citywok posted: we've got a cisco 48 port POE gbit switch, and the thing takes like 6 weeks to enable a port. it causes TFTP/DHCP timeout issues, and makes the switch really irritating to work with. Is there a way to not make it take 90 - 120 seconds to enable a port?

"spanning-tree portfast" should be applied to all ports facing anything that's not another switch. This will tell the switch to skip the learning phase of spanning tree and go straight to forwarding.

Sep 3, 2009 01:10

Unless someone has done some bizarre spt timer changes, it's 50 seconds for a port to run through all the pvst spanning tree states. So, yeah, turn on portfast.

Sep 3, 2009 01:11

I have a question about IOS licensing. Let's say that I acquired a 3750 with a smartnet contract on it, the firmware it came installed with was not crypto. Let's say I update the firmware, and when I do so I install the crypto image, is this frowned upon in any way if I were to issue an RMA or other TAC service? I'm willing to bust out my water jug paper cup turned dunce cap if the answer for this one is an obvious, resounding no. Regardless of anything else, 3750s to play with and a shiny new 6509-e on the way.

Sep 4, 2009 17:57

Sojourner posted: I have a question about IOS licensing. Let's say that I acquired a 3750 with a smartnet contract on it, the firmware it came installed with was not crypto. Let's say I update the firmware, and when I do so I install the crypto image, is this frowned upon in any way if I were to issue an RMA or other TAC service? I'm willing to bust out my water jug paper cup turned dunce cap if the answer for this one is an obvious, resounding no.

Going regular to crypto is fine as long as you're in a country allowed to download a crypto image, and you do not plan to export it. Cisco have to ship all devices with non-crypto firmware in case it's going to be exported.

Sep 4, 2009 18:05

ragzilla posted: "spanning-tree portfast" should be applied to all ports facing anything that's not another switch. This will tell the switch to skip the learning phase of spanning tree and go straight to forwarding.

that's the one i'm sure. i'll play with it when i'm back in the office next week. thanks!!!

Sep 4, 2009 18:43

ragzilla posted: "spanning-tree portfast" should be applied to all ports facing anything that's not another switch. This will tell the switch to skip the learning phase of spanning tree and go straight to forwarding.

If you're going to do this you should always do it in conjunction with the "spanning-tree bpduguard enable" command to stop unauthorised switches going straight to forwarding and potentially introducing loops. I usually put no auto-mdix on access ports too for good measure.

Sep 5, 2009 08:35

Davethehedgehog posted: If you're going to do this you should always do it in conjunction with the "spanning-tree bpduguard enable" command to stop unauthorised switches going straight to forwarding and potentially introducing loops. I usually put no auto-mdix on access ports too for good measure.

You can do this for all portfast ports with a global command - "spanning-tree portfast bpduguard default". Note, you should run bpduguard and NOT bpdufilter in general. If you run bpduguard and bpdufilter on the same port, then filter takes precedence, and therefore it is impossible to detect that someone has caused a forwarding loop.

Sep 5, 2009 11:16

citywok posted: we've got a cisco 48 port POE gbit switch, and the thing takes like 6 weeks to enable a port. it causes TFTP/DHCP timeout issues, and makes the switch really irritating to work with. Is there a way to not make it take 90 - 120 seconds to enable a port?

It's all about telling the myriad of port turn-up processes to avoid negotiation by hard-setting them. Techrepublic has a pretty comprehensive overview here. In short:

- spanning tree's already been mentioned. It's 50% of the problem.
- 'switchport host' disables trunk and etherchannel negotiation
- 'power inline static' supposedly reduces PoE negotiation times
- hard-coding speed and duplex shaves off some milliseconds but many avoid it because it causes problems

Good luck - I had the same problem with PXE-booting hosts and the 'switchport host' thing saved my butt.

Edit: apparently for some code revs 'switchport nonegotiate' is required to disable DTP negotiation.

Sep 5, 2009 23:33
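
As an added illustration (not code from the thread), a small Python audit that applies the rules from the two posts above to a running-config: portfast missing on a host port, portfast without bpduguard, bpdufilter overriding bpduguard, and DTP left on. The sample config and interface names are constructed, and the global "spanning-tree portfast bpduguard default" is honoured only for ports that are actually in portfast.

```python
"""Audit a Catalyst running-config for portfast, bpduguard vs bpdufilter and switchport nonegotiate."""

# Constructed sample config (not from a real switch); Gi1/0/1 is the clean case.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/3
 switchport mode access
!
interface GigabitEthernet1/0/48
 switchport mode trunk
!
"""

def parse_config(text):
    """Split IOS config text into (global commands, {interface: [commands]})."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
            if line and line != "!":
                global_cmds.append(line)
    return global_cmds, interfaces

def audit(text):
    """Return {interface: [finding, ...]} for every non-trunk port with an issue."""
    global_cmds, interfaces = parse_config(text)
    guard_default = "spanning-tree portfast bpduguard default" in global_cmds
    findings = {}
    for name, cmds in interfaces.items():
        cfg = set(cmds)
        if "switchport mode trunk" in cfg:
            continue  # uplinks keep normal STP; portfast belongs on host-facing ports
        issues = []
        portfast = "spanning-tree portfast" in cfg
        bpduguard = "spanning-tree bpduguard enable" in cfg or (portfast and guard_default)
        bpdufilter = "spanning-tree bpdufilter enable" in cfg
        if not portfast:
            issues.append("no portfast: link-up waits for STP listening/learning")
        elif not bpduguard:
            issues.append("portfast without bpduguard: a rogue switch forwards immediately")
        if bpduguard and bpdufilter:
            issues.append("bpdufilter with bpduguard: filter wins, loops go undetected")
        if "switchport nonegotiate" not in cfg:
            issues.append("DTP still on: add 'switchport nonegotiate'")
        if issues:
            findings[name] = issues
    return findings
```

Run `audit(open("running-config.txt").read())` against a saved `show running-config` to get the per-port list of findings.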
Are there any good resources for EOL Cisco gear? The IOS Software Selector is useless for anything old and biased against switches, and the Feature Navigator is only a little better. I've got a choice between a WS-C2950-24, a WS-C3548-XL-EN, and a WS-C2924M-XL-EN, any of those for free, and only one of those was in the feature navigator. Apparently the WS-C2950-24 can run 12.1(22)EA13, but to find information on the other two I had to google the model number + "show version" and dig through results, or browse IOS filesharing sites to see what images were available for download, just to figure out which versions they can run. I'm leaning towards the WS-C2950-24, does anyone think different? I've got GNS/Dynamips for certification stuff, but I need a switch at home anyways, and if it can help for that, it's a bonus.

Sep 6, 2009 18:02

Casimirus posted: Are there any good resources for EOL Cisco gear? The IOS Software Selector is useless for anything old and biased against switches, and the Feature Navigator is only a little better.

You can browse switch software here which will give you release dates for each platform. You do of course need a CCO login. Getting a login is probably really what you need. Just get support on the cheapest device you have, it shouldn't cost that much.

* http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=268438038

If it helps any, the latest are:

* 2900XL: "c2900xl-c3h2l9s-mz.120-5.WC17.bin Release Date: 10/Apr/2007"
* 3500XL: "c3500xl-c3h2s-mz.120-5.WC17.bin Release Date: 10/Apr/2007"
* 2950: "c2950-i6k2l2q4-mz.121-22.EA13.bin Release Date: 03/Mar/2009"

Sep 6, 2009 18:21

Trying to decide between a Catalyst 3750G-48TS and a 4948 (which is cheaper than the 3750), are there any major differences? Just glancing through the CDW networking readout, it says that ACLs are supported on the 3750, but on the 4948 model I'm looking at it doesn't have them listed. These will be our core switches / routers in the DC so I want to make sure that we have a pretty wide feature set available.

Sep 11, 2009 16:20

Harry Totterbottom posted: Trying to decide between a Catalyst 3750G-48TS and a 4948 (which is cheaper than the 3750), are there any major differences? Just glancing through the CDW networking readout, it says that ACLs are supported on the 3750, but on the 4948 model I'm looking at it doesn't have them listed. These will be our core switches / routers in the DC so I want to make sure that we have a pretty wide feature set available.

The 4948 is a more capable switch in every way (except for stacking). Yes, ACLs are supported on it.

Sep 11, 2009 17:18

ior posted: The 4948 is a more capable switch in every way (except for stacking). Yes, ACLs are supported on it.

Awesome, we're a small enough shop that we aren't even looking at stacking for that location. Thanks!

Sep 11, 2009 17:40

Harry Totterbottom posted: Awesome, we're a small enough shop that we aren't even looking at stacking for that location. Thanks!

On another note, if you want to save money, go for a 3560 instead, it is the same as a 3750 but without stacking.

Sep 11, 2009 18:28

ior posted: On another note, if you want to save money, go for a 3560 instead, it is the same as a 3750 but without stacking.

Will do, trying to avoid going Dell 6248s if possible, but the price mark might be the deal maker.

Sep 11, 2009 18:37

Harry Totterbottom posted: Will do, trying to avoid going Dell 6248s if possible, but the price mark might be the deal maker.

Just going to throw this out there. We bought several Dell switches a couple years back because the price points were so far apart we thought it made sense at the time. Since that purchase, 2 out of the three we bought have had problems of a hardware nature and required replacing. In the 4 years I have been in my current gig we have yet to lose a Cisco. I know it's anecdotal but for us we won't buy anything else anymore.

Sep 11, 2009 20:18

Syano posted: Just going to throw this out there. We bought several Dell switches a couple years back because the price points were so far apart we thought it made sense at the time. Since that purchase, 2 out of the three we bought have had problems of a hardware nature and required replacing. In the 4 years I have been in my current gig we have yet to lose a Cisco. I know it's anecdotal but for us we won't buy anything else anymore.

We also had some older 2nd generation Dell switches that constantly died. The issue ended up being that the closet they were in was very hot and they were far less tolerant than Cisco or even HP for environmental issues. They also had some very bad bugs we had to call Dell about. They gave us some secret firmware that fixed the issue. However, this firmware isn't on Dell's website, no idea why it's not. I would probably use a Dell switch at my house or in a small isolated single switch LAN environment, but not really anywhere else. I'm pretty sure they're just rebranded SMCs as well. Also the CLI is stupid because it groups settings for each port in different areas (vlan in one spot, description in another, duplex/speed in another).

Sep 12, 2009 17:06

Can anyone tell me if anything in the 2800 series can terminate a T3 coax line? I know Cisco recommends a 3845, but funds are sparse for this project so I need to know if I should start looking at re-mans or old gen's, etc.

Sep 15, 2009 03:28

J Crewl posted: Can anyone tell me if anything in the 2800 series can terminate a T3 coax line? I know Cisco recommends a 3845, but funds are sparse for this project so I need to know if I should start looking at re-mans or old gen's, etc.

The NM-1A-T3/E3 fits in 2800 and 3800 series routers.

Sep 15, 2009 03:35

J Crewl posted: Can anyone tell me if anything in the 2800 series can terminate a T3 coax line? I know Cisco recommends a 3845, but funds are sparse for this project so I need to know if I should start looking at re-mans or old gen's, etc.

While it can terminate it without issue, Cisco only recommends a Subrate, not a full rate. code:

Sep 15, 2009 13:24

The NM-1T3 is ~$2000 used? If money is an issue, get a PA-T3 or PA-2T3 (~$300 used) for a 7200. I see complete used 7206 VXR's w/ NPE-400 and PA-T3 cards for $2k on ebay, any reputable reseller will probably be in this ballpark. VXR's aren't EOL and will kick the snot out of a 2800. The only downside I see is that they're just physically larger (3u) vs 1-2u for a 2800. Edit: I see that the NM-1A-T3 is much less than NM-1T3. Still recommending VXR.

Sep 15, 2009 15:16

falz posted: The NM-1T3 is ~$2000 used? If money is an issue, get a PA-T3 or PA-2T3 (~$300 used) for a 7200. I see complete used 7206 VXR's w/ NPE-400 and PA-T3 cards for $2k on ebay, any reputable reseller will probably be in this ballpark. VXR's aren't EOL and will kick the snot out of a 2800. The only downside I see is that they're just physically larger (3u) vs 1-2u for a 2800.

If he doesn't need any of the ISR features a 7200 VXR is definitely the way to go.

Sep 15, 2009 15:54

The VXRs themselves are not EOL if you put a NPE-G1 or G2 in there. Support for the NPE400 is EOL from what we were told by our cisco rep. Also the -1A- cards are EOL too. They were replaced by A3 cards which cost significantly more. That still doesn't change the fact that 7200VXR's really are awesome little boxes for the money.

Sep 15, 2009 16:51

CrazyLittle posted: The VXRs themselves are not EOL if you put a NPE-G1 or G2 in there. Support for the NPE400 is EOL from what we were told by our cisco rep. Also the -1A- cards are EOL too. They were replaced by A3 cards which cost significantly more. That still doesn't change the fact that 7200VXR's really are awesome little boxes for the money.

And an NPE-300 (dirt cheap) is more than enough to max out a DS3 assuming you're not loading it up with features, and don't care about them being EOL.

http://cgi.ebay.com/CIsco-7206VXR-N...id=p3286.c0.m14

$3750 for an NPE-400 + 2 port T3 + 8 port T1

Sep 15, 2009 17:35

CrazyLittle posted: The VXRs themselves are not EOL if you put a NPE-G1 or G2 in there. Support for the NPE400 is EOL from what we were told by our cisco rep. Also the -1A- cards are EOL too. They were replaced by A3 cards which cost significantly more. That still doesn't change the fact that 7200VXR's really are awesome little boxes for the money.

This is probably posted somewhere in this thread, but this page for hardware compatibility (and more) is a great reference:

* http://www.cisco.com/web/partners/tools/quickreference/

Sep 15, 2009 19:01

Thanks for the feedback everyone. The site in question is a larger 'branch office' that will be made our DR site. The T3 will do some BGP (default routes only) and will have light use until backups are pushed or poo poo goes down at our main office. Feature-wise, it won't need to do much other than route, BGP, and ACLs really. I would also say that even in the event of a main office web outage or disaster recovery scenario, we wouldn't max out the T3. I appreciate the 720x recommendations. I'm not sure what ballpark we're even in for pricing, so I'll keep that as a valid cheap, albeit used option. If I could stuff the NM-1A-T3 into a *new 2811 or higher and be fine, it looks like that puts us in roughly the same range as buying a more powerful used device. I feel like I'm comparing apples to oranges here.

Sep 15, 2009 21:33

You really are. 7200's are great routers, but really shouldn't be compared to ISRs. ISRs are service routers, meaning all the neat stuff that businesses have been doing since they figured out this internet thing (VPN, Voice, WAAS, Firewall etc). Whereas 7200's are more for traditional WAN/internet routing and the layer 3 services. If you are using the router for offsite disaster recovery, the 7200 might be what you need.

Sep 15, 2009 22:08

How much NAT throughput can you get out of a Catalyst 3750? I've got a customer who wants to use fiber in his riser closet, and they rely on us to do their NAT'ing for them on 10mbps service. OR, is there a better/cheaper device that would take an SX gbic and nat it out to Cat5 ethernet?

Sep 16, 2009 17:43

CrazyLittle posted: How much NAT throughput can you get out of a Catalyst 3750? I've got a customer who wants to use fiber in his riser closet, and they rely on us to do their NAT'ing for them on 10mbps service.

Sep 16, 2009 17:47

falz posted: None, 3750's don't do NAT. You could get a media converter instead of a router supporting GBIC's if you wanted.

Yeah... finding that out. Blah.

Sep 16, 2009 18:17

CrazyLittle posted: How much NAT throughput can you get out of a Catalyst 3750? I've got a customer who wants to use fiber in his riser closet, and they rely on us to do their NAT'ing for them on 10mbps service.

10mbit? Are they too cheap to buy a linksys router and use that as their 'firewall'?

Sep 16, 2009 18:21

Also, GBIC's are more likely to be found on a switch. Plenty of older/cheap switches will support GBIC's. Have a VLAN on the switch that's a TX port to a router and the GBIC port and you're good.

Sep 16, 2009 18:31

Nah, I'm probably going to go with the media converter route, as part of the whole point is to reduce the total amount of energy consumption, so that it could be put on a small battery backup. A full switch and router with GBICs etc, would consume far more energy than a simple media converter + ASA. These guys are doing 10mbit symmetric that needs to be queue-shaped, and the soho boxes/linksys routers don't cope well with high-throughput bidirectional traffic, or IPSEC VPN, remote vpn, etc.

Sep 16, 2009 19:43

CrazyLittle posted: Nah, I'm probably going to go with the media converter route, as part of the whole point is to reduce the total amount of energy consumption, so that it could be put on a small battery backup. A full switch and router with GBICs etc, would consume far more energy than a simple media converter + ASA. These guys are doing 10mbit symmetric that needs to be queue-shaped, and the soho boxes/linksys routers don't cope well with high-throughput bidirectional traffic, or IPSEC VPN, remote vpn, etc.

Don't know if you have a media converter picked out yet, but I think we usually use these (but usually the LX/ZX versions): http://fluxlightinc.com/prod.php?id=124

Keep a spare on-hand, we've had a few fail (usually the PSU, but usually only fails if there's no AC so it ends up overheating).

Sep 17, 2009 00:14

Thanks!

Sep 17, 2009 00:32

ragzilla posted:
A thousand times this. I've seen a lot of media converters fail, and the PSU also goes in them too. My first time fixing one I was foolish and only changed out the actual converter, and that didn't bring my link back up so I spent the next 3 hours trying everything in the book until my boss told me the same thing happened at the same place years ago and that the media converter power supply needs to be changed. Ever since that day I've had a hate on for media converters, and myself.

Sep 17, 2009 13:43

I have a customer I hate because their interconnection is a massive one-off in my network. I only want them to grow so I can get rid of the media converter that I need when they are running 100base-FX.

What is the accepted way to prevent an ASA from looping packets? I use a ASA5510 as a site-to-site VPN concentrator. If the source address doesn't match the crypto map or for whatever other reason, the ASA will receive the packet then match the default route and send it back to the switch, which routes it back to the ASA and so on and so forth. I tried null routing the subnet but it seems that static routes take precedence over VPN tunnel matches. I think I mitigated a lot of the scenarios by adding firewall rules that deny the traffic that is destined to a VPN'd subnet but has an incorrect source. I don't have RRI currently enabled, but if RRI as well as the firewall rules would keep me in the clear I'll go ahead and do it.

Sep 18, 2009 03:28

FatCow posted: I have a customer I hate because their interconnection is a massive one-off in my network. I only want them to grow so I can get rid of the media converter that I need when they are running 100base-FX.

So the packet is getting looped off the outside interface to the upstream L3 device and then back down? If this is the case you could turn on verify reverse path forwarding on the outside int. That should kill it. I take it you have same-security-traffic permit intra-interface on? Why? RA VPN?

Sep 18, 2009 17:10

I've got a 2821 router with the CUE voicemail module in it. I've got a user that has left, but the account and mailbox and extension are all still in the system. I have the extension that this user had ringing through to their manager. What I can't figure out, though, is why when I call the extension it rings the manager's phone, but when there is no answer instead of going to the manager's mailbox it tries to go to the user's, which the system replies with "No mailbox configured" since I have the user's account on a null primary extension. How can I get it to go to the manager's mailbox regardless of whether his extension or the user's is being dialed into? Do I just set up the user's account to use the manager's extension? Do I have to set up a general mailbox? It is version 3.2, if that matters.

Sep 18, 2009 17:24

Pvt. Public posted: I've got a 2821 router with the CUE voicemail module in it. I've got a user that has left, but the account and mailbox and extension are all still in the system. I have the extension that this user had ringing through to their manager.

Well, this depends on the call handling software you're using and what you've done with it. With CME if you'd used a 'call-forward all' it will just pass the call to the next extension, meaning if that rings out it'll go to the 'call-forward noan' location specified for that extension.

Version 3.2? If that is CME (Call Manager Express) then that is pretty old and retarded, version 7.0 does things so much more intelligently and logically (actual hunt groups and associated functionality rather than playing the overlay dn game). If it's Call Manager properly, then I don't know it and apparently it's all menu driven rather than CLI so I don't know where to even start.

Do a 'show telephony-service' and you'll get something like this if you're running CME: code:

Sep 21, 2009 05:38