edit: Nvm figured it out, user has a DSL connection so it isn't transferring the source IP of the external machine.
Sepist fucked around with this message at 16:46 on Dec 3, 2010
# Dec 3, 2010 16:07
|
|
Does anyone have any good information links for building and troubleshooting IPSec tunnels? I have a good grasp of ICND1-level work in the Cisco environment. There is a position that needs to be filled in our company that I have a recommendation from my boss to fill, but our Network Architect asks that I learn how to build an IPSec tunnel and be able to determine whether local or remote issues are causing traffic not to pass.
|
# Dec 30, 2010 14:24
|
Thanks for the debug tip and your previous posts Bardlebee - I was able to get an IPSec tunnel up in an hour or so; gonna throw it on our test lab instead of Cisco Packet Tracer and see how it goes.
|
# Dec 30, 2010 19:00
|
Update to last post: after getting a router-to-router IPSec tunnel running I moved on to an ASA-to-router setup. I've been working on this since the last post and have been unsuccessful. If I take out the commands on the router I can ping the ASA, but once I add them I can no longer ping it; I'm guessing because it is now trying to pass IPSec traffic which the ASA is not answering. This is a test lab that someone else touches and I think our work is colliding. Here's the ASA's config, then the router's; anything with CISCO or JOSH is my work:

: ASA Version 7.0(8)
!
hostname LAB-ASA
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.10.10.5 255.255.255.0
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 ip address 192.168.10.5 255.255.255.0
!
interface GigabitEthernet0/2
 nameif joshtest
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif andrewlabvpn
 security-level 100
 ip address 172.16.100.2 255.255.0.0
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list 121_list extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list Inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list andrewvpn3 extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list ipsec-conn extended permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list ipsec extended permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
logging buffered debugging
mtu outside 1500
mtu andrewlabvpn 1500
mtu joshtest 1500
no failover
icmp permit any outside
icmp permit any joshtest
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
access-group 121_list in interface outside
access-group 121_list out interface outside
access-group 121_list in interface andrewlabvpn
access-group 121_list out interface andrewlabvpn
route outside 0.0.0.0 0.0.0.0 10.10.10.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set andrewvpn3 esp-3des esp-none
crypto ipsec transform-set 192.168.20.4 esp-3des esp-none
crypto ipsec transform-set CISCO esp-3des esp-none
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map vpnforandrew 1 match address andrewvpn3
crypto map vpnforandrew 1 set peer 192.168.20.4
crypto map vpnforandrew 1 set security-association lifetime seconds 28800
crypto map vpnforandrew 1 set security-association lifetime kilobytes 4608000
crypto map andrewvpn3 1 set security-association lifetime seconds 28800
crypto map andrewvpn3 1 set security-association lifetime kilobytes 4608000
crypto map ANDREWVPN 1 set transform-set andrewvpn3
crypto map ANDREWVPN 1 set security-association lifetime seconds 28800
crypto map ANDREWVPN 1 set security-association lifetime kilobytes 4608000
crypto map 192.168.20.4 1 match address 121_list
crypto map 192.168.20.4 1 set peer 192.168.20.4
crypto map 192.168.20.4 1 set transform-set 192.168.20.4
crypto map 192.168.20.4 1 set security-association lifetime seconds 28800
crypto map 192.168.20.4 1 set security-association lifetime kilobytes 4608000
crypto map 192.168.20.4 interface outside
crypto map CISCO 10 match address ipsec-conn
crypto map CISCO 10 set peer 10.10.10.4
crypto map CISCO 10 set transform-set CISCO
crypto map CISCO 10 set security-association lifetime seconds 28800
crypto map CISCO 10 set security-association lifetime kilobytes 4608000
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 60 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 60 retry 2
tunnel-group 10.10.10.2 type ipsec-l2l
tunnel-group 10.10.10.2 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 60 retry 2
tunnel-group 192.168.20.4 type ipsec-l2l
tunnel-group 192.168.20.4 ipsec-attributes
 pre-shared-key *
tunnel-group 10.10.10.3 type ipsec-l2l
tunnel-group 10.10.10.3 ipsec-attributes
 pre-shared-key *
tunnel-group 10.10.10.4 type ipsec-l2l
tunnel-group 10.10.10.4 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:eeb9f41dafbecd59f40595a40d181582
: end

And here is the router:

R4#sh run
Building configuration...

Current configuration : 6178 bytes
!
! Last configuration change at 15:03:01 EST Thu Dec 30 2010 by scott
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
!
aaa session-id common
clock timezone EST -5
ip cef
!
!
!
!
ip domain name lab.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
template vpn
!
!
crypto pki trustpoint R2
 enrollment url http://10.10.10.2:80
 serial-number
 revocation-check none
!
crypto pki trustpoint TP-self-signed-3106161338
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3106161338
 revocation-check none
 rsakeypair TP-self-signed-3106161338
!
!
crypto pki certificate chain R2
 certificate ca 01
  308201F3 3082015C A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  0D310B30 09060355 04031302 5232301E 170D3130 31323038 31333532 35375A17
  0D313331 32303731 33353235 375A300D 310B3009 06035504 03130252 3230819F
  300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100B92E 0CBD911E
  1C110EB2 3F241A23 1918A970 3337A265 CF847A14 C9EDD8FC 949C87EA D63A5843
  83D03E7E 5B1F198B A770C867 F67BC68C 28B08C3F F39324F8 C4E6BE38 4060A7FB
  C631373D 36962CB2 1667AB6F D2291E6F E183B5CE 20BDC773 388D6EDD D764418F
  663418DF BFAAEBFE 0E26BE4E 804C6FA1 200C3EB2 690CDA75 A2230203 010001A3
  63306130 0F060355 1D130101 FF040530 030101FF 300E0603 551D0F01 01FF0404
  03020186 301F0603 551D2304 18301680 14CB0CBF 4CD016E4 C3F8F233 2DCE0654
  DA666E16 0A301D06 03551D0E 04160414 CB0CBF4C D016E4C3 F8F2332D CE0654DA
  666E160A 300D0609 2A864886 F70D0101 04050003 81810018 41A0AD17 7A9C9C27
  C6E31296 854D1B3F EBABC791 D51ED1D2 8BC76089 074B033F 1A9BA6D5 9E2113CF
  2CAA4E31 14A490AC 96BA97E6 4CEE6A3E AACDD7F4 D573AC5D F0541530 48FD23C6
  C65158A4 2C3F40B7 6120A622 0D6A5E7A C6FCBBD5 10BF9710 DF695DDF C6319847
  AD27A7C7 5455E247 66DD49A4 60023E1F 29C6EC29 0121D9
  quit
crypto pki certificate chain TP-self-signed-3106161338
 certificate self-signed 01
  30820242 308201AB A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33313036 31363133 3338301E 170D3130 31323239 30383034
  31345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 31303631
  36313333 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C0C1 B3BC813E 8BF0E40D 034CD7B2 1BD70809 6F2D29EF 6C27CD24 253EDB82
  34159342 9DBB2B19 021C58AD CEE59E87 2A0A91EF 01B6B85B B0BAD2F4 1594514B
  408CBD5D 721F0515 16BE189B 93AE078E 6417F37C A459C3C9 0C108125 F5CBC632
  AA60A498 4B3313DD 9F298E26 22814D5E 3191B21D EF14872E 306DC7DE A6CD2902
  53C70203 010001A3 6A306830 0F060355 1D130101 FF040530 030101FF 30150603
  551D1104 0E300C82 0A52342E 6C61622E 636F6D30 1F060355 1D230418 30168014
  AF37CBB6 2D67E755 AA54B6EC BCC65DCC B7BA047E 301D0603 551D0E04 160414AF
  37CBB62D 67E755AA 54B6ECBC C65DCCB7 BA047E30 0D06092A 864886F7 0D010104
  05000381 8100A90E 22A77D9C 7FFA0A91 7EB5B0C9 86286860 9C99926E D7A33ECD
  D60AF92F 3D8AD106 5678CE16 797B5B0C 752E47C8 7307C408 9CAD7802 8E63667E
  1C57A192 FCBCC297 8B41A087 F37C2452 582779E3 F5F6A9E9 A8E6A8EF 051CF8A7
  786F342D 214C9941 3C1248B6 EE31025B B9FF7EF9 ABACD33E 2C103FA8 7455483C
  A4B0E2D3 89E5
  quit
!
!
ip ssh version 1
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 encr aes
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 1234567890 address 10.10.10.2 no-xauth
crypto isakmp key JOSH address 10.10.10.5
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 60
crypto isakmp nat keepalive 60
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set CISCO esp-3des
!
crypto ipsec profile andrew
 description TO LEARN TO VPN
!
!
crypto dynamic-map dynmap 10
 reverse-route
!
!
crypto map CISCO 10 ipsec-isakmp
 set peer 10.10.10.5
 set transform-set CISCO
 match address 115
!
crypto map SDM_CMAP_1 client authentication list sdm40.3
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address initiate
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 5 ipsec-isakmp dynamic dynmap
crypto map SDM_CMAP_1 10 ipsec-isakmp
 description vpn tunnel
 set peer 10.10.10.2
 set transform-set ESP-3DES-SHA
 match address 102
!
!
!
interface Loopback1
 ip address 192.168.1.4 255.255.255.0
!
interface Loopback2
 no ip address
!
interface FastEthernet0/0
 description OUTSIDE ETHERNET
 ip address 10.10.10.4 255.255.255.0
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CISCO
!
interface FastEthernet0/1
 ip address 192.168.20.4 255.255.255.0
 duplex auto
 speed auto
 no keepalive
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.10.6
!
!
ip http server
ip http authentication local
ip http secure-server
!
access-list 1 permit any
access-list 1 remark PLEASE WORK drat YOU
access-list 44 remark andrew
access-list 44 deny 1.1.1.1
access-list 102 remark ###bypassnat
access-list 102 permit ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
access-list 105 remark ###split tunnel
access-list 105 permit ip 172.16.0.0 0.0.255.255 192.168.20.0 0.0.0.255
access-list 115 permit ip 0.0.0.4 255.255.255.0 0.0.0.5 255.255.255.0
!
route-map bypass_nat permit 1
 match ip address 102
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet
!
scheduler allocate 20000 1000
ntp authentication-key 1 md5 00071A150754 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17178150
ntp server 10.10.10.2
end
|
# Dec 30, 2010 21:50
|
Powercrazy posted:
> access-list 115 permit ip 0.0.0.4 255.255.255.0 0.0.0.5 255.255.255.0

Thank you! I was also missing `crypto map CISCO interface outside` on the ASA; got it to work when I came in this morning. Now I just need to set up a remote access VPN.
|
# Dec 31, 2010 14:53
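The two things that were wrong in the ASA-to-router posts above (an IOS crypto ACL written with subnet masks where wildcard masks belong, and a crypto map never bound to the ASA's outside interface) are both mechanical checks. The script below is an added example, not code from the thread: it parses the crypto-map parts of an IOS and an ASA config, flags both mistakes, and checks that the two crypto ACLs are mirror images. The config excerpts are constructed from the posted lab configs; the `*_FIXED` variants and the choice of 10.10.10.0/24 as the interesting traffic are assumptions.

```python
"""Crypto-map sanity checker for an IOS/ASA IPsec pair (added example)."""
import re
from ipaddress import IPv4Address, IPv4Network

IOS_ACE = re.compile(r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$")
ASA_ACE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")


def ios_wildcard_network(addr: str, wildcard: str) -> IPv4Network:
    """IOS ACLs take a wildcard: 0 bits must match, 1 bits are ignored. A usable
    wildcard is zeros then ones (0.0.0.255), so wildcard+1 is a power of two;
    a subnet mask pasted in its place (255.255.255.0) fails that test."""
    w = int(IPv4Address(wildcard))
    if (w + 1) & w:
        raise ValueError(f"{wildcard} is not a contiguous wildcard (is it a subnet mask?)")
    network = int(IPv4Address(addr)) & ~w & 0xFFFFFFFF
    return IPv4Network((network, 33 - (w + 1).bit_length()))


def asa_mask_network(addr: str, mask: str) -> IPv4Network:
    """ASA ACLs take an ordinary subnet mask."""
    return IPv4Network(f"{addr}/{mask}", strict=False)


def parse_ios(config: str):
    """Return (crypto maps, maps bound to an interface, crypto ACLs, problems)."""
    maps, bound, acls, problems, ctx = {}, set(), {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):                     # top-level line starts a new context
            ctx = None
            m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", line)
            if m:
                ctx = maps.setdefault(m[1], {}).setdefault(int(m[2]), {"peer": None, "acl": None})
            elif line.startswith("interface "):
                ctx = {"iface": line.split()[1]}
            else:
                m = IOS_ACE.match(line)
                if m:
                    try:
                        acls.setdefault(m[1], []).append(
                            (ios_wildcard_network(m[2], m[3]), ios_wildcard_network(m[4], m[5])))
                    except ValueError as err:
                        problems.append(f"ACL {m[1]}: {err}")
            continue
        if ctx is None:
            continue
        if "iface" in ctx:
            if line.startswith("crypto map "):          # 'crypto map NAME' under an interface
                bound.add(line.split()[2])
        elif line.startswith("set peer "):
            ctx["peer"] = line.split()[2]
        elif line.startswith("match address "):
            ctx["acl"] = line.split()[2]
    return maps, bound, acls, problems


def parse_asa(config: str):
    """Same shape as parse_ios, for the flat ASA 7.x crypto map syntax."""
    maps, bound, acls, problems = {}, set(), {}, []
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto map (\S+) (\d+) (match address|set peer) (\S+)$", line)
        if m:
            entry = maps.setdefault(m[1], {}).setdefault(int(m[2]), {"peer": None, "acl": None})
            entry["acl" if m[3] == "match address" else "peer"] = m[4]
            continue
        m = re.match(r"crypto map (\S+) interface (\S+)$", line)
        if m:
            bound.add(m[1])
            continue
        m = ASA_ACE.match(line)
        if m:
            acls.setdefault(m[1], []).append((asa_mask_network(m[2], m[3]), asa_mask_network(m[4], m[5])))
    return maps, bound, acls, problems


def crypto_flows(parsed, map_name):
    """All (src, dst) network pairs the named crypto map would try to encrypt."""
    maps, _, acls, _ = parsed
    return {(s, d) for e in maps.get(map_name, {}).values() for s, d in acls.get(e["acl"], [])}


def check_pair(local, remote, local_map, remote_map):
    findings = []
    for side, parsed, name in (("local", local, local_map), ("remote", remote, remote_map)):
        _, bound, _, problems = parsed
        findings += [f"{side}: {p}" for p in problems]
        if name not in bound:
            findings.append(f"{side}: crypto map {name} is not applied to any interface")
    lflows, rflows = crypto_flows(local, local_map), crypto_flows(remote, remote_map)
    for side, flows in (("local", lflows), ("remote", rflows)):
        if not flows:
            findings.append(f"{side}: crypto map selects no traffic (no usable crypto ACL entry)")
    if lflows and rflows and lflows != {(d, s) for s, d in rflows}:   # peer must see the reverse
        findings.append("crypto ACLs are not mirror images: "
                        f"local={sorted((str(s), str(d)) for s, d in lflows)} "
                        f"remote={sorted((str(s), str(d)) for s, d in rflows)}")
    return findings


# Constructed excerpts of the posted configs (router R4 and LAB-ASA).
ROUTER_POSTED = """\
crypto map CISCO 10 ipsec-isakmp
 set peer 10.10.10.5
 set transform-set CISCO
 match address 115
!
interface FastEthernet0/0
 ip address 10.10.10.4 255.255.255.0
 crypto map CISCO
!
access-list 115 permit ip 0.0.0.4 255.255.255.0 0.0.0.5 255.255.255.0
"""
ASA_POSTED = """\
access-list ipsec-conn extended permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto map CISCO 10 match address ipsec-conn
crypto map CISCO 10 set peer 10.10.10.4
crypto map CISCO 10 set transform-set CISCO
"""
# Assumed fixes: a proper wildcard ACL mirroring ipsec-conn, and the missing interface binding.
ROUTER_FIXED = ROUTER_POSTED.replace("0.0.0.4 255.255.255.0 0.0.0.5 255.255.255.0",
                                     "10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255")
ASA_FIXED = ASA_POSTED + "crypto map CISCO interface outside\n"

if __name__ == "__main__":
    for label, r, a in (("as posted", ROUTER_POSTED, ASA_POSTED), ("fixed", ROUTER_FIXED, ASA_FIXED)):
        print(label, check_pair(parse_ios(r), parse_asa(a), "CISCO", "CISCO") or "OK")
```

The wildcard test is the useful part: `(w + 1) & w == 0` is true only when the wildcard is a run of zeros followed by a run of ones, which is exactly what a subnet mask is not, so a pasted-in mask is caught before the tunnel ever tries to negotiate.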
|
Quick question: doing some ACL modifications at work I came across a working ACL but it seemed backwards. I don't have it in front of me but it looked like:

object-group network External_Location_Net_ogn
 network-object host ExternalIP
 network-object host ExternalIP
 network-object host ExternalIP
access-list name permit tcp External_Location_Net NattedExternalIPofServer

I've always thought the first IP has to be the destination and the second the source; however, in the above it's backwards.
|
# Jan 21, 2011 03:48
|
jbusbysack posted:
> ACLs run source to dest. Now it's possible that ACL is being used for some kind of conditional NAT statement, or for inbound traffic on the outside interface.

Thanks, I'm having some kind of surreal brain fart here. I'm fairly new to this and between looking at router ACLs for interesting IPsec traffic and ASA object-group ACLs I'm screwing stuff up in my head.
|
# Jan 21, 2011 17:39
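To make the "source first, destination second" rule from the reply concrete, here is an added example (not code from the thread) that evaluates an ASA-style extended ACL the way the firewall does: object-groups are expanded, the first operand is matched against the packet's source, the second against its destination, and the first matching entry wins with an implicit deny at the end. The ACL text is a constructed stand-in for the posted one, using documentation-range addresses.

```python
"""ASA extended-ACL evaluator with object-group expansion (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22}


@dataclass
class Ace:
    action: str
    proto: str
    src: List[ipaddress.IPv4Network]   # networks the SOURCE address may fall in
    dst: List[ipaddress.IPv4Network]   # networks the DESTINATION address may fall in
    dst_port: Optional[int]


def _operand(tokens, groups):
    """Consume one address operand: any | host A | object-group G | A MASK."""
    t = tokens.pop(0)
    if t == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if t == "host":
        return [ipaddress.ip_network(tokens.pop(0))]
    if t == "object-group":
        return list(groups[tokens.pop(0)])
    return [ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)]


def parse_acl(text: str):
    """Return {acl_name: [Ace, ...]} from object-group and access-list lines."""
    groups, acls, current = {}, {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "object-group" and tok[1] == "network":
            current = groups.setdefault(tok[2], [])
        elif tok[0] == "network-object":
            net = tok[2] if tok[1] == "host" else f"{tok[1]}/{tok[2]}"
            current.append(ipaddress.ip_network(net, strict=False))
        elif tok[0] == "access-list" and tok[2] == "extended":
            name, action, proto, rest = tok[1], tok[3], tok[4], tok[5:]
            src = _operand(rest, groups)      # first operand: source
            dst = _operand(rest, groups)      # second operand: destination
            port = None
            if rest[:1] == ["eq"]:
                port = PORT_NAMES.get(rest[1]) or int(rest[1])
            acls.setdefault(name, []).append(Ace(action, proto, src, dst, port))
    return acls


def evaluate(aces, proto, src_ip, dst_ip, dst_port=None):
    """First match wins; an ACL with no match denies."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if not any(s in n for n in ace.src) or not any(d in n for n in ace.dst):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return "deny"


# Constructed ACL modelled on the posted one (placeholder addresses).
ACL_TEXT = """
object-group network External_Location_Net_ogn
 network-object host 203.0.113.10
 network-object host 203.0.113.11
 network-object 203.0.113.32 255.255.255.240
access-list outside_in extended permit tcp object-group External_Location_Net_ogn host 198.51.100.5 eq 443
access-list outside_in extended permit icmp any any
"""

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)["outside_in"]
    print("external -> server:443 ", evaluate(acl, "tcp", "203.0.113.10", "198.51.100.5", 443))
    print("server -> external:443 ", evaluate(acl, "tcp", "198.51.100.5", "203.0.113.10", 443))
```

Swapping the two addresses in the second call is the whole point: the same two hosts and port are denied once the packet flows the other way, because the group is only ever compared with the source field.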
|
That will probably be much later down the line. As it is right now I have a project handed down to me before they consider doing any core upgrades that hasn't been completed in 5 years. Need to write up documentation on all the specifics of our core network, including all clients on each of our 500+ VLANs, all interfaces. I really wish there was an easy button for this. fml.
|
# Jan 21, 2011 17:57
|
tortilla_chip posted:
> If you use Visio it supports XML so you might be able to parse out what you need from configs to at least get started.

Whoa hey now, didn't know about that, thanks! Is there a certain way to do this or is there some kind of drop-down in Visio that lets me paste in the config?
|
# Jan 22, 2011 23:01
|
Looking at our core routing, I'm seeing that we have an interface set up on our core routers for every VLAN in our network. This is unusual to me since in the CCENT study the VLANs are configured on the switches only. I asked our network architect about it; he said the interfaces are configured on the router so that the individual VLANs have a route out. What I don't understand is why it is done this way if you can just configure a default route on the switch and be set. I'm thinking it's because we have HSRP on our core routers and if one goes down the route is still advertised when the default route goes down. I would have kept bothering him but he's studying for another CCIE and I didn't want to be an annoying tard.
|
# Jan 25, 2011 15:43
|
They're all virtual interfaces from what I can tell:

VlanXXX is up, line protocol is up
  Hardware is Cat6k RP Virtual Ethernet, address is **
  Description:
  Internet address is SUBNET
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  ARP type: ARPA, ARP Timeout 04:00:00
|
# Jan 25, 2011 16:26
|
optik posted:
> And to add another point, although you may be using this as a core router, the show command that you posted shows it is a Cat6k which is actually a switch (a very powerful multilayer one at that, but still just a switch with routing capabilities)

Thanks for the clarification on that. I just went back in the DC to take a physical look at all of this; I'm overwhelmed to say the least, will be nice when I actually get a grasp of what's going on back there. In the past 3 years I've been here I was only working in the NOC, so aside from walking past this equipment and going "god drat that thing is big" I don't really have a firm grasp on it. There are a lot of MSFCs and a few FWSMs tied to 6 6ks, so I'm way out of any element I could possibly be in. Right now I'm just trying to figure out where the VLANs connect to physically so I can start there and work my way to the telco equipment. I think I found the blade that houses the connections from the patch panel (I forget what those big multi-twisted-pair connections are called) so I think I can work from that.
|
# Jan 25, 2011 19:01
|
I had a customer ask me to enable an errdisabled switchport. Looking at the config I can see it's an access port for one specific VLAN; what I can't figure out is why it errdisabled. The switch stack doesn't have verbose logging enabled so there's no history on it. They had connected a five-port switch to this switchport so I'm guessing someone tried to trunk it and it went into errdisabled mode. Am I right in this train of thought based on the interface config:

interface GigabitEthernetPORT
 switchport access vlan **
 duplex full
 speed 1000
 mls qos trust dscp
 storm-control broadcast level 30.00
 storm-control multicast level 70.00
 spanning-tree portfast
|
# Feb 3, 2011 18:19
|
That did it, thanks; it showed the reason as Loopback, so at least now I know that little switch brought down the port. Is there something I can change on that interface's config to not bring it down due to loopback? I thought switchport access would do it but I guess not.
Sepist fucked around with this message at 19:50 on Feb 3, 2011
# Feb 3, 2011 19:43
|
Having an issue creating a port redirection NAT because of an existing NAT in place. We use inside/outside static NATs for the inside and outside IPs. They want to redirect port 8760 to port 80 on one web server; however, when I do the following:

access-list Outside_in extended permit tcp any host OUTSIDEIP eq 8760
static (COMPANY,outside) tcp OUTSIDEIP 8760 INSIDEIP www netmask 255.255.255.255

I would, as you guess, get the error:

ERROR: mapped-address conflict with existing static

due to the existing:

static (COMPANY,outside) OUTSIDEIP INSIDEIP netmask 255.255.255.255

Is there an easy way around this on the ASA or would I be better off just creating a new inside IP on the server and creating a new static entry for that on the ASA?
|
# Feb 4, 2011 14:32
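The error in the post follows a simple rule on pre-8.3 ASA code: a one-to-one `static` owns every port of its mapped address, so a later port-redirect `static` on the same mapped address collides with it. The checker below is an added example, not code from the thread or from Cisco, that reproduces that rule so a candidate entry can be tested against the existing table before it is typed into the firewall; it also shows why the "new inside IP with its own static" route from the post does not collide. Addresses are constructed documentation-range placeholders, and real-address overlap rules are deliberately not modelled.

```python
"""Pre-8.3 ASA static NAT mapped-address conflict check (added example)."""
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"www": 80, "https": 443, "ftp": 21}


@dataclass(frozen=True)
class Static:
    real_if: str
    mapped_if: str
    mapped_ip: str
    real_ip: str
    proto: Optional[str] = None         # None: one-to-one static, i.e. all ports
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None


def _port(s: str) -> int:
    return PORT_NAMES.get(s) or int(s)


def parse_static(line: str) -> Static:
    """Parse the two shapes used in the post:
    static (REAL_IF,MAPPED_IF) MAPPED_IP REAL_IP netmask M
    static (REAL_IF,MAPPED_IF) tcp MAPPED_IP MPORT REAL_IP RPORT netmask M"""
    tok = line.split()
    if tok[0] != "static":
        raise ValueError(f"not a static line: {line}")
    real_if, mapped_if = tok[1].strip("()").split(",")
    if tok[2] in ("tcp", "udp"):
        return Static(real_if, mapped_if, tok[3], tok[5], tok[2], _port(tok[4]), _port(tok[6]))
    return Static(real_if, mapped_if, tok[2], tok[3])


def conflict(existing: List[Static], candidate: Static) -> Optional[Static]:
    """Return the existing static the candidate collides with, or None."""
    for e in existing:
        if (e.mapped_if, e.mapped_ip) != (candidate.mapped_if, candidate.mapped_ip):
            continue
        if e.proto is None or candidate.proto is None:
            return e        # one side claims every port of that mapped address
        if (e.proto, e.mapped_port) == (candidate.proto, candidate.mapped_port):
            return e        # same protocol and mapped port is already taken
    return None


# Constructed table: the existing one-to-one static, the rejected redirect,
# and the alternative with a second inside IP and its own mapped address.
EXISTING = [parse_static("static (COMPANY,outside) 203.0.113.20 10.1.1.20 netmask 255.255.255.255")]
REDIRECT = parse_static("static (COMPANY,outside) tcp 203.0.113.20 8760 10.1.1.20 www netmask 255.255.255.255")
ALT = parse_static("static (COMPANY,outside) tcp 203.0.113.21 8760 10.1.1.21 www netmask 255.255.255.255")

if __name__ == "__main__":
    for s in (REDIRECT, ALT):
        hit = conflict(EXISTING, s)
        print(f"{s.mapped_ip}:{s.mapped_port} ->", f"conflict with {hit.mapped_ip}" if hit else "ok")
```

Two port statics on one mapped address are fine as long as their protocol and mapped port differ, which is the case the checker's last comparison handles; the one-to-one static is the only entry that blocks everything behind its address.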
|
Thank you for the reply, but ultimately this cannot be done. The static NAT is also used to route interesting traffic over their IPSec tunnel to us; simply removing the existing NAT will cut connectivity unless I remap all of the ports they need to use, and I'm not really up for that. I told them to change the listening port in IIS to the one they want me to open.
|
# Feb 4, 2011 15:58
|
A 2k8 read-only domain controller would be your best bet. That way you only need to open 135, 53248, 389, plus the RODC can't do any damage to the domain if compromised.

Edit: For some reason one of our 65xx devices was lying on the ground lonely, I decided to give it some props and snap a picture

Sepist fucked around with this message at 00:27 on Feb 15, 2011
# Feb 15, 2011 00:20
|
We're using 7609 routers for our 4 GigE pipes and we still run the firewall modules at the access layer inside of our 6509s.
Sepist fucked around with this message at 19:09 on Feb 16, 2011
# Feb 16, 2011 19:07
|
Does anyone have a writeup on why Cisco changed their kernel for the 8.0 ASA and decided to completely change how rules and objects are written? It fills me with such raaaaaaage. Completely annoying as a newbie when you're writing ACLs and wondering why they aren't working until you finally do a show ver.
|
# Feb 17, 2011 20:11
|
I can't stand Cacti; I do like NetFlow Analyzer though. Pretty graphs and all that jazz.
|
# Feb 18, 2011 19:08
|
Careful, you might drink him into alcohol poisoning with a question like that. I remember NAP from my MCSA; christ, that is something I'm glad I never had to look at outside of a lab, and you have my sympathy on needing to roll its Cisco counterpart out.
Sepist fucked around with this message at 15:23 on Feb 23, 2011
# Feb 23, 2011 15:19
|
This is a pretty vague question, but can anyone think of a good reason why a port scan would crash redundant Sup2s on a 6509 along with the MSFC and switch modules, yet the FWSM stayed up? Thinking routing loop but nothing's in the logs. Also, whoop whoop, got my official promotion, now a network engineer by title.
|
# Feb 25, 2011 22:55
|
Tremblay posted:
> Getting the crash dumps analyzed would be a good place to start. I'll say that in general high rate scans against network devices don't tend to turn out well in my experience. Everything is designed to pass traffic as fast as possible. To-the-box traffic is being punted to the CPU, and a moderate scan could crater a SUP2 pretty easy. FWSM PC was probably saved by NP1/NP2.

Thanks, I will see if I can check the dump tomorrow. I usually run these scans daily and don't have a problem, so it was unexpected to see this happen today.
|
# Feb 26, 2011 05:56
|
Does anyone have any experience with iPad IPSec tunnels? We have some clients trying to connect through our shared concentrator using them and they are failing. They are getting a negotiation error; from the research I've done it looks like it's due to the iPad only supporting AES 256 encryption as the transform set. I don't want to add AES unless absolutely needed, since it will burden the shared device unnecessarily. Has anyone been able to set this up without AES? Also, the "weird issue" we had with scans crashing our Sups is apparently a known issue with TAC due to our software version, what an oddity.
|
# Mar 3, 2011 13:04
|
We have redundant accelerator cards installed so yes I suppose.
|
# Mar 3, 2011 17:30
|
I figured as much; we're passing over 14k pps through that device though, so we really don't want to end up serving too much AES. I don't think it will be an issue as AES is going to be the second choice if the client doesn't support 3DES.
|
# Mar 3, 2011 20:11
|
I was under the impression AES was more processor intensive than 3DES/DES; looking it up now it seems to be the opposite. The accelerator module we have also performs AES encryption so I will have to bring this up, thanks for pointing it out.
|
# Mar 4, 2011 13:20
|
Look at it from an experience perspective: will you learn more than what you currently can? Having just passed your CCNA you can't expect a large pay increase, as you've just completed fundamentals but haven't really had the chance to see them in action or apply them in a production environment. Baby steps.. If you're going to work in a team of qualified engineers I would go for it, as they will have things to show you that you won't see being by yourself.
|
# Mar 8, 2011 03:02
|
Why do you want to get out of small business so bad? There are many different markets in small business where it isn't just you supporting a group of uneducated computer users; places like MSPs will allow you to do a lot of production support without any customer interaction while supporting many unique environments. I'm just a bit jaded of big business myself; the amount of red tape required to get work done is excruciating sometimes. While I do enjoy following a change control process, sometimes you just gotta get in there and make a quick change. Also I believe 2 years is somewhat of an average for turnover time in IT; I heard this a few years ago so it could be antiquated statistics by now..
|
# Mar 8, 2011 04:32
|
I'm working on a client project and have run into a problem, hoping someone here can see an option I'm not seeing. We set up a client's cabinet with an ASA5510 pair connected to a switch stack of 2960Gs. Afterwards they did their own project without asking us about the connectivity: they set up an ASA5505 and a Juniper switch pair in another cabinet on another subnet and ran a cross-connect between the switches in each cabinet. They now want to be able to communicate on separate VLANs between the switches. Realizing they didn't buy L3 switches, I think they're screwed, because:

1. The 5505 doesn't have a SLA for dot1q trunking and doesn't do subinterfaces
2. They don't want a L2L tunnel between the two cabinets because these are Gigabit switches, the ASAs are 10/100 and the 5505 is Ethernet

The saving grace might be that the Juniper switches are L3; I had a moment to look at the GUI and I think I saw a Routing config tab. If that's the case I can at least put both VLANs on the Juniper switches, but I still think it's not going to work. I also considered using ip secondary on the VLANs, but I'm fairly green and not sure if secondaries are on routers only or if they can be on switches. Anyone have any idea what else I could do for them?
|
# Mar 11, 2011 02:05
|
Tremblay posted:
> Best option Juniper SWs support L3. IP secondary on the 2960Gs isn't gonna buy you anything.

I meant putting them in the same VLAN and using ip secondary. Terrible alternative.
|
# Mar 11, 2011 03:34
|
Just finished making one of these bad boys, an RS232 Bluetooth adapter connected to a short length of console cable; now I can take a seat at the end of the row instead of sitting in the hot/cold rows. This is too little too late as I spent 6 hours in a hot row yesterday configuring that VLAN crap I posted about earlier. Customer misconfigured their Juniper and it took me way too long to realize that, then took 5 minutes to start from scratch and bring the network up. Oi.
Sepist fucked around with this message at 20:22 on Mar 12, 2011
# Mar 12, 2011 20:18
|
http://www.usconverters.com/index.php?main_page=product_info&products_id=228 was the cheapest and confirmed working one I could find (plus it is self-powered with a mini-USB Energizer battery attached).
|
# Mar 12, 2011 20:43
|
Do you need to see the traffic on the outside interface? If not, why not just SPAN the uplink to your ASA on your switch?
|
# Mar 14, 2011 00:14
|
I would imagine the 1811s support HSRP; just throw it on both, give the 15Mb connection a higher priority and only use the T1 for backup.
|
# Mar 14, 2011 17:20
|
I may have mistaken you; I thought you were going to have 2 1811s, you need 2 routers for HSRP. In the event that I didn't mistake you: no, you don't NEED to have the T1 plugged in since HSRP is configured on the inside interface, but for it to actually fail over the WAN connection would need to be up.

edit: I guess you mean you only have one card? I guess it could be hot-swappable; don't really know as I haven't had to touch any cards yet..
|
# Mar 14, 2011 17:28
|
Be completely honest with your answers and try not to say "I guess"; keeping a smile and being genuinely interested in what you're going to be doing will get you the job. Also, I'm sure they're going to ask you why you want to leave your current position; try not to give any negative connotations when you answer that one.
|
# Mar 15, 2011 16:23
|
In my last interview I told them I work quickly and multitask well but my attention to detail suffers because of this. It seemed to work well and actually was a good trait for the position at the time.
|
# Mar 15, 2011 16:44
|
If anyone asks what HSRP is, just tell them it's like a toilet: deciding where to send your load.
|
# Mar 15, 2011 21:12
|
|
If you had asked me what STP did when I was a system admin just touching network stuff, compared to now, I'd just give you a blank stare, so yeah, I guess it's not that bad of a question.
|
# Mar 16, 2011 13:20