Panthrax
Jul 12, 2001
I'm gonna hit you until candy comes out.

wolrah posted:

It's all good, it's pretty simple between two *nix boxes.

Awesome, thanks! I'm going to try this soon.


Apex Rogers
Jun 12, 2006

disturbingly functional

Does anybody use IOS.sh? I noticed that it is supported on ISR routers and some others and was wondering if it is at all useful.

Pile Of Garbage
May 28, 2007



Having an issue with some Cisco Aironet 2600-series APs using Windows DHCP Server: the APs are getting a lease but are not picking up the WLC management IP from the DHCP options. I've tried using a vendor class with VCI "Cisco AP c2600" and option 241 defined within the class as well as just option 43 with the WLC management IP address specified in TLV format. We've already got 1100-series APs which are working fine using a vendor class on the Windows DHCP server. In addition we have other 2600-series APs at remote sites working using the local Cisco router as a DHCP server. I've tried searching around however all of the Cisco documentation is very vague when it comes to Windows DHCP Server.

Has anyone encountered this issue before and/or have a working reference configuration? We're going to start doing proper diagnostics tomorrow but it would be swell if anyone could offer some advice.

ate shit on live tv
Feb 15, 2004

by Azathoth
I've had the same issue with 3600 APs. Have you tried specifying option 43 with a hex IP?

This is how I have it setup on my ISR that I'm using as a DHCP server.

ip dhcp pool AccessPoints
import all
network 172.18.0.0 255.255.255.240
default-router 172.18.0.1
option 43 hex f104.0a01.0a0f
lease 7

Option 43 is 10.1.10.15 in hex, with an ethertype (I think) prefixed.

quote:

The hex string is assembled by concatenating the TLV values shown below:

Type + Length + Value

Type is always f1(hex). Length is the number of controller management IP addresses times 4 in hex. Value is the IP address of the controller listed sequentially in hex.

For example, suppose that there are two controllers with management interface IP addresses, 10.126.126.2 and 10.127.127.2. The type is f1(hex). The length is 2 * 4 = 8 = 08 (hex). The IP addresses translate to 0a7e7e02 and 0a7f7f02. Assembling the string then yields f1080a7e7e020a7f7f02. The resulting Cisco IOS command added to the DHCP scope is listed below:

option 43 hex f1080a7e7e020a7f7f02

- See more at: https://supportforums.cisco.com/discussion/10983421/lwapp-ap-and-dhcp-option-43#sthash.hNnlhozi.dpuf

ate shit on live tv fucked around with this message at 20:41 on May 27, 2015
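The TLV rule in the quoted Cisco note, worked through as an added Python example (not code from the thread or from Cisco): it encodes a controller list into the option 43 payload, prints it in the IOS dotted form used in the post above, and decodes a payload back while rejecting the malformed cases that leave an AP with a lease but no controller.

```python
"""DHCP option 43 TLV for Cisco lightweight AP controller discovery.

Added example, not from the thread. Encodes WLC management addresses into the
sub-option the quoted Cisco note describes (type 0xf1, length = 4 * number of
addresses, value = the IPv4 addresses packed big-endian) and decodes such a
payload back, so an admin can check what a DHCP server is really handing out.
"""
import ipaddress
import re

CISCO_WLC_SUBOPTION = 0xF1   # the Cisco note fixes the type as "always f1"


def encode_option43(controllers):
    """Return the option 43 payload as a lowercase hex string.

    One controller, 10.1.10.15, gives 'f1040a010a0f', i.e. the post's
    'f104.0a01.0a0f' once the IOS dots are removed.
    """
    addrs = [ipaddress.IPv4Address(c) for c in controllers]
    if not addrs:
        raise ValueError("need at least one controller address")
    value = b"".join(a.packed for a in addrs)
    if len(value) > 255:
        raise ValueError("TLV length is a single byte; too many controllers")
    return bytes([CISCO_WLC_SUBOPTION, len(value)]).hex() + value.hex()


def ios_dotted(hexstr):
    """Render in the 4-digit dotted groups IOS uses: 'option 43 hex f104.0a01.0a0f'."""
    return ".".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))


def decode_option43(hexstr):
    """Parse option 43 bytes and return the controller addresses as strings.

    Accepts IOS dotted form or plain hex. Raises ValueError on a malformed TLV
    (wrong type, length byte not matching the value, length not a multiple of
    4), which is exactly the kind of defect that makes an AP ignore the option.
    """
    raw = bytes.fromhex(re.sub(r"[.\s]", "", hexstr))
    if len(raw) < 2:
        raise ValueError("option 43 payload shorter than a TLV header")
    sub_type, length = raw[0], raw[1]
    if sub_type != CISCO_WLC_SUBOPTION:
        raise ValueError(f"unexpected sub-option type 0x{sub_type:02x}")
    value = raw[2:]
    if len(value) != length:
        raise ValueError(f"length byte says {length} but {len(value)} value bytes present")
    if length % 4 != 0:
        raise ValueError("length must be a multiple of 4 (one IPv4 address each)")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, length, 4)]


if __name__ == "__main__":
    # The two-controller case from the Cisco note: f1080a7e7e020a7f7f02
    print(encode_option43(["10.126.126.2", "10.127.127.2"]))
    # The single-controller case from the post above, in IOS dotted form
    print(ios_dotted(encode_option43(["10.1.10.15"])))
    print(decode_option43("f104.0a01.0a0f"))
```

Windows DHCP Server takes the same bytes as a binary option value; feeding the server's configured value through `decode_option43` is a quick way to confirm the TLV is what the AP expects before reaching for packet captures.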

Pile Of Garbage
May 28, 2007



Powercrazy posted:

I've had the same issue with 3600 APs. Have you tried specifying option 43 with a hex IP?

This is how I have it setup on my ISR that I'm using as a DHCP server.

ip dhcp pool AccessPoints
import all
network 172.18.0.0 255.255.255.240
default-router 172.18.0.1
option 43 hex f104.0a01.0a0f
lease 7

Option 43 is 10.1.10.15 in hex, with an ethertype (I think) prefixed.

Yeah we've tried option 43 in TLV format, thanks for the reply though. We've brought one of the APs to the office and are going to do some packet captures for diagnosis in a bit so I'm sure we'll get to the bottom of it.

Edit: the guy from our networks team who I was working with just told me that it actually started working sometime after we left the office last night so NFI what was going on. Of course now we're getting a DTLS handshake error but that ain't my problem, I'm just a server guy heh

Pile Of Garbage fucked around with this message at 00:54 on May 28, 2015

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy
Networking moron over here:

I need to wire a temporary space, which has PoE phones which pass internet along to laptops. If I plug a stock Procurve PoE switch into the core switch, the phones turn on and pass internet to the laptops, but they don't connect to the voice VLAN and/or get their own IP.

If I instead plug an unmanaged 4-port PoE switch in and use that it works fine and seems to pass along all DHCP/VLAN info.

If I can console into this Procurve, is there any kind of quick config I can give it to make it act like the unmanaged switch?

Yeast Confection
Oct 7, 2005

Zero VGS posted:

Networking moron over here:

I need to wire a temporary space, which has PoE phones which pass internet along to laptops. If I plug a stock Procurve PoE switch into the core switch, the phones turn on and pass internet to the laptops, but they don't connect to the voice VLAN and/or get their own IP.

If I instead plug an unmanaged 4-port PoE switch in and use that it works fine and seems to pass along all DHCP/VLAN info.

If I can console into this Procurve, is there any kind of quick config I can give it to make it act like the unmanaged switch?

If I remember correctly, making all of the ports access ports with no VLANs works.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

Zero VGS posted:

Networking moron over here:

I need to wire a temporary space, which has PoE phones which pass internet along to laptops. If I plug a stock Procurve PoE switch into the core switch, the phones turn on and pass internet to the laptops, but they don't connect to the voice VLAN and/or get their own IP.

If I instead plug an unmanaged 4-port PoE switch in and use that it works fine and seems to pass along all DHCP/VLAN info.

If I can console into this Procurve, is there any kind of quick config I can give it to make it act like the unmanaged switch?
if your voice vlan is 3

config t
vlan 3
voice
tagged 1-24

would be what you need to do to make your phones connect to the voice vlan. I don't know about making it a dumb switch.

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy

adorai posted:

if your voice vlan is 3

config t
vlan 3
voice
tagged 1-24

would be what you need to do to make your phones connect to the voice vlan. I don't know about making it a dumb switch.

Thanks, I'll try this.

Ashley Madison posted:

If I remember correctly, making all of the ports access ports with no VLANs works.

I'll check into this too, I might program one of the cold standby switches this way so I can get a blown switch back up as fast as possible.

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy
Hmm, I entered these commands over console cable, then when I connected this switch to the core switch on port 1, two of my other random switches in the 12-switch stack froze. They both lost all phones and internet from that switch until I power-cycled it.

Now, I do have contractors in that room installing air conditioning right now, so they might have tripped over something, but I don't want to rule out that it was me.

I've seen these Procurve switches occasionally crash and need to be power-cycled on other occasions (even when I'm not loving with anything). Is there any way to give them some kind of automated recovery? I do have networked power strips that can turn individual outlets on/off now, it'd be neat if they can respond to a lack of heartbeat or something.

Thanks Ants
May 21, 2004

#essereFerrari


If your switches are crashing then they are broken or are running a buggy firmware. The fix for either of those problems is not a power strip to reset them.

Edit: That came across a bit harsh. You should definitely have monitoring in place so you know when poo poo fucks up, but having stuff in place so you know when things crash isn't a substitute for having an environment that doesn't randomly fall over.

Thanks Ants fucked around with this message at 18:32 on May 28, 2015

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy

Thanks Ants posted:

If your switches are crashing then they are broken or are running a buggy firmware. The fix for either of those problems is not a power strip to reset them.

Edit: That came across a bit harsh. You should definitely have monitoring in place so you know when poo poo fucks up, but having stuff in place so you know when things crash isn't a substitute for having an environment that doesn't randomly fall over.

Yeah, the next couple weeks is the opportunity where I get to tell a Cisco tech to fix how willy-nilly our poo poo was set up. Plus if I get good at figuring out how to interchange these switches myself, I can start to swap spares in for production switches and send those to HP for warranty service until I get some that don't crash.

For this new switch right now I'm about to try out this configuration, which I copied from another member switch, changing a few numbers:

code:
hostname "Switch-11"
time timezone -500
ip default-gateway 192.168.3.1
sntp server 192.168.3.10
timesync sntp
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-48
   no ip address
   exit
vlan 2
   name "voice"
   ip address 192.168.3.8 255.255.255.0
   tagged 1-48
   voice
   exit
stack join c4346ba62d40
spanning-tree
spanning-tree priority 11
loop-protect 1-48
password manager

I changed the hostname for the switch from 4 to 11, the spanning-tree priority from 4 to 11, and the "vlan 2" IP address from an occupied IP to a freed up IP. Everything else is identical to a config from a switch already in place and working.

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy
Woo, it worked! I win! Thanks for the help all.

12 rats tied together
Sep 7, 2006

It kind of depends on your environment but I would be really hesitant to change spanning tree priorities unless you know exactly what you're doing. That being said - I think having a random access switch with a spanning tree priority of 4 is bonkers insane, so maybe it's me who has no idea what he's doing.

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy
I mean the dopes who configured random access switches 2-10 made them priority 2-10 to match. Even with me having no idea how STP works, that sounds wrong to me, but I'm sure following their lead will be okay for a few weeks until I get the entire network config overhauled.

12 rats tied together
Sep 7, 2006

Yeah, that will probably be fine.

The short version of the spanning tree priority value is that the device with the lowest priority becomes the 'root bridge', which basically means that when STP decides to block the redundant links that have the highest "cost", it calculates "cost" as "distance from this link to the root bridge".

It's a little bit more complicated than that, and TBH I haven't really had to gently caress with anything STP related in a long time, but basically yeah, as long as you don't set up random access switch 1 and set the STP priority as 1 nothing should actually change.

I believe spanning tree priority is a 16-bit number so 1-65535? And the default is whatever is in the middle of that, for reference.

Filthy Lucre
Feb 27, 2006
Default STP priority is 32768; priority values are 0-65535 and have to be a multiple of 4096. Zero is the best priority, 65535 the worst.

Not sure what the HP is doing if it is accepting priority values of 11. Using 11*4096, maybe?


Edit: had my Max STP value off by one.

Filthy Lucre fucked around with this message at 21:06 on May 28, 2015

Thanks Ants
May 21, 2004

#essereFerrari


This http://www.hp.com/rnd/support/manuals/pdf/release_06628_07110/Bk2_Ch5_STP.pdf seems to suggest they use 0-65535 as well, but doesn't mention the multiples.

What does the running config show as the spanning tree priority? If you don't get an error typing in "spanning-tree priority 11" then I guess it's rounding somewhere.

Come to think of it, surely if these switches are stacked then the stack is the root bridge? STP confuses me.

12 rats tied together
Sep 7, 2006

Yeah, I've never run into a situation where I need to use multiples.

It doesn't make sense, actually, from a software perspective to store the value in a 16-bit int and then only use increments of 12 bits. They could just use 4 bits in that case.

Edit: Actually, this makes sense I guess:

http://communitystring.com/2008/07/why-the-stp-bridge-priority-must-be-a-multiple-of-4096/

There are actually only 4 bits in use.

12 rats tied together fucked around with this message at 22:05 on May 28, 2015
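An added example (not from the thread) of the bridge-ID arithmetic behind the multiple-of-4096 rule discussed above: the 16-bit field is 4 bits of priority plus a 12-bit system ID extension, and the root election compares the whole 64-bit bridge ID, which is why a stray access switch at priority 2 outranks a core left at the default. The `procurve_multiplier_to_priority` helper and the sample switch list are assumptions that follow the thread's guess that a ProCurve value of 11 means 11 * 4096.

```python
"""Bridge ID arithmetic behind "STP priority must be a multiple of 4096".

Added example, not from the thread. With the 802.1t extended system ID the
16-bit priority field splits into 4 bits of configurable priority (so only 16
values, each a multiple of 4096, default 32768 = 8 * 4096) and 12 bits of
VLAN/instance ID. The 64-bit bridge ID is that field followed by the 48-bit
bridge MAC, and the numerically lowest bridge ID wins the root election.
"""

PRIORITY_STEP = 4096               # 2**12: the low 12 bits belong to the extension
DEFAULT_PRIORITY = 32768           # 8 * 4096, the middle of the 16 usable values
MAX_PRIORITY = 15 * PRIORITY_STEP  # 61440; 65535 is the max field value, not a valid priority


def is_valid_priority(priority):
    """True only for the 16 values the 4-bit priority nibble can hold."""
    return 0 <= priority <= MAX_PRIORITY and priority % PRIORITY_STEP == 0


def priority_field(priority, vlan_id):
    """Pack priority (high 4 bits) and VLAN/system-ID extension (low 12 bits)."""
    if not is_valid_priority(priority):
        raise ValueError(f"{priority} is not a multiple of 4096 in 0..{MAX_PRIORITY}")
    if not 0 <= vlan_id <= 0xFFF:
        raise ValueError("system ID extension must fit in 12 bits")
    return priority | vlan_id


def split_priority_field(field):
    """Inverse of priority_field: the 32769 that 'show spanning-tree' prints on
    VLAN 1 is really priority 32768 plus extension 1."""
    if not 0 <= field <= 0xFFFF:
        raise ValueError("priority field is 16 bits")
    return field & 0xF000, field & 0x0FFF


def bridge_id(priority, vlan_id, mac):
    """64-bit bridge ID used in BPDU comparisons: priority field << 48 | MAC."""
    mac_int = int(mac.replace(":", "").replace("-", ""), 16)
    if mac_int > 0xFFFFFFFFFFFF:
        raise ValueError("MAC must be 48 bits")
    return (priority_field(priority, vlan_id) << 48) | mac_int


def elect_root(bridges, vlan_id):
    """Name of the bridge with the lowest bridge ID on vlan_id (ties break on MAC)."""
    return min(bridges, key=lambda b: bridge_id(b["priority"], vlan_id, b["mac"]))["name"]


def procurve_multiplier_to_priority(step):
    """ASSUMPTION, following the thread's guess: a ProCurve CLI value such as
    'spanning-tree priority 11' is a 0-15 multiplier, i.e. 11 * 4096 = 45056."""
    if not 0 <= step <= 15:
        raise ValueError("multiplier must be 0..15")
    return step * PRIORITY_STEP


# Constructed sample modelled on the thread: access switches given low multipliers,
# a core left at the default. MAC addresses are made up.
SAMPLE_SWITCHES = [
    {"name": "core", "priority": DEFAULT_PRIORITY, "mac": "00:00:5e:00:53:01"},
    {"name": "Switch-2", "priority": procurve_multiplier_to_priority(2), "mac": "00:00:5e:00:53:02"},
    {"name": "Switch-11", "priority": procurve_multiplier_to_priority(11), "mac": "00:00:5e:00:53:0b"},
]


def root_with_core_fixed(bridges, vlan_id, core_name="core"):
    """Same election after giving the core priority 0, the usual fix for the
    'random access switch is root' situation 12 rats warns about."""
    fixed = [dict(b, priority=0) if b["name"] == core_name else b for b in bridges]
    return elect_root(fixed, vlan_id)


if __name__ == "__main__":
    print(split_priority_field(32769))               # (32768, 1)
    print(elect_root(SAMPLE_SWITCHES, 1))            # Switch-2 beats the core at 32768
    print(root_with_core_fixed(SAMPLE_SWITCHES, 1))  # core
```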

Ahdinko
Oct 27, 2007

WHAT A LOVELY DAY

cheese-cube posted:

Yeah we've tried option 43 in TLV format, thanks for the reply though. We've brought one of the APs to the office and are going to do some packet captures for diagnosis in a bit so I'm sure we'll get to the bottom of it.

Edit: the guy from our networks team who I was working with just told me that it actually started working sometime after we left the office last night so NFI what was going on. Of course now we're getting a DTLS handshake error but that ain't my problem, I'm just a server guy heh

I've never done the option 43 method, I've always done them using DNS, with the CISCO-CAPWAP-CONTROLLER or whatever the record is, maybe give that a go?

madsushi
Apr 19, 2009

Baller.
#essereFerrari
I am having some problems with my ASA (of course).

I can't figure out how to get simple ICMP traceroute to work outbound through the ASA. I have a server inside my network (private network, 10.0.0.238/8) and I want to traceroute to Google. I see my default gateway (a switch), nothing, nothing, nothing, and eventually get a reply from 8.8.8.8 and that's it. The server is using the outside interface for outbound NAT, and its ACL allows full ICMP outbound.

I have both "inspect icmp" and "inspect icmp error" turned on.

code:
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error

Here are my icmp settings:

code:
icmp permit any inside
icmp permit any echo-reply inside
icmp permit any unreachable inside
icmp permit any echo inside
icmp permit any time-exceeded outside
icmp permit any echo-reply outside
icmp permit any echo outside
icmp deny any outside

Here's what "debug icmp trace" looks like:

code:
ICMP echo request from inside:10.0.0.238 to outside:8.8.8.8 ID=9195 seq=4 len=32
ICMP echo request translating inside:10.0.0.238 to outside:208.4.4.98
ICMP echo request from inside:10.0.0.238 to outside:8.8.8.8 ID=9195 seq=5 len=32
ICMP echo request translating inside:10.0.0.238 to outside:208.4.4.98
ICMP echo request from inside:10.0.0.238 to outside:8.8.8.8 ID=9195 seq=6 len=32
ICMP echo request translating inside:10.0.0.238 to outside:208.4.4.98
ICMP echo request from inside:10.0.0.238 to outside:8.8.8.8 ID=9195 seq=7 len=32
ICMP echo request translating inside:10.0.0.238 to outside:208.4.4.98
ICMP echo request from inside:10.0.0.238 to outside:8.8.8.8 ID=9195 seq=8 len=32
ICMP echo request translating inside:10.0.0.238 to outside:208.4.4.98
ICMP echo request from inside:10.0.0.238 to outside:8.8.8.8 ID=9195 seq=9 len=32
ICMP echo request translating inside:10.0.0.238 to outside:208.4.4.98
ICMP echo request from inside:10.0.0.238 to outside:8.8.8.8 ID=9195 seq=10 len=32
ICMP echo request translating inside:10.0.0.238 to outside:208.4.4.98
ICMP echo request from inside:10.0.0.238 to outside:8.8.8.8 ID=9195 seq=11 len=32
ICMP echo request translating inside:10.0.0.238 to outside:208.4.4.98
ICMP echo request from inside:10.0.0.238 to outside:8.8.8.8 ID=9195 seq=12 len=32
ICMP echo request translating inside:10.0.0.238 to outside:208.4.4.98
ICMP echo request from inside:10.0.0.238 to outside:8.8.8.8 ID=9195 seq=13 len=32
ICMP echo request translating inside:10.0.0.238 to outside:208.4.4.98
ICMP echo request from inside:10.0.0.238 to outside:8.8.8.8 ID=9195 seq=14 len=32
ICMP echo request translating inside:10.0.0.238 to outside:208.4.4.98
ICMP echo request from inside:10.0.0.238 to outside:8.8.8.8 ID=9195 seq=15 len=32
ICMP echo request translating inside:10.0.0.238 to outside:208.4.4.98
ICMP echo request from inside:10.0.0.238 to outside:8.8.8.8 ID=9195 seq=16 len=32
ICMP echo request translating inside:10.0.0.238 to outside:208.4.4.98
ICMP echo request from inside:10.0.0.238 to outside:8.8.8.8 ID=9195 seq=17 len=32
ICMP echo request translating inside:10.0.0.238 to outside:208.4.4.98
ICMP echo request from inside:10.0.0.238 to outside:8.8.8.8 ID=9195 seq=18 len=32
ICMP echo request translating inside:10.0.0.238 to outside:208.4.4.98
ICMP echo request from inside:10.0.0.238 to outside:8.8.8.8 ID=9195 seq=19 len=32
ICMP echo request translating inside:10.0.0.238 to outside:208.4.4.98
ICMP echo reply from outside:8.8.8.8 to inside:208.4.4.98 ID=9195 seq=16 len=32
ICMP echo reply untranslating outside:208.4.4.98 to inside:10.0.0.238
ICMP echo reply from outside:8.8.8.8 to inside:208.4.4.98 ID=9195 seq=17 len=32
ICMP echo reply untranslating outside:208.4.4.98 to inside:10.0.0.238
ICMP echo reply from outside:8.8.8.8 to inside:208.4.4.98 ID=9195 seq=18 len=32
ICMP echo reply untranslating outside:208.4.4.98 to inside:10.0.0.238
ICMP echo reply from outside:8.8.8.8 to inside:208.4.4.98 ID=9195 seq=19 len=32

You can see all of the requests leaving, and obviously the replies from 8.8.8.8, but nothing in the meantime.

code:
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  10.------ (10.------)  0.606 ms  0.759 ms  0.982 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  google-public-dns-a.google.com (8.8.8.8)  11.768 ms  11.654 ms  11.648 ms

For my ACLs / NAT, I allowed any

code:
inside_access_out - permit icmp object server238 any

outside_access_in - permit icmp any any icmp_inline

nat (inside,outside) source static server238 interface unidirectional

ragzilla
Sep 9, 2005
don't ask me, i only work here


madsushi posted:

For my ACLs / NAT, I allowed any

code:

inside_access_out - permit icmp object server238 any

outside_access_in - permit icmp any any icmp_inline

nat (inside,outside) source static server238 interface unidirectional

What's in icmp_inline? Are you allowing inbound time-exceeded?

madsushi
Apr 19, 2009

Baller.
#essereFerrari

ragzilla posted:

What's in icmp_inline? Are you allowing inbound time-exceeded?

Yes, I should be. One question I have is how that NAT for that even works (it's an ACL on the outside interface, but I don't have an outside->inside NAT statement set up, but whatever).


ragzilla
Sep 9, 2005
don't ask me, i only work here


madsushi posted:

Yes, I should be. One question I have is how that NAT for that even works (it's an ACL on the outside interface, but I don't have an outside->inside NAT statement set up, but whatever).



Something upstream blocking time-exceeded? That's the right message to allow.

madsushi
Apr 19, 2009

Baller.
#essereFerrari

ragzilla posted:

Something upstream blocking time-exceeded? That's the right message to allow.

Here's the traceroute from the ASA itself (which is in an ASA cluster):

quote:

fw01/fw01# traceroute 8.8.8.8

Type escape sequence to abort.
Tracing the route to 8.8.8.8

1 ----.us.above.net (208.----) 0 msec 0 msec 0 msec
2 ----.us.zip.zayo.com (64.----) 0 msec 10 msec 0 msec
3 * *
----.us.zip.zayo.com (64.----) 0 msec
4 ----.us.zip.zayo.com (----) 10 msec 10 msec 10 msec
5 72.---- 40 msec 40 msec 40 msec
6 209.---- 10 msec 10 msec
64.---- 10 msec
7 google-public-dns-a.google.com (8.8.8.8) 0 msec 0 msec 10 msec


e: apparently it's a known bug in my ASA version (9.2), but Cisco's lovely spelling made it impossible to find in the Bug Search:

code:
Known issue:
CSCun07943

Fixed in 9.3(x):
Windows ICMP based Tarceroute through ASA faling

madsushi fucked around with this message at 00:00 on May 30, 2015

Pile Of Garbage
May 28, 2007



Ahdinko posted:

I've never done the option 43 method, i've always done them using DNS, with the CISCO-CAPWAP-CONTROLLER or whatever the record, maybe give that a go?

Huh, never knew that you could use DNS for controller discovery. However in our situation that would not work as some of our remote sites have their own WLCs but use the same DNS zone.

n0tqu1tesane
May 7, 2003

She was rubbing her ass all over my hands. They don't just do that for everyone.
Grimey Drawer

cheese-cube posted:

Huh, never knew that you could use DNS for controller discovery. However in our situation that would not work as some of our remote sites have their own WLCs but use the same DNS zone.

Well, if you can get them on a controller once, it's pretty easy to bounce them over to the correct controller, and they'll stay there. Just designate one controller as the "controller for lost and lonely APs", and use it to bounce new/reset APs to the correct controller using the high availability settings.

greatapoc
Apr 4, 2005
What is the best way to reserve bandwidth for traffic that absolutely must not be shaped/dropped/etc in any way? I'm transporting DTV ASI over IP which is very sensitive to jitter and I'm using a 13 E1 Multilink to do it. Total ASI bandwidth is 24.2Mbit and 13 E1s gives me 26624kbit. I'd like to have the rest of the bandwidth available for general traffic, monitoring of devices etc. I'm using MPLS TE tunnels to transport the DTV data.

At the moment what I've done is just apply a rate limit input/output on the subinterface for the miscellaneous traffic and I'm running jperf across the link. I'm thinking it's probably just jperf not allowing me to test it properly but the initial spike when running the jperf test knocks out the DTV traffic. In any event, I don't want that to be something that can ever occur, the DTV traffic needs to be retained at all costs.

along the way
Jan 18, 2009
What is the best solution for a scenario where you need to establish a B2B tunnel with an outside vendor who needs a non-RFC 1918 from your end so that there isn't a conflict on their firewall with the private addresses of other companies they connect to?

So far, I'm thinking I need to NAT my internal LAN to one of the public IPs from the public IP pool provided by our ISP, which will be given to the vendor as the protected network from our side.

My concern though is that we only really want outbound telnet traffic to go to the vendor while all other (mostly web) traffic goes to the Internet from the same outbound interface on the ASA. Can this be defined in the ACLs?

Also, I know it's possible to configure a second IP on the outbound ASA interface, but is it also possible to only have the VPN tunnel configured for the extra IP on the same outbound interface? Say, the interface has an IP with .222 and the extra IP is .220 to which I want all the telnet traffic NAT'd. Which would I provide to the vendor as our peer IP?

Slickdrac
Oct 5, 2007

Not allowed to have nice things

along the way posted:

What is the best solution for a scenario where you need to establish a B2B tunnel with an outside vendor who needs a non-RFC 1918 from your end so that there isn't a conflict on their firewall with the private addresses of other companies they connect to?

So far, I'm thinking I need to NAT my internal LAN to one of the public IPs from the public IP pool provided by our ISP, which will be given to the vendor as the protected network from our side.

My concern though is that we only really want outbound telnet traffic to go to the vendor while all other (mostly web) traffic goes to the Internet from the same outbound interface on the ASA. Can this be defined in the ACLs?

Also, I know it's possible to configure a second IP on the outbound ASA interface, but is it also possible to only have the VPN tunnel configured for the extra IP on the same outbound interface? Say, the interface has an IP with .222 and the extra IP is .220 to which I want all the telnet traffic NAT'd. Which would I provide to the vendor as our peer IP?

NAT your internal to the new public IP, as you say, using an ACL and just set the crypto map for their internal or NATted addresses. It will only go to the tunnel if it matches the Crypto Map ACL, otherwise it just goes to the internet. You should be able to use the same ACL for both the NAT filter and the Crypto Map.

AFAIK, you can only apply the tunnel endpoint to an interface, so you'd have to make a different logical interface to tie it to, which it won't let you do unless you do some subnetting and break your public range into pieces. But you can NAT the traffic to the 2nd IP and not apply it to the interface and it should work providing your ISP is pointing the entire range down to your gateway.

along the way
Jan 18, 2009

Slickdrac posted:

Nat your internal to the new public IP, as you say, using an ACL and just set the crypto map for their internal or NATted addresses. It will only go to the tunnel if it matches the Crypto Map ACL, otherwise it just goes to internet. You should be able to use the same ACL for both the NAT filter and the Crypto Map.

AFAIK, you can only apply the tunnel endpoint to an interface, so you'd have to make a different logical interface to tie it to, which it won't let you do unless you do some subnetting and break your public range into pieces. But you can NAT the traffic to the 2nd IP and not apply it to the interface and it should work providing your ISP is pointing the entire range down to your gateway.

Our ISP is routing our allocated range to our gateway, so yeah, this is perfect. Thanks.

CrazyLittle
Sep 11, 2001





Clapping Larry

falz posted:

Any nerds in this thread at NANOG63?

Any nerds in this thread at NANOG64?

doomisland
Oct 5, 2004

CrazyLittle posted:

Any nerds in this thread at NANOG64?

No, but let me get ahead of this and say see y'all at NANOG65 :quebec:

funk_mata
Nov 1, 2005

I'm hot for you and you're hot for me--ooka dooka dicka dee.
Clapping Larry

greatapoc posted:

What is the best way to reserve bandwidth for traffic that absolutely must not be shaped/dropped/etc in any way? I'm transporting DTV ASI over IP which is very sensitive to jitter and I'm using a 13 E1 Multilink to do it. Total ASI bandwidth is 24.2Mbit and 13 E1s gives me 26624kbit. I'd like to have the rest of the bandwidth available for general traffic, monitoring of devices etc. I'm using MPLS TE tunnels to transport the DTV data.

At the moment what I've done is just apply a rate limit input/output on the subinterface for the miscellaneous traffic and I'm running jperf across the link. I'm thinking it's probably just jperf not allowing me to test it properly but the initial spike when running the jperf test knocks out the DTV traffic. In any event, I don't want that to be something that can ever occur, the DTV traffic needs to be retained at all costs.

Do you have an output service-policy setup on the multilink with priority assigned to the DTV traffic? Half-assed config below:

code:
access-list 100 permit udp host <dtv-host> host <wherever>

class-map match-any DTV-TRAFFIC
 match access-group 100

policy-map OUTPUT-POLICY
 class DTV-TRAFFIC
  police 24200000 conform-action transmit  exceed-action drop 
  priority

policy-map MULTILINK-EGRESS
 class class-default
  shape average 24624000
   service-policy OUTPUT-POLICY

interface multilink1
 service-policy output MULTILINK-EGRESS

Outside of that, I'm not sure how you'd influence traffic in MPLS besides the MPLS EXP bits. But at the very least, that config should ensure 24.2Mb/s leaves the circuit without being dropped during congestion. Also, you probably don't need the "police" statement above and can replace it with the bandwidth command. Old habits die hard.

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

SamDabbers posted:

I've had good experiences with HP 2510s and 2530s. The 2530-48G-POE+ goes for $1800 new and the 2530-24G (non-PoE) goes for about $525. They're definitely a step up from anything Netgear. There are also models with 10GbE SFP+ ports if you need them, but obviously they're more expensive.

Also :love: HP's lifetime warranty. Good poo poo.

It's been months but I got the HP's!

Thanks Ants
May 21, 2004

#essereFerrari


Nice firewall

SamDabbers
May 26, 2003



HP really does make some solid switches, and free software upgrades make them an even better value.

I'll also echo that their lifetime warranty service is fantastic; I had a few ports on a second hand HP switch die on me and they overnighted me a replacement with no questions asked, beyond "what's wrong with it, and what's your shipping address?"

Inspector_666
Oct 7, 2003

benny with the good hair
I like HP switches but I really, really do not care for the arcane VLAN management on Netgear ones.

psydude
Apr 1, 2008

Heartache is powerful, but democracy is *subtle*.
Who's going to Cisco Live next week?

Not me!


Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy

SamDabbers posted:

HP really does make some solid switches, and free software upgrades make them an even better value.

I'll also echo that their lifetime warranty service is fantastic; I had a few ports on a second hand HP switch die on me and they overnighted me a replacement with no questions asked, beyond "what's wrong with it, and what's your shipping address?"

This, I bought several dozen 10/100 PoE Procurves off eBay for $150 each, I had one come up with some faulty ports, and HP just sends that poo poo no questions asked. I buy a lot of used HP laptops with active warranties on eBay and same thing, I can pick out the flaky ones and RMA-churn them.
