|
Post the ASA config, sanitize the external IPs and account info. Not much to go on there with the info you provided.
|
# ? Jan 29, 2013 22:24 |
|
|
Any reason why only the lowest 24port 3850 is stackable?
|
# ? Jan 29, 2013 22:59 |
|
Zuhzuhzombie!! posted:Any reason why only the lowest 24port 3850 is stackable? Documentation bug; they all support both StackPower and stacking.
|
# ? Jan 30, 2013 00:14 |
|
aquaticrabbit posted:To whomever was asking about the 3850 switches earlier in the thread, Cisco just posted some information: http://www.cisco.com/en/US/products/ps12686/index.html What's interesting about the platform is not that it can be a wireless controller but that it can terminate CAPWAP traffic in a wireless solution in conjunction with a wireless controller. So instead of handling your wireless traffic (backhauling to a WLC in your core) and wired traffic differently, you now can decapsulate it right at the edge of your network and use the same security and QoS policies on both your wired and wireless traffic. Or, in Cisco speak: One policy, one management, one network. ior fucked around with this message at 00:28 on Jan 30, 2013 |
# ? Jan 30, 2013 00:18 |
|
*Edit- VLAN internet issue fixed. Site-to-site VPN will not come up. The other router is a twin of this. Here is the config: REMOVED the spyder fucked around with this message at 09:15 on Jan 30, 2013 |
# ? Jan 30, 2013 00:20 |
|
BelDin posted:I just anticipate that the helpdesk will complain that they have to log in to the CLI in order to execute the commands. You could use an error disable recovery time. It will revert the port to working state after some specific amount of time. It's an imperfect solution, but your setup sounds terrible.
|
# ? Jan 30, 2013 01:26 |
|
Normally I'd expect to see the isakmp config options in a site-to-site VPN tunnel config on an ASA. I also don't think that static route is doing what you want it to do. Edit: This is an example of a basic site-to-site config I turned up earlier in the week with a remote peer from an ASA running 8.2, I believe. There was a NAT exemption that was necessary also, but this is somewhat what the config will look like.

```
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer <remote peer public host>
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp am-disable
!
tunnel-group <remote peer public host> type ipsec-l2l
tunnel-group <remote peer public host> ipsec-attributes
 pre-shared-key <pre-shared-key>
!
!
access-list outside_cryptomap_1 extended permit ip <local network/network mask> <remote network/network mask>
```

GOOCHY fucked around with this message at 01:36 on Jan 30, 2013 |
# ? Jan 30, 2013 01:30 |
|
the spyder posted:object network PATTOCOMCAST This is why traffic doesn't work from the other subnet, change PATTOCOMCAST to be 10.20.0.0/16 the spyder posted:route OutsideComcast 0.0.0.0 0.0.0.0 50.196.x.x 1 And I don't see a crypto map anywhere in your config, unless they changed that in 8.6 you'll need one of those to match the "interesting traffic" as it egresses the Outside interface. Unless you're familiar with ASA CLI I'd recommend opening up ASDM and fixing your VPN from there, it might be easier to just tear it out (the VPN config) and run the wizard from scratch. ragzilla fucked around with this message at 02:17 on Jan 30, 2013 |
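Added example, not code from the thread or from Cisco: a small Python lint that checks a sanitized ASA config for the two faults diagnosed in the posts above, a PAT object that covers only part of the inside address space and a site-to-site peer with no crypto map behind it. The config fragment, object names and peer address are constructed for the example.

```python
import ipaddress
import re

# Constructed, sanitized ASA-style fragment (not the thread's config). It has
# both faults discussed: a PAT object covering one /24 only, and a VPN peer
# with a tunnel-group but no crypto map selecting its interesting traffic.
ASA_BROKEN = """\
object network PATTOCOMCAST
 subnet 10.20.1.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
crypto isakmp enable outside
tunnel-group 203.0.113.10 type ipsec-l2l
"""
# The same fragment plus the crypto map lines GOOCHY's example shows.
ASA_FIXED = ASA_BROKEN + """\
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 203.0.113.10
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
"""

def nat_object_gaps(config, obj_name, internal_subnets):
    """Internal subnets that the named object's subnet does not cover."""
    m = re.search(rf"object network {re.escape(obj_name)}\n\s+subnet (\S+) (\S+)", config)
    if not m:                      # object undefined: nothing is covered
        return list(internal_subnets)
    covered = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    return [s for s in internal_subnets
            if not ipaddress.ip_network(s).subnet_of(covered)]

def vpn_findings(config, peer):
    """Pieces an ASA site-to-site tunnel needs that are missing for this peer."""
    out = []
    if not re.search(rf"^tunnel-group {re.escape(peer)} type ipsec-l2l", config, re.M):
        out.append("no ipsec-l2l tunnel-group for peer")
    if not re.search(r"^crypto isakmp enable \S+", config, re.M):
        out.append("isakmp not enabled on any interface")
    m = re.search(rf"^crypto map (\S+) (\d+) set peer {re.escape(peer)}$", config, re.M)
    if not m:                      # nothing selects interesting traffic for this peer
        return out + ["no crypto map entry sets this peer"]
    name, seq = m.groups()
    if not re.search(rf"^crypto map {name} interface \S+", config, re.M):
        out.append(f"crypto map {name} is not applied to an interface")
    acl = re.search(rf"^crypto map {name} {seq} match address (\S+)", config, re.M)
    if not acl:
        out.append(f"crypto map {name} {seq} has no match address")
    elif not re.search(rf"^access-list {acl.group(1)} extended permit", config, re.M):
        out.append(f"ACL {acl.group(1)} is referenced but not defined")
    if not re.search(rf"^crypto map {name} {seq} set transform-set \S+", config, re.M):
        out.append(f"crypto map {name} {seq} has no transform-set")
    return out

if __name__ == "__main__":
    print(nat_object_gaps(ASA_BROKEN, "PATTOCOMCAST", ["10.20.1.0/24", "10.20.2.0/24"]))
    print(vpn_findings(ASA_BROKEN, "203.0.113.10"), vpn_findings(ASA_FIXED, "203.0.113.10"))
```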
# ? Jan 30, 2013 02:05 |
|
inignot posted:You could use an error disable recovery time. It will revert the port to working state after some specific amount of time. It's an imperfect solution, but your setup sounds terrible. Nope. Every port security incident triggers a cyber security investigation. Welcome to the wonderful world of small business gubment contracting. At least the network is stable now... it used to be much worse.
|
# ? Jan 30, 2013 04:49 |
|
ragzilla posted:This is why traffic doesn't work from the other subnet, change PATTOCOMCAST to be 10.20.0.0/16 I owe you a beer if you're ever in Portland. Thank you. This makes complete sense; in my test lab I built the PAT, here I was going off what the contractor set it as. I swear I stared at this for a good hour today looking for anything like this. My head was exploding, haha. I re-upped the full config. I built the VPN using the wizard and I am familiar with the CLI. It must be the route: if I log in to the ASA and traceroute the router for the second site, it goes straight to my outside interface, not the Site2Site interface. *Fixed- Added a static route to the remote subnet via the site2site link. route Site2site 10.10.0.0 255.255.0.0 10.15.1.100 1 the spyder fucked around with this message at 09:14 on Jan 30, 2013 |
# ? Jan 30, 2013 04:58 |
|
inignot posted:It's an imperfect solution, but your setup sounds terrible. It's a DoD thing; deploy 802.1x or "port-security with sticky mac, violation = shutdown"
|
# ? Jan 30, 2013 05:02 |
|
routenull0 posted:It's a DoD thing; deploy 802.1x or "port-security with sticky mac, violation = shutdown" Yet another reason I'll never work for the government in any technical capacity.
|
# ? Jan 30, 2013 14:30 |
|
ior posted:What's interesting about the platform is not that it can be a wireless controller but that it can terminate CAPWAP traffic in a wireless solution in conjunction with a wireless controller. So instead of handling your wireless traffic (backhauling to a WLC in your core) and wired traffic differently, you now can decapsulate it right at the edge of your network and use the same security and QoS policies on both your wired and wireless traffic. I'm pretty sure you can do this with the newer WLCs and APs without any specific switch requirements. At least, that's what some of my coworkers have been discussing recently.
|
# ? Jan 30, 2013 15:18 |
|
n0tqu1tesane posted:I'm pretty sure you can do this with the newer WLCs and APs without any specific switch requirements. At least, that's what some of my coworkers have been discussing recently. That is called FlexConnect (was H-REAP) and yes, it will switch out the traffic locally, but you will lose a lot of functionality (good QoS, airtime fairness, AVC, fast roaming, etc.). Edit: also it is priced exactly the same as the 3750-X, so no reason not to buy it if you were a 3750-X customer. CAPWAP termination at the switch requires no license (other than IP Base). ior fucked around with this message at 16:18 on Jan 30, 2013 |
# ? Jan 30, 2013 16:15 |
|
Figures. I've just been halfway listening to sales and sales engineers trying to work out those sorts of solutions for customers without putting a WLC at every site. EDIT: How many 3850s will you need at each site? One?
|
# ? Jan 30, 2013 16:24 |
|
n0tqu1tesane posted:Figures. I've just been halfway listening to sales and sales engineers trying to work out those sorts of solutions for customers without putting a WLC at every site. Ouch, that hurts... I'm an SE (*SYSTEMS* Engineer). APs must be directly connected to the 3850, so it depends on your cabling and AP density.
|
# ? Jan 30, 2013 16:35 |
|
Solutions Engineer.
|
# ? Jan 30, 2013 17:29 |
|
Has anyone ever seen the error "Unable to switch, a similar or higher priority condition exists on peer or far-end card" when trying to force a protection switchover on a 15454? I have a ULSR OC12 from Level 3 and it won't let me switch to the work and switches over to the protect whenever it is IS. Once the protect comes up it switches away from the work.
|
# ? Jan 30, 2013 22:56 |
|
FatCow posted:Has anyone ever seen the error "Unable to switch, a similar or higher priority condition exists on peer or far-end card" when trying to force a protection switchover on a 15454? Have you asked level3 if they're showing alarms on their end? Also what conditions do you see on the ports involved?
|
# ? Jan 30, 2013 23:23 |
|
No alarms on either side, all the counters are clear as well. Only conditions are payload related.
|
# ? Jan 31, 2013 00:02 |
|
Powercrazy posted:Yet another reason I'll never work for the government in any technical capacity. It has its places, especially when you move up in classification levels; there has to be an audit trail for security events with manual intervention. Do I understand that sticky-mac can be defeated rather easily? Sure, but hey, they pay me 6 figures+ without a degree, so I won't argue.
|
# ? Feb 1, 2013 00:48 |
|
routenull0 posted:It has its places, especially when you move up in classification levels; there has to be an audit trail for security events with manual intervention. Do I understand that sticky-mac can be defeated rather easily? Sure, but hey, they pay me 6 figures+ without a degree, so I won't argue. I don't know if I should be happy or sad that most of my work comes from a NIST 800-53 checklist. The good news is that we have better security measures than stickies in place. We have MAC filtering and WPA2/PSK on our wireless network! My proposal to use EAP-TLS was shot down as too complicated.
|
# ? Feb 1, 2013 05:15 |
|
I'm once again stumped by my Nexuses' unwillingness to do my bidding. The problem is that I can't get my port-channels to some new ESXi hosts to get/stay up. Config: (identical on both switches) code:
code:
Log file: code:
ESXi config: vSwitch1 vmnic5: vmnic4: teaming: evil_bunnY fucked around with this message at 16:30 on Feb 4, 2013 |
# ? Feb 4, 2013 14:57 |
|
evil_bunnY posted:teaming: This is the General tab, not the Teaming one?
|
# ? Feb 4, 2013 16:19 |
|
ragzilla posted:This is the General tab, not the Teaming one?
|
# ? Feb 4, 2013 16:30 |
|
The default port channel setting in esxi is passive. You've got your ports set to active. Either get rid of that in the switch or do this. http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2034277
|
# ? Feb 4, 2013 17:43 |
|
Nitr0 posted:The default port channel setting in esxi is passive. You've got your ports set to active. Either get rid of that in the switch or do this. If it was 'passive' it'd technically still work. The standard vSwitch just doesn't support LACP period and you'll have to statically configure any etherchannels.
|
# ? Feb 4, 2013 18:48 |
|
I noticed you had "spanning-tree port type edge trunk" on the port channel but not the physical interface. NexusOS may be different than IOS in this regard, but on my 7609s I often have trouble getting a port channel to stay up/up if the interfaces are not provisioned exactly the same as the actual port channel. Maybe help? Dunno. Hope so!
|
# ? Feb 4, 2013 19:58 |
|
1000101 posted:If it was 'passive' it'd technically still work. The standard vSwitch just doesn't support LACP period and you'll have to statically configure any etherchannels. This is a standard vSwitch. Zuhzuhzombie!! posted:Maybe help? Dunno. Hope so! evil_bunnY fucked around with this message at 20:18 on Feb 4, 2013 |
# ? Feb 4, 2013 20:11 |
|
NX-OS should push that down to member ports. It definitely won't come up without a 'channel-group X mode on' though.
|
# ? Feb 4, 2013 20:40 |
|
I had similar issues with setting up an etherchannel to our Fuji network and a few ESX servers as well as HP's switches.
|
# ? Feb 4, 2013 20:40 |
|
Most cases I don't even bother with etherchannel and just go with an originating port ID policy in VMware. It's a simple configuration and I still get some measure of load distribution. It also fails over fairly easy as well.
|
# ? Feb 4, 2013 20:50 |
|
1000101 posted:Most cases I don't even bother with etherchannel and just go with an originating port ID policy in VMware. It's a simple configuration and I still get some measure of load distribution. It also fails over fairly easily as well. I've also seen a case where one of the switches lost the etherchannel on one port (but not the link) and VMware still saw the link status as up, so it blackholed some traffic. Either use probe or originating port ID. I prefer the latter, less to go wrong.
|
# ? Feb 4, 2013 21:07 |
|
Zuhzuhzombie!! posted:I noticed you had "spanning-tree port type edge trunk" on the port channel but not the physical interface. NexusOS may be different than IOS in this regard, but on my 7609s I often have trouble getting a port channel to stay up/up if the interfaces are not provisioned exactly the same as the actual port channel. NX-OS is different, you can't even put commands under the physical interfaces once they join the portchannel (with some exceptions like speed, duplex, etc.). This is a catch for new players because they might set their portchannels as edge ports but not their underlying interfaces, which can be a problem for hosts that are connecting to LACP enabled ports without actually running LACP. The solution is to fully provision your physical interfaces as if they were stand-alone before adding them to a portchannel.
|
# ? Feb 4, 2013 22:21 |
|
1000101 posted:If it was 'passive' it'd technically still work. The standard vSwitch just doesn't support LACP period and you'll have to statically configure any etherchannels.
|
# ? Feb 5, 2013 18:36 |
|
Two 3750s with IPv6 on. p2p between the two on the same subnet. Under IPv6 EIGRP we have redistribute static and connected. No default route. PC has an IPv6 p2p on one switch with corresponding IP address on its interface. Same as the other. PCs can ping each IPv6 address but not each other. Each PC can ping their interface side of the p2p and each other's interface. Two XP machines. We put in one Windows 7 machine that can BE pinged. Put in two Windows 7 machines that could not ping each other (though I had my Firewall turned on). Pings come back to each PC as "deliverable". Traceroutes to each PC do not even show it hitting the p2p interface for the respective PCs. Any ideas? What am I missing? Only outlier is that one switch has a temp license for IPv6 testing, and one interface for PC does not have an IPv4 address on it. Gonna test that now. edit Put two Fedora boxes on the network and can ping across switches and each box under Linux. Lookin like a Windows issue. code:
code:
Zuhzuhzombie!! fucked around with this message at 22:12 on Feb 5, 2013 |
# ? Feb 5, 2013 18:45 |
|
evil_bunnY posted:This allowed me to bring up the channel, but I still don't have any IP connectivity. port-channel load-balance ethernet source-destination-ip on both of your switches. That will probably fix it assuming you're using IP hash. Make sure you do it on both sides. Also make sure your portgroups are setup to tag appropriate vlans.
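Added example, not code from the thread or from Cisco: a Python check over a constructed NX-OS fragment that applies the advice in the two posts above about provisioning members exactly like the port-channel and in this post about load-balance. It flags LACP active/passive members when the host is a standard vSwitch (which needs 'channel-group N mode on'), members missing settings that exist on the port-channel, and a switch load-balance other than source-destination-ip when the host uses IP hash. Interface names, VLANs and the port-channel number are constructed.

```python
# Constructed NX-OS fragment (not the thread's config) showing the faults
# discussed: LACP 'active' toward a standard vSwitch, members missing settings
# that exist on the port-channel, and MAC-based load-balance against IP hash.
NXOS_BROKEN = """\
port-channel load-balance ethernet source-destination-mac
interface port-channel10
  switchport mode trunk
  switchport trunk allowed vlan 10,20
  spanning-tree port type edge trunk
interface Ethernet1/1
  switchport mode trunk
  switchport trunk allowed vlan 10,20
  channel-group 10 mode active
interface Ethernet1/2
  switchport mode trunk
  channel-group 10 mode active
"""

def parse_blocks(config):
    """Map 'interface X' -> its sub-commands; global commands live under None."""
    blocks, key = {None: []}, None
    for ln in config.splitlines():
        if not ln.strip():
            continue
        if ln[0].isspace() and key is not None:
            blocks[key].append(ln.strip())
        elif ln.startswith("interface "):
            key = ln.split(None, 1)[1]
            blocks[key] = []
        else:
            key = None
            blocks[None].append(ln.strip())
    return blocks

def portchannel_findings(config, po_number, host_does_lacp=False):
    """Problems that keep a port-channel to an ESXi standard vSwitch from working."""
    blocks, out = parse_blocks(config), []
    if "port-channel load-balance ethernet source-destination-ip" not in blocks[None]:
        out.append("switch load-balance is not source-destination-ip (vSwitch IP hash)")
    po_cmds = set(blocks.get(f"port-channel{po_number}", []))
    if not po_cmds:
        return out + [f"port-channel{po_number} is not defined"]
    for name, cmds in blocks.items():
        cg = next((c.split() for c in cmds if c.startswith("channel-group ")), None)
        if name is None or not cg or cg[1] != str(po_number):
            continue
        mode = cg[3] if len(cg) > 3 else "on"      # bare 'channel-group N' is static
        if not host_does_lacp and mode != "on":
            out.append(f"{name}: mode {mode} toward a host with no LACP; use 'mode on'")
        for cmd in sorted(po_cmds - set(cmds)):    # provision members like the channel
            out.append(f"{name}: missing '{cmd}'")
    return out

if __name__ == "__main__":
    print("\n".join(portchannel_findings(NXOS_BROKEN, 10)))
```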
|
# ? Feb 5, 2013 18:59 |
|
1000101 posted:port-channel load-balance ethernet source-destination-ip on both of your switches.
|
# ? Feb 5, 2013 19:51 |
|
evil_bunnY posted:Did that already 8( Verify you don't have a portgroup override set to Originating port ID or MAC hash or something. Optionally; since you're on 10GbE you may consider ditching etherchannel and going with originating port ID. Any specific reason you need IP hash? edit: if you're testing with a management portgroup I believe by default it overrides itself to port ID but you can manually flip it.
|
# ? Feb 6, 2013 00:13 |
|
|
Fixed it. Thanks a lot 1000101 and everyone with suggestions.
|
# ? Feb 6, 2013 17:02 |