underlig
Sep 13, 2007

Xenomorph posted:

I apologize for this being vague. I am working with someone else on this, and I don't see everything they are seeing. They were unable to add an interface via command line, so I was trying to do it via ASDM.

Using ASDM, 6.4(3): Configuration -> Device Setup -> Interface.
When I try to add another interface to our ASA 5550, ASA 8.2(5)2, I get this error:

"You cannot have more than 3 named VLANs in your system."

Well, we already have *5* named VLANs that are working just fine. I just want a few more (four, actually). My co-worker is getting an error on the command line as well (I didn't get to see it).
Anyone have any idea where we can start looking for a cause of this possible artificial error?
I am so not qualified to answer, but on my ASA 5505 the base license restricts the number of VLANs, could your license have expired?
Wouldn't be the first time I've had something do this..
**edit
Don't know what differs between 5505 and 5550, also do not know anything about VLANs and what a named VLAN is. Just wanted to suggest something.


Nitr0
Aug 17, 2005

IT'S FREE REAL ESTATE

Xenomorph posted:

I apologize for this being vague. I am working with someone else on this, and I don't see everything they are seeing. They were unable to add an interface via command line, so I was trying to do it via ASDM.

Using ASDM, 6.4(3): Configuration -> Device Setup -> Interface.
When I try to add another interface to our ASA 5550, ASA 8.2(5)2, I get this error:

"You cannot have more than 3 named VLANs in your system."

Well, we already have *5* named VLANs that are working just fine. I just want a few more (four, actually). My co-worker is getting an error on the command line as well (I didn't get to see it).
Anyone have any idea where we can start looking for a cause of this possible artificial error?

do a sh ver and find these lines.

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual

bort
Mar 13, 2003

jwh posted:

Is it true, in this year of our Lord, 2012, that you cannot drop a shell session directly into priv 15 on an ASA?
It looks like you're trying to use ASDM. Would you like help?
  • Launch ASDM
  • Grit your teeth and type "enable" like a plebe.
[ ] Don't show this tip again

1000101
May 14, 2003

BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY FRUITCAKE!

Martytoof posted:

Hey, speaking of the Nexus, can you game the system and install multiple 60 day trials after they expire? I want to pick up some experience but there's no way I can do it in 60 days since I'm all over the place right now.

You can actually! Just keep redoing the install from scratch and yeah it'll keep regenerating demo licenses. Don't recall needing to flatten vcenter or the esxi hosts. Pretty sure you don't have to.

Xenomorph
Jun 13, 2001

Nitr0 posted:

do a sh ver and find these lines.

Licensed features for this platform:

It tells me "Licensed features for this user context:".

We figured it out:

* I could not add interfaces because my access level doesn't permit that (it's a shared firewall that I do not own).
* The other user (who does have access) wasn't typing the command right.
* The "You cannot have more than 3 named VLANs in your system." error only happens in ASDM (possible bug?). I could set VLAN names (unlimited) just fine from the command line.

Sir Sidney Poitier
Aug 14, 2006

My favourite actor


This is not a Cisco question, but this seems to be the only enterprise networking thread.

We use rancid to back up the config of our backbone devices (all Cisco) and it works very well. We now need something to back up the config of our edge switches but I'm told that it doesn't work with Dell or HP (how about Brocade?).

Does anyone know of a solution for backing up the config of Dell/HP/Brocade devices?

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
RANCID backs up all sorts of things. I'm pretty sure those are all supported. Check out 'hrancid' and 'brancid'.

Edit: brancid is baynet. francid is brocade (foundry). srancid is dell (SMC). http://www.shrubbery.net/rancid/CHANGES

falz fucked around with this message at 13:50 on Aug 16, 2012

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

Anjow posted:

This is not a Cisco question, but this seems to be the only enterprise networking thread.

We use rancid to back up the config of our backbone devices (all Cisco) and it works very well. We now need something to back up the config of our edge switches but I'm told that it doesn't work with Dell or HP (how about Brocade?).

Does anyone know of a solution for backing up the config of Dell/HP/Brocade devices?

The rancid site will have scripts for most network devices, as users have created them.

some kinda jackal
Feb 25, 2003


1000101 posted:

You can actually! Just keep redoing the install from scratch and yeah it'll keep regenerating demo licenses. Don't recall needing to flatten vcenter or the esxi hosts. Pretty sure you don't have to.

Thank Christ for that.

Thanks! I'll probably end up doing that at some point soon then.

KS
Jun 10, 2003
Outrageous Lumpwad
I am looking at the QOS config on an MPLS router and I've never been more confused. I had a few questions:

1. When bandwidth percentages are used, what happens to traffic that doesn't fall into any of those access groups?

2. The DSCP tags come from a VOIP phone system. How do these two policies interact with each other given that one is applied to the interface facing the core and the other applied to the DS3 serial interface?

3. Is this as broken as I suspect it is? My replication traffic is falling behind while the circuit sits at 40% util, and I suspect this may be why. It comes from a subnet not covered in the policy.

There are Riverbed Steelheads between the core and this router, if it matters. The circuit is 45mbit on both sides with a ~65ms latency.


code:
class-map match-any P1
 match access-group 150
class-map match-any P2
 match access-group 140
class-map match-any P3
 match access-group 130
 match access-group 120
class-map match-any P4
 match access-group 110

class-map match-all P1_Out
 match ip dscp cs5  ef
 match  precedence 5
class-map match-all P3_Out
 match ip dscp cs2  af21  af22  af23  cs3  af31  af32  af33
 match  precedence 2  3
class-map match-all P2_Out
 match ip dscp cs4  af41  af42  af43
 match  precedence 4  6  7
class-map match-all P4_Out
 match ip dscp af11  af12  af13
 match  precedence 0  1
!
!
policy-map Output_QoS
 class P1_Out
    priority percent 40
 class P2_Out
    bandwidth percent 20
 class P3_Out
    bandwidth percent 20
 class P4_Out
    bandwidth percent 10
policy-map DSCP_Marking
 class P1
  set dscp ef
 class P2
  set dscp af41
 class P3
  set dscp af31
 class P4
  set dscp af11
!


access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.168.3.0 0.0.0.255 any
access-list 110 permit ip 192.168.4.0 0.0.0.255 any
access-list 110 permit ip 192.168.6.0 0.0.0.255 any
access-list 120 permit ip 192.168.5.0 0.0.0.255 any
access-list 120 permit ip host 192.168.1.194 any
access-list 130 permit ip 192.168.0.0 0.0.0.255 any
access-list 130 permit ip 192.168.2.0 0.0.0.255 any
access-list 140 permit ip host 192.168.1.25 any
access-list 140 permit ip host 192.168.1.18 any
access-list 140 permit ip host 192.168.1.28 any
access-list 140 permit ip host 192.168.1.24 any
access-list 140 permit ip host 192.168.1.22 any
access-list 150 permit ip 192.168.7.0 0.0.0.255 any


interface GigabitEthernet0/1
 description To Core
 ip address 192.168.0.10 255.255.255.0
 ip flow ingress
 duplex full
 speed auto
 media-type rj45
 no negotiation auto
 service-policy input DSCP_Marking


interface Serial1/0
 description DS3
 bandwidth 45000
 ip address mpl.sip.add.ress 255.255.255.252
 ip flow egress
 dsu bandwidth 44210
 framing c-bit
 cablelength 150
 serial restart-delay 0
 service-policy output Output_QoS

KS fucked around with this message at 17:04 on Aug 16, 2012

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k

KS posted:

I am looking at the QOS config on an MPLS router and I've never been more confused. I had a few questions:

1. When bandwidth percentages are used, what happens to traffic that doesn't fall into any of those access groups? First in, first out. It gets treated like a normal packet. Edit: Usually there will be a "default class" for untagged traffic where you can explicitly set tags and bandwidth allotments, but you don't have it configured.

2. The DSCP tags come from a VOIP phone system. How do these two policies interact with each other given that one is applied to the interface facing the core and the other applied to the DS3 serial interface? Packets destined for the MPLS match whatever priority bit they have set and are placed into their QoS bandwidth allotment; incoming, the priority bit is set based on the access-list, so for example any traffic from MPLS matching ACL 150 will be tagged with an ef bit.

3. Is this as broken as I suspect it is? My replication traffic is falling behind while the circuit sits at 40% util, and I suspect this may be why. It comes from a subnet not covered in the policy. See above, FIFO.


Your MPLS config is usually done if you don't have CAR with your MPLS provider; CAR lets you just send tagged priority traffic to them and they won't strip it out.

Sepist fucked around with this message at 17:34 on Aug 16, 2012

jwh
Jun 12, 2002

What network is your replication traffic coming from? Source IP?

Those configs don't look too bad, although I would expect a "max-reserved-bandwidth 100" on ser1/0, based on the way that policy-map is built.

Really the only thing I would improve upon would be to use GTS in an embedded policy for shaping, but that's more an academic point than anything else.

KS
Jun 10, 2003
Outrageous Lumpwad

jwh posted:

What network is your replication traffic coming from? Source IP?

172.31.0.0/24 and 172.31.8.0/24

Thanks for the check up. I know the four priority queues are shared with our MPLS provider (Qwest/Centurylink). I will have to get the details.
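Added example (not code from any poster): a small Python model of KS's two policy-maps, walking a packet from the core-facing Gi0/1 (DSCP_Marking) to the DS3 (Output_QoS). It shows where the replication subnets KS names (172.31.0.0/24, 172.31.8.0/24) land: no ACL covers them, so they fall into class-default on both sides, which is the FIFO behaviour Sepist describes. Assumptions: class-default on the ingress policy does no marking (unmatched packets keep their own DSCP), and the ACLs contain only the permit entries shown.

```python
import ipaddress

# DSCP code points named in the posted class-maps (standard RFC 2474/2597/3246 values)
DSCP = {"cs2": 16, "cs3": 24, "cs4": 32, "cs5": 40, "ef": 46,
        "af11": 10, "af12": 12, "af13": 14, "af21": 18, "af22": 20, "af23": 22,
        "af31": 26, "af32": 28, "af33": 30, "af41": 34, "af42": 36, "af43": 38}

# access-lists 110-150 from the post; every entry is "permit ip <src> any",
# so only the source prefix matters (wildcard masks rewritten as CIDR)
ACLS = {
    110: ["192.168.1.0/24", "192.168.3.0/24", "192.168.4.0/24", "192.168.6.0/24"],
    120: ["192.168.5.0/24", "192.168.1.194/32"],
    130: ["192.168.0.0/24", "192.168.2.0/24"],
    140: ["192.168.1.25/32", "192.168.1.18/32", "192.168.1.28/32",
          "192.168.1.24/32", "192.168.1.22/32"],
    150: ["192.168.7.0/24"],
}

# policy-map DSCP_Marking (input on Gi0/1), in configured class order:
# (class, access-groups matched with match-any, DSCP the class sets)
DSCP_MARKING = [("P1", [150], "ef"), ("P2", [140], "af41"),
                ("P3", [130, 120], "af31"), ("P4", [110], "af11")]

# policy-map Output_QoS (output on Serial1/0): the class-maps are match-all,
# so the DSCP must be in the list AND the IP precedence (top 3 bits) in the list
OUTPUT_QOS = [
    ("P1_Out", ["cs5", "ef"], [5], "priority percent 40"),
    ("P2_Out", ["cs4", "af41", "af42", "af43"], [4, 6, 7], "bandwidth percent 20"),
    ("P3_Out", ["cs2", "af21", "af22", "af23", "cs3", "af31", "af32", "af33"],
     [2, 3], "bandwidth percent 20"),
    ("P4_Out", ["af11", "af12", "af13"], [0, 1], "bandwidth percent 10"),
]


def acl_permits(number, src):
    """True if any entry of the numbered ACL permits this source address."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(net) for net in ACLS[number])


def ingress_mark(src, dscp):
    """First class whose ACLs permit the source sets the DSCP.  Assumption:
    class-default has no 'set', so unmatched packets keep the DSCP they arrived with."""
    for cls, groups, mark in DSCP_MARKING:
        if any(acl_permits(g, src) for g in groups):
            return cls, DSCP[mark]
    return "class-default", dscp


def egress_queue(dscp):
    """Pick the Output_QoS class (and its queue action) for a marked packet."""
    for cls, dscps, precs, action in OUTPUT_QOS:
        if dscp in {DSCP[d] for d in dscps} and (dscp >> 3) in precs:
            return cls, action
    return "class-default", "no guarantee (FIFO with all other unmatched traffic)"


def classify(src, dscp=0):
    """Follow one packet from the core-facing interface out to the DS3."""
    in_cls, marked = ingress_mark(src, dscp)
    out_cls, action = egress_queue(marked)
    return {"ingress": in_cls, "dscp": marked, "egress": out_cls, "action": action}


if __name__ == "__main__":
    # constructed sample packets: a P1 source, a host that hits ACL 120 before 110,
    # an unmarked replication packet, and a phone-marked (ef) packet from 172.31.8.0/24
    for src, dscp in [("192.168.7.5", 0), ("192.168.1.194", 0),
                      ("172.31.0.9", 0), ("172.31.8.20", DSCP["ef"])]:
        print(src, classify(src, dscp))
```

The last sample packet is the interesting one: a packet already marked ef by the phone system keeps its mark through class-default on ingress and still lands in the priority queue, while the unmarked replication traffic from 172.31.0.0/24 gets no reservation at all.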

Harry Totterbottom
Dec 19, 2008
Any recommendations to blocking out traffic from China on an ASA other than just creating an object group with over 2000+ lines in it? The data center provider won't do it on their end because we're on a shared core switch, so my first device in line would be my ASA pair.

inignot
Sep 1, 2003

WWBCD?
Look through the APNIC allocations, I'm sure it will be less than 2000 lines.

However, what is it you are trying to accomplish? There's plenty of run of the mill virus / scanning crap that comes out of China. But if you're trying to block a Chinese APT group, dropping Chinese IP space is of no help. Those groups have virtualized their attack machines and they move them around between various hosted providers all over the world all the time.

Harry Totterbottom
Dec 19, 2008

inignot posted:

Look through the APNIC allocations, I'm sure it will be less than 2000 lines.

However, what is it you are trying to accomplish? There's plenty of run of the mill virus / scanning crap that comes out of China. But if you're trying to block a Chinese APT group, dropping Chinese IP space is of no help. Those groups have virtualized their attack machines and they move them around between various hosted providers all over the world all the time.

Every 3-4 months we get hit with a DDOS batch, most of it resolves either to China or Russia. I've tossed some stuff into our htaccess files to stop it at the server, but I'd like to just reject it outright so I don't get panicked calls when I'm eating dinner that our website is down (when no one really goes to it anyway). I know it's sort of the whack-a-mole game, but knocking out some of the connections would mean I have to stop giving extra resources to a VM that doesn't need them except for these sporadic events.

And it's not under 2000 lines once you toss in a few other choice countries that we don't have or need a presence in.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
The DDoS is using http?

Harry Totterbottom
Dec 19, 2008

falz posted:

The DDoS is using http?

I'm seeing lots of foreign IPs hitting pages in rapid succession. So it might just be a bot farm going to town looking for vulnerabilities. Putting the blocks in the access file though has at least dropped the number of active connections that the server was dealing with during the peak of traffic.

ruro
Apr 30, 2003

Harry Totterbottom posted:

And it's not under 2000 lines once you toss in a few other choice countries that we don't have or need a presence in.
My China drop list has 1400 entries. Another alternative is to whitelist, say, US addresses and block everything else if your customers are all in the US?
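Added example (not from any poster) for the ASA approach discussed by Harry Totterbottom, inignot and ruro: take a list of allocation prefixes, collapse adjacent and nested ones so the object-group carries fewer lines, and emit either a deny rule for the group or ruro's inverse, a permit-only allowlist. The prefixes are constructed RFC 5737 documentation ranges, not real APNIC data; the group and ACL names are placeholders.

```python
import ipaddress

# Constructed sample allocations (documentation ranges, not real APNIC data).
# Two /25s that pair into a /24, a /25 nested inside its own /24, and a lone /24.
SAMPLE_ALLOCATIONS = ["203.0.113.0/25", "203.0.113.128/25", "198.51.100.0/24",
                      "198.51.100.0/25", "192.0.2.0/24"]


def collapse(prefixes):
    """Merge adjacent and overlapping prefixes so the object-group gets fewer lines."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def covers(nets, addr):
    """Sanity check after collapsing: the address is still inside the set."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def object_group(name, nets):
    """ASA 'object-group network' lines.  ASA takes a subnet mask here,
    not the IOS-style wildcard mask, and single hosts use the 'host' keyword."""
    lines = [f"object-group network {name}"]
    for n in nets:
        if n.prefixlen == 32:
            lines.append(f" network-object host {n.network_address}")
        else:
            lines.append(f" network-object {n.network_address} {n.netmask}")
    return lines


def acl_lines(acl, group, allowlist=False):
    """Block list: one deny for the group, placed ahead of the existing rules.
    Allow list (ruro's alternative): permit only the group, then deny the rest.
    Either ACL still has to be bound with 'access-group <acl> in interface outside'."""
    if allowlist:
        return [f"access-list {acl} extended permit ip object-group {group} any",
                f"access-list {acl} extended deny ip any any"]
    return [f"access-list {acl} extended deny ip object-group {group} any"]


def build_config(prefixes, group="GEO_BLOCK", acl="outside_in", allowlist=False):
    """Collapse the prefixes and return the object-group plus ACL lines."""
    nets = collapse(prefixes)
    return object_group(group, nets) + acl_lines(acl, group, allowlist)


if __name__ == "__main__":
    print("\n".join(build_config(SAMPLE_ALLOCATIONS)))
    print("entries before/after collapse:",
          len(SAMPLE_ALLOCATIONS), len(collapse(SAMPLE_ALLOCATIONS)))
```

Run `covers()` over a few addresses from the original list after collapsing; if any come back False the input had a malformed prefix and the block list has a hole.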

nzspambot
Mar 26, 2010

buffers, buffers buffers

Seems my colleagues at my old/new job thought a 3750-X stack would be a-ok for an EMC iSCSI (10Gb).

Seems not (not surprised at all)

I've tuned the buffers etc but now it's time to look at new switches

I know ideally it would be a 4948 or a N5K but I don't know if budget will stretch.

Any other alternatives? I thought brocade had a switch with 240+mb of buffers but cannot figure out which one it was. Dell have a nice one but at 31K might be a bit high.

Suggestions?


And I wasted a couple of hours troubleshooting an issue then looked at the docs and found that that vlan was never going to work for testing :sigh:

Nitr0
Aug 17, 2005

IT'S FREE REAL ESTATE
What is your budget? Typically I would recommend a pair of 5010's. You can get them a lot cheaper than MSRP but you gotta work at it.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer
We got our pair of n5k switches for around $35k.

ate shit on live tv
Feb 15, 2004

by Azathoth

nzspambot posted:

buffers, buffers buffers

Seems my colleagues at my old/new job thought a 3750-X stack would be a-ok for an EMC iSCSI (10Gb).

Seems not (not surprised at all)

I've tuned the buffers etc but now it's time to look at new switches

I know ideally it would be a 4948 or a N5K but I don't know if budget will stretch.

Any other alternatives? I thought brocade had a switch with 240+mb of buffers but cannot figure out which one it was. Dell have a nice one but at 31K might be a bit high.

Suggestions?


And I wasted a couple of hours troubleshooting an issue then looked at the docs and found that that vlan was never going to work for testing :sigh:

Nexus and 4900E's aren't super pricy, if you can't afford those, then I'm not really sure what you will be able to afford.

nzspambot
Mar 26, 2010

Powercrazy posted:

Nexus and 4900E's aren't super pricy, if you can't afford those, then I'm not really sure what you will be able to afford.

Well, a small company located in the South Pacific tends not to get the best price on gear. Not to mention that the budget for the project won't cover this since it was spec'd wrong, so the cost will fall onto us.

Which is why I'm interested in things which aren't Cisco since we're between a rock and a hard place.

And it may be the case that it will be cheaper if we just change the EMC SPs to 1Gb down from 10Gb since the DR SAN has only 1Gb and performs better than the Prod SAN

edit: For example a 4948 10Gb switch is our buy 13.5K + tax NZD

Add some optics and times by 2 will be up-towards 30K NZD before any special pricing.

nzspambot fucked around with this message at 02:22 on Aug 20, 2012

jwh
Jun 12, 2002

Switch from iscsi to nfs? :smug:

nzspambot
Mar 26, 2010

An option; I wonder how much EMC will want for a licence.

Ninja Rope
Oct 22, 2005

Wee.
I'm sure jwh is being somewhat sarcastic, but the security and file access semantics are very different between nfs and iscsi. Just so you're aware. :)

nzspambot
Mar 26, 2010

Ninja Rope posted:

I'm sure jwh is being somewhat sarcastic, but the security and file access semantics are very different between nfs and iscsi. Just so you're aware. :)

Yeah I know, it was an option I was thinking about anyway but it doesn't sort out the overall issue of the switch not performing.

taishi28012
Aug 9, 2007
Would the 1751 be a good choice for a CCNA Lab? I can get a few of them for cheap if so.

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE
Anyone have a favorite 208VAC to -48VDC rectifier? Wanted to get the one Eaton sells but apparently they are on a slow boat from China and won't be here until after I need them up and running.

Only need like ~900W

Harry Totterbottom
Dec 19, 2008

taishi28012 posted:

Would the 1751 be a good choice for a CCNA Lab? I can get a few of them for cheap if so.

If it's got IOS it's good for the CCNA lab. If you can get your hands on Packet Tracer then that's even better.

ragzilla
Sep 9, 2005
don't ask me, i only work here


FatCow posted:

Anyone have a favorite 208VAC to -48VDC rectifier? Wanted to get the one Eaton sells but apparently they are on a slow boat from China and won't be here until after I need them up and running.

Only need like ~900W

We have a couple of (now GE Energy I think) Lineage units we quite like. CPS/SPS are small 1U shelves which are perfect for single device POPs.

ragzilla fucked around with this message at 01:46 on Aug 23, 2012

Mierdaan
Sep 14, 2004

Pillbug
This is the Cisco thread, but probably still the best thread for this question: What's the general opinion of Force10 products for SMB switching? We've got a network of mostly 2950/2960/3560 Cisco gear, and a new VAR that we're talking to is trying to sell us on Force10 gear since they're married to Dell.

Langolas
Feb 12, 2011

My mustache makes me sexy, not the hat

Mierdaan posted:

This is the Cisco thread, but probably still the best thread for this question: What's the general opinion of Force10 products for SMB switching? We've got a network of mostly 2950/2960/3560 Cisco gear, and a new VAR that we're talking to is trying to sell us on Force10 gear since they're married to Dell.

I'd take my 2950's from my cisco lab over the Force10 gear I've had the displeasure of using. Your mileage may vary but I'm not a fan of force10 gear personally. Get some demo units out of them and try em out!

bort
Mar 13, 2003

Mierdaan posted:

This is the Cisco thread, but probably still the best thread for this question: What's the general opinion of Force10 products for SMB switching? We've got a network of mostly 2950/2960/3560 Cisco gear, and a new VAR that we're talking to is trying to sell us on Force10 gear since they're married to Dell.
I have a lot of experience with Force10, having converted almost all of my Cisco switching to Force10. The S50s/S55s are terrific switches and are cheaper and will at least give you comparable performance. Force10 will claim they're faster and wire speed and whatnot, but I don't know what kind of deployment you'd be needing wire speed out of copper 1GB switching anymore. I personally think they'll rock the three switches you have listed there and at least keep pace with any 3750 gear. If you're interested in info about their higher end gear, the S4810s loving rule, and the C series chassis have some very nice features for a dense wiring closet.

They're IOSsy enough that there is very little transition, but have a few key changes that take a little getting used to. For example, port channel configuration varies whether you're doing LACP or not. You put your allowed VLANs in the VLAN interface configuration instead of on the trunk interface. One small change that rocks that IOS doesn't have: if you're in an interface or other sub-configuration, show config does the equivalent of do show run int <current interface>. Stacking configuration is a little strange, if you do that -- you have to be careful how you set priorities to make sure master behavior is consistent.

Major drawbacks: Documentation. I pine for a Cisco-style configuration guide, where the tasks are laid out in approximate order of how you perform them. Force10's docs are laid out alphabetically, so you have to know exactly where you're going and they won't help you if you forget a step. You may run into undocumented weirdness if you push your switching beyond normal edge switching applications.

Another one is if you use Cisco-based protocols: VTP, having to change from CDP to LLDP, and routing issues if you move into the layer 3 space. I love EIGRP so much and it sucks to have to leave it behind.

Sales idiosyncrasies: they will give you lead times that will make you blow your stack and then deliver much more quickly than anticipated. I think they got a lot of business when Cisco was having delivery problems and so try to wow customers by beating their advertised lead times. The other thing that's not a good sign: a lot of the old guard who started with Force10 are starting to leave now that they're Dell.

Nothing wrong with the hardware, just make them deeply discount anything. You are changing something pretty significant when you buy non-Cisco. Make them woo you.

Mierdaan
Sep 14, 2004

Pillbug
Thanks man, that's the kinda stuff I was looking for.

bort
Mar 13, 2003

I'm posting too many negatives for how happy I am with the Force10 equipment, but I run into this every friggin' day and it makes me type things twice:

IOS:
show run | inc Vlan
show run | begin net0/1

FTOS:
show run | grep Vlan
show run | find net0/1

edit: funny stuff that really doesn't matter: when they got bought out, there was an FTOS update for most of the S series that pretty much did nothing but change "Force10" to "Dell" everywhere in your configs. And now that I've changed all my closet/data centers from Cisco blue to Force10 gray, new chassis that get delivered are Dell black!
:arghfist::mad:

bort fucked around with this message at 03:06 on Aug 24, 2012

Langolas
Feb 12, 2011

My mustache makes me sexy, not the hat

bort posted:

I have a lot of experience with Force10, having converted almost all of my Cisco switching to Force10. The S50s/S55s are terrific switches and are cheaper and will at least give you comparable performance. Force10 will claim they're faster and wire speed and whatnot, but I don't know what kind of deployment you'd be needing wire speed out of copper 1GB switching anymore. I personally think they'll rock the three switches you have listed there and at least keep pace with any 3750 gear. If you're interested in info about their higher end gear, the S4810s loving rule, and the C series chassis have some very nice features for a dense wiring closet.

They're IOSsy enough that there is very little transition, but have a few key changes that take a little getting used to. For example, port channel configuration varies whether you're doing LACP or not. You put your allowed VLANs in the VLAN interface configuration instead of on the trunk interface. One small change that rocks that IOS doesn't have: if you're in an interface or other sub-configuration, show config does the equivalent of do show run int <current interface>. Stacking configuration is a little strange, if you do that -- you have to be careful how you set priorities to make sure master behavior is consistent.

Major drawbacks: Documentation. I pine for a Cisco-style configuration guide, where the tasks are laid out in approximate order of how you perform them. Force10's docs are laid out alphabetically, so you have to know exactly where you're going and they won't help you if you forget a step. You may run into undocumented weirdness if you push your switching beyond normal edge switching applications.

Another one is if you use Cisco-based protocols: VTP, having to change from CDP to LLDP, and routing issues if you move into the layer 3 space. I love EIGRP so much and it sucks to have to leave it behind.

Sales idiosyncrasies: they will give you lead times that will make you blow your stack and then deliver much more quickly than anticipated. I think they got a lot of business when Cisco was having delivery problems and so try to wow customers by beating their advertised lead times. The other thing that's not a good sign: a lot of the old guard who started with Force10 are starting to leave now that they're Dell.

Nothing wrong with the hardware, just make them deeply discount anything. You are changing something pretty significant when you buy non-Cisco. Make them woo you.

Looks like you did have a very different experience than I did, but that's why I told the poster asking about them to get some demo units from the sales guy. Asking about things is nice but everyone needs to get their hands on some units to see how they work for them. It never hurts to take a peek into other vendors' technologies because you may find something that will work better for your situation... And cost less, which always is a plus

Tasty Wheat
Jul 18, 2012

taishi28012 posted:

Would the 1751 be a good choice for a CCNA Lab? I can get a few of them for cheap if so.

My portable lab (forward deployed, the really nice stuff is back at the house) is a stack of 5 1721s, 1 AS2511-RJ, 1 2523 and a teltone ILS-2000 (they're really cheap these days, and ISDN is not testable these days, but I already owned it). Throw in some WICs with cables (I use switches from work, you will need to get two), and you have a cheap kit that should cover your blueprint.


Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR
Is 802.1x fairly straight forward?

Turn it on globally, already have AAA and Radius servers defined and working with SSH logins (we're even doing AAA login groups and the like on certain devices). I'll need to "add aaa authentication dot1x default group radius".

Turn it on on the interfaces, have it set port control to auto, etc?

Are there any changes I need to make on a Radius server or for an eventual NAC server?

Anything I need to do with VLANs?
