Securing Telnet access on Cisco routers (access class)

Similar Messages

• Only 1 pc unknowingly block access to Cisco ASA5505 (SSH.Telnet, ASDM)

  Hi,
  i have setup a new ASA5505, most of our pc getting DHCP from ASA5505, all my pc/laptop can SSH/ and ASDM into the Cisco ASA for administration.
  however there is 1 Lenovo Laptop (Window XP) unable to ping, unable to ASDM into cisco asas5505, this pc is getting DHCP from ASA5505 as well and able to surf net as other PCs do.
  from ASA can ping to this Lenovo Laptop ip address, however only this Lenovo Laptop unable to access the cisco asa management portal.
  would you advise what is the likely cause and what could be check?
  Thank you

  try to check the firewall setting on that laptop, perhaps it's not allowing some services e.g. ssl/tsl. try to check the access-list rule and the pool addresses for the dhcp on the asa, make sure the access-list is not allowing only some parts of ip addresses in that pool. 

• Ask the Expert: Plan, Design, and Implement Mobile Remote Access, the Cisco Collaboration Edge Architecture

  Welcome to the Cisco® Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about planning, designing, and implementing mobile remote access (Cisco Collaboration Edge Architecture) with Cisco subject matter experts Aashish Jolly and Abhijit Anand.
  Cisco Collaboration Edge Architecture is an architecture that provides VPN-less access of Cisco Unified Communications resources to Cisco Jabber® users. This discussion is dedicated to addressing questions about design best practices while implementing mobile remote access.
  For more information, refer to the Unified Communications Mobile and Remote Access via Cisco VCS deployment guide. 
  Aashish Jolly is a network consulting engineer who is currently serving as the Cisco Unified Communications consultant for the ExxonMobil Global account. Earlier at Cisco, he was part of the Cisco Technical Assistance Center (TAC), where he helped Cisco partners with installation, configuring, and troubleshooting Cisco Unified Communications products such as Cisco Unified Communications Manager and Manager Express, Cisco Unity® solutions, Cisco Unified Border Element, voice gateways and gatekeepers, and more. He has been associated with Cisco Unified Communications for more than seven years. He holds a bachelor of technology degree as well as Cisco CCIE® Voice (#18500), CCNP® Voice, and CCNA® certifications and VMware VCP5 and Red Hat RHCE certifications.
  Abhijit Singh Anand is a network consulting engineer with the Cisco Advanced Services field delivery team in New Delhi. His current role involves designing, implementing, and optimizing large-scale collaboration solutions for enterprise and defense customers. He has also been an engineer at the Cisco TAC. Having worked on multiple technologies including wireless and LAN switching, he has been associated with Cisco Unified Communications technologies since 2006. He holds a master’s degree in computer applications and multiple certifications, including CCIE Voice (#19590), RHCE, and CWSP and CWNP.
  Remember to use the rating system to let Aashish and Abhijit know if you have received an adequate response. 
  Because of the volume expected during this event, our experts might not be able to answer every question. Remember that you can continue the conversation on the Cisco Support Community Collaboration, Voice and Video page, in the Jabber Clients subcommunity, shortly after the event. This event lasts through June 20, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hi Marcelo,
     Yes, there are some requirements for certificates in Expressway.
  Expressway Core (Exp-C)
  - Can be signed by either External or Internal CA
  - Better to use a cluster name even if you start with 1 peer in Exp-C cluster. In the future, if more peers are added, changes would be minimal.
  - Better to use FQDN of cluster as CN of certificate, this way the traversal zone configuration on Expressway-E won't require any change even if new peers are added to Exp-C cluster.
  - If CUCM is mixed mode, include security profile names (in FQDN format) as Subject Alternate Names
  - The Chat Node Aliases that are configured on the IM and Presence servers. They will be required only for Unified Communications XMPP federation deployments that intend to use both TLS and group chat. (Note that Unified Communications XMPP federation will be supported in a future Expressway release). The Expressway-C automatically includes the chat node aliases in the CSR, providing it has discovered a set of IM&P servers.
  - For TLS b/w CUCM, IM-P & Exp-C
    + If using self-signed certificates on CUCM, IM/P. Load Cisco Tomcat, cup, cup-xmpp certificates from IM-P on Exp-C. Load callmanager, Cisco Tomcat certificates from CUCM on Exp-C.
    + If using Internal CA signed certificates on CUCM, IM/P. Load Root CA certificates on Exp-C.
    + Load CA certificate under tomcat-trust, cup-trust, cup-xmpp-trust on IM-P.
    + Load CA certificate under tomcat-trust, callmanager-trust on CUCM.
  Expressway Edge (Exp-E)
  - Signed by External CA
  - Configured Unified Communications domain as Subject Alternate Name
  - If using a cluster, select FQDN of this peer as CN and FQDN of Cluster + this peer as Subject Alternate Name.
  - If XMPP federation is being deployed, enter the same Chat Node Aliases as entered in Exp-C.
  For more details, please refer to the Certificate Creation Guide for Cisco Expressway x8.1.1
  http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-1/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-1.pdf
  - Aashish

• Slow connection in one server if accessing through Cisco ACE

  Hi,
  Good day, Can someone help me on my problem? I have 3 servers, server1, server2 and server3. When one pc accessing the server 3 application via Cisco ACE, it experienced a slow connection but when direct access without Cisco Ace, it's fast. The connection of this PC through cisco ace and direct access have no issue.
  What need to do in my configuration? Below is my configuration
  logging enable
  logging timestamp
  logging trap 7
  logging buffered 7
  logging monitor 7
  logging host 167.81.126.5 udp/514
  logging host 137.55.152.147 udp/514
  resource-class SG_01
    limit-resource all minimum 0.00 maximum unlimited
    limit-resource sticky minimum 10.00 maximum equal-to-min
  boot system image:c4710ace-mz.A3_2_0.bin
  login timeout 30
  peer hostname singapore-ace2
  hostname singapore-ace1
  interface gigabitEthernet 1/1
    channel-group 14
    no shutdown
  interface gigabitEthernet 1/2
    channel-group 14
    no shutdown
  interface gigabitEthernet 1/3
    channel-group 14
    no shutdown
  interface gigabitEthernet 1/4
    channel-group 14
    no shutdown
  interface port-channel 14
    description ISOLAN-ACE-TRUNK
    ft-port vlan 99
    switchport trunk native vlan 1
    switchport trunk allowed vlan 12,14,112
    no shutdown
  clock timezone SGT 8 0
  ntp server 137.55.152.1
  context Admin
    member SG_01
  access-list ALL line 8 extended permit ip any any
  access-list ALL line 9 extended permit icmp any any
  ip domain-name ysn.psg.philips.com
  probe http singapore_01
    description This probe used to monitor application url-app-script
    interval 5
    passdetect interval 5
    request method get url /insiteserverstatus/insiteserverstatus.aspx
    expect status 200 200
    open 1
  probe http singapore_02
    description This probe used to monitor IIS-login-page
    interval 5
    passdetect interval 5
    request method get url /InSiteLumiledsApplication/
    expect status 200 200
    open 1
  probe icmp uplink
    description This probe used in conjunction with ft track host
    interval 2
    faildetect 2
    passdetect interval 3
  parameter-map type connection PARAM_L4STICKY-IP
    exceed-mss allow
  rserver host sggysnysn1ms013
    ip address 137.55.152.135
    inservice
  rserver host sggysnysn1ms014
    ip address 137.55.152.136
    inservice
  rserver host sggysnysn1ms018
    ip address 137.55.152.145
    inservice
  serverfarm host PLI9058
    probe singapore_01
    probe singapore_02
    rserver sggysnysn1ms013
      inservice
    rserver sggysnysn1ms014
      inservice
    rserver sggysnysn1ms018
      inservice
  sticky ip-netmask 255.255.255.255 address both SG_GROUP_01
    timeout 720
    replicate sticky
    serverfarm PLI9058
  class-map type management match-any HTTPS-ALLOW_CLASS
  class-map match-all L4STICKY-IP_141:ANY_CLASS
    2 match virtual-address 137.55.152.141 any
  class-map type http loadbalance match-any NO_MS018
    50 match source-address 137.55.155.31 255.255.254.0
  class-map type management match-any SSH-ALLOW_CLASS
    2 match protocol ssh source-address 167.81.124.0 255.255.255.192
    3 match protocol ssh source-address 167.81.126.0 255.255.255.192
  class-map type management match-any remote_access
    2 match protocol xml-https any
    3 match protocol icmp any
    5 match protocol ssh any
    6 match protocol http any
    7 match protocol https any
    8 match protocol snmp any
  policy-map type management first-match remote_mgmt_allow_policy
    class remote_access
      permit
  policy-map type loadbalance first-match L7PLBSF_STICKY-NETMASK_POLICY
    class class-default
      sticky-serverfarm SG_GROUP_01
      insert-http X-Forwarded-For header-value "%is"
  policy-map multi-match PLI9058-VIPs_POLICY
    class L4STICKY-IP_141:ANY_CLASS
      loadbalance vip inservice
      loadbalance policy L7PLBSF_STICKY-NETMASK_POLICY
      loadbalance vip icmp-reply
      connection advanced-options PARAM_L4STICKY-IP
  interface vlan 12
    description Client-side vlan
    bridge-group 1
    no normalization
    mac-sticky enable
    access-group input ALL
    access-group output ALL
    service-policy input PLI9058-VIPs_POLICY
    no shutdown
  interface vlan 14
    ip address 137.55.152.236 255.255.255.248
    peer ip address 137.55.152.237 255.255.255.248
    service-policy input remote_mgmt_allow_policy
    no shutdown
  interface vlan 112
    description Server-side vlan
    bridge-group 1
    no normalization
    access-group input ALL
    access-group output ALL
    nat-pool 1 137.55.152.141 137.55.152.141 netmask 255.255.255.192 pat
    no shutdown
  interface bvi 1
    ip address 137.55.152.189 255.255.255.192
    alias 137.55.152.188 255.255.255.192
    peer ip address 137.55.152.190 255.255.255.192
    description Bridge-Group 1 Virtual Interface
    no shutdown
  ft interface vlan 99
    ip address 192.168.1.1 255.255.255.252
    peer ip address 192.168.1.2 255.255.255.252
    no shutdown
  ft peer 1
    heartbeat interval 100
    heartbeat count 10
    ft-interface vlan 99
  ft group 1
    peer 1
    priority 150
    peer priority 50
    associate-context Admin
    inservice
  ft track host test1
    track-host 137.55.152.234
    peer track-host 137.55.152.235
    peer probe uplink priority 50
    probe uplink priority 50
  ip route 0.0.0.0 0.0.0.0 137.55.152.233

  Hi Earsdale,
  All the three servers are using the same configuration, so, I'm afraid it's not possible to give you a simple answer. You will need more troubleshooting.
  I would recommend you to start by checking the differences between the servers because one of those differences is certainly causing the failure.
  Also, it would be helpful to get traffic captures on the TenGig interface of the ACE to compare the behavior of the connection when going to the different servers, as well as the differences when being load-balanced vs accessing the server directly.
  If you need help with this troubleshooting, you can always open a TAC service request
  Regards
  Daniel

• 802.1x (DOT1x) and Cisco Clean Access 3140

  Hi,
  We have about 300 remote sites and would like to implement an authentication mechanism to authenticate end-devices (Windows PCs) before allowing access to the network. We thought we could implement DOT1x on our Cisco 2960, 3750 and 4500 series switches and send the "PC-switch" access requests to our centrally located Cisco Clean Access 3140 NAC servers -back at the HQ sites. We understand the NAC servers will be used to authenticate (among other things) the end-users workstations to ensure each workstation is a company owned PC and all  the security parameters are installed and up today. -RIGHT?
  Can the Cisco Clean Access 3140 server perform the Authentication security checks from the 802.1x (DOT1x) enabled switches?
  Does the Cisco Clean Access 3140 server have to be inline (on the users subnet) and/or be centrally located?
  Is the Cisco Clean Access 3140 still usable?
  Thanks
  Frank

  unfortunately because they are Avaya phones, the easy answer CDP-Bypass fails in this instance. When you plug in the phone, the switch will assume it's the 'single host' for this port, and restrict the port due to the authentication for the phone failing. Maybe you can just hard-code the voice-vlans on each phone, but that could get tedious depending on the amount of phones.
  I believe there is a DHCP option you can pass back that indicates the phone should be running on vlan 200, but for this to work you'd also need to set up a pre-auth ACL that would allow DHCP to work in the unauthorized state. I think it's 147 off the top of my head.
  Another solution (which isn't what you originally wanted, but it would work) is to just use multi-domain instead of single-host, and authenticate both the phone and the PC. The raduis server should be able to distinguish between what is configured as a phone and what is a host, and will send back the appropriate vlan if configured correctly.
  What are using for a radius server?

• Removing Cisco Clean Access Agent 4.5 (CCA)

  I'm more or less having trouble with uninstalling Cisco Clean Access Agent 4.5.0.0, so I can install CCA 4.1...
  I removed CCAAgent 4.5 + the files within "Library/ApplicationSupport/" and in "Library/Receipts"...yet when I try to install 4.1, it tells me there's a newer version of the software on this disk & won't let me install.
  I am on Snow Leopard, too - by the way.
  Any solutions to this?

  Tim:
  Seen this page yet....anything there help?
  http://www.cisco.com/en/US/docs/security/nac/appliance/configurationguide/45/cam/magntd.html#wp1276391
  Do you have a fresh backup if needed? Have you tried repairing permissions and checking for hidden files with a similar name?

• How To Migrate Cisco Clean Access to Cisco ISE

  We have a Cisco Clean Access 3.6.3 (3140 Appliance) in which we would love to migrate to Cisco ISE 1.1 (3315 Appliance).  Does anyone have an idea on how to do this?
  I was wondering if I need to upgrade the a later version of Cisco Clean Access and them back it up the CCA.  Backup the CCA and then restore/import the backup to the ISE.
  Any help will be greatly appreciated?
  Thanks.

  Hi Mate,
  Refer to below instructions for hosting licenses on ISRs:
  http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/software-activation-on-integrated-services-routers-isr/white_paper_c11_556985.html#wp9001047
  Rehosting a License
  Prerequisites:
  • Valid Cisco.com account (username/password)
  • Retrieve Product Id and Serial Number with either the IOS "show license udi" command or label tray from both the source and destination devices.
  • Retrieve Source Device Credentials by issue the following IOS commands in exec mode:
  – license save credential flash0:CredentialFileName
  – more flash0:CredentialFileName
  • The source device has rehostable licenses.
  Rehosting a License with Cisco's Licensing Portal
  This process can be used when the source and the destination device cannot communicate directly with Cisco licensing portal
  Summary Steps:
  1. Obtain UDI and device credentials from the source and destination devices using IOS CLI commands
  2. Contact the Product License Registration page on Cisco.com and enter the source Device Credentials and UDI into the license transfer portal tool.
  3. The portal will display licenses that can be transferred from the source device.
  4. Select the licenses that need to be transferred. A permission ticked is issued. You can use this permission ticket to start the rehost process using Cisco IOS c  for any further help.ommands.
  5. Apply the permissions ticket to the source device using the license revoke command. The source device will then provide a rehost ticket indicating proof of revocation. A sixty day grace period license is also installed on the device to allow enough time to transfer the licenses to destination device.
  6. Enter the rehost ticket into the license transfer portal tool on Cisco.com along with destination device UDI.
  7. Receive the license key via E-mail
  8. Install the license key on the destination device.
  You can also email [email protected]
  -Terry
  Please rate all helpful posts

• Cisco Works Access Levels

  I was wondering if anyone could maybe point me to where it states that access levels cisco works needs. We have some core switches that we only want cisco works to store log and configuration settings, but not necessarily allow it to access to change these. Any ideas? or any documentation anyone can point me to?
  Thanks
  AJ

  AJ,
  So you want Ciscoworks to store syslog messages and device configurations?  Not the settings?
  For Ciscoworks to be able to retrieve and store the device configurations, the server will need at least SNMP ReadOnly-ReadWrite access to pull the configs from the devices via an snmp set using tftp.  The only other way Ciscoworks can pull configs is through telnet or ssh where it needs access to the enable prompt to get the configs.
  For Syslog, as long as RME can classify the type of Cisco device and knows what kind fo device it is syslog messages will be stored in RME.
  Again, these answers apply to the clarification question I first stated.
  Rob

• Bootup order on Cisco Aironet Access Points

  Hello folks 
  Could you please help me in clarifying the bootup order on Cisco Aironet Access Points 
  Does the SNMP Agent on the device start before the Startup config is copied to Running Config ?
  Because everytime the Cisco Aironet Access Point restart , SNMP trap  is generated from Admin down WLAN interfaces (Dot11Radio1/Dot11Radio0) mentioning "Administratively down " . 
  So my best assumption is that 
  Access point Restarts - > SNMP Engine starts -> Startup Config is copied to Running config -> Interface is made admin down -> SNMP Trap is sent 
  Is that correct?
  Please help !
  Anup

  The Clean Access Manager (CAM) manages out-of-band Clean Access Servers (CASs) and switches through the admin network. The trusted interface of the CAS connects to the admin/management network, and the untrusted interface of the CAS connects to the managed client network.
  When a client connects to a managed port on a managed switch, the port is set to the authentication VLAN and the traffic to/from the client goes through the Clean Access Server. After the client is authenticated and certified through the Clean Access Server, the port connected to the client is changed to the access VLAN. Once on the access VLAN, traffic to and from certified clients bypasses the Clean Access Server.
  In most OOB deployments (except L2 OOB Virtual Gateway where the Default Access VLAN is the Access VLAN in the Port profile), the client needs to acquire a different IP address from the Access VLAN after posture assessment.
  For Real-IP/NAT-Gateway setup, the client port is bounced to prompt the client to acquire a new IP address from the admin/access VLAN.
  The below URL describe the configuration steps needed to set up your OOB deployment:
  •Configure Your Switches
  •Configure OOB Switch Management in the CAM
  •Configure Access to Authentication VLAN Change Detection
  http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/416/CAM/m_oob.html#wp1175744

• LAN network design - Core/access with Cisco 6513

  Hi,
  I have been tasked with setting up a new branch office, with 100+ users, a stack of servers (1Gb-based) and some wireless access points, WAN block (ASA 5520 and a couple of routers.)
  At the moment, port requirement is around 400. 
  As there's not enough space and it's only a single floor office, I'm thinking to go ahead with one of Cisco 6500 models, specifically Catalyst 6513-E, as a core and access switch. This way, there won't be any need to try to install 48-port switches around the small office area.
  I'm not too sure about the pricing at the moment. It may be a better/cheaper option to go with a couple of 3750s as core/aggregation and 2960s for access switch installed all in the same rack. If I go with small switches, it would be roughly x7 48-port access switches and one stack of two 3750s, which gives about 450-60. 
  I believe I won't utilise half of the capacity if I go ahead with 6513, however my manager wants to minimise the overhead managing this branch office hence this all-in-all one switch option has resurfaced.
  Is there anyone using this kind of similar setup in the environment? If so, can you please share your opinions?
  Also, would there be a huge difference in terms of pricing?
  Catalyst 6503-E
  Catalyst 6504-E
  Catalyst 6506-E
  Catalyst 6509-E
  Catalyst 6513-E
  Catalyst 6509-V-E
  Slots
  3
  4
  6
  9
  13
  9 vertical
  Max 10/100/1000 ports
  97
  145
  241
  385
  529
  385
  Max 1 GE ports1
  99
  147
  243
  387
  534
  387
  Max 10 GE ports2
  34
  50
  82
  130
  180
  130
  Max 40 GE ports
  8
  12
  20
  32
  44
  32
  Maximum forwarding performance (IPv4)
  150 Mpps
  210 Mpps
  330 Mpps
  510 Mpps
  720 Mpps
  510 Mpps
  Height (RU)
  4
  5
  11
  14
  19
  21
  Weight (chassis)
  33 lbs
  (15 kg)
  40 lbs
  (17.8 kg)
  50 lbs
  (22.7 kg)
  60 lbs
  (27.3 kg)
  79.1 lbs
  (35.9 kg)
  121 lbs
  (54.9 kg )
  Thanks

  Thanks a lot for your input, Joseph.
  I was just going over 4510R+E for a potential winner; It seems to have 10 slots, which gives me about 390 Gig ports, with two dual sups. Given that a single sup 8E can provide throughput as below table, I should think about going forward with a single sup.
  Given that most users will be on 100Mbps at peak time and all other miscellaneous traffic, it would come down to around 20Gbps.
  Model
  Supervisor 8E
  Supervisor 7E
  Supervisor 7LE
  Supervisor 6E
  Supervisor 6LE
  Supervisor V 10 GE
  Documentation
  Data Sheet
  Data Sheet
  Data Sheet
  Data Sheet
  Data Sheet
  Data Sheet
  Performance
  Supervisor 8E
  Supervisor 7E
  Supervisor 7LE
  Supervisor 6E
  Supervisor 6LE
  Supervisor V 10 GE
  Switching Capacity
  928 Gbps
  848 Gbps
  520 Gbps
  320 Gbps
  280 Gbps
  136 Gbps
  IPv4 Throughput
  250 Mpps
  250 Mpps
  225 Mpps
  250 Mpps
  225 Mpps
  102 Mpps
  IPv6 Throughput
  125 Mpps
  125 Mpps
  110 Mpps
  125 Mpps
  110 Mpps
  Software Switched
  Bandwidth/Slot
  48 Gbps
  48 Gbps
  48 Gbps
  24 Gbps
  24 Gbps
  6 Gbps
  Scalability
  Supervisor 8E
  Supervisor 7E
  Supervisor 7LE
  Supervisor 6E
  Supervisor 6LE
  Supervisor V 10 GE
  Number of Routes
  256K for IPv4
  128K for IPv6
  256K for IPv4
  128K for IPv6
  64K for IPv4
  32K for IPv6
  256K for IPv4
  128K for IPv6
  64K for IPv4
  32K for IPv6
  128K for IPv4
  1K for IPv6
  Number of Packet Buffers
  128K
  128K
  128K
  64K
  64K
  32K
  NetFlow Entries
  128K
  128K
  128K
  85K
  MAC Learning Rate per Second
  20K
  20K
  14K
  13K
  8K
  8K
  Dynamic Host Control Protocol (DHCP) Snoop Entries
  12K
  12K
  12K
  12K
  3K
  6K
  Number of 10/100/1000 Ports
  Up to 384 access
  Up to 384 access
  Up to 240 access
  Up to 384 access
  Up to 240 access
  Up to 384 access
  10 GE and 1 GE Uplinks
  8 10 GE / 1 GE
  4 10 GE / 1 GE
  2 10 GE / 4 1 GE
  2 10 GE / 4 1 GE (TwinGig)
  2 10 GE / 4 1 GE (TwinGig)
  2 10 GE + 4 1 GE
  1 GE Non-Blocking Fiber Ports
  192
  192
  120
  138
  120
  48
  10 GE Fiber Ports
  96
  96
  60
  30
  30

• Accessing the ServletContext from a class that is not a Servlet?

  Is there any way of accessing the ServletContext from a class that is not a
            Servlet? The class is being used as part of a Web Application.
            Thanks.
            

  http://www.mozilla.org/mirrors.html
  Mozilla has download mirrors around the globe. If it is on the list, it is trustworthy.

• How to access a method of a class which just known class name as String

  Hi,
  Now I have several class and I want to access the method of these class. But what I have is a String which contain the complete name of the class.
  For example, I have two class name class1and class2, there are method getValue in each class. Now I have a String containing one class name of these two class. I want to access the method and get the return value.
  How could I do?
  With Class.forName().newInstance I can get a Object. but it doesn't help to access and execute the method I want .
  Could anybody help me?
  Thanks

  Or, if Class1 and Class2 have a common parent class or interface (and they should if you're handling them the same way in the same codepath)...Class c = Class.forName("ClassName");
  Object o = c.newInstance(); // assumes there's a public no-arg constructor
  ParentClassOrInterface pcoi = (ParentClassOrInterface)o;
  Something result = pcoi.someMethod(); Or, if you're on 5.0, I think generics let you do it this way: Class<ParentClassOrInterface> c = Class.forName("ClassName");
  // or maybe
  Class<C extends ParentClassOrInterface> c = Class.forName("ClassName");
  ParentClassOrInterface pcoi = c.newInstance();
  Something result = pcoi.someMethod();

• Problem with Cisco 1240AG Access Points

  I have a Cisco 1240AG Access point (P/N ? AIR-LAP1242AG-A-K9).
  It has come in the lightweight mode.
  I just want to know whether I can put it to the autonomous mode.

  Hi Indika,
  Here is a conversion method (look most of the way down the attached doc);
  Reverting the Access Point Back to Autonomous Mode
  http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00804fc3dc.html#wp161272
  You can convert an access point from lightweight mode back to autonomous mode by loading a Cisco IOS Release that supports autonomous mode (Cisco IOS release 12.3(7)JA or earlier). If the access point is associated to a controller, you can use the controller to load the Cisco IOS release. If the access point is not associated to a controller, you can load the Cisco IOS release using TFTP.
  Using a TFTP Server to Return to a Previous Release
  Follow these steps to revert from LWAPP mode to autonomous mode by loading a Cisco IOS release using a TFTP server:
  Step 1 The static IP address of the PC on which your TFTP server software runs should be between 10.0.0.2 and 10.0.0.30.
  Step 2 Make sure that the PC contains the access point image file (such as c1200-k9w7-tar.122-15.JA.tar for a 1200 series access point) in the TFTP server folder and that the TFTP server is activated.
  Step 3 Rename the access point image file in the TFTP server folder to c1200-k9w7-tar.default for a 1200 series access point, c1130-k9w7-tar.default for an 1130 series access point, and c1240-k9w7-tar.default for a 1240 series access point.
  Step 4 Connect the PC to the access point using a Category 5 (CAT5) Ethernet cable.
  Step 5 Disconnect power from the access point.
  Step 6 Press and hold MODE while you reconnect power to the access point.
  Step 7 Hold the MODE button until the status LED turns red (approximately 20 to 30 seconds) and then release.
  Step 8 Wait until the access point reboots, as indicated by all LEDs turning green followed by the Status LED blinking green.
  Step 9 After the access point reboots, reconfigure it using the GUI or the CLI.
  From this doc;
  http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00804fc3dc.html#wp161272
  Hope this helps!
  Rob

• Two Cisco Routers in one class-c network

  Hello,
  i have two cisco routers, which are connected to one switch. On this switch, there are several servers connected as well.
  When i connected the second cisco router, i got messages on the first router, that there is an ip address conflict. After a few minutes it seems as if the vpn tunnel on the first router breaks down because of this conflict. I'm not sure about this, but when i disconnected the second router again, the vpn tunnel could be established again. The vpn tunnel goes to another router via WAN and ends in the local class-c network, where both routers are in.
  Router1
  LAN 192.168.105.254 (255.255.255.0)
  WAN 212.xxx.xxx.xxx
  ||
  ||
  Cisco Switch
  ||
  ||
  Router2
  LAN IP 192.168.105.253 (255.255.255.0)
  WAN IP 217.xxx.xxx.xxx
  Router1
  int fa 0/1
  ip address 192.168.105.254 255.255.255.0
  Router2
  int fa 0/1
  ip address 192.168.105.253 255.255.255.0
  Could the /24 mask on the interfaces cause the conflicts?
  From the servers, none has the ip 192.168.105.253 or 192.168.105.254 and if i disconnect Router2, the IP 192.168.105.253 is not reachable from any system on the switch.
  So how does this ip address conflict occur?

  hello,
  can you check the router 1 log. with error message you should have a mac address
  May 10 05:32:20.489: %IP-4-DUPADDR: Duplicate address 10.10.10.1 on GigabitEthernet0/1.1, sourced by 0003.oc12.a2c3
  This should help you to identify host already with 192.168.105.253.
  Before connecting Router 2, from Router 1 ping 192.168.105.253 and do a sh arp ?
  HTH,
  regards,
  cisand

• I get a security warning whenever I try to access anything

  I get a security warning whenever I try to access anything - even a Google search. Just started within the last few days and I haven't updated or anything like that. If I click "Continue", I can then proceed - but it's annoying.
  Can't see anything to turn off that might help.
  Any ideas ?
  I'm using Firefox 25 and I don't want to update as I will loose some addons I want to keep.
  Regards,
  Robert.

  For freecorder, you need to update to freecorder 8 (http://www.freecorder.com/)
  You also need to update wondershare, http://www.wondershare.com/convert-video-audio/firefox-youtube-downloader.html
  You have a lot of add-ons that all do one thing (download youtube videos) maybe try to condense to just one that works really well?