Hi All, I hope you can give me some feedback on what I am looking to design. I have a DC with multiple landing sites with dark fibre connections to each site. I need to VPN traffic back across these links encrypted and I'm looking to use 4110 NGFW. A couple of the sites have quite a load on bandwidth so I have chosen the 4110 as the datasheets support the encrypted traffic load and also to standardise hardware as we have a number of 4110 already in our solutions. Here is what I am trying to achieve. Any help would be much appreciated indeed. Thanks
I'm struggling to find a replacement for the Catalyst 3850; none of the new 9xxx series seem to offer a full SFP+ solution. Is there a direct replacement for this switch?
I have a dilemma. I have some low speed locations like a VoIP solution for instance and also some locations with a low number of users. I have to switch stack and dual link for redundancy back to the distribution from the access, but this will require runs over 100m so will need to be fiber. I have been asked to spec the Catalyst 9000 series, so please correct me if I'm wrong, but I can't find a module for the 9200 series that supports 1Gb SFP (like the Catalyst 29xx that are going EOL)?
Does this mean I have to use the Catalyst 9300 series if we intend to use fiber? If we do I can only see the 8x 10GB SFP+ modules and fitting them in all the locations along with having to use the higher spec 9300 will be considerably overkill and expensive? This seems backwards as the Catalyst family has always supported SFP with inbuilt options for 2 or 4 links?
Any help would be much appreciated
I have a couple of issues on my network at present and I'm sure I'm chasing my tail, so I want to verify that my port channel from my Cisco 2960 to Cisco SG300 is set up correctly. I've read a host of posts that mention Native VLAN giving problems and I also initially had issues with the Port Channel coming up but have solved that one. Anyhow, here's my configuration:
-----SG300----
interface vlan 77
 ip address 10.0.77.16 255.255.255.0
!
interface gigabitethernet1
 description LAG_TO_CORE_SW
 channel-group 1 mode auto
!
interface gigabitethernet2
 description LAG_TO_CORE_SW
 channel-group 1 mode auto
!
interface gigabitethernet28
 description LINK_TO_MG_SWITCH
 switchport mode access
 switchport access vlan 77
!
interface Port-channel1
 description "PORT CHANNEL TO CS"
 switchport trunk allowed vlan add 77
!
ip default-gateway 10.0.77.1
SG300#show interfaces status Port-Channel 1
                                           Flow     Link
Ch       Type    Duplex  Speed  Neg       control  State
-------- ------- ------  -----  --------  -------  -----------
Po1      1G      Full    1000   Enabled   Off      Up
-----Cisco 2960--------
!
interface Port-channel3
 description **Po-3 to MGMT Switch**
 switchport trunk allowed vlan 77
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description **Po-3 to MGMT Switch**
 switchport trunk allowed vlan 77
 switchport mode trunk
 switchport nonegotiate
 channel-protocol lacp
 channel-group 3 mode active
!
interface GigabitEthernet2/0/2
 description **Po-3 to MGMT Switch**
 switchport trunk allowed vlan 77
 switchport mode trunk
 switchport nonegotiate
 channel-protocol lacp
 channel-group 3 mode active
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan77
 ip address 10.0.77.10 255.255.255.0
!
ip default-gateway 10.0.77.1
2960#show etherchannel sum
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 3
Number of aggregators:           3

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Gi1/0/1(P)  Gi2/0/1(P)
2      Po2(SU)         LACP      Gi1/0/4(P)  Gi2/0/4(P)
3      Po3(SU)         LACP      Gi1/0/2(P)  Gi2/0/2(P)
2960#show interfaces port-channel 3
Port-channel3 is up, line protocol is up (connected)
  Hardware is EtherChannel, address is 50f7.2201.5c82 (bia 50f7.2201.5c82)
  Description: **Po-3 to MGMT Switch**
  MTU 1500 bytes, BW 2000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, link type is auto, media type is unknown
  input flow-control is off, output flow-control is unsupported
  Members in this channel: Gi1/0/2 Gi2/0/2
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     9924 packets input, 888899 bytes, 0 no buffer
     Received 8986 broadcasts (8600 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 8600 multicast, 0 pause input
     0 input packets with dribble condition detected
     10392 packets output, 1009650 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out
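When checking a port channel like the one in the post above, the thing to verify in "show etherchannel summary" is that the Po shows SU (Layer2, in use) and every member shows P (bundled); anything else (s, D, I, w) means a link is carrying no traffic even though the physical port is up. The following is an added example, not the poster's code: a small parser that reads that table and lists what is wrong. The sample text is constructed from the poster's output with Po3 altered so one member is suspended.

```python
import re

# Constructed sample: the "show etherchannel summary" table from the post,
# with group 3 changed so that Gi2/0/2 shows as suspended (s) and the
# port channel as Layer2/down (SD).
SAMPLE = """\
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Gi1/0/1(P)  Gi2/0/1(P)
2      Po2(SU)         LACP      Gi1/0/4(P)  Gi2/0/4(P)
3      Po3(SD)         LACP      Gi1/0/2(P)  Gi2/0/2(s)
"""

# One table row: group id, Po name with flags, protocol, then the member list.
ROW = re.compile(r"^\s*(\d+)\s+(Po\d+)\(([A-Za-z]+)\)\s+(\S+)\s+(.*)$")
# One member entry such as Gi1/0/1(P).
MEMBER = re.compile(r"(\S+?)\(([A-Za-z]+)\)")


def parse_summary(text):
    """Return {group: {"po", "flags", "protocol", "members": [(port, flag)]}}."""
    groups = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator and flag legend lines
        gid, po, flags, proto, rest = m.groups()
        groups[int(gid)] = {
            "po": po, "flags": flags, "protocol": proto,
            "members": MEMBER.findall(rest),
        }
    return groups


def bundle_problems(text, expected_members=2):
    """Findings for a Layer2 channel: Po flags other than SU, any member not
    bundled (P), or fewer members than the number of links that should be in it."""
    findings = []
    for gid, g in sorted(parse_summary(text).items()):
        if g["flags"] != "SU":
            findings.append(f"{g['po']}: flags {g['flags']} (expected SU)")
        for port, flag in g["members"]:
            if flag != "P":
                findings.append(f"{g['po']}: {port} flag {flag} (not bundled)")
        if len(g["members"]) < expected_members:
            findings.append(f"{g['po']}: only {len(g['members'])} member(s)")
    return findings


if __name__ == "__main__":
    for finding in bundle_problems(SAMPLE):
        print(finding)
```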
I did the following and can now connect to the dedicated Management port.
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 172.16.80.1 255.255.255.0
!
crypto key generate rsa modulus 1024
ssh 10.0.44.0 255.255.255.0 vlan44
ssh 172.16.80.0 255.255.255.0 management
asdm image flash:/asdm-713.bin
username XXXXX password XXXXXXXX privilege 15
After running "clear configure all" to get my ASA5512 back to default, I then re-entered my desired configuration and now I can't access the ASDM. I can access the website that gives me the HTTPS warning, then a username/password box pops up but I can't get past this. I also get a strange message re the "Privilege 15". The configuration I have is the same as a working ASA5512 at a different location so I'm at a loss as to why I can't access this after a day of messing around. My configuration is as follows:
interface GigabitEthernet0/5
 description VLAN2
 nameif VLAN2
 security-level 90
 ip address 10.0.2.1 255.255.255.0

http server enable
http 10.0.44.0 255.255.255.0 vlan44
http 10.0.2.0 255.255.255.0 VLAN2

username cisco password cisco privilege 15
I also tried adding the following as well:
asdm image disk0:/asdm-713.bin
It may be worth a mention that I cannot SSH to the ASA. It connects but will not authenticate. I've tried different PCs as well that already have ASDM Java installed and are known to work.
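Reaching the ASDM login page and getting past it depend on separate pieces of ASA configuration: "http server enable", an "http <net> <mask> <ifname>" line that covers the client on the interface it arrives on, an "asdm image" line, and, for the prompt to check the local "username ... privilege 15" entries, "aaa authentication http console LOCAL". The following is an added example, not the poster's configuration or Cisco's own tooling: a checker that reads a saved config and reports which of those prerequisites are missing for a given client address and ingress interface. The sample config is constructed from the lines in the post above.

```python
import ipaddress
import re

# Constructed sample assembled from the configuration lines in the post.
CONFIG = """\
interface GigabitEthernet0/5
 nameif VLAN2
 security-level 90
 ip address 10.0.2.1 255.255.255.0
http server enable
http 10.0.44.0 255.255.255.0 vlan44
http 10.0.2.0 255.255.255.0 VLAN2
username cisco password cisco privilege 15
asdm image disk0:/asdm-713.bin
"""

# "http <network> <mask> <interface-name>" access lines for ASDM/HTTPS.
HTTP_RULE = re.compile(r"^http\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")


def http_rules(config):
    """Return (network, interface) pairs from the http access lines."""
    rules = []
    for line in config.splitlines():
        m = HTTP_RULE.match(line.strip())
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            rules.append((net, m.group(3)))
    return rules


def asdm_prereqs(config, client_ip, ifname):
    """Map each ASDM prerequisite to True/False for a client at client_ip
    whose connection enters the ASA on interface ifname."""
    lines = [l.strip() for l in config.splitlines()]
    ip = ipaddress.ip_address(client_ip)
    return {
        "server_enabled": "http server enable" in lines,
        # Interface names are compared exactly as written in the config.
        "http_acl_match": any(ip in net and name == ifname
                              for net, name in http_rules(config)),
        "image_set": any(l.startswith("asdm image ") for l in lines),
        "local_http_auth": any(l.startswith("aaa authentication http console")
                               for l in lines),
    }


def asdm_blockers(config, client_ip, ifname):
    """Names of the prerequisites that are missing for this client/interface."""
    return [k for k, ok in asdm_prereqs(config, client_ip, ifname).items() if not ok]
```

Run as asdm_blockers(CONFIG, "10.0.2.50", "VLAN2") the constructed config reports only local_http_auth as missing; a client outside the listed subnets, or one arriving on a different interface, additionally fails http_acl_match.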
Hi All, when setting up Cisco ASA firewalls, we prefer to install them in pairs. A High Availability (HA) pair is our usual deployment and works well for our particular solution model. Our current customer has forced us down the route of a single firewall and a switch stack of 2x 2960's "without" a standby firewall. Our single firewall needs to be connected to both switches for redundancy even though we only have one firewall. I appreciate this is not ideal and our common practice but I have to work with what I have and come up with a viable solution. At present I only have 2x Gig links from the firewall to the switch stack but need to pass 3x VLANs across them to control access across the subnets. Normally this would be achieved by the following configuration (if I had access to 2 firewalls):

interface Redundant1
 member-interface GigabitEthernet0/1
 member-interface GigabitEthernet0/2
 nameif VLAN_Redundant_Interface
 security-level 50
 no ip address
!
interface Redundant1.77
 description VLAN 77 Example
 vlan 77
 nameif VLAN_77
 security-level 50
 ip address 192.168.77.1 255.255.255.0
!
interface Redundant1.21
 description VLAN 21 - Example
 vlan 21
 nameif VLAN_21
 security-level 50
 ip address 192.168.21.1 255.255.255.0
!
interface Redundant1.31
 description VLAN 31 - Example
 vlan 31
 nameif VLAN_31
 security-level 50
 ip address 192.168.31.1 255.255.255.0

I currently don't have two firewalls so can't create "interface Redundant" as far as I know and am looking for a way to pass the 3 VLANs I have with only the 2x GIG links from my single firewall. Hope this makes some sense and I know it's not best practice, but at present nobody is willing to put their hand in their pocket and pay for the additional firewall. If it helps I can post an image but don't have one to hand just now.