Sergeant Hobo posted: Can someone confirm or deny this (latter preferred)?

I've been too lazy to touch the ICND portion of the CCNA yet, but the INTRO portion as of Dec 06 was verbatim from the newest version of the Cisco Press books.

# Apr 21, 2007 01:04

What is the typical order in which to tackle the CCNP? I've read that BSCI is a good starting point, but looking for other input.

# Jul 8, 2007 17:58

What do you guys think is a good second step on CCNP after BCMSN? I'm set to take that in a week or so and I'm completely indecisive on where to go after it.

# Aug 31, 2007 04:08

Any opinions on ASA codebase 8.x versus 7.2.X? Lately the 7.2.X has been going nuts, but I'm not sure if the 8.X is stable enough for production usage.

# Oct 9, 2007 01:22

mamboman posted: I've got a weird VPN hairpinning problem on an ASA 5540.

Run it through packet-tracer. Although what the issue may be is a same-interface routing issue, as ASAs dislike sending packets back out the same interface they received them on. Also note - technically a VPN client is considered to live on the outside interface. But really, packet-tracer is your new best friend.

# Dec 25, 2007 07:16

mamboman posted: Ok. I kinda found what the problem was (http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml) and I needed to put something in the ACL.

That's fine, it's because the ASA treats it like a real packet - without any flow or sequence numbers it assumes someone is running a packet-injection attack on you.

# Dec 30, 2007 07:24

atticus posted: I've just tried it on at least 3 of our production routers (2800s) and I get the same results. I tried it on two 6509's and two 3750 stacks and it works fine. What's the platform that you're having success on at work?

It seems that 2800's with switch WIC cards work with show int status. flash:c2800nm-advipservicesk9-mz.124-11.T2.bin on a 2811 modular router works, while a 2811 with the same code version but without a switch card does not have that functionality.

# Dec 30, 2007 07:36

mamboman posted: Hm, well the ping still doesn't work.

Post the packet-trace for both directions (client to remote network, and vice versa).

# Dec 30, 2007 20:30

ionn posted: The L2 switch interface modules work with "sh int status", since that is switch hardware. The built-in "real" FastEthernet interfaces aren't present in the output, are they?

Correct. Since it's strictly a switch-based command, only the linecard ports are displayed in the output.

# Jan 4, 2008 04:30

Smegmatron posted: Is it possible to have two default routes with different metrics?

This is usually done in the case of a backup WAN connection by using a floating static route. Basically the default route is learned via a dynamic routing protocol and a backup static route is put in place with a high metric. That static 'floats' until the dynamic one goes away and then becomes active.

# Feb 21, 2008 03:47

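A worked configuration of the floating static route the reply describes, added here as an example and not taken from the thread. The hostname, interface numbers, addresses, OSPF process ID and the backup next hop 198.51.100.1 are all assumptions; the IP SLA block at the end goes one step beyond the reply and shows how a static primary route would be withdrawn when only the far end fails.

```cisco
! Constructed example (not from the thread): primary default route learned via OSPF,
! backup default route as a floating static. All names and addresses are assumptions.
hostname EDGE-RTR
!
interface GigabitEthernet0/0
 description Primary WAN - ISP advertises 0.0.0.0/0 to us over OSPF
 ip address 192.0.2.2 255.255.255.252
 ip ospf 1 area 0
!
interface GigabitEthernet0/1
 description Backup WAN - secondary carrier, no routing protocol
 ip address 198.51.100.2 255.255.255.252
!
router ospf 1
 router-id 10.255.255.1
 ! Form adjacencies only on the ISP-facing link; every other interface stays passive
 ! so nothing on the LAN can inject routes.
 passive-interface default
 no passive-interface GigabitEthernet0/0
!
! The floating static. Administrative distance 250 is worse than OSPF (110), so this
! route is kept out of the routing table while the OSPF default exists and is installed
! automatically the moment OSPF withdraws it.
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250
!
! Caveat: a static route is only withdrawn when its own interface or next hop goes down.
! If the PRIMARY default were also a static route (no routing protocol from the ISP),
! tie it to an IP SLA probe so it disappears when the far end stops answering even
! though the local link stays up; the floating static then takes over as above.
ip sla 1
 icmp-echo 192.0.2.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
! ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 1    (use instead of OSPF if needed)
!
! Check: "show ip route 0.0.0.0" should list the OSPF default only; the static shows up
! in "show ip route" after a "shutdown" of Gi0/0 (or a failed probe) and is gone again
! once the primary returns.
```

The distance value is arbitrary as long as it is higher than that of the protocol supplying the primary route; 250 leaves room for intermediate distances if a third path is ever added.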
My impression of Internap is quite positive. I cannot speak for their path selection, but diversity in paths between data centers in Chicago seems to be a strong suit of theirs. That, and their knee-jerk reactions whenever they notice the line down: I was still in the process of configuring two routers and when I reloaded one we got a call asking if everything was alright. Impressed me.

# Feb 27, 2008 14:48

I am experiencing an issue where any RADIUS authentication calls that run through an ASA 5520 are coming back as false negatives. The device queries the RADIUS server, gets an affirmative response back (confirmed on the IAS server), yet states authentication denied. This is consistent across platforms and models. Is there something in the ASA itself that I am missing? This is only causing problems for devices that run through the firewall; anything that lives on the switches is fine. Static translations are being utilized to give the device access to the RADIUS server, so the return traffic isn't being NAT'd back to the device. Anyone run into this before?

Edit: I should add that packet-tracers run clean, as it talks to the IAS server just fine.

Update: I ran a capture outbound on those interfaces and the traffic was getting PAT'd to the interface even though an existing (inbound) flow was present. The device was rejecting the RADIUS call because it received a response from a device it did not try to contact, or in this case, the PAT'd address of a server it did not contact. I cleared out the static translations and put them back in and the RADIUS auths ran clean. Chalk that up to a crazy bug; this was on 7.2.3-18.

# Feb 28, 2008 19:03

Tremblay posted: It sounds like you have a static that overlaps with a dynamic PAT policy. If that is the case then all bets are off.

No dynamic PAT policies or route map craziness going on. It was just a bug that was fixed with re-entering the static translations.

# Mar 5, 2008 20:42

legalcondom posted: Stuff

Here's how I envision your physical cabling: use a L2 VLAN to terminate the ISP handoffs into the switches, then out to the router (outside interface). Use a different L2 VLAN to terminate the return cabling (router inside interface) into the switches. You can then run an HSRP (or VRRP) group on the router inside interfaces since they can both talk on the same L2 VLAN and send their heartbeats etc. That's just a simple interface-level command of:

code:
    standby (a_number) ip x.x.x.x
    standby (a_number) priority (0-255)
    standby (a_number) preempt

Post your interface configs for the firewall network that is working and the firewall network that is not, as well as the ports that connect to the firewall, so we don't start running down the wrong path in troubleshooting.

# Apr 4, 2008 08:37

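The HSRP pair from the reply above written out for both routers, added here as an example rather than quoted from the thread. Router names, the inside VLAN (20), addresses, the group number and the key string are assumptions; the interface tracking and MD5 authentication lines go beyond the three commands the reply lists.

```cisco
! Constructed example (not from the thread): two routers whose inside interfaces share
! VLAN 20 on the switches and present one virtual gateway, 10.20.0.1, via HSRP.
! Hostnames, VLAN, addresses, group number and key string are assumptions.
!
! ---- RTR-A (intended active) ----
interface GigabitEthernet0/1
 description Inside - VLAN 20 on the switches
 ip address 10.20.0.2 255.255.255.0
 standby version 2
 standby 1 ip 10.20.0.1
 standby 1 priority 110
 ! Take the active role back after a reboot, but only once routing has converged.
 standby 1 preempt delay minimum 60
 standby 1 timers 1 3
 ! Hellos are authenticated, so a host on VLAN 20 cannot win the election by sending
 ! a higher-priority hello and pull the gateway traffic to itself.
 standby 1 authentication md5 key-string CHANGE-ME-HSRP-KEY
 ! If the ISP-facing interface drops, lower our priority below RTR-B's so the router
 ! that can still reach the outside becomes active.
 standby 1 track GigabitEthernet0/0 20
!
! ---- RTR-B (intended standby) ----
interface GigabitEthernet0/1
 description Inside - VLAN 20 on the switches
 ip address 10.20.0.3 255.255.255.0
 standby version 2
 standby 1 ip 10.20.0.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 timers 1 3
 standby 1 authentication md5 key-string CHANGE-ME-HSRP-KEY
 standby 1 track GigabitEthernet0/0 20
!
! Hosts on VLAN 20 use 10.20.0.1 as their gateway. Verify the roles with:
!   show standby brief
```

VLAN 20 should carry only the two router interfaces and the firewall side that needs them; keeping user ports out of it, together with the MD5 authentication, limits who can take part in the election at all.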
The Cisco CCNP ONT book is pretty good about WLCs and LWAPPs. Honestly though, just toy around with the gear; I find it far easier to learn that way.

# Apr 9, 2008 03:11

jwh posted: Can you have somebody fund a pilot ahead of time? We just got a lot of Cisco's lightweight wireless stuff in a few months back, and I haven't been very impressed. If you're only buying a single controller, be advised the 2106 will only support 5 APs I think, and only provides PoE on two of its 8 ports.

Not to nit-pick, but the 2106 will do 6 APs and yes, it has 2 PoE ports. However you can jam the AP into any old PoE switch and as long as its VLAN is trunked across your network that AP can live wherever it needs to be. So you don't have to be restricted by the 2 PoE rule. For small offices, I am a big fan of the 2106 - however WCS is both awesome and expensive, not exactly in the small/mid market space.

# Apr 9, 2008 04:52

loosewire posted: Quick question

If I read this right - you want to etherchannel a port on each supervisor to another 6513? If so - yes, that works. Blades 5 and 6 are each respective SUP720 (and a fiber port).

code:
    Port-channel: Po1
    ------------
    Age of the Port-channel   = 67d:06h:11m:16s
    Logical slot/port   = 14/1          Number of ports = 3
    GC                  = 0x00010001      HotStandBy port = null
    Port state          = Port-channel Ag-Inuse
    Protocol            =   PAgP
    Fast-switchover     = disabled

    Ports in the Port-channel:

    Index   Load   Port     EC state        No of bits
    ------+------+------+------------------+-----------
      1     49     Gi4/24   Desirable-Sl       3
      2     92     Gi5/2    Desirable-Sl       3
      0     24     Gi6/2    Desirable-Sl       2

    Time since last port bundled:    67d:05h:53m:42s    Gi4/24
    Time since last port Un-bundled: 67d:05h:54m:01s    Gi4/24

# Apr 9, 2008 23:52

brent78 posted: words... ipsec tunnel between two Cisco 3825's... words

Nevermind, just read IPSEC tunnel, not metro ethernet like I thought.

# Apr 11, 2008 00:47

brent78 posted: The two connect over metro ethernet... if that matters or not.

I was going to say crank the MTU and window size for the servers way up if you control the entire metro run. Basically you can kind of fake what a Bluecoat box does.

# Apr 11, 2008 01:18

jwh posted: If you connect two networks with a PIX or ASA, and you configure the interfaces with the same security level, will the PIX route between the two networks without explicit NAT configuration? I've never had reason to try to do it.

With same-security-traffic permit inter-interface and/or same-security-traffic permit intra-interface you can. Otherwise no.

# Apr 11, 2008 22:53

XakEp posted: I've got a 3524XL that's giving me grief. I cannot figure this one out. All the ports are in Vlan1, and there are no other VLANs. The devices can pull an IP address from the PIX firewall, but they can't ping each other or see each other at all. They can get out to the internet with no problems. Ideas?

I'd say the best way to troubleshoot this would be to change the VLAN to something arbitrary like 40, like jwh said about private VLANs. I was going to suggest incomplete ARP entries on the mac-address-table but if the PIX gave it an IP I don't think that applies. Is Vlan1 a layer 3 network different from what the PIX gave out? The only thing I can think of is that the addresses attempt to find each other but they cannot find a gateway. Try something that floods native layer 2 broadcasts (like a chatty domain controller) and see if they show up on the other hosts' Wireshark logs.

# Apr 14, 2008 00:20

I'm personally a fan of Kiwi CatTools and Syslog.

# Apr 29, 2008 19:19

Straylight posted: How about a simpler (stupid) question:

No VLAN trunking means that multiple VLANs' traffic cannot be passed over a single link. What you are referring to is the function of a L3 switch or a router, assuming the router has a L3 interface for that VLAN. Usually VLAN tagging is done on the switch, with the specific ports being designated to the various VLANs. It is technically possible to tag it on the device but that is rather unheard of.

# Apr 30, 2008 21:16

:edit: don't do PFS, I only read a snippet about the group, not the pfs = no portion of SWAN. It looks to me like SWAN is trying to do PFS from the medina config code:
code:

# May 6, 2008 22:03

Bank posted: Our company has a small lab that only a couple of people have access to. I'm looking to be part of this group, and one of the main things they need to get done is to reset a password for their Cisco 1800 series router. The previous lab owner recently left, so they'd like to keep a backup of the configuration in case things go south.

Personally what I use is a USB/serial converter device that I then plug the rollover cable into. http://www.newegg.com/Product/Product.aspx?Item=N82E16812107108 for example. Don't mess around with ethernet jacks and console cables, it's just a mess.

# May 8, 2008 01:31

I've recently been tasked with investigating multicasting as a routable solution. There are 3 main sites and the idea is to route multicast traffic between all 3 sites (that are all interconnected) over point-to-point links. Is there anything crazy I need to be aware of? From what I've researched it looks like MOSPF (ospf w/multicast) seems to be the solution. It's basically the same as rigging PVST+ with regards to segregating flow patterns.

# May 8, 2008 01:33

CrazyLittle posted: Get this one - it's cheaper and it's Vista compatible:

Agreed, that's the actual one I use. Googling "newegg serial usb converter" lied! But look out if you lose the mini driver CD, it's ridiculous to find them online.

# May 8, 2008 01:57

Girdle Wax posted: It seems like the de-facto mcast protocol (assuming you're running Cisco kit everywhere) is PIM sparse. Other than that the only option I'm aware of is DVMRP as Cisco doesn't support MOSPF/CBT. Or you can also carry mcast in MBGP.

I looked up the PIM sparse settings with declaring the match statement akin to a crypto map and setting the interfaces to flood the traffic out. Is there much more to it than that? Thank you for the links, will dive through those tonight.

# May 8, 2008 02:05

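A PIM sparse-mode configuration for the three-site, point-to-point design asked about above, added here as an example and not posted in the thread. It uses a static RP (the "match statement akin to a crypto map" is the ACL that scopes which groups the RP serves). Hostnames, addresses, interface names and the 239/8 group range are assumptions; unicast reachability between the sites (for example OSPF) is assumed to exist already.

```cisco
! Constructed example (not from the thread): PIM sparse mode at site A, which also acts
! as the static Rendezvous Point. Sites B and C use the same interface-level commands and
! the identical "ip pim rp-address" line. All names and addresses are assumptions.
ip multicast-routing
!
! Loopback used as the RP address; it must be advertised in the unicast IGP so that
! sites B and C can build their shared tree towards it.
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
 ip pim sparse-mode
!
interface Serial0/0/0
 description P2P link to site B
 ip address 10.1.12.1 255.255.255.252
 ip pim sparse-mode
!
interface Serial0/0/1
 description P2P link to site C
 ip address 10.1.13.1 255.255.255.252
 ip pim sparse-mode
!
interface GigabitEthernet0/0
 description Site A LAN (sources and receivers)
 ip address 10.10.0.1 255.255.255.0
 ip pim sparse-mode
 ! Honour IGMP joins only for the organisation's own administratively scoped groups.
 ip igmp access-group MCAST-GROUPS
!
! Static RP, limited to the group range we actually use. Groups outside the ACL have
! no RP and therefore are not forwarded across the WAN.
access-list 10 permit 239.0.0.0 0.255.255.255
ip pim rp-address 10.255.0.1 10
!
ip access-list standard MCAST-GROUPS
 permit 239.0.0.0 0.255.255.255
!
! On any interface that faces a network outside the organisation, keep the scoped
! range from leaking:
!   interface <edge>
!    ip multicast boundary 10
!
! Verification:
!   show ip pim neighbor      - PIM adjacency on each P2P link
!   show ip pim rp mapping    - every site sees 10.255.0.1 for 239.0.0.0/8
!   show ip mroute            - (*,G) and (S,G) entries once a receiver joins
```

With only three routers a static RP is simpler and safer than Auto-RP or BSR, because no device on the network can announce itself as RP; the trade-off is that the RP address has to be changed on every router if site A's loopback is ever renumbered.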
Girdle Wax posted: If it has the ssh client feature:

To add onto Girdle Wax's comment, if you can SSH into a device you can SSH out of it.

# Aug 22, 2008 02:28

Weissbier posted: Thanks for the info on SSH.

No, you cannot, and that is intentional. What is recommended is to create Remote Access VPN profiles and use those to gain internal network connectivity. This is because of the multi-interface functionality of the ASA and the desire to enforce the ingress/egress interface policies. Also it's just bad form in general, because if you're having to hop through your firewall there's problems abound anyway. We can paste scripts for that if so desired.

# Aug 24, 2008 22:41

H110Hawk posted: I'm having an oddball problem with a port on our 6748-GE-TX w/ 6700 CFC line card in our 6509 chassis (Sup720-3BXL) when connected to a 4948 switch running the standard image.

As a matter of habit I never let DTP have a crack at anything, as there's no need to negotiate ever between what I would assume is the core switch and a top-of-rack distribution switch. What happens when you change it to 'channel-group 5 mode on'? I realize that moving physical ports works for you but I'm curious as to the result.

# Aug 30, 2008 02:08

atticus posted: DTP != aggregation protocols used for Etherchannel.

Wow, I dunno why I called that DTP, but my question remains. Why allow it to negotiate instead of forcing the port bundling?

# Aug 31, 2008 04:36

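To put the "negotiate versus force" question above side by side, here is an added example (not from the thread) of the same 6509-to-4948 uplink bundled once with LACP and once with mode on. Interface numbers, the channel-group ID and descriptions are assumptions; PAgP desirable, which the earlier output on this page uses, behaves like LACP active for the purpose of this comparison.

```cisco
! Constructed example (not from the thread). Interface numbers and channel-group ID
! are assumptions.
!
! --- Negotiated: LACP active (PAgP "desirable" is the Cisco-only equivalent) ---
! Both switches exchange protocol frames and bundle only the ports whose peer answers
! and whose settings match. A member whose peer stays silent is held as a stand-alone
! port (flag I in "show etherchannel summary") instead of forwarding as part of a
! bundle the far end does not know about. This is the safety that "on" gives up.
interface range GigabitEthernet4/24 , GigabitEthernet5/2
 description Uplink to TOR-4948 (Po5 member)
 switchport
 switchport mode trunk
 switchport nonegotiate
 channel-protocol lacp
 channel-group 5 mode active
!
interface Port-channel5
 description Uplink to TOR-4948
 switchport
 switchport mode trunk
 switchport nonegotiate
!
! --- Forced: mode on ---
! No protocol runs; each side bundles unconditionally and trusts the cabling and the
! remote configuration. Both ends must be "on" (on/active and on/desirable never form
! a bundle), and a mismatch shows up only as link or spanning-tree behaviour, never as
! a protocol error you can read in a show command.
interface range GigabitEthernet4/24 , GigabitEthernet5/2
 channel-group 5 mode on
!
! Verify on both switches:
!   show etherchannel 5 summary        (P = bundled, I = stand-alone, D = down)
!   show etherchannel 5 port-channel
```

"switchport nonegotiate" answers the DTP side of the earlier post: the trunk is fixed rather than negotiated, while the bundle itself still uses LACP so that a mis-patched member is detected instead of silently forwarding.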
ObamaisaTerrist posted: Thanks for the info.

Tracking down which access (edge) switch a user and their associated IP address is plugged into from the core. Basically comparing the ARP / MAC address tables and hopping around out various uplinks until you find the access switch/port that the user is in. This obviously doesn't work from a routed perspective but on local segments it is very helpful.

# Aug 31, 2008 18:28

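The hop-by-hop trace the reply describes, written out as an added walkthrough that is not part of the thread. Every hostname, address, MAC and port number is made up for the example; the command syntax is standard IOS.

```cisco
! Constructed walkthrough (not from the thread): from the core, turn the user's IP into
! a MAC, find the port that MAC is learned on, follow that port to the neighbouring
! switch, and repeat until the MAC is learned on an access port. All names, addresses,
! MACs and ports are made up. Older IOS spells the table command "show mac-address-table".
!
! Step 1: IP -> MAC. This has to run on the L3 device holding the user's VLAN interface,
! which is why the method stops working across a routed boundary.
CORE# show ip arp 10.0.1.22
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.1.22              12   0011.2233.4455  ARPA   Vlan10
!
! Step 2: MAC -> port on this switch.
CORE# show mac address-table address 0011.2233.4455
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Te1/1
!
! Step 3: Te1/1 is an uplink, so identify the neighbour behind it and repeat there.
! (If the port is a Port-channel, pick a member port from "show etherchannel summary"
! first; CDP runs on the physical interfaces.)
CORE# show cdp neighbors TenGigabitEthernet1/1 detail | include Device ID|IP address
Device ID: DIST-2
  IP address: 10.0.0.12
!
DIST-2# show mac address-table address 0011.2233.4455
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/48
!
DIST-2# show cdp neighbors GigabitEthernet1/0/48 detail | include Device ID|IP address
Device ID: ACCESS-7
  IP address: 10.0.0.37
!
ACCESS-7# show mac address-table address 0011.2233.4455
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/15
!
! Step 4: Fa0/15 has no CDP neighbour and only this one MAC learned on it, so it is the
! user's access port rather than another uplink.
ACCESS-7# show mac address-table interface FastEthernet0/15
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/15
ACCESS-7# show interfaces FastEthernet0/15 status
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/15    cube-4B            connected    10         a-full  a-100 10/100BaseTX
```

The same four steps are what an incident responder runs to isolate a misbehaving host quickly, which is a good argument for keeping CDP (or LLDP) enabled on infrastructure links even where it is disabled on user-facing ports.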
Internal IP: 10.0.1.22, ports: 80 (HTTP); 51413; I can figure the rest out from that

code:
    access-list outside_access_in extended permit tcp any host PUBLIC_IP eq 80
    access-list outside_access_in extended permit tcp any host PUBLIC_IP eq 51413
    access-group outside_access_in in interface outside
    static (inside,outside) PUBLIC_IP 10.0.1.22 netmask 255.255.255.255

# Sep 7, 2008 08:53

ObamaisaTerrist posted: I learned recently that some organizations are moving towards a security setup involving a Mars box, IPS module for the ASA, and the Cisco Security Agent.

I've seen this setup implemented - mostly in financial settings. Personally speaking I think it is a bit overkill, since MARS does the job of the IDS in the ASA anyway. The latest version of CSA apparently has horrible problems with heuristic pattern matching (ex: XXX-XX-XXXX aka SSNs). Lots of false positives.

# Sep 19, 2008 05:04

ObamaisaTerrist posted: One more question. What is everyone using to backup router/switch configs? We have so many at this point, that manually copying them to a tftp server is an administrative nightmare.

I'm probably in the minority here but I'm a big fan of Kiwi (CatTools and Syslog). It's what - $395? Yes you can script stuff out yourself but why bother; that's not much to mess with for the ease and config comparisons you get emailed to you.

# Sep 19, 2008 05:10

The Beavis posted: I'm currently looking at the ASA 5500 line (specifically the 5510 or 5520) and interested in the CSC-SSM module, which does "Content Security" (i.e. anti-spam, anti-virus, etc).

I compared this module + ASA to Websense + ASA and ended up going with the Websense combo. I like the trilogy of Websense + Antivirus + MXLogic for content security (and Cisco Secure Agent if you're all about data leakage). The rationale was future expansion in the 4GE expansion port, as well as licensing costs. Websense came ahead on $$.

# Sep 26, 2008 01:10

The Beavis posted: Thanks for the info. What sort of tests did you perform on the CSC-SSM?

To be completely honest - if your target enterprise doesn't already have virus protection and spam protection, you already have bigger problems than which card to shove into your ASA. For testing we did none; the target implementation was a financial institution who was concerned about inbound virus/spam and data leakage/improper web surfing/protocol usage (IMs, https proxies etc). Post what you're trying to accomplish and in what industry/setting/executive mandate and we can all talk it over. CSC-SSM isn't completely useless, it just did not fit into the requirements I listed above.

# Sep 26, 2008 06:34

inignot posted: As it's been told to me, a PIX isn't a router. It has multiple interfaces, and it has a routing table, but it won't "route" traffic from one interface to another. Forwarding traffic between interfaces is accomplished via the nat translation statements, even if they aren't used to alter a source or destination address.

You're half right. The device will route traffic, but it must also pass the ACL and NAT / security-level conditions as well.

Edit: I'm approaching this from an ASA perspective, so apologies if pre-7 code PIX acts differently.

# Sep 30, 2008 02:32

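An added ASA example (not from the thread) that ties together two answers on this page: the earlier one on same-security-level interfaces needing "same-security-traffic permit inter-interface", and the one just above saying that routed traffic must still clear the ACL and NAT conditions. It uses the pre-8.3 NAT syntax of the ASA versions discussed in this thread; interface names, security levels, addresses, ACL names and the port 5432 are assumptions.

```cisco
! Constructed ASA example (pre-8.3 NAT syntax, not from the thread). Two DMZ interfaces
! at the same security level; names, levels, addresses and ACL names are assumptions.
!
interface GigabitEthernet0/1
 nameif dmz1
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz2
 security-level 50
 ip address 172.16.2.1 255.255.255.0
!
! Without this line the ASA drops dmz1<->dmz2 traffic no matter what the ACLs say:
! equal security levels are neither "higher to lower" nor "lower to higher".
same-security-traffic permit inter-interface
!
! With nat-control on, a flow still needs a translation rule to cross interfaces.
! NAT exemption (nat 0) satisfies that rule while leaving the addresses untouched,
! which is the "translation that does not translate" the post above refers to.
nat-control
access-list DMZ1-NONAT extended permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
nat (dmz1) 0 access-list DMZ1-NONAT
access-list DMZ2-NONAT extended permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (dmz2) 0 access-list DMZ2-NONAT
!
! Least privilege between the two segments: only the web host in dmz1 may open the
! database port on the one host in dmz2; everything else is denied and logged.
access-list DMZ1-IN extended permit tcp host 172.16.1.10 host 172.16.2.20 eq 5432
access-list DMZ1-IN extended deny ip any any log
access-group DMZ1-IN in interface dmz1
!
! Walk a packet through every stage (route lookup, ACL, NAT, security level) before
! trusting the design, exactly as recommended earlier in the thread:
!   packet-tracer input dmz1 tcp 172.16.1.10 40000 172.16.2.20 5432
!   packet-tracer input dmz1 tcp 172.16.1.10 40000 172.16.2.21 22     (should be dropped)
```

Run the two packet-tracer lines after any change: the first should end in ALLOW with the NAT exemption listed as the translation, and the second should stop at the ACL phase, which confirms that the same-security permit did not silently open the whole segment.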
ObamaisaTerrist posted: One more thing that is more an irritant.

code:
    delete /all /recursive flash:/foldername

# Oct 13, 2008 13:34
