Want an easy way to find out what speeds your interface supports? Or what encapsulation it supports? Then show interface capabilities is the command you want. Let's look at a sample output:
This shows that the port is gigabit capable (gigabitethernet kind of gives that away), but it also shows that the speed can be set to 10, 100 or 1000. Some gigabit ports are fixed speed. It has support for both 802.1Q and ISL, Cisco's proprietary trunking method. The port supports storm-control, it supports rewriting CoS and ToS headers, and we have four egress queues for QoS with three thresholds, two of which are configurable. We can use SPAN and the port can be a source or a destination. We also have support for 802.1X. So this command gives us a brief and concise output of all the features the interface supports. I will post some other useful commands later on as well.
My plan is to do the CCIE two years from now. I plan on doing the written in late 2010 or early 2011 and after that prepare for about a year for the lab. Many people do like 1/3 reading and 2/3 labs but I think I will be closer to 50/50. My goal is to know the theory so well that doing the labs is not that difficult, since it's just an extension of the theory. We will see if my plan holds up. I also now have an OK from work to go for it, which is nice. Right now I have too much work to do any studying there, but we will see what happens later on. At least I know I will get the support I need. I've done about 50 hours of reading so far and I think I will need at least 300 hours of reading and some basic labs on top of that before taking the written. Doing the whole preparation will probably take more than 1000 hours.
It's getting more common to use dual ISPs since most companies nowadays are dependent on a functioning network and Internet connection. In this scenario we will be using a leased line as the primary connection; this connection won't be encrypted since it is a private point-to-point connection. The second connection is a VPN tunnel over the Internet. This is what our network looks like:
We will be using a function called sla monitor to achieve our goal. Let's start with the interface config:
We have three interfaces with a security level of 100 for inside, 50 for the leased line and 0 for the Internet connection. We need access-lists to allow the traffic in on our OUTSIDE interfaces:
The access-list VPN_TRAFFIC is for defining “interesting” traffic to trigger the VPN tunnel. Apply the access-lists to the relevant interfaces:
We need routing for the inside network at the other end:
The track 1 statement means that we are tracking the static route in case it goes down; the other route is called a floating static route and has an administrative distance of 254. This is the config that relates to the tracking:
We are sending 5 ICMP packets, 5 seconds apart, to the other end of the leased line. We only need to receive one successful answer to stay on the primary line. If you want to do it differently you could set it to 1 or whatever value suits your topology. This is the configuration that relates to the VPN tunnel; if you don't need VPN just remove it:
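To make the failover logic concrete, here is a small model of what the tracked route and the floating static route do together. This is an added example written for this post, not the ASA configuration from the original; the prefix, next hops and interface names are placeholders, while the probe count (5 echoes, one reply is enough) and the administrative distances (1 for the tracked primary, 254 for the floating route) follow the text above.

```python
# Added example (not from the original post): a model of an ASA-style tracked
# static route failing over to a floating static route. Prefix, next hops and
# interface names are placeholders; the probe policy and the administrative
# distances follow the post (5 echoes per run, one reply keeps the track up,
# primary AD 1, floating route AD 254). The run-to-run interval of 5 seconds
# does not affect which route is chosen and is not modelled.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class StaticRoute:
    interface: str
    prefix: str
    next_hop: str
    admin_distance: int
    track_id: Optional[int] = None  # None: route is never withdrawn


def track_is_up(echo_replies: List[bool], num_packets: int = 5) -> bool:
    """Reachability track: the object stays up as long as at least one of the
    num_packets echoes in a probe run is answered. A stricter policy would
    replace any() with all()."""
    if len(echo_replies) != num_packets:
        raise ValueError(f"expected {num_packets} probe results, got {len(echo_replies)}")
    return any(echo_replies)


def select_route(routes: List[StaticRoute], track_states: Dict[int, bool]) -> Optional[StaticRoute]:
    """Pick the eligible route with the lowest administrative distance.
    A tracked route is only eligible while its track object is up; the
    untracked floating route is always eligible, so with AD 254 it only
    wins once the primary has been withdrawn."""
    eligible = [r for r in routes
                if r.track_id is None or track_states.get(r.track_id, False)]
    if not eligible:
        return None
    return min(eligible, key=lambda r: r.admin_distance)


# Constructed routing table: the remote inside network is reachable over the
# leased line (primary, tracked) and over the Internet/VPN side (floating).
REMOTE_INSIDE = "192.168.2.0/24"  # placeholder prefix
ROUTES = [
    StaticRoute("LEASED", REMOTE_INSIDE, "10.0.0.2", 1, track_id=1),  # placeholder next hop
    StaticRoute("OUTSIDE", REMOTE_INSIDE, "203.0.113.1", 254),        # floating static route
]


def active_interface(echo_replies: List[bool]) -> str:
    """Evaluate one probe run and report which interface carries the traffic."""
    states = {1: track_is_up(echo_replies)}
    chosen = select_route(ROUTES, states)
    return chosen.interface if chosen else "none"


if __name__ == "__main__":
    # Four of five echoes lost: one reply is still enough to keep the primary.
    print(active_interface([False, False, False, True, False]))
    # All five echoes lost: the track goes down and the floating route takes over.
    print(active_interface([False] * 5))
```

The point to take from the model is that the floating route never competes on equal terms: the only thing that lets it into the routing table is the primary being withdrawn by the track, which is why a single answered echo is enough to keep traffic on the leased line.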
With the new switches like the 3560-X it is possible to run a universal IOS image with support for different feature sets like LAN Base, IP Base and IP Services, where IP Services is the most feature-rich version. I did an upgrade from LAN Base to IP Base and thought it would be a good idea to show how it's done.
The universal image has a name like this: c3560e-universalk9-mz.122-53.SE2.bin. To get the licenses you need to register the Product Activation Key (PAK) that you receive after ordering the license. You also need to know the product number and the serial number of the device that the license is for. The product number can be WS-C3560X-24T-L and the serial number is a string of letters and numbers; the same goes for the PAK number.
When the registration is done you will receive a .lic file, which is a combination of the PAK number, a date and some other numbers. You will need to upload this file to the switch. I used FTP to upload the file:
The file is now copied to flash. After that we need to install the license, the syntax is license install:
The license is now installed but we need to reboot the switch before it goes active. We will also get a message logged to the console that looks like this:
After the reboot we can use show license to see what licenses are installed:
We can see here that there is an IP Services license available for evaluation if we need to do that. And that is how licensing works.
Trivial File Transfer Protocol (TFTP) has been the natural choice for transferring files on a Cisco device for a long time, but it has some weaknesses:
- It's not reliable, since it doesn't use TCP
- Since it's not using TCP, every packet has to be acknowledged before the next one can be sent
- No support for encryption of traffic
- Takes a long time to transfer large files
So why do we still use TFTP? Mostly because it's simple to set up and we are used to it. File Transfer Protocol (FTP) overcomes most of the weaknesses of TFTP. It's reliable because it uses TCP for transport. We send several packets before needing an acknowledgement. It's much faster. It is not encrypted, but if that is a must, Secure Copy (SCP) can be used.
Transferring a file from an FTP server to a Cisco ASA is very easy. First you need an FTP server; I use Quick 'n Easy FTP Server Lite. This is the syntax to transfer a file:
Change user and password to the real username and password; servip is the IP address used by the FTP server. Filename is the name of the file to transfer. Disk0 is the destination for the file. I did some upgrades of ASAs last week and I was shocked how much faster it is than TFTP, so I highly recommend you start using it.
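The "one block, one acknowledgement" behaviour is the whole reason TFTP feels slow on a WAN, and a quick timing model makes that visible. This is an added example, not from the original post: it assumes the classic 512-byte TFTP block, ignores TCP slow start and FTP control-channel chatter, and uses constructed link figures rather than measurements.

```python
# Added example (not from the original post): a simplified timing model that
# shows why TFTP's lock-step acknowledgement hurts on large files. Link speed,
# round-trip time and file size used below are constructed, not measured.

TFTP_BLOCK_BYTES = 512  # classic TFTP block size without the blksize option


def serialization_time(nbytes: int, link_bps: float) -> float:
    """Seconds needed to clock nbytes onto a link of link_bps bits per second."""
    return nbytes * 8 / link_bps


def tftp_transfer_time(file_bytes: int, rtt_s: float, link_bps: float,
                       block_bytes: int = TFTP_BLOCK_BYTES) -> float:
    """TFTP sends one data block and waits for its ACK before sending the next,
    so every block costs roughly one round trip plus its own serialization
    time. A final block shorter than block_bytes (possibly empty) signals the
    end of the file, hence the +1."""
    blocks = file_bytes // block_bytes + 1
    per_block = rtt_s + serialization_time(block_bytes, link_bps)
    return blocks * per_block


def ftp_transfer_time(file_bytes: int, rtt_s: float, link_bps: float) -> float:
    """TCP keeps many segments in flight, so once the window is open the
    transfer is bandwidth-bound: roughly one RTT to get the data connection
    going plus the time to serialize the whole file (slow start and the FTP
    control channel are ignored here)."""
    return rtt_s + serialization_time(file_bytes, link_bps)


def tftp_penalty(file_bytes: int, rtt_s: float, link_bps: float) -> float:
    """How many times longer the TFTP transfer takes compared with FTP."""
    return tftp_transfer_time(file_bytes, rtt_s, link_bps) / ftp_transfer_time(file_bytes, rtt_s, link_bps)


if __name__ == "__main__":
    # Constructed scenario: a 20 MB image over a 100 Mbit/s link with 20 ms RTT.
    size, rtt, bps = 20 * 1024 * 1024, 0.020, 100e6
    print(f"TFTP: {tftp_transfer_time(size, rtt, bps):.0f} s")
    print(f"FTP:  {ftp_transfer_time(size, rtt, bps):.1f} s")
    print(f"TFTP takes {tftp_penalty(size, rtt, bps):.0f}x longer")
```

Notice that the TFTP figure is dominated by the number of blocks times the RTT, not by link speed: on a LAN with a sub-millisecond RTT the two are close, while over a WAN link the penalty grows with every millisecond of latency even though the bandwidth is unchanged.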
I’m trying to read as much as I can and I’m almost halfway through the certification guide. It’s a good read so far and knowing that Narbik has checked the content means it’s good technical quality. It doesn’t go very deep into all areas because then the book would be 5000 pages instead of 1000 but it gives you a good feeling for what you need to study and I would imagine that this book would be essential for anyone going after the IE. When I’m done with this I’ll probably go with the Doyle books next.
I recently upgraded some ASA firewalls to version 8.3(2) and ASDM 6.3(2). ASDM relies on Java to work. I had Java 1.6.0(20) installed on my Windows 7 laptop but ASDM would not work with this version. What's strange and very lame is that when you try to connect to the firewall with ASDM and the Java version is not OK, nothing happens. The page just times out, no error message or anything. So you start to think that you have configured something wrong, but no, you haven't. I had to downgrade to 1.6.0 to get it to work. Surely Cisco could output an error message or provide a tool for testing if your Java is OK. Rant over…
Newer Cisco switches and routers have the ability to connect to the console port with a USB cable. The RJ45 is still there, no need to worry about that yet. To connect you need a cable that has a male type A connector at one end and a male mini-B connector at the other. See the picture below:
You can order a cable when you order your switch/router, but unless you want to pay a lot more for it, just buy it in a regular electronics store. I paid about $6 for mine (converted from Swedish currency) and Cisco's list price is $30 for a 6 ft cable.
You need to download drivers from Cisco's website (requires a login). Go to the download software section, choose a device like a 3560 switch and then choose USB console driver:
The file is a zip; download it somewhere and then unzip it. You will have a few different folders depending on what operating system you run. I used the setup file from the Windows_32 folder. This will install the software. When you insert the USB cable into your computer, Windows will detect it and install the driver. You will have a new COM port in device manager that looks like this:
Create a regular connection with your favourite terminal program and use the regular settings: 9600 bit/s, 8 data bits, no parity and 1 stop bit.
So what have we gained from using the USB cable instead? Not that much: we don't need the USB to serial converter any more, and it's cheaper to buy a USB cable than a converter. It's also a cable we might already have if we own devices like a digital camera. As long as the regular console port is left we now have two options, which is good.
I'm about to set up two Cisco 3560-X at work and the plan is to interconnect them with fibre. However, when I was about to order C3KX-NM-1G I was told by my distributor that they can't be delivered until November. Guess I will have to go with copper for now.
The previous post talked about autonegotiation. This time I will talk about cables and pinouts and how auto MDIX works. Although I'm not very old I still like to do it the old school way. I don't rely on auto MDIX; instead I use the right cable. Let's look at a pinout for T568B:
A regular end device like a PC transmits on pins one and two and receives on pins three and six. Although we have four pairs only two are actually used, unless we are using gigabit Ethernet, but that is another topic. A device like a switch does the opposite: it receives on pins one and two and sends on three and six. This is why we use a straight-through cable between them. When connecting similar devices like a switch to a switch we need to use a crossover cable, since they want to send on the same pins and receive on the same pins. So when choosing a cable, remember that similar devices require a crossover and different devices need a straight-through.
An engineer at HP developed the auto MDIX standard since he was tired of looking for crossover cables. But how does it work?
The NIC expects to receive Fast Link Pulses (FLP) on pins three and six. If it receives FLPs it knows that the configuration is correct. If it doesn't receive FLPs it will switch over to MDI-X mode. This is a very simplified view of it; the process involves different timers and an XOR algorithm. If you want to know more, check out the IEEE 802.3 specification section 3, clause 40.4.4.
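Here is the pinout, the cable decision and the simplified auto-MDIX step from the last few paragraphs expressed as code, so you can check a cable choice instead of remembering the rule. This is an added example and not part of the original post: the pin-to-colour table is T568B and the pin usage is 10/100 Mbit/s Ethernet as described above; the port type names and the way the FLP probe is represented are this example's own simplification, not the 802.3 clause 40.4.4 state machine.

```python
# Added example (not from the original post): T568B pin assignments, the
# straight-through vs crossover decision, and a deliberately simplified
# auto-MDIX step. Pin colours are the T568B standard; "MDI"/"MDI-X" port
# types and the FLP probe representation are this example's own.
from typing import Dict, Tuple

# T568B: pin -> wire colour. Only pairs 1-2 and 3-6 carry 10/100 Mbit/s
# Ethernet; 4-5 and 7-8 are not used until gigabit.
T568B: Dict[int, str] = {
    1: "white/orange", 2: "orange",
    3: "white/green",  4: "blue",
    5: "white/blue",   6: "green",
    7: "white/brown",  8: "brown",
}

# MDI (end device such as a PC): transmits on 1-2, receives on 3-6.
# MDI-X (switch port): the opposite.
PORT_PINS: Dict[str, Dict[str, Tuple[int, int]]] = {
    "MDI":   {"tx": (1, 2), "rx": (3, 6)},
    "MDI-X": {"tx": (3, 6), "rx": (1, 2)},
}


def cable_needed(port_a: str, port_b: str) -> str:
    """Different port types (MDI to MDI-X) line TX up with RX through a
    straight-through cable; like port types both transmit on the same pins
    and need a crossover to swap the pairs."""
    return "straight-through" if port_a != port_b else "crossover"


def pin_map(cable: str) -> Dict[int, int]:
    """Pin on end A -> pin on end B. A 10/100 crossover swaps pair 1-2 with
    3-6 and leaves the unused pairs alone."""
    if cable == "straight-through":
        return {p: p for p in range(1, 9)}
    swap = {1: 3, 2: 6, 3: 1, 6: 2}
    return {p: swap.get(p, p) for p in range(1, 9)}


def link_works(port_a: str, port_b: str, cable: str) -> bool:
    """True when A's transmit pins land on B's receive pins and vice versa."""
    a_to_b = pin_map(cable)
    b_to_a = {v: k for k, v in a_to_b.items()}
    a, b = PORT_PINS[port_a], PORT_PINS[port_b]
    return (tuple(a_to_b[p] for p in a["tx"]) == b["rx"]
            and tuple(b_to_a[p] for p in b["tx"]) == a["rx"])


def auto_mdix(local_mode: str, flp_seen_on: Tuple[int, int]) -> str:
    """Simplified auto-MDIX: a port expects the peer's Fast Link Pulses on its
    receive pins. If they arrive there the mode is kept; if not, the port
    flips to the other mode. The real algorithm adds timers and a random
    element so both ends do not flip in lock-step; that is omitted here."""
    if tuple(flp_seen_on) == PORT_PINS[local_mode]["rx"]:
        return local_mode
    return "MDI-X" if local_mode == "MDI" else "MDI"


def crossover_colour_map() -> Dict[str, str]:
    """Colour on end A -> colour on end B for a crossover, handy when punching
    one down: white/orange meets white/green, orange meets green."""
    return {T568B[a]: T568B[b] for a, b in pin_map("crossover").items()}


if __name__ == "__main__":
    print(cable_needed("MDI", "MDI-X"), link_works("MDI", "MDI-X", "straight-through"))
    print(cable_needed("MDI-X", "MDI-X"), link_works("MDI-X", "MDI-X", "crossover"))
    print(auto_mdix("MDI", (1, 2)))  # pulses on our TX pins: flip to MDI-X
    print(crossover_colour_map())
```

Running it with a switch-to-switch pair shows the failure the text describes: with a straight-through cable both ports transmit on pins 3 and 6 into each other's transmitters, and only the crossover (or one end flipping to MDI via auto-MDIX) brings the link up.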