inignot posted: I don't think LACP is going to work in scenario 2 or 3. Active/Active load balanced connections need to terminate to the same switch (or switch stack). See if your NICs or OS support some kind of active/standby failover option based on link status or ping polling. Alternatively you could run your Active/Active at layer 3 instead of layer 2, by running a routing protocol on the server (like OSPF using Quagga), and let CEF/OSPF ECMP do your load balancing at layer 3.

Oct 2, 2007 02:25

May 15, 2024 06:08
ChimpyMonkey posted: Dear Cisco, I've used it to find (and even monitor!) bug IDs that TAC claim are affecting us, but trying to find anything yourself is usually a losing proposition unless it's sev1/sev2.

Oct 3, 2007 00:08
dwarftosser posted: Well that depends, what they mean is when your first connection goes down you need some way to notify the outside world that they need to take a different route to get into your network. To do this seamlessly, you need to have your own ASN and have BGP properly configured. Or a global load balancing appliance sitting out in a datacenter somewhere, but that's just swapping 1 SPoF for another.

Oct 23, 2007 05:51
jwh posted: Or, alternatively, make your native VLAN a dedicated management VLAN. Things get weird when you've got two production VLANs, one of which happens to also be the trunk native, versus the other, tagged VLAN. Better off leaving your native as a go-nowhere VLAN (on 12.1+ switch IOS code I think you can even prune the native off of trunks by not including it in "switchport trunk allowed vlans"). Native as management isn't a good practice since you can plug stuff you didn't mean to into your management network by accident, rather than having to make a conscious decision to put something in there.

Nov 3, 2007 00:40
mezoth posted: A side note: did you know the CRS 8x10G cards are oversubscribed? Only 40G backplane per linecard! I wonder if that's something they can upgrade with new fabric modules in the field; it would suck if IEEE decides to standardize on 100GbE instead of 40GbE and everyone who bought into CRS had to forklift to get non-oversubscribed interfaces. The 6500/7600 8x 10GbE cards are also 2:1 oversubscribed (Cisco seems to like their 40G/slot fabrics).

Nov 6, 2007 13:44
jwh posted: Everything old is new again: I see your 4500-E, and raise you a Catalyst Virtual Switching System (VSS) 1440: http://cisco.com/en/US/products/ps9336/index.html

inignot posted: That can be a misleading metric though, the whole point of the distributed switching cards is that intra-slot switching doesn't have to touch the backplane.

Nov 6, 2007 21:24
XakEp posted: The procedure on a 3500 series is to hold down the mode button while the box is off, power it up and release the button when the port 1 LED turns off. I've done that, but still nothing on my terminal. If you're using an actual Cisco RJ45 adapter, you need to use a rollover cable between the adapter and the switch. Do you have a molded cable, or can you make a rollover?

Dec 3, 2007 05:50
XakEp posted: vvvv My understanding is the default route will be used after all other routes in the routing table don't match vvvv

Confirming this, the routing table (assuming static and no ECMP/UCMP dynamic routing is going on) routes based on:
1) Longest match.
2) Lowest metric/cost.
So the most specific entry will take the traffic.

Dec 3, 2007 17:19
Wicaeed posted: I'm looking for a way to throttle my BitTorrent traffic not from my own computer, but over the network. And not really throttle it, but prioritize web traffic, in fact most other traffic over BitTorrent traffic, so I can browse the internet, play games, etc. while dynamically throttling the traffic? I know I can go and buy a router that supports QoS, but are there any OS based solutions that I can implement between my router and DSL modem? Something that would act like a network firewall, and as a device that supports QoS?

Wicaeed posted: What I'd like to do is plug the PIX into my network (assuming it works this way) like this:

Wicaeed posted: One other question: Does the PIX support uPnP?

The one thing that'll suck on a 501 is that you're stuck on 6.0 code, PDM sucks compared to ASDM imo.

Dec 5, 2007 13:55
InferiorWang posted: Would you guys talk to me a little bit about how you handle routing? What's your organization size, number of subnets, type of routing? Do you use static or dynamic? I'd like to read a bit about some real world applications.

Medium-sized ISP/NSP/colo. Subnets: $ grep - route | grep -vi unused | wc -l gives 921 (roughly, all allocated all over the place too). We make heavy use of dynamic routing protocols (OSPF containing customer routed subnets and loopback addresses, redist'd from statics on the actual layer 3 device the customer connects to (we redist static/connected into OSPF)); BGP just contains our aggregates, and prefixes learned from other BGP speakers (customers/peers/upstreams). Ideally we should be doing more aggregation/hierarchy in our IGP (allocate a /22 or something to a customer agg router, and slice it up for bridges/customer prefixes) but that makes it harder renumbering/moving customers from router to router if we need to, so we haven't done any real aggregation of that kind except for remote POPs (null route a /24 on the 'edge'/'core' router of the remote POP, let that advertise back to the main network, then advertise more specifics inside the POP for customers/bridges).

Dec 7, 2007 06:26
brent78 posted: I want to VPN in to an ASA 5510. I'm confused by the webvpn, ssl vpn, easyvpn options. Can someone post a simple IPsec config for use with the Cisco client, or even PPTP if it's supported. I want to authenticate local users only.

Do you have ASDM installed on the device? If so, go to VPN in ASDM, click "VPN Wizard". It's probably the easiest and quickest way to configure VPN on an ASA/PIX.

Dec 7, 2007 15:49
brent78 posted: I used the wizard to create an L2TP VPN. When I try to connect from my Windows XP client I get "Error 789: The L2TP connection attempt failed because the security layer encountered a process error during initial negotiations with the remote computer".

Never tried to use L2TP/IPsec with the Windows native client, I've always had to use the Cisco VPN client.

Dec 7, 2007 18:44
CrazyLittle posted: motherf- yep that was it. Thanks! 12.4(15)T

Have you tried 12.4.15T1? It's under ED code on the upgrade planner. T is the 'experimental' train I believe, for features to be included in mainline 12.5; the HWIC-1FE stuff might not be in mainline 12.4 yet.

Dec 11, 2007 01:34
Spazz posted: Stupid question: What does the XM mean on the tail of router models? i.e. 2620 vs 2620XM.

I don't know that it stands for anything, but the XM routers came out after the 2600 series, replacing them for the most part. The major difference is a new proc / support for more memory/flash/WICs.

Jan 7, 2008 03:22
para posted: Also telnet and ssh don't seem to let me redirect std input into them so I can't send a bunch of prewritten commands to the router. If I want to run a bunch of prewritten commands on a router and perhaps capture the output (equivalent to '# cat input.txt | ssh admin@router > output.txt' if ssh would let me do that) what would be the choice method of doing it?

You probably want to look into a tool called RANCID (from Shrubbery Networks), in particular, the 'clogin' command distributed with it: http://www.shrubbery.net/rancid/man/clogin.1.html

Jan 8, 2008 01:30
Ninja Rope posted: Putting two DHCP servers on the same broadcast domain won't work. inignot's solution will.

Actually... you could configure your DHCP servers with manual/sticky leases, or if you were using something like isc-dhcpd you could tell it to filter based on the MAC address, so only 1 server would answer for a particular subset of MACs, and the other server would be configured to not answer for that subset. But that'd require a fair bit of configuration, and not all DHCP servers support that level of tweaking, so best practice would be putting it on a separate voice VLAN.

Jan 9, 2008 16:36
InferiorWang posted: I might be mistaken, but you don't need the contract for a CCO login. However, it's really just a guest login and you need the various support contracts to unlock parts of the site.

pfSense will do VLANs, and VPN (PPTP, IPsec, and OpenVPN). Probably the biggest advantage with going to a commercial firewall is that you can pay for support, so if the one guy that knows how to deal with the firewalls is on holidays and unreachable you can actually make an attempt at getting them fixed without needing to track him down.

CrazyLittle posted: This is more valuable than you would even guess until you actually need it. There's hundreds of Cisco techs around who are a phone call away 24/7. The same can't be said for pfSense and m0n0wall.

ragzilla fucked around with this message at 04:57 on Jan 12, 2008

Jan 12, 2008 04:21
H110Hawk posted: Primarily I need it to output debugging messages onto a virtual terminal session, or into `show log`.

If you've already turned on the debugs, you should be able to use the command 'term mon' to have it drop debug prints to your vty. Usually when troubleshooting NTP I try to go to the other end and just sniff there and see what's going on.

Jan 23, 2008 06:16
One big catch on the 3560G/3750 platforms is that you're only supposed to set up 8 (or is it 12?) SVIs or routed ports; while they will run with more than the recommended number, it's not supported by TAC.

Jan 24, 2008 01:14
jwh posted: Really? That sounds bad.

Yeah, the 4948 (internally based off a 4500 I believe) will do (supported) layer 3 on every single port, up to 2048 SVIs or something crazy. But it'll cost you. From the docs, on the 3550/3560/3750 there's no "hard" limit, but sdm tells you not to go over 8 SVIs.

Jan 24, 2008 02:38
ionn posted: If the limit somehow really is "8 SVIs at full speed and everything else with reduced performance", it would be no problem at all. Can anyone find any hard facts about this recommendation?

The 8 SVIs is really a recommendation on Cisco's part. The true limit is the TCAM size; so long as you can stay within the TCAM limits it will do full wire speed on as many SVIs as you want. But once you run out of TCAM space you'll be hurting due to traffic getting punted.

Jan 24, 2008 13:50
jwh posted: There are newer 'XL' PFCs that support up to 512k prefixes, tunable to 1024k. I don't know much about them.

They're exactly the same as the non-XL PFCs (and DFCs), the only difference is prefix count. Pretty much everyone running full internet tables should be on XLs now, unless they're planning on filtering prefixes...

Jan 24, 2008 22:46
H110Hawk posted: So why do you have fewer entries using more RAM?

3BXLs have the same prefix table size as the 3CXL; all the 3CXL has (which requires the RSP720 anyway) is a bigger Ethernet TCAM, since it's aimed at the carrier Ethernet aggregation market. You're fine with the 3BXLs. Also, I think our mem usage is a bit higher because someone probably turned on soft reconfig. How many (full table) sessions do you have on that box?

ragzilla fucked around with this message at 02:56 on Jan 25, 2008

Jan 25, 2008 02:51
Recluse posted: I too would be interested in this, or something similar. We currently are using two 7120s and were attacked 3 times in the past week with tens of thousands of UDP packets per second to our internal NAT server from three different probably spoofed IP addresses. We're looking for something that could hopefully limit the pps per IP address; or, if someone has any other ideas about preventing/stopping a DoS attack I'd really like to hear it.

Preventing/stopping a DoS attack on the customer side of a circuit is going to be difficult as chances are your pipe out to the world is the smallest link, so the attacker can just saturate that and it doesn't matter what kind of rate limiting or filtering you have on your side of the connection. The best solution to this (if you're talking BGP w/ your provider) is to use BGP remote triggered blackholing, where you can send a /32 prefix up to your provider over your BGP session with them, with a community tag that tells your provider to null route / blackhole the traffic before sending it to you. You can only do this for your own IPs though, so you lose whatever apps are running on the IP you blackhole, but it saves you the bandwidth to your provider so everything else keeps running.

Jan 28, 2008 16:37
jwh posted: I'm also willing to bet that NX-OS will never see feature-parity to IOS.

The way they're talking about NX-OS, it sounds a LOT like what they're claiming/pushing with regards to IOS-XR...

quote: Virtual Device Contexts (VDCs) to maximize software and hardware resource utilization while providing strong security and software fault isolation

quote: Comprehensive XML API for total platform control

I'm guessing the next version will be the multi-chassis Nexus system like the CRS-1 multi-chassis, where you throw some fabric shelves in your switching room, then drop Nexus line card shelves out near your servers, and run a bunch of fiber between the LC shelf and your central point, giving you FC/Ethernet/whatever you want all in 1 giant fabric.

H110Hawk posted: If those are what I believe them to be, there are two of them in our datacenter already. DirecTV has a pair of them. They came in HUGE crates. They're pretty awesome looking, and they seem to be consolidating a lot of bandwidth onto them. Near as I can tell they're turning 5 racks of metro fiber gear into a pair of those.

If DirecTV already has some, they're probably not Nexus since I don't think it's shipping yet; the other Cisco full rack routers would be the CRS-1 single chassis, and I think there's also a GSR (XR) that takes up a full bay.

ragzilla fucked around with this message at 02:04 on Jan 29, 2008

Jan 29, 2008 02:02
MrZodiac posted: I keep tabs on NANOG when work gets slow and I heard from there and other places that the replacement cable for the Sicily-Egypt line that recently went down is going to be pushing 10Tbit/s. What the hell terminates that kind of line? Is it a cage full of 6513s? Even with the 720 sup you're looking at at least 15 units, and that's with all of them running at near capacity.

The capacity is usually listed as TDM/SONET capacity, not all of that gets used for internet. You land it into DWDM equipment initially, which then splits the 'white' light on the undersea cable off into the different lambdas/colors that make it up. Then depending on what kind of DWDM gear you use and what channel separation it provides, you can do either 10G or 40G over each lambda. I think Alcatel/Lucent has a box that does 128 lambdas @ 40G each for a total of 5.12Tb/s.

Feb 1, 2008 03:06
Have you tried running packet tracer to see what rule (or lack thereof) it points to as the problem? You're going to need a NAT rule, _and_ an incoming access rule on the Outside interface.

Feb 7, 2008 03:53
inignot posted: 1. Since their black magic routes differ from native BGP they are by definition creating asymmetric routing.

Granted, this may or may not happen on the internet anyway.

inignot posted: Multihoming with Internap and another ISP would be an adventure as well.

You would have to prepend the AS path with the non-Internap ISP since the Internap connection has their clown AS between you and the ISPs they are connected to.

Feb 27, 2008 02:02
CrazyLittle posted: Have any of you guys used a Cisco multi-service router (like a 2800 series) to deliver a PRI to a PBX system?

Not quite an ISR/MSR, but we use 2431s for this purpose.

Mar 5, 2008 00:40
H110Hawk posted: The TAC can be frustrating at times. We were trying to figure out why one of our etherchannel ports was getting 2x the bandwidth of the others, regardless of the balancing algorithm we picked. Lots of back and forth, disruptive troubleshooting, etc.

What are you up to, 8 GbE ports? Wouldn't it be cheaper at that point (assuming you're using 6724s) to get some 6704s in and do 1x10GbE instead of 8x1GbE etherchannel? Or could you just do OSPF ECMP over a pair of 2-3x1GbE etherchannels and load balance at layer 3?

Mar 26, 2008 17:52
H110Hawk posted: We're using 6748's hooked up to 4948's. Most of this is L2 traffic going from web servers to their NAS boxes. I could swap out the 4948 for a 4948-10GE and burn the last 10gig port on my 6708-10GE-3CXL, plus a few grand in X2 modules, but 8x1gig copper seems cheaper to me.

If you don't need full tables, you could save some cash and do a 4500 (or if you really like the 6500, a Sup32), throw the 10GbE links on the sup (assuming you run a single sup if it's a manned facility; if the sup fails the node is down anyway) and load it up with 6548s (or the 4500 equiv). Then you could save some cash on the line cards since you won't get anything out of the fabric enabled cards; just have to make sure your total switching capacity (port-to-port and port-to-uplink) is under 32Gbps.

Mar 26, 2008 21:06
CrazyLittle posted: Stupid question:

I wouldn't recommend it, is the equipment on both sides 'trusted'? You could run something like EIGRP between the nodes and do unequal-cost multipath and let CEF load balance for you.

Apr 9, 2008 00:56
XakEp posted: Not likely. I can plug them into my Linksys broadband router (not being used on my network so don't give me poo poo) and the problem goes away. In fact, I can plug into any other switch and it works. PVLANs aren't setup by default are they?

Not unless it's stored in the vlan database. If you don't mind fully resetting the switch, try the following commands while enabled:

Apr 14, 2008 13:49
InferiorWang posted: What does everyone here use to keep track of your configs? CVS? Does Cisco have any tools to make archiving configs more streamlined than cutting and pasting?

You want (assuming you're looking for something free) RANCID. RANCID RANCID RANCID. http://www.shrubbery.net/rancid/ Which will back up most of your devices' configs (as well as other info like "show ver" and hardware info) into CVS/SVN (although SVN is a bunch of work to set up). Otherwise Cisco has their own solution in CiscoWorks (Resource Manager) I believe. And Solarwinds also does config backups via their Cirrus product.

Apr 29, 2008 14:54
InferiorWang posted: Well then, I guess you all wouldn't mind if I brought this up then?

What you'll typically want to do for CVS (if I recall, it's been a while):
- create a local copy with your layout
- commit this to a repository in a shared location on your server
- delete/move your local copy
- check out your local copy
- check out another copy under your rancid user, and tell rancid to use that copy

Apr 29, 2008 18:25
bitprophet posted: I've got an old 2501 to which I do not have the security password, and it's running IOS 11.0 which seems to be pretty outdated. What are my options if I just want to dick around with it for learning's sake (haven't touched any advanced networking voodoo since uni, so I have a vague memory of how to use IOS but no specifics)?

The 2501 should support probably a 12.0 or 12.1 train code, but you'll probably have trouble getting your hands on it unless you have a CCO account to download it off cisco.com. That said you pretty much can't do anything without the enable password, so you'll probably want to use the enable secret recovery procedure to change the enable secret. Flashing a new IOS image to the router is typically done over TFTP (it can be done over a console cable but it's excruciatingly slow), so you'd need to connect it via Ethernet to a box running a TFTP server (such as atftpd on Linux, or tftpd32 on Windows).

May 7, 2008 12:20
jbusbysack posted: I've recently been tasked with investigating multicasting as a routable solution. There are 3 main sites and the idea is to route multicast traffic between all 3 sites (that are all interconnected) over point-to-point links.

It seems like the de facto mcast protocol (assuming you're running Cisco kit everywhere) is PIM sparse. Other than that the only option I'm aware of is DVMRP as Cisco doesn't support MOSPF/CBT. Or you can also carry mcast in MBGP. The netcraftsmen papers have pretty good basic coverage to get you up to speed with the various protocols and concepts: http://www.netcraftsmen.net/welcher/papers/multicast01.html

May 8, 2008 02:03
jbusbysack posted: I looked up the PIM sparse settings with declaring the match statement akin to a crypto map and setting the interfaces to flood the traffic out. Is there much more to it than that?

You need to designate 1 or more RPs in your network, and tell all your PIM edges what the RP addresses are (this can be handled automatically with PIMv2). Papers 3 & 4 cover sparse mode, and RP strategies respectively.

May 8, 2008 02:27
jbiel posted: Ours is pretty much the same. I usually get all ACL messages, but nothing about BGP exchanges other than neighbor up / down style stuff. Just aggravating at times.

Oh, nm, you are seeing neighbor up/down; what kind of BGP messages are you expecting to see in the logs? logging trap debugging & setting up the appropriate debug statements should send the debug to syslog, and if that's not working, you want to call TAC and see if they have a solution?

ragzilla fucked around with this message at 18:47 on May 15, 2008

May 15, 2008 18:44
jbiel posted: logging trap debug should catch EVERY message, from neighbor up / down to route exchanges etc. to my understanding. I shouldn't have to turn on "debug bgp all" as well. Not from what I gather, but I have been so fed up with it, I could be reading it wrong.

But it'll only work if the message is actually created, which I don't think it is unless the debug statement is turned on.

May 15, 2008 20:16