|
Sojourner posted: I've put together an SNMP trap monitoring system that will send an email when a given trap is received. What I need now are trap OIDs, and I'm having trouble finding what I want.
ftp://ftp.cisco.com/pub/mibs/oid/ + SNMP object navigator
|
# ? Feb 26, 2010 15:14 |
|
Sojourner posted: I've put together an SNMP trap monitoring system that will send an email when a given trap is received. What I need now are trap OIDs, and I'm having trouble finding what I want.
(Hope you've looked at SNMPTT)
http://tools.cisco.com/Support/SNMP/do/BrowseMIB.do?local=en&mibName=CISCO-ENVMON-MIB
http://tools.cisco.com/Support/SNMP/do/BrowseMIB.do?local=en&mibName=CISCO-PORT-SECURITY-MIB
|
# ? Feb 26, 2010 15:32 |
|
ragzilla posted: (Hope you've looked at SNMPTT)
SNMPTT is what I'm using, I think it's pretty sweet. To me those links look like MIBs, or something you'd poll the device to see, not a trap. But I could be missing something.
|
# ? Feb 26, 2010 15:47 |
|
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a008021de3e.shtml Maybe this?
So I'm going to be setting up a play lab with our extra equipment at work. I'll have full access to all the devices so I'm wondering what kind of topology I want to set up. I want to test several things, DMVPN w/failover, MPLS merging via Juniper's layer-2 network merging, Kompella draft (BGP-based and most scalable) and the Martini draft (LDP-based), I'd also like to be able to inject routes so I can test BGP path-selection and becoming a transit AS etc, what is the best way to do this? I'll have access to a large number of 2800's and layer 3 switches as well as some Juniper routers, all I need now is what an "ideal" topology would be, and I'd like to avoid frame relay if I can, just because it's going away (good riddance) and we don't use it for our internet access. Any ideas?
|
# ? Feb 26, 2010 18:17 |
|
Powercrazy posted: http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a008021de3e.shtml
Exactly that
|
# ? Feb 26, 2010 19:08 |
|
Powercrazy posted:
Well, I can't answer all of your questions, but you can test DMVPN with as few as two routers. MPLS stuff I don't know, but I imagine you'd want to build at least two PEs and two Ps. That's kind of the smallest real MPLS environment you can build, insofar as looking at PE-P and P-P interaction. Nothing wrong with frame-relay. It's been dying for twenty years and it's still not dead. In some dark, dystopian future, amidst the irradiated wasteland, there will be two things: cockroaches and frame-relay.
|
# ? Feb 27, 2010 02:03 |
|
jwh posted: Well, I can't answer all of your questions, but you can test DMVPN with as few as two routers. MPLS stuff I don't know, but I imagine you'd want to build at least two PEs and two Ps. That's kind of the smallest real MPLS environment you can build, insofar as looking at PE-P and P-P interaction.
And x.25
And ATM
Ethernet's going to be gone and replaced with something else, but all these ancient protocols will live on.
|
# ? Feb 27, 2010 06:33 |
|
Is there something similar to show int trunk that returns useful trunk info on my 80 year old 2900xl switch? Took me a few minutes to remember that this bad boy defaults to ISL. Just one more nail in the 2900's coffin come payday
|
# ? Feb 27, 2010 18:19 |
|
Herv posted:Thanks. Got my escalation, now we are up to another hour of watching them 'gently caress a football' over a webex session. Unfortunately time is becoming a problem, higher ups already asking if I have other equip to meet the need. Dallas is still around.
|
# ? Feb 27, 2010 22:35 |
|
I noticed that most BGP triggered blackhole configurations that I could find use an address within an IGP net as a target next-hop and then use a static route to point that out the null interface. I tried using a target next-hop that only had a single route, a static out the null interface:
code:
target next-hop within an IGP or connected net, with a more specific static out the null device: not inaccessible
target next-hop within a static out the null device, no other routes to that address: inaccessible
|
# ? Feb 27, 2010 22:55 |
|
jwh posted: It's been dying for twenty years and it's still not dead. In some dark, dystopian future, amidst the irradiated wasteland, there will be two things: cockroaches and frame-relay.
Don't forget Keith Richards.
|
# ? Mar 1, 2010 19:01 |
|
Just out of curiosity is there any way to make Cisco Routers and Switches run a non-standard TCP/IP stack? i.e. is it possible to turn 127,239-254/8 into usable IP addresses? Obviously if I wanted any hosts to be able to access these routers they would have to be running nonstandard stacks as well. But I was thinking of just messing with stuff like that in my little lab as just something to mess around with.
|
# ? Mar 2, 2010 20:18 |
|
Powercrazy posted: Just out of curiosity is there any way to make Cisco Routers and Switches run a non-standard TCP/IP stack? i.e. is it possible to turn 127,239-254/8 into usable IP addresses? Obviously if I wanted any hosts to be able to access these routers they would have to be running nonstandard stacks as well. But I was thinking of just messing with stuff like that in my little lab as just something to mess around with.
Not that I know of. It should fail the parser checks if you try to configure them. The 127.x.x.x space is used internally on devices using EOBC, IIRC.
|
# ? Mar 2, 2010 21:26 |
|
Powercrazy posted: Just out of curiosity is there any way to make Cisco Routers and Switches run a non-standard TCP/IP stack? i.e. is it possible to turn 127,239-254/8 into usable IP addresses? Obviously if I wanted any hosts to be able to access these routers they would have to be running nonstandard stacks as well. But I was thinking of just messing with stuff like that in my little lab as just something to mess around with.
Just curious, what purpose would this serve that normal private address ranges wouldn't? With almost 17.9 million addresses available in the three official private ranges and another 65k in the APIPA range that you technically could use without problems, I'm having trouble coming up with any reason to do this other than a very absurd and time-wasting form of security through obscurity.
Of course this did lead me to wonder why an entire /8 is reserved for localhost. That seems like an incredible waste, though I guess it does make it easy to prevent idiots from using it without knowing since all network gear can filter on just the first few bits of the address field. That plus the lack of concern about address exhaustion when it was first assigned is pretty much the only reason I can think of to burn 16m IP addresses for computers talking to themselves.
vvv Ah, well then, carry on. I can never complain about someone doing something just to see it work. vvv
wolrah fucked around with this message at 08:06 on Mar 3, 2010 |
# ? Mar 2, 2010 22:53 |
|
It would be completely useless, and non-interoperable. Just something to mess around with.
|
# ? Mar 3, 2010 01:15 |
|
wolrah posted: Of course this did lead me to wonder why an entire /8 is reserved for localhost.
The ironic thing is they fixed this for IPv6. It's a /128. Not sure why they just didn't make the IPv4 loopback a /32 around 1995.
|
# ? Mar 3, 2010 21:24 |
|
It would confuse CJs who keep setting the gateway address of their computer to 127.0.0.1 and wondering why they couldn't get on the internet? Besides the IPv6 loopback is really elegant at ::1. If they wanted to change the ipv4 loopback address they should have made it 0.0.0.1. Alas, C'est la vie.
Hmm, when I start messing with IPv6 I might make my default gateway 0007:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF or 127::1 for short
ate shit on live tv fucked around with this message at 21:57 on Mar 3, 2010 |
# ? Mar 3, 2010 21:54 |
|
Herv posted: The ironic thing is they fixed this for IPv6. It's a /128
I wouldn't really say it's "fixed". Maybe more efficient use of reserved networks? RFC 3330 defines IPv4 loopback as 127.0.0.1/32 but the whole /8 is reserved anyway by IANA (there's not a lot stopping them from changing that to a reserved /24 and releasing the rest, except for the multitudes of broken stacks out there that still respect some classful boundaries). RFC 4291 defines IPv6 loopback as ::1/128, but still the entirety of 0000/8 is set aside as reserved much like 127/8 was in IPv4 (except in IPv6 that's a much smaller reservation). Oh and now we can use :: as the "unspecified" address before a host gets an address (not that it's much different from using 0.0.0.0 in IPv4, but I guess at least now both special use addresses are in the same block).
|
# ? Mar 4, 2010 00:08 |
|
Well poo poo, how about that, they did spec out a /32 on the loopback. I never looked at that RFC. Learned something new there. Would you believe that whole /8 is still reserved on my Windows 7 PC? Then again they could just release a patch if someone starts hosting funny cat videos on the 127.0.2.2 and folks can't get there. <panic>
Still not sure why they didn't take over the 127 network long ago. So they keep Windows 95, Solaris 4, Linux (Manhattan) from getting to that network until they are patched. Big whoop, you live without the 127 besides the loopback, you aren't depending on any services. Same for routers, patch and bounce. By now all the newer OS's would have been OK from the get go.
More rambling, I wish IPv6 was a 64 bit address space or so. I would think in 100 years we would have something else as a unique identifier. 128 bit is crazy big and saying it out loud takes too long.
|
# ? Mar 4, 2010 01:08 |
|
Herv posted: More rambling, I wish IPv6 was a 64 bit address space or so.
I don't know what the current thinking is (and I doubt people have agreed on this by now), but every time this comes up on NANOG it spins out into a sixty reply discussion that goes something like this:
person a: everything should get a /64, it makes sense for autoconfiguration purposes
person b: that is INSANITY that's half of the ipv6 bit space!
person a: you don't understand how big 64 bits of hierarchy is
person b: but that's INSANITY! :mind boggle: you're ruining everything!
person a: you don't understand how big 64 bits of hierarchy is
person c: discussion about ipv6 autoconfiguration
person d: tangential discussion of dhcpv6
person e: everything should get a /64, it makes sense for autoconfiguration purposes
person f: but that's INSANITY
ad nauseam.
edit: I should mention there are security concerns about ipv6 autoconfiguration also, stuffing your 48-bit MAC address into the low order bits regardless of the preceding /64, etc.
|
# ? Mar 4, 2010 04:48 |
|
jwh posted: edit: I should mention there are security concerns about ipv6 autoconfiguration also, stuffing your 48-bit MAC address into the low order bits regardless of the preceding /64, etc.
Obviated by RFC3041. Pretty sure most OSes support this out of the box now. Not sure how it works in a DHCPv6 environment though unless you're doing DHCPv6-PD.
Splitting the address space into [64 network bits][64 host bits] makes it a lot easier when you look at the routing tables, I never have to worry about a route for anything shorter than a /64 except for my loopbacks, and I guess I'm going to end up using /127s on P-t-P links, but I'll reserve a /64 for each of them for future expansion/hey why is this bugged (lol making GBS threads address space left and right). Also all assignments to customers being a /48 makes IP assignment much easier to wrap your head around, also makes planning for that new block (once you have 65000 /48s out of the /32 assigned) much easier to predict.
ragzilla fucked around with this message at 05:20 on Mar 4, 2010 |
# ? Mar 4, 2010 05:18 |
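The autoconfiguration concern raised above (a MAC-derived interface identifier that stays the same under every /64) and the RFC 3041 mitigation, as an added Python example that is not part of any poster's message. The function names, the documentation-range MAC and the 2001:db8::/32 prefixes are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

IID_MASK = (1 << 64) - 1  # low 64 bits of an IPv6 address: the interface identifier


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291, Appendix A)."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # Flip the universal/local bit, then insert ff:fe between the two MAC halves.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host would autoconfigure on `prefix` without privacy extensions."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_iid(mac))


def embedded_mac(addr: str):
    """Return the MAC recoverable from an address, or None if the identifier
    does not have the ff:fe EUI-64 marker (e.g. an RFC 3041 random identifier).
    Heuristic: a random identifier can contain ff:fe by chance."""
    iid = (int(ipaddress.IPv6Address(addr)) & IID_MASK).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def group_by_mac(addresses):
    """Correlate addresses seen on different networks back to one interface."""
    groups = defaultdict(list)
    for addr in addresses:
        mac = embedded_mac(addr)
        if mac is not None:
            groups[mac].append(addr)
    return dict(groups)


# Constructed sample: one laptop seen on two /64s, plus one randomised address.
SAMPLE_MAC = "00:00:5e:00:53:01"  # IANA documentation MAC range
OBSERVED = [
    str(slaac_address("2001:db8:1::/64", SAMPLE_MAC)),
    str(slaac_address("2001:db8:2::/64", SAMPLE_MAC)),
    "2001:db8:1:0:3c91:7a2e:44d0:9b1f",  # constructed privacy-style identifier
]

if __name__ == "__main__":
    for addr in OBSERVED:
        print(f"{addr:40} -> {embedded_mac(addr)}")
    print(group_by_mac(OBSERVED))
```

Running `group_by_mac` over flow or web-server logs shows which clients still expose a stable hardware identifier across networks; hosts using randomised identifiers drop out of the grouping.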
|
ragzilla posted: Obviated by RFC3041. Pretty sure most OSes support this out of the box now. Not sure how it works in a DHCPv6 environment though unless you're doing DHCPv6-PD
Yeah I'm fine with /64s to everything and /127s for p-t-ps. It sounds fine to me. 64 bits of hierarchy is still really big. What is ARIN handing out to service providers? /32?
|
# ? Mar 4, 2010 05:22 |
|
jwh posted: I haven't seen that. What did they decide to do? I guess I should go read it.
The smallest allocation you can get as a SP is a /32. Bigger allocations available on request. I'm half tempted to go back and try to get a /31 instead of a /32 so I can advertise as 2 /32s to meet BCP16 for my authoritative DNS secondaries. However that doesn't seem to be well covered in the current ARIN NRPM. A micro-allocation won't work because they're not supposed to be routable.
|
# ? Mar 4, 2010 06:01 |
|
I like the concept of IPv6, but it's just so unwieldy... "Hey what is your IP Address I need to add it to the DNS" "Oh it's d00d:edfc:1234:eedc:1f3c:8aa4:b00b:c0c4" Simple
|
# ? Mar 4, 2010 16:14 |
|
So I work for a university department with a pretty decent sized network. I noticed that our network admin doesn't actually prune any traffic on our network, I was wondering if there is a statistic you can look at on the switches to tell if turning on pruning would be a good idea (maybe compare the amount of broadcasts being received compared to the number of VLANs that actually have ports on the switch)? Also I've read in Cisco documentation that manual pruning is more efficient because it removes portions of the network from the VLAN's instance of STP, is it possible to combine manual and VTP pruning (we have some situations that manual pruning would work fine, but a good number where VTP pruning would be the only feasible option)?
|
# ? Mar 4, 2010 23:23 |
|
captkirk posted: So I work for a university department with a pretty decent sized network. I noticed that our network admin doesn't actually prune any traffic on our network, I was wondering if there is a statistic you can look at on the switches to tell if turning on pruning would be a good idea (maybe compare the amount of broadcasts being received compared to the number of VLANs that actually have ports on the switch)?
captkirk posted: Also I've read in Cisco documentation that manual pruning is more efficient because it removes portions of the network from the VLAN's instance of STP
captkirk posted: is it possible to combine manual and VTP pruning (we have some situations that manual pruning would work fine, but a good number where VTP pruning would be the only feasible option)?
|
# ? Mar 5, 2010 01:42 |
|
Is anyone familiar with block depletions on the PIX? Specifically, 1550 blocks? I know they are used for general packet processing, and I am trying to determine if when they are depleted is why our PIX decides to lock up and drop all traffic until it is rebooted. It looks like the issue is traffic from the inside to the DMZ, so I am thinking it is some sort of backup traffic as the queue numbers approach over 2000 on the output queue on the inside interface. The box is running 6.3.4 (I know, I know), and I think the block depletions are usually a sign that the firewall can't handle the traffic flowing through it, but I can't troubleshoot when it happens because the issue locks up the PIX and I lose visibility to any statistics most of the time - sometimes I get lucky and the block depletion happens without locking the entire thing up. When it does happen though, I cannot even connect to it via serial console. It just starts dropping all traffic and won't respond until rebooted. Any idea where I could try to start troubleshooting this? I can post some interface information when I have it available, but I wanted to get this out there while it is fresh in my head. The inside interface is connected to a router, and the FE interface on the router doesn't show any errors or anything. The DMZ interface is connected to a switch and that interface doesn't show anything awry either. This issue is driving me nuts as it brings us to a halt until the unit is rebooted. Thanks! Let me know if I can provide any additional info.
|
# ? Mar 5, 2010 02:04 |
|
jarodm posted: Is anyone familiar with block depletions on the PIX? Specifically, 1550 blocks? I know they are used for general packet processing, and I am trying to determine if when they are depleted is why our PIX decides to lock up and drop all traffic until it is rebooted. It looks like the issue is traffic from the inside to the DMZ, so I am thinking it is some sort of backup traffic as the queue numbers approach over 2000 on the output queue on the inside interface.
Block depletions can happen during normal op. The whole locking up thing leads me to believe you could be dealing with a memory leak. The box just hangs dead to the world? Doesn't reboot on its own ever? Any output from show crash? How periodic are the hangs? Regular interval or random? Time of day consistent? etc
|
# ? Mar 5, 2010 07:39 |
|
captkirk posted: So I work for a university department with a pretty decent sized network. I noticed that our network admin doesn't actually prune any traffic on our network, I was wondering if there is a statistic you can look at on the switches to tell if turning on pruning would be a good idea (maybe compare the amount of broadcasts being received compared to the number of VLANs that actually have ports on the switch)? Also I've read in Cisco documentation that manual pruning is more efficient because it removes portions of the network from the VLAN's instance of STP, is it possible to combine manual and VTP pruning (we have some situations that manual pruning would work fine, but a good number where VTP pruning would be the only feasible option)?
I'm not sure why he wouldn't turn pruning on right off the bat, unless he has manually configured which VLANs are carried/allowed on each trunk, for each switch, which is basically what pruning does anyway, except automatically.
|
# ? Mar 5, 2010 23:54 |
|
Tremblay posted: Block depletions can happen during normal op. The whole locking up thing leads me to believe you could be dealing with a memory leak. The box just hangs dead to the world? Doesn't reboot on its own ever? Any output from show crash? How periodic are the hangs? Regular interval or random? Time of day consistent? etc
It does not reboot on its own. There is no crashinfo - it just hangs, unfortunately. I almost wish it would crash instead so that I don't have to call the NOC at the data center to reboot it. It is inconsistent/random as to the time of day - it can happen anytime during normal business hours. I recently bumped up the RAM from 64 to 128mb and that seemed to make it happen less often, but that may be anecdotal.
|
# ? Mar 6, 2010 00:21 |
|
jarodm posted: It does not reboot on its own. There is no crashinfo - it just hangs, unfortunately. I almost wish it would crash instead so that I don't have to call the NOC at the data center to reboot it. It is inconsistent/random as to the time of day - it can happen anytime during normal business hours.
Personally I'd open a case and ask for the latest 6.3.5 interim or move it to 7.0. Pretty sure you are dealing with a memory leak.
|
# ? Mar 6, 2010 07:34 |
|
Has anyone ever had to bridge non-IP traffic between two Cisco 1721s over a VPN (both running 12.4(25b) advanced security)? I'm hoping that I can set it up such that I can just have one interface on router A bridged to one interface on router B. From what I've read up on it I could use GRE + IPsec, L2TPv3 + IPsec, or DLSw + IPsec. Anyone ever set up something like this before or have any idea which way would be the best to approach this? If you've got a sample config for this setup that'd be great too.
|
# ? Mar 7, 2010 03:26 |
|
Kind of a shot in the dark here... Anyone have a Callmanager 7.0 or 7.1.2 installation DVD? I'm trying to do an upgrade from 5.1.3 to 7.1.3b via VMWARE but unfortunately the upgrade path from 5.1.3 to 7.1.3B is not good. I need an installation DVD for 7.0 or 7.1.2 :/ Cisco is so drat uptight with this stuff. midnj321 @ hotmail.com if you could save my week ;D
|
# ? Mar 7, 2010 20:00 |
|
Midnj posted: Kind of a shot in the dark here... Anyone have a Callmanager 7.0 or 7.1.2 installation DVD? I'm trying to do an upgrade from 5.1.3 to 7.1.3b via VMWARE but unfortunately the upgrade path from 5.1.3 to 7.1.3B is not good.
If you have SmartNET you can call and ask TAC...
|
# ? Mar 7, 2010 20:17 |
|
I have many smartnets, but never been able to get an installation DVD posted ever. I have the latest 7 media, just need 7.0 or 7.1.2 installation DVD. I also have many versions of 5 and 6.
|
# ? Mar 7, 2010 20:32 |
|
Midnj posted: I have many smartnets, but never been able to get an installation DVD posted ever. I have the latest 7 media, just need 7.0 or 7.1.2 installation DVD. I also have many versions of 5 and 6.
What does TAC say when you ask for it?
|
# ? Mar 7, 2010 22:15 |
|
Midnj posted: I have many smartnets, but never been able to get an installation DVD posted ever. I have the latest 7 media, just need 7.0 or 7.1.2 installation DVD. I also have many versions of 5 and 6.
If a TAC eng can't provide that for some reason then your sales team should be able to. Sometimes we can't/aren't allowed to distribute ISOs to customers. I don't remember CUCM being one of them though.
|
# ? Mar 7, 2010 22:35 |
|
thiscommercialsucks posted:I'm not sure why he wouldn't turn pruning on right off the bat, unless he has manually configured which VLANs are carried/allowed on each trunk, for each switch, which is basically what pruning does anyway, except automatically.
|
# ? Mar 8, 2010 01:03 |
|
Are ISRs really this lovely? I've got a simple network setup consisting of 3 routers, and 2 multilayer switches doing some BGP. What I want to do is create some DMVPN tunnels between the hub routers and the spokes, but my hub router is making GBS threads itself with memory problems. I've got an AIM module and everything. Surely this shouldn't be a problem....
|
# ? Mar 9, 2010 01:01 |
|
Powercrazy posted: Are ISRs really this lovely? I've got a simple network setup consisting of 3 routers, and 2 multilayer switches doing some BGP. What I want to do is create some DMVPN tunnels between the hub routers and the spokes, but my hub router is making GBS threads itself with memory problems. I've got an AIM module and everything. Surely this shouldn't be a problem....
IIRC AIM doesn't offload GRE, just crypto. Have you tried a different IOS release? What other features are running? What HW platform? How much RAM in the box?
|
# ? Mar 9, 2010 02:42 |