|
Biggz posted:I'm still trying to get my head around this, but in the following example should it "share" the WAN connection, upstream at least, between the three ACLs? If you apply it to the right interface, yes.
|
# ? Jun 24, 2007 17:26 |
|
Biggz posted:policy-map WAN Don't use 'priority', that turns on the low-latency queuing (LLQ) behavior, which you don't want. Packet throughput for that class above the configured LLQ rate will be dropped. You want 'bandwidth percent 33' or something similar. However, like I mentioned previously, the problem is that these percentages are percentages of the reported interface bandwidth, which is not necessarily the actual throughput of the interface (i.e., your cisco is connected to a 10mbit ethernet interface, but your cable modem will only push 6mbit, or whatever). That's the problem with queuing on residential broadband.
|
# ? Jun 24, 2007 18:20 |
|
My WAN interface is Fast Ethernet so the percentages will split based on the speed of 100Mbit? The command "bandwidth" in "int fa4" lets me set a value, but is this assumed to be the same in upstream and downstream? I have 10MBit down, and 512Kbit up. If I set that to "bandwidth 512" this would, I assume, limit the downstream to that as well. In that case, could I get around this by giving the minimum bandwidth values as follows. code:
|
# ? Jun 24, 2007 19:08 |
|
Biggz posted:So in theory should this prioritize web traffic (or whatever matches in the 102 ACL) above everything else Hell no. Read up on how the priority queues work with CBWFQ. You won't be able to allocate this much into a PQ for starters (or shouldn't be able to). You want to use the priority queue for the "must be sent first" traffic then split the bandwidth that's remaining amongst the other queues using "police" or "shape". You'll also have to put a "max bandwidth allocated 100 percent" on the interface so you can allocate all of it (I forget the default maximum and the exact command - cisco.com).
|
# ? Jun 24, 2007 23:54 |
|
Biggz posted:My WAN interface is Fast Ethernet so the percentages will split based on the speed of 100Mbit? Biggz posted:The command "bandwidth" in "int fa4" lets me set a value, but is this assumed to be the same in upstream and downstream? I have 10MBit down, and 512Kbit up. If i set that to "bandwidth 512" this would, I assume, limit the downstream to that as well. Short answer, the bandwidth command isn't very useful for you. Biggz posted:In that case, could I get around this by giving the minimum bandwidth values as follows. This is all off the top of my head, so there's bound to be some problems with the following: code:
edit: By the way, you realize that none of this is going to prevent one of your housemates from clobbering your downstream bandwidth, right? Once the packet is on the wire, inbound, the only decision you can really make is whether to throw it away or not. Fancy high-end gear can do inbound service-policies, but I don't think most lower end or ISR line can. Could be wrong about that, but the fact is, what you're really doing here is just ensuring that your TCP ACKs make it out the door. Also, you may want to tinker with the queue depth(s), as the defaults might be too large for you (40 packets per-class sounds familiar). Also, you might want to put random-detect on each class, which can be done by adding a 'random-detect' command to each class under the 'policy-map wan section'. Before you do that, read about random-detect first. Korensky posted:(i forget the default maximum and the exact command - cisco.com) jwh fucked around with this message at 04:38 on Jun 25, 2007 |
# ? Jun 25, 2007 04:31 |
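Putting jwh's advice together as an added example (not Biggz's or jwh's own config): a parent policy shapes FastEthernet4 down to the real upstream rate, so the child policy's percentages apply to that rate rather than to the 100 Mbit/s the interface reports. The ACL numbers, class names, rates and queue depths are my own assumptions, and max-reserved-bandwidth is the interface command Korensky was reaching for on pre-HQF IOS.

```cisco
! Constructed classifiers: small TCP ACKs (so downloads keep flowing) and web traffic.
access-list 101 permit tcp any any ack
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq 443
!
class-map match-all ACKS
 match access-group 101
 match packet length max 64
class-map match-all WEB
 match access-group 102
!
! Child policy. Percentages here are of the PARENT shape rate (480 kbit/s below),
! not of the 100 Mbit/s that "bandwidth" on a FastEthernet reports.
policy-map WAN-QUEUES
 class ACKS
  ! LLQ: sent first, but policed to this share under congestion (jwh's warning),
  ! so keep it small and reserve it for traffic that must go out first.
  priority percent 15
 class WEB
  ! CBWFQ guarantee: a minimum share that may borrow idle bandwidth, unlike priority.
  bandwidth percent 40
  ! Shallower queue than the default so a backlog drops rather than adding latency.
  queue-limit 20
  random-detect
 class class-default
  bandwidth percent 30
  queue-limit 20
  random-detect
!
! Parent policy: shape slightly below the 512 kbit/s uplink so the queue forms on the
! router, where the child policy can act on it, and not inside the cable modem.
policy-map WAN-SHAPE
 class class-default
  shape average 480000
  service-policy WAN-QUEUES
!
interface FastEthernet4
 ! Default reservable share is 75 percent; raise it so 15 + 40 + 30 is accepted.
 max-reserved-bandwidth 100
 service-policy output WAN-SHAPE
```

As jwh notes, this only governs what leaves the router; inbound traffic can at best be dropped, so the downstream still depends on the ACKs getting out.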
|
quote:! For some reason this is just not clicking in my head. Only using FTP on VLAN2 and all the traffic is being identified by the "ip any any" yet I have, what I thought, was the correct statements for FTP above it. If I remove the "ip any any" then I lose any connectivity on the VLAN. Would someone point out the obvious to me as why no entries are being matched except the one.
|
# ? Jul 2, 2007 13:26 |
|
Are you sure you don't want "ip access-group vlan2 out" instead of "in"?
|
# ? Jul 2, 2007 15:28 |
|
jwh posted:Are you sure you don't want "ip access-group vlan2 out" instead of "in"? 40 permit tcp any host 10.18.22.10 eq ftp (16 matches) Well changing it to out seems to resolve the issue but just confused me. When the ACL on an interface is set to IN does it not compare the INBOUND traffic against it? So if I connected via FTP it would scan my packets prior to hitting the server and match it to the FTP part of the ACL. Thanks jwh! karttoon fucked around with this message at 15:47 on Jul 2, 2007 |
# ? Jul 2, 2007 15:36 |
|
It's from the perspective of the interface, if that's what you're asking, not flow direction from a nat inside / outside perspective. edit: Also remember FTP is stupid, and active mode likes to server-initiate the data channel, which it sounds like you might be running into. Try passive mode ftp, which is less of an abomination. jwh fucked around with this message at 22:25 on Jul 2, 2007 |
# ? Jul 2, 2007 16:02 |
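The direction point above, as an added example (not karttoon's or jwh's config). It assumes the FTP server 10.18.22.10 sits on VLAN2 and clients reach it through the router's SVI from other VLANs, so client-to-server packets leave the router on Vlan2; the list name vlan2-in, the log keyword and the active-mode lines are my additions.

```cisco
ip access-list extended vlan2
 remark Direction is relative to the router interface, not to the client.
 remark A client SYN to port 21 EXITS the router on Vlan2, so this list goes OUT.
 permit tcp any host 10.18.22.10 eq ftp
 remark Active mode: the server opens port 20 toward the client; the client's
 remark replies come back to port 20 with ACK set, which "established" matches.
 permit tcp any host 10.18.22.10 eq ftp-data established
 deny ip any any log
!
ip access-list extended vlan2-in
 remark Applied IN on Vlan2: only packets FROM the server enter here, so the
 remark FTP port is now the SOURCE port and "eq ftp" must follow the source.
 remark With "eq ftp" after the destination, nothing matched except the final
 remark "ip any any" line, which is what karttoon saw.
 permit tcp host 10.18.22.10 eq ftp any established
 permit tcp host 10.18.22.10 eq ftp-data any
 deny ip any any log
!
interface Vlan2
 ip access-group vlan2 out
 ip access-group vlan2-in in
```

Check with show ip access-lists after an FTP session: the hit counters should now land on the port-21 and port-20 lines instead of the catch-all.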
|
Has anyone figured out a way to get the Vista VPN client to cooperate with a PIX (in my case a 515E)? Vista dropped support for mschapv1, and unless I'm crazy, I don't see mschapv2 as an option for auth for a PPTP VPN on the 515Es. I've tried every combination of PAP (ugh) and CHAP on the PIX and on the client, but no dice. Maneki Neko fucked around with this message at 17:58 on Jul 2, 2007 |
# ? Jul 2, 2007 17:55 |
|
I have a semi-obscure IOS error message. I'm not sure if it will affect anything large scale but I want to be sure before propagating the error throughout our lab's management network. We use terminal servers to access all the devices in the lab. The servers are old school 2511 routers. We have 16 port async on each one, and we add a device using the ip host command. code:
However, when I do a show host command I get a strange error message: quote:rcdspterm-6#show host I'm not sure what the stuff in quotes means and CCO isn't much help. Anyone know? e: ah I just figured it out. 'ip domain-name' was the command I was looking for heh. Oh well. ate shit on live tv fucked around with this message at 21:37 on Jul 3, 2007 |
# ? Jul 3, 2007 21:35 |
|
Wanted to post in here and let you fellow Cisco goons know that if you've got any Cisco stuff you want to buy or sell, let me know. I'm the Cisco broker for a company that sells used networking equipment. I get a pretty good discount on new stuff. I can't really sell IOSs or SMARTnet, but if you're looking for hardware, let me know via PM or AIM and I'll see what I can do. Ok, I hope that wasn't too spammy. Onto my question: I recently purchased 3 WS-X6704-10GE blades. While trying to install the WS-F6700-DFC3B daughter boards I noticed the heatsinks on the boards were too tall to allow the board to sit right on the standoffs. Has anyone ever had/heard of an issue like this? I know for a fact that daughter board works with that blade!
|
# ? Jul 4, 2007 03:25 |
|
M@ posted:Wanted to post in here and let you fellow Cisco goons know that if you've got any Cisco stuff you want to buy or sell, let me know. I'm the Cisco broker for a company that sells used networking equipment. I get a pretty good discount on new stuff. I can't really sell IOSs or SMARTnet, but if you're looking for hardware, let me know via PM or AIM and I'll see what I can do. I've installed lots of those, and the only thing I can say is are you sure you are installing it right? There isn't anything that tricky about installing the daughterboards, except that the screws suck.
|
# ? Jul 4, 2007 04:17 |
|
M@ posted:I recently purchased 3 WS-X6704-10GE blades. While trying to install the WS-F6700-DFC3B daughter boards I noticed the heatsinks on the boards were too tall to allow the board to sit right on the standoffs. Has anyone ever had/heard of an issue like this? I know for a fact that daughter board works with that blade! All I can suggest, without seeing pictures of your exact problem, is to remember that even though there are 2 rows of connectors for the DFC/CFC on the 6704, the DFC's only use the lower row and don't touch the upper row.
|
# ? Jul 4, 2007 09:51 |
|
M@ posted:I recently purchased 3 WS-X6704-10GE blades. While trying to install the WS-F6700-DFC3B daughter boards I noticed the heatsinks on the boards were too tall to allow the board to sit right on the standoffs. Has anyone ever had/heard of an issue like this? I know for a fact that daughter board works with that blade! Why not just save yourself the hassle and order the 6704 with the daughterboard pre-installed?
|
# ? Jul 4, 2007 10:42 |
|
atticus posted:Why not just save yourself the hassle and order the 6704 with the daughterboard pre-installed? Well I already had the 6704s so it was just a matter of buying some used daughter boards and installing them. This is the one where the heatsink fell off, but it also illustrates how it's a tad bit taller than the standoff. Linked for size
|
# ? Jul 4, 2007 19:30 |
|
M@ posted:I recently purchased 3 WS-X6704-10GE blades. While trying to install the WS-F6700-DFC3B daughter boards I noticed the heatsinks on the boards were too tall to allow the board to sit right on the standoffs. Has anyone ever had/heard of an issue like this? I know for a fact that daughter board works with that blade!
|
# ? Jul 5, 2007 04:48 |
|
One thing has always annoyed me with access-lists on cisco gear, namely editing them. I'm aware that I can add / remove lines from it, but what about remarks, they are not numbered, so I guess it can't be done without cut 'n' pasting the whole thing. Any suggestions?
|
# ? Jul 5, 2007 09:58 |
|
ior posted:One think has always annoyed me with access-lists on cisco gear, namely editing them. No sir, it's been either Text Pad, or VI for me for ages. Maneki Neko posted:
What OS version is on the 515? Is there a reason to stick with PPTP over L2TP? I have the Vista client using MSCHAP v2 handing auth over to AD via radius, but with L2TP, using PIX 7.2.2(19). I have to have a two factor auth system on ras to pass audits, whether with computer certs or pre-shared keys to get a phase 1 sa up so I can actually send the real user auth through. Something to consider sir.
|
# ? Jul 5, 2007 15:57 |
|
I'm having a bit of trouble getting intra-vlan routing working. Cisco devices in question are a PIX 515 functioning as a router-on-a-stick, and two Catalyst 2950s. Gliffy diagram: PIX config Right switch config I didn't publish the other switch's config as it's pretty similar to the above. The two IP Office switches and the VM Server are the only devices on vlan101. I can communicate between vlan101 hosts just fine, but I can't get any traffic from one vlan to the other. Both can get out to the internet just fine, as long as I'm using external DNS servers for my vlan101 hosts since they can't use mine So, what am I doing wrong here? Is it a security issue? Mierdaan fucked around with this message at 16:46 on Jul 5, 2007 |
# ? Jul 5, 2007 16:43 |
|
Mierdaan posted:I'm having a bit of trouble getting intra-vlan routing working. Cisco devices in question are a PIX 515 functioning as a router-on-a-stick, and two Catalyst 2950s. You need to define the allowed VLANs on the trunk. edit: wait, what? So the problem is that "you can't get any traffic from one vlan to the other" - I thought the only VLAN you were concerned about was VLAN101...? Care to clarify a bit more? For defining allowed vlans: code:
atticus fucked around with this message at 17:20 on Jul 5, 2007 |
# ? Jul 5, 2007 17:10 |
|
atticus posted:You need to define the allowed VLANs on the trunk. I am under the impression that all vlans are allowed across a trunked switchport unless explicitly pruned or enumerated. At least this is my experience on all COS/IOS switches. Then again this may be something new, I am part cobwebs. I think I ran into a similar issue as the fellow with the problem, but I haven't used pix os 6.x in a while. code:
Or this one for that matter. code:
Having said that, if things are still not working... Pull off your nat exclusion (nat 0) rules first. After all you just want to establish communication between the two networks. Whether through NAT or non-NAT you should be able to get across. Herv fucked around with this message at 17:32 on Jul 5, 2007 |
# ? Jul 5, 2007 17:24 |
|
atticus posted:You need to define the allowed VLANs on the trunk. Sorry; what I mean is that I can't ping any device on vlan1 from vlan101, nor vice-versa. Communication between all vlan1 hosts is fine, and communication between all vlan101 hosts is fine, it's just communication between the two vlans that isn't working. Does that still point to trunking issues? I'd assume I'd have much bigger issues if there was something wrong with the trunk between the two catalysts.
|
# ? Jul 5, 2007 17:25 |
|
Mierdaan posted:Sorry; what I mean is that I can't ping any device on vlan1 from vlan101, nor vice-versa. Communication between all vlan1 hosts is fine, and communication between all vlan101 hosts is fine, it's just communication between the two vlans that isn't working. If you can get web traffic with an external DNS server, you do not have a layer 2 problem sir. Edit: got off my rear end and logged into a 3750, here's what a trunk config shows:

interface GigabitEthernet1/0/24
 description TRUNK_TO_2950-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 mls qos trust cos
 no mdix auto

Here's what the switchport shows with allowed vlans:

Name: Gi1/0/24
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Herv fucked around with this message at 17:31 on Jul 5, 2007 |
# ? Jul 5, 2007 17:26 |
|
Herv posted:I am under the impression that all vlans are allowed across a trunked switchport unless explicitly pruned or enumerated. At least this is my experience on all COS/IOS switches. Yeah actually you're right... From reading his post that says "getting traffic from one VLAN to the other" I'm not sure what he means. In any case I don't think 2950's can do MLS, and I don't think a PIX can either. Someone correct me if I'm wrong please because my experience with PIX/ASA is very very very limited. edit: doh 2950's can! atticus fucked around with this message at 17:29 on Jul 5, 2007 |
# ? Jul 5, 2007 17:26 |
|
Mierdaan posted:Sorry; what I mean is that I can't ping any device on vlan1 from vlan101, nor vice-versa. Communication between all vlan1 hosts is fine, and communication between all vlan101 hosts is fine, it's just communication between the two vlans that isn't working. is the native VLAN the same on both sides of the trunk? atticus fucked around with this message at 17:36 on Jul 5, 2007 |
# ? Jul 5, 2007 17:27 |
|
Herv posted:Did you exclude those from the posted config? If not there's your starting point. I can find that line (you posted identical access-groups?) in the posted PIX config. I did exclude some things I thought were not relevant, which may not have been the smartest idea given that I can't get the damned thing working Clearly, I don't know what's relevant.
|
# ? Jul 5, 2007 17:29 |
|
No problem, I fixed that post. If the access list is referenced and applied to an interface, but no such list exists, you will get an implicit deny or perhaps some other wonkiness. That was the cut of my jib on that one.
|
# ? Jul 5, 2007 17:38 |
|
Herv posted:Name: Gi1/0/24 Here's what I've got: code:
|
# ? Jul 5, 2007 17:39 |
|
atticus posted:is the native VLAN the same on both sides of the trunk? Haha I called it try this on both sides: code:
|
# ? Jul 5, 2007 17:42 |
|
atticus posted:Haha I called it Hey buddy, last time I read that post it said "bogus post"! Let me give that a try...
|
# ? Jul 5, 2007 17:46 |
|
Mierdaan posted:Hey buddy, last time I read that post it said "bogus post"! Yeah sorry about that, I edited it a few minutes ago
|
# ? Jul 5, 2007 17:46 |
|
Looking at this further I don't think that's going to work. What I can see is that all you're doing is allowing multiple VLANs across a trunk, but they still won't be able to talk to each other without layer 3 functionality. As I mentioned before, I suck at PIX/ASA stuff, so if possible try to take the PIX out of the picture and enable ip routing globally on both of the 2950s. Or try to set up a couple static routes on the PIX maybe?
|
# ? Jul 5, 2007 18:02 |
|
In typical router-on-a-stick setups used for inter-vlan routing, subinterfaces have to be configured on the router's physical ethernet interfaces, with .1q trunking and IP addresses enabled on the subifs. From digging around online on PIX configs for inter-vlan routing I noticed somewhat of a similar setup, however I'm not sure if the PIX supports .1q trunking: code:
atticus fucked around with this message at 18:27 on Jul 5, 2007 |
# ? Jul 5, 2007 18:15 |
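The subinterface layout atticus describes, written out as an added example for the PIX side (not Mierdaan's or atticus's config). It assumes PIX 7.x syntax, Ethernet1 trunked to the 2950s with VLAN 1 untagged as the native VLAN and VLAN 101 tagged, and made-up addresses 192.168.1.0/24 and 192.168.101.0/24; the interface names and ACL name are mine.

```cisco
! Untagged (native VLAN 1) frames stay on the physical interface.
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Tagged VLAN 101 frames land on a logical subinterface of the same wire.
interface Ethernet1.101
 vlan 101
 nameif voice
 security-level 90
 ip address 192.168.101.1 255.255.255.0
!
! The PIX forwards between these two because they are different (logical) interfaces;
! the restriction dwarftosser mentions applies to traffic entering and leaving the
! SAME interface. Forwarding still has to pass the firewall policy: by default the
! higher-security side (inside, 100) may open connections to the lower one (voice, 90),
! while the reverse direction needs an explicit access-list on the lower interface.
access-list VOICE-IN extended permit ip 192.168.101.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group VOICE-IN in interface voice
!
! If nat-control is enabled (it is preserved when a 6.x config is upgraded), traffic
! between the two interfaces also needs a translation. An identity static keeps the
! real addresses rather than hiding the inside network behind the PIX.
static (inside,voice) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
```

Once this is in place the VLAN 101 hosts can reach the internal DNS server on VLAN 1 that Mierdaan mentions, and show xlate / show access-list hit counts confirm which rule each flow took.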
|
atticus posted:Looking at this further I don't think that's going to work. Yeah - it didn't. The PIX should be able to do the layer3 routing, so I'm trying to avoid hacking this together as much as possible.
|
# ? Jul 5, 2007 18:53 |
|
atticus posted:In typical router-on-a-stick setups used for inter-vlan routing, subinterfaces have to be configured on the router's physical ethernet interfaces, with .1q trunking and IP addresses enabled on the subifs. I'll compare this to the syntax I have right now and see how it matches up - headed to a meeting now. Thanks Atticus!
|
# ? Jul 5, 2007 18:55 |
|
nene posted:Whilst I realise it's not actually answering your question, how come you're installing DFC3Bs? As soon as you put it in a chassis with a Sup720 PFC3BXL it's going to downgrade that to 3B to match. The SUP is actually a SUP720-3B so no downgrade. I think I'm just going to end up hunting down a smaller heatsink and throwing it on there. It boggles the mind as to why Cisco would put that heatsink on this board.
|
# ? Jul 5, 2007 19:02 |
|
Mierdaan posted:Yeah - it didn't. The PIX is not a router. It will only forward traffic through it or deny traffic. It is impossible to redirect traffic out of a pix on the same port it comes in on.
|
# ? Jul 5, 2007 19:30 |
|
dwarftosser posted:The PIX is not a router. It will only forward traffic through it or deny traffic. It is impossible to redirect traffic out of a pix on the same port it comes in on. Can you provide some documentation to back this up? It is my understanding that you cannot send traffic back out over the same physical interface it came in on, but we're talking about logical interfaces when it comes to vlans - not physical.
|
# ? Jul 5, 2007 19:38 |
|
dwarftosser posted:The PIX is not a router. It will only forward traffic through it or deny traffic. It is impossible to redirect traffic out of a pix on the same port it comes in on. PIX supports RIP and static routes but that's about it. While it doesn't have as much layer 3 functionality as your typical router, it can in fact route.
|
# ? Jul 5, 2007 19:41 |