Cisco :: C1921 Router - How To Tell AP To Get New Root CA Certification
Oct 20, 2011
I'm currently trying to set up a new infrastructure with PEAP.
So, I've got redundant CA routers (C1921), an ACS server and 1262 APs. Everything is working fine and as I want it to. Certificates are auto-enrolled and so on, but if the CA root certificate expires, how do I tell the AP to get the new root CA cert?
The root certs are made by auto-rollover and rolled on the CA router, but I have no chance to get this root cert onto the AP. Is there a way to get them there in an automated way, like rollover or enrollment?
We have a problem with a Cisco 1400 Bridge. This equipment cannot bridge to the other side in root or non-root mode. I can see the message "Interface Dot11Radio0 Radio transmit power out of range" and the MAC address of Dot11Radio0 appears as 0000.0000.0000. I set the local power to 18 but the MAC address is still 0000.0000.0000.
I got the problem with 1300 bridges, root bridge with omni antenna and non-root with sector antenna. They can associate and can ping each other, but whenever I try to browse several web pages it gets timed out and the radio was down.
Any working configuration between two BR1310s in root/non-root mode? The documentation is very vague and I can't find anything more secure than WEP. Is it possible to use WPA with RADIUS authentication?
Traffic generator TG is connected to R1 via switch SW. One end of R1 is the LAN1 interface and the other end is WAN1. LAN1 is connected to switch SW. WAN1 is connected to the R2 WAN0 interface.
When I pass traffic, say 5000, from TG, I am able to receive 5000 at the R1 LAN1 interface but I am not able to receive it at the R2 WAN1 interface and hence not at the R2 WAN0 interface.
Config at TG:
- Destination IP: R2 WAN interface IP
- Destination MAC: R1 LAN MAC
I'm studying for a Cisco certification and I'm trying to wrap my head around routing. I understand how routers work for the most part, how they get updates about networks and how many hops away they are, but I don't get what happens when a router doesn't know the path to a network.
New firmware for the Linksys E4200 was released this morning that adds certification for DLNA, IPv6 Gold logo, and UPnP. It also addresses the Media Server issues that have been identified here in the community.
Sept 28, 2011
Latest firmware version: 1.0.03 (build 14)
- Added support for Native IPv6 over PPPoE Internet connection when only the keep alive option is selected.
- Added support for Native IPv6 on guest network if there are more than two available IPv6 subnets
- Added support for Native IPv6 on Parental Control
- Added support for 3TB hard drive with NTFS and HFS+ format
- Improved firmware upgrade stability
- Improved IPv6 WAN performance
- Fixed media server unstable issue
- Fixed Cisco LED flashing issue
- Fixed some minor bugs
- DLNA certified
- IPv6 Gold logo certified
- UPnP certified
I have a brand new C1921 with EHWIC-4G-LTE-G using Vodafone to build an internet connection. First I did the setup as shown in the config guides and got the internet connection, but it was unstable.
Then I found some issues with the old LTE card firmware in the support forum. Following that hint, I did an IOS upgrade to 15.2(4)M3 and the LTE card update to Modem Firmware Version = SWI9200X_03.05.19.04. Post-checks after the update were all fine.
After that, I reconfigured the router again according to the config guides. On establishing the internet connection, I get an IP address on the cellular profile, but it's not bound to the cellular interface.
sh cellular 0/0/0 profile
Profile password Encryption level: 7
Profile 1 = ACTIVE*
--------
PDP Type = IPv4
PDP address = 10.25.124.59
Access Point Name (APN) =
Authentication = None
Username:
Password: 05
Primary DNS address = 139.7.30.125
Secondary DNS address = 139.7.30.126
[code]......
Before the upgrade the IP address was bound to the Cellular0/0/0 interface and I was able to reach the internet.
I observed, while trying to troubleshoot a field issue using two routers I had in the lab, that one of them (an ancient C3620) did not like the PIMv2 Hello messages sent to it by the newer one (C1921).
The symptom observed with multicast routing is that when a source connected to the C1921 tries to register with an RP running on the C3620, the multicast route stays in the "registering" state forever. But going "the other way", with the source connected to the C3620 and the RP running on the C1921, worked fine.
This is what I see in the C1921 when it tried to register a connection to the group 224.0.0.39 (for Auto-RP). Note: the two routers are connected via a GRE tunnel. [code] PIM debugging on the C3620 showed the following when the two exchanged. [code]
I believe that the issue is down to the firmware in the C3620 simply being too old and not understanding the PIM options defined in RFC 3973 or the Cisco private PIM option 65004 being sent by the C1921 (though the PIM debug does not make it clear whether it is just the unknown options that are ignored or the whole Hello message).
Is there any global or interface-specific PIM option I can use on the C1921 to "dumb down" the Hello message so that the old C3620 accepts it?
I am running two ADSL lines into one C1921 router with 2 ADSLoPOTS cards installed. If I copy the firmware flash file onto the router (adsl_alc_20190.bin) and reboot, only one card shows the new firmware (slot 0). So sh dsl int atm 0/0/0 shows new firmware but sh dsl int atm 0/1/0 shows no change. How do I upgrade them both?
C1921, running version 15.1(4)M2, with licence for the "IP base" feature set only. Trying to pass multicast via a PPTP VPN from a Windows XP machine to work around a non multicast-aware WAN link.
1. With the IP Base feature set I am able to create a plain PPTP VPN without any encryption; the Windows XP machine can bring it up and unicast data passes through it OK in both directions.
2. But when trying to send multicast, only one-way traffic is observed:
i. Windows XP host on the far end of the PPTP VPN and a local PC both running the old Microsoft tool "MPING.EXE", sending and listening for traffic on the group 225.100.101.102
ii. The distant host receives and echoes back the packets received from the local machine + sends its own (confirmed with Wireshark running at the far end)
iii. But the local machine directly connected to the C1921 router does not hear any packets from the far end; Wireshark shows only the ones it is sending.
3. Group status ("show ip igmp membership") as far as the C1921 is concerned shows both ends (192.168.50.10 (local end) and 192.168.50.201 (distant end via the PPTP VPN)) joined to the group [code]
4. But "show ip mroute" for that group shows an error; for the source on the far end of the PPTP VPN (having the IP address 192.168.50.201), the source interface is incorrectly shown as GigabitEthernet0/0 (should be Virtual-Access2.1 for that PPTP VPN) and the outgoing interface is shown as Virtual-Access2.1 [code]
5. I have tried adding static mroutes and messing about with parameters for the virtual-template interface for the PPTP VPN, but the problem remains. And if I put another local PC onto a different Ethernet port of the router, the multicast traffic does flow both ways, so the issue is solely with the PPTP VPN. After a week of head-scratching I am getting more and more convinced that it's a bug... but wonder if it is already known, has a workaround, or a fix in newer firmware?
In regards to becoming a Network Technician with the certification: are there other passes as such that need to be obtained that I could slowly gather up, such as a safe pass and so on? I'm thinking ahead and would like to be well prepared. In regards to my CCENT course, things are going pretty well and, if all goes well, my college is willing to give me a day's work experience outside of my current work commitments to gain some crucial experience. Hopefully when the time comes and I receive my CCENT qualification I can put experience alongside it on my CV, as well as the above mentioned safe passes if needed.
I would like to upload the signed certificate to LMS 4.2.2. After checking (option 4) I chose option 6 and pressed "y" for the questions, and the Perl script is freezing.
I want ACS 5 to authenticate the wireless users, validating each user with a certificate. The ACS is connected to the AD but, is it possible to do that using the user/password from the certificate? I need to do that with a certificate and independent of the AD certificates of each user, so it will be scalable.
It seems that if I want to get the IBM Cognos 10 BI OLAP Developer certification I have to pass the COG-635 exam. It is said exampdf has released the latest COG-635 study guides.
I am currently working on an example for a CCNP Spanning Tree Protocol example. I have some lectures on video and am getting confused with an example they have provided. It has me baffled as I have compared it against numerous other websites, trawled forums and tried to get other examples to compare it against. Anyway, I have posted screenshots of the topology. They are as follows:
1) topology showing links so I can assign costs (100 Mbps = STP cost 19, 1000 Mbps = STP cost 4)
2) topology showing priority and MAC addresses (priority left at default, so the root bridge is elected by lowest MAC address)
3) topology showing elected root ports **which I do not agree with for switches E & F**
4) topology showing subsequent blocked ports **which I do not agree with for switches D & F, even if I accepted the previous given root port election**
I understand that for same-cost paths to the root bridge, the lowest bridge ID wins. So here are my queries:
1) switch E has 2 equal cost paths to the root bridge (A):
-via: E > D > A (4 + 19)
-via: E > C > A (4 + 19)
so I think pick the next hop switch with the lower bridge ID. Switch C, right? In this example it says pick the port going to switch D. I am confused! Why pick the port going toward switch D?
2) switch F has 2 equal cost paths to the root bridge (A):
-via: F > C > A (4 + 19)
-via: F > D > A (4 + 19)
so I think pick the next hop switch with the lower bridge ID. Switch C, right? In this example it says pick the port going to switch D. I am confused! Why pick the port going toward switch D? Can you tell me if the example in the diagram (topology 3) is wrong? If it is correct, explain why.
Now on to issue number 2... If I accept the root port election given in the topology, I go through the process of assigning designated ports and blocked ports. I understand that for each link there is at least 1 designated port. If it is a redundant link, one side will be designated, one side blocked. The designated port will be on the side of the lowest bridge ID (priority + MAC address). So here are my queries:
1) there is a redundant link between switch C and switch F
-one side must be designated
-one side must be blocked
-pick the side with lowest bridge ID (priority + MAC address) for designated port
-switch C has the same priority as switch F, so based off the MAC address, switch C wins, i.e. designated port on the switch C side, blocked port on the switch F side.
-In this example it says the port from switch C is blocked and the port from switch F is designated. I am confused! Why pick the port going from switch F as designated?
2) there is a redundant link between switch D and switch C
-one side must be designated
-one side must be blocked
-pick the side with lowest bridge ID (priority + MAC address) for designated port
-switch C has the same priority as switch D, so based off the MAC address, switch C wins, i.e. designated port on the switch C side, blocked port on the switch D side.
-In this example it says the port from switch C is blocked and the port from switch D is designated. I am confused! Why pick the port going from switch D as designated?
I am trying to configure repeater mode on an AP, but the authentication is not working. It seems the authentication is seen as EAP-TLS on the ACS 5.2, but I'm trying to do LEAP.
I have a very problematic situation here. I have configured the vty lines on a Cisco 2960 in the wrong manner and now I am stuck. To configure those vty lines to enable SSH I typed:
line vty 0 4
 login local
 password xxxx
line vty 5 15
 login local
 password xxxx
exit
Problem: I work remotely (I was on telnet while doing this). I have no username configured as I thought that the root user would work. Now when I SSH to my switch, I always fail authentication. How could I recover access to my switch without being physically there? I have written the config to memory, otherwise it would have been too easy.
I have installed Windows Server 2008 R2 on a virtual machine and have set up AD and a domain named nuggetlab.com; it is the first DC. I've created another VM, again installed Windows Server 2008 R2, and want to add a second DC to the forest root domain. When I run dcpromo and, at the 'Choose deployment configuration' wizard option, select Existing forest > Add a domain controller to an existing domain > Next, the next screen appears and I type in the domain as nuggetlab.com, but when I enter the credentials under 'Alternate credentials' and enter the admin username and password, I receive an error saying that it cannot be contacted. When I press the details button I can see the description [CODE]
Is it possible to join the ACS 5.1 to a root domain (AD) with a subdomain and to authenticate against the subdomain? Or do I need different ACSs for the root and the subdomain?
I've not found much detail regarding election of a root port other than "The root port is the switch port with the lowest path cost to the root bridge". They also expand on this a bit more for the case below (italics): "When there are two switch ports that have the same path cost to the root bridge and both are the lowest path costs on the switch, the switch needs to determine which switch port is the root port. The switch uses the customizable port priority value, or the lowest port ID if both port priority values are the same". They explain that on S2, F0/1 is the root port because it's lower than F0/2 but don't go beyond this. My understanding is that the following order is true with regards to priority of criteria (in this case); am I right?
1. Lowest cumulative path cost back to the root bridge
2. In case of tie, the device with the lowest Bridge ID
3. In case of tie, the port with the lowest received priority #
4. In case of tie, the port with the lowest local ID #
So, shouldn't this demonstration factor in the BIDs of S3 and S4 before the port priority and IDs of S2? For instance, if the BID of S3 was lower than that of S4, wouldn't F0/2 on S2 become the root port? I'm hoping I'm correct in this. Also, I've not actually seen these four bullets in any of my official material for STP, which I thought was a bit odd. I'm wondering if anyone else who has seen this before considered the bridge ID aspect.
I am trying to confirm which of my Cisco switches is the spanning-tree root. I know which I prefer to hold the spanning-tree root and I ran the command spanning-tree vlan 1 root on this switch. I would now like to check that this command has worked, so I ran the command 'show spanning-tree root active' and received the detail below. How do I make sense of this and determine which port the MAC address references? (From this I take it that 00b0.d0f5.cf31 is the root; how can I determine which port this is?)
I have been getting overrun errors on 3 different ASA 5550 HA pairs with traffic rates less than 100 Mbps total. I was told by one TAC guy to split the traffic between the two slots so that traffic comes in one and exits the other to maximize throughput, because the 5550 was designed to work that way. Another TAC guy told me to enable Ethernet flow control to alleviate the overrun errors because the traffic was bursty, but this doesn't seem to address the root cause of the problem either. TCP traffic is bursty by nature and has its own flow control mechanism. I can't seem to find any detailed info on why traffic needs to be split for 100 Mbps when the marketing throughput number is 1.2G. Is this a design flaw or limitation? Is there a way to alleviate overrun errors?
The upgrade process for the ANM virtual appliance 4.2 involves doing a backup and restore as the root user. I have looked through the documentation and have even reinstalled the virtual appliance to see if the install script gives away the root password for the OS, but without luck.
Now I thought the command "sh spanning-tree int gi2/3 root" showed the cost to the root bridge. So with everything being zero, it's implied that this is the root, which it is, but not for VLAN 111; actually all 1XX VLANs have a different root. Why does VLAN 111 show its root as out interface gi2/3 but the root cost shows zero?
The issue is that a 2950 is acting as root bridge for our wireless VLANs, which is wrong... it should be the 6509, but before I change it over, I was wondering about the root port/cost question.
I have a setup where I have a Cisco stack (4x SGE2010 switches) trunking over to a 3COM switch. Both switches believe themselves to be the "ROOT" of the network. Note the 3COM is running RSTP as opposed to the Cisco stack, which is running normal STP. To my understanding of STP, essentially STP is not functioning! Both switches believe themselves to be the "ROOT" so they don't shut ports down. (We are currently having major issues with ports going up and down for seconds at a time on both switches.)
I configured VLANs 21-23 on 3750 A and B switches. I configured the B switch to be the root bridge for all VLANs:
spanning-tree vlan 1,21-23 priority 4096
sh spanning-tree on the B switch:
3750B# sh spanning-tree