I was checking the VSL link on a network and found a lot of giants:
show int Te1/5/5
TenGigabitEthernet1/5/4 is up, line protocol is up (connected)
8 runts, 1739095 giants, 0 throttles
I searched cisco.com and found the following:
The VSL carries data traffic and in-band control
traffic between the two chassis. All frames forwarded over the VSL link
are encapsulated with a special 32-byte header, which provides
information for the VSS to forward the packet on the peer chassis.
I guess that if a packet close to the 1500-byte MTU is received and a 32-byte header is added, we get a giant packet. If I'm wrong, don't hesitate to correct me.
Thursday, August 23, 2012
Thursday, August 9, 2012
VPN connection and Internet access
When you are connected to a VPN session, you can normally reach the corporate LAN.
It is also possible to reach the Internet at the same time through the tunnel, which is the situation when split tunnelling is disabled and the client sends all of its traffic to the ASA.
To do this on the ASA you have to configure a NAT rule: all traffic going to the Internet must use the address of the Internet-facing interface as its source IP address, because the VPN pool is not routable on the Internet. Since this traffic enters and leaves the ASA on the same interface, 'same-security-traffic permit intra-interface' must also be enabled.
The configuration below is an example that can be applied:
ip local pool Pool_VPN 192.168.40.10-192.168.40.250 mask 255.255.255.0
!
interface GigabitEthernet0/1
description Outside Facing Interface
nameif INTERNET
security-level 0
ip address 199.199.199.199 255.255.255.240
!
object network NAT-VPN-POOL
subnet 192.168.40.0 255.255.255.0
description Pool VPN
!
object network NAT-VPN-POOL
nat (any,INTERNET) dynamic interface
All traffic with a source address in the VPN pool and an Internet destination (egress interface INTERNET) matches this NAT rule.
The source address is translated to the address of the INTERNET interface (dynamic PAT). Traffic from the pool to the corporate LAN leaves through another interface, so it is not affected by this rule.
Thursday, July 5, 2012
Are you impacted by DNSChanger?
You can test whether you are affected by the DNSChanger malware with the web site below:
http://www.dns-ok.ca/
Wednesday, April 25, 2012
SUP2T and access to CMP
Just a quick post about the SUP2T and the CMP. The CMP (Connectivity Management Processor) is the equivalent of the 'aux' port. In our lab we decided to test this new feature.
But to access this interface we need an IP address, but which one? Maybe there is a DHCP server on this interface?
We tested and there is nothing. So we looked on the Cisco web site without success, and only found a forum post by someone who had already encountered this issue.
The solution to access the CMP (and configure it) is to use its default IP address, which is 192.168.1.101/24 (GW 192.168.1.1).
I hope this helps you, so that you don't have to search everywhere on the Cisco web site like we did.
Tuesday, March 13, 2012
Good bye ARP, welcome ICMPv6
Today I was working on an IPv6 lab. I wanted to discover the relation between a MAC address and an IP address, so on the Windows machine I ran the command 'arp -a'. That is a bad reflex, why? ARP no longer exists in IPv6. Its role is taken by ICMPv6 Neighbor Discovery: a host resolves a neighbour with a Neighbor Solicitation sent to the target's solicited-node multicast group (ff02::1:ffxx:xxxx) instead of a broadcast, and the results are kept in the neighbor cache instead of the ARP table. So to see the correlation between MAC and IPv6 addresses we have to use these commands:
- On a Windows laptop (output of 'netsh interface ipv6 show neighbors'):
Interface 14: LAB

Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
fe80::2                                       00-14-1c-c9-d9-a8  Stale (Router)
fe80::214:1cff:fec9:d9a8                      00-14-1c-c9-d9-a8  Stale (Router)
ff02::2                                       33-33-00-00-00-02  Permanent
ff02::5                                       33-33-00-00-00-05  Permanent
ff02::c                                       33-33-00-00-00-0c  Permanent
ff02::16                                      33-33-00-00-00-16  Permanent
ff02::1:2                                     33-33-00-01-00-02  Permanent
ff02::1:3                                     33-33-00-01-00-03  Permanent
ff02::1:ff00:2                                33-33-ff-00-00-02  Permanent
ff02::1:ff00:d                                33-33-ff-00-00-0d  Permanent
ff02::1:ff00:f                                33-33-ff-00-00-0f  Permanent
ff02::1:ff08:c77                              33-33-ff-08-0c-77  Permanent
ff02::1:ffae:564d                             33-33-ff-ae-56-4d  Permanent
ff02::1:ffc9:d9a8                             33-33-ff-c9-d9-a8  Permanent
- On a Linux laptop (still to be validated):
- On a Cisco router:
R2#show ipv6 neighbors
IPv6 Address                              Age Link-layer Addr State Interface
FE80::4491:69A9:39F3:7344                   5 000c.2928.4c53  STALE Fa0/0
2001:DB9:1:1:DD52:657C:D340:F2FF           19 000c.2980.fc6c  STALE Fa0/0
2001:DB9:1:1:B140:2298:3E92:A99B            6 000c.2928.4c53  STALE Fa0/0
FE80::1                                     4 0016.479a.f630  STALE Fa0/0
FE80::20C:29FF:FE80:FC6C                   19 000c.2980.fc6c  STALE Fa0/0
2001:DB9:1:1::1                            22 0016.479a.f630  STALE Fa0/0
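The two tables above contain every relationship Neighbor Discovery relies on, and it is worth being able to reproduce them by hand when an entry looks wrong (a neighbor cache entry whose MAC does not match the EUI-64 in the address, or a host joined to a solicited-node group it should not be listening on). The following is an added example, written for this page and not code from the original post; it uses only Python's standard library, and the addresses it checks are the ones shown in the tables (00-14-1c-c9-d9-a8 giving fe80::214:1cff:fec9:d9a8, and ff02::1:ffc9:d9a8 mapping to 33-33-ff-c9-d9-a8).

```python
"""Address derivations behind ICMPv6 Neighbor Discovery (RFC 4291, RFC 2464).

Added example for this page; not code from the original post. It reproduces
the relationships visible in the neighbor tables:
  * MAC -> link-local address via modified EUI-64 (the router's fe80:: entry),
  * target address -> solicited-node multicast group ff02::1:ffXX:XXXX,
  * IPv6 multicast group -> Ethernet multicast MAC 33:33:xx:xx:xx:xx.
"""
import ipaddress


def mac_to_bytes(mac: str) -> bytes:
    """Accept 00-14-1c-c9-d9-a8, 00:14:1c:c9:d9:a8 or Cisco 0014.1cc9.d9a8."""
    hexdigits = "".join(c for c in mac if c not in "-:.")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def eui64_link_local(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 + modified EUI-64: insert ff:fe in the middle of the MAC
    and flip the universal/local bit (0x02) of the first byte."""
    m = mac_to_bytes(mac)
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid)


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """Solicited-node group: ff02::1:ff00:0/104 plus the low 24 bits of the
    target address. A Neighbor Solicitation for addr is sent to this group."""
    low24 = ipaddress.IPv6Address(addr).packed[-3:]
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24)


def ipv6_multicast_mac(addr: str) -> str:
    """RFC 2464: 33:33 followed by the low 32 bits of the group address,
    written in the dashed form Windows uses."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError(f"{addr} is not a multicast address")
    return "33-33-" + "-".join(f"{b:02x}" for b in a.packed[-4:])


def neighbour_lookup_targets(addr: str) -> tuple[str, str]:
    """What a host puts on the wire when resolving addr: the destination
    group of the Neighbor Solicitation and the destination MAC of the frame."""
    group = solicited_node(addr)
    return str(group), ipv6_multicast_mac(str(group))


if __name__ == "__main__":
    router_mac = "00-14-1c-c9-d9-a8"              # taken from the Windows table
    print(eui64_link_local(router_mac))            # fe80::214:1cff:fec9:d9a8
    print(neighbour_lookup_targets("fe80::214:1cff:fec9:d9a8"))
    # ('ff02::1:ffc9:d9a8', '33-33-ff-c9-d9-a8'): both rows are in the table
    print(ipv6_multicast_mac("ff02::2"))           # 33-33-00-00-00-02
```

The 'Permanent' ff02::1:ffxx:xxxx rows in the Windows table are exactly the solicited-node groups of the laptop's own addresses, and the router's fe80::214:1cff:fec9:d9a8 is the EUI-64 form of its MAC; a neighbor entry whose MAC does not fit either rule is a good candidate for a spoofed Neighbor Advertisement. Note that privacy or random interface identifiers (such as FE80::4491:69A9:39F3:7344 in the router table) are not derived from the MAC, so the EUI-64 check only applies to addresses that contain ff:fe in the middle.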
Saturday, February 25, 2012
kron and backup
Today I looked at my auto-archives to see whether they work properly. Surprise: all was OK except for the 3560 switch. When someone executes 'write memory' everything works fine, but the scheduled backup creates an empty file. It contains just these four rows:
!
!
!
end
After some investigation on the Internet I discovered that I was not the first to encounter this issue with this equipment, so I decided to use another solution: kron, which is the equivalent of cron on a Unix machine. The configuration looks like this example:
archive
path ftp://10.10.10.10/PATH/MY-SWITCH/$h-
write-memory
no time-period 10080
!
kron occurrence backup at 22:00 25 recurring
policy-list backup
!
kron policy-list backup
cli archive config
I kept all the archive configuration except 'time-period', and just added a 'backup' policy that is scheduled by a kron occurrence. The policy executes the command 'archive config', and the occurrence runs once a month, on the 25th at 10 pm. It is also very important to have an NTP server (a correct system clock) if you don't want problems running a kron.
Sunday, February 19, 2012
Add a mount point for an ASA
I found a nice feature on the Cisco ASA: you can create a mount point to an FTP server (CIFS is supported as well) and use it like a local file system.
Below you can find a sample of the configuration to apply:
mount Backup-ASA type ftp
server 10.10.10.10
path /root/Backup
username userFTP
password passwordFT
mode passive
status enable
To list all the configurations available in this folder you can use the 'dir' command:
ASA# dir Backup-ASA:
Directory of Backup-ASA:/
-rwx 71147 19:37:00 Jul 14 2011 ASA-14jul11.txt
-rwx 79337 16:41:00 Jan 31 2012 ASA-09-02-2012.txt
0 bytes total (2146293760 bytes free)
This trick makes it easy to back up the running configuration to a remote folder. Keep in mind that FTP carries the credentials and the configuration itself (password hashes, any VPN pre-shared keys) in cleartext, and that the 'password' line above is stored in the ASA configuration, so the FTP server should only be reachable from the management network:
ASA# copy running-config Backup-ASA:
Thursday, February 9, 2012
Archive configuration on a Cisco Switch
In a previous post I wrote a (Python) script to automatically back up Cisco configurations.
There is another method to back up the configuration: the 'archive' command. This way it is possible to save the configuration to a remote FTP server. Below you will find an example:
ip ftp username user1
ip ftp password password1
!
archive
path ftp://10.10.10.10/folder/My-switch.cfg
write-memory
time-period 1440
Every 'write memory' triggers an automatic backup to the FTP server.
'time-period' is in minutes: 1440 means one backup is generated every day, whether or not the configuration changed. FTP sends the credentials and the configuration in cleartext; the archive path also accepts scp://, which is the better choice when the device is already managed over SSH.
If you make a mistake and decide to go back to an old version, it is possible to restore an archived configuration. The best way is 'configure replace', which makes the running configuration identical to the archived file instead of merging it like 'copy' does:
configure replace ftp://10.10.10.10/folder/My-switch.cfg--9-09-00-23-0
To see the state of the archive you can use the 'show archive' command:
SWITCH#show archive
The maximum archive configurations allowed is 14.
The next archive file will be named ftp://10.10.10.10/folder/My-switch.cfg-<timestamp>-2
Archive # Name
1 ftp://10.10.10.10/folder/My-switch.cfgFeb--9-09-00-23-0
2 ftp://10.10.10.10/folder/My-switch.cfgFeb--9-09-00-37-1 <- Most Recent
3
4
Wednesday, February 8, 2012
Multiple instances with PuTTY CM
By default you can start only one PuTTY CM instance. For example, if several users want to use PuTTY CM on a server via RDP, it is impossible by default. To open several sessions you need to set a registry key on Windows. Here is the key:
HKEY_CURRENT_USER\Software\ACS\PuTTY Connection Manager\
AllowMultipleInstances REG_DWORD 1
Saturday, January 21, 2012
Using IPv6 stateful autoconfiguration
I would like to add some details to my post 'vista and DHCPv6' (in French) and explain which mechanism is used to choose between stateless and stateful configuration. The IPv6 host looks at two flag bits in the RA (Router Advertisement, sent by the router) to know whether, and how, a DHCPv6 server is to be used:
- O bit (Other configuration): the host can use DHCPv6 to collect parameters such as the DNS server address, but the DHCPv6 server does not provide the host's IP address. The host forms its address with stateless autoconfiguration (SLAAC).
- M bit (Managed address configuration): the host can use DHCPv6 to obtain an IPv6 address and the other parameters from the server (stateful DHCPv6).
- With neither bit set, the host uses stateless autoconfiguration only: addresses come from the prefixes the RA advertises with the A (autonomous) flag set, and nothing is learned from DHCPv6.
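To see where these bits actually live, here is an added example (written for this page, not code from the original post) that builds a Router Advertisement, decodes the M and O flags plus the A flag of the Prefix Information option, and returns the configuration mode a host will pick. The RA bytes and the 2001:db8:1:1::/64 prefix are constructed for the example, not captured traffic, and the ICMPv6 checksum is left at zero because it depends on the IPv6 pseudo-header of a real packet.

```python
"""Decode the address-configuration flags of an ICMPv6 Router Advertisement
(RFC 4861 section 4.2, Prefix Information option section 4.6.2).

Added example for this page, not code from the original post. The RA bytes
are constructed here; the checksum is left at 0 because it is computed over
the IPv6 pseudo-header when the packet is really sent.
"""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3

RA_FLAG_MANAGED = 0x80      # M: addresses (and other config) come from DHCPv6
RA_FLAG_OTHER = 0x40        # O: only other config (DNS, ...) comes from DHCPv6
PIO_FLAG_ONLINK = 0x80      # L: prefix is on-link
PIO_FLAG_AUTONOMOUS = 0x40  # A: prefix may be used for SLAAC


def build_ra(managed: bool, other: bool, prefix: str, autonomous: bool) -> bytes:
    """Minimal RA body (no IPv6 header) with one Prefix Information option."""
    flags = (RA_FLAG_MANAGED if managed else 0) | (RA_FLAG_OTHER if other else 0)
    # type, code, checksum, cur hop limit, flags, router lifetime,
    # reachable time, retrans timer
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                         64, flags, 1800, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    pflags = PIO_FLAG_ONLINK | (PIO_FLAG_AUTONOMOUS if autonomous else 0)
    # type, length (in 8-byte units), prefix length, flags,
    # valid lifetime, preferred lifetime, reserved, then the 16-byte prefix
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen,
                      pflags, 2592000, 604800, 0) + net.network_address.packed
    return header + pio


def parse_ra(msg: bytes) -> dict:
    """Parse an RA body and return the M/O flags and advertised prefixes."""
    if len(msg) < 16 or msg[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    flags = msg[5]
    ra = {"managed": bool(flags & RA_FLAG_MANAGED),
          "other": bool(flags & RA_FLAG_OTHER),
          "prefixes": []}
    off = 16
    while off < len(msg):
        if len(msg) - off < 2:
            raise ValueError("truncated ND option")
        otype, olen = msg[off], msg[off + 1]
        if olen == 0:  # RFC 4861 7.1.1: a zero-length option invalidates the packet
            raise ValueError("zero-length ND option")
        body = msg[off:off + olen * 8]
        if len(body) != olen * 8:
            raise ValueError("truncated ND option")
        if otype == OPT_PREFIX_INFORMATION and olen == 4:
            prefix = ipaddress.IPv6Address(body[16:32])
            ra["prefixes"].append({
                "prefix": f"{prefix}/{body[2]}",
                "autonomous": bool(body[3] & PIO_FLAG_AUTONOMOUS)})
        off += olen * 8  # unknown options are skipped, as RFC 4861 requires
    return ra


def address_config_mode(ra: dict) -> str:
    """The decision described in the post, extended with the A flag: without
    M and without any autonomous prefix a host gets no global address."""
    slaac = any(p["autonomous"] for p in ra["prefixes"])
    if ra["managed"]:
        # DHCPv6 assigns the address; a host may still form SLAAC addresses
        # for prefixes that also carry the A flag.
        return "stateful"
    if ra["other"]:
        return "stateless+dhcpv6-other" if slaac else "dhcpv6-other-only"
    return "stateless" if slaac else "link-local-only"


if __name__ == "__main__":
    for m, o, a in [(True, False, False), (False, True, True), (False, False, True)]:
        ra = parse_ra(build_ra(m, o, "2001:db8:1:1::/64", a))
        print(f"M={m!s:5} O={o!s:5} A={a!s:5} -> {address_config_mode(ra)}")
```

The same parser is what a detection for rogue RAs needs: because Router Advertisements are not authenticated, any node on the link can send one with M set and point hosts at its own DHCPv6 server, which is why RA Guard (or at least alerting on RAs from ports that should not carry a router) belongs on the access switches.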