jwh posted:I'm prepared to offer you all of my returnable beer bottles, shipped at your expense, plus a cat. You can choose a grey cat, or an orange one. That is my final offer. OER, as it pertained to the connections I'm using. This setup has a single computer behind a:
Supplemental links: 1) OER in a single-router setup 2) Cisco IOS 12.3T OER reference (lots of good hints) code:
Yeah, I'm kinda bitter at TAC right now. CrazyLittle fucked around with this message at 05:36 on Sep 13, 2007 |
# ? Sep 13, 2007 05:05 |
|
jwh posted:Can you hard code the ID? I think there's an option for that. There's an option for hard-coding some client identifier, although it might not be the one you need.
|
# ? Sep 13, 2007 06:19 |
|
CrazyLittle posted:So here's the thing that gets me. When watching the console logging, I can see the OER master watching, picking, choosing and rerouting the traffic... but I can't get it to route to BOTH interfaces at the same time. It seems to be switching over everything completely. Any thoughts on that, or should I file a new ticket with Cisco TAC and wait another 6 months to be ignored... only to figure it out by myself? As I understand it, that's what it's supposed to do. Pick best path routing and route the traffic over the links that'll get the data there faster. As one route gets congested, it switches over. http://www.cisco.com/en/US/products/ps6628/products_ios_protocol_option_home.html
|
# ? Sep 14, 2007 01:41 |
|
XakEp posted:As I understand it, that's what it's supposed to do. Pick best path routing and route the traffic over the links that'll get the data there faster. As one route gets congested, it switches over. Yeah, but shouldn't it be a soft cutover, where current traffic on that line keeps flowing? I'm getting the impression that it's just doing a hopping dance between the two lines, completely moving everything over at the slightest hint of congestion, instead of balancing load across both links simultaneously.
|
# ? Sep 14, 2007 08:08 |
|
CrazyLittle posted:Yeah, but shouldn't it be a soft cutover, where current traffic on that line keeps flowing? I'm getting the impression that it's just doing a hopping dance between the two lines, completely moving everything over at the slightest hint of congestion, instead of balancing load across both links simultaneously. If a TCP connection has been established, it can't just cut over to a new IP address and route mid-stream. Especially if there's encryption involved - it can't be easily reassembled.
|
# ? Sep 14, 2007 22:53 |
|
Thanks for this thread, it contains a lot of really good information and was a great read. Just so this bump isn't worthless, here is a fluff piece Cisco wrote about the company I work for: http://www.cisco.com/en/US/netsol/ns577/networking_solutions_customer_profile0900aecd806a1efe.html
|
# ? Sep 21, 2007 16:33 |
|
I set up a VPN on a PIX 515e and connect with the Cisco VPN client software. It works great, however I'm no longer able to route to the Internet, just the private internal network. Is there a way to have it route ALL my traffic through the PIX? I know a split tunnel is possible, but I don't want to do that. I heard somewhere that a PIX can't route traffic out the same interface it comes in on, so what I'm asking may not be possible without a VPN concentrator or whatnot.
|
# ? Sep 22, 2007 20:54 |
|
brent78 posted:I set up a VPN on a PIX 515e and connect with the Cisco VPN client software. It works great, however I'm no longer able to route to the Internet, just the private internal network. Is there a way to have it route ALL my traffic through the PIX? I know a split tunnel is possible, but I don't want to do that. I heard somewhere that a PIX can't route traffic out the same interface it comes in on, so what I'm asking may not be possible without a VPN concentrator or whatnot. Out of curiosity, why don't you want to do a split tunnel?
|
# ? Sep 23, 2007 00:54 |
|
XakEp posted:Out of curiosity, why don't you want to do a split tunnel?
|
# ? Sep 23, 2007 04:58 |
|
brent78 posted:I set up a VPN on a PIX 515e and connect with the Cisco VPN client software. It works great, however I'm no longer able to route to the Internet, just the private internal network. Is there a way to have it route ALL my traffic through the PIX? I know a split tunnel is possible, but I don't want to do that. I heard somewhere that a PIX can't route traffic out the same interface it comes in on, so what I'm asking may not be possible without a VPN concentrator or whatnot. Is the PIX running 6, 7, or 8? This is applicable to 7 and 8. If you are running 6 let me know and I can dig up that too. http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml
|
# ? Sep 23, 2007 11:09 |
|
Tremblay posted:This is applicable to 7 and 8. If you are running 6 let me know and I can dig up that too.
|
# ? Sep 23, 2007 15:14 |
|
I feel like I'm beating a dead horse here, but Cisco came back to me finally and told me that, more or less, "IPSec client VPN termination against IOS is an afterthought," and that the recommended platform for client VPN termination is an ASA. Well, no kidding, I'd love to use my two ASA5540s, since I already paid for them. Problem is, they have no VRF capabilities, and that's what I need. So as near as I can tell, Cisco's remote access VPN offering can be described as follows:
PIX/ASA: Platform of choice, provided you don't need VRF termination.
IOS: Sort of an afterthought; you get VRF termination, but lose most other features.
AT&T does large-scale virtualized VPN termination; what the hell are they using?
|
# ? Sep 24, 2007 15:51 |
|
I don't know poo poo about networking and reading through this thread and all its acronyms is confusing me quite a bit. IPSec? IOS? ASA? Anyways, I need to set up a network that would support about 30 people via wireless or hard-wired connections with drops in different rooms. The internet connection is supplied via Comcast cable internet. Right now there is a lovely Linksys wireless router hooked into a Cisco switch and it's a piece of garbage and we are plagued by terrible network speeds and reliability. Where can I learn this stuff/suggestions?
|
# ? Sep 24, 2007 19:07 |
|
ashgromnies posted:Where can I learn this stuff/suggestions? IPSec is the collection of protocols commonly brought to use as 'VPN'. IOS is the operating system of Cisco routers and switches. ASA is Cisco's 'Adaptive Security Appliance', which is more or less the successor to the PIX, which had been Cisco's security product. The best way to learn is probably to read, ask questions, and then read some more.
|
# ? Sep 24, 2007 19:13 |
|
jwh posted:I feel like I'm beating a dead horse here, but Cisco came back to me finally and told me that, more or less, "IPSec client VPN termination against IOS is an afterthought," and that the recommended platform for client VPN termination is an ASA. 6k/7ks with VPN-SPAs I think. I understand you need VRF support but what other features are you looking to implement that IOS doesn't provide for RA? EDIT: I'm not a VPN eng but I'll do what I can to help.
|
# ? Sep 24, 2007 19:55 |
|
Tremblay posted:6k/7ks with VPN-SPAs I think. I understand you need VRF support but what other features are you looking to implement that IOS doesn't provide for RA? I appreciate it; I'm finding remote access VPN on IOS (i.e., Easy VPN with Dynamic Virtual Tunnel Interfaces: http://www.cisco.com/en/US/products/ps6635/products_white_paper0900aecd803645b5.shtml ) to work great, except with respect to control and administration. This makes sense, like I mention, because IOS is focused on site-to-site VPN configurations, and user VPN termination isn't as feature-rich as it is on the PIX/ASA. Some of the issues I've run into include not having any correlation between cloned virtual-access interfaces and the user it's been cloned for, and a general clumsiness with administration; for instance, if I don't know who's on what interface, it's difficult to troubleshoot remote access problems. Things like 'show crypto session' don't produce any information about which user is occupying which crypto socket, either. Don't get me wrong, I can understand why the limitations are there, and I'm well aware that I'm operating outside the norm on this one. I guess my dream would be for the ASA to receive full VRF support, with its full range of VPN features intact, or for IOS to receive remote access VPN administration improvements. edit: By clumsiness, I mean things like not sending the virtual-access information as part of RADIUS data, as either Cisco VSA or NAS-Port. jwh fucked around with this message at 21:05 on Sep 24, 2007 |
# ? Sep 24, 2007 21:03 |
|
Going through the 12.4(15)T release notes PDF, and there's some neat stuff worth mentioning:
Beginning in 12.4(11)T, apparently the ISR IP Base line gets BGP, and BGP support in Advanced Security as well. Wish that had happened last year, since we bought about 90 IOS upgrade licenses from Advanced Security to Advanced IP Services.
ISRs get BFD.
SSL VPN VRF integration (which sounds good).
ROMMON booting from usbflash.
Bunch of AToM junk.
I only have two routers running 12.4(15)T, because they need to do Active Directory password changes via RADIUS, which is also a new feature, but so far it's been pretty swell. PDF is here: http://cisco.com/application/pdf/en/us/guest/products/ps8258/c1161/cdccont_0900aecd80679ce3.pdf
|
# ? Sep 25, 2007 18:35 |
|
What is the general opinion on refurbed Cisco gear? Seeing as I work for a not-for-profit shop, is refurbished equipment, specifically a 45xx series core switch, a bad idea?
|
# ? Sep 27, 2007 20:13 |
|
Anyone here running 12.2(33)SXH on a Sup32? We were previously running SXF on the same box, upgraded to SXH a couple of days ago. Now we have no rate-limit or traffic-shape available to us. Our SE seems to think that these features were not functioning under SXF at all either, but that they were cosmetically available. Anyone have a 6500 running SXF and either of these able to confirm for me? We never really tested the rate-limiting or traffic-shaping we had applied to customers (1000s of km away). I'm curious as to whether it wasn't working under SXF at all, or our SE is pulling our leg.
|
# ? Sep 28, 2007 09:45 |
|
InferiorWang posted:What is the general opinion on refurbed Cisco gear? Seeing as I work for a not-for-profit shop, is refurbished equipment, specifically a 45xx series core switch, a bad idea? Can you put the refurbished switch under SMARTnet? If so, it sounds like it would be fine.
|
# ? Sep 28, 2007 16:21 |
|
http://www.cisco.com/web/ordering/ciscocapital/refurbished/ According to that page, the warranty and service options are the same as new equipment.
|
# ? Sep 28, 2007 17:35 |
|
jwh posted:Can you put the refurbished switch under smartnet? If so, it sounds like it would be fine. You can for now, which makes it a great option. However I hear Cisco is going to limit what products you can and cannot get a smartnet on sometime in the near future to try to curb the massive explosion of Used / Refurbed dealers that seem to be around now.
|
# ? Sep 28, 2007 18:14 |
|
dwarftosser posted:You can for now, which makes it a great option. However I hear Cisco is going to limit what products you can and cannot get a smartnet on sometime in the near future to try to curb the massive explosion of Used / Refurbed dealers that seem to be around now. For what it's worth, I've heard no talk of this.
|
# ? Sep 28, 2007 18:35 |
|
ChimpyMonkey posted:Anyone here running 12.2(33)SXH on a Sup32? We were previously running SXF on the same box, upgraded to SXH a couple of days ago. Now we have no rate-limit or traffic-shape available to us. Possibly. I'll try to check this out today.
|
# ? Sep 28, 2007 18:35 |
|
Tremblay posted:For what it's worth, I've heard no talk of this. Hopefully it's just speculation then, because I like buying used. I heard it from a friend I used to work with who is an SE3 in Cisco's DoD division while we were golfing a few weeks ago.
|
# ? Sep 28, 2007 18:43 |
|
dwarftosser posted:Hopefully it's just speculation then, because I like buying used. I heard it from a friend I used to work with who is an SE3 in Cisco's DoD division while we were golfing a few weeks ago. They're certainly trying like hell to stomp out the used market. They like painting the "grey" market as stolen/counterfeit gear and don't have any problem telling customers that. I've had them tell a customer of mine (I sell used equipment) that everything I was selling them was either fake, or stolen off the back of a truck, which is extremely false. Luckily my customer laughed it off and forwarded me the email. As of now, yes, you can put used switches (used Cisco anything, for that matter) under smartnet, as long as they've never been covered under smartnet previously. Actually, that's not 100% true, you can softline used gear that's already been covered but it's a major pain in the rear end so I don't ever even bring it up. Let's just hope Cisco keeps allowing smartnet on used equipment.
|
# ? Sep 28, 2007 20:04 |
|
M@ posted:They're certainly trying like hell to stomp out the used market. They like painting the "grey" market as stolen/counterfeit gear and don't have any problem telling customers that. Part of that reasoning is that they can't have any real knowledge of the chain of ownership on any given part, and stuff like T1 WIC cards are easily counterfeited. I've had at least 3 counterfeit WICs pass my desk in the past 3 months, and two of them went bad within 30 days. If Cisco had to support that, it would be a monetary black hole.
|
# ? Sep 28, 2007 20:13 |
|
CrazyLittle posted:Part of that reasoning is that they can't have any real knowledge of the chain of ownership on any given part, and stuff like T1 WIC cards are easily counterfeited. I've had at least 3 counterfeit WICs pass my desk in the past 3 months, and two of them went bad within 30 days. If Cisco had to support that, it would be a monetary black hole. Certainly. I don't, however, think it's fair to lump legitimate dealers, who test their equipment and know to spot fakes, with the dudes on eBay selling Chisco WICs for $2/ea. Since I know a lot of you guys buy used Cisco, I'll plug an organization I'm part of. Try to buy your used gear from someone who is part of:
quote:UNEDA is an alliance of more than 300 of the top used network equipment dealers worldwide. These secondary market suppliers work together to promote industry best practices, ensure the highest standards of product quality, and eradicate counterfeit and fraud in the secondary market.
That's what we're doing to fight Cisco's witch hunt. Who knows if it'll work.
|
# ? Sep 28, 2007 23:53 |
|
M@ posted:That's what we're doing to fight Cisco's witch hunt. Who knows if it'll work. You really can't blame Cisco for that though. The margin that Cisco runs is so high that it's actually more cost effective to give away used gear than to sell and support it. Internally Cisco has a list called Reverse Logistics that is a bunch of returned Cisco gear from customers, oversells etc. They just pass the list around to various organizations inside of Cisco (like the lab I work with), and we pick whatever we want off of the list. This actually saves Cisco more money than if they tried to sell that same equipment as used themselves.
|
# ? Oct 1, 2007 17:21 |
|
When I have a server that has multiple NICs tied into one switch I can bond those NICs and configure them to create one channel for both transmit and receive load balancing via LACP/802.3ad, effectively doubling my throughput in either direction. The requirement is that the NICs are all talking to one switch, or in the Cisco world, talking to multiple switches that are configured as a cluster. Here then is the question: If I have a single server with 2 NICs which are connected to 2 switches (in this case, bladed Catalyst 3020s), and these switches cannot be clustered, if these two switches are themselves connected to a single core switch (say a Cat 6000 series) might I still be able to enable link aggregation for both transmit and receive? Here's a recap in half-assed crappy drawings: This I know works, both for transmit and receive: This I'm pretty certain doesn't work (transmit balancing will work, but not receive): So the question is this: would something like the following work to load balance traffic both in and out from the core?
|
# ? Oct 1, 2007 17:41 |
|
luma posted:When I have a server that has multiple NICs tied into one switch I can bond those NICs and configure them to create one channel for both transmit and receive load balancing via LACP/802.3ad, effectively doubling my throughput in either direction. The requirement is that the NICs are all talking to one switch, or in the Cisco world, talking to multiple switches that are configured as a cluster. Here then is the question: If I have a single server with 2 NICs which are connected to 2 switches (in this case, bladed Catalyst 3020s), and these switches cannot be clustered, if these two switches are themselves connected to a single core switch (say a Cat 6000 series) might I still be able to enable link aggregation for both transmit and receive? I'd question why you were doing that (why pass through those switches at all?). But otherwise, if you did some kind of transparent pass-through of those switches and went directly to the core switch you could get link aggregation. Of course the disadvantage is that you can't directly talk to any of the devices connected to either of those pass-through switches. It would require you to configure the ports you were connected to on the switches into a transparent link. I'm not sure of the actual term.
|
# ? Oct 1, 2007 20:01 |
|
Powercrazy posted:I'd question why you were doing that (why pass through those switches at all?).
|
# ? Oct 1, 2007 20:26 |
|
luma posted:When I have a server that has multiple NICs tied into one switch I can bond those NICs and configure them to create one channel for both transmit and receive load balancing via LACP/802.3ad...blah blah blah Read this. http://www.cisco.com/en/US/tech/tk389/tk213/technologies_configuration_example09186a008089a821.shtml
|
# ? Oct 1, 2007 20:27 |
|
inignot posted:Read this.
|
# ? Oct 1, 2007 20:54 |
|
luma posted:My issue is that my configuration is hard-wired in a manner outlined in my second diagram, and the two switches themselves do not support clustering, which I'm told is a requirement. So the question standing is whether my third diagram could work. I don't think LACP is going to work in scenario 2 or 3. Active/Active load balanced connections need to terminate to the same switch (or switch stack). See if your NICs or OS support some kind of active/standby failover option based on link status or ping polling.
|
# ? Oct 1, 2007 21:55 |
|
The 3020s do support trunking/port-channeling between each other (see 'media-type internal'; you lose one or more of the 'external' ports, numbered 17-24 on each switch), but you can't do what Nortel refers to as 'split-MLT'. Unfortunately, you're going to be doing active/passive if you want to diversify your connectivity. We have the exact same setup in our environment (HP C-class, Cisco 3020s uplinked to a pair of 4948s, uplinked to a pair of 6509s) and I don't believe that you'll be able to do actual load-balancing on the switches, like you have described.
|
# ? Oct 2, 2007 01:21 |
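The point inignot and multiprotocol make above (an 802.3ad bond only load-balances when every member lands on the same switch or stack) can be checked from the server side, because each member reports the LACP partner's system ID it sees. The script below is an added example, not code from anyone in the thread: it parses the Linux bonding driver's `/proc/net/bonding/<bond>` text, and flags a bond whose slaves see different partner system MACs (two unstacked switches) and so ended up in different aggregators, with only one of them active. The embedded status text is constructed to resemble the two-switch case luma describes; the MAC addresses and interface names are made up.

```python
"""Detect an 802.3ad bond whose members terminate on different LACP peers.

Added example. Reads the text format the Linux bonding driver exposes at
/proc/net/bonding/<bond>. Each slave block carries the partner's system MAC
from the last LACP PDU; members that report different partner MACs were
connected to different (non-stacked) switches, so the driver cannot place
them in one aggregator and only one link carries traffic.
"""
import re
import sys

# Constructed sample: two NICs, two different partner system MACs, and the
# driver has chosen aggregator 1 (eth0 only) as the active aggregator.
SAMPLE_BOND_STATUS = """\
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: IEEE 802.3ad Dynamic link aggregation
Transmit Hash Policy: layer3+4 (1)
MII Status: up

802.3ad info
LACP rate: fast
Aggregator selection policy (ad_select): stable
System MAC address: 00:50:56:aa:bb:01
Active Aggregator Info:
\tAggregator ID: 1
\tNumber of ports: 1
\tActor Key: 9
\tPartner Key: 1
\tPartner Mac Address: 00:1a:a1:11:11:11

Slave Interface: eth0
MII Status: up
Speed: 1000 Mbps
Permanent HW addr: 00:50:56:aa:bb:01
Aggregator ID: 1
details actor lacp pdu:
    system mac address: 00:50:56:aa:bb:01
    port state: 61
details partner lacp pdu:
    system priority: 32768
    system mac address: 00:1a:a1:11:11:11
    oper key: 1
    port state: 61

Slave Interface: eth1
MII Status: up
Speed: 1000 Mbps
Permanent HW addr: 00:50:56:aa:bb:02
Aggregator ID: 2
details actor lacp pdu:
    system mac address: 00:50:56:aa:bb:01
    port state: 61
details partner lacp pdu:
    system priority: 32768
    system mac address: 00:1a:a1:22:22:22
    oper key: 1
    port state: 61
"""


def parse_bond_status(text):
    """Return (active_aggregator_id, [slave dicts]) from bonding proc text."""
    active = re.search(r"Active Aggregator Info:\s*\n\s*Aggregator ID: (\d+)", text)
    active_id = int(active.group(1)) if active else None
    slaves = []
    # Each "Slave Interface:" header starts a block that runs to the next header.
    for block in re.split(r"(?m)^Slave Interface: ", text)[1:]:
        name = block.splitlines()[0].strip()
        agg = re.search(r"^Aggregator ID: (\d+)", block, re.M)
        # Take the system MAC from the *partner* PDU, not the actor PDU above it.
        partner = re.search(
            r"details partner lacp pdu:.*?system mac address: ([0-9a-fA-F:]{17})",
            block, re.S)
        slaves.append({
            "name": name,
            "aggregator_id": int(agg.group(1)) if agg else None,
            "partner_mac": partner.group(1).lower() if partner else None,
        })
    return active_id, slaves


def check_lacp_partners(text):
    """Classify a bond as 'ok', 'split' (members see different peers) or 'no-lacp'."""
    active_id, slaves = parse_bond_status(text)
    if not slaves or any(s["partner_mac"] is None for s in slaves):
        return {"status": "no-lacp", "active_slaves": [],
                "idle_slaves": [s["name"] for s in slaves], "partners": []}
    partners = sorted({s["partner_mac"] for s in slaves})
    active = [s["name"] for s in slaves if s["aggregator_id"] == active_id]
    idle = [s["name"] for s in slaves if s["aggregator_id"] != active_id]
    status = "ok" if len(partners) == 1 and not idle else "split"
    return {"status": status, "active_slaves": active,
            "idle_slaves": idle, "partners": partners}


if __name__ == "__main__":
    # Usage: python lacp_check.py [/proc/net/bonding/bond0]; default is the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            status_text = fh.read()
    else:
        status_text = SAMPLE_BOND_STATUS
    print(check_lacp_partners(status_text))
```

A "split" result with one idle slave is exactly the symptom the thread describes: the bond is up, but only the members in the active aggregator carry frames, so the second NIC buys failover rather than bandwidth. Stacked or VSS-style switches pass this check because they advertise one shared system ID on both ports.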
|
inignot posted:I don't think LACP is going to work in scenario 2 or 3. Active/Active load balanced connections need to terminate to the same switch (or switch stack). See if your NICs or OS support some kind of active/standby failover option based on link status or ping polling. Alternately you could run your Active/Active at layer 3 instead of layer 2, by running a routing protocol on the server (like OSPF using Quagga), and let CEF/OSPF ECMP do your load balancing at layer 3.
|
# ? Oct 2, 2007 02:25 |
|
Dear Cisco,
Please make a working bug toolkit, with accurate data for current IOS releases.
Thank you,
The Internet
Anyone actually seen the "new" bug toolkit work? I keep trying but all I ever get is this error: "Error occurred while fetching bug summary from database. Please try later."
|
# ? Oct 2, 2007 03:57 |
|
multiprotocol posted:The 3020s do support trunking/port-channeling between each other (see 'media-type internal'; you lose one or more of the 'external' ports, numbered 17-24 on each switch), but you can't do what Nortel refers to as 'split-MLT'. Unfortunately, you're going to be doing active/passive if you want to diversify your connectivity. This is pretty much as I expected. Now I just have to break it to my customers that the NICs I've been selling them aren't going to help. At all. Also, the ports that cross connect on the C-Class are 23-24 (for the "media-type internal" thing). 17-22 are purely external.
|
# ? Oct 2, 2007 14:49 |
|
|
You could try this: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/l2pt.html#wp999408 I have no idea if this will tunnel LACP. I've only ever used it once, and that was to tunnel CDP for ODR updates between two routers connected to a switch not running ODR, but only for an obtuse CCIE study scenario. I think the design concept is just screwed.
|
# ? Oct 2, 2007 17:26 |