|
Nitr0 posted:He just means that you probably have an internal dns server that is passing requests for anything not in it's database off to the internet and it's coming back with the external ip address. Just create an entry in the local dns server with the same name as your web server and point it to the internal IP address. I admit, I don't know how to do this. I did add A records for the web server, but perhaps that is not what you are talking about. EDIT: Oh and I have googled this, or at least tried to and I couldn't find a nice little 1-2-3 walkthrough or anything to tell me how to mess with this. When I said I am not a big DNS guy, I meant I haven't worked with DNS, period.
|
#
?
Oct 15, 2011 18:55
|
|
|
|
| # ? May 14, 2024 21:12 |
|
|
Dns is not that difficult and you should be able to figure it out in less than an hour.
|
|
#
?
Oct 15, 2011 19:00
|
|
|
Bardlebee posted:I admit, I don't know how to do this. I did add A records for the web server, but perhaps that is not what you are talking about. If you really really don't want to deal with it, add the local IP to the hosts file on every machine. 
|
|
#
?
Oct 15, 2011 19:55
|
|
|
Bardlebee posted:I admit, I don't know how to do this. I did add A records for the web server, but perhaps that is not what you are talking about. The term for what you're trying to do is "split horizon DNS". When you added the A records, where did you add them? To your DNS provider? If so you need to do the same thing to the company's local resolvers but with the A record pointing to the internal webserver IP. Do they run active directory? If so, their DNS is probably managed by the active directory servers and you can add the zone and A records to those servers using whatever guide to active directory DNS you can find.
|
|
#
?
Oct 15, 2011 22:59
|
|
|
If your firewall is an ASA add DNS rewrite to your nat setup and it will handle it, providing that you're doing NAT and not PAT (unless there was a change in 8.3-.4 that I've missed). http://goo.gl/sCUXU
|
|
#
?
Oct 16, 2011 17:35
|
|
|
Harry Totterbottom posted:If your firewall is an ASA add DNS rewrite to your nat setup and it will handle it, providing that you're doing NAT and not PAT (unless there was a change in 8.3-.4 that I've missed). http://goo.gl/sCUXU This is pretty cool but would only work as long as your dns server was not on the local network.
|
|
#
?
Oct 16, 2011 19:17
|
|
|
FatCow posted:Can a device running IP SLA test to itself from one interface to another? You can if you put the interfaces in separate VRFs. Depends on what you are trying to do though. IP SLA is usually to test jitter/round-trip-time, both of which should be consistent and negligible through a device.
|
|
#
?
Oct 16, 2011 19:44
|
|
|
Nitr0 posted:This is pretty cool but would only work as long as your dns server was not on the local network. I thought that was the point.
|
|
#
?
Oct 16, 2011 20:20
|
|
|
Well we really have no idea what his configuration is like. If they've got an internal dns server then it won't make any difference. If it's external then the asa dns re-write would work fine.
|
|
#
?
Oct 16, 2011 21:03
|
|
|
Nitr0 posted:Well we really have no idea what his configuration is like. If they've got an internal dns server then it won't make any difference. If it's external then the asa dns re-write would work fine. In the internal DNS case, it's typical for the records on the DNS server to be internal records, then you let the PIX perform fixup on them as they're queried through the firewall.
|
|
#
?
Oct 16, 2011 21:38
|
|
|
ragzilla posted:In the internal DNS case, it's typical for the records on the DNS server to be internal records, then you let the PIX perform fixup on them as they're queried through the firewall. But if the dns server is on the same network as the pc doing the query then it won't even hit the asa, therefore can't do the translation. Unless I'm missing something?
|
|
#
?
Oct 16, 2011 21:39
|
|
|
Nitr0 posted:But if the dns server is on the same network as the pc doing the query then it won't even hit the asa, therefore can't do the translation. Unless I'm missing something? The DNS server is configured with the internal IP, when someone inside queries it they get internal, when someone outside queries they get external.
|
|
#
?
Oct 16, 2011 21:53
|
|
|
Whenever a router crashes, it creates a crashdump file. In this crash dump file is the last 20-50 commands last executed. Is there a way to see the last used commands, without that crash file? Basically I want to login to a router and see the last X commands executed.
|
|
#
?
Oct 17, 2011 14:01
|
|
|
tacacs command accounting 
|
|
#
?
Oct 17, 2011 15:54
|
|
|
I already have that enabled, but I know the local router already stores it as well. How can I look at the commands on the local router? What show commands etc?
|
|
#
?
Oct 17, 2011 16:09
|
|
|
sh history all
|
|
#
?
Oct 17, 2011 16:26
|
|
|
tortilla_chip posted:sh history all That's the command I was looking for. Thanks.
|
|
#
?
Oct 17, 2011 16:51
|
|
|
So I've inherited our core networking while our network admin is off being ill. I'm struggling to limit access out from a vlan, to other vlans on the same stack. What I've done so far is: ip access-list extended block_remote_desk_out deny tcp 10.170.239.0 0.0.0.255 any eq 3389 log permit ip any any And then put ip access-group block_remote_desk out on the vlan interface itself. Any ideas? Thanks. lazken fucked around with this message at 14:21 on Oct 18, 2011 |
|
#
?
Oct 18, 2011 12:55
|
|
|
ip access-group block_remote_desk_out in make it "in," not "out"
|
|
#
?
Oct 18, 2011 16:35
|
|
|
jwh posted:ip access-group block_remote_desk_out in Bollocks. I am an rear end. Thats the second time I've done that. Thanks, you're a star.
|
|
#
?
Oct 18, 2011 17:33
|
|
|
I've done that more times than I wish to admit. Also since 90% of my job is FWSM/ASA related I tend to do one of these in switch/routers: permit ip any 192.168.1.0 255.255.255.0 WHY IS IT NOT WORKING
|
|
#
?
Oct 18, 2011 19:28
|
|
|
I have a rather weird situation that I'm trying to work through. On one side, I have my ASAs trunked to my internet side switches which then patch into an ISP router. We have two different IP blocks from this ISP, and the ASAs have an interface in each block on their respective subinterface, as shown below. code:1) I have no more physical ports free on my ASAs 2) ASAs don't do secondary IPs 3) I have to use VLANs because the ASA will not let you do nameifs on subinterfaces unless they also have a VLAN assigned  So I have my two VLANs delivered successfully to my switch, and though I know that I could just bridge the two VLANs together with a patch cable going between access ports on the two different VLANs, such a solution is not elegant and will trigger my inner  . I know you can use bridge groups and BVIs to do various bridging magic with interfaces, however I want to bridge two VLANs together on the switch itself. Is this possible?I posed this question to a few Cisco TAC guys and got  in response.
Nuclearmonkee fucked around with this message at 21:41 on Oct 18, 2011 |
|
#
?
Oct 18, 2011 21:38
|
|
|
Why do you have two separate public networks from presumably two providers, but on only a single physical interface? I'd address that first. Having two networks like that seems unnecessarily complicated, and useless.
|
|
#
?
Oct 18, 2011 21:47
|
|
|
Powercrazy posted:Why do you have two separate public networks from presumably two providers, but on only a single physical interface? Two networks, same provider. They ran out of IPs and bought a second block. EDIT: And by "ran out" I mean the guy at this location doesn't know wtf he is doing. I am basically trying to get this working quickly for a specific purpose, not fix their entire (poorly configured) network. Nuclearmonkee fucked around with this message at 22:03 on Oct 18, 2011 |
|
#
?
Oct 18, 2011 21:59
|
|
|
I think the physical cable is your best bet. Disable spanning-tree or else you'll see bpdu mismatch errors (I think).
|
|
#
?
Oct 19, 2011 15:31
|
|
|
jwh posted:I think the physical cable is your best bet. Disable spanning-tree or else you'll see bpdu mismatch errors (I think). Yeah I bpdufiltered the port to prevent any angry errors from popping up and told the customer they need to pay for the network to be redone (at least the internet side mess) and not to bitch if there are problems because of the bandaids we slapped on. You don't get 99.999 when your topology looks like it was designed by a drunken chimpanzee. Nuclearmonkee fucked around with this message at 21:00 on Oct 19, 2011 |
|
#
?
Oct 19, 2011 20:56
|
|
|
Can the ISP simply route you the other block of IPs, let you advertise/allocate it as you want, and then just forward everything out of your network like normal? I don't understand the necessity of a completely different interface.
|
|
#
?
Oct 19, 2011 22:51
|
|
|
Zuhzuhzombie!! posted:Can the ISP simply route you the other block of IPs, let you advertise/allocate it as you want, and then just forward everything out of your network like normal? It is a complicated combination of people unwilling to purchase hardware that they should be using, along with the annoying limitations involving complex site to site VPN topologies using ASAs. I suppose I could write it all out tomorrow if you want the long version
|
|
#
?
Oct 19, 2011 22:56
|
|
|
Zuhzuhzombie!! posted:Can the ISP simply route you the other block of IPs, let you advertise/allocate it as you want, and then just forward everything out of your network like normal? This is the question I'd ask too. Why don't they just route the 2nd additional public subnet down to your ASA device instead of, presumably, having it as a secondary "connected" network on the interface on the ISP end. That's how I'm envisioning they're doing it, anyway. If they do it that way you can break the network out however you wish on your side.
|
|
#
?
Oct 20, 2011 15:38
|
|
|
In other news. "I can't access Wikipedia" Can you send me a traceroute? "Traceroute shows 200ms latency on Level 3 in Florida" But you can actually get to the site? "Yes, sometimes it's instantaneous, sometimes it's slow." ......... Moral of the story is that I need to go into the public sector. Zuhzuhzombie!! fucked around with this message at 16:09 on Oct 20, 2011 |
|
#
?
Oct 20, 2011 16:04
|
|
|
GOOCHY posted:This is the question I'd ask too. Why don't they just route the 2nd additional public subnet down to your ASA device instead of, presumably, having it as a secondary "connected" network on the interface on the ISP end. That's how I'm envisioning they're doing it, anyway. At another remote office, there is an ASA with two uplinks. On the other side, there is this messy ASA with the two blocks on one ISP. They want to have two active site to site tunnels going over each of these remote site uplinks over to their home ASA, which specific VPN traffic designated for each uplink. The ASA doesn't support single site to site VPNs with an active/active configuration like this (or at least not that I'm aware of, nor were the TAC guys aware), so the easiest way was to just add a secondary interface on the far ASA to function as an endpoint for this second VPN connection so that I could build rules to send appropriate traffic over each tunnel. The customer refused to buy hardware which does this kind of thing easily, and I was simply told to "make it work with what they have right now", which is exactly what they got.
|
|
#
?
Oct 20, 2011 17:27
|
|
|
Zuhzuhzombie!! posted:In other news. That is everywhere. You are networking so if "the internet is slow" then it's obviously your fault. You are personally responsible for every fiber line severed by a tractor, weather which knocks out cable service, and even the rogue squirrel who decides to snack on some of your dark fiber. Nuclearmonkee fucked around with this message at 17:32 on Oct 20, 2011 |
|
#
?
Oct 20, 2011 17:29
|
|
|
Zuhzuhzombie!! posted:In other news. The money is better in a lot of cases, but the work is actually worse.
|
|
#
?
Oct 20, 2011 20:41
|
|
|
Think I got it figured out. We provide internet and transport but a third party maintains the mesh between various buildings. And by Mesh I mean they committed fraud and instead of laying fiber lines, which is what the bidding was based on, they put up a WWAN. We wondered how the hell they managed to under bid us so low. So now this problem gets passed off to those fuckers.
|
|
#
?
Oct 20, 2011 22:01
|
|
|
Looking for some input, as I have never worked with the Nexus line. I have been tasked with getting a design together for our new data center (trailer) and have been looking at the Nexus 5500 line. I have priced up a bundle package that includes the following: 1x Nexus 5548P 6x Nexus 2248TP FEX 30x 10GB SR SFP Modules along with all the other standard goodies and standard base image. I was looking at getting two of these packages, giving me redundancy by placing two FEX per rack (single homed) and vPC for dual active/active uplinks between them. I would also have room to expand additional FEX into all 14 racks in the long term as top/back of rack switches. That, and converge our physically separate iSCSI network into the new infrastructure with added support for FC and FCoE. Besides asking about real world performance, my questions are: If I have dual single-homed uplinks from a FEX, does that count as 1 or 2 connections to my 24 FEX connection limit on the 5548P? If I put in a L3 daughter card so I can connect the 5548P pair to my core switch (6509E with a soon to be SUP720) and use EIGRP stub routing with SVIs (keeping VLANS only on the FEX), will I hit the 8 FEX reduction? I'm assuming I will since they are basically treated as remote line cards. We are not a high volume traffic site outside of the data center, but I would like to remove the need for 4 top of rack switches per rack as well as spanning tree. We just had an issue this week where directly writing data to a single LTO-5 drive brought our network to its knees due to the over-subscription. I would like to order some equipment while the fire is still hot and they are willing to spend. Figured I'd ask here while waiting for a sales engineer to (maybe) call me.
|
|
#
?
Oct 20, 2011 22:38
|
|
|
Why only one 5k?
|
|
#
?
Oct 21, 2011 02:07
|
|
|
jwh posted:Why only one 5k? I would be buying two of the bundles, so a total of 2 5548Ps. That would give me enough for 6 racks of FEX(es?).
|
|
#
?
Oct 21, 2011 02:13
|
|
|
Are your distances so great in the data center that you can't run Twinax cabling? The cost and power savings by using it are pretty awesome. Unless I am mistaken that FEX connection limit is against the total number of actual FEX's that you have connected into your 5k's, not the number of actual connections per FEX coming into the 5k's. If you are really concerned about over subscription, you ought to use Twinax cabling and hammer up all 4 of the 10G connections out of the 2248's to give you a 1.4 ratio. Not exactly a 1, but the likelyhood of every port firing on all cylinders is fairly low, right?
|
|
#
?
Oct 21, 2011 14:48
|
|
|
Cisco's site is hard to navigate. Is there a 1u switch with more than 2 but fewer than 24 10GE SFP+ ports available does anyone know? Doesn't need layer 3 stuff.
Sir Sidney Poitier fucked around with this message at 15:57 on Oct 21, 2011 |
|
#
?
Oct 21, 2011 15:47
|
|
|
|
| # ? May 14, 2024 21:12 |
|
|
workape posted:Are your distances so great in the data center that you can't run Twinax cabling? The cost and power savings by using it are pretty awesome. If these were regular racks, I would take the twinax approach. However, this is one of those fancy (ugh) data center trailers that have racks that pull out from the wall and cable management built in the top of the rack. I'm afraid that by the time the cable managemnet was done with it we would have 5 feet left of a 30 foot twinax cable. Oh, and 10:1 or better oversubscription is my goal. We currently have switches in our datacenter (3750s) oversubscribed 50:1+ due to switch chaining and single gig uplinks. BelDin fucked around with this message at 15:50 on Oct 21, 2011 |
|
#
?
Oct 21, 2011 15:48
|
|