|
Lowen SoDium posted:That didn't fix the time, or show the time zone on the web interface. I'm not familiar with Cisco phones on the "Skinny" firmware that's the default on CCM, but I have a few 7940s on SIP firmware, a 7941 on SIP, and a variety of Linksys and Polycom phones all getting their time information from DHCP and using that option to set their time zone. My DHCP server isn't a Cisco, but according to the docs I've found that is how to set it and at least the value is correct. IIRC the time zone can also be set in the config file the phones download, so check the CM's configuration.
|
#
?
Oct 13, 2008 21:50
|
|
|
|
| # ? May 14, 2024 22:23 |
|
|
Lowen SoDium posted:That didn't fix the time, or show the time zone on the web interface. What version of Call Manager? The phone gets the time zone from the CM and the time from wherever you set the CM's NTP reference. What date/time group is assigned to that phone's Device Pool? If you're running 5x or higher there is also a Phone NTP Reference under the System menu as well. edit: you can see the device pool from Device > Phone. Then click detail next to the assigned device pool. Device Pool, Date Time group and Phone NTP reference are all located under the System menu in CM Administration.
|
|
#
?
Oct 14, 2008 05:38
|
|
|
jwh posted:I'm wondering if anybody has any advice for DMVPN tunnel monitoring. Because the mGRE tunnels don't ever go down/down (unless the associated physical interface goes down), it's not very practical to simply watch the tunnel interface itself. Normally, the IGP keeps the interfaces > 0 bps over the polling interval, so this works great.
|
|
#
?
Oct 14, 2008 05:52
|
|
|
jbusbysack posted:delete /all /recursive flash:/foldername You are fantastic. Thanks! *edit* And I will look into Cacti. Thanks again ObamaisaTerrist fucked around with this message at 12:15 on Oct 14, 2008 |
|
#
?
Oct 14, 2008 12:07
|
|
|
Ok I want to say this is possible, but... What I want to do is make a layer 2 network over my existing internet connection. The terminating points will be either 2x851s (ISR) or 2x3560's (layer 3 switch) or both if needed. My gut tells me there should be a way to encapsulate a layer 2 payload into ip, and have it come out one of the interfaces on my router, or a separate vlan on my switch. Unfortunelty I don't know if it's possible, or if it is, how to even start doing it. Can anyone point me in the right direction?
|
|
#
?
Oct 14, 2008 20:36
|
|
|
I've never done it, but what you seek is L2TP.
|
|
#
?
Oct 14, 2008 21:01
|
|
|
Powercrazy posted:Ok I want to say this is possible, but... I posted L2TPv3 configs back on page two or three or so of this thread. You may want to check that out. I also included a link to the design document that I used. If I remember correctly, the 3560s won't do L2TPv3. The hardware wasn't built to do it. Dunno about the metro variant.
|
|
#
?
Oct 14, 2008 23:13
|
|
|
I found L2TP after I posted, but it doesn't look like quite what I'm looking for. That seems to be some kind of dial in tunnel. I just want to connect to a remote IP (cisco router) and have it pipe a layer 2 connection from one of my router's ports to one of it's ports. I looked at something called a "pseudo-wire" and I know that has to do with MPLS but I'm wondering if I can use it for my purposes. Anyone have any experience with pseudo wires? Or a suggestion for what I'm trying to do, or a way to do the L2TP but without the dial in authentication? I'll check those configs you posted jwh. Thanks.
|
|
#
?
Oct 15, 2008 04:13
|
|
|
Powercrazy posted:I found L2TP after I posted, but it doesn't look like quite what I'm looking for. L2TPv3 will do what you want, without the dial-in stuffs. Here's a direct link. http://forums.somethingawful.com/showthread.php?threadid=2430375&userid=0&perpage=40&pagenumber=3#post326785001
|
|
#
?
Oct 15, 2008 05:25
|
|
|
jwh posted:L2TPv3 will do what you want, without the dial-in stuffs. Here's a direct link. Ah, cool. I missed that when I was looking last night. Thanks again.
|
|
#
?
Oct 15, 2008 14:51
|
|
|
Is there a good resource that would explain how IPIP tunneling works? I couldn't find much information on Cisco's site about it, presumably because it's not used these days. We're working on a lab for one of my networking classes and we have to set up an IPIP tunnel and so far it's been hell.
|
|
#
?
Oct 15, 2008 15:58
|
|
|
TOMSOVERBAGHDAD posted:Is there a good resource that would explain how IPIP tunneling works? I couldn't find much information on Cisco's site about it, presumably because it's not used these days. We're working on a lab for one of my networking classes and we have to set up an IPIP tunnel and so far it's been hell. router1: int loop0 ip addr 172.29.0.1 255.255.255.255 int tu0 ip address 1.1.1.1 255.255.255.252 tunnel mode ipip tunnel source loop0 tunnel destination 172.29.0.2 no shut router 2: int loop0 ip addr 172.29.0.2 255.255.255.255 int tu0 ip address 1.1.1.2 255.255.255.252 tunnel mode ipip tunnel source loop0 tunnel destination 172.29.0.1 no shut ^Z Router2# debug tunnel Router2# ping 1.1.1.1.1 Tunnel0: IP/IP encapsulated 172.29.0.2>172.29.0.1 (linktype=7, len=120) Tunnel0: decapsulated IP/IP packet 1.1.1.1->1.1.1.2 (len=100 ttl=255) !!!!! etc. Let me know if you run into trouble. edit: Make sure your loopback IP's are being carried in your IGP. Or, if you aren't running an IGP, and need reachability, add some static routes to point the loopback IP's to the appropriate next-hops.
|
|
#
?
Oct 15, 2008 19:12
|
|
|
EDIT: I've got web browser access so looks like I'm on track. Thanks anyway. The normal "CISCO Guy" at our work is away so I've been handed this job to do, and I have no idea where to even start! I've got a brand new CISCO ADE 1010 and they want me to set it up as a ASA Radius Server. Am I able to do this? I've connected the VGA cable + keyboard and been through the setup. I can then get to the config section like a normal CISCO device but the options seem limited. Apparently it's supposed to have a web front end, but I can't get it to load if there is one... Haven't given much information, but is anyone able to help me or send me to a link? drewmoney fucked around with this message at 06:02 on Oct 20, 2008 |
|
#
?
Oct 20, 2008 05:47
|
|
|
This is more general networking than Cisco specific, but I figured this was as good a place as any. I've got an interview coming up for a network engineering position with a company focused on info security. I've been googling around and reading up, but is there anything definitive I should be reading on network security, pen testing, etc? I've got ~9 months networking experience, so any input or advice would be helpful. Thanks!
|
|
#
?
Oct 20, 2008 14:54
|
|
|
Ive got a server 2003 machine I am trying to run ASDM on and every time I do, I log in, the software downloads, then it crashes and closes. I've tried uninstalling and reinstalling both Java and the ASDM launcher to no effect. Has anyone seen this behavior before? Man I hate Java.
|
|
#
?
Oct 22, 2008 15:02
|
|
|
I've inherited some old 2950G-48s .. I thought they did SSH, but it appears not. Is this something released with later firmware versions? These are running the original IOS (from 2003)
|
|
#
?
Oct 22, 2008 21:04
|
|
|
oversteer posted:I've inherited some old 2950G-48s .. I thought they did SSH, but it appears not. Is this something released with later firmware versions? These are running the original IOS (from 2003) Those are nice switches to inherit. There should be SSH for the 2950's in later code. You'll need a maintenance contract and appropriate licensing to download it from CCO.
|
|
#
?
Oct 22, 2008 21:06
|
|
|
Syano posted:Ive got a server 2003 machine I am trying to run ASDM on and every time I do, I log in, the software downloads, then it crashes and closes. I've tried uninstalling and reinstalling both Java and the ASDM launcher to no effect. Has anyone seen this behavior before? Try upgrading to the latest ASDM image - if you have Smartnet you can grab it from the downloads section for your product. ASDM is a buggy piece of crap and it works most of the time, but if you're doing a huge roll out of supported devices you may want to consider Cisco Security Manager which is slightly less buggy but still a piece of crap and has a lot more features (but if you don't have at least 4-5 ASA's its not worth the cost to license). It's almost always worthwhile to use the CLI to maintain everything you can. ADSM is nice though for managing VPN on ASA platforms (for example) since there's a lot of redundant configuration it takes care of for you. CSM can do that job as well but it's more complicated since you have to define policies then apply them to devices.
|
|
#
?
Oct 27, 2008 04:48
|
|
|
jwh posted:Those are nice switches to inherit. Looking at Cisco.com the newest version of IOS you can get for them is 12.1.22. There isn't an Advanced IP services release, so either the Crypto Base release supports it, or you are SOL. Looking at my 3560G with IP Base w/crypto, there isn't an SSH option. Oh well just set up RADIUS and use that instead. They are nice switches though.
|
|
#
?
Oct 27, 2008 06:31
|
|
|
Powercrazy posted:Looking at Cisco.com the newest version of IOS you can get for them is 12.1.22. There isn't an Advanced IP services release, so either the Crypto Base release supports it, or you are SOL. The 2950s are Layer2 only so they'll only have Base/Enterprise software (and there's not much difference between them). Anything on an xx50 or above with crypto support (a k9 image) should support SSH, to enable it you need to go into config t, then use the 'crypto key generate ...' command to create the RSA keypair. Once you have the RSA keypair generated you can go into 'line vty 0 15' and set 'transport input ssh' to turn off telnet and turn on ssh. Before logging out make sure you test this or you'll have to do a password recovery to get yourself back in (I think other requirements for SSH are 'aaa new-model' and having either local users, or radius/tacacs+ set up- I don't think there's any way to use line passwords for SSH auth)
|
|
#
?
Oct 27, 2008 15:16
|
|
|
ragzilla posted:(I think other requirements for SSH are 'aaa new-model' and having either local users, or radius/tacacs+ set up- I don't think there's any way to use line passwords for SSH auth) And ip domain-name. I don't think it lets you generate the keypair without a domain name. Which is weird.
|
|
#
?
Oct 27, 2008 16:18
|
|
|
jwh posted:And ip domain-name. I don't think it lets you generate the key pair without a domain name. Which is weird. ip domain-name has to go in first before crypto key generate since the key pair is built in conjunction with the domain name. If you ever change the hostname on a switch, you have to re-generate the key pair because you will get a mis-match when you try to re-connect: Don't ask me how I know.
|
|
#
?
Oct 27, 2008 16:25
|
|
|
It's not the end of the world, they'll be on their own VLAN anyway. Other than being newer, how do the 2950G's compare to the 3548? Also the network has a rather elderly 3508, did anything replace this (SX GBICs) or did it all move to copper now ? The 3508 dates from 1999 and is rather due replacing with something from this millenium at least 
|
|
#
?
Oct 27, 2008 19:50
|
|
|
oversteer posted:It's not the end of the world, they'll be on their own VLAN anyway. I recently migrated an old 3508's connections into a WS-C3750G-12S joined to the existing stack. It saves on SFPs and fiber as well as making management easier. The only downside is that you have to get rid of GBICs and buy SFPs (1000BaseSX SFP replaces what you mentioned) to fill the slots of the 3750G-12S, but everyone should be moving to LC connectors on fiber for space's sake already.
|
|
#
?
Oct 27, 2008 20:31
|
|
|
oversteer posted:It's not the end of the world, they'll be on their own VLAN anyway. Eh, the 3508 is a good solid switch, we still have a handful of them production (but no longer in the core) 
|
|
#
?
Oct 27, 2008 20:55
|
|
|
Powercrazy posted:Looking at Cisco.com the newest version of IOS you can get for them is 12.1.22. There isn't an Advanced IP services release, so either the Crypto Base release supports it, or you are SOL. They should support it, assuming they are no different than the 24s. All our 2950s are running crypto image with ssh. I'll find out what version of ios they are on tomorrow.
|
|
#
?
Oct 28, 2008 16:12
|
|
|
Anyone have experience with the 850 series? I recently inherited (i.e. thrown at me with no background info) an issue which had not been resolved in a few months by the first guy (who no longer works with us go figure) and it's giving me major heartburn. I cannot for the life of me pinpoint what the problem is and I'm getting all kinds of pressure from above. Pretty sure I'm overlooking something simple here. We have a remote site that connects to our corporate office via a GRE tunnel over the internet. Assume all the necessary routes and ACL's are in place at corporate to reach the remote site (let's call it the 10.15.0.0 /24 net). I'm able to telnet to the remote device (an 850 series we'll call router B) so we know the tunnel works. I can ping the remote vlan1 interface from my desk. Router B has 2 manual IP routes: 10.0.0.0/8 goes over the tunnel to corporate and everything else goes to the cable modem/router/Internet. Issue: I CANNOT ping a server on the remote LAN from my desk or any device on the remote LAN for that matter (using their private 10.15 IPs) and they cannot get to our file servers. I CAN ping the server from router B itself(not using ping extended). Router B has only two working interfaces: the WAN port with a public IP (uplinks to cable modem router device) and Fa0 which is in the vlan 1 (downlinks to the LAN switch). Assume PAT is set up correctly*. Show ip route shows me that the router knows 10.15.0.0 /24 is directly connect vlan 1. 10.0.0.0 /8 goes over the tunnel and 0.0.0.0 goes to the public Internet. Setup of remote site: code:Do I need something like "ip route 10.13.0.0 255.255.255.0 vlan 1? I shouldn't since it's directly connected. I'm also assuming it's not firewall/acl related on router b because i see a few acls, but no ip access-group actually applying them. I can provide any additional info/clarification if needed but at this point you now know pretty much what I do. I'm getting visual clarification next week on what plugs into what just in case since I am new to this myself. *poo poo wait a minute, what comes first, the natting being done or the routing over the tunnel. That would explain everything if it's natted. EDIT: NVM forget it. 3 different people assured me the default gateway was set to 10.15.0.2 in dhcp, well guess what? It wasn't. 
J Crewl fucked around with this message at 00:49 on Nov 4, 2008 |
|
#
?
Nov 1, 2008 18:30
|
|
|
I'm wrestling with some STP problems on a 3750G-24T running IOS 12.1(11)AX. Over the weekend I set up inter-vlan routing along with OSPF for our two cores (Foundry BigIron 4000's). When I hook up a cable going from core2 to the 3750, STP doesn't get past blocking state, but the link from core1 to the 3750 is fine. I've connected it to configured and completely unconfigured ports on both cores with STP enabled and disabled, to the same result. I went in with a laptop and it got through to forwarding though. It has a fair amount of live traffic going through core1 just fine, so I can't do very intrusive testing. I have debug spanning-tree switch state on, and this is what it shows when plugging in the cable. code:code:code:
|
|
#
?
Nov 4, 2008 02:37
|
|
|
Bruno_me posted:I'm almost positive just disabling STP on Gi1/0/1 and Gi1/0/13 will fix the problem, because neither core does any bridging whatsoever, but I want to make sure that's not a dumb idea and STP is actually doing what it's supposed to be doing. If Core 1 is your spanning-tree root, the link between the 3750 and Core 2 should block as part of normal spanning-tree operation. If you're trying to load balance between the uplinks, you'll need to look at equal-cost multipath with routed interfaces. edit: edit to say that for the sake of clarity, the above is true only if VLAN 2 is in fact existing in a forwarding state between the cores. The fact that the 3750 uplink to core 2 blocks would tell me that this is indeed what is going on. jwh fucked around with this message at 03:20 on Nov 4, 2008 |
|
#
?
Nov 4, 2008 03:18
|
|
|
^^^^^^^efb^^^^^^^ If spanning tree is running between your two core switches, and it probably is, then spanning tree is running as intended. The three links in your diagram form a loop, one of the links will be blocked. Either move your links to L3, or keep the links L2 & move your L3 interfaces all onto the core with HSRP between the core switches.
|
|
#
?
Nov 4, 2008 03:23
|
|
|
inignot posted:Either move your links to L3, or keep the links L2 & move your L3 interfaces all onto the core with HSRP between the core switches. This is the suggested method for L2 access. Honestly you should be running HSRP at the core anyway.
|
|
#
?
Nov 4, 2008 05:15
|
|
|
I don't think I worded it correctly, but each of those devices are set up as L3 routers- the fiber link is a /30 that I included for completeness. There's IBGP going on between the cores, and OSPF to everything else. The idea of laying it out how it is in the diagram is that there's a /29 on the 3750's vlan2, in which each core and the 3750 have an address so they can participate in the same OSPF area, since they're in the same broadcast domain. The reason we decided not to go with HSRP/VRRP is so we can add/move upstreams to core2, which is going to happen fairly soon. edit: I guess if that's a dumb way to do it, that's good to know too 
Bruno_me fucked around with this message at 08:31 on Nov 4, 2008 |
|
#
?
Nov 4, 2008 08:27
|
|
|
Broadcast domain = VLAN = L2 = spanning-tree. If you want to go L3 then use a seperate /30 between each device. Do a 'no switchport' on the 3750 interface & put your ip address there.
|
|
#
?
Nov 4, 2008 14:22
|
|
|
Is it possible to load balance across a point to point private link and an internet connected VPN? I am installing backup connections in several branch offices and thought to myself "self, that would be a pretty neat use of resources if the backup connection could actually team up with the primary connection during normal business"
|
|
#
?
Nov 6, 2008 20:21
|
|
|
I'll preface this by stating that this is a really nebulous question/situation, but I thought I might get an idea or two of how to start attacking this issue. The hardware involved is an ASA 5510. I set up a VPN account for one of our vendors to access some internal server for support reasons. I have tested it from an internet connection outside of our network and even at home and everything works fine. The vendor, however, cannot connect properly. They can attach to our network via the VPN, but once they are attached, they are not able to RDP to the servers they would be supporting. Originally I set up access lists so that they would only have direct access to those servers. My next step when they claimed they couldn't connect was to take the ACLs off. That didn't help matters either. Seeing as I have no problems accessing the resources via the VPN connection and the vendor can even attach to the VPN(just not the resources), I'm at a bit of a loss on how I can start to trouble shoot this... help!
|
|
#
?
Nov 6, 2008 21:07
|
|
|
Syano posted:Is it possible to load balance across a point to point private link and an internet connected VPN? I am installing backup connections in several branch offices and thought to myself "self, that would be a pretty neat use of resources if the backup connection could actually team up with the primary connection during normal business" If both connections are running a dynamic routing protocol & you can fiddle around with the metric such that they are equal, then yes. I would suspect the two connections have differing bandwidth & latency characteristics , so load balancing could result in unpredictable consequences.
|
|
#
?
Nov 6, 2008 22:03
|
|
|
InferiorWang posted:I set up a VPN account for one of our vendors to access some internal server for support reasons. I have tested it from an internet connection outside of our network and even at home and everything works fine. The vendor, however, cannot connect properly. They can attach to our network via the VPN, but once they are attached, they are not able to RDP to the servers they would be supporting. Originally I set up access lists so that they would only have direct access to those servers. My next step when they claimed they couldn't connect was to take the ACLs off. That didn't help matters either. Can they ping the server they need to rdp to? If ping works and RDP doesn't, it's probably an mtu issue. Fiddle around with varying the ping size with the don't fragment bit set until you figure out the mtu for the VPN. I don't know what facilities the ASA has for modifying a tunnel mtu or clearing df bits though.
|
|
#
?
Nov 6, 2008 22:05
|
|
|
inignot, they cannot ping the servers. Again, I can ping them when I test it. I can't help but wonder if something on their end is butchering the packets. They claim that they have no problems with other clients.
|
|
#
?
Nov 6, 2008 22:33
|
|
|
InferiorWang posted:inignot, they cannot ping the servers. Again, I can ping them when I test it. I can't help but wonder if something on their end is butchering the packets. They claim that they have no problems with other clients. I'm betting it's a nat-traversal issue. Check your end's setting relating to Nat-T.
|
|
#
?
Nov 7, 2008 08:05
|
|
|
|
| # ? May 14, 2024 22:23 |
|
|
Is there any way a bad config could cause a flow collector to only capture half of the traffic going through a router? We've been moving stuff to a new data centre and I've just noticed the new collector is only seeing inbound traffic for our address range. I'm not sure if it's flow-tools or whether the routers are misconfigured.
|
|
#
?
Nov 7, 2008 09:33
|
|
