Putty and Hyperterminal in Windows XP. Putty will only ever output gibberish, but when I go to hyperterminal and fudge with settings I can get maybe 5-10 characters that are immediately recognizable at 9600-8-N-1 and then it returns to gibberish. I've tested the console setting on a Cisco 2500 series router and it works fine, so it's either someone fudged with the console settings on this PIX or there's something wrong with it. I am thinking there is something wrong with it because when I attach an ethernet cable to E1 and try DHCP, it gives me a 169.254.x.x ip address, and when I manually configure for a 192.168.1.x subnet IP, I can ping the 1.1 gateway, but I can't access the PDM page in either Firefox or IE through https://192.168.1.1/startup.html

# ? Jun 24, 2009 23:40

This is a console speed issue. Docs usually recommend 57600 or 115200, so try those first.

# ? Jun 25, 2009 00:06

Tried all the console speeds that my computer supports from hyperterminal, same results on all of them. Occasionally I will get 5 or 10 lines of text that I can actually read, but it eventually goes back to strange symbols and whatnot.

edit: I'm not too worried, I bought it from a friend for 5 bucks so it's not like it matters if this thing is broken

Wicaeed fucked around with this message at 00:42 on Jun 25, 2009

# ? Jun 25, 2009 00:32

We had a fan tray die in our 6509 today and we're getting a new one RMA'd tomorrow morning. Are they hot swappable, or do I have to kill the core and pray it turns back on to replace the fan tray?

*edit* accidentally quoted.

Sojourner fucked around with this message at 17:32 on Jun 25, 2009

# ? Jun 25, 2009 17:28

Sojourner posted:
We had a fan tray die in our 6509 today and we're getting a new one RMA'd tomorrow morning. Are they hot swappable, or do I have to kill the core and pray it turns back on to replace the fan tray?

All modules are hot swappable, including fan trays and power supplies*

*Being that your entire system can run on the max output of a single power supply.

You cannot hot swap port adapters, you have to pull the full flexwan, swap the PA then put it back in as one unit. (extra info)

# ? Jun 25, 2009 18:18

I'm learning about BGP from a CCIE book (Routing TCP/IP Volume II). Some questions I've got so far:

1. When setting up iBGP peerings is it typical to do so over a point-to-point link or over a link which traverses some routers (e.g. see the diagram below)?

2. I have this configuration: See end of post for show run output. Telluride and Vail both advertise their routes from BGP into OSPF. This causes routes learned via iBGP to have a higher admin distance. Is this down to bad config or should I expect it? Is it a bad thing?

3. In the config from the book the /30 subnets on the serial links in the diagram aren't advertised. Again, is this good or bad? What is a typical way of handling this? I ask as I've just wasted a load of time trying to ping from Alta to Tahoe and having it fail, only to realise this is because the source address isn't part of a known route. If I use the extended commands part of ping and set the source address to be part of a BGP-advertised route then all is well.

show run Telluride (full conf here): code:
code:

# ? Jun 28, 2009 13:09

huzzah posted:
This causes routes learned via iBGP to have a higher admin distance.

Default AD's for platforms are listed here: http://www.inetdaemon.com/tutorials/internet/ip/routing/administrative_distance.shtml

OSPF defaults to 110, IBGP defaults to 200.

If you want your point to point links to be advertised I would normally add another 'network' statement in your router ospf section for the /30's such as: code:

# ? Jun 28, 2009 18:14

huzzah posted:
I'm learning about BGP from a CCIE book (Routing TCP/IP Volume II). Some questions I've got so far:

That's a fairly old book. I don't think Doyle put out an updated Volume II. The BGP design and Implementation book is good.

huzzah posted:
3. In the config from the book the /30 subnets on the serial links in the diagram aren't advertised. Again, is this good or bad? What is a typical way of handling this?

The /30s may go into the IGP. Alternately you can use next hop self for iBGP neighbors if you're having a next hop reachability problem. In any case, they don't go in BGP.

# ? Jun 28, 2009 22:17

For your first question: BGP is router resource intensive, compared to other protocols. Thus in a particular AS, you won't have all your routers running BGP, usually only routers that are peering with eBGP neighbors. There is an obvious requirement that all iBGP routers have full reachability provided by the IGP, in this case OSPF. The only requirement however is reachability, thus not every router in the AS needs to be or should be an iBGP neighbor.

For the AD of iBGP, that is intentional. For your IGP you don't want to use iBGP. It's really inefficient, and certainly unnecessary when you have less than 10,000 routes. Basically use OSPF, EIGRP, or even RIP or ISIS on routers that you control for your network. If you only have one path out of your AS, then use a static route, but if you have multiple pathways out then use BGP, and make sure the edge routers are iBGP peers.

# ? Jun 29, 2009 10:38

Has anyone else run into a situation where basic ACL functionality fails on a 6500/sup720? We had a list similar to this applied to a VLAN SVI code:

It looked like an error in the ACL merge process or maybe some sort of TCAM corruption, as the issue went away after a reboot.

# ? Jun 29, 2009 23:24

tortilla_chip posted:
Has anyone else run into a situation where basic ACL functionality fails on a 6500/sup720?

I might have had this yesterday on a UC500. Had an ACL in to prevent traffic between the voice and data VLANs, but from the voice VLAN I could ping hosts on the data VLAN. Wonder if it's a bug..

# ? Jun 29, 2009 23:44

Total long-shot, but I'm wondering if anyone is using the same RADIUS servers (such as ACS servers) for authenticating wireless and guest wireless users. I'm encountering a problem where when I authenticate "normal" wireless users via WPA2/802.1x, I'm able to filter by SSID (which is visible to ACS as a DNIS string), whereas when I authenticate guest wireless users via web portal, no SSID is sent as an av-pair, which means that anybody can authenticate via the web portal. I'm not even sure why it works that way, as my ACS NAR is built to permit only specific test SSIDs, and I would think that no SSID av-pair would be interpreted as a deny, but, oh well.

# ? Jul 1, 2009 19:08

This day has been hell, after almost a week of blistering hot weather we get a cold front with some serious fog and humidity. Cue me waking up to 13 busted 4500 PSUs and 3 rectifiers. On top of that some WDM gear in the field poo poo the bed and a customer's power went out and took down our CE switch at their location. 12 hours later I'm ready to die.. At least our vendor is having to work for the huge support-fee we pay them!

# ? Jul 1, 2009 19:27

You lost 13 4500 power supplies in one day? Holy smokes.

# ? Jul 1, 2009 19:39

Yea, still dealing with some of the fallout. Thankfully I had enough spare parts squirreled away to fix the critical stuff at once. Got 11 new units this morning, thank god for "Same Day Shipping". It's times like this that make service agreements worth your while.

# ? Jul 2, 2009 20:10

If anyone is doing 802.1x on their wired LAN, I'd be interested in hearing about it. I've been doing a lot of 802.1x wired-side lab work, and boy, it's a mixed bag. I've tested the native XP supplicant doing PEAP and the Cisco Secure Services Client doing EAP-FAST with anonymous in-band PAC provisioning. Both sort of work, I guess, but I'm unhappy with both for different reasons. I'd like to use PEAP with something other than the XP native supplicant, but you need to buy licenses to unlock the full functionality of the Cisco SSC, and at ~$40/seat, that's not happening. I haven't looked at Juniper's OAC, yet, for the same reason. EAP-FAST is hard to debug because everything of substance is happening inside TLS, which is inside EAP, which is inside RADIUS. Honestly, the fact that it works at all is something of a technological miracle.

I'm inclined to simply wait for Windows 7 to supplant XP before even attempting to bring 802.1x to the wired LAN, but that's kind of a shame, really.

# ? Jul 2, 2009 20:34

PIX VPN help needed! I have a site-to-site IPSEC VPN set up between 2 PIX 501s running 6.3(3). I wanted to add a remote access VPN so that a user could work from home. I got the remote access VPN working fine, but it broke the site-to-site. Here's what I have:

PIX1 Original Config code:
code:

PIX1 Config with working RA VPN, but broken site-to-site VPN: code:
code:

Richard Noggin fucked around with this message at 15:16 on Jul 3, 2009

# ? Jul 2, 2009 21:08

Hey there. You used to have:

crypto map toCottage interface outside

Now you have:

crypto map raMap interface outside

One crypto map per interface, at least that's how it used to work. What you want to do is make sure the same crypto map is used, but with separate sequence numbers. I always put a higher number than what is in use, to keep my assburgers at bay. Hope this helps.

Edit: a loose example.

code:
crypto dynamic-map raDynMap 30 set transform-set raVPN
crypto map OutsideMap 20 ipsec-isakmp
crypto map OutsideMap 20 match address vpn
crypto map OutsideMap 20 set peer cottage-pix
crypto map OutsideMap 20 set transform-set strong
crypto map OutsideMap 30 ipsec-isakmp dynamic raDynMap
crypto map OutsideMap interface outside

Since crypto maps are applied to interfaces, I name them after the interface, then put descriptions in each of the separate crypto maps themselves. Former 'PIX Classic' survivor here, I can taste the pain and bewilderment!

Herv fucked around with this message at 21:45 on Jul 2, 2009

# ? Jul 2, 2009 21:42

Herv posted:
words of wisdom

Awesome, thanks. I'll give it a shot on Monday!

edit: Here's the text from the command reference that deals with the crypto map command:

quote:
A crypto map set is a collection of crypto map entries each with a different seq-num but the same map-name. Therefore, for a given interface, you could have certain traffic forwarded to one peer with specified security applied to that traffic, and other traffic forwarded to the same or a different peer with different IPSec security applied. To accomplish this you would create two crypto map entries, each with the same map-name, but each with a different seq-num.

Richard Noggin fucked around with this message at 14:05 on Jul 6, 2009

# ? Jul 2, 2009 21:47

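The "one crypto map set per interface" rule Herv describes is easy to get wrong when pasting in a second VPN, and the failure is silent: the old map's tunnels just stop coming up. The following is an added example (my own, not Herv's code and not anything from Cisco) that lints a PIX/ASA config dump for exactly that. It flags an interface with more than one `crypto map NAME interface IFACE` line (the later one replaces the earlier), map sets that still have entries but are no longer bound anywhere, and a dynamic entry numbered below a static peer entry, since Cisco's guidance is to give the dynamic entry the highest sequence number so static peers are matched first. The config snippets are constructed; the map names (toCottage, raMap, OutsideMap, raDynMap) are the ones used in this thread.

```python
"""Lint PIX/ASA crypto map bindings (added example, not Herv's or Cisco's code).

Checks three things the thread above runs into:
  1. an interface with more than one "crypto map NAME interface IFACE" line
     (PIX 6.x binds one map set per interface; the later line replaces the
     earlier one, silently killing the earlier map's tunnels),
  2. map sets that still have entries but are no longer bound to any interface,
  3. a dynamic entry whose sequence number is lower than a static (peer) entry;
     the dynamic entry should get the highest sequence number.
Config snippets below are constructed; map names come from the thread."""
import re
from collections import defaultdict

MAP_ENTRY = re.compile(
    r"^crypto map (\S+) (\d+) (?:ipsec-isakmp|match|set)(?: (dynamic) \S+)?")
MAP_BIND = re.compile(r"^crypto map (\S+) interface (\S+)$")


def lint_crypto_maps(config_lines):
    """Return a list of findings (empty list means the crypto config is consistent)."""
    entries = defaultdict(dict)   # map name -> {seq: is_dynamic}
    bindings = defaultdict(list)  # interface -> map names, in config order
    for raw in config_lines:
        line = raw.strip()
        m = MAP_BIND.match(line)
        if m:
            bindings[m.group(2)].append(m.group(1))
            continue
        m = MAP_ENTRY.match(line)
        if m:
            name, seq = m.group(1), int(m.group(2))
            is_dyn = m.group(3) == "dynamic"
            entries[name][seq] = entries[name].get(seq, False) or is_dyn

    findings = []
    for iface, names in bindings.items():
        if len(names) > 1:
            findings.append(
                f"{iface}: {len(names)} crypto map sets bound ({', '.join(names)}); "
                f"only the last one ({names[-1]}) takes effect")
    bound = {names[-1] for names in bindings.values()}
    for name in entries:
        if name not in bound:
            findings.append(
                f"crypto map {name} has entries but is not bound to any interface")
    for name, seqs in entries.items():
        static = [s for s, dyn in seqs.items() if not dyn]
        dynamic = [s for s, dyn in seqs.items() if dyn]
        if static and dynamic and min(dynamic) < max(static):
            findings.append(
                f"crypto map {name}: dynamic entry seq {min(dynamic)} sorts before "
                f"static entry seq {max(static)}; give the dynamic entry the highest seq")
    return findings


# Constructed: what the original poster ended up with after adding the RA VPN.
BROKEN_CONFIG = """
crypto map toCottage 10 ipsec-isakmp
crypto map toCottage 10 match address vpn
crypto map toCottage 10 set peer cottage-pix
crypto map toCottage 10 set transform-set strong
crypto map toCottage interface outside
crypto dynamic-map raDynMap 10 set transform-set raVPN
crypto map raMap 10 ipsec-isakmp dynamic raDynMap
crypto map raMap interface outside
""".strip().splitlines()

# Constructed: Herv's merged layout, one map set with two sequence numbers.
FIXED_CONFIG = """
crypto dynamic-map raDynMap 30 set transform-set raVPN
crypto map OutsideMap 20 ipsec-isakmp
crypto map OutsideMap 20 match address vpn
crypto map OutsideMap 20 set peer cottage-pix
crypto map OutsideMap 20 set transform-set strong
crypto map OutsideMap 30 ipsec-isakmp dynamic raDynMap
crypto map OutsideMap interface outside
""".strip().splitlines()

# Constructed: merged, but with the dynamic entry numbered below the static peer.
WRONG_ORDER_CONFIG = """
crypto dynamic-map raDynMap 10 set transform-set raVPN
crypto map OutsideMap 10 ipsec-isakmp dynamic raDynMap
crypto map OutsideMap 20 ipsec-isakmp
crypto map OutsideMap 20 match address vpn
crypto map OutsideMap 20 set peer cottage-pix
crypto map OutsideMap 20 set transform-set strong
crypto map OutsideMap interface outside
""".strip().splitlines()

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG),
                       ("wrong order", WRONG_ORDER_CONFIG)):
        print(label, lint_crypto_maps(cfg) or ["ok"])
```

Feed it the output of `show running-config` and it reports two findings for the broken layout (two bindings on outside, toCottage orphaned), nothing for the merged one, and an ordering warning when the dynamic entry is numbered too low. It only looks at map bindings and sequence numbers; it does not check ACLs, transform sets or ISAKMP policy.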
What the heck does "Config mode cannot be entered during Standby initialization" mean? I'm trying to configure my 6506 and it won't let me. This is the only cisco unit we have at that location so I'm not sure what standby mode it's trying to kick in. Additionally, I'm not the Net Eng, I just play one when they aren't around.

edit: I think I found the relevant part of my rancid logs

code:
- !Slot 5: type Supervisor Engine 720 (Active), 2 ports
- !Slot 5: part WS-SUP720-3B, serial SAL09169HPH
- !Slot 5: hvers 4.3, firmware 8.1(3), sw 12.2(33)SXI
+ !Slot 5: type Unknown (Other), 0 ports
+ !Slot 5: part Unknown, serial Unknown
+ !Slot 5: hvers 0.0, firmware Unknown, sw Unknown
- !Slot 6: type Supervisor Engine 720 (Hot), 2 ports
+ !Slot 6: type Supervisor Engine 720 (Active), 2 ports

I'm guessing I just lost a 720

spoon daddy fucked around with this message at 04:31 on Jul 3, 2009

# ? Jul 3, 2009 04:19

Most likely. Do a "show inventory", or "show power" and you will be able to tell what state the supervisor is in. Since you are remote do a "no power slot 7" or something like that, to turn the standby sup off. Then once the standby sup is off, you should be able to make changes to the config, and eventually get someone to replace or onsite troubleshoot the sup.

# ? Jul 4, 2009 00:12

Powercrazy posted:
Most likely. Do a "show inventory", or "show power" and you will be able to tell what state the supervisor is in.

Called Cisco. Turns out that my two 720s had their configs out of sync with one having names for all my vlans and one having no names for my vlan (added names about a week ago). I removed the vlan names and everything went back to normal.

# ? Jul 4, 2009 09:31

spoon daddy posted:
Called Cisco. Turns out that my two 720s had their configs out of sync with one having names for all my vlans and one having no names for my vlan (added names about a week ago). I removed the vlan names and everything went back to normal.

Huh? When you make changes on the active SUP, they should be replicated to the standby SUP. Did they give you a reason for why that didn't happen?

# ? Jul 4, 2009 14:53

spoon daddy posted:
Called Cisco. Turns out that my two 720s had their configs out of sync with one having names for all my vlans and one having no names for my vlan (added names about a week ago). I removed the vlan names and everything went back to normal.

I'm also curious about this. Unless for some reason you were consoled in to the standby supervisor or something.

# ? Jul 4, 2009 16:19

routenull0 posted:
Huh? When you make changes on the active SUP, they should be replicated to the standby SUP. Did they give you a reason for why that didn't happen?

Still waiting on a response as to how this happened. Me and my colleagues are just as stumped as you guys are. To be fair, I wasn't the engineer who called into Cisco so maybe I'm missing something (likely). However, the solution was directly related to removing the vlan names so the configs matched. I saw that much in the email exchange.

spoon daddy fucked around with this message at 02:06 on Jul 5, 2009

# ? Jul 5, 2009 01:59

DP sorry

# ? Jul 5, 2009 02:06

Thanks for the replies people. That's cleared stuff up nicely.

inignot posted:
That's a fairly old book. I don't think Doyle put out an updated Volume II. The BGP design and Implementation book is good.

Thanks for the book recommendation. There is an updated Vol I but I've been trawling lots of book sellers and can't find an updated Vol II.

# ? Jul 5, 2009 14:48

Question about Cisco PIX IOS: I eventually got my PIX working, it just magically stopped feeding gibberish one day. However now my problem is that I have no idea what the enable pw for this thing is, will Cisco give out older firmware versions (6.x) for the 501 or am I hosed?

# ? Jul 6, 2009 11:02

Wicaeed posted:
Question about Cisco PIX IOS:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_password_recovery09186a008009478b.shtml

That will show you how to do a password recovery. You can download any version of the PIX OS your system will run with a valid login and contract number.

# ? Jul 6, 2009 11:54

What sort of performance can I expect from an 1130ag radio? What I mean is for instance what is the maximum number of connected clients and what sort of bandwidth can this thing chug out with multiple clients connected? I have a vendor that is trying to steer me away from running multiple VLANs on a set of these things because of the potential for it to impact business application performance. I am trying to figure out if he is just trying to sell me more stuff or if his fear holds water.

# ? Jul 6, 2009 22:31

I'm in a bit of a bind trying to block all outbound mail from our internal users and allowing only mail from our mail server. I've tried copying the following from an RBL website that we are on but it ends up blocking all mail, including our mailserver. We are running on an ASA 5505.

"CISCO These are generally applicable to most (all?) CISCO firewalls: First you need to create an access list describing the traffic (X.X.X.X is the IP address of your mail server. Add more lines if you have more than one)

access-list acl_out permit tcp host X.X.X.X any eq 25
access-list acl_out deny tcp any any eq 25
... any other outbound rules you may want go here ...
access-list acl_out permit ip any any

Then you need to apply that access-list to the inside interface (because it is being checked on the inside before it goes out)

access-group acl_out in interface inside"

So I've setup the following:

access-list acl_out extended permit tcp host 192.168.111.240 any eq smtp
access-list acl_out extended permit tcp host 192.168.111.250 any eq smtp
access-list acl_out extended deny tcp any any eq smtp
access-list acl_out extended permit ip any any

and then did "access-group acl_out in interface inside"

Here is the list of our vlans if that helps.

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.111.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.243 255.255.255.248
!

Anyone have any clue what I'm doing wrong?

# ? Jul 6, 2009 22:51

Job opening in Southwest Florida: http://21stcenturyoncology.com/jobs_nondr.asp go down to "senior network administrator" and apply using that link. Do not pay too much attention to the req. We will take a junior as well. CCNA and a year of experience will qualify you for a phone interview. I need to fill this position ASAP. Please PM me or email me at bonno800@yahoo.com if you submit your resume- I can pull it out of the pool first.

# ? Jul 7, 2009 02:54

Syano posted:
What sort of performance can I expect from an 1130ag radio? What I mean is for instance what is the maximum number of connected clients and what sort of bandwidth can this thing chug out with multiple clients connected? I have a vendor that is trying to steer me away from running multiple VLANs on a set of these things because of the potential for it to impact business application performance. I am trying to figure out if he is just trying to sell me more stuff or if his fear holds water.

We try to limit the number of concurrent users to max 20 but there really is no limit. However they all share the available bandwidth in the (I'm assuming) 2.4ghz band which will give you about 22Mbit/s per non-overlapping channel. In the 5ghz band there are lots and lots of channels, but the same applies there.

# ? Jul 7, 2009 07:48

GerbilNut posted:
Anyone have any clue what I'm doing wrong?

Hrm, on the surface things look good. Someone would have pointed something out by now I would think.

Just curious, what source IP addresses are the mail servers using? Is that their only IP? 192.168.111.240 and .250, when they send email to each other (do a telnet SMTP session) what shows up in the server SMTP logs? (You might have to enable logging)

I am wondering if the ASA is seeing a different IP address than the one you are listing. I have had that issue plenty of times before if the server/switch has multiple IP's.

You can also look at it from the other end and see what the ASA logs say (might have to enable logging for the rules you are setting, check the GUI if you have to and read the logs there). See what is getting denied outbound on 25 when you apply that access list.

I think your problem may be with the traffic flow, not the config on the FW. Just a hunch.

# ? Jul 7, 2009 11:53

Herv posted:
Hrm, on the surface things look good. Someone would have pointed something out by now I would think.

I finally tracked it down and it looks like the mail server was not sending out on the .250 address like it was supposed to. The SMTP server was configured to do so, but it was coming from another address on the nic, .254 which screwed up everything. So that's fixed and blocking, yay.

But our outbound address is still blocked in a bunch of RBL's. Is it possible to setup a route somehow that all outbound smtp traffic from .254 uses a different IP? The following static routes were setup, but I don't know if it's possible to do an outbound route, like smtp traffic from .254 appears to come from xx.xx.190.245 for example.

static (inside,outside) tcp xx.xx.190.242 smtp 192.168.111.240 smtp netmask 255.255.255.255
static (inside,outside) tcp xx.xx.190.242 pop3 192.168.111.250 pop3 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.190.244 www 192.168.111.250 www netmask 255.255.255.255
static (inside,outside) tcp xx.xx.190.245 www 192.168.111.252 www netmask 255.255.255.255
static (inside,outside) tcp xx.xx.190.242 www 192.168.111.240 www netmask 255.255.255.255
static (inside,outside) tcp xx.xx.190.245 1468 192.168.111.254 1468 netmask 255.255.255.255
static (inside,outside) udp xx.xx.190.245 syslog 192.168.111.254 syslog netmask 255.255.255.255

GerbilNut fucked around with this message at 13:36 on Jul 7, 2009

# ? Jul 7, 2009 13:31

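The root cause GerbilNut found is the classic one for this kind of ACL: the list is evaluated top-down, first match wins, and a packet sourced from an address that is not on a permit line falls straight through to `deny tcp any any eq smtp`. The following is an added example (not code from the thread or from Cisco) that replays the ACL exactly as posted above, plus a corrected version, against constructed packets with a small first-match evaluator for ASA/PIX extended ACL syntax. The destination address 203.0.113.10 is a made-up documentation address.

```python
"""First-match evaluator for ASA/PIX extended access lists.

Added example (not code from the thread or from Cisco). It replays the
SMTP-blocking ACL posted above against constructed packets to show why
mail sourced from 192.168.111.254 hit "deny tcp any any eq smtp".
The destination 203.0.113.10 is a made-up documentation address."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "pop3": 110, "syslog": 514}


@dataclass
class Ace:
    action: str                  # "permit" | "deny"
    proto: str                   # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None = any destination port
    text: str                    # original line, for reporting


def _addr(t, i):
    """Parse 'any' | 'host A' | 'A MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # ASA ACLs use a subnet mask here, not a wildcard mask.
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    acl = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue                       # ignore remarks and blank lines
        i = 3 if t[2] == "extended" else 2
        action, proto = t[i], t[i + 1]
        src, i = _addr(t, i + 2)
        dst, i = _addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            p = t[i + 1]
            dport = PORT_NAMES[p] if p in PORT_NAMES else int(p)
        acl.append(Ace(action, proto, src, dst, dport, line.strip()))
    return acl


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """Walk the list top-down; first match wins, else the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny at end of list"


# Constructed from the ACL as posted above.
ACL_AS_POSTED = """
access-list acl_out extended permit tcp host 192.168.111.240 any eq smtp
access-list acl_out extended permit tcp host 192.168.111.250 any eq smtp
access-list acl_out extended deny tcp any any eq smtp
access-list acl_out extended permit ip any any
"""

# Same list with the address the mail server was actually using, and the
# deny line logged so the real source shows up in syslog next time.
ACL_FIXED = ACL_AS_POSTED.replace(
    "access-list acl_out extended deny tcp any any eq smtp",
    "access-list acl_out extended permit tcp host 192.168.111.254 any eq smtp\n"
    "access-list acl_out extended deny tcp any any eq smtp log")

if __name__ == "__main__":
    acl = parse_acl(ACL_AS_POSTED)
    for pkt in (("tcp", "192.168.111.240", "203.0.113.10", 25),
                ("tcp", "192.168.111.254", "203.0.113.10", 25),
                ("tcp", "192.168.111.254", "203.0.113.10", 80)):
        print(pkt, "->", evaluate(acl, *pkt))
```

Mail from .240 matches the first permit, mail from .254 lands on the deny line, and web traffic from .254 is passed by `permit ip any any`. Putting `log` on the deny line is the cheap way to catch this on the box itself: the ASA then emits a 106023 deny message with the actual source address, which is what Herv was suggesting you read in the logs.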
ior posted:
We try to limit the number of concurrent users to max 20 but there really is no limit. However they all share the available bandwidth in the (I'm assuming) 2.4ghz band which will give you about 22Mbit/s per non-overlapping channel. In the 5ghz band there are lots and lots of channels, but the same applies there.

This is interesting information. I can definitely see a potential problem if I had multiple users choking down some torrents or streaming video or something. I can also really see the advantage of toggling my A radio bands on, if only my clients could use them. Lucky thing is though I am only going to be pushing RDP traffic on the business end of things and the bottleneck for anyone else is going to be the 3 meg internet pipe and not the radios. Thanks for the information

# ? Jul 7, 2009 13:48

GerbilNut posted:
I finally tracked it down and it looks like the mail server was not sending out on the .250 address like it was supposed to. The SMTP server was configured to do so, but it was coming from another address on the nic, .254 which screwed up everything.

Yep, the public IP address will be what the 5505 is NAT'ing the .250 on (not the base outside ip address). To keep things simple, start with a one to one static nat for the SMTP server. Just get things going with the 250 on SMTP before you PAT stuff out to multiple hosts and whatnot. That may be blowing things up, I haven't tried to PAT out to multiple hosts in a long time, but that's what inbound rotary NAT used to do when you needed a poor mans load balancer so meh, just start with the single NAT 1 to 1 for your .250.

# ? Jul 7, 2009 14:41

Completely out of left field but... I'm continuing to do more and more work with Cisco devices for clients and am currently on track going through certification exams like my life depended upon it but I have one bothersome question. What does everyone use for configuration version control and the like? Preferably someone who deals with multiple clients.

For configuration I use Notepad++ with a custom userlanguage for highlighting important items in case I miss them. I also currently just manually tftp a config before and after any changes are made. Seeing as how I've been the lead engineer for two major projects that span over 50 devices each I've been having a rough time keeping things updated and the like. I doubt my company will drop the coin on something like Solarwind's Orion config manager so any recommendations that don't cost upwards of $2000 would be appreciated. (Especially opensource or free ones!)

# ? Jul 7, 2009 15:25

reborn posted:
Completely out of left field but...

RANCID should do what you want. For hand storing multiple copies of documents you can use Visual Source Safe or CVS or some other version control system. RANCID's Clogin is next to godly.

# ? Jul 7, 2009 15:50

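The part of RANCID that matters from a security standpoint is not the storage but what happens around it: secrets are filtered out of the archived copy so the repository never becomes a credential store, and every change to an ACL, crypto, AAA or vty line shows up in the next diff, which is how spoon daddy's "Slot 5: type Unknown" above got noticed. The following is an added example (my own, not RANCID's code) that does those three things in Python on two constructed IOS configs: redact secrets, produce a unified diff against the previous snapshot, and flag the changed lines that touch security-relevant configuration. The redaction patterns and the SENSITIVE_PREFIXES list are assumptions chosen for illustration, not RANCID's actual filter set.

```python
"""RANCID-style config archiving in miniature (added example, not RANCID's code).

Three steps, on two constructed IOS configs: redact secrets before anything is
stored, produce a unified diff against the previous snapshot, and flag the
added/removed lines that touch security-relevant configuration.  The redaction
patterns and SENSITIVE_PREFIXES are assumptions chosen for illustration."""
import difflib
import re
from typing import List, Tuple

# Keep the line so a change is still visible, but never archive the secret itself.
SECRET_PATTERNS = [
    (re.compile(r"^(enable (?:secret|password)(?: \d)? )\S+"), r"\1<removed>"),
    (re.compile(r"^(username \S+ (?:secret|password)(?: \d)? )\S+"), r"\1<removed>"),
    (re.compile(r"^(snmp-server community )\S+"), r"\1<removed>"),
    (re.compile(r"^(crypto isakmp key )\S+"), r"\1<removed>"),
]

# Prefixes (after stripping indentation) whose changes a reviewer should see.
SENSITIVE_PREFIXES = ("access-list", "access-group", "ip access-group", "crypto",
                      "enable", "username", "aaa", "snmp-server", "line vty",
                      "transport input", "ip http", "logging", "ntp")


def redact(config: str) -> List[str]:
    """Apply every secret pattern to every line; returns the archivable form."""
    out = []
    for line in config.strip().splitlines():
        for pat, repl in SECRET_PATTERNS:
            line = pat.sub(repl, line)
        out.append(line)
    return out


def config_diff(old: str, new: str) -> List[str]:
    """Unified diff of the redacted configs, like the nightly rancid mail."""
    return list(difflib.unified_diff(redact(old), redact(new),
                                     "previous", "current", lineterm=""))


def flag_sensitive(diff_lines: List[str]) -> List[Tuple[str, str]]:
    """Return ('+'|'-', config line) for changed lines that touch security config."""
    flagged = []
    for d in diff_lines:
        if not d or d[0] not in "+-" or d.startswith(("+++", "---")):
            continue                      # skip headers, hunk markers, context
        body = d[1:].strip()
        if body.startswith(SENSITIVE_PREFIXES):
            flagged.append((d[0], body))
    return flagged


# Constructed "previous" snapshot.
OLD_CONFIG = """
hostname core-6506
enable secret 5 $1$oldhash
username admin secret 5 $1$adminhash
snmp-server community s3cr3tRO RO
access-list 101 permit tcp any host 192.168.111.250 eq 25
access-list 101 deny ip any any log
interface Vlan1
 description users
 ip access-group 101 in
line vty 0 4
 transport input ssh
"""

# Constructed "current" snapshot: rotated enable secret (should not leak into
# the diff), ACL opened up, HTTP server enabled, telnet added to the vty line.
NEW_CONFIG = """
hostname core-6506
enable secret 5 $1$newhash
username admin secret 5 $1$adminhash
snmp-server community s3cr3tRO RO
ip http server
access-list 101 permit tcp any host 192.168.111.250 eq 25
access-list 101 permit ip any any
access-list 101 deny ip any any log
interface Vlan1
 description users
 ip access-group 101 in
line vty 0 4
 transport input telnet ssh
"""

if __name__ == "__main__":
    for sign, line in flag_sensitive(config_diff(OLD_CONFIG, NEW_CONFIG)):
        print(sign, line)
```

Run it and you get four flagged lines (the new `permit ip any any`, `ip http server`, and the vty transport change as a removed and an added line) while the rotated enable secret produces no diff at all, because both snapshots were redacted before comparison. Wire `config_diff` to whatever pulls the configs (clogin, or `copy running-config tftp` on a cron job) and commit the redacted text to CVS or git; the flagged list is the part worth mailing to a human.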
Kiwi CatTools. http://www.kiwisyslog.com/kiwi-cattools-overview/ Free for up to 20 devices, want to say $500 for unlimited.

# ? Jul 7, 2009 16:51