falz
Jan 29, 2005

01100110 01100001 01101100 01111010

Martytoof posted:

Guys. I'm still kind of scratching my head here. This is basically a continuation on my last help for router recommendations.

I'm still building my CCNA lab but I've got an eye on CCNP in future so I want a few routers that will handle 12.4.

The economical options are basically a maxed-out 3640 or a 2600XM. Is there any advantage to going with a 2600XM over a 3640? The prices certainly heavily favour going with a 3640 64/16 and upgrading the memory. I mean, for the price of one 2600XM I can buy two or even three baseline 3640s each loaded with an NM-1E2W, judging by a quick eBay scan.

Ciscokits seems to mix and match the 2600XM and 3640 in their Advanced CCNA/Starter CCNP kit.

I've been trying to do as much research as I can, but for the life of me I can't find a good reason why I'd go with a single 2600XM over two or three 3640s + a little cash to upgrade at this point.

The 3640's software ends at 12.4, and the 2600XM can run newer images with more features (such as 12.4T).

Other than that, a 3640 is more powerful:

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

I probably would go with the 3640. It supports more NMs, is more powerful, and I really doubt anything in the CCNA refers to anything beyond 12.4. You'll also have lots of fun with the 3640 when you hose an IOS upgrade and have to do it over serial.


some kinda jackal
Feb 25, 2003

 
 
Yeah, I think I'm going to pull the trigger on the 3640s and a few support NMs. I don't have anything against the 2600XM but it looks like these will do just about everything I want in the foreseeable future, at least through the CCNP track. Apples to apples, the 2600XM is still a good deal because the NM-1FE2W is still pretty expensive, but I only need one router to support FE at the moment, so dropping a hundred bucks on an NM-1FE-TX while loading the others with NM-1E2Ws and WIC-1Ts is a pretty economical compromise.



Also it looks like this is basically a badass frame switch platform. Pick up a cheap 64/16 chassis, load it with four NM-4Ts and you'll never want for a lab serial port again :fap:

some kinda jackal fucked around with this message at 19:57 on Mar 29, 2009

SalamiMonster
Aug 29, 2005

The ICND1 Official Exam Certification Guide, Second Edition (Wendell Odom) has this question on page 94:

Imagine that PC1 needs to send some data to PC2, and PC1 and PC2 are separated by several routers. What are the largest entities that make it from PC1 to PC2?

a. Frame
b. Segment
c. Packet
d. L5 PDU
e. L3 PDU
f. L1 PDU

The key says the answers are (c) and (e) and provides no further explanation. I can't see how a TCP segment (b) is wrong. There's no correction in the errata. What am I missing here?

much like ur posts
Nov 27, 2002

by Fistgrrl
i have an old mc3810 that wouldn't boot into the binary on the 32mb flash. i really don't know why it wouldn't, but eventually i said "gently caress it" and formatted the flash from rommon>, assuming that i could just tftpdnld a backup on to the flash file system.

so i formatted the probably corrupt IOS off of the flash drive. then i realized that the rommon> did not have a tftpdnld command (i checked in 'priv' rommon mode too.)

ok... so i'll just boot into boot helper and copy tftp: flash: right? nope. when i boot into the onboard boot helper (from ROM) the flash file system will not initialize.

boot helper posted:

Unable to initialize flash device at 0xC0000000 -- device not found. Flash fs init problem.

so i go back into rommon> and use the flashsimm_init command to see if maybe it's the actual flash SIMM that was originally hosed up instead of the IOS binary it contained.

code:
rommon 1 > flashsimm_init
Are you sure you want to init (could take several minutes) (y/n)?y

Initialize Flash file system.....
total size = 33554432 
Initializing Flash...
flashfs[0]: 0 files, 1 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 32901120
flashfs[0]: Bytes used: 1024
flashfs[0]: Bytes available: 32900096
flashfs[0]: flashfs fsck took 1 seconds.
...done Initializing Flash.
Flash SIMM Init OK
ok great, the flash SIMM is apparently working. i verified this using fsck from rommon> as well (that counts as verification despite the flash not having any files on it, right? or is fsck more of a file allocation table check? im dumb help)

anyway... i check cisco's website and somewhere in the documentation on MC3810s it mentions that if you upgrade to a 32MB flash SIMM from like an 8 or 16MB, you need to upgrade the boot helper also. well gently caress me running, where the gently caress am i supposed to get a new boot helper image? my understanding is that once i get one, i use upgrade-bh from rommon> to do an x-modem upgrade of the boot helper ROM (EEPROM i assume?) but i want to know- if i upgrade the boot helper, will it finally recognize the flash SIMM and initialize it properly so that i can finally use copy tftp: flash:?

oh also, if you're wondering why i don't use the xmodem command from rommon>, it's because it is not there either; my rommon> does not have the tftpdnld OR xmodem command. talk about a piece of poo poo right! thanks in advance for any help you can throw my way.

much like ur posts
Nov 27, 2002

by Fistgrrl

SalamiMonster posted:

The ICND1 Official Exam Certification Guide, Second Edition (Wendell Odom) has this question on page 94:

Imagine that PC1 needs to send some data to PC2, and PC1 and PC2 are separated by several routers. What are the largest entities that make it from PC1 to PC2?

a. Frame
b. Segment
c. Packet
d. L5 PDU
e. L3 PDU
f. L1 PDU

The key says the answers are (c) and (e) and provides no further explanation. I can't see how a TCP segment (b) is wrong. There's no correction in the errata. What am I missing here?

classic case of looking at the OSI model upside-down. you even had me confused for a minute (albeit not being hard to do.) the tcp segment is encapsulated WITHIN the IP packet;

{frame}{packet}{segment}{data}{/segment}{/packet}{/frame}

see now?

SalamiMonster
Aug 29, 2005

Spoony Bard posted:

classic case of looking at the OSI model upside-down. you even had me confused for a minute (albeit not being hard to do.) the tcp segment is encapsulated WITHIN the IP packet;

{frame}{packet}{segment}{data}{/segment}{/packet}{/frame}

see now?

No, I don't. On the PC1 side, the TCP segment is encapsulated within the IP packet. When that IP packet arrives at PC2, it is decapsulated, and there's the TCP segment PC1 sent.

SalamiMonster
Aug 29, 2005

SalamiMonster posted:

No, I don't. On the PC1 side, the TCP segment is encapsulated within the IP packet. When that IP packet arrives at PC2, it is decapsulated, and there's the TCP segment PC1 sent.

Sorry, I think I just figured out my own dumb oversight. "Largest" in the original question means the largest PDU, in terms of bytes, that arrives at PC2 completely unchanged, which would be the IP packet. The IP packet is necessarily larger than the TCP segment it encapsulates.

much like ur posts
Nov 27, 2002

by Fistgrrl
the curriculum has caused you to quote yourself in a successive post. now would be a good time to take a break.

944
Sep 23, 2008

by Ozma
Just got a ridiculous one. Had a 3825 that had been very lightly used for terminating PPTP traffic for a few years now. Lightly meaning like 4 and 5 at a time.

The traffic has just increased, and I found out it would accept exactly 14 clients until it started giving new clients a 733 error.

Got 2 complete morons at TAC first. Then I got pissed and asked for an escalation. The next guy still didn't know what the problem was, but suggested that we change the config on the PPTP virtual-template interface from having an IP address to ip unnumbered (which is what I would have done from the beginning... but I inherited this config and come from the carrier-class network school of "don't touch things that don't appear to be broken"). All of a sudden, everything works fine.

We searched for bug reports, and there was nothing. I think this was just obscure enough to not show up. For what it's worth, c3825-advipservicesk9-mz.124-9.T7. Here's hoping someone else doesn't have to ride the pain train for as long as I did on this one.

jwh
Jun 12, 2002

But isn't the virtual-template cloned into a virtual-access upon client termination? How did that work with identical IP addresses? Did it copy over the IP?

944
Sep 23, 2008

by Ozma

jwh posted:

But isn't the virtual-template cloned into a virtual-access upon client termination? How did that work with identical IP addresses? Did it copy over the IP?

Nah...the client gets the address from peer default ip address pool <pool name>.

And now I have another update on this....some very nasty old devices simply refused to work with this configuration. They connected, but wouldn't route traffic through the VPN (where the Windows and Mac built-in PPTP clients were fine). I upgraded to 12.4(24)T, put the config back the way it was before, and I have already seen 18 active VPDN connections. So it looks like this was found and resolved at some point.

jwh
Jun 12, 2002

944 posted:

Nah...the client gets the address from peer default ip address pool <pool name>.

Oh that makes sense. It's probably copying the virtual-template into a virtual-access and then applying the pool IP afterwards.

That's still a pretty nice bug though.

Boner Buffet
Feb 16, 2006
Let me preface this by saying I know nothing about QOS outside of doing auto qos on voice ports for switches.

We have a streaming video site that our schools use. Its performance has been impacted by other web traffic lately. I want to give that site precedence at the internet gateway level. We don't control the layer 3 switch that brings us our internet connection, so the first piece of gear is our ASA 5510. I have the Cisco Press ASA book and it has a section on QoS.

So, is doing this feasible at the ASA and should I even get myself into this?

Herv
Mar 24, 2005

Soiled Meat
I definitely used the QoS features on my voice traffic through the PIX when the 7.x OS came out, and ever since. I would bet 5 bucks it still exists in the ASAs, if unlocked.

I remember it being a class map and policy type of approach. Shouldn't get too nasty, especially if you come here with something specific. I only have a couple of ASA 5505s that are probably crippled for this feature.

jwh
Jun 12, 2002

InferiorWang posted:

So, is doing this feasible at the ASA and should I even get myself into this?

Probably not, for the reason that you're more than likely not the bottleneck, and the only quality of service decision you can make in the inbound direction is often to drop data, which doesn't help with your congestion issue. You can't queue it effectively, because it's already arrived.

You may need to purchase more bandwidth, or consider purchasing a caching proxy to alleviate some of your web traffic problems.

Herv
Mar 24, 2005

Soiled Meat
Oops, missed the part where it was coming down. Sorry for skimming.

I normally policy route web traffic off to a cheap broadband circuit these days (Cable, FiOS, DSL worst case). If getting more bandwidth on the primary pipe is too expensive, it's an option at least.

Jwh is on with the caching as well.

Boner Buffet
Feb 16, 2006
The inbound data already being at us makes perfect sense as to why it wouldn't really matter. Our web content filter has caching built in. Judging by the statistics on it, it seems as if the congestion is being caused by youtube. I can't outright block it, but I should be able to do some type of COS.

Thanks fellas

Studebaker Hawk
May 22, 2004

I am either stupid, crazy or ignorant: pick one. I worked with Cisco routers and switches but never ASA devices, until now. Taking over management from another firm, and cleaning up their access. In doing so, I changed the enable password.

In ASDM I can change the enable password to whatever I want, and it recognizes the password as correct. If I do a "sh run" and copy the hash I can decode it back to the set password, verifying that I am not that crazy.

When I login through CLI and attempt to enable it doesn't recognize the password. Is there something I am missing here?

Syano
Jul 13, 2005
Ok so I have my project of multiple BSSIDs and policy based routing working perfectly. Guests in our facilities now can connect to an SSID on a different VLAN and Policy Based routing plus some ACLs keep them on a separate, dedicated internet connection. Great!

But now an unfortunate side effect. We recently had a guest absolutely suck the 2 meg internet pipe provided to that VLAN dry. I am trying to brainstorm a way to prevent this from happening in the future without having to spend too much money. Like for instance if there was a way to reset the connection every hour to blow away any large file transfers or something similar. I'm not sure that even makes sense I am just trying to brainstorm. For reference, the access points are 1130AGs and the routers handling the PBR are 1841s.

Boner Buffet
Feb 16, 2006

Studebaker Hawk posted:

When I login through CLI and attempt to enable it doesn't recognize the password. Is there something I am missing here?

Are you using SSH or telnet? Do you even get to user mode?

Studebaker Hawk
May 22, 2004

InferiorWang posted:

Are you using SSH or telnet? Do you even get to user mode?

Telnet, and yes I can get to user mode. I can add users and change the en pw through ASDM. I cannot enable from CLI as any user, using the password set in ASDM (or any other for that matter).

To make matters worse, this is a production unit in a 24-hour shop.

BoNNo530
Mar 18, 2002

Studebaker Hawk posted:

I am either stupid, crazy or ignorant- pick one. I worked with cisco routers and switches but never ASA devices, until now. Taking over management from another firm, and cleaning up their access. In doing so, I changed the enable password.

In ASDM I can change the enable password to whatever I want, and it recognizes the password as correct. If I do a "sh run" and copy the hash I can decode it back to the set password, verifying that I am not that crazy.

When I login through CLI and attempt to enable it doesn't recognize the password. Is there something I am missing here?

They aren't using AAA/TACACS/RADIUS, are they? I had that happen to me before where it would check the ACS server then fail, and not even check the local database.

Also, for telnet on the ASA I had to put a line:

code:
telnet <my subnet> 255.255.255.0 <interface name>

You already may be past this but let me know.

Studebaker Hawk
May 22, 2004

BoNNo530 posted:

They aren't using AAA/TACACS/RADIUS, are they? I had that happen to me before where it would check the ACS server then fail, and not even check the local database.

Also, for telnet on the ASA I had to put a line:

code:
telnet <my subnet> 255.255.255.0 <interface name>

You already may be past this but let me know.

Oh yeah. That's it, I removed the TACACS server but it is probably still looking for it. Silly me

edit: or sort of. I thought I was thorough when doing this, everything is set to local authentication as far as I can tell...I must be missing something.

code:
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
aaa authentication enable console LOCAL 
aaa authentication serial console LOCAL 
aaa authorization command LOCAL 
http server enable

Studebaker Hawk fucked around with this message at 15:50 on Apr 3, 2009

BoNNo530
Mar 18, 2002

Studebaker Hawk posted:

Oh yeah. That's it, I removed the TACACS server but it is probably still looking for it. Silly me

edit: or sort of. I thought I was thorough when doing this, everything is set to local authentication as far as I can tell...I must be missing something.

code:
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
aaa authentication enable console LOCAL 
aaa authentication serial console LOCAL 
aaa authorization command LOCAL 
http server enable

can you get rid of AAA for the sake of this exercise? Or do other people rely on it?

Studebaker Hawk
May 22, 2004

BoNNo530 posted:

can you get rid of AAA for the sake of this exercise? Or do other people rely on it?

Sorry, I realized the second after I pasted that. Fixed and working ok. Overtired!
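As an added illustration (not from any poster in this thread), an ASA configuration that keeps the external AAA server defined with the LOCAL database as a fallback, so telnet, SSH and enable logins still work if the TACACS+ server is removed or unreachable. The server address, interface name, server-group name and placeholder credentials are assumed.

```cisco
! Local admin account. With enable authentication sent to LOCAL, the enable
! prompt checks this user's own password and privilege level rather than the
! system enable password, so the account needs privilege 15 for privileged EXEC.
username admin password <LOCAL-PASSWORD> privilege 15
enable password <ENABLE-PASSWORD>

! External AAA server group (address and shared secret are assumed placeholders)
aaa-server TACSRV protocol tacacs+
aaa-server TACSRV (inside) host 10.0.0.5
 key <SHARED-SECRET>

! Try the server group first and fall back to LOCAL only when every server in
! the group is unreachable; a login the server rejects does not fall back.
aaa authentication telnet console TACSRV LOCAL
aaa authentication ssh console TACSRV LOCAL
aaa authentication enable console TACSRV LOCAL

! Permit management sessions only from the admin subnet on the inside interface
telnet 10.0.0.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside
```

Before taking a server out of the config, confirm from a second session that enable still works, so the session you are already in stays open if it does not.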

TheBoohi
Jan 26, 2005

Suffer not the witch to live
So I am setting up a LAN to LAN IPSEC VPN with an ASA 5505 and an ASA 5520. To make sure I know how these things work, I am following this guide: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml

After getting all of that setup, when I do "show ipsec sa" or "show isakmp sa" there is nothing there. Both say there are no sas. When I do a "show ipsec stats" there haven't even been any attempts to build the tunnel.

Do I need to do something to actually get it to build the tunnel? The ASAs can ping each other on the interfaces I am using as the IPSEC peers. I have a host on each inside interface waiting to try and communicate through the tunnel.

Anyone have any experience with these? Thanks in advance!

cptInsane0
Apr 11, 2007

...and a clown with no head
Make sure you are using the latest firmware with the ASAs. VPNs do weird stuff sometimes, and that seems to fix it more often than not.

inignot
Sep 1, 2003

WWBCD?
My IPSec experience is more in the IOS world; but yes, you do need traffic to match the acl in the crypto map for it to be put into the tunnel / initiate the tunnel to build.

TheBoohi
Jan 26, 2005

Suffer not the witch to live

inignot posted:

My IPSec experience is more in the IOS world; but yes, you do need traffic to match the acl in the crypto map for it to be put into the tunnel / initiate the tunnel to build.

I got everything setup to start capturing the traffic between them, started a ping between the hosts on each side and it built the tunnel and worked perfectly. I guess I was just doing something stupid before that.

And I am indeed using the newest code.

Thank you both for the quick responses!

inignot
Sep 1, 2003

WWBCD?
Pinging from ASA to ASA probably didn't match the crypto map acl; pinging host to host probably did.

TheBoohi
Jan 26, 2005

Suffer not the witch to live
Yeah, I knew that. I may have been pinging from host to ASA interface on the other end mistakenly though.
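To make the interesting-traffic point concrete, an added LAN-to-LAN example in the pre-8.3 ASA syntax of the era (an illustration, not the linked guide's or any poster's configuration). The peer address 203.0.113.2, the 10.1.1.0/24 and 10.2.2.0/24 LANs, the ACL and crypto map names and the placeholder pre-shared key are assumed.

```cisco
! Interesting traffic: this site's inside LAN to the peer's inside LAN.
! Only flows matching this ACL are sent into the tunnel, and the first such
! flow is what triggers the IKE phase 1 and phase 2 negotiation.
access-list L2L-TRAFFIC extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! Exempt the same flows from NAT (pre-8.3 syntax) so they still match the crypto ACL
access-list NO-NAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NO-NAT

! Phase 1 (IKEv1) on the outside interface
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <PRE-SHARED-KEY>

! Phase 2: bind the ACL, the peer and the transform set to the outside interface
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set transform-set AES256-SHA
crypto map OUTSIDE-MAP interface outside
```

A ping between the two ASAs' outside addresses is sourced outside 10.1.1.0/24 and never matches L2L-TRAFFIC, so no SA is built and `show crypto isakmp sa` stays empty; a ping from a 10.1.1.x host to a 10.2.2.x host matches and brings the tunnel up.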

Lowen SoDium
Jun 5, 2003

Highen Fiber
Clapping Larry
On CallManager 6.1.3, I can not get calls to use g722 for the life of me. I am trying to use some wideband handsets but they don't do much without g722.

I have it enabled in the region config, and in the enterprise parameters, and calls still come up as g711.

Any ideas?

ate shit on live tv
Feb 15, 2004

by Azathoth

Lowen SoDium posted:

On CallManager 6.1.3, I can not get calls to use g722 for the life of me. I am trying to use some wideband handsets but they don't do much without g722.

I have it enabled in the region config, and in the enterprise parameters, and calls still come up as g711.

Any ideas?

Are these local calls, or going over your wan? If they are going over your wan you have to do some configuration on your voice gateways. If they are local, then I'm not sure what the problem is. Maybe reboot the phones so they can download their new configurations?

Lowen SoDium
Jun 5, 2003

Highen Fiber
Clapping Larry

Powercrazy posted:

Are these local calls, or going over your wan? If they are going over your wan you have to do some configuration on your voice gateways. If they are local, then I'm not sure what the problem is. Maybe reboot the phones so they can download their new configurations?

Local calls.

I rebooted the phones before I asked here. I guess I will try to reboot the Call Manager tonight and if that doesn't fix it I will open a TAC case.

ate shit on live tv
Feb 15, 2004

by Azathoth

Lowen SoDium posted:

Local calls.

I rebooted the phones before I asked here. I guess I will try to reboot the Call Manager tonight and if that doesn't fix it I will open a TAC case.

What kind of phones are they? Just because you have a wideband handset doesn't mean the phone can actually do wideband.

some kinda jackal
Feb 25, 2003

 
 
I just took delivery of a bunch of 3640s and one of them has "bittorrent.pdlm" and "kazaa2.pdlm" listed when I 'show flash'. From what I gather this has something to do with QoS. Are these going to be safe to purge or are they somehow related to IOS?

Lowen SoDium
Jun 5, 2003

Highen Fiber
Clapping Larry

Powercrazy posted:

What kind of phones are they? Just because you have a wideband handset, doesn't mean the phone can actually do Wideband.

They are 7941 phones. They are supposed to support wideband and g722.

inignot
Sep 1, 2003

WWBCD?

Martytoof posted:

I just took delivery of a bunch of 3640s and one of them has "bittorrent.pdlm" and "kazaa2.pdlm" listed when I 'show flash'. From what I gather this has something to do with QoS. Are these going to be safe to purge or are they somehow related to IOS?

Those are protocol definition files for nbar recognition. Feel free to get rid of them, I think those definitions have been migrated into IOS at this point.

ate shit on live tv
Feb 15, 2004

by Azathoth

Lowen SoDium posted:

They are 7941 phones. They are supposed to support wideband and g722.

Hmm. I don't think the 7941s support wideband. 7941Gs do, as do 7942s and higher, but the normal 7941 doesn't.

Check Settings > User Preferences > Audio Preferences > Wideband Headset on the phone. If the Wideband Headset option isn't there then you are SOL.


some kinda jackal
Feb 25, 2003

 
 

inignot posted:

Those are protocol definition files for nbar recognition. Feel free to get rid of them, I think those definitions have been migrated into IOS at this point.

Thanks, sounds like I'll be wiping these down then.

Also, does anyone know why a 2620XM would report a network module as UNKNOWN? I've tried my NM-1E2W, NM-2E2W, and NM-1E1R2W, and none of the above register any interfaces. Could it be a defective NM port on the router or does the 2620XM just not support older NMs?

Edit: I just realized I didn't post any IOS versions or anything, I'll post those when I get back from my hockey game tonight. Sorry.
