LACP hash between N3048 and Cisco SG300/SG200 + question on Twinax direct attach cables
Hello
In my network I have deployed two new N3048s with two SFP+ transceivers and the rear SFP+ module; as core switches they are connected to three other edge N2048 switches using optical fibre, and I reused my previous Cisco SG300 and SG200 to serve the other two buildings of my campus over copper.
I have 4 copper cables which run from the SG300 site and 2 from the SG200 site. I set up redundant connections using 2+2 with the SG300 and 1+1 with the SG200 via RSTP.
So for the SG300 I rebuilt a LAG with LACP to have two channels toward the N3048 ports, but for now only a single cable is connected because I don't know which LACP hash mode I should set on the N3048 to have a hash compatible between the Dell and Cisco switches.
My N3048 has mode 7 (advanced hash) as default, but I guess the Cisco models do not understand it... so which mode is best for LACP to work perfectly with Cisco Small Business switches?
I also received my Twinax cables to connect my two N3048s via the rear SFP+ modules... can I hot-plug the cables into the SFP+ slots (already mounted) without turning off my core switches?
Thank you!
See you soon
Cables can be connected/disconnected, but I don't know if the rear SFP+ module of the N3000 itself is hot-pluggable.
Tags: Dell Switches
Similar Questions
-
VPN between ASA and cisco router [phase2 question]
Hi all
I have a problem with an IPsec VPN between an ASA and a Cisco router.
I think there is a problem in phase 2.
Can you please guide me where the problem could be?
I suspect the ACLs on the router, but I cannot fix it. The ACL on the router is specified below. Looking forward to your help.
Phase 1 looks like this:
Cisco_router#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
78.x.x.41       87.x.x.4        QM_IDLE           2006    0 ACTIVE

and ASA

ASA# sh crypto isakmp sa
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 78.x.x.41
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

Phase 2 on ASA

ASA# sh crypto ipsec sa
interface: Outside
    Crypto map tag: Outside_map, seq num: 20, local addr: 87.x.x.4

      access-list Outside_cryptomap_20 permit ip 172.19.209.0 255.255.255.0 172.19.194.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
      current_peer: 78.x.x.41

      #pkts encaps: 8813, #pkts encrypt: 8813, #pkts digest: 8813
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 8813, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 87.x.x.4, remote crypto endpt.: 78.x.x.41

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: C96393AB

    inbound esp sas:
      spi: 0x3E9D820B (1050509835)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 7, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4275000/3025)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xC96393AB (3378746283)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 7, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4274994/3023)
         IV size: 8 bytes
         replay detection support: Y

Phase 2 on cisco router

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
   current_peer 87.x.x.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 78.x.x.41, remote crypto endpt.: 87.x.x.4
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
   current_peer 87.x.x.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 8947, #pkts decrypt: 8947, #pkts verify: 8947
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 78.x.x.41, remote crypto endpt.: 87.x.x.4
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
     current outbound spi: 0x3E9D820B(1050509835)

     inbound esp sas:
      spi: 0xC96393AB(3378746283)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 29, flow_id: Motorola SEC 1.0:29, crypto map: mycryptomap
        sa timing: remaining key lifetime (k/sec): (4393981/1196)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3E9D820B(1050509835)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 30, flow_id: Motorola SEC 1.0:30, crypto map: mycryptomap
        sa timing: remaining key lifetime (k/sec): (4394007/1196)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

The VPN configuration on the cisco router is below:

access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
access-list 101 permit ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 log
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
access-list 101 permit ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 log
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
access-list 101 permit ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 log

access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
access-list 105 deny ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 log
access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
access-list 105 deny ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 log
access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
access-list 105 deny ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 log

route-map sheep permit 10
 match ip address 105

crypto ipsec transform-set mytransformset esp-3des esp-md5-hmac

crypto map mycryptomap 100 ipsec-isakmp
 set peer 87.x.x.4
 set transform-set mytransformset
 match address 101

crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxx2011 address 87.x.x.4

Your permit statement in ACL 105 should be moved to the bottom, because it is the most general entry.
You currently have:
Extended IP access list 105
    5 permit ip 172.19.194.0 0.0.0.255 any (18585 matches)
    10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
    30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
    50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
It should be:
Extended IP access list 105
    10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
    30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
    50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
    60 permit ip 172.19.194.0 0.0.0.255 any (18585 matches)
To remove it and add it at the bottom:
ip access-list extended 105
 no 5
 60 permit ip 172.19.194.0 0.0.0.255 any
Then 'clear ip nat trans'
and it should work now.
-
Difference between Cisco Unity and Cisco Unity Connection
What are the main differences between Cisco Unity and Cisco Unity Connection (version 7)?
For example: 1. In Cisco Unity the servers are in active-failover mode, and in Unity Connection the servers are in active-active mode.
2. Cisco Unity does unified messaging, Unity Connection does integrated messaging.
What is the major difference between Unified Messaging and Integrated Messaging?
Please provide some points of difference between the two...
This may well be true today, but the gap could soon close... or even disappear. Cisco is currently in EFT (early field trial) or "beta" testing of Unity Connection 8.5(1), which aims to add Unified Messaging features to Unity Connection using WebDAV for Exchange 2003 and Exchange Web Services (EWS) for Exchange 2007/2010. Just a nugget to think about when you consider the timing of your client's install and which platform would be best suited to most environments. Take a look at this blog for more information/thoughts:
Hailey
Please rate useful posts!
-
EZVPN between ASA and Cisco 2801
Hi Experts,
I need help establishing EZVPN. I have a Cisco 2801 with the following configuration:
router version 12.4(24)T3 (advanceipservicesk9)

crypto ipsec client ezvpn BOS-BACKUP
 connect auto
 group bosnsw key clar3nc3
 mode client
 peer 202.47.85.1
 xauth userid mode interactive

interface FastEthernet0/0
 ip address 10.80.3.85 255.255.255.0
 duplex auto
 speed auto
 crypto ipsec client ezvpn BOS-BACKUP inside

interface Cellular0/1/0
 ip address negotiated
 encapsulation ppp
 load-interval 60
 dialer in-band
 dialer string gsm
 dialer-group 2
 async mode interactive
 no fair-queue
 ppp chap hostname <hostname>
 ppp chap password 0 dummy
 ppp ipcp dns request
 crypto ipsec client ezvpn BOS-BACKUP
!
ip route 0.0.0.0 0.0.0.0 Cellular0/1/0
!
dialer-list 2 protocol ip permit

The cellular interface is up and the router is able to ping the VPN endpoint:
Router#ping 202.47.85.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.47.85.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 396/473/780 ms

The ASA configuration:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
username bosnsw password UaV1j04bjTagjYnj encrypted privilege 0
username bosnsw attributes
 vpn-group-policy DfltGrpPolicy
 vpn-tunnel-protocol IPSec l2tp-ipsec
 no vpn-framed-ip-address
tunnel-group bosnsw type remote-access
tunnel-group bosnsw general-attributes
 address-pool BOS_CORPORATE
 no ipv6-address-pool
 authentication-server-group ACS_AUTH LOCAL
 no secondary-authentication-server-group
 no accounting-server-group
 default-group-policy BOS_CORPORATE
 no dhcp-server
 no strip-realm
 no password-management
 no override-account-disable
 no strip-group
 authorization-required
 username-from-certificate CN OU
 secondary-username-from-certificate CN OU
 authentication-attr-from-server primary
 authenticated-session-username primary
tunnel-group bosnsw webvpn-attributes
 hic-fail-group-policy DfltGrpPolicy
 customization DfltCustomization
 authentication aaa
 no override-svc-download
 no radius-reject-message
 no proxy-auth sdi
 no pre-fill-username ssl-client
 no pre-fill-username clientless
 no secondary-pre-fill-username ssl-client
 no secondary-pre-fill-username clientless
 dns-group DefaultDNS
 no without-csd
tunnel-group bosnsw ipsec-attributes
 pre-shared-key *
 peer-id-validate req
 no chain
 no trust-point
 isakmp keepalive threshold 300 retry 2
 no radius-sdi-xauth
 isakmp ikev1-user-authentication xauth

BOS-NRD-IT-FW1# sh cry isa sa
   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 112.213.172.108
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_TM_INIT_XAUTH_V6H

I've attached the debug output of the router and the firewall. Hope someone can shed some light on this issue. Thanks in advance.
That is correct! You must configure network extension mode if you want to change the IP address.
Here is the guide to configure the router and ASA in network extension mode. Hope you find it useful.
Thank you
Françoise
-
OSPF between 6224 and Cisco please!
Is it easily possible to exchange routes between a 6224 and a Cisco 7204 using OSPF? My Cisco has always used EIGRP between all other routers.
I have OSPF enabled on the Cisco as follows:
router ospf 100
 log-adjacency-changes
 redistribute eigrp 1 subnets
 network 172.0.0.0 0.0.0.0 area 1

What exactly should I tell the 6224 to accept the Cisco routes?
I can find samples for the 6024, but not the 6224.
-
Active FTP problem between Checkpoint and Cisco PIX
Hello
I am facing a strange problem.
Many of our customers have deployed a Checkpoint FW-1/VPN-1 4.1 SP6 (the last before NG). When they try to connect to an FTP server located behind a Cisco PIX firewall, they are not able to transfer data: the connection is established, the authentication follows, but at the 'LIST' stage the connection 'freezes' and the user must close the FTP client.
Users face this problem ONLY in active mode: passive mode works very well. Turning on passive mode in the FTP client isn't an acceptable workaround for most of my clients.
The problem seems to be related only to the Cisco PIX firewall and active FTP.
Please, has someone encountered the same problem?
Could someone give me any help?
Thank you in advance.
Paolo
Yes, it is a (global) problem, even with the latest Checkpoint firewalls. What happens with active FTP is that each command (get, list, etc.) causes another logon from the client (source port) to the server on port 21. If you run netstat from the client you can check this for yourself.
What normally happens with HTTP, FTP, telnet and the like is that the client makes a connection to port 21, 23 etc. and then returns with a source port such as 1936, 1980, 3000, etc.
The connection problem with stateful firewalls is that they do not allow multiple sessions from control port numbers to a destination, just as a source port can be bound to a destination port, in this case 21 for FTP. I don't see this changing any time soon, since it is an extreme security risk: someone else might be hopping sessions, and blocking this type of traffic is what stateful firewalls are all about, and FTP servers are probably the most pirated machines on the planet.
You've mentioned the workaround solution; unfortunately that's the only way, change your clients to passive. I think that Unix/Linux clients have a problem with this. Changing your FTP server can also help; there are multiple servers that can be configured to disable active FTP, I wouldn't know exactly, I only do network & firewall... maybe someone else can comment on this...
-
My question is: is it possible for me to fix this error at the level of the external table definition? Please advise.
Here is the data file I am trying to load...
KSEA|2015-08-10 - 17.00.00|83.000000|32.000000|5.800000
KBFI|2015-08-06 - 15.00.00|78.000000|35.000000|0.000000
KSEA|2015-08-10 - 11.00.00|73.000000|55.000000|5.800000
KSEA|2015-08-08 - 05.00.00|61.000000|90.000000|5.800000
KBFI|2015-08-06 - 16.00.00|78.000000|36.000000|5.800000
KSEA|2015-08-07 - 18.00.00|82.000000|31.000000|10.400000
KSEA|2015-08-10 - 00.00.00|65.000000|61.000000|4.600000
KBFI|2015-08-08 - 07.00.00|63.000000|84.000000|4.600000
KSEA|2015-08-10 - 15.00.00|81.000000|34.000000|8.100000
This is the external table script
CREATE TABLE "MWATCH"."WEATHER_EXT"
(
  LOCATION_SAN      VARCHAR2(120 BYTE),
  WEATHER_DATETIME  DATE,
  TEMPERATURE       NUMBER(16),
  MOISTURE          NUMBER(16),
  WIND_SPEED        NUMBER(16)
)
ORGANIZATION EXTERNAL
(TYPE ORACLE_LOADER
 DEFAULT DIRECTORY METERWATCH
 ACCESS PARAMETERS
 (records delimited by newline
  badfile 'METERWATCH':'weather_bad' logfile 'METERWATCH':'weather_log'
  fields terminated by '|' missing field values are null
  (location_san, WEATHER_DATETIME char date_format DATE mask "YYYY-mm-dd - hh.mi.ss", TEMPERATURE, MOISTURE, wind_speed)
 )
 LOCATION (METERWATCH:'weather.dat')
)
REJECT LIMIT UNLIMITED
PARALLEL (DEGREE 5 INSTANCES 1)
NOMONITORING;
Here are the errors in the generated weather_bad and weather_log files...
error processing column WEATHER_DATETIME in row 1 for datafile /export/home/camsdocd/meterwatch/weather.dat
ORA-01849: hour must be between 1 and 12
error processing column WEATHER_DATETIME in row 2 for datafile /export/home/camsdocd/meterwatch/weather.dat
ORA-01849: hour must be between 1 and 12
error processing column WEATHER_DATETIME in row 5 for datafile /export/home/camsdocd/meterwatch/weather.dat
ORA-01849: hour must be between 1 and 12
error processing column WEATHER_DATETIME in row 6 for datafile /export/home/camsdocd/meterwatch/weather.dat
ORA-01849: hour must be between 1 and 12
error processing column WEATHER_DATETIME in row 7 for datafile /export/home/camsdocd/meterwatch/weather.dat
ORA-01849: hour must be between 1 and 12
error processing column WEATHER_DATETIME in row 9 for datafile /export/home/camsdocd/meterwatch/weather.dat
ORA-01849: hour must be between 1 and 12
Yes, it is possible. Let's look at your date mask. You're masking for 12-hour format when your data is in 24-hour format. Change your date mask to "YYYY-mm-dd - hh24.mi.ss". Notice the change in "BOLD".
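Added example (Python, not from the thread): it emulates how ORACLE_LOADER applies the two masks to a constructed copy of the nine rows above. Under the 12-hour "hh" mask every row whose hour is 0 or above 12 is rejected with ORA-01849, which turns out to be exactly rows 1, 2, 5, 6, 7 and 9 named in the log; under "hh24" all nine load. The mask-to-strptime mapping is my own simplification and covers only these two masks.

```python
from datetime import datetime

# Constructed copy of the nine pipe-delimited rows from the post.
WEATHER_DAT = """\
KSEA|2015-08-10 - 17.00.00|83.000000|32.000000|5.800000
KBFI|2015-08-06 - 15.00.00|78.000000|35.000000|0.000000
KSEA|2015-08-10 - 11.00.00|73.000000|55.000000|5.800000
KSEA|2015-08-08 - 05.00.00|61.000000|90.000000|5.800000
KBFI|2015-08-06 - 16.00.00|78.000000|36.000000|5.800000
KSEA|2015-08-07 - 18.00.00|82.000000|31.000000|10.400000
KSEA|2015-08-10 - 00.00.00|65.000000|61.000000|4.600000
KBFI|2015-08-08 - 07.00.00|63.000000|84.000000|4.600000
KSEA|2015-08-10 - 15.00.00|81.000000|34.000000|8.100000
"""

# Simplified translation of the two Oracle masks discussed in the thread into
# strptime directives (assumption: only these two masks are modelled).
MASKS = {
    "YYYY-mm-dd - hh.mi.ss": "%Y-%m-%d - %I.%M.%S",    # 12-hour: hour must be 1..12
    "YYYY-mm-dd - hh24.mi.ss": "%Y-%m-%d - %H.%M.%S",  # 24-hour: hour may be 0..23
}


def parse_weather_datetime(text, mask):
    """Return a datetime, or None where Oracle would raise ORA-01849 for this mask."""
    try:
        return datetime.strptime(text, MASKS[mask])
    except ValueError:
        return None


def load_rows(data, mask):
    """Emulate the external table read: (accepted rows, rejected 1-based row numbers)."""
    accepted, rejected = [], []
    for row_no, line in enumerate(data.splitlines(), start=1):
        fields = line.split("|")
        if len(fields) != 5:
            rejected.append(row_no)      # malformed row: would land in the bad file
            continue
        station, when, temp, moisture, wind = fields
        stamp = parse_weather_datetime(when, mask)
        if stamp is None:
            rejected.append(row_no)      # ORA-01849 under this mask
            continue
        accepted.append((station, stamp, float(temp), float(moisture), float(wind)))
    return accepted, rejected


if __name__ == "__main__":
    for mask in MASKS:
        ok, bad = load_rows(WEATHER_DAT, mask)
        print(f'mask "{mask}": {len(ok)} rows loaded, rejected rows {bad}')
```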
-
Cannot connect the Cisco SG300-28P to another Cisco switch and pass traffic through VLANs
I'm trying to connect the Cisco SG300-28P switch to another switch and pass 2 VLANs between them. Not doing any trunking. If I connect a computer to the port on the SG300-28P I can access VLAN 2 and get a DHCP address. However, when I connect that port to another switch and then connect to a port on that secondary switch, I am unable to access VLAN 2 and pull an IP address. I checked that the secondary switch (WS-C3560G-48PS-S) works when connected to the other 3500s, but not to this latest SG300-28P. Here's the configuration for both; I'm leaving out areas that shouldn't matter and will add them if necessary. I'm trying to connect SG300-28P port 26 to WS-C3560 port 1. Once again, if I connect a computer to port 26 on the SG300-28P I can access VLAN 2 as expected, but not when I connect to port 2 on the secondary switch.
Cisco SG300-28P
!
interface vlan 1
 name Internet
!
interface vlan 2
 name LAN
 ip address 172.20.5.11 255.255.0.0
 no ip address dhcp      (this is the VLAN I'm moving)
!
interface vlan 3
 name Private
!
interface vlan 4
 name Nortel
!
interface vlan 101
 name Video_Project
!
interface gigabitethernet26
 description VLAN2-ACCESS-CISCO3500
 switchport mode access
 switchport access vlan 2      (this goes to port 1 on the other Cisco 3500 switch to provide access to VLAN 2)

Cisco 3500
!
interface Vlan1
 description NATCO Internet
 no ip address
 no ip route-cache
 no ip mroute-cache
!
interface Vlan2
 description NATCO LAN
 ip address 172.20.5.13 255.255.0.0
 no ip route-cache
 no ip mroute-cache      (this is the VLAN I'm moving)
!
interface Vlan3
 description LHPrivate
 no ip address
 no ip route-cache
 no ip mroute-cache
!
interface GigabitEthernet0/1
 switchport access vlan 2      (this is the port that I connect to the SG300-28P)
!
interface GigabitEthernet0/2
 switchport access vlan 2      (this is the port I hang my computer on when trying to access VLAN 2 on the other switch)

Hello
Yes, STP is the problem here. As you can see in your output from the Cisco 3500 switch, port Gi0/1 is BKN (BKN is a shortened form of "Broken").
This is caused by an incompatibility between the STP versions used by the two switches. Small Business switches (including the SG300 series) use legacy STP or Rapid STP (your case), but Enterprise models (such as the Catalyst 3500) use PVST+ (the per-VLAN spanning tree version of STP).
The two versions are compatible between a group of switches only under certain conditions. An important condition is that both switchports need to use VLAN 1 as the access/native VLAN and not any other VLAN number.
So to make your communication work, you must:
- disable STP at least on the Cisco 3500 switch:
  - globally (Switch(config)# no spanning-tree vlan 2)
  - or per interface (Switch(config-if)# no spanning-tree vlan 2)
- change the configuration of your connection between the two switches as follows:
  - change the switchport mode to trunk (switchport mode trunk)
  - make VLAN 1 the native VLAN (switchport trunk native vlan 1)
  - carry VLAN 2 as a tagged VLAN on that trunk (switchport trunk allowed vlan add 2)
-
LAN-to-LAN tunnel between VPN 3000 and Cisco 1721
Hello
I have a working LAN-to-LAN tunnel configuration between a VPN 3000 (3.6) and a Cisco 1721 (12.2(11)T).
When I use encryption = DES-56 and authentication = ESP/MD5/HMAC-128 for the IPSec Security Association, everything works fine.
However, I would like to turn off encryption for some time to get the speed improvements, so I changed
encryption = esp-null (on the 1721) and to "null" on the VPN-3000.
Now the tunnel is set up but I can pass only ICMP traffic. When I pass UDP/TCP traffic the message below appears on the Cisco 1721:
%C1700_EM-1-ERROR: error in packet-rx: pad size error, id 75, hen offset 0
Has anyone seen this behavior?
Has anyone set up an IPSec tunnel with only ESP authentication and NO encryption between a VPN-3000 and a Cisco 1721?
Thanx
------
Naman
Naman,
Did you disable the VPN accelerator? "no crypto engine accelerator". I'm sure you can't do null with the VPN module.
Kurtis Durrett
-
Difference between Cisco NAC Agent and Cisco Clean Access Agent
Hi all
If anyone has an idea of the difference between the Cisco NAC Agent and the Cisco Clean Access Agent, please let us know your ideas.
Thank you
In 4.6, the agent was revised and is now called the NAC Agent. Previous versions were called the Clean Access Agent. So roughly, the 4.5 and 4.1.3.2 agents are Clean Access Agents, and the 4.6.x and 4.7.x agents are called NAC Agents.
Some of the changes are moving a lot of the agent configuration into an XML file, a redesign of the GUI, adding a service component (so that the agent stub is no longer necessary) and better agent logging.
-
Problem with IPsec VPN between ASA and Cisco router - ping gets no response
Hello
I don't know why the IPsec VPN does not work. This is my setup (IPsec VPN between ASA and R2):
My network topology:
LAN1 connects to ASA-1 (inside)
PC - 10.0.1.3 255.255.255.0, gateway 10.0.1.1
ASA - GigabitEthernet 1: 10.0.1.1 255.255.255.0
-----------------------------------------------------------------
ASA-1 connects to R1 (outside)
ASA - GigabitEthernet 0: 172.30.1.2 255.255.255.252
R1 - FastEthernet 0/0: 172.30.1.1 255.255.255.252
---------------------------------------------------------------------
R1 connects to R2
R1 - FastEthernet 0/1: 172.30.2.1 255.255.255.252
R2 - FastEthernet 0/1: 172.30.2.2 255.255.255.252
--------------------------------------------------------------------
R2 connects to LAN2
R2 - FastEthernet 0/0: 10.0.2.1 255.255.255.0
PC - 10.0.2.3 255.255.255.0, gateway 10.0.2.1
ASA configuration:
interface GigabitEthernet 1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
 no shutdown
interface GigabitEthernet 0
 nameif outside
 security-level 0
 ip address 172.30.1.2 255.255.255.252
 no shutdown
route outside 0.0.0.0 0.0.0.0 172.30.1.1
------------------------------------------------------------
access-list LAN1-to-LAN2 extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
object network obj-local
 subnet 10.0.1.0 255.255.255.0
object network obj-remote
 subnet 10.0.2.0 255.255.255.0
nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote no-proxy-arp
-----------------------------------------------------------
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 3600
crypto ikev1 enable outside
crypto isakmp identity address
------------------------------------------------------------
tunnel-group 172.30.2.2 type ipsec-l2l
tunnel-group 172.30.2.2 ipsec-attributes
 ikev1 pre-shared-key cisco123
crypto ipsec ikev1 transform-set ASA1TS esp-aes-192 esp-sha-hmac
-------------------------------------------------------------
crypto map ASA1VPN 10 match address LAN1-to-LAN2
crypto map ASA1VPN 10 set peer 172.30.2.2
crypto map ASA1VPN 10 set ikev1 transform-set ASA1TS
crypto map ASA1VPN 10 set security-association lifetime seconds 3600
crypto map ASA1VPN interface outside

R2 configuration:
interface fastEthernet 0/0
 ip address 10.0.2.1 255.255.255.0
 no shutdown
interface fastEthernet 0/1
 ip address 172.30.2.2 255.255.255.252
 no shutdown
-----------------------------------------------------
router rip
 version 2
 network 10.0.2.0
 network 172.30.2.0
------------------------------------------------------
access-list 102 permit ahp host 172.30.1.2 host 172.30.2.2
access-list 102 permit esp host 172.30.1.2 host 172.30.2.2
access-list 102 permit udp host 172.30.1.2 host 172.30.2.2 eq isakmp
interface fastEthernet 0/1
 ip access-group 102 in
------------------------------------------------------
crypto isakmp policy 110
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 42300
------------------------------------------------------
crypto isakmp key cisco123 address 172.30.1.2
-----------------------------------------------------
crypto ipsec transform-set R2TS esp-aes 128
------------------------------------------------------
access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
------------------------------------------------------
crypto map R2VPN 10 ipsec-isakmp
 match address 101
 set peer 172.30.1.2
 set pfs group1
 set transform-set R2TS
 set security-association lifetime seconds 86400
interface fastEthernet 0/1
 crypto map R2VPN

I don't know what the problem is.
Thank you
If RIP is not absolutely necessary for you, try adding a default route on R2:
ip route 0.0.0.0 0.0.0.0 172.16.2.1
If you really want to use RIP, add a permit to ACL 102:
access-list 102 permit udp any any eq 520
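Added example (Python, written for this page and not part of either thread): a small first-match evaluator for IOS numbered extended ACLs, used on two ACLs from this page. On ACL 105 from the ASA-to-router VPN thread above it reports that the broad "permit ip 172.19.194.0 0.0.0.255 any" at sequence 5 shadows every later deny, so no traffic is ever exempted from NAT, and that the reply's reordered version has no shadowed entry. On ACL 102 from this thread it shows a RIPv2 update from R1 (UDP/520 to 224.0.0.9, a constructed packet) hitting the implicit deny until the suggested "permit udp any any eq 520" line is added. Only contiguous wildcard masks and the "eq" port form are handled.

```python
import ipaddress

PORT_NAMES = {"isakmp": 500, "rip": 520}   # only the names that appear on this page


class Ace:
    """One access control entry: sequence, action, protocol, source, destination, dest port."""

    def __init__(self, seq, action, proto, src, dst, dport=None):
        self.seq, self.action, self.proto = seq, action, proto
        self.src, self.dst, self.dport = src, dst, dport

    def matches(self, proto, src, dst, dport=None):
        if self.proto not in ("ip", proto):
            return False
        if ipaddress.ip_address(src) not in self.src:
            return False
        if ipaddress.ip_address(dst) not in self.dst:
            return False
        return self.dport is None or self.dport == dport

    def covers(self, other):
        """True when every packet matched by `other` is also matched by this entry."""
        return ((self.proto == "ip" or self.proto == other.proto)
                and (self.dport is None or self.dport == other.dport)
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst))


def _network(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' and return an ip_network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = str(ipaddress.ip_address(~wildcard & 0xFFFFFFFF))   # invert the wildcard
    return ipaddress.ip_network((tok, netmask), strict=False)


def parse_ace(line, default_seq):
    """Parse 'access-list N ...' config or 'SEQ permit ...' show output into an Ace."""
    tokens = line.split()
    seq = default_seq
    if tokens[0] == "access-list":
        tokens = tokens[2:]
    elif tokens[0].isdigit():
        seq, tokens = int(tokens[0]), tokens[1:]
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = _network(tokens), _network(tokens)
    dport = None
    if tokens[:1] == ["eq"]:          # other trailing keywords such as 'log' are ignored
        name = tokens[1]
        dport = PORT_NAMES.get(name, int(name) if name.isdigit() else None)
    return Ace(seq, action, proto, src, dst, dport)


def parse_acl(text):
    lines = text.strip().splitlines()
    return [parse_ace(line, (i + 1) * 10) for i, line in enumerate(lines)]


def evaluate(acl, proto, src, dst, dport=None):
    """First-match lookup with the implicit deny at the end; returns (action, seq)."""
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action, ace.seq
    return "deny", None


def shadowed(acl):
    """Return (shadowed_seq, shadowing_seq) pairs: entries that can never be hit."""
    found = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if earlier.covers(later):
                found.append((later.seq, earlier.seq))
                break
    return found


# Constructed copy of ACL 105 as the poster's "show" output listed it.
ACL_105_BEFORE = """
5 permit ip 172.19.194.0 0.0.0.255 any
10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255
30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255
50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255
"""
# Constructed copy of ACL 102 from this thread, and the reply's extra RIP line.
ACL_102 = """
access-list 102 permit ahp host 172.30.1.2 host 172.30.2.2
access-list 102 permit esp host 172.30.1.2 host 172.30.2.2
access-list 102 permit udp host 172.30.1.2 host 172.30.2.2 eq isakmp
"""
ACL_102_FIXED = ACL_102 + "access-list 102 permit udp any any eq 520\n"

if __name__ == "__main__":
    print("ACL 105 shadowed entries:", shadowed(parse_acl(ACL_105_BEFORE)))
    rip_update = ("udp", "172.30.2.1", "224.0.0.9", 520)   # RIPv2 update from R1
    print("RIP before fix:", evaluate(parse_acl(ACL_102), *rip_update))
    print("RIP after fix: ", evaluate(parse_acl(ACL_102_FIXED), *rip_update))
```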
-
Cisco SG300-10, Cisco 6513 and ShoreTel phones
I have a new ShoreTel phone system coming soon. I configured a DHCP scope including option 156, which is required for ShoreTel phones to obtain their configuration and get onto the correct voice VLAN. I also created a new VLAN 112 for the voice VLAN. When I plug directly into the Cisco 6513 core switch, the phone starts fine, gets its configuration and lands on the correct VLAN 112.
We have a training room in which there will be a lot of users. I ordered 6 Cisco Small Business 10-port SG300 PoE switches for this training room. I plugged the switch into a cable coming off the 6513 which is just an access port in the voice VLAN I created for the ShoreTel VoIP phones:
interface FastEthernet10/11
 switchport
 switchport mode access
 switchport voice vlan 112
 priority-queue queue-limit 20
 wrr-queue random-detect min-threshold 1 30 40 50 60 70 80 90 100
 wrr-queue random-detect min-threshold 2 30 40 50 60 70 80 90 100
 wrr-queue random-detect min-threshold 3 30 40 50 60 70 80 90 100
 wrr-queue random-detect max-threshold 1 70 80 90 100 100 100 100 100
 wrr-queue random-detect max-threshold 2 70 80 90 100 100 100 100 100
 wrr-queue random-detect max-threshold 3 70 80 90 100 100 100 100 100
 wrr-queue cos-map 1 3 1
 wrr-queue cos-map 1 6 4
 wrr-queue cos-map 2 6 0
 wrr-queue cos-map 2 8 2
 wrr-queue cos-map 3 1 7
 wrr-queue cos-map 3 8 3 6
 mls qos trust dscp
 storm-control broadcast level 20.00
 spanning-tree portfast

When I plug a phone directly into this cable the phone works very well. When I plug in a cheap Cisco PoE switch I can get 3 phones working very well, but due to the amount of power needed, this cheap Cisco switch will only power 3 phones.
The real problem here is plugging in the Cisco Small Business SG300-10 port PoE managed switch. I thought I could just connect the switch to the port configured above right out of the box and plug in phones without a problem. When I plug in the switch and start plugging in ShoreTel phones, they do not come up; I actually had a few phones come up, but then finally there is no dial tone and later they show "service not available" on the screen.
Do I have to configure a trunk port on a port of the SG300 and on the Cisco 6513 for this to work? Also, will I need to configure the VLAN manually on the SG300? It looks like when I just plugged it into the port configured above, the SG300 automatically created VLAN 112.
Any help would be appreciated
Thank you
Dave
Double post.
Go HERE.
-
Hello experts,
I created links between two 2960 switches and an SG300-20, but only on the SG300 an error pops up: "%CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected."
I have attached the configuration file here for ease of analysis.
Any help is appreciated.
Best regards
Why assign IP addresses to VLAN 97 (native) on the SG300-20? The native VLAN doesn't need an IP address or an SVI (L3). See the attached example configuration based on your attachments. Note: XXX represents any number of your choice.
-
Cisco SG300-28P - Port security issue.
Hi, I would like to activate port security on a Cisco SG300 PoE 28-port switch. I would like to know how this can be done in cases where the port is connected to 8-port desktop switches and in cases where computers are connected directly to the switch.
Thanking you in advance,
Parth.
This is described in detail in the section 'Configuring Port Security' on pages 326 to 329 of the Cisco Small Business 300 Series Managed Switch Administration Guide.
The difference between a port serving a desktop switch and one directly serving an endpoint is just the number of MAC addresses that you want to allow.
Do you have any specific questions?
-
Cisco SG300 / ASA 5505 inter-VLAN routing problem
Dear all
I have a problem configuring the SG300 layer 3 switch correctly behind the ASA 5505 (incl. Security Plus license).
The configuration is the following:
Cisco SG300 is configured as a layer 3 switch
Native VLAN 1: 192.168.1.254, default route to the ASA inside interface IP (192.168.1.1)
Additional VLANs defined on the switch:
VLAN 100 with 192.168.100.0/24, default gateway 192.168.100.254
VLAN 110 with 192.168.110.0/24, default gateway 192.168.110.254
VLAN 120 with 172.16.0.0/16, default gateway 172.16.10.254
From the different VLANs (100, 110, 120) I am able to connect to all devices on the other VLANs (with the exception of native VLAN 1; it does not answer the ping requests)
From the switch CLI I can ping my firewall (192.168.1.1) and all the other VLAN gateways and VLAN devices (VLAN 1, 100, 110, 120)
From the ASA CLI I can only ping my switch (192.168.1.254), but no other devices in the other VLANs
My question is this: what should I change or set up in the switch or ASA configuration so that the other VLANs can access the Internet through the ASA? I will not use the ASA as the inter-VLAN routing device, because the switch does this for me.
I tried to change the ASA int e0/1 to a trunk port (the switch uplink port also), to enable all the VLANs, but as soon as I do that, I can no longer ping 192.168.1.254 from the ASA CLI.
Any help is greatly appreciated
Regards
Edwin
Hi Edwin, because the switch is layer 3, the only necessary behaviour is to ensure that the computers' default gateways are set to the SVI interface on the switch, to make sure that the switch forwards the desired traffic to the ASA.
The connection between the ASA and the switch must stay plain dot1q, with all the other VLANs tagged and the native VLAN untagged.
Also, if I'm not wrong, on the ASA you must set the security level of the port to 100.
-Tom
Please rate useful posts