Limited privilege rights to user on 2900 Series/3500 Series switches

Hi..
I am having about 200 switches in my Campus Area network. Access switches 2950/3524/3548/2924, distribution switches 2912 & core 6506. I want to create a user with limited access to privileged mode for switchport enable or disable. Suggest me a solution for the same.
With regards,
Shailen

Shailen,
You can do it with 2 options:
1. Enable AAA on your switches and have your access control policies defined on your ACS server.
2. Use your switch's local database and define the privilege levels based on the user policies. For setting it up on switches please do the following:
Create a username and password and assign it a level.
conf t
username ABC privilege 5 password ****
privilege exec level 5 show run <- this command will allow the user to only run the "show run" command.
privilege configure level 5 XXXX <--- This command will only allow the following command to be run in global configuration.
privilege interface level 5 XXXX <--- This will allow the command given after the level 5 to be run under the interface.
I would suggest first trying this out in a lab or on a free switch before implementing it, as you need to give a lot of thought to using and running the commands in different modes. Always have another telnet session open to your switches when you implement it so that if you are knocked out of it, you are able to access it and revert the changes.
HTH,
-amit singh
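The full configuration those steps add up to for the original question (an operator who may only look at the running config and shut or re-enable a port), written out here as an added example rather than taken from the reply above or from Cisco's documentation. The username, the secrets, the vty range and the interface names are placeholders; the privilege commands themselves are standard IOS syntax.

```cisco
! Added example, not from the original thread. Level-5 "port operator" on a
! Catalyst 2950/3500 running IOS. Replace the placeholder names and secrets.
configure terminal
 ! Local account pinned to privilege level 5. "secret" stores a hash,
 ! unlike "password", which is reversible.
 username portops privilege 5 secret PLACEHOLDER-USER-SECRET
 ! Lets a level-1 session reach level 5 with "enable 5" if needed.
 enable secret level 5 PLACEHOLDER-LEVEL5-SECRET
 ! Exec mode: view the running config (levels below 15 get a filtered
 ! view) and enter configuration mode.
 privilege exec level 5 show running-config
 privilege exec level 5 configure terminal
 ! Global configuration mode: only "interface ..." is reachable.
 privilege configure level 5 interface
 ! Interface mode: only "shutdown" and "no shutdown".
 privilege interface level 5 shutdown
 ! Make remote logins use the local database.
 line vty 0 15
  login local
 end
! Verify what the account can do: log in as portops, then run
! "show privilege" (should report level 5) and try a command such as
! "show interfaces", which should be rejected.
```

Write the full keyword in privilege statements (show running-config rather than show run); granting a command also grants the parent keywords needed to reach it, which is why configure terminal and interface must be granted explicitly before shutdown becomes usable. Keeping one level-15 session open while testing, as the reply recommends, is the safety net if the level-5 account ends up unable to revert its own changes.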

Similar Messages

  • Psecure violation in 2900 series switch

    Hi,
    could any one plz tell me the reason for pseure violation.
    I'm using a 2924 model switch with ver 12.0(s)wc17, how can I configure errdisable recovery commands in this switch?
    In this switch the errdisable recovery option is available only for "udld" but not for "psecure violation". How can I rectify this psecure violation problem
    in a Cisco 2900 series switch?
    regards,
    rammi

    hi
    By default, when any port security violation happens, the port automatically goes to the shutdown state.
    Here are some examples for configuring port security:
    Switch(config)# interface FastEthernet1/0/1
    Switch(config-if)# switchport access vlan 21
    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport voice vlan 22
    Switch(config-if)# switchport port-security
    Switch(config-if)# switchport port-security maximum 20
    Switch(config-if)# switchport port-security violation restrict
    Switch(config-if)# switchport port-security mac-address sticky
    Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0002
    Switch(config-if)# switchport port-security mac-address 0000.0000.0003
    Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0001 vlan voice
    Switch(config-if)# switchport port-security mac-address 0000.0000.0004 vlan voice
    Switch(config-if)# switchport port-security maximum 10 vlan access
    Switch(config-if)# switchport port-security maximum 10 vlan voice
    regards
    krishna kumar

  • Setting uplink port on Catalyst 2900 series Switch

    Greetings, I'm working on my CCNA and I want to copy down the IOS to my Linux box via TFTP before making any major configuration changes (basically back it up).
    I've noticed I don't have an uplink port on the Switch and not really sure how to go about this.
    Also can I use CAT5 or will I have to use Cross-Over?
    thanks

    [quote]
    As long as the speed and duplex are set to auto then MDI/MDI-X is enabled.
    [/quote]
    I'm not sure how to confirm if MDI/MDI-X is enabled or not on the Switch.
    Forgot to include this other detail.  All of the devices (Linux pc and Cisco Switch) are connected to a Linksys SOHO Router/Switch.  Will this make a difference?  I wouldn't think so as long both devices can ping each other.
    thanks

  • 2900 Series Router - Over 700 failed login attempts - How do I find the source IP?

    There is a 2900 series router, Version 15.0(1)M1, in our company; recently the logs show that there were over 700 failed login attempts to try and gain privilege level 15 access. Is there a way to see the source IP from the host that is attempting the logins?
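    The thread has no answer, so here is an added example (not from the original post or from a Cisco document) of the IOS login-enhancement commands that record the source address of each failed attempt and throttle a brute-force burst. The management subnet, syslog host and ACL name are placeholders.

```cisco
! Added example, not from the original thread. IOS 15.x router.
configure terminal
 ! Hosts that must never be locked out by quiet mode (placeholder subnet).
 ip access-list standard MGMT-ONLY
  permit 10.0.0.0 0.0.0.255
 ! Log every failed login; the %SEC_LOGIN-4-LOGIN_FAILED message
 ! carries the client address in its [Source: a.b.c.d] field.
 login on-failure log
 ! Log successes too, so a success following a burst of failures stands out.
 login on-success log
 ! 5 failures within 60 s -> ignore further logins for 120 s,
 ! except from the ACL above.
 login block-for 120 attempts 5 within 60
 login quiet-mode access-class MGMT-ONLY
 ! Ship the messages off-box so they survive a reload (placeholder host).
 logging host 10.0.0.50
 logging trap informational
 end
! Source addresses of recent failed attempts, kept by the router itself:
show login failures
! Current mode (normal vs. quiet) and the configured thresholds:
show login
```

    Once the messages reach a syslog collector, the [Source: ...] field is what to count per address; the on-box table from show login failures is only a short-lived view and does not replace external logging.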

  • WDJ - Right click- User settings , not working at all times

    We are working on SAP Netweaver 7.4.
    We have developed WDJ applications in PO server and are displaying the application in SAP EP using the remote iview method.
    Our requirement: We need to show the users , right click ->User settings so that they can modify the view.
    Steps taken: The allowuserpersonalisation has been set to True.
    Issue:
    Not all of the remote WDJ application are showing the User settings.
    For e.g: If it is working for WDJ application A, it is not working for WDJ application B.
    Here is where it gets more confusing !!!:
    If role A contains WDJ application A and role B contains WDJ application B.
    then:
    1) if WDJ application B is assigned to the role A, then the User settings start working for it
    2) if WDJ application A is assigned to the role B, then the User settings still work for it
    3) if WDJ application B is assigned to the role C, then the User settings do not work.
    Can anyone please help?

    Hi,
    normal right mouseclick is disabled as of 710 I guess, I assume you mean the ctrl+alt+right mouse click, right?
    Also, I am not sure I fully understand your A-B-C example. Can you please elaborate on it in a less abstract way? Can you show concrete examples of what is not working regarding the end-user personalization? Are all WD Java applications running in a non-standalone way when you test end-user personalization?
    Cheers,
    Ervin

  • Limited privileges for ReSA users

    Hi Experts,
    Can someone help me create users in Oracle Retail Sales Audit, granting limited privileges to RMS users so that they can only access Sales Audit? Or what script shall I use
    to grant limited privileges to roles like Manager and Accounting Clerk?
    Thanks,
    Jeremy

    You may be able to do things with a script.
    Typical "Changing the EUL tables is a risky thing and could cause all sorts of problems..." disclaimers apply.
    I'm not sure how things work with responsibilities, but here's how they work for users.
    The query governor restrictions are stored in the EUL5EUL_USERS table. The "Warn user if predicted time exceeds..." value is stored in the EU_QUERY_EST_LMT column. The "Prevent queries from running longer than..." value is stored in the EU_QUERY_TIME_LMT column. The "Limit retrieved data to..." value is stored in the EU_ROW_FETCH_LIMIT column.
    You should be able to update these values with a simple update statement. Setting the values to 0 essentially acts as if there is no limit.

  • Definer rights vs. user rights

    I must be having a senior moment .... ;-)
    Trying to demo definer rights vs. user rights on execution of a procedure.. With apologies to Daniel, I created this test, and then in trying to find the answer to my question I found his nearly identical example at psoug.
    SQL> --
    SQL> conn system/halftrack@vmora01
    Connected.
    SQL> drop user bert cascade;
    User dropped.
    SQL> drop user ernie cascade;
    User dropped.
    SQL> drop role ernies_role;
    Role dropped.
    SQL> --
    SQL> create user bert identified by bert
      2  default tablespace users
      3  temporary tablespace temp
      4  quota 10m on users;
    User created.
    SQL> --
    SQL> grant create session, create table, create procedure to bert;
    Grant succeeded.
    SQL> --
    SQL> create table bert.berts_table (empid varchar2(15));
    Table created.
    SQL> --
    SQL> CREATE OR REPLACE PROCEDURE bert.user_test  AUTHID current_user IS
      2  v_empcnt number;
      3  BEGIN
      4   select count(*)
      5   into v_empcnt
      6   from bert.berts_table;
      7  END user_test;
      8  /
    Procedure created.
    SQL> --
    SQL> CREATE OR REPLACE PROCEDURE bert.definer_test  AUTHID DEFINER IS
      2  v_empcnt number;
      3  BEGIN
      4   select count(*)
      5   into v_empcnt
      6   from bert.berts_table;
      7  END definer_test;
      8  /
    Procedure created.
    SQL> --
    SQL> create user ernie identified by ernie
      2  default tablespace users
      3  temporary tablespace temp
      4  quota 10m on users;
    User created.
    SQL> --
    SQL> create role ernies_role;
    Role created.
    SQL> --
    SQL> grant create session to ernies_role;
    Grant succeeded.
    SQL> grant select on bert.berts_table to ernies_role;
    Grant succeeded.
    SQL> grant execute on bert.definer_test to ernies_role;
    Grant succeeded.
    SQL> grant execute on bert.user_test to ernies_role;
    Grant succeeded.
    SQL> grant ernies_role to ernie;
    Grant succeeded.
    SQL> --
    SQL> conn ernie/ernie@vmora01
    Connected.
    SQL> --
    SQL> -- this should succeed
    SQL> --
    SQL> execute bert.user_test;
    PL/SQL procedure successfully completed.
    SQL> --
    SQL> -- this should fail --
    SQL> --
    SQL> execute bert.definer_test;
    PL/SQL procedure successfully completed.
    SQL> spo off
    Ok, the only rights ernie has are via ernies_role. So I would expect his execution of bert.definer_test to fail, but it didn't.

    mbobak wrote:
    Hi Ed,
    In the definer rights case, as long as ernie can execute the procedure owned by bert, he'll be able to successfully execute it, cause definer rights mean that the object (owned/defined by bert) executes w/ bert's rights, and the only object access in the procedure is on bert's objects. So, no problem there.
    In the invoker rights case, it works cause even though the proc is owned by bert, ernie is executing and so, rights have to be granted to ernie, and they are.
    I don't see a problem in either case. Am I missing something?
    My guess is, what you're overlooking is the fact that, in the case of invokers rights, it's ok for necessary privileges to be granted via a role. The restriction against roles, is only on a definers rights procedure.
    -Mark
    PS See here for more info:
    http://download.oracle.com/docs/cd/E11882_01/network.112/e10574/authorization.htm#DBSEG50010
    Ok, as I read the explanation in the linked reference, that makes sense. So now I'm having a hard time imagining the situation where inheriting privs via a role comes into play as a problem in dealing with pl/sql blocks.

  • Does Cisco 2900 series support any HWIC-AP module?

    Hi Everybody:
    I would like to deploy a Cisco 2911 router with a built-in AP feature. I found that there are some HWIC-AP modules but they are only supported by ISR G1 series routers. Is there any option to do this for ISR G2 routers?
    Thanks!!

    Do you have a computer plugged into the back of the phone?  I assume so ... but figured I would ask.  If not, then simply placing the port into the correct vlan is all that is needed.
    Any chance you would consider our SPA500 series phones instead?  As these phones support CDP for vlan and poe assignments.  Humm ... I know this is not exactly the answer you are looking for, but with the ESW series switches, we are a bit limited.
    If the computers plug into the phones, can you have the computers and phones on the same VLANs? The default QoS config settings give more preference to higher DSCP values.
    HTH,
    Andrew

  • All possible alarms from Cisco VG 202, 204 and ISR G2 2900 Series Routers

    Hello,
    I am working on a project that involves integrating Cisco Voice Gateways and ISR G2 routers to our NetCool NMS. The project team wanted a list of all possible alarms that could be generated by these Voice Gateways and ISR 2900 series routers.
    Does anyone know somewhere I can get a list of these alarms?

    This issue is now resolved.  Removing the codec entries under DSPFarm and replacing them fixed things. I'd done this in the past so I'm not sure why it worked this time around.  Anyway, here's the final config section that is allowing video sessions to operate (loudest speaker mode) between three or more video phones:
    saccavgw01#sh run | s dsp
    voice-service dsp-reservation 0
    dspfarm
    dsp services dspfarm
    dspfarm profile 1 conference video homogeneous 
    codec g729ar8
    codec g722-64
    codec g711ulaw
    codec h264 cif frame-rate 30 bitrate 320kbps
    maximum conference-participants 8
    maximum sessions 8
    associate application SCCP

  • Can I set up a community limited to certain iPAD users on this discussion site?

    Can I set up a community ---limited to certain iPAD users ---on this discussion site?

    No. Users cannot set up private forums here. If you need a private area, you'll need to find some other web site to host it.
    Regards.

  • Re:Can't able to access shared folders from different VLANs in SG300 series switches

    Hi All,
    I supplied 3 SG300 series switches for the sole reason of having inter-VLAN routing. I created 4 VLANs in the switches and made one switch a Layer 3 switch and the other 2 Layer 2 switches. Inter-VLAN routing is working fine. I am able to ping PCs from different VLANs. But I am not able to access shared folders. The customer has a Windows 2003 Server installed and it is in VLAN 1. There are some folders created on this server and it is very important for users to have access to the folders. Also, I am not able to access shared folders in other VLANs. I have created a case with Cisco small business and I got a reply saying that the switches will not support the shared folder feature, which I think is not real. I am having a very hard time implementing this solution in the network. I have a Sonicwall firewall after the core switch which is connected to the ISP.
    ISP<----->Sonicwall FW<----->Core Switch<------>Layer 2 switch<------>Layer 2 switch
    Kindly help me out to resolve this issue.
    Regards,
    Prashant K

    Hi Prashant,
    I think you're running into a Windows firewall issue. SMB file sharing, by default I believe, is only allowed on your local subnet. Please try disabling windows firewall on the computer hosting the shared folder, then see if you can access the shared file.
    Best,
    David
    PS: It looks like this post got published twice. You can delete the other one using the task bar on the right.
    Please remember to rate helpful responses and identify correct answers.

  • Ask the Expert: Cisco Nexus 2000, 5000, and 6000 Series Switches

    with Cisco Expert Vinayak Sudame
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to configure and troubleshoot the Cisco Nexus 2000, 5000 and 6000 Series Switches with Cisco subject matter expert Vinayak Sudame. You can ask any question on configuration, troubleshooting, features, design and Fiber Channel over Ethernet (FCoE).
    Vinayak Sudame is a Technical Lead in the Data Center Switching Support Team within Cisco's Technical Services in RTP, North Carolina. His current responsibilities include but are not limited to troubleshooting technical support problems and escalations in the areas of Nexus 5000, Nexus 2000 and FCoE. Vinayak is also involved in developing technical content for Cisco internal as well as external use, e.g., the Nexus 5000 Troubleshooting Guide (CCO), the Nexus 5000 portal (partners), etc. This involves cross-team collaboration and working with multiple different teams within Cisco. Vinayak has also contributed to training account teams and partners in the CAE (Customer Assurance Engineering) bootcamp dealing with Nexus 5000 technologies. In the past, Vinayak's responsibilities included supporting the MDS platform (Fiber Channel technologies) and working with EMC support on escalated MDS cases. Vinayak was the Subject Matter Expert for Santap Technologies before moving to Nexus 5000 support. Vinayak holds a Masters in Electrical Engineering with Specialization in Networking from Wichita State University, Kansas. He also holds the Cisco Certification CCIE (#20672) in Routing and Switching.
    Remember to use the rating system to let Vinayak know if you have received an adequate response.
    Vinayak might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Data Center sub-community, Other Data Center Topics discussion forum shortly after the event.
    This event lasts through Friday July 12, 2013. Visit the community often to view responses to your questions and the questions of other community members.

    Hi Vinayak,
    Output of "show cfs internal ethernet-peer database"
    Switch 1
    ETH Fabric
    Switch WWN              logical-if_index
    20:00:54:7f:ee:b7:c2:80 [Local]
    20:00:54:7f:ee:b6:3f:80 16000005
    Total number of entries = 2
    Switch 2
    ETH Fabric
    Switch WWN              logical-if_index
    20:00:54:7f:ee:b6:3f:80 [Local]
    20:00:54:7f:ee:b7:c2:80 16000005
    Total number of entries = 2
    Output of "show system internal csm info trace"
    Switch 1 in which "show cfs peers" show proper output
    Mon Jul  1 05:46:19.145339  (CSM_T) csm_sp_buf_cmd_tbl_expand_range(8604): No range command in buf_cmd_tbl.
    Mon Jul  1 05:46:19.145280  (CSM_T) csm_set_sync_status(6257): Peer RT status PSSed
    Mon Jul  1 05:46:19.145188  (CSM_T) csm_sp_handle_local_verify_commit(4291):
    Mon Jul  1 05:46:19.145131  csm_continue_verify_ac[597]: peer is not reachable over CFS so continuing with local verify/commit
    Mon Jul  1 05:46:19.145071  csm_tl_lock(766): Peer information not found for IP address: '172.16.1.54'
    Mon Jul  1 05:46:19.145011  csm_tl_lock(737):
    Mon Jul  1 05:46:19.144955  (CSM_EV) csm_sp_build_tl_lock_req_n_send(941): sending lock-request for CONF_SYNC_TL_SESSION_TYPE_VERIFY subtype 0 to Peer ip = (172.16.1.54)
    Mon Jul  1 05:46:19.143819  (CSM_T) csm_copy_image_and_internal_versions(788): sw_img_ver: 5.2(1)N1(2a), int_rev: 1
    Mon Jul  1 05:46:19.143761  (CSM_T) csm_sp_get_peer_sync_rev(329): found the peer with address=172.16.1.54 and sync_rev=78
    Mon Jul  1 05:46:19.143699  (CSM_T) csm_sp_get_peer_sync_rev(315):
    Mon Jul  1 05:46:19.143641  (CSM_EV) csm_sp_build_tl_lock_req_n_send(838): Entered fn
    Mon Jul  1 05:46:19.143582  (CSM_T) csm_set_sync_status(6257): Peer RT status PSSed
    Switch 2 in which "show cfs peers" does not show proper output
    Mon Jul  1 06:13:11.885354  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport mode trunk, cmd pseq 77 seq 482
    Mon Jul  1 06:13:11.884992  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd channel-group 51 mode active, cmd pseq 357 seq 369
    Mon Jul  1 06:13:11.884932  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport trunk allowed vlan 2, 11, cmd pseq 357 seq 368
    Mon Jul  1 06:13:11.884872  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport mode trunk, cmd pseq 357 seq 367
    Mon Jul  1 06:13:11.884811  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd description process_vpc, cmd pseq 357 seq 366
    Mon Jul  1 06:13:11.884750  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd channel-group 51 mode active, cmd pseq 352 seq 365
    Mon Jul  1 06:13:11.884690  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport trunk allowed vlan 2, 11, cmd pseq 352 seq 364
    Mon Jul  1 06:13:11.884630  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd switchport mode trunk, cmd pseq 352 seq 363
    Mon Jul  1 06:13:11.884568  (CSM_ERR) csm_pss_cmd_tree_walk_cb(2057): Parent command not found for cmd description process_vpc, cmd pseq 352 seq 362
    Mon Jul  1 06:13:11.884207  (CSM_EV) csm_sp_acfg_gen_handler(3011):  Preparing config into /tmp/csm_sp_acfg_1733916569.txt
    Mon Jul  1 06:13:11.878695  csm_get_locked_ssn_ctxt[539]: Lock not yet taken.
    Mon Jul  1 06:13:11.878638  (CSM_EV) csm_sp_acfg_gen_handler(2937): Recieved sp acfg merge request for type: running cfg
    Mon Jul  1 06:12:29.527840  (CSM_T) csm_pss_del_seq_tbl(1989): Freeing seq tbl data
    Mon Jul  1 06:12:29.513255  (CSM_T) csm_sp_acfg_gen_handler(3106): Done acfg file write
    Mon Jul  1 06:12:29.513179  (CSM_EV) csm_sp_acfg_gen_handler(3011):  Preparing config into /tmp/csm_sp_acfg_1733911262.txt
    Mon Jul  1 06:12:29.508859  csm_get_locked_ssn_ctxt[539]: Lock not yet taken.
    Mon Jul  1 06:12:29.508803  (CSM_EV) csm_sp_acfg_gen_handler(2937): Recieved sp acfg merge request for type: running cfg
    Mon Jul  1 05:53:17.651236  Collecting peer info
    Mon Jul  1 05:53:17.651181  Failed to get the argumentvalue for 'ip-address'
    Mon Jul  1 05:40:59.262736  DB Unlocked Successfully
    Mon Jul  1 05:40:59.262654  Unlocking DB, Lock Owner Details:Client:1 ID:1
    Mon Jul  1 05:40:59.262570  (CSM_T) csm_sp_del_buf_cmd(1713): Deleting comand with Id = 1
    Mon Jul  1 05:40:59.262513  DB Lock Successful by Client:1 ID:1
    Mon Jul  1 05:40:59.262435  Recieved lock request by Client:1 ID:1
    Mon Jul  1 05:40:41.741224  ssnmgr_ssn_handle_create_get: Session FSM already present, ID:1
    Mon Jul  1 05:40:41.741167  ssnmgr_handle_mgmt_request: Create/Get request received for session[process_n5kprof]
    show cfs lock gives no output.
    Just to further clarify, we have 4 5548UP switches in the same management VLAN. 2 switches are in one location, let's say location A; they are CFS peers and are working fine.
    The two switches which are having the problem are in location B. All the switches are in the same VLAN. Essentially all CFS multicast messages will be seen by all 5548 switches as they are in the same VLAN. I am assuming that this might not create any problems as we specify the peers in the respective configurations. Or do we have to change the CFSoIPv4 multicast addresses in location B, or maybe configure a different region?
    Regards.

  • Ask the Expert: Different Flavors and Design with vPC on Cisco Nexus 5000 Series Switches

    Welcome to the Cisco® Support Community Ask the Expert conversation.  This is an opportunity to learn and ask questions about Cisco® NX-OS.
    The biggest limitation to a classic port channel communication is that the port channel operates only between two devices. To overcome this limitation, Cisco NX-OS has a technology called virtual port channel (vPC). A pair of switches acting as a vPC peer endpoint looks like a single logical entity to port channel attached devices. The two devices that act as the logical port channel endpoint are actually two separate devices. This setup has the benefits of hardware redundancy combined with the benefits offered by a port channel, for example, loop management.
    vPC technology is the main factor for success of Cisco Nexus® data center switches such as the Cisco Nexus 5000 Series, Nexus 7000 Series, and Nexus 2000 Series Switches.
    This event is focused on discussing all possible types of vPC along with best practices, failure scenarios, Cisco Technical Assistance Center (TAC) recommendations and troubleshooting.
    Vishal Mehta is a customer support engineer for the Cisco Data Center Server Virtualization Technical Assistance Center (TAC) team based in San Jose, California. He has been working in TAC for the past 3 years with a primary focus on data center technologies, such as the Cisco Nexus 5000 Series Switches, Cisco Unified Computing System™ (Cisco UCS®), Cisco Nexus 1000V Switch, and virtualization. He presented at Cisco Live in Orlando 2013 and will present at Cisco Live Milan 2014 (BRKCOM-3003, BRKDCT-3444, and LABDCT-2333). He holds a master’s degree from Rutgers University in electrical and computer engineering and has CCIE® certification (number 37139) in routing and switching, and service provider.
    Nimit Pathak is a customer support engineer for the Cisco Data Center Server Virtualization TAC team based in San Jose, California, with a primary focus on data center technologies, such as Cisco UCS, the Cisco Nexus 1000v Switch, and virtualization. Nimit holds a master's degree in electrical engineering from Bridgeport University and has CCNA® and CCNP® certifications. Nimit is also working on a Cisco data center CCIE® certification while also pursuing an MBA degree from Santa Clara University.
    Remember to use the rating system to let Vishal and Nimit know if you have received an adequate response. 
    Because of the volume expected during this event, Vishal and Nimit might not be able to answer every question. Remember that you can continue the conversation in the Network Infrastructure Community, under the subcommunity LAN, Switching & Routing, shortly after the event. This event lasts through August 29, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Hello Gustavo
    Please see my responses to your questions:
    Yes almost all routing protocols use Multicast to establish adjacencies. We are dealing with two different type of traffic –Control Plane and Data Plane.
    Control Plane: To establish Routing adjacency, the first packet (hello) is punted to CPU. So in the case of triangle routed VPC topology as specified on the Operations Guide Link, multicast for routing adjacencies will work. The hellos packets will be exchanged across all 3 routers and adjacency will be formed over VPC links
    http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/operations/n5k_L3_w_vpc_5500platform.html#wp999181
    Now for Data Plane we have two types of traffic – Unicast and Multicast.
    The Unicast traffic will not have any forwarding issues, but because the Layer 3 ECMP and port channel run independent hash calculations there is a possibility that the Layer 3 ECMP chooses N5k-1 as the Layer 3 next hop for a destination address while the port channel hashing chooses the physical link toward N5k-2. In this scenario, N5k-2 receives packets from R with the N5k-1 MAC as the destination MAC.
    Sending traffic over the peer-link to the correct gateway is acceptable for data forwarding, but it is suboptimal because it makes traffic cross the peer link when the traffic could be routed directly.
    For that topology, Multicast Traffic might have complete traffic loss due to the fact that when a PIM router is connected to Cisco Nexus 5500 Platform switches in a vPC topology, the PIM join messages are received only by one switch. The multicast data might be received by the other switch.
    The loop avoidance works a little differently across Nexus 5000 and Nexus 7000.
    Similarity: For both products, loop avoidance is possible due to VSL bit
    The VSL bit is set in the DBUS header internal to the Nexus.
    It is not something that is set in the ethernet packet that can be identified. The VSL bit is set on the port asic for the port used for the vPC peer link, so if you have Nexus A and Nexus B configured for vPC and a packet leaves Nexus A towards Nexus B, Nexus B will set the VSL bit on the ingress port ASIC. This is not something that would traverse the peer link.
    This mechanism is used for loop prevention within the chassis.
    The idea being that if the port came in the peer link from the vPC peer, the system makes the assumption that the vPC peer would have forwarded this packet out the vPC-enabled port-channels towards the end device, so the egress vpc interface's port-asic will filter the packet on egress.
    Differences:  In Nexus 5000 when it has to do L3-to-L2 lookup for forwarding traffic, the VSL bit is cleared and so the traffic is not dropped as compared to Nexus 7000 and Nexus 3000.
    It still does loop prevention but the L3-to-L2 lookup is different in Nexus 5000 and Nexus 7000.
    For more details please see below presentation:
    https://supportforums.cisco.com/sites/default/files/session_14-_nexus.pdf
    DCI Scenario:  If 2 pairs are of Nexus 5000 then separation of L3/L2 links is not needed.
    But in most scenarios I have seen pair of Nexus 5000 with pair of Nexus 7000 over DCI or 2 pairs of Nexus 7000 over DCI. If Nexus 7000 are used then L3 and L2 links are required for sure as mentioned on above presentation link.
    Let us know if you have further questions.
    Thanks,
    Vishal

  • SSH on SG200 series switches

    Community,
    Can someone tell me what the intention behind adding SSH to the SG200 series switches was. Is it to allow SCP copies to and from the switch for configuration and firmware updates, OR is it to allow CLI access to the switches?
    I have tried to SSH to the switch using PuTTY from Windows and native SSH from Linux/Unix clients, but nothing happens.
    Is there some other area of configuration to enable communication via SSH?
    Thanks.

    Hi, any access feature would be under security -> tcp/udp services
    SSH, telnet, etc is not included there.
    The only SG200 switch which supports a CLI is the SG200E models (which has supported CLI for as long as I can remember , at least 2 yrs).
    Please reference the documentation, Chapter 18 start page 276.
    http://www.cisco.com/en/US/docs/switches/lan/csbss/sf20x_sg20x/administration_guide/78-21139.pdf
    As far as I can tell this is for things like Secure Copy.
    There is also CLI information in chapter 19, here's the excerpt. This is in context with SSD.
    The Menu CLI interface is only allowed to users if their read permissions are Both
    or Plaintext Only. Other users are rejected. Sensitive data in the Menu CLI is always
    displayed as plaintext.
    Password recovery is currently activated from the boot menu and allows the user
    to log on to the terminal without authentication. If SSD is supported, this option is
    only permitted if the local passphrase is identical to the default passphrase. If a
    device is configured with a user-defined passphrase, the user is unable to activate
    password recovery.
    -Tom
    Please mark answered for helpful posts

  • Increasing TFTP block size for 2960 series switches

    I have read that some Cisco components can increase the default TFTP block size to values greater than 512 bytes by using the command -
    ip tftp blocksize xxxx
    This doesn't seem to be available on Cisco 2960 series switches. Is there a way to do this with the 2960's?

    I have moved a WS-C2960-24LC-S running LanLite to 12.2(55)SE9 - the current end of the line for this switch - and indeed the command is not present. Sooo....this appears to be a limitation of LanLite.
    My predecessor implemented about 70 switches with LanLite. I put a stop to this about a year ago but it is going to take some time to flush them out of the inventory.
    Thanks for your response.
