Cheers, I'll give that a go next week.

# ? May 13, 2022 21:37

Curious why you're tearing from RFC1918 space without NAT and expecting it to work? Or just checking if the ISP is not doing uRPF, which they do seem to be missing.

# ? May 14, 2022 03:09

That would be pretty weird; every Cisco platform I've seen will default to sourcing from the egress interface if you don't specify what you want as source for locally originated pings.

# ? May 14, 2022 14:36

All of my devices have loopbacks, so they use that. In this case, without one, probs set the 'ip source-interface' command for various things to force a sane default.

# ? May 14, 2022 14:45

I was given an unused Cisco Catalyst 2948G from work a few years ago, and it just sat in my basement. Now I have a new wifi router and my basement cameras aren’t able to connect to the 2.4 network. I was thinking of using the Catalyst to make a basement network, and move my Synology NAS and other things down there. But the age of the Catalyst is off-putting. It went end of life about a decade ago. But it’s a gigabit switch, so I don’t know how much I have to worry. Other than that, I haven’t worked with this kind of equipment before, and don’t know how much configuration I have to do with this thing. Should I use it, or eBay it?

# ? May 14, 2022 22:09

If you're fine with how loud it is, how much power it takes, use it. Also see if they're even selling on eBay at all, if not -> in the bin. And I presume you don't mean a separate basement network? Connect them.

# ? May 14, 2022 22:17

If you don't need a load of managed switch features or 48 ports then buy an 8-port Netgear and enjoy the power savings.

# ? May 14, 2022 22:28

Yeah that’s one of the things I was worried about, but didn’t think about for the switch. Everything else was low power. Thanks.

# ? May 14, 2022 23:23

I once "acquired" an ASA 5505 I've been using as my router/firewall for ages. Makes no noise and I only occasionally have to deal with the utter poo poo that is Cisco firewall configuration. It makes no noise, isn't hot as hell, and has the appropriate number of ports. I've had switches laying around and ebayed every single one of them.

# ? May 16, 2022 16:07

Okay, after doing some struggling with my previous post I got a bit further and think I have a less stupid question:

We have a firewall; its WAN port is basically plug and play. Our old network is fine in this. On the other side of things we have the ISP-provided network termination box. Subnet is .48/30. This is the one that's set by them to be .49/30.

So I have the Cisco in between. g0/0/0 is .50/30 and connects to the termination box. This part is fine. It routes 0.0.0.0/0 to .49. The ISP provided a routed host of .180/30, so I make g0/0/1 .181/30 and set the firewall WAN port to have an IP of .182/30.

My machine plugged into the LAN of the firewall can ping to .181, but even with an ACL to "permit any" on both interfaces I cannot get traffic to go across from the .180/30 subnet to the .48/30 subnet. Am I once again missing something obvious?

If you're wondering why I'm doing this, it's because management didn't want to pay the ISP to rent a router that the ISP sets up and manages, and I've been left to bang my head against metal instead. If you're wondering why not directly plug the termination into the firewall, it's because the Cisco is translating fibre to Cat 5e.

# ? May 24, 2022 15:45

> Tesseraction posted: Okay, after doing some struggling with my previous post I got a bit further and think I have a less stupid question:

If the issue really is that the .180/30 subnet can't reach the .48/30 subnet then I'm pretty sure you can verify that by just doing "ping x.x.x.181 source x.x.x.50" on the Cisco device to see if routing between the two interfaces is blocked for some reason.

When you say ACLs, are you talking about on the router interfaces (G0/0/0 and G0/0/1)? Keep in mind it's stateless, so you'll need to make sure you are allowing ingress and egress on each interface.

Otherwise, if your PC can ping .181 but not .50, either your firewall doesn't know where the .180 network is or your router doesn't know about your internal. ISP > Router > Firewall isn't that uncommon, but if it's just to go from fiber to copper I'd be more inclined to use a managed switch with a fiber port.

Cyks fucked around with this message at 18:02 on May 24, 2022
# ? May 24, 2022 17:54

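The stateless-ACL point in the reply above, as an added example that is not part of the thread: a small Python model of interface ACLs on a router like the ISR described here. The interface names, the 192.0.2.0/24 and 203.0.113.0/24 documentation addresses standing in for the thread's x.x.x ranges, and the ACL contents are all constructed for illustration. It shows why a ping from behind the firewall can leave but never get an answer when only one direction is permitted on each interface, and what the matching inbound/outbound entries look like.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp_type: str  # "echo-request" or "echo-reply"


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, source net, destination net, ICMP type."""
    action: str          # "permit" or "deny"
    src: str             # CIDR network or "any"
    dst: str             # CIDR network or "any"
    icmp_type: str = "any"

    def matches(self, pkt):
        def in_net(addr, net):
            return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
        return (in_net(pkt.src, self.src) and in_net(pkt.dst, self.dst)
                and self.icmp_type in ("any", pkt.icmp_type))


def evaluate(acl, pkt):
    """First matching entry wins; an ACL with no match denies (the implicit deny any)."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False


def forward(acls, ingress, egress, pkt):
    """A stateless router checks the ingress interface's inbound ACL, then the
    egress interface's outbound ACL, with no memory of earlier packets."""
    return evaluate(acls[(ingress, "in")], pkt) and evaluate(acls[(egress, "out")], pkt)


def ping_round_trip(acls):
    """Echo request from the firewall's WAN address out to the internet, and the
    reply coming back. Addresses are constructed (documentation ranges)."""
    request = Packet("192.0.2.182", "203.0.113.10", "echo-request")
    reply = Packet("203.0.113.10", "192.0.2.182", "echo-reply")
    return {
        # firewall side is Gi0/0/1, NTE side is Gi0/0/0 (assumed interface names)
        "request_forwarded": forward(acls, "Gi0/0/1", "Gi0/0/0", request),
        "reply_forwarded": forward(acls, "Gi0/0/0", "Gi0/0/1", reply),
    }


FW_SUBNET = "192.0.2.180/30"  # constructed stand-in for the routed .180/30

# Only the outbound direction was considered: replies hit the implicit deny.
ONE_WAY = {
    ("Gi0/0/1", "in"):  [Ace("permit", FW_SUBNET, "any")],
    ("Gi0/0/0", "out"): [Ace("permit", FW_SUBNET, "any")],
    ("Gi0/0/0", "in"):  [],
    ("Gi0/0/1", "out"): [],
}

# Both directions on both interfaces, with the return path narrowed to echo-replies
# destined for the firewall subnet rather than a blanket permit.
BOTH_WAYS = {
    ("Gi0/0/1", "in"):  [Ace("permit", FW_SUBNET, "any")],
    ("Gi0/0/0", "out"): [Ace("permit", FW_SUBNET, "any")],
    ("Gi0/0/0", "in"):  [Ace("permit", "any", FW_SUBNET, "echo-reply")],
    ("Gi0/0/1", "out"): [Ace("permit", "any", FW_SUBNET, "echo-reply")],
}


if __name__ == "__main__":
    print("one-way ACLs:", ping_round_trip(ONE_WAY))
    print("both-way ACLs:", ping_round_trip(BOTH_WAYS))
```

The model keeps only ICMP so it stays small; on a real IOS extended ACL the return path for TCP sessions is usually handled with the `established` keyword, while ICMP replies still need their own permit entry in the inbound direction.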
Yeah, honestly wondering if that would be the better way to go about it with the switch. As for the ACLs yeah I originally used specific IPs for ingress/egress but after some confusion put in an explicit "deny any" at the bottom and found it was matching packets so went with permit any to see if I was just *that* poo poo at ACLs. It still comes out with no route to destination. The firewall knows that the wan port interface is also to the default route. Now I'm wondering if I need to set a static route to the default route...

# ? May 24, 2022 19:01

A WTF Cisco moment: Firepower 9300 running FTD and FMC managed will honor a static route even if the destination host is in a directly connected network.

# ? May 24, 2022 23:15

Honour it as in it will put it into the route table and if the physical interface drops it will use that route instead, or it will accept the route and ignore the on-link network?

# ? May 24, 2022 23:24

> Thanks Ants posted: Honour it as in it will put it into the route table and if the physical interface drops it will use that route instead, or it will accept the route and ignore the on-link network?

Will ignore on-link and use the static.

# ? May 24, 2022 23:56

> Prescription Combs posted: A WTF Cisco moment:

Is it more specific than the interface netmask?

# ? May 25, 2022 00:11

> Tesseraction posted: Yeah, honestly wondering if that would be the better way to go about it with the switch.

Does the router know how to get to the LAN subnet that your PC is connected to? When you do a "show ip route x.x.x.x" for your LAN network, does the router come back with a path or does it come back with route not in the routing table?

Edit: though I suppose you'd be running NAT on the firewall.

Cyks fucked around with this message at 03:12 on May 25, 2022
# ? May 25, 2022 03:08

Yeah the firewall is doing NAT from a 10./24 network to the .180/30. I did add an explicit static route on the Cisco as a hail-Mary but to no avail. For the time being I've ordered an SFP<->RJ45 converter to see if the direct connection works.

# ? May 25, 2022 09:52

> Tesseraction posted: Yeah the firewall is doing NAT from a 10./24 network to the .180/30. I did add an explicit static route on the Cisco as a hail-Mary but to no avail. For the time being I've ordered an SFP<->RJ45 converter to see if the direct connection works.

Can you do a quick diagram of your setup in draw.io and post a screenshot of it?

# ? May 25, 2022 10:33

Sure:

# ? May 25, 2022 12:19

As a quick test, address your laptop as .182/30 and set the gateway to .181/30, then plug it into the ISR. Do you get traffic both ways?

# ? May 25, 2022 12:50

Also create a loopback interface on the router for testing to rule out issues with the WAN interface.

# ? May 25, 2022 13:01

Just to double check as well, are your two /30s public IP ranges?

# ? May 25, 2022 13:10

Along the same line, are you sure they're routing the fw subnet to the ISR address .50, or did they provide two /30s for redundant equipment attached to the NTE?

# ? May 25, 2022 13:29

> Aware posted: Along the same line, are you sure they're routing the fw subnet to the ISR address .50 or did they provide two /30s for redundant equipment attached to the NTE?

If that's the case try turning on proxy ARP on the router.

# ? May 25, 2022 13:41

> falz posted: Is it more specific than the interface netmask?

The routes were, yes. I thought directly connected always took precedence over statics due to the metric being zero?

E: I've never seen this kind of behavior on ASAs or routers/switches before in the 10+ years I've been in the field.

Prescription Combs fucked around with this message at 15:48 on May 25, 2022
# ? May 25, 2022 15:43

Directly connected do take precedence over static for the same route. Directly connected 10.0.0.0/24 and static 10.0.0.50/32 are not the same route, so in this case, the more specific static 10.0.0.50/32 route will be installed into the routing table. Most specific route, then administrative distance.

Filthy Lucre fucked around with this message at 15:55 on May 25, 2022
# ? May 25, 2022 15:49

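The route-selection rule just stated (most specific prefix first, then administrative distance), as an added example that is not from the thread: a Python route lookup run over the 10.0.0.0/24 connected versus 10.0.0.50/32 static case from the post, and over a constructed version of the ISR's table from earlier in the thread (192.0.2.48/30 and 192.0.2.180/30 standing in for the real x.x.x /30s, with assumed interface names). Administrative distances 0 and 1 are the IOS defaults for connected and static routes.

```python
import ipaddress

# IOS default administrative distances for the two route sources in the thread.
ADMIN_DISTANCE = {"connected": 0, "static": 1}


class Route:
    def __init__(self, prefix, source, next_hop=None, interface=None):
        self.prefix = ipaddress.ip_network(prefix)
        self.source = source
        self.next_hop = next_hop
        self.interface = interface
        self.ad = ADMIN_DISTANCE[source]

    def __repr__(self):
        via = self.next_hop or self.interface
        return f"{self.prefix} [AD {self.ad}] via {via} ({self.source})"


def lookup(table, dest):
    """Pick the route for dest: longest matching prefix wins; among routes with
    the same prefix length the lowest administrative distance wins."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.ad))


def same_subnet_example():
    """The case from the post: a connected /24, a static /32 inside it, and a
    static /24 that duplicates the connected prefix."""
    table = [
        Route("10.0.0.0/24", "connected", interface="GigabitEthernet0/1"),
        Route("10.0.0.50/32", "static", next_hop="10.0.0.254"),
        Route("10.0.0.0/24", "static", next_hop="10.0.0.254"),
    ]
    return {
        "host_50": lookup(table, "10.0.0.50"),  # /32 static beats the connected /24
        "host_7": lookup(table, "10.0.0.7"),    # same prefix: connected (AD 0) beats static (AD 1)
    }


def isr_example():
    """Constructed version of the thread's ISR: two connected /30s plus a default
    route to the NTE. Addresses are documentation ranges, not the real ones."""
    table = [
        Route("192.0.2.48/30", "connected", interface="GigabitEthernet0/0/0"),
        Route("192.0.2.180/30", "connected", interface="GigabitEthernet0/0/1"),
        Route("0.0.0.0/0", "static", next_hop="192.0.2.49"),
    ]
    return {
        "fw_wan": lookup(table, "192.0.2.182"),          # directly connected, Gi0/0/1
        "internet": lookup(table, "203.0.113.10"),       # default route toward the NTE
        "lan_behind_fw": lookup(table, "10.0.0.1"),      # no specific route: default too
    }


if __name__ == "__main__":
    for name, route in same_subnet_example().items():
        print(f"{name}: {route}")
    for name, route in isr_example().items():
        print(f"{name}: {route}")
```

The last lookup in `isr_example` is the point Cyks raised earlier: without a static route for the 10./24 behind the firewall, the ISR sends anything for it out the default route, which only stops mattering because the firewall NATs that network to .182.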
> Filthy Lucre posted: Directly connected do take precedence over static for the same route.

That makes sense. I've been on load balancers and proxies too long, need to do some basics refreshers I guess.

# ? May 25, 2022 15:55

> Tesseraction posted: Diagram

Easy way to tell if the routing is ok in your setup; on your ISR:

    ping .182 source .50
    ping .49 source .181

Your ISR has routes to both as it is directly connected. If the ping from .50 to .182 fails, your firewall doesn't have a route back to .48/30 (or ICMP is being blocked). If the ping from .181 to .49 fails, the NTE doesn't have a route back to .180/30 (or ICMP is being blocked).

# ? May 25, 2022 16:03

Thanks all for the replies, will try those out and get back to you.

> uhhhhahhhhohahhh posted: Just to double check as well, are your two /30s public IP ranges?

Yeah, both are public ranges.

> Aware posted: Along the same line, are you sure they're routing the fw subnet to the ISR address .50 or did they provide two /30s for redundant equipment attached to the NTE?

> SamDabbers posted: If that's the case try turning on proxy ARP on the router.

They claim it's for routing, but I will also try this amongst the other suggestions.

# ? May 25, 2022 16:47

> Prescription Combs posted: That makes sense. I've been on load balancers and proxies too long, need to do some basics refreshers I guess.

In your defence, Firepower is trash.

# ? May 26, 2022 09:11

It is quite the dumpster fire.

# ? May 27, 2022 04:09

Anyone going to be at Live this year?

# ? Jun 10, 2022 23:35

I am. Never been to Live or Vegas.

# ? Jun 10, 2022 23:37

Last time it was in Vegas I did world of wonders for 2 hours, then spent the entire rest of the trip in the poker room.

# ? Jun 10, 2022 23:40

> Sepist posted: Last time it was in Vegas I did world of wonders for 2 hours then spent the entire rest of the trip in the poker room

Same. I think that's why I didn't get chosen to go this year.

# ? Jun 11, 2022 00:07

> Partycat posted: Anyone going to be at Live this year?

Ay, I'll be there. I manage our SX10/Roomkit environment so I'm just going for funsies!

# ? Jun 11, 2022 00:32

Yeah we have like 15 of those. I hate it. I chuck it to our MSP every chance I get.

# ? Jun 11, 2022 00:35

> deong posted: Ay, I'll be there. I manage our SX10/Roomkit environment so I'm just going for funsies!

Much to learn! Have some fun for sure.

Partycat fucked around with this message at 21:04 on Jun 11, 2022
# ? Jun 11, 2022 12:19

So Cisco announced we can start importing catalyst switches into the Meraki dash and manage catalyst switches like Meraki switches. So my question is, why ever buy a Meraki switch?

# ? Jun 15, 2022 06:25