permanoob
Sep 28, 2004

Yeah it's a lot like that.
You'll be looking at the access-lists (sh access-list) and making sure you have allowances for icmp traffic on the inside to get out.

ragzilla
Sep 9, 2005
don't ask me, i only work here


Syano posted:

In the same vein as the previous post, I had an ASA 5505 preconfigured and shipped out to a remote site by a vendor. The device is responding to pings on its outside interface, the VPN back home is up, I can SSH in, I can talk to hosts on the inside of the ASA, however the ASA itself will not respond to my pings from its inside interface nor can I get into the ASDM. I can SSH into the outside interface but I am worthless once at the console. What should I be looking for?

icmp permit any inside
http <inside mgmt host> 255.255.255.255 inside

Syano
Jul 13, 2005
Fantastic. I will learn this crap yet.

Ok here is another one. I have an 1841 at a branch office with the following interfaces:

Serial 0/0 - Private WAN link back to home office
Eth 0/0 - Internet connection for this branch office
Eth 0/1.1 - VLAN1 for branch office users
Eth 0/1.2 - VLAN2 for guest wireless access

I need to set up ACLs that allow the VLAN2 users to only route through Eth 0/0 to get to the internet and prevent them from getting to any of the private network segments. I was playing with ACLs Friday afternoon on this device and I'm not sure how, but in one single click of apply through the SDM I brought the entire building down and locked myself out from fixing it. Had to drive 30 minutes after work to bring it back up.

Mierdaan
Sep 14, 2004

Pillbug
Who's the goon who resells used Cisco gear?

jwh
Jun 12, 2002

Mierdaan posted:

Who's the goon who resells used Cisco gear?

M@

Mierdaan
Sep 14, 2004

Pillbug
Thanks jwh.

jwh
Jun 12, 2002

Syano posted:

Fantastic. I will learn this crap yet.

Ok here is another one. I have an 1841 at a branch office with the following interfaces:

Serial 0/0 - Private WAN link back to home office
Eth 0/0 - Internet connection for this branch office
Eth 0/1.1 - VLAN1 for branch office users
Eth 0/1.2 - VLAN2 for guest wireless access

I need to set up ACLs that allow the VLAN2 users to only route through Eth 0/0 to get to the internet and prevent them from getting to any of the private network segments. I was playing with ACLs Friday afternoon on this device and I'm not sure how, but in one single click of apply through the SDM I brought the entire building down and locked myself out from fixing it. Had to drive 30 minutes after work to bring it back up.

Access-lists are dangerous. Don't forget that the moment you configure one, it automatically gives itself an implicit default deny at the end.

As to your question, how you build that access-list will depend on where you want to filter the traffic. If this network is for guest wireless access, which presumably means guest Internet access, then life gets a little bit more challenging, because of the "any" assumption that comes with Internet access.

You could, for instance, build an access-list applied in the 'in' direction on Fa0/1.2 that denies traffic to each of your production network(s), but ends with 'permit ip any any'.

Alternately, you could instead configure an access-list on Fa0/1.1 in the 'out' direction that does a 'deny ip <whatever your guest IP space is> any' followed by a 'permit ip any any'.

You could also maybe policy route something when the outgoing interface matches Fa0/1.2, like:

route-map test
match interface fa0/1.1
set interface null0

conf t
int fa0/1.2
ip policy route-map test


Although I bet the CPU hit on the PBR is more than doing the acl, maybe. Don't honestly know.

Syano
Jul 13, 2005
Criminy. I didn't know about the implicit deny once you build the ACL. That sure explains a ton.

So does that in turn mean without any ACLs that there is no implicit deny?

Syano fucked around with this message at 22:19 on Oct 6, 2008

jwh
Jun 12, 2002

Syano posted:

Criminy. I didn't know about the implicit deny once you build the ACL. That sure explains a ton.

So does that in turn mean without any ACLs that there is no implicit deny?

Correct.

Things get interesting when you have access-lists configured but the access-lists don't actually exist yet- interfaces will continue to move traffic right up until you configure the first line in that access-list, at which point, the default deny will appear unbeknown to you, and your interface will no longer pass traffic.

Things get even more interesting when you look at how processor-originated traffic won't trigger outbound acls. This can make for some real confusion, because you can, for instance, do this:

conf t
int s0/0
ip address 172.29.2.1 255.255.255.252
ip access-group 100 out
^Z

Now, without access-list 100 existing, that interface will move traffic just fine.

Now imagine you want to create an access-list to only allow a host, say, 1.1.1.1, out this interface.

conf t
access-list 100 permit ip host 1.1.1.1 any
^Z

And then, to see if it's "working", you do:

ping 172.29.2.2

The ping will work, and you most likely won't realize that s0/0 just stopped passing traffic for everybody other than 1.1.1.1. This is counter-intuitive, because the access-list is working, but your local ping just said otherwise.

I don't know whether the PIX/ASA has the same kind of behavior with respect to locally originated traffic. But IOS definitely has some very real caveats you need to understand. Unfortunately, even if you do understand them, you don't tend to remember them until they hurt you terribly.

edit: rewritten slightly to make things clearer.

jwh fucked around with this message at 22:49 on Oct 6, 2008
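The following Python is an added, constructed model (not IOS code and not from any poster) of the three behaviours jwh describes above and of the inbound guest-VLAN ACL suggested for Syano's 1841: an ACL referenced by `ip access-group` but not yet defined passes everything, the first ACE brings the implicit deny with it, and router-originated traffic never hits an outbound ACL. The production, guest and internet prefixes are constructed placeholders.

```python
"""Toy model of the IOS access-list semantics discussed in the thread.
Constructed example: the Router/Packet/Entry classes and all prefixes are
assumptions made for illustration, not real IOS behaviour in every detail."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"


@dataclass
class Entry:
    """One access-list entry: `<action> <proto> <src> <dst>`, src/dst as 'any' or CIDR."""
    action: str
    proto: str
    src: str
    dst: str

    def matches(self, pkt: Packet) -> bool:
        proto_ok = self.proto == "ip" or self.proto == pkt.proto
        return proto_ok and _covers(self.src, pkt.src) and _covers(self.dst, pkt.dst)


def _covers(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


@dataclass
class Router:
    acls: Dict[str, List[Entry]] = field(default_factory=dict)
    # (interface, "in"|"out") -> ACL name, i.e. `ip access-group <name> <dir>`
    applied: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def access_list(self, name: str, action: str, proto: str, src: str, dst: str) -> None:
        # The first call creates the list, and with it the implicit deny at the end.
        self.acls.setdefault(name, []).append(Entry(action, proto, src, dst))

    def access_group(self, iface: str, direction: str, name: str) -> None:
        self.applied[(iface, direction)] = name

    def forwards(self, iface: str, direction: str, pkt: Packet,
                 locally_originated: bool = False) -> bool:
        if direction == "out" and locally_originated:
            return True  # the router's own pings bypass outbound ACLs
        name = self.applied.get((iface, direction))
        if name is None or name not in self.acls:
            return True  # no ACL, or applied-but-undefined ACL: everything passes
        for entry in self.acls[name]:
            if entry.matches(pkt):
                return entry.action == "permit"
        return False  # implicit deny, present as soon as the first ACE exists


def jwh_scenario() -> Dict[str, bool]:
    """Replays the s0/0 example: ACL 100 applied outbound before it is defined."""
    r = Router()
    r.access_group("s0/0", "out", "100")
    before = r.forwards("s0/0", "out", Packet("10.0.0.5", "172.29.2.2"))
    r.access_list("100", "permit", "ip", "1.1.1.1/32", "any")
    return {
        "before_first_ace": before,
        "host_1_1_1_1": r.forwards("s0/0", "out", Packet("1.1.1.1", "172.29.2.2")),
        "other_host": r.forwards("s0/0", "out", Packet("10.0.0.5", "172.29.2.2")),
        # `ping 172.29.2.2` typed on the router itself still succeeds
        "local_ping": r.forwards("s0/0", "out", Packet("172.29.2.1", "172.29.2.2", "icmp"),
                                 locally_originated=True),
    }


# Constructed prefixes standing in for the production networks and the guest VLAN.
PRODUCTION = ["10.10.0.0/16", "172.29.0.0/16"]
GUEST_HOST = "192.168.50.23"
INTERNET_HOST = "203.0.113.80"


def guest_vlan_scenario(forget_permit_any: bool = False) -> Dict[str, bool]:
    """Inbound ACL on the guest subinterface: deny each production net, then permit any.
    With forget_permit_any=True the implicit deny also cuts the guests off the internet."""
    r = Router()
    r.access_group("fa0/1.2", "in", "GUEST_IN")
    for net in PRODUCTION:
        r.access_list("GUEST_IN", "deny", "ip", "any", net)
    if not forget_permit_any:
        r.access_list("GUEST_IN", "permit", "ip", "any", "any")
    return {
        "guest_to_production": r.forwards("fa0/1.2", "in", Packet(GUEST_HOST, "10.10.4.9")),
        "guest_to_internet": r.forwards("fa0/1.2", "in", Packet(GUEST_HOST, INTERNET_HOST)),
    }
```

Running `jwh_scenario()` shows the local ping passing while `other_host` is already being dropped, which is exactly the false reassurance the post warns about.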

Wizzle
Jun 7, 2004

Most
Parochial
Poster


Is it possible to make an Ethernet connection participate in a Multilink interface?

I currently have 2 T1 lines to a remote office. They're set up using standard WIC-1DSU cards. Each interface has PPP encapsulation and they are members of multilink1, which is where I do all of my routing. We're getting a 10Mb fiber connection now between the 2 offices. It has an Ethernet hand-off. I'm using Cisco 1841s with Advanced IP Services.

I'd like to build some sort of virtual point-to-point interface on FE0/1 and have it joined to multilink1. The contracts for the T1s will still be active for a few months, not to mention that since the fiber is new it'd be nice to have the T1s to fall back on.

Is any of this even possible?

ragzilla
Sep 9, 2005
don't ask me, i only work here


Wizzle posted:

Is it possible to make an Ethernet connection participate in a Multilink interface?

I currently have 2 T1 lines to a remote office. They're set up using standard WIC-1DSU cards. Each interface has PPP encapsulation and they are members of multilink1, which is where I do all of my routing. We're getting a 10Mb fiber connection now between the 2 offices. It has an Ethernet hand-off. I'm using Cisco 1841s with Advanced IP Services.

I'd like to build some sort of virtual point-to-point interface on FE0/1 and have it joined to multilink1. The contracts for the T1s will still be active for a few months, not to mention that since the fiber is new it'd be nice to have the T1s to fall back on.

Is any of this even possible?

Not that easily; you'd need to set up some kind of IGP between the routers at either end (OSPF, EIGRP) and use that to fail over between the 2 separate links.

Syano
Jul 13, 2005

jwh posted:

Access-lists are dangerous. Don't forget that the moment you configure one, it automatically gives itself an implicit default deny at the end.

As to your question, how you build that access-list will depend on where you want to filter the traffic. If this network is for guest wireless access, which presumably means guest Internet access, then life gets a little bit more challenging, because of the "any" assumption that comes with Internet access.

You could, for instance, build an access-list applied in the 'in' direction on Fa0/1.2 that denies traffic to each of your production network(s), but ends with 'permit ip any any'.

Alternately, you could instead configure an access-list on Fa0/1.1 in the 'out' direction that does a 'deny ip <whatever your guest IP space is> any' followed by a 'permit ip any any'.

You could also maybe policy route something when the outgoing interface matches Fa0/1.2, like:

route-map test
match interface fa0/1.1
set interface null0

conf t
int fa0/1.2
ip policy route-map test


Although I bet the CPU hit on the PBR is more than doing the acl, maybe. Don't honestly know.

That really is mind-boggling. I understand why my network guy took a better offer now. On the other hand I am extremely glad I am learning this stuff. I think I will set up an ACL on the 'in' direction of my guest VLAN to deny traffic to the production networks.

Provided this project works fine, my next one is going to be to set up a VPN across the internet connection that production network users can use if the serial connection ever fails.

Syano
Jul 13, 2005
Edit: Double post

J Crewl
Dec 11, 2005
Question on redundant supervisor engines.

I didn't know a thing about them until earlier today when the network hiccupped and nothing could be reached. It boiled down to being the core L3 switch - a 4507 with redundant sups. Reminded us of that time about 2 weeks ago when the switch rebooted for a still undetermined reason (by abort something or other 0x0 - but I digress). Anyways, the difference is that according to the uptime counter, it hadn't rebooted since that time 2 weeks ago. We grabbed the output of the 'show redund history' command. Can someone give me a brief overview of what it means, particularly why it looks like the second sup wasn't in standby until this morning? Why did the switch become temporarily unavailable this morning? Could it not even be related to the sups whatsoever? Assume no work was being done on the device at that time this morning.

1w5d RF_STATUS_PEER_COMM(401) Redundancy Mode RF(29) op=0
1w5d RF_STATUS_PEER_COMM(401) GALIOS_CONFIG_SYNC(55) op=0
1w5d *my state = STANDBY COLD(4) *peer state = DISABLED(1)
1w5d Reloading peer (communication down)
1w5d *my state = ACTIVE-FAST(9) peer state = DISABLED(1)
1w5d RF_STATUS_MAINTENANCE_ENABLE(403) Redundancy Mode RF(29) op=0
1w5d RF_STATUS_MAINTENANCE_ENABLE(403) GALIOS_CONFIG_SYNC(55) op=0
1w5d RF_PROG_ACTIVE_FAST(200) RF_INTERNAL_MSG(0) op=0 rc=11
1w5d RF_PROG_ACTIVE_FAST(200) Redundancy Mode RF(29) op=0 rc=11
1w5d RF_PROG_ACTIVE_FAST(200) GALIOS_CONFIG_SYNC(55) op=0 rc=11
1w5d RF_PROG_ACTIVE_FAST(200) RF_LAST_CLIENT(65000) op=0 rc=11
1w5d *my state = ACTIVE-DRAIN(10) peer state = DISABLED(1)
1w5d RF_PROG_ACTIVE_DRAIN(201) RF_INTERNAL_MSG(0) op=0 rc=11
1w5d RF_PROG_ACTIVE_DRAIN(201) Redundancy Mode RF(29) op=0 rc=11
1w5d RF_PROG_ACTIVE_DRAIN(201) GALIOS_CONFIG_SYNC(55) op=0 rc=11
1w5d RF_PROG_ACTIVE_DRAIN(201) RF_LAST_CLIENT(65000) op=0 rc=11
1w5d *my state = ACTIVE_PRECONFIG(11) peer state = DISABLED(1)
1w5d RF_PROG_ACTIVE_PRECONFIG(202) RF_INTERNAL_MSG(0) op=0 rc=11
1w5d RF_PROG_ACTIVE_PRECONFIG(202) Redundancy Mode RF(29) op=0 rc=11
1w5d RF_PROG_ACTIVE_PRECONFIG(202) GALIOS_CONFIG_SYNC(55) op=0 rc=11
1w5d RF_PROG_ACTIVE_PRECONFIG(202) RF_LAST_CLIENT(65000) op=0 rc=11
1w5d *my state = ACTIVE_POSTCONFIG(12) peer state = DISABLED(1)
1w5d RF_PROG_ACTIVE_POSTCONFIG(203) RF_INTERNAL_MSG(0) op=0 rc=11
1w5d RF_PROG_ACTIVE_POSTCONFIG(203) Redundancy Mode RF(29) op=0 rc=11
1w5d RF_PROG_ACTIVE_POSTCONFIG(203) GALIOS_CONFIG_SYNC(55) op=0 rc=11
1w5d RF_PROG_ACTIVE_POSTCONFIG(203) RF_LAST_CLIENT(65000) op=0 rc=11
1w5d *my state = ACTIVE(13) peer state = DISABLED(1)
1w5d RF_PROG_ACTIVE(204) RF_INTERNAL_MSG(0) op=0 rc=11
1w5d RF_PROG_ACTIVE(204) Redundancy Mode RF(29) op=0 rc=11
1w5d RF_PROG_ACTIVE(204) GALIOS_CONFIG_SYNC(55) op=0 rc=11
1w5d RF_PROG_ACTIVE(204) RF_LAST_CLIENT(65000) op=0 rc=11
1w5d RF_STATUS_PEER_PRESENCE(400) Redundancy Mode RF(29) op=0
1w5d RF_STATUS_PEER_PRESENCE(400) GALIOS_CONFIG_SYNC(55) op=0
1w5d Reloading peer (peer presence lost)
1w5d RF_EVENT_GO_ACTIVE(511) op=0
1w5d Configuration parsing complete
1w5d System initialization complete
Oct 7 08:43:42 Changing to system clock timestamps at uptime 1w5d
Oct 7 08:43:42 RF_STATUS_PEER_PRESENCE(400) Redundancy Mode RF(29) op=1
Oct 7 08:43:42 RF_STATUS_PEER_PRESENCE(400) GALIOS_CONFIG_SYNC(55) op=1
Oct 7 08:43:47 *my state = ACTIVE(13) *peer state = UNKNOWN(0)
Oct 7 08:43:47 RF_STATUS_PEER_COMM(401) Redundancy Mode RF(29) op=1
Oct 7 08:43:47 RF_STATUS_PEER_COMM(401) GALIOS_CONFIG_SYNC(55) op=1
Oct 7 08:43:47 RF_PROG_PLATFORM_SYNC(300) RF_INTERNAL_MSG(0) op=0 rc=11
Oct 7 08:43:47 RF_PROG_PLATFORM_SYNC(300) Redundancy Mode RF(29) op=0 rc=11
Oct 7 08:43:47 RF_PROG_PLATFORM_SYNC(300) GALIOS_CONFIG_SYNC(55) op=0 rc=0
Oct 7 08:43:47 RF_EVENT_CLIENT_PROGRESSION(503) GALIOS_CONFIG_SYNC(55) op=1 rc=0
Oct 7 08:43:50 RF_EVENT_PEER_PROG_DONE(506) GALIOS_CONFIG_SYNC(55) op=300
Oct 7 08:43:50 RF_PROG_PLATFORM_SYNC(300) RF_LAST_CLIENT(65000) op=0 rc=0
Oct 7 08:43:50 RF_EVENT_CLIENT_PROGRESSION(503) RF_LAST_CLIENT(65000) op=1 rc=0
Oct 7 08:43:50 RF_EVENT_PEER_PROG_DONE(506) RF_LAST_CLIENT(65000) op=300
Oct 7 08:43:56 *my state = ACTIVE(13) *peer state = STANDBY COLD(4)

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

J Crewl posted:

Question on redundant supervisor engines.

I didn't know a thing about them until earlier today when the network hiccupped and nothing could be reached. It boiled down to being the core L3 switch - a 4507 with redundant sups. Reminded us of that time about 2 weeks ago when the switch rebooted for a still undetermined reason (by abort something or other 0x0 - but I digress). Anyways, the difference is that according to the uptime counter, it hadn't rebooted since that time 2 weeks ago. We grabbed the output of the 'show redund history' command. Can someone give me a brief overview of what it means, particularly why it looks like the second sup wasn't in standby until this morning? Why did the switch become temporarily unavailable this morning? Could it not even be related to the sups whatsoever? Assume no work was being done on the device at that time this morning.

1w5d RF_STATUS_PEER_COMM(401) Redundancy Mode RF(29) op=0
1w5d RF_STATUS_PEER_COMM(401) GALIOS_CONFIG_SYNC(55) op=0
1w5d *my state = STANDBY COLD(4) *peer state = DISABLED(1)
1w5d Reloading peer (communication down)
1w5d *my state = ACTIVE-FAST(9) peer state = DISABLED(1)
1w5d RF_STATUS_MAINTENANCE_ENABLE(403) Redundancy Mode RF(29) op=0
1w5d RF_STATUS_MAINTENANCE_ENABLE(403) GALIOS_CONFIG_SYNC(55) op=0
1w5d RF_PROG_ACTIVE_FAST(200) RF_INTERNAL_MSG(0) op=0 rc=11
1w5d RF_PROG_ACTIVE_FAST(200) Redundancy Mode RF(29) op=0 rc=11
1w5d RF_PROG_ACTIVE_FAST(200) GALIOS_CONFIG_SYNC(55) op=0 rc=11
1w5d RF_PROG_ACTIVE_FAST(200) RF_LAST_CLIENT(65000) op=0 rc=11
1w5d *my state = ACTIVE-DRAIN(10) peer state = DISABLED(1)
1w5d RF_PROG_ACTIVE_DRAIN(201) RF_INTERNAL_MSG(0) op=0 rc=11
1w5d RF_PROG_ACTIVE_DRAIN(201) Redundancy Mode RF(29) op=0 rc=11
1w5d RF_PROG_ACTIVE_DRAIN(201) GALIOS_CONFIG_SYNC(55) op=0 rc=11
1w5d RF_PROG_ACTIVE_DRAIN(201) RF_LAST_CLIENT(65000) op=0 rc=11
1w5d *my state = ACTIVE_PRECONFIG(11) peer state = DISABLED(1)
1w5d RF_PROG_ACTIVE_PRECONFIG(202) RF_INTERNAL_MSG(0) op=0 rc=11
1w5d RF_PROG_ACTIVE_PRECONFIG(202) Redundancy Mode RF(29) op=0 rc=11
1w5d RF_PROG_ACTIVE_PRECONFIG(202) GALIOS_CONFIG_SYNC(55) op=0 rc=11
1w5d RF_PROG_ACTIVE_PRECONFIG(202) RF_LAST_CLIENT(65000) op=0 rc=11
1w5d *my state = ACTIVE_POSTCONFIG(12) peer state = DISABLED(1)
1w5d RF_PROG_ACTIVE_POSTCONFIG(203) RF_INTERNAL_MSG(0) op=0 rc=11
1w5d RF_PROG_ACTIVE_POSTCONFIG(203) Redundancy Mode RF(29) op=0 rc=11
1w5d RF_PROG_ACTIVE_POSTCONFIG(203) GALIOS_CONFIG_SYNC(55) op=0 rc=11
1w5d RF_PROG_ACTIVE_POSTCONFIG(203) RF_LAST_CLIENT(65000) op=0 rc=11
1w5d *my state = ACTIVE(13) peer state = DISABLED(1)
1w5d RF_PROG_ACTIVE(204) RF_INTERNAL_MSG(0) op=0 rc=11
1w5d RF_PROG_ACTIVE(204) Redundancy Mode RF(29) op=0 rc=11
1w5d RF_PROG_ACTIVE(204) GALIOS_CONFIG_SYNC(55) op=0 rc=11
1w5d RF_PROG_ACTIVE(204) RF_LAST_CLIENT(65000) op=0 rc=11
1w5d RF_STATUS_PEER_PRESENCE(400) Redundancy Mode RF(29) op=0
1w5d RF_STATUS_PEER_PRESENCE(400) GALIOS_CONFIG_SYNC(55) op=0
1w5d Reloading peer (peer presence lost)
1w5d RF_EVENT_GO_ACTIVE(511) op=0
1w5d Configuration parsing complete
1w5d System initialization complete
Oct 7 08:43:42 Changing to system clock timestamps at uptime 1w5d
Oct 7 08:43:42 RF_STATUS_PEER_PRESENCE(400) Redundancy Mode RF(29) op=1
Oct 7 08:43:42 RF_STATUS_PEER_PRESENCE(400) GALIOS_CONFIG_SYNC(55) op=1
Oct 7 08:43:47 *my state = ACTIVE(13) *peer state = UNKNOWN(0)
Oct 7 08:43:47 RF_STATUS_PEER_COMM(401) Redundancy Mode RF(29) op=1
Oct 7 08:43:47 RF_STATUS_PEER_COMM(401) GALIOS_CONFIG_SYNC(55) op=1
Oct 7 08:43:47 RF_PROG_PLATFORM_SYNC(300) RF_INTERNAL_MSG(0) op=0 rc=11
Oct 7 08:43:47 RF_PROG_PLATFORM_SYNC(300) Redundancy Mode RF(29) op=0 rc=11
Oct 7 08:43:47 RF_PROG_PLATFORM_SYNC(300) GALIOS_CONFIG_SYNC(55) op=0 rc=0
Oct 7 08:43:47 RF_EVENT_CLIENT_PROGRESSION(503) GALIOS_CONFIG_SYNC(55) op=1 rc=0
Oct 7 08:43:50 RF_EVENT_PEER_PROG_DONE(506) GALIOS_CONFIG_SYNC(55) op=300
Oct 7 08:43:50 RF_PROG_PLATFORM_SYNC(300) RF_LAST_CLIENT(65000) op=0 rc=0
Oct 7 08:43:50 RF_EVENT_CLIENT_PROGRESSION(503) RF_LAST_CLIENT(65000) op=1 rc=0
Oct 7 08:43:50 RF_EVENT_PEER_PROG_DONE(506) RF_LAST_CLIENT(65000) op=300
Oct 7 08:43:56 *my state = ACTIVE(13) *peer state = STANDBY COLD(4)

What version of code? Assuming the sups are identical, you are running in SSO mode correct?

Can you paste the redundancy configuration section?

I have handfuls of 6500s, 7600s and these 4500s in the field, and from time to time we notice the Hot sup loses connectivity with the Standby for a split second and then eventually recovers, but this shouldn't cause any network issues. The only time you should see a hiccup is when the Hot Sup goes offline and the Standby recovers, and at that point you might drop a ping or two, nothing more (if properly configured). Cisco's common answer is "re-seat the modules" for the first few times; eventually they will replace the Sup if it continues.

H.R. Paperstacks fucked around with this message at 12:09 on Oct 8, 2008

J Crewl
Dec 11, 2005
Thanks for your reply, null0. I'm 99% sure it is NOT running SSO mode. I'll check today what it is using - just don't know the command off the top of my head. IOS version is 12.1(12c) lol. Anything else?

wolrah
May 8, 2006
what?

Wizzle posted:

Is it possible to make an Ethernet connection participate in a Multilink interface?

I currently have 2 T1 lines to a remote office. They're setup using standard WIC-1DSU cards. Each interface has PPP encapsulation and they are members of multilink1 which is where I do all of my routing. We're getting a 10Mb fiber connection now between the 2 offices. It has an Ethernet hand-off. I'm using Cisco1841s with Advanced IP Services.

I'd like to build some sort of virtual point-to-point interface on FE0/1 and have it joined to multilink1. The contracts for the T1s will still be active for a few months, not to mention that since the fiber is new it'd be nice to have the T1s to fall back on.

Is any of this even possible?

I'm just talking out of my rear end here, but if you can establish a PPP-like connection over it you may be able to add it to the multilink group. PPPoE and PPTP both appear the same as straight PPP on Linux boxes and I have seen people use MLPPP over PPPoE before. I have no idea whether Cisco treats it the same way or if one can use two different types of PPP links in one multilink bundle.

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

J Crewl posted:

Thanks for your reply, null0. I'm 99% sure it is NOT running SSO mode. I'll check today what it is using - just don't know the command off the top of my head. IOS version is 12.1(12c) lol. Anything else?

Is there a reason why you are not running SSO? Are there routed interfaces on the 4507?

If you do a "sh redundancy" you will see:

code:
sh redundancy         
Redundant System Information :
------------------------------
       Available system uptime = 14 weeks, 1 day, 1 hour, 56 minutes
Switchovers system experienced = 4
              Standby failures = 0
        Last switchover reason = user forced

                 Hardware Mode = Duplex
    Configured Redundancy Mode = Stateful Switchover
     Operating Redundancy Mode = Stateful Switchover
              Maintenance Mode = Disabled
                Communications = Up

Look for this section in the config:

code:
redundancy
 mode sso
 main-cpu
  auto-sync startup-config
  auto-sync config-register
  auto-sync bootvar
  auto-sync standard

H.R. Paperstacks fucked around with this message at 16:46 on Oct 8, 2008

Winston_Wolf
Jun 9, 2005
I've got a good one:

Does PIX (v8) support stateful inspection for both BEA WebLogic's T3/T3s protocols as well as FTPS (FTP over SSL, not SFTP; all traffic is sent on 21)?

This is a 5 million dollar question to my company at the moment... Anyone seen T3 work with PIX 8 or ASA?

J Crewl
Dec 11, 2005

routenull0 posted:

Is there a reason why you are not running SSO? Are their routed interfaces on the 4507?
Let's go with "a lack of understanding of all the available options." No, no routed interfaces.

routenull0 posted:

If you do a "sh redundancy" you will see:
Incomplete command, so I did a "sh redund states":

my state = 13 -ACTIVE
peer state = 4 -STANDBY COLD
Mode = Duplex
Unit = Secondary
Unit ID = 2

Redundancy Mode (Operational) = RPR
Redundancy Mode (Configured) = RPR
Split Mode = Disabled
Manual Swact = Enabled
Communications = Up
client count = 4
client_notification_TMR = 30000 milliseconds
keep_alive TMR = 9000 milliseconds
keep_alive count = 0
keep_alive threshold = 18
RF debug mask = 0x0

routenull0 posted:

Look for this section in the config:
I found:
redundancy
mode rpr
main-cpu
auto-sync standard

Bonus points if someone can lead me in the direction of why this happened two weeks ago:
System returned to ROM by abort at PC 0x0
It's sort of a non-issue, except that if this device is starting to have issues or goes down for any period of time we are f'ed.

J Crewl fucked around with this message at 02:02 on Oct 9, 2008

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

J Crewl posted:

Let's go with "a lack of understanding of all the available options." No, no routed interfaces.

Incomplete command, so I did a "sh redund states":

my state = 13 -ACTIVE
peer state = 4 -STANDBY COLD
Mode = Duplex
Unit = Secondary
Unit ID = 2

Redundancy Mode (Operational) = RPR
Redundancy Mode (Configured) = RPR
Split Mode = Disabled
Manual Swact = Enabled
Communications = Up
client count = 4
client_notification_TMR = 30000 milliseconds
keep_alive TMR = 9000 milliseconds
keep_alive count = 0
keep_alive threshold = 18
RF debug mask = 0x0

I found:
redundancy
mode rpr
main-cpu
auto-sync standard

Bonus points if someone can lead me in the direction of why this happened two weeks ago:
System returned to ROM by abort at PC 0x0
It's sort of a non-issue, except that if this device is starting to have issues or goes down for any period of time we are f'ed.


I'd start by getting off the 12.1 tree and on to something like 12.2.xx; it is a bit more stable, but it depends on what SUP engines you have. You can list them via "sh module".

Once on a newer version of code, if the SUPs are the same hardware (memory, etc.), put them into SSO mode via the "redundancy" command in global config. Honestly, copy what I pasted and apply it to your config when ready; that keeps all the configs sync'd between the two. SSO will only work if both SUPs are identical though.

(Unless you have some reason for not wanting to go to 12.1, that is. The upgrade procedure can be an in-depth process requiring some downtime to hard-boot the standby on the new code and such, so if you are not comfortable with restarting the entire system, you might want to get a consultant in there.)

Here is some basic info on RPR / RPR+ / SSO: http://www.networksystemsdesignline.com/howto/showArticle.jhtml?articleId=192202366&pgno=3

SSO is the newer version of RPR / RPR+.

H.R. Paperstacks fucked around with this message at 13:04 on Oct 9, 2008

Wizzle
Jun 7, 2004

Most
Parochial
Poster


wolrah posted:

I'm just talking out of my rear end here, but if you can establish a PPP-like connection over it you may be able to add it to the multilink group. PPPoE and PPTP both appear the same as straight PPP on Linux boxes and I have seen people use MLPPP over PPPoE before. I have no idea whether Cisco treats it the same way or if one can use two different types of PPP links in one multilink bundle.

This was what I was wondering as well. But my experience with PPPoE is pretty much limited to lovely Linksys devices on lovely DSL connections.

jwh
Jun 12, 2002

Wizzle posted:

Is any of this even possible?

Not that I know of- is the ethernet circuit from the same provider as the T1s?

inignot
Sep 1, 2003

WWBCD?

Wizzle posted:

Is any of this even possible?

Possible and advisable are two different things. Take the previous advice about running an IGP; it's less effort and more sane.

Wizzle
Jun 7, 2004

Most
Parochial
Poster


jwh posted:

Not that I know of- is the ethernet circuit from the same provider as the T1s?

No, thankfully, it's not the same provider. (Customer service is awful).

inignot posted:

Possible and advisable are two different things. Take the previous advice about running an IGP; it's less effort and more sane.

Sounds reasonable enough. I'll plan on doing that.

Wizzle fucked around with this message at 04:48 on Oct 10, 2008

jwh
Jun 12, 2002

Wizzle posted:

No, thankfully, it's not the same provider. (Customer service is awful).

In that case, MLPPP is probably not going to work- MLPPP fragments need to be reassembled by the same next-hop to function correctly.

wolrah
May 8, 2006
what?

jwh posted:

In that case, MLPPP is probably not going to work- MLPPP fragments need to be reassembled by the same next-hop to function correctly.

If I'm interpreting the first post on this topic correctly, the T1s are direct point-to-point, so the next hop is the other side. If the fiber is treated the same way (basically if a broadcast packet would make it to the other side) one could establish PPPoE over it and in theory MLPPP should work. If the fiber is routed, a PPTP link could be used instead of PPPoE.

I know MLPPP is supported on "virtual" PPP links like PPPoE and PPTP, the question is whether the devices on each end can support putting different types of PPP links all in the same MLPPP bundle.

CrazyLittle
Sep 11, 2001

Clapping Larry

wolrah posted:

I know MLPPP is supported on "virtual" PPP links like PPPoE and PPTP, the question is whether the devices on each end can support putting different types of PPP links all in the same MLPPP bundle.

No. All the connections in a bundle pretty much need to be the same media because the packets have to arrive in the same order or else you'll get a ton of errors on the line. I tried doing a DSL+T1 MLPPP bundle once and it ran slower than a single T1. Two DSL lines in a bundle is very nice though.

wolrah
May 8, 2006
what?

CrazyLittle posted:

No. All the connections in a bundle pretty much need to be the same media because the packets have to arrive in the same order or else you'll get a ton of errors on the line. I tried doing a DSL+T1 MLPPP bundle once and it ran slower than a single T1. Two DSL lines in a bundle is very nice though.

Good to know. I've only ever run MLPPP on T1s, so I've never had to dive in to the specifics.

ObamaisaTerrist
Jul 26, 2008

The truth is out there.
Can anyone recommend something to monitor bandwidth on Cisco equipment? We have CSME lines from ATT, and they said they have no means of making reports on bandwidth usage.

The only thing I know to do is a sh gi 1/0/1 on a remote port, but that just gives me bytes in/out over a 5 minute interval.

*EDIT* On one important switch, we are using MRTG(PRTG?) with SNMP, but to do this for every switch...Sheesh.

ObamaisaTerrist
Jul 26, 2008

The truth is out there.
One more thing that is more an irritant.

I upgraded the IOS on one switch to one that supported SSHv2. I'm anal retentive and wanted to clean up (delete) the old .BIN.

I ended up having to delete what seemed like a ton of files/directories....HTML...Info, etc. Is there a simpler way to delete all those directories without having to CD into the directory and delete each file, then CD out to delete the directory? Thanks

jbusbysack
Sep 6, 2002
i heart syd

ObamaisaTerrist posted:

One more thing that is more an irritant.

I upgraded the IOS on one switch to one that supported SSHv2. I'm anal retentive and wanted to clean up (delete) the old .BIN.

I ended up having to delete what seemed like a ton of files/directories....HTML...Info, etc. Is there a simpler way to delete all those directories without having to CD into the directory and delete each file, then CD out to delete the directory? Thanks


delete /all /recursive flash:/foldername

Syano
Jul 13, 2005
Is route failover possible using static routes? What I have is an 1841 with a serial connection and also a vpn connection to my home office. If I simply build two static routes, one with higher cost, will route failover occur if the lower cost route becomes unavailable?

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

ObamaisaTerrist posted:

Can anyone recommend something to monitor bandwidth on Cisco equipment? We have CSME lines from ATT, and they said they have no means of making reports on bandwidth usage.

The only thing I know to do is a sh gi 1/0/1 on a remote port, but that just gives me bytes in/out over a 5 minute interval.

*EDIT* On one important switch, we are using MRTG(PRTG?) with SNMP, but to do this for every switch...Sheesh.

Set up Cacti; it isn't very hard and is very useful for the time invested in setting it up.

https://www.cacti.net

inignot
Sep 1, 2003

WWBCD?

Syano posted:

Is route failover possible using static routes? What I have is an 1841 with a serial connection and also a vpn connection to my home office. If I simply build two static routes, one with higher cost, will route failover occur if the lower cost route becomes unavailable?

Eh...it depends. If you set up two static routes with different admin distances, the one with the lower admin distance will remain in the routing table unless its outgoing physical interface goes down; then the higher admin distance route comes into the routing table. Under that scenario a physical interface has to go down to trigger the routing change, which may or may not fit your purpose.

There's also object tracking:

http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html

Syano
Jul 13, 2005

This is.... well, fantastic. I'm astounded more every day how much the SDM sucks. Good grief.

Kreg
Sep 2, 2006

routenull0 posted:

Set up Cacti; it isn't very hard and is very useful for the time invested in setting it up.

https://www.cacti.net

I was going to suggest this. We just got this setup on our core routers and it was well worth the time it took to setup and learn.

Lowen SoDium
Jun 5, 2003

Highen Fiber
Clapping Larry
I have several Cisco IP phones that are registered to a Call Manager (not Express) at a remote office. These phones are set to get their DHCP from the 2811 router in the building. The router is set to get NTP from our main router here, which gets it from the internet.

All of the phones at that location display a time several hours off (I can't remember if they are showing GMT or not, but they are not showing CST like they should be). Looking at the web interface on any of the phones there shows the correct time and date, but the Time Zone field is blank.

All the phones in our HQ building get their DHCP from a Windows DHCP server, and they show the correct time on their display. Looking at the web interface on any of the phones there shows the correct time and date, and the Time Zone field correctly shows "Central Standard/Daylight Time".

This leads me to believe that the problem is the DHCP server on the router does not tell the phones what time zone they should be in.

Does anyone know how to set that on IOS's DHCP server, or have any other explanation for what the problem is?

wolrah
May 8, 2006
what?

Lowen SoDium posted:

Does anyone know how to set that on IOS's DHCP server, or have any other explanation for what the problem is?

option 2 hex ffff.aba0

That's assuming CST is also correct for this location.

Otherwise, look here for the hex code.
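Where the `ffff.aba0` value comes from, as an added example that is not part of wolrah's post: DHCP option 2 (Time Offset, RFC 2132) carries a signed 32-bit count of seconds east of UTC, and IOS takes it as four octets of dotted hex. The helpers below encode a UTC offset into that form and decode it back, so CST (UTC-6) can be checked rather than looked up.

```python
"""Encode/decode DHCP option 2 (Time Offset) in the dotted-hex form IOS accepts
for `option 2 hex ...`. Added example; the function names are my own."""
import struct


def offset_to_ios_hex(hours: float) -> str:
    """UTC offset in hours -> IOS `option 2 hex` argument.
    Negative offsets (west of UTC) wrap to two's complement, which is why
    CST comes out as ffff.aba0 rather than a small number."""
    seconds = int(round(hours * 3600))
    raw = struct.pack(">i", seconds).hex()  # ">i": big-endian signed 32-bit, as on the wire
    return f"{raw[:4]}.{raw[4:]}"


def ios_hex_to_offset(dotted: str) -> float:
    """Inverse: parse a dotted-hex option 2 value back to hours, honouring the sign bit."""
    raw = bytes.fromhex(dotted.replace(".", ""))
    if len(raw) != 4:
        raise ValueError("option 2 is exactly four octets")
    return struct.unpack(">i", raw)[0] / 3600


if __name__ == "__main__":
    for zone, hours in (("CST", -6), ("UTC", 0), ("IST", 5.5)):
        print(zone, offset_to_ios_hex(hours))
```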

Lowen SoDium
Jun 5, 2003

Highen Fiber
Clapping Larry

wolrah posted:

option 2 hex ffff.aba0

That's assuming CST is also correct for this location.

Otherwise, look here for the hex code.

That didn't fix the time, or show the time zone on the web interface.
