Herv
Mar 24, 2005

Soiled Meat
Welp if you are talking about 802.1q QoS when you mention "VLAN QoS" then yes, those bits are turned on/off (CoS= Class of Service) in a layer 2 802.1q frame header I believe. Somewhere there if it's not the header, been a long time since I read about it. 5 bits total to turn on and off abouts.

You can just set a manual CoS on all traffic coming in on a switchport or start just picking out traffic by trusting the bit(s) as it as set by the endpoint device.

There's a few options to play with.

Edit: Here's the simple config example you would slap on a switchport interface:
code:
interface GigabitEthernet1/0/9
 description SHORETEL-24
 switchport mode trunk
 switchport trunk encapsulation mode dot1q
 mls qos trust cos 
<probably the one you want if you are setting 802.1q CoS bits on the endpoint>
 mls qos cos 5 
<example of forcing everything incoming on that port to get priority 5 of 7 (7 being emergency)>
 mls qos trust dscp 
<example of trusting any DiffServ bits if the device is setting them>
  no mdix auto
 spanning-tree portfast

3750-1#sh mls qos interface gigabitEthernet 1/0/9
GigabitEthernet1/0/9
trust state: trust cos <if you are setting it on the endpoint and trusting it at the switch>
trust mode: trust cos
trust enabled flag: ena
COS override: ena <if you set it>
default COS: 5 <if you set it>
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based

3750-1#sh mls qos interface gigabitEthernet 1/0/9 statistics
GigabitEthernet1/0/9

  dscp: incoming
-------------------------------

  0 -  4 :      577239            0            0            0            0
  5 -  9 :           0            0            0            0            0
 10 - 14 :           0            0            0            0            0
 15 - 19 :           0            0            0            0            0
 20 - 24 :           0            0            0            0            0
 25 - 29 :           0            0            0            0            0
 30 - 34 :           0            0            0            0            0
 35 - 39 :           0            0            0            0            0
 40 - 44 :           0            0            0            0            0
 45 - 49 :           0      3875949            0            0            0
 50 - 54 :           0            0            0            0            0
 55 - 59 :           0            0            0            0            0
 60 - 64 :           0            0            0            0
  dscp: outgoing
-------------------------------

  0 -  4 :     1646292            0            0            0            0
  5 -  9 :           0            0            0            0            0
 10 - 14 :           0            0            0            0            0
 15 - 19 :           0            0            0            0            0
 20 - 24 :           0            0            0            0            0
 25 - 29 :           0            0            0            0            0
 30 - 34 :           0            0            0            0            0
 35 - 39 :           0            0            0            0            0
 40 - 44 :     1502676            0            0            0            0
 45 - 49 :           0        21426            0          608            0
 50 - 54 :           0            0            0            0            0
 55 - 59 :           0       538839            0            0            0
 60 - 64 :           0            0            0            0
  cos: incoming
-------------------------------

  0 -  4 :         902            0            0            0            0
  5 -  7 :     4455186            0            0                            
(Here you can see the massive amount of marked up traffic with a cos > 4)
  cos: outgoing
-------------------------------

  0 -  4 :     2817803            0            2            0            0
  5 -  7 :     1603844          608       539033                       
(Here you can see the massive amount of marked up traffic with a cos > 4)
Policer: Inprofile:            0 OutofProfile:            0


Herv fucked around with this message at 21:52 on Apr 16, 2007
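As an added illustration of where the bits Herv is trusting or overriding actually live (this is example code, not anything posted in the thread), the following Python builds a constructed 802.1Q-tagged IPv4 frame, pulls out the 3-bit PCP (CoS) field from the tag and the 6-bit DSCP field from the IP header, and then mimics the three per-port decisions in the config above: force a CoS (`mls qos cos 5` with override enabled, as the `COS override: ena` line shows), trust the frame's CoS, or trust its DSCP. The MAC addresses and IP header are constructed sample data, and the `cos = dscp // 8` mapping is assumed to be the switch's default dscp-to-cos map.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def default_dscp_to_cos(dscp: int) -> int:
    """Assumed default dscp-to-cos map: eight DSCP values per CoS level."""
    return dscp // 8


def build_frame(pcp: int, vid: int, dscp: int, tagged: bool = True) -> bytes:
    """Build a minimal Ethernet/IPv4 frame with an optional 802.1Q tag.
    MAC addresses and the IPv4 header are constructed sample data."""
    eth = bytes.fromhex("0011223344550066778899aa")   # dst MAC, src MAC (constructed)
    if tagged:
        tci = (pcp << 13) | vid                        # TCI = PCP(3) | DEI(1) | VID(12)
        hdr = eth + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ETHERTYPE_IPV4)
    else:
        hdr = eth + struct.pack("!H", ETHERTYPE_IPV4)
    # IPv4: version/IHL, TOS byte (DSCP in the top 6 bits), total length, zeroed remainder
    ipv4 = bytes([0x45, dscp << 2]) + struct.pack("!H", 20) + bytes(16)
    return hdr + ipv4


def parse_frame(frame: bytes) -> dict:
    """Return the 802.1Q tag fields (if tagged) and the IPv4 DSCP value (if IPv4)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, tag = 14, None
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        tag = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    dscp = None
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= offset + 20:
        dscp = frame[offset + 1] >> 2                  # TOS byte = DSCP(6) | ECN(2)
    return {"ethertype": ethertype, "tag": tag, "dscp": dscp}


def ingress_cos(parsed: dict, trust: str = "none", override_cos=None, port_default: int = 0) -> int:
    """Internal CoS the port assigns, mirroring the knobs in the switchport config:
    override ('mls qos cos N' with override on) beats 'trust cos' beats 'trust dscp';
    an untrusted or untagged frame gets the port default."""
    if override_cos is not None:                       # everything on the port is forced to N
        return override_cos
    if trust == "cos" and parsed["tag"] is not None:   # mls qos trust cos
        return parsed["tag"]["pcp"]
    if trust == "dscp" and parsed["dscp"] is not None: # mls qos trust dscp
        return default_dscp_to_cos(parsed["dscp"])
    return port_default


if __name__ == "__main__":
    voice = parse_frame(build_frame(pcp=5, vid=100, dscp=46))   # EF-marked, CoS 5 (constructed)
    print(voice, ingress_cos(voice, trust="cos"), ingress_cos(voice, trust="dscp"))
```

Note that an untagged frame carries no CoS at all, which is why `trust cos` on a port facing an untagged device yields the port default rather than anything the device intended.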


Herv
Mar 24, 2005

Soiled Meat

Powercrazy posted:

Well crap. I can't enable NBAR on a Cisco 851W and that is the easiest way to do what I want to do. Now I'm going to have to gently caress with access-lists and things. Sigh.

Here's some PQ stuffs, should help you figure out if you can do it or not.
code:
interface Serial0/0
 ip address 151.204.xxx.xx 255.255.255.252
 ip route-cache flow
 priority-group 1
...
priority-list 1 protocol ip high list 100
priority-list 1 protocol ip low list 102
priority-list 1 protocol ip medium list 103
priority-list 1 queue-limit 10000 1000 1000 10000

access-list 103 permit esp any any
access-list 102 permit tcp any any eq <bit torrent tcp port>
access-list 100 permit <time sensitive traffic>

c3640#sh queueing priority
Current priority queue configuration:

List   Queue  Args
1      high   protocol ip          list 100
1      low    protocol ip          list 102
1      medium protocol ip          list 103
1      high   limit 10000
1      medium limit 1000
1      normal limit 1000
1      low    limit 10000

c3640#sh queueing interface serial 0/0
Interface Serial0/0 queueing strategy: priority

Output queue utilization (queue/count)
        high/5394275 medium/3079405 normal/7600868 low/2661963

I am sure you can get help with the access lists you need to classify your traffic here as well.

Herv
Mar 24, 2005

Soiled Meat

Korensky posted:

Keep in mind this is only good for outbound traffic. You queue/shape/police/drop outbound. You really only mark inbound. There's no point dropping a packet once it's already on the wire.

Yeah I always found it weird when folks talked about inbound QoS (with TCP sliding windows or something) on an interface.

Only so much can come in on the pipe, classify it inbound, mark it up/mark it down/dump it/ take action on it outbound.

PQ is cool, but you can also start dumping packets (why I increase the queue size) if a higher priority queue is active past the timeout of the lesser traffic's queue.

Class Based Weighted Fair Queueing is where it's at in my opinion. 256 classes/levels as opposed to 4 queues with PQ.
Can get it to play with 802.1q tags as well as the TCP stuff, for handing off to a switch.
(e.g. time sensitive traffic comes in on UDP 5000, gets put in a high preference queue for transmission on the router's inside interface, but also gets an 802.1q COS tag of 5, which the switch is trusting, recognizes it and queues it up accordingly as it travels through the layer 2 network from switch to switch)

Korensky posted:

Use a BT client that supports TOS configuration on outgoing packets, set them to a classification you know nothing else in your network uses and setup a class-map to match the TOS into a class and a policy-map to queue it behind other priority traffic.


I guess there's a few ways to skin this cat so to speak. If I just wanted to be quick about it, I would mark up all traffic that I knew had a destination port > TCP 1024 that was NOT BT, say YOUR GAME or something that sticks to TCP 17000 for example (medium queue mebbe), then mark the rest down... all traffic with a destination TCP port >1024 to the low queue (what BT app isn't running TCP 5000+), and let web traffic and other things you want to get preference on high, medium or just default to normal.

Grats!
\/\/\/\/

Herv fucked around with this message at 13:37 on Apr 25, 2007
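To make the PQ starvation point concrete (lower queues only get served when every higher queue is empty, which is why the queue-limit ends up dropping packets) here is an added simulation that is not from the thread: a strict priority scheduler over the four PQ queues next to a weighted round robin scheduler standing in for CBWFQ's per-class bandwidth share. The offered load (60 high-priority packets, 40 low-priority, 50 transmit slots) and the class weights are constructed, and the weighted scheduler is a simplification of CBWFQ, not its actual algorithm.

```python
from collections import deque

QUEUES = ("high", "medium", "normal", "low")   # the four PQ queues, highest first


def enqueue(queue: deque, limit: int, count: int) -> int:
    """Tail-drop admission, the job 'priority-list 1 queue-limit ...' does: returns packets dropped."""
    dropped = 0
    for i in range(count):
        if len(queue) >= limit:
            dropped += 1
        else:
            queue.append(i)
    return dropped


def priority_schedule(queues: dict, slots: int) -> dict:
    """Strict priority queueing: each transmit slot goes to the highest non-empty queue,
    so a continuously busy high queue means low is never served at all."""
    sent = {name: 0 for name in QUEUES}
    for _ in range(slots):
        for name in QUEUES:
            if queues[name]:
                queues[name].popleft()
                sent[name] += 1
                break
    return sent


def weighted_schedule(queues: dict, weights: dict, slots: int) -> dict:
    """Weighted round robin, a simplified stand-in for a CBWFQ bandwidth share:
    per round, class c may send up to weights[c] packets; an empty class forfeits its turn."""
    sent = {name: 0 for name in queues}
    while slots > 0 and any(queues.values()):
        for name, weight in weights.items():
            for _ in range(weight):
                if slots == 0:
                    return sent
                if queues[name]:
                    queues[name].popleft()
                    sent[name] += 1
                    slots -= 1
    return sent


def build_queues(high: int, medium: int, normal: int, low: int) -> dict:
    """Constructed backlog: one packet token per queue entry."""
    return {"high": deque(range(high)), "medium": deque(range(medium)),
            "normal": deque(range(normal)), "low": deque(range(low))}


def compare(slots: int = 50) -> dict:
    """Run the same constructed backlog (60 high, 40 low) through both schedulers."""
    pq = priority_schedule(build_queues(60, 0, 0, 40), slots)
    wrr = weighted_schedule(build_queues(60, 0, 0, 40),
                            {"high": 3, "medium": 1, "normal": 1, "low": 1}, slots)
    return {"pq": pq, "wrr": wrr}


if __name__ == "__main__":
    print(compare())   # PQ sends 50 high / 0 low; WRR sends 38 high / 12 low
```

Under strict PQ the low queue gets nothing while high has backlog, and with a finite `queue-limit` the packets it cannot drain are tail-dropped by `enqueue`; the weighted scheduler still favours the high class but guarantees the low class its share.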

Herv
Mar 24, 2005

Soiled Meat

Paul Boz_ posted:

I didn't get any ISDN poo poo on either of my tests, but had quite a few frame relay questions.

It could be worse, DECnet and Apollo were pretty scary as well.

I actually had ISDN back in 97! Using a Brouter.

So JWH will you be using the L2TP instead of GRE now for routing over tunnels? Not sure about the details, haven't played with it yet, although that's what I am gleaning.

Herv
Mar 24, 2005

Soiled Meat
/\ /\ /\ /\

I had a 7507 with a fast ethernet controller on it, but it was about 6 years ago, couldn't for the life of me remember what type it was. I do remember I had 2-100mbit connections trunked to the router with autoneg on the link speed/duplex but once again, not sure on the actual card. I guess it's a mileage may vary thing there.

Girdle Wax posted:

Fixed.

I still can't believe how horribly unreliable autonegotiation Cisco-to-Cisco is. It's crazy that in this day and age we still have to go through and manually force speed/duplex on ports to stop Cisco gear from doing something stupid.

Weird, I have rarely had problems with auto negotiation with both sides being in auto. Having said that, 3Com 905x and the Cisco 6509/3xxx LAN switches certainly have made my day go poorly.

Herv fucked around with this message at 20:44 on May 10, 2007

Herv
Mar 24, 2005

Soiled Meat

GhostSeven posted:

I have a SoHo 97 with the god awful web admin.

I have an 8 IP block so would like to set it to unnumbered, my setup is as follows

Internet <---> CISCO GOES HERE <--> IP Cop Box <--> Rest Of Network

Ok when you say you want IP unnumbered you want your block of 8 public IP addresses to be where?

Would the outside interface of the IP Cop Box hold some/all of the public ip addresses? If so then you just want to bridge the DSL interface to the ethernet interface and then let IP run on the IP Cop Box.

Here's an example of a SOHO97 with bridging, for Verizon DSL (ISP settings may vary). You will need the DSL specific information as well. (e.g. pvc 0/35)
code:
interface ATM0
     no ip address
     bridge-group 1
     PVC 0/35
          protocol bridge broadcast
          encapsulation aal5snap

interface Ethernet0
     no ip address
     bridge-group 1



bridge 1 protocol ieee
Disclaimer: Hand typed it, don't have a config handy as I am running IP on my DSL interface.

What the above will do (sans mistakes/syntax) is bridge the DSL circuit to the front of the IP Cop Box so to speak, transparently providing the first usable IP address to a device behind the soho97 router.

Good luck, any specifics just ask away, should be able to get you up.

I have used a SOHO97 bridged and running IP on an ATM subinterface for what it's worth.

Herv
Mar 24, 2005

Soiled Meat

GhostSeven posted:

Just read your reply again and I think the config you posted will do exactly what I want by the sounds of it, sorry for this post as it may have not been required!

Thanks again

Yep, sounds like it will work for you. The Firewall (IP Cop) will have to have the ISP gateway as the default route if it isn't defined already.

Cheers

Herv
Mar 24, 2005

Soiled Meat
code:
C827(config-subif)#service-policy output esp
CBWFQ : Not supported on subinterfaces
I was able to get it on the pvc though, but it's not showing up as cbwfq.

Herv
Mar 24, 2005

Soiled Meat

Girdle Wax posted:

Lotta stuff, but STP is killing me.

I haven't tested this in ages, but the last time I had redundant trunks i did a load balancing / failover situation, certainly tested it and did not notice any real convergence time that would make me nervous.

Here's a quick and dirty example of how it worked beween core and dist for example:

code:
Core Switch

Trunk 1  
              Unix Vlan 2 Primary
              Wintel Vlan 3 Secondary (blocked)

Trunk2
              Wintel Vlan 3 Primary
              Unix Vlan 2 Secondary (blocked)

Data Center Switch
I had both wintel and sparc in the data center, no chance for downtime. I forget if I messed with any STP parameters, but when I dumped trunk 1, the Unix traffic would failover to the second trunk rather quickly. This was the symptom I would experience throughout the campus.

Sorry time is dulling my memory of this, but I would certainly remember the 45 sec pucker time for sure.

Herv
Mar 24, 2005

Soiled Meat

CrazyLittle posted:

Yeah, drat. I was hoping somebody knew of a "magic" build of 12.3 that would fit in there, but then again 2621's are pretty drat old.

I got a better question actually though. I'm trying to use OER on a 1841 across a DSL connection and a T1 connection. I setup the route maps to send mail traffic over the T1, but for some reason the ACL isn't matching, or the route-map isn't setting the next hop properly:



Config without the interface configs showing route-maps.

Well you can get 3rd party memory rather cheap. I still use a 2600 just maxed out the memory/flash.

I use this place, never had a problem with their 3rd party.

http://www.ciscomemoryupgrades.com/cisco-memory.html
code:
c2611#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-J1S3-M), Version 12.3(22), RELEASE SOFTWARE (fc2)

ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
ROM: C2600 Software (C2600-J1S3-M), Version 12.3(22), RELEASE SOFTWARE (fc2)

System image file is "flash:c2600-j1s3-mz.123-22.bin"

cisco 2611 (MPC860) processor (revision 0x203) with 61440K/4096K bytes of memory.
2 Ethernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
1 ATM network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Why not classify the email traffic using TCP 25? (edit) Or the client protocols, whatever you want to policy-route.

You are applying the correct route-map to the correct interface?

You can only have one route-map per interface by the way. Have to use sequence numbers like crypto-maps.

Cisco posted:

Router(config-if)# ip policy route-map map-tag


Identifies the route map to use for PBR. One interface can have only one route map tag; but you can have several route map entries, each with its own sequence number. Entries are evaluated in order of their sequence numbers until the first match occurs. If no match occurs, packets are routed as usual.

Doc
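The quoted Cisco text describes an evaluation order (sequence numbers ascending, first match wins, no match means normal routing) that is easy to get wrong when an ACL is applied on the wrong interface or a deny entry quietly ends the match. The following Python is an added example, not from the thread or from Cisco: it implements Cisco wildcard-mask matching, first-match ACL evaluation with the implicit deny, and route-map evaluation with a next-hop list so the "fall over to the second `set ip next-hop` address" behaviour discussed later in the thread is visible. The ACLs, the route-map, and the TEST-NET next-hop addresses are constructed placeholders, and the fallback-to-normal-routing step is a simplification.

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask semantics: 0 bits must match, 1 bits are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_addr(spec: str) -> tuple:
    """'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' -> (base, wildcard)."""
    parts = spec.split()
    if parts == ["any"]:
        return "0.0.0.0", "255.255.255.255"
    if parts[0] == "host":
        return parts[1], "0.0.0.0"
    return parts[0], parts[1]


def ace(action: str, proto: str, src: str, dst: str, dport=None) -> dict:
    """One extended ACL entry, e.g. ace('permit', 'tcp', 'any', 'any', 25)."""
    return {"action": action, "proto": proto, "src": parse_addr(src),
            "dst": parse_addr(dst), "dport": dport}


def ace_matches(entry: dict, pkt: dict) -> bool:
    if entry["proto"] not in ("ip", pkt["proto"]):
        return False
    if not wildcard_match(pkt["src"], *entry["src"]):
        return False
    if not wildcard_match(pkt["dst"], *entry["dst"]):
        return False
    return entry["dport"] is None or entry["dport"] == pkt.get("dport")


def acl_permits(acl: list, pkt: dict) -> bool:
    """First matching entry wins; a packet that matches nothing hits the implicit deny."""
    for entry in acl:
        if ace_matches(entry, pkt):
            return entry["action"] == "permit"
    return False


def policy_route(route_map: list, acls: dict, pkt: dict, reachable) -> str:
    """Evaluate entries in ascending sequence order. The first entry whose ACL permits
    the packet sets the next hop: the first reachable address in its list (the failover
    behaviour of 'set ip next-hop A B'). An ACL deny or no match at all means the packet
    is routed as usual, returned here as None."""
    for seq, acl_name, next_hops in sorted(route_map):
        if acl_permits(acls[acl_name], pkt):
            for hop in next_hops:
                if hop in reachable:
                    return hop
            return None   # simplified: no usable hop, fall back to the routing table
    return None


# Constructed sample policy: mail from the LAN over the T1 (falling back to DSL),
# everything else from the LAN over DSL, one host excluded from PBR entirely.
T1_HOP, DSL_HOP = "192.0.2.1", "198.51.100.1"     # placeholder next hops (TEST-NET ranges)
ACLS = {
    "110": [ace("permit", "tcp", "10.1.1.0 0.0.0.255", "any", 25)],
    "120": [ace("deny", "ip", "host 10.1.1.99", "any"),
            ace("permit", "ip", "10.1.1.0 0.0.0.255", "any")],
}
ROUTE_MAP = [(20, "120", [DSL_HOP]), (10, "110", [T1_HOP, DSL_HOP])]   # deliberately unsorted


def route(pkt: dict, reachable=frozenset({T1_HOP, DSL_HOP})):
    return policy_route(ROUTE_MAP, ACLS, pkt, reachable)


if __name__ == "__main__":
    smtp = {"proto": "tcp", "src": "10.1.1.10", "dst": "203.0.113.5", "dport": 25}
    print(route(smtp), route(smtp, {DSL_HOP}), route(dict(smtp, dport=80)))
```

The deny entry at the top of ACL 120 shows the subtle part: a deny in a route-map's match ACL does not drop the packet, it just makes that sequence not match, so the packet continues down the route-map and, if nothing else matches, is routed normally.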

Herv
Mar 24, 2005

Soiled Meat

CrazyLittle posted:

That was the answer - the ACL I added would never get matched because it was trying to match on the wrong vlan. Adding a route-map on the correct interface with a higher precedence number fixed it.

Good deal, glad to help.

By the way, have you had luck failing over to the second ip addresses in your set ip next-hop statements?

Herv
Mar 24, 2005

Soiled Meat

CrazyLittle posted:

Yeah actually. It takes about 20-30 seconds for the initial hop to "fail" with concrete results, but it actually does roll over. That suggestion came from the Cisco TAC group. It's a shame they're too dumb to implement a -real- OER configuration though :( It turns out the configuration I have running on that 1841 is an orphaned OER border/master that does nothing while the Policy-based routing does all the heavy lifting.

I wasn't sure if NAT was being used as well, saw the word a few times, but didn't know the interface configs. That can add another stick in the spokes for the set ip next hop, at least it did for me.

Go get some ram! :buddy:

Herv
Mar 24, 2005

Soiled Meat

Girdle Wax posted:

I don't think any 1600/1700 series hardware can do that. Your best bet's probably a 2621 or 2621XM which has 2 FE's built in, and 2 WIC slots (1 for WIC-1DSU-T1 and another for an ADSL WIC). Be forewarned that the ADSL WICs are quite expensive, it might be more cost effective to add another ethernet (with a WIC-1ENET) and plugging into a DSL modem/bridge.

I just bought a pair of WIC1 DSL's, off ebay, never had a problem.

Herv
Mar 24, 2005

Soiled Meat

Brinx posted:

IPSEC Stuff with overlapping IP4 subnets.
I didn't post my NAT configs, so I don't know if my VPN traffic is shooting out to the internet instead of my peer fw.

I do not think it would be possible to create a phase 2 sa when network 1 is a subnet of network 2. (e.g. 10.10.1.0/24 to a 10.0.0.0/8)

You want to get more specific on your 10.0.0.0/8 classification at the colo/hq/hub fw.

You also want to exclude any network that will traverse the VPN tunnel from NAT. Or just restrict all of RFC 1918 from NAT'ing.

The reason being that NAT is processed before IPSEC, even if you get the tunnel up by fixing the overlapping subnets, the source IP of all that traffic will be the public IP they are NAT'd behind.

At least that's how it used to work...
Hope this helps.

Herv fucked around with this message at 21:14 on May 29, 2007

Herv
Mar 24, 2005

Soiled Meat

quote:

sh isakmp sa shows:

That just shows the Main Mode/ Phase 1 SA. You want to check the Quick Mode/ Phase 2 SA with a 'sh cry ip sa'. If that is dropping then it will jibe with what they are seeing.

Do the phase 1 and 2 SA lifetimes match up on both firewalls?

Worst case make a startup script that runs silently, pinging across constantly. :shobon:

Herv
Mar 24, 2005

Soiled Meat

buspAss posted:

Shouldn't it retry to get a DHCP address after some point? Is there anyway to detect this condition(losing its address) and force it to reconnect? Is there any DHCP renew command that I'm just not seeing?

Check out these commands:

show ip dhcp binding

and in global config:

ip dhcp binding cleanup interval <n seconds>

You should be able to glean the lease information in the show command, and perhaps have it check for cleanups and re-binding at that interval.

Might help, might not.

Cheers

Herv
Mar 24, 2005

Soiled Meat
Well, IRB was superseded by RBE (route bridge encapsulation) but I still use a sub-interface. Try it on the main interface though.

http://www.cisco.com/warp/public/121/atm_bridging.html

Here's an RBE example. I do not believe I can enter an 'atm route-bridged ip' without being in a sub interface.

code:
interface ATM0/1
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/1.1 point-to-point
 ip address 151.204.xxx.xxx 255.255.255.0
 ip nat outside
 atm route-bridged ip
 pvc 0/35
  encapsulation aal5snap
CBWFQ will not work on an ATM interface. Fair Queuing can though, too busy to find the articles though.

The PIX will strip off any qos tags set by the phone, so I hope the voip can be classified by IP if possible (e.g. not going over a vpn with a bunch of other traffic).

Edit: I have done a combo with Priority Queuing on the IOS-FW so the DSL router gets the important traffic first.

PIX 501's suck rear end for voip compared to a 2600 with IOS-FW.

Herv fucked around with this message at 18:29 on Jun 20, 2007

Herv
Mar 24, 2005

Soiled Meat

ior posted:

One thing has always annoyed me with access-lists on cisco gear, namely editing them.
I'm aware that I can add / remove lines from it, but what about remarks, they are not numbered, so I guess it can't be done without cut 'n' pasting the whole thing. Any suggestions?

No sir, it's been either Text Pad, or VI for me for ages.

Maneki Neko posted:



Has anyone figured out a way to get the Vista VPN client to cooperate with a PIX (in my case a 515E)? Vista dropped support for mschapv1, and unless I'm crazy, I don't see mschapv2 as an option for auth for a PPTP VPN on the 515Es.

I've tried every combination of PAP (ugh) and CHAP on the PIX and on the client, but no dice.

What OS version is on the 515? Is there a reason to stick with PPTP over L2TP? I have the Vista client using MSCHAP v2 handing auth over to AD via radius, but with L2TP, using PIX 7.2.2(19).

I have to have a two factor auth system on ras to pass audits, whether with computer certs or pre-shared keys to get a phase 1 sa up so I can actually send the real user auth through.

Something to consider sir.

Herv
Mar 24, 2005

Soiled Meat

atticus posted:

You need to define the allowed VLANs on the trunk.

I am under the impression that all vlans are allowed across a trunked switchport unless explicitly pruned or enumerated. At least this is my experience on all COS/IOS switches. Then again this may be something new, I am part cobwebs.

I think I ran into a similar issue as the fellow with the problem, but I haven't used pix os 6.x in a while.

code:
access-group in_access_out in interface inside
I cannot find this access-list in your config.

Or this one for that matter.
code:
access-group outside_access_in in interface outside
Did you exclude those from the posted config? If not there's your starting point.

Having said that, if things are still not working...

Pull off your nat exclusion (nat 0) rules first. After all you just want to establish communication between the two networks. Whether through NAT or non-NAT you should be able to get across.

Herv fucked around with this message at 17:32 on Jul 5, 2007

Herv
Mar 24, 2005

Soiled Meat

Mierdaan posted:

Sorry; what I mean is that I can't ping any device on vlan1 from vlan101, nor vice-versa. Communication between all vlan1 hosts is fine, and communication between all vlan101 hosts is fine, it's just communication between the two vlans that isn't working.

Does that still point to trunking issues? I'd assume I'd have much bigger issues if there was something wrong with the trunk between the two catalysts.

If you can get web traffic with an external DNS server, you do not have a layer 2 problem sir. :)

Edit: got off my rear end and logged into a 3750, here's what a trunk config shows:
code:
interface GigabitEthernet1/0/24
description TRUNK_TO_2950-1
switchport trunk encapsulation dot1q
switchport mode trunk
mls qos trust cos
no mdix auto


Here's what the switchport shows with allowed vlans:
code:
Name: Gi1/0/24
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Herv fucked around with this message at 17:31 on Jul 5, 2007

Herv
Mar 24, 2005

Soiled Meat
No problem, I fixed that post. If the access list is referenced and applied to an interface, but no such list exists, you will get an implicit deny or perhaps some other wonkiness.

That was the cut of my jib on that one.

Herv
Mar 24, 2005

Soiled Meat

jwh posted:

How is that supposed to work when the voice network (vlan101) is a subnet of the inside interface's address space?

Wouldn't clients on the inside network just arp for 10.10.7.x hosts? Is the pix doing proxy-arp?

If the clients are running a /16 subnet mask they sure as heck won't hit the gateway.

The PIX should be able to figure out things just like a router in regards to 'subnetted' networks. Show route should... show that.

In an earlier post, some guy had overlapping IPv4 subnets (for defining lan to lan VPN) that would have not worked unless he changed his local 10/8 to a 10/24.

Herv
Mar 24, 2005

Soiled Meat

delslo posted:

update: while troubleshooting a Watchguard Edge device for a client today, I became so annoyed with it and the idea that ANYONE, much less a MANAGER* at my company would recommend such a pile of poo poo to one of our clients... that I placed my order for the ASA 5505 as soon as I got off the phone.

Seriously, you shouldn't have to tell a client that: "when someone in your office can't get to the internet, please power cycle your brand new firewall" (that some rear end in a top hat didn't spec right for you guys) to allow that person to get on (while kicking someone else off)

What, is it doing a nat pool with no pat overload?

Herv
Mar 24, 2005

Soiled Meat
The thing that pissed me off about Checkpoint was that so much hung off of pushing the policy and being the hero. This was version 4.x though. The NG seemed to be a bit better, and less wacky to bring up trust points (fw putkey, fw putlic, wow).

Once you wanted to get a little deeper past the gui, the config files were a little cumbersome. They seemed made to be edited with a gui only.

Having said that, I love CP because it runs (ran) on anything, the logging/filtering is the bees knees. Well it was last time I checked.

501 was a real let down. I am still pissed I didn't keep my PIX 'Classic'. Cool looking piece, even if it was a pc with 3 intel nics and booted off an ISA Flash card.

Herv
Mar 24, 2005

Soiled Meat

inignot posted:

It ended much like the ever replayed ski jump by Vinko Bogataj. I was only able to attempt 73 points given my lack of multicast or qos knowledge.

Congratulations on getting further sir. I have to start all over again and shake the rust off my skill set in that area.

I remember failing my first certification test. I was really let down, but then a friend told me 'The guy that gets up last, wins'. I got the wind back and passed it on the next try.

Of course that was a dos 6.2 / win 3.1 exam. I am sure the average failing rate for any ccie is a bit higher!

Looking forward to your 'I did it' post.

Herv
Mar 24, 2005

Soiled Meat

ILikeVoltron posted:

My config has changed a bit on both sides, following some of the info I've found in the Cisco article @ http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a87f7.shtml#CLI seems to have pointed to stuff I'm not really sure about, such as this line

nat (inside) 0 access-list inside_nat0_outbound

Site1:

code:
nat (inside) 0 access-list nonat_inside
nat (inside) 10 0.0.0.0 0.0.0.0
code:
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.10.0 255.255.255.0 
access-list ouside_cryptomap_1 extended permit ip 10.0.1.0 255.255.255.0 10.0.10.0 255.255.255.0 
code:
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set hunts-aes-md5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto map outside_map 1 match address ouside_cryptomap_1
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer 220.x.x.x
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
code:
tunnel-group 220.x.x.x type ipsec-l2l
tunnel-group 220.x.x.x ipsec-attributes
 pre-shared-key *
Site2:
code:
nat (inside) 1 10.0.10.0 255.255.255.0
code:
access-list inside_nat0_outbound extended permit ip 10.0.10.0 255.255.255.0 10.0.1.0 255.255.255.0 
access-list ouside_cryptomap_1 extended permit ip 10.0.10.0 255.255.255.0 10.0.1.0 255.255.255.0 
code:
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set hunts-aes-md5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto map outside_map 1 match address ouside_cryptomap_1
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer 206.x.x.x 
crypto map outside_map interface outside
crypto isakmp identity address 
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
code:
tunnel-group 206.x.x.x type ipsec-l2l
tunnel-group 206.x.x.x ipsec-attributes
 pre-shared-key *
edit: Also, I did a debug icmp trace 250 and got the following responses when trying to ping 10.0.10.14 from my box

code:
ICMP echo request from inside:10.0.1.57 to outside:10.0.10.14 ID=2382 seq=8 len=56
ICMP echo request translating inside:10.0.1.57 to outside:206.x.x.x
The 206 address is my outside interface, so it's not even trying to use the vpn tunnel AFAIK.

Hi there Mr Voltron Lover. I have poked around a PIX or 2 over the years as a hack. I think we should be able to get you up on the crypto maps. The first thing I was going to mention was NAT exclusion for the subnets in question.

NAT is processed before IPSEC on a PIX so if you don't exclude the traffic it goes over the tunnel (or misfires entirely and goes out on the internet) with the public IP address NAT/PAT is using. Looks like that is what's happening with your ping.

I don't see a NAT0 on the second device. NAT 0 means 'don't nat' essentially. The GUI/wizard should cover this these days pretty well if you get stuck.

Hope this helps!

Herv fucked around with this message at 14:42 on Feb 3, 2008
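Both of Herv's IPsec replies in this thread (the overlapping 10.10.1.0/24-inside-10.0.0.0/8 proxy IDs earlier, and the missing NAT exemption here) come down to checks a defender can run against a config before bringing a tunnel up. The following Python is an added example, not Herv's or Cisco's: it pulls the `permit ip NET MASK NET MASK` entries and the `nat (inside) 0 access-list` reference out of PIX/ASA-style text, then reports phase 2 proxy IDs that overlap, a crypto ACL whose traffic is not covered by the NAT-exempt ACL (NAT runs before IPsec), a `nat 0` that points at an ACL name that is never defined, and crypto ACLs that are not mirror images of each other across the two peers. The three sample configs are constructed, with site A and site B modelled on the Site1/Site2 snippets in the quoted post; the parser only understands the single `permit ip` line form shown there.

```python
import ipaddress
import re

ACE_RE = re.compile(r"access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
NAT0_RE = re.compile(r"nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)")


def parse_config(text: str):
    """Collect (src, dst) networks per ACL name, plus the ACL name that
    'nat (inside) 0 access-list ...' points at (None when there is no such line)."""
    acls, nat0_ref = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append((
                ipaddress.ip_network(f"{src}/{smask}", strict=False),
                ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0_ref = m.group(2)
    return acls, nat0_ref


def check_site(text: str, crypto_acl: str) -> list:
    """Findings for one side of a LAN-to-LAN tunnel; an empty list means nothing flagged."""
    acls, nat0_ref = parse_config(text)
    findings = []
    crypto = acls.get(crypto_acl, [])
    if not crypto:
        findings.append(f"no-crypto: ACL {crypto_acl} has no permit ip entries")
    for src, dst in crypto:
        if src.overlaps(dst):                       # phase 2 will not come up cleanly
            findings.append(f"overlap: proxy IDs {src} and {dst} overlap; narrow the wider one")
    if nat0_ref is None:
        findings.append("no-nat0: no 'nat (inside) 0 access-list'; NAT runs before IPsec, so tunnel traffic gets NATed")
    elif nat0_ref not in acls:
        findings.append(f"undefined-nat0: nat 0 references ACL {nat0_ref}, which is not defined")
    else:
        for src, dst in crypto:
            if not any(src.subnet_of(xs) and dst.subnet_of(xd) for xs, xd in acls[nat0_ref]):
                findings.append(f"not-exempt: {src} -> {dst} is not covered by {nat0_ref}")
    return findings


def mirror_mismatches(text_a: str, text_b: str, crypto_acl: str) -> list:
    """Every (local, remote) pair on side A must appear as (remote, local) on side B."""
    crypto_a = parse_config(text_a)[0].get(crypto_acl, [])
    crypto_b = parse_config(text_b)[0].get(crypto_acl, [])
    return [(s, d) for s, d in crypto_a if (d, s) not in crypto_b]


# Constructed sample configs: A is complete, B lacks the NAT exemption,
# C has the 10.10.1.0/24-inside-10.0.0.0/8 proxy ID problem.
SITE_A = """
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 10.0.1.0 255.255.255.0 10.0.10.0 255.255.255.0
"""
SITE_B = """
nat (inside) 1 10.0.10.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 10.0.10.0 255.255.255.0 10.0.1.0 255.255.255.0
"""
SITE_C = """
nat (inside) 0 access-list inside_nat0_outbound
access-list inside_nat0_outbound extended permit ip 10.10.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list outside_cryptomap_1 extended permit ip 10.10.1.0 255.255.255.0 10.0.0.0 255.0.0.0
"""

if __name__ == "__main__":
    for name, cfg in (("A", SITE_A), ("B", SITE_B), ("C", SITE_C)):
        print(name, check_site(cfg, "outside_cryptomap_1"))
    print(mirror_mismatches(SITE_A, SITE_B, "outside_cryptomap_1"))
```

Site B reproduces the symptom in the `debug icmp trace` output above: with no `nat 0` exemption the inside source is translated to the outside interface address before the crypto map ever sees it, so the packet never matches the crypto ACL.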

Herv
Mar 24, 2005

Soiled Meat
Ask for a Visio, or make one yourself and send it over for modifications. Without seeing the forest from the trees you are in for a rough ride.

Hope this helps.

Herv
Mar 24, 2005

Soiled Meat

reborn posted:

I have a pretty simple question in theory but I'm having some real trouble with it. I have a Cisco ASA 5505 running 7.2(1). It's sitting behind a cable router setup in bridge mode. The issue is that I want to run a public server behind the firewall. I have it setup, however the captures show that all of the packets hit the firewall then drop like they have nowhere to go. They are not dropping due to the acl so I was thinking the NAT but I have a specific NAT tied to the external IP address back into my internal server IP address. I mean this isn't a difficult task at all... in fact it's the most basic and simple of tasks but it just will not work.

Now my hunch is that there may be some issue with only having an outside interface ip pool of 1 for static NATing?

<Cloud> -> Cable Bridge -> DHCP Outside interface -> NAT to internal IP / ACL allow -> Inside interface -> Server/Switch

I mean I've watched the packets and the logs on the firewall and it points me straight at a NAT issue everytime but nothing else has a problem traversing the interfaces except for these inbound connections.

You are going to have to allow the port(s) you are NAT'ing to the outside interface acl. I am not sure where your acl is just yet.
code:
access-list 101 permit tcp any <outside_interface> eq 80
Post your config sans public info and I am sure we can get you going.

Herv
Mar 24, 2005

Soiled Meat
OK the one x factor is I don't use these things in Bridged mode, just Routed. I was assuming that traffic was working outbound, and that inbound port forwarding wasn't. Looking at the config, I am surprised it is working at all, but this may be due to 'bridged mode'.

Having said that (could all be wrong based on that one fact) looking at the config you are NAT'ing the entire outside interface to the 192.168.1.29 host. Normally on single IP interfaces you would do a static tcp map.
code:
static (inside,outside) tcp interface 6060 192.168.1.29 6060 netmask 255.255.255.255
NAT'ing the port is one step, but you have to let it through the ACL properly.

code:
access-list outside_access_in permit tcp any <outside interface> eq 6060
What IP address is Reborn-Outside? Try to replace that with <outside interface>

I don't see a NAT 1 statement to correspond with your GLOBAL 1. poo poo, not sure if that is due to bridged, but there should be a

code:
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
in there at the very least.

The Global 2 is another weird one, but we can leave that alone for now.

I never use outbound access lists, but I am not sure about your local living arrangements and such.

Hope this helps a bit.

Herv
Mar 24, 2005

Soiled Meat

reborn posted:

Ignore the router being in bridged mode. Look at it this way. When I take the firewall out of the picture there are no issues. With the firewall in I have trouble but the packets are getting to the firewall. The blanket NAT really is just to cover my bases. I was beating my head against the wall so hard with this that I decided to take out all the random problems that could come up. I've tried a blanket ACL for all ports, I've tried the blanket NAT, and I've tried just about everything. I'll try adding a NAT 1 statement and narrowing my port NAT to the ports I need.

Oh, router in bridged mode. Once again, I misunderstood. The PIX/ASA can operate as a router or bridge, hehe. But let's keep it simple and not talk about bridging firewalls, they are too loving weird. :)

Ok in a nutshell:

NAT 1 statement will allow OUTBOUND connections, and it latches onto its corresponding GLOBAL 1 statement. This means that NAT 1 0.0.0.0 0.0.0.0 0 0 will allow ANY IP address behind the firewall to make an outbound connection, using the outside interface's IP address.

Your 'blanket' NAT will actually break things if you only have one public ip address. Bottom line, you do not want to forward all 65535 TCP, UDP, and ALL IP PROTOCOLS from your ASA's outside interface to the inside PC. The ASA actually needs to receive some traffic, not forward it ALL to the inside PC. Hope this is becoming more clear.

Having said that, do you see how weird your GLOBAL 2 is just sitting there, with no corresponding NAT statement. In fact, delete that poo poo.

Take out the NAT statement you have, put in a nat 1 0.0.0.0 0.0.0.0 for the simplest version of that line.

You should immediately be able to surf the web, if not blocked by ACL's.

Now for inbound connections, make the TCP nat statements as needed. On both interfaces (just for troubleshooting) put PERMIT IP ANY ANY at the top of the ACL, use the GUI for this.

Once you know you can pass traffic put an ACL on the outside interface, BUT keep in mind it doesn't matter if you are NAT'ing a single IP address. If the port isn't NAT'd its not going through.

With wide open ACL's you are just left with NAT to govern the network traffic which is where your stick in the spokes is.

This advice is now guaranteed(tm) seeing how your router is bridged and the firewall is in 'routed' mode.

Just forget anything I said about a bridging firewall, they are just too fugggin weird and I was going to ask you what the gently caress you were doing with a bridging firewall on a home network, but nevermind that. :)

Hope this gets yer ASA going, and if all else fails wipe it and use the setup wizard!
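
Putting the pieces from the two posts above together as one routed-mode config. This is an added example, not Herv's or reborn's actual config: the 192.168.1.29 host, TCP/6060 and the outside_access_in name come from the thread, while the VLAN layout, the inside subnet and the check commands at the end are assumptions.

```cisco
! Added example, not from the thread: minimal ASA 5505 7.2(1) routed-mode
! setup for one DHCP-assigned public address with outbound PAT and a single
! inbound port forward. Host 192.168.1.29, TCP/6060 and the ACL name come from
! the posts above; VLAN layout, inside subnet and check commands are assumptions.
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
! Outbound: nat 1 pairs with global 1. Every inside host is PAT'd behind
! whatever address DHCP hands the outside interface.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Inbound: forward only TCP/6060 on the outside address to the server.
! A blanket "static (inside,outside) interface 192.168.1.29" would hand the
! whole public address (every port and protocol, including the ASA's own
! management listeners) to that host. Forward exactly what you serve.
static (inside,outside) tcp interface 6060 192.168.1.29 6060 netmask 255.255.255.255
!
! In 7.2 the inbound ACL is matched against the translated (outside) address,
! so the destination is the outside interface itself, not 192.168.1.29.
access-list outside_access_in extended permit tcp any interface outside eq 6060
access-group outside_access_in in interface outside
!
! Checks once it is in (assumed commands, all present on 7.2 images):
!   show xlate   - the static should appear as a PAT entry for port 6060
!   show nat     - confirms the nat 1 / global 1 pairing and the static
!   packet-tracer input outside tcp 203.0.113.5 40000 <outside-ip> 6060
!                - walks a simulated inbound SYN through NAT and the ACL;
!                  203.0.113.5 is a documentation address, and <outside-ip>
!                  is whatever DHCP gave the outside interface
```

The security point is the shape of the static line: `tcp interface 6060` exposes one listener, whereas a plain `static (inside,outside) interface <host>` plus a wide-open ACL turns the ASA into a forwarder for the entire public address, which is the "blanket NAT" being warned about above. If packet-tracer reports a drop at the NAT or ACL phase, that tells you which of the two lines to fix.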

Herv
Mar 24, 2005

Soiled Meat

ionn posted:

What can cause a router to not see any CDP neighbors (and not show up on other routers)?

I have a 2801 router, which simply doesn't see anyone else on CDP. I'm pretty sure it used to, but now it plain refuses to.
It is actually the 2801 I'm having some NAT questions about. It has a twin brother (they serve the same client networks with HSRP), and that one looks just as it should.
HSRP works fine, it seems to have settled down without any further errors. OSPF neighbors show up as they should, but CDP is completely silent. Looks like this:

I tried reloading router01 (hence the low packet count), with no change (HSRP still worked fine during the reload). router01 and router02 have nearly identical config, with no access lists blocking stuff on Fa0/0 or Fa0/1.37, and no statements at all regarding cdp. I've done "cdp run" and "cdp enable" (on the interfaces), but just as expected, it doesn't change anything since that's the default.

It's a Chinese knock off. They never got CDP right.

Herv
Mar 24, 2005

Soiled Meat

permanoob posted:

Awesome. I see exactly what you mean. I'll work it out from here. Thanks a ton.

The conduit command at least sounded more reasonable. I am opening a conduit to this host.

Ahh well, its all good in the hood.

Herv
Mar 24, 2005

Soiled Meat

jwh posted:

Also, is anyone doing 802.1x with the stock Microsoft XP 802.1x supplicant? I have some questions about that thing too.

No clue on the rogue detection stuff, but I am using the windows built in 802.11x EAP (PEAP) client with an 1130, using the microsoft radius server.

It's been up for a couple years, very reliable. If you try to brute force in, you lock out accounts if you actually guess one.

Vista and Win7 seem to do a lot better with initial logons though. XP wants you to log in wired first it seems.

Herv
Mar 24, 2005

Soiled Meat
When I was using certificates instead of PEAP there seemed to be a 15 second pause when all the systems had to agree that you were legit. That's about it.

I am not doing any vlan assignment for authed users or guest vlans for those that don't (same for wired). It sounded pretty cool but I just didn't have a need for it. Small shop and all.

Herv
Mar 24, 2005

Soiled Meat

brent78 posted:

Can someone post or email a config for a Cisco AP1100 that's using WPA/TKIP, 802.1x / PEAP.

This config should work. If things still fall apart, you can debug things to a certain point.
code:
1130AG#sh run
Building configuration...

Current configuration : 2907 bytes
!
! Last configuration change at 09:33:17 GMT Tue Jun 3 2008 by admin
! NVRAM config last updated at 10:09:13 GMT Sun Aug 24 2008 by admin
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1130AG
!
enable secret 5 *****************************
!
clock timezone GMT -5
ip subnet-zero
ip domain name company.com
ip name-server 10.5.1.99
!
!
aaa new-model
!
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad-scci
 server 10.5.1.48 auth-port 1645 acct-port 1646
!
aaa authentication login eapprofile1 group rad-scci local
aaa authentication dot1x eapprofile1 group rad-scci
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
dot11 ssid SSID-WPA
   authentication open eap eapprofile1
   authentication key-management wpa
   information-element ssidl advertisement wps
!
power inline negotiation prestandard source
eap profile eapprofile1
 method mschapv2
!
!
!
username admin password 7 ***************
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm tkip
 !
 ssid SSID-WPA
 !
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 hold-queue 160 in
!
interface BVI1
 ip address 10.11.1.2 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.11.1.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.5.1.48 auth-port 1645 acct-port 1646 key 7 ***************************
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 exec-timeout 35791 0
 privilege level 15
!
sntp server 10.5.1.254
sntp broadcast client
end
Edit: Cleaned up some minor crap in case someone tries to use this later on.

Herv fucked around with this message at 00:32 on Jan 22, 2009

Herv
Mar 24, 2005

Soiled Meat

brent78 posted:

I have a pair of stacked 3750's (love em), with a few vlans. One vlan carries public traffic, another is dedicated to SAN (iSCSI). I'd like to set the system mtu to 9000 to use jumbo frames on the SAN for better performance. What's going to happen to traffic on my public vlan that uses an mtu of 1500? Will it work?

I have mixed and matched 1500 with 9000 no problem, and it was on a 3750 for what it's worth.

Did the 1100AP get going or what?

Herv
Mar 24, 2005

Soiled Meat
If CBWFQ is not enabled in your image, how about Priority Queuing?

Basically you want to tag the traffic inbound from the lan (and on the switch if you run dot1q between switch and router) and apply the policy on your wan interface.

If you can't classify the traffic (no CBWFQ) with layer 2 or 3 QoS bits you want to downgrade, you can still use access lists. Make an access list with all the traffic you want to give priority to like esp, or whatever your IP phone is using to get to the server, web surfing, etc. By default the traffic not classified in that list will get the normal queue.

You get 4 queues; High, Medium, Normal, Low

code:
3660-1#sh queueing interface serial 3/0
Interface Serial3/0 queueing strategy: priority

Output queue utilization (queue/count)
high/350169 medium/0 normal/19073366 low/0

This is some T1 that is doing a simple queue to make sure some guy's IP phone calls aren't lovely when others are banging away at the circuit grabbing source code or something not as time sensitive.

If the router says it supports QoS, I would assume that it will read various QoS settings (layer 2 802.1q cos tags, layer 3 IP Precedence and DSCP bits), and 'trust' the value. Not sure how it would act on it if its crippled. Maybe there is a default config and you cant touch it?

e: In a perfect world, your IP phone would hit the switchport on a dot1q trunk. The phone is probably throwing out dot1q cos 5 tags if you set it to trunk. If it is coming out with a cos of 1 you can just change the tag right there to a 5 on ingress. The PC is on another switchport, banging away at a cos of 1. When the IP phone frame exits the switch into the router once again they agree on the cos5 for the ethernet frame that contains the voice stream. The router sees the cos5 tag, checks its queuing strategy and policy and sticks it in the high priority queue like the guy's vpn in the example above. For traffic coming within a node, just classify it in an access list by inclusion or exclusion upstream.

e2: Not sure why I thought the guy had DSL. See if you can do show commands against the default global policy.

Herv fucked around with this message at 01:41 on Feb 11, 2009

Herv
Mar 24, 2005

Soiled Meat

jwh posted:

Correct me if I'm wrong, but he doesn't have a Cisco IP Phone. He has a 3560G, a PC, and a 851.

Yep you are right, my post was pretty cluttered. I had thought he was eventually going to get one in, but wanted to fake out the 851 since apparently the product lit says it can support some basic QoS. The 'IP Phone' here is the end station that he is trying to tag with Precedence ToS and DSCP values to fake out the 851. I could have been more clear but that's what I get for trying to make an all in one QoS post.

I still find it sad that they crippled the 851 like that. You can get a 2621 doing everything (DMVPN, AES192, OSPF, NAT/PAT, RAS VPN, CBWFQ/PQ on a FiOS 20/5 @ 30 percent on the CPU while encrypting an IP phone conference hosting 5 callers) except the wireless for 50 bucks, how lovely. I just checked an 871 (c870-advipservicesk9-mz.124-22.T.bin) and was able to set up a quick class and policy map, and give it priority. Looking at the images for the 851 (c850-advsecurityk9-mz.124-15.T8.bin) you would think some of the same features were available. I don't have one, I can't check. Must be the ip in the file name. I thought the image features were the 'k9-mz' part of the filename, but haven't looked it up in ages.

My asa 5505 is crippled unless I want to buy an upgrade license, this must be some new thing. I thought that Failover and Physical interface count were the limiting factors. I have an 871, but it has no PoE for my IP Phone. I just can't win.
It's very important that my office extension is available with all features like hosting conferences. It's the easiest way to sham it and work in your PJ's. My home office chair is more comfortable, nobody can hear the difference. :)

The IP Phone in a Perfect World example using the Queuing was more of a general outbound QoS situation in one of the trickier situations with end to end priority.

I didn't even cover pulling inbound traffic off the wan circuit, marking it up and sending it out to beat up all the other ethernet frames in the layer 2 switch yard. :(

e: Added part to ios images.

Herv fucked around with this message at 08:55 on Feb 11, 2009

Herv
Mar 24, 2005

Soiled Meat
Oh cool, thanks I didn't know that.

Here's a quick and dirty PQ setup, and it will do what you need on the uplink to push ahead of any BT or otherwise unspecified traffic.

code:
interface Serial3/0
 ip address 151.204.xxx.xxx 255.255.255.252
 no ip redirects
 no ip unreachables
 ip nbar protocol-discovery
 ip route-cache flow
 priority-group 1

access-list 120 permit <my important data e.g. TCP> any any eq <my important port>

priority-list 1 protocol ip high list 120
I usually max the memory on everything, makes it safe to deepen the queues.
code:
priority-list 1 queue-limit 32767 32767 32767 32767
Each queue will hold 32k packets, if you have enough packet memory.

One warning of course is that traffic in a lower queue will not go out until a higher queue is empty. You can/will drop traffic if you try to queue more than the max 32k packets, the show commands will see if it is happening. I didn't make the product, I only use it.

Hope it works!

e: I just have normal access to images, and couldn't find anything but the same advanced services in 12.4 or 12.3. The old IOS image site just lists one image set for the 851.

By standard commands, I figured you were talking about the lack of CBWFQ commands from before.

Herv fucked around with this message at 09:41 on Feb 11, 2009
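
A fuller version of the PQ setup from the two posts above, added here as an example rather than taken from Herv's router. The interface, addresses and the "important traffic" selectors (SIP on UDP/5060, RTP on UDP/16384-32767, DSCP EF) are assumptions standing in for the placeholders in the original; the mechanism is the same.

```cisco
! Added example, not Herv's config: legacy Priority Queueing on a WAN uplink
! for an image without CBWFQ. Interface, addresses and the voice selectors
! (SIP UDP/5060, RTP UDP/16384-32767) are assumptions; substitute your own.
!
! 1. Pick out the traffic that goes to the high queue. Keep this list tight:
!    whatever matches it starves the other queues for as long as it flows.
access-list 120 remark voice signalling and media
access-list 120 permit udp any any eq 5060
access-list 120 permit udp any any range 16384 32767
!
! Alternative selector for hosts that already mark their packets EF (DSCP 46).
! Only use it where you control the marking hosts: a DSCP tag set by an
! untrusted PC jumps the queue just as well as one from a real phone.
access-list 121 permit ip any any dscp ef
!
! 2. Build the list. Four queues: high, medium, normal, low. Unmatched
!    traffic lands in normal by default; the last line just makes it explicit.
priority-list 1 protocol ip high list 120
priority-list 1 protocol ip high list 121
priority-list 1 default normal
!
! 3. Queue depths in packets, order high medium normal low (IOS defaults are
!    20 40 60 80). Deeper queues need packet memory; overflow is tail-dropped.
priority-list 1 queue-limit 40 40 120 80
!
! 4. Apply on the egress (WAN) interface only; PQ is an output mechanism.
interface Serial0/0
 description WAN uplink
 ip address 192.0.2.2 255.255.255.252
 priority-group 1
!
! 5. Verify: the strategy reads "priority", the high counter climbs during a
!    call, and the drop counters show if a queue is overflowing.
!   show queueing priority
!   show queueing interface serial0/0
!   show interfaces serial0/0
```

The caveat is strict priority: the router drains the high queue completely before it looks at normal, so any host that can send traffic matching list 120, or that marks its own packets EF, can starve the rest of the site behind that uplink. That is why the selectors are port-specific rather than `permit ip any any`, why the DSCP match is optional, and why the drop counters in the show commands are worth a look after the change.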


Herv
Mar 24, 2005

Soiled Meat

Powercrazy posted:

Also ironically enough, when I googled for 851 QoS, it brought me to this thread on page 3, where I'm asking the same question. With my better experience and overall knowledge I'm able to understand better the solutions that were presented to me, or rather understand why they won't work on my router.

Jesus, and yeah I answered back then too, early 07, this thread really is toddler age now. Sorry for pushing the PQ on yah 2 times. :)
