quote:Routing responses.... Thanks fellas. Do you try to keep a 1:1 subnet to vlan ratio or does it just depend on the situation? I'm assuming you don't do vlan trunking to your remote sites?
|
# ? Dec 7, 2007 16:04 |
|
XakEp posted:Well, you wont be using easyvpn for a remote access vpn, it's meant for site to site vpns. This isn't exactly true- EasyVPN is the umbrella for the IPSec VPN parts and pieces- both client and server componentry. You can connect from the IPSec client to any Easy VPN server (IOS, ASA, etc).
|
# ? Dec 7, 2007 16:53 |
|
jwh posted:This isn't exactly true- EasyVPN is the umbrella for the IPSec VPN parts and pieces- both client and server componentry. You can connect from the IPSec client to any Easy VPN server (IOS, ASA, etc). As I understood it, it's meant for gateway to gateway type VPNs. Am I wrong? I've dinked with a few with my PIX 520s, but didn't think it was meant for an RA style access model.
|
# ? Dec 7, 2007 16:59 |
|
XakEp posted:As I understood it, its meant for gateway to gateway type vpns. Am I wrong? I've dinked with a few with my PIX 520s, but didnt think it was meant for an RA style access model. It can do both, although for site-to-site VPN, something like DMVPN is probably more flexible. Check out: http://www.cisco.com/en/US/products/ps6635/products_qanda_item0900aecd805358e0.shtml quote:Q. What is Cisco® Easy VPN?
|
# ? Dec 7, 2007 17:06 |
|
Sweet, thanks! I love this thread - always something new to learn.
|
# ? Dec 7, 2007 17:09 |
|
Girdle Wax posted:Do you have ASDM installed on the device? If so, go to VPN in ASDM, click "VPN Wizard". It's probably the easiest and quickest way to configure VPN on an ASA/PIX. I don't believe it's a firewall issue on my client side because I can connect to other L2TP VPNs just fine.
|
# ? Dec 7, 2007 18:24 |
|
brent78 posted:I used the wizard to create an L2TP VPN. When I try to connect from my Windows XP client I get "Error 789: The L2TP connection attempt failed because the security layer encountered a process error during initial negotiations with the remote computer". I had a similar issue on my PIX 520, I had to enable the L2TP passthrough. Dunno about the ASA, but I'd imagine it's similar.
|
# ? Dec 7, 2007 18:42 |
|
brent78 posted:I used the wizard to create an L2TP VPN. When I try to connect from my Windows XP client I get "Error 789: The L2TP connection attempt failed because the security layer encountered a process error during initial negotiations with the remote computer". Never tried to use the L2TP/IPsec using the windows native client, I've always had to use the Cisco VPN client.
|
# ? Dec 7, 2007 18:44 |
|
jwh posted:This isn't exactly true- EasyVPN is the umbrella for the IPSec VPN parts and pieces- both client and server componentry. You can connect from the IPSec client to any Easy VPN server (IOS, ASA, etc). Call me old school (or just dumb) if you want, but every EZ-VPN example code I've ever seen has looked like incoherent gibberish. I'll take crypto maps, or tunnel protect, or DMVPN over that EZ-VPN nonsense any day.
|
# ? Dec 7, 2007 22:13 |
|
inignot posted:Call me old school (or just dumb) if you want, but every EZ-VPN example code I've ever seen has looked like incoherent gibberish. I'll take crypto maps, or tunnel protect, or DMVPN over that EZ-VPN nonsense any day. Well I think it was named EZ-VPN due to the minimal config needed on the client side. I agree with you completely that it is a pain in the rear end. And yes DMVPN/tunnel protect/anything is less convoluted.
|
# ? Dec 7, 2007 22:26 |
|
I have a 2507, and a 2900 series switch... switch: IOS (tm) C2900XL Software (C2900XL-H2-M), Version 11.2(8.5)SA6, MAINTENANCE INTERIM SOFTWARE 2507: IOS (tm) 2500 Software (C2500-I-L), Version 12.1(7), RELEASE SOFTWARE (fc1) Is it possible to do inter-VLAN routing between the two? The 2507 has a 16 port hub in it, and one actual ethernet interface. I try applying an ip address to a virtual interface and I get this: code:
InferiorWang posted:Would you guys talk to me a little bit about how you handle routing? What's your organization size, number of subnets, type of routing? Do you use static or dynamic? I'd like to read a bit about some real world applications. Last I checked we had about 2,500 peers and 27,016,151 ip addresses. Unfortunately, I am not involved in that high level equipment, I just fix circuits and CPE issues (EZ VPN in IOS) so I can't explain too much about the complexity of our backbone. However, we have multiple NOCs dedicated to different levels of the network. We have a group that does nothing but BGP troubleshooting, a group that repairs DS3s, a group that handles firewall issues, a group that performs hardware maintenance, a group for field dispatching, etc... The company has been through quite a few mergers and is a complete mess. We have everything from MPLS VPN solutions to old x.25 nodes that are still in use (compuserve?). Because of all of the mergers and lay offs we find ourselves getting trouble tickets for solutions that were put into place during the internet boom, and "the guy" that originally installed it has been gone for 4 years and we have no current documentation to use for troubleshooting. This often leads us to searching for some unknown group on the other side of the planet that will help us troubleshoot our appletalk tunneling over an x.25 network that performs load balancing via an unmanaged 3com based ISDN solution.
|
# ? Dec 7, 2007 23:08 |
|
I think (probably wrong) you might need a newer IOS on the router to do intravlan routing with a router on a stick config. Edit - yup, I was wrong. Anything over 12.0 will work. Try adding this before you apply an ip address: encapsulation dot1q (vlanid) XakEp fucked around with this message at 23:14 on Dec 7, 2007 |
# ? Dec 7, 2007 23:11 |
|
Filthy_McGreasy posted:I have a 2507, and a 2900 series switch... According to this it won't work on a 25xx router: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t1/8021q.htm#wp3932 Here's an example of an interface in one of our routers: quote:interface FastEthernet0/0.1
|
# ? Dec 7, 2007 23:18 |
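The router-on-a-stick setup the last few posts are circling around, written out as an added example (this is not CrazyLittle's router config, which was cut off above, and not anything from the Cisco page he links). It assumes a router with a FastEthernet interface running 12.0T or later, a Catalyst IOS switch on the other end, and VLANs 10 and 20 with documentation-range addresses; all of those are my assumptions. As the thread says, the 10 Mb Ethernet on a 25xx is not a supported place for this.

```cisco
! Router side: the physical interface carries no address of its own; one
! subinterface per VLAN, tagged with "encapsulation dot1Q <vlan-id>", becomes
! that VLAN's default gateway. Routing between the subinterfaces is what gives
! you inter-VLAN routing.
interface FastEthernet0/0
 no ip address
 no shutdown
!
interface FastEthernet0/0.10
 description VLAN 10 (assumed: user subnet)
 encapsulation dot1Q 10
 ip address 192.0.2.1 255.255.255.0
!
interface FastEthernet0/0.20
 description VLAN 20 (assumed: server subnet)
 encapsulation dot1Q 20
 ip address 198.51.100.1 255.255.255.0
!
! Switch side: the port facing the router is an 802.1Q trunk. Listing the
! allowed VLANs explicitly keeps every other VLAN on the switch from leaking
! down the trunk to the router, which is the part people usually forget.
interface FastEthernet0/1
 description uplink to router Fa0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
```

One subnet per VLAN, as asked about at the top of this page, falls out of this naturally: each subinterface is one VLAN and one subnet. Putting two subnets on one VLAN (secondary addresses) works but means hosts on both subnets share a broadcast domain, so any filtering between them has to happen somewhere other than the router.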
|
CrazyLittle posted:According to this it won't work on a 25xx router: I've seen it done on a 2501, but it didn't work very well. It is not supported on 25xx routers, but it will work, sorta. We had timeouts and other issues.
|
# ? Dec 8, 2007 03:21 |
|
I believe it only works on fast/gig ethernet interfaces. Ethernet (10Mbs) will not work.
|
# ? Dec 8, 2007 15:37 |
|
inignot posted:I believe it only works on fast/gig ethernet interfaces. Ethernet (10Mbs) will not work. Do you have any suggestions on how to prepare for the CCIE? What equipment is good to practice with? Did you just purchase a set amount of hours on practice equipment? Any online articles that are worth reading before I get started?
|
# ? Dec 9, 2007 14:26 |
|
Filthy_McGreasy posted:Do you have any suggestions on how to prepare for the CCIE? What equipment is good to practice with? Did you just purchase a set amount of hours on practice equipment? Any online articles that are worth reading before I get started? Which track?
|
# ? Dec 9, 2007 17:59 |
|
Here is more info on error "789" when Windows XP tries to connect L2TP VPN to my ASA 5510. Says "Phase 2 Mismatch". I followed the sample on Cisco's site to the letter.
brent78 fucked around with this message at 19:45 on Dec 9, 2007 |
# ? Dec 9, 2007 19:40 |
|
Tremblay posted:Which track? I am starting with routing/switching, but possibly exploring other options after I pass the test. I would love to hear some advice from anyone on this, regardless of the path chosen.
|
# ? Dec 9, 2007 20:27 |
|
Filthy_McGreasy posted:Do you have any suggestions on how to prepare for the CCIE? What equipment is good to practice with? Did you just purchase a set amount of hours on practice equipment? Any online articles that are worth reading before I get started? For the record I am not a CCIE, but I've put in two R&S lab attempts. I believe I took my second lab concurrent with another goon, "The Router Ninja", that passed. Here's the info from Cisco on the blueprint, equipment, and suggested reading: http://www.cisco.com/web/learning/le3/ccie/rs/lab_exam_blueprint.html http://www.cisco.com/web/learning/le3/ccie/rs/lab_equipment.html http://www.cisco.com/web/learning/le3/ccie/rs/book_list.html Go read the group study email list: http://www.groupstudy.com/archives/ccielab/ Now pick a study vendor for practice labs / classes: http://www.netmasterclass.net/ http://www.internetworkexpert.com/ http://www.ipexpert.com/ http://www.ccbootcamp.com/ Rent rack time from someone that offers your chosen vendor's practice topology: http://www.gigavelocity.com/ http://ccie2be.com/ccie2be.html http://www.cconlinelabs.com/ I hear a lot about the dynamips router emulator, but I've never messed with it. http://www.ipflow.utc.fr/blog/ Study and lab for six to eight months, then try a Cisco assessor test (or a graded test from your vendor of choice): http://www.cisco.com/web/learning/le3/ccie/preparation/index.html Based on your results continue to study or book a lab date, repeat as needed.
|
# ? Dec 9, 2007 21:09 |
|
brent78 posted:Here is more info on error "789" when Windows XP tries to connect L2TP VPN to my ASA 5510. Says "Phase 2 Mismatch". I followed the sample on Cisco's site to the letter. Can you debug isakmp, try the connection again, and post the results?
|
# ? Dec 9, 2007 21:22 |
|
inignot posted:For the record I am not a CCIE, but I've put in two R&S lab attempts. I believe I took my second lab concurrent with another goon, "The Router Ninja", that passed. If someone were to poopsock the CCIE training, and assuming a 100% retention rate for the information, how much of a time investment would it be? You mention studying for 6-8 months, is that 2 hours a week, or 2 hours a day? Is the exam environment stressful? From your previous comments it sounds like there would be many people sitting around in a room taking the test at the same time. Do they try to minimize the distractions? How much experience did you have before you decided to start on this?
|
# ? Dec 9, 2007 21:38 |
|
Filthy_McGreasy posted:If someone were to poopsock the CCIE training, and assuming a 100% retention rate for the information, how much of a time investment would it be? Do you have any of the other certifications? CCNA or CCNP?
|
# ? Dec 9, 2007 21:42 |
|
Filthy_McGreasy posted:If someone were to poopsock the CCIE training, and assuming a 100% retention rate for the information, how much of a time investment would it be? You mention studying for 6-8 months, is that 2 hours a week, or 2 hours a day? Is the exam environment stressful? From your previous comments it sounds like there would be many people sitting around in a room taking the test at the same time. Do they try to minimize the distractions? How much experience did you have before you decided to start on this? Only on SA would someone coin the term "poopsocking the CCIE training". I started putting serious effort into attaining the CCIE about a year ago. I had 8 years of experience as a network engineer at that point. The material is ludicrously non real world, so studying beyond what's required for your day to day job duties is absolutely required. I attempt to study at work when I can by reading and mocking up small scale scenarios with three 1700 series routers. Ideally I would get in one 8 hour rack session a week, though that rarely happens on a weekly basis. Drop the $250 or whatever the cost is for a Cisco assessor test; that will reality check you on what you need to learn. The lab may contain candidates testing for any of the CCIE tracks. Someone may be sitting next to you or across from you. During my last attempt the guy in front of me was visibly freaking out for the entire eight hours. I also think the 7:30am start time for the RTP lab is straight up dickish.
|
# ? Dec 9, 2007 23:12 |
|
code:
|
# ? Dec 10, 2007 01:11 |
|
Filthy_McGreasy posted:I am starting with routing/switching, but possibly exploring other options after I pass the test. I passed the security CCIE this past September. Most of it was OJT although I did have a study rack of equipment. For study guides I used IP Expert and Netmetric-Solutions. For security I thought Netmetric was better. For VOIP I know the IP Expert is excellent. Not sure for R&S. I completely agree with inignot. It seems like if there are two ways of accomplishing something, the most convoluted or asinine method is the "right" method. Best thing to do is remember it's just a test... Tremblay fucked around with this message at 02:01 on Dec 10, 2007 |
# ? Dec 10, 2007 01:23 |
|
What would cause computers to take forever to get a DHCP address? Win2k3 is handing out the DHCP addresses. Cisco 6513 switch set into VLANs. It is configured with the appropriate ip helper address. It can take 30 to 45 seconds to pull an address. Not really a huge issue, but one model of computers' PXE ROM times out before it can pull an address. I use a boot CD on those.
|
# ? Dec 10, 2007 02:01 |
|
Skip Dogg posted:What would cause computers to take forever to get a DHCP address? Take a packet capture from the host and the DHCP server end.
|
# ? Dec 10, 2007 02:02 |
|
Skip Dogg posted:What would cause computers to take forever to get a DHCP address? Is spanning tree enabled for that vlan/port/switch?
|
# ? Dec 10, 2007 04:45 |
|
Skip Dogg posted:What would cause computers to take forever to get a DHCP address? If it's a client port, enable portfast.
|
# ? Dec 10, 2007 05:38 |
|
jwh posted:Do you have any of the other certifications? CCNA or CCNP? Almost done with CCNP. While I haven't been poopsocking during my training time, I am going at about one test per month. Sounds like at this rate I will need to put in about one year of solid training before attempting the CCIE.
|
# ? Dec 10, 2007 05:39 |
|
Ninja Rope posted:Is spanning tree enabled for that vlan/port/switch? Seems to be.
code:
Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0017.0f5f.6c80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
And then it lists all VLANs/ports under that.

tortilla_chip posted:If it's a client port, enable portfast. I'm not the network person, so here is the config for a random port
code:
interface FastEthernet7/36
 switchport
 switchport access vlan 20
 switchport mode access
 no ip address
|
# ? Dec 10, 2007 06:05 |
|
Tremblay posted:
|
# ? Dec 10, 2007 06:25 |
|
Skip Dogg posted:Seems to be. add a: spanning-tree portfast to that.. problem solved
|
# ? Dec 10, 2007 06:48 |
|
mamboman posted:add a: spanning-tree portfast Although if you do portfast, you should also consider bpduguard.
|
# ? Dec 10, 2007 07:06 |
|
jwh posted:Although if you do portfast, you should also consider bpduguard. From what I'm reading up, portfast shouldn't do too much harm, this thing just connects to 300+ workstations, but I'm sure it's desirable to avoid switch loops. Can you change the time from 15 seconds to listen and 15 seconds to forward to maybe 10/10? That would give the PXE ROM enough time to grab an IP. Failing that I might be able to talk the network admin into portfast and bpduguard. Thanks for the help guys.
|
# ? Dec 10, 2007 07:50 |
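The portfast plus bpduguard change mamboman and jwh are describing, spelled out as an added example against the port Skip Dogg pasted (this is my config, not anything posted in the thread). It assumes a Catalyst running native IOS, which is what the 6513 output above looks like; the interface name and VLAN are taken from the post, everything else is an assumption.

```cisco
! Before (the port as posted): an ordinary access port. When a PC links up,
! STP walks it through listening (15 s) and learning (15 s) before it
! forwards, so DHCP Discover goes nowhere for ~30 s and the PXE ROM times out.
interface FastEthernet7/36
 switchport
 switchport access vlan 20
 switchport mode access
!
! After: portfast skips listening/learning on this edge port, so the PC can
! talk to DHCP immediately. On its own that removes the loop protection STP
! gave you, which is what jwh's caveat is about: bpduguard puts the port
! into err-disabled the moment anything that speaks STP (another switch, a
! hub with a switch behind it) is plugged into it.
interface FastEthernet7/36
 switchport
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Same change for all 300+ workstation ports at once. "portfast default"
! applies only to access ports, so trunks are left alone.
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! Optional: bring an err-disabled port back after 5 minutes rather than
! leaving it down until someone does "shut / no shut" by hand.
errdisable recovery cause bpduguard
errdisable recovery interval 300
```

On the timer question: Forward Delay can be lowered per VLAN with "spanning-tree vlan 20 forward-time 10" (the allowed range is 4 to 30 seconds), which would shave the wait from 30 to 20 seconds. It affects every port in that VLAN, including the uplinks, and shrinks the margin STP has to detect a loop before forwarding, so the per-port portfast change above is the usual fix and the timer change is the one to avoid.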
|
What effect, if any, will GRE have on network performance (mainly in terms of latency)? We have a 100Mbit link through a provider network (MPLS), and I need my routers at each end to talk OSPF. I'm thinking GRE, but I'm not sure what effect it will really have. Latency now is really low (just a couple ms), but I don't want to start adding too much to that since we are running lots of voice traffic. That data is in fairly small packets (and properly QoS tagged), so those packets shouldn't be bothered by the possible fragmentation from GRE affecting MTU.
|
# ? Dec 10, 2007 09:55 |
|
ionn posted:What effect, if any, will GRE have on network performance (mainly in terms of latency)? You're correct that a GRE tunnel will carry OSPF multicast hellos, however you may as well encrypt the tunnel also. As long as you have an appropriately powerful router & crypto accelerator the latency overhead shouldn't be that bad. I think crypto accelerators are coming standard with the 2800/3800 series now. Throw an "ip tcp adjust-mss 1400" on the GRE interface to dial down the TCP max segment size; that will work around most of your fragmentation problems (tune size as appropriate). There's example config for an IPSec/GRE tunnel in this thread (pay no attention to the crazy man advocating an SSL vpn for this purpose). http://forums.somethingawful.com/showthread.php?threadid=2697661 If this is for a private WAN connecting a bunch of offices together, look into DMVPN. It can create dynamic inter-office tunnels. http://www.cisco.com/en/US/products/ps6658/products_ios_protocol_option_home.html
|
# ? Dec 10, 2007 13:20 |
|
What I have at the moment are a pair of 2801s, not sure how much they can take though I can definitely try with encryption as well. Wouldn't that router still have to fragment stuff, unless I were to lower the MTU of all hosts as well (or at least the couple of routers from which data can come, letting them fragment instead)? What does "ip tcp adjust-mss 1400" do that "mtu 1400" doesn't?
|
# ? Dec 10, 2007 14:31 |
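One end of the GRE-over-MPLS tunnel the last two posts discuss, with OSPF across it and the IPsec protection inignot suggested, as an added example. This is my config and not the one linked in the other thread; the peer addresses, the tunnel subnet, the LAN subnet and the pre-shared key placeholder are all assumptions. The comments on the Tunnel0 interface answer the "mtu vs adjust-mss" question directly.

```cisco
! IKE phase 1 and the IPsec transform set. Transport mode is enough because
! the GRE header already carries the tunnel endpoints.
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-REAL-PSK address 203.0.113.2
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface Tunnel0
 description GRE to the far-end 2801 over the provider MPLS link (assumed)
 ip address 10.255.0.1 255.255.255.252
 ! "ip mtu" is the router's own threshold: any packet it routes INTO the
 ! tunnel that is bigger than this gets fragmented by this router (or
 ! dropped with an ICMP "fragmentation needed" if DF is set). 1400 leaves
 ! room for GRE (24 bytes) plus ESP/AES/SHA overhead inside a 1500-byte
 ! provider MTU. Hosts keep their own 1500 MTU; they never see this value.
 ip mtu 1400
 ! "ip tcp adjust-mss" is different: it rewrites the MSS option in TCP SYNs
 ! passing through this interface, so the two TCP endpoints agree up front
 ! never to build a segment larger than this. TCP traffic then fits the
 ! tunnel without anyone fragmenting. MSS = ip mtu minus 40 bytes of IP+TCP
 ! headers, so 1360 for an ip mtu of 1400 (the thread's 1400 is the same
 ! idea with less headroom). It does nothing for UDP, so the voice/RTP
 ! packets rely on being small, which the poster says they are.
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROT
!
! OSPF runs over the tunnel: multicast hellos cross the GRE encapsulation,
! which the bare MPLS-provided link would not carry for you.
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
 network 192.0.2.0 0.0.0.255 area 0
```

The far end is the mirror image (swap the two 203.0.113 addresses, use 10.255.0.2 on Tunnel0, and advertise its own LAN). Worth checking after it comes up: "show crypto ipsec sa" should show encaps/decaps counters rising on both sides, and "show ip ospf neighbor" should list the peer as FULL across Tunnel0; if the OSPF adjacency sticks in EXSTART, that is the classic sign of an MTU mismatch between the two tunnel interfaces.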
|
Filthy_McGreasy posted:If someone were to poopsock the CCIE training, and assuming a 100% retention rate for the information, how much of a time investment would it be? You mention studying for 6-8 months, is that 2 hours a week, or 2 hours a day? Is the exam environment stressful? From your previous comments it sounds like there would be many people sitting around in a room taking the test at the same time. Do they try to minimize the distractions? How much experience did you have before you decided to start on this? I'm actually going to start poopsocking for CCIE Security in January. I give myself 6 months or so to do the written, and 12-18 months for the lab. I expect to have to take the lab several times, but what the hell, I've got time. For the record, I've got CCNA, CCNP and (last week) CCSP. It's taken me 2 years to get this far, and a fair amount invested in equipment.
|
# ? Dec 10, 2007 16:35 |