I recently stacked 3750x-48pf-s running ip base with 3750v2-24. I originally attempted to use 12.2(55) but the stack failed to initialize, almost like the stack ports on the 3750x were err-disabling.

After some hair pulling I downgraded to 12.2(53) ( lowest version supported by both) and it did a full EEPROM rewrite on the 3750x. The stacking worked properly after that.

That is exactly my problem!

I’m currently installing 12.2(53) and it’s running a lengthy microcode update. I mean lengthy. This better work!

Update: Downgrading all of the switches to 12.2(53) worked although the new 3750x decided to be master and wiped out my config. Good thing we had a backup.

My focus was on the switching section so this review really only addresses that part. I’ve been taking Cisco tests for a while so the process was familiar to me. I also had a good foundation in switching technologies. The book does a good job of breaking down the separate areas that the test focuses on. You couldn’t use this book to study for the CCNP if you’re coming right from the CCNA. It’s strictly a refresher level of knowledge. What I found was that there were several parts of the test that were more obscure but were referenced in the book. It wasn’t verbatim of course, but it was familiar enough to help me pass.

Another thing I found relevant is that the distilled information in this book is good for reminding me of the little things that can be done to tweak a network. I think most of us are content to worry about HSRP priorities and STP roots. We don’t so much focus on the other loop prevention tools that Cisco’s made available. Thanks to the short and direct content in this book, you can quickly get a sense for the other technologies at your disposal.

And I passed. Highly recommended!

On the Cisco switch:
interface Port-channel98
no ip address
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet8/5
no ip address
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 98 mode on

etc...


On the Extreme switch:
enable sharing 1:1 grouping 1:1,1:2,1:3,1:4 algorithm port-based
configure vlan "out_of_band" ipaddress 172.16.0.254 255.255.254.0
configure vlan "out_of_band" add port 7:1 untagged
configure vlan "out_of_band" add port 1:1 tagged

out_of_band was used for testing. I put a PC on port 7:1 on the Extreme switch to make sure I could get to a PC on the Cisco switch.

Turns out I did full documentation on the test process and actually kept the doc! I was amazed! My notes suggest the only delay was when re-connecting ports that are part of the group they would not start forwarding for about 3 seconds. Otherwise it worked great!

failover exec standby copy /noconfirm tftp://{ip address}/{file name} disk0:/{file name}

Without the /noconfirm it’ll fail. You also need a standby ip address on the interface facing the tftp server and I haven’t confirmed this but I think it might also need to be on the same subnet. I’m still having some trouble with a situation where the standby ASA would have to reach another subnet.

Keep in mind this will all change when iPhone OS4 comes out as it’s supposed to support SSL VPN’s. Finally. The IPSEC works perfectly fine for now though. I’ve not tested this on my iPad yet since I haven’t had it out of the house…and it’s not a 3G model. Don’t see why it wouldn’t work though.

And now the code:

aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization network sdm_vpn_group_ml_2 local

ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any

The license does work as advertised. It’s a replacement for the IPSEC based client that Cisco seems to have stopped development on. I’ve been using it in numerous situations and it works great!

I just have a funny situation though where my client was exploring alternatives to Cisco. We got pricing for a couple of competitors including Sonicwall and Juniper and let me tell you…whoo-boy! I guess the others haven’t felt compelled to follow Cisco’s lead and they are still charging ridiculous sums for the SSL VPN clients. Of course there were howls of protest about how their clients did so much more and that if you wanted the same level of functionality you had to pay for Cisco’s full SSL VPN solution. All true, but who cares????

I want a simple client based SSL VPN to replace the IPSEC clients of old. I don’t need all the fancy clientless stuff. I suspect that’s true for a lot of customers. Cisco’s pricing strategy for the AnyConnect Essentials is smart not just because they don’t want to continue to develop the IPSEC client but because it drives business away from their competitors.

Cisco, your choice in focus these days mostly pisses me off but this is a real winner. A small bright spot in an otherwise dreary path you’ve taken. Now, if you could find a way to ship ASA’s before the summer I’d be happy.

Oddly enough, IOS wouldn’t allow the bad line to simply be deleted. The “;” had to be removed so that the no command included “at&ampt”

Probably some sort of a regex problem or an ascii escape character but it’s still kind of strange.

I’ve known for a long time that Cisco ASA’s don’t support sending ICMP redirects. Because of this the IPS’s default gateway couldn’t be set to the FW interface. If I did that they would never be redirected to reach the internal networks. I’ve never had a problem with IOS doing ICMP redirects though, so the IPS’s have been using the switch VLAN interface as the default gateway. The switch sends ICMP redirects when the IPS needs to get out to the internet and the traffic goes direct to the firewall.

Except it doesn’t. I could swear it did at one time in the past. Either my memory is faulty or an image update on the IPS broke it. Now, it seems the IPS tosses ICMP redirects. My guess is it worries about man in the middle attacks and and ICMP redirect is a possible sign of that. So even though the switch is doing the correct thing the IPS disregards it.

Moved the IPS management interface to one of the internal LAN’s and all is happy now.

I’m such a geek. The one cool new feature is that they have finally put in a USB console port. Actually mini USB. I’m not sure of the wisdom of using that over the already present regular USB ports, but that’s ok. I can’t find anything about how that’s going to work. I expect you’ll have to install a driver for USB to COM on windows just like you do with the USB to Serial dongles but this should be Cisco provided.

How cool would it be if there’s a hidden driver for that in Windows 7 already.

Now all we need is a wireless USB KVM and you could manage a whole data center of routers without running more cables. Better have some good security on that!