Having the following configuration:
interface X
ip helper-address 1.1.1.101
ip helper-address 1.1.1.102
This will configure DHCP relay in the router. It receives a broadcast DHCP request and converts it into a unicast message directed exclusivly to both DHCP servers.
The router "sees" the DHCPDISCOVER packet and forwards it to bothaddresses simultaneously. Then, both DHCP servers will make an offer (DHCPOFFER), if they are up and received the request.
The client will receive each offer at one time, one first then the other. if it finds the offer agreeable, itwill send another broadcast, a DHCPREQUEST, specifically requestingthose particular IP parameters. Why does the client broadcast therequest instead of unicasting it to the server? A broadcast is usedbecause the first message, the DHCPDISCOVER, may have reached more thanone DHCP server. If more than one server makes an offer, thebroadcasted DHCPREQUEST allows the other servers to know which offerwas accepted. The offer accepted is usually the first offer received.
Sometimes, in other to make one server responde faster then the other, you can configure the delay of response in the DHCP server.Also, for sincronization between DCHP server, either they support this feature or you will have to have your subnet divided betweenthe 2 servers without overlapping.
Thursday, January 29, 2009
Wednesday, January 21, 2009
Continuous reload of standby unit - FWSM Failover Configuration Syncronization problem
The following error message can be printed on standby:
Config Sync Error: Following command could not be executed on standby
<>Context: <>
******REPLICATION OF CONFIGURATION FROM ACTIVE TO STANDBY UNIT IS INCOMPLETE, TO PREVENT THE STANDBY UNIT TAKING OVER AS ACTIVE WITH A PARTIAL CONFIGURATION, THE STANDBY UNIT WILL NOW REBOOT*******
The problem is that for some reason, the failover replication is stopped because one of the commands was not accepted on standby. For that reason and to avoid inconsistence states, it reloads.
In fact, the happens on version 2.3(2). On versions 3.X.X I believe that the problem will not occur. The problem is related to the configuration status on standby. When the maximum acl is achived on the blade (you can check it with thecommand "sh resource acl") the standby unit will also get to this state correctly synced. The problem in this situation was that when the active unit wanted to replicate the configuration in the limit acl config, the standby did not accept some of the rules and rejected at least one of the lines. This caused this situation.
How to fix it:
- Optimize your config and reduce your config size.
- If it does not sync correctly, clear the configuration on standby and sync it again.
Sunday, December 21, 2008
Rack Unit Size
For Europeans information, the size of Rack Unit is:
1 Rack unit = 4.44500 centimeters
1 Rack unit = 4.44500 centimeters
Wednesday, November 5, 2008
Vlan configuration mismatch on FWSM and pseudo-Standby state
There are some conditions that can lead fwsm failover pair to go to the pseudo-Standby state. This is caused because there is a vlan mismatch between the 2 fwsm in failover mode.
In the pseudo-standby blade, you will find when you try to activate the standby unit with the command:
failover
you get:
Detected an Active mate
Vlan configuration mismatch
Failover will be disabled
After checking the configuration on context system, verifying the firewall vlan-group on both supervisors, all the configurations are exactly the same.
The problem can only be seen if you type "show vlan" in the system context. This command will show you exactly which interfaces are used by the fwsm. You will find any inconsistence by comparing the output of "show vlan" in both system contexts.
To fix the problem, remove the vlan from the supervisor and add it again.
For example, if the inconsistence is with the vlan 10, do the following on both modules:
no firewall vlan-group 1 10
firewall vlan-group 1 10
After this compare again the "show vlan" command and verify that the inconsistence is gone.
Now , type the following command in the pseudo-standby one:
failover
You will see it syncing config.
The status will change in this sequence in the "show failover" (this happened in the primary unit):
This host: Primary - Cold Standby
..
This host: Primary - Sync Config
..
End configuration replication from mate.
..
This host: Primary - Bulk Sync
..
This host: Primary - Standby Ready
Good luck! :)
In the pseudo-standby blade, you will find when you try to activate the standby unit with the command:
failover
you get:
Detected an Active mate
Vlan configuration mismatch
Failover will be disabled
After checking the configuration on context system, verifying the firewall vlan-group on both supervisors, all the configurations are exactly the same.
The problem can only be seen if you type "show vlan" in the system context. This command will show you exactly which interfaces are used by the fwsm. You will find any inconsistence by comparing the output of "show vlan" in both system contexts.
To fix the problem, remove the vlan from the supervisor and add it again.
For example, if the inconsistence is with the vlan 10, do the following on both modules:
no firewall vlan-group 1 10
firewall vlan-group 1 10
After this compare again the "show vlan" command and verify that the inconsistence is gone.
Now , type the following command in the pseudo-standby one:
failover
You will see it syncing config.
The status will change in this sequence in the "show failover" (this happened in the primary unit):
This host: Primary - Cold Standby
..
This host: Primary - Sync Config
..
End configuration replication from mate.
..
This host: Primary - Bulk Sync
..
This host: Primary - Standby Ready
Good luck! :)
Saturday, November 1, 2008
ASA Virtualization context configuration
ASA licensing will allow you or not to use virtual contexts.
In order to use them, will will have first to change the mode of the firewall:
firewall(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm] yes
After the reboot, just create your admin-context
firewall(config)#
firewall(config)# admin-context admin
Creating context 'admin'... Done. (13)
Alocating interfaces:
firewall(config)# context admin
firewall(config-ctx)# allocate-interface GigabitEthernet0/0.101
firewall(config-ctx)# allocate-interface GigabitEthernet0/1.102
firewall(config-ctx)# allocate-interface Management0/0
firewall(config-ctx)# config-url disk0:/admin.cfg
in FWSM you can add Vlans L3 as interfaces:
fwsm(config)# context Internet
fwsm(config-ctx)# allocate-interface Vlan1000
fwsm(config-ctx)# allocate-interface Vlan1001
fwsm(config-ctx)# config-url disk0:/internet.cfg
In order to use them, will will have first to change the mode of the firewall:
firewall(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm] yes
After the reboot, just create your admin-context
firewall(config)#
firewall(config)# admin-context admin
Creating context 'admin'... Done. (13)
Alocating interfaces:
firewall(config)# context admin
firewall(config-ctx)# allocate-interface GigabitEthernet0/0.101
firewall(config-ctx)# allocate-interface GigabitEthernet0/1.102
firewall(config-ctx)# allocate-interface Management0/0
firewall(config-ctx)# config-url disk0:/admin.cfg
in FWSM you can add Vlans L3 as interfaces:
fwsm(config)# context Internet
fwsm(config-ctx)# allocate-interface Vlan1000
fwsm(config-ctx)# allocate-interface Vlan1001
fwsm(config-ctx)# config-url disk0:/internet.cfg
Wednesday, October 29, 2008
FWSM/ASA/PIX must have generated certicate for ssh session to be established
In order to iniciate an SSH session to the firewall , you must enter the following command:
Prior to version FWSM 2.X or PIX 6.X:
ca generate rsa key 1024
After those version use:
crypto key generate rsa modulus 1024
Prior to version FWSM 2.X or PIX 6.X:
ca generate rsa key 1024
After those version use:
crypto key generate rsa modulus 1024
Monday, October 27, 2008
6513 Slot Usage for WS-67XX (WS-X6816-GBIC, WS-X6748-GE-TX, WS-X6704-10GE, WS-X6708-10GE-3C, WS-X6708-10GE-3CX, WS-X6748-SFP)
In Cisco Catalyst 6513, the dual fabric slots must be inserted in the module 9 - 13.
-WS-X6816-GBIC
- WS-X6748-GE-TX
- WS-X6704-10GE
- WS-X6708-10GE-3C
- WS-X6708-10GE-3CX
- WS-X6748-SFP
Only 9 - 13 are dual fabric as oposed to 1-6 which are single fabric.For the Cisco Catalyst 6509, all the slots are dual fabric.
-WS-X6816-GBIC
- WS-X6748-GE-TX
- WS-X6704-10GE
- WS-X6708-10GE-3C
- WS-X6708-10GE-3CX
- WS-X6748-SFP
Only 9 - 13 are dual fabric as oposed to 1-6 which are single fabric.For the Cisco Catalyst 6509, all the slots are dual fabric.
Thursday, October 23, 2008
IOS Extended Ping in a single line in CLI
Extended ping can be very annoying if you are doing it for several hours in a troubleshooting session.
ping vrfip 10.0.0.10 data 0000 repeat 500 size 18000 validate source Vlan111
ping vrf
Tuesday, October 14, 2008
Check Switch Temperature
sh env all
FAN is OK
TEMPERATURE is OK
Temperature Value: 55 Degree Celsius
Temperature State: GREEN
Yellow Threshold : 56 Degree Celsius
Red Threshold : 66 Degree Celsius
SW PID Serial# Status Sys Pwr PoE Pwr Watts
-- ------------------ ---------- --------------- ------- ------- ----- 1 Fixed Good
SW Status RPS Name RPS Serial# RPS Port#
-- ------------- ---------------- ----------- ---------
1 Not Present <>
FAN is OK
TEMPERATURE is OK
Temperature Value: 55 Degree Celsius
Temperature State: GREEN
Yellow Threshold : 56 Degree Celsius
Red Threshold : 66 Degree Celsius
SW PID Serial# Status Sys Pwr PoE Pwr Watts
-- ------------------ ---------- --------------- ------- ------- ----- 1 Fixed Good
SW Status RPS Name RPS Serial# RPS Port#
-- ------------- ---------------- ----------- ---------
1 Not Present <>
Saturday, September 27, 2008
Howto FWSM Hardware reset
Sometimes ... and unfortunatly ... the FWSM is not that stable. It has happened that, in a FWSM failover pair, when one fails, the other doesn't take over and simply hangs. In order to reset the blade run this command in the supervisor:
hw-mod module 9 reset (for module 9)
hw-mod module 9 shutdown (power off to the module. Keep in mind that if the 6500/7600 is reloaded, the FWSM blade will power on anyway, even if previously this command has been called)
hw-mod module 9 reset (for module 9)
hw-mod module 9 shutdown (power off to the module. Keep in mind that if the 6500/7600 is reloaded, the FWSM blade will power on anyway, even if previously this command has been called)
Howto enable TACACS in CATOS
Although CATOS is becaming history, they are still produtive and running quite well ... so we still have to live with them.
When integrating the login cli with tacacs ... here are the commands:
set tacacs server primary
set tacacs key
set authentication login local enable telnet
set authentication login tacacs enable telnet primary
When integrating the login cli with tacacs ... here are the commands:
set tacacs server
set tacacs key
set authentication login local enable telnet
set authentication login tacacs enable telnet primary
Secrets about traceroute
Traceroute is a protocol that can work with icmp or udp:
Windows - ICMP
Unix, Linux and IOS - UDP.
This means that, when you are running a connetivity test using traceroute, the results will different depending on the OS you are using. The reason is because icmp might be open in a firewall while UDP won't.
If you are using icmp traceroute, icmp will be open.
If you are using udp, the following udp ports must be open: 33434-33534
Windows - ICMP
Unix, Linux and IOS - UDP.
This means that, when you are running a connetivity test using traceroute, the results will different depending on the OS you are using. The reason is because icmp might be open in a firewall while UDP won't.
If you are using icmp traceroute, icmp will be open.
If you are using udp, the following udp ports must be open: 33434-33534
Howto Connect a modem to a Cisco Router Console
The goal is to control remotely a Cisco Router, connecting directly to console port. It was done with a US Robotics Courier 56k Business Modem, PN USR813453C.
Some tips:
- In the bottom of the router, select the DIPS 1,7 ,10 down and all the other up
- Connect the db-25 adapter to the modem
- Connect the db-9 blue cisco cable to the console
Some tips:
- In the bottom of the router, select the DIPS 1,7 ,10 down and all the other up
- Connect the db-25 adapter to the modem
- Connect the db-9 blue cisco cable to the console
My first post ...
Well ... I'ts been some time that I wanted to start a blog ... today is the kickoff. I am Cisco Fellow, working in the networking industry for quite a while. My main goal is to post here some of my daily work problems that can help some others with the same problemas ... enjoy!
Subscribe to:
Posts (Atom)