Pussy Noise posted: Have you looked at the Cisco feature navigator at http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp?

It's a bit confusing, the platform is the model number, but is there any way just to search for unique model numbers? It lists 108,221 results for PGM, and bizarrely 123,926 for DLR enhancements (additional to PGM)

MrMoo fucked around with this message at 03:56 on Apr 16, 2008
# ? Apr 16, 2008 03:53 |
|
MrMoo posted: It's a bit confusing, the platform is the model number, but is there any way just to search for unique model numbers? It lists 108,221 results for PGM, and bizarrely 123,926 for DLR enhancements (additional to PGM)

Most Cisco routers will support that... even the 8xx series routers which are a few hundred bucks. I'd go with a 2801 or 2811 though, they're great routers for the price.
|
# ? Apr 16, 2008 04:13 |
|
So to test a basic cascade like this, I could use two 1841's? I found a manufacturer refurb at $799.56 ($880 new) on compuvest, compared with $1,230 for a 2801, and $1,423.32 for a 2811.

http://www.compuvest.com/Description.jsp?iid=564912
http://www.compuvest.com/Description.jsp?iid=141936
http://www.compuvest.com/Description.jsp?iid=483093
|
# ? Apr 16, 2008 04:50 |
|
CrazyLittle posted: Have any of you guys used a Cisco multi-service router (like a 2800 series) to deliver a PRI to a PBX system?

Hi, my organisation is using Cisco 3845s to provide trunks to their PABXs until we rip them out (and of course, to the telco). We're using the E1/T1 multiflex trunk VWIC2 modules and a Qsig card in the PABXs, which are Plessey iSDX boxes. They are also providing the voice interconnects via some of the PABXs as we move away from our final ATM stuff onto a pure gigabit network (multiple sites that used to run over ATM are getting fibre! Yay!). Let's rip out ATM, which was great at multiservice stuff fifteen years ago ... how the mighty have fallen. We will eventually have the 3845s gatewaying to the telco directly. I can PM you parts of the config if you are really interested.
|
# ? Apr 17, 2008 11:03 |
|
Here's a dumbass moment, courtesy of myself. I needed to daisy chain two 2950 switches via the gig ports. I could not get a link light. I tried changing the port configurations over and over. I tried wiping the switches to factory defaults. I even considered there was a bug in IOS and almost upgraded that. In all I spent about an hour trying to troubleshoot the issue. Turns out I was using a standard patch cable when I really needed a crossover. The worst part was that I knew I needed the crossover.
|
# ? Apr 17, 2008 16:47 |
|
evilZardoz posted: We will eventually have the 3845s gatewaying to the telco directly.

Very interested. (You have PMs disabled.) So when you go direct to telco, are you going to get a PRI from them and then use a VWIC2 to act as a trunking card?

InferiorWang posted: Turns out I was using a standard patch cable when I really needed a crossover. The worst part was that I knew I needed the crossover.

I wish Cisco would get with the program and do auto-negotiation and auto-crossover like many cheaper devices seem to be able to do just fine. At least auto-crossover is built into the gigabit spec.
|
# ? Apr 17, 2008 17:21 |
|
The funny thing is the cheapest bunch of switches they have, the express switches, do just that. Or maybe they don't and ether/port channel handles that....
|
# ? Apr 17, 2008 17:35 |
|
CrazyLittle posted: Very interested. (You have PMs disabled.) So when you go direct to telco, are you going to get a PRI from them and then use a VWIC2 to act as a trunking card?

I've always wondered why Cisco does that. With 6500s or any of the Catalyst switches, it will do auto-crossover. However their 7600s or the Metro stuff won't. There is no technical reason the switches can't do it, it's just not part of the non-Catalyst-derived IOS. Really strange. And stranger still, with fiber, on the newest cards like the ES40 or OC768 "Godzilla" cards and even some of the older fiber ports, it will autonegotiate. But only with fiber, not copper.... What's the dealio?
|
# ? Apr 17, 2008 19:09 |
|
Powercrazy posted: And stranger still, with fiber, on the newest cards like the ES40 or OC768 "Godzilla" cards and even some of the older fiber ports, it will autonegotiate. But only with fiber, not copper....

Swapping the optics on an SFP is somewhat different since they are an actual transceiver. One side is a receiver and the other a laser to transmit with, and what are you trying to autonegotiate over a POS interface?....
|
# ? Apr 18, 2008 09:53 |
|
Hey everyone! Thought I'd give this a bump with a question and probably a little shameless plug.

So I've got an extra large EC2 instance (that's 15GB of RAM, and 4 dual-core 2GHz CPUs) and I'm planning on using it for Dynamips/Dynagen foo. Here's an additional side-note - I found the cheapest CCIE lab rack rental place I could find. You pay $13 for 4 hours worth of rack time. Keep that number in mind. Now, if you want to use an extra large EC2 instance, you pay 80 cents an hour. So, that's $4 for 4 hours (partial hours are pro-rated). Now dynamips can't do switching, but that's still a hell of a deal compared to fighting for lab time that fits into your schedule. I'm a Network Engineer for Amazon, so I get the "internal pricing plan" for EC2 - but if anyone's interested in learning about how to use EC2 for your dynamips foo, please shoot me a PM and we'll chat.

Now, on to my question. I'm building an AMI for EC2 that has everything I need to use dynamips and dynagen, only I'm attempting to lock down the build so it's a little more secure. By default, when you invoke dynamips under Linux, you say "dynamips -H 7200 &". What I've found is that what this does is basically open that TCP port to the entire world. So, I think "ok we'll just tell dynamips to bind the port to the loopback address so the outside world can't connect to that port and only people that are actually on the box will be able to." No problem right? So I try: code:
code:
code:
So what's the workaround if you want to run multiple instances of Dynamips securely? Create multiple aliases to your loopback interface on your linux box and just tell Dynamips to run on all of them on port 7200, rather than running all the instances on the same loopback on different port numbers. See below (Sorry Windows folks, this won't work for you):

Step One: Make an alias (or multiple aliases) of your Loopback interface on your linux box and give it another IP address. code:
Step Two: Invoke dynamips on all of the loopbacks. code:
code:
There's still another problem though, and I'm looking for a little help here. When I invoke dynagen on a lab, the routers all start up, and the console ports start up as expected on port 2000, incrementing. However, we run into the same problem as before, where port 2000 isn't just open to localhost and localhost only, but rather open to the entire world. This obviously isn't something I want. Any linux experts know of a way to "work around" this like I did with the localhost IP foo? If not, then my only two options are going to have to be to build some iptables stuff (not something I want to do) or bother the author of Dynamips to build some functionality into the application to allow for more security for stuff like this (also not something I'd want to do). Any ideas guys?

EDIT: After trolling through the manpage for dynamips, I realized that it allows you to specify the console port on the command line, so the function I'm looking for is actually within Dynagen's realm, since it's essentially just a frontend for Dynamips written in Python. I suck at programming so I'm not even going to try to see if I can figure out what's going on under the hood, but I've posted a similar question in the hacki.at forums, and maybe I'll get somewhere by poking at the author of Dynagen.

atticus fucked around with this message at 20:32 on Apr 23, 2008
# ? Apr 23, 2008 19:13 |
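A quick way to verify whether the hypervisor and console ports described in the post above actually ended up on loopback: the script below (an added example, not from the thread or from the Dynamips/Dynagen projects) parses `netstat -ltn` / `ss -ltn` style output and flags Dynamips' port 7200 and Dynagen's 2000+ console ports when they are bound to a wildcard or non-loopback address. The sample output, the port ranges and the `console_count` cutoff are constructed assumptions.

```python
"""Audit TCP listeners for Dynamips/Dynagen ports exposed beyond loopback."""

# Constructed sample in `netstat -ltn` layout (not captured from a real host).
# Rows 2, 4 and 5 show the problem from the post: bound to 0.0.0.0.
# Row 3 shows the loopback-alias workaround: bound to 127.0.0.2.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:7200            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.2:7200          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2001            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
"""

# Wildcard forms seen in netstat and ss output.
WILDCARDS = {"0.0.0.0", "::", "[::]", "*"}


def parse_listeners(text):
    """Return [{'addr', 'port'}] from netstat -ltn or ss -ltn output.

    Both tools put the local socket in the 4th column; netstat rows start
    with the protocol, ss rows start with the state.
    """
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        if not (parts[0].startswith("tcp") or parts[0] == "LISTEN"):
            continue
        addr, _, port = parts[3].rpartition(":")  # last ':' separates the port
        listeners.append({"addr": addr, "port": int(port)})
    return listeners


def is_loopback(addr):
    return addr in ("::1", "[::1]") or addr.startswith("127.")


def classify(listener, hypervisor_port=7200, console_base=2000, console_count=100):
    """Map a listener to a role and say whether it is reachable off-host.

    console_count is an assumed upper bound on lab routers (Dynagen hands
    out console ports from 2000 upwards, one per router).
    """
    port = listener["port"]
    if port == hypervisor_port:
        role = "dynamips-hypervisor"
    elif console_base <= port < console_base + console_count:
        role = "dynagen-console"
    else:
        role = "other"
    addr = listener["addr"]
    exposed = addr in WILDCARDS or not is_loopback(addr)
    return role, exposed


def audit(text):
    """Return one finding string per lab port that is not confined to loopback."""
    findings = []
    for l in parse_listeners(text):
        role, exposed = classify(l)
        if exposed and role != "other":
            findings.append(f"{l['addr']}:{l['port']} ({role}) reachable from any interface")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_NETSTAT):
        print(f)
```

Run it against the real output of `netstat -ltn` or `ss -ltn` on the AMI; an empty result means every lab port is on 127.x.x.x and the loopback-alias trick did what it was supposed to.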
|
atticus posted: Any linux experts know of a way to "work around" this like I did with the localhost IP foo? If not, then my only two options are going to have to be to build some iptables stuff (not something I want to do) or bother the author of Dynamips to build some functionality into the application to allow for more security for stuff like this (also not something I'd want to do).

code:
|
# ? Apr 28, 2008 00:44 |
|
What does everyone here use to keep track of your configs? CVS? Does Cisco have any tools to make archiving configs more streamlined than cutting and pasting?

Boner Buffet fucked around with this message at 13:47 on Apr 29, 2008
# ? Apr 29, 2008 13:24 |
|
InferiorWang posted: What does everyone here use to keep track of your configs? CVS? Does Cisco have any tools to make archiving configs more streamlined than cutting and pasting?

You want (assuming you're looking for something free) RANCID. RANCID RANCID RANCID. http://www.shrubbery.net/rancid/

Which will back up most of your devices' configs (as well as other info like "show ver" and hardware info) into CVS/SVN (although SVN is a bunch of work to set up). Otherwise Cisco has their own solution in CiscoWorks (Resource Manager) I believe. And Solarwinds also does config backups via their Cirrus product.
|
# ? Apr 29, 2008 14:54 |
|
Girdle Wax posted: You want (assuming you're looking for something free) RANCID. RANCID RANCID RANCID.

Seconded! This is some awesome stuff right here. What, my slot6 went from Supervisor-720 to Supervisor-Other, you say? Time to get a case going with Cisco!
|
# ? Apr 29, 2008 15:42 |
|
Well then, I guess you all wouldn't mind if I brought this up then? I've been working on trying to get rancid running on a SLES 10 box and I'm getting this error in rancid/var/logs:

code:
|
# ? Apr 29, 2008 17:01 |
|
InferiorWang posted: Well then, I guess you all wouldn't mind if I brought this up then?

What you'll typically want to do for CVS (if I recall, it's been awhile):
- create a local copy with your layout
- commit this to a repository in a shared location on your server
- delete/move your local copy
- check out your local copy
- check out another copy under your rancid user, and tell rancid to use that copy
|
# ? Apr 29, 2008 18:25 |
|
I'm personally a fan of Kiwi CatTools and Syslog.
|
# ? Apr 29, 2008 19:19 |
|
Just got rancid running after a half a day of irritation and swearing. I like dicking around with *nix, but it can really drive me up a wall with some of the vague documentation. Also, I hate pipermail!
|
# ? Apr 29, 2008 20:30 |
|
Girdle Wax posted: And Solarwinds also does config backups via their Cirrus product.

We have about 400 devices in our Cirrus nightly pick-up, and we've started to see some real scaling problems.
|
# ? Apr 29, 2008 20:55 |
|
This question could likely be its own thread, but I think I've decided to use a Cisco solution so please bear with me. I'd appreciate some critique and recommendations.

I'm being pressed into IT duty for a new architectural lighting and high-end light fixture company. Apparently being able to fix computers and build home networks makes you qualified to run the IT part of a small business. Based on their growth plans and a good assessment of the local market, using unmanaged SOHO gear will be a waste of time and money. The objective here is to start reasonably small but incorporate best practices and all that jazz.

Environment:
- Office/warehouse/showroom
- "Business" DSL with telco-supplied shitbox gateway/WAP
- 4 on-site employees in wired offices
  - 3 normal computers
  - 1 accounting box
- 1 FTP server
- Email is Google Apps
- 1 credit card processor
- VPN
  - Need to be able to remotely admin
  - Need to be able to remotely access Quickbooks on accounting machine
- Wifi to begin with used for only visitor internet access. Wifi will be used in the future for wireless inventory scanners.
- Telephones are not VoIP (for now).
- No videoconferencing.

Expansion plans:
- Employees to 10
- Wireless inventory

So the network would look like this: INTERNET---ASA/ISR device---LAN. Simple.

For firewall duty, I think there are two options: ISR 1811 and ASA 5505, which can have similar prices depending on license. If I get the ASA, it can stay there even after I need a better router, whereas if I buy a router, I probably still need a dedicated firewall at some point?

1811 - better router, crappier everything else. Probably don't need a "real" router to terminate DSL.
5505 - better everything else, weaker router. Leaning this way.

The only question there is the license - 10 user or Sec +. There is a $600 difference in price. The Sec + bundle decision seems to hinge on: Do I need a DMZ for the FTP server?

Sec + also gives more VLANs, but counting ports already taken up, I'm out of ports on the ASA and need a switch as it is, and that could handle my VLAN reqs, trunking, etc. So now I have a switch question: 2960 or Express 500? They are similarly priced, but the 500 is a newer product?

I appreciate any comments and answers. I have more questions like, at what point does it make sense to set up domains and 2k3 SBS w/ ISA (or a linux solution)? Without ISA, what are my options for 802.1x? Looks like I can do it locally on the ASA, but that doesn't seem ideal.

Straylight fucked around with this message at 06:21 on Apr 30, 2008
# ? Apr 30, 2008 06:17 |
|
How about a simpler (stupid) question: No VLAN trunking means that devices on one VLAN cannot talk to devices on another VLAN, correct? If VLANs require special setup on a user's computer, when a user connects to a public wireless network that is on its own VLAN but the user's computer has not been set up to see virtual interfaces, what happens? Also, repeating a question from above, is a DMZ really necessary?

Straylight fucked around with this message at 18:24 on Apr 30, 2008
# ? Apr 30, 2008 18:12 |
|
Straylight posted: How about a simpler (stupid) question:

No VLAN trunking means that multiple VLANs' traffic cannot be passed over a single link. What you are referring to is the function of an L3 switch or a router, assuming the router has an L3 interface for that VLAN. Usually VLAN tagging is done on the switch, with the specific ports being designated to the various VLANs. It is technically possible to tag it on the device but that is rather unheard of.
|
# ? Apr 30, 2008 21:16 |
|
I'm fighting with linking a Linux box running FreeSWAN to a PIX and it's making me want to kill things.... Relevant bit of PIX config, let me know if there's more you need to see. code:
code:
code:
|
# ? May 6, 2008 16:34 |
|
I've got an old 2501 to which I do not have the security password, and it's running IOS 11.0 which seems to be pretty outdated. What are my options if I just want to dick around with it for learning's sake (haven't touched any advanced networking voodoo since uni, so I have a vague memory of how to use IOS but no specifics)? I'm guessing I want to re-flash it with a "new" (even if it's the same version) OS...can the 2501 use IOS 12.x? What is generally required to flash it? I've successfully connected to the console port via Linux / rolled cable / serial port / minicom. I also don't remember offhand just what is possible, if anything, without entering the secure mode. What's the general breakdown between the two modes?
|
# ? May 6, 2008 18:18 |
|
wolrah posted: I'm fighting with linking a Linux box running FreeSWAN to a PIX and it's making me want to kill things....

I think your DH group in isakmp is mismatched. As I recall group 1 is 768 bits, and group 2 is 1024 bits. Try changing the pix thusly: code:
|
# ? May 6, 2008 18:36 |
|
inignot posted: I think your DH group in isakmp is mismatched. As I recall group 1 is 768 bits, and group 2 is 1024 bits. Try changing the pix thusly:

Thanks, but that didn't change anything except the default group listed in the error on the debug output. It'd be useful if the PIX would say what it didn't like about the connection rather than just listing the rule that I already know from the config file. On the FreeSWAN side it just tells me that the other end didn't accept anything.
|
# ? May 6, 2008 21:14 |
|
:edit: don't do PFS, I only read a snippet about the group, not the pfs = no portion of SWAN.

It looks to me like SWAN is trying to do PFS from the medina config code:
code:

jbusbysack fucked around with this message at 04:02 on May 7, 2008
# ? May 6, 2008 22:03 |
|
wolrah posted: Thanks, but that didn't change anything except the default group listed in the error on the debug output.

I dunno what to tell you. I do a lot of VPNs, but they are IOS to IOS; not PIX to whatever. The debugs look like a phase 1 failure. I'd look at the preshared key and the isakmp policy settings.
|
# ? May 6, 2008 23:30 |
|
bitprophet posted: I've got an old 2501 to which I do not have the security password, and it's running IOS 11.0 which seems to be pretty outdated. What are my options if I just want to dick around with it for learning's sake (haven't touched any advanced networking voodoo since uni, so I have a vague memory of how to use IOS but no specifics)?

The 2501 should support probably a 12.0 or 12.1 train code - but you'll probably have trouble getting your hands on it unless you have a CCO account to download it off cisco.com. That said you pretty much can't do anything without the enable password, so you'll probably want to use the enable secret recovery procedure to change the enable secret. Flashing a new IOS image to the router is typically done over tftp (it can be done over a console cable but it's excruciatingly slow), so you'd need to connect it via ethernet to a box running a tftp server (such as atftpd on linux, or tftpd32 on windows).
|
# ? May 7, 2008 12:20 |
|
Girdle Wax posted: The 2501 should support probably a 12.0 or 12.1 train code - but you'll probably have trouble getting your hands on it unless you have a CCO account to download it off cisco.com. That said you pretty much can't do anything without the enable password, so you'll probably want to use the enable secret recovery procedure to change the enable secret.

Thanks! Hopefully one of those tips for recovering the password will work - that's probably my best bet. I don't have a CCO account so reinstalling sounds like it won't be possible.
|
# ? May 7, 2008 15:05 |
|
Anyone got some advice on the 642-845 ONT exam? I took/passed the composite and the ISCW so it's the last one to take and I'm sitting it in a week. I'm studied up on all of the subjects which are covered but if anyone has advice on the test itself I'd appreciate it.

bitprophet posted: Thanks! Hopefully one of those tips for recovering the password will work - that's probably my best bet. I don't have a CCO account so reinstalling sounds like it won't be possible.

Here is the specific recovery document for the 2500 series access router. I had to do this a few weeks ago for my "new" console access router. Click Here

Paul Boz_ fucked around with this message at 20:30 on May 7, 2008
# ? May 7, 2008 20:27 |
|
Our company has a small lab that only a couple of people have access to. I'm looking to be part of this group, and one of the main things they need to get done is to reset a password for their Cisco 1800 series router. The previous lab owner recently left, so they'd like to keep a backup of the configuration in case things go south. I found this link here: http://www.cisco.com/en/US/products/hw/routers/ps221/products_password_recovery09186a0080094773.shtml and it looks very straightforward, but I'm having trouble just connecting to the box. I tried a regular RJ45 cable and a crossover cable, but no go. I believe I need a "rollover" cable, RJ45 to RJ45, as my laptop doesn't have a serial port. I tried searching around some bigbox stores but they don't seem to have it in stock. Anyone know if Fry's will keep something like this in stock? The closest one is 30 miles away from me.. Other than that, is there anything else I should be looking out for when trying to reset the password? Will the configuration get blown out if I follow the instructions in the link, or will it stay?
|
# ? May 7, 2008 23:09 |
|
Bank posted: Our company has a small lab that only a couple of people have access to. I'm looking to be part of this group, and one of the main things they need to get done is to reset a password for their Cisco 1800 series router. The previous lab owner recently left, so they'd like to keep a backup of the configuration in case things go south.

Personally what I use is a USB/serial converter device that I then plug the rollover cable into. http://www.newegg.com/Product/Product.aspx?Item=N82E16812107108 for example. Don't mess around with ethernet jacks and console cables, it's just a mess.
|
# ? May 8, 2008 01:31 |
|
I've recently been tasked with investigating multicasting as a routable solution. There are 3 main sites and the idea is to route multicast traffic between all 3 sites (that are all interconnected) over point-to-point links. Is there anything crazy I need to be aware of? From what I've researched it looks like MOSPF (ospf w/multicast) seems to be the solution. It's basically the same as rigging PVST+ with regards to segregating flow patterns.
|
# ? May 8, 2008 01:33 |
|
jbusbysack posted: Personally what I use is a USB/serial converter device that I then plug the rollover cable into. http://www.newegg.com/Product/Product.aspx?Item=N82E16812107108 for example.

Get this one - it's cheaper and it's Vista compatible: http://www.newegg.com/Product/Product.aspx?Item=N82E16812156003
|
# ? May 8, 2008 01:35 |
|
CrazyLittle posted: Get this one - it's cheaper and it's Vista compatible:

Agreed, that's the actual one I use. Googling "newegg serial usb converter" lied! But look out if you lose the mini driver CD, it's ridiculous to find them online.
|
# ? May 8, 2008 01:57 |
|
jbusbysack posted: I've recently been tasked with investigating multicasting as a routable solution. There are 3 main sites and the idea is to route multicast traffic between all 3 sites (that are all interconnected) over point-to-point links.

It seems like the de-facto mcast protocol (assuming you're running Cisco kit everywhere) is PIM sparse. Other than that the only option I'm aware of is DVMRP as Cisco doesn't support MOSPF/CBT. Or you can also carry mcast in MBGP. The netcraftsmen papers have a pretty good basic coverage to get you up to speed with the various protocols and concepts: http://www.netcraftsmen.net/welcher/papers/multicast01.html
|
# ? May 8, 2008 02:03 |
|
Girdle Wax posted: It seems like the de-facto mcast protocol (assuming you're running Cisco kit everywhere) is PIM sparse. Other than that the only option I'm aware of is DVMRP as Cisco doesn't support MOSPF/CBT. Or you can also carry mcast in MBGP.

I looked up the PIM sparse settings with declaring the match statement akin to a crypto map and setting the interfaces to flood the traffic out. Is there much more to it than that? Thank you for the links, will dive through those tonight.
|
# ? May 8, 2008 02:05 |
|
jbusbysack posted: I looked up the PIM sparse settings with declaring the match statement akin to a crypto map and setting the interfaces to flood the traffic out. Is there much more to it than that?

You need to designate 1 or more RPs in your network, and tell all your PIM edges what the RP addresses are (this can be handled automatically with PIMv2). Papers 3 & 4 cover sparse mode and RP strategies respectively.
|
# ? May 8, 2008 02:27 |
|
jbusbysack posted: Personally what I use is a USB/serial converter device that I then plug the rollover cable into. http://www.newegg.com/Product/Product.aspx?Item=N82E16812107108 for example. Don't mess around with ethernet jacks and console cables, it's just a mess.

There can be only one. http://www.keyspan.com/products/usa19hs/ (Just a third opinion.)
|
# ? May 10, 2008 02:09 |