|
I'd guess they are loaners from Cisco.
|
# ? Apr 6, 2012 02:44 |
|
|
Is it basically just a show of force? I am not sure how even something as big as that would use 200Gbps - that's more than 3x what BBC iPlayer does worldwide (yay freedom of information act requests). And how does it get there? Is there a dark fibre to the stadium? I'm struggling to figure out how it is financially justified
|
# ? Apr 6, 2012 08:43 |
|
ior posted:Short status report from The Gathering 2012: What software do you use for the weather map?
|
# ? Apr 6, 2012 15:40 |
|
Anjow posted:Is it basically just a show of force? I am not sure how even something as big as that would use 200Gbps - that's more than 3x what BBC iPlayer does worldwide (yay freedom of information act requests). And how does it get there? Is there a dark fibre to the stadium? I'm struggling to figure out how it is financially justified

Yes there is dark fibre all the way from Oslo to the stadium in Hamar (100km or so away). We run 2x100GB channels over a DWDM system put in place just for the event. Basically a huge proof of concept for the WDM manufacturer.

FatCow posted:I'd guess they are loaners from Cisco.

You are correct. We loan everything except the edge switches which are owned by the party.

Zuhzuhzombie!! posted:What software do you use for the weather map?

php-weathermap - the config is public if you want it.

Fatal posted:Out of curiosity, what does the equipment do the other 11 months out of the year?

The core network is returned to Cisco - the edge switches are rented out to other parties in the area.
|
# ? Apr 6, 2012 16:30 |
|
Zuhzuhzombie!! posted:What software do you use for the weather map? http://www.network-weathermap.com/ The MadIX Exchange has a nice weathermap as well. Go Wisconsin! http://stats.net.wisc.edu/ feld fucked around with this message at 16:40 on Apr 6, 2012 |
# ? Apr 6, 2012 16:36 |
|
Weathermap is nice - as I figure anything that gives you a better bird's eye view of problems should be investigated, for network health. Anything that does it faster (than say, scrolling syslogs like the Matrix or configuring some crazy correlative event management system) is even better. Plus it looks neat.

As far as IPT goes - I was sent to ACCMU and have been tinkering with our VoIP system, which is a 6 node cluster running over 8k endpoints. I have some basic VoIP background from my own experiences with Asterisk, and most of it makes some logical sense. I realized about a year ago we are sort of boned though. We built our dialplan based on management mandate to push transparency to our users, who are all in the same area code. We went with 7 digit extensions, no "dial 9" prefixing, and basically shot ourselves in the foot. Our dialplan wasn't designed with anything in mind, and the engineers we have working on this didn't come into the organization with any expertise - they are learning it themselves - so we're all hitting speedbumps. As an example, since we ran flat dialing, all 7 digit extensions would hit a [2-9]XXXXXX route pattern in the local calling CSS and route out the gateway. What we ran into was DIDs pointed to our system but not defined or allocated would come in the gateway with 7 digits (Verizon) and then route back out and around again until it ate up a bunch of resources or did a max forwards type thing. Now we moved to UCM 8 because our UCCX was going out of support, the new version didn't work with UCM 6.1.2, and there's a shitpot full of new features and things which have bit us we were not prepared for - because we're way off from the base deployment guide. As per the earlier job posting, setting up a clustered system with 2500 endpoints and some basic call routing is not hard - but man is it easy to get way in over your head. I have my CCNA, reading some NP materials, but also having to poke into voice and wireless. With Cisco's unquenchable thirst to do everything this is getting to be pretty tough.
|
# ? Apr 7, 2012 17:28 |
|
It really pays to have someone who's done it for a while successfully to look over your shoulder.
|
# ? Apr 8, 2012 01:50 |
|
Weird problem with an ASA 5505. I am not yet sure what is happening as this has only occurred a couple times over the past week, but I'll spontaneously lose internet connectivity. This may or may not be because the modem has reset, not yet sure. Either way, the link comes back up but the ASA loses the default route. When I shut/no shut the outside interface vlan it comes back up. Why is it not inserting it back into the routing table? code:
|
# ? Apr 8, 2012 22:15 |
|
Was the vlan interface down before you shut/no shut it? Also check logs.
|
# ? Apr 8, 2012 22:47 |
|
This might help: http://ogenstad.net/2007/11/14/cisco-asa-5500-and-the-hunt-for-the-lost-gateway/ tl;dr: Upgrade to 8.0(3) A comment on that site mentions ICMP rules. Maybe the ASA assumes the gateway is down if it can not ping it due to a rule that forbids ICMP traffic to outside? ZeitGeits fucked around with this message at 23:02 on Apr 8, 2012 |
# ? Apr 8, 2012 22:56 |
|
We've got a central datacentre and racks in a few other sites. I'm installing wireless access points in the others for my own convenience and I'm trying to figure out the way of doing it with the least mess but also the fewest changes to our existing setup. The one site up and running already is configured like this:

- DHCP server in our main DC on VLAN 222
- VLAN 222 carried by our aggregation 7600s
- VLAN 222 trunked on a link between an aggregation 7600 and a backbone 7600
- The backbone router side of that link has a subinterface with encapsulation dot1q 222 and an MPLS xconnect to an ME 3600 at the other site (since it would be messy to go trunking the VLAN over the backbone links in between)
- Access point on a switch port of the ME 3600, which is set to access mode on interface VLAN 222, which is configured as the other side of the xconnect (don't know why, but we can't do subinterfaces on it and have to put the xconnects inside interface VLANs).

This setup is working fine for this one access point. The problem that I am met with now is that I can't create a second xconnect from the backbone 7600 to another site - I get:

%Configuration of multiple subinterfaces of the same main interface with the same VID (222) is not permitted. This VID is already configured on GigabitEthernet2/9.1222.

Does anyone have any suggestions on how to best set this up? I need to avoid trunking VLAN 222 over our backbone (I have colleagues to contend with who wouldn't like it), I don't want to set up separate physical links between the aggregation and backbone 7600s just to do separate xconnects. We've got 2 more sites to get the access points in, one uses another ME 3600 and the other a 7600.
|
# ? Apr 9, 2012 08:40 |
|
Anjow posted:Access point on a switch port of the ME 3600, which is set to access mode on interface VLAN 222, which is configured as the other side of the xconnect (don't know why, but we can't do subinterfaces on it and have to put the xconnects inside interface VLANs). Why do you want to use xconnect for this setup? If you have a working MPLS backbone (which you have, judging by xconnect), there should be no problem creating a separate vrf just for wifi. You will just need one vlan and subnet per site to terminate AP on PE. Afterwards you can easily add/remove additional sites. AtmaHorizon fucked around with this message at 11:38 on Apr 9, 2012 |
# ? Apr 9, 2012 11:35 |
|
The ME3600 doesn't support xconnect via subints. It uses EVC+SVI or possibly just under the EVC (SE told me real soon now). At layer 2 if you can get away with separate trunks per AP you can use regular EoMPLS, if you need all the APs in the same broadcast domain setup VPLS. Or as was previously mentioned if a layer 3 solution will work for you setup a separate VRF.
tortilla_chip fucked around with this message at 20:57 on Apr 9, 2012 |
# ? Apr 9, 2012 16:18 |
|
Thanks - I'll look into the VRF solution.
|
# ? Apr 9, 2012 16:39 |
|
ZeitGeits posted:This might help: http://ogenstad.net/2007/11/14/cisco-asa-5500-and-the-hunt-for-the-lost-gateway/

ICMP doesn't have anything to do with this. If you are configuring a static route and do not see that route in the table check ARP. If the next hop can't be resolved in ARP the rule will not be inserted in the table. This is consistent across all Cisco devices to the best of my knowledge. Additionally connected routes that are SVI based will not be populated unless the SVI is up/up. Depending on configuration that requires an access port that is up and assigned to that VLAN or the VLAN is being trunked. But yes 7.2.2 is ancient and I can't begin to tell you the number of bugs that are fixed from release to release. Additionally access-lists that are bound to interfaces on ASA should only affect traffic through the box. There is a control-plane option (or something like that) that you can add which then deals with to/from the box traffic. This is similar to ssh/telnet/icmp x.x.x.x commands just with greater fidelity.

EDIT: In some cases if you see traffic getting black holed double check that the next hop is in ARP as well. Sometimes

Tremblay fucked around with this message at 05:28 on Apr 11, 2012 |
# ? Apr 10, 2012 21:49 |
|
To preface this question I am only just getting started in Cisco configuration so I don't know the advanced stuff yet. That said my boss wants us to somehow find a way to stop wireless devices from working when plugged in unless we add the MAC to a filter or something. Is there any way using Cisco layer 3 switches, core switches, or ASAs to do this that wouldn't be a nightmare? Or is a NAC the solution?
|
# ? Apr 10, 2012 23:30 |
|
Does he mean Wireless Access points, or does he want the wireless on say a laptop to not work if they are plugged in via copper ethernet?
|
# ? Apr 11, 2012 01:13 |
|
Powercrazy posted:Does he mean Wireless Access points, or does he want the wireless on say a laptop to not work if they are plugged in via copper ethernet? He means access points.
|
# ? Apr 11, 2012 01:49 |
|
Senior Funkenstien posted:He means access points.
|
# ? Apr 11, 2012 03:05 |
|
Senior Funkenstien posted:He means access points. Will users always connect to the same physical ports or will they be moving stuff around? Port-Security will be easy to implement if the devices don't move around. If they do then you'll want to use 802.1x. It's not that horrible an experience to setup especially on a small deployment.
|
# ? Apr 11, 2012 05:31 |
|
If you're setting up a 'private' WAN using MPLS or metro ethernet or something, is there a good reason to have full-on firewalls at each office, or can you just hook them together with plain old Cisco routers? I can understand if you're using a secondary internet connection (and just using the WAN for accessing the internet corporate network), you'd want to have a 'real' firewall because of that. But if you're just tying into the home office, is it really needed?
|
# ? Apr 11, 2012 14:10 |
|
Senior Funkenstien posted:He means access points.

Turn on BPDU Guard, APs are basically switches, and so they will send BPDUs. The other option is to turn on port-security and limit each port to a single MAC address.

quote:MPLS Firewalls

Otherwise having the usual router security feature in place is good enough.

ate shit on live tv fucked around with this message at 15:32 on Apr 11, 2012 |
# ? Apr 11, 2012 15:29 |
|
There are major caveats to Cisco's rogue AP detection. For instance, it relies on the ability of the radios to connect to a visible SSID and send probe packets back to their controller, of which there are myriad reasons why that probe may not succeed. I think the general consensus is that it's better than nothing, but I certainly wouldn't rely on it.
|
# ? Apr 11, 2012 16:32 |
jwh posted:There are major caveats to Cisco's rogue AP detection. For instance, it relies on the ability of the radios to connect to a visible SSID and send probe packets back to their controller, of which there are myriad reasons why that probe may not succeed.

I think the Rogue on the wire feature is OK. But it does need to be able to see the rogue SSID and pick up its mac-address to search the switches for which port it's connected to. I love being able to find that device that way though. Combine the rogue detection with dhcp snooping and a few other things and you've got yourself an ok setup. It is better than nothing in my opinion.

Question: I just put DHCP snooping on a switch stack in a campus building. We have two fiber links over to it in port channel to connect to our core, just like all my wiring closets I have in my own building. I put dhcp snooping trust on the port channel line that goes to my core switches, and turned it on for the vlans I wanted just like my switch closets and it started dropping the dhcp requests. The only difference in this situation is that I have a 2nd stack of 3750's coming off the first stack via two gbic's and copper using a port channel as well. Here's the bits I used in my config:

ip dhcp snooping
ip dhcp snooping vlan 1,x-y,Z
int po1
ip dhcp snooping trust

Am I missing something? I did the exact same thing on 7 other stacks of switches and haven't had a problem. My stacks go Core--->po1 two fiber links to Stack 1---> Two copper links to Stack 2. I put the IP dhcp snooping trust on the port channel going TO my core switches on Stack 1. Then I put the dhcp snooping trust on the port channel going from Stack 2 to Stack 1. I did NOT put dhcp snooping trust on the port channel located on Stack 1 that connects to Stack 2. In my mind that would say "any dhcp request that could come from Stack 2 via a rogue device would be accepted dhcp packets on Stack 1"
|
|
# ? Apr 11, 2012 17:55 |
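An added model of the Catalyst DHCP snooping drop rules, traced over the Core -> Stack 1 -> Stack 2 layout in the post above (illustrative code written for this thread, not Cisco's implementation; the switch names, port names and client MAC are constructed). It shows how a client DISCOVER that Stack 2 forwards with option 82 inserted is dropped at Stack 1's untrusted port toward Stack 2, and which two settings on Stack 1 let it through.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # messages only a DHCP server should send


@dataclass
class DhcpPacket:
    msg_type: str                  # DISCOVER, REQUEST, OFFER, ACK, ...
    src_mac: str                   # Ethernet source address
    chaddr: str                    # client hardware address in the DHCP header
    giaddr: str = "0.0.0.0"        # relay agent address
    option82: bool = False         # relay-agent information option present


@dataclass
class Switch:
    name: str
    trusted_ports: set = field(default_factory=set)
    insert_option82: bool = True         # IOS default once snooping is enabled
    allow_untrusted_opt82: bool = False  # 'ip dhcp snooping information option allow-untrusted'
    verify_mac: bool = True              # 'ip dhcp snooping verify mac-address' (default on)

    def ingress(self, pkt, port):
        """Return (forwarded, reason) for a DHCP packet arriving on `port`."""
        if port in self.trusted_ports:
            return True, f"{self.name}: trusted port {port}"
        # Checks the Catalyst guidelines apply to untrusted ports
        if pkt.msg_type in SERVER_MSGS:
            return False, f"{self.name}: server message on untrusted {port}"
        if self.verify_mac and pkt.src_mac != pkt.chaddr:
            return False, f"{self.name}: source MAC != chaddr on untrusted {port}"
        if (pkt.option82 or pkt.giaddr != "0.0.0.0") and not self.allow_untrusted_opt82:
            return False, f"{self.name}: option 82 on untrusted {port}"
        if self.insert_option82:
            pkt.option82 = True       # the switch adds its own relay-agent info
        return True, f"{self.name}: accepted on untrusted {port}"


def trace_discover(path, pkt):
    """Walk a client DISCOVER hop by hop; path is [(switch, ingress_port), ...]."""
    log = []
    for sw, port in path:
        ok, why = sw.ingress(pkt, port)
        log.append(why)
        if not ok:
            return False, log
    return True, log


def build_path(stack1_trusts_po2=False, stack1_allows_untrusted=False):
    """Constructed topology: client -> Stack2 -> Po2 on Stack1 -> Po1 to core."""
    stack2 = Switch("Stack2", trusted_ports={"Po1"})   # Po1 faces Stack1
    stack1 = Switch("Stack1", trusted_ports={"Po1"},   # Po1 faces the core
                    allow_untrusted_opt82=stack1_allows_untrusted)
    if stack1_trusts_po2:
        stack1.trusted_ports.add("Po2")
    return [(stack2, "Gi1/0/5"), (stack1, "Po2")]


def client_discover():
    mac = "aa:bb:cc:00:00:01"      # constructed client MAC, matches chaddr
    return DhcpPacket("DISCOVER", mac, mac)
```

With the defaults the trace stops at Stack1 with an option 82 reason; trusting Po2 on Stack1 or enabling allow-untrusted there lets the DISCOVER reach the core-facing trusted port.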
|
Langolas posted:I think the Rogue on the wire feature is OK. But it does need to be able to see the rogue ssid and pick up its mac-address to search the switches for which port its connected to. I love being able to find that device that way though. Combine the rogue detection with dhcp snooping and a few other things and you've got yourself an ok setup. It is better than nothing in my opinion. NCS can do this http://www.cisco.com/en/US/prod/collateral/wireless/ps5755/ps11682/ps11686/ps11688/data_sheet_c78-650051.html
|
# ? Apr 11, 2012 20:21 |
|
Powercrazy posted:With a Private MPLS carrier there is no reason to have a firewall setup between branch and head office unless your intent is to protect your datacenter from your international branch offices. I guess my response is that if you trust your carrier, there is no reason to do it, but if you don't trust them, it might not be a terrible idea. I do need to add this disclaimer: I don't trust anyone.
|
# ? Apr 12, 2012 00:43 |
|
adorai posted:I don't necessarily agree. We have contemplated running ipsec VPNs over our MPLS links to protect ourselves against unscrupulous carrier technicians or colo employees. While the possibility of a breach from these sources is unlikely, it is not completely impossible to rule out. There is even the potential of a paperwork problem or a fat finger putting someone else on your MPLS network, though that is also very remote. Now a VPN is on a different level than a firewall, but ultimately they try to accomplish the same thing -- limiting access. I guess I find myself agreeing with everything you say here.
|
# ? Apr 12, 2012 04:54 |
|
adorai posted:...There is even the potential of a paperwork problem or a fat finger putting someone else on your MPLS network... This has happened several times to my organization, and while it didn't take long to identify what had happened it was a huge wtf moment for us.
|
# ? Apr 12, 2012 08:39 |
|
Sorry if this isn't the right type of question for this thread. Our company is moving offices. We're a small shop, so we have outsourced our IT infrastructure management. As part of the move, we have asked the IT management company to move our ASA and hook it back up at the new place. The line item on the estimate for configuring the firewall in the new office is $2200. We're not changing any firewall rules, or anything like that. We just want it configured for the new location. My only experience even remotely in this area is working with m0n0wall 6 years ago, but even to me, this seems like a lot for what they're doing. My boss _did_ make the mistake of telling them that we're cancelling their contract before they gave us this estimate, so part of me feels like they're trying to take us for as much as they can while we're still on the hook. Am I missing something?
|
# ? Apr 12, 2012 13:38 |
|
adorai posted:I don't necessarily agree. We have contemplated running ipsec VPNs over our MPLS links to protect ourselves against unscrupulous carrier technicians or colo employees. While the possibility of a breach from these sources is unlikely, it is not completely impossible to rule out. There is even the potential of a paperwork problem or a fat finger putting someone else on your MPLS network, though that is also very remote. Now a VPN is on a different level than a firewall, but ultimately they try to accomplish the same thing -- limiting access.
|
# ? Apr 12, 2012 15:43 |
|
Being provisioned into the wrong vrf happens all the time.
|
# ? Apr 12, 2012 15:56 |
|
gold brick posted:Sorry if this isn't the right type of question for this thread. I don't think you are. Are they saying it's X hours of work at a certain rate or is it just flat $2200? Just as a swag rate I bill out at $68-75 an hour on side jobs. I can guarantee you that it wouldn't take me 30 hours to do what you are asking for.
|
# ? Apr 12, 2012 17:28 |
|
gold brick posted:Am I missing something?
|
# ? Apr 12, 2012 17:32 |
|
I have a short Cisco question and no idea where else to ask it. I was just given 2x IEM-3000-8FM expansion modules that a customer returned but our supplier wouldn't take back. What the hell are they worth, and anyone want them/know somewhere I could unload them? They are NIB. I'm seeing like 800-1500 a pop for prices online, but I don't even know where to begin trying to unload them. Anyone need one?
|
# ? Apr 12, 2012 18:39 |
|
eBay! We've bought loads of Cisco stuff from eBay. I was astonished when I first saw the guys doing it, but we've not been burned yet, after more than $100k spent.
|
# ? Apr 12, 2012 20:19 |
|
Anjow posted:eBay! We've bought loads of Cisco stuff from eBay. I was astonished when I first saw the guys doing it, but we've not been burned yet, after more than $100k spent. What do you do for support contracts?
|
# ? Apr 12, 2012 20:47 |
|
Fatal posted:What do you do for support contracts?
|
# ? Apr 12, 2012 20:50 |
|
aksuur posted:Sounds like they're taking you for a ride, assuming you have just one internet connection. Maybe if you're load balancing or doing some kind of failover it might be more involved, but still nowhere near what they're asking. Since you've announced the intention to stop doing business with them, have they provided you the administrative credentials for the box? Or that could be their generic "reconfigure a firewall" price. Maybe they're not interested in the job if it's just changing one line, or maybe that's what they charge regardless of how much work it is, or maybe they're anticipating testing every port forward, ACL rule, etc?
|
# ? Apr 12, 2012 21:26 |
|
Ninja Rope posted:Or that could be their generic "reconfigure a firewall" price. Maybe they're not interested in the job if it's just changing one line, or maybe that's what they charge regardless of how much work it is, or maybe they're anticipating testing every port forward, ACL rule, etc?
|
# ? Apr 12, 2012 22:28 |
|
|
Bluecobra posted:In the case of a something like a Catalyst 6500, you get smartnet on the chassis which will cover all the line cards on the chassis. You do assume the risk of getting stolen/counterfeit hardware though.

Yeah. Only once or twice has my company run into hardware that Cisco won't sell smartnet on, and then there are third-party vendors who will be happy to take your money in exchange for hardware/software support.
|
# ? Apr 13, 2012 01:42 |