Access console port on a Cisco Aironet 1200 Series

June 23, 2010 at 9:40 am (Uncategorized)

You need the following serial settings to access the console port on a Cisco Aironet 1200 Series AP.

9600 baud
Hardware Flow Control = OFF
Software Flow Control = OFF

If you can see output from the console but your keystrokes are ignored, check the flow control settings.


Getting err-disable when trying to bring up EtherChannel.

June 21, 2010 at 11:51 am (Technology, TechTips, Uncategorized)

Recently I was trying to bring up an EtherChannel connection between a Catalyst 3750 and a Catalyst 4507.

I was going to join 4 ports together.  One from each of the first 4 blades on the 4507.  It is good to use several blades to protect against a blade failure.

However, when I went to bring up the bundle using LACP, within seconds all bundled ports were shut down and this logging message popped up:

%PM-4-ERR_DISABLE: channel-misconfig (STP) error detect on GigabitEthernet1/0/45.

I was really stumped as to what was causing this.  Google searching did not really return any clear answers.

The message was stating that the error was somehow related to Spanning Tree Protocol.  I turned on all Spanning Tree debugs and re-enabled just the first port again, but the debugs didn’t show anything unusual happening.  What was interesting is that this error was only occurring on the 3750; no errors were showing up on the 4507.  I double checked the STP root bridge priorities, etc.

I started to comb the running-config with a fine toothed comb on the 3750.  It was then that I noticed this config towards the top:

spanning-tree etherchannel guard misconfig

This config intrigued me.  I had not noticed it before and I was unclear as to what it might do.  I no’d out the command and again tried to bring up just the first interface in the bundle.  No cigar, same epic fail.  At this point, I saved the config (write me) and reloaded the switch.  Once the switch was back up, I again tried to bring up the bundle members, but in reverse order, starting with gi1/0/48 and moving towards gi1/0/45.  One by one, they were each able to join the bundle.  Finally, I went to bring up the last interface, gi1/0/45.  It came up; however, the command show etherchannel 2 summary showed that it was in the waiting state.  This is indicated by state w.  It seemed to stay in waiting for about a minute until it changed to I.  The status I indicates that the port is individual and not part of the bundle.

I thought that it was strange for gi1/0/45 to go to individual mode.  I then traced the cabling from gi1/0/45 on the 3750 to fa3/3 on the 4507.  “Now just you wait a sec!”  I found that I had accidentally cabled to port fa3/5 instead.  This was the wrong port and was not configured to be part of the etherchannel.

Wow, so

spanning-tree etherchannel guard misconfig

Was trying to tell me that I had a mis-cabled port!  That’s pretty sweet.  I did a quick google search on the command and found that essentially it allows EtherChannel to use STP to attempt to find misconfigurations (including messed up cabling).

This story has two morals:

1) Definitely configure STP etherchannel guard misconfig.  That command is just another of those that will watch your back.  You just gotta love those commands.

2) If your ports are going err-disable and you’re getting that odd STP misconfig error, remember to go check your cabling and which ports are config’d.

Happy Routing!


How to verify that mod_security is working.

June 9, 2010 at 2:40 pm (Uncategorized)

Did you just install mod_security or restart apache?

Do you want to make sure that mod_security is working? Well, if you have installed the CRS, then you are in luck! Here is a simple way to test operation.

First, set up a tail -f on whatever file you have mod_security logging violations/alerts to.

Next, from another Linux box that has wget installed, run this command (replace the placeholder with the address of the server you are testing):
wget -O - -U "webtrends security analyzer" http://<your-server>/

Finally, back in the audit log, you should see an alert logged. This is because the user agent “webtrends security analyzer” is blocked by CRS.
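The last step can be scripted instead of watched in tail -f. The following is an added example, not part of the original post: it scans an audit log for a transaction that carries the test user agent in its request headers and an alert in its trailer. It assumes the ModSecurity 2.x serial audit log layout (parts A, B, H, Z); the function names and the sample log are constructed for illustration.

```shell
# Added example. modsec_alert_logged LOGFILE USER_AGENT
# Exit status 0 if one transaction has USER_AGENT in its request headers
# (part B) and at least one "Message:" line in part H; 1 otherwise.
modsec_alert_logged() {
    awk -v ua="$2" '
        /^--[0-9A-Za-z]+-[A-Z]--$/ {
            part = substr($0, length($0) - 2, 1)
            if (part == "A") { seen_ua = 0; alerted = 0 }   # new transaction
            if (part == "Z" && seen_ua && alerted) found = 1
            next
        }
        part == "B" && tolower($0) ~ /^user-agent:/ &&
            index(tolower($0), tolower(ua)) > 0 { seen_ua = 1 }
        part == "H" && /^Message: / { alerted = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# write_sample_log PATH: constructed two-transaction audit log excerpt.
write_sample_log() {
    cat > "$1" <<'EOF'
--5f3a9c01-A--
[09/Jun/2010:14:40:01 +0000] CONSTRUCTED-ID-1 192.0.2.10 40000 192.0.2.20 80
--5f3a9c01-B--
GET / HTTP/1.0
User-Agent: webtrends security analyzer

--5f3a9c01-H--
Message: Access denied with code 403 (phase 2). [msg "constructed sample alert"]

--5f3a9c01-Z--

--5f3a9c02-A--
[09/Jun/2010:14:40:05 +0000] CONSTRUCTED-ID-2 192.0.2.10 40001 192.0.2.20 80
--5f3a9c02-B--
GET / HTTP/1.0
User-Agent: Wget/1.12

--5f3a9c02-H--

--5f3a9c02-Z--
EOF
}

log=$(mktemp) && write_sample_log "$log"
modsec_alert_logged "$log" "webtrends security analyzer" \
    && echo "alert logged for test user agent" \
    || echo "no alert found for test user agent"
rm -f "$log"
```

Against a real server, pass the path of your own audit log in place of the sample file. A non-zero exit status means the test request was not flagged.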
