Sojourner
Jun 6, 2007

Get In
I'm driving myself insane trying to configure DHCP snooping on my 2960

I enable DHCP snooping on VLAN 10 (testing VLAN) and I set the trunk port as trusted, testing port as untrusted. I've got another PC on that VLAN/switch listening with Wireshark. The discover packet isn't making it to the DHCP server (it doesn't get a response) nor is it making it to my other PC. Is it because my DHCP server is behind a router?

Sojourner
Jun 6, 2007

Get In

routenull0 posted:

Routers do not by default forward what type of packets?

A DHCP discovery is what type of packet?

(Hint: you'll want to use iphelper command to help the packet along to your DHCP server.)

When DHCP snooping is not enabled, it can get an address. The trusted port is the gig trunk.

I actually mistyped my earlier post, it's a 2950 that's giving me a problem. The funny thing is I do have it working on a 2960 in my test environment, but the same thing being applied to the 2950 just causes no DHCP packets to be forwarded past the switchport.

My config for the 2960 and 2950 both are:

All Switch ports untrusted, rate limited to 60 pps
Trunk port trusted (no limit set)
Option 82 enabled/disabled (tried both)

Any thoughts? (sitting beside 2950 currently, console cable in hand)

Sojourner
Jun 6, 2007

Get In
Beyond a routed interface, behind the trunk. But so is the 2960 and that works. It is a mystery.

*edit*

Maybe if I included what I'm trying to do someone could point out other solutions. A few months ago we were attacked by a virus that made each infected PC a rogue DHCP server and it was causing some network problems, obviously. We were looking to stop that at the edge switches, and DHCP snooping seems to be the way to do it. If anyone knows of a better way, I'm open to suggestions.

Sojourner fucked around with this message at 15:10 on May 8, 2009

Sojourner
Jun 6, 2007

Get In

routenull0 posted:

iphelper has to be configured on that routed interface then. That would explain why it is working without DHCP snooping enabled.

A helper address is set, still nothing :(.

*edit* Problem has been solved, id1ot error. Option 82 is implicitly enabled unless otherwise disabled, and it was causing forwarded packets to go off to neverland, and never return. Thank you cisco debug processes :D

Sojourner fucked around with this message at 17:02 on May 8, 2009
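
An added example, not code from the thread: a Python model of the failure the edit above describes. A switch doing DHCP snooping inserts option 82 into the client's DHCPDISCOVER but leaves giaddr at 0.0.0.0, and a router acting as relay keeps its default check that such a packet is untrusted and drops it, so the discover never reaches the server. Either `no ip dhcp snooping information option` on the switch or `ip dhcp relay information trust-all` on the relay lets it through; the DHCP framing, the sub-option values and the function names here are constructed for the example.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
DHCPDISCOVER = 1
GIADDR_OFFSET = 24  # op,htype,hlen,hops (4) + xid (4) + secs,flags (4) + ciaddr,yiaddr,siaddr (12)


def build_discover(xid, client_mac):
    """Constructed DHCPDISCOVER as a client sends it: BOOTREQUEST, giaddr 0.0.0.0,
    broadcast flag set, and only the message-type option before END."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr yiaddr siaddr giaddr
                        client_mac + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])


def parse_options(pkt):
    """Walk the TLV options area after the magic cookie.
    Returns ({code: value}, offset_of_END)."""
    opts, i = {}, 236 + len(MAGIC_COOKIE)
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            return opts, i
        if code == OPT_PAD:
            i += 1
            continue
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    raise ValueError("options area has no END option")


def giaddr(pkt):
    return pkt[GIADDR_OFFSET:GIADDR_OFFSET + 4]


def snooping_switch(pkt, information_option,
                    circuit_id=b"\x00\x04\x00\x0a\x01\x03",          # constructed: vlan 10, mod 1, port 3
                    remote_id=b"\x00\x06\x00\x11\x22\x33\x44\x55"):  # constructed: switch MAC
    """Model of an untrusted port on a switch running DHCP snooping. With
    'ip dhcp snooping information option' (the default) it appends option 82
    (sub-option 1 circuit-id, sub-option 2 remote-id) but never fills in giaddr,
    because the switch is not a relay. With the information option disabled the
    packet passes through unchanged."""
    if not information_option:
        return pkt
    sub = bytes([1, len(circuit_id)]) + circuit_id + bytes([2, len(remote_id)]) + remote_id
    option82 = bytes([OPT_RELAY_AGENT, len(sub)]) + sub
    _, end = parse_options(pkt)
    return pkt[:end] + option82 + pkt[end:]


def relay_decision(pkt, trust_all=False):
    """Model of the IOS relay agent's default validation: option 82 already
    present while giaddr is still 0.0.0.0 means something other than a relay
    inserted it, so the packet is discarded. 'ip dhcp relay information
    trust-all' on the router accepts it instead."""
    opts, _ = parse_options(pkt)
    if OPT_RELAY_AGENT in opts and giaddr(pkt) == b"\0\0\0\0" and not trust_all:
        return "drop: option 82 with giaddr 0.0.0.0"
    return "forward"


if __name__ == "__main__":
    client = build_discover(0x3903F326, b"\x00\x1c\xb3\x09\x85\x15")
    for info_opt in (True, False):
        for trust in (False, True):
            pkt = snooping_switch(client, info_opt)
            print(f"info-option={info_opt!s:5} trust-all={trust!s:5} -> {relay_decision(pkt, trust)}")
```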

Sojourner
Jun 6, 2007

Get In
Here's one that's stumped the guys at the office for a bit: about 5 or 6 of our switches, older ones (3524s) are no longer accessible via telnet. If you telnet to them you are prompted by a greeting that says
"FreeBSD 4.10 (STABLE)
Kernel 2.6.27 on an i686
login:"
It isn't an IP mixup and we hit a FreeBSD machine by mistake; it's a corrupt IOS, so soon I'm going to go up and xmodem a new image, but for curiosity, has anyone seen this before? Google came up with nothing.

Sojourner
Jun 6, 2007

Get In
It's not ARP spoofing, I said the same thing when word of this first got to me. It doesn't make any sense at all really. The intrusion detection system isn't being set off, I plugged myself into the management net and wiresharked it, and just for fun and the sake of using a pricey toy, used our Fluke EtherScope to resolve all the MAC addresses to an IP on the network and found no duplicates. Tomorrow at lunch I'm going to investigate more while people are at lunch. What will come of it, public humiliation or the most bizarre IOS error of all time, stay tuned to find out!

Sojourner
Jun 6, 2007

Get In

falz posted:

That's a linux kernel version, which has nothing to do with FreeBSD. You sure someone didn't just modify the banner to confuse people or be funny?

It'd be more than a login banner change because the login prompt is different than IOS. Before I left work I checked the MAC address that was associated with the IP and it was coming up as a Cisco one, and did a quick nmap/zenmap scan and it said the telnet daemon was the Cisco version.

Sojourner
Jun 6, 2007

Get In
Now for the thrilling conclusion of Sojous Super Switch Mystery!

Cisco blah blah...wait, BSD? This is a screenshot taken when I used a console cable to plug into the switch. In total, there are two switches inaccessible due to this. I need to book the time a week in advance to take down those switches to insert a new image with xmodem, but this with all certainty eliminates the possibility of an ARP spoof. Anyone got any ideas? (And no, it's not an access point... that's from an older HyperTerminal session.)

*edit* Third switch found.. an old 2912.
*second edit*
Holy table break batman! Image cut down..

Sojourner fucked around with this message at 15:25 on Jun 4, 2009

Sojourner
Jun 6, 2007

Get In

ragzilla posted:

Marvel at the wonder that is realizing some joker set your banner to the FreeBSD/kernel stuff.

It's not the banner. The prompt is login: instead of username/password so whatever it is, is beyond a banner (as well, it gives a different rejected message when authentication fails). I'm no stranger to using rom/xmodem of Cisco so as soon as I can book a day with the occupants of that building I'm going to take a closer look at it. Until then, as long as it keeps switching....

Sojourner
Jun 6, 2007

Get In

Weissbier posted:

I've edited the .xml file, but there's a part where it asks for a hostname. Is it wanting a DNS resolvable record? Thanks for any help.

At the top of the XML file where there is the help (massive block of comments) it should say what it wants for the hostname tag. I'll take a look at our ASA on Monday and confirm, it's been a while since we set it up. You can connect to it with the normal VPN client / SSL vpn client though, right?

Sojourner
Jun 6, 2007

Get In

WT Wally posted:

There is a Cisco VG248 that I need to get "show tech-support" output from. When I telnet into it, I am presented with this totally alien GUI. Is there a way to bring up the command line on this thing, or a way to get the show tech out of the GUI?

Is getting physical access to the switch and using a console cable an option? And when you say alien GUI, do you mean like weird crazy characters or "linux kernel 2.6.27" (or whatever it was)?

Also I forgot I was spending my Monday in an un-air-conditioned comms closet patching so I'll look at the VPN as soon as I can get a chance.

Sojourner
Jun 6, 2007

Get In

WT Wally posted:

I just meant alien as in non-Cisco-like. It's actually a pretty good gui. It gives me options to pull a show version, show running-config, etc. I just can't see the option for show tech in there anywhere. I'm about 3,000 miles away from the device, unfortunately.

Can you ctrl+c / shift+ctrl+6 out? There is a way in there somewhere to get to a CLI I bet, or even a way in the menu to get into the CLI.

Here is a quick google book on cisco, in particular the menu part and it may be able to help, good luck!

http://books.google.ca/books?id=BYc...result&resnum=5

Sojourner
Jun 6, 2007

Get In
We had a fan tray die in our 6509 today and we're getting a new one RMA'd tomorrow morning. Are they hot swappable, or do I have to kill the core and pray it turns back on to replace the fan tray?

*edit*

accidentally quoted.

Sojourner fucked around with this message at 17:32 on Jun 25, 2009

Sojourner
Jun 6, 2007

Get In
Here's a doozy of a problem that I've been dealing with since yesterday afternoon/today so far.

We're replacing some dinosaur Cisco switches with some new HP ProCurve. The new/old switch is fed with multimode fiber from a distribution switch. In the closet, I've got the HP running in the rack above the Cisco, and I change over the fiber cable from a GBIC end to one with an end for an SFP, plug it into the HP and...nothing. The interface won't come up. It's not a hardware problem, I've tried 3 SFPs, two different HP switches/multiple SFP slots and 2 fiber patch cables. I don't believe it is a config issue because even if my running configs were ASCII drawings the interface would still be up (unless they were shut down, which they are not). Any suggestions or troubleshooting steps I could take would be much appreciated.

Sojourner
Jun 6, 2007

Get In
Thanks for chiming in to help guys, but after many prayers to the lord and attempts I got it.

Turns out, the original cable I brought with me was bad, and the original SFP was good. I assumed the SFP was broken first, so I swapped that out for an (unbeknownst to me) dead SFP. Then it still didn't work, so I swapped the cable out. That didn't work on the first SFP so I went back to the original cable. Now that I was using the dead cable with the three SFPs it wasn't working. This was all just before my post; somewhere around the time of my post I got a notification on my PC that the link came up, so I checked it out and it was just getting an insane amount of errors. So I checked it out, swapped the cable again and tried the working cable with an SFP, didn't work, tried a different SFP, worked and almost had a heart attack.

Two DOA parts in one day from different vendors. Shortly after I tried to hook up an SX link to another closet in the building and the link wasn't coming up, and I had a very dramatic "not again" moment, but fortunately no one was around. I walked over to the other closet; the switch that this one was going to be feeding had died since the last time I had been in the room. One of those days.

Sojourner
Jun 6, 2007

Get In
I have a question about IOS licensing. Let's say that I acquired a 3750 with a SMARTnet contract on it, and the firmware it came installed with was not crypto. Let's say I update the firmware, and when I do so I install the crypto image; is this frowned upon in any way if I were to issue an RMA or other TAC service? I'm willing to bust out my water jug paper cup turned dunce cap if the answer for this one is an obvious, resounding no.

Regardless of anything else, 3750s to play with and a shiny new 6509-e on the way :).

Sojourner
Jun 6, 2007

Get In

ragzilla posted:

Keep a spare on-hand, we've had a few fail (usually the PSU, but usually only fails if there's no AC so it ends up overheating).

A thousand times this. I've seen a lot of media converters fail, and the PSU also goes in them too. My first time fixing one I was foolish and only changed out the actual converter, and that didn't bring my link back up so I spent the next 3 hours trying everything in the book until my boss told me the same thing happened at the same place years ago and that the media converter power supply needs to be changed.
Ever since that day I've had a hate on for media converters, and myself.

Sojourner
Jun 6, 2007

Get In
What's everyone here using for a netflow monitor/collector/listener? I've looked around and they all seem to boast mostly the same feature set and are about the same in price.

Bonus points if there is a free/oss one that anyone can suggest.

Sojourner
Jun 6, 2007

Get In
Thanks for the recommendation! NfSen is pretty great; while not as slick looking as SolarWinds/WUG etc. it gets the job done and it doesn't look bad at all. I had it working all morning but managed to break the NetFlow on the router with a command and I'm not entirely sure what it is.

That'll learn me for not keeping good config revisions, even on a testing system.

Sojourner
Jun 6, 2007

Get In

Harry Totterbottom posted:

Using an ASA 5505

One of the big problems that I already know about is that we currently aren't using a DMZ. This will change in the upcoming months as we get the necessary hardware to pull our main DB away from the web server that hosts it so that we can host the DB in the server farm instead of in the DMZ. (We're a non-profit so we're having to do as much as possible with as little as possible.)

What I'm attempting to do is allow the web servers, PBX, chat server and other servers that SHOULD be in the DMZ sit inside the LAN in the Data Center (site1) and use DNS rewrite to stop the NAT rules for inbound traffic. This doesn't appear to be working. I can ping the servers by their external IP and if I'm on the 192.168.100.X subnet then I can see the DNS rewrite actually taking place (ping to DNS name results in local IP), but if I go from one of the other subnets that's connected via MPLS I'm unable to see the DNS rewrite take place. So traffic from the 192.168.110.X subnet tries to hit the public IP address, not the internal web server IP address on the 192.168.100.X subnet.

One of the other major issues that we're having is that it seems like the PBX keeps losing communication with our SIP lines. I'm not certain if I should adjust the timers or just disable the timeout for SIP. This seems to be causing us to have to reboot the PBX multiple times to restore the trunks.

Speaking of trunks, SITE2 (192.168.120.0) isn't being seen by the PBX when calls are made it tries to roll through the various trunks with no success.

Full config is attached. Any help is greatly appreciated as it means we get the current netgear junk out of the cabinet quicker.

Running Config: http://dl.getdropbox.com/u/78889/scrubbed_running.txt

I'm not quite sure if I read that correctly, but DNS rewrite is not compatible with PAT (port forwarding) and that could be your problem.

Here's some literature: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

Sojourner
Jun 6, 2007

Get In
CiscoWorks Campus Manager has the ability to poll switches periodically for their MAC table and search for the location of the offender based on MAC or IP. I realize using that is probably not an option, but it is a neat feature.

Shut down the punk's switchport and wait for someone to call complaining their morezilla firefox isn't working anymore.

*edit*

apparently I'm un-ironically challenged at grammar

Sojourner
Jun 6, 2007

Get In

Xenomorph posted:

How do I do a Layer 2 traceroute?

traceroute mac, from privileged exec. Not all routers/switches will support it, so you may be doing show mac add | include *mac* to find him.

Sojourner
Jun 6, 2007

Get In
What would be the easiest way to deny users from plugging in their own home router/access points on our network?

In IOS 12.4, it looks like you can just use an ACL statement that looks at the TTL of a packet, but unfortunately the latest update for our router (6509-e/sup-720) is only 12.2.

Sojourner
Jun 6, 2007

Get In
Thanks, I'll throw some updates/check the software advisor and see if it won't support the TTL ACL statement. Here's hoping!

Sojourner
Jun 6, 2007

Get In

tortilla_chip posted:

Sounds like a job for CFN!
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

This is a neat tool, and way easier to use than Software Advisor, thanks! Unfortunately it just confirmed that the 6509-e will not be doing TTL ACLs... :'(
Looks like rogue access points will continue to be there.

Sojourner
Jun 6, 2007

Get In

Wicaeed posted:

Got a question for you VPN geniuses:

I've recently configured a remote access VPN on a Cisco ASA5505 to assign IPs from a range 10.10.9.0/28 (where the local LAN is 10.10.8.0/24) using the IPsec VPN configuration wizard. Seeing as how it is configured by the wizard, I thought this would work properly and pass traffic between the two networks, however I must have assumed wrong.

What happens is this: When I connect with the Cisco VPN client, I receive an IP of 10.10.9.1 and I can ping the lan ip of 10.10.8.1 (and ssh to it). I cannot ping or ssh or otherwise get any connectivity between any other remote lan hosts. I can't figure out if a misconfigured ACL is causing this, or some other configuration error. This is the ONLY VPN configured on this device. When I view the firewall log when I try to ssh to another remote lan host I see this:

Built inbound TCP connection 260 for outside: 10.10.9.1/50228 (10.10.9.1/50228) to inside: 10.10.8.12/22 (10.10.8.12/22)

followed shortly by:

Teardown TCP connection for 259 for outside: 10.10.9.1/50227 to inside: 10.10.8.12/22 duration 0:00:30 bytes 0 SYN Timeout

That would indicate to me that traffic is being passed to the remote host, but is not being sent back. Curiously if I SSH into the firewall and try to ping the IP that I am using for the VPN, it times out, and if I 'sh route' I get this:

S 10.10.9.4 255.255.255.255 [1/0] via xxx.xxx.xxx.xxx, outside

I am utterly confused by this issue, fffffff

It looks like a subnet mask problem. It looks like your 10.10.8.12 network is with a /22 mask, so traffic on the inside would assume 10.10.9.* would be on their local subnet, and would use ARP to look up the host instead of forwarding it to the default gateway.

Try making your VPN net something that will not overlap, or changing the subnet mask to /24 on your 10.10.8 subnet, which looks like what you wanted all along.

Sojourner
Jun 6, 2007

Get In

Wicaeed posted:

Teardown TCP connection for 259 for outside: 10.10.9.1/50227 to inside: 10.10.8.12/22 duration 0:00:30 bytes 0 SYN Timeout

In your post describing the problem, you said 10.10.8.0 was /24 but this log says it's /22. Reinforcing this needs to be looked at.
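
An added example, not from the thread, that parses the ASA connection messages Wicaeed quoted. In these messages the field after each interface name is address/port, so the trailing number is a TCP port rather than a prefix length; a Teardown whose reason is SYN Timeout with 0 bytes records that the firewall forwarded the SYN inside and nothing ever came back, which is the one-way behaviour the post describes. The third log line and the function names are constructed for the example.

```python
import re

# Two lines are the ASA messages quoted in the thread (copied as pasted, including
# the odd "for 259 for"); the third is a constructed healthy session for contrast.
SAMPLE_LOG = """\
Built inbound TCP connection 260 for outside: 10.10.9.1/50228 (10.10.9.1/50228) to inside: 10.10.8.12/22 (10.10.8.12/22)
Teardown TCP connection for 259 for outside: 10.10.9.1/50227 to inside: 10.10.8.12/22 duration 0:00:30 bytes 0 SYN Timeout
Teardown TCP connection 261 for outside:10.10.9.1/50229 to inside:10.10.8.1/22 duration 0:02:10 bytes 4380 TCP FINs
"""

# Shape of the ASA 302013 (Built) / 302014 (Teardown) TCP connection messages:
# <event> [inbound|outbound] TCP connection <id> for <if>:<addr>/<port> [(mapped)]
#   to <if>:<addr>/<port> [(mapped)] [duration <h:mm:ss> bytes <n> [<reason>]]
CONN_RE = re.compile(
    r"(?P<event>Built|Teardown)\s+(?:(?P<direction>inbound|outbound)\s+)?TCP connection\s+"
    r"(?:for\s+)?(?P<conn_id>\d+)\s+for\s+"
    r"(?P<src_if>\w+):\s*(?P<src>[\d.]+)/(?P<sport>\d+)(?:\s+\([^)]*\))?\s+to\s+"
    r"(?P<dst_if>\w+):\s*(?P<dst>[\d.]+)/(?P<dport>\d+)(?:\s+\([^)]*\))?"
    r"(?:\s+duration\s+(?P<duration>\S+)\s+bytes\s+(?P<bytes>\d+)(?:\s+(?P<reason>.+))?)?"
)


def parse_conn_line(line):
    """Return the connection fields as a dict, or None for lines of another type."""
    m = CONN_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("conn_id", "sport", "dport"):
        rec[key] = int(rec[key])
    rec["bytes"] = int(rec["bytes"]) if rec["bytes"] is not None else None
    rec["reason"] = rec["reason"].strip() if rec["reason"] else None
    return rec


def one_way_flows(log_text):
    """Flag teardowns that closed on SYN Timeout with zero bytes: the ASA built
    the connection and forwarded the SYN, but no SYN-ACK came back through it.
    The question then is whether the inside host answers and has a route back
    to the VPN pool, not whether the firewall permitted the flow (it did).
    Returns (src, dst, dport, dst_if) tuples."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_conn_line(line)
        if rec is None or rec["event"] != "Teardown":
            continue
        if rec["bytes"] == 0 and rec["reason"] == "SYN Timeout":
            findings.append((rec["src"], rec["dst"], rec["dport"], rec["dst_if"]))
    return findings


if __name__ == "__main__":
    for src, dst, port, iface in one_way_flows(SAMPLE_LOG):
        print(f"{src} -> {dst}:{port} via {iface}: SYN forwarded, no reply seen")
```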

Sojourner
Jun 6, 2007

Get In
On my ASA 5510, I just tried to update the AnyConnect client executables. When I try to enable the second with "svc image disk0:/anyconnect-macosx.pkg 2", it says I need to increase the "cache-fs" size with the cache-fs command. When I try to use cache-fs it says the command does not exist, and I've tried it in global config, webvpn, cache and any other CLI mode you could think of. Any insight?

*edit*

Fixed the problem by going into cache mode, and doing 'disable' then 'no disable', but I'd still REALLY like to know where the hell that cache-fs command is.

Sojourner fucked around with this message at 20:25 on Nov 12, 2009

Sojourner
Jun 6, 2007

Get In

RaptorFox posted:

I apologize if this is the wrong place to ask, but my friend recently obtained an Aironet 350 wireless B access point. I was wondering, given the magic of IOS, could it be configured to work in reverse, say serve as a wireless bridge to allow an Xbox onto the wireless network? Any advice would be appreciated.

If the 350B can be configured for bridging mode, then yes, yes it can! I've done just that with 1100/1130 APs.

Sojourner
Jun 6, 2007

Get In

CrazyLittle posted:

To my recollection, the Cisco Aironet 350 AP is one of the devices that Cisco pretty much bought directly when they purchased the whole Aironet company. (Kinda like how all their VoIP stuff is really just a Sipura device renamed.) That device doesn't have the capability to join another existing wireless network in client mode like you would want it to, in order to create a wired segment for your Xbox. Those boxes didn't really have IOS like the routers and switches when I used them back in 2001. They just had a simplified serial console and a web GUI.

I did a little research this morning, and what this man says is the truth. Though they do make a 350 series wireless bridge, it is a separate appliance.

Sojourner
Jun 6, 2007

Get In

routenull0 posted:

We had a Win2000 domain when I did it, but we ran an IAS front-end that pushed auth against AD. It might be different for newer Windows domains now.

This is how it is for windows server 2003.

Sojourner
Jun 6, 2007

Get In
I'd just like to give a heads up to anyone using a TFTP server on Windows 7. It never seems to transfer the file correctly. I've tried transferring from 2 different TFTP servers (SolarWinds and one I got off of SourceForge) on Windows 7 to Fortinet and Cisco devices and had them fail each and every time (it would transfer, but it would fail when trying to install), then from the exact same hardware running Linux had the transfer work the first time right away.

Hopefully no one tries to update the IOS on a remote router from a win 7 PC, unless there is a client out there that works that I haven't tried yet.

Sojourner
Jun 6, 2007

Get In

Tremblay posted:

have you tried TFTPd32?

Yes actually, same deal.

Sojourner
Jun 6, 2007

Get In

hermand posted:

Works fine on RC 7 here - I've been messing around for my CCNA.

Maybe there are some differences between 7 RC and RTM. I don't think I'm crazy because I tried from a different Win 7 PC and got the same thing. At least nothing in production got interrupted.

Sojourner
Jun 6, 2007

Get In
My google fu is weak today. Can someone tell me how to force a failover on a 6500 sup720 so the hot engine will come online?

Sojourner
Jun 6, 2007

Get In

ragzilla posted:

Not sure if there's a redundancy command, but you can always use the hw-module command to power cycle the active sup.

I get the error "cannot reset self!" when trying to do that.

Sojourner
Jun 6, 2007

Get In

ragzilla posted:

code:
#redundancy ?
Redundancy exec commands:
  config-sync       Redundancy config sync commands
  force-switchover  Force a switchover
  reload            Redundancy Facility (RF) reload
redundancy force-switchover ?

Worked like a charm :), thanks.

Sojourner
Jun 6, 2007

Get In
Wireless access points that you want to fit in interesting places with a 100 meter power cord are a great use of PoE.

Sojourner
Jun 6, 2007

Get In

Tremblay posted:

The 2ks? They are ONLY gigE...

They should still go through the auto-negotiate process so you don't have to hard code speed/duplex on the device it's connected to.

Sojourner
Jun 6, 2007

Get In

Richard Noggin posted:

I'm having some trouble with ACLs on a 3560. I have the following:

code:
interface Vlan10
 ip address 192.168.16.1 255.255.255.224
 ip access-group server_in in
!
interface Vlan30
 ip address 192.168.17.1 255.255.255.0
!
ip access-list extended server_in
!
My understanding is that the implicit deny in the server_in ACL should block any traffic entering that interface. But, I can ping from the 192.168.17.0/24 network to the SVI at 192.168.16.1. What gives?

Could be because it's a blank ACL, it just ignores it. Try adding the deny manually and see if it makes a difference.
