jwh posted: I'm wondering if someone could help me understand what the limitations are of self-addresses on ASAs. What I mean is, I have an interface on an ASA, and it seems that when I test with / to that address, it plays by a very different set of (largely implied) rules.

I got my first ASA in May; it's not a router, it's a firewall with delusions of grandeur. It was quite a shock to learn my quaint notions of traceroutes and extended ping were worthless. I did find that the packet-tracer command fills the otherwise "ping gets through = it works" role quite nicely though.
# ? Jan 16, 2013 02:32
It's just bizarre (and infuriating) that ASA interfaces and addresses play by an entirely different set of rules. I did discover packet-tracer, which is helpful, though when you see phase 3 denials due to 'implicit rule' and then can't figure out which implicit rule we're talking about, it makes me want to Hulk Smash.
# ? Jan 16, 2013 03:34
jwh posted: It's just bizarre (and infuriating) that ASA interfaces and addresses play by an entirely different set of rules.

Implicit rule means it's hitting the end of the access-list and is then subject to permit/deny based on security level.
# ? Jan 16, 2013 03:42
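To make the implicit rule concrete, here is an added example (not from anyone in the thread; interface names, security levels, addresses and the DMZ host are assumed). An ASA has two distinct defaults. On an interface with no access-group, the security levels decide: traffic may go from a higher level to a lower one and is denied the other way. The moment an access-list is applied to the interface, that list is what decides, and everything it does not explicitly permit falls off its end into an implicit deny, whatever the security levels say; packet-tracer reports that drop in the ACCESS-LIST phase under the same 'Implicit Rule' label jwh mentions, with no line number to look up because there is none. A second thing to know is that traffic addressed to the ASA's own interface address (the self-address case in the first post) is never evaluated against the interface ACL at all; it is accepted or refused by the management commands (icmp, ssh, http, telnet), so the rulebase looks ignored because it genuinely is not consulted for that traffic. The packet-tracer lines at the end are exec-mode commands, not configuration; lines starting with ! are comments.

```cisco
! Added example (ASA 8.4+ syntax); interface names, levels and addresses are assumed.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! DMZ web server published on a public address. Post-8.3 ACLs match the
! real (untranslated) address, but a packet entering on outside still
! carries the mapped one, so packet-tracer below uses 203.0.113.10.
object network DMZ_WEB
 host 192.168.50.10
 nat (dmz,outside) static 203.0.113.10
!
! Applying this list replaces the security-level default on outside:
! anything not permitted here is dropped by the implicit deny at the
! end, which packet-tracer reports as "Implicit Rule".
access-list OUTSIDE_IN extended permit tcp any object DMZ_WEB eq 443
access-group OUTSIDE_IN in interface outside
!
! inside and dmz have no ACL applied, so the level default decides:
! inside(100) -> dmz(50) or outside(0) is permitted,
! dmz(50) -> inside(100) is denied, also shown as an implicit rule.
!
! To-the-box traffic (pinging or SSHing the ASA's own interface address)
! never consults OUTSIDE_IN or any interface ACL; these commands decide:
icmp permit 10.1.1.0 255.255.255.0 inside
icmp deny any outside
ssh 10.1.1.0 255.255.255.0 inside
!
! Exercise each path without sending real packets (exec mode):
! 1. permitted by OUTSIDE_IN line 1
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 443
! 2. dropped: ACCESS-LIST phase, "Implicit Rule" (end of OUTSIDE_IN)
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 22
! 3. dropped: no ACL on dmz, 50 -> 100 is the level default deny
packet-tracer input dmz tcp 192.168.50.10 40000 10.1.1.20 445
! 4. permitted: no ACL on inside, 100 -> 50 is allowed by default
packet-tracer input inside tcp 10.1.1.20 40000 192.168.50.10 22
```

The practical check when you see an 'Implicit Rule' drop is therefore: does the ingress interface have an access-group? If yes, the ACL simply has no matching permit; if no, the security levels are the rule being applied.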
It seems that, at least in some cases, traffic from interface addresses completely ignores the rulebase, unless I'm wrong.
# ? Jan 16, 2013 17:08
After I finish this install I have another one that's been pending for a while with 5585's, and if the Indian guy who got them to buy 5585's instead of a Palo Alto or SRX doesn't come through with the config and I need to muck with ASA's, I'm going to kill him violently.
# ? Jan 17, 2013 03:30
In the DHCP IP Binding table, infinite lease = a statically assigned IP, correct?
# ? Jan 18, 2013 18:00
Zuhzuhzombie!! posted: In the DHCP IP Binding table, infinite lease = a statically assigned IP, correct?

If you restart the equipment you will get a new lease, with a new IP. That's bit me in the arse before!
# ? Jan 18, 2013 19:03
Biggz posted: If you restart the equipment you will get a new lease, with a new IP. That's bit me in the arse before!

No. If you restart the DHCP server then you will lose all the MAC-IP information; then, if the device ever restarts, the server will have no way of knowing which MAC corresponded to which IP. Most DHCP systems will give the same IP to the same MAC address unless there are no free IP addresses left, then it will start overwriting expired MAC-IP leases. If you have an unlimited lease, then once your scope is exhausted the DHCP server will not give out any additional IPs. tl;dr do not use unlimited lease.
# ? Jan 18, 2013 19:46
I don't have any formal Cisco training, but I'm the guy in the shop who knows the most about Cisco, so this is my problem. I'm having a weird issue. I have two point-to-point T1 lines that I'm using as a 3 Mb WAN link between two of my customer's offices. I'll admit right away that I just copied the settings from another customer's multilink config and tried to make them the same. The problem is I'm getting craploads of CRC and input errors on both serial interfaces. AT&T has tested the lines several times and says the problem is customer premise equipment. I called Cisco and they had me perform loopback tests on the WIC cards, and we certified our demarc extensions with the fancy cable tester we have. I noticed during the loopback test that when we only had one T1 line connected and I cleared the counters, errors didn't increment on the serial line that was connected. Also, packet loss on my ping -t dropped off a lot. When I put the original settings back and connected the 2nd T1, the errors began immediately, in the 10000s every minute. I'm thinking there must be something wrong with my config, though the Cisco engineer said that the config shouldn't cause that kind of error. Here's what I've got on the interfaces. Main site, Cisco 2911 with a HWIC-4T1/E1:
code:
# ? Jan 18, 2013 21:33
Show your 'show controller t1' output.
# ? Jan 18, 2013 22:12
Thanks for the quick response, here's my show controller t1:
code:
# ? Jan 18, 2013 22:16
On the 2911:
code:
# ? Jan 18, 2013 22:27
It's about a 100 ft run on the 2911. On the 1941 we're using 3 ft patch cables. All are crimped 568-B, if that matters, and all cables have been certified for Gigabit speeds.

edit: Wow, that seems to have helped a lot. I could have sworn that I tried adding that line, but maybe I was trying to add it to the serial interface rather than the controller. I'll let this stew over the weekend, but it looks like that might have done it. Thanks for the help!

Cheech Marinade fucked around with this message at 22:35 on Jan 18, 2013
# ? Jan 18, 2013 22:31
RabidFurby posted: It's about a 100 ft run on the 2911. On the 1941 we're using 3 ft patch cables. All are crimped 568-B, if that matters, and all cables have been certified for Gigabit speeds.

On any T1 there has to be a clock source to keep sync. Either from the near end or far end, but it has to be there.
# ? Jan 18, 2013 23:08
RabidFurby posted: It's about a 100 ft run on the 2911. On the 1941 we're using 3 ft patch cables. All are crimped 568-B, if that matters, and all cables have been certified for Gigabit speeds.

I recommend setting 'cablelength short' on those T1 controllers as well if the T1s are <133 ft.
# ? Jan 18, 2013 23:17
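Putting the two replies above (clock source, cablelength) together, here is an added controller and multilink configuration for one end of the link; it is an illustration, not the poster's actual config, and the slot numbers, framing/linecode, addresses and the 100 ft loop are assumed. The same stanza goes on both routers: for a carrier-provided T1 both ends take clock from the line, and only a back-to-back T1 between two routers uses `clock source internal` on exactly one side. The verification lines at the end are the counters that should stop moving once clocking and cablelength are right.

```cisco
! Added example; slot numbers, framing, addresses and the 100 ft loop are assumed.
card type t1 0 0
!
controller T1 0/0/0
 framing esf
 linecode b8zs
 clock source line
 cablelength short 133
 channel-group 0 timeslots 1-24
!
controller T1 0/0/1
 framing esf
 linecode b8zs
 clock source line
 cablelength short 133
 channel-group 0 timeslots 1-24
!
! One bundle over both T1s; the far end mirrors this with 10.255.0.2.
interface Multilink1
 ip address 10.255.0.1 255.255.255.252
 ppp multilink
 ppp multilink group 1
!
interface Serial0/0/0:0
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
!
interface Serial0/0/1:0
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
!
! Verification:
!   show controllers t1 0/0/0   - "Clock Source is Line", no loss of frame/signal;
!                                 after "clear counters", line code and path code
!                                 violations should stay at 0
!   show interfaces serial0/0/0:0 - input errors / CRC should stop incrementing
!   show ppp multilink          - both member links listed as active in Multilink1
```

A clocking mismatch between the two controllers on the same card, or a controller left at the default long-haul cablelength on a short in-building run, shows up as exactly the CRC/input error pattern in the thread, and it only appears once the second T1 is connected because a single link can free-run.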
quote: then if the device ever restarts, the server will have no way of knowing which MAC corresponded to which IP

Isn't this what I said? In a simplified way.
# ? Jan 19, 2013 00:42
Biggz posted: Isn't this what I said? In a simplified way.

The server will store MAC-to-IP info, even if the device is restarted, so you'll get the same IP. But if anything ever happens to the DHCP server then you'll lose all your leases.
# ? Jan 19, 2013 06:30
Powercrazy posted: The server will store MAC-to-IP info, even if the device is restarted, so you'll get the same IP. But if anything ever happens to the DHCP server then you'll lose all your leases.

I made the assumption that this was for Cisco devices, and it could very well be different for higher end gear. I've mainly worked on 2800 ISRs and Catalyst switches. With the 2800s at least, if I just have a DHCP pool with an infinite lease, the ISR won't remember the lease through a restart unless I create a manual binding.

    ip dhcp pool whatever
     host 192.168.1.25 255.255.255.0
     client-identifier 01b7.0813.8811.66
     default-router 192.168.1.1
# ? Jan 19, 2013 10:48
Biggz posted: I made the assumption that this was for Cisco devices, and it could very well be different for higher end gear. I've mainly worked on 2800 ISRs and Catalyst switches. With the 2800s at least, if I just have a DHCP pool with an infinite lease, the ISR won't remember the lease through a restart unless I create a manual binding.

    nooslost(config)#ip dhcp database flash:/dhcp.db
# ? Jan 19, 2013 10:54
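The three DHCP posts above (lease exhaustion, the manual binding, the database agent) fit together as one IOS DHCP configuration, given here as an added example rather than anyone's actual config; the pool names, subnet, DNS server, MAC and file name are assumed. Ordinary clients get a finite lease so addresses can be reclaimed; the one host that must keep its address gets a manual binding, which is configuration rather than a lease and so needs no database to survive a reload; and the database agent writes the dynamic bindings to flash so the router keeps its MAC-to-IP memory across a restart.

```cisco
! Added example; names, subnet, MAC and file name are assumed.
! Dynamic bindings are written to flash so a reload does not forget which
! MAC had which address (write-delay is seconds between writes).
ip dhcp database flash:/dhcp.db write-delay 120
ip dhcp excluded-address 192.168.1.1 192.168.1.20
!
! Ordinary clients: 8 hour lease, so addresses of departed clients expire
! and can be reused. "lease infinite" here would mean nothing ever expires:
! once every address has been handed out once, the pool is dry for good.
ip dhcp pool LAN
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 192.168.1.10
 lease 0 8
!
! The host that must always get 192.168.1.25: a manual binding keyed on the
! client identifier (01 + MAC for Ethernet). Being configuration, it is
! there after a reload with or without the database agent.
ip dhcp pool PRINTER-25
 host 192.168.1.25 255.255.255.0
 client-identifier 01b7.0813.8811.66
 default-router 192.168.1.1
!
! Verification:
!   show ip dhcp binding     - lease "Infinite" with Type "Manual" is the binding above;
!                              a date with Type "Automatic" is a dynamic lease from LAN
!   show ip dhcp database    - agent URL and time of the last successful write
!   show ip dhcp pool LAN    - "Leased addresses" against the pool size; if they
!                              match and nothing expires, the scope is exhausted
```

This also answers the earlier question about the binding table: "Infinite" on its own does not mean static; the Type column does, since a dynamic pool with `lease infinite` also shows Infinite.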
ior posted: nooslost(config)#ip dhcp database flash:/dhcp.db

(thanks!)
# ? Jan 19, 2013 16:52
Just swapped a sup720-3bxl with a RSP720-3cxl-10ge. IPv6 here I come!
# ? Jan 20, 2013 05:43
What is some pro kit for a Cisco lab? I got rid of all the old poo poo and I'm hesitant to go 15.x because everything is licensed and I just want to load Advanced IP Services and call it a day. Will 3825's run 12.x?
# ? Jan 20, 2013 07:20
teh z0rg posted: What is some pro kit for a Cisco lab?

15.x gear is licensed with RTU licensing (right to use). Just input what you need, accept the EULA, reload and off you go.
# ? Jan 20, 2013 12:34
teh z0rg posted: Will 3825's run 12.x?
# ? Jan 20, 2013 15:25
teh z0rg posted: What is some pro kit for a Cisco lab?

Licensing models seem to be tied to platform rather than to software version. Of Cisco's router lineup, it's only the newer x900 routers that require license files to activate features, as they only have the universal IOS images. Probably all of the x800 don't have any of the license file requirements, even in their 15.x versions. Basically, if the IOS image file is not a universal image, then it's not going to require license files. Curiously, the newer 3750s seem to have universal and non-universal images in both their 12.2 and 15.0 versions, although this might just be so that they can be compatibly stacked with older 3750s. Even then, I've gotten 3750 stacks working with one 3750 with a universal image and an IP Base license and the other with an IP Base image.
# ? Jan 20, 2013 15:45
chestnut santabag posted: Licensing models seem to be tied to platform rather than to software version.

None of these require license codes/files anymore (not even the universal ones). Read up on RTU licensing.

ior posted: 15.x gear is licensed with RTU licensing (right to use). Just input what you need, accept the EULA, reload and off you go.
# ? Jan 20, 2013 16:53
Cool thanks. It's amazing what you can get on Ebay nowadays.
# ? Jan 20, 2013 18:25
So what are you choosing for your gear? I've got a few 1800's, some 2600's, a couple of 3560's and a couple of 3550's and 2950's. Good enough to run frame relay, but I want to get back into service provider design. Enterprise switching/routing is boring as gently caress. Anyone have any good connections for ISPs I should look at?
# ? Jan 20, 2013 21:01
I'm running JUNOS in the core on an M7i split into 16 routers via logical-systems. The ciscos will be primarily edge along with some SRX and other things. I'm simply looking to replace my 2691s with some 38xx devices maybe to go along with my 2811 with CME. I have a 3550 and need to get two more switches since I gave my 2950s away. I'm thinking maybe another 3550 and an EX2200. I wish Juniper would push virtual chassis to the 2200 series even if only in a limited format with say 2 uplinks dedicated to VCP. I can't justify the price of EX4200's in a lab just for VC. Then I swap out my DL360g5 with a DL380G6 with two 6 core xeons and BOOM. Done with the lab for a few more years. I'd like to drop in a small Netapp but I have no idea where to even start with that.
# ? Jan 20, 2013 21:15
Does anyone have any info on the 3850 Catalyst Switches yet?
# ? Jan 21, 2013 07:41
Powercrazy posted: Enterprise switching/routing is boring as gently caress.
# ? Jan 21, 2013 08:29
adorai posted: As someone who runs an enterprise WAN, this is a good thing. I literally add the site to OSPF area 0, and move on with my life.

I set up an MPLS cloud for a shared customer services cloud. It was really cool and I got to actually play with BGP VPN, learn a lot about VRFs and other SP cloud technologies. Maybe I'll call up my old account team at AT&T.
# ? Jan 21, 2013 09:52
nzspambot posted: Does anyone have any info on the 3850 Catalyst Switches yet?

If they do it is under NDA; wait until Cisco Live London.
# ? Jan 21, 2013 12:00
I work for an electronics recycler and we had a 7604 with two supervisors and an X6148A fall into our laps recently. How do I get this thing to route internet through the 6148 just so I can test the ports? Right now I just get solid orange lights on all the 6148's ports no matter what I connect, but it passes the minimal diagnostics and appears to be available through the console. I'm pretty much a Cisco neophyte, so any help would be appreciated. running-config:
code:
# ? Jan 21, 2013 17:24
TheQat posted: I work for an electronics recycler and we had a 7604 with two supervisors and an X6148A fall into our laps recently. How do I get this thing to route internet through the 6148 just so I can test the ports? Right now I just get solid orange lights on all the 6148's ports no matter what I connect, but it passes the minimal diagnostics and appears to be available through the console. I'm pretty much a Cisco neophyte, so any help would be appreciated.

    conf t
     interface range gig1/1 - 48, gig2/1 - 48, gig3/1 - 48
      no shut
     exit
    exit
    wr

Now it's a big stupid switch. Also, give us the output of "show mod".
# ? Jan 21, 2013 17:32
ior posted: conf t

Thanks so much, that worked perfectly. Show mod was:
code:
# ? Jan 21, 2013 17:37
Someone sell me a 6503-E with 720 sup. on the cheap.
# ? Jan 21, 2013 18:03
I got this thread going: http://forums.somethingawful.com/showthread.php?threadid=3529511 about my MARS PSU, if you fellas have a moment.

We're also having some issues with traffic from our VoIP VLAN hitting some of our data VLAN members. Run Wireshark on my PC's NIC and I can see SIP traffic, handshakes, phone numbers, etc. We're thinking it has to do with all of our trunks on this network using the data VLAN as their native VLAN and that this VoIP traffic is bleeding over. Cisco seems to agree. Would the solution to this be performing a switchport trunk native vlan # on each trunk, with # being a VLAN not in use? Currently no trunk is provisioned like this, so I assume its native VLAN is either our data VLAN or VLAN 1. Would each trunk need its own native VLAN or could each trunk use the same? Say, create VLAN 99 for all of them, or 99, 100, 101, etc. for each trunk on the network?
# ? Jan 21, 2013 18:24
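As an added configuration note on the native VLAN question (not a reply from the thread; switch model, VLAN numbers and port names are assumed): the native VLAN only needs to be a VLAN with no hosts in it, and the same unused VLAN can serve every trunk in the network. What must agree is the native VLAN on the two ends of each individual trunk; a mismatch is logged as a CDP native VLAN mismatch and effectively bridges the two VLANs together, which is the classic untagged-frame hopping problem. Tagging the native VLAN as well removes the untagged path from the trunk entirely. Phones should sit on access ports with a voice VLAN, not on trunks. Whether this is what was putting SIP on the data VLAN is for the capture to show; these settings close the untagged path either way.

```cisco
! Added example; VLAN numbers, platform (3560/3750-class) and port names are assumed.
vlan 10
 name DATA
vlan 20
 name VOICE
vlan 999
 name NATIVE-UNUSED
!
! Every trunk, configured identically on the far end of each trunk:
! a native VLAN that carries no hosts, only the VLANs that belong on it,
! and no DTP negotiation.
interface range GigabitEthernet1/0/47 - 48
 description uplink
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
! Tag native-VLAN frames too, so nothing leaves a trunk untagged
! (global; set on both ends, or the untagged side drops the tagged frames).
vlan dot1q tag native
!
! Phone ports: data VLAN untagged, voice VLAN tagged (advertised via CDP/LLDP-MED).
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
!
! Verification:
!   show interfaces trunk          - Native vlan column reads 999 on both ends
!   show vlan dot1q tag native     - global native tagging enabled
!   show mac address-table vlan 20 - phone MACs appear here, not in VLAN 10
!   show cdp neighbors detail      - no "Native VLAN mismatch" messages
```

Pick one value (VLAN 99 in the question is fine) and use it everywhere; separate native VLANs per trunk buy nothing and make the mismatch check harder.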
teh z0rg posted: I wish Juniper would push virtual chassis to the 2200 series even if only in a limited format with say 2 uplinks dedicated to VCP. I can't justify the price of EX4200's in a lab just for VC.

The latest JUNOS build allows you to make a VC of up to 4x EX2200 switches, FYI. You pick how many gig ports to use as uplink ports.
# ? Jan 21, 2013 18:25
madsushi posted: The latest JUNOS build allows you to make a VC of up to 4x EX2200 switches, FYI. You pick how many gig ports to use as uplink ports.

No poo poo? I wonder why they don't advertise it. WELP. Looks like I'm going EX2200 in the lab.
# ? Jan 21, 2013 18:41