|
Oh btw to any that are interested. Our more junior networking guy is going to go into Windows Management and get out of networking, so we want a CCNP level type guy to replace him. If you don't have your CCNP and your name is jwh then we would be interested, if you have your CCNP or above we would also be interested. If you have a good amount of experience but haven't had time to get your CCNP that would be fine too; these aren't HR requirements, they are practical ones. The position is in New York City. If you are interested send me an email at usedaegis at live .com and I'll give you more details then.
|
# ? Jul 13, 2010 22:22 |
|
Brb booking a plane to New York
|
# ? Jul 14, 2010 00:53 |
|
Hey guys. This is kind of niche, but I figured I'd throw it out there. I work for a VoIP wholesale company that has grown to the point of needing to come into the 20th century and start using an SBC on all of our customer-facing SIP transactions. And actually, we'll possibly use it for our vendor-facing transactions as well. Basically, we're using Sonus GSXes as our core, and need a high availability SBC solution that will get us down to one customer-facing IP. We're only going to be using these as a SIP proxy to hunt between 7 Sonus switches on the back end. We've looked at several possibilities, but we feel they don't fit what we're looking for for various reasons. We had heard that Cisco has a newer product out that can act as an HA, high performance SIP proxy. We'd be looking at at least 1000 calls per second now, possibly to 1500 or more in the future. I think it's called a GSR? ASR? I can't remember what it was now. Does anyone know anything about these things? We were looking a bit at them, but nothing in the documentation we found was able to tell us any top-end stats about what its performance was. Any other suggestions would be sweet too, not just limited to Cisco. We've looked at Freeswitch, OpenSBC, Sonus SBC, Acme Packet, and maybe a couple others, and for one reason or another, these won't work for us. Anyone have any other suggestions?
|
# ? Jul 14, 2010 01:03 |
|
I feel dumb asking this in this thread, but does anyone have a recommendation for a wireless headset that works well with Cisco IP Communicator? USB or bluetooth are both good, hopefully under $100.
|
# ? Jul 14, 2010 02:42 |
|
Panthrax posted:
Any other suggestions would be sweet too, not just limited to Cisco. We've looked at Freeswitch, OpenSBC, Sonus SBC, Acme Packet, and maybe a couple others, and for one reason or another, these won't work for us. Anyone have any other suggestions?

Sup VoIP wholesaler buddy. We just front our Sonus network with OpenSIPS currently. There is a b2bua module there as well, I haven't used it in production yet but the 1.6.1 OpenSIPS is production grade. We generally run our production OpenSIPS proxies up to 100-150CPS but we're limited by the IO blocking to do database lookups. Without database lookups we've run it to over 1200CPS on a Dell 1950 with SIPp. Hit me up on AIM if you want more specifics.

Using OpenSIPS as a completely stateless proxy with BGP anycast might also get you what you want. It'll take some support from the IP side of things. One thing I've noticed though is that customers who can't make/receive calls to multiple IPs generally don't have platforms that you want on your network.

Sonus is also releasing what is basically a NBS/PSX/DSI in one box with no TDM. I don't have pricing on it yet but I hear it's not cheap.

FatCow fucked around with this message at 02:52 on Jul 14, 2010 |
# ? Jul 14, 2010 02:45 |
|
Interesting, thanks for the reply. Not sure if we'd looked at OpenSIPS, but I'll mention it at work tomorrow. I know we've had some bad experiences with Freeswitch, which I think has soured our taste for open source, to be honest. How well does OpenSIPS allow for failover between two nodes? As in, do they trade call states between the boxes in case one fails, the other will take over seamlessly? How well does the backup handle the failover? Freeswitch doesn't save states between nodes, so once one node goes down, the other will take over and doesn't know poo poo about the calls that are currently up. Plus, it takes 2-4 minutes for the Sophia processes or whatever to kick in, so there's several minutes of either no response or 503s back to the customer. Do you know of any organizations that handle paid support, or is it all community based/hack it together yourself? And believe me, we know all about customers who can't do more than one or two IPs. Unfortunately, it's more the people who can't route past us on a 503, and have to continue to route to all of our switches until they exhaust all of our GSXes. That's primarily what we're trying to solve. And for the Sonus all-in-one, that's what I meant when I said the Sonus SBC. We had the sales engineers in a couple weeks back, and it looks pretty slick, but yeah, they're not cheap. A node runs right around the same price as a full-blown GSX setup, but I'm not sure if that was the price for just the GSX+cards or GSX/PSX/DSI, etc. Either way, it's expensive. Plus, they're going to be putting out the 1.1 version of code soon, which allows each node to talk to each other, so they really aren't even fully-functional in a large production environment yet. Anyway, sorry for the derail. If anyone else has suggestions I'll take them, and I'll definitely hit you up, FatCow, if we have any questions.
|
# ? Jul 14, 2010 03:27 |
|
This is probably going to sound strange and perhaps has been answered before but I figure I'll go with it as I'm not sure where to start: I'm interning for a year in China for a company's IT department (finishing my Bachelor's in CS in the UK) and they're not quite sure what to do with me in terms of a role, so they've started me off by getting me to understand how their switches work (specifically the Catalyst 2960 with LAN Base software). I have no previous experience with Cisco routers or switches, so should I start reading CCNA material along with running a simulated switch to mess about with or is there a better way?
|
# ? Jul 14, 2010 08:34 |
|
You won't be able to run a simulated switch (switches are a distributed computing system that is difficult to simulate), but I wouldn't worry about it. Read some CCNA material, and the 2960s are just the tip of the iceberg. If you are in a position to get hands-on familiarity with Cisco stuff that will be invaluable for teaching you the basics of networking.
|
# ? Jul 14, 2010 12:16 |
|
Powercrazy posted:
So you have a private IP address on the outside interface? Presumably the public IP Space? If that is the case how would the ASA know where 192.168.2.1 is coming from, and how would it get back?

Say I wanted to ping from the ASA at Site B to an address at Site A over the tunnel: code:
code:
|
# ? Jul 14, 2010 15:04 |
|
I have a question about setting up SPAN/Port Mirroring. I understand I can do the port mirror with these commands. code:
I've never had to do this before but we're trying to solve an issue and it looks like the only way to do it is to analyze what's crossing the wire.
|
# ? Jul 14, 2010 20:48 |
|
Wireshark will just do a dump of raw data that's coming in on the line, so I don't think an IP is even required. You just need to make sure the interface is up and in promiscuous mode. I do my SPAN traces on a Mac laptop with no IP on the ethernet interface, so I can at least vouch that it works. I don't have any experience with doing multi VLAN traffic on a SPAN trace so that's a good question. I'll have to fire up the lab and try it for myself later. My first guess would be that since you're just mirroring ports there will be no indication of what packet is from what VLAN so you'll have to decipher that from the IP or something.

some kinda jackal fucked around with this message at 21:02 on Jul 14, 2010 |
# ? Jul 14, 2010 20:55 |
|
Martytoof posted:
Wireshark will just do a dump of raw data that's coming in on the line, so I don't think an IP is even required. You just need to make sure the interface is up and in promiscuous mode.

Thanks I'll give it a try, I just wanted to make sure I wasn't missing a big piece of how to do this. I'm assuming if it's VLAN traffic I should just see the dot1q tag in wireshark.
|
# ? Jul 14, 2010 21:11 |
|
Steve Slavery posted:
Thanks I'll give it a try, I just wanted to make sure I wasn't missing a big piece of how to do this. I'm assuming if it's VLAN traffic I should just see the dot1q tag in wireshark.

I'm not sure. I thought that d1q tags only went out on trunk ports. You've got me really curious now so I'm going to have to google this up
|
# ? Jul 14, 2010 21:13 |
|
Steve Slavery posted:
I have a question about setting up SPAN/Port Mirroring. I understand I can do the port mirror with these commands.

Disable TCP/IP on the network interface.
|
# ? Jul 14, 2010 21:14 |
|
Fortunately, Wireshark has a pretty good resource page for VLAN capturing: http://wiki.wireshark.org/CaptureSetup/VLAN You might need to change some registry setting to get your NIC to stop trimming off d1q tags.
|
# ? Jul 14, 2010 21:19 |
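
An added example, not part of any poster's message: a small Python check for the question discussed above, whether 802.1Q tags actually survive into frames captured from a SPAN port. It parses raw Ethernet frame bytes and reports the VLAN ID of each; the sample frames and MAC addresses are constructed for illustration.

```python
import struct
from collections import Counter

TPID_DOT1Q = 0x8100  # IEEE 802.1Q tag
TPID_QINQ = 0x88A8   # IEEE 802.1ad outer (stacked) tag

def parse_vlan_tags(frame: bytes):
    """Return (tags outermost first, inner EtherType) for one Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12  # skip destination and source MAC addresses
    tags = []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in (TPID_DOT1Q, TPID_QINQ):
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        # Tag Control Information, then the EtherType that follows the tag
        tci, next_type = struct.unpack_from("!HH", frame, offset + 2)
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
        ethertype = next_type
    return tags, ethertype

def vlan_summary(frames):
    """Count frames per outermost VLAN ID; frames with no tag count as 'untagged'."""
    counts = Counter()
    for frame in frames:
        tags, _ = parse_vlan_tags(frame)
        counts[tags[0]["vid"] if tags else "untagged"] += 1
    return counts

def _frame(rest: bytes) -> bytes:
    # Constructed addresses: broadcast destination, locally administered source
    return bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001") + rest

# Constructed sample frames (not taken from a real capture)
SAMPLE_FRAMES = [
    _frame(bytes.fromhex("0800") + b"\x45" + bytes(19)),                # untagged IPv4
    _frame(bytes.fromhex("8100" "000a" "0800") + b"\x45" + bytes(19)),  # VLAN 10, IPv4
    _frame(bytes.fromhex("8100" "a014" "0806") + bytes(28)),            # VLAN 20, PCP 5, ARP
]

if __name__ == "__main__":
    for vid, count in vlan_summary(SAMPLE_FRAMES).items():
        print(f"{vid}: {count} frame(s)")
```

If traffic known to be tagged on the wire shows up here only as untagged, the tag was removed somewhere between the mirrored port and the capture file, which is the NIC or driver behaviour the Wireshark wiki page linked above covers.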
|
Richard Noggin posted:
I have a pair of ASA 5505s with an IPSEC tunnel between them. Site A has a Windows NPS (RADIUS) server at 192.168.1.2 that I'd like to authenticate Site B's RA VPN users against. I have RADIUS clients configured in NPS for each of the ASAs. Site A's ASA can authenticate just fine when I do a "test aaa auth...". Site B's comes back with ERROR: Authentication Server not responding: No error

I contacted TAC, and they were able to get this working. Since the request comes from the public IP on Site B, I had to add that to my crypto map ACL (and a mirrored one on the other side). code:
|
# ? Jul 15, 2010 15:15 |
|
I have a couple ASA 5505 questions before I make the call between it and a Sonicwall. TZ 200 or 210. Background. We're redoing our internet connections from a T1 with business cable as a backup (manual failover through a solution I threw together a couple of years back when our T1 died for almost 24 hours.) For cost and changes in how we do things reasons I want to replace the T1 with a 15/5 business cable connection and have a DSL backup. I'm looking for an appliance with firewall and dual WAN interfaces for failover or even better load balancing. If the Cable/ADSL doesn't seem to work I'm going to go to 10 Meg fiber, but considering our usage it doesn't seem like something we really need. As far as internet usage we have 20 office users using web based and apps, as well as building guests using wired and wireless access. We have an Exchange Server and SBS RWW server but those are the only applications that we host which need to be accessed from the outside world. In the small business router thread the ASA 5505 was pretty strongly recommended, but googling around I can't find too much about how the Dual WAN actually works except that it appears to be a licensed feature. For budgeting reasons I'd like to keep whatever solution I buy over $1000CDN (because then it becomes a capital asset and for some reason that all works better with the accounting) and under $1500. I've also budgeted for about 5 hours of consulting on top of the hardware.
|
# ? Jul 15, 2010 21:17 |
|
|
# ? Jul 15, 2010 21:46 |
|
User count for an ASA is actually the arp table entries. Any IP enabled device on the subnet that tries to talk through the ASA will consume a license, including printers.
|
# ? Jul 15, 2010 22:52 |
|
Syano posted:
User count for an ASA is actually the arp table entries. Any IP enabled device on the subnet that tries to talk through the ASA will consume a license, including printers.

I guess this is a moot point anyway since the Security plus seems to be unlimited.
|
# ? Jul 15, 2010 23:04 |
|
bob arctor posted:
Yes, and configuration is pretty easy. It does not do load balancing, however.
|
# ? Jul 16, 2010 13:41 |
|
So, I am back. I tested my tunnel VPN on the GUI and it complained about a NAT issue, I had it fix it by itself and it fixed it for the most part. Now the VPN is showing as up, however when I test it again it complains about the MTU size. I think this is the last hurdle I have.... how do I specify the MTU size in a VPN tunnel? Is that possible?
|
# ? Jul 16, 2010 14:43 |
|
Bardlebee posted:
So, I am back.

On the Cisco end this can be done using: code:
In conjunction the following command is used to handle any possible fragmentation issues: code:
What this does is adjust the frame size before it's encrypted such that it won't breach the 1500 cap when all of the extra encryption headers are tacked on, which will then prevent fragmentation issues.
|
# ? Jul 16, 2010 15:33 |
|
I think that 1476 is for GRE tunnels (20 byte extra IP header and a 4 byte GRE header.) If you're using IPSec it gets a little more complicated due to the different options.

edit: you're using IPSec ESP, so subtract another 40 bytes for 1436.

edit: oh boy let me look this up real quick it has been a couple of months

edit: welp try ip mtu 1400 on the tunnel0 interface (your GRE tunnel) and that should cover any IPSec ESP configurations. What type of WAN interface are you on again?

thiscommercialsucks fucked around with this message at 17:00 on Jul 16, 2010 |
# ? Jul 16, 2010 16:16 |
|
Does anyone know of any good documentation for tclsh or just tcl in general? I want to make some simple scripts just to play around with it, but it's almost impossible to find any examples or command documentation. The feature seems extremely powerful, but I've no idea how to use it.
|
# ? Jul 20, 2010 15:13 |
|
Powercrazy posted:
Does anyone know of any good documentation for tclsh or just tcl in general?

He makes it sound like this book is a good starting point if you're new to tcl.
|
# ? Jul 20, 2010 17:23 |
|
You planning on running tcl scripts on a router or on some unix box? I know how to do about this much tcl on a router: code:
|
# ? Jul 20, 2010 20:31 |
|
It'll be a router, but I'm just trying to figure out the syntax. Also is there a way I can make and save scripts on the router, or would I need to make them in a unix environment and then transfer them over to the router?
|
# ? Jul 20, 2010 20:37 |
|
I actually have no idea if there's a way to store them in a router config or on flash or whatever. My scripts are so minimalist that I write them in notepad and paste them into the command line when I need to run them. For scripts that I have running against routers on a regular basis I keep them on a unix box and run them with cron. But I use expect for that. Well...rather I use autoexpect to record my command line interactions with a router and then clumsily edit the resulting expect script.
|
# ? Jul 20, 2010 20:53 |
|
You are not alone in your ignorance. Apparently no one on the internet except one guy whose blog alludes to all the cool stuff you can do in TCL even knows it exists. Even the Cisco documentation expects you to be familiar with writing and running your own TCL programs.
|
# ? Jul 20, 2010 20:57 |
|
http://blog.ine.com/tag/tcl/ It looks like you can store them as a macro (toward the bottom of the article).
|
# ? Jul 20, 2010 21:12 |
|
I have a pile of GBIC adapters for our Fiber.

TRENDnet TEG-MGBSX
Finisar FTRJ8524P2BNV
Cisco GLC-SX-MM
3Com 3CSFP91

The TRENDnet and Finisar work fine in our Qlogic SANbox fiber switch, but none of them work in a Cisco 2960 I am setting up. We have over a dozen other Cisco 2960s in production, all with fiber connections. My plan was to unplug the fiber connection on each to write down the model numbers on each GBIC that are currently functional. I've read that some Cisco GBIC adapters only work on Cisco, 3Com only on 3Com, etc. I didn't handle the initial purchases of any of our existing equipment, so I don't know what parts were ordered. Aren't these things "standard"?

Edit, our Cisco guru said the "Cisco GLC-SX-MM" is what we should use for our Cisco 2960s. No lights come on when I plug it into our 2960, and a blinking "error" light is what flashes on our Qlogic fiber switch. It would suck if a $300 part is bad. If our other switches all have the Cisco GLC-SX-MM, then I will just order a new one I guess.

Xenomorph fucked around with this message at 15:41 on Jul 21, 2010 |
# ? Jul 21, 2010 15:35 |
|
I think I am pretty close to getting this VPN up and running. I can actually ping the other network, however I keep getting the same error every minute or so on my router:

*Jul 21 12:40:39.510: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=222.222.222.222, prot=50, spi=0xB279DC52(2994330706), srcaddr=444.444.444.444

I think it may be one of my other VPNs because it does not match the outside address that is coming from the VPN I am trying to set up, so I think I can ignore this message until I actually set that VPN up. However I still get the MTU message when setting up the VPN from Cisco SDM, here is a maybe-not-so-helpful image of my error:

I did the crypto command under fa0, however I still get the message when testing the VPN. I don't know if I should be worried about this or not.
|
# ? Jul 21, 2010 16:17 |
|
You can try:

service unsupported-transceiver

Note that this disables DOM (may or may not be an issue for you). There are a few good threads on optics on C-NSP/NANOG. The gist being the Cisco optics are manufactured by the same few companies and then just have Cisco serial numbers applied in the firmware. You can get non-Cisco optics for a tenth the price on memorydealers.com
|
# ? Jul 21, 2010 18:31 |
|
bob arctor posted:
I have a couple ASA 5505 questions before I make the call between it and a Sonicwall. TZ 200 or 210.

Dual WAN doesn't support load balancing. If your primary gateway drops off the face of the 'net then ASA will use your second connection. Depends, there is a host license limit for connections through the box. SSL and IPSEC nodes are also licensed separately. Make sure you get a new one that ships with extra RAM (required for 8.3+).
|
# ? Jul 21, 2010 19:49 |
|
tortilla_chip posted:
You can try:

Are you talking Optics as in fiber? Because we use nothing of the sort.
|
# ? Jul 21, 2010 20:33 |
|
Bardlebee posted:
Are you talking Optics as in fiber? Because we use nothing of the sort.

He's referencing the post above yours. On a side note Cisco TAC will get upset and it's about 50/50 whether they refuse to carry on with a TAC case if a 'sh tech' displays unsupported optics are installed in the system. Just forewarning.
|
# ? Jul 21, 2010 20:58 |
|
This is about all I see for TCL docs:
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_script_tcl_ps10591_TSD_Products_Configuration_Guide_Chapter.html
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_eem_policy_tcl_ps10591_TSD_Products_Configuration_Guide_Chapter.html
|
# ? Jul 21, 2010 21:42 |
|
Xenomorph posted:
Edit, our Cisco guru said the "Cisco GLC-SX-MM" is what we should use for our Cisco 2960s. No lights come on when I plug it into our 2960

It won't light up unless it is on and linked on anything I've used, unless you're staring into it to see if it "lights up". show inventory from the CLI should show it present as a pluggable in the system if it sees it there. This is also assuming that you know it works, we've had several with no light output but never right out of the box. ex:

switch>sh inv
NAME: "1", DESCR: "WS-C3750G-48PS"
PID: WS-C3750G-48PS-S , VID: V05 , SN: FOCSHIT
NAME: "GigabitEthernet1/0/49", DESCR: "1000BaseSX SFP"
PID: , VID: , SN: H11CASH

The 'unsupported' option sounds neat but, for the TAC reason mentioned above, we haven't yet done that, until we get into a good position with our deployment where we won't want to call TAC for issues they would case. Loving this new software though, can't see the log buffer unless enabled (?) ...

Partycat fucked around with this message at 22:01 on Jul 21, 2010 |
# ? Jul 21, 2010 21:59 |
|
Anyone have any ideas on how to make the DHCP server on my 871W respond faster? I tried reducing ip dhcp ping packets and timeout to really low values. Whenever I plug in a network cable, Windows sits at Acquiring IP address for so long it actually times out and assigns an automatic private IP, then the DHCP IP is assigned about 5 seconds later. I'm guessing the DHCP server is waiting for an authoritative DHCP server to respond first, is there any way I can tell it that it's the authoritative server?
|
# ? Jul 22, 2010 00:27 |