OSPF question. I'm only familiar with OSPF at a CCNA level so I don't have too much background on summarization across ABRs. Purely a thought experiment right now: If you have an ABR in area 1 responsible for the following subnets:
172.16.0.0 - 172.16.7.0
192.168.0.0 - 192.168.7.0
Both of these can be summarized down to a /21, but since you issue an area 1 range command, am I right in assuming that you can only summarize one of these down, while the other would remain unsummarized? Or can you issue multiple area 1 range commands without them overwriting each other? Furthermore, is it just bad network design to put two dissimilar subnets which will never have a chance of summarizing down in the same area? I'm guessing it is, unless there's something I'm not seeing.
Edit: Oh wait, never mind, you can have multiple area N range commands in any given area, I'm not sure why I thought otherwise. I just summarized a ton of dissimilar subnets down to two or three. GNS3
some kinda jackal fucked around with this message at 19:28 on Jun 21, 2010
Jun 21, 2010 18:51

Hey guys, I have not had the chance to test out my NAT settings yet, unfortunately I have to wait till tomorrow. But here is another question. With my Cisco 1811 router, can I block websites? I only want to block about five websites and I would really rather not have to buy extra equipment. Not that I don't want to, but management won't. Is there a way I can re-route a domain name such as facebook.com and shoot it to something useless like 0.0.0.0? Or block it altogether?
Jun 23, 2010 14:59

Bardlebee posted:Hey guys, I have not had the chance to test out my NAT settings yet, unfortunately I have to wait till tomorrow. But here is another question.
The only thing you can really do is block IP addresses. If you had an ASA you might be able to add in regular expressions to block (haven't played with this so I'm not sure). You might be able to get away with using the free OpenDNS web filtering so you don't have to purchase a new device.
Jun 23, 2010 15:56

Harry Totterbottom posted:The only thing you can really do is block ip addresses. If you had an ASA you might be able to add in regular expressions to block (haven't played with this so I'm not sure). You might be able to get away with using the free OpenDNS web filtering so you don't have to purchase a new device. Doing more research before I found this post, I used OpenDNS and it has worked very well. Beyond what I expected. I only need to block about five, but it allows for a free account with up to 25 blocks/whitelists. So I think I am good and thanks for the suggestion! Now if only I can convince my employer to have a domain controller in our 100 user company
Jun 23, 2010 16:21

Woohoo! It looks like ASA 5505s are starting to be stocked again.
Jun 23, 2010 21:25

Pussy Noise posted:
Jun 24, 2010 11:17

I don't know if there are any BGP experts here, but I have a question. We have Qwest for our MPLS connections between our 30 remote sites. Qwest had a snafu and our HUB BGP routers which usually have around 30 networks suddenly got 3000+ routes, which killed connectivity to our remote sites. They were bad routes that went elsewhere in the Qwest cloud and not to our remote offices. So in order to prevent that in the future the only solution we can come up with is a route white list so that only our remote sites will be in the routing tables. The problem is that we have to apply this map everywhere, and if we add a new site we have to update all of our offices. Obviously this sucks, so anyone know a better or correct way of doing this? We can't use community values because Qwest won't support them, we are also in the process of getting another MPLS provider, but that is a slow expensive process.
Jun 24, 2010 15:25

Powercrazy posted:I don't know if there are any BGP experts here, but I have a question.
Jun 24, 2010 18:09

Powercrazy posted:We can't use community values because Qwest won't support them, we are also in the process of getting another MPLS provider, but that is a slow expensive process. Qwest won't forward your communities if you send them (try sending them, see if they show up)? The only other option would be what jwh is thinking (set up as-path filters), anything else would be an ugly hack.
Jun 24, 2010 19:01

Hmm, as-path filters eh? Here is a subset of the paths we were getting.
*> 1.0.0.1/32 208.46.155.225 0 209 65002 i
*> 1.0.0.2/32 208.46.155.225 0 209 65003 i
*> 3.3.3.0/30 208.46.155.225 0 209 209 ?
*> 10.0.0.0/24 208.46.155.225 0 209 i
*> 10.0.0.0/23 208.46.155.225 0 209 209 ?
*> 10.0.0.0/16 208.46.155.225 0 209 ?
*> 10.0.0.0/12 208.46.155.225 0 209 209 ?
*> 10.0.0.0 208.46.155.225 0 209 i
*> 10.0.0.1/32 208.46.155.225 0 209 2005 ?
*> 10.0.0.2/32 208.46.155.225 0 209 2005 ?
*> 10.0.0.200/32 208.46.155.225 0 209 209 i
*> 10.0.1.0/24 208.46.155.225 0 209 65000 i
*> 10.0.2.0/24 208.46.155.225 0 209 i
*> 10.0.56.0/24 208.46.155.225 0 209 65000 i
*> 10.0.77.0/24 208.46.155.225 0 209 65065 i
*> 10.1.0.0/24 208.46.155.225 0 209 ?
*> 10.1.0.0/16 208.46.155.225 0 209 ?
*> 10.1.1.0/24 208.46.155.225 0 209 ?
*> 10.1.1.224/27 208.46.155.225 0 209 65200 i
*> 10.1.2.0/28 208.46.155.225 0 209 2006 2009 116 i
*> 10.1.2.0/24 208.46.155.225 0 209 ?
*> 10.1.129.0/24 208.46.155.225 0 209 65024 65004 11158 65007 i
And here is what we normally get....
*> 10.1.41.92/30 208.46.155.225 0 209 4755 ?
*> 10.255.255.0/30 208.46.155.225 0 209 i
*> 10.255.255.4/30 208.46.155.225 0 209 i
*> 63.149.44.72/30 208.46.155.225 0 209 ?
*> 63.226.75.124/30 208.46.155.225 0 209 ?
*> 63.227.224.144/30 208.46.155.225 0 209 ?
*> 63.229.104.184/30 208.46.155.225 0 209 i
*> 63.231.5.100/30 208.46.155.225 0 209 ?
*> 65.100.13.28/30 208.46.155.225 0 209 i
*> 65.115.53.64/30 208.46.155.225 0 209 ?
*> 65.115.53.66/32 208.46.155.225 0 209 ?
*> 67.131.252.240/30 208.46.155.225 0 209 i
*> 67.131.252.244/30 208.46.155.225 0 209 ?
*> 67.131.252.246/32 208.46.155.225 0 209 ?
*> 67.148.31.112/30 208.46.155.225 0 209 ?
*> 67.148.89.248/30 208.46.155.225 0 209 i
*> 67.148.141.176/30 208.46.155.225 0 209 ?
*> 67.148.251.88/30 208.46.155.225 0 209 i
*> 72.164.125.240/30 208.46.155.225 0 0 209 ?
*> 72.164.126.48/30 208.46.155.225 0 0 209 ?
*> 146.198.158.48/30 208.46.155.225 0 209 2006 i
See the problem is the bogus routes we are getting are similar to what we are expecting, so...
ate shit on live tv fucked around with this message at 19:26 on Jun 24, 2010
Jun 24, 2010 19:14

Well, there's not a lot you can do in that case. Particularly because the only decision you can really make is whether to move data into the provider's network, and if they're leaking routes between VRFs accidentally, you're not going to be able to influence forwarding inside their core anyhow.
Jun 24, 2010 21:35

Martytoof posted:OSPF question. I'm only familiar with OSPF at a CCNA level so I don't have too much background on summarization across ABRs. Purely a thought experiment right now:
quote:Furthermore, is it just bad network design to put two dissimilar subnets which will never have a chance of summarizing down in the same area? I'm guessing it is, unless there's something I'm not seeing.
quote:Edit: Oh wait, never mind, you can have multiple area N range commands in any given area, I'm not sure why I thought otherwise. I just summarized a ton of dissimilar subnets down to two or three.
Jun 25, 2010 04:43

jwh posted:Well, there's not a lot you can do in that case. Particularly because the only decision you can really make is whether to move data into the provider's network, and if they're leaking routes between VRFs accidentally, you're not going to be able to influence forwarding inside their core anyhow.
Yeah, I was afraid of this. I'm going to try to prepend our AS a few times and then see if I can white list only those routes which have our AS in them 3 times. It's not an elegant solution, but it's better than using a route white list for all our remote sites.
Jun 25, 2010 14:32

Going back to my NAT issue, I am testing it tonight, but I have some new information that I wanted to give you all in case it's important in my NAT config. There is a Cisco 2600 attached to the current router (the lovely retail one) that goes from the lovely retail's WAN port to its Fastethernet port, there is a cable going from the Cisco 2600 labeled T1/CSU/DSU, this goes to a white box which I assume is the modem. My assumption is that the router connects to this Cisco 2600, which is a T1 line and then connects to the modem. I don't think this should cause an issue and if it doesn't work I am going to draw a pretty picture with descriptive labels. Side Note: If I want to have a dhcp pool of 192.168.2.100-199, would I use an exclude command?
Jun 25, 2010 17:46

I'm having issues with multicasting between VLANs on the same stack. I've got a 3750 stack with a bunch of phones on it. The VoIP server which the phones must communicate with is on VLAN100, while the phones are all on VLAN10. I have multicast routing enabled via ip multicast-routing distributed as that was all I could do with this IOS revision. I've got ip pim sparse-dense-mode enabled on each of the VLANs but when I try and page (our paging system uses multicast) and do a show ip mroute the outgoing interface list only shows VLAN100 and not VLAN10. Also if I do a debug session and watch the log nothing ever responds on VLAN10. The TTL is 3 hops for the multicasts so that isn't it. I'm just lost and put a call in with TAC but they are slow as hell right now.
Jun 25, 2010 17:51

The only advice I have is to go download mcast.exe and start putting some data on the wire. That in conjunction with appropriate debugs on the 3750.
Jun 25, 2010 18:41

Bardlebee posted:Going back to my NAT issue, I am testing it tonight, but I have some new information that I wanted to give you all in case it's important in my NAT config.
Depends how you have the lovely retail router set up; RIP? Static route? NAT of the WAN port? Which device is going to do NAT?
For DHCP configuration, yeah, you'll want to use
ip dhcp excluded-address 192.168.2.1 192.168.2.99
ip dhcp excluded-address 192.168.2.200 192.168.2.254
under global config mode.
Jun 25, 2010 23:03

So I've found a better solution than per-site filtering for BGP routes.
pre:
m2821a-germany#sh ip bgp
*> 67.148.251.88/30 63.229.104.185 0 209 i
*> 72.164.125.240/30 63.229.104.185 0 209 ?
*> 72.164.126.48/30 63.229.104.185 0 209 ?
*> 146.198.158.48/30 63.229.104.185 0 209 2006 i
*> 172.16.77.0/24 63.229.104.185 0 209 209 209 209 209 209 i
*> 172.16.88.1/32 63.229.104.185 0 209 209 209 209 209 209 i
I created a route filter for our outgoing routes and prepended the transit AS to it 4 or 5 times. So then presumably we can filter based on the number of AS prepends. Kind of a hack job, but there we go. Now all I need to do is whip-up an inclusive regex.
Jun 26, 2010 19:18
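An added example (not from the thread) that parses the pasted sh ip bgp lines and applies the prepend-count idea from the post above as an IOS-style as-path regex: legitimate remote-site routes arrive with the transit AS repeated five or more times, leaked routes do not. The sample tables are constructed from the two pastes in this thread, the "first hop is the peer AS" parsing heuristic and the `_` translation are this example's assumptions, and the IOS lines in the comments are the assumed equivalent, not a config from the page.

```python
import re

# Constructed sample: the six "sh ip bgp" entries Powercrazy pasted from
# m2821a-germany, next hop and AS numbers as on the page.
SHOW_IP_BGP = """\
*> 67.148.251.88/30 63.229.104.185 0 209 i
*> 72.164.125.240/30 63.229.104.185 0 209 ?
*> 72.164.126.48/30 63.229.104.185 0 209 ?
*> 146.198.158.48/30 63.229.104.185 0 209 2006 i
*> 172.16.77.0/24 63.229.104.185 0 209 209 209 209 209 209 i
*> 172.16.88.1/32 63.229.104.185 0 209 209 209 209 209 209 i
"""
# Constructed sample: three of the leaked routes from the earlier post.
LEAK_SAMPLE = """\
*> 10.0.0.0/12 208.46.155.225 0 209 209 ?
*> 10.1.2.0/28 208.46.155.225 0 209 2006 2009 116 i
*> 10.1.129.0/24 208.46.155.225 0 209 65024 65004 11158 65007 i
"""
PEER_AS = "209"  # the transit AS: first hop of every path learned from Qwest


def parse_bgp_table(text, peer_as=PEER_AS):
    """Turn whitespace-flattened 'show ip bgp' lines into (prefix, as_path).

    A paste loses column alignment, so metric/localpref/weight can't be told
    from AS numbers by position. Assumption of this example: every path from
    this neighbor starts with the peer AS, so the numeric tokens before its
    first occurrence are attribute columns, not part of the path.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith("*"):
            continue                     # header, blank or malformed line
        tail = fields[3:-1]              # after next hop, before origin code
        if peer_as in tail:
            routes.append((fields[1], " ".join(tail[tail.index(peer_as):])))
    return routes


def ios_aspath_regex(pattern):
    """IOS as-path regex to Python: '_' matches a space, path start or end."""
    return re.compile(pattern.replace("_", r"(?:^|\s|$)"))


# The thread's idea: every site prepends the transit AS on the way out, so a
# legitimate route arrives as "209 209 209 209 209 209", while a route leaked
# from elsewhere in the provider cloud carries 209 only once or twice.
# Assumed IOS equivalent of this permit (not from the page):
#   ip as-path access-list 10 permit ^209(_209){4,}$
#   route-map FROM-TRANSIT permit 10 / match as-path 10
PERMIT = ios_aspath_regex(r"^209(_209){4,}$")


def apply_inbound_filter(routes, permit=PERMIT):
    """Split parsed routes into (accepted, rejected) prefix lists."""
    accepted = [p for p, path in routes if permit.search(path)]
    rejected = [p for p, path in routes if not permit.search(path)]
    return accepted, rejected
```

The regex only works once every site prepends consistently; as a separate safety net against the 30-to-3000 route jump described earlier, a `neighbor <ip> maximum-prefix` limit on the hub session would have shut the session down instead of installing the leak.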
I'm finding that if I power on a router which has no startup-config, but has an ethernet link out of the lab rack into my home router, then that router will put the interface into DHCP mode automatically, without any explicit configuration on my part. This has happened on both my 2620XM 12.4(5) and 3640 12.4(8). I'm looking for some article on Cisco's site which might document this behaviour, but so far I'm coming up empty. Do any of you guys have any leads? This might be obvious behaviour to some of you guys, but honestly it just startled me that Cisco would put any interface into auto DHCP and issue a 'no shutdown' without your express request.
Edit: Oh ok I found it: AutoInstall. Seriously didn't know it existed. A little aggravating that I can't disable it out of the box in rommon or something, because this way I have to keep the uplink unplugged until I boot the router or face a mountain of TFTP error messages and a DHCP IP.
some kinda jackal fucked around with this message at 00:04 on Jun 27, 2010
Jun 26, 2010 21:17

Ok, so I tried using the NAT config recommended and I was half successful. When I do a ping 8.8.8.8 to Google's DNS it works fine on the router. I can even do a traceroute all the way there. However, when I plug a computer into the Fastethernet 9 port I can't get out, however I do get an IP address of 192.168.2.2 so DHCP is working fine. I attempt a ping 8.8.8.8 on the computer and I can't ping anything outside my network. I am sure it's just one config line I am missing, but I can't figure out what. Is my VLAN1 supposed to have my internal IP? This is what I get from a show run, sh int fastethernet 9, and a sh ip int brief. I am not sure what I am missing, but I have a feeling it is something to do with the vlan configuration. code:
Jun 28, 2010 14:03

sh xlate
This should show if you're getting translations or not. Also
ip nat inside source static tcp 192.168.2.1 6113 interface FastEthernet0 6113
That will only translate tcp, ping is icmp. You might want to kill that line, as well as the one below.
no ip nat inside source list 1 interface Vlan1 overload
Harry Totterbottom fucked around with this message at 15:16 on Jun 28, 2010
Jun 28, 2010 14:56

Harry Totterbottom posted:sh xlate
I don't think I really need any static, can I kill this line? EDIT: Killing the Vlan inside line won't stop my NAT? I'll try both and get back to you on this. Thanks!
Jun 28, 2010 15:17

Bardlebee posted:I don't think I really need any static can I kill this line?
You're not killing the Vlan inside line, you're killing the nat line that says use VLAN1 as your nat IP address. You're leaving
ip nat inside source list 102 interface FastEthernet0 overload
So that's saying the inside source list 102 will use interface FEth0 as the address that is translated to in overload mode. The line above it (that you'll remove) says nat the inside source list 1 and use interface VLAN1 as the address that is translated to in overload. Which is basically saying take IPs in access list 1 (which is the IP range in VLAN1) and nat it using the IPs in VLAN1.
Jun 28, 2010 15:39

Bardlebee posted:I don't think I really need any static can I kill this line?
Yes kill that line, you snuck in before my edits. So
no ip nat inside source list 1 interface Vlan1 overload
no ip nat inside source static tcp 192.168.2.1 6113 interface FastEthernet0 6113
then attempt to send traffic across the wire
show xlate
You should then see stuff in that table.
Jun 28, 2010 15:45

Harry Totterbottom posted:Yes kill that line, you snuck in before my edits.
Oh ok, thanks for clearing that up. Will show xlate only work when it's connected to the wire? I cannot test it until early morning tomorrow and it does not recognize (nor does it have a command when I ? it) show xlate... the commands I get from x? are: x25, x28, x29, xconnect, and xsm. I'll let you know what I find.
Jun 28, 2010 16:33

Bardlebee posted:Oh ok, thanks for clearing that up. Will show xlate only work when its connected to the wire? show xlate is for pix / ASA, you want show ip nat trans
Jun 28, 2010 18:25

ior posted:show xlate is for pix / ASA, you want show ip nat trans Doh, right here. I'm only doing nat on my firewalls so I forgot to check the syntax difference.
Jun 28, 2010 19:59

Say I have some internal hosts that need temporary RDP access from outside. I have two spare public IP addresses. Will this snippet work on the ASA? Does the access-list need to know the port numbers for the public IP addresses I'm using (33891, 33892, 33893), or does it only care about the destination ports? code:
Jun 28, 2010 21:37

Harry Totterbottom posted:Doh, right here. I'm only doing nat on my firewalls so I forgot to check the syntax difference.
Thanks for the help! Finally got NAT to work and I was able to reach out. Most of all I learned a little in the process! I will be doing the final step which is doing the five VPNs we have, they're pretty basic so I am going to give it a shot.
Jun 29, 2010 14:02

Bardlebee posted:Thanks for the help! Glad it worked.
Jun 29, 2010 14:47

ozmunkeh posted:Say I have some internal hosts that need temporary RDP access from outside. I have two spare public IP addresses. Will this snippet work on the ASA? You'll need to specify all the mapped addresses in the ACL or object-group. NAT is applied only if traffic matches an ACL entry. code:
Jun 29, 2010 16:32

Actually, yes, that makes total sense. Thanks!
Jun 29, 2010 16:49

Is there any way to specify which phones will fall into SRST mode on CallManager or the local router? We've got several sites with 2821s and more than 50 phones, and want to specify which phones will fall into SRST modes, and which phones just won't work. Any ideas?
EDIT: CallManager 7.1 and Cisco IOS Software, 2800 Software (C2800NM-SPSERVICESK9-M), Version 12.4(13a), RELEASE SOFTWARE (fc1)
n0tqu1tesane fucked around with this message at 22:20 on Jun 29, 2010
Jun 29, 2010 22:17

So I took a few days to research the topic of setting up a VPN, however I think I might be over my head as I am just a CCENT currently. Here are the images of the two routers currently in place.
Main ROUTER being replaced by my Cisco 1811 (image)
Router I want to VPN to (image)
I found this site HERE which is informative, yet doesn't help in the sense that my setup could be dramatically different. My question is, it seems that I am currently using DES3 encryption. My authentication is Secret and my password is: password (not my real password). I guess really the part I am confused on is how to setup my crypto commands and how NAT complicates this process.
Router1 LAN: 192.168.2.0
Router1 Outside: 111.111.111.111
Router2 LAN: 192.168.11.0
Router2 Outside: 222.222.222.222
Sorry for the excess
EDIT: Some things I was going to try here:
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group 3000client
 key password
 pool ippool
Bardlebee fucked around with this message at 17:52 on Jun 30, 2010
Jun 30, 2010 17:46

I think you should consider doing DMVPN. I can get you some skeletal configurations, if you like. Or you can Google them, they're pretty straightforward. We may even have some posted in this thread, somewhere.
Jun 30, 2010 21:05

jwh posted:I think you should consider doing DMVPN. I can get you some skeletal configurations, if you like. Or you can Google them, they're pretty straightforward.
Looking up info on DMVPN, it's basically what it's named: dynamic VPNs, meaning that I don't have to adjust the 'spoke' router (i.e. the 1811 I am implementing) if I change an IP address in another site? Or is it just when I add a VPN at another site? This sounds interesting, if not complicated. I would be interested in this, however I do not know where to start. I am having trouble just getting started and learning VPN as it is. I think I will have to watch some videos for it. EDIT: Also, would it matter that the other five satellite sites are NOT Cisco routers and are indeed lovely retail VPN routers?
Jun 30, 2010 21:56

jwh posted:I think you should consider doing DMVPN. I can get you some skeletal configurations, if you like. Or you can Google them, they're pretty straightforward. I think I may have even posted them. If not I can post some configs tomorrow.
Jun 30, 2010 23:54

As an aside, is VPN done in-depth anywhere in the CCNP or is that more of a CCNA Security thing?
Jul 1, 2010 00:00

The concept of security certificates etc is introduced on the (now defunct) ISCW exam. But not super in depth, I have no idea why it isn't covered in more depth honestly. Even Tunneling is only covered a little on the BSCI.
Jul 1, 2010 00:08

Powercrazy posted:The concept of security certificates etc is introduced on the (now defunct) ISCW exam. But not super in depth, I have no idea why it isn't covered in more depth honestly. Even Tunneling is only covered a little on the BSCI. There's a GRE tunnel on the Tshoot topology, but I think the biggest thing that is ever mentioned is just making sure that your crypto maps match.
Jul 1, 2010 00:14