ate shit on live tv
Feb 15, 2004

by Azathoth

jwh posted:

Second generation IRS info is public now.

Nothing too unexpected, I guess- twice the RAM, multi-core processors, more extensibility via modules, more integration points.

1941s, the successor to the 1841, still won't do voice.

ISMs replacing AIMs, no AIM slots in ISR G2.

They do look cool though.

I think you mean ISR.

But yea, the 1900 series is nice. They basically all look like the 880, and they are definitely a long awaited upgrade to the lower level ISRs. The 3900's won't be coming for another year IIRC, but the 1900's and 2900's can replace 2800's and 3800's respectively. There is still some internal conflict about voice, placement and OS licensing, but the hardware is nice.

Oh also the 1900's mark the end of end-user trusted IOS loads. Basically before you could run any code you wanted on your router and no one would care except maybe TAC. Now the new code has the capability to have use licensing built in, they are still deciding to what extent to use this new capability, though I'll bet that the Field Account teams are against it. It makes it harder on the SEs to work with various customers.


jwh
Jun 12, 2002

Powercrazy posted:

I think you mean ISR.
You're right. It's been a long day.

Powercrazy posted:

Oh also the 1900's mark the end of end-user trusted IOS loads. Basically before you could run any code you wanted on your router and no one would care except maybe TAC. Now the new code has the capability to have use licensing built in, they are still deciding to what extent to use this new capability, though I'll bet that the Field Account teams are against it. It makes it harder on the SEs to work with various customers.
We first noticed this with the 881G, which we first got our hands on about six weeks ago. But yeah, the times they are a changin'.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Here's a good comparison of x9xx routers and modules. While the aforementioned licensing issue will suck, at least they will have universal IOS images between the ISR platforms. They haven't updated their router performance pdf yet unfortunately.

Also the 1900 looks like some old 30s radio.

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE
Not Cisco related but this has the best concentration of people who would need this. Anyone have some recommendations on serial concentrators for OOB management? They need to have:

An integrated POTS modem or an input to plug a modem into
Not reboot Sun servers if it loses power.
-48VDC option is a huge plus.
RS232 with RJ45 outputs.
Dual PSU or Dual PSU input is a huge plus.


I'm currently using Cisco 3600s with async cards for it now and the Sun reboot issue along with the general flakiness of them is making me want to make a case to buy something purpose built for this.

jwh
Jun 12, 2002

FatCow posted:

Not Cisco related but this has the best concentration of people who would need this. Anyone have some recommendations on serial concentrators for OOB management? They need to have:

An integrated POTS modem or an input to plug a modem into
Not reboot Sun servers if it loses power.
-48VDC option is a huge plus.
RS232 with RJ45 outputs.
Dual PSU or Dual PSU input is a huge plus.

Yes, Lantronix SLC appliances. I love them. You will love them. Buy them.

You should look specifically at the SLC04824T-02 product- 48 ports of RS232 over RJ45, dual DC power supplies, NEBS compliant.

edit: to elaborate, they can be used a la Raritan, ie., web-based Java-delivered console applet, or by proxying the console ports as TCP ports on the management interface of the appliance, making device console ports SSH accessible. Authentication can be then tied to external protocols, such as tacacs+. It's very nice.

squidflakes
Aug 27, 2009


SHORTBUS
Is there any reason interesting traffic ACLs have to match exactly between ASAs on either end of a L2L connection?

If ASA1:

access-list asa1 extended permit ip 10.0.16.0 255.255.255.0 10.1.16.0 255.255.255.0

and ASA2:

access-list asa2 extended permit ip host 10.1.16.1 10.0.16.0 255.255.255.0
access-list asa2 extended permit ip host 10.1.16.2 10.0.16.0 255.255.255.0


Source traffic on ASA1 is interesting if it is coming from the whole /24 destined for the other /24

Source traffic on ASA2 is interesting from those specific IPs only destined for the remote /24

I don't see an issue here, but I have another firewall admin furiously insisting that interesting traffic ACLs have to match.

ate shit on live tv
Feb 15, 2004

by Azathoth
I don't see an issue at all. Maybe the other admin is worried about asymmetric routing issues even though they don't apply in this case? Maybe he is just OCD?

It is working, right?

vty
Nov 8, 2007

oh dott, oh dott!
What are your opinions of SRX (Juniper) vs ASAs?

I'm looking into an SRX 240 for IPS/VPN/Firewalling, or a 5510.

I wish we had a networking/enterprise/whatever subforum.

squidflakes
Aug 27, 2009


SHORTBUS

Powercrazy posted:

I don't see an issue at all. Maybe the other admin is worried about asymmetric routing issues even though they don't apply in this case? Maybe he is just OCD?

It is working, right?

It's been working for two years until today. The tunnel dropped and the admin on the other side of the connection flipped the gently caress out. He said something about my policy not being correct and said he found this in his logs.

Tunnel rejected: Policy not found for Src:10.0.64.0, Dst: 10.30.106.0!

Meanwhile, my isakmp debug is returning

<normal IKE/isakmp connection junk>
Oct 23 15:37:00 [IKEv1]: Group = 2xx.xxx.xxx.xxx, IP = 2xx.xxx.xxx.xxx, Connection terminated for peer 2xx.xxx.xxx.xxx. Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
Oct 23 15:37:00 [IKEv1]: Group = 2xx.xxx.xxx.xxx, IP = 2xx.xxx.xxx.xxx, Removing peer from correlator table failed, no match!


I updated the ACL to match the specific hosts (which he kept calling a Policy. Not sure where he's getting that) and a few minutes later the tunnel is re-established. This happened at the same time as the application server on our end getting a process restarted so :iiam:
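As an added example (not from the thread, not Cisco's code), here is a small Python check of the two crypto ACLs quoted earlier in this exchange. It parses each ASA entry, swaps source and destination to get the mirror image the other peer would have to present, and classifies every entry as an exact mirror, as covered by a wider entry on the other side, or as uncovered. The "before" ASA1 ACL and the ASA2 ACL are the lines from the post; the "after" ASA1 ACL is an assumed reconstruction of the host-specific entries the fix described, since the thread does not show them.

```python
"""
Compare the crypto ("interesting traffic") ACLs of two IPsec peers.

Added example, not from the thread: it classifies every entry of one
peer's ACL by how the other peer's ACL covers the mirrored proxy identity
(destination and source swapped). Only 'permit ip' entries written the
way the thread writes them, with either 'host A.B.C.D' or 'NET MASK' on
each side, are understood.
"""
import ipaddress
import re

# One address term in ASA syntax: "host 1.2.3.4" or "1.2.3.0 255.255.255.0"
_HOST = r"host (\d+\.\d+\.\d+\.\d+)"
_NET = r"(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)"
_TERM = rf"(?:{_HOST}|{_NET})"
_ACE = re.compile(rf"^access-list (\S+) extended permit ip {_TERM} {_TERM}$")


def _network(host, net, mask):
    """Turn the regex groups of one address term into an ip_network."""
    if host:
        return ipaddress.ip_network(f"{host}/32")
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)


def parse_ace(line):
    """Return (acl_name, (src_network, dst_network)) for one ASA ACE."""
    m = _ACE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    name, sh, sn, sm, dh, dn, dm = m.groups()
    return name, (_network(sh, sn, sm), _network(dh, dn, dm))


def classify(local_aces, remote_aces):
    """For each remote ACE, say how the local ACL matches its mirror image.

    exact-mirror:           local has the same pair with src/dst swapped
    covered-not-identical:  a wider local entry contains the swapped pair
    uncovered:              nothing local contains the swapped pair
    """
    local = [parse_ace(l)[1] for l in local_aces]
    result = {}
    for line in remote_aces:
        _, (rsrc, rdst) = parse_ace(line)
        mirror = (rdst, rsrc)
        if mirror in local:
            status = "exact-mirror"
        elif any(rdst.subnet_of(lsrc) and rsrc.subnet_of(ldst) for lsrc, ldst in local):
            status = "covered-not-identical"
        else:
            status = "uncovered"
        result[line.strip()] = status
    return result


def symmetry_report(asa1, asa2):
    """Both directions at once: how ASA2 covers ASA1's entries and vice versa."""
    return {"asa1_entries_vs_asa2": classify(asa2, asa1),
            "asa2_entries_vs_asa1": classify(asa1, asa2)}


# The two ACLs exactly as quoted in the thread.
ASA1_BEFORE = [
    "access-list asa1 extended permit ip 10.0.16.0 255.255.255.0 10.1.16.0 255.255.255.0",
]
ASA2 = [
    "access-list asa2 extended permit ip host 10.1.16.1 10.0.16.0 255.255.255.0",
    "access-list asa2 extended permit ip host 10.1.16.2 10.0.16.0 255.255.255.0",
]
# Assumed form of the host-specific ACL the poster switched to; the thread
# does not show these lines, so this is a constructed guess at their shape.
ASA1_AFTER = [
    "access-list asa1 extended permit ip 10.0.16.0 255.255.255.0 host 10.1.16.1",
    "access-list asa1 extended permit ip 10.0.16.0 255.255.255.0 host 10.1.16.2",
]

if __name__ == "__main__":
    for label, acl in (("before", ASA1_BEFORE), ("after", ASA1_AFTER)):
        print(label)
        for entry, status in classify(acl, ASA2).items():
            print(f"  {status:22} {entry}")
```

With the "before" ACLs the report shows ASA2's two entries falling inside ASA1's wider /24-to-/24 entry, while ASA1's entry as a whole is not covered by anything on ASA2; with the host-specific "after" ACL every entry is an exact mirror in both directions. Which of the non-identical cases a given peer will accept depends on who initiates and on how that platform handles proxy identities, which the thread does not settle; the check just makes the asymmetry visible before the other admin finds it in his logs.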

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE

bell biv devoe posted:

I wish we had a networking/enterprise/whatever subforum.

I wouldn't mind if someone fired off an NSP questions thread for discussions of non CJ networking. Maybe it's just because I have very little Cisco kit in my network.

FatCow fucked around with this message at 00:16 on Oct 24, 2009

ragzilla
Sep 9, 2005
don't ask me, i only work here


FatCow posted:

I wouldn't mind if someone fired off an NSP questions thread for discussions of non CJ networking. Maybe it's just because I have very little Cisco kit in my network.

There's not really much of an xSP base to support a thread like that though.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

bell biv devoe posted:

What are your opinions of SRX (Juniper) vs ASAs?

I'm looking into an SRX 240 for IPS/VPN/Firewalling, or a 5510.

I wish we had a networking/enterprise/whatever subforum.

With real world traffic mix and features enabled discount the data sheet throughput #s by up to 25% on the SRX.

Yes I work for Cisco. No I'm not in sales.

tortilla_chip
Jun 13, 2007

k-partite
I'm trying to do policy based routing on the internal gig interface (g1/0/2) on an Etherswitch Module (NME-16ES-1G). I'm running 12.2(35)SE5 IPSERVICESK9-M which according to the CFN supports policy based routing. The feature is available on all the other physical interfaces, just not the one used for internal routing between the ISR and ES... has anyone else run into this?

jwh
Jun 12, 2002

tortilla_chip posted:

I'm trying to do policy based routing on the internal gig interface (g1/0/2) on an Etherswitch Module (NME-16ES-1G). I'm running 12.2(35)SE5 IPSERVICESK9-M which according to the CFN supports policy based routing. The feature is available on all the other physical interfaces, just not the one used for internal routing between the ISR and ES... has anyone else run into this?

I don't think you can apply PBR to a ESW interface, as the ESW interfaces can't be made routed interfaces. Can you apply the policy to a VLAN SVI?

tortilla_chip
Jun 13, 2007

k-partite
I am under the impression that there is a difference between the ES and ESW models. The ES allows you to give an ip address to g1/0/2 on the ES and g1/0 (or whatever slot is applicable) on the ISR.

Edit: Figured it out. Forgot to issue "no switchport" to g1/0/2 after nuking the config and upgrading IOS images.

Edit 2: Also need "sdm prefer routing"

tortilla_chip fucked around with this message at 00:29 on Oct 27, 2009

lilbean
Oct 2, 2003

Does anyone have anything positive or negative to say about the ACE modules? I'm currently looking into building a new production environment for eCommerce and a pair of the standalone ACE 4710 devices look like it'll do a ton of poo poo I need - OWASP-compliant scanning (gently caress PCI), SSL termination, load balancing, etc. Plus it's vastly cheaper than the F5 BigIP line I'm using now.

ElCondemn
Aug 7, 2005


lilbean posted:

Does anyone have anything positive or negative to say about the ACE modules? I'm currently looking into building a new production environment for eCommerce and a pair of the standalone ACE 4710 devices look like it'll do a ton of poo poo I need - OWASP-compliant scanning (gently caress PCI), SSL termination, load balancing, etc. Plus it's vastly cheaper than the F5 BigIP line I'm using now.

I evaluated the ACE a while back, we went with F5 because of some application dependencies that relied on SIP header rewrites. Since then we've solved our application dependency and moved to Netscaler as opposed to F5 or ACE, but feature wise I think the ACE works almost as well as the Netscaler.

In the past I've used the CSS and while it worked it could have used more features, the same goes for the ACE. The Netscaler however has pretty much all the features as the F5, including "global" load balancing but missing the ability to rewrite SIP headers and iRules. It depends on what you want feature wise but if all you need is some basic load balancing and maybe SSL offload the ACE should fit you just fine.

Inphinity
Sep 21, 2003

I'm looking for some suggestions / advice on products to use and compatibility, so hopefully someone here knows.

We have a central office (~30 users), 4 branch offices (~5 users each), and a small number (4, possibly going to 6 soon) mobile users.

The 5 offices all have ADSL or ADSL2+ connections.

We need to implement VPN tunnels between each branch office, and the central office. And we need mobile users to be able to connect to their relevant office, which could be the central office, or any branch office, depending which project they're assigned to at the time.

So, from my view we need
Central Office: Appliance to handle 4 or more concurrent permanent VPN tunnels, plus 4 or more concurrent VPN mobile client connections
Branch offices: Appliance to handle 1 permanent VPN tunnel, plus 4 or more concurrent VPN mobile client connections.

Should we look at IPSec or SSL? Does it matter? I've dealt with PPTP and IPSec VPNs before but not SSL VPNs.

What are suggestions for the appliances? I was wondering if we could go with an ASA 5505 at the central office and 861ISRs at the branches, but I don't fully understand the compatibility implications of using different models (and different product lines) in regards to connectivity.

Will these devices talk to each other?

Is there a better option?

Will a single mobile client software connect to whatever devices we get at all the offices?

All of the sites I believe have Linksys WAG200G routers at present. Can we keep these, and just point the DMZ to the new appliances?

ate shit on live tv
Feb 15, 2004

by Azathoth
You'll want to use IP Sec for your permanent VPN tunnels. SSL is great for particular applications over a web-browser or something, but IP Sec over a GRE tunnel is the standard way to handle VPN Tunnels.

As far as hardware, smaller ISRs (861s sound good) at the branch offices with a slightly larger ISR, say a 2800, at the CO is a good plan. With how small your office is and how few remote users you have, a separate ASA 5505 isn't necessary unless you are hosting significant web traffic or whatever.

You don't need separate user VPN capability for your branch offices unless there is something specific there that you want access to in the case that your main office goes down, however if you want it I'm pretty sure that 861s can handle a small number of individual user VPNs. Generally you will have your remote users just log into the CO and access whatever resources they want that way.

For your user VPN it depends if you want to pay for the Cisco VPN agent. I don't recall the licensing price offhand, but I imagine that if you talk to your account rep you can get a decent number of licenses for pretty cheap when you order all the gear. I haven't dealt with SSL VPN, but it might be the way to go if you don't trust the end user machine, or if they are using multiple non-standardized platforms, Windows, OSX, Linux, BeOS whatever.

As far as your Linksys routers, I assume you want to keep the wireless on them? If that is the case all the ISRs can be equipped with wireless, the new 880's and 1900's have wireless N capability, but if you don't want to pay for that, then you can certainly do some double nat trickery and make them work, transparently to the end user.

ate shit on live tv fucked around with this message at 23:39 on Nov 3, 2009

Inphinity
Sep 21, 2003

Powercrazy posted:

As far as hardware, smaller ISRs (861s sound good) at the branch offices with a slightly larger ISR, say a 2800, at the CO is a good plan.

As far as your Linksys routers, I assume you want to keep the wireless on them? If that is the case all the ISRs can be equipped with wireless, the new 880's and 1900's have wireless N capability, but if you don't want to pay for that, then you can certainly do some double nat trickery and make them work, transparently to the end user.

Awesome, thanks for your advice. I'll get some pricing.

The only reason we are interested in keeping the existing routers is because I didn't think the ISRs have built-in ADSL modems? If they can connect directly to the phone line for the DSL, great! We don't need the wireless capability.

ragzilla
Sep 9, 2005
don't ask me, i only work here


Powercrazy posted:

For your user VPN it depends if you want to pay for the Cisco VPN agent. I don't recall the licensing price offhand, but I imagine that if you talk to your account rep you can get a decent number of licenses for pretty cheap when you order all the gear. I haven't dealt with SSL VPN, but it might be the way to go if you don't trust the end user machine, or if they are using multiple non-standardized platforms, Windows, OSX, Linux, BeOS whatever.

On the ASA platform there's a basic SSLVPN license now that lets you use remote access SSLVPN using the AnyConnect client for as many peers as you're licensed for IPsec RA peers, good thing too since they're discontinuing the IPsec RA client, and have no plans for an x64 version.

Inphinity
Sep 21, 2003

ragzilla posted:

On the ASA platform there's a basic SSLVPN license now that lets you use remote access SSLVPN using the AnyConnect client for as many peers as you're licensed for IPsec RA peers, good thing too since they're discontinuing the IPsec RA client, and have no plans for an x64 version.

Does that mean we should go with an ASA, so that we can use the SSL client? - we have some users with 64-bit editions of Windows 7.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Inphinity posted:

Awesome, thanks for your advice. I'll get some pricing.

The only reason we are interested in keeping the existing routers is because I didn't think the ISRs have built-in ADSL modems? If they can connect directly to the phone line for the DSL, great! We don't need the wireless capability.

Some of the 8xx line do iirc, but ISR and G2 would require you to purchase an ADSL interface card.

Inphinity posted:

Does that mean we should go with an ASA, so that we can use the SSL client? - we have some users with 64-bit editions of Windows 7.

There is SSLVPN support on ISR and G2.

Erwin
Feb 17, 2006

I just purchased four 7960 IP phones for $50 each from eBay for use with our Speakeasy hosted VOIP service. I wasn't very familiar with Cisco VOIP phones and didn't realize that changing firmware was going to be such a hassle.

They came with MGCP firmware, and Speakeasy said it's on us to get the right version of SIP firmware on the phones. Unfortunately Cisco seems to require a service contract to download firmware for phones (this seems really stupid, but whatever).

It seemed to me that Speakeasy would have firmware for the 7960s on their TFTP server, since they SELL 7960s (for $395) and I would imagine that they upgrade firmware once in a while. Unfortunately there is no OS79XX.txt on the TFTP server.

So here are my questions:

1.) If I buy a Cisco service contract for one phone, is it legal to use that firmware on all of my phones? I may get more in the future and I wouldn't want to not pay Cisco their dues :rolleyes:

2.) Is there another cheap or free, yet still legal way to put SIP firmware on these phones? Speakeasy said they specifically require version 03-08-07.

CrackTsunami
Sep 21, 2004
I enjoy the eating of babies.
Not really, it's part of having a smartnet contract. Almost all IOS images are not available without a contract (with exception of some of the switch images).

Once you have a contract for one phone you could theoretically install the same firmware on the rest of them but keep in mind this may violate the license with Cisco. Same with IOS images really - one contract gives you access to a lot of stuff. Cisco is starting to crack down on this and will eventually eliminate it with the universal images/license keys on the ISR2s.

lilbean
Oct 2, 2003

Steve Slavery posted:

I evaluated the ACE a while back, we went with F5 because of some application dependencies that relied on SIP header rewrites. Since then we've solved our application dependency and moved to Netscaler as opposed to F5 or ACE, but feature wise I think the ACE works almost as well as the Netscaler.

In the past I've used the CSS and while it worked it could have used more features, the same goes for the ACE. The Netscaler however has pretty much all the features as the F5, including "global" load balancing but missing the ability to rewrite SIP headers and iRules. It depends on what you want feature wise but if all you need is some basic load balancing and maybe SSL offload the ACE should fit you just fine.
Great, thanks for the information. Sounds like it'll be a good match for my needs.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Erwin posted:

I just purchased four 7960 IP phones for $50 each from eBay for use with our Speakeasy hosted VOIP service. I wasn't very familiar with Cisco VOIP phones and didn't realize that changing firmware was going to be such a hassle.

They came with MGCP firmware, and Speakeasy said it's on us to get the right version of SIP firmware on the phones. Unfortunately Cisco seems to require a service contract to download firmware for phones (this seems really stupid, but whatever).

It seemed to me that Speakeasy would have firmware for the 7960s on their TFTP server, since they SELL 7960s (for $395) and I would imagine that they upgrade firmware once in a while. Unfortunately there is no OS79XX.txt on the TFTP server.

So here are my questions:

1.) If I buy a Cisco service contract for one phone, is it legal to use that firmware on all of my phones? I may get more in the future and I wouldn't want to not pay Cisco their dues :rolleyes:

2.) Is there another cheap or free, yet still legal way to put SIP firmware on these phones? Speakeasy said they specifically require version 03-08-07.

I believe we provide free SW if the device is affected by a PSIRT. You'd have to open a TAC case, but I'd think that would be free too in that case.

Xenomorph
Jun 13, 2001
Some douche is using an IP that is supposed to belong to me.

We're both set to static.

I would like to go to this douche and tell him to stop using my IP. Unfortunately, I don't know where he's at, and there are like 300 Computers here. I'm not going to check them all!

I have his MAC address. A lookup on it tells me its from a Dell.

We have a bunch of Cisco 2950 and 2960G switches.

Is there a way for me to narrow down what port the MAC address may be on?

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE
You should have:

show mac-address-table address nnnn.mmmm.oooo
or
show mac address-table address nnnn.mmmm.oooo

chestnut santabag
Jul 3, 2006

Xenomorph posted:

Some douche is using an IP that is supposed to belong to me.

We're both set to static.

I would like to go to this douche and tell him to stop using my IP. Unfortunately, I don't know where he's at, and there are like 300 Computers here. I'm not going to check them all!

I have his MAC address. A lookup on it tells me its from a Dell.

We have a bunch of Cisco 2950 and 2960G switches.

Is there a way for me to narrow down what port the MAC address may be on?

switch#show mac-address-table
I think.
Although with 300 pcs, you should probably do what the above post says.

chestnut santabag fucked around with this message at 22:35 on Nov 4, 2009

Casimirus
Mar 28, 2005
Yes.

Xenomorph posted:

Some douche is using an IP that is supposed to belong to me.

We're both set to static.

I would like to go to this douche and tell him to stop using my IP. Unfortunately, I don't know where he's at, and there are like 300 Computers here. I'm not going to check them all!

I have his MAC address. A lookup on it tells me its from a Dell.

We have a bunch of Cisco 2950 and 2960G switches.

Is there a way for me to narrow down what port the MAC address may be on?

Layer 2 traceroute to find the switch, on that switch sh mac-address-table | inc the.mac.address.in.lowercase

Sojourner
Jun 6, 2007

Get In
Ciscoworks campus manager has the ability to poll switches periodically for their mac table and search the location of the offender based on mac or IP. I realize using that is probably not an option, but it is a neat feature.

Shut down the punk's switchport and wait for someone to call complaining their morezilla firefox isn't working anymore.

*edit*

apparently I'm un-ironically challenged at grammar

Xenomorph
Jun 13, 2001
How do I do a Layer 2 traceroute?

"traceroute mac" and "traceroute-mac" aren't valid commands on the switches I've connected to (mostly 2950s).

Xenomorph fucked around with this message at 23:24 on Nov 4, 2009

Sojourner
Jun 6, 2007

Get In

Xenomorph posted:

How do I do a Layer 2 traceroute?

Traceroute mac, from privileged exec. Not all Routers/switches will support it, so you may be doing show mac add | include *mac* to find him.

ate shit on live tv
Feb 15, 2004

by Azathoth
Also try:
sh arp | incl (ip address)

That should tell you which port the switch is seeing the IP on. You will probably have to keep going from switch to switch until you see the switch port that is directly connected to the computer in question.

ragzilla
Sep 9, 2005
don't ask me, i only work here


Powercrazy posted:

Also try:
sh arp | incl (ip address)

That should tell you which port the switch is seeing the IP on. You will probably have to keep going from switch to switch until you see the switch port that is directly connected to the computer in question.

This is a terrible idea (show mac-address-table is the correct answer).

Or if CiscoWorks Campus is out of your budget you could take a look at NetDisco which will perform a similar function for free[1].

1: Assumes you consider implementing a Linux+Postgres+Perl+Mason stack with sparse documentation as 'free'.

ate shit on live tv
Feb 15, 2004

by Azathoth

ragzilla posted:

This is a terrible idea (show mac-address-table is the correct answer).

Or if CiscoWorks Campus is out of your budget you could take a look at NetDisco which will perform a similar function for free[1].

1: Assumes you consider implementing a Linux+Postgres+Perl+Mason stack with sparse documentation as 'free'.

What's wrong with sh arp? I used it all the time with sh mac- in order to hunt down duplicate ip addresses. Also there might be more than one other computer that has a duplicate IP Address, sh arp would tell him that, he might also have the wrong mac address, again, sh arp would let him verify that.

And more generally how is running any show command a "terrible idea?"

ate shit on live tv fucked around with this message at 02:38 on Nov 5, 2009

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Powercrazy posted:

What's wrong with sh arp? I used it all the time with sh mac- in order to hunt down duplicate ip addresses. Also there might be more than one other computer that has a duplicate IP Address, sh arp would tell him that, he might also have the wrong mac address, again, sh arp would let him verify that.

And more generally how is running any show command a "terrible idea?"

Unless you ping from your management vlan interface you aren't going to see anything on 2960/2950.

I think that is his point anyhow.

ragzilla
Sep 9, 2005
don't ask me, i only work here


Powercrazy posted:

What's wrong with sh arp? I used it all the time with sh mac- in order to hunt down duplicate ip addresses. Also there might be more than one other computer that has a duplicate IP Address, sh arp would tell him that, he might also have the wrong mac address, again, sh arp would let him verify that.

And more generally how is running any show command a "terrible idea?"

sh arp is only going to be of any use if it's a layer 3 switch, and the device is actually communicating with the switch (I don't think the ARP table is updated for packets passing through an L3 switch), or tremblay's case where you ping/communicate with the device from the management svi of the switch and the management svi is the same vlan as the problem device. sh mac is always going to show the mac address table which is updated by pass-through frames.

Pretty much what tremblay said.
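As an added example that is not from the thread (nor any Cisco tool), here is the switch-to-switch hunt from the posts above written as a Python script: it looks a MAC address up in each switch's "show mac address-table" output, as FatCow, Casimirus and ragzilla suggest, and reports whether the port it was learned on is the only address on that port (the directly connected edge port) or carries many addresses (an uplink, so keep going to the next switch). The switch names, the MAC addresses and the table outputs are constructed samples in the IOS table layout, not captures from anyone's network; the assumption that the hyphenated 2950 command prints the same columns is mine.

```python
"""
Find which switch port a MAC address sits on from 'show mac address-table'
output, the way the thread describes: look the address up on each switch,
and keep going until it is learned on a port that carries only that one
address (an edge port) rather than an uplink carrying many.

Added example, not from the thread. The switch outputs are constructed
samples in the IOS table layout, not captures from anyone's network; the
switch names and MAC addresses are made up.
"""
import re
from collections import Counter

# One data row: VLAN, dotted MAC, type, port. Header and separator lines
# do not match because their second column is not a dotted MAC.
_ROW = re.compile(
    r"^\s*(\d+|All)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def to_cisco_mac(mac):
    """Normalise '00:11:22:33:44:55', '00-11-22-...' or '001122334455' to the
    lowercase dotted form IOS prints and expects after 'address' / 'include'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def parse_mac_table(text):
    """Return [(vlan, mac, type, port), ...] from 'show mac address-table' output."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            rows.append((vlan, mac.lower(), kind.upper(), port))
    return rows


def locate_mac(mac, tables):
    """tables maps switch name -> raw output. Returns one dict per switch that
    has learned the MAC, with how many dynamic MACs share that port."""
    target = to_cisco_mac(mac)
    hits = []
    for switch, text in tables.items():
        rows = parse_mac_table(text)
        dynamic_per_port = Counter(port for _, _, kind, port in rows if kind == "DYNAMIC")
        for vlan, learned, _, port in rows:
            if learned == target:
                hits.append({
                    "switch": switch, "vlan": vlan, "port": port,
                    "macs_on_port": dynamic_per_port[port],
                    "likely_edge": dynamic_per_port[port] == 1,
                })
    return hits


def edge_candidates(mac, tables):
    """The hits whose port carries only this MAC: the directly connected port(s).
    More than one candidate means the address shows up on several edge ports,
    which is itself worth a look."""
    return [h for h in locate_mac(mac, tables) if h["likely_edge"]]


# Constructed sample outputs: on access-1 the address is learned on the uplink
# Gi0/1 together with other addresses; on access-2 it is alone on Fa0/7.
SAMPLE_TABLES = {
    "access-1": """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
  10    0011.2233.4455    DYNAMIC     Gi0/1
  10    0011.2233.4456    DYNAMIC     Gi0/1
  10    0011.2233.4457    DYNAMIC     Gi0/1
  10    00aa.bbcc.dd01    DYNAMIC     Fa0/3
Total Mac Addresses for this criterion: 5
""",
    "access-2": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
  10    0011.2233.4455    DYNAMIC     Fa0/7
  10    0011.2233.4457    DYNAMIC     Gi0/1
  10    00aa.bbcc.dd02    DYNAMIC     Fa0/12
""",
    "access-3": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    00aa.bbcc.dd03    DYNAMIC     Fa0/2
""",
}

if __name__ == "__main__":
    for hit in locate_mac("00:11:22:33:44:55", SAMPLE_TABLES):
        print(hit)
    print("edge:", edge_candidates("00:11:22:33:44:55", SAMPLE_TABLES))
```

Feed it the saved output of the command from every access switch (pasting the output of "show mac address-table" per switch into the dictionary is enough) and the single edge candidate is the port to go look at, or to shut down as Sojourner suggests. The script relies only on the MAC table, which ragzilla's point above is about: it is populated by frames passing through a layer 2 switch, whereas the ARP table on a 2950/2960 only fills for traffic to or from the switch's own management SVI.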


ate shit on live tv
Feb 15, 2004

by Azathoth
Ah yea I see what you are saying, didn't think about that. But it's still not a "terrible" idea, just a useless one.

Terrible usually implies some kind of destructive behavior like say running clear ip bgp * on a 7600 or GSR at some CO.
