|
We're merging two large networks together, both of which have extensive IPv4 address conflicts (both networks make extensive use of 10/8, etc.). I suggested running NAT for essential services between the networks while we decide how to do IPv6. Alas I was more or less shot down by the internal application developers who probably still hard code IP addresses. Yay IPv6 day! 
|
#
?
Jun 7, 2012 05:42
|
|
|
|
| # ? May 2, 2024 11:40 |
|
|
Developers certainly shouldn't be network decision makers. Or for systems. Or for.. anything really.
|
|
#
?
Jun 7, 2012 13:14
|
|
|
I agree, but politics .
|
|
#
?
Jun 8, 2012 23:10
|
|
|
Why does not a single supplier have a pair of ASA 5515-x's in stock?
|
|
#
?
Jun 8, 2012 23:25
|
|
|
This may be a dumb question but I was just curious since I don't have access to any of the higher end cisco router's / switches. Do all Cisco router's and switches have the same password recovery procedure? Does this also apply to the ASA line?
|
|
#
?
Jun 9, 2012 00:11
|
|
|
the spyder posted:Why does not a single supplier have a pair of ASA 5515-x's in stock? Welcome to the wonderful world of Cisco supply chain management. How it was explained to me when I worked for a VAR was with higher end gear, and especially towards the end of the quarter/fiscal year, they like to have as little inventory on hand as possible for budgetary reasons. A 1-2 month lag between order and drop-ship is unfortunately not at all uncommon.
|
|
#
?
Jun 9, 2012 00:57
|
|
|
ElvisG posted:This may be a dumb question but I was just curious since I don't have access to any of the higher end cisco router's / switches. Do all Cisco router's and switches have the same password recovery procedure? Does this also apply to the ASA line? Mostly, you can pull up Cisco white papers on individual models to double check if needed. Cisco has that process very well documented
|
|
#
?
Jun 9, 2012 01:11
|
|
|
ElvisG posted:This may be a dumb question but I was just curious since I don't have access to any of the higher end cisco router's / switches. Do all Cisco router's and switches have the same password recovery procedure? Does this also apply to the ASA line? Generally speaking there are 3 broad categories of password recovery I'm aware of- ASA/PIX- interrupt boot sequence, tftp load password recovery bin specific to your code version (obtainable from cco). Fixed config switches- interrupt boot sequence, flash_init, load_helper, move config.text config.old, boot Routers/modular switches (anything with ROMMON)- interrupt boot sequence, confreg 0x2142, boot I haven't had to dig into password recovery on XR platforms (CRS/ASR/GSRXR), I imagine it's a little more in depth.
|
|
#
?
Jun 9, 2012 02:51
|
|
|
para posted:There is a lot of stuff I left out of this because it wasn't really part of the problem I'm trying to solve. For example, the email server sends all outgoing email to a spam filter at Site A. So in the event the internet there is down a relay server can be administratively configured to send it over to Site B where it would then go out to the internet there. Here is my interpretation of your problem that I simulated with basic Cisco routers/switches in Packet Manager. In my simulation, I was using an HTTP server instead:  1. A person on their PC in Site X (a random person on the Internet) opens a web browser and tries to access http://50.2.2.2. 2. Since this IP is outside its subnet, it is sent to the default gateway (192.168.1.1). 3. The router receives the packet and finds that this IP isn't in its routing table, so it sends out its default route. This router is using NAT to overload its inside global address and replaces 192.168.1.1 with 95.22.111.2. 4. This packet gets routed to ISP B's router and is sent to 50.2.2.2 at Site B. 5. Site B's router has a static NAT translation going to 10.1.1.100. It knows how to get to 10.1.1.0/24 since it has a static route in its routing table and forwards the packet to 10.5.1.1. 6. The router at Site A receives this packet and sends it to 10.1.1.100. 7. The server 10.1.1.100 receives the packet and sends a SYN-ACK back to 95.22.111.2. Since this IP is outside its subnet, it is sent to the default gateway (10.1.1.1). 8. Site A's router sees a destination of 95.22.111.2 in the packet. This isn't in the routing table, so it sends it out so it sends out its default route. This router is using NAT to overload its inside global address and replaces the source IP address with 50.1.1.1. 9. ISP A receives a packet from 50.1.1.1 and routes it back to 95.222.111.2. This packet gets discarded because the IP address 50.2.2.2 got changed to 50.1.1.2. I only found two ways to get around this problem: One was to add a second default route on 10.1.1.1 with a higher administrative distance and then manually shutdown the port to Internet A. The other way I "fixed" the problem was to add a static route on 10.1.1.1 for 95.22.111.2 to go to Site B's router, but that doesn't help much. Another possible fix is to look into using Postini for your inbound/outbound spam filtering. Basically, you just point your MX records to them and they will deliver it to your mail servers. They have specific IP ranges that you can setup static routes for so you can have backup routes that will use Site B in case of an outage.
|
|
#
?
Jun 11, 2012 18:18
|
|
|
So here's a bizarre question for the thread (I think I already know the answer is no, but it never hurts to ask I guess). I have a 7937G conference phone and an ATA 186 analog adapter. Is there any way to make the 7937 use the ATA 186 to dial out on an analog line? I know the ATA is designed to adapt analog lines TO a CM or CME system, but can't seem to find if it could possibly work in the reverse. The PBX behind this system is not a CM or CME, so I'd need these devices to work autonomously, which is why I suspect it isn't possible. Thanks.
|
|
#
?
Jun 11, 2012 18:40
|
|
|
The ATA186 provides two FXS ports, which are used to feed ordinary analog phones. To attach it to an existing line for use to place/receive calls, you need a device with FXO ports. There are a number of cheap ATAs with FXO ports, the Sipura/Linksys/CiscoSB SPA-3102 being a popular one. You can register a SIP phone to one of these to use its FXO port. Unfortunately however, the 7937G appears to be Cisco SCCP only and does not seem to support SIP, eliminating pretty much every analog gateway on the market. Hooray Cisco and their proprietary poo poo. It's nothing but a rebadged Polycom Soundstation IP 7000, so you might be able to get a SIP firmware for it or flash the Polycom firmware, but you're on your own there. If you can't get that, the phone is absolutely dependent on a PBX of some sort (Cisco Call Manager officially, Asterisk and others have varying levels of support for SCCP devices).
|
|
#
?
Jun 11, 2012 18:48
|
|
|
Bluecobra posted:I've been racking my brain the last few days about this problem. What if he ran smtpd on port 25 and say 26. Have the ASA in site b forward the connection to port 26 instead of port 25, and then put an iptables rule on the smtp box to set the next-hop of the site b ASA (if the site b ASA is reachable via layer 2) or whatever the router is between site a and b and set up a policy based route for port 26?
|
|
#
?
Jun 11, 2012 19:11
|
|
|
wolrah posted:The ATA186 provides two FXS ports, which are used to feed ordinary analog phones. To attach it to an existing line for use to place/receive calls, you need a device with FXO ports. Thanks for the excellent info. That's about what I suspected, but I just wanted to make sure before I moved on to another solution. It'd be so much easier if we just used the loving 2821 we bought for another office and bought more phones and just replaced this stupid old PBX system here, but no, we can't spend any money and instead we'll let this hardware rot. Awesome. Sigh. Thanks again!
|
|
#
?
Jun 11, 2012 19:15
|
|
|
Bluecobra posted:I've been racking my brain the last few days about this problem. I believe we have found a way around the problem though. You touched on it with the postini. We'll have two spam firewalls at Site A, and one at Site B. Site B's ASA will NAT to the inbound spam firewall at Site A, but I think we can also do outside NAT. That will (should, haven't tested yet) replace the source IP with the ASA's internal IP, so routing back will work correctly. That will complete the SMTP session and Site A's spam filter will deliver to the mail server. For outbound, all email currently goes to an outbound spam filter at Site A. We have decided it is ok to take manual action if our primary internet link for email were to go down. We can go into the filter and set the relay server to be Site B's outbound spam filter. The only question is if the outside NAT will work. I don't see why it wouldn't as it's the same type of NAT as going from inside to outside, just in reverse. I'll let you know how it works out.
|
|
#
?
Jun 12, 2012 00:06
|
|
|
Bluecobra posted:I've been racking my brain the last few days about this problem. I was studying for the CCNA exam and I thought this would be a fun problem to tackle. (I passed, woohoo!) I even went as far as to recreate a simulated network in Cisco Packet Tracer. I went over this problem our senior network engineer and we don't think there is a way around this problem. Email traffic originating at 50.2.2.2 is always going to get asymmetrically routed from 50.1.1.1 since it is hitting Site A's default route. Since you don't want add a backup default route, my suggestion is to have a second email server at Site B with a lower MX record. Why is the static NAT configured on 50.2.2.2 and not on 50.1.1.1 when that's the site that hosts the server anyway?
|
|
#
?
Jun 12, 2012 00:10
|
|
|
abigserve posted:Why is the static NAT configured on 50.2.2.2 and not on 50.1.1.1 when that's the site that hosts the server anyway? It is configured at both sites. Their email server is at Site A, and they also want to be able to use Site B as a backup to continue to send/receive email, so their MX records would be configured something like this: 10 mx1.company.com (resolves to 50.1.1.1) 20 mx2.company.com (resolves to 50.2.2.2) We have something similar to this at my company, but both sites have email servers. Granted, spammers don't give two shits about RFC's and will send email to higher preference servers anyways.
|
|
#
?
Jun 12, 2012 05:28
|
|
|
New job, and I am now an ASA jockey! Oh the humanity!
|
|
#
?
Jun 12, 2012 20:31
|
|
|
jwh posted:New job, and I am now an ASA jockey! Oh the humanity! welp. 
|
|
#
?
Jun 12, 2012 20:39
|
|
|
jwh posted:New job, and I am now an ASA jockey! Oh the humanity! That is terrible. Unless you are excited about ACLs?
|
|
#
?
Jun 12, 2012 21:57
|
|
|
jwh posted:New job, and I am now an ASA jockey! Oh the humanity! This does not seem like a career upgrade for you, based on your posts.
|
|
#
?
Jun 12, 2012 22:23
|
|
|
jwh posted:New job, and I am now an ASA jockey! Oh the humanity! Congrats on the huge pay increase, as I'm sure that's the only way anyone would've accepted that position.
|
|
#
?
Jun 12, 2012 22:58
|
|
|
jwh posted:New job, and I am now an ASA jockey! Oh the humanity! It's not so bad, join the dark side.
|
|
#
?
Jun 13, 2012 02:29
|
|
|
jwh posted:New job, and I am now an ASA jockey! Oh the humanity! My condolences. I guess where one fun story ends, a new one begins. Just got approval to migrate every last one of our ASA's to Palo Altos over the next year or so.
|
|
#
?
Jun 13, 2012 03:41
|
|
|
I'm the biggest Palo Alto evangelist around, but believe me, there are some major stability issues with the 4.x train of code. I wish it wasn't the case, either, since I like their product more than any other firewall or UTM product I've worked with. But you know what? All of that doesn't mean much when the boxes are crashing regularly. Last I spoke with my Palo Alto representatives, before leaving my last position, was to tell them that I really want to use them, but I simply can't recommend them at this time, under the 4.x code train. And that sucks, too, because 4.x is where the cool stuff lives. Well, at least, most of the cool stuff. So be careful. I wish you the best, of course. As for a job upgrade, it wasn't really about that, exactly: I was bored at my last place, where I had been for six years. Most of the engineering work I had done, and was proud of, was done within my first three years. So this time, I took a job with a firm in Florida, while I'll continue to live in Massachusetts. It's just something different. Change of scenery, travel, etc. My dream right now is to find a way to do network design and illustration full time, say, for a consulting agency. I love to diagram, and I have an art background, so that's really where I want to spend my time. In the mean time, if any of you are in the Boca Raton area, hit me up. I'll be down here an awful lot. madsushi posted:Congrats on the huge pay increase, as I'm sure that's the only way anyone would've accepted that position. $5.25 an hour, not including tips! jwh fucked around with this message at 18:14 on Jun 13, 2012 |
|
#
?
Jun 13, 2012 18:12
|
|
|
So I have been tasked to replace 10 very old and aging 3Com switches for a basic, low utilized network. My choices have come down to either the WS-C2960S-24TS-L or the SGE2000. Both are classified as Cisco Small Business and they seem very similar in features but the C2960S is significantly more expensive and I cant seem to tell why. Anyone have any experience with these switches and if so, which would you choose?
|
|
#
?
Jun 13, 2012 19:37
|
|
|
XMalaclypseX posted:So I have been tasked to replace 10 very old and aging 3Com switches for a basic, low utilized network. The 2960s are not Cisco Small Business, but proper Catalyst switches running proper IOS. The SGE2000 are Cisco Small Business switches which are rebranded Linksys switches. The SGE2000s primary means of management is a web based GUI that is horribly slow and a pain to manage over a slow connection. There is text based management but its a really basic menu based terminal accessed either through a serial port or telnet. This is also the only way to change the switch between a layer 2 and a 3 switch and between a stacked switch and a non-stacked switch. One of the advantages of CSB switches is that they can be converted to layer 3 switches. However you can't change the VLAN interface IP address without deleting it and readding it (I had to do this remotely and it involved pushing a config file to the startup config and restarting the switch and hoping that the config didn't have a typo or something causing it to not be loaded into the running config with no way of fixing it remotely). The 2960s have standard IOS with the standard IOS command line interface or the web browser GUI if you're one of those people. You're paying the extra for IOS more than anything else compared to the other switch. IOS is frequently updated with patches and features. The SGE2000 OS has had like one update since June last year and I doubt it'll get anymore. Both of those models can be stacked. The 2960s require a stack module which goes into the back and can be stacked to a maximum of four switches using 10Gigabit cables that go into the modules. The SGE2000s can be stacked to a maximum of eight switches using ports 12 and 24 on the front - the two rightmost RJ45 ports - this is especially great when you forget this and can't figure out why the gently caress poo poo isn't working when connected to these two ports. They become regular Ethernet ports though if stacking is disabled from the menu based terminal. Neither of those switch models are PoE. Both switches have 24 Gigabit ports and 4 Gigabit SFP ports. In short the 2960s are far easier to setup and manage, but if its a basic, low utilised network then once you get through the pain of setting up the SGEs then there shouldn't be much managing required. I am assuming that the topology is a flat network with no VLANs and that the default gateway is some other router. How would the switches be connected to one another? chestnut santabag fucked around with this message at 21:17 on Jun 13, 2012 |
|
#
?
Jun 13, 2012 21:14
|
|
|
chestnut santabag posted:One of the advantages of CSB switches is that they can be converted to layer 3 switches. Actually so can the 2960 - static routing only though.
|
|
#
?
Jun 13, 2012 21:23
|
|
|
chestnut santabag posted:The 2960s are not Cisco Small Business, but proper Catalyst switches running proper IOS. Thanks for your input! This pretty much confirms my suspicions and is a giant plus in favor of the Catalyst switch. Has the overall quality of their hardware gotten any better since their takeover by Cisco? The switches will be connected via SPF+ to a WS-C3750X-12S-S which will serve as a core switch. Right now its just a flat network but I want the ability to be as flexible as possible.
|
|
#
?
Jun 13, 2012 21:37
|
|
|
ior posted:Actually so can the 2960 - static routing only though. Oh right yeah, but you need 12.2(55)SE minimum and some SDM fuckery I think. I haven't tried routing on a 2960 yet as it doesn't seem to be recommended or mentioned much. I'm not sure how well the ASICs would cope. The one quad 2960 stack that I manage has like 60% average CPU utilisation (of which 20% seems to be from the LEDs) so I'm not too enthusiastic about doing any kind of routing through them. XMalaclypseX posted:Thanks for your input! It's literally the same switch with a Cisco logo on it. They didn't even change the model number: https://www.google.com/search?q=sge...iw=1597&bih=941 You can't even use the Cisco Small Business SFPs on regular Catalyst switches without the port getting automatically disabled. By SFP+ do you mean 10Gig links? Both of those models only have regular 1Gig SFPs. I did a similar installation to what you're doing with a 3750 as the core and CSB switches as the access switches at a simple low utilised nework. The only major difference is that those were PoE switches as the upgrade was for an IPT rollout which made things a bit more complicated but otherwise there haven't been any issues in the four or more months that it's been running. chestnut santabag fucked around with this message at 22:01 on Jun 13, 2012 |
|
#
?
Jun 13, 2012 21:45
|
|
|
quote:You can't even use the Cisco Small Business SFPs on regular Catalyst switches without the port getting automatically disabled. 1Gig. Don't know how that plus got there.
|
|
#
?
Jun 13, 2012 22:47
|
|
|
chestnut santabag posted:Oh right yeah, but you need 12.2(55)SE minimum and some SDM fuckery I think. The CPU utilization on the 2960S's is a known bug in the code having to do with SNMP CPU reporting. The CPU isn't actually being maxed out. You can verify this by logging in for about a minute or two and then doing a sh processes cpu history. 2960S's are also PoE capable (at least some models are) and are pretty slick switches with all Console/Management/USB ports on the front. Uplinking them to a 3750 stack and using etherchannels is a perfect use-case for them. I wouldn't touch the "small business class" switches made by anyone except maybe Mitel.
|
|
#
?
Jun 14, 2012 00:26
|
|
|
jwh posted:I'm the biggest Palo Alto evangelist around, but believe me, there are some major stability issues with the 4.x train of code. We've been running 4.1 code for a while with ~200 users on one site and ~1000 at another with the only issues being around matching users up in AD, no crashes at all. We have a handful of servers with minimal hits/day at the larger location. It's going to be a slow roll-out, we're going to test out site to site VPNs next, etc. Data centers being dead last. What type of issues were you running into outside of crashes, and were you in an HA setup?
|
|
#
?
Jun 14, 2012 02:20
|
|
|
Powercrazy posted:2960S's are also PoE capable (at least some models are) and are pretty slick switches with all Console/Management/USB ports on the front.
|
|
#
?
Jun 14, 2012 03:42
|
|
|
CaptainGimpy posted:What type of issues were you running into outside of crashes, and were you in an HA setup? We were in a 4020 HA active/passive setup with virtual systems enabled (5 total vsys), and we were seeing frequent routed crashes during automatic commits for av updates or manual commits. There were myriad issues, however, going back to the 3.x train. Don't get me wrong, a lot of it was cosmetic, but the crashes we experienced over the past several years were a bumpy ride.
|
|
#
?
Jun 14, 2012 16:02
|
|
|
So my company is moving to a new building. I'm inheriting 4 stacked Catalyst 3750g switches and a Cisco 1841 router. Where is a good place to read up about managing these other than the Cisco site, which I've read through. Just wondering if there was another place where it's explained a little clearer, as I've never touched a piece of Cisco equipment before.
|
|
#
?
Jun 15, 2012 05:44
|
|
|
blackmanjew posted:So my company is moving to a new building. I'm inheriting 4 stacked Catalyst 3750g switches and a Cisco 1841 router. Where is a good place to read up about managing these other than the Cisco site, which I've read through. Just wondering if there was another place where it's explained a little clearer, as I've never touched a piece of Cisco equipment before. Well it 100% depends on what you want to do with them. I'd say pick up a CCNA book. I'd recommend the Sybex book by Lammle. It's very thorough. For your setup, you will probably want to focus on Switching, so if you like you can look for the CCNA Exploration switching materials and go from there. You won't be able to do too much with a single router, though they are Layer 3 routers and you might be able to set up a nice little network if you have the right IOS loaded.
|
|
#
?
Jun 15, 2012 05:50
|
|
|
Martytoof posted:Well it 100% depends on what you want to do with them. Thanks! I basically just need them to work like a standard consumer level switch because I don't want to spend much time on them  I'll pick that book up though, thanks for the recommendation. Edit: There seems to be quite a few books by Lammle, could you recommend a specific one? ddiddles fucked around with this message at 06:07 on Jun 15, 2012 |
|
#
?
Jun 15, 2012 06:03
|
|
|
blackmanjew posted:Edit: There seems to be quite a few books by Lammle, could you recommend a specific one? Back when I started to learn about Cisco, my first book was: http://tinyurl.com/cc5zaot Good book which introduces you to various technologies. Presentation is simple and there are some relaxing humorous real life stories. It can be considered as good first book on Cisco, since Cisco Press books are a little dry (bought them also but didn't read much). Latest edition: http://tinyurl.com/dyrux25 As was mentionet, it is thorough in basics and will provide good insight. I can't comment on latest edition, though.
|
|
#
?
Jun 15, 2012 07:02
|
|
|
AtmaHorizon posted:Back when I started to learn about Cisco, my first book was: A, good deal, thanks! I picked up a used copy for about $10.
|
|
#
?
Jun 15, 2012 07:13
|
|
|
|
| # ? May 2, 2024 11:40 |
|
|
jwh posted:New job, and I am now an ASA jockey! Oh the humanity! Belated congratulations and condolences.
|
|
#
?
Jun 15, 2012 11:22
|
|
