|
Girdle Wax posted:If DirecTV already has some, they're probably not Nexus since I don't think it's shipping yet, the other Cisco full rack routers would be the CRS-1 single chassis, and I think there's also a GSR (XR) that takes up a full bay.
|
#
?
Jan 29, 2008 06:37
|
|
|
|
| # ? May 14, 2024 11:07 |
|
|
Just noticed this one, the new Catalyst 4900M. 320-Gbps, 250 mpps. 4900M Data Sheet
|
|
#
?
Jan 30, 2008 20:19
|
|
|
M@ posted:Just noticed this one, the new Catalyst 4900M. 320-Gbps, 250 mpps. It's ugly as sin! And no Advanced IP Services image either, which is too bad. Although it only supports 256k hardware FIB entries anyhow. Looks like it's based on a Sup 6E. Man, I just can't get over how ugly it is. It's like a throwback to 1995 Bay Networks.
|
|
#
?
Jan 30, 2008 21:09
|
|
|
I'm currently tearing my hair out trying to get my company's Cisco 1811 router to play nicely with Verizon DSL through a Westell 6100 modem. The problem seems to be that this particular modem is actually a modem/router combination, and tries to do PPPoE and act as a DHCP server itself. I've seen some tutorials online about swithing the modem to bridge mode and then handling the PPPoE through the router, but unfortunately Verizon's firmware doesn't let me do this. The way I believe the network should be set up is as follows: 1. Modem does PPPoE, gets IP (xxx.xxx.xxx.xxx) from Verizon. Modem is accessible to router as 192.168.1.1. Modem acts as DHCP server to the router 2. Router requests IP from modem via DHCP, and is given 192.168.1.15 for example. This is configured as the FastEthernet0, outside interface within the router. The router acts as DHCP server to all computers connected to it. 3. VLan1 is the inside interface. VLan1 is accessible to other computers as 192.168.2.1. Other computers connect through VLan1, using DHCP getting IPs in the range 192.168.2.2 - 192.168.2.255. This seems sensible to me. However, when I try configuring it like that through Cisco's SDM, when it checks the configuration, it fails on the "Pinging destination host" step. I've tried making the FastEthernet0 interface have a static IP of 192.168.1.15, but this had the same result. Is my only option to somehow switch the firmware and disable DHCP/PPPoE on the modem, and then set it up on the router instead? Let me know if you want to see my running-config; I didn't paste it in because it's rather long and I'm not sure exactly what's relevant because I haven't done this before.
|
|
#
?
Jan 30, 2008 22:50
|
|
|
Ok sorry for being such a cisco noob, but I use the SDM to manage my 2811. I've noticed some Input Errors on my FastEthernet 0/0 interface. How do I find out what these errors are. All the graphical interface tells me is the number of them that have happened.
|
|
#
?
Jan 30, 2008 23:20
|
|
|
I've got a site-to-site vpn I'm working on, maybe somebody over there can shed some light on. I've run a "debug crypto isakmp 250" on both sites and get nothing back about this tunnel. Any ideas? Anybody? Site1: code:code:code:code:code:code:
|
|
#
?
Jan 31, 2008 00:26
|
|
|
GLUE posted:1. Modem does PPPoE, gets IP (xxx.xxx.xxx.xxx) from Verizon. Modem is accessible to router as 192.168.1.1. Modem acts as DHCP server to the router We have a very similar setup. Your basic configuration is going to be: code:
|
|
#
?
Jan 31, 2008 00:30
|
|
|
Hmm, I tried implementing your set up but to no avail. I'm confused about why you have FE0 as inside and VLAN1 as outside; it seems like it should be the other way to me? In any case, I didn't have much success either way. The only info I've been able to find online tells me to make the router handle the PPPoE, so maybe I'll just have to flash the firmware tomorrow and do that.
|
|
#
?
Jan 31, 2008 02:36
|
|
|
GLUE posted:Hmm, I tried implementing your set up but to no avail. I'm confused about why you have FE0 as inside and VLAN1 as outside; it seems like it should be the other way to me? In any case, I didn't have much success either way. Actually, come to think of it, you might not need that Vlan1 junk in there at all. Our router is setup with a little 4-port switch inside it. Try sticking all that onto Fe1 and adjusting the various lines. Note that I have Fe0 hooked up to your interior office switch, and Fe1 hooked up directly to your router/modem's LAN port.
|
|
#
?
Jan 31, 2008 05:02
|
|
|
If anyone in the Birmingham, AL area has a few extra hours Friday or Monday to test some equipment I purchased out there, let me know via PM or AIM. You should be able to turn on a few switches (one 6509-E and fifteen 3750s), ping test a few ports, sh vers, sh invs and all the good stuff I'd need to feel confident the equipment is working. I'd certainly compensate you for your time (I thinking a couple hundred+ depending on how long it takes; I don't forsee it taking more than a couple hours, really). I'd do it myself but I've got a new baby and Alabama's a two day trip 
|
|
#
?
Jan 31, 2008 05:55
|
|
|
I'm guessing I'm being an idiot, but I'm a total Cisco noob. I bought an Aironet 1231AG, and I'm trying to configure the local RADIUS server, in order to use WPA2 enterprise. The web control thing blows, and I've been trying to figure out the right way to write a config file, but it's not coming across simply to me, I guess. Any helpful guidance on where to start looking/reading?
|
|
#
?
Jan 31, 2008 06:42
|
|
|
Noghri_ViR posted:Ok sorry for being such a cisco noob, but I use the SDM to manage my 2811. I've noticed some Input Errors on my FastEthernet 0/0 interface. How do I find out what these errors are. All the graphical interface tells me is the number of them that have happened. You can ssh / telnet to the router with the same IP and log in. Once logged in, perform: 'sh int fa0/0' and you will get a breakdown on the interface and you can see if they are CRC, runts, etc. Paste that output and we can go from there.
|
|
#
?
Jan 31, 2008 14:53
|
|
|
drjay posted:I bought an Aironet 1231AG, and I'm trying to configure the local RADIUS server http://www.cisco.com/en/US/docs/wireless/access_point/12.3_8_JA/configuration/guide/s38local.html That might be worth a read.
|
|
#
?
Jan 31, 2008 19:11
|
|
|
ILikeVoltron posted:I've got a site-to-site vpn I'm working on, maybe somebody over there can shed some light on. I've run a "debug crypto isakmp 250" on both sites and get nothing back about this tunnel. Any ideas? Anybody? What kind of devices are on each side of this? I'm terrible with crypto-maps, but we could maybe try moving you to GRE/IPSec VPN and get you up and running. Or, somebody else who understands crypto-maps could maybe help out.
|
|
#
?
Jan 31, 2008 22:24
|
|
|
jwh posted:What kind of devices are on each side of this? It's a Cisco 5505 over in india and a 5520 here in the states. I'm not sure what a GRE/IPSec would offer over the one I'm using now though.
|
|
#
?
Jan 31, 2008 23:18
|
|
|
ILikeVoltron posted:It's a Cisco 5505 over in india and a 5520 here in the states. Oh, if they're ASA's I don't think you can do GRE/IPSec. Scratch that idea. I guess you're going to need a PIX/ASA person to weigh in on your crypto-maps.
|
|
#
?
Jan 31, 2008 23:20
|
|
|
I can do drat near any kind of site to site VPN with IOS aside from EZVPN. I got nuthin for the ASA though. My magic stare and compare skills find this command: crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map only on one device per the provided configs, though I have no idea if that's significant or not.
|
|
#
?
Jan 31, 2008 23:30
|
|
|
I keep tabs on NANOG when work gets slow and I heard from there and other places that the replacement cable for the Sicily-Egypt line that recently went down is going to be pushing 10Tbit/s. What the hell terminates that kind of line? Is it a cage full of 6513s? Even with the 720 sup you're looking at at least 15 units, and that's with all of them running at near capacity.
|
|
#
?
Feb 1, 2008 02:41
|
|
|
jwh posted:Oh, if they're ASA's I don't think you can do GRE/IPSec. Scratch that idea. I took a gander at the configuration in question and it seems right to me but I'm a skitch rusty. asaunit# show running Does that return any incomplete command warnings? If I make a mistake that's usually where it happens. asaunit# show crypto isakmp sa Anything on there either? I ran into a problem once where I set up a site to site VPN much like you're doing between a PIX running 6.3 and an ASA running something in the 7.x branch. The symptoms were similar to what you described here. And at the time my memory told me I didn't have to reboot either device for the tunnels to come up. But sure enough that's what did it, even though my configuration was perfect.
|
|
#
?
Feb 1, 2008 02:48
|
|
|
MrZodiac posted:going to be pushing 10Tbit/s. What the hell terminates that kind of line? Hopes, dreams and a little bit of magic. That's what.
|
|
#
?
Feb 1, 2008 02:56
|
|
|
MrZodiac posted:I keep tabs on NANOG when work gets slow and I heard from there and other places that the replacement cable for the Sicily-Egypt line that recently went down is going to be pushing 10Tbit/s. What the hell terminates that kind of line? Is it a cage full of 6513s? Even with the 720 sup you're looking at at least 15 units, and that's with all of them running at near capacity. The capacity is usually listed as TDM/SONET capacity, not all of that gets used for internet. You land it into DWDM equipment initially, which then splits the 'white' light on the undersea cable off into a the different lambdas/colors that make it up. Then depending on what kind of DWDM gear you use and what channel separation it provides, you can do either 10G or 40G over each lambda, I think Alcatel/Lucent has a box that does 128 lambdas @ 40G each for a total of 5.12Tb/s
|
|
#
?
Feb 1, 2008 03:06
|
|
|
MrZodiac posted:I took a gander at the configuration in question and it seems right to me but I'm a skitch rusty. 5505# show crypto isakmp sa There are no isakmp sas and on the 5520 we have a few working tunnels. edit: Also, there both running 7.2. One of them is 7.2(1) and one is 7.2(2) ILikeVoltron fucked around with this message at 18:20 on Feb 1, 2008 |
|
#
?
Feb 1, 2008 17:59
|
|
|
jbiel posted:You can ssh / telnet to the router with the same IP and log in. Ok got it: code:
|
|
#
?
Feb 1, 2008 19:41
|
|
|
Noghri_ViR posted:Ok got it: Whatever is coming inbound to that interface is where your errors are. I assume that terminates your WAN connection?
|
|
#
?
Feb 1, 2008 19:48
|
|
|
jbiel posted:Whatever is coming inbound to that interface is where your errors are. I assume that terminates your WAN connection? It's a POE switch. I've been guessing that's where the source of our problems are and I've been thinking about replacing it. So are you say this confirms my suspicion? /edit: oops I'm wrong. Actually the 0/1 is connected to the POE switch. This interface is connected to our fortigate 500a firewall and the fortigate does the routing between the 15.x network (the cisco 2811) and our 16.x and 245.x networks. Noghri_ViR fucked around with this message at 20:40 on Feb 1, 2008 |
|
#
?
Feb 1, 2008 20:36
|
|
|
code:
|
|
#
?
Feb 1, 2008 20:55
|
|
|
Noghri_ViR posted:
Step 1 : clear counters Step 2 : wait Step 3 : look again later Step 4 : if more errors, then something is bad; else drink beer.
|
|
#
?
Feb 1, 2008 23:11
|
|
|
My config has changed a bit on both sides, following some of the info I've found in the Cisco article @ http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a87f7.shtml#CLI seems to have pointed to stuff I'm not really sure about, such as this line nat (inside) 0 access-list inside_nat0_outbound Site1: code:code:code:code:code:code:code:code:code:ILikeVoltron fucked around with this message at 23:29 on Feb 1, 2008 |
|
#
?
Feb 1, 2008 23:17
|
|
|
Ninja Rope posted:
Like inignot said, without a clear counter on the interface you cannot effectively say this is nothing to worry about, as you cannot say when the errors started happening. Clear the counters, watch for an hour and post the results.
|
|
#
?
Feb 2, 2008 19:46
|
|
|
ILikeVoltron posted:My config has changed a bit on both sides, following some of the info I've found in the Cisco article @ http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a87f7.shtml#CLI seems to have pointed to stuff I'm not really sure about, such as this line Hi there Mr Voltron Lover. I have poked around a PIX or 2 over the years as a hack. I think we should be able to get you up on the crypto maps. The first thing I was going to mention was NAT exclusion for the subnets in question. NAT is processed before IPSEC on a PIX so if you don't exclude the traffic it goes over the tunnel (or misfires entirely and goes out on the internet)with the public IP address NAT/PAT is using. Looks like that is what's happening with your ping. I don't see a NAT0 on the second device. NAT 0 means 'don't nat' essentially. The GUI/wizard should cover this these days pretty well if you get stuck. Hope this helps! Herv fucked around with this message at 14:42 on Feb 3, 2008 |
|
#
?
Feb 3, 2008 14:39
|
|
|
I have a HWIC-4ESW inside an ISR running 12.4(8), and we noticed today that it's taken a high number of input-queue drops. Now, from what I understand, the input queue isn't exactly a queue, and 'input queue drops' only occur when a process can't handle something, Thing is, it looks like everything shows up as being process-switched on these cards, because they're not regular routed interfaces: code:
|
|
#
?
Feb 4, 2008 21:03
|
|
|
I need some help getting VPN to pass through a 2600 series router. I've done work on Cisco equipment but it's been several years and I never really dealt with routers much. Here's the nitty-gritty: Cisco 2691 IOS Version 12.4(18) Trying to get Microsoft VPN software (pptp) to pass through the device. I've read that we need to enable GRE pass through, which I found a note about on Cisco's website, but of course there's no mention of the commands that do this. Right now the client gets an error 721 "Remote PPP peer is not responding". Any advice would be great. Edit: Fixed a typo in the first line. If you need anymore config information I'd be more than happy to provide it. I'm not sure what would be applicable in this situation. The traffic is going out a multilink connection on the router. LoKout fucked around with this message at 22:24 on Feb 4, 2008 |
|
#
?
Feb 4, 2008 21:09
|
|
|
This isn't a cisco specific question, but I figure anyone who could answer a cisco question could probably help with this. I have been doing small business network administration work for a long time, I feel I am pretty competent at the stuff - set up plenty of VPNs, database servers, terminal services and clients, etc... but I have never worked in a large office environment. I got asked to set up a quote for a MS SBS 2003 server for a small 5 user business running out of a large office building recently, and quickly accepted. I got put in contact with the IT firm doing the work for the infrastructure for the building, however, and am quickly feeling out of my league. I told them basically what I wanted to do - install a SBS server for the people in this office, and get an external IP or two for remote access / exchange stuff. So, they come back to me and let me know that they advise to put my server in a DMZ, and VLAN off the ports on the switch in the office which will be running my workstations. That's great and makes sense, but I am feeling a little nervous and do not want to make a misstep or look like a loving idiot from a best practices standpoint. How, in this situation (I am assuming their office is set up internet->firewall->dmz->firewall->trusted network), would my SBS provide active directory services for my workstations in the trusted VLAN? I mean, ideally in a larger type setup, you would have another active directory server inside the trusted network and set up replication / trusts that way, but I am not going to suggest buying two servers for something small and simple like this. Is it implied / assumed that my SBS will be multihomed, and provide the firewalling / gatewaying for my VLAN? I really just don't know how things work in more serious settings like this.  help someone hold my handddddd
|
|
#
?
Feb 5, 2008 16:38
|
|
|
mindphlux posted:This isn't a cisco specific question, but I figure anyone who could answer a cisco question could probably help with this. Basically, they are isolating you from the rest of the network in the building. I assume what they have is (internet)>router/firewall>(multiple dmz interfaces) Each DMZ interface being offices that need their own special network connectivity. What they will do is configure all the ports you equipment will plug into inside its very own VLAN and drop you and uplink into one of those DMZ zones they have carved out. Depening on how they want to handle internet access back and forth, you could be potentially setting up some sort of proxy access for the devices on your network via ISA server.
|
|
#
?
Feb 5, 2008 17:04
|
|
|
jbiel posted:Basically, they are isolating you from the rest of the network in the building. So my entire VLAN will effectively be a DMZ, and just ports forwarded from the public internet ip to my server? I guess for some reason I had it stuck in my head that the DMZ would be like a servers only place, and then my workstations VLAN would be on a different subnet, firewalled off. I don't know why this was stuck in my head.
|
|
#
?
Feb 5, 2008 20:21
|
|
|
mindphlux posted:So my entire VLAN will effectively be a DMZ? I guess for some reason I had it stuck in my head that the DMZ would be like a servers only place, and then my workstations VLAN would be on a different subnet, firewalled off. I don't know why this was stuck in my head. That could still be the case based on what I'm reading. You should really ask them for clarification as to what they're proposing.
|
|
#
?
Feb 5, 2008 20:22
|
|
|
jwh posted:That could still be the case based on what I'm reading. You should really ask them for clarification as to what they're proposing. agg, yeah, and I will - I just don't wanna seem completely ignorant, and am not sure if it's that they haven't given me enough information, or if I am just missing something. ohwell, I will e-mail them in a bit.
|
|
#
?
Feb 5, 2008 20:24
|
|
|
Ask for a Visio, or make one yourself and send it over for modifications. Without seeing the forest from the trees you are in for a rough ride. Hope this helps.
|
|
#
?
Feb 5, 2008 20:25
|
|
|
I've been advised that I need to get a Cisco 2620 to handle the Ethernet Handoff from our ISP. It looks like Cisco 2620's offer only a LAN port and a Wan Interface Card is needed to offer a WAN connection. But there looks to be a shitload of different kinds. What kind of WIC do I need?
|
|
#
?
Feb 5, 2008 20:56
|
|
|
|
| # ? May 14, 2024 11:07 |
|
|
mindphlux posted:So my entire VLAN will effectively be a DMZ, and just ports forwarded from the public internet ip to my server? I guess for some reason I had it stuck in my head that the DMZ would be like a servers only place, and then my workstations VLAN would be on a different subnet, firewalled off. I don't know why this was stuck in my head. You are essentially firewall'd off, twice. Once by them and once by your ISA server. They are going to route all traffic for the IP(s) they give you to your ISA server, which will then proxy your connections back inbound to your workstations / servers. Depending what you want to run, you can NAT most of it so that only 1 VLAN is needed, but if you really really want public IPs on boxes in a DMZ, request 3. VLAN002 - Connection between them and your outside ISA interface VLAN003 - Your DMZ hand off from ISA server VLAN004 - Your inside (trusted) network. That would require one more NIC in your server for a dedicated DMZ and inside zones.
|
|
#
?
Feb 5, 2008 21:02
|
|