Cisco

23K

Solutions

14K

Contributors

Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).


Can someone explain to me, at a high level, the Cisco licensing differences? I understand there are lanbase, ipbase, and ip services.
For some reason Cisco sold me core switches 3850 with lanbase, but access switches with ip base licensing. Not a production impact but Cisco TAC raised a concern.
I need to buy more access switches.  What licenses should I get for those?  And is there a pricing difference?

Thanks in advance.
0

ASA Can ping between subnets, but not pass IP traffic (access rules in place)

I have tried getting my ASA to route traffic between subnets. I got it working for 10 minutes, but after some changes (unfortunately not an ASA expert) I have broken something.

One example is 192.168.35.0/24 and 192.168.42.0/24 pings OK but IP traffic does not flow, not sure what was changed so appreciate review of the config.

I have the following interfaces and objects attached Interface-Objects.txt

For debugging I have opened up the rules and applied rules to allow any traffic from user VLAN 35 to any other network, and vice versa to allow any traffic from VLAN 42 to any other.

I am able to ping from 192.168.35.3 to 192.168.42.5, but I cannot send any actual IP traffic. I have allowed IP traffic and am sure that inter-subnet traffic is not being NATed. Any ideas, please, what the issue could be?

Remaining relevant config Config.txt, thanks in advance.

Packet tracer reports OK from users to voice Packet-tracer-reports-OK-from-users-.txt

Voice to users Voice-to-users.txt

I hope that will help me resolve the issue. It is ASA v9.8 on an ASA 5506.

Routes are fine on IP Office, it can ping the ASA on 192.168.42.1, it has internet access, but cannot do anything intervlan.

Switch on 172.16.35.249 can ping 192.168.42.5, but not vice versa…. there are some serious issues going on but to be honest refuse this can be so hard as checking the logs can see errors regarding “no matching session” …
0
I have one switch that is giving me a problem: randomly, once or twice a week, the trunk port just shuts down. I noticed all the ports have lights on them, except the trunk port.
I have restarted the switch and the port still doesn't come up.  If I unplug the cable and plug it into another port, then plug it back into the trunk port, then it comes back up.

I reviewed the config and as far as I can see, it's all the same except one switch is using the: spanning-tree portfast default  command.
I wonder if I should even be using that command, as I noticed some switches have the command and some do not.  
Besides that, the config is the same, so I wonder what is causing port 28 on switch .38 to shut down. Port 28 on switch .38 is connected on port 50 switch .39.

I have attached the configs; if anyone has any ideas, I'm all open to hear them.
crack.txt
whub.txt
0
Can't access GUI on Cisco 2960S. Any ideas?

This is what I get when I try to use the GUI.
VoIPSwitch#sh flash

Directory of flash:/

    2  -rwx    10893632   Jan 1 1970 00:01:22 +00:00  c2960s-universalk9-mz.122-55.SE2.bin
    3  -rwx         676   Mar 1 1993 00:42:04 +00:00  vlan.dat
    4  drwx         512   Mar 1 1993 00:03:02 +00:00  online_diag
    5  -rwx        3096   Mar 1 1993 00:18:29 +00:00  multiple-fs
    6  -rwx        1915   Mar 1 1993 00:18:29 +00:00  private-config.text
    8  -rwx        7582   Mar 1 1993 00:18:29 +00:00  config.text


System image file is "flash:/c2960s-universalk9-mz.122-55.SE2.bin"



cisco WS-C2960S-48LPS-L



Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 52    WS-C2960S-48LPS-L  12.2(55)SE2           C2960S-UNIVERSALK9-M


Configuration register is 0xF

VoIPSwitch#
Here is the running config
VoIPSwitch#sh run
Building configuration...

Current configuration : 7582 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname VoIPSwitch
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$7zA0
enable password 7 0000GqN8z/tU
!
username admin password 7 104359121112104359121112104359121112104359121112

!
no aaa new-model
switch 1 provision ws-c2960s-48lps-l
!
!
no ip …
0
On a Cisco Nexus 3172 chassis - if I enable flow control in and then out on an existing up/up port, will there be
an interruption in traffic flowing over the port? Generally these ports are part of an Etherchannel group. TY
0
I am researching and testing migrating to SNMPv3 from SNMPv2c on Cisco networking equipment. We are a small company (Approx. 30 routers and switches) and we monitor the network using SolarWinds NPM and have had no problems getting event notifications when gear bounces or monitored interfaces bounce.  Based on that alone I am thinking that what we have configured generates adequate information/notifications so that all that has to be done to migrate is peel off the SNMPv2c config and add SNMPv3 config.

My question is twofold. Is my train of thought accurate? Secondly, if I specify OID(s) and/or specific traps to be generated, will the only notifications we receive be the ones specified?



Current SNMPv2c config:
snmp-server community xxxxx RW
snmp-server location yyyyy
snmp-server contact zzzzz@iii.com
snmp-server chassis-id somerouter
snmp-server host x.x.x.x version 2c xxxxx


Proposed Config:
snmp-server group xxx v3 priv
snmp-server user someuser xxx v3 auth sha ooooo priv des ppppp
snmp-server location xyxyxyxyx
snmp-server contact zzzzz@iii.com
snmp-server chassis-id xxxxx
snmp-server host x.x.x.x version 3 priv xtrewq
0
Hello,

I have a Cisco 4500 as my core switch. I am not running ip routing, but rather have default-gateway setup. I have multiple VLANs and am routing them all to the Cisco ASA firewall. The VLANs are fed to the respective ASA interfaces as DMZs.

The DMZ servers have had to put in their respective DMZ's ASA IP as the default gateway for internet access. If they change it to their 4500's IP, which it should be, they lose internet access.

Please help.

Thank you.
0
I have a couple of Cisco 3650s in a stack that act as my core switching in the datacenter. They do both L2/L3 for remote locations connected by a muni ring fiber deployment. We also have several IDFs in the same building, but due to all the SFP slots in the core stack being populated, there isn't any room to run 10gb uplinks back to the core stack from all the other 3650s in the IDFs. There also aren't enough available ports to do port channel back to the 3650, so what I was thinking was adding something else to the core stack that would accommodate the additional 8-10 SFPs we would need. Looking for recommendations. Obviously I don't need another 48 port switch; I was wondering if there was something specialized that could stack with the 3650s that could give me the additional capacity?
0
We have a Cisco M4 UCS server configured with email alerts through the CIMC console and it works perfectly. We just bought 4 UCS M5 servers and put the management on the same VLAN, and everything is a mirror of the M4, but we can't seem to get the alerts to work via email for anything. We just configured a new NetApp SAN as well and have the same issue with email alerts not working.

The odd thing is that all management ports are on the same VLAN and only the M4 server works. We thought possibly a firmware issue, but since the NetApp has the same issue, it's not a firmware issue with the M5s.

We are running Exchange 2013 on premise.

Any suggestions?
0
Has anyone got Cisco Packet Tracer, ver 7.1.1, to work setting up an IKEv1 site-to-site VPN tunnel using 2 Cisco ASA 5505s with the default IOS of 8.4(2)? If so, I sure would like to see a sample config.
The debug command is not built into the ASA for 7.1.1, which makes it tougher to correct the issue.
The 2 firewalls are pingable to each other on the outside, but there are no SAs even when I try to ping the inside of either host.

Here is my sample with the other ASA being mirrored other than IP's and reversed access lists.
PA-ASA#show run
: Saved
:
ASA Version 8.4(2)
!
hostname PA-ASA
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 96.93.17.170 255.255.255.240
!
object network MD_Network
 subnet 10.0.2.0 255.255.255.0
object network PA_Network
 subnet 10.0.0.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 96.93.17.169 1
!
access-list MD_Traffic extended permit tcp object PA_Network object MD_Network
access-list MD_Traffic extended permit icmp object PA_Network object MD_Network
access-list Enterprise_Traffic extended permit tcp object MD_Network object PA_Network
access-list Enterprise_Traffic extended permit …
0

Hello,

I have a Cisco ASA 5510 Version 9.1(7)9 with multiple tunnels, (2) of which have duplicate hosts. These 2 tunnels are completely separate no communication between the two. The Chicago tunnel was just added and appears to be having issues with 105.180.90.16 passing traffic.

Can I have duplicate hosts like this? dev1 and Chicago-local share a local IP too 192.168.68.58

nat (INSIDE,OUTSIDE) source static dev1 dev1-Global destination static kansas kansas

object-group network kansas
network-object 105.180.90.16 255.255.255.255

object-group network Chicago-remote
network-object 105.180.90.16 255.255.255.255

nat (INSIDE,OUTSIDE) source static Chicago-local Chicago-local destination static Chicago-remote Chicago-remote no-proxy-arp route-lookup
0
Active backup
I have two Cisco 2960 switches and two Linux servers. I would like to configure bonding on the Linux servers with eth0 connected to switch 1 and eth1 connected to switch 2 so I can afford to have one switch fail. How do I make that configuration on the Cisco switches?
I know I have to configure spanning tree on the switches, but making sure one switch becomes active only when the other fails is what I want to configure.
0
I have a Cisco ASA 5505 configured to send netflow to a flow collector.  I need to disable all firewalling on the ASA so it just routes (no NAT).  This is for a lab deployment to measure flows through the firewall, but not block any traffic.

I don't know how to configure the firewall to accomplish this (I want to use the 5505 and not some other device due to its supporting Netflow v9, and it's freely available in the lab for me to use for this purpose).

Or do I just set both interfaces to be "inside" named interfaces with similar security levels and that will accomplish the goal?
0
Our company has a pair of Cisco 2960x switch running in stackable mode (FlexStack plus). We already configured each and everyone of the switch ports to its corresponding VLAN, portfast, switch port mode access.   We have a new configuration requirement of configure two ports in a etherchannel group. We use the Channel-Group xx mode active to create the etherchannel group.

I tried to do a "show run" but did not see the portfast, vlan etc. information on the newly created port channel interface. My question is: do we have to go to the newly created port-channel interface to configure the portfast, switch port, vlan information once again? Also, moving forward, all the configuration of this channel-group bundled interface should be configured on the port-channel interface instead of the individual interface, I assume?

I am a bit new to the etherchannel setting, so bear with me; your kind advice is appreciated.

Thanks & Regards
Patrick
0
Scenario 6
This article is about building Route Based site-to-site VPN tunnels with Redundant Routers in DC (HUB) on Cisco CSR1000V routers with IOS XE. There are four Route Based IPsec VPN tunnels configured on two CSR1000V routers as a redundant router pair.
0
I'm trying to connect a Watchguard T30 to an AP320 through a Cisco Catalyst 2960.

I'm able to set up trunking on the Cisco so that I can see the AP320 through the controller, however when I connect to the WLAN I get no DHCP address, and I can't get online even when I hard code the IP. Based on some logging information I've seen on the Watchguard, it almost looks as though the Cisco switch is sending packets to the wrong gateway address.

It looks like when a device was requesting an IP on the VLAN 192.168.5.1/24 subnet that request was sent to the lan 192.168.1.1 gateway.

I'm extremely new to Cisco so it's entirely possible I'm missing something obvious, but when the VLANs are set up on the router and then trunking is configured for those VLANs on the Cisco, is there a place where you need to specify what Gateway to use for each trunk?
0
14-router-1-confg14-router-1.txt
I need to configure some new routers (layer 3 switches: Catalyst 3560-CX). We have a few sites that already have them so I copied the config for one of them and modified it for the site the new router will be on. I have logged into the new router and done basic configuration so I can copy the modified file over using TFTP. Are there any settings I need to remove and add manually? I'm attaching a copy of the new config that I will be uploading (14-router-1) and the current config (14-router-1-confg). Any advice or input would be greatly appreciated.

Regards,
DJ
0
Hi - currently we have several Cisco 2960-24PC-S 10/100 POE switches that we are going to be replacing with Cisco Catalyst 2960X-24PD-L POE switches, because of age and the need for the gigabit connection. My question is (my limited Cisco knowledge) that we have SFP Modules that we can't seem to figure out the model #. In the inventory on the switch it shows up next to the Description as "1000BaseSX SFP", and the serial number below it. Does anyone know if these are compatible with the 2960X switches?
0
I have setup a site to site Fortigate to Cisco VPN using the wizard.  I have 3 local subnets included in the P2.  Two of those subnets overlap with subnets on the Cisco end.  We have agreed on available subnets that can be used for VIP.  I have setup each subnet as a separate P2.  If I use the actual subnets in the P2s, only the nonconflicting subnet comes up.  If I replace the subnets with the VIP subnets, then all 3 subnets come up.  
After the VPN is brought up, I attempt to ping the Cisco end.  The ping fails.  No traffic is passing through the VPN.  I'm thinking the problem is with the policies on the VPN.  Perhaps the VIPs need to be included in the addresses.
I have searched the internet and the Fortinet site and have failed to find documentation that addresses this type of configuration.  The site to site Fortinet with overlapping subnets documents do not work.  Can you provide some guidance on how to troubleshoot this problem?
0

Any recommendations on this Cisco Switch?
Cisco Catalyst 3650-48FS-S - Switch - L3 - Managed - 48 x 10/100/1000 (PoE+) + 4 x SFP - desktop, rack-mountable - PoE+ (775 W)
It is reasonably priced

I need 2 of them and also do I require just of these to link both switches?
Cisco Catalyst 3650 Stack
0
Hello Experts,
Cisco Configuration Professional unable to start after install of Java, please suggest.
0
Hello Everyone

We are building our first NetApp SAN (FAS 2650) and want to be sure we are running the most recent STABLE firmware. We have current version:
NetApp Release 9.3P2 but see the P5 is available. Any thoughts?

We are running a VMware environment on Cisco UCS M5 servers and Nexus 3548 Switches
0
I have a Cisco ASA 5506 on which I am trying to configure VPN Access. I am able to connect using Cisco VPN Client but I cannot access or ping any devices on the network when connected. Please see config below.



es)
:
ASA Version 9.8(1)
!
hostname ciscoasa
enable password
names
ip local pool vpnpool 192.168.1.212-192.168.1.216 mask 255.255.255.0

!
interface GigabitEthernet1/1
 description Outside
 nameif outside
 security-level 0
 ip address 75.xxx.xxx.xx 255.255.255.252
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.252 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network …
0
Hi,
I am new to Cisco UC and I have a scenario where there is a requirement to have Cisco IP phones in a branch. The IP phones would be connected back to the HQ call manager. I would like to check on the advantages and disadvantages, on the edge router, of using dual WAN connectivity links for high availability versus a single WAN connectivity link and SRST.

For SRST, it seems that there is a regular SRST and using CME as SRST. May I check whether there are any reference documents on how it works, its requirements and considerations?

Thanks.

Appreciate for any suggestion!
0
Can someone provide the specs for Cisco RJ-45 SFP for GigE Interface ASR 1002? We need to order this piece.
0
