Harry Totterbottom posted: Have you tried adding in the ip address of the neighbors under your eigrp process?

Well, you don't want to do that because it disables multicast on the tunnel interface, which is bad if you want to do DMVPN, which is what I'll eventually do. http://www.cisco.com/en/US/tech/tk365/technologies_q_and_a_item09186a008012dac4.shtml#ten Anyway, I figured out the problem: I need "no auto-summary" on the EIGRP process. Now to set up an IPSEC tunnel and move to stage 2....

May 5, 2010 18:43

If you want DMVPN skeleton configs just ask. I can whip them up for you.

May 5, 2010 21:41

OK, never mind. I figured out my problem with the PT Cloud finally. However, I am now having an even bigger issue which I can't even begin to troubleshoot past what I've already done. This is the scenario: Now, after I finally got ISP and R1 to communicate through the relay cloud, I thought I was in good shape, right? Wrong. For some reason, and I'm beginning to think it's an error with Packet Tracer, PC1 CANNOT ping PC0. However, PC0 CAN ping PC1. So, I figured I would put a quad-zero IP route on R1 to go out S0/0/1 as well as a quad-zero IP route on ISP to go out S0/0/0. Well, this made me able to ping from PC1 to all interfaces on the right side of the relay cloud AND S0/0/0 on ISP, but PC1 is still unable to ping ISP's Fa0/0 interface or PC0. After a little more troubleshooting (building the exact same network from the ground up and running pings after every change), I found it is definitely the static NAT that is causing problems. Also, if it matters at all, I'm running EIGRP between all three routers. My static NAT coding is very basic and there's nothing wrong with it that I can see. code:

sonikburn fucked around with this message at 20:36 on May 6, 2010

May 6, 2010 03:14

jwh posted: If you want DMVPN skeleton configs just ask. I can whip them up for you.

I'm using a few guides and working through things step by step. Right now I've got 2 spokes with 2-step encryption set up, shared secret and then AES IPsec. I'm going to do the spoke-to-spoke setup tomorrow. Incidentally, the spoke-to-spoke stuff is why I'm bothering with this anyway: with a global network, if our sites try to talk to each other we have to use traditional telephony, which is much more expensive, and since we already have the hardware in place we might as well utilize it. It also makes adding new sites trivial, which is always a plus.

May 6, 2010 07:03

Hey jwh, to do dynamic spoke-to-spoke tunnels do you need 12.4T? I'm running 12.4(18) and I don't have the "show dmvpn" command, so hopefully it's just a different syntax and I don't need to move to the Pain Train.

May 6, 2010 15:47

As far as I know dynamic spoke to spoke support is available if the code supports nhrp. Are all your gre interfaces set as point-to-multipoint? The spokes shouldn't have any gre destination interface set. I'd say check at the hub that all the relevant spokes show up in nhrp. Then check nhrp on a spoke for another spoke; then look at ipsec between the two spoke sites.

May 6, 2010 20:27

Just edited the scenario I posted above, realized I explained it wrong. PC1 can ping all the way to S0/0/0 on ISP, just not PC0 or Fa0/0 on ISP.

May 6, 2010 20:38

sonikburn posted: Just edited the scenario I posted above, realized I explained it wrong. PC1 can ping all the way to S0/0/0 on ISP, just not PC0 or Fa0/0 on ISP.

What's the subnet mask on Fa0/0 on ISP?

May 6, 2010 22:23

Never mind, just got it! The problem was the static ip route was wrong on my ISP router. Since it didn't know where to go with packets for the 192.168.40.0 network, it was dropping them. So I added this line to send the 40.0 network packets to 30.1 and it fixed all: code:

sonikburn fucked around with this message at 02:35 on May 7, 2010

May 6, 2010 23:50

inignot posted: As far as I know dynamic spoke to spoke support is available if the code supports nhrp. Are all your gre interfaces set as point-to-multipoint? The spokes shouldn't have any gre destination interface set.

I got it working, it's pretty slick. Now I need to figure out an elegant way to allow traffic from a specific vlan to create dynamic tunnels but force all other traffic to head to the Hub then to the spoke. I imagine the way to do it is create a separate tunnel that has static mappings for its destination and source addresses. Route the interesting vlan into the dynamic tunnel and filter all the other traffic into the normal one.

ate shit on live tv fucked around with this message at 15:02 on May 7, 2010

May 7, 2010 14:58

Powercrazy posted: Hey jwh, to do dynamic spoke-to-spoke tunnels do you need 12.4T? I'm running 12.4(18) and I don't have the "show dmvpn" command, so hopefully its just a different syntax and I don't need to move to the Pain Train.

"show dmvpn" and the like were added later, but DMVPN support was around earlier. I think the "show dmvpn" stuff shows up in the feature navigator under the heading "DMVPN usability improvements 2" or something like that. But yeah, 12.4 has DMVPN, even though "show dmvpn" didn't arrive until later.

May 10, 2010 15:09

Simple summarization woes. I've got two branch routers that should have just a summary route to the hub router. Basically each one should see a 10.0.0.0/8 out of its tun0 interface, but right now each router is seeing a full route table. In addition, for scalability the hub router should see only one /18 route to each branch, but it is seeing full routes as well. If I enable auto-summarization it will auto-summarize to a /8, which will break the remote sites. What am I doing wrong? Relevant config (I think?); this is on all the routers except the network statement is updated to reflect the local networks. code:

    router eigrp 123
     network 10.1.0.0 0.0.63.255 !This is supposed to be a 10.1/18 but it's advertising more...
     network 192.168.1.0
     no auto-summary

May 11, 2010 18:39

|
Completely unrelated to what you guys have been going on about, but I have an issue. I'm not familiar at all with CallManager or the voice side of things outside of setting up QoS for it and doing some basic debugging. I'm also not familiar with DID lines, mostly POTS lines, so if anyone could provide some basic help that'd be great. I have a set of new DID line numbers that I need to add to the pool. How do I go about this? The CallManager GUI is about as forgiving as a bear trap and my tinkering hasn't worked thus far. It doesn't help that this system I'm working on was set up years ago and ported over for the most recent CallManager version. The translation patterns are asinine and I'm astounded that this setup even works. If someone can just provide some real basic steps, nothing too detailed, I can figure it out; I just don't know where to start. Do I need to create a new dial-peer on the router which the DID will be coming in through?

May 11, 2010 19:12

|
Powercrazy posted: router eigrp 123

You aren't describing the routes that EIGRP should advertise, you're describing which matching interfaces will become part of that EIGRP process. For what you are trying to do, your best bet is to implement a distribute-list, i.e.:

    router eigrp 123
     network 10.1.0.0 0.0.63.255
     distribute-list prefix site-summaries out
     no auto-summary
    ip prefix-list site-summaries seq 5 permit 10.1.0.0/18

edit: I should be clear, you want to do this only if you have a 10.1.0.0/18 route in your IGP already. Which could be either a redistributed hold-down or whatever, but just be advised.

jwh fucked around with this message at 20:27 on May 11, 2010

May 11, 2010 20:23

Thanks jwh. When I got back from lunch I realized what I did wrong. I need to summarize on the outgoing interfaces... In this case mGRE tunnels. So now I've got this: code:

May 11, 2010 20:33

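An added example, not from the thread, that works through the summarization problem above with Python's ipaddress module: why auto-summary collapses every branch to the same 10.0.0.0/8 at the hub, and what the per-branch /18 summary should be instead. The branch address plans are constructed; the AS number 123 comes from the thread's config, and the `ip summary-address eigrp` line is the standard IOS per-interface form (the poster's own tunnel config is not preserved on the page).

```python
from ipaddress import IPv4Network

# Constructed branch address plans matching the thread's layout: each branch
# owns a 10.x.0.0/18 block carved into /24 LANs, and the hub should learn
# exactly one /18 per branch over its mGRE tunnel.
SITES = {
    "branch1": ["10.1.0.0/24", "10.1.10.0/24", "10.1.63.0/24"],
    "branch2": ["10.2.0.0/24", "10.2.20.0/24", "10.2.63.0/24"],
}
EIGRP_AS = 123  # AS number from the thread's config


def classful_summary(net: IPv4Network) -> IPv4Network:
    """The summary EIGRP 'auto-summary' produces: the classful boundary."""
    first_octet = int(net.network_address) >> 24
    prefixlen = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return IPv4Network((net.network_address, prefixlen), strict=False)


def minimal_summary(prefixes) -> IPv4Network:
    """Longest single prefix that still covers every subnet of a site."""
    nets = [IPv4Network(p) for p in prefixes]
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    for plen in range(32, -1, -1):
        candidate = IPv4Network((lo, plen), strict=False)
        if hi in candidate:
            return candidate
    raise AssertionError("unreachable: 0.0.0.0/0 covers everything")


def hub_view(sites, auto_summary: bool):
    """Routes the hub learns, mapped to the branches sourcing each one. A prefix
    sourced by two branches is the thread's bug: the hub can't pick a tunnel."""
    learned = {}
    for name, prefixes in sites.items():
        site = minimal_summary(prefixes)
        advertised = classful_summary(site) if auto_summary else site
        learned.setdefault(str(advertised), []).append(name)
    return learned


def summary_command(prefixes) -> str:
    """Standard IOS per-interface EIGRP summary (the thread's own lines are not on the page)."""
    s = minimal_summary(prefixes)
    return f"ip summary-address eigrp {EIGRP_AS} {s.network_address} {s.netmask}"


if __name__ == "__main__":
    print("auto-summary on: ", hub_view(SITES, auto_summary=True))
    print("auto-summary off:", hub_view(SITES, auto_summary=False))
    for name, prefixes in SITES.items():
        print(f"{name}: {summary_command(prefixes)}")
```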
reborn posted: Completely unrelated to what you guys have been going on about but I have an issue.

What version of CallManager? How are the lines coming into the system? T1/PRI? I've got access to a couple different versions of CCM, as well as a variety of hardware available, so I might be able to put together a walkthrough for you.

May 11, 2010 21:15

What is it called when you allow only a specific vlan to create spoke-to-spoke tunnels? I know you can do it, but I'm looking for a generic way of doing it, not necessarily voice only. So far I can't find an elegant way of doing it. I should be able to set up some way where if I ping from 10.3.3.0/24 to 10.2.3.0/24, two spoke sites, I should be able to use NHRP, whereas if I ping between two different networks then the traffic will pass through the Hub and not go site to site. There is a term for specifically what cisco uses, but I imagine I can do that same thing with any vendor that supports DMVPN. Hm...

May 12, 2010 17:49

I don't know, that sounds complex. Can you enumerate your requirements for me, so we can see what we're dealing with?

May 12, 2010 20:22

Sounds like a nightmare. As far as I know dynamic spoke to spoke vs everything goes to hub is a property of the spoke tunnel : point to multipoint vs point to point. I dunno...set up two tunnels? One P2MP & one P2P and run different routing processes on each? Crawl under your desk and weep?

May 13, 2010 02:38

I'm a loving idiot so nvm
sterster fucked around with this message at 04:34 on May 13, 2010

May 13, 2010 04:28

To clarify a little about what I'm doing: It's a proof of concept and it will be used for voice traffic eventually. The idea is that since voice is much more sensitive to latency/jitter etc., in a geographically dispersed network you need dynamic spoke-to-spoke tunnels to carry voice traffic, so I've got this part working. Now, because of security and regulation requirements, all internet traffic needs to be monitored and go through the hub. Spoke-to-spoke phone calls are monitored using RSPAN or a variety of other methods, but a phone call is actually bandwidth-light compared to all the other traffic. What we don't want is the ability for someone to "shortcut" the firewall/monitoring stuff we have set up with other traffic. I figured this would be fairly straightforward, as you only allow a particular network, the voice network, to make NHRP requests, but I'm not sure of the best way to do it. There is the multiple tunnel approach, spoke ACLs perhaps, hmm. So that's where I'm stuck: what is the "best" way to do it?

May 13, 2010 16:28

I may have asked something similar to this. I apologize if it has been covered. We got a notification that a Windows system was sending out spam on our network. We were given the offender's IP address. We could not ping the address (none of our Windows systems are joined to Active Directory, so it's very likely the firewall is up on the system). We checked the DHCPD lease pool and matched the IP to a MAC address. I manage 17 Cisco switches (around 15 are 2960s, maybe 2 are 2950s) that cover several floors of multiple buildings. I was logging into each one and doing "show arp". Each would show around 3 or 4 addresses total. None of the switches listed the MAC address I was looking for. We have maybe around 200 active connections. What command would I use to see what MAC is on which interface? Is there such a command to help me find where this MAC is?

May 13, 2010 20:12

show mac-address-table or show mac address-table; I forgot which one works on what.

May 13, 2010 20:25

Xenomorph posted: What command would I use to see what MAC is on which interface? Is there such a command to help me find where this MAC is?

code:

May 13, 2010 20:27

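An added example, not from the thread, showing the mechanics behind the answers above: the DHCP lease gives the MAC in colon form, the switch tables print Cisco's dotted form, and a MAC learned on an inter-switch uplink only points toward the real edge port. The `show mac address-table` output, switch names and uplink lists below are constructed, as is the spambot's MAC.

```python
import re

# Constructed 'show mac address-table' output from two switches; the core
# switch lists the MAC too, but only on its uplink toward the edge switch.
SWITCH_OUTPUT = {
    "core-bldg2": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0011.2233.4455    DYNAMIC     Fa0/1
  20    00aa.bbcc.dd01    DYNAMIC     Gi0/1
""",
    "edge-bldg1-fl1": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    001b.1234.abcd    DYNAMIC     Gi0/1
  20    00aa.bbcc.dd01    DYNAMIC     Fa0/17
""",
}
# Inter-switch links per switch; a MAC learned there is not plugged in locally.
UPLINKS = {"core-bldg2": {"Gi0/1", "Gi0/2"}, "edge-bldg1-fl1": {"Gi0/1"}}

ENTRY = re.compile(r"^\s*(\d+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)


def normalize_mac(mac: str) -> str:
    """Cisco dotted form (aabb.ccdd.eeff) from colon, dash or dotted spelling."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def parse_mac_table(text: str):
    """Yield (vlan, mac, port) for each numbered-VLAN entry in the output."""
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            yield int(m.group(1)), m.group(2).lower(), m.group(3)


def locate_mac(mac: str, outputs: dict, uplinks: dict) -> list:
    """Every switch/port where the MAC is learned, flagging uplink hits."""
    wanted = normalize_mac(mac)
    return [
        {"switch": sw, "vlan": vlan, "port": port,
         "uplink": port in uplinks.get(sw, set())}
        for sw, text in outputs.items()
        for vlan, entry, port in parse_mac_table(text) if entry == wanted
    ]


def edge_port(hits: list):
    """The access port to disable: the single hit that is not an uplink."""
    edge = [h for h in hits if not h["uplink"]]
    return edge[0] if len(edge) == 1 else None
```

Feed it the real table output collected from each switch and the lease's MAC; the single non-uplink hit is the port to shut down.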
Thanks d00ds. Multiple warning systems were tripped or something because a system on our network was detected running the "Storm" spambot or something, sending out crap like crazy. We got an email giving us the IP. We couldn't physically find the system. Turns out some building maintenance guy had his system (Windows box logged in as ADMIN) wired into our network, off in a location I had no access to, using a connection left over from a department that hasn't existed in years or something. That poo poo couldn't have happened if it were up to me, but I'm inheriting the department. Apparently a verbal handshake happened allowing them to use our connection, and it would piss off a ton of people if I kept them turned off (the port is currently disabled), so I will probably have to turn them back on after I know the system has been cleaned and/or wiped.

May 13, 2010 21:05

How does the pix/asa inside host user licensing work? I have a pix 501 with a 10 user license, but I noticed that I can go over and it seems to just up the amount in the 'show local' command. code:
code:
Why is it saying 20 active, maximum active?

para fucked around with this message at 01:54 on May 14, 2010

May 14, 2010 01:42

Xenomorph posted: That poo poo couldn't have happened if it were up to me, but I'm inheriting the department. Apparently a verbal handshake happened allowing them to use our connection, and it would piss off a ton of people if I kept them turned off (the port is currently disabled), so I will probably have to turn them back on after I know the system has been cleaned and/or wiped.

VLAN VLAN VLAN. Separate that guy from your production network at the very least.

May 14, 2010 01:45

para posted: How does the pix/asa inside host user licensing work?

The two times I've run into PIX/ASA licensing issues, given 10 licenses, the 11th device to try to go from inside-->outside could not.

May 14, 2010 11:26

Well that was easy. The answer was right in front of me. code:
That's the spoke site. I just used the 'ip nhrp interest' command with an acl that permitted the "interesting" traffic. In this case the network 10.2.2.0/24. All other traffic will not trigger an NHRP shortcut tunnel. Can't believe it took me like 3-4 days to figure out something so simple. Oh well. Elegant and scalable, what more could you ask for?

May 14, 2010 16:35

n0tqu1tesane posted: What version of CallManager? How are the lines coming into the system? T1/PRI?

The latest version of CallManager and they are coming in through a PRI through a 2821.

May 16, 2010 22:50

reborn posted: The latest version of CallManager and they are coming in through a PRI through a 2821.

Do you already have working lines coming in through that PRI? Do you just want your external number to reach an internal extension?

May 17, 2010 17:08

Is it possible to schedule a regular reboot of a Cisco ASA 5510? I don't know if there is an issue with the configuration, but once every month or two it seems to just stop letting traffic through. We can connect, but aren't able to access the network. Once we reboot the 5510, everyone can connect through it again and everything works. Through the ASDM software, I can schedule a one-time reboot: now, an hour from now, a week from now, next year, etc. But just once. I'd like to schedule it to reboot once a week, around Sunday at 4AM or so.

May 18, 2010 21:13

Xenomorph posted:
clear xlate?

May 18, 2010 21:36

Xenomorph posted: Is it possible to schedule a regular reboot of a Cisco ASA 5510?

No. Have you opened a case? This is more than likely a SW defect that we can fix...

May 18, 2010 22:43

Tremblay posted: This is more than likely a SW defect that we can fix...

You know what SW defect you NEED to fix? That TERRIBLE ios-menu-crap on the Small Business Switches. God, that poo poo is terrible. Somehow we put in an order for an older model switch and then the vendor thought since it was EOS he would just get the equivalent, and we ended up with one of those. I think we are using it to hold open a door now.. Just figured I would vent.

May 18, 2010 23:30

Haha, I know exactly what you are talking about; it's actually worse than the SDM thing.

May 19, 2010 04:24

Super simple question here I hope, but I know I have no idea what the answer is. I've got a WS-C2924C-XL-EN switch, running some IOS that is only who knows how old (sh ver: http://pastebin.com/xa7L1ZTb). It's spitting out a tremendous number of errors related to some kind of processor deal, then some kind of timing stuff. That's only when I turn on debugging. I assume a new IOS might fix that, as per what Google told me. I'd like to know what version of IOS I can run so I can upgrade.

However, my real problem is that I've got a bizarro setup that I can't trace the problem for. Right now I have a pfSense router set up with two NICs, one assigned as LAN and given a port on the switch. The other NIC is assigned to three virtual adapters, each given a separate VLAN. Each VLAN is going to be used for different internet connections, and will be routed later on. Right now I've got three more ports on the switch assigned to a single VLAN each and then connected to their respective modem. The port connected to the router is defined as a trunk in the Cisco software, and is passing data correctly. Everything seems to work, until I try and pass data, when all of a sudden the status light on the trunk port goes into link-fault mode and blinks green/amber. Doing a "sh in fa0/19" tells me everything is alright, except it's receiving a large number of "runt" packets, which I assume is the issue. Speed doesn't seem to be a problem, but if something's not working right, how can I trace this issue down and fix it?

EDIT: Never mind, I guess. Had a friend dig up the newer IOS for me, and after flashing all is well.

CanOfMDAmp fucked around with this message at 05:49 on May 19, 2010

May 19, 2010 04:40

If I wanted to spend like less than $150 used to start building a little lab what kind of switch should I get? I'd like at least 2 gbit ports... I was looking at the 2950T for $100 but if there is something newer that'd be cool.

May 19, 2010 04:50

CanOfMDAmp posted: Super simple question here I hope, but I know I have no idea what the answer is.

Your pastebin link isn't working, but Cisco's website says the following are the newest IOS images.

    c2900xl-c3h2s-mz.120-5.WC17.bin
    c2900xl-c3h2l9s-mz.120-5.WC17.bin

However, that might not fix it. That switch is pretty old; the end of support date was Nov 2006. You should be able to get a comparable 2950 for less than $100 now.

May 19, 2010 05:16

Yeah, I picked it up on SA Mart from M@ for $40 I think, and didn't really think of ever using it much other than for LAN parties and whatnot. Either way, the new IOS fixed all my problems!

May 19, 2010 05:50