para posted:I'm just starting to get into networking and Cisco. I've bought a book and have some other resources at my disposal, and I'm planning on taking the CCENT as soon as I finish reading and practicing the material. I personally think it's ridiculous to get hardware just for the CCNA. If you're going to get hardware, get it for the CCNP (MPLS). 85% of the CCNA is subnetting and ACLs.

Dec 20, 2007 02:10

dongkeyotay posted:If you're going to get hardware, get it for the CCNP (MPLS). Is MPLS on the CCNP now? If so, what do they ask you to know?

Dec 20, 2007 02:34

I'm looking to block all inbound traffic to one public host via ACLs but I'm not sure what syntax to use. Could someone point me in the right direction?

Dec 20, 2007 21:07

A_Line posted:I'm looking to block all inbound traffic to one public host via ACLs but I'm not sure what syntax to use. Could someone point me in the right direction? On a router, or an ASA/PIX? On a router you could do:

! deny everything destined for the host, then permit the rest
! (without the permit line the ACL's implicit deny would block all inbound traffic)
access-list 100 deny ip any host 1.2.3.4
access-list 100 permit ip any any
!
int fa0/0
 ip access-group 100 in

Dec 20, 2007 22:07

InferiorWang posted:http://www.gns3.net/ I've tried it. One day it's going to be a very useful app, but at the moment it's very limited in features and more of an interesting concept than anything else. It couldn't even import or export a Dynagen config file when I looked at it last, and it also prevented you from using a lot of the standard Dynamips options if you chose to run it from GNS3. But the development seemed to be moving pretty fast and I wouldn't be surprised if they'd added a lot of the missing features by now. Definitely one to watch...

Dec 20, 2007 22:35

jwh posted:Is MPLS on the CCNP now? If so, what do they ask you to know? MPLS is CCIP territory, not CCNP.

Dec 20, 2007 23:28

Reefer Inc. posted:I've tried it. One day it's going to be a very useful app, but at the moment it's very limited in features and more of an interesting concept than anything else. It couldn't even import or export a Dynagen config file when I looked at it last, and it also prevented you from using a lot of the standard Dynamips options if you chose to run it from GNS3. But the development seemed to be moving pretty fast and I wouldn't be surprised if they'd added a lot of the missing features by now. Definitely one to watch... GNS3 actually generates dynagen config files when saving or loading (and is built on dynagen stuff to launch dynamips). And the graphical topology and general gui-ness sure is useful at times. It is still a bit too bug-riddled, but I'm sure it will get better.

Dec 20, 2007 23:52

I've got a weird VPN hairpinning problem on an ASA 5540. I am using an ASA 5540 VPN edition to terminate VPN connections from software clients and PIX/ASA boxes using EasyVPN (in network extension mode). I am trying to get the PIX/ASA remote networks and the VPN Clients to talk to each other (they both have no problems talking to the core) but intra-spoke communication is intermittent. Just as an example, I was trying to ping from a client (192.168.200.4) to a remote network (192.168.8.1) and it wouldn't work, but when I initiated the ping from the remote network side (192.168.8.1) it started working "magically." same-security-traffic permit intra-interface is enabled on the core pix. Here is some of the relevant config:

access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.1.129.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.129.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 10.1.129.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 10.1.129.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip any 10.1.131.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 10.1.129.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip any 10.1.129.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip any 10.1.6.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.1.6.0 255.255.255.0 10.1.6.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.240.0.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.254.0.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.254.0.0
access-list inside_nat0_outbound extended permit ip 172.17.0.0 255.255.0.0 192.168.0.0 255.254.0.0
access-list inside_nat0_outbound extended permit ip 172.18.0.0 255.255.0.0 192.168.0.0 255.254.0.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
ip local pool VPN_CLIENTS 192.168.200.1-192.168.207.254 mask 255.255.248.0
global (outside) 1 209.17.173.11 netmask 255.255.255.0
global (outside) 101 209.17.173.9 netmask 255.255.255.192
global (DMZ) 101 209.17.173.9 netmask 255.255.255.192
global (DMZ) 2 192.168.1.8
nat (outside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.2.4.0 255.255.255.0
nat (inside) 101 172.18.1.0 255.255.255.0
nat (inside) 101 172.16.0.0 255.255.0.0
nat (inside) 101 10.0.0.0 255.0.0.0
nat (DMZ) 0 access-list inside_nat0_outbound

Help?

Dec 21, 2007 20:41

jwh posted:Is MPLS on the CCNP now? If so, what do they ask you to know? Yes, the new CCNP exam (ISCW - replaced the BCRAN) now covers frame-mode MPLS. Exam blueprint here. As far as I know though, MPLS is still much more heavy in the CCIP certification track; there's still an entire exam dedicated to it.

Dec 25, 2007 06:13

mamboman posted:I've got a weird VPN hairpinning problem on an ASA 5540. Run it through packet-tracer. Although what an issue may be is a same-interface routing issue, as ASAs dislike sending packets back out the same int they received it on. Also note: technically a VPN client is considered to live on the outside interface. But really, packet-tracer is your new best friend.

Dec 25, 2007 07:16

Can anyone think of any issues plugging a 10Base-T nic into a fast ethernet port? A UPS I'm looking at only has the option to add a 10BT card for SNMP abilities.

Dec 28, 2007 03:49

For those of you who have taken a cisco netacademy class before and missed the 640-801 deadline, you should still be eligible to take the old exam. I was checking out the prepcenter to try and see some of the new test questions when I stumbled back into the netacademy site. I decided to log back in and check out the site. I found access to packet tracer and the coupon voucher for the old exam. I took this class at least 1.5 years ago. Thrilled, I tried to schedule an exam by phone in the upcoming week and it worked. If you have the code and a netacademy id, you should be good to go. I won't mind looking over the new material after I pass the exam. cheers

Dec 28, 2007 18:41

mamboman posted:I've got a weird VPN hairpinning problem on an ASA 5540. You need a nat (outside) statement to translate VPNC IPs to globals, i.e. nat (outside) 1 <RA VPN Subnet> netmask <mask>. Also, you say same sec intra is on the core PIX... It needs to be on this ASA since it is terminating the tunnels (unless I misread that bit).

Dec 28, 2007 18:46

I have a pair of ASA 5520's protecting a cluster of around 40 servers. I want to create a class-map that will rate limit SSH and FTP connections by source IP to 5 per minute to cut down on dictionary attacks and the like. Can someone help me find the configuration I'm looking for?

Dec 28, 2007 20:11

brent78 posted:I have a pair of ASA 5520's protecting a cluster of around 40 servers. I want to create a class-map that will rate limit SSH and FTP connections by source IP to 5 per minute to cut down on dictionary attacks and the like. Can someone help me find the configuration I'm looking for? Not sure that is possible. Best way I can think to do something like that is to use auth proxy. For FTP the ASA can do inline authentication. However we don't do inline for SSH, IIRC. Do these need to be publicly accessible? If it's only employees that need access just force them to connect to VPN first.

Dec 28, 2007 20:44

So I'm not far enough into my curriculum to know how to work with this yet, but I have a 2511-DC that I got and I have a LOT of equipment I plan to learn off of. Is there a way to configure Async 1-16 to plug into the CONSOLE port to manage multiple pieces of equipment via SSH or other means? Or am I just pissing into the wind? Love the thread, guys.

Dec 29, 2007 04:18

Spazz posted:So I'm not far enough into my curriculum to know how to work with this yet, but I have a 2511-DC that I got and I have a LOT of equipment I plan to learn off of. Is there a way to configure Async 1-16 to plug into the CONSOLE port to manage multiple pieces of equipment via SSH or other means? Or am I just pissing into the wind? Okay so I'm totally off about that point. I thought you were talking about a serial WIC. Anyways you'll need an octal cable. Here's one on eBay: http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=320199361010 (edited by CrazyLittle at 19:28 on Dec 29, 2007)

Dec 29, 2007 07:01

Spazz posted:So I'm not far enough into my curriculum to know how to work with this yet, but I have a 2511-DC that I got and I have a LOT of equipment I plan to learn off of. Is there a way to configure Async 1-16 to plug into the CONSOLE port to manage multiple pieces of equipment via SSH or other means? Or am I just pissing into the wind? It will work fine, that's how everyone sets up a console server for a CCIE study lab. http://www.cisco.com/en/US/products/hw/routers/ps233/products_data_sheet09186a008009204c.html http://mail.cynico.net/~hucke/network/notes-2511.html

Dec 29, 2007 12:14

Spazz posted:So I'm not far enough into my curriculum to know how to work with this yet, but I have a 2511-DC that I got and I have a LOT of equipment I plan to learn off of. Is there a way to configure Async 1-16 to plug into the CONSOLE port to manage multiple pieces of equipment via SSH or other means? Or am I just pissing into the wind? I've personally set up mine so it'll do it, and I've used it. Works great.

Dec 29, 2007 17:44

Tremblay posted:You need a nat (outside) statement to translate VPNC IPs to globals. ie. nat (outside) 1 <RA VPN Subnet> netmask <mask> The PIXes are just remote network boxes with network extension mode. The core ASA is terminating all the tunnels and has the same sec intra command enabled. I tried putting a global address on but I get no joy

Dec 30, 2007 01:34

Is there any particular reason "sh int status" just comes up blank? Using IOS (tm) C2600 Software (C2600-JK9S-M), Version 12.3(21), RELEASE SOFTWARE (fc2) on a 2610XM router.

Dec 30, 2007 02:33

karttoon posted:Is there any particular reason "sh int status" just comes up blank? Using IOS (tm) C2600 Software (C2600-JK9S-M), Version 12.3(21), RELEASE SOFTWARE (fc2) on a 2610XM router. "sh int status" only works on switch platforms, use "sh ip int bri" instead. (edited by atticus at 04:03 on Dec 30, 2007)

Dec 30, 2007 03:56

mamboman posted:The PIXes are just remote network boxes with network extension mode. The core ASA is terminating all the tunnels and has the same sec intra command enabled. I tried putting a global address on but I get no joy Ok. I kinda found what the problem was (http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml) and I needed to put something in the ACL. But now I get IPSEC Spoof Detected when running packet-trace

Dec 30, 2007 04:01

atticus posted:"sh int status" only works on switch platforms, use "sh ip int bri" instead. I use sh int status on our routers at work all day. Also, sh ip int bri doesn't include duplex/speed/port type which is what I want. 'sh int <int> status' returns a blank line too.

Dec 30, 2007 06:28

karttoon posted:I use sh int status on our routers at work all day. Also, sh ip int bri doesn't include duplex/speed/port type which is what I want. 'sh int <int> status' returns a blank line too. I've just tried it on at least 3 of our production routers (2800s) and I get the same results. I tried it on two 6509's and two 3750 stacks and it works fine. What's the platform that you're having success on at work?

Dec 30, 2007 06:44

mamboman posted:Ok. I kinda found what the problem was (http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml) and I needed to put something in the ACL. That's fine, it's because the ASA treats it like a real packet - without any flow, or sequence numbers it assumes someone is running a packet-injection attack on you.

Dec 30, 2007 07:24

atticus posted:I've just tried it on at least 3 of our production routers (2800s) and I get the same results. I tried it on two 6509's and two 3750 stacks and it works fine. What's the platform that you're having success on at work? It seems that 2800's with switch WIC cards work with Show int status. flash:c2800nm-advipservicesk9-mz.124-11.T2.bin which is a 2811 modular router it works on, while a 2811 with the same code version but without a switchcard does not have that functionality. (edited by jbusbysack at 07:48 on Dec 30, 2007)

Dec 30, 2007 07:36

jbusbysack posted:Thats fine, its because the ASA treats it like a real packet - without any flow, or sequence numbers it assumes someone is running a packet-injection attack on you. Hm, well the ping still doesn't work.

Dec 30, 2007 19:32

mamboman posted:Hm, well the ping still doesn't work. Post the packet-trace for both directions (client to remote network, and vice versa)

Dec 30, 2007 20:30

jbusbysack posted:Post the packet-trace for both directions (client to remote network, and vice versa) Was just about to do that >< Found something interesting. code:

Dec 30, 2007 20:43

Well... I don't know what I did but I am getting a different output from packet trace now.

Phase: 14
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x4e4c070, priority=70, domain=encrypt, deny=false
hits=27, user_data=0x0, cs_id=0x7bdbd68, reverse, flags=0x0, protocol=0
src ip=192.168.200.0, mask=255.255.248.0, port=0
dst ip=192.168.0.0, mask=255.255.0.0, port=0

It will drop the VPN packets going from software client to PIX remote networks, but not vice-versa. I am not quite sure which rule it is looking up though, because I am using EasyVPN client mode.

Dec 31, 2007 00:08

jbusbysack posted:It seems that 2800's with switch WIC cards work with Show int status. The L2 switch interface modules work with "sh int status", since that is switch hardware. The built-in "real" FastEthernet interfaces aren't present in the output, are they?

Jan 4, 2008 00:51

ionn posted:The L2 switch interface modules work with "sh int status", since that is switch hardware. The built-in "real" FastEthernet interfaces aren't present in the output, are they? Correct. Since it's strictly a switch-based command, only the linecard ports are displayed in the output.

Jan 4, 2008 04:30

Stupid question: What does the XM mean on the tail of router models? i.e. 2620 vs 2620XM. Thanks

Jan 7, 2008 03:15

Spazz posted:Stupid question: What does the XM mean on the tail of router models? i.e. 2620 vs 2620XM. I don't know that it stands for anything, but the XM routers came out after the 2600 series, replacing them for the most part. The major difference is new proc / support for more memory/flash/WICs.

Jan 7, 2008 03:22

This may be a question for its own thread, but what kind of admin tools do you guys prefer? I haven't really gotten into the IOS yet (I'm new to networking in general), but when I do it might be helpful to know what kinds of tools are the most efficient and feature rich. Do you just use the terminal and use telnet/ssh, or do you use something a little more specific to the task? For analyzing network traffic I've read of the NetFlow protocol and a program called Scrutinizer, but I've been told that it only logs traffic through the router in one direction (I've forgotten if he said it was either in or out) and it seems rather pointless to not have both if you are looking at network utilization. Also telnet and ssh don't seem to let me redirect std input into them so I can't send a bunch of prewritten commands to the router. If I want to run a bunch of prewritten commands on a router and perhaps capture the output (equivalent to '# cat input.txt | ssh admin@router > output.txt' if ssh would let me do that) what would be the choice method of doing it? I hope this question wasn't too long for this thread. Thanks.

Jan 8, 2008 01:04

para posted:Also telnet and ssh don't seem to let me redirect std input into them so I can't send a bunch of prewritten commands to the router. If I want to run a bunch of prewritten commands on a router and perhaps capture the output (equivalent to '# cat input.txt | ssh admin@router > output.txt' if ssh would let me do that) what would be the choice method of doing it? You probably want to look into a tool called RANCID (from shrubbery networks), in particular, the 'clogin' command distributed with it: http://www.shrubbery.net/rancid/man/clogin.1.html

Jan 8, 2008 01:30

para posted:This may be a question for its own thread, but what kind of admin tools do you guys prefer? What do you mean when you say "send pre-written commands to the router"? If you're looking for something interactive, I know that people have had good luck with Expect scripts, however you should just be able to paste a bunch of commands from notepad into your console or ssh session, and IOS should interpret them sequentially...

Jan 8, 2008 17:51

para posted:For analyzing network traffic I've read of the NetFlow protocol and a program called Scrutinizer, but I've been told that it only logs traffic through the router in one direction (I've forgotten if he said it was either in or out) and it seems rather pointless to not have both if you are looking at network utilization. Version 5 NetFlow flows are unidirectional, and are built on packet ingress. In practice, all this really means is that you'll want to apply NetFlow on all of your interfaces that a bidirectional flow could traverse. In other words, so long as you have NetFlow enabled on all of the interfaces, you won't "miss" any utilization information.

Jan 8, 2008 18:05
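To make the "v5 flows are unidirectional and built on ingress" point concrete, here is an added example that is not from the thread: it packs a constructed NetFlow v5 export datagram (the real 24-byte header and 48-byte record layout), parses it back, and pairs the one-way flows into conversations while only counting flows that entered on interfaces where NetFlow is assumed enabled. The ifindex numbers, addresses and byte counts are constructed sample values.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire format, big-endian: a 24-byte header followed by 48-byte flow records.
HDR_FMT = "!HHIIIIBBH"
REC_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HDR_LEN = struct.calcsize(HDR_FMT)  # 24
REC_LEN = struct.calcsize(REC_FMT)  # 48

# Constructed sample: one HTTP request/reply pair as a router would export it.
# Tuple layout: (src, dst, sport, dport, proto, input ifindex, output ifindex, pkts, octets).
SAMPLE_FLOWS = [
    ("10.1.1.5", "192.0.2.10", 51234, 80, 6, 1, 2, 10, 1500),    # request, entered on ifindex 1
    ("192.0.2.10", "10.1.1.5", 80, 51234, 6, 2, 1, 20, 30000),   # reply, entered on ifindex 2
]

def build_v5_packet(flows):
    """Pack flows into a v5 export datagram (uptime, timestamps and sequence zeroed)."""
    header = struct.pack(HDR_FMT, 5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    body = b""
    for src, dst, sport, dport, proto, in_if, out_if, pkts, octets in flows:
        body += struct.pack(REC_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                            b"\0\0\0\0", in_if, out_if, pkts, octets, 0, 0,
                            sport, dport, 0, 0, proto, 0, 0, 0, 24, 24, 0)
    return header + body

def parse_v5_packet(data):
    """Unpack a v5 datagram into flow dicts; rejects other versions and short packets."""
    version, count = struct.unpack_from(HDR_FMT, data)[:2]
    if version != 5 or len(data) < HDR_LEN + count * REC_LEN:
        raise ValueError("not a complete NetFlow v5 datagram")
    records = []
    for i in range(count):
        f = struct.unpack_from(REC_FMT, data, HDR_LEN + i * REC_LEN)
        records.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                        "in_if": f[3], "out_if": f[4], "pkts": f[5], "octets": f[6],
                        "sport": f[9], "dport": f[10], "proto": f[13]})
    return records

def bidirectional_octets(records, exporting_ifaces):
    """Pair one-way flows into conversations keyed on the first direction seen.
    A v5 flow exists only for the interface the packets entered on, so a flow whose
    input ifindex is not in exporting_ifaces is one the router would never export.
    Returns {(src, sport, dst, dport, proto): [forward_octets, reverse_octets]}."""
    convs = defaultdict(lambda: [0, 0])
    for r in records:
        if r["in_if"] not in exporting_ifaces:
            continue
        fwd = (r["src"], r["sport"], r["dst"], r["dport"], r["proto"])
        rev = (r["dst"], r["dport"], r["src"], r["sport"], r["proto"])
        if rev in convs:
            convs[rev][1] += r["octets"]
        else:
            convs[fwd][0] += r["octets"]
    return dict(convs)

if __name__ == "__main__":
    recs = parse_v5_packet(build_v5_packet(SAMPLE_FLOWS))
    print("NetFlow on ifindex 1 only:", bidirectional_octets(recs, {1}))   # reply bytes missing
    print("NetFlow on ifindex 1 and 2:", bidirectional_octets(recs, {1, 2}))
```

With NetFlow on only one interface the 30000-byte reply never shows up, which is exactly the "one direction" behaviour the question describes.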
I have a question. Has anybody had experience with Cisco's Clean Access stuff? I'm having an issue with laptops right now and was told that there is a client that will automatically connect with credentials to an access point upon startup, but nobody is helpful and will tell me what it is or where to get it. Has anybody heard of this or knows what it is?

Jan 8, 2008 18:08