para posted: I had a Linksys WRT54G a while back, and I have a DNS entry for my global IP called, say, para.com. On one of the computers on my LAN I'm running a web server on port 80, but I noticed a lot of buffer overflow attempts coming from the outside so I set my router to statically NAT from para.com:85 to 192.168.1.108:80. code:

A simpler way would be to just edit your local hosts file for the IP, but I never recommend doing this as it's easily forgotten.

# Jan 25, 2009 17:46

hybr1d posted: Can you tell me how? The UI seems to require a 3rd-party Web Filter server/appliance to handle URL filtering. I need to block certain URLs and, for a couple of IPs, only allow a handful of URLs.

Is NBAR on ASA? If so that should do the trick (use regexp rules to block certain URLs).

# Feb 6, 2009 03:41

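
The ASA has no NBAR; the equivalent knob is the HTTP inspection engine under Modular Policy Framework, driven by regex class-maps. The following is an added example, not from the original post: the hostnames, the two restricted client addresses and the class/policy names are made up, and it is written from 8.x MPF syntax, so check it against your release.

```text
! Block a few hostnames for everyone (cleartext HTTP only)
regex BLOCK-HOST-1 "badsite\.example"
regex BLOCK-HOST-2 "otherbad\.example"
class-map type regex match-any BLOCKED-HOSTS
 match regex BLOCK-HOST-1
 match regex BLOCK-HOST-2
!
class-map type inspect http match-all HTTP-BLOCKLIST
 match request header host regex class BLOCKED-HOSTS
!
policy-map type inspect http HTTP-FILTER
 parameters
 class HTTP-BLOCKLIST
  drop-connection log
!
! Allow-list for two clients: anything that is NOT one of these hosts is dropped
regex ALLOW-HOST-1 "intranet\.example"
regex ALLOW-HOST-2 "vendor\.example"
class-map type regex match-any ALLOWED-HOSTS
 match regex ALLOW-HOST-1
 match regex ALLOW-HOST-2
!
class-map type inspect http match-all HTTP-NOT-ALLOWED
 match not request header host regex class ALLOWED-HOSTS
!
policy-map type inspect http HTTP-ALLOWLIST
 parameters
 class HTTP-NOT-ALLOWED
  drop-connection log
!
! Layer 3/4 class selecting only the two restricted clients' web traffic
access-list RESTRICTED-CLIENTS extended permit tcp host 192.168.10.5 any eq www
access-list RESTRICTED-CLIENTS extended permit tcp host 192.168.10.6 any eq www
class-map RESTRICTED-CLIENTS
 match access-list RESTRICTED-CLIENTS
!
policy-map global_policy
 class RESTRICTED-CLIENTS
  inspect http HTTP-ALLOWLIST
 class inspection_default
  inspect http HTTP-FILTER
!
service-policy global_policy global
```

Two caveats. This only sees the Host header of cleartext HTTP, so HTTPS (and anything on a port you did not put in the inspection class) walks straight past it. And class order inside global_policy matters: a connection is handed to the first class that matches for a given feature, so RESTRICTED-CLIENTS has to sit above inspection_default or those two hosts get the generic block list instead of the allow list. Check what is actually being applied with show service-policy inspect http.
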
jwh posted: Have you seen similar behavior outside the T train? T train is the pain train. 12.4(15)T8 is allegedly decent, at least compared to other 12.4T's.

It's 12.5. I'm surprised a 3600 can run that at all. 3620 ended at 12.3, 3640 at 12.4, and it looks like 3660 at 12.5.

# Feb 17, 2009 00:51

Powercrazy posted: Basically I want to connect to my switch and shut down or bring up an interface, by just running a simple command.

# Mar 9, 2009 23:59

Martytoof posted: Guys. I'm still kind of scratching my head here. This is basically a continuation of my last help thread for router recommendations.

The 3640's software ends at 12.4, and 2600XMs can run newer images with more features (such as 12.4T). Other than that, a 3640 is more powerful: http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

I probably would go with the 3640. It supports more NMs, is more powerful, and I really doubt anything in the CCNA refers to anything beyond 12.4. You'll also have lots of fun with the 3640 when you hose an IOS upgrade and have to do it over serial.

# Mar 29, 2009 18:47

Your backup route won't actually kick in unless the Ethernet interface facing that direction actually goes down. You can use IP SLA to track some service (ping 4.2.2.2 for example). If the response fails (cable modem down), it will change your route. This was the first hit that Google turned up for it and has a decent example: http://www.inacom-sby.net/Shawn/post/2007/11/Cisco-IP-SLA-for-failover.aspx

# Apr 14, 2009 23:34

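
Here is what that looks like on 12.4, as an added example that is not from the post or the linked page; the next-hop addresses and interface name are assumed.

```text
! Probe 4.2.2.2 every 5 s, sourced from the cable-facing interface
ip sla 1
 icmp-echo 4.2.2.2 source-interface FastEthernet0/0
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Object 1 is up while the probe is answered; damp it so one lost ping
! does not flip the default route
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! Primary default route is withdrawn when track 1 goes down;
! the backup has a worse administrative distance so it only wins then
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250
!
! Pin the probe target to the primary link. Without this, once the backup
! default route takes over the probe succeeds via the backup, the track
! comes up, the primary route returns, the probe fails again, and so on.
ip route 4.2.2.2 255.255.255.255 203.0.113.1
```

show track 1 and show ip sla statistics 1 tell you which state you are in and why. Pick a probe target the provider will not rate-limit or drop, because from the router's point of view a dead 4.2.2.2 and a dead cable modem look identical.
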
jwh posted: I should point out that that is different from the way Juniper does RDP on their IVE boxes, in that IVE-based RDP simply calls the machine's native mstsc.exe and directs it towards a local socket that is proxied through the SSL tunnel.

# Apr 25, 2009 00:32

nex posted: What is your routine when upgrading remote critical routers?

# May 26, 2009 02:11

Sojourner posted: "FreeBSD 4.10 (STABLE)

# Jun 4, 2009 02:25

Sojourner posted: It'd be more than a login banner change because the login prompt is different from IOS. Before I left work I checked the MAC address that was associated with the IP and it was coming up as a Cisco one, and did a quick nmap/Zenmap scan and it said the telnet daemon was the Cisco version.

# Jun 4, 2009 04:02

Weissbier posted: Has anyone had success with the Cisco AnyConnect client? I don't know what I'm missing. We have an ASA 5540 running ASA 8.2(1)/ASDM 6.2(1).

# Jun 12, 2009 16:02

Weissbier posted: It is in production. I opened up the XML but I don't see a webvpn section. I'm really lost here. The only part I see that needs to be changed from the sample XML is:

# Jun 13, 2009 15:50

Mierdaan posted: Anyone want to give me a high-level overview of best practices for setting up a site-to-site VPN link between a PIX 515E and an 871 Integrated Services Router? The PIX is running 6.3(5), not sure about the 871 since it's at a remote site I haven't been to yet.

# Jun 24, 2009 21:58

huzzah posted: This causes routes learned via iBGP to have a higher admin distance. Default ADs for platforms are listed here: http://www.inetdaemon.com/tutorials/internet/ip/routing/administrative_distance.shtml OSPF defaults to 110, iBGP defaults to 200. If you want your point-to-point links to be advertised I would normally add another 'network' statement in your router ospf section for the /30s, such as: code:

# Jun 28, 2009 18:14

Mackieman posted: Yeah, I figured that was part of the issue. Any ideas on how to resolve that little gem? code:

# Jul 18, 2009 17:24

That access list is sorely in need of some udp/53 for DNS to work.

# Jul 20, 2009 22:42

wolrah posted: Wonderfully comforting when Cisco.com goes down and the entire Cisco-owned /24 it's in disappears from BGP. I know they're hosted by Akamai, but it kinda feels like if I called AT&T and got "The number you have dialed has been disconnected."

# Aug 4, 2009 16:31

Tony Montana posted: Ok, I've been doing some reading.

# Aug 7, 2009 13:17

Wyznewski posted: I have a question about setting up a VPN to do certificate authentication on a PIX 506. All the documentation I can find says you have to request a certificate from a third party, or use a Microsoft certificate authority server. Can anyone confirm that? Is there any way to self-sign a certificate on a Linux platform? Thanks.

# Aug 12, 2009 18:07

Casimirus posted: Are there any good resources for EOL Cisco gear? The IOS Software Selector is useless for anything old and biased against switches, and the Feature Navigator is only a little better.

You can browse switch software here, which will give you release dates for each platform. You do of course need a CCO login. Getting a login is probably really what you need. Just get support on the cheapest device you have, it shouldn't cost that much.

* http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=268438038

If it helps any, the latest are:

* 2900XL: "c2900xl-c3h2l9s-mz.120-5.WC17.bin Release Date: 10/Apr/2007"
* 3500XL: "c3500xl-c3h2s-mz.120-5.WC17.bin Release Date: 10/Apr/2007"
* 2950: "c2950-i6k2l2q4-mz.121-22.EA13.bin Release Date: 03/Mar/2009"

falz fucked around with this message at 18:23 on Sep 6, 2009

# Sep 6, 2009 18:21

Syano posted: Just going to throw this out there. We bought several Dell switches a couple of years back because the price points were so far apart we thought it made sense at the time. Since that purchase, 2 out of the three we bought have had problems of a hardware nature and required replacing. In the 4 years I have been in my current gig we have yet to lose a Cisco. I know it's anecdotal but for us we won't buy anything else anymore.

We also had some older 2nd-generation Dell switches that constantly died. The issue ended up being that the closet they were in was very hot and they were far less tolerant than Cisco or even HP for environmental issues. They also had some very bad bugs we had to call Dell about. They gave us some secret firmware that fixed the issue. However, this firmware isn't on Dell's website, no idea why it's not. I would probably use a Dell switch at my house or in a small isolated single-switch LAN environment, but not really anywhere else. I'm pretty sure they're just rebranded SMCs as well. Also the CLI is stupid because it groups settings for each port in different areas (VLAN in one spot, description in another, duplex/speed in another).

# Sep 12, 2009 17:06

The NM-1T3 is ~$2000 used? If money is an issue, get a PA-T3 or PA-2T3 (~$300 used) for a 7200. I see complete used 7206VXRs w/ NPE-400 and PA-T3 cards for $2k on eBay; any reputable reseller will probably be in this ballpark. VXRs aren't EOL and will kick the snot out of a 2800. The only downside I see is that they're just physically larger (3U) vs 1-2U for a 2800.

Edit: I see that the NM-1A-T3 is much less than NM-1T3. Still recommending VXR.

# Sep 15, 2009 15:16

CrazyLittle posted: The VXRs themselves are not EOL if you put a NPE-G1 or G2 in there. Support for the NPE400 is EOL from what we were told by our Cisco rep. Also the -1A- cards are EOL too. They were replaced by A3 cards which cost significantly more.

That still doesn't change the fact that 7200VXRs really are awesome little boxes for the money. This is probably posted somewhere in this thread, but this page for hardware compatibility (and more) is a great reference:

* http://www.cisco.com/web/partners/tools/quickreference/

falz fucked around with this message at 19:03 on Sep 15, 2009

# Sep 15, 2009 19:01

CrazyLittle posted: How much NAT throughput can you get out of a Catalyst 3750? I've got a customer who wants to use fiber in his riser closet, and they rely on us to do their NATing for them on 10 Mbps service.

# Sep 16, 2009 17:47

Also, GBICs are more likely to be found on a switch. Plenty of older/cheap switches will support GBICs. Have a VLAN on the switch that's a TX port to a router and the GBIC port and you're good.

# Sep 16, 2009 18:31

ragzilla posted: We use nfsen - really depends what your goals are for netflow collection - for us it's just used for evaluating potential and existing peers. jwh's shop uses the SolarWinds netflow package and seems to like it.

We use both in our organization. nfsen will let you use tcpdump-like syntax to get detail; the other tutorial will give you customizable graphs and "top talkers" data that auto-updates.

# Sep 26, 2009 04:45

Sojourner posted: Thanks for the recommendation! nfsen is pretty great; while not as slick-looking as SolarWinds/WUG etc. it gets the job done and it doesn't look bad at all. I had it working all morning but managed to break the netflow on the router with a command and I'm not entirely sure what it is.

# Oct 1, 2009 04:39

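
For reference, the IOS side of feeding nfsen is only a few lines. This is an added example, not Sojourner's or falz's config; the collector address and port, the loopback and the interface name are assumed.

```text
! Export v5 records to the nfsen box (nfcapd listening on 9995)
ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination 192.0.2.10 9995
!
! Account flows in both directions on the interface you care about
interface FastEthernet0/0
 ip flow ingress
 ip flow egress
```

show ip flow export shows the destination and how many datagrams have actually been sent, and show ip cache flow should start filling as soon as ip flow ingress is on an interface. The two usual ways to quietly break a working setup are removing ip flow ingress from the interface (flows stop being accounted, so there is nothing to export) and pointing ip flow-export source at an interface with no address.
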
Here's a good comparison of x9xx routers and modules. While the aforementioned licensing issue will suck, at least they will have universal IOS images between the ISR platforms. They haven't updated their router performance PDF yet unfortunately. Also the 1900 looks like some old '30s radio.

# Oct 23, 2009 15:13

Ethereal/Wireshark will show CDP packets and is free.

# Nov 6, 2009 00:16

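
To see what a single CDP announcement gives away without reaching for Wireshark, here is a small parser for the CDP payload (the part after the LLC/SNAP header). This is an added example, not from the thread; the sample frame is constructed in the code rather than captured, and the switch name, platform and version strings in it are made up.

```python
"""Minimal CDP (Cisco Discovery Protocol) payload parser.

Added example, not from the original thread: it shows what one CDP
announcement gives away (hostname, platform, IOS version, port, native VLAN),
which is why CDP is normally disabled on user-facing and untrusted ports.
The sample frame below is constructed, not captured.
"""
import struct

# TLV type codes from the CDP format; only the ones worth reporting on
TLV_DEVICE_ID = 0x0001
TLV_PORT_ID = 0x0003
TLV_CAPABILITIES = 0x0004
TLV_SOFTWARE_VERSION = 0x0005
TLV_PLATFORM = 0x0006
TLV_NATIVE_VLAN = 0x000A

CAPABILITY_BITS = {
    0x01: "Router",
    0x02: "Transparent bridge",
    0x04: "Source-route bridge",
    0x08: "Switch",
    0x10: "Host",
    0x20: "IGMP capable",
    0x40: "Repeater",
}


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words.

    Caveat: Cisco's CDP checksum treats an odd trailing byte differently from
    plain RFC 1071; the constructed payload here is even-length so the two
    agree.  Expect mismatches on odd-length frames from real captures.
    """
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def finalize_checksum(payload: bytes) -> bytes:
    """Fill bytes 2-3 (the checksum field) of a payload built with zeros there."""
    return payload[:2] + struct.pack("!H", checksum(payload)) + payload[4:]


def tlv(tlv_type: int, value: bytes) -> bytes:
    """One TLV: 16-bit type, 16-bit length (header included), value."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_cdp(device_id, port_id, platform, version, capabilities, native_vlan) -> bytes:
    """CDPv2 payload: version(1) ttl(1) checksum(2) followed by TLVs."""
    body = (
        tlv(TLV_DEVICE_ID, device_id.encode())
        + tlv(TLV_PORT_ID, port_id.encode())
        + tlv(TLV_CAPABILITIES, struct.pack("!I", capabilities))
        + tlv(TLV_SOFTWARE_VERSION, version.encode())
        + tlv(TLV_PLATFORM, platform.encode())
        + tlv(TLV_NATIVE_VLAN, struct.pack("!H", native_vlan))
    )
    return finalize_checksum(struct.pack("!BBH", 2, 180, 0) + body)


def parse_cdp(payload: bytes) -> dict:
    """Parse a CDP payload into a dict of the interesting fields.

    Raises ValueError on a bad checksum or a TLV whose length runs past the
    buffer; trusting the length field blindly is how parsers over-read.
    """
    if len(payload) < 4:
        raise ValueError("short CDP payload")
    if checksum(payload) != 0:
        raise ValueError("CDP checksum mismatch")
    info = {"version": payload[0], "ttl": payload[1]}
    string_keys = {TLV_DEVICE_ID: "device_id", TLV_PORT_ID: "port_id",
                   TLV_SOFTWARE_VERSION: "software_version", TLV_PLATFORM: "platform"}
    offset = 4
    while offset < len(payload):
        if offset + 4 > len(payload):
            raise ValueError("truncated TLV header")
        tlv_type, length = struct.unpack("!HH", payload[offset:offset + 4])
        if length < 4 or offset + length > len(payload):
            raise ValueError(f"bad TLV length {length} at offset {offset}")
        value = payload[offset + 4:offset + length]
        if tlv_type in string_keys:
            info[string_keys[tlv_type]] = value.decode("ascii", errors="replace")
        elif tlv_type == TLV_CAPABILITIES and len(value) == 4:
            caps = struct.unpack("!I", value)[0]
            info["capabilities"] = [name for bit, name in CAPABILITY_BITS.items() if caps & bit]
        elif tlv_type == TLV_NATIVE_VLAN and len(value) == 2:
            info["native_vlan"] = struct.unpack("!H", value)[0]
        # other TLVs (addresses, VTP domain, duplex, ...) are skipped
        offset += length
    return info


# Constructed sample: a 2950 announcing itself out FastEthernet0/1
SAMPLE = build_cdp(
    device_id="sw-closet-01",
    port_id="FastEthernet0/1",
    platform="cisco WS-C2950-24",
    version="Cisco IOS Software, C2950 Software, Version 12.1(22)EA13",
    capabilities=0x08 | 0x20,
    native_vlan=1,
)

if __name__ == "__main__":
    for key, val in parse_cdp(SAMPLE).items():
        print(f"{key}: {val}")
```

Everything the parser prints is exactly what anyone plugged into an access port with CDP enabled learns for free: hostname, exact IOS image, platform and the native VLAN. no cdp enable on user ports (or no cdp run globally where you do not need it for phones) is the usual fix.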
Drumstick posted: not enough memory

Use Cisco Feature Navigator in the future to download software. It will tell you the minimum RAM/flash for your image as well as a bunch of other stuff.

# Nov 22, 2009 01:21

hermand posted: kit

# Dec 20, 2009 20:59

Powercrazy posted: It's probably because Cisco gear is known as expensive and whenever you have some expensive stuff (watches, lab gear, a car, or mods for a car, etc.) it's some "expensive kit."

Anyway, on to a real question. My goal is to get MPLS working between various 6500s and 7200s w/ NPE-400s and FastEthernet interfaces, and one 2800 that has no user-settable MTU. (MPLS requires > 1500 MTU.) OSPF requires MTU to match, and this is where I'm having the problem.

12.2SB on 7200s allows me to adjust MTU up to 1530 on FEs. These are connected to Gigabit interfaces on the 6500 that only allow an MTU setting of 9216 or 1500. The real IP on the 6500s lives on an SVI (VLAN) interface. I also have one 2800 that's a member of area 0 that has no user-settable MTU, so it's 1500. This 2800 will not partake in MPLS, but since it's on the same subnet and in area 0, my goal is to get OSPF working @ MTU 1500 while the MPLS routers can operate at 1530 (max possible on 7200 FEs).

In dynamips I've been testing between 7200 & 2600 and found that:

- I can set 'ip ospf mtu-ignore' on the lower MTU side (2600) and OSPF works. OR
- I can set 'ip mtu 1500' on the 7200 (which has mtu 1530) and OSPF works.

Clearly 'ip mtu 1500' is making the 7200's originating OSPF packets say it actually has an MTU of 1500. 'ip ospf mtu-ignore' does exactly what it sounds like. Does the 'ip mtu' command force the router to NEVER generate a packet that's larger than 1500 (generate as in OSPF neighbors, BGP peers)? This works in an emulator but in real life I would suspect I'd have some OSPF packets that are larger than 1500 and possibly some problems due to that.

# Dec 21, 2009 19:08

hermand posted: http://www.askoxford.com/concise_oed/kit_1?view=uk

falz posted: mtu ospf mtu ospf..

Will setting "ip mtu 1500" on an interface ensure that packets created by this router (OSPF) will not be larger than 1500, or could it still create packets up to the interface's MTU setting ("mtu 1530")?

# Dec 21, 2009 22:51

inignot posted: One of the first things on Cisco's site for "ip mtu". I'm sure if you dig more some docs from a recent IOS will come up.

Sounds roughly like a control plane vs data plane distinction.

- ip mtu
- ipv6 mtu
- mpls mtu

From there you can feel free to set any of the above lower to keep that protocol happy. Also, 'ip mtu' should really be called 'ipv4 mtu'.

# Dec 22, 2009 21:33

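
Putting the three knobs side by side on the 7200 FE that faces both the MPLS core and the 2800, as an added example that is not from the thread (addresses and process number assumed):

```text
interface FastEthernet0/0
 ! Layer 2 frame size: room for 1500 bytes of IP plus label stack
 mtu 1530
 ip address 10.10.0.2 255.255.255.0
 ! IPv4 packets this router originates (OSPF DBDs included) stay at 1500,
 ! which is what the 2800 on the same segment will advertise
 ip mtu 1500
 ! Labeled packets may use the whole 1530
 mpls ip
 mpls mtu 1530
!
router ospf 1
 network 10.10.0.0 0.0.0.255 area 0
```

show interfaces FastEthernet0/0 reports the 1530 layer 2 MTU, show ip interface FastEthernet0/0 reports the 1500 IP MTU that OSPF carries in its DBD exchange, and show mpls interfaces FastEthernet0/0 detail reports the MPLS MTU, which is normally capped at the interface MTU. Once the IP MTU on the 7200 matches the 2800's 1500, 'ip ospf mtu-ignore' is no longer needed, which is the safer outcome: mtu-ignore hides the mismatch rather than fixing it, and a real mismatch shows up later as LSAs that never make it across.
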
Powercrazy posted: So I know this is the Cisco thread and all, but I'm looking for something (Cisco or otherwise) that can handle ~1500 dual-homed servers with layer 2 adjacency, with low-latency multicast being the most important aspect.

Force10 (http://www.force10networks.com/products/ethernetsr.asp) is supposed to be quite good in the low latency department. I've never used them though.

Edit: or why not just 6500s loaded with WS-X6748-GE-TX?

falz fucked around with this message at 03:11 on Jan 26, 2010

# Jan 26, 2010 03:07

Powercrazy posted: http://www.eantc.com/fileadmin/eantc/downloads/test_reports/2006-2008/Cisco-Force10/EANTC-Exec-Summary-F10_Cisco.pdf

I have no expertise with Force10 gear, I just know that we have a customer that ditched some other switches (3750s? I don't remember) for some Force10 gear. The customer claims that the F10s helped tremendously with latency issues in their database infrastructure, which consists of a few racks of servers and SSD disk arrays/trays.

Having said that, those [hilarious] results were commissioned by Cisco and clearly it's worded as such. Hell, there's a link to a video in it that allegedly shows the Force10 gear overheating (I say allegedly because it doesn't play on my non-Windows laptop). I'm not at all surprised that Cisco "won" that battle.

# Jan 28, 2010 01:19

Powercrazy posted: And now for something completely different. Anyone know of a "4-eyes" administration system? Where, say, any one of a group of people can make a change to any of the production devices, but the change won't be committed until one of the others approves it. It's not a trust issue, it's an external auditing issue.

Another one I was evaluating is ManageEngine DeviceExpert. It's much cleaner and works better but it's missing a few features that we use from BCAN. I'd say demo DeviceExpert first then try BCAN if it doesn't suffice.

falz fucked around with this message at 01:58 on Feb 3, 2010

# Feb 3, 2010 01:52

Something with a Prolific chipset, like this, should work fine on anything. We use them on FreeBSD, Linux, OS X, Win32. Monoprice also has serial PCI cards if you wanted to put one in a machine.

# Feb 3, 2010 14:22

wang souffle posted: Apparently some idiot is downloading public torrents on our corporate network. I assume it's easy to run a report on the amount of traffic done on each port over a certain time period?

# Feb 5, 2010 19:55

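
If you already export netflow to something like nfsen, the per-host report is a few lines over the flow records, and the same records let you spot the torrent client directly instead of just the biggest talker. The following is an added example, not from the thread: the flow lines are constructed in a simple CSV shape and the 10.1.1.0/24 LAN prefix is assumed; a real nfdump or SolarWinds export has more columns, so adapt parse_flows() to it.

```python
"""Per-host traffic report over flow records, plus a crude peer-to-peer check.

Added example, not from the original thread.  The records are constructed in
a simple CSV shape (start,proto,src,sport,dst,dport,packets,bytes); a real
nfdump or SolarWinds export has more columns, so adapt parse_flows().
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("10.1.1.0/24")   # assumed internal prefix


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    octets: int


# Constructed sample: 10.1.1.20 does ordinary web and DNS traffic; 10.1.1.50
# talks to eight distinct outside peers with high ports on both ends, which
# is what a BitTorrent client looks like in flow data.
SAMPLE_CSV = """\
start,proto,src,sport,dst,dport,packets,bytes
2010-02-05 09:00:01,TCP,10.1.1.20,51234,192.0.2.10,80,40,38000
2010-02-05 09:00:05,TCP,10.1.1.20,51235,192.0.2.11,443,60,71000
2010-02-05 09:00:07,UDP,10.1.1.20,53111,10.1.1.1,53,2,180
2010-02-05 09:01:00,TCP,10.1.1.50,6881,198.51.100.7,51413,700,100000
2010-02-05 09:01:02,TCP,10.1.1.50,6881,198.51.100.9,6881,700,100000
2010-02-05 09:01:04,UDP,10.1.1.50,6881,203.0.113.4,41234,700,100000
2010-02-05 09:01:06,TCP,10.1.1.50,6881,203.0.113.77,60123,700,100000
2010-02-05 09:01:08,TCP,203.0.113.90,55555,10.1.1.50,6881,700,100000
2010-02-05 09:01:10,UDP,198.51.100.22,6881,10.1.1.50,6881,700,100000
2010-02-05 09:01:12,TCP,10.1.1.50,6881,192.0.2.200,49152,700,100000
2010-02-05 09:01:14,TCP,10.1.1.50,6881,192.0.2.201,49153,700,100000
"""


def parse_flows(text: str) -> list:
    """Parse CSV flow lines; the first line is a header and is skipped."""
    flows = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        _start, proto, src, sport, dst, dport, packets, octets = line.split(",")
        flows.append(Flow(proto, src, int(sport), dst, int(dport), int(packets), int(octets)))
    return flows


def is_internal(addr: str) -> bool:
    return ip_address(addr) in LAN


def bytes_by_host(flows) -> dict:
    """Octets attributed to each internal host, whichever end it was on."""
    totals = defaultdict(int)
    for f in flows:
        for host in (f.src, f.dst):
            if is_internal(host):
                totals[host] += f.octets
    return dict(totals)


def top_talkers(flows, n=5) -> list:
    """Internal hosts ranked by octets, highest first (ties by address)."""
    return sorted(bytes_by_host(flows).items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def p2p_suspects(flows, min_peers=6, ephemeral_floor=1024) -> list:
    """Internal hosts exchanging traffic with many distinct external peers
    where BOTH ends use high ports.  Client/server traffic to 80/443/53 never
    counts, so a busy web user does not trip the heuristic."""
    peers = defaultdict(set)
    for f in flows:
        if f.sport <= ephemeral_floor or f.dport <= ephemeral_floor:
            continue
        if is_internal(f.src) and not is_internal(f.dst):
            peers[f.src].add(f.dst)
        elif is_internal(f.dst) and not is_internal(f.src):
            peers[f.dst].add(f.src)
    return sorted(host for host, p in peers.items() if len(p) >= min_peers)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_CSV)
    for host, octets in top_talkers(flows):
        print(f"{host:15} {octets:>10} bytes")
    print("p2p suspects:", p2p_suspects(flows))
```

The peer-count heuristic is deliberately dumb: it will also flag a host running a game client or any other many-peer UDP application, so treat it as a shortlist to look at, not a verdict. If all you have is switch port counters rather than flows, the equivalent is polling ifInOctets/ifOutOctets over SNMP at two points in time and taking the difference, which gives volume per port but nothing about who it talked to.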
Does it even route traffic? It looks like you're missing a NAT command. I'm guessing ACL 100 was intended for a nat command like: code:

# Feb 6, 2010 06:16

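
The usual shape of that, as an added example rather than the missing block from the post; the interface names and the 192.168.1.0/24 inside network are assumed:

```text
interface FastEthernet0/0
 description WAN
 ip address dhcp
 ip nat outside
!
interface FastEthernet0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! ACL 100 only decides WHICH inside sources get translated; it is not a filter
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
! PAT everything matching ACL 100 behind the WAN interface's address
ip nat inside source list 100 interface FastEthernet0/0 overload
```

Without the ip nat inside source line the ACL does nothing, and without ip nat inside/outside on the right interfaces the translation rule does nothing either, which matches the "does it even route" symptom. Keep the NAT ACL separate from any ACL you apply with ip access-group: the NAT ACL should match only your inside prefixes, and reusing a permissive NAT ACL as an interface filter is a classic way to open the WAN side by accident. show ip nat translations and show ip nat statistics confirm it is actually translating.
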