/r/Cisco
Hi there,
I'm experiencing an issue with the Cisco ASDM client. It's getting stuck on the "Validating Running Configuration" step. I’ve been trying to resolve this for a day now, but nothing changes.
During the validation process, I can see the syslog events working fine, so the system isn't entirely unresponsive.
My colleague can use the ASDM client without any issues.
Do you have any tips on how to fix this?
Hello,
I am designing a network for low-bandwidth communication; resilience is favoured over performance.
Customer has their own fibres between sites.
Redundancy is based on Layer 3 routing. This is a quite small network, with around 2 core switches, 2 distribution switches, 5 access switches that need redundant connections to the distribution switches, and ~30 access switches that do not need redundant links to distribution.
Core is based on 2x L3 switches with virtual stacking.
Access is based on a mix of L3 and L2 switches: L3 for switches that need redundant links to distribution, L2 for switches with no need for redundant uplinks.
Now I need advice on the OSPF config. Do you see any issues in defining this as one single Area 0 with this simple topology and low number of switches (routing loops etc.)? Any other limitations or things I need to take into consideration?
Simple topology as shown in the image: all links are L3, except those noted as L2 (not all access switches are shown in the drawing).
I've got a homelab with a 2851 router with a VIC3-4FXS/DID card and a WIC-1AM-V2 card. I've managed to configure the FXS card to allow dialing from one port to another, but I can't figure out how to configure the 1AM card to allow me to dial into it to get access to the internet.
I currently can plug two laptops into the FXS card and dial one to the other to get internet access, but I'd like to remove the second laptop.
I've got the 1AM card in 0/3/0 and my config, so I hope someone here who has more knowledge could point me in the right direction.
I am having a hell of a time enabling SSH on a 2960. I've created the hostname and domain name and generated keys at 1024; VTY 0 15 is set to transport input ssh, but when I do a show ip ssh it says SSH is disabled. Any thoughts?
Hello everyone! This is another CCNA exam preparation post.
I started working as a network engineer back in 2022. Since then I have gained a lot of experience with Cisco, Fortinet, Check Point and Alcatel products, and even gained some very valuable certifications, but not on Cisco.
However, even if I have been certified mainly on firewalls, I want to get a certification by acquiring which I will prove to myself that I have properly and officially studied a plain networking “journey”, not only from hands-on experience and not clearly related to firewalls.
From what I have been told, it is very possible for me to go straight to CCNP. However, I want to do it with no skipping, which means I have to try CCNA for real this time. When I say for real, I mean that when I began to work as a network engineer with no experience, to help me get on track, I read many chapters carefully from the Todd Lammle book, watched the whole David Bombal Udemy 80h class and spent enough valuable time on his labs, watched all of Neil Anderson’s Udemy class (which I did not like too much because it was only theory, and I doubt it gave all the info required for each topic at the CCNA level), and afterwards got very much day-to-day experience.
So I have a question: to go for the CCNA as someone who wants to refresh everything learned in 3 years “officially” and take the exam, what should I go for? I want to know if, for example, Neil Anderson's or Jeremy's material is enough for the CCNA scope theory-wise. I intend to study each “chapter”, for example OSPF, keep notes of the theory and lab it until I learn things that I did not know existed. I am just curious if what I will find is enough and I won't miss important information which may be examined.
Sorry for long post 🙏
How much can someone with no experience earn with the CCNA certification?
Hi all,
Is anyone in here CCNA certified with a Cisco instructor cert?
If so I have questions….
Thanks!
Hi everyone,
I'm a bit stuck and hoping someone here can help me out. I'm not very experienced with IPv6, but I'm eager to learn. My current IPv6 setup is a bit unusual, and it's giving me some trouble.
My ISP has provided me with a /48 IPv6 subnet, but it’s configured as a static IP address with a gateway—no DHCPv6 or anything similar. I simply assign a static address to the outside interface, set up a route, and it works. I can ping the gateway and reach external IPv6 addresses like Google DNS without any issues.
Now, I'm trying to configure my VLANs to use /64 subnets derived from the /48 subnet assigned to the outside interface. I managed to achieve this using autoconfiguration, and my clients are successfully getting IPv6 addresses. However, the clients can't access any external IPv6 addresses—they can’t reach Google DNS or other IPv6 resources outside the network.
I suspect I need to configure an access list to fix this, but even with the rules I've created so far, it still doesn't work.
I'm working with a Cisco ASA 5506. Could someone help me figure out what I'm missing?
Thanks in advance!
This is my config:
ASA Version 9.14(4)24
!
hostname ASA
domain-name example.com
enable password ***** pbkdf2
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
service-module ips keepalive-timeout 4
service-module ips keepalive-counter 6
service-module cxsc keepalive-timeout 4
service-module cxsc keepalive-counter 6
service-module sfr keepalive-timeout 4
service-module sfr keepalive-counter 6
names
no mac-address auto
!
!
interface GigabitEthernet0/0
description UPLINK
nameif OUTSIDE
security-level 0
ip address 185.X.X.X 255.255.255.224
ipv6 address 2a0d:XXXX:XXXX::2/48
ipv6 address autoconfig
ipv6 enable
ipv6 nd suppress-ra
!
interface GigabitEthernet0/1
description HQ
nameif VLAN1
security-level 100
ip address 10.0.0.254 255.255.255.0
ipv6 address autoconfig
ipv6 enable
ipv6 nd prefix default 86400 86400
ipv6 nd prefix 2a0d:XXXX:XXXX:96::/64 86400 86400
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
interface BVI1
no nameif
no security-level
no ip address
!
boot system disk0:/asa9-14-4-24-smp-k8.bin
ftp mode passive
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name example.com
object network ANY-subnet
subnet 0.0.0.0 0.0.0.0
object network VLAN1-subnet
subnet 10.0.0.0 255.255.255.0
object network VLAN1-ipv6-subnet
subnet 2a0d:XXXX:XXXX:96::/64
access-list vlan1_out extended permit gre object VLAN1-subnet any
access-list vlan1_out extended permit ip object VLAN1-subnet any
access-list vlan1_out extended permit ip object VLAN1-ipv6-subnet any
access-list vlan1_out extended permit gre object VLAN1-ipv6-subnet any
pager lines 24
logging asdm informational
mtu OUTSIDE 1500
mtu VLAN1 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7221.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 32768
!
object network ANY-subnet
nat (any,OUTSIDE) dynamic interface
access-group vlan1_out in interface VLAN1
ipv6 icmp permit any OUTSIDE
ipv6 icmp permit any VLAN1
ipv6 route OUTSIDE ::/0 2a0d:XXXX:XXXX::1
route OUTSIDE 0.0.0.0 0.0.0.0 185.X.X.X.X 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication login-history
http server enable
no snmp-server location
no snmp-server contact
snmp-server community *****
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha1
ssh X.X.X.X 255.255.255.255 OUTSIDE
console timeout 0
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 185.255.55.20
ntp server 185.244.27.221 prefer
ntp server 162.159.200.1
dynamic-access-policy-record DfltAccessPolicy
username beheer password ***** pbkdf2 privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 1024
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
inspect snmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:8997b777f1d0e9e3400c0dba1f303046
: end
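Added example, not part of the post above and not the poster's own config: a small Python check of the addressing plan the post describes (each inside /64 carved from the ISP-assigned /48, the advertised RA prefix matching the object referenced by the ACL, the IPv6 default next hop inside the block). The config excerpt inside it is constructed in the shape of the posted one, with the documentation prefix 2001:db8:1::/48 standing in for the redacted 2a0d:XXXX:XXXX::/48; the interface names, subnet ID 0x96 and object name follow the post.

```python
"""Check that an ASA's inside IPv6 prefixes are carved from the ISP-assigned block.

Added example, not the original poster's code. SAMPLE_CONFIG is a constructed
excerpt in the shape of the posted config, with the documentation prefix
2001:db8:1::/48 standing in for the redacted ISP prefix.
"""
import ipaddress

SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif OUTSIDE
 ipv6 address 2001:db8:1::2/48
 ipv6 address autoconfig
 ipv6 enable
 ipv6 nd suppress-ra
!
interface GigabitEthernet0/1
 nameif VLAN1
 ipv6 address autoconfig
 ipv6 enable
 ipv6 nd prefix default 86400 86400
 ipv6 nd prefix 2001:db8:1:96::/64 86400 86400
!
object network VLAN1-subnet
 subnet 10.0.0.0 255.255.255.0
object network VLAN1-ipv6-subnet
 subnet 2001:db8:1:96::/64
ipv6 route OUTSIDE ::/0 2001:db8:1::1
"""


def parse_interfaces(config):
    """Map each nameif to its static IPv6 addresses, autoconfig flag and ND prefixes."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"static": [], "autoconfig": False, "nd_prefix": []}
        elif line == "!" or line.startswith("object network "):
            current = None
        elif current is None:
            continue
        elif line.startswith("nameif "):
            interfaces[line.split()[1]] = current
        elif line == "ipv6 address autoconfig":
            current["autoconfig"] = True
        elif line.startswith("ipv6 address "):
            current["static"].append(ipaddress.IPv6Interface(line.split()[2]))
        elif line.startswith("ipv6 nd prefix ") and line.split()[3] != "default":
            current["nd_prefix"].append(ipaddress.IPv6Network(line.split()[3]))
    return interfaces


def parse_ipv6_objects(config):
    """Map object-network names to their IPv6 subnets (IPv4 objects are skipped)."""
    objects, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            name = line.split()[2]
        elif name and line.startswith("subnet ") and ":" in line:
            objects[name] = ipaddress.IPv6Network(line.split()[1])
    return objects


def parse_default_next_hop(config):
    """Next hop of 'ipv6 route <ifc> ::/0 <nh>', or None if there is no IPv6 default."""
    for raw in config.splitlines():
        parts = raw.split()
        if parts[:2] == ["ipv6", "route"] and len(parts) >= 5 and parts[3] == "::/0":
            return ipaddress.IPv6Address(parts[4])
    return None


def subnet_for_vlan(block, subnet_id):
    """Carve /64 number subnet_id (e.g. 0x96) out of the delegated block."""
    block = ipaddress.IPv6Network(block)
    if block.prefixlen > 64:
        raise ValueError(f"{block} is too small to carve /64s from")
    return ipaddress.IPv6Network((int(block.network_address) + (subnet_id << 64), 64))


def check_plan(config, outside="OUTSIDE"):
    """Return findings about the addressing plan; an empty list means it is consistent."""
    interfaces = parse_interfaces(config)
    outside_intf = interfaces.get(outside)
    if not outside_intf or not outside_intf["static"]:
        return [f"{outside}: no static IPv6 address, cannot determine delegated block"]
    block = outside_intf["static"][0].network   # the ISP-assigned /48 sits on the outside interface
    findings = []
    for name, intf in interfaces.items():
        if name == outside:
            continue
        for prefix in intf["nd_prefix"]:
            if not prefix.subnet_of(block):
                findings.append(f"{name}: advertised {prefix} is not inside delegated {block}")
            if not any(addr.network == prefix for addr in intf["static"]):
                findings.append(f"{name}: no static global address in advertised {prefix}; "
                                "with autoconfig only, the firewall itself gets no global address "
                                "there unless another router on that segment sends RAs")
    for name, net in parse_ipv6_objects(config).items():
        if not net.subnet_of(block):
            findings.append(f"object {name}: {net} is not inside delegated {block}")
    next_hop = parse_default_next_hop(config)
    if next_hop is None:
        findings.append("no IPv6 default route")
    elif not (next_hop.is_link_local or next_hop in block):
        findings.append(f"default next hop {next_hop} is neither link-local nor inside {block}")
    return findings


if __name__ == "__main__":
    print(subnet_for_vlan("2001:db8:1::/48", 0x96))
    for finding in check_plan(SAMPLE_CONFIG):
        print("finding:", finding)
```

Run as-is it prints the derived /64 and one finding for VLAN1: with `ipv6 address autoconfig` only, the firewall has no global address in the /64 it advertises (it still has a link-local address, which is what clients take as their gateway from the RA), so the script reports it rather than deciding whether it matters. It understands only the handful of ASA statement forms the post uses, not the full syntax.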
I need to configure an IPsec VPN between my ASA and the client's XYZ firewall. They have requested that I perform a source NAT for my source network. Could you please guide me on how to configure it?
I am capable of configuring an IPsec VPN using both IKEv1 and IKEv2, but unfortunately I lack the knowledge for NAT.
Hi,
I've got a Cisco Nexus 9k that's affected by the 21260 bug if we check the S/N on https://snvui.cisco.com/snv/FN72150.
The thing is, the field notice (https://www.cisco.com/c/en/us/support/docs/field-notices/721/fn72150.html) says that the affected models are Micron_M500IT with firmware MU01 or MC02, but my switch has SHMST064G3FECTLP51 and FW1159.
I've tried to apply the patch but I get some errors; on another Cisco Nexus 9k I had, I could apply it without any problem (it was a Micron MU01).
So is it affected? What's the "right" thing to check?
I just got a used Cisco 896VAG-LTE and wanted to configure it; for some reason there is an Ubiquiti EdgeOS IOS installed, and I can't find any documentation about this weird third-party IOS. By default it has SSH enabled, which I assume has a random password which could be seen in the EdgeOS web UI, but I don't even know the credentials for that. Has anyone ever heard of that weird third-party IOS, or does anyone know how I can either access it after a factory reset or restore the original one without a console cable via rommon? I don't know if this is the right sub for that.
Hello friends.
Next autumn I am planning to go to college for a 3-year program. Until then I will have a decent amount of time to prepare and study; the plan is to get some CCST certifications and maybe even CCNA.
My study plan looks something like this:
So basically, do you guys think this is a decent plan? It will take some time to finish and convert this into lasting knowledge. Do you have any input?
Quick question.
Do all 2960-X series switches support LACP fast rate, or is it limited to certain models or sub-series?
Due to the increasing number of wired users, I'm going to use the C1000 by connecting it to the existing CBS250 model as a hub.
When the C1000 is connected, neither the CBS250 nor the C1000 is wired.
Previously, when only the CBS250 model was used, it worked normally.
And if I connect the C1000 to the SG220 model as a hub instead of the CBS250, it works normally.
Is it a compatibility problem between models?
Or is it a setup problem?
Good day everyone :)
I missed the 40% off doorbuster after I accidentally slept. Now the promo is 25% off after I woke up. Will there be another huge sale this month of December? I am planning to buy CML.
Hello everyone!
We currently have some Cisco Firepower 2130s w/ FTD deployed that a very small set of users connect to off-site for VPN access. We use Azure AD SAML SSO to authenticate and handle MFA for the VPN connection. Once a user successfully authenticates and passes MFA, they are given pretty unrestricted network access.
Recently, we've gotten more ingrained with Cisco ISE and applying dACLs to on-prem users to restrict access and we're now looking towards restricting the access that VPN users get. I'm hoping that I can have users authenticate with SSO still and then get passed to Cisco ISE to receive policy and ACLs based on whatever criteria or groups that I have available to me.
For example, I have a user in our business office that only needs to access one server. I'd like the process to be where they attempt to connect to the VPN, get the Azure AD auth screen and pass MFA, then get connected to the network but receive a policy from ISE that only allows access to the server that they need access to (among other things like DNS, etc.) Is this possible?
If so, I'm getting stuck on where to start getting this set up. Cisco ISE doesn't currently know about the FTD/FMC and vice versa. I know I would need to get the FTDs and possibly FMC as well put into ISE as network devices. However, when a user connects to AnyConnect, is it the FTD that would ask ISE what policy to apply to the VPN user or the FMC that does that?
Googling gives me bits and pieces of my desired environment but never the full picture. Also, Cisco TAC has been terrible lately when it comes to looking for configuration assistance.
Thank you to anyone who can help point me in the right direction!
Is there anything extra I need to do to prepare for this upcoming class? I do have my CCNA, but honestly it's been some time, and in my environment I more or less focus on switching rather than routing, so how should I best prepare for this class?
We have CBS350 switches at the office. They have strange behaviour. When unplugging an SFP with optical cable from any port and plugging it into another one, it works. When plugging it back into its previous port it does not work; the link is down. I do it in operating mode. Logs are clear, and the administrative mode of the ports is up. After a while, let's say after restarting the switch or after a month, that port starts to work when plugging it back in. What can be the reason? Has anyone had such a situation? Thanks.
On the Network Access Users List screen in ISE, I want to change the password for one account.
When I try to make the change, I see the following statement:
'password change for self is allowed only from admin users page or from admin dialog popup'
Do you know the solution?
I'd like to add wireless VoIP phones to my environment; I was wondering if someone could tell me if the 8821 handhelds would work with FreePBX or not. If not, could you recommend a handheld?
Need assistance with getting my PCs and servers to connect in Packet Tracer. The subnet masks are all matching. Devices and servers can only ping themselves.
Working with a 3850 switch, and I've bugged up the voice VLAN somehow. Data/access is working perfectly, but my 3 VoIP phones (Polycom 650 with CDP) won't register.
All of my ports are configured similarly:
interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
switchport voice vlan 20
trust device cisco-phone
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
!
interface GigabitEthernet1/0/2
switchport access vlan 10
switchport mode access
switchport voice vlan 20
trust device cisco-phone
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
!
***** etc EXCEPT PORT 48 (it's plugged into a non-stacked 3850)
!
interface GigabitEthernet1/0/48
switchport access vlan 10
switchport trunk allowed vlan 1,10,20
switchport mode trunk
switchport voice vlan 20
trust device cisco-phone
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
VLANs are setup:
VLAN Name status Ports
1 default active
10 Data_VLAN active Gi1/0/1, Gi1/0/2, Gi1/0/3, <snip>, Gi1/0/47
20 Voice_VLAN active Gi1/0/1, Gi1/0/2, Gi1/0/3, <snip>, Gi1/0/47
Misc things:
I think I'm missing something obvious, but it's not feeling obvious right now. Any thoughts?
Hey, so I have a Cisco 7940 IP Phone that a work friend gave me from her husband. But when I power it on and plug in the wifi, the Protocol Application Invalid screen always pops up. None of the settings and other buttons work, and when I factory reset it that doesn't work either. Anyone know how to fix this? (I do not have CUCM.)
Hey Ciscoians, I am interested in checking out the CSAP program (specifically ASR) as a soon-to-be bachelor's graduate. Is there any information as to when applications open, or am I just missing where to apply? Any information helps.
My company is moving user access from a typical Core-Distribution-Access model over to SDA. We have one location where the SDA fabric site is running along side the traditional network deployment, and have moved almost everything over to SDA, with some networks being new (user and voice) and others extended into the SDA fabric site by an L2 border but still routed by the legacy distribution router. We're looking to begin our first full migration of a different location in about two weeks.
I noticed that attempts to reach out to the internet from the underlay do not work; I think I had previously attributed this to the firewall simply not permitting the traffic, and didn't dwell on it too much because it didn't seem to cause any negative impact; DNAC, ISE, DNS, and all other internal services were reachable. Earlier this week, I was doing some troubleshooting and found a much more immediate reason the underlay couldn't reach out to the internet--traffic that follows default in the underlay (though not any of the overlays) is looping between border routers.
The problem seems to arise from what I believe is LAN Automation-deployed config. My understanding is that to facilitate adding fabric sites, DNAC deploys a simple IS-IS config in the underlay, which includes a default-information originate. It deploys this on all routers assigned the border node role at a site. If there's only a single border node, this seems like it wouldn't be a problem: all traffic from the site's underlay would see only the default originated from the single border, follow it for any non-local destination and land on the border, which would then follow whatever default it was getting from upstream.
If more than one border node exists at a site and both are advertising default, this seems to cause a loop in the underlay. We're using EIGRP with VRF-lite to extend the underlay throughout our core so our ABNs are reachable. The default route is redistributed from BGP, so in EIGRP it has an AD of 170. IS-IS has an AD of 115, so when both border nodes at a site are originating default into IS-IS, they see each others' default routes as being better than the one they're learning from the network core routers through EIGRP, so traffic matching default just loops. (In one of our fabric sites, the borders are running IS-IS over their direct connection with each other, while in the other they aren't, but the net effect is the same in both cases; where they are direct IS-IS neighbors, they advertise default directly to each other, and where they aren't, they'll still get each others' defaults reflected back at them through any downstream fabric edges they are both peered with.)
There are two solutions I can think of for this:
- Alter the AD of IS-IS to be higher than that of EIGRP external. I played with this today, and while that fixed the issue for the default route, it rendered the fabric site's underlay (apart from the borders themselves) unreachable because the same problem would happen in reverse; both borders redistribute the underlay IS-IS-learned prefixes into EIGRP so the fabric site is reachable, and if both borders are preferring EIGRP over IS-IS, then they'll each prefer the routes redistributed into EIGRP from IS-IS over the ones they're learning directly from IS-IS. I think this solution can still work, but I would need to modify the northbound EIGRP config, maybe adding an aggregate-address statement so only a summary of the fabric site's underlay space is advertised into EIGRP and not the more specifics, so when traffic to something in the underlay (e.g. a fabric edge) lands on a border node, it will forward traffic based on the more specific IS-IS prefix learned from downstream instead of the summary route it's learning through EIGRP upstream from the other border node.
- Add config on the borders' IS-IS to prevent them from installing a default route learned from IS-IS, either through a route-map applied to each interface that denies default (and permits anything else) or maybe a distribute-list in config on the router isis process.
Is this something anyone else has encountered? Do either of the two solutions above seem like they would work, or is there a better way?
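Added example, not the poster's configuration: a Python model of the administrative-distance selection the post reasons about. Topology, prefixes and next hops are constructed (borders B1 and B2, fabric edge E1, an upstream CORE, a fabric-edge loopback 10.1.1.1/32), and the two knobs correspond to the post's two candidate fixes: raising the IS-IS distance above EIGRP external, and a distribute-list on the borders that rejects the IS-IS-learned default.

```python
"""Administrative-distance route selection on two SDA border nodes, modelled.

Added example, not the poster's configuration. Topology, prefixes and next hops
are constructed: borders B1 and B2 learn the default from CORE via EIGRP external
(AD 170) and from each other via IS-IS (AD 115), and each border redistributes
the IS-IS-learned edge loopback into EIGRP, so the other border also sees it as
EIGRP external.
"""
from dataclasses import dataclass, field

DEFAULT_AD = {"connected": 0, "isis": 115, "eigrp-ext": 170}
DEFAULT = "0.0.0.0/0"
EDGE_LOOPBACK = "10.1.1.1/32"   # constructed fabric-edge underlay address


@dataclass
class Router:
    name: str
    candidates: list                               # (prefix, protocol, next_hop) offered to the RIB
    distance: dict = field(default_factory=lambda: dict(DEFAULT_AD))
    deny_in: set = field(default_factory=set)      # (protocol, prefix) rejected by a distribute-list in

    def best(self, prefix):
        """Lowest-AD unfiltered candidate for prefix, or None if nothing is installed."""
        eligible = [r for r in self.candidates
                    if r[0] == prefix and (r[1], r[0]) not in self.deny_in]
        return min(eligible, key=lambda r: self.distance[r[1]], default=None)


def trace(routers, start, prefix, max_hops=8):
    """Follow each hop's best route; stop at a node outside the model or on a revisit."""
    path, here = [start], start
    while here in routers:
        route = routers[here].best(prefix)
        if route is None:
            return path, "blackhole"
        here = route[2]
        if here in path or len(path) >= max_hops:
            return path + [here], "loop"
        path.append(here)
    return path, "exit"


def build(isis_distance=115, filter_isis_default=False):
    """Borders B1/B2, edge E1, upstream CORE; the two knobs are the post's candidate fixes."""
    dist = dict(DEFAULT_AD, isis=isis_distance)
    deny = {("isis", DEFAULT)} if filter_isis_default else set()

    def border_routes(peer):
        return [
            (DEFAULT, "eigrp-ext", "CORE"),        # default redistributed from BGP into EIGRP upstream
            (DEFAULT, "isis", peer),               # default-information originate on the peer border
            (EDGE_LOOPBACK, "isis", "E1"),         # learned directly from the fabric edge
            (EDGE_LOOPBACK, "eigrp-ext", peer),    # peer border's IS-IS -> EIGRP redistribution
        ]

    routers = [
        Router("B1", border_routes("B2"), dist, deny),
        Router("B2", border_routes("B1"), dist, deny),
        Router("E1", [(DEFAULT, "isis", "B1"), (EDGE_LOOPBACK, "connected", "LOCAL")]),
        Router("CORE", [(DEFAULT, "connected", "INTERNET"), (EDGE_LOOPBACK, "eigrp-ext", "B1")]),
    ]
    return {r.name: r for r in routers}


def scenario(isis_distance=115, filter_isis_default=False):
    """Trace the two flows the post cares about under the chosen knobs."""
    routers = build(isis_distance, filter_isis_default)
    return {"edge-to-internet": trace(routers, "E1", DEFAULT),
            "core-to-edge": trace(routers, "CORE", EDGE_LOOPBACK)}


if __name__ == "__main__":
    for label, kwargs in [("stock distances", {}),
                          ("IS-IS default filtered on borders", {"filter_isis_default": True}),
                          ("IS-IS distance raised to 180", {"isis_distance": 180})]:
        print(label)
        for flow, (path, status) in scenario(**kwargs).items():
            print(f"  {flow}: {' -> '.join(path)} [{status}]")
```

With stock distances the default-bound trace from E1 bounces B1 -> B2 -> B1; rejecting the IS-IS default on the borders sends it B1 -> CORE; raising the IS-IS distance above 170 fixes the default but makes the edge-bound trace from CORE loop between the borders, which is the reverse problem the post describes. The summary-route variant of the first fix (where longest-prefix match rather than AD would pick the IS-IS route) is not modelled.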
This question comes from never having seen a CVE for a Meraki product. I assume customers don't get this level of information unless it's like a 10/10 CVSS score?
I keep my patching up to date and don’t seem to get caught out with any security findings from any third party pen tests etc.
Has anyone ever dealt with slow-to-login Windows 11 issues when using a Domain Guest Account on a Cisco ISE SDA network utilizing machine 802.1X authentication? We have seen that using our AD DG account can take around 10 minutes for Windows to load completely.
I have an issue I can’t resolve. I’ve set up a VM (VMware Workstation Pro) in NAT mode with the VM assigned IP 10.10.0.102 and gateway 10.10.0.1. The host’s IP is 192.168.100.174, and I’ve also configured port forwarding (host port 22 forwarded to VM port 22 on host IP 192.168.100.174). Additionally, I’m using WireGuard to establish a VPN connection (host-to-LAN) between the host and my home network. My home LAN is 192.168.200.0/24.
At this point, I’m able to SSH from the VM to devices in my home LAN (e.g., a Cisco router at 192.168.200.50). However, the reverse does not work. If I try to SSH into the VM from the 192.168.200.0/24 network, I’m unable to connect. Moreover, I can’t even ping the VM or the physical host on the 192.168.100.0/24 network (host IP: 192.168.100.174).
Why is this happening? How can I fix it?
I’m looking for a technical explanation and possible solutions to this issue.
I have been using the C2960 switches since 2015. I hope Cisco would bring this model back instead of the dreaded C9200, which costs five times as much.
Is there a chance that we can get a discount for the CCNA certification exam during the Black Friday sale?