Archive
What can my interface do? – Show interface capabilities
Want an easy way to find out what speeds your interface supports, or what encapsulations it supports? Then show interface capabilities is the command you want. Let's look at a sample output:
Switch#sh int gi0/1 capabilities
GigabitEthernet0/1
Model: WS-C3560X-24
Type: 10/100/1000BaseTX
Speed: 10,100,1000,auto
Duplex: half,full,auto
Trunk encap. type: 802.1Q,ISL
Trunk mode: on,off,desirable,nonegotiate
Channel: yes
Broadcast suppression: percentage(0-100)
Flowcontrol: rx-(off,on,desired),tx-(none)
Fast Start: yes
QoS scheduling: rx-(not configurable on per port basis),
tx-(4q3t) (3t: Two configurable values and one fixed.)
CoS rewrite: yes
ToS rewrite: yes
UDLD: yes
Inline power: no
SPAN: source/destination
PortSecure: yes
Dot1x: yes
This shows that the port is gigabit capable (GigabitEthernet kind of gives that away) but also that the speed can be set to 10, 100 or 1000; some gigabit ports are fixed speed. It supports both 802.1Q and ISL, Cisco's proprietary trunking method. The port supports storm control, it supports rewriting the CoS and ToS fields, and we have four egress queues for QoS with three thresholds, two of which are configurable. We can use SPAN and the port can be a source or a destination. We also have support for 802.1X. So this command gives us a brief and concise overview of all the features the interface supports. I will post some other useful commands later on as well.
CCIE – 2 years from now
My plan is to do the CCIE two years from now. I plan on doing the written in late 2010 or early 2011 and after that prepare for about a year for the lab. Many people do like 1/3 reading and 2/3 labs but I think I will be closer to 50/50. My goal is to know the theory so well that doing the labs is not that difficult, since it's just an extension of the theory. We will see if my plan holds up.
I also now have an OK from work to go for it, which is nice. Right now I have too much work to do any studying there but we will see what happens later on. At least I know I will get the support I need. I’ve done about 50 hours of reading so far and I think I will need at least 300 hours reading and some basic labs on that before taking the written. Doing the whole preparation will probably take more than 1000 hours.
Using Cisco ASA with dual ISPs
It's getting more common to use dual ISPs since most companies nowadays depend on a functioning network and Internet connection. In this scenario we will be using a leased line as the primary connection; this connection won't be encrypted since it is a private point-to-point connection. The second connection is a VPN tunnel over the Internet. This is what our network looks like:
We will be using a function called sla monitor to achieve our goal. Let's start with the interface config:
interface Ethernet0/0
nameif OUTSIDE-LEASED
security-level 50
ip address 10.255.0.1 255.255.255.252
!
interface Ethernet0/1
nameif OUTSIDE-INTERNET
security-level 0
ip address 10.255.0.5 255.255.255.252
!
interface Ethernet0/2
nameif INSIDE
security-level 100
ip address 172.16.0.1 255.255.255.0
We have three interfaces, with a security level of 100 for inside, 50 for the leased line and 0 for the Internet connection. We need access-lists to allow the traffic in on our OUTSIDE interfaces:
access-list OUTSIDE_IN extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list VPN_TRAFFIC extended permit ip 172.16.0.0 255.255.255.0 192.168.0.0 255.255.255.0
The access-list VPN_TRAFFIC is for defining “interesting” traffic to trigger the VPN tunnel. Apply the access-lists to the relevant interfaces:
access-group OUTSIDE_IN in interface OUTSIDE-LEASED
access-group OUTSIDE_IN in interface OUTSIDE-INTERNET
We need routing for the inside network at the other end:
route OUTSIDE-LEASED 192.168.0.0 255.255.255.0 10.255.0.2 1 track 1
route OUTSIDE-INTERNET 192.168.0.0 255.255.255.0 10.255.0.6 254
The track 1 keyword means that we are tracking the static route in case it goes down; the other route is called a floating static route and has an administrative distance of 254. This is the config that relates to the tracking:
sla monitor 1
type echo protocol ipIcmpEcho 10.255.0.2 interface OUTSIDE-LEASED
num-packets 5
frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
We are sending 5 ICMP packets, 5 seconds apart, to the other end of the leased line. We only need to receive one successful answer to stay on the primary line. If you want to do it differently you could set it to 1 or whatever value suits your topology. This is the configuration that relates to the VPN tunnel; if you don't need VPN just remove it:
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN-MAP 1 match address VPN_TRAFFIC
crypto map VPN-MAP 1 set peer 10.255.0.6
crypto map VPN-MAP 1 set transform-set 3DES-SHA
crypto map VPN-MAP interface OUTSIDE-INTERNET
crypto isakmp enable OUTSIDE-INTERNET
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 10.255.0.6 type ipsec-l2l
tunnel-group 10.255.0.6 ipsec-attributes
pre-shared-key secret
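The pieces of this config only fail over correctly when they reference each other consistently: the tracked route must point at a defined track, that track's SLA probe must leave on the same interface as the route it protects, a floating backup must exist for the same prefix, and every ACL named by an access-group or the crypto map must be defined. The script below, an added example written for this page (not Cisco's tooling or the post's own code), lints a constructed excerpt of the configuration above for exactly those cross-references.

```python
import re

# Constructed excerpt of the dual-ISP config from the post (not a real device dump).
ASA_CONFIG = """
access-list OUTSIDE_IN extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list VPN_TRAFFIC extended permit ip 172.16.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-group OUTSIDE_IN in interface OUTSIDE-LEASED
access-group OUTSIDE_IN in interface OUTSIDE-INTERNET
route OUTSIDE-LEASED 192.168.0.0 255.255.255.0 10.255.0.2 1 track 1
route OUTSIDE-INTERNET 192.168.0.0 255.255.255.0 10.255.0.6 254
sla monitor 1
 type echo protocol ipIcmpEcho 10.255.0.2 interface OUTSIDE-LEASED
track 1 rtr 1 reachability
crypto map VPN-MAP 1 match address VPN_TRAFFIC
crypto map VPN-MAP interface OUTSIDE-INTERNET
"""

def grab(lines, pattern):
    """Capture groups of every line matching pattern (None for absent optional groups)."""
    return [m.groups() for m in (re.match(pattern, l) for l in lines) if m]

def lint_asa(config):
    """Findings for dangling or inconsistent references between the routes,
    track, SLA probe and ACLs that together make the failover work."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    acls = {g[0] for g in grab(lines, r"access-list (\S+) ")}
    tracks = dict(grab(lines, r"track (\d+) rtr (\d+) reachability"))  # track -> sla
    slas, cur = {}, None  # sla id -> interface the ICMP probe leaves on
    for l in lines:
        if m := re.match(r"sla monitor (\d+)$", l):
            cur = m.group(1)
        elif (m := re.match(r"type echo protocol \S+ \S+ interface (\S+)", l)) and cur:
            slas[cur] = m.group(1)
    findings = []
    used = grab(lines, r"access-group (\S+) ") + grab(lines, r"crypto map \S+ \d+ match address (\S+)")
    for (acl,) in used:
        if acl not in acls:
            findings.append(f"ACL {acl} is referenced but never defined")
    routes = grab(lines, r"route (\S+) (\S+) (\S+) \S+ (\d+)(?: track (\d+))?$")
    for iface, net, mask, ad, tid in routes:
        if tid is None:
            continue  # floating static routes carry no track
        if tid not in tracks:
            findings.append(f"route via {iface}: track {tid} is not defined")
        elif slas.get(tracks[tid]) != iface:
            findings.append(f"track {tid}: SLA {tracks[tid]} does not probe via {iface}")
        # The point of tracking: a floating static with a worse AD must exist for the prefix
        if not any(r[4] is None and r[1:3] == (net, mask) and int(r[3]) > int(ad) for r in routes):
            findings.append(f"route {net} {mask}: no floating static backup")
    return findings
```

Run lint_asa on a full running-config dump; an empty list means every reference resolves and the primary route has a backup.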
Upgrading the license on a Cisco 3560/3750
With newer switches like the 3560-X it is possible to run a universal IOS image with support for different feature sets like LAN Base, IP Base and IP Services, where IP Services is the most feature-rich version. I did an upgrade from LAN Base to IP Base and thought it would be a good idea to show how it's done.
The universal image has a name like this: c3560e-universalk9-mz.122-53.SE2.bin. To get the licenses you need to register the Product Activation Key (PAK) that you receive after ordering the license. You also need to know the product number and the serial number of the device the license is for. The product number can be WS-C3560X-24T-L and the serial number is a string of letters and numbers; the same goes for the PAK number.
When the registration is done you will receive a .lic file, which is a combination of the PAK number, a date and some other numbers. You will need to upload this file to the switch. I used FTP to upload the file:
copy ftp://user:password@1.2.3.4/filename.lic flash:
Accessing ftp://user:password@1.2.3.4/filename.lic…
Loading filename.lic !
[OK - 1152/4096 bytes]
1152 bytes copied in 0.092 secs (12522 bytes/sec)
The file is now copied to flash. After that we need to install the license; the syntax is license install:
Switch#license install flash:filename.lic
Installing licenses from “flash:filename.lic”
Installing…Feature:ipbase…Successful:Supported
1/1 licenses were successfully installed
0/1 licenses were existing licenses
0/1 licenses were failed to install
The license is now installed but we need to reboot the switch before it becomes active. We will also get a message logged to the console that looks like this:
*Mar 1 00:07:42.279: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = c3560x Next reboot level = ipbase and License = ipbase
*Mar 1 00:07:42.539: %LICENSE-6-INSTALL: Feature ipbase 1.0 was installed in this device. UDI=WS-C3560X-24T-L:$PAKNR StoreIndex=1:Primary License Storage
After the reboot we can use show license to see what licenses are installed:
Switch#sh license
Index 1 Feature: ipservices
Period left: 8 weeks 4 days
License Type: Evaluation
License State: Active, Not in Use, EULA not accepted
License Priority: None
License Count: Non-Counted
Index 2 Feature: ipbase
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Priority: Medium
License Count: Non-Counted
Index 3 Feature: lanbase
Period left: Life time
License Type: Permanent
License State: Active, Not in Use
License Priority: Medium
License Count: Non-Counted
We can see here that there is also an IP Services license available for evaluation if we need it. And that is how licensing works.
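When checking many switches after an upgrade it is handy to parse the show license output instead of reading it by eye. This is an added example written for this page (not Cisco's or the post's own code); it turns the Index blocks into a dictionary, reports which feature set is in use and lists evaluation licenses whose EULA has not been accepted, using a constructed copy of the output above.

```python
import re

# Constructed sample mirroring the show license output above (not a real capture).
SHOW_LICENSE = """\
Index 1 Feature: ipservices
    Period left: 8 weeks 4 days
    License Type: Evaluation
    License State: Active, Not in Use, EULA not accepted
    License Priority: None
    License Count: Non-Counted
Index 2 Feature: ipbase
    Period left: Life time
    License Type: Permanent
    License State: Active, In Use
    License Priority: Medium
    License Count: Non-Counted
Index 3 Feature: lanbase
    Period left: Life time
    License Type: Permanent
    License State: Active, Not in Use
    License Priority: Medium
    License Count: Non-Counted
"""

def parse_show_license(text):
    """Return {feature: {field: value}} for each Index block of show license."""
    features, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"Index \d+ Feature: (\S+)", line):
            cur = features.setdefault(m.group(1), {})
        elif cur is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            cur[key.strip()] = value.strip()
    return features

def in_use_feature(features):
    """The feature set the switch is currently running, or None if none is marked In Use."""
    # ", In Use" deliberately excludes "Active, Not in Use"
    return next((f for f, d in features.items() if ", In Use" in d.get("License State", "")), None)

def unaccepted_evaluations(features):
    """Evaluation licenses that exist but cannot be activated until the EULA is accepted."""
    return sorted(f for f, d in features.items()
                  if d.get("License Type") == "Evaluation"
                  and "EULA not accepted" in d.get("License State", ""))
```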
Transferring files with FTP (Cisco ASA)
Trivial File Transfer Protocol (TFTP) has been the natural choice for transferring files on a Cisco device for a long time, but it has some weaknesses:
- It's not reliable, since it doesn't use TCP
- Since it's not using TCP, every packet has to be acknowledged before the next one can be sent
- No support for encryption of traffic
- Takes a long time to transfer large files
So why do we still use TFTP? Mostly because it's simple to set up and we are used to it. File Transfer Protocol (FTP) overcomes most of the weaknesses of TFTP. It's reliable because it uses TCP for transport. We can send several packets before needing an acknowledgement. It's much faster. It is not encrypted, but if that is a must Secure Copy (SCP) can be used.
Transferring a file from an FTP server to a Cisco ASA is very easy. First you need an FTP server; I use Quick 'n Easy FTP Server Lite. This is the syntax to transfer a file:
copy ftp://user:password@serverip/filename disk0:
Change user and password to the real user and password; serverip is the IP address of the FTP server. Filename is the name of the file to transfer. Disk0 is the destination for the file. I did some upgrades of ASAs last week and I was shocked how much faster it is than TFTP, so I highly recommend you start using it.
CCIE certification guide
I'm trying to read as much as I can and I'm almost halfway through the certification guide. It's a good read so far, and knowing that Narbik has checked the content means it's of good technical quality. It doesn't go very deep into all areas, because then the book would be 5000 pages instead of 1000, but it gives you a good feeling for what you need to study, and I would imagine that this book is essential for anyone going after the IE. When I'm done with this I'll probably go with the Doyle books next.
Caveats with new Java versions for Cisco ASA
I recently upgraded some ASA firewalls to version 8.3(2) and ASDM 6.3(2). ASDM relies on Java to work. I had Java 1.6.0(20) installed on my Windows 7 laptop but ASDM would not work with this version. What's strange and very lame is that when you try to connect to the firewall with ASDM and the Java version is not OK, nothing happens. The page just times out, no error message or anything. So you start to think that you have configured something wrong, but no, you haven't. I had to downgrade to 1.6.0 to get it to work. Surely Cisco could output an error message or provide a tool for testing whether your Java is OK. Rant over…
Connecting to a Cisco console with a USB cable
Newer Cisco switches and routers have the ability to connect to the console port with a USB cable. The RJ45 port is still there, no need to worry about that yet. To connect you need a cable with a male type A connector at one end and a male mini-B connector at the other. See the picture below:
You can order a cable when you order your switch/router, but unless you want to pay a lot more for it just buy it in a regular electronics store. I paid about $6 for mine (converted from Swedish currency) and Cisco's list price is $30 for a 6 ft cable.
You need to download drivers from Cisco's website (requires a login). Go to the download software section, choose a device like a 3560 switch and then choose USB console driver:
The file is a zip; download it somewhere and then unzip it. You will have a few different folders depending on what operating system you run. I used the setup file from the Windows_32 folder. This will install the software. When you insert the USB cable into your computer, Windows will detect it and install the driver. You will have a new COM port in device manager that looks like this:
Create a regular connection with your favourite terminal program and use the regular settings: 9600 bits per second, 8 data bits, no parity and 1 stop bit.
So what have we gained from using the USB cable instead? Not that much. We don't need the USB-to-serial converter any more, and it's cheaper to buy a USB cable than a converter; it's also a cable we might already have if we own devices like a digital camera. As long as the regular console port remains we now have two options, which is good.
Cisco lead times – give me a break!
I'm about to set up two Cisco 3560-X switches at work and the plan is to interconnect them with fibre. However, when I was about to order the C3KX-NM-1G I was told by my distributor that it can't be delivered until November. Guess I will have to go with copper for now.
The facts of Ethernet – Round three
The previous post talked about autonegotiation. This time I will talk about cables and pinouts and how auto MDIX works. Although I'm not very old I still like to do it the old-school way: I don't rely on auto MDIX, instead I use the right cable. Let's look at a pinout for T568B:
A regular end device like a PC transmits on pins one and two and receives on pins three and six. Although we have four pairs, only two are actually used, unless we are using gigabit Ethernet, but that is another topic. A device like a switch does the opposite: it receives on pins one and two and sends on three and six. This is why we use a straight-through cable. When connecting similar devices, like a switch to a switch, we need to use a crossover cable since both want to send on the same pins and receive on the same pins. So when choosing a cable remember that similar devices require a crossover and different devices need a straight-through.
An engineer at HP developed the auto MDIX standard since he was tired of looking for crossover cables. But how does it work?
The NIC expects to receive Fast Link Pulses (FLPs) on pins three and six. If it receives FLPs it knows that the configuration is correct. If it doesn't receive FLPs it switches over to MDI-X mode. This is a very simplified view; the process involves different timers and an XOR algorithm. If you want to know more, check out the IEEE 802.3 specification, section 3, clause 40.4.4.