Posts Tagged ‘Cisco’

Recently I had to tag some access points onto a new VLAN on a Cisco switch. The Cisco support website is the worst for readability, so these are notes for future reference.

Find the port the access point is on: get its MAC address, then list all the MACs the switch has learned via

show mac address-table

Tagging the port

Next we change the port from an access port on the default VLAN (1) to a trunk, so it can carry multiple VLANs, in this case 1 and 5. Warning: this will drop the connected device for a few pings. On older models that also support ISL (e.g. 3560/3750) you must set switchport trunk encapsulation dot1q first, or switchport mode trunk is rejected.

conf t
int gi1/0/21
switchport mode trunk
switchport trunk allowed vlan 1,5

If it doesn't work you can always wipe the port's configuration back to defaults (note this removes everything on the port, not just the trunk settings) via

default interface gi1/0/21

To untag a port on VLAN 5 (i.e. make it an access port in VLAN 5)

switchport mode access
switchport access vlan 5


Meraki MX Router

Enable VLANs

Go to Security Appliance, then Addressing & VLANs.

Next, set up the VLAN ID and subnet for each VLAN, and the MX's own address in each VLAN (this becomes the gateway for that subnet).

Next, change the port that uplinks to the switch to a trunk: set the native VLAN (the default is usually 1) and the other VLANs that will be passed down this trunk. The native VLAN must be the same on both the Meraki and the Cisco switch; if it differs, untagged traffic from one side lands in a different VLAN on the other.

DHCP

Go to Security Appliance then DHCP

Which device will serve DHCP on this new subnet? You can let the Meraki do it, or, if it is a Windows network, point the DHCP relay (IP helper) at your main DHCP server.

Cisco Switch

Uplink

On the uplink from your switch to the Meraki, e.g. GigabitEthernet1/0/1, set:

conf t
int gi1/0/1
switchport trunk native vlan 1
switchport trunk allowed vlan 1,5
switchport mode trunk
end

You might not see native vlan 1 in the running config; that is because 1 is the default native VLAN and IOS does not display default settings.

Untag a port on the new VLAN

This makes the port an access port in VLAN 5, so traffic on it is untagged:

conf t
int gi1/0/2
switchport access vlan 5
switchport mode access
end
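The two posts above (the access-point trunk and the Meraki uplink) configure the same thing from different ends, so here is one complete switch-side example, added here and not taken from either post, with the checks to run afterwards. The interface numbers, the VLAN name and the use of Gi1/0/2 for a wired client are assumptions chosen to match the posts. It goes slightly beyond them by creating the VLAN first, turning DTP off on the static trunks, keeping the allowed list tight, and putting BPDU guard on the end-device port.

```cisco
! Added example, not from the original posts. Assumed names and numbers:
! Gi1/0/1 = uplink to the Meraki MX, Gi1/0/21 = access point,
! Gi1/0/2 = wired client, VLAN 1 = native/management, VLAN 5 = new VLAN.
configure terminal
!
! Create the VLAN first. Without it a trunk lists VLAN 5 as "not active"
! and an access port assigned to it goes inactive.
vlan 5
 name WIRELESS
exit
!
! Uplink to the MX: static trunk, DTP off, only the VLANs that are needed.
! The "encapsulation dot1q" line is required on models that also support
! ISL (3560/3750 era) and rejected on dot1q-only models such as the 2960.
! Native VLAN 1 is kept only because the MX port uses it; an otherwise
! unused VLAN as native on both ends is the safer choice.
interface GigabitEthernet1/0/1
 description Uplink to Meraki MX
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,5
 switchport mode trunk
 switchport nonegotiate
 no shutdown
!
! Access point: same trunk shape. SSIDs mapped to VLAN 5 arrive tagged,
! the AP's own management traffic rides the native VLAN untagged.
interface GigabitEthernet1/0/21
 description Cisco AP
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,5
 switchport mode trunk
 switchport nonegotiate
!
! Wired client in the new VLAN: plain access port, frames leave untagged.
! BPDU guard shuts the port if a switch or rogue STP speaker is plugged in.
! (On newer IOS-XE the portfast command is "spanning-tree portfast edge".)
interface GigabitEthernet1/0/2
 description Wired client in VLAN 5
 switchport mode access
 switchport access vlan 5
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
end
copy running-config startup-config
!
! Checks: each trunk's native VLAN and its allowed / active / forwarding
! VLAN lists (VLAN 5 must appear in all three), the access port's mode
! and VLAN, and VLAN 5 showing "active" in the VLAN database.
show interfaces trunk
show interfaces GigabitEthernet1/0/21 switchport
show interfaces GigabitEthernet1/0/2 switchport
show vlan brief
show interfaces status
```

If show interfaces trunk lists VLAN 5 as allowed but not as active, the VLAN was never created; if it is active but not forwarding, spanning tree is blocking it on that port.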

Connect to http://wired.meraki.com/#configure from a PC or server plugged into the Meraki's LAN. The default username is the device's serial number, which you can get from the cloud dashboard, and the password is blank.

The following restarts the Meraki, so make sure you arrange downtime.

Change port 2 from LAN to Internet, add the IP details and click Save.

Make sure all Ethernet ports are set to auto negotiation.

By default the Meraki runs the two uplinks active/passive. To make them active/active, log in to your Meraki cloud dashboard and enable load balancing:

This spreads both inbound and outbound traffic across both links.

To force particular traffic, e.g. one port, onto a specific link, add an Internet traffic flow preference rule.


Switch-A(config)#interface port-channel 1
Switch-A(config-if)#switchport trunk encapsulation dot1q
Switch-A(config-if)#switchport mode trunk
Switch-A(config-if)#speed nonegotiate

Switch-A(config)#interface GigabitEthernet1/1/1
Switch-A(config-if)#switchport mode trunk
Switch-A(config-if)#speed nonegotiate
Switch-A(config-if)#channel-group 1 mode active

Switch-A(config)#interface GigabitEthernet2/1/1
Switch-A(config-if)#switchport mode trunk
Switch-A(config-if)#speed nonegotiate
Switch-A(config-if)#channel-group 1 mode active

Switch-B(config)#interface port-channel 1
Switch-B(config-if)#switchport trunk encapsulation dot1q
Switch-B(config-if)#switchport mode trunk
Switch-B(config-if)#speed nonegotiate

Switch-B(config)#interface GigabitEthernet1/1/1
Switch-B(config-if)#switchport mode trunk
Switch-B(config-if)#speed nonegotiate
Switch-B(config-if)#channel-group 1 mode active

Switch-B(config)#interface GigabitEthernet2/1/1
Switch-B(config-if)#switchport mode trunk
Switch-B(config-if)#speed nonegotiate
Switch-B(config-if)#channel-group 1 mode active


Trying to enable LACP on a cross-stack Cisco switch via EtherChannel.

On enabling this I got an error on one side of the LACP switch:

suspended: LACP currently not enabled on the remote port.

I broke the port channel and set it back to switchport mode trunk.

Then re-enabled the port channel in this order:

Switch 1 port one

Switch 2 port one

Switch 2 port two

Switch 1 port two
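As an added example (not from the post), here is the sequence that avoids the suspended state in the first place, using the same interface names as the EtherChannel configuration above; the VLAN list is an assumption. A member port reports "suspended: LACP currently not enabled on the remote port" when it is sending LACPDUs and the far end is still a plain trunk, which is what the re-enable order in the post works around. Holding the member links down until both stacks are configured sidesteps the problem.

```cisco
! Added example, not from the original posts. Cross-stack LACP between
! two stacks; members Gi1/1/1 and Gi2/1/1 on each side, VLANs 1 and 5
! assumed. Run the whole block on Switch-A, then on Switch-B.
configure terminal
!
! Hold the member links down until both sides are configured.
interface range GigabitEthernet1/1/1 , GigabitEthernet2/1/1
 shutdown
exit
!
! Port-channel first; it carries the L2 settings the members must match.
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,5
 switchport mode trunk
 switchport nonegotiate
exit
!
! Members: identical L2 settings, then join with LACP. "active" on both
! ends is fine; at least one end must be active or no bundle forms.
interface range GigabitEthernet1/1/1 , GigabitEthernet2/1/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,5
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode active
exit
!
! Only after the other stack has the same configuration: bring the
! members up. Once both ends speak LACP the order no longer matters.
interface range GigabitEthernet1/1/1 , GigabitEthernet2/1/1
 no shutdown
end
!
! Checks. In the summary the Po1 line should read SU (Layer 2, in use)
! and each member (P) for bundled; (s) is suspended, (I) means the port
! fell back to stand-alone and is forwarding as an independent trunk.
show etherchannel 1 summary
show lacp 1 neighbor
show interfaces Port-channel1 trunk
```

If a member still shows (s) after both ends are up, check that its speed, duplex, trunk encapsulation, native VLAN and allowed VLAN list match the port-channel exactly; any mismatch keeps it out of the bundle.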


Recently a client had ordered some 10GB SFP+ modules for his new and old Cisco 3650 switches; however, his old ones only have 4 x 1GB SFP ports. The 10GB SFP+ modules cannot drop down to 1GB speed on either the old or the new devices!


When going through the commands to enable WPA on a Cisco wireless access point

ap(config)#interface Dot11Radio0
ap(config-if)#encryption mode ciphers aes-ccm

Then

ap(config-ssid)#authentication open
ap(config-ssid)#authentication key-management wpa version 2

I was shown the error: Encryption mode cipher is not configured.

It turns out this setting needs to be applied per VLAN, for each VLAN presented to the SSID:

ap(config)#interface Dot11Radio0
ap(config-if)#encryption vlan 13 mode ciphers aes-ccm tkip

I could then run

ap(config-ssid)#authentication open
ap(config-ssid)#authentication key-management wpa version 2
ap(config-ssid)#guest-mode
ap(config-ssid)#wpa-psk ascii WirelessPassword
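Added example, not the post's own configuration: a complete WPA2-PSK SSID on a single VLAN on an autonomous (IOS) access point, including the VLAN sub-interfaces the post does not show. The SSID name, VLAN 13, the wired interface name (GigabitEthernet0; older models have FastEthernet0) and the passphrase are assumptions. It differs from the post in one deliberate way: the cipher is AES-CCM only. WPA2 does not need TKIP, TKIP is deprecated, and 11n-capable APs will not use 11n data rates on a TKIP-enabled SSID, so "aes-ccm tkip" is only worth keeping while legacy WPA1 clients still exist.

```cisco
! Added example, not from the original post. Assumed values: SSID
! "Corp-WPA2", VLAN 13, radio Dot11Radio0, wired port GigabitEthernet0.
! Replace the placeholder passphrase (8 to 63 printable characters).
configure terminal
!
! The SSID. Binding it to a VLAN is what makes the per-VLAN encryption
! line on the radio mandatory; a global "encryption mode ciphers" is not
! consulted for a VLAN-bound SSID, hence "Encryption mode cipher is not
! configured" in the post.
dot11 ssid Corp-WPA2
 vlan 13
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii ChangeMe-Example-Passphrase
 guest-mode
exit
!
! Radio: cipher set per VLAN, AES-CCM only, then attach the SSID.
interface Dot11Radio0
 encryption vlan 13 mode ciphers aes-ccm
 ssid Corp-WPA2
 no shutdown
exit
!
! Bridge VLAN 13 between the radio and the wired uplink, tagged on both.
! The bridge-group tuning on the radio side stops the AP learning or
! flooding towards wireless clients it should not.
interface Dot11Radio0.13
 encapsulation dot1Q 13
 bridge-group 13
 bridge-group 13 subscriber-loop-control
 bridge-group 13 block-unknown-source
 no bridge-group 13 source-learning
 no bridge-group 13 unicast-flooding
 bridge-group 13 spanning-disabled
exit
interface GigabitEthernet0.13
 encapsulation dot1Q 13
 bridge-group 13
 no bridge-group 13 source-learning
 bridge-group 13 spanning-disabled
exit
end
copy running-config startup-config
!
! Checks: the SSID block as stored, the radio's encryption lines, and
! whether clients are associating.
show running-config | section dot11 ssid
show running-config interface Dot11Radio0
show dot11 associations
```

The switch port the AP hangs off must be a trunk that allows VLAN 13 (see the trunk configuration earlier on this page), otherwise clients associate but never get an address.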


The ASA's inspection engine is looking at the FTP protocol and finding something objectionable in that user's sessions. Exactly what is hard to say without debugging or capturing a live failing session.

You can disable ftp inspection as follows (in global configuration mode of course):

policy-map global_policy
 class inspection_default
  no inspect ftp
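Added example, not from the post: how to find out what the inspection engine is objecting to, and how to narrow the fix, before turning FTP inspection off for everyone. The capture name is an assumption; the policy-map and class names are the ASA defaults the post itself uses.

```cisco
! Added example, not from the original post.
!
! 1. Is FTP inspection on, and is it in strict mode?
show service-policy inspect ftp
show running-config policy-map
!
! 2. What is being dropped, and why? Clear the counters, have the user
!    reproduce the failure, then read the drop reasons. The asp-drop
!    capture keeps the actual dropped packets for inspection.
clear asp drop
capture ftpdrop type asp-drop all
show asp drop
show capture ftpdrop
!
! 3a. If the policy reads "inspect ftp strict", the usual culprit is the
!     strict RFC enforcement (command sequence / reply checks), not the
!     inspection itself. Keep inspection, drop strict.
configure terminal
policy-map global_policy
 class inspection_default
  no inspect ftp strict
  inspect ftp
end
!
! 3b. Removing inspection entirely (the post's fix) also removes the
!     dynamic pinholes for the data channel: active-mode FTP from inside
!     clients and passive-mode FTP to an inside server then need explicit
!     ACL entries, and the control channel is no longer checked for
!     command abuse. Only do this once 3a has been tried.
!   policy-map global_policy
!    class inspection_default
!     no inspect ftp
!
! Tidy up the capture when done.
no capture ftpdrop
```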


Get the port number on the switch; if the switch is stacked you should get the switch (stack member) number as well.

You can use show int to list all the interfaces; note the port name, e.g. gi1/0/8.

Use sh int gi1/0/8 to list the port details and make sure it is up etc.

Next run :

show mac address-table int gi1/0/8

(copy the MAC address it shows)

Next Run this

show arp | incl %macaddressofabove%

If it shows nothing, the device might not have an IP address (check the port is on the correct VLAN). Also, a switch only holds ARP entries for VLANs it has its own IP interface in, so on a Layer 2 switch the gateway (router) for that VLAN is the one to check.

** A cheat: on a computer connected to the switch on the same VLAN and IP range, you can manually add a static ARP entry pairing a spare IP with the MAC address, then try to ping/access the device:

In Windows Xp

arp -s %spareip% %macAddress%

In Windows 7

netsh -c interface ipv4 add neighbors “Network Card Name” “IP Address” “MAC Address”
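Added example, not from the post: the full chain from port to MAC to IP on a Catalyst switch, which also covers the MAC-to-port lookup the access-point post at the top of this page needs. The MAC address, interface and VLAN are made-up values for illustration. Two things the post does not say: IOS expects MACs as xxxx.xxxx.xxxx, and show arp on a switch only lists addresses the switch itself has resolved, so when it comes back empty the gateway for that VLAN is the right place to ask.

```cisco
! Added example, not from the original posts. Assumed values:
! port Gi1/0/8, MAC 0011.2233.4455 (00:11:22:33:44:55 in Windows form),
! VLAN 5.
!
! Port -> MAC(s). More than one MAC on an access port usually means a
! downstream switch, a hub, or a phone with a PC behind it.
show mac address-table interface GigabitEthernet1/0/8
!
! MAC -> port (the other direction, for locating an access point).
show mac address-table address 0011.2233.4455
!
! MAC -> IP, from this switch's own ARP cache. Only VLANs this switch
! has an SVI in appear here; an empty result does not mean "no IP".
show ip arp | include 0011.2233.4455
!
! If this switch is not the gateway for the device's VLAN, run the same
! lookup on the device that is (Meraki MX, router or core switch). On a
! Cisco core the VLAN interface can be given directly:
!   show ip arp vlan 5 | include 0011.2233.4455
!
! Other sources that already hold MAC-to-IP bindings, no ARP needed
! (the first only works where DHCP snooping is enabled; the other two
! only for devices that speak CDP or LLDP, e.g. Cisco APs and phones).
show ip dhcp snooping binding interface GigabitEthernet1/0/8
show cdp neighbors GigabitEthernet1/0/8 detail
show lldp neighbors GigabitEthernet1/0/8 detail
!
! Still nothing? Confirm the port is up and in the VLAN you expect
! before trying the static-ARP trick from the post.
show interfaces GigabitEthernet1/0/8 status
show interfaces GigabitEthernet1/0/8 switchport
```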