Solution “Port is not compatible with aggregators in channel 1 and cannot attach to them”

Once on Cisco Catalyst 6509-E, when I collected an aggregation of three ports, traffic began to go through only two ports and a message appeared in the logs:

Continue reading “Solution “Port is not compatible with aggregators in channel 1 and cannot attach to them””

Configure IP Unnumbered on Cisco

On the test I will configure IP Unnumbered on Cisco Catalyst 6509E with firmware 12.2(33)SXJ7, on other switches the setup is similar.
IP Unnumbered is useful, for example, when it is necessary to divide a large network into several VLANs and use the same IP addresses and also to issue white IPs in any VLAN using one gateway.

Connect to the terminal device through the console, telnet or SSH.

Continue reading “Configure IP Unnumbered on Cisco”

Back Up Cisco Catalyst 6500 Configuration

For the test, I sketched a Cisco Catalyst 6509-E automatic backup configuration script.

Actually the script itself:

# Backup CISCO config
sleep 5
echo "user"
sleep 4
echo "password"
sleep 4
echo "copy running-config tftp:"
sleep 2
echo ""
sleep 2
echo "cisco.cfg"
sleep 6

echo "exit"
) | telnet
mv /srv/tftp/cisco.cfg /backups/devices/cisco/`date +%Y-%m-%d`_cisco.cfg

find /backups/devices/cisco/ -type f -mtime +30 -exec rm {} \;

Add the contents of the script, for example, to the file and add it to cron, adding the following line to the /etc/crontab file:

0 2 * * * root /backups/scripts/ > /dev/null 2>&1

The file can be opened for example in the text editor nano (Ctrl+X to exit, y/n to save or cancel changes):

sudo nano /etc/crontab

The script connects via telnet to and copies the configuration to the tftp server, then the file is moved to a convenient directory for storage.
The last line in the script deletes files older than 30 days.
How to start the tftp server, see my articles: Installing and Configuring a TFTP Server in Ubuntu or Starting a TFTP server in Windows.
See also: Using and configuring CRON.

Configuring ports in Cisco switches

For the test I will configure ports on Cisco Catalyst 6509-E.

I’ll give an example of setting Access of the port (the traffic goes only over one specified vlan without a tag):

interface GigabitEthernet1/1
description TEXT
switchport access vlan 226
switchport mode access
no shutdown

Now I’ll give an example of setting Trunk of the port (traffic goes through one or several vlan with a tag only):

interface GigabitEthernet1/2
description TEXT
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 207,228
switchport mode trunk
no shutdown

And the third option, Hybrid port (traffic goes only on one vlan without a tag and on one or several vlan with a tag):

interface GigabitEthernet1/3
description TEXT
switchport trunk encapsulation dot1q
switchport trunk native vlan 226
switchport trunk allowed vlan 207,226
switchport mode trunk
no shutdown

To specify parameters for several ports at once:

interface range GigabitEthernet1/1-24

We prohibit automatic switching of the port to access or trunk mode:

interface range GigabitEthernet1/1-24
switchport nonegotiate

See also my article – Configuring link aggregation on the Cisco Catalyst 6500

Blocking third-party DHCP on Cisco via DHCP Snooping

On the test, I configure DHCP Snooping on the Cisco Catalyst 6509-E to block third-party DHCP servers, on the other Cisco switches, the configuration is basically the same.

After connecting to the device immediately go to the configuration mode:


Continue reading “Blocking third-party DHCP on Cisco via DHCP Snooping”

Configuring HTTP on Cisco

Connect to the Cisco switch and go into elevated privilege mode:


Now go into the configuration mode:

configure terminal

Enable HTTP:

ip http server
ip http authentication local

If necessary, you can disable HTTP and HTTPS as follows:

no ip http server
no ip http secure-server

Add a user if it does not exist:

username NAME privilege 15 secret PASSWORD

If you want to allow HTTP access to only certain IPs, then let’s see what rules there are on the switch:

show access-list
show ip access-lists
configure terminal

If there is no necessary rule, then we will create:

access-list 10 permit
access-list 10 permit

See my article – Restricting access to the Cisco Catalyst 6500 management

Apply the rule to HTTP:

ip http access-class 10

To cancel it is possible so:

no ip http access-class 10

If you need to specify the maximum number of connection attempts:

ip admission max-login-attempts 5
show ip admission configuration

Leave their configuration mode and save the configuration:


See also:
Configuring Cisco devices