SBR and cisco routers/switches
Hi all,
I have a Juniper SBR and a large number of Cisco devices as RAS/NAS.
I would like the level 1 team to have just a read-only profile,
and the level 2 team to have read and write access. I guess to accomplish this on a non-Cisco AAA product:
1) Do I need to download the Cisco RADIUS attribute dictionary file? If yes, where is the download link?
2) As the user profiles are basic ones, there should be a standard attribute which has this feature. In case this is true, which IETF attribute can I use?
3) What are VSAs? Do Cisco VSAs help me in accomplishing my goals with SBR?
4) If I get the above answers I can move in the right direction, accomplishing the same with firewall vendor A, SSL VPN vendor B, WiFi controller vendor C, DSLAM vendor E ....
Any response will be much appreciated.
I have a 3750X and an SG300 trunked together and they are both running RSTP.
I set my 3750X to rapid-pvst
I set my SG300 to rstp
A "show spanning" on both devices yields: "Spanning tree enabled protocol rstp".
Both seem to be communicating STP fine.
Similar Messages
-
Can Cisco Routers, Switches, or Firewalls run AV?
Can anyone point me to a document or official statement from Cisco stating that their routers, switches, and firewalls are not capable of running Anti-Virus/Anti-Malware to protect their IOS? NERC CIP standards require that all devices contained within the Electronic Security Perimeter run Anti-Virus/Anti-Malware software "where technically feasible", if the devices cannot run AV/AM you have to submit a "Technical Feasibility Exception"....done that...now they want proof that Cisco devices (routers, switches, firewalls) are not capable of running AV/AM to protect their IOS. Please don't confuse this with all of the offering that Cisco has to protect end-user devices...this applies only to the routers, switches, and firewalls.
Any answers would be greatly appreciated, even comments from others dealing with this issue.
A couple of years ago in a conference there was a presentation that claimed to install a rootkit to Cisco IOS devices.
Here is the response from Cisco http://www.cisco.com/warp/public/707/cisco-sr-20080516-rootkits.shtml
That is the closest I can think of that could help you.
PK -
Remote Command Tool for Cisco Routers/Switches
Is anyone aware of any tools or scripts out there which allow preconfigured commands to be remotely run against Cisco routers/switches and display the output result?
I'm looking for a tool which I can give our Service Desk personnel that will allow them to select from a list of commands, enter a target IP address of a router/switch, and then the tool will display the VLAN table or the running config of a particular switch port so they can see if it's configured on the correct data VLAN or it's missing its voice VLAN etc.
For example, a Service Desk Operator needs to check what VLAN a switch port is on. So they open the tool, enter the switch's IP address and the port number and select an option like "display a switch port's VLAN", and the tool will log into the switch in the background, run a show command on the switch and then output the result.
Thanks.
Check out rConfig. You will be able to run multiple instances of it, i.e. one instance for your standard configuration backups and another for more specific configuration downloads, like show vlan bri commands etc., for service desk staff to view.
You could also use the IOS menu function and create menus or role based access on each of your devices for your users.
Regards
Stephen
==========================
http://www.rConfig.com
A free, open source network device configuration management tool, customizable to your needs!
Emergency Responder and Cisco 3850 Switches
I'm running Cisco ER V8.5, and recently installed new Cisco 3850 switches. All the phones connected to the 3850 switches show an "unlocated" status. I've checked the hardware compatibility matrix for ER V8.5 and the 3850 is not on it.
What are my options for locating these phones in ER and assigning them to an ERL? Manually defining the phones? Is there a patch or update to ER V8.5 that would make a 3850 compatible?
I haven't used the 3850s with ER yet so can't speak to that specifically, but generally speaking you have more flexibility using location by subnets vs switches. Scalability-wise, you can add way more subnets than switches. There's more going on under the hood if you're locating by switches so the process overhead is greater.
The only downside with using subnets is if you need to get more granular with your locations than your deployed subnets allow (ie a single voice subnet for an entire building but you need to define and assign locations at the floor level). As long as you've been a little forward thinking on the route/switch side, you'll be fine.
hope that helps,
will -
AAA and Cisco MDS switches.........
have configured Cisco ACS 4.0 (TACACS) with Windows AD for all Cisco MDS switches and it is working fine. But local "admin" access to the Cisco MDS switches via telnet is not working. At the same time , if I create a user with "network-admin" role locally, that works but not the default admin user.
Could anyone help me in this regard.local. Below is the script I used to configure TACACS (Cisco ACS 4.0) on Cisco MDS switches.
config t
# Enable TACACS+
tacacs+ enable
tacacs-server host nnn.nnn.nnn.nnn key 0 xxxxxx
tacacs-server host mmm.mmm.mmm.mmm key 0 xxxxx
# Specify TACACS+ Server groups
aaa group server tacacs+ tacgrp
server nnn.nnn.nnn.nnn
server mmm.mmm.mmm.mmm
aaa authentication login default group tacgrp
aaa authentication login console local
# Enable TACACS+ Accounting
aaa accounting default group tacgrp local
end
copy running-config startup-config
Thanks
MOhan -
Difference between setting up a vpn with windows 7 and cisco routers
Hi. I was wondering what the main difference is between setting up a VPN with Windows 7 or configuring it on Cisco routers.
When you set up the VPN on Windows 7 or XP, do the client and server PCs take care of the encryption and decryption, whereas when configuring a VPN on routers, the encryption and decryption is done solely by the routers?
If I want to set up a connection where an IP in the same internal LAN is assigned to the client PC, I'm guessing I'd have to use a router configuration.
Thanks
Thank you for the response, lucky for me there was another option. Threatened to cancel with the ISP on the NAT side unless they assigned us a public static IP/gateway/subnet. They ended up doing that and the VPN connected as soon as the changes were made in the Linksys.
-
Ericsson MD110 and Cisco routers ISDN PRI Q-Sig
Anybody has experience with MD110 and Cisco integration using ISDN PRI Q-Sig... Have problems with "idle-busy" channels on MD110. It looks like PBX does not recognize disconnect signal coming from the router.
Tks
Brani
MC,
Ericsson MD110, BC12 SP7
ROUTE CATEGORY DATA
ROU SEL TRM SERV NODG DIST DISL TRAF SIG BCAP
175 0110017500000010 5 3110000000 0 30 128 00080812 511110120031 111111
157 0110017500000010 5 3110000000 0 30 128 00080812 511110120031 111111
END
ROUTE DATA
ROU TYPE VARC VARI VARO FILTER
175 SL60 H'00000310 H'15420000 H'46300000 NO
157 SL60 H'00000310 H'15420000 H'46300000 NO
END
EXTERNAL DESTINATION ROUTE DATA
DEST DRN ROU CHO CUST ADC TRC SRT NUMACK PRE
175 175 1606100000000250006000000 0 1 0
157 1 2606100000000250006000000 0 1 0
END
Cisco IOS 12.3-3 (c2600-jsx-mz.123-3.bin)
Cisco config attached.....
Our serial links are satellite based so min delay is about 500ms
Tks
Brani -
Having a problem with PEAP and Cisco 2960 Switch
Hi All,
I am attempting to use PEAP with an LDAP backend on FreeRadius with the MS Supplicant. I have it all working; in debug on the Radius server I see it sending all the information, the tunnel, medium etc., but with PEAP the Cisco switch is not changing VLANs. If I install the Cisco or Juniper client it works just fine if I use eap-mschapv2, but peap-mschapv2 does not switch the port to the right VLAN. Is there something extra on the switch I need to do to allow PEAP or is there something on the FreeRadius?
The only difference between the PEAP and EAP versions that I can tell is that the PEAP authenticates and the information is sent once (according to the debug on the Radius server), whereas with the EAP the connection information is sent several times, that is, I will see the Tunnel and medium info sent more than once in the Radius log for just one login.
Any ideas?
Thought I mentioned the client in the first post, I am using the 3 different types of clients with a goal of getting the MS client to work. I am using the Juniper Odyssey client, Cisco CSSC client and the MS built-in client. I mentioned the EAP-MSChapV2 because I tested that login so I could compare the Radius output with that of PEAP-MSChapV2. I did not release logs from the Radius server because it seems to be centered with something on the switch changing VLANs, but if you want output I can give that.
CSSC Client pops out:
14:25:08.453 Network Connection requested from user context.
14:25:08.468 Connection authentication started using the logged in user's credentials.
14:25:08.468 Port state transition to AC_PORT_STATE_CONNECTING(AC_PORT_STATUS_STARTED)
14:25:08.796 Port state transition to AC_PORT_STATE_UNAUTHENTICATED(AC_PORT_STATUS_8021x_FORCED_UNAUTH)
14:25:09.828 Port state transition to AC_PORT_STATE_AUTHENTICATING(AC_PORT_STATUS_8021x_ACQUIRED)
14:25:09.843 Identity has been requested from the network.
14:25:09.875 Identity has been sent to the network.
14:25:09.890 Authentication started using method type EAP-PEAP, level 0
14:25:09.890 The server has requested using authentication type: EAP-PEAP
14:25:09.890 The client has requested using authentication type: EAP-PEAP
14:25:09.968 Profile does not require server validation.
14:25:10.031 Identity has been requested from the network.
14:25:10.031 Identity has been sent to the network.
14:25:10.046 Authentication started using method type EAP-MSCHAP-V2, level 1
14:25:10.046 The server has requested using authentication type: EAP-MSCHAP-V2
14:25:10.046 The client has requested using authentication type: EAP-MSCHAP-V2
14:25:10.078 Port state transition to AC_PORT_STATE_AUTHENTICATED(AC_PORT_STATUS_EAP_SUCCESS)
14:25:10.078 The authentication process has succeeded.
*************************Radius Output for PEAP:**************************
[ldap] user RadiusUser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.7 seconds.
Waking up in 0.7 seconds.
Waking up in 0.1 seconds.
Waking up in 3.7 seconds.
Waking up in 0.1 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
[ldap] performing user authorization for anonymous
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: object not found or got ambiguous search result
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Waking up in 0.9 seconds.
Waking up in 0.9 seconds.
Waking up in 0.9 seconds.
Waking up in 0.8 seconds.
Waking up in 0.8 seconds.
Waking up in 0.8 seconds.
[ldap] performing user authorization for RadiusUser
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user RadiusUser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.8 seconds.
[ldap] performing user authorization for RadiusUser
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user RadiusUser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.8 seconds.
[ldap] performing user authorization for RadiusUser
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user RadiusUser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.8 seconds.
Waking up in 0.7 seconds.
Waking up in 3.7 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
Ready to process requests.
**************************Radius output for EAP******************************
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.7 seconds.
Waking up in 0.7 seconds.
Waking up in 0.1 seconds.
Waking up in 3.7 seconds.
Waking up in 0.1 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
[ldap] performing user authorization for Radiususer
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.9 seconds.
[ldap] performing user authorization for Radiususer
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.9 seconds.
[ldap] performing user authorization for Radiususer
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.9 seconds.
[ldap] performing user authorization for Radiususer
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.9 seconds.
Waking up in 3.9 seconds.
Ready to process requests.
Hope that Helps. -
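A way to read the rlm_ldap debug output above systematically, as an added example that is not part of the original post: it groups the lines per directory lookup, separates check items (`==`) from reply items (`=`), and reports whether the reply items carry the three attributes used for 802.1X VLAN assignment (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id). The function names and the sample log, including the user `CheckOnlyUser`, are constructed for illustration.

```python
import re

# Constructed sample, modelled on the rlm_ldap debug lines quoted in the post.
# "CheckOnlyUser" is an invented entry showing a lookup with incomplete reply items.
SAMPLE_LOG = """\
[ldap] performing user authorization for anonymous
rlm_ldap: object not found or got ambiguous search result
[ldap] search failed
[ldap] performing user authorization for RadiusUser
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user RadiusUser authorized to use remote access
[ldap] performing user authorization for CheckOnlyUser
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
[ldap] user CheckOnlyUser authorized to use remote access
"""

# Reply attributes needed for VLAN assignment; None means any non-empty value.
REQUIRED = {
    "Tunnel-Type": "VLAN",
    "Tunnel-Medium-Type": "IEEE-802",
    "Tunnel-Private-Group-Id": None,
}

START = re.compile(r"^\[ldap\] performing user authorization for (\S+)")
# e.g. rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
ITEM = re.compile(r"^rlm_ldap: \S+ -> ([A-Za-z0-9-]+)(?::\d+)? (==|=) (.+)$")


def parse_ldap_lookups(log_text):
    """Return one dict per '[ldap] performing user authorization' block."""
    lookups, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = START.match(line)
        if m:
            current = {"user": m.group(1), "found": True, "check": {}, "reply": {}}
            lookups.append(current)
            continue
        if current is None:
            continue  # noise before the first lookup
        if line == "[ldap] search failed":
            current["found"] = False
            continue
        m = ITEM.match(line)
        if m:
            name, op, value = m.groups()
            # '==' marks a check item, '=' a reply item
            bucket = "check" if op == "==" else "reply"
            current[bucket][name] = value.strip('"')
    return lookups


def vlan_reply_problems(lookup):
    """List what is missing or wrong in the reply items of one lookup."""
    if not lookup["found"]:
        return ["no directory entry for this identity"]
    problems = []
    for attr, expected in REQUIRED.items():
        got = lookup["reply"].get(attr)
        if not got:
            where = "check items only" if attr in lookup["check"] else "absent"
            problems.append(f"{attr} missing from reply items ({where})")
        elif expected is not None and got != expected:
            problems.append(f"{attr} is {got}, expected {expected}")
    return problems


def audit(log_text):
    """(identity, problems) for every lookup, in log order."""
    return [(l["user"], vlan_reply_problems(l)) for l in parse_ldap_lookups(log_text)]


if __name__ == "__main__":
    for user, problems in audit(SAMPLE_LOG):
        print(user, "OK" if not problems else "; ".join(problems))
```

This only shows what the LDAP module mapped for each identity it looked up; the attributes in the Access-Accept that the switch actually receives still need to be checked separately.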
Configuring rcp on ciscoworks LMS 2.5 and cisco 3560 switch
Dear All,
I have LMS 2.5 and nearly 50 Cisco 3560s in my network, and I want to configure rcp. How can I do it? Kindly help.
Regards,
RAHIL KHAN
Have a look at this link for the server:
http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_resource_manager_essentials/4.0/user/guide/swmgt.html#wp1328314
For the device you'll need something like:
username cwuser password 7 000C1C0A05
ip rcmd rcp-enable
ip rcmd remote-host cwuser 172.17.246.221 cwuser enable
ip rcmd remote-username cwuser -
ACE 4700 and Cisco ACS aaa authentication
ACE version Software
loader: Version 0.95
system: Version A1(7b) [build 3.0(0)A1(7b)
Cisco ACS version 4.0.1
I am trying to authenticate admin users with AAA authentication for ACE management.
This is what I've done:
ACE-lab/Admin(config)# tacacs-server host 192.168.3.10 key 123456 port 49
warning: numeric key will not be encrypted
ACE-lab/Admin(config)# aaa group server tacacs+ cciesec
ACE-lab/Admin(config-tacacs+)# server ?
<A.B.C.D> TACACS+ server name
ACE-lab/Admin(config-tacacs+)# server 192.168.3.10
can not find the TACACS+ server
specified TACACS+ server not found, please configure it using tacacs-server host ... and then retry
ACE-lab/Admin(config-tacacs+)#
Why am I getting this error? I have full connectivity between the ACE and the ACS server. Furthermore, the ACS server works fine with other Cisco IOS devices.
Please help. Thanks.
Thanks. Now I have another problem. I CAN log into the ACE via tacacs+ account(s). However, I get an error when I try going into configuration mode:
ACE-lab login: ngx1
Password:
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2007 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
ACE-lab/Admin# conf t
^
% invalid command detected at '^' marker.
ACE-lab/Admin#
The ngx1 account can access other Cisco
routers/switches just fine and can go into
enable mode just fine. Only issue on the ACE.
Any ideas? Thanks. -
Access Server 2511 can't access Routers & Switch
Hi,
I recently bought Cisco routers, a switch, an Access Server and Frame Relay for my CCNP home lab, but the problem is that my Access Server 2511 can't connect to any other devices like a router or switch. I have configured "loopback 200.1.1.1", then set up the "ip host Router1 2001 200.1.1.1" command for all of my other devices. When I try to connect to other devices it gives me this message but does not show the prompt for that device...
(Router#f2
Translating "f2"
Trying f2 (200.1.1.1, 2001)... Open)
I leave this message for a long time but the prompt never comes....
I also used the CLEAR line command to clear, but the problem still exists.
Please help me to resolve this problem...
Regards,
ABDUL
Hi
Thank you for your guidance. I have made the changes which you suggested, but the problem still exists. This is my fifth day battling with this issue. I can connect and work on all devices through the network using # telnet (ip address of any device). I am using the right cable (72-0845-01) Cisco Cab-Octal-Async 8 Lead Octal Cable (68 pin to 8 Male RJ-45s)... Now I am thinking that there is a problem with the cable or the Access Server 2511 physically, not with the configuration. Anyway, I am waiting for your reply...
tserver#sh run
Building configuration...
Current configuration : 1054 bytes
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname tserver
boot-start-marker
boot-end-marker
enable secret 5 $1$sWZ2$iNhMYtvWsbwBSGLnYtphr/
enable password cisco
no aaa new-model
ip subnet-zero
no ip domain lookup
ip host f1 2001 172.168.1.1
ip host s1 2002 172.168.1.1
ip host r1 2007 172.168.1.1
ip host f2 2009 172.168.1.1
ip host s2 2010 172.168.1.1
ip host r2 2016 172.168.1.1
interface Loopback0
ip address 172.168.1.1 255.255.255.0
interface Ethernet0
no ip address
shutdown
interface Serial0
no ip address
shutdown
no fair-queue
interface Serial1
no ip address
shutdown
ip http server
ip classless
dialer-list 1 protocol ip permit
line con 0
password cisco
login
transport output telnet
telnet speed 9600 38400
line 1 16
transport input telnet
transport output telnet
flowcontrol hardware
line aux 0
line vty 0 4
password cisco
login
transport input telnet
transport output telnet
telnet speed 9600 38400
end -
Securing Telnet access on Cisco routers (access class)
Dear All,
In my network I have Cisco Catalyst switches and Cisco routers deployed in my WAN. On the Cisco routers, an ACL was activated to secure telnet access to the WAN devices. Only 3 hosts (remote) were authorized to access these devices. I need to modify this security to have access from the LAN (locally).
The ACL was implemented on all routers, and activated using access-class in.
Is there any idea, without changing the configuration much, to only tell the router to apply this ACL for the WAN and not for access from the LAN?
Thanks for your help,
Best regards,
Hi,
here is the ip int brief.
thanks
CISCO1841#show ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.1.1 YES NVRAM up up
FastEthernet0/1 192.168.2.1 YES NVRAM up up
ATM0/0/0 unassigned YES NVRAM up up
Dot11Radio0/1/0 unassigned YES NVRAM up up
Dot11Radio0/1/0.1 192.168.2.129 YES NVRAM up up
Dot11Radio0/1/0.2 192.168.3.1 YES NVRAM up up
NVI0 unassigned NO unset up up
Virtual-Access1 unassigned YES unset up up
Dialer1 151.16.203.203 YES IPCP up up -
Facing issue in using SNMPV3 on Cisco Routers
Hi,
Actually, I am trying to implement SNMPv3 on Cisco routers and switches to manage and monitor these devices in a more secure manner using an NMS called Orion (NPM) Network Performance Monitor.
When I go to add the node in Orion (NPM), it shows me an error that the device does not support the interfaces MIB.
The Routers IOS Version and its feature set is as under:
Cisco 3800 & 2800 (IOS version 12.4(20)T2 Advance IP Services).
Configuration as under:
snmp-server DEPT_GRP V3 auth context DEPT_CTX read DEPT_VIEW
snmp-server view DEPT_VIEW iso included
snmp-server view DEPT_VIEW internet included
snmp-server view DEPT_VIEW interfaces included
snmp-server view DEPT_VIEW system included
snmp-server view DEPT_VIEW chassis included
snmp-server context DEPT_CTX
snmp-server user SNMPADMIN DEPT_GRP v3 auth sha cisco123 priv des cisco123
snmp-server host 213.42.48.158 version 3 auth SNMPADMIN
At Orion parameters are given as under:
username :- SNMPADMIN
SNMPV3 context :- DEPT_CTX
SNMPV3 Authentication :- SHA1
SNMPV3 Privacy/Encryption :- DES56
Password Key :- cisco123 (All the places)
Kindly help me out and advise me where I am going wrong. Kindly check whether anything is missing in the configuration above regarding the SNMPv3 configuration.
Rgds,
Ayaz Ali
Hi Joe,
Thanks for your response. As per your reply, I removed the context and views which were configured earlier on the router and followed the same instructions as you mentioned in your reply, but I would like to tell you one thing about the configuration that I had done for SNMP v3.
Your configuration is :-
snmp-server group DEPT_GRP v3 auth read v1default
snmp-server user SNMPADMIN DEPT_GRP v3 auth sha cisco123 priv des cisco123
My Configuration is :-
snmp-server group DEPT_GRP v3 priv read v1default
snmp-server user SNMPADMIN DEPT_GRP v3 auth sha cisco123 priv des cisco123
In your configuration, you are using authentication (auth) for the SNMP v3 group, and if you select the auth keyword then you have to provide only the authentication method (SHA, MD5) and no privacy keys for encryption (DES, AES) in the SNMP user configuration, otherwise it will give you an error that the credentials did not match on the host when you try to poll the device.
In my configuration, I am using privacy (priv) for the SNMP v3 group, that's why I had given both authentication and encryption keys under the SNMP user configuration.
In short, user settings are dependent on the group settings: if you are using auth then it only supports authentication but no privacy, and if you are using priv then it allows both authentication and encryption (privacy).
Thanks for your support, it really helped me out in solving the issue. Now I am able to poll all my routers using SNMP v3.
Rgds,
Ayaz Ali -
Communication problem between Cisco 3560 and Cisco SG300.
Dear Support,
I have a Cisco SG300 and Cisco 3560 switches.
3560 is my Core Switch and SG300 is access switch.
From 3560 VLAN information is not passed to SG300.
3560 Configuration:
interface GigabitEthernet0/23
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,10,11
switchport mode trunk
SG300 Configuration:
interface gigabitethernet49
spanning-tree link-type point-to-point
switchport mode general
switchport general allowed vlan add 2,10-11 tagged
macro description switch
Please suggest how this issue can be resolved.
Regards,
JItesh Mahajan.
Dear Aleksandra,
Is the below configuration right or wrong for the 3560 and SG300?
3560 Configuration:
interface GigabitEthernet0/23
switchport trunk encapsulation dot1q
switchport trunk allowed vlan remove VLAN 1
switchport native vlan 1
switchport trunk allowed vlan 1,2,10,11
switchport mode trunk
SG300 Configuration:
interface gigabitethernet49
spanning-tree link-type point-to-point
switchport mode general
switchport general allowed vlan add 2,10-11 tagged
macro description switch
Regards,
JItesh Mahajan. -
Configuration of Routers/SWitches
I would like to know what is the best configuration to connect 2 Routers 7206 to 2 Switches 3750. The best configuration between routers, between switches and between routers/switches. Thanks.
wrong forum.
Try "LAN, Switching and Routing"
Gilles.