jwh
Jun 12, 2002

When you say one local admin account, is that local to the 2800, or local to ACS? You may want to try and create a local account in ACS to test with, just to rule out some of the glue.

I've seen a lot of bizarro issues with the AD agents. Did you install the CSWinAgent stuff on your domain controller? You can hop on there and check logs if you suspect you're hitting a backend problem. The fact that you're not seeing any failures logged to the ACS failure log makes me suspicious.

EconOutlines
Jul 3, 2004

I mentioned to my friend the other day that I was thinking about setting up a residential VOIP for my apartment, nothing fancy. Both of us don't know too much about providers but he offered me a used Cisco 79XX series phone. More than likely a 60 or 70 if I could get a VOIP service that works with it. Is this possible and if so how?

Any idea on what provider and how to configure the phone? I thought they were only for businesses but oh well...

ragzilla
Sep 9, 2005
don't ask me, i only work here


Roving Reporter posted:

I mentioned to my friend the other day that I was thinking about setting up a residential VOIP for my apartment, nothing fancy. Both of us don't know too much about providers but he offered me a used Cisco 79XX series phone. More than likely a 60 or 70 if I could get a VOIP service that works with it. Is this possible and if so how?

Any idea on what provider and how to configure the phone? I thought they were only for businesses but oh well...

Any provider that works with SIP will work with the 79(40|60|70) once you switch out the code for SIP code (which is a minor challenge, but easily overcome if you can set up a tftp server). You may also want to poke your head in at the Asterisk thread if you have an old box / a box sitting around running linux- then you could set up your 79xx to talk to that, and use the Asterisk box to talk to your SIP/IAX providers.

Lowen SoDium
Jun 5, 2003

Highen Fiber
Clapping Larry
I have an ASA 5505 running Version 8.0(3).

Is there a way to schedule a weekly reboot? Like, say, every Sunday at 3am?

Before anyone asks, this is a band-aid to get around an ISP problem that I am currently working on, but don't expect to have resolved anytime soon.

Lowen SoDium fucked around with this message at 18:22 on Aug 21, 2008

BoNNo530
Mar 18, 2002

jwh posted:

When you say one local admin account, is that local to the 2800, or local to ACS? You may want to try and create a local account in ACS to test with, just to rule out some of the glue.

I've seen a lot of bizarro issues with the AD agents. Did you install the CSWinAgent stuff on your domain controller? You can hop on there and check logs if you suspect you're hitting a backend problem. The fact that you're not seeing any failures logged to the ACS failure log makes me suspicious.

I decided to uninstall it and put it on a domain controller. I imported the domain and everything is working fine now. I guess maybe 4.2 has to be on a domain controller? That is weird because we used 3.3 fine on a regular server. Oh well.

jwh
Jun 12, 2002

BoNNo530 posted:

I decided to uninstall it and put it on a domain controller. I imported the domain and everything is working fine now. I guess maybe 4.2 has to be on a domain controller? That is weird because we used 3.3 fine on a regular server. Oh well.

ACS is weird, CSWinAgent is weird, and I'm amazed it works even half the time. Glad you got it working though!

ragzilla
Sep 9, 2005
don't ask me, i only work here


Lowen SoDium posted:

I have an ASA 5505 running Version 8.0(3).

Is there a way to schedule a weekly reboot? Like, say, every Sunday at 3am?

Before anyone asks, this is a band-aid to get around an ISP problem that I am currently working on, but don't expect to have resolved anytime soon.

Unless the ASA supports the "kron" command, the best you're probably going to get is setting yourself a scheduled task to log into it every Friday and set up a "reload at" command every week.

Or you could script that with clogin or similar.

Lowen SoDium
Jun 5, 2003

Highen Fiber
Clapping Larry

Girdle Wax posted:

Unless the ASA supports the "kron" command, the best you're probably going to get is setting yourself a scheduled task to log into it every Friday and set up a "reload at" command every week.

Or you could script that with clogin or similar.

Yeah, that's what I figured. ASA doesn't seem to support kron as of 8.0(3).

Weissbier
Apr 8, 2007
good for the soul
We have sshv2 loaded on a lot of our switches, and utilize putty to access them. Doing it the old way, telnetting from a command prompt, we could telnet to another switch from that switch.

Is there a way to ssh into another ssh'd switch from privileged mode?

ragzilla
Sep 9, 2005
don't ask me, i only work here


Weissbier posted:

We have sshv2 loaded on a lot of our switches, and utilize putty to access them. Doing it the old way, telnetting from a command prompt, we could telnet to another switch from that switch.

Is there a way to ssh into another ssh'd switch from privileged mode?

If it has the ssh client feature:
code:
>ssh ?
  -c    Select encryption algorithm
  -l    Log in using this user name
  -m    Select HMAC algorithm
  -o    Specify options
  -p    Connect to this port
  -v    Specify SSH Protocol Version
  WORD  IP address or hostname of a remote system

jbusbysack
Sep 6, 2002
i heart syd

Girdle Wax posted:

If it has the ssh client feature:
code:
>ssh ?
  -c    Select encryption algorithm
  -l    Log in using this user name
  -m    Select HMAC algorithm
  -o    Specify options
  -p    Connect to this port
  -v    Specify SSH Protocol Version
  WORD  IP address or hostname of a remote system

To add onto Girdle Wax's comment, if you can SSH into a device you can SSH out of it.

Alowishus
Jan 8, 2002

My name is Mud
Need help with some pretty basic NAT and routing. I have an office network (192.168.1.0/24) and a new internet connection from XO that comes into the phone closet as Ethernet. XO gave me two sets of addresses:

WAN side: 65.47.xx.20/30
LAN side: 216.x.105.64/27

The LAN side addresses are the public IP range that was assigned to the company. What I need to do is configure a Cisco 1841 with two FastEthernet interfaces to provide the office with internet access. It will also need to pass some selected traffic (DNS, web) back into servers located in the internal office network.

This is where my confusion sets in... I only have FE0/0 and FE0/1 to work with, yet I have three address blocks that need to be handled. So if FE0/0 gets 65.47.xx.21 to talk to XO, and FE0/1 gets 216.x.105.65 to be my LAN side gateway, where the hell does the NAT and a physical connection to the internal network happen?

If I had two routers, this would be easy to do. But I have to imagine this is a pretty common configuration for people using Ciscos with their ISPs... what trick am I missing?

jwh
Jun 12, 2002

XO is routing the /27 to the 65.47.xx.20/30 IP. What you do with the /27 at that point is up to you- you don't have to stick the /27 on a spare ethernet interface.

In fact, what makes more sense, is to simply carry the XO /30 on Fa0/0, and your existing internal network (192.168.1.0/24) on Fa0/1 (or vice versa, whichever you prefer), and then statically nat from your /27 allocation towards your internal resources that require it. You should probably null route the /27.

Or, you could build a DMZ network on a separate VLAN, and then bring your 192.168.1.0/24 and new DMZ into Fa0/1 as dot1q subinterfaces for some additional access control. Or buy an additional ethernet interface for your 1841- the HWIC-4ESW etherswitch module is like $600 I think, and you get four ports (although you need to build SVIs for your layer 3 interfaces). I think they also have a new HWIC-1E routed interface now.

Weissbier
Apr 8, 2007
good for the soul
Thanks for the info on SSH.

Can you SSH from an ASA? If I putty into our ASA from home using SSH, how can I access the internal switches?

ASA commands are all different :(

jbusbysack
Sep 6, 2002
i heart syd

Weissbier posted:

Thanks for the info on SSH.

Can you SSH from an ASA? If I putty into our ASA from home using SSH, how can I access the internal switches?

ASA commands are all different :(

No you cannot and that is intentional. What is recommended is to create Remote Access VPN profiles and use those to gain internal network connectivity. This is because of the multi-interface functionality of the ASA and the desire to enforce the ingress/egress interface policies. Also it's just bad form in general, because if you're having to hop through your firewall there's problems abound anyway :)

We can paste scripts for that if so desired.

Weissbier
Apr 8, 2007
good for the soul

jbusbysack posted:

No you cannot and that is intentional. What is recommended is to create Remote Access VPN profiles and use those to gain internal network connectivity. This is because of the multi-interface functionality of the ASA and the desire to enforce the ingress/egress interface policies. Also it's just bad form in general, because if you're having to hop through your firewall there's problems abound anyway :)

We can paste scripts for that if so desired.

Thanks, I'm very ASA/Pix ignorant.

The way I'm doing it now is via a VPN account that someone else set up, remote into my box at work, then operate off of that. Is that what you're saying to do? Thanks

ior
Nov 21, 2003

What's a fuckass?
code:
Router#sh inventory  | inc ^PID.*WS-.*(PFC3B|SUP32)
PID: WS-SUP32-GE-3B    , VID: V06, SN: xxxxxxxxx
PID: WS-F6K-PFC3BXL    , VID: V01, SN: xxxxxxxxx
Router#sh mls cef maximum-routes 
FIB TCAM maximum routes :
IPv4                - 1007k
Discuss! (anyone from Cisco care to comment? Is this supported by TAC? Will it be blocked in future IOS releases?)

Edit: removed the serials to protect the guilty.

ior fucked around with this message at 23:53 on Aug 25, 2008

ragzilla
Sep 9, 2005
don't ask me, i only work here


ior posted:

code:
Router#sh inventory  | inc ^PID.*WS-.*(PFC3B|SUP32)
PID: WS-SUP32-GE-3B    , VID: V06, SN: xxxxxxxxx
PID: WS-F6K-PFC3BXL    , VID: V01, SN: xxxxxxxxx
Router#sh mls cef maximum-routes 
FIB TCAM maximum routes :
IPv4                - 1007k
Discuss! (anyone from Cisco care to comment? Is this supported by TAC? Will it be blocked in future IOS releases?)

Edit: removed the serials to protect the guilty.

I believe in the past the consensus on c-nsp (and the few Cisco folks that post on it):

It's unsupported.
While they won't intentionally break it, don't count on it continuing to work if you upgrade.

Alowishus
Jan 8, 2002

My name is Mud

jwh posted:

In fact, what makes more sense, is to simply carry the XO /30 on Fa0/0, and your existing internal network (192.168.1.0/24) on Fa0/1 (or vice versa, whichever you prefer), and then statically nat from your /27 allocation towards your internal resources that require it. You should probably null route the /27.
Ok, I think I see where you're going... but in Cisco config terms if I have:
code:
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside

interface FastEthernet0/0
 ip address 65.47.xx.20 255.255.255.252
Where do I put the 'ip nat outside' statement? I see how I could probably write 'ip nat inside source static 192.168.1.10 216.x.105.65' to get the static NAT going for a particular inside machine, but what if I want the rest of the internal network's outbound traffic to also be NATted behind one of the LAN side addresses?

jwh
Jun 12, 2002

Alowishus posted:

Ok, I think I see where you're going... but in Cisco config terms if I have:
code:
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside

interface FastEthernet0/0
 ip address 65.47.xx.20 255.255.255.252
Where do I put the 'ip nat outside' statement?
Put it on Fa0/0.

Alowishus posted:

I see how I could probably write 'ip nat inside source static 192.168.1.10 216.x.105.65' to get the static NAT going for a particular inside machine, but what if I want the rest of the internal network's outbound traffic to also be NATted behind one of the LAN side addresses?

Well, let's do it this way: we'll create an access list describing your inside LAN address space, and then we'll create an overload NAT that will NAT packets from your LAN to your Fa0/0 interface's IP address.
code:
access-list 80 permit 192.168.1.0 0.0.0.255
ip nat inside source list 80 interface Fa0/0 overload
That'll NAT everything to the 65.47.xx.20 address, but it sounds like that's not exactly what you want, so we can try something else:
code:
access-list 80 permit 192.168.1.0 0.0.0.255
ip nat pool pool1 216.xx.105.65 216.xx.105.65 prefix-length 32
ip nat inside source list 80 pool pool1 overload
I haven't tested it, but that should work, I bet.
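As an added example that is not from the thread or from either poster, here is a complete minimal 1841 configuration for the layout jwh describes: the XO /30 on Fa0/0 as NAT outside, the office 192.168.1.0/24 on Fa0/1 as NAT inside, the routed /27 null-routed, a static NAT for one internal server, PAT for everyone else behind a second /27 address, and an inbound filter on the outside interface that only exposes DNS and web to that server. The router-side /30 address (.21, with XO on .22; in a /30 whose network address is .20 those are the only two usable hosts), the server 192.168.1.10, its public address .65, the PAT address .66 and the ACL name FROM-XO are assumptions; the "x"/"xx" octets are the thread's own placeholders.

```cisco
! Added example, not part of the thread: minimal 1841 config for the XO setup.
! Assumptions: router side of the /30 is .21 and XO's side is .22 (in a /30
! whose network address is .20 these are the only usable hosts); the internal
! server is 192.168.1.10, reachable from outside as .65; .66 is the PAT
! address; the "x"/"xx" octets are the thread's own placeholders.
!
! Inbound filter for the outside interface. On the outside-to-inside path IOS
! evaluates the inbound ACL before NAT, so it matches the public /27
! addresses, not the 192.168.1.x ones. Only DNS and web reach the server;
! return traffic for outbound sessions is allowed back to the PAT address.
ip access-list extended FROM-XO
 permit udp any host 216.x.105.65 eq domain
 permit tcp any host 216.x.105.65 eq domain
 permit tcp any host 216.x.105.65 eq www
 permit tcp any host 216.x.105.65 eq 443
 permit tcp any host 216.x.105.66 established
 permit udp any host 216.x.105.66 gt 1023
 permit icmp any 216.x.105.64 0.0.0.31 echo-reply
 permit icmp any 216.x.105.64 0.0.0.31 unreachable
 permit icmp any 216.x.105.64 0.0.0.31 time-exceeded
 permit icmp any host 65.47.xx.21 echo-reply
 deny ip any any log
!
interface FastEthernet0/0
 description XO /30 link, NAT outside
 ip address 65.47.xx.21 255.255.255.252
 ip nat outside
 ip access-group FROM-XO in
!
interface FastEthernet0/1
 description Office LAN, NAT inside
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Default route towards XO's end of the /30.
ip route 0.0.0.0 0.0.0.0 65.47.xx.22
!
! XO routes the whole /27 at this router. Null-route it so packets for
! addresses with no NAT mapping are dropped here instead of being bounced back
! to XO via the default route. Static and overload translations are applied
! before routing on the outside-to-inside path, so mapped addresses still work.
ip route 216.x.105.64 255.255.255.224 Null0
!
! One-to-one NAT for the internal server that must be reachable from outside.
ip nat inside source static 192.168.1.10 216.x.105.65
!
! Everyone else goes out behind a single /27 address (PAT). Using an address
! other than .65 keeps inbound traffic to the server unambiguous.
access-list 80 permit 192.168.1.0 0.0.0.255
ip nat pool OUTBOUND 216.x.105.66 216.x.105.66 netmask 255.255.255.224
ip nat inside source list 80 pool OUTBOUND overload
```

After applying it, `show ip nat translations` should list the static entry for .65 plus one overload entry per outbound session, and `show access-lists FROM-XO` will show the deny counter climbing for anything else aimed at the /27. The `established` and `gt 1023` lines are the weak point: `established` only checks TCP flags, so it is a stateless approximation of "return traffic". If the 1841's image has the security feature set, `ip inspect` (CBAC) or the zone-based firewall is the proper stateful replacement for those two lines.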

Boner Buffet
Feb 16, 2006
Does anyone use putty for serial connections? When you "sh run" and space through on a switch with lots of ports and settings putty will choke on itself and lock up. From what I've read so far, it's a known problem but apparently fixed in 0.60.0.

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

InferiorWang posted:

Does anyone use putty for serial connections? When you "sh run" and space through on a switch with lots of ports and settings putty will choke on itself and lock up. From what I've read so far, it's a known problem but apparently fixed in 0.60.0.

Hyperterm
TeraTerm Pro

Both far better than putty for any console port setups.

inignot
Sep 1, 2003

WWBCD?
Has anyone ever found a resource for looking up Cisco IOS debug messages? The error decoder doesn't accept debug output.

I've got (yet another) vpn to hammer into shape. This one is between a router and a concentrator (ugh). It's giving me a problem after phase 1 completes successfully. The debug logs referencing message ids and payload type numbers look tantalizingly explicit in their descriptiveness; but I can't find anything that offers an interpretation. Googling them hasn't led me anywhere either.

code:
Aug 25 10:01:20.597 EDT: ISAKMP:(13198):SA authentication status: authenticated
Aug 25 10:01:20.597 EDT: ISAKMP:(13198):SA has been authenticated with 208.X.Y.Z
Aug 25 10:01:20.597 EDT: ISAKMP:(13198):IKE_DPD is enabled, initializing timers
Aug 25 10:01:20.597 EDT: ISAKMP: Trying to insert a peer 64.A.B.C/208.X.Y.Z/4500/,  and inserted successfully 675C214C.
Aug 25 10:01:20.597 EDT: ISAKMP:(13198):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 25 10:01:20.597 EDT: ISAKMP:(13198):Old State = IKE_I_MM5  New State = IKE_I_MM6 
Aug 25 10:01:20.597 EDT: ISAKMP:(13198):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 25 10:01:20.597 EDT: ISAKMP:(13198):Old State = IKE_I_MM6  New State = IKE_I_MM6 
Aug 25 10:01:20.597 EDT: ISAKMP:(13198):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Aug 25 10:01:20.597 EDT: ISAKMP:(13198):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE 
Aug 25 10:01:20.597 EDT: ISAKMP:(13198):beginning Quick Mode exchange, M-ID of -1118847445
Aug 25 10:01:20.597 EDT: ISAKMP:(13198):QM Initiator gets spi
Aug 25 10:01:20.601 EDT: ISAKMP:(13198): sending packet to 208.X.Y.Z my_port 4500 peer_port 4500 (I) QM_IDLE      
Aug 25 10:01:20.601 EDT: ISAKMP:(13198):Node -1118847445, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Aug 25 10:01:20.601 EDT: ISAKMP:(13198):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Aug 25 10:01:20.601 EDT: ISAKMP:(13198):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Aug 25 10:01:20.601 EDT: ISAKMP:(13198):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 
Aug 25 10:01:20.665 EDT: ISAKMP (0:13198): received packet from 208.X.Y.Z dport 4500 sport 4500 Global (I) QM_IDLE      
Aug 25 10:01:20.665 EDT: ISAKMP: set new node 974969034 to QM_IDLE      
Aug 25 10:01:20.677 EDT: ISAKMP:(13198): processing HASH payload. message ID = 974969034
Aug 25 10:01:20.677 EDT: ISAKMP:received payload type 18
Aug 25 10:01:20.677 EDT: ISAKMP:(13198): processing DELETE_WITH_REASON payload, message ID = 974969034, reason: Unknown delete reason!
edit : the misinterpreted smilies are apropos

inignot fucked around with this message at 23:07 on Aug 26, 2008

permanoob
Sep 28, 2004

Yeah it's a lot like that.
I'm setting up a domain for a 70~ client network and need some firewall and routing security. Is my best bet to go with a 5500 appliance? Also, looking at different 5500 appliances, some say 10 user, some say 50 user? Is that VPN users or LAN users? Both?

If it's both, should I go for a 50 user setup and just buy another license for more users? I'm also reading about VLAN/DMZ communication limitations? What are they?

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


It might be possible that I can work my way up through my place of work - all the way to the Cisco stuff.

So, instead of going back to school to get a degree in CompSci, I could just get my CCNA and move up through the ranks. I'd probably try to teach myself everything, make my own lab with a bunch of old switches/routers. I suppose it'd take me three-four months before I'd be ready to get certified?

Anyway, can someone describe how the typical day goes? The good and the bad.

jwh
Jun 12, 2002

Tab8715 posted:

Anyway, can someone describe how the typical day goes? The good and the bad.

IT, and especially network engineering, is a lesson in apprehensive living- there is no predicting the good days from the crisis days. Everything you do right will go largely unnoticed, and everything you do wrong will be illuminated with a spotlight. This has been my experience, at least. But this is not necessarily a bad thing, as it encourages proper network engineering behavior, which is to say, the practice of leaving yourself plenty of outs. The goal of every network engineer worth his salt is to lose half his poo poo and not be woken up. At least, that's been my goal and benchmark.

Typical day to day for me involves answering trouble tickets that are escalated beyond our help desk, which is maybe one or two per day. The rest of the time, I'm coordinating circuit installations or doing configuration work. The time that's left over, I'm doing preliminary engineering work on new stuff, like wireless, or SSL VPN. Or administrative work, like working SMARTnet renewals, or project planning inside the network group. Oh, and drinking plenty of coffee, and reading important news on the Internet, which is to say, the forums, aldaily, and joystiq.com.

It's not a bad career by any stretch, but like most careers, you should be interested in the material beyond it being a means to an end, or else you'll never survive. For whatever it's worth, if you're seriously considering a change in career, ask yourself what you'd be doing even if you weren't working, and then find a way to have somebody pay you to do that. You'll be much happier in the end.

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue
jwh do you work with me? :)

His typical day is exactly like mine, but on top of that I get to deal with slow government purchasing, redtape, and the all fun network certifications, where a guy with no network engineering experience gets to come in and argue with you about why you do this one thing that way.

Joss Laypeg
Oct 11, 2007
A psychotic is a guy who's just found out what's going on. - WSB

inignot posted:

Has anyone ever found a resource for looking up Cisco IOS debug messages? The error decoder doesn't accept debug output.

I've got (yet another) vpn to hammer into shape. This one is between a router and a concentrator (ugh). It's giving me a problem after phase 1 completes successfully. The debug logs referencing message ids and payload type numbers look tantalizingly explicit in their descriptiveness; but I can't find anything that offers an interpretation. Googling them hasn't led me anywhere either.

If you ever find a tool that can turn ISAKMP log messages into anything resembling English that will deserve its own thread.

Firstly, I assume the encryption domains match exactly on both sides?

Looks like NAT-T is enabled - do you actually need that in this case? It shouldn't do much harm if you don't, assuming both ends are using the same NAT-T draft and the moon is in the right phase.

Do both ends have Dead Peer Detection enabled? If one doesn't that can cause issues, especially if different vendors are involved.

Also I would like to nominate this for error message of the day :
code:
processing DELETE_WITH_REASON payload, message ID = 974969034, reason: Unknown delete reason!
It's just so helpful.

ionn
Jan 23, 2004

Din morsa.
Grimey Drawer
Network design! Our SSR routers from the dark ages need to go, and I want to get Cisco gear instead. The thing is, I don't have a clue what is the best deal for us in terms of what hardware to get. Here's the deal:

* 10 or so directly connected networks (with varying load and population). At least three of them need gigabit interfaces.
* Don't really need "wirespeed gigabit" routing between the nets, a couple hundred Mbits would do fine.
* 3 Ethernet WAN links between sites (10-100Mbit).
* Need to support OSPF, GRE, HSRP
* The network (one big OSPF area) has about 10 routers and just over 100 routes (including loopbacks and redistributed statics). Need room to grow to maybe twice that, in all not a horribly large routing table.
* One single organization, no access lists or crap in between.
* Need some QoS support (our VoIP traffic is tagged and ready)
* No single points of failure, meaning anything mentioned below is just half the stack
* On a rather tight budget. I can get what is needed, but probably nothing more.


Since gigabit ports are rather expensive in a "real" router, I'm thinking about how to get by with as few as possible, by using switches to "break out" more ports. I basically have these ideas on how to do it:

* One router (Cisco 2821?), use both gig ports as a portchannel to a L2 switch (such as a 2960G). All the networks go as VLANs, to various ports on the switch (which are connected to access switches, or straight to the "important" servers and such). Maybe get separate 100Mbit interfaces for the main WAN links. Downside is everything between LANs has to pass through the portchannel via the router, and I don't know how it likes routing between VLAN interfaces.

* Same router, with a portchannel to a L3 switch (3560G/3750G). L3 switch acts as router between the local networks, with static routes (possibly RIP?) between the switch and the router, and the router speaks OSPF to the rest of the world and handles all the other stuff. Probably good performance, but seems a bit stupid with static routes and stuff.

* Just use an L3 switch (3560G/3750G/4948?) with "enhanced" image to do it all in one box. Not sure how those L3 switches act as routers, or how the feature set is.

* 2821/2851/3845 and more gig interfaces. "Proper" solution, but more expensive. Can only buy this stuff if necessary, and after fighting a bit with the finance people.

I really have just very vague ideas on where to go. I've asked some contacts for suggestions, but since they want to sell the hardware I assume they will try to sell me more than I need.
In my last job this would have been solved by throwing several bags of money at it (a quite similar network there had 6509/Sup720 in the middle, 3845 at remote sites, and 6509/Sup32 as access switches), but that's not going to happen here...

What should I do to get adequate performance for my budget (need to get new firewalls as well), and that won't fall apart on me?

ragzilla
Sep 9, 2005
don't ask me, i only work here


ionn posted:

* Just use an L3 switch (3560G/3750G/4948?) with "enhanced" image to do it all in one box. Not sure how those L3 switches act as routers, or how the feature set is.

If you don't need synchronous interfaces (T1s, DS3s, etc) this is an excellent way to go. Performance on layer 3 switches is excellent so long as you don't exceed the TCAM limitations (which with 100 routes, you're probably not likely to).

ionn
Jan 23, 2004

Din morsa.
Grimey Drawer

Girdle Wax posted:

If you don't need synchronous interfaces (T1s, DS3s, etc) this is an excellent way to go. Performance on layer 3 switches is excellent so long as you don't exceed the TCAM limitations (which with 100 routes, you're probably not likely to).

I do not. The last such circuit was decommissioned a couple of years ago, and the chances are very small we will ever get anything without an ethernet interface (as long as ethernet is the networking standard). And if we do, we can get a separate router + interface just for that.

Using some kind of "this is how much the TCAM can hold" (MAC addresses + VLANs + routes) number from Cisco, it seemed to me like the 3560G could take roughly our current network + projected growth x10. And if it runs out, I guess we could split things up when the need arises.

Then, what is the best stuff? From what I can tell, the difference between 3560 and 3750 is mainly the stacking and 10Gig capabilities. Stacking seems well enough for switches, but can it really be a good idea for two routers?

I'll have to make a better count of the ports needed. 2 24-port units should hold most stuff, but 2x48 would take just about "everything" (with all important servers having one port on each unit). 4948 seems really good, but 3560/3750 looks very capable indeed (and cheaper).

jwh
Jun 12, 2002

ionn posted:

* 3 Ethernet WAN links between sites (10-100Mbit).

Are you going to carry your WAN links into the same devices as your connected servers? If so, are there security implications?

ionn posted:

* Need to support OSPF, GRE, HSRP

What is your GRE requirement? 3560G and 3750G will not do GRE in hardware, which means it may as well not do it at all.

ionn posted:

* Need some QoS support (our VoIP traffic is tagged and ready)

QoS support is great on 3560G/3750G- four queues per-port with a configurable priority queue. It's not easy to configure, though, so you may need to do some reading.

ionn posted:

* On a rather tight budget. I can get what is needed, but probably nothing more.

Well, 3560Gs are roughly five-thousand a pop, and maintenance is about $350 a year for SMARTnet 8x5xNBD(SNT), although the 3560Gs have a limited lifetime warranty covering the hardware.

ionn posted:

What should I do to get adequate performance for my budget (need to get new firewalls as well), and that won't fall apart on me?

If you're buying separate firewall devices, 3560Gs are great switches. At this point, I'd be concerned about your GRE requirement, and whether your access control platform is going to cost you an arm and a leg to support the kind of throughput you're suggesting (in the hundreds of megabits area).

CrazyDutchie
Aug 5, 2005
You may want to check out the Catalyst 4500 series. Not the new expensive series you mentioned :) Sure, they are a bit more expensive compared to a 3560, but you can have redundant powersupplies, redundant supervisors, there is room for an IPS or firewall or whateveryouwant module.

If you can squeeze it in your budget or get your budget increased to support it, it will meet your goal and it will let you sleep soundly at night, since fatal hardware failure is unlikely.

CrazyDutchie fucked around with this message at 21:45 on Aug 27, 2008

ionn
Jan 23, 2004

Din morsa.
Grimey Drawer

jwh posted:

Are you going to carry your WAN links into the same devices as your connected servers? If so, are there security implications?

The WAN links between our sites are private links (mostly layer 2 links), and can be considered secure. We need no security restrictions for those connections. The stuff that needs protecting, is already behind a separate firewall.

jwh posted:

What is your GRE requirement? 3560G and 3750G will not do GRE in hardware, which means it may as well not do it at all.

We only use GRE to be able to do OSPF over a couple of backup links (IPSec VPN tunnels and such). GRE is only used for encapsulation, not for any encryption, as that is handled by separate VPN devices. We do not require much from it in terms of performance, if it can push through a few megabits of unencrypted traffic over GRE, that is good enough.

jwh posted:

QoS support is great on 3560G/3750G- four queues per-port with a configurable priority queue. It's not easy to configure, though, so you may need to do some reading.

While I understand the basics of what QoS does, it's still a big scary numbers game to me. I definitely need some reading up on it before giving it a go. We are getting by without it just because we have bandwidth to spare, but eventually I want it in there. I do have lab equipment to try it out, so I think I can pull it off given some time.

jwh posted:

Well, 3560Gs are roughly five-thousand a pop, and maintenance is about $350 a year for SMARTnet 8x5xNBD(SNT), although the 3560Gs have a limited lifetime warranty covering the hardware.

Since we are mainly planning on having hardware doubled up (as even an hour production downtime would be very costly, and losing these routers would kill pretty much everything), I don't think we'd need anything too extravagant for hardware support. Something that can give us hardware replacements covered for a few years would do nicely. I can easily sell something that costs 10% of the hardware cost per year to management, and we still pay loads more for support on the PBX (which is only slightly more important, and less stable).

Prices are slightly different here (Sweden), and we are really a very small Cisco customer with no kinds of sweet deals. I'll check up on prices on the various L3 switches and see what I'll end up with. We are looking at new firewalls as well, and we might end up buying a few ASA-somethings at the same time.

In all it's the usual deal. Management wants something that can't break, but they do not really want to pay for it even if a single outage will probably cost way more.

jwh posted:

If you're buying separate firewall devices, 3560Gs are great switches. At this point, I'd be concerned about your GRE requirement, and whether your access control platform is going to cost you an arm and a leg to support the kind of throughput you're suggesting (in the hundreds of megabits area).

We have separate firewall and VPN endpoint equipment (a mix of different devices) for any kind of encryption, and none of that is really performance-critical.

Looking closer, the 3750 really does nothing that the 3560 does not, that we might ever need in a router. 10Gig models are out of the question, and stacking routers seems silly. Question is, will a 4948 do me any extra good? It's (probably) not that much more expensive than a 48-port 3560G, and does offer better performance, I'm just not sure we'd need it.

CrazyDutchie posted:

You may want to check out the Catalyst 4500 series. Not the new expensive series you mentioned :) Sure, they are a bit more expensive compared to a 3560, but you can have redundant powersupplies, redundant supervisors, there is room for an IPS or firewall or whateveryouwant module.

If you can squeeze it in your budget or get your budget increased to support it, it will meet your goal and it will let you sleep soundly at night, since fatal hardware failure is unlikely.

A pair of 3560G-24TS-E would fit in my budget, and it can probably be stretched to 3560G-48 or 4948, but a 4500 with dual stuff would simply not be possible...
Also, I would actually rather have two separate units with no redundancy each, than a single one with "dual everything". I have seen a faulty line card bring down a 6509 with dual Sup32's, and I would put more trust in two separate 3560's. Also, the 4948 can do dual PSU's after all.

inignot
Sep 1, 2003

WWBCD?

Reefer Inc. posted:

If you ever find a tool that can turn ISAKMP log messages into anything resembling English that will deserve its own thread.

Firstly, I assume the encryption domains match exactly on both sides?

Looks like NAT-T is enabled - do you actually need that in this case? It shouldn't do much harm if you don't, assuming both ends are using the same NAT-T draft and the moon is in the right phase.

Do both ends have Dead Peer Detection enabled? If one doesn't that can cause issues, especially if different vendors are involved.

Also I would like to nominate this for error message of the day:
code:
processing DELETE_WITH_REASON payload, message ID = 974969034, reason: Unknown delete reason!
It's just so helpful.

I don't own both ends of the VPN, if I did I would have already been done. Based on the config the other guy sent me for his 3000 series VPN concentrator, it looked like nat-t wasn't enabled. I suggested he enable it, and the tunnel started working yesterday. Only having access to one end of a VPN tunnel that doesn't work is the exact scenario for which it would be great to get a real read on debug output. Some programmer at Cisco had to have coded the error message that contains: DELETE_WITH_REASON payload, message ID = 974969034; and that message ID means something.

jwh
Jun 12, 2002

ionn posted:

if it can push through a few megabits of unencrypted traffic over GRE, that is good enough.
Well, I'm not sure how well the 3560G will push a couple megabits of GRE. 3560Gs only have either 200 or 400MHz powerpc processors (as best as I can recall, at least).


ionn posted:

While I understand the basics of what QoS does, it's still a big scary numbers game to me.
With the switches, you basically tell the switch which dscp code points to map to which hardware queues (of which you have four to play with). You then tell the switch how to allocate resources among those queues. It's definitely worth reading up on though, because there are platform specific knobs and buttons you may need to push (or not push).


ionn posted:

Question is, will a 4948 do me any extra good? It's (probably) not that much more expensive than a 48-port 3560G, and does offer better performance, I'm just not sure we'd need it.
I don't know how much 4948s are off the top of my head, and we never quoted them out, but they have a reputation for being extremely fast, and extremely expensive.

With comprehensive access control off the table, the 3560Gs will be great switches. I'm still worried about the GRE throughput, but, worst case scenario, you could put a little ISR in instead (ie., 2800) to terminate the GRE.

ionn
Jan 23, 2004

Din morsa.
Grimey Drawer

jwh posted:

I don't know how much 4948s are off the top of my head, and we never quoted them out, but they have a reputation for being extremely fast, and extremely expensive.

With comprehensive access control off the table, the 3560Gs will be great switches. I'm still worried about the GRE throughput, but, worst case scenario, you could put a little ISR in instead (ie., 2800) to terminate the GRE.

I'll just have to get quotes in for 3560 vs 4948 and see what it boils down to. It really comes down to how much room we have to spare in terms of capacity for growth, I think. Looking at the list prices it seems rather expensive with the "standard" image, but the difference is smaller comparing the "enhanced" ones.

I have a weaker 3560 (the 100Mbit variant) currently unused I can play with and see how well it does GRE (don't tell Cisco I have the enhanced image lying around). The GRE stuff is handled by 2801/2811's as it is, and that could continue to be a way out of that.

Joss Laypeg
Oct 11, 2007
A psychotic is a guy who's just found out what's going on. - WSB

inignot posted:

Some programmer at Cisco had to have coded the error message that contains: DELETE_WITH_REASON payload, message ID = 974969034; and that message ID means something.

The Message ID is probably a random sequence number unique to that particular session, so I expect all they could have told you was that the remote end sent a payload with a message they didn't understand. Really the only useful bit of information is it sending that message immediately after your end tried to use the NAT-T port (4500). IPSEC logging sucks pretty hard in a largely vendor neutral way.

H110Hawk
Dec 28, 2006
I'm having an oddball problem with a port on our 6748-GE-TX w/ 6700 CFC line card in our 6509 chassis (Sup720-3BXL) when connected to a 4948 switch running the standard image.

We have it in a 4 port etherchannel, both sides configured identically using the range command. When the ports are connected, the 6509 side just blinks slowly green/off, nothing in logs, and it always makes me nervous to turn debugging/logging on on that switch. The other side shows nothing, turned on all event logging for that interface and nothing comes up in the logs. Changed ports on the 6748 and it links up just fine.

I suspect the port is simply hosed. Ideas?

code:
!
interface Port-channel5
 description nav-core01
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 102,200
 switchport mode trunk
end

!
interface GigabitEthernet1/48
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 102,200
 switchport mode trunk
 media-type rj45
 channel-group 5 mode desirable
end

IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(18)SXF10, RELEASE SOFTWARE (fc1)
Cisco IOS Software, Catalyst 4000 L3 Switch Software (cat4000-I9S-M), Version 12.2(25)EWA11, RELEASE SOFTWARE (fc1)


jbusbysack
Sep 6, 2002
i heart syd

H110Hawk posted:

I'm having an oddball problem with a port on our 6748-GE-TX w/ 6700 CFC line card in our 6509 chassis (Sup720-3BXL) when connected to a 4948 switch running the standard image.

We have it in a 4 port etherchannel, both sides configured identically using the range command. When the ports are connected, the 6509 side just blinks slowly green/off, nothing in logs, and it always makes me nervous to turn debugging/logging on on that switch. The other side shows nothing, turned on all event logging for that interface and nothing comes up in the logs. Changed ports on the 6748 and it links up just fine.

I suspect the port is simply hosed. Ideas?

code:
!
interface Port-channel5
 description nav-core01
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 102,200
 switchport mode trunk
end

!
interface GigabitEthernet1/48
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 102,200
 switchport mode trunk
 media-type rj45
 channel-group 5 mode desirable
end

IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(18)SXF10, RELEASE SOFTWARE (fc1)
Cisco IOS Software, Catalyst 4000 L3 Switch Software (cat4000-I9S-M), Version 12.2(25)EWA11, RELEASE SOFTWARE (fc1)

As a matter of habit I never let DTP have a crack at anything, as there's no need to negotiate ever between what I would assume is the core switch and a top-of-rack distribution switch. What happens when you change it to 'channel-group 5 mode on' ?

I realize that moving physical ports works for you but I'm curious as to the result.
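As an added example (not code from the thread or from either poster), here is a small audit script for the kind of EtherChannel mismatch being discussed above. It parses IOS-style interface stanzas, checks that every member of a channel-group carries the same trunk encapsulation, allowed-VLAN list and switchport mode as its Port-channel, and flags members whose bundling still depends on PAgP/LACP negotiation (desirable/auto/active/passive) or on DTP (no `switchport nonegotiate`), which is the change jbusbysack is asking about. The sample config is constructed: it reuses the two stanzas from the post and adds a hypothetical second member, GigabitEthernet1/47, with a deliberately wrong VLAN list so the consistency check has something to catch.

```python
"""Audit EtherChannel member ports in an IOS-style configuration excerpt."""
import re
from collections import defaultdict

# Constructed sample: Port-channel5 and Gi1/48 are the stanzas from the post;
# Gi1/47 is a hypothetical extra member with a mismatched allowed-VLAN list.
SAMPLE_CONFIG = """\
!
interface Port-channel5
 description nav-core01
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 102,200
 switchport mode trunk
!
interface GigabitEthernet1/47
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 102
 switchport mode trunk
 media-type rj45
 channel-group 5 mode desirable
!
interface GigabitEthernet1/48
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 102,200
 switchport mode trunk
 media-type rj45
 channel-group 5 mode desirable
!
"""

# Same sample with negotiation removed and the VLAN list corrected, for contrast.
HARDENED_CONFIG = (
    SAMPLE_CONFIG.replace("mode desirable", "mode on")
    .replace(" allowed vlan 102\n", " allowed vlan 102,200\n")
    .replace(" media-type rj45\n", " media-type rj45\n switchport nonegotiate\n")
)

# Settings that must agree between each member port and its Port-channel.
COMPARED = ("switchport trunk encapsulation",
            "switchport trunk allowed vlan",
            "switchport mode")
# channel-group modes that rely on PAgP (desirable/auto) or LACP (active/passive).
NEGOTIATED_MODES = {"desirable", "auto", "active", "passive"}


def parse_interfaces(text):
    """Return {interface name: [stripped config lines]} for every stanza."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        elif line.strip() in ("!", "end", ""):
            current = None          # stanza terminator
    return stanzas


def setting(lines, prefix):
    """Value of the first line starting with `prefix`, or None if absent."""
    for line in lines:
        if line.startswith(prefix + " "):
            return line[len(prefix) + 1:].strip()
    return None


def audit_etherchannels(text):
    """Return a list of human-readable findings; an empty list means clean."""
    stanzas = parse_interfaces(text)
    findings = []
    groups = defaultdict(list)
    for name, lines in stanzas.items():
        for line in lines:
            m = re.match(r"channel-group (\d+) mode (\S+)", line)
            if m:
                groups[int(m.group(1))].append((name, m.group(2)))
    for gid, members in sorted(groups.items()):
        po_name = f"Port-channel{gid}"
        po_lines = stanzas.get(po_name)
        if po_lines is None:
            findings.append(f"{po_name}: referenced by members but no stanza found")
            continue
        for name, mode in members:
            lines = stanzas[name]
            if mode in NEGOTIATED_MODES:
                findings.append(f"{name}: channel-group {gid} mode {mode} relies on "
                                f"PAgP/LACP negotiation; consider 'mode on'")
            if "switchport nonegotiate" not in lines:
                findings.append(f"{name}: DTP still enabled (no 'switchport nonegotiate')")
            for prefix in COMPARED:
                mine, theirs = setting(lines, prefix), setting(po_lines, prefix)
                if mine != theirs:
                    findings.append(f"{name}: '{prefix}' is {mine!r} but {po_name} has {theirs!r}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for f in audit_etherchannels(cfg) or ["no findings"]:
            print(" ", f)
```

Running it prints five findings for the constructed sample (two negotiated modes, two ports without `switchport nonegotiate`, and the VLAN mismatch on Gi1/47) and none for the hardened copy. It only inspects the one side you have access to, so run it against both switches' running-config when, as in the post, the other end is a different platform.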
