SG200-50P and Cisco Router Issue
I have just recently replaced a WS-CE500-24LC switch with a SG200-50P. I have plugged in a Cisco 1760 router with a fast ethernet into the switch. On the console of the router I now see these messages:
Jun 30 16:17:30.492: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver
problem?
cisco1760#
Jun 30 16:18:30.495: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver
problem?
cisco1760#
Jun 30 16:19:30.498: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver
problem?
cisco1760#
Jun 30 16:20:30.501: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver
problem?
cisco1760#
Jun 30 16:21:30.504: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver
problem?
cisco1760#
Jun 30 16:22:30.514: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver
problem?
cisco1760#
Jun 30 16:23:30.517: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver
problem?
cisco1760#
Jun 30 16:24:30.520: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver
problem?
cisco1760#
Jun 30 16:25:30.523: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver
problem?
cisco1760#
Jun 30 16:26:30.526: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver
problem?
cisco1760#
Jun 30 16:27:30.528: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver
problem?
cisco1760#
Jun 30 16:28:30.531: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver
problem?
cisco1760#
Jun 30 16:29:30.534: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver
problem?
cisco1760#
Jun 30 16:30:30.537: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver
problem?
cisco1760#
Jun 30 16:31:30.540: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver
problem?
cisco1760#
Jun 30 16:32:30.543: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver
problem?
cisco1760#
Jun 30 16:33:30.545: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver
What does this mean and how do I fix the issue? As far as I am aware both ends of the link are set to autonegotiate the speed and duplex.
Thanks for helping.
Dave,
1. Thanks for explaining what the error message means. I never saw this message when the router was plugged into the WS-CE500-24LC switch.
2. I did upgrade to the new firmware, even before I had connected the router to the switch. I also replaced the cable. It did not fix the issue.
3a. Other than the log messages every minute, I do see any impact to the network that I am aware of.
Interface counts:
cisco1760#sh int fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
Hardware is PQUICC_FEC, address is 000c.ce05.d68c (bia 000c.ce05.d68c)
Description: "Primary LAN Segment"
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 2/255, rxload 2/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/948/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 895000 bits/sec, 245 packets/sec
5 minute output rate 978000 bits/sec, 293 packets/sec
199852941 packets input, 838336294 bytes
Received 1945096 broadcasts, 0 runts, 0 giants, 0 throttles
482 input errors, 0 CRC, 0 frame, 482 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
234783382 packets output, 4015540432 bytes, 9 underruns
9 output errors, 0 collisions, 13 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
A minute later...
cisco1760#sh int fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
Hardware is PQUICC_FEC, address is 000c.ce05.d68c (bia 000c.ce05.d68c)
Description: "Primary LAN Segment"
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 2/255, rxload 2/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/948/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 878000 bits/sec, 238 packets/sec
5 minute output rate 962000 bits/sec, 286 packets/sec
199880510 packets input, 851437952 bytes
Received 1945469 broadcasts, 0 runts, 0 giants, 0 throttles
482 input errors, 0 CRC, 0 frame, 482 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
234816750 packets output, 4029944015 bytes, 9 underruns
9 output errors, 0 collisions, 13 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
cisco1760#
It appears that just the byte and packet counts are increasing. Nothing shown in the log of the SG200-50P. Logging level set to informational in RAM.
I set both sides to 10 M / half-duplex and that also did not affect the messages.
Do you have any thoughts on the carrier-delay or keepalive settings on the fast ethernet interface of the router?
Thanks.
Similar Messages
-
Hi, I'm trying to create Site-to-Site VPN between Cisco ASA 5505 and Cisco Router 3945.
I've tried create configuration with and without ASA wizard, but anyway it doesn't work.
Please help me to find where is the issue.
I have two sites and would like to get access from 192.168.83.0 to 192.168.17.0
192.168.17.0 --- S1.S1.S1.S1 (IOS Router) ==================== S2.S2.S2.S2 (ASA 5505) --- 192.168.83.0
Here is my current configuration.
Thanks for your help.
IOS Configuration
version 15.2
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key cisco address 198.0.183.225
crypto isakmp invalid-spi-recovery
crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac
mode transport
crypto map static-map 1 ipsec-isakmp
set peer S2.S2.S2.S2
set transform-set AES-SET
set pfs group2
match address 100
interface GigabitEthernet0/0
ip address S1.S1.S1.S1 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map static-map
interface GigabitEthernet0/1
ip address 192.168.17.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255
ASA Configuration
ASA Version 8.4(3)
interface Ethernet0/0
switchport access vlan 2
interface Vlan1
nameif inside
security-level 100
ip address 192.168.83.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address S2.S2.S2.S2 255.255.255.248
ftp mode passive
same-security-traffic permit intra-interface
object network inside-network
subnet 192.168.83.0 255.255.255.0
object network datacenter
host S1.S1.S1.S1
object network datacenter-network
subnet 192.168.17.0 255.255.255.0
object network NETWORK_OBJ_192.168.83.0_24
subnet 192.168.83.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any log
access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn_pool 192.168.83.200-192.168.83.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic inside-network interface
nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
nat (inside,outside) source static inside-network inside-network destination static datacenter-network datacenter-network no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.83.0_24 NETWORK_OBJ_192.168.83.0_24 destination static datacenter-network pdatacenter-network no-proxy-arp route-lookup
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY 1
crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set vpn-transform-set mode transport
crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set L2L_SET mode transport
crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set
crypto map vpn 1 match address outside_cryptomap
crypto map vpn 1 set pfs
crypto map vpn 1 set peer S1.S1.S1.S1
crypto map vpn 1 set ikev1 transform-set L2L_SET
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp nat-traversal 3600
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
group-policy GroupPolicy_S1.S1.S1.S1 internal
group-policy GroupPolicy_S1.S1.S1.S1 attributes
vpn-tunnel-protocol ikev1
group-policy remote_vpn_policy internal
group-policy remote_vpn_policy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
username artem password 8xs7XK3To4s5WfTvtKAutA== nt-encrypted
username admin password rqiFSVJFung3fvFZ encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool vpn_pool
default-group-policy remote_vpn_policy
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group S1.S1.S1.S1 type ipsec-l2l
tunnel-group S1.S1.S1.S1 general-attributes
default-group-policy GroupPolicy_S1.S1.S1.S1
tunnel-group S1.S1.S1.S1 ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f55f10c19a0848edd2466d08744556eb
: end
Thanks for helping me again. I really appreciate it.
I don't have any NAT-exemptions in Cisco IOS Router. Transform-set I will change soon, but I've tried with tunnel mode and it didn't work.
Maybe NAT-exemptions is the issue. Can you advise me which exemptions should be in Cisco IOS Router?
Because on Cisco ASA I guess I have everything.
Here is show crypto session detail
router(config)#do show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 198.0.183.225 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
Should I see something in crypto isakmp sa?
pp-border#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
Thanks again for your help. -
Administration of ASA5520 and cisco router mpls 1900
Hi
I just want to administer Cisco
ASA5520 and cisco router mpls 1900
Can someone tell me, as admin, what to check regularly as you get into the office on the Cisco ASA 5520 and VPN MPLS router? Right now it's working as configured by the supplier for remote sites to connect to HQ and access several servers.
My interest is to know what the basic day-to-day checkups are on the Cisco ASA5520 working as IPS, the Cisco ASA 5520 working as content filtering, and the Cisco VPN MPLS.
thx, attached pic for your view
J
Hello Malai,
This question is subjective, I mean you can check the statistics on the CSC module for logs of the users going to blacklisted sites.
You can check the CPU for the ASA's and IPS.
You can monitor the amount of traffic traversing the interfaces of the ASA, you can determine which host is using most of the bandwidth, etc.
It's pretty basic administration stuff
Regards,
Julio
Rate all the helpful posts -
IPSec ikev2 between ASA and Cisco Router
Hi,
I try to do IPsec with IKEv2 (SHA2) between ASA and Cisco Router, without success. Can anyone help me?
- Remote site (Router) with dynamic public IP -> Dynamic crypto map on the ASA
- Authentication with certificates
- integrity sha2
I try a lot of configurations without success.
Thanks for your help.
Mic
The more secure ike policy should have the higher priority which is a smaller number. So I would configure there the following way (policy 30 only if really needed):
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28800
crypto ikev1 policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto ikev1 policy 30
authentication pre-share
encryption aes
hash sha
group 2
lifetime 43200
The Cisco VPN Client is EOL and not supported any longer. And yes, by default DH group 2 is used. But that can be configured by a parameter in the PCF-file.
There are two (three) better options:
1) Best option with very little needed configuration:
Move to AnyConnect with TLS. AnyConnect is the actual Cisco client that is also supported with Windows 8.x. The legacy IPsec client isn't.
2) Best option with a little stronger crypto but more configuration:
Move to AnyConnect with IPsec/IKEv2.
3) Move to a third-party client like shrew.net. I haven't used that client for a couple of years, but it's quite flexible and also has a config for a better DH-group.
For option 1) and 2) there is an extra license needed, but that's not very expensive. -
Community,
I just purchased a SG200-50P switch to replace a WS-CE500-24LC, that had a limited amount (4) of PoE ports. I was running Cisco 7940 IP Phone, Cisco AP1231 and AP1100 series access points via PoE off of this switch.
When I attempt to plug in these device types into the SG200-50P they do not power up. What is going on? Why do these devices (7940 IP Phone, 7960 IP Phone, AP1100 series access point, AP1231 series access point) not get PoE from the SG200-50P switch?
Is there a setting to enable these devices to receive PoE from the switch?
Thanks for your help.
Hi
The modern SGx00 series switches accept 802.3af compliant devices.
From a cursory look these devices, they are pre-standard POE. Check the Q&A URL below for answers regarding at least the phones.
But nowhere in the datasheet for the AP1231 can I see that the AP 1231 is 802.3af compliant.
There is a solution within the URL below, which is to choose a switch that can provide both pre-standard and compliant POE.
http://www.cisco.com/en/US/products/hw/phones/ps379/products_qanda_item09186a00808996f3.shtml?referring_site=smartnavRD
regards Dave -
Internal DNS server and NAT routing issue.
Hi -- I am not terribly experienced with DNS and I am running into an issue that I can't seem to resolve. My company.com DNS information is hosted by an outside ISP for email, web, etc... but I have configured an A record there to point to the public IP to my mac os x server (server.company.com).
We have a cisco router configured with one to one NAT from the public IP to the internal IP for our server in a 192.168.15.x subnet. The same router is running DHCP and and NAT on that subnet under a different public IP provided by our ISP.
Our server is running DNS with recursion and has a "company.private" zone set up for internal services and machine names. Thus, the server is accessible via "server.company.com" from the outside and "server.company.private" from the private LAN.
The problem is that I would like to be able to access some services simply via "server.company.com" both inside and outside the private network. Now, accessing the "server.company.com" services from the private lan does not work because the name resolves to the external IP and the external IP cannot be used internally due to NAT.
Is there a way to configure my internal DNS server to respond with the appropriate private address when receiving a query only to "server.company.com" and forward requests on for anything else on "company.com"?
I know that I could manually duplicate all entries for our domain from my ISP and host the same entries for internal clients, but it would be much easier to only have our server handle requests for itself. The server is running OS X Server 10.4.11.
Thanks
Is there a way to configure my internal DNS server to respond with the appropriate private address when receiving a query only to "server.company.com" and forward requests on for anything else on "company.com"?
Ordinarily, no. Once your server thinks it is responsible for a zone (e.g. company.com) then it will answer all queries for that domain and never pass them upstream. Therefore you'd have to replicate all the zone data, including all the public records, and maintain them both.
The one possible exception to this (I haven't tried) is to create a zone for server.company.com that has your internal address. In theory (like I said, I haven't tried this), the server should respond to 'server.company.com' lookups with its own zone data and defer all other lookups (including other company.com names since they're not in a zone it controls). Might be worth trying. -
Cisco Transparent firewall and cisco switch issues.
Dears,
I have a very plain scenario
LAN cisco switch <2 vlans> ----------> cisco transparent firewall with bvi interface ------------> crypto box ---------> cisco router ------ <remote/other site>
i have vlan 61 configured on bvi interface of firewall, crypto box and also on the switch port and vlan of 61 is up up .
The issue is i can connect remotely to cisco transparent firewall but cannot ping or connect to cisco switch. ???????????
Need to know some troubleshooting tips and basic settings that i need to verify. I simply want lan switch with 2 vlans to pass through the cisco transparent firewall and go to other site/remote site.
Well,
i have put the inspection icmp turned on for the sessions , and the version i am using is 9.1
moreover, i have put up the ACLs for inbound and outbound traffic, and while i ping across the firewall from the inside interface towards outside interface PC, i can see packet counts increasing on the acl , during the show access-list command.
i have requested the client to verify his part. do let me know further tips if you have any.
[ moreover we cannot try to use packet-tracer from cli in transparent mode ] -
Not able to telnet or ssh to outside interface of ASA and Cisco Router
Dear All
Please help me with following question, I have set up testing lab, but still not work.
it is Hub and spoke site to site vpn case, connection between hub and spoke is metro-E, so we are using private ip for outside interface at each site.
Hub -- Juniper SRX
Spoke One - Cisco ASA with version 9.1(5)
spoke two - Cisco router with version 12.3
site to site vpn has been successfully established. Customer would like to telnet/ssh to spoke's outside ip from Hub (using Hub's outside interface as source for telnet/ssh), or vice versa. Reason for setting up like this is they want to be able to make configuration changes even when site to site vpn is down. Sounds like an easy job to do, I tried for a long time, searched this forum and google too, but it still does not work.
Now I can successfully telnet/ssh to Hub SRX's outside interface from spoke (ASA has no telnet/ssh client, tested using Cisco router).
Anyone has ever done it before, please help to share your exp. Does Cisco ASA or router even support it?
When I tested it, of course site to site vpn was still up and running.
Thanks
YK
Hello YK,
On this case on the ASA, you should have the following:
Configuring Management Access Over a VPN Tunnel
If your VPN tunnel terminates on one interface, but you want to manage the ASA by accessing a different interface, you can identify that interface as a management-access interface. For example, if you enter the ASA from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface. Management access is available via the following VPN tunnel types: IPsec clients, IPsec LAN-to-LAN, and the AnyConnect SSL VPN client.
To specify an interface as a management-only interface, enter the following command:
hostname(config)# management-access management_interface
where management_interface specifies the name of the management interface you want to access when entering the security appliance from another interface.
You can define only one management-access interface
Also make sure you have the pertinent configuration for SSH, telnet, ASDM and SNMP(if required), for a quick test you can enable on your lab Test:
SSH
- ssh 0 0 outside
- aaa authentication ssh console LOCAL
- Make sure you have a default RSA key, or create a new one either ways, with this command:
*crypto key generate rsa modulus 2048
Telnet
- telnet 0 0 outside
- aaa authentication telnet console LOCAL
Afterwards, if this works you can define the subnets that should be permitted.
On the router:
!--- Step 1: Configure the hostname if you have not previously done so.
hostname Router
!--- aaa new-model causes the local username and password on the router
!--- to be used in the absence of other AAA statements.
aaa new-model
username cisco password 0 cisco
!--- Step 2: Configure the router's DNS domain.
ip domain-name yourdomain.com
!--- Step 3: Generate an SSH key to be used with SSH.
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 3
!--- Step 4: By default the vtys' transport is Telnet. In this case,
!--- Telnet and SSH is supported with transport input all
line vty 0 4
transport input All
*!--- Instead of aaa new-model, the login local command may be used.
no aaa new-model
line vty 0 4
login local
Let me know how it works out!
Please don't forget to Rate and mark as correct the helpful Post!
David Castro,
Regards, -
Will Time Capsule work with a Cisco Router E4200 that is connected to a Worldbook NAS?
I do not need it to serve as a router, only a systematic backup solution for all of our Macs in the network. We use the NAS as a company client File store and share internally to our staff.
The TC can be bridged and plonked into the network with no problems.
Decide how you will treat wireless.. you can handle it several different ways.. but completely off might be best. Or if you are buying a new AC model, then turn off the wireless in the E4200 and see if the TC works better.
Or if you have some ethernet cabling.. place the TC in wireless dark area and set it up in roaming profile.
That means you set the same SSID=Wireless name. Same Security WPA2 AES = WPA2 Personal. Same password. But lock channels on both devices.. make sure each is as far apart as possible.. so for example for 2.4ghz wireless set one to channel 1 and the other to channel 11. For 5ghz similarly set them sufficiently far apart that there can be no overlap. -
OS X 10.6.8 and Cisco Router WRT110
Just upgraded my Macbook Pro to OS X 10.6.8 and am having to reboot my Cisco router continuously to maintain internet connectivity. Is it the 2 year old router?
Make sure your firmware is updated for the router.
-
I have a netgear managed switch and a cisco 1750 router. I would like to set up 2 vlans. the first one is a wan, with a residential cable modem connected to it. the other vlan is for my private lan. I will then have the cisco router connected to one port on the switch set up as a trunk. I'm no pro, but from what I've read so far, it should work that way, right? the part I need help with is setting up the cisco router as a gateway and dns proxy, accepting the dynamic ip, gateway, and dns addresses from the cable modem.
I did see this http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=Getting%20Started%20with%20LANs&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddcef50
router in a stick *write that down* so my setup should work if I can figure out the router configuration. a good online tutorial or something would be helpful for this. I have plenty of cisco books, but maybe something for dummies would help me get started, before digging into the tough stuff.
In order to set up inter vlan routing or a "router on a stick" with a netgear switch you will need a router that supports IEEE 802.1q VLAN Support.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t1/8021q.htm#28767
On the router interface that is "trunked" to the switch you will need to have a configuration that looks like what I have below.
Router(config)#interface FastEthernet0/1.1
Router(config-subif)#encapsulation dot1Q 1 native
Router(config-subif)#ip address 10.xx.xx.16 255.255.255.xxx
Router(config-subif)#interface FastEthernet0/1.2
Router(config-subif)#encapsulation dot1Q 2
Router(config-subif)#ip address 10.xx.xx.130 255.255.255.xxx
The sub-interface 1."2" corresponds to the vlan id on the trunk. In this case the .2 is vlan 2.
I have attached a link that explains the intricate details on inter vlan routing below:
http://www.cisco.com/warp/public/473/50.shtml
Lastly you may want to check the Cisco IOS feature Navigator. I was looking at it and I did not see that the 1750 has IEEE 802.1q VLAN Support. It looks like the 1751 is the first platform in the 1700 series that does. -
Site-Site VPN PIX501 and CISCO Router
Hello Experts,
I'm having a test lab at home, I configure a site-to-site vpn using Cisco PIX501 and CISCO2691 router, for the configurations i just some links on the internet because my background on VPN configuration is not too well, for the routers configuration i follow this link:
www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html
and for the PIX configuration I just use the VPN wizard of pix. Done all the configurations but ping is unsuccessful. Hope you can help me with this, don't know what needs to be done here (Troubleshooting).
Attached here is my router's configuration, topology as well as the pix configuration. Hope you can help me w/ this. Thanks in advance.
YES! IT FINALLY WORKS NOW! Here's the updated running-config
: Saved
PIX Version 7.2(2)
hostname PIX
domain-name aida.com
enable password 2KFQnbNIdI.2KYOU encrypted
names
name 172.21.1.0 network2 description n2
interface Ethernet0
speed 100
duplex full
nameif OUTSIDE
security-level 0
ip address 1.1.1.1 255.255.255.252
interface Ethernet1
nameif INSIDE
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name aida.com
access-list TO_ENCRYPT_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
pager lines 24
mtu OUTSIDE 1500
mtu INSIDE 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (INSIDE) 0 access-list nonat
nat (INSIDE) 1 192.168.1.0 255.255.255.0
route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username mark password MwHKvxGV7kdXuSQG encrypted
http server enable
http 192.168.1.3 255.255.255.255 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map MYMAP 10 match address TO_ENCRYPT_TRAFFIC
crypto map MYMAP 10 set peer 2.2.2.2
crypto map MYMAP 10 set transform-set MYSET
crypto map MYMAP interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
prompt hostname context
Cryptochecksum:8491323562e3f1a86ccd4334cd1d37f6
: end
ROUTER:
R9#sh run
Building configuration...
Current configuration : 3313 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R9
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login default local
aaa authorization config-commands
aaa authorization exec default local
aaa session-id common
resource policy
memory-size iomem 5
ip cef
no ip domain lookup
ip domain name aida.com
ip ssh version 2
crypto pki trustpoint TP-self-signed-998521732
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-998521732
revocation-check none
rsakeypair TP-self-signed-998521732
crypto pki certificate chain TP-self-signed-998521732
A75B9F04 E17B5692 35947CAC 0783AD36 A3894A64 FB6CE1AB 1E3069D3
A818A71C 00D968FE 3AA7463D BA3B4DE8 035033D5 0CA458F3 635005C3 FB543661
9EE305FF 63
quit
username mark privilege 15 secret 5 $1$BTWy$PNE9BFeWm1SiRa/PiO9Ak/
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 1.1.1.1 255.255.255.252
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
crypto map MYMAP 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set MYSET
match address TO_ENCRYPT_TRAFFIC
interface FastEthernet0/0
ip address 2.2.2.2 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map MYMAP
interface FastEthernet0/1
ip address 172.21.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip route 0.0.0.0 0.0.0.0 2.2.2.1
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list NAT_IP interface FastEthernet0/0 overload
ip access-list extended NAT_IP
deny ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 172.21.1.0 0.0.0.255 any
ip access-list extended TO_ENCRYPT_TRAFFIC
permit ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
control-plane
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
transport input ssh
end
-
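The IPsec and management settings in the R9 configuration of the thread above can be reviewed mechanically. This is an added example, not part of the original post: the rule names, reasons and the `audit` function are assumptions made for illustration, and the sample is a constructed excerpt of lines copied from that configuration.

```python
import re

# Constructed sample: lines copied from the R9 router configuration in the
# thread above, unindented exactly as they appear there.
SAMPLE_CONFIG = """\
no service password-encryption
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 1.1.1.1 255.255.255.252
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
interface FastEthernet0/0
ip http server
ip http secure-server
"""

IKE_SUBCOMMANDS = ("encr", "encryption", "authentication", "hash", "group", "lifetime")

# Rules that apply anywhere in the config: (rule id, regex, reason).
GLOBAL_RULES = [
    ("cleartext-secrets", r"^no service password-encryption$", "type 0 passwords stay in clear text"),
    ("psk-in-clear", r"^crypto isakmp key (?!6 )\S+ address ", "pre-shared key is stored unencrypted"),
    ("esp-3des", r"^crypto ipsec transform-set \S+ .*\besp-3des\b", "IPsec transform set uses 3DES"),
    ("http-mgmt", r"^ip http server$", "plain HTTP management server is enabled"),
]
# Rules that only apply inside a "crypto isakmp policy" block.
IKE_RULES = [
    ("ike-3des", r"^encr(yption)? 3des$", "IKE phase 1 uses 3DES"),
    ("ike-dh-group2", r"^group 2$", "Diffie-Hellman group 2 is 1024-bit MODP"),
]

def audit(config_text):
    """Return (line_number, rule_id, reason) tuples, tracking IKE policy context."""
    findings, in_ike_policy = [], False
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("crypto isakmp policy "):
            in_ike_policy = True
            continue
        # The paste has no indentation, so leave the block on the first
        # line that is not a known policy sub-command.
        if in_ike_policy and line.split(" ")[0] not in IKE_SUBCOMMANDS:
            in_ike_policy = False
        rules = GLOBAL_RULES + (IKE_RULES if in_ike_policy else [])
        findings += [(number, rid, why) for rid, pat, why in rules if re.search(pat, line)]
    return findings

if __name__ == "__main__":
    for number, rule_id, reason in audit(SAMPLE_CONFIG):
        print(f"line {number}: [{rule_id}] {reason}")
```

The same rules also match the ASA form of the policy (`encryption 3des`), so both ends of the tunnel can be checked with one pass each.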
Time Capsule and Linksys Router Issues
The internet cable is connected to the WAN port and the Time Capsule is connected to one of the ports of the Linksys router. I can successfully back up my MacPro and use the internet for Mail and Safari.
I want to take advantage of the high speed ethernet performance of Time Capsule. However, I don't know if the Time Capsule is really faster than my Linksys router. Where do I get this information? I suspect the Time Capsule is much faster because I just purchased the Time Capsule. The router is at least 5 years old.
In spite of my concern about the speeds of the Time Capsule and Linksys router, I tried to attach the Time Capsule as recommended by Apple for a "first time set up." It failed. The Time Capsule using the AirPort Utility cannot make a network connection. I reestablished the devices as given in paragraph one. WiFi runs again.
Ethernet speed on your local network is determined by the slowest connected device, which most likely will be the Linksys router or your computer.
-
VLAN problems with SG200-8P and Cisco ASA 5505 (Sec Plus license)
Hi, I've been pulling my hair out trying to get simple vlan trunking working between these devices.
Basically, no clients on VLAN 99 (guest) will receive DHCP ip addresses when plugged into the SG200. I have the SG200<>ASA VLAN trunk configured correctly, as I know it, and I've tried numerous variations (set trunk as general tag/untagged, etc., set the ap port to general tag/untag, etc). Both AP's work properly when connected to the ASA e0/3 port but either will only pull the "inside" VLAN dhcp address when connected to the SG200 switch
VLAN 1 - inside (has separate dhcp scope assigned by ASA)
VLAN 99 - guest (has separate dhcp scope assigned by ASA)
SG200 (port: setting, purpose)
g2: Trunk 1UP,99T. Purpose: Ubiquiti AP (VLAN 1 works, VLAN 99 does not)
g3: Access port 99T. Purpose: VLAN 99 does not work
g8: Trunk 1UP, 99T. Purpose: < Trunk between switch and ASA >
ASA 5505 (Sec Plus license) (interface: setting, purpose)
Int e0/2:
switchport trunk allowed vlan 1,99
switchport trunk native vlan 1
switchport mode trunk
Int e0/3:
switchport trunk allowed vlan 1,99
switchport trunk native vlan 1
switchport mode trunk
Purpose: Second Ubiquiti AP. Both VLAN 1 and VLAN 99 clients work properly
Frustrated - yes. Confused - maybe not as much, but I could have put some more effort into the overall picture.
There are two VLANs (1 - native) and (99 - guest). There is a trunk port between the SG200 and the ASA configured as 1-untagged 99 - tagged.
No clients connected to the SG200 on VLAN 99 are able to access the ASA VLAN 99 using either a static VLAN IP address or DHCP. The problem occurs whether I configure the SG200 with an access port 99-tagged or Trunk port 1UP, 99T or general port 1U, 99UP or any combination thereof.
Anything connected to the SG200 on the native VLAN works properly.
Anything connected to the ASA VLANs (1 or 99) works properly
I have not yet tried to see what the switch is doing with the VLAN tags but I suspect I have some mismatch with the Linksys/Cisco SG200 way of setting up a VLAN and how traditional Cisco switches work.
I was hoping someone with a working SG200 - Cisco ASA setup could share their port/trunk/VLAN settings or perhaps point me in the right direction.
SG200 g2 - trunk port (1UP, 99T) -- Access Point
SG200 g2 - access port (99U)
SG200 g8 - trunk port (1UP, 99T) connected to ASA5505 e0/3
ASA5505 e0/3 (switchport trunk allowed vlan 1,99, switchport trunk native vlan 1, switchport mode trunk)
Thanks,
-
F3507g mobile broadband driver - Windows 7 - and Cisco Vpn issue
Hi All,
After 3 days trying to install / update latest drivers on my X200/ Windows 7 / 32b, it seems now that my F3507g is now installed correctly…
I can get a connection over the internet and ping some servers, BUT when I initiate my Cisco VPN (working perfectly with my Ethernet connection and my WiFi 5300 AGN), the connection is OK but there is no incoming or outgoing traffic!
Any idea on how to solve that issue?
Yes, this is a problem with the IPSEC VPN NDIS driver binding your Mobile Broadband driver. You need to read this article; it explains why and how to work around this issue:
http://www.customsoftwareframeworks.com/blog/fix-vpn-problems-cellular-win7
Good luck