Sunday, September 29, 2013

Cisco ASA: VPN Doesn't Work After Deleting And Reapplying Interesting Traffic ACL

I don't recall running into this before (maybe once), but this client is running code 8.4(5) and I ran into this little problem.  I decided I needed to redo one of the site-to-site VPN ACLs.  So, I deleted it and added it back in again (with different criteria).  Here is what I did:
ASA(config)# clear configure access-list remote_vpn
ASA(config)#access-list remote_vpn  permit ip  host 10.98.1.28 host 172.16.1.38

When I went to test this out, I noticed my VPN didn't come back up.  Normally, I don't think I have ever had to go back and reapply the crypto map 'match' statement.  But, in this case, I did have to.  I'm not sure if this was a code thing or if my memory just fails me of all the times in the past where I have had to redo an ACL for a site-to-site VPN.  But I DID have to reapply it.

ASA(config)# crypto map S2SVPN 30 match add remote_vpn

I thought I would share this in case someone has problems getting their site-to-site VPN back up after deleting and reapplying an ACL for a VPN.
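The symptom above (tunnel stays down until the crypto map's match statement is put back) is easy to catch with a quick audit of the running config before you walk away from the box. The script below is an added example written for this post, not code from the original post or from Cisco: it reads a constructed ASA-style config fragment (the map name S2SVPN, the ACL names and the 198.51.100.x peers are made up for illustration) and reports every crypto map entry that either has no `match address` statement at all or references an ACL name that no longer exists. Either condition means that entry cannot match interesting traffic, which is exactly the "VPN doesn't come back up" state described above.

```python
import re

# Constructed ASA-style configuration fragment (example data, not the
# post's device).  Entry 10 is healthy; entry 30 has no match statement
# left after its ACL was cleared and re-added; entry 40 still points at an
# ACL name that is no longer defined anywhere in the config.
SAMPLE_CONFIG = """\
access-list site_a_vpn extended permit ip 10.98.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list remote_vpn extended permit ip host 10.98.1.28 host 172.16.1.38
crypto map S2SVPN 10 match address site_a_vpn
crypto map S2SVPN 10 set peer 198.51.100.5
crypto map S2SVPN 30 set peer 198.51.100.9
crypto map S2SVPN 40 match address old_vpn
crypto map S2SVPN 40 set peer 198.51.100.13
crypto map S2SVPN interface outside
"""

# First token after "access-list" is the ACL name, whether the line is
# written with or without the "extended" keyword.
ACL_RE = re.compile(r"^access-list\s+(\S+)\b")
# Only the two crypto map sub-commands we care about for this check.
ENTRY_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+(match address|set peer)\s+(\S+)")


def defined_acls(config):
    """Names of every ACL that has at least one line in the config."""
    return {m.group(1) for line in config.splitlines()
            if (m := ACL_RE.match(line.strip()))}


def crypto_map_entries(config):
    """Collect {(map_name, seq): {'match': acl or None, 'peer': ip or None}}."""
    entries = {}
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        key = (m.group(1), int(m.group(2)))
        slot = entries.setdefault(key, {"match": None, "peer": None})
        slot["match" if m.group(3) == "match address" else "peer"] = m.group(4)
    return entries


def audit_crypto_maps(config):
    """Return (map_name, seq, problem) for entries that cannot bring a tunnel up."""
    acls = defined_acls(config)
    problems = []
    for (name, seq), slot in sorted(crypto_map_entries(config).items()):
        if slot["match"] is None:
            problems.append((name, seq, "no 'match address' statement"))
        elif slot["match"] not in acls:
            problems.append((name, seq, f"ACL {slot['match']} is not defined"))
    return problems


if __name__ == "__main__":
    for name, seq, problem in audit_crypto_maps(SAMPLE_CONFIG):
        print(f"crypto map {name} {seq}: {problem}")
```

Feed it the output of `show running-config` and fix whatever it lists with `crypto map <name> <seq> match address <acl>`, as in the post. Running the same audit before the ACL change gives you a baseline, so the diff after the change tells you immediately which entries lost their match statement.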

Cisco 3560: "Copy Startup-config Running-config" Default Route Problem

I ran into this problem on a Cisco 3560 a few weeks ago.  I was having some problems with an Internet provider (meaning the customer turned off service to the Internet provider they were using by accident).  Since they had another T1 for servers only, I swung everyone over to the Internet connection that did work.  With that, I didn't want to save any config on the 3560, because they have many VLANs and many route-maps doing different things on the network.  So, my plan was to do a "copy start run" when I got the 'downed' Internet back up.  However, when I got the ISP to turn the service back on and did that "copy start run", I found the following problem:
ip route 0.0.0.0 0.0.0.0 10.1.10.1
ip route 0.0.0.0 0.0.0.0 192.168.1.1

There was only supposed to be one default route.  However, when I ran the command, it did not take out the 'new' default route.  I'm not sure why.  I just scrambled to get that out and everything was fine after that.  I think this may have been a bug in the software, but I don't recall the version of the IOS.  Shame on me for not getting that.

Saturday, September 28, 2013

More Sabotage In The Work Place

Unbelievable.  And this was for a Valcom paging solution.  Why???  It's just paging.

Cable unplugged, so no POE or Ethernet connectivity.

This was also unplugged, which is the power for the external speakers.

Friday, September 27, 2013

Palo Alto: What Does It Mean To Put A Palo Alto In 'Tap' Mode?

If you are not used to Palo Alto, you might not understand 'tap' mode.  The Palo Alto 'tap' port is directly connected to the 'mirrored' port on the core switch (or any switch).  You are 'tapped' into the mirrored port of the switch.  See the topology below.  It's just like putting your laptop on the network with Wireshark so that you can capture data.  Same with the Palo.


Thursday, September 26, 2013

SIP: Anatomy Of The Registration Process For A Valcom Paging 801 Unit To A Cisco CallManager (CUCM)

This is pretty cool stuff to me.  I'm learning more about SIP these days, and so as I went to troubleshoot a paging problem at one of my customers, I decided to fix the problem first, then do a packet capture of the registration process from startup of the Valcom unit.  Below is what I captured, using Wireshark.


Wednesday, September 25, 2013

New Job

All, I decided about a week ago to take a new job.  I will be starting next week, and I'm pretty excited about it.
So, why am I telling you this?  Well, because I think that my posting here on this blog will slow down a little.  I try to post here often with my experiences in the IT services position I currently have.  And if you know much about IT services, you see a lot of stuff out there and a lot of stuff comes at you fast.  It's a pretty fast-paced environment.  So for this blog, I get a lot of good things to post about.
With that said, I'm not sure if I'll have as much to post about with my new position.  I'm really hoping that I will.  Just as much as I do now.  So, if I don't post as often as I do now, keep checking back.  I'll do my best to post about my experiences there as often as possible.

Also, if you would be interested in doing some 'guest posts' on this blog, contact me (using the right side 'contact me' on this page).  I'm currently looking for some folks to post about their experiences in IT if anyone has any interest in writing about them.
Thank you all for reading.
-- Shane Killen

Tuesday, September 24, 2013

Cisco: "CME Upgrade" -- by Alan Visnyai

Alan has been kind enough to share his experience with a CallManager Express upgrade he went through.  Very good guest posting by Alan Visnyai.  -Shane Killen

CME upgrade: by Alan Visnyai

I wanted to update you on the UC520 upgrade.  No licensing issues were encountered.  From what I gathered, the licensing for the UC500-series only deals with number of users/features, not the version of software that's loaded.

I did encounter a couple of speed bumps (as usual), which I will share later in this message.  Just to recap, the system was upgraded from CME 7.0.0/CUE 3.2.1/IOS uc500-advipservicesk9-mz.124-20.T2 to CME 8.1/CUE 8.0.6/IOS uc500-advipservicesk9-mz.151-2.T4.

======
OS Description  Cisco Internetwork Operating System
Cisco IOS (tm) UC500
Cisco IOS Software  UC500-ADVIPSERVICESK9-M
Software Version  15.1(2)T4 / CME 8.1
Feature Package  IP|IPv6|BGP|IS-IS|FIREWALL|VOICE|PLUS|QoS|HA|NAT|3DES|MPLS|VPN|SSH|IPSE
GUI Version  8.0.0.0 (Compatible with IOS 12.5(1)XA)
======
UC500-CUE# sh soft pack

Installed Packages:

 - Installer (Installer application) (8.0.6.0)
 - Thirdparty (Service Engine Thirdparty Code) (8.0.6)
 - Bootloader (Primary) (Service Engine Bootloader) (1.0.3)
 - Infrastructure (Service Engine Infrastructure) (8.0.6)
 - Global (Global manifest) (8.0.6)
 - Service Engine license (License for the Service Engine) (2.1.2.0)
 - Auto Attendant (Service Engine Telephony Infrastructure) (8.0.6)
 - Voice Mail (Voicemail application) (8.0.6)
 - Bootloader (Secondary) (Service Engine Bootloader) (1.0.3.0)
 - Core (Service Engine OS Core) (8.0.6)
 - GPL Infrastructure (Service Engine GPL Infrastructure) (8.0.6)

Installed Plug-ins:

 - CUE Voicemail Language Support (Languages global pack) (8.0.6)
 - CUE Voicemail US English (English language pack) (8.0.6)

UC500-CUE# sh soft ver
Cisco Unity Express version (8.0.6)
Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2010 by Cisco Systems, Inc.

Components:

 - CUE Voicemail Language Support version  8.0.6

UC500-CUE#
===========

I connected a card reader to my PC and copied the IOS and CME files directly to the CF card.  (I've encountered issues in the past where, for some reason, when the router read the CF, it changed the case of some filenames and directories, and since case is important, it would break certain features.  Thought I'd try it anyhow.)
I downloaded the CUE upgrade files to the CUE, just to save time during the actual upgrade process.
After inserting the CF card in the UC520 and rebooting, my VLAN interfaces showed in an up/down state.  After some head-scratching and a quick Internet search, I discovered that the VLANs were not there (forgot that vlan.dat needed to reside on the CF; I copied it from the nvram of the system, but did not copy it to the CF).  Once the VLANs were created, traffic flowed.
The CME GUI did not work.  It turned out the gui folder was renamed to GUI.  After renaming the folder from GUI to gui, I was able to access the GUI login screen, but the drop-down menu items did not work.  The sn folder contained flash files that controlled the menus, and that folder was renamed SN.  After doing the rename "game" again, the CME GUI worked (and was pretty responsive).
I was able to perform a direct upgrade of CUE and retain the existing saved messages, trees, etc.  For some reason, I could not upgrade from the files I (at least thought) downloaded to the CUE.  No worries, I just configured FTP on my laptop and had CUE read the files from there and perform the upgrade.  It took 15-20 minutes from the start of the upgrade until it came on-line.  The 8.0 CUE GUI looked very different than the 3.2.1 version (the new format fits the Small Business GUI theme, and it seemed to work well).  The upgrade retained all of the saved voice messages, AA tree, etc.
Configuring CME to serve the correct phone firmware has always been trial-and-error for me.  I discovered that the version of 7941/7961 and 7975 firmware provided with the package was too new for the phones.  Had to perform a 2-step upgrade. (The 524G and 7921 phones upgraded in one step.)

Hopefully my experience will help others.  -- Alan Visnyai

Monday, September 23, 2013

Cisco ASA 8.3/8.4: Adding A New Remote Site For Internet Access Through Your Main Site Firewall

Have you ever needed to add a new remote site to your network and add it to your ASA with 8.3 or higher code?  I mean, you already have the ASA set up and doing what you want it to do.  You just need to add the new site for Internet access.  Here is what you do.

The ASA needs to know about the new remote site.  192.168.7.0/24 is the new network.
object network obj-192.168.7.0
 subnet 192.168.7.0 255.255.255.0

You have to have a route pointing back to the internal core switch (10.10.1.1) to get to the new remote site.
route inside 192.168.7.0 255.255.255.0 10.10.1.1 

This was already in the config and no change needed, since it encompasses all internal networks.
object network obj_any
 nat (inside,outside) dynamic interface

Or, you could say this for the NAT translation:
object network obj-192.168.7.0
 nat (inside,outside) dynamic interface
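The three pieces above (an object for the subnet, a route back to the core, and a NAT rule that covers it) are what a new remote site needs, and it is worth checking all three before telling the site to try the Internet. The script below is an added example written for this post, not code from the original post or from Cisco. It parses a constructed ASA 8.3-style config fragment and reports, for a given remote subnet, which objects define it, which inside routes cover it, and which `nat (inside,outside)` objects cover it. The sample assumes obj_any is defined as `subnet 0.0.0.0 0.0.0.0` (the usual definition, and the reason it encompasses all internal networks); the post does not show that line, so treat it as an assumption. The second site, 192.168.9.0/24, is made up to show what an incomplete setup looks like.

```python
import ipaddress
import re

# Constructed ASA 8.3+ running-config fragment (example data, not the post's
# firewall).  As "show run" displays it, an object's subnet and its nat
# statement appear under two separate "object network" headings.
# ASSUMPTION: obj_any is subnet 0.0.0.0 0.0.0.0; the post does not show it.
SAMPLE_CONFIG = """\
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-192.168.5.0
 subnet 192.168.5.0 255.255.255.0
object network obj-192.168.7.0
 subnet 192.168.7.0 255.255.255.0
object network obj_any
 nat (inside,outside) dynamic interface
route inside 192.168.5.0 255.255.255.0 10.10.1.1 1
route inside 192.168.7.0 255.255.255.0 10.10.1.1
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""

OBJ_RE = re.compile(r"^object network (\S+)$")
SUBNET_RE = re.compile(r"^subnet (\S+) (\S+)$")
HOST_RE = re.compile(r"^host (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) (.+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?$")


def parse_asa(config):
    """Return ({object_name: {'subnet': network|None, 'nat': dict|None}}, [routes])."""
    objects, routes, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := OBJ_RE.match(line):
            # Same object may be declared twice; merge into one record.
            current = objects.setdefault(m.group(1), {"subnet": None, "nat": None})
        elif m := ROUTE_RE.match(line):
            iface, net, mask, gw = m.groups()[:4]
            routes.append({"iface": iface, "gateway": gw,
                           "network": ipaddress.ip_network(f"{net}/{mask}")})
            current = None
        elif current is not None and (m := SUBNET_RE.match(line)):
            current["subnet"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif current is not None and (m := HOST_RE.match(line)):
            current["subnet"] = ipaddress.ip_network(f"{m.group(1)}/32")
        elif current is not None and (m := NAT_RE.match(line)):
            current["nat"] = {"from": m.group(1), "to": m.group(2), "rule": m.group(3)}
    return objects, routes


def check_remote_site(config, new_subnet, inside="inside", outside="outside"):
    """Report whether new_subnet is defined, routed via the inside interface,
    and covered by an inside->outside NAT object."""
    net = ipaddress.ip_network(new_subnet)
    objects, routes = parse_asa(config)
    report = {
        "object": sorted(n for n, o in objects.items() if o["subnet"] == net),
        "route": [r["gateway"] for r in routes
                  if r["iface"] == inside and r["network"].supernet_of(net)],
        "nat": sorted(n for n, o in objects.items()
                      if o["nat"] and o["subnet"] is not None
                      and o["nat"]["from"] == inside and o["nat"]["to"] == outside
                      and o["subnet"].supernet_of(net)),
    }
    report["ready"] = all(report[k] for k in ("object", "route", "nat"))
    return report


if __name__ == "__main__":
    for site in ("192.168.7.0/24", "192.168.9.0/24"):
        print(site, check_remote_site(SAMPLE_CONFIG, site))
```

The NAT check accepts a covering object, so the existing obj_any rule satisfies it without a per-site object; the per-site `nat (inside,outside) dynamic interface` from the post would simply show up as a second covering object. The route check deliberately ignores the outside default route, since the point is the path back to the core switch.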

Saturday, September 21, 2013

Palo Alto: How To Clear The ARP Cache

How do you clear the ARP cache?  This is not too hard.  Just SSH into the Palo Alto box.  Then run the command:

skillen@PA-3020> clear arp all

All ARP entries are cleared.
skillen@PA-3020>

Thursday, September 19, 2013

Cisco CME: How To Recover If Your Flash Card (CF) Goes Bad In Your CallManager Express Router

I got an email from someone asking about upgrading the CME.  This is for when you have NO files on your flash card.  In this case, the flash went bad and he will lose his files when the CME reboots.  I have run into this before, so below is what I did to get a file back onto the new flash so the router could boot again and I could get started.  Here it is if you are curious.

Readonly ROMMON initialized
rommon 1 > IP_ADDRESS=10.50.1.251
rommon 2 > IP_SUBNET_MASK=255.255.255.0
rommon 3 > DEFAULT_GATEWAY=10.50.1.250
rommon 4 > TFTP_SERVER=10.50.1.250
rommon 5 > TFTP_FILE=c1841-advsecurityk9-mz.124-3h.bin
rommon 6 > tftpdnld

          IP_ADDRESS: 10.50.1.251
      IP_SUBNET_MASK: 255.255.255.0
     DEFAULT_GATEWAY: 10.50.1.250
         TFTP_SERVER: 10.50.1.250
           TFTP_FILE: c1841-advsecurityk9-mz.124-3h.bin
        TFTP_MACADDR: 00:1e:13:71:10:12
        TFTP_VERBOSE: Progress
    TFTP_RETRY_COUNT: 18
        TFTP_TIMEOUT: 7200
       TFTP_CHECKSUM: Yes
             FE_PORT: 0
       FE_SPEED_MODE: Auto Detect

Invoke this command for disaster recovery only.
WARNING: all existing data in all partitions on flash: will be lost!
Do you wish to continue? y/n:  [n]:  y
.
Receiving c1841-advsecurityk9-mz.124-3h.bin from 10.50.1.250 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
File reception completed.
Validating checksum.
Copying file c1841-advsecurityk9-mz.124-3h.bin to flash:.
program load complete, entry point: 0x8000f000, size: 0xcb80

Format: Drive communication & 1st Sector Write OK...
Writing Monlib sectors.
.......................................................................................................
Monlib write complete

Format: All system sectors written. OK...
Format: Operation completed successfully.

Format of flash: complete
program load complete, entry point: 0x8000f000, size: 0xcb80

rommon 7 > reboot

Wednesday, September 18, 2013

Palo Alto: What is the Maximum Number of ARP Entries The PA-3020 Firewall can Handle?

The quick answer is 1500.  I was asked to go redo one of the school's network topologies where the "bring your own device" network was having problems.  They had around 1700 devices that would attach to this network.  So what happens when 1501 entries get put in the ARP table on the PA-3020?  Nothing, except that entry 1501 can't be in the ARP table.  The PA-3020 is limited to 1500 entries.  Therefore, there will never be 1501 entries on this device.  I verified this on Palo Alto's site:
https://live.paloaltonetworks.com/docs/DOC-4011

Here is the topology:
I had to do a few things to get this going.  Create a VLAN between the Palo Alto and the Brocade Core Switch.  IP the wireless VLAN so that the Core Switch is the default gateway (that used to be the Palo Alto).  Add a static route on the Palo Alto to point the wireless network to the Core Switch.  And add a route-map on the Brocade Core Switch so that the wireless traffic won't take the default route, but the path to the Palo Alto.

So, why did we change the topology?  Because the Brocade Core Switch can handle a whole lot more ARP entries than the Palo Alto.

Monday, September 16, 2013

Cisco Gateway/CME: SIP Attacks And One Thing To Do To Help Prevent Them

First and foremost, this is not an exhaustive list on how to prevent toll fraud.  I have posted before about things to do in the Cisco CME/Gateways on this topic.  I'm certainly not an expert at this, although I'm trying to make strides to learn more on this topic.  If you are an expert at toll fraud, or know more than what I have posted, I certainly would like to have at least an email conversation with you (to learn some things from you).  So, if you do know a lot about toll fraud and I have missed something, or if your experience is such that you think my posts are spot on, I would like to know your thoughts.  Anyway, see below for more info on this post:
http://www.shanekillen.com/2013/03/how-to-prevent-toll-fraud-on.html

OK, on to this post.  This really gets to me.  Look at the message below from one of the UC500s I put in:

Sep  9 21:12:25.938: %SEC-6-IPACCESSLOGP: list 101 denied udp 188.138.41.34(5166) -> 4.4.4.10(5060), 1 packet
Sep  9 21:15:02.718: %SEC-6-IPACCESSLOGP: list 101 denied udp 72.55.143.164(5060) -> 4.4.4.10(5060), 1 packet

This looks like someone is trying to get in on my Cisco UC500 (a customer of mine).  This is really aggravating to me.  I DO NOT like toll fraud, at all.  And I think this is one attempt that someone has made to do just that.  That is why you need to block SIP traffic coming into the phone system.

access-list 101 deny   udp any any range 5060 5061 log
access-list 101 deny   tcp any any range 5060 5061 log

The ACL above, applied to the outside interface, should block that kind of traffic.  If you don't do SIP, just block it.  No need to open yourself up to the outside and this kind of attack.  This company has a PRI, so you might as well close off H.323 as well.

access-list 101 deny   tcp any any range 1720 1721 log
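The `log` keyword on those deny lines is what produces the `%SEC-6-IPACCESSLOGP` messages shown above, so once the ACL is in place the router keeps telling you who is knocking on 5060/5061 and 1720. The script below is an added example written for this post, not code from the original post or from Cisco: it parses those log lines, totals the denied packets per source address against the SIP and H.323 ports, and lists the sources that keep coming back. The sample log is constructed for the example; it reuses the two lines from the post and adds made-up follow-on lines (the 198.51.100.7 address is documentation space, not a real source). Threshold values are likewise assumptions to tune for your own syslog volume.

```python
import re

# Constructed sample of IOS %SEC-6-IPACCESSLOGP messages: the two lines from
# the post plus made-up follow-on lines for the same and other sources.
SAMPLE_LOG = """\
Sep  9 21:12:25.938: %SEC-6-IPACCESSLOGP: list 101 denied udp 188.138.41.34(5166) -> 4.4.4.10(5060), 1 packet
Sep  9 21:15:02.718: %SEC-6-IPACCESSLOGP: list 101 denied udp 72.55.143.164(5060) -> 4.4.4.10(5060), 1 packet
Sep  9 21:15:03.102: %SEC-6-IPACCESSLOGP: list 101 denied udp 72.55.143.164(5060) -> 4.4.4.10(5061), 1 packet
Sep  9 21:15:04.551: %SEC-6-IPACCESSLOGP: list 101 denied tcp 72.55.143.164(41022) -> 4.4.4.10(5060), 1 packet
Sep  9 21:20:11.004: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(53211) -> 4.4.4.10(1720), 1 packet
Sep  9 21:20:12.004: %SEC-6-IPACCESSLOGP: list 101 denied udp 72.55.143.164(5060) -> 4.4.4.10(5060), 3 packets
"""

# Ports the two ACL lines in the post deny: SIP, SIP over TLS, H.323 call setup.
VOIP_PORTS = {5060: "sip", 5061: "sips", 1720: "h323"}

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\.\d+: %SEC-6-IPACCESSLOGP: list (?P<acl>\S+) "
    r"(?P<action>denied|permitted) (?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)


def parse_log(text):
    """Turn each matching syslog line into a dict; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            for key in ("sport", "dport", "count"):
                ev[key] = int(ev[key])
            events.append(ev)
    return events


def summarize_voip_denies(events, ports=VOIP_PORTS):
    """Per source: packets denied to the VoIP ports, which services, which protocols."""
    summary = {}
    for ev in events:
        if ev["action"] != "denied" or ev["dport"] not in ports:
            continue
        s = summary.setdefault(ev["src"], {"packets": 0, "services": set(), "protocols": set()})
        s["packets"] += ev["count"]          # IOS reports a count per log line
        s["services"].add(ports[ev["dport"]])
        s["protocols"].add(ev["proto"])
    return summary


def repeat_offenders(summary, min_packets=3):
    """Sources at or above the packet threshold, busiest first (threshold is an assumption)."""
    return sorted(((src, s["packets"]) for src, s in summary.items()
                   if s["packets"] >= min_packets),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    summary = summarize_voip_denies(parse_log(SAMPLE_LOG))
    for src, packets in repeat_offenders(summary):
        s = summary[src]
        print(f"{src}: {packets} packets, {sorted(s['services'])}, {sorted(s['protocols'])}")
```

Note that the trailing "N packets" is the count IOS attaches to each log message, not a guarantee of one message per packet, so the totals are lower bounds. Pointing the script at the router's syslog collector rather than the console buffer gives a history long enough to see which sources probe every few minutes.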

Sunday, September 15, 2013

Brocade: "detection failed - out of range capacitor" PART 2

This is a part two from an earlier post I did.  You can find PART 1 here:
http://www.shanekillen.com/2011/12/brocade-foundry-poe-insufficiency.html

I was asked the following question:
What causes the error "detection failed - out of range capacitor"? (for the Brocade switches)

So, I did some research, because I was not quite sure.  Here is what I found:
http://www.foundrynet.com/services/documentation/fastiron_config/fsx04001&fgs04200/FI_POE.12.10.html
OF INTEREST:
detection failed - out of range capacitor – The port failed capacitor detection (legacy PD detection) because of an out-of-range capacitor value. This can occur when connecting a non-PD on the port.

Now, my question is this:  What does 'non-PD' mean exactly?  I 'think' it refers to a 'non powered device', based on what I read.  Nothing spells that out clearly, but I do think that is what it means.

I see this to back this up on the above link:
802.3AF-PD – The powered device connected to this port is 802.3af-compliant.

Ports Off-No-PD - The number of ports on the Interface module to which no powered devices are connected.


Saturday, September 14, 2013

WAN Response Times And How Traffic Can Affect WAN Speed

Here below is just a thought on WAN response times.  In this case, I just went to speakeasy.com to do a speed test.  This was on a 3Meg bonded T1 circuit and it did the normal download and upload of the test.  See below the response times:

Friday, September 13, 2013

Cisco Catalyst 1900: Can You Do Trunking With This Switch?

Well, the short answer is Yes AND No.  I went onsite with another engineer and found that the request being made was to add an IP Phone (a Yealink) to the voice VLAN of the Cisco infrastructure.  In these trailers, they had two Cisco 1900s and one Cisco 2600.  Pretty old stuff.  So, do these older switches support trunking?  See the topology, then let's discuss more.
Yes, the 2600 does support trunking.  It has one command that is slightly different, which I cannot recall at this time.
Yes and No on the 1900s.  Yes, the 1900 can do trunking IF you have the Enterprise version of IOS.  If you have the Standard version, then the answer is No.  Here is what the documentation says:
The Catalyst 1900 runs two versions of images, namely the Standard and Enterprise editions. Trunking is only supported on the Enterprise images, and it only supports ISL encapsulation and does not support 802.1q. This limits the capability of the Catalyst 1900 to form a trunk with other Catalyst switches that can support ISL trunking. Furthermore, trunking can only be configured on the two x 100 Mbps uplink ports on the Catalyst 1900. These are the last two ports on the switch normally marked Ax and Bx. You can configure up to 1005 VLANs on the Catalyst 1900 Enterprise image. The Command Line Interface (CLI) (similar to the Cisco IOS® CLI) is only available on the Enterprise image of the Catalyst 1900.

Oh, and here is a small look at what the console looks like, just in case you are curious:

        Catalyst 1900 - Main Menu

     [C] Console Settings
     [S] System
     [N] Network Management
     [P] Port Configuration
     [A] Port Addressing
     [D] Port Statistics Detail
     [M] Monitoring
     [B] Bridge Group
     [R] Multicast Registration
     [F] Firmware
     [I] RS-232 Interface
     [U] Usage Summaries
     [H] Help

     [X] Exit Management Console


Enter Selection:  F

Thursday, September 12, 2013

Brocade Reliable Firmware/IOS Revisions Update

My Brocade SE sent me an update on stable firmware revisions.  I'm reposting them here for you all to see.

FSX 7.3.00f (make sure to look through release notes for supported modules)
FCX 7.3.00f (02.1.0 poe firmware)
6610 7.3.00f (02.1.0 poe firmware)
64xx 7.4d (02.1.0 poe firmware)
FWS 7.3.00f
FGS 7.2.02 latest

Wednesday, September 11, 2013

Routing Administrative Distance Values: Which Routing Protocol Has The Higher Priority?

If you need to know, which if you are a network guy you do need to know, here are the AD values for the different routing protocols.  Static routes and directly connected routes are always more reliable than anything else.

Tuesday, September 10, 2013

Cisco Router: How To Do A Password Recovery (i.e. Break Into A Router)

What is the real difference?  If you are a good guy, you call it password recovery.  If you are a bad guy, you call it "breaking into the router".  Either way, the process is the same.  You just need physical access to the router.  In this case, I have a Cisco 837 I need to get into.  They don't know the password, and I need to make routing changes.  No password?  No problem.  Give me 10 minutes and I'll get it squared away.
Reboot the router.
I use Tera Term, so I do an "Alt/B" to stop the boot (on the console).
At the rommon prompt, I type in: confreg 0x2142
Then I type: reset
The router reboots like it's never been configured.  I say "No" to the lazy man's way to config (the prompts).
I type in "copy start run" to get the config back in place, after I have typed in enable to get to the main prompt.
Then I type in a new userID and password, along with a new enable secret password.
I also type in: config-reg 0x2102 to get the router to boot back normally again by using the startup-config file.
Lastly, I do the wr mem and I'm good to go.

Done.  It shouldn't be this easy to break into a router, but it is.

Monday, September 9, 2013

Cisco Router: Defining The Card Type For PRI/T1 Modules/Module Does Not Show Up

There are some types of T1 WIC modules that will not show up in the config until you tell the router what type of card it is.  Here in the US, we use T1 lines with these types of modules, not E1 (although I'm not sure why, E1 is faster).  In this case, I have a VWIC3-1MFT-T1/E1 module.
Notice the picture below BEFORE I type in the command to enable the card.

Now, lets enable this module in the router:
Router(config)#card type t1 0 1
Router(config)#


Notice the LED is now on.

Saturday, September 7, 2013

How To Compact The GMS Accounting Software Access Database

If you have the GMS accounting software, it is recommended that you compact the database once a day.  I had to figure this process out, so I thought I would post how to do this here on this blog.

Go into windows explorer (right click on start at the bottom right hand corner, then select 'open windows explorer').
Once the window comes up, then on the left side, select the share where your database resides.
On the right side of Windows Explorer, open the "Convert" folder.
Find the file "Conversion.MDB", and double click on it.
Microsoft Access will open, and it will ask you for a password to get into it.  The password is "XXXX".
NOTE: This is the GMS database that you are currently in.
Now that you are into the database, go to the top left hand corner, where you see the Microsoft symbol (4 color squares).
Click on the symbol, and go down to "Manage".
Once you are on "Manage", the next menu comes up and you want to select "Compact and Repair Database".
Once you click on this, it will start the process.  No one can be in the GMS program at this time.

Friday, September 6, 2013

Cisco ASA/Pix: What Is The Default Username When Using Only A Password To Login

There have been times when I come across a customer that has an ASA or Pix where they only have a password set.   I don't prefer that, because it becomes an easy guess for some people.  The default username for a 'password only' login is 'pix'.  See below as I logged into an ASA with this login.

Thursday, September 5, 2013

Sabotage In The Workplace?

I got a call about a remote warehouse being down across a point to point bridge.  I went onsite and found the below problem with the AP.  I guess sometimes your workers need a break.

Wednesday, September 4, 2013

Cisco FXS Module: How Can I Tell If My FXS Module Is Working Properly?

Sometimes getting your dial-peers working right can be difficult under certain circumstances.  However, a good indication is if you make a call and you see the LED light up on the port you are trying to forward the call to.  See the picture below.  I have a fax machine at the other end of the FXS port.  I make the call in with my cell phone and the dial-peer appears to be working fine, along with the FXS module (indicated by the LED lighting up when I make the call in).  Now, just wait for the fax to answer.


Monday, September 2, 2013

Cisco: How To Install A T1 Module (Or An FXS/FXO/Etc.) Into A Cisco Router

It's not too hard really.  You just pull out the cover insert and push in your module, with the power off preferably.  In this sequence, I had to have the cover off because of some other troubleshooting, but I thought I'd show you what happens on the inside as well.
Step 1:

Step 2:

Sunday, September 1, 2013

Brocade AP1220 Wireless Install

A lot of Brocade 1220 APs waiting to go in.  Brocade has a pretty good wireless solution.  With that said, I have heard of mixed opinions on Brocade's wireless, which is really based off of Motorola's wireless implementation.  I personally like it.