Confused about meaning of SE and EX releases in Cisco IOS

I have been looking into this for a while now, but I can’t find an explanation anywhere (the closest I could find was in Wikipedia and Cisco).
The switch is a 2960S that I need to stack to a 2960X (so I need the exact IOS versions on both). I can download these two versions for the 2960S: 15.0.2-EX5(ED) and 15.0.2-SE10a(MD).

Basically it seems to say that:

  • S Consolidates mainline, E, and other S, which supports
    high-end backbone routers, and fixes defects.
  • E Targets enterprise core and SP edge, supports
    advanced QoS, voice, security, and firewall, and fixes

But what does SE mean? Is it a mix of S and E? What does the X in EX mean?


Stand-alone Cisco switch in BladeCenter is un-pingable

After un-stacking a Cisco switch in my IBM BladeCenter I can no longer ping the management IP I had configured on my management VLAN. The only item I see that changed is that the BladeCenter AMM added an internal Ethernet management port. There has been some discussion on Reddit. Prior to un-stacking, this VLAN interface was working.

I still haven’t found a resolution that would explain why this isn’t working or how to allow access over the current management VLAN. If possible I would like to keep L3 routing off on the switch.

As far as testing, I have configured an access port and a trunk port native to the management VLAN. I connected a laptop with a static IP within the management VLAN range to these ports and was not able to ping or access the switch. When the switch is connected it does pass traffic, as expected, on all ports/VLANs. However, I was still unable to ping or SSH to the switch directly.

For testing purposes:

  • I have configured an access port and a trunk port native to the management VLAN, and I’ve configured a laptop with an IP in the management VLAN to connect to these test ports.
  • Devices on other VLANs are able to connect and pass traffic through this switch.
  • The switch itself cannot ping other devices when using no source, the FE interface as source, or the management VLAN IP as the source.
  • I’ve removed the management VLAN IP, and configured the FastEthernet port with the management VLAN IP.
    • I suspect this doesn’t work as I cannot set a VLAN onto the FastEthernet port.
  • I’ve removed the default gateway with, and without, the VLAN ID configured and with the FastEthernet port configured.

Here is a partial config:

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname sw-7-tsting
enable secret ...
username ....
no aaa new-model
clock timezone EST -5 0
switch 1 provision ws-cbs3110g-s-i
system mtu routing 1500
ip domain-name abc.def
vtp mode transparent
crypto pki ...
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree pathcost method long
no spanning-tree vlan 1-4094
port-channel load-balance src-dst-ip
vlan internal allocation policy ascending
vlan N
 name traffic N
vlan NN
 name traffic NN
vlan NNN
 name traffic NNN
vlan XXX
 name network management
ip ssh time-out 60
ip ssh version 2
interface FastEthernet0
 ip address 192.168.x.x
interface GigabitEthernet1/0/17
 description used to test all vlans
 switchport trunk native vlan XXX
 switchport trunk allowed vlan N,NN,NNN,XXX
 switchport mode trunk
 switchport nonegotiate
interface GigabitEthernet1/0/18
 description used to test network VLAN XXX
 switchport access vlan XXX
 switchport mode access
 switchport nonegotiate
interface Vlan1
 no ip address
interface Vlan XXX
 ip address 10.XXX.200.236
ip default-gateway 10.XXX.200.1
ip http server
ip http secure-server
snmp-server community public RO
snmp-server host 10.XXX.200.30 version 2c public udp-port 161
line con 0
line vty 0 4
 transport input ssh
line vty 5 15
ntp server


Automating Cisco ACL changes

I’ve recently started taking on more network management tasks to help our short-staffed networking team. I’m very comfortable with network theory and have configured a number of IOS devices, but am hardly an IOS guru.

One of the first large tasks I was assigned was to add some ACL rules to a hundred plus ACLs we have. Coming from the sys admin side of things, I was baffled to find out that these changes are all made by hand.

Is there not a way to automate these types of configuration issues? What tools should I be learning to use for changing configurations in a scripted fashion across many devices/ACLs? So far my Googlefu has only pointed to Python with pexpect. It just seems like this is such a common task that there would be better tools already set up for it.

I understand that this could be a fairly broad question, but I’m just looking for a starting place to work from.

Note: If there is a commercial tool that is a perfect fit for this case, just assume that we didn’t pay for it. That is normally how it goes.
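
Added example (not part of the original question, and not any vendor's tool): one way to script the change described above is to generate a reviewable, idempotent per-ACL change set from captured `show ip access-lists` output before anything is pushed to a device. The ACL names, addresses and the rule are constructed; the rule text must be written exactly as the device displays entries, since IOS may show well-known ports by name.

```python
import re
# Constructed sample of `show ip access-lists` output (not from the original post).
SAMPLE = """\
Extended IP access list EDGE-IN
    10 permit tcp any host 192.0.2.10 eq 443
    20 deny ip any any log (1532 matches)
Extended IP access list MGMT-IN
    10 permit tcp 198.51.100.0 0.0.0.255 any eq 22 (87 matches)
    20 deny ip any any
Extended IP access list DMZ-IN
    10 permit udp host 198.51.100.53 any eq domain
    11 deny ip any any
"""
HEADER = re.compile(r"^Extended IP access list (\S+)")
ENTRY = re.compile(r"^\s+(\d+)\s+(.*?)(?:\s+\(\d+ match(?:es)?\))?\s*$")

def parse_acls(text):
    """Return {acl_name: [(seq, rule), ...]}, with hit counters stripped."""
    acls, current = {}, None
    for line in text.splitlines():
        if (h := HEADER.match(line)):
            current = acls.setdefault(h.group(1), [])
        elif current is not None and (e := ENTRY.match(line)):
            current.append((int(e.group(1)), e.group(2)))
    return acls

def plan_seq(entries, rule):
    """Sequence number placing `rule` before a final deny; None if already present."""
    if any(existing == rule for _, existing in entries):
        return None  # idempotent: never add a duplicate entry
    if entries and entries[-1][1].startswith("deny ip any any"):
        last, prev = entries[-1][0], (entries[-2][0] if len(entries) > 1 else 0)
        if last - prev < 2:
            raise ValueError("no free sequence number before final deny")
        return prev + (last - prev) // 2
    return (entries[-1][0] if entries else 0) + 10

def build_changes(text, rule):
    """Return (changes, skipped): config lines per ACL, and ACLs needing review."""
    changes, skipped = {}, {}
    for name, entries in parse_acls(text).items():
        try:
            seq = plan_seq(entries, rule)
        except ValueError as exc:
            skipped[name] = str(exc)
            continue
        if seq is not None:
            changes[name] = [f"ip access-list extended {name}", f" {seq} {rule}"]
    return changes, skipped
```

ACLs returned in `skipped` have no gap before their final deny and need `ip access-list resequence` or manual review; the generated lines can then be pushed with whatever transport is in use.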


GRE Tunnel Cisco Linux traffic forwarding

I set up a GRE tunnel between a Cisco router and a Linux machine; the tunnel interface on the Linux box is named pic.
I have to forward traffic coming from the Cisco router through the Linux box.
The rules I’ve set on the Linux box are as follows:

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables  -A INPUT -p 47 -j ACCEPT
iptables  -A FORWARD -i ppp0 -j ACCEPT
iptables  -A FORWARD -i pic  -o ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables  -A FORWARD -i ppp0 -o pic -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables  -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

I see the traffic coming from the tunnel and being forwarded to the Internet, but no reply to the sent packets.

Maybe I am missing something like a routing rule?


Problems with getting both ingress and egress Netflow data

I have a Cisco 6500 switch that I want to capture all vlan8 traffic incoming and outgoing. I talked with my networking group and they set me up with the following commands. (May not be exact commands but this was an example I gave them)

conf t
ip flow-export version
ip flow-export destination 1234
int vlan8
ip flow
ip flow ingress
route-cache flow

I am currently capturing this data using Ntop and we are getting a lot of traffic. I see all incoming and outgoing traffic from all vlan8 machines ( However for any machine that is not in vlan8, but is talking to vlan8, I only see the received traffic from them.

Ex. goes to a website on
I only see received traffic from the machine and no sent traffic. Obviously it has sent traffic because received the website.

I just wanted to verify that this is how Netflow captures data and that everything is working correctly. It kinda makes sense to me that since isn’t in vlan8 it may not get the outbound traffic (even though it sends it to vlan8). Ideally I’d want sent and received traffic from anything that touches vlan8. Thanks.