Tuesday, December 15, 2009

Check Optical Signal in Cisco SFP

Optics have to be DOM Compliant.

http://www.cisco.com/en/US/docs/interfaces_modules/transceiver_modules/compatibility/matrix/OL_8031.html
http://www.cisco.com/en/US/docs/interfaces_modules/transceiver_modules/compatibility/matrix/OL_6981.pdf

Some transceivers do not support DOM and will not report these values.
The command is show interface transceiver. If the transceiver supports DOM, the output looks like this:


show interface transceiver
Transceiver monitoring is disabled for all interfaces.

If device is externally calibrated, only calibrated values are printed.
++ : high alarm, + : high warning, - : low warning, -- : low alarm.
NA or N/A: not applicable, Tx: transmit, Rx: receive.
mA: milliamperes, dBm: decibels (milliwatts).

                                       Optical    Optical
           Temperature  Voltage  Current    Tx Power   Rx Power
Port       (Celsius)    (Volts)  (mA)       (dBm)      (dBm)
---------  -----------  -------  ---------  ---------  ---------
Te10/1     27.6  ++     0.00     7.8  ++    -2.0  ++   -2.9  ++
Te10/2     27.4  ++     0.00     7.8  ++    -2.0  ++   -3.1  ++
Te10/3     24.4  ++     0.00     0.0  ++     N/A      -40.0
Te10/4     23.6  ++     0.00     0.0  ++     N/A      -37.0  ++
Te10/5     25.3  ++     0.00     0.0  ++     N/A      -40.0
Te10/6     25.0  ++     0.00     0.0         N/A      -40.0
Te10/7     24.3  ++     0.00     0.0         N/A      -28.8  ++
Te10/8     26.0  ++     0.00     0.0         N/A      -30.0  ++
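As an added example (not part of the original post), a small Python parser for this output that flags ports carrying an alarm or warning marker, or receiving no light; the sample text and the -30 dBm no-light threshold are assumptions modeled on the table above.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample modeled on the output above; not captured from a live device.
SAMPLE = """\
Transceiver monitoring is disabled for all interfaces.
++ : high alarm, + : high warning, - : low warning, -- : low alarm.

                                       Optical    Optical
           Temperature  Voltage  Current    Tx Power   Rx Power
Port       (Celsius)    (Volts)  (mA)       (dBm)      (dBm)
---------  -----------  -------  ---------  ---------  ---------
Te10/1     27.6  ++     0.00     7.8  ++    -2.0  ++   -2.9  ++
Te10/3     24.4  ++     0.00     0.0  ++     N/A      -40.0
Te10/7     24.3  ++     0.00     0.0         N/A      -28.8  ++
"""

FLAGS = {"++": "high alarm", "+": "high warning", "-": "low warning", "--": "low alarm"}
COLUMNS = ("temperature", "voltage", "current", "tx_power", "rx_power")
# Data rows start with an interface name; header and separator lines do not.
PORT_RE = re.compile(r"^(Gi|Te|Fa|Fo|Hu)\d+(/\d+)*$")


def parse_transceiver(text: str) -> List[dict]:
    """Turn 'show interface transceiver' text into one dict per port.

    Each column becomes a float (None for N/A) plus a '<column>_flag' entry
    holding the alarm marker that followed the value, or None.
    """
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not PORT_RE.match(tokens[0]):
            continue
        values: List[Tuple[Optional[float], Optional[str]]] = []
        for tok in tokens[1:]:
            if tok in FLAGS:            # marker belongs to the preceding value
                if values:
                    values[-1] = (values[-1][0], tok)
            elif tok in ("N/A", "NA"):
                values.append((None, None))
            else:
                values.append((float(tok), None))
        row = {"port": tokens[0]}
        for name, (val, flag) in zip(COLUMNS, values):
            row[name] = val
            row[name + "_flag"] = flag
        rows.append(row)
    return rows


def alarmed_ports(rows: List[dict], no_light_dbm: float = -30.0) -> dict:
    """Map port -> reasons for every port with an alarm/warning marker or an
    Rx power at or below no_light_dbm (assumed threshold: no light received)."""
    findings = {}
    for row in rows:
        reasons = [f"{name}: {FLAGS[row[name + '_flag']]}"
                   for name in COLUMNS if row[name + "_flag"]]
        rx = row["rx_power"]
        if rx is not None and rx <= no_light_dbm:
            reasons.append(f"rx_power {rx} dBm: no light")
        if reasons:
            findings[row["port"]] = reasons
    return findings
```

Note that with "Transceiver monitoring is disabled", as in the output above, the markers may not reflect real thresholds; the parser reports them as printed.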

Friday, November 27, 2009

Trunking Dot1q - Applying allowed vlan in port - STP recalculation?

Some cisco switch ports have only the following configuration:

interface G2/1
switchport
switchport trunk encapsulation dot1q
switchport mode trunk

Well, this configuration is simple, because you only have to create the VLAN in the switch and it is automatically passed through the trunk. Good for implementation, bad for security, performance and growth:
- From a security perspective, you have an uncontrolled trunk, especially if you are connecting to another switch that is not managed by you or your team.
- From a performance perspective, STP calculations run permanently for every VLAN on the trunk, and a failure on this port can cause downtime in other areas of the network.
- From a growth perspective, switchports without an allowed-VLAN list do not scale in growing scenarios such as datacenters.

In a situation where you have uncontrolled trunk switchports (without switchport trunk allowed vlan XXXX,...) and you want to limit the VLANs passed on this trunk, there is always the question:
- Will this cause any downtime or STP recalculation?

Actually, I had to convert some of these links to allowed-VLAN mode, with hundreds of VLANs passing through a switchport on a 6500, and when applying the allowed list there was no STP recalculation or any cut in the traffic.

My 2 cents for the skeptics ...
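An added Python audit (not from the original post) that finds trunks configured like the one above, i.e. without a switchport trunk allowed vlan list, in a saved running-config; the sample config is constructed.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed running-config excerpt (not from the original post).
SAMPLE_CONFIG = """\
!
interface GigabitEthernet2/1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet2/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30-32
 switchport mode trunk
!
interface GigabitEthernet2/3
 switchport
 switchport access vlan 50
 switchport mode access
!
"""


def interface_blocks(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [its indented lines]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None          # '!' or a global command ends the block
    return blocks


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '10,20,30-32' into a set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit_trunks(config: str) -> Dict[str, Optional[Set[int]]]:
    """Trunk port -> allowed VLAN set; None means every VLAN is carried.

    Only the plain 'switchport trunk allowed vlan <list|all|none>' form is
    parsed; the add/remove/except variants are left as unrestricted."""
    result = {}
    for name, lines in interface_blocks(config).items():
        if "switchport mode trunk" not in lines:
            continue
        allowed = None
        for line in lines:
            m = re.match(r"switchport trunk allowed vlan (\S+)$", line)
            if m and m.group(1) != "all":
                allowed = set() if m.group(1) == "none" else parse_vlan_list(m.group(1))
        result[name] = allowed
    return result


def uncontrolled_trunks(config: str) -> List[str]:
    """Trunks with no allowed-VLAN list, sorted by interface name."""
    return sorted(n for n, allowed in audit_trunks(config).items() if allowed is None)
```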

Monday, October 12, 2009

IP_SNMP-4-NOTRAPIP: SNMP trap source VlanXXXX has no ip address

The following error:

%IP_SNMP-4-NOTRAPIP: SNMP trap source VlanXXXX has no ip address

is caused by a change of the trap source interface. XXXX is the VLAN ID (VID).
You can correct it with the following command, using a VLAN interface that has an IP address:

snmp-server trap-source vlan XXXX

Friday, October 9, 2009

startup-config file open failed (Device or resource busy)

Error message:
"startup-config file open failed (Device or resource busy)"

The write-to-flash process might have hung, or flash might be in use by another user.

How to fix:

systat -> check which users are logged in
clear line vty X -> clear all the users from the router
write -> now you can write your config to flash

Clear all lines: one of the sessions may be running a process that writes to flash and has hung.

Sunday, September 20, 2009

Running SDM 2.4 with Java 1.6.0_16

There is an exception when running SDM with Java version 1.6_16. The Java exception dump in the console is related to the class awt-eventqueue-2.

I was not able to correct the problem in this version. I unselected version 1.6_16 in my Java control panel and used a previously installed version 1.5 that I had. This corrected my problem.

Monday, June 1, 2009

How to Check a Cisco Interface Last Change

Sometimes, customers ask:
"I would like to know when was the last time this port went down!"

Well, our answer will always be, "we will investigate and let you know."

The problem is, how can I get this information?
Actually, you will find it if you have a syslog server, but what if the syslog rotates the logs earlier than you think!

Well, there is another way to get some info. Although Cisco says that it is valid, my tests have not given me any confidence in this data.
Anyway, here is how to get it.

Cisco supports the IF-MIB object for the last change of an interface (ifLastChange); walk it, filling in your community string and the device address:
snmpwalk -v 1 -c <community> <host> .iso.3.6.1.2.1.2.2.1.9

IF-MIB::ifLastChange.1 = Timeticks: (10995) 0:01:49.95
IF-MIB::ifLastChange.2002 = Timeticks: (14524) 0:02:25.24
IF-MIB::ifLastChange.5001 = Timeticks: (12082) 0:02:00.82
IF-MIB::ifLastChange.5002 = Timeticks: (96967443) 11 days, 5:21:14.43
IF-MIB::ifLastChange.10101 = Timeticks: (97498708) 11 days, 6:49:47.08
IF-MIB::ifLastChange.10102 = Timeticks: (97497760) 11 days, 6:49:37.60
IF-MIB::ifLastChange.10103 = Timeticks: (97497340) 11 days, 6:49:33.40
IF-MIB::ifLastChange.10104 = Timeticks: (97496849) 11 days, 6:49:28.49
IF-MIB::ifLastChange.10105 = Timeticks: (97495422) 11 days, 6:49:14.22
IF-MIB::ifLastChange.10106 = Timeticks: (97494025) 11 days, 6:49:00.25
IF-MIB::ifLastChange.10107 = Timeticks: (97494995) 11 days, 6:49:09.95
IF-MIB::ifLastChange.10108 = Timeticks: (11332) 0:01:53.32
IF-MIB::ifLastChange.10109 = Timeticks: (11332) 0:01:53.32
IF-MIB::ifLastChange.10110 = Timeticks: (11332) 0:01:53.32
IF-MIB::ifLastChange.10111 = Timeticks: (11332) 0:01:53.32
IF-MIB::ifLastChange.10112 = Timeticks: (11332) 0:01:53.32
IF-MIB::ifLastChange.10113 = Timeticks: (11332) 0:01:53.32
IF-MIB::ifLastChange.10114 = Timeticks: (11332) 0:01:53.32
IF-MIB::ifLastChange.10115 = Timeticks: (11332) 0:01:53.32
IF-MIB::ifLastChange.10116 = Timeticks: (97498710) 11 days, 6:49:47.10
IF-MIB::ifLastChange.10117 = Timeticks: (97497765) 11 days, 6:49:37.65
IF-MIB::ifLastChange.10118 = Timeticks: (97497353) 11 days, 6:49:33.53
IF-MIB::ifLastChange.10119 = Timeticks: (97496854) 11 days, 6:49:28.54
IF-MIB::ifLastChange.10120 = Timeticks: (97495448) 11 days, 6:49:14.48
IF-MIB::ifLastChange.10121 = Timeticks: (97494037) 11 days, 6:49:00.37
IF-MIB::ifLastChange.10122 = Timeticks: (97494996) 11 days, 6:49:09.96
IF-MIB::ifLastChange.10123 = Timeticks: (11333) 0:01:53.33
IF-MIB::ifLastChange.10124 = Timeticks: (11333) 0:01:53.33
IF-MIB::ifLastChange.10125 = Timeticks: (11333) 0:01:53.33


Use it at your own risk!
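An added Python example (not part of the original post) that turns these ifLastChange ticks into a wall-clock time: ifLastChange is the sysUpTime value at the moment of the last state change, so the same poll must also read sysUpTime (1.3.6.1.2.1.1.3.0); the sample walk and the sysUpTime value are constructed, modeled on the figures above.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, Tuple, Union

# Constructed excerpt in snmpwalk's output format, modeled on the values above.
SAMPLE_WALK = """\
IF-MIB::ifLastChange.1 = Timeticks: (10995) 0:01:49.95
IF-MIB::ifLastChange.10101 = Timeticks: (97498708) 11 days, 6:49:47.08
IF-MIB::ifLastChange.10108 = Timeticks: (11332) 0:01:53.32
"""
# Constructed sysUpTime (ticks) as read in the same poll as the walk.
SAMPLE_SYSUPTIME = 98000000

LINE_RE = re.compile(r"ifLastChange\.(\d+) = Timeticks: \((\d+)\)")


def parse_last_change(walk: str) -> Dict[int, int]:
    """Map ifIndex -> ifLastChange in TimeTicks (hundredths of a second)."""
    return {int(m.group(1)): int(m.group(2)) for m in LINE_RE.finditer(walk)}


def last_change_time(sys_uptime_ticks: int, last_change_ticks: int,
                     polled_at: Union[datetime, str]) -> datetime:
    """Wall-clock time of the last change: the poll time minus the ticks that
    elapsed since the change. sysUpTime is a 32-bit counter that wraps after
    about 497 days, so the difference is taken modulo 2**32."""
    if isinstance(polled_at, str):          # accept an ISO 8601 timestamp
        polled_at = datetime.fromisoformat(polled_at)
    elapsed = (sys_uptime_ticks - last_change_ticks) % (2 ** 32)
    return polled_at - timedelta(milliseconds=elapsed * 10)


def changed_since_boot(last_change_ticks: int, boot_window_ticks: int = 30000) -> bool:
    """False when the change happened inside the first boot_window_ticks
    (default 5 minutes) of uptime: the interface came up with the reload and
    the value says nothing about a later flap (compare 10108 with 10101 above)."""
    return last_change_ticks > boot_window_ticks


def report(walk: str, sys_uptime_ticks: int,
           polled_at: Union[datetime, str]) -> Dict[int, Tuple[datetime, bool]]:
    """ifIndex -> (time of last change, whether it changed after boot)."""
    return {idx: (last_change_time(sys_uptime_ticks, ticks, polled_at),
                  changed_since_boot(ticks))
            for idx, ticks in parse_last_change(walk).items()}
```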

Serial Interface Sync

The serial interface can be in a state where it is up but looped. This means that the circuit has a loop on the far side, but no connectivity to any other point.

In order to correctly read the status of the interface, use the option:

interface Serial0/0
down-when-looped

This will bring the status to:

Serial0/0 is up, line protocol is down (looped)
Hardware is PowerQUICC Serial

When the V.35 Layer 1 connection is actually established, HDLC will also sync, with the logs:


Serial0: HDLC myseq 3354903, mineseen 3354903*, yourseen 25701, line up
Serial0: HDLC myseq 3354904, mineseen 3354904*, yourseen 25702, line up
Serial0: HDLC myseq 3354905, mineseen 3354905*, yourseen 25703, line up
Serial0: HDLC myseq 3354906, mineseen 3354905, yourseen 25703, line up

May 28 14:12:54: %IP_SNMP-4-NOTRAPIP: SNMP trap source FastEthernet0/0 has no ip address
May 28 14:14:03: %IP_SNMP-4-NOTRAPIP: SNMP trap source FastEthernet0/0 has no ip address
6d03h: Serial0/0: HDLC myseq 53150, mineseen 53149*, yourseen 53150, line up (looped)
6d03h: Serial0/0: HDLC myseq 53151, mineseen 53150*, yourseen 53151, line up (looped)
6d03h: Serial0/0: attempting to restart
6d03h: PowerQUICC(0/0): DCD is up.

After this log, the serial will be in the state:

Serial0/0 is up, line protocol is up

Tuesday, May 19, 2009

Cisco 3750 Redundancy Test

The Cisco 3750 Catalyst Series offers high-class switching functionality such as StackWise support with a 32 Gbit dual ring (16+16G). This means that you have 32 Gigabit throughput between stack switches.

During some testing with 2 stacked switches, I was able to simulate a failure by issuing the command:

reload slot 2 -> This will reload switch 2 of the stack.

switch# reload ?
LINE Reason for reload
at Reload at a specific time/date
cancel Cancel pending reload
in Reload after a time interval
slot Slot number card
standby-cpu Standby RP


Switch# sh switch det
Switch/Stack Mac Address : 0021.XXXX.XXXX
                                           H/W   Current
Switch#  Role   Mac Address     Priority Version  State
----------------------------------------------------------
*1       Master 0021.XXXX.XXXX     15     1       Ready
 2       Member 0022.XXXX.XXXX     1      1       Ready


         Stack Port Status             Neighbors
Switch#  Port 1       Port 2           Port 1   Port 2
--------------------------------------------------------
  1        Down         Down            None     None
  2        Ok           Ok              1        1

Saturday, May 9, 2009

Unable to send a l2trace request to

How to detect and diagnose cabling problems using Time Domain Reflector (TDR) in Cisco devices

Goal: diagnose and resolve cabling problems
What it does: The device sends a signal through the cable and compares the reflected signal to the initial signal sent.

Important:
- Only works with 10/100/1000 copper
- SFP and copper 10/100 not supported

- Run it with the IOS Command:
test cable-diagnostics tdr interface <..>
show cable-diagnostics tdr interface

TDR will detect these cabling problems:
- Open, broken, or cut twisted-pair wires. The wires are not connected to the wires from the remote device.
- Shorted twisted-pair wires. The wires are touching each other or the wires from the remote device.

Example:
SWITCH# test cable-diagnostics tdr interface GigabitEthernet 1/0/47
TDR test started on interface Gi1/0/47
A TDR test can take a few seconds to run on an interface
Use 'show cable-diagnostics tdr' to read the TDR results.

SWITCH#show cable-diagnostics tdr interface GigabitEthernet 1/0/47
TDR test last run on: March 04 19:37:15

Interface Speed Local pair Pair length        Remote pair Pair status
--------- ----- ---------- ------------------ ----------- --------------------
Gi1/0/47  1000M Pair A     0    +/- 10 meters Pair B      Normal
                Pair B     0    +/- 10 meters Pair A      Normal
                Pair C     0    +/- 10 meters Pair D      Normal
                Pair D     0    +/- 10 meters Pair C      Normal


The PRBS test can only be executed for TenG interfaces:
SWITCH# test cable-diagnostics prbs start interface TenGigabitEthernet ?
<1-9> TenGigabitEthernet interface number

Friday, May 8, 2009

line protocol is down (err-disabled)

SWITCH#sh int G0/18
GigabitEthernet0/18 is down, line protocol is down (err-disabled)
Hardware is Gigabit Ethernet, address is 001f.7777.7777 (bia 7777.7777.7777)
Description: SWITCH-A
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not set
Auto-duplex, Auto-speed, link type is auto, media type is unknown
input flow-control is off, output flow-control is unsupported
ARP type ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of show interface counters never
Input queue 0/75/0/0 (size/max/drops/flushes); Total output drops 0
Queueing strategy fifo
Output queue 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out


Produced logs:
%LINK-5-CHANGED: Interface GigabitEthernet0/18, changed state to administratively down
%GBIC_SECURITY_CRYPT-4-VN_DATA_CRC_ERROR: GBIC in port Gi0/18 has bad crc
%PM-4-ERR_DISABLE: gbic-invalid error detected on Gi0/18, putting Gi0/18 in err-disable state
%LINK-3-UPDOWN: Interface GigabitEthernet0/18, changed state to down



This can be caused by a problem with the SFP: the logs show the switch rejecting the transceiver (bad CRC on the GBIC security data, err-disable cause gbic-invalid).
Check that the SFP is correctly seated, and that it is a Cisco SFP!

Sunday, March 29, 2009

Persistency of SNMP Ifindex

Some SNMP monitoring tools use the SNMP ifIndex directly to identify the interfaces they monitor. This causes no problem until you reload your router/switch.
The problem is that after a reload the ifIndex values are reassigned and might not come back in the same order.
To avoid this problem, use:

snmp-server ifindex persist

Saturday, February 28, 2009

6500 command logging in CLI

Question: Can I monitor which commands have been applied on a switch/router?

The answer is yes, it has always been possible with logging commands. The problem is that you always needed a syslog server, otherwise the logging buffer would be overwritten.

Now, you can do this another way:

archive
 log config
  logging enable
  logging size 200
  notify syslog
  hidekeys

Check the commands by typing:
show archive log config all

ASA Transparent Firewall Sample

: Saved
:
PIX Version 8.0(3)
!
firewall transparent
hostname pix-transp
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
!
interface Ethernet1
nameif inside
security-level 100
!
interface Ethernet2
shutdown
no nameif
no security-level
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list outside ethertype permit any
access-list inside ethertype permit any
access-list aclin_inside extended permit ip any any
access-list aclin_inside extended permit icmp any any
access-list aclin_outside extended permit ip any any
access-list aclin_outside extended permit icmp any any
pager lines 24
logging enable
logging buffered debugging
mtu inside 1500
mtu outside 1500
ip address 10.2.0.250 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
access-group inside in interface inside
access-group aclin_inside in interface inside
access-group outside in interface outside
access-group aclin_outside in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.2.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:32b608ef458b708a14ea2858b1df25a2
: end
asdm image flash:/asdm
no asdm history enable

Format an IOS Flash

router1#dir
%Error opening disk0:/ (Invalid DOS media or no media in slot)
router1#show disk0:
Unformatted Partition, please format it.

router1#format disk0:
Format operation may take a while. Continue? [confirm]
Format operation will destroy all data in "disk0:". Continue? [confirm]
Primary Partition created...Size 64 MB
Drive communication & 1st Sector Write OK...
Writing Monlib sectors....
Monlib write complete
Format: All system sectors written. OK...
Format: Total sectors in formatted partition: 131040
Format: Total bytes in formatted partition: 67092480
Format: Operation completed successfully.
Format of disk0: complete
router1#

Get Vlan Interface Index

sh vlan ifindex

will give you the mapping between the MIB ifIndex and the interface itself.

Tuesday, February 10, 2009

Check FWSM Resources

show resource allocation detail
show resource allo
sh resource usage
sh resource usage all
show np pc
show np block
show np all status

Thursday, January 29, 2009

How does DHCP relay redundancy work?

Having the following configuration:

interface X
ip helper-address 1.1.1.101
ip helper-address 1.1.1.102

This configures DHCP relay on the router. It receives the broadcast DHCP request and converts it into a unicast message sent to both DHCP servers.
The router "sees" the DHCPDISCOVER packet and forwards it to both addresses simultaneously. Then both DHCP servers will make an offer (DHCPOFFER), if they are up and received the request.
The client receives the offers one at a time, one first and then the other. If it finds an offer agreeable, it will send another broadcast, a DHCPREQUEST, specifically requesting those particular IP parameters. Why does the client broadcast the request instead of unicasting it to the server? A broadcast is used because the first message, the DHCPDISCOVER, may have reached more than one DHCP server. If more than one server makes an offer, the broadcast DHCPREQUEST lets the other servers know which offer was accepted. The offer accepted is usually the first offer received.
Sometimes, in order to make one server respond faster than the other, you can configure a response delay on the DHCP server. Also, for synchronization between DHCP servers, either they support this feature or you will have to split your subnet between the two servers without overlapping.

Wednesday, January 21, 2009

Continuous reload of standby unit - FWSM Failover Configuration Synchronization problem

The following error message can be printed on standby:
Config Sync Error: Following command could not be executed on standby

<>Context: <>
******REPLICATION OF CONFIGURATION FROM ACTIVE TO STANDBY UNIT IS INCOMPLETE, TO PREVENT THE STANDBY UNIT TAKING OVER AS ACTIVE WITH A PARTIAL CONFIGURATION, THE STANDBY UNIT WILL NOW REBOOT*******

The problem is that, for some reason, the failover replication stops because one of the commands was not accepted on the standby. For that reason, and to avoid inconsistent states, it reloads.
In fact, this happens on version 2.3(2). On versions 3.X.X I believe that the problem will not occur. The problem is related to the configuration status on the standby. When the maximum number of ACLs is reached on the blade (you can check it with the command "sh resource acl"), the standby unit will also get to this state, correctly synced. The problem in this situation was that when the active unit wanted to replicate the configuration at the ACL limit, the standby did not accept some of the rules and rejected at least one of the lines. This caused the situation.

How to fix it:

- Optimize your config and reduce your config size.

- If it does not sync correctly, clear the configuration on standby and sync it again.