funk_mata
Nov 1, 2005

I'm hot for you and you're hot for me--ooka dooka dicka dee.
Clapping Larry
I did it. I finally finished reading all 300 pages of this thread over the course of 8 months (Jesus).

Does anyone have a handy "VPN for Dummies" guide they learned from or use as a reference? I got by at my last job for four years configuring site-to-site tunnels on Cisco ASAs via saved templates. While I pray that I never have to configure another one, I'd like to at least learn how a site-to-site tunnel authenticates, what kinds of key exchanges exist, what PFS is, what ISAKMP is, and how it all fits together really. According to Amazon reviews the actual "VPN for Dummies" book isn't very good.


funk_mata
Nov 1, 2005


inignot posted:

Cisco has so many different ways to implement a vpn that the technology is bottomless. I mean, look at this:

http://www.ciscopress.com/search/index.asp?query=vpn

less than three posted:

And even when you decide on a VPN type, then there's a million ways to do each one.

For example DMVPN: http://www.cisco.com/c/dam/en/us/products/collateral/security/dynamic-multipoint-vpn-dmvpn/DMVPN_Overview.pdf

Thanks. It sounds like debugging, troubleshooting, and studying a specific vendor's implementation (Cisco's IPSec VPN on a Cisco ASA for instance) may be the best way to start.

Partycat posted:

It looks like all the SIP traffic from the CUBE is process switched and punted from CEF. It's all working, but that stack instantly draining to 0 is sort of not good looking.

Interesting. Is it a 2921?

funk_mata
Nov 1, 2005


jwh posted:

If you want to just learn the fundamentals, you may want to spin up two linux VMs (or whatever) running openswan / strongswan, and screw around with that. It's miles away from the Cisco configuration, but you'll be able to look at the phase 1 and phase 2 parameters, and see how they work (or usually don't work).

Thanks. I'd heard of and forgotten about OpenSwan. If it provides clear logging/debugging of what's going on I'll give it a shot.

jwh posted:

3). Don't build your tunnels to rfc 1918 space, even though the other party is saying it's their only option, and that "other people do it," and that "we have to have this running today/tomorrow/this year". It'll end in heartache.

Seconded. My last gig ran into these issues and the resolutions were all miserable.

inignot posted:

RSA key pairs would have to be generated & shared for every VPN endpoint. Good luck doing that on something like DMVPN. Also you can encrypt the preshared key inside the router config so it's non readable.

Correct me if I'm wrong, but isn't the article SamDabbers linked to arguing that you only need to give the far-end your public key instead of generating a new pair for each endpoint?

funk_mata
Nov 1, 2005

I'm studying for CVOICE and one particular scenario regarding token buckets and excess burst (Be) has ground my studying to a halt until I can confirm my suspicions. Quick scenario:

* T1 circuit w/access rate of 1544000 bps.
* CIR is 56000 bps.
* A single-rate, dual-token bucket w/shape average configured.
* Tc = 10 ms
* Bc = 560 bps
* Be = 560 bps

Say the router allocates 560 tokens (bits) to the Bc during one time interval (Tc). However, due to massive congestion none of those tokens are sent on the wire, so they are all moved to Be. Let's say for the next thousand time intervals (10 seconds) that the router is constantly allocating 560 bits exactly each Tc to the Bc bucket. My question: Does this mean that there is a remote possibility the tokens in the Be bucket could never be sent given the router continues completely filling the Bc bucket every Tc?

When I originally considered this scenario my first thought was that the Be bucket contents would eventually be moved over to the Bc bucket so it would be emptied, but maybe this makes no sense for some reason that I'm not sure of. I do understand that Bc + Be can be sent together during one time interval given that Bc is not completely filled (is idle in other words) and it conforms to the average CIR.

EDIT: Corrected some fallacies in explanation and understanding of Bc/Be usage for shaping, I think.

funk_mata fucked around with this message at 21:15 on Oct 18, 2014
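The shaping scenario above, as an added simulation that is not part of the original post: a single-rate, dual-token-bucket shaper stepped one Tc at a time with the Tc/Bc/Be values listed. The refill rule it assumes is the usual description of Cisco class-based shaping: each Tc the Bc bucket is refilled, tokens left unused spill into the Be bucket (capped at Be), and a queued backlog is served from Bc first and then from Be within the same interval, so an idle interval followed by a thousand backlogged ones still averages out to the CIR.

```python
# Added example: single-rate, dual-token-bucket shaper, stepped one Tc at a time.
# Model assumed here (not stated in the post): each Tc the Bc bucket is refilled
# to Bc; whatever was left unused spills into the Be bucket, capped at Be; queued
# data is sent from Bc first, then from Be, within the same interval.

TC_MS = 10                  # time interval Tc in milliseconds
BC = 560                    # committed burst per Tc, in bits (56000 bps * 0.010 s)
BE = 560                    # excess burst cap, in bits
CIR = BC * 1000 // TC_MS    # 56000 bps, derived from Bc and Tc


def simulate(offered_per_interval):
    """Run the shaper over a list of bits offered to it in each Tc.

    Returns (bits_sent_per_interval, be_tokens_left, bits_still_queued).
    """
    bc_tokens = 0
    be_tokens = 0
    queue = 0
    sent = []
    for offered in offered_per_interval:
        # Refill: Bc tokens unused in the previous Tc overflow into Be (capped).
        be_tokens = min(BE, be_tokens + bc_tokens)
        bc_tokens = BC
        queue += offered
        # Serve the backlog from Bc first, then dip into whatever Be holds.
        from_bc = min(queue, bc_tokens)
        bc_tokens -= from_bc
        queue -= from_bc
        from_be = min(queue, be_tokens)
        be_tokens -= from_be
        queue -= from_be
        sent.append(from_bc + from_be)
    return sent, be_tokens, queue


def average_bps(sent):
    """Long-run rate actually put on the wire, in bits per second."""
    return sum(sent) * 1000 // (TC_MS * len(sent))


if __name__ == "__main__":
    # One idle Tc (nothing to send), then 1000 intervals with a deep backlog.
    sent, be_left, queued = simulate([0] + [10_000] * 1000)
    print("first three intervals:", sent[:3])   # [0, 1120, 560]
    print("Be tokens left:", be_left, "average bps:", average_bps(sent))
```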

funk_mata
Nov 1, 2005

Hopefully a simple question that Google isn't helping with.

On a Cisco Catalyst 3750 each interface has a 1p3q2t QoS egress capability. I understand the priority (p) and queue (q) pieces, but what I don't understand are thresholds. There are two configurable thresholds and a third fixed threshold set to 100%. What is the point of having two configurable thresholds? I can understand why you would have one configurable threshold where you could set it to 80% for a specific queue and traffic will start dropping at that level, but what's the point of having a second configurable threshold?

funk_mata
Nov 1, 2005


Thanks for the article. It pointed me in the right direction and I found a blog post that confirmed I was looking at thresholds incorrectly. My original thought process was: "A traffic class (DSCP) is both assigned to a queue and given three drop thresholds (two configurable and one set to 100%)." In reality the answer is: "A traffic class (DSCP) is assigned to a queue and is also assigned to one of the three drop thresholds given to that queue." Which makes more sense. Here's the article if you're interested: http://reggle.wordpress.com/2013/05/14/qos-part-v-hardware-queues-on-35603750-switch-platform/

funk_mata
Nov 1, 2005


Martytoof posted:

Anyone done a firmware load onto a 7962 phone using tftpd32?

Got the firmware loaded onto my tftp server, and the phone is requesting term62.default.loads (and tftpd serves it, according to the log), but then the phone just sits there doing nothing and eventually reboots. After that it requests term62.default.loads again. Screen is completely blank. Not really sure where to go from here.

Make sure that every file that's listed in the term62.default.loads file (if you didn't know, you can open it in Notepad to see said list) has been downloaded and is sitting in the same directory being served via tftpd32. That's usually all I've needed to do in the past.

funk_mata
Nov 1, 2005


greatapoc posted:

What is the best way to reserve bandwidth for traffic that absolutely must not be shaped/dropped/etc in any way? I'm transporting DTV ASI over IP which is very sensitive to jitter and I'm using a 13 E1 Multilink to do it. Total ASI bandwidth is 24.2Mbit and 13 E1s gives me 26624kbit. I'd like to have the rest of the bandwidth available for general traffic, monitoring of devices etc. I'm using MPLS TE tunnels to transport the DTV data.

At the moment what I've done is just apply a rate limit input/output on the subinterface for the miscellaneous traffic and I'm running jperf across the link. I'm thinking it's probably just jperf not allowing me to test it properly but the initial spike when running the jperf test knocks out the DTV traffic. In any event, I don't want that to be something that can ever occur, the DTV traffic needs to be retained at all costs.

Do you have an output service-policy set up on the multilink with priority assigned to the DTV traffic? Half-assed config below:

code:
! Extended ACL matching the DTV ASI stream; replace the placeholders with the real source host and destination.
access-list 100 permit udp host <dtv-host> <wherever>

class-map match-any DTV-TRAFFIC
 match access-group 100

! Child policy: strict priority for DTV, policed so a burst cannot starve class-default.
policy-map OUTPUT-POLICY
 class DTV-TRAFFIC
  police 24200000 conform-action transmit exceed-action drop
  priority

! Parent policy: shape the whole multilink below its line rate so the child queues actually engage.
policy-map MULTILINK-EGRESS
 class class-default
  shape average 24624000
   service-policy OUTPUT-POLICY

interface multilink1
 service-policy output MULTILINK-EGRESS

Outside of that, I'm not sure how you'd influence traffic in MPLS besides the MPLS EXP bits. But at the very least, that config should ensure 24.2Mb/s leaves the circuit without being dropped during congestion. Also, you probably don't need the "police" statement above and can replace it with the bandwidth command. Old habits die hard.

funk_mata
Nov 1, 2005


adorai posted:

I have a 60+ branch network. I am considering installing two internet services at each branch and cancelling my mpls and metro ethernet services. We use voip.

1) am i crazy?
2) if yes, how crazy?

Most of my branches have about 4-8 users and are all in one state. Every remote user accesses their applications via VDI, and have no local apps.

This is the cool thing to do nowadays. I think it's okay as long as VoIP is dedicated to one of the circuits and data to the other, the branches are okay with a "best effort" approach to VoIP quality troubleshooting, and you are okay with the nightmare of working with multiple ISPs for the various outages you experience. If you can't tell, the last point was the pain point when I was part of managing a similar environment.


funk_mata
Nov 1, 2005

I'm doing some network studying for the hell of it and I'm curious... Has there been widespread adoption of TRILL or SPB in enterprises? The last I heard of those two technologies was that vendors were charging an arm and a leg for the feature. I figured if that were the case then admins would throw up their hands and say RSTP is good enough, or maybe the "advent" of leaf-spine and L3 to the TOR made the technology obsolete.
