Cisco IGESM Configuration
Guys,
Can the IBM BladeCenter chassis be used to connect the blade servers to different subnets (and to different physical segments as well)? The specific configuration I have uses the Cisco IGESM switches.
Thanks guys.
Hello,
Not sure if this is what you are asking, but I think you need an external router for that. That is, you can configure the IGESM ports for different VLANs, but in order to route between the VLANs you need a routing device.
Check the "Cisco Systems Intelligent Gigabit Ethernet Switch Modules Software Configuration Guide" at the link below, and consult the chapter "Configuring Interface Characteristics" (Figure 7-1):
http://www.cisco.com/application/pdf/en/us/guest/products/ps6294/c1067/ccmigration_09186a00805b60d4.pdf
Regards,
GP
Similar Messages
-
Catalyst 2960 - IBM/Cisco IGESM - Trunk port configuration
Good day all!
I am new to the Cisco world and am trying to configure a trunk between a Catalyst 2960 switch and an IBM BladeCenter IGESM switch (manufactured by Cisco).
Unfortunately, it seems that the network traffic doesn't cross the trunk link.
I have followed (at least, I think so) the instructions given on the different Cisco documentation papers but I can't find the mistake in my configuration (lack of experience :-( !).
Both switches are using IOS. 2960 uses IOS 12.2(25)FX and IGESM uses IOS 12.2(22)EA8.
The ports are connected with a Cat5e cross-over cable.
Please find below the configuration for each port:
Catalyst 2960:
Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 200 (Workstation VLAN)
Trunking Native Mode VLAN: 200 (Workstation VLAN)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: 1,99,200
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
IBM/Cisco IGESM:
Name: Gi0/20
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 200 (Workstation VLAN)
Trunking Native Mode VLAN: 200 (Workstation VLAN)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: 1,99,200
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
For my test, I try to ping a blade (connected to the IGESM) in VLAN 200 from a workstation connected to the Catalyst 2960 (in VLAN 200 too). With a network analyser (Ethereal), I can see the ARP broadcasts from each side, but none are going across the trunk link.
I am a bit lost about this problem and would be grateful for any assistance in solving it!
Many, many thanks in advance for your time!
Best regards,
Fabian
Hi Glen!
Both switches (Catalyst 2960 & IGESM) are brand new and most ports still reflect the manufacturer's default configuration. VLAN 2 is the default native VLAN for IGESM ports (excluding the ports used for switch management, which use VLAN 1 as on most Cisco switches).
I changed the native VLAN for g0/5 on the IGESM to 200. Now, ports g0/5 (access mode) and g0/20 (trunk mode) are on native VLAN 200. A Windows 2003 instance (firewall disabled) is installed on g0/5; its only purpose is to send and receive ping requests to test connectivity.
My workstation is connected to the 2960 switch on port fa0/1 (please find the configuration below). I can successfully ping other VLAN 200 machines connected to the same switch. For testing purposes, I try to ping the blade machine connected to port g0/5 on the IGESM.
Configuration of fa0/1:
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 200 (Workstation VLAN)
Trunking Native Mode VLAN: 200 (Workstation VLAN)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
Is there any other information I could provide to help you better understand the configuration?
Cheers!
Fabian -
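A small checker, added here as an example (it is not part of the thread), that compares the pasted `show interfaces switchport` blocks from both trunk ends and the two access ports behind them, and reports what would stop the ping above from working. The sample outputs are constructed from the values quoted in the thread, with Gi0/5 shown in the IGESM default VLAN 2 (the state before it was moved to VLAN 200); the field labels are the ones printed in the thread.

```python
"""Compare both ends of an 802.1Q trunk, and the access ports behind them, from
pasted `show interfaces switchport` output (constructed sample text below)."""
from dataclasses import dataclass

# Labels printed by `show interfaces switchport` -> attribute names
FIELDS = {
    "Name": "name",
    "Operational Mode": "mode",
    "Operational Trunking Encapsulation": "encap",
    "Access Mode VLAN": "access_vlan",
    "Trunking Native Mode VLAN": "native_vlan",
    "Trunking VLANs Enabled": "allowed",
}

@dataclass
class Switchport:
    name: str = ""
    mode: str = ""
    encap: str = ""
    access_vlan: int = 0
    native_vlan: int = 0
    allowed: "set | None" = None  # None means "ALL"

def expand_vlan_list(spec: str) -> "set | None":
    """'1,99,200' -> {1, 99, 200}; '2-4' -> {2, 3, 4}; 'ALL' -> None."""
    if spec.strip().upper() == "ALL":
        return None
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans

def parse_switchport(text: str) -> Switchport:
    """Parse one port's `show interfaces switchport` block; unknown lines are ignored."""
    port = Switchport()
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        attr = FIELDS.get(key.strip())
        if not sep or attr is None:
            continue
        value = value.strip()
        if attr in ("access_vlan", "native_vlan"):
            setattr(port, attr, int(value.split()[0]))  # "200 (Workstation VLAN)" -> 200
        elif attr == "allowed":
            port.allowed = expand_vlan_list(value)
        else:
            setattr(port, attr, value)
    return port

def check_trunk(a: Switchport, b: Switchport) -> list:
    """The two trunk ends must agree on mode, encapsulation and native VLAN."""
    findings = []
    for side in (a, b):
        if side.mode != "trunk":
            findings.append(f"{side.name}: operational mode is '{side.mode}', not trunk")
    if a.encap != b.encap:
        findings.append(f"encapsulation mismatch: {a.name}={a.encap}, {b.name}={b.encap}")
    if a.native_vlan != b.native_vlan:  # untagged frames would land in different VLANs
        findings.append(f"native VLAN mismatch: {a.name}={a.native_vlan}, {b.name}={b.native_vlan}")
    return findings

def check_path(host_a: Switchport, trunk_a: Switchport,
               trunk_b: Switchport, host_b: Switchport) -> list:
    """Findings for host_a -> trunk_a === trunk_b -> host_b, i.e. the ping test in the thread."""
    findings = check_trunk(trunk_a, trunk_b)
    if host_a.access_vlan != host_b.access_vlan:
        findings.append(f"end hosts are in different VLANs: {host_a.name}={host_a.access_vlan}, "
                        f"{host_b.name}={host_b.access_vlan}")
    for trunk in (trunk_a, trunk_b):
        for host in (host_a, host_b):
            if trunk.allowed is not None and host.access_vlan not in trunk.allowed:
                findings.append(f"VLAN {host.access_vlan} ({host.name}) is not allowed on trunk {trunk.name}")
    # Hardening note, not a connectivity fault: user traffic on the native VLAN crosses the
    # trunk untagged; a dedicated, otherwise unused native VLAN is the usual recommendation.
    if trunk_a.native_vlan in (host_a.access_vlan, host_b.access_vlan):
        findings.append(f"hardening: native VLAN {trunk_a.native_vlan} on {trunk_a.name} is also an end-host VLAN")
    return findings

# Constructed, abbreviated outputs. Gi0/5 is shown in the IGESM default VLAN 2,
# i.e. the state before it was moved to VLAN 200.
C2960_GI01 = """Name: Gi0/1
Operational Mode: trunk
Operational Trunking Encapsulation: dot1q
Trunking Native Mode VLAN: 200 (Workstation VLAN)
Trunking VLANs Enabled: 1,99,200"""
IGESM_GI020 = C2960_GI01.replace("Gi0/1", "Gi0/20")
C2960_FA01 = """Name: Fa0/1
Operational Mode: static access
Access Mode VLAN: 200 (Workstation VLAN)"""
IGESM_GI05 = """Name: Gi0/5
Operational Mode: static access
Access Mode VLAN: 2 (VLAN0002)"""

def audit(blade_port_text: str = IGESM_GI05) -> list:
    """Run the full path check; pass a different Gi0/5 block to re-check after a change."""
    return check_path(parse_switchport(C2960_FA01), parse_switchport(C2960_GI01),
                      parse_switchport(IGESM_GI020), parse_switchport(blade_port_text))
```

With Gi0/5 still in VLAN 2 the audit reports the host VLAN mismatch and that VLAN 2 is not in the trunk's allowed list on either end; once Gi0/5 is in VLAN 200 only the hardening note remains.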
Can't save Cisco ASA configuration in GNS3 via write memory command
Hi all,
I'm having a problem saving the Cisco ASA configuration in GNS3 via the write memory command.
ciscoasa(config)# wr mem
Building configuration…
Cryptochecksum: c066a7ab b5b9071e bb5ee1f6 2d93be53
%Error copying system:/running-config (Not enough space on device)
Error executing command
[FAILED]
ciscoasa(config)#
Here are the details of the lab setup.
PC DETAILS:
Windows 7 Enterprise SP1 64bit
GNS3 v0.8.6 all-in-one (installer for 32-bit and 64-bit which includes Dynamips, Qemu/Pemu, Putty, VPCS, WinPCAP and Wireshark)
ASA DETAILS:
13,279,888 asa802-k8.bin.unpacked.initrd
1,095,856 asa802-k8.bin.unpacked.vmlinuz
Please advise. Thanks in advance.
http://firewallengineer.wordpress.com/2014/02/19/problem-cisco-asa-in-gns3-error-copying-systemrunning-config-not-enough-space-on-device/
Instead of this:
To create a flash file
cd "C:\Program Files\GNS3\qemu-2.1.0"
qemu-img.exe create c:\FLASH 256M
try this:
To create a flash file
cd "C:\Program Files\GNS3\qemu-2.1.0"
qemu-img.exe create c:\User\usuario\GNS3\FLASH 256M
Let me know if this is helpful. -
Cisco dynamic configuration tool
Currently the Cisco Dynamic Configuration Tool is not working. What can I do?
Richard,
The power supplies in the 6120 / 6140s are auto sensing for 120-240 VAC. Please see Table 9 in the Nexus 5000 document for all supported cables:
http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/data_sheet_c78-461802.html
Thank you,
Matthew -
Cisco Aironet Configuration Manual
I am new to Cisco wireless configuration. Does anyone know of a website where I can find the Cisco Wireless Configuration Manual? Thanks to anyone who drops me a response.
Try this:
http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/350cards/windows/legacy/scg/
Shawn -
Need Cisco ISE Configuration Guide
Dear Friends,
Please send me the Cisco ISE configuration guide ASAP.
Thanks & Regards,
Rahul Wankhade
Check the following link for a step-by-step configuration guide; it covers all the deployments related to ISE:
http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
-
Cisco AnyConnect Configuration
Can someone assist me with configuring Cisco AnyConnect VPN? For some reason, with the config below, I seem to get connected, but then my internet connection randomly drops and reconnects. I've tried several different times to get this to work properly, but I'm obviously missing something here. Any help is appreciated.
ASA Version 8.2(2)
hostname FW01
enable password .MlTybcgwEXNF1HM encrypted
passwd .MlTybcgwEXNF1HM encrypted
names
dns-guard
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan2
description ### Link to Internet ###
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
description ### Link to GUEST WIFI ###
nameif guest
security-level 50
ip address 172.16.10.1 255.255.255.0
interface Vlan4
description ### Link to INSIDE LAN ###
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
interface Vlan5
description ### Link to INSIDE WIFI ###
nameif insidewifi
security-level 50
ip address 172.16.2.1 255.255.255.0
interface Ethernet0/0
description ### Link to Internet ###
switchport access vlan 2
interface Ethernet0/1
description ### Link to GUEST WIFI ###
switchport access vlan 3
interface Ethernet0/2
description ### Link to INSIDE LAN ###
switchport access vlan 4
interface Ethernet0/3
description ### Link to INSIDE WIFI ###
switchport access vlan 5
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
banner exec
banner exec ******* ENGLISH *** ATTENTION *** ENGLISH *** ATTENTION *** ENGLISH **********
banner exec *
banner exec * This system is for the use of authorized users only.
banner exec * Individuals using this system are subject to having all of their
banner exec * activities on this system monitored and recorded by system
banner exec * personnel.
banner exec *
banner exec * Anyone using this system expressly consents to such monitoring
banner exec * and is advised that if such monitoring reveals possible
banner exec * evidence of criminal activity, system personnel may provide the
banner exec * evidence of such monitoring to law enforcement officials.
banner exec *
banner exec ******* ENGLISH *** ATTENTION *** ENGLISH *** ATTENTION *** ENGLISH **********
banner exec
banner exec
banner exec Name:.......FW01
banner exec Address:....172.16.1.1
banner exec Location:...CST -5
ftp mode passive
clock timezone CST -5
same-security-traffic permit inter-interface
access-list inside extended permit ip any any
access-list outside extended permit ip any any
access-list guest extended permit udp any host 172.16.1.102 eq domain
access-list guest extended permit udp any host 172.16.1.103 eq domain
access-list guest extended permit udp any any range bootps tftp
access-list guest extended deny ip any 172.16.1.0 255.255.255.0 log
access-list guest extended deny ip any 172.16.2.0 255.255.255.0 log
access-list guest extended permit ip any any
access-list insidewifi extended permit ip any any
access-list Outside_In extended permit tcp any any eq 3389
pager lines 50
logging enable
logging list TEST level alerts
logging buffered debugging
logging asdm informational
logging mail TEST
logging from-address [email protected]
logging recipient-address ************* level errors
mtu outside 1500
mtu guest 1500
mtu inside 1500
mtu insidewifi 1500
ip local pool SSLClientPool 172.16.9.1-172.16.9.2 mask 255.255.255.0
ip audit name FW01-INFO info action alarm
ip audit name FW01-ATTACK attack action alarm reset
ip audit interface outside FW01-INFO
ip audit interface outside FW01-ATTACK
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any guest
icmp permit any inside
icmp permit any insidewifi
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (guest) 1 172.16.10.0 255.255.255.0
nat (inside) 1 172.16.1.0 255.255.255.0
nat (insidewifi) 1 172.16.2.0 255.255.255.0
static (inside,outside) tcp interface 3389 172.16.1.200 3389 netmask 255.255.255.255
static (inside,guest) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (inside,insidewifi) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
access-group Outside_In in interface outside
access-group guest in interface guest
access-group inside in interface inside
access-group insidewifi in interface insidewifi
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
fragment chain 1 outside
sysopt noproxyarp outside
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn sslvpn.moore.net
subject-name CN=sslvpn.moore.net
keypair sslvpnkeypair
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 956e1350
quit
telnet timeout 5
ssh 172.16.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 172.16.1.102
dhcpd ping_timeout 750
dhcprelay server 172.16.1.102 inside
dhcprelay enable guest
dhcprelay enable insidewifi
dhcprelay setroute guest
dhcprelay setroute insidewifi
dhcprelay timeout 60
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 172.16.0.0 255.255.0.0
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 211.233.40.78
ntp server 61.153.197.226
ntp server 202.150.213.154 prefer
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-dart-win-2.5.6005-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
dns-server value 172.16.1.102 172.16.1.103
vpn-tunnel-protocol svc
default-domain value moore.net
address-pools value SSLClientPool
username gmoore_a password PNUmTwjDhevRqhkT encrypted privilege 15
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
smtp-server 68.1.17.8
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:847a9a2b25e6a8ea2d4b68d17cdd41d2
: end
no asdm history enable
Javier,
Thanks for the explanation. I have one more question; maybe I should open a separate discussion. If so, please let me know...
After I got the AnyConnect VPN configuration working, I tried to configure LDAP authentication. Now when I try to connect I get an error stating
"Login denied. Your environment does not meet the access criteria defined by your administrator."
Then at the bottom of the AnyConnect client I see
"Access Denied: Your system does not meet policy requirement (DAP)"
Looking at the DAP configuration I can't see what the policy is not accepting. The partial config is below.
ASA Version 8.2(2)
same-security-traffic permit inter-interface
access-list inside extended permit ip any any
access-list outside extended permit ip any any
access-list guest extended permit udp any host 172.16.1.102 eq domain
access-list guest extended permit udp any host 172.16.1.103 eq domain
access-list guest extended permit udp any any range bootps tftp
access-list guest extended deny ip any 172.16.1.0 255.255.255.0 log
access-list guest extended deny ip any 172.16.2.0 255.255.255.0 log
access-list guest extended permit ip any any
access-list insidewifi extended permit ip any any
access-list Outside_In extended permit tcp any any eq 3389
access-list SSLClientProfile_SPLIT standard permit 172.16.1.0 255.255.255.0
access-list SSLClientProfile_SPLIT standard permit 172.16.2.0 255.255.255.0
access-list nonat_inside extended permit ip 172.16.1.0 255.255.255.0 172.16.9.0 255.255.255.0
access-list nonat_insidewifi extended permit ip 172.16.2.0 255.255.255.0 172.16.9.0 255.255.255.0
pager lines 50
logging enable
logging list TEST level alerts
logging buffered debugging
logging asdm informational
logging mail TEST
logging from-address [email protected]
logging recipient-address [email protected] level errors
mtu outside 1500
mtu guest 1500
mtu inside 1500
mtu insidewifi 1500
ip local pool SSLClientPool 172.16.9.1-172.16.9.2 mask 255.255.255.0
ip audit name FW01-INFO info action alarm
ip audit name FW01-ATTACK attack action alarm reset
ip audit interface outside FW01-INFO
ip audit interface outside FW01-ATTACK
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any guest
icmp permit any inside
icmp permit any insidewifi
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (guest) 1 172.16.10.0 255.255.255.0
nat (inside) 0 access-list nonat_inside
nat (inside) 1 172.16.1.0 255.255.255.0
nat (insidewifi) 0 access-list nonat_insidewifi
nat (insidewifi) 1 172.16.2.0 255.255.255.0
static (inside,outside) tcp interface 3389 172.16.1.200 3389 netmask 255.255.255.255
static (inside,guest) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (inside,insidewifi) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
access-group Outside_In in interface outside
access-group guest in interface guest
access-group inside in interface inside
access-group insidewifi in interface insidewifi
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record SSLVPNPolicy
description "SSL VPN Policy (AD Login)"
dynamic-access-policy-record DfltAccessPolicy
action terminate
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 172.16.1.102
server-port 389
ldap-base-dn DC=MOORE,DC=NET
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=LDAP Service Account,OU=ServiceAccounts,OU=MooreNetwork,DC=moore,DC=net
server-type microsoft
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
fragment chain 1 outside
sysopt noproxyarp outside
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn sslvpn.moore.net
subject-name CN=sslvpn.moore.net
keypair sslvpnkeypair
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 956e1350
quit
telnet timeout 5
ssh 172.16.1.0 255.255.255.0 inside
ssh timeout 20
console timeout 0
management-access inside
dhcpd dns 172.16.1.102
dhcpd ping_timeout 750
dhcprelay server 172.16.1.102 inside
dhcprelay enable guest
dhcprelay enable insidewifi
dhcprelay setroute guest
dhcprelay setroute insidewifi
dhcprelay timeout 60
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 172.16.0.0 255.255.0.0
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 211.233.40.78
ntp server 61.153.197.226
ntp server 202.150.213.154 prefer
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-dart-win-2.5.6005-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
dns-server value 172.16.1.102 172.16.1.103
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SSLClientProfile_SPLIT
default-domain value moore.net
address-pools value SSLClientPool
username gmoore_a password PNUmTwjDhevRqhkT encrypted privilege 15
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
authentication-server-group LDAP LOCAL
default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
smtp-server 68.1.17.8
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:db7d3afda8f35ce1733b3fcd3f5f468d
: end
no asdm history enable -
Cisco devices configuration for CW-LMS
Hello,
I am new to CiscoWorks LMS. I am working with a fresh LMS 3.2 installation. I added all the devices (routers, switches and 3 ASAs) into the DCR. Now I need to know how to configure the devices to send the relevant information to the CW LMS machine. I am looking for something similar to this:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/chap10.html#wp1056411
This is a deployment model for Cisco MARS, which shows what to configure on each device in the network to send the most relevant info (syslog, netflow) to the Cisco MARS.
Is there a best practice for CW LMS regarding this? For example, what syslog level should the routers send to the LMS?
Thank you!
There is a deployment guide whitepaper for LMS at http://www.cisco.com/en/US/products/sw/cscowork/ps2425/prod_white_papers_list.html . As for what to do syslog-wise, you should configure your logging facility to be local7 (this is the default on IOS, but not on ASA OS), and send at least sev 5 or higher messages. You may want to bump that up to sev 6 (informational), but sev 5 for IOS devices will be sufficient to get things like configuration change messages. For CatOS, you definitely want sev 6.
-
Why does management VLAN ID matter in Cisco AP541n configuration?
I am working on configuring an AP541n AP. I am able to connect to the AP over the wire and assign the AP a static IP with the proper subnet mask and default gateway.
When that is done everything looks perfect, but since I changed the management VLAN ID from 1 to 2, I can't even connect to the AP over the wire from the PC. Why does the change matter?
Thanks.
Hi,
When working with access points in IOS mode, also known as autonomous, the access point requires that you configure an IP address on BVI1, which is linked to bridge group 1 and set as untagged.
Now, when working with VLANs, if the access point has an IP address on VLAN x then you will need to configure this as the native VLAN and with bridge group 1.
If you do not do this then you will see the issue you are reporting.
In other words, if the access point will have an IP address for VLAN 30, then the native VLAN on the AP will need to be VLAN 30, and the VLAN or the subnet for VLAN 1 linked to bridge group 1.
-
Hi,
I have another problem: after the IOS upgrade the wireless connection does not work.
After the reload I have:
Configuration of subinterfaces and main interface
within the same bridge group is not permitted
STP: Unable to get the port parameters.
Please configure the bridge group on this interface first.
Please configure the bridge group on this interface first.
Please configure the bridge group on this interface first.
SETUP: new interface NVI0 placed in "shutdown" state
My old configuration worked properly on the old software, but after the update I get this notification.
Old thread:
https://supportforums.cisco.com/discussion/12379491/cisco-877w-no-wireless-connection
My current sh run:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
hostname cisco
boot-start-marker
boot system flash:c870-advipservicesk9-mz.124-24.T6.bin
boot-end-marker
logging message-counter syslog
logging buffered 4096 informational
enable secret 5 $1$eCNp$rWuBfZ/cexnwnkm7L447s.
aaa new-model
aaa session-id common
dot11 syslog
dot11 ssid ciscowifi
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 050D031D26595D0617
dot11 wpa handshake timeout 500
ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.56.1
ip dhcp pool CLIENT
import all
network 192.168.56.0 255.255.255.0
default-router 192.168.56.1
dns-server 8.8.8.8 194.204.159.1 194.204.152.34
lease 0 2
ip cef
no ip domain lookup
no ipv6 cef
multilink bundle-name authenticated
username marek password 7 00121A0908500A
archive
log config
hidekeys
ip tcp path-mtu-discovery
bridge irb
interface ATM0
description Polaczenie ADSL do ISP$ES_WAN$
no ip address
no atm ilmi-keepalive
pvc 0/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
hold-queue 224 in
interface FastEthernet0
description Edzia
interface FastEthernet1
description dom
interface FastEthernet2
description Dziadek
interface FastEthernet3
interface Dot11Radio0
no ip address
no ip redirects
ip local-proxy-arp
ip nat inside
ip virtual-reassembly
no dot11 extension aironet
encryption vlan 1 mode ciphers tkip
encryption mode ciphers aes-ccm tkip
broadcast-key change 3600
ssid ciscowifi
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
world-mode dot11d country AU indoor
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.1
description ciscowifi
encapsulation dot1Q 1 native
no cdp enable
interface Vlan1
no ip address
bridge-group 1
interface Dialer0
description Interfejs dzwoniacy
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp chap hostname [email protected]
ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxx
interface BVI1
description Polaczenie dla sieci LAN
ip address 192.168.56.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.56.10 80 interface Dialer0 80
ip nat inside source static tcp 192.168.56.10 22 interface Dialer0 22
logging trap debugging
logging 192.168.56.10
access-list 100 permit ip 192.168.56.0 0.0.0.255 any
access-list 100 deny ip any any
no cdp run
snmp-server community ciskacz RO
snmp-server chassis-id ciskacz
control-plane
bridge 1 protocol ieee
bridge 1 route ip
line con 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 0 0
transport preferred ssh
transport input ssh
scheduler max-task-time 5000
end
Please help. Thanks!
Hello Marek,
I suppose you are not planning to do any kinds of advanced config using several VLANs and multiple SSIDs so let's just make your configuration simple and working.
In short, you need to remove all references to VLAN 1 and to any subinterfaces possibly related to the VLAN 1. This means in particular (follow these steps in sequence):
Remove the Dot11Radio0.1 subinterface entirely
In the Dot11Radio0 section, remove the encryption vlan 1 mode ciphers tkip command
In the dot11 ssid ciscowifi section, remove the vlan 1 command
After performing these steps, make sure that the ssid ciscowifi and encryption mode commands are still present in the Dot11Radio0 configuration, and if not, re-enter them.
Best regards,
Peter -
Tacacs+ and Cisco 2950 configuration
Hi everyone!
I want to authenticate to my switch via TACACS+. It runs fine as long as I define users and passwords in /etc/tac-plus/tacacs.conf. But when I try to authenticate against a MySQL DB or the /etc/passwd file, authentication fails.
With the config below, I'm able to log in with username fred. In the MySQL DB a user 'test' with password ENCRYPT('test') is correctly set up. I use the DB skeleton which comes with tacacs+ (in Debian it's in /usr/share/docs/tac-plus, manual from http://www.gazi.edu.tr/tacacs/docs/tacacs_db.txt)
My tacacs+ config:
# /etc/tac-plus/tacacs.conf
### TACACS+ Config
# Auth-Key
key = some_key
#default authentication = file /etc/passwd
default authentication = db mysql://user:password@localhost/tacacs/auth?usern&passwd
accounting file = /var/log/tac-plus/account.log
###### USER ######
user = DEFAULT {
    default service = permit
}
#user = DEFAULT {
#    service = ppp
#    protocol = ip {
#    }
#}
# Enable-User
#user = $enable$ {
#    login = cleartext test
#}
user = fred {
    default service = permit
    login = cleartext fred_pw
}
My Cisco config:
switch#sh ru
Building configuration...
[some info]
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname MySwitch
aaa new-model
aaa group server tacacs+ TACSERV
server 192.168.1.5
aaa authentication login default group TACSERV local line
enable secret secret_enable_pw
username rescue secret secret_rescue_pw
ip subnet-zero
spanning-tree extend system-id
interface FastEthernet0/1
switchport access vlan 180
switchport mode trunk
switchport nonegotiate
no ip address
[some FastEthernet and GigabitEthernet Configuration]
ip default-gateway 192.168.1.1
ip http server
tacacs-server host 192.168.1.5 key some_key
line con 0
exec-timeout 0 0
line vty 5 15
ntp server 192.168.1.60
end
It would be great if someone could help.
Greetings,
Fred
Hi,
I realized that Debian only stores usernames in /etc/passwd - the user's password is stored in /etc/shadow.
I manually edited the passwd file to get the password in. Result: authentication works with /etc/passwd. But when I point to /etc/shadow in the configuration file, authentication doesn't work.
Is there a way to get tacacs+ to use the /etc/shadow properly or to configure Debian not to use /etc/shadow?
The other big problem - authentication against MySQL - doesn't work, yet.
Any Hints?
Thanks,
Fred
-
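As an added example (not code from either poster), here is a small Python audit that flags the management-plane weaknesses visible in the two IOS configurations above: the router config with its type-7 CHAP password and SNMP community string, and Fred's 2950 config with "ip http server", "exec-timeout 0 0" and a vty range that has no "transport input" restriction. The sample input is constructed from lines of those posts; the type-7 string is the poster's own placeholder.

```python
import re

# Constructed sample: lines taken from the two configs posted in this thread.
# The type-7 value is the poster's placeholder, not a real secret.
SAMPLE_CONFIG = """\
service password-encryption
ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxx
snmp-server community ciskacz RO
ip http server
aaa authentication login default group TACSERV local line
line con 0
 exec-timeout 0 0
line vty 0 4
 exec-timeout 0 0
 transport input ssh
line vty 5 15
"""


def split_sections(text):
    """Group an IOS config into (header, [indented children]) pairs.
    IOS nests sub-commands with one leading space; top-level commands
    become a header with no children."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_ios_config(text):
    """Return sorted (severity, finding) tuples for weak management settings."""
    findings = set()
    for header, children in split_sections(text):
        # Type-7 "encryption" is reversible, so it protects nothing at rest.
        if re.search(r"\bpassword 7 \S+", header):
            findings.add(("high", "type-7 password is reversible: " + header.split(" 7 ")[0]))
        # SNMPv1/v2c community strings are sent unencrypted on the wire.
        m = re.match(r"snmp-server community (\S+)", header)
        if m:
            findings.add(("medium", f"SNMPv1/v2c community '{m.group(1)}' travels in cleartext"))
        if header == "ip http server":
            findings.add(("medium", "cleartext HTTP management is enabled"))
        if header.startswith("line "):
            if "exec-timeout 0 0" in children:
                findings.add(("medium", f"{header}: idle sessions never time out"))
            # A vty range without "transport input ssh" keeps the IOS default, which admits telnet.
            if header.startswith("line vty") and "transport input ssh" not in children:
                findings.add(("high", f"{header}: transport input not restricted to ssh"))
    return sorted(findings)


if __name__ == "__main__":
    for severity, message in audit_ios_config(SAMPLE_CONFIG):
        print(severity, message)
```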
Cisco prime configuration backup
Hi There,
In Cisco prime infrastructure there are two places that I can do backup of the WLCs.
1. Operate -> Configuration Archive & run schedule archive
2. Administration -> background Task -> Controller Configuration Backup
Can someone tell me what's the difference between these two? What would be the issue if I have enabled only option 1, not 2? If I want to get the running configuration of the controller to my PC, how would I be able to do that?
Thx
Sara
An intelligent network management application doesn't have to depend on user input for the most basic tasks.
It should be smart enough to start managing devices for configurations, inventory and fault management out of the box, as soon as the devices are added.
Under the mega-menu (Design, Deploy and Operate) there are many tasks which are user-deployed, as per the network preferences and requirements.
Under Background Tasks we have System Defined Tasks to start many such device management activities by default.
Also, under Background Tasks, you can configure an external TFTP/FTP server to archive the backup of the controllers' configuration.
-Thanks
Vinod
-
Cisco Prime Configuration Backup -Failure
My customer uses Cisco Prime Ver 1.4 U2.
Its Background Task for Configuration Backup shows failure for all devices,
but I can audit or sync config from the WLC successfully; only the config backup is not successful.
I need a workaround to prove the issue?
Thanks
Are they reachable? Do the controllers have the proper READ_WRITE community string? Can you issue "debug transfer tftp enable" on the controller and see the output?
-
Cisco 5502 Configuration Example
I'm currently running a Cisco 5508 WLC. I currently want to use two Gigabit ports for wireless traffic and I will only have 25 1142s attached to this WLC. Reading the Cisco Wireless LAN Controller Configuration Guide, Release 6.0, it says:
5500 Series Controller Example
For a 5500 series controller, Cisco recommends having eight dynamic AP-manager interfaces and associating them to the controller's eight Gigabit ports. If you are using the management interface, which acts like an AP-manager interface by default, you need to create only 7 more dynamic AP-manager interfaces and associate them to the remaining seven Gigabit ports.
I was hoping to use LAG for these two ports and create a Port Channel on the switch for these ports. From Cisco's recommendation it sounds like I have to turn off LAG and create a dynamic interface for the second port and put that port in a different VLAN. Can anyone please shed some light on this? Everything is working at the moment but I'm just curious why this recommendation. Any help would be greatly appreciated.
LAG works just fine. Can you send me the link to the document you are looking at?
-
Hello,
I have a Cisco 2504 controller with 10 APs. I have 3 WLANs. I would like to have one WLAN only broadcast to 2 of my 10 APs. Is this possible? If so, how would I configure the WLAN?
So I followed the configuration sheet that was listed in the article below:
http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_wlan.html#wp1128591
Underneath the "Creating Access Point Groups" section, I followed it and made the modifications. But I am still able to see the one WLAN under all APs?