Cisco :: 6500 IOS Switches - Compliance Management In LMS 3.2?
Oct 11, 2011
I'm having a hard time getting Compliance Manager to accept a "banner login" command I'm attempting to use on 6500 IOS switches. I've edited the template, tried cut-&-paste, looked for the archive file on the server to directly modify it (without success), among other things. I have this feature functioning correctly on CatOS switches, but can't seem to get it properly set on IOS switches. What's the limit, as far as the template is concerned, on the number of characters with this type of command? Where are the archive configs located on the server; in the "shadow" directory?
Nov 6, 2011
I am currently trying to use LMS 3.2 Compliance Management to verify and alter our access port configurations for 802.1x. Below is our current configuration
Mar 2, 2013
I would like to configure a Management ip address on 6500 by giving ip to the SVI. Following is the configuration done
1) int vlan X
ip address 10.1.1.1 255.255.255.0
no shut
However, I am not able to reach this switch IP from other subnets, for example 192.168.1.0/24. What next configuration should be done in order to make this work? I don't want to use any routing protocol.
Aug 7, 2011
Any snmpset commands to add, modify and delete vlan table entries on SG300-10 switches? I checked url... however this information is apparently only valid for catalysts. The latest firmware is installed and the provided MIB files are used.
Mar 28, 2012
I've just reset our WISM2 in the test lab back to factory default as I needed to reconfigure the 6500 and the WISM2 itself. Bearing in mind I had it working before. I've just renamed and re-addressed some of the vlans so things flow better and make it easier to add more WISM2s in the future. Now I've run through the initial configuration and it's rebooted ok and show WISM status is showing Oper-Up and there's a port channel 407 been created as I would expect. However, I am unable to get to the management interface via GUI or SSH. In fact from the 6500 I can't even ping the management interface (but I can the service port). The Vlans have been changed in the 6500 config so it knows the native-vlan and service vlan etc and all the vlans are up/up.
Nov 29, 2011
I just purchased 2 SF-300 48 port units for 2 customers. I want to be able to remotely manage them over the Internet with my browser. BUT, customer sites already use port 80 for web servers. So, how do I configure this switch to use some other port than 80?
I called support, and much to my surprise he said it cannot be changed. How bizarre that a device with many hundreds of configuration settings does not have one of the most basic settings...
At one customer site I can configure port forwarding and translation to get around this problem, but the other site's router does not offer port translation.
Jan 8, 2013
I am setting up a 3 host ESXi cluster. I am using a pair of stacked SG500-28 switches for switching redundancy. Each host has 8 NICs, 4 to each switch. I have successfully set up a 3-NIC LAG with 1 path to one switch and 2 paths to the other. These LAGs work. When I set up a 2-NIC LAG via the console for management, and the associated ports on the switches, I lose management communication with the host. Before setting up the LAG in the ESXi console, I set that vswitch's properties to use IPHASH as instructed here bit.ly/VLaTEt I have attempted to follow those instructions as closely as possible. The one thing that I am wondering is whether the SG series supports etherchannel. I can't find any reference. Either way, it works on the other vswitch that is for vMotion. I can vmkping between the hosts over that LAG. But setting up a LAG on the management vSwitch doesn't?
Mar 12, 2013
In one of my client locations I have deployed one Cisco 3560X (core switch) and one SG-200-18 (access switch). I’ve configured three vlans (vlan 2, vlan 3 and management vlan 1), relevant trunking, and I’ve connected two PCs to the access switch in vlan 2 and 3 respectively. So far everything (including inter-vlan communication) works fine, except that I couldn’t reach the vlan 1 (management vlan) devices (access switch and core switch) from any PC which is connected to either vlan 2 or 3.
I’ve configured the “port VLAN membership” settings in SG-300 as follows,
Interface mode Administrative vlans Operational vlans
GE 2 Access 2UP
[Code].....
Mar 25, 2012
I have a SG300 switch working in layer 3 mode. I created 3 VLANs and the intervlan communication is working fine. I want to know how to block access to switch management from the VLANs. One of the VLANs is allowed to access the switch but not the other VLANs. What is the best way to implement this? With an ACL, or with Management Access Method, creating an access profile?
Jul 19, 2012
I am using a Catalyst 7600.
I set up a VLAN interface (VLAN 3) with an IP address and I can connect to it using telnet and log in to the switch as admin. I call this my management interface.
How come I manage to log into the management interface when the native VLAN is default 1? I thought the native VLAN determines which VLAN I need to log into to access the switch?
Can I make management interfaces of all the 48 ports if I want?
Dec 21, 2012
I have a new SG300-28P, and have had occasional issues with being unable to connect to it via anything other than the serial port. I have connectivity between my machine and the switch (tested with ping each way), and in fact, have the same problem if I take a laptop to the switch and connect them directly. What happens is that though the switch is operating normally, http, https, ssh and telnet attempts to access all fail in one way or another. SSH and telnet either yield no response or a refused connection (even though those services are enabled). For http and https, I'll occasionally get enough of the web page to be able to tell what it is ... but attempts to log in just don't work. While this is happening, the CPU and packet load on the switch is very, very low. Rebooting didn't work entirely, though it may have made it better. Resetting to factory defaults and then reconfiguring makes it work. This is using the latest firmware: 1.2.7.76.
Oct 12, 2011
I've got a question about the Cisco SF300-24P: is it possible to have the management vlan in a vlan other than the default vlan? I have default vlan 10 and voice vlan 20. I need to reach the switch through the voice vlan, so I need to set up interface vlan 20 with an ip address. I ask this because in the GUI, under Management Interface, IPv4 Interface, under Management VLAN, I can only choose vlan 10, which is my default vlan; I don't have the option to set up, in this case, vlan 20 as the management vlan.
Apr 29, 2012
We've got a SG200-18 switch that is to be used as a workgroup switch in our environment (SW Version 1.1.1.8). Working with the CLI on big and mid-range Cisco gear over the past two decades, I'm having a hard time figuring out the following on the SG200:
o) I want to change the Management VLAN from the default "1" to the management VLAN used in our environment. Sure enough I created that vlan in the SG200 config, however when it comes to assigning the management IP and VLAN for the management interface in the corresponding pulldown under "IPv4 interface -> Management VLAN" the only thing selectable is the default "1". (see screenshots enclosed) So how do I set a management VLAN different from 1?
o) How do I enable telnet/ssh access to the SG200-18? I'd be far more comfortable with a CLI environment.
Jun 2, 2013
What tools are you using to manage multiple SG300 in a single network? I can't find any good solutions on the cisco website.
Jul 12, 2012
I am the Systems Admin at LDM Media and am trying to get some support for one of the SRW224G4 managed switches we have in our rack. The issue is as follows:
Any endpoint connected to the switch is assigned an IP address in the range of 169.254.154.XXX regardless of the switch's set IP range. The second issue is that I cannot access the web management interface through the default IP address 192.168.1.254 (and I have tried to use the last IP in the range set by the router, 169.254.154.254, to no avail).
How do I regain control of this supposedly smart switch?
Dec 15, 2009
I have a couple of Linksys SRW 224G4 and SRW 2024 connected together with Cisco C3650 switches. For my part of the network VLAN100 is used as the administrative vlan and VLAN1 as default (on trunks or unused ports). Although most of the switches work fine, on all older models of SRW224G4 (hw 1.0, various firmware versions) there is no connectivity to the management utilities (also ping won't work) via trunk (where of course VLAN100 is present). At the same time there is no problem with access from "local" ports (assigned to VLAN100) and there are no problems with traffic on VLAN 100 along the network.
For example: Two computers (A and B), two switches (sw1 - old SRW224G4 and sw2 - Cisco switch), are connected as follows:
A--VLAN100--sw1--TRUNK--sw2--VLAN100--B
Switches have VLAN100 as the management VLAN, computers are connected to access ports (untagged). A has access to management on sw1 and sw2 and connectivity with B. B has access to management on sw2 and connectivity with B but has no access to management on sw1... If sw1 and sw2 are the same, old SRW224G4 - everything works fine. Newer versions of SRW224G4, SRW2024 and SLM2024 work OK. Why doesn't it work?
May 6, 2013
What would be causing my management HTTPS session to a SF200-24 to suddenly time out? I receive "The session has been timed out. You may log in again" a few minutes after logging into the switch. Sometimes it happens within 45 seconds, other times after 3 minutes; timeouts are not consistent. And I was not idle when it timed out. My HTTPS idle timeout is set for 10 minutes.
I had a continuous PING going to the management IP, and it did not drop any pings when the session timed out. Interface stats are also clean. I tried IE, Firefox, Chrome and all are timing out.
I've changed the HTTP default idle timeout from 1 to 10 and my HTTPS stopped timing out. Management Access Authentication is clearly set for HTTPS, and the idle timeout for HTTPS was set for 10 minutes since install. Yet, adjusting the HTTP idle timeout cleared the issue.
Jun 13, 2012
How to set the management interface on a SG300 Switch in Layer 3 mode? I've some vlans configured on the switch with interfaces in each of them:
Vlan 100 (10.0.1.254 /24)
Vlan 200 (10.0.2.254 /24)
Vlan 300 (10.0.3.254 /24)
...
Vlan 900 (10.0.9.254 /24)
Now, the management interface is listening on all interfaces (IPs). But I would like to configure the switch to only listen on 10.0.9.254. What do I need to configure, and is it possible at all?
Feb 3, 2013
Using LMS 3.2, I've started learning how to use the compliance templates. Is there a regex to ignore case? For instance, if I have the line:
clock timezone est -5 in some configs, and
clock timezone EST -5 in others
is there a way to tell the template that upper case and lower case are acceptable matches?
Feb 1, 2012
I am installing a new 5520 with IPS for a client, and they were asking about the PCI compliance of the SSL(WebVPN) being self signed. I am not sure what document to find this information from under the PCI DSS. There was also mention about dual authentication being needed, but without seeing the actual requirements, I am just guessing at it.
What is required for making SSL PCI compliant?
May 25, 2012
During our recent VA we were told that the below vulnerabilities exist in the ACS: SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability on port 443
SSL Weak Cipher Suites Supported on port 2030
SSL Medium Strength Cipher Suites Supported on port 2030
Dec 16, 2012
We have two 6500 switches and I am unable to login to these switches anymore, but I was able to connect to them yesterday via Telnet. The strange part is that it happened for both switches at the same time. But now when I try to login, it gives me a message "password required, but none set". I can login to them via console. Is it because the 0-4 VTY connections are being used and there is no password set from VTY 5 to 15? The config has not changed.
SWITCH-1
line con 0
exec-timeout 0 0
password xxxxx
login
line vty 0 4
[code]....
Nov 2, 2011
I want to add the command "no logging event link-status" to all switchport mode access ports EXCEPT for the ones with the following switchport access vlans: 4022,4032,4042,4052,4072 & 4082. How do I create a compliance template to do this? LMS 3.2, RME 4.3.1
Feb 10, 2013
We are using Cisco Catalyst 6500 switches as collapsed core/distribution switches (2 layer architecture). I want to connect approximately 10 application servers to the network. Can I connect the servers directly to the Catalyst 6500 switches using WS-X6148E-GE-TX line cards? The other option is to use access switches and then connect the servers to the Catalyst 6500 through an access switch (Catalyst 3750).
Feb 10, 2013
We are implementing NAC in our environment and unfortunately some of our obsolete 6500 switches are still running CatOS; the current (cat6000-sup2cvk9.8-6-4.bin) image does not support some of the commands related to the NAC implementation. Therefore, I would like to urge you to provide me the 8.7 image which supports all the NAC related commands and will make it easier to finish the long pending assignment.
We are in the process of replacing the obsolete hardware but that will take time.
So, 8.7 K9 CATOS image required.
Jun 5, 2013
I am trying to create a very basic template in compliance manager that checks for interfaces that aren't members of specific VLANs. VLAN 10 being one of them. I want to match interfaces assigned to VLAN 20. According to the documentation I have read, the following range statement should work because 10 falls between 3 and 19:
Submode: interface [#.*Ethernet.*#]
- switchport access vlan [#[3-19]#]
With the preceding statement, however, interfaces assigned to both VLAN 10 and VLAN 20 are matching the rule. With a specific rule (not a range), only interfaces with VLAN 20 are processed by the template, which is expected. We actually have numerous VLANs that we want to exclude/include. I only mentioned VLANs 10 and 20 for brevity.
Jan 27, 2013
Working with a trial version of Cisco Prime 1.2. I am looking for a Configuration Compliance tool. I used it in CiscoWorks LMS, but I don't see a way to do the same thing with Cisco Prime.
Apr 11, 2012
My task is to upgrade a couple of 6500 series switches, 6513 with SUP720/MSFC3 (WS-SUP720) and Policy Feature Card 3 (WS-F6K-PFC3B) installed. How to upgrade those switches if in SSO redundancy mode with two SUPs installed?
I understand that it is good to connect to the MSFC3 via console and upgrade this first; is this correct?
I also have to upgrade some 6509s but I can only test it on one 6509-E; how do I get everything up to date? [code]
Mar 29, 2012
Some of the features of the 6500 are enabled by default and wouldn't appear in the "show run". See the commands below; how do I make sure whether these features are enabled by default or not? Would they appear in the config if enabled?
ip verify unicast source reachable-via rx
ip verify unicast source reachable-via any
storm-control broadcast level 70
What are the differences between the commands below, and can they be enabled together?
spanning-tree guard root
vs
spanning-tree loopguard default
vs
spanning-tree guard loop
Dec 17, 2012
I have a customer asking if Cisco supports CISPR11 - Class B. All Cisco switches appear to support CISPR11 - Class A only. What is the difference? Is Class B supported?
May 9, 2011
We use SecurityMetrics as our vendor for PCI compliance scanning. Of all our servers, only the video server fails their scan, and this is their result: "This scan is inconclusive. Though your server had open ports, we were unable to connect to any of them successfully. There is a high probability that some type of firewall or scan-detection software is blocking us from accurately scanning your server. Please configure any firewall or software that would interfere with our scans to allow all traffic from SecurityMetrics" Our streaming video server is our only public-facing server that has port tcp/udp 1755 open (for the mms protocol). All our other servers behind this firewall pass the test, but they only have standard email and http ports open. I am assuming that their scan of port 1755 triggers some sort of threat detection on the ASA. (I have "Basic Threat Detection" enabled only.)
Apr 29, 2012
How to check compliance for only one access list in CiscoWorks.
Example:
I want to run a compliance template that only checks access-list 13 to make sure it has the following and nothing else:
access-list 13 permit 1.1.1.1
access-list 13 permit 10.1.0.0 0.0.0.127
If something else is listed, then I'll deploy the template and it will remove any other entry besides the two above.
I have tried a Global config compliance on + access-list 13 permit 1.1.1.1 and it comes back and says it's not compliant and wants to remove everything else, which is every other access list. I have tried submodes thinking that it could check under ip access-list standard 13, but that didn't work either.
Jan 5, 2012
Confirm whether the Catalyst 3550 with IOS Rel. 12.2(44)SE is compliant with PoE IEEE 802.3af? I see some conflicting information on Cisco's web site. Before Release 12.1(22)EA2, Catalyst 3550 PoE-capable switches (without intelligent power management support) caused high-power powered devices that supported intelligent power management to operate in low-power mode. Devices in low-power mode are not fully functional.
IEEE 802.3af—The major features of this standard are powered-device discovery, power administration, disconnect detection, and optional powered-device power classification. For more information, see the standard.