|
Biggz posted:policy-map WAN Don't use 'priority', that turns on the low-latency queuing (llq) behavior, which you don't want. Packet throughput for that class above the configured LLQ rate will be dropped. You want 'bandwidth percent 33' or something similar. However, like I mentioned previously, the problem is that these percentages are percentages of the reported interface bandwidth, which is not necessarily the actual throughput of the interface (ie., your cisco is connected to a 10mbit ethernet interface, but your cable modem will only push 6mbit, or whatever). That's the problem with queuing on residential broadband.
|
#
¿
Jun 24, 2007 18:20
|
|
|
|
| # ¿ May 14, 2024 11:49 |
|
|
Biggz posted:My WAN interface is Fast Ethernet so the percentages will split based on the speed of 100Mbit? Biggz posted:The command "bandwidth" in "int fa4" lets me set a value, but is this assumed to be the same in upstream and downstream? I have 10MBit down, and 512Kbit up. If i set that to "bandwidth 512" this would, I assume, limit the downstream to that as well. Short answer, the bandwidth command isn't very useful for you. Biggz posted:In that case, could I get around this by giving the minimum bandwidth values as follows. This is all off the top of my head, so there's bound to be some problems with the following: code:edit: By the way, you realize that none of this is going to prevent one of your housemates from clobbering your downstream bandwidth, right? Once the packet is on the wire, inbound, the only decision you can really make is whether to throw it away or not. Fancy high-end gear can do inbound service-policies, but I don't think most lower end or ISR line can. Could be wrong about that, but the fact is, what you're really doing here is just ensuring that your tcp ack's make it out the door. Also, you may want to tinker with the queue depth(s), as the defaults might be too large for you (40 packets per-class sounds familiar). Also, you might want to put random-detect on each class, which can be done by adding a 'random-detect' command to each class under the 'policy-map wan section'. Before you do that, read about random-detect first. Korensky posted:(i forget the default maximum and the exact command - cisco.com) jwh fucked around with this message at 04:38 on Jun 25, 2007 |
|
#
¿
Jun 25, 2007 04:31
|
|
|
Are you sure you don't want "ip access-group vlan2 out" instead of "in"?
|
|
#
¿
Jul 2, 2007 15:28
|
|
|
It's from the perspective of the interface, if that's what you're asking, not flow direction from a nat inside / outside perspective. edit: Also remember FTP is stupid, and active mode likes to server-initiate the data channel, which it sounds like you might be running in to. Try passive mode ftp, which is less of an abomination. jwh fucked around with this message at 22:25 on Jul 2, 2007 |
|
#
¿
Jul 2, 2007 16:02
|
|
|
Mierdaan posted:Yes, our network here is 10.10.0.0/16. How is that supposed to work when the voice network (vlan101) is a subnet of the inside interface's address space? Wouldn't clients on the inside network just arp for 10.10.7.x hosts? Is the pix doing proxy-arp? quote:
|
|
#
¿
Jul 5, 2007 20:12
|
|
|
atticus posted:Yeah that also caught my eye... technically they should both be /24's shouldn't they? You can proxy-arp to fake it (clients in 10.10/16 arp for what they think is local, gateway responds with it's own MAC), but I don't know if proxy-arp is enabled by default on pix interfaces. It probably is, because it's been like that on IOS devices forever, but I don't know for certain. If I had to guess, it's probably enabled by default, and isn't really the problem here. You also used to be able to set yourself as your gateway in windows, and it would cause the stack to arp for _everything_, which was pretty cool.
|
|
#
¿
Jul 5, 2007 20:29
|
|
|
Herv posted:If the clients are running a /16 subnet mask they sure as heck won't hit the gateway. Pretty weird.
|
|
#
¿
Jul 5, 2007 20:35
|
|
|
Don't know if anybody saw this over on Network World, but apparently Len Bosack has a start-up that's making a little 1U DWDM box. They have CLI manuals online: http://www.xkl.com/products/product-literature Looks kind of interesting.
|
|
#
¿
Jul 9, 2007 18:08
|
|
|
Arkady posted:The issue is why doesn't the router advertise RIP to a 192.168.0.0 network. R2#sh run | b router rip router rip version 2 network 192.168.0.0 ^Z R2#sh ip proto Routing Protocol is "rip" Outgoing update filter list for all interfaces is not set Incoming update filter list for all interfaces is not set Sending updates every 30 seconds, next due in 0 seconds Invalid after 180 seconds, hold down 180, flushed after 240 Redistributing: rip Default version control: send version 2, receive version 2 Automatic network summarization is in effect Maximum path: 4 Routing for Networks: 192.168.0.0 Routing Information Sources: Gateway Distance Last Update Distance: (default is 120) R2#sh ip rip data R2#sh run int ser1/0 Building configuration... Current configuration : 88 bytes ! interface Serial1/0 ip address 192.168.4.26 255.255.0.0 serial restart-delay 0 end R2#conf t Enter configuration commands, one per line. End with CNTL/Z. R2(config)#router rip R2(config-router)#network 192.168.4.0 R2(config-router)#exit *Jul 12 15:21:57.495: RIP: add Serial1/0 to RIP idb list *Jul 12 15:21:57.499: RIP-DB: redist 192.168.0.0/16(metric 0, last interface Serial1/0) to RIP *Jul 12 15:21:57.503: RIP-DB: Get redist for network 192.168.0.0 *Jul 12 15:21:57.503: RIP-DB: adding 192.168.0.0/16 (metric 0) via 0.0.0.0 on Serial1/0 to RIP database *Jul 12 15:21:57.507: RIP-DB: add 192.168.0.0/16 (metric 0) via 0.0.0.0 on Serial1/0 (donot_age) *Jul 12 15:21:57.511: RIP-DB: Adding new rndb entry 192.168.0.0/16 R2(config)#exit R2# *Jul 12 15:22:00.651: %SYS-5-CONFIG_I: Configured from console by console *Jul 12 15:22:03.675: RIP-TIMER: age timer expired R2# R2#sh ip rip data 192.168.0.0/16 directly connected, Serial1/0 R2# R2(config)#access-list 1 permit any R2(config)#exit R2#debug ip pack 1 IP packet debugging is on for access list 1 R2#conf t Enter configuration commands, one per line. End with CNTL/Z. R2(config)# R2(config)#int ser1/0 R2(config-if)#shut R2(config-if)#no shut R2(config-if)#exit R2(config)# *Jul 12 15:26:26.427: rip_route_adjust for Serial1/0 going down *Jul 12 15:26:26.431: RIP: Removing everything from Serial1/0's retrans queue and stopping the retrans timer. *Jul 12 15:26:26.435: RIP-DB: flush route of 192.168.0.0/16 on Serial1/0 *Jul 12 15:26:26.435: RIP-DB: Remove 192.168.0.0/16, (metric 4294967295) via 0.0.0.0, Serial1/0(permanent) *Jul 12 15:26:26.563: RIP-DB: redist 192.168.0.0/16(metric 0, last interface Serial1/0) to RIP *Jul 12 15:26:26.563: RIP-DB: Get redist for network 192.168.0.0 *Jul 12 15:26:27.047: RIP-DB: redist 192.168.0.0/16(metric 0, last interface Serial1/0) to RIP *Jul 12 15:26:27.051: RIP-DB: Get redist for network 192.168.0.0 *Jul 12 15:26:27.051: RIP-DB: adding 192.168.0.0/16 (metric 0) via 0.0.0.0 on Serial1/0 to RIP database *Jul 12 15:26:27.055: RIP-DB: add 192.168.0.0/16 (metric 0) via 0.0.0.0 on Serial1/0 (donot_age) *Jul 12 15:26:27.059: rip_route_adjust for Serial1/0 coming up *Jul 12 15:26:27.063: IP: s=192.168.4.26 (local), d=224.0.0.9 (Serial1/0), len 52, sending broad/multicast *Jul 12 15:26:27.067: RIP: sending request on Serial1/0 to 224.0.0.9
|
|
#
¿
Jul 12, 2007 20:46
|
|
|
Arkady posted:I'm still not entirely sure why doesn't the router recognise the 192.168.4.26 interface in the 192.168 /16 network. Are you saying that even though the network is /16, the interface is being recognised with the /24 mask? Well, I'm no expert, particularly on RIP, but from what I was able to test in a lab, the reason IOS didn't pick up on the fact that you had an interface covered by the 192.168.0.0 statement, is because the RIP configuration is approaching things with a classful mentality. This seems to make a certain sense if you consider that RIPv1 was a classful protocol, and maybe for historical reasons, the IOS configuration was never retrofitted. So in other words, it looks to me like IOS uses the RIP network statement along classful boundaries. Even though your interface is technically 'covered' by the larger supernet of 192.168.0.0/16, IOS is considering 192.168.0.0 classfully, which would match the 192.168.0 portion of the network, because 192.168 is part of class C or /24 classful address space. That's my theory anyway, it seems to be true, even if it is a little brain-dead on the part of IOS. Debugging commands were 'debug ip rip event' and 'debug ip rip database' I think, and then the 'debug ip packet' example that's included in the text I wrote. Be careful with debug ip packet, because I have successfully killed production devices with it.
|
|
#
¿
Jul 13, 2007 23:41
|
|
|
Jeff73 posted:I'm buying a doberman. How about some of these? http://www.speedysigns.com/signs/DANGER_High_Voltage.asp
|
|
#
¿
Jul 24, 2007 23:56
|
|
|
Jeff73 posted:Interesting. I suspect I'd need to buy a version that doesn't require reading. By the way, did 8.0(2)'s VPN VLAN support resolve your default route problem a few pages back? In other words, you can drop users into vlans on the inside no problem, but good luck getting them out of there with any intelligence. We've scrapped the ASA's for now, and are looking to do vpn remote-access termination with an IOS based platform and new PA-VSA or whatever the successor to the VAM2+ is. IOS is much smarter at routing than ASA, which is to be expected, so it's a good fit. Ultimately, we just needed VRF capabilities. I've labbed the entire thing out, and we'll be going to a phase 2 limited production deployment soon. There are still a few issues, namely IOS vtemplate manager not reclaiming cloned virtual-access interfaces all the time, and IP local pools not always being freed up when a client disconnects unexpectedly- pool IP's show tied up by IKE hwidb's. Anyway, speaking of spanning-tree, when is it worth going to MST? I'm not much of a spanning-tree wizard, and currently we're toting around somewhere in the neighborhood of ~100 vlans on our most critical trunks, but with a collapsed distribution/access model and vtp pruning enabled. Everything right now is PVST, but we're not utilizing per-vlan cost features. Worth considering MST at this point?
|
|
#
¿
Jul 25, 2007 01:53
|
|
|
XakEp posted:So here's a question. I'm dinking with getting an 1811 and getting a second Internet connection, one DSL the other Cable. Whats the best way to load balance between the two interfaces? CEF or what? Check out OER: http://www.cisco.com/en/US/products/ps6628/products_ios_protocol_option_home.html That's actually a good price for the 2620. A WIC-1DSU-T1 version one or two is still fairly expensive to begin with. You won't have access to 12.4 IOS, but that's probably fine.
|
|
#
¿
Jul 25, 2007 15:58
|
|
|
All I know about OER is what I found in the design doc "Cisco IOS Optimized Edge Routing Configuration Guide, Release 12.4T". I haven't used it myself. OER is one of those things that's apparently new enough to not work correctly unless you stumble upon the one IOS image that was broken in such a way as to accidentally fix it. Are you running OER MC/BR on a single router, or distributed?
|
|
#
¿
Jul 25, 2007 17:29
|
|
|
inignot posted:The problem is that if you have an ethernet connection to an external dsl or cable modem, that interface isn't going to go down when the dsl or cable service does. Ugh, this is the thing I hate the most about cable/dsl. We have a deployed base of about 100 broadband sites, and we can't use our standard monitoring packages to detect link failure, because the link doesn't typically go down. I don't understand why cable/dsl modems can't be configured to down the ethernet side if the cable/dsl side is down. It would make life so much easier.
|
|
#
¿
Jul 26, 2007 01:31
|
|
|
inignot posted:I'm driving to RTP tomorrow. Good luck! Routing and switching?
|
|
#
¿
Jul 29, 2007 05:25
|
|
|
I have yet to encounter a firewall that didn't make me at least partially irate. I don't like my PIX 501, and I didn't like the ASA's, although they're markedly better to work with. I'm not too crazy about NetScreen's either. We're a big CheckPoint shop, and I don't even like them very much come to think of it.
|
|
#
¿
Aug 1, 2007 02:16
|
|
|
Checkpoint has a few good things going for it, and a truckload of bad things going for it. The logging is nice, although it doesn't scale well- lots of enforcement modules logging thousands upon thousands of entries per day with nightly rotation can make scouring through logs late in the evening a real chore. You can rotate out faster, but that means having to pull up hourly chunks of data at a time. There's also the issue of the object database, which is a tremendous source of entropy. My biggest problem with Checkpoint is that it's sugar-coated to appear easy to use, but the underlying mechanisms are obscure, unnecessarily complicated, and potentially disastrous. Anybody could add a few rules to a Checkpoint policy, but if the enforcement module croaks on you, or the policy corrupts, you are in a nightmare world of suffering. There's also the issue of Checkpoint not naming anything sensibly. SmartView Dashboard is the policy tool, for instance. Recently Checkpoint decided to screw around with their code train names, leading to nonsense like "RG62 NGX," whatever the christ that is. Oh well, at least the Nokia IP series boxes are pretty painless, even if the routing engines leave something to be desired. I want to like the PIX, but it just never feels right. It seems like the 7.x code is trying to make things more like IOS, which is a good thing, but it's still just different enough to irritate the living hell out of me.
|
|
#
¿
Aug 1, 2007 03:08
|
|
|
CrazyLittle posted:Are they honest-to-god real Cisco cards? We've had 3 out of a 4-card purchase of WIC-T1-V2's and that's pretty much because they're all cheap chinese counterfeit WICs Are they WIC-1T's, or WIC-1DSU-T1? Apparently there are a lot of counterfit WIC-1DSU-T1's around, especially the V1's with the four big Taiwanese capacitors.
|
|
#
¿
Aug 3, 2007 18:42
|
|
|
Does anyone have any experience with the NM form factor WLC's? We're looking into a big wireless deployment for our customer associations, and while I'm not on the project myself, I'm trying to stay ahead of what's being proposed. Cisco came in and proposed WiSMs, but they would trash our customer security model, so the revised proposal is for a boatload of NM WLC's and 140 site ISR fork-lift upgrades 
|
|
#
¿
Aug 7, 2007 17:07
|
|
|
And right after that NHRP PSIRT notice went out. 
|
|
#
¿
Aug 8, 2007 19:35
|
|
|
Should work I think, is the WIC known good? What's 'sh inventory raw' say about the WIC?
|
|
#
¿
Aug 10, 2007 00:50
|
|
|
Not exactly a Cisco item, but ouch: 08/13/2007,13:35:39 [RoBo ][PROG][PROGRESS/STATUS MESSAGE FROM AT&T] There are 128 Core T3??s failed of which 100 are restored in Palm Springs, CA (LSANCA03 PHNXAZMA). The AT&T T3 Group has isolated this to a fiber cut in Palm Springs, CA. There is no ETTR available at this time. That has to be a bad day for somebody.
|
|
#
¿
Aug 13, 2007 22:00
|
|
|
Paul Boz_ posted:Dude could I paypal you the money for a 2500 with wic slot? That is, if that place isn't too far out of the way. They're not regular WICs, you know that, right?
|
|
#
¿
Aug 17, 2007 06:55
|
|
|
Arkady posted:I've read that FAQ, but from my understanding all it does is override the COS with a different value, not strip it. Meaning I'd still be left with a COS value, be it 0, or something else. Am I wrong in this? You can't strip the 802.1p bits out of the frame- it's either there as part of the 802.1q header, or not there at all. At least, that's my understanding. What if you connect the router-like device to a port configured as static access?
|
|
#
¿
Aug 24, 2007 17:16
|
|
|
Analog LED posted:I'm curious, who here has dealt with TAC and how are they with solving your issues? I deal with the TAC pretty often, as I'm sure most everybody else here does. I thought we even had a few people here that work in TAC. I'd say they're good at solving issues overall; there's occasionally problems relating to where your case is being worked from, versus where you are, which can lead to some delays in communicating, but on the whole they're a good group to work with. They've always been top-notch smart once you get your issue routed to the right group, at least in my experience.
|
|
#
¿
Aug 31, 2007 02:01
|
|
|
RabidFox posted:When the hardware based packet router gets overloaded it goes to the software based one, which blows balls, btw.
|
|
#
¿
Sep 1, 2007 04:09
|
|
|
CrazyLittle posted:I managed to get OER working on a 3640 with a T1 and DSL interface. Can you share sanitized configs, as well as which IOS image you're using? I'd love to see what you came up with.
|
|
#
¿
Sep 13, 2007 04:52
|
|
|
R1CH posted:Is there any way to adjust DHCP client retries / timeouts on a Cisco 871W? Can you hard code the ID? I think there's an option for that. There's an option for hard-coding some client identifier, although it might not be the one you need. I haven't seen any options to tune the dhcp client, sadly. For that matter, why is your ISP so slow to reply to your request? Fifteen seconds is a long time.
|
|
#
¿
Sep 13, 2007 04:54
|
|
|
CrazyLittle posted:No! YOU MUST PAY ME FOR IT!!! MUA HAH AH AHHAHAHHA... I'm prepared to offer you all of my returnable beer bottles, shipped at your expense, plus a cat. You can choose a grey cat, or an orange one. That is my final offer.
|
|
#
¿
Sep 13, 2007 04:55
|
|
|
I feel like I'm beating a dead horse here, but Cisco came back to me finally and told me that, more or less, "IPSec client VPN termination against IOS is an afterthought," and that the recommended platform for client VPN termination is an ASA. Well, no kidding, I'd love to use my two ASA5540's, since I already paid for them. Problem is, they have no VRF capabilities, and that's what I need. So as near as I can tell, Cisco's remote access VPN offering can be described as follows: PIX/ASA: Platform of choice, provided you don't need VRF termination IOS: Sort of an afterthought; you get VRF termination, but lose most other features. AT&T does large-scale virtualized VPN termination; what the hell are they using?
|
|
#
¿
Sep 24, 2007 15:51
|
|
|
ashgromnies posted:Where can I learn this stuff/suggestions? IPSec is the collection of protocols commonly brought to use as 'VPN'. IOS is the operating system of Cisco routers and switches. ASA is Cisco's 'Adaptive Security Appliance', which is more or less the successor to the PIX, which had been Cisco's security product. The best way to learn is probably to read, ask questions, and then read some more.
|
|
#
¿
Sep 24, 2007 19:13
|
|
|
Tremblay posted:6k/7ks with VPN-SPAs I think. I understand you need VRF support but what other features are you looking to implement that IOS doesn't provide for RA? I appreciate it; I'm finding remote access VPN on IOS (ie., Easy VPN with Dynamic Virtual Tunnel Interfaces: http://www.cisco.com/en/US/products/ps6635/products_white_paper0900aecd803645b5.shtml ), to work great, except with respect to control and administration. This makes sense, like I mention, because IOS is focused on site-to-site VPN configurations, and user VPN termination isn't as feature-rich as it is on the PIX/ASA. Some of the issues I've run into include not having any correlation between cloned virtual-access interfaces and the user that it's been cloned for, and a general clumsiness with administration- for instance, if I don't know who's on what interface, it's difficult to troubleshoot remote access problems. Things like 'show crypto session' don't produce any information about which user is occupying which crypto socket, either. Don't get me wrong, I can understand why the limitations are there, and I'm well aware that I'm operating outside the norm on this one. I guess my dream, would be for the ASA to receive full VRF support, with it's full range of VPN features intact, or for IOS to receive remote access VPN administration improvements. edit: By clumsiness, I mean things like not sending the virtual-access information as part of radius data, as either Cisco VSA or NAS-Port. jwh fucked around with this message at 21:05 on Sep 24, 2007 |
|
#
¿
Sep 24, 2007 21:03
|
|
|
Going through the 12.4(15)T release notes pdf, and there's some neat stuff worth mentioning: Beginning in 12.4(11)T, apparently the ISR IP Base line gets BGP, and BGP support in Advanced Security as well. Wish that had happened last year, since we bought about 90 IOS upgrade licenses from Advanced Security to Advanced IP Services. ISR's get BFD SSL VPN VRF integration (which sounds good). Rommon booting from usbflash. Bunch of AToM junk I only have two routers running 12.4(15)T, because they need to do Active Directory password changes via RADIUS, which is also a new feature, but so far it's been pretty swell. PDF is here: http://cisco.com/application/pdf/en/us/guest/products/ps8258/c1161/cdccont_0900aecd80679ce3.pdf
|
|
#
¿
Sep 25, 2007 18:35
|
|
|
InferiorWang posted:What is the general opinion on refurbed cisco gear? Seeing as I work for a not for profit shop, is refurbished equipment, specifically a 45xx series core switch, a bad idea? Can you put the refurbished switch under smartnet? If so, it sounds like it would be fine.
|
|
#
¿
Sep 28, 2007 16:21
|
|
|
jwh posted:I feel like I'm beating a dead horse here, but Cisco came back to me finally and told me that, more or less, "IPSec client VPN termination against IOS is an afterthought," and that the recommended platform for client VPN termination is an ASA. Just figured I'd come back and mention that after a conference call with Cisco last week, I've been told that AT&T does in fact use SPA's for their virtualized remote-access stuff, as someone had suggested. Also, I was told that remote-access VPN on an IOS based platform isn't really a bad idea, provided you a). know what you're doing, b)., need the router functionality not presently available in the ASA code, or c). need fantastically huge pps (ala VPN SPA). Needless to say, I feel a little better. At least I don't feel like I'm teetering on the edge of the cliff.
|
|
#
¿
Oct 15, 2007 21:28
|
|
|
Help me out here guys, I'm having a bit of a problem. I spent the weekend bringing up a second 6509 in one of our datacenters, and redoing all of our access switches. All of the access switches now have trunks to both core switches (clearly this is a fascinating new idea that is going to change the way the industry thinks about switching). Everything's gone great, generally, except for one older 4510R running an older IOS image (12.2(18)EW). Whenever rapid spanning-tree is enabled on the 4510, it works fine for a while, and then suddenly whole vlans will stop forwarding for between five and thirty seconds. Then everything goes back to normal, and there's no indication of what might have happened. Spanning-tree debugging doesn't indicate a root bridge change, and I've disconnected all redundant trunks to this switch, but the problem persists. Since it's Monday morning now, and this is an end-user facing switch, I had to disable spanning tree entirely to stop the problem, but that isn't tenable in the long run. I've already opened a Sev3 with the tac, but I'm just wondering if anybody has any thoughts, or has run into anything weird like this. I'm not very layer-2 savvy, so it's entirely possible I'm just doing something stupid.
|
|
#
¿
Oct 22, 2007 20:09
|
|
|
inignot posted:Sounds like some obscure code issue. I dunno, try upgrading the code and see what happens. Other then that, try running the same debugs on whatever the 4510 is uplinked to. Yeah, it's looking like a code issue- at least, that's my read on it. We didn't have time to try and upgrade the code before I had to get on the airplane, unfortunately. Oh well, they can run with a single trunk for a while.
|
|
#
¿
Oct 24, 2007 00:50
|
|
|
CrazyLittle posted:Personally I use the Keyspan one, but that's because I use a macbook pro, and it was the only compatible one on the market at the time I bought it. What serial console software do you use? I have an older G4 PowerBook that I wouldn't mind carrying around instead of my heavier Dell.
|
|
#
¿
Oct 31, 2007 16:01
|
|
|
|
| # ¿ May 14, 2024 11:49 |
|
|
ILikeVoltron posted:Anybody have any ideas why this is happening? Each side has a different dot1q native vlan, causing spanning tree to receive BPDU's into the wrong VLAN. Make sure both sides are configured as dot1q trunks with the same native vlan.
|
|
#
¿
Nov 2, 2007 22:39
|
|