Harry Totterbottom
Dec 19, 2008

nex posted:

No, I did not try that. Might be worth a shot just for laughs.

I'll actually be surprised if it works, but it's worth a shot.


Harry Totterbottom
Dec 19, 2008

nex posted:

No, I did not try that. Might be worth a shot just for laughs.
This was in the middle of a physical and logical migration of 8 switches, where this only happened with 1 of them. There was no difference in config from the switches that worked, and I made no changes in the config before it worked on the new line-card.

If it worked on other identical kit, it's probably going to be the card that's bad.

ate shit on live tv
Feb 15, 2004

by Azathoth

jwh posted:

How is Microsoft NAP supposed to work? Does it have the ability to shunt machines off into remediation VLANs? I know that's a large part of Cisco's solution.

From what I'm reading "yes." Now I haven't gotten it to work yet, I'm in the middle of testing/deploying it right now, but NPS (which comes with Server 2008) is apparently able to work with the Cisco 802.1x framework and tell the switches to put individual ports in remediation VLANs etc. based on a Host Health assessment and other factors, which the NPS server also handles.

http://technet.microsoft.com/en-us/library/cc753655%28WS.10%29.aspx

I'm using that guide as well as another 20-30 Firefox tabs at work, and keep in mind it's probably easier than what I'm doing, but I am completely unfamiliar with AD or Group Policy or any of that. I know on the Cisco side all you have to do is create the VLANs, turn on the 802.1x framework per port, and point it to the NPS/ACS server.

Harry Totterbottom posted:

What's the general cost of NAC? The price tag of ACS is what kills it in my environment.

NAC is actually "free" assuming your infrastructure already supports 802.1x; all Cisco 2950s and up support it, and I'm sure other vendors do as well. You also need some type of Certificate Authority server (for PEAP-TLS, or MS-CHAPv2) and a 2008 Active Directory domain or equivalent. In theory you shouldn't need ACS, but that is what this project is about right now. So we will see.

We aren't using ACS because honestly it's terrible, price tag aside.

ate shit on live tv fucked around with this message at 23:19 on Mar 23, 2010

Stabby McDamage
Dec 11, 2005

Doctor Rope
I didn't realize we had a Cisco thread, so I posted this thread asking how to pull configs off of Cisco IOS- and Nexus-based switches. To summarize that thread so far:

I want to build a simple tool to periodically pull configs from Cisco Catalyst 4000-series (IOS-based) and Cisco Nexus 5000-series (NX-OS-based) switches. I want to (a) compare running and startup config and warn if they differ and (b) store these configs in a source control tool so we can track changes.

RANCID is the usual tool for this, but there's no support for Nexus.

I threw together a quick Python paramiko script to pull the config via SSH, and that works well, but the IOS-based switches don't have a user privilege level that allows "show running-config" but disallows changes, and I don't want to keep an admin password in a file. Even if I explicitly give "show run" permission to a privilege level < 15, IOS will not allow "show run" to include configuration options that the user is not authorized to change, so I get a blank config.

I looked at using SNMP to pull it (like this module does), but that involves telling the switch to upload the config via TFTP. That would work, but it seems like a Rube Goldberg setup.

Is there a simple way to make an IOS user that can get full "show run" and "show start" output without being able to make changes?

Is there another way to get read-only access to the running and startup config?

I would also be happy with a periodic push of the configs, but Nexus doesn't have kron. Any ideas there?
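For the "compare running and startup config and track changes" part of the tool described above, here is an added example (not code from the thread or from RANCID). It leaves out the SSH fetch so it runs offline: feed it the raw text of "show running-config" and "show startup-config" and it normalizes away the header lines that differ on every pull before diffing; the sample configs at the bottom are constructed.

```python
"""Compare running vs. startup config and detect real changes between pulls."""
import difflib
import hashlib
import re

# Header lines that differ between running and startup, or between two
# pulls, without any real configuration change. Starting set for IOS and
# NX-OS (adjust for your platforms); matched against the start of a line.
VOLATILE = [
    r"^\S+#show ",                                    # echoed prompt + command
    r"^Building configuration",
    r"^Current configuration\s*:\s*\d+ bytes",
    r"^Using \d+ out of \d+ bytes",                   # startup-config header
    r"^! Last configuration change at ",
    r"^! NVRAM config last updated at ",
    r"^! No configuration change since last restart",
    r"^ntp clock-period ",                            # IOS rewrites this itself
    r"^!Command: ",                                   # NX-OS headers
    r"^!Time: ",
]
VOLATILE_RE = [re.compile(p) for p in VOLATILE]


def normalize(config_text):
    """Return the config as a list of significant lines.

    Drops blank lines, bare "!" separators, trailing whitespace and the
    volatile header lines above, so two dumps compare equal unless a
    configuration statement actually differs.
    """
    out = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if any(rx.match(line) for rx in VOLATILE_RE):
            continue
        out.append(line)
    return out


def config_diff(startup_text, running_text):
    """Unified diff startup -> running; an empty list means nothing is unsaved."""
    return list(difflib.unified_diff(
        normalize(startup_text), normalize(running_text),
        fromfile="startup-config", tofile="running-config", lineterm=""))


def has_unsaved_changes(startup_text, running_text):
    """True when the running config holds something not yet written to NVRAM."""
    return bool(config_diff(startup_text, running_text))


def config_fingerprint(config_text):
    """SHA-256 of the normalized config: commit to version control only when it changes."""
    canon = "\n".join(normalize(config_text)).encode()
    return hashlib.sha256(canon).hexdigest()


# Constructed sample: the running config has a default route the startup
# config does not, plus header lines that differ but do not matter.
STARTUP = """Using 896 out of 29688 bytes
!
version 12.3
hostname Router
!
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
end
"""
RUNNING = """Router#show run
Building configuration...

Current configuration : 940 bytes
!
! Last configuration change at 18:21:43 UTC Fri Mar 26 2010
!
version 12.3
hostname Router
!
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
end
"""

if __name__ == "__main__":
    for line in config_diff(STARTUP, RUNNING):
        print(line)
```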

ragzilla
Sep 9, 2005
don't ask me, i only work here


Stabby McDamage posted:

Is there a simple way to make an IOS user that can get full "show run" and "show start" output without being able to make changes?

TACACS+, with command authorization.

(using shrubbery tacacs+ code)

code:
# tac_plus.conf
user = rancid {
        login  = des [redacted]
        service = exec {
                priv-lvl = 15 # using clogin autoenable for back compatibility with RADIUS device access
        }
        cmd = show {
                permit "running-config <cr>"
                permit "startup-config <cr>"
                deny .*
        }
}
code:
$ ssh rancid@test
test#sh ver
Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version 12.2(40)SE, RELEASE SOFTWARE (fc3)
! this is going to work, because anything that's command priv 1 is permitted by default in my AAA config, it only authenticates priv 15 commands, such as...
test#show start | inc aaa
aaa new-model
aaa authentication login default local-case group tacacs+
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default local group tacacs+ if-authenticated 
aaa authorization commands 15 default group tacacs+ if-authenticated 
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa session-id common
! but if I try...
test#conf t
Command authorization failed.
! or
test#clear counters fa0/7 
Command authorization failed.
sadly it doesn't get logged (probably something I need to turn on in tac_plus), but any priv 15 command you don't explicitly allow in TACACS will be denied.
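To show why the cmd block above gives a read-only backup account, here is an added model of tac_plus per-command authorization; it is not code from the post or from tac_plus itself. It follows the matching rule the tac_plus.conf documentation describes: the device sends the command keyword and its arguments, tac_plus joins the arguments with spaces and appends "<cr>", then tries the block's permit/deny regexes in order with an unanchored search; the first match decides, and no match (or no cmd block at all) means deny.

```python
"""Model of tac_plus per-command authorization for the rancid account above."""
import re

# The cmd block from the tac_plus.conf posted above, as ordered rules.
RANCID_RULES = {
    "show": [
        ("permit", r"running-config <cr>"),
        ("permit", r"startup-config <cr>"),
        ("deny", r".*"),
    ],
}


def authorize(rules, command_line):
    """Decide one command line as the device would submit it.

    IOS sends the expanded keyword form, so the rules match
    "running-config", not the "run" abbreviation typed at the prompt.
    Returns (decision, reason).
    """
    parts = command_line.split()
    if not parts:
        return "deny", "empty command"
    cmd, args = parts[0], parts[1:]
    argstr = " ".join(args + ["<cr>"])          # e.g. "running-config <cr>"
    entries = rules.get(cmd)
    if entries is None:
        # Anything without a cmd block (conf t, clear, ...) is denied by default.
        return "deny", f"no cmd block for '{cmd}': default deny"
    for action, pattern in entries:
        if re.search(pattern, argstr):           # first match wins
            return action, f'{action} "{pattern}" matched "{argstr}"'
    return "deny", "no entry matched: default deny"


def review_rules(rules):
    """Flag an ordering mistake: a deny .* placed before a permit makes
    every later permit unreachable, so the account can do nothing at all."""
    problems = []
    for cmd, entries in rules.items():
        for i, (action, pattern) in enumerate(entries):
            if action == "deny" and pattern == ".*" and i < len(entries) - 1:
                problems.append(f"{cmd}: deny .* at position {i} shadows later entries")
    return problems


if __name__ == "__main__":
    for line in ["show running-config", "show startup-config",
                 "show ip interface brief", "configure terminal",
                 "clear counters FastEthernet0/7"]:
        print(f"{line:32s} -> {authorize(RANCID_RULES, line)}")
```

Note that with the AAA config shown above only privilege-15 commands are sent for authorization, so priv-1 commands such as "show version" never reach these rules at all.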

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Powercrazy posted:

From what I'm reading "yes." Now I haven't gotten it to work yet, I'm in the middle of testing/deploying it right now, but NPS (which comes with Server 2008) is apparently able to work with the Cisco 802.1x framework and tell the switches to put individual ports in remediation VLANs etc. based on a Host Health assessment and other factors, which the NPS server also handles.

http://technet.microsoft.com/en-us/library/cc753655%28WS.10%29.aspx

I'm using that guide as well as another 20-30 Firefox tabs at work, and keep in mind it's probably easier than what I'm doing, but I am completely unfamiliar with AD or Group Policy or any of that. I know on the Cisco side all you have to do is create the VLANs, turn on the 802.1x framework per port, and point it to the NPS/ACS server.


NAC is actually "free" assuming your infrastructure already supports 802.1x; all Cisco 2950s and up support it, and I'm sure other vendors do as well. You also need some type of Certificate Authority server (for PEAP-TLS, or MS-CHAPv2) and a 2008 Active Directory domain or equivalent. In theory you shouldn't need ACS, but that is what this project is about right now. So we will see.

We aren't using ACS because honestly it's terrible, price tag aside.

NAC/NAP is kind of hinky and last I checked Cisco doesn't support those deployments any more. That might just be when it's a NAP+Clean Access setup though. .1x is now referred to as IBNS, or identity based network security. There have been some really cool enhancements like MDA. Also, ACS 5 is pretty spiffy; give it a look.

jwh
Jun 12, 2002

Powercrazy posted:

We aren't using ACS because honestly it's terrible, price tag aside.

It's not too bad once you understand how all of its confounded pieces and parts fit together, and are able to overlook the fact that ACS4 looks like a Geocities page from 1998.

para
Nov 30, 2006
What do you guys think about Enterasys? We are looking at doing a core upgrade at one of our campuses but our budget is pretty tight. Considering looking at Enterasys for a solution. Anyone have any experience with them or know much about how their gear compares to Cisco's? For comparison, I believe we were looking at a Cisco 4928 for the core switch before engaging Enterasys.

This really marks the first time we've even considered moving away from Cisco (actually we do use some business class Linksys switches here and there) for networking needs.

jbusbysack
Sep 6, 2002
i heart syd

para posted:

What do you guys think about Enterasys? We are looking at doing a core upgrade at one of our campuses but our budget is pretty tight. Considering looking at Enterasys for a solution. Anyone have any experience with them or know much about how their gear compares to Cisco's? For comparison, I believe we were looking at a Cisco 4928 for the core switch before engaging Enterasys.

This really marks the first time we've even considered moving away from Cisco (actually we do use some business class Linksys switches here and there) for networking needs.

It all depends what you're doing.

PCs and Phones? Honestly any vendor (Cisco/Juniper/HP etc) can do that.
Video conferencing? Be aware, but it's not a dealbreaker.
Trading/Capital market feeds? Don't cheap out or everyone will lose.

Boner Buffet
Feb 16, 2006

inignot posted:


Test the infrastructure by manually joining an interface at the client end to the multicast group. Try to ping the multicast group address from the RP, you should see a response from whatever interface you manually joined to the group.

.........

int whatever
ip igmp join <group address>


I'm finally getting back to this. There isn't a command for ip igmp join under physical interfaces. There does seem to be an ip igmp join-group command for the vlan interfaces. If I join a group on VLAN 11:

ip igmp join-group 224.0.1.39

I still can't ping 224.0.1.39 from the switch.

ragzilla
Sep 9, 2005
don't ask me, i only work here


Martytoof posted:

Thank you, that does actually clear things up a little. So obviously I don't have a support contract with Cisco so this is entirely pie in the sky, but looking at Feature Navigator, is the best option for any given router still the "latest and greatest" according to Cisco as long as it fits within your memory and flash footprint? Or are there times where you'd actually look to put something other than the newest release on a device, if both the newest release and the older one support the same feature set?

Sorry if the question is obvious, but I haven't had to deal with IOS revisions since I worked with 7200s at a datacenter in the early 2000s, and then we had a contract with Cisco so I didn't really do much of the legwork. Most of my current experience is centred around my home lab where I just the newest 12.3 Telco IOS from one of my 3640s and deployed it across the remaining four after backing them up.

White Paper: Cisco IOS and NX-OS Software Reference Guide

Covers the relationships between all the trains and their target markets.

Panthrax
Jul 12, 2001
I'm gonna hit you until candy comes out.
Posted this up in the Asterisk thread because I forgot this one was here. Anyone know what's going on?

We use a Cisco 5300 media gateway in our lab. We have a T1 coming into it from our test phones/faxes, and it spits out SIP to our core switches. We seem to intermittently have a problem with it puking all over the T38 fax training. It will spit out A5A5A5A5 in the payload of the training (should be all 0s), until it stops, goes to long training, does the same thing, etc etc until the call fails. I've tried raising the fax speed, lowering it, but it still doesn't work. Then it randomly goes away. We've replaced both the Audiocodes and the Cisco, so it's gotta be an IOS issue, but I've only been able to find one other person on the internet that has had the problem. Thing is, it's happening on some 12.2 version, as well as 12.3(16) and 12.3(22). Has anyone experienced it and know how to fix it? Any specific IOS that fixes it?



Boner Buffet
Feb 16, 2006

InferiorWang posted:

I'm finally getting back to this. There isn't a command for ip igmp join under physical interfaces. There does seem to be an ip igmp join-group command for the vlan interfaces. If I join a group on VLAN 11:

ip igmp join-group 224.0.1.39

I still can't ping 224.0.1.39 from the switch.

I've redone my config a bit. I made a loopback interface and gave it an IP address (192.168.199.1) which is pingable from a remote L3 switch. I set the RP of the Core and the remote switches to 192.168.199.1.

I set up a test using mrm using this doc: http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cftools.html

However, when you get to the end of the document, it doesn't actually seem to tell you how you know a test is working, nor any way of interpreting the results. Running the "ip mrm status-report" command seems to show 100% packet loss (I'm assuming that's what the Pkt Loss/Dup column actually means). However, I have no way of knowing what I have messed up along the way in the config and/or in the mrm test. Cisco needs multicast documentation for small children.

Edit:

Core/RP multicast relevant snippets:

code:
ip multicast-routing

interface Loopback100
description multicast rp address
ip address 192.168.199.1 255.255.255.255
ip pim sparse-mode

interface Vlan11
description Admin_Data
ip address 192.168.2.1 255.255.255.0
ip helper-address 10.1.1.36
ip pim sparse-mode
ip mrm test-sender


ip pim rp-address 192.168.199.1


ip mrm manager imc1
manager Vlan11 group 239.255.255.250
senders 1
receivers 2 sender-list 1

 
access-list 1 permit 192.168.2.1
access-list 2 permit 192.168.96.1


Remote L3 Switch multicast relevant snippets:
code:
ip multicast-routing

interface Vlan96
description MDF_Data_Vlan
ip address 192.168.96.1 255.255.255.0
ip helper-address 10.1.1.36
ip pim sparse-mode
ip mrm test-receiver

ip pim rp-address 192.168.199.1
I'm probably using the wrong group address. It's possible that's where my problem is. I'm not clear whether group addresses are manually created or automatically created. I could also be missing something completely when it comes to IGMP configuration.

Boner Buffet fucked around with this message at 20:03 on Mar 25, 2010

inignot
Sep 1, 2003

WWBCD?
Yes, the ip igmp join command needs to go on a layer 3 interface.

Based on your config, you're attempting to join an interface to a reserved multicast address for RP announce. You can't use that for a multicast group. What is the multicast address your quicktime server is attempting to send to? Set it to that, or for testing use 239.1.1.1; that's from the reserved private multicast range.

some kinda jackal
Feb 25, 2003

 
 
Edit: Huge post redacted because I'm an idiot who forgot that "ip default-gateway" doesn't do the same thing as "ip route 0.0.0.0 0.0.0.0" when using a router to emulate an end-device in a lab.

some kinda jackal fucked around with this message at 05:28 on Mar 26, 2010

Boner Buffet
Feb 16, 2006

inignot posted:

Yes, the ip igmp join command needs to go on a layer 3 interface.

Based on your config, you're attempting to join an interface to a reserved multicast address for RP announce. You can't use that for a multicast group. What is the multicast address your quicktime server is attempting to send to? Set it to that, or for testing use 239.1.1.1; that's from the reserved private multicast range.

For the time being, I'm completely ignoring the quicktime piece. I'm just trying to get multicast working using the mrm tools to test it. Once I get to that point, then I'll tackle the specific quicktime piece.

I changed the testing group to 239.1.1.1 like you suggested, but I'm still getting 100% packet loss.

The documentation is driving me nuts. They explain what a nail is, what a hammer is, but not how to use the hammer to pound on the nail. The docs take you part of the way there and then abruptly end.

inignot
Sep 1, 2003

WWBCD?
I looked at your core / remote switch configs again. You need a pim running between those two devices somehow. Either via directly connected interfaces or a series of intermediate devices running pim. I don't see that represented in the config.

Boner Buffet
Feb 16, 2006
I thought it uses the unicast routing table to do that, or is that not what you're saying? Everything that isn't directly connected to the RP is accessible via EIGRP routes, and vice versa on the remote switch.

This is becoming more than a short question. Sorry about that and thanks for the help.

Edit: I think I get what you're saying. The two switches have addresses on the management vlan (vlan 1) and a backbone vlan (254). I'm assuming I could do "ip pim sparse-mode" on either vlan interface on both switches to accomplish what you're suggesting?

Boner Buffet fucked around with this message at 15:47 on Mar 26, 2010

Boner Buffet
Feb 16, 2006
At the very least, the two switches can now see each other via "sh ip pim neighbor". The MRM test is still coming back broken, but the devices at least see each other within the context of pim.

code:
AD4507-MDF#mtrace 192.168.2.1 192.168.96.1
Type escape sequence to abort.
Mtrace from 192.168.2.1 to 192.168.96.1 via RPF
From source (?) to destination (?)
Querying full reverse path...
 0  192.168.96.1
-1  192.168.254.96 PIM  [192.168.2.0/24]
-2  192.168.254.1 PIM  [192.168.2.0/24]
-3  192.168.2.1

inignot
Sep 1, 2003

WWBCD?
PIM is used for tracking & communicating what interfaces should have multicast streams forwarded out them. It needs to be running throughout the network. Kind of like how all your routers have to run OSPF for it to work.

Multicast streams consist of a unicast source and a multicast group destination. PIM tracks the interfaces to forward multicast destined traffic out; and the unicast routing table is used to look back up the stream at the unicast source to ensure traffic is arriving via the best route back to a host.

On a working multicast network you can look at show ip mroute and see the unicast source, the multicast destination; and the incoming & outgoing interfaces for that router; the RP for the group, etc.

You may as well add pim to both vlan 1 and vlan 254 on both switches.

Check with show ip pim neighbor on both switches. Manually join the remote switch vlan 96 (I presume that's where the clients are) to igmp group 239.1.1.1. Try to ping 239.1.1.1 from the core switch sourced from the RP loopback. At the very least you should see that show up as a multicast stream on the core switch when you look at show ip mroute. Optimally you should see a response from the unicast address of vlan 96 on the remote switch.
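The two points made here and earlier in the thread (joins and data follow the unicast route back toward the source, so PIM has to be on that interface; and 224.0.1.39 is a reserved group) as an added example, not code from the thread. The routing table is constructed from the mtrace output and addresses posted above; the interface names and the default route are assumptions.

```python
"""RPF lookup and group-address sanity for the PIM lab discussed above."""
import ipaddress

# Remote L3 switch (AD4507-MDF). The mtrace shows its path back to the
# source subnet goes via 192.168.254.1, i.e. out the backbone Vlan254.
REMOTE_ROUTES = [
    ("192.168.96.0/24", "Vlan96", None),                 # connected (clients)
    ("192.168.254.0/24", "Vlan254", None),               # connected backbone
    ("192.168.2.0/24", "Vlan254", "192.168.254.1"),      # EIGRP, toward core
    ("192.168.199.1/32", "Vlan254", "192.168.254.1"),    # RP loopback via core
    ("0.0.0.0/0", "Vlan1", "192.168.1.254"),             # constructed default
]


def rpf_lookup(routes, address):
    """Longest-prefix match: (interface, next-hop) toward `address`, or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nexthop)
    return None if best is None else (best[1], best[2])


def can_join_toward(routes, pim_neighbor_ifaces, address):
    """Can this router send a PIM join for a source or RP at `address`?

    The join goes out the RPF interface; without a PIM neighbor there
    (no 'ip pim sparse-mode' on that VLAN, as in the first configs posted
    above) the join has nowhere to go and the stream never arrives.
    """
    hit = rpf_lookup(routes, address)
    if hit is None:
        return False, "no unicast route: RPF fails"
    iface, nexthop = hit
    if iface not in pim_neighbor_ifaces:
        return False, f"RPF interface {iface} has no PIM neighbor"
    return True, f"join sent out {iface} toward {nexthop or 'connected source'}"


def rpf_accepts(routes, source, arrived_on):
    """Data-plane RPF check: accept only on the interface leading back to the source."""
    hit = rpf_lookup(routes, source)
    return hit is not None and hit[0] == arrived_on


# Group addresses that cannot serve as an ordinary test group.
LOCAL_CONTROL = ipaddress.ip_network("224.0.0.0/24")   # link-local, never routed
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")     # private use (RFC 2365)
WELL_KNOWN = {
    "224.0.1.39": (False, "reserved: cisco-rp-announce (Auto-RP)"),
    "224.0.1.40": (False, "reserved: cisco-rp-discovery (Auto-RP)"),
    "239.255.255.250": (True, "SSDP/UPnP discovery group, usually busy already"),
}


def group_check(group):
    """(usable, note) for a candidate multicast group address."""
    g = ipaddress.ip_address(group)
    if not g.is_multicast:
        return False, "not a multicast address"
    if g in LOCAL_CONTROL:
        return False, "local network control block, routers do not forward it"
    if str(g) in WELL_KNOWN:
        return WELL_KNOWN[str(g)]
    if g in ADMIN_SCOPED:
        return True, "administratively scoped, fine for a private test"
    return True, "globally scoped group"


if __name__ == "__main__":
    print(can_join_toward(REMOTE_ROUTES, {"Vlan254"}, "192.168.199.1"))
    print(can_join_toward(REMOTE_ROUTES, set(), "192.168.199.1"))
    for g in ("224.0.1.39", "239.1.1.1"):
        print(g, group_check(g))
```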

Boner Buffet
Feb 16, 2006
Pinging 192.168.96.1 from the Loopback100 interface, and 192.168.199.1 specifically, does give me a response from 192.168.254.96 (the vlan 254 interface IP, which is the interface I have pim enabled on for the switches to talk to each other). I'm guessing in a typical environment if an end host wants to watch a multicast video, it basically automatically joins the group, while for this test I just manually joined the group in lieu of any real sources or end hosts.

Quick question regarding a multicast source. On a generic source, do you specify the group address or is it automatically defined by the source host?

inignot
Sep 1, 2003

WWBCD?
I presume you're actually pinging the multicast address & getting a response from the unicast addresses that have joined the group.

As far as how this works outside of testing, it's kind of application dependent. A multicast source will spew traffic into your pim infrastructure at some group destination. That group address is going to be administratively specified (probably from the reserved private multicast range). Multicast traffic will be forwarded based on what routers have received igmp joins and communicated that back up the chain of pim devices. How the end stations produce that igmp join is application dependent. They could be getting the multicast group address via something embedded in a url or whatever.

jwh
Jun 12, 2002

That's actually what I've always found weird about multicast: in IPv4, the applications are responsible for getting IGMP "right". This led to a lot of frustration when I was troubleshooting multicast some time ago.

I understand v6 does things differently, but I'm not sure if there's a generic facility for applications to participate in multicast outside application specific implementations.

Boner Buffet
Feb 16, 2006
I think I might actually have it working now. I was able to stream from the quick time server to a client. The quicktime server appeared in the igmp groups table on the RP/core switch. Testing from a host on the remote switch worked as well. Thanks for all the assistance inignot.

Boner Buffet
Feb 16, 2006

jwh posted:

That's actually what I've always found weird about multicast: in IPv4, the applications are responsible for getting IGMP "right". This led to a lot of frustration when I was troubleshooting multicast some time ago.

The thing that was driving me nuts is that the docs I read don't put the configurations into any client side context for the most part. Inignot's answer about group addresses and whether they are dynamic or manually configured was never covered in any capacity in the official Cisco docs.

inignot
Sep 1, 2003

WWBCD?
I've labbed up a lot of multicast stuff, but I've only done it once for production. There was some kind of box that took video from a camera and sent out a multicast stream. I recall the group address was specified in the appliance config, then the clients hit a url on this appliance which passed...whatever...to windows media player which then caused the clients to issue an igmp join to their local router.

These seem like potentially useful bits of documentation:

http://www.cisco.com/en/US/docs/ios/ipmulti/configuration/guide/imc_verify_op_ps6441_TSD_Products_Configuration_Guide_Chapter.html

http://www.cisco.com/en/US/docs/ios/ipmulti/configuration/guide/imc_customize_igmp_ps6441_TSD_Products_Configuration_Guide_Chapter.html

Boner Buffet
Feb 16, 2006
That's what the quicktime broadcaster tool does. It creates an SDP file which has all the connection information in it. Quicktime on the remote hosts will read that file, and join whatever igmp group is specified in the file.

Boner Buffet
Feb 16, 2006
A funny side note, 5 minutes into the first successful test, our barracuda web filter stopped forwarding traffic and the air conditioner in our server room stopped working.

jwh
Jun 12, 2002

InferiorWang posted:

A funny side note, 5 minutes into the first successful test, our barracuda web filter stopped forwarding traffic and the air conditioner in our server room stopped working.

COINCIDENCE? YOU BE THE JUDGE!

wolrah
May 8, 2006
what?
It's looking like I'll be hunting for a new job soon and I have some random Cisco gear sitting around, so I'm wondering what kind of things I can set up to help train for various Cisco certs to pad my resume with.

I have:

2x 1841, each with a T1 WIC. I think one has 128M RAM and the other has 256M, but I could be mistaken. One of them has the latest IOS it would run as of September '09, the other is unknown.
1x 2600, no idea which sub-model but it has one onboard 10/100 ethernet, 2 T1 WICs, and I have an ISDN NM for it somewhere. IOS 12.3(24)
1x Catalyst 2900XL 12 port 10/100

I also have a working GNS3 setup on a box with two NICs and two RS-232 serial links and a spare network interface on my pfSense router.

Is this enough hardware/software to properly train for any of Cisco's certs?

If not, any suggestions for configurations I can build with this that would be worthwhile to learn?

ofwolfandan
Aug 13, 2004

FACE THE PIE THAT SHOULD NOT BE
I'm having a bit of trouble with my 2600. I'm trying to connect it behind my modem and use/play/practice.
I can ping google if I turn off ip routing, but if I turn it on I cannot.
I cannot access the internet from my computer when plugged into fa0/1, but I can ping fa0/0.
fa0/0 gets an IP via DHCP and it is the outside interface.
IP routing is off during this screen grab.
Here's the show run and then some.

code:
Router#show run
Building configuration...

Current configuration : 896 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$P/zA$1QYv6e4dKIyLNN9vB29EZ1
!
no aaa new-model
ip subnet-zero
ip cef
!
!
ip name-server 8.8.8.8
ip name-server 4.2.2.2
ip dhcp excluded-address 10.10.10.0 10.10.10.50
ip dhcp excluded-address 10.10.10.200 10.10.10.255
!
ip dhcp pool inside
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 8.8.8.8 4.2.2.2
!
!
!
!
!
!
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip http server
ip classless
!
!
access-list 102 permit ip any any
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
 transport input telnet
!
!
end

Router#show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.0.102   YES DHCP   up                    up
FastEthernet0/1            10.10.10.1      YES manual up                    up

Router#show ip route
Default gateway is 192.168.0.1

Host               Gateway           Last Use    Total Uses  Interface
ICMP redirect cache is empty
Any ideas? Any help would be much appreciated.

jwh
Jun 12, 2002

ofwolfandan posted:

Any ideas? Any help would be much appreciated.

code:
conf t
ip routing
! standard ACL: source network and wildcard only, no "ip" keyword
access-list 1 permit 10.10.10.0 0.0.0.255
ip nat inside source list 1 interface fa0/0 overload
! with ip routing on, "ip default-gateway" is ignored, so add a default route
ip route 0.0.0.0 0.0.0.0 192.168.0.1

give that a shot.

para
Nov 30, 2006

ofwolfandan posted:

I cannot access the internet from my computer when plugged into fa0/1, but I can ping fa0/0.
Try
# ip nat inside source list 102 interface fa0/0 overload
102 specifies addresses that are allowed to be NATed, and it should do PAT to the outside fa0/0.

ofwolfandan
Aug 13, 2004

FACE THE PIE THAT SHOULD NOT BE
Awesome it worked. I had to mess around with it a little bit more but it worked.

Here's the config that's working.

code:
Router#show run
Building configuration...

Current configuration : 1203 bytes
!
! Last configuration change at 18:21:43 UTC Fri Mar 26 2010
! NVRAM config last updated at 17:38:38 UTC Fri Mar 26 2010
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$P/zA$1QYv6e4dKIyLNN9vB29EZ1
!
no aaa new-model
ip subnet-zero
ip cef
!
!
ip name-server 8.8.8.8
ip name-server 4.2.2.2
ip dhcp excluded-address 10.10.10.0 10.10.10.50
ip dhcp excluded-address 10.10.10.200 10.10.10.255
!
ip dhcp pool inside
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 8.8.8.8 4.2.2.2
!
!
username root privilege 15
!
!
!
!
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 102 permit ip any any
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
 transport input telnet
!
!
end
Thanks much.

Boner Buffet
Feb 16, 2006
Anyone else have any issues using a windows 7 machine connecting to an ASA with telnet or ssh?

Richard Noggin
Jun 6, 2005
Redneck By Default
I don't normally use the native Windows telnet app, but instead use PuTTY, which works great on my Win7 x64 box.

ate shit on live tv
Feb 15, 2004

by Azathoth

InferiorWang posted:

Anyone else have any issues using a windows 7 machine connecting to an ASA with telnet or ssh?

I'm going to guess that the issue isn't so much your SSH/Telnet client as it is the network attached to the ASA. What issues are you having?

Boner Buffet
Feb 16, 2006
Telnet just kicks back a generic could not open connection error and putty says "server unexpectedly closed network connection". It works fine on my boss's laptop (64-bit win seven, same hardware). The asa is configured to allow telnet and ssh connections from my subnet. ASDM doesn't work either, but that's probably a version/java issue.

I guess I'll have to stop being lazy and use the XP machine to read some debugging logs with ASDM.

edit: telnet works. I screwed up the config on the asa for that. SSH still doesn't seem to want to work though.

Boner Buffet fucked around with this message at 17:08 on Mar 29, 2010

ElCondemn
Aug 7, 2005


InferiorWang posted:

Telnet just kicks back a generic could not open connection error and putty says "server unexpectedly closed network connection". It works fine on my boss's laptop (64-bit win seven, same hardware). The asa is configured to allow telnet and ssh connections from my subnet. ASDM doesn't work either, but that's probably a version/java issue.

I guess I'll have to stop being lazy and use the XP machine to read some debugging logs with ASDM.

edit: telnet works. I screwed up the config on the asa for that. SSH still doesn't seem to want to work though.

does SSH work from your boss's laptop?


Harry Totterbottom
Dec 19, 2008

InferiorWang posted:

Telnet just kicks back a generic could not open connection error and putty says "server unexpectedly closed network connection". It works fine on my boss's laptop (64-bit win seven, same hardware). The asa is configured to allow telnet and ssh connections from my subnet. ASDM doesn't work either, but that's probably a version/java issue.

I guess I'll have to stop being lazy and use the XP machine to read some debugging logs with ASDM.

edit: telnet works. I screwed up the config on the asa for that. SSH still doesn't seem to want to work though.

If you set up the SSH admin stuff via the ASDM, you'll need to manually generate your crypto map (crypto key generate rsa).
