|
Alright, can someone explain to me the significance of 0.0.0.0 being a default route?

code:
Rtr-Inside#sho ip ro
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 199.185.48.6 to network 0.0.0.0

C    192.168.1.0/24 is directly connected, FastEthernet0/0
C    192.168.2.0/24 is directly connected, FastEthernet1/0
     199.185.48.0/29 is subnetted, 1 subnets
C       199.185.48.0 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via 199.185.48.6
Rtr-Inside#

I've spent the last 2 hours googling for this and I've only managed to confuse myself further. If this picture helps, I am in the CLI of rtr inside and 199.185.48.6 is rtr outside.
|
# ¿ Sep 7, 2014 03:35 |
|
|
So it's a broadcast? Or is it like "This packet is destined for whoever will accept it (hopefully another router)" I keep changing my understanding of this from essentially a broadcast (just going off of the way subnets work) and no gateway (it doesn't need to use a gateway because it doesn't need to leave the lan) Methanar fucked around with this message at 04:01 on Sep 7, 2014 |
# ¿ Sep 7, 2014 03:59 |
|
I'm forgetting how to breathe currently.

10.0.0.0, 200 subnets, determine info for fields below for the 4th subnet.

Subnet Address: 0, 32, 64, 92, 10.0.92.0
Subnet Mask: 255.255.224.0 /19
Host Range: 10.0.92.1 – 10.0.127.254
Broadcast Address: 10.0.127.255
Default Gateway: 10.0.127.254

This is right, right?
Subnet quota handled by 2^8
Block size from 128+64+32=224
224 > 200
256-224 = 32 (3rd octet)

Edit: Reviewed my text book and since 255.0.0.0 is the default mask, I would need to have 2^8 subnets (8 being the number of bits for the network portion) to exceed the 200 quota. So in reality my mask would be 255.255.0.0. That leaves me with 2^16 hosts. I'm dumb and used the host bits to determine my number of subnets.

Real answers:
Subnet Address: 10.4.0.0
Subnet Mask: 255.255.0.0 /16
Host Range: 10.4.0.1 – 10.4.255.254
Broadcast Address: 10.4.255.255
Default Gateway: 10.4.255.254

Methanar fucked around with this message at 05:22 on Oct 23, 2014
# ¿ Oct 23, 2014 04:19 |
|
less than three posted:10.0.0.0/8 or what? In terms of classful subnetting. The number of hosts doesn't matter. I need to determine the most appropriate (smallest) mask to use. Methanar fucked around with this message at 04:29 on Oct 23, 2014 |
# ¿ Oct 23, 2014 04:27 |
|
Stupid question alert: Given a network address of 172.24.0.0 and asked to create subnets that have at least 75 host addresses and no more than 125, what is the network address for the first 6 subnets?

This is impossible but I have a teacher who is swearing up and down that it is possible and isn't explaining why. I've discussed this with about 5 different people, including another teacher whose specialty is not networking, and it was always unanimously Not Possible.

At 2^6-2 = 62: this satisfies the requirement of being <125 and does not for having >=75.
At 2^7-2 = 126: this satisfies the requirement of being >=75 but does not for having <125.
|
# ¿ Oct 31, 2014 00:24 |
|
madsushi posted: I imagine it's the 128 example but the teacher is assuming like -1 network, -1 broadcast, -1 default gateway, to make it 125. Which is just getting semantic about "host addresses".

I thought about that, but he has never made that distinction before. Because a default gateway is obviously a host, unlike a broadcast.
|
# ¿ Oct 31, 2014 04:56 |
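Added Python (standard-library ipaddress only; not code from any of the posts) that checks the two exercises above: the 200-subnet split of 10.0.0.0 and the 172.24.0.0 question asking for 75 to 125 host addresses per subnet, including the reading in the reply above where a gateway address is reserved on top of the network and broadcast addresses. Assumptions: the blocks are split classfully (10.0.0.0/8, 172.24.0.0/16), subnets are indexed from zero because the exercise does not say whether the first subnet is number 0 or 1, and the default gateway is the last usable address, as in the post.

```python
import ipaddress


def subnet_prefix(block, min_subnets):
    """Smallest prefix length that splits `block` into at least `min_subnets`
    equal-sized subnets. The borrowed bits come out of the host portion, so
    every extra subnet bit halves the hosts per subnet."""
    base = ipaddress.ip_network(block)
    bits = 0
    while 2 ** bits < min_subnets:
        bits += 1
    return base.prefixlen + bits


def nth_subnet(block, new_prefix, index):
    """The fields an addressing exercise asks for, for the subnet at zero-based
    `index` when `block` is split into /new_prefix subnets. Zero-based numbering
    is an assumption (the exercise text is silent on it). Gateway = last usable
    host, the convention used in the post."""
    net = list(ipaddress.ip_network(block).subnets(new_prefix=new_prefix))[index]
    first = net.network_address + 1
    last = net.broadcast_address - 1
    return {
        "subnet": str(net),
        "mask": str(net.netmask),
        "first_host": str(first),
        "last_host": str(last),
        "broadcast": str(net.broadcast_address),
        "gateway": str(last),
    }


def usable_hosts(prefixlen, reserved=2):
    """Host addresses left in an IPv4 /prefixlen after removing `reserved`
    addresses: 2 for network + broadcast, 3 if a gateway is excluded as well."""
    return 2 ** (32 - prefixlen) - reserved


def prefixes_with_hosts(low, high, reserved=2):
    """Every prefix length whose usable host count lies inside [low, high].
    Because usable counts are 2**n - reserved, there are gaps no prefix hits."""
    return [p for p in range(1, 31) if low <= usable_hosts(p, reserved) <= high]


def first_subnets(block, new_prefix, count):
    """Network addresses of the first `count` /new_prefix subnets of `block`."""
    gen = ipaddress.ip_network(block).subnets(new_prefix=new_prefix)
    return [str(next(gen)) for _ in range(count)]


if __name__ == "__main__":
    print(subnet_prefix("10.0.0.0/8", 200))            # /16
    print(nth_subnet("10.0.0.0/8", 16, 4))
    print(prefixes_with_hosts(75, 125))                # [] with 2 reserved
    print(prefixes_with_hosts(75, 125, reserved=3))    # [25] with 3 reserved
    print(first_subnets("172.24.0.0/16", 25, 6))
```

Run stand-alone it prints 16 for the prefix, an empty list for the two-reserved-address reading of 75..125 (no value of 2^n - 2 lands between 75 and 125), and [25] once a third address is reserved, which is the only way the /25 split of 172.24.0.0 fits the wording.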
|
Probably the wrong thread but, in my college program I just got 93% on a theory exam and 59% on the practical. Minor OSPF, routing, switching, configuration, SSH, domains, understanding addressing and subnetting, dealing with spanning tree's poo poo and basic ACLs. My 93% was the highest in the class of 25 so I know the material fairly well but I just cannot for the life of me actually do it. The exams are done through Packet Tracer right now, so it's unbelievably specific and picky about everything. It also doesn't even tell you what you've gotten wrong. Is there any sort of exercise or mindset that I need going into these?
|
# ¿ Nov 12, 2014 21:17 |
|
Slickdrac posted:Also there is a very high likelihood that you'd be installing a backdoor into your network. http://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/ I think this will always be a concern, no matter where you buy your hardware from.
|
# ¿ Jan 12, 2015 23:08 |
|
Does it really matter who puts in the backdoor though? The problem is that you have a backdoor, whether it was put there by the US government, the Chinese government, or the manufacture.
|
# ¿ Jan 12, 2015 23:25 |
|
Okay, route redistribution has been kicking my rear end for so long I tried to tab complete the word redistribution. I have OSPF running for the two clusters and on rtr-lan 4. I have EIGRP running in the yellow box and on rtr-lan 4. What is the proper way of redistributing the routes that lead off to the clusters into my EIGRP AS? If it means anything I have all of the EIGRP 13 AS being aggregated when being advertised to rtr-lan 4. Ultimately, I want the bottom PCs to be able to access resources within the clusters. If it matters, here are the running configs and routing tables for the 2 important devices. http://pastebin.com/bvX1F4RJ rtr a http://pastebin.com/X8rFj2Rv rtr lan Methanar fucked around with this message at 03:34 on Jan 30, 2015
# ¿ Jan 30, 2015 03:29 |
|
goobernoodles posted: Anyone have an opinion on Microwave internet? I'm looking into making some changes to move away from our current ISP and will need a primary internet connection. We currently have 20Mbps EoC to our main office. Looking at 50Mb fiber (1100-1400 depending on ISP) or Microwave options.

Make sure you can get an absolutely perfect line of sight.
|
# ¿ Mar 25, 2015 02:44 |
|
I don't really see the issue with standardizing common commands (helper-address for example)
|
# ¿ Apr 17, 2015 02:55 |
|
So I've got a new ASA 5506-X to replace an ASA 5505. I wanted to just copy/paste the running config from old to new, but it turns out that the 5506 doesn't have switching capabilities. How do I do vlans?
|
# ¿ Jul 14, 2015 22:11 |
|
psydude posted: Are you trying to do router on a stick down to a layer 2 switch? In that case, it's as simple as creating a subinterface and then issuing the vlan configuration command to set the appropriate vlan tag. Make sure you assign an IP address as well and that the port on the L2 switch is configured as a trunk.

The firewall is doing NAT and traffic filtering. In the configs the interfaces have OSPF costs associated with them, but the firewall doesn't seem to have any real routing going on. We have a 2911 router doing something but nobody knows the password for it and I'm not allowed to recover the password. I don't know anything about firewalls; routers and switches I'm pretty good at though. I'm ridiculously unqualified for this but I'm trying to be a hero.

The current 5505 has three interfaces and each interface is assigned a vlan. I can't check but I very strongly doubt any of the other devices actually use vlans.

Inside = f0/1 and f0/3 = vlan 1
outside = f0/0 and f0/4 = vlan 2
dmz = f0/2 = vlan 12

I've got something resembling this on the 5505 right now, so what's the equivalent of this without switchport functionality?

quote:
interface Ethernet0/0

I was thinking I could, for example, assign Inside to g1/8 and reuse the current IP address that the 5505 has set for Inside on the 5506 for Inside. I move everything currently plugged into a 5505 vlan 1 port into a switch that's plugged into the 5506's single Inside. To me the picture below makes sense, except the barracuda device is part of the Outside vlan, but it doesn't have a real public IP. I don't remember it having any special ACL rules either. Honestly it might not even be doing anything.
|
# ¿ Jul 15, 2015 01:53 |
|
Okay I think I've figured that out. It turns out the way NAT works has changed though. Right now all my live NAT rules are being called exemptions in the ASDM, but in the new one I don't even see the choice to create something called an exemption. Lots of my ACLs have incorrect syntax too. I don't suppose there's an easy way of fixing this, is there?

quote:
global (inside) 13 interface

quote:
mlpasafirewall(config)# global (inside) 13 interface
|
# ¿ Jul 15, 2015 18:06 |
|
Ultimately all I want to do is replace the 5505 (left) with 5506 and have it still work. I don't have the option to create rule exemptions for the 5506. I've already gone through that cisco link, but it's pretty far over my head right now.
|
# ¿ Jul 15, 2015 19:43 |
|
Prescription Combs posted: Based on what tidbits of info you gave:

Okay this is very helpful.

quote:
object-group network DMZ-NAT0-LOCAL-NETS

I don't quite understand these though. Are the capitals and the X placeholders, and if so for what?

code:
nat (dmz,outside) source static DMZ-NAT0-LOCAL-NETS DMZ-NAT0-LOCAL-NETS destination static DMZ-NAT0-REMOTE-NETS DMZ-NAT0-REMOTE-NETS
!
nat (inside,outside) source static MeadowNetwork MeadowNetwork destination static Serpong_HQ Serpong_HQ
!

Kind of the same thing here, what are the capitals? Why is MeadowNetwork written twice in a row and what exactly is being sent to/from Serpong?

Sheep posted: a local IT support company lol
|
# ¿ Jul 16, 2015 03:27 |
|
Has anyone ever had a problem with an ASA where it will respond to every ARP query and say that he owns the IP address in question. Because right now I have one that believes it owns every IP address not in 192.168.0.0/16
|
# ¿ Aug 10, 2015 15:08 |
|
Contingency posted:Possibly a NAT statement causing proxy ARP. How would I even begin to check something like that.
|
# ¿ Aug 10, 2015 18:30 |
|
http://pastebin.com/PstpCMue
|
# ¿ Aug 10, 2015 19:39 |
|
Honestly I just think it might be a bug. Even with the configs totally wiped it still does it. There are no references at all to 192.168 in our network because we use some stupid non-RFC 1918 subnet internally. Proxy ARP shouldn't be used. I just thought I'd ask because Cisco hasn't been able to tell me anything either.
|
# ¿ Aug 10, 2015 23:14 |
|
ElCondemn posted: Can you show us your arp table? Also how are you testing this? Is it possible your test is flawed?

I'm home now but the ARP table is totally empty even after performing the test below. I tested it by unplugging all ethernet cables from the ASA and my computer. Clearing all ARP tables and wiping assigned addresses (they were in fact cleared properly). Turn on Wireshark. Address the ASA and my computer with static IPs in the 172.16.1.0/24 subnet, 192.168.1.0/24, 192.168.128.0/23 and 216.10.5.0/24 subnet as tests. Then plug in an ethernet cable from my computer to the ASA. This has been tested with multiple ASA ports and computers with the same results. It's also possible I am a complete idiot and my test means nothing. Wireshark will see ARPs being sent out asking if anyone has 172.16.1.1 or whatever address I gave my computer. The ASA will always respond that the MAC address of the port I am plugged into already owns whatever IP I gave to my computer. With the exception of anything in 192.168.0.0/16. Methanar fucked around with this message at 00:05 on Aug 11, 2015
# ¿ Aug 11, 2015 00:01 |
|
ElCondemn posted: Was that your whole config? Do you have any DHCP entries in your config (helper ip or anything)? Any "ip local pool" sections? Can you do a show route?

That was 90% of the config, I left out a bit of the VPN stuff which is unrelated and mostly just a list of the users. There is a little bit of DHCP just to address incoming VPN connections. They're given out from a pool of 172.16.25.240-250. Show route was empty when I tried it earlier today. These two static routes are really the only routing going on. The interfaces have OSPF costs associated with them for no reason. We don't even have a routing protocol running.

code:
route outside 0.0.0.0 0.0.0.0 12.12.12.12 1
route inside 129.129.30.0 255.255.255.0 172.16.25.254 1
|
# ¿ Aug 11, 2015 00:22 |
|
That's why it's so bizarre. The ASA has been sitting on my desk for like 4 weeks now and is brand new. It's never been used for real. I've been preparing it to be put into the network but it just absolutely refuses to let anyone else have an address. Being directly connected to my computer, and a few others just to troubleshoot, is all it's been.
|
# ¿ Aug 11, 2015 00:43 |
|
Prescription Combs posted: I'm pretty certain it's your NAT lines.

Shutting off proxy ARP fixed the IP conflict issue I was having. Bad news is I'm stupid and shut it off for every interface and then tried to put it into the network. Since I have multiple publicly addressed devices inside my network I must have proxy ARP running for the outside interface and possibly the DMZ, right? I broke the whole network for a good 90 minutes before I got everything back together.
|
# ¿ Aug 11, 2015 17:11 |
|
Okay so I think I know why I've had such a hard time learning how to use a firewall. The configs I've been working with and trying to understand are horrible. I was always confused about the extra any any nat statements and I'm fairly sure they're completely useless now and Cisco agrees. I removed them all and turned proxy ARP back on but I get the IP conflict again.

Prescription Combs posted: primarily does public > private NAT where public IPs generally don't reside behind the FWs

This would be the smart way of doing this.
|
# ¿ Aug 11, 2015 20:34 |
|
I didn't understand why my configs' nat rules were using Inside,Any so I changed them all to Inside,Outside for fun. This fixed my issue of the asa believing it owned every IP without having to turn off proxy arp. Can someone smarter than me tell me what I did?
|
# ¿ Aug 13, 2015 02:47 |
|
Well, yeah. But how could that be fixing the issue I was having of the ASA claiming every address was in use on behalf of non-existent devices behind NAT?
|
# ¿ Aug 13, 2015 04:25 |
|
Contingency posted:Let's say you have a /29, with 5 hosts usable--1.2.3.2-6. Okay I followed that. So what are legitimate uses of natting to any interface assuming you have more than inside and outside? Should you ever use any or always specifically choose interfaces.
|
# ¿ Aug 13, 2015 05:19 |
|
Okay so in plain English this statement is saying

code:
nat (inside,any) source static any any destination static obj-129.129.30.0 obj-129.129.30.0

Send traffic to the inside interface if: it originates from anything, it is from 0.0.0.0/0, and it is destined for 129.129.30.0/24.

If traffic matches the above nat rule, but I have a static route that says traffic destined for 129.129.30.0/24 should go to g0/5, the dmz interface, the nat rule will take effect and send the traffic to g0/2, the inside interface. Am I understanding that right? I'm sorry for spamming this thread so much.
|
# ¿ Aug 13, 2015 05:56 |
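The NAT rule quoted in the post above, beside the form that stops the ASA answering ARP on behalf of every address, as an added example that is neither the poster's pastebin config nor Cisco's own text. The object name obj-129.129.30.0 and the interface names inside/outside/dmz come from the posts; the 172.16.25.10 source host in the packet-tracer check is assumed (it sits in the 172.16.25.0/24 range the poster's inside static route uses). The syntax is ASA 8.3+ twice NAT.

```text
! Problem form, as quoted in the post. The mapped interface is 'any' and the
! identity rule covers 'any', so the ASA treats every address as one it is
! mapping and proxy-ARPs for all of them on every interface: exactly the
! "ASA owns whatever IP I gave my computer" symptom from the ARP tests.
object network obj-129.129.30.0
 subnet 129.129.30.0 255.255.255.0
!
nat (inside,any) source static any any destination static obj-129.129.30.0 obj-129.129.30.0

! Corrected form. Name the real egress interface instead of 'any', tell the
! ASA not to proxy-ARP for identity-mapped addresses, and let the routing
! table (the static route for 129.129.30.0/24) pick the exit interface
! rather than the interface named in the NAT rule.
no nat (inside,any) source static any any destination static obj-129.129.30.0 obj-129.129.30.0
nat (inside,outside) source static any any destination static obj-129.129.30.0 obj-129.129.30.0 no-proxy-arp route-lookup

! Checks after the change: the rule should list no-proxy-arp and route-lookup,
! and a simulated inside host reaching 129.129.30.0/24 should leave on the
! interface its static route names (assumed source host 172.16.25.10).
show nat detail
packet-tracer input inside tcp 172.16.25.10 40000 129.129.30.5 80
```

The two keywords act on this one rule only. They leave `sysopt noproxyarp` alone, so the static NATs for the publicly addressed hosts behind the outside interface keep answering ARP for their mapped addresses, which is what broke when proxy ARP was switched off globally.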
|
adorai posted:it took me almost a year to get a dumbass issue resolved with tac. The symptom was if a user had two phones in two different regions with the same DN, the phones did not get the terminate signal and would keep the call "active". after 3 calls, they had to restart their phones. Use different DNs. Restart the phones after every 3 calls. Methanar fucked around with this message at 04:46 on Sep 3, 2015 |
# ¿ Sep 3, 2015 04:34 |
|
TheMostFrench posted: Can I ask a packet tracer question here? I'm trying to do inter-vlan routing using an L3 Switch but I cant find anything that explains how to set routes between vlans. If that isn't possible then I guess I am misunderstanding the task, and even the basic concepts.

It's pretty easy, you just tell your routing protocol all of the vlan subnets that each device has access to. My pkt file has quite a bit going on so just pay attention to the left most wing of clients and the HQ FLOOR1 mlsw. Each of the numbers beside a computer represents a vlan being serviced there. In my case I am using a default gateway of 10.192.x.254.

quote:en

For floor1-sw1 I have the access ports set as

code:
interface FastEthernet0/1
 switchport access vlan 106
 switchport voice vlan 107
 spanning-tree portfast
 spanning-tree guard root

And I have the floor1-mlsw default gateway's config resembling this long pastebin. Don't worry about the standby IPs, just know that the default gateway for every vlan in the left most pod terminates to floor1-mlsw. You can see that EIGRP has a network statement for all the vlans that this L3 switch is serving PLUS the physical interfaces that lead deeper into the network, and I have enabled routing for the switch. The helper addresses just forward DHCP requests off to my DHCP server that is in a different subnet, because remember: broadcasts do not leave your local L2 LAN. It is important to note that because f0/24 is handling all traffic for multiple vlans you MUST set it to be a trunk port.

http://pastebin.com/8VWq4cp3

code:
router eigrp 1
 network 10.192.255.0 0.0.0.3
 network 10.192.255.24 0.0.0.3
 network 10.192.23.0 0.0.0.255
 network 10.192.0.0 0.0.7.255
 network 10.192.25.0 0.0.0.255
 network 10.192.26.0 0.0.0.255
 network 10.192.27.0 0.0.0.255
 network 10.192.28.0 0.0.0.255
 network 10.192.29.0 0.0.0.255
 network 10.192.30.0 0.0.0.255
 network 10.192.31.0 0.0.0.255
 no auto-summary

If you need more explanation just ask.
|
# ¿ Sep 17, 2015 01:10 |
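A generic IOS version of the inter-VLAN routing setup described in the reply above, written as an added example rather than the contents of the linked pastebin (which is not on this page). The VLAN numbers 106/107, the 10.192.x.254 gateway convention, the access-port lines and the EIGRP AS come from the post; the exact SVI subnets, the DHCP server address 10.192.23.10, the hostnames and the assumption that only those two VLANs ride the uplink are mine.

```text
!--- floor1-mlsw (the layer 3 switch): it must route, not just switch.
ip routing
!
vlan 106
 name floor1-data
vlan 107
 name floor1-voice
!
!--- One SVI per VLAN is that VLAN's default gateway (subnets assumed).
!--- ip helper-address turns the DHCP broadcast into a unicast to the
!--- DHCP server in another subnet, since broadcasts stop at the VLAN edge.
interface Vlan106
 ip address 10.192.6.254 255.255.255.0
 ip helper-address 10.192.23.10
!
interface Vlan107
 ip address 10.192.7.254 255.255.255.0
 ip helper-address 10.192.23.10
!
!--- The helper forwards more than DHCP: by default IOS also relays TFTP,
!--- DNS, NetBIOS name/datagram, TACACS and Time UDP broadcasts. Drop the
!--- ones the relay is not meant to carry so the SVI is only a DHCP relay.
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
no ip forward-protocol udp time
!
!--- Advertise the VLAN subnets (and the links deeper into the network)
!--- so the rest of the topology can reach them.
router eigrp 1
 network 10.192.0.0 0.0.7.255
 no auto-summary
!
!--- floor1-sw1 (the access switch).
!--- Access port: data VLAN untagged, voice VLAN tagged, as in the post.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 106
 switchport voice vlan 107
 spanning-tree portfast
 spanning-tree guard root
!
!--- Uplink to floor1-mlsw carries several VLANs, so it has to be a trunk.
!--- nonegotiate disables DTP, and the allowed list keeps VLANs this switch
!--- does not host off the trunk (assumes only 106 and 107 live here).
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 106,107
 switchport nonegotiate
```

`show ip route` on floor1-mlsw should list each SVI subnet as connected, and a host in VLAN 106 doing a DHCP discover should show up on the DHCP server as a unicast from 10.192.6.254 with the relay address (giaddr) set to that SVI.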
|
Charliegrs posted: I have a couple Cisco 3500 switches. For whatever reason, I cannot create any VLANs. It's driving me nuts trying to figure out why and I haven't had any luck googling it.

code:
Switch(config)#int vlan 10
Switch(config-if)#no shut
Switch(config-if)#
%LINK-5-CHANGED: Interface Vlan1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
Switch(config-if)#int fa0/1
Switch(config-if)#sw mode access
Switch(config-if)#sw access v 10
% Access VLAN does not exist. Creating vlan 10
Switch(config-if)#

Maybe try fiddling with the vlan database?

code:
Switch#vlan data
Switch#vlan database
% Warning: It is recommended to configure VLAN from config mode,
  as VLAN database mode is being deprecated. Please consult user
  documentation for configuring VTP/VLAN in config mode.

Switch(vlan)#?
VLAN database editing buffer manipulation commands:
  exit  Apply changes, bump revision number, and exit mode
  no    Negate a command or set its defaults
  vlan  Add, delete, or modify values associated with a single VLAN
  vtp   Perform VTP administrative functions.

Switch(vlan)#vlan 10 ?
  name  Ascii name of the VLAN
  <cr>

Switch(vlan)#vlan 10 name ?
  WORD  The ascii name for the VLAN

Switch(vlan)#vlan 10 name vlan10
VLAN 10 modified:
    Name: vlan10
Switch(vlan)#
Switch#

Methanar fucked around with this message at 02:20 on Nov 3, 2015
# ¿ Nov 3, 2015 02:17 |
|
Can someone write some words about why you would ever want to use a software router/firewall like BIRD or VyOS instead of a hardware Cisco or Juniper product? I'd imagine upfront cost, expected load and need of manufacturer support are the main motivators.
|
# ¿ Nov 29, 2015 01:47 |
|
psydude posted:Yeah. They still use a lot of Cisco and Juniper at the edge and at their PoPs (and I'd imagine for their corporate networks). Their internal DC stuff is a lot of home baked stuff running crazy rear end SDN poo poo. https://gigaom.com/2014/11/14/facebook-shows-the-promise-of-sdn-with-new-networking-tech/ Yeah this clears things right up.
|
# ¿ Dec 1, 2015 05:02 |
|
Japanese Dating Sim posted: Working on CCENT and I'm missing something stupid. I've got three routers up in GNS3, and they're connected via their serial interfaces on 10.0.0.0/30. Router 1 can ping Router 2, but not Router 3. Router 3 can ping Router 2, but not Router 1. I've (I think) narrowed the issue down to the fact that Router 2 can't ping Router 3 if I use the interface that's connected to R1 as the source. I'm not sure if this is a problem with how I've set up the static routes, or the ip address of the serial ports, or what. If anyone wants to spend a couple of minutes explaining what I've done wrong (or just pointing me where to look) I'd be pretty grateful.

r3 needs to be aware of r1's networks and vice versa.

code:
[from r3]
ip route 192.168.10.0 255.255.255.0 10.0.0.5

If you wanted you could make a default route and tell R3 that any time he wants to find something you haven't explicitly defined, send it to R2 and hope he knows where to go.

code:
ip route 0.0.0.0 0.0.0.0 10.0.0.5

Methanar fucked around with this message at 04:17 on Dec 7, 2015
# ¿ Dec 7, 2015 04:15 |
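Added Python (standard library only; not code from any post) that models the two routing tables discussed in this thread: the Rtr-Inside `show ip route` output from the first post, with its `S* 0.0.0.0/0` entry, and the three-router CCENT lab above before and after the static or default route is added on R3. It shows what makes 0.0.0.0/0 a default route: forwarding is a longest-prefix match, 0.0.0.0/0 contains every address but has length 0, so it is used only when no more specific prefix matches, and it is a unicast next hop, not a broadcast. Addresses and interface names in the lab beyond the 10.0.0.5 next hop quoted above are assumptions.

```python
import ipaddress

# Constructed routing table mirroring the Rtr-Inside 'show ip route' output
# from the first post: three connected networks plus the S* default route.
RTR_INSIDE = [
    ("192.168.1.0/24", "FastEthernet0/0"),
    ("192.168.2.0/24", "FastEthernet1/0"),
    ("199.185.48.0/29", "FastEthernet0/1"),
    ("0.0.0.0/0", "199.185.48.6"),  # S* 0.0.0.0/0 [1/0] via 199.185.48.6
]


def lookup(table, destination):
    """Longest-prefix match: the most specific prefix containing `destination`
    wins. 0.0.0.0/0 contains every IPv4 address but has prefix length 0, so it
    is picked only when nothing more specific exists. That is all a default
    route is; the packet still goes unicast to the listed next hop."""
    addr = ipaddress.ip_address(destination)
    best = None
    for prefix, via in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return None if best is None else (str(best[0]), best[1])


def ip_route(table, network, mask, next_hop):
    """Model IOS 'ip route <network> <mask> <next-hop>' (dotted-quad mask,
    so 0.0.0.0 0.0.0.0 becomes 0.0.0.0/0). Returns a new table."""
    net = ipaddress.ip_network(f"{network}/{mask}")
    return table + [(str(net), next_hop)]


# Three-router lab from the CCENT question. Assumed addressing beyond the
# quoted 10.0.0.5 next hop: R1 LAN 192.168.10.0/24, R1-R2 link 10.0.0.0/30,
# R2-R3 link 10.0.0.4/30 with R2 = 10.0.0.5 and R3 = 10.0.0.6 on Serial0/1.
R3_BEFORE = [("10.0.0.4/30", "Serial0/1")]
R3_SPECIFIC = ip_route(R3_BEFORE, "192.168.10.0", "255.255.255.0", "10.0.0.5")
R3_DEFAULT = ip_route(R3_BEFORE, "0.0.0.0", "0.0.0.0", "10.0.0.5")


if __name__ == "__main__":
    print(lookup(RTR_INSIDE, "192.168.1.10"))   # connected network wins
    print(lookup(RTR_INSIDE, "8.8.8.8"))        # nothing specific: default
    print(lookup(R3_BEFORE, "192.168.10.1"))    # None: R3 cannot reach R1's LAN
    print(lookup(R3_SPECIFIC, "192.168.10.1"))  # static route via R2
    print(lookup(R3_DEFAULT, "192.168.10.1"))   # default route via R2
```

The `None` result for R3 before the route is added is the "Router 3 can ping Router 2 but not Router 1" symptom: with only the directly connected /30 in its table, R3 has no entry that contains 192.168.10.1, and a router with no matching route drops the packet rather than flooding it.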
|
Alright just for fun I'm playing with BGP and set up a simple network. All the basic configuration is done with ospf/eigrp redistributed into the bgp. Everything works. I want to try and force the AS 200 router to send traffic destined for 30.30.30.0/24 over to AS 300 and then let AS 300 handle the traffic, instead of how it currently is where AS 200 sends directly to AS 100. On the AS 200 router I set a weighting for the 86.55.14.2 neighbour so ALL traffic will be sent down that link, except for directly connected stuff. That's pretty cool but it's not quite what I wanted. code:
code:
|
# ¿ Dec 15, 2015 22:01 |
|
quote:bgp Neat. While I'm at it, does anyone have some good ideas for interesting situations that I should try to model and play with?
|
# ¿ Dec 17, 2015 19:47 |
|
Powercrazy posted:Create a transit AS with 5 or so AS's. Then figure out how to prevent it. Because 50gbits of netflix
|
# ¿ Dec 17, 2015 19:51 |
|
Does anyone run a dual stack network or even a fully native IPv6 network? If so, why, and what are some of the benefits?
|
# ¿ Jan 7, 2016 00:25 |