Totally depends on the device and train. For mainline stuff, 15 was just a renamed 12.4T. For service provider stuff, 12.2SR still has more/useful features and tweaks that never made it into 15. MTU adjustment on FastEthernet interfaces on 7200, for example. 7600 will likely run 12.2SR as well. ISR and ISR2 you may want 15.

# ? Jan 18, 2012 03:04

Sort of, as a general rule of thumb:
12.4 -> 15.0M
12.4T (Pain train) -> 15.0T
12.2SR -> 15.0S

# ? Jan 18, 2012 03:17

falz posted: Totally depends on the device and train. For mainline stuff, 15 was just a renamed 12.4T. For service provider stuff, 12.2SR still has more/useful features and tweaks that never made it into 15. MTU adjustment on FastEthernet interfaces on 7200, for example. 7600 will likely run 12.2SR as well. ISR and ISR2 you may want 15.

7600 12.2SR is pretty much dead (SRE is EoS this year, Q4 I think); most people will be looking for 15.1 or 15.2 at this point, I think. Personally I'm waiting for an extended-support 15.2 or later with the v6 IS-IS passive-only fix to standardize my IOS and XE boxes on.

# ? Jan 18, 2012 06:09

BelDin posted: Which ones? The 5K or the 7K?

Good deal. Thanks! Gonna hit the website in a moment but figured I'd ask as well. Anyone know if there is a 7609/6500 compatible blade that has SRR queuing as a feature?

EDIT: Not sure what FEX means outside of having something to do with virtual interfaces? Is that right?

# ? Jan 18, 2012 18:08

Zuhzuhzombie!! posted: Good deal. Thanks!

Only blades on the list are the newer 10G Sups, and the WS-X6708. FEX are fabric extenders.

# ? Jan 18, 2012 20:19

tortilla_chip posted: 12.4T (Pain train) -> 15.0T

All aboard!

# ? Jan 18, 2012 21:41

ragzilla posted: Only blades on the list are the newer 10G Sups, and the WS-X6708.

Feck. I have GOT to figure out a QoS method outside of policy maps.

# ? Jan 19, 2012 17:15

Any recommendations on IPS/IDS solutions? We're looking at the ASA AIP modules, but not sure if there's something else we should be looking at. We want to steer away from a pure snort solution and get something from a vendor for the support options.

# ? Jan 24, 2012 16:38

Harry Totterbottom posted: Any recommendations on IPS/IDS solutions? We're looking at the ASA AIP modules, but not sure if there's something else we should be looking at. We want to steer away from a pure snort solution and get something from a vendor for the support options.

We use Sourcefire. It is a Snort solution, but it has support for software/hardware appliances.

# ? Jan 24, 2012 17:32

Harry Totterbottom posted: Any recommendations on IPS/IDS solutions? We're looking at the ASA AIP modules, but not sure if there's something else we should be looking at. We want to steer away from a pure snort solution and get something from a vendor for the support options.

I don't know what your throughput requirements are, but unless they are obscenely low I'd stay away from AIP-SSM. Maybe the -4 or 60 fixed things, but we always jokingly referred to them as NSMs (network slowness modules). Not sure what the price delta is, but I'd go for a standalone appliance instead.

# ? Jan 24, 2012 21:16

Frozen-Solid posted: I didn't give more details because I wasn't even sure if it should work at all. As far as I was aware it didn't work at all pre-ICS so I was asking that before going any further.

Is there an option to tweak the lifetime settings on the phone? It looks like P1 times out and racoon can't handle the rekey (which would be a bug on the phone to my mind).

# ? Jan 24, 2012 21:18

Tremblay posted: I don't know what your throughput requirements are, but unless they are obscenely low I'd stay away from AIP-SSM. Maybe the -4 or 60 fixed things, but we always jokingly referred to them as NSMs (network slowness modules). Not sure what the price delta is, but I'd go for a standalone appliance instead.

How low is obscenely low? Looking at our bandwidth reports we never seem to break 5 Mb/s combined. I've got demos set up with Palo Alto, SecureWorks, and SourceFire about what they've got to offer. Any other recommendations on where I should be looking?

# ? Jan 24, 2012 22:17

Harry Totterbottom posted: How low is obscenely low? Looking at our bandwidth reports we never seem to break 5 Mb/s combined.

IIRC each model has two throughput ratings. One is rich media or something like that and the other is vanilla traffic. Having a reasonable idea of what your overall traffic profile looks like will help with deciding which to go with. I put it this way: if you are running an ASA 5510 or possibly up to a 5520, AIPs make sense.

# ? Jan 25, 2012 00:41

We got a demo from Palo Alto as well.

# ? Jan 25, 2012 08:26

If I trunk a router which is acting as a VPN into a switch, can I have the router deposit me on a separate VLAN depending on what user I authenticate as? The short story is that I have a non-routable 172.16 VMware blade lab on campus. I'd like to sit a VPN-enabled IOS device in front of it so I can dynamically attach to the blades as necessary. I have several VLANs, however: VMware Management and HP iLO, vMotion, VM Guest network, iSCSI, etc. Since all those networks live on two Cisco GESM interconnects in my blade enclosure I figured it would be a snap to just trunk a router into the two switches. Maybe it's the 1am but this seems like it should be an easy answer, yet my google-fu is failing me pretty hard right now. I am definitely not a VPN guy. Sort of makes me want to bone up on some CCNA-Sec material.

And a follow-up question: Not an ideal situation, but to access the servers from home I would need to first VPN onto the private campus network, then VPN in again to my private VMware lab. Are there any caveats to running nested VPNs? I can foresee some MTU issues perhaps.

# ? Jan 27, 2012 07:11

The straightforward way to do what you want is to define different VPN pools with separate networks for each user. However, that is neither scalable nor elegant, so the better but more complicated way to do it is to have your VPN authenticator also act as an 802.1x authenticator; then, depending on the permissions assigned from AD, you could access whichever networks you were permitted. Unfortunately that isn't exactly an easily deployable solution. There may also be a more elegant solution, but I'm going to say that having the router/VPN end-point make the per-user decision isn't the road you want to go down.

For nested VPNs latency becomes a much larger concern as it basically doubles the "lag" you experience when doing a TCP-over-TCP(-over-TCP) connection. It will technically work, but yea, fragmentation, latency, and all the usual VPN problems will be amplified.

# ? Jan 27, 2012 08:59

Tremblay posted: IIRC each model has two throughput ratings. One is rich media or something like that and the other is vanilla traffic. Having a reasonable idea of what your overall traffic profile looks like will help with deciding which to go with.

We're running a pair of 5510's in active/standby and they're honestly under-utilized. The one big issue that comes to mind is that since we want to also include the remote branches we'll need to grab a total of 4 modules (2 for the 5510's and 2 for 5505's in the branch offices). Thanks for the input btw Tremblay, you're always a fount of knowledge.

# ? Jan 27, 2012 15:51

Powercrazy posted: The straightforward way to do what you want is to define different VPN pools with separate networks for each user. However, that is neither scalable nor elegant, so the better but more complicated way to do it is to have your VPN authenticator also act as an 802.1x authenticator; then, depending on the permissions assigned from AD, you could access whichever networks you were permitted.

In this case it's an entirely single-user (myself) one-off application of the technology so I'm not horribly concerned over how well it will scale, but it's good to know the best practices for something like this anyway. Thanks for the feedback. I'll try and see if there's any other way to get around what I want to do. There's a small chance I can get my VPN router publicly routable, in which case I wouldn't need to double-VPN (from home), but that involves paperwork and project justification and signoffs, all things I was hoping to avoid for a personal pet project.

# ? Jan 27, 2012 17:33

If it is just you for a one-off single application, then sure, just create a new VPN connection with a different pre-shared password and use that whenever you need to access the specific resources remotely.

# ? Jan 27, 2012 18:16

Martytoof posted: In this case it's an entirely single-user (myself) one-off application of the technology so I'm not horribly concerned over how well it will scale

Wait, if it's just for you anyway, why don't you just set up a "vpn/management vlan" and have the router deposit your VPN'd connection to that VLAN. Then set up some really basic routing between the subnets on your other VLANs such that from the management VLAN you can get to and from the handful of other VLANs you have configured. You don't have to make everything routable after that or routable to the rest of the world; just routable between the vpn/management VLAN you are setting up and the rest of them.

Even if the switches in your enclosure aren't L3 switches, you could set up the trunk interface to your router as you were going to anyway, then set up subinterfaces for each of the VLANs on the trunk interface, and handle the routing there. It doesn't have to be "fast" per se since you only expect to use it from your VPN client. You can use ACLs if you want to keep the various subnets from being able to speak to each other, and limit the communication to just the vpn/management VLAN.

Maybe I'm missing something here, but that seems like a much easier way to do this if you don't literally need to have an IP address on any of the current VLANs.

# ? Jan 27, 2012 21:54

No, you're right, that is the simplest solution. I think in this case I wanted to make sure that there was no routing between VLANs just for the sake of knowing what's where in my lab, but I can easily achieve the same by just access-listing myself as the only one allowed to traverse the gateway. I think I tried to over-complicate this. Thanks for grounding me.

# ? Jan 27, 2012 22:18

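One way to build the "vpn/management VLAN plus subinterfaces plus ACLs" design from the exchange above, as an added IOS example that is not from any post in the thread; the VLAN numbers, the 172.16.x.0/24 subnets, the interface names and the VPN pool range are all constructed assumptions.

```cisco
! Constructed example: one router trunked into the blade enclosure switches,
! one subinterface per lab VLAN, with routing permitted only to and from the
! vpn/management VLAN. The VPN configuration itself (IKE/IPsec or SSL) is
! left out; it only needs to hand clients an address from VPN-POOL.
!
! VPN clients land in the management subnet, so the ACLs below treat them
! the same as any other host on VLAN 10.
ip local pool VPN-POOL 172.16.10.100 172.16.10.150
!
interface GigabitEthernet0/1
 description Trunk to blade enclosure interconnects
 no ip address
 no shutdown
!
! VLAN 10: vpn/management VLAN - the only VLAN allowed to reach the others
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 172.16.10.1 255.255.255.0
!
! VLAN 20: VMware management / HP iLO
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 172.16.20.1 255.255.255.0
 ip access-group MGMT-ONLY in
!
! VLAN 30: vMotion
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 172.16.30.1 255.255.255.0
 ip access-group MGMT-ONLY in
!
! VLAN 40: iSCSI
interface GigabitEthernet0/1.40
 encapsulation dot1Q 40
 ip address 172.16.40.1 255.255.255.0
 ip access-group MGMT-ONLY in
!
! Applied inbound on every non-management subinterface: hosts on those
! VLANs may answer the management VLAN but cannot reach any other lab VLAN
! through the router. The ACL is stateless, so the "permit" covers replies
! to sessions the management side opened as well as sessions the hosts open
! toward it; tighten it further with specific ports if the lab needs that.
ip access-list extended MGMT-ONLY
 permit ip any 172.16.10.0 0.0.0.255
 deny   ip any any log
!
! Checks after applying:
!   show ip interface GigabitEthernet0/1.20 | include access list
!   show access-lists MGMT-ONLY      (hit counters on the deny line reveal
!                                     cross-VLAN attempts being blocked)
```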
I'm learning about IS-IS, MPLS and LDP using GNS3 with emulated 7200s. I've set up a small topology of 4 devices, got IS-IS set up on all of them, then went to enable LDP. I found that unless I manually set the LDP router-id to the device's loopback, LDP wouldn't talk on some links properly. The only way I got it to work was by doing 'mpls ldp router-id lo0 force'. I gather this is related to the device having routes to its peers over the correct interfaces. My question is: is this the way it's meant to be done? Or is there another way I should be solving this problem?

Second question: Is there a way to format a CF card from rommon mode in a 6500 series with a sup720? I'm not sure if I'm being specific enough, but it's a potential problem I encountered today. Googling shows a thread where someone asks the same thing and someone says "yes, but why would you want to" without saying how to do it. I ask because today on some test gear we encountered a magic number error but didn't have another, booted 6500 to format the card - only 7600s.

# ? Jan 29, 2012 19:54

Sorry if this has been asked, and I'm still reading through this thread, but is there a good resource for tips on building baby's first configuration? I'm looking at getting more familiar with the devices I see in the field, and beyond some really basic tasks (configuring the interface, managing ACLs), I'm woefully bad at doing relatively simple things (like building 1:1 NAT policies, port redirection, etc). To start, I'm looking for something oriented at step-by-step configs that deal with what you might see in a single device / small office environment, and then moving on from there. I can't really look at sorting out RIP when I literally don't even know how to configure telnet access to the unit. I deal with Sonicwall 20xx / 30xx series stuff quite a bit, I understand everything I've ever had to know for managing traffic and wider VPN deployments, and find it quite easy to wrap my head around. My eyes just start to glaze when I start googling for specifics on questions I have with IOS.

# ? Jan 31, 2012 00:32

Honestly, few things beat Cisco's Configuration Guides that you can get on their website. Their table of contents is sorted in the order things usually need to be configured and their examples are often spot-on unless you're doing something very non-standard. The docs usually begin with sections on management tasks like getting your CLI up and running. They're so helpful, I tend to read them even when configuring devices from other vendors because the other guy's documentation has tasks in alphabetical order, and Cisco usually has more comprehensive and better documented examples. Command References are sometimes critical, but usually if you know the command you want, Google and the combination of ? and Tab completion should let you stumble through the syntax.

edit: example link for a 2960 switch: http://www.cisco.com/en/US/products/ps6406/products_installation_and_configuration_guides_list.html
Check show ver and grab the one you need and off you go.

edit: more relevant link (ASA 5500 series): http://www.cisco.com/en/US/customer/products/ps6120/products_installation_and_configuration_guides_list.html

# ? Jan 31, 2012 01:29

Also make sure you understand what NAT, port redirection and a default route actually are, it makes configuration click much better. Are you a network "tech" or are you an engineer?

# ? Jan 31, 2012 02:34

Powercrazy posted: Also make sure you understand what NAT, port redirection and a default route actually are, it makes configuration click much better.

Def not an engineer. Not really a "tech" either? I don't know. I do understand what a NAT defines, what I call port redirection is (external traffic on port say, 5050 to an internal host on another port, say 3389, though I also consider this to be NAT), and what default routes are. I'm a person that gets put in front of all kinds of things. Generally AD / Exchange deployment and admin nonsense, but configuring NAT policies, linking geographic sites, VLANs, securing access and such are all part of that. I've never run into any real problems, but my market is dominated by mid-range SonicWall and Juniper devices, both of which I like fine. When I get put in front of a Cisco of any kind I feel like I should know more about how to make it do things I want.

For instance, if I want to build a NAT rule that forces an internal host's outbound SMTP traffic to be seen as coming from an IP other than the default WAN IP, how would I best do this on a Cisco device? ip nat inside source static tcp [internal IP] 25 [new external IP] 25? Include this in which interface's access list? The external interface's outbound? I would have no problem setting something like this up on something I normally work with; I consider it really simple and basic. But on a Cisco I'm gonna have to google it. It's shameful, I should know better.

# ? Jan 31, 2012 03:26

Configure it in the ASDM - it's a lot more newb friendly. Configure button -> NAT on the left hand side menu -> configure new NAT rule -> inside -> outside -> press OK. There's your 1:1 NAT.

# ? Jan 31, 2012 03:42

Yep, I started to recommend that, too: if you are used to SonicWall, ASDM will be more familiar. It's just that if you use both ASDM and CLI, configurations get messy pretty rapidly.

# ? Jan 31, 2012 17:16

I guess you could use a GUI if you want to get it up quicker. Is that your goal? If not, use the CLI and take baby steps. Conf outside interface, ping out, then get NAT working, then port forwarding, then VPN or whatever. Having said that, you mentioned IOS in your post. This runs on switches and routers, not Cisco firewalls. If you're configuring a Cisco router with NAT, it's totally different (and easier imho) than ASA.

# ? Jan 31, 2012 17:27

We had a weird thing happen yesterday; hopefully someone can suggest a way to troubleshoot this. Around 9am, roughly one-third of our switches decided to disable their uplink ports because they detected a loopback on the network. It started in one area and spread out from there across the network, but didn't affect every switch, just some of them randomly. The only way to bring them back up was to plug in to each switch with a laptop and bounce the uplink ports. I also turned off keepalives on those ports so they wouldn't disable themselves again, but that doesn't fix the root issue of having a loop somewhere on the network.

We haven't made any logical changes to the network in a long time and we inspected the switch rack closest to where the problem started and didn't find any switches plugged in to themselves or any other cabling weirdness. We haven't added any new hardware; however, this is a medium-sized manufacturing plant spread across two buildings, and we have some electrical technicians that like to pretend they're IT, so for all I know there may have been a hub or something plugged in somewhere. I don't know of any other way to track down the source of the loopback issue, but I'm still getting complaints of things running slowly today, so I'm concerned that the loop is still there and causing problems. Does anybody have any suggestions?

# ? Jan 31, 2012 17:33

geera posted: We had a weird thing happen yesterday, hopefully someone can suggest a way to troubleshoot this.

Are these Catalyst switches running IOS 12.1? I had the exact same issue last week with switches that were putting uplinks into error-disabled loopback state. A bit of research and I found out that 12.1 has keepalives enabled on uplinks by default whereas on 12.2, keepalives are disabled on the uplinks by default. Cisco recommends upgrading to 12.2 or newer:
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00806cd87b.shtml (scroll down to loopback)

Otherwise, possibly enable bpdu-guard on the switches and see if anything gets put into an error-disabled state.

# ? Jan 31, 2012 17:50

Review your spanning-tree topology and ensure you're using the same bpdu, udld, etc settings on uplink ports. Make sure the switch you want to be the stp root really is the root for all of your vlans. Possibly enable automatic recovery of errordisable in X seconds for Y issue.

# ? Jan 31, 2012 18:10

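A defensive baseline for the keepalive/loopback errdisable problem and the follow-up advice above, as an added Catalyst IOS example that is not from the thread; the interface ranges and the 300-second recovery interval are assumptions.

```cisco
! Constructed example for an access-layer Catalyst. The loopback errdisable
! fires when a port receives its own keepalive frame back, which is what a
! physical loop (or a hub looped to itself) produces.
!
! Uplinks: keep keepalives off (the 12.2 default for uplinks) so a loop
! elsewhere on the LAN does not take the closet's uplink down with it.
interface range GigabitEthernet0/1 - 2
 description Uplinks to distribution
 switchport mode trunk
 no keepalive
!
! Edge ports: PortFast + BPDU guard, so a hub or an unmanaged switch that
! someone plugs into a desk port is error-disabled on the first BPDU instead
! of being allowed to flood the building.
interface range FastEthernet0/1 - 24
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Let the switch recover error-disabled ports on its own instead of needing
! a laptop at every closet. A real loop will simply re-trip the port, which
! shows up in the log as a flap and points at the offending switch.
errdisable recovery cause loopback
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Checks while hunting the loop:
!   show interfaces status err-disabled
!   show errdisable recovery
!   show spanning-tree root                (is the intended root really root?)
!   show spanning-tree detail | include ieee|occurr|from|is exec
!                                          (last topology change and which
!                                           port it came from, per VLAN)
```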
falz posted: I guess you could use a GUI if you want to get it up quicker. Is that your goal? If not, use the CLI and take baby steps. Conf outside interface, ping out, then get NAT working, then port forwarding, then VPN or whatever.

I don't actually have any device personally, though a guy I know has a couple 1841s that have been sitting unused for a couple of years. I could probably get my hands on one. I once tried to use the Java GUI thing and it was a mess, partially because it didn't play well with the already configured device. It reeked of afterthought and wasn't at all as easy to understand as the CLI. I prefer command driven interfaces; I come from a HP-UX and Linux background, and these days all I do is manage Exchange servers using PowerShell. It isn't the same obviously, but CLI seems so much more deliberate, if that makes any sense.

I called it IOS because I don't know any better. ASA seems to be their security oriented line? Is the CLI syntax and configuration methodology wildly different? I figure I've mostly dealt with the routers and some PIX 500 series devices. So far I get how to manage the interfaces, configure a basic masquerade to grant internet access, set up the initial ACL list, and even configure a general port forward.

My questions are more like: If I have an IP range assigned to me by my ISP, say 87.43.56.2 - 87.43.56.8, I configure a basic setup on the router that gets the office internet access, and use 87.43.56.2 for the primary WAN facing interface. I already know how to do at least this much. I now want to define a 1:1 NAT for an internal host sitting on say 192.168.1.50 for SMTP traffic to be seen as coming from 87.43.56.3, and not the default WAN interface's IP. As far as I can tell I would simply use the command "ip nat inside source static tcp 192.168.1.50 25 87.43.56.3 25"? How would I make the same true for inbound traffic? Do I need to define an "ip nat pool" first?

A step-by-step guide for basic configurations like this would do wonders for my understanding on things I usually run into. My problem with the Cisco documentation I see on their site is that I'm dumber than dumb and don't understand things like "do I even require defining a NAT pool for what I am trying to accomplish?"

# ? Jan 31, 2012 18:36

code:
static (inside,outside) <public host> <private host> netmask 255.255.255.255
!
access-list outside_access_in extended permit tcp any host <public host> eq smtp log notifications

That's a general 1:1 NAT scenario with an ACL entry allowing any source network to connect via SMTP, for example.

# ? Jan 31, 2012 21:54

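The same 1:1 NAT done on an IOS router (the poster's 1841-style case) rather than an ASA, as an added example that is not from any post in the thread; the interface names and the 203.0.113.0/29 and 192.168.1.0/24 addresses are constructed stand-ins for the ranges in the question.

```cisco
! Constructed example: IOS router with a small block of public space.
! 203.0.113.2 is the WAN interface address; 203.0.113.3 is reserved for the
! internal mail server at 192.168.1.50.
interface GigabitEthernet0/0
 description WAN
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Everyone else leaves through the WAN interface address (PAT/"overload").
ip access-list standard LAN-HOSTS
 permit 192.168.1.0 0.0.0.255
ip nat inside source list LAN-HOSTS interface GigabitEthernet0/0 overload
!
! The static entry is bidirectional: the server's outbound SMTP leaves as
! 203.0.113.3 AND inbound connections to 203.0.113.3:25 are delivered to
! 192.168.1.50:25. No "ip nat pool" is involved for a static mapping.
! Limiting it to tcp/25 leaves every other port of 203.0.113.3 unmapped,
! so nothing else on the server is exposed by accident. The static entry
! is listed before the dynamic one only for readability; IOS prefers the
! static match regardless of order.
ip nat inside source static tcp 192.168.1.50 25 203.0.113.3 25
!
! IOS answers ARP for 203.0.113.3 on the WAN segment once the static
! translation exists, so the upstream router can reach it.
!
! An inbound ACL on the WAN interface is evaluated BEFORE the
! outside-to-inside translation, so it must match the public address
! (203.0.113.3), not the private one. "established" admits replies to
! TCP sessions the LAN opened; it is stateless, so UDP replies (DNS, NTP)
! need their own entries or a stateful inspection feature.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.3 eq smtp
 permit tcp any any established
 deny   ip any any log
!
! Checks:
!   show ip nat translations      (the static tcp entry is always present)
!   show ip nat statistics
!   show access-lists OUTSIDE-IN  (hit counts on the smtp and deny lines)
```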
I used the VPN Wizard on ASDM 6.4(7) with an ASA 5505 running 8.4(3) to create a config for SSL VPNs. The ASDM didn't configure split-tunneling, so I did that manually by creating the NONAT access list and applying it to the Group Policy. The Anyconnect client connects successfully with the appropriate routes, but I can't get any traffic going to the networks that I've VPNed into. The sanitized config is below. Any thoughts? code:

# ? Jan 31, 2012 21:55

aksuur posted: I used the VPN Wizard on ASDM 6.4(7) with an ASA 5505 running 8.4(3) to create a config for SSL VPNs. The ASDM didn't configure split-tunneling, so I did that manually by creating the NONAT access list and applying it to the Group Policy.

You'll also want to use your NONAT (or a variant thereof) to NAT-exempt the inside hosts to your VPN clients. Otherwise the ASA will try to NAT the traffic on the way through, resulting in 'failed to create translation' logs for every connection attempt.

# ? Jan 31, 2012 23:50

Change your nat from inside,outside to inside,any

# ? Feb 1, 2012 17:59

Given the following scenario:
- Network port on x.x.x.0/24 network which I have no administrative control over
- Managed Cisco switch which I own
- Host A which needs to reside on x.x.x.0/24, but REQUIRES my Cisco switch for network connectivity

What would be the best way to seamlessly connect my switch to the network as transparently as possible, to expose only the port on which host A communicates? My initial thought was something like this:

code:
vlan 990
 name EXISTING-NETWORK
int gig0/24
 description Uplink to EXISTING NETWORK / x.x.x.0/24
 switchport host
 switchport access vlan 990
 no cdp enable
int gig0/23
 description Host A network port x.x.x.1/24
 switchport host
 switchport access vlan 990
 no cdp enable

while everything else is a member of a different VLAN. Thoughts?

The two minute explanation is that I have a HP BladeSystem rack which uses Cisco interconnects. The blades don't have a physical network port, they just terminate right to the interconnect's switchports. I need to get one system on the existing network to act as a firewall; the remainder will be in a private non-routable subnet. The second I plug my switch in, my network port goes dead for five minutes. I assume I've tripped some sort of access violation on the existing network. My University Tech Services contact is out of the office for the next few days so I'm just sort of blindly stumbling while trying not to ruin anyone's day. I was hoping the above would be enough to emulate a dumb switch, with which the existing network seems to have no problems, but apparently it isn't. I have a feeling this isn't something anyone can solve until we know more about the infrastructure on x.x.x.0/24 or get someone from UTS involved, but I'm throwing this out there since I'm brainstorming it. There's probably something infinitely boneheaded about what I'm doing, but I don't think I've ever really run across a scenario uplinking two switches where a trunk wasn't involved.

# ? Feb 1, 2012 18:47

So I'm working on a lab I've come up with to learn the basics of Layer 3 VLAN routing and a few other things using a couple of 37050s. I am kind of stuck as to why one portion isn't happening, and it's probably an easy question. Here is my setup:

Switch 1 - Trying to make this switch be the main DHCP server
Vlan 1 - 192.168.1.1
Vlan 997 - 192.168.20.1

Switch 2
Vlan 1 - 192.168.2.1
Vlan 997 - 192.168.20.2

I have routes set up so both switches can talk to each other no problem. I have a DHCP pool set up on Switch 1. I set Vlan 1 on Switch 2 to use IP helper and pointed it to Switch 1. I still can't get any IP addresses on Switch 2 using that method. Now here's what I looked up to see if maybe I should set up Switch 1 like this. Should I set up a DHCP server setting similar to what is demonstrated here?
http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfdhcp.html

The goal is to have Switch 1 be my DHCP server and then do DHCP snooping on Switch 2 so I can test that out and see how it works. I just need Switch 1 to give out addresses to Switch 2 in the 192.168.2.0/24 range while anything plugged into Switch 1 will get an IP in the 192.168.1.0/24 subnet. If you guys want some configs I'll post them. Thanks!

# ? Feb 1, 2012 19:08

Langolas posted: So I'm working on a lab I've come up with to learn the basics of Layer 3 VLAN routing and a few other things using a couple of 37050s. I am kind of stuck as to why one portion isn't happening, and it's probably an easy question.

Try separating the VLANs and use one for the .1.x/24 network and the other for the .2.x/24 network. This probably won't work as you are intending it to. Helper addresses are used to turn certain broadcast traffic into unicast traffic. Since you are using the same VLAN for both network ranges, the broadcast will be picked up across the VLAN and does not need to be converted to unicast. Create two different VLANs and networks on Switch A using SVIs, enable basic routing (for inter-VLAN travel), trunk a port to Switch B and set up your snooping, then make a DHCP pool with the two different subnetwork ranges and gateway/DNS options. Once you do that, you should be serving on two different networks without using helper addresses. Here's some help on the DHCP syntax. If you REALLY want to use helper addresses, you will probably need to make a device other than a switch your DHCP server.

# ? Feb 1, 2012 19:40

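The two-VLAN layout recommended above, with Switch A routing and serving DHCP and Switch B running DHCP snooping, as an added Catalyst IOS example that is not from any post in the thread; VLAN numbers, the interface names (3750-style Gi1/0/x) and the DNS address are constructed assumptions.

```cisco
! ---- Switch A: L3 switch, SVIs for both user VLANs, DHCP server ----
ip routing
!
vlan 10
 name USERS-A
vlan 20
 name USERS-B
!
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
interface Vlan20
 ip address 192.168.2.1 255.255.255.0
!
! Keep the gateways (and a few static hosts) out of the pools.
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.2.1 192.168.2.10
!
! The server chooses a pool by the subnet of the SVI the DISCOVER arrived
! on (or the giaddr of a relayed request), so clients behind the trunk on
! VLAN 20 get 192.168.2.x without any ip helper-address.
ip dhcp pool USERS-A
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 192.168.1.5
ip dhcp pool USERS-B
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 192.168.1.5
!
! Inter-VLAN traffic already routes between the SVIs; restrict it with an
! ACL on the SVIs if the lab should not be fully open.
interface GigabitEthernet1/0/24
 description Trunk to Switch B
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! ---- Switch B: L2 access switch with DHCP snooping ----
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Snooping inserts option 82 by default; a request relayed with option 82
! but giaddr 0.0.0.0 is dropped by an IOS DHCP server as untrusted, which
! looks exactly like "clients never get an address". Turn it off here (or
! use "ip dhcp relay information trust-all" on the server side instead).
no ip dhcp snooping information option
!
interface GigabitEthernet1/0/24
 description Trunk to Switch A
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 ip dhcp snooping trust
!
! Every other port is untrusted: DHCP OFFER/ACK from a rogue server on an
! access port is dropped, and a client flooding DISCOVERs is rate-limited.
interface range GigabitEthernet1/0/1 - 23
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 ip dhcp snooping limit rate 15
!
! Checks:
!   Switch A: show ip dhcp binding ; show ip dhcp server statistics
!   Switch B: show ip dhcp snooping ; show ip dhcp snooping binding
```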