|
jwh posted:The only thing you might want to check is whether you have the Standard Multilayer Image (SMI) or Enhanced Multilayer Image (EMI). There's layer-3 stuff in the EMI that isn't in the SMI. Unfortunately Cisco has abandoned the easily understood EMI vs SMI classification and moved to a router IOS like feature classification system of IP base vs IP services vs IP security vs etc. It's substantially more confusing. http://www.cisco.com/en/US/products/hw/switches/ps5023/prod_release_note09186a008077459b.html#wp754685 jwh posted:1600's aren't worth very much, sadly. True, but I'd suggest keeping them around for lab testing or study purposes.
|
# ¿ Apr 15, 2007 14:36 |
|
|
jwh posted:Still, I'm wondering if anybody has any ideas, or if they've heard of a snmp mib for IPSec SA's.

You might try these:

    snmp-server enable traps isakmp policy add
    snmp-server enable traps isakmp policy delete
    snmp-server enable traps isakmp tunnel start
    snmp-server enable traps isakmp tunnel stop
    snmp-server enable traps ipsec cryptomap add
    snmp-server enable traps ipsec cryptomap delete
    snmp-server enable traps ipsec cryptomap attach
    snmp-server enable traps ipsec cryptomap detach
    snmp-server enable traps ipsec tunnel start
    snmp-server enable traps ipsec tunnel stop
    snmp-server enable traps ipsec too-many-sas
|
# ¿ Apr 23, 2007 23:23 |
|
CrazyLittle posted:How would I go about writing the routes to make traffic pass through from point A -> B:

    router eigrp 1
     no auto-summary
     network 10.0.0.0 255.0.0.0

Out of curiosity; do you have, or know how to make, a T1 crossover cable?
|
# ¿ Apr 24, 2007 01:09 |
|
Korensky posted:Keep in mind this is only good for outbound traffic. You queue/shape/police/drop outbound. You really only mark inbound. There's no point dropping a packet once it's already on the wire. This is a key point to QOS that is often missed. It only works in the direction of transmit, so for the most part QOS is only usable within enterprise networks where QOS policies can be applied end to end.
|
# ¿ Apr 25, 2007 02:55 |
|
sirchode posted:We've got some offices on the other side of the country and I'm imagining having them set up as VLANs managed by our switches and routers over here in the CO, it's a very cool prospect. Think through the implications of a cross country broadcast domain before doing this.
|
# ¿ Apr 28, 2007 05:27 |
|
IBM posted:I always use Hyperterm and didn't know that there were better options. What do you guys recommend instead of Hyperterminal?

Secure CRT. Once you have experienced the glory of the simultaneous cut+paste feature you'll regard Hyperterminal as the neanderthal-grade application that it truly is.
|
# ¿ Apr 28, 2007 20:22 |
|
Thermopyle posted:ip dhcp excluded-address 192.168.100.100 192.168.100.110

You might try taking that access list off the eth 0 interface. The initial DHCP request isn't going to have an address from 192.168.100.0/24 to source from. Alternately, add a deny any any log to the end of the ACL; debugging DHCP would also be a good idea.
|
# ¿ May 3, 2007 00:02 |
|
Ray_ posted:Am I missing something here? Should I add in something like a 3750 with 12 SFPs to act as a core switch (so it would be 2851->3750->->->->->2960)?

OK, what is this "->->->->->" supposed to represent? It better not be a daisy chain of switches.
|
# ¿ May 4, 2007 02:39 |
|
Can any recent test takers comment on the accuracy of this doc on Cisco's site: http://www.cisco.com/comm/applications/CCSICom/Docs/EXAMSCORESSEPTEMBER2005.pdf
|
# ¿ May 4, 2007 17:57 |
|
Paul Boz_ posted:That's outdated. Go to https://www.cisco.com and look for the Careers/Certifications tab at the top. It'll have all of the certification information you need.

Let me try this again, and this time I'll draw you a map. Does anyone know if the passing score for the BGP test 642-661 is indeed 755 as listed in the pdf I linked previously? Said document is obviously open to the public in error as Cisco does not publish their passing scores.
|
# ¿ May 4, 2007 23:47 |
|
Girdle Wax posted:Waiting 40 seconds for spanning tree to reconverge because a gig link dropped, really, really sucks. I think you're looking for uplinkfast & backbonefast. PVST has a bunch of knobs besides portfast & bpduguard. http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094641.shtml http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800c2548.shtml http://www.cisco.com/en/US/tech/tk389/tk621/tsd_technology_support_protocol_home.html
|
# ¿ May 18, 2007 15:41 |
|
^^^^ Blah blah blah spanning-tree blah blah enable portfast. http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00800b1500.shtml
|
# ¿ Jun 1, 2007 23:55 |
|
Weiz posted:OK here are 2 questions:

There's a hardware dependency on support for AES/CCMP. When I messed around with that a year ago it was only supported in the access points. The integrated wireless in the 800/1800 and the wireless WIC didn't support it. Cisco dances around mentioning this in their documentation. If you look on the 1800 data sheet page; WPA2 is mentioned several times, but AES/CCMP isn't listed in the Wireless LAN Security Features table. http://www.cisco.com/en/US/products/ps5853/products_data_sheet0900aecd8028a95f.html

inignot fucked around with this message at 17:09 on Jun 15, 2007
# ¿ Jun 15, 2007 15:54 |
|
jwh posted:Well, I'm no expert, particularly on RIP, but from what I was able to test in a lab, the reason IOS didn't pick up on the fact that you had an interface covered by the 192.168.0.0 statement, is because the RIP configuration is approaching things with a classful mentality. This seems to make a certain sense if you consider that RIPv1 was a classful protocol, and maybe for historical reasons, the IOS configuration was never retrofitted.

^^^^^^ This is correct. The Net Master Class CCIE labs will pound this into your head. RIP sucks, either deal with its dumbass limitations or run a modern IGP. Pro tip: running a modern IGP is less effort.
|
# ¿ Jul 14, 2007 00:25 |
|
XakEp posted:So here's a question. I'm dinking with getting an 1811 and getting a second Internet connection, one DSL the other Cable. Whats the best way to load balance between the two interfaces? CEF or what? As noted I think you're going to be stuck with OERs "dick around with default routing based on ping tests to an upstream address" feature. Two equal metric default routes will load balance on a per session basis without you having to do anything (nat would need some work). The problem is that if you have an ethernet connection to an external dsl or cable modem, that interface isn't going to go down when the dsl or cable service does.
|
# ¿ Jul 25, 2007 23:58 |
|
Arkady posted:Also, how many of you are CCIE? I figured they would be pretty rare.. But they aren't, it seems. vv I'm driving to RTP tomorrow.
|
# ¿ Jul 28, 2007 23:28 |
|
jwh posted:Good luck! Routing and switching? Yeah, I'm going to go put in failure number 2. Given that I haven't even begun to study multicast & QoS I know I'm going to fail. At the very least I get to see another copy of the exam & sanity check my progress on IGP & EGP routing.
|
# ¿ Jul 29, 2007 16:32 |
|
XakEp posted:So how did it go?

It ended much like the ever replayed ski jump by Vinko Bogataj. I was only able to attempt 73 points given my lack of multicast or QoS knowledge. The more I study for this test the more I'm convinced it's just a stupid router tricks test. It's odd to see full reachability via TCL scripted pings of the environment from all devices, yet the score report indicates it was all so utterly wrong. When you are directed to route a network up your rear end on odd numbered Tuesdays I guess you're supposed to sit on it instead of using your hands to insert it. There was actually a substantial difference between the second test vs the first. I improved in IPv6, BGP did not go so well. I think I'm going to put some effort into trying out dynamips. Netmaster Class & Internetwork Expert are producing labs for dynamips. This renting rack time once a week stuff is getting old, and it's clearly not enough.
|
# ¿ Aug 1, 2007 04:15 |
|
TheCaptain posted:Is there a way to alter the access list of a PIX 515e on a live network without it being automatically removed from the interface? I have an entry that needs to go at the very top. Should I just write it up in notepad and execute it quick to minimize downtime? I'm worried about making a typo or something and then I have a half finished ACL with erroneous entries that I have to clean up.

I am crap at PIX, but I've had to write up a bunch of rule changes for our firewall gents to implement. I believe there is a feature for line numbers in PIX ACLs. Pull your existing ACL out & put it back in using gapped line numbers (line 10, line 20, etc) for future expansion.
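An added illustration of the line-number approach, not from this thread. It assumes PIX 7.x / ASA access-list syntax; the ACL name and addresses are hypothetical.

```text
! Existing list, already bound to the outside interface
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.11 eq 25
access-group OUTSIDE_IN in interface outside
!
! Insert a single entry at the top without re-entering the whole list.
! "line 1" places it first; the existing entries move down and the
! access-group binding is left alone, so there is no window with an
! empty or half-built ACL on the interface.
access-list OUTSIDE_IN line 1 extended deny ip 198.51.100.0 255.255.255.0 any
!
! Confirm the resulting order and watch hit counts on the new entry
show access-list OUTSIDE_IN
```

Stage the command in a text editor as suggested above and paste the one line, then check `show access-list` before touching anything else.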
|
# ¿ Aug 1, 2007 22:14 |
|
GOOCHY posted:The company I work for still deploys PIX firewalls like they're going out of style. We're about 5 years behind everybody else when it comes to updating hardware though. Maybe it's a Midwest thing - a lot of the technical contractors around here are still using them as well. I work with a federal agency that is running five year old pix 535's with 6.34 code. They still have CatOS on a couple of switches too. And they wonder why their gear can never support the latest hotshit feature they want, it's a special kind of dumb that I have no sympathy for.
|
# ¿ Aug 5, 2007 20:42 |
|
CrazyLittle posted:Because people who have to work with the stuff value reliability more than they value feature creep. This is a fine rationalization for a situation I'm not in. I work for cranks that run 3000 series vpn concentrators with four year old 3.6.7 code & cry that it doesn't support ssl vpns or NAC. Does not compute.
|
# ¿ Aug 6, 2007 00:19 |
|
TheRouterNinja posted:Good luck. You'll probably get Bobby Thorton, he's awesome, and was by far better than the folks at San Jose. I recently passed this on July 30th, and I'm still floating on the clouds.

Really...that's the day I was in RTP taking the test. If you were in RTP on the same day I was, I assure you I wasn't the doughy Russian guy that was freaking out & bugging the proctor every 10 minutes.

TheRouterNinja posted:BTW, I believe most people who claim to have their CCIE, are just talking about the pre-qualification exam, which isn't even a certification in itself. If they don't give you a number, they're probably not certified.

Hell, a lot of the people that give you the number aren't even certified. I've caught a couple resumes with expired numbers. So which study vendor did you use? I'm using Net Master (hence the 'what would Bruce Caslow do?' avatar that I'm sure is lost on everyone) & Internetwork Expert.
|
# ¿ Aug 9, 2007 01:45 |
|
Girdle Wax posted:Anything with a Plus featureset is supposed to work: The software advisor won't build a 3640 + NM-2FE2W + WIC-1ADSL. It could just be the software advisor isn't up to date.
|
# ¿ Aug 12, 2007 15:06 |
|
Smegmatron posted:Does anybody know of any (free, preferably) software that makes a cisco config a little more presentable or easier for the not-cisco-initiated to read?

Uh? If the customer wants their config audited, and they can't read a config, they probably aren't going to know what to do with your results. Just do what most security auditors do, run nmap, then wave around the results & blather loudly and dramatically about some random port having a "hash checksum injection" vulnerability that is "serious business".
|
# ¿ Aug 16, 2007 12:37 |
|
Look into 802.1x to authenticate wireless users; it can use radius, which can in turn use AD.
|
# ¿ Aug 17, 2007 20:12 |
|
snadsnad posted:Thanks for this, should help me get a better idea of the big picture as to how everything is supposed to tie together. In the meantime I'm trying to rollout 2 SSIDs on the AP, both with WPA. The problem I've encountered is that I cannot get an IP via our domain DHCP server at all, I'm sure I'm missing an obvious setting but I've tried dhcp smart-relay and all sorts of other helper addresses. Here is the config: Remember you're creating a trunk on the ethernet port. What vlan on the switch gets you to your dhcp server? You may either have to set that as the native vlan on the switch side of the trunk; or create a new subinterface on the AP for that vlan. Compare a 'show int trunk' on both sides.
|
# ¿ Aug 23, 2007 14:05 |
|
Analog LED posted:I'm curious, who here has dealt with TAC and how are they with solving your issues?

TAC's usefulness is inversely proportional to your level of experience. When you're first starting out & need to know how to get OSPF up on your point to point T1, TAC is seemingly god-like. When you have 10 years of experience and you ask them why your redistribution route map isn't applying tags to all the networks in your prefix list, and all you get from TAC is a blank stare, then you tend to think they suck.
|
# ¿ Aug 31, 2007 03:37 |
|
Cidrick posted:Pix feeds switches... What kind of switch do you have? If it does layer 3 you could do your routing there. Even if it's only layer 2 you (I think) can form a trunk with the pix & set up sub interfaces for more 'routing' on the pix.
|
# ¿ Sep 1, 2007 01:50 |
|
luma posted:When I have a server that has multiple NICs tied into one switch I can bond those NICs and configure them to create one channel for both transmit and receive load balancing via LACP/802.3ad...blah blah blah Read this. http://www.cisco.com/en/US/tech/tk389/tk213/technologies_configuration_example09186a008089a821.shtml
|
# ¿ Oct 1, 2007 20:27 |
|
luma posted:My issue is that my configuration is hard-wired in a manner outlined in my second diagram, and the two switches themselves do not support clustering, which I'm told is a requirement. So the question standing is whether my third diagram could work. I don't think LACP is going to work in scenario 2 or 3. Active/Active load balanced connections need to terminate to the same switch (or switch stack). See if your nics or os support some kind of active/standby failover option based on link status or ping polling.
|
# ¿ Oct 1, 2007 21:55 |
|
You could try this: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/l2pt.html#wp999408 I have no idea if this will tunnel LACP. I've only ever used it once, and that was to tunnel CDP for ODR updates between two routers connected to a switch not running ODR, but only for an obtuse CCIE study scenario. I think the design concept is just screwed.
|
# ¿ Oct 2, 2007 17:26 |
|
Has anyone here ever successfully used the Certificate Authority feature of IOS for DMVPN authentication? ISAKMP wildcards are a no go in this environment. TAC has been giving me a blank stare for weeks, and my SE's don't know anyone that's used it either.
|
# ¿ Oct 15, 2007 22:29 |
|
jwh posted:Everything's gone great, generally, except for one older 4510R running an older IOS image (12.2(18)EW).
- spanning-tree problem persists when topology reduced to no loops to block
- nothing in logs
- debug shows nothing

Sounds like some obscure code issue. I dunno, try upgrading the code and see what happens. Other than that, try running the same debugs on whatever the 4510 is uplinked to.
|
# ¿ Oct 23, 2007 12:08 |
|
CrazyLittle posted:Is it possible to break out individual serial T1s (for MLPPP, bonded t1) from a ATM-IMA card? Eh? MLPPP and ATM-IMA are two totally different types of link bonding. I really doubt you're going to get anywhere with this. Actually, without a spare ATM switch I don't think you're going to be able to do anything with the IMA card.
|
# ¿ Oct 23, 2007 21:55 |
|
CrazyLittle posted:That's why I'm asking. MLPPP is a software implementation on top of whatever interfaces you put into the bundle, right? So if I could break out individual Serial T1's instead of using the IMA bundle, couldn't I do MLPPP? Basically I have that IMA card with 8 ports in my lab, and I've got a 2611 with two WIC-T1s in it. I was wondering what it would take to connect the two together. Ok, here's the short way to test this. Try to use "encap ppp" on one of your IMA interfaces.
|
# ¿ Oct 23, 2007 23:19 |
|
Girdle Wax posted:
That can be a misleading metric though, the whole point of the distributed switching cards is that intra slot switching doesn't have to touch the backplane.
|
# ¿ Nov 6, 2007 13:49 |
|
Yeah, I'm sure you can rig up some awful, contrived bridging config to do that. http://www.cisco.com/pcgi-bin/search/search.pl?siteToSearch=cisco.com&searchPhrase=bridging&country=US&language=en&filter=p&search=Search
|
# ¿ Nov 29, 2007 01:58 |
|
CrazyLittle posted:How often do any of you guys configure loopback interfaces on your routers, and what do you tend to use them for?

I use loopbacks on all my routers. They are used for the routing protocol router id, the snmp trap source, the tacacs source, the ntp source, the syslog source, and the icmp/snmp polling destination.
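The loopback-as-source pattern from the reply above, written out as an added IOS example (not from the thread). Addresses, the OSPF process number and the interface name are hypothetical.

```text
! One /32 loopback; it never goes down, so every management flow keeps
! the same source address regardless of which physical link is up.
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! Routing protocol router ID pinned to the loopback address
router ospf 1
 router-id 10.255.0.1
!
! Management traffic sourced from the loopback rather than an egress interface
snmp-server trap-source Loopback0
ip tacacs source-interface Loopback0
ntp source Loopback0
logging source-interface Loopback0
ip ssh source-interface Loopback0
!
! Verification
show ip ospf | include Router ID
show ntp status
show logging | include Loopback
```

With one stable address per router, the syslog, NTP, TACACS+ and SNMP servers can restrict their client ACLs to the loopback block, and pollers can target the loopback instead of a physical interface that may flap.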
|
# ¿ Nov 30, 2007 22:43 |
|
jwh posted:This isn't exactly true- EasyVPN is the umbrella for the IPSec VPN parts and pieces- both client and server componentry. You can connect from the IPSec client to any Easy VPN server (IOS, ASA, etc). Call me old school (or just dumb) if you want, but every EZ-VPN example code I've ever seen has looked like incoherent gibberish. I'll take crypto maps, or tunnel protect, or DMVPN over that EZ-VPN nonsense any day.
|
# ¿ Dec 7, 2007 22:13 |
|
|
I believe it only works on Fast/Gigabit Ethernet interfaces. Ethernet (10 Mb/s) will not work.
|
# ¿ Dec 8, 2007 15:37 |