
Cisco topic: 24K solutions, 15K contributors

Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).

We have two locations: a main office and a small remote office over 200 miles away. I have been asked to update the VPN connection between the two sites to allow a second VPN to communicate between the sites.

This is a production system in use 24/7 and there is no one at the remote site who can assist with this, so I want to make sure I only have to go down there once, get it done as quickly as possible and don't cause any issues.

In the main office we have a primary switch which acts as our router, a second switch connected to it for local connections, an ASA used for a VPN connection to the remote site, and a cable internet connection with its own firewall.

On the switch used as a router we have the following VLANs defined:
vlan 10 (private) IP 172.16.10.254/24 ports 1/1
vlan 20 (data) IP 192.168.10.254/24 ports 1/2-1/45
vlan 30 (voice) IP 192.168.110.254/24 ports 1/2-1/45
vlan 100 (VPN) IP 192.168.100.22/29 port 1/46

Routes:
route 0.0.0.0 0.0.0.0 192.168.10.1

route 192.168.3.0 255.255.255.0 192.168.100.21
route 192.168.103.0 255.255.255.0 192.168.100.21
route 10.10.10.0 255.255.255.0 192.168.100.21
route 192.168.100.50 255.255.255.255 192.168.100.21
route 192.168.100.200 255.255.255.252 192.168.100.21
VLAN 100 port 46 is connected to the ASA LAN port.

At the remote site we have an ASA and a switch.
The following VLANs are defined on the switch:
vlan 110 (data) IP 192.168.3.250/24  ports 1/2-1/46
vlan 120 (voice) ip …
0
Cisco ASA vpn syslog messages.
Hi there, I'm using an ASA running v. 9.10. I want to find a way to send only VPN messages to an internal syslog server. I'm able to send some or tons of messages to the syslog server, but I'm only interested in VPN-related messages.

My config is:
logging enable
logging trap informational
logging host inside syslog-server-ip
logging permit-hostdown
logging message 722051 level informational
logging message 722022 level informational

Any help is greatly appreciated.
0
Hi Guys,
I'm starting to get interested in the technicalities of fiber connections.
In this case I have a Cisco SLM2024 switch with 2 SFP ports.
My question is: how do I find out what type of SFP transceivers the switch supports?
Thanks
0
AIR-AP1852E-B-K AP won't connect to Cisco 2504 Controller. Is there a way to reset the device and have the controller see it without a console cable being involved?
0
For a switchport in mode trunk, does it allow any VLAN to pass through by default on a Cisco router?

Thx
0
  • Cisco 2821 router with HWIC SFP port, hard-set to 1gb (unconfigurable).
  • Dell PowerConnect 5548p switch with 10gb SFP port, manually hard-set down to 1gb.
  • SFP copper direct-attach cable.

According to documentation, the Cisco HWIC port supports only 1gb, so the opposite port must be hard-set the same.

Both ports show link lights, and status says they're UP, but no traffic is passed. Tested more than one cable, and tested more than one port on the Dell switch. The Cisco router has no other SFP port for testing.

This seems like it should be a very simple network connection.  Anyone have any insights on this?

Config settings and status info are below.

Cisco 2821 port config:
interface GigabitEthernet0/0/0
 ip address 10.253.58.121 255.255.255.248
 no negotiation auto
Dell PowerConnect 5548p port config:
interface tengigabitethernet1/0/1
 speed 1000
Cisco 2821 "sho int gi0/0/0":
router#sho int gi0/0/0
GigabitEthernet0/0/0 is up, line protocol is up
 Hardware is PM-3387, address is 001d.a188.c1eb (bia 001d.a188.c1eb)
 Internet address is 10.253.58.121/29
 MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
    reliability 128/255, txload 1/255, rxload 1/255
 Encapsulation ARPA, loopback not set
 Keepalive set (10 sec)
 Full-duplex, 1000Mb/s, link type is force-up, media type is
 output flow-control is XON, input flow-control is XON
 ARP type: ARPA, ARP Timeout 04:00:00
 Last input 00:11:27, 
0
I have a Nexus 6k connecting to a UCS Fabric Interconnect. What's puzzling to me is that there are "jumbo packets" - millions of them counted in the sho interface commands. But the MTU on the Nexus side is 1500. And the same thing is true if I log onto the FI - I see jumbo packet counters highly incremented and yet the interfaces are all set to 1500 MTU. Any thought as to how I could be seeing these big counts of jumbo "packets" (frames would have been a better term, no?) when I don't think I have jumbo framing configured on either side of these links?

RTR01# sho int Eth 1/3
Ethernet1/3 is up
Dedicated Interface
  Belongs to Po2
  Hardware: 1000/10000 Ethernet, address: 002a.5cc2.4aca (bia 002a.5cc2.4aca)
  Description: TO-MY-UCS01-A
  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec
  reliability 255/255, txload 89/255, rxload 4/255
  Encapsulation ARPA
  Port mode is trunk
  full-duplex, 10 Gb/s, media type is 10G
  Beacon is turned off
  Input flow-control is off, output flow-control is off
  Rate mode is dedicated
  Switchport monitor is off
  EtherType is 0x8100
  Last link flapped 4d02h
  Last clearing of "show interface" counters 17w1d
  1 interface resets
  30 seconds input rate 109418408 bits/sec, 19662 packets/sec
  30 seconds output rate 3958742016 bits/sec, 346160 packets/sec
  Load-Interval #2: 5 minute (300 seconds)
    input rate 166.25 Mbps, 24.08 Kpps; output rate 3.51 Gbps, 309.55 Kpps
  RX
    411181255573 unicast packets  8610632 …
0
I'm at a new gig. The customer has a UCS where the Fabric Interconnect connects to a Nexus switch - A has 4 x 10Gbps and B has 4 x 10Gbps bundled into a vPC with 802.1Q trunking on it. And right in the middle of all the allowed and active VLANs on the trunks is the iSCSI VLAN. There have been complaints about the storage performance, so this lack of isolation is one of the first things that jumps out as a potential issue. Tegile is the storage target array.

My question is - would it be possible to seamlessly migrate the iSCSI VLAN to dedicated ports on the fabric interconnect with only the iSCSI VLAN on them? Any other thoughts?
0
I just upgraded from ESX 4.5 to 6.7 and the controller can no longer see the access points. There have been some changes in ESX for the interfaces, but for some reason it is not working. (I can see one new difference is that the switch and the port can be configured for promiscuous mode; I tried both but neither works.)

Virtual Switch:
1. Allow promiscuous mode: Yes
2. Allow forged transmits: Yes
3. Allow MAC changes: Yes

Data Port:
1. VLAN ID: 4095
2. Allow promiscuous mode: Yes
3. Allow forged transmits: Yes
4. Allow MAC changes: Yes

Service Port:
1. VLAN ID: 0
2. Allow promiscuous mode: No
3. Allow forged transmits: No
4. Allow MAC changes: No

Switch Config:
interface GigabitEthernet0/1
 description trunked port
 switchport trunk native vlan 30
 switchport trunk allowed vlan 21,30,31,40,41
 switchport mode trunk
 spanning-tree bpdufilter enable
 ip dhcp snooping trust
0
I am on a new gig where the client has small spoke sites talking to a hub at the data over DMVPN with IPsec encryption. The edge devices at the spoke sites are Cisco ISRs. They complain about the performance of Horizon VDI not infrequently. One thing I was wondering is - what would be the performance knock of their sending their already secure PCoIP traffic over the encrypted DMVPN? It seems they could just send the traffic to the VDI farm without it needing to travel through the tunnel. Might it improve VDI performance from the perspective of the end to have those connections bypass the tunnel and just traverse the Internet without a second encryption operation?
0
Hi Experts

I am on a personal mission to understand a little bit more about VoIP.

So we run a Gamma \ Horizon system at work. All configured and working via Cisco.

Our Wi-Fi is controlled via UniFi USG, switches etc. I've plugged in (with consent) one of our spare VoIP phones into a spare port on one of the UniFi switches and configured it on its own VLAN etc.

The phone can call external numbers no problem, but if I try to ring an internal extension the internal phone rings, but once connected I cannot hear the person on the other end.

I get that something is blocking it or it's not configured; I just don't know where to start troubleshooting.

Maybe someone could point me in the right direction?

Ian
0
Hi,

Although I have worked on Cisco routers for many years, I have little experience on Cisco ASA. Recently I have started managing a site that uses ASA between two offices. The foreign office is managed by another vendor. I sometimes feel like the foreign office's vendor is feeding me BS, as things sometimes seem to fix themselves overnight without change on his part, "apparently".

Example: the following packet-tracer was performed:

packet-tracer input inside udp 172.27.1.9 domain 10.1.1.112 domain
 
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside-tm) source static NO-NAT-LOCAL NO-NAT-LOCAL destination static NO-NAT-REMOTE NO-NAT-REMOTE
Additional Information:
NAT divert to egress interface outside-tm
Untranslate 10.1.1.112/53 to 10.1.1.112/53
 
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group global global
access-list global extended permit ip any any
Additional Information:
 
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside-tm) source static NO-NAT-LOCAL NO-NAT-LOCAL destination static NO-NAT-REMOTE NO-NAT-REMOTE
Additional Information:
Static translate 172.27.1.9/53 to 172.27.1.9/53
 
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map …
0
Where is the MFA configuration screen in the Azure cloud portal? We need to configure MFA to integrate our Cisco VPN service with 2FA, and cannot find the MFA configuration screen in our Azure AD cloud portal. Thank you.
0
Today our Dell N2048P server switch cannot power up. I tried to loan a switch from the vendor, and they loaned me a Cisco 3750G. I configured all the switch ports and all are working fine except switch ports 49 and 50 (SFP); I receive the error "%GBIC_SECURITY_CRYPT-4-VN_DATA_CRC_ERROR: GBIC in port Gi1/0/49 has bad crc", so I guess the GBIC is not compatible. I need experts to advise me on the below:

1. The Dell N2048P was originally using an SFP+ GBIC, and now I am plugging that same GBIC into the Cisco SFP port; may I know whether this will work?
*This uplink is connected to our core switch, which is a Dell N4032F fiber switch.
0
I'm currently using Cisco UCS and NetApp with boot from iSCSI LUNs. Within NetApp there are SVMs created, and they have iSCSI target names and IPs which I can input into the UCS template. Then from there they use the IQNs configured in the UCS profile (based on the updating template) to reach the LUN in the SVM. This system works great.

However, we are migrating to Nimble. Does anybody know if Nimble has a similar setup for the SVM iSCSI target names and IPs that I can place into the UCS templates, or does Nimble only require the IQN and the IP, which would be placed on the service profile, not the template?
0
Hi, I wanted to get a Cisco RV340 and use it for VPN for remote clients. I'm trying to find info on it, but it's confusing to me.

So it looks like there is a client called AnyConnect by Cisco that works with the 340, but there is a cost for it, and I have to find a reseller; that seems strange to me. I used the PPTP client on other RVs for years.

I hear the 340 has IPsec for remote clients, but can't verify that.

Question: can I connect a Windows or Mac client using the native IPsec software to an RV340?

Thanks All.
0
We have remote VPN through a Cisco firewall. It works fine for most users. It's a little slow, of course. However, we have one user who remotes in to troubleshoot issues with PLCs (this is a manufacturing facility). He has a hard time staying connected to the PLCs. Otherwise, his VPN works fine. Are there special considerations for VPN when remoting to PLCs?
0
I am using the Juniper migration tool, but is this the best method when you are changing vendors from Cisco to Juniper as it relates to access switches? I need to be 100% accurate with the configs. Any suggestions much appreciated.
0
I need to re-IP all the voice VLANs in a company. My first thought was to just renumber the SVIs at each site related to VoIP. But that would then cut me off from being able to reset the phones from the Call Manager, because the gateway no longer works. Or would it be the case that, losing connectivity to the Call Manager, the phones might just reboot themselves?

If not that - might there be a way to recycle the inline power at the switches to force the phones to reboot? e.g.

int range Gi 2/0/1 - 47
    power inline never

    {WAIT}    

    power inline auto

Any other thoughts on the most efficient means to reboot all the phones on a switch when they can't talk to the Call Manager?
0
How do I back up the existing running configuration of Cisco routers and switches, so that I can load the configuration onto another replacement device in case of failure?
0
Hi,

I am trying to set up hot standby DHCP on Server 2012 (two DHCP servers with multiple scopes):
192.168.0.0
192.168.1.0
192.168.2.0
I am using two servers with a failover DHCP configuration (hot standby), with IP addresses
192.168.0.1 for server 1 and 192.168.0.2 for server 2.

In the Cisco 3750 switch I created 3 VLANs:
Vlan 10 with an IP address 192.168.0.3
Vlan 20  with an IP address 192.168.1.1
Vlan 30  with an IP address 192.168.2.1

In the configuration I added the ip helper-address command to refer to the DHCP servers.
Under each VLAN interface I added two IP helper addresses:

Under Vlan 10
ip helper-address 192.168.0.1
ip helper-address 192.168.0.2

And so on for VLAN 20 and VLAN 30.

The computers work fine and got an IP address and gateway for each VLAN. However, I tried to test the failover DHCP: I shut down the DHCP server with IP address 192.168.0.1 and waited for a computer to get an IP from the second DHCP server, but it's not working. I released and renewed the IP and nothing changed.

Is there any missing part of my configuration?

Thanks
0
I have ordered 1 GB internet service (BW) hand-off from Bell. The firewall will be the gateway for 5 offices with a total of 200 users. I would like to install a Cisco ASA 5500 series as the internet gateway. The ASA will have a VPN to Azure as well, for AD and SQL sync. Can you suggest the ASA model that best fits us? The current firewall is a 5508-X which handles 1 office (40 users) and a 200 GB hand-off, but we are upgrading the circuit to 1 GB and adding 4 more offices (total of 200 users).
0
I have some cisco access points (air-1121g) that have SSIDs broadcast and I need to change the password.

How can I change the password via the CLI (command line, IOS)?
0
I have two 4500 32-port Cisco switches running build 3.11. They are connected via SFP stack cables. What do I need to do in the switch so the primary switch can see the connected switch's ports, so they appear as one large switch?
0
I have a Cisco Voice Gateway 4331 that handles all of our calls in conjunction with Cisco Call Manager. The voice gateway has a PRI circuit connected to a port and three POTS lines using the remaining three ports. In this example, I want to have the internal extension 3337 use the specific port of a POTS line on port 0/2/2. This is for a fax machine (attached to CUCM via an ATA 190) that only sends, and I am having trouble with it being reliable over the PRI. I was hoping to tie it to a POTS line to avoid trouble.

I tried the following and it did not seem to work correctly. I feel like I am missing an important component:

dial-peer voice 3199 pots
desc ***** Send faxes over pots lines for mailroom *****
preference 1
answer-address 3337
port 0/2/2
forward-digits all

In the above, I am attempting to identify the internal extension of the fax machine (3337) so that it can be directed to use the POTS line on port 0/2/2. Is there another set of commands that I might be missing?
0