|
Mierdaan posted:Hey, I just did this in reverse! Heh, we are all 'idiots' as we trod along towards the goal of proficiency. Just like snowboarding, everyone has a first day, month, year, decade. No one is above it! I will never forget trying to teach myself PIX (4.x?) when the Cisco documentation ran off a CD and was displayed in a cheesy Tomcat web server on my laptop. "Bitches walk out my crib with a limp, cause I'm the motherfuggin pimp." (Flow provided by the PIX) I limped to my car on many an occasion in the 90's. Cheers
|
# ¿ Jul 31, 2009 15:30 |
|
|
# ¿ May 14, 2024 00:01 |
|
Cisco short question:(wireless) I have a user (owner) in Boca Raton with lovely wireless (871w). A quick look at his radio interface shows input, output, and CRC errors. I do a 'dot11 dot11Radio 0 carrier busy' test and get this: code:
Thanks
|
# ¿ Aug 3, 2009 15:55 |
|
Well, 15 minutes on the initial call, 1 hour with the tech support, and they are sending me a new unit. While the carrier busy test @ 100 percent was a bug listed for other APs, the unit would throw a ton of CRC errors with NO clients connected. I asked how long an 871w would be under warranty, and the initial support person really wasn't sure, but thought 1 year sounded good. The End (Hopefully). e: Here's the bug doco if anyone is interested. http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsl98287 Herv fucked around with this message at 18:59 on Aug 3, 2009 |
# ¿ Aug 3, 2009 18:30 |
|
Partycat posted:They can, for sure, bill you for it, however. Sometimes they can forget for years and years as well.
|
# ¿ Aug 5, 2009 16:07 |
|
Bumped into this little (forgotten) gem today. It hides in the telco closet passing VoIP traffic all day. 2950-4 uptime is 1 year, 20 weeks, 6 days, 11 hours, 3 minutes Quality was an issue so I wanted to check things end to end for the first time in forever. Not one error in just under 1.5 years, well poo poo. code:
|
# ¿ Aug 21, 2009 02:16 |
|
Tremblay posted:But yes, its nice when poo poo just runs . I saw that! Tellin yah.
|
# ¿ Aug 21, 2009 05:57 |
|
inignot posted:I can't claim credit for this, as I've only been at this place a year: Nice metrics there, sure it's ancient, but I guess it's still slinging it as per spec at worst. There was an 'uptime' thread around here a few years back. I think some BSD box had the big score but poo poo 4+ years has to be a top 3 at least. Man, someone should bounce it just to be 'that guy'. Not me though.
|
# ¿ Aug 22, 2009 04:20 |
|
jbusbysack posted:June 30, 2010 is the end of the existing 4-exam CCNP track for non-Network Academy people. After that it's more or less mix and match of the old/exams, so really get running on it. The funny thing is that it used to be: Routing, Switching, Dial Up!, Troubleshooting. That's what my CCNP was tested on and the courses were ACRC and whatnot. This is late 90's though. Figures they are changing, I recently started up the cert thing again, not really sure why but just in case I have to look for another gig and don't feel like using MS Project all the time.
|
# ¿ Dec 21, 2009 19:17 |
|
Weissbier posted:Anyone know a thing about multicasting?
Well, with what I have at the moment this is what I can add to what has been said:
ip multicast-routing (this is the command to enable mrouting globally, sounds good)
ip pim rp-address 10.100.250.2 (this is the hard coded rendezvous point of 10.100.250.2). This means that the local router thinks 10.100.250.2 is the root of the multicast tree.
ip pim sparse-dense-mode This just states that the internal router will build both types of multicast trees, Sparse and Dense. Dense mode assumes that a multicast group's recipients are located on every subnet. In sparse mode, the multicast tree is not extended to a router unless a host there already has joined the group.
Here's the show commands, what are they giving?
show ip mroute
sh ip pim interface (should help see what routing interfaces are seeing what)
sh ip pim neighbor
show ip pim rp
e: You should also make sure IGMP is enabled on all layer 3 interfaces in between point a and b. Should be version 2. Not sure if when you turn on pim this is taken care of.
show ip igmp interface
show ip igmp groups
code:
show ip igmp snooping <vlan>
show multicast router igmp
show multicast group igmp
Hope this helps, I have to get better with multicasting as well. Herv fucked around with this message at 01:52 on Jan 29, 2010 |
# ¿ Jan 29, 2010 01:31 |
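To make the dense-versus-sparse distinction from the post above concrete, here is a small added model (example code, not anything from the thread or from Cisco): three routers, one multicast group, and IGMP membership reports on some subnets. Dense mode floods to every attached subnet and then prunes the ones with no members; sparse mode only forwards where a member has joined and sends a Join toward the RP. The router names, subnets, group address and RP address are constructed for the example; only the RP value 10.100.250.2 comes from the post.

```python
"""Toy model of PIM dense vs sparse forwarding decisions (constructed example)."""
from dataclasses import dataclass, field

@dataclass
class Router:
    name: str
    subnets: list                                   # directly attached subnets
    igmp_joins: dict = field(default_factory=dict)  # group -> set of subnets with members

def dense_mode(routers, group):
    """Dense mode: flood the group out every attached subnet, then prune the
    subnets that report no IGMP members for it."""
    state = {}
    for r in routers:
        flooded = set(r.subnets)
        members = r.igmp_joins.get(group, set())
        state[r.name] = {
            "flooded": flooded,
            "pruned": flooded - members,
            "forwarding": flooded & members,
        }
    return state

def sparse_mode(routers, group, rp):
    """Sparse mode: a router only sends a PIM Join toward the RP when one of
    its subnets has an IGMP member; subnets without members never see traffic."""
    state = {}
    for r in routers:
        members = r.igmp_joins.get(group, set())
        state[r.name] = {
            "join_sent_to_rp": rp if members else None,
            "forwarding": set(members),
        }
    return state

def sparse_dense_mode(routers, group, rp):
    """Models 'ip pim sparse-dense-mode': sparse when an RP is known for the
    group, dense fallback when no RP is known (assumption: rp=None means unknown)."""
    return sparse_mode(routers, group, rp) if rp else dense_mode(routers, group)

def subnets_carrying_traffic(state):
    """How many subnets end up forwarding the group under a given mode."""
    return sum(len(s["forwarding"]) for s in state.values())

# Constructed topology: R2 has a member on 10.2.0.0/24, R3 has none.
GROUP = "239.1.1.1"
RP = "10.100.250.2"   # the hard-coded RP from the post
ROUTERS = [
    Router("R1", ["10.1.0.0/24", "10.1.1.0/24"], {GROUP: {"10.1.1.0/24"}}),
    Router("R2", ["10.2.0.0/24"], {GROUP: {"10.2.0.0/24"}}),
    Router("R3", ["10.3.0.0/24", "10.3.1.0/24"]),
]

if __name__ == "__main__":
    for mode, state in (("dense", dense_mode(ROUTERS, GROUP)),
                        ("sparse", sparse_mode(ROUTERS, GROUP, RP))):
        print(mode, "subnets forwarding:", subnets_carrying_traffic(state))
        for name, s in state.items():
            print(" ", name, s)
```

The useful comparison is the "flooded" set in dense mode against the "forwarding" set in sparse mode: the same two subnets end up receiving traffic, but dense mode first pushes the group onto all five subnets before pruning three of them, which is the behaviour that makes `show ip mroute` on a dense-mode router show pruned entries for groups nobody asked for.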
|
Ok cool, for the last one (show ip pim rp) it looks like it wants to dump traffic to the 10.100.250.2 for all those multicast groups listed. Is that another router that the PCs are behind or what? Strange it's not showing up as a neighbor. There's a sh ip pim rp mappings that will show you where it thinks groups should go as well. Herv fucked around with this message at 02:05 on Jan 29, 2010 |
# ¿ Jan 29, 2010 02:02 |
|
Ok I would just yank out that line: ip pim rp-address 10.100.250.2 for now and set the rp to auto discovery with this: ip pim send-rp-discovery (says I am an RP mapping agent) ip pim send-rp-announce (says I can be an RP) only if just pulling the first doesn't fix things. Not sure if you have to have some type of RP configured or not, sorry. e: nevermind Herv fucked around with this message at 03:04 on Jan 29, 2010 |
# ¿ Jan 29, 2010 02:31 |
|
Cisco Short Question: I am trying to create an EAP Profile on an 871w. Normally, on an Aironet AP (e.g. 1131AG) I just issue the below command. It's not available in my image command set on the 871w though. Command I normally Use: code:
Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3) Normally after 10 minutes of searching I can usually find anything, but coming up short here. I have the command on my 6506, but not 7206. This kind of crap is annoying. Any ideas? Thanks! Herv fucked around with this message at 19:24 on Feb 22, 2010 |
# ¿ Feb 22, 2010 19:22 |
|
Powercrazy posted:You have to get into identity profile mode first. I am not even getting that option. It would be a crime to have to send down another AP if the 871w can't do PEAP auth. code:
E: Wait a sec, bought this thing new just a few days ago. Going to have my engineer call up!
|
# ¿ Feb 22, 2010 21:32 |
|
Cisco Product Lit posted:Q. Do the integrated access points in the Cisco 800 Series Routers support local survivable authentication? Where's my PEAP? Not looking too good, crap. Still going to have to call in to make sure but looks like I will just have to send down an 871 and 1131 to get the job done.
|
# ¿ Feb 23, 2010 15:45 |
|
Wow, three hours on the phone with India and still nothing. They are telling me the device supports PEAP but the only auths they have been able to register with my radius server is EAP and PAP. I have an XP, 7 laptop, and 2 iphones that can't connect to the 871w but work fine on the other APs. They tell me wait for 10 mins, then I get this: Hi Herv, I have checked the details and you should definitely be able to use PEAP on this router. Unfortunately my shift ends at 5:00pm EST and I have to leave now. As you need immediate assistance today to get this working, please call on 1-800-999-9999 and you will get an engineer immediately. I will come in tomorrow and view the case notes and contact you. I have updated the case notes with the latest information and the config on the router. Please feel free to contact me anytime tomorrow. ... rear end kickin chicken baby...
|
# ¿ Feb 23, 2010 23:25 |
|
Tremblay posted:Tell them to escalate your case. Thanks. Got my escalation, now we are up to another hour of watching them 'gently caress a football' over a webex session. Unfortunately time is becoming a problem, higher ups already asking if I have other equip to meet the need. I need Dallas, he rocked when I had to work with him. Not sure if he's still with the TAC or not.
|
# ¿ Feb 24, 2010 17:11 |
|
Update: things work (well on a local LAN)! Apparently PEAP gets mangled across a VPN? Oh well, this is progress at least. Time to hack with the last details. code:
|
# ¿ Feb 24, 2010 17:56 |
|
jwh posted:It's been dying for twenty years and it's still not dead. In some dark, dystopian future, amidst the irradiated wasteland, there will be two things: cockroaches and frame-relay. Don't forget Keith Richards.
|
# ¿ Mar 1, 2010 19:01 |
|
wolrah posted:Of course this did lead me to wonder why an entire /8 is reserved for localhost. The ironic thing is they fixed this for IPv6. It's a /128. Not sure why they just didn't make the IPv4 loopback a /32 around 1995.
|
# ¿ Mar 3, 2010 21:24 |
|
Well poo poo, how about that, they did spec out a /32 on the loopback. I never looked at that RFC. Learned something new there. Would you believe that whole /8 is still reserved on my Windows 7 PC? Then again they could just release a patch if someone starts hosting funny cat videos on the 127.0.2.2 and folks can't get there. <panic> Still not sure why they didn't take over the 127 network long ago. So they keep Windows 95, Solaris 4, Linux (Manhattan) from getting to that network until they are patched. Big whoop, you live without the 127 besides the loopback, you aren't depending on any services. Same for routers, patch and bounce. By now all the newer OSes would have been OK from the get go. More rambling, I wish IPv6 was a 64 bit address space or so. I would think in 100 years we would have something else as a unique identifier. 128 bit is crazy big and saying it out loud takes too long. code:
|
# ¿ Mar 4, 2010 01:08 |
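A quick way to see what the two posts above are arguing about is to ask the host's own address logic, which is what the OS consults before any packet leaves. The added example below (my code, not from the thread) uses Python's standard ipaddress module: it reports whether an address such as 127.0.2.2 is still treated as loopback, how many addresses each reserved loopback block burns, and what fraction of the whole address family that is. The sample addresses other than 127.0.2.2 are constructed.

```python
"""Loopback reservation sizes in IPv4 (127/8) and IPv6 (::1/128), via ipaddress."""
import ipaddress

IPV4_LOOPBACK = ipaddress.ip_network("127.0.0.0/8")  # the whole reserved /8
IPV6_LOOPBACK = ipaddress.ip_network("::1/128")      # a single address

def classify(addr: str) -> dict:
    """How the host's address logic sees an address before routing it."""
    a = ipaddress.ip_address(addr)
    return {
        "version": a.version,
        "loopback": a.is_loopback,   # True for every 127.x.x.x, only ::1 in v6
        "private": a.is_private,     # RFC 1918 / ULA and other non-global ranges
        "global": a.is_global,       # would be routable on the public internet
    }

def reserved_count(net: ipaddress._BaseNetwork) -> int:
    """Number of addresses the reservation takes out of the family."""
    return net.num_addresses

def fraction_of_family(net: ipaddress._BaseNetwork) -> float:
    """Share of the total address space consumed by the reservation."""
    bits = 32 if net.version == 4 else 128
    return net.num_addresses / (2 ** bits)

def would_stay_on_host(addr: str) -> bool:
    """True if a packet to addr never leaves the machine (loopback semantics)."""
    return classify(addr)["loopback"]

if __name__ == "__main__":
    for a in ("127.0.0.1", "127.0.2.2", "::1", "::2", "10.1.1.1", "198.51.100.7"):
        print(a, classify(a), "stays local:", would_stay_on_host(a))
    for net in (IPV4_LOOPBACK, IPV6_LOOPBACK):
        print(net, "reserves", reserved_count(net), "addresses,",
              f"{fraction_of_family(net):.3e} of the family")
```

The numbers are the point of the argument: the /8 reserves 2^24 addresses, 1/256 of IPv4, while the IPv6 reservation is exactly one address. Whether a stack forwards 127.0.2.2 or drops it locally is an implementation choice, but the standard library treats the whole block as loopback, which is the same assumption the poster found on his Windows box.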
|
Forgive me for not putting a proper effort, but I can't find a general AGS+ hardware guide. I have forgotten what cards are what, past the CPU/MCI's and am getting a lot of 404s on cisco.com. Was hoping to get old nelly up on the internet so she can see how much has changed. I have ethernet or FDDI, really hoping I can get the cards in the proper multibus/cbus slot and get the ethernets connected properly. Gonna have to snag a better 8.x IOS as well.
|
# ¿ Jul 3, 2013 00:17 |
|
ragzilla posted:http://sobek.su/Docs/univercd/cc/td/doc/product/core/cisagspl/agscfig/43494.htm Thanks Ragz, I appreciate it. Stay tuned.
|
# ¿ Jul 3, 2013 01:18 |
|
Hrm, what's the MTU on both sides of the circuit? Sometimes mismatched MTUs will cause a silent drop of ethernet frames. I know, you are dumping link state (e: Kinda dropping link state) when trying to send data, and it works everywhere else, but hey might as well check it out. Trying a crossover cable (I know, shouldn't need it) shouldn't fry the transceiver(s) so there's another die to roll.
|
# ¿ Jul 9, 2013 21:31 |
|
CanOfMDAmp posted:As soon as I find one in this mess of a lab I'll give that a shot as well. Wouldn't surprise me to find that's the issue, it does seem to look like that. Hey, a win is a win! The 1600 was probably on a 1500 byte MTU for E0 anyhow which is fine for straightforward traffic (no encryption, tunnel encapsulation). I figured the mismatch would be on the other side (not a Cisco apologist). You can always make a bushmaster crossover by cutting a patch cable in half and manually twisting the wires to cross pins 1-2 and 3-6. Just be careful you don't make an etherkiller. Glad the short term setup has a chance!
|
# ¿ Jul 10, 2013 16:18 |
|
falz posted:Buy a used 3825 from eBay for $200. Buy another as a cold spare. This is usually what I do, but I have control over procurement for my org. I would rather purchase grey market, two of everything with as much automatic failover as possible, for 40 cents on the dollar. Works for me at least.
|
# ¿ Jul 16, 2013 14:50 |
|
While that does suck, can't you get Parallels or a similar product so you can manage the unit?
|
# ¿ Jul 29, 2013 21:28 |
|
Crackbone posted:Interesting. I would assume for the purposes of the ccna that you'd ignore that though - the only place study materials talk about ip default gateway on a switch is for remote management purposes. It's been forever but doesn't the CCNA focus on layer 2 switching?
|
# ¿ Jul 29, 2013 22:17 |
|
Huh, I'm trying to bring up a GRE tunnel on a 6500 that once had a VPN module, now removed, and getting ISAKMP errors. All the old config for the VPN module was removed before pulling it. This switch was doing software engine before the VPN module was used. I... I am at a total loss. code:
Stopped and started ISAKMP. Changed IOS versions, even though the original one was using the software engine prior to the VPN module usage. Currently running 'Cisco IOS Software, s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(33)SXI1, RELEASE SOFTWARE (fc3)' for IOS. Doing a show run | inc crypto brings back no surprises, with an | inc slot coming back null (VPN module configs). I really want to avoid booting a default config, what am I missing here? I hope it's something stupid, thanks.
|
# ¿ Aug 1, 2013 00:31 |
|
jwh posted:Multicast is weird. One frame, going to a group mac address. Showing it to folks in the 90's was like magic... they were in disbelief until they saw it actually work. Ghost always had that support so it could get off the same image to multiple targets without killing the source, so when blasting out a 24 PC classroom for cert classes, using a pentium 90 machine with a 100mb adapter, you would only see the single conversation. It's still weird.
|
# ¿ Aug 10, 2013 00:49 |
|
QPZIL posted:Man, now that I have a cursory understanding of IPv6 from studying for the 640-816 exam, I want to be some sort of "IPv6 is the way of the future!" evangelist. Should have capped it at a 64 bit address space, max. 48 is even better. There's a reason or two it's been sitting for what 10 years? I know we need all the IP4 bolt-ons to be integrated but gently caress, say 2 to the 128'th in english. Overkill in my opinion.
|
# ¿ Aug 19, 2013 15:34 |
|
Here is the answer to the problem: compute the exponential expression: 2 to the 64th. 2 to the 64th = 18446744073709551616, that is to say 18,446,744,073,709,551,616 is read in English as: "eighteen quintillion, four hundred forty-six quadrillion, seven hundred forty-four trillion, seventy-four billion, seven hundred nine million, five hundred fifty-one thousand, six hundred sixteen." e: Oh yah, and a loopback address that doesn't consume an entire 'class A' net. Herv fucked around with this message at 16:22 on Aug 19, 2013 |
# ¿ Aug 19, 2013 16:13 |
|
Yep, even if we have 6 octets in an 'IP v7 address' the first 5 would stay rather static, with a padded out mask. 10.10.10.10.10.200 (Host) 255.255.255.255.255.0 (Mask) 10.10.10.10.10.254 (GW) That gives us a measly 281 Trillion addresses (2 to the 48th) to squeeze by with until we develop whatever the gently caress we use in 50 years. Still standing by my 48 bit proposal. I read DNS and Bind in the 90's but still... gently caress 128 bits in its ear for a technical solution. I want IPv7 with a 48 bit address field.
|
# ¿ Aug 19, 2013 16:54 |
|
wolrah posted:
Believe it or not, we used to not NAT. I was using a 10 net for the ubiquity. What's probably clouding my judgement is that I have been at this for about 20 years, so I was a first hand witness to the bitness getting over allocated. I wouldn't call myself a Network Engineer these days. I'm just an old fart IT Director that used to be a Network Engineer. The first time I was asked to do NAT was in '96 or so, on a 'PIX Classic' that was already in production. It was firewalling (ok, ok, packet filtering) but not NAT'ing. There were publicly routable addresses to the desktops, and this was for a MS Gold Partner. It was the same at Bell Labs in the 90's too (6500 folks, one huge facility, PC and a SPARC on each desktop... where I cut my teeth thank god), routable addresses, but not NAT'd. It seems like everything has been crafted around address exhaustion since the late 90's and for good reason. OK, all bitness aside, how efficient do you see the skeleton to usable IP addresses play out? 50 percent loss to the network addressing vs host addresses? Take my 48 and 64 bit fields and split them up however inefficient you want to get, that's still some BIG math waiting for us to fill up. Keep routable addressing, but lose the NAT. 140 Trillion for 48, 14 Quintillion for 64 bits. Every house gets a fuggin Class A net (I know classes are deprecated looong ago) Having said that, the issue of all the bolt-ons have to be addressed (poo poo) but once again, RFC1918 was based on exhaustion no? e: Added the cut in half metrics for 48 and 64 bits. Herv fucked around with this message at 23:16 on Aug 19, 2013 |
# ¿ Aug 19, 2013 22:52 |
|
BurgerQuest posted:We run a tunnel from an IOS router to an HA pair of ASA's in another country to NAT radius from two RADIUS clients to a server behind the ASA. This works great for a few weeks till it doesn't. 5 hours of troubleshooting later with no configuration changes on each end and multiple rebuilds of the tunnel, we Failover the ASAs and it starts working. We fail the back. Still working. What the gently caress. Just for s&g are the phase1 and 2 lifetimes matching? Does one side try to re-key after a certain data threshold?
|
# ¿ Aug 23, 2013 17:33 |
|
Herv posted:Just for s&g are the phase1 and 2 lifetimes matching?
IOS Default P2 lifetime: 3600 secs (1 Hour), 4,608,000 kilobytes
ASA Default P2 lifetime: 28,800 seconds (8 Hours), 4,608,000 kilobytes
|
# ¿ Aug 23, 2013 20:00 |
|
BurgerQuest posted:Yep, the ASA has the default and the router is set for 28800. After clearing the SAs the tunnel looked fine and in fact was encapsulating the data from the IOS side fine, but only data matching UDP 1812 appeared to get encapped on the ASA in return. The ASA wasn't encapsulating return data on 1813 or ICMP in return. So the client requests would hit the RADIUS server behind the ASA ok, the server would respond appropriately, but only some bits were encapsulated for the tunnel by the ASA. And to make it weirder, this only affected one client and not the other. At least I got to generate some pcap files out of the IOS router, which I haven't done much of before. Hrm, ok cool, since you are matching lifetimes, I'm assuming the nat exclusions are tight...but I am curious if/when it happens again, if the return traffic is somehow getting banished to the xlate table and never making it to the tunnel. Maybe just a bug in the ASA build? That sounds like a frustrating one to peg down. Good luck, hope you find the problem. e: Sorry for asking this here, but is there a 'SQL short questions thread'? I scanned the first few pages here but don't see anything. I am having weird issues with TDE encrypted databases and log shipping, the monitor isn't updating properly post encryption, and every secondary has the certificates, is restoring properly, but the logship monitor is deaf and dumb to some of the metrics. Herv fucked around with this message at 00:57 on Aug 24, 2013 |
# ¿ Aug 24, 2013 00:41 |
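The two questions raised in the lifetime exchange above (do the phase 2 lifetimes match, and does one side rekey on a data threshold first) can be checked mechanically. The following is an added example, my code rather than anything from the posters or from Cisco; it takes the IOS and ASA defaults quoted in the thread, reports where they differ, and works out which of the two limits (time or volume) a tunnel would hit first at a given sustained throughput. Assumptions, labelled in the code: the peers settle on the smaller of the two proposed values, a kilobyte is 1000 bytes and kbps is 1000 bit/s, and the 28800-second router setting mentioned later is modelled as a third profile.

```python
"""Compare IPsec phase 2 lifetimes and find which limit triggers a rekey first."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Phase2Lifetime:
    seconds: int     # time-based lifetime
    kilobytes: int   # volume-based lifetime

# Defaults as quoted in the thread.
IOS_DEFAULT = Phase2Lifetime(seconds=3600, kilobytes=4_608_000)
ASA_DEFAULT = Phase2Lifetime(seconds=28_800, kilobytes=4_608_000)
# The router as later described (set to 28800 seconds); volume left at default.
IOS_TUNED = Phase2Lifetime(seconds=28_800, kilobytes=4_608_000)

def mismatches(a: Phase2Lifetime, b: Phase2Lifetime) -> list:
    """Human-readable list of lifetime fields that differ between two peers."""
    out = []
    if a.seconds != b.seconds:
        out.append(f"time lifetime differs: {a.seconds}s vs {b.seconds}s")
    if a.kilobytes != b.kilobytes:
        out.append(f"volume lifetime differs: {a.kilobytes}KB vs {b.kilobytes}KB")
    return out

def negotiated(a: Phase2Lifetime, b: Phase2Lifetime) -> Phase2Lifetime:
    """Assumption: both peers accept the smaller proposed value for each field."""
    return Phase2Lifetime(min(a.seconds, b.seconds), min(a.kilobytes, b.kilobytes))

def seconds_until_volume_rekey(lt: Phase2Lifetime, throughput_kbps: float) -> float:
    """Seconds of sustained traffic before the KB counter expires the SA.
    Assumption: 1 KB = 1000 bytes = 8000 bits, 1 kbps = 1000 bit/s."""
    return lt.kilobytes * 8 / throughput_kbps

def first_rekey_trigger(lt: Phase2Lifetime, throughput_kbps: float) -> tuple:
    """('volume', secs) if the byte count runs out before the timer, else ('time', secs)."""
    vol = seconds_until_volume_rekey(lt, throughput_kbps)
    return ("volume", vol) if vol < lt.seconds else ("time", float(lt.seconds))

if __name__ == "__main__":
    print("IOS default vs ASA default:", mismatches(IOS_DEFAULT, ASA_DEFAULT))
    print("negotiated:", negotiated(IOS_DEFAULT, ASA_DEFAULT))
    print("router tuned vs ASA default:", mismatches(IOS_TUNED, ASA_DEFAULT) or "match")
    for kbps in (1_000, 10_000, 20_000):
        print(f"at {kbps} kbps the SA rekeys on", first_rekey_trigger(negotiated(IOS_TUNED, ASA_DEFAULT), kbps))
```

With the 4,608,000 KB default, anything over about 10 Mbit/s sustained exhausts the volume lifetime inside an hour, so on a busy tunnel the byte counter, not the 8-hour timer, decides when the SA rolls over; that is worth knowing when a tunnel "works for weeks and then doesn't", because the rekey cadence will not line up with wall-clock time.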
|
OK I don't give up easy. You say the radius servers behind the ASA need to talk to the clients through multiple channels due to (A reason I also don't know about). Can't you just add secondary IPs so you can point what traffic you want to client 1 and 2 on either the primary or secondary IP instead of the NAT tricks? I have a hard time picturing the exact details without a map. I can't tell if this is an old school transient ipsec tunnel, I try to avoid straight tunnels and do dmvpn wherever I can. (Don't think this is an option on PIX/ASA). Another question, are the encrypted radius calls not secure enough on their own? I know, could be policy... lots of moving parts. Anyhow, I love a good/weird problem here and there.
|
# ¿ Aug 24, 2013 03:04 |
|
I would have figured pruning would have done the trick but not sure if that is supported on those switches. At any rate static arp entries > arp spoofing. e: Oops can't tell difference between IP and ARP spoofing. Nevermind me. Herv fucked around with this message at 20:48 on Aug 27, 2013 |
# ¿ Aug 27, 2013 20:45 |
|
QPZIL posted:Yep. And actually I just set up a spare 3550 with the same configuration as the 2950, and the same issue occurs. I think it's an issue with the 3750 not wanting to change from "static access" to "trunk". Sorry if I missed it, but did you set the ports back to access mode, set them for vlan 1, then turn them back to trunks? No clue why one is white knuckling vlan 5, but that's what usually fixed native vlan mismatches for me. Lotta work for the untagged frames there.
|
# ¿ Aug 31, 2013 05:45 |
|
|
I have a question about the Authentication Proxy feature. It's old and I was wondering if there was a newer system. The auth challenge is not working in Chrome with default settings, IE/Safari and the like do work with it still. Has there been a replacement to this feature? I have a new partner/tunnel set. The data they are accessing is classified/sensitive exam content (e.g. exams you have heard of) The remote partner has a /16, and two /24s on their end of the tunnel, with a /24 on my end. I like to use auth-proxy since I can create granular radius policies that can have specific users receive ACL entries based on their identity after a successful auth with their AD account on my end. When a partner user auths, the radius server provides their ACL entries and they are applied to the ACL on the next hop interface once through the firewall. Then they have 8 hours till they have to re-auth. The auth-proxy is running on the vlan interface behind the firewall. That way, while the tunnel is open to all their LANs they still have to auth to get through the deny all ACL (with their entries placed at the top to bypass it), and I have a record of who/what came through the tunnel for accounting purposes. Anyone have a more recent suggestion? If not I have to make a custom HTML page that doesn't use whatever Chrome is blocking. Thanks Herv fucked around with this message at 04:54 on Sep 21, 2013 |
# ¿ Sep 21, 2013 04:41 |