Weissbier
Apr 8, 2007
good for the soul

Paul Boz_ posted:

I didn't get any ISDN poo poo on either of my tests, but had quite a few frame relay questions.


I'm confused. Is there one test for the 640-801 Cisco CCNA cert, or two? Thanks.

And they're going to change everything in May/June correct?

Weissbier
Apr 8, 2007
good for the soul
We have SSHv2 loaded on a lot of our switches, and utilize PuTTY to access them. Doing it the old way, telnetting from a command prompt, we could telnet to another switch from that switch.

Is there a way to SSH into another switch from privileged mode on a switch you've already SSH'd into?

Weissbier
Apr 8, 2007
good for the soul
Thanks for the info on SSH.

Can you SSH from an ASA? If I putty into our ASA from home using SSH, how can I access the internal switches?

ASA commands are all different :(

Weissbier
Apr 8, 2007
good for the soul

jbusbysack posted:

No you cannot and that is intentional. What is recommended is to create Remote Access VPN profiles and use those to gain internal network connectivity. This is because of the multi-interface functionality of the ASA and the desire to enforce the ingress/egress interface policies. Also it's just bad form in general, because if you're having to hop through your firewall there's problems abound anyway :)

We can paste scripts for that if so desired.

Thanks, I'm very ASA/Pix ignorant.

The way I'm doing it now is via a VPN account that someone else set up, remote into my box at work, then operate off of that. Is that what you're saying to do? Thanks

Weissbier
Apr 8, 2007
good for the soul
Has anyone had success with the cisco anyconnect client? I don't know what I'm missing. We have an ASA 5540 running ASA 8.2(1)/ASDM 6.2(1)

The 5.0 client works fine; when I installed and ran the newer client I receive:

"Connection attempt has failed (timeout)."

I've read the installation guide at Cisco; I've googled and failed.

I've edited the .xml file, but there's a part where it asks for a hostname. Is it wanting a DNS resolvable record? Thanks for any help.

Weissbier
Apr 8, 2007
good for the soul
It is in production. I opened up the xml but I don't see a webvpn section. I'm really lost here - The only part I see that needs to be changed from the sample xml is:

code:
</ClientInitialization>
<!-- This section contains the list of hosts the user will be able to
     select from. -->
<ServerList>
  <!-- This is the data needed to attempt a connection to a specific host. -->
  <HostEntry>
    <!-- Can be an alias used to refer to the host or an FQDN or IP address.
         If an FQDN or IP address is used, a HostAddress is not required. -->
    <HostName>hostname of asa?</HostName>
    <HostAddress>IP of asa</HostAddress>
  </HostEntry>
  <HostEntry>
    <HostName />
    <HostAddress />
    <!-- If present, UserGroup will be used in conjunction with HostAddress
         to form a Group based URL.
         NOTE: Group based URL support requires ASA version 8.0.3 or later. -->
    <UserGroup>REPLACE_TunnelGroup</UserGroup>

Weissbier
Apr 8, 2007
good for the soul

falz posted:

The 'webvpn' section I was talking about is in the actual ASA's config, nothing related to XML at all.

Sorry, as you can tell I'm seriously lost on this.

Sojourner posted:

At the top of the XML file where there is the help (massive block of comments) it should say what it wants for the hostname tag. I'll take a look at our ASA on Monday and confirm, it's been a while since we set it up. You can connect to it with the normal VPN client / SSL vpn client though, right?

I'll look at mine as well. I currently connect using VPN client version 5.0.01.0600. It's the only client that I've ever connected with for this ASA and it must have been vendor configured a long time ago. The current client has a .pcf file, which if you open in a text editor seems relatively simple. This client doesn't work under Vista 64, and hence my attempted upgrade. Thanks

Weissbier
Apr 8, 2007
good for the soul
I have a rather odd question about finding devices plugged into your cisco switches.

We have guys that are setting up Kronos time keeping equipment at a multitude of locations. These Kronos devices have a mac address that begins 0040.

If you happen to be on the right switch, then you can issue a:

code:
sh mac-address-table | incl 0040
13 0040.5801.dd37 STATIC Fa0/20
13 0040.5801.dda7 STATIC Fa0/21

and of course if there's one on that switch, you'll see the Fa port where it is attached.

If I'm not on the correct switch, I'll see the trunked Gi interface where it is:

code:
sh mac-address-table | incl 0040
13 0040.5801.dd37 DYNAMIC Gi1/0/9
13 0040.5801.dda7 DYNAMIC Gi1/0/9

Here's where I'm stuck. I can issue a sh cdp neigh and it will tell me the hostname of gi1/0/9, but I have no means of really knowing what the ip of that switch is so I can connect to it. Is there any way to find these devices without ssh'ing into every switch to find that hostname?

Weissbier
Apr 8, 2007
good for the soul

ior posted:

Use the 'detail' parameter to sh cdp nei.

code:
labcore01#sh cdp neighbors gigabitEthernet 1/8 detail
-------------------------
Device ID: sw21-1.core.emelab.net
Entry address(es): 
  IP address: 10.203.204.121
....
....
....

Awesome ior, thank you for that little tip!

Weissbier
Apr 8, 2007
good for the soul
Anyone know a thing about multicasting?

Our core 6509 has the following global config:
code:
ip multicast-routing
ip pim rp-address 10.100.250.2
And the VLANS that we want to multicast across have this in their config:
code:
ip pim sparse-dense-mode
Multicasting works from one distribution point to a client on the same VLAN, however, it will not cross layer 3. Anyone?

Weissbier
Apr 8, 2007
good for the soul
sh ip mroute:
code:
6509#sh ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report,
       Z - Multicast Tunnel, z - MDT-data group sender,
       Y - Joined MDT-data group, y - Sending to MDT-data group
       V - RD & Vector, v - Vector
Outgoing interface flags: H - Hardware switched, A - Assert winner
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 239.192.152.143), 2w0d/00:02:04, RP 10.100.250.2, flags: SP
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list: Null

(*, 239.255.255.254), 7w0d/00:05:58, RP 10.100.250.2, flags: SP
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list: Null

(*, 239.255.255.250), 7w0d/00:02:56, RP 10.100.250.2, flags: SP
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list: Null

(*, 239.255.130.109), 3w1d/00:02:15, RP 10.100.250.2, flags: SP
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list: Null

(*, 224.0.1.24), 7w0d/00:05:51, RP 10.100.250.2, flags: SP
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list: Null

(*, 224.0.1.40), 7w0d/00:02:54, RP 10.100.250.2, flags: SPL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list: Null
sh ip pim interface
code:
6509#sh ip pim interface

Address          Interface                Ver/   Nbr    Query  DR     DR
                                          Mode   Count  Intvl  Prior
10.100.2.2       Vlan2                    v2/SD  1      30     1      10.100.2.3
10.100.17.2      Vlan17                   v2/SD  1      30     1      10.100.17.3
10.100.15.2      Vlan15                   v2/SD  1      30     1      10.100.15.3
10.100.100.2     Vlan100                  v2/SD  1      30     1      10.100.100.3

sh ip pim neighbor
code:
6509#sh ip pim neighbor
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
      P - Proxy Capable, S - State Refresh Capable
Neighbor          Interface                Uptime/Expires    Ver   DR
Address                                                            Prio/Mode
10.100.2.3        Vlan2                    17w1d/00:01:21    v2    1 / DR S P
10.100.17.3       Vlan17                   17w1d/00:01:30    v2    1 / DR S P
10.100.15.3       Vlan15                   17w1d/00:01:15    v2    1 / DR S P
10.100.100.3      Vlan100                  13w3d/00:01:27    v2    1 / DR S P
sh ip pim rp
code:
6509#sh ip pim rp
Group: 239.192.152.143, RP: 10.100.250.2, next RP-reachable in 00:00:34
Group: 239.255.255.254, RP: 10.100.250.2, next RP-reachable in 00:00:31
Group: 239.255.255.250, RP: 10.100.250.2, next RP-reachable in 00:00:50
Group: 239.255.130.109, RP: 10.100.250.2, next RP-reachable in 00:00:39
Group: 224.0.1.24, RP: 10.100.250.2, next RP-reachable in 00:00:13
Group: 224.0.1.40, RP: 10.100.250.2, next RP-reachable in 00:00:18
And from the previous posts, I don't see any ACL applied on the VLAN ints.
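The mroute output above is easier to reason about once the flag letters are expanded using the legend the router prints and each group's incoming interface and outgoing interface list (OIL) are pulled out. The script below is an added example, not from the thread or from Cisco; it parses the `show ip mroute` format, decodes the flags from the legend in the output itself, and reports every (*,G) entry that is pruned with an empty OIL, which is what all six groups in the post show. The sample text is the first two groups from the post plus one constructed (S,G) entry with a populated OIL so the list handling is exercised.

```python
import re

# Sample 'show ip mroute' output: the legend and first two (*,G) entries are
# from the post; the trailing (10.100.2.50, 239.192.152.143) entry is
# constructed so that a non-empty outgoing interface list is parsed too.
MROUTE_OUTPUT = """\
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report,
       Z - Multicast Tunnel, z - MDT-data group sender,
       Y - Joined MDT-data group, y - Sending to MDT-data group
       V - RD & Vector, v - Vector
Outgoing interface flags: H - Hardware switched, A - Assert winner
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 239.192.152.143), 2w0d/00:02:04, RP 10.100.250.2, flags: SP
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list: Null

(*, 224.0.1.40), 7w0d/00:02:54, RP 10.100.250.2, flags: SPL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list: Null

(10.100.2.50, 239.192.152.143), 00:01:10/00:02:50, flags: T
  Incoming interface: Vlan2, RPF nbr 0.0.0.0
  Outgoing interface list:
    Vlan17, Forward/Sparse-Dense, 00:01:10/00:02:15
"""

# Header of an entry: (source, group), uptime/expires, optional RP, flags.
# (*,G) entries carry an RP; (S,G) entries do not.
ENTRY_RE = re.compile(
    r"^\((?P<src>[^,]+), (?P<grp>[\d.]+)\), (?P<timers>\S+?)"
    r"(?:, RP (?P<rp>[\d.]+))?, flags: (?P<flags>\w*)$"
)


def parse_flag_legend(text):
    """Build {letter: meaning} from the 'Flags:' legend printed by the router.

    Only the entry-flag legend is used; the outgoing-interface legend reuses
    the letter 'A' with a different meaning and is cut off first."""
    legend_text = text.split("Outgoing interface flags")[0]
    return dict(re.findall(r"\b([A-Za-z]) - ([^,\n]+)", legend_text))


def parse_mroute(text):
    """Return one dict per mroute entry with decoded flags, IIF and OIL."""
    legend = parse_flag_legend(text)
    entries, cur = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line.rstrip())
        if m:
            cur = {"source": m["src"], "group": m["grp"], "rp": m["rp"],
                   "flags": [legend.get(c, c) for c in m["flags"]],
                   "iif": None, "rpf_nbr": None, "oil": []}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"\s+Incoming interface: ([^,]+), RPF nbr (\S+)", line)
        if m:
            cur["iif"], cur["rpf_nbr"] = m.group(1), m.group(2)
            continue
        # OIL members are indented one level deeper than the list header.
        m = re.match(r"\s{4}(\S+?),", line)
        if m:
            cur["oil"].append(m.group(1))
    return entries


def groups_without_receivers(entries):
    """(*,G) entries that are pruned and have no outgoing interfaces: the
    router has the group but nowhere to forward it."""
    return [e["group"] for e in entries
            if e["source"] == "*" and "Pruned" in e["flags"] and not e["oil"]]


if __name__ == "__main__":
    parsed = parse_mroute(MROUTE_OUTPUT)
    for e in parsed:
        print(f"({e['source']}, {e['group']}) RP={e['rp']} flags={e['flags']} "
              f"iif={e['iif']} oil={e['oil']}")
    print("pruned, empty OIL:", groups_without_receivers(parsed))
```

Paste a full `show ip mroute` into `MROUTE_OUTPUT` and the pruned-with-empty-OIL list tells you at a glance which groups have no interface in their outgoing list, which is the first thing to check when a group is visible on the RP but never crosses layer 3.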

Weissbier
Apr 8, 2007
good for the soul
10.100.250.2 is the ip of the 6509 itself - should that be 224.1.1.1?

code:
6509#sh ip pim rp ?
  Hostname or A.B.C.D  IP name or group address
  mapping              Show group-to-RP mappings
  metric               Show RP RPF metric
  |                    Output modifiers
  <cr>

65091#sh ip pim rp mapping
PIM Group-to-RP Mappings

Group(s): 224.0.0.0/4, Static
    RP: 10.100.250.2 (?)

Weissbier
Apr 8, 2007
good for the soul

Herv posted:

Ok I would just yank out that line:

ip pim rp-address 10.100.250.2

for now and set the rp to auto discovery with this:

ip pim send-rp-discovery (says I am an RP mapping agent)
ip pim send-rp-announce (says I can be an RP)

only if just pulling the first doesn't fix things.

Not sure if you have to have some type of RP configured or not, sorry.

e: nevermind

No, THANK YOU for all the help last night. Going to review this information in detail today at work.

Weissbier
Apr 8, 2007
good for the soul
I have a troubleshooting question:

Technician calls and says they "can't connect to the network" and supply me the port.

I ssh into the switch and the port in question has a mac address entry for the computer when I do sh mac-address-table.

I ssh into the edge switch for that facility and that computer's mac address is listed there.

Beyond the obvious answer, which in my mind is, try another device on that port, what else can I do remotely to see what's going on?

*edit* All other PCs on that facility are working.

Weissbier fucked around with this message at 17:37 on Feb 6, 2010

Weissbier
Apr 8, 2007
good for the soul
Another question. Is there any way within the IOS of a 3560 to cross reference a MAC address to an IP address. sh arp just gives me the other l3 switches it sees.

Weissbier
Apr 8, 2007
good for the soul

CrackTsunami posted:

sh arp on a L3 device to go from IP to MAC, sh mac-address-table on a L2 device to track this down to a specific port. L2 devices don't care about what the ip is, only the mac, so you need to go to the device which has the gateway for the vlan and track it down there.

Gotcha. Thanks!
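CrackTsunami's answer here and ior's CDP tip earlier in the thread together describe one procedure: `show arp` on the VLAN gateway for IP-to-MAC, `show mac address-table` for MAC-to-port, and `show cdp neighbors detail` to get the management IP of whatever switch sits behind a trunk port. The script below is an added example that is not from the thread or from Cisco; it parses those three outputs and follows the chain for one IP, and also answers the earlier "find every Kronos clock" question by filtering the MAC table on an OUI prefix. All three sample outputs are constructed here in the standard IOS layout (the CDP device ID and address are the ones ior posted); the hostnames, MACs and IPs are illustrative, and interface names are normalised to the short form (`Gi1/0/9`) so that CDP's long names match the MAC table.

```python
import re

MAC_RE = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}")

# Constructed 'show arp' output from the L3 gateway for VLAN 2.
ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.100.2.1              -   0019.aa12.bb01  ARPA   Vlan2
Internet  10.100.2.50             5   0040.5801.dd37  ARPA   Vlan2
Internet  10.100.2.51            12   0040.5801.dda7  ARPA   Vlan2
Internet  10.100.2.77             3   001b.2c3d.4e5f  ARPA   Vlan2
"""

# Constructed 'show mac address-table' output from a distribution switch:
# the two Kronos MACs were learned on the trunk toward an edge switch.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  13    0040.5801.dd37    DYNAMIC     Gi1/0/9
  13    0040.5801.dda7    DYNAMIC     Gi1/0/9
  13    001b.2c3d.4e5f    DYNAMIC     Fa0/5
"""

# Constructed 'show cdp neighbors detail' output from the same switch.
CDP_DETAIL = """\
-------------------------
Device ID: sw21-1.core.emelab.net
Entry address(es):
  IP address: 10.203.204.121
Platform: cisco WS-C3560-48PS,  Capabilities: Switch IGMP
Interface: GigabitEthernet1/0/9,  Port ID (outgoing port): GigabitEthernet0/1
Holdtime : 156 sec
"""


def short_ifname(name):
    """'GigabitEthernet1/0/9' -> 'Gi1/0/9'; 'Fa0/20' stays 'Fa0/20'."""
    m = re.match(r"([A-Za-z]{2})[A-Za-z-]*(.*)", name)
    return m.group(1) + m.group(2) if m else name


def parse_arp(text):
    """Map IP -> (mac, interface) from 'show arp' on the gateway."""
    table = {}
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 6 and p[0] == "Internet" and MAC_RE.fullmatch(p[3]):
            table[p[1]] = (p[3], short_ifname(p[5]))
    return table


def parse_mac_table(text):
    """Map mac -> (vlan, type, port) from 'show mac address-table'."""
    table = {}
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 4 and MAC_RE.fullmatch(p[1]):
            table[p[1]] = (p[0], p[2], short_ifname(p[3]))
    return table


def parse_cdp_detail(text):
    """Map local interface -> (device id, ip) from 'show cdp neighbors detail'."""
    neighbors = {}
    for block in text.split("-------------------------"):
        dev = re.search(r"Device ID: (\S+)", block)
        ip = re.search(r"IP address: (\S+)", block)
        local = re.search(r"Interface: ([^,\s]+),", block)
        if dev and ip and local:
            neighbors[short_ifname(local.group(1))] = (dev.group(1), ip.group(1))
    return neighbors


def find_by_oui(mac_table, prefix):
    """Equivalent of 'sh mac address-table | incl <prefix>': (mac, port) pairs."""
    return sorted((mac, e[2]) for mac, e in mac_table.items() if mac.startswith(prefix))


def locate(ip, arp, mac_table, cdp):
    """Follow IP -> MAC (ARP) -> port (MAC table) -> next switch (CDP).

    Returns a status of 'no-arp-entry', 'mac-not-learned' (port may be up
    but the switch has never seen a frame from it), 'edge-port' or
    'behind-neighbor' with the neighbour's IP to connect to next."""
    if ip not in arp:
        return {"ip": ip, "status": "no-arp-entry"}
    mac, _ = arp[ip]
    if mac not in mac_table:
        return {"ip": ip, "mac": mac, "status": "mac-not-learned"}
    _, _, port = mac_table[mac]
    if port in cdp:
        name, nbr_ip = cdp[port]
        return {"ip": ip, "mac": mac, "port": port, "status": "behind-neighbor",
                "next_hop": nbr_ip, "next_hop_name": name}
    return {"ip": ip, "mac": mac, "port": port, "status": "edge-port"}


if __name__ == "__main__":
    arp, macs, cdp = parse_arp(ARP_OUTPUT), parse_mac_table(MAC_TABLE), parse_cdp_detail(CDP_DETAIL)
    print("Kronos clocks:", find_by_oui(macs, "0040"))
    for host in ("10.100.2.50", "10.100.2.77", "10.100.2.1", "10.9.9.9"):
        print(locate(host, arp, macs, cdp))
```

When the result is `behind-neighbor`, the `next_hop` address is the switch to SSH into next and repeat the MAC-table lookup on; when it is `edge-port`, you have the physical port. A `mac-not-learned` result with the port showing up/up is the situation described later in the thread, where the interface is up but the switch has no MAC for it, and points at the cable or the end device rather than at the switch configuration.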

Weissbier
Apr 8, 2007
good for the soul
Can anyone explain why some devices connect at half duplex? I know the device and the switch negotiate duplex and speed - can it be cable quality at all?

Weissbier
Apr 8, 2007
good for the soul
Here's an ongoing issue. Get a call that a Kronos clock is connected to the network but isn't working. I issue a "sh int fa 0/37" on the port it's connected to and it shows up. However, typing "sh mac address int fa 0/37" returns no mac address in the table.

What are some other troubleshooting steps I can do without going on site? Any ideas? Is it a layer 1 issue like a bad cable?

Weissbier
Apr 8, 2007
good for the soul

Tremblay posted:

Are you running new enough code to do a packet capture on the router? If so, set up a capture and try to ping the Kronos. I'm guessing that you'll see that the clock isn't responding to ARP requests. Is the interface clean?

As luck would have it, it started working on its own. It did have 3 input errors when I did a sh run on the int.
