adorai posted:Does this require physical access to the device?

Well, it requires out of band management, which you should have anyway. You shouldn't need to do it though, it's just an alternate way. Just use the boot system thing I posted.
# ? Aug 1, 2010 00:41
This is more of just a general network question: isn't it best practice, if you can, to connect a switch to a router on a one-per-port basis? What I mean is, currently at my new position the old IT people that they had outsourced set up the network so that the router is connected to one switch and then the other two switches are daisy-chained onto each other. So Switch1 goes to router, Switch2 is connected to Switch1, and Switch3 is connected to Switch2. Wouldn't this create a lot of unnecessary network traffic? My Cisco router that we just bought has 8 FastE ports on it; I would think it would be better from a network traffic point of view just to connect each one to a port. As in Router to Switch1, Router to Switch2, and Router to Switch3. Perhaps someone with more experience in this field could tell me if this matters or not.
# ? Aug 2, 2010 20:51
Bardlebee posted:This is more of just a general network question:

I try not to daisy chain just because if one of the switches in the chain is unplugged or goes down for whatever reason, you lose connectivity to everything connected to any of the switches after it. I don't think daisy chaining switches causes extra network traffic though, it just goes through the normal switching process like anything else does.
# ? Aug 2, 2010 21:17
If you assume each switch is getting an equal amount of traffic and that most of that traffic is leaving the switch, it is trivial to show that in a daisy chain topology the first switch is getting N times* the amount of traffic as the last switch in the chain. What this means is that daisy chaining switches is not scalable, and every switch you add to the chain increases the amount of traffic of all other switches. However, in practice in small networks it's not really a big deal. Though if you want, set up trunks from each switch and attach each to the router.

e: *Actually it's (N(N-1))/2 times the amount of traffic, but bleh

ate shit on live tv fucked around with this message at 00:06 on Aug 3, 2010
# ? Aug 2, 2010 23:53
Yeah, we have 120 users, so it's not a huge deal, but I am going to take it off this daisy chain situation.
# ? Aug 3, 2010 05:40
Create redundant links between the switches and let spanning tree decide which path to take. If they're el-cheapo consumer switches that don't support spanning tree, be careful to not wire it into a loop.
# ? Aug 3, 2010 15:34
Bardlebee posted:My cisco router that we just bought has 8 FastE ports on it, I would think it would be better from a network traffic point of view just to connect each one to a port. As in Router to Switch1, Router to Switch2, and Router to Switch3.

That's not going to work the way you want, I suspect, because your router's FastE ports are probably Layer3 interfaces. You'll discover that you can't stick them all on the same IP subnetwork (IOS will complain). You could work around this, yes, but the bigger problem is that your router is not a switch. It's going to store and forward packets in CPU, and that's going to impact your LAN performance. I would recommend you designate one of your three switches (S1) as the 'core', and connect S2 and S3 to S1. That's the most efficient topology for what you have to work with.
# ? Aug 3, 2010 17:05
code:
Seems like that would do it as far as router to switch is concerned?
# ? Aug 3, 2010 19:14
Can you have another switch hooked up to an access port, or is that only a problem if you have port security with a mac count enabled? I just assumed it wouldn't work because it won't form a trunk, but I can't say I've ever actually tried to implement it any other way but explicitly setting both ends to trunk, so vv

some kinda jackal fucked around with this message at 19:27 on Aug 3, 2010
# ? Aug 3, 2010 19:24
No need to trunk a single vlan. If you don't have a trunk then it won't connect all vlans to all switches, but if they are already on the same vlan, then it will just see the next switch as more of the same broadcast domain. Assuming you don't have bpdu guard on or something like that, then it's no problem. And of course access ports aren't even vlan aware, so if the two ports were on different vlans, they wouldn't realize it, but it could potentially create a discontiguous network.
# ? Aug 3, 2010 19:29
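The topology recommended a few posts up (S1 as the core, S2 and S3 uplinked to it), with the spanning-tree and BPDU Guard points from the last few replies, written out as a Catalyst configuration. This is an added example, not something anyone in the thread posted. It assumes managed 2960-class switches running Rapid PVST, a single VLAN 1, the interface numbers shown, and an optional redundant S2-S3 link that RSTP keeps blocked until an uplink to S1 fails; all of those are assumptions.

```cisco
! ===== S1 (core) =====
hostname S1
spanning-tree mode rapid-pvst
! Make the core the root so the link RSTP blocks is the S2-S3 one, not an uplink
spanning-tree vlan 1 root primary
! Any PortFast port that receives a BPDU (i.e. someone plugged a switch into it)
! is err-disabled instead of silently becoming part of the topology
spanning-tree portfast bpduguard default
!
interface range FastEthernet0/1 - 21
 description user access ports
 switchport mode access
 switchport access vlan 1
 spanning-tree portfast
!
interface FastEthernet0/22
 description to router Fa0/0 (one VLAN, so an access port is enough - no trunk needed)
 switchport mode access
 switchport access vlan 1
 spanning-tree portfast
!
interface FastEthernet0/23
 description uplink to S2
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/24
 description uplink to S3
 switchport mode trunk
 switchport nonegotiate
!
! ===== S2 (S3 is identical apart from the descriptions; it can omit root secondary) =====
hostname S2
spanning-tree mode rapid-pvst
spanning-tree vlan 1 root secondary
spanning-tree portfast bpduguard default
!
interface range FastEthernet0/1 - 22
 description user access ports
 switchport mode access
 switchport access vlan 1
 spanning-tree portfast
!
interface FastEthernet0/23
 description redundant link to S3 (RSTP blocks this end while the S1 uplink is up)
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/24
 description uplink to S1
 switchport mode trunk
 switchport nonegotiate
```

Two checks worth running after cabling it: `show spanning-tree vlan 1` on each switch should show S1 as root, both S2 and S3 uplinks forwarding, and exactly one end of the S2-S3 link in the blocking (Altn) state; and plugging a spare switch into any access port should produce an err-disable log line rather than a new trunk, which is what stops a daisy chain from quietly growing back.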
Yeah, they are all unmanaged switches. I plugged them in separately into the router and they seem to work fine. Time will tell.
# ? Aug 3, 2010 20:17
I inherited a PIX 515E from a client. Is it worth doing anything with just for fun? Even worth eBaying?

edit: Maybe nothing. It's been >30 minutes watching the console and it still hasn't booted past the PCI Device Table. Reseated the RAM (32MB), removed an expansion Ethernet card, and did the tests you can do when you press ESC after power on. All good. But this fucker is perpetually sitting at the PCI Device Table. It lists everything, but nothing more. How long should I wait? Is there anything at all I can do? This unit was replaced about 6 months ago with a 5520. It was working at the time, and has been sitting in the rack powered down for 6 months. Today I thought to play around with it, and it's stuck. I'm positive it was working fine back when I replaced it. And it didn't take a day and a half to boot.

gregday fucked around with this message at 21:20 on Aug 3, 2010
# ? Aug 3, 2010 20:40
gregday posted:I inherited a PIX 515E from a client. Is it worth doing anything with just for fun? Even worth eBaying?

Depends on what license it has on it. Do a "show version" and see what it's got.
# ? Aug 3, 2010 21:02
EDIT: Fixed my own problem, for once :P

I just want to thank those who made today possible. I installed my first Cisco router, with NAT, with five VPNs, and it was through your guys' help that I was able to not only do it, but understand what I was typing in. Now I feel like this:

It is worth mentioning that when I installed the router for the first time, I had NO problems at all. Then an hour later there was an entire building power outage. Where the old piece of poo poo router would have flipped out and changed random IP numbers (I'm not joking, and we have one of these stupid things still installed in my satellite locations), the Cisco took it like a champ.

Bardlebee fucked around with this message at 22:18 on Aug 3, 2010
# ? Aug 3, 2010 21:43
Anecdotally I found two google results that replacing the BIOS battery might bring that 515E back to life. Who knows if that's really the problem.
# ? Aug 3, 2010 21:57
My 515E says it's version 6.3(3) with a Restricted license.

Turns out it was a bad battery.

gregday fucked around with this message at 22:09 on Aug 3, 2010
# ? Aug 3, 2010 22:07
Very stupid question regarding ACLs on an ASA5501 (I'm probably complicating this more than I need to be): I need to allow access for RDP and SMTP traffic to the terminal and mail servers respectively from a remote network over the VPN and from the outside, and POP/IMAP just over the VPN. Say I've got the PAT translation set up to point port 25 to the internal mail server address. Do I need to configure the ACL to allow traffic on port 25 sent to the public IP address sourced from anywhere and then create another ACL to allow all traffic sourced from the remote network to access the mail server on port 25, or can I just create a single ACL allowing traffic to the internal mail server address from anywhere and assign it to the outside interface out (which I'm assuming would mean the translation has already been done, so it sees the destination even from outside traffic as being the internal mail server)? If I have to do the former, how would I go about creating an ACL for VPN traffic? I've tried to read around and found people indicating that you need to put in sysopt connection permit-ipsec and then reference the 'interesting traffic' ACL as the one that would do the filtering, but I'm not sure what that means. Hopefully this question even makes sense, or I'm more lost than I think I am.
# ? Aug 6, 2010 05:08
Everything is going fine so far except that whatever computer has a static IP address cannot get out to the internet. I however can ping stuff via its IP address, so it almost seems like a DNS issue, but the computers that are set on dynamic IP can get out just fine. I am not sure what I am doing wrong exactly. Also, should I delete this following line? ip dhcp pool 192.168.2.0\24 dns-server 192.168.2.113 255.255.255.0 Here is my sh run, deleted the last octet of certain IP's for privacy: code:
# ? Aug 9, 2010 16:02
The computers with statically assigned IPs don't get DNS info because that is passed with the DHCP association. You'll need to point that computer to a DNS server, say 8.8.8.8, or 66.196.216.10 if you want to be consistent with the rest of your network. As far as deleting that line, sure, go for it; I don't think you are using that pool anyway, and unless that is an internal DNS server or something I don't think you need it.
# ? Aug 9, 2010 18:53
Powercrazy posted:The computers with statically assigned IPs don't get DNS info because that is passed with the DHCP association. You'll need to point that computer so a DNS server, say 8.8.8.8 or 66.196.216.10 if you want to be consistent with the rest of your network.

Yep. Devices with static IPs also need their default gateway and DNS servers assigned statically because they're never going to run a DHCP client to go out and "discover" what DNS servers they should be using.

code:

I usually do mine like this:

code:
# ? Aug 9, 2010 19:32
CrazyLittle posted:
I learn so much here. Thanks guys!
# ? Aug 9, 2010 19:50
So I've searched everywhere and I'm not sure how to turn off wireless control-plane access to an 851W router. The router is supposed to be a "home router" so it only has one vlan. It has 5 physical interfaces on it. One is the WAN port, the other 4 are switchports on vlan 1. It also has a dot11Radio0 interface that is also on vlan 1. What I want is to make it so that any client that is connected wirelessly to the router can't access the router. Can't SSH etc into it. Since everyone is on the same network I can't use access-lists to allow just specific networks. I'd have to do per host filtering but it seems like there has to be a more general method. Any ideas?
# ? Aug 9, 2010 20:15
Question, if I pick the DNS server to be my router 192.168.2.1 in that same static IP situation, shouldn't the router relay the DNS information? Do I really have to statically set every static PC (there aren't that many) with an outside DNS and not my router to automatically find or use my current one? Isn't that what the command dns-server 1.1.1.1 is for?
# ? Aug 9, 2010 22:37
Bardlebee posted:Question, if I pick the DNS server to be my router 192.168.2.1 in that same static IP situation, shouldn't the router relay the DNS information? Do I really have to statically set every static PC (there aren't that many) with an outside DNS and not my router to automatically find or use my current one?

Everything that you put inside your DHCP pool declaration is strictly for DHCP clients. Static IP computers never see that info. If you're running a router with 12.3 or greater, then you might have DNS forwarding abilities, but I wouldn't recommend it. A lot of cisco gear has just enough CPU power to handle the packet load of NAT and/or routing your interface cards, and not much more. We've brought an 1841 to its knees before with just 10mbits of NAT traffic. http://www.nil.com/ipcorner/RouterDNS/ <-- read this completely if you want to try the stuff below.

code:
# ? Aug 9, 2010 22:55
DNS forwarding is not a CPU intensive process, at least not compared with per-flow NATting, or crypto, etc. So don't worry too much about that aspect.

e: Not to say there aren't significant shortcomings to using the router as a dns forwarder. But CPU utilization isn't the most pressing concern.

ate shit on live tv fucked around with this message at 02:22 on Aug 10, 2010
# ? Aug 10, 2010 02:17
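The two DHCP/DNS threads above (static hosts getting no DNS from the pool, and the router acting as a DNS forwarder for the LAN) in one IOS configuration. This is an added example, not the config anyone posted. Assumptions: the LAN is 192.168.2.0/24 with the router at .1 as in the posts, the WAN interface is FastEthernet4, 192.168.2.1 through .31 is the range the statically addressed machines live in, and 8.8.8.8 / 8.8.4.4 are the upstream resolvers. Static hosts still have to be given the gateway and DNS server by hand; nothing in the pool reaches them. What the forwarder buys is that every host, static or DHCP, can point at the same internal address and only the router needs to know the upstream servers. The price is that `ip dns server` answers on every interface, so the WAN side has to be told not to be a public resolver.

```cisco
! Reserve the addresses the router and the static hosts use. Without this the pool
! will eventually lease one of them to a DHCP client and you get a duplicate address.
ip dhcp excluded-address 192.168.2.1 192.168.2.31
!
ip dhcp pool LAN
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 192.168.2.1
 lease 1
!
! Router as DNS forwarder: resolves for the LAN, asks the upstream servers itself.
ip domain lookup
ip name-server 8.8.8.8 8.8.4.4
ip dns server
!
! 'ip dns server' also answers on the WAN address. Drop queries that arrive there so
! the box cannot be used as an open resolver. The router's own forwarded queries come
! back to an ephemeral destination port, not 53, so these two lines do not match them.
! The permit at the end stands in for whatever the existing inbound WAN policy is.
ip access-list extended WAN-IN
 deny   udp any any eq domain
 deny   tcp any any eq domain
 permit ip any any
!
interface FastEthernet4
 description WAN
 ip access-group WAN-IN in
```

To verify: from a LAN host, `nslookup example.com 192.168.2.1` should answer; from anywhere outside, the same query against the public address should time out; `show ip dhcp binding` should never list an address inside the excluded range. A static host that is configured with 192.168.2.1 as gateway and DNS will then behave exactly like the DHCP ones, which is the symptom the question started from.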
FYI, I am selling the aforementioned PIX. http://forums.somethingawful.com/showthread.php?threadid=3337309 That is all.
# ? Aug 10, 2010 18:39
Is there a way to force PPP to re-negotiate authentication without bringing my serial line up and down administratively? I'm just playing with authentication options and shut/no shut seems a little inelegant.
# ? Aug 11, 2010 01:17
Martytoof posted:Is there a way to force PPP to re-negotiate authentication without bringing my serial line up and down administratively?

You could try doing an 'encap hdlc' then 'encap ppp'. That might not bring down the physical interface but should ensure that PPP gets torn down and renegotiated. But in practice, why not just do shut/no shut and set 'serial restart-delay 0'?
# ? Aug 11, 2010 02:46
Also a good option. I don't think there is actually any real world scenario where I'd need to renegotiate PPP authentication without being able to just issue a shut/no shut on the interface so I guess I can imagine why they don't have something like a renegotiate command. I think I was just being overly critical.
# ? Aug 11, 2010 07:50
Sigh. What's the cheapest/most practical option to run:

2x wic-1ADSL bonded with MLPPP
1x wic-1dsu-t1
plus failover with iBGP?

My brain's not working today.
# ? Aug 11, 2010 20:17
Are you looking for cheap EOL units or current systems? I think a 2610XM with an NM-2W would hold the cards you need, and ADSL support is in from 12.3 IP Base IIRC. I'm so unfamiliar with current models that it's not even funny so I'll let someone recommend something newer
# ? Aug 11, 2010 20:30
Cheap EOL is fine. Re: 2610xm, what the hell is the difference between all the 2600XM models? I couldn't find a comparison because Cisco wiped all the documentation from their servers.
# ? Aug 11, 2010 21:07
Ports, mostly. Try this: http://www.andovercg.com/datasheets/cisco-2600-ch1.pdf The models that look the same in physical specs have upgraded processors for more processing, like the 2610xm and 2620xm are rated for 20 and 30kpps respectively. Also this: http://www.cisco.com/en/US/prod/collateral/routers/ps259/product_data_sheet0900aecd800fa5be.html

some kinda jackal fucked around with this message at 21:20 on Aug 11, 2010
# ? Aug 11, 2010 21:14
26x0 has one ethernet interface, 26x1 has two ethernet interfaces. 261x is Ethernet (10mb), 262x is FastEthernet (100mb). This page is great to find out module compatibility and a bunch of other stuff: * http://www.cisco.com/web/partners/tools/quickreference/
# ? Aug 12, 2010 02:18
falz posted:* http://www.cisco.com/web/partners/tools/quickreference/

Thanks for this. I'm convinced Cisco goes out of its way to deliberately make their site difficult to browse or search.
# ? Aug 12, 2010 02:52
Recluse posted:Very stupid question regarding ACLs on an ASA5501 (I'm probably complicating this more than I need to be): I need to allow access for RDP and SMTP traffic to the terminal and mail servers respectively from a remote network over the VPN and from the outside and POP/IMAP just over the VPN. Say I've got the PAT translation setup to point port 25 to the internal mail server address, do I need to configure the ACL to allow traffic on port 25 sent to the public ip address sourced from anywhere and then create another ACL to allow all traffic sourced from the remote network to access the mail server on port 25 or can I just create a single ACL allowing traffic to the internal mail server address from anywhere and assign it to the outside interface out (which I'm assuming would mean the translation has already been done so it sees the destination even from outside traffic as being the internal mail server?) If I have to do the former, how would I go about creating an ACL for VPN traffic? I've tried to read around and found people indicating that you need to put in sysopt connection permit-ipsec and then referencing the 'interesting traffic' ACL as the one that would do the filtering but I'm not sure what that means. Hopefully this question even makes sense, or I'm more lost than I think I am.

Here's what I came up with in regards to the quoted problem for an ASA5501, would anyone be willing to critique?

code:
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list inside_outbound_nat0_acl extended permit ip 192.168.1.0 255.255.255.0 Rensselaer 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.1.0 255.255.255.0 Rensselaer 255.255.255.0
access-list outside_cryptomap_40 extended permit ip 192.168.1.0 255.255.255.0 Delphi 255.255.255.0
access-list outside_in_allow extended permit tcp any interface outside eq smtp
access-list outside_in_allow extended permit tcp any interface outside eq 3389
access-list outside_in_allow extended permit tcp any interface outside eq https
access-list outside_in_allow extended permit tcp any interface outside eq ftp
access-list outside_in_allow extended permit tcp any interface outside eq ftp-data
access-list vpn_allow extended permit tcp any 192.168.1.0 255.255.255.0 eq pop3
access-list vpn_allow extended permit tcp any any eq 995
access-list outbound_allow extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list outbound_allow extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list outbound_allow extended permit tcp 192.168.1.0 255.255.255.0 any eq 8080
access-list outbound_allow extended permit tcp 192.168.1.0 255.255.255.0 any eq ftp
access-list outbound_allow extended permit tcp 192.168.1.0 255.255.255.0 any eq ftp-data
access-list outbound_allow extended permit tcp 192.168.1.0 255.255.255.0 any eq 123
access-list outbound_allow extended permit tcp host 192.168.1.7 any eq smtp
access-list outbound_allow extended permit tcp 192.168.1.0 255.255.255.0 any eq 1863
access-list outbound_allow extended permit tcp 192.168.1.0 255.255.255.0 host 64.128.84.76 eq 8080
access-list outbound_allow extended permit tcp 192.168.1.0 255.255.255.0 any eq 3389
access-list outbound_allow extended permit tcp 192.168.1.0 255.255.255.0 any eq 6689
access-list outbound_allow extended permit tcp 192.168.1.0 255.255.255.0 any eq pop3
access-list outbound_allow extended permit tcp host 192.168.1.2 any eq domain
access-list outbound_allow extended permit tcp host 192.168.1.253 any eq domain
access-list outbound_allow extended permit tcp host 192.168.1.5 any eq domain
access-list outbound_allow extended permit tcp host 192.168.1.7 any eq domain
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_in_allow in interface outside
access-group outbound_allow out interface inside

I had someone try to put it in and they said incoming mail wasn't working, so I know something's not right but thought I'd ask to see if it was obvious to anyone.
# ? Aug 12, 2010 15:40
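A reworked version of the posted policy, added here as an example; it is not the poster's config and not something the thread later confirmed. It assumes ASA 8.0-8.2 syntax (pre-8.3 NAT, matching the nat/static style of the post), that `name` entries for Rensselaer and Delphi already exist, that the mail server is 192.168.1.7 (the only host the posted ACL lets send SMTP) and the terminal server 192.168.1.2, and that the Rensselaer peer is 203.0.113.10 (a documentation address); all of those are assumptions, and the existing tunnel-group and crypto map are left untouched. Things visible in the posted lines that this version changes: outbound_allow is applied out on inside, which filters traffic the ASA sends toward the LAN as well, so an SMTP connection from the Internet to 192.168.1.7 has no matching permit there and is dropped, which fits the "incoming mail isn't working" report; no static translation for the published ports appears in the excerpt, although the outside ACL references interface outside; vpn_allow is defined but never applied; DNS and NTP are permitted only over TCP although both normally use UDP; and the nat 0 exemption covers Rensselaer but not Delphi, so traffic for the second tunnel would be PATed instead of encrypted. On an ASA the sysopt is permit-vpn (permit-ipsec is the PIX 6.x spelling) and it is on by default, so decrypted VPN traffic bypasses the interface ACL and is filtered with a vpn-filter on the tunnel's group-policy instead.

```cisco
! 1. Translations. On a pre-8.3 ASA the outside ACL matches the address as seen on the
!    outside, i.e. the interface address, which only exists for these ports once a
!    static PAT publishes them.
static (inside,outside) tcp interface smtp 192.168.1.7 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255
!
! 2. NAT exemption for BOTH site-to-site tunnels, then overload everything else.
access-list inside_nat0 extended permit ip 192.168.1.0 255.255.255.0 Rensselaer 255.255.255.0
access-list inside_nat0 extended permit ip 192.168.1.0 255.255.255.0 Delphi 255.255.255.0
nat (inside) 0 access-list inside_nat0
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! 3. Internet-facing policy: only the two published services, only to the published address.
access-list outside_in extended permit tcp any interface outside eq smtp
access-list outside_in extended permit tcp any interface outside eq 3389
access-group outside_in in interface outside
!
! 4. VPN policy. With permit-vpn (the default) decrypted traffic skips outside_in, so the
!    per-tunnel vpn-filter is what limits the remote site. A vpn-filter ACL is written
!    from the remote side's point of view: source = remote network, destination = local
!    host. It is evaluated in both directions, so this also stops local hosts from
!    opening arbitrary connections into the remote site.
sysopt connection permit-vpn
access-list vpn_filter extended permit tcp Rensselaer 255.255.255.0 host 192.168.1.7 eq smtp
access-list vpn_filter extended permit tcp Rensselaer 255.255.255.0 host 192.168.1.7 eq pop3
access-list vpn_filter extended permit tcp Rensselaer 255.255.255.0 host 192.168.1.7 eq 995
access-list vpn_filter extended permit tcp Rensselaer 255.255.255.0 host 192.168.1.7 eq imap4
access-list vpn_filter extended permit tcp Rensselaer 255.255.255.0 host 192.168.1.2 eq 3389
group-policy L2L_Rensselaer internal
group-policy L2L_Rensselaer attributes
 vpn-filter value vpn_filter
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy L2L_Rensselaer
!
! 5. Outbound policy goes on the inside interface in the 'in' direction, so it only sees
!    connections the LAN initiates. The rest of the posted outbound entries go here
!    unchanged; only the lines that differ from the post are shown.
access-list inside_in extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_in extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list inside_in extended permit tcp host 192.168.1.7 any eq smtp
access-list inside_in extended permit udp host 192.168.1.2 any eq domain
access-list inside_in extended permit udp host 192.168.1.7 any eq domain
access-list inside_in extended permit udp 192.168.1.0 255.255.255.0 any eq ntp
access-group inside_in in interface inside
```

The quickest way to confirm the direction problem on the original config is `packet-tracer input outside tcp 198.51.100.5 1025 <public-ip> 25`: it walks each phase and names the ACL that drops the packet. After the change the same command should end in ALLOW, and `show access-list inside_in` should show hit counts only on the lines the LAN actually uses, which is the moment to start trimming entries such as the broad RDP and 8080 permits.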
We've got a 6500 series switch and we're looking at the logs, and a couple of log entries have periods in front of them (before the date stamp). Is there a reason that this would happen, or is it just terminal nonsense?
# ? Aug 12, 2010 18:10
That means your device wasn't synced with an ntp server at the time of the log entry. So the timestamp can't be considered authoritative.
# ? Aug 12, 2010 18:48
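The period-prefix question above, turned into the time and logging configuration you want in place before you ever have to rely on one of those timestamps in an incident. Added example, not posted in the thread. The NTP servers, syslog collector, loopback and timezone are assumptions (documentation addresses). For reference, IOS marks a log timestamp with '.' when the clock was once set by NTP but NTP is currently out of sync, and with '*' when the clock was never authoritative at all; either way the entry cannot be correlated with anything else. The year keyword on service timestamps is not in every 12.2 release; drop it if the parser rejects it.

```cisco
! Two time sources, so losing one does not leave the clock drifting (the '.' state).
! 'peer' lets the switch synchronise to these servers; because an access-group is
! configured, every other source and every other type of NTP access is refused,
! so the switch does not serve time to anyone.
ntp server 192.0.2.10 prefer
ntp server 192.0.2.11
ntp source Loopback0
ntp access-group peer 10
access-list 10 permit 192.0.2.10
access-list 10 permit 192.0.2.11
!
! Log in UTC; one less conversion when lining entries up against other systems.
clock timezone UTC 0
!
! Millisecond timestamps with zone and year on both log and debug output.
service timestamps log datetime msec localtime show-timezone year
service timestamps debug datetime msec localtime show-timezone year
!
! Keep a local buffer and ship a copy to a collector. The local copy is what you
! still have if the collector is the thing that broke.
logging buffered 65536 informational
logging trap informational
logging source-interface Loopback0
logging host 192.0.2.50
```

Checks: `show ntp status` should report "Clock is synchronized" and `show clock detail` should say "Time source is NTP"; once both are true, new entries in `show logging` appear with no prefix. Entries written before that point keep their '.' or '*', which is the correct behaviour: the marker is the device telling you which timestamps not to trust.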
Has anyone received any new 4500's? We've been waiting months for the ones we ordered to be delivered but they keep saying there's a back order a mile long. Is anyone seeing these actually being delivered?
# ? Aug 12, 2010 20:41
para posted:Has anyone received any new 4500's? We've been waiting months for the ones we ordered to be delivered but they keep saying there's a back order a mile long. Is anyone seeing these actually being delivered?

I am waiting for one I ordered on the 13th of July; expected ship-date is the 8th of September. However I am happy to see that the status finally has changed to 'Building in Progress'.
# ? Aug 12, 2010 22:53