|
http://tools.ietf.org/html/draft-farinacci-lisp-12 So I've been reading about LISP and I really don't know what advantages it provides that aren't addressed by private IP Addressing. Private IPs are already independent of publicly routable IPs, private networks can already move from provider to provider without changing their internal addressing scheme. The onyl think that might be an advantage as far as I can tell is quote:2. More cost-effective multihoming for sites that connect to Although I'm not sure how much work it takes for service provider routers to speak BGP with its partial peers, like for a small organization that wants to multihome. Oh well, I guess I won't worry about it anymore, but it is still puzzling.
|
#
?
Feb 12, 2010 19:12
|
|
|
|
| # ? Apr 29, 2024 03:43 |
|
|
Does the PC get the ARP entry for 10.10.12.254? Maybe the 6500 is seeing the ARP reply come in 8/47 and dumping it since it is one of it's own MACs? Not really sure, that is a strange one. Where does everyone buy their SFPs from? We've been using CDW but their prices generally suck and the volume I'm ordering them in is starting to go up.
|
|
#
?
Feb 12, 2010 21:11
|
|
|
FatCow posted:Does the PC get the ARP entry for 10.10.12.254? Maybe the 6500 is seeing the ARP reply come in 8/47 and dumping it since it is one of it's own MACs? Not really sure, that is a strange one.
|
|
#
?
Feb 12, 2010 21:25
|
|
|
FatCow posted:Where does everyone buy their SFPs from? We've been using CDW but their prices generally suck and the volume I'm ordering them in is starting to go up. Fluxlight. Get their Fluxlight branded, Cisco-compatible ones. Alternately, we've also had good luck with the optics Candela sells on eBay, assuming you don't mind rolling with "service unsupported-transciever"
|
|
#
?
Feb 12, 2010 22:49
|
|
|
jwh posted:This topology should work fine, assuming you have nothing special in your configuration for the ports - the layer2 ports should be on a vlan, the layer3 port is just a routed interface (as your diagram indicates). Even assuming the router is trying to populate the cam-table with its own mac-address from the l3 port (something you could test by changing the mac-address of the l3 port) and failing, the worst case that should happen is that all traffic to your gateway floods instead of gets switched - it should not fail. Being that the box you are evaluating is a DPI acceleration box, I would think it has no issues, but you could always throw another l2 switch in its place to validate the issues are not it and belong to the topology. I think everything I said holds true if you are not using a sup2 and not a sup720, but it has been a few years since I did extensive testing there. Thinking about it, I am pretty sure you are going to need to change the mac-address of the routed port however to prevent the flooding from happening.
|
|
#
?
Feb 13, 2010 06:20
|
|
|
I had a weird problem at a place a help out now and then. Their layer two switching is all handled by 2960/2960Gs, with one legacy dumb Netgear switch they refuse to abandon for some reason. IOS is pretty standard, although they do have portfast enabled by default on most of the switches, instead of by port for some reason. They are currently in the process of moving away from some consumer grade wireless and gateway products (pair of Linksys WRT54GLs running Tomato doing QoS) to some 3560 and 3750/ASAs. So anyway they had some rain and a lot of their T1s had issues/CRC errors at the beginning of the week. .1 3Mbit Metro PtP, solid (old main gateway for servers) .2 4.5MBit Flex VOIP/Internet (main gateway for workstations, the Tomatos) .5 10Mbit Metro PtP, CRC errors on one of the bonded T1s. So I get this call saying that the site 2960s refused to talk to any of the non-Cisco equipment overnight. Came in, the .5 interface had been moved to a different switch by someone, and was alternating between normal green to blinking amber leds. I checked the MPoE, and there's a bunch of errors on the smart jacks, so I disconnect it. The main switch still refused to see anything on the Netgear/Linksys switches. So I check IOS, no error messages pop out at me so I do a fast reload. Still it looks like either the routing table or switch fabric is hosed. Eventually the only thing that let it talk to the non-Cisco gear was a completely power cycle of the 2960, Netgear, and Linksys. I also turned off portfast on it as it shouldn't have been on the switch ports anyway, and swapped to different switch ports. Was it just transport errors on the metro link that caused the port to freak out and kill switching to the non-Cisco gear? I didn't see any obvious loops that would make portfast get pissy, but it's off now regardless. I'm not a Cisco guy or even a sysadmin, but sometimes I get weird calls from people I've helped out and this one stumped me.
|
|
#
?
Feb 13, 2010 09:57
|
|
|
You should have done a sh log, sh mac-address-table and debug spanning-tree on the switch with the amber/green port for starters. If the port was flapping, its very possible the spanning-tree topology is unstable because of a loop and some flapping interface, its also possible port fast was err-disabling the switch because it was getting bpdu's on that port. It's hard to say without knowing the topology or seeing any of the logs or anything. Restarting Cisco gear rarely fixes anything, there are a wealth of clear and reset commands that can be used to fix 90% of problems in IOS.
|
|
#
?
Feb 13, 2010 14:49
|
|
|
Yeah, I should have dug in deeper, I just had about ten minutes before I had to leave for my actual job and just wanted it fixed now, heh. But yeah their network is pretty weird, but it's getting better as they finally get new equipment. Either way, thanks!
|
|
#
?
Feb 13, 2010 18:15
|
|
|
Sounds like they need someone to go in over a weekend and reconfigure everything from scratch. Will probably save a lot of headaches in the long run!
|
|
#
?
Feb 13, 2010 20:05
|
|
|
mezoth posted:Being that the box you are evaluating is a DPI acceleration box, I would think it has no issues, but you could always throw another l2 switch in its place to validate the issues are not it and belong to the topology. I'm going to try and look into it further this week, but in the interim we got our Steelhead 5050 up and running by putting an 1841 in between it and Gig8/45. Adds some complexity (and there are throughput concerns now), but at least we can get the thing working.
|
|
#
?
Feb 14, 2010 03:35
|
|
|
jwh posted:We actually crossed over Gig8/45 to Gig8/47 and we see the same issue. It's really confounding. If you are running a sup720, I would suggest trying the mac-address change for the routed interface. If anything, the router is probably getting tripped up on seeing its own mac-address in the CAM table. If I might ask, what code version are you running?
|
|
#
?
Feb 14, 2010 04:49
|
|
|
ragzilla posted:Is this using RADIUS, or IOS users for auto-enable? If so, you'll need to tell RANCID that it's being autoenabled using something similar to: A bit late, but I've been on vacation for the last two weeks. The autoenable directive solved this, thanks.
|
|
#
?
Feb 15, 2010 16:41
|
|
|
mezoth posted:If you are running a sup720, I would suggest trying the mac-address change for the routed interface. If anything, the router is probably getting tripped up on seeing its own mac-address in the CAM table. If I might ask, what code version are you running? Yeah, Sup720. I'll try the mac-address change. Code is 12.2(18)SXE1
|
|
#
?
Feb 17, 2010 17:03
|
|
|
jwh posted:Yeah, Sup720. I'll try the mac-address change. Also, i assume the port is not err-disabling? You might have to do "no keepalives" and "no cdp" on the port as well.
|
|
#
?
Feb 18, 2010 02:16
|
|
|
mezoth posted:Also, i assume the port is not err-disabling? You might have to do "no keepalives" and "no cdp" on the port as well. Yeah, not going err-disabled. Haven't tried the mac change yet, was out on Tuesday and was busy with other (far worse) stuff today.
|
|
#
?
Feb 18, 2010 05:06
|
|
|
Cisco Short Question: I am trying to create an EAP Profile on an 871w. Normally, on an Aironet AP (e.g. 1131AG) I just issue the below command. It's not available in my image command set on the 871w though. Command I normally Use: code:Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3) Normally after 10 minutes of searching I can usually find anything, but coming up short here. I have the command on my 6506, but not 7206. This kind of crap is annoying. Any ideas? Thanks! Herv fucked around with this message at 19:24 on Feb 22, 2010 |
|
#
?
Feb 22, 2010 19:22
|
|
|
You have to get into identity profile mode first. Router (config)# identity profile dot1x Router (config-identity-prof)# eap username user1
|
|
#
?
Feb 22, 2010 20:22
|
|
|
Powercrazy posted:You have to get into identity profile mode first. I am not even getting that option. It would be a crime to have to send down another AP if the 871w cant do PEAP auth. code:E: Wait a sec, bought this thing new just a few days ago. Going to have my engineer call up! 
|
|
#
?
Feb 22, 2010 21:32
|
|
|
Herv posted:I am not even getting that option. It would be a crime to have to send down another AP if the 871w cant do PEAP auth. You get TAC free for the first 30 or 60days I think.
|
|
#
?
Feb 22, 2010 22:58
|
|
|
My company is shutting down a branch office, and as I was present to help with the server room decommissioning I got my grubby paws on a Cisco 3825 loaded with two HWIC 4-port FXO cards, a 6 AP wireless controller, and a 24 port 10/100 PoE w/ 2 stack port line card. I also got 5 7971 VoIP handsets, new in box. My knowledge with high-end Cisco gear is limited to in-the-field configuration of 3750s, 4948s, 1130 and 1250 series APs using the Cisco configuration guides off their website. Where do I start learning about and configuring this stuff? I can go back to our home office and get configurations utilities and what not, but I don't even know what to ask for. I'm assuming there's not a PDF somewhere that says "this is how to setup a VoIP system using a 3800 series, CallManager, and some phones". Anyone have any books they recommend?
|
|
#
?
Feb 23, 2010 00:51
|
|
|
NeuralSpark posted:My company is shutting down a branch office, and as I was present to help with the server room decommissioning I got my grubby paws on a Cisco 3825 loaded with two HWIC 4-port FXO cards, a 6 AP wireless controller, and a 24 port 10/100 PoE w/ 2 stack port line card. I also got 5 7971 VoIP handsets, new in box. Quite honestly, the way its phrased i read it as it's yours for the keeping. If so I would sell that if I were you, you're looking at around 18k+ list for that setup depending on IOS licensing.
|
|
#
?
Feb 23, 2010 05:02
|
|
|
jbusbysack posted:Quite honestly, the way its phrased i read it as it's yours for the keeping. If so I would sell that if I were you, you're looking at around 18k+ list for that setup depending on IOS licensing. It's mine for my dev lab at my office (read: house), not mine personally so I can't really sell it even though I'd REALLY like to. I've got a 3750G-48 and 2 3750G-24s with the advanced IP services image on them, which all rolled up, would make for a downpayment on a very nice house. We supposedly have access to all things Cisco through a vendor agreement, but I'd like to educate myself on the technology and what I'd need without sounding like "what button I gotta mash to make it do", which is what I'm afraid I sound like here already. 
|
|
#
?
Feb 23, 2010 05:27
|
|
|
Cisco Product Lit posted:Q. Do the integrated access points in the Cisco 800 Series Routers support local survivable authentication? Where's my PEAP? Not looking too good, crap. Still going to have to call in to make sure but looks like I will just have to send down an 871 and 1131 to get the job done.
|
|
#
?
Feb 23, 2010 15:45
|
|
|
NeuralSpark posted:My company is shutting down a branch office, and as I was present to help with the server room decommissioning I got my grubby paws on a Cisco 3825 loaded with two HWIC 4-port FXO cards, a 6 AP wireless controller, and a 24 port 10/100 PoE w/ 2 stack port line card. I also got 5 7971 VoIP handsets, new in box. That stuff is nice pricewise, but too bad its like the perfect storm of useless for you. The 4-port FXO card is for connecting phone lines up to the ISR. The Wireless controller is useless without some Access Points, the phones are useless without a call manager. So it looks like you got a 3825 (which isn't bad) and some old PoE switches, I assume 2950s. If you get CCO access, and the ISR has some PVDMS in it probably does, then you can setup call manager express and if you still have a land line for some reason you can actually setup a cisco voice solution in your house. If you don't have the software access, then you can tool around in IOS and learn some stuff. Skip the configuration utilities for now. The command line IOS is where all the magic happens. Console in, use '?' a lot, look up a few configuration guides for basic stuff like router on a stick etc, just to get familiar with how IOS works. Then you are only limited by your imagination.
|
|
#
?
Feb 23, 2010 16:24
|
|
|
Powercrazy posted:Skip the configuration utilities for now. The command line IOS is where all the magic happens. Console in, use '?' a lot, look up a few configuration guides for basic stuff like router on a stick etc, just to get familiar with how IOS works. Then you are only limited by your imagination. I realized the FXO cards are useless to me without landlines, but I've already got it running NAT and QoS for my cable modem. I've got a 3750E-24PD stacked to it powering every CAT5 port in the house and 2 1252s and an 1131 are currently in stand-alone mode providing wireless. I'm pretty comfortable with IOS, I just have no idea where to start with the VoIP stuff on the CLI. The small VoIP system you mention is really my goal in all this, just to learn. The wireless controller is really just a perk since the APs are already running, but it's there so why not play with it? I'll see if I can get CME from our Cisco guys. NeuralSpark fucked around with this message at 17:18 on Feb 23, 2010 |
|
#
?
Feb 23, 2010 17:12
|
|
|
Wow, three hours on the phone with India and still nothing. They are telling me the device supports PEAP but the only auths they have been able to register with my radius server is EAP and PAP. I have an XP, 7 laptop, and 2 iphones that can't connect to the 871w but work fine on the other AP's. They tell me wait for 10 mins, then I get this: Hi Herv, I have checked the details and you should definitely be able to use PEAP on this router. Unfortunately my shift ends at 5:00pm EST and I have to leave now. As you need immediate assistance today to get this working, please call on 1-800-999-9999 and you will get an engineer immediately. I will come in tomorrow and view the case notes and comntact you. I have updated the case notes with the latest information and the config on the router. Please feel free to contact me anytime tomorrow. ... rear end kickin chicken baby...
|
|
#
?
Feb 23, 2010 23:25
|
|
|
NeuralSpark posted:I realized the FXO cards are useless to me without landlines, but I've already got it running NAT and QoS for my cable modem. I've got a 3750E-24PD stacked to it powering every CAT5 port in the house and 2 1252s and an 1131 are currently in stand-alone mode providing wireless. If you can't get CME or call manager access, you might be able to play around with some SRST stuff with the router and phones. Might want to pick up a Magic Jack or something to plug into an FXO port to have fun with that.
|
|
#
?
Feb 23, 2010 23:32
|
|
|
But SRST won't do poo poo without a call manager.
|
|
#
?
Feb 24, 2010 01:21
|
|
|
Herv posted:Wow, three hours on the phone with India and still nothing. They are telling me the device supports PEAP but the only auths they have been able to register with my radius server is EAP and PAP. Tell them to escalate your case.
|
|
#
?
Feb 24, 2010 01:58
|
|
|
Quick background, although not all may be relevent. We've got around 50 sites connected via frame relay (various circuit sizes depending on office size) with GET VPN for encryption. Pretty much three hub and spoke topologies, one per lata. We don't directly manage the routers or circuits, but are expected to work the provider to make sure they are working properly. We've been having issues with exchange/outlook running in cached mode saturating our circuits (exchange servers located at the hubs). This usually occurs when a traveling user logs into a new box, downloading their entire mailbox, or an e-mail with an attachment (sometimes as small as 3 MB) is sent to a distribution list and all the cached clients try to download simultaneously. Our opinion has always been, "yeah its going to make the whole office suck, you're clogging the pipe." But there's been some questioning of how much latency should be incurred when we hit saturation or "how bad should it suck". What kind of factors determine how much latency is incured during circuit saturation assuming no qos? Number of flows? Router hardware? Should there be a difference in latency the rest of the office experiences when a single session app clogs the pipe (outlook mailbox download) vs when many sessions are competing for the bandwidth? Sorry if this isn't exactly cisco specific.
|
|
#
?
Feb 24, 2010 03:28
|
|
|
Ninshack posted:What kind of factors determine how much latency is incured during circuit saturation assuming no qos? Number of flows? Router hardware? Should there be a difference in latency the rest of the office experiences when a single session app clogs the pipe (outlook mailbox download) vs when many sessions are competing for the bandwidth? Congestion without QoS means that poo poo hits the fan, do you really mean latency? Latency in that case would only matter if you had an application that was OK with packet loss but was still latency sensitive. Even without classifying traffic at all, there are still QoS options. Look into the problems that WFQ and WRED solve.
|
|
#
?
Feb 24, 2010 05:12
|
|
|
I was assuming latency was what they were experienceing (is it more likely packet loss?). Telnet sessions to mainframe start slowing way down, end users complain that web browsing is painful, in some cases outlook disconnects, etc. Thanks for the info, I'll look into WFQ and WRED.
|
|
#
?
Feb 24, 2010 05:20
|
|
|
Ninshack posted:Quick background, although not all may be relevent. We've got around 50 sites connected via frame relay (various circuit sizes depending on office size) with GET VPN for encryption. Pretty much three hub and spoke topologies, one per lata. We don't directly manage the routers or circuits, but are expected to work the provider to make sure they are working properly. Wan accelerators is the answer. What was the question again? Wait, what am I saying, it doesn't matter.
|
|
#
?
Feb 24, 2010 05:31
|
|
|
We actually have WAAS in place, I need to update code for the new MAPI features (that and have them disable the TLS from client to exchange). That might solve the attachment issue, but I don't think it'll touch the e-mail profile downloads. Anyone have any experience with Exchange and WAAS? Is it worth the effort?
|
|
#
?
Feb 24, 2010 05:52
|
|
|
Ninshack posted:What kind of factors determine how much latency is incured during circuit saturation assuming no qos? Number of flows? Router hardware? Should there be a difference in latency the rest of the office experiences when a single session app clogs the pipe (outlook mailbox download) vs when many sessions are competing for the bandwidth? Many factors determine latency during circuit saturation. T1s have high serialization time anyway, as a function of their bandwidth being somewhat low. For instance, it takes nearly 8 ms to serialize a 1500 byte IP packet onto a full T1. Figure default FIFO queues of 40 deep, and given, say, an average packet size of 512 bytes, and that's approximately 100ms of worst-case serialization time ahead of you before your new packet can begin to serialize to the wire. And that's before you incur any number of other sources of latency, such as your GETVPN transform latency at both the ingress and egress sides of your tunnel, your native WAN latency, your access control / security appliance latency. To answer your question about a single stream versus many streams, the answer is yes, there is a difference. WFQ will prevent the single stream from starving the others, but you're still going to see queuing delays as packet particles wait to be dequeued to the network. You can affect things with fancy queuing strategies, but with the exception of priority queuing QoS doesn't make some applications better, it makes other applications worse. We run a lot of branch offices in Outlook cached mode, and we have the same issues you have. It doesn't help that Outlook is incredibly pissy about anything less than ideal network conditions. Ninshack posted:Anyone have any experience with Exchange and WAAS? Is it worth the effort? We're evaluating Riverbed / Silver Peak / Cisco right now, and Exchange is one of our apps under test. I don't have any figures yet though. I'd expect block / bit pattern technologies to perform better for Exchange data, but that's just a guess. Some vendors utilize additional tunnels (Silver Peak uses GRE, for instance) that can complicate matters, particularly if you have access control requirements at your WAN edge.
|
|
#
?
Feb 24, 2010 07:23
|
|
|
Tremblay posted:Tell them to escalate your case. Thanks. Got my escalation, now we are up to another hour of watching them 'gently caress a football' over a webex session. Unfortunately time is becoming a problem, higher ups already asking if I have other equip to meet the need. I need Dallas, he rocked when I had to work with him. Not sure if hes still with the TAC or not.
|
|
#
?
Feb 24, 2010 17:11
|
|
|
Herv posted:now we are up to another hour of watching them 'gently caress a football' over a webex session. I usually hang up the phone if the first thing the TAC askes is something like "can you ping the other side of your circuit?" .....when I am troubleshooting a downed router.
|
|
#
?
Feb 24, 2010 17:17
|
|
|
Update: things work (well on a local LAN)! Apparently PEAP gets mangled across a VPN? Oh well, this is progress at least. Time to hack with the last details.code:
|
|
#
?
Feb 24, 2010 17:56
|
|
|
Anyone have experience running automated TCL/EEM scripts? I have a script from Cisco's community site that I'd like to run, but can't seem to find any documentation on where to get started.
|
|
#
?
Feb 24, 2010 22:06
|
|
|
|
| # ? Apr 29, 2024 03:43 |
|
|
I've put together an SNMP trap monitoring system that will send an email when a given trap is received. What I need now are trap OIDs, and I'm having trouble finding what I want. Can anyone point me in the right direction of finding trap OIDs? Envmon and port security are two ones that I'm really looking for.
|
|
#
?
Feb 26, 2010 14:35
|
|
