wolrah posted:Is there any way I can "bridge" a T1 to Ethernet with any Cisco devices?
I have this setup with an E1 connection, done in the following fashion. This is all on a 2851. I guess this should work on any router with a T1 interface card and ethernet port.
code:
# ? Nov 30, 2007 20:12 |
CrazyLittle posted:How often do any of you guys configure loopback interfaces on your routers, and what do you tend to use them for?
We're mostly using loopback interfaces to simplify in-band management and monitoring. We don't do any weird policy-based routing to loopback interface trickery, or anything like that. Nothing very unusual here. Actually, that's not entirely true, we have some IOS VPN routers that have a ton of loopback interfaces on a per-VRF basis, and then we tell Virtual-Template interfaces to go ip unnumbered to those loopbacks.
Biggz posted:interface Serial0/1/0.2 point-to-point
# ? Nov 30, 2007 20:56 |
CrazyLittle posted:How often do any of you guys configure loopback interfaces on your routers, and what do you tend to use them for?
I use loopbacks on all my routers. They are used for the routing protocol router id, the snmp trap source, the tacacs source, the ntp source, the syslog source, and the icmp/snmp polling destination.
# ? Nov 30, 2007 22:43 |
inignot posted:I use loopbacks on all my routers. They are used for the routing protocol router id, the snmp trap source, the tacacs source, the ntp source, the syslog source, and the icmp/snmp polling destination.
Definitely. Interface addresses come and go, but a good loopback lasts forever.
# ? Dec 1, 2007 00:34 |
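One defensive consequence of the convention above (every router sources syslog, SNMP traps, NTP and TACACS+ from its loopback) is that the collector can treat each device's loopback as the only legitimate source address for that hostname. The script below is an added example, not from the thread or from any vendor tool: it parses BSD-style syslog lines, looks the hostname up in an inventory of loopback addresses, and flags messages whose wire source does not match. The inventory, hostnames, addresses and log lines are all constructed.

```python
"""Flag management-plane messages that do not arrive from a device's loopback.

Added example (not from the thread). Inventory and syslog records are constructed.
"""
import re

# Constructed inventory: hostname -> loopback address used as the management source.
LOOPBACKS = {
    "core-rtr-1": "10.255.0.1",
    "core-rtr-2": "10.255.0.2",
    "edge-rtr-1": "10.255.0.3",
}

# Constructed collector records: (source IP seen on the wire, raw syslog line).
# The lines follow the BSD syslog layout an IOS box emits with timestamps enabled.
RECORDS = [
    ("10.255.0.1", "<189>Dec  1 00:34:01 core-rtr-1 47: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.5)"),
    ("10.255.0.2", "<187>Dec  1 00:35:10 core-rtr-2 48: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down"),
    ("192.0.2.9",  "<189>Dec  1 00:36:02 edge-rtr-1 12: %SYS-5-RESTART: System restarted --"),
    ("10.255.0.7", "<190>Dec  1 00:37:44 lab-rtr-9 3: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.5(4444) -> 10.1.1.1(22), 1 packet"),
    ("10.255.0.3", "not a syslog line at all"),
]

# <PRI>Mon dd hh:mm:ss HOSTNAME rest-of-message
SYSLOG_RE = re.compile(r"^<\d{1,3}>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+(\S+)\s+(.*)$")


def parse_hostname(line):
    """Hostname field of a BSD-format syslog line, or None if the line does not parse."""
    m = SYSLOG_RE.match(line)
    return m.group(1) if m else None


def classify(src_ip, line):
    """Verdict for one record.

    'ok'           - hostname is known and the packet came from its loopback
    'wrong-source' - hostname is known but the packet came from some other address
                     (source-interface not set, or something else claiming that name)
    'unknown-host' - hostname is not in the inventory at all
    'unparsable'   - the line is not syslog-shaped
    """
    host = parse_hostname(line)
    if host is None:
        return "unparsable"
    expected = LOOPBACKS.get(host)
    if expected is None:
        return "unknown-host"
    return "ok" if src_ip == expected else "wrong-source"


def audit(records):
    """Return (source IP, hostname, verdict) for every record that is not 'ok'."""
    findings = []
    for src, line in records:
        verdict = classify(src, line)
        if verdict != "ok":
            findings.append((src, parse_hostname(line), verdict))
    return findings


if __name__ == "__main__":
    for finding in audit(RECORDS):
        print(finding)
```

A "wrong-source" hit is usually just a router that never had `logging source-interface Loopback0` applied, but because the loopback never flaps, it is also the one address you can confidently pin a hostname to, which is what makes this check cheap to keep running.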
jwh posted:How is WCS at administering multiple client / sites from one installation?
This is what WCS does well, however with just 300 radios why not go with a WISM and H-REAP? Administering 120 controllers vs 1 is just going to cause you lots and lots of pain.
CrazyLittle posted:How often do any of you guys configure loopback interfaces on your routers, and what do you tend to use them for?
Always as source interfaces for routing protocols, as loopback interfaces never go down with interfaces.
# ? Dec 2, 2007 02:17 |
I'm using a Pix 515 and I'm trying to route traffic on ports 61000 and 61001 to our dmz webserver. With the dmz webserver's ip being 172.16.0.8, would this be incorrect?
access-list acl_mdc_VLFrame_access_1 extended permit tcp any host 172.16.0.8 eq 61001
access-list acl_mdc_VLFrame_access_1 extended permit tcp any host 172.16.0.8 eq 61000
# ? Dec 2, 2007 21:00 |
permanoob posted:I'm using a Pix 515 and I'm trying to route traffic on ports 61000 and 61001 to our dmz webserver. With the dmz webserver's ip being 172.16.0.8, would this be incorrect?
Are you doing any NAT with your firewall? If so there should also be a "static" rule somewhere in there that you need to check, in case you're only doing port forwarding instead of one-to-one static nats.
# ? Dec 2, 2007 22:21 |
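The two access-list lines are syntactically fine; what decides whether 61000/61001 reach the DMZ host is where they sit in the ACL and what the NAT "static" maps. As an added example (not from the thread, not Cisco code), here is a small first-match evaluator for the subset of PIX/ASA extended-ACL syntax used above: it parses the posted lines, walks them top to bottom the way the firewall does, and applies the implicit deny that ends every ACL. The test connections are constructed; NAT is deliberately not modelled, and only numeric ports are handled.

```python
"""First-match evaluation of PIX/ASA-style extended ACL lines.

Added example (not from the thread). Parses permit/deny, tcp/udp/ip,
any | host X | network mask, and an optional "eq N" / "range A B" on either side.
"""
import ipaddress

# The two lines posted above (the ACL name is the one in the post).
ACL_TEXT = """
access-list acl_mdc_VLFrame_access_1 extended permit tcp any host 172.16.0.8 eq 61001
access-list acl_mdc_VLFrame_access_1 extended permit tcp any host 172.16.0.8 eq 61000
"""


def _addr(t, i):
    """Parse an address spec at t[i]; return (network, index after it)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # "A.B.C.D M.M.M.M" form: PIX/ASA use a normal subnet mask here, not a wildcard
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def _port(t, i):
    """Optional port operator at t[i]: eq N or range A B. None means any port."""
    if i < len(t) and t[i] == "eq":
        return (int(t[i + 1]), int(t[i + 1])), i + 2
    if i < len(t) and t[i] == "range":
        return (int(t[i + 1]), int(t[i + 2])), i + 3
    return None, i


def parse_acl(text):
    """Return {acl_name: [(action, proto, src, sport, dst, dport), ...]} in file order."""
    acls = {}
    for raw in text.strip().splitlines():
        t = raw.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        name, i = t[1], 2
        if t[i] == "extended":          # keyword is absent on older PIX code
            i += 1
        action, proto = t[i], t[i + 1]
        src, i = _addr(t, i + 2)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        acls.setdefault(name, []).append((action, proto, src, sport, dst, dport))
    return acls


def _in_range(rng, port):
    return rng is None or rng[0] <= port <= rng[1]


def evaluate(acls, name, proto, src_ip, src_port, dst_ip, dst_port):
    """Walk the named ACL top to bottom; return (action, line number) or ('deny', None)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for lineno, (action, rproto, rsrc, rsport, rdst, rdport) in enumerate(acls[name], 1):
        if rproto not in ("ip", proto):
            continue
        if src not in rsrc or dst not in rdst:
            continue
        if not _in_range(rsport, src_port) or not _in_range(rdport, dst_port):
            continue
        return action, lineno
    return "deny", None                  # implicit deny at the end of every ACL


if __name__ == "__main__":
    acls = parse_acl(ACL_TEXT)
    for port in (61000, 61001, 80):
        print(port, evaluate(acls, "acl_mdc_VLFrame_access_1",
                             "tcp", "198.51.100.7", 40000, "172.16.0.8", port))
```

Whether the destination written in the ACL has to be the server's real address or its translated outside address depends on the PIX/ASA software generation, which is exactly why the reply above says to check the static: the evaluator only tells you that the ACL itself permits 61000 and 61001 to 172.16.0.8 and nothing else to that host.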
I've got a 3524XL switch that I can't seem to be able to get console access to. I connect the cable and boot the switch up and I get nothing on my terminal software. The switch functions (devices plugged in can get IP address from an external DHCP server) but I can't configure the drat thing. Ideas on how to get in?
# ? Dec 3, 2007 04:04 |
XakEp posted:I've got a 3524XL switch that I can't seem to be able to get console access to. I connect the cable and boot the switch up and I get nothing on my terminal software. The switch functions (devices plugged in can get IP address from an external DHCP server) but I can't configure the drat thing. Ideas on how to get in?
Somebody might have changed the line rate of the console port. Try 115200. If that doesn't work, you should be able to reset the switch by holding down the status button on the front face-plate (does this work on the 3500s?).
# ? Dec 3, 2007 05:25 |
jwh posted:Somebody might have changed the line rate of the console port. Try 115200. If that doesn't work, you should be able to reset the switch by holding down the status button on the front face-plate (does this work on the 3500s?).
The procedure on a 3500 series is to hold down the mode button while the box is off, power it up and release the button when the port 1 LED turns off. I've done that, but still nothing on my terminal. Unless I have two bad cables/rj45 adapters I have no loving clue.
# ? Dec 3, 2007 05:38 |
XakEp posted:The procedure on a 3500 series is to hold down the mode button while the box is off, power it up and release the button when the port 1 LED turns off. I've done that, but still nothing on my terminal.
If you're using an actual cisco rj45 adapter, you need to use a rollover cable between the adapter and the switch. Do you have a molded cable, or can you make a rollover?
# ? Dec 3, 2007 05:50 |
Girdle Wax posted:If you're using an actual cisco rj45 adapter, you need to use a rollover cable between the adapter and the switch. Do you have a molded cable, or can you make a rollover?
Yeah, they're rollovers. One is the OEM light blue cable, the other isn't, but I can confirm it's a rollover. I have a molded somewhere else, I'll see if I can dig it up.
Edit - Got a molded one here at the office. I'll try it when I get home.
vvvv My understanding is the default route will be used after all other routes in the routing table don't match vvvv
XakEp fucked around with this message at 16:54 on Dec 3, 2007 |
# ? Dec 3, 2007 14:59 |
Here's the routing table from our 4506. 172.16.0.0/24 is the voip network. 10.0.0.0/8 is the data network. 10.6.4.2 is a pix 501 I use for VPN access. None of this was set up by me, I'm just trying to make sense of a few things in parallel with my CCNA course work. Does the default route supersede the directly connected and static routes? Is my Pix501 acting like a router while I'm accessing it with a standard home network (192.168.1.0/24)?
code:
Boner Buffet fucked around with this message at 15:23 on Dec 3, 2007 |
# ? Dec 3, 2007 15:09 |
XakEp posted:vvvv My understanding is the default route will be used after all other routes in the routing table don't match vvvv
Confirming this, routing table (assuming static and no ECMP/UCMP dynamic routing is going on) routes based on: 1) Longest match. 2) Lowest metric/cost. So the most specific entry will take the traffic.
# ? Dec 3, 2007 17:19 |
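The two rules above (longest match first, lowest metric as the tie-break) are easy to get wrong by reading a `show ip route` listing top to bottom, so here is the selection written out as code. This is an added example, not from the thread: the table is constructed to resemble the 4506 one described earlier (the voice /24, the 10/8 data network, a /30 toward the PIX at 10.6.4.2, a static behind it and a default route), and the next hops and metrics are made up. It also shows what happens with no default route at all.

```python
"""Routing-table lookup: longest prefix wins, then lowest metric; default route last.

Added example (not from the thread). Table entries are constructed.
"""
import ipaddress

# (prefix, next hop, metric) - constructed sample table
ROUTES = [
    ("0.0.0.0/0",      "203.0.113.1", 1),    # static default route
    ("10.0.0.0/8",     "connected",   0),    # data network
    ("172.16.0.0/24",  "connected",   0),    # voip network
    ("10.6.4.0/30",    "connected",   0),    # link toward the PIX 501 (10.6.4.2)
    ("192.168.1.0/24", "10.6.4.2",    1),    # static: home LAN reached through the PIX
    ("192.168.1.0/24", "203.0.113.1", 120),  # same prefix learned with a worse metric
]


def lookup(destination, routes=ROUTES):
    """Return (prefix, next_hop) for destination, or None if nothing matches.

    Longest prefix length wins; among equal lengths the lowest metric wins.
    A default route has length 0, so it is only chosen when no other entry
    contains the destination. It never overrides a connected or static route.
    """
    ip = ipaddress.ip_address(destination)
    best = None
    for prefix, next_hop, metric in routes:
        net = ipaddress.ip_network(prefix)
        if ip not in net:
            continue
        key = (net.prefixlen, -metric)           # higher tuple = preferred
        if best is None or key > best[0]:
            best = (key, prefix, next_hop)
    return None if best is None else (best[1], best[2])


if __name__ == "__main__":
    for dst in ("172.16.0.55", "10.6.4.2", "10.20.1.1", "192.168.1.20", "8.8.8.8"):
        print(dst, "->", lookup(dst))
```

Note that 10.6.4.2 is inside 10.0.0.0/8 as well, but the /30 is longer and takes it; and 192.168.1.0/24 appears twice, where only the metric decides. Real IOS also applies administrative distance before metric, which this toy folds into the single "metric" column.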
CrazyLittle posted:Are you doing any NAT with your firewall? If so there should also be a "static" rule somewhere in there that you need to check, in case you're only doing port forwarding instead of one-to-one static nats.
I'm still pretty new at this stuff so I'm going to go further here. I'd know a lot more about this had I been the one setting this up from the beginning but I feel like I'm diving into a shark tank without a cage. I'm looking over the running config and I can see where the vlan is setup for the DMZ. I see some static routes setup but it all seems to be for inter-network travel and a couple of outbound mappings. I can see the ACL I need to add what I need but I'm obviously not adding the right info. Here's the pertinent part of the running config, any chance I can get a hand with this? I need 61000 and 61001 traffic forwarded to the DMZ.
permanoob fucked around with this message at 06:55 on Dec 4, 2007 |
# ? Dec 3, 2007 20:00 |
If someone has a box running 12.4(15)T1, or can get a box running 12.4(15)T1, I'd like to see if they can reproduce a CEF problem with SSL VPN and VRF. If somebody has hardware and an interest in helping, I can provide you with configs.
# ? Dec 3, 2007 22:29 |
jwh posted:If someone has a box running 12.4(15)T1, or can get a box running 12.4(15)T1, I'd like to see if they can reproduce a CEF problem with SSL VPN and VRF.
Check your PMs.
# ? Dec 3, 2007 23:20 |
permanoob posted:I'm still pretty new at this stuff so I'm going to go further here. I'd know a lot more about this had I been the one setting this up from the beginning but I feel like I'm diving into a shark tank without a cage.
Nevermind. Got it taken care of by adding an object group with the two ports I needed and applying it to the VLAN.
# ? Dec 3, 2007 23:46 |
Girdle Wax posted:If you're using an actual cisco rj45 adapter, you need to use a rollover cable between the adapter and the switch. Do you have a molded cable, or can you make a rollover?
well dip me in poo poo and fry me as a hush puppy - the molded cable worked! looks like I really did have 2 bad console cables!
# ? Dec 3, 2007 23:58 |
jwh posted:If someone has a box running 12.4(15)T1, or can get a box running 12.4(15)T1, I'd like to see if they can reproduce a CEF problem with SSL VPN and VRF.
What kind of box? If you still need help that is.
# ? Dec 4, 2007 01:29 |
CrazyLittle posted:How often do any of you guys configure loopback interfaces on your routers, and what do you tend to use them for?
Every router, sometimes multiple of them on a single router. Dynamic routing protocol source interfaces, ntp source interfaces, snmp source interfaces, etc.
# ? Dec 4, 2007 19:37 |
I have a pair of stacked 3750's with a couple VLANs. One VLAN is used for Internet based traffic and the other is private SAN traffic. I'd like to use an mtu of 9000 for the second vlan, however from what I've read the mtu can only be set system wide and not per interface or vlan. How will having a sys mtu of 9000 affect internet traffic that upstreams to a pair of ASA's that have an mtu of 1500?
# ? Dec 5, 2007 05:23 |
jwh posted:If someone has a box running 12.4(15)T1, or can get a box running 12.4(15)T1, I'd like to see if they can reproduce a CEF problem with SSL VPN and VRF.
# ? Dec 5, 2007 05:26 |
brent78 posted:I have a pair of stacked 3750's with a couple VLANs. One VLAN is used for Internet based traffic and the other is private SAN traffic. I'd like to use an mtu of 9000 for the second vlan, however from what I've read the mtu can only be set system wide and not per interface or vlan. How will having a sys mtu of 9000 affect internet traffic that upstreams to a pair of ASA's that have an mtu of 1500?
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12240se/cr/cli2.htm#wp1949594
The SAN ports aren't routed (I assume) so you might be able to do system mtu jumbo. Also if you have path mtu discovery running it shouldn't be a big deal.
jwh posted:If someone has a box running 12.4(15)T1, or can get a box running 12.4(15)T1, I'd like to see if they can reproduce a CEF problem with SSL VPN and VRF.
I haven't forgotten about you, the last few days have just royally sucked.
Tremblay fucked around with this message at 05:58 on Dec 5, 2007 |
# ? Dec 5, 2007 05:54 |
brent78 posted:Is that problem related to the router crashing? We have some 3825's running 12.4(15)T1 that crash after a while when users connect using the AnyConnect VPN client, we're using vrf as well. It's a known issue that will be fixed on the next release.
I haven't seen the router crash yet- I'm just seeing all WebVPN traffic outbound from the router to a connected client stop. Seems to take from between fifteen seconds and two minutes to happen. I don't see the problem when I remove 'webvpn cef'.
Tremblay posted:I haven't forgotten about you, the last few days have just royally sucked.
# ? Dec 5, 2007 06:11 |
brent78 posted:I have a pair of stacked 3750's with a couple VLANs. One VLAN is used for Internet based traffic and the other is private SAN traffic. I'd like to use an mtu of 9000 for the second vlan, however from what I've read the mtu can only be set system wide and not per interface or vlan. How will having a sys mtu of 9000 affect internet traffic that upstreams to a pair of ASA's that have an mtu of 1500?
Shouldn't affect things at all, since it probably won't be the 3750's generating the traffic. If everyone else on the "internet" VLAN uses mtu 1500 (which they would unless explicitly told otherwise), no one will ever notice anything.
# ? Dec 5, 2007 07:57 |
I've been trying to come up with a solution to some network latency I have been experiencing recently, especially in regards to torrents. I'm looking for a way to throttle my BitTorrent traffic not from my own computer, but over the network. And not really throttle it, but prioritize web traffic, in fact most other traffic over BitTorrent traffic, so I can browse the internet, play games, etc etc while dynamically throttling the traffic? I know I can go and buy a router that supports QoS, but are there any OS based solutions that I can implement between my router and DSL modem? Something that would act like a network firewall, and as a device that supports QoS?
And it just so happens that my friend has an extra Cisco PIX 501 laying around his house he is gonna let me borrow. I'm about 3/4 of the way through my CCNA, and I'm wondering if this thing is gonna be completely beyond me...cryptotables and the like already have my brain aching. What I'd like to do is plug the PIX into my network (assuming it works this way) like this:
Fa0/0 DSL Modem to internet
Fa0/1 Wireless router w/AAA set up (gently caress you wardrivers)
Fa0/2 Connects to Linksys BEFSR81 upstairs with 3 computers on it
Fa0/3 Mom's Mac
Can I do it like that? Or am I doing it wrong? I realize that what I am doing is so beyond what I need, but I really don't care, I need the experience.
One other question: Does the PIX support UPnP?
# ? Dec 5, 2007 10:19 |
Wicaeed posted:I'm looking for a way to throttle my BitTorrent traffic not from my own computer, but over the network. And not really throttle it, but prioritize web traffic, in fact most other traffic over BitTorrent traffic, so I can browse the internet, play games, etc etc while dynamically throttling the traffic? I know I can go and buy a router that supports QoS, but are there any OS based solutions that I can implement between my router and DSL modem? Something that would act like a network firewall, and as a device that supports QoS?
Wicaeed posted:What I'd like to do is plug the PIX into my network (assuming it works this way) like this:
Wicaeed posted:One other question: Does the PIX support UPnP?
The one thing that'll suck on a 501 is that you're stuck on 6.0 code, PDM sucks compared to ASDM imo.
# ? Dec 5, 2007 13:55 |
Girdle Wax posted:The one thing that'll suck on a 501 is that you're stuck on 6.0 code, PDM sucks compared to ASDM imo.
Java timeout issues too. If it's what you have, it'll do the job, but don't expect it to be frustration free.
# ? Dec 5, 2007 14:43 |
I'm working through even more VPN client issues, and I'm being told from our systems people that we need our VPN connected clients to register themselves in DNS. Apparently when a remote user connects now, they're registering in WINS, but not in DNS, which is leading to all kinds of terrible things- if you're a Windows systems guy. Personally, I don't know if expecting VPN connected clients to have accurate forward or reverse DNS is a reasonable expectation in the first place, but it's being asked for. I've spent a day or two looking at DHCP Client Proxy features for Easy VPN on IOS, but it doesn't appear to want to work with VRF, and before I spend any more time on it, I have to ask how everyone else is solving this problem. Or, if this is even a problem for anyone else.
# ? Dec 6, 2007 22:18 |
jwh posted:I'm working through even more VPN client issues, and I'm being told from our systems people that we need our VPN connected clients to register themselves in DNS.
It looks like you can do this with a concentrator. Not sure about ASA or IOS. Windows hosts have DDNS clients on them, why can't the host do it after the tunnel comes up?
# ? Dec 6, 2007 22:23 |
I'm not sure if I have ever seen the Windows DDNS function work properly for the virtual interfaces created from VPN or PPP or such things. On the other hand, I can't see why not having a DNS name should cause problems for a client connecting over VPN. Having DNS names for client PCs (from VPN or on a LAN) is nice to have, but rarely really needed for applications to work. Also, I thought the whole point of still having WINS is to be able to cover just that, some kind of naming service (to map a share at a client PC with a certain name or something) when DNS is not around. I have never had to bother with WINS since Windows 2000 (which speaks DNS well).
Might be they can get by with just having any kind of proper DNS name, like if there is some app requiring a name in a certain domain to grant access. In that case, just generate a bunch of generic names (vpn-dynamic-123.foo.bar or something), forward and backward for the entire address pool.
I would make sure whoever requires it specifies for what purposes they need DNS names, and see if they really know what they're talking about. (this is in no way a solution, but getting rid of the problem altogether is always a good fix)
# ? Dec 6, 2007 22:44 |
Tremblay posted:It looks like you can do this with a concentrator. Not sure about ASA or IOS. Windows hosts have DDNS clients on them, why can't the host do it after the tunnel comes up?
Good question. I don't know the answer. I suppose we would need a way to automatically launch that DDNS update process once a tunnel has been established, but I haven't seen a way to do this.
ionn posted:I would make sure whoever requires it specifies for what purposes they need DNS names, and see if they really know what they're talking about.
Personally, I think it's fairly stupid that this process is a 'push' as opposed to a 'pull' initiated by the client, but there's not a lot I can do about that. It's not a very good situation.
# ? Dec 6, 2007 23:23 |
Would you guys talk to me a little bit about how you handle routing? What's your organization size, number of subnets, type of routing? Do you use static or dynamic? I'd like to read a bit about some real world applications.
# ? Dec 7, 2007 03:47 |
InferiorWang posted:Would you guys talk to me a little bit about how you handle routing? What's your organization size, number of subnets, type of routing? Do you use static or dynamic? I'd like to read a bit about some real world applications.
medium sized ISP/NSP/colo
subnets: $ grep - route | grep -vi unused | wc -l 921 (roughly, all allocated all over the place too).
we make heavy use of dynamic routing protocols (ospf containing customer routed subnets and loopback addresses, redist'd from statics on the actual layer3 device the customer connects to (we redist static/connected into ospf)), bgp just contains our aggregates, and prefixes learned from other bgp speakers (customers/peers/upstreams).
ideally we should be doing more aggregation/hierarchy in our IGP (allocate a /22 or something to a customer agg router, and slice it up for bridges/customer prefixes) but that makes it harder renumbering/moving customers from router to router if we need to, so we haven't done any real aggregation of that kind except for remote POPs (null route a /24 on the 'edge'/'core' router of the remote POP, let that advertise back to the main network, then advertise more specifics inside the POP for customers/bridges).
# ? Dec 7, 2007 06:26 |
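The remote-POP scheme in the reply above (null-route an aggregate on the POP edge, advertise only that toward the main network, keep the more-specific customer prefixes inside the POP) is worth seeing end to end, including why the null route is there. The following is an added example, not from the thread and not anyone's production config: it computes the covering aggregate for a set of customer prefixes, builds a toy FIB for a "core" router that only knows the summary and a "pop-edge" router that knows the specifics, and forwards a packet through both. All router names, prefixes and next hops are constructed.

```python
"""POP aggregation: one summary toward the core, customer specifics inside the POP.

Added example (not from the thread). Routers, prefixes and next hops are constructed.
"""
import ipaddress


def covering_aggregate(prefixes):
    """Smallest single prefix that contains every one of the given prefixes."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    plen = min(n.prefixlen for n in nets)
    while plen >= 0:
        cand = ipaddress.ip_network(f"{nets[0].network_address}/{plen}", strict=False)
        if all(n.subnet_of(cand) for n in nets):
            return cand
        plen -= 1
    raise ValueError("unreachable: /0 contains everything")


# Constructed customer allocations inside one remote POP.
CUSTOMERS = {
    "10.40.0.0/26":  "cust-A",
    "10.40.0.64/26": "cust-B",
    "10.40.1.0/24":  "cust-C",
    "10.40.2.0/25":  "cust-D",
}
AGGREGATE = covering_aggregate(CUSTOMERS)            # 10.40.0.0/22
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# The core never learns the specifics, only the aggregate and its own default.
CORE_FIB = [(AGGREGATE, "pop-edge"), (DEFAULT, "upstream")]


def pop_edge_fib(with_null_route=True):
    """FIB of the POP edge: specifics, the discard route for the aggregate, default back to core."""
    fib = [(ipaddress.ip_network(p), nh) for p, nh in CUSTOMERS.items()]
    if with_null_route:
        fib.append((AGGREGATE, "Null0"))          # unallocated space inside /22 is dropped here
    fib.append((DEFAULT, "core"))
    return fib


def lookup(fib, dst):
    """Plain longest-prefix match over a list of (network, next_hop)."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, nh in fib:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def forward(fibs, start, dst, max_hops=8):
    """Follow next hops across the modelled routers until the packet exits or loops."""
    path, router = [start], start
    while len(path) <= max_hops:
        hit = lookup(fibs[router], dst)
        if hit is None:
            path.append("no-route")
            return path
        router = hit[1]
        path.append(router)
        if router not in fibs:                    # customer port, Null0 or upstream: left the model
            return path
    path.append("loop")
    return path


def simulate(dst, with_null_route=True):
    """Path of a packet entering at the core, with or without the discard route on the POP edge."""
    fibs = {"core": CORE_FIB, "pop-edge": pop_edge_fib(with_null_route)}
    return forward(fibs, "core", dst)


if __name__ == "__main__":
    print("aggregate:", AGGREGATE)
    print("allocated:", simulate("10.40.1.9"))
    print("unallocated, with null route:", simulate("10.40.3.77"))
    print("unallocated, without null route:", simulate("10.40.3.77", with_null_route=False))
```

Without the discard route, a packet for an unallocated address inside the aggregate bounces between core and POP edge until TTL expires, because the core's summary points at the POP and the POP's default points back at the core; the Null0 entry turns that into a single drop at the edge. Moving a customer between POPs is the cost the post mentions: the specific then no longer sits under the summary its core route points to.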
InferiorWang posted:Would you guys talk to me a little bit about how you handle routing? What's your organization size, number of subnets, type of routing? Do you use static or dynamic? I'd like to read a bit about some real world applications.
About 150 sites, two datacenter / aggregation facilities. Datacenter IGP is OSPF, MPLS WAN is all BGP. EIGRP is used for DMVPN backup connectivity. It's more routing protocols than I would want, but there's not much of an alternative. We also run each datacenter as a standalone OSPF backbone, which was done to help 'contain' faults. We only advertise summary aggregates towards the WAN, while the datacenter(s) pick up everything as redistributed OSPF E2's. I think it's about 800 routes these days, total, including loopbacks.
# ? Dec 7, 2007 06:39 |
I want to VPN in to a ASA 5510. I'm confused by the webvpn, ssl vpn, easyvpn options. Can someone post a simple ipsec config for use with the cisco client, or even pptp if its supported. I want to authenticate local users only.
# ? Dec 7, 2007 08:01 |
InferiorWang posted:Would you guys talk to me a little bit about how you handle routing? What's your organization size, number of subnets, type of routing? Do you use static or dynamic? I'd like to read a bit about some real world applications.
It depends on where you are and where you are looking. The various 16 or so WAN centers that are used tend to re-use the 10.0.0.0/16 network, although some have 172 and 192 addresses mixed in for added fun. Public IP addresses have been allocated per Data Centre, however some smart people pick free ranges from the middle and send them elsewhere. There are a mixture of BGP, OSPF and Static. It all depends on who designed the network and how long ago it was designed.
# ? Dec 7, 2007 14:27 |
brent78 posted:I want to VPN in to a ASA 5510. I'm confused by the webvpn, ssl vpn, easyvpn options. Can someone post a simple ipsec config for use with the cisco client, or even pptp if its supported. I want to authenticate local users only.
Well, you won't be using easyvpn for a remote access vpn, it's meant for site to site vpns. For the other two you mentioned, it's a whole different ball game. Someone correct me if I'm wrong, but the other two don't require the cisco vpn client. They're web based. An IPsec over UDP/NAT-T or IPsec over TCP (I know, I have them backwards in precedence) will require the cisco vpn client.
Edit - http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_14/g_sslvpn.htm
quote:The Cisco WebVPN feature provides remote access to enterprise sites by users from anywhere on the Internet. The Secure Socket Layer (SSL) Virtual Private Network (VPN) provides users with secure access to specific enterprise applications, such as e-mail and web browsing, without requiring them to have VPN client software installed on their end-user devices.
Yeah, thought so. You don't need the vpn client for ssl/webvpn setups.
XakEp fucked around with this message at 15:13 on Dec 7, 2007 |
# ? Dec 7, 2007 15:07 |
brent78 posted:I want to VPN in to a ASA 5510. I'm confused by the webvpn, ssl vpn, easyvpn options. Can someone post a simple ipsec config for use with the cisco client, or even pptp if its supported. I want to authenticate local users only.
Do you have ASDM installed on the device? If so, go to VPN in ASDM, click "VPN Wizard". It's probably the easiest and quickest way to configure VPN on an ASA/PIX.
# ? Dec 7, 2007 15:49 |