CrazyLittle posted: Come to think about it, what happens to auto duplex negotiation when you disable CDP?

CDP has nothing to do with the negotiation. It can just give you warnings based on the CDP info from the other side, which is more often than not wrong.

Posted Sep 8, 2010 20:14
sterster posted: OK so here is an image of the topology, and a link for the pastebin with the configs for both routers and switches

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 is nasty and I am not sure it would work in your setup. Specify the next hop IP instead (192.168.215.112). Also you might want to explain what is not working, and do some traceroutes / pings and explain what works and what doesn't.

Posted Sep 10, 2010 18:58
sterster posted: Yeah I know that is not proper technique for default route but it is working. As Joel's router does have access to the outside world without issue. There is actually only one item (the cloud that can receive the info from the Fa0/0)

What IP do the PCs have?

Edit: Never mind that, it should work better if you turn on ip nat inside on all the subinterfaces on Tim's router.

ior fucked around with this message at 19:28 on Sep 10, 2010

Posted Sep 10, 2010 19:25
Harry Totterbottom posted: Does it break all of the nat config from prior versions? (Haven't upgraded because we haven't tossed in more RAM yet.)

I have done 15 or so upgrades and the automatic conversion process only failed once. So you should probably be fine if you don't have a very complex config.

Posted Sep 10, 2010 19:41
Bardlebee posted:

dns-server 1.1.1.1 2.2.2.2

Posted Sep 15, 2010 20:23
falz posted: Cisco's SSLVPN can work in two ways. The web based portal that you're describing above that essentially is a series of links to internal resources is one of them. The other still uses an SSL based login to a website but it lets you launch a client (Anyconnect) that will establish a VPN tunnel just as you're using now. This has the nice added benefit of it working in many cases where IPSec doesn't, such as behind unknown NAT devices at hotels that block it.

Or to make it even easier you can roll out the Anyconnect client with certificate authentication (meaning no username / password). And it can even auto connect if it detects that it is not on the corporate LAN.

Posted Sep 19, 2010 11:14
Syano posted: This almost sounds too good to be true but honestly is exactly what I was looking for. Time now to go get some pricing on licenses.

If you already have the ASA boxes then all you need is:

Anyconnect Essentials (to get Anyconnect):
For the 5510 (max 250 sim. users): $150
For the 5520 (max 750 sim. users): $250
For the 5540 (max 2500 sim. users): $350

and AnyConnect Mobile VPN (to get the auto-connect feature, requires 8.3):
For the 5510: $150
For the 5520: $250
For the 5540: $350

These are GPL prices, you should expect to pay about 60-70%. Prices are not per-user but for the whole box, or cluster if running 8.3+.

ior fucked around with this message at 14:05 on Sep 19, 2010

Posted Sep 19, 2010 14:01
jwh posted: Did they ever enable SSLVPN on the ASA while it's running in multiple context mode?

Not yet.

Posted Sep 21, 2010 17:19
jwh posted: I'd be really interested in seeing a working configuration for an iPhone/iPad doing IPSec to an IOS based router with certificate based authentication.

Save yourself some trouble and go with Anyconnect/SSLVPN.

Posted Sep 30, 2010 20:20
Sigh, the end result of 4 RMAs and one pissed off customer, newly created bug id: CSCtj20996

Symptom: When using some blue-tooth serial adapters connected to the console port of the ct5508 controller, the unit will go into a continuous crash loop until the blue-tooth serial adapter is removed from the console port.

Workaround: Remove the blue-tooth serial adapter and allow the unit to fully boot. Once booted, you can reinstall the blue-tooth serial adapter and use it normally.

Cisco, I do not love you today!

Posted Oct 3, 2010 12:32
ragzilla posted: Was it generating serial breaks?

Nope. I have been using this bluetooth adapter without trouble for 2 years now on both routers and switches, I would notice if it was generating breaks.

Posted Oct 3, 2010 17:25
jwh posted: DMVPN would be easier. That's what I'd recommend.

+1 for DMVPN, which is awesome.

Posted Nov 19, 2010 18:43
jwh posted: ASA's are licensed based on how many users (read as: visible MACs seen by the device's LAN port, or something).

The 5505 is the only model with this kind of licensing.

Posted Dec 3, 2010 22:24
jwh posted: I didn't know that, but that explains why we didn't have to buy user licensing for our 5540s.

I would say their SSLVPN licensing is reasonable. I just bought 750 users for my ASA5520 for ~100USD.

Posted Dec 3, 2010 23:52
falz posted: It's not comparable to Juniper. The $100 mentioned is AnyConnect Essentials which is more or less the Network Connect portion of Juniper IVE. If you want to get the portal area and such it's also very expensive, like with Juniper. I'm pretty sure they only came out with the Essentials cheap license since they said the fat client was EOL and would never run on 64bit OS's. They then went ahead and added support for that sometime this summer anyway.

This is true, however I still haven't found a good reason for using the web portal, in my opinion it kinda sucks with the whole java ordeal. The new generation client (3.0) doesn't even require a reboot after installation and the installer is 4Mb so quite lightweight.

Posted Dec 4, 2010 12:03
Drumstick posted: Will cdp show me the HP switches that are connected to the cisco switch? I know that it supposedly does not, but in WCS the cisco WAPs are showing the HP switches they are connected to in cdp.

Older HP gear actually does run CDP.

Posted Feb 7, 2011 21:48
pairofdimes posted: Which ASR do you mean? The ASR9k runs IOS-XR, but the ASR1k runs IOS.

The ASR1k runs IOS-XE.

Posted Feb 18, 2011 16:01
This is just too exciting to be silent about. 100 vs 1Gbe optics comparison; I will be using these to deliver internet access to the world's second largest computer party, 100Gbps internet, yessir!

More pictures: http://gallery.fnutt.net/tg11/

ior fucked around with this message at 23:54 on Apr 2, 2011

Posted Apr 2, 2011 21:11
nex posted: Aha, so you are the one working on the routers for TG. Small world.

That is awesome! Have I talked to you before or just your colleagues?

ior fucked around with this message at 22:31 on Apr 2, 2011

Posted Apr 2, 2011 22:22
Powercrazy posted: I saw the prototype 40G "Godzilla" cards about 4 years ago. Cool how far we've come. What's the range, and what is delivering that? Is the CRS actually aggregating 10 OC-192's or what?

Unfortunately I can't tell you much about the 100G optics. However it is correct that our ISP's CRS-3 will be aggregating 11 or so OC-192s and then feeding 100G to our CRS-3, which in itself will be aggregating 12 OC-192s.

ior fucked around with this message at 14:42 on Apr 3, 2011

Posted Apr 3, 2011 10:52
ragzilla posted: Looks like a colorized syslog tail (possibly MultiTail).

Correct, tail -f cisco.log | ccze

Posted Apr 9, 2011 21:50
CrazyLittle posted: Nah if his internet connection really is 85mbit then it'll CRUSH an 1841 even if he does straight static routing. 1841's only good for 40-45mbit

Nope, my 1811 which is slightly slower than the 1841 does about 38% cpu at 50Mbit/s with NAT. The 1841 is good for 38Mbit/s in 64 byte packets, much more with a more reasonable traffic mix. He should be fine.

ior fucked around with this message at 19:07 on May 19, 2011

Posted May 19, 2011 19:05
Powercrazy posted: Anyone know of an equivalent command "sh int status" or even better "service unsupported-transceiver" for an ISR, specifically, a Cisco-3845?

code:
igr-tg2#sh int gig0/1
GigabitEthernet0/1 is up, line protocol is up
  Hardware is PQ3_TSEC, address is e05f.b945.c381 (bia e05f.b945.c381)
  Description: xxxx
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation 802.1Q Virtual LAN, Vlan ID 1., loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is RJ45

Posted Jun 10, 2011 09:37
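The condensed per-port view the question is after can be produced from the verbose output quoted above. What follows is an added example, not from the post and not a Cisco tool: a Python script that parses "show interfaces" text into a "show interfaces status"-style table and flags connected ports that are not running full duplex. The sample output it parses is constructed (made-up MAC addresses, descriptions and extra ports, modelled on the Gi0/1 block above), and the function and field names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the Gi0/1 output quoted in the post.
# MAC addresses, descriptions and the second/third ports are made up.
SAMPLE = """\
GigabitEthernet0/0 is up, line protocol is up
  Hardware is PQ3_TSEC, address is 0000.0c00.0001 (bia 0000.0c00.0001)
  Description: uplink to core
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is RJ45
GigabitEthernet0/1 is up, line protocol is up
  Hardware is PQ3_TSEC, address is 0000.0c00.0002 (bia 0000.0c00.0002)
  Description: lab switch
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation 802.1Q Virtual LAN, Vlan ID 1., loopback not set
  Keepalive set (10 sec)
  Half-duplex, 100Mb/s, media type is RJ45
GigabitEthernet0/2 is administratively down, line protocol is down
  Hardware is PQ3_TSEC, address is 0000.0c00.0003 (bia 0000.0c00.0003)
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto-speed, media type is RJ45
"""

# Interface headers start at column 0; the detail lines are indented.
HEADER_RE = re.compile(
    r"^(\S+) is (up|down|administratively down), line protocol is (up|down)")
DESC_RE = re.compile(r"^\s+Description: (.*)$")
VLAN_RE = re.compile(r"Vlan ID (\d+)")
DUPLEX_RE = re.compile(
    r"^\s+(Full|Half|Auto)-duplex, (\d+Mb/s|Auto-speed), media type is (\S+)")


@dataclass
class Port:
    name: str
    status: str            # connected / notconnect / disabled
    description: str = ""
    vlan: str = "routed"   # an 802.1Q (sub)interface reports its VLAN ID
    duplex: str = "?"
    speed: str = "?"
    media: str = "?"


def parse_show_interfaces(text):
    """Turn 'show interfaces' text into one Port per interface block."""
    ports, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            name, admin, proto = m.groups()
            if admin == "administratively down":
                status = "disabled"
            elif admin == "up" and proto == "up":
                status = "connected"
            else:
                status = "notconnect"
            cur = Port(name=name, status=status)
            ports.append(cur)
            continue
        if cur is None:
            continue  # text before the first interface header
        m = DESC_RE.match(line)
        if m:
            cur.description = m.group(1).strip()
            continue
        m = VLAN_RE.search(line)
        if m:
            cur.vlan = m.group(1)
            continue
        m = DUPLEX_RE.match(line)
        if m:
            cur.duplex, speed, cur.media = m.groups()
            cur.speed = "auto" if speed == "Auto-speed" else speed[:-len("Mb/s")]
    return ports


def format_status(ports):
    """Render a compact table in the spirit of 'show interfaces status'."""
    fmt = "{:<20}{:<18}{:<12}{:<8}{:<8}{:<8}{}"
    rows = [fmt.format("Port", "Name", "Status", "Vlan", "Duplex", "Speed", "Type")]
    for p in ports:
        rows.append(fmt.format(p.name, p.description[:16], p.status,
                               p.vlan, p.duplex, p.speed, p.media))
    return "\n".join(rows)


def duplex_problems(ports):
    """Connected ports not running full duplex: the usual symptom of a
    speed/duplex negotiation mismatch."""
    return [p.name for p in ports if p.status == "connected" and p.duplex != "Full"]


if __name__ == "__main__":
    ports = parse_show_interfaces(SAMPLE)
    print(format_status(ports))
    print("duplex problems:", duplex_problems(ports))
```

Feed it the saved output of "show interfaces" from the router (for example via a terminal log) and it gives the one-line-per-port summary that the ISR lacks; the half-duplex check is the part worth keeping in a monitoring script.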
J Crewl posted: I have a stupid question about wireless access points. If an AP, let's say it's the 3500 series running 802.11n, is dual band with both 2.4 and 5GHz radios, it can only operate one at a time? I was planning on using strictly the 5GHz, but what if a client is only capable of 2.4, do I need more AP's?

It can run both 2.4 and 5GHz at the same time.

Posted Jun 17, 2011 13:59
elite burrito posted: If they implemented roll-backs and commits wouldn't you have less incentive to buy CiscoWorks?

Not really, CiscoWorks can't save you the way a commit / rollback would be able to.

Posted Jul 10, 2011 20:06
Harry Totterbottom posted: Clients are unable to authenticate onto the wireless network. The WLAN controller is able to use Radius to authenticate ssh login without a problem.

Check the server certificate in the EAP settings on the NPS.

Zuhzuhzombie!! posted: TAC's going through the show tech now. What they've found that's strange is that, according to them, the flash file structure looks like we decompressed a .tar image for the install.

Would you mind sending me the TAC SRN? Really curious about this one.

ior fucked around with this message at 22:39 on Jul 11, 2011

Posted Jul 11, 2011 22:36
Zuhzuhzombie!! posted: eMail?

daniel@fnutt.net

Harry Totterbottom posted: Thanks man this put me on the right track. I had been using the main CA cert on the NPS box and flipped it over to a PEAP issued one I had setup, made some changes to the SSID settings on my laptop and it looks like it's working.

Great. Trying to interpret the NPS logs is hell on earth.

Posted Jul 12, 2011 18:47
Harry Totterbottom posted: Any recommendations on QoS testing software? I need to check the jitter on a P2P Wireless connection to determine if it's feasible to run VOIP traffic over it. Bandwidth wise things look great in iperf, but I just want to verify that this is going to work right before relocating everything from the main office to the Data Center.

Ixia IxChariot is totally awesome and really expensive. On the cheap side: ip sla (in IOS), or Qcheck: http://www.ixchariot.com/products/datasheets/qcheck.html

Posted Jul 13, 2011 18:10
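Whatever tool generates the probes (IP SLA UDP jitter, IxChariot, or a home-made UDP sender), the number that decides whether the link can carry voice is the interarrival jitter. The following is an added example of my own, not code from the post or from any of the tools named in it: it implements the RFC 3550 smoothed jitter estimator and summarises a probe run against the commonly quoted VoIP planning targets. The probe timestamps are constructed, the 30 ms / 1% / 150 ms thresholds are assumptions that should be replaced with whatever the voice platform vendor specifies, and the function names are mine.

```python
# Constructed sample: 20 probes sent every 20 ms (G.711-style packetisation),
# arriving with a 35 ms base transit time plus a few ms of made-up variation;
# probe 10 is lost. All values are invented for the demonstration.
_NOISE_MS = [0, 3, -2, 5, 1, 0, 4, -1, 2, 0, 6, 1, -3, 2, 0, 1, 5, -2, 0, 3]
SAMPLE_PROBES = [
    (20 * i, None if i == 10 else 20 * i + 35 + n)   # (sent_ms, recv_ms or None)
    for i, n in enumerate(_NOISE_MS)
]


def interarrival_jitter(sent_ms, recv_ms):
    """RFC 3550 section 6.4.1 smoothed interarrival jitter.

    D is the change in transit time between consecutive received packets;
    the estimate moves 1/16 of the way toward |D| on every packet, which is
    the figure VoIP endpoints and probes normally report.
    Returns (final estimate, list of per-packet |D| values).
    """
    jitter, deltas, prev_transit = 0.0, [], None
    for sent, recv in zip(sent_ms, recv_ms):
        transit = recv - sent
        if prev_transit is not None:
            d = abs(transit - prev_transit)
            deltas.append(d)
            jitter += (d - jitter) / 16
        prev_transit = transit
    return jitter, deltas


def analyse(probes, jitter_limit_ms=30.0, loss_limit_pct=1.0, delay_limit_ms=150.0):
    """Summarise a probe run. Lost probes (recv None) count toward loss and
    are skipped by the jitter estimator, as a receiver would do.
    Thresholds are assumed planning targets, not measured requirements."""
    received = [(s, r) for s, r in probes if r is not None]
    loss_pct = 100.0 * (len(probes) - len(received)) / len(probes)
    jitter, deltas = interarrival_jitter([s for s, _ in received],
                                         [r for _, r in received])
    delays = [r - s for s, r in received]
    avg_delay = sum(delays) / len(delays) if delays else float("inf")
    result = {
        "sent": len(probes),
        "received": len(received),
        "loss_pct": loss_pct,
        "jitter_ms": round(jitter, 3),
        "max_delta_ms": max(deltas) if deltas else 0,
        "avg_delay_ms": round(avg_delay, 3),
    }
    result["voip_ok"] = (jitter <= jitter_limit_ms
                         and loss_pct <= loss_limit_pct
                         and avg_delay <= delay_limit_ms)
    return result


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_PROBES).items():
        print(f"{key:>14}: {value}")
```

Note that the sample run fails on loss, not on jitter: a single lost probe in twenty is 5% loss, which is why a jitter-only check on a wireless P2P link is not enough; run the probes long enough to see the loss rate too.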
Bardlebee posted: When talking VPN's, what type of VPN's are out there? I know of the following:

SSL MPLS EVN

Posted Jul 13, 2011 20:12
Zuhzuhzombie!! posted: %PM-4-ERR_DISABLE: link-flap error detected on Gi1/0/27, putting Gi1/0/27 in err-disable state

Anything is possible. If it keeps happening I would say you have a bad cable though.

Posted Jul 20, 2011 18:50
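Both the colorized "tail -f cisco.log | ccze" mentioned earlier in the thread and the err-disable message quoted here come down to reading the "%FACILITY-SEVERITY-MNEMONIC:" marker in IOS syslog output. The following is an added example of my own, not code from the posts or from ccze: a Python parser for that format, with detection logic that lists err-disabled ports with their reason, counts link transitions per interface so a flapping port shows up before the switch err-disables it, and colours lines by severity the way a tailed log viewer does. The log lines are constructed (the err-disable line mirrors the one quoted above; the rest are invented), and the thresholds and function names are mine.

```python
import re
from collections import Counter

# Constructed sample in IOS syslog format. Timestamps, interfaces and the
# management address are invented; the %PM-4-ERR_DISABLE line mirrors the one
# quoted in the post.
SAMPLE_LOG = """\
Jul 20 18:39:50.101: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/27, changed state to down
Jul 20 18:39:52.310: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/27, changed state to up
Jul 20 18:39:55.420: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/27, changed state to down
Jul 20 18:39:57.600: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/27, changed state to up
Jul 20 18:40:01.009: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/27, changed state to down
Jul 20 18:40:02.991: %PM-4-ERR_DISABLE: link-flap error detected on Gi1/0/27, putting Gi1/0/27 in err-disable state
Jul 20 18:40:03.120: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/27, changed state to down
Jul 20 18:41:01.100: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
Jul 20 18:41:20.000: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
Jul 20 18:41:21.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
*** garbage line without a syslog message ***
"""

SEVERITY = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
            4: "warning", 5: "notice", 6: "informational", 7: "debugging"}

# %FACILITY-SEVERITY-MNEMONIC: text   (severity is a single digit 0-7)
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")
ERRDISABLE_RE = re.compile(
    r"(?P<reason>[\w-]+) error detected on (?P<iface>[^,\s]+), putting \S+ in err-disable state")
UPDOWN_RE = re.compile(r"Interface (?P<iface>[^,\s]+), changed state to (?P<state>up|down)")


def parse_line(line):
    """Return a dict for an IOS syslog line, or None for anything else."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["severity_name"] = SEVERITY[rec["severity"]]
    rec["raw"] = line
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def err_disabled_ports(records):
    """(interface, reason) for every %PM-4-ERR_DISABLE event."""
    found = []
    for r in records:
        if r["facility"] == "PM" and r["mnemonic"] == "ERR_DISABLE":
            m = ERRDISABLE_RE.search(r["text"])
            if m:
                found.append((m.group("iface"), m.group("reason")))
    return found


def link_transitions(records):
    """Count %LINK-3-UPDOWN transitions per interface (LINEPROTO is excluded
    so each physical flap is counted once)."""
    counts = Counter()
    for r in records:
        if r["facility"] == "LINK" and r["mnemonic"] == "UPDOWN":
            m = UPDOWN_RE.search(r["text"])
            if m:
                counts[m.group("iface")] += 1
    return counts


def flapping_ports(records, threshold=3):
    """Interfaces with at least `threshold` link transitions in the window
    (threshold is an assumed value): catches a flapping port before the
    switch err-disables it."""
    return sorted(i for i, n in link_transitions(records).items() if n >= threshold)


# ANSI colour per severity, roughly what ccze does for a tailed log.
_COLOURS = {0: "1;31", 1: "1;31", 2: "31", 3: "31", 4: "33", 5: "32", 6: "36", 7: "37"}


def colorize(rec):
    return "\033[%sm%s\033[0m" % (_COLOURS[rec["severity"]], rec["raw"])


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(colorize(r))
    print("err-disabled:", err_disabled_ports(recs))
    print("flapping:", flapping_ports(recs))
```

Pointed at a real syslog file the same functions work unchanged; the interface name in the ERR_DISABLE text is the short form (Gi1/0/27) while LINK messages use the long form, so map one to the other before correlating the two.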
Sepist posted: I have a client whose ASA pair hovers below 24% free memory, weekly I'm having to do a failover and reboot the primary then vice versa. I opened a TAC case for it and they told me to downgrade from 8.2 to 8.0 but we had upgraded to 8.2 from 8.0 due to another issue in which TAC told us to upgrade (they ignored this note).

Downgrade? I'd say it's time to move on to 8.3 or 8.4 (8.4 will require a memory upgrade).

Posted Jul 30, 2011 10:38
StabbinHobo posted: Should I be reading up on the 2k, 3k, 4k, or 5k range of nexi?

For that size I would say dual 5k (vPC rocks) with 2k extenders as TOR switches. Keep in mind the 5k is L2 only until you add a L3 module.

Posted Aug 8, 2011 12:01
jbusbysack posted: To add to this - I would alter that and use 4900Ms as core (L3) and use 5k +2k fex for TOR. The only downside is the small nature of 4 racks/60 servers

Why 4900M over 5k with L3 module?

Posted Aug 9, 2011 11:42
Langolas posted: Does anyone know if there's a way to have someone's profile.xml deleted or re-downloaded when they connect with the anyconnect client? I was thinking of just creating a new .xml profile and associating it with the tunnel and then my clients anyconnect would default off of that profile when the program loads.

Make your changes to the profile in ASDM and the clients will automatically update the next time they connect.

Posted Aug 20, 2011 17:13
Bardlebee posted: I am going to be taking two WAP's and connecting it to a basic 861 router. I wish to keep both WAP's on separate networks, so I figure I would make one 192.168.1.0 and the other 192.168.2.0.

As this is written by hand I might have missed something, but it should get you started. The VRF makes the guest traffic totally isolated from the inside network so there should not be any security issues. The config assumes your outside interface is called fa4 so change accordingly.

code:

ior fucked around with this message at 12:05 on Sep 1, 2011

Posted Sep 1, 2011 11:51
inignot posted: They are for storage, just like a flash slot.

Good for charging your bluetooth serial port. Or storage, that works too.

Posted Sep 2, 2011 21:16
Bob Morales posted: It'd be nice if you could use them as a serial interface since laptops don't come with serial ports anymore, and are starting to not come with ethernet ports either.

Many of the newer Cisco devices come with a USB serial port. Have a look at the 1900 for example.

Posted Sep 4, 2011 10:20
Sepist posted: If I wanted to set up a Dynamic VPN where only authorized laptops would be allowed to VPN in, would the best solution be Certificate based and only allowing administrators to import the client side certificate with a password?

Joining the relevant computers into an AD group that enrolls them with a certificate would probably be the way to go.

Posted Oct 1, 2011 10:57
BelDin posted: We are a prime government contractor of about 150 people providing IT (among many other things) infrastructure support services to the main site contract of about 1600. This will probably go to about 2000 over the next year.

Being an SE, hopefully I can help you get in touch with the right people. Send me a PM or email (daniel@fnutt.net) if you want help.

Posted Oct 26, 2011 17:03
ruro posted: Does anybody know of a decent product for managing ACLs? At the moment I'm using baseline configurations in Ciscoworks to keep ACLs consistent across our network devices but it's pretty kludgy. I know there used to be an ACL manager product for ciscoworks but it's long been end of sale.

Cisco Security Manager!

Posted Oct 27, 2011 05:25