workape
Jul 23, 2002

Does anyone have any experience with external federation with CUPS? We're bringing it online and I've got requests to be able to speak out with Google, AOL, Yahoo and Live. AOL and Google look simple, but Yahoo and Live are evading me in documentation.


FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE
Why in God's name did Juniper put an out-of-band management port on the SRXs if you can't actually put it in its own routing instance so it can actually be out of band?

ragzilla
Sep 9, 2005
don't ask me, i only work here


FatCow posted:

Why in God's name did Juniper put an out-of-band management port on the SRXs if you can't actually put it in its own routing instance so it can actually be out of band?
Is it like the GSR OOB, which was in the global table, but the fabric couldn't talk to it?

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

FatCow posted:

Why in God's name did Juniper put an out-of-band management port on the SRXs if you can't actually put it in its own routing instance so it can actually be out of band?

Are you talking about the FXP port?

the spyder
Feb 18, 2011
Has anyone ever had an ASA drop the WAN link after 4-5 minutes? The interface shows as up then down, yet the link lights never change. I can ping, then I cannot. I am starting to wonder if it is my crappy DSL modem.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

the spyder posted:

Has anyone ever had an ASA drop the WAN link after 4-5 minutes? The interface shows as up then down, yet the link lights never change. I can ping, then I cannot. I am starting to wonder if it is my crappy DSL modem.
I've seen all sorts of Cisco gear do this due to a speed/duplex mismatch or failure to auto-negotiate (which is ultimately the same thing). Link comes up for a few minutes, then goes down.

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE

ragzilla posted:

Is it like the GSR OOB, which was in the global table, but the fabric couldn't talk to it?

Not quite that bad, but it appears you can't put it into a virtual router and I'm not licensed for logical routers. Also I've been using Junos for all of a week so there may be something obvious I'm missing.

routenull0 posted:

Are you talking about the FXP port?

Yes.

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

FatCow posted:

Not quite that bad, but it appears you can't put it into a virtual router and I'm not licensed for logical routers. Also I've been using Junos for all of a week so there may be something obvious I'm missing.


Yes.

Yeah, the FXP is not designed to be anything other than an entry point for management only. You cannot route traffic through it out of the control plane. You can source stuff from it like syslog, RADIUS, etc. if you wish.

DrOgdenWernstrom
Sep 9, 2009

I reject your reality
And substitute my own
Anyone have experience with Web Auth passthrough on Cisco WLC's?

I'm having a problem with iPhones where, when I select an SSID that has passthrough configured, the iPhone's "Log-In" window pops up trying to load http://www.apple.com but can't, and never loads the web auth page. If I go into the network settings on the iPhone and disable "auto-login" I can connect to the network, open a browser, and get to the passthrough page. But this isn't a good solution for a public wifi network for a large municipality.

I am using Ubuntu Server with Bind9 as the DNS server and we have a 3rd-party issued cert. We have a Cisco 5508 using 3502E APs and NCS.


the spyder
Feb 18, 2011

adorai posted:

I've seen all sorts of Cisco gear do this due to a speed/duplex mismatch or failure to auto-negotiate (which is ultimately the same thing). Link comes up for a few minutes, then goes down.

I remember reading about it, I will go ahead and manually set the speed and see if it helps.

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

the spyder posted:

I remember reading about it, I will go ahead and manually set the speed and see if it helps.

Look for runts and/or giants on the interface counters, that will point in the direction of speed/duplex mismatch.

If you hard-code, you want to make sure the other end is hard-coded as well.

the spyder
Feb 18, 2011
Turns out my crappy DSL modem does not like me. I wiped the config, rebuilt it with DHCP for my VLAN 2 outside address, told it to get the default route from DHCP, and all is well. It has been up for 10+ hours straight.


Bit worried that I went a bit underpowered on the ASA5505 after doing some reading. I have three connections for this to handle, a 100mb Cable line + 5mb DSL + 100mb Fiber. I know we will be maxing the fiber pretty regularly. Thinking of upgrading to a 5515-x.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR

liveify posted:

Anyone have experience with Web Auth passthrough on Cisco WLC's?

I'm having a problem with iPhones where, when I select an SSID that has passthrough configured, the iPhone's "Log-In" window pops up trying to load http://www.apple.com but can't, and never loads the web auth page. If I go into the network settings on the iPhone and disable "auto-login" I can connect to the network, open a browser, and get to the passthrough page. But this isn't a good solution for a public wifi network for a large municipality.

I am using Ubuntu Server with Bind9 as the DNS server and we have a 3rd-party issued cert. We have a Cisco 5508 using 3502E APs and NCS.

Gotta be something with the iPhone itself, right? I don't recall having to do anything fancy to set our portal up. Just takes you to 1.1.1.1 with a UN/PW field.

wolrah
May 8, 2006
what?

adorai posted:

I've seen all sorts of Cisco gear do this due to a speed/duplex mismatch or failure to auto-negotiate (which is ultimately the same thing). Link comes up for a few minutes, then goes down.

Is there actually a good reason why Cisco (and other "enterprise" network gear, but most often Cisco) still can't seem to manage to autonegotiate properly? I have literally never once had an autonegotiation failure on consumer/SoHo hardware, but if there's something Cisco in play there's a 50/50 shot that at least one interface will end up hardcoded. Same with the non-Cisco but still "enterprise" switches Time Warner and others use for their fiber deployments. I really don't get why crap $10 hardware can do it perfectly every time, but hardware costing hundreds or thousands can't.

ate shit on live tv
Feb 15, 2004

by Azathoth
On SOHO equipment, if you get a duplex mismatch at the switch you'll never notice. On Cisco/Juniper etc. you will. Also the GigE standard is fairly recent, and when enterprise gear was first to market it hadn't been standardized yet, thus lots of GigE ports on, say, a 6500 aren't up to spec and will have lots of issues, whereas your new laptop will have no problem.

Also the enterprise world is full of conflicting "industry" standards and it is usually a toss up which particular standard your equipment will support (sometimes both).

Basically check this out:
http://en.wikipedia.org/wiki/Gigabit_Ethernet#1000BASE-T

DrOgdenWernstrom
Sep 9, 2009

I reject your reality
And substitute my own

Zuhzuhzombie!! posted:

Gotta be something with the iPhone itself, right? I don't recall having to do anything fancy to set our portal up. Just takes you to 1.1.1.1 with a UN/PW field.

I've tried it on multiple iPhones. Same problem.

ior
Nov 21, 2003

What's a fuckass?

DrOgdenWernstrom posted:

Anyone have experience with Web Auth passthrough on Cisco WLC's?

Haven't tried this myself, but:

Apple devices have a feature to detect the presence of a captive portal and generate an HTTP request to an Apple website - this allows non-browser applications to access the Internet without having to launch a web browser. Web Auth is done via a pop-up window. However the pop-up window does not allow the end user to accept self-signed certificates.

WLC command to spoof the request to apple.com :
config network web-auth captive-bypass enable

DrOgdenWernstrom
Sep 9, 2009

I reject your reality
And substitute my own
Ior,

That command won't execute on my 5508. Tells me the command is invalid.

We have a cert issued by a 3rd party.

CrackTsunami
Sep 21, 2004
I enjoy the eating of babies.

FatCow posted:

Not quite that bad, but it appears you can't put it into a virtual router and I'm not licensed for logical routers. Also I've been using Junos for all of a week so there may be something obvious I'm missing.


Yes.

Keep it in inet.0, place everything else in another VR called transit-vr or something. We ended up having to do this with a bunch of 3600s due to the OOB subnet being present from other sources (ospf, etc).

DrOgdenWernstrom
Sep 9, 2009

I reject your reality
And substitute my own
Is it best practice to have the AP-manager (might be using the wrong terminology: the interface that has Enable Dynamic AP Management enabled) on a separate VLAN from the Management interface on a Cisco 5508?

para
Nov 30, 2006

I've got a quick NAT question with ASA 8.2's.

I have two sites, each with their own internet connection, and each connected together over a private WAN.

Both of these offices have an ASA configured with standard PAT that allows users to get out to the internet.

The company email server resides at Site A. The global MX records point to 50.1.1.1 with a backup record to 50.2.2.2.

In the event Site A's internet connection goes down, we would like email to go to 50.2.2.2. So on Site B's ASA I have a static NAT..

code:
static (inside,outside) tcp interface smtp 10.1.1.100 smtp netmask 255.255.255.255

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

The problem with this is the email server sees the source as whatever the user's global IP was and tries to send it out to Internet A. Instead, it needs to go back out over Internet B.

I believe the solution to this may be outside NAT? I have never used outside NAT and am not sure how to set it up or if it is appropriate for this situation.

code:
access-list email_nat extended permit tcp any any eq smtp
nat (outside) 2 access-list email_nat outside
global (inside) 2 interface

Would this work and is this the correct approach?

ior
Nov 21, 2003

What's a fuckass?

DrOgdenWernstrom posted:

Ior,

That command won't execute on my 5508. Tells me the command is invalid.

We have a cert issued by a 3rd party.

Upgrade to 7.2MR1 :)

DrOgdenWernstrom posted:

Is it best practice to have the AP-manager (might be using the wrong terminology: the interface that has Enable Dynamic AP Management enabled) on a separate VLAN from the Management interface on a Cisco 5508?

Can't think of a reason it should be. The APs need to communicate with both the ap-manager and the management interface anyhow.

ior fucked around with this message at 22:49 on Jun 5, 2012

Moey
Oct 22, 2010

I LIKE TO MOVE IT
Soooo, I am sure everyone in here would be appalled at the setup I am working with, but this is one of the items coming up on my hit list to fix before I look for a better job.

I am configuring a Catalyst 3750 to do some slight VLAN/routing out at our newly acquired colo. I was browsing through the current config of these switches at my work (two of them in identical setups), and realized that we do not have any true management network set up.

How unusual is this for a small/mid-sized company (around 280 employees)? I understand that this leaves everything on my network open to everyone/everything. Thinking about it now, if someone wanted to be malicious and was not an idiot, it would not be too difficult. Also, what are some best practices on this? Set up a completely different subnet for management that only certain workstations can access?

Also, our 3750's are currently running iOS 12.2 (I believe). Is there much work behind getting that up to date?

Moey fucked around with this message at 00:42 on Jun 6, 2012

ragzilla
Sep 9, 2005
don't ask me, i only work here


Moey posted:

How unusual is this for a small/mid-sized company (around 280 employees)? I understand that this leaves everything on my network open to everyone/everything. Thinking about it now, if someone wanted to be malicious and was not an idiot, it would not be too difficult. Also, what are some best practices on this? Set up a completely different subnet for management that only certain workstations can access?
This isn't uncommon at all. Everything has passwords right?

Moey posted:

Also, our 3750's are currently running iOS 12.2 (I believe). Is there much work behind getting that up to date?
You'll need a service contract (SmartNET). And IOS on 3750 classic only goes up to 12.2 anyway, although it is up to 12.2(55)SE1 or something now I believe in that 12.2SE train.

Look at the release notes on Cisco.com and see if there's anything between your current version, and 12.2(55) you can't live without.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

Moey posted:

How unusual is this for a small/mid sized company (around 280 employees)?
Do you have a team dedicated to supporting networking equipment, or do you have a general IT team that does it all? One of these would utilize a management network, the other would not.

Moey
Oct 22, 2010

I LIKE TO MOVE IT
No one here is dedicated to networking, or any item in general. I have pretty much taken over the VMware portion of everything. I have finally corrected everything on our two sites.

We just got a colo, so now along with the rest I am looking into the networking, because I have a few days to get this together.

As for software updates, I was told that we are still paying for updates, so I should be able to figure out how to update the iOS.

Edit: on my phone right now, yes everything has passwords.

Moey fucked around with this message at 05:32 on Jun 6, 2012

Bluecobra
Sep 11, 2001

The Future's So Bright I Gotta Wear Shades

para posted:

The problem with this is the email server sees the source as whatever the user's global IP was and tries to send it out to Internet A. Instead, it needs to go back out over Internet B.
I don't understand what you mean here. There shouldn't be any NAT between Site A and Site B; instead there should be static routes or routing protocols so you can reach hosts on either network. It sounds like inbound email is being delivered correctly when Internet A is down and the problem is outbound email isn't being delivered. My guess is that your mail server is trying to send mail outside its network so it goes to its default gateway (10.1.1.1), which likely has a default route to go to Internet A's IP address. If the link to Internet A goes down, the static route gets removed from the routing table and all packets are discarded.

For example, under normal conditions your email server (10.1.1.100) tries to send a message to bob@gmail.com (173.194.77.27). That IP address isn't in the 10.1.1.100 subnet, so it sends this to the default gateway (assuming 10.1.1.1). Your ASA receives this packet and sees if it has a learned or static route for 173.194.77.27. It doesn't, so it sends it to its default route to "Internet A" and lets their routers decide how to reach 173.194.77.27. There is much more detail I left out (like your email server querying DNS, and that NAT/PAT on the ASA is translating 10.1.1.100 to an external address), but this should be the general flow when things are working normally.

I think the quickest way to fix this is to add a second default/backup route with a higher administrative distance that will get to Site B's ASA. That would fix the problem when the actual interface goes down, but not fix it if the interface is up and the problem is upstream. If you want to fix that problem, you will need to track reachability of a given route to verify the connection is working. See this article for more info:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Also I really hope you aren't actually using 50.1.1.1 and 50.2.2.2 as IP's in your network and just made those up for your diagram. (Unless you actually own this address space)

inignot
Sep 1, 2003

WWBCD?
How is everyone's IPv6 day going?

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

inignot posted:

How is everyone's IPv6 day going?

I saw on NANOG that Comcast turned up IPv6 for MX on the comcast.com domain and around a minute later they got their first spam via IPv6. Even spammers are participating!

quote:

In preparation for the World IPv6 Launch, inbound (SMTP) email to the
comcast.net domain was IPv6-enabled today, June 5, 2012, at 9:34 UTC.
Roughly one minute later, at 9:35:30 UTC we received our first
inbound email over IPv6 from 2001:4ba0:fff4:1c::2. That first bit of mail
was spam,

para
Nov 30, 2006

Bluecobra posted:

I don't understand what you mean here. There shouldn't be any NAT between Site A and Site B; instead there should be static routes or routing protocols so you can reach hosts on either network. It sounds like inbound email is being delivered correctly when Internet A is down and the problem is outbound email isn't being delivered. My guess is that your mail server is trying to send mail outside its network so it goes to its default gateway (10.1.1.1), which likely has a default route to go to Internet A's IP address. If the link to Internet A goes down, the static route gets removed from the routing table and all packets are discarded.

For example, under normal conditions your email server (10.1.1.100) tries to send a message to bob@gmail.com (173.194.77.27). That IP address isn't in the 10.1.1.100 subnet, so it sends this to the default gateway (assuming 10.1.1.1). Your ASA receives this packet and sees if it has a learned or static route for 173.194.77.27. It doesn't, so it sends it to its default route to "Internet A" and lets their routers decide how to reach 173.194.77.27. There is much more detail I left out (like your email server querying DNS, and that NAT/PAT on the ASA is translating 10.1.1.100 to an external address), but this should be the general flow when things are working normally.

I think the quickest way to fix this is to add a second default/backup route with a higher administrative distance that will get to Site B's ASA. That would fix the problem when the actual interface goes down, but not fix it if the interface is up and the problem is upstream. If you want to fix that problem, you will need to track reachability of a given route to verify the connection is working. See this article for more info:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Also I really hope you aren't actually using 50.1.1.1 and 50.2.2.2 as IP's in your network and just made those up for your diagram. (Unless you actually own this address space)
There is a lot of stuff I left out of this because it wasn't really part of the problem I'm trying to solve. For example, the email server sends all outgoing email to a spam filter at Site A. So in the event the internet there is down a relay server can be administratively configured to send it over to Site B where it would then go out to the internet there.

Site B is a DR site and I don't want internet traffic to fail over to there if Site A's internet goes out. Site A has other, better ways to get out.

The real problem here is incoming SMTP from the internet to Site B. With the static NAT on Site B's ASA, anything incoming to TCP 25 is NATed to be sent to the email server (10.1.1.100). Since this is TCP, two-way communication is opened with the client (say 12.12.12.12). However, the response back to 12.12.12.12 (the TCP handshake) would reach the user but appear to be coming from Site A's global IP of 50.1.1.1 instead of what the client actually tried to connect to (50.2.2.2).

The end result needs to be that the client can open an SNMP session with either 50.1.1.1 or 50.2.2.2 and the actual session would connect to the email server at Site A.
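A small Python model of the return-path problem para describes, added here as an example (it is not code from the thread): it traces the SYN-ACK for a connection to the backup MX with the static NAT alone, and again with outside NAT added on Site B's ASA. Site B's inside interface address 10.2.2.1 and its LAN 10.2.2.0/24 are assumed for the model; the other addresses are the ones in the post.

```python
from dataclasses import dataclass, replace
import ipaddress

SITE_A_PUBLIC = "50.1.1.1"     # Site A ASA outside, primary MX (from the post)
SITE_B_PUBLIC = "50.2.2.2"     # Site B ASA outside, backup MX (from the post)
MAIL_SERVER = "10.1.1.100"     # at Site A, default gateway is Site A's ASA
SITE_B_INSIDE = "10.2.2.1"     # assumed: Site B ASA inside interface
SITE_B_LAN = ipaddress.ip_network("10.2.2.0/24")  # assumed: routed over the WAN
CLIENT = "12.12.12.12"         # internet sender from the post


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    kind: str   # "SYN" or "SYN-ACK"


def site_b_outside_to_inside(pkt, xlate, outside_nat):
    """Site B ASA, outside -> inside.
    The static 'tcp interface smtp 10.1.1.100 smtp' rewrites the destination.
    With outside NAT ('nat (outside) ... outside' + 'global (inside) ... interface')
    the source also becomes the inside interface, and the real client address
    is kept in the xlate table so the reply can be un-translated."""
    if pkt.dst != SITE_B_PUBLIC:
        return None
    pkt = replace(pkt, dst=MAIL_SERVER)
    if outside_nat:
        xlate[SITE_B_INSIDE] = pkt.src
        pkt = replace(pkt, src=SITE_B_INSIDE)
    return pkt


def site_a_forward(pkt):
    """Routing at Site A for a packet the mail server sends. Only Site B's LAN
    is known over the private WAN; anything else follows the default route out
    of Site A's ASA, whose dynamic PAT rewrites the source to 50.1.1.1 as a
    brand-new translation that has nothing to do with the client's SYN."""
    if ipaddress.ip_address(pkt.dst) in SITE_B_LAN:
        return "wan_to_site_b", pkt
    return "internet_a", replace(pkt, src=SITE_A_PUBLIC)


def site_b_inside_to_outside(pkt, xlate):
    """Site B ASA, inside -> outside: undo the static (source) and the
    outside NAT (destination) translations from the xlate table."""
    src = SITE_B_PUBLIC if pkt.src == MAIL_SERVER else pkt.src
    dst = xlate.get(pkt.dst, pkt.dst)
    return replace(pkt, src=src, dst=dst)


def backup_mx_handshake(outside_nat):
    """Run the SYN / SYN-ACK exchange and report what each side sees."""
    xlate = {}
    syn = Packet(CLIENT, SITE_B_PUBLIC, "SYN")
    at_server = site_b_outside_to_inside(syn, xlate, outside_nat)
    # The server answers whichever address the SYN appeared to come from.
    synack = Packet(MAIL_SERVER, at_server.src, "SYN-ACK")
    path, synack = site_a_forward(synack)
    if path == "wan_to_site_b":
        synack = site_b_inside_to_outside(synack, xlate)
    return {
        "server_sees_client_as": at_server.src,
        "return_path": path,
        "client_sees_reply_from": synack.src,
        # The client only accepts a SYN-ACK from the address it connected to.
        "handshake_completes": synack.src == SITE_B_PUBLIC and synack.dst == CLIENT,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("outside NAT" if mode else "static only:", backup_mx_handshake(mode))
```

The trade-off the model makes visible: with outside NAT the mail server logs every connection that arrived via Site B as coming from 10.2.2.1, so sender-IP based spam filtering and forensics on the server lose the real client address. Site B's ASA connection/xlate logs become the only record of who actually connected, so retain them.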

Moey
Oct 22, 2010

I LIKE TO MOVE IT

ragzilla posted:

This isn't uncommon at all. Everything has passwords right?

You'll need a service contract (SmartNET). And IOS on 3750 classic only goes up to 12.2 anyway, although it is up to 12.2(55)SE1 or something now I believe in that 12.2SE train.

Look at the release notes on Cisco.com and see if there's anything between your current version, and 12.2(55) you can't live without.

Looks like we are running iOS 12.2(53)SE2, and the current for that switch is 12.2(55)SE5.

Not worrying about features, should updating to the most current iOS be valuable from a security perspective (vulnerability patches)?

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Moey posted:

Looks like we are running iOS 12.2(53)SE2, and the current for that switch is 12.2(55)SE5.

Not worrying about features, should updating to the most current iOS be valuable from a security perspective (vulnerability patches)?

See if there are any PSIRT notices against the release you are running.

Moey
Oct 22, 2010

I LIKE TO MOVE IT

Tremblay posted:

See if there are any PSIRT notices against the release you are running.

Seems to be 5 published, I do not think any of them apply to our scope of use.

Thanks for this! Now just to make myself a little more competent in getting this configured!

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Do iPhones autocorrect IOS to iOS?

Nitr0
Aug 17, 2005

IT'S FREE REAL ESTATE
yes

some kinda jackal
Feb 25, 2003


inignot posted:

How is everyone's IPv6 day going?

A dog bit me and I can't find my favourite hat.

loving IPv6 rollout.

Obama 2012
Mar 28, 2002

"I never knew what hope was until it ran out in a red gush over my lips, my hands!"

-Anne Rice, Interview with the President
I have two related questions regarding my lab build of ICM 8.5(3):

Firstly, Ops Console shows my Unified CVP Call Server status as 'Partial' (rather than 'Up'). The last time I had this issue, it was because my CVP PG had a different logical ID configured than had been set on the AW, but I've already confirmed that's not the case this time around. Where else should I be looking to get my status to full 'Up'?

Also, I can't seem to check up on my PIM status on the CVP PG because, in the move to Win 2008 R2, I've lost the handy taskbar terminal windows that track the status of processes. According to Cisco, the job now falls to EMSMON, but I can't seem to find a way to get it to tell me what I need to know. Can anyone help me with monitoring processes on Win 2008 R2 using EMSMON?

Ninja Rope
Oct 22, 2005

Wee.
I'm really surprised how much IPv6 traffic we're getting. I thought it would be negligible but it's pretty significant. I almost want to go find what's misconfigured in the monitoring.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
I was thinking of checking that today but couldn't think of a simple way to separate the traffic since all transit interfaces are dual stack. What's your method?


Ninja Rope
Oct 22, 2005

Wee.
Per-VIP statistics off of the load balancers. Cheating, I know.
