We're looking to buy a rear end load of mobile computer labs (laptop carts), and by the grace of god it looks like we're going to buy Cisco wireless APs and a WLAN controller instead of a stack of D-Link access points or something along those lines. Any suggestions on books/websites to get up to speed with Cisco's wireless environment?

# ? Apr 9, 2008 02:39
The Cisco CCNP ONT book is pretty good about WLCs and LWAPPs. Honestly though, just toy around with the gear; I find it far easier to learn that way.

# ? Apr 9, 2008 03:11
InferiorWang posted:
Any suggestion on books/websites to get up to speed with Cisco's wireless environment?

Can you have somebody fund a pilot ahead of time? We just got a lot of Cisco's lightweight wireless stuff in a few months back, and I haven't been very impressed. If you're only buying a single controller, be advised the 2106 will only support 5 APs I think, and only provides PoE on two of its 8 ports. Additionally, be advised that if you have a reason to support more than a dozen controllers, you almost have to start looking at WCS, which is a real big ticket item, and also its very own obnoxious pain in the rear end. If you have any specific questions I'll do my best to answer. There are other people here that know more than I do about the lightweight wireless equipment also.

quote:
So why do you "not recommend" using MLPPP to form a big pipe out of dissimilar interfaces? We already do a lot of multiple-T1 bonding with MLPPP. It just doesn't make sense to have 4xT1 circuits just so that two people can VPN in while the office gets a 6mb download speed.

# ? Apr 9, 2008 04:46
jwh posted:
Can you have somebody fund a pilot ahead of time? We just got a lot of Cisco's lightweight wireless stuff in a few months back, and I haven't been very impressed. If you're only buying a single controller, be advised the 2106 will only support 5 APs I think, and only provides PoE on two of its 8 ports.

Not to nit-pick, but the 2106 will do 6 APs and yes, it has 2 PoE ports. However, you can jam the AP into any old PoE switch, and as long as its VLAN is trunked across your network that AP can live wherever it needs to be. So you don't have to be restricted by the 2 PoE rule. For small offices, I am a big fan of the 2106. However, WCS is both awesome and expensive, not exactly in the small/mid market space.

# ? Apr 9, 2008 04:52
jwh posted:
My understanding is that you do not want to run into out-of-order arrival problems with an MLPPP bundle, and that that is more likely to happen when you mix and match interfaces with different serialization delays and end-to-end latencies.

Ahh, that makes sense. I'd guess that the router would freak out, error out, or just lock the connection until things arrived in order, and all three of those scenarios are equally bad. I'll stick to bundling the same interfaces, but it would be nice if I could find some simple ingress load-balancing.

# ? Apr 9, 2008 04:57
jwh posted:
Can you have somebody fund a pilot ahead of time? We just got a lot of Cisco's lightweight wireless stuff in a few months back, and I haven't been very impressed. If you're only buying a single controller, be advised the 2106 will only support 5 APs I think, and only provides PoE on two of its 8 ports.

As jbusbysack said, I was under the impression that I can integrate the WLAN controller into my LAN and run the APs off of PoE switches. If there's one thing we have now, we have a poo poo ton of available PoE ports. We really have to go wireless with these laptop carts, regardless of manufacturer, so that's the scope of this wireless project. We're not doing all of our schools, or even all of the school where these carts will live. In essence, this is almost like a pilot program. I'd prefer to stick with Cisco instead of rolling out cheap consumer grade APs, and management seems to agree. What is being spec'ed out (which I wasn't involved with at any high level, but will of course be tasked to maintain) is a 4400 series controller and 1131 APs.

# ? Apr 9, 2008 18:18
Quick question: using redundant Supervisor 32s in a 6513, is it possible to run an Ethernet connection from both supervisors' inbuilt wired Ethernet ports to an identical unit and have them both work at the same time (i.e. a gigabit EtherChannel), or will it only work with the active supervisor?

# ? Apr 9, 2008 22:40
loosewire posted:
Quick question

If I read this right, you want to EtherChannel a port on each supervisor to another 6513? If so, yes, that works. Blades 5 and 6 are each respective SUP720 (and a fiber port).

code:
```
Port-channel: Po1
------------

Age of the Port-channel   = 67d:06h:11m:16s
Logical slot/port   = 14/1          Number of ports = 3
GC                  = 0x00010001      HotStandBy port = null
Port state          = Port-channel Ag-Inuse
Protocol            =   PAgP
Fast-switchover     = disabled

Ports in the Port-channel:

Index   Load   Port     EC state        No of bits
------+------+------+------------------+-----------
  1     49     Gi4/24   Desirable-Sl       3
  2     92     Gi5/2    Desirable-Sl       3
  0     24     Gi6/2    Desirable-Sl       2

Time since last port bundled:    67d:05h:53m:42s    Gi4/24
Time since last port Un-bundled: 67d:05h:54m:01s    Gi4/24
```

# ? Apr 9, 2008 23:52
jbusbysack posted:
The Cisco CCNP ONT book is pretty good about WLCs and LWAPPs. Honestly though, just toy around with the gear; I find it far easier to learn that way.

I haven't dived hard into the CCNP curriculum yet, and I've only been douching around with it so far, and I've learned a LOT just doing that alone. I suggest people do that before they get into the curriculum, just so they can get an idea of how to work it all, the CLI, etc.

# ? Apr 10, 2008 01:54
I'm seeing poor speeds over an IPsec tunnel between two Cisco 3825s. I noticed that our DFS shares at each location are only replicating at about half the speed they should. I have outbound QoS on the routers set to 10 Mbit; however, I never really see more than 5 Mbit. This got me thinking that maybe it's an MTU issue? netperf shows double the speed when using a UDP_STREAM over TCP.

code:
```
netperf -t TCP_STREAM -H rwc-vm-dev
Recv   Send    Send
Socket Socket  Message  Elapsed
Size   Size    Size     Time     Throughput
bytes  bytes   bytes    secs.    10^6bits/sec

 87380  16384  16384    10.10     500.21

netperf -t UDP_STREAM -H rwc-vm-dev
Socket  Message  Elapsed      Messages
Size    Size     Time         Okay Errors   Throughput
bytes   bytes    secs            #      #   10^6bits/sec

126976   65507   10.00       18319      0     959.94
126976           10.00           0            0.00
```

# ? Apr 10, 2008 23:33
brent78 posted:
words... IPsec tunnel between two Cisco 3825s... words

Never mind, just read IPsec tunnel, not metro Ethernet like I thought.

# ? Apr 11, 2008 00:47
brent78 posted:
This got me thinking that maybe it's an MTU issue?

Stick "ip tcp adjust-mss 1400" on both ends for a quick check/fix. Alternately, sniff the traffic before it goes into the tunnel to see if there is an MTU issue. Most of the time when I have MTU-over-VPN problems, things just don't work as opposed to performing badly. You do have hardware acceleration for the crypto, right? Hell, add compression to the crypto transform just for shits and giggles.

# ? Apr 11, 2008 00:55
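The size arithmetic behind that adjust-mss quick fix, as an added example that is not from the thread: it applies the standard ESP tunnel-mode layout (outer IP header, SPI/sequence, IV, block padding, trailer, ICV) to a full-sized TCP segment and works out the largest MSS that still fits the outer link. The 1500-byte WAN MTU, the cipher/auth suite table and the no-TCP-options assumption are mine, not the thread's.

```python
# Added example (not from the thread): ESP tunnel-mode size arithmetic behind
# the "ip tcp adjust-mss" quick fix. Overheads follow the RFC 4303 ESP layout;
# the 1500-byte outer MTU and the cipher/auth choices below are assumptions.
import math

OUTER_IPV4 = 20    # new outer IPv4 header added in tunnel mode
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
NAT_T_UDP = 8      # extra UDP header when NAT traversal encapsulation is used
INNER_IP_TCP = 40  # inner IPv4 header (20) + TCP header without options (20)

CIPHERS = {        # name: (IV bytes, block size the plaintext is padded to)
    "3des-cbc": (8, 8),
    "aes-cbc": (16, 16),
}
AUTHS = {          # name: ICV bytes appended after the ciphertext
    "md5-96": 12,
    "sha1-96": 12,
    "sha256-128": 16,
}

def esp_packet_size(mss, cipher, auth, nat_t=False):
    """Bytes on the wire for one full-MSS TCP segment after tunnel-mode ESP."""
    iv, block = CIPHERS[cipher]
    plaintext = INNER_IP_TCP + mss + ESP_TRAILER
    padded = math.ceil(plaintext / block) * block   # ESP pads to the block size
    size = OUTER_IPV4 + ESP_HDR + iv + padded + AUTHS[auth]
    return size + NAT_T_UDP if nat_t else size

def max_mss(mtu, cipher, auth, nat_t=False):
    """Largest MSS whose encrypted packet still fits the outer MTU."""
    mss = mtu - INNER_IP_TCP   # upper bound for cleartext; walk down until it fits
    while esp_packet_size(mss, cipher, auth, nat_t) > mtu:
        mss -= 1
    return mss

def fragments(mss, mtu, cipher, auth, nat_t=False):
    """True when a full segment at this MSS would exceed the MTU after ESP."""
    return esp_packet_size(mss, cipher, auth, nat_t) > mtu

if __name__ == "__main__":
    for c in CIPHERS:
        print(c, "+ sha1-96: max MSS over a 1500-byte link =",
              max_mss(1500, c, "sha1-96"),
              "| adjust-mss 1400 still fragments:",
              fragments(1400, 1500, c, "sha1-96"))
```

With AES-CBC and HMAC-SHA1 on a plain 1500-byte link the ceiling is an MSS of 1398, so 1400 is just over the line there while 3DES has room to spare; that is exactly the case where a capture of the traffic before it enters the tunnel, as suggested above, settles the question.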
jbusbysack posted:
Never mind, just read IPsec tunnel, not metro Ethernet like I thought.

# ? Apr 11, 2008 01:13
brent78 posted:
The two connect over metro Ethernet... if that matters or not.

I was going to say crank the MTU and window size for the servers way up if you control the entire metro run. Basically you can kind of fake what a Bluecoat box does.

# ? Apr 11, 2008 01:18
On an ASA 5505, how can you make anything from the outside interface ping anything on the inside interface without doing a 1-to-1 NAT rule for each host?

code:
```
ASA Version 8.0(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.20.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.25.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.25.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d88d8f3e3ed7472e6e1d8b9e9edfdd6e
: end
```

# ? Apr 11, 2008 17:29
XMalaclypseX posted:
On an ASA 5505, how can you make anything from the outside interface ping anything on the inside interface without doing a 1-to-1 NAT rule for each host?

Traffic from a lower security interface requires:
static NAT
permits in the low security interface's ACL
for ICMP, also toss in "inspect icmp"

Think about it, how could it possibly work without using statics?

# ? Apr 11, 2008 18:51
Tremblay posted:
Traffic from a lower security interface requires:

Just wondering if it could be made to work like a regular router. I'm new to Cisco stuff.

# ? Apr 11, 2008 20:19
XMalaclypseX posted:
Just wondering if it could be made to work like a regular router. I'm new to Cisco stuff.

Even on a regular router doing PAT, what you've said wouldn't work.

# ? Apr 11, 2008 21:50
Tremblay posted:
Even on a regular router doing PAT, what you've said wouldn't work.

If you connect two networks with a PIX or ASA, and you configure the interfaces with the same security level, will the PIX route between the two networks without explicit NAT configuration? I've never had reason to try to do it.

# ? Apr 11, 2008 22:14
jwh posted:
If you connect two networks with a PIX or ASA, and you configure the interfaces with the same security level, will the PIX route between the two networks without explicit NAT configuration? I've never had reason to try to do it.

With same-security-traffic permit inter-interface and/or same-security-traffic permit intra-interface you can. Otherwise no.

# ? Apr 11, 2008 22:53
jbusbysack posted:
With same-security-traffic permit inter-interface and/or same-security-traffic permit intra-interface you can. Otherwise no.

^ What he said. No way in PIX 6 and earlier, but 7+ it works.

# ? Apr 12, 2008 00:05
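The two mechanisms from the replies above (Tremblay's static NAT plus a permit on the low-security ACL plus "inspect icmp", and jbusbysack's same-security-traffic) written out in ASA 8.0 syntax, as an added example that is not from the thread. Interface names and the 192.168.20.0/24 inside subnet are taken from the posted config; the ACL name outside_icmp_in is an assumption.

```text
! Answer 1: let outside reach inside hosts without one static per host.
! A subnet-wide identity static (pre-8.3 syntax) presents 192.168.20.0/24
! as itself on the outside, so no per-host 1-to-1 rule is needed.
! Statics take precedence over the nat/global pair already in the config, so
! inside hosts then leave untranslated and 192.168.25.2 must route the /24 back.
static (inside,outside) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
!
! Low-to-high traffic still needs a permit on the low-security interface.
! The posted config uses "permit ip any any" on outside; an ACL limited to
! echo requests toward the inside subnet is the narrower choice.
access-list outside_icmp_in extended permit icmp any 192.168.20.0 255.255.255.0 echo
access-group outside_icmp_in in interface outside
!
! ICMP inspection so the echo replies are matched to the outbound request
! state instead of needing their own permit.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Answer 2: when two interfaces share a security level, traffic between them
! is allowed without any NAT statement only once this is enabled.
same-security-traffic permit inter-interface
```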
Ok. Thanks a lot. That worked fine. I am still having one major problem which tied into the last one. I am using a dual layer firewall layout on both a HQ and remote site. We have a PTP T1 link on the internal network, and the outer firewalls are linked via a site-to-site VPN in the case of failure of the T1. The VPN seems to be working correctly, but I may have a routing problem. For clarity, with the T1 disabled, here's what can ping:

192.168.15.2 can ping to 192.168.10.0
192.168.10.0 can ping to 192.168.25.1
192.168.25.2 can ping to 192.168.20.0
192.168.20.0 can ping to 192.168.15.1
192.168.10.0 cannot ping to 192.168.20.0
192.168.20.0 cannot ping to 192.168.10.0

Everything has internet access and all firewall rules are ANY IP IN, ANY IP OUT. We've tried putting these routes in on the inside firewalls and they don't work.

code:
```
route outside 192.168.20.0 255.255.255.0 192.168.25.1 1
route outside 192.168.11.0 255.255.255.0 192.168.15.1 1
route outside 192.168.10.0 255.255.255.0 192.168.15.1 1
```

Thanks for any help you can provide.

edit: Nevermind. Figured it out.

XMalaclypseX fucked around with this message at 14:30 on Apr 15, 2008

# ? Apr 12, 2008 17:56
I've got a 3524XL that's giving me grief. I cannot figure this one out. All the ports are in Vlan1, and there are no other VLANs. The devices can pull an IP address from the PIX firewall, but they can't ping each other or see each other at all. They can get out to the internet with no problems. Ideas?

# ? Apr 13, 2008 20:06
XakEp posted:
I've got a 3524XL that's giving me grief. I cannot figure this one out. All the ports are in Vlan1, and there are no other VLANs. The devices can pull an IP address from the PIX firewall, but they can't ping each other or see each other at all. They can get out to the internet with no problems. Ideas?

pvlan going on?

# ? Apr 13, 2008 23:14
XakEp posted:
I've got a 3524XL that's giving me grief. I cannot figure this one out. All the ports are in Vlan1, and there are no other VLANs. The devices can pull an IP address from the PIX firewall, but they can't ping each other or see each other at all. They can get out to the internet with no problems. Ideas?

I'd say the best way to troubleshoot this would be to change the VLAN to something arbitrary like 40, like jwh said about private VLANs. I was going to suggest incomplete ARP entries on the mac-address-table, but if the PIX gave it an IP I don't think that applies. Is Vlan1 a layer 3 network different from what the PIX gave out? The only thing I can think of is that the addresses attempt to find each other but they cannot find a gateway. Try something that floods native layer 2 broadcasts (like a chatty domain controller) and see if they show up on the other hosts' Wireshark logs.

jbusbysack fucked around with this message at 00:23 on Apr 14, 2008

# ? Apr 14, 2008 00:20
jwh posted:
pvlan going on?

Not that I'm aware of. I've reset the config, and it's still doing it.

# ? Apr 14, 2008 01:25
XakEp, can you post the config?

# ? Apr 14, 2008 04:15
XakEp posted:
Not that I'm aware of. I've reset the config, and it's still doing it.

Windows firewall?

# ? Apr 14, 2008 05:56
Midnj posted:
XakEp, can you post the config?

I'll grab it when I get home tonight. There's nothing in it to speak of; it's been reset to default config and it's still not working.

jwh posted:
Windows firewall?

Not likely. I can plug them into my Linksys broadband router (not being used on my network, so don't give me poo poo) and the problem goes away. In fact, I can plug into any other switch and it works. PVLANs aren't set up by default, are they?

# ? Apr 14, 2008 13:38
XakEp posted:
Not likely. I can plug them into my Linksys broadband router (not being used on my network, so don't give me poo poo) and the problem goes away. In fact, I can plug into any other switch and it works. PVLANs aren't set up by default, are they?

Not unless it's stored in the vlan database. If you don't mind fully resetting the switch, try the following commands while enabled:

code:

# ? Apr 14, 2008 13:49
I'll go ahead and do this when I get home; I'll post up when I do this. Thanks!

# ? Apr 14, 2008 15:32
Girdle Wax posted:
Not unless it's stored in the vlan database. If you don't mind fully resetting the switch, try the following commands while enabled:

Didn't work. Here's the config.

code:

# ? Apr 14, 2008 21:40
XakEp posted:

I doubt it matters with Vlan1, but have you tried entering "vlan 1"?

# ? Apr 14, 2008 22:28
H110Hawk posted:
I doubt it matters with Vlan1, but have you tried entering "vlan 1"?

Entering it for what?

# ? Apr 14, 2008 22:40
XakEp posted:
Entering it for what?

Just enter it in as a configuration line, then bail out:

code:
```
conf t
vlan 1
exit
```

(exit, ^Z, whatever.)

# ? Apr 14, 2008 22:59
H110Hawk posted:
Just enter it in as a configuration line, then bail out.

It's gotta be Vlan1

# ? Apr 15, 2008 00:47
XakEp posted:

What does a dir /all show?

# ? Apr 15, 2008 04:20
tortilla_chip posted:
What does a dir /all show?

code:

# ? Apr 15, 2008 05:05
I'm looking for a Cisco router for internal testing. One functional requirement is PGM Router Assist; however, only the 12.0(5)T notes list supported platforms, and most of those are now EOL: http://www.cisco.com/en/US/docs/ios/12_0t/12_0t5/feature/guide/pgmscale.html

quote:
•Cisco 1600 series

What is the cheapest model I could get today that supports PGM Router Assist, performance not an issue? I have a quote at HK$74,100 for the 3825. The network diagram would be something like this:

code:

# ? Apr 15, 2008 10:04
I don't have any general answer, but I just checked on my plaything 1841, and it can do PGM Router Assist. It's running IOS version 12.4(5), advipservices feature set. I bet you could get a 1841 for significantly cheaper than HK$74,100. Have you looked at the Cisco feature navigator at http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp?

# ? Apr 15, 2008 20:14