Seconding CBWFQ. It'll give you some serious granularity in your control.

# Jun 20, 2007 01:21
|
Biggz posted:
I'm still trying to get my head around this, but in the following example should it "share" the WAN connection, upstream at least, between the three ACLs?

If you apply it to the right interface, yes.

# Jun 24, 2007 17:26
|
So here's a question. I'm dinking with getting an 1811 and getting a second Internet connection, one DSL, the other Cable. What's the best way to load balance between the two interfaces? CEF or what?

# Jul 25, 2007 03:42
|
jwh posted:
All I know about OER is what I found in the design doc "Cisco IOS Optimized Edge Routing Configuration Guide, Release 12.4T". I haven't used it myself.

I'll be running it on a single router. No need to get really fancy. If I run into problems I'll post them up here. Thanks!

# Jul 25, 2007 23:32
|
inignot posted:
As noted I think you're going to be stuck with OER's "dick around with default routing based on ping tests to an upstream address" feature.

Yeah, I'd thought of this. Not sure what to do, other than possibly do a straight 50/50 split.

# Jul 26, 2007 01:12
|
inignot posted:
Yeah, I'm going to go put in failure number 2. Given that I haven't even begun to study multicast & QoS I know I'm going to fail. At the very least I get to see another copy of the exam & sanity check my progress on IGP & EGP routing.

Best of luck - here's to hoping you at least ace your IGP and EGP sections.

# Jul 29, 2007 18:19
|
inignot posted:
Yeah, I'm going to go put in failure number 2. Given that I haven't even begun to study multicast & QoS I know I'm going to fail. At the very least I get to see another copy of the exam & sanity check my progress on IGP & EGP routing.

So how did it go?

# Aug 1, 2007 00:57
|
inignot posted:
It ended much like the ever replayed ski jump by Vinko Bogataj. I was only able to attempt 73 points given my lack of multicast or qos knowledge.

Sorry to hear that. I've been toying with the idea of getting my CCIE, but I know it's years away.

Edit - Ok Cisco gurus, I have a question for you. Yesterday here at work, we had a sudden outage in our core network. One of the core switches was experiencing "extensive memory errors and high cpu usage". He failed over to the backup switch and the problem went away. He's claiming that we had a network loop because STP is disabled because of incompatibility between vendor equipment.

1) How do you disable STP and why the hell would you do that? Wouldn't disabling it reduce your switch to a hub? What does a Cisco switch use instead of STP if STP isn't in use?
2) Does this sound like bullshit to anyone else? I'm responsible for signing off on this report, and it's not making a whole lot of sense.
3) We've apparently had STP disabled for a long time now, why would we only just NOW suddenly develop a network loop that would take down our network?
4) How is it possible that only one switch would be affected by a network loop?

XakEp fucked around with this message at 15:10 on Aug 1, 2007

# Aug 1, 2007 13:35
|
Fleshpeg posted:
Without seeing what the actual errors were, "Extensive memory errors" is most likely bad hardware.

http://www.dell.com/downloads/global/products/pwcnt/en/app_note_1.pdf

quote:
Without STP, all switches “flood” any frames they receive with an unknown destination media access control (MAC) address. The switches will forward the frame to all interfaces, introducing duplicate frames and leading to a “loop” in which all switches continually forward all frames. This is not only inefficient but also extremely taxing on network resources. Besides violating IEEE protocols, duplicate frames can create “broadcast storms” that pose a threat to network and application stability.

Having never disabled STP on a switch, I have no idea what would happen, but looking through Cisco's site I can't really get a clear idea of what would happen.

quote:
2/3. If you've had your network running for a long time, I'd be pretty surprised to suddenly get an STP loop out of the blue.

Agreed, this doesn't make any sense at all.

quote:
4. Um... if you looped two ports on the same switch together you could do it. But seriously, different switches might have different symptoms (high CPU/no symptoms other than loss of traffic) depending on what type of frame is looping. In any case, the explanation you got doesn't sound right.

No one was in the data center at the time of the outage, so I dunno how that could have happened.

# Aug 1, 2007 15:55
|
Fleshpeg posted:
Imagine you have two switches (A and B) connected to each other with a single link and two PCs (1 and 2) connected to switch A. PC #1 ARPs or somehow sends an L2 broadcast. It goes to switch A, which needs to send it to all its ports. It gets sent to both switch B and to PC #2. Switch B gets the frame and sends it to all its other ports. If you have spanning tree turned on in this scenario and plugged in a new PC or attached another switch, you'd have to wait for STP to converge (about 30 seconds or so) before traffic would be allowed to go through it. But since you don't have any loops, you can turn it off and can send traffic as soon as something is plugged in.

Then the question is, with STP disabled does the switch still learn MAC addys at all, or does it function like a hub and just forward packets out every port? Learning MAC addys is core to STP. With STP off, what does the switch do in absence of this?

# Aug 1, 2007 16:49
|
ior posted:
Not really.

Now I feel dumb. Time to go read up.

# Aug 1, 2007 18:02
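The flooding and learning behaviour Fleshpeg describes, and the question of whether MAC learning depends on STP at all, are easier to see in a small model than in prose. The following is an added example, not code from the thread or from any Cisco product: a Python simulation of learning switches on two constructed topologies. The `Network`/`Switch` classes, the port numbers and the host names (`pc1`, `pc2`, ...) are invented for the illustration, and STP is reduced to its end result, one port of the redundant link placed in blocking state. The model shows that a switch learns source MACs whether or not STP runs, that a loop-free topology drains a broadcast in a few hops, and that the same broadcast on a looped topology with no STP never stops circulating (the "storm" the Dell note describes).

```python
"""Learning switches with flooding, with and without a spanning tree.

Constructed example: topologies, port numbers and host names below are
invented for illustration, not taken from any real device or config.
"""
from collections import deque

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """A learning switch: ports, one MAC table, and ports STP has blocked."""

    def __init__(self, name):
        self.name = name
        self.links = {}       # port -> ("switch", peer_name, peer_port) | ("host", mac)
        self.mac_table = {}   # source MAC -> port it was last seen on
        self.blocked = set()  # ports in STP blocking state (no data frames in or out)


class Network:
    def __init__(self):
        self.switches = {}
        self.hosts = {}       # mac -> (switch name, port)
        self.delivered = []   # (host mac, src mac, dst mac) for frames reaching a host

    def add_switch(self, name):
        self.switches[name] = Switch(name)

    def link(self, sw_a, port_a, sw_b, port_b):
        self.switches[sw_a].links[port_a] = ("switch", sw_b, port_b)
        self.switches[sw_b].links[port_b] = ("switch", sw_a, port_a)

    def attach_host(self, mac, sw, port):
        self.switches[sw].links[port] = ("host", mac)
        self.hosts[mac] = (sw, port)

    def block_port(self, sw, port):
        """Stand-in for STP: put one port of a redundant link in blocking state."""
        self.switches[sw].blocked.add(port)

    def send(self, src_mac, dst_mac, max_hops=1000):
        """Inject one frame from a host. Returns (switch visits, stormed?).

        Each switch learns the source MAC on the ingress port, forwards a known
        unicast out one port, and floods broadcast/unknown unicast out every
        other non-blocked port. Still circulating after max_hops = a storm.
        """
        sw_name, in_port = self.hosts[src_mac]
        queue = deque([(sw_name, in_port, src_mac, dst_mac)])
        hops = 0
        while queue:
            if hops >= max_hops:
                return hops, True
            sw_name, in_port, src, dst = queue.popleft()
            sw = self.switches[sw_name]
            hops += 1
            sw.mac_table[src] = in_port          # learning does not depend on STP
            if dst != BROADCAST and dst in sw.mac_table:
                out_ports = [sw.mac_table[dst]]  # known destination: one port
            else:
                out_ports = list(sw.links)       # unknown/broadcast: flood
            for port in out_ports:
                if port == in_port or port in sw.blocked:
                    continue
                kind, *peer = sw.links[port]
                if kind == "host":
                    self.delivered.append((peer[0], src, dst))
                    continue
                peer_sw, peer_port = peer
                if peer_port in self.switches[peer_sw].blocked:
                    continue                     # blocking port discards data frames
                queue.append((peer_sw, peer_port, src, dst))
        return hops, False


def run_no_loop():
    """Fleshpeg's picture: A--B, two PCs on A, no loop, STP not needed."""
    net = Network()
    net.add_switch("A")
    net.add_switch("B")
    net.link("A", 1, "B", 1)
    net.attach_host("pc1", "A", 2)
    net.attach_host("pc2", "A", 3)
    net.attach_host("pc3", "B", 2)
    bcast_hops, stormed = net.send("pc1", BROADCAST)   # flood reaches A then B
    reply_hops, _ = net.send("pc2", "pc1")             # A already knows pc1
    return {"broadcast_hops": bcast_hops, "stormed": stormed,
            "b_learned_pc1": net.switches["B"].mac_table.get("pc1"),
            "reply_hops": reply_hops,
            "b_saw_reply": "pc2" in net.switches["B"].mac_table,
            "delivered": net.delivered}


def run_loop(stp_enabled):
    """Triangle A-B-C. Without STP one broadcast circulates until the hop cap."""
    net = Network()
    for name in "ABC":
        net.add_switch(name)
    net.link("A", 1, "B", 1)
    net.link("A", 2, "C", 1)
    net.link("B", 2, "C", 2)
    net.attach_host("pc1", "A", 3)
    net.attach_host("pc2", "C", 3)
    if stp_enabled:
        net.block_port("C", 2)   # what STP would do with the redundant B-C link
    hops, stormed = net.send("pc1", BROADCAST, max_hops=500)
    return {"hops": hops, "stormed": stormed,
            "copies_to_pc2": sum(1 for h, _, _ in net.delivered if h == "pc2"),
            "c_learned_pc1": net.switches["C"].mac_table.get("pc1")}


if __name__ == "__main__":
    print("no loop:", run_no_loop())
    print("loop, no STP:", run_loop(stp_enabled=False))
    print("loop, STP:", run_loop(stp_enabled=True))
```

In the loop-free case the broadcast visits each switch once and the unicast reply from pc2 is switched straight to pc1 without B ever seeing it, which is the MAC table doing its job with no spanning tree involved. In the triangle without STP the same single frame keeps arriving at C from alternating ports, so pc2 receives copy after copy and C's entry for pc1 flaps between ports; that address flapping, along with the CPU load, is the symptom to look for when a loop is suspected. Blocking one port of the B-C link is enough to make the flood drain in three switch visits.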
|
Just wanted to share this - I passed my 642-552 SND exam today. 975/1000. With any luck I can get CCSP out of the way by the end of the year and move on to CCIE Security.
|
# Sep 6, 2007 03:22
|
CrazyLittle posted:
So here's the thing that gets me. When watching the console logging, I can see the OER master watching, picking, choosing and rerouting the traffic... but I can't get it to route to BOTH interfaces at the same time. It seems to be switching over everything completely. Any thoughts on that, or should I file a new ticket with Cisco TAC and wait another 6 months to be ignored... only to figure it out by myself?

As I understand it, that's what it's supposed to do. Pick best-path routing and route the traffic over the links that'll get the data there faster. As one route gets congested, it switches over.

http://www.cisco.com/en/US/products/ps6628/products_ios_protocol_option_home.html

# Sep 14, 2007 01:41
|
CrazyLittle posted:
Yeah but shouldn't it be a soft cutover, where current traffic on that line keeps flowing? I'm getting the impression that it's just doing a hopping dance between the two lines, completely moving everything over at the slightest hint of congestion, instead of balancing load across both links simultaneously.

If a TCP connection has been established, it can't just cut over to a new IP address and route mid-stream. Especially if there's encryption involved - it can't be easily reassembled.

# Sep 14, 2007 22:53
|
brent78 posted:
I setup a VPN on a PIX 515e and connect with the Cisco VPN client software. It works great, however I'm no longer able to route to the Internet, just the private internal network. Is there a way to have it route ALL my traffic through the PIX? I know a split tunnel is possible, but I don't want to do that. I heard somewhere that a PIX can't route traffic out the same interface it comes in on, so what I'm asking may not be possible without a VPN concentrator or whatnot.

Out of curiosity, why don't you want to do a split tunnel?

# Sep 23, 2007 00:54
|
wwb posted:
So, I managed to kind of force myself to upgrade to Vista 64 bit the other day (long story). Everything is peachy, save one thing--there appears to be no 64-bit friendly Cisco VPN Client software that can do IPsec. Which, unfortunately, I need to connect to a few things. According to Cisco, this ain't happening quite yet. Is there any hope besides doing some sort of hokey "run virtual XP box to access other network" angle?

From what I've heard from other people in the same boat, there's nothing else you can do.

# Nov 5, 2007 15:57
|
I've got a 3524XL switch that I can't seem to be able to get console access to. I connect the cable and boot the switch up and I get nothing on my terminal software. The switch functions (devices plugged in can get IP addresses from an external DHCP server) but I can't configure the drat thing. Ideas on how to get in?

# Dec 3, 2007 04:04
|
jwh posted:
Somebody might have changed the line rate of the console port. Try 115200. If that doesn't work, you should be able to reset the switch by holding down the status button on the front face-plate (does this work on the 3500s?).

The procedure on a 3500 series is to hold down the mode button while the box is off, power it up and release the button when the port 1 LED turns off. I've done that, but still nothing on my terminal. Unless I have two bad cables/rj45 adapters I have no loving clue.

# Dec 3, 2007 05:38
|
Girdle Wax posted:
If you're using an actual cisco rj45 adapter, you need to use a rollover cable between the adapter and the switch, do you have a molded cable, or can you make a rollover?

Yeah, they're rollovers. One is the OEM light blue cable, the other isn't, but I can confirm it's a rollover. I have a molded one somewhere else, I'll see if I can dig it up.

Edit - Got a molded one here at the office. I'll try it when I get home.

vvvv My understanding is the default route will be used after all other routes in the routing table don't match vvvv

XakEp fucked around with this message at 16:54 on Dec 3, 2007

# Dec 3, 2007 14:59
|
Girdle Wax posted:
If you're using an actual cisco rj45 adapter, you need to use a rollover cable between the adapter and the switch, do you have a molded cable, or can you make a rollover?

Well dip me in poo poo and fry me as a hush puppy - the molded cable worked! Looks like I really did have 2 bad console cables!

# Dec 3, 2007 23:58
|
Girdle Wax posted:
The one thing that'll suck on a 501 is that you're stuck on 6.0 code, PDM sucks compared to ASDM imo. Java timeout issues too.

If it's what you have, it'll do the job, but don't expect it to be frustration free.

# Dec 5, 2007 14:43
|
brent78 posted:
I want to VPN in to a ASA 5510. I'm confused by the webvpn, ssl vpn, easyvpn options. Can someone post a simple ipsec config for use with the cisco client, or even pptp if its supported. I want to authenticate local users only.

Well, you won't be using EasyVPN for a remote access VPN, it's meant for site-to-site VPNs. For the other two you mentioned, it's a whole different ball game. Someone correct me if I'm wrong, but the other two don't require the Cisco VPN client. They're web based. An IPsec over UDP/NAT-T or IPsec over TCP (I know, I have them backwards in precedence) will require the Cisco VPN client.

Edit - http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_14/g_sslvpn.htm

quote:
The Cisco WebVPN feature provides remote access to enterprise sites by users from anywhere on the Internet. The Secure Socket Layer (SSL) Virtual Private Network (VPN) provides users with secure access to specific enterprise applications, such as e-mail and web browsing, without requiring them to have VPN client software installed on their end-user devices.

Yeah, thought so. You don't need the VPN client for SSL/WebVPN setups.

XakEp fucked around with this message at 15:13 on Dec 7, 2007

# Dec 7, 2007 15:07
|
jwh posted:
This isn't exactly true- EasyVPN is the umbrella for the IPSec VPN parts and pieces- both client and server componentry. You can connect from the IPSec client to any Easy VPN server (IOS, ASA, etc).

As I understood it, it's meant for gateway-to-gateway type VPNs. Am I wrong? I've dinked with a few with my PIX 520s, but didn't think it was meant for an RA-style access model.

# Dec 7, 2007 16:59
|
Sweet, thanks! I love this thread - always something new to learn.
|
# Dec 7, 2007 17:09
|
brent78 posted:
I used the wizard to create an L2TP VPN. When I try to connect from my Windows XP client I get "Error 789: The L2TP connection attempt failed because the security layer encountered a process error during initial negotiations with the remote computer".

I had a similar issue on my PIX 520, I had to enable the L2TP passthrough. Dunno about the ASA, but I'd imagine it's similar.

# Dec 7, 2007 18:42
|
I think (probably wrong) you might need a newer IOS on the router to do intravlan routing with a router-on-a-stick config.

Edit - Yup, I was wrong. Anything over 12.0 will work. Try adding this before you apply an IP address:

encapsulation dot1q (vlanid)

XakEp fucked around with this message at 23:14 on Dec 7, 2007

# Dec 7, 2007 23:11
|
CrazyLittle posted:
According to this it won't work on a 25xx router:

I've seen it done on a 2501, but it didn't work very well. It is not supported on 25xx routers, but it will work, sorta. We had timeouts and other issues.

# Dec 8, 2007 03:21
|
Filthy_McGreasy posted:
If someone were to poopsock the CCIE training, and assuming a 100% retention rate for the information, how much of a time investment would it be? You mention studying for 6-8 months, is that 2 hours a week, or 2 hours a day? Is the exam environment stressful? From your previous comments it sounds like there would be many people sitting around in a room taking the test at the same time. Do they try to minimize the distractions? How much experience did you have before you decided to start on this?

I'm actually going to start poopsocking for CCIE Security in January. I give myself 6 months or so to do the written, and 12-18 months for the lab. I expect to have to take the lab several times, but what the hell, I've got time. For the record, I've got CCNA, CCNP and (last week) CCSP. It's taken me 2 years to get this far, and a fair amount invested in equipment.

# Dec 10, 2007 16:35
|
chutwig posted:
A tangentially related question about Cisco stuff - I'm looking to pick up a CCNA to sweeten my resume a bit while I search for a new job. I already have 3 years of networking experience, and I've been taking the practice exams on Cisco's site without too much difficulty. Is the CCNA the sort of exam where I can buy the self-study materials, study for a few weeks, and go in and pass it without having an IOS simulator, or am I stuck either shelling out for a simulator or some old Cisco hardware?

Dynamips is free, and 2 pages back there's a link to a thread in SA where lots of good cheap gear was for sale.

# Dec 10, 2007 18:32
|
chutwig posted:
I'm looking at M@'s thread now. What sort of equipment in there should I be looking to purchase for the CCNA? It seems like the 2950 is what gets kicked around as being the "standard", and I freely admit I don't know enough about Cisco equipment to know what the differences are between all these model numbers, and whether the differences might disqualify something from being a good testbed for the CCNA.

2 2924 switches, a 2620 router and maybe a 3640 and you'll be good through most CCNP stuff. Drop the 3640 and you'll have a perfect CCNA lab.

# Dec 10, 2007 19:01
|
Filthy_McGreasy posted:
Does anyone have some suggestions for learning new IOS commands? I am going through the self-study CCNP program and I am constantly seeing new commands. I know I am going to have to memorize these for the test, and it is getting hard to juggle all of this new information. When I see the new configs, I write them down and then practice them a few times in a small lab. Does anyone have any suggestions on how to improve retention for these commands?

Open a DOS window and type them a million times. Get them into your hands.

# Dec 19, 2007 04:37
|
Two 2600 routers and 2 2954 switches are all you will need.
|
# Dec 20, 2007 01:35
|
jwh posted:
Is MPLS on the CCNP now? If so, what do they ask you to know?

MPLS is CCIP territory, not CCNP.

# Dec 20, 2007 23:28
|
Spazz posted:
So I'm not far enough into my curriculum to know how to work with this yet, but I have a 2511-DC that I got and I have a LOT of equipment I plan to learn off of. Is there a way to configure Async 1-16 to plug into the CONSOLE port to manage multiple pieces of equipment via SSH or other means? Or am I just pissing into the wind?

I've personally set up mine so it'll do it, and I've used it. Works great.

# Dec 29, 2007 17:44
|
I've got a 3524XL that's giving me grief. I cannot figure this one out. All the ports are in Vlan1, and there are no other vlans. The devices can pull an IP address from the PIX firewall, but they can't ping each other or see each other at all. They can get out to the internet with no problems. Ideas?

# Apr 13, 2008 20:06
|
jwh posted:
pvlan going on?

Not that I'm aware of. I've reset the config, and it's still doing it.

# Apr 14, 2008 01:25
|
Midnj posted:
XakEp, can you post the config?

I'll grab it when I get home tonight. There's nothing in it to speak of, it's been reset to default config and it's still not working.

jwh posted:
Windows firewall?

Not likely. I can plug them into my Linksys broadband router (not being used on my network so don't give me poo poo) and the problem goes away. In fact, I can plug into any other switch and it works. PVLANs aren't set up by default, are they?

# Apr 14, 2008 13:38
|
I'll go ahead and do this when I get home - I'll post up when I do this. Thanks!
|
# Apr 14, 2008 15:32
|
Girdle Wax posted:
Not unless it's stored in the vlan database. If you don't mind fully resetting the switch, try the following commands while enabled:

Didn't work. Here's the config.

code:

# Apr 14, 2008 21:40
|
|
H110Hawk posted:
I doubt it matters with vlan1, but have you tried entering "vlan 1" ?

Entering it for what?

# Apr 14, 2008 22:40