inignot
Sep 1, 2003

WWBCD?

jwh posted:

The only thing you might want to check is whether you have the Standard Multilayer Image (SMI) or Enhanced Multilayer Image (EMI). There's layer-3 stuff in the EMI that isn't in the SMI.

Unfortunately Cisco has abandoned the easily understood EMI vs SMI classification and moved to a router-IOS-like feature classification system of IP Base vs IP Services vs IP Security vs etc. It's substantially more confusing.

http://www.cisco.com/en/US/products/hw/switches/ps5023/prod_release_note09186a008077459b.html#wp754685

jwh posted:

1600's aren't worth very much, sadly.

True, but I'd suggest keeping them around for lab testing or study purposes.

inignot
Sep 1, 2003

WWBCD?

jwh posted:

Still, I'm wondering if anybody has any ideas, or if they've heard of a snmp mib for IPSec SA's.

You might try these:

snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas

inignot
Sep 1, 2003

WWBCD?

CrazyLittle posted:

How would I go about writing the routes to make traffic pass through from point A -> B:

Use 10.whatever on all your interfaces, then enable eigrp per below.

router eigrp 1
no auto-summary
network 10.0.0.0 255.0.0.0

Out of curiosity; do you have, or know how to make, a t1 crossover cable?

inignot
Sep 1, 2003

WWBCD?

Korensky posted:

Keep in mind this is only good for outbound traffic. You queue/shape/police/drop outbound. You really only mark inbound. There's no point dropping a packet once it's already on the wire.

This is a key point to QOS that is often missed. It only works in the direction of transmit, so for the most part QOS is only usable within enterprise networks where QOS policies can be applied end to end.

inignot
Sep 1, 2003

WWBCD?

sirchode posted:

We've got some offices on the other side of the country and I'm imagining having them set up as VLANs managed by our switches and routers over here in the CO, it's a very cool prospect.

Think through the implications of a cross country broadcast domain before doing this.

inignot
Sep 1, 2003

WWBCD?

IBM posted:

I always use Hyperterm and didn't know that there were better options. What do you guys recommend instead of Hyperterminal?

Secure CRT. Once you have experienced the glory of the simultaneous cut+paste feature you'll regard hyperterminal as the Neanderthal-grade application that it truly is.

inignot
Sep 1, 2003

WWBCD?

Thermopyle posted:

ip dhcp excluded-address 192.168.100.100 192.168.100.110
!
ip dhcp pool DHCPPOOL
network 192.168.100.0 255.255.255.0
dns-server 208.207.96.10 208.207.96.12
default-router 192.168.100.100
lease infinite

interface Ethernet0
ip address 192.168.100.100 255.255.255.0
ip access-group 101 in
no ip proxy-arp
ip nat inside

access-list 101 deny udp any eq netbios-dgm any
access-list 101 deny udp any eq netbios-ns any
access-list 101 deny udp any eq netbios-ss any
access-list 101 deny tcp any eq 137 any
access-list 101 deny tcp any eq 138 any
access-list 101 deny tcp any eq 139 any
access-list 101 permit ip 192.168.100.0 0.0.0.255 any

You might try taking that access list off the eth 0 interface. The initial dhcp request isn't going to have an address from 192.168.100.0/24 to source from. Alternately add a deny any any log to the end of the acl, debugging dhcp would also be a good idea.
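To see why the posted ACL blocks the first DHCP exchange, here is an added Python model of IOS first-match ACL evaluation (example code, not from the thread or from Cisco): it parses the ACL exactly as posted, runs a constructed DHCP DISCOVER through it, then repeats with a hypothetical permit for client-to-server DHCP traffic. It models only the ACL text itself; any special handling IOS gives the router's own DHCP traffic is outside what it shows.

```python
import ipaddress

# IOS port keywords used in the posted ACL, plus the DHCP pair.
NAMED_PORTS = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139, "bootps": 67, "bootpc": 68}

def _parse_endpoint(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' [eq PORT]; return (net, port, rest)."""
    if tokens[0] == "any":
        net, tokens = ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    elif tokens[0] == "host":
        net, tokens = ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    else:  # IOS wildcard mask: 0 bits must match (assumes a contiguous wildcard)
        prefix = bin(~int(ipaddress.IPv4Address(tokens[1])) & 0xFFFFFFFF).count("1")
        net, tokens = ipaddress.IPv4Network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]
    port = None
    if tokens and tokens[0] == "eq":
        port, tokens = NAMED_PORTS.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return net, port, tokens

def parse_acl(lines):
    """Parse 'access-list N action proto src [eq p] dst [eq p]' into (action, proto, src, sport, dst, dport)."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue  # blank line or syntax outside the subset modelled here
        src, sport, rest = _parse_endpoint(t[4:])
        dst, dport, _ = _parse_endpoint(rest)
        entries.append((t[2], t[3], src, sport, dst, dport))
    return entries

def evaluate(entries, proto, src, sport, dst, dport):
    """First-match lookup ending in the implicit 'deny ip any any' every IOS ACL has.
    Returns (action, 1-based ACL line matched, or None for the implicit deny)."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for n, (action, eproto, esrc, esport, edst, edport) in enumerate(entries, 1):
        if eproto in ("ip", proto) and src in esrc and dst in edst \
                and esport in (None, sport) and edport in (None, dport):
            return action, n
    return "deny", None

# The ACL exactly as posted.
POSTED_ACL = """
access-list 101 deny udp any eq netbios-dgm any
access-list 101 deny udp any eq netbios-ns any
access-list 101 deny udp any eq netbios-ss any
access-list 101 deny tcp any eq 137 any
access-list 101 deny tcp any eq 138 any
access-list 101 deny tcp any eq 139 any
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
""".strip().splitlines()

# What a client with no lease yet sends (constructed): 0.0.0.0:68 -> 255.255.255.255:67.
DISCOVER = ("udp", "0.0.0.0", 68, "255.255.255.255", 67)

def posted_result():
    return evaluate(parse_acl(POSTED_ACL), *DISCOVER)  # -> ('deny', None): falls to the implicit deny

def fixed_result():
    # Hypothetical fix: an explicit client->server DHCP permit ahead of the subnet permit.
    fixed = POSTED_ACL[:-1] + ["access-list 101 permit udp any eq bootpc any eq bootps"] + POSTED_ACL[-1:]
    return evaluate(parse_acl(fixed), *DISCOVER)  # -> ('permit', 7)
```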

inignot
Sep 1, 2003

WWBCD?

Ray_ posted:

Am I missing something here? Should I add in something like a 3750 with 12 SFPs to act as a core switch (so it would be 2851->3750->->->->->2960)?

OK, what is this "->->->->->" supposed to represent? It better not be a daisy chain of switches.

inignot
Sep 1, 2003

WWBCD?
Can any recent test takers comment on the accuracy of this doc on Cisco's site:

http://www.cisco.com/comm/applications/CCSICom/Docs/EXAMSCORESSEPTEMBER2005.pdf

inignot
Sep 1, 2003

WWBCD?

Paul Boz_ posted:

That's out dated. Go to https://www.cisco.com and look for the Careers/Certifications tab at the top. It'll have all of the certification information you need.

Let me try this again, and this time I'll draw you a map. Does anyone know if the passing score for the bgp test 642-661 is indeed 755 as listed in the pdf I linked previously? Said document is obviously open to the public in error as Cisco does not publish their passing scores.

inignot
Sep 1, 2003

WWBCD?

Girdle Wax posted:

Waiting 40 seconds for spanning tree to reconverge because a gig link dropped, really, really sucks.

I think you're looking for uplinkfast & backbonefast. PVST has a bunch of knobs besides portfast & bpduguard.

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094641.shtml
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800c2548.shtml
http://www.cisco.com/en/US/tech/tk389/tk621/tsd_technology_support_protocol_home.html

inignot
Sep 1, 2003

WWBCD?
^^^^

Blah blah blah spanning-tree blah blah enable portfast.

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00800b1500.shtml

inignot
Sep 1, 2003

WWBCD?

Weiz posted:

OK here are 2 questions:

2) We have this 1811W at the office, I've managed to fumble my way around setting up Wi-Fi with WPA-PSK using TKIP however I didn't manage to find anything referencing the use of AES/CCMP. Am I missing something or is the feature simply not there?

There's a hardware dependency on support for AES/CCMP. When I messed around with that a year ago it was only supported in the access points. The integrated wireless in the 800/1800 and the wireless WIC didn't support it. Cisco dances around mentioning this in their documentation. If you look on the 1800 data sheet page; WPA2 is mentioned several times, but AES/CCMP isn't listed in the Wireless LAN Security Features table.

http://www.cisco.com/en/US/products/ps5853/products_data_sheet0900aecd8028a95f.html

inignot fucked around with this message at 17:09 on Jun 15, 2007

inignot
Sep 1, 2003

WWBCD?

jwh posted:

Well, I'm no expert, particularly on RIP, but from what I was able to test in a lab, the reason IOS didn't pick up on the fact that you had an interface covered by the 192.168.0.0 statement, is because the RIP configuration is approaching things with a classful mentality. This seems to make a certain sense if you consider that RIPv1 was a classful protocol, and maybe for historical reasons, the IOS configuration was never retrofitted.

So in other words, it looks to me like IOS uses the RIP network statement along classful boundaries. Even though your interface is technically 'covered' by the larger supernet of 192.168.0.0/16, IOS is considering 192.168.0.0 classfully, which would match the 192.168.0 portion of the network, because 192.168 is part of class C or /24 classful address space.

That's my theory anyway, it seems to be true, even if it is a little brain-dead on the part of IOS.

Debugging commands were 'debug ip rip event' and 'debug ip rip database' I think, and then the 'debug ip packet' example that's included in the text I wrote. Be careful with debug ip packet, because I have successfully killed production devices with it.
^^^^^^
This is correct. The Net Master Class CCIE labs will pound this into your head.

RIP sucks, either deal with its dumbass limitations or run a modern IGP. Pro tip: running a modern IGP is less effort.
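The classful normalization jwh describes, as an added Python illustration (example code, not from the thread or from IOS): each network statement is folded to its classful network the way IOS stores it, and an interface is RIP-enabled only if its address falls inside one of those networks; the lab interface addresses are constructed.

```python
import ipaddress

def classful_prefix(first_octet):
    """Classful prefix length from the first octet: A=/8, B=/16, C=/24."""
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError("class D/E addresses are not valid RIP network statements")

def rip_network_statement(addr):
    """What IOS stores for 'router rip' / 'network ADDR': the classful network containing ADDR.
    'network 192.168.0.0' stays 192.168.0.0/24; 'network 10.1.0.0' becomes 10.0.0.0/8."""
    ip = ipaddress.IPv4Address(addr)
    return ipaddress.IPv4Network(f"{ip}/{classful_prefix(int(ip) >> 24)}", strict=False)

def rip_enabled_interfaces(statements, interfaces):
    """Names of interfaces whose address falls inside any classful network statement.
    Only the interface address is compared; its configured mask plays no part, which is
    why a /16 'supernet' statement never reaches a 192.168.5.x interface."""
    nets = [rip_network_statement(s) for s in statements]
    enabled = []
    for name, addr_with_mask in interfaces:
        ip = ipaddress.IPv4Interface(addr_with_mask).ip
        if any(ip in net for net in nets):
            enabled.append(name)
    return enabled

# Constructed lab router: two class C LANs and a class A serial link.
LAB_INTERFACES = [
    ("Fa0/0", "192.168.0.1/24"),
    ("Fa0/1", "192.168.5.1/24"),
    ("Se0/0", "10.1.1.1/30"),
]

def supernet_statement_only():
    # The configuration from the quoted post: one 'network 192.168.0.0' meant as a /16.
    return rip_enabled_interfaces(["192.168.0.0"], LAB_INTERFACES)  # -> ['Fa0/0']

def one_statement_per_classful_network():
    # 10.1.1.0 is folded to 10.0.0.0/8, so Se0/0 is covered as well.
    return rip_enabled_interfaces(["192.168.0.0", "192.168.5.0", "10.1.1.0"], LAB_INTERFACES)
```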

inignot
Sep 1, 2003

WWBCD?

XakEp posted:

So here's a question. I'm dinking with getting an 1811 and getting a second Internet connection, one DSL the other Cable. What's the best way to load balance between the two interfaces? CEF or what?

As noted I think you're going to be stuck with OERs "dick around with default routing based on ping tests to an upstream address" feature.

Two equal metric default routes will load balance on a per session basis without you having to do anything (nat would need some work). The problem is that if you have an ethernet connection to an external dsl or cable modem, that interface isn't going to go down when the dsl or cable service does.

inignot
Sep 1, 2003

WWBCD?

Arkady posted:

Also, how many of you are CCIE? I figured they would be pretty rare.. But they aren't, it seems. v:shobon:v

I'm driving to RTP tomorrow. :ninja:

inignot
Sep 1, 2003

WWBCD?

jwh posted:

Good luck! Routing and switching?

Yeah, I'm going to go put in failure number 2. Given that I haven't even begun to study multicast & QoS I know I'm going to fail. At the very least I get to see another copy of the exam & sanity check my progress on IGP & EGP routing.

inignot
Sep 1, 2003

WWBCD?

XakEp posted:

So how did it go?

It ended much like the ever replayed ski jump by Vinko Bogataj. I was only able to attempt 73 points given my lack of multicast or qos knowledge.

The more I study for this test the more I'm convinced it's just a stupid router tricks test. It's odd to see full reachability via TCL scripted pings of the environment from all devices, yet the score report indicates it was all so utterly wrong. When you are directed to route a network up your rear end on odd numbered Tuesdays I guess you're supposed to sit on it instead of using your hands to insert it.

There was actually a substantial difference between the second test vs the first. I improved in IPv6, BGP did not go so well.

I think I'm going to put some effort into trying out dynamips. Netmaster Class & Internetwork Expert are producing labs for dynamips. This renting rack time once a week stuff is getting old, and it's clearly not enough.

inignot
Sep 1, 2003

WWBCD?

TheCaptain posted:

Is there a way to alter the access list of a PIX 515e on a live network without it being automatically removed from the interface? I have an entry that needs to go at the very top. :argh: Should I just write it up in notepad and execute it quick to minimize downtime? I'm worried about making typo or something and then I have a half finished ACL with erroneous entries that I have to clean up.

So, editing a firewall ACL without downtime. Impossible?

I am crap at PIX, but I've had to write up a bunch of rule changes for our firewall gents to implement. I believe there is a feature for line numbers in PIX acls. Pull your existing ACL out & put it back in using gapped line numbers (line 10, line 20, etc) for future expansion.

inignot
Sep 1, 2003

WWBCD?

GOOCHY posted:

The company I work for still deploys PIX firewalls like they're going out of style. We're about 5 years behind everybody else when it comes to updating hardware though. Maybe it's a Midwest thing - a lot of the technical contractors around here are still using them as well.

I work with a federal agency that is running five year old pix 535's with 6.34 code. They still have CatOS on a couple of switches too. And they wonder why their gear can never support the latest hotshit feature they want, it's a special kind of dumb that I have no sympathy for.

inignot
Sep 1, 2003

WWBCD?

CrazyLittle posted:

Because people who have to work with the stuff value reliability more than they value feature creep.

This is a fine rationalization for a situation I'm not in. I work for cranks that run 3000 series vpn concentrators with four year old 3.6.7 code & cry that it doesn't support ssl vpns or NAC. Does not compute.

inignot
Sep 1, 2003

WWBCD?

TheRouterNinja posted:

Good luck. You'll probably get Bobby Thorton, he's awesome, and was by far better than the folks at San Jose. I recently passed this on July 30th, and i'm still floating on the clouds.

Really...that's the day I was in RTP taking the test. If you were in RTP on the same day I was, I assure you I wasn't the doughy Russian guy that was freaking out & bugging the proctor every 10 minutes.

TheRouterNinja posted:

BTW, I believe most people who claim to have their CCIE, are just talking about the pre-qualification exam, which isn't even a certification in itself. If they don't give you a number, they're probably not certified.

Hell, a lot of the people that give you the number aren't even certified. I've caught a couple resumes with expired numbers.

So which study vendor did you use? I'm using Net Master (hence the 'what would Bruce Caslow do?' avatar that I'm sure is lost on everyone) & Internetwork Expert.

inignot
Sep 1, 2003

WWBCD?

Girdle Wax posted:

Anything with a Plus featureset is supposed to work:
http://www.cisco.com/en/US/products/hw/routers/ps214/products_tech_note09186a00800ae37f.shtml

The software advisor won't build a 3640 + NM-2FE2W + WIC-1ADSL. It could just be the software advisor isn't up to date.

inignot
Sep 1, 2003

WWBCD?

Smegmatron posted:

Does anybody know of any (free, preferably) software that makes a cisco config a little more presentable or easier for the not-cisco-initiated to read?

I'm in the middle of doing the paperwork side of a security audit, and part of what the client wants is their firewall/router configs examined, any weaknesses identified, etc, etc. This means it has to go in the audit document. This means my awesome document now looks crap.

Anybody know of anything at all?

Uh? If the customer wants their config audited, and they can't read a config, they probably aren't going to know what to do with your results.

Just do what most security auditors do, run nmap, then wave around the results & blather loudly and dramatically about some random port having a "hash checksum injection" vulnerability that is "serious business".

inignot
Sep 1, 2003

WWBCD?
Look into 802.1x to authenticate wireless users; it can use radius, which can in turn use AD.

inignot
Sep 1, 2003

WWBCD?

snadsnad posted:

Thanks for this, should help me get a better idea of the big picture as to how everything is supposed to tie together. In the meantime I'm trying to rollout 2 SSIDs on the AP, both with WPA. The problem I've encountered is that I cannot get an IP via our domain DHCP server at all, I'm sure I'm missing an obvious setting but I've tried dhcp smart-relay and all sorts of other helper addresses. Here is the config:

code:
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 hold-queue 160 in
!
interface BVI1
 ip address dhcp client-id FastEthernet0
 no ip route-cache
!

Remember you're creating a trunk on the ethernet port. What vlan on the switch gets you to your dhcp server? You may either have to set that as the native vlan on the switch side of the trunk; or create a new subinterface on the AP for that vlan. Compare a 'show int trunk' on both sides.

inignot
Sep 1, 2003

WWBCD?

Analog LED posted:

I'm curious, who here has dealt with TAC and how are they with solving your issues?

TAC's usefulness is inversely proportional to your level of experience. When you're first starting out & need to know how to get OSPF up on your point to point T1, TAC is seemingly god-like. When you have 10 years of experience and you ask them why your redistribution route map isn't applying tags to all the networks in your prefix list, and all you get from TAC is a blank stare, then you tend to think they suck.

inignot
Sep 1, 2003

WWBCD?

Cidrick posted:

Pix feeds switches...

What kind of switch do you have? If it does layer 3 you could do your routing there. Even if it's only layer 2 you (I think) can form a trunk with the pix & set up sub interfaces for more 'routing' on the pix.

inignot
Sep 1, 2003

WWBCD?

luma posted:

When I have a server that has multiple NICs tied into one switch I can bond those NICs and configure them to create one channel for both transmit and receive load balancing via LACP/802.3ad...blah blah blah

Read this.

http://www.cisco.com/en/US/tech/tk389/tk213/technologies_configuration_example09186a008089a821.shtml

inignot
Sep 1, 2003

WWBCD?

luma posted:

My issue is that my configuration is hard-wired in a manner outlined in my second diagram, and the two switches themselves do not support clustering, which I'm told is a requirement. So the question standing is whether my third diagram could work.

I don't think LACP is going to work in scenario 2 or 3. Active/Active load balanced connections need to terminate to the same switch (or switch stack). See if your nics or os support some kind of active/standby failover option based on link status or ping polling.

inignot
Sep 1, 2003

WWBCD?
You could try this:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/l2pt.html#wp999408

I have no idea if this will tunnel LACP. I've only ever used it once, and that was to tunnel CDP for ODR updates between two routers connected to a switch not running ODR, but only for an obtuse CCIE study scenario.

I think the design concept is just screwed.

inignot
Sep 1, 2003

WWBCD?
Has anyone here ever successfully used the Certificate Authority feature of IOS for DMVPN authentication? ISAKMP wildcards are a no go in this environment. TAC has been giving me a blank stare for weeks, and my SE's don't know anyone that's used it either.

inignot
Sep 1, 2003

WWBCD?

jwh posted:

Everything's gone great, generally, except for one older 4510R running an older IOS image (12.2(18)EW).

Whenever rapid spanning-tree is enabled on the 4510, it works fine for a while, and then suddenly whole vlans will stop forwarding for between five and thirty seconds. Then everything goes back to normal, and there's no indication of what might have happened. Spanning-tree debugging doesn't indicate a root bridge change, and I've disconnected all redundant trunks to this switch, but the problem persists.

-spanning-tree problem persists when topology reduced to no loops to block
-nothing in logs
-debug shows nothing

Sounds like some obscure code issue. I dunno, try upgrading the code and see what happens. Other than that, try running the same debugs on whatever the 4510 is uplinked to.

inignot
Sep 1, 2003

WWBCD?

CrazyLittle posted:

Is it possible to break out individual serial T1s (for MLPPP, bonded t1) from a ATM-IMA card?

Eh? MLPPP and ATM-IMA are two totally different types of link bonding. I really doubt you're going to get anywhere with this. Actually, without a spare ATM switch I don't think you're going to be able to do anything with the IMA card.

inignot
Sep 1, 2003

WWBCD?

CrazyLittle posted:

That's why I'm asking. MLPPP is a software implementation on top of whatever interfaces you put into the bundle, right? So if I could break out individual Serial T1's instead of using the IMA bundle, couldn't I do MLPPP? Basically I have that IMA card with 8 ports in my lab, and I've got a 2611 with two WIC-T1s in it. I was wondering what it would take to connect the two together.

Ok, here's the short way to test this. Try to use "encap ppp" on one of your IMA interfaces.

inignot
Sep 1, 2003

WWBCD?

Girdle Wax posted:
The 6500/7600 8x 10GbE cards are also 2:1 oversubscribed (Cisco seems to like their 40G/slot fabrics)

That can be a misleading metric though, the whole point of the distributed switching cards is that intra slot switching doesn't have to touch the backplane.

inignot
Sep 1, 2003

WWBCD?
Yeah, I'm sure you can rig up some awful, contrived bridging config to do that.

http://www.cisco.com/pcgi-bin/search/search.pl?siteToSearch=cisco.com&searchPhrase=bridging&country=US&language=en&filter=p&search=Search

inignot
Sep 1, 2003

WWBCD?

CrazyLittle posted:

How often do any of you guys configure loopback interfaces on your routers, and what do you tend to use them for?

I use loopbacks on all my routers. They are used for the routing protocol router id, the snmp trap source, the tacacs source, the ntp source, the syslog source, and the icmp/snmp polling destination.

inignot
Sep 1, 2003

WWBCD?

jwh posted:

This isn't exactly true- EasyVPN is the umbrella for the IPSec VPN parts and pieces- both client and server componentry. You can connect from the IPSec client to any Easy VPN server (IOS, ASA, etc).

Call me old school (or just dumb) if you want, but every EZ-VPN example code I've ever seen has looked like incoherent gibberish. I'll take crypto maps, or tunnel protect, or DMVPN over that EZ-VPN nonsense any day.

inignot
Sep 1, 2003

WWBCD?
I believe it only works on fast/gig ethernet interfaces. Ethernet (10Mbs) will not work.
