Cisco LAN setup

Hi all, when setting up a proper 3-layer model, i.e. core, distribution, access, what do people normally do? Would you put the VLANs on the distribution layer and have them routed there, or route them at the core?

The Core Layer :
The core layer provides an optimized and reliable transport structure by forwarding traffic at very high speeds. In other words, the core layer switches packets as fast as possible. Devices at the core layer should not be burdened with any processes that stand in the way of switching packets at top speed. This includes the following:
Access-list checking
Data encryption
Address translation
The Distribution Layer :
The distribution layer is located between the access and core layers and helps differentiate the core from the rest of the network. The purpose of this layer is to provide boundary definition using access lists and other filters to limit what gets into the core. Therefore, this layer defines policy for the network. A policy is an approach to handling certain kinds of traffic, including the following:
Routing updates
Route summaries
VLAN traffic
Address aggregation
Use these policies to secure networks and to preserve resources by preventing unnecessary traffic.
If a network has two or more routing protocols, such as Routing Information Protocol (RIP) and Interior Gateway Routing Protocol (IGRP), information between the different routing domains is shared, or redistributed, at the distribution layer.
The Access Layer :
The access layer supplies traffic to the network and performs network entry control. End users access network resources by way of the access layer. Acting as the front door to a network, the access layer employs access lists designed to prevent unauthorized users from gaining entry. The access layer can also give remote sites access to the network by way of a wide-area technology, such as Frame Relay, ISDN, or leased lines.
HTH,
Thanks
Raj
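Putting the three layers into configuration terms, the following is an added example (not from the thread, and not a config either poster supplied) of where the VLANs end up in such a design: the access VLANs terminate on SVIs at the distribution switch, the ACL policy is applied on those SVIs, and the core only sees routed point-to-point links plus one summary route per distribution block. VLAN numbers, addresses, interface names and the OSPF areas are assumptions.

```cisco
! Added example, not from the thread.  Assumed: VLAN 10 = users 10.1.10.0/24,
! VLAN 20 = servers 10.1.20.0/24, distribution block 10.1.0.0/16, OSPF area 1
! for the block and area 0 toward the core, Gi1/0/1 down, Gi1/0/24 up.
!
! ================= distribution switch =================
vlan 10
 name USERS
vlan 20
 name SERVERS
!
! Policy lives here, not at the core: users may resolve names, reach the
! server VLAN on 443 only, and otherwise go anywhere except the server VLAN.
ip access-list extended USERS-IN
 permit udp 10.1.10.0 0.0.0.255 any eq domain
 permit tcp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 eq 443
 deny   ip  10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255
 permit ip  10.1.10.0 0.0.0.255 any
!
interface Vlan10
 description USERS default gateway (routed here, not at the core)
 ip address 10.1.10.1 255.255.255.0
 ip access-group USERS-IN in
 no ip redirects
 no ip proxy-arp
!
interface Vlan20
 description SERVERS default gateway
 ip address 10.1.20.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
! Trunk down to the access switch carries only the VLANs that switch needs
interface GigabitEthernet1/0/1
 description to access switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! Routed point-to-point uplink to the core: no VLANs, no spanning tree
interface GigabitEthernet1/0/24
 description to core
 no switchport
 ip address 10.0.0.2 255.255.255.252
 ip ospf network point-to-point
!
! Distribution is the area border: the core receives one summary
! (10.1.0.0/16) instead of one route per VLAN.
router ospf 1
 network 10.1.0.0 0.0.255.255 area 1
 network 10.0.0.0 0.0.0.3 area 0
 area 1 range 10.1.0.0 255.255.0.0
!
! ================= core switch =================
! Routed links and a routing process only: no user SVIs, no ACLs, no NAT.
interface GigabitEthernet1/0/1
 description to distribution
 no switchport
 ip address 10.0.0.1 255.255.255.252
 ip ospf network point-to-point
!
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
```

On the core, `show ip route ospf` should then list 10.1.0.0/16 as a single inter-area route rather than the individual VLAN subnets; on the distribution switch, `show ip access-lists USERS-IN` shows the hit counts of the policy, which is the place to look when a user VLAN cannot reach something it should.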

Similar Messages

  • HTTP and SMB over Cisco LAN-to-LAN IPSec-VPN

    We are connecting a Cisco 887VA router with various other non-Cisco routers.
    VPN tunnels are up and we can ping devices on the remote network through the VPN.
    However, we have a few devices (on the Cisco LAN) that provide a web interface (NAS etc.) and these are not accessible over the VPN; the connection seems to just hang like it's waiting for a response but it never gets one, and eventually the browser times out.
    Strangely, if I request a page that does not exist from the NAS (e.g. http://192.168.3.x/test) I will receive a 404 error, so it is kind of working.
    Similar problems with SMB: if I access \\192.168.3.x I can list the content (4 items), but if I go into one of those folders (containing 10+ items) it hangs and eventually gives up.
    I have tried adjusting MTU and MSS with no change.
    Any ideas? Cause I'm running out of hair.
    My config is attached; it is most likely a mess as this is my first Cisco device, so please go easy.

    Hi,
    I can give you an example VPN config (Cisco 1841) that works:
    ! 192.168.49.0/24 = INSIDE | 192.168.0.0/16 and 172.20.0.0/24 = remote-site networks
    ! ACL 102: the "interesting" traffic that gets encrypted (referenced by the crypto map)
    access-list 102 permit ip 192.168.49.0 0.0.0.255 192.168.0.0 0.0.255.255
    access-list 102 permit ip 192.168.49.0 0.0.0.255 172.20.0.0 0.0.0.255
    ! ACL 150: NAT exemption. The same VPN flows are denied here so they are not
    ! translated before encryption; everything else from INSIDE is PAT'd to the WAN IP.
    access-list 150 deny   ip 192.168.49.0 0.0.0.255 192.168.0.0 0.0.255.255
    access-list 150 deny   ip 192.168.49.0 0.0.0.255 172.20.0.0 0.0.0.255
    access-list 150 permit ip 192.168.49.0 0.0.0.255 any
    !
    crypto isakmp policy 10
     encr aes
     authentication pre-share
     group 2
    ! group 2 is 1024-bit DH; prefer group 14 or higher where the peer supports it
    crypto isakmp key CRYPTOKEYHERE address REMOTEWANIP
    crypto isakmp keepalive 30
    !
    crypto ipsec transform-set SETNAME esp-aes esp-sha-hmac
    !
    crypto map B2B 10 ipsec-isakmp
     description b2b-fw
     set peer PEERWANIP
     set security-association lifetime seconds 86400
     set transform-set SETNAME
     match address 102
    !
    interface FastEthernet0/0
     description wan_primary
     crypto map B2B
     ip nat outside
    !
    interface FastEthernet0/1
     ip nat inside
    !
    ! Only traffic permitted by ACL 150 (i.e. non-VPN traffic) is translated
    route-map nonat permit 10
     match ip address 150
    ip nat inside source route-map nonat interface FastEthernet0/0 overload
    Regards
    Markus

  • ISE cannot push the profile to the cisco network setup assistant?

    We have tried a few Android devices with version 4.2+ but still got the error message ‘Unable to download profile. (Have you logged into the guest portal?)’ as shown in the picture at the bottom.
    In fact, we are connecting the devices to an open SSID which performs MAC filtering, then redirecting to CWA and logging in with AD credentials,
    then redirecting to the Google Play store, and we can successfully download the Network Setup Assistant.
    Could you please advise the possible reasons that would cause this error message and prevent ISE from pushing the profile to the Cisco Network Setup Assistant?

    Here's a snippet from the Android spw.log. I see that there is an error trying to verify the hostname. Is it possible that this is caused by a non-trusted certificate? I'm using the self-signed cert built into ISE. I have an entry in the public DNS for guest.domain.com that resolves to the IP of my ISE server accessible from the guest subnet. I'm allowing all traffic from the guest VLAN to the ISE VLAN on the firewall and all traffic to/from the ISE server in the provisioning ACL I have applied by ISE on the WLC during native supplicant provisioning. I know that guests can communicate with the ISE server since regular guest portal redirection works, just not the Network Setup Assistant. I've renamed the domain to domain.com in this snippet.
    2014.07.20 23:44:48 INFO:verion :4.4.4 SDK Level : 19
    2014.07.20 23:44:48 INFO:State :START
    2014.07.20 23:44:48 INFO:Starting Discovery
    2014.07.20 23:44:48 INFO:Starting ISEDiscoveryAsynchTask
    2014.07.20 23:44:48 INFO:DHCP Stringipaddr 192.168.30.110 gateway 192.168.30.1 netmask 255.255.255.0 dns1 208.67.222.222 dns2 208.67.220.220 DHCP server 192.168.30.1 lease 3600 seconds
    2014.07.20 23:44:48 INFO:DHCP ipaddress192.168.30.110
    2014.07.20 23:44:48 INFO:DHCP gateway192.168.30.1
    2014.07.20 23:44:48 INFO:Discoverng ISE http return code :200
    2014.07.20 23:44:48 INFO:ISEServer =guest.domain.com
    2014.07.20 23:44:48 INFO:session =0516a8c000001932f37acc53
    2014.07.20 23:44:48 INFO:Discovered using gateway :18786496
    2014.07.20 23:44:48 INFO:Discovered ise server = guest.domain.com
    2014.07.20 23:44:48 INFO:Discovered client mac = 5C-0A-5B-FC-37-0F
    2014.07.20 23:44:48 INFO:Server:Key=guest.domain.com:0516a8c000001932f37acc53
    2014.07.20 23:44:48 INFO:Downloading config fromguest.domain.com
    2014.07.20 23:44:48 INFO:checkServerTrusted call
    2014.07.20 23:44:48 INFO:checkServerTrusted call
    2014.07.20 23:44:48 ERROR:DownloadprofileAsynchTask
    2014.07.20 23:44:48 ERROR:java.io.IOException: Hostname 'guest.domain.com' was not verified
    2014.07.20 23:44:48 ERROR:Hostname 'guest.domain.com' was not verified
    2014.07.20 23:44:48 INFO:Internal system error.
    On the ISE side, here is the snippet of logs during the same time as when the android network setup assistant was run.
    2014-07-20 23:41:38,586 INFO   [DefaultQuartzScheduler_Worker-6][] cisco.cpm.infrastructure.utils.NodeGroupFWUtil -:::::- Applied Firewall rules for node group.
    2014-07-20 23:42:35,251 INFO   [AbandonedTransactionReaper][] com.cisco.epm.db.AbandonedTransactionReaper -:::::- In AbandonedTransactionReaper :  MaxActive : 200 CurrentActive : 0 MaxIdle : 200 MinIdle : 0 CurrentIdle : 2
    2014-07-20 23:42:39,394 INFO   [AbandonedTransactionReaper][] com.cisco.epm.db.AbandonedTransactionReaper -::::PDPInitialization:- In AbandonedTransactionReaper :  MaxActive : 200 CurrentActive : 0 MaxIdle : 200 MinIdle : 0 CurrentIdle : 0
    2014-07-20 23:42:49,765 INFO   [DataSourceListener Thread][] api.services.persistance.dao.DistributionDAO -:::::- In DAO getRepository method for HostConfig Type : ACTIVE
    2014-07-20 23:42:56,805 INFO   [PDP-Heartbeats-0][] com.cisco.cpm.clustering.MnTClient -::::pdpha:- Removing session 0516a8c00000196f2a95cc53
    2014-07-20 23:42:56,806 WARN   [PDP-Heartbeats-0][] cpm.nsf.session.impl.SystemStateManager -::::pdpha:- Session 0516a8c00000196f2a95cc53 not found at complete
    2014-07-20 23:43:35,441 INFO   [portal-http-844314][] cisco.epm.license.flexlm.FlexlmFileHandler -:::::- Is License Valid for seId [1] = true
    2014-07-20 23:43:35,441 INFO   [portal-http-844314][] com.cisco.epm.license.LicensingManager -:::::- License is valid [true] for SeriveType [1]
    2014-07-20 23:43:35,750 WARN   [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -::0516a8c000001932f37acc53::guest:- --- GuestPortalUtils: Unable to determine language. Defaulting to English
    2014-07-20 23:43:35,768 WARN   [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -::0516a8c000001932f37acc53::guest:- --- GuestPortalUtils: Unable to determine language. Defaulting to English
    2014-07-20 23:43:35,768 INFO   [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -::0516a8c000001932f37acc53::guest:- initializing page definition
    2014-07-20 23:43:35,769 INFO   [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -::0516a8c000001932f37acc53::guest:- Created guest theme page def
    2014-07-20 23:44:18,090 WARN   [portal-http-844315][] cisco.cpm.guestportal.actions.SelfProvisioningAction -:test:0516a8c000001932f37acc53::guest:- ***BYOD Registration Data***
    macAddress: 5C:0A:5B:FC:37:0F
    portalUser: test
    authStoreName: Internal Users
    authStoreGuid: 78954c30-e0f0-11e3-af67-005056bf4689
    2014-07-20 23:44:18,113 INFO   [portal-http-844315][] com.cisco.epm.jms.AQMessgeHandler -:test:0516a8c000001932f37acc53::guest:- Publishing message for event [TxnCommit / commit] and message class[class com.cisco.epm.pap.api.transaction.Transaction]
    2014-07-20 23:44:18,167 WARN   [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -:test:0516a8c000001932f37acc53::guest:- --- GuestPortalUtils: Unable to determine language. Defaulting to English
    2014-07-20 23:44:18,168 INFO   [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -:test:0516a8c000001932f37acc53::guest:- initializing page definition
    2014-07-20 23:44:18,169 INFO   [portal-http-844315][] cisco.cpm.guestportal.utils.CoAExecutorService -:test:0516a8c000001932f37acc53::guest:- Issue CoA reauth in 2000 milliseconds for sessionName 0516a8c000001932f37acc53
    2014-07-20 23:44:18,171 WARN   [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -:test:0516a8c000001932f37acc53::guest:- --- GuestPortalUtils: Unable to determine language. Defaulting to English
    2014-07-20 23:44:18,172 INFO   [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -:test:0516a8c000001932f37acc53::guest:- initializing page definition
    2014-07-20 23:44:18,173 INFO   [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -:test:0516a8c000001932f37acc53::guest:- Created guest theme page def
    2014-07-20 23:44:20,171 INFO   [pool-19-thread-4][] cisco.cpm.guestportal.utils.CoAReauthTask -:test:0516a8c000001932f37acc53::guest:- Running CoAReauthTask for _sessionName 0516a8c000001932f37acc53
    2014-07-20 23:44:20,194 INFO   [pool-19-thread-4][] cisco.cpm.guestportal.utils.CoAReauthTask -:test:0516a8c000001932f37acc53::guest:- Issue Local CoA for session 0516a8c000001932f37acc53
    2014-07-20 23:44:50,768 INFO   [ContainerBackgroundProcessor[StandardEngine[Catalina]]][] cpm.admin.infra.action.SessionCounterListener -:::::- sessionDestroyed - deducted one session from counter - Session ID - 0FFE9C73C9209D4EE2534558CB8F723B - Session Count - 0
    2014-07-20 23:46:58,502 INFO   [portal-http-844315][] cisco.epm.license.flexlm.FlexlmFileHandler -:::::- Is License Valid for seId [1] = true
    2014-07-20 23:46:58,502 INFO   [portal-http-844315][] com.cisco.epm.license.LicensingManager -:::::- License is valid [true] for SeriveType [1]
    2014-07-20 23:46:58,693 WARN   [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -::0516a8c000001932f37acc53::guest:- --- GuestPortalUtils: Unable to determine language. Defaulting to English
    2014-07-20 23:46:58,702 INFO   [portal-http-844315][] cisco.cpm.provisioning.cache.FlowStateCacheManager -::0516a8c000001932f37acc53::guest:- Deleted old flow state session with device id 5C-0A-5B-FC-37-0F

  • Cisco Network Setup Assistant Unable to install the certificate on Android KitKat

    Greetings,
    I'm having issues with deploying the CA. Although the Cisco app fails, the user cert (but no CA) appears to install and is accessible during Wi-Fi setup. I am running the latest version of Cisco Network Setup Assistant, 1.2.42. The phone is running Android KitKat 4.4.4, not rooted, running the stock T-Mobile ROM. I'm able to authenticate with the guest side, and get as far as "Installing Certificates...". Reference the screenshots attached.
    Error message from Cisco Network Setup Assistant: "Unable to install the certificate. Exit the application and run it again to continue to the installation."
    I have run the application several times; it keeps returning to this same message.
    After failure of the Cisco app, I noticed there is a certificate manager with CA cert and key, and then subsequently one new key continues to loop until I cancel (also in screenshots).
    I have tried decryption, removing all security, and clearing credentials, yet the problem persists. Any help is appreciated.

  • Cisco Network Setup Assistant with Windows 8

    Hi, I'm trying to provision on Windows 8 (Surface Pro).
    When the Cisco Network Setup Assistant is on, it asks for a 'network password' while the SSID is WPA2-Enterprise,
    and I configured it as such in the NSP.
    Is it a bug?

    Hi,
    What version of ISE are you on, and what is the Windows native supplicant provisioning version? See if the release notes for 1.2 meet your current design.
    http://www.cisco.com/en/US/docs/security/ise/1.2/release_notes/ise12_rn.html#wp378491
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Cisco LAN Management Solution is required to support Cisco Nexus 5548P and 5596UP switches?

    Hi,
    Could someone help me find out what Cisco LAN Management Solution is required to support Cisco Nexus 5548P switches and Cisco Nexus 5596UP switches?
    These new Cisco switches are being implemented on a customer network and he asked us that he requires this equipment to be supported on an LMS solution (the customer is currently using LMS 3.2.1).
    Can someone help?
    Thanks in advance,
    guruiz

    Some very limited Nexus support is present in LMS 3.2.1 - see the supported device table here.
    To get more complete support, including the 5596UP, they need to upgrade to LMS 4.x (e.g. LMS 4.2.2 is the latest and is sold under the Cisco Prime Infrastructure 1.2 umbrella). The major upgrade from 3.x to 4.x requires purchasing an upgrade license.
    Some functions (namely User Tracking) will not be available on the 5K due to non-support of the requisite MIB on the device. I believe LMS still doesn't let you do VLAN management on 5Ks - you need to use DCNM for that if you want to do it from a GUI.
    See the table here for LMS 4.2 device support.

  • PIX515E and simple LAN setup question

    Hello all,
    I am trying to set up a Cisco PIX 515E.
    The outside interface is connected to the internet.
    The inside interface is connected to the inside private LAN.
    I am able to use HTTP traffic from the inside LAN. However, I have problems with DNS and ping.
    I cannot ping the inside FW interface from LAN clients (this is also the GW for LAN clients), because the LAN address is NATed to the outside interface address (I see this with debug icmp trace).
    I cannot ping outside addresses from LAN clients. When debugging ICMP at the FW, I can see the ping request is received back at the FW, but not from the FW to the client.
    DNS is not working. The DNS server is a public IP address. It seems DNS queries are not passed through the FW.
    Basically, I want to access the internet through the PIX FW. Can anyone give me some tips on what to do here?

    It's not the outside interface I want to ping, it's outside hosts on the internet I want to ping through the outside interface.
    Here is my current config:
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security4
    enable password encrypted
    passwd encrypted
    hostname fw
    domain-name something.no
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    object-group service Internet tcp
    description Standard Internet trafikk
    port-object eq www
    port-object eq https
    access-list inside_access_in remark Traffic out
    access-list inside_access_in remark
    access-list inside_access_in permit icmp 172.16.1.0 255.255.255.0 any
    access-list inside_access_in remark icmp
    access-list inside_access_in permit tcp any any
    access-list inside_access_in remark Trafic out
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    ip address outside 194.xx.xx.34 255.255.255.248
    ip address inside 172.16.1.1 255.255.255.0
    ip address DMZ 194.xx.xx.41 255.255.255.248
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 200 interface
    global (inside) 200 interface
    nat (inside) 200 172.16.1.0 255.255.255.0 0 0
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 194.xx.xx.33 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 172.16.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet 172.16.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 172.16.1.200-172.16.1.210 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80

  • Cisco VLAN setup with a Windows 2003 DHCP server help

    Can anyone give me some tips or point me to some documentation on setting up a Catalyst 4500 series with VLANs and a Windows 2003 server with associated DHCP scopes? Just out of curiosity, what is a good VLAN design for a college? I was thinking a student, a staff, a faculty, and a guest and/or mgmt VLAN. Also, on the guest VLAN how would I set up an outbound ACL to only allow port 80 traffic? Thanks in advance.

    Hi
    Try to limit the number of users per VLAN to no more than a class C subnet if you can. We use half a class C, a /25 network, in our offices.
    If you can break up the VLANs to match the different types of users then that would be a good start. It means you can further down the line apply different security policies to the different VLANs, which in your situation you may well want to do. Don't worry if, for example, you need to use 2 or 3 VLANs for students; it's not a problem.
    Attached is a link for 4500 configuration. You need to look at the following chapters primarily:
    1) Configuring VLANs, VTP & VMPS.
    2) Configuring Layer 3 interfaces. Look at the section on logical Layer 3 SVIs.
    http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sg/configuration/guide/conf.html
    On the guest VLAN you would need something like this (assuming the guest VLAN subnet range is 192.168.1.0/24):
    access-list 120 permit tcp 192.168.1.0 0.0.0.255 any eq www
    access-list 120 deny ip 192.168.1.0 0.0.0.255 any
    and apply it inbound on the VLAN interface, i.e. if your VLAN for guest users is VLAN 20:
    switch(config)# interface vlan 20
    switch(config-if)# ip access-group 120 in
    As for the W2003 server, I've not done much with Windows. You will need DHCP Manager, which should be under Admin Tools. Make sure you exclude the addresses for each subnet that you allocate to the 4500 Layer 3 interfaces, i.e.
    switch(config)# interface vlan 20
    switch(config-if)# ip address 192.168.1.1 255.255.255.0
    In your DHCP scope 192.168.1.1 will be the default gateway for your clients and you should exclude this from the scope.
    Hope this is enough to get you started
    Jon
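Two practical points the answer above leaves implicit are (a) that IOS numbered ACLs take wildcard masks (0.0.0.255), not subnet masks, so a "255.255.255.0" mask would match only addresses ending in .0 anywhere, and (b) that a "port 80 only" guest ACL also has to let DNS and the DHCP relay through, or guests get an address but can never resolve a name. The following is an added example (not from the thread, and not Jon's or the poster's config) of the four-VLAN design on a Catalyst 4500 with the Windows 2003 DHCP server reached via `ip helper-address`. VLAN numbers, subnets, port numbers and the DHCP server address 192.168.10.5 are assumptions.

```cisco
! Added example, not from the thread.  Assumed: STAFF VLAN 10 (192.168.10.0/24,
! where the Windows 2003 DHCP/DNS server 192.168.10.5 lives), GUEST VLAN 20
! (192.168.1.0/24), STUDENT VLAN 30 (192.168.30.0/24), FACULTY VLAN 40
! (192.168.40.0/24), guest access ports Gi2/1-24.
!
ip routing
!
vlan 10
 name STAFF
vlan 20
 name GUEST
vlan 30
 name STUDENT
vlan 40
 name FACULTY
!
! Guest policy, applied inbound on the guest SVI.  Wildcard masks throughout.
! Order matters: DHCP relay and DNS first, then block every internal range,
! then web to the rest of the world, then drop everything else.
access-list 120 remark --- GUEST VLAN outbound policy ---
access-list 120 permit udp any eq bootpc any eq bootps
access-list 120 permit udp 192.168.1.0 0.0.0.255 host 192.168.10.5 eq domain
access-list 120 deny   ip  192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 120 permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 120 deny   ip  192.168.1.0 0.0.0.255 any
!
interface Vlan10
 description STAFF (DHCP server 192.168.10.5 is on this VLAN, no relay needed)
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
interface Vlan20
 description GUEST
 ip address 192.168.1.1 255.255.255.0
 ip helper-address 192.168.10.5
 ip access-group 120 in
 no ip redirects
 no ip proxy-arp
!
interface Vlan30
 description STUDENT
 ip address 192.168.30.1 255.255.255.0
 ip helper-address 192.168.10.5
 no ip redirects
 no ip proxy-arp
!
interface Vlan40
 description FACULTY
 ip address 192.168.40.1 255.255.255.0
 ip helper-address 192.168.10.5
 no ip redirects
 no ip proxy-arp
!
! Guest access ports: fixed VLAN, no trunk negotiation with end hosts
interface range GigabitEthernet2/1 - 24
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
```

On the Windows side, one scope per subnet (192.168.1.0/24, 192.168.30.0/24, 192.168.40.0/24, 192.168.10.0/24) with the SVI address (.1) excluded: the server picks the scope from the relay agent address the 4500 inserts, which is the address of the SVI the request arrived on, so each scope's network must match its SVI subnet exactly. `show ip interface vlan 20` confirms the helper address and inbound ACL, and `show ip access-lists 120` shows which entries guest traffic is hitting.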

  • Network LAN Setup Help

    I have a Cisco 891 router and 3 unmanaged switches that I would like to use to segment my small office network into 3 VLAN groups to help reduce the current bottleneck we are having in our network. From everything I read I should be able to set up 3 VLANs on the router, and pick 3 out of the 8 ports on the router to be switchports for each of the 3 VLANs, and each of the 3 switches would connect to those.
    My question is, when I set up the VLAN I cannot access the internet, though the initial VLAN 1, which currently has all our office computers sharing 1 switch and 1 VLAN, works fine. Any ideas? Is segmenting our network via 3 switches and 3 VLANs going to help with overall bandwidth?
    My last question is, what are the proper steps to set up each VLAN on the router so I can access the internet with them and achieve the increased bandwidth through segmenting each office group?
    I am new to Cisco routers, so any help you can give me would be great.

    Thanks for your help. I think I've helped myself on the bandwidth end by splitting up my office onto 3 switches, but still using 1 VLAN. Before we had 16 people using 1 100Mbps link to the router which was at times getting maxed. Now I have it split across 3. But for security reasons with accounting and such I still want to set up 3 VLANs. Here is the version information on the router:
    Cisco IOS Software, C890 Software (C890-UNIVERSALK9-M), Version 12.4(22)YB, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Tue 27-Jan-09 02:48 by prod_rel_team
    ROM: System Bootstrap, Version 12.4(22r)YB3, RELEASE SOFTWARE (fc1)
    yourname uptime is 3 days, 5 hours, 24 minutes
    System returned to ROM by reload at 10:18:03 PCTime Fri Oct 8 2010
    System image file is "flash:c890-universalk9-mz.124-22.YB.bin"
    Last reload reason: Reload Command
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    Cisco 891 (MPC8300) processor (revision 1.0) with 498688K/25600K bytes of memory.
    Processor board ID FTX134680PV
    9 FastEthernet interfaces
    1 Gigabit Ethernet interface
    1 Serial interface
    1 terminal line
    256K bytes of non-volatile configuration memory.
    250880K bytes of ATA CompactFlash (Read/Write)
    License Information for 'c890'
        License Level: advipservices   Type: Permanent
        Next reboot license Level: advipservices
    Configuration register is 0x2102
    Current configuration : 12609 bytes
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname yourname
    boot-start-marker
    boot-end-marker
    security authentication failure rate 3 log
    security passwords min-length 6
    logging message-counter syslog
    logging buffered 51200
    logging console critical
    enable secret 5 ***********************
    aaa new-model
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authentication login ciscocp_vpn_xauth_ml_2 local
    aaa authentication login ciscocp_vpn_xauth_ml_3 local
    aaa authorization exec default local
    aaa authorization network ciscocp_vpn_group_ml_1 local
    aaa session-id common
    clock timezone PCTime -5
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    crypto pki trustpoint TP-self-signed-2084037767
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-2084037767
    revocation-check none
    rsakeypair TP-self-signed-2084037767
    crypto pki certificate chain TP-self-signed-2084037767
    certificate self-signed 01
            quit
    no ip source-route
    ip dhcp pool data-vlan-10
       import all
       network 10.10.10.0 255.255.255.0
       dns-server *****************(OUTSIDE IP)
       default-router 10.10.10.1
    ip cef
    no ip bootp server
    ip domain name yourdomain.com
    ip name-server *****************(OUTSIDE IP)
    ip name-server *****************(OUTSIDE IP)
    ip port-map user-protocol--1 port tcp 3389
    no ipv6 cef
    multilink bundle-name authenticated
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group Everyone
    key *********
    crypto isakmp client configuration group user
    key **********
    pool SDM_POOL_1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ctcp port 10000
    archive
    log config
      hidekeys
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    class-map type inspect match-all sdm-nat-user-protocol--1-1
    match access-group 102
    match protocol user-protocol--1
    class-map type inspect match-any ccp-skinny-inspect
    match protocol skinny
    class-map type inspect match-any SDM_WEBVPN
    match access-group name SDM_WEBVPN
    class-map type inspect match-all SDM_WEBVPN_TRAFFIC
    match class-map SDM_WEBVPN
    match access-group 103
    class-map type inspect match-any ccp-cls-insp-traffic
    match protocol cuseeme
    match protocol dns
    match protocol ftp
    match protocol https
    match protocol icmp
    match protocol imap
    match protocol pop3
    match protocol netshow
    match protocol shell
    match protocol realmedia
    match protocol rtsp
    match protocol smtp extended
    match protocol sql-net
    match protocol streamworks
    match protocol tftp
    match protocol vdolive
    match protocol tcp
    match protocol udp
    class-map type inspect match-all ccp-insp-traffic
    match class-map ccp-cls-insp-traffic
    class-map match-any CCP-Transactional-1
    match  dscp af21
    match  dscp af22
    match  dscp af23
    class-map type inspect match-any ccp-h323nxg-inspect
    match protocol h323-nxg
    class-map type inspect match-any ccp-cls-icmp-access
    match protocol icmp
    match protocol tcp
    match protocol udp
    class-map match-any CCP-Voice-1
    match  dscp ef
    class-map type inspect match-any ccp-h225ras-inspect
    match protocol h225ras
    class-map match-any CCP-Routing-1
    match  dscp cs6
    class-map match-any CCP-Signaling-1
    match  dscp cs3
    match  dscp af31
    class-map type inspect match-any ccp-h323annexe-inspect
    match protocol h323-annexe
    class-map match-any CCP-Management-1
    match  dscp cs2
    class-map type inspect match-any ccp-h323-inspect
    match protocol h323
    class-map type inspect match-all ccp-icmp-access
    match class-map ccp-cls-icmp-access
    class-map type inspect match-all ccp-invalid-src
    match access-group 101
    class-map type inspect match-any ccp-sip-inspect
    match protocol sip
    class-map type inspect match-all ccp-protocol-http
    match protocol http
    policy-map CCP-QoS-Policy-1
    class CCP-Voice-1
        priority percent 33
    class CCP-Signaling-1
        bandwidth percent 5
    class CCP-Routing-1
        bandwidth percent 5
    class CCP-Management-1
        bandwidth percent 5
    class CCP-Transactional-1
        bandwidth percent 5
    class class-default
        fair-queue
         random-detect
    policy-map type inspect ccp-permit-icmpreply
    class type inspect ccp-icmp-access
      inspect
    class class-default
      pass
    policy-map type inspect sdm-pol-NATOutsideToInside-1
    class type inspect sdm-nat-user-protocol--1-1
      inspect
    class class-default
      drop
    policy-map type inspect ccp-inspect
    class type inspect ccp-invalid-src
      drop log
    class type inspect ccp-protocol-http
      inspect
    class type inspect ccp-insp-traffic
      inspect
    class type inspect ccp-sip-inspect
      inspect
    class type inspect ccp-h323-inspect
      inspect
    class type inspect ccp-h323annexe-inspect
      inspect
    class type inspect ccp-h225ras-inspect
      inspect
    class type inspect ccp-h323nxg-inspect
      inspect
    class type inspect ccp-skinny-inspect
      inspect
    class class-default
      drop
    policy-map type inspect ccp-permit
    class type inspect SDM_WEBVPN_TRAFFIC
      inspect
    class class-default
      drop
    zone security out-zone
    zone security in-zone
    zone-pair security ccp-zp-self-out source self destination out-zone
    service-policy type inspect ccp-permit-icmpreply
    zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
    service-policy type inspect sdm-pol-NATOutsideToInside-1
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
    service-policy type inspect ccp-inspect
    zone-pair security ccp-zp-out-self source out-zone destination self
    service-policy type inspect ccp-permit
    interface Loopback0
    description Do not delete - SDM WebVPN generated interface
    ip address 192.168.1.1 255.255.255.252
    ip nat inside
    ip virtual-reassembly
    interface Null0
    no ip unreachables
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
    interface FastEthernet5
    interface FastEthernet6
    interface FastEthernet7
    interface FastEthernet8
    description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
    ip address *****************(OUTSIDE IP) 255.255.255.248
    ip verify unicast reverse-path
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nbar protocol-discovery
    ip flow ingress
    ip nat outside
    ip virtual-reassembly
    zone-member security out-zone
    duplex full
    speed 100
    snmp trap ip verify drop-rate
    service-policy output CCP-QoS-Policy-1
    interface GigabitEthernet0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    shutdown
    duplex auto
    speed auto
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$
    ip address 10.10.10.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly
    zone-member security in-zone
    ip tcp adjust-mss 1452
    interface Async1
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    encapsulation slip
    ip local pool SDM_POOL_1 10.10.10.50 10.10.10.60
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 *****************(OUTSIDE IP) 2
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip flow-top-talkers
    top 10
    sort-by bytes
    cache-timeout 6000
    ip nat inside source list 100 interface FastEthernet8 overload
    ip nat inside source static tcp 10.10.10.71 3389 interface FastEthernet8 3389
    ip nat inside source static tcp 192.168.1.1 443 *****************(OUTSIDE IP) 4443 extendable
    ip access-list extended SDM_WEBVPN
    remark CCP_ACL Category=1
    permit tcp any any eq 443
    logging trap debugging
    access-list 23 permit 10.10.10.0 0.0.0.7
    access-list 23 permit 10.10.10.0 0.0.0.255
    access-list 100 permit ip 10.10.10.0 0.0.0.255 any
    access-list 101 remark CCP_ACL Category=128
    access-list 101 permit ip host 255.255.255.255 any
    access-list 101 permit ip 127.0.0.0 0.255.255.255 any
    access-list 101 permit ip**********************(OUTSIDE IP) 0.0.0.7 any
    access-list 102 remark CCP_ACL Category=0
    access-list 102 permit ip any host 10.10.10.71
    access-list 103 remark CCP_ACL Category=128
    access-list 103 permit ip any host *****************(OUTSIDE IP)
    no cdp run
    control-plane
    banner exec ^C
    % Password expiration warning.
    Cisco Configuration Professional (Cisco CP) is installed on this device
    and it provides the default username "cisco" for one-time use. If you have
    already used the username "cisco" to login to the router and your IOS image
    supports the "one-time" user option, then this username has already expired.
    You will not be able to login to the router with this username after you exit
    this session.
    It is strongly suggested that you create a new username with a privilege level
    of 15 using the following command.
    username <myuser> privilege 15 secret 0 <mypassword>
    Replace <myuser> and <mypassword> with the username and password you want to
    use.
    ^C
    banner login ^C
    Cisco Configuration Professional (Cisco CP) is installed on this device.
    This feature requires the one-time use of the username "cisco" with the
    password "cisco". These default credentials have a privilege level of 15.
    YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
    CREDENTIALS
    Here are the Cisco IOS commands.
    username <myuser> privilege 15 secret 0 <mypassword>
    no username cisco
    Replace <myuser> and <mypassword> with the username and password you want
    to use.
    IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
    TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
    For more information about Cisco CP please follow the instructions in the
    QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
    ^C
    line con 0
    transport output telnet
    line 1
    modem InOut
    stopbits 1
    speed 115200
    flowcontrol hardware
    line aux 0
    transport output telnet
    line vty 0 4
    privilege level 15
    transport input telnet ssh
    line vty 5 15
    privilege level 15
    transport input telnet ssh
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    webvpn gateway gateway_1
    ip address 72.242.1.187 port 443
    http-redirect port 80
    ssl trustpoint TP-self-signed-2084037767
    inservice
    webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
    webvpn install csd flash:/webvpn/sdesktop.pkg
    webvpn context VPN
    secondary-color white
    title-color #CCCC66
    text-color black
    ssl authenticate verify all
    policy group policy_1
       functions svc-enabled
       svc address-pool "SDM_POOL_1"
       svc keep-client-installed
    default-group-policy policy_1
    aaa authentication list ciscocp_vpn_xauth_ml_3
    gateway gateway_1 domain pwvpn
    inservice
    end
    So that's the config right now. I have not added the VLANs yet, because when I did it shut down all our network, so I went back to our working config. So if you can tell me what steps I need to set up the VLANs, that would be great. I need to start another thread about VPNs, because I can't get our VPN working either, but that's another story.
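    As an added check (not part of the original thread or of Cisco's tooling), a small Python audit that parses an IOS-style running config and flags the management settings visible in the posted config: telnet accepted on the vty lines, the cleartext `ip http server`, a management ACL (access-list 23) that admits a whole /24, and the Cisco CP banner that still describes the default one-time credentials. The sample config lines are constructed from the posted config; the 16-host threshold is an assumption.

```python
# Constructed sample: the management-related lines from the posted config.
SAMPLE_CONFIG = """\
ip http server
ip http secure-server
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 10.10.10.0 0.0.0.255
line vty 0 4
 transport input telnet ssh
banner login ^C
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
^C
"""

def parse_sections(config):
    """Map each top-level IOS command to its indented child lines."""
    sections, current = {}, None
    for raw in (line for line in config.splitlines() if line.strip()):
        if not raw.startswith(" "):
            current = raw.strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(raw.strip())
    return sections

def acl_source_hosts(tokens):
    """Addresses a standard-ACL source matches ('any', 'host A', 'A W', bare 'A'); wildcard set bits are don't-care."""
    if tokens == ["any"]:
        return 2 ** 32
    if tokens[0] == "host" or len(tokens) == 1:
        return 1
    return 2 ** sum(bin(int(octet)).count("1") for octet in tokens[1].split("."))

def audit(config):
    """Return hardening findings for the weak settings the posted config shows."""
    findings, sections = [], parse_sections(config)
    for parent, children in sections.items():
        if parent.startswith("line vty"):
            for child in children:
                if child.startswith("transport input") and "telnet" in child.split():
                    findings.append(f"{parent}: telnet accepted ('{child}'); use 'transport input ssh'")
        if parent.startswith("access-list 23 permit "):
            hosts = acl_source_hosts(parent.split()[3:])
            if hosts > 16:  # assumed threshold: wider than a small admin range
                findings.append(f"{parent}: management ACL admits {hosts} hosts; narrow it to the admin subnet")
    if "ip http server" in sections:
        findings.append("ip http server: cleartext HTTP management is on; keep only 'ip http secure-server'")
    if 'username "cisco"' in config and 'password "cisco"' in config:
        findings.append("login banner still describes the default cisco/cisco account; confirm 'no username cisco' was applied")
    return findings
```

    Run `audit(SAMPLE_CONFIG)` to list the four findings for the sample; feeding it a config where only `ip http secure-server` and `transport input ssh` remain returns an empty list.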

  • Cisco 857 setup

    This post needs to go across a few forums but I will start here first.
    I have an 857W router which I want to replace my home ADSL router with.
    I can set up the ADSL / routing no problem, but I am struggling to find a good resource on setting up the wireless.
    Can anyone guide me to some basic setup guides for securing the wireless on this box?
    Thanks

    You can find some good all-round examples:
    http://www.cisco.com/en/US/docs/routers/access/800/850/software/configuration/guide/enetintr.html

  • EA3500 Cisco Connect Setup problem?

    So I recently reset my Linksys EA3500 and I lost the CD, so I downloaded the Cisco Connect for the EA3500. I connected my EA3500 using the ethernet cable to my laptop, ran the setup, and then at 25% it said that no wireless routers were found. I already connected it using an ethernet cable; I don't understand why it is still not found. What should I do?

    Hi geraldicg, make sure that the wireless switch on your computer is turned on. I recommend that you try another laptop (if available). If no luck, configure the router manually by accessing 192.168.1.1 or myrouter.local. Check this out:
    Title: Accessing your Linksys Smart Wi-Fi Account through a web browser  

  • Lan setup question....

    OK, this is driving me nuts. I have been scouring these forums for a few days, and cannot find any help specifically related to my problem.
    Here's the deal. I use a PC as my gateway/firewall. I don't trust these router units hehe
    So I have
    internet --> firewall PC/ICS server/DHCP server --> EZXS55W switch (3 PCs connected FINE)
    I recently got a wireless router (model BEFW11S4) and want to hang it off the switch as a wireless access point. I found several good posts about router-to-router connections, and a few on router and switch, but most were from router to switch, not the other way.
    One post said to disable DHCP, set as router, and it makes the router into a wireless switch, but this doesn't seem to work.
    Could someone please advise on how to make this work?
    The setup I want is such:
    inet -> ICS/firewall PC -> (uplink) switch -> PCs/wireless router
    This all connects fine, the 3 PCs on the switch get net just fine, but the router is not getting its IP from the ICS server, and will not pass on wireless connections for extra PCs...
    Any thoughts?
    I think the problem is in the setup of the IPs. I have the device IP set to 192.168.0.* (MS ICS used the 192.168.0.* range, so I set it to be on this LAN) but nothing passes on..
    I am missing something, and cannot figure it out...
    Thanks, cryogen

    Update.... well, it's working now. I set the internet IP to 192.168.0.25, device IP to 192.168.0.50, mode router, DHCP disabled, wireless broadcast on. My Linux box with wireless USB picks it up fine... but it seemed to take a few mins hehe. Unfortunately I did all this at once, and something made it work; I'm not sure which... ideas? If anyone sees any glaring problems with this setup, please advise... thanks, cryogen

  • Simple LAN setup question

    Just got a new MBP 17-incher, and I love it!
    I simply want to be able to network my MBP when home via LAN to my PC desktop to access the 3 terabytes of music and movies it contains.
    I went to the network properties on the MBP and set it to Ethernet and manual so I could assign the IP 192.168.1.20.
    Upon connecting the cable I lost my wireless connection... Is there a way to keep my wireless connection but set up an SMB share or something that would specifically use the gigabit port to access the Windows machine, as it is WAY faster using LAN? (Crossover cable or direct connection is best.)
    Please let this be possible; otherwise I'm gonna have to start punching holes in the wall to run cable downstairs to the router.

    The following may help:
    http://www.macdevcenter.com/pub/a/mac/2002/11/19/mac_pc.html
    http://forums.macrumors.com/showthread.php?t=54704
    http://joelshoemaker.com/computer/mac/macfilesharing.html
    http://www.apple.com/support/tiger/network/
    http://docs.info.apple.com/article.html?path=Mac/10.4/en/mh1161.html
    http://docs.info.apple.com/article.html?path=Mac/10.4/en/mh1163.html
    http://docs.info.apple.com/article.html?artnum=107369
    http://docs.info.apple.com/article.html?artnum=106461

  • IP messenger in cisco lan

    Hi ,
    I want to block IP Messenger on my university campus. I have multiple VLANs.
    I have a large LAN environment with Cisco 2960 and Cisco 3750 series switches.

    georgemc wrote:
    DrClap wrote:
    How did you convert "DNS" into "JNDI"?
    Easy. Reverse the order of D and N, then split S into J and I. I is the 9th letter of the alphabet, J is the 10th, and S is the 19th. 10 + 9 is 19. Bookend ND with that, and Bob's yer uncle.
    And since from your perspective, the above was written by "I", and since capital "I" looks like a number one, we see that 9 for I and 10 for J with 1 added becomes 9 and 11, which proves that you were responsible for the 9/11 attacks. And since your name is George, and an M is an upside-down W and C is a play on "See", which you thought nobody ever would, you must be Dubya. Ergo, the attacks were a conspiracy at the highest levels of government, QED.

  • W-Lan setup problems

    Hi,
    I just bought a MacBook and now I have some problems setting up a W-LAN connection. Do I need special hardware (AirPort) for the connection, or how does it work?
    Thanks for your help.
    Regards
