Tremblay
Oct 8, 2002
More dog whistles than a Petco

Ratmtattat posted:

I have a question. Has anybody had experience with Cisco's Clean Access stuff? I'm having an issue with laptops right now and was told that there is a client that will automatically connect with credentials to an access point upon startup, but nobody is helpful and will tell me what it is or where to get it. Has anybody heard of this or knows what it is?

http://cisco.com/en/US/products/ps6128/index.html

HW that is unauthenticated is put in an untrusted VLAN. Once the supplicant auths then the client is moved to your trusted VLAN and they have full connectivity. There is more to it than that, but I don't really know enough to get into specifics. It's pretty popular (especially with education).


Boner Buffet
Feb 16, 2006
Anyone have any ideas how using two DHCP servers on one line might work?

Ethernet Drop -> Cisco IP Phone <-built in switch-> PC

The Cisco IP Phone(7960G/7911G) would be getting a DHCP address from a Win2000 call manager box, the PC would draw from a NetWare DHCP server. Can you differentiate what pulls what address?

inignot
Sep 1, 2003

WWBCD?

InferiorWang posted:

Anyone have any ideas how using two DHCP servers on one line might work?

Ethernet Drop -> Cisco IP Phone <-built in switch-> PC

The Cisco IP Phone(7960G/7911G) would be getting a DHCP address from a Win2000 call manager box, the PC would draw from a NetWare DHCP server. Can you differentiate what pulls what address?

Separate data & VoIP VLANs = separate DHCP scopes. Cisco phones will build a trunk to the switch & pass another data VLAN to the PC.
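
The voice/data split described above, as an added IOS example that is not from the original post. VLAN numbers, interface names, subnets and the two DHCP server addresses are assumptions. The access port carries the data VLAN untagged (the PC) and the voice VLAN tagged (the phone learns it over CDP); the two SVIs live on whatever device routes the VLANs (layer-3 switch or router) and each relays DHCP broadcasts to its own server with `ip helper-address`, so the NetWare server never sees a phone request and the CallManager box never sees a PC request, with no MAC filtering anywhere.

```text
! Access port for a phone with a PC behind it
interface FastEthernet0/1
 description Phone + PC
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
!
! Data VLAN SVI: relay DHCP to the NetWare server (address assumed)
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
 ip helper-address 10.10.0.5
!
! Voice VLAN SVI: relay DHCP to the CallManager box (address assumed)
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
 ip helper-address 10.10.0.6
!
! Check that the phone actually landed in the voice VLAN:
!   Switch# show interfaces FastEthernet0/1 switchport | include Voice
!   Voice VLAN: 20
```

The relay rewrites the broadcast as a unicast with `giaddr` set to the SVI address, which is what each server uses to pick its scope, so the voice scope only needs to exist on the CallManager side and the data scope only on the NetWare side.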

Ninja Rope
Oct 22, 2005

Wee.

InferiorWang posted:

Anyone have any ideas how using two DHCP servers on one line might work?

Ethernet Drop -> Cisco IP Phone <-built in switch-> PC

The Cisco IP Phone(7960G/7911G) would be getting a DHCP address from a Win2000 call manager box, the PC would draw from a NetWare DHCP server. Can you differentiate what pulls what address?

Putting two DHCP servers on the same broadcast domain won't work. inignot's solution will.

Edit: vvv That's a good point, you could filter based on the vendor ID of the MAC or other client identifiers. I actually wrote a DHCP server in Perl to do this (mostly for learning experience), but I'm sure there are other DHCP servers that allow those filtering options.

Ninja Rope fucked around with this message at 16:49 on Jan 9, 2008

ragzilla
Sep 9, 2005
don't ask me, i only work here


Ninja Rope posted:

Putting two DHCP servers on the same broadcast domain won't work. inignot's solution will.

Actually... you could configure your DHCP servers with manual/sticky leases, or if you were using something like isc-dhcpd you could tell it to filter based on the MAC address, so only 1 server would answer for a particular subset of MACs, and the other server would be configured to not answer for that subset.

But that'd require a fair bit of configuration, and not all DHCP servers support that level of tweaking, so best practice would be putting it on separate voice VLAN.
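
The isc-dhcpd MAC filtering mentioned above, as an added example that is not from the original post. The OUI 00:0b:be (a Cisco block), the vendor-class prefix, the subnet and the address ranges are assumptions; in dhcpd.conf the `hardware` expression is the hardware-type byte followed by the MAC, so offset 1, length 3 is the OUI. With every pool denying the phone class, this server has no lease to offer a phone and stays silent, leaving the CallManager-side server to answer. A MAC or vendor class is trivial to forge, so this only steers leases; it is not an access control, which is one more reason the separate voice VLAN is the better answer.

```conf
# Server A (isc-dhcpd): hands out PC leases, ignores Cisco phones.
class "cisco-phones" {
  match if substring(hardware, 1, 3) = 00:0b:be
        or substring(option vendor-class-identifier, 0, 19) = "Cisco Systems, Inc.";
}

# Subnet shared by phones and PCs (addresses assumed).
subnet 192.168.50.0 netmask 255.255.255.0 {
  option routers 192.168.50.1;
  option domain-name-servers 192.168.50.10;

  # PC pool: phones are refused here, so this server never answers them.
  pool {
    deny members of "cisco-phones";
    range 192.168.50.100 192.168.50.199;
  }
}

# Mirror image for a second isc-dhcpd instance that should answer only phones
# (the class declaration above is repeated in that server's config):
#
#   pool {
#     allow members of "cisco-phones";
#     range 192.168.50.200 192.168.50.249;
#   }
```

Run `dhcpd -t -cf /etc/dhcpd.conf` after editing to syntax-check the file before restarting the daemon; a server that refuses a client logs "no free leases" for it rather than sending a NAK.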

R-Type
Oct 10, 2005

by FactsAreUseless
Gents,

What is the most cost effective Cisco switch with 24 GbE ports? Average Ebay pricing is welcome. I need to replace a big noisy Extreme Networks Summit 7i box with something in a 1U package.

Ninja Rope
Oct 22, 2005

Wee.

R-Type posted:

Gents,

What is the most cost effective Cisco switch with 24 GbE ports? Average Ebay pricing is welcome. I need to replace a big noisy Extreme Networks Summit 7i box with something in a 1U package.

Talk to M@, he'll hook you up.

M@
Jul 10, 2004

R-Type posted:

Gents,

What is the most cost effective Cisco switch with 24 GbE ports? Average Ebay pricing is welcome. I need to replace a big noisy Extreme Networks Summit 7i box with something in a 1U package.

Thanks Ninja Rope!

Probably looking at a WS-C2960G-24TC-L. Looks like they're running about $1800 on ebay, which is around what I could do it for.

Boner Buffet
Feb 16, 2006
Makes sense. Thanks fellas. I'm working with an outside firm to rebuild our network along with expanding our current VoIP installed base. We're subnetting the data network the way it should be (I was saddled with a 10.0.0.0/8 data network when I took the job). The voice network is already in its own VLAN so that route is probably the most viable.

I'm sure the guys I'm working with know how to do this already, but we haven't gotten to that point of the build and I was just curious myself, so I figured I'd pick your brains.

MiniSune
Sep 16, 2003

Smart like Dodo!
I have a Cisco 877 which has been giving me good service. I enabled the Easy VPN Server via SDM to enable remote users to access files on PC on the internal network via the cisco vpn software client.

The local office network is 192.168.0.X and the remote users are put into their own pool on 192.168.1.X. The remote users have no problems accessing the network and getting files, RDP etc, however if one user asks for assistance I cannot ping, remote desktop or traceroute to the remote client on 192.168.1.X from the local network of 192.168.0.X.

My question is: do the VPN tunnels only work one way when using the cisco software client and 877's Easy VPN server? Or can I make the tunnel both ways? Or is the tunnel both ways by default, and it most likely has some shitastic rule somewhere screwing the whole show (Not surprising, I've set this all up by SDM)?

Will post config if last option.

Also of note is that we have a site to site VPN running as well and it's almost bulletproof. I can browse computers on their side and they to us with no issues at all.

Hades
May 16, 2004

the meowing one
I've just picked up a couple of 837 ADSL routers, to link some sites together, but it appears that to download the latest IOS images, I need a SmartNet contract.
Is that all I need, will it give me a CCO login?

Boner Buffet
Feb 16, 2006

Hades posted:

Is that all I need, will it give me a CCO login?

I might be mistaken, but you don't need the contract for a CCO login. However, it's really just a guest login and you need the various support contracts to unlock parts of the site.

Off that topic, does anyone have any thoughts or opinions on the ASA 5510, specifically how it might stack up against PfSense? Right now I have a carped/pfsync pfsense setup with two PCs. It seems to work well, but the marketing speak for the ASA talks about Application Inspection, voice protection, VLAN capabilities, and of course VPN duties. None of those are supported by pfsense as far as I know. We have roughly 900 workstations and 30 servers. The biggest drawback I see is that I'm losing the redundancy I have right now.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

InferiorWang posted:

I might be mistaken, but you don't need the contract for a CCO login. However, it's really just a guest login and you need the various support contracts to unlock parts of the site.

Correct.

InferiorWang posted:

Off that topic, does anyone have any thoughts or opinions on the ASA 5510, specifically how it might stack up against PfSense? Right now I have a carped/pfsync pfsense setup with two PCs. It seems to work well, but the marketing speak for the ASA talks about Application Inspection, voice protection, VLAN capabilities, and of course VPN duties. None of those are supported by pfsense as far as I know. We have roughly 900 workstations and 30 servers. The biggest drawback I see is that I'm losing the redundancy I have right now.

I work for Cisco.

ASA is a good box. You can have redundancy, you'll just need to buy two of them. The marketing stuff will tell you we do sub-second failover. In most cases this is correct. I do a lot of work on these guys so if you have questions fire away, I'll do my best to answer.

Tremblay fucked around with this message at 20:27 on Jan 11, 2008

ragzilla
Sep 9, 2005
don't ask me, i only work here


InferiorWang posted:

I might be mistaken, but you don't need the contract for a CCO login. However, it's really just a guest login and you need the various support contracts to unlock parts of the site.

Off that topic, does anyone have any thoughts or opinions on the ASA 5510, specifically how it might stack up against PfSense? Right now I have a carped/pfsync pfsense setup with two PCs. It seems to work well, but the marketing speak for the ASA talks about Application Inspection, voice protection, VLAN capabilities, and of course VPN duties. None of those are supported by pfsense as far as I know. We have roughly 900 workstations and 30 servers. The biggest drawback I see is that I'm losing the redundancy I have right now.

pfSense will do VLANs, and VPN (PPTP, IPSec, and OpenVPN).

Probably the biggest advantage with going to a commercial firewall is that you can pay for support- so if the one guy that knows how to deal with the firewalls is on holidays and unreachable you can actually make an attempt at getting them fixed without needing to track him down.

CrazyLittle posted:

This is more valuable than you would even guess until you actually need it. There's hundreds of Cisco techs around who are a phone call away 24/7. The same can't be said for PfSense and m0n0wall.
Couldn't agree more. In the datacenter I work in (~ 300 cabinets), I think we are the only company running non-commercial firewalls- and even those are supposed to be swapped out for a PIX sometime in the near future now that the guy who built/maintained them has moved on.

ragzilla fucked around with this message at 04:57 on Jan 12, 2008

CrazyLittle
Sep 11, 2001
Clapping Larry

Girdle Wax posted:

pfSense will do VLANs, and VPN (PPTP, IPSec, and OpenVPN).

Probably the biggest advantage with going to a commercial firewall is that you can pay for support- so if the one guy that knows how to deal with the firewalls is on holidays and unreachable you can actually make an attempt at getting them fixed without needing to track him down.

This is more valuable than you would even guess until you actually need it. There's hundreds of Cisco techs around who are a phone call away 24/7. The same can't be said for PfSense and m0n0wall.

Ninja Rope
Oct 22, 2005

Wee.
Though, to be fair, there are also plenty of techs who are familiar with Linux (and even BSD) firewalls, though no major companies. At best you could find a VAR who would help, but nothing on the scale of TAC.

If you're evaluating replacement firewalls, Juniper/Netscreen makes great gear and also has great support.

Boner Buffet
Feb 16, 2006
Cheers. I think I have to spend some more time looking at the pfsense docs!

Hades
May 16, 2004

the meowing one
I have a Cisco 837 that I got off eBay.

It seems to be one of the old 837s with only 32mb onboard, and its got a 16mb dram card (total 48mb).
A lot of the new IOS images like to have 64, is there a 32mbit dram card that would fit? The Cisco ones only go up to 16mb.

Ninja Rope
Oct 22, 2005

Wee.

Hades posted:

I have a Cisco 837 that I got off eBay.

It seems to be one of the old 837s with only 32mb onboard, and its got a 16mb dram card (total 48mb).
A lot of the new IOS images like to have 64, is there a 32mbit dram card that would fit? The Cisco ones only go up to 16mb.

What's wrong with the IOS that came with the device?

M@
Jul 10, 2004

Hades posted:

I have a Cisco 837 that I got off eBay.

It seems to be one of the old 837s with only 32mb onboard, and its got a 16mb dram card (total 48mb).
A lot of the new IOS images like to have 64, is there a 32mbit dram card that would fit? The Cisco ones only go up to 16mb.

Max mem on those guys is 48D/16F

Hades
May 16, 2004

the meowing one

M@ posted:

Max mem on those guys is 48D/16F
Yep, it's got that installed, but as the new 837s have a max of 80D (and 64 as standard), I was wondering if it was at all possible to add DRAM slot memory beyond the 16mb cisco-provided maximum (assuming that I can get such a thing)?

Ninja Rope posted:

What's wrong with the IOS that came with the device?

It's just quite an old version (from 2002).

Hades fucked around with this message at 01:56 on Jan 15, 2008

Boner Buffet
Feb 16, 2006

Hades posted:

It's just quite an old version (from 2002).

As far as router images go, I'm not sure if you can go solely by age to determine the value of the IOS. It really comes down to features and what you really need. As far as I can tell, you can have newer IOS images with fewer features than an older one. At least that's what I've been able to determine from my somewhat limited cisco experience.

jwh
Jun 12, 2002

Here's a weird situation that we're still trying to wrap our head around:

This morning, we took a call from a branch office of ours that had been contacted by their broadband provider. The broadband provider, who happens to be a small independent cable operator, was saying that customers, their customers, were routing through our infrastructure, and they had trace-routes to prove it.

Sure enough, trace routes provided showed that other cable customers were routing (or trying to route) through our 1841. Access-lists were stopping things for the most part, although the trace-routes were working asymmetrically (probe packets received in one direction, icmp ttl-exceeded returned in another).

So we immediately thought it was a proxy-arp problem, since proxy-arp is enabled by default. We've shut it off, got our service restored, and things are back to normal.

My question is, we have about a hundred and fifty similar installations, and we've never seen this happen before. I don't have any understanding of uBR's, or cable infrastructure, but is this what happens if you don't pvlan your cable subscribers? Is that even relevant here? It's my best guess, but I'm grasping at straws.

Really weird morning.
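
The fix described above, as an added IOS example that is not from the original post (the interface name is assumed). Proxy ARP makes the router answer an ARP request for any address it has a route to through a different interface, and a default route covers everything, so on a cable segment where subscribers share a broadcast domain any neighbour's host that ARPs for an off-segment address gets the 1841's MAC and starts sending its traffic there. It is on by default per interface, so it has to be turned off on the provider-facing interface and then verified.

```text
! Provider-facing interface on the shared cable segment (name assumed)
interface FastEthernet0/0
 description Cable provider uplink
 ip address dhcp
 no ip proxy-arp
 no ip redirects
 no ip unreachables
!
! Alternative for a fleet: disable it globally (12.2 and later)
ip arp proxy disable
!
! Verify on each interface; the line must read "disabled":
!   Router# show ip interface FastEthernet0/0 | include Proxy ARP
!   Proxy ARP is disabled
```

`no ip redirects` and `no ip unreachables` are in the same spirit: on a segment full of strangers the router should not be telling other hosts where to send packets or which addresses it cannot reach. With 150 similar installs, the `show ip interface ... | include Proxy ARP` line is the one to script across the fleet, since the setting is per interface and the default is the unsafe one.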

inignot
Sep 1, 2003

WWBCD?
You should have complained to them about the performance impact. A carrier's network needs to be able to protect itself from customer misconfiguration, ignorance, and potential malice. Don't take any guff from those swine.

That said, I have no idea how that would happen. If you & the other customers shared a broadcast domain; you could spoof the mac of the carrier's gateway and do man in the middle. But that doesn't happen by accident.

jwh
Jun 12, 2002

inignot posted:

You should have complained to them about the performance impact. A carrier's network needs to be able to protect itself from customer misconfiguration, ignorance, and potential malice. Don't take any guff from those swine.

That said, I have no idea how that would happen. If you & the other customers shared a broadcast domain; you could spoof the mac of the carrier's gateway and do man in the middle. But that doesn't happen by accident.

Believe it or not, we weren't even the ones who noticed- other customers of this operator were attempting to route via our 1841 in a partial capacity, and they were then calling the cable operator's help desk to complain.

Took them a good long while to figure out the problem, I guess.

We're on the same page, believe me: there is no reason why my configuration should adversely affect other subscribers, but that's what happened. I'm curious how that could happen. Definitely has something to do with ip proxy-arp being enabled by default, but I still can't figure out who or what was generating gratuitous arps, and why they weren't contained between the subscriber and the CMTS.

CrazyLittle
Sep 11, 2001
Clapping Larry

inignot posted:

If you & the other customers shared a broadcast domain; you could spoof the mac of the carrier's gateway and do man in the middle.

Yeah, why on earth would (or do) carriers put business customers together within the same broadcast domain. Isn't that just a recipe for disaster?

Pussy Noise
Aug 1, 2003

CrazyLittle posted:

Yeah, why on earth would (or do) carriers put business customers together within the same broadcast domain. Isn't that just a recipe for disaster?

No kidding. I think you guys ought to consider switching providers unless nothing else is available, in which case a long conversation with your account manager at the current provider might be in order...

CanOfMDAmp
Nov 15, 2006

Now remember kids, no running, no diving, and no salt on my margaritas.
Okay, really silly question from a really cheap bastard here.

I just got a switch from M@ in the SA Mart thread, and I want to start setting it up and all. It's a 2924XL-C.

Problem is, I don't have the serial console kit, and I am trying to make my own cables. What I am doing is running a female DB-9 connector right to an RJ-45 port with punchdowns and all, not crimping. I followed the pinout on cisco's site, and whilst they say to make this little adapter and use it with a rollover cable, I went ahead and used the pinout that it would be if I had used the rollover, but with a straight through cable. I know this should work (assuming the rollover cable doesn't do something really interesting other than just reverse the wires), but I can't get my switch to output anything on the console port. I have tested this adapter on other computers and everything, this switch just refuses to react. I tried holding the mode button down on boot, but it still refuses to do anything. Is there some step I am missing to get a serial console to come up, or am I better off trying to figure out the IP of it when it is on the network and then connecting that way?

CrazyLittle
Sep 11, 2001
Clapping Larry

CanOfMDAmp posted:

Problem is, I don't have the serial console kit, and I am trying to make my own cables.

I'll sell/send you a DB-9 console cable for the cost of shipping. Wiring DB9 cables isn't worth the time or effort, really. I'm actually kinda surprised that the switch didn't come with a console cable.

CanOfMDAmp
Nov 15, 2006

Now remember kids, no running, no diving, and no salt on my margaritas.

CrazyLittle posted:

I'll sell/send you a DB-9 console cable for the cost of shipping. Wiring DB9 cables isn't worth the time or effort, really.

Will I need any kind of rollover or anything?

CrazyLittle
Sep 11, 2001
Clapping Larry

CanOfMDAmp posted:

Will I need any kind of rollover or anything?

One end is DB9, the other end is RJ45. Pre-wired to plug into a COM port and a Cisco CON port.

CanOfMDAmp
Nov 15, 2006

Now remember kids, no running, no diving, and no salt on my margaritas.

CrazyLittle posted:

One end is DB9, the other end is RJ45. Pre-wired to plug into a COM port and a Cisco CON port.

Sounds good, what will shipping be to zip 60013?

CrazyLittle
Sep 11, 2001
Clapping Larry

CanOfMDAmp posted:

Sounds good, what will shipping be to zip 60013?

3oz envelope: $1.60 paypal usps 1st class, or $5.05 paypal usps priority. Catch me AIM or PM me.

This is what I'm talking about

H110Hawk
Dec 28, 2006
I'm trying to setup my router to use an authenticated ntp server. I have the key, etc, but it is not wanting to work. Primarily I need it to output debugging messages onto a virtual terminal session, or into `show log`. Here is the nitty gritty:

code:
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M),
Version 12.4(15)T1, RELEASE SOFTWARE (fc2)
Cisco 2821 (revision 53.51) with 249856K/12288K bytes of memory.

ip route 132.163.4.107 255.255.255.255 dhcp
ntp authentication-key 33831 md5 <removed>
ntp authenticate
ntp source Vlan1
ntp update-calendar
ntp max-associations 3
ntp server 132.163.4.107 key 33831 source Vlan1

#show debug
NTP:
  NTP clock adjustments debugging is on
  NTP clock parameters debugging is on
  NTP events debugging is on
  NTP loop filter debugging is on
  NTP packets debugging is on
  NTP clock synchronization debugging is on
  NTP clock selection debugging is on
  NTP peer validity debugging is on
  NTP reference clocks debugging is on
  NTP authentication debugging is on

#sh run int vlan1
Building configuration...

Current configuration : 113 bytes
!
interface Vlan1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 crypto ipsec client ezvpn BLUH-ASA
end
I need the router to send the ntp stuff "from" the IP that's on Vlan1. Near as I can tell it is. Tracerouting looks correct, etc. My main concern is, I cannot tell what NTP is doing. "show ntp associations" is just showing me that it's trying, but nothing useful for debugging.

H110Hawk fucked around with this message at 06:12 on Jan 23, 2008
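
A complete authenticated-NTP configuration for IOS, as an added example that is not from the original post. IOS only uses a key for NTP authentication when it is also listed under `ntp trusted-key`; the config above defines key 33831 and references it on the `ntp server` line but never trusts it, so the example below includes that line. The key value keeps the poster's `<removed>` placeholder. The `logging buffered` line is what makes debug output land in `show logging`, and `terminal monitor` (an exec command, not config) copies it to the current vty session.

```text
! Authenticated NTP: define the key, trust it, then require authentication
ntp authentication-key 33831 md5 <removed>
ntp trusted-key 33831
ntp authenticate
ntp source Vlan1
ntp update-calendar
ntp max-associations 3
ntp server 132.163.4.107 key 33831 source Vlan1
!
! Keep debug output somewhere readable: the log buffer feeds "show logging"
logging buffered 65536 debugging
!
! Exec-mode checks (not part of the config):
!   Router# terminal monitor
!   Router# debug ntp authentication
!   Router# debug ntp packets
!   Router# show ntp associations detail
!   ... look for "configured, authenticated" on the 132.163.4.107 line;
!   "unauthenticated" means the key ID or key value does not match.
!   Router# undebug all
```

`debug ntp packets` prints one line per packet in each direction, so the first thing to look for is whether replies are arriving at all (a routing or ACL problem) before looking at whether they authenticate; `undebug all` when finished, since packet debugs on a 2800 carrying EzVPN traffic are not free.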

jwh
Jun 12, 2002

12.4(15)T1 is really spotty. Can you try another IOS?

ragzilla
Sep 9, 2005
don't ask me, i only work here


H110Hawk posted:

Primarily I need it to output debugging messages onto a virtual terminal session, or into `show log`.

If you've already turned on the debugs, you should be able to use the command 'term mon' to have it drop debug prints to your vty

Usually when troubleshooting NTP I try to go to the other end and just sniff there and see what's going on.

H110Hawk
Dec 28, 2006

Girdle Wax posted:

If you've already turned on the debugs, you should be able to use the command 'term mon' to have it drop debug prints to your vty

Usually when troubleshooting NTP I try to go to the other end and just sniff there and see what's going on.

Thanks! Unfortunately, I cannot sniff the other side. :)

jwh posted:

12.4(15)T1 is really spotty. Can you try another IOS?

Yeah, perhaps tomorrow when people leave I'll reload to our old stable revision. Our CCIE had me load that one while troubleshooting ezvpn bullshit. c2800nm-advipservicesk9-mz.124-18.bin is the other version we have on there. If you are suggesting a different version, which one would that be?
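
When the server side cannot be sniffed, the authentication itself can still be exercised from any host, because the NTPv4 symmetric-key MAC is simply a 4-byte key ID followed by MD5 over the key bytes concatenated with the 48-byte header (RFC 1305, retained in RFC 5905), which is exactly what the router computes for `key 33831`. The Python below is an added example, not code from the original post or from Cisco: it builds the authenticated client request, models the server's reply (authenticated when the key ID is known and the request's MAC verifies, otherwise a 52-byte crypto-NAK with key ID 0 and no digest) and verifies the result. The key `examplekey`, the timestamps and the socketless exchange are constructed for the example; to test a real key, send the bytes from `build_request` to UDP port 123 with `socket.sendto` and pass the reply to `verify`.

```python
import hashlib
import hmac
import struct

NTP_UNIX_OFFSET = 2208988800      # seconds from 1900-01-01 to 1970-01-01
HEADER_LEN = 48                   # NTPv4 header without MAC
MAC_LEN = 4 + 16                  # key ID + MD5 digest
NAK_LEN = HEADER_LEN + 4          # crypto-NAK: key ID 0, no digest

# Constructed example key; the real key was <removed> from the post.
EXAMPLE_KEYS = {33831: b"examplekey"}


def _ntp_timestamp(unix_seconds):
    """Split a Unix time into the NTP (seconds, fraction) 32-bit fields."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32)) & 0xFFFFFFFF
    return whole + NTP_UNIX_OFFSET, frac


def _mac(key, header):
    """NTP symmetric-key digest: MD5(key || 48-byte header)."""
    return hashlib.md5(key + header).digest()


def build_request(key_id, key, transmit_unix):
    """Client (mode 3) request with the symmetric-key MAC appended."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3          # LI=0, NTPv4, mode client
    tx_s, tx_f = _ntp_timestamp(transmit_unix)
    header = struct.pack(
        "!BBBb11I",
        li_vn_mode, 0, 6, -20,                     # stratum, poll, precision
        0, 0, 0,                                   # root delay, root disp, ref id
        0, 0, 0, 0, 0, 0,                          # reference, origin, receive ts
        tx_s, tx_f,                                # transmit timestamp
    )
    return header + struct.pack("!I", key_id) + _mac(key, header)


def verify(packet, keys):
    """True only for a full-length packet whose MAC matches a known key."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False                                # crypto-NAK or no MAC at all
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = keys.get(key_id)
    if key_id == 0 or key is None:
        return False
    return hmac.compare_digest(_mac(key, header), mac[4:])


def server_reply(request, keys, receive_unix):
    """Server (mode 4) reply: authenticated with the request's key if that key
    is known and the request's MAC verifies, otherwise a crypto-NAK."""
    header = bytearray(request[:HEADER_LEN])
    header[0] = (0 << 6) | (4 << 3) | 4            # mode server
    header[1] = 2                                  # stratum 2 (assumed)
    header[24:32] = request[40:48]                 # origin ts = client transmit ts
    rx_s, rx_f = _ntp_timestamp(receive_unix)
    header[32:40] = struct.pack("!II", rx_s, rx_f)  # receive timestamp
    header[40:48] = struct.pack("!II", rx_s, rx_f)  # transmit timestamp (same instant)
    header = bytes(header)
    key_id = struct.unpack("!I", request[HEADER_LEN:HEADER_LEN + 4])[0]
    if verify(request, keys):
        return header + struct.pack("!I", key_id) + _mac(keys[key_id], header)
    return header + struct.pack("!I", 0)           # crypto-NAK, 52 bytes


def exchange(client_keys, server_keys, now=1200000000.0):
    """One request/reply round; reports reply size and whether the client accepts it."""
    req = build_request(33831, client_keys[33831], now)
    rep = server_reply(req, server_keys, now + 0.05)
    return {"reply_len": len(rep), "client_accepts": verify(rep, client_keys)}
```

A 52-byte reply from a real server is the crypto-NAK, meaning the server does not have key 33831 (or has it with a different value); a 68-byte reply that fails `verify` means the key value differs between the two ends; a 68-byte reply that verifies means the key is fine and the problem is on the router side, which on IOS is usually a missing `ntp trusted-key`.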

CrazyLittle
Sep 11, 2001
Clapping Larry

jwh posted:

12.4(15)T1 is really spotty. Can you try another IOS?

What do you recommend in the T line, since that's the only thing that supports HWIC-1FE or HWIC-2FE

jwh
Jun 12, 2002

CrazyLittle posted:

What do you recommend in the T line, since that's the only thing that supports HWIC-1FE or HWIC-2FE

I don't have any good recommendations in the T line. HWIC-xFE were first supported in 12.4(15)T I think, so you might not have many options.

12.4(15)T isn't bad per se, it just has a lot of new stuff that I'm not sure works 100% correctly all of the time.


CrazyLittle
Sep 11, 2001
Clapping Larry

jwh posted:

I don't have any good recommendations in the T line. HWIC-xFE were first supported in 12.4(15)T I think, so you might not have many options.

Yeah I figured we were stuck. We're doing cross-connected router meshes for failover using 3825s at one of our customer sites, so we need all the ethernet interfaces we can get.
