Cisco SFR Cant Ping its Default Gateway?

KB ID 0001575

Problem

This is a strange one? I was deploying FirePOWER to a pair of ASA 5550-8-X firewalls in Active / Standby failover last week. After each SFR was updated (via ASDM.) I could no longer ‘ping it’, the SFR itself could ping everything on the same VLAN, APART from its own default gateway, (which was an SVI on the Cisco 3750 switch it was connected to).

This happened every time I updated the SFR, (or re-imaged it.) Then after an hour or so it was fine?

Solution

If I connected to the switch that the SFR, (and firewall) was connected to, I could NOT ping the SFR. The interface was up/up on the switch, and the firewalls Management interface was also up/up.

[box]

Petes-3750#ping 10.2.1.252

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.1.252, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

[/box]

I did notice it was in the ARP table though, (with the correct MAC address), So I manually removed it;

[box]

Petes-3750#clear ip arp 10.2.1.252

[/box]

Then it was fine?

[box]

Petes-3750#ping 10.2.1.252

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.1.252, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

[/box]

Now the ASDM would connect fine without complaining about the FirePOWER module.

Related Articles, References, Credits, or External Links

NA

Cisco IOS – Enabling LLDP

KB ID 0001289 

Problem

If you’re running Cisco IOS on all you devices then you can use CDP  to see what’s directly connected, (unless you are on a Cisco firewall, but I did say IOS devices). 

[box]

Petes-Switch#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Petes-CPE.petenetlive.com
                 Gig 1/0/19        148             R S I  CISCO2901 Gig 0/0
Petes-Switch#

[/box]

But just about every other vendor uses LLDP (Link Layer Discovery Protocol,) to do the same job. So how do you discover what ports you are plugged into on them, or what they are?

 

Solution

Well in most cases, (depending on your code) your devices also support LLDP, it’s just disabled by default. You simply turn it on with an ‘lldp run’ command.

[box]

Petes-Switch(config)#lldp run
Petes-Switch(config)#exit
Petes-Switch#show lldp ?
  entry      Information for specific neighbor entry
  errors     LLDP computational errors and overflows
  interface  LLDP interface status and configuration
  neighbors  LLDP neighbor entries
  traffic    LLDP statistics
  |          Output modifiers
  

[/box]

Now I see my neighbours, (yes that is how it’s spelt I’m English!) In my example below the neighbour is a Dell Switch.

[box]

Petes-Switch#show lldp neighbors
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID           Local Intf     Hold-time  Capability      Port ID
90b1.1cf4.39e1      Gi1/0/11       120                        ManagementEthernet 0/0
90b1.1cf4.39e1      Gi1/0/14       120                        TenGigabitEthernet 1/45
90b1.1cf4.39e1      Gi2/0/13       120                        TenGigabitEthernet 0/44
90b1.1cf4.39e1      Gi1/0/13       120                        TenGigabitEthernet 1/44
90b1.1cf4.39e1      Gi2/0/14       120                        TenGigabitEthernet 0/45
90b1.1cf4.39e1      Gi1/0/16       120                        TenGigabitEthernet 1/47
90b1.1cf4.39e1      Gi2/0/16       120                        TenGigabitEthernet 0/46
90b1.1cf4.39e1      Gi1/0/15       120                        TenGigabitEthernet 1/46
90b1.1cf4.39e1      Gi2/0/15       120                        TenGigabitEthernet 0/47

Total entries displayed: 9

[/box]

 

Related Articles, References, Credits, or External Links

HP Networking – Tracing Networks and Locating IP addresses

HP and Cisco – VLANs and Trunks Confusion!

KB ID 0000741

Problem

When I first started in IT, I went and did my Cisco CCNA. So I learned that to connect Cisco switches and pass VLAN traffic between them, I needed to create a ‘Trunk’ to pass the VLAN traffic. Fast forward a few years, and I now work for an HP reseller. Very early on I came to realise that what HP called a ‘trunk’ was very different from what I had been taught. Below is an article I did a while ago about setting up HP Trunks.

HP Networking ‘ProCurve’ – Trunking / Aggregating Ports

I was in some HP/Wireless training last week and once again I was struggling with their terminology, so today I lined up a bunch of switches on the test bench and worked out the differences.

Below you will find the following scenarios;

Scenario 1 Configuring Cisco Catalyst Switches with VLANs.

Scenario 2 Configuring HP Switches with VLANs.

Scenario 3 Setting up HP Switches with Trunked VLANs

Scenario 4 Setup VLANs via HP Trunks and Cisco Port Channels

Setting up VLANs on older Cisco Switches

Solution

Scenario 1 Configuring Cisco Catalyst Switches with VLANs.

In ‘Ciscoland’ All ports are either in access mode or trunk mode, the access mode allows the port to communicate with the VLAN. The trunk mode carries the VLAN traffic to another switch (or device). So to replicate the diagram above, this is what you would need to do. (Note: For older switches like the 3550XL the VLAN commands are a little different see here)

[box]

Switch01>
 Switch01>enable
 Password: xxxxxxxx
 Switch01#configure terminal
 Enter configuration commands, one per line. End with CNTL/Z.
 Switch01(config)#vlan 10
 Switch01(config-vlan)#name Admin
 Switch01(config-vlan)#exit
 Switch01(config)#vlan 20
 Switch01(config-vlan)#name Data
 Switch01(config-vlan)#exit
 Switch01(config)#int f0/2
 Switch01(config-if)#switchport mode access
 Switch01(config-if)#switchport access vlan 10
 Switch01(config-if)#exit
 Switch01(config)#inf f0/16
 Switch01(config-if)#switchport mode access
 Switch01(config-if)#switchport access vlan 20
 Switch01(config-if)#exit
 Switch01(config)#int f0/23
 Switch01(config-if)#switchport mode trunk
 Switch02(config-if)#switchport trunk allowed vlan 1,10,20
 Switch01(config-if)#exit
 Switch01(config)#exit
 Switch01#write mem
 Building configuration...
 [OK]
 Switch01#
 
 
 
 Switch02>
 Switch02>enable
 Password: xxxxxxx
 Switch02#configure terminal
 Enter configuration commands, one per line. End with CNTL/Z.
 Switch02(config)#vlan 10
 Switch02(config-vlan)#name Admin
 Switch02(config-vlan)#exit
 Switch02(config)#vlan 20
 Switch02(config-vlan)#name Data
 Switch02(config-vlan)#exit
 Switch02(config)#int f0/2
 Switch02(config-if)#switchport mode access
 Switch02(config-if)#switchport access vlan 10
 Switch02(config-if)#exit
 Switch02(config)#inf f0/15
 Switch02(config-if)#switchport mode access
 Switch02(config-if)#switchport access vlan 20
 Switch02(config-if)#exit
 Switch02(config)#int f0/1
 Switch02(config-if)#switchport mode trunk
 Switch02(config-if)#switchport trunk allowed vlan 1,10,20
 Switch02(config-if)#exit
 Switch02(config)#exit
 Switch02#write mem
 Building configuration...
 [OK]
 Switch02#[/box]

Scenario 2 Configuring HP Switches with VLANs.

With HP switches the terminology is different, here switch ports are either tagged members or untagged members of a VLAN.

What’s the difference between tagged and untagged? If a port is a tagged member it passes the VLAN information with the traffic it sends. If it is untagged it sends the VLAN traffic without adding in the VLAN tag. So you would only make a port a tagged member if the device that is plugged into it is VLAN aware, i.e. another switch, router, or machine with a VLAN aware NIC. (Note: The VLAN tag is the ID that gets inserted into the head of a network packet). So to do exactly the same as we did in scenario 1, but with HP switches, you would do the following:

BE AWARE: Any single port can only be untagged on one VLAN. Out of the box all ports are untagged on VLAN 1 (or the default VLAN), so if you untag a port into VLAN 20 (for example) it will automatically remove the ‘vlan 1 untagged’ property for that port.

[box]

Switch01> enable
 Password:xxxxx
 Switch01# configure terminal
 Switch01(config)# vlan 10 name Admin
 Switch01(config)# vlan 20 name Data
 Switch01(config)# vlan 10
 Switch01(vlan-10)# untagged 6
 Switch01(vlan-10)# exit
 Switch01(config)# vlan 20
 Switch01(vlan-20)# untagged 16
 Switch01(vlan-20)# exit
 Switch01(config)# vlan 10
 Switch01(vlan-10)# tagged 13
 Switch01(vlan-10)# exit
 Switch01(config)# vlan 20
 Switch01(vlan-20)# tagged 13
 Switch01(vlan-20)# exit
 Switch01(config)# write mem
 Switch01(config)#
 
 Switch02> enable
 Password:xxxxx
 Switch02# configure terminal
 Switch02(config)# vlan 10 name Admin
 Switch02(config)# vlan 20 name Data
 Switch02(config)# vlan 10
 Switch02(vlan-10)# untagged 4
 Switch02(vlan-10)# exit
 Switch02(config)# vlan 20
 Switch02(vlan-20)# untagged 20
 Switch02(vlan-20)# exit
 Switch02(config)# vlan 10
 Switch02(vlan-10)# tagged 23
 Switch02(vlan-10)# exit
 Switch02(config)# vlan 20
 Switch02(vlan-20)# tagged 23
 Switch02(vlan-20)# exit
 Switch02(config)# write mem
 Switch02(config)#[/box]

Scenario 3 Setting up HP Switches with Trunked VLANs

Remember with HP a Trunk is adding together lots of links, (if you’re a Cisco head think of port-channeling). So here we create a trunk, then use that trunk to pass tagged VLAN traffic across the switches.

[box]

Switch01> enable
 Password:xxxxx
 Switch01# configure terminal
 Switch01(config)# vlan 10 name Admin
 Switch01(config)# vlan 20 name Data
 Switch01(config)# vlan 10
 Switch01(vlan-10)# untagged 6
 Switch01(vlan-10)# exit
 Switch01(config)# vlan 20
 Switch01(vlan-20)# untagged 16
 Switch01(vlan-20)# exit
 Switch01(config)# trunk 21,23 Trk1 LACP
 Switch01(config)# vlan 10
 Switch01(vlan-10)# tagged Trk1
 Switch01(vlan-10)# exit
 Switch01(config)# vlan 20
 Switch01(vlan-20)# tagged Trk1
 Switch01(vlan-20)# exit
 Switch01(config)# write mem 
 Switch01(config)# 

 
 Switch02> enable
 Password:xxxxx
 Switch02# configure terminal
 Switch02(config)# vlan 10 name Admin
 Switch02(config)# vlan 20 name Data
 Switch02(config)# vlan 10
 Switch02(vlan-10)# untagged 4
 Switch02(vlan-10)# exit
 Switch02(config)# vlan 20
 Switch02(vlan-20)# untagged 20
 Switch02(vlan-20)# exit
 Switch01(config)# trunk 21,23 Trk1 LACP
 Switch01(config)# vlan 10
 Switch01(vlan-10)# tagged Trk1
 Switch01(vlan-10)# exit
 Switch01(config)# vlan 20
 Switch01(vlan-20)# tagged Trk1
 Switch01(vlan-20)# exit
 Switch02(config)# write mem
 Switch02(config)#

[/box]

Scenario 4 Setup VLANs via HP Trunks and Cisco Port Channels

Now we have gone full circle, we know what all the differences are, the final part is to get them to talk to each other. So I’ll set up a two cable HP Trunk, and connect it to Cisco LACP port channel, and then finally add in the VLAN traffic.

[box]

Switch01> enable
 Password:xxxxx
 Switch01# configure terminal
 Switch01(config)# vlan 10 name Admin
 Switch01(config)# vlan 20 name Data
 Switch01(config)# vlan 10
 Switch01(vlan-10)# untagged 6
 Switch01(vlan-10)# exit
 Switch01(config)# vlan 20
 Switch01(vlan-20)# untagged 16
 Switch01(vlan-20)# exit
 Switch01(config)# trunk 21,23 Trk1 LACP
 Switch01(config)# vlan 10
 Switch01(vlan-10)# tagged Trk1
 Switch01(vlan-10)# exit
 Switch01(config)# vlan 20
 Switch01(vlan-20)# tagged Trk1
 Switch01(vlan-20)# exit
 Switch01(config)# write mem 
 Switch01(config)# 

 
 Switch02>
 Switch02>enable
 Password: xxxxxxx
 Switch02#configure terminal
 Enter configuration commands, one per line. End with CNTL/Z.
 Switch02(config)#vlan 10
 Switch02(config-vlan)#name Admin
 Switch02(config-vlan)#exit
 Switch02(config)#vlan 20
 Switch02(config-vlan)#name Data
 Switch02(config-vlan)#exit
 Switch02(config)#int f0/2
 Switch02(config-if)#switchport mode access
 Switch02(config-if)#switchport access vlan 10
 Switch02(config-if)#exit
 Switch02(config)# interface range fa0/23 - 24
 Switch02(config-if-range)# spanning-tree portfast trunk
 %Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

Switch02(config-if-range)# channel-protocol lacp
 Switch02(config-if-range)# channel-group 1 mode active
 Creating a port-channel interface Port-channel 1
 Switch02(config-if-range)# interface port-channel 1
 Switch02(config-if)# switchport mode trunk
 Switch02(config-if-range)#switchport trunk allowed vlan 1,10,20
 Switch02(config-if)#exit
 Switch02(config)#exit
 Switch02#write mem
 Building configuration...
 [OK]
 Switch02#

[/box]

Setting up VLANs on older Cisco Switches

Here’s an example using the older vlan database commands.

[box]

Switch01>
 Switch01>enable
 Password: 
 Switch01#
 Switch01#vlan database
 Switch01(vlan)#vlan 10 name Admin
 VLAN 10 modified:
 Name: Admin
 Switch01(vlan)#vlan 20 name Data
 VLAN 20 modified:
 Name: Data
 Switch01(vlan)#exit
 APPLY completed.
 Exiting....
 Switch01#configure terminal
 Enter configuration commands, one per line. End with CNTL/Z.
 Switch01(config)#int f0/2
 Switch01(config-if)#switchport mode access 
 Switch01(config-if)#switchport access vlan 10
 Switch01(config-if)#exit
 Switch01(config)#int f0/16
 Switch01(config-if)#switchport mode access
 Switch01(config-if)#switchport access vlan 20
 Switch01(config-if)#exit
 Switch01(config)#int f0/23
 Switch01(config-if)#switchport mode trunk
 Switch01(config-if)#switchport trunk encapsulation dot1q 
 Switch02(config-if-range)#switchport trunk allowed vlan 1,10,20
 Switch01(config-if)#exit
 Switch01(config)#exit
 Switch01#write mem
 Building configuration...
 
 Switch01#[/box]

 

Related Articles, References, Credits, or External Links

Thanks to Valentin Bajramifor the feedback

 

Cisco Catalyst Switches – Set a Management IP and Allow Telnet and Web Management

KB ID 0000614 

Problem

If you want to manage your Cisco Catalyst switch it’s not always practical to plug a console cable in to change its settings or monitor what it is doing. Putting an IP address on it and enabling remote management via Telnet or from your web browser is a better alternative, particularly if you have a lot of switches.

Solution

Enable Telnet Management on Cisco Catalyst Switch

1. Connect to the Switch using a terminal emulation program like HyperTerminal or Putty,

2. Issue the following commands;

[box]

enable
{enter enable password if prompted}
conf t
line vty 0 15
password {password required}
login
exit 

[/box]

Add a Management IP to a Cisco Catalyst Switch

3. Whilst still in configure terminal mode issue the following commands;

[box]

int vlan1
ip address {IP address required} {Subnet required}
no shutdown
exit

[/box]

Cisco Catalyst Set an Enable Password

4. If you telnet in you cant change any system settings without an enable password being set.

[box]enable password {Password required}[/box]

Optional : Set the Cisco Catalyst Switches Default Gateway

5. Just in case you need to manage the switch from another subnet, you will need to set a default gateway.

[box]ip default-gateway {IP address required}[/box]

Enable Web Management on Cisco Catalyst Switch

6. To connect to and manage the switch from a web browser execute the following command, and then exit configure terminal mode.

[box]

ip http server
exit 

[/box]

7. Finally save the changes with a “write mem” command.

[box]write mem[/box]

Testing the Configuration

8. From a machine on the same network segment make sure you can ping the switch on its new IP address.

9. Then make sure you can “telnet” into it.

10. Open a web browser and navigate the the switches IP > Select ‘Web Console’.

Note: You will require Java for this to work.

11. After entering the enable password you should see the following.

Related Articles, References, Credits, or External Links

Cisco Catalyst Password Recovery / Reset