jwh
Jun 12, 2002

Powercrazy posted:

Are ISRs really this lovely? I've got a simple network setup consisting of 3 routers, and 2 multilayer switches doing some BGP. What I want to do is create some DMVPN tunnels between the hub routers and the spokes, but my hub router is making GBS threads itself with memory problems. I've got an AIM module and everything. Surely this shouldn't be a problem....

The hub router is 1.1.1.1? It should be fine. What ISR? What code?

DMVPN wasn't really usable until at least 12.4(8) or later. Not sure what you're running.


ate shit on live tv
Feb 15, 2004

by Azathoth
Yea, the hub is 1.1.1.1. They are all 2821s, with 256megs of ram. I made that diagram real quick before I left sorry about the sparse details. But basically 1.1.1.1 is running BGP peering with the 2 Layer 3 switches and redistributing its loopback (1.1.1.1) and the tunnel IP 192.168.0.1 via EIGRP into it.

The idea is to have all of the spoke routers and the edge routers running a single EIGRP AS via mGRE tunnels. I'm wondering if I'm getting routing loops or something, where EIGRP is redistributing its routes into BGP over and over again via the tunnels....

I'm running 12.4(15r) on all of them I think. As far as features, I'm running Crypto (afaik you have to have VPN running to do dynamic tunnels?) mGRE, and a few routes from BGP and EIGRP. I'll post some configs tomorrow, but I'm inclined to think I'm doing something wrong because I just don't see why I'd be running out of memory.

Also the two hub spoke routers both have two aim modules in them, but I don't think they will run in tandem, and even if they did I don't think that will fix the problem.

In other news we finally got our Nexus 5K lab kit. We got 2 5010s and 4 2148T FEXs with 10 or so Fabric Extender cables. (I think SFP+s will allow you to extend the fabric as well, but I'm not sure). NX-OS is really familiar to IOS with some manageability improvements like stronger permissions, and install/commit features, similar to IOX. I haven't messed with it too much, but I did figure out how to actually turn on the FEXs, so that is a good start.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Powercrazy posted:

Yea, the hub is 1.1.1.1. They are all 2821s, with 256megs of ram. I made that diagram real quick before I left sorry about the sparse details. But basically 1.1.1.1 is running BGP peering with the 2 Layer 3 switches and redistributing its loopback (1.1.1.1) and the tunnel IP 192.168.0.1 via EIGRP into it.

The idea is to have all of the spoke routers and the edge routers running a single EIGRP AS via mGRE tunnels. I'm wondering if I'm getting routing loops or something, where EIGRP is redistributing its routes into BGP over and over again via the tunnels....

I'm running 12.4(15r) on all of them I think. As far as features, I'm running Crypto (afaik you have to have VPN running to do dynamic tunnels?) mGRE, and a few routes from BGP and EIGRP. I'll post some configs tomorrow, but I'm inclined to think I'm doing something wrong because I just don't see why I'd be running out of memory.

Also the two hub spoke routers both have two aim modules in them, but I don't think they will run in tandem, and even if they did I don't think that will fix the problem.

In other news we finally got our Nexus 5K lab kit. We got 2 5010s and 4 2148T FEXs with 10 or so Fabric Extender cables. (I think SFP+s will allow you to extend the fabric as well, but I'm not sure). NX-OS is really familiar to IOS with some manageability improvements like stronger permissions, and install/commit features, similar to IOX. I haven't messed with it too much, but I did figure out how to actually turn on the FEXs, so that is a good start.

You don't need crypto to do dynamic tunnels. Just make the mGRE interfaces and run NHRP. A 2821 should be able to handle this...

Tremblay fucked around with this message at 07:23 on Mar 9, 2010

ate shit on live tv
Feb 15, 2004

by Azathoth
So I removed all the crypto, and that fixed the memory problems on the HubRouter, but now the tunnels won't come up and the NHRP Protocol isn't coming up at all. When I was running the Crypto, the NHRP database would populate, and the tunnels would come up, but would be torn down once the router ran out of memory, along with Traceback Errors etc.

So I'm not sure what I'm doing wrong. Here is the config for the Hub Router.

interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 no ip split-horizon eigrp 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0
 ip address 4.4.4.3 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 1
 network 1.1.1.0 0.0.0.255
 network 192.168.1.0
 auto-summary
!
router bgp 101
 no synchronization
 bgp log-neighbor-changes
 network 4.4.4.0 mask 255.255.255.0
 redistribute eigrp 1
 neighbor 4.4.4.1 remote-as 101
 neighbor 4.4.4.2 remote-as 101
 no auto-summary

And one of the spokes...

interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp map 192.168.1.1 4.4.4.3
 ip nhrp map multicast 4.4.4.3
 ip nhrp network-id 1
 ip nhrp holdtime 60
 ip nhrp nhs 192.168.1.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
!
interface GigabitEthernet0/0
 ip address 172.16.1.1 255.255.0.0
 duplex auto
 speed auto
!
router eigrp 1
 network 2.2.2.0 0.0.0.255
 network 172.16.0.0
 network 192.168.1.0
 auto-summary
 eigrp stub connected
!
ip route 3.3.3.0 255.255.255.0 Tunnel0


Any ideas?

HubRouter: 12.4(13r)T5
Spoke1: 12.4(1r)

ate shit on live tv fucked around with this message at 16:54 on Mar 9, 2010

jwh
Jun 12, 2002

Powercrazy posted:

And one of the spokes...

interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp map 192.168.1.1 4.4.4.3
 ip nhrp map multicast 4.4.4.3
 ip nhrp network-id 1
 ip nhrp holdtime 60
 ip nhrp nhs 192.168.1.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint

Any ideas?

HubRouter: 12.4(13r)T5
Spoke1: 12.4(1r)

Can you try removing the 'ip nhrp map multicast dynamic' from tu0 on your spoke please?

ate shit on live tv
Feb 15, 2004

by Azathoth
Ok did that. However the HubRouter tunnel still didn't come up. The spoke router can reach the HubRouter's external IP 4.4.4.3, however I have to use a static route for that (I assume that shouldn't matter.)

SpokeRouter1#debug ip nhrp
NHRP protocol debugging is on
SpokeRouter1#
*Mar 9 21:37:05.125: NHRP: Attempting to send packet via DEST 192.168.1.1
*Mar 9 21:37:05.125: NHRP: Encapsulation succeeded. Tunnel IP addr 4.4.4.3
*Mar 9 21:37:05.125: NHRP: Send Registration Request via Tunnel0 vrf 0, packet size: 84
*Mar 9 21:37:05.125: src: 192.168.1.2, dst: 192.168.1.1
*Mar 9 21:37:05.125: NHRP: 84 bytes out Tunnel0
*Mar 9 21:37:05.125: NHRP: Resetting retransmit due to hold-timer for 192.168.1.1

Hmm... It seems to be sending the NHRP registration request, via the tunnel, which obviously isn't established yet....

How do I debug the tunnel build up process?

jwh
Jun 12, 2002

Powercrazy posted:

Ok did that. However the HubRouter tunnel still didn't come up. The spoke router can reach the HubRouter's external IP 4.4.4.3, however I have to use a static route for that (I assume that shouldn't matter.)

SpokeRouter1#debug ip nhrp
NHRP protocol debugging is on
SpokeRouter1#
*Mar 9 21:37:05.125: NHRP: Attempting to send packet via DEST 192.168.1.1
*Mar 9 21:37:05.125: NHRP: Encapsulation succeeded. Tunnel IP addr 4.4.4.3
*Mar 9 21:37:05.125: NHRP: Send Registration Request via Tunnel0 vrf 0, packet size: 84
*Mar 9 21:37:05.125: src: 192.168.1.2, dst: 192.168.1.1
*Mar 9 21:37:05.125: NHRP: 84 bytes out Tunnel0
*Mar 9 21:37:05.125: NHRP: Resetting retransmit due to hold-timer for 192.168.1.1

Hmm... It seems to be sending the NHRP registration request, via the tunnel, which obviously isn't established yet....

How do I debug the tunnel build up process?

The tunnels are stateless iirc. You could try debug gre though.

Can you ping the tunnel IPs? Ie., from Spoke1 can you ping 192.168.1.1?

ate shit on live tv
Feb 15, 2004

by Azathoth
Can't ping the tunnel ips, and unfortunately debug gre doesn't exist. Or rather, I can ping the tunnel interface (192.168.1.2) on Spoke 1 from itself. But I can't ping 192.168.1.1 from the HubRouter.

According to sh ip int bri, the tunnel on spoke1 is up/up but the tunnel on HubRouter is up/down.

jwh
Jun 12, 2002

Your tunnels should be up so long as the physical interface they're tied to is also up. Hrm. It's actually one of the "problems" of DMVPN, depending on how you look at it.

Can you wax that int tu0 on your hub and recreate it?

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Powercrazy posted:

Can't ping the tunnel ips, and unfortunately debug gre doesn't exist. Or rather, I can ping the tunnel interface (192.168.1.2) on Spoke 1 from itself. But I can't ping 192.168.1.1 from the HubRouter.

According to sh ip int bri, the tunnel on spoke1 is up/up but the tunnel on HubRouter is up/down.

Where are you sourcing the ping from?

ate shit on live tv
Feb 15, 2004

by Azathoth

Tremblay posted:

Where are you sourcing the ping from?

Spoke1, can ping its own tunnel address, as well as the Hubrouter's external IP address (4.4.4.3).

HubRouter can't ping its own tunnel address and can ping 172.16.1.1 which is Spoke1's external address.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Powercrazy posted:

Spoke1, can ping its own tunnel address, as well as the Hubrouter's external IP address (4.4.4.3).

HubRouter can't ping its own tunnel address and can ping 172.16.1.1 which is Spoke1's external address.

Recreate tun0 like jwh suggested. Although rebooting the router would have the same effect. Might also want to try making your other spoke the nhs and see if that works.

ate shit on live tv
Feb 15, 2004

by Azathoth
Nuked the tunnel and brought it back up and still nothing. It's strange that both the spoke tunnels show up/up, what do they think they are connected to?

Just to make sure that I'm right about tunnels, two routers create a p2p tunnel by having a Tunnel IP address and a destination IP Address. The tunnel IP will obviously not be known by the remote router until the tunnel is up, but the destination IP needs to be reachable so that the originating router knows where to establish its tunnel.

Are there any other requirements? The spokes can definitely reach the hub "public" IP Address....

jwh
Jun 12, 2002

Powercrazy posted:

Nuked the tunnel and brought it back up and still nothing. It's strange that both the spoke tunnels show up/up, what do they think they are connected to?

mGRE tunnels will always show up/up so long as their parent interface is up/up. It's by design. point-to-point GRE tunnels don't exhibit this behavior.

Powercrazy posted:

Just to make sure that I'm right about tunnels, two routers create a p2p tunnel by having a Tunnel IP address and a destination IP Address. The tunnel IP will obviously not be known by the remote router until the tunnel is up, but the destination IP needs to be reachable so that the originating router knows where to establish its tunnel.

Sort of, that's basically right. mGRE tunnels will learn reachability via the NHRP server running on the hub. Once that is known the same mGRE tunnel running on a spoke will communicate with other spokes directly via the learned NHRP information. In the case of DMVPN there will be an additional IPSEC phase as part of that establishment for each spoke-to-spoke communication.

I still think there's something wrong with your hub- your Tu0 on the hub should be up/up, not up/down. I'm not sure why it's up/down either.

marshviperX
Mar 3, 2010
Not really a technical question, but I recently acquired a pallet load of Cisco equipment for next to nothing. I'm familiar with the average price (at least on eBay) of the smaller 2500/2600 series routers and 2900 series switches, but I'm not too sure about the others I have. Anyone have an idea on a fair price for these models?

-Catalyst 5000 w/ one 48 port 10baseT ethernet switching module, two 10baseT group switching modules, and dual PSU's
-C2980G-A 10/100/1000Mbps 80 port switch
-3600 series router(can't find an exact model number)
-4000 series router(no specifics again)

I can't get any consistent numbers when looking around, people are either giving them away just to clear space or want 90% of the original MSRP.

jwh
Jun 12, 2002

marshviperX posted:

Not really a technical question, but I recently acquired a pallet load of Cisco equipment for next to nothing. I'm familiar with the average price (at least on eBay) of the smaller 2500/2600 series routers and 2900 series switches, but I'm not too sure about the others I have. Anyone have an idea on a fair price for these models?

-Catalyst 5000 w/ one 48 port 10baseT ethernet switching module, two 10baseT group switching modules, and dual PSU's
-C2980G-A 10/100/1000Mbps 80 port switch
-3600 series router(can't find an exact model number)
-4000 series router(no specifics again)

I can't get any consistent numbers when looking around, people are either giving them away just to clear space or want 90% of the original MSRP.

The 5000 is worth a hundred bucks, approximately. You can't ship it anywhere, because the shipping costs are huge. You may get lucky and find somebody local to take it off your hands, but most likely you won't.

The 2980G is a weird animal. I'm not sure how much it's worth now, but a while back M@ had one for I think a hundred bucks.

The 3600 depends on what NMs are populated in the box- that will throw the price tremendously. A vacant 3600 isn't worth much.

The 4000 (assuming 4000M) isn't worth much either.

Sorry.

Harry Totterbottom
Dec 19, 2008
Anyone have any advice on the easiest way to setup the NPS services on Microsoft 2008 to authenticate users who are trying to log into an aironet 1140 ap. I can get regular WPA w/ pass phrase, but want to use radius to authenticate the user instead.

I've configured the policy for 802.11 and am allowing all EAP types but I'm still getting malformed requests from the clients when I try to authenticate. I've got the CA root certificate trusted, so I'm spinning my gears trying to figure out what I'm missing. I've followed every guide I can and I'm able to debug the sends and see that it's making the attempt. I check the event viewer on the server and just keep getting Event ID 18 (An Access-Request message was received from RADIUS client 192.168.110.3 with a Message-Authenticator attribute that is not valid.)

The client has been setup to send user name instead of machine name as well.

For the record the NPS radius config is working fine for authenticating other switches/routers/firewalls/VPN users.
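
The Event ID 18 message quoted above is the server reporting that its recomputed Message-Authenticator did not match the one in the Access-Request. The Python below is an added example, not part of the original post or any poster's setup: it implements the RFC 2869 check (HMAC-MD5 over the whole packet, keyed with the shared secret, with the attribute's 16 value bytes zeroed) and shows that a mismatched shared secret or a packet altered in transit both come out "invalid". The secrets, user name and EAP payload are constructed; only the RADIUS client address 192.168.110.3 is taken from the post.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, request_auth, attrs):
    """Build an Access-Request signed the way a NAS (the AP) signs it."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    body += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    packet = header + request_auth + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the placeholder is the last 16 bytes


def find_message_authenticator(packet):
    """Return the offset of attribute 80's value, or None if it is absent."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the datagram")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                raise ValueError("Message-Authenticator must carry 16 bytes")
            return pos + 2
        pos += attr_len
    return None


def check_access_request(packet, secret):
    """Server-side check: returns 'valid', 'invalid' or 'missing'."""
    offset = find_message_authenticator(packet)
    if offset is None:
        return "missing"
    length = struct.unpack("!H", packet[2:4])[0]
    received = packet[offset:offset + 16]
    zeroed = packet[:offset] + bytes(16) + packet[offset + 16:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "valid" if hmac.compare_digest(received, expected) else "invalid"


# Constructed sample: secrets, user name and EAP payload are made up.
AP_SECRET = b"ap-side-secret"        # as configured on the access point
NPS_SECRET_TYPO = b"ap-side-secert"  # same secret mistyped on the server
EAP_IDENTITY = struct.pack("!BBHB", 2, 1, 10, 1) + b"alice"  # EAP-Response/Identity
SAMPLE = build_access_request(
    AP_SECRET, identifier=7, request_auth=bytes(range(16)),
    attrs=[(ATTR_USER_NAME, b"alice"),
           (ATTR_NAS_IP_ADDRESS, bytes([192, 168, 110, 3])),
           (ATTR_EAP_MESSAGE, EAP_IDENTITY)])

if __name__ == "__main__":
    print("matching secret   :", check_access_request(SAMPLE, AP_SECRET))
    print("mismatched secret :", check_access_request(SAMPLE, NPS_SECRET_TYPO))
    tampered = bytearray(SAMPLE)
    tampered[22] ^= 0x01  # flip one bit in the User-Name value
    print("modified in flight:", check_access_request(bytes(tampered), AP_SECRET))
```
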

Boner Buffet
Feb 16, 2006
Do you guys ever use CNA? It seems like a good concept, but it's really clunky to use and doesn't work properly with every type of switch.

ate shit on live tv
Feb 15, 2004

by Azathoth
It's mired with internal politics as each of the various Cisco BUs has their own way of managing their devices.

For Example the OTBU has CTC which works awesome for 15454s and at one point allowed you to manage CRSs GSRs and 7600s that had POS interfaces on them, but then the Core Routing and Switching BUs got pissed and wanted to promote their own successor to CNA (I forget what it was called but it's vaporware now) and so they changed their POS cdp standards so they wouldn't work with CTC anymore.

Basically CNA (and all of Cisco Management suites) is going to suck until Chambers makes a concerted effort to unify the BUs and force them to play nice with each other which he can't do for a myriad of crazy reasons.

ragzilla
Sep 9, 2005
don't ask me, i only work here


Powercrazy posted:

It's mired with internal politics as each of the various Cisco BUs has their own way of managing their devices.

For Example the OTBU has CTC which works awesome for 15454s and at one point allowed you to manage CRSs GSRs and 7600s that had POS interfaces on them, but then the Core Routing and Switching BUs got pissed and wanted to promote their own successor to CNA (I forget what it was called but it's vaporware now) and so they changed their POS cdp standards so they wouldn't work with CTC anymore.

Basically CNA (and all of Cisco Management suites) is going to suck until Chambers makes a concerted effort to unify the BUs and force them to play nice with each other which he can't do for a myriad of crazy reasons.

Routing has somewhat reversed their trend with the release of SRE, which now supports XML-PI NETCONF (RFC 4741/4742). But it's still buggy as gently caress and of limited usefulness. But it's a start.

jwh
Jun 12, 2002

Harry Totterbottom posted:

Anyone have any advice on the easiest way to setup the NPS services on Microsoft 2008 to authenticate users who are trying to log into an aironet 1140 ap. I can get regular WPA w/ pass phrase, but want to use radius to authenticate the user instead.

What EAP are you using on the clients? PEAP?

We've had the best success when using PEAP without trusting the cert (we don't have a well developed internal PKI, but that's a different story) and hooking the Windows login credentials automatically.

We've also tested LEAP as known working.

Of course all of this is using an ACS appliance on the backend.

Harry Totterbottom
Dec 19, 2008

jwh posted:

What EAP are you using on the clients? PEAP?

We've had the best success when using PEAP without trusting the cert (we don't have a well developed internal PKI, but that's a different story) and hooking the Windows login credentials automatically.

We've also tested LEAP as known working.

Of course all of this is using an ACS appliance on the backend.

I'm guessing that part of the ease of getting this up and running is the lack of ACS.

I'm going for PEAP, but at this point as long as it's authenticating using Radius in some way I'll be happy.

jwh
Jun 12, 2002

Harry Totterbottom posted:

I'm guessing that part of the ease of getting this up and running is the lack of ACS.

I'm going for PEAP, but at this point as long as it's authenticating using Radius in some way I'll be happy.

I've never poked at the RADIUS functionality on Server 2008, but do you have to make it aware of various EAP types?

Harry Totterbottom
Dec 19, 2008

jwh posted:

I've never poked at the RADIUS functionality on Server 2008, but do you have to make it aware of various EAP types?

Yes, that's done through the policy.




I've tried this multiple ways with multiple variations that I've been able to google up to no avail.

jwh
Jun 12, 2002

Do you have any options when specifying the 1140 as a NAS in Server 2008? I'm wondering if the 1140 is sending Cisco specific VSAs or something dumb and the RADIUS engine is croaking.

Harry Totterbottom
Dec 19, 2008
The only options are 'Wireless - IEEE 802.11' and 'Wireless - Other' for the NAS Port type.

I think I'm going to spin up a dedicated certificate server to see if there's an issue with the certificates being served from the Domain Controller.

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE
freeRADIUS has an option to map non-standard cisco VSAs back to their standard compliant names. I haven't gotten to setting any of my Cisco kit up for radius yet so I can't tell you what they are.

FatCow fucked around with this message at 22:01 on Mar 12, 2010

jwh
Jun 12, 2002

Harry Totterbottom posted:

The only options are 'Wireless - IEEE 802.11' and 'Wireless - Other' for the NAS Port type.

I think I'm going to spin up a dedicated certificate server to see if there's an issue with the certificates being served from the Domain Controller.

Can you tell your XP supplicants to not validate the cert? That might aid in your testing.

ior
Nov 21, 2003

What's a fuckass?
Look what I just got in my LAB, 1 x OC768 (40G) and 2 x 8 10GbE. Going to be used at 'The Gathering' terminating the 30Gb/s internet connection :)

mezoth
Aug 7, 2006

ior posted:

Look what I just got in my LAB, 1 x OC768 (40G) and 2 x 8 10GbE. Going to be used at 'The Gathering' terminating the 30Gb/s internet connection :)



It shouldn't be a problem, but make sure you are aware that the 8x10ge is oversubscribed to the fabric. That has bit my company in the rear end a couple of times already!

ate shit on live tv
Feb 15, 2004

by Azathoth

ior posted:

Look what I just got in my LAB, 1 x OC768 (40G) and 2 x 8 10GbE. Going to be used at 'The Gathering' terminating the 30Gb/s internet connection :)



Can I come to the gathering this year to help? Also glad to see they are finally shipping the "Godzilla" cards.

MikeTen
Feb 24, 2010
I have a couple ISP-side ATM questions. I apologize for their newbish nature but I'm a server person who's just had a bunch of routers dropped in his lap.

1. Given the following configuration, would just reassigning pvc 4/45 from subint .105 to subint .110 change the customer's service speed or am I missing something?
!
interface ATM0/0/0.105 multipoint
 description atm 384x384atm DHCP
 ip helper-address 10.10.10.5
 no ip redirects
 no ip unreachables
 ip accounting access-violations
 class-int 384x384atm
 pvc 4/10
 !
 pvc 4/30
 !
 pvc 4/31
 !
 pvc 4/45
 !
 pvc 4/48
!
interface ATM0/0/0.110 multipoint
 description atm 768x128atm DHCP
 ip helper-address 10.10.10.5
 no ip redirects
 no ip unreachables
 ip accounting access-violations
 class-int 768x128atm
 pvc 4/288
 !
 pvc 4/290
 !
 pvc 4/320
 !
 pvc 4/410
!

2. The previous guy told me that x y and z problems can be fixed by 'rebuilding the pvc' but he didn't have time to explain. Wouldn't the telco whose DSL service we resell have to do this? The only pvc configuration I can find in the router is ATM subinterface assignment.
Thanks in advance for any help - this week has been a crash course on the bottom half of the OSI model.

Harry Totterbottom
Dec 19, 2008

jwh posted:

Can you tell your XP supplicants to not validate the cert? That might aid in your testing.

No XP clients, everything is 7. I'm looking through more info and it looks like setup on Server 2k3 w/ ISA might be the route to go in terms of actual documented process and people with the same sort of issues I'm having reverting back to that setup and getting it working without much of a headache.

I'm going to spin one up and then see if that works out better. The most frustrating part is that the 2k8 server works fine with authenticating all my other gear.

marshviperX
Mar 3, 2010

jwh posted:

The 5000 is worth a ...

Thanks a lot. I'm not disappointed by your post. There were 17 pieces on the pallet and I could recoup my cost by selling just three or four 2600/2900's. I was just curious about the other pieces. I'll more than likely hold onto them to toy around with or sell them to clients.

Darkn1o
Jun 12, 2003
I'm looking to get some lab gear to study for my CCNA. I purchased a $80 piece of crap lab simulator software from Sybex and it doesn't even have a quarter of the commands available on its 2600 router console. Since I feel as though I've been ripped off, I'm looking for the real deal. I'm currently looking at a 851 router for around $115 on EBay. Does anyone have any idea if this router would be suitable for study purposes? Is this a good price? Can anyone recommend something better for study? I don't want to make the same mistake twice. Thanks guys.

Sojourner
Jun 6, 2007

Get In

Darkn1o posted:

I'm looking to get some lab gear to study for my CCNA. I purchased a $80 piece of crap lab simulator software from Sybex and it doesn't even have a quarter of the commands available on its 2600 router console. Since I feel as though I've been ripped off, I'm looking for the real deal. I'm currently looking at a 851 router for around $115 on EBay. Does anyone have any idea if this router would be suitable for study purposes? Is this a good price? Can anyone recommend something better for study? I don't want to make the same mistake twice. Thanks guys.

If you're still open to a simulation software, cisco's own packet tracer is excellent for CCNA (It's what it is specifically designed for). I would advise against cisco 851 though because it doesn't have the high speed serial interfaces and I don't think it does things PPP or frame relay.

You need a cisco net academy login to download packet tracer directly from cisco, but it turns up with google search.

some kinda jackal
Feb 25, 2003

 
 

Darkn1o posted:

I'm looking to get some lab gear to study for my CCNA. I purchased a $80 piece of crap lab simulator software from Sybex and it doesn't even have a quarter of the commands available on its 2600 router console. Since I feel as though I've been ripped off, I'm looking for the real deal. I'm currently looking at a 851 router for around $115 on EBay. Does anyone have any idea if this router would be suitable for study purposes? Is this a good price? Can anyone recommend something better for study? I don't want to make the same mistake twice. Thanks guys.

A single router isn't going to help you much in the long run. Instead of a simulator, why don't you go to cablesandkits.com, buy a Cisco 2600 for like $50, then TFTP the IOS off of the router and use it in GNS3 (dynamips). 100% commands because you're emulating the hardware and running real IOS. And of course if you have access to IOS images then you don't even need to buy the router.

If you're going to spend money on something, I would recommend emulating the routers and buying three 2950 switches to practice your switching component instead. You can still do things like physically connecting Dynamips to a network card to let you practice things like Router on a Stick.

In the end though, there's no good way to patch this together. If you're going to go full-on hardware then you probably want to build a good CCNA lab which is at the very least two or three 2950 switches and probably at least two or three routers, though I think you can scrape by with 2500 series.

If you don't like dynamips, I think like Sojourner said, packet tracer is probably your best bet. It might not have 100% of a real IOS' commands, but you can safely bet that if it's not a supported command then you won't need it to pass your CCNA. I would go that route personally, if I hadn't already built a thousand dollar lab :v:

Boner Buffet
Feb 16, 2006
What's the de facto standard for dealing with multicast? Is it IGMP snooping or CGMP?

ragzilla
Sep 9, 2005
don't ask me, i only work here


InferiorWang posted:

What's the de facto standard for dealing with multicast? Is it IGMP snooping or CGMP?

IGMP snooping. CGMP is a proprietary Cisco protocol for routers to tell non-IGMP snooping switches (ie, XL series stuff) what MAC addresses are subscribed to what stream.


ate shit on live tv
Feb 15, 2004

by Azathoth

ragzilla posted:

IGMP snooping. CGMP is a proprietary Cisco protocol for routers to tell non-IGMP snooping switches (ie, XL series stuff) what MAC addresses are subscribed to what stream.

Yep. CGMP was a stopgap solution for when IGMP snooping hadn't been standardized yet, there is no reason to use it now, just like whatever the Cisco trunking protocol was.
