|
Ok so I have my CCNA, making good progress on my CCNP but do not work at all with Cisco gear. I don't even do networking for that matter. So what I want to know is, while I'm on the hunt for a networking job (hopefully at where I currently work) what would you guys recommend as the best way to 'practice' to keep the skills and knowledge relatively fresh in my head? Ideally I'd like to buy a poo poo ton of equipment (right now I have a 2924xl, 2610xm, 1231ga that I have my home network setup with) and just setup random different networks. Would also like to find some kind of Cisco forum where people ask for help and I could try to help/research/figure out real problems. Anyone know of such a forum or have any other suggestions?
|
# ? May 27, 2007 15:30 |
|
Goons, a shiny plat or archives if anyone can solve this as it's rapidly driving me insane. I'm trying to set up a PIX 515 to PIX 506e IPSEC VPN. The first PIX (vpn-01) is sat in our colocated data centre (which has access to our entire 10.0.0.0 network) and the second (vpn-02) is in a remote office. The aim of the VPN is to allow the users in the remote office access to 10.0.0.0/255.0.0.0 and vice versa. Currently it looks like this:
code:
[vpn-02]                                   [vpn-01]
attached network 10.160.0.0                attached network 10.0.0.0
inside  10.160.2.8                         inside  10.10.2.90
outside 82.*.*.37   <-- Internet -->       outside 192.168.10.90 (NATed from 85.*.*.72)

I've been toiling with it on and off for about a week now but am pretty much stuck. I've managed to get phase 1 to complete but phase 2 stops with:
code:
IPSEC(validate_transform_proposal): proxy identities not supported

Everything I've found related to this error points to a mismatch in the ACLs between the hub and spoke PIXes. However, as it's an EasyVPN setup, as far as I understand from my Cisco book and Cisco website docs, you don't set an ACL on the spoke PIX as it's unnecessary.

The configs that I have are as follows:

vpn-01 (colocation hub):
code:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password GRePyfvSUgEmkwRU encrypted
passwd GRePyfvSUgEmkwRU encrypted
hostname vpn-01
domain-name hoarelea.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list remoteofficeAllowAllInternal permit ip 10.0.0.0 255.0.0.0 10.160.0.0 255.255.0.0
access-list remoteofficeAllowSplitTunnel permit ip 10.0.0.0 255.0.0.0 10.160.0.0 255.255.0.0
pager lines 24
logging on
logging timestamp
logging standby
logging buffered informational
logging trap errors
logging facility 19
logging host inside *.*.*.*
icmp permit any echo outside
icmp permit any echo-reply outside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.10.90 255.255.255.0
ip address inside 10.10.2.90 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 192.168.10.8 2
route inside 10.0.0.0 255.0.0.0 10.10.2.8 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.0.0.0 inside
snmp-server host inside 10.10.2.26
snmp-server location collocation
no snmp-server contact
snmp-server community *******
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set remoteofficetrmset1 esp-aes-256 esp-sha-hmac
crypto map map1 10 ipsec-isakmp
crypto map map1 10 match address remoteofficeAllowSplitTunnel
crypto map map1 10 set peer 82.*.*.37
crypto map map1 10 set transform-set remoteofficetrmset1
crypto map map1 client authentication LOCAL
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup remoteofficegroup dns-server 10.10.2.3
vpngroup remoteofficegroup wins-server 10.10.2.3
vpngroup remoteofficegroup default-domain ******.local
vpngroup remoteofficegroup idle-time 1800
vpngroup remoteofficegroup password ********
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 10
ssh timeout 5
console timeout 15
username remoteoffice password DjuV6qUmVH8HCPlZ encrypted privilege 2
terminal width 80

and the remote office PIX (vpn-02 spoke):
code:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password GRePyfvSUgEmkwRU encrypted
passwd GRePyfvSUgEmkwRU encrypted
hostname vpn-02
domain-name *******.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 82.*.*.37 255.255.255.240
ip address inside 10.160.2.8 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any echo-reply
route outside 0.0.0.0 0.0.0.0 82.*.*.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http 10.160.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 15
ssh timeout 5
console timeout 15
username remoteoffice password DjuV6qUmVH8HCPlZ encrypted privilege 2
vpnclient server 85.*.*.72
vpnclient mode network-extension-mode
vpnclient vpngroup remoteofficegroup password ********
vpnclient username remoteoffice password ********
vpnclient enable
terminal width 80

As mentioned, phase 1 is ok:
code:
vpn-01# sh cry isakmp sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
    192.168.10.90       82.*.*.37    QM_IDLE         0           0

but phase two debug output is this:
code:
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 192.168.10.90, src= 82.211.81.37,
    dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    src_proxy= 10.160.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes-256 esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x400
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 192.168.10.90, src= 82.211.81.37,
    dest_proxy= 10.160.0.0/255.255.0.0/0/0 (type=4),
    src_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes-256 esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x400
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 1) not supported
IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 2) not supported
IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 1) not supported
IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 2) not supported
IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 1) not supported
IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 2) not supported
IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 1) not supported
IPSEC(validate_proposal): transform proposal (prot 3, trans 2, hmac_alg 1) not supported
IPSEC(validate_proposal): transform proposal (prot 3, trans 11, hmac_alg 1) not supported
IPSEC(validate_proposal): transform proposal (prot 3, trans 11, hmac_alg 2) not supported

Apologies for all the text. I thought it best to include everything. The only thing I can think of that might be causing a problem is the fact that the outside address on vpn-01 is NATed and that the NATed address is shown in the 'sh crypto isakmp sa' output rather than the real public IP. I thought nat-traversal would take care of that though. Or perhaps it's something to do with the hub PIX being on a 10.0.0.0/8 network which the 10.160.0.0 subnet is essentially part of. I've not been able to find any examples of people doing this - only people creating VPN tunnels between clearly defined /24s but I'd think it would work...

All this is fairly new to me as I've recently been promoted in my job and had to teach myself from a Cisco book in a hurry, so any help would be greatly appreciated. I did try abandoning EasyVPN and following a LAN2LAN example but got even less far with that. Brinx fucked around with this message at 13:49 on May 29, 2007 |
# ? May 29, 2007 13:43 |
|
karttoon posted:what would you guys recommend as the best way to 'practice' to keep the skills and knowledge relatively fresh in my head? I would recommend buying a used 3640 with a 12.4 IOS. Then you can steal the IOS image and use it with Dynamips/Dynagen to emulate a handful of 3640's.
|
# ? May 29, 2007 15:05 |
|
karttoon posted:Ok so I have my CCNA, making good progress on my CCNP but do not work at all with Cisco gear. I don't even do networking for that matter. So what I want to know is, while I'm on the hunt for a networking job (hopefully at where I currently work) what would you guys recommend as the best way to 'practice' to keep the skills and knowledge relatively fresh in my head? You've probably got a slightly better chance at moving up to a neteng position at your current job than leaving your position and trying to get one of those with just a CCNP and no hands-on experience with production equipment. groupstudy.com has a lot of CCIE's that are studying for their lab exam - if you want ideas/scenarios to blow your mind, that's probably a decent place to start.
|
# ? May 29, 2007 19:01 |
|
Sorry for the double post but I am sad I missed the beginnings of this thread.
|
# ? May 29, 2007 19:02 |
|
Brinx posted:IPSEC Stuff with overlapping IP4 subnets. I do not think it would be possible to create a phase 2 SA when network 1 is a subnet of network 2 (e.g. 10.10.1.0/24 to a 10.0.0.0/8). You want to get more specific on your 10.0.0.0/8 classification at the colo/hq/hub fw. You also want to exclude any network that will traverse the VPN tunnel from NAT. Or just restrict all of RFC 1918 from NATing. The reason being that NAT is processed before IPSEC: even if you get the tunnel up by fixing the overlapping subnets, the source IP of all that traffic will be the public IP they are NAT'd behind. At least that's how it used to work... Hope this helps. Herv fucked around with this message at 21:14 on May 29, 2007 |
# ? May 29, 2007 21:03 |
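As an added example (not posted by anyone in the thread), here is the shape Herv's advice takes on both PIX 6.3 boxes once EasyVPN is dropped for a plain LAN-to-LAN crypto map: the hub names only the range it actually serves instead of the whole /8, the two crypto ACLs are exact mirrors of each other, and nat 0 keeps the tunnel traffic out of translation on both ends. 10.10.0.0/16 as the hub-side range, the pre-shared key, and the documentation addresses 198.51.100.72 (hub's public address, standing in for the masked 85.*.*.72) and 203.0.113.37 (spoke, standing in for 82.*.*.37) are assumptions; lines beginning with a colon are comments.

```cisco
: ---- vpn-01 (hub, PIX 6.3) ----
: Hub side is 10.10.0.0/16 here (assumption). A 10.0.0.0/8 that contains the spoke's
: 10.160.0.0/16 is what phase 2 rejects as "proxy identities not supported".
access-list remoteoffice-vpn permit ip 10.10.0.0 255.255.0.0 10.160.0.0 255.255.0.0
: Same pair for NAT exemption. PIX 6.3 will not forward inside-to-outside traffic that
: matches no nat statement at all, so nat 0 both permits it and preserves the real
: source addresses the crypto ACL is written for.
access-list no-nat permit ip 10.10.0.0 255.255.0.0 10.160.0.0 255.255.0.0
nat (inside) 0 access-list no-nat
sysopt connection permit-ipsec
crypto ipsec transform-set remoteofficetrmset1 esp-aes-256 esp-sha-hmac
crypto map map1 10 ipsec-isakmp
crypto map map1 10 match address remoteoffice-vpn
crypto map map1 10 set peer 203.0.113.37
crypto map map1 10 set transform-set remoteofficetrmset1
crypto map map1 interface outside
isakmp enable outside
isakmp key ******** address 203.0.113.37 netmask 255.255.255.255
isakmp identity address
: The hub sits behind a NAT router, so NAT-T stays on; that router must forward
: UDP/500 and UDP/4500 to 192.168.10.90 or phase 1 never even starts.
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

: ---- vpn-02 (spoke, PIX 6.3) ----
: EasyVPN client mode is removed; this end is now an ordinary LAN-to-LAN peer.
no vpnclient enable
access-list hub-vpn permit ip 10.160.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list no-nat permit ip 10.160.0.0 255.255.0.0 10.10.0.0 255.255.0.0
: nat 0 with an ACL wins over the catch-all PAT below; without it VPN traffic leaves
: with the outside address as its source and never matches the hub's ACL.
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
sysopt connection permit-ipsec
crypto ipsec transform-set hubtrmset1 esp-aes-256 esp-sha-hmac
crypto map map1 10 ipsec-isakmp
crypto map map1 10 match address hub-vpn
crypto map map1 10 set peer 198.51.100.72
crypto map map1 10 set transform-set hubtrmset1
crypto map map1 interface outside
isakmp enable outside
isakmp key ******** address 198.51.100.72 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

The check is `show crypto ipsec sa` on either box: the local ident and remote ident lines should show 10.10.0.0/255.255.0.0 and 10.160.0.0/255.255.0.0 as mirror images of each other, and the #pkts encaps counter should climb when a host on one side pings the other. If the counters stay at zero while the SA exists, the nat 0 ACL is the first thing to check.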
|
I've got a question. Here's a short disclaimer: I recently completed my CCNP, and I should really be punched in the face for not understanding this by now. Now that that's out the way, here's the question: So this has ALWAYS confused me, and I can't seem to find a clear answer on my own. I have a 3750 here, which I've added 5 loopbacks to:
code:
int lo0
 ip address 10.1.1.1 255.255.255.0
int lo1
 ip address 10.1.2.1 255.255.255.0
int lo2
 ip address 10.1.3.1 255.255.255.0
int lo3
 ip address 10.1.4.1 255.255.255.0
int lo4
 ip address 10.1.5.1 255.255.255.0

Each with a /24 mask. Here's the output of "show ip route" code:
code:
code:
Thanks atticus fucked around with this message at 15:53 on May 30, 2007 |
# ? May 30, 2007 15:49 |
|
atticus posted:Now you can clearly see how even further I get confused, using my logic: how can you possibly "subnet" a /32?!? Can you guys shed some light as to WHY Cisco does this? I sure would appreciate it. It's a bit of a historical hold-over from the days before VLSM. For instance: code:
If you subnet variably within the same space, ie., 10.0.1.0/24, 10.1.0.0/16, then IOS reports the natural classful mask, and says "10.0.0.0/8 is variably subnetted, X subnets, Y masks" You're good to pick up on it in the first place, since most people don't even notice. I hope that sort of explains what's going on.
|
# ? May 30, 2007 16:06 |
|
jwh, as always, is welcome to have my cisco babies.
|
# ? May 30, 2007 16:13 |
|
Herv posted:I do not think it would be possible to create a phase 2 sa when network 1 is a subnet of network 2. (e.g. 10.10.1.0/24 to a 10.0.0.0/8) Great, thanks. That's set me in the right direction. Phase 2 completes now so hopefully just a bit of fiddling with the routing at the far end and it'll be up and running. Appreciate the help.
|
# ? May 30, 2007 20:35 |
|
I'm not quite following the difference between SNMP Inform and SNMP Trap in the context of a CAT 2950. What is the difference?
|
# ? Jun 1, 2007 20:22 |
|
InferiorWang posted:I'm not quite following the difference between SNMP Inform and SNMP Trap in the context of a CAT 2950. What is the difference? Short answer: SNMP trap simply sends a trap on an event to the host config'd to receive. SNMP inform sends an inform to the host config'd to receive, which then sends back an ack with an SNMP response PDU. These are generally more reliable than traps, but are only supported with devices that support SNMP v2c. Cat 2950 config docs where this is covered: http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22_ea2/configuration/guide/swsnmp.html
|
# ? Jun 1, 2007 22:36 |
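An added example, not from the thread or the linked doc: a trap receiver and an inform receiver configured side by side on a 2950 running 12.1(22)EA2, with the default read-only community that both PIX configs posted above still carry (`public`) replaced by one locked to the management station. The NMS address 10.0.1.26, the community string and the ACL number are assumptions.

```cisco
! Weak: the default community, readable by anything that can reach the switch.
snmp-server community public

! Hardened: read-only community, accepted only from the NMS.
no snmp-server community public
access-list 10 permit host 10.0.1.26
snmp-server community n3tm0n-ro RO 10

! Which events generate notifications at all; without this nothing is ever sent.
snmp-server enable traps snmp linkdown linkup coldstart
snmp-server enable traps config

! Trap receiver: one UDP/162 datagram per event, no acknowledgement, nothing retried.
snmp-server host 10.0.1.26 traps version 2c n3tm0n-ro

! Inform receiver: the same notification types, but the switch holds each one until the
! NMS answers with a Response PDU, retrying 3 times 30 s apart before giving up.
! Informs require v2c or v3; a v1 host entry silently gets traps only.
snmp-server host 10.0.1.26 informs version 2c n3tm0n-ro
snmp-server inform retries 3 timeout 30 pending 25
```

`show snmp` shows the inform counters (sent, retried, dropped) so you can see whether the NMS is actually acknowledging; `show snmp host` lists both entries with their type. Neither form authenticates more than the community string, which crosses the wire in clear text with v2c, so the ACL is what keeps a stray host on the LAN from reading the switch's tables with `public`.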
|
We came into possession of a new Catalyst 2950 switch and not having anything better to do we decided to use it for our build network to replace a tiny netgear soho switch. We just took it out of the box and plugged it in, not knowing anything about these things particularly. Anyway, it works ok, the only slight issue I've noticed is that when I network boot a PC with RIS, it takes quite a long time to pick up a DHCP address and boot into RIS, certainly much slower than on the old netgear. I'm sure this is some simple config issue, since like I say we didn't touch it in any way out of the box apart from plug it in. Is this a simple fix or shall I just put up with it, not exactly a show stopper adding like 30 seconds wait time before I can press enter to set off the ghosting.
|
# ? Jun 1, 2007 23:07 |
|
^^^^ Blah blah blah spanning-tree blah blah enable portfast. http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00800b1500.shtml
|
# ? Jun 1, 2007 23:55 |
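The fix inignot is pointing at, written out as an added example rather than copied from the linked tech note. PortFast skips the listening and learning states that cost a PC about 30 seconds of link-up with no traffic, which is the delay a RIS boot hits. The port ranges are an assumption for a 24-port 2950.

```cisco
! Access ports to PCs: go straight to forwarding so the NIC's first DHCP discover is not lost.
interface range FastEthernet0/1 - 22
 switchport mode access
 spanning-tree portfast
 ! A PortFast port that ever sees a BPDU has a switch or bridge behind it, not a PC;
 ! err-disable it rather than let it take part in (or hijack) the spanning tree.
 spanning-tree bpduguard enable

! Uplinks to other switches never get PortFast; a loop through them would forward immediately.
interface range FastEthernet0/23 - 24
 switchport mode trunk
 no spanning-tree portfast

! Bring a BPDU-guarded port back after five minutes instead of needing a manual shut/no shut.
errdisable recovery cause bpduguard
errdisable recovery interval 300
```

`show spanning-tree interface FastEthernet0/1 portfast` should read "enabled", and `show interfaces status err-disabled` will list any port BPDU guard has tripped, which is also how you find out someone plugged an unmanaged switch into a desk port.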
|
inignot posted:^^^^ Tremendous, I'll give that a whirl on Monday.
|
# ? Jun 2, 2007 00:15 |
|
A client of ours has two computers running some proprietary software connected over an IPSEC VPN using PIX 501s. He claims that every 15 minutes, if someone isn't doing something on the computer, the connection will drop. Using a sh isakmp sa shows:
code:
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
    xx.xxx.xxx.xxx    yy.yyy.yyy.yyy    QM_IDLE         0           1

which I believe shows that it's up and running. This is the configuration file, and while I think it looks like it shouldn't idle out for a day, I was wondering if there was anyone who could tell me what I may be doing wrong? I've had very little experience with these so any help at all would be greatly appreciated. I'm not totally convinced it's the VPN that's disconnecting either.
code:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password notreal encrypted
passwd notreal encrypted
hostname thisisdifferent
domain-name zzzz.zzz
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 90 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 50 permit tcp xx.xxx.xxx.x 255.255.255.128 any
access-list 50 permit tcp host xx.xxx.xxx.xxx any
access-list 50 permit tcp any any eq ssh
access-list no-nat permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list no-nat permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inmap permit tcp any host yy.yyy.yyy.yyy eq 5613
access-list inmap permit tcp any host yy.yyy.yyy.yyy eq telnet
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside yy.yyy.yyy.yyy 255.255.255.192
ip address inside 10.0.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.1.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 10.0.2.0 255.255.255.0 outside
pdm location xx.xxx.xxx.xxx 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface telnet 10.0.1.10 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5613 10.0.1.10 5613 netmask 255.255.255.255 0 0
access-group inmap in interface outside
route outside 0.0.0.0 0.0.0.0 gg.ggg.ggg.ggg 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.1.0 255.255.255.0 inside
snmp-server host outside zz.zzz.zzz.zz
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set idaville esp-des esp-md5-hmac
crypto map otherplace 1 ipsec-isakmp
crypto map otherplace 1 match address 90
crypto map otherplace 1 set peer xx.xxx.xxx.xxx
crypto map otherplace 1 set transform-set idaville
crypto map otherplace 1 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map idaville interface outside
isakmp enable outside
isakmp key ******** address xx.xxx.xxx.xxx netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh zz.zz.zzz.z 255.255.255.255 outside
ssh 10.0.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd auto_config outside
username admin password VQLdnwypBeKc65uW encrypted privilege 15
terminal width 80
Cryptochecksum:cc6428afd782ea604c007237f38292f9
: end
|
# ? Jun 7, 2007 13:34 |
|
quote:sh isakmp sa shows: That just shows the Main Mode/ Phase 1 SA. You want to check the Quick Mode/ Phase 2 SA with a 'sh cry ip sa'. If that is dropping then it will jibe with what they are seeing. Do the phase 1 and 2 SA lifetimes match up on both firewalls? Worst case make a startup script that runs silently, pinging across constantly.
|
# ? Jun 7, 2007 16:37 |
|
Does "connection drop" mean the client suspects the tunnel is failing, or his application socket is failing? The latter seems more likely.
|
# ? Jun 7, 2007 16:57 |
|
I'm looking for some feedback on a current project. We're migrating our user vpn to a pair of ASA5540's, and we intend to terminate users into separate pools, which will correspond to separate 802.1q vlan subinterfaces. I think that will work at least. However, I'm confused about whether the client gateway is the ASA, and if that's set via tunnel-group parameters, or if the client gateway is the next-hop from the ASA on that specific 802.1q subinterface. I'm trying to figure out if this is going to work at all, because the ASA is sitting on a heavily segregated VRF-lite environment, and the ASA isn't like an IOS device with multiple routing tables. Contexts would maybe solve this, except for the fact that apparently you can't run multiple contexts and terminate remote access VPN on the same ASA. Or run OSPF. Boo. I can't even just turn up OSPF in single-context mode because there's identical routes in each VRF that would collide, and I don't even want to think about what kind of unlivable hell that would cause. Long story short, I want per-tunnel group default routes, or something like that I guess.
|
# ? Jun 8, 2007 22:15 |
|
OK here are 2 questions: 1) Is it somehow possible to enter a question mark into the router and not have it interpret that as me querying what commands are available (let's say for a complex password)? 2) We have this 1811W at the office. I've managed to fumble my way around setting up Wi-Fi with WPA-PSK using TKIP, however I didn't manage to find anything referencing the use of AES/CCMP. Am I missing something or is the feature simply not there? code:
|
# ? Jun 15, 2007 14:26 |
|
Try going to 12.4(11)XJ or newer. It looks like that's when AES CCMP showed up on the 1800s.
|
# ? Jun 15, 2007 14:37 |
|
Weiz posted:OK here are 2 questions: There's a hardware dependency on support for AES/CCMP. When I messed around with that a year ago it was only supported in the access points. The integrated wireless in the 800/1800 and the wireless WIC didn't support it. Cisco dances around mentioning this in their documentation. If you look on the 1800 data sheet page; WPA2 is mentioned several times, but AES/CCMP isn't listed in the Wireless LAN Security Features table. http://www.cisco.com/en/US/products/ps5853/products_data_sheet0900aecd8028a95f.html inignot fucked around with this message at 17:09 on Jun 15, 2007 |
# ? Jun 15, 2007 15:54 |
|
ASA 8.0(2) up on cco as of today. Looks like lots of SSL VPN enhancements, and the thing I had been waiting for: Platform Enhancements: VLAN support for remote access VPN connections. Provides support for mapping (tagging) of client traffic at the group or user level. This feature is compatible with clientless as well as IPsec and SSL tunnel-based connections.
|
# ? Jun 19, 2007 18:31 |
|
I've got a 1720 Router connected via E0 to a lovely DSL modem. I configured DHCP client on the relevant interface (ip addr dhcp) and it works fine. Problem is when the ISP changes addresses, the cisco just kinda freaks out, unassigns its ip address and then nothing. "Fixing" it is nothing more than going on-site, powercycling the modem, and shut/no shut of E0. Shouldn't it retry to get a DHCP address after some point? Is there any way to detect this condition (losing its address) and force it to reconnect? Is there any DHCP renew command that I'm just not seeing? VVVV Will do next time I'm out there. Thanks! Fart.Bleed.Repeat. fucked around with this message at 20:58 on Jun 19, 2007 |
# ? Jun 19, 2007 19:17 |
|
buspAss posted:Shouldn't it retry to get a DHCP address after some point? Is there anyway to detect this condition(losing its address) and force it to reconnect? Is there any DHCP renew command that I'm just not seeing? Check out these commands: show ip dhcp binding and in global config: ip dhcp binding cleanup interval <n seconds> You should be able to glean the lease information in the show command, and perhaps have it check for cleanups and re-binding at that interval. Might help, might not. Cheers
|
# ? Jun 19, 2007 20:13 |
|
Hi goons, I've recently purchased an 871 router to use with my cable internet. The WAN port is Ethernet and grabs an ip via DHCP from the cable modem. I've got a CCNA so I can set it up as far as that knowledge goes. However I'm wanting to implement QoS, which was not covered in CCNA as far as I remember. I'm wanting to set up a list of ports to prioritise over everything else. Can anyone point me in the right direction? Hell, helping me navigate the cisco documentation website would be a great start as I'm sure the information is buried away in there somewhere. If it's relevant I've got fa0 through to fa3 in vlan1 acting as a 4-port switch, and fa4 is the WAN port. Thanks for your help.
|
# ? Jun 19, 2007 22:35 |
|
Biggz posted:However i'm wanting to implement QoS One of the challenges with shaping on consumer broadband is that your router doesn't generally know what kind of bandwidth is actually available, versus the reported link speed. For instance, I'm willing to bet the 871's wan interface isn't really sitting on 10, or 100mbps upstream. You could artificially shape to a predetermined rate, and then implement a queuing scheme within that, but my recommendation would be to not bother with QoS unless you feel you really need it. The 'interface-time' of outbound packets leaving the 871 is really short, so there's little chance of a queue building, as opposed to a T1, for instance. If you really want to do it anyway, I'd look at nested hierarchical policy-maps (CBWFQ inside GTS): http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt4/qcfcbshp.htm I'm not even sure if that's supported on an 871, someone correct me if I'm wrong.
|
# ? Jun 19, 2007 23:54 |
|
Cisco.com posted:Q. What QoS features are supported on the Cisco 870 platforms? Thanks for the suggestion jwh, I'll have a better read of that in the morning when I'm more awake, but from my initial read of your link I can't see how I would classify the traffic for prioritization. I should have read the router spec before, because I can at least search cisco documentation on the different types of QoS and specifically your suggestion.
|
# ? Jun 20, 2007 00:18 |
|
Seconding CBWFQ. It'll give you some serious granularity in your control.
|
# ? Jun 20, 2007 01:21 |
|
jwh posted:Provides support for mapping (tagging) of client traffic at the group or user level. edit: this is dot1q tagging right?
|
# ? Jun 20, 2007 01:46 |
|
StabbinHobo posted:ooooooohhhh. Now I have to go re-think my plan. I had talked myself out of needing this, but it was half sour grapes. Yeah, dot1q tags, but there's a problem- I was really close to posting on c-nsp about it, but I thought I better open a TAC case tomorrow before I go shooting my mouth off. What I can't figure out is this: 8.0(2) offers support for trapping remote access users in 802.1q vlans, but the ASA still only has one tunnel default gateway / routing table. So, unless I'm seeing this wrong, "vlan mapping" doesn't buy you much at second glance. In other words, you can trap people to vlans on the inside, but the ASA still only knows how to route users with a single routing table. This might be fine if your network lines up right (ie., vlans correspond correctly to customer networks), but I need more routing flexibility. Mostly, I need to drop users in vlans, and then supply them with specific routes. So I dunno, TAC case tomorrow to find out whether this will work, or if I'm going to instead use ipsec DVTI's with ivrf/fvrf on an IOS based platform. jwh fucked around with this message at 03:55 on Jun 20, 2007 |
# ? Jun 20, 2007 03:46 |
|
Alright, this is not really a short question but.... I am retarded when it comes to VPNs. I've only set one or two up correctly, but this does not stop me from thinking my boss is doing it completely backasswards. I was wondering if one of you would give me a good example of a properly set up VPN between two Ciscos, and just so you know, we run our operations on 7100s and 7200s running Version 12.2. I know this really isn't specifically a Cisco question, but the people that watch this thread are the kind of peeps I would like to hear from.
|
# ? Jun 20, 2007 17:57 |
|
jwh posted:(CBWFQ inside GTS): Yeah CBWFQ is supported on the 87x routers. Just to try to apply it to a ADSL interface... you'll run into the multiple deadends I am right now. I've got a customer that was provisioned a 1720 (IOS 12.3.9a, 32d+8f) w/ ADSL-WIC with a PIX 501. The key ingredients to this setup is that they want the pix, and they want to run VOIP over the DSL, and therefore they need QoS on the DSL so that calls don't drop. The problem? I can't get the loving ADSL connection to work properly. Normally when I configure ADSL wics, I'm using IRB and bonding the connection to a BVI... Except CBWFQ is not supported over IRB. So how do I configure a ADSL connection without subinterfaces or IRB or a BVI interface? Here's what I've got so far, and the error that trickled up: quote:*Mar 1 15:55:04.376: %IP-4-ZERO_ADDR: Zero MAC address for <WAN IP> in ARP cache code:
Oh, and Biggz - in the example above, here's the parts which configure CBWFQ: code:
CrazyLittle fucked around with this message at 18:10 on Jun 20, 2007 |
# ? Jun 20, 2007 18:02 |
|
Well, IRB was superseded by RBE (route bridge encapsulation) but I still use a sub-interface. Try it on the main interface though. http://www.cisco.com/warp/public/121/atm_bridging.html Here's an RBE example. I do not believe I can enter an 'atm route-bridged ip' without being in a sub interface. code:
The PIX will strip off any qos tags set by the phone, so I hope the voip can be classified by IP if possible (e.g. not going over a vpn with a bunch of other traffic). Edit: I have done a combo with Priority Queuing on the IOS-FW so the DSL router gets the important traffic first. PIX 501's suck rear end for voip compared to a 2600 with IOS-FW. Herv fucked around with this message at 18:29 on Jun 20, 2007 |
# ? Jun 20, 2007 18:13 |
|
Herv posted:The PIX will strip off any qos tags set by the phone, so I hope the voip can be classified by IP if possible (e.g. not going over a vpn with a bunch of other traffic). Believe me, if I could I would have reconfigured the entire package, because the hardware in this is all wrong. These guys don't even need cisco gear really as it all could be performed by a Adtran DSL router or even these wacky little "Draytek" ones we have which work surprisingly well. It was a customer demand to supply a PIX.
|
# ? Jun 20, 2007 18:34 |
|
Godfrey posted:Alright is not really a short question but.... I am retarded when it comes to VPNs I've only set one or two up correctly but this does not stop me from thinking my boss is doing it completely backasswards. I like to use ipsec protected GRE tunnels. It's super easy to configure, and they configure up like actual routed interfaces. None of this dynamic crypto map wacky nonsense. http://www.cisco.com/univercd/cc/td/doc/solution/p2pgre_x.pdf
|
# ? Jun 20, 2007 19:10 |
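Added example, not posted by jwh and not copied from the Cisco design guide he links: both ends of an IPsec-protected point-to-point GRE tunnel on IOS, with the tunnel treated as a routed interface (a static route through it here; OSPF across it works the same way). Addresses are RFC 5737 documentation space, the key and hostnames are invented, and `tunnel protection` needs 12.2(13)T or later; on older 12.2 mainline the same transform set is applied with a crypto map on the physical interface whose ACL is `permit gre host A host B`.

```cisco
! ================= HQ (7200) =================
hostname hq-7200
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key Sup3rS3cr3tKey address 203.0.113.2
! Transport mode: GRE already supplies the outer IP header, so tunnel mode would
! only add a second copy of the same addresses.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
interface Tunnel0
 description GRE to branch, protected by IPsec
 ip address 10.255.0.1 255.255.255.252
 ! GRE (24 B) + ESP/AES/SHA overhead; keep inner packets from being fragmented.
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROT
interface FastEthernet0/0
 description Internet
 ip address 198.51.100.1 255.255.255.0
! The branch LAN is simply routed out the tunnel interface; no per-subnet crypto ACLs.
ip route 10.2.0.0 255.255.0.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 198.51.100.254

! ================= Branch (7100) =================
hostname branch-7100
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key Sup3rS3cr3tKey address 198.51.100.1
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
interface Tunnel0
 description GRE to HQ, protected by IPsec
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 203.0.113.2
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile GRE-PROT
interface FastEthernet0/0
 description Internet
 ip address 203.0.113.2 255.255.255.0
ip route 10.1.0.0 255.255.0.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 203.0.113.254
```

`show crypto ipsec sa` on either router should show a single SA pair whose identities are the two public addresses with protocol 47, however many LAN subnets you later route through Tunnel0; that is the reason this design never runs into the overlapping proxy-identity problem from earlier in the thread. Confirm with a ping across the 10.255.0.0/30 link and check that the #pkts encaps counter moves; a GRE tunnel with a broken IPsec profile does not fall back to sending the traffic in the clear, it just drops it.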
|
jwh posted:What do you mean? What is he doing? Thank you I will read this (well most of it, I also have a Cisco VPN book coming to me in the mail) but he is using crypto maps and it just seems unnecessarily messy especially with five of them.
|
# ? Jun 20, 2007 20:29 |
|
Thanks for the help guys, I was reading more in work today, amongst other things, so I couldn't really go through it that well. Here is my scenario. It's in a house setup with three people total. Ideally, I'd like to be able to set three ACLs, one for each person. I'd reserve IPs for each device and put them in their respective owner's ACL. Then, set each ACL with a minimum of 33% outgoing bandwidth. Would this let each user use all of upload if it isn't in use and 33% minimum if everyone is using it? Then, if it's possible, prioritise by protocol/port. VoIP first, HTTP second etc... Or if that isn't possible I can just handle QoS based on protocol/port. Another question which I'm not sure if it's possible. Is it possible to do UPnP on cisco routers? Or anything similar which would enable MSN to send files? I've been looking and not found anything apart from this which was posted back in 2003. Cisco posted:We will definitely be implementing "full" support for Messenger (and other popular IM's) however it's not obvious that UPnP is the best way to do it. We are VERY concerned about security aspects or lack there of in UPnP To tell you the truth I've not tested the 871 with MSN as I just figured it wouldn't work without UPnP.
|
# ? Jun 20, 2007 21:14 |
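An added example, not posted by anyone in the thread, that turns the three-person plan above into CBWFQ nested inside a shaper on the 871's WAN port, the structure jwh and CrazyLittle pointed at. Two things it shows that the prose does not: `bandwidth remaining percent` is a floor, not a cap, so each person gets at least a third of the shaped rate under contention and all of it when the others are idle; and because the 871 translates the source address before the WAN output policy classifies, per-user matching on 192.168.1.x cannot be done on FastEthernet4 and is instead done as packets enter Vlan1, with the WAN policy matching the marks. The 768 kbps upstream rate, the three host addresses and the SIP/RTP port ranges are assumptions for one particular cable service.

```cisco
! --- LAN side: classify on private source addresses while they are still visible ---
ip access-list extended VOIP
 permit udp any any eq 5060
 permit udp any any range 16384 32767
ip access-list extended USER-ALICE
 permit ip host 192.168.1.11 any
ip access-list extended USER-BOB
 permit ip host 192.168.1.12 any
ip access-list extended USER-CAROL
 permit ip host 192.168.1.13 any

class-map match-all IN-VOICE
 match access-group name VOIP
class-map match-all IN-ALICE
 match access-group name USER-ALICE
class-map match-all IN-BOB
 match access-group name USER-BOB
class-map match-all IN-CAROL
 match access-group name USER-CAROL

! Voice gets DSCP EF; everything else has its DSCP cleared so a housemate cannot mark
! their own downloads EF and jump the queue, and is tagged with an internal qos-group.
policy-map LAN-MARK
 class IN-VOICE
  set ip dscp ef
 class IN-ALICE
  set ip dscp default
  set qos-group 1
 class IN-BOB
  set ip dscp default
  set qos-group 2
 class IN-CAROL
  set ip dscp default
  set qos-group 3
 class class-default
  set ip dscp default

interface Vlan1
 service-policy input LAN-MARK

! --- WAN side: queue on the marks, inside a shaper ---
class-map match-all VOICE
 match ip dscp ef
class-map match-all ALICE
 match qos-group 1
class-map match-all BOB
 match qos-group 2
class-map match-all CAROL
 match qos-group 3

! priority = strict low-latency queue, policed to 128 kbps so it cannot starve the rest.
! bandwidth remaining percent = guaranteed share of what is left after voice; unused share
! is handed to whoever is busy.
policy-map WAN-QUEUE
 class VOICE
  priority 128
 class ALICE
  bandwidth remaining percent 33
 class BOB
  bandwidth remaining percent 33
 class CAROL
  bandwidth remaining percent 33
 class class-default
  fair-queue

! Shape slightly below the real upstream rate so the queue forms here, where the router
! can order it, and not in the cable modem, where it cannot.
policy-map WAN-SHAPE
 class class-default
  shape average 768000
  service-policy WAN-QUEUE

interface FastEthernet4
 description cable modem (WAN)
 service-policy output WAN-SHAPE
```

`show policy-map interface FastEthernet4` gives per-class packet counts and drops; if VOICE never matches, the port ranges are wrong for the softphone in use, and if all three user classes show zero while class-default carries everything, the LAN marking policy is not applied. This only orders upload; what arrives from the ISP has already been queued at their end.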
|
So in theory should this prioritize web traffic (or whatever matches in the 102 ACL) above everything else? code:
code:
|
# ? Jun 23, 2007 17:57 |
|
|
inignot posted:There's a hardware dependency on support for AES/CCMP. When I messed around with that a year ago it was only supported in the access points. The integrated wireless in the 800/1800 and the wireless WIC didn't support it. Cisco dances around mentioning this in their documentation. If you look on the 1800 data sheet page; WPA2 is mentioned several times, but AES/CCMP isn't listed in the Wireless LAN Security Features table.
|
# ? Jun 24, 2007 17:20 |