The ranting of an IT Professional » Cisco

Cisco WLC with PEAP authentication on a MS Radius server

Jason Tramer — Thu, 30 Jun 2011 19:49:43 +0000

Just set up 802.1x authentication on a Cisco Wireless LAN controller WLAN for the first time. My objective is to get Active Directory authentication working for my WLAN, accessible by both corporate laptops as well as blackberry and iphones.

I set up my WLAN with 802.1x auth pointing to a radius server. The Radius server in question is a Windows server 2008 R2 virtual machine with the Network Policy Server role. I installed IIS and submitted a cert request with the internal FQDN of the server. I got my trusted cert back and imported it into the Radius server. I then configured my network and connection policy with PEAP authentication (specifying that certificate and everything worked perfectly.

Cisco acquires NewScale

Jason Tramer — Tue, 29 Mar 2011 16:10:26 +0000

Take a look:

http://www.theregister.co.uk/2011/03/29/cisco_buys_newscale/

Cloud computing is really becoming a overused term. Everyone is signing on to it, but most people don’t even really understand it. This will either be the future of IT or a complete fad. I give it 50/50 odds.

The dangers of Mirror ports and Etherchannel

Jason Tramer — Tue, 08 Mar 2011 18:38:05 +0000

I was brought in to troubleshoot an interesting issue with some Cisco switches yesterday. I had a stack of 3750′s(Core) and a stack of 2960S’s. Etherchannel was set up on both sides to connect the two stack’s together. Each time they were connected they would work for about 20-30 minutes and then bring the network down. i immediately suspected Spanning Tree to be at fault but after some investigation with a colleague we found that Spanning tree wasn’t the issue.

In troubleshooting we discovered that when we plugged in the port channel there was immediately a massive amount of data transversing it, far too much to be normal. Doing some digging we discovered there was some mirror port configuration on the switch which was mirroring one port of my Etherchannel to another port on the Etherchannel thus causing a type of traffic loop which eventually completely floods the switch.

Not likely an issue I will see again but a valuable lesson on pruning old configurations after they no longer apply.

ICMP redirect cache is empty

Jason Tramer — Mon, 07 Mar 2011 16:17:17 +0000

I was deploying a new Cisco 1921 router and couldn’t get an internet connection going. I did a Show IP route and saw no routes (not even my static) and got the message “ICMP redirect cache is empty”. After double checking that IP routing was enabled (it was), I rebooted but had the same issue. I did a “debug ip routing static” and then removed and re-added my static route. I then got an error dealing with the routing database.

In the end I turn off routing with a “No IP routing” and then turned it right back on with “IP Routing” and that immediately resolved the issue. It was very weird though.

Cisco Partner exams

Jason Tramer — Mon, 28 Feb 2011 19:16:04 +0000

Working in the consulting field generally means that you partner with big vendors i.e. Cisco, Microsoft, Citrix etc. Generally these companies require you have certain certifications to maintain that partner status. Most of these companies just use their normal everyday certifications i.e. have X number of MCSE’s for Microsoft partner level X. What annoys me is that Cisco on top of this has their own specialty partner exams they make you do. It would be simple if to be certified to sell voice you need to have 3 CCVP’s or something, but no. You need three CCVP’s and then each one has to do 3-4 specialty exams on top of this. It really is a pain and frankly I don’t see the point. Why should I have to do my CCDA and then a design specialty exam, isn’t the CCDA the design specialty certification anyways?!?

Upgrade the firmware on a Cisco lightweight access point

Jason Tramer — Wed, 02 Feb 2011 20:56:02 +0000

Need to roll out a new firmware revision to all your access points connected to your controller? Maybe you need to convert some into autonomous mode?

Easy and simple way to accomplish this. Load up your IOS file onto a TFTP server and then connect to the CLI of your controller.

Enter this command for each AP:

config ap tftp-downgrade tftp-server-ip-address filename access-point-name

Your access point will download the image, update and reboot itself and you can do all this from the safety and comfort of your desk. Remember a good network admin is a lazy network admin.

Cisco phones not discovering Voice VLAN on HP Procurve switches

Jason Tramer — Sun, 23 Jan 2011 14:57:05 +0000

I encountered this issue and luckily I was able to find a blog entry about it:

http://mikemcarthur.net/article.php?story=20100602220125153

Essentially Cisco phones use CDP to discover their voice vlan. HP procurve phone’s use LLDP to accomplish the same goals. Now apparently this works fine with the Cisco 79XX model phones which are there Enterprise class phones.

However I was trying it with the Small Business line 500 series phones and it does not work. According to the article you need to manually disable CDP on the phones to make this work. The other alternative (which is what I did) is manually input the voice VLAN into the phone.

Hope this helps

Routing within an interface on a ASA and my triumphant return

Jason Tramer — Sat, 22 Jan 2011 14:27:37 +0000

Well it has been a long time, but I am back! Sadly elements in my personal life have kept me focused on other matters for the last 8 months or so and I apologize for that but I am ready and eager to return.

For my first issue I want to talk about is with Cisco ASA’s and concerns how to set up a static route on an interface to point to another router for certain routes.

Let me give an example. You have your inside interface, lets say 192.168.1.0/24, and on this interface your have a router with an IP address of 192.168.1.10 which connects to a network of 10.0.0.0/24. Now you need your devices on the 192.168.1.0/24 network to get to the 10.0.0.0/24 network via 192.168.1.10 but that is not their default gateway. How do you do it?

Well obviously you could use static routes on the machines but that is bad practice. So you do it on the ASA.

You would set up your static route and NAT exempt as normal but it will not work. The ASA will be able to ping the 10.0.0.0 network but not the devices. Packet tracer will tell you that you have a Access List issue but you don’t.

You need to other commands to make this work:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

This will allow your traffic to function as you intended

Cisco completes Tandberg offer!

Jason Tramer — Wed, 21 Apr 2010 19:37:21 +0000

A long time coming, but awesome news none the less.

http://newsroom.cisco.com/dlls/2010/corp_041910.html?sid=BAC-NewsWire

I have it on good authority that Cisco has a lot of plans already on how to integrate this into their existing UC line. The best part is that Tandberg devices already support SCCP so it will be very very easy to tie this in with Unified Communications.

New Blackberry supports Cisco Compatible Extenstions

Jason Tramer — Thu, 25 Feb 2010 20:38:52 +0000

Great news for people who use Cisco WLAN controllers, the new Blackberry Bold 9700 supports CCX and all the great features that represents. As a big fan of Cisco Wireless products this is really nice to see.