Catalyst Switched Port Analyzer (SPAN)

Cisco | Thursday May 6 2010 8:38 am | Comments (0)

I’m pretty sure everyone who works on networking stuff has had to trace packets, monitor a port on a switch and things like that.
If you need to see what’s going through a specific port on a Cisco switch, the solution is port spanning (SPAN).
It allows you to reproduce the traffic of a port onto another one!

I could have done a post describing some basic configuration of a SPAN session, but quite often Cisco has a good page on their site explaining in detail what it is and how to configure it.

So here is the link to a Cisco article about SPAN.
Switched Port Analyzer

And here is the PDF

Enabling SSH on a Cisco device

Cisco | Wednesday May 5 2010 6:12 pm | Comments (0)

As I’m working on a project related to our new network infrastructure, I’ll post some of the stuff I’m doing here, so the next few posts will likely all be related to Cisco, security, VPN and other things like that.

Here I’ll just quickly show how to configure SSH on a Cisco PIX. If you need to configure a switch or a router, you first have to make sure that your IOS supports it; the config will then be slightly different.

pix(config)#hostname pix
pix(config)#domain-name mydomain.co.uk
pix(config)#passwd securePassword
pix(config)#ca gen rsa key 2048
pix(config)#ssh 10.20.128.128 255.255.255.255 inside
pix(config)#ssh timeout 60
pix(config)#ca save all

The first 3 lines are not specific to an SSH configuration; you probably already have that configured, as it’s usually one of the first things you change!

The ca gen command generates the RSA key pair. You can choose something smaller than 2048, but that is the standard now (and also the maximum on a PIX).

The line after that is a specific access list that says only 10.20.128.128 can establish an SSH connection from the inside interface. Should you want your PIX accessible from everywhere (which is a bit silly but good for testing), here is what you need:

pix(config)#ssh 0.0.0.0 0.0.0.0 outside

Just to clarify one little thing: if you arrive from a site-to-site VPN connection, you’ll hit the inside interface… so if your remote network is, say, 10.21.0.0 255.255.255.0 and you want to SSH to your PIX from there, you should have something like this:

pix(config)#ssh 10.21.0.0 255.255.255.0 inside
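The ssh lines above together form the PIX’s SSH access list: a source address is checked against the entries for the interface it arrives on. As an added example (not from the original post and not Cisco code), here is a small Python auditor that parses such lines, answers "can this source reach SSH on this interface?", and flags the any-source entry; the sample lines are constructed from the post.

```python
import ipaddress

# Constructed sample: the 'ssh <ip> <mask> <interface>' lines used in the post,
# plus the 'ssh timeout' line, which is not an access entry and must be ignored.
PIX_SSH_CONFIG = """\
ssh 10.20.128.128 255.255.255.255 inside
ssh 10.21.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
"""

def parse_ssh_rules(config_text):
    """Return [(network, interface)] from 'ssh A.B.C.D M.M.M.M iface' lines."""
    rules = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "ssh":
            # ip_network accepts a dotted netmask; strict=False tolerates host bits
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            rules.append((net, parts[3]))
    return rules

def ssh_allowed(rules, src_ip, interface):
    """True if a client at src_ip arriving on the named interface matches any rule."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net and iface == interface for net, iface in rules)

def any_source_rules(rules):
    """Rules that admit every address (mask 0.0.0.0): fine for a test, not for production."""
    return [(str(net), iface) for net, iface in rules if net.prefixlen == 0]

if __name__ == "__main__":
    rules = parse_ssh_rules(PIX_SSH_CONFIG)
    for ip, iface in [("10.20.128.128", "inside"), ("10.21.0.55", "inside"), ("10.21.0.55", "dmz")]:
        print(ip, iface, ssh_allowed(rules, ip, iface))
    print("any-source rules:", any_source_rules(rules))
```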

As this is an SSH connection, you need to provide a login and a password. The default login is “pix”, so from a Linux client you would do:

ssh pix@ip_addr_pix

If you want to add more users, proceed as follows:

! add a local user, then authenticate SSH sessions against the local database
pix(config)#username name password *x!7&@a4
!
pix(config)#aaa authentication ssh console LOCAL

Of course you can also authenticate your SSH session against a TACACS+ or RADIUS server, but aaa authentication is not covered here.

Upgrade the software image of a Cisco ASA firewall

Cisco | Tuesday May 4 2010 3:09 pm | Comments (0)

This is a very quick post to explain how to update your ASA firewall. Nothing big, as it’s very easy, but since I had to put the info together to document it for my colleagues, I thought I could post it here too.

1. Copy the file to an FTP server (CI33024)
2. Log on to the firewall
3. Issue the following commands:
en
copy ftp://[ipaddress]/[filename] disk0:[filename]

You’ll have to confirm the parameters, and then you should see something like this:
Accessing tftp://172.16.31.1/asa722-k8.bin...!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asa722-k8.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
8312832 bytes copied in 163.350 secs (50998 bytes/sec)

4. Check that the file has been copied correctly

show disk0:

You should see something similar to this:
-#- --length-- -----date/time------ path
6 5124096 Jan 01 2003 00:06:22 asa702-k8.bin
7 5623108 Feb 12 2010 00:23:48 asdm-631.bin
10 5539756 Feb 12 2007 00:14:18 asdm-521.bin
11 8294400 Dec 07 2006 05:47:20 asa721-24-k8.bin
12 6002680 Dec 21 2006 03:58:30 asdm-52034.bin
13 8312832 Feb 12 2010 22:46:30 asa831-k8.bin

23949312 bytes available (38932480 bytes used)

5. Go to configuration mode (conf t) and type the following command:
boot system disk0:/asa831-k8.bin

This replaces the path of the image the firewall boots from.
If you update the ASDM image, the command is slightly different:

asdm image disk0:/asdm-631.bin

6. Save the config:
write memory

7. Reload the firewall so it boots the new image:
reload
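Step 4 is the one worth automating before the reload: the byte count reported by copy should match the length show disk0: reports for the new image, and the boot system path should name a file that is actually on flash. Here is an added Python check (not part of the original post, not Cisco tooling) that runs over constructed sample output modelled on the listings above.

```python
import re

# Constructed sample output, modelled on the post's 'copy' result and 'show disk0:' listing.
COPY_OUTPUT = "8312832 bytes copied in 163.350 secs (50998 bytes/sec)"
SHOW_DISK0 = """\
-#- --length-- -----date/time------ path
  6    5124096 Jan 01 2003 00:06:22 asa702-k8.bin
  7    5623108 Feb 12 2010 00:23:48 asdm-631.bin
 13    8312832 Feb 12 2010 22:46:30 asa831-k8.bin

23949312 bytes available (38932480 bytes used)
"""

# index, length, 'Mon DD YYYY HH:MM:SS', filename
LISTING_RE = re.compile(r"^\s*\d+\s+(\d+)\s+\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}\s+(\S+)$")

def parse_show_disk(text):
    """Map filename -> length in bytes from a 'show disk0:' listing; header/footer lines are skipped."""
    files = {}
    for line in text.splitlines():
        m = LISTING_RE.match(line)
        if m:
            files[m.group(2)] = int(m.group(1))
    return files

def bytes_copied(copy_output):
    """Byte count from the 'N bytes copied in ...' summary line, or None if absent."""
    m = re.search(r"(\d+) bytes copied", copy_output)
    return int(m.group(1)) if m else None

def check_boot_image(boot_cmd, show_disk_text, copy_output):
    """Validate 'boot system disk0:/<file>' against the listing and the copy result.
    Returns a list of problems; an empty list means the image is present and complete."""
    m = re.fullmatch(r"boot system disk0:/(\S+)", boot_cmd.strip())
    if not m:
        return ["boot command not in the form 'boot system disk0:/<file>'"]
    fname = m.group(1)
    files = parse_show_disk(show_disk_text)
    if fname not in files:
        return [f"{fname} is not on disk0:"]
    copied = bytes_copied(copy_output)
    if copied != files[fname]:
        return [f"{fname}: {files[fname]} bytes on disk, {copied} bytes copied"]
    return []

if __name__ == "__main__":
    print(check_boot_image("boot system disk0:/asa831-k8.bin", SHOW_DISK0, COPY_OUTPUT))
```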

Cisco IOS – Maximum allowed interfaces reached???

Cisco | Monday April 19 2010 6:42 pm | Comments (9)

Last week I came across a very strange error. I needed to create a new VLAN on our core switch: no problem creating a layer 2 VLAN, but impossible to create a layer 3 one…

Here is the error that popped up:

********(config)#in vlan 299
%Cannot create a VLAN interface
Maximum allowed interfaces reached
^
% Invalid input detected at '^' marker.

We don’t have thousands and thousands of VLANs, so it was obviously something else. Is there a much smaller limit on layer 3 VLANs than on layer 2? Yes, but the smaller Cisco devices can support 4000 interfaces (including VLANs and other virtual interfaces), and our switch has a limit of 12000…

Googling this error won’t give you much information, and I have to say that the error easily points you in the wrong direction. It is only when you have a look at the logs that you see something a bit more interesting:

entry number 215 : INTERFACE_API-1-NOMORESWIDB
No more SWIDB can be allocated, maximum allowed 12000

Here is some theory to get a better understanding of what an IDB is:

SWIDB stands for “Software Interface Descriptor Block”. There are two types of IDB, SW (software) and HW (hardware). Cisco’s website describes an IDB as follows:

An Interface Descriptor Block (IDB) is a special control structure internal to the Cisco IOS software that contains information such as the IP address, interface state, and packet statistics. Cisco IOS software maintains one IDB for each interface present on a platform and one IDB for each subinterface.

A HWIDB represents a physical interface, which includes physical ports and channelized interface definitions. A SWIDB represents a logical sub-interface (Permanent Virtual Circuit (PVC) or virtual LAN (VLAN)), or a Layer 2 encapsulation (Point-to-Point Protocol (PPP), High-Level Data Link Control (HDLC), and so forth).

Each physical interface on the router consumes a minimum of two IDBs:

  • One HWIDB for the physical port
  • One SWIDB for the Layer 2 encapsulation

A channelized port consumes N+1 HWIDBs, where N is the number of channels within the physical port, plus a minimum of N SWIDBs (Level 2 encapsulation per channel). Any sub-interfaces that you define each add another SWIDB.

Each tunnel interface definition, such as Universal Transport Interface (UTI), Generic Routing Encapsulation (GRE), Multiprotocol Label Switching Traffic Engineering (MPLS TE), or Any Transport over MPLS (AToM) consumes an HWIDB plus one SWIDB per tunnel, plus an additional SWIDB for each additional sub-interface, for example, a Frame Relay PVC, that is tunneled. The tunnel IDBs are in addition to the original interface(s) that are tunneled.

You can have a look at the IDBs in use with the command:

sh idb
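To see how SWIDBs add up under the rules Cisco quotes above, here is an added Python calculator (not from the post or from Cisco) that applies them to a constructed inventory and reports headroom against the 12000 limit, plus a small parser for the NOMORESWIDB log entry shown earlier; counting each layer 3 VLAN interface as one SWIDB is my assumption based on that description.

```python
import re
from dataclasses import dataclass, field

@dataclass
class IdbInventory:
    """Constructed inventory of interface kinds; each field follows the IDB rules quoted in the post."""
    physical_ports: int = 0           # one HWIDB + one SWIDB each
    subinterfaces: int = 0            # one extra SWIDB each
    channelized_ports: list = field(default_factory=list)  # one entry per port: its channel count N
    tunnels: int = 0                  # GRE, MPLS TE, ...: one HWIDB + one SWIDB each
    tunneled_subinterfaces: int = 0   # one extra SWIDB each
    vlan_interfaces: int = 0          # layer 3 'interface vlan' SVIs: one SWIDB each (assumption)

def idb_usage(inv):
    """Return (hwidb, swidb) consumed by the inventory."""
    hw = inv.physical_ports + inv.tunnels
    sw = (inv.physical_ports + inv.subinterfaces + inv.tunnels
          + inv.tunneled_subinterfaces + inv.vlan_interfaces)
    for n in inv.channelized_ports:   # N+1 HWIDBs and N SWIDBs per channelized port
        hw += n + 1
        sw += n
    return hw, sw

def swidb_headroom(inv, max_swidb=12000):
    """SWIDBs still allocatable before INTERFACE_API-1-NOMORESWIDB fires (12000 on the post's switch)."""
    return max_swidb - idb_usage(inv)[1]

# The entry header and its message may sit on two lines, so match across newlines.
NOMORESWIDB_RE = re.compile(r"INTERFACE_API-1-NOMORESWIDB.*?maximum allowed (\d+)", re.S)

def nomoreswidb_limits(log_text):
    """Extract the 'maximum allowed' value from each NOMORESWIDB log entry."""
    return [int(m) for m in NOMORESWIDB_RE.findall(log_text)]

# Constructed log excerpt in the shape shown in the post.
SAMPLE_LOG = """entry number 215 : INTERFACE_API-1-NOMORESWIDB
No more SWIDB can be allocated, maximum allowed 12000
"""

if __name__ == "__main__":
    inv = IdbInventory(physical_ports=336, channelized_ports=[24, 24], tunnels=10,
                       tunneled_subinterfaces=4, vlan_interfaces=200)
    print(idb_usage(inv), swidb_headroom(inv), nomoreswidb_limits(SAMPLE_LOG))
```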

So my problem is that I actually reached 12000 interfaces? Impossible! Unfortunately it is!

When I saw the output of that command, I immediately understood what had happened…

A couple of weeks before, we had installed a new blade chassis. But an error in the configuration created some kind of loop and, as a consequence, new interfaces kept registering themselves on the core switch until the IDB limit was reached. Something you don’t realize until you need to configure a new interface…

What is the fix then?

Unfortunately, there is no easy fix, or I should say there is only one, very quick, fix: reloading the IOS… just crazy on a prod switch, even more so knowing it’s the core switch… but unfortunately, even a fail-over of the modules does not resolve this issue (according to Cisco)!

This issue just amazes me, because you can clear all sorts of things on Cisco IOS, but not a table of IDBs… I suppose it doesn’t get full every day, but still, I don’t understand why there is no other way to clean this table.