MrMoo
Sep 14, 2000

InferiorWang posted:

What's the de facto standard for dealing with multicast? Is it IGMP snooping or CGMP?

But you get to choose between sparse mode, sparse-dense mode, dense mode, or source-specific-multicast. Get your developers to update their poo poo to use SSM.


ragzilla
Sep 9, 2005
don't ask me, i only work here


Powercrazy posted:

Yep. CGMP was a stopgap solution for when IGMP snooping hadn't been standardized yet; there is no reason to use it now, just like whatever the Cisco trunking protocol was.

ISL. And the uplinkfast/backbonefast extensions to spanning-tree (now in 802.1w). tag-switching surprisingly transformed into MPLS without significant modification.

If you have old XL series gear around still, CGMP is probably good to brush up on though.

MrMoo posted:

But you get to choose between sparse mode, sparse-dense mode, dense mode, or source-specific-multicast. Get your developers to update their poo poo to use SSM.
And hope your gear supports it (I can't seem to get SSM working right on 12.2(35)SE on 3750/3560, haven't tested on 12.2(53)SE yet though).

some kinda jackal
Feb 25, 2003

 
 
This might be a terrible question, but I'm having trouble wrapping my head around IOS releases. Are the release names strictly linear, wherein 12.3YZ line is always going to be preferable to the 12.3XD line? Why are we jumping from XD to YZ anyway? Is there any significance to the letters other than incremental tagging? If so, why not just tag them numerically like Cisco already apparently half-does.

I don't mean the feature sets -- those I pretty much understand at this point. It was actually tooling around the Feature Navigator that got me wondering about this mish-mash of nomenclature.

Also, desperately need more memory for my 3640s. 72pin SIMMs are so hard to come by these days :(

some kinda jackal fucked around with this message at 08:25 on Mar 17, 2010

KernelFailure
Apr 5, 2004
What?
Hey, just about ready to take my CCNA. Besides a job in the industry, and besides books, what's the best medium for studying? (Reading does Noooooothing for me.) Is there a creamy middle between the "watchability" of CBT Nuggets and the all-encompassing knowledge of the Train Signal videos?

ragzilla
Sep 9, 2005
don't ask me, i only work here


Martytoof posted:

This might be a terrible question, but I'm having trouble wrapping my head around IOS releases. Are the release names strictly linear, wherein 12.3YZ line is always going to be preferable to the 12.3XD line? Why are we jumping from XD to YZ anyway? Is there any significance to the letters other than incremental tagging? If so, why not just tag them numerically like Cisco already apparently half-does.

I don't mean the feature sets -- those I pretty much understand at this point. It was actually tooling around the Feature Navigator that got me wondering about this mish-mash of nomenclature.

Also, desperately need more memory for my 3640s. 72pin SIMMs are so hard to come by these days :(

Character designations signify a specific release train; it's a little more structured on the bigger platforms (6500, 7200, 7600, 12k) where they have 12.2SR (routers)/12.2SX (switches, i.e. 6500), then have a trailing letter for which feature train it is (e.g. D on routers, F on switches), then a trailing alpha/number (1, 1a, 2, etc.) for the patch release. In general, if they increment something in the letters immediately following the parentheses it's going to be for feature/hardware support. If they increment the following number/letters it identifies the bugfix/maintenance release.

So to answer XD->YZ, it would be for feature/hardware support (given a jump like that, probably hardware support, to simplify support for the new hardware so people don't try to load earlier unsupported code). If it was XD1 -> XD1a it would be a minor bugfix (usually a quick patch release for something horribly broken). And XD1a -> XD2 would be a regular maintenance patch release.

ragzilla fucked around with this message at 12:53 on Mar 17, 2010
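As an added illustration of the release-naming rules ragzilla lays out (example code, not from the thread or from Cisco): a small Python parser for IOS release strings of the 12.2(33)SRE1 shape, a classifier for what kind of step an upgrade is, and ragzilla's "wait for a bugfix release" rule as a check. The XD/YZ version strings used in the comments are constructed examples, and real Cisco trains carry more exceptions than this regex covers.

```python
import re
from dataclasses import dataclass

# Constructed pattern for IOS release strings such as 12.2(33)SRE1, 12.2(35)SE
# or 12.3(4)XD1a. Assumption, following ragzilla: the letters after the
# parentheses are the train, the trailing number is the maintenance/patch
# release and a trailing lowercase letter is a quick rebuild.
_IOS_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)"
    r"\((?P<mainline>\d+)\)"
    r"(?P<train>[A-Z]+)?"
    r"(?P<patch>\d+)?"
    r"(?P<rebuild>[a-z])?$"
)


@dataclass(frozen=True)
class IosRelease:
    major: int
    minor: int
    mainline: int   # the number in parentheses
    train: str      # e.g. "SRE", "SE", "XD"; "" for mainline code
    patch: int      # 0 when no trailing number is present
    rebuild: str    # e.g. "a" in XD1a; "" when absent


def parse_ios_release(text: str) -> IosRelease:
    """Parse one release string; raises ValueError on anything unrecognised."""
    m = _IOS_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised IOS release string: {text!r}")
    return IosRelease(
        major=int(m["major"]),
        minor=int(m["minor"]),
        mainline=int(m["mainline"]),
        train=m["train"] or "",
        patch=int(m["patch"]) if m["patch"] else 0,
        rebuild=m["rebuild"] or "",
    )


def classify_change(old: str, new: str) -> str:
    """Describe the step from `old` to `new` using ragzilla's rules of thumb.

    Checks run from the most significant field to the least, so a train
    change (XD -> YZ) wins over any patch-number difference.
    """
    a, b = parse_ios_release(old), parse_ios_release(new)
    if (a.major, a.minor) != (b.major, b.minor):
        return "major/minor version change"
    if a.train != b.train:
        return "new train: feature/hardware support"
    if a.mainline != b.mainline:
        return "mainline maintenance release"
    if a.patch != b.patch:
        return "maintenance release"
    if a.rebuild != b.rebuild:
        return "rebuild: quick bugfix"
    return "no change"


def is_mature(text: str, min_patch: int = 1) -> bool:
    """ragzilla's rule: on a new train, wait until one or two bugfix releases exist.

    12.2(33)SRE has patch 0 and is not yet mature; 12.2(33)SRE1 is.
    """
    return parse_ios_release(text).patch >= min_patch


if __name__ == "__main__":
    for old, new in [("12.3(4)XD1", "12.3(4)XD1a"),
                     ("12.3(4)XD1a", "12.3(4)XD2"),
                     ("12.3(4)XD2", "12.3(8)YZ1")]:
        print(f"{old} -> {new}: {classify_change(old, new)}")
    print("12.2(33)SRE mature:", is_mature("12.2(33)SRE"))
```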

Boner Buffet
Feb 16, 2006
Thanks guys. After reading a bit online I figured it was going to be IGMP snooping along the lines of using dot1q for trunking instead of the old cisco spec, but I thought I'd ask to be sure.

Mrmoo, I have no developers. I just need the ability for someone to show students district wide streaming video without bringing the network to its knees.

some kinda jackal
Feb 25, 2003

 
 

ragzilla posted:

In general, if they increment something in the letters immediately following the parentheses it's going to be for feature/hardware support. If they increment the following number/letters it identifies the bugfix/maintenance release.

So to answer XD->YZ, it would be for feature/hardware support (given a jump like that, probably hardware support, to simplify support for the new hardware so people don't try to load earlier unsupported code). If it was XD1 -> XD1a it would be a minor bugfix (usually a quick patch release for something horribly broken). And XD1a -> XD2 would be a regular maintenance patch release.

Thank you, that does actually clear things up a little. So obviously I don't have a support contract with Cisco so this is entirely pie in the sky, but looking at Feature Navigator, is the best option for any given router still the "latest and greatest" according to Cisco as long as it fits within your memory and flash footprint? Or are there times where you'd actually look to put something other than the newest release on a device, if both the newest release and the older one support the same feature set?

Sorry if the question is obvious, but I haven't had to deal with IOS revisions since I worked with 7200s at a datacenter in the early 2000s, and then we had a contract with Cisco so I didn't really do much of the legwork. Most of my current experience is centred around my home lab where I just the newest 12.3 Telco IOS from one of my 3640s and deployed it across the remaining four after backing them up.

some kinda jackal
Feb 25, 2003

 
 
(sorry for the doublepost)

KernelFailure posted:

Hey, Just about ready to take my CCNA, besides a job in the industry, and besides books, whats the best medium for studying? (Reading does Noooooothing for me) Is there a creamy middle between the "watchability" of CBT nuggets and the all encompassing knowledge of the train signal videos?

If you have the money, take the CCNA curriculum if offered at your local community college. I'm doing that now. I could probably fast track it and just cram for the exam, but I like the hands-on labs (not so much in CCNA1, but more throughout the rest). They teach from Cisco's own Exploration material which tends to be more concise than their own Official Certification Guides, so when you do have to do the reading yourself it's not incredibly dry like the book.

I study better in a classroom environment myself. I've gone through both CBTNuggets and Train Signal multiple times, but being able to ask my instructor questions is much more helpful than listening to Jeremy crack jokes for five minutes between issuing an IOS command, or listening to Chris Bryant drone on like a robot for an hour. Which isn't to say that the other two haven't helped me by laying down the foundation.

I typically hit the books only if there's something I really want to learn more about in detail. Also the CCNA command reference is pretty handy at times, but seems like more of a crutch than anything.

If you're in a hurry, this probably isn't the best way to do your CCNA. It's a full year at least, or at least a few months if you can double-up on classes. I'm not in any particular hurry on the other hand, and being able to sit down and digest the classes for a week really helps. I'm not in any pissing contest with anyone to fast track the CCNA so this really is the best method for me.

some kinda jackal fucked around with this message at 18:57 on Mar 17, 2010

ragzilla
Sep 9, 2005
don't ask me, i only work here


Martytoof posted:

Thank you, that does actually clear things up a little. So obviously I don't have a support contract with Cisco so this is entirely pie in the sky, but looking at Feature Navigator, is the best option for any given router still the "latest and greatest" according to Cisco as long as it fits within your memory and flash footprint? Or are there times where you'd actually look to put something other than the newest release on a device, if both the newest release and the older one support the same feature set?

Sorry if the question is obvious, but I haven't had to deal with IOS revisions since I worked with 7200s at a datacenter in the early 2000s, and then we had a contract with Cisco so I didn't really do much of the legwork. Most of my current experience is centred around my home lab where I just the newest 12.3 Telco IOS from one of my 3640s and deployed it across the remaining four after backing them up.

I work mostly with 7200/7600 these days ( 12.2(33)SR ), I try to wait until there's been a bugfix release or two when there's a new feature train I want to get on. Gives Cisco some time to get the bugs out (eg right now they have SRE out which brought IPv6 feature parity into IP Services code, however it's only half implemented which they're supposed to have sorted out in SRE1. It also has 4-byte ASN support, so it's a pretty attractive release for anyone running BGP and wanting to run IPv6 without investing in Advanced IP Services licensing).

So as a general rule, if there's a feature in a specific train you want and you're going to need at least that train, and if it's something brand new expect it to be buggy until you're one or two bugfix releases in. If you don't gain anything you'd need by moving up to that even newer train I generally stick to the more mature one for the feature I'm after.

1700/3600/2600 series stuff we just throw on whatever the latest/greatest IP Plus code is. Just stay away from the T trains unless you really, REALLY, need a feature from it.

Boner Buffet
Feb 16, 2006
On the topic of multicast, I'm not going to do autorp, instead electing to do a static rp. I'm sort of confused what the RP is. I'm assuming it's the switch(4507), but I'm not sure what IP to give it. Am I making up a new, unused static address, or an address on an existing vlan interface?

Partycat
Oct 25, 2004

How about running modems over the VG248 voice gateway to a 6600 CMM with a PRI connected ?

Faxes work fine, voice works fine, no errors.

I have line clock
mgcp modem passthrough set for nse and g711ulaw
fax relay disabled

Active call readout shows "modempass" on the active call but all I get is a bunch of ear splitting squealing but it won't even come close to connecting.

I've about given up on it, but, wondering if anyone else has had luck. The gateway could also just be trash. It was complaining about 3.3V supply too low but is still operative.

---

I'm going to kick my own rear end if this turns out to be it, but, re-issued the proper commands and restarted the CMM. Now I get no audio on passthrough; diagnosing to make sure the firewall one of the other engineers slipped into our test network isn't causing a problem.

Partycat fucked around with this message at 20:48 on Mar 18, 2010

ate shit on live tv
Feb 15, 2004

by Azathoth



Well here is what I've spent most of this week on, some testing and config of a pair of Nexus 5010s and 4 2148T FEXs. Neat stuff, even though NX-OS isn't feature complete yet. I can definitely see the advantage it will have. Though right now there are some quirks. The topology as is, is stable, and functional and can handle anything I've thrown at it so far. But getting it to that state is not straightforward at all. There is a particular order of operations one has to follow, especially with regards to the FEXs turning on, and configuration of them.

I was also upset to find that I couldn't set up a port channel between the two vPC edge FEXs, so it's not an active-active topology for the server connected by the orange. If you want LACP you have to do it from the 5Ks. I assume in the future they will allow LACP from the FEXs, but not yet.

Anyone have any experience or questions about it?

marshviperX
Mar 3, 2010
I'm having a bit of trouble with the SDM. On my main system (Win7), icons/buttons don't show up, but I can still click on the general area where they should be. I'm completely new to the GUI and don't have the layout memorized, otherwise it wouldn't be too big of a deal. I'm assuming it's an issue with Java, but when I tried uninstalling and downloading the latest version online, the SDM refuses to load anymore. Also, when I tried using it on another workstation running XP, I just get a page full of code instead of the GUI. Anyone have any idea what could be the issue?



Harry Totterbottom
Dec 19, 2008

marshviperX posted:

I'm having a bit of trouble with the SDM. On my main system (Win7), icons/buttons don't show up, but I can still click on the general area where they should be. I'm completely new to the GUI and don't have the layout memorized, otherwise it wouldn't be too big of a deal. I'm assuming it's an issue with Java, but when I tried uninstalling and downloading the latest version online, the SDM refuses to load anymore. Also, when I tried using it on another workstation running XP, I just get a page full of code instead of the GUI. Anyone have any idea what could be the issue?





Is that the current version of the SDM? Personally I'd just stick with CLI because it doesn't do stupid things unless I tell it to do stupid things.

marshviperX
Mar 3, 2010

Harry Totterbottom posted:

Is that the current version of the SDM? Personally I'd just stick with CLI because it doesn't do stupid things unless I tell it to do stupid things.

It's ver 2.2. I'm not sure if that is the latest; it came on a CD with an 800 series router I purchased. I've tried to download an update, but I get an alert telling me that I have to be accessing the internet through the router to get it. I haven't had time lately to set up the router by CLI for internet access but I'll work on it in the next few days. I'm only trying to get a feel for the SDM because I'm taking my CCNA exams soon and they're covered in the curriculum.

Boner Buffet
Feb 16, 2006
I'm really struggling with this multicast stuff. Here's the pertinent multicast pieces from my config(4507):


code:
ip multicast-routing

....

interface Vlan10
 description Legecy_Network
 ip address 10.0.0.1 255.0.0.0
 ip pim sparse-dense-mode
!
interface Vlan11
 description Admin_Data
 ip address 192.168.2.1 255.255.255.0
 ip helper-address 10.1.1.36
 ip pim sparse-dense-mode
!
interface Vlan12
 description Admin_Servers
 ip address 192.168.12.1 255.255.255.0
 ip pim sparse-dense-mode

....

ip pim rp-address 192.168.2.1
ip pim send-rp-discovery scope 16

It's pretty vanilla. I tried to do a multicast using QuickTime's broadcast server on OS X Server and it didn't seem to work. Unicast worked fine enough. I also tried testing using tools from this site. I'm at a loss because I don't know if I've got the initial config screwed up so I can't test anything. Thoughts?

inignot
Sep 1, 2003

WWBCD?
All routers / L3 switches are going to need multicast routing enabled.

If you're using a static RP it needs to be defined on all the devices in your L3 switching / routing infrastructure.

All routers / L3 switches are going to need pim running on all their interfaces (well, anything facing clients, servers, or other routers / L3 switches).

If you are using any RP at all you can run pim sparse mode.

Test the infrastructure by manually joining an interface at the client end to the multicast group. Try to ping the multicast group address from the RP, you should see a response from whatever interface you manually joined to the group.

If your network isn't running a dynamic unicast routing protocol this will be a lot harder.

Here's some commands with approximate syntax:

int whatever
ip igmp join <group address>

sh ip pim int
sh ip pim nei

sh ip igmp group

sh ip mroute

I don't have any idea how the QuickTime multicast application works.

ate shit on live tv
Feb 15, 2004

by Azathoth

marshviperX posted:

It's ver 2.2. I'm not sure if that is the latest; it came on a CD with an 800 series router I purchased. I've tried to download an update, but I get an alert telling me that I have to be accessing the internet through the router to get it. I haven't had time lately to set up the router by CLI for internet access but I'll work on it in the next few days. I'm only trying to get a feel for the SDM because I'm taking my CCNA exams soon and they're covered in the curriculum.

I'm just going to guess that the SDM you have is pretty old and is expecting an older version of java. Java is one of those things where "getting the latest version" usually breaks applications. In fact according to this:

http://www.ciscocertified.info/en/US/docs/routers/access/cisco_router_and_security_device_manager/software/release/notes/SDMr25.html

SDM is expecting Java 1.6, so uninstall the newest one and use 1.6 instead.

Boner Buffet
Feb 16, 2006

inignot posted:

All routers / L3 switches are going to need multicast routing enabled.

If you're using a static RP it needs to be defined on all the devices in your L3 switching / routing infrastructure.

All routers / L3 switches are going to need pim running on all their interfaces (well, anything facing clients, servers, or other routers / L3 switches).

If you are using any RP at all you can run pim sparse mode.

Test the infrastructure by manually joining an interface at the client end to the multicast group. Try to ping the multicast group address from the RP, you should see a response from whatever interface you manually joined to the group.

If your network isn't running a dynamic unicast routing protocol this will be a lot harder.

Here's some commands with approximate syntax:

int whatever
ip igmp join <group address>

sh ip pim int
sh ip pim nei

sh ip igmp group

sh ip mroute

I don't have any idea how the QuickTime multicast application works.

Thanks inignot.

We have EIGRP configured throughout the network. I'm only working on the core switch as the source and clients are physically connected to this switch.

As far as the interfaces go, is specifying the VLAN interface adequate or do I need to configure every physical interface? And is ip pim sparse-dense-mode ok or should I be more specific with ip pim sparse-mode?

inignot
Sep 1, 2003

WWBCD?
Has anyone here put a Windows 7 wireless client on a Cisco access point via WPA2 / LEAP / AES? I've got a series of autonomous 1131 APs providing wireless access via that config to Win XP clients. I get no love from Windows 7. Debugs & logs in ACS show the Win 7 machines authenticate, then something falls apart when they try to associate to the AP. If there are any known caveats give a yell.

Boner Buffet
Feb 16, 2006

inignot posted:

Has anyone here put a Windows 7 wireless client on a Cisco access point via WPA2 / LEAP / AES? I've got a series of autonomous 1131 APs providing wireless access via that config to Win XP clients. I get no love from Windows 7. Debugs & logs in ACS show the Win 7 machines authenticate, then something falls apart when they try to associate to the AP. If there are any known caveats give a yell.

We have 1131 APs deployed and Win7 connects to them with WPA2 with no problems. But, we have a WLAN controller on the back end so that might make a difference. Are you using Windows to connect or a 3rd party utility like Lenovo's Access Connections to do it?

inignot
Sep 1, 2003

WWBCD?

InferiorWang posted:

Thanks inignot.

As far as the interfaces go, is specifying the VLAN interface adequate or do I need to configure every physical interface? And is ip pim sparse-dense-mode ok or should I be more specific with ip pim sparse-mode?

PIM only needs to be configured on L3 interfaces, so the vlan interfaces (svi) are fine. PIM is for tracking router to router multicast forwarding. IGMP is used on the edge with clients.

Sparse mode will forward multicasts out only PIM interfaces joined to the group (requires an RP).
Dense mode will forward multicasts out all pim interfaces (does not require an RP).
Sparse-dense will run sparse if there is an RP and fall back to dense if there is no RP.

If your clients & servers are all on the same L3 switch it probably doesn't matter what you run.
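An added example, not code from the thread: a Python audit that applies inignot's checklist from earlier in the thread (multicast routing enabled, PIM on every L3 interface, an RP defined where sparse mode needs one) and the sparse/dense fallback rules above to the 4507 config fragment InferiorWang posted, embedded here as a constructed sample. It assumes IOS running-config layout (interface sub-commands indented by one space, `!` between blocks).

```python
from typing import Dict, List, Optional

# Constructed sample: the multicast-relevant lines of the 4507 config posted
# in the thread, with the "...." gaps dropped and "!" separating blocks as a
# real IOS running-config does.
SAMPLE_CONFIG = """\
ip multicast-routing
!
interface Vlan10
 description Legecy_Network
 ip address 10.0.0.1 255.0.0.0
 ip pim sparse-dense-mode
!
interface Vlan11
 description Admin_Data
 ip address 192.168.2.1 255.255.255.0
 ip helper-address 10.1.1.36
 ip pim sparse-dense-mode
!
interface Vlan12
 description Admin_Servers
 ip address 192.168.12.1 255.255.255.0
 ip pim sparse-dense-mode
!
ip pim rp-address 192.168.2.1
ip pim send-rp-discovery scope 16
"""


def parse_interfaces(config: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Map each interface name to its IP address and PIM mode (None if absent).

    Assumes IOS layout: 'interface X' at column 0, sub-commands indented by one
    space, and any non-indented line (e.g. '!') ending the interface block.
    """
    interfaces: Dict[str, Dict[str, Optional[str]]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = {"ip": None, "pim": None}
            continue
        if not line.startswith(" "):
            current = None          # back at global configuration level
            continue
        if current is None:
            continue
        words = line.split()
        if words[:2] == ["ip", "address"] and len(words) >= 3:
            interfaces[current]["ip"] = words[2]
        elif words[:2] == ["ip", "pim"] and len(words) >= 3:
            interfaces[current]["pim"] = words[2]
    return interfaces


def audit_multicast(config: str) -> List[str]:
    """Return findings against inignot's checklist; an empty list means clean."""
    findings: List[str] = []
    global_lines = [ln for ln in config.splitlines() if ln and not ln.startswith(" ")]

    # 1. Multicast routing must be enabled on every router / L3 switch.
    if "ip multicast-routing" not in global_lines:
        findings.append("ip multicast-routing is not enabled")

    # 2. A static RP, if used, must be defined on every L3 device.
    rps = [ln.split()[3] for ln in global_lines
           if ln.startswith("ip pim rp-address ") and len(ln.split()) >= 4]

    # 3. PIM on every L3 interface; mode rules follow inignot's summary.
    l3 = {name: i for name, i in parse_interfaces(config).items() if i["ip"]}
    for name, info in l3.items():
        if info["pim"] is None:
            findings.append(f"{name} has an IP address but no ip pim mode")
        elif info["pim"] == "sparse-mode" and not rps:
            findings.append(f"{name} runs sparse-mode but no RP is defined")
        elif info["pim"] == "sparse-dense-mode" and not rps:
            findings.append(f"{name} runs sparse-dense-mode with no RP and will fall back to dense-mode flooding")

    # 4. An RP that is not one of our own addresses must be reachable by unicast routing.
    local = {i["ip"] for i in l3.values()}
    for rp in rps:
        if rp not in local:
            findings.append(f"RP {rp} is not a local interface address; it must be reachable via unicast routing")

    # 5. send-rp-discovery makes this box an Auto-RP mapping agent, which the poster said he was not using.
    if rps and any(ln.startswith("ip pim send-rp-discovery") for ln in global_lines):
        findings.append("ip pim send-rp-discovery (Auto-RP mapping agent) is configured alongside a static RP")
    return findings


if __name__ == "__main__":
    for finding in audit_multicast(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```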

inignot
Sep 1, 2003

WWBCD?

InferiorWang posted:

We have 1131 APs deployed and Win7 connects to them with WPA2 with no problems. But, we have a WLAN controller on the back end so that might make a difference. Are you using Windows to connect or a 3rd party utility like Lenovo's Access Connections to do it?

I've got a Dell 630 for the Windows 7 client. I had to download intel drivers to get support for anything beyond the built in PEAP support. I'm using an intel app to create the wireless profile / browse & join the wireless network.

jwh
Jun 12, 2002

inignot posted:

Has anyone here put a Windows 7 wireless client on a Cisco access point via WPA2 / LEAP / AES?
I thought LEAP was largely deprecated now?

Sojourner
Jun 6, 2007

Get In

inignot posted:

I've got a Dell 630 for the Windows 7 client. I had to download intel drivers to get support for anything beyond the built in PEAP support. I'm using an intel app to create the wireless profile / browse & join the wireless network.

Cisco LEAP will become an option under the Windows network authentication method drop-down after the Intel utility is installed, maybe try that? Also, is your ACS server updated to the latest version? A quick Google showed someone on sevenforums fixing this problem by updating to ACS 4.0.

inignot
Sep 1, 2003

WWBCD?

jwh posted:

I thought LEAP was largely deprecated now?

For all I know it is. I had never seriously looked at our wireless infrastructure prior to being asked to get the new Windows 7 laptops on. The first thing I noticed was we were running WPA / TKIP which I modified to WPA2 / AES prior to starting with the Windows 7 machines. Whatever the current authentication option is that points to radius is the one I want. There's no CA in place, but we do have ACS.


Sojourner posted:

Cisco LEAP will become an option under the Windows network authentication method drop-down after the Intel utility is installed, maybe try that? Also, is your ACS server updated to the latest version? A quick Google showed someone on sevenforums fixing this problem by updating to ACS 4.0.

Yes, Cisco LEAP became available after installing the intel utility/drivers. ACS is version 3.3. I'd googled up a few forum posts that said move to ACS 4, but none of them included any reason or explanation for the failures of pre 4 ACS.

jwh
Jun 12, 2002

May want to try uninstalling the Intel tools and instead using the Microsoft drivers with PEAP (interior MSCHAPv2). We've had issues with the Intel / vendor drivers when it comes to 802.1x, but we're still an XPsp2 environment for the most part.

Make sure your ACS is configured to do LEAP. I think it is by default, being Cisco, but I know you have to turn the other EAP types on manually.

edit: and if you're not presenting a valid signed cert as part of the EAP negotiation, make sure your clients are configured to be okay with that.

ate shit on live tv
Feb 15, 2004

by Azathoth
So this seems like a similar train of thought.

I'm designing a NAC solution for our user network. Since we already have a full Cisco infrastructure and we are only authenticating Windows boxes, it should be pretty straightforward, but I'm hitting a snag. We don't want to use Cisco's ACS at all. Is there a free alternative? We have a RADIUS server as well as TACACS+, but it appears these are not capable of integrating with 802.1x and Microsoft's NAP to provide a full NAC solution.

Anyone have any experience with a free alternative or just an alternative in general to ACS?

Syano
Jul 13, 2005

marshviperX posted:

I'm having a bit of trouble with the SDM. ... Anyone have any idea what could be the issue?


Java. The issue is almost always as in 99.99999% of the time the version of Java on your machine. Update the version of SDM on your routers and/or downgrade the version of Java you are using.

jwh
Jun 12, 2002

Powercrazy posted:

So this seems like a similar train of thought.

I'm designing a NAC solution for our user network. Since we already have a full Cisco infrastructure and we are only authenticating Windows boxes, it should be pretty straightforward, but I'm hitting a snag. We don't want to use Cisco's ACS at all. Is there a free alternative? We have a RADIUS server as well as TACACS+, but it appears these are not capable of integrating with 802.1x and Microsoft's NAP to provide a full NAC solution.

Anyone have any experience with a free alternative or just an alternative in general to ACS?

People have nice things to say about FreeRADIUS. I've never used it.

Which RADIUS server are you currently using?

Harry Totterbottom
Dec 19, 2008

Powercrazy posted:

So this seems like a similar train of thought.

I'm designing a NAC solution for our user network. Since we already have a full Cisco infrastructure and we are only authenticating Windows boxes, it should be pretty straightforward, but I'm hitting a snag. We don't want to use Cisco's ACS at all. Is there a free alternative? We have a RADIUS server as well as TACACS+, but it appears these are not capable of integrating with 802.1x and Microsoft's NAP to provide a full NAC solution.

Anyone have any experience with a free alternative or just an alternative in general to ACS?

After spending a week on trying to get this to work with IAS and NAP I ended up just scrapping it and using WPA. If you have any luck without using ACS please let me know what you do.

ate shit on live tv
Feb 15, 2004

by Azathoth

Harry Totterbottom posted:

After spending a week on trying to get this to work with IAS and NAP I ended up just scrapping it and using WPA. If you have any luck without using ACS please let me know what you do.

drat, after a lot of research this is what I've found as well, it seems no one has implemented Downloadable ACLs or 802.1x controls without ACS yet. It also doesn't help that people use ACS for all kinds of other things besides NAC.

As far as which particular RADIUS implementation, no clue, probably some FreeBSD box running FreeRADIUS.

jwh
Jun 12, 2002

You should definitely be able to do basic 802.1x stuff with FreeRADIUS- not sure about Microsoft NAP things (I'm not sure what NAP is/does).

But all ACS does is return IETF attributes- not even Cisco VSAs- for things like dynamic VLAN assignment. The only time I've seen a need for Cisco VSAs is with respect to pushing Airespace attributes and the like.

Remember, WPA should work in conjunction with your EAP method. One isn't really a substitute for the other.

Harry Totterbottom
Dec 19, 2008

jwh posted:

You should definitely be able to do basic 802.1x stuff with FreeRADIUS- not sure about Microsoft NAP things (I'm not sure what NAP is/does).

But all ACS does is return IETF attributes- not even Cisco VSAs- for things like dynamic VLAN assignment. The only time I've seen a need for Cisco VSAs is with respect to pushing Airespace attributes and the like.

Remember, WPA should work in conjunction with your EAP method. One isn't really a substitute for the other.

NAP is the new version of IAS that runs on Microsoft Server 2k8. I'm 95% certain that the issues I was running into were directly related to something with the certificate piece not being configured correctly. Because I could see the authentication attempts via debug and then was just getting errors on the NAP server saying that the message wasn't formed correctly. Continued digging led to no actual solutions.

The plan was to run PEAP with WPA on top of it, but due to not being able to get authentication with the server piece working I scrapped the PEAP piece until I've got more time to devote to figuring out what isn't setup correctly. The most annoying part though, is that all of my other Radius authenticated equipment is able to run without a hitch.

ate shit on live tv
Feb 15, 2004

by Azathoth
Yea, that is what I've found as well. I'm currently deploying NAC in a test environment and it seems like if you have a 2008 domain, it's actually pretty seamless. I've never messed with AD or Group Policy and in my little test domain (one router, one switch, 2 hosts, 4 users), it seems pretty straightforward so far.

Cool stuff. It's not working yet, but so far so good.

jwh
Jun 12, 2002

Powercrazy posted:

Yea, that is what I've found as well. I'm currently deploying NAC in a test environment and it seems like if you have a 2008 domain, it's actually pretty seamless. I've never messed with AD or Group Policy and in my little test domain (one router, one switch, 2 hosts, 4 users), it seems pretty straightforward so far.

Cool stuff. It's not working yet, but so far so good.

How is Microsoft NAP supposed to work? Does it have the ability to shunt machines off into remediation VLANs? I know that's a large part of Cisco's solution.

Harry Totterbottom
Dec 19, 2008

Powercrazy posted:

Yea, that is what I've found as well. I'm currently deploying NAC in a test environment and it seems like if you have a 2008 domain, it's actually pretty seamless. I've never messed with AD or Group Policy and in my little test domain (one router, one switch, 2 hosts, 4 users), it seems pretty straightforward so far.

Cool stuff. It's not working yet, but so far so good.

What's the general cost of NAC? The price tag of ACS is what kills it in my environment.

nex
Jul 23, 2001

øæå¨æøåø
Grimey Drawer
I just had the strangest error ever last night when connecting some new switches to a core router:

- Switch is connected to the router port, which has no config, and the link goes up/up. I can see it on CDP and all seems fine.

- As soon as I start adding config to the interface(just a standard dot1q switchport trunk) the physical link goes down. No error messages in the log except the link going down.

I then tried the following:

Shut/no shut, removing all config from the interface, re-seating the SFP, changing fiber patch and SFP, looping the interface on itself.

Nothing worked; the interface refused to go up/up ever again. Measured RX and TX, which were both normal. I didn't even get any entries in the log after the initial failure, except when doing shut/no shut.

Moved to another port with no config in the line-card with the original SFP and the link goes right back up. Tried adding config again and the same scenario repeated itself. Did this 2 more times before giving up.
The line-card in question has 15 other switches working perfect.

I ended up having to install a new line-card in a free slot before I got it to work.

My assumption is some kind of software bug and that I might have to reload the line-card or router to fix it, but I found the whole scenario really strange.

Anyone seen something similar or have suggestions on what I might try before reloading the card?

This was on a 7606s with 1Gb 24-port SFP line-card.

nex fucked around with this message at 21:08 on Mar 23, 2010

Harry Totterbottom
Dec 19, 2008

nex posted:

I just had the strangest error ever last night when connecting some new switches to a core router:

- Switch is connected to the router port, which has no config, and the link goes up/up. I can see it on CDP and all seems fine.

- As soon as I start adding config to the interface(just a standard dot1q switchport trunk) the physical link goes down. No error messages in the log except the link going down.

I then tried the following:

Shut/no shut, removing all config from the interface, re-seating the SFP, changing fiber patch and SFP, looping the interface on itself.

Nothing worked; the interface refused to go up/up ever again. Measured RX and TX, which were both normal. I didn't even get any entries in the log after the initial failure, except when doing shut/no shut.

Moved to another port with no config in the line-card with the original SFP and the link goes right back up. Tried adding config again and the same scenario repeated itself.

I ended up having to install a new line-card in a free slot before I got it to work.

My assumption is some kind of software bug and that I might have to reload the line-card or router to fix it, but I found the whole scenario really strange.

Anyone seen something similar or have suggestions on what I might try before reloading the card?

This was on a 7606s with 1Gb 24-port SFP line-card.

Random question, but did you try hard coding the port to 1000/full on both sides instead of auto?


nex
Jul 23, 2001

øæå¨æøåø
Grimey Drawer
No, I did not try that. Might be worth a shot just for laughs.
This was in the middle of a physical and logical migration of 8 switches, where this only happened with 1 of them. There was no difference in config from the switches that worked, and I made no changes in the config before it worked on the new line-card.

nex fucked around with this message at 21:15 on Mar 23, 2010
