on the Controller tab in the GUI and click on interfaces on the left hand side, that will take you to where you can add/delete/modify your interfaces. When creating these interfaces, make sure you add the dhcp server IP address for the primary and or backup.
  Now that you have your dynamic interfaces created, its time I create your SSID. Now click on the WLAN tab on the GUI and click on WLAN and then on the too right select Create New and then click go. Select WLAN on the drop down menu and then for the profile name I would use the SSID name also for simplicity.lean e the WLAN id to 1 for this and 2 for the next and so on. After defining these and clicking Apply you can now define your SSID. On the General tab, enable the status and leave the radio policy to all for now, you can decide later what you want to use. Choose your interface you wan to place this SSID on and enable Broadcast SSID for now and leave everything else alone. Now click on the Security tab and on the layer 2 Security, leave it at WPA + WPA2, only check WPA2 Policy and for WPA2 encryption choose AES only. Now go to the bottom of that screen and choose PSk. We will do pre shared key for now so you get to understand the setup and make sure everything is working first. Now on the PSK format, choose ASCII and put your pre shared key in the input box. Make this simple to for testing. You don't want to put in symbols or anything like that. When you are don with that, check apply on the top right and test.
  Now you can repeat this with your other SSIDs just to test. Your guest network you can leave open for now to test open authentication.
  Here are some links for the WebAuth feature:
  https://supportforums.cisco.com/docs/DOC-13954
  http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b1a506.shtml
  Now if you want to use ACS with PEAP, here is some links for that:
  https://supportforums.cisco.com/videos/2499
  http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080bd1100.shtml
  https://www.google.com/url?sa=t&source=web&cd=8&ved=0CFQQtwIwBw&url=http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DWk_bRdmsQlA&ei=_BEyUeCYM8TdqAHHsICAAw&usg=AFQjCNF8PiVBQK1Kipb4j8AzD153bKtmgA&sig2=smHhNVmCr2of2NzbnDhGmw
  Well that is it, hopefully you can get the wireless up for testing and verifying everything works!
  Sent from Cisco Technical Support iPhone App

• Limitations associated with Direct Connecting arrays to UCS FIs.

  I understand that in order to direct connect an array to UCS, the FIs have to be put into Switch mode(NPIV).  But once the FI's are in Switch Mode, is it impossible to attach other SAN switches to the fabric interconnects?
  It is my understanding that you could accomplish this because it wouldn't be much different then an extended SAN fabric in which an array's traffic would have to travel through 2 FC switches to arrive at a host.  But perhaps I'm missing something.
  Thanks in advance.

  You can have directly attached storage and FC switches at the same time, in fact until recently it was required since UCS did not do zoning. 
  http://www.cisco.com/c/en/us/support/docs/servers-unified-computing/ucs-infrastructure-ucs-manager-software/116082-config-ucs-das-00.html
  The questions is whether you really want to do it that way, I think for 95% of deployments, if not more, end host mode is recommended. 
  If you're already planning to attach FC switches, best to place storage on them. 
  Have a look at FlexPod (of Vblock) designs.

• Direct Connection between clients using sockets

  Hi, I'm a new user and i have a problem with sockets:
  The question is how can i directly connect two users that are already connected to a server in other machine???
  I mean
  user1 is connected to server
  user2 is connected to server
  user1 tries to communicate with user1 but don't want to use the server, and the server only provides the client1's ip
  I first thought to do this:
  user2 asks to server for the info of a client1-server waiting for connections, and i think it could work fine, but only if the ports are not closed by firewall, because client-server will be running in a transparent mode for user and user may not know anything about servers, sockets, ports, etc. the user only will work with a gui or something else and that's all
  Does anybody know what can i do to make this possible???
  PD
  Sorry for my bad English

  It can be implemented like you said. Make one of the clients open a serversocket and pass the ip and port number through the server to the other client with information on where to connect.
  If you're going to use direct connection between clients a lot then I would recommend that every client open a default serversocket at startup and register that information with the server and then every other client can ask the server for the ip and port to whatever client they wish to open a direct connection to.
  Be aware that clients often are behind NATs and firewalls, so if need to deal with those issues you got to use hole punching (http://en.wikipedia.org/wiki/hole_punching) - pref on a known port like 80 - and to deal with the less frequently used application firewalls you can use http encapsulation in addition.

• Unable to directly connect WTI CMS-16 to a SG200-26 switch

  Hello,
  We recently replaced a Netgear 16-port JGS516 gigabit switch with a Cisco SG200-26 switch.  When we did, we lost our ability to talk to our WTI CMS-16 (Western Telematics 16-port serial lines).   The CMS-16 has a 10Base-T Ethernet, RJ45 connector that provides telnet access to 16 serial ports.
  When we put a Netgear DS104 hub in between the CMS-16 and the SG200-26, all is well.  Packets flow back and forth and we are able to ping and telnet to the CMS-16 through the hub.
  When we directly connect the CMS-16 to the SG200-26 and ping the CMS-16, the "Status & Statistics"->Interface records transmitted packets and "nil" received packets. By "nil" we mean that if we wait long enough the statistics reports an occasional (about once every few minutes) 68-octet Unicast packet was received.
  When the CMS-16 is directly connected, the SG200-26 link light is lit. We cannot Administration->Diagnostics->"Copper Test" because the "Copper Test" button is greyed out.
  When the CMS-16 is plugged into the Netgear DS104 hub, the CMS-16 port has its 10M LED lit, and the port connected to the SG200-26 has its 100M LED lit.
  Our SG200-26 switch is running firmware version 1.1.0.73.   We are using a single LVAN ... nothing fancy.  The CMS-16 is running firmware version 2.06.
  Do we need to configure the port on the SG200-26 in some special way to deal with this legacy CMS-16 device?
  chongo (Landon Curt Noll) /\oo/\

  Hello Dave,
  We tried your idea by making the following change on the SG200-26:
  Administration -> Port Management -> Port Settings -> 7 -> ((Click Edit))
      ((unplug the cms-16 from Port 7))
      Interface: GE7
      Port Description: cms-16
      Administrative Status: (*) Up
      Reactivate Suspected Port: [x]
      Auto Negoation: [ ] Enable
      Administrative Port Speed: (*) 10M
      Administrative Duplex Mode: (*) Half
      MDI/MDIX: (*) Auto
      ((Click Apply))
      ((Plug in ithe cms-16 to Port 7))
  Unfortunately that did not fix the problem.  Namely:
  When we directly connect the CMS-16 to the SG200-26 and ping the CMS-16, the "Status & Statistics"->Interface records transmitted packets and "nil" received packets. By "nil" we mean that if we wait long enough the statistics reports an occasional (about once every few minutes) 68-octet Unicast packet was received. We cannot Administration->Diagnostics->"Copper Test" because the "Copper Test" button is greyed out.
  When we put a Netgear DS104 Dual-Speed "hub" in between the CMS-16 and the SG200-26, all is well.  Packets flow back and forth and we are able to ping and telnet to the CMS-16 through the hub.  Now both the CMS-16 port and the port connected to the SG200-26 has both of their 10M LEDs lit.  (i.e., the above configuration change DID force the port to operate at 10M).
  Are there other parametes we need to change on the SG200-26?
  Thanks for your help.
  chongo (Landon Curt Noll) /\oo/\
  p.s. We have two Network Power Switches, also by the same manufacturer (WTI) and of the same "vintage" (c. 2000) that operate just fine at 10M and Half Duplex.

• Catalyst 3650 as MC with non-directly connected APs

  Hello,
  I have a Catalyst 3650 operating as a Mobility Controller.  I had to change the interfaces on the 3650 that connected to the access points to explicit access ports (switchport mode access).  Before that command was configured, the APs sparatically dropped from the controller - now they are fine.  I have a few other APs in the building that cannot be directly connected to the 3650, but need to terminate CAPWAP with it.  The uplink from another switch (Access Switch 1) to the 3650 is a trunk, and the port from Acccess Switch 1 to the AP is an access port, however I getting the same message in the 3650's logs about it not being an access port and the AP is dropping connection to the MC.
  How can I properly terminate CAPWAP from an AP connecting to Access Switch 1 through a trunk to the 3650 operating as a Mobility Controller?
  Thanks

  with the 3850, the AP needs to be directly connected to the switch for it to be able to terminat the CAPWAP tunnel.  If your other closet switch is a 3850, you can put it in MA mode, and build the SPG to the MC.
  http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3850-series-switches/deployment_guide_c07-727067.html
  HTH,
  Steve
  Please remember to rate useful posts, and mark questions as answered

• C220 w/ VIC 1225 directly connected to NAS

  Hello, does anyone know if I can directly connect a VIC1225 port to a 10GB port on a NAS system? I would be using a twinax cable to do so. My only concern is that since they are like devices, I could need some sort of twinax crossover cable. Could it be that either the VIC1225 or the NAS 10GB port have auto sensing capabilities to switch the send/receive pair?

  Hi Denny,
  Please find this document, as this would be useful for troubleshooting.
  http://www.cisco.com/en/US/prod/collateral/modules/ps10277/ps12571/data_sheet_c78-708295.html

• Cisco Nexus 3K Layer 3 Connectivity Issue while using Optical SFP

  Dear All,
  Am facing L3 reachability issue between N3k switched, even in same subnet. Also checked that VLAN is allowed under trunk port.
  I can able to see the switch details as CDP neighbour.
  We are using SVI, and found all the SVI and Interface protocol status is up/up. So to test I use a host to directly connect N3k with Optical SFP in access port, found failure on reachability, but while replacing with SFP ethernet module instead of SFP optical module reachability is okay.
  Please help me to resolve this issue.
  Thanks,
  Kannan,

  Hello Amit,
  Pls find the following details..
  We use SFP-10G-LR Modules on both end, we also replaced and checked with SFP-10G-SR modules as well..
  Software
    BIOS:      version 1.9.0
    loader:    version N/A
    kickstart: version 6.0(2)A1(1b)
    system:    version 6.0(2)A1(1b)
    Power Sequencer Firmware:
               Module 1: version v3.1
    BIOS compile time:       10/13/2012
    kickstart image file is: bootflash:///n3500-uk9-kickstart.6.0.2.A1.1b.bin
    kickstart compile time:  9/5/2013 14:00:00 [09/05/2013 22:37:16]
    system image file is:    bootflash:///n3500-uk9.6.0.2.A1.1b.bin
    system compile time:     9/5/2013 14:00:00 [09/06/2013 02:25:01]
  Hardware
    cisco Nexus 3548 Chassis ("48x10GE Supervisor")
  Thanks for the reply,and sry for my delayed response..