Cisco Firewall :: 6509E / FWSM Default Port Channel?
Jan 22, 2012
I'm doing some L2 cleanups across mutliple 6509E environments and I've found something consistent that I can't find in documentation. On all my pairs of 6509s where I have FWSMs bundled (6509-A has FWSM-1 is Slot 1 and 6509-B has FWSM-2 in Slot 1) I also have a port channel 305. Obviously when I do a "show run" or "show int desc" I don't see anything in slot one. It's a service module. But the port channel is referencing ports 1/1-6. And it's all in service/up. I was about to delete this as I thought it was some leftover config (TEST 6509s) until I went and saw the same things on our PROD 6509s. Is it cosmetic? Necessary? Can I delete it as part of my audit cleanup? Don't want to mess with it even in TEST without some information. Nothing on google that's clear and I can't find anything on CCO.
#################################################################################
6509-1#sho etherch 305 summ
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
[code]....
View 1 Replies
ADVERTISEMENT
Sep 11, 2012
I have two Core 6509E SUP2T configued as VSS and has two 48 ports fiber blades. I have two 3750s, I have two gig on each 3750 port-channle to po1 and connected to both the core, one link to each core.Now, I was asked ot add two more links on each 3750 switch to make it a total of 4 gigs on each 3750s (all 4 gig ports/uplinks will be in used an dtwo links to core one an dtwo links to core 2).when i added two additional links on 3750s and bundled them to po1, I created another port channel on core and bundeled the additional two gigs on each core to accomodate for the two additional links (ports on core switches are not consequtives).
adding these two additional ports makes the 3750 switches flap between managemnet vlan and po1.now, i am not sure if I must have added the two additional links on the core to teh current port-channel or core!? I have created another port-channel on core to accomodate for this currently!?
View 26 Replies
View Related
Jun 6, 2013
I'm migrating from a failover pair of FWSM modules across to a failover pair of ASA Service Modules. In order to avoid a "big bang" switchover I intend to migrate subnets from one to the other over a protracted period.With that in mind, whether there is any restriction on having FWSM and ASASM modules in the same chassis? A trawl of the relevant documentation hasn't revealed anything.In this specific case it is Catalyst 6509E VSS chassis pairs with Sup-2T.
View 1 Replies
View Related
Jan 10, 2011
On FWSM (running version 4.1 in my case) the default global policy uses the following class map:class-map inspection_default match default-inspection-traffic
What "default-inspection-traffic" includes? Is it all traffic? If so, do I really want all my traffic to go through the inspection engine? I would imagine this would have a performance impact on traffic that is not part of the protocols being inspected.
View 9 Replies
View Related
Nov 14, 2011
I want to set up FWSM 4.1 on Cat6509 with multiple bridge groups in one transparent context. (as the manual says it can support up to 8 bridge-groups and the intent is to save security contexts) For a host in VLAN21 (b1_inside) to talk to a host in VLAN41 (b2_inside), traffic needs to be go out to MSFC which routed back the traffic through the FWSM. My question is how can I define a default route per bridge-group, I would assume FWSM should take the following two default routes per bridge-group interface but it won't;
route b1_outside 0.0.0.0 0.0.0.0 10.11.75.1 1
route b2_outside 0.0.0.0 0.0.0.0 10.11.76.1 1
seems like it allows only one default route per the context and gives me an error - "ERROR: Cannot add route entry, possible conflict with existing route"
How can I achieve outside per individual bridge-group?
FWSM context config:
Interface VLAN11
nameif b1_outside
bridge-group 1
security-level 0
!
Interface VLAN21
nameif b1_inside
[code]...
View 2 Replies
View Related
Mar 14, 2012
We are running a FWSM and have created ACL's for a new Lync install. One of the rules needs to have port 5061 access from any source to our front edge server for communication. When looking at the logs I see a hit on the ACL but nothing ever actually connects.
One possible issue I see is possibly in the inspect:
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
class class_sip_tcp
inspect sip
In the inspect sip this is only for port 5060. How do I set this up to allow port 5061?
View 1 Replies
View Related
Jul 16, 2012
We have configured BGP on Cisco Switch 6509E, firewall module on the switch is making nat for all users,but users is not going to internet yet, I do not know hot to configure 6509E to give internet access to users.If I route default route to FWSM,then BGP will not work? If I route default route what is the meaning of BGP then?
I do not want to write static route because BGP should work (4 ISPs redundancy)
How to let users to go out to the internet throug BGP, but nat is being done on the firewall module on 6509, routing is beiing done on 6509,to to configure it?
View 4 Replies
View Related
Jun 11, 2013
So everything I've read on Cisco's documentation here: URL says that I can create a port-channel on two physical interfaces that will uplink to a VSS pair. However, the command is not recognized. What am I missing? I've tried executing "channel-group #" on the physical interface and tried creating the port-channel 1st and neither commands exist. I haven't seen it listed anywhere if it is only available after a specific piece of ASA software. If it is the software what version at a minimum I need to upgrade to? Below is an output from a show version
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(3)
Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-(code)
View 2 Replies
View Related
Dec 2, 2011
So here is my network.
ASA5505--->Cisco1841--->Cat2960
Code
ASA asa831-k8.bin
Cisco 1841 c1841-adventerprisek9-mz.151-4.M2.bin
Cat 2960 c2960-lanbasek9-mz.122-55.SE1.bin
and here is my dilemma.
I can SSH from the internet to my ASA on default port 22, directly to my public IP. I can SSH from the internet to my Cisco 1841 on port 2001. I can not however, SSH to my Cat 2960. From what i can tell, on the Cat2960 i can't change the default port 22 for SSH to different port, just like i did on the Cisco 1841. I looked to see if I can change the default port for SSH on he ASA, it does not look like this is an option.
The bottom line is that i want to be able to SSH to all three devices from the internet. I only have one public IP. As of now, what i can do is only SSH to the ASA on default port 22 directly to the public IP and Cisco 1841 on port 2001. It appears that changing the default SSH port on Cat 2960 is not an option. It also appears that I can't change the default SSH port on the ASA, if i could, i would and then i should be able to SSH to the Cat 2960 on port 22. No matter what i did on the ASA, it always listens on port 22 for SSH connections.
show asp table socket
TCP 001f549f <<pub IP>>:22 0.0.0.0:* LISTEN
how do i make it listen on different port?
Here is relevent config for SSH for cisco 1841 (port forwarding)
ON ASA
object network ROUTER
host 10.10.1.1
[Code].....
View 28 Replies
View Related
Nov 20, 2012
Create a port channel out of interface 3 and 4 of ASAConfigure 2 sub-interfaces in those Po interface (my inside vlan and the dmz)At the 4948, configure a trunked port channel out of a single interface (funny ), then do the same in the second 4948Connect ASA port 3 to the 1st 4948's single-interfaced port channel, ASA port 4 connects the same on the 2nd 4948.
View 4 Replies
View Related
Dec 17, 2012
Anyway, here's the situation I'm trying to configure several VLANs on my ASA to uniquely allocate to contexts, the VLANs will be trunked from my VSS. Unfortunately I'm not clear on how to achieve this, the configuration guide for 8.4 talks about multiple contexts and routed setups all which don't appear to apply exactly. I've configured the port channel at both ends and I've configured sub-interfaces on the port channel and assigned VLAN IDs. These sub-interfaces are then allocated to the contexts to set 'ip address' etc. I've not been able to successfully test this configuration and I am concerned that it is incorrect..
View 1 Replies
View Related
Mar 12, 2013
The network gods recently updated our 6500 and upon reboot, the FWSM booted to CF:1 maintence partition,which caused an immediate outage. On the router, I ran the following command to set the default FWSM boot partition to the configuration with:Router#boot device module 4 cf:5 However, it appears the "show boot device" command has been replaced with "show bootvar" which doesn't show me which partition the router will boot the FWSM to. Is there a command I can run from the Router that will actually confirm the boot partition for the FWSM if the router reloads.
View 1 Replies
View Related
Jun 20, 2011
when opening SSH service to a Database Administrator within my LAN, that has a RV016 as the default gateway. So confidence, I just set up a port forwarding in Setup > Forwarding and everything works fine, cool.
However, I do not want this to be a public access, I need a specific firewall rule for a specific external IP address (only the DBA fixed IP Internet might connect to my database server through SSH).
O noticed that when a port forwarding is created within RV016, it bypass the firewall default rules and wide-opens the service (port) to the web. Conceptually, this is correct, as port forwarding is a network translation, but I expected that my firewall had work over this.
My current solution was to create a "Deny from all" rule at port 22 and then create one additional rule that allows traffic from an specific IP at port 22.
View 3 Replies
View Related
Dec 29, 2011
Looking at the specs for WS-X6704-10GE, it shows the port buffers at 16M per port. This doesn't seem like very much for a 10G port. Is this upgradable or related to how much RAM is in the blade?
View 4 Replies
View Related
Feb 9, 2012
I'm unable to assign port E2/1 to port channel. I get following error:
NEXUS5K(config)# int e2/1
NEXUS5K(config-if)# switchport mode trunk
NEXUS5K(config-if)# channel-group 14 mode active
[Code].....
View 2 Replies
View Related
May 22, 2012
What is the cause of having a huge number ( 875349) of total output drops on one of my gigabit utp port gi 2/12 which is connected to Cisco 1841 fa0/0 router by mean of cat5e cable.I did change the cable from cat5e to cat 6 and tried to increase hold queue to 4096 and to tweak wrr queue bandwidth
View 4 Replies
View Related
Oct 28, 2012
I have one Catalyst 6509E chassis and two SUP720. The bootup sequence on SUP 720 (standby hot) failed . Messages that appear on SUP 720, on the console port indicate o software crash. I don't have a flash card in SUP720.
This is the bootup process:
System Bootstrap, Version 8.5(3)
Copyright (c) 1994-2008 by cisco Systems, Inc.
Cat6k-Sup720/SP processor with 1048576 Kbytes of main memory
[code].....
View 1 Replies
View Related
Mar 11, 2013
we have installed and implemented a FWSM on cisco catalyst 6509E and defined two virtual contexts.one of contexts work as datacenter firewall. initially it is configured to allow all traffic to datacenter VLAN. (permit any any) on test, it worked fine, except for one problem: all web services had degradation in performance, all server-client (non web) services worked very fine. additionally all https servies worked well.
Users connect to the web server bypassing the proxy, web services are expected to act just like other ones.
View 1 Replies
View Related
May 3, 2011
We have 2 FWSM modules in each 6500 switches. 1st module is having 04 firewall vlan groups with 18 vlan interfaces in a single context firewall. All are working fine with no issues. Recently we create one more vlan on MFSC and add into the same firewall module. However newly created vlan inside the FW is not able to communicate with outside and also outside users not able to reach newly created subnet. But within the firewall zones (other interfaces) it can communicate. Once we did packet capture we noticed that its hitting firewall outside interface only and when we ping we got TTL expired error. we have default routes to outside and there's no any route inside as new segment is within the firewall (no any hop).
I guess there's no limitation on number of vlans that we can assign on one firewall eventhough there is a limitation for number of vlan-group which is 16 max (but we are within that limit).
View 2 Replies
View Related
Sep 2, 2012
I have Cisco 3845 with two Gigabit interfaces configured as port-channel with sub interface and with QoS. However shape does not work.
[code]...
View 8 Replies
View Related
Dec 20, 2010
We have a 6509 that was connected to 2 other locations(location A and B) and our local lan (location MAIN). We wanted to move the location A and B to a 3750 switch and only allow the traffic that needed to access our location MAIN to come through the firewall. The only problem I ran into is that before location A and B were on different interfaces so in the 6509 firewall the routes for traffic to our MAIN location was done by static routes.
I.E.
static (MAIN_intf,A_intf) 192.1.1.72 10.94.10.72 netmask 255.255.255.255 0 0
static (MAIN_intf,B_intf) 192.2.2.72 10.94.10.72 netmask 255.255.255.255 0 0
[Code]....
because it has a static overlap, which makes sense to me, but my question is how do I configure the network to get this to work? Do I have to reconfigure my network and access-list? Do I need to add more ports between the 6509 and 3750? I'm not sure if this is the best way to do what we want. If something is not clear I'll try my best to explain the setup, but I just took over for our I.T. guy when he left.
I put 10.10.10.72 instead I should have put 10.94.10.72. the routed port is on a different subnet than the computer I'm trying to access.
View 4 Replies
View Related
Feb 7, 2013
what is active/passive port-channel..? and how it will do load balancing when my network traffic is flowing on both the ports.
View 5 Replies
View Related
Sep 13, 2012
I have Cisco 3845 with two Gigabit interfaces configured as port-channel with subinterface and with QoS.However shape does not work, why? [code]
View 1 Replies
View Related
Nov 2, 2012
are port-channel interfaces supported in 6500s -w- SUP-2T?
Inquiring if able to bundle a couple of 10GB ports on a 6908 via port-channeling.
12.33 IOS doesn't it, but haven't completely confirm whether 15.1 IOS does.
View 3 Replies
View Related
Mar 6, 2012
So I have a current port-channel between two 6ks that I need to upgrade. There's too much traffic and the port buffers on the SUP7203B sort of suck. Microbursts are causing overruns like mad. Im going to move the 2x1gig port-channel to a 6724 and make it a 3x1gig port-channel. The switches carry production traffic across the link to the tune of about 400 meg during the lowest load time. Initially, I thought that I couldn't move the port channel without temporarily taking down the link but I think I have a workable solution now. Has anyone done this successfully before? Im curious what others have done. Also, to make matters worse, the existing port-channel is 'mode on' and I want to migrate to 'mode active' in the new channel
View 7 Replies
View Related
Oct 30, 2012
I want to do the inter vlan routing packet tracer file url...configuration of MLS are as bellow can anyone tell me why vlan on switch0 can not ping vlan on switch1. [code]
View 12 Replies
View Related
Jan 18, 2013
I have just been setting up a WISM2 in a test lab and for some reason the Supervisor is not creating a port channel on my 6500 as suggested in the WISM2 Deployment Guide. WISM2 is installed in an appropriate slot (according to same doco) and have attempted reset to factory defaults, removing and power cycling several times.
View 1 Replies
View Related
Jan 5, 2012
Is it possible to configure a Cisco 2801 router with Multipoint Port Channeling? A service provider dropped a 4.5Mbps ( 3x T1s ) to one of our customers without any equipment. They assume the CPE responsible. If so, any links to documentation on this configuration. If not, what device will they need to buy from Cisco that can bundle these 3 T1s together then feed it into their router?
View 6 Replies
View Related
Jan 16, 2011
I have configured my Nexus 7018 and 5548 as follow (see diag attached).Both 7000 and 5500 are vPC pair(po1and po2). Now I have created port-chanel between 7018and 5548 as port channel PO3 on 5500. Would it give me 20g bandwidth as PO3?or 10g only uplink to 7018? Do I need to config all four 10g links in PO3 on both 5500 and 7000 switches to achieve max b/w and failover?
View 4 Replies
View Related
May 22, 2012
I have port-channel configured on Nexus 5K (version 5.0.3) with below configuration.
interface Ethernet1/9
switchport mode trunk
switchport trunk allowed vlan 60
speed 1000
channel-group 105 mode active
[code]....
We have added GLC-SX-LH module to E1/1 and E1/10 and speed is set to 1000 (1Gig) Now other side of E1/9 and E1/10 are not connected. Port-channel status is down
Po105 1 eth trunk down No operational members 1000(D) lacp
show interface port-channel 105 shows different bandwidth (100) MTU 1500 bytes, BW 100000 Kbit, DLY 10 usec,question is under interface port-channel105 speed 1000 command inserted automatically.Now if we connect otherisde of interface, during port-channel comes up.what will be the port-channel interface bandwidth ? will it change to 2Gig(2000). Why speed 1000 command inserted automatically on port-channel.Since it is migration, we want to be more specific on the port-channel configuration?
View 1 Replies
View Related
Jul 17, 2011
What is the load balance method of 3750 port channel ( by source ip , or by source mac ) to diver traffic to paths? I have tried to use 10.242.104.101 and 10.242.104.102 as source ip, it will travel to the same link (G0/1) within one port channel (G0/1+G0/2). Howerver, if I later use 10.242.104.109, then this time it will traffic to G0/2 link. What's the concept behind.
View 1 Replies
View Related
Sep 12, 2012
Have 2 N2K with dual-connections to both 2 N5K, will all 4-ports of N5K will be the same port-channel. N2K as well ?
View 1 Replies
View Related
Jan 27, 2013
I need to increase the link capacity of 10GE to 20GE between two Cisco7609, so I feel the need to configure port channel between them, my little problem is that I have a SCE 8080 in the middle of both 7600 currently is configured inline. The SCE has 4 modules 1X10GE-L-V2 (currently in use 2), I was investigated and the truth is that I not found anything concrete about how to configure the SCE to "pass" etherchannel through it? What the SCE needs to support 20GE of traffic? (configuration and software)
I have two 10GE ports available on the SCE
View 1 Replies
View Related
