CrazyLittle posted:
Very interested. (You have PMs disabled.) So when you go direct to telco, are you going to get a PRI from them and then use a VWIC2 to act as a trunking card?

PMs are enabled now. Whoopsies! That's right, we'll just plug our PRIs into the 3845s via the VWIC2 cards.

May 12, 2008 11:24

H110Hawk posted:
There can be only one.

This Keyspan one gave me a lot of grief in Vista and would frequently crash PuTTY.

May 13, 2008 07:24

CrazyLittle posted:
This Keyspan one gave me a lot of grief in Vista and would frequently crash PuTTY.

Both of those problems sound self-inflicted, honestly. The Keyspan driver for Mac is also very picky. If you don't do it exactly as indicated on the packaging it will never work on that Mac, near as I can tell.

May 13, 2008 15:12

Can the ASA 5505 throttle site-to-site VPN bandwidth?

May 13, 2008 16:06

I seem to have run across a similar problem lately that aggravates the absolute poo poo out of me. "logging trap debug" should dump any and all system messages to the syslog server specified. I tail the log file when turning up anything new and hardly poo poo shows up other than "so and so configured console via vty"; I am not even getting the rate-limited messages, just nothing. This became a big issue when turning up some eBGP sessions yesterday, so even resorting to "debug bgp all" and "logging mon debug" gave me nothing as we worked with route-maps and BGP resets. This has happened across multiple router series, and hell, even on switches when troubleshooting stuff. Am I going blind or what? My area of work requires debug to be turned up on anything and everything, including BGP changes, so being able to fill up my syslog server with the most possible bullshit data is a must.

May 15, 2008 13:11

Here's what we use to log ACL hits (which should catch debug since they are priority 7 messages):

logging buffered notifications
no logging console
no logging monitor
logging trap debugging
logging facility local5
logging <SYSLOG_IP_ADDR>

May 15, 2008 16:58

tortilla_chip posted:
Here's what we use to log ACL hits (which should catch debug since they are priority 7 messages):

Ours is pretty much the same. I usually get all ACL messages, but nothing about BGP exchanges other than neighbor up / down style stuff. Just aggravating at times.

May 15, 2008 18:22

jbiel posted:
Ours is pretty much the same. I usually get all ACL messages, but nothing about BGP exchanges other than neighbor up / down style stuff. Just aggravating at times.

oh, nm, you are seeing neighbor up/down, what kind of BGP messages are you expecting to see in the logs? logging trap debugging & setting up the appropriate debug statements should send the debug to syslog, and if that's not working, you want to call TAC and see if they have a solution?

ragzilla fucked around with this message at 18:47 on May 15, 2008

May 15, 2008 18:44

Girdle Wax posted:
oh, nm, you are seeing neighbor up/down, what kind of BGP messages are you expecting to see in the logs?

logging trap debug should catch EVERY message, from neighbor up / down to route exchanges etc to my understanding. I shouldn't have to turn on "debug bgp all" as well. Not from what I gather, but I have been so fed up at it, I could be reading it wrong.

May 15, 2008 20:14

jbiel posted:
logging trap debug should catch EVERY message, from neighbor up / down to route exchanges etc to my understanding. I shouldn't have to turn on "debug bgp all" as well. Not from what I gather, but I have been so fed up at it, I could be reading it wrong.

But it'll only work if the message is actually created, which I don't think it is unless the debug statement is turned on.

May 15, 2008 20:16

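Added example (not from anyone in the thread): a small Python model of the two things being discussed above, the trap level from the posted "logging trap debugging" config and the severity carried in each IOS message tag. The point of the exchange is that "logging trap" only decides which already-generated messages are forwarded; raw debug output (the untagged "BGP: ..." line below) exists only while the corresponding debug is switched on. The sample config is the one posted above; the log lines, addresses and the assumption that untagged debug output is treated as severity 7 are constructed for this example.

```python
import re

# IOS "logging trap <level>" keywords and their numeric severities
# (0 = emergencies ... 7 = debugging). A trap level forwards every
# message whose severity is numerically <= the configured level.
TRAP_LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# %FACILITY-SEVERITY-MNEMONIC: is the standard IOS system-message tag.
TAG_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):")
TRAP_RE = re.compile(r"^\s*logging trap (\w+)\s*$", re.MULTILINE)


def configured_trap_level(config_text):
    """Numeric trap level from a 'logging trap <level>' line.

    IOS accepts the keyword, an abbreviation of it, or the number. With no
    'logging trap' line at all the IOS default is informational (6).
    """
    m = TRAP_RE.search(config_text)
    if not m:
        return 6
    value = m.group(1).lower()
    if value.isdigit():
        return int(value)
    for name, level in TRAP_LEVELS.items():   # allows "debug" for "debugging"
        if name.startswith(value):
            return level
    raise ValueError("unknown trap level: " + value)


def message_severity(line):
    """Severity of one IOS log line.

    Tagged system messages carry it in %FAC-SEV-MNEM. Untagged lines are
    raw debug output (e.g. from 'debug bgp all'), which is only produced
    while that debug is enabled; treating them as severity 7 is an
    assumption made for this example.
    """
    m = TAG_RE.search(line)
    return int(m.group(2)) if m else 7


def forwarded_to_syslog(lines, trap_level):
    """The lines the router would hand to the syslog server at this trap level."""
    return [ln for ln in lines if message_severity(ln) <= trap_level]


# Constructed sample: the config posted in the thread plus a few messages.
SAMPLE_CONFIG = """
logging buffered notifications
no logging console
no logging monitor
logging trap debugging
logging facility local5
"""

SAMPLE_LINES = [
    "%SYS-5-CONFIG_I: Configured from console by vty0 (203.0.113.10)",
    "%BGP-5-ADJCHANGE: neighbor 192.0.2.1 Up",
    "%SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(4099) -> 192.0.2.10(23), 1 packet",
    "BGP: 192.0.2.1 rcv UPDATE w/ attr: nexthop 192.0.2.1, origin i",  # debug output
]

if __name__ == "__main__":
    level = configured_trap_level(SAMPLE_CONFIG)
    for ln in forwarded_to_syslog(SAMPLE_LINES, level):
        print(ln)
```

Note that the ACL-hit message (%SEC-6-IPACCESSLOGP) is severity 6, so it would also get through at "logging trap informational"; only the untagged debug line needs level 7, and it only appears at all while "debug bgp ..." is running.
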
Girdle Wax posted:
But it'll only work if the message is actually created, which I don't think it is unless the debug statement is turned on.

That sounds correct to me.

Unrelated question: who has deployed SSL based remote-access VPN with either ASA or IOS? I'm looking for client-side registry checking functionality, as a means to allow only preapproved company assets to connect via VPN. I see some mention of this with CSD on ASA, but not IOS. Definitely can't find any configuration guides for IOS, even if it does exist.

May 15, 2008 20:51

Girdle Wax posted:
But it'll only work if the message is actually created, which I don't think it is unless the debug statement is turned on.

I will certainly check tomorrow then.

May 16, 2008 01:18

jwh posted:
That sounds correct to me.

Quoting myself because I found out a few useful pieces of information:
1) All CSD features have to be configured through the CSD Admin web interface.
2) The CSD configuration never appears in the running / startup configuration.

This is not a good thing, in my opinion. The whole reason I like IOS is because it doesn't hide important junk away in secret hidey-holes. WebVPN was always bad for this, partly because it requires the installation of additional software packages in addition to the IOS, which are not preserved as part of normal image maintenance, and partly because WebVPN does things to the running configuration that don't restore well from a clean slate (certificate trustpoint namely).

Has anyone worked with Juniper's SSL based VPN concentrators?

May 19, 2008 18:32

Hey, I'm in a bit of a situation. One of my routers stopped working correctly last night and I've rebuilt my configuration and yet I have not resolved my problem.

The players:
Internet
Router A can talk to B and the internet and can not talk to Server A
Router B can talk to A and the internet and talk to Server A
Server A can talk to Router B but not A or the internet

I'm guessing I've just made a simple mistake. Would you mind looking this over? It's the simplest configuration ever. Here is my config:

service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Ctrl-Dfwr-1
!
boot-start-marker
boot-end-marker
!
enable secret 5 ************
enable password ***********
!
no aaa new-model
ip subnet-zero
!
ip cef
!
interface FastEthernet0/0
 description External Network
 ip address 208.75.219.250 255.255.255.240
 duplex full
 speed 100
!
interface FastEthernet0/1
 description Internal Network
 ip address 208.75.218.225 255.255.255.224
 duplex auto
 speed auto
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
 no fair-queue
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
no ip classless
ip route 0.0.0.0 0.0.0.0 208.75.219.254
no ip http server
no ip http secure-server
!
line con 0
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 login
 transport preferred all
 transport input all
 transport output all
!

May 20, 2008 17:50

Godfrey posted:
Hey, I'm in a bit of a situation. One of my routers stopped working correctly last night and I've rebuilt my configuration and yet I have not resolved my problem.

You need to supply more information about your environment before we can help you.

May 20, 2008 18:12

What is the IP address of the server? What is the config for router B / can you draw a quick diagram of how it is set up?

May 20, 2008 18:13

Sorry, I was rushing a bit. See attachment: Router A's job is to run BGP; she works fine. Router B's job is to be the border router for one of our smaller parent companies. She is getting out to the internet fine, but is not permitting systems from the 208.75.218.x range out, though she will let traffic out that originates from the 218.225 address. Server A is an SBS for the small parent company.

May 20, 2008 19:14

Is it possible to get a config for the BGP router as well? I'm guessing you are missing a route back to the server network there.

May 20, 2008 20:01

I found it. It was very strange: the subnet mask of the route in the BGP router had changed, only allowing 3 IP addresses in, thus my ability to get to the router but nothing else. Now why it just randomly changed is the question.

May 20, 2008 20:14

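Added example (not from anyone in the thread) of the check that would have found this faster than rebuilding the config: take the static routes from the BGP router, do a longest-prefix match for every host in the server subnet, and list the hosts whose best route does not point back through the inside router. The server network (208.75.218.224/27) and the inside router's outside address (208.75.219.250) are taken from the config posted above; the route lines, the upstream next hop 203.0.113.1 and the narrowed /30 mask are assumptions made for illustration, not the poster's actual BGP router configuration.

```python
import ipaddress

# Values from the posted config: the internal /27 behind FastEthernet0/1
# and the address of FastEthernet0/0, which is what the BGP router should
# use as the next hop for that /27.
SERVER_NETWORK = "208.75.218.224/27"
INSIDE_ROUTER = "208.75.219.250"

# Constructed route tables. The upstream next hop and the wrong /30 mask
# are assumed for this example.
WRONG_ROUTES = [
    "ip route 0.0.0.0 0.0.0.0 203.0.113.1",
    "ip route 208.75.218.224 255.255.255.252 208.75.219.250",   # mask too narrow
]
RIGHT_ROUTES = [
    "ip route 0.0.0.0 0.0.0.0 203.0.113.1",
    "ip route 208.75.218.224 255.255.255.224 208.75.219.250",
]


def parse_static_route(line):
    """Turn 'ip route <net> <mask> <next-hop>' into (IPv4Network, next_hop)."""
    parts = line.split()
    if len(parts) < 5 or parts[:2] != ["ip", "route"]:
        raise ValueError("not a static route: " + line)
    # ipaddress accepts dotted netmask notation, so 0.0.0.0/0.0.0.0 works too
    net = ipaddress.ip_network(parts[2] + "/" + parts[3], strict=False)
    return net, parts[4]


def longest_match(table, address):
    """Classic longest-prefix match over (network, next_hop) tuples."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, nexthop in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best


def hosts_not_routed_via(route_lines, network, expected_nexthop):
    """Hosts in `network` whose best route does not go through expected_nexthop."""
    table = [parse_static_route(line) for line in route_lines]
    missing = []
    for host in ipaddress.ip_network(network).hosts():
        match = longest_match(table, str(host))
        if match is None or match[1] != expected_nexthop:
            missing.append(str(host))
    return missing


if __name__ == "__main__":
    for name, routes in (("wrong", WRONG_ROUTES), ("right", RIGHT_ROUTES)):
        bad = hosts_not_routed_via(routes, SERVER_NETWORK, INSIDE_ROUTER)
        print(f"{name}: {len(bad)} hosts not routed via {INSIDE_ROUTER}: {bad[:3]}...")
```

With the /30, only .225 through .227 match the specific route; every other host in the /27 falls through to the default route and leaves the wrong way, which is exactly the "I can reach the router but nothing behind it" symptom. Diffing the running config against a known-good copy on a schedule is the cheap way to catch a mask that "just changed".
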
I have a question that might not necessarily be Cisco specific, but I figured you all are the people who would answer it anyway. We have had issues with our internet access lately. Unfortunately, dumping the provider is not a possibility due to political reasons. To cut to the chase, I want to be able to either load balance or use another service to eliminate downtime. I'd like to possibly leverage some of the more "consumer" oriented connections that we get for free, to maintain our ability to access the web. I'm under the understanding that without using BGP and creating an AS, email and other internet services would go to poo poo, but I'd like to be able to maintain web traffic without having to go reconfigure anything manually in the event of a failure with our main ISP. Is this possible?

May 21, 2008 15:40

InferiorWang posted:
Is this possible?

Sure, you should be able to do that. How you do it depends on what kind of equipment you have at your disposal and what your current architecture looks like. So what kind of equipment do you have at your disposal?

May 21, 2008 16:11

By the time the end of the summer rolls around, in our server room where most of these connections will terminate, I'll have the following available:
- 4507R
- ASA 5510
- 2800 Series router which is going to be a voice gateway between our VoIP and legacy PBX phone systems. It will also be taking a PRI or two in the near future as we eliminate the legacy PBX system.
- A stack of unused Catalyst 2950s
- A Linksys router.

May 21, 2008 16:17

Can you clarify what this means?

InferiorWang posted:

Is this a general statement, or a statement that applies to your architecture? You can get away with this without using BGP at all...

May 21, 2008 21:56

I'm under the impression that I needed to use BGP to create an autonomous system, which would allow me to build redundancy into my network as far as internet access, inbound and outbound, is concerned. So our mail server, webserver, and a few other services are registered in DNS with public IP addresses provided by the ISP. If I up and switch the ISP, those public IP addresses will no longer "be ours". But I can still use the new connection for outbound web requests for internet surfing. Am I wrong in this line of thought?

May 21, 2008 23:18

You aren't going to get any ISP to do BGP peering on a consumer grade service. Optimized Edge Routing will do what you want. I've never used it, yet somehow I always end up posting the link to it when this issue comes up.
http://www.cisco.com/en/US/docs/ios/oer/configuration/guide/oer-overview.html

May 22, 2008 00:39

inignot posted:
Optimized Edge Routing will do what you want. I've never used it, yet somehow I always end up posting the link to it when this issue comes up.

OER only does outbound traffic. Return traffic is still dependent on the return routing of any public IPs you have published. BGP solves that half, but like you said, no ISP is going to do BGP with a small connection. Well, -my- company does, but only for our biggest client, and they pay a lot for that.

May 22, 2008 02:28

Well, I took/passed the ONT exam today and now I am a CCNP.

InferiorWang posted:
I'm under the impression that I needed to use BGP to create an autonomous system, which would allow me to build redundancy into my network as far as internet access, inbound and outbound, is concerned. So our mail server, webserver, and a few other services are registered in DNS with public IP addresses provided by the ISP. If I up and switch the ISP, those public IP addresses will no longer "be ours". But I can still use the new connection for outbound web requests for internet surfing.

BGP would indeed do what you want, but you'd need some much more powerful routers to be able to pull full routing tables from multiple providers. Ideally you'd have three BGP-capable routers, with one router per peer and a third running iBGP and doing the path selection to either peer. If having your email and website up 100% of the time is that important to you, you may want to have it hosted in a colo. Data center costs are way down these days.

Paul Boz_ fucked around with this message at 01:37 on May 24, 2008

May 24, 2008 01:27

Paul Boz_ posted:
Well, I took/passed the ONT exam today and now I am a CCNP.

How was the test? Can you share any details?

May 24, 2008 07:01

jwh posted:
Congratulations! That's pretty awesome.

Thanks. The test wasn't bad. It was the easiest of the three (I took the three-test route).

May 24, 2008 07:59

I would like to set up a test environment in my office where I can simulate all the different WAN link types a customer may have. What I currently have is an 1841 with a single T1 card and a /27 block of IPs. I also have an assortment of 2600s. I'd like to be able to host within my office the following link types:

Ethernet Static IP (easy)
Ethernet DHCP (easy)
Ethernet PPPoE (unknown, should be fairly easy)
T1 Cisco HDLC Static IP (easy)
T1 Std. HDLC Static IP (unknown)
T1 PPP Static IP (easy)
T1 ANSI Frame Relay Static IP (unknown)
ADSL PPPoE ATM Encap
ADSL DHCP ATM Encap
ADSL Static IP ATM Encap
DOCSIS DHCP
DOCSIS Static IP

The different T1 encapsulations I assume should all be supported, and if I can't run PPPoE off the Cisco I know I can host it from one of my BSD boxes. What I'm really interested in is whether I can get cards to allow any of my boxes to be the host end of either ADSL or DOCSIS systems so that I can test modems and integrated devices without having to use my customers or my own home connections as guinea pigs. I'm not looking to host a usable system for distribution, just something that I can run 25 feet of Cat5 or RG6 respectively out of over to my office and plug an off-the-shelf modem in to.

Jun 10, 2008 18:47

Does anyone have a working AnyConnect SSL VPN configuration for IOS? (damnit I want search back!)

Jun 11, 2008 11:44

Is anybody using SNMPv3? If so, you should update your rooters.
http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml

Jun 11, 2008 17:48

ior posted:
Does anyone have a working AnyConnect SSL VPN configuration for IOS? (damnit I want search back!)

Yeah, I do. I still think webvpn is broken in CEF under 12.4(15)T1, but we were never able to prove it. Anyway, I'm on vacation, but I can get the configs to you on Monday. Actually, I may have already posted them in this thread, but I don't know where.

Jun 12, 2008 05:23

We have a consulting firm in doing an audit / security check of our network; the consultant they sent left me a little worried about skill level. They asked for a list of our current firewall openings/port mappings. Since the firewall is managed by our ISP, not us, I emailed the ISP for the most up to date list and was sent a long list that looked like this. I replaced IPs and outside port numbers with caps for obvious reasons.

tcp PRIVATEIP 3389 PUBLICIP RANDOMPORT# extendable
tcp PRIVATEIP 3389 PUBLICIP RANDOMPORT# extendable

Besides the word extendable, which I don't really understand, it looks to me like standard router/firewall configuration, which looks to be pretty straightforward and easy to make sense of. The only ugly thing as far as I am concerned was the fact there weren't line breaks in the file I was sent. I forwarded it on to the consultant (who works for a reputable firm) and he emailed me back asking me for column headers for protocol, port etc. So I have two questions. The first being: is that a reasonable question for a consultant from a respectable firm to ask? Second, what does the extendable mean?

Jun 12, 2008 22:49

Sounds like the consultant is lazy and wants you to insert the line breaks for him. Go here for some info on the extendable command:
http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a0080091cb9.html

Jun 12, 2008 23:17

Is the "ip nat inside source static" shown on the link above and the quote below redundant? All the examples I see online seem to show it; however, the files I got don't.

random text file found on net posted:
ip nat inside source static tcp 192.168.1.71 1723 134.215.211.123 1723 extendable

Jun 12, 2008 23:42

Those commands are required to make the NAT translation work; why the files provided by your ISP do not have them is something you will have to ask them.

Jun 13, 2008 00:18

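Added example (not from anyone in the thread) that turns a static port-mapping list like the ISP's into the table with column headers the consultant asked for. It accepts both the bare form quoted above ("tcp A p B q extendable") and the full "ip nat inside source static ..." command, scans the whole blob so a file with no line breaks is fine, and also reports inside addresses that appear in more than one mapping, which is the situation the "extendable" keyword exists for (it lets several static translations share one inside-local address). The sample text, the inside host 192.168.1.71 from the quoted line aside, and the 192.0.2.x public addresses are constructed; real addresses are expected, so the PRIVATEIP/PUBLICIP placeholders above would not match.

```python
import re

# One static port mapping, with the IOS command prefix optional. The order
# is the IOS one: protocol, inside-local address, inside port,
# outside-global address, outside port, optional "extendable".
NAT_RE = re.compile(
    r"(?:ip\s+nat\s+inside\s+source\s+static\s+)?"
    r"\b(tcp|udp)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)"
    r"\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)(\s+extendable)?",
    re.IGNORECASE,
)

COLUMNS = ("protocol", "inside_local", "inside_port",
           "outside_global", "outside_port", "extendable")


def parse_static_nat(text):
    """Return one dict per static port mapping found anywhere in `text`."""
    rows = []
    for m in NAT_RE.finditer(text):
        proto, in_ip, in_port, out_ip, out_port, ext = m.groups()
        rows.append({
            "protocol": proto.lower(),
            "inside_local": in_ip,
            "inside_port": int(in_port),
            "outside_global": out_ip,
            "outside_port": int(out_port),
            "extendable": ext is not None,
        })
    return rows


def inside_hosts_with_multiple_mappings(rows):
    """Inside addresses used by more than one mapping; these are the ones
    that need 'extendable' on the router."""
    counts = {}
    for r in rows:
        counts[r["inside_local"]] = counts.get(r["inside_local"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n > 1)


def as_table(rows):
    """Tab-separated text with a header row, ready to hand to an auditor."""
    lines = ["\t".join(COLUMNS)]
    for r in rows:
        lines.append("\t".join(str(r[c]) for c in COLUMNS))
    return "\n".join(lines)


# Constructed sample: three mappings run together on one line, as in the
# ISP's file, one of them in full command form.
SAMPLE = ("tcp 192.168.1.71 1723 192.0.2.10 1723 extendable "
          "tcp 192.168.1.71 3389 192.0.2.10 53389 extendable "
          "ip nat inside source static udp 192.168.1.80 514 192.0.2.11 514")

if __name__ == "__main__":
    rows = parse_static_nat(SAMPLE)
    print(as_table(rows))
    print("inside hosts with several mappings:",
          inside_hosts_with_multiple_mappings(rows))
```

For an audit the useful view is the one this produces: every inside host exposed, on which outside address and port, so you can ask why 3389 (RDP) is reachable from the internet at all rather than only whether the syntax is right.
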
I've begun monitoring on our Cisco equipment at work. I'm monitoring the interface load and it's over 100 at some points during the day. I need to know more about how interface load is calculated. Anyone know of any documentation or ideas as to how it's done?

Jun 13, 2008 16:47

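Added example (not from anyone in the thread) showing how the txload/rxload figure IOS prints in "show interfaces" relates to what a poller sees: it is the measured bit rate as a fraction of the interface's configured bandwidth, scaled to 0..255, so a reading of 100 is about 39% utilisation, not 100%. IOS smooths the rate over the load-interval (5 minutes by default); this example uses the plain rate between two polls instead, which is an assumption for illustration. The counters, timestamps and the 100 Mbit/s bandwidth are constructed, and one sample deliberately wraps a 32-bit octet counter, which is the usual source of absurd load readings from SNMP pollers.

```python
# Constructed sample: SNMP-style octet counters polled once a minute on a
# 100 Mbit/s interface. Tuples are (timestamp_seconds, in_octets, out_octets).
BANDWIDTH_BPS = 100_000_000
SAMPLES = [
    (0,   4_294_000_000, 0),
    (60,  700_000,       150_000_000),   # in-counter wrapped past 2^32
    (120, 300_700_000,   300_000_000),
]


def counter_delta(prev, curr, bits=32):
    """Octet-counter difference, tolerating a single wrap of a `bits`-wide counter."""
    if curr >= prev:
        return curr - prev
    return curr + (1 << bits) - prev


def bits_per_second(prev_octets, curr_octets, seconds, bits=32):
    """Average bit rate between two counter readings `seconds` apart."""
    return counter_delta(prev_octets, curr_octets, bits) * 8 / seconds


def load_255(bps, bandwidth_bps):
    """IOS-style load: rate as a fraction of configured bandwidth, scaled to 0..255."""
    return min(255, round(bps * 255 / bandwidth_bps))


def percent_utilisation(load):
    """Convert a 0..255 load figure back to a percentage."""
    return load * 100 / 255


def interface_loads(samples, bandwidth_bps, bits=32):
    """(rxload, txload) for each consecutive pair of samples."""
    out = []
    for (t0, i0, o0), (t1, i1, o1) in zip(samples, samples[1:]):
        dt = t1 - t0
        rx = load_255(bits_per_second(i0, i1, dt, bits), bandwidth_bps)
        tx = load_255(bits_per_second(o0, o1, dt, bits), bandwidth_bps)
        out.append((rx, tx))
    return out


if __name__ == "__main__":
    for (rx, tx) in interface_loads(SAMPLES, BANDWIDTH_BPS):
        print(f"rxload {rx}/255 ({percent_utilisation(rx):.1f}%)  "
              f"txload {tx}/255 ({percent_utilisation(tx):.1f}%)")
```

Two things worth checking against the poller: that it divides by the interface's configured "bandwidth" value (a mis-set bandwidth on a subinterface or tunnel makes the ratio meaningless), and that it reads the 64-bit ifHCInOctets/ifHCOutOctets counters where the platform has them, since a 32-bit octet counter wraps in under six minutes at 100 Mbit/s and any poll interval longer than that cannot tell a wrap from a burst.
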
I'm having some issues getting SQL connections through my PIX. I'm running 6.3(5) and here's what my acl setup looks like:quote:access-list 101 permit tcp any host pubip1 eq ftp Edit: I've double checked on the SQL client and it is attempting access through port 1433. So that shouldn't be the issue. permanoob fucked around with this message at 17:20 on Jun 13, 2008 |
# ? Jun 13, 2008 17:12 |
|
|
# ? May 14, 2024 16:44 |
|
permanoob posted:
I'm having some issues getting SQL connections through my PIX. I'm running 6.3(5) and here's what my ACL setup looks like:

Is there a static NAT or PAT statement for the inside SQL box?

Jun 13, 2008 18:00