
Sunday, June 22, 2014

Cisco FWSM radius authentication



Cisco FWSM configuration for radius authentication:

aaa-server RADIUS-GRP protocol radius
aaa-server RADIUS-GRP (<INTERFACE_NAME>) host <IP_ADDRESS>
 timeout 2
 key <RADIUS_PSK>
 authentication-port 1812
 accounting-port 1813
!
aaa authentication ssh console RADIUS-GRP LOCAL
aaa authentication telnet console RADIUS-GRP LOCAL
aaa accounting ssh console RADIUS-GRP
aaa accounting telnet console RADIUS-GRP
aaa accounting command RADIUS-GRP
aaa accounting enable console RADIUS-GRP

Set <INTERFACE_NAME> to the interface through which the FWSM reaches the RADIUS server.

Set <IP_ADDRESS> to the RADIUS server's IP address.

Set <RADIUS_PSK> to the pre-shared key configured on both the RADIUS server and the FWSM. The trailing LOCAL in the authentication lines is a fallback to the local user database; it is used only when no server in RADIUS-GRP is reachable, not when a login is rejected.
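To make concrete what the shared secret in that configuration actually protects, here is an added example (not from the post and not Cisco's code) that implements the two RFC 2865 operations that depend on it: hiding the User-Password attribute in an Access-Request and computing/verifying the Response Authenticator on the server's reply. The secret and authenticator values are constructed for illustration.

```python
import hashlib
import hmac
import os

# Added example (not from the blog post): the two places where the RADIUS
# shared secret ("key <RADIUS_PSK>" above) is used, per RFC 2865.
# Secret and authenticator values below are constructed for illustration.


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: obscure a User-Password attribute value.

    The password is NUL-padded to a multiple of 16 bytes; each block is XORed
    with MD5(secret + previous ciphertext block), seeded with the 16-byte
    Request Authenticator. Without the secret the attribute is unreadable.
    """
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = b""
    prev = request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block          # chaining: the next keystream depends on this block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    padded = b""
    prev = request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        padded += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return padded.rstrip(b"\x00")


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attrs)          # 20-byte header plus attributes
    header = bytes([code, ident]) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, ident: int, attrs: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Assemble a server reply (e.g. code 2 = Access-Accept) with a valid authenticator."""
    length = 20 + len(attrs)
    header = bytes([code, ident]) + length.to_bytes(2, "big")
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the client (here the FWSM) must do before trusting an Access-Accept:
    recompute the Response Authenticator with the shared secret and compare it in
    constant time. A reply produced without the secret fails this check."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    code, ident, attrs = packet[0], packet[1], packet[20:]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    secret = b"constructed-secret"        # stands in for <RADIUS_PSK>
    req_auth = os.urandom(16)              # the client picks a fresh random value per request
    hidden = hide_password(b"hunter2", secret, req_auth)
    print("hidden User-Password:", hidden.hex())
    print("server recovers:", reveal_password(hidden, secret, req_auth))
    reply = build_response(2, 0x2A, b"", req_auth, secret)
    print("Access-Accept verifies:", verify_response(reply, req_auth, secret))
    print("reply checked with wrong secret verifies:", verify_response(reply, req_auth, b"guess"))
```

Two practical consequences follow from the code: the password hiding is MD5-based XOR with no integrity, so the secret should be long and random rather than a word, and the only thing stopping a spoofed Access-Accept is the Response Authenticator check, which is why RADIUS traffic between the FWSM and the server belongs on a trusted management segment.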

Sunday, June 15, 2014

Meraki cloud AP basic configuration


Finally I received my free Meraki AP (MR18) after participating in a one-hour webinar (https://meraki.cisco.com/webinars), and now it's time to do the initial configuration and connect it to my network.
If you have a firewall on the network, you need to open the M-Tunnel ports so the AP can reach the cloud (follow this post: http://www.madari.co.il/2014/06/cisco-zbfw-policy-for-meraki-m-tunnel.html).
 
Then connect the AP to the switch port and set the port configuration to trunk mode:

interface FastEthernet1
 description MERAKI_MR18
 switchport mode trunk
 no ip address
 load-interval 30

Now configure the AP IP address (static or dynamic): 


And configure the SSIDs. I have two SSIDs, one for my LAN and one for guests, which need to be tied to VLANs 1 and 10 respectively. My LAN segment is 192.168.10.0/24.

The SSID configuration for the LAN:

 
Note that no VLAN tagging is done on this SSID, as this is the network over which the AP itself connects to the Meraki cloud.

And the SSID for the guests:

 
Note that both SSIDs bridge traffic into their assigned VLAN.

 

 

Cisco ZBFW policy for Meraki M-Tunnel

This is the ZBFW policy I configured to let a Meraki MR18 access point connect to the Meraki cloud (using a protocol called M-Tunnel):


ip access-list standard ACL_MERAKI_MR18
 permit <AP_IP_ADDRESS>
!
ip access-list extended ACL_M-TUNNEL_PROTO
 permit udp any any eq 7351
 permit tcp any any eq 7734
 permit tcp any any eq 7752
 permit udp any any eq 9350
 permit udp any any range 32768 61000
!
class-map type inspect match-any CM_M-TUNNEL
 match protocol http
 match protocol https
 match protocol ntp
 match protocol dns
 match access-group name ACL_M-TUNNEL_PROTO
!
class-map type inspect match-all CM_MERAKI_MR18
 match access-group name ACL_MERAKI_MR18
 match class-map CM_M-TUNNEL
!
policy-map type inspect PM_INSIDE_TO_OUTSIDE
 class type inspect CM_MERAKI_MR18
  inspect
<OUTPUT OMITTED>
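The part of that policy that is easy to get wrong is the nesting: the outer class-map is match-all (source ACL AND the nested class), while the nested one is match-any (any inspected protocol OR any port entry). The following added example (not the post's own config and not a Cisco tool) encodes the ACLs and class-maps above as plain functions so you can check which flows the AP class admits. The AP address and the default action for flows that fall outside this class are assumptions, marked in the code.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not the post's config or a Cisco tool): an evaluator for the
# ZBFW objects above. AP_IP_ADDRESS and the default "drop" are assumptions.

AP_IP_ADDRESS = "192.168.10.50"   # assumption standing in for <AP_IP_ADDRESS>

# ACL_M-TUNNEL_PROTO entries as (protocol, low port, high port), in order.
ACL_M_TUNNEL_PROTO = [
    ("udp", 7351, 7351),
    ("tcp", 7734, 7734),
    ("tcp", 7752, 7752),
    ("udp", 9350, 9350),
    ("udp", 32768, 61000),
]

# The "match protocol" lines of the match-any class: what inspection classifies the flow as.
INSPECT_PROTOCOLS = {"http", "https", "ntp", "dns"}


@dataclass(frozen=True)
class Flow:
    src: str
    proto: str                  # "tcp" or "udp"
    dport: int
    app: Optional[str] = None   # application as classified by inspection, if any


def acl_meraki_mr18(flow: Flow) -> bool:
    """Standard ACL: only the source address is examined."""
    return flow.src == AP_IP_ADDRESS


def acl_m_tunnel_proto(flow: Flow) -> bool:
    """Extended ACL with 'any any': first matching protocol/port entry wins, implicit deny."""
    for proto, low, high in ACL_M_TUNNEL_PROTO:
        if flow.proto == proto and low <= flow.dport <= high:
            return True
    return False


def cm_m_tunnel(flow: Flow) -> bool:
    """match-any: the flow qualifies if ANY listed criterion matches."""
    return flow.app in INSPECT_PROTOCOLS or acl_m_tunnel_proto(flow)


def cm_meraki_mr18(flow: Flow) -> bool:
    """match-all: the source ACL AND the nested match-any class must both match."""
    return acl_meraki_mr18(flow) and cm_m_tunnel(flow)


def pm_inside_to_outside(flow: Flow) -> str:
    """Policy decision for the one class shown in the post. The post omits the
    rest of the policy-map; here anything else is assumed to fall to
    class-default, which a ZBFW policy drops unless configured otherwise."""
    if cm_meraki_mr18(flow):
        return "inspect"
    return "drop"


if __name__ == "__main__":
    samples = [
        Flow(AP_IP_ADDRESS, "udp", 7351),
        Flow(AP_IP_ADDRESS, "udp", 40000),
        Flow(AP_IP_ADDRESS, "tcp", 443, app="https"),
        Flow("192.168.10.77", "udp", 7351),   # another host, same port
        Flow(AP_IP_ADDRESS, "tcp", 40000),    # the AP, but TCP on a high port
    ]
    for f in samples:
        print(f, "->", pm_inside_to_outside(f))
```

The last two sample flows show the value of the match-all wrapper: the M-Tunnel ports are only opened for the AP's own address, and a high UDP port is admitted while the same port over TCP is not.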

 

Cisco HSRP state monitor using PRTG

This post describes how to monitor the HSRP state using PRTG Network Monitor.

Add an SNMP Custom sensor (see this post for screenshots: http://www.madari.co.il/2014/04/prtg-monitors-pps-on-cisco-routers.html) with the following SNMP OID:

1.3.6.1.4.1.9.9.106.1.2.1.1.15.1.1

The sensor retrieves an integer value that represents the state of the HSRP group.


And the result:


As we can see, the router returns the value “6”, which means it is in the active state; a value of “5” would indicate the standby state.


Here is the SNMP object information taken from the Cisco SNMP Object Navigator:

Object:       cHsrpGrpStandbyState
OID:          1.3.6.1.4.1.9.9.106.1.2.1.1.15
Type:         HsrpState
                1: initial
                2: learn
                3: listen
                4: speak
                5: standby
                6: active
Permission:   read-only
Status:       current
MIB:          CISCO-HSRP-MIB
Description:  The current HSRP state of this group on this interface.
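The OID used in the sensor is the table object above plus an instance index of ifIndex and HSRP group number (so ...15.1.1 is group 1 on ifIndex 1). The following added example (not from the post and not PRTG's code) builds and parses such instance OIDs, maps the polled integer to the state names from the MIB, derives an Up/Warning/Down sensor status from an expected state, and flags failovers across a sequence of polls; the poll sequence is constructed, not captured from a router.

```python
from typing import Dict, List, Tuple

# Added example (not from the post or PRTG): helpers around cHsrpGrpStandbyState.
# The poll sequence under __main__ is constructed, not captured from a router.

CHSRP_GRP_STANDBY_STATE = "1.3.6.1.4.1.9.9.106.1.2.1.1.15"

# HsrpState values from CISCO-HSRP-MIB
HSRP_STATE: Dict[int, str] = {
    1: "initial", 2: "learn", 3: "listen", 4: "speak", 5: "standby", 6: "active",
}


def state_oid(if_index: int, group: int) -> str:
    """Instance OID for one group: table object + ifIndex + HSRP group number."""
    return f"{CHSRP_GRP_STANDBY_STATE}.{if_index}.{group}"


def parse_state_oid(oid: str) -> Tuple[int, int]:
    """Recover (ifIndex, group) from an instance OID; rejects anything else."""
    prefix = CHSRP_GRP_STANDBY_STATE + "."
    if not oid.startswith(prefix):
        raise ValueError(f"not a cHsrpGrpStandbyState instance: {oid}")
    parts = oid[len(prefix):].split(".")
    if len(parts) != 2:
        raise ValueError(f"expected <ifIndex>.<group> suffix: {oid}")
    return int(parts[0]), int(parts[1])


def decode_state(value: int) -> str:
    return HSRP_STATE.get(value, f"unknown({value})")


def sensor_status(value: int, expected: int) -> Tuple[str, str]:
    """Status the way a PRTG sensor would report it (design choice of this
    example): Up when the group is in the expected state, Warning while it is
    negotiating (learn/listen/speak), Down for any other state."""
    name = decode_state(value)
    if value == expected:
        return "Up", f"HSRP group is {name}"
    if value in (2, 3, 4):
        return "Warning", f"HSRP group negotiating ({name})"
    return "Down", f"HSRP group is {name}, expected {decode_state(expected)}"


def failover_events(polls: List[Tuple[str, int]]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, from_state, to_state) for each change between consecutive polls."""
    events: List[Tuple[str, str, str]] = []
    prev = None
    for ts, value in polls:
        if prev is not None and value != prev:
            events.append((ts, decode_state(prev), decode_state(value)))
        prev = value
    return events


if __name__ == "__main__":
    oid = state_oid(1, 1)
    print(oid, "->", parse_state_oid(oid))
    # constructed poll history: the router loses and later regains the active role
    polls = [("10:00", 6), ("10:05", 6), ("10:10", 5), ("10:15", 5), ("10:20", 6)]
    for ts, v in polls:
        print(ts, decode_state(v), sensor_status(v, expected=6))
    print("failovers:", failover_events(polls))
```

Monitoring the expected state on both routers (active on one, standby on the other) rather than just "is it 6" is what catches the case where both believe they are active, which is the symptom of a broken HSRP hello path.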






Wednesday, June 11, 2014

Switch NVRAM no space



Today I encountered a very strange error while trying to save the switch configuration:

Switch#wr
Building configuration...

% Warning: Saving this config to nvram may corrupt any network management or security files stored at the end of nvram.
Continue? [no]:
% Configuration buffer full, can't add command: ntp clock-period 36028830
%Aborting Save. Compress the config.[OK]


This error indicates that there is not enough free space in NVRAM to save the running configuration as the startup configuration. As you may recall, the nonvolatile random-access memory (NVRAM) is an EEPROM chip that holds the startup configuration file and retains its contents when the router is powered down or restarted.

To view the contents of the NVRAM, just type:

Switch#dir nvram:
Directory of nvram:/

   36  -rw-       20748                    <no date>  startup-config
   37  ----        6592                    <no date>  private-config
    1  -rw-         657                    <no date>  IL-SW-UC-2H-#3801.cer

65536 bytes total (37120 bytes free)



As you can see there are only 37 KB free in NVRAM, and my configuration weighs a little bit more:

Switch#sh running-config
Building configuration...

Current configuration : 38563 bytes
!
! Last configuration change at 14:27:26 gmt Sun Jun 8 2014 by xxx
! NVRAM config last updated at 14:28:46 gmt Sun Jun 8 2014 by xxx
!
version 12.2
service nagle
no service pad
service tcp-keepalives-in
<OUTPUT OMITTED>

There is an option to use service compress-config, which compresses the startup configuration, but it is only supported on higher-end switches (such as the 45xx and 65xx).
On my 2960 switch it gives the following output:

Switch(config)#service compress-config
Boot ROMs do not support NVRAM compression.
Disabling service compress-config.

Switch(config)#


So in order to solve this issue I had to remove some configuration lines from the running configuration; after that I was able to save the running-config to the startup-config:

Switch#wr
Building configuration...
[OK]
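Deciding which lines to remove is easier with a per-section byte count of the running config, since NVRAM stores it as plain text and every byte counts. The following added example (not from the post and not an IOS feature) splits an IOS configuration into top-level blocks (a non-indented line starts a block, indented lines belong to it), sums the bytes of each block, lists the largest ones, and computes how much must go before the config fits; the sample configuration is constructed, and the 38563/37120 figures are the ones from the post.

```python
from typing import Dict, List, Tuple

# Added example (not from the post, not an IOS feature): per-section byte
# accounting for an IOS running-config. SAMPLE_CONFIG is constructed.

SAMPLE_CONFIG = "\n".join([
    "version 12.2",
    "service nagle",
    "!",
    "interface FastEthernet0/1",
    " description UPLINK",
    " switchport mode trunk",
    "!",
    "ip access-list extended ACL_TEST",
    " permit tcp any any eq 443",
    " permit udp any any eq 53",
    " deny ip any any",
    "!",
    "end",
]) + "\n"


def section_sizes(config_text: str) -> Dict[str, int]:
    """Bytes per top-level block, newline included.

    A line that does not start with whitespace opens a block named after that
    line; indented lines are charged to the open block. '!' and blank lines are
    pooled under "(separators)" so the totals still add up to the file size.
    """
    sizes: Dict[str, int] = {}
    current = "(preamble)"
    for line in config_text.splitlines():
        nbytes = len(line.encode("utf-8")) + 1     # +1 for the newline
        if line.startswith(" "):
            pass                                   # continuation of the current block
        elif line.strip() in ("", "!"):
            current = "(separators)"
        else:
            current = line
        sizes[current] = sizes.get(current, 0) + nbytes
    return sizes


def largest_sections(config_text: str, n: int = 5) -> List[Tuple[str, int]]:
    """The n biggest blocks, largest first: the candidates for trimming."""
    return sorted(section_sizes(config_text).items(),
                  key=lambda kv: kv[1], reverse=True)[:n]


def bytes_to_free(config_bytes: int, nvram_free_bytes: int) -> int:
    """How much the config must shrink to fit the free NVRAM (0 if it already fits)."""
    return max(0, config_bytes - nvram_free_bytes)


if __name__ == "__main__":
    total = len(SAMPLE_CONFIG.encode("utf-8"))
    print(f"config size: {total} bytes")
    for name, size in largest_sections(SAMPLE_CONFIG, n=3):
        print(f"{size:6d}  {name}")
    # figures from the post: 38563-byte running-config, 37120 bytes free in NVRAM
    print("bytes to free:", bytes_to_free(38563, 37120))
```

On a real switch, feed it the output of show running-config; ACL bodies, long interface descriptions and banners are the usual offenders.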