Boner Buffet
Feb 16, 2006

quote:

Routing responses....

Thanks fellas. Do you try to keep a 1:1 subnet to vlan ratio or does it just depend on the situation? I'm assuming you don't do vlan trunking to your remote sites?

jwh
Jun 12, 2002

XakEp posted:

Well, you won't be using EasyVPN for a remote access VPN; it's meant for site-to-site VPNs.

This isn't exactly true- EasyVPN is the umbrella for the IPSec VPN parts and pieces- both client and server componentry. You can connect from the IPSec client to any Easy VPN server (IOS, ASA, etc).

XakEp
Dec 20, 2002
Amor est vitae essentia

jwh posted:

This isn't exactly true- EasyVPN is the umbrella for the IPSec VPN parts and pieces- both client and server componentry. You can connect from the IPSec client to any Easy VPN server (IOS, ASA, etc).

As I understood it, it's meant for gateway-to-gateway type VPNs. Am I wrong? I've dinked with a few with my PIX 520s, but didn't think it was meant for an RA-style access model.

jwh
Jun 12, 2002

XakEp posted:

As I understood it, it's meant for gateway-to-gateway type VPNs. Am I wrong? I've dinked with a few with my PIX 520s, but didn't think it was meant for an RA-style access model.

It can do both, although for site-to-site VPN, something like DMVPN is probably more flexible. Check out: http://www.cisco.com/en/US/products/ps6635/products_qanda_item0900aecd805358e0.shtml

quote:

Q. What is Cisco® Easy VPN?
A. Cisco Easy VPN is an IP Security (IPsec) virtual private network (VPN) solution supported by Cisco routers and security appliances. It greatly simplifies VPN deployment for remote offices and mobile workers. Cisco Easy VPN is based on the Cisco Unity® Client Framework, which centralizes VPN management across all Cisco VPN devices, thus reducing the management complexity of VPN deployments. There are three components of the Cisco Easy VPN solution: Easy VPN Client, Easy VPN Remote, and Easy VPN Server.

XakEp
Dec 20, 2002
Amor est vitae essentia

Sweet, thanks! I love this thread - always something new to learn.

brent78
Jun 23, 2004

I killed your cat, you druggie bitch.

Girdle Wax posted:

Do you have ASDM installed on the device? If so, go to VPN in ASDM, click "VPN Wizard". It's probably the easiest and quickest way to configure VPN on an ASA/PIX.
I used the wizard to create an L2TP VPN. When I try to connect from my Windows XP client I get "Error 789: The L2TP connection attempt failed because the security layer encountered a process error during initial negotiations with the remote computer".

I don't believe it's a firewall issue on my client side because I can connect to other L2TP VPNs just fine.

XakEp
Dec 20, 2002
Amor est vitae essentia

brent78 posted:

I used the wizard to create an L2TP VPN. When I try to connect from my Windows XP client I get "Error 789: The L2TP connection attempt failed because the security layer encountered a process error during initial negotiations with the remote computer".

I don't believe it's a firewall issue on my client side because I can connect to other L2TP VPNs just fine.

I had a similar issue on my PIX 520; I had to enable the L2TP passthrough. Dunno about the ASA, but I'd imagine it's similar.

ragzilla
Sep 9, 2005
don't ask me, i only work here


brent78 posted:

I used the wizard to create an L2TP VPN. When I try to connect from my Windows XP client I get "Error 789: The L2TP connection attempt failed because the security layer encountered a process error during initial negotiations with the remote computer".

I don't believe it's a firewall issue on my client side because I can connect to other L2TP VPNs just fine.

Never tried to use L2TP/IPsec with the Windows native client; I've always had to use the Cisco VPN client.

inignot
Sep 1, 2003

WWBCD?

jwh posted:

This isn't exactly true- EasyVPN is the umbrella for the IPSec VPN parts and pieces- both client and server componentry. You can connect from the IPSec client to any Easy VPN server (IOS, ASA, etc).

Call me old school (or just dumb) if you want, but every EZ-VPN example code I've ever seen has looked like incoherent gibberish. I'll take crypto maps, or tunnel protect, or DMVPN over that EZ-VPN nonsense any day.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

inignot posted:

Call me old school (or just dumb) if you want, but every EZ-VPN example code I've ever seen has looked like incoherent gibberish. I'll take crypto maps, or tunnel protect, or DMVPN over that EZ-VPN nonsense any day.

Well I think it was named EZ-VPN due to the minimal config needed on the client side. I agree with you completely that it is a pain in the rear end. And yes DMVPN/tunnel protect/anything is less convoluted.

Filthy_McGreasy
Aug 14, 2004
Greasy!
I have a 2507, and a 2900 series switch...

switch:
IOS (tm) C2900XL Software (C2900XL-H2-M), Version 11.2(8.5)SA6, MAINTENANCE INTERIM SOFTWARE

2507:
IOS (tm) 2500 Software (C2500-I-L), Version 12.1(7), RELEASE SOFTWARE (fc1)

Is it possible to do inter-VLAN routing between the two? The 2507 has a 16 port hub in it, and one actual ethernet interface. I try applying an ip address to a virtual interface and I get this:

code:
rtr2507#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
rtr2507(config)#int e0.1
rtr2507(config-subif)#ip add 10.1.0.1 255.255.255.0

Configuring IP routing on a LAN subinterface is only allowed if that
subinterface is already configured as part of an IEEE 802.10, IEEE 802.1Q, or ISL vLAN.

rtr2507(config-subif)#
rtr2507(config-subif)#?
Interface configuration commands:
  arp            Set arp type (arpa, probe, snap) or timeout
  backup         Modify backup parameters
  bandwidth      Set bandwidth informational parameter
  bridge-group   Transparent bridging interface parameters
  carrier-delay  Specify delay for interface transitions
  cdp            CDP interface subcommands
  default        Set a command to its defaults
  delay          Specify interface throughput delay
  description    Interface specific description
  exit           Exit from interface configuration mode
  ip             Interface Internet Protocol config commands
  llc2           LLC2 Interface Subcommands
  mtu            Set the interface Maximum Transmission Unit (MTU)
  netbios        Use a defined NETBIOS access list or enable name-caching
  no             Negate a command or set its defaults
  ntp            Configure NTP
  rate-limit     Rate Limit
  shutdown       Shutdown the selected interface
  snapshot       Configure snapshot support on the interface
  standby        Hot standby interface subcommands
  timeout        Define timeout values for this interface
  traffic-shape  Enable Traffic Shaping on an Interface or Sub-Interface

rtr2507(config-subif)#

InferiorWang posted:

Would you guys talk to me a little bit about how you handle routing? What's your organization size, number of subnets, type of routing? Do you use static or dynamic? I'd like to read a bit about some real world applications.

Last I checked we had about 2,500 peers and 27,016,151 ip addresses. :clint:

Unfortunately, I am not involved in that high-level equipment, I just fix circuits and CPE issues (EZ VPN in IOS), so I can't explain too much about the complexity of our backbone. However, we have multiple NOCs dedicated to different levels of the network. We have a group that does nothing but BGP troubleshooting, a group that repairs DS3s, a group that handles firewall issues, a group that performs hardware maintenance, a group for field dispatching, etc... The company has been through quite a few mergers and is a complete mess. We have everything from MPLS VPN solutions to old X.25 nodes that are still in use (CompuServe?). Because of all of the mergers and layoffs we find ourselves getting trouble tickets for solutions that were put into place during the internet boom, and "the guy" that originally installed it has been gone for 4 years and we have no current documentation to use for troubleshooting. This often leads us to searching for some unknown group on the other side of the planet that will help us troubleshoot our AppleTalk tunneling over an X.25 network that performs load balancing via an unmanaged 3Com-based ISDN solution. :waycool:

XakEp
Dec 20, 2002
Amor est vitae essentia

I think (probably wrong) you might need a newer IOS on the router to do intravlan routing with a router on a stick config.

Edit - yup, I was wrong. Anything over 12.0 will work.

Try adding this before you apply an ip address

encapsulation dot1q (vlanid)

XakEp fucked around with this message at 23:14 on Dec 7, 2007

CrazyLittle
Sep 11, 2001

Clapping Larry

Filthy_McGreasy posted:

I have a 2507, and a 2900 series switch...

2507:
IOS (tm) 2500 Software (C2500-I-L), Version 12.1(7), RELEASE SOFTWARE (fc1)

Is it possible to do inter-VLAN routing between the two? The 2507 has a 16 port hub in it, and one actual ethernet interface. I try applying an ip address to a virtual interface and I get this:

According to this it won't work on a 25xx router:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t1/8021q.htm#wp3932

Here's an example of an interface in one of our routers:

quote:

interface FastEthernet0/0.1
encapsulation dot1Q 11
ip address 10.0.0.1 255.255.255.0

XakEp
Dec 20, 2002
Amor est vitae essentia

CrazyLittle posted:

According to this it won't work on a 25xx router:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t1/8021q.htm#wp3932

Here's an example of an interface in one of our routers:

I've seen it done on a 2501, but it didn't work very well. It is not supported on 25xx routers, but it will work, sorta. We had timeouts and other issues.

inignot
Sep 1, 2003

WWBCD?
I believe it only works on fast/gig ethernet interfaces. Ethernet (10Mbs) will not work.

Filthy_McGreasy
Aug 14, 2004
Greasy!

inignot posted:

I believe it only works on fast/gig ethernet interfaces. Ethernet (10Mbs) will not work.

Do you have any suggestions on how to prepare for the CCIE? What equipment is good to practice with? Did you just purchase a set amount of hours on practice equipment? Any online articles that are worth reading before I get started?

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Filthy_McGreasy posted:

Do you have any suggestions on how to prepare for the CCIE? What equipment is good to practice with? Did you just purchase a set amount of hours on practice equipment? Any online articles that are worth reading before I get started?

Which track?

brent78
Jun 23, 2004

I killed your cat, you druggie bitch.
Here is more info on error "789" when Windows XP tries to connect L2TP VPN to my ASA 5510. Says "Phase 2 Mismatch". I followed the sample on Cisco's site to the letter.

code:
Dec  9 10:23:36 Group = DefaultRAGroup, IP = 63.197.134.218, PHASE 1 COMPLETED
Dec  9 10:23:36 IP = 63.197.134.218, Keep-alives configured on but peer does not support keep-alives (type = None)
Dec  9 10:23:36 Group = DefaultRAGroup, IP = 63.197.134.218, QM FSM error (P2 struct &0xd6154930, mess id 0xfd5fc287)!
Dec  9 10:23:36 Group = DefaultRAGroup, IP = 63.197.134.218, Removing peer from correlator table failed, no match!
Dec  9 10:23:36 Group = DefaultRAGroup, Username = , IP = 63.197.134.218, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
Relevant config:

code:
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_MD5 ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
crypto isakmp ipsec-over-tcp port 10000 
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 4.2.2.3 4.2.2.4
 vpn-tunnel-protocol IPSec l2tp-ipsec 
tunnel-group DefaultRAGroup general-attributes
 address-pool vpnpool
 authorization-server-group LOCAL
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication chap

brent78 fucked around with this message at 19:45 on Dec 9, 2007
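
A checker, added here as an example and not code from the thread, that parses the transform-set lines from the config above and models which one IKE quick mode could settle on for an L2TP/IPsec client; the Windows proposal list it uses is an assumption marked in the code, and the one fact it leans on is that L2TP/IPsec runs ESP in transport mode while an ASA transform set is tunnel mode unless configured otherwise:

```python
"""Model of IKEv1 quick-mode (phase 2) proposal matching on an ASA responder.
Added example, not from the thread: it checks the transform sets posted above
against a transport-mode L2TP/IPsec proposal (the proposal list is assumed)."""
import re
from dataclasses import dataclass

# Subset of the transform-set / dynamic-map lines from the posted ASA config.
ASA_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_MD5 ESP-AES-128-SHA ESP-3DES-SHA ESP-3DES-MD5
"""
# Same config plus one line: L2TP/IPsec (RFC 3193) runs ESP in transport mode,
# while an ASA transform set is tunnel mode unless told otherwise.
FIXED_CONFIG = ASA_CONFIG + "crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport\n"

@dataclass
class TransformSet:
    name: str
    cipher: str
    auth: str
    mode: str = "tunnel"  # ASA default when no 'mode transport' line is present

@dataclass(frozen=True)
class Proposal:
    cipher: str
    auth: str
    mode: str

# ASSUMPTION: quick-mode offers of a Windows native L2TP/IPsec client. The exact
# list varies by Windows version; what matters is that each entry is transport mode.
WINDOWS_L2TP_PROPOSALS = [
    Proposal("esp-3des", "esp-sha-hmac", "transport"),
    Proposal("esp-3des", "esp-md5-hmac", "transport"),
    Proposal("esp-des", "esp-sha-hmac", "transport"),
    Proposal("esp-des", "esp-md5-hmac", "transport"),
]
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (esp-\S+) (esp-\S+-hmac)$")
MODE_RE = re.compile(r"^crypto ipsec transform-set (\S+) mode (tunnel|transport)$")
DYN_RE = re.compile(r"^crypto dynamic-map \S+ \d+ set transform-set (.+)$")

def parse_config(text):
    """Transform sets offered by the dynamic map, in configured order."""
    sets, order = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if m := TS_RE.match(line):
            sets[m[1]] = TransformSet(m[1], m[2], m[3])
        elif m := MODE_RE.match(line):
            sets[m[1]].mode = m[2]  # on ASA the mode line follows the definition
        elif m := DYN_RE.match(line):
            order = m[1].split()
    return [sets[name] for name in order if name in sets]

def match_phase2(offered, proposals):
    """Simplified responder: accept the first offered set whose cipher, integrity
    algorithm and mode all equal one initiator proposal. Returns (set or None,
    list of near misses that matched on algorithms but not on mode)."""
    near_misses = []
    for prop in proposals:
        for ts in offered:
            if (ts.cipher, ts.auth) != (prop.cipher, prop.auth):
                continue
            if ts.mode == prop.mode:
                return ts, near_misses
            near_misses.append(f"{ts.name}: {ts.cipher}/{ts.auth} matches but mode is "
                               f"{ts.mode}, client wants {prop.mode}")
    return None, near_misses

def diagnose(config_text, proposals=WINDOWS_L2TP_PROPOSALS):
    """Name of the transform set quick mode settles on (None = Phase 2 Mismatch)."""
    chosen, near_misses = match_phase2(parse_config(config_text), proposals)
    return (chosen.name if chosen else None), near_misses

if __name__ == "__main__":
    for label, cfg in (("posted config", ASA_CONFIG), ("with mode transport", FIXED_CONFIG)):
        name, why = diagnose(cfg)
        print(f"{label}: {'Phase 2 Mismatch' if name is None else 'selected ' + name}")
        for reason in why:
            print("   ", reason)
```

The near-miss list is what the ASA log above does not tell you: every algorithm pair the client offered does exist on the box, but all of them are tunnel-mode sets.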

Filthy_McGreasy
Aug 14, 2004
Greasy!

Tremblay posted:

Which track?

I am starting with routing/switching, but possibly exploring other options after I pass the test.

I would love to hear some advice from anyone on this, regardless of the path chosen.

inignot
Sep 1, 2003

WWBCD?

Filthy_McGreasy posted:

Do you have any suggestions on how to prepare for the CCIE? What equipment is good to practice with? Did you just purchase a set amount of hours on practice equipment? Any online articles that are worth reading before I get started?

For the record I am not a CCIE, but I've put in two R&S lab attempts. I believe I took my second lab concurrent with another goon, "The Router Ninja", that passed.

Here's the info from Cisco on the blueprint, equipment, and suggested reading:
http://www.cisco.com/web/learning/le3/ccie/rs/lab_exam_blueprint.html
http://www.cisco.com/web/learning/le3/ccie/rs/lab_equipment.html
http://www.cisco.com/web/learning/le3/ccie/rs/book_list.html

Go read the group study email list:
http://www.groupstudy.com/archives/ccielab/

Now pick a study vendor for practice labs / classes:
http://www.netmasterclass.net/
http://www.internetworkexpert.com/
http://www.ipexpert.com/
http://www.ccbootcamp.com/

Rent rack time from someone that offers your chosen vendor's practice topology:
http://www.gigavelocity.com/
http://ccie2be.com/ccie2be.html
http://www.cconlinelabs.com/

I hear a lot about the dynamips router emulator, but I've never messed with it.
http://www.ipflow.utc.fr/blog/

Study and lab for six to eight months, then try a Cisco assessor test (or a graded test from your vendor of choice):
http://www.cisco.com/web/learning/le3/ccie/preparation/index.html

Based on your results continue to study or book a lab date, repeat as needed.

jwh
Jun 12, 2002

brent78 posted:

Here is more info on error "789" when Windows XP tries to connect L2TP VPN to my ASA 5510. Says "Phase 2 Mismatch". I followed the sample on Cisco's site to the letter.

ISAKMP phase 2 quick mode is failing, but it's not clear why.

Can you debug isakmp, try the connection again, and post the results?

Filthy_McGreasy
Aug 14, 2004
Greasy!

inignot posted:

For the record I am not a CCIE, but I've put in two R&S lab attempts. I believe I took my second lab concurrent with another goon, "The Router Ninja", that passed.

Here's the info from Cisco on the blueprint, equipment, and suggested reading:
http://www.cisco.com/web/learning/le3/ccie/rs/lab_exam_blueprint.html
http://www.cisco.com/web/learning/le3/ccie/rs/lab_equipment.html
http://www.cisco.com/web/learning/le3/ccie/rs/book_list.html

Go read the group study email list:
http://www.groupstudy.com/archives/ccielab/

Now pick a study vendor for practice labs / classes:
http://www.netmasterclass.net/
http://www.internetworkexpert.com/
http://www.ipexpert.com/
http://www.ccbootcamp.com/

Rent rack time from someone that offers your chosen vendor's practice topology:
http://www.gigavelocity.com/
http://ccie2be.com/ccie2be.html
http://www.cconlinelabs.com/

I hear a lot about the dynamips router emulator, but I've never messed with it.
http://www.ipflow.utc.fr/blog/

Study and lab for six to eight months, then try a Cisco assessor test (or a graded test from your vendor of choice):
http://www.cisco.com/web/learning/le3/ccie/preparation/index.html

Based on your results continue to study or book a lab date, repeat as needed.

If someone were to poopsock the CCIE training, and assuming a 100% retention rate for the information, how much of a time investment would it be? You mention studying for 6-8 months, is that 2 hours a week, or 2 hours a day? Is the exam environment stressful? From your previous comments it sounds like there would be many people sitting around in a room taking the test at the same time. Do they try to minimize the distractions? How much experience did you have before you decided to start on this?

jwh
Jun 12, 2002

Filthy_McGreasy posted:

If someone were to poopsock the CCIE training, and assuming a 100% retention rate for the information, how much of a time investment would it be?

Do you have any of the other certifications? CCNA or CCNP?

inignot
Sep 1, 2003

WWBCD?

Filthy_McGreasy posted:

If someone were to poopsock the CCIE training, and assuming a 100% retention rate for the information, how much of a time investment would it be? You mention studying for 6-8 months, is that 2 hours a week, or 2 hours a day? Is the exam environment stressful? From your previous comments it sounds like there would be many people sitting around in a room taking the test at the same time. Do they try to minimize the distractions? How much experience did you have before you decided to start on this?

Only on SA would someone coin the term "poopsocking the CCIE training".

I started putting serious effort into attaining the CCIE about a year ago. I had 8 years of experience as a network engineer at that point. The material is ludicrously non real world, so studying beyond what's required for your day to day job duties is absolutely required.

I attempt to study at work when I can by reading and mocking up small scale scenarios with three 1700 series routers. Ideally I would get in one 8 hour rack session a week, though that rarely happens on a weekly basis. Drop the $250 or whatever the cost is for a Cisco assessor test; that will reality check you on what you need to learn.

The lab may contain candidates testing for any of the CCIE tracks. Someone may be sitting next to you or across from you. During my last attempt the guy in front of me was visibly freaking out for the entire eight hours. I also think the 7:30am start time for the RTP lab is straight up dickish.

Tremblay
Oct 8, 2002
More dog whistles than a Petco
code:
Dec  9 10:23:36 Group = DefaultRAGroup, IP = 63.197.134.218, QM FSM error (P2 struct &0xd6154930, mess id 0xfd5fc287)!
Make sure your crypto ACL on the ASA and the traffic you specified on the Windows host match.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Filthy_McGreasy posted:

I am starting with routing/switching, but possibly exploring other options after I pass the test.

I would love to hear some advice from anyone on this, regardless of the path chosen.

I passed the security CCIE this past September. Most of it was OJT although I did have a study rack of equipment. For study guides I used IP Expert and Netmetric-Solutions. For security I thought Netmetric was better. For VOIP I know the IP Expert is excellent. Not sure for R&S.

I completely agree with inignot. It seems like if there are two ways of accomplishing something, the most convoluted or asinine method is the "right" method. Best thing to do is remember it's just a test...

Tremblay fucked around with this message at 02:01 on Dec 10, 2007

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

What would cause computers to take forever to get a DHCP address?

Win2k3 is handing out the DHCP addresses.

Cisco 6513 switch set into VLANs. It is configured with the appropriate ip helper address.

It can take 30 to 45 seconds to pull an address. Not really a huge issue, but one model of computer's PXE ROM times out before it can pull an address. I use a boot CD on those.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Skip Dogg posted:

What would cause computers to take forever to get a DHCP address?

Win2k3 is handing out the DHCP addresses.

Cisco 6513 switch set into VLANs. It is configured with the appropriate ip helper address.

It can take 30 to 45 seconds to pull an address. Not really a huge issue, but one model of computer's PXE ROM times out before it can pull an address. I use a boot CD on those.

Take a packet capture from the host and the DHCP server end.

Ninja Rope
Oct 22, 2005

Wee.

Skip Dogg posted:

What would cause computers to take forever to get a DHCP address?

Win2k3 is handing out the DHCP addresses.

Cisco 6513 switch set into vlan's. It is configured with the appropriate ip helper address.

It can take 30 to 45 seconds to pull an address. Not really a huge issue, but one model of computers PXE rom times out before it can pull an address. I use a boot cd on those.

Is spanning tree enabled for that vlan/port/switch?

tortilla_chip
Jun 13, 2007

k-partite

Skip Dogg posted:

What would cause computers to take forever to get a DHCP address?

If it's a client port, enable portfast.

Filthy_McGreasy
Aug 14, 2004
Greasy!

jwh posted:

Do you have any of the other certifications? CCNA or CCNP?

Almost done with CCNP. While I haven't been poopsocking during my training time, I am going at about one test per month. Sounds like at this rate I will need to put in about one year of solid training before attempting the CCIE.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Ninja Rope posted:

Is spanning tree enabled for that vlan/port/switch?

Seems to be.

code:
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0017.0f5f.6c80
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

And then it lists all VLANs/ports under that.

tortilla_chip posted:

If it's a client port, enable portfast.

I'm not the network person, so here is the config for a random port:

code:
interface FastEthernet7/36
switchport
switchport access vlan 20
switchport mode access
no ip address

brent78
Jun 23, 2004

I killed your cat, you druggie bitch.

Tremblay posted:

code:
Dec  9 10:23:36 Group = DefaultRAGroup, IP = 63.197.134.218, QM FSM error (P2 struct &0xd6154930, mess id 0xfd5fc287)!
Make sure your crypto ACL on the ASA and the traffic you specified on the Windows host match.

I don't have any ACLs set up for the VPN connection... perhaps that's my problem, I'll go give it a look now.

mamboman
Jun 3, 2001

I miss you Bill..

Skip Dogg posted:

Seems to be.

code:
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0017.0f5f.6c80
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

And then it lists all VLANs/ports under that.

I'm not the network person, so here is the config for a random port:

code:
interface FastEthernet7/36
switchport
switchport access vlan 20
switchport mode access
no ip address

add a: spanning-tree portfast

to that.. problem solved

jwh
Jun 12, 2002

mamboman posted:

add a: spanning-tree portfast

to that.. problem solved

Although if you do portfast, you should also consider bpduguard.
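
An audit script, added as an example (not from the thread), that reads the spanning-tree summary and port config posted above, computes the 2 x Forward Delay wait a host sees on a non-portfast port, and flags access ports missing portfast and bpduguard; the second interface block is constructed to show a compliant port:

```python
"""Audit Catalyst access ports for portfast/bpduguard and estimate how long STP
keeps a newly linked host port from forwarding. Added example, not from the
thread; FastEthernet7/37 below is constructed to show a compliant port."""
import re

# 'show spanning-tree' summary lines as posted above.
STP_SUMMARY = """\
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0017.0f5f.6c80
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
"""

# FastEthernet7/36 is the port config from the post; FastEthernet7/37 is constructed.
RUNNING_CONFIG = """\
interface FastEthernet7/36
 switchport
 switchport access vlan 20
 switchport mode access
 no ip address
!
interface FastEthernet7/37
 switchport
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
"""

REQUIRED_ON_ACCESS_PORTS = ["spanning-tree portfast", "spanning-tree bpduguard enable"]


def edge_delay_seconds(stp_summary):
    """Seconds an 802.1D port spends in Listening + Learning before it forwards.
    Each state lasts Forward Delay, so with the default 15 s a freshly linked host
    waits 30 s before its DHCP DISCOVER can even leave the switch."""
    m = re.search(r"Forward Delay (\d+) sec", stp_summary)
    if not m:
        raise ValueError("no Forward Delay in spanning-tree output")
    return 2 * int(m[1])


def parse_interfaces(config):
    """Map interface name -> its config lines, whitespace stripped."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!":
            current = None
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def audit_access_ports(config):
    """For every access port, the spanning-tree commands it lacks. portfast skips
    Listening/Learning; bpduguard err-disables the port if a BPDU (i.e. a switch)
    ever appears on what should be a host-only port, so the two belong together."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" in lines:
            findings[name] = [cmd for cmd in REQUIRED_ON_ACCESS_PORTS if cmd not in lines]
    return findings


def remediation(config):
    """Config snippet adding the missing commands to each non-compliant port."""
    out = []
    for name, missing in audit_access_ports(config).items():
        if missing:
            out.append(f"interface {name}")
            out.extend(f" {cmd}" for cmd in missing)
    return "\n".join(out)


if __name__ == "__main__":
    print(f"host waits ~{edge_delay_seconds(STP_SUMMARY)} s for STP on a non-portfast port")
    print(audit_access_ports(RUNNING_CONFIG))
    print(remediation(RUNNING_CONFIG))
```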

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

jwh posted:

Although if you do portfast, you should also consider bpduguard.

From what I'm reading up, portfast shouldn't do too much harm, this thing just connects to 300+ workstations, but I'm sure it's desirable to avoid switch loops.

Can you change the time from 15 seconds to listen and 15 seconds to forward to maybe 10/10? That would give the PXE ROM enough time to grab an IP.

Failing that, I might be able to talk the network admin into portfast and bpduguard.

Thanks for the help guys.

ionn
Jan 23, 2004

Din morsa.
Grimey Drawer
What effect, if any, will GRE have on network performance (mainly in terms of latency)?
We have a 100Mbit link through a provider network (MPLS), and I need my routers at each end to talk OSPF. I'm thinking GRE, but I'm not sure what effect it will really have.
Latency now is really low (just a couple ms), but I don't want to start adding too much to that since we are running lots of voice traffic. That data is in fairly small packets (and properly QoS tagged), so those packets shouldn't be bothered by the possible fragmentation from GRE affecting MTU.

inignot
Sep 1, 2003

WWBCD?

ionn posted:

What effect, if any, will GRE have on network performance (mainly in terms of latency)?
We have a 100Mbit link through a provider network (MPLS), and I need my routers at each end to talk OSPF. I'm thinking GRE, but I'm not sure what effect it will really have.
Latency now is really low (just a couple ms), but I don't want to start adding too much to that since we are running lots of voice traffic. That data is in fairly small packets (and properly QoS tagged), so those packets shouldn't be bothered by the possible fragmentation from GRE affecting MTU.

You're correct that a GRE tunnel will carry OSPF multicast hellos; however, you may as well encrypt the tunnel also. As long as you have an appropriately powerful router & crypto accelerator the latency overhead shouldn't be that bad. I think crypto accelerators are coming standard with the 2800/3800 series now.

Throw an "ip tcp adjust-mss 1400" on the GRE interface to dial down the TCP max segment size; that will work around most of your fragmentation problems (tune size as appropriate).

There's example config for an IPSec/GRE tunnel in this thread (pay no attention to the crazy man advocating an SSL vpn for this purpose).
http://forums.somethingawful.com/showthread.php?threadid=2697661

If this is for a private WAN connecting a bunch of offices together, look into DMVPN. It can create dynamic inter-office tunnels.

http://www.cisco.com/en/US/products/ps6658/products_ios_protocol_option_home.html

ionn
Jan 23, 2004

Din morsa.
Grimey Drawer
What I have at the moment are a pair of 2801s; not sure how much they can take, though I can definitely try with encryption as well.

Wouldn't that router still have to fragment stuff, unless I were to lower the MTU of all hosts as well (or at least the couple of routers from which data can come, letting them fragment instead)?
What does "ip tcp adjust-mss 1400" do that "mtu 1400" doesn't?
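
Added example, not from the thread, for the MTU question above: it computes the largest inner packet that fits a 1500-byte path after GRE and GRE-plus-ESP encapsulation and the matching ip tcp adjust-mss value, with comments on why an MSS clamp differs from lowering the tunnel mtu. Header sizes come from the RFCs cited in the docstring; the cipher table is an assumption limited to CBC ciphers with 96-bit HMAC ICVs.

```python
"""Overhead calculator for GRE and GRE-over-IPsec tunnels: the largest inner IPv4
packet that still fits the path MTU and the TCP MSS clamp that avoids fragmentation.
Added example, not from the thread; header sizes follow RFC 2784 (GRE), RFC 4303
(ESP) and RFC 3948 (UDP encapsulation for NAT-T). Cipher table is CBC-only."""

IPV4_HDR = 20
GRE_HDR = 4          # base GRE header; checksum, key and sequence flags add 4 each
ESP_SPI_SEQ = 8
NAT_T_UDP = 8
TCP_HDR = 20

# cipher -> (CBC block size, IV length)
CIPHERS = {"esp-des": (8, 8), "esp-3des": (8, 8), "esp-aes": (16, 16),
           "esp-aes-192": (16, 16), "esp-aes-256": (16, 16)}
# integrity -> truncated ICV length (HMAC-MD5-96 / HMAC-SHA1-96)
AUTHS = {"esp-md5-hmac": 12, "esp-sha-hmac": 12}


def gre_size(inner_len, key=False, seq=False):
    """Bytes on the wire after GRE encapsulation of an inner_len-byte packet."""
    return IPV4_HDR + GRE_HDR + (4 if key else 0) + (4 if seq else 0) + inner_len


def esp_size(pkt_len, cipher, auth, mode="tunnel", nat_t=False):
    """Bytes on the wire after ESP protects a pkt_len-byte IPv4 packet. Tunnel mode
    encrypts the whole packet behind a new IP header; transport mode keeps the
    original header and encrypts only its payload."""
    block, iv = CIPHERS[cipher]
    plain = pkt_len if mode == "tunnel" else pkt_len - IPV4_HDR
    pad = (-(plain + 2)) % block   # pad so payload + 2-byte trailer fills whole blocks
    return (IPV4_HDR + (NAT_T_UDP if nat_t else 0) + ESP_SPI_SEQ + iv
            + plain + pad + 2 + AUTHS[auth])


def inner_mtu(path_mtu=1500, ipsec=None, **gre_opts):
    """Largest inner packet whose GRE (+ optional ESP) encapsulation fits path_mtu.
    ipsec is a dict of esp_size keyword args, e.g. {"cipher": "esp-3des",
    "auth": "esp-sha-hmac"}. Searches downward because ESP padding varies with size."""
    for inner in range(path_mtu, 0, -1):
        outer = gre_size(inner, **gre_opts)
        if ipsec:
            outer = esp_size(outer, **ipsec)
        if outer <= path_mtu:
            return inner
    raise ValueError("nothing fits")


def mss_clamp(inner_len):
    """Value for 'ip tcp adjust-mss' on the tunnel interface. The router rewrites the
    MSS option in TCP SYNs passing through, so the endpoints never build a segment
    that would need fragmentation; 'mtu' on the tunnel only changes what the router
    does after an oversized packet arrives (fragment it, or drop it and send ICMP
    if DF is set). Only TCP is affected; UDP voice passes unchanged either way."""
    return inner_len - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    cases = {
        "GRE only": None,
        "GRE + ESP 3DES/SHA tunnel mode": {"cipher": "esp-3des", "auth": "esp-sha-hmac"},
        "GRE + ESP AES/SHA tunnel mode, NAT-T": {"cipher": "esp-aes", "auth": "esp-sha-hmac", "nat_t": True},
    }
    for label, ipsec in cases.items():
        inner = inner_mtu(ipsec=ipsec)
        print(f"{label}: inner MTU {inner}, ip tcp adjust-mss {mss_clamp(inner)}")
```

For plain GRE the result is 1476/1436, and 3DES/SHA in tunnel mode brings the inner MTU to 1422, so a clamp of 1400 as suggested above leaves some headroom for extra GRE or NAT-T headers.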

XakEp
Dec 20, 2002
Amor est vitae essentia

Filthy_McGreasy posted:

If someone were to poopsock the CCIE training, and assuming a 100% retention rate for the information, how much of a time investment would it be? You mention studying for 6-8 months, is that 2 hours a week, or 2 hours a day? Is the exam environment stressful? From your previous comments it sounds like there would be many people sitting around in a room taking the test at the same time. Do they try to minimize the distractions? How much experience did you have before you decided to start on this?

I'm actually going to start poopsocking for CCIE Security in January. I give myself 6 months or so to do the written, and 12-18 months for the lab. I expect to have to take the lab several times, but what the hell, I've got time.

For the record, I've got CCNA, CCNP and (last week) CCSP. It's taken me 2 years to get this far, and a fair amount invested in equipment.
