ASA 5505 mac address allocation issue - cisco

I have an ASA 5505 in transparent mode with a Security Plus licence.
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 25 perpetual
AnyConnect Essentials : 25 perpetual
Other VPN Peers : 25 perpetual
Total VPN Peers : 25 perpetual
Shared License : Enabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Enabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
Whilst attempting to edit a VLAN with the command: int vlan 7
I receive back: ERROR: % Cannot allocate MAC address to interface
Is this related to the error message in ASDM when clicking "add new interface", where I receive the message "You cannot have more than 3 vlans in your system"? And if so, why do I get this message?
ASA Version 9.1(6)8
!
firewall transparent
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
shutdown
!
interface Ethernet0/3
switchport access vlan 4
shutdown
!
interface Ethernet0/4
switchport access vlan 5
shutdown
!
interface Ethernet0/5
switchport access vlan 6
shutdown
!
interface Ethernet0/6
switchport access vlan 7
!
interface Ethernet0/7
switchport access vlan 8
!
interface Vlan1
description Management Pc Connection
nameif inside
bridge-group 1
security-level 100
!
interface Vlan2
description Dead End - No Connection
nameif outside
bridge-group 1
security-level 0
!
interface Vlan8
description Management Pc Connection
nameif ManPc-HpILO
bridge-group 4
security-level 100
!
interface BVI1
description ASA Management Bridge Group
ip address
!
interface BVI3
description Vmware Bridge Group
ip address
!
interface BVI4
description HP ILO 4 Bridge Group
ip address
!
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500
mtu ManPc-HpILO 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e02cea00fefdea428cbbd8994f237335
: end

I was not aware that transparent mode does not quite share the licence allowance.
According to Cisco,
Security Plus License + Transparent Mode
3 active VLANs
(2 active VLANs in 1 bridge group, plus 1 active VLAN for failover)


How to set up a RaspberryPi & Nftables for masquerading between two interfaces?

I'm trying to set up a RaspberryPi running Nftables as a "router". It's running on RaspberryPi OS 64 bits with kernel 5.15.32-v8+ and Nftables v0.9.8 (E.D.S.). I would like it to allow traffic between the LAN it's connected to through its WiFi interface and an Android phone sharing its cellular data connection through USB.
The RPi is connected to a LAN through its WiFi interface. There is a DHCP server running on that LAN. It serves clients class C private addresses like 192.168.80.X/24. The RaspberryPi gets served as below. The network configuration allows for a range of IP addresses to be assigned manually, should that be needed.
- RaspberryPi : interface wlan0
- IP address : 192.168.80.157
- Subnet : 255.255.255.0
- Gateway : 192.168.80.2
- DNS : 192.168.200.1 (firewall living on another VLAN) / 8.8.8.8
An Android phone is connected to the RaspberryPi through a USB cable and acts as a USB modem, sharing its cellular data. It assigns the RPi a class C private address like 192.168.X.Y/24. It changes each time I plug the Android phone in / reboot, and I can't tune the range of addresses served by the phone.
- RaspberryPi : interface usb0 (Android phone)
- IP address : 192.168.42.48 (at the moment)
- Subnet : 255.255.255.0
- Gateway : 192.168.42.105
- DNS : 192.168.42.105 (same as gateway)
I have enabled IP forwarding in sysctl.conf:
net.ipv4.ip_forward=1
Nftables is configured as follows (example from here):
table ip nat_antoine {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        ip protocol icmp counter meta nftrace set 1
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "usb0" masquerade
    }
}
I ran the following tests. I disabled nftables and SSH'd into the RPi through the wlan0 interface. If I configure the firewall at 192.168.200.1 to allow internet access to the RPi (and disconnect the Android phone "usb0"), it works: the RPi can ping / curl / ssh into the "outside" world.
Then I revoked the internet access through wlan0 and plugged the Android phone "usb0" in. Same: I can ping / curl / ssh into the "outside" world. I have made sure that the traffic is going through usb0 and not wlan0.
Issues arise when I enable nftables and try to access the internet via the RPi from another client. I took another Android phone, connected it to the 192.168.80.0/24 LAN and manually configured the gateway address to be the RPi's wlan0 interface address (DNS from Quad9). The best I can get is pinging the wlan0 interface on the RPi.
"nft monitor" output when pinging 192.168.80.157 from an Android client (client gets an answer):
trace id 98bebc6f ip nat_antoine prerouting packet: iif "wlan0" ether saddr d0:1b:49:f1:01:29 ether daddr dc:a6:32:65:a2:f4 ip saddr 192.168.80.20 ip daddr 192.168.80.157 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 40158 ip length 84 icmp code net-unreachable icmp id 30 icmp sequence 1 #th,64,96 820786881435526521749372928
trace id 98bebc6f ip nat_antoine prerouting rule ip protocol icmp counter packets 1 bytes 84 meta nftrace set 1 (verdict continue)
trace id 98bebc6f ip nat_antoine prerouting verdict continue
trace id 98bebc6f ip nat_antoine prerouting policy accept
"nft monitor" output when pinging 192.168.42.48 from the same Android client (client gets no answer) :
trace id c59a6b89 ip nat_antoine prerouting packet: iif "wlan0" ether saddr d0:1b:49:f1:01:29 ether daddr dc:a6:32:65:a2:f4 ip saddr 192.168.80.20 ip daddr 192.168.42.48 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 29620 ip length 84 icmp code net-unreachable icmp id 31 icmp sequence 1 #th,64,96 56218603639456293821148039936
trace id c59a6b89 ip nat_antoine prerouting rule ip protocol icmp counter packets 1 bytes 84 meta nftrace set 1 (verdict continue)
trace id c59a6b89 ip nat_antoine prerouting verdict continue
trace id c59a6b89 ip nat_antoine prerouting policy accept
Can someone please help me / point me in the right direction for fixing this?
Thank you very much.

Scapy traffic generator for DPDK L3FWD application

I am new to DPDK and trying to run the L3FWD app, using Scapy to send traffic to it.
I have two hosts. Host A (Ubuntu 4.15.0-154-generic) runs Scapy to send the traffic. Host B (Ubuntu 5.11.0-25-generic) runs DPDK (21.08.0); Host B has the vfio-pci module loaded and two NICs (Ethernet Controller XXV710) bound to it.
I have hugepages set up as below:
mkdir -p /dev/hugepages
mountpoint -q /dev/hugepages || mount -t hugetlbfs nodev /dev/hugepages
echo 1024 > /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages
echo 1024 > /sys/devices/system/node/node1/hugepages/hugepages-2048kB/nr_hugepages
I verified the connectivity between Hosts using Scapy on Host A and tcpdump on Host B. (Traffic is coming in from Host A to B)
I built DPDK and its example apps. I am trying to run L3FWD with these arguments on Host B:
./dpdk-l3fwd -l 1,2 -n 4 -- -p 0x3 --config="(0,0,1),(1,0,2)"
I tried many ways of sending traffic from Host A to B using Scapy, like below, and am still not able to see the output of L3FWD on Host B.
way 1)
sendp(Ether()/IP(src="1X.1X.2x.1x"), iface="enp25s0f0", count=1000)
Using the sendp command, I didn't see traffic on Host B with L3FWD running. Please note that for the src IP address I have replaced the numeric values with x here.
way 2)
send(IP(src="1x.1x.2x.1x"), iface="enp25s0f0", count=1000)
Using the send command, I didn't see traffic on Host B with L3FWD running.
way 3)
x = Ether(src='xc:xd:xe:a9:x9:x0', dst='xC:xx:xx:Ax:Bx:x1')
sendp(x, iface='enp25s0f0', count=10000)
This also didn't work.
Please note I have replaced the actual MAC and IP addresses above with a few 'x' characters.
Output of L3FWD is as below
./build/examples/dpdk-l3fwd -l 1,2 -n 4 -- -p 0x3 --config="(0,0,1),(1,0,2)"
EAL: Detected 56 lcore(s)
EAL: Detected 2 NUMA nodes
EAL: Detected static linkage of DPDK
EAL: Multi-process socket /var/run/dpdk/rte/mp_socket
EAL: Selected IOVA mode 'PA'
**EAL: No available 1048576 kB hugepages reported**
EAL: VFIO support initialized
EAL: Using IOMMU type 8 (No-IOMMU)
EAL: Probe PCI driver: net_i40e (8086:158b) device: 0000:18:00.0 (socket 0)
EAL: Probe PCI driver: net_i40e (8086:158b) device: 0000:18:00.1 (socket 0)
**TELEMETRY: No legacy callbacks, legacy socket not created**
Neither LPM, EM, or FIB selected, defaulting to LPM
Initializing port 0 ... Creating queues: nb_rxq=1 nb_txq=2... Port 0 modified RSS hash function based on hardware support,requested:0xa38c configured:0x2288
Address:xx:xx:xx:xx:xx:xx, Destination:02:00:00:00:00:00, Allocated mbuf pool on socket 0
LPM: Adding route 198.18.0.0 / 24 (0)
LPM: Adding route 198.18.1.0 / 24 (1)
LPM: Adding route 2001:200:: / 64 (0)
LPM: Adding route 2001:200:0:1:: / 64 (1)
txq=1,0,0 txq=2,1,0
Initializing port 1 ... Creating queues: nb_rxq=1 nb_txq=2... Port 1 modified RSS hash function based on hardware support,requested:0xa38c configured:0x2288
Address:xx:xx:xx:xx:xx:xx, Destination:02:00:00:00:00:01, txq=1,0,0 txq=2,1,0
Initializing rx queues on lcore 1 ... rxq=0,0,0
Initializing rx queues on lcore 2 ... rxq=1,0,0
Checking link status........done
Port 0 Link up at 25 Gbps FDX Autoneg
Port 1 Link up at 25 Gbps FDX Autoneg
L3FWD: entering main loop on lcore 1
L3FWD: -- lcoreid=1 portid=0 rxqueueid=0
L3FWD: entering main loop on lcore 2
L3FWD: -- lcoreid=2 portid=1 rxqueueid=0
The L3FWD output does not progress past this point.
Can any of you please help me find out where I am going wrong, or how to send traffic from Host A to the L3FWD app running on Host B?
Thanks for your responses.
[EDIT] The solution mentioned in the answer has been tried and tested on both host and virtual machines, and it works.
There are a couple of ways to check if L3fwd is actually receiving and sending the traffic that matches a rule. One can check the statistics:
- using the DPDK secondary application dpdk-procinfo for the DPDK ports
- checking the statistics at the Host-B PF port via ethtool
- checking the stats at the sender (Scapy) on Host-A
For your specific use case there are 2 factors to match:
- Since the DPDK ports on Host-B are created via VFs over a single PF interface, you would at least have to send packets with the VF-1 MAC address to allow the packet to be received.
- For packets to be sent out from VF-2, the MAC address of the packet has to be modified to allow it to be forwarded out from the Host-B PF to Host-A.
Note: If you had 2 separate PF NICs on Host-B, one would need to configure the ports on Host-A in promiscuous mode to receive packets with any MAC address.
Solution:
- Program Scapy to send an ETH-IP packet with the MAC address of VF-1 (assuming MAC-VLAN is not enabled on the PF) and a destination IP address from an LPM table entry, such as 198.18.X.X (where X stands for a wildcard byte value).
- Check with the DPDK secondary application for Port-0 (VF-1) and Port-1 (VF-2) to confirm packets are indeed received and transmitted out.
- Check the Host-B statistics of the PF using cat /proc/net/dev to see if packets are received, transmitted or dropped.
Note: the sample program can easily be edited with print and rte_pktmbuf_dump too.
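As an added example (not code from the question, the answer or DPDK itself), the following pure-Python script checks a frame against the two conditions the answer sets out: the destination MAC must be one of the DPDK ports' own MACs, and the destination IP must hit one of the LPM routes l3fwd printed at startup (198.18.0.0/24 to port 0, 198.18.1.0/24 to port 1). It builds the same Ether/IP frame Scapy would, without Scapy installed; the port MACs are constructed placeholders, since the real ones are masked on the page.

```python
import ipaddress
import struct

# Routes exactly as dpdk-l3fwd printed them at startup (LPM mode):
# "LPM: Adding route 198.18.0.0 / 24 (0)" and "... 198.18.1.0 / 24 (1)".
LPM_ROUTES = [("198.18.0.0/24", 0), ("198.18.1.0/24", 1)]

# Constructed, hypothetical port MACs standing in for the masked
# "Address:xx:xx:xx:xx:xx:xx" lines; the real values are not on the page.
PORT_MACS = {"02:00:00:00:00:10": 0, "02:00:00:00:00:11": 1}


def lpm_lookup(dst_ip, routes=LPM_ROUTES):
    """Longest-prefix match: return the egress port, or None if l3fwd would drop it."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, port in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, port)
    return None if best is None else best[1]


def ipv4_checksum(header):
    """RFC 791 one's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac):
    return bytes(int(b, 16) for b in mac.split(":"))


def build_frame(dst_mac, src_mac, src_ip, dst_ip, payload=b""):
    """Ethernet II + IPv4 frame, the wire form of Scapy's Ether(dst=..)/IP(dst=..)."""
    total_len = 20 + len(payload)
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto 253 (experimental), cksum, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 253, 0,
                      ipaddress.ip_address(src_ip).packed,
                      ipaddress.ip_address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + hdr + payload


def classify_frame(frame, port_macs=PORT_MACS):
    """Apply the answer's conditions: own-MAC on ingress, LPM route for egress."""
    dst_mac = ":".join(f"{b:02x}" for b in frame[:6])
    if dst_mac not in port_macs:
        return "dropped: dst MAC does not belong to any DPDK port"
    if frame[12:14] != b"\x08\x00":
        return "dropped: not IPv4"
    ip_hdr = frame[14:34]
    if ipv4_checksum(ip_hdr) != 0:  # a valid header checksums to zero
        return "dropped: bad IPv4 checksum"
    dst_ip = str(ipaddress.ip_address(ip_hdr[16:20]))
    out_port = lpm_lookup(dst_ip)
    if out_port is None:
        return f"dropped: no LPM route for {dst_ip}"
    return f"rx port {port_macs[dst_mac]} -> tx port {out_port} ({dst_ip})"
```

Feeding the returned bytes to a raw socket (or to Scapy's sendp) sends exactly the frame the answer asks for; changing the destination IP to an address outside 198.18.0.0/23 shows why the earlier attempts produced no output.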

Port with VLAN not working on Cisco switch [closed]

I'm having issues with a Cisco SG550X-24 switch.
The switch is showing 100U as an administrative VLAN but not an operational VLAN. I'm unsure why this is, and plugging into this port doesn't work. The switch functions normally and other ports work fine.
Screenshot of the config page attached (image: cisco vlan config).
Ports 1 and 19 are configured exactly the same; port 19 works fine with 100U but port 1 doesn't.
Any ideas? Is there a setting I'm missing that disables the port or VLAN?
Thanks
config-file-header
CB-BR-Radon233
v2.5.5.47 / RTESLA2.5.5_930_364_286
CLI v1.0
file SSD indicator encrypted
#
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
!
unit-type-control-start
unit-type unit 1 network gi uplink te
unit-type unit 2 network gi uplink te
unit-type unit 3 network gi uplink te
unit-type unit 4 network gi uplink te
unit-type unit 5 network gi uplink te
unit-type unit 6 network gi uplink te
unit-type unit 7 network gi uplink te
unit-type unit 8 network gi uplink te
unit-type-control-end
!
port jumbo-frame
vlan database
vlan 2,69,100,201
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
link-flap prevention disable
no boot host auto-config
no boot host auto-update
bonjour interface range vlan 1
hostname IMS-CB-BR-Radon233
no passwords complexity enable
username root password encrypted 777f99c04f34de13899c397960ac60d7548cfeb4 privilege 15
username cisco password encrypted ffd1c8e37222f7a9f61aec3e1179e951695fdeba privilege 15
ip ssh server
snmp-server location CB-BR-Radon233
snmp-server contact
clock timezone J 0 minutes 0
!
interface vlan 1
ip address 192.168.1.233 255.255.255.0
no ip address dhcp
!
interface vlan 2
name Phone
!
interface vlan 69
name Dirty
!
interface vlan 100
name Admin
ip address 192.168.100.233 255.255.255.0
!
interface vlan 201
name Mocap
!
interface GigabitEthernet1/0/1
no switchport
switchport access vlan 100
switchport trunk native vlan 100
!
interface GigabitEthernet1/0/3
storm-control broadcast level 10
storm-control multicast level 10
port security max 10
port security mode max-addresses
port security discard trap 60
spanning-tree portfast
spanning-tree bpduguard enable
switchport mode trunk
switchport trunk allowed vlan 1
macro description ip_phone_desktop
!next command is internal.
macro auto smartport dynamic_type ip_phone_desktop
!
interface GigabitEthernet1/0/4
storm-control broadcast level 10
storm-control multicast level 10
port security max 10
port security mode max-addresses
port security discard trap 60
spanning-tree portfast
spanning-tree bpduguard enable
switchport mode trunk
switchport access vlan 2
switchport trunk allowed vlan 1
macro description ip_phone_desktop
!next command is internal.
macro auto smartport dynamic_type ip_phone_desktop
!
interface GigabitEthernet1/0/7
storm-control broadcast level 10
storm-control multicast level 10
port security max 10
port security mode max-addresses
port security discard trap 60
spanning-tree portfast
spanning-tree bpduguard enable
switchport mode trunk
switchport trunk allowed vlan 1
macro description ip_phone_desktop
!next command is internal.
macro auto smartport dynamic_type ip_phone_desktop
!
interface GigabitEthernet1/0/11
storm-control broadcast level 10
storm-control multicast level 10
port security max 10
port security mode max-addresses
port security discard trap 60
spanning-tree portfast
spanning-tree bpduguard enable
switchport mode trunk
switchport access vlan 2
switchport trunk allowed vlan 1
macro description ip_phone_desktop
!next command is internal.
macro auto smartport dynamic_type ip_phone_desktop
!
interface GigabitEthernet1/0/12
channel-group 1 mode auto
!
interface GigabitEthernet1/0/13
switchport mode trunk
switchport access vlan 100
switchport trunk allowed vlan none
!
interface GigabitEthernet1/0/19
switchport access vlan 100
switchport trunk native vlan 100
!
interface GigabitEthernet1/0/24
channel-group 1 mode auto
!
interface TenGigabitEthernet1/0/1
channel-group 2 mode auto
!
interface TenGigabitEthernet1/0/2
channel-group 2 mode auto
!
interface TenGigabitEthernet1/0/3
spanning-tree link-type point-to-point
switchport mode trunk
switchport trunk allowed vlan 1-2,69,100,201
macro description switch
!next command is internal.
macro auto smartport dynamic_type switch
!
interface Port-Channel1
description EthTrunk
spanning-tree link-type point-to-point
switchport mode trunk
switchport general allowed vlan add 2,69,100,201 tagged
switchport general allowed vlan add 1 untagged
macro description switch
!next command is internal.
macro auto smartport dynamic_type switch
!
interface Port-Channel2
description X1Trunk
switchport mode trunk
!
exit
Assuming you're using the same device and the same Ethernet cable when connecting to port 1 and port 19, correct?
Would you mind SSHing into the switch and collecting a "show run" for ports 1 and 19?
...ok, with the config provided:
This is weird: port 1 is configured as a routed port but the VLAN settings are still there.
My first try would be:
(in the SSH shell)
conf t
interface GigabitEthernet1/0/1
switchport
end
That should fix the VLAN membership.
A good practice for end-user-facing interfaces would be to add:
conf t
interface GigabitEthernet1/0/1
spanning-tree portfast
spanning-tree bpduguard enable
end
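As an added example (not code from the question or the answer), a small config audit that finds the mismatch the answer points out on GigabitEthernet1/0/1 ("no switchport" alongside VLAN settings) and, going beyond the answer, two related mode mismatches that the same running-config shows on GigabitEthernet1/0/13. The sample config is a constructed excerpt modelled on the config in the question.

```python
# Constructed excerpt modelled on the running-config in the question; the
# interface names and VLAN numbers come from the page, nothing else does.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 no switchport
 switchport access vlan 100
 switchport trunk native vlan 100
!
interface GigabitEthernet1/0/13
 switchport mode trunk
 switchport access vlan 100
 switchport trunk allowed vlan none
!
interface GigabitEthernet1/0/19
 switchport access vlan 100
 switchport trunk native vlan 100
!
"""


def parse_interfaces(config):
    """Return {interface name: [commands]} from an IOS-style running-config."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            stanzas[current] = []
        elif line == "!" or not line:
            current = None                      # '!' closes the stanza
        elif current is not None and not line.startswith("!"):
            stanzas[current].append(line)       # skips '!next command is internal.'
    return stanzas


def audit_port(commands):
    """Return human-readable findings for one interface stanza."""
    findings = []
    cmds = set(commands)
    has_l2 = any(c.startswith("switchport ") for c in commands)
    is_trunk = "switchport mode trunk" in cmds
    has_access_vlan = any(c.startswith("switchport access vlan") for c in commands)
    # The case the answer found on port 1: a routed port still carrying VLAN lines.
    if "no switchport" in cmds and has_l2:
        findings.append("routed port ('no switchport'): switchport settings are "
                        "inactive; re-enable Layer 2 with 'switchport'")
    # Generalisations beyond the answer, seen on port 13 in the same config.
    if is_trunk and "switchport trunk allowed vlan none" in cmds:
        findings.append("trunk permits no tagged VLANs: only the native VLAN passes")
    if is_trunk and has_access_vlan:
        findings.append("access VLAN configured on a trunk port: not used in trunk mode")
    return findings


def audit_config(config):
    """Map each interface that has findings to its list of findings."""
    results = {}
    for name, cmds in parse_interfaces(config).items():
        findings = audit_port(cmds)
        if findings:
            results[name] = findings
    return results
```

Running audit_config over the full "show run" output flags port 1 and port 13 and leaves the working port 19 clean.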

SMA390 RPC port not responding for public facing IP

I have been working on Cisco's SMA390, and the RPC port of the device is not responsive when connected to a core switch.
1. The core switch is for the public-facing IP / CIMC IP of the device.
2. The IPs are configured using the ipmitool command.
3. The port responds when I try to configure it over a private network (laptop-to-device connection).
I have tried the ping command after checking that the IPs are configured, and it fails while the gateway responds.
ipmitool lan print 1
ipmitool lan set 1 ipsrc static
ipmitool lan set 1 ipaddr 10.10.1.5
ipmitool lan set 1 netmask 255.255.255.0
ipmitool lan set 1 defgw ipaddr 10.10.1.1
ipmitool lan set 1 access on
ipmitool raw 0x36 0x52 0x0f
I want ping and SSH to be enabled.
I figured out after some more troubleshooting that Cisco x90 devices by default work on a 100G bandwidth connection. The default provided on x95 devices is a 1000G bandwidth connection. Hence the RPC port didn't respond.
If you face this issue, try:
1. using a 100G connection, or
2. changing the default connection acceptance bandwidth of your device (i.e. x90 here).

Configuring Ports on a Cisco Switch

I am very new to Cisco networking (I haven't done any course either). I have been trying to learn a bit of networking myself and had no trouble doing some of the basic stuff which I needed for my personal work. But I am planning to buy a new Cisco switch (a gigabit switch) and configure it for 2 different networks (one being the internet and the other being a separate network for a specific job). I want to configure the ports in such a way that the first few slots are for normal internet and the rest for my other network. For example, if it's a Cisco 2950 48-port switch, ports 1-16 for my local internet network and ports 17-32 for my other network. Can somebody give me a rundown on how to achieve this? Sorry for such a long but basic question, I am just trying to save a few $$ and learn something new. Any help would be appreciated. Cheers
You can just create the 2 different VLANs and give access ports on ports 1-16 to the 1st VLAN, and give the remaining ports as access ports to the second VLAN. That way you can configure 2 different networks on a single switch.
VLANs separate the network traffic from each other. For example:
interface range gi 0/1 - 16
 description Local Internet Network
 switchport access vlan 444
 switchport mode access
interface range gi 0/17 - 32
 description Other Network
 switchport access vlan 555
 switchport mode access
Of course, it depends on what you plug into the ports, which determines what type of switchport each is going to be.
Switch#configure terminal
Switch(config)#vlan 10
Switch(config-vlan)#name Local_Internet_Network
Switch(config-vlan)#exit
Switch(config)#vlan 20
Switch(config-vlan)#name my_other_network
Switch(config-vlan)#exit
Switch(config)#interface range gigabitEthernet 0/1-16
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 10
Switch(config-if-range)#exit
Switch(config)#interface range gigabitEthernet 0/17-32
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 20
Switch(config-if-range)#exit
Switch(config)#exit
Switch#write memory
and check the trunk.
The 2950 switch was an L2-only switch last time I checked, so it will not be able to route between the VLANs. You may want to consider a small firewall in order to provide the layer 3 element (routing) and block any internet traffic from hitting your LAN. You can then also utilise a switch with this topology.
The respective switch VLANs for Internet and LAN would be connected to the relevant Internet /LAN firewall ports and your servers would be connected to the LAN. The switch management port should also be on the trusted LAN network or a dedicated management VLAN.
