Tuesday, May 24, 2005

Q: I bought 34 switches with Smartnet. How do I get the Smartnet tied to my CCO ID?

A:
Here's the way it worked on my recent Cisco switch purchase. I bought 8x5xNBD Smartnet on all 34 of the switches in the order. There were three different types of switches. It was then up to the vendor to notify Cisco. I had to remind them to do this for me. At the same time, and separately, I opened a case with Cisco customer support informing them of the situation, giving them the vendor name and order number, and asking them to help me get the contract info tied to my CCO account. This enabled Cisco to contact me once they had received the info from the vendor and created my entitlement. I then had to reply by email to the Cisco person working the case and give them my CCO ID and the IDs of all others at my company so that we could all access CCO based on the contract entitlement. Cisco promised to add the contract to all our IDs once I did that.

Q: How do I restrict a switchport or VLAN to a list of valid MAC addresses?

A:
It looks like there are multiple methods and a lot of limitations. There's "port-security". This looks easiest to configure. However, the switchport cannot be a trunk port or a member of an EtherChannel, so it can't be used at the core or distribution switch; it has to be applied on every access switch. There's another way: you create an extended MAC access-list containing the source/destination MAC address pairs you want to allow. Then there are two options: apply that access-list to all of the switch interfaces, or apply it to a VLAN. The MAC access-list itself would look something like this:
(c)#mac access-list extended myfriends
(c-e-m)#permit host 1234.5678.90AB any
(c-e-m)#permit host AB12.3456.7890 any
(c-e-m)#deny any any
(c-e-m)#end
Note the deny any any. On testing I found that this type of access-list does not include an implicit deny. To apply it to an interface (you would have to apply it to every interface on the switch to be fully protected), do the following:
(c)#int ran f1/0/1 - 48 , f2/0/1 - 48
(c-i)#mac access-group myfriends in
Or, you create a vlan access-map with action forward for matches to that access list. Then you use the vlan filter command to apply that access-map to a VLAN or list of VLANs.
(c)#vlan access-map wksta 10
(c-a-m)#match mac address myfriends
(c-a-m)#action forward
(c-a-m)#end

(c)#vlan filter wksta vlan-list 20-23,51
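As an added example (not code from the original post), here is a small Python helper that normalises MAC addresses from the usual colon, dash or dotted notations into Cisco's hhhh.hhhh.hhhh form and emits the MAC access-list, access-map and vlan filter lines described above, always closing the list with an explicit deny any any since the access-list has no implicit deny. The allow-list, ACL name and VLAN list are constructed sample values.

```python
import re

# Constructed sample allow-list in the mixed notations people actually paste
# (colon, dash and Cisco dotted); not taken from the original post.
ALLOWED = ["12:34:56:78:90:ab", "AB-12-34-56-78-90", "1234.5678.90ab"]

HEX12 = re.compile(r"^[0-9a-f]{12}$")

def cisco_mac(mac):
    """Normalise any common MAC notation to Cisco's hhhh.hhhh.hhhh form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not HEX12.match(digits):
        raise ValueError("not a 48-bit MAC: %r" % mac)
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def mac_acl(name, macs):
    """Extended MAC ACL permitting each host as a source, de-duplicated and
    closed with an explicit 'deny any any' because there is no implicit deny."""
    lines = ["mac access-list extended %s" % name]
    seen = set()
    for mac in macs:
        m = cisco_mac(mac)
        if m in seen:
            continue
        seen.add(m)
        lines.append(" permit host %s any" % m)
    lines.append(" deny any any")
    return lines

def vlan_filter(map_name, acl_name, vlans):
    """VLAN access-map that forwards only frames matching the ACL, plus the
    vlan filter line that binds it to the given VLAN list."""
    return [
        "vlan access-map %s 10" % map_name,
        " match mac address %s" % acl_name,
        " action forward",
        "vlan filter %s vlan-list %s" % (map_name, vlans),
    ]

if __name__ == "__main__":
    config = mac_acl("myfriends", ALLOWED) + vlan_filter("wksta", "myfriends", "20-23,51")
    print("\n".join(config))
```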
Here's another possibility: VMPS. One guy says: There is a tool I use called VMPS that is in with the IOS of every Cisco switch. VMPS means VLAN Membership Policy Server. This is a text file that lives on my Linux box that one of my primary VMPS switches queries at the time I configured on it. Then, all my other switches ask the primary switch for the same info (a lot faster since they have a gig link to my primary and the VMPS file lives in RAM). Now, in that file, I can group which switches belong to a group or which MAC addresses belong to a group (i.e., accounting) and say that ports 1-18 are only accessible for accounting. After some research, I have concluded that VMPS is a CatOS-only feature, so it doesn't apply to my situation.

Q: How do I set the lifetime for CAM table entries on switches?

A:
Working on it...

Monday, May 09, 2005

Q: How do I reverse telnet out my aux port?

A:
If you connect one router's aux port to another device's console port, you can telnet to the router, then use reverse telnet to connect to the other device's console via your aux port. Here's how to set it up.
  1. Connect your router's aux port to another device's console port using a Cisco flat crossover cable.
  2. TELNET to your router, enable, and set the aux port up as follows:
    # conf t
    (config)# line aux 0
    (config-line)# modem InOut
    (config-line)# transport preferred all
    (config-line)# transport input all
    (config-line)# transport output all
    ^z
    
  3. Make sure you have an address on your lo0 interface, and the interface is up.
  4. Back in enable mode, find out the line number of your AUX port with #show line. It will look something like this:
       Tty Typ     Tx/Rx    A Modem
         0 CTY              -    - 
    *   97 AUX   9600/9600  - inout
    *   98 VTY              -    - 
        99 VTY              -    - 
       100 VTY              -    - 
       101 VTY              -    - 
       102 VTY              -    - 
    
    On this router it is line 97. It's different from router to router but I've never seen it change.
  5. Now all you need to do is add 2000 to the line number, and telnet to your lo0 address, port 2097.
  6. I like to set up two aliases to save time:
    (c)# alias exec auxup telnet 127.0.0.11 2097
    (c)# alias exec auxdown clear line 97
    

With the setup above, you just connect the router's aux port to the target device. Then from the command line on the router, type auxup. This gives you a console connection to the target device. To end the connection, hit [<shift><ctrl>6] x, then type auxdown.

Update: it looks like the disconnect command (entered after the [<shift><ctrl>6] x) might be the proper way to end the telnet session.
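As an added example, not from the original post: a Python snippet that parses show line output in the layout shown above, finds the AUX line number and derives the 2000+N reverse-telnet port plus the two aliases. The show line excerpt is constructed sample output and the router address is a placeholder, not values from this router.

```python
import re

# Constructed 'show line' excerpt in the layout the post shows (not the
# post's own output); the leading '*' marks a line that is currently in use.
SHOW_LINE = """\
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise  Overruns
     0 CTY              -    -      -    -    -     0      0    0/0
*   97 AUX   9600/9600  - inout    -    -    -     3      0    0/0
*   98 VTY              -    -      -    -    -    12      0    0/0
    99 VTY              -    -      -    -    -     0      0    0/0
"""

ROW = re.compile(r"^(?P<busy>\*)?\s*(?P<tty>\d+)\s+(?P<typ>[A-Z]+)")
REVERSE_TELNET_BASE = 2000   # raw TCP access to line N listens on port 2000+N

def parse_show_line(text):
    """Return {tty_number: (line_type, in_use)} for every line row."""
    lines = {}
    for row in text.splitlines():
        m = ROW.match(row)          # the header row has no leading number
        if m:
            lines[int(m.group("tty"))] = (m.group("typ"), m.group("busy") == "*")
    return lines

def reverse_telnet_port(text, line_type="AUX"):
    """Port to telnet to for the first line of the given type (2000 + tty)."""
    for tty, (typ, _) in sorted(parse_show_line(text).items()):
        if typ == line_type:
            return REVERSE_TELNET_BASE + tty
    raise LookupError("no %s line in show line output" % line_type)

def aliases(text, router_ip):
    """The two exec aliases from the post, built from the parsed AUX line."""
    port = reverse_telnet_port(text)
    return ["alias exec auxup telnet %s %d" % (router_ip, port),
            "alias exec auxdown clear line %d" % (port - REVERSE_TELNET_BASE)]

if __name__ == "__main__":
    # placeholder router address; substitute the lo0 address of your router
    print("\n".join(aliases(SHOW_LINE, "192.0.2.1")))
```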