Cisco – Page 4

Using third-party SFP modules in Cisco switches

Suppose we connected a third-party module to the first SFP port, we’ll look at the information about it:

show idprom int GigabitEthernet 1/1

In my case, on the Cisco Catalyst 6509-E, very many ports with third-party SFP modules after some time they turned off and in the logs information was written that the module was not supported.

Now go into the configuration mode:

enable
config t

And we will make sure that the interfaces are not disabled when third-party SFP modules are enabled by entering the following commands:

service unsupported-transceiver
no errdisable detect cause sfp-config-mismatch
no errdisable detect cause gbic-invalid

After that, everything worked well.

Configuring NetFlow on Cisco

Let’s say we have a collector running like I wrote in this article – Installing and using flow-tools

Now connect to the Cisco switch, for the test, I connect to the Cisco Catalyst 6509-E.
Now go into the configuration mode:

Configuring Protected Ports on Cisco

On the test, I will configure the Cisco Catalyst WS-C3750-48TS-S.

And so, all ports are configured as access, except for the first Gigabit uplink port, it is configured as a trunk and the Internet on the client vlan with the tag comes to it.
We need all the ports on this switch to not see each other and see only the first gigabit ulink port.

To do this, connect to the switch and go into the configuration mode:

enable
configure terminal

Then, we issue the switchport protected command for all access ports:

interface range fastEthernet 1/0/1-48
switchport protected
interface range gigabitEthernet 1/0/2-4
switchport protected
exit
exit

Save the configuration:

write

Apparently interface gigabitEthernet 1/0/1 we did not touch.
Now the ports on which the switchport protected command is registered do not see the other ports on which this command is also registered, they see only the ports where it is not registered, that is, in our case the first gigabit ulink port, and it sees all the ports with the command and without.

Information about ports can be viewed by the command:

show interfaces NAME switchport

View full configuration:

show running-config

Blocking social networks on Cisco

On the test I use the Cisco Catalyst 6509-E switch.
Suppose we need to block access to users to a certain site, a network node, or for example a social network VKontakte.

First, we know the range of IP addresses on which the site is located, for example, we search VKontakte on bgp.he.net, here is for example the list of subnets for one of the AS belonging to VKontakte “http://bgp.he.net/AS47541#_prefixes”.

And create an extended ACL for example with the name BLOCKSOCIAL:

ip access-list extended BLOCKSOCIAL
deny ip any 87.240.128.0 0.0.63.255
deny ip any 93.186.224.0 0.0.7.255
deny ip any 93.186.232.0 0.0.7.255
deny ip any 95.142.192.0 0.0.15.255
deny ip any 95.213.0.0 0.0.63.255
deny ip any 185.29.130.0 0.0.0.255
deny ip any 185.32.248.0 0.0.3.255
permit ip any any
exit

The rule above indicates that you want to block traffic to the specified networks coming from all (any) sources.
You can specify as a source a specific network or for example one address to deny access to another address:

deny ip host 192.168.5.1 host 192.168.11.54

The line “permit ip any any” should be necessary at the end.

Instead of a subnet mask, you need to specify the Wildcard, for example, for the mask /24, specify 0.0.0.255, for /22 – 0.0.3.255, etc., you can look at and count on any IP calculator.
/17 – 0.0.127.255
/18 – 0.0.63.255
/19 – 0.0.31.255
/20 – 0.0.15.255
/21 – 0.0.7.255
/22 – 0.0.3.255
/23 – 0.0.1.255
/24 – 0.0.0.255

If you want to block more sites, we’ll add the addresses to the same ACL, since only one can be applied to the ACL interface.

Apply the created ACL to the port looking towards the clients:

interface GigabitEthernet1/1
ip access-group BLOCKSOCIAL in

Or, to write less only to the server’s server port on the Internet, if there is one:

interface TenGigabitEthernet3/2
ip access-group BLOCKSOCIAL in

You can cancel the ACL interface as follows:

no ip access-group BLOCKSOCIAL in

Delete the ACL like this:

no ip access-list extended BLOCKSOCIAL

If you block sites on the port from the server to the clients, then in the ACL rule we will change the addresses in the following places:

ip access-list extended BLOCKSOCIAL
deny ip 87.240.128.0 0.0.63.255 any
deny ip 93.186.224.0 0.0.7.255 any
deny ip 93.186.232.0 0.0.7.255 any
deny ip 95.142.192.0 0.0.15.255 any
deny ip 95.213.0.0 0.0.63.255 any
deny ip 185.29.130.0 0.0.0.255 any
deny ip 185.32.248.0 0.0.3.255 any
deny ip host 192.168.5.1 any
permit ip any any
exit

Configuring link aggregation on the Cisco Catalyst 6500

For the test, I will configure the aggregation on the Cisco Catalyst 6509-E.

The solution to the error “IP overlaps with VlanXXX. VlanXXX: incorrect IP address assignment”

It was necessary to replace the L3 switch of HP with Cisco once and after a similar switch configuration Cisco noticed an error:

172.16.63.0 overlaps with Vlan111
Vlan121: incorrect IP address assignment

As it turned out the network Vlan111 172.16.0.0/18 was ending at 172.16.63.254, it crossed with Vlan121 172.16.63.0/24.

The HP 5800 switch was configured before that and he did not say anything about it, and Cisco refused to accept the command.

Therefore, since IP addresses were used little in the Vlan111 172.16.0.0/18 network, the problem was solved by reducing the mask to 172.16.0.0/19.

After that, the IP address was successfully registered to the Vlan121 interface.

Done.

Connecting SFP-RJ45 Modules to the Cisco 6500

It took a couple of days ago to the Cisco Catalyst 6509-E in which there were modules only with SFP ports to connect a few links with RJ45.

Since RJ45 links are small, it was more economical to use SFP-RJ45 modules, so they were ordered.
I connected them to the ports WS-X6724-SFP, but nothing was displayed in the logs.

Let’s write commands so that Cisco does not disable ports when inserting unsupported modules:

service unsupported-transceiver
no errdisable detect cause sfp-config-mismatch
no errdisable detect cause gbic-invalid

I note that the ports WS-X6724-SFP in my case work only at 1Gb speed, so the link will not naturally rise to 100Mb or 10MB, although the Foxgate SFP-RJ45 modules that we had and support 10/100/1000.

In confirmation of this I checked the commands:

configure t
interface gigabitEthernet 1/1
speed ?

What was the opportunity to specify the speed of the port only in 1000.

Installation of the second control module in Cisco

On the test I use the Cisco Catalyst 6509-E with WS-SUP720-3BXL control module installed.

There is a second similar control module WS-SUP720-3BXL.

Configuring DHCP relay on Cisco

On the test, I’ll take the Cisco Catalyst 6509-E switch and configure it to forward DHCP packets to the DHCP server.
The switch is configured as L3 with assigned IP addresses in each VLAN.

Connect to the switch through the console or telnet and go to the configuration mode:

enable
configure t

Let’s assume the DHCP server address is 192.168.11.1 and we want to configure the transfer of DHCP broadcast packets to it on VLAN 100, for this we execute the commands:

interface Vlan100
ip helper-address 192.168.11.1
exit

Exit the configuration mode and save the configuration:

exit
write

Done.

How to view ARP and MAC addresses on Cisco

Here is an example of searching ARP records for mac address: