|
I'm having some trouble with a remote access VPN using the Cisco VPN Client to a 3825. When I attempt to connect, the VPN client spits out this in the logs:code:
Nothing seems to work! I'd appreciate any ideas you guys might have. Here's the router configuration: code:
|
# ¿ Sep 10, 2008 01:40 |
|
Syano posted:
Trying to figure out a way to integrate the device with the least amount of effort. I want the 5510 to become the new default gateway for this network and it sure would be easy to tag on an additional address to eth0 instead of changing default gateways on tons of statically configured devices

Keep in mind that an ASA is not a router; it's a security device. It'd be much easier to stick a layer 3 switch or a basic router with two FastEthernet ports in between it and your network like Girdle Wax posted above. Sub-interfaces are really only useful if you have multiple VLANs that need to connect up to the ASA.
|
# ¿ Sep 10, 2008 01:46 |
|
riske posted:
I'm having some trouble with a remote access VPN using the Cisco VPN Client to a 3825. When I attempt to connect, the VPN client spits out this in the logs:

I figured this out in case anyone was wondering. My RADIUS server wasn't handing out authorization information properly. When I changed this line: code:
code:
|
# ¿ Sep 11, 2008 19:43 |
|
Erwin posted:
I have a question about NAT traversal for SIP (I think). We switched to a new VOIP provider for our 20+ VOIP phones. They recommended an 1841 router for our largest location with 17 phones. Now we're having a problem with a few phones randomly not registering to their SIP server, and from what I can tell, it's because the 1841 doesn't translate SIP packets when NATing. The VOIP provider's response is to use our Juniper SSG140 for NATing, turning the 1841 into a fancy T1 interface, and something I'd like to avoid.

Try something like this (assuming FastEthernet1 is your "inside" interface): code:
|
# ¿ Jul 28, 2010 15:46 |
|
That should be possible if you're on the same layer 2 segment, at least in theory.
|
# ¿ Nov 2, 2010 15:27 |
|
tortilla_chip posted:
http://en.wikipedia.org/wiki/Digital_Signal_1

From the "bandwidth" section:

Wikipedia posted:
A DS1 is also a full-duplex circuit, which means the circuit transmits and receives 1.544 Mbit/s concurrently.

Here's another source:

NetworkDictionary.com posted:
Within the communications network, copper twisted pairs are used. One pair for transmit, and another for receive, making four wires for each T1. This allows T-carrier systems to transmit and receive simultaneously in both directions at full speed (full duplex).
|
# ¿ Nov 11, 2010 21:57 |
|
analogsoul posted:
MTU 1500 bytes, BW 100 Kbit, DLY 100 usec,

This might be your problem.
|
# ¿ Dec 15, 2010 00:56 |
|
Cizzo posted:
Why does the following IPv6 address have a prefix of 60?

It's a larger allocation that you can split into 16 (2^4) /64s.
|
# ¿ Dec 17, 2010 01:26 |
|
Is the switch port this router plugs into also configured for 100/full? It might be trying to negotiate speed and duplex.
|
# ¿ Mar 28, 2012 23:15 |
|
Having lots (hundreds) of hosts on a single subnet produces excessive broadcast traffic, which has to be propagated to every single machine on that VLAN. If your VLAN spans several buildings...think about it.

A school I worked with had a similar setup; 3 buildings on one big VLAN (10.0.0.0/8), with 100Mbps wireless links between the buildings. Each building had a separate Internet connection and firewall, and they directed traffic by setting the appropriate default gateway. That network CRAWLED. They couldn't even get full speed out of a 20Mbps cable modem at any given site. Luckily, the sole IT guy had the foresight to number all the machines at each site with the same second octet (e.g. 10.5.0.0, 10.6.0.0, etc.) so it was fairly simple to expand the subnet mask to a /16 for each building and make the firewalls route inter-building traffic. Network performance dramatically improved, especially for inter-building transfers.

Word to the wise: bring in an expert to reorganize your network. You shouldn't need to pay for public addresses for machines that aren't running a public service, and judicious use of subnetting, routing, and even NAT will likely improve both performance and reliability, and make it easier to troubleshoot when something goes sideways.
|
# ¿ Apr 26, 2012 15:22 |
|
Zuhzuhzombie!! posted:
So if the process ID has nothing to do with DR election, nothing to do with the router ID, and is only significant to the router it's on and can be duplicated on other routers, then what does it do exactly? What is it significant to?

It is possible to have a router be a part of multiple separate OSPF networks. The process ID is simply a way to distinguish between them within the router's config.
|
# ¿ Apr 22, 2013 20:55 |
|
Zuhzuhzombie!! posted:
So if a router is a member of multiple Areas it will use the process ID to manage that area membership/database/etc?

No, the process ID indicates two completely separate OSPF clouds. Think VRFs. For example, ports Gig0/1 & Gig0/2 could be assigned to OSPF process 1 and exchange one set of LSAs with neighbors, and ports Gig0/3 & Gig0/4 could be on OSPF process 2 and have a completely separate set of LSAs to exchange with neighbors on those ports. Both OSPF processes can be assigned to the backbone area, but it would be two completely separate backbone areas.
|
# ¿ Apr 22, 2013 21:23 |
|
Zuhzuhzombie!! posted:
Sorry, but I'm still confused! So... would it be more like running multiple instances of EIGRP via multiple AS numbers?

Not really. Each EIGRP instance is analogous to an OSPF area. Read up on VRF for a use-case where you'd run multiple OSPF processes, or VRF-Lite if you don't want to get too deep into MPLS. The gist is that you can have multiple discrete routing tables coexisting in a single router, and each OSPF instance operates on a single routing table.

Say that you're running a service provider backbone network, and you have a client who wants a Layer 3 (routed) VPN between their multiple sites. They run OSPF internally and use 10.0.0.0/8. You already run OSPF on your routers, and also use 10.0.0.0/8, so you don't want your routes distributed into the client's network or vice-versa. The solution is to assign the client-facing interfaces to a VRF (separate routing table) and set up a second OSPF process on your routers to peer with their routers and use the client VRF. That way, their routing table is propagated between their sites over your network, while your routing table remains isolated from theirs.

SamDabbers fucked around with this message at 22:08 on Apr 22, 2013 |
# ¿ Apr 22, 2013 22:05 |
|
Sepist posted:
Does anyone know of any good way to calculate bandwidth requirements for many online services? There is no baseline we can go by, company would start off with 20k OWA users, thousands of servers/workstations utilizing backup over the WAN, CRM, Webhosting and BES. I'm guesstimating 3Gb based on past experience but I don't think I can present it that way.

Maybe you could recommend going with a Metro Ethernet provider who can do a 10Gbps loop and instant-scalable bandwidth. Then you can start at, say, 2Gbps and turn it up if that turns out to be insufficient.
|
# ¿ Apr 22, 2013 22:41 |
|
Bluecobra posted:
I'm almost tempted to setup a FreeBSD server with top shelf Xeons and a high-performance 10GbE NIC like a Solarflare 6122 to see what performance I can get from pf.

IIRC, pf is still single-threaded, though there's someone working on a patch to make it multithreaded. That's not to say it performs poorly, but I'd go for more GHz over more cores when choosing a CPU.
|
# ¿ May 21, 2013 18:42 |
|
ToG posted:
Can you explain this to me like I'm five? What's arista?

Arista makes some really killer switches. The 'show donkeys' command appears to be an easter egg.
|
# ¿ May 24, 2013 14:56 |
|
ruro posted:
Serious reply: Ubiquiti Edgerouter - http://www.ubnt.com/edgemax! Has a pretty UI.

These are definitely nice for the $99 pricetag. They'll even do OpenVPN for remote access, but you'll have to configure it via CLI since the Web UI doesn't have that part implemented yet. It's basically Vyatta under the hood, so just about anything you can do with Vyatta, you can do with the Edgemax.
|
# ¿ Jul 15, 2013 22:49 |
|
QPZIL posted:"IPv6 is the way of the future!" Join us in the
|
# ¿ Aug 19, 2013 15:10 |
|
Why would it be better to cap it at 64 or 48 bits instead of 128? The whole point was to make it such a large address space that we'd never have to deal with the address exhaustion problem again, at least on this planet. Also, it allows for some cool features like mapping a 48-bit MAC address into the 64-bit host portion for auto-addressing within a subnet. You couldn't do that as easily with a 64 or 48 bit address.
|
# ¿ Aug 19, 2013 15:42 |
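The two posts above (splitting a /60 into sixteen /64s, and the school network's /8 carved into per-building /16s) are the same operation, and the "map a 48-bit MAC into the 64-bit host portion" remark is modified EUI-64 from RFC 4291. The following is an added example, not code from any poster; it uses Python's standard ipaddress module, and the prefixes and MAC address are made up. It also shows the reverse mapping, which is the practitioner's caveat: an EUI-64 address reveals the host's MAC to anyone it talks to, which is why RFC 4941 temporary (privacy) addresses exist.

```python
import ipaddress


def split_prefix(network: str, new_prefix: int) -> list[str]:
    """Split an allocation into its child prefixes: a /60 into 16 /64s,
    or 10.0.0.0/8 into 256 /16s (one per building, as in the post above)."""
    net = ipaddress.ip_network(network, strict=True)
    if new_prefix < net.prefixlen or new_prefix > net.max_prefixlen:
        raise ValueError(f"{new_prefix} is not a valid child prefix of {net}")
    return [str(sub) for sub in net.subnets(new_prefix=new_prefix)]


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291 appendix A): flip the universal/local bit
    (0x02) of the first octet and insert ff:fe between the OUI and the
    device-specific half of the MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> str:
    """The address a host autoconfigures from a /64 RA prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))


def mac_from_slaac(address: str):
    """Recover the MAC from an EUI-64 address, or None when the interface ID
    is not EUI-64 shaped (privacy/temporary or manually assigned address).
    This is the information leak that RFC 4941 temporary addresses avoid."""
    iid = (int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{o:02x}" for o in octets)


if __name__ == "__main__":
    # constructed values: a documentation prefix and an invented MAC
    print(split_prefix("2001:db8::/60", 64))
    print(len(split_prefix("10.0.0.0/8", 16)), "/16s inside 10.0.0.0/8")
    addr = slaac_address("2001:db8:0:1::/64", "00:1a:2b:3c:4d:5e")
    print(addr, "->", mac_from_slaac(addr))
```

On a network where hosts use EUI-64 addresses, mac_from_slaac is all an observer needs to tie addresses to hardware; most current operating systems default to temporary addresses for outbound traffic, and mac_from_slaac returns None for those.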
|
moron posted:
... hooked into my DSL modem. I was kinda looking for something with decent gigabit performance though ...

Do you really need a GigE interface for a DSL connection? That 1841 you have should rock anything through ADSL2+ speeds, and FastE would not be a bottleneck.
|
# ¿ Aug 21, 2013 21:22 |
|
ruro posted:
I can't see SLAAC being terribly important on an enterprise network that uses DHCP. In particular, DHCP can be used to deliver non-addressing related options (NTP, TFTP, etc).

You can use DHCPv6 to deliver the non-addressing related options AND use SLAAC. It doesn't have to be stateful DHCPv6.
|
# ¿ Aug 22, 2013 23:45 |
|
adorai posted:
Is there a curmudgeons guide to ipv6 available somewhere on the internet? I'm a real IT person with real networking knowledge, but have done nothing with ipv6. I feel like I am way behind the times since I'm not even running it at home.

Get a free tunnel and check out the tests/exercises here.
|
# ¿ Aug 23, 2013 01:16 |
|
ARIN will give you a /44 if you tell them you have two sites. It's great that the address space is so large because it's really easy to get roomy allocations.
|
# ¿ Aug 23, 2013 03:53 |
|
FatCow posted:
I could get a /32 if I wanted to be a dick.

That's the thing...the address space is so massive that the dickliness of taking up a /32 would be miniscule. Here's an illustration of just how big we're talking.
|
# ¿ Aug 23, 2013 05:28 |
|
sellouts posted:
This is more of a Cisco hardware question vs a software question.

Can you not just reuse the SFP from the switch you're replacing? Why are you replacing it to begin with?
|
# ¿ Aug 23, 2013 18:51 |
|
Protokoll posted:
Each customer is going to be getting a port with a public address and it's their responsibility to protect their traffic.

Why even bother with trying to isolate the traffic between customers? Set up DHCP snooping/ARP inspection to mitigate IP spoofing, put it all in a big layer 2 (to save addresses and complexity) and call it a day. This also saves you from having to devise a way for NOC personnel to permit desired customer-to-customer traffic later.

Alternatively, what about PPPoE? Bump up the L2 MTU a little so the path is 1500 byte clean, ACL deny anything but PPPoE on the access ports, and all traffic goes through the router so you can filter to your heart's content. You can even pass ACL rules via RADIUS.
|
# ¿ Aug 27, 2013 04:51 |
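The "DHCP snooping/ARP inspection" suggestion above, and the VRRP virtual MAC point a few posts down, come down to one rule: an ARP frame on an untrusted access port is forwarded only if its sender MAC/IP pair matches a binding the switch learned (from DHCP snooping or static configuration) on that same port and VLAN. The following is an added example, not code from any poster or any vendor's implementation; it is a simplified model of dynamic ARP inspection in Python, with made-up port names, bindings and frames, and it ignores the rate limiting and ARP ACLs a real switch also has. The gateway entry uses the RFC 5798 virtual MAC 00-00-5E-00-01-{VRID} so the gateway IP is only ever accepted from the trusted uplink.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One DHCP-snooping binding (or static entry): this MAC owns this IP
    on this VLAN behind this access port."""
    vlan: int
    port: str
    mac: str
    ip: str


@dataclass(frozen=True)
class ArpFrame:
    """The fields of a received ARP frame that inspection looks at."""
    port: str        # ingress switch port
    vlan: int
    eth_src: str     # Ethernet source address
    sender_mac: str  # ARP sender hardware address
    sender_ip: str   # ARP sender protocol address
    target_ip: str


def vrrp_virtual_mac(vrid: int) -> str:
    """RFC 5798 IPv4 virtual router MAC: 00-00-5E-00-01-{VRID}."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return f"00:00:5e:00:01:{vrid:02x}"


def inspect_arp(frame: ArpFrame, bindings, trusted_ports):
    """Return ("permit"|"drop", reason). Trusted ports (uplinks toward the
    router and DHCP server) bypass inspection; on access ports the ARP
    sender MAC must equal the Ethernet source MAC, and the sender MAC/IP
    pair must match a binding learned on that very port and VLAN."""
    if frame.port in trusted_ports:
        return "permit", "trusted port"
    if frame.eth_src.lower() != frame.sender_mac.lower():
        return "drop", "ARP sender MAC differs from Ethernet source MAC"
    for b in bindings:
        if (b.vlan, b.port, b.mac.lower(), b.ip) == (
                frame.vlan, frame.port, frame.sender_mac.lower(), frame.sender_ip):
            return "permit", f"matches binding {b.ip}/{b.mac} on {b.port}"
    return "drop", f"no binding for {frame.sender_ip} from {frame.sender_mac} on {frame.port}"


# constructed sample data: one customer VLAN, two customers, one uplink
GATEWAY_IP = "192.0.2.1"
GATEWAY_MAC = vrrp_virtual_mac(10)
BINDINGS = [
    Binding(100, "Gi1/0/5", "00:11:22:33:44:55", "192.0.2.10"),
    Binding(100, "Gi1/0/6", "00:11:22:33:44:66", "192.0.2.11"),
]
TRUSTED = {"Gi1/0/24"}

SAMPLE_FRAMES = [
    # customer answering for its own address: permit
    ArpFrame("Gi1/0/5", 100, "00:11:22:33:44:55", "00:11:22:33:44:55", "192.0.2.10", GATEWAY_IP),
    # attacker on an access port claiming the gateway IP with its own MAC: drop
    ArpFrame("Gi1/0/7", 100, "66:77:88:99:aa:bb", "66:77:88:99:aa:bb", GATEWAY_IP, "192.0.2.10"),
    # attacker forging the VRRP MAC itself, still on an access port: drop
    ArpFrame("Gi1/0/7", 100, GATEWAY_MAC, GATEWAY_MAC, GATEWAY_IP, "192.0.2.10"),
    # legitimate customer port, but ARP body and Ethernet header disagree: drop
    ArpFrame("Gi1/0/5", 100, "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", "192.0.2.10", GATEWAY_IP),
    # the real gateway, arriving on the trusted uplink: permit
    ArpFrame("Gi1/0/24", 100, GATEWAY_MAC, GATEWAY_MAC, GATEWAY_IP, "192.0.2.10"),
]


def run_demo():
    """Verdict for each sample frame, in order."""
    return [inspect_arp(f, BINDINGS, TRUSTED)[0] for f in SAMPLE_FRAMES]


if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(f.port, *inspect_arp(f, BINDINGS, TRUSTED))
```

The point the model makes explicit: inspection is only as good as the binding table, so the uplink carrying real DHCP replies must be the only trusted port, and a customer who configures a static address never gets a binding and is dropped until a static entry is added for them.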
|
What FHRP are you running on the firewalls? RFC-compliant VRRP should use a consistent MAC for the gateway IP to avoid this ARP caching issue entirely.
|
# ¿ Sep 30, 2013 17:55 |
|
psydude posted:
I'm currently on a network that is using public IP addresses for internal addressing.

What, you want to use NAT?

jwh posted:
I think it's ironic (tragic?) that I don't even have any IGPs running anymore. Especially considering all the work I had done with them formerly.

No IGPs and no RFC1918...is this the future?
|
# ¿ Nov 3, 2013 14:50 |
|
You could sign up for an "eval account" if you'd rather not talk to your rep for some reason. The link is on the right of this page: http://www.juniper.net/support/downloads/?p=junosvfirefly-eval#sw
|
# ¿ Jan 29, 2014 01:04 |
|
Marvel posted:
This isn't really Cisco-specific but I do have a networking question.

Seems like a decent setup. Are you doing the cabling for the drops too, or is a cabling contractor taking care of that?

Marvel posted:
What do you do for all the super short cables you need to hook everything up? Seems overkill to make all those cables by hand?

Buy all your cables from Monoprice.
|
# ¿ Feb 10, 2014 16:38 |
|
Marvel posted:
My friend and I already muddled through the cabling this weekend. It only cost me 4 hours and a pizza so if I screwed something up I can redo it. I'm thinking of using a little PC Engines WRAP board running pfSense for the router (already on-hand). My upstream connection is pretty terrible so it won't be pushing too many packets. It apparently can do the QoS for the phones.

Unless your office is stuck on <10Mbit DSL, that WRAP board is likely not powerful enough. You're already using UniFi APs, and an EdgeRouter Lite will blow the WRAP board out of the water for about $100.
|
# ¿ Feb 10, 2014 17:29 |
|
Begby posted:
Not flat, we do have a vlan for phones. We recently changed the subnet of the network from /24 to /23 and changed the voice subnet.

The router may be sending ICMP Redirects if ASA, router, and hosts are on the same subnet. This will cause an entry to be made in the routing table of each host for each non-subnet-local address they try to reach. Maybe you could set no ip redirects on the router's LAN interface? You could probably also solve your ARP problem by putting your ASA on a dedicated (sub)interface on the router, instead of on the same subnet as the hosts.

SamDabbers fucked around with this message at 18:35 on Mar 5, 2014 |
# ¿ Mar 5, 2014 18:30 |
|
ZergFluid posted:
Can you use telnet/ssh to access a remote router or switch, and then use Cisco Discovery Protocol on the router/switch you're logged into to discover their neighbors?

Assuming the neighbor devices speak CDP and have it enabled on the interface(s) connected to the device you're ssh'd into:

sh cdp neigh
|
# ¿ Mar 23, 2014 15:41 |
|
Multichassis LACP seems to be what you're looking for.
|
# ¿ Mar 26, 2014 22:32 |
|
Cenodoxus posted:
I was also considering an Ubiquiti EdgeRouter Lite, but I've heard mixed reviews and I can't get a solid answer on how well it supports/implements 802.1p.

The EdgeRouter's hardware acceleration doesn't work if you enable QoS, but is that actually important for a 1Gbps connection? Stateful firewall, NAT, VLAN tags, and IPsec can all be offloaded for both IPv4 and IPv6. The beta firmware has support for PPPoE offload too, in case it's applicable to Google Fiber.
|
# ¿ Apr 17, 2014 20:21 |
|
Cenodoxus posted:
Hmm, good to know. In this case, yes, it's important, but only for upload speeds. Here's the situation -

Given these requirements, I'd go with an EdgeRouter Lite for bang-for-the-buck routing and a Netgear GS108T switch for VLAN/CoS tagging. It's probably the least expensive option (under $200) that can push several hundred kpps. I have both of these devices and tested the configuration successfully. The switch can assign an arbitrary priority tag to all packets coming in on an untagged interface and propagate it out a tagged port.

Here are some screencaps. Interface g1 is connected to a desktop and configured to be untagged on VLAN 1; interface g3 is connected to a machine running Wireshark and is configured to receive tagged frames. The second screenshot shows the 802.1q header received on g3 before I set g1 to have a priority tag (it shows 0), and the third screenshot shows priority tag 3 applied.
|
# ¿ Apr 18, 2014 06:08 |
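What Wireshark showed in the screenshots above is the 4-byte 802.1Q tag the switch inserts between the source MAC and the EtherType: TPID 0x8100, then a 16-bit TCI whose top 3 bits are the 802.1p priority (PCP), followed by a 1-bit DEI and a 12-bit VLAN ID. The following is an added example, not code from any poster; it builds and parses that tag in Python for the g1/g3 scenario (untagged frame in, tagged with VLAN 1 and PCP 0, then PCP 3), with a constructed frame whose MAC addresses and payload are made up. The security caveat it makes visible: PCP is just three bits any sender can set on a tagged frame, so an access port should overwrite it (as set_priority does) rather than trust whatever arrives.

```python
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_tci(pcp: int, dei: int, vid: int) -> int:
    """Tag Control Information: 3-bit PCP | 1-bit DEI | 12-bit VID."""
    if not (0 <= pcp <= 7 and dei in (0, 1) and 0 <= vid <= 4095):
        raise ValueError("PCP 0..7, DEI 0/1, VID 0..4095")
    return (pcp << 13) | (dei << 12) | vid


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II frame, with or without a single 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = _mac_str(frame[0:6]), _mac_str(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "tagged": False,
                "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "tagged": True,
            "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF,
            "ethertype": inner, "payload": frame[18:]}


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """What the switch does for an untagged access port: insert a tag
    after the source MAC, carrying the port's VLAN and default priority."""
    if parse_frame(frame)["tagged"]:
        raise ValueError("frame already tagged")
    return frame[0:12] + struct.pack("!HH", TPID_8021Q, build_tci(pcp, dei, vid)) + frame[12:]


def set_priority(frame: bytes, pcp: int) -> bytes:
    """Rewrite the PCP of a tagged frame, keeping DEI and VID. This is what
    an untrusted port should do instead of honouring a sender's own PCP."""
    p = parse_frame(frame)
    if not p["tagged"]:
        raise ValueError("frame is untagged")
    return frame[0:14] + struct.pack("!H", build_tci(pcp, p["dei"], p["vid"])) + frame[16:]


# constructed sample: untagged IPv4 frame from the desktop on g1 (payload truncated)
UNTAGGED = (_mac_bytes("00:1b:21:aa:bb:cc") + _mac_bytes("00:e0:4c:11:22:33")
            + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45\x00\x00\x14" + b"\x00" * 16)


def demo():
    """The two Wireshark captures from the post: g1 tagged into VLAN 1 with
    the default priority 0, then with priority 3 configured on g1."""
    before = tag_frame(UNTAGGED, vid=1)   # what g3 saw first: PCP 0
    after = set_priority(before, 3)      # what g3 saw after setting priority 3
    return parse_frame(before), parse_frame(after)


if __name__ == "__main__":
    for label, parsed in zip(("before", "after"), demo()):
        print(label, {k: parsed[k] for k in ("vid", "pcp", "dei", "ethertype")})
```

The tag bytes for VLAN 1 with priority 3 are 81 00 60 01 followed by the original EtherType 08 00, which is what the third screenshot's hex pane would show.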
|
Most installations I've seen use 568B.
|
# ¿ Apr 25, 2014 14:10 |
|
Powercrazy posted:
Any good resources for IPv6?

If you're the learn-by-doing type, Hurricane Electric's tunnelbroker.net and "certification program" provide both connectivity and a set of tasks to complete (e.g. set up an IPv6-enabled email server, IPv6 DNS glue), and they'll give you a free t-shirt if you do all the tasks. Also, this presentation covers most of the basics, and this one covers subnetting.

SamDabbers fucked around with this message at 18:02 on Apr 30, 2014 |
# ¿ Apr 30, 2014 16:59 |
|
Zero VGS posted:
I was reading that about different subnets being required for Anyconnect and the LAN. There's no way around that? Because Steam "requires" the PCs to be found on the same subnet.

Steam IHS uses IPv4 broadcast for discovery, so forwarding the ports between distinct subnets probably won't work. It seems like you'd need to bridge the VPN client onto the LAN, and I'm not sure if it's even possible to do bridging on an ASA. It is possible to have your VPN pool be a subset of the LAN subnet and use proxy arp, but that probably doesn't forward broadcast packets. I'd try setting up OpenVPN with a bridged TAP interface. Even if you can get the streaming to work via VPN, it probably won't work very well, but it's fun to try.
|
# ¿ Jun 13, 2014 17:14 |
|
Zero VGS posted:
OK, I'll research the OpenVPN bridged tap thingy.

Again, the bridging issue. You could definitely do it with routers, but the ASA platform is pretty limited.
|
# ¿ Jun 13, 2014 17:45 |