Posts

Showing posts from April, 2013

Audit Mismatch on WCS for WLC Deployments

One of the items that comes up from time to time is the configuration of the Wireless Control System (WCS) and the Wireless LAN Controllers (WLCs). WCS handles the synchronization of configurations, and as they become out of sync it will highlight that a "mismatch" has occurred. For example, a change is made on the WLC for a new AP just installed. You want to change the grouping or SSID, but WCS does not know of this change, so it will think there is a mismatched configuration for the system when in reality there isn't one: the change made on the WLC was intentional, so we have to update WCS with the most current configuration.

WCS Mismatch:
1. Login to WCS
2. Go to the Monitor tab
3. Go to Controllers

From the above we now see that there is a configuration "mismatch" between WCS and the WLC. The next step is to find out what kind of configuration mismatch it is. Is it just an AP? Is it NTP? Is it......?
1. Go to the 'Configure' tab
2. Click

Wireless Access Point Keeps Crashing Collect Crash Log

An access point is crashing or resetting and you need to collect the crash logs. An example error in your Wireless LAN Controller events:

Now we can check the AP and log into it directly to check the log files with

    show log
    show stacks

These commands will display a couple of items that you are generally looking for in regards to the AP continuously resetting or disconnecting: reason codes, errors, and crash log information upload. The crashlog file of the AP is uploaded to the WLC with the reasons after the AP has come back online and reassociated itself. So to collect this complete log we can get it from the WLC, because by then it should have been removed from the AP. After obtaining the information you can log into the WLC and do a

    show ap crash-file

This will show the file inside the flash of the WLC. In order to obtain the crash file you can do a couple of items: Get information fro

Basic Router on a Stick

Router on a stick:

The term router on a stick is used widely, meaning one link that provides access to multiple networks (VLANs). With this we configure a trunk from router to switch over Ethernet. Above, VLANs 19, 20 and 21 are what I'm using, and we have no layer 3 switching or extra equipment to divide up the networks into multiple areas, so we use what we have to make it work.

DHCP: Each of the VLANs will be handing out DHCP for the following subnets:

VLAN 19:   19.5.5.0   255.255.255.0
VLAN 20:   20.5.5.0   255.255.255.0
VLAN 21:   21.5.5.0   255.255.255.0

R1:

!
hostname R1
!
ip dhcp excluded-address 20.5.5.1
ip dhcp excluded-address 19.5.5.1
ip dhcp excluded-address 21.5.5.1
!
ip dhcp pool vlan19
   network 19.5.5.0 255.255.255.0
   default-router 19.5.5.1
!
ip dhcp pool vlan20
   network 20.5.5.0 255.255.255.0
   default-router 20.5.5.1
!
ip dhcp pool vlan21
   network 21.5.5.0 255.

Routing Jungle Basic Redistribution - RIP , OSPF ( Backbone Only), EIGRP, STATICs

While just messing around, I decided to do a quick little routing lab on GNS3 for fun. The table includes RIP, EIGRP, OSPF, and static routing. Each of the 4 networks connects to a central hub that is pretty much the redistribution hub. The purpose of this was just to have 4 completely separate network zones with over 20 network subnets pinging each other fully. After all is said and done, the routing table should look like the following on the "HUB" or middle router:

CONFIGURATION:

Nick Router:

hostname NickRouter
!
no ip domain lookup
ip domain name lab.local
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Loopback1
 ip address 1.1.2.1 255.255.255.0
!
interface Loopback2
 ip address 1.1.3.1 255.255.255.0
!
interface Loopback3
 ip address 1.1.4.1 255.255.255.0
!
interface Loopback4
 ip address 1.1.5.1 255.255.255.0
!
interface Serial0/0
 ip address 10.1.1.2 255.255.255.252
 clock rate 8000000

How TO - CUCM Upgrade from 8.0.3 to 8.5.1 ( Local Disk Install )

Upgrading CUCM from 8.0.3 to 8.5.1

1. Login to the CUCM OS Administration page.
2. Select Software Upgrades (from the menu).
3. Select Install / Upgrade.
4. I'm installing from local disk, so I select DVD/CD. (Make sure the disk is actually in the CD drive.)
5. Click Next.
6. The CUCM system should acknowledge the CD in the drive and point you to the 8.5.1 ISO. (The ISO for upgrades can be downloaded through your Cisco CCO account.)
7. Click Next.
8. The page will display a notice that a backup is recommended, and verify the MD5 hash for integrity of the install. Make sure you have a backup of your system or a snapshot that you can quickly revert back to.
9. Make sure "Do not reboot after upgrade" is selected.
10. Click Next.
11. The system should now be trying to run the install package for your system.
12. The status will become complete once the install finishes. The new update is now applied to the inactive partition of CU

Catalyst Express 500 Switch Use CLI Web GUI

When logging in normally to a CE500 switch you get the graphical user interface seen above. This is the system's primary interface for administration. It is not the normal CLI session via a DOS-like command prompt. If you wanted to use the CLI, you would have to type the following at the end of your browser address:

    level/15/exec/-/

The full address will look like:

    http://<IP Address>/level/15/exec/-/

When you type in the address with this addition you should come to a web page that lets you use a GUI CLI-like page; if you're more familiar with the Cisco CLI it may be more effective for you.

Cisco Traceroute ICMP Replies

3750-1#traceroute 1.1.1.1
Type escape sequence to abort.
Tracing the route to 1.1.1.1
  1 10.10.10.1 8 msec 0 msec 0 msec
  2 10.11.11.2 0 msec 0 msec 0 msec
  3 10.11.11.2 !A  *  !A

The above is a sample traceroute of what you might have already seen. It was definitely something I came across and thought I would just jot down for future reference. This is good for troubleshooting and understanding where the packet is actually going.

When using ICMP tools like ping and traceroute it's good to know the characters and the meaning behind them; it helps with troubleshooting. Below is a table of these characters from Cisco.

*    The probe timed out
A    Administratively prohibited (example, access-list)
Q    Source quench (destination too busy)
I    User interrupted test
U    Port unreachable
H

Cisco IME - IPS / IDS Management

IPS Manager Express is a nice utility to use if you're managing IPS / IDS modules. From a central interface you can do image upgrades, license upgrades, signature updates, reporting, and more. From the above images you can see the state and the health of the IPS / IDS modules or appliances that you manage.

Some of the supported IDS / IPS systems are:
• Cisco IPS 4240, 4255, 4260, and 4270 Sensors
• Cisco ASA 5500 Series Advanced Inspection and Prevention Security Services Modules and Cards
• Cisco ASA 5500 Series IPS Security Services Processors
• Cisco ASA 5500 Series Adaptive Security Appliances
• Cisco IPS Advanced Integration Module (AIM)
• Cisco Catalyst® 6500 Series Intrusion Detection System (IDSM-2) Services Module

IPS Manager utilizes IOS version 6.1 and later. You can also add up to 10 systems to manage inside the central system.

DHCP Pool ASA 5505 - Cant add 200 IP DHCP Scope

So, running into a nice little error: I was going to change the DHCP scope from the following range:

    dhcpd address 172.16..1.20-172.16.10.80 inside

TO

    dhcpd address 172.16.1.50-172.16.1.250 inside

Below is the error you may or may not receive (it depends on your license):

ASA5505(config)# dhcpd address 172.16.1.50-172.16.1.250 inside
Warning, DHCP pool range is limited to 128 addresses, set address range as: 172.16.1.50-172.16.1.177
ASA5505(config)#

OR in ASDM:

The reason behind all this is a wonderful thing called Cisco! The licensing for the number of hosts is the limiting factor of the DHCP scope. The default 5505 has 10 hosts. For the ASA 5505, the maximum number of DHCP client addresses varies depending on the license:
• If the limit is 10 hosts, the maximum available DHCP pool is 32 addresses.
• If the limit is 50 hosts, the maximum available DHCP pool is 128 addresses.
• If the number of hosts is un

cidDUMP Crash

CID DUMP Crash 2811 ISR Router - IPS Module

Before going through the steps below, verify that the module is configured for fail-open:

sh run int ids-sensor 0/1
interface IDS-Sensor0/1
 ip unnumbered FastEthernet0/0
 service-module fail-open – failover
 hold-queue 60 out

The license key on the AIM-IPS has expired. The system will continue to operate with the currently installed signature set. A valid license must be obtained in order to apply signature updates. Please go to http://www.cisco.com/go/license to obtain a new license or install a license.

Error: Cannot communicate with mainApp (getVersion ). Please contact your system administrator.
Would you like to run cidDump?[ no]:

This will happen when the sensor cannot communicate correctly with the operating system that is running. Running a cidDump will give you a lot of information regarding the state of the IPS module, much like 'show tech-support' does.

Router# service-module ids-Sensor 0/1 rel

IPS Module Signature Automatic Signature Updates

So when upgrading IPS modules you can do automatic signature updates. These updates will use the following URLs from Cisco, and you will need a CCO account to download from the server.

Prior to 7.0(8), it should look like this:
https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl

From 7.0(8) and 7.1(5) and later, it should look like this:
https://72.163.4.161//cgi-bin/front.x/ida/locator/locator.pl

Note: Please do not edit the URL. The // is intentional and not a typo.

CLI:

IPS# config t
IPS(config)# service host
IPS(config-hos)# auto-upgrade
IPS(config-hos-aut)# cisco-server enabled

After this you will end up scheduling the time, period and intervals at which you want to run the auto update:

schedule-option periodic-schedule
start-time:
interval: 2 hours (example)
user-name: CCOACCOUNT
password: PASSWORD TO ACCOUNT
cisco-url: URL provided earlier depending on IPS version
user-server disabled

After all said