BoNNo530
Mar 18, 2002

I have a little bit of a problem. I need to make changes to all nodes in the WAN at once. I was wondering if there is a script/tool that can do this. I figured there might be a solarwinds plug-in that can go through our current nodes, log in with a user and password, and then issue commands. For example


Solarwinds might have

10.0.80.1
10.0.81.1
10.0.101.1

Could I run something that will log in and then run

int t10
ip nhrp multicast xx.xx.xx.xx
ip nhs 10.0.1.1

for instance.

Is this possible?

Let me just come out and say, is there a fast way to change all router passwords at once?

H.R. Paperstacks
May 1, 2006

BoNNo530 posted:

I have a little bit of a problem. I need to make changes to all nodes in the WAN at once. I was wondering if there is a script/tool that can do this. I figured there might be a solarwinds plug-in that can go through our current nodes, log in with a user and password, and then issue commands. For example


Solarwinds might have

10.0.80.1
10.0.81.1
10.0.101.1

Could I run something that will log in and then run

int t10
ip nhrp multicast xx.xx.xx.xx
ip nhs 10.0.1.1

for instance.

Is this possible?

Let me just come out and say, is there a fast way to change all router passwords at once?


We always used custom scripts that were written with Expect in linux to do password changes and 100+ node changes.

If you want free, scripting is your way, if you want to pay, you can buy Cisco Configuration Network Engine. http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/index.html
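
An added example (the editor's, not from the thread and not a Cisco or SolarWinds tool) of the discipline an Expect-style rotation script needs when it walks 100+ routers: log in, set the new local secret, prove the new credential with a fresh login, and only then save and move on, so a bad push on one box never locks you out of it. The router side is a constructed fake standing in for an SSH session; in a real run that object would wrap the Expect dialogue or a paramiko/netmiko session. The inventory uses the three addresses from the question; the usernames and old secrets are made up.

```python
"""Rotate a local IOS account across a fleet, proving each change before
saving it.

Added example, not from the thread. FakeIOS is a constructed stand-in for
one router's CLI session so the rollout logic runs offline; in a real run
that object would wrap an Expect dialogue or a paramiko/netmiko session.
"""
import secrets
import string

# No '?' (IOS help key), no spaces: both would mangle the CLI line.
ALPHABET = string.ascii_letters + string.digits + "-_"


def new_secret(length: int = 20) -> str:
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class FakeIOS:
    """Constructed model of a router: local users plus a saved/unsaved flag.
    Only the commands the rotation sends are modelled."""

    def __init__(self, users: dict):
        self.users = dict(users)   # username -> secret
        self.pushed = []           # config lines sent this session
        self.saved = False

    def login(self, user: str, secret: str) -> bool:
        return self.users.get(user) == secret

    def configure(self, lines) -> None:
        for line in lines:
            parts = line.split()
            # 'username NAME secret SECRET' stores a hash in the config,
            # unlike 'password', which is reversible (type 7) or plaintext.
            if len(parts) == 4 and parts[0] == "username" and parts[2] == "secret":
                self.users[parts[1]] = parts[3]
            else:
                raise ValueError(f"unmodelled command: {line}")
            self.pushed.append(line)

    def write_memory(self) -> None:
        self.saved = True


def rotate_local_user(device, admin_user, admin_secret, target_user):
    """Rotate target_user on one device. Returns (status, new_secret).

    The admin session that did the push stays open until a *second* login
    with the new secret succeeds, so a bad push never locks us out."""
    if not device.login(admin_user, admin_secret):
        return "login-failed", None
    candidate = new_secret()
    device.configure([f"username {target_user} secret {candidate}"])
    if not device.login(target_user, candidate):
        return "verify-failed", None   # leave the old session up and investigate
    device.write_memory()
    return "ok", candidate


def rotate_fleet(inventory, admin_user, admin_secret, target_user):
    """Run the rotation over every host; a failure on one box does not stop
    the others. The returned secrets belong in a vault, never in a log."""
    return {
        host: rotate_local_user(dev, admin_user, admin_secret, target_user)
        for host, dev in inventory.items()
    }


# Constructed inventory using the three addresses from the question; the
# usernames and old secrets are made up. The third box has a drifted admin
# password, the usual reason a fleet-wide script needs a per-host report.
INVENTORY = {
    "10.0.80.1": FakeIOS({"netadmin": "old-admin", "recovery": "old-recovery"}),
    "10.0.81.1": FakeIOS({"netadmin": "old-admin", "recovery": "old-recovery"}),
    "10.0.101.1": FakeIOS({"netadmin": "drifted", "recovery": "old-recovery"}),
}

if __name__ == "__main__":
    report = rotate_fleet(INVENTORY, "netadmin", "old-admin", "recovery")
    for host, (status, _) in report.items():
        print(host, status)
```

The same shape works for the snippet push in the question (replace the `username` line with the `int t10` / `ip nhrp` block and verify with a `show run int t10` instead of a login); the point that carries over is the verify-before-save step and a per-host status rather than a script that stops at the first failure.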

jwh
Jun 12, 2002

BoNNo530 posted:

I have a little bit of a problem. I need to make changes to all nodes in the WAN at once. I was wondering if there is a script/tool that can do this. I figured there might be a solarwinds plug-in that can go through our current nodes, log in with a user and password, and then issue commands. For example


Solarwinds might have

10.0.80.1
10.0.81.1
10.0.101.1

Could I run something that will log in and then run

int t10
ip nhrp multicast xx.xx.xx.xx
ip nhs 10.0.1.1

for instance.

Is this possible?

Let me just come out and say, is there a fast way to change all router passwords at once?
As to your first question, we use Solarwinds Cirrus, which is a textual configuration engine. It does daily archiving and can push config 'snippets' similar to what you have above to a handful of devices at a time. It's not perfect, but it works pretty well. I'm not familiar with Rancid, but maybe that can push configurations out too? I dunno.

As to your second question, you should be authenticating back to a centralized aaa server, and you should have aaa configs that authenticate to the network and then fallback to local recovery accounts. That's how you change router passwords. But if you need to change local accounts, then you're pretty much stuck running a script of some sort. We change our local recovery accounts quarterly, and it's a pain in the rear end.

ate shit on live tv
Feb 15, 2004

nex posted:

We have several Xenpaks and SFPs that support Digital Optical Monitoring (DOM) that are used ad hoc to get an overview in error situations.

We now want to generate regular reports that read DOM from all supported devices and use that to catch degradation before it becomes an issue.

What would be the best way to get these readings, if at all possible? I've been thinking about doing an SNMP script at first, but I don't find anything in the MIBs to get these values.

If you are using these optics on CRS-1s or 7600s then I believe there is already a utility that runs in IOS-XR, and perhaps a module on the 7600 that allows you to monitor the degradation before traffic loss. Unfortunately I don't remember how we did it when we were testing failover for video streams.

I'll check around.

BoNNo530
Mar 18, 2002

jwh posted:

As to your first question, we use Solarwinds Cirrus, which is a textual configuration engine. It does daily archiving and can push config 'snippets' similar to what you have above to a handful of devices at a time. It's not perfect, but it works pretty well. I'm not familiar with Rancid, but maybe that can push configurations out too? I dunno.

As to your second question, you should be authenticating back to a centralized aaa server, and you should have aaa configs that authenticate to the network and then fallback to local recovery accounts. That's how you change router passwords. But if you need to change local accounts, then you're pretty much stuck running a script of some sort. We change our local recovery accounts quarterly, and it's a pain in the rear end.

Is Cirrus a plug-in? I am looking through our SolarWinds box now to see if I can find it.

Edit:


Found it! Thanks!

BoNNo530 fucked around with this message at 01:07 on Jan 22, 2009

nex
Jul 23, 2001

Powercrazy posted:

If you are using these optics on CRS-1s or 7600s then I believe there is already a utility that runs in IOS-XR, and perhaps a module on the 7600 that allows you to monitor the degradation before traffic loss. Unfortunately I don't remember how we did it when we were testing failover for video streams.

I'll check around.

Our core is 7600 and CRS-1 only so that would be really awesome, thanks. The major concern for us too is the IP-TV part, so it seems we have a pretty similar scenario.

analogsoul
Sep 17, 2007
Ok this has been giving me nothing but grief the past week.

I have a Cisco 871 behind a cable modem with 5 public IPs. I have configured the WAN for one of the IPs, and have configured the VLAN (192.168.1.0) for the 4 switch ports. I can access the internet fine, but NAT does not seem to work. Basically I am using the four remaining public IPs for NAT.

For instance, I have an FTP server with a local address of 192.168.1.135 which I translated to one of the public IPs but I cannot connect from the outside.

I made sure that the WAN port is set to outside and the VLAN is set to inside for NAT. I also disabled the firewall in case that is causing any problems with the same result. Does anyone have any ideas why NAT isn't working?

Here is my running config:

!----------------------------------------------------------------------------
!version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-347216607
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-347216607
revocation-check none
rsakeypair TP-self-signed-347216607
!
!
crypto pki certificate chain TP-self-signed-347216607
certificate self-signed 01
3082023C 308201A5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33343732 31363630 37301E17 0D303230 33303130 32313433
395A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3334 37323136
36303730 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
9EF4D057 57F6C330 04BFBC5E FB7607BD 5A847AC6 92DF48B0 AE904273 B4239368
694180E4 DD3AA4EE 4355990A 22131CAB 45715FB7 A9369769 79586DA4 C30C92E6
401095F3 685BB987 C65707FF 3C376734 E1F79D1B D1B11AB7 90AD0A7E EACB3CE2
E48B5758 8AB7EEEF 903C6BE5 CAF0D7EF B5832F05 449BC56E 1CEEE70E 63B923E7
02030100 01A36630 64300F06 03551D13 0101FF04 05300301 01FF3011 0603551D
11040A30 08820652 6F757465 72301F06 03551D23 04183016 8014EC17 7E4A4165
76CACE0A 632CA698 5B887207 8554301D 0603551D 0E041604 14EC177E 4A416576
CACE0A63 2CA6985B 88720785 54300D06 092A8648 86F70D01 01040500 03818100
8FFB6964 A80A00A0 9F6483AD 4C0D7327 38BAAC3E 6F382AFF 265A3E48 D0A70360
D052E80C CD34F7D7 8CC29457 353F8929 D05B1C0D 42094DB9 DCFB91F8 1DB97587
622962CE E51A593C 4D2CE247 1B7092DA F17F5B3F 9616980F EBADA7F4 1A74312D
A39F3757 16B6DED6 3A9210C4 2394BFE3 B3DFA2A7 A4C12CB6 4284B0F5 4C095AC4
quit
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.100
!
ip dhcp pool pool2
import all
network 192.168.1.0 255.255.255.0
dns-server 66.75.164.89 66.75.164.90
default-router 192.168.1.1
netbios-name-server 192.168.1.100
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
username XXXXX privilege 15 password 0 XXXXXX
!
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address x.x.x.y 255.255.255.248
ip nat outside
ip virtual-reassembly
shutdown
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.y (Cable Modem Gateway)
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.135 21 x.x.x.y 21 extendable
ip nat inside source static tcp 192.168.1.189 631 x.x.x.y 631 extendable
ip nat inside source static tcp 192.168.1.155 3389 x.x.x.y 3389 extendable
ip nat inside source static tcp 192.168.1.154 5905 x.x.x.y 5905 extendable
ip nat inside source static tcp 192.168.1.144 5908 x.x.x.y 5908 extendable
ip nat inside source static tcp 192.168.1.106 55353 x.x.x.y 55353 extendable
ip nat inside source static tcp 192.168.1.142 80 x.x.x.y 80 extendable
ip nat inside source static tcp 192.168.1.142 3389 x.x.x.y 3389 extendable
ip nat inside source static tcp 192.168.1.142 8080 x.x.x.y 8080 extendable
ip nat inside source static tcp 192.168.1.191 80 x.x.x.y 80 extendable
ip nat inside source static tcp 192.168.1.160 5809 x.x.x.y 5809 extendable
ip nat inside source static tcp 192.168.1.191 5903 x.x.x.y 5903 extendable
ip nat inside source static tcp 192.168.1.109 5904 x.x.x.y 5904 extendable
ip nat inside source static tcp 192.168.1.186 5911 x.x.x.y 5911 extendable
ip nat inside source static tcp 192.168.1.159 5915 x.x.x.y 5915 extendable
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
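
Before reaching for `debug ip nat` on a config like the one above, a check worth running: every static translation must claim a distinct (global address, protocol, port), every global address must sit on a subnet of an `ip nat outside` interface (otherwise the router never answers ARP for it and the cable modem's gateway has nowhere to send the packet), and that outside interface must not be shut down. The lint below is an added example from the editor, not part of the post or an IOS feature. Because the post masks all public addresses as x.x.x.y, the sample config is a constructed one on a made-up /29 (203.0.113.8/29) that mirrors the post's entries; whether the real config really maps port 80 or 3389 twice to the same public address is something only the poster can tell by running this over the unmasked config.

```python
"""Lint IOS static NAT entries for the things that make a port-forward
silently dead: an outside interface that is shutdown, a global address the
router cannot answer for, and two entries claiming the same
(global address, protocol, port).

Added example, not from the post. SAMPLE is a constructed config on a
made-up /29 that mirrors the post's entries; the real addresses are masked
there as x.x.x.y, so only the poster can run this against the real thing.
"""
import ipaddress
import re
from collections import defaultdict

IFACE_RE = re.compile(r"^interface (\S+)\s*$")
ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)\s*$")
STATIC_RE = re.compile(
    r"^\s*ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)\b"
)


def outside_interfaces(config: str):
    """Return [(name, connected network, is_shutdown)] for every interface
    carrying 'ip nat outside'. Interface stanzas end at a bare '!', which
    also makes this tolerant of pasted configs whose indentation was lost."""
    info, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            cur = m.group(1)
            info[cur] = {"net": None, "outside": False, "shut": False}
            continue
        if line == "!":
            cur = None
        if cur is None:
            continue
        m = ADDR_RE.match(line)
        if m:
            info[cur]["net"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif line == "ip nat outside":
            info[cur]["outside"] = True
        elif line == "shutdown":
            info[cur]["shut"] = True
    return [(n, v["net"], v["shut"]) for n, v in info.items() if v["outside"]]


def lint_static_nat(config: str):
    """Return a list of human-readable problems; an empty list means none found."""
    problems = []
    outside = outside_interfaces(config)
    nets = [net for _, net, _ in outside if net is not None]
    for name, _, shut in outside:
        if shut:
            problems.append(f"{name} is 'ip nat outside' but shutdown")
    claims = defaultdict(list)   # (global, proto, port) -> [local:port, ...]
    for raw in config.splitlines():
        m = STATIC_RE.match(raw)
        if not m:
            continue
        proto, local, lport, glob, gport = m.groups()
        claims[(glob, proto, int(gport))].append(f"{local}:{lport}")
        if not any(ipaddress.ip_address(glob) in net for net in nets):
            problems.append(
                f"{glob} is not on any 'ip nat outside' subnet; the router will not ARP for it"
            )
    for (glob, proto, gport), locals_ in claims.items():
        if len(locals_) > 1:
            problems.append(
                f"{glob} {proto}/{gport} is mapped to {len(locals_)} inside hosts: {', '.join(locals_)}"
            )
    return problems


# Constructed sample on 203.0.113.8/29, mirroring the shape of the post's
# config: the outside port is still 'shutdown', 3389 is claimed twice on one
# public address, and one entry points at an address the router does not own.
SAMPLE = """\
interface FastEthernet4
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 shutdown
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.135 21 203.0.113.11 21 extendable
ip nat inside source static tcp 192.168.1.155 3389 203.0.113.12 3389 extendable
ip nat inside source static tcp 192.168.1.142 80 203.0.113.12 80 extendable
ip nat inside source static tcp 192.168.1.142 3389 203.0.113.12 3389 extendable
ip nat inside source static tcp 192.168.1.191 80 203.0.113.13 80 extendable
ip nat inside source static tcp 192.168.1.160 5809 198.51.100.9 5809 extendable
"""

if __name__ == "__main__":
    for problem in lint_static_nat(SAMPLE):
        print("WARN", problem)
```

The overload rule on the interface and the statics do not conflict with each other: inside-to-outside traffic from a host with a static entry uses the static, everything else uses the interface address. What does bite is a static whose global address is one of the "extra" public IPs but sits outside the /29 configured on FastEthernet4; the lint flags that case separately from the duplicate-port case.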

inignot
Sep 1, 2003

The wan port in that config is shutdown.

Aside from that, I don't see any problem with the nat overload config. Debug nat and see what shows up in the logs.

analogsoul
Sep 17, 2007
When I exported the running config, the router wasn't connected to the network, so that's why WAN is shutdown. I'll debug NAT and look at the logs later tonight.

The weird thing is I have an old Netopia R910 (which is what the cisco router is replacing) that has no problem with the same NAT configuration. The reason I'm replacing it, is that it's starting to drop packets.

Thanks

analogsoul fucked around with this message at 20:01 on Jan 22, 2009

para
Nov 30, 2006

analogsoul posted:

interface FastEthernet4
ip address x.x.x.y 255.255.255.248
ip nat outside
ip virtual-reassembly
shutdown
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip nat inside source list 1 interface FastEthernet4 overload

Shouldn't there be a pool of public IP addresses to NAT to? Something like...

code:
ip nat pool PUBLIC_IP_NAT_POOL x.x.x.start x.x.x.end netmask 255.255.255.248
!
ip nat inside source list 1 pool PUBLIC_IP_NAT_POOL overload

analogsoul
Sep 17, 2007

para posted:

Shouldn't there be a pool of public IP addresses to NAT to? Something like...

code:
ip nat pool PUBLIC_IP_NAT_POOL x.x.x.start x.x.x.end netmask 255.255.255.248
!
ip nat inside source list 1 pool PUBLIC_IP_NAT_POOL overload

I'll try that. I thought that since these are static translations, that I didn't need a pool, but it is definitely worth a try. Should I include the public IP that I assigned the WAN in that pool?

jwh
Jun 12, 2002

You shouldn't need a pool.

Could you try dropping your overload? I wonder if there's some ambiguity between access list 1 on the overload and the static translations.

debug ip nat will probably tell you what's going on pretty quickly too.

ate shit on live tv
Feb 15, 2004

nex posted:

Our core is 7600 and CRS-1 only so that would be really awesome, thanks. The major concern for us too is the IP-TV part, so it seems we have a pretty similar scenario.

Bad news, but hopefully you figured out the problem. What we were doing didn't use DOM. We used a feature that was created specifically for SAVVIS in the CRS only. It worked by monitoring FEC errors; when the number of errors got too high it would fail over. I'm not sure if this feature has been implemented in the mainline IOX code.

If you are interested in the feature and it isn't implemented yet, see if you can talk to a Cisco rep about Service Provider .pie files for your CRS. You'll need to talk to a Verizon, AT&T, or SAVVIS SE. Though I assume if you bought several CRSs you might actually have access to it, and just didn't know.

Hopefully that will help for what you guys want to do.

para
Nov 30, 2006
I had a WRT54G linksys a while back, and I have a DNS entry for my global IP called, say, para.com. On one of the computers on my LAN I'm running a web server on port 80, but I noticed a lot of buffer overflow attempts coming from the outside so I set my router to statically NAT from para.com:85 to 192.168.1.108:80.

With the linksys, while inside the LAN, I was still able to access 192.168.1.108:80 by opening a browser and going to para.com:85, which was great in case a web application I was running required the address to be hardcoded to the global address.

Now I have a cisco 871, which is a great router, but this particular feature is no longer functioning. It appears that if I try to go to para.com:85, it routes to the fa4 (WAN) port and stops there rather than being looped back around and NAT'ed out.

Is there a way to configure my cisco to be able to perform this type of action?

falz
Jan 29, 2005

para posted:

I had a WRT54G linksys a while back, and I have a DNS entry for my global IP called, say, para.com. On one of the computers on my LAN I'm running a web server on port 80, but I noticed a lot of buffer overflow attempts coming from the outside so I set my router to statically NAT from para.com:85 to 192.168.1.108:80.

With the linksys, while inside the LAN, I was still able to access 192.168.1.108:80 by opening a browser and going to para.com:85, which was great in case a web application I was running required the address to be hardcoded to the global address.

Now I have a cisco 871, which is a great router, but this particular feature is no longer functioning. It appears that if I try to go to para.com:85, it routes to the fa4 (WAN) port and stops there rather than being looped back around and NAT'ed out.

Is there a way to configure my cisco to be able to perform this type of action?
The only way that you can really fix this up is to do so at the DNS level. I would recommend making your router your LAN's DNS server and creating host (A) entries there. You of course must then point your local machines to your router's internal IP for dns. It will do caching lookups for you and should work fine.

code:
router(config)# ip domain lookup
router(config)# ip name-server 4.2.2.2
router(config)# ip name-server 4.2.2.3

router(config)# ip dns server
router(config)# ip host para.com 192.168.1.108
router(config)# ip host www.para.com 192.168.1.108
Replace 4.2.2.x above with your ISP's DNS servers if you'd prefer to use them. This likely also makes your WAN IP a DNS server. You may want to filter incoming DNS requests here or at least test it out. Cisco docs on this.

A simpler way would be to just edit your local hosts file for the IP, but I never recommend doing this as it's easily forgotten.

brent78
Jun 23, 2004

I have a pair of stacked 3750's (love em), with a few vlans. One vlan carries public traffic, another is dedicated to SAN (iSCSI). I'd like to set the system mtu to 9000 to use jumbo frames on the SAN for better performance. What's going to happen to traffic on my public vlan that uses an mtu of 1500? Will it work?

Herv
Mar 24, 2005

brent78 posted:

I have a pair of stacked 3750's (love em), with a few vlans. One vlan carries public traffic, another is dedicated to SAN (iSCSI). I'd like to set the system mtu to 9000 to use jumbo frames on the SAN for better performance. What's going to happen to traffic on my public vlan that uses an mtu of 1500? Will it work?

I have mixed and matched 1500 with 9000 no problem, and it was on a 3750 for what it's worth.

Did the 1100AP get going or what?

Biggz
Dec 27, 2005

I'm having a bit of a problem getting Windows VPN client to connect to an ASA 5505.

I have got the Cisco VPN Client to connect fine by following the IPSec VPN Wizard for Remote Clients but this doesn't seem to work for me for the Windows VPN Client.

Does anyone have any articles or configuration guides about this as all I can find on Cisco's site / google is guides for ASA with the Cisco Client.

I have ASDM and CLI access.

Thanks

jwh
Jun 12, 2002

Biggz posted:

I'm having a bit of a problem getting Windows VPN client to connect to an ASA 5505.
What version of Windows are you using? I know that there were NAT-T problems with the Microsoft VPN client prior to XP SP2.

Biggz
Dec 27, 2005

jwh posted:

What version of Windows are you using? I know that there were NAT-T problems with the Microsoft VPN client prior to XP SP2.

I'm using Vista Ultimate 32-bit. The only thing I've found regarding Vista and ASAs is that more than one can't connect using Windows VPN at one time, as per http://support.microsoft.com/kb/942429

I'm the only one connecting as the ASA is currently on my colleague's desk.

jwh
Jun 12, 2002

Biggz posted:

I'm using Vista Ultimate 32-bit. The only thing I've found regarding Vista and ASAs is that more than one can't connect using Windows VPN at one time, as per http://support.microsoft.com/kb/942429

I'm the only one connecting as the ASA is currently on my colleague's desk.

That's L2TP with IPSec, not IPSec directly. You'll want to configure your ASA for L2TP.

BoNNo530
Mar 18, 2002

I don't like posting new threads so I will just post this here.

We are looking for a Cisco Engineer to fill a position at our company. The person would need a minimum of a CCNA, and 1-2 years experience with routing and switching. Also, PIX firewall experience is a plus and as much VPN experience as possible. PM or IM me for the details.

BoNNo530 fucked around with this message at 18:41 on Jan 26, 2009

ragzilla
Sep 9, 2005

brent78 posted:

I have a pair of stacked 3750's (love em), with a few vlans. One vlan carries public traffic, another is dedicated to SAN (iSCSI). I'd like to set the system mtu to 9000 to use jumbo frames on the SAN for better performance. What's going to happen to traffic on my public vlan that uses an mtu of 1500? Will it work?

If you mix/match MTUs it may cause problems with traffic originated from the device with a raised MTU (most commonly causes an issue with things like OSPF/EIGRP). You'll want to set 'ip mtu 1500' on any layer 3 interface that will be going through a device with a 1500 MTU.

Syano
Jul 13, 2005
I have a lot of guest access machines on private VLANs that are eating up my internet bandwidth with connections to windows update after a big patch release day (like yesterday). Is there a way to configure an ASA with a firewall rule that blocks access to windowsupdate to everyone but my WSUS server?

nex
Jul 23, 2001

Powercrazy posted:

Bad news, but hopefully you figured out the problem. What we were doing didn't use DOM. We used a feature that was created specifically for SAVVIS in the CRS only. It worked by monitoring FEC errors; when the number of errors got too high it would fail over. I'm not sure if this feature has been implemented in the mainline IOX code.

If you are interested in the feature and it isn't implemented yet, see if you can talk to a Cisco rep about Service Provider .pie files for your CRS. You'll need to talk to a Verizon, AT&T, or SAVVIS SE. Though I assume if you bought several CRSs you might actually have access to it, and just didn't know.

Hopefully that will help for what you guys want to do.

Thanks for the detailed reply, I will look into if we have that feature on our CRS-1s. Meanwhile I dug up the commands to activate SNMP traps for DOM in IOS and have started hacking up the most important links in Cacti. A bit static for my taste, but combined with Thold it should do the trick.

If anyone is interested:

code:
transceiver type all
 monitoring

in running config will enable you to use "snmp-server enable trap transceiver" to trap and CISCO-ENTITY-SENSOR-MIB to graph DOM-capable interfaces on the 6500 and 7600 platforms.
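
For the reporting side, an added example (the editor's, not from the post) of what a Cacti/Thold threshold or a trap handler has to get right once the values arrive: entSensorValue is a bare integer that only means something after entSensorScale and entSensorPrecision are applied, and a fixed window alone will not catch a slowly fading optic, which is what the post wants to catch. The sample rows are constructed (no SNMP library is used, so it runs offline), and the thresholds are assumed figures for a typical 10G optic rather than values read from the MIB's own entSensorThresholdTable.

```python
"""Decode CISCO-ENTITY-SENSOR-MIB readings from DOM-capable optics and flag
the ones worth a ticket before they fail.

Added example, not from the post. The rows in SAMPLE are constructed (no
SNMP library is used, so this runs offline), and THRESHOLDS are assumed
numbers for a typical 10G optic, not values read from the MIB's own
entSensorThresholdTable.
"""
from dataclasses import dataclass


# SensorDataScale (CISCO-ENTITY-SENSOR-MIB, the same enumeration as RFC 3433):
# yocto(1) ... milli(8), units(9), kilo(10) ... yotta(17); each step is 10**3.
def scale_factor(scale: int) -> float:
    if not 1 <= scale <= 17:
        raise ValueError(f"bad entSensorScale {scale}")
    return 10.0 ** (3 * (scale - 9))


def decode(value: int, scale: int, precision: int) -> float:
    """Apply the MIB's fixed-point rule: entSensorValue is an integer with
    'precision' implied decimal places, in units of 'scale'."""
    return value * scale_factor(scale) / (10 ** precision)


@dataclass(frozen=True)
class Reading:
    port: str
    kind: str        # what entSensorType says this sensor measures
    value: int       # entSensorValue
    scale: int       # entSensorScale
    precision: int   # entSensorPrecision


THRESHOLDS = {               # (low, high) in real units; assumed figures
    "rx_dbm": (-12.0, 0.5),
    "tx_dbm": (-8.0, 0.5),
    "temp_c": (0.0, 70.0),
}


def out_of_window(readings):
    """{port: [messages]} for every sensor outside its (low, high) window."""
    alarms = {}
    for r in readings:
        real = decode(r.value, r.scale, r.precision)
        lo, hi = THRESHOLDS[r.kind]
        if not lo <= real <= hi:
            alarms.setdefault(r.port, []).append(f"{r.kind}={real:.1f} outside [{lo}, {hi}]")
    return alarms


def drifting(rx_history, max_drop_db: float = 1.0) -> bool:
    """True when an optic has lost more than max_drop_db of receive power
    since the first sample, even if every sample is still inside the window.
    This is the 'before it becomes an issue' check; the window alone is not."""
    return len(rx_history) >= 2 and (rx_history[0] - rx_history[-1]) > max_drop_db


# Constructed sample. In this sample the dBm sensors report scale units(9)
# with precision 1, so -138 means -13.8 dBm, and the temperature sensor
# reports milli(8) with precision 0, so 41500 means 41.5 C. Real optics may
# pick different scale/precision pairs, which is exactly why decode() reads
# them from the row instead of assuming.
SAMPLE = [
    Reading("Te1/1", "rx_dbm", -23, 9, 1),
    Reading("Te1/1", "tx_dbm", -15, 9, 1),
    Reading("Te1/2", "rx_dbm", -138, 9, 1),
    Reading("Te1/2", "temp_c", 41500, 8, 0),
    Reading("Te2/1", "rx_dbm", -400, 9, 1),   # no light at all
]

if __name__ == "__main__":
    for port, msgs in out_of_window(SAMPLE).items():
        print(port, "; ".join(msgs))
    print("Te1/1 drifting:", drifting([-2.3, -2.6, -3.1, -3.5]))
```

The drift check is the part a static threshold in Thold does not give you: keep each port's decoded Rx history (a day or a week of polls) and alert on the slope, not just the floor, and a dirty connector or a dying laser shows up while there is still margin.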

H.R. Paperstacks
May 1, 2006

Syano posted:

I have a lot of guest access machines on private VLANs that are eating up my internet bandwidth with connections to windows update after a big patch release day (like yesterday). Is there a way to configure an ASA with a firewall rule that blocks access to windowsupdate to everyone but my WSUS server?


I am not sure if WSUS will allow you to download from it if the machine isn't a part of the domain, hence why the guest machines are going to the internet for the updates.

In the end, you can build a rule to block all dest port 80 traffic to windowsupdate IP space with the ASA. You are just going to add the rule to the outbound ACL for your inside interface.

ate shit on live tv
Feb 15, 2004

How to stop ARP spam? So I get home from work and my internet is going slow as poo poo. I assume it is my roommate bit torrenting so I log into my Cisco 851W just to look at the traffic. But then I notice something odd:

quote:

ARP statistics:
Rcvd: 3563411 requests, 366 replies, 0 reverse, 0 other
Sent: 3324 requests, 8639 replies (56 proxy), 0 reverse

Obviously that is a little excessive. Since the ARP is coming from the internet I can't actually stop it at the source, but I figure I can at least stop my router from processing all the requests. But I'm not sure how to do it. I want to receive one arp from my cable modem which we will assume is 20.20.20.20 but I want to block all others.

I'm getting ARPs from both the same subnet as well as some apparently unrelated addresses from elsewhere.

So I know the solution is Access-lists, but how would I configure it to only apply to ARPs? Also is there another way to do it?

Semi-related, does anyone have a "hardened" IOS config they can post? You know the usual stuff, outbound ACLs, inbound ACLs, appropriate services disabled etc? Whatever other "tricks" there are. I'm not very security savvy, so any help would be appreciated.

ior
Nov 21, 2003

Powercrazy posted:

How to stop ARP spam? So I get home from work and my internet is going slow as poo poo. I assume it is my roommate bit torrenting so I log into my Cisco 851W just to look at the traffic. But then I notice something odd:


Obviously that is a little excessive. Since the ARP is coming from the internet I can't actually stop it at the source, but I figure I can at least stop my router from processing all the requests. But I'm not sure how to do it. I want to receive one arp from my cable modem which we will assume is 20.20.20.20 but I want to block all others.

I'm getting ARPs from both the same subnet as well as some apparently unrelated addresses from elsewhere.

So I know the solution is Access-lists, but how would I configure it to only apply to ARPs? Also is there another way to do it?

Don't. You won't gain any measurable performance from it and it will break your connectivity with people in the same subnet as you (which tends to be quite big with cable).

wolrah
May 8, 2006

Powercrazy posted:

Obviously that is a little excessive. Since the ARP is coming from the internet I can't actually stop it at the source, but I figure I can at least stop my router from processing all the requests. But I'm not sure how to do it. I want to receive one arp from my cable modem which we will assume is 20.20.20.20 but I want to block all others.

I'm getting ARPs from both the same subnet as well as some apparently unrelated addresses from elsewhere.

How long of a time period is that sample for? Cable networks tend to have a lot of ARP traffic going around. I just did 'tcpdump -i eth1 arp' on my router and captured 90 ARP packets in one minute on a low traffic node. At that rate I'd hit your number in about 28 days.

As for "unrelated" subnets, you'll see ARP traffic for every subnet configured on your node as the headend sends them out. I know my local cable company runs every subnet as a /24, so from that I can see at least 14 unique subnets in that one minute of captured traffic.

Short answer: what you're seeing looks perfectly normal to me.

jwh
Jun 12, 2002

quote:

Sent: 3324 requests, 8639 replies (56 proxy), 0 reverse
Funny related story, I once completely broke a small broadband provider in the Hudson river valley by putting an 1841 with 'ip proxy arp' enabled (which it is by default) on their network. As a customer.

Anyway, 'show proc cpu | i ARP' and see what your ARP process is doing. More than likely, it's not chewing any substantial cycles.

BoNNo530
Mar 18, 2002

Is it possible to do unequal cost load balancing with multilinks? I have multilink3 (bonded T1 DIA) and multilink6 (3Mb point to point). They are both in separate routers at the same site, but I am wondering if it would be better just to migrate them to one router.

The preferred route right now is through a DMVPN tunnel on the DIA that goes to the 2nd site. I would rather traffic flow through the 2851 with the Point to Point bundle. I also want to avoid static routes since they always come back to haunt me.

inignot
Sep 1, 2003

EIGRP will do unequal cost load balancing.

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008009437d.shtml
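
An added example (the editor's, not from the post or the linked Cisco note) of the two conditions `variance` applies before EIGRP installs a second, worse path: the path must be feasible (the neighbour's reported distance is strictly below the successor's feasible distance, which is what keeps unequal-cost balancing loop-free) and its metric must be within variance times the successor's. The metrics are made up to resemble the question; the traffic-share figure is a proportional 1/metric weight, and IOS's rounding of that into small integer "traffic share count" values is not modelled.

```python
"""Which paths EIGRP installs for a destination under 'variance'.

Added example, not from the post or the linked Cisco note. The metrics are
made up; what the code encodes is the two documented conditions: the path
must be feasible (neighbour's reported distance strictly below the
successor's feasible distance) and its metric must be within
variance * successor metric.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    next_hop: str
    reported_distance: int    # the neighbour's own metric to the destination
    feasible_distance: int    # our composite metric via that neighbour


def successor(paths):
    return min(paths, key=lambda p: p.feasible_distance)


def installed_paths(paths, variance: int = 1):
    """Paths that make it into the routing table. variance=1 (the default)
    gives equal-cost only; raising it admits worse paths but never an
    infeasible one, which is what keeps unequal-cost balancing loop-free."""
    if variance < 1:
        raise ValueError("variance is a positive multiplier")
    best = successor(paths)
    return [
        p for p in paths
        if p.reported_distance < best.feasible_distance
        and p.feasible_distance <= variance * best.feasible_distance
    ]


def traffic_share(paths, variance: int = 1):
    """Relative weight per installed path, proportional to 1/metric (the
    largest installed metric divided by this path's metric). IOS rounds
    this into small integers for 'traffic share count'; not modelled here."""
    chosen = installed_paths(paths, variance)
    worst = max(p.feasible_distance for p in chosen)
    return {p.next_hop: round(worst / p.feasible_distance, 2) for p in chosen}


# Constructed to resemble the question: a DMVPN path over the DIA bundle
# that currently wins, a direct point-to-point bundle that costs more, and
# a third neighbour whose own distance is too high to be feasible no matter
# how large variance is set.
PATHS = [
    Path("dmvpn-tunnel", reported_distance=15000, feasible_distance=30000),
    Path("multilink6-p2p", reported_distance=25000, feasible_distance=50000),
    Path("backup-neighbour", reported_distance=40000, feasible_distance=55000),
]

if __name__ == "__main__":
    for v in (1, 2, 3):
        print(f"variance {v}:", traffic_share(PATHS, v))
```

The third path is the usual surprise: its metric fits under variance 3, but its reported distance is not below the successor's feasible distance, so EIGRP will not use it, and raising variance further does nothing. If the goal is to prefer the point-to-point bundle rather than split across both, that is a metric (delay/bandwidth) change on the tunnel, not a variance change.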

Boner Buffet
Feb 16, 2006
Speaking of load balancing, does port-channel(lacp) automatically load balance or are they in some sort of active/standby mode? I'm having trouble finding an explanation in the docs.

para
Nov 30, 2006

InferiorWang posted:

Speaking of load balancing, does port-channel(lacp) automatically load balance or are they in some sort of active/standby mode? I'm having trouble finding an explanation in the docs.
I think that LACP and PAgP just negotiate the etherchannel. Once a channel is up then it's a standard 'port channel' link and they automatically "load balance", if I recall correctly, but it's not a true bit for bit load balancing. It does some type of weird load balancing where it can use bits from the source mac, dest mac, or source and dest IP address. It then can XOR those bits to determine what link in the group to use. It's explained in the Cisco Press BCMSN book in chapter 7, if you have it.

This might be helpful: http://www.cisco.com/en/US/tech/tk389/tk213/technologies_tech_note09186a0080094714.shtml#catalyst

para fucked around with this message at 23:42 on Feb 5, 2009
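
An added example (the editor's, not from the post or the Cisco note it links) of the mechanism described above and why it matters for the iSCSI case a few posts up: the switch hashes the configured address fields down to a 3-bit value, eight buckets, and spreads the buckets over the member links, which is what produces the 3:3:2 and 2:2:2:1:1 style distributions the Catalyst documentation lists. The XOR-of-low-bits hash here is a simplified stand-in for the real, undocumented hash, so the link a given pair of addresses lands on will not match a real switch, but the behaviour it shows (one flow never uses more than one link; the wrong hash mode polarises many-to-one traffic onto a single member) does. The addresses are constructed.

```python
"""Model of how a Catalyst EtherChannel chooses the member link for a frame.

Added example, not from the post or the Cisco note it links. Eight hash
buckets spread over 1-8 member links is the documented Catalyst behaviour;
the XOR-of-low-bits hash below is a simplified stand-in for the real one.
"""
import ipaddress


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace(".", "").replace("-", ""), 16)


def ip_to_int(ip: str) -> int:
    return int(ipaddress.ip_address(ip))


def hash_bucket(src: int, dst: int, mode: str) -> int:
    """3-bit bucket (0-7). mode is 'src', 'dst' or 'src-dst' for whichever
    address type the switch hashes on (src-mac, src-dst-ip, and so on)."""
    if mode == "src":
        v = src
    elif mode == "dst":
        v = dst
    elif mode == "src-dst":
        v = src ^ dst
    else:
        raise ValueError(f"unknown load-balance mode {mode}")
    return v & 0b111


def member_link(bucket: int, links: int) -> int:
    if not 1 <= links <= 8:
        raise ValueError("an EtherChannel has 1 to 8 members")
    return bucket % links


def distribution(links: int) -> list:
    """How many of the eight buckets land on each member link."""
    counts = [0] * links
    for bucket in range(8):
        counts[member_link(bucket, links)] += 1
    return counts


def spread(flows, links: int, mode: str) -> list:
    """flows: iterable of (src_int, dst_int). Returns frames-per-link counts,
    one frame per flow, to show whether traffic polarises onto one member."""
    counts = [0] * links
    for src, dst in flows:
        counts[member_link(hash_bucket(src, dst, mode), links)] += 1
    return counts


# Constructed: eight iSCSI initiators (10.1.1.10-17) talking to one target
# (10.1.1.20) over a two-link bundle.
TARGET = ip_to_int("10.1.1.20")
FLOWS = [(ip_to_int(f"10.1.1.{h}"), TARGET) for h in range(10, 18)]

if __name__ == "__main__":
    print("3 links:", distribution(3), " 5 links:", distribution(5))
    for mode in ("src", "dst", "src-dst"):
        print(f"{mode:8}", spread(FLOWS, 2, mode))
    print("one initiator alone:", spread(FLOWS[:1], 2, "src-dst"))
```

Two things fall out of running it. A single initiator-to-target session always hashes to one member, so a port-channel never gives one iSCSI session more than one link's worth of bandwidth; and with a destination-only hash every initiator talking to the same target lands on the same member, leaving the other idle. `show etherchannel load-balance` on the 3750 tells you which fields it is hashing on.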

hybr1d
Sep 24, 2002

Is there a way to do an access list entry to block or allow an IP's access to a specific URL? I am using a Cisco ASA.

H.R. Paperstacks
May 1, 2006

hybr1d posted:

Is there a way to do an access list entry to block or allow an IP's access to a specific URL? I am using a Cisco ASA.


You can filter specific URLs with the ASA without need for an ACL.

hybr1d
Sep 24, 2002

routenull0 posted:

You can filter specific URLs with the ASA without need for an ACL.

Can you tell me how? The UI seems to require a 3rd party Web Filter server/appliance to handle URL filtering. I need to block certain URLs and for a couple IPs, only allow a handful of URLs.

H.R. Paperstacks
May 1, 2006

hybr1d posted:

Can you tell me how? The UI seems to require a 3rd party Web Filter server/appliance to handle URL filtering. I need to block certain URLs and for a couple IPs, only allow a handful of URLs.


If the sites you are blocking are on static IPs and not part of some CDN you can just build an access-list to deny traffic to those sites and apply it to the inside interface on the inbound direction.

Without seeing your ASA config in full, it's hard to give you the best way to do it.

falz
Jan 29, 2005

hybr1d posted:

Can you tell me how? The UI seems to require a 3rd party Web Filter server/appliance to handle URL filtering. I need to block certain URLs and for a couple IPs, only allow a handful of URLs.

Is NBAR on ASA? If so that should do the trick (use regexp rules to block certain URLs).

Boner Buffet
Feb 16, 2006

para posted:

I think that LACP and PAgP just negotiate the etherchannel. Once a channel is up then it's a standard 'port channel' link and they automatically "load balance", if I recall correctly, but it's not a true bit for bit load balancing. It does some type of weird load balancing where it can use bits from the source mac, dest mac, or source and dest IP address. It then can XOR those bits to determine what link in the group to use. It's explained in the Cisco Press BCMSN book in chapter 7, if you have it.

This might be helpful: http://www.cisco.com/en/US/tech/tk389/tk213/technologies_tech_note09186a0080094714.shtml#catalyst

Good find. Thanks for the link.
