
Archive for the ‘IOS’ Category

VPN template Cisco ASA

November 26th, 2009 peter No comments

Since I configured a lot of site-to-site VPNs in those days, I created a VPN config snippet which I have used as a template. So if you need to configure a site-to-site VPN on a Cisco ASA, you can use this template and customize the fields. Two caveats: the Phase 1 proposal (3DES, SHA-1, DH group 2) reflects what was common in 2009, so prefer AES-256 and a larger DH group wherever the peer supports them; and the vpn_filter ACL as written permits any traffic through the tunnel. A vpn-filter ACL is evaluated with the remote network as the source and the local network as the destination, so restrict it to the hosts and ports that actually need to cross the tunnel.

! Phase 2 "interesting traffic": local 192.168.1.0/24 <-> remote 10.1.10.0/24
access-list outside_8_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.1.10.0 255.255.255.0
! vpn-filter ACL, evaluated with the remote network as source. "any any" is the
! template default; restrict it to the tunnel networks (and ports) you really need.
access-list vpn_filter extended permit ip any any
!
! Exempt the tunnel traffic from NAT (pre-8.3 syntax; the ACL alone does nothing)
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! Phase 1 (IKEv1) proposal; 3des/sha/group 2 were common in 2009, use aes-256 and
! a larger DH group where the peer supports them
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
!
! Phase 2 transform set referenced by the crypto map below
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
!
group-policy <policy_name> internal
group-policy <policy_name> attributes
 vpn-idle-timeout none
 vpn-filter value vpn_filter
 vpn-tunnel-protocol IPSec
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 default-group-policy <policy_name>
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key <pre-shared-key>
!
! Crypto map entry 8 for this peer; the sequence number must be unique within outside_map
crypto map outside_map 8 match address outside_8_cryptomap
! a bare "set pfs" negotiates DH group 2; give a group explicitly where possible
crypto map outside_map 8 set pfs
crypto map outside_map 8 set peer 1.1.1.1
crypto map outside_map 8 set transform-set ESP-AES-256-SHA
crypto map outside_map 8 set security-association lifetime seconds 3600
crypto map outside_map 8 set nat-t-disable
crypto map outside_map interface outside
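The settings in the template can be checked mechanically before it is pushed to a firewall. The Python script below is an added example, not part of the original post and not a Cisco tool: it parses an ASA config fragment and flags weak IKEv1 proposals, a vpn-filter that permits any traffic, a crypto map whose transform-set is never defined, and missing or weak PFS. The two embedded configs are constructed for the example (the first is the template above with l2l_policy substituted for <policy_name>, the second a tightened version of it); what counts as weak is this example's own judgement, and the ASA defaults it fills in for omitted policy lines (3des, sha, group 2) are from the ASA documentation.

```python
import re
from collections import defaultdict

WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5", "sha"}       # "sha" is SHA-1; an ASA IKEv1 policy offers nothing stronger
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_PFS_GROUPS = {"group1", "group2", "group5"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}
TOP_LEVEL = ("crypto ", "access-list ", "tunnel-group ", "group-policy ", "nat ", "interface ")


def parse_asa_config(text):
    """Collect the parts of an ASA config that make up a site-to-site tunnel."""
    cfg = {"isakmp": {}, "transform_sets": {}, "crypto_maps": defaultdict(dict),
           "acls": defaultdict(list), "group_policies": defaultdict(dict)}
    context = None  # (section, key) while inside an indented sub-command block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            context = ("isakmp", m.group(1))
            cfg["isakmp"].setdefault(m.group(1), {})
        elif m := re.match(r"group-policy (\S+) attributes$", line):
            context = ("group_policies", m.group(1))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            context = None
            cfg["transform_sets"][m.group(1)] = m.group(2).split()
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set) (\S+)\s*(.*)$", line):
            context = None
            name, seq, verb, key, value = m.groups()
            entry = cfg["crypto_maps"][(name, seq)]
            if verb == "match address":
                entry["match"] = key    # ACL naming the interesting traffic
            else:
                entry[key] = value      # peer, pfs, transform-set, ...
        elif m := re.match(r"access-list (\S+) extended (.+)$", line):
            context = None
            cfg["acls"][m.group(1)].append(m.group(2).split())
        elif line.startswith(TOP_LEVEL):
            context = None              # any other top-level command ends the block
        elif context:
            section, key = context      # sub-command such as "encryption 3des"
            words = line.split()
            cfg[section][key][words[0]] = " ".join(words[1:])
    return cfg


def audit_vpn(text):
    """Return findings (strings) for weak or incomplete site-to-site settings."""
    cfg = parse_asa_config(text)
    findings = []
    for num, pol in sorted(cfg["isakmp"].items(), key=lambda kv: int(kv[0])):
        # ASA fills in 3des / sha / group 2 when a policy line is omitted
        for setting, default, weak in (("encryption", "3des", WEAK_ENCRYPTION),
                                       ("hash", "sha", WEAK_HASH), ("group", "2", WEAK_DH_GROUPS)):
            value = pol.get(setting, default)
            if value in weak:
                findings.append(f"isakmp policy {num}: weak {'DH group' if setting == 'group' else setting} {value}")
    for (name, seq), entry in sorted(cfg["crypto_maps"].items()):
        tag = f"crypto map {name} {seq}"
        if entry.get("match") not in cfg["acls"]:
            findings.append(f"{tag}: match address ACL {entry.get('match')} is not defined")
        for ts in entry.get("transform-set", "").split():
            if ts not in cfg["transform_sets"]:
                findings.append(f"{tag}: undefined transform-set {ts}")
            elif weak := WEAK_TRANSFORMS.intersection(cfg["transform_sets"][ts]):
                findings.append(f"{tag}: weak transform {' '.join(sorted(weak))} in {ts}")
        if "pfs" not in entry:
            findings.append(f"{tag}: PFS not enabled")
        elif (entry["pfs"] or "group2") in WEAK_PFS_GROUPS:   # bare "set pfs" means group2
            findings.append(f"{tag}: weak PFS group {entry['pfs'] or 'group2 (default)'}")
    for gp, attrs in cfg["group_policies"].items():
        words = attrs.get("vpn-filter", "").split()           # "value <acl-name>"
        acl = words[1] if len(words) == 2 and words[0] == "value" else None
        if acl and any(e[:4] == ["permit", "ip", "any", "any"] for e in cfg["acls"].get(acl, [])):
            findings.append(f"group-policy {gp}: vpn-filter {acl} permits ip any any")
    return findings


# Constructed sample: the post's template with l2l_policy in place of <policy_name>
ORIGINAL_TEMPLATE = """\
access-list outside_8_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list vpn_filter extended permit ip any any
crypto isakmp policy 1
 encryption 3des
 hash sha
 group 2
group-policy l2l_policy attributes
 vpn-filter value vpn_filter
crypto map outside_map 8 match address outside_8_cryptomap
crypto map outside_map 8 set pfs
crypto map outside_map 8 set transform-set ESP-AES-256-SHA
"""

# The same template with the weak settings swapped out and the transform set defined
HARDENED_TEMPLATE = (ORIGINAL_TEMPLATE
    .replace("permit ip any any", "permit ip 10.1.10.0 255.255.255.0 192.168.1.0 255.255.255.0")
    .replace("encryption 3des", "encryption aes-256").replace(" group 2\n", " group 14\n")
    .replace("set pfs\n", "set pfs group14\n")
    + "crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac\n")
```

Running audit_vpn over the original template reports six findings (3DES, SHA-1 and group 2 in the ISAKMP policy, the undefined transform set, the default PFS group and the any-any vpn-filter); the hardened version leaves only the SHA-1 hash, which IKEv1 on the ASA cannot improve on and which is the argument for moving such tunnels to IKEv2.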

Categories: Cisco ASA, IOS

Showing a transceiver serial in Cisco IOS

November 24th, 2009 peter 1 comment

Sometimes you want to see the serial number of a transceiver in a Cisco switch (e.g. a GLC-SX-MM=), for instance to verify that an installed optic matches what was ordered or recorded in the inventory. You can show it with the following command:

switch#sh idprom interface gigabitEthernet x/y | i Serial

The | i Serial part is optional; it only filters the output down to the line with the serial number. On platforms that support it, show inventory lists the PID and serial number of every installed transceiver in one go.

Categories: IOS, switching

Use ip helper-address with the no ip forward-protocol

November 7th, 2008 peter 1 comment

The ip helper-address command is commonly used in multilayer switched networks. When you configure it on a routed interface (for instance, an SVI on a multilayer switch), the router picks up the following UDP broadcasts and forwards them as unicasts to the helper address by default:

  • TFTP – port 69
  • Domain Name System (DNS) – port 53
  • Time service – port 37
  • NetBIOS Name Server – port 137
  • NetBIOS Datagram Server – port 138
  • Bootstrap Protocol (BOOTP) client and server – ports 67 and 68
  • TACACS – port 49

In most networks the helper is there for DHCP only. Relaying the rest means that anything a host broadcasts to those ports on a user VLAN (TFTP, NetBIOS name traffic, TACACS) is delivered to the helper host as well, which is rarely intended, so disable the protocols you don't need. Note that ip forward-protocol is a global setting: it changes what every interface with a helper address relays. For example, to stop relaying TFTP:

router(config)# no ip forward-protocol udp 69

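Because the forward-protocol list is global and the helper addresses are per interface, the actual relay surface is the product of the two. The Python below is an added example, not from the original post: it models the default port list from the IOS documentation, applies the global forward-protocol lines found in a config, lists the interfaces that relay broadcasts, and generates the lines needed to shrink the relay to DHCP only. The config sample is constructed; the interface names and helper addresses are made up, and the port keywords (tftp, domain, time, netbios-ns, netbios-dgm, bootps, bootpc, tacacs) are the ones IOS accepts in place of the number.

```python
import re

# Ports IOS relays by default once ip helper-address is configured (from the
# ip forward-protocol documentation), with the CLI keyword for each port.
DEFAULT_FORWARDED_UDP = {69: "tftp", 53: "domain", 37: "time", 137: "netbios-ns",
                         138: "netbios-dgm", 67: "bootps", 68: "bootpc", 49: "tacacs"}
PORT_KEYWORDS = {name: port for port, name in DEFAULT_FORWARDED_UDP.items()}

FORWARD_RE = re.compile(r"^(?P<no>no )?ip forward-protocol udp (?P<port>\S+)$")


def port_number(token):
    """Accept either a number or one of the IOS port keywords."""
    return int(token) if token.isdigit() else PORT_KEYWORDS[token]


def forwarded_ports(config):
    """UDP ports the router will relay after the global forward-protocol lines are applied."""
    ports = set(DEFAULT_FORWARDED_UDP)
    for raw in config.splitlines():
        if m := FORWARD_RE.match(raw.strip()):
            port = port_number(m["port"])
            if m["no"]:
                ports.discard(port)
            else:
                ports.add(port)     # a non-default port added on purpose
    return ports


def helper_interfaces(config):
    """{interface: [helper addresses]} for the interfaces that relay broadcasts at all."""
    result, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif line.startswith(" ") and current and line.strip().startswith("ip helper-address "):
            result.setdefault(current, []).append(line.split()[2])
        elif not line.startswith(" "):
            current = None          # left the interface block
    return result


def minimise_commands(keep):
    """Global config lines that turn off every default port not in `keep`."""
    return [f"no ip forward-protocol udp {p}" for p in sorted(DEFAULT_FORWARDED_UDP) if p not in keep]


# Constructed sample: one SVI relaying to two servers, TFTP and TACACS already disabled.
SAMPLE_CONFIG = """\
ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp 49
!
interface Vlan10
 description users
 ip address 10.10.0.1 255.255.255.0
 ip helper-address 10.0.0.5
 ip helper-address 10.0.0.6
!
interface Vlan20
 description servers
 ip address 10.20.0.1 255.255.255.0
!
"""
```

With the sample, forwarded_ports still contains DNS, time and both NetBIOS ports even though only DHCP was wanted; appending the output of minimise_commands({67, 68}) to the config brings the relayed set down to ports 67 and 68 on every helper-equipped interface.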

Categories: IOS

Cisco Keepalives

October 16th, 2008 peter 2 comments

By default Cisco routers and switches periodically test their (Fast) Ethernet links by sending out Loopback frames (ethertype 0x9000) addressed to themselves; call it an L2 self-ping if you will. In a switched environment this can be used to test the functionality of the switch and/or to keep the router's MAC address in the switch's address table. Another thing these Loopback frames do is check for a loop: if there is a loop in the network, the keepalive comes back in on the port it was sent from, the sending switch sees its own frame and puts that port into the err-disabled state (cause loopback).

The original post shows a capture of such a Loopback frame; the source address equals the destination address (SA = DA).

Recently I had a problem in a network which was caused by this loopback mechanism: when we tried to add a switch with redundant connections to the VTP domain, I noticed that the loopback mechanism had err-disabled the uplink ports of a lot of edge switches! I could no longer reach my edge switches and had to take these ports out of the err-disabled state manually. The following syslog message was generated on the switches:

ETHCNTR-3-LOOP_BACK_DETECTED: Loop-back detected on gig0/2

We activated the err-disable recovery mechanism for this cause (errdisable recovery cause loopback, with errdisable recovery interval setting how long a port stays down) so that the ports come back on their own. You can also disable the keepalive on uplink ports with the no keepalive interface command. Bear in mind that this also removes the loopback detection on that port, so only do it on uplinks where spanning tree is already guarding against loops.

Cisco has documented this problem as bug ID CSCea46385. Cisco says that starting in 12.2SE-based releases, keepalives are no longer sent by default on fiber and uplink interfaces.
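What the incident above looks like on a syslog collector, and how to tell a site-wide loop from a single bad port: the Python below is an added example, not part of the original post. It parses the ETHCNTR-3-LOOP_BACK_DETECTED message quoted above together with the PM-4-ERR_DISABLE message that accompanies it, groups the loopback err-disables per switch, and produces the shut/no shut and errdisable recovery commands needed to clear them. The log lines are constructed for the example and modelled on the quoted message; the hostnames, timestamps and sequence numbers are made up.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the message quoted in the post; hosts and times are made up.
SAMPLE_SYSLOG = """\
Oct 16 09:41:02 edge-sw01 1234: %ETHCNTR-3-LOOP_BACK_DETECTED: Loop-back detected on GigabitEthernet0/2.
Oct 16 09:41:02 edge-sw01 1235: %PM-4-ERR_DISABLE: loopback error detected on Gi0/2, putting Gi0/2 in err-disable state
Oct 16 09:41:03 edge-sw02 2201: %ETHCNTR-3-LOOP_BACK_DETECTED: Loop-back detected on GigabitEthernet0/1.
Oct 16 09:41:03 edge-sw02 2202: %PM-4-ERR_DISABLE: loopback error detected on Gi0/1, putting Gi0/1 in err-disable state
Oct 16 09:41:04 edge-sw03 3110: %ETHCNTR-3-LOOP_BACK_DETECTED: Loop-back detected on GigabitEthernet0/2.
Oct 16 09:41:04 edge-sw03 3111: %PM-4-ERR_DISABLE: loopback error detected on Gi0/2, putting Gi0/2 in err-disable state
Oct 16 09:41:05 edge-sw03 3112: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/7, putting Fa0/7 in err-disable state
Oct 16 09:45:30 core-sw01 5001: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/24, changed state to down
"""

SYSLOG_PREFIX = r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) \S+ "
LOOPBACK_RE = re.compile(SYSLOG_PREFIX + r"%ETHCNTR-3-LOOP_BACK_DETECTED: Loop-back detected on (?P<intf>[\w/]+)")
ERRDISABLE_RE = re.compile(SYSLOG_PREFIX + r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<intf>[\w/]+),")


def parse_events(text):
    """Return (timestamp, host, interface, cause) for loopback detections and err-disables."""
    events = []
    for line in text.splitlines():
        if m := LOOPBACK_RE.match(line):
            events.append((m["ts"], m["host"], m["intf"], "loopback-detected"))
        elif m := ERRDISABLE_RE.match(line):
            events.append((m["ts"], m["host"], m["intf"], m["cause"]))
    return events


def loopback_errdisables(text):
    """Map host -> sorted interfaces that PM err-disabled for cause 'loopback'."""
    ports = defaultdict(set)
    for _, host, intf, cause in parse_events(text):
        if cause == "loopback":
            ports[host].add(intf)
    return {host: sorted(intfs) for host, intfs in ports.items()}


def looks_like_site_wide_loop(text, min_hosts=2):
    """Several switches losing uplinks to loopback at once points at a loop introduced
    upstream (as in the post) rather than at a single faulty cable or NIC."""
    return len(loopback_errdisables(text)) >= min_hosts


def recovery_commands(text):
    """Per host: the shut/no shut needed to clear the ports by hand, plus the
    errdisable recovery lines that let the switch clear future ones itself."""
    out = {}
    for host, intfs in loopback_errdisables(text).items():
        cmds = ["errdisable recovery cause loopback", "errdisable recovery interval 300"]
        for intf in intfs:
            cmds += [f"interface {intf}", " shutdown", " no shutdown"]
        out[host] = cmds
    return out
```

The bpduguard err-disable on edge-sw03 is deliberately left out of the loopback summary: it is a different cause with a different fix, and mixing the two is how a loop gets misdiagnosed as a rogue switch on an access port.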

Categories: IOS, switching

Find feature within show running-config in IOS

September 20th, 2008 peter No comments

The nice thing about working with Cisco gear is that you keep hearing about features you had never heard of before. This is one of them.

When you do a show run on, for instance, a Cisco router and the output pauses at the --More-- prompt, you can type / followed by a search string to jump to the first line that matches it. This is handy with very large configs, and it works on any paged show output, not only show run. (For one interface block specifically, show run interface Gi13/18 gets you there as well.)

The following output shows me the configuration for port Gi13/18 on a Cisco switch without scrolling through the entire config; the /13/18 line is what I typed at the --More-- prompt, and filtering… is the switch's response before it jumps to the match.

switch#sh run
Building configuration…

Current configuration : 63114 bytes
!
! Last configuration change at 12:20:34 MET-DST Sat Sep 20 2008 by xxx
! NVRAM config last updated at 12:20:35 MET-DST Sat Sep 20 2008 by xxx
!
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service counters max age 5
!
hostname switch
!
enable secret 5 xxx
!
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
clock timezone MET 1
clock summer-time MET-DST recurring last Sun Mar 2:00 last Sun Oct 3:00
ip subnet-zero
!
!
/13/18
filtering…
interface GigabitEthernet13/18
description server1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,11,12
switchport mode trunk
switchport nonegotiate
no ip address

Categories: IOS

Using macros with IOS

September 11th, 2008 admin No comments

Ever wanted to do something on a Cisco switch, but you cannot because the change would throw you out of your own session? I ran into it recently when I wanted to activate a new SVI on a Catalyst 2950. Since only one SVI can be active at a time on that platform, shutting down Vlan1 drops the session before you can bring up the new one, so I decided to do it with a macro. A macro can be stored in the switch configuration and applied manually; when it is applied, you can be sure the script runs from beginning to end without interruption.

I have used the following script;

macro name change_vlan
interface Vlan1
no description
no ip address
shutdown
interface Vlan250
description production
ip address 10.101.3.1 255.255.255.0
no shutdown
@

To apply the macro, enter the following in global configuration mode (macro global apply is for macros whose commands are global, like the interface commands above; a per-interface macro is applied with macro apply under the interface):

switch(config)# macro global apply change_vlan

Categories: IOS