Incomplete hardware address

Recently I was working on an issue where a VM with a load balancing function would lose network connectivity consistently every 10-15mins for approx. 5-10mins.

I traced the mac address entry back to the core which consisted of a set of 6500 switches.

The ARP table on the core showed the entry with an Incomplete hardware address. This generally occurs for one of two reasons: the host does not exist (so no ARP reply is ever received), or the switch is receiving packets for that IP address on another interface.

To get this to work I had to configure a static ARP entry on the core, binding the VM load balancer's configured IP address to its hardware address.
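As an added example, not part of the original post, here is a small Python parser that reads two IOS "show ip arp" snapshots taken a few minutes apart, flags Incomplete entries, reports entries whose MAC or interface changed between the snapshots (the periodic Incomplete/resolved cycle described above), and emits the static "arp" line used as the fix. The snapshots, addresses and MACs are constructed; 10.1.1.20 stands in for the load balancer VM.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Two constructed IOS "show ip arp" snapshots a few minutes apart (not from the page's core switch).
ARP_SNAPSHOT_1 = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                -   0011.2233.4455  ARPA   Vlan112
Internet  10.1.1.20               2   Incomplete      ARPA
Internet  10.1.1.30               0   aabb.cc00.0100  ARPA   Vlan112
"""
ARP_SNAPSHOT_2 = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                -   0011.2233.4455  ARPA   Vlan112
Internet  10.1.1.20               0   0050.56aa.bb01  ARPA   Vlan112
Internet  10.1.1.30               3   aabb.cc00.0100  ARPA   Vlan112
"""

ARP_LINE = re.compile(  # one table row; IOS prints no interface column for an Incomplete entry
    r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?:-|\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}|Incomplete)\s+ARPA"
    r"(?:\s+(?P<iface>\S+))?\s*$")

@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: Optional[str]        # None while the entry is Incomplete
    interface: Optional[str]

def parse_show_ip_arp(text: str) -> Dict[str, ArpEntry]:
    """Parse the table into {ip: ArpEntry}; the header and unrelated lines are skipped."""
    entries: Dict[str, ArpEntry] = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            mac = None if m["mac"] == "Incomplete" else m["mac"]
            entries[m["ip"]] = ArpEntry(m["ip"], mac, m["iface"])
    return entries

def incomplete_ips(entries: Dict[str, ArpEntry]) -> List[str]:
    return sorted(ip for ip, e in entries.items() if e.mac is None)

def flapping_ips(before: Dict[str, ArpEntry], after: Dict[str, ArpEntry]) -> List[str]:
    """IPs whose MAC or interface differs between snapshots (Incomplete <-> resolved, or moved)."""
    return sorted(ip for ip in before.keys() & after.keys() if before[ip] != after[ip])

def static_arp_command(entry: ArpEntry) -> str:
    """IOS global-config line that pins the resolved MAC, the fix applied on the core."""
    assert entry.mac is not None, f"{entry.ip} is still Incomplete; use a resolved snapshot"
    return f"arp {entry.ip} {entry.mac} arpa"
```

Feed it the output of "show ip arp" captured twice across the outage window; an address that appears in flapping_ips while it is healthy in only one snapshot is the one to pin.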

Allow ICMP through Cisco ASA

I have been working with an external vendor who has devices within our network. These devices require ICMP access to the vendor's servers in order to download their configuration.

By default the Cisco ASA drops the ICMP replies coming back from outside. The policy-map global_policy specifies all the protocols to inspect; it references the class inspection_default, which matches the default inspection traffic. By default, icmp is not in that list, so ICMP is not stateful through the firewall.

To get this to work I had to add icmp inspection to the class inspection_default with the commands below.

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

Installing Cisco ACS 5.6 in VMware

Recently I completed the installation of Cisco ACS 5.6 in VMware. These are the steps I followed:

1. Log in to your VMware client

2. Right click on the host where you would like to install the new VM

3. Select new virtual machine from the menu

4. Choose the Typical radio button and click Next

5. Give the VM a name and click Next

6. Select a data store with at least 500GB of free space available and click Next

7. Select Linux as the operating system and select ‘Linux 32-bit’ and click Next

8. Select a NIC and click Next

9. Configure a disk size of 500GB and select Thick Provisioned Lazy Zeroed and click Next

10. Check the Edit the VM settings before completion check box and click Next

11. Configure 4GB of memory and 4 CPUs

12. Configure the CD/DVD for Client device and check the connected and connect at power on check boxes and click OK

13. Power on the VM

14. Using the toolbar, connect the CD/DVD drive to the Cisco ACS ISO and reboot the VM for the ISO to load

15. Select option 1 at the boot prompt and press Enter

16. Type setup at the login screen to start configuring ACS and enter the required ACS parameters

As part of the setup, you will create a CLI username and password. This account can only be used to log in to the CLI.

When you first log in to the web interface, you will need to use the default credentials below.

Username: acsadmin

Password: default

You must then license Cisco ACS.

Cisco ACI

This is a good blog post from Cisco showing that with ACI, the debugging process can be simple and quick, with real-time visibility into the fabric.

By examining the health score dashboard and application profile from a centrally managed location, the APIC, corrective action can be taken quickly.

Cisco ASA 5555-X Next-Generation Firewall

This week I had the pleasure of racking two Cisco ASA 5555-X firewalls. The Next-Gen Firewalls offer:

  • Granular visibility and control
  • IPS to protect against known threats
  • Comprehensive protection from threats and advanced malware

The Cisco Next-Gen ASA Firewalls coupled with FirePOWER provide the following benefits:

  • ASA stateful firewall with advanced clustering
  • Cisco AnyConnect Secure Mobility Solution more securely extends corporate network access beyond corporate laptops to personal mobile devices, regardless of physical location
  • Granular Application Visibility and Control to support over 3000 application-layer and risk-based controls
  • Cisco FirePOWER Next-Generation IPS, which provides threat prevention and contextual awareness
  • Filters on hundreds of millions of URLs in over 80 categories
  • Discovery and protection against advanced malware and threats


Cisco SPAN

Recently I have been working with Cisco SPAN (port mirroring). The goal was to capture RTP/voice traffic at a call centre and pipe the data out to a server which would store all the data.

At the call centre there are four 48-port Cisco 3560 switches with trunks between them. The destination port was positioned in such a way that the SVI and the destination SPAN port were located on the same switch.

Because the source VLAN and the destination port were on the same switch, local SPAN was sufficient, as opposed to RSPAN or ERSPAN.

The commands were:
monitor session 1 source vlan 112
monitor session 1 destination interface fastethernet0/46

After logging into the server, opening Wireshark on the capture NIC and filtering on rtp, we could see the RTP traffic flooding in.