Messages - matgar

#1
Quote from: Dieselboy on July 07, 2022, 03:55:44 AM
There is a tool out there that will allow you to export it to a CSV. I had a brief look and it needed further understanding. I wasn't sure how much time would be required and I didn't want to waste time unnecessarily.

So instead, what I did as a one-off was log into the FMC with a browser and copy the tables from the browser and paste directly into MS Excel. Once I had all the rules copied into Excel, I simply used Excel to figure out all of the rules needing to be replicated across. Some rules were there that were no longer required or were there because of a previous ASA migration tool that messed up the config etc etc. I used colours and added additional lines in excel to expand on the ACL groups and other groups etc.

Another huge benefit to me by doing it this way is that by the time I got to installing rules for the new firewall, I had learnt most of the config and understood routes and rules placement and reasoning.
Thanks for the tip.
Not sure exactly how you would copy the tables from the browser. I must be missing something.
But even if I could, it doesn't seem more useful/feasible than getting it from the CLI and then manipulating it out to a usable format.
Did you do this in a smallish environment?
#2
Quote from: deanwebb on July 06, 2022, 09:45:35 AM
:smug:

There are about a dozen products built to answer that very question. Tufin, Firemon, and Algosec are some leaders in the firewall rule sanitation biz, well worth looking into. The thing here is that you have this one question today, but a tool would answer similar questions tomorrow and do so in an automated way that will help deal with configuration drift issues and compliance/governance audits.

I've used Tufin a good deal back when I worked at Global Megacorporation and it was so much easier to search on rules with that tool than with the native GUI/CLI for the firewalls. Even with the version I had 5-6 years ago, I could make reports like you're asking for easily and then take actions based on those reports.
Thanks Dean, will have to have a talk internally about looking into those tools. Still, I think it's sad that Cisco couldn't have a function for this built in. But I guess I'm asking for too much.
As a side-note I had totally forgotten about making this post. The information turned out not to be needed at the time, then I got distracted with other things and totally forgot about it.
#3
Greetings all.

Any FMC/firepower gurus here?
I'm trying to find a convenient way to create a report of all access list/policy rules in FMC going toward some specific subnets.
So far I've been unable to find a way to do so, short of simply taking the output from a CLI "show access-list xxxxx" and then manually going through it and filtering out all rules that don't have any of the interesting subnets as destination.

The reverse direction was much easier since I could simply filter on input interface, but no such luck on the traffic going into that interface/vrf. (and we don't use destination zone in most of our rules.)

Sure I can do searches in the GUI, but I don't find those particularly helpful since I can't find an easy way to export the results to do further processing. And honestly the GUI filter for only showing matching filter doesn't always work so good.

So I thought I would check with you guys if you have any suggestions/tips about how to get/generate such a list.

//matgar
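One way to do the filtering step described in this post (and the "get it from the CLI and manipulate it" approach in the later reply), as an added example that is not code from the thread or from Cisco: a small parser over ASA-style "show access-list" lines that keeps only rules whose destination overlaps the subnets of interest, and flags rather than drops rules whose destination is a named object (those need the object table to resolve). It assumes the IPv4 "extended"/"advanced" rule syntax and a constructed sample of output, not any real device's configuration.

```python
import ipaddress
import re

# One rule line of ASA/FTD "show access-list"; header, remark and element-count lines do not match.
RULE_RE = re.compile(r"^access-list (\S+) line (\d+) (?:extended|advanced) (permit|deny) (.+)$")
PORT_OPS = {"eq": 2, "gt": 2, "lt": 2, "neq": 2, "range": 3}  # port qualifier -> tokens it occupies

def parse_addr(tokens, i):
    """Parse the IPv4 address spec at tokens[i]; returns (ip_network or object name, next index)."""
    t = tokens[i]
    if t in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    if t in ("object", "object-group"):
        return tokens[i + 1], i + 2  # named object: cannot be resolved without the object table
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2  # "address mask" form

def parse_rule(line):
    """Parse one rule line into a dict; returns None for non-rule lines."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    acl, line_no, action, rest = m.groups()
    tokens = [t for t in rest.split() if not t.startswith(("(hitcnt", "0x"))]  # drop counters/hash
    np = 2 if tokens[0] == "object-group" else 1  # a service object-group occupies two tokens
    src, i = parse_addr(tokens, np)
    i += PORT_OPS.get(tokens[i], 0) if i < len(tokens) else 0  # skip an optional source port qualifier
    dst, _ = parse_addr(tokens, i)
    return {"acl": acl, "line": int(line_no), "action": action,
            "proto": " ".join(tokens[:np]), "src": src, "dst": dst}

def rules_toward(show_output, subnets):
    """Rules whose destination overlaps a subnet of interest; named-object destinations are kept and flagged."""
    targets = [ipaddress.ip_network(s) for s in subnets]
    hits = []
    for r in filter(None, map(parse_rule, show_output.splitlines())):
        dst = r["dst"]
        if isinstance(dst, str):
            r["note"] = "unresolved object"  # review against the object/object-group definitions
        elif any(dst.overlaps(t) for t in targets):
            r["note"] = "overlaps target"
        else:
            continue
        hits.append(r)
    return hits

# Constructed sample in ASA "show access-list" format (not output from any real device).
SAMPLE = """\
access-list outside_in line 1 extended permit tcp any range 1024 65535 host 10.20.30.5 eq 443 (hitcnt=120) 0xaaaa0001
access-list outside_in line 2 extended permit ip 192.168.1.0 255.255.255.0 10.20.0.0 255.255.0.0 (hitcnt=7) 0xaaaa0002
access-list outside_in line 4 extended permit tcp object-group WEB_SRC object-group DMZ_HOSTS eq 80 (hitcnt=3) 0xaaaa0004
"""
```

The returned dicts can be fed straight to csv.DictWriter to get the spreadsheet-friendly export discussed in the thread.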
#4
The company is looking to buy 2 new switches to replace 2 old existing switches. (one is a Dell and the other is a Zyxel)
One will be used as a collapsed core to the access switches and one for the servers and storage.
The 10GB uplink would be used between the 2 new switches.
10GB uplink is partly for future proofing, but also that all storage and user profiles are centralized, so there is a fair amount of traffic on the interconnect link.
Currently there's only one 1GB link between them, that is easily overwhelmed.
Yes, ether-channel is a possibility but since the old switches are to be replaced going with 10GB uplinks seems like a good idea.
Looking at 10Gbase-T to avoid having to buy SFP+ modules at this time.
POE is needed.
L3 routing between VLANs is needed, static and/or RIP is fine.
ACL is needed.

HP procurve seems like it's not sold any longer, they seem to be HPE Aruba now.
The HPE Aruba 2930M 48G PoE+ 1-slot Switch (JL322A) seems to fill the requirements, but is about double the price compared to a SG250X-48P.
Does anyone have experience with these Aruba (HP) switches?
#5
Hi guys.

I thought I would ask if any of you have experience with Cisco's Small Business switches.
Currently I'm looking at switch recommendations for a small non profit organisation, so on the cheaper side.
From what I can see the SG250X-48P seems to fill all the requirements: ok price, 48x1gb ports, POE+, 2/2x10GB uplinks.
It seems to have a CLI (so that I hopefully feel at home from working with 2960s and 3560s previously)
Though previously when I worked with the Catalyst line of switches from Cisco I sometimes ran into some caveats with some of the cheaper models not supporting all the functions I was used to.
So the question is, have any of you guys run into any problems with the SG line of switches that surprised you?

Also, even though I'm tempted to buy Cisco products, that's not a requirement, I just don't want something that only has a clunky GUI for administration.
But if you have any recommendations on other products I can have a look at that would also be appreciated.
#6
I guess it's good advice. But as an Aspie, "just make friends with a random successful IT guy in the region" runs into a bit of a problem with the whole "make friends with" part. :)
#7
Forum Lobby / Re: Fidget Devices
July 26, 2017, 05:27:50 PM
What's wrong with the humble pen as a fidget device? click-click, clickety-click  ;D

Though I do have a couple of power balls, but they take a bit of effort to get started.
And if you have to put it down rapidly for some reason it's likely to run off; they have quite some force in them at speed.
So not sure if they are fidget devices as such.
#8
Homework Help / Re: CCNA Q.
July 23, 2017, 01:42:08 AM
The simple answer (for CCNA level) is of course Router A.
The more complex answer is that if the Switch is a L3 it could just as well be the default gateway.
But for this scenario with vlan 10 extending to the Router and with it being a CCNA level Q the expected answer would be Router A.
#9
Home and Small Office Networking / Re: Routing
July 23, 2017, 01:34:25 AM
Quote from: stonbri on July 22, 2017, 05:09:07 AM
My goal is to have inside my home my additional PC connect to the internet as well
Just a reality check here: do you actually have a need for the 2nd PC to be on a different subnet?
#10
Home and Small Office Networking / Re: Routing
July 22, 2017, 04:07:15 AM
I don't know the capabilities of your router.
Can you create different VLANs and assign them to different ports/SSIDs?
One basic thing is that you need a default gateway for internet traffic. If you don't have a gateway/default gateway you can only communicate with devices that are local to your L2 domain and use the same IP subnet. (There are caveats, but in general that's the case.)

#11
I've had to use consumer grade unmanaged switches such as Netgear and D-Link in between managed switches with trunk ports.
I can't recall any problems, they just passed the frames along unchanged.
It's of course far from ideal, but you do what you must to get things up and running.
#12
Security / Re: Peerlyst Security Library...
July 01, 2017, 11:41:31 AM
Quote from: deanwebb on July 01, 2017, 11:30:32 AM
It's a series. Don't have to read them all in order. :)

They cost 99 cents at first and then once they get on iTunes, the price at Amazon goes to zero with the price match. But, hey, 99 cents? Drop in the bucket for a great read, right? There should be some laughs in my chapters because that's how I write 'em.
99 cents?
While it's still cheap, I see it for $1.24 on Amazon. Or is the 99 cents just without VAT?
#13
Security / Re: Peerlyst Security Library...
July 01, 2017, 11:15:46 AM
Seems interesting, is this the 3rd edition so only need the latest, or is it a series of books where you should read them all?
#14
Quote from: TheGreatDoc on February 07, 2016, 09:24:01 AM
It's a Cisco C3750. But as far as I can see, the errors shown in the graph are not in the "show interface" command...
You could give this a try.

sh controllers ethernet-controller GigabitEthernet x/y/z


I also found this list of commands for troubleshooting links.

show interface status | inc connected
test cable-diagnostics tdr interface <>
show cable-diagnostics tdr interface <>
show interface <>
show interface <> counters
show interface <> counters errors
show interface counters errors
show controllers ethernet-controller <>
show platform pm if-numbers
show controllers ethernet-controller port-asic statistics
show platform port-asic stats drop <>
#15
I had a brief stint in the MPLS provisioning team for an international SP here in Sweden back in 2008.
From what I can remember I did quite a bit of local-as and allow-as in.
But it was a limited position, i.e. check these boxes, fill in these values and hit commit type of work. If something doesn't work? Escalate and move on.
So I never did get a good understanding of the whole setup and I moved after a few months.