We help IT Professionals succeed at work.

Cisco

24K

Solutions

15K

Contributors

Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).

I'm looking for help determining the best wireless solution for our environment. We currently have an 8-year-old Cisco 5508 Wireless LAN Controller and 94 Aironet access points, really split between three buildings. We are due for a refresh and have a bid in from a vendor who is recommending Meraki Wi-Fi 6 with a licensed cloud controller, and who did not suggest a locally managed WLC with Aironet APs.

We are a school district and need feedback, as this is a vendor I have not dealt with before, so I have trust issues. I like the idea of not having a physical piece of hardware on site that, if it fails, takes my wireless down, but I don't like paying costly yearly licensing fees either. Any insight?
I have an ASA adjacent to a router with the following redistribution into the EIGRP AS shared with the Cisco ASA:

redistribute eigrp 100 metric 100000 0 255 1 1500 route-map EIGRP100-TO-EIGRP10

When I look on the ASA route table it's showing an AD of 170 and a metric of 25856 for the routes in EIGRP 10 that were redistributed from EIGRP 100.

EIGRP Metric = 256 * ( (K1*Bw) + ((K2*Bw) / (256-Load)) + (K3*Delay) ) * (K5 / (Reliability + K4))    {I'm assuming default K values 1 0 1 0 0}

256 * ((1*100,000) + ((0*Bw) / (256-Load)) + (1*0)) * (0 / (255+0)) => 25,600,000
         K1*BW          K2*Bw                   K3*Delay     K5/(Rel+K4)

Anyhow, the ASA is seeing traffic taking this route as 25856. I cannot figure out where that number is coming from. The actual bandwidth between the ASA and the router is 1Gbps.

Any insight appreciated!
Dear Experts,

I would like to find out what would be the best suited network certification to obtain for myself.
I have a mish-mash background, after getting M.S. in computer science with software engineering emphasis, I was working as a software/field engineer, then software project manager.
After taking time off to raise children, I started my own business as an IT consultant, where I did everything from hardware/software installation, infrastructure management, training, and troubleshooting for small businesses.  All of my knowledge came from basically learning as I needed from vendors and other sources.
A few more jobs later, I am now bouncing back and forth between Sr. System/Network Admin roles at my current employer.
My problem is, besides my degree, I do not have any certification, but I can administer Cisco/Fortinet firewalls, switches, Windows servers, Exchange servers, and am versed in PowerShell scripts as well as Java and VBA. I feel very non-standardized, and would like to have some type of certification. Since I really don't need to learn more about Windows servers or Azure AD, I was leaning towards some type of network certification: Cisco, CompTIA Network+, etc. I do have basic theoretical knowledge of networking from my graduate courses; however, I have a feeling some of it is outdated at this point.
Please advise.
I need extra server ports on my Cisco UCS 6248UP fabric interconnect. I already have the expansion module but still need more ports. The Cisco config limits doc notes:

There is a limit of twenty FEX for each UCS domain. For example, you can either have ten 2232 FEX for each FI or a combination of ten chassis and ten FEX.
Does that refer to the 2232PP FEX in the second URL below? So long as I purchase the license would that allow me to add more chassis?

https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/ucs-manager/Reference-Docs/Configuration-Limits/4-0/b_UCS_Configuration_Limits_4_0.html

https://www.serversupply.com/products/part_search/pid_lookup.asp?pid=176024&gclid=Cj0KCQiA-bjyBRCcARIsAFboWg35eKbXronC3785BVy0zhu4LuvZV2y_ljRAfulzqlypF2FGVcAD0mQaAm1vEALw_wcB
I am trying to determine the root cause of slow file transfers to the internet from our backup appliance. We are seeing data transfer rates in the 3Mb/sec range, while performing a speed test on the same switch/VLAN/subnet yields a 300Mb/sec throughput.


Looking at the stats on the switch port connected to the appliance, it would appear that the output rate (542 Kbps) is way below the rate entering the port (20 Mbps). Can anyone explain why the input/output rates appear to be so different and what might be done (if needed) to speed this up?



MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec
  reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, medium is broadcast
  Port mode is access
  full-duplex, 10 Gb/s
  Beacon is turned off
  Auto-Negotiation is turned on, FEC mode is Auto
  Input flow-control is off, output flow-control is off
  Auto-mdix is turned off
  Switchport monitor is off
  EtherType is 0x8100
  EEE (efficient-ethernet) : n/a
  Last link flapped 6d00h
  Last clearing of "show interface" counters never
  3 interface resets
  30 seconds input rate 20774480 bits/sec, 1810 packets/sec
  30 seconds output rate 538656 bits/sec, 919 packets/sec
  Load-Interval #2: 5 minute (300 seconds)
    input rate 20.78 Mbps, 1.77 Kpps; output rate 542.22 Kbps, 899 pps
  RX
    159749599463 unicast packets  17391 multicast packets  146958 broadcast packets
    159749763812 input packets  95785989605583 bytes
    0 jumbo packets  0 …
I have DMVPN with two hubs and an EIGRP relationship to a firewall (as well as to the spokes.)
The problem I am running into is that all of the DMVPN traffic is trying to egress via one of the two VPN hubs, HUB 1, which is at capacity for passing encrypted traffic.

SPOKE----HUB 1----FW
SPOKE----HUB 2----FW

HUB1 is assigning a metric to the routes it learns from the spokes which is preferable to HUB2.
So that's why the FW is sending all the traffic to HUB1.

HUB1
 redistribute eigrp 300 metric 100000 0 255 1 1500 route-map EIGRP300-TO-EIGRP100

HUB2
 redistribute eigrp 300 metric 100000 10 255 1 1500 route-map EIGRP300-TO-EIGRP100

The firewall and the HUB DMVPN routers speak via EIGRP100. Hub to spokes via 300.

What I want to do is for the firewall to prefer one hub for half of the sites roughly. I could put in some static routes as a quick fix out of the traffic jam. I could remove HUB 1 from half of the spokes and that would make the HUB 2 the best path for half of the spokes. But surely there's a more elegant approach using route maps.

Something to the effect of..

If you match ACL SAVE-MY-DMVPN, you have a better metric than HUB 1. Otherwise you keep the same metric you have now and let HUB 1 keep doing its thing.

???
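A worked computation of the classic EIGRP composite metric, added here as an example (not code from either post), covering both the 25856 seen on the ASA in the earlier post and the HUB1/HUB2 preference in this one. It assumes the default K values and a single Gigabit hop (1,000,000 Kbps, 10 usec delay, the usual IOS defaults) between the redistributing router and the neighbour that installs the route; the SAVE-MY-DMVPN list is a constructed stand-in.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Classic (32-bit) EIGRP composite metric with the default K values K1=1, K2=0,
# K3=1, K4=0, K5=0:
#     metric = 256 * (10^7 / min_bandwidth_kbps + sum_of_delays_in_tens_of_usec)
# The bandwidth term is 10^7 divided by the slowest link on the path, not the
# bandwidth itself, and every router adds the delay of the interface it received
# the update on. All path values below are constructed for this example.

BW_REFERENCE = 10_000_000  # 10^7 Kbps
SCALE = 256


@dataclass(frozen=True)
class Hop:
    bandwidth_kbps: int   # interface (or seeded) bandwidth in Kbps
    delay_tens_usec: int  # interface (or seeded) delay in units of 10 microseconds


def composite_metric(hops, k1=1, k2=0, k3=1, k4=0, k5=0, load=1, reliability=255):
    """Metric for a path made of a seed hop followed by the transit interfaces."""
    min_bw = min(h.bandwidth_kbps for h in hops)
    total_delay = sum(h.delay_tens_usec for h in hops)
    bw_term = BW_REFERENCE // min_bw
    raw = k1 * bw_term + (k2 * bw_term) // (256 - load) + k3 * total_delay
    if k5:  # the reliability factor only applies when K5 is non-zero
        raw = raw * k5 // (reliability + k4)
    return SCALE * raw


def seed(bw_kbps, delay, reliability=255, load=1, mtu=1500):
    """The five values of a 'redistribute ... metric BW DELAY REL LOAD MTU' line."""
    return Hop(bw_kbps, delay)  # reliability/load/MTU do not enter the default-K metric


# Assumed: one Gigabit hop (1,000,000 Kbps, 10 usec delay) between the
# redistributing router and the device reading its route table.
GIG_HOP = Hop(1_000_000, 1)


def asa_metric():
    """'redistribute eigrp 100 metric 100000 0 255 1 1500' seen one Gigabit hop away."""
    return composite_metric([seed(100000, 0), GIG_HOP])  # 256 * (100 + 1) = 25856


def hub_metrics():
    """HUB1 seeds delay 0, HUB2 seeds delay 10; the firewall installs the lower metric."""
    hub1 = composite_metric([seed(100000, 0), GIG_HOP])
    hub2 = composite_metric([seed(100000, 10), GIG_HOP])
    return hub1, hub2  # (25856, 28416): HUB1 wins by 256 * 10 for every spoke prefix


def hub2_seed(prefix, save_my_dmvpn):
    """Seed HUB2 would use under a per-prefix route-map: a prefix matched by the
    SAVE-MY-DMVPN list gets a seed HUB1 cannot beat, everything else keeps today's.
    Delay 0 is already the floor, so the matched clause raises the seeded bandwidth."""
    net = ip_network(prefix)
    matched = any(net.subnet_of(ip_network(entry)) for entry in save_my_dmvpn)
    return seed(1_000_000, 0) if matched else seed(100000, 10)


def preferred_hub(prefix, save_my_dmvpn):
    """Which hub the firewall would install for one spoke prefix."""
    hub1 = composite_metric([seed(100000, 0), GIG_HOP])
    hub2 = composite_metric([hub2_seed(prefix, save_my_dmvpn), GIG_HOP])
    return "HUB2" if hub2 < hub1 else "HUB1"


if __name__ == "__main__":
    acl = ["10.50.0.0/16"]  # constructed stand-in for access-list SAVE-MY-DMVPN
    print(asa_metric(), hub_metrics())
    for p in ("10.50.7.0/24", "10.60.7.0/24"):
        print(p, preferred_hub(p, acl))
```

Under these assumptions 256 * (10^7/100000 + 1) is exactly 25856, and a matched prefix seeded on HUB2 with a higher bandwidth beats HUB1 while unmatched prefixes keep their current HUB1 preference.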
I am trying to get RADIUS set up on this new switch, doing the same thing I do for every switch. I get prompted to accept the key, get the RADIUS login and message, but the password is not working. Confirmed the secrets match with the server. I even have another 3548 I've copied exactly. Not sure what I could have missed. Attached is the config for another set of eyes.

We are getting a new building; it is pre-wired for LAN and is coming with 14 Alcatel-Lucent switches. The previous occupants are going to wipe the switches to factory defaults. I am, unfortunately, not familiar with those switches. Can I get a translation of the following?

Vlan (to add some)
Interface Vlan (To put IP addresses on Vlans for SVI)
IP address x.x.x.x x.x.x.x
Switchport mode trunk
Switchport trunk encapsulation
Switchport trunk allowed
Switchport trunk native vlan 1

Switchport mode access
Switchport access vlan

I also need a routed port
For Cisco it is no switchport and then IP add

Do VLANs get propagated to connected switches using something like VTP?

Basically I am very familiar with Cisco IOS.  I need to configure two 6860s to communicate with 12 6850s, two of which are 6850E-P48.

One of the 6860s will connect to a Cisco ISR and then to the ISP.

Thanks in advance
When you are running iSCSI, is the TCP sliding window an important consideration? The situation is a Cisco UCS fabric interconnect connected to a Nexus 5k switch. The switch frequently drops packets inbound from the UCS, and this appears to be an issue with iSCSI frames from the UCS being 1514 bytes while the interface on the Nexus is 1500 and jumbo framing is not enabled. I don't know why the vast majority of frames make it through yet a significant number (in the millions) are dropped.
The port channel spikes up to about 10Gbps and most of that will be iSCSI. So the connection initiator to target works for the most part. I've planned to enable the jumbo frames as recommended by Cisco so that the 1514 iSCSI will be better processed and not dropped.

But my question is this: With iSCSI, are TCP conversations lengthy or very brief? To what degree would some dropped frames (.003%) in-path cause an issue for iSCSI TCP conversation? Or would this percentage just be noise that TCP connection orientedness should just deal with?
Hey all,

So I was asked to do something out of my realm and was wondering if someone could easily explain this to me. Later I will be moving an access point from one location in someone's office to another location; it's basically unplugging it from one patch panel and installing it in another. However, the trick is I need to move the configuration on the switch port to the new jack. This is a Cisco PoE switch. Can someone tell me, once I SSH/Telnet into the switch, how to move the port configuration and then save it? The new patch panel port would be A30. I don't know what the current patch number is, but I have never done this before and do not want to mess anything up. As always, help is appreciated.

Is there any way to apply a feature license to a Cisco 1100 via a serial terminal? The instructions suggest you should use TFTP to get the .lic file to flash. I'd rather just enter a code and finish configuration with the full crypto set.

what's metadata.svc?

Hi there, I'm running a file report on Cisco Firepower services and I'm noticing a lot of metadata.svc between hosts. Is this something I should explore further?

thanks.
I'm running UCS 4.04 and I am not seeing in the GUI where the port channels connecting upstream to the LAN are associated with which VLANs. If I SSH to UCS I can see that the new VLANs I added on the server NICs appear to be (automagically?) appearing on the port channel to the network. But if I go into LAN Uplinks Manager/VLANs/VLAN Manager I'm expecting to see the port channels underneath the VLANs with which they are associated. That is not the case. From the nxos CLI, note the VLANs and their association with the uplinks. Perhaps it's the case that if you don't specifically assign a VLAN to an uplink, all VLANs are automatically permitted on those uplinks?

Partial config from connect nxos:

vlan configuration 1,9-11,20,30,32
vlan 1,9-11,20,30,32


interface port-channel2
  description U: Uplink
  switchport mode trunk
  pinning border
  switchport trunk allowed vlan 1,9-11,20,30,32
  speed 10000
 
interface Ethernet1/1
  description U: Uplink
  pinning border
  switchport mode trunk
  switchport trunk allowed vlan 1,9-11,20,30,32
  udld disable
  channel-group 2 mode active
  no shutdown

interface Ethernet1/2
  description U: Uplink
  pinning border
  switchport mode trunk
  switchport trunk allowed vlan 1,9-11,20,30,32
  udld disable
  channel-group 2 mode active
  no shutdown

interface Ethernet1/3
  description U: Uplink
  pinning border
  switchport mode trunk
  switchport trunk allowed vlan 1,9-11,20,30,32
  udld disable
  …
I have been trying to get a Grandstream HT814 to communicate with Sonetel. It works fine when connected directly to the DSL line, but as soon as I put it behind the firewall it stops. It cannot make calls; when receiving a call it will ring, but with no sound.

I have tried with SIP inspection on and off (in the config below it is disabled).

Cisco Config:

Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(4)12
!

names
no mac-address auto

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
 no pim
 no igmp
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address xxxxx
 no pim
 no igmp
!
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 8.8.8.8
 domain-name xxxxxxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

access-list outside_access_in extended permit ip any host xxx
access-list inside_access_in extended permit ip any any

access-list global_mpc extended permit ip host xxx any inactive

pager lines 24
logging enable
logging asdm debugging

mtu outside 1500
mtu inside 1500
mtu Proxy 1500

arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384

nat (any,outside) source dynamic any interface

timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout …
I'm in a new gig and I want to understand what happens if a site's Internet link goes down: what takes over for their default route?
The routing protocol is EIGRP.

{DATA CENTER}-----WAN EIGRP-----{OFFICE}-----LAN EIGRP----[Cisco ASA]-----{INTERWEBS}

So the switches in the OFFICE are learning their path to the Internet from the Cisco ASA, which advertises a default route inward via EIGRP. The ASA learned it has the default via OSPF from an edge router outside of it. My guess is that the DATA CENTER's default route would propagate over the WAN to the OFFICE in the event the Cisco ASA stopped advertising the default route inward.

How could I find out the behavior of the lost default route without causing an outage?

Thank you.
I have an SG200-26P that needs a firmware upgrade from Firmware Version (Active Image) 1.3.5.58.
Each time I attempt to upgrade I get the following error message:

Bytes Transferred:
7011840
Status:
Copy failed
Error Message:
Copy: SW code file is over sized
We have a couple of users whose AD accounts get locked out each time they log in to the VPN (Server 2012 R2).
So they're able to log in, but their AD accounts do lock out after that.
If we reset their accounts, after a few minutes their AD accounts lock out again.
They are using Cisco VPN.
Anyone have any idea why it keeps locking out their AD accounts when logging in to the VPN?
If they don't log in to the VPN, their AD accounts never lock.

Hi,

I have a problem on a Cisco C892. The moment I apply the ACL-IN ACL on the external Dialer0 interface, I lose connectivity from the LAN to the internet (ping, DNS, HTTP, everything), which is unwanted, while I still have RDP access from the internet 2.2.2.0 network to the internal server at 192.168.1.37.
From LAN to INET I want to block just SMTP, except from the mail server.
From the external network 2.2.2.0/24 I want to allow access to everything.
From other internet addresses I want to allow only what is specified in the ACL-IN access list.
1.1.1.1 is my fixed public IP address, which I get on the Dialer0 interface with a PPPoE connection.
(I have been told that the customer has another 4 public IP addresses which are routed by the ISP over the 1.1.1.1 address, but they are not in use, if relevant.)
Any ideas would be more than welcome.

Here is a relevant part of router configuration:

ip cef
ip domain name domain.local
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect log drop-pkt
ip inspect name WALL tcp
ip inspect name WALL udp
ip inspect name WALL tftp
ip inspect name WALL ftp
ip inspect name WALL realaudio
ip inspect name WALL icmp
ip inspect name WALL rtsp
ip inspect name WALL http
ip inspect name WALL https
ip inspect name WALL ssh
ip inspect name WALL sip
ip inspect name WALL h323
no ipv6 cef
!
interface FastEthernet8
 description ***INTERNET PPPoE***
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 load-interval 30
 duplex …
Hey everyone, I am trying to get my router up and running and am having a slight issue getting it to connect to the internet (to the ISP). My basic idea is connecting G0/0 going out to the ISP (WAN) and G0/1 to my server. I know I'm missing something. I've included my running config.
Any help would be appreciated!!

Current configuration : 1735 bytes
!
! Last configuration change at 16:01:56 GMT Tue Jan 21 2020 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Core_Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
clock timezone GMT -8 0
!
dot11 syslog
ip source-route
!
!
ip cef
!
ip dhcp excluded-address 10.24.1.1 10.24.1.10
!
ip dhcp pool core
 import all
 network 10.24.1.0 255.255.255.0
!
!
ip domain name xxxx.net
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2821 sn FTX1311A0C3
username admin privilege 15
!
redundancy
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 description PrimaryWANDesc_
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 10.24.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
 no ip address
!
interface …
I want to connect a fresh Meraki switch to a Cisco ISR. By default the ports on the Meraki are native VLAN 1 and type trunk. If I make the native VLAN 10 on the ISR's port attaching to the Meraki switch, that would create a native VLAN mismatch, but still the two devices should be able to talk to each other (assuming I have a DHCP scope on the ISR for VLAN 10).

If I have an ISR (say 4331) configured with inside trunked interface as follows:

Hostname(config)#interface FastEthernet0/1
Hostname(config-if)#no ip address

Hostname(config-if)#no shutdown

Hostname(config)#interface FastEthernet0/1.1
Hostname(config-if)#encapsulation dot1Q 1 native
Hostname(config-if)#ip address 10.10.100.1 255.255.255.0


Hostname(config-if)#interface FastEthernet0/1.2
Hostname(config-if)#encapsulation dot1Q 2
Hostname(config-if)#ip address 10.10.200.1 255.255.255.0

ip dhcp pool MGT
 network 10.10.100.0 255.255.255.0
 default-router 10.10.100.1
 domain-name acmefoo.com
 dns-server 8.8.8.8 4.2.2.2
!
ip dhcp pool DATA
 network 10.10.200.0 255.255.255.0
 default-router 10.10.200.1
 domain-name acmefoo.com
 dns-server  8.8.8.8

The Meraki should pick up an address from DHCP for VLAN 10 (10.10.100.0) owing to the fact that those frames would be untagged, despite the fact that the default native VLAN on the Meraki is on. Correct?

So I'm at this new gig and they have a 1Gbps Internet feed. If I plug in a work-built laptop (HP, Win 10) I am seeing like 12Mbps down and 20Mbps up. But if I get a fresh laptop that has not been built out I am seeing about 100Mbps down and as much as 400, even 600Mbps up. This is on the very same 1Gbps network port on a Cisco enterprise switch, the WS-4510R-E. No errors seen at those ports. They run Trend Micro on their standard issue. Could that slow down speed tests that much? I'm testing against the AT&T speed test but have tried a bunch of others and they all tell essentially the same story. There are also VMware Horizon drivers on there and some others. Any thoughts on how to track down what's the party pooper for the network speeds?

Hi,

In the past, whenever I set up a new server that came with 2 network adapter cards, I used to disable one (of the two NICs), assign a static IP address to the first NIC (192.168.1.1) and add the Hyper-V role, which creates a virtual network card like "vEthernet Intel ... Virtual Switch", and I use this adapter under Network Settings in the Virtual Machines.

This time I would like to try NIC teaming on this server. I read some articles and watched some YouTube videos about NIC teaming. Having said that, there is only one Cisco network switch and there is no plan to purchase a 2nd network switch for the purpose of NIC teaming.
 
 On this server, I have not added HyperV role yet because I was not sure whether it would be beneficial and what options I need to choose such as Teaming mode (Static Teaming/Switch Independent /LACP), Load Balancing Mode (Address Hash/Hyper-V Port) and Standby Adapter(None/NIC1/NIC2).
 
 There are 12 Windows 10 workstation computers on the network, 1 network switch. There will be two Virtual Machines - Domain Controller and Application Server/SQL server.

 (1) Is it worth creating NIC Teaming even though there is only one network switch?
 (2) If yes, What options do I need to choose in - Teaming mode, Load Balancing Mode and Standby Adapter
 (3) Are there potential pitfalls?
 (4) If I set up virtual machines based on Teamed vEthernet virtual switch and later go back to single NIC method, how easy is it?
Hello, I have a question about Cisco's Identity Services Engine. I have a Cisco phone that is being denied network access.

Endpoint Profile
Cisco-Device

Authentication Failure Reason
15039 Rejected per authorization profile

Authentication Policy
Internal Endpoints

Authorization Policy
Default

Authentication Protocol
Lookup

Would you please let me know how I can grant network access to this device?
How do I gracefully shut down a UCS chassis in preparation to move it to another data center where it will be redeployed into another UCS domain?

I have a meraki MS225 attached to a Cisco 2900 router configured for NAT. I can see the Meraki has a private IP and I can ping it locally and over VPN. I see NAT translations from it. But it fails to register to Meraki cloud. Any thoughts?

I also notice that "sho cdp nei" is failing to show it, but I can see the ARP entries.
