M@
Jul 10, 2004

H110Hawk posted:

(I can hear the cash register ringing in M@'s head.)

:whatup: I thought you were on vacation!

If any of you guys have PA-MC-2T3+ that you (or your company) are looking to get rid of, I need to buy many of them, and I will pay you lots of money for them.

skeevy achievements
Feb 25, 2008

by merry exmarx
I'm building a house and hope to scrape together enough cash to wire it up with Cisco products; in the meantime I have need for a new wireless access point, and I thought I might pick up an Aironet to connect to my Soekris Net 5501. My questions are:

1. I think I need an "autonomous" model, otherwise I'll need a separate wireless LAN controller, is that right?

2. Will I need to learn a lot of IOS to make this thing work, or can I just plug it into my Soekris and go?

3. My number one priority is stability. In terms of actual models, the Aironet 1130 AG seems like the sort of product I should be looking at but I don't have a problem with used gear as long as it's a stable model. Are there any recommended 802.11g models from the Aironet line?

4. Are there any other downsides (besides price and initial configuration complexity) to using Aironet at home versus consumer gear, and if so do you have any alternate recommendations?

Any advice would be helpful goons, thanks!

jwh
Jun 12, 2002

Correct, you'll want something autonomous, unless you also want to spend the money on a wireless controller (i.e., Cisco 2106), which you would only want to do if you plan on having a bunch of radios.

I don't have any experience with running 1130s in heavy (autonomous) mode, so I can't comment on how much IOS you'll need to know. You will need to do some configuration; these aren't exactly plug and play.

Also, 1130s get very very hot, so be careful where you stick the thing.

tortilla_chip
Jun 13, 2007

k-partite
http://www.cisco.com/en/US/docs/wireless/access_point/12.3_7_JA/configuration/guide/s37frst.html

This should help with getting your initial configuration going. One caveat with the 1100s is the fixed antenna configuration, so just be aware of that.

namol
Mar 21, 2007
I'm looking to build a kit for the new CCNA exam and I was wondering what hardware I would need and if anyone has taken it.

Boner Buffet
Feb 16, 2006
I haven't taken it, but I am working through the material via the Sybex CCNA book instead of any Cisco Press books. You can purchase a special set which comes with a net sim. I believe it's pretty much restricted to the labs, but it probably has some use. If you're looking for real equipment, a couple of 2940/2950/2960 switches plus a few lower-end routers with two Ethernet ports per router and capable of doing EIGRP should be sufficient for most of the material I'm working through. Again, I'm not using the Cisco Press books so I'm not sure how that might affect requirements.

namol
Mar 21, 2007
I'm using the Sybex books by Todd Lammle also. His company makes a product called RouterSim and I was wondering if that would be worth it instead of hardware.

Weiz
Dec 12, 2003
Fishman is not just an understanding financial organisation.
OK goons, here's a question for you.

Recently I've been thinking of all the really long (or annoying) commands that I use often and making somewhat shorter aliases for them, I've included some below.

code:
alias exec cpu show processes cpu sorted
alias exec nda no debug all
alias exec sna show ntp associations
alias exec silp show ip local pool
The thing is that some of our users are horrible at typing, and unfortunately the situation regularly arises where we have to debug various functions in order to demonstrate to them that it's their typing skills and not our systems that are the problem.

My question is this: is it possible to make some kind of alias-like function where I can run multiple commands from a single line?

jwh
Jun 12, 2002

Has anyone used Lantronix SLC console servers? I'm looking for something to replace our Avocents, which I do not like very much.

H110Hawk
Dec 28, 2006

jwh posted:

Has anyone used Lantronix SLC console servers? I'm looking for something to replace our Avocents, which I do not like very much.

I've never used either, but we really love the Digi CM 48-port console servers. :3:

Spazz
Nov 17, 2005

I purchased a handful of equipment recently and with it I got a VConsole ISDN Simulator. Unfortunately it doesn't have the disk that carries the ISDN Manager software with it. Do you goons know of any alternative way to configure or manage it? Or have the software on them?

I can't seem to find it on their site, unless I looked in all the wrong places.

Joss Laypeg
Oct 11, 2007
A psychotic is a guy who's just found out what's going on. - WSB

namol posted:

I'm looking to build a kit for the new CCNA exam and I was wondering what hardware I would need and if anyone has taken it.

Unless you are planning to go straight on to CCNP or further, you might be better off going with Dynamips/Dynagen instead. It's not a simulator - it actually emulates the hardware and runs real IOS images on your PC (Windows or Linux). You can run multiple routers and connect them up via a virtual network (or bridge them to a real network) and do virtually anything you can do on a real router. The only major thing that it can't do is emulate ISDN interfaces. But if you want to do ISDN with real kit, you will likely need rather expensive ISDN simulator hardware anyway.

Obviously you're not going to get the performance of a real router, but it's a million times better than any simulator. I'm pretty sure there's some discussion about it earlier in this thread.

Boner Buffet
Feb 16, 2006

Reefer Inc. posted:

Obviously you're not going to get the performance of a real router, but it's a million times better than any simulator. I'm pretty sure there's some discussion about it earlier in this thread.

As was mentioned earlier in this thread, there is no switch emulation. You can add a switch to your topology, but that's about it.

CrazyLittle
Sep 11, 2001

Clapping Larry

jwh posted:

Has anyone used Lantronix SLC console servers? I'm looking for something to replace our Avocents, which I do not like very much.

I have a couple of Lantronix SCS400s at remote sites and they're fairly nice and feature packed, but some aspects of the interface make me think they're not all that secure. You can telnet direct-to-port and I don't think there's any real authentication on that feature. Beyond that though you can wire one up to be in/out on any port with or without modems, and even SSH/telnet out from the device. It's really flexible.

jwh
Jun 12, 2002

CrazyLittle posted:

I have a couple of Lantronix SCS400s at remote sites and they're fairly nice and feature packed, but some aspects of the interface make me think they're not all that secure. You can telnet direct-to-port and I don't think there's any real authentication on that feature. Beyond that though you can wire one up to be in/out on any port with or without modems, and even SSH/telnet out from the device. It's really flexible.

That still sounds a hell of a lot better than what we get with the Avocents, and apparently the Lantronix devices are cheaper.

I just read through some of the Lantronix user docs, and I guess you can set them up to authenticate via tacacs / radius, but who knows. I like the fact that they claim to be able to watch console ports and alert based on regex matches seen.

Spazz
Nov 17, 2005

Here's my problem: I'm on Comcast. Any time I connect directly to my router I have no issues with speed. When I connect with a Cisco 2610 my speeds are throttled down to 30kb/sec max unless I open multiple threads (like on USENET) to 180kb/sec. Do you guys see anything on my config that could cause this? Here's my config and sh ver:
code:
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname gateway
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
logging rate-limit all 10000
enable secret 5 <snip>
enable password 7 <snip>
!
username taylor secret 5 <snip>
aaa new-model
!
!
aaa authentication attempts login 1
aaa authentication login default enable
aaa session-id common
ip subnet-zero
no ip source-route
ip telnet source-interface Ethernet1/0
ip cef
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.99
!
ip dhcp pool home
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1 
   dns-server 68.87.64.146 68.87.75.194 
   domain-name spazztic.net
   lease 7
!
!
no ip bootp server
ip audit notify log
ip audit po max-events 100
ip ssh time-out 10
ip ssh authentication-retries 1
ip ssh source-interface Ethernet1/0
ip scp server enable
!
! 
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
 description External Interface
 ip address dhcp
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 no ip mroute-cache
 full-duplex
 no cdp enable
!
interface Serial0/0
 ip address 10.0.0.5 255.0.0.0
 no cdp enable
!
interface BRI0/0
 no ip address
 shutdown
!
interface Ethernet1/0
 description Internal Interface
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no ip route-cache
 full-duplex
!
ip nat inside source list 1 interface Ethernet0/0 overload
no ip http server
no ip http secure-server
no ip classless
!
!
logging trap debugging
logging 192.168.1.107
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 10 permit 192.168.1.1
access-list 10 deny   any log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any log
access-list 101 deny   udp any any eq snmp log
access-list 101 permit ip any any
access-list 110 deny   tcp any any eq 3724 log
access-list 120 permit tcp any any eq nntp
!
!
!
!
!
banner motd <snip>
!
line con 0
 exec-timeout 5 0
line aux 0
 exec-timeout 0 1
 password 7 <snip>
 no exec
 transport output none
line vty 0 4
 exec-timeout 5 0
 transport input ssh
!
ntp clock-period 17208310
ntp source Ethernet1/0
ntp server 192.168.1.106
!
!
end
And sh ver
code:
gateway#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(5a), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 25-Nov-03 06:00 by kellythw
Image text-base: 0x80008098, data-base: 0x819E4F8C

ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)

gateway uptime is 18 minutes
System returned to ROM by reload at 18:01:16 UTC Tue Apr 1 2008
System restarted at 18:04:28 UTC Tue Apr 1 2008
System image file is "flash:c2600-ik9o3s3-mz.123-5a.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco 2610 (MPC860) processor (revision 0x300) with 61440K/4096K bytes of memory.
Processor board ID JAD05460RPE (3252677181)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
Basic Rate ISDN software, Version 1.1.
2 Ethernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
1 ISDN Basic Rate interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

jwh
Jun 12, 2002

Spazz posted:

Here's my problem: I'm on Comcast. Any time I connect directly to my router I have no issues with speed. When I connect with a Cisco 2610 my speeds are throttled down to 30kb/sec max unless I open multiple threads (like on USENET) to 180kb/sec. Do you guys see anything on my config that could cause this? Here's my config and sh ver

Can you do a 'show int switching'?

Spazz
Nov 17, 2005

jwh posted:

Can you do a 'show int switching'?

code:
gateway#show int switching
Ethernet0/0 External Interface
          Throttle count          0
                   Drops         RP        589         SP          0
             SPD Flushes       Fast          0        SSE          0
             SPD Aggress       Fast          0
            SPD Priority     Inputs          0      Drops          0

    Protocol  IP
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process       3477     884168       1791     140250
            Cache misses          0          -          -          -
                    Fast      11788   14234305       9508    1201027
               Auton/SSE          0          0          0          0

    Protocol  ARP
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process     204733   12283980          6        360
            Cache misses          0          -          -          -
                    Fast          0          0          0          0
               Auton/SSE          0          0          0          0

    Protocol  Other
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process          0          0       1049      62940
            Cache misses          0          -          -          -
                    Fast          0          0          0          0
               Auton/SSE          0          0          0          0

    NOTE: all counts are cumulative and reset only after a reload.
Serial0/0

    All statistics for this interface are zero.

Interface BRI0/0 is disabled


Interface BRI0/0:1 is disabled


Interface BRI0/0:2 is disabled

Ethernet1/0 Internal Interface

    Protocol  IP
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process       2562     205766       2212     233183
            Cache misses          0          -          -          -
                    Fast       9511    1201297      11791   14225126
               Auton/SSE          0          0          0          0

    Protocol  ARP
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process        298      17880        238      14280
            Cache misses          0          -          -          -
                    Fast          0          0          0          0
               Auton/SSE          0          0          0          0

    Protocol  CDP
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process        175      73150        175      56366
            Cache misses          0          -          -          -
                    Fast          0          0          0          0
               Auton/SSE          0          0          0          0

    Protocol  Other
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process        351      16848       1050      63000
            Cache misses          0          -          -          -
                    Fast          0          0          0          0
               Auton/SSE          0          0          0          0

    NOTE: all counts are cumulative and reset only after a reload.
Done.

jwh
Jun 12, 2002

Spazz posted:

code:
gateway#show int switching
Well, NAT's in the CEF path, so that's not the problem.

I don't really know, except to suggest you try another (later) 12.3 mainline image, or look at your interface counters and 'show controller' output for anything abnormal.

Are the switch(es) your Ethernet ports are connected to aware that you've hard-coded to full duplex? If your switches are expecting autonegotiation they're falling back to half-duplex while you're coded to full.

Spazz
Nov 17, 2005

jwh posted:

Well, NAT's in the CEF path, so that's not the problem.

I don't really know, except to suggest you try another (later) 12.3 mainline image, or look at your interface counters and 'show controller' output for anything abnormal.

Are the switch(es) your Ethernet ports are connected to aware that you've hard-coded to full duplex? If your switches are expecting autonegotiation they're falling back to half-duplex while you're coded to full.

Yeah, I was previously getting CDP errors on my Catalyst 3550 I had it hooked into. I changed it to force full duplex on eth1/0. I then went into the FastEth 0/1 and set it to full duplex. Here's show controllers for each interface.
code:
gateway#show controllers Ethernet 0/0
Interface Ethernet0/0
Hardware is AMD Unknown
ADDR: 82BAE368, FASTSEND: 8001FAB4, MCI_INDEX: 0
DIST ROUTE ENABLED: 0
Route Cache Flag: 11
 LADRF=0x0000 0x0000 0x0000 0x0000
 CSR0  =0x00000072, CSR3  =0x00001044, CSR4  =0x0000491D, CSR15 =0x00000000
 CSR80 =0x0000D900, CSR114=0x00000000, CRDA  =0x03D176F0, CXDA  =0x03D17840
 BCR9 =0x00000001 (full-duplex)
 HW filtering information:
  Promiscuous Mode Disabled, PHY Addr Enabled, Broadcast Addr Enabled
  PHY Addr=0007.EBFF.3300, Multicast Filter=0x0000 0x0000 0x0000 0x0000
 amdp2_instance=0x82BAFB10, registers=0x40000000, ib=0x3D17540
 rx ring entries=32, tx ring entries=64
 rxring=0x3D175A0, rxr shadow=0x82BAFD80, rx_head=21, rx_tail=0
 txring=0x3D177E0, txr shadow=0x82BAFE2C, tx_head=6, tx_tail=6, tx_count=0
 Software MAC address filter(hash:length/addr/mask/hits):
 spurious_idon=0, throttled=0, enabled=0, disabled=0
 rx_framing_err=0, rx_overflow_err=0, rx_buffer_err=0
 rx_bpe_err=0, rx_soft_overflow_err=0, rx_no_enp=0, rx_discard=0
 tx_one_col_err=0, tx_more_col_err=0, tx_no_enp=0, tx_deferred_err=0
 tx_underrun_err=0, tx_late_collision_err=0, tx_loss_carrier_err=462
 tx_exc_collision_err=0, tx_buff_err=0, fatal_tx_err=0
 hsrp_conf=0, need_af_check=0
 tx_limited=0(64)

gateway#show controllers Ethernet 1/0
Interface Ethernet1/0
Hardware is AMD Unknown
ADDR: 82BEC8D0, FASTSEND: 8001FAB4, MCI_INDEX: 0
DIST ROUTE ENABLED: 0
Route Cache Flag: 20
 LADRF=0x0000 0x0100 0x0000 0x0000
 CSR0  =0x00000072, CSR3  =0x00001044, CSR4  =0x0000491D, CSR15 =0x00000000
 CSR80 =0x0000D900, CSR114=0x00000000, CRDA  =0x03D7A4B0, CXDA  =0x03D7AAA0
 BCR9 =0x00000001 (full-duplex)
 HW filtering information:
  Promiscuous Mode Disabled, PHY Addr Enabled, Broadcast Addr Enabled
  PHY Addr=0007.EBFF.3310, Multicast Filter=0x0000 0x0100 0x0000 0x0000
 amdp2_instance=0x82BEE078, registers=0x40800000, ib=0x3D7A420
 rx ring entries=32, tx ring entries=64
 rxring=0x3D7A480, rxr shadow=0x82BEE2E8, rx_head=3, rx_tail=0
 txring=0x3D7A6C0, txr shadow=0x82BEE394, tx_head=62, tx_tail=62, tx_count=0
 Software MAC address filter(hash:length/addr/mask/hits):
  0xC0:  0  0100.0ccc.cccc  0000.0000.0000         0
 spurious_idon=0, throttled=0, enabled=0, disabled=0
 rx_framing_err=0, rx_overflow_err=0, rx_buffer_err=0
 rx_bpe_err=0, rx_soft_overflow_err=0, rx_no_enp=0, rx_discard=0
 tx_one_col_err=0, tx_more_col_err=0, tx_no_enp=0, tx_deferred_err=0
 tx_underrun_err=0, tx_late_collision_err=0, tx_loss_carrier_err=0
 tx_exc_collision_err=0, tx_buff_err=0, fatal_tx_err=0
 hsrp_conf=0, need_af_check=0
 tx_limited=0(64)
Here's the interface details on my switch for Fa0/1.
code:
top_3550#sh int fa 0/1
FastEthernet0/1 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0012.43e3.9d01 (bia 0012.43e3.9d01)
  Description: Gateway to Main Network
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 10Mb/s, media type is unknown media type
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:50, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     122981681 packets input, 1237984574 bytes, 0 no buffer
     Received 118448 broadcasts (0 multicast)
     0 runts, 0 giants, 0 throttles
     1 input errors, 1 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 108188 multicast, 0 pause input
     0 input packets with dribble condition detected
     57356811 packets output, 108919004 bytes, 202 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     202 output buffer failures, 0 output buffers swapped out
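The counters being read in the outputs above are the usual duplex-mismatch signature: the half-duplex end of a mismatched link records collisions and late collisions, while the full-duplex end records CRC, runt and frame errors because the other side keeps aborting frames mid-transmission. The Python below is an added example, not from the thread or from Cisco, that pulls those counters out of `show interfaces` text and flags each side. The switch sample is the Fa0/1 output posted above (which is clean, as expected, since the mismatch turned out to be on the outside interface); the other two samples are constructed to show what a mismatched pair looks like, and the error-ratio threshold is an arbitrary assumption for the example.

```python
import re

# The Catalyst 3550 Fa0/1 output posted in the thread, abridged to the lines the parser reads.
SWITCH_FA0_1 = """\
FastEthernet0/1 is up, line protocol is up (connected)
  Full-duplex, 10Mb/s, media type is unknown media type
     122981681 packets input, 1237984574 bytes, 0 no buffer
     0 runts, 0 giants, 0 throttles
     1 input errors, 1 CRC, 0 frame, 0 overrun, 0 ignored
     57356811 packets output, 108919004 bytes, 202 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

# Constructed samples (not from the thread) of the two ends of a mismatched link.
HALF_END = """\
Ethernet0/0 is up, line protocol is up
  Half-duplex, 10Mb/s
     4021 packets input, 513311 bytes, 0 no buffer
     12 runts, 0 giants, 0 throttles
     49 input errors, 31 CRC, 6 frame, 0 overrun, 0 ignored
     3877 packets output, 402113 bytes, 0 underruns
     0 output errors, 418 collisions, 0 interface resets
     0 babbles, 212 late collision, 95 deferred
"""

FULL_END = """\
FastEthernet0/2 is up, line protocol is up (connected)
  Full-duplex, 10Mb/s, media type is 10/100BaseTX
     3877 packets input, 402113 bytes, 0 no buffer
     9 runts, 0 giants, 0 throttles
     64 input errors, 44 CRC, 11 frame, 0 overrun, 0 ignored
     4021 packets output, 513311 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

# Counter names mapped to the regex that extracts them from 'show interfaces' output.
COUNTERS = {
    "packets_input": r"(\d+) packets input",
    "runts": r"(\d+) runts",
    "crc": r"(\d+) CRC",
    "frame": r"(\d+) frame,",
    "collisions": r"(\d+) collisions",
    "late_collisions": r"(\d+) late collision",
}

# Input-error ratio above which a full-duplex port is considered suspicious.
# This is an assumption chosen for the example, not a Cisco figure.
ERROR_RATIO_THRESHOLD = 1e-4


def parse_interface(text):
    """Extract duplex setting and the relevant counters from one interface's output."""
    m = re.search(r"\b(Full|Half)-duplex", text)
    info = {"duplex": m.group(1).lower() if m else "unknown"}
    for name, pattern in COUNTERS.items():
        m = re.search(pattern, text)
        info[name] = int(m.group(1)) if m else 0
    return info


def symptoms(info):
    """Return the reasons one side looks like half of a duplex mismatch (empty if clean)."""
    reasons = []
    if info["duplex"] == "half" and info["late_collisions"] > 0:
        reasons.append(f"half-duplex side reporting late collisions ({info['late_collisions']})")
    errors = info["crc"] + info["runts"] + info["frame"]
    ratio = errors / info["packets_input"] if info["packets_input"] else 0.0
    if info["duplex"] == "full" and ratio > ERROR_RATIO_THRESHOLD:
        reasons.append(f"full-duplex side with CRC/runt/frame errors on {ratio:.2%} of input")
    return reasons


def compare_pair(side_a, side_b):
    """Judge both ends of a link: mismatched duplex settings or symptoms on either side."""
    a, b = parse_interface(side_a), parse_interface(side_b)
    result = {"duplex": (a["duplex"], b["duplex"]), "symptoms": symptoms(a) + symptoms(b)}
    result["likely_mismatch"] = a["duplex"] != b["duplex"] or bool(result["symptoms"])
    return result


if __name__ == "__main__":
    print("switch Fa0/1 vs itself:", compare_pair(SWITCH_FA0_1, SWITCH_FA0_1))
    print("constructed pair:      ", compare_pair(FULL_END, HALF_END))
```

Note that the ratio check matters: the switch side above shows 1 CRC error against 122 million input packets, which is noise, whereas the constructed full-duplex end shows errors on well over 1% of its input. Comparing duplex settings directly is only possible when you can read both ends; when the far end is a provider's modem, as in the thread, the counters on your own side are all you have.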

jwh
Jun 12, 2002

Spazz posted:

Yeah, I was previously getting CDP errors on my Catalyst 3550 I had it hooked into. I changed it to force full duplex on eth1/0. I then went into the FastEth 0/1 and set it to full duplex.

What about your outside e0/0 interface? Is that connected to something hard-coded for full-duplex too?

Spazz
Nov 17, 2005

jwh posted:

What about your outside e0/0 interface? Is that connected to something hard-coded for full-duplex too?

:suicide:

Kicked her down to half duplex and that fixed it.

Once again, I owe you goons.

Pussy Noise
Aug 1, 2003

Oh boy have I got a stumper.



PE is Cisco 7206VXR, IOS (C7200-P-M), Version 12.2(25)S
CE is Cisco 2821, IOS (C2800NM-SPSERVICESK9-M), Version 12.4(5a)

The three VLANs are used for three separate MPLS VPNs; the respective subinterfaces are directly connected via /30 point-to-point networks. Right now we have a static route setup going, but the customer needs a backup connection, so I'm setting up BGP peering between PE and CE. Everything's fine except the BGP session across VLAN 212, because a TCP connection can't be established between the point-to-point addresses.

The point-to-point networks for VLANs 210 and 211 are just fine, ICMP goes both ways and BGP sessions are established. There are no access lists, the switch has all three VLANs allowed in its trunk ports, and I can see both ends of the point-to-point networks in both ARP tables for VLAN 212:
code:
PE#sh ip arp vrf customer-vpn-3 Gi0/1.212
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.16.36.237           -   aaaa.bbbb.cccc  ARPA   GigabitEthernet0/1.212
Internet  172.16.36.238           0   xxxx.yyyy.zzzz  ARPA   GigabitEthernet0/1.212

CE#sh ip arp vrf vpn-3 Gi0/0.212
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.16.36.237           0   aaaa.bbbb.cccc  ARPA   GigabitEthernet0/0.212
Internet  172.16.36.238           -   xxxx.yyyy.zzzz  ARPA   GigabitEthernet0/0.212
However:
code:
CE#ping vrf vpn-3 172.16.36.237 source Gi0/0.212

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.36.237, timeout is 2 seconds:
Packet sent with a source address of 172.16.36.238
.....
Success rate is 0 percent (0/5)
I've verified with the customer that all traffic in that VPN flows fine. Just for shits and giggles, let's ping any address that's elsewhere in the VPN, e.g.:
code:
CE#ping vrf vpn-3 172.16.36.94 source Gi0/0.212

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.36.94, timeout is 2 seconds:
Packet sent with a source address of 172.16.36.238
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/10/12 ms
What the gently caress. I've shut/no shut the subinterfaces n+1 times, there is nothing wrong with the configuration, and I've even reloaded CE. There's nothing in the log of either PE or CE that would indicate anything weird at all. I'm guessing I might have to reload PE (uptime is 2 years, 7 weeks, 9 hours, 54 minutes), but it's not like that's something we want to do willy-nilly.

Here's the interface configuration, as straightforward as it gets:

PE
code:
interface GigabitEthernet0/1.210
 description XXXX
 encapsulation dot1Q 210
 ip vrf forwarding customer-vpn-1
 ip address 172.16.36.229 255.255.255.252
!
interface GigabitEthernet0/1.211
 description XXXX
 encapsulation dot1Q 211
 ip vrf forwarding customer-vpn-2
 ip address 172.16.36.233 255.255.255.252
!
interface GigabitEthernet0/1.212
 description XXXX
 encapsulation dot1Q 212
 ip vrf forwarding customer-vpn-3
 ip address 172.16.36.237 255.255.255.252
!
CE
code:
interface GigabitEthernet0/0.210
 description XXXX
 encapsulation dot1Q 210
 ip address 172.16.36.230 255.255.255.252
 no snmp trap link-status
!
interface GigabitEthernet0/0.211
 description XXXX
 encapsulation dot1Q 211
 ip vrf forwarding vpn-2
 ip address 172.16.36.234 255.255.255.252
 no snmp trap link-status
!
interface GigabitEthernet0/0.212
 description XXXX
 encapsulation dot1Q 212
 ip vrf forwarding vpn-3
 ip address 172.16.36.238 255.255.255.252
 no snmp trap link-status
!
help

inignot
Sep 1, 2003

WWBCD?
Irrespective of the failed ping, does the address arp successfully?

jwh
Jun 12, 2002

If you debug icmp on the PE router, do you see echo requests arriving over vlan 212 when you conduct your ping? Also what's CEF say about the 172.16.36.238 adjacency?

Pussy Noise
Aug 1, 2003

inignot posted:

Irrespective of the failed ping, does the address arp successfully?

Yeah, there's constant heavy traffic across the link.

jwh posted:

If you debug icmp on the PE router, do you see echo requests arriving over vlan 212 when you conduct your ping? Also what's CEF say about the 172.16.36.238 adjacency?

Echo replies are logged on PE when pinging it from CE; nothing on CE when pinging it from PE.

CEF says
code:
PE#sh ip cef vrf customer-vpn-3 g0/1.212
---8<---
172.16.36.236/30     attached             GigabitEthernet0/1.212
---8<---
PE#sh ip cef vrf customer-vpn-3 172.16.36.238
172.16.36.238/32
  attached to GigabitEthernet0/1.212

CE#sh ip cef vrf vpn-3 g0/0.212
Prefix              Next Hop             Interface
0.0.0.0/0           172.16.36.237        GigabitEthernet0/0.212
172.16.36.236/30    attached             GigabitEthernet0/0.212
172.16.36.237/32    172.16.36.237        GigabitEthernet0/0.212
CE#sh ip cef vrf vpn-3 172.16.36.237
172.16.36.237/32, version 94, epoch 0, connected, cached adjacency 172.16.36.237
0 packets, 0 bytes
  via 172.16.36.237, GigabitEthernet0/0.212, 1 dependency
    next hop 172.16.36.237, GigabitEthernet0/0.212
    valid cached adjacency

ElCondemn
Aug 7, 2005


What are some good books on configuring VRRP and in general networking equipment?

I think I've come to the limit of my networking knowledge but at work I'm being tasked as a "network admin" on top of my normal duties, mainly because it's incredibly hard to find anyone worthwhile around here to interview. I'll explain my problem(s) so that you guys can point me to the resources (books, online courses etc.) to solve this.

I have the following equipment
2 3845 routers (with 16 port 10/100 etherswitch)
2 ASA 5520s
2 3750G switches

I have two IP subnets, each with two physical uplinks (an active and a backup) that are basically just uplinks from different switches on the same VLAN:
123.123.123.0/24
123.123.124.0/24

Because we're having half of the network behind the firewalls and the other half in front of them they are split into the following subnets

1) 123.123.123.0/25 (dmz)
2) 123.123.123.128/25 (filtered by firewall)
3) 123.123.124.0/25 (dmz)
4) 123.123.124.128/25 (filtered by firewall)

Right now I have network 1 working properly. I also have network 2 assigned on the other side of the firewall, and I'm using router 1 as a switch with a VLAN for the filtered network; that works fine to distribute to my load balancers. I also have another VLAN set up for network 3, and I am able to ping that interface.

The problem I'm having right now is getting network 4 to route to the firewall and filter through like network 2. I'm using the router as an L2 switch right now because that's what I'm used to, so that's what I've been doing, but I think how I'm doing it is fundamentally wrong.

Eventually I need to get routers 1 and 2 working in an active/passive mode, so that if one router goes down the other will take over and vice versa. In addition to that I also have to have the firewall working in much the same way. What books or resources are out there for me to find out the best practices and apply them to this network? Currently it's going through one router, to one firewall, and out another interface to one device and then to the switches.

jbusbysack
Sep 6, 2002
i heart syd

legalcondom posted:

Stuff

Here's how I envision your physical cabling:



Use a L2 vlan to terminate the ISP handoffs into the switches, then out to the router (outside interface). Use a different L2 vlan to terminate the return-cabling (router inside interface) into the switches.

You can then run an HSRP (or VRRP) group on the router-inside interfaces since they can both talk on the same L2 vlan and send their heartbeats etc etc. That's just a simple interface-level command of:

standby (a_number) ip x.x.x.x
standby (a_number) priority (0-255)
standby (a_number) preempt

Post your interface configs for the firewall network that is working and the firewall network that is not, as well as the ports that connect to the firewall so we don't start running down the wrong path in troubleshooting.

jwh
Jun 12, 2002

Pussy Noise posted:

Echo replies are logged on PE when pinging it from CE; nothing on CE when pinging it from PE.

Yucky. I'm sorry man, it sounds like you're running into a bug of some sort.

Have you tried putting Gig0/1.212 on PE into another VRF, and then putting it back into vpn-3?

Pussy Noise
Aug 1, 2003

jwh posted:

Yucky. I'm sorry man, it sounds like you're running into a bug of some sort.

Have you tried putting Gig0/1.212 on PE into another VRF, and then putting it back into vpn-3?

Yeah, I kind of think so too :( Thanks tho'! I haven't tried that yet, but I will on Sunday. The circuit is in production so I can't gently caress with it too disruptively during the week.

ElCondemn
Aug 7, 2005


jbusbysack posted:

Here's how I envision your physical cabling:



Use a L2 vlan to terminate the ISP handoffs into the switches, then out to the router (outside interface). Use a different L2 vlan to terminate the return-cabling (router inside interface) into the switches.

You can then run an HSRP (or VRRP) group on the router-inside interfaces since they can both talk on the same L2 vlan and send their heartbeats etc etc. That's just a simple interface-level command of:

standby (a_number) ip x.x.x.x
standby (a_number) priority (0-255)
standby (a_number) preempt

Post your interface configs for the firewall network that is working and the firewall network that is not, as well as the ports that connect to the firewall so we don't start running down the wrong path in troubleshooting.

The way I currently have it is the ISP terminating into the routers on an L2 VLAN; there are 4 physical connections, and I'm putting a link from each subnet on each router on its own VLAN (2 links per router, "primary" and "secondary").

From there I plug them straight down to my ASAs, and from the ASAs I run a line back to each router which terminate on their own separate vlans for my "filtered" network.

From that separate vlan for the filtered network I then go to my load balancers and to my switches which go to my servers; from my ASA I also run a line directly to my switches but that's really only used to provide a gateway that's not the F5 and to manage the servers etc. over the VPN.

Here is a visio I threw together a while back explaining how I think it should be connected to provide the highest availability. I'll throw up some configs once I get in to work today.



If the ASAs had 6 ports instead of 4 I would have run one more blue one between the opposite switch and one more orange one between the opposite router but we'll have to live with this.

edit: this image was made for my boss to show the board, it's more pretty than anything but it does show our physical connections, and each different color is a separate vlan. Also I'm not asking anyone to solve this for me but to show me where I can find good resources to solve this myself, we're having some contractors come out but that's a few weeks out (scheduling etc.) and they want this done way before then.

ElCondemn fucked around with this message at 16:41 on Apr 4, 2008
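
As an added example (my illustration, not ElCondemn's or jbusbysack's configuration; addresses, interface names, VLAN number and key are made up), this is what the quoted three standby lines look like once filled in on both routers of the inside pair. Two things the three-line version leaves out matter: an HSRP group with no authentication line accepts any peer that sends the default clear-text string, so anything that can reach the inside VLAN can announce a higher priority and become the gateway, and without tracking the active router keeps the virtual IP even when its ISP-facing link is down. The md5 key-string and track lines cover both.

```text
! Router A - intended active. Assumed inside VLAN 20 is 192.0.2.0/24,
! FastEthernet0/0 is the ISP-facing interface, Fa0/1 faces the ASAs.
interface FastEthernet0/1
 description inside / filtered VLAN 20 toward the ASAs
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 ! wait 30s after reload before taking the active role back
 standby 1 preempt delay minimum 30
 ! EXAMPLE-hsrp-key is a placeholder; both routers must use the same string
 standby 1 authentication md5 key-string EXAMPLE-hsrp-key
 ! outside link down -> priority 90, which is below router B's 100
 standby 1 track FastEthernet0/0 20
!
! Router B - intended standby, same VLAN, same group, same key
interface FastEthernet0/1
 description inside / filtered VLAN 20 toward the ASAs
 ip address 192.0.2.3 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 authentication md5 key-string EXAMPLE-hsrp-key
 standby 1 track FastEthernet0/0 20
```

The ASAs' outside default route then points at 192.0.2.1 rather than at either router's real address. The ISP-side VLAN gets the same treatment with a different group number. Check the result with `show standby brief` on both routers: exactly one should show Active and the other Standby for group 1, and pulling router A's outside cable should flip them.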

CrazyLittle
Sep 11, 2001
Clapping Larry
Stupid question:

Can you throw dissimilar interfaces into one multilink MLPPP bundle? i.e., 2x ADSL + 1 ISDN + 1 DSU = fat pipe?

Oddhair
Mar 21, 2004

I have a couple of questions for you guys:

I saw last summer (ca. page 5-10) that people were positive about buying 26xx routers in pairs with T1 WICs for a lab setup. Now, I see reference to EIGRP on everyone's CCNA preparedness lists - is there a simple way to know which (software) versions support which features? I think the 2610s available to me have 48MB DRAM and 16MB Flash, and support software versions 12.3 and below, but I can't be sure, and Cisco's site is not geared toward novice users...
If I am interested in pursuing Cisco certs, it seems that routing between Cisco platforms is the usual way to go, but I also have a couple of 1720 routers available, which support the same T1 WICs, as well as some 3Com Router 5009, 5012, and 3033 that also support T1 (if indeed they support any other WAN connection at all.) My next question, then, is whether a Router 5012 (or 3016, or 3033, or 5009) would even be an asset? It could provide a different set of tools, if I'm ever working in a mixed or non-Cisco shop (like now), as well as being a more capable router for my use if I get tired of my m0n0wall setup, though part of my assessment of this as 'more capable' is that Cisco 10/100 WICs are a little more difficult to come by cheaply - for instance, I can find 1720 routers for ~$20 all day on ebay, but the 10/100 WICs go for $100+. Outside of a lab, a T1 WIC doesn't do me much good unless I want a real T1, and the 2610 has only one ethernet port.

I guess it's all moot if the 2610 and version 12.3 don't support EIGRP. I found reference to EIGRP in 12.0(7)T, so that's that question answered.

I guess I just want to know if I should even try to buy this crap? I just sold one of the lot, and it went for its starting price of $24.99. Any help anyone can give would be greatly appreciated, as it's driving how I structure my auctions and what I make direct offers on.
CrazyLittle
Sep 11, 2001
Clapping Larry

Oddhair posted:

is there a simple way to know which (software) versions support which features?
Not really without a Cisco smartnet login.

For EIGRP, here's all the feature sets that support EIGRP on a 2610-2613, IOS 12.3(26):

code:
FEATURE SET                                  FILENAME                      DRAM  FLASH
ENTERPRISE BASIC                             c2600-j1s3-mz.123-26.bin       64    16
IP                                           c2600-i-mz.123-26.bin          32     8
IP PLUS BASIC W/O HD ANALOG/AIM ATM/VOICE    c2600-is5-mz.123-26.bin        64    16
IP PLUS BASIC W/O SWITCHING                  c2600-is4-mz.123-26.bin        64    16
IP/FW/IDS                                    c2600-io3-mz.123-26.bin        32    16
IP/FW/IDS PLUS IPSEC 3DES BASIC              c2600-ik9o3s3-mz.123-26.bin    64    16
IP/H323                                      c2600-ix-mz.123-26.bin         48    16
IP/H323 PLUS BASIC                           c2600-is3x-mz.123-26.bin       64    16
IP/IPX/APPLETALK                             c2600-bin-mz.123-26.bin        32    16
IP/IPX/AT/FW/IDS PLUS BASIC                  c2600-bino3s3-mz.123-26.bin    64    16
REMOTE ACCESS SERVER                         c2600-c-mz.123-26.bin          32     8
TELCO FEATURE SET                            c2600-telco-mz.123-26.bin      48    16

Oddhair posted:

I think the 2610s available to me have 48MB DRAM and 16MB Flash, and support software versions 12.3 and below...
...that Cisco 10/100 WICs are a little more difficult to come by cheaply
Yes, the Cisco 26xx series (not 26xx-XM) were EOL after 12.3, but you can run the IP BASE feature set on pretty much any 26xx with 32D/8F and that should give you 99% of the features you need to get started on cert labs. Ideally you would want 2621s as they have two FastEthernet interfaces already built in. WIC-1DSU-T1 are handy cards to have because wiring T1 and T1-xover is pretty simple to do. Otherwise you might try finding serial WICs and external CSU/DSU boxes (which are largely a waste of space, electricity and time.)

CrazyLittle fucked around with this message at 21:34 on Apr 8, 2008

jwh
Jun 12, 2002

CrazyLittle posted:

Otherwise you might try finding serial WICs and external CSU/DSU boxes (which are largely a waste of space, electricity and time.)

You can use those 60-pin back-to-back serial cables and avoid TDM altogether, although you miss out on learning the black arts of DS1 framing and coding.

2600s are fine little routers for learning, although they really don't have enough horse to do anything useful. I have two 2621s and I'd never expect them to push anything near FastEthernet bandwidth.

CrazyLittle
Sep 11, 2001
Clapping Larry

jwh posted:

although you miss out on learning the black arts of DS1 framing and coding.

2600s are fine little routers for learning, although they really don't have enough horse to do anything useful. I have two 2621s and I'd never expect them to push anything near FastEthernet bandwidth.
Yeah - they're perfect for T1 and MLPPP T1 configurations though, which is what I use them for on my company's customer sites.

jwh - got any ideas on my question:

CrazyLittle posted:

Stupid question:

Can you throw dissimilar interfaces into one multilink MLPPP bundle? i.e., 2x ADSL + 1 ISDN + 1 DSU = fat pipe?

inignot
Sep 1, 2003

WWBCD?

CrazyLittle posted:

Stupid question:

Can you throw dissimilar interfaces into one multilink MLPPP bundle? i.e., 2x ADSL + 1 ISDN + 1 DSU = fat pipe?

Dare I ask..."What are you trying to accomplish with this?".

jwh
Jun 12, 2002

CrazyLittle posted:

jwh - got any ideas on my question:

I've been running around like crazy this afternoon, and I haven't had a chance to look into it. I don't do any MLPPP, so I don't know off the top of my head.

I've heard it's not recommended, but I don't know much more than that.

ragzilla
Sep 9, 2005
don't ask me, i only work here


CrazyLittle posted:

Stupid question:

Can you throw dissimilar interfaces into one multilink MLPPP bundle? i.e., 2x ADSL + 1 ISDN + 1 DSU = fat pipe?

I wouldn't recommend it, is the equipment on both sides 'trusted'? You could run something like EIGRP between the nodes and do unequal-cost-multipath and let CEF load balance for you.
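
As an added example of the alternative ragzilla sketches (my illustration, not his configuration; the AS number, addresses, interface names and key-chain name are made up), here is the CPE side of a T1 plus ADSL pair with EIGRP, `variance` so the slower link is also installed, and CEF spreading flows across both. It assumes each link is a point-to-point circuit between the two routers you control (if the ADSL rides a third-party ISP, put a GRE tunnel between the routers and run this over the tunnel instead), and that the `bandwidth` values match the real line rates, because EIGRP builds its metric from them. The MD5 lines are there so that a box on the far side of an ADSL circuit cannot form an adjacency and inject routes into your data-center router.

```text
! CPE router - assumed EIGRP AS 100; the data-center router mirrors this
key chain EIGRP-KEYS
 key 1
  ! placeholder secret, must match on both routers
  key-string EXAMPLE-eigrp-key
!
interface Serial0/0
 description T1 to data center (WIC-1DSU-T1)
 bandwidth 1544
 ip address 198.51.100.1 255.255.255.252
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
interface Dialer1
 description ADSL to data center - bandwidth set to the upstream sync rate
 bandwidth 768
 ip address 198.51.100.5 255.255.255.252
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
ip cef
!
router eigrp 100
 network 198.51.100.0 0.0.0.255
 ! install routes whose metric is up to 4x the best one; the feasibility
 ! condition still applies, which a directly connected parallel link meets
 variance 4
 maximum-paths 4
 ! share traffic in proportion to metric instead of equally
 traffic-share balanced
 no auto-summary
```

Two caveats a practitioner would want. First, `variance` is local to each router, so the return path only balances if the data-center router carries the same `variance` and `traffic-share` lines; that is the part OER leaves out in the original complaint. Second, ADSL is asymmetric, so the `bandwidth` on the data-center end of Dialer1 should be the downstream rate, not the upstream one, or the metrics will be wrong in one direction. Verify with `show ip route 10.0.0.0` (or whatever the far-side prefix is) that both next hops are installed with different traffic-share counts, and `show ip cef exact-route <src> <dst>` to see which link a given flow lands on.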


CrazyLittle
Sep 11, 2001
Clapping Larry

Girdle Wax posted:

I wouldn't recommend it, is the equipment on both sides 'trusted'? You could run something like EIGRP between the nodes and do unequal-cost-multipath and let CEF load balance for you.
Ideally I want to get away/around using OER for multi-connect / large pipe clients who we throw T1s and ADSL lines together to get large download streams with T1 uptime / repair response time. We control both ends of the connection - both the CPE and the data center router.

With OER and other load-balancing options, only the egress connection is load balanced; the return path is not really accounted for. That doesn't work for customers of ours who run small employee internet-visible portals or VPN servers.

So why do you "not recommend" using MLPPP to form a big pipe out of dissimilar interfaces? We already do a lot of multiple-T1 bonding with MLPPP. It just doesn't make sense to have 4xT1 circuits just so that two people can VPN in while the office gets a 6mb download speed.

(oh, and just for fun my office moved, and I setup a bonded ADSL pair connection because we could only get 3mb/768k)

CrazyLittle fucked around with this message at 01:51 on Apr 9, 2008
