H110Hawk
Dec 28, 2006

M@ posted:

Edit: After loading 12.2.18 (I think) onto our Regular SUP we now see a "Supervisor Engine" in slot 5, but it's still saying unknown for the MAC. Trying a new IOS now :suicide:

That was going to be my suggestion. We're running: (s72033_rp-IPSERVICESK9-M) Version 12.2(18)SXF10

Again, we don't have that fancy pants sup. Honestly I doubt I could tell you anything you don't already know. I mainly wanted you to send it to me so it could get "lost in the mail." ;)

If you want, I can IM you with our CCIE contractor's contact information. He charges 1.5 arms, but no legs, and can almost certainly make the both of us feel like idiots for not getting it booting.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

M@ posted:

There is no output :(

We threw a regular SUP720 in slot 6 and at first it didn't see anything in slot 5. Now it's seeing something in slot 5, but it's still showing Unknown.

I may throw this chassis in the back of my car and come up for a visit if we can't get this thing going soon!

Edit: After loading 12.2.18 (I think) onto our Regular SUP we now see a "Supervisor Engine" in slot 5, but it's still saying unknown for the MAC. Trying a new IOS now :suicide:

VS-S720-10G-3C you have to run 12.2.18SXH or SXH1. SXF doesn't have support for the HW (that I can see). Since the other CCIE was going to get 1.5 arms, can I get just a finger? (goon discount)

Make sure you pick CAT6000-VS-S720-10G/MSFC3 as the HW on the IOS upgrade planner.

M@
Jul 10, 2004

Tremblay posted:

VS-S720-10G-3C you have to run 12.2.18SXH or SXH1. SXF doesn't have support for the HW (that I can see). Since the other CCIE was going to get 1.5 arms, can I get just a finger? (goon discount)

Make sure you pick CAT6000-VS-S720-10G/MSFC3 as the HW on the IOS upgrade planner.

Well, the issue really is that the card won't even light up. We've tried it in our 6509-E and 6509 so far and no dice.

And, yes, I'll give you a finger if you get it working.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

M@ posted:

Well, the issue really is that the card won't even light up. We've tried it in our 6509-E and 6509 so far and no dice.

And, yes, I'll give you a finger if you get it working.

Are you sure the HW is good? No rommon output + the hot SUP not being able to discover the card's MAC leads me to believe it's toast.

Sorry, when you guys were talking code I thought you were talking about the 10GE not the vanilla 720.

M@
Jul 10, 2004

Tremblay posted:

Are you sure the HW is good? No rommon output + the hot SUP not being able to discover the card's MAC leads me to believe it's toast.

Sorry, when you guys were talking code I thought you were talking about the 10GE not the vanilla 720.

That was my thought as well. The only other thing I can possibly think of is that it doesn't have enough power. Cisco says minimum required is 1 2500W, but I read something on their site about 4000W that now I cannot find. Fairly sure the card is toast. Going home to drink now.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

M@ posted:

That was my thought as well. The only other thing I can possibly think of is that it doesn't have enough power. Cisco says minimum required is 1 2500W, but I read something on their site about 4000W that now I cannot find. Fairly sure the card is toast. Going home to drink now.

2500W should be fine. A redundant pair would suck down ~826 Watts.

Happy drinking.

M@
Jul 10, 2004

M@ posted:

That was my thought as well. The only other thing I can possibly think of is that it doesn't have enough power. Cisco says minimum required is 1 2500W, but I read something on their site about 4000W that now I cannot find. Fairly sure the card is toast. Going home to drink now.

So, uh, this should probably go without saying, but re-seating the daughter boards should always be your first move when you think something is bad. :crossarms:

jwh
Jun 12, 2002

It's nice to be back; my account was locked out for a while.

I'm looking for suggestions on how to conditionally advertise a default with eBGP. I have a situation where my default is being learned on my edge and carried into my core via OSPF, where it then bumps up against a number of WAN routers. The WAN routers will then announce this default into eBGP (it's L3VPN MPLS).

Problem is, if I lose this default, it's re-learned via the WAN, redistributed into OSPF, and then advertised right back out via eBGP. To make matters worse, I can't solve the problem by tagging the route when it moves from BGP (WAN) to OSPF (core), because BGP doesn't support 'match tag' or 'match external' or 'match metric' in route-maps when applied in the out direction.

About the only solution I've been able to piece together is to turn up BGP in the core to carry the default and customer prefixes, which would then allow me to effectively use communities. This is not only a lot of work, but there's a number of firewalls in between the core and WAN routers that I don't want to have to think about turning up BGP on.

I'm kind of scratching my head here, because there has to be a way to match some kind of attribute as the prefix comes into the BGP RIB from OSPF, and then use that information to suppress the advertisement via eBGP, but if there is, I can't find it. It doesn't help that it's 0.0.0.0/0 either, since I seem to be running into a bunch of 'special handling' caveats.

edit: I just solved it, but it's gross:

quote:

(EDGE)
router ospf 1
default-information originate metric-type 1 route-map set-tag-999

route-map set-tag-999 permit 5
set tag 999

(WAN)
router bgp 65531
network 0.0.0.0 mask 0.0.0.0 route-map set-comm

route-map set-comm permit 5
match tag 999
set community no-advertise
!
route-map set-comm permit 10
set community internet
That's enough to make me feel nauseous.

jwh fucked around with this message at 22:15 on Mar 18, 2008

permanoob
Sep 28, 2004

Yeah it's a lot like that.
Basic and simple PIX question, I'm just pretty new to this.

I currently have traffic passing through the firewall with no control other than a basic "Ok you can browse the internet" setup. I need to define more direction to the servers I have on the inside. What I could use is some help in understanding the nat to global translation. Let's say I have 4 interfaces on the inside of the firewall and I have a pool of 4 IP's on the outside. How do I go about setting this up?

Do I need to set a NAT id for each internal interface and then assign a global line to each NAT id? Is it that easy or am I missing something?

Current nat and global setup example is:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

global (outside) 1 204.228.142.236-204.228.142.238
global (outside) 1 204.228.142.235

Not sure that the second line in the global there is even necessary. Anyway, any help on this would be excellent. Thanks.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

permanoob posted:

Basic and simple PIX question, I'm just pretty new to this.

I currently have traffic passing through the firewall with no control other than a basic "Ok you can browse the internet" setup. I need to define more direction to the servers I have on the inside. What I could use is some help in understanding the nat to global translation. Let's say I have 4 interfaces on the inside of the firewall and I have a pool of 4 IP's on the outside. How do I go about setting this up?

Do I need to set a NAT id for each internal interface and then assign a global line to each NAT id? Is it that easy or am I missing something?

Current nat and global setup example is:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

global (outside) 1 204.228.142.236-204.228.142.238
global (outside) 1 204.228.142.235

Not sure that the second line in the global there is even necessary. Anyway, any help on this would be excellent. Thanks.

NAT+Global statements are for dynamic NAT/PAT. They cannot be used to allow a host from a lower sec level to a higher sec level. What you need are static NATs/PATs.

For instance, if your interfaces were called Outside and Inside, you have a webserver at 192.168.1.50 that you want to be accessible via the internet, and the public IP you want to use is 1.1.1.1, you would do the following:


static (inside,outside) tcp 1.1.1.1 80 192.168.1.50 80

to map just port 80 from the internal IP to the external one. Alternatively you could do this:

static (inside,outside) 1.1.1.1 192.168.1.50

which would map all ports and IP-carried protocols. Make sure you add a permit to your outside access-list to permit hosts to hit the external IP.

More here:

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/mngacl.html#wp1069973

permanoob
Sep 28, 2004

Yeah it's a lot like that.
Alright, I see what you're saying with static routes to pass port specific types of traffic from the outside ip to an inside ip.

Can PIX support having port 80 traffic from outside 1.1.1.1 route to inside 192.168.1.50 and have port 80 traffic from outside 1.1.1.4 route to inside 192.168.1.52?

Let's say I have two web servers running behind the firewall. Internally they're 192.168.1.50 and 192.168.1.51. My current outside interface on the firewall is 1.1.1.1. I want 1.50 and 1.51 accessible from the outside with different IP's. Say 1.1.1.1 for 1.50 and 1.1.1.2 for 1.51.

permanoob fucked around with this message at 23:15 on Mar 19, 2008

inignot
Sep 1, 2003

WWBCD?

jwh posted:

I'm looking for suggestions on how to conditionally advertise a default with eBGP.

I don't have my head fully around what you're attempting to accomplish, but you might want to look into BGP conditional advertisements.

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094309.shtml

There's also a BGP default originate command that works a little differently than using a network statement.

http://www.cisco.com/en/US/docs/ios/12_2/iproute/command/reference/1rfbgp1.html#wp1152583

inignot fucked around with this message at 23:10 on Mar 19, 2008

Tremblay
Oct 8, 2002
More dog whistles than a Petco

permanoob posted:

Alright, I see what you're saying with static routes to pass port specific types of traffic from the outside ip to an inside ip.

Can PIX support having port 80 traffic from outside 1.1.1.1 route to inside 192.168.1.50 and have port 80 traffic from outside 1.1.1.4 route to inside 192.168.1.52?

Let's say I have two web servers running behind the firewall. Internally they're 192.168.1.50 and 192.168.1.51. My current outside interface on the firewall is 1.1.1.1. I want 1.50 and 1.51 accessible from the outside with different IP's. Say 1.1.1.1 for 1.50 and 1.1.1.2 for 1.51.

Yup it can, check out that link I posted. Also those commands are static PAT and static NAT respectively. They are not routes.

permanoob
Sep 28, 2004

Yeah it's a lot like that.

Tremblay posted:

Yup it can, check out that link I posted. Also those commands are static PAT and static NAT respectively. They are not routes.

Awesome. I see exactly what you mean. I'll work it out from here. Thanks a ton.

Herv
Mar 24, 2005

Soiled Meat

permanoob posted:

Awesome. I see exactly what you mean. I'll work it out from here. Thanks a ton.

The conduit command at least sounded more reasonable. I am opening a conduit to this host.

Ahh well, it's all good in the hood.

jwh
Jun 12, 2002

inignot posted:

I don't have my head fully around what you're attempting to accomplish, but you might want to look into BGP conditional advertisements.

I originally looked at conditional advertisements, but they only seem to allow you to announce a prefix in the absence of another prefix in the FIB. I.e., when 1.2.3.0/24 does not exist in the FIB, advertise 4.5.6.0/24.

My problem here is that 0.0.0.0/0 never leaves the FIB, and can't then be used to trigger a conditional advertisement. I wasn't able to find any sort of conditional withdraw (i.e., prefix A does not exist in FIB, therefore do not advertise prefix B).

Truth is, I shouldn't be taking the 0.0.0.0/0 prefix out of BGP in the first place.

permanoob
Sep 28, 2004

Yeah it's a lot like that.

Herv posted:

The conduit command at least sounded more reasonable. I am opening a conduit to this host.

Ahh well, it's all good in the hood.

Looking at the usage of conduit, it looks to do a static route and routes specific traffic..? Never mind, I'll just crack my book here.

Edit: That's what I thought. It's what access-group and access-list replaced.

permanoob fucked around with this message at 06:50 on Mar 21, 2008

Spazz
Nov 17, 2005

I'm trying to get a 2600 router working with Comcast and I'm having trouble. I've gotten this far and from the router in CLI I can ping to anywhere and NAT is working fine, only I can't get it to route. When I release/renew I can ping the router, but I can't get NAT to work or get any external configurations.

Any help is appreciated. Here's the output from sh run

quote:

!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname gateway
!
boot-start-marker
boot-end-marker
!
enable secret 5 <snip>
enable password 7 <snip>
!
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.1.1 192.168.1.99
!
ip dhcp pool home
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 68.87.64.146 68.87.75.194
lease 7
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 10
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
description Connected to Comcast
ip address dhcp
no ip unreachables
no ip proxy-arp
ip nat outside
full-duplex
!
interface Serial0/0
no ip address
shutdown
!
interface Serial0/1
no ip address
shutdown
!
interface Ethernet1/0
description Connected to LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
no ip route-cache
full-duplex
!
router rip
version 2
passive-interface Ethernet1/0
network 192.168.1.0
no auto-summary
!
ip nat inside source list 1 interface Ethernet0/0 overload
no ip http server
no ip http secure-server
ip classless
!
!
access-list 1 permit 192.168.0.0 0.0.0.255
!
snmp-server community public RO
snmp-server enable traps tty
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
transport input ssh
!
ntp server 192.168.1.106
!
!
end

H110Hawk
Dec 28, 2006

Spazz posted:

I can't get it to route.

It looks like you're missing something along the lines of a route statement!

ip route 0.0.0.0 0.0.0.0 dhcp

CrazyLittle
Sep 11, 2001
Clapping Larry

Spazz posted:

I'm trying to get a 2600 router working with Comcast and I'm having trouble. I've gotten this far and from the router in CLI I can ping to anywhere and NAT is working fine, only I can't get it to route. When I release/renew I can ping the router, but I can't get NAT to work or get any external configurations.

Any help is appreciated. Here's the output from sh run


There's no default route, and your ACL is wrong:


interface Ethernet1/0
description Connected to LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
no ip route-cache
full-duplex

ip nat inside source list 1 interface Ethernet0/0 overload

access-list 1 permit 192.168.0.0 0.0.0.255
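The mismatch pointed out above comes down to how a standard IOS ACL's wildcard mask is evaluated: `192.168.0.0 0.0.0.255` only covers 192.168.0.x, so nothing from 192.168.1.0/24 matches list 1 and nothing gets translated. This added example (not from the thread) is a small parser and matcher for that ACL syntax; the hosts it checks are constructed.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def parse_standard_acl(lines):
    """Parse IOS standard ACL lines of the form
    'access-list <n> permit|deny <addr> [wildcard]' / '... host <addr>' / '... any'.
    Returns (action, network, wildcard) tuples as integers.
    """
    entries = []
    for line in lines:
        f = line.split()
        if len(f) < 4 or f[0] != "access-list" or f[2] not in ("permit", "deny"):
            raise ValueError("unsupported ACL line: " + line)
        action, addr = f[2], f[3]
        if addr == "any":
            net, wild = 0, ALL_ONES                # every bit is "don't care"
        elif addr == "host":
            net, wild = int(ipaddress.IPv4Address(f[4])), 0
        else:
            net = int(ipaddress.IPv4Address(addr))
            # an omitted wildcard means 0.0.0.0, i.e. a single host
            wild = int(ipaddress.IPv4Address(f[4])) if len(f) > 4 else 0
        entries.append((action, net, wild))
    return entries


def acl_matches(acl, src):
    """Evaluate a source address top-down; first match wins, implicit deny at the end."""
    s = int(ipaddress.IPv4Address(src))
    for action, net, wild in acl:
        care = ~wild & ALL_ONES               # wildcard bit 0 = must match exactly
        if (s & care) == (net & care):
            return action == "permit"
    return False


def nat_candidates(acl, hosts):
    """Hosts that 'ip nat inside source list 1 ...' would actually translate."""
    return [h for h in hosts if acl_matches(acl, h)]


# The list as originally posted, and the corrected one from the later config.
WRONG = parse_standard_acl(["access-list 1 permit 192.168.0.0 0.0.0.255"])
RIGHT = parse_standard_acl(["access-list 1 permit 192.168.1.0 0.0.0.255"])

# Constructed LAN hosts, matching the 192.168.1.0/24 DHCP pool in the config.
LAN_HOSTS = ["192.168.1.50", "192.168.1.106", "192.168.1.200"]

if __name__ == "__main__":
    print("translated with the posted ACL:   ", nat_candidates(WRONG, LAN_HOSTS))
    print("translated with the corrected ACL:", nat_candidates(RIGHT, LAN_HOSTS))
```

A LAN host that fails the list is forwarded with its private source address untouched, which the upstream provider then drops, so the symptom is exactly "router can ping, clients cannot".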

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue
You have no default route configured, unless you omitted it from your config.

ip route 0.0.0.0 0.0.0.0 interface Ethernet0/0 name DEFAULT

Spazz
Nov 17, 2005

I had my default route on before, but then I took it off because once I did that I couldn't even get a ping to work in EXEC. Here's my running config now. I've also fixed the ACL.

quote:

gateway#sh run
Building configuration...

Current configuration : 2730 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname gateway
!
boot-start-marker
boot-end-marker
!
enable secret 5 <snip>
enable password 7 <snip>
!
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.1.1 192.168.1.99
!
ip dhcp pool home
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 68.87.64.146 68.87.75.194
lease 7
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 10
ip ssh source-interface Ethernet0/0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
description Connected to Comcast
ip address dhcp
no ip unreachables
no ip proxy-arp
ip nat outside
full-duplex
!
interface Serial0/0
no ip address
shutdown
!
interface Serial0/1
no ip address
shutdown
!
interface Ethernet1/0
description Connected to LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
no ip route-cache
full-duplex
!
ip nat inside source list 1 interface Ethernet0/0 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0/0 name DEFAULT
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
snmp-server community public RO
snmp-server enable traps tty
!
!
!
!
banner motd <snip>
!
line con 0
line aux 0
line vty 0 4
login
transport input ssh
!
ntp server 192.168.1.106
!
!
end

jwh
Jun 12, 2002

Spazz posted:

ip route 0.0.0.0 0.0.0.0 Ethernet0/0 name DEFAULT

I believe this will cause the router to arp for every non-local destination, and will require something else to be running proxy-arp (i.e., cable CMTS) to function correctly. In other words, bad news.

You shouldn't need a static default in your running configuration. Applying 'ip address dhcp' on an interface will cause IOS to inject a default with a high administrative distance (254?) into the routing table based on information received in the DHCP lease.

Your biggest problem before was acl 1 being wrong; now that you've corrected that, what's working / not working?

Spazz
Nov 17, 2005

jwh posted:

I believe this will cause the router to arp for every non-local destination, and will require something else to be running proxy-arp (i.e., cable CMTS) to function correctly. In other words, bad news.

You shouldn't need a static default in your running configuration. Applying 'ip address dhcp' on an interface will cause IOS to inject a default with a high administrative distance (254?) into the routing table based on information received in the DHCP lease.

Your biggest problem before was acl 1 being wrong; now that you've corrected that, what's working / not working?

I did a complete reload for good measure, and now I can ping from the router but I can't ping from my internal network. Here's my sh ver also.

quote:

gateway#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(5a), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 25-Nov-03 06:00 by kellythw
Image text-base: 0x80008098, data-base: 0x819E4F8C

ROM: System Bootstrap, Version 12.2(6r), RELEASE SOFTWARE (fc1)

gateway uptime is 5 minutes
System returned to ROM by reload at 02:36:34 UTC Mon Mar 1 1993
System image file is "flash:c2600-ik9o3s3-mz.123-5a.bin"

cisco 2610 (MPC860) processor (revision 0x00) with 61440K/4096K bytes of memory.
Processor board ID JAD06240MXV (1145788371)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
2 Ethernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102
Here's a diagram to explain better though:

So for example, I can't ping outside on my Catalyst 3550, or on my many items connected directly to it.

Edit: Now after a few minutes of running I can't ping.

quote:

gateway#ping google.com
Translating "google.com"...domain server (68.87.64.146) (68.87.75.194)
% Unrecognized host or address, or protocol not running.

jwh
Jun 12, 2002

When you try and ping from an inside machine to the internet, do you see the NAT translation being built on the router?

Use 'show ip nat trans'

Also, a 'sh ip ro' and 'show int e0/0' would be helpful.

Spazz
Nov 17, 2005

jwh posted:

When you try and ping from an inside machine to the internet, do you see the NAT translation being built on the router?

Use 'show ip nat trans'

Also, a 'sh ip ro' and 'show int e0/0' would be helpful.

Yeah, I see a lot being built, but it doesn't seem to be going anywhere. All that's being built are most likely NTP updates.

Here's sh ip ro
code:
gateway#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 68.81.106.1 to network 0.0.0.0

     68.0.0.0/24 is subnetted, 1 subnets
C       68.81.106.0 is directly connected, Ethernet0/0
C    192.168.1.0/24 is directly connected, Ethernet1/0
S*   0.0.0.0/0 [254/0] via 68.81.106.1
code:
gateway#sh int e0/0
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is 0009.e8e5.8b60 (bia 0009.e8e5.8b60)
  Description: Connected to Comcast
  Internet address is 68.81.106.151/24
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:10:14, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/482/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 13000 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     46792 packets input, 30388750 bytes, 0 no buffer
     Received 27459 broadcasts, 0 runts, 0 giants, 0 throttles
     2699 input errors, 2405 CRC, 1163 frame, 0 overrun, 294 ignored
     0 input packets with dribble condition detected
     19154 packets output, 1424085 bytes, 0 underruns
     93 output errors, 0 collisions, 5 interface resets
     0 babbles, 0 late collision, 0 deferred
     93 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

Spazz posted:

code:
     2699 input errors, 2405 CRC, 1163 frame, 0 overrun, 294 ignored
     0 input packets with dribble condition detected
     19154 packets output, 1424085 bytes, 0 underruns
     93 output errors, 0 collisions, 5 interface resets

Wow! You just reloaded that router not too long ago right?

Check your cabling.

nerdz
Oct 12, 2004
Complex, statistically improbable things are by their nature more difficult to explain than simple, statistically probable things.
Grimey Drawer
Any VoIP goons around?

Dudes, I want to use a NM-HDV-1E1 module on a Cisco 3745 with IOS 12.4(7) for call hairpinning purposes (a cisco AS5300 router will be connected on the E1 controller so the 3745 can share its resources). The thing is, as I can see with a "show voice call status", call hairpinning uses no dsps:

code:
CallID     CID  ccVdb      Port      DSP/Ch  Called #   Codec    Dial-peers
0xB173B    112A 0x83E2D9AC 1/0:15.3  No dsp  91860974   None     70010/70011
0xB173C    112A 0x841744B8 1/1:15.29 No dsp *91860974   None     70011/70010
Since I will be using this module strictly for call hairpinning, is there a way to allocate all 31 timeslots on the E1 controller without assigning dsps? It's rather wasteful to be forced to buy pvdms just so I can assign dsps that will never be used.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

jwh posted:

I believe this will cause the router to arp for every non-local destination, and will require something else to be running proxy-arp (i.e., cable CMTS) to function correctly. In other words, bad news.

You shouldn't need a static default in your running configuration. Applying 'ip address dhcp' on an interface will cause IOS to inject a default with a high administrative distance (254?) into the routing table based on information received in the DHCP lease.

correct and correct.

We ask people that arp question in interviews. It's depressing how few figure it out.

permanoob
Sep 28, 2004

Yeah it's a lot like that.
Another quick question on this PIX. I'm trying to configure static routes between 5 IP's and 5 interfaces, with certain services/ports being allowed into each. I'm not able to access any of these services through the firewall currently. Here's my ACL config, I just can't seem to nail this down.

quote:

name 192.168.1.2 psdc
name 192.168.1.3 psapps
name 192.168.1.4 test1
name 192.168.1.5 test2
access-list isp2dc permit tcp any host psdc eq ftp
access-list isp2dc permit tcp any host psdc eq 1433
access-list isp2dc permit udp any host psdc eq 1434
access-list isp2apps permit tcp any host psapps eq www
access-list isp2test permit tcp any host test1 eq ftp
access-list isp2test permit tcp any host test1 eq 1433
access-list isp2test permit udp any host test1 eq 1434
access-list isp2test permit tcp any host test1 eq www
access-list isp2test permit tcp any host test2 eq ftp
access-list isp2test permit tcp any host test2 eq 1433
access-list isp2test permit udp any host test2 eq 1434
access-list isp2test permit tcp any host test2 eq www

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

permanoob posted:

Another quick question on this PIX. I'm trying to configure static routes between 5 IP's and 5 interfaces, with certain services/ports being allowed into each. I'm not able to access any of these services through the firewall currently. Here's my ACL config, I just can't seem to nail this down.


You are going to need to provide more of the config than those ACLs if you are trying to do any sort of routing in the PIX.

permanoob
Sep 28, 2004

Yeah it's a lot like that.
Yeah, I know the device doesn't route. Yeah, I used the word routes.

quote:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
names
name 192.168.1.2 psdc
name 192.168.1.3 psapps
name 192.168.1.4 test1
name 192.168.1.5 test2
access-list 101 permit tcp any host psdc eq ftp
access-list 101 permit tcp any host psdc eq 1433
access-list 101 permit udp any host psdc eq 1434
access-list 101 permit tcp any host psapps eq www
access-list 101 permit tcp any host test1 eq ftp
access-list 101 permit tcp any host test1 eq 1433
access-list 101 permit udp any host test1 eq 1434
access-list 101 permit tcp any host test1 eq www
access-list 101 permit tcp any host test2 eq ftp
access-list 101 permit tcp any host test2 eq 1433
access-list 101 permit udp any host test2 eq 1434
access-list 101 permit tcp any host test2 eq www
access-list acl_out permit ip any any
access-list inside_outbound_nat0_acl permit ip any 192.168.1.0 255.255.255.0
ip address outside 204.228.142.234 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) 204.228.142.235 psdc netmask 255.255.255.255 0 0
static (inside,outside) 204.228.142.236 psapps netmask 255.255.255.255 0 0
static (inside,outside) 204.228.142.237 test1 netmask 255.255.255.255 0 0
static (inside,outside) 204.228.142.238 test2 netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group acl_out in interface inside
Trimmed it up a little. The static nat I have setup seems to be working. I've checked from each server and they're reporting to have the global IP I've assigned to each. The problem just seems to lie in my acls.

permanoob fucked around with this message at 23:06 on Mar 25, 2008

Spazz
Nov 17, 2005

jbiel posted:

Wow! You just reloaded that router not too long ago right?

Check your cabling.

Well poo poo! It was the drat cable. Everything is working fine like a breeze now guys. Thanks again goons!

Tremblay
Oct 8, 2002
More dog whistles than a Petco

permanoob posted:

Yeah, I know the device doesn't route. Yeah, I used the word routes.

Trimmed it up a little. The static nat I have setup seems to be working. I've checked from each server and they're reporting to have the global IP I've assigned to each. The problem just seems to lie in my acls.

You are permitting access to private IP addresses on the outside interface.

access-list 101 permit tcp any host psdc eq ftp
access-list 101 permit tcp any host psdc eq 1433
access-list 101 permit udp any host psdc eq 1434
static (inside,outside) 204.228.142.235 psdc netmask 255.255.255.255 0 0

You need to be doing this:

access-list 101 permit tcp any host 204.228.142.235 eq ftp
access-list 101 permit tcp any host 204.228.142.235 eq 1433
access-list 101 permit udp any host 204.228.142.235 eq 1434

static (inside,outside) 204.228.142.235 psdc netmask 255.255.255.255 0 0


Remember where you are assigning the ACL and what direction it's applied in :).

Tremblay fucked around with this message at 01:58 on Mar 26, 2008
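The point in the reply above is an ordering one: on PIX 6.3 the ACL bound to the outside interface is evaluated against the packet as it arrives, with the global (public) destination address, and only afterwards does the static translate it to the inside host. This added example (not from the thread or from Cisco) models that order in Python using the name, static and access-list lines posted above, so you can see why the private-address ACL never matches.

```python
# Constructed model of PIX 6.3 inbound processing on the outside interface:
# interface ACL first (packet still carries the global destination), then the
# static translation to the inside host.

# 'name' aliases from the posted config (private addresses only)
NAMES = {"psdc": "192.168.1.2", "psapps": "192.168.1.3"}

# static (inside,outside) <global> <local>: public address -> inside host
STATICS = {"204.228.142.235": "psdc", "204.228.142.236": "psapps"}

# service keywords used in the ACL lines
PORTS = {"ftp": 21, "www": 80}


def resolve(host):
    """Expand a PIX 'name' alias to its address; literal addresses pass through."""
    return NAMES.get(host, host)


def parse_acl(lines):
    """Parse 'access-list <id> permit|deny <proto> any host <dst> eq <port>' lines."""
    entries = []
    for line in lines:
        f = line.split()
        if len(f) != 9 or f[0] != "access-list" or f[4] != "any" or f[5] != "host":
            raise ValueError("unsupported ACL syntax: " + line)
        action, proto, dst, svc = f[2], f[3], f[6], f[8]
        entries.append((action, proto, resolve(dst), int(PORTS.get(svc, svc))))
    return entries


def inbound_allowed(acl, proto, dst_ip, dst_port):
    """First matching entry wins; every PIX ACL ends with an implicit deny."""
    for action, p, ip, port in acl:
        if p == proto and ip == dst_ip and port == dst_port:
            return action == "permit"
    return False


def process_inbound(acl, proto, dst_ip, dst_port):
    """Return the inside host an outside->inside packet reaches, or None if dropped.

    dst_ip is the public address the packet was sent to: the ACL check runs
    before the static rewrites it.
    """
    if not inbound_allowed(acl, proto, dst_ip, dst_port):
        return None                 # dropped by 'access-group 101 in interface outside'
    local = STATICS.get(dst_ip)
    if local is None:
        return None                 # no static for that global address
    return resolve(local)


# ACL as first posted: names the private host, which the outside interface
# never sees as a destination.
WRONG_ACL = parse_acl([
    "access-list 101 permit tcp any host psdc eq ftp",
    "access-list 101 permit tcp any host psdc eq 1433",
    "access-list 101 permit udp any host psdc eq 1434",
])

# Corrected ACL from the reply: names the global address of the static.
RIGHT_ACL = parse_acl([
    "access-list 101 permit tcp any host 204.228.142.235 eq ftp",
    "access-list 101 permit tcp any host 204.228.142.235 eq 1433",
    "access-list 101 permit udp any host 204.228.142.235 eq 1434",
])

if __name__ == "__main__":
    for label, acl in (("private-address ACL", WRONG_ACL), ("global-address ACL", RIGHT_ACL)):
        reached = process_inbound(acl, "tcp", "204.228.142.235", 21)
        print(f"{label}: FTP to 204.228.142.235 -> {reached or 'dropped'}")
```

Note that this is version-specific: from ASA 8.3 onward the interface ACL is evaluated against the real (untranslated) inside address, so the posted form would be the correct one there.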

permanoob
Sep 28, 2004

Yeah it's a lot like that.

Tremblay posted:

You need to be doing this:

access-list 101 permit tcp any host 204.228.142.235 eq ftp
access-list 101 permit tcp any host 204.228.142.235 eq 1433
access-list 101 permit udp any host 204.228.142.235 eq 1434

static (inside,outside) 204.228.142.235 psdc netmask 255.255.255.255 0 0

Remember where you are assigning the ACL and what direction it's applied in :).

I see now. Hurf. I've applied these in context to all the other ACL's I need, but still can't access these services. Am I missing something still? In the meantime, I'll just submit a TAC request for assistance. Thanks for the help on this so far guys. I'm so young in my Cisco knowledge.

Never mind. I've got things working. Your suggestion was obviously right. I was dumb and took it upon myself to delete an access-group that killed things. It's back in and everything is going swimmingly.

permanoob fucked around with this message at 23:51 on Mar 26, 2008

H110Hawk
Dec 28, 2006

permanoob posted:

In the meantime, I'll just submit a TAC request for assistance.

The TAC can be frustrating at times. We were trying to figure out why one of our etherchannel ports was getting 2x the bandwidth of the others, regardless of the balancing algorithm we picked. Lots of back and forth, disruptive troubleshooting, etc.

http://www.cisco.com/warp/public/473/4.html#cat6k

Fuckers. (Sorry for the rant.) Way to sell more switchports. Yesterday I had to burn 3 extra Cat6k GigE ports to make this actually not drop packets:

code:
  MTU 1500 bytes, BW 8000000 Kbit, DLY 10 usec,
  5 minute input rate 3572908000 bits/sec, 756909 packets/sec
  5 minute output rate 4257996000 bits/sec, 747013 packets/sec
(I can hear the cash register ringing in M@'s head.)

ragzilla
Sep 9, 2005
don't ask me, i only work here


H110Hawk posted:

The TAC can be frustrating at times. We were trying to figure out why one of our etherchannel ports was getting 2x the bandwidth of the others, regardless of the balancing algorithm we picked. Lots of back and forth, disruptive troubleshooting, etc.

http://www.cisco.com/warp/public/473/4.html#cat6k

Fuckers. (Sorry for the rant.) Way to sell more switchports. Yesterday I had to burn 3 extra Cat6k GigE ports to make this actually not drop packets:

code:
  MTU 1500 bytes, BW 8000000 Kbit, DLY 10 usec,
  5 minute input rate 3572908000 bits/sec, 756909 packets/sec
  5 minute output rate 4257996000 bits/sec, 747013 packets/sec
(I can hear the cash register ringing in M@'s head.)

What are you up to, 8GbE ports? Wouldn't it be cheaper at that point (assuming you're using 6724s) to get some 6704s in and do 1x10GbE instead of 8x1GbE etherchannel? Or could you just do OSPF ECMP over a pair of 2-3x1GbE etherchannels and load balance at layer 3?

jwh
Jun 12, 2002

H110Hawk posted:

Yesterday I had to burn 3 extra Cat6k GigE ports to make this actually not drop packets:

Wait, you had to burn three additional ports to solve the "odd-number" etherchannel bundle problem, or you had to burn three additional ports to work around some kind of asic limitation?

H110Hawk
Dec 28, 2006

Girdle Wax posted:

What are you up to, 8GbE ports? Wouldn't it be cheaper at that point (assuming you're using 6724s) to get some 6704s in and do 1x10GbE instead of 8x1GbE etherchannel? Or could you just do OSPF ECMP over a pair of 2-3x1GbE etherchannels and load balance at layer 3?

We're using 6748's hooked up to 4948's. Most of this is L2 traffic going from web servers to their NAS boxes. I could swap out the 4948 for a 4948-10GE and burn the last 10gig port on my 6708-10GE-3CXL, plus a few grand in X2 modules, but 8x1gig copper seems cheaper to me. :)

Perhaps I should put a second 6509 in place and just load it to the gills with 6748's and use it for rack aggregation? Use a 10gig etherchannel to get it to hit our BGP gateways, and move most of the OSPF stuff for those racks to the new copper monster.

jwh posted:

Wait, you had to burn three additional ports to solve the "odd-number" etherchannel bundle problem, or you had to burn three additional ports to work around some kind of asic limitation?

The odd-number etherchannel problem. I guesstimated my bandwidth needs at 4gigs, I was pretty drat close, honestly. I put on 2 more links, and then I was sitting at 900meg/900/500/500/500/500. Those 900 meg ports were dropping a few hundred pps (thousand? I didn't look closely, I jumped out of my chair and started pulling cables.)
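The "odd-number" behaviour in the post above follows from the Catalyst 6500 hashing each frame to one of 8 buckets and dealing those buckets over the member links, so any bundle size that does not divide 8 leaves some links with twice the share of others (6 links: 2:2:1:1:1:1, which is the 900/900/500/500/500/500 pattern). This added example (not from the thread or from Cisco) computes those shares for every bundle size and runs a flow simulation; the 3-bit folding hash and the flow set are constructed stand-ins, since the real ASIC hash is not public.

```python
import ipaddress

BUCKETS = 8   # the 6500 EtherChannel hash produces 3 bits, i.e. 8 buckets


def bucket_counts(links):
    """Number of hash buckets each member link owns (buckets dealt round-robin)."""
    if not 1 <= links <= 8:
        raise ValueError("an EtherChannel bundle has 1 to 8 member links")
    counts = [0] * links
    for b in range(BUCKETS):
        counts[b % links] += 1
    return counts


def link_shares(links):
    """Fraction of traffic per link when flows spread evenly over the buckets."""
    return [c / BUCKETS for c in bucket_counts(links)]


def hottest_link_share(links):
    """Share carried by the busiest link; drops start when this exceeds 1 link's rate."""
    return max(link_shares(links))


def fold_to_bucket(value):
    """Fold a 32-bit value to 3 bits by XOR-ing 3-bit slices (assumed stand-in hash)."""
    h = 0
    while value:
        h ^= value & 0x7
        value >>= 3
    return h


def src_dst_ip_bucket(src, dst):
    """Bucket for 'src-dst-ip' balancing: hash the XOR of both addresses."""
    x = int(ipaddress.IPv4Address(src)) ^ int(ipaddress.IPv4Address(dst))
    return fold_to_bucket(x)


def simulate(links, flows):
    """Flows landing on each member link; a flow is pinned to link = bucket % links."""
    load = [0] * links
    for src, dst in flows:
        load[src_dst_ip_bucket(src, dst) % links] += 1
    return load


# Constructed flows: 64 web servers each talking to 8 NAS boxes (512 flows).
FLOWS = [(f"10.1.0.{w}", f"10.2.0.{n}") for w in range(64) for n in range(8)]

if __name__ == "__main__":
    for n in range(1, 9):
        print(f"{n} links: buckets {bucket_counts(n)}, hottest link {hottest_link_share(n):.3f}")
    print("6-link simulation:", simulate(6, FLOWS))
```

With a 1 Gbit/s member link, the hottest-link share tells you the bundle's real ceiling: 6 links top out at 1 / 0.25 = 4 Gbit/s of aggregate before the two double-bucket links saturate, whereas 4 or 8 links scale linearly.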

ragzilla
Sep 9, 2005
don't ask me, i only work here


H110Hawk posted:

We're using 6748's hooked up to 4948's. Most of this is L2 traffic going from web servers to their NAS boxes. I could swap out the 4948 for a 4948-10GE and burn the last 10gig port on my 6708-10GE-3CXL, plus a few grand in X2 modules, but 8x1gig copper seems cheaper to me. :)

Perhaps I should put a second 6509 in place and just load it to the gills with 6748's and use it for rack aggregation? Use a 10gig etherchannel to get it to hit our BGP gateways, and move most of the OSPF stuff for those racks to the new copper monster.

If you don't need full tables, you could save some cash and do a 4500 (or if you really like the 6500, a Sup32), throw the 10GbE links on the sup (since, assuming you run a single sup in a manned facility, if the sup fails the node is down anyway) and load it up with 6548s (or the 4500 equivalent). Then you could save some cash on the line cards since you won't get anything out of the fabric-enabled cards; just make sure your total switching capacity (port-to-port and port-to-uplink) is under 32Gbps.
