M@ posted: Edit: After loading 12.2.18 (I think) onto our Regular SUP we now see a "Supervisor Engine" in slot 5, but it's still saying unknown for the MAC. Trying a new IOS now

That was going to be my suggestion. We're running: (s72033_rp-IPSERVICESK9-M) Version 12.2(18)SXF10. Again, we don't have that fancy-pants sup. Honestly, I doubt I could tell you anything you don't already know. I mainly wanted you to send it to me so it could get "lost in the mail." If you want, I can IM you with our CCIE contractor's contact information. He charges 1.5 arms, but no legs, and can almost certainly make the both of us feel like idiots for not getting it booting.

Mar 14, 2008 22:04

M@ posted: There is no output

For the VS-S720-10G-3C you have to run 12.2.18SXH or SXH1. SXF doesn't have support for the HW (that I can see). Since the other CCIE was going to get 1.5 arms, can I get just a finger? (goon discount) Make sure you pick CAT6000-VS-S720-10G/MSFC3 as the HW on the IOS upgrade planner.

Mar 14, 2008 22:27

Tremblay posted: VS-S720-10G-3C you have to run 12.2.18SXH or SXH1. SXF doesn't have support for the HW (that I can see). Since the other CCIE was going to get 1.5 arms, can I get just a finger? (goon discount)

Well, the issue really is that the card won't even light up. We've tried it in our 6509-E and 6509 so far and no dice. And, yes, I'll give you a finger if you get it working.

Mar 14, 2008 23:29

M@ posted: Well, the issue really is that the card won't even light up. We've tried it in our 6509-E and 6509 so far and no dice.

Are you sure the HW is good? No rommon output + the hot SUP not being able to discover the card's MAC leads me to believe it's toast. Sorry, when you guys were talking code I thought you were talking about the 10GE, not the vanilla 720.

Mar 15, 2008 00:09

Tremblay posted: Are you sure the HW is good? No rommon output + the hot SUP not being able to discover the card's MAC leads me to believe it's toast.

That was my thought as well. The only other thing I can possibly think of is that it doesn't have enough power. Cisco says the minimum required is one 2500W, but I read something on their site about 4000W that now I cannot find. Fairly sure the card is toast. Going home to drink now.

Mar 15, 2008 00:38

M@ posted: That was my thought as well. The only other thing I can possibly think of is that it doesn't have enough power. Cisco says the minimum required is one 2500W, but I read something on their site about 4000W that now I cannot find. Fairly sure the card is toast. Going home to drink now.

2500W should be fine. A redundant pair would suck down ~826 Watts. Happy drinking.

Mar 15, 2008 01:59

M@ posted: That was my thought as well. The only other thing I can possibly think of is that it doesn't have enough power. Cisco says the minimum required is one 2500W, but I read something on their site about 4000W that now I cannot find. Fairly sure the card is toast. Going home to drink now.

So, uh, this should probably go without saying, but re-seating the daughter boards should always be your first move when you think something is bad.

Mar 18, 2008 16:23

It's nice to be back; my account was locked out for a while. I'm looking for suggestions on how to conditionally advertise a default with eBGP. I have a situation where my default is being learned on my edge and carried into my core via OSPF, where it then bumps up against a number of WAN routers. The WAN routers will then announce this default into eBGP (it's L3VPN MPLS). Problem is, if I lose this default, it's re-learned via the WAN, redistributed into OSPF, and then advertised right back out via eBGP. To make matters worse, I can't solve the problem by tagging the route when it moves from BGP (WAN) to OSPF (core), because BGP doesn't support 'match tag' or 'match external' or 'match metric' in route-maps when applied in the out direction. About the only solution I've been able to piece together is to turn up BGP in the core to carry the default and customer prefixes, which would then allow me to effectively use communities. This is not only a lot of work, but there are a number of firewalls in between the core and WAN routers that I don't want to have to think about turning up BGP on. I'm kind of scratching my head here, because there has to be a way to match some kind of attribute as the prefix comes into the BGP RIB from OSPF, and then use that information to suppress the advertisement via eBGP, but if there is, I can't find it. It doesn't help that it's 0.0.0.0/0 either, since I seem to be running into a bunch of 'special handling' caveats.

Edit: I just solved it, but it's gross:

quote: (EDGE)

[jwh edited this message at 22:15 on Mar 18, 2008]

Mar 18, 2008 21:51

Basic and simple PIX question; I'm just pretty new to this. I currently have traffic passing through the firewall with no control other than a basic "OK, you can browse the internet" setup. I need to define more direction to the servers I have on the inside. What I could use is some help in understanding the nat-to-global translation. Let's say I have 4 interfaces on the inside of the firewall and I have a pool of 4 IPs on the outside. How do I go about setting this up? Do I need to set a NAT ID for each internal interface, then assign a global line to each NAT ID? Is it that easy, or am I missing something? My current nat and global setup is:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 204.228.142.236-204.228.142.238
global (outside) 1 204.228.142.235

Not sure that the second global line there is even necessary. Anyway, any help on this would be excellent. Thanks.

Mar 19, 2008 22:04

permanoob posted: Basic and simple PIX question, I'm just pretty new to this.

NAT + global statements are for dynamic NAT/PAT. They cannot be used to allow a host from a lower security level to reach a higher security level. What you need are static NATs/PATs. For instance, say your interfaces are called outside and inside. You have a web server at 192.168.1.50 that you want to be accessible via the internet, and the public IP you want to use is 1.1.1.1. You would do the following:

static (inside,outside) tcp 1.1.1.1 80 192.168.1.50 80

to map just port 80 from the internal IP to the external. Or you could do this:

static (inside,outside) 1.1.1.1 192.168.1.50

which would map all ports/IP-carried protocols. Make sure you add a permit to your outside access-list to permit hosts to hit the external IP. More here: http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/mngacl.html#wp1069973

Mar 19, 2008 22:27

Alright, I see what you're saying with static routes to pass port-specific types of traffic from the outside IP to an inside IP. Can PIX support having port 80 traffic from outside 1.1.1.1 route to inside 192.168.1.50 and port 80 traffic from outside 1.1.1.4 route to inside 192.168.1.52? Let's say I have two web servers running behind the firewall. Internally they're 192.168.1.50 and 192.168.1.51. My current outside interface on the firewall is 1.1.1.1. I want 1.50 and 1.51 accessible from the outside with different IPs: say 1.1.1.1 for 1.50 and 1.1.1.2 for 1.51.

[permanoob edited this message at 23:15 on Mar 19, 2008]

Mar 19, 2008 23:06

jwh posted: I'm looking for suggestions on how to conditionally advertise a default with eBGP.

I don't have my head fully around what you're attempting to accomplish, but you might want to look into BGP conditional advertisements: http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094309.shtml

There's also a BGP default-originate command that works a little differently than using a network statement: http://www.cisco.com/en/US/docs/ios/12_2/iproute/command/reference/1rfbgp1.html#wp1152583

[inignot edited this message at 23:10 on Mar 19, 2008]

Mar 19, 2008 23:07

permanoob posted: Alright, I see what you're saying with static routes to pass port specific types of traffic from the outside ip to an inside ip.

Yup, it can; check out that link I posted. Also, those commands are static PAT and static NAT respectively. They are not routes.

Mar 20, 2008 00:39

Tremblay posted: Yup it can, check out that link I posted. Also those commands are static PAT and static NAT respectively. They are not routes.

Awesome. I see exactly what you mean. I'll work it out from here. Thanks a ton.

Mar 20, 2008 00:40

permanoob posted: Awesome. I see exactly what you mean. I'll work it out from here. Thanks a ton.

The conduit command at least sounded more reasonable: I am opening a conduit to this host. Ah well, it's all good in the hood.

Mar 20, 2008 18:51

inignot posted: I don't have my head fully around what you're attempting to accomplish, but you might want to look into BGP conditional advertisements.

I originally looked at conditional advertisements, but they only seem to allow you to announce a prefix in the absence of another prefix in the FIB. I.e., when 1.2.3.0/24 does not exist in the FIB, advertise 4.5.6.0/24. My problem here is that 0.0.0.0/0 never leaves the FIB, and can't then be used to trigger a conditional advertisement. I wasn't able to find any sort of conditional withdraw (i.e., prefix A does not exist in the FIB, therefore do not advertise prefix B). Truth is, I shouldn't be taking the 0.0.0.0/0 prefix out of BGP in the first place.

Mar 20, 2008 19:34

Herv posted: The conduit command at least sounded more reasonable. I am opening a conduit to this host.

Looking at the usage of conduit, it looks to do a static route and routes specific traffic..? Never mind, I'll just crack my book here.

Edit: That's what I thought. It's what access-group and access-list replaced.

[permanoob edited this message at 06:50 on Mar 21, 2008]

Mar 21, 2008 06:41

I'm trying to get a 2600 router working with Comcast and I'm having trouble. I've gotten this far: from the router in CLI I can ping to anywhere and NAT is working fine, only I can't get it to route. When I release/renew I can ping the router, but I can't get NAT to work or get any external configurations. Any help is appreciated. Here's the output from sh run:

quote: !

Mar 24, 2008 15:54

Spazz posted: I can't get it to route.

It looks like you're missing something along the lines of a route statement!

ip route 0.0.0.0 0.0.0.0 dhcp

Mar 24, 2008 16:16

Spazz posted: I'm trying to get a 2600 router working with Comcast and I'm having trouble. I've gotten this far and from the router in CLI I can ping to anywhere and NAT is working fine, only I can't get it to route. When I release/renew I can ping the router, but I can't get NAT to work or get any external configurations.

There's no default route, and your ACL is wrong:

interface Ethernet1/0
 description Connected to LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no ip route-cache
 full-duplex
ip nat inside source list 1 interface Ethernet0/0 overload
access-list 1 permit 192.168.0.0 0.0.0.255

Mar 24, 2008 16:16
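
A check for the kind of mistake Tremblay points out here (the NAT source list not covering the inside subnet), added as an example and not code from the thread or from Cisco: it applies IOS standard-ACL wildcard-mask semantics to a constructed config excerpt modelled on Spazz's and reports any 'ip nat inside' interface whose network the referenced access-list does not permit. The parser handles only the handful of commands shown, which is an assumption made to keep it short.

```python
import ipaddress
import re

# Constructed config modelled on the thread: LAN is 192.168.1.0/24 but the NAT
# source list permits 192.168.0.0 0.0.0.255, so LAN hosts never get translated.
BROKEN_CONFIG = """\
interface Ethernet1/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip nat inside source list 1 interface Ethernet0/0 overload
access-list 1 permit 192.168.0.0 0.0.0.255
"""
FIXED_CONFIG = BROKEN_CONFIG.replace("192.168.0.0 0.0.0.255", "192.168.1.0 0.0.0.255")

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard mask means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def acl_permits(entries, addr):
    """Standard ACL evaluation: first matching entry wins, implicit deny at the end."""
    for action, base, wildcard in entries:
        if base == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif base == "host":
            base, wildcard = wildcard, "0.0.0.0"
        if wildcard_match(addr, base, wildcard):
            return action == "permit"
    return False

def parse_config(text):
    """Collect 'ip nat inside' interface networks, standard ACLs and NAT source lists."""
    ifaces, acls, nat_lists, cur = {}, {}, [], None
    for line in text.splitlines():
        if m := re.match(r"^interface (\S+)$", line):
            cur = ifaces.setdefault(m.group(1), {})
        elif not line.startswith(" "):
            cur = None  # any other top-level command ends the interface block
        if cur is not None and (m := re.match(r"^ ip address (\d\S*) (\S+)$", line)):
            cur["net"] = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif cur is not None and line == " ip nat inside":
            cur["inside"] = True
        elif m := re.match(r"^ip nat inside source list (\d+) ", line):
            nat_lists.append(m.group(1))
        elif m := re.match(r"^access-list (\d+) (permit|deny) (\S+)(?: (\S+))?$", line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4) or "0.0.0.0"))
    inside = {n: i["net"] for n, i in ifaces.items() if i.get("inside") and "net" in i}
    return inside, acls, nat_lists

def uncovered_inside_nets(text):
    """Return (interface, network, acl) where the NAT list does not permit the whole inside net."""
    inside, acls, nat_lists = parse_config(text)
    problems = []
    for iface, net in inside.items():
        probes = [str(net.network_address + 1), str(net.broadcast_address - 1)]  # first/last host
        for acl in nat_lists:
            if not all(acl_permits(acls.get(acl, []), p) for p in probes):
                problems.append((iface, str(net), acl))
    return problems
```

Running uncovered_inside_nets on BROKEN_CONFIG names Ethernet1/0 with list 1; on FIXED_CONFIG it returns an empty list.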

You have no default route configured, unless you omitted it from your config.

ip route 0.0.0.0 0.0.0.0 interface Ethernet0/0 name DEFAULT

Mar 24, 2008 16:16

I had my default route on before, but then I took it off because once I did that I couldn't even get a ping to work in EXEC. Here's my running config now. I've also fixed the ACL.

quote: gateway#sh run

Mar 24, 2008 17:24

Spazz posted: ip route 0.0.0.0 0.0.0.0 Ethernet0/0 name DEFAULT

I believe this will cause the router to ARP for every non-local destination, and will require something else to be running proxy-ARP (i.e., cable CMTS) to function correctly. In other words, bad news. You shouldn't need a static default in your running configuration. Applying 'ip address dhcp' on an interface will cause IOS to inject a default with a high administrative distance (254?) into the routing table based on information received in the DHCP lease. Your biggest problem before was acl 1 being wrong; now that you've corrected that, what's working / not working?

Mar 24, 2008 17:49

jwh posted: I believe this will cause the router to ARP for every non-local destination, and will require something else to be running proxy-ARP (i.e., cable CMTS) to function correctly. In other words, bad news.

I did a complete reload for good measure, and now I can ping from the router but I can't ping from my internal network. Here's my sh ver also.

quote: gateway#sh ver

So, for example, I can't ping outside on my Catalyst 3550, or on my many items connected directly to it.

Edit: Now after a few minutes of running I can't ping.

quote: gateway#ping google.com

Mar 24, 2008 18:14

When you try and ping from an inside machine to the internet, do you see the NAT translation being built on the router? Use 'show ip nat trans'. Also, a 'sh ip ro' and 'show int e0/0' would be helpful.

Mar 24, 2008 19:00

jwh posted: When you try and ping from an inside machine to the internet, do you see the NAT translation being built on the router?

Yeah, I see a lot being built, but it doesn't seem to be going anywhere. All that's being built are most likely NTP updates. Here's sh ip ro:

code:

Mar 24, 2008 19:07

Spazz posted:

Wow! You just reloaded that router not too long ago, right? Check your cabling.

Mar 24, 2008 19:11

Any VoIP goons around? Dudes, I want to use a NM-HDV-1E1 module on a Cisco 3745 with IOS 12.4(7) for call hairpinning purposes (a Cisco AS5300 router will be connected on the E1 controller so the 3745 can share its resources). The thing is, as I can see with a "show voice call status", call hairpinning uses no DSPs:

code:

Mar 24, 2008 19:48

jwh posted: I believe this will cause the router to ARP for every non-local destination, and will require something else to be running proxy-ARP (i.e., cable CMTS) to function correctly. In other words, bad news.

Correct and correct. We ask people that ARP question in interviews. It's depressing how few figure it out.

Mar 24, 2008 20:19

Another quick question on this PIX. I'm trying to configure static routes between 5 IPs and 5 interfaces, with certain services/ports being allowed into each. I'm not able to access any of these services through the firewall currently. Here's my ACL config; I just can't seem to nail this down.

quote: name 192.168.1.2 psdc

Mar 25, 2008 15:55

permanoob posted: Another quick question on this PIX. I'm trying to configure static routes between 5 IPs and 5 interfaces, with certain services/ports being allowed into each. I'm not able to access any of these services through the firewall currently. Here's my ACL config, I just can't seem to nail this down.

You are going to need to provide more of the config than those ACLs if you are trying to do any sort of routing in the PIX.

Mar 25, 2008 16:27

Yeah, I know the device doesn't route. Yeah, I used the word routes.

quote: PIX Version 6.3(5)

[permanoob edited this message at 23:06 on Mar 25, 2008]

Mar 25, 2008 16:46

jbiel posted: Wow! You just reloaded that router not too long ago right?

Well poo poo! It was the drat cable. Everything is working fine like a breeze now, guys. Thanks again, goons!

Mar 25, 2008 20:42

permanoob posted: Yeah, I know the device doesn't route. Yeah, I used the word routes.

You are permitting access to private IP addresses on the outside interface.

access-list 101 permit tcp any host psdc eq ftp
access-list 101 permit tcp any host psdc eq 1433
access-list 101 permit udp any host psdc eq 1434
static (inside,outside) 204.228.142.235 psdc netmask 255.255.255.255 0 0

You need to be doing this:

access-list 101 permit tcp any host 204.228.142.235 eq ftp
access-list 101 permit tcp any host 204.228.142.235 eq 1433
access-list 101 permit udp any host 204.228.142.235 eq 1434
static (inside,outside) 204.228.142.235 psdc netmask 255.255.255.255 0 0

Remember where you are assigning the ACL and what direction it's applied in.

[Tremblay edited this message at 01:58 on Mar 26, 2008]

Mar 26, 2008 01:55
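
A consistency check for the ACL/static mismatch Tremblay describes, added as an example and not code from the thread or from Cisco: given a constructed PIX 6.3 excerpt modelled on permanoob's, it resolves 'name' aliases and flags any inbound ACL entry that references a host's real inside address where the static's mapped address belongs, or an address that no static presents on that interface. It assumes the ACL is bound with 'access-group ... in interface' and only parses the command forms shown.

```python
import re

# Constructed PIX 6.3 excerpt modelled on the thread: the outside ACL names the
# inside host (psdc = 192.168.1.2) instead of the public address the static maps it to.
BROKEN_CONFIG = """\
name 192.168.1.2 psdc
access-list 101 permit tcp any host psdc eq ftp
access-list 101 permit tcp any host psdc eq 1433
access-list 101 permit udp any host psdc eq 1434
static (inside,outside) 204.228.142.235 psdc netmask 255.255.255.255 0 0
access-group 101 in interface outside
"""
FIXED_CONFIG = BROKEN_CONFIG.replace("host psdc", "host 204.228.142.235")

def parse_pix(text):
    """Pull out name aliases, static translations, ACL entries and ACL-to-interface bindings."""
    names, statics, acls, groups = {}, [], {}, {}
    for line in text.splitlines():
        if m := re.match(r"^name (\S+) (\S+)$", line):
            names[m.group(2)] = m.group(1)
        # static (real_if,mapped_if) [tcp|udp] MAPPED [port] REAL [port] ...
        elif m := re.match(r"^static \((\w+),(\w+)\) (?:(?:tcp|udp) )?(\S+) (?:\d+ )?(\S+)", line):
            statics.append(m.groups())
        elif m := re.match(r"^access-list (\S+) permit (\S+) (\S+) host (\S+)(?: eq (\S+))?$", line):
            acl, proto, _src, dst, port = m.groups()
            acls.setdefault(acl, []).append((proto, dst, port, line))
        elif m := re.match(r"^access-group (\S+) in interface (\w+)$", line):
            groups[m.group(1)] = m.group(2)
    return names, statics, acls, groups

def misplaced_acl_targets(text):
    """Flag inbound ACL entries that name a host's real (inside) address, or an address that
    no static presents on that interface; the static's mapped address is what belongs there."""
    names, statics, acls, groups = parse_pix(text)

    def resolve(token):
        return names.get(token, token)

    findings = []
    for acl, iface in groups.items():
        mapped_to_real = {resolve(m): resolve(r) for _, mif, m, r in statics if mif == iface}
        real_to_mapped = {r: m for m, r in mapped_to_real.items()}
        for _proto, dst, _port, line in acls.get(acl, []):
            target = resolve(dst)
            if target in real_to_mapped:
                findings.append((line, f"use mapped address {real_to_mapped[target]}"))
            elif target not in mapped_to_real:
                findings.append((line, f"no static presents {target} on {iface}"))
    return findings
```

On BROKEN_CONFIG all three ACL lines are flagged with the mapped address 204.228.142.235; on FIXED_CONFIG nothing is flagged.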

Tremblay posted: You need to be doing this:

I see now. Hurf. I've applied these in context to all the other ACLs I need, but still can't access these services. Am I missing something still? In the meantime, I'll just submit a TAC request for assistance. Thanks for the help on this so far, guys. I'm so young in my Cisco knowledge.

Never mind. I've got things working. Your suggestion was obviously right. I was dumb and took it upon myself to delete an access-group, which killed things. It's back in and everything is going swimmingly.

[permanoob edited this message at 23:51 on Mar 26, 2008]

Mar 26, 2008 17:35

permanoob posted: In the meantime, I'll just submit a TAC request for assistance.

The TAC can be frustrating at times. We were trying to figure out why one of our etherchannel ports was getting 2x the bandwidth of the others, regardless of the balancing algorithm we picked. Lots of back and forth, disruptive troubleshooting, etc. http://www.cisco.com/warp/public/473/4.html#cat6k Fuckers. (Sorry for the rant.) Way to sell more switchports. Yesterday I had to burn 3 extra Cat6k GigE ports to make this actually not drop packets:

code:

Mar 26, 2008 17:44

H110Hawk posted: The TAC can be frustrating at times. We were trying to figure out why one of our etherchannel ports was getting 2x the bandwidth of the others, regardless of the balancing algorithm we picked. Lots of back and forth, disruptive troubleshooting, etc.

What are you up to, 8GbE ports? Wouldn't it be cheaper at that point (assuming you're using 6724s) to get some 6704s in and do 1x10GbE instead of 8x1GbE etherchannel? Or could you just do OSPF ECMP over a pair of 2-3x1GbE etherchannels and load balance at layer 3?

Mar 26, 2008 17:52

H110Hawk posted: Yesterday I had to burn 3 extra Cat6k GigE ports to make this actually not drop packets:

Wait, you had to burn three additional ports to solve the "odd-number" etherchannel bundle problem, or you had to burn three additional ports to work around some kind of ASIC limitation?

Mar 26, 2008 18:13

Girdle Wax posted: What are you up to, 8GbE ports? Wouldn't it be cheaper at that point (assuming you're using 6724s) to get some 6704s in and do 1x10GbE instead of 8x1GbE etherchannel? Or could you just do OSPF ECMP over a pair of 2-3x1GbE etherchannels and load balance at layer 3?

We're using 6748s hooked up to 4948s. Most of this is L2 traffic going from web servers to their NAS boxes. I could swap out the 4948 for a 4948-10GE and burn the last 10gig port on my 6708-10GE-3CXL, plus a few grand in X2 modules, but 8x1gig copper seems cheaper to me. Perhaps I should put a second 6509 in place and just load it to the gills with 6748s and use it for rack aggregation? Use a 10gig etherchannel to get it to hit our BGP gateways, and move most of the OSPF stuff for those racks to the new copper monster.

jwh posted: Wait, you had to burn three additional ports to solve the "odd-number" etherchannel bundle problem, or you had to burn three additional ports to work around some kind of ASIC limitation?

The odd-number etherchannel problem. I guesstimated my bandwidth needs at 4 gigs; I was pretty drat close, honestly. I put on 2 more links, and then I was sitting at 900meg/900/500/500/500/500. Those 900 meg ports were dropping a few hundred pps (thousand? I didn't look closely; I jumped out of my chair and started pulling cables.)

Mar 26, 2008 20:49

H110Hawk posted: We're using 6748s hooked up to 4948s. Most of this is L2 traffic going from web servers to their NAS boxes. I could swap out the 4948 for a 4948-10GE and burn the last 10gig port on my 6708-10GE-3CXL, plus a few grand in X2 modules, but 8x1gig copper seems cheaper to me.

If you don't need full tables, you could save some cash and do a 4500 (or, if you really like the 6500, a Sup32), throw the 10GbE links on the sup (since, assuming you run a single sup if it's a manned facility, if the sup fails the node is down anyway) and load it up with 6548s (or the 4500 equivalent). Then you could save some cash on the line cards, since you won't get anything out of the fabric-enabled cards; you just have to make sure your total switching capacity (port-to-port and port-to-uplink) is under 32Gbps.

Mar 26, 2008 21:06