Cisco

24K

Solutions

15K

Contributors

Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).


I am trying to determine the root cause of slow file transfers to the internet from our backup appliance. We are seeing data transfer rates in the 3Mb/sec range, while performing a speed test on the same switch/VLAN/subnet yields a 300Mb/sec throughput.


Looking at the stats on the switch port connected to the appliance it would appear that the output rate (542Kbps) is way below that entering the port (20Mbps). Can anyone explain why the input/output appears to be so different and what might be done (if needed) to speed this up?



MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec
  reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, medium is broadcast
  Port mode is access
  full-duplex, 10 Gb/s
  Beacon is turned off
  Auto-Negotiation is turned on, FEC mode is Auto
  Input flow-control is off, output flow-control is off
  Auto-mdix is turned off
  Switchport monitor is off
  EtherType is 0x8100
  EEE (efficient-ethernet) : n/a
  Last link flapped 6d00h
  Last clearing of "show interface" counters never
  3 interface resets
  30 seconds input rate 20774480 bits/sec, 1810 packets/sec
  30 seconds output rate 538656 bits/sec, 919 packets/sec
  Load-Interval #2: 5 minute (300 seconds)
    input rate 20.78 Mbps, 1.77 Kpps; output rate 542.22 Kbps, 899 pps
  RX
    159749599463 unicast packets  17391 multicast packets  146958 broadcast packets
    159749763812 input packets  95785989605583 bytes
    0 jumbo packets  0 …
0
I have DMVPN with two hubs and an EIGRP relationship to a firewall (as well as to the spokes.)
The problem I am running into is that all of the DMVPN traffic is trying to egress via one of the two VPN hubs, HUB 1, and it's at capacity for passing encrypted traffic.

SPOKE----HUB 1----FW
SPOKE----HUB 2----FW

HUB1 is assigning a metric to the routes it learns from the spokes which is preferable to HUB2.
So that's why the FW is sending all the traffic to HUB1.

HUB1
 redistribute eigrp 300 metric 100000 0 255 1 1500 route-map EIGRP300-TO-EIGRP100

HUB2
 redistribute eigrp 300 metric 100000 10 255 1 1500 route-map EIGRP300-TO-EIGRP100

The firewall and the HUB DMVPN routers speak via EIGRP100. Hub to spokes via 300.

What I want to do is for the firewall to prefer one hub for half of the sites roughly. I could put in some static routes as a quick fix out of the traffic jam. I could remove HUB 1 from half of the spokes and that would make the HUB 2 the best path for half of the spokes. But surely there's a more elegant approach using route maps.

Something to the effect of..

If you match ACL SAVE-MY-DMVPN, you have a better metric than HUB 1. Otherwise you keep the same metric you have now and let HUB 1 keep doing its thing.

???
spiker.png
0
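One way to express that with the existing route-map, as an added example rather than anything from the post. The spoke prefixes in SAVE-MY-DMVPN are assumed, and the example assumes the current EIGRP300-TO-EIGRP100 route-map is a plain permit with no set clauses. One detail changes the shape of the fix: HUB1 already redistributes with a delay of 0 and EIGRP delay cannot go lower, so HUB2 cannot beat HUB1 by a set clause alone. The matched prefixes therefore also have to be demoted on HUB1, which means the route-map is mirrored on both hubs; every unmatched prefix keeps the metric from its redistribute line, exactly as today.

```cisco
! --- HUB2: become the preferred hub for the spokes listed in SAVE-MY-DMVPN ---
ip access-list standard SAVE-MY-DMVPN
 permit 10.50.0.0 0.0.255.255        ! assumed spoke LAN prefixes; replace with the real ones
 permit 10.51.0.0 0.0.255.255
!
route-map EIGRP300-TO-EIGRP100 permit 10
 match ip address SAVE-MY-DMVPN
 set metric 100000 0 255 1 1500      ! delay 0: what HUB1 advertises for everything today
!
route-map EIGRP300-TO-EIGRP100 permit 20
 ! no set clause: every other spoke keeps the metric from the redistribute line below
!
router eigrp 100
 redistribute eigrp 300 metric 100000 10 255 1 1500 route-map EIGRP300-TO-EIGRP100
!
! --- HUB1: demote the same prefixes so HUB2 wins for them, nothing else changes ---
ip access-list standard SAVE-MY-DMVPN
 permit 10.50.0.0 0.0.255.255
 permit 10.51.0.0 0.0.255.255
!
route-map EIGRP300-TO-EIGRP100 permit 10
 match ip address SAVE-MY-DMVPN
 set metric 100000 10 255 1 1500     ! delay 10: what HUB2 advertises for everything today
!
route-map EIGRP300-TO-EIGRP100 permit 20
!
router eigrp 100
 redistribute eigrp 300 metric 100000 0 255 1 1500 route-map EIGRP300-TO-EIGRP100
```

Sequence 20 must stay: a route-map with no matching permit sequence denies, so dropping it would stop redistributing the unmatched spokes altogether. The set-clause metric overrides the one on the redistribute line only for prefixes the ACL matches. Verify from the firewall with `show eigrp topology <spoke prefix>` (on an IOS device, `show ip eigrp topology <prefix>`): both hubs should be listed and the one now advertising the lower delay should be the successor. The composite metric also includes the delay of the hub-to-firewall links, so if those two links are not configured identically, the offset of 10 may need to be larger.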
I am trying to get RADIUS set up on this new switch, doing the same thing I do for every switch. I get prompted to accept the key, get the RADIUS login and message, but the password is not working. Confirmed the secrets match with the server. I even have another 3548 I've copied exactly. Not sure what I could have missed. Attached is the config for another set of eyes.
0
When you are running iSCSI, is TCP sliding window an important consideration? The situation is a Cisco UCS fabric interconnect to a Nexus 5k switch. The switch frequently drops packets inbound from the UCS and this appears to be an issue with iSCSI frames from the UCS being 1514 bytes while the interface MTU on the Nexus is 1500 and jumbo framing is not enabled. I don't know why the vast majority of frames make it through yet a significant number (in the millions) are dropped.
The port channel spikes up to about 10Gbps and most of that will be iSCSI. So the connection from initiator to target works for the most part. I've planned to enable jumbo frames as recommended by Cisco so that the 1514-byte iSCSI frames will be better processed and not dropped.

But my question is this: With iSCSI, are TCP conversations lengthy or very brief? To what degree would some dropped frames (.003%) in-path cause an issue for iSCSI TCP conversation? Or would this percentage just be noise that TCP connection orientedness should just deal with?
0
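Two points a practitioner would check before and after the change described above. First, 1514 bytes on the wire is a 1500-byte IP packet plus the 14-byte Ethernet header, so frames of that size already fit a 1500-byte MTU interface; it is worth correlating the drops with the oversize/jumbo counters on the port before attributing them to MTU. Second, iSCSI sessions are long-lived TCP connections, so a small loss rate is not fatal to the session, but every lost segment costs a retransmission and a congestion-window cut, which shows up as throughput dips on a link that runs near 10Gbps. On a Nexus 5000 the MTU is set per QoS class rather than per interface; the fragment below is an added example (policy name assumed), not the poster's configuration, and it has to be matched by the MTU on the UCS QoS system class and vNICs or the UCS side will still emit frames the fabric cannot carry.

```cisco
! Nexus 5000: jumbo MTU is a property of the network-qos policy, not of the interface
policy-map type network-qos JUMBO          ! policy name assumed
 class type network-qos class-default
  mtu 9216
!
system qos
 service-policy type network-qos JUMBO
!
! Before/after checks on the port-channel members facing the fabric interconnect:
! show queuing interface ethernet 1/1        -- effective MTU per class
! show interface ethernet 1/1 | include MTU|jumbo|discard|drop
! show interface port-channel 1 counters errors
```

After the change, confirm the UCS-side QoS system class for the iSCSI vNICs carries the same MTU (9216 at the class, 9000 on the vNIC) and that the storage target accepts jumbo frames end to end; a mismatched MTU anywhere in the path replaces a few drops with silent path-MTU black-holing for the iSCSI session.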
Hey all,

So I was asked to do something out of my realm and was wondering if someone could easily explain this to me. Later I will be moving an access point from one location in someone's office to another location. It's basically unplugging it from one patch panel and installing it in another; however, the trick is I need to move the configuration on the switch port to the new jack. This is a Cisco PoE switch. Can someone tell me, once I SSH/Telnet into the switch, how to move the port configuration and then save it? The new patch panel port would be A30. I don't know what the current patch number is, but I have never done this before and do not want to mess anything up. As always, help is appreciated.
0
Is there any way to apply a feature license to a Cisco 1100 via a serial terminal? The instructions suggest you should use TFTP to get the .lic file to flash. I'd rather just enter a code and finish configuration with the full crypto set.
0
what's metadata.svc?

Hi there, I'm running a file report on Cisco Firepower services and I'm noticing a lot of metadata.svc between hosts. Is this something I should explore further?

thanks.
0
I'm running UCS 4.04 and I am not seeing in the GUI where the port channels connecting upstream to the LAN are associated with VLANs. If I SSH to UCS I can see that the new VLANs I added on the server NICs appear to be (automagically?) appearing on the port channel to the network. But if I go into LAN Uplinks Manager/VLANs/VLAN Manager I am expecting to see the port channels underneath the VLANs with which they are associated. That is not the case. From the nxos CLI, note the VLANs and their association with the uplinks. Perhaps it's the case that if you don't specifically assign a VLAN to an uplink, all VLANs are automatically permitted on those uplinks?

Partial config from connect nxos:

vlan configuration 1,9-11,20,30,32
vlan 1,9-11,20,30,32


interface port-channel2
  description U: Uplink
  switchport mode trunk
  pinning border
  switchport trunk allowed vlan 1,9-11,20,30,32
  speed 10000
 
interface Ethernet1/1
  description U: Uplink
  pinning border
  switchport mode trunk
  switchport trunk allowed vlan 1,9-11,20,30,32
  udld disable
  channel-group 2 mode active
  no shutdown

interface Ethernet1/2
  description U: Uplink
  pinning border
  switchport mode trunk
  switchport trunk allowed vlan 1,9-11,20,30,32
  udld disable
  channel-group 2 mode active
  no shutdown

interface Ethernet1/3
  description U: Uplink
  pinning border
  switchport mode trunk
  switchport trunk allowed vlan 1,9-11,20,30,32
  udld disable
  …
0
I have been trying to get a Grandstream HT814 to communicate with Sonetel. It works fine when connected directly to the DSL line, but as soon as I put it behind the firewall it stops. It cannot make calls, when receiving a call it will ring, but with no sound.

I have tried with the SIP inspection on and off (in the config below it is disabled)

Cisco Config:

Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(4)12
!

names
no mac-address auto

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
 no pim
 no igmp
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address xxxxx
 no pim
 no igmp
!
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 8.8.8.8
 domain-name xxxxxxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

access-list outside_access_in extended permit ip any host xxx
access-list inside_access_in extended permit ip any any

access-list global_mpc extended permit ip host xxx any inactive

pager lines 24
logging enable
logging asdm debugging

mtu outside 1500
mtu inside 1500
mtu Proxy 1500

arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384

nat (any,outside) source dynamic any interface

timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout …
0
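An added example of one deterministic way to carry the ATA's SIP registration through this ASA's PAT; it is not part of the posted configuration. It assumes the HT814 sits at 192.168.1.50 on inside and signals from UDP 5060 (both assumed), and that with inspection off the provider uses symmetric RTP, i.e. sends media back to whatever source address and port the ATA's own RTP arrived from. Two details of the posted config shape it: `nat (any,outside) source dynamic any interface` is a section-1 (manual) rule, so a static entry for the ATA has to be inserted ahead of it in section 1 rather than added as object NAT, and in manual NAT the service objects name the source port.

```cisco
object network ATA-HT814
 host 192.168.1.50                          ! assumed ATA address
!
object service SIP-UDP
 service udp source eq 5060                 ! manual NAT: real and mapped *source* port
!
! Line 1 so it is evaluated before the posted dynamic 'any -> interface' rule
nat (inside,outside) 1 source static ATA-HT814 interface service SIP-UDP SIP-UDP
!
! Inbound INVITEs from the provider; ASA 8.3+ ACLs reference the real (untranslated) address.
! Tighten 'any' to the provider's signalling addresses if they are published.
access-list outside_access_in extended permit udp any object ATA-HT814 eq 5060
access-group outside_access_in in interface outside
!
! Make the 'SIP inspection off' state explicit so nothing rewrites SDP addresses
policy-map global_policy
 class inspection_default
  no inspect sip
```

With inspection off the SDP still carries 192.168.1.50, so audio depends entirely on the provider's symmetric RTP, and the posted `timeout udp 0:02:00` is only adequate if the ATA re-registers or sends NAT keep-alives more often than that. Check with `show xlate` (the 5060 entry should be static), `show conn address 192.168.1.50` during a call (one UDP conn for signalling, one per RTP stream, each with recent traffic in both directions) and `show service-policy inspect sip`, which should list nothing.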
I'm in a new gig and I want to understand what happens if a site's Internet link goes down what takes over for their default route.
The routing protocol is EIGRP.

{DATA CENTER}-----WAN EIGRP-----{OFFICE}-----LAN EIGRP----[Cisco ASA]-----{INTERWEBS}

So the switches in the OFFICE are learning their path to the Internet from the Cisco ASA which advertises
a default route inward via EIGRP. The ASA learned it has the default via OSPF from an edge router
outside of it. My guess is that the DATA CENTER's default route would propagate over the WAN to
the OFFICE in the event the Cisco ASA stopped advertising the default route inward.

How could I find out the behavior of the lost default route without causing an outage?

Thank you.
0
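A non-disruptive way to find out, as an added example rather than anything from the post (the device names are assumed). EIGRP keeps every path it has been offered for 0.0.0.0/0 in its topology table, not only the installed successor, so an OFFICE switch can show whether a second candidate exists and whether it meets the feasibility condition, and the DC edge can show whether it advertises a default at all, without anything being shut down.

```cisco
! OFFICE core switch (name assumed). The per-prefix view lists every neighbour that
! offered 0.0.0.0/0, successor or not, each with its (feasible distance/reported distance) pair.
OFFICE-CORE# show ip eigrp topology 0.0.0.0/0
!
! A path whose reported distance is not below the current feasible distance is not a
! feasible successor; all-links lists those too. If the ASA's is the only entry, nothing
! is waiting to take over and the office loses its default when the ASA withdraws it.
OFFICE-CORE# show ip eigrp topology all-links
!
! Is the data centre actually advertising a default into the WAN?
DC-EDGE# show ip eigrp topology 0.0.0.0/0
DC-EDGE# show ip protocols                 ! redistribution / default-information settings
!
! And what the ASA injects, and where it learns it from
ASA# show route                            ! the O* / S* default line
ASA# show ospf neighbor
ASA# show running-config router eigrp
```

If the DC default is in the table but is not a feasible successor, the ASA going quiet triggers a query/reply cycle before the DC path is installed; that is a reconvergence delay bounded by the hold timers in `show ip eigrp neighbors`, not a loss of the route. If the DC default is absent from the table entirely, the question is answered: nothing takes over.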
I have a SG200-26P that needs a firmware upgrade from Firmware Version (Active Image):
1.3.5.58.
 Each time I attempt to upgrade I get the following error message......

Bytes Transferred:
7011840
Status:
Copy failed
Error Message:
Copy: SW code file is over sized
0
We have a couple of users whose AD accounts get locked out each time they log in to the VPN (Server 2012 R2).
So they're able to log in, but their AD accounts do lock out after that.
If we reset their accounts, after a few minutes their AD accounts lock out again.
They are using Cisco VPN.
Anyone have any idea why it keeps locking out their AD accounts when logging into the VPN?
If they don't log in to the VPN, their AD accounts never lock.
0
Hi,

I have a problem on a Cisco C892. The moment I apply the ACL-IN ACL on the external Dialer0 interface, I lose connectivity from the LAN to the internet (ping, DNS, HTTP, everything), which is unwanted, while I still have RDP access from the internet 2.2.2.0 network to the internal server at 192.168.1.37.
From LAN to INET I want to block just SMTP except from mail server.
From external network 2.2.2.0/24 I want to allow access to everything.
From other internet addresses I want to allow only what is specified in ACL-IN access list.
1.1.1.1 is my fixed public IP address I get on Dialer0 interface with pppoe connection.
(I have been told that the customer has another 4 public IP addresses which are routed by the ISP over the 1.1.1.1 address, but they are not in use, if relevant.)
Any ideas would be more than welcome.

Here is a relevant part of router configuration:

ip cef
ip domain name domain.local
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect log drop-pkt
ip inspect name WALL tcp
ip inspect name WALL udp
ip inspect name WALL tftp
ip inspect name WALL ftp
ip inspect name WALL realaudio
ip inspect name WALL icmp
ip inspect name WALL rtsp
ip inspect name WALL http
ip inspect name WALL https
ip inspect name WALL ssh
ip inspect name WALL sip
ip inspect name WALL h323
no ipv6 cef
!
interface FastEthernet8
 description ***INTERNET PPPoE***
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 load-interval 30
 duplex …
0
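The behaviour described above is what an inbound ACL on Dialer0 does when nothing opens the return path: the implicit deny at the end of ACL-IN drops the replies to every LAN-initiated session, while 2.2.2.0/24 keeps working only because it is explicitly permitted. On a CBAC router the usual fix is to let the inspect rule (WALL, already defined in the posted config) punch the return holes and keep ACL-IN for inbound policy only, with the SMTP restriction on the LAN-facing interface. Below is an added example, not the poster's configuration: the LAN network 192.168.1.0/24 on Vlan1 and the mail server address 192.168.1.10 are assumed, while 1.1.1.1, 2.2.2.0/24 and 192.168.1.37 come from the post.

```cisco
! Inbound policy on the PPPoE side. The inbound ACL sees pre-NAT addresses,
! so the public 1.1.1.1 is the destination here, not 192.168.1.37.
ip access-list extended ACL-IN
 remark trusted external network: everything
 permit ip 2.2.2.0 0.0.0.255 any
 remark anything the rest of the Internet may reach goes here, e.g. published services on 1.1.1.1
 deny   ip any any log
!
! Outbound policy from the LAN: SMTP only from the mail server, everything else allowed
ip access-list extended LAN-OUT
 permit tcp host 192.168.1.10 any eq smtp       ! assumed mail server
 deny   tcp 192.168.1.0 0.0.0.255 any eq smtp log
 permit ip 192.168.1.0 0.0.0.255 any
!
interface Vlan1
 description LAN (assumed)
 ip access-group LAN-OUT in
!
interface Dialer0
 ip access-group ACL-IN in
 ip inspect WALL out          ! CBAC opens the return path for LAN-initiated sessions
!
! Verification: dynamic sessions opened by the inspect rule, then ACL hit counters
! show ip inspect sessions
! show ip access-lists ACL-IN
! show ip access-lists LAN-OUT
```

The `WALL` rule already inspects tcp, udp and icmp generically, so DNS, ping and web traffic from the LAN are covered without per-protocol entries. The `log` keyword on the two deny lines is what tells you, from `show logging`, which inbound connection the ACL is rejecting if something else stops working after the change.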
Hey everyone - I am trying to get my router up and running and having a slight issue getting it to connect to the internet (to the ISP). My basic idea is connecting G0/0 going out to the ISP (WAN), G0/1 to my server. I know I'm missing something. I've included my running config.
Any help would be appreciated!!

Current configuration : 1735 bytes
!
! Last configuration change at 16:01:56 GMT Tue Jan 21 2020 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Core_Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
clock timezone GMT -8 0
!
dot11 syslog
ip source-route
!
!
ip cef
!
ip dhcp excluded-address 10.24.1.1 10.24.1.10
!
ip dhcp pool core
 import all
 network 10.24.1.0 255.255.255.0
!
!
ip domain name xxxx.net
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2821 sn FTX1311A0C3
username admin privilege 15
!
redundancy
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 description PrimaryWANDesc_
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 10.24.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
 no ip address
!
interface …
0
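In the posted config G0/1 is marked `ip nat outside` and there is no `ip nat inside source` statement, so nothing from 10.24.1.0/24 is translated when it leaves G0/0; the DHCP pool also hands out no default gateway. An added example of how the NAT-to-ISP side normally looks, not the poster's running config; it assumes the ISP supplies a default route with the DHCP lease on G0/0 and that 10.24.1.0/24 is the only inside network.

```cisco
interface GigabitEthernet0/0
 description WAN to ISP
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1
 description LAN
 ip address 10.24.1.1 255.255.255.0
 ip nat inside                 ! the posted config has 'ip nat outside' here
 ip virtual-reassembly in
!
ip access-list standard NAT-INSIDE
 permit 10.24.1.0 0.0.0.255
!
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
!
ip dhcp excluded-address 10.24.1.1 10.24.1.10
ip dhcp pool core
 import all                    ! DNS and domain learned from the ISP lease
 network 10.24.1.0 255.255.255.0
 default-router 10.24.1.1      ! missing in the posted pool: clients had no gateway
!
! Verification
! show dhcp lease                      -- did G0/0 get an address and a gateway from the ISP?
! show ip route 0.0.0.0 0.0.0.0        -- is the default route installed?
! show ip nat translations             -- are inside hosts being translated?
```

If `show ip route` shows no default after the lease is up, the ISP is not sending the router option and a `ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp` line installs one from the lease instead. Unrelated to reachability but worth doing in the same session: with `no service password-encryption` in effect, make sure `username admin privilege 15` carries a `secret`, since the line as posted shows none.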
I want to connect a fresh Meraki switch to a Cisco ISR. By default the ports on the Meraki are native VLAN 1 and type Trunk. If I make the native VLAN 10 on the ISR's port attaching to the Meraki switch that would create a native VLAN mismatch, but still the two devices should be able to talk to each other (assuming I have a DHCP scope on the ISR for VLAN 10).

If I have an ISR (say 4331) configured with inside trunked interface as follows:

Hostname(config)#interface FastEthernet0/1
Hostname(config-if)#no ip address

Hostname(config-if)#no shutdown

Hostname(config)#interface FastEthernet0/1.1
Hostname(config-if)#encapsulation dot1Q 1 native
Hostname(config-if)#ip address 10.10.100.1 255.255.255.0


Hostname(config-if)#interface FastEthernet0/1.2
Hostname(config-if)#encapsulation dot1Q 2
Hostname(config-if)#ip address 10.10.200.1 255.255.255.0

ip dhcp pool MGT
 network 10.10.100.0 255.255.255.0
 default-router 10.10.100.1
 domain-name acmefoo.com
 dns-server 8.8.8.8 4.2.2.2
!
ip dhcp pool DATA
 network 10.10.200.0 255.255.255.0
 default-router 10.10.200.1
 domain-name acmefoo.com
 dns-server  8.8.8.8

The meraki should pick up an address from DHCP for VLAN 10 10.10.100.0 owing
to the fact that those frames would be untagged despite the fact that the default
native vlan on the Meraki is on. Correct?
0
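A version of that router-on-a-stick setup with native VLAN 10 on the router side, as an added example and not the poster's config (the ISR 4331 LAN port is assumed to be GigabitEthernet0/0/1, and VLAN 20 is an assumed data VLAN). Each side treats untagged frames as its own native VLAN, so a Meraki still on native VLAN 1 sends its management traffic untagged, the router places it in VLAN 10 and answers from the MGT pool, as the post expects. What stops working is anything the Meraki sends tagged as VLAN 1, for which no subinterface exists, and the router logs a native VLAN mismatch whenever it hears the Meraki's CDP, until the Meraki port's native VLAN is set to 10 as well.

```cisco
interface GigabitEthernet0/0/1
 description trunk to Meraki MS (port name assumed)
 no ip address
 no shutdown
!
interface GigabitEthernet0/0/1.10
 description MGT, native: untagged frames from the Meraki land here
 encapsulation dot1Q 10 native
 ip address 10.10.100.1 255.255.255.0
!
interface GigabitEthernet0/0/1.20
 description DATA (VLAN id assumed)
 encapsulation dot1Q 20
 ip address 10.10.200.1 255.255.255.0
!
ip dhcp excluded-address 10.10.100.1 10.10.100.10
ip dhcp pool MGT
 network 10.10.100.0 255.255.255.0
 default-router 10.10.100.1
 domain-name acmefoo.com
 dns-server 8.8.8.8 4.2.2.2
!
ip dhcp excluded-address 10.10.200.1 10.10.200.10
ip dhcp pool DATA
 network 10.10.200.0 255.255.255.0
 default-router 10.10.200.1
 domain-name acmefoo.com
 dns-server 8.8.8.8
!
! Which pool answered the Meraki, and whether the trunk is seeing tagged frames at all
! show ip dhcp binding
! show vlans
```

`show vlans` breaks traffic down per dot1Q subinterface, so a Meraki that is reachable only through the `.10` counters while the `.20` counters stay at zero tells you the uplink is carrying untagged management traffic only, not the data VLAN.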
So I'm at this new gig and they have a 1Gbps Internet feed. If I plug in a work-built laptop (HP, Win 10) I am seeing like 12Mbps down and 20Mbps. But if I get a fresh laptop that has not been built out I am seeing about 100Mbps down and as much as 400, even 600Mbps up. This is on the very same 1Gbps network port on a Cisco enterprise switch, the WS-4510R-E. No errors seen at those ports. They run Trend Micro on their standard issue. Could that slow down speed tests that much? I'm testing against the AT&T speed test but have tried a bunch of others and they all tell essentially the same story. There are also VMware Horizon drivers on there and some others. Any thoughts on how to track down what's the party pooper for the network speeds?
0
(Attached images: No NIC Teaming, NIC Teamed)

Hi,
 
 In the past, whenever I set up a new server that came with 2 network adapter cards, I used to disable one (of two NICs) and assigned static IP address to first NIC (192.168.1.1) and add Hyper-V role which creates virtual network card like "vEthernet Intel ... Virtual Switch" and I use this adapter under Network Settings in Virtual Machines.

 This time I'd like to try NIC teaming on this server. I read some articles and watched some YouTube videos about NIC teaming. Having said that, there is only one Cisco network switch and there is no plan to purchase a second network switch for the purpose of NIC teaming.
 
 On this server, I have not added HyperV role yet because I was not sure whether it would be beneficial and what options I need to choose such as Teaming mode (Static Teaming/Switch Independent /LACP), Load Balancing Mode (Address Hash/Hyper-V Port) and Standby Adapter(None/NIC1/NIC2).
 
 There are 12 Windows 10 workstation computers on the network, 1 network switch. There will be two Virtual Machines - Domain Controller and Application Server/SQL server.

 (1) Is it worth creating NIC Teaming even though there is only one network switch?
 (2) If yes, What options do I need to choose in - Teaming mode, Load Balancing Mode and Standby Adapter
 (3) Are there potential pitfalls?
 (4) If I set up virtual machines based on Teamed vEthernet virtual switch and later go back to single NIC method, how easy is it?
0
Hello, I have a question about Cisco's Identity Services Engine. I have a Cisco phone that is being denied network access.

Endpoint Profile
Cisco-Device

Authentication Failure Reason
15039 Rejected per authorization profile

Authentication Policy
Internal Endpoints

Authorization Policy
Default

Authentication Protocol
Lookup

Would you please let me know how I can grant network access to this device?
0
How do I gracefully shut down a UCS chassis in preparation to move it to another data center where it will be redeployed into another UCS?
0
I have a meraki MS225 attached to a Cisco 2900 router configured for NAT. I can see the Meraki has a private IP and I can ping it locally and over VPN. I see NAT translations from it. But it fails to register to Meraki cloud. Any thoughts?

I also notice that sho cdp nei is failing to show it. But I can see the arp entries.
0
I have 3 cisco routers with gateway to gateway vpns setup. Location 2 can ping the local domain (mydomain.local which resides at Main Location1) and everything works just fine. Users can connect to the domain perfectly.

Location 3 cannot ping mydomain.local or the netbios name of the server at MainLocation1. I can ping the ip address of the server at MainLocation1.

MainLocation 1 (Where the server resides)
Location 2 (satellite office)
Location 3 (satellite office).

On the workstation at Location 3 I manually assigned dns 1 to the server's ip.

Other details: All of the routers are the same. Any help I can get would be much appreciated!
1
Can you see the light directly from an HBA card that's connected to a transceiver (looking through the transceiver at the back of the server's HBA), or do you need an FC cable connected to be able to see the light on the end of the cable?
0
I've been converting a number of network sites from the use of wooden shelving to 19-inch rackmount.
I understand the rackmount post-mounting standards but didn't realize the wide variety of equipment manufacturer mounting bracket designs.
Also, I've done considerable web searches and don't find details for such seemingly mundane things.
To keep it simple enough here, I'm interested in L-brackets or "ears" that attach to the front corners of "19-inch" full-width devices: switches, routers, firewalls, etc.

Generally, the brackets are attached to the device with small flathead screws.
The simple question of "what size are those screws?" seems to be hard to determine.
Cisco
Netgear
Juniper Networks
I can imagine that there is variation in screw size within companies' product lines.  Is that a common situation?
What sizes?

Right now, I need a set of mounting brackets and screws for a Juniper Networks SRX340.  
Where can these be purchased?
0
refer to attached.

What does "20/30 sec" under "cp attack" mean?
I was googling various Aruba docs but can't locate any documentation on this.

I'd appreciate it if you can point me to the documentation/link and indicate the page, as I need to explain this to Audit.
Aruba_cpAttack.png
0
Which model of Meraki SD-WAN (MX, I think) device best suits the data center in a dual-hub-and-spoke topology? The MX84 I believe would work fine in the remote office. Thank you.
0
