Powercrazy posted: For the first part I know that. For the second part. LACP can't be setup from a FEX at all. The problem is that we were expecting to setup etherchannels on all our dual nic servers so that if a single device failed, either a FEX or a N5K, it would be transparent to the server. The server would just detect a lost link, but it wouldn't need to update its spanning tree or routes or anything.

This is how we recommend to configure it. I don't have any handy to play with right now, can try to scare some up tomorrow. Stupid question, but did you enable LACP on the 5ks (feature lacp from global config)?
|
# ? Apr 27, 2010 00:12 |
|
Yep, feature LACP is enabled. If you can get it working post the config/steps. Because the documentation implies that you can setup LACP on the FEXs but when I actually tried to do it, and asked TAC it looks like you can't. I'm using 2148T FEXs, if LACP works on a different type of fex let me know.
|
# ? Apr 27, 2010 00:59 |
|
Powercrazy posted: Yep, feature LACP is enabled. If you can get it working post the config/steps. Because the documentation implies that you can setup LACP on the FEXs but when I actually tried to do it, and asked TAC it looks like you can't.

It will definitely work on the gen2 FEXs (2248, 2232). Looks like it's a no go on the 2148T for server side ports, sorry.

Tremblay fucked around with this message at 01:22 on Apr 27, 2010
# ? Apr 27, 2010 01:10 |
|
Tremblay posted: You are creating a huge broadcast domain that will result in a lot of drops and high CPU utilization on your router since most broadcast traffic gets punted. Also it's lazy and lovely design. Do it right the first time.

How is this any different with subinterfaces vs. secondaries? I'm still going to have the same amount of bcast traffic hitting the router getting punted. If my customer wants extra addresses on their T1, I'm not going to force them to run dot1q between my router and their switch because secondaries are a "lazy/lovely" design (and they're not going to want to renumber into a bigger block either).
|
# ? Apr 27, 2010 02:11 |
|
ragzilla posted: How is this any different with subinterfaces vs. secondaries? I'm still going to have the same amount of bcast traffic hitting the router getting punted.

I was speaking specifically LAN side. Wanna run secondaries on a T1? Knock your socks off. Impact depends on platform and VLAN. Some places tend to get lazy and keep heaping secondaries on, say a VLAN1 SVI.
|
# ? Apr 27, 2010 02:46 |
|
Tremblay posted: It will definitely work on the gen2 FEXs (2248, 2232). Looks like it's a no go on the 2148T for server side ports, sorry.

Are you sure the 2nd gen fexs will do it? Can you link me some documentation about them? Because if the 2248s can do it, then it will become a purchase for us. I have to verify it though.
|
# ? Apr 27, 2010 04:29 |
|
Powercrazy posted: Are you sure the 2nd gen fexs will do it? Can you link me some documentation about them? Because if the 2248s can do it, then it will become a purchase for us. I have to verify it though.

http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps10110/data_sheet_c78-507093.html

"PortChannel on server ports (Cisco Nexus 2200 Series only)"

Your SE should be able to verify that on Topic like I did. If not, lemme know.
|
# ? Apr 27, 2010 04:32 |
|
I don't have Plat so no PMs, but I do have aim.
|
# ? Apr 27, 2010 04:34 |
|
Anyone have any recommendations for a network management platform for an MPLS network? I've got 20 - 30 PE devices and 10-ish P devices. It's not large (a lot of stuff is aggregated on ethernet subinterfaces), but the number of vrfs & import / exports is daunting. It would be nice for instance to see a report of what devices & interfaces a given vrf is configured on.
|
# ? Apr 27, 2010 19:30 |
|
Trying to get cisco client VPN working on a router alongside a site to site VPN (to a Sonicwall unfortunately). Client VPN works fine, tunnel is to 10.70.21.162 but it wants to do xauth for it. 'sh cry isak sa' shows 'CONF_XAUTH', debug logs confirm. Originally it would get stuck attempting to give this static IP an address from the client VPN which is wrong. I added the isakmp profiles/keyring stuff to attempt to alleviate this (per this and this). I have other IOS VPNs working for this customer without keyring and without client VPN that I'm not using isakmp profiles for and I can then specify 'no-xauth' in the "crypto isakmp key FOO address 10.70.21.162 no-xauth" command but that's not used in profiles. So, how does one disable xauth in this case for 10.70.21.162? 10.1/16 and 192.168.0/24 are inside, everything else is outside. code:
|
# ? Apr 27, 2010 21:05 |
|
inignot posted: MPLS Management

sh run vrf NAME should get you what you need. It's supported on the 7600 platform.
|
# ? Apr 28, 2010 00:03 |
|
guys .. i got a 4006 chassis that is EOL but it was just announced so i'm sticking with it.. the sup card on it is a 4013 which is crap and gives me CatOS.. i'm thinking of going to a 4013+ which is just enough to give me L3 ability and Cisco IOS. Just want to bounce this off you guys. Am I correct in thinking a 4013+ card will give me L3 and Cisco IOS?
|
# ? Apr 28, 2010 16:13 |
|
Bicho6 posted: guys .. i got a 4006 chassis that is EOL but it was just announced so i'm sticking with it.. the sup card on it is a 4013 which is crap and gives me CatOS.. i'm thinking of going to a 4013+ which is just enough to give me L3 ability and Cisco IOS. Just want to bounce this off you guys. Am I correct in thinking a 4013+ card will give me L3 and Cisco IOS?

Cisco IOS Software only on the Supervisor Engine II-Plus, III, IV, and V

Uses Cisco IOS images: cat4000-is-mz or cat4000-i9s-mz (Basic L3 feature set) or cat4000-i5s (Enhanced L3 feature set), cat4500, that depends on the software release and Supervisor Engine

From: http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a0080094645.shtml
|
# ? Apr 28, 2010 19:29 |
|
Ok, here's a fun one. We haven't gotten deep into the debug process yet, but we have a site to site GRE tunnel that flaps at 8:05 EST every day, give or take 30 seconds. The interface this goes over is up/up, and the carrier sees no errors on the circuit. It flaps one time each day, and comes up after a few seconds. Always at the same time. We can't figure out what might be doing this, any guesses?
|
# ? Apr 29, 2010 05:56 |
|
XakEp posted: Ok, here's a fun one. We haven't gotten deep into the debug process yet, but we have a site to site GRE tunnel that flaps at 8:05 EST every day, give or take 30 seconds. The interface this goes over is up/up, and the carrier sees no errors on the circuit.

Tech at the CO clocks in at 8:00am, begins his daily "checks" right away and your cable is what gets giggled during the "checks". That's my off the wall guess.

What is traffic normally like on the circuit/tunnel daily? Heavily used? Is this a link between datacenters? Could it be a traffic problem when some sort of high bandwidth file transfer kicks off? Heavy user logins? Automated script backup of the router configs around that time? Since you can set your watch by it, I would look for things that might be scheduled or always occur every day at that time or slightly before.
|
# ? Apr 29, 2010 12:51 |
|
What's the connectivity at each site? Has this slowly been moving forward or has it been relatively stable at 8:05 for months?
|
# ? Apr 29, 2010 13:01 |
|
So I'm having a stupid layer 1 problem, I'm sure. I've got a 2811 and a 2821 with WIC-1DSU-T1-V2 cards in each. I've connected them with a straight through ethernet cable. I imagine I need a T1 crossover? I'd rather not create a crossover cable if I don't have to, but is that what the problem is?
|
# ? Apr 29, 2010 17:38 |
|
Powercrazy posted: So I'm having a stupid layer 1 problem, I'm sure. I've got a 2811 and a 2821 with WIC-1DSU-T1-V2 cards in each. I've connected them with a straight through ethernet cable. I imagine I need a T1 crossover? I'd rather not create a crossover cable if I don't have to, but is that what the problem is?

You're going to need to create a crossover cable. With a straight through you're putting the transmit against a transmit and a receive against a receive. So your receive pins are always waiting for a transmission that's not coming and your transmit pins are sending transmissions and causing collisions. I would like to also say that an ethernet straight through is fine, but t1 needs a different pinout for crossover, but it seems like you know that from your post.
|
# ? Apr 29, 2010 17:47 |
|
Yea I was hoping there was a way to automagically swap pins within IOS, but I don't think that is the case. Oh well. Stupid legacy technology...
|
# ? Apr 29, 2010 18:13 |
|
Powercrazy posted: Yea I was hoping there was a way to automagically swap pins within IOS, but I don't think that is the case. Oh well. Stupid legacy technology...

There is something like it, but it's exclusive to Ethernet interfaces. Even then it doesn't give you the option to swap pins automatically, but rather if it's connected to a like device (router to router, switch to switch) with a straight through, it can change its pins so you don't need a crossover. This is called auto mdix.

http://www.cisco.com/en/US/tech/tk389/tk214/technologies_tech_note09186a0080094781.shtml#appc
|
# ? Apr 29, 2010 18:46 |
|
Powercrazy posted: Yea I was hoping there was a way to automagically swap pins within IOS, but I don't think that is the case. Oh well. Stupid legacy technology...

T1 crossover: Swap pair [1,2] with [5,4]. Extra pins are not needed.
|
# ? Apr 29, 2010 19:06 |
|
To think all this time I've been avoiding the RJ45 T1 cards because I thought you needed some more specialized equipment to cross-connect them. I could have avoided buying all of these loving serial cables for my lab. Oh well, at least I can simulate a frame switch convincingly.

Maybe this is a dumb question, but which side sets the clock in a T1 crossover?

some kinda jackal fucked around with this message at 20:09 on Apr 30, 2010
# ? Apr 30, 2010 20:01 |
|
T1 clocking can be done by either side (even independently), though typically the provider equipment will provide the timing because as you start to aggregate multiple T1s into T3s and eventually into OC3+'s the timing gets more and more precise. http://en.wikipedia.org/wiki/Synchronous_optical_networking#Synchronization
|
# ? Apr 30, 2010 21:14 |
|
tortilla_chip posted: sh run vrf NAME should get you what you need. It's supported on the 7600 platform.

I was thinking more along the lines of something that would grab that information network wide and aggregate it together. CiscoWorks has an MPLS tool. Has anyone used it or anything with similar capabilities?

http://www.cisco.com/en/US/products/sw/netmgtsw/ps5332/index.html
|
# ? Apr 30, 2010 21:37 |
|
Martytoof posted: To think all this time I've been avoiding the RJ45 T1 cards because I thought you needed some more specialized equipment to cross-connect them. I could have avoided buying all of these loving serial cables for my lab.

Nope. In fact I sometimes use a RJ45 jack, some cross connect wire and a plug.

CrazyLittle fucked around with this message at 00:47 on May 1, 2010
# ? May 1, 2010 00:38 |
|
Need ideas. I was planning on running eigrp across an IPSec w/ gre tunnel on an ASA. I just found out that you can't terminate gre on an asa. So I'm left trying to figure out how the hell I can make this work. I think I can run OSPF across the IPSec tunnel and then redistribute EIGRP into that. Or is there someway to get EIGRP working between 2 asa's over a tunnel that I am unable to find?
|
# ? May 3, 2010 22:45 |
|
Help me understand something. I have <public IP>. It was Natted to 10.0.2.20, but that server is being replaced by 10.0.3.16, so here's what I did to update my PIX: code:
I thought this kind of change would be immediate, so I'm confused as to what it takes for our public IP to get to the new internal IP of .3.16.
|
# ? May 4, 2010 00:06 |
|
You have to run clear xlate to make the change take effect. http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1084248 6.3, YMMV
|
# ? May 4, 2010 00:12 |
|
Aaaaaah, thank you! I had no idea about that one.
|
# ? May 4, 2010 00:24 |
|
Harry Totterbottom posted: Need ideas.

In 8.x you should be able to run EIGRP using about the same procedure you found for OSPF since it looks like they have static neighbors (which is the main feature you need to enable tunneling the protocol over IPsec).
|
# ? May 4, 2010 00:39 |
|
Harry Totterbottom posted: Need ideas.

ASAs are not routers, so no GRE Tunnels (by design). Typically for Site to Site Tunnels you want to use ISRs or something similar. Or have a router behind the ASA. You can still setup EIGRP/OSPF but they work differently, look up "receive only" for EIGRP and Nonbroadcast Multiaccess Networks for OSPF.
|
# ? May 4, 2010 00:41 |
|
I've got a couple 3825s and 2821s with T1 WICs in them, used as PRIs for voice calls. We want to monitor the PRIs for utilization, but can't seem to find a way to do so. Anyone have any ideas?
|
# ? May 4, 2010 01:46 |
|
n0tqu1tesane posted: I've got a couple 3825s and 2821s with T1 WICs in them, used as PRIs for voice calls. We want to monitor the PRIs for utilization, but can't seem to find a way to do so.

As in just see how many channels are used at specific intervals? I apologize for not having an answer, I was just curious to know what specifically you were looking to find out.
|
# ? May 4, 2010 02:35 |
|
Syano posted: As in just see how many channels are used at specific intervals? I apologize for not having an answer, I was just curious to know what specifically you were looking to find out.

Yeah, pretty much. Keep an eye on utilization so we can decide whether capacity needs increasing or can be decreased for cost savings.
|
# ? May 4, 2010 03:03 |
|
n0tqu1tesane posted: Yeah, pretty much. Keep an eye on utilization so we can decide whether capacity needs increasing or can be decreased for cost savings.

I'm not a voice guy, but if you have the routers setup for Call Management I'm positive there is some command related to number of calls etc. If you want just periodic snapshots, you can use an SNMP trap, that will basically give you the output of "sh int ser0/0" or whatever for your T1 interfaces and then save the output with a script or something. If you want something more detailed you'll have to use netflow or something like that.
|
# ? May 4, 2010 04:34 |
|
Bleh, I wanted to avoid redistribution but I was able to get OSPF up and running between 2 of the links pretty painlessly. So I'll just redistribute as TAC is telling me it's not really possible to use eigrp across the ipsec tunnel. The big picture is this is for secondary paths for voice traffic as well as provide some simple load balancing for some of the data traffic going into our data center to pull the strain off the T-1 pairs.
|
# ? May 4, 2010 04:47 |
Just found some old Cisco gear laying around at work from an old contract that wasn't renewed, and they opted to just leave the stuff with us. I'm going to start setting up a CCNA lab for home; at the moment I've got:

2x 1721's w/ 32mb/16mb, 1 WIC 1enet + 1 WIC 1T serial each
2x PIX 501's
2x Aironet 1121
1x 871
Power cables / PSU's for all of them, one console cable (RJ45-Serial), one serial to dte cable.

What's next? Update their IOS versions, sort out what cables I need and buy 2-3 switches?

Beaucoup Haram fucked around with this message at 07:31 on May 4, 2010
|
# ? May 4, 2010 06:57 |
|
XakEp posted: Ok, here's a fun one. We haven't gotten deep into the debug process yet, but we have a site to site GRE tunnel that flaps at 8:05 EST every day, give or take 30 seconds. The interface this goes over is up/up, and the carrier sees no errors on the circuit.

I know it's usually implied but are you using IPSec with the GRE tunnel? If so, the default ISAKMP lifetime is 86,400 seconds (24 hours) which might cause the tunnel to flap while it regenerates new SA keys.

Now this part I haven't researched but maybe if you rekey the SA part of the ISAKMP/IKE transform sets at a particular time where it wouldn't be too harmful for the site to flap. I assume this would reset the countdown and make the time you re-entered the command as the new 24 hour interval.
|
# ? May 4, 2010 15:40 |
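Added example, not part of any post in this thread: one way to test the rekey-timer guess in the post above against router logs, by clearing the SA at a known time and checking whether the next flap lands one lifetime after the clear or stays at its old time of day. The log lines are constructed, timestamps are assumed to be logged with a year, and the function names are hypothetical.

```python
import re
from datetime import datetime

LIFETIME = 86400  # default ISAKMP lifetime in seconds, as quoted in the post above
TOL = 60          # two flaps that are each "give or take 30 seconds" can differ by 60

# Constructed sample log (not from the thread); SA cleared by hand at 14:00 on Apr 27.
SAMPLE_LOG = """\
Apr 26 2010 08:05:02: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
Apr 26 2010 08:05:09: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Apr 27 2010 08:04:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
Apr 27 2010 14:00:03: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
Apr 28 2010 14:00:11: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
"""

PAT = re.compile(r"^(\w{3} +\d+ \d{4} [\d:]{8}): %LINEPROTO-5-UPDOWN: "
                 r"Line protocol on Interface ([^,]+), changed state to down$")

def down_events(log, interface="Tunnel0"):
    """Return sorted datetimes at which the interface line protocol went down."""
    out = []
    for line in log.splitlines():
        m = PAT.match(line.strip())
        if m and m.group(2) == interface:
            out.append(datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S"))
    return sorted(out)

def circular_gap(seconds, period):
    """Distance from `seconds` to the nearest multiple of `period`."""
    r = seconds % period
    return min(r, period - r)

def classify(downs, reset_at, lifetime=LIFETIME, tol=TOL):
    """'timer': next flap follows the clear; 'schedule': it keeps its time of day."""
    before = [t for t in downs if t < reset_at]
    # Ignore the flap caused by the manual clear itself.
    after = [t for t in downs if (t - reset_at).total_seconds() > tol]
    if not before or not after:
        return "insufficient data"
    nxt = after[0]
    timer_err = abs((nxt - reset_at).total_seconds() - lifetime)
    clock_err = circular_gap((nxt - before[-1]).total_seconds(), 86400)
    if timer_err <= tol and clock_err > tol:
        return "timer"      # consistent with SA lifetime expiry
    if clock_err <= tol and timer_err > tol:
        return "schedule"   # look for a job or event tied to the wall clock
    return "inconclusive"   # e.g. the clear was done at the usual flap time

if __name__ == "__main__":
    reset = datetime(2010, 4, 27, 14, 0, 0)  # constructed time of the manual clear
    print(classify(down_events(SAMPLE_LOG), reset))
```

The clear has to be done well away from the usual flap time, otherwise both explanations predict the same next flap and the result is "inconclusive".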
|
I'm doing something dumb but I don't know what. I'm setting up a simple GRE tunnel between two sites. And running EIGRP over them. However the network attached to each router will not be advertised across the tunnel. In my case I've got 10.1.1.1/24 on one side and 10.2.2.1/24 on the other, and I'd like those routes to come up in EIGRP.

Hub Router

interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 ip mtu 1514
 no ip next-hop-self eigrp 123
 no ip split-horizon eigrp 123
 tunnel source GigabitEthernet0/1
 tunnel destination 20.2.2.2
router eigrp 123
 network 10.1.1.0 0.0.0.255
 network 192.168.1.0
 auto-summary

Spoke Router

interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 tunnel source Serial0/0/0
 tunnel destination 20.1.1.1
router eigrp 123
 network 10.2.2.0 0.0.0.255
 network 192.168.1.0
 auto-summary

As far as I can tell those networks should both be advertised but they aren't. What is going on?
|
# ? May 5, 2010 17:24 |
|
Powercrazy posted: I'm doing something dumb but I don't know what. I'm setting up a simple GRE tunnel between two sites. And running EIGRP over them. However the network attached to each router will not be advertised across the tunnel.

Have you tried adding in the ip address of the neighbors under your eigrp process?
|
# ? May 5, 2010 18:29 |