I apologize if this is the wrong place to ask, but my friend recently obtained an Aironet 350 wireless-B access point. I was wondering, given the magic of IOS, could it be configured to work in reverse, say serve as a wireless bridge to allow an Xbox onto the wireless network? Any advice would be appreciated.
|
# ? Nov 16, 2009 05:13 |
|
|
RaptorFox posted: I apologize if this is the wrong place to ask, but my friend recently obtained an Aironet 350 wireless-B access point. I was wondering, given the magic of IOS, could it be configured to work in reverse, say serve as a wireless bridge to allow an Xbox onto the wireless network? Any advice would be appreciated.

If the 350B can be configured for bridging mode, then yes, yes it can! I've done just that with 1100/1130 APs.
|
# ? Nov 16, 2009 13:31 |
|
RaptorFox posted: I apologize if this is the wrong place to ask, but my friend recently obtained an Aironet 350 wireless-B access point. I was wondering, given the magic of IOS, could it be configured to work in reverse, say serve as a wireless bridge to allow an Xbox onto the wireless network? Any advice would be appreciated.

To my recollection, the Cisco Aironet 350 AP is one of the devices that Cisco pretty much bought directly when they purchased the whole Aironet company. (Kinda like how all their VOIP stuff is really just a Sipura device renamed.) That device doesn't have the capability to join another existing wireless network in client mode like you would want it to, in order to create a wired segment for your Xbox. Those boxes didn't really have IOS like the routers and switches when I used them back in 2001. They just had a simplified serial console and a web GUI.
|
# ? Nov 16, 2009 17:05 |
|
CrazyLittle posted: To my recollection, the Cisco Aironet 350 AP is one of the devices that Cisco pretty much bought directly when they purchased the whole Aironet company. (Kinda like how all their VOIP stuff is really just a Sipura device renamed.) That device doesn't have the capability to join another existing wireless network in client mode like you would want it to, in order to create a wired segment for your Xbox. Those boxes didn't really have IOS like the routers and switches when I used them back in 2001. They just had a simplified serial console and a web GUI.

I did a little research this morning, and what this man says is the truth. Though they do make a 350 series wireless bridge, it is a separate appliance.
|
# ? Nov 16, 2009 18:05 |
|
Anyone have any experience configuring SSH access to an 1130AG? The documentation is pretty confusing. I just want to authenticate locally.
|
# ? Nov 18, 2009 18:20 |
|
Richard Noggin posted: Anyone have any experience configuring SSH access to an 1130AG? The documentation is pretty confusing. I just want to authenticate locally.

Not specific to the 1130, but:
- generate RSA keys with the crypto commands (requires hostname/ip domain-name to be set)
- create user(s)
- set up aaa authorization (exec)/authentication (login) to use local
- turn on "login" on the vtys

http://www.ciscosystems.org.ro/application/pdf/paws/68789/ssh_enable_ap.pdf is for the 1200 but it should be similar.
|
# ? Nov 18, 2009 18:30 |
|
Can you elaborate on how to turn on login on the vtys? Here's what I have: code:
Richard Noggin fucked around with this message at 19:54 on Nov 18, 2009 |
# ? Nov 18, 2009 18:43 |
|
Richard Noggin posted: Can you elaborate on how to turn on login on the vtys? Here's what I have: code:
also you may want to turn off 'no exec' on the vtys if you want people to be able to ssh/telnet in.
|
# ? Nov 18, 2009 18:45 |
|
ragzilla posted:also you may want to turn off 'no exec' on the vtys if you want people to be able to ssh/telnet in. Ah, removing 'no exec' did the trick. Thanks!
|
# ? Nov 18, 2009 19:54 |
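Pulling ragzilla's steps and the "no exec" fix together into one configuration, as an added example that is not from any post in this thread. The hostname, domain name, username and AAA list names are assumptions; the commands are standard IOS and the AP's IOS image takes the same syntax. Note that once "aaa new-model" is on, the vty "login" keyword is replaced by "login authentication <list>":

```cisco
! Both of these must exist before RSA key generation will succeed
! (assumed values)
hostname ap1130
ip domain-name lab.example
!
! Local administrative account (assumed name); "secret" stores a hash
! rather than a reversible type-7 password
username netadmin privilege 15 secret Use-A-Long-Passphrase-Here
!
! Named AAA lists pointing at the local user database
aaa new-model
aaa authentication login LOCAL-AUTH local
aaa authorization exec LOCAL-AUTH local
!
! Generate the host key and restrict the server to SSHv2 with short
! timeouts; 1024-bit keys are the floor on older images and should be
! treated as temporary
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
line vty 0 4
 ! "exec" undoes the "no exec" that was blocking logins
 exec
 exec-timeout 10 0
 ! SSH only, no telnet
 transport input ssh
 login authentication LOCAL-AUTH
 authorization exec LOCAL-AUTH
```

Check it with "show ip ssh" (version and key size) and "show users" while testing, and open the SSH session from a second window before closing the console you configured it from.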
|
adorai posted: In my specific situation this is more in regard to ProCurve gear, but I think it is the same as Cisco as far as this goes.

STP runs on a per-VLAN basis and is not like VTP, in that the "VTP Domain" name needs to be the same across all participating switches. I'm not sure what you're referring to when you say "the spanning tree config name," could you be more specific?

edit: also I'm wondering, in what manner are you "setting up" STP? I would suggest just giving one switch a low priority (per VLAN), so that it's elected root bridge, and then leave everything else alone.

thiscommercialsucks fucked around with this message at 01:06 on Nov 19, 2009 |
# ? Nov 19, 2009 00:56 |
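For the "give one switch a low priority per VLAN" approach in Cisco terms, here is an added example that is not from the thread, written for IOS rather than ProCurve. The interface range, VLAN range and rapid-PVST mode are assumptions. Root guard and BPDU guard are included because deliberately picking a root is only worth something if a stray switch plugged into an edge port cannot win the election away from it:

```cisco
! --- On the switch that should be root for every VLAN (assumed: the core) ---
spanning-tree mode rapid-pvst
! Priority must be a multiple of 4096; everything else stays at the
! default 32768, so this switch wins the per-VLAN root election.
spanning-tree vlan 1-4094 priority 4096
!
! Ports facing access switches (assumed range): refuse superior BPDUs so
! a misconfigured or rogue switch downstream cannot become root.
interface range GigabitEthernet1/0/1 - 24
 spanning-tree guard root
!
! --- On each access switch ---
spanning-tree mode rapid-pvst
! Host ports come up immediately, and any port that receives a BPDU
! (i.e. has a bridge behind it) is err-disabled instead of joining the tree.
spanning-tree portfast default
spanning-tree portfast bpduguard default
```

"show spanning-tree vlan <n>" on any switch should then report the core's bridge ID as root for that VLAN; if it does not, something with a lower priority (or equal priority and a lower MAC) is on the wire.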
|
Not exactly Cisco related, but uh, merry Christmas to me. So happy to dump Checkpoint.
|
# ? Nov 19, 2009 17:59 |
|
We just received a server from a vendor that needs remote access. We have an ASA 5510 that I created the VPN Group/Policy for. From the vendor's local machine(s), the only piece of equipment they can get to is their server. That server is in our "server vlan". I have two questions:

1. How do I specify an external IP range that is allowed to connect to the VPN using the policy/group I created for the vendor? I used ASDM to create the policy and split tunnel rules. Basically I don't want Joe Schmoe to have all the VPN credentials stored in a text file on his laptop, lose the laptop, and someone have access to the remote server from anywhere outside the vendor's network.

edit: actually, I probably shouldn't have the associated VPN user enabled unless they need access, so I know who is getting remote access in and when.

2. I want to create some ACLs on the switch that the server is plugged into. Once the vendor RDPs into the server, I don't want them to be able to access any network resources outside of internet access for Windows updates. I was thinking of a named extended list assigned to the physical switchport. Students will have to access this server via port 80. I was thinking something like code:
|
# ? Nov 19, 2009 22:36 |
|
InferiorWang posted: We just received a server from a vendor that needs remote access. We have an ASA 5510 that I created the VPN Group/Policy for. From the vendor's local machine(s), the only piece of equipment they can get to is their server. That server is in our "server vlan". I have two questions:

1) an inbound extended ACL allowing access to the VPN TCP port from the customer's network
2) then allowing all other traffic on non-VPN TCP ports (so that you don't implicitly deny all traffic)
3) and then the implicit denial, which would drop all remaining traffic (which would be all non-customer-network traffic destined for your VPN TCP port.)
4) ACL is placed as an inbound ACL on the interface closest to the REMOTE customer's network, that is, on your WAN-facing interface. Just don't accidentally block everything.

But like I said, I'm just pulling that one out of my rear end.

quote: 2. I want to create some ACLs on the switch that the server is plugged into. Once the vendor RDPs into the server, I don't want them to be able to access any network resources outside of internet access for Windows updates. I was thinking of a named extended list assigned to the physical switchport. Students will have to access this server via port 80. I was thinking something like

I don't think you can do an outbound ACL on a layer 2 switchport. So your ACL limiting the server's access to only port 80/443 becomes something you create as an "incoming" ACL for your router ethernet port facing the switch, looking more like this:

code:
Router(config)# access-list 101 permit tcp host 192.168.12.23 <microsoft's-summary-network-address> established
Router(config)# access-list 101 deny ip host 192.168.12.23 any
Router(config)# access-list 101 permit ip any any

("established" is only valid on a tcp entry, and numbered ACL lines take no sequence numbers.) And you'd apply that as an inbound ACL using

code:
Router(config)# interface fa0/1
Router(config-if)# ip access-group 101 in

(or whatever router interface is facing your switch). If you're running a layer 3 switch then just take the same ACL and place it as an outbound ACL on the server's switchport (fa0/26 or whatever it's plugged into.)

Are all of your various customers' servers in the same VLAN? Hopefully not.

edit: aaaaand look how gay i am

thiscommercialsucks fucked around with this message at 03:10 on Nov 20, 2009 |
# ? Nov 19, 2009 23:57 |
|
It's a 4507R. It's our core router and an access switch using a couple of copper blades.
|
# ? Nov 20, 2009 00:06 |
|
InferiorWang posted: It's a 4507R. It's our core router and an access switch using a couple of copper blades.

If they are RDP'ing into the box, then they will have access to any resources that server VLAN has allowed unless you build a VACL to prevent the box from talking to other boxes in the same subnet (VLAN). Once they access the box, they are sourced as the box's local IP, not their remote system's IP. Build a VPN policy that only permits their local IPs behind the VPN tunnel to access this server. Then build a VACL that restricts that box's local traffic. You can do an ACL at the router/VLAN interface, but that will not stop the server from talking in its own subnet (VLAN).
|
# ? Nov 20, 2009 01:00 |
|
routenull0 posted:If they are RDP'ing into the box, then they will have access to any resources that server vlan has allowed unless you build a vACL to prevent the box from talking to other boxes in the same subnet (vlan). Once they access the box, they are sourced as the boxes local IP, not their remote systems IP. Right, that was the whole problem. Doing the split tunnel at the VPN is easy enough, but once you're RDPed into the server, you can access whatever in the VLAN. I'll look into vACLs. Thanks
|
# ? Nov 20, 2009 14:34 |
|
I'm just screwing around on a Catalyst 3550 sitting in my office. I have my laptop plugged into a port assigned to VLAN 11. My config has these entries: code:

edit: :facepalm: I realized, while standing in line for lunch, that IGMP isn't ICMP.

Boner Buffet fucked around with this message at 18:23 on Nov 20, 2009 |
# ? Nov 20, 2009 17:50 |
|
InferiorWang posted: I'm just screwing around on a Catalyst 3550 sitting in my office. I have my laptop plugged into a port assigned to VLAN 11. My config has these entries:

IGMP isn't ICMP?
|
# ? Nov 20, 2009 18:24 |
|
Casimirus posted:IGMP isn't ICMP? Exactly.
|
# ? Nov 20, 2009 18:34 |
|
InferiorWang posted: I'm just screwing around on a Catalyst 3550 sitting in my office. I have my laptop plugged into a port assigned to VLAN 11. My config has these entries:

code:
access-list 100 permit tcp any any eq 80

And then apply the "action drop" command under the VACL sequence. This is different than writing a normal ACL to drop traffic on a routed interface, and it can be confusing for people coming from a conventional ACL background. You may have already been aware of this, but I figured it was worth mentioning.
|
# ? Nov 20, 2009 18:37 |
|
I didn't realize that. Thanks jwh.
|
# ? Nov 20, 2009 19:02 |
|
Can you only filter a vlan with one access map? code:
If I try to add vlan filter drop-icmp vlan-list 11, it overwrites the original. So I should assume that for each access-map, there is going to be one access-list, because you can only match a single access map to a single access list and filter on a vlan only using a single access map?
|
# ? Nov 20, 2009 20:29 |
|
I don't know the advanced answer but I think you want to put all of that in one access-map, with different matches and actions for each sequence number, e.g.

code:
vlan access-map mymap 10
 match whatever
 action forward
vlan access-map mymap 20
 match whatever2
 action drop

then apply the one access-map. I don't know whether or not you can apply more than one access-map though.

InferiorWang posted: you can only match a single access map to a single access list

This is the part maybe you're confused about, unless there's a reason you can't put everything into one.
|
# ? Nov 20, 2009 20:52 |
|
Casimirus posted:I don't know the advanced answer but I think you want to put all of that in one access-map, with different matches and actions for each sequence number, e.g. I think the matches with sequence numbers was the concept I was missing. Thanks Casimirus.
|
# ? Nov 20, 2009 21:03 |
|
Okay, biggish problem. Installing a new IOS. We did back up the original IOS. We tried to install the newest version for the 2801 routers. We had a not-enough-memory message and decided to format flash. Now when we are trying to install the newest or the backed-up IOS using FTP we are getting a socket error. Any advice?

Edit: Never mind. We got the original IOS back on.

Drumstick fucked around with this message at 21:24 on Nov 21, 2009 |
# ? Nov 21, 2009 21:01 |
|
Drumstick posted:not enough memory Use Cisco Feature Navigator in the future to download software. It will tell you the minimum RAM/Flash for your image as well as a bunch of other stuff.
|
# ? Nov 22, 2009 01:21 |
|
Thanks for the ACL help. For the Cisco VPN admins, how do you control vendor access? There doesn't seem to be an easy way to disable a vpn user account without removing it all together on our ASA 5510. I'd like the vendors to have to contact me or someone else in my department before they can authenticate to the VPN.
|
# ? Nov 23, 2009 22:23 |
|
InferiorWang posted:Thanks for the ACL help. I usually tie VPN authentication to a back-end RADIUS server, so it's pretty easy to enable/disable accounts.
|
# ? Nov 23, 2009 23:14 |
|
jbusbysack posted:I usually tie VPN authentication to a back-end RADIUS server, so it's pretty easy to enable/disable accounts. Yeah we always made their user accounts in Active Directory, that way they had to contact helpdesk to get in.
|
# ? Nov 24, 2009 00:03 |
|
routenull0 posted:Yeah we always made their user accounts in Active Directory, that way they had to contact helpdesk to get in. Do you use a direct ldap hook, or a radius server in between?
|
# ? Nov 24, 2009 01:46 |
|
InferiorWang posted: Do you use a direct LDAP hook, or a RADIUS server in between?

We had a Win2000 domain when I did it, but we ran an IAS front-end that pushed auth against AD. It might be different for newer Windows domains now.
|
# ? Nov 24, 2009 04:03 |
|
routenull0 posted:We had a Win2000 domain when I did it, but we ran and IAS front-end that pushed auth against AD. I might be different for newer Windows domains now. This is how it is for windows server 2003.
|
# ? Nov 24, 2009 04:37 |
|
Sojourner posted:This is how it is for windows server 2003. For 08 it's the same concept, just with NPS.
|
# ? Nov 24, 2009 07:24 |
|
You can do that if you'd like to. ASA can also hook AD directly (it supports LDAP for AAA).
|
# ? Nov 24, 2009 15:22 |
|
Sojourner posted: I did a little research this morning, and what this man says is the truth. Though they do make a 350 series wireless bridge, it is a separate appliance.

This is true - however you can get an IOS image for the 350 series APs. There is even a conversion tool available to upgrade a VxWorks-based 350 to run IOS on it:

code:
cisco AIR-AP350-IOS-UPGRD (PowerPC860) processor with 14838K/1536K bytes of memory.
PowerPC860 CPU at 49Mhz, revision number 0x0000
Last reset from power-on
1 FastEthernet interface
1 802.11 Radio(s)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:40:96:58:C8:FC
Product/Model Number : AIR-AP350-IOS-UPGRD

These make amazing 802.11b APs due to their 100mW radios (they basically use the Aironet 350 PC card internally). Only thing to watch for is the thermals - the only time I've seen these units act up has been when the card inside has suffered damage due to heat.
|
# ? Nov 24, 2009 15:39 |
|
Tremblay posted: You can do that if you'd like to. ASA can also hook AD directly (it supports LDAP for AAA).

code snippet:
aaa-server Chicago_Radius protocol radius
aaa-server Chicago_Radius (inside) host x.x.x.x
 key XXXXX
 radius-common-pw XXXXX
aaa-server Chicago_Radius (inside) host x.x.x.x
 key XXXXX
 radius-common-pw XXXXX
aaa authentication ssh console Chicago_Radius LOCAL
aaa authentication http console Chicago_Radius LOCAL
aaa authentication enable console Chicago_Radius LOCAL
group-policy CHI_Remote_Access internal
group-policy CHI_Remote_Access attributes
 wins-server value x.x.x.x x.x.x.x
 dns-server value x.x.x.x x.x.x.x
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CHI_Remote_Access_splitTunnelAcl
 default-domain value xxx.net
tunnel-group CHI_Remote_Access type remote-access
tunnel-group CHI_Remote_Access general-attributes
 address-pool CHI_RA_POOL
 authentication-server-group Chicago_Radius
 default-group-policy CHI_Remote_Access
tunnel-group CHI_Remote_Access ipsec-attributes
 pre-shared-key *

You would then need to configure IAS/NPS (depending on server version) to authenticate properly for that policy. Short list of policy to match:
- list the device (ASA) as a RADIUS client w/PSK
- username is in a valid user group
- MS-CHAPv2
|
# ? Nov 24, 2009 16:34 |
|
Can anyone compare the QoS exam for the CCIP to the ONT exam for the CCNP? The ONT is very short on material, they pad it out with SDM stuff but it's still short, and I feel like if there was anything more to QoS they'd put it on the ONT. I also see the overlap between MPLS and ISCW, and BGP and BSCI, is the CCIP just a gimme after the CCNP?
|
# ? Dec 1, 2009 01:52 |
|
Anyone here with any experience doing the initial setup of a catalyst express switch with Windows 7? There seems to be an issue pulling DHCP from that model of switch(it's the web interface configuration).
|
# ? Dec 1, 2009 04:59 |
|
Casimirus posted: Can anyone compare the QoS exam for the CCIP to the ONT exam for the CCNP? The ONT is very short on material, they pad it out with SDM stuff but it's still short, and I feel like if there was anything more to QoS they'd put it on the ONT. I also see the overlap between MPLS and ISCW, and BGP and BSCI, is the CCIP just a gimme after the CCNP?

Yep, pretty much. Though for the CCIP you still need the BSCI, BGP, MPLS, QOS instead of BCMSN, ONT, ISCW. Really the difference is that the CCNP is more general for technical sales stuff, but the CCIP is more "practical" "real" stuff. So as a result, fewer people bother with the CCIP.
|
# ? Dec 1, 2009 11:28 |
|
|
Casimirus posted:Can anyone compare the QoS exam for the CCIP to the ONT exam for the CCNP? The ONT is very short on material, they pad it out with SDM stuff but it's still short, and I feel like if there was anything more to QoS they'd put it on the ONT. I also see the overlap between MPLS and ISCW, and BGP and BSCI, is the CCIP just a gimme after the CCNP? The CCNP is going to be overhauled probably early 2010 so if you plan on doing that route, you should try to do it before the end of January. They are probably removing the ONT outright and probably the ISCW and replacing it with a troubleshooting exam.
|
# ? Dec 1, 2009 17:30 |