Anyone have any experience bonding links which terminate on different routers? We have several 7200s which terminate channelized DS3s for customer T1 lines. We usually use PPP Multilink to bond T1s together for customers who require more bandwidth, but we now need to bond T1 lines which terminate to DS3s on different chassis. Any ideas?

Jul 22, 2008 18:34

CrazyLittle posted: It's pretty easy. You just have to pick what method fits your needs. What device in that diagram is doing your NAT? That's probably the best place to implement any failover plan as your external IP dictates the return path (unless you've got BGP peers).

The 1812 is doing our NAT. The 2811 is all new as of last week.

Jul 22, 2008 19:06

Kreg posted: Anyone have any experience bonding links which terminate on different routers?

The short answer is you can't. The longer answer(s) are you can, but:

a) You use CEF load balancing to put 2 routes into your IGP (one from each cust agg router) for the customer's routed prefix. Your upstream equipment should see the 2 paths and use CEF to load balance appropriately. Traffic from host-to-host will be restricted to the max speed of a single link due to the default CEF load balancing algorithm (per destination vs. per packet).

b) You buy a DACS/DCS (if you're under 12 total DS3s inbound, or when you consider how the DACS grooms stuff if you're under 24 total in+out (in from carrier, out to 7200) - you could look at an older Cisco 15454 with an XC-VT) and use the DACS to groom your DS3s from your carriers onto different channels of DS3s going to your aggregation routers. However the but in this case is "it's going to cost you". But it's a one-off CapEx (and associated OpEx if you choose to get maintenance/SmartNET on it) and gives you a lot more flexibility with where you get/bring in circuits.

-edit- Forgot the comedy old school variant on option B. You get a bunch of M13 multiplexers, wire them up to a bunch of DSX shelves and do manual cross connects from the telco mux -> aggregation router mux. You still have a wire-wrap tool, right? -/edit-
Jul 22, 2008 20:00

Girdle Wax posted: use the DACS to groom your DS3s from your carriers onto different channels of DS3s going to your aggregation routers.

Cisco has something called multichassis multilink PPP, but it looks like a big mess that doesn't attempt to solve the problem in this case. Unless of course it does, but even if it did, I'd be nervous.

Jul 22, 2008 20:37

Bob Morales posted: The 1812 is doing our NAT.

And what's the handoff for the 2811? Routed IP space or more NAT?

Jul 22, 2008 22:02

How is the DHCP discovery sent? I mean, the packet's got the IP address 255.255.255.255, but if it doesn't know a default gateway how does that get to the DHCP server?

Jul 22, 2008 22:33

The DHCP server is on the same broadcast domain as the DHCP client, or some device is forwarding/proxying the DHCP requests to the correct location on the client's behalf.

Jul 22, 2008 23:02

Dr. Ron Paul posted: How is the DHCP discovery sent? I mean, the packet's got the IP address 255.255.255.255, but if it doesn't know a default gateway how does that get to the DHCP server?

The DHCP server is either in the same broadcast domain, or the DHCP discovery is forwarded by a router configured to intercept and unicast these packets (i.e., dhcp-helper).

Jul 22, 2008 23:03

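The two answers above, as a runnable model. This is an added example written for this page, not code from either poster: the client's DHCPDISCOVER is a link-layer broadcast, so it reaches the router on the segment without the client knowing any gateway; the relay agent (what `ip helper-address` turns on in IOS) fills in `giaddr` with its own interface address, increments `hops` and unicasts the request to the server; the server chooses a scope from `giaddr` and replies to the relay. Packet layout follows RFC 2131/2132. The addresses, MAC, scope table and "one fixed lease per scope" behaviour are constructed for illustration and are not how a real server allocates.

```python
"""Added example, not part of the thread: a DHCPDISCOVER sent to 255.255.255.255
reaching a server on another subnet.  The client needs no default gateway; the
relay agent (Cisco 'ip helper-address') stamps giaddr, bumps hops and unicasts
the request; the server picks a scope from giaddr and replies to the relay.
Layout per RFC 2131/2132; addresses, MAC and scope table are constructed."""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed BOOTP header: 236 bytes
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_MSG_TYPE, OPT_END, OPT_PAD = 53, 255, 0
DISCOVER, OFFER = 1, 2
BCAST_FLAG = 0x8000                  # client asks for a broadcast reply
MAX_HOPS = 16                        # RFC 1542: relays discard hops > 16
ZERO, LIMITED_BCAST = IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")

# Constructed scope table: client subnet -> the one address this model offers.
SCOPES = {IPv4Network("192.0.2.0/24"): IPv4Address("192.0.2.100"),
          IPv4Network("198.51.100.0/24"): IPv4Address("198.51.100.100")}


@dataclass
class Dhcp:
    op: int
    xid: int
    flags: int
    ciaddr: IPv4Address
    yiaddr: IPv4Address
    siaddr: IPv4Address
    giaddr: IPv4Address
    chaddr: bytes
    hops: int = 0
    options: dict = field(default_factory=dict)

    def pack(self) -> bytes:
        fixed = struct.pack(FMT, self.op, 1, 6, self.hops, self.xid, 0, self.flags,
                            self.ciaddr.packed, self.yiaddr.packed,
                            self.siaddr.packed, self.giaddr.packed,
                            self.chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
        opts = b"".join(bytes([c, len(v)]) + v for c, v in self.options.items())
        return fixed + MAGIC_COOKIE + opts + bytes([OPT_END])

    @classmethod
    def unpack(cls, data: bytes) -> "Dhcp":
        (op, _htype, hlen, hops, xid, _secs, flags,
         ci, yi, si, gi, chaddr, _sname, _file) = struct.unpack(FMT, data[:236])
        if data[236:240] != MAGIC_COOKIE:
            raise ValueError("not DHCP: bad magic cookie")
        options, i = {}, 240
        while i < len(data) and data[i] != OPT_END:
            if data[i] == OPT_PAD:
                i += 1
                continue
            code, length = data[i], data[i + 1]
            options[code] = data[i + 2:i + 2 + length]
            i += 2 + length
        return cls(op, xid, flags, IPv4Address(ci), IPv4Address(yi), IPv4Address(si),
                   IPv4Address(gi), chaddr[:hlen], hops, options)


def client_discover(mac: bytes, xid: int) -> bytes:
    """On the wire: 0.0.0.0:68 -> 255.255.255.255:67, giaddr 0, broadcast flag set."""
    return Dhcp(BOOTREQUEST, xid, BCAST_FLAG, ZERO, ZERO, ZERO, ZERO, mac,
                options={OPT_MSG_TYPE: bytes([DISCOVER])}).pack()


def relay(data: bytes, relay_if: str, server: str):
    """Relay agent on the client's router. Returns (dst_ip, dst_port, bytes) or None."""
    pkt = Dhcp.unpack(data)
    if pkt.op != BOOTREQUEST or pkt.hops >= MAX_HOPS:
        return None                          # not a request, or looping between relays
    if pkt.giaddr == ZERO:
        pkt.giaddr = IPv4Address(relay_if)   # first relay records the client's subnet
    pkt.hops += 1
    return IPv4Address(server), 67, pkt.pack()


def server_offer(data: bytes, server_addr: str):
    """Server: scope chosen from giaddr (own subnet if giaddr is 0). Returns
    ((dst_ip, dst_port), bytes) or None; one fixed lease per scope is a model."""
    req, me = Dhcp.unpack(data), IPv4Address(server_addr)
    if req.op != BOOTREQUEST or req.options.get(OPT_MSG_TYPE) != bytes([DISCOVER]):
        return None
    key = req.giaddr if req.giaddr != ZERO else me
    scope = next((net for net in SCOPES if key in net), None)
    if scope is None:
        return None                          # no scope for that subnet: stay silent
    offer = Dhcp(BOOTREPLY, req.xid, req.flags, ZERO, SCOPES[scope], me,
                 req.giaddr, req.chaddr, req.hops, {OPT_MSG_TYPE: bytes([OFFER])})
    # RFC 2131 4.1: giaddr set -> unicast to the relay on 67; else broadcast on 68.
    dst = (req.giaddr, 67) if req.giaddr != ZERO else (LIMITED_BCAST, 68)
    return dst, offer.pack()


def end_to_end(mac: bytes, xid: int, relay_if: str, server_addr: str):
    """Client -> relay -> server. Returns (relayed request, reply dst, offer)."""
    hop = relay(client_discover(mac, xid), relay_if, server_addr)
    dst, offer = server_offer(hop[2], server_addr)
    return Dhcp.unpack(hop[2]), dst, Dhcp.unpack(offer)
```

`end_to_end(bytes.fromhex("001122334455"), 0x3903F326, "192.0.2.1", "203.0.113.10")` shows the relayed request carrying `giaddr` 192.0.2.1 and `hops` 1, and the server's OFFER for 192.0.2.100 addressed back to 192.0.2.1 port 67, not to the client. Because the server trusts `giaddr` to choose the scope, whichever device is allowed to relay decides which pool a client draws from.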
Kreg posted: Anyone have any experience bonding links which terminate on different routers?

Shew... may just want to do a CFA move and kick one or the other T1 over to the other channelized DS3 so they're both riding the same one.

Jul 23, 2008 01:35

jwh posted: That's a fun idea. I'd like to see what kind of hilarious things happen once the ds1 mapping documentation dies on the vine, and nobody can remember what's going where.

The '15454 as a DACS' keeps pretty good documentation internally (you get like 80 characters for a circuit name) - we stick to a pretty standard <customer name> -( <x>/<y> -) <carrier circuit id>. The carrier you can pick up from the port it comes in on since you get to label those too. As a backup you can back up the node database from inside the software, and we also keep docs of where every circuit comes in (and the 'where it goes' can be gleaned from router docs) - though we've never lost a database and the low level software is pretty much rock solid since Cisco didn't initially write it (they bought up a company called Cerent and slapped a new label on the front).

But yeah, I'd stab myself in the eyes if I had to manage 15 or so carriers with multiple different handoffs to us (CT3, OC3 - mix of native VT1.5 mapped STS-1s and CT3 inside STS-1, OC12) and still had to do it with a mixture of DS3s going direct into my agg routers and some muxes to break out the occasional channel.

Jul 23, 2008 03:43

Ninja Rope posted: The DHCP server is on the same broadcast domain as the DHCP client, or some device is forwarding/proxying the DHCP requests to the correct location on the client's behalf.

jwh posted: The DHCP server is either in the same broadcast domain, or the DHCP discovery is forwarded by a router configured to intercept and unicast these packets (i.e., dhcp-helper).

Thanks guys

Jul 23, 2008 15:15

So I had an entertaining night last night. I was mistakenly asked to do a password recovery on an 1841 router that was set up by AT&T. Never doing that again. Evidently they fudged the memory register stuff around so that you couldn't do confreg 0x2142 and bypass the startup config during the boot process. I'm thinking that might be a neat thing to know because I have several assets in colos that aren't exactly good about keeping people from messing with other people's stuff. Anyone know how they did it?

Jul 24, 2008 20:04

coconono posted: so I had an entertaining night last night. I was mistakenly asked to do a password recovery on an 1841 router that was setup by AT&T.

http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a00801d8113.shtml

'no service password-recovery' but uh, make sure you have lots of backups first.

Jul 24, 2008 22:14

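To make the `confreg 0x2142` trick and the `no service password-recovery` defence in the two posts above concrete, here is an added example (written for this page, not code from the thread or from Cisco) that decodes a config-register value and reports what a practitioner should check before or after a recovery. The bit meanings are the documented classic-IOS ones: bits 0-3 are the boot field, 0x0040 makes the router ignore NVRAM (the startup-config) at boot, 0x0100 disables Break after boot (Break is still honoured for roughly the first minute, which is what recovery relies on), bits 11-12 set console speed and 0x2000 boots the ROM image if network boot fails. The `show version` line format the parser expects and the config text in the test are constructed sample input.

```python
"""Added example, not from the thread: decode Cisco IOS config-register values so
'confreg 0x2142' and what blocks it are concrete.  Bit meanings are the
documented classic-IOS ones (boot field bits 0-3, 0x0040 ignore NVRAM, 0x0100
Break disabled after boot, bits 11-12 console speed, 0x2000 ROM on netboot
failure).  The 'show version' line format and the running-config text used as
input are constructed sample data, not captured from a real device."""
import re
from dataclasses import dataclass

IGNORE_NVRAM = 0x0040        # boot without reading startup-config: the recovery bit
BREAK_DISABLED = 0x0100      # Break ignored after boot; first ~60 s still honoured
ROM_ON_NETBOOT_FAIL = 0x2000
BAUD_MASK = 0x1800
CONSOLE_BAUD = {0x0000: 9600, 0x0800: 4800, 0x1000: 1200, 0x1800: 2400}
NORMAL, RECOVERY = 0x2102, 0x2142     # the two values the posts talk about
SHOW_VER_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]{1,4})"
    r"(?: \(will be (0x[0-9A-Fa-f]{1,4}) at next reload\))?")


@dataclass(frozen=True)
class ConfReg:
    value: int
    boot_field: int
    ignores_startup_config: bool
    break_disabled: bool
    console_baud: int
    rom_on_netboot_fail: bool

    @property
    def boot_source(self) -> str:
        if self.boot_field == 0x0:
            return "ROM monitor"
        if self.boot_field == 0x1:
            return "default boot image (platform dependent)"
        return "boot system commands, else first image in flash"


def decode_confreg(value: int) -> ConfReg:
    if not 0 <= value <= 0xFFFF:
        raise ValueError("config register is a 16-bit value")
    return ConfReg(value, value & 0xF, bool(value & IGNORE_NVRAM),
                   bool(value & BREAK_DISABLED), CONSOLE_BAUD[value & BAUD_MASK],
                   bool(value & ROM_ON_NETBOOT_FAIL))


def recovery_value(current: int) -> int:
    """What 'confreg 0x2142' does to 0x2102: set only the ignore-NVRAM bit."""
    return current | IGNORE_NVRAM


def restore_value(current: int) -> int:
    """Value to set with 'config-register' before the final reload, or the box
    keeps ignoring startup-config on every boot."""
    return current & ~IGNORE_NVRAM & 0xFFFF


def parse_show_version(text: str) -> tuple:
    """Return (current, at-next-reload) register values from 'show version' output."""
    m = SHOW_VER_RE.search(text)
    if not m:
        raise ValueError("no config register line found")
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else current
    return current, pending


def assess(running_config: str, show_version: str) -> list:
    """Findings to check before attempting, or when defending against, recovery."""
    findings = []
    lines = {ln.strip() for ln in running_config.splitlines()}
    current, pending = parse_show_version(show_version)
    if "no service password-recovery" in lines:
        findings.append("no service password-recovery set: Break at boot cannot bypass "
                        "startup-config; the only offer is to erase it")
    if decode_confreg(pending).ignores_startup_config:
        findings.append(f"register will be {pending:#06x} at next reload: startup-config "
                        "is ignored on every boot until config-register 0x2102 is restored")
    if decode_confreg(current).boot_field == 0:
        findings.append("boot field 0x0: router stops in ROM monitor on reload")
    return findings
```

`decode_confreg(0x2142)` differs from `decode_confreg(0x2102)` only in `ignores_startup_config`; `assess()` flags a register left at 0x2142 after a recovery, which is the step people forget, and flags `no service password-recovery`, which is what stops the bypass (Break then only offers to wipe the startup-config). The backup caveat in the post above follows from that.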
Girdle Wax posted: http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a00801d8113.shtml

Mighty cool, thanks. I think AT&T did something different, like actually changing the memory addresses that loaded the boot image. But this will work nicely.

Jul 25, 2008 01:42

Stuff like that should probably only be needed where you cannot be sure of the physical access to your equipment. Colos or equipment at 3rd party sites that you mention, however, are just where it might be useful. Where possible, good physical security is always better, and with it, protecting against someone resetting your gear should be unnecessary. We had a couple of routers at our site where the provider had superglued blank RJ-45 plugs into the console ports...

Jul 25, 2008 06:33

Girdle Wax posted: As a backup you can back up the node database from inside the software, and we also keep docs of where every circuit comes in (and the 'where it goes' can be gleaned from router docs) - though we've never lost a database and the low level software is pretty much rock solid since Cisco didn't initially write it (they bought up a company called Cerent and slapped a new label on the front).

That "low level software" is called TL1 and it's been around since the '70s. Once you learn how to use it, there is no reason to use the CTC GUI stuff. With TL1 you can configure an almost limitless number of boxes with a few macros; all you need is the initial OSC circuits up.

Fun bit of trivia. In CTC version 4 or less (they are up to 8.5 now I think) the default username was "petaluma", as in California, the headquarters of Cerent. So if you ever have the unfortunate task of updating a bunch of 15454s from CTC version 2, to 4 (change TCCs here) to 7 then finally to 8, you'll need to know that. Trust me, I know.

Jul 25, 2008 08:41

Can anyone point me in the direction of a Linux/Unix-based freeware NetFlow collector that's quick and easy to set up? I'm after the quickest way to start capturing data and having it presented in a viewable format, e.g. via Apache. I've got experience with nfcapd (yuck) and NFdump, but both require a fair bit of configuration before they're able to provide useful data. Ideally I want to install it, then configure the router to dump NetFlow data to it, and be able to view this data straight away with minimal config on the collector. Am I asking too much?

[edit] Answering my own question. Have gone for the free version of this since I'm only monitoring one interface: http://manageengine.adventnet.com/products/netflow/index.html?1 [/edit]
Jul 25, 2008 10:38

heresy posted: Can anyone point me in the direction of a Linux/Unix-based freeware Netflow collector, that's quick and easy to set up? I'm after the quickest way to start capturing data, and having it presented in a viewable format eg via Apache. I've got experience with nfcapd (yuck) and NFdump, but both require a fair bit of configuration before they're able to provide useful data.

https://www.ntop.org

Jul 25, 2008 11:59

Powercrazy posted: That "low level software" is called TL1 and it's been around since the 70's. Once you learn how to use there is no reason to use the CTC GUI stuff. With TL1 you can configure an almost limitless number of boxes with a few macros, all you need is the initial OSC circuits up.

That's version 3 and below; 4 was the first Cisco version where they started using the username CISCO15 (all my shelves are still on 4.6 since we only just got TCC2s). TL1's more a language than the underlying software - it's defined by a standard somewhere as the standard language for interacting with telco equipment. I guess the stability more comes from the fact that everything is relatively "simple", since the software is just programming the hardware to tell it which STS/VT1.5 to interconnect to where, and since the hardware is solid the software ends up being that way too.

Jul 25, 2008 12:40

Ah, I was off by one then. I'm still amazed by how many telcos are using TCCs or TCC+s. When I was working in the Richardson SP lab, we had an upgrade almost every month. Usually from version 3 or 4. Occasionally from 7 to 8 (that is a nightmare upgrade as well, because your old high-speed slot OC48 cards don't work in 8). CISCO15 otbu+1

Jul 25, 2008 19:31

Powercrazy posted: Ah, I was off by one then. I'm still amazed by how many telco's are using TCCs or TCC+'s. When I was working in the Richardson SP lab, we had an upgrade almost every month. Usually from version 3 or 4. Occasionally from 7 to 8 (that is a nightmare upgrade as well, because your old highspeed slot OC48 cards don't work in 8.)

We're about to do a 4 -> 4.6 -> 7 -> 8 upgrade, any advice? Mostly single port OC12, 4 port OC3 and DS3XM6 cards.

Jul 25, 2008 21:24

Any "high speed slot" (the triangles) cards MAY not work in 8. But otherwise you should be OK, unless that 4 port OC3 is really old (there's a particular revision of the multi-port cards that has been around forever and won't work in 8; unfortunately I can't recall the exact part number). I take it this is a live system at a telco or something? If it is, then there aren't really any tricks except of course ensuring that your cards are compatible. Are you going to 8.0 or 8.5 or something like that? 8.5 fixes a lot of the "overlooked" problems of 8.0. There are also some incremental releases that fix some specific issues with certain SFPs and XFPs. But it looks like you are dealing with fixed optics, so you are probably just fine. I won't have my CCO access back until Monday, so I can't look up the exact internal engineering documents, but I will certainly check them out when I can. When are you doing the upgrade? I'd like to keep in contact because it will be a nice refresher course for me on the 15454. I've been out of the loop for about 6 months.

Jul 25, 2008 22:38

Yeah, it's our live production rings between our buildings, probably ~ 400-500 VT1.5s riding it. Codewise- yeah we licensed for 8.5 for the shelves we're keeping service so we should be able to go 7->8.5 (iirc we need to stop at 7 after 4.6 for some database upgrade reason). A handful of the OC3s could be pretty old... one of the shelves is a Cerent original. Upgradewise I'm trying to get us to do this in the next couple of weeks- we need to upgrade so we can bring a new shelf into the mix running vxc-10gs and mrc-12- planning to consolidate a pair of our existing shelves into a single new shelf.

Jul 25, 2008 23:34

Quick question: I currently have a single 3750G. I have another 3750G that I would like to add to the stack. What do I need to do to the new 3750G's configuration to make it so it will just become a slave to the currently active 3750G when it is connected to the stack? Anything? Or do I just need to make sure they are both running the same version of the IOS software?

Jul 28, 2008 15:29

HypeTelecon posted: Quick question:

Same version of IOS, yes, but you can also manually modify the stack member election priority. This document may help you: http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_example09186a00807811ad.shtml

Jul 28, 2008 16:01

I think the default priority for most stackable switches out of the box is 1. The higher the switch priority, the more likely it is to become the master. Check your existing switch priority:
code:
On your new switch, make sure the priority is lower than 15 (same command as above) and yes, make sure they're running the same version of code. After that, you should just be able to hook them up (loop-style - stack port 1 on switch 1 to stack port 2 on switch 2, stack port 1 on switch 2 to stack port 2 on switch 1) and power on the second switch.

Jul 28, 2008 18:38

We have a 4948-10GE and a 4948. I would like to reclaim the 4948 to move it to another project, but it has an SFP shooting 1000BaseSX to a customer. The 4948-10GE has a 10000BaseSR that is unused. Is it possible to use the 10000BaseSR GBIC to send 1000BaseSX? I'm leaning towards no, but they both use the same wavelength light so I'm holding out some hope. Alternatively, does anyone make a 1000BaseSX GBIC that will fit into the 10GE's X2 port? Just moving the 4948-10GE is out of the question since it is running traffic now and we need to have the fiber ports from the 4948.

Jul 28, 2008 22:37

FatCow posted: We have a 4948-10GE and a 4948. I would like to reclaim the 4948 to move it to another project but it has a SFP shooting 1000BaseSX to a customer. The 4948-10GE has a 10000BaseSR that is un-used.

The 4948-10GE doesn't support the TwinGig adapter, so there's no way to do this to my knowledge without an external piece of equipment (1000BaseSX fiber transceiver, plug into one of the copper ports on the 4948).

Jul 29, 2008 00:19

Doing a bit of research on Cisco's site, it appears one of the upsell features of the add-in IPS sensor for the ISR routers is that it has a "complete" IPS signature set. Is it really that much different from the built-in IPS on, say, the 1841?

Jul 29, 2008 04:00

To start - I'm loving green when it comes to Cisco stuff. I have a client with a PIX 515 and a T1. Something is sucking up all the bandwidth on the T1, and I'm having trouble figuring out what. I have a trial of Fireplotter that's showing the culprit is source 111.111.111.111. I have no idea what this address is, but it's got active connections to the outside world on multiple ports.

edit: Looks like Fireplotter displays 111.111.111.111 if it can't find the name. Fuuuuuuck.
Jul 29, 2008 17:13

What kind of a switch do you have? You can possibly try setting up a SPAN to a PC running Wireshark or some other packet sniffer and look for suspicious activity that way... FTP sessions that look out of place, or BitTorrent.

Jul 29, 2008 17:51

Syano posted: Doing a bit of research on Cisco's site it appears one of the sell up features of the add in IPS sensor for the ISR routers is it has a "complete" IPS signature set. Is it really that much different from the built in IPS on say the 1841?

Yes, and with AIM-IPS you get hardware acceleration. I don't know how much traffic you are pushing so I can't really comment as to what is appropriate. Give presales a call?

Jul 29, 2008 18:00

Syano posted: Doing a bit of research on Cisco's site it appears one of the sell up features of the add in IPS sensor for the ISR routers is it has a "complete" IPS signature set. Is it really that much different from the built in IPS on say the 1841?

I hardly ever hear anything about IPS on ISRs, but allegedly the IPS AIM is functionally similar to the 4200 series sensor, or the ASA's IPS engine.

Richard Noggin posted: I have a client with a PIX 515 and a T1. Something is sucking up all the bandwidth on the T1, and I'm having trouble figuring out what. I have a trial of Fireplotter that's showing the culprit is source 111.111.111.111. I have no idea what this address is, but it's got active connections to the outside world on multiple ports.

Jul 29, 2008 18:01

Richard Noggin posted: To start - I'm loving green when it comes to Cisco stuff.

Look at your NAT translations for those same ports.

Jul 29, 2008 18:38

Richard Noggin posted: To start - I'm loving green when it comes to Cisco stuff.

I'd get into whatever router is routing for the T1 and do ip-accounting on the relevant interface. "sh ip nat trans" may be helpful as well?

Jul 29, 2008 23:15

The problem was one rogue notebook with some sort of malware - I haven't been able to get my hands on it yet, as the site is about 800 miles away. This is a new site we're in charge of, and I had (have) no Cisco experience whatsoever. I'm getting the hang of it, but have a long, long way to go. Thanks everyone for their help.

Jul 30, 2008 01:26

Tremblay posted: Yes, and with AIM-IPS you get hardware acceleration. I don't know how much traffic you are pushing so I can't really comment as to what is appropriate. Give presales a call?

Not much traffic at all really. The idea is to come up with a complete firewall solution for this branch in question. There is going to be an ASA 5510 with the CSC-SSM installed. The office already has an 1841 in place and we just didn't know if there was that much of a feature difference to use the add-on sensor vs the built-in IPS in the IOS.

Jul 30, 2008 02:55

Next question: A PIX-PIX VPN as such: 192.168.0.0/24 --PIX--INTERNET--PIX--192.168.10.0/24 Each PIX is at .1 in its respective subnet. How do I permit snmp polling from 192.168.0.10 to 192.168.10.1? Here's output of sh run on 192.168.10.1: code:

Jul 30, 2008 17:41

We have an application server that queries a webserver on our network, with an ASA doing HTTP inspection between them. The configuration has been set up in such a way that in most cases it should only log alerts generated by the inspection, but still allow them to pass:
code:
code:
If I remove the 'inspect http to_webserver_httpmap' from outgoing_verification, the connections stop being blocked and users no longer report problems. Is there any reason that it'd be dropping connections even though it should just be logging the alert and allowing them through? Furthermore, why does it think the connections aren't being answered? As far as I can tell the webserver is responding to the requests fine.

Jul 31, 2008 04:33

Is there a way to debug UDP packets so that I can see which VLAN/subinterface they are received on? The router is a 2611XM, IOS 12.3(9a).

Jul 31, 2008 14:16