|
One of our 3750X switches suffered some damage. Anyone know if the StackWise module is replaceable? I can't find any info on removing it or a part number. 
|
#
?
Jul 16, 2012 18:54
|
|
|
|
| # ? May 15, 2024 00:12 |
|
|
Does 'show module' or 'show diag' (or whatever) show it as a module? If so it tends to list a part number.
|
|
#
?
Jul 16, 2012 19:27
|
|
|
I think for this switch/OS it's show inventory. Unfortunately it only shows the power supplies, 1 and 10 gig modules, and SFPs. Funny that it doesn't show the fans, because those are hot swappable as well.
|
|
#
?
Jul 16, 2012 20:05
|
|
|
show inventory raw I think it is.
|
|
#
?
Jul 16, 2012 21:39
|
|
|
If you are running 15.0 code, I believe sh ver, will break down all the parts. As well as the handy licensing...
|
|
#
?
Jul 16, 2012 22:04
|
|
|
No luck on any of those, but thanks  I guess we'll run it by our Cisco rep and see what we can do.
|
|
#
?
Jul 17, 2012 15:01
|
|
|
VR Cowboy posted:One of our 3750X switches suffered some damage. Anyone know if the StackWise module is replaceable? I can't find any info on removing it or a part number. Can't you also run these with just one stacking cable? I know the bandwidth is going to be reduced but at least it's not useless.
|
|
#
?
Jul 17, 2012 16:41
|
|
|
Fatal posted:Can't you also run these with just one stacking cable? I know the bandwidth is going to be reduced but at least it's not useless. We were for a long time and finally had a maintenance night to swap in a new one. Stacked switches are so nice.
|
|
#
?
Jul 17, 2012 16:48
|
|
|
My IOS-fu is weak, maybe you guys can help. I changed numbers here but the concept is the same: our subnet: 192.168.1.0/24 our server: 192.168.1.200 their subnet: 192.168.2.0/24 VPN is currently verified up and working with a loopback interface (10.20.30.40) on the UC. Remote site wants to see traffic coming from $SERVER_IP as 10.20.30.40 through this tunnel. It's the only machine on our network that will talk over this link. Traffic from 192.168.2.0/24 should be able to go back to this server, too. I know it's some NAT magic to make it work, but I'm having trouble determining where to put the statements. And I assume something will have to be done with the loopback.
|
|
#
?
Jul 17, 2012 17:42
|
|
|
aeflux posted:My IOS-fu is weak, maybe you guys can help. I changed numbers here but the concept is the same: code:falz fucked around with this message at 17:58 on Jul 17, 2012 |
|
#
?
Jul 17, 2012 17:55
|
|
|
The guy I talked to said this company has lots of VPN connections so they want to see our traffic coming as 10.20.30.40 instead of 192.168.1.200. To clarify: 10.20.30.40 is a loopback set for testing this VPN (before the server arrived). I can get rid of it. I have those natacls set up on fa0/0 for the VPN and everything works just peachy. Now I have to translate the traffic destined for 192.168.2.0 from 192.168.1.200 to 10.20.30.40.
|
|
#
?
Jul 17, 2012 18:07
|
|
|
Found an overlap writeup on Cisco similar to what is going on. Time to RTFM: http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a0ece4.shtml We don't have an overlap on our side (they do) so I can let the 192.168.2.0/24 traffic go right to 192.168.1.200.
|
|
#
?
Jul 17, 2012 19:20
|
|
|
aeflux posted:The guy I talked to said this company has lots of VPN connections so they want to see our traffic coming as 10.20.30.40 instead of 192.168.1.200. 
|
|
#
?
Jul 17, 2012 21:36
|
|
|
jwh posted:You should have told him that that was fine, he was free to NAT your packets however he liked Have literally done that before when we were running BGP with a bunch of clients.
|
|
#
?
Jul 18, 2012 03:11
|
|
|
jwh posted:You should have told him that that was fine, he was free to NAT your packets however he liked Then his boss gets an angry email from the business parter about how the security engineer isn't being helpful. Usually when that comes up I'll just force them to NAT too "Oh yeah, the IPs you're telling me to encrypt to are used in one of my intermediate segments, so you'll need to NAT as well". Share my pain.
|
|
#
?
Jul 18, 2012 03:42
|
|
|
ragzilla posted:Then his boss gets an angry email from the business parter about how the security engineer isn't being helpful. That's dirty. Anyone using Nexus 2248's for ToR?
|
|
#
?
Jul 18, 2012 13:46
|
|
|
Quick question, for Cisco ASA. Does anyone use the CLI to configure\manage access rules? Or is everyone using the ASDM?
|
|
#
?
Jul 18, 2012 16:19
|
|
|
I'm scared of managing the rules via CLI. On a side note, I'm glad Cisco finally created a way to do a global policy, as opposed to interface-specific policy. It makes things much easier when porting from other global-rule platforms.
|
|
#
?
Jul 18, 2012 16:24
|
|
|
jwh posted:I'm scared of managing the rules via CLI. Whereas I'm scared of changing things via the ASDM. I put a vpn-session-timeout in via the ASDM and when rancid picked up the change it let me know that somehow a vpn-tunnel-protocol statement went in too. Thankfully rancid noticed before my users did...
|
|
#
?
Jul 18, 2012 17:07
|
|
|
I work with ASA's and FWSM's every day and it's mostly via the ASDM. Rarely I'll have an issue that seems to be easier to shake out via CLI.
|
|
#
?
Jul 18, 2012 17:22
|
|
|
Tied game. I only use ASDM to configure some VPN policies, mostly RA.
|
|
#
?
Jul 18, 2012 17:33
|
|
|
I've never touched ASDM, worked pretty extensively with 7.x to 8.5 code. I kind of giggle when I see a ASA littered with DM_INLINE object groups
|
|
#
?
Jul 18, 2012 18:01
|
|
|
We use ASDM exclusively to guarantee that each tech does the same thing as the previous one. The only time we tend to delve into CLI is to tell someone's VPN partner that they're doing something stupid (like sending us a P1 proposal of only DES/MD5/DH2).
|
|
#
?
Jul 18, 2012 18:08
|
|
|
routenull0 posted:That's dirty. I have a some experience with Nexus stuff - mainly 7000s, 5000s and 2000s.
|
|
#
?
Jul 18, 2012 18:33
|
|
|
ASDM for vpn and ssl vpn configuration. CLI for everything else.
|
|
#
?
Jul 18, 2012 19:13
|
|
|
ASDM for everything because we have 3 folks that can make changes. That way there aren't multiple naming conventions, etc. FWIW, the CCNP Security exam uses ASDM.
|
|
#
?
Jul 18, 2012 19:20
|
|
|
lol internet. posted:Quick question, for Cisco ASA. Does anyone use the CLI to configure\manage access rules? Or is everyone using the ASDM? I don't deal with ASAs myself, but some people at my company do and nobody uses ASDM for anything, including this. I've come across a couple of customers using ASDM though.
|
|
#
?
Jul 18, 2012 19:25
|
|
|
What's the consensus on gear/hardware for setting up a small home ccna lab for studying? I've done some poking around on ebay for "CCNA Kits" and a lot of them are coming with 3 switches (2950s) and 2 routers (2610). I'm looking for something that can help me get my ccna but also be usable for the ccnp etc. Does anyone have any recommended sources besides ebay for looking for hardware?
|
|
#
?
Jul 18, 2012 19:58
|
|
|
Buy a few used switches from mfreeman@ecsunix.com who is/was a goon and use GNS3/Dynamips and a bunch of NICs to emulate the routers.
|
|
#
?
Jul 18, 2012 20:12
|
|
|
lol internet. posted:Quick question, for Cisco ASA. Does anyone use the CLI to configure\manage access rules? Or is everyone using the ASDM? I prefer CLI because notepad is my best friend. Also prefer the show commands for the troubleshooting.
|
|
#
?
Jul 18, 2012 21:51
|
|
|
One thing that is nice with ASDM is the CLI window. If you have a metric fuckton of poo poo you are trying to merge into a new ASA it works better than cut/paste into a Putty session.
|
|
#
?
Jul 19, 2012 00:59
|
|
|
namol posted:What's the consensus on gear/hardware for setting up a small home ccna lab for studying? I've done some poking around on ebay for "CCNA Kits" and a lot of them are coming with 3 switches (2950s) and 2 routers (2610). I'm looking for something that can help me get my ccna but also be usable for the ccnp etc. Does anyone have any recommended sources besides ebay for looking for hardware? From first hand experience you don't need to buy a kit for that. What is good to do is find some lab books you want to use and then plan your layout from that. A simple kit, 5 1721s, 1 AS2511-RJ, 1 2523, 2 3550s, a few WIC2Ts, some rollover cables for the access server, crossovers and patch cables.
|
|
#
?
Jul 19, 2012 04:58
|
|
|
namol posted:What's the consensus on gear/hardware for setting up a small home ccna lab for studying? I've done some poking around on ebay for "CCNA Kits" and a lot of them are coming with 3 switches (2950s) and 2 routers (2610). I'm looking for something that can help me get my ccna but also be usable for the ccnp etc. Does anyone have any recommended sources besides ebay for looking for hardware? If you want to plan for CCNP, you probably want to get at least one Layer-3 switch. The rest you can probably do in GNS3, as was mentioned above.
|
|
#
?
Jul 19, 2012 05:17
|
|
|
Tremblay posted:One thing that is nice with ASDM is the CLI window. If you have a metric fuckton of poo poo you are trying to merge into a new ASA it works better than cut/paste into a Putty session.
|
|
#
?
Jul 19, 2012 23:11
|
|
|
falz posted:What exactly does its CLI do differently? Except require java. It sends the commands line by line, unlike putty which just spews out a bunch of poo poo and loses random lines while the processor on the ASA isn't answering interrupts because it's busy with the last 20 lines. Alternatively there are serial clients which will line buffer and paste over time which also prevents this.
|
|
#
?
Jul 20, 2012 00:40
|
|
|
ragzilla posted:It sends the commands line by line, unlike putty which just spews out a bunch of poo poo and loses random lines while the processor on the ASA isn't answering interrupts because it's busy with the last 20 lines.
|
|
#
?
Jul 20, 2012 01:05
|
|
|
Anyone know anything about an Edgemarc device? We're using it as an edge device for a customer. /30 on the circuit, routing them a /29. The Edgemarc does NAT for a private range just fine, but he wants public devices on the /29 to sit directly off the Edgemarc. Another employee configures these for a separate department. He says "Proxy ARP" has to be setup with the /29 but each IP has to be placed in the range as a /32. Problem is that any device with an IP from the /29 can't access the net with the Edgemarc's /32 as the default gateway. I don't know what to do since I've confirmed routing and made sure all of my Cisco stuff is humming. I'm not exactly sure what to do since it's something I normally don't work with and got stuck with by happenstance. Also I'm worried about the lack of a firewall and a non Cisco device is a security risk.
|
|
#
?
Jul 20, 2012 04:08
|
|
|
aeflux posted:My IOS-fu is weak, maybe you guys can help. I changed numbers here but the concept is the same: Got SB support on the line since it was getting close to deadline. There's the usual VPN setup for this (see falz's post) with a few twists: Applied to the crypto map: code:code:code:
|
|
#
?
Jul 20, 2012 20:03
|
|
|
I'm probably getting ahead of myself, but I'm just studying for the CCNA and wanted to know what happens to UDP traffic in a setup with load-ballancing? UDP doesn't offer any sort of error-recovery or reordering of packets, so if the traffic gets load ballanced over unequal links, how come it doesn't become scrambled on the other end?
|
|
#
?
Jul 21, 2012 14:40
|
|
|
|
| # ? May 15, 2024 00:12 |
|
|
zalmoxes posted:I'm probably getting ahead of myself, but I'm just studying for the CCNA and wanted to know what happens to UDP traffic in a setup with load-ballancing? UDP doesn't offer any sort of error-recovery or reordering of packets, so if the traffic gets load ballanced over unequal links, how come it doesn't become scrambled on the other end? quote:Cisco Express Forwarding (CEF) can perform per-packet or per-destination (actually source/destination IP address pair) load-sharing with no performance degradation (without CEF, per-packet load-sharing requires process switching). Even though there is no performance impact on the router, per-packet load sharing will almost always result in out-of-order packets. The packet reordering might degrade TCP throughput in high-speed environments (in low-speed/few-flows scenarios, per-packet load-sharing actually improves the per-flow throughput) or severely impact applications that cannot survive out-of-order packet delivery, such as Fast Sequenced Transport for SNA over IP or voice/video streams.
|
|
#
?
Jul 21, 2012 15:55
|
|
