|
This might be a stupid question and if it is I hope this is the right thread for it: what command do you use on a Cisco 2801 to clear the counters that are shown when you run "show dsl interface atm"? I would have thought that simply running clear counters would work but apparently not. For reference the 2801 is running 12.4.
|
# ¿ Jun 1, 2012 18:33 |
|
|
atticus posted:check out gear from OnPath - 3900 series. Those OnPath switches look ridiculous. At least they'd be easy to find in a rack I guess... Oh and you weren't joking about their stock photo choices in the 3900 series product sheet: That has to be a subtle goatse reference.
|
# ¿ Oct 11, 2012 11:09 |
|
BurgerQuest posted:For what it's worth I quite like Fortinet's two approaches for centralised management of their various routers/switches/APs. FortiManager ties everything in nicely and works in closed environments, managing firmware updates, tracking config changes etc. FortiCloud is much less much and of course requires the device to be able to talk to FortiCloud over the internet, but it is nice when your device is behind weirdly NAT'd 3G networks/etc as it creates a secure tunnel back to FortiCloud and from there you can manage/work with the device. You can even get FortiManager as a virtual appliance which is pretty sweet.
|
# ¿ Feb 28, 2013 13:43 |
|
This question has probably been asked a million times in this thread so apologies in advance: what is the currently recommended router/switch combo for setting up a home CCNA lab? I've had a look around on Google however most of the guides/sites I found were a year or two old and I'm worried about investing in something that may be obsolete or not support a relevant IOS version.
|
# ¿ Jul 25, 2013 17:02 |
|
Powercrazy posted:CCNA requires pretty much nothing equipment-wise. Get 2 switches as long as they run IOS so that you can figure out trunking and port channels, and get a router. Awesome, thanks for the info. Regarding IOS versions, would IP Base be fine across all the gear or would you recommend IP Advanced on the routers? GOOCHY posted:Just use Packet Tracer unless you absolutely need physical access to gear. That's an excellent point, I completely forgot about Packet Tracer. Can you get Packet Tracer outside of being a registered academy student? I'll probably see if I can grab a copy from one of my work mates.
|
# ¿ Jul 25, 2013 18:29 |
|
Riverbed chat? I can dig that. My background is mostly with Citrix NetScaler appliances but at my current gig they are all Riverbed and so far I'm quite impressed. We have approximately 25 units deployed at branches and are seeing +50% data reduction:
|
# ¿ Aug 7, 2013 18:34 |
|
Does anyone know how to download the PKI private key in ACS 4.2?
Pile Of Garbage fucked around with this message at 05:57 on Nov 10, 2013 |
# ¿ Nov 10, 2013 05:19 |
|
Farking Bastage posted:Fortigates are my second choice next to a Palo. Nice little boxes. Outside of going Mikrotik or a hacked up DD-WRT(lol), you can't find a $500 firewall that you can set up for dual WAN failover that I know of. Seconding the Fortigate love. You get a surprising amount of features even on their low-end, branch office models.
|
# ¿ Dec 5, 2013 16:58 |
|
jwh posted:2). If it's not working, it's almost always either a transform set mismatch, or a security association disagreement. If it's still not working, it's still a transform set or security association disagreement. If it's not working after that, it's an ACL issue. I'm a Cisco IOS/networking scrub yet I agree with this advice 1000%. If your tunnel doesn't come up it's almost always due to a phase 1 proposal mismatch. Also I've read the entire thread, albeit starting over 6 months ago! Good advice all round.
|
# ¿ Aug 26, 2014 14:32 |
|
Here are some advisories I've collected to save some time:

Blue Coat: https://kb.bluecoat.com/index?page=content&id=SA82&actp=RSS
Check Point: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk102673
Cisco: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
Polycom: http://supportdocs.polycom.com/PolycomService/support/global/documents/support/documentation/Security_Bulletin_bash_shellshocked_v1_0.pdf
Riverbed: https://supportkb.riverbed.com/support/index?page=content&id=S24997

Also this guy is posting advisory updates for several vendors: http://www.mnemonic.no/en/Andre-sprak/English/Blog/Status-on-products-versus-vulnerability-in-Bash-CVE-2014-6271/
|
# ¿ Sep 26, 2014 20:41 |
|
On the subject of Cisco WLC: in the infinite wisdom of our customer's project manager we have deployed a managed WAP on an off-shore vessel. There is no WLC on-board the vessel so the WAP is being managed by the WLC back at our DC over a 500ms VSAT link. We are using 802.1x for authentication and due to the latency clients are unable to auth 90% of the time when trying to connect. We escalated to TAC who advised that the latency between the WAP and WLC needs to be <100ms for it to work properly. Has anyone else dealt with such a situation before? It's getting to the point where we will either have to deploy a WLC on the vessel or reconfigure the WAP in standalone mode, both of which I'd rather not do because gently caress going back offshore again. Are there any other options?
|
# ¿ Feb 13, 2015 21:11 |
|
Thanks Ants posted:Send someone else to do it? Yeah that would be nice however I'm the only person on the contract who has a BOSIET certificate. poo poo I'm a server engineer, not a networks guy. Hopefully I'll die in a derrick fire or helicopter crash or something.
|
# ¿ Feb 13, 2015 22:14 |
|
jwh posted:H-REAP won't help you if the radio is configured to 802.1x authenticate back to a remote server. I've just taken another look at the WLAN config on the WLC and it's set up to authenticate against RADIUS servers (Old-rear end Cisco 1113 ACS boxes) in our DC so even if we deploy a WLC on-site we could still have issues (I think). We have deployed WLCs at two sites in Korea but that was only to resolve performance issues caused by the back-and-forth of CAPWAP over WAN. jwh posted:With your BOSIET certification, aren't you certified to survive helicopter crashes? More like certified to experience them.
|
# ¿ Feb 13, 2015 23:03 |
|
Thanks for the suggestions jwh and ior. There are already DCs on-board the vessel so I'll push the business to deploy a WLC out there (Unless TAC can provide a better option which is doubtful).
|
# ¿ Feb 14, 2015 08:31 |
|
Ahdinko posted:I have a customer across three countries, UK, US and Australia. There is a WLC in each country, and all users authenticate with 802.1x which goes back to some boxes in the UK. The Aus-UK latency is 270-300ms and it works perfectly. So I guess the 802.1x stuff taking a while is ok, it must just be the AP>WLC communication that needs a shorter time? You've just reminded me of something: we've got an office in Aberdeen with WAPs and no WLC, latency between our DC and the Aberdeen office is ~260ms and AFAIK they have zero connection issues with WiFi out there. We sent debug logs from the WLC to TAC last week and are still waiting to hear back. Edit: poor choice of words. Pile Of Garbage fucked around with this message at 12:29 on Feb 16, 2015 |
# ¿ Feb 16, 2015 12:22 |
|
Has anyone encountered a situation where the IP address of each hop returned by a trace route is the same as the target IP address? I asked the networks team that I work with but they've never seen such an anomaly before. Background: we've got a remote site which is connected to our DC via an IPsec tunnel. The tunnel is from a Cisco 2911 at the remote site to an ASA 5555-X at the DC. When I perform a trace route from a server at the remote site to another server at the DC the IP address of each hop is the same as the target IP address. Example:

```
C:\>tracert -d 10.180.49.15

Tracing route to 10.180.49.15 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.180.112.126
  2     *        *        *     Request timed out.
  3    54 ms    54 ms    53 ms  10.180.49.15
  4    71 ms    55 ms    56 ms  10.180.49.15
  5    55 ms    55 ms    56 ms  10.180.49.15

Trace complete.
```

```
C:\>tracert -d 10.180.112.1

Tracing route to 10.180.112.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.180.49.254
  2     1 ms     1 ms     1 ms  10.180.255.1
  3     1 ms     1 ms     1 ms  10.180.55.238
  4     *        *        *     Request timed out.
  5    55 ms    56 ms    55 ms  10.180.112.1

Trace complete.
```

I'm not really a networks person by trade but I know a fair bit and can provide config excerpts if need be. Any help would be much appreciated.
|
# ¿ Mar 12, 2015 20:35 |
|
Richard Noggin posted:What version of ASA code are you on? http://www.experts-exchange.com/Hardware/Networking_Hardware/Firewalls/Q_27930769.html We're running 9.3(1). I don't have an Experts Exchange account so I can't read that thread. Is there a known issue with code-levels >9.0? Edit: the remote site 2911 is running 15.1(4)M8 if that's at all helpful. Pile Of Garbage fucked around with this message at 21:58 on Mar 12, 2015 |
# ¿ Mar 12, 2015 21:53 |
|
Moey posted:Stupid Experts Exchange. If you find the link on google, you can scroll all the way down and see the answer. But direct links make you have an account. Cool thanks for that. I've checked the ASA config and the statements for inspect icmp and inspect icmp error aren't present so that may very well be the issue. Of course if that fixes it then my suspicion that it was a symptom related to the half-open connection issue is probably incorrect. We're already escalating that one to Riverbed so it's their problem now. Honestly gently caress spurious inter-site traffic as it's the whole reason I've been dragged into this and it's become the bane of my existence (loving Lync 2010 client is the worst offender in a Windows AD environment).
|
# ¿ Mar 12, 2015 22:24 |
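The symptom in the trace above (every intermediate hop answering with the target's own address, which the thread attributes to the ASA lacking `inspect icmp error`) is easy to spot by eye in one trace but worth checking mechanically across many. The following is an added example, not code from the thread: a small parser for Windows `tracert -d` output plus a check that flags hops reporting the destination address. The two sample outputs are constructed to mirror the ones in the post.

```python
import re

# Constructed sample modelled on the first tracert in the post above (same addresses).
ANOMALOUS = """\
C:\\>tracert -d 10.180.49.15

Tracing route to 10.180.49.15 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.180.112.126
  2     *        *        *     Request timed out.
  3    54 ms    54 ms    53 ms  10.180.49.15
  4    71 ms    55 ms    56 ms  10.180.49.15
  5    55 ms    55 ms    56 ms  10.180.49.15

Trace complete.
"""

# Constructed sample modelled on the second (healthy) trace in the same post.
HEALTHY = """\
Tracing route to 10.180.112.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.180.49.254
  2     1 ms     1 ms     1 ms  10.180.255.1
  3     1 ms     1 ms     1 ms  10.180.55.238
  4     *        *        *     Request timed out.
  5    55 ms    56 ms    55 ms  10.180.112.1

Trace complete.
"""

HEADER_RE = re.compile(r"Tracing route to (\S+) over a maximum of (\d+) hops")


def parse_tracert(text):
    """Return (target, [(hop_no, address_or_None), ...]) from Windows tracert -d output."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no 'Tracing route to' header found")
    hops = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].isdigit():
            continue  # prompt, header, blank line or "Trace complete."
        hop_no = int(fields[0])
        # A hop that never answered has no address; otherwise it is the last field.
        addr = None if line.rstrip().endswith("Request timed out.") else fields[-1]
        hops.append((hop_no, addr))
    return m.group(1), hops


def target_masquerading_hops(target, hops):
    """Hop numbers (other than the final one) that report the target's own address.

    A healthy trace shows the target once, at the last hop. The same address at
    several earlier hops is the symptom discussed above: an ASA in the path that is
    not running 'inspect icmp error' does not build translations for the routers
    that send ICMP time-exceeded replies, so every intermediate hop is presented
    with the mapped destination address instead of its own.
    """
    answered = [(n, a) for n, a in hops if a is not None]
    if not answered:
        return []
    final_hop = answered[-1][0]
    return [n for n, a in answered if a == target and n != final_hop]


def trace_looks_natted(text):
    """Convenience check: True when a trace shows the masquerading symptom."""
    target, hops = parse_tracert(text)
    return bool(target_masquerading_hops(target, hops))
```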
|
Anyone here familiar with Cisco Security Manager 4.7? I've been tasked with configuring it to use a SSL certificate issued by our internal-CA instead of the default self-signed one (Required to get AlgoSec to talk to it or something) and I'm having a hard time digging up good documentation. I've found some details in the built-in help but it's obtuse as hell and full of gaps (e.g. it says how to generate a CSR but it doesn't actually say where it puts it). I know what I'm doing when it comes to PKI however Cisco have managed to make it as difficult as possible. Can anyone point me towards some good documentation? Edit: I think I've got it nailed down, the process is extremely retarded on Windows:
Pile Of Garbage fucked around with this message at 05:22 on Mar 31, 2015 |
# ¿ Mar 31, 2015 04:18 |
|
cheese-cube posted:Anyone here familiar with Cisco Security Manager 4.7? I've been tasked with configuring it to use a SSL certificate issued by our internal-CA instead of the default self-signed one (Required to get AlgoSec to talk to it or something) and I'm having a hard time digging up good documentation. I've found some details in the built-in help but it's obtuse as hell and full of gaps (e.g. it says how to generate a CSR but it doesn't actually say where it puts it). I know what I'm doing when it comes to PKI however Cisco have managed to make it as difficult as possible. Just wanted to bring this back up in case anyone is having similar problems, turns out if you are using a Windows CA to sign the certificate then you are hosed, the certificate will verify and upload fine however Apache will fail to start and throw an exception in mod_ssl. Cisco TAC didn't believe me until I replicated the fault during a WebEx and they later confirmed the fault in their lab when using a Windows CA. We're still waiting on a fix from Cisco but honestly the CiscoWorks platform is rubbish and should be avoided. Any issue you have with it has to go to Cisco's internal development team and you won't hear much back.
|
# ¿ May 12, 2015 19:51 |
|
cheese-cube posted:Just wanted to bring this back up in case anyone is having similar problems, turns out if you are using a Windows CA to sign the certificate then you are hosed, the certificate will verify and upload fine however Apache will fail to start and throw an exception in mod_ssl. Cisco TAC didn't believe me until I replicated the fault during a WebEx and they later confirmed the fault in their lab when using a Windows CA. We're still waiting on a fix from Cisco but honestly the CiscoWorks platform is rubbish and should be avoided. Any issue you have with it has to go to Cisco's internal development team and you won't hear much back. Ok so we finally identified the root cause and managed to get it working. When you upload the certificate using the lovely "SSLUtil.pl" script it combines any root/intermediate CA certificates you give it into a single X.509 certificate file which it then drops in the "<CSM_INSTALL_DIR>\MDC\Apache\conf\ssl" directory along with the signed certificate. Turns out that the script was mangling the combined root/intermediate certificate chain file that it generates by inserting a bunch of random spaces. Manually editing the file to remove the spaces fixed it up and allowed Apache to start without throwing an error. gj cisco Partycat posted:+1 for WLC/NCS/PIM being utterly obnoxious and obtuse. Seconding NSC being obtuse as hell. I actually logged-on to our NSC install today for the first time as I was on a UCS Administration course and wanted to see how port-profiles are configured on our 1000Vs. I swear it took me a solid 10 minutes of clicking around to find the drat things. IMO NSC beats WLC for being obtuse by a wide margin. Pile Of Garbage fucked around with this message at 11:25 on May 15, 2015 |
# ¿ May 15, 2015 11:16 |
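The root cause above (stray spaces inside the base64 body of the combined chain file, which mod_ssl then refuses) is the kind of thing worth checking before blaming the CA. The following is an added example, not Cisco's SSLUtil.pl or anything from the thread: it splits a PEM bundle into blocks, reports which blocks contain whitespace inside their base64 lines, and rewrites the bundle with clean 64-column lines. The certificate bodies are a constructed stand-in (a minimal DER SEQUENCE) rather than real X.509 certificates.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
BLOCK_RE = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)

# Constructed stand-in for a certificate body: base64 of the DER SEQUENCE
# 30 03 02 01 01 (a real bundle would hold full X.509 certificates).
GOOD_BODY = "MAMCAQE="
MANGLED_BODY = "MA MCA QE="   # same bytes with stray spaces inserted inside the base64

# Constructed two-certificate chain file, the second block mangled.
MANGLED_BUNDLE = "\n".join([BEGIN, GOOD_BODY, END, BEGIN, MANGLED_BODY, END, ""])


def pem_bodies(text):
    """Base64 bodies (including their line breaks) of each CERTIFICATE block."""
    return [m.group(1) for m in BLOCK_RE.finditer(text)]


def inspect_body(body):
    """Return (has_stray_whitespace, der_bytes) for one block body.

    Base64 in PEM may only be broken by line breaks; spaces or tabs inside a line
    are what make mod_ssl reject the file. Raises ValueError if the content is not
    base64 or does not decode to a DER SEQUENCE (tag 0x30).
    """
    lines = body.strip().splitlines()
    stray = any(" " in ln or "\t" in ln for ln in lines)
    der = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("block does not decode to a DER SEQUENCE")
    return stray, der


def mangled_blocks(text):
    """0-based indices of blocks in a bundle whose base64 contains stray whitespace."""
    return [i for i, body in enumerate(pem_bodies(text)) if inspect_body(body)[0]]


def repair_bundle(text, width=64):
    """Rewrite every block with whitespace stripped and standard 64-column lines."""
    out = []
    for body in pem_bodies(text):
        _, der = inspect_body(body)
        b64 = base64.b64encode(der).decode("ascii")
        wrapped = [b64[i:i + width] for i in range(0, len(b64), width)]
        out.append("\n".join([BEGIN, *wrapped, END]))
    return "\n".join(out) + "\n"
```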
|
Having an issue with some Cisco Aironet 2600-series APs using Windows DHCP Server: the APs are getting a lease but are not picking up the WLC management IP from the DHCP options. I've tried using a vendor class with VCI "Cisco AP c2600" and option 241 defined within the class as well as just option 43 with the WLC management IP address specified in TLV format. We've already got 1100-series APs which are working fine using a vendor class on the Windows DHCP server. In addition we have other 2600-series APs at remote sites working using the local Cisco router as a DHCP server. I've tried searching around however all of the Cisco documentation is very vague when it comes to Windows DHCP Server. Has anyone encountered this issue before and/or have a working reference configuration? We're going to start doing proper diagnostics tomorrow but it would be swell if anyone could offer some advice.
|
# ¿ May 27, 2015 14:23 |
|
Powercrazy posted:I've had the same issue with 3600aps. Have you tried specifying option 43 with a HEX ip? Yeah we've tried option 43 in TLV format, thanks for the reply though. We've brought one of the APs to the office and are going to do some packet captures for diagnosis in a bit so I'm sure we'll get to the bottom of it. Edit: the guy from our networks team who I was working with just told me that it actually started working sometime after we left the office last night so NFI what was going on. Of course now we're getting a DTLS handshake error but that ain't my problem, I'm just a server guy heh Pile Of Garbage fucked around with this message at 00:54 on May 28, 2015 |
# ¿ May 28, 2015 00:29 |
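The two approaches discussed above (option 241 under a vendor class, or option 43 typed directly as hex in TLV format) should produce the same bytes on the wire, so a quick way to check a DHCP server or a packet capture is to build and decode that TLV yourself. The following is an added example, not code from the thread or from Cisco; the controller addresses are constructed.

```python
import ipaddress

# Cisco lightweight APs read vendor-specific sub-option 241 (0xf1) inside DHCP
# option 43; its value is one or more 4-byte WLC management addresses. Defining
# option 241 under a vendor class on Windows DHCP Server is just another way of
# producing this same TLV on the wire, so both paths should decode identically.
WLC_SUBOPTION = 0xF1

# Constructed example controller addresses (not from the thread).
EXAMPLE_WLCS = ["10.0.0.5", "10.0.0.6"]


def build_option43(wlc_addresses):
    """Return the raw option 43 value (Cisco TLV format) for the given WLC IPs."""
    packed = b"".join(ipaddress.IPv4Address(a).packed for a in wlc_addresses)
    if not packed:
        raise ValueError("at least one WLC management address is required")
    if len(packed) > 255:
        raise ValueError("TLV length byte cannot describe that many controllers")
    return bytes([WLC_SUBOPTION, len(packed)]) + packed


def option43_hex(wlc_addresses):
    """Hex form as typed into a DHCP server's option 43 field (e.g. f1040a000005)."""
    return build_option43(wlc_addresses).hex()


def parse_option43(blob):
    """Decode WLC addresses from an option 43 value, e.g. one lifted from a capture.

    Walks every TLV so unrelated sub-options are skipped, and rejects truncated or
    misaligned data, which is a common reason an AP silently ignores the option.
    """
    addrs, i = [], 0
    while i < len(blob):
        tag = blob[i]
        if tag == 0xFF:          # end-of-options marker
            break
        if tag == 0x00:          # pad byte
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated TLV header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        if tag == WLC_SUBOPTION:
            if length == 0 or length % 4:
                raise ValueError("sub-option 241 length must be a non-zero multiple of 4")
            addrs.extend(str(ipaddress.IPv4Address(value[k:k + 4]))
                         for k in range(0, length, 4))
        i += 2 + length
    return addrs
```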
|
Ahdinko posted:I've never done the option 43 method, I've always done them using DNS, with the CISCO-CAPWAP-CONTROLLER or whatever the record, maybe give that a go? Huh, never knew that you could use DNS for controller discovery. However in our situation that would not work as some of our remote sites have their own WLCs but use the same DNS zone.
|
# ¿ May 30, 2015 06:29 |
|
I've got a Cisco RV130W SMB router at home running firmware version 1.0.1.3 and I'd like to upgrade it to 1.0.2.7 which was released yesterday. However it appears that the "Administration > Firmware/Language Upgrade" section in the device's web interface is missing. I haven't had to do a firmware upgrade of the device since getting it in October, 2014 so I'm unsure when this issue arose. Tried Googling but no luck, has anyone encountered this issue before with Cisco SMB routers?
|
# ¿ Jul 25, 2015 10:17 |
|
Slickdrac posted:I can beat that. I told our trial hire guy to order 3 2960s. 1 to be standalone, the other two to be stacked. I can beat that. In my last job we had a new hire who apparently had their CCNA. A router at one of our customer's branch offices went down so we asked the new hire to load a config onto a spare 877 so we could swap it in at the site. He spent 15 minutes trying to plug the serial cable into the DB-9 monitor port on his computer.
|
# ¿ Aug 3, 2015 21:41 |
|
Partycat posted:
adorai posted:protip: VGA is DB-15 not DB-9. DB-9 is serial, and would be the correct port to use. Ugh I'm an idiot and should be fired. Out of a cannon. Into the sun.
|
# ¿ Aug 5, 2015 14:15 |
|
Anjow posted:I've not found a Fortigate or firewalls thread so I'm not aware of another place I could ask this... It sounds like you've got the IPsec tunnel configured as a policy-based VPN on the FortiGate. If you configure it as a route-based VPN you can specify policies for both directions which will allow you to restrict inbound traffic. To do this you have to enable IPsec Interface Mode in the Phase 1 configuration of the tunnel. This will create a virtual interface which you can specify both inbound and outbound policies for. Here's a general configuration example: http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%25205.0%2520Help/gw-to-gw.114.13.html
|
# ¿ Aug 19, 2015 16:31 |
|
Wicaeed posted:Where's a good point to start learning Cisco UCS? There's a UCS Platform Emulator provided by Cisco which is a good way to get to grips with UCS Manager and how it all fits together (Note that the emulator is a virtual appliance so you'll need an ESXi or Hyper-V host to deploy the OVA to). As for learning it, can you convince your boss to send you on the DCUCI course?
|
# ¿ Aug 22, 2015 06:32 |
|
Collateral Damage posted:Slightly off topic question, but I didn't see a general Enterprise Networking thread.. What's your favorite way to paint pretty pictures of your network? The stock Visio stencils are awful (at least in Visio 2010 which is what I have) and google hasn't helped me find something much better. Ideally I'd like some simple but attractive 2D shapes. Depends on what you're trying to draw. For higher-level diagrams the Cisco stencils are usually the de facto go-to. If you're diagramming complicated Layer 2/3 topologies then it's best to avoid stencils and just use simple shapes. For example, here's a snippet of a Layer 2 diagram: If you want some fancy shiny stencils (Or physical device stencils) then check out VisioCafe.
|
# ¿ Sep 3, 2015 12:24 |
|
Reiz posted:I'm guilty of switchport trunk allowed vlan add x. Best part is I was working from home and my internet service went down right afterward, so I spent the next 5 minutes furiously racking my brain and trying to figure out how dropping the other vlans would sever my connection and pondering just how bad of an outage I had just caused. In my last job I worked with Fortigates a lot and built up a significant amount of FortiOS muscle memory. This is hazardous because you get used to typing sh whilst in config mode which on FortiOS shows the running configuration within your current context. Of course doing the same thing on IOS in interface config mode leads to hilarious results.
|
# ¿ Dec 5, 2015 08:29 |
|
adorai posted:i just count on my fingers. v4 on your fingers, v6 on the toes. count em if you got em
|
# ¿ Jan 14, 2016 05:19 |
|
Zero VGS posted:Er, I should specify it's HP Procurves... I don't see a mac-address-table command. I did "show mac-address [the mac address I want]" and it returns Port 19 and VLAN 16, I assume then there's a command to figure out the IP of whatever switch is on Port 19 so I can then Telnet into that and run show mac again? Zero VGS posted:I figured it out, "show lldp info remote" tells me the names of all the switches in the ports, then I was able to telnet into the edge switch and find the true port that MAC was connected to.
|
# ¿ Jan 16, 2016 06:07 |
|
Judge Schnoopy posted:Anybody here work with a Cisco blade server chassis? A word of warning, not sure if it's a regional thing (APAC) or our VAR's fault but we are seeing extremely high failure rates with our UCS B200 M3 blades. Last year we purchased 24 of the blades and we have experienced failure rates >20%. It's always the same issue: blade starts reporting a large amount of uncorrectable ECC errors on a single DIMM then the ESXi hypervisor PSODs and eventually the blade just dies completely. Each affected blade had to be replaced in its entirety. Honestly I'm amazed that Cisco haven't issued a product recall as there's obviously a batch of blades which are faulty. I'm really not sure if anyone else has experienced the same issue. Apart from that they're pretty good I guess. Just make sure your VAR has lots of spare parts in stock.
|
# ¿ Jan 29, 2016 00:42 |
|
Thanks Ants posted:Which led to this hilarity Hah I was reminded of that advisory when I was off-shore on a deep-sea pipe-lay vessel about two weeks ago. Both switches in the main stack had cables in Gi1/0/1 and the boots were pressing the button. I'm amazed that it never caused an issue but at the same time I didn't give a gently caress as the vessel finishes its campaign in three weeks... Edit: hang on I've just re-read that advisory, is the issue not present on 3750 switches? Because that would explain why we never had any issues on the vessel in question. Also I'm probably an idiot. Pile Of Garbage fucked around with this message at 14:26 on Mar 1, 2016 |
# ¿ Mar 1, 2016 13:31 |
|
Veth posted:Nope, although it's probably only 40 actual users at most. Undoubtedly, we're way off the "Best Practices" path, but day-to-day the three of us who share the IT burden manage OK. Cisco stuff is way over our heads, unfortunately. I hope you're getting two paychecks.
|
# ¿ May 21, 2016 06:17 |
|
Eletriarnation posted:If you decide you want to get a Cisco router as a home gateway, a used 2821 isn't a terrible choice to avoid paying a lot or getting limited performance. Its stock fans are pretty loud for home use but they're standard 80mm case fans, so you can buy some quieter ones meant for PCs to keep it cool enough without being distracting. It's still pretty big but you can just stick it in an out of the way place or stack things on it. Just get an old 877. I've got one and it works perfectly on my 19/2 DSL connection. If you want gig on LAN then stick a better router behind it.
|
# ¿ Jun 1, 2016 15:46 |
|
psydude posted:Speaking of, has anyone here ever blocked ad networks straight up on their perimeter devices? Only major downside I could see is that it might break some content-based sites. Unless you're relying on regularly updated URL categories for your proxy or whatever then you'd be fighting a losing battle really. Client-side extensions already do (For free) but with better targeting and greater efficacy. Of course I'm not saying it's impossible, just difficult and impractical. Would love to hear from anyone who's actually tried it.
|
# ¿ Sep 21, 2016 14:46 |
|
CrazyLittle posted:And as Dyn shows, they don't need a terabit to take you down when they can just attack your upstream, or attack portions of your secondary infrastructure. IMO next year we're going to see attacks which manage to cause collateral damage by saturating transit links between PoPs.
|
# ¿ Dec 22, 2016 17:41 |
|
|
Joke's on them, I'm already dead.
|
# ¿ Feb 2, 2017 16:37 |