Methanar
Sep 26, 2013

by the sex ghost
Okay, so in plain English this statement is saying

nat (inside,any) source static any any destination static obj-129.129.30.0 obj-129.129.30.0

Send traffic to the inside interface if: it originates from anything (it is from 0.0.0.0/0) and is destined for 129.129.30.0/24.

If traffic matches the above NAT rule, but I have a static route that says traffic destined for 129.129.30.0/24 should go to g0/5, the DMZ interface, the NAT rule will take effect and send the traffic to g0/2, the inside interface.

Am I understanding that right?

I'm sorry for spamming this thread so much.

Contingency
Jun 2, 2007

MURDERER
(source interface, destination interface), so it would be written as nat (any,inside), and 1) it isn't being overridden by a higher-priority NAT rule and 2) it passes the RPF check.
The example I was referencing earlier was traffic coming in on an outside interface and being unNAT'd to an internal host, so it would process the NAT rule in reverse.
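The rule as Contingency describes it, written out as an added example that is not from any post in the thread. It assumes ASA 8.3+ twice-NAT syntax, interfaces named outside, inside and dmz, and the object name from Methanar's post; the route-lookup keyword and the sample addresses in the packet-tracer check are assumptions, not something the thread mentions.

```cisco
! Added example, not from the thread. Assumes ASA 8.3+ twice-NAT syntax,
! interfaces named outside/inside/dmz, and the object name from the post.
object network obj-129.129.30.0
 subnet 129.129.30.0 255.255.255.0
!
! Identity NAT written as (source interface, destination interface):
! traffic arriving on any interface, from any source, to 129.129.30.0/24
! is left untranslated and, because the rule names "inside" as the
! destination interface, leaves via "inside" even if a static route for
! 129.129.30.0/24 points at the dmz interface.
nat (any,inside) source static any any destination static obj-129.129.30.0 obj-129.129.30.0
!
! If the routing table should pick the egress interface instead, append
! route-lookup to the identity NAT rule (assumed option, ASA 8.4(2)+):
! nat (any,inside) source static any any destination static obj-129.129.30.0 obj-129.129.30.0 route-lookup
!
! Checks: which rule matched, and which interface the box chose for a
! constructed flow from an outside host to a host in the /24.
! show nat detail
! packet-tracer input outside tcp 198.51.100.7 40000 129.129.30.10 443
```

packet-tracer is the quickest way to confirm the (source, destination) ordering: its NAT and ROUTE-LOOKUP phases show whether the rule or the routing table decided the egress interface, and a failed RPF check shows up as a drop in the same output.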

psydude
Apr 1, 2008

Contingency posted:

Crypto map bound to correct interface? When initiating from your side, does interesting traffic kickstart VPN initialization?
If you post or PM me a sanitized copy of the ASA's "show run crypto" output, I can do a quick sanity check.

PM sent.

the spyder
Feb 18, 2011
Does anyone have a recommendation for a basic Nexus deployment guide? I have a Nexus 6004, two 2348 FEXs, and a dozen 3650s for my access layer. I'm poring through the Cisco documentation now. I'm after a very simple setup, just a handful of VLANs.

KS
Jun 10, 2003
Outrageous Lumpwad
If my spoke loses connection to the DMVPN hub, its dynamic routes to my private networks disappear. If that happens, they dump a bunch of traffic destined to RFC1918 out over the internet connection, where it's dropped. Ugh.

Is there a more elegant way to stop that than just an ACL denying 10.0.0.0/8 over the public interface?

ragzilla
Sep 9, 2005
don't ask me, i only work here


KS posted:

If my spoke loses connection to the DMVPN hub, its dynamic routes to my private networks disappear. If that happens, they dump a bunch of traffic destined to RFC1918 out over the internet connection, where it's dropped. Ugh.

Is there a more elegant way to stop that than just an ACL denying 10.0.0.0/8 over the public interface?

Null route all RFC1918 space (or at least an aggregate bigger than what you're allocating from). When your tunnel comes up you'll learn more specifics, which will get the traffic where it needs to go.
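ragzilla's suggestion in IOS syntax, as an added example that is not from the thread. It assumes a spoke whose Internet next hop is 203.0.113.1 (constructed) and a hub that advertises more-specific routes out of 10.0.0.0/8 over the DMVPN tunnel; the administrative distance of 250 is an assumption of this example, not something ragzilla specified.

```cisco
! Added example, not from the thread. Spoke router, IOS syntax.
! Assumes the ISP next hop 203.0.113.1 (constructed) and that the hub
! advertises specifics such as 10.30.5.0/24 over Tunnel0 when it is up.
!
! Default route towards the ISP for real Internet traffic.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Sink the three RFC1918 aggregates. Longest prefix match means these
! only catch a packet when nothing more specific exists, i.e. when the
! tunnel is down and the hub's routes have been withdrawn. With the
! tunnel up, 10.30.5.7 matches 10.30.5.0/24 via Tunnel0, not 10.0.0.0/8.
! The AD of 250 keeps the Null0 entries below any dynamic route for the
! identical prefix, so a hub that advertises 10.0.0.0/8 itself still wins.
ip route 10.0.0.0 255.0.0.0 Null0 250
ip route 172.16.0.0 255.240.0.0 Null0 250
ip route 192.168.0.0 255.255.0.0 Null0 250
!
! Check which entry a given destination resolves to, tunnel up and down:
! show ip route 10.30.5.7
```

The floating AD matters only for an exact-prefix collision; for everything else the /8, /12 and /16 lose to the tunnel's more specific routes by prefix length alone. Sourcing traffic to a null-routed destination will now produce ICMP unreachables from the spoke rather than a silent drop at the ISP, which is also easier to see in a packet capture when a site reports the tunnel is down.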

Sir Sidney Poitier
Aug 14, 2006

My favourite actor


I've not found a Fortigate or firewalls thread so I'm not aware of another place I could ask this...

I've got a Fortigate firewall on "v4.0,build0689,141215 (MR3 Patch 18)" (it's what my company standardises on) and there is an IPSec tunnel to a 3rd party with a private /16 on our side and a private /24 on theirs. I have a simple policy set up to say to route traffic to and from these subnets over the tunnel.

I don't have any interest in filtering traffic outbound to this customer but I would like to restrict some inbound traffic; however, I've not found a way to do this. Does anyone know how I can keep the subnets exchanged the same but introduce restrictions on what connections the 3rd party can initiate towards our customer?

Slickdrac
Oct 5, 2007

Not allowed to have nice things
Either set an ACL policy from VPN to Internal interface (you may need the remote side to match it, I can't remember how picky Fortigate is on policy being 100% exactly the same), or put an ACL on the downstream router, if able.

Pile Of Garbage
May 28, 2007



Anjow posted:

I've not found a Fortigate or firewalls thread so I'm not aware of another place I could ask this...

I've got a Fortigate firewall on "v4.0,build0689,141215 (MR3 Patch 18)" (it's what my company standardises on) and there is an IPSec tunnel to a 3rd party with a private /16 on our side and a private /24 on theirs. I have a simple policy set up to say to route traffic to and from these subnets over the tunnel.

I don't have any interest in filtering traffic outbound to this customer but I would like to restrict some inbound traffic; however, I've not found a way to do this. Does anyone know how I can keep the subnets exchanged the same but introduce restrictions on what connections the 3rd party can initiate towards our customer?

It sounds like you've got the IPsec tunnel configured as a policy-based VPN on the FortiGate. If you configure it as a route-based VPN you can specify policies for both directions which will allow you to restrict inbound traffic. To do this you have to enable IPsec Interface Mode in the Phase 1 configuration of the tunnel. This will create a virtual interface which you can specify both inbound and outbound policies for. Here's a general configuration example: http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%25205.0%2520Help/gw-to-gw.114.13.html

Mr Chips
Jun 27, 2007
Whose arse do I have to blow smoke up to get rid of this baby?
WAP talk: is 600 million radio CRC errors in 60 seconds even possible? I've got an 1142 that's reporting that many, but apart from 1 client device there are no other 802.11 radios in the area.

Mr Chips fucked around with this message at 11:22 on Aug 20, 2015

Spudalicious
Dec 24, 2003

I <3 Alton Brown.
So I migrated a switch config on to a new switch, got it all working. Except...the web interface. All of the links are broken, like the page loads but clicking on any of the links does nothing at all. I figured it was my web browser but nobody can get it to work for them, under any browser. Is this some stupid nonsense from my migration?

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

Spudalicious posted:

So I migrated a switch config on to a new switch, got it all working. Except...the web interface. All of the links are broken, like the page loads but clicking on any of the links does nothing at all. I figured it was my web browser but nobody can get it to work for them, under any browser. Is this some stupid nonsense from my migration?

You're probably missing all of the files on flash.
Seriously though, don't use that poo poo:

no http server
no http secure-server

Bigass Moth
Mar 6, 2004

I joined the #RXT REVOLUTION.
:boom:
he knows...
I have a 4500x where every access port is lit up even with nothing plugged in. Is that normal for the model and if not what could be wrong?

Wicaeed
Feb 8, 2005
Where's a good point to start learning Cisco UCS?

I've just started a new job where they have a small UCS deployment (two chassis + 2 Fabric switches) but it might be growing in the next year. Right now the only other sysadmin knows it somewhat from a management standpoint, but I'd like to take that knowledge one step farther so that we have to stop bringing in consultants to do things.

psydude
Apr 1, 2008

Bigass Moth posted:

I have a 4500x where every access port is lit up even with nothing plugged in. Is that normal for the model and if not what could be wrong?

Are they copper or fiber ports? Fiber ports are lit up even without an SFP.

Bigass Moth
Mar 6, 2004

I joined the #RXT REVOLUTION.
:boom:
he knows...

psydude posted:

Are they copper or fiber ports? Fiber ports are lit up even without an SFP.

Every port was a one-gig RJ45 SFP.

Pile Of Garbage
May 28, 2007



Wicaeed posted:

Where's a good point to start learning Cisco UCS?

I've just started a new job where they have a small UCS deployment (two chassis + 2 Fabric switches) but it might be growing in the next year. Right now the only other sysadmin knows it somewhat from a management standpoint, but I'd like to take that knowledge one step farther so that we have to stop bringing in consultants to do things.

There's a UCS Platform Emulator provided by Cisco which is a good way to get to grips with UCS Manager and how it all fits together (Note that the emulator is a virtual appliance so you'll need an ESXi or Hyper-V host to deploy the OVA to). As for learning it, can you convince your boss to send you on the DCUCI course?

less than three
Aug 9, 2007



Fallen Rib

Bigass Moth posted:

I have a 4500x where every access port is lit up even with nothing plugged in. Is that normal for the model and if not what could be wrong?

Yeah, a port with nothing in it will be amber iirc. I'll check mine on Monday.

Bigass Moth
Mar 6, 2004

I joined the #RXT REVOLUTION.
:boom:
he knows...
No, every port is green. They all have one-gig RJ45 adapters, and with nothing plugged into those the status lights are green. I don't know if the GBICs are tripping a sensor or something.

Partycat
Oct 25, 2004

I have a ton of those out there and don't recall that. Should be amber on down, but green when up or maybe looped? Didn't think that was a thing on those. Maybe the LED isn't displaying status, but something else instead?

Partycat
Oct 25, 2004

Mr Chips posted:

WAP talk: is 600 million radio CRC errors in 60 seconds even possible? I've got an 1142 that's reporting that many, but apart from 1 client device there are no other 802.11 radios in the area.

Storm on the attached network? Bad radio?

Wicaeed
Feb 8, 2005
http://www.cisco.com/c/en/us/products/collateral/servers-unified-computing/ucs-6200-series-fabric-interconnects/data_sheet_c78-675245.html

The hell Cisco, you don't offer a 2m TwinAx SFP cable for your UCS?

The difference between having to run a 3 foot cable, and then having to jump to a 10 foot cable is retarded for someone who likes to keep a clean rack...

/rant off

ragzilla
Sep 9, 2005
don't ask me, i only work here


Wicaeed posted:

http://www.cisco.com/c/en/us/products/collateral/servers-unified-computing/ucs-6200-series-fabric-interconnects/data_sheet_c78-675245.html

The hell Cisco, you don't offer a 2m TwinAx SFP cable for your UCS?

The difference between having to run a 3 foot cable, and then having to jump to a 10 foot cable is retarded for someone who likes to keep a clean rack...

/rant off

https://www.flexoptix.net/en/produkte/transceiver/sfp-plus-twinax-transceiver-10-gigabit-sm-dac.html

And get their flexbox to program the EEPROMs to match Cisco.

KS
Jun 10, 2003
Outrageous Lumpwad

Wicaeed posted:

http://www.cisco.com/c/en/us/products/collateral/servers-unified-computing/ucs-6200-series-fabric-interconnects/data_sheet_c78-675245.html

The hell Cisco, you don't offer a 2m TwinAx SFP cable for your UCS?

The difference between having to run a 3 foot cable, and then having to jump to a 10 foot cable is retarded for someone who likes to keep a clean rack...

/rant off

There is absolutely a 2m cable. And a 1.5M cable. And a 2.5M cable. Not sure why it's not listed on that page.

Thanks Ants
May 21, 2004

#essereFerrari


Because it's a website maintained by Cisco would be my guess

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

KS posted:

There is absolutely a 2m cable. And a 1.5M cable. And a 2.5M cable. Not sure why it's not listed on that page.
Hilariously, the 2m cable does not share compatibility with the 3m cable. We use the 3m for a number of things in our environment, and we ordered some 2m for a few items that were closer to the switches, and they didn't come up. After swapping cables around, we determined that it simply was not compatible with a number of devices that the 3m cable is.

Thanks Ants
May 21, 2004

#essereFerrari


SFP+ direct attach confuses me. If you're connecting an Intel NIC to a Cisco switch then do you have to use Cisco cables or what?

How about if you need to connect two different brands of switches together? Just use anything you want and disable the compatibility checks?

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

Thanks Ants posted:

SFP+ direct attach confuses me. If you're connecting an Intel NIC to a Cisco switch then do you have to use Cisco cables or what?

How about if you need to connect two different brands of switches together? Just use anything you want and disable the compatibility checks?
We found Belkin cables to be the most compatible with everything. Only thing that worked on our Oracle storage and Nexus switches.

KS
Jun 10, 2003
Outrageous Lumpwad
It gets nuts too -- for instance, I couldn't make the X520-DA2 Intel NICs work with Cisco active cables >5M under ESXi, while QLE8242s work fine. Intel says they can work with the 10m cables but they require Intel Network Connections software, which I don't think exists for ESXi.

KS
Jun 10, 2003
Outrageous Lumpwad

adorai posted:

Hilariously, the 2m cable does not share compatibility with the 3m cable. We use the 3m for a number of things in our environment, and we ordered some 2m for a few items that were closer to the switches, and they didn't come up, after swapping cables around, we determined that it simply was not compatible with a number of devices that the 3m cable is.

Odd. I know I used some 2m cables to wire my FIs to my 4500-Xs, but I probably used 1m from FI to blade chassis.

Mr Chips
Jun 27, 2007
Whose arse do I have to blow smoke up to get rid of this baby?

Partycat posted:

Storm on the attached network? Bad radio?
It seems to have been some sort of environmental interference; it's not occurred again.

CrazyLittle
Sep 11, 2001





Clapping Larry

Mr Chips posted:

It seems to have been some sort of environmental interference; it's not occurred again.

Wireless video baby monitor

Docjowles
Apr 9, 2009

CrazyLittle posted:

Wireless video baby monitor

We have one of these in our house. RIP anyone trying to use 2.4 GHz wifi when that sucker is powered on.

CrazyLittle
Sep 11, 2001





Clapping Larry
I want one attached to a pringles cantenna so I can point it at other buildings and soak up the tears. 'cause I swear that's what they're doing to me. Bastards.

Mr Chips
Jun 27, 2007
Whose arse do I have to blow smoke up to get rid of this baby?

CrazyLittle posted:

Wireless video baby monitor

That'd be a long shot, as it's an industrial estate in a mining town

Judge Schnoopy
Nov 2, 2005

dont even TRY it, pal
Quick question, we have a bunch of 2800 routers hitting end of support and we need them all replaced. We're in the planning stage and I'd like suggestions on where to start looking.

Traffic is minimal; they bookend T1 circuits to bridge remote locations to our internal network. We're also looking to update the T1s with MPLS or IPsec VPN, so the new solution needs to be able to handle either.

Remote sites complain of slow connectivity so monitoring, policing, traffic shaping is a plus.

JSON Bourne
Jun 1, 2004

Judge Schnoopy posted:

Quick question, we have a bunch of 2800 routers hitting end of support and we need them all replaced. We're in the planning stage and I'd like suggestions on where to start looking.

Traffic is minimal; they bookend T1 circuits to bridge remote locations to our internal network. We're also looking to update the T1s with MPLS or IPsec VPN, so the new solution needs to be able to handle either.

Remote sites complain of slow connectivity so monitoring, policing, traffic shaping is a plus.

If you're thinking of sticking with Cisco and the ISR series, keep the throughput limitations in mind, especially if you start doing IPSec tunnels. The last page here details throughput limitations when using advanced features like QoS, IPSec tunnels, and NAT. My company runs 1000+ 1921/1941 routers over DMVPN, and we struggle to surpass 20Mbps on the 1941s and about 15 on the 1921s.

Unrelated question, have any of you played with Netmiko? I've been looking to do more with network automation and programming and this coupled with CiscoConfParse has been useful to play with. Any success stories? Tried anything else that worked well?

less than three
Aug 9, 2007



Fallen Rib
If you're going to stick with ISR, ISR G3 has been out for a while. Don't bother with G2.

http://www.cisco.com/c/en/us/products/routers/4000-series-integrated-services-routers-isr/models-comparison.html

the spyder
Feb 18, 2011
Here's a fun one. I have a Nexus 6004 with 24 QSFP ports, a 2348TQ FEX, and a dozen 3650s for distro. The goal was to replicate the existing network, but provide a high speed core for the HPC work we do. When we were spec'ing gear, I'm fairly certain we all forgot about the firewall side of things. Currently I'm having a hell of a time figuring out how to replicate what we have. The existing network looks like this:

Firewall --------> HP 5400ZL (Core)------- HP 3800 (Distro)

There are a half dozen VLANs and we're using IP routing / inter-VLAN routing. There's a static route on both the firewall and the core switch pointing at each other; the firewall is directly connected to the core. Very simple.

I set up the Nexus using the same model. Installed our LAN-BASE license, enabled feature interface-vlan, and set up my VLANs. Everything internal to the network works. I can ping hosts in the different VLANs, from different distro switches. Great. This is where I'm stuck. I decided to not use the default VRF and created a new one. Inside that VRF is a static route to our firewall. I then added all the VLANs to the VRF and created a VLAN just for our firewall. The firewall is connected through a port on the 2348TQ FEX. I can ping the firewall from the Nexus (nexus# ping 192.168.1.2 vrf DFGW) and I can ping 8.8.8.8. However, I can NOT ping 8.8.8.8 from any of the hosts on the different VLANs. All of my default gateways are correct, I can ping the firewall and the firewall VLAN's gateway, but I can't get out. Oddly enough I can access the firewall's https:// login page, but I can't log in. At this point, I'm assuming two things. 1) My routing is screwed up and 2) Using a FEX for anything L3 is a terrible idea.

Any feedback is welcome, I'm trying to get this deployed this weekend and this is my last sticking point.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer
Is your route in the same VRF as all of your other VLANs? It sounds like you are testing from one VRF but your real traffic is in another.
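One way to lay out the VRF adorai is asking about, as an added example that is not from the thread. It assumes NX-OS, the VRF name DFGW and the firewall address 192.168.1.2 from the spyder's post, and constructed VLAN numbers and subnets (Vlan999 as the firewall transit on 192.168.1.0/24, Vlan10 as a user VLAN on 10.10.10.0/24).

```cisco
! Added example, not from the thread. NX-OS; VRF name and firewall
! address from the post, VLAN numbers and subnets constructed.
feature interface-vlan
!
! The default route lives in the VRF, so only SVIs that are members of
! DFGW can use it. An SVI left in the default VRF has no path to 8.8.8.8
! even though its hosts can still reach the gateway address.
vrf context DFGW
  ip route 0.0.0.0/0 192.168.1.2
!
interface Vlan999
  description firewall transit (FEX-attached firewall at 192.168.1.2)
  vrf member DFGW
  ip address 192.168.1.1/24
  no shutdown
!
interface Vlan10
  description user VLAN
  vrf member DFGW
  ip address 10.10.10.1/24
  no shutdown
!
! Checks: every user SVI should appear in the VRF, and a ping sourced
! from a user SVI (not the transit address) should reach the Internet.
! show ip interface brief vrf DFGW
! show ip route vrf DFGW
! ping 8.8.8.8 vrf DFGW source 10.10.10.1
```

Two things to watch when moving existing SVIs into a VRF on NX-OS: `vrf member` clears the interface's Layer 3 configuration, so the `ip address` line has to be entered after it (re-enter it on any SVI that was created before the VRF was assigned), and the firewall needs a return route for each user subnet pointing at 192.168.1.1. A ping from the Nexus without a `source` option is sent from the transit address the firewall is directly connected to, which is why it can succeed while hosts on the user VLANs still cannot get out.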
