Configuring HTTP on Cisco

Connect to the Cisco switch and enter privileged EXEC mode:

enable

Now go into the configuration mode:

configure terminal

Enable HTTP:

ip http server
ip http authentication local

If necessary, you can disable HTTP and HTTPS as follows:

no ip http server
no ip http secure-server

Add a user if it does not exist:

username NAME privilege 15 secret PASSWORD

If you want to allow HTTP access only from certain IP addresses, first check which access lists already exist on the switch:

exit
show access-list
show ip access-lists
configure terminal

If there is no suitable access list, create one:

access-list 10 permit 192.168.1.22
access-list 10 permit 192.168.3.10

See my article – Restricting access to the Cisco Catalyst 6500 management

Apply the rule to HTTP:

ip http access-class 10

To remove it:

no ip http access-class 10

If you need to specify the maximum number of login attempts:

ip admission max-login-attempts 5
show ip admission configuration

Leave configuration mode and save the configuration:

exit
write

See also:
Configuring Cisco devices

Using third-party SFP modules in Cisco switches

Suppose a third-party module is connected to the first SFP port; view its information with:

show idprom int GigabitEthernet 1/1

In my case, on the Cisco Catalyst 6509-E, many ports with third-party SFP modules turned off after some time, and the logs reported that the module was not supported.

Now go into the configuration mode:

enable
config t

Make sure the interfaces are not disabled when third-party SFP modules are inserted by entering the following commands:

service unsupported-transceiver
no errdisable detect cause sfp-config-mismatch
no errdisable detect cause gbic-invalid

After that, everything worked well.

See also:
Configure Cisco Catalyst 6509-E

Configuring NetFlow on Cisco

Let’s say a collector is already running, as described in my article – Installing and using flow-tools

Connect to the Cisco switch (for the test I use a Cisco Catalyst 6509-E) and go into configuration mode:

enable
configure terminal

Enable NetFlow:

mls netflow

Specify NetFlow parameters, collector address, port and version:

mls flow ip interface-full
mls nde sender version 5
ip flow-export version 5
ip flow-export destination 192.168.1.25 555
ip flow-cache timeout active 1

Suppose you need to collect statistics from the interface vlan 995:

interface vlan 995
ip route-cache flow
exit

Done, statistics should now be sent to the collector. Note that the export leaves the switch from the VLAN interface closest to the collector (if there are several), not from the interface whose statistics are collected, so on the collector you must specify that source IP.
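As an added example (not part of the original article), here is a Python parser for the NetFlow v5 datagrams the switch exports after the commands above, the kind a collector listening on the configured port receives. The sample datagram is constructed in the code, not captured from a switch.

```python
import socket
import struct

# NetFlow v5 wire format (big-endian), as sent by "ip flow-export version 5"
# to the collector address and port configured on the switch.
HEADER_FMT = "!HHIIIIBBH"                 # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"   # one 48-byte flow record
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48

def parse_netflow_v5(datagram: bytes) -> list:
    """Parse one v5 export datagram into flow dicts, rejecting bad versions and truncation."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    version, count = struct.unpack_from("!HH", datagram)
    if version != 5:
        raise ValueError("unsupported NetFlow version %d" % version)
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("header announces %d records but the datagram is truncated" % count)
    flows = []
    for i in range(count):
        f = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "packets": f[5], "bytes": f[6], "sport": f[9], "dport": f[10],
                      "tcp_flags": f[12], "proto": f[13]})
    return flows

def bytes_per_source(flows: list) -> dict:
    """Sum exported octets per source address: a quick top-talker view of the records."""
    totals = {}
    for f in flows:
        totals[f["src"]] = totals.get(f["src"], 0) + f["bytes"]
    return totals

def build_sample_datagram() -> bytes:
    """Constructed sample (not a real capture): a v5 header followed by two flow records."""
    header = struct.pack(HEADER_FMT, 5, 2, 123456, 1600000000, 0, 42, 0, 0, 0)
    # src, dst, nexthop, in_if, out_if, pkts, octets, first, last, sport, dport,
    # pad, tcp_flags, proto, tos, src_as, dst_as, src_mask, dst_mask, pad
    tcp = struct.pack(RECORD_FMT, socket.inet_aton("10.95.0.10"), socket.inet_aton("93.186.224.5"),
                      b"\0\0\0\0", 1, 2, 12, 3400, 1000, 2000, 51000, 443, 0, 0x18, 6, 0, 0, 0, 24, 21, 0)
    udp = struct.pack(RECORD_FMT, socket.inet_aton("10.95.0.10"), socket.inet_aton("10.95.0.1"),
                      b"\0\0\0\0", 1, 0, 3, 300, 1500, 1600, 40000, 53, 0, 0, 17, 0, 0, 0, 24, 24, 0)
    return header + tcp + udp
```

To use it against live export, read datagrams from a UDP socket bound to the port given in ip flow-export destination and pass each one to parse_netflow_v5.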

To disable it, execute:

interface vlan 995
no ip route-cache flow
exit

Examples of viewing the aging of records:

show mls netflow aging
show mls netflow table-contention detailed

You can also set the MLS aging time (default is 300 seconds), in the range 32 – 4092 seconds:

show mls netflow aging
mls aging normal 300
mls aging {fast [threshold {1-128} | time {1-128}] | long 64-1920 | normal 32-4092}

View the configured flow mask:

show mls netflow flowmask

View collected statistics:

show mls netflow ip nowrap

Configuring Protected Ports on Cisco

On the test, I will configure the Cisco Catalyst WS-C3750-48TS-S.

All ports are configured as access ports, except for the first Gigabit uplink port, which is configured as a trunk and receives the tagged client VLAN carrying the Internet.
We need the ports on this switch not to see each other, only the first Gigabit uplink port.

To do this, connect to the switch and go into the configuration mode:

enable
configure terminal

Then, we issue the switchport protected command for all access ports:

interface range fastEthernet 1/0/1-48
switchport protected
interface range gigabitEthernet 1/0/2-4
switchport protected
exit
exit

Save the configuration:

write

Note that we did not touch interface gigabitEthernet 1/0/1.
Ports on which switchport protected is configured cannot see other ports with the same setting; they see only the ports where it is not configured, in our case the first Gigabit uplink port, which in turn sees all ports, protected or not.

Port information can be viewed with:

show interfaces NAME switchport

View full configuration:

show running-config

See also:
Port isolation on Huawei switches
Port isolation on the ZyXEL MES-3528 switch

Blocking social networks on Cisco

On the test I use the Cisco Catalyst 6509-E switch.
Suppose we need to block user access to a certain site or network node, for example the social network VKontakte.

First, find the IP ranges the site is hosted on; for example, search for VKontakte on bgp.he.net. Here is the prefix list for one of the ASes belonging to VKontakte: “http://bgp.he.net/AS47541#_prefixes”.

Then create an extended ACL, for example named BLOCKSOCIAL:

ip access-list extended BLOCKSOCIAL
deny ip any 87.240.128.0 0.0.63.255
deny ip any 93.186.224.0 0.0.7.255
deny ip any 93.186.232.0 0.0.7.255
deny ip any 95.142.192.0 0.0.15.255
deny ip any 95.213.0.0 0.0.63.255
deny ip any 185.29.130.0 0.0.0.255
deny ip any 185.32.248.0 0.0.3.255
permit ip any any
exit

The ACL above blocks traffic to the listed networks from all (any) sources.
The source can also be a specific network, or a single host can be denied access to another host:

deny ip host 192.168.5.1 host 192.168.11.54

The line “permit ip any any” must be present at the end; otherwise the ACL’s implicit deny blocks all other traffic.

Instead of a subnet mask, a wildcard mask is specified: for /24 it is 0.0.0.255, for /22 it is 0.0.3.255, and so on; any IP calculator can compute it.
/17 – 0.0.127.255
/18 – 0.0.63.255
/19 – 0.0.31.255
/20 – 0.0.15.255
/21 – 0.0.7.255
/22 – 0.0.3.255
/23 – 0.0.1.255
/24 – 0.0.0.255

To block more sites, add their addresses to the same ACL, since only one ACL can be applied to an interface.

Apply the created ACL to the port looking towards the clients:

interface GigabitEthernet1/1
ip access-group BLOCKSOCIAL in

Or, to avoid repeating it on every client port, apply it only to the port facing the Internet server, if there is one:

interface TenGigabitEthernet3/2
ip access-group BLOCKSOCIAL in

Remove the ACL from the interface as follows:

no ip access-group BLOCKSOCIAL in

Delete the ACL like this:

no ip access-list extended BLOCKSOCIAL

If you block sites on the port carrying traffic from the server to the clients, swap the source and destination addresses in the ACL entries:

ip access-list extended BLOCKSOCIAL
deny ip 87.240.128.0 0.0.63.255 any
deny ip 93.186.224.0 0.0.7.255 any
deny ip 93.186.232.0 0.0.7.255 any
deny ip 95.142.192.0 0.0.15.255 any
deny ip 95.213.0.0 0.0.63.255 any
deny ip 185.29.130.0 0.0.0.255 any
deny ip 185.32.248.0 0.0.3.255 any
deny ip host 192.168.5.1 any
permit ip any any
exit
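As an added example, not from the original article: a small Python evaluator for the wildcard masks and extended ACL entries used above (both the client-side list and the swapped server-to-client list), useful for checking a planned ACL against sample packets before applying it. BLOCKSOCIAL_IN is a constructed, shortened copy of the list; the wildcard() values match the table above.

```python
import ipaddress

def wildcard(prefix_len: int) -> str:
    """Cisco wildcard mask for a /prefix_len network: the bitwise inverse of the subnet mask."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return str(ipaddress.IPv4Address(0xFFFFFFFF >> prefix_len))

def matches(addr: str, base: str, wild: str) -> bool:
    """Wildcard semantics: bits set in the wildcard are ignored, all other bits must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    return ((a & ~w) & 0xFFFFFFFF) == ((b & ~w) & 0xFFFFFFFF)

def parse_ace(line: str):
    """Parse 'permit|deny ip SRC DST'; each side is 'any', 'host A' or 'A WILDCARD'."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
        raise ValueError("unsupported entry: " + line)
    sides, pos = [], 2
    for _ in range(2):
        if tok[pos] == "any":
            sides.append(("0.0.0.0", "255.255.255.255"))
            pos += 1
        elif tok[pos] == "host":
            sides.append((tok[pos + 1], "0.0.0.0"))
            pos += 2
        else:
            sides.append((tok[pos], tok[pos + 1]))
            pos += 2
    return tok[0], sides[0], sides[1]

def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; if nothing matches, the ACL's implicit deny applies."""
    for line in acl:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if matches(src, sb, sw) and matches(dst, db, dw):
            return action
    return "deny"

# Constructed sample: a shortened BLOCKSOCIAL as applied inbound on the client-facing port.
BLOCKSOCIAL_IN = [
    "deny ip any 87.240.128.0 " + wildcard(18),
    "deny ip any 93.186.224.0 " + wildcard(21),
    "deny ip host 192.168.5.1 host 192.168.11.54",
    "permit ip any any",
]
```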

See also my articles:
Blocking social networks on Mikrotik routers
Blocking social networks using iptables

Configuring link aggregation on the Cisco Catalyst 6500

For the test, I will configure the aggregation on the Cisco Catalyst 6509-E.

Suppose the first port is configured as needed, with the required VLANs allowed; the last commands add the port to the aggregation channel:

interface GigabitEthernet1/7
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 111,144-190
switchport mode trunk
no cdp enable
lacp rate fast
channel-protocol lacp
channel-group 1 mode active

The second port is configured the same way, and the same last commands add it to the aggregation channel:

interface GigabitEthernet1/8
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 111,144-190
switchport mode trunk
no cdp enable
lacp rate fast
channel-protocol lacp
channel-group 1 mode active

After the above commands the Port-channel1 interface is created automatically; add a description and enable it:

interface Port-channel1
description GPON OLT link aggregation
no shutdown

The port aggregation configuration is complete; you can now connect the links.
I note that it is better to configure aggregation with an even number of links, since an unpaired link usually carries less load.
Personally, I prefer not to use channel aggregation, but to use 10Gb/s and 40Gb/s links.

To remove several VLANs, it is enough to remove them on Port-channel1 (they are removed automatically on the member ports):

interface Port-channel1
switchport trunk allowed vlan remove 180-190

Commands for viewing information about the aggregation:

show lacp 1 internal
show etherchannel 1 detail
show etherchannel summary
show etherchannel load-balance
show interfaces gi1/7
show interfaces gi1/8
show ip int brief
show cdp neighbor
show lldp neighbor
show interfaces status err-disabled

See also my articles:
Solution “Port is not compatible with aggregators in channel 1 and cannot attach to them”
Configuring link aggregation on Huawei SmartAX MA5600

The solution to the error “IP overlaps with VlanXXX. VlanXXX: incorrect IP address assignment”

Once an HP L3 switch had to be replaced with a Cisco one, and after the Cisco was configured the same way, it reported an error:

172.16.63.0 overlaps with Vlan111
Vlan121: incorrect IP address assignment

As it turned out, the Vlan111 network 172.16.0.0/18 extends to 172.16.63.254, so it overlapped with Vlan121 172.16.63.0/24.

The HP 5800 switch configured earlier had not complained about this, whereas the Cisco refused to accept the command.

Since few addresses were actually in use in the Vlan111 network 172.16.0.0/18, the problem was solved by shrinking it to 172.16.0.0/19.

After that, the IP address was assigned to the Vlan121 interface successfully.
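An added example, not from the original article: a Python check that finds exactly this kind of overlap among planned SVI addresses before they are typed into the switch, and prints each clash in the form the switch reports it. BEFORE and AFTER are constructed from the addresses in this section; the host part of each address is assumed.

```python
import ipaddress

def find_overlaps(svis: dict) -> list:
    """Return (vlan_a, vlan_b) pairs whose interface networks overlap.

    svis maps an interface name to the 'address/prefix' that would be typed in
    'ip address'; the switch refuses the assignment for the second interface of
    any overlapping pair, which is the error this section describes.
    """
    nets = {name: ipaddress.ip_interface(cidr).network for name, cidr in svis.items()}
    names = sorted(nets)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                clashes.append((a, b))
    return clashes

def explain(svis: dict) -> list:
    """Render each clash the way the switch reports it: '<network> overlaps with <vlan>'."""
    msgs = []
    for a, b in find_overlaps(svis):
        net_b = ipaddress.ip_interface(svis[b]).network
        msgs.append("%s overlaps with %s" % (net_b.network_address, a))
    return msgs

# Constructed sample reproducing the situation above: the /18 reaches 172.16.63.254,
# so the /24 of Vlan121 lies inside it. Shrinking Vlan111 to /19 removes the clash.
BEFORE = {"Vlan111": "172.16.0.1/18", "Vlan121": "172.16.63.1/24"}
AFTER = {"Vlan111": "172.16.0.1/19", "Vlan121": "172.16.63.1/24"}
```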

Done.

Connecting SFP-RJ45 Modules to the Cisco 6500

A couple of days ago I needed to connect a few RJ45 links to a Cisco Catalyst 6509-E whose line cards had only SFP ports.

Since there were few RJ45 links, SFP-RJ45 modules were the more economical option, so they were ordered.
I connected them to the WS-X6724-SFP ports, but nothing appeared in the logs.

Enter the commands so that the Cisco does not disable ports when unsupported modules are inserted:

service unsupported-transceiver
no errdisable detect cause sfp-config-mismatch
no errdisable detect cause gbic-invalid

I note that in my case the WS-X6724-SFP ports work only at 1Gb, so the link naturally will not come up at 100Mb or 10Mb, even though the Foxgate SFP-RJ45 modules we had support 10/100/1000.

To confirm this, I ran the commands:

configure t
interface gigabitEthernet 1/1
speed ?

which showed that the only port speed available was 1000.

See also:
Configure Cisco Catalyst 6509-E

Configuring DHCP relay on Cisco

On the test, I’ll take the Cisco Catalyst 6509-E switch and configure it to forward DHCP packets to the DHCP server.
The switch is configured as L3 with assigned IP addresses in each VLAN.

Connect to the switch through the console or telnet and go to the configuration mode:

enable
configure t

Let’s assume the DHCP server address is 192.168.11.1 and we want DHCP broadcasts from VLAN 100 forwarded to it; for this, execute:

interface Vlan100
ip helper-address 192.168.11.1
exit

Exit the configuration mode and save the configuration:

exit
write

Done.