permanoob
Sep 28, 2004

Yeah it's a lot like that.

Tremblay posted:

Is there a static NAT or PAT statement for the inside SQL box?

Yeap

quote:

nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) X.X.X.235 psdc netmask 255.255.255.255 0 0
static (inside,outside) X.X.X.236 psapps netmask 255.255.255.255 0 0
static (inside,outside) X.X.X.237 test1 netmask 255.255.255.255 0 0
static (inside,outside) X.X.X.238 test2 netmask 255.255.255.255 0 0

jwh
Jun 12, 2002

jwh posted:

Anyway, I'm on vacation, but I can get the configs to you on Monday. Actually, I may have already posted them in this thread, but I don't know where.

Here's a rough skeleton configuration. You'll need to tweak it, and load the package files onto the flash. You'll also want to drop the VRF stuff if you aren't doing Multi-VRF on the box. Oh, and you'll have to run the IOS HTTP server on a different port than the standard 80 or 443 if you want to use the CSD Admin console.

Let me know if you run into any trouble.

code:
webvpn gateway test-r1
 hostname test-r1
 ! this is the "outside" IP
 ip address 1.2.3.4 port 443
 http-redirect port 80
 ssl encryption 3des-sha1 aes-sha1
 ! don't enter the ssl trustpoint, it'll be generated automatically
 ssl trustpoint TP-self-signed-3159803857
 inservice

!
webvpn cef
 !
webvpn install svc flash:/webvpn/svc.pkg
 !
webvpn install csd flash:/webvpn/sdesktop.pkg
 !
webvpn context default
 ssl authenticate verify all
 !
 no inservice
!
!
webvpn context test
 title "Test, Inc."
 ssl authenticate verify all
 !
 login-message "Test WebVPN"
 !
 policy group test
   functions file-access
   functions file-browse
   functions svc-required
   svc address-pool "vpn-pool-test"
   svc default-domain "test.com"
   svc dns-server primary 10.1.2.3
   svc dns-server secondary 10.1.2.4
  vrf-name test
  default-group-policy test
  aaa authentication list test-acs-list
  aaa accounting list test-acs-list
  gateway test-r1
  csd enable
  inservice

Sir Sidney Poitier
Aug 14, 2006

My favourite actor


I'm going to be embarking on a CCNA course with a company who will provide me with 'lab kit' which comprises:

quote:

2 x Cisco 2610 routers with a WIC1T interface each & 2 x Cisco Catalyst 2900 switches + all the necessary cables

I know bugger all about Cisco hardware, how does one actually access the interface for these devices to program them? Is it via SSH or something? I'm assuming whatever it is will be OS independent?

I'm planning to get them to send me the hardware before I start the course so I can have a fiddle in advance. I'll probably want to do it with my Macbook.

I don't see these two devices listed on the Cisco site, so I'm assuming they're slightly outdated. Will they still be alright for learning/practising on?

jwh
Jun 12, 2002

Anjow posted:

I'm going to be embarking on a CCNA course with a company who will provide me with 'lab kit' which comprises:


I know bugger all about Cisco hardware, how does one actually access the interface for these devices to program them? Is it via SSH or something? I'm assuming whatever it is will be OS independent?

I'm planning to get them to send me the hardware before I start the course so I can have a fiddle in advance. I'll probably want to do it with my Macbook.

I don't see these two devices listed on the Cisco site, so I'm assuming they're slightly outdated. Will they still be alright for learning/practising on?

You'll access them via a console cable, which can connect to your serial port on your computer. Although if you're going to use your Macbook, you might need to pick up a USB to Serial converter. Once you have them configured enough to be reachable on your network, you can talk to them via telnet, or optionally SSH (provided you're running an IOS image that supports SSH).

They're older routers, but they're fine for learning.

inignot
Sep 1, 2003

WWBCD?

Twlight posted:

I've begun monitoring our Cisco equipment at work. I'm monitoring the interface load and it's over 100 at some points during the day. I need to know more about how interface load is calculated. Anyone know of any documentation or ideas as to how it's done?

What are you looking at to get the number that's over 100? If it's from show int the load is displayed as some value/255, so 125/255 would be around 50%. Also, input and output loads are tracked separately.

brc64
Mar 21, 2008

I wear my sunglasses at night.
hah, wrong topic, sorry

FuncType
Mar 29, 2007

Tactical Wiener Lover
I am currently planning to study to get my CCNA. I have a question about IOS in general. At my current place of employment I have installed and configured an 1841 to work as our incoming router on a second T1 line. I'd really like to pull the IOS image off of it and use it with GNS3. Will the IOS image from an 1800 series router work as an image on the 2600 series router?

jwh
Jun 12, 2002

zycl0n posted:

Will the IOS image from an 1800 series router work as an image on the 2600 series router?

Unfortunately, the answer is no.

Although, and here's the good news, you can pull the image off the 1800 and use it with Dynamips.

Biggz
Dec 27, 2005

I have had a request from my manager to teach a couple of co-workers the CCNA material.

We are a Cisco partner, so we can get equipment on Not-for-Resale deals quite cheaply.

I have looked for CCNA lab suggestions and they appear to be CCNA labs "on a budget" on old equipment.

We will be buying the new equipment shortly, what *new* hardware would you recommend?

I would only need to be teaching 2 people so the one lab would do.

Also, but I'm not holding my breath about this one, is it possible to get a hold of the CCNA teaching materials? When I did my CCNA at a netacademy there were brilliant slide shows and presentations along with a Lab book.

I can probably find my old lab book but I think CCNA has been updated since mine was published and I'd much rather teach the new course.

Has anyone done anything similar to this and what approach did you take?

BoNNo530
Mar 18, 2002

Are there any good resources out there for DMVPN? Our company uses this at a ton of sites. The senior engineer put it all together and doesn't have time to really explain/train the material. The director is sending me to a SNRS class but they only have one lab centered around DMVPN. I also have an old CCSP book with nothing on DMVPN. :(

jwh
Jun 12, 2002

BoNNo530 posted:

Are there any good resources out there for DMVPN?

I was principal architect on a pretty big DMVPN project - the doc that helped me the most was this one: http://www.cisco.com/univercd/cc/td/doc/solution/dmvpn_x.pdf

If you have any questions about DMVPN, feel free to ask away, and I'll do my best to help out.

H110Hawk
Dec 28, 2006

Biggz posted:

We will be buying the new equipment shortly, what *new* hardware would you recommend?

Also, but I'm not holding my breath about this one, is it possible to get a hold of the CCNA teaching materials? When I did my CCNA at a netacademy there were brilliant slide shows and presentations along with a Lab book.

I would pick up a couple of L3 capable 12-port switches, and a few small routers with WIC's you can hook together. I don't have any specific model recommendation, but you really only need 5 total boxes to play with everything the ccna books suggest. I would get the units they sell the most of in that feature range, so that they can be familiar with the units they sell.

I assume this means something like a Cat4948, Cat 3570? Whats the new hot poo poo stacking switch? And then something like a 2600 or 1800 series router.

Or, you know, just throw a pile of 6500 series chassis into a room with various sups and line cards, then see what they can get routing!

Boner Buffet
Feb 16, 2006

H110Hawk posted:

Or, you know, just throw a pile of 6500 series chassis into a room with various sups and line cards, then see what they can get routing!

Why would you suggest that? They're cheap pieces of crap!

inignot
Sep 1, 2003

WWBCD?

BoNNo530 posted:

Are there any good resources out there for DMVPN?

Here's a few:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6658/DMVPN_Overview.pdf

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_white_paper09186a008018983e.shtml#intro

I did a dmvpn project, it wasn't that bad. Setting up an IOS based Certificate Authority to authenticate the dmvpn sessions made me want to get down on my knees and cry like a woman though.

jwh
Jun 12, 2002

inignot posted:

Here's a few:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6658/DMVPN_Overview.pdf

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_white_paper09186a008018983e.shtml#intro

I did a dmvpn project, it wasn't that bad. Setting up an IOS based Certificate Authority to authenticate the dmvpn sessions made me want to get down on my knees and cry like a woman though.


I was too much of a wuss to try to get that working. The wildcard isakmp key seems to work ok, although I'm still a little weird on the whole idea.

Truth is, after several weeks of poking at the tunnel interface configurations, I realized that things were far more likely to not work than to work, and anybody crafty enough to derive the isakmp key, the tunnel key, the nhrp key, the nhrp network id, and then get the routing working correctly probably deserved to get on the network. Hell, I'd probably try to hire them.

BoNNo530
Mar 18, 2002

jwh posted:

I was principal architect on a pretty big DMVPN project - the doc that helped me the most was this one: http://www.cisco.com/univercd/cc/td/doc/solution/dmvpn_x.pdf

If you have any questions about DMVPN, feel free to ask away, and I'll do my best to help out.

THANKS!

inignot posted:

Here's a few:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6658/DMVPN_Overview.pdf

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_white_paper09186a008018983e.shtml#intro

I did a dmvpn project, it wasn't that bad. Setting up an IOS based Certificate Authority to authenticate the dmvpn sessions made me want to get down on my knees and cry like a woman though.

Thank you!


Both of these look helpful.

XakEp
Dec 20, 2002
Amor est vitae essentia

I've got a fun one. Got my hands on a 4230 IDS (yes, I know it's ancient - it's for playing with, not deployment) and the guy I got it from did not know the password/username for it. I can't get into the darn thing; does anyone know how to do a hard reset of the box? I don't know what version the software is running.

para
Nov 30, 2006
I'm fairly new to Cisco. I'm currently reading through the ICND2 Cisco Press book, have bought a couple routers and a switch from ebay, and am prepping for taking the CCNA exam.

I have a Cisco 2621 that I am trying to test out as an internet access router on my cable connection (to temporarily replace my WRT54G Linksys). So I set it up to be a DHCP client on the internet port, a DHCP server for the clients, and NAT for internet access.

I am now trying to add a static NAT rule that will allow external devices who are accessing port 80 to be sent to my internal web server machine, 192.168.1.102. I can't seem to get this to work -- it looks like it's okay in the 'show ip nat translations' table, but it is failing when I try to access it in a browser.

Any ideas on what I could be doing wrong? This is my first time configuring NAT. It seemed easy enough, until I caught this little snag.

code:
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$RJOJ$9LWUK5DR3jOodw5nkvInz1
!
no aaa new-model
ip subnet-zero
ip cef
!
!
no ip domain lookup
ip dhcp excluded-address 192.168.1.1 192.168.1.99
!
ip dhcp pool DHCP_POOL
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1 
   dns-server 4.2.2.2 4.2.2.1 
!
ip audit po max-events 100
!
interface Loopback0
 ip address 10.1.1.1 255.0.0.0
!
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 192.168.2.1 255.255.255.0
 clock rate 8000000
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
router eigrp 1
 redistribute static
 network 192.168.0.0 0.0.255.255
 no default-information out
 no auto-summary
!
ip nat inside source list NAT_POOL interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.102 80 interface FastEthernet0/0 80
no ip http server
no ip http secure-server
ip classless
!
!
!
ip access-list standard NAT_POOL
 permit any
!
!
!
!
!
banner motd ^C
******************
* Cisco 2621     *
******************^C
!
line con 0
 exec-timeout 0 0
 password 7 070C285F4D06
 logging synchronous
 login
line aux 0
 password 7 045802150C2E
 logging synchronous
 login
line vty 0 4
 password 7 045802150C2E
 logging synchronous
 login
line vty 5 15
 password 7 045802150C2E
 logging synchronous
 login
!
!
end
code:
R1#show ver
Cisco Internetwork Operating System Software 
IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(18), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by cisco Systems, Inc.
Compiled Wed 15-Mar-06 14:16 by dchih
Image text-base: 0x80008098, data-base: 0x81A0888C

ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
ROM: C2600 Software (C2600-IK9O3S3-M), Version 12.3(18), RELEASE SOFTWARE (fc3)

R1 uptime is 1 hour, 7 minutes
System returned to ROM by power-on
System image file is "flash:c2600-ik9o3s3-mz.123-18.bin"
I feel stupid not being able to figure this out.
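
Before reading `debug` output, it is worth checking the NAT statements for the mistakes that most often produce "looks fine in the translation table but nothing works": the static rule names an interface that is not `ip nat outside`, the inside host is not on an `ip nat inside` subnet, or the overload rule names an ACL that does not exist. The checker below is an added example (not part of the original post or of IOS); it parses a constructed excerpt modelled on the config above and reports any of those inconsistencies.

```python
"""Static-NAT sanity check for an IOS running-config (added example)."""
import ipaddress
import re

# Constructed excerpt modelled on the posted config; not a real device.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source list NAT_POOL interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.102 80 interface FastEthernet0/0 80
!
ip access-list standard NAT_POOL
 permit any
"""

STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)")
OVERLOAD_RE = re.compile(r"^ip nat inside source list (\S+) interface (\S+) overload")
ACL_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)|^access-list (\d+) ")


def parse_interfaces(config):
    """Map interface name -> {"addr": IPv4Interface or None, "nat": inside/outside/None}."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = {"addr": None, "nat": None}
            continue
        if current is None or not line.startswith(" "):
            current = None  # an unindented line ends the interface block
            continue
        m = re.match(r"^ ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)", line)
        if m:  # "ip address dhcp" is left as None: the mask is not known from the config
            interfaces[current]["addr"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        m = re.match(r"^ ip nat (inside|outside)\b", line)
        if m:
            interfaces[current]["nat"] = m.group(1)
    return interfaces


def check_nat(config):
    """Return a list of findings; an empty list means the NAT rules are consistent."""
    interfaces = parse_interfaces(config)
    acls = set()
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m:
            acls.add(m.group(1) or m.group(2))
    inside_nets = [i["addr"].network for i in interfaces.values()
                   if i["nat"] == "inside" and i["addr"] is not None]
    findings = []
    if not any(i["nat"] == "outside" for i in interfaces.values()):
        findings.append("no interface is marked 'ip nat outside'")
    if not inside_nets:
        findings.append("no addressed interface is marked 'ip nat inside'")
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m:
            proto, local_ip, _local_port, ifname, global_port = m.groups()
            if interfaces.get(ifname, {}).get("nat") != "outside":
                findings.append(f"static {proto}/{global_port}: {ifname} is not 'ip nat outside'")
            if not any(ipaddress.IPv4Address(local_ip) in net for net in inside_nets):
                findings.append(f"static {proto}/{global_port}: {local_ip} is not on an inside subnet")
            continue
        m = OVERLOAD_RE.match(line)
        if m:
            acl, ifname = m.groups()
            if acl not in acls:
                findings.append(f"overload rule references missing ACL {acl}")
            if interfaces.get(ifname, {}).get("nat") != "outside":
                findings.append(f"overload rule: {ifname} is not 'ip nat outside'")
    return findings


if __name__ == "__main__":
    for finding in check_nat(SAMPLE_CONFIG) or ["NAT statements are consistent"]:
        print(finding)
```

A clean result, as for the posted config, means the fault is outside the NAT statements themselves (upstream filtering, the server's own firewall, or testing from inside the NAT).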

Paul Boz_
Dec 21, 2003

Sin City
If you're trying to access your web server via the outside world there's a good chance your ISP is blocking port 80. We did that at my previous employer and caused a few residential customers problems similar to what you're experiencing.

Can you post your NAT xlate table? Your config is right on with the doccd as far as the static nat port mapping.

http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_nat.html#wp1011696

Paul Boz_ fucked around with this message at 00:17 on Jun 22, 2008

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE
I have a question regarding the number of routes and memory on a 6509.

We have 2 6509s taking full BGP routes and they are both dying horribly. It appears that the problem is running out of memory for routes and defaulting to software routing.

What I don't quite understand is that the WS-SUP720-3BXL should be able to do 1M routes, but I don't seem to be able to get anywhere near there.

code:
lax1-core>sh mod
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1   48  48 port 10/100/1000mb EtherModule      WS-X6148-GE-TX     xxxxxxxxxxx
  2   48  48 port 10/100/1000mb EtherModule      WS-X6148-GE-TX     xxxxxxxxxxx
  3   16  Pure SFM-mode 16 port 1000mb GBIC      WS-X6816-GBIC      xxxxxxxxxxx
  4   16  Pure SFM-mode 16 port 1000mb GBIC      WS-X6816-GBIC      xxxxxxxxxxx
  5    2  Supervisor Engine 720 (Active)         WS-SUP720-3BXL     xxxxxxxxxxx


Mod  Sub-Module                  Model              Serial       Hw     Status
---- --------------------------- ------------------ ----------- ------- -------
  3  Distributed Forwarding Card WS-F6K-DFC3A       xxxxxxxxxxx  2.4    Ok
  4  Distributed Forwarding Card WS-F6K-DFC3A       xxxxxxxxxxx  2.4    Ok
  5  Policy Feature Card 3       WS-F6K-PFC3BXL     xxxxxxxxxxx  1.7    Ok
  5  MSFC3 Daughterboard         WS-SUP720          xxxxxxxxxxx  2.4    Ok

lax1-core>sh ver
Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-VM), Version 12.2(33)SXH2, RELEASE SOFTWARE (fc1)
ROM: System Bootstrap, Version 12.2(17r)S2, RELEASE SOFTWARE (fc1)
cisco WS-C6509 (R7000) processor (revision 2.0) with 1040384K/8192K bytes of memory.

Do we need to use WS-F6K-DFC3BXL to be able to use the full 1M of routes the 720-3BXL can do?

FatCow fucked around with this message at 22:03 on Jun 22, 2008

XakEp
Dec 20, 2002
Amor est vitae essentia

Gaaaaah. Finally got into the darn IDS, but now I keep getting an error: "Error: No active virtual sensor." WTF - I can't find anything on working this problem anywhere for v4.1. To make this even more annoying, I can't access the command/control interface over the network. Won't ping a thing. Ugh.

ragzilla
Sep 9, 2005
don't ask me, i only work here


FatCow posted:

Do we need to use WS-F6K-DFC3BXL to be able to use the full 1M of routes the 720-3BXL can do?

I believe the switch will drop to the lowest common denominator pfc/dfc wise. what's your output from "# show platform hardware pfc mode"?

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE
code:
#show platform hardware pfc mode
PFC operating mode : PFC3A
Is it possible to shut the DFCs down so the PFC can run at full speed?

FatCow fucked around with this message at 05:11 on Jun 23, 2008

ragzilla
Sep 9, 2005
don't ask me, i only work here


FatCow posted:

code:
#show platform hardware pfc mode
PFC operating mode : PFC3A
Is it possible to shut the DFCs down so the PFC can run at full speed?

No- the DFCs take the place of the usual daughtercard that permits PFC based operation (the CFC). If you still have your CFCs on the shelf you can pull the linecards and swap the DFC for the CFC.

inignot
Sep 1, 2003

WWBCD?

para posted:

I feel stupid not being able to figure this out.

Show and debug commands are the way to figure these things out, not staring at the config and waiting for the error to jump out at you.

Do roughly this:
code:
conf t
no logging console
logging buffered 16000 debug
end

clear log
debug ip nat 
clear ip nat trans *
show ip nat trans
show log

ILikeVoltron
May 17, 2003

I <3 spyderbyte!
Anybody know how to do a "configure replace" on an ASA device?

Edit: found an answer : "write erase; copy tftp start"

ILikeVoltron fucked around with this message at 19:27 on Jun 23, 2008

Paul Boz_
Dec 21, 2003

Sin City

ILikeVoltron posted:

Anybody know how to do a "configure replace" on an ASA device?

Yeah, I checked the master command reference (http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c4.html) and found no trace of it. Just replace the startup config with a good backup or reloading the ASA without writing changes to the startup.

[edit] Didn't see your edit :)

atticus
Nov 7, 2002

this is how u post~

FatCow posted:

code:
#show platform hardware pfc mode
PFC operating mode : PFC3A
Is it possible to shut the DFCs down so the PFC can run at full speed?

shutting down DFC's isn't something you really want to do.

what's CEF looking like on the box? Also what does

show mls cef summary
show mls cef maximum-routes

say

atticus fucked around with this message at 19:26 on Jun 24, 2008

Panthrax
Jul 12, 2001
I'm gonna hit you until candy comes out.
I've been Googling around for like an hour today, and I can't find an answer how to do this. I need to enable a dial-peer to send DTMF via INFO, not in-band or rfc2833. According to a few docs on cisco.com you can do it, but it doesn't actually tell you HOW to do it, and there's no other options in the help menu other than rtp-nte, or proprietary/h245 poo poo. We're running IOS 12.3(22). Any ideas?

ior
Nov 21, 2003

What's a fuckass?

atticus posted:

shutting down DFC's isn't something you really want to do.

Running without DFCs works just fine; 90% of my customers are running CFC mode with no ill effects. Just keep in mind that you lose out on local switching and are therefore limited by the 40Gbps/slot backplane.

atticus
Nov 7, 2002

this is how u post~

ior posted:

Running without DFCs works just fine; 90% of my customers are running CFC mode with no ill effects. Just keep in mind that you lose out on local switching and are therefore limited by the 40Gbps/slot backplane.

Sure, running without DFC's works, but it depends on the function. If you're pushing a fuckton of multicast like we do, the amount of replication required can eat a CFC alive. CFC's "work" but if you have DFCs, why disable them? That's like spending the money on a decent monitor but only running it at 800x600.

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE

atticus posted:

shutting down DFC's isn't something you really want to do.

what's CEF looking like on the box? Also what does

show mls cef summary
show mls cef maximum-routes

say

We worked around it by filtering .* for BGP and setting a default route. There is nothing full routes gives us that we need or even use.

We have the proper DFCs on order and I'll be doing a bunch of remote hands soon. :(

Tremblay
Oct 8, 2002
More dog whistles than a Petco

XakEp posted:

Gaaaaah. Finally got into the darn IDS, but now I keep getting an error: "Error: No active virtual sensor." WTF - I can't find anything on working this problem anywhere for v4.1. To make this even more annoying, I can't access the command/control interface over the network. Won't ping a thing. Ugh.

4.1? Holy crap old. You will not be able to reach the box until you run setup.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids9/index.htm

IP addresses are entered as x.x.x.x/mask_bits

Also pay attention to the ACL section of setup, most people blow through that while doing everything else right.

ragzilla
Sep 9, 2005
don't ask me, i only work here


FatCow posted:

We worked around it by filtering .* for BGP and setting a default route. There is nothing full routes gives us that we need or even use.

We have the proper DFCs on order and I'll be doing a bunch of remote hands soon. :(

You should also be able to tell your provider to put you on a default-only route map, so they send you a default and nothing else, that way when you're ready to go full tables you just call them back and tell them to switch you back to their regular customer route map, you "soft clear in" and bam, instant full tables.

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

Girdle Wax posted:

You should also be able to tell your provider to put you on a default-only route map, so they send you a default and nothing else, that way when you're ready to go full tables you just call them back and tell them to switch you back to their regular customer route map, you "soft clear in" and bam, instant full tables.

This is what we did at my last ISP job. At our peering points we only had one provider, but multiple links to them, so def-route was better than pulling full tables on old 7513s with RSP8s :)

H.R. Paperstacks fucked around with this message at 13:26 on Jun 25, 2008

Paul Boz_
Dec 21, 2003

Sin City
You guys hear about the new CCNA-Security, CCNA-Wireless, and CCNA-Voice?

I got the CCNA-Sec book via Safari and its actually pretty good for a Cisco Press book. I'll probably snag the sec and voice.

jbiel posted:

This is what we did at my last ISP job. At our peering points we only had one provider, but multiple links to them, so def-route was better than pulling full tables on old 7513s with RSP8s :)

Same here. We had one guy that swore full tables on 7206vxr's with crazy prepending was the best solution. Definitely a no-go.

windex
Aug 2, 2006

One thing living in Japan does is cement the fact that ignoring the opinions of others is a perfectly valid life strategy.
I have something interesting going on in the office, so thought I'd contribute to the thread. We're in the middle of deploying a Nexus 7000-series for our core data center IP and Ethernet-SAN (ATA-over-Ethernet) distribution and switching needs.

If anybody has any questions about the platform (NX-OS, which is kind of a SAN-OS offshoot, not IOS) or the switch itself, I'll try to get to them. I will note the following, though:

* NX-OS is still buggy as hell. They've been releasing new code every 3-4 weeks. Some of the bugs are severe. ( see: http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_0/nx-os/release/notes/401_nx-os_release_note.html#wp93388 )

* NX-OS has no stateful firewall services and no stateful firewall modules exist for the N7K. Neither of these things are roadmapped for the switch. It also can't do Reflexive ACL's, which are kind-of stateful. For a DMZ, you wind up having to configure switch ports as untrusted and use a number of L2/L3 switch features to make up for it in an imperfect but practical way (Port Security, Unicast RPF, Dynamic ARP Inspection, IP Source Guard, and then ACL's once your switchports are locked down).

* I've only got 48-port GbE modules until the switch proves itself and the 32-port 10GbE modules drop in price a little, although those modules will be coming sooner rather than later as I have a 10GbE network to build up next year.

* Important note: I am not a fancy Cisco certified engineer, I got all my experience working for service providers and data centers on 7500-series routers, and 5500/6500-series catalyst switches. But, I did spend an entire month doing homework on this switch prior to suggesting we spend six figures on it (we were long overdue for an upgrade, with most of our network on some 6500's with sup2's and 16-port GbE cards).

So, if you have any questions you don't want to bother a Cisco rep with about this switch, I probably already have and know the answer. :)

Paul Boz_
Dec 21, 2003

Sin City
The Nexus is cool but until they get a lot of the bugs out I don't see it as a six figure switch. I'm quite content with 10k's :colbert:

Bias aside, how different is the OS from IOS?

windex
Aug 2, 2006

One thing living in Japan does is cement the fact that ignoring the opinions of others is a perfectly valid life strategy.

Paul Boz_ posted:

The Nexus is cool but until they get a lot of the bugs out I don't see it as a six figure switch. I'm quite content with 10k's :colbert:

Bias aside, how different is the OS from IOS?

It's not really that bad from the documentation. I'll have more live time on it next week.

We're not fully up and running yet, all I've done so far is power it up just enough to ensure everything was working and have a look at it. They actually got us the switch three weeks early from their estimate, and we only had 1 spare 220V L6 receptacle wired up and need to get 4 new ones wired up for it for production, which happens next week. I do have to say it looks awfully pretty once racked up and installed properly, especially when you're staring at a huge mess of a couple 6500's right beside it.

The areas that are different are very well clarified in the relevant sections of the NX-OS documentation, with a huge text block that says "Warning: Configuration blah blah in this section blah blah differs from IOS considerably blah blah.", and usually it's not even that different, it just takes a little time to research when you run into it, but considering that most of the configuration bloat on this thing is going to be the L2/L3 security features we used to ignore on the 6500's since we had good firewalls, I don't have a lot of familiarity with those areas anyway so learning them on the N7K is not a big deal.

If anything the hardest thing to deal with in our new configuration are the ASA's we're putting on the perimeter, which don't configure much like FWSM's, and there's a lot of considerations to make with those since they don't just plug into the switch and work magically.

Oddly enough (or not), it wasn't the switch itself that was the six figures. In fact, we got an amazing deal and I've been on the phone with an awful lot of people from Cisco who helped develop this thing (because we're their guinea pigs). It was having to buy a couple ASA 5540's to replace our FWSM's and a 7201 to do IP-SLB (and replace our CSM's) that added to the cost considerably (for the record, 7201's are about half the price of the ACE's, and the ACE has a load of L4-7 security features we have in place elsewhere).

I was also pretty darn biased against this thing until I saw what everyone else's 10GbE switch options looked like. I might have to deal with some bugs up front, but at least Cisco isn't going to release a switch backplane upgrade in the future that immediately renders everything else in the chassis obsolete.

I kinda got offtopic here, but wanted to share one last thing:

The funniest thing so far with this thing is that all of the install documents have huge disclaimers about how they are a work in progress, etc, etc, all over them. There are still editors notes, along with responses from engineers, which are basically both groups bickering with each other. They also forgot to document how to install that nice fancy cover to the front of the chassis entirely, which led to a bit of taking the front of the switch apart to try to figure out how to get it on there.

Paul Boz_
Dec 21, 2003

Sin City
Emailed you about Nexus docs.