Category: Configuration

Cisco Catalyst 6880-X VSS ISSU Upgrade Steps

This is a short version without comments and explanations for those that need to get things done quickly without reading through my extensive waffle.

For detailed update procedure with all the explanations check extended article: ISSU Upgrade of Cisco Catalyst 6880-X VSS cluster and its four 6800ia FEX extenders

Let’s start!

1. Get the info on which IOS version is supported to be upgraded with ISSU

Google for ISSU or EFSU IOS upgrade support or use this Cisco doc “SX_SY_EFSU_Compatibility_Matrix1” to select supported IOS for ISSU upgrade from your current version.

2. Upload IOS to both Chassis

copy ftp://admin:[email protected]/c6880x-adventerprisek9-mz.SPA.151-2.SY7.bin bootdisk:

and same for slavebootdisk:

| Continue Reading.. |


As you can see from my article list, I’m going through some VRF configuration in the last few weeks 🙂

I ran into this today and it sounded interesting enough to share it with you. The issue with TFTP IOS image copy to flash when having all interfaces in specific VRF and no interface in Global Routing Table.

Long story short, you kick in this command for normal IOS download to the router:

R1#copy tftp:// flash:
Destination filename [c890-universalk9-mz.154-3.M5.bin]? 
Accessing tftp://
%Error opening tftp:// (Timed out)

…and it isn’t working of course.

| Continue Reading.. |

Control Plane Protection in Cisco IOS

CoPP – Control Plane Protection or better Control Plain Policing. It is the only option to make some sort of flood protection or QoS for traffic going to control plane.

In the router normal operation the most important traffic is control plain traffic. Control plane traffic is traffic originated on router itself by protocol services running on it, destined to other router device on the network. In order to run properly, routers need to speak with each other. They speak with each other by rules defined in protocols and protocols are running in shape of router services.

Examples for this kind of protocols are routing protocols like BGP, EIGRP, OSPF or some other non-routing protocols like CDP etc..


Control Plane Policing is QoS applied on ingress sub-interfacess towards Route Processor

When router is making BGP neighbour adjacency with the neighbouring router, it means that both routers are running BGP protocol service on them. BGP service is generating control plane traffic, sending that traffic to BGP neighbour and receiving control plane traffic back from the neighbour.

Usage of Control Plane Protection is important on routers receiving heavy traffic of which to many packets are forwarded to Control Plane. In that case, we can filter traffic based on predefined priority classes that we are free to define based on our specific traffic pattern.

| Continue Reading.. |

Mitigate DoS Attack using TCP Intercept on Cisco Router

This is really cool feature on Cisco router not usually mentioned until you dig a little deeper inside Cisco IOS. But first a bit of theory…

What is TCP SYN flood attack

TCP 3-way handshake

SYN flood DoS attack happens when many sources start to send a flood of TCP SYN packets usually with fake source IP.

This attack uses TCP 3-way handshake to reserve all server available resources with fake SYN requests not allowing legitimate users to establish connection to the server. SYN packet is the first step in TCP 3-way handshake. This is the step where client sends connection synchronization request to the server. Server receives TCP SYN from client, the server replies back with SYN ACK. SYN ACK acknowledges synchronization request.

In that moment server is waiting the client to complete the handshake by sending an ACK back to server to acknowledge the SYN ACK. With this third step, TCP session is successfully established and communication between server and client begins.

If the ACK is not received from the client side, server will wait for it for some time and then the session will timeout and get dropped. When the server deletes the session, his resources will be released.

TCP SYN flood attack

TCP SYN flood attack sends first packet of 3-way handshake SYN packet to server many times to cause the server to allocate resources for sessions that will never become established. It means that client who is attacking will never respond to server SYN ACK and the session will remain on the second step of 3-way.

| Continue Reading.. |

How to Enable Dot1x – more complex setup for wired network

This one is long. Do not be afraid though, I made it just to give you the fastest way to deploy functional dot1x to your company HQ without reading even more documentation and searching for those little timer default settings.

I the article prior to this I showed you how to setup your environment with simple dot1x and make it as simple as possible. I will not repeat again the part about setting up Radius Clients on server side, everything else is here once again just more complex. Now is time for a more complex example that will make your implementation work out-of-the-box for end users and they will probably not even know that you completed the implementation of one nice but fairly complex network security enhancement.

So, as I said, this is a better way to do it because it will be less intrusive and people in the office will start to use it but without prompt starting to show on everybody’s PC.

What needs to be done:

Here are the steps needed on all systems so you do not forget some of them. Of course you will not forget, but I know people who did forget, for example, the whole client computer part.

  1. We will configure the switch for dot1x but with much more options now.
  2. We will create Radius NPS policy to enable our Windows machines to authenticate using user or computer certificate. (This will enable us to skip boring credentials prompts mentioned above)
    Here the Radius config skips radius client configuration mentioned in previous article about dot1x.
  3. We will setup a new GPO object that will automatically setup all PC’s for dot1x.

What will we get using dot1x:

It’s give you all descriptions of all possible options that you would need and the example in the end will show configuration of all those components together. You will see, it will be easy to recognise which command does what. If there would be some thing not clear enough, I am fairly quick with my comment replies 😉


Dot1x will allow access to network only to authenticated users on your wired LAN. It’s also used to authenticate users on Corporate WiFi network but we will skip that part now.

Give Internet only to unauthenticated users

Don’t be cruel, maybe you have some guests in your meeting room. If they connect and get denied they will tell you your network jacks are not working and blame you that you are not doing your job as network admin.

“Hey, network is not working in meeting room! Some guest are complaining, is bad publicity :)”

If the users are not authenticated switch port where they connected the cable does not get them access to the network. There is an option to use VLAN auto-configuration in conjunction to basic security feature to get unauthenticated users access to the network but only to some isolated or Internet only VLAN. Cool.

| Continue Reading.. |