jbusbysack
Sep 6, 2002
i heart syd

Powercrazy posted:

Well the idea is that if you are running a full wireless mesh infrastructure it is assumed you have wiring closets and have drops running to cubicles etc. Thus you will have either a small stack of 3750s, or a 4500 or 6500 chassis.

Where else would you want to run n APs? Also it's definitely a selling point: want to support n APs? Then you need the new top-of-line switches. The E's also support full line-rate GigE, which is pretty cool.

The scenario to which this applies is large warehouses and shipping facilities where wireless scan guns are used for inventory control and processing. If you can't have homeruns to the core switching fabric (which in a big facility won't happen), you'd need to have the data link / power from an access switch. There typically aren't many floor drops on a warehouse floor short of the various floor booth offices, so spending 10-15k for access layer switch functionality (plus PoE) is insane.

802.11n is great for warehouses because of the difficulties in fully meshing a warehouse for APs, with all the metal shelving and moving machinery. All the multipathing makes it a lot easier to ensure coverage.

Granted this is a very specific scenario, but the lack of options in devices that can support Enhanced PoE is unfortunate.


ate shit on live tv
Feb 15, 2004

by Azathoth
Interesting scenario. 'n' is perfect for what you are describing. I'd say you do something like a centrally located switch with a fiber run to the aggregation switch.

Thus you'd have around 600 feet to place APs. Depending on the size of the warehouse you could get away with only a few switches. OR you could daisy chain a few switches in a row across the warehouse and hang the APs off those. But yea, you'll have a lot of wasted ports unfortunately. You might just have to use plug-in APs.

However, remember the 802.3at and 802.11n standards are still pretty new; just give it some time and I bet there will be smaller switches that will do ePoE/802.3at.

As fast as technology moves, the market still moves faster.

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE
Anyone know if you can map a DS1 to another DS1 on a 15327? The XTC works at the VT1.5 layer but I'm not sure if there are other shenanigans that would prevent this from happening.

hybr1d
Sep 24, 2002

I have a Cisco ASA in my office, and even light usage of legitimate torrents kills the internet connection about once a week. Can anyone point me in the right direction for a setting to adjust to keep this from happening?

jwh
Jun 12, 2002

hybr1d posted:

I have a Cisco ASA in my office, and even light usage of legitimate torrents kills the internet connection about once a week. Can anyone point me in the right direction for a setting to adjust to keep this from happening?

"Kills it" as in your Internet circuit becomes so congested that you can't effectively use it for something other than the torrent, or "kills it" in another way?

jbusbysack
Sep 6, 2002
i heart syd

hybr1d posted:

I have a Cisco ASA in my office, and even light usage of legitimate torrents kills the internet connection about once a week. Can anyone point me in the right direction for a setting to adjust to keep this from happening?

What model of ASA is it? If it's a 5505, exhaustion of the NAT table would be my first guess.

hybr1d
Sep 24, 2002

It's not congestion from the torrent, because stopping the torrent doesn't allow internet traffic to resume. I'm not sure what the error is because I don't have the console open when the problem happens.

It is a Cisco 5505; is there a way to cap a specific IP to prevent it from exhausting the NAT table?

jbusbysack
Sep 6, 2002
i heart syd

hybr1d posted:

It's not congestion from the torrent, because stopping the torrent doesn't allow internet traffic to resume. I'm not sure what the error is because I don't have the console open when the problem happens.

It is a Cisco 5505; is there a way to cap a specific IP to prevent it from exhausting the NAT table?

How many users are in this office going through the FW? What is the line capacity?

ior
Nov 21, 2003

What's a fuckass?

hybr1d posted:

I have a Cisco ASA in my office, and even light usage of legitimate torrents kills the internet connection about once a week. Can anyone point me in the right direction for a setting to adjust to keep this from happening?

I'd say memory leak, upgrade to 8.0(4).

Tremblay
Oct 8, 2002
More dog whistles than a Petco

ior posted:

I'd say memory leak.

This is much more likely than filling the NAT table to the gills. I've been running ASAs of various HW/SW combinations at home for 2 years and haven't had issues with torrents. There could be other issues, like threat-detection shunning hosts due to packet rate (if you are on 8 code). We need a little more to go on here...
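Tremblay's threat-detection theory is one you can check from the ASA's syslog instead of guessing. The script below is an added example, not code from this thread or from Cisco: it replays the ASA 8.x threat-detection messages (IDs 733100 for a drop-rate threshold, 733102 for a host added to the shun list, 733103 for a host removed) and reports which hosts are still shunned and which ones keep coming back. The sample log lines and the hostname `fw01` are constructed for the example, and the timestamp layout is the one assumed by the regex, so adjust `LINE_RE` to whatever your logging format actually emits.

```python
"""Scan Cisco ASA syslog for threat-detection shun events.

Added example (not from the thread). Assumes the ASA 8.x threat-detection
message IDs 733100 (drop rate exceeded), 733102 (host added to shun list)
and 733103 (host removed from shun list). The sample lines are constructed.
"""
import re
from collections import defaultdict

# Constructed sample syslog lines; not captured from a real firewall.
SAMPLE_LOG = """\
Jan 14 2009 22:10:01 fw01 %ASA-6-302013: Built outbound TCP connection 18822 for outside:198.51.100.7/6881 (198.51.100.7/6881) to inside:192.0.2.50/51234 (203.0.113.2/51234)
Jan 14 2009 22:10:04 fw01 %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 12 per second, max configured rate is 10; Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 3612
Jan 14 2009 22:10:05 fw01 %ASA-4-733102: Threat-detection adds host 192.0.2.50 to shun list
Jan 14 2009 22:15:05 fw01 %ASA-4-733103: Threat-detection removes host 192.0.2.50 from shun list
Jan 14 2009 22:20:07 fw01 %ASA-4-733102: Threat-detection adds host 192.0.2.51 to shun list
"""

# Assumed line layout: "<Mon DD YYYY HH:MM:SS> <hostname> %ASA-<sev>-<id>: <body>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ "
    r"%ASA-\d-(?P<msgid>\d{6}): (?P<body>.*)$"
)
HOST_RE = re.compile(r"\bhost (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_threat_events(log_text):
    """Return (timestamp, message_id, host_or_None) for every 7331xx
    threat-detection message; all other syslog lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("msgid").startswith("7331"):
            continue
        host = HOST_RE.search(m.group("body"))
        events.append((m.group("ts"), m.group("msgid"),
                       host.group("ip") if host else None))
    return events


def currently_shunned(events):
    """Replay add/remove events in log order and return the hosts still
    on the shun list at the end of the log."""
    shunned = set()
    for _ts, msgid, host in events:
        if msgid == "733102" and host:
            shunned.add(host)
        elif msgid == "733103" and host:
            shunned.discard(host)
    return shunned


def shun_counts(events):
    """How many times each host was added to the shun list. A host that
    keeps reappearing (a torrent client, say) is the one to look at
    before blaming the firewall's memory."""
    counts = defaultdict(int)
    for _ts, msgid, host in events:
        if msgid == "733102" and host:
            counts[host] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_threat_events(SAMPLE_LOG)
    for ev in evs:
        print(ev)
    print("still shunned:", sorted(currently_shunned(evs)))
    print("shun counts:", shun_counts(evs))
```

If the log shows 733102 entries lining up with the outages, the fix is tuning (or excluding the offending host from) threat-detection scanning rather than an OS upgrade; if it shows nothing, the memory-leak theory stays on the table.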

Wicaeed
Feb 8, 2005
Quick question: I've got some Cisco FLASH Intel Series 2+ memory cards that my work had lying around. Is there any way I can get these to be read in any PCMCIA slot in a laptop so that I can put a more recent IOS image on them, without having any of my Cisco devices connected to a network?

M@
Jul 10, 2004
http://www.theregister.co.uk/2009/01/05/cisco_router_hijacking/

quote:

A researcher has discovered a way to reliably exploit a known security vulnerability in a wide class of Cisco System routers, a finding that for the first time allows attackers to hijack millions of devices with a single piece of code.

The discovery by Felix "FX" Lindner of Recurity Labs in Berlin brings the write-once-run-anywhere approach of software development to the dark art of compromising routers that form the core of the internet. Previously, reliable exploit code had to be specifically fashioned to one of more than 15,000 different supported builds of IOS, or Internet Operating System, which run various Cisco devices.

ate shit on live tv
Feb 15, 2004

by Azathoth

Wicaeed posted:

Quick question: I've got some Cisco FLASH Intel Series 2+ memory cards that my work had lying around. Is there any way I can get these to be read in any PCMCIA slot in a laptop so that I can put a more recent IOS image on them, without having any of my Cisco devices connected to a network?

Most likely not. In order to read the cards you have to format them to FAT or FAT32, and the older Cisco routers cannot read FAT or FAT32. However, I think you might be able to do a "raw write" to them and put an image on that way. And of course there is always zmodem.

tortilla_chip
Jun 13, 2007

k-partite
The new 1140 APs will run on regular 802.3af and support n.

jwh
Jun 12, 2002

Has anyone performed an ACS 4.1 migration to current? There seem to be a lot of caveats to the process, and I'm very much worried about it.

Lowen SoDium
Jun 5, 2003

Highen Fiber
Clapping Larry

jwh posted:

Has anyone performed an ACS 4.1 migration to current? There seem to be a lot of caveats to the process, and I'm very much worried about it.

One of my coworkers did from 3.3 to current. I think that the catch was that he had to go to 4.something before he could get to the newest version.

We didn't have any issues with the upgrade(s). But we were not as worried about it because we run our ACS server on VMware, so we had snapshots in case something went sideways on us.

I wish I could tell you more about what he did, but I wasn't on that project and he isn't going to be at work for a while due to a family emergency.


edit: you could do what we used to do before we had VMware. Replicate your database to a secondary ACS server, upgrade your primary, and if it doesn't work, use the secondary as the live ACS server till you can rebuild the old one at the version level you need.

jwh
Jun 12, 2002

Lowen SoDium posted:

edit: you could do what we used to do before we had VMware. Replicate your database to a secondary ACS server, upgrade your primary, and if it doesn't work, use the secondary as the live ACS server till you can rebuild the old one at the version level you need.

ACS on VMware is a nice idea. I hadn't thought of that. We currently have the 1113 series appliances, which, as near as I can tell, are just rebadged IBM servers.

We do have a redundant ACS appliance that is running a mirror config, so the suggestion to upgrade the primary and fall to the spare as necessary is probably what we'll do.

Syano
Jul 13, 2005
We only have about 10 total routers in our organization and really cannot fit in our budget tools like Solarwinds. Does anyone have any suggestions on something that could help us backup configs and reload them if necessary?

Boner Buffet
Feb 16, 2006

Syano posted:

We only have about 10 total routers in our organization and really cannot fit in our budget tools like Solarwinds. Does anyone have any suggestions on something that could help us backup configs and reload them if necessary?

I'm not sure about reloading routers, but I figure that's not something you're doing often. For backup purposes, check out Rancid:

http://www.shrubbery.net/rancid/

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

InferiorWang posted:

I'm not sure about reloading routers, but I figure that's not something you're doing often. For backup purposes, check out Rancid:

http://www.shrubbery.net/rancid/

We used RANCID with expect scripts for all of our devices (over 300) at my last job. Couple that with login via TACACS and you can see who made the change and when they broke it.

Syano
Jul 13, 2005

InferiorWang posted:

I'm not sure about reloading routers, but I figure that's not something you're doing often. For backup purposes, check out Rancid:

http://www.shrubbery.net/rancid/

I got excited until I looked around for a win32 version. I'm not scared of some *nix, I just have almost zero skillset there.

jbusbysack
Sep 6, 2002
i heart syd

Syano posted:

We only have about 10 total routers in our organization and really cannot fit in our budget tools like Solarwinds. Does anyone have any suggestions on something that could help us backup configs and reload them if necessary?

I'm personally a fan of Kiwi CatTools. It's cheap (around 500 bucks) and emails out config difference reports / archives the configs daily. The free version will support up to 5 devices, so for 10 you'd have to spring for the full version.

http://www.kiwisyslog.com/kiwi-cattools-overview/

Edit: now that I look through my emails, they jacked up the price $200 since last year. Oh well, that's possibly since Solarwinds bought Kiwi Enterprises, but it's still a good utility.

jbusbysack fucked around with this message at 23:23 on Jan 14, 2009
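Both RANCID (as H.R. Paperstacks describes it) and CatTools earn their keep with the daily config difference report, so here is what the core of one looks like. This is an added example, not code from either tool or from anyone in the thread: it takes two snapshots of a router config, produces a unified diff, and flags the changed lines that deserve a human look. The two configs are constructed for a made-up router `edge-rtr1`, and the `RISKY` rules are this example's own choice of directives; extend them to match what your own policy cares about.

```python
"""Daily config-diff report in the spirit of RANCID / CatTools.

Added example, not code from either tool. OLD_CONFIG and NEW_CONFIG are
constructed snapshots of a made-up router; RISKY is this example's own
list of directives worth flagging when they appear (+) or disappear (-).
"""
import difflib
import re

OLD_CONFIG = """\
hostname edge-rtr1
service password-encryption
aaa new-model
aaa authentication login default group tacacs+ local
ip access-list extended MGMT-IN
 permit tcp 10.5.1.0 0.0.0.255 any eq 22
 deny ip any any log
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 ip access-group MGMT-IN in
no ip http server
line vty 0 4
 transport input ssh
"""

NEW_CONFIG = """\
hostname edge-rtr1
no service password-encryption
aaa new-model
aaa authentication login default local
ip access-list extended MGMT-IN
 permit tcp any any eq 22
 deny ip any any log
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.252
ip http server
line vty 0 4
 transport input ssh telnet
"""

# (label, regex applied to the changed line without its +/- sign,
#  which side of the diff makes it worth flagging: "+" added, "-" removed)
RISKY = [
    ("password encryption disabled", re.compile(r"^no service password-encryption$"), "+"),
    ("TACACS+ removed from login", re.compile(r"^aaa authentication login .*tacacs\+"), "-"),
    ("ACL opened to any source", re.compile(r"^\s*permit \S+ any any"), "+"),
    ("ACL applied to interface removed", re.compile(r"^\s*ip access-group "), "-"),
    ("HTTP server enabled", re.compile(r"^ip http server$"), "+"),
    ("telnet enabled on vty", re.compile(r"^\s*transport input .*telnet"), "+"),
]


def config_diff(old, new, name="running-config"):
    """Unified diff of two config snapshots, returned as a list of lines."""
    return list(difflib.unified_diff(
        old.splitlines(), new.splitlines(),
        fromfile=f"{name}.old", tofile=f"{name}.new", lineterm="", n=1))


def flag_risky_changes(diff_lines):
    """Return (label, line) pairs for added/removed lines matching a RISKY rule.
    File headers (+++/---), hunk headers (@@) and context lines are skipped."""
    hits = []
    for line in diff_lines:
        if not line or line[0] not in "+-" or line.startswith(("+++", "---")):
            continue
        sign, text = line[0], line[1:]
        for label, pattern, side in RISKY:
            if sign == side and pattern.search(text):
                hits.append((label, text))
    return hits


def report(old, new):
    """The text you would mail out: the diff, then the lines needing review."""
    diff = config_diff(old, new)
    hits = flag_risky_changes(diff)
    review = "\n".join(f"- {label}: {text.strip()}" for label, text in hits) or "- none"
    return "\n".join(diff) + "\n\nNeeds review:\n" + review


if __name__ == "__main__":
    print(report(OLD_CONFIG, NEW_CONFIG))
```

Pair the report with TACACS+ command accounting, as the post above suggests, and the "who" and "when" for each flagged line are already in your AAA logs.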

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Syano posted:

I got excited until I looked around for a win32 version. I'm not scared of some *nix, I just have almost zero skillset there.

It's really not that bad, promise.

admiraldennis
Jul 22, 2003

I am the stone that builder refused
I am the visual
The inspiration
That made lady sing the blues

coconono posted:

Do you (or anyone else here, for that matter) know of a free TFTP server alternative to Solarwinds? I'm having the same problem where I try to copy something over and their TFTP server shuts down.

e: and other than the old Cisco one, that one made me pretty angry a few times too.

I've been using tftputil for a bit. Clean and simple .NET app; it hasn't failed me yet.

The ancient Cisco one really sucks.

jwh
Jun 12, 2002

Is anyone using WCS for rogue wireless detection? We've just (finally) got our lab environments built, and we're attempting to tune the detectors. 1131AGs are hot little radios; they're picking stuff up at over -90 RSSI that's far, far away.

I'm also interested in hearing about whether people who have done rogue wireless detection have gone in with RLDP (normal mode) or dedicated detector APs. We're leaning towards RLDP, but I'm concerned about not being able to confirm rogue APs that are using passworded SSIDs.

Also, is anyone doing 802.1x with the stock Microsoft XP 802.1x supplicant? I have some questions about that thing too.

Herv
Mar 24, 2005

Soiled Meat

jwh posted:

Also, is anyone doing 802.1x with the stock Microsoft XP 802.1x supplicant? I have some questions about that thing too.

No clue on the rogue detection stuff, but I am using the Windows built-in 802.11x EAP (PEAP) client with an 1130, using the Microsoft RADIUS server.

It's been up for a couple of years, very reliable. If you try to brute force in, you lock out accounts if you actually guess one.

Vista and Win7 seem to do a lot better with initial logons though. XP wants you to log in wired first it seems.

jwh
Jun 12, 2002

Herv posted:

No clue on the rogue detection stuff, but I am using the Windows built-in 802.11x EAP (PEAP) client with an 1130, using the Microsoft RADIUS server.

It's been up for a couple of years, very reliable. If you try to brute force in, you lock out accounts if you actually guess one.

Vista and Win7 seem to do a lot better with initial logons though. XP wants you to log in wired first it seems.

Do you experience significant delays with the stock 802.1x supplicant? I can't figure out whether it's Windows that's waiting to provide the EAP packet (for some reason), or if it's something on the back-end.

Are you doing any kind of dynamic vlan assignment to 802.1x authenticated ports?

Herv
Mar 24, 2005

Soiled Meat
When I was using certificates instead of PEAP there seemed to be a 15 second pause when all the systems had to agree that you were legit. That's about it.

I am not doing any VLAN assignment for authed users or guest VLANs for those that don't (same for wired). It sounded pretty cool but I just didn't have a need for it. Small shop and all.

Partycat
Oct 25, 2004

We use WCS but don't do anything with the rogues. They pop up but in this environment it does not matter. Hundreds of them anyways so it would be a mess.

If anyone here does VoIP, I am curious to know with CIPC, if there is any way to disable native CDP with it, it pops up and gets the PC swung into a voice VLAN with hardware phones, which prompts the whole setup to pretty much stop working at that point. I'm sure there is a better/more appropriate way about it, but I can't seem to find anything that would be helpful.

wolrah
May 8, 2006
what?
I'm throwing an 1841 I have lying around into my home network for a while so I can become more familiar with IOS and so I can test T1 gear at home. I know how to get it going with NAT and set up the port forwards I need, but I can't seem to find good information on what, if any, VoIP helper features it may have.

Anyone who's familiar with SIP based VoIP systems knows they do not get along very well with NAT. Right now I'm alternating between an Edgemarc 200EW and an Edgemarc 4500, both of which are Linux-based NAT routers with explicit SIP proxy features to work around the NAT issue. Does Cisco offer anything similar in IOS so I can keep using my home phone without too much trouble?

nex
Jul 23, 2001

øæå¨æøåø
Grimey Drawer

jwh posted:

Is anyone using WCS for rogue wireless detection? We've just (finally) got our lab environments built, and we're attempting to tune the detectors. 1131AGs are hot little radios; they're picking stuff up at over -90 RSSI that's far, far away.

I'm also interested in hearing about whether people who have done rogue wireless detection have gone in with RLDP (normal mode) or dedicated detector APs. We're leaning towards RLDP, but I'm concerned about not being able to confirm rogue APs that are using passworded SSIDs.

We used WCS for this at this big convention we did, the organizers insisted on killing all rogue APs in sight.

AFAIK we did very little tuning, ran in RLDP mode and just used the standard choices in WCS to deauth the clients and contain the APs. I tried it on my own client and it worked pretty flawlessly. There wasn't really all that much to it, but I guess you can do loads of trickery if you want.

Not sure about the passworded SSID part..

Using WCS and airmagnet to hunt and kill rogue APs for 3 days was a fun change from the daily grind at the office. :-)

Tremblay
Oct 8, 2002
More dog whistles than a Petco

wolrah posted:

I'm throwing an 1841 I have lying around into my home network for a while so I can become more familiar with IOS and so I can test T1 gear at home. I know how to get it going with NAT and set up the port forwards I need, but I can't seem to find good information on what, if any, VoIP helper features it may have.

Anyone who's familiar with SIP based VoIP systems knows they do not get along very well with NAT. Right now I'm alternating between an Edgemarc 200EW and an Edgemarc 4500, both of which are Linux-based NAT routers with explicit SIP proxy features to work around the NAT issue. Does Cisco offer anything similar in IOS so I can keep using my home phone without too much trouble?

The NAT/PAT engine in IOS is SIP aware, so you shouldn't have any issues.

jwh
Jun 12, 2002

nex posted:

Not sure about the passworded SSID part..

Everything I'm reading says RLDP can join non-passworded SSIDs, but if you want to determine if a rogue AP is on your network, and it's using a passworded SSID, you need to deploy a radio in a dedicated detector role.

That's good info though; thanks!

brent78
Jun 23, 2004

I killed your cat, you druggie bitch.
Can someone post or email a config for a Cisco AP1100 that's using WPA/TKIP and 802.1x / PEAP?

Herv
Mar 24, 2005

Soiled Meat

brent78 posted:

Can someone post or email a config for a Cisco AP1100 that's using WPA/TKIP and 802.1x / PEAP?

This config should work. If things still fall apart, you can debug things to a certain point.
code:
1130AG#sh run
Building configuration...

Current configuration : 2907 bytes
!
! Last configuration change at 09:33:17 GMT Tue Jun 3 2008 by admin
! NVRAM config last updated at 10:09:13 GMT Sun Aug 24 2008 by admin
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1130AG
!
enable secret 5 *****************************
!
clock timezone GMT -5
ip subnet-zero
ip domain name company.com
ip name-server 10.5.1.99
!
!
aaa new-model
!
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad-scci
 server 10.5.1.48 auth-port 1645 acct-port 1646
!
aaa authentication login eapprofile1 group rad-scci local
aaa authentication dot1x eapprofile1 group rad-scci
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
dot11 ssid SSID-WPA
   authentication open eap eapprofile1
   authentication key-management wpa
   information-element ssidl advertisement wps
!
power inline negotiation prestandard source
eap profile eapprofile1
 method mschapv2
!
!
!
username admin password 7 ***************
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm tkip
 !
 ssid SSID-WPA
 !
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 hold-queue 160 in
!
interface BVI1
 ip address 10.11.1.2 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.11.1.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.5.1.48 auth-port 1645 acct-port 1646 key 7 ***************************
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 exec-timeout 35791 0
 privilege level 15
!
sntp server 10.5.1.254
sntp broadcast client
end
Edit: Cleaned up some minor crap in case someone tries to use this later on.

Herv fucked around with this message at 00:32 on Jan 22, 2009

Boner Buffet
Feb 16, 2006

jwh posted:

1131AGs are hot little radios; they're picking stuff up at over -90 RSSI that's far, far away.

They literally run hot too!

jwh
Jun 12, 2002

InferiorWang posted:

They literally run hot too!

I'm surprised they haven't burned down buildings. You could cook an egg on them.

coconono
Aug 11, 2004

KISS ME KRIS

Can anyone see any use of having a DHCP pool of one address with a very short lease?

I have a problem that I think that might be a fix.

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

coconono posted:

Can anyone see any use of having a DHCP pool of one address with a very short lease?

I have a problem that I think that might be a fix.

Guest access is the only thing that would come to mind. Standard guest access rules apply though: guest vlan, no internal access, only 80/443 to the web, yadda yadda

What are you trying to fix?


nex
Jul 23, 2001

øæå¨æøåø
Grimey Drawer
We have several Xenpaks and SFPs that support Digital Optical Monitoring (DOM) that are used ad hoc to get an overview in error situations.

We now want to generate regular reports that read DOM from all supported devices and use that to catch degradation before it becomes an issue.

What would be the best way to get these readings, if at all possible? I've been thinking about doing an SNMP script at first, but I don't find anything in the MIBs to get these values.
