|
Welp, if you are talking about 802.1q QoS when you mention "VLAN QoS", then yes, those bits are turned on/off (CoS = Class of Service) in a layer 2 802.1q frame header, I believe. Somewhere there, if it's not the header; been a long time since I read about it. 5 bits total to turn on and off, abouts. You can just set a manual CoS on all traffic coming in on a switchport, or start picking out traffic by trusting the bit(s) as set by the endpoint device. There's a few options to play with. Edit: Here's the simple config example you would slap on a switchport interface: code:
Herv fucked around with this message at 21:52 on Apr 16, 2007
Apr 16, 2007 21:21
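The two switchport behaviours the post describes (trust the CoS the endpoint set, or stamp one CoS on everything entering the port) come down to one field in the 802.1Q tag: the 3-bit PCP, which sits in the 16-bit TCI next to a 1-bit DEI and the 12-bit VLAN ID. The following is an added example, not code from the thread or from any Cisco tool; the frames, MAC addresses and the names "trust"/"override" are constructed for the demonstration.

```python
"""Parse an 802.1Q tag and apply a switchport CoS policy to it.

Added example, not code from the original thread.  The frames below are
constructed byte strings.  "trust" and "override" are my names for the two
behaviours the post describes: trusting the CoS the endpoint already set, or
stamping a fixed CoS on everything that enters the port.
"""
import struct

TPID_8021Q = 0x8100          # EtherType announcing an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0, dei=0):
    """Assemble an Ethernet frame, inserting a 4-byte 802.1Q tag when vlan is given.

    TCI layout: 3-bit PCP (the CoS value) | 1-bit DEI | 12-bit VLAN ID.
    """
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | (vlan & 0x0FFF)
        hdr += struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


def parse_frame(frame):
    """Return a dict with the MACs, tag fields (if tagged) and the inner EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "tagged": False, "pcp": None, "dei": None, "vlan": None}
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("802.1Q TPID present but the tag is truncated")
        tci, inner = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1,
                    vlan=tci & 0x0FFF, ethertype=inner)
    else:
        info["ethertype"] = ethertype
    return info


def set_cos(frame, pcp):
    """Rewrite the PCP field, leaving DEI and VLAN ID untouched (ingress remarking)."""
    if not 0 <= pcp <= 7:
        raise ValueError("CoS must be 0..7 (3-bit PCP field)")
    if not parse_frame(frame)["tagged"]:
        raise ValueError("cannot set CoS on an untagged frame")
    tci = struct.unpack("!H", frame[14:16])[0]
    tci = (tci & 0x1FFF) | (pcp << 13)
    return frame[:14] + struct.pack("!H", tci) + frame[16:]


def ingress_cos(frame, mode, port_cos=0):
    """Decide the CoS a frame carries after entering a port.

    mode "trust":    keep the endpoint's PCP; untagged frames get port_cos
    mode "override": every frame gets port_cos, whatever the endpoint sent
    """
    info = parse_frame(frame)
    if mode == "override" or not info["tagged"]:
        return port_cos
    if mode == "trust":
        return info["pcp"]
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample frames (MACs and payloads are made up).
PAYLOAD = b"\x45" + b"\x00" * 19                     # stand-in IPv4 header
VOICE_FRAME = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                          ETHERTYPE_IPV4, PAYLOAD, vlan=100, pcp=5)  # phone, CoS 5
DATA_FRAME = build_frame("00:11:22:33:44:55", "cc:dd:ee:ff:00:11",
                         ETHERTYPE_IPV4, PAYLOAD, vlan=100, pcp=1)   # PC, CoS 1
UNTAGGED_FRAME = build_frame("00:11:22:33:44:55", "cc:dd:ee:ff:00:11",
                             ETHERTYPE_IPV4, PAYLOAD)                # no tag at all

if __name__ == "__main__":
    for name, f in (("voice", VOICE_FRAME), ("data", DATA_FRAME), ("untagged", UNTAGGED_FRAME)):
        print(name, "pcp=", parse_frame(f)["pcp"], "trust->", ingress_cos(f, "trust"),
              "override->", ingress_cos(f, "override", port_cos=0))
```

The point of the "trust" branch is that a port trusting CoS believes whatever the attached device wrote into the tag, which is why the later posts only trust phone ports and remark everything else on ingress.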
|
Powercrazy posted:Well crap. I can't enable NBAR on a Cisco 851W and that is the easiest way to do what I want to do. Now I'm going to have to gently caress with access-lists and things. Sigh. Here's some PQ stuffs, should help you figure out if you can do it or not. code:
|
Apr 25, 2007 02:17
|
Korensky posted:Keep in mind this is only good for outbound traffic. You queue/shape/police/drop outbound. You really only mark inbound. There's no point dropping a packet once it's already on the wire. Yeah, I always found it weird when folks talked about inbound QoS (with TCP sliding windows or something) on an interface. Only so much can come in on the pipe; classify it inbound, mark it up/mark it down/dump it/take action on it outbound. PQ is cool, but you can also start dumping packets (why I increase the queue size) if a higher priority queue is active past the timeout of the lesser traffic's queue. Class Based Weighted Fair Queueing is where it's at in my opinion. 256 classes/levels as opposed to 4 queues with PQ. Can get it to play with 802.1q tags as well as the TCP stuff, for handing off to a switch. (e.g. time sensitive traffic comes in on UDP 5000, gets put in a high preference queue for transmission on the router's inside interface, but also gets an 802.1q COS tag of 5, which the switch is trusting, recognizes it and queues it up accordingly as it travels through the layer 2 network from switch to switch) Korensky posted:Use a BT client that supports TOS configuration on outgoing packets, set them to a classification you know nothing else in your network uses and setup a class-map to match the TOS into a class and a policy-map to queue it behind other priority traffic. I guess there's a few ways to skin this cat, so to speak. If I just wanted to be quick about it, I would mark up all traffic that I knew had a destination port > TCP 1024 that was NOT BT, say YOUR GAME or something that sticks to TCP 17000 for example (medium queue mebbe), then mark the rest down... all traffic with a destination TCP port >1024 to the low queue (what BT app isn't running TCP 5000+), and let web traffic and other things you want to get preference on high, medium or just default to normal. Grats! \/\/\/\/ Herv fucked around with this message at 13:37 on Apr 25, 2007
Apr 25, 2007 12:12
|
Paul Boz_ posted:I didn't get any ISDN poo poo on either of my tests, but had quite a few frame relay questions. It could be worse, DECnet and Apollo were pretty scary as well. I actually had ISDN back in 97! Using a Brouter. So JWH will you be using the L2TP instead of GRE now for routing over tunnels? Not sure about the details, haven't played with it yet, although that's what I am gleaning.
|
Apr 27, 2007 17:56
|
/\ /\ /\ /\ I had a 7507 with a fast ethernet controller on it, but it was about 6 years ago; couldn't for the life of me remember what type it was. I do remember I had 2 100mbit connections trunked to the router with autoneg on the link speed/duplex, but once again, not sure on the actual card. I guess it's a mileage may vary thing there. Girdle Wax posted:Fixed. Weird, I have rarely had problems with auto negotiation with both sides being in auto. Having said that, 3Com 905x and the Cisco 6509/3xxx LAN switches certainly have made my day go poorly. Herv fucked around with this message at 20:44 on May 10, 2007
May 10, 2007 19:30
|
GhostSeven posted:I have a SoHo 97 with the god awful web admin. Ok, when you say you want IP unnumbered, where do you want your block of 8 public IP addresses to be? Would the outside interface of the IP Cop Box hold some/all of the public IP addresses? If so then you just want to bridge the DSL interface to the ethernet interface and then let IP run on the IP Cop Box. Here's an example of a SOHO97 with bridging, for Verizon DSL (ISP settings may vary). You will need the DSL specific information as well. (e.g. pvc 0/35) code:
What the above will do (sans mistakes/syntax) is bridge the DSL circuit to the front of the IP Cop Box, so to speak, transparently providing the first usable IP address to a device behind the soho97 router. Good luck, any specifics just ask away, should be able to get you up. I have used a SOHO97 bridged and running IP on an ATM subinterface, for what it's worth.
|
May 11, 2007 19:40
|
GhostSeven posted:Just read your reply again and I think the config you posted will do exactly what i want by the sounds of it, sorry for this post as it may have not been required! Yep, sounds like it will work for you. The Firewall (IP Cop) will have to have the ISP gateway as the default route if it isn't defined already. Cheers
|
May 11, 2007 22:41
|
code:
|
May 15, 2007 22:50
|
Girdle Wax posted:Lotta stuff, but STP is killing me. I haven't tested this in ages, but the last time I had redundant trunks I did a load balancing / failover situation, certainly tested it and did not notice any real convergence time that would make me nervous. Here's a quick and dirty example of how it worked between core and dist for example: code:
Sorry time is dulling my memory of this, but I would certainly remember the 45 sec pucker time for sure.
|
May 18, 2007 15:18
|
CrazyLittle posted:Yeah, drat. I was hoping somebody knew of a "magic" build of 12.3 that would fit in there, but then again 2621's are pretty drat old. Well you can get 3rd party memory rather cheap. I still use a 2600 just maxed out the memory/flash. I use this place, never had a problem with their 3rd party. http://www.ciscomemoryupgrades.com/cisco-memory.html code:
You are applying the correct route-map to the correct interface? You can only have one route-map per interface by the way. Have to use sequence numbers like crypto-maps. Cisco posted:Router(config-if)# ip policy route-map map-tag Doc
|
May 22, 2007 14:36
|
CrazyLittle posted:That was the answer - the ACL I added would never get matched because it trying to match on the wrong vlan. Adding a route-map on the correct interface with a higher precedence number fixed it. Good deal, glad to help. By the way, have you had luck failing over to the second ip addresses in your set ip next-hop statements?
|
May 23, 2007 00:23
|
CrazyLittle posted:Yeah actually. It takes about 20-30 seconds for the initial hop to "fail" with concrete results, but it actually does roll over. That suggestion came from the Cisco TAC group. It's a shame they're too dumb to implement a -real- OER configuration though It turns out the configuration I have running on that 1841 is an orphaned OER border/master that does nothing while the Policy-based routing does all the heavy lifting. I wasn't sure if NAT was being used as well, saw the word a few times, but didn't know the interface configs. That can add another stick in the spokes for the set ip next hop, at least it did for me. Go get some ram!
|
May 23, 2007 11:54
|
Girdle Wax posted:I don't think any 1600/1700 series hardware can do that. Your best bet's probably a 2621 or 2621XM which has 2 FE's built in, and 2 WIC slots (1 for WIC-1DSU-T1 and another for an ADSL WIC). Be forewarned that the ADSL WICs are quite expensive, it might be more cost effective to add another ethernet (with a WIC-1ENET) and plugging into a DSL modem/bridge. I just bought a pair of WIC1 DSL's, off ebay, never had a problem.
|
May 24, 2007 13:32
|
Brinx posted:IPSEC Stuff with overlapping IP4 subnets. I do not think it would be possible to create a phase 2 SA when network 1 is a subnet of network 2. (e.g. 10.10.1.0/24 to a 10.0.0.0/8) You want to get more specific on your 10.0.0.0/8 classification at the colo/hq/hub fw. You also want to exclude any network that will traverse the VPN tunnel from NAT. Or just restrict all of RFC 1918 from NATing. The reason being that NAT is processed before IPSEC; even if you get the tunnel up by fixing the overlapping subnets, the source IP of all that traffic will be the public IP they are NAT'd behind. At least that's how it used to work... Hope this helps. Herv fucked around with this message at 21:14 on May 29, 2007
May 29, 2007 21:03
|
quote:sh isakmp sa shows: That just shows the Main Mode/ Phase 1 SA. You want to check the Quick Mode/ Phase 2 SA with a 'sh cry ip sa'. If that is dropping then it will jibe with what they are seeing. Do the phase 1 and 2 SA lifetimes match up on both firewalls? Worst case make a startup script that runs silently, pinging across constantly.
|
Jun 7, 2007 16:37
|
buspAss posted:Shouldn't it retry to get a DHCP address after some point? Is there any way to detect this condition (losing its address) and force it to reconnect? Is there any DHCP renew command that I'm just not seeing? Check out these commands: show ip dhcp binding and in global config: ip dhcp binding cleanup interval <n seconds> You should be able to glean the lease information in the show command, and perhaps have it check for cleanups and re-binding at that interval. Might help, might not. Cheers
|
Jun 19, 2007 20:13
|
Well, IRB was superseded by RBE (route bridge encapsulation), but I still use a sub-interface. Try it on the main interface though. http://www.cisco.com/warp/public/121/atm_bridging.html Here's an RBE example. I do not believe I can enter an 'atm route-bridged ip' without being in a sub interface. code:
The PIX will strip off any QoS tags set by the phone, so I hope the VoIP can be classified by IP if possible (e.g. not going over a VPN with a bunch of other traffic). Edit: I have done a combo with Priority Queuing on the IOS-FW so the DSL router gets the important traffic first. PIX 501's suck rear end for VoIP compared to a 2600 with IOS-FW. Herv fucked around with this message at 18:29 on Jun 20, 2007
Jun 20, 2007 18:13
|
ior posted:One thing has always annoyed me with access-lists on Cisco gear, namely editing them. No sir, it's been either Text Pad or VI for me for ages. Maneki Neko posted:
What OS version is on the 515? Is there a reason to stick with PPTP over L2TP? I have the Vista client using MSCHAP v2 handing auth over to AD via radius, but with L2TP, using PIX 7.2.2(19). I have to have a two factor auth system on ras to pass audits, whether with computer certs or pre-shared keys to get a phase 1 sa up so I can actually send the real user auth through. Something to consider sir.
|
Jul 5, 2007 15:57
|
atticus posted:You need to define the allowed VLANs on the trunk. I am under the impression that all VLANs are allowed across a trunked switchport unless explicitly pruned or enumerated. At least this is my experience on all COS/IOS switches. Then again this may be something new, I am part cobwebs. I think I ran into a similar issue as the fellow with the problem, but I haven't used PIX OS 6.x in a while. code:
Or this one for that matter. code:
Having said that, if things are still not working... Pull off your NAT exclusion (nat 0) rules first. After all, you just want to establish communication between the two networks. Whether through NAT or non-NAT, you should be able to get across. Herv fucked around with this message at 17:32 on Jul 5, 2007
Jul 5, 2007 17:24
|
Mierdaan posted:Sorry; what I mean is that I can't ping any device on vlan1 from vlan101, nor vice-versa. Communication between all vlan1 hosts is fine, and communication between all vlan101 hosts is fine, it's just communication between the two vlans that isn't working. If you can get web traffic with an external DNS server, you do not have a layer 2 problem sir. Edit: got off my rear end and logged into a 3750, here's what a trunk config shows:
interface GigabitEthernet1/0/24
 description TRUNK_TO_2950-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 mls qos trust cos
 no mdix auto
Here's what the switchport shows with allowed vlans:
Name: Gi1/0/24
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
Herv fucked around with this message at 17:31 on Jul 5, 2007
Jul 5, 2007 17:26
|
No problem, I fixed that post. If the access list is referenced and applied to an interface, but no such list exists, you will get an implicit deny or perhaps some other wonkyness. That was the cut of my jib on that one.
|
Jul 5, 2007 17:38
|
jwh posted:How is that supposed to work when the voice network (vlan101) is a subnet of the inside interface's address space? If the clients are running a /16 subnet mask they sure as heck won't hit the gateway. The PIX should be able to figure out things just like a router in regards to 'subnetted' networks. Show route should... show that. In an earlier post, some guy had overlapping IP 4 subnets (for defining lan to lan VPN) that would have not worked unless he changed his local 10/8 to a 10/24.
|
Jul 5, 2007 20:31
|
delslo posted:update: while troubleshooting a Watchguard Edge device for a client today, I became so annoyed with it and the idea that ANYONE, much less a MANAGER* at my company would recommend such a pile of poo poo to one of our clients... that I placed my order for the ASA 5505 as soon as I got off the phone. What, is it doing a nat pool with no pat overload?
|
Aug 1, 2007 02:12
|
The thing that pissed me off about Checkpoint was that so much hung off of pushing the policy and being the hero. This was version 4.x though. The NG seemed to be a bit better, and less wacky to bring up trust points (fw putkey, fw putlic, wow). Once you wanted to get a little deeper past the GUI, the config files were a little cumbersome. They seemed made to be edited with a GUI only. Having said that, I love CP because it runs (ran) on anything; the logging/filtering is the bees knees. Well, it was last time I checked. 501 was a real let down. I am still pissed I didn't keep my PIX 'Classic'. Cool looking piece, even if it was a PC with 3 Intel NICs and booted off an ISA Flash card.
|
Aug 1, 2007 02:45
|
inignot posted:It ended much like the ever replayed ski jump by Vinko Bogataj. I was only able to attempt 73 points given my lack of multicast or qos knowledge. Congratulations on getting further sir. I have to start all over again and shake the rust off my skill set in that area. I remember failing my first certification test. I was really let down, but then a friend told me 'The guy that gets up last, wins'. I got the wind back and passed it on the next try. Of course that was a dos 6.2 / win 3.1 exam. I am sure the average failing rate for any ccie is a bit higher! Looking forward to your 'I did it' post.
|
Aug 1, 2007 15:21
|
ILikeVoltron posted:My config has changed a bit on both sides, following some of the info I've found in the Cisco article @ http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a87f7.shtml#CLI seems to have pointed to stuff I'm not really sure about, such as this line Hi there Mr Voltron Lover. I have poked around a PIX or 2 over the years as a hack. I think we should be able to get you up on the crypto maps. The first thing I was going to mention was NAT exclusion for the subnets in question. NAT is processed before IPSEC on a PIX, so if you don't exclude the traffic it goes over the tunnel (or misfires entirely and goes out on the internet) with the public IP address NAT/PAT is using. Looks like that is what's happening with your ping. I don't see a NAT0 on the second device. NAT 0 means 'don't NAT' essentially. The GUI/wizard should cover this these days pretty well if you get stuck. Hope this helps! Herv fucked around with this message at 14:42 on Feb 3, 2008
Feb 3, 2008 14:39
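The two LAN-to-LAN VPN problems raised in this thread (the earlier post about a 10.10.1.0/24 spoke facing a 10.0.0.0/8 hub, and this one about a missing NAT 0 exemption) are both checkable before the tunnel is ever brought up. The following is an added example written for this page, not code from the thread or from any Cisco product; it uses the stdlib ipaddress module, the addresses from the posts, and a hypothetical narrowed hub subnet 10.20.5.0/24 that stands in for "get more specific on your 10.0.0.0/8".

```python
"""Two pre-flight checks for a LAN-to-LAN IPsec tunnel on a NAT device.

Added example, not from the original thread or any vendor tool.  It models the
two problems the posts describe with stdlib ipaddress objects: proxy identities
where one side's network contains the other's, and VPN traffic missing from the
NAT-exemption list (the "nat 0" ACL), which would be translated before IPsec
ever sees it.  10.20.5.0/24 below is a hypothetical narrowed hub subnet.
"""
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network
Flow = Tuple[Net, Net]          # (source network, destination network): one ACL line

RFC1918 = tuple(ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def net(text: str) -> Net:
    """Parse 'a.b.c.d/len' strictly, so host bits set in a network (a typo) are rejected."""
    return ipaddress.ip_network(text, strict=True)


def check_proxy_ids(local: Net, remote: Net) -> str:
    """Return '' when the two sides' networks are disjoint, else why they clash.

    When the hub's local network (10.0.0.0/8 in the thread) contains the spoke's
    network (10.10.1.0/24), a packet to 10.10.1.5 matches both 'local' and
    'remote', so the device cannot tell tunnel traffic from its own LAN.
    """
    if not local.overlaps(remote):
        return ""
    if remote.subnet_of(local):
        return f"remote {remote} is inside local {local}; make the local selector more specific"
    if local.subnet_of(remote):
        return f"local {local} is inside remote {remote}; the peer must narrow its selector"
    return f"{local} and {remote} partially overlap"


def nat_bypassed(crypto_acl: List[Flow], nat0_acl: List[Flow]) -> List[Flow]:
    """Return crypto-ACL flows that no NAT-exemption line fully covers.

    NAT runs before IPsec, so a flow listed here leaves with the translated
    (public) source address and never matches the tunnel's selectors.
    """
    missing = []
    for src, dst in crypto_acl:
        covered = any(src.subnet_of(s) and dst.subnet_of(d) for s, d in nat0_acl)
        if not covered:
            missing.append((src, dst))
    return missing


def rfc1918_exemption() -> List[Flow]:
    """The blanket alternative from the thread: never NAT private-to-private traffic."""
    return [(s, d) for s in RFC1918 for d in RFC1918]


if __name__ == "__main__":
    hub_lan, spoke_lan = net("10.0.0.0/8"), net("10.10.1.0/24")
    print(check_proxy_ids(hub_lan, spoke_lan) or "proxy IDs ok")
    narrowed = net("10.20.5.0/24")                 # hypothetical, more specific hub subnet
    print(check_proxy_ids(narrowed, spoke_lan) or "proxy IDs ok")
    crypto = [(narrowed, spoke_lan)]
    print("bypassed with no nat 0:", nat_bypassed(crypto, []))
    print("bypassed with RFC1918 nat 0:", nat_bypassed(crypto, rfc1918_exemption()))
```

Running it prints the overlap complaint for the 10/8 hub, nothing for the narrowed subnet, and then shows the same crypto ACL entry as bypassed until an exemption line that contains both its source and destination is present.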
|
Ask for a Visio, or make one yourself and send it over for modifications. Without seeing the forest from the trees you are in for a rough ride. Hope this helps.
|
Feb 5, 2008 20:25
|
reborn posted:I have a pretty simple question in theory but I'm having some real trouble with it. I have a Cisco ASA 5505 running 7.2(1). It's sitting behind a cable router setup in bridge mode. The issue is that I want to run a public server behind the firewall. I have it setup, however the captures show that all of the packets hit the firewall then drop like they have nowhere to go. They are not dropping due to the acl so I was thinking the NAT but I have a specific NAT tied to the external IP address back into my internal server IP address. I mean this isn't a difficult task at all... in fact it's the most basic and simple of tasks but it just will not work. You are going to have to allow the port(s) you are NAT'ing to the outside interface acl. I am not sure where your acl is just yet. code:
|
Feb 7, 2008 03:55
|
OK the one x factor is I don't use these things in Bridged mode, just Routed. I was assuming that traffic was working outbound, and that inbound port forwarding wasn't. Looking at the config, I am surprised it is working at all, but this may be due to 'bridged mode'. Having said that (could all be wrong based on that one fact) looking at the config you are NAT'ing the entire outside interface to the 192.168.1.29 host. Normally on single IP interfaces you would do a static tcp map. code:
code:
I don't see a NAT 1 statement to correspond with your GLOBAL 1. poo poo, not sure if that is due to bridged, but there should be a code:
The Global 2 is another weird one, but we can leave that alone for now. I never use outbound access lists, but I am not sure about your local living arrangements and such. Hope this helps a bit.
|
Feb 7, 2008 07:41
|
reborn posted:Ignore the router being in bridged mode. Look at it this way. When I take the firewall out of the picture there are no issues. With the firewall in I have trouble but the packets are getting to the firewall. The blanket NAT really is just to cover my bases. I was beating my head against the wall so hard with this that I decided to take out all the random problems that could come up. I've tried a blanket ACL for all ports, I've tried the blanket NAT, and I've tried just about everything. I'll try adding a NAT 1 statement and narrowing my port NAT to the ports I need. Oh, router in bridged mode. Once again, I misunderstood. The PIX/ASA can operate as a router or bridge, hehe. But let's keep it simple and not talk about bridging firewalls, they are too loving weird. Ok, in a nutshell: the NAT 1 statement will allow OUTBOUND connections, and it latches onto its corresponding GLOBAL 1 statement. This means that NAT 1 0.0.0.0 0.0.0.0 0 0 will allow ANY IP address behind the firewall to make an outbound connection, using the outside interface's IP address. Your 'blanket' NAT will actually break things if you only have one public IP address. Bottom line, you do not want to forward all 65535 TCP, UDP, and ALL IP PROTOCOLS from your ASA's outside interface to the inside PC. The ASA actually needs to receive some traffic, not forward it ALL to the inside PC. Hope this is becoming more clear. Having said that, do you see how weird your GLOBAL 2 is just sitting there, with no corresponding NAT statement? In fact, delete that poo poo. Take out the NAT statement you have, put in a nat 1 0.0.0.0 0.0.0.0 for the simplest version of that line. You should immediately be able to surf the web, if not blocked by ACLs. Now for inbound connections, make the TCP NAT statements as needed. On both interfaces (just for troubleshooting) put PERMIT IP ANY ANY at the top of the ACL; use the GUI for this.
Once you know you can pass traffic, put an ACL on the outside interface, BUT keep in mind it doesn't matter if you are NAT'ing a single IP address. If the port isn't NAT'd it's not going through. With wide open ACLs you are just left with NAT to govern the network traffic, which is where your stick in the spokes is. This advice is now guaranteed(tm) seeing how your router is bridged and the firewall is in 'routed' mode. Just forget anything I said about a bridging firewall, they are just too fugggin weird and I was going to ask you what the gently caress you were doing with a bridging firewall on a home network, but nevermind that. Hope this gets yer ASA going, and if all else fails wipe it and use the setup wizard!
|
Feb 7, 2008 14:57
|
ionn posted:What can cause a router to not see any CDP neighbors (and not show up on other routers)? It's a Chinese knock off. They never got CDP right.
|
Feb 19, 2008 02:17
|
permanoob posted:Awesome. I see exactly what you mean. I'll work it out from here. Thanks a ton. The conduit command at least sounded more reasonable. I am opening a conduit to this host. Ahh well, it's all good in the hood.
|
Mar 20, 2008 18:51
|
jwh posted:Also, is anyone doing 802.1x with the stock Microsoft XP 802.1x supplicant? I have some questions about that thing too. No clue on the rogue detection stuff, but I am using the Windows built in 802.11x EAP (PEAP) client with an 1130, using the Microsoft RADIUS server. It's been up for a couple years, very reliable. If you try to brute force in, you lock out accounts if you actually guess one. Vista and Win7 seem to do a lot better with initial logons though. XP wants you to log in wired first, it seems.
|
Jan 16, 2009 17:20
|
When I was using certificates instead of PEAP there seemed to be a 15 second pause when all the systems had to agree that you were legit. That's about it. I am not doing any VLAN assignment for authed users or guest VLANs for those that don't (same for wired). It sounded pretty cool but I just didn't have a need for it. Small shop and all.
|
Jan 16, 2009 17:45
|
brent78 posted:Can someone post or email a config for a Cisco AP1100 that's using WPA/TKIP, 802.1x / PEAP. This config should work. If things still fall apart, you can debug things to a certain point. code:
Herv fucked around with this message at 00:32 on Jan 22, 2009
Jan 19, 2009 23:55
|
brent78 posted:I have a pair of stacked 3750's (love em), with a few vlans. One vlan carries public traffic, another is dedicated to SAN (iSCSI). I'd like to set the system mtu to 9000 to use jumbo frames on the SAN for better performance. What's going to happen to traffic on my public vlan that uses an mtu of 1500? Will it work? I have mixed and matched 1500 with 9000 no problem, and it was on a 3750 for what it's worth. Did the 1100AP get going or what?
|
Jan 26, 2009 00:30
|
If CBWFQ is not enabled in your image, how about Priority Queuing? Basically you want to tag the traffic inbound from the LAN (and on the switch if you run dot1q between switch and router) and apply the policy on your WAN interface. If you can't classify the traffic (no CBWFQ) with layer 2 or 3 QoS bits you want to downgrade, you can still use access lists. Make an access list with all the traffic you want to give priority to like ESP, or whatever your IP phone is using to get to the server, web surfing, etc. By default the traffic not classified in that list will get the normal queue. You get 4 queues: High, Medium, Normal, Low.
3660-1#sh queueing interface serial 3/0
Interface Serial3/0 queueing strategy: priority
Output queue utilization (queue/count)
high/350169 medium/0 normal/19073366 low/0
This is some T1 that is doing a simple queue to make sure some guy's IP phone calls aren't lovely when others are banging away at the circuit grabbing source code or something not as time sensitive. If the router says it supports QoS, I would assume that it will read various QoS settings (layer 2 802.1q CoS tags, layer 3 IP Precedence and DSCP bits), and 'trust' the value. Not sure how it would act on it if it's crippled. Maybe there is a default config and you can't touch it? e: In a perfect world, your IP phone would hit the switchport on a dot1q trunk. The phone is probably throwing out dot1q CoS 5 tags if you set it to trunk. If it is coming out with a CoS of 1 you can just change the tag right there to a 5 on ingress. The PC is on another switchport, banging away at a CoS of 1. When the IP phone frame exits the switch into the router, once again they agree on the CoS 5 for the ethernet frame that contains the voice stream. The router sees the CoS 5 tag, checks its queuing strategy and policy and sticks it in the high priority queue like the guy's VPN in the example above.
For traffic coming within a node, just classify it in an access list by inclusion or exclusion upstream. e2: Not sure why I thought the guy had DSL. See if you can do show commands against the default global policy. Herv fucked around with this message at 01:41 on Feb 11, 2009
Feb 11, 2009 00:46
|
jwh posted:Correct me if I'm wrong, but he doesn't have a Cisco IP Phone. He has a 3560G, a PC, and a 851. Yep, you are right, my post was pretty cluttered. I had thought he was eventually going to get one in, but wanted to fake out the 851 since apparently the product lit says it can support some basic QoS. The 'IP Phone' here is the end station that he is trying to tag with Precedence ToS and DSCP values to fake out the 851. I could have been more clear, but that's what I get for trying to make an all in one QoS post. I still find it sad that they crippled the 851 like that. You can get a 2621 doing everything (DMVPN, AES192, OSPF, NAT/PAT, RAS VPN, CBWFQ/PQ on a FiOS 20/5 @ 30 percent on the CPU while encrypting an IP phone conference hosting 5 callers) except the wireless for 50 bucks, how lovely. I just checked an 871 (c870-advipservicesk9-mz.124-22.T.bin) and was able to set up a quick class and policy map, and give it priority. Looking at the images for the 851 (c850-advsecurityk9-mz.124-15.T8.bin) you would think some of the same features were available. I don't have one, I can't check. Must be the ip in the file name. I thought the image features were the 'k9-mz' part of the filename, but haven't looked it up in ages. My ASA 5505 is crippled unless I want to buy an upgrade license; this must be some new thing. I thought that failover and physical interface count were the limiting factors. I have an 871, but it has no PoE for my IP Phone. I just can't win. It's very important that my office extension is available with all features like hosting conferences. It's the easiest way to sham it and work in your PJ's. My home office chair is more comfortable, nobody can hear the difference. The IP Phone in a Perfect World example using the queuing was more of a general outbound QoS situation in one of the trickier situations with end to end priority.
I didn't even cover pulling inbound traffic off the WAN circuit, marking it up and sending it out to beat up all the other ethernet frames in the layer 2 switch yard. e: Added part to IOS images. Herv fucked around with this message at 08:55 on Feb 11, 2009
Feb 11, 2009 08:25
|
Oh cool, thanks, I didn't know that. Here's a quick and dirty PQ setup, and it will do what you need on the uplink to push ahead of any BT or otherwise unspecified traffic.
interface Serial3/0
 ip address 151.204.xxx.xxx 255.255.255.252
 no ip redirects
 no ip unreachables
 ip nbar protocol-discovery
 ip route-cache flow
 priority-group 1
access-list 120 permit <my important data e.g. TCP> any any eq <my important port>
priority-list 1 protocol ip high list 120
I usually max the memory on everything, makes it safe to deepen the queues.
priority-list 1 queue-limit 32767 32767 32767 32767
Each queue will hold 32k packets, if you have enough packet memory. One warning of course is that traffic in a lower queue will not go out until a higher queue is empty. You can/will drop traffic if you try to queue more than the max 32k packets; the show commands will see if it is happening. I didn't make the product, I only use it. Hope it works! e: I just have normal access to images, and couldn't find anything but the same advanced services in 12.4 or 12.3. The old IOS image site just lists one image set for the 851. By standard commands, I figured you were talking about the lack of CBWFQ commands from before. Herv fucked around with this message at 09:41 on Feb 11, 2009
Feb 11, 2009 09:36
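Three posts in this thread describe the same Priority Queueing behaviour: four queues, a lower queue only transmits when every higher queue is empty, and a queue that hits its limit drops, with the earlier post's port-based scheme (a game port on high, web on medium, everything else above 1024 on low) as the classifier. The simulation below is an added example written for this page, not Cisco code and not from the thread; the packet mix, the port numbers and the queue depths are constructed so the starvation and the tail drops are visible in the counters.

```python
"""Strict priority queueing with per-queue depth limits, as a simulation.

Added example, not from the original thread and not Cisco code.  It models the
four-queue Priority Queueing behaviour the posts describe: a lower queue is
served only when every higher queue is empty, and a full queue tail-drops.
The classifier mirrors the thread's port-based scheme; the ports, packet mix
and queue depths are constructed for the demonstration.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Dict, List

QUEUES = ("high", "medium", "normal", "low")       # served in this order


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    dport: int


def classify_by_port(pkt: Packet) -> str:
    """Port-based classification like the thread's access-list approach."""
    if pkt.proto == "tcp" and pkt.dport == 17000:  # the post's example game port
        return "high"
    if pkt.proto == "tcp" and pkt.dport in (80, 443):
        return "medium"
    if pkt.dport > 1024:                           # everything else on high ports (BT & co.)
        return "low"
    return "normal"                                # unclassified traffic defaults here


@dataclass
class PriorityQueueing:
    limits: Dict[str, int]                         # like 'priority-list 1 queue-limit'
    classify: Callable[[Packet], str] = classify_by_port
    queues: Dict[str, deque] = field(default_factory=lambda: {q: deque() for q in QUEUES})
    sent: Dict[str, int] = field(default_factory=lambda: {q: 0 for q in QUEUES})
    dropped: Dict[str, int] = field(default_factory=lambda: {q: 0 for q in QUEUES})

    def enqueue(self, pkt: Packet) -> bool:
        q = self.classify(pkt)
        if len(self.queues[q]) >= self.limits[q]:
            self.dropped[q] += 1                   # tail drop: queue is at its limit
            return False
        self.queues[q].append(pkt)
        return True

    def dequeue(self):
        """Transmit one packet from the highest non-empty queue."""
        for q in QUEUES:
            if self.queues[q]:
                self.sent[q] += 1
                return q, self.queues[q].popleft()
        return None

    def depth(self, q: str) -> int:
        return len(self.queues[q])


def simulate(arrivals: Callable[[int], List[Packet]], ticks: int,
             limits: Dict[str, int]) -> PriorityQueueing:
    """Run `ticks` rounds: enqueue that tick's arrivals, then transmit one packet."""
    pq = PriorityQueueing(limits=limits)
    for tick in range(ticks):
        for pkt in arrivals(tick):
            pq.enqueue(pkt)
        pq.dequeue()                               # link drains exactly one packet per tick
    return pq


GAME = Packet("tcp", 17000)                        # constructed "important" traffic
BT = Packet("tcp", 6881)                           # constructed bulk traffic on a high port


def saturating_load(tick: int) -> List[Packet]:
    """One game and one BT packet every tick: twice what the link can send."""
    return [GAME, BT]


def bursty_load(tick: int) -> List[Packet]:
    """Same mix for the first 10 ticks, then silence so the low queue can drain."""
    return [GAME, BT] if tick < 10 else []


if __name__ == "__main__":
    pq = simulate(saturating_load, 20, {"high": 20, "medium": 20, "normal": 20, "low": 5})
    print("sent", pq.sent, "dropped", pq.dropped, "low depth", pq.depth("low"))
    pq = simulate(bursty_load, 20, {q: 40 for q in QUEUES})
    print("sent", pq.sent, "dropped", pq.dropped, "low depth", pq.depth("low"))
```

Under the saturating load the high queue sends every tick while the low queue never transmits and, once it reaches its limit of 5, drops every further arrival; under the bursty load the low queue drains only after the high traffic stops. That is the trade-off the posts point at: deeper queue limits turn drops into delay, but nothing makes strict PQ fair to the lower queues.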
|
Powercrazy posted:Also ironically enough, when I googled for 851 QoS, it brought me to this thread on page 3, where I'm asking the same question. With my better experience and overall knowledge I'm able to understand better the solutions that were presented to me, or rather understand why they won't work on my router. Jesus, and yeah I answered back then too, early 07, this thread really is toddler age now. Sorry for pushing the PQ on yah 2 times.
|
Feb 11, 2009 15:51