LAN Switches cannot be accessed by Telnet, SSH or console in native vlan
Hi to all of you:
I do have a question about tagging the native vlan.
In our network we do have about 90 L2 and L3 switches, 2950 the oldest, 2960, 2960S, 3560 PoE, 3750 and 4503E, and we are running VTP, and 43 vlans within the entire network.
Our native VLAN is still VLAN 1, and there are many corporate applications running in this VLAN.
We upgraded the IOS on the switches to the latest version about 6 months ago, and after that we started to have issues with accessing the switches, either by telnet, SSH, or even console. However, the switch is still working fine, I mean, doing all bridging and switching of traffic.
I have to reset or reload (power cycle) if I want to access the switch.
I have read that having the native vlan can be a problem.
Could you please let me know if you have gone through this problem?
Thanks in advance for your help.
Javier F. Berthin H.
Hi Karhtick:
I guess you have the best answer; you suggested the memory command and I am attaching the result.
Should the next step be to downgrade the IOS? We did the upgrade just in order to have the latest IOS published by Cisco.
If you need the config please let me know, for complementary comments.
Thanks for your help.
Javier
Core_Toldos#sh processes memory sorted
Processor Pool Total: 57114592 Used: 42061488 Free: 15053104
I/O Pool Total: 12582912 Used: 9397428 Free: 3185484
Driver te Pool Total: 1048576 Used: 40 Free: 1048536
PID TTY Allocated Freed Holding Getbufs Retbufs Process
0 0 56706116 14325484 38372056 0 0 *Init*
197 0 4506712 2363500 1463652 0 0 Auth Manager
0 0 0 0 1443720 0 0 *MallocLite*
0 0 577244636 370831296 916016 12457311 3203234 *Dead*
236 0 532808 46152 507068 0 0 IP ARP Adjacency
303 0 1335768 890528 450448 0 0 ADJ resolve proc
230 0 27640244 15996 378344 10152 0 CDP Protocol
77 0 368260 14413456 377820 0 0 EEM ED ND
102 0 385848 232 362236 0 0 HLFM address lea
404 0 3397428 3069392 334928 0 0 hulc running con
192 0 307492 21604 294808 0 0 HL2MCM
193 0 356552 70624 294744 0 0 HL2MCM
357 0 265100 0 275260 100548 0 EEM ED Syslog
365 0 126849404 86726456 255248 0 0 EEM Server
87 0 569060 274864 244984 0 0 Stack Mgr Notifi
203 0 753032 492440 164316 0 0 DTP Protocol
201 0 737920 526656 159424 0 0 802.1x switch
13 0 505129716 504972016 156620 0 0 ARP Input
Core_Toldos#
Similar Messages
-
Does the dot1q native VLAN need to be defined on the switch?
I understand the issues with using VLAN 1 as the native VLAN on a dot1q trunk. I follow best practices and change the native VLAN to a VLAN that does not carry any other traffic (switchport trunk native vlan x). I usually go a step further and do not define the VLAN in the switch configuration. This way if traffic bleeds into the native VLAN because it is untagged then it cannot go anywhere. So if I use VLAN 999 as the native VLAN, I do not create VLAN 999 on the switch. I’m curious if anyone else does this or if there are any thoughts on whether this is a good or bad practice?
If you are tagging your native VLAN but do not have that VLAN in the vlan database - it makes no difference if the VLAN exists or not in my opinion. All the vlans on your trunks would be tagged anyway.
It seems like a clever idea, but not sure if it provides any benefit. -
Unable to Telnet / SSH to a particular cisco switch
Hello,
I have an unusual issue that I just can't seem to track down. We have a Windows Server 2008 R2 box that is unable to telnet or ssh to one switch in our network.
Server IP: 10.0.0.74
Cisco Switch IP: 10.1.0.7
I am able to access all other switches/routers on the 10.1.0.x network, but not this one. I ping and tracert by ip address and name.
We have a number of other servers on our network and they all can access this switch.
Example:
a. 10.0.0.73 can telnet/ssh to 10.1.0.7
b. 10.0.0.72 can telnet/ssh to 10.1.0.7
c. 10.0.0.50 can telnet/ssh to 10.1.0.7
d. My workstation (10.0.250.213) can telnet/ssh to 10.1.0.7
If anyone can help with troubleshooting further, I would greatly appreciate it.
Thanks for the reply Philippe! Here is the route print:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.2 10.0.0.74 266
10.0.0.0 255.255.0.0 On-link 10.0.0.74 266
10.0.0.74 255.255.255.255 On-link 10.0.0.74 266
10.0.255.255 255.255.255.255 On-link 10.0.0.74 266
10.10.0.0 255.255.0.0 On-link 10.0.0.74 266
10.10.0.74 255.255.255.255 On-link 10.0.0.74 266
10.10.255.255 255.255.255.255 On-link 10.0.0.74 266
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.0.0.74 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.0.0.74 266
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 10.0.0.2 Default
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
1 306 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
Firewall is disabled and there is no active antivirus. I'm pretty sure port blocking is not the issue. I am able to SSH and telnet from this box to every other switch/router in our network.
This server has Solarwinds on it and tracks the health of our network (servers, routers, switches, UPS, etc.). The only reason we noticed an issue is because it stopped backing up the config for this particular switch. All other switches'/routers' config is backed up to this server every morning at 2:00 AM.
With Solarwinds, this server is also able to communicate with this switch via SNMP/ICMP and ping.
Thanks again for the help! -
Telnet/SSH Connection to Switch
I'm studying for the CCENT, and I have one issue and two general inquiries I'd like to present.
First of all, I'm having trouble connecting to my 2950 using Telnet/SSH, though I've applied a VTY password. As an aside, I'm able to connect through the console. I applied an IP address to the switch, and I'm wondering if there's a part of the process that I've missed. When using Putty to connect to the IP, I immediately receive the "Network Error: Connection refused" error; the same basic message happens, using Tera Term.
Here's my running config:
Switch#show running-config
Building configuration...
Current configuration : 2416 bytes
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname Switch
no logging console
username CCNA password 0 CCIE
ip subnet-zero
ip domain-name modeofinquiry.com
ip ssh time-out 120
ip ssh authentication-retries 3
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
interface FastEthernet0/1
switchport mode access
interface FastEthernet0/2
switchport mode access
interface FastEthernet0/24
switchport access vlan 2
switchport mode access
interface FastEthernet0/25
interface FastEthernet0/26
interface Vlan1
no ip address
no ip route-cache
shutdown
interface Vlan2
ip address 192.168.1.107 255.255.255.0
no ip route-cache
ip default-gateway 192.168.1.1
ip http server
line con 0
exec-timeout 0 0
password CCENT
logging synchronous
login
line vty 0 4
login local
transport input telnet ssh
line vty 5 15
login local
transport input telnet ssh
end
--More--
The physical connection I'm using is from my desktop's second NIC, and I've configured the IPv4 connection to the switch's listed IP, which is 192.168.1.107. Is there anything listed above that would be problematic?
One of my questions has to do with the IP address that's supposed to be used to receive rsa keys: why is it necessary? Also, I tried entering the "ip address dhcp" command to grab an address from my WRT54G and received the following:
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int vlan2
Switch(config-if)#ip address dhcp
^
% Invalid input detected at '^' marker.
I'm following the directions in Odom's book, and I don't see what I'm missing.
My other question has to do with passwords, in general. Entering the username/password on either the interface-subcommand or the global configuration area seems unimportant, here:
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#line vty 0 15
Switch(config-line)#login local
Switch(config-line)#transport input ssh telnet
Switch(config-line)#username DDDD password EEEE
Switch(config)#^Z
...and...
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#line vty 0 15
Switch(config-line)#login local
Switch(config-line)#transport input ssh telnet
Switch(config-line)#exit
Switch(config)#username FFFF password GGGG
Switch(config)#^Z
Here's the running config, afterwards:
Switch#show running-config
Building configuration...
Current configuration : 2535 bytes
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname Switch
no logging console
username CCNA password 0 CCIE
username BBBB password 0 CCCC
username DDDD password 0 EEEE
username FFFF password 0 GGGG
ip subnet-zero
ip domain-name modeofinquiry.com
ip ssh time-out 120
ip ssh authentication-retries 3
--More--
It doesn't appear as though exiting out of config-if mode made any difference for the usernames/passwords. Then again, I can't connect through Telnet/SSH, so I'm not able to test it, at the moment.
I'm really sorry for the huge post, but I didn't want to start multiple threads. Any help is much appreciated.
- B
First of all, thank you all for the helpful responses!
My PC is currently connected through the router, from which a straight-through cable is connected to port Fa0/18, and it is indeed on vlan2, which is associated with 1.107.
I ran the arp -a command, and here's a portion of it:
Interface: 192.168.1.105 --- 0xc
Internet Address Physical Address Type
192.168.1.1 00-0c-41-d4-6d-a1 dynamic
192.168.1.104 64-a3-cb-3d-07-64 dynamic
192.168.1.107 00-0a-b7-13-e5-c0 dynamic
1.105 is one of the NICs on the desktop. The BIA listed for 1.107 is one of the static "CPU" addresses on the switch. Here's my current running config:
Switch#show running-config
Building configuration...
Current configuration : 2434 bytes
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname Switch
no logging console
username CCNA password 0 CCIE
ip subnet-zero
ip domain-name modeofinquiry.com
ip ssh time-out 120
ip ssh authentication-retries 3
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
interface FastEthernet0/1
switchport mode access
interface FastEthernet0/2
switchport mode access
interface FastEthernet0/18
switchport access vlan 2
switchport mode access
interface FastEthernet0/19
switchport access vlan 2
switchport mode access
interface FastEthernet0/20
switchport access vlan 2
switchport mode access
interface FastEthernet0/21
switchport access vlan 2
switchport mode access
interface FastEthernet0/22
switchport access vlan 2
switchport mode access
interface FastEthernet0/23
switchport access vlan 2
switchport mode access
interface FastEthernet0/24
switchport access vlan 2
switchport mode access
interface FastEthernet0/25
interface FastEthernet0/26
interface Vlan1
no ip address
no ip route-cache
shutdown
interface Vlan2
ip address 192.168.1.107 255.255.255.0
no ip route-cache
ip default-gateway 192.168.1.1
ip http server
line con 0
exec-timeout 0 0
password CCENT
logging synchronous
login
line vty 0 4
password NICE
login
transport input telnet ssh
line vty 5 15
password NICE
login
transport input telnet ssh
end
As you can see, I've added the VTY passwords, though I thought I had already done that. Actually, to what do the "CCNA" and "CCIE" passwords listed above apply? I'm assuming those are the local login credentials I added for the VTY lines.
I just got through disconnecting the switch's straight-through cable from the router and connecting it directly to my desktop's second NIC again, and I still can't connect remotely. Where should the troubleshooting start, at this point? -
Cannot ping/telnet/ssh to GigabitEthernet interface of Cisco AP2602
I have a Cisco 2602 (ios ver 15.0)
I can connect through its SSID normally, but I can't access the AP itself. From the AP I cannot ping the gateway, even though the AP can be seen in CDP from the switch.
But my other AP, a Cisco 1140 (IOS 12.4), can be accessed with the same configuration on the switch (switchport mode trunk, allowed vlan 1 & 2).
vlan 1 is for user, vlan 2 for management...
Below is the configuration of the gigabitethernet interface of the AP 2602
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface GigabitEthernet0.2
encapsulation dot1Q 2
ip address 10.32.2.98 255.255.255.0
no ip route-cache
bridge-group 2
no bridge-group 2 source-learning
bridge-group 2 spanning-disabled
interface BVI1
no ip address
no ip route-cache
ip default-gateway 10.32.2.1
Please help.
With an autonomous access point, the management has to be on the native VLAN. The issue is that your VLAN 1 is native and that is for users, but your management is on VLAN 2, which is management. This will not work, as it is a requirement to keep management on a native VLAN. You would have to move the users to a different VLAN, since VLAN 1 is typically tagged, so that you can define on the trunk port on the switch that VLAN 2 is native.
-Scott -
ASA5520 - Management0/0 Telnet/SSH/Ping Access
hey all, hope this is an easy one.
- How can I set up the management interface so that we can ping the mgmt interface from a subnet that is different from the Management0/0 interface's subnet (source IP would be 192.168.100.0/24, which may conflict with the inside interface)?
- I am able to telnet/SSH from the 192.168.100.0/24 subnet connected to a router behind the mgmt interface.
- I am not able to ping the mgmt interface from the 192.168.100.0/24 subnet connected to a router behind the mgmt interface.
- Is a security level required on the mgmt interface? It does not work unless we put one. If so, what are you guys setting it to?
interface Ethernet0/0.101
description Outside
vlan 101
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0
interface Ethernet0/1.102
description Inside Cat3750-VM G1/0/24 (PRI) G2/0/24 (STB)
vlan 102
nameif inside
security-level 100
ip address 192.168.100.100 255.255.252.0
interface Management0/0
nameif mgmt
security-level 90
ip address 192.168.253.100 255.255.255.0
management-only
ssh 192.168.100.0 255.255.255.0 mgmt
telnet 192.168.100.0 255.255.255.0 mgmt
I try to add a static route but get an error:
ASA5520(config)# route mgmt 192.168.0.0 255.255.252.0 192.168.253.1
ERROR: Cannot add route, connected route exists
Hello Robert,
By default the Management interface of an ASA is going to be used just for management traffic only.
Now, in order to be able to use it as any other interface, you will need to use the following commands:
- interface Management0/0
- no management-only
And just to let you know, it is impossible to ping a distant interface, for example from an inside subnet to the outside interface IP. This is a security measure.
Regards,
Julio -
Prime 4.2 Telnet/ SSH Connections to Switches
Hi everybody,
I have a problem with LMS 4.2 and the Telnet/SSH tool used to open network devices.
If I start the Telnet/SSH tool, it always starts a telnet session and never an SSH session.
But telnet is disabled on all devices in my network. Can I change something to automatically open an SSH session with PuTTY?
Regards, Bjoern
Hi Bjoern,
I am assuming you refer to the Device Center > Tools > Telnet/SSH option.
The problem is not on LMS actually. What happens is that in the background, a telnet:// is being called.
What will happen is that your system will launch whatever application has been assigned to the telnet protocol, typically the Windows CMD, which will open a telnet session automatically.
In order to change this to use Putty for example, which would allow you to change to SSH connectivity (manually though) you can do the following:
1) BACKUP YOUR REGISTRY.
Go to Start > Run > Regedit > File > Export.
2) Locate the following key:
HKEY_CLASSES_ROOT > Telnet > shell > Open > command > (default)
3) Modify the key value to point to the location of your "putty.exe" file (make sure to include the double quotes).
Default value:
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\url.dll",TelnetProtocolHandler %l
New value (will open putty automatically to the selected IP):
"D:\Tools\putty.exe" %l
New value (will open putty normally, you will need to type the IP but can change the connection protocol/port if desired):
"D:\Tools\putty.exe"
This should make your system open Putty for any "telnet://" links, including the Telnet/SSH link in the Tools section of Device Center.
Best regards,
Luis
-
Can't ping, telnet, SSH or find APs in ARP, but associated to WLC & has clients
Hi All,
I have an interesting problem. I have a Cisco 2504 WLC, and six Access Points that are associated to it. I can reach 4 of the access points, which are connected to Cisco 300 POE switches, but the other 2 I cannot ping, telnet, SSH or find in the ARP table on the network. However, they are both associated to the WLC and as far as I can tell, they have clients associated to them. If I reboot them from the WLC, they find their way back to the correct WLC, and the WLC sees them in CDP, but I still can't access them in any way.
The two problem APs appear to be connected to ports 3 & 4 on the WLC, which are the POE ports. I read some documentation that says that those ports don't support Access Points but basically that you can still connect them and have it work, but don't expect any help from Cisco if you run into problems. I've confirmed that POE is being supplied in the port configs, and I have other sites with WLC's that are configured identically with APs on ports 3 & 4 that are up and not having any issues.
Wondering if anyone has had similar issues and if so, can you shed any light on this strange behavior?
Thanks.
Please see
https://supportforums.cisco.com/discussion/11288621/2500-wlc-attach-ap -
2851 router vpn to 851 router lan clients cannot ping
Greets - I'm expanding my lab experience by adding a 2851 router to my mix of 18xx and 851/871 units. Some of this infrastructure is in production, some just lab work. I have established good connectivity between 18xx's and 851/871's with IPSEC VPNs (site-to-site static and dynamic), but my problem is with adding in a 2851.
Setup: 2851 with 12.4 ADVENTK9, WAN on GE0/0 as 216.189.223.bbb/26, LAN on GE0/1 as 172.20.0.1/20 (VPN module, but no additional HWIC modules)
851 with 12.4 ADVENTK9, WAN on FE4 as 216.53.254.aaa/24, LAN on FE0..3 via BVI1 as 172.21.1.1/24
The two router WAN ports are bridged via a 3rd router (a Zywall with 216.0.0.0/8 route, with the router at 216.1.1.1) affectionately called the "InterNOT", which provides a surrogate to the great web, minus actual other hosts and dns, but it doesn't matter. As both my WAN addresses are within 216.x.x.x, this works quite well. This surrogate has tested fine and is known to not be part of a problem.
The 851 has been tested against another 851 with complementary setup and a successful VPN can run between the two.
I have good LAN-WAN connections on each router. I do have a "Good" VPN connection between the two routers.
The problem: I cannot ping from a LAN host on 172.20.x.x on the 2851 to any 172.21.1.x (e.g. 172.21.1.1) host on the 851, and vice versa.
From a LAN host, I can ping to my InterNOT - for example a dhcp host 172.20.6.2 on the 2851 LAN can ping 216.1.1.1 fine. I can also ping the 851's WAN address at 216.53.254.aaa.
To complicate matters, if I connect to the routers via console, I CAN ping across the vpn to the destination LAN hosts, in both directions.
This seems to indicate that there is a bridging problem between the LAN interfaces to the VPN interfaces. I suspect this is a config problem on the 2851, as I have had a similar config working on my 851 to 851 site-to-site setups. I also suspect it is in the 2851's config as I'm still just starting out with this particular router.
So some stripped-down configs:
For the 2851:
no service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname router2851
boot-start-marker
boot-end-marker
no logging buffered
no logging console
enable password mypassword2
no aaa new-model
dot11 syslog
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.20.0.1 172.20.6.1
ip dhcp excluded-address 172.20.6.254 172.20.15.254
ip dhcp pool Internal_2000
import all
network 172.20.0.0 255.255.240.0
domain-name myseconddomain.int
default-router 172.20.0.1
lease 7
no ip domain lookup
multilink bundle-name authenticated
voice-card 0
no dspfarm
crypto pki <<truncated>>
crypto pki certificate chain TP-self-signed-2995823027
<<truncated>>
quit
username myusername privilege 15 password 0 mypassword2
archive
log config
hidekeys
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key mysharedkey address 216.53.254.aaa
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to216.53.254.aaa
set peer 216.53.254.aaa
set transform-set ESP-3DES-SHA
match address 100
interface GigabitEthernet0/0
description $ETH-WAN$
ip address 216.189.223.bbb 255.255.255.192
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
no shut
interface GigabitEthernet0/1
description $FW_INSIDE$$ETH-LAN$
ip address 172.20.0.1 255.255.240.0
ip nat inside
ip virtual-reassembly
no ip route-cache
duplex auto
speed auto
no mop enabled
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.20.0.0 0.0.15.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
access-list 101 permit ip 172.20.0.0 0.0.15.255 any
route-map SDM_RMAP_1 permit 1
match ip address 101
control-plane
banner motd ~This is a private computer system for authorized use only. And Stuff~
line con 0
line aux 0
line vty 0 4
privilege level 15
password mypassword
login local
transport input telnet ssh
scheduler allocate 20000 1000
end
And for the 851:
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname router851
boot-start-marker
boot-end-marker
logging buffered 52000 debugging
no logging console
enable password mypassword
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
resource policy
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip dhcp use vrf connected
ip dhcp excluded-address 172.21.1.1 172.21.1.100
ip dhcp pool Internal_2101
import all
network 172.21.1.0 255.255.255.0
default-router 172.21.1.1
domain-name mydomain.int
dns-server 172.21.1.10
lease 4
ip cef
ip domain name mydomain.int
ip name-server 172.21.1.10
crypto pki <<truncated>>
crypto pki certificate chain TP-self-signed-3077836316
<<truncated>>
quit
username myusername privilege 15 password 0 mypassword2
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key mysharedkey address 216.189.223.aaa
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to216.189.223.bbb
set peer 216.189.223.bbb
set transform-set ESP-3DES-SHA2
match address 100
bridge irb
interface FastEthernet0
spanning-tree portfast
interface FastEthernet1
spanning-tree portfast
interface FastEthernet2
spanning-tree portfast
interface FastEthernet3
spanning-tree portfast
interface FastEthernet4
description $ETH-WAN$
ip address 216.53.254.aaa 255.255.254.0
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1460
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
no shut
interface Vlan1
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
interface BVI1
description Bridge to Internal Network
ip address 172.21.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route 0.0.0.0 0.0.0.0 FastEthernet4
ip route 172.21.1.0 255.255.255.0 BVI1
ip http server
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.21.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.21.1.0 0.0.0.255 172.20.0.0 0.0.15.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.21.1.0 0.0.0.255 172.20.0.0 0.0.15.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.21.1.0 0.0.0.255 172.21.101.0 0.0.0.31
access-list 101 permit ip 172.21.1.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
match ip address 101
control-plane
bridge 1 route ip
banner motd ~This is a private computer system for authorized use only. And Stuff.~
line con 0
password mypassword
no modem enable
line aux 0
line vty 0 4
password mypassword
scheduler max-task-time 5000
end
Note that the above are somewhat stripped-down configs, without firewall or WAN ACL's - interestingly my default WAN-Inbound ACLs seem to break connectivity when included, so I realize I have some more cleanup to do there, but the 2851 LAN bridging seems to be what I should concentrate on first.
I'm still googling some of the particulars with the 2851, but any assistance is appreciated.
Regards,
Ted.
Hi,
First, please delete NAT. If we configured NAT in the RRAS, the source IP address in all packets sent to 192.168.1.0/24 would be translated to 192.168.1.224.
Second, please enable LAN routing in the RRAS server. To enable LAN routing, please follow the steps below:
1. In the RRAS server, open Routing and Remote Access.
2. Right-click the server name, then click Properties.
3. On the General tab, select the IPv4 Router check box, and then click Local area network (LAN) routing only.
Then,announce the 172.16.0.0 network to the router.
To learn more details about enabling LAN routing, please refer to the link below,
http://technet.microsoft.com/en-us/library/dd458974.aspx
Best Regards,
Tina -
Telnet / SSH Software options?
Hello...
After 20 years of using PCs I switched and I'm very happy. I'm figuring most things out easily but cannot find graphical SSH client software.
I can use terminal but what I need is a software package that will store all my server accounts and passwords. Or am I missing something, some way I can do that with the built in terminal combined with the keychain?
On a PC I would use something like SecureCRT.
To reiterate, my main need here is the ability to store a list of servers, ids, and passwords that I connect to telnet (SSH). So I can pick a server and connect without having to lookup the id and password for each server.
Thanks for any guidance.
I'm not sure this is exactly what you're looking for, but I use a program called sshkeychain to store these passwords:
www.sshkeychain.org/ -
anyone know what the average bandwidth for a company based on LAN games and Online games are?
(it could be any game)
what factors must take into account to design a LAN switched network based on hierarchical model?
Cheers
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Joseph, how can I get minimum latency in a LAN as well as no packet loss? With protocols, switches, ... How is packet transmission latency reduced when all of the hosts are connected to access switches at 100 Mbps? Why not 10 or 1000 Mbps?
"... or gig." = 1000 Mbps
Why not 10 Mbps? Because transmission latency, for any size packet, is reduced as bandwidth is increased.
How no packet loss? With sufficient bandwidth so there's little need to queue, and if you do need to queue (which again we want to avoid), sufficient buffering so packets aren't dropped.
On the other hand, imagine for a LAN game you need 1 Mbps bandwidth. There are 4 VLANs (12, 24, 36 and 48 users in each VLAN) and you must use the hierarchical model (access, distribution and core layers) and are just allowed to use VLAN, Trunk, VTP, DTP and Rapid PVST+. How can I reach this amount of bandwidth in the LAN?
Why must you use hierarchical model? Modern data center designs, which are aimed at minimum latency, often no longer use the 3 layer design.
If you have multiple VLANs, and we cannot route, hosts won't be able to contact hosts on other VLANs.
Don't understand your last question. -
WCS Global Telnet/SSH Parameter Change
I have almost 700 Wireless LAN Controllers in my environment, and due to security compliance, I need to update the local administrator account for each one of them. My concern is that when I push a template with a new admin password, WCS will lose Telnet/SSH access to all 700 controllers, because the Telnet/SSH Parameters for each controller are currently set as the local administrator.
Is it possible to update the Telnet/SSH parameters for every WLC? I know it is possible to update them one at a time through Configure > Controller and updating it via the Properties tab, but there doesn't seem to be a way to push a template to WCS itself which would update the telnet/ssh access globally.
The closest thing I can think of is re-adding every single controller via CSV file and changing the Telnet/SSH Parameters that way, but I would need to remove every controller from WCS first, and that's not really an acceptable solution.
I don't know if this is the right answer for you or not :)
1. Choose Configure > Controller Template Launch Pad.
2. Click Local Management Users or choose Management > Local Management Users from the left sidebar menu.
Here create a new template with new username and password (with RW or RO) and apply to all controllers and if you want then delete old user from wlc.
Regards
Don't forget to rate helpful posts -
Applying the below to a Catalyst 3560 switch, I can only telnet/ssh using 10.1.0.1. Host 10.1.0.50 telnet/ssh is blocked.
Please advise.
access-list 101 permit host 10.1.0.1 any eq 22
access-list 101 permit host 10.1.0.1 any eq 23
access-list 101 permit host 10.1.0.50 any eq 22
access-list 101 permit host 10.1.0.50 any eq 22
line vty 0 4
access-class 101 in
Colm
If the first two lines work then I would expect the second two lines to also work. My first thought is that there may be some difference between what is actually configured and what you posted (especially since it is obvious that you just typed in the access list and did not copy it from the device config; the missing TCP parameter in the access list shows that). So copy the access list exactly from the device and post it.
Other possibilities that occur to me:
- is it possible that there is some IP connectivity issue which prevents 10.1.0.50 from connecting (or prevents responses from going back)?
- is it possible that there are interface access lists which prevent the connection?
Collin
While I agree with you that it is generally better to use standard access lists with access-class, I do not believe that changing from extended to standard access list will solve this problem. If the problem were the extended access list then how does 10.1.0.1 work?
HTH
Rick -
My iPhone 5 has frozen during an update and I cannot gain access?
The iPhone has completely frozen mid-update; the screen is black with the white Apple logo and a portion of the update bar showing as downloaded, approximately one quarter.
iPhone support needs the serial number but I cannot gain access to anything. It will not switch off and will not receive any calls either??? Help!
You can use iTunes on your computer to restore your iPhone to factory settings, then install the most recent iOS version > Use iTunes to restore your iOS device to factory settings
-
Transport input telnet ssh help
Hello,
I had two questions about remotely logging in to a switch or router:
1. What is the default setting on a switch or router to accept remote login (i.e., telnet or ssh)?
2. If I configure ... TRANSPORT INPUT TELNET SSH ... which one is the default and accepted first by the switch or router? I know that it will accept both, but I want to know, if I configure both, which one has priority, or which one is accepted first by default, telnet or ssh.
Thanks
1) Default settings on all VTYs are "transport input all" --> all the supported protocols, which includes both telnet and ssh.
2) There is no priority level on which one is accepted first. Basically it just listens on both protocols (telnet - tcp/23 and ssh - tcp/22) for remote management.
Here is the command description for your reference:
http://www.cisco.com/en/US/docs/ios/termserv/command/reference/tsv_s1.html#wp1069219
Hope that helps.
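An added example, not from any of the posters, tying the two vty threads together: a small Python model of how a vty line filters a management session, the transport input list first, then the access-class ACL as first-match with the implicit deny. It parses standard and extended numbered ACL lines, and run over the Catalyst 3560 list as posted (no tcp keyword, fourth line repeating eq 22) it shows that, as typed, 10.1.0.50 has no line for port 23, which is why Rick asks for the list copied from the device. The matching rules (source address plus destination port) are a simplifying assumption, not IOS code.

```python
import ipaddress

# Constructed sample: the vty access list as typed in the Catalyst 3560 post
# (no "tcp" keyword, fourth line repeats "eq 22"). Hypothetical model, not IOS code.
ACL_101 = """
access-list 101 permit host 10.1.0.1 any eq 22
access-list 101 permit host 10.1.0.1 any eq 23
access-list 101 permit host 10.1.0.50 any eq 22
access-list 101 permit host 10.1.0.50 any eq 22
"""
PORTS = {"telnet": 23, "ssh": 22}

def parse_acl(text):
    """Return [(action, source_network, port_or_None)] per numbered
    access-list line, standard or extended; other lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        action, rest = tok[2], tok[3:]
        if rest[0] in ("tcp", "ip"):          # extended form: protocol keyword first
            rest = rest[1:]
        if rest[0] == "host":                  # single source host
            src, rest = ipaddress.ip_network(rest[1]), rest[2:]
        elif rest[0] == "any":
            src, rest = ipaddress.ip_network("0.0.0.0/0"), rest[1:]
        else:                                  # "address wildcard" (standard style)
            addr, wild = rest[0], rest[1] if len(rest) > 1 else "0.0.0.0"
            mask = ".".join(str(255 - int(o)) for o in wild.split("."))
            src, rest = ipaddress.ip_network(f"{addr}/{mask}", strict=False), rest[2:]
        port = int(rest[rest.index("eq") + 1]) if "eq" in rest else None
        entries.append((action, src, port))
    return entries

def vty_permits(acl_text, transport_line, src_ip, proto):
    """True if a vty session from src_ip over proto ("telnet"/"ssh") is accepted:
    transport input filter first, then first matching access-class entry
    (source address and destination port), else the implicit deny."""
    allowed = transport_line.split()[2:]      # e.g. ["telnet", "ssh"] or ["all"]
    if "all" not in allowed and proto not in allowed:
        return False
    for action, net, acl_port in parse_acl(acl_text):
        if ipaddress.ip_address(src_ip) in net and acl_port in (None, PORTS[proto]):
            return action == "permit"
    return False

if __name__ == "__main__":  # as typed, 10.1.0.50 has no line for port 23
    for host in ("10.1.0.1", "10.1.0.50"):
        print(host, {p: vty_permits(ACL_101, "transport input telnet ssh", host, p) for p in PORTS})
```

Swapping in a standard list such as "access-list 10 permit 10.1.0.0 0.0.0.255" shows the source-only match Rick prefers for access-class.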