StabbinHobo
Oct 18, 2002

In the vein of the OS X, Windows, and Linux "short questions" threads I've caught myself thinking on several occasions "I'd love to ask this stupid little 6500 config question but it's not worth a whole thread". So after bouncing it off jwh and Dr. Fred here it is, the "Cisco Short/Stupid Questions Thread."

Guidelines:
  • Please please please don't get into vendor debates or open-source debates. It would be trollish to crash the Linux thread with "kde sux buy a mac", it's just as trollish to poo poo up this thread with monowall/mikrotik/etc.
  • "sh run" output is a must for nearly any troubleshooting, don't wait for someone to ask, put it in your question post.
  • Pictures! Any kind of visio, gliffy, or even mspaint will be hugely helpful in understanding what you're talking about.
Resources: CCNA:
  • I'm sure there'll be tons of ccna questions here so when links crop up I'll edit them into the OP

StabbinHobo fucked around with this message at 22:13 on May 29, 2016


Korensky
Jan 13, 2004

The Doco site is also pretty handy to keep bookmarked (and is about the only thing you have access to for reference in your CCIE lab exam) -- http://www.cisco.com/univercd/

It's a pain to navigate, but all the content is there (provided you know where to look) and it doesn't require a login.

Drighton
Nov 30, 2005

I create RMAs for faulty Cisco equipment. If you think your hardware has failed, try these troubleshooting steps to confirm it.

• Reseat/Reset/Power cycle - physically pull the part out and put it back in or power on and off. Certain errors (coil for instance) will disappear after this.
• Move the faulty part to a different slot or chassis - if the part comes up, obviously the problem lies elsewhere.
• Check your IOS - sometimes is just this simple, make sure the IOS supports the product and upgrade if necessary.
• Use a spare - not everyone has them, but they can save your rear end and is pretty much the end all of troubleshooting. If the spare comes up then obviously there is a problem with the part that was replaced.
• Orange/Amber and Red LEDs = failure.


When you open a case with Cisco for a RMA, if you want fast results include this information, because we're going to ask you for it anyways.

• Serial number(s) - for entitlement. Usually 11 characters long and starts with three letters. Some are numeric (Pixes usually start with an 8 or a 4).
• Part/model number (if you know it) - we can get part numbers from the serial number, or possibly (though not always) from a description of the part, but these aren't always correct. If you provide the part number then it eliminates the guessing and possibility of error.
• Description of the problem. This does not mean "Hardware Failure", "Part has failed", "Need RMA", etc. Include the symptoms and the troubleshooting you've performed. If you have orange/amber or red LEDs, include this fact.
• If you have error messages or diagnostics that blatantly state "Part has failed", capture the text and include it in the case. Not absolutely necessary, but it seals the deal.
• Where you want the replacement shipped and a site contact with phone number


Hope this helps

langer34
Mar 3, 2004
Does anyone have any experience configuring multiple SSIDs using different security protocols on a Cisco 1130 Aironet Access Point?

SuperJens
May 1, 2003

I "inherited" a bunch of great Cisco equipment (two 3560's, two 3550's) through contracts that were cancelled, so what are my options for upgrading the IOS on these and getting real Cisco support? I'm guessing I have to pay for something now?

edit: Also, I have four 1600 routers but have absolutely no use for them. Are they worth anything or should I just chuck them in the dumpster?

SuperJens fucked around with this message at 07:06 on Apr 15, 2007

jwh
Jun 12, 2002

SuperJens posted:

I "inherited" a bunch of great Cisco equipment (two 3560's, two 3550's) through contracts that were cancelled, so what are my options for upgrading the IOS on these and getting real Cisco support? I'm guessing I have to pay for something now?

edit: Also, I have four 1600 routers but have absolutely no use for them. Are they worth anything or should I just chuck them in the dumpster?

Switch images tend to be fairly robust, compared to the router images. I wouldn't worry with upgrading unless you're missing specific features, or are running into problems. In the case of the 3560's, those are very new, and probably have a reasonably current image anyhow. They're also very nice switches. The only thing you might want to check is whether you have the Standard Multilayer Image (SMI) or Enhanced Multilayer Image (EMI). There's layer-3 stuff in the EMI that isn't in the SMI.

If you do want to get them under maintenance, you'll have to buy a smartnet contract, which is going to be more money than you'll want to spend, more than likely.

1600's aren't worth very much, sadly.

quicksand
Nov 21, 2002


SuperJens posted:

I "inherited" a bunch of great Cisco equipment (two 3560's, two 3550's) through contracts that were cancelled, so what are my options for upgrading the IOS on these and getting real Cisco support? I'm guessing I have to pay for something now?

edit: Also, I have four 1600 routers but have absolutely no use for them. Are they worth anything or should I just chuck them in the dumpster?

you can send them to me :q:
no really.

ior
Nov 21, 2003


langer34 posted:

Does anyone have any experience configuring multiple SSIDs using different security protocols on a Cisco 1130 Aironet Access Point?

Yes. (This is handwritten and might have some errors!)
code:

! one BSSID per SSID so each SSID is advertised separately
dot11 mbssid
!
! guest SSID: open authentication, no encryption, mapped to VLAN 10
dot11 ssid guestzone
 vlan 10
 authentication open
 mbssid guest-mode
!
! internal SSID: WPA with pre-shared key "foobar", mapped to VLAN 20
dot11 ssid internal
 vlan 20
 authentication open
 authentication key-management wpa
 wpa-psk ascii foobar
 mbssid guest-mode
!
! wired side: one dot1q subinterface per VLAN, each in its own bridge group
int fa0.10
 encap dot1q 10
 bridge-group 10
!
int fa0.20
 encap dot1q 20
 bridge-group 20
!
! radio side: matching subinterfaces bridged into the same groups
int dot11radio0.10
 encap dot1q 10
 bridge-group 10
!
int dot11radio0.20
 encap dot1q 20
 bridge-group 20
!
! ciphers are set per VLAN; VLAN 10 (guest) stays unencrypted
int dot11radio0
 encryption vlan 20 mode ciphers tkip aes-ccm
 ssid internal
 ssid guestzone

inignot
Sep 1, 2003


jwh posted:

The only thing you might want to check is whether you have the Standard Multilayer Image (SMI) or Enhanced Multilayer Image (EMI). There's layer-3 stuff in the EMI that isn't in the SMI.

Unfortunately Cisco has abandoned the easily understood EMI vs SMI classification and moved to a router-IOS-like feature classification system of IP base vs IP services vs IP security vs etc. It's substantially more confusing.

http://www.cisco.com/en/US/products/hw/switches/ps5023/prod_release_note09186a008077459b.html#wp754685

jwh posted:

1600's aren't worth very much, sadly.

True, but I'd suggest keeping them around for lab testing or study purposes.

amishpurple
Jul 21, 2006


SuperJens posted:

edit: Also, I have four 1600 routers but have absolutely no use for them. Are they worth anything or should I just chuck them in the dumpster?

I'll paypal you some money to cover shipping costs to send one to me if you're just going to trash them.

poopcutter
Oct 4, 2003

Can anyone tell me where I can find a CCNA exam location?

I do not want a boot camp. I just want to take the test.

Boner Buffet
Feb 16, 2006
I'm looking at a 2960G as the "backbone" for an iSCSI HA cluster. What sort of configuration considerations should I have as far as VLANs go? Also, should I keep it isolated from the rest of the network, just have it connect via uplink, or have other non clustered servers on the switch as well? I'm worried about bandwidth issues on the switch.

http://www.cdwg.com/shop/products/default.aspx?EDC=850884

NinjaPablo
Nov 20, 2003

Can anyone point me in the direction or explain how IOS version numbers work? A while back, this vulnerability came out - http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml

12.0T is listed as vulnerable, as is 12.1T. Output from show ver on a router here shows:

code:
IOS (tm) C2600 Software (C2600-I-M), Version 12.0(7)T,  RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Tue 07-Dec-99 02:12 by phanguye
Image text-base: 0x80008088, data-base: 0x807AAF70

ROM: System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)

gateway uptime is 9 weeks, 6 days, 14 hours, 11 minutes
System returned to ROM by power-on
System image file is "flash:c2600-i-mz.120-7.T"
When I called Cisco, they said it wasn't vulnerable. I guess all the stuff in ()s in the version confuses me.

Mighty Zoltar
Aug 18, 2004


SuperJens posted:

I "inherited" a bunch of great Cisco equipment (two 3560's, two 3550's) through contracts that were cancelled, so what are my options for upgrading the IOS on these and getting real Cisco support? I'm guessing I have to pay for something now?

edit: Also, I have four 1600 routers but have absolutely no use for them. Are they worth anything or should I just chuck them in the dumpster?

Depending on the models on 3560 and 3550 you have, Smartnet list puts you at between $500 and $1000 per chassis per year for Smartnet support. That's a hell of a lot of money to pay to get IOS updates, so unless you need to get IOS to bug fix, I wouldn't even bother.

BangersInMyKnickers
Nov 3, 2004


NinjaPablo posted:

When I called Cisco, they said it wasn't vulnerable. I guess all the stuff in ()s in the version confuses me.

I have a feeling the difference lies in the 12.1T vs the 12.1T2 image, of which you are running the latter and I can only assume is more current.

amishpurple posted:

I'll paypal you some money to cover shipping costs to send one to me if you're just going to trash them.

No kidding. I have jack-squat for experience with Cisco equipment because I have never been at an office that uses the stuff. If I could send you some cash for shipping and a few beers so I had a router to give myself a crash course in, I would love you forever.

brent78
Jun 23, 2004


InferiorWang posted:

I'm looking at a 2960G as the "backbone" for an iSCSI HA cluster. What sort of configuration considerations should I have as far as VLANs go?

I second this question. I'm also looking at 2960G to connect 3 SAN shelves (each with dual gigabit in a portchannel) to 12 servers. I'm worried about the backplane bandwidth.

Daddyo
Nov 3, 2000
I've got a pretty new 3570 that's just decided to reboot itself on a random basis. What's the best logging option to capture exactly what's going on so I can either a) resolve it or b) return it?

Daddyo
Nov 3, 2000

brent78 posted:

I second this question. I'm also looking at 2960G to connect 3 SAN shelves (each with dual gigabit in a portchannel) to 12 servers. I'm worried about the backplane bandwidth.

What's on the backend that the switches will be connecting to?

ate shit on live tv
Feb 15, 2004


Daddyo posted:

I've got a pretty new 3570 that's just decided to reboot itself on a random basis. What's the best logging option to capture exactly what's going on so I can either a) resolve it or b) return it?

Console connection logging through Hyperterminal?

That's typically what we do in the Lab. It should also save a crash log to the bootflash.

jwh
Jun 12, 2002

InferiorWang posted:

I'm looking at a 2960G as the "backbone" for an iSCSI HA cluster. What sort of configuration considerations should I have as far as VLANs go? Also, should I keep it isolated from the rest of the network, just have it connect via uplink, or have other non clustered servers on the switch as well? I'm worried about bandwidth issues on the switch.

All of the 2960G family has a 32 gbps switching fabric, while the non "G" has 16.

• 16 Gbps switching fabric (Catalyst 2960-8TC, Catalyst 2960-24TT, Catalyst 2960-24TC, Catalyst 2960-48TT, Catalyst 2960-48TC)
• 32 Gbps switching fabric (Catalyst 2960G-8TC, Catalyst 2960G-24TC, Catalyst 2960G-48TC)

Doesn't look like the 2960 family can switch layer-3, although I could be looking at it wrong.

Here's a datasheet: http://www.cisco.com/en/US/products/ps6406/products_data_sheet0900aecd80322c0c.html

Daddyo posted:

I've got a pretty new 3570 that's just decided to reboot itself on a random basis. What's the best logging option to capture exactly what's going on so I can either a) resolve it or b) return it?

When you do a 'sh ver', what does the "System returned to ROM by" say? That's usually the first place I go, when something is rebooting, i.e., power-on versus bus error. Do you have a service contract on the device?

jwh
Jun 12, 2002

inignot posted:

Unfortunately Cisco has abandoned the easily understood EMI vs SMI classification and moved to a router-IOS-like feature classification system of IP base vs IP services vs IP security vs etc. It's substantially more confusing.

This caught me completely by surprise; I didn't even know this was coming. I knew Cisco was planning on going to license-key based feature sets (instead of specific feature-set images), maybe this is just lining themselves up to make it happen.

inignot posted:

True, but I'd suggest keeping them around for lab testing or study purposes.

I'm curious what WICs are in the 1600s. A WIC-1DSU-T1 is probably worth more than the 1600 itself.

Boner Buffet
Feb 16, 2006

jwh posted:


Doesn't look like the 2960 family can switch layer-3, although I could be looking at it wrong.

Does that mean I'm going to have issues VLANing with QoS?

jwh
Jun 12, 2002

InferiorWang posted:

Does that mean I'm going to have issues VLANing with QoS?

If the 2960G doesn't do layer-3 switching, it means that you can't switch between VLANs on the 2960G. In other words, no inter-vlan routing (layer-3 switching) on the platform. You can carry multiple VLANs just fine, but they'll need to terminate elsewhere (i.e., somewhere else you have 'int vlan5, ip address 1.2.3.4').

As for QoS, the 2960 has what appears to be pretty fancy stuff, like four hardware queues per-port, your usual policing controls, and dscp manipulation.

Like I said, I don't have a 2960 here to poke at, but it doesn't look like it's a layer-3 switch, based on the data sheet.

Boner Buffet
Feb 16, 2006
I don't think I'll be doing any VLAN switching. The only QoS stuff I'm worried about is the cluster heart beat, and the cluster won't span past the device anyway. Thanks for the heads up though jwh.

Herv
Mar 24, 2005

Welp if you are talking about 802.1q QoS when you mention "VLAN QoS" then yes, those bits are turned on/off (CoS= Class of Service) in a layer 2 802.1q frame header I believe. Somewhere there if it's not the header, been a long time since I read about it. 5 bits total to turn on and off abouts.

You can just set a manual CoS on all traffic coming in on a switchport or start just picking out traffic by trusting the bit(s) as it as set by the endpoint device.

There's a few options to play with.

Edit: Here's the simple config example you would slap on a switchport interface:
code:
interface GigabitEthernet1/0/9
 description SHORETEL-24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 mls qos trust cos
<probably the one you want if you are setting 802.1q CoS bits on the endpoint>
 mls qos cos 5
 mls qos cos override
<example of forcing everything incoming on that port to get priority 5 of 7 (7 being emergency)>
 mls qos trust dscp
<example of trusting any DiffServ bits if the device is setting them>
 no mdix auto
 spanning-tree portfast

3750-1#sh mls qos interface gigabitEthernet 1/0/9
GigabitEthernet1/0/9
trust state: trust cos <if you are setting it on the endpoint and trusting it at the switch>
trust mode: trust cos
trust enabled flag: ena
COS override: ena <if you set it>
default COS: 5 <if you set it>
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based

3750-1#sh mls qos interface gigabitEthernet 1/0/9 statistics
GigabitEthernet1/0/9

  dscp: incoming
-------------------------------

  0 -  4 :      577239            0            0            0            0
  5 -  9 :           0            0            0            0            0
 10 - 14 :           0            0            0            0            0
 15 - 19 :           0            0            0            0            0
 20 - 24 :           0            0            0            0            0
 25 - 29 :           0            0            0            0            0
 30 - 34 :           0            0            0            0            0
 35 - 39 :           0            0            0            0            0
 40 - 44 :           0            0            0            0            0
 45 - 49 :           0      3875949            0            0            0
 50 - 54 :           0            0            0            0            0
 55 - 59 :           0            0            0            0            0
 60 - 64 :           0            0            0            0
  dscp: outgoing
-------------------------------

  0 -  4 :     1646292            0            0            0            0
  5 -  9 :           0            0            0            0            0
 10 - 14 :           0            0            0            0            0
 15 - 19 :           0            0            0            0            0
 20 - 24 :           0            0            0            0            0
 25 - 29 :           0            0            0            0            0
 30 - 34 :           0            0            0            0            0
 35 - 39 :           0            0            0            0            0
 40 - 44 :     1502676            0            0            0            0
 45 - 49 :           0        21426            0          608            0
 50 - 54 :           0            0            0            0            0
 55 - 59 :           0       538839            0            0            0
 60 - 64 :           0            0            0            0
  cos: incoming
-------------------------------

  0 -  4 :         902            0            0            0            0
  5 -  7 :     4455186            0            0                            
(Here you can see the massive amount of marked up traffic with a cos > 4)
  cos: outgoing
-------------------------------

  0 -  4 :     2817803            0            2            0            0
  5 -  7 :     1603844          608       539033                       
(Here you can see the massive amount of marked up traffic with a cos > 4)
Policer: Inprofile:            0 OutofProfile:            0


Herv fucked around with this message at 21:52 on Apr 16, 2007
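
As an added illustration (not part of Herv's post), the Python below pulls an 802.1Q tag apart to show where the CoS bits live (the 3-bit PCP field of the TCI, next to the 12-bit VLAN ID) and models what a Catalyst does with them on ingress under the three port options in the config above: trust cos, untrusted with a port default CoS, and cos override. The frames and port settings are constructed for the example, and the model deliberately leaves out DSCP trust and the CoS/DSCP maps.

```python
import struct

TPID_8021Q = 0x8100


def parse_frame(frame):
    """Return (vlan_id, pcp, ethertype); vlan_id and pcp are None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack_from("!HH", frame, 14)
    pcp = tci >> 13           # 3-bit Priority Code Point: the "CoS bits" (0-7)
    vlan_id = tci & 0x0FFF    # 12-bit VLAN identifier; bit 12 is DEI/CFI, ignored here
    return vlan_id, pcp, inner_type


def build_frame(dst_mac, src_mac, vlan_id=None, pcp=0, ethertype=0x0800, payload=b""):
    """Constructed frame for the example; MACs are given as 12 hex digits."""
    hdr = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    if vlan_id is None:
        return hdr + struct.pack("!H", ethertype) + payload
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)
    return hdr + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def ingress_cos(frame, port):
    """Simplified model of the CoS a Catalyst assigns on ingress. `port` carries:
         trust        "cos" (mls qos trust cos) or "none" (untrusted port)
         default_cos  value from 'mls qos cos N' (0 if never set)
         override     True if 'mls qos cos override' is configured
       DSCP trust and the CoS/DSCP maps are deliberately not modelled."""
    _, pcp, _ = parse_frame(frame)
    if port.get("override", False):
        return port.get("default_cos", 0)      # every frame forced to the port CoS
    if port.get("trust") == "cos" and pcp is not None:
        return pcp                              # the endpoint's marking is honoured as-is
    return port.get("default_cos", 0)           # untrusted, or trusted but untagged


if __name__ == "__main__":
    # Constructed MACs; an endpoint tagging VLAN 100 with PCP 7 (the top queue).
    hot = build_frame("001122334455", "66778899aabb", vlan_id=100, pcp=7)
    plain = build_frame("001122334455", "66778899aabb")
    trusted = {"trust": "cos", "default_cos": 0, "override": False}
    untrusted = {"trust": "none", "default_cos": 0, "override": False}
    forced = {"trust": "none", "default_cos": 5, "override": True}
    print("tag:", parse_frame(hot))
    # Only trust CoS on ports facing devices you control: a trusted port takes
    # whatever priority the endpoint writes, an untrusted one resets it.
    print("trusted port  ->", ingress_cos(hot, trusted))     # 7
    print("untrusted port->", ingress_cos(hot, untrusted))   # 0
    print("cos override  ->", ingress_cos(hot, forced))      # 5
    print("untagged, trusted ->", ingress_cos(plain, trusted))  # 0
```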

ragzilla
Sep 9, 2005


NinjaPablo posted:

Can anyone point me in the direction or explain how IOS version numbers work?
...
I guess all the stuff in ()s in the version confuses me.
I'm sure there's a better link, but http://www.cisco.com/en/US/tech/tk869/tk769/technologies_white_paper09186a00800a998b.shtml#23

For your example of 12.1(3r)T2:
12.1- Major release.
(3r)- 3rd maintenance release, r'th rebuild (starts at a)
T- Consolidated Technology release train (there are typically several trains of IOS available depending on platform, where you get different features, S trains (service providers) have different features than say an E train which is enterprise feature set).
2- Release rebuild counter, in this case this is the second rebuild of 12.1(3r)T

-edit-
found a better one
http://www.cisco.com/warp/customer/620/1.html
-/edit-

ragzilla fucked around with this message at 22:06 on Apr 16, 2007
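
Added example, not from ragzilla's post: a small Python parser for those version strings, which also picks the running image's version out of `show version` rather than the ROM bootstrap line that NinjaPablo's output shows, and checks a release against an advisory's affected-train list. The affected trains in the demo are the two from the advisory quoted earlier; the first-fixed release is a made-up placeholder, not the advisory's real value.

```python
import re
from dataclasses import dataclass

# Constructed "show version" excerpt modelled on the one quoted earlier in the
# thread. The first "Version" is the running image; the ROM line further down is
# the bootstrap, which is the one that is easy to mistake for the running release.
SHOW_VER = """\
IOS (tm) C2600 Software (C2600-I-M), Version 12.0(7)T,  RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.

ROM: System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)

System image file is "flash:c2600-i-mz.120-7.T"
"""

# MAJOR.MINOR(MAINTENANCE[letter])[TRAIN][train rebuild]
#   12.0(7)T    -> 12 . 0 ( 7  )  T
#   12.1(3r)T2  -> 12 . 1 ( 3 r)  T 2
#   12.3(15a)   -> 12 . 3 ( 15 a) (mainline: no train letters)
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)"
    r"\((?P<maint>\d+)(?P<letter>[a-z]*)\)"
    r"(?P<train>[A-Z]*)(?P<rebuild>\d*)$"
)
_RUNNING_RE = re.compile(r"^(?:Cisco )?IOS .*?Version (\S+?),", re.MULTILINE)
_ROM_RE = re.compile(r"^ROM: .*?Version (\S+?),", re.MULTILINE)


@dataclass(frozen=True)
class IosVersion:
    major: int
    minor: int
    maintenance: int
    letter: str    # optional letter suffix inside the parentheses, "" if absent
    train: str     # train identifier such as "T" or "S"; "" for mainline
    rebuild: int   # numeric rebuild counter after the train; 0 if absent

    @classmethod
    def parse(cls, text):
        m = _VERSION_RE.match(text.strip())
        if m is None:
            raise ValueError(f"unrecognised IOS version string: {text!r}")
        return cls(int(m["major"]), int(m["minor"]), int(m["maint"]),
                   m["letter"], m["train"], int(m["rebuild"] or 0))

    @property
    def release_train(self):
        """The name an advisory uses for the train: '12.0T', or '12.3' for mainline."""
        return f"{self.major}.{self.minor}{self.train}"

    def is_at_least(self, other):
        """Order two releases of the same train; comparing across trains is meaningless."""
        if self.release_train != other.release_train:
            raise ValueError(f"{self.release_train} and {other.release_train} differ")
        return ((self.maintenance, self.letter, self.rebuild)
                >= (other.maintenance, other.letter, other.rebuild))


def running_version(show_version_output):
    """Version of the running image (the 'IOS ... Software' line), not the ROM bootstrap."""
    m = _RUNNING_RE.search(show_version_output)
    if m is None:
        raise ValueError("no running IOS version line found")
    return IosVersion.parse(m.group(1))


def bootstrap_version(show_version_output):
    """Version on the 'ROM: System Bootstrap' line, kept separate so it is not confused."""
    m = _ROM_RE.search(show_version_output)
    if m is None:
        raise ValueError("no ROM bootstrap version line found")
    return IosVersion.parse(m.group(1))


def advisory_status(running, affected_trains, first_fixed):
    """'not listed' if the train is not in the advisory, 'fixed' if the running
    release is at or past the first fixed release for its train, else 'affected'."""
    train = running.release_train
    if train not in affected_trains:
        return "not listed"
    fixed = first_fixed.get(train)
    if fixed is not None and running.is_at_least(fixed):
        return "fixed"
    return "affected"


if __name__ == "__main__":
    running = running_version(SHOW_VER)
    rom = bootstrap_version(SHOW_VER)
    print(f"running image: {running.release_train} ({running})")
    print(f"ROM bootstrap: {rom.release_train} ({rom})  <- not what the advisory is about")
    # Trains named in the advisory quoted in the thread; the first-fixed release
    # below is a PLACEHOLDER for the example, not the advisory's real value.
    affected = {"12.0T", "12.1T"}
    first_fixed = {"12.0T": IosVersion.parse("12.0(7)T3")}
    print("status against placeholder fix table:", advisory_status(running, affected, first_fixed))
```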

jwh
Jun 12, 2002

I'm curious what kind of failure rates people are seeing with Cisco CF cards and ISR motherboards.

We just lost another field 1841 today to a bad 64Mb CF card, bringing our twelve-month total up to four.

And last week, we burned out two WIC-2MFT-T1's to a possessed HWIC slot in a 2811.

On the whole, our failure rates are still well below 5% of our deployed base, but I get clammy hands when thinking about how new our field routers are (130 or so ISRs), and what might be coming down the road.

Paul Boz_
Dec 21, 2003


jwh posted:

I'm curious what kind of failure rates people are seeing with Cisco CF cards and ISR motherboards.

We just lost another field 1841 today to a bad 64Mb CF card, bringing our twelve-month total up to four.

And last week, we burned out two WIC-2MFT-T1's to a possessed HWIC slot in a 2811.

On the whole, our failure rates are still well below 5% of our deployed base, but I get clammy hands when thinking about how new our field routers are (130 or so ISRs), and what might be coming down the road.

http://www.cisco.com/en/US/products/hw/routers/ps282/products_field_notice09186a00804a7abf.shtml

sirchode
Jun 25, 2004

Catalyst question: Is there a way to get a list of all VLANs showing me which switch is acting as spantree root for each one? I've got hundreds of VLANs so going through each one individually isn't very desirable and I'd like to be able to see at a glance which ones need to be fixed

ragzilla
Sep 9, 2005


sirchode posted:

Catalyst question: Is there a way to get a list of all VLANs showing me which switch is acting as spantree root for each one? I've got hundreds of VLANs so going through each one individually isn't very desirable and I'd like to be able to see at a glance which ones need to be fixed

# show spanning-tree detail | inc (is executing the|Current root|We are)

gets the mac address of the root bridge, up to you to map mac addr->switch (tested on 3750, might need some changes for other platforms).
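
Added Python example (not ragzilla's): it parses `show spanning-tree detail` output, does the MAC-to-switch mapping left to the reader, and lists the VLANs whose root is not one of the intended switches. The output, MACs and inventory are constructed for the example; it also reads the `Bridge Identifier` line, which the inc filter drops, so a VLAN where this switch is root gets its own MAC recorded.

```python
import re

# Constructed excerpt of "show spanning-tree detail" (three VLANs, 3750-style
# layout); MAC addresses and priorities are made up for the example.
STP_DETAIL = """\
 VLAN0010 is executing the ieee compatible Spanning Tree protocol
  Bridge Identifier has priority 24576, sysid 10, address 0011.2233.4455
  Configured hello time 2, max age 20, forward delay 15
  We are the root of the spanning tree
  Topology change flag not set, detected flag not set

 VLAN0020 is executing the ieee compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, sysid 20, address 0011.2233.4455
  Configured hello time 2, max age 20, forward delay 15
  Current root has priority 32788, address 00aa.bbcc.dd01
  Root port is 25 (GigabitEthernet1/0/25), cost of root path is 4

 VLAN0030 is executing the ieee compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, sysid 30, address 0011.2233.4455
  Current root has priority 32798, address 00aa.bbcc.dd02
  Root port is 26 (GigabitEthernet1/0/26), cost of root path is 4
"""

# Constructed inventory: bridge MAC -> switch hostname.
INVENTORY = {
    "0011.2233.4455": "core-1",
    "00aa.bbcc.dd01": "core-2",
    "00aa.bbcc.dd02": "access-7",
}

_VLAN_RE = re.compile(r"^\s*(\S+) is executing the")
_LOCAL_RE = re.compile(r"Bridge Identifier has priority (\d+), sysid \d+, address (\S+)")
_ROOT_RE = re.compile(r"Current root has priority (\d+), address (\S+)")
_WE_ARE_RE = re.compile(r"We are the root")


def parse_stp_roots(text):
    """Map VLAN name -> (root bridge MAC, root priority, this switch is root?)."""
    roots = {}
    vlan = None
    local = None            # (MAC, priority) of this switch for the current VLAN
    for line in text.splitlines():
        m = _VLAN_RE.match(line)
        if m:
            vlan, local = m.group(1), None
            continue
        if vlan is None:
            continue
        m = _LOCAL_RE.search(line)
        if m:
            local = (m.group(2), int(m.group(1)))
            continue
        m = _ROOT_RE.search(line)
        if m:
            roots[vlan] = (m.group(2), int(m.group(1)), False)
            continue
        if _WE_ARE_RE.search(line) and local is not None:
            roots[vlan] = (local[0], local[1], True)
    return roots


def roots_by_switch(text, inventory):
    """VLAN -> hostname of its root bridge; unknown MACs are returned prefixed with '?'."""
    return {vlan: inventory.get(mac, "?" + mac)
            for vlan, (mac, _prio, _local) in parse_stp_roots(text).items()}


def vlans_needing_attention(text, inventory, intended_roots):
    """VLANs whose root bridge is not one of the switches that is supposed to be root."""
    return sorted(vlan for vlan, host in roots_by_switch(text, inventory).items()
                  if host not in intended_roots)


if __name__ == "__main__":
    for vlan, host in roots_by_switch(STP_DETAIL, INVENTORY).items():
        print(f"{vlan}: root is {host}")
    print("fix these:", vlans_needing_attention(STP_DETAIL, INVENTORY, {"core-1", "core-2"}))
```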

sirchode
Jun 25, 2004

Girdle Wax posted:

# show spanning-tree detail | inc (is executing the|Current root|We are)

gets the mac address of the root bridge, up to you to map mac addr->switch (tested on 3750, might need some changes for other platforms).
Edit: misunderstood you

Please hold, your call is important to us

Edit 2: Okay I'm not following you here. My routers (7507s/12.3(15a)) aren't letting me do a sh spanning-tree detail, I've got sh spanning-tree root and sh spanning-tree root address but both return blank lines.

The switch is a 5500 by the way (should have specified, sorry)

Google isn't much help either, I'm wondering if I'm just out of luck on this one

sirchode fucked around with this message at 17:16 on Apr 17, 2007

WalaWala
Jul 2, 2002
I have a cisco 1800 series router, currently in a pickle.
Here is the outside interface:
interface FastEthernet0/1
ip address xx.xx.xx.xx 255.255.255.248
ip access-group 111 in
ip inspect myfw out
ip nat outside
ip virtual-reassembly
no ip mroute-cache
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
!

Now I have a pool of outside IP addresses available to me.
How do I use them on the router? I need to set them up for a new server with ports 80 and 443 open. I currently have my mail server with ports 80 and 443 using the ip address from the above interface. How do I add two more outside ip addresses, or since I have the masking down it should know?

Here is the complete config; some info changed to protect the innocent.

grouter#show config
Using 6582 out of 196600 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname grouter
!
boot-start-marker
boot-end-marker
!
no logging buffered

!

mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
ip cef
!
!
ip inspect name mtfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 3600
ip inspect name myfw udp timeout 3600
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip dhcp excluded-address 192.168.192.2
ip dhcp excluded-address 192.168.192.50
ip dhcp excluded-address 192.168.192.237
!
!
ip ips po max-events 100
ip domain name somename.com
ip name-server xx.xx.xx.xx
ip name-server 192.168.192.2
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
group 2
!
crypto isakmp client configuration group somename
key asldkfasljdflasdjflaskjdflaj
dns 192.168.192.2 64.65.208.6
pool SDM_POOL_1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
ip address 192.168.192.254 255.255.255.0 secondary
ip address 10.10.10.1 255.255.255.0
ip access-group 122 out
ip nat inside
ip virtual-reassembly
no ip mroute-cache
duplex auto
speed auto
no cdp enable
hold-queue 32 in
!
interface FastEthernet0/1
ip address xx.xx.xx.xx 255.255.255.248
ip access-group 111 in
ip inspect myfw out
ip nat outside
ip virtual-reassembly
no ip mroute-cache
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.191.100 192.168.191.125
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source static tcp 192.168.192.50 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.192.50 22 interface FastEthernet0/1 22
ip nat inside source static tcp 192.168.192.50 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.192.2 25 interface FastEthernet0/1 25
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
!
!
access-list 102 remark SDM_ACL Category=16
access-list 102 deny ip any host 192.168.191.100
access-list 102 deny ip any host 192.168.191.101
access-list 102 deny ip any host 192.168.191.102
access-list 102 deny ip any host 192.168.191.103
access-list 102 deny ip any host 192.168.191.104
access-list 102 deny ip any host 192.168.191.105
access-list 102 deny ip any host 192.168.191.106
access-list 102 deny ip any host 192.168.191.107
access-list 102 deny ip any host 192.168.191.108
access-list 102 deny ip any host 192.168.191.109
access-list 102 deny ip any host 192.168.191.110
access-list 102 deny ip any host 192.168.191.111
access-list 102 deny ip any host 192.168.191.112
access-list 102 deny ip any host 192.168.191.113
access-list 102 deny ip any host 192.168.191.114
access-list 102 deny ip any host 192.168.191.115
access-list 102 deny ip any host 192.168.191.116
access-list 102 deny ip any host 192.168.191.117
access-list 102 deny ip any host 192.168.191.118
access-list 102 deny ip any host 192.168.191.119
access-list 102 deny ip any host 192.168.191.120
access-list 102 deny ip any host 192.168.191.121
access-list 102 deny ip any host 192.168.191.122
access-list 102 deny ip any host 192.168.191.123
access-list 102 deny ip any host 192.168.191.124
access-list 102 deny ip any host 192.168.191.125
access-list 102 permit tcp host 192.168.192.50 any eq smtp
access-list 102 deny tcp 192.168.192.0 0.0.0.255 any eq smtp
access-list 102 permit ip 192.168.192.0 0.0.0.255 any
access-list 111 permit tcp any any eq smtp
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq 22
access-list 111 permit tcp any any eq 443
access-list 111 permit tcp any any eq telnet
access-list 111 permit ip any host xx.xx.xx.xx
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
access-list 122 deny tcp any any eq telnet
access-list 122 permit ip any any
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 102
!
!
!
control-plane
!
!
line con 0
exec-timeout 120 0
line aux 0
line vty 0 4
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!
end

Grambo
Jan 18, 2005


WalaWala posted:

I need to set them up for a new server with ports 80 and 443 open. I currently have my mail server with ports 80 and 443 using the ip address from the above interface. How do I add two more outside ip addresses, or since I have the masking down it should know?

ip nat inside source static tcp 192.168.192.50 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.192.50 22 interface FastEthernet0/1 22
ip nat inside source static tcp 192.168.192.50 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.192.2 25 interface FastEthernet0/1 25
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload

The IP Nat Inside Source command allows you to forward to an IP of an external interface, or to another IP address.

Let's say the host you're setting up is 192.168.192.51 and the IP address you want to use from the pool is 200.1.1.45
use these commands:
ip nat inside source static tcp 192.168.192.51 80 200.1.1.45 80 extendable
ip nat inside source static tcp 192.168.192.51 443 200.1.1.45 443 extendable

that should allow you to "extend" a port forward to another external IP address

ragzilla
Sep 9, 2005


sirchode posted:

Edit: misunderstood you

Please hold, your call is important to us

Edit 2: Okay I'm not following you here. My routers (7507s/12.3(15a)) aren't letting me do a sh spanning-tree detail, I've got sh spanning-tree root and sh spanning-tree root address but both return blank lines.

The switch is a 5500 by the way (should have specified, sorry)

Google isn't much help either, I'm wondering if I'm just out of luck on this one

sh spanning-tree is only going to work on catalyst platforms like the 5500. I've never done IRB in routing platforms but there may be some spanning tree info on the 7500s in show bridging / show irb

WangNV
Mar 22, 2001
I have a piece of stupid software that uses the built-in windows XP FTP shell to connect to an outside server. This means no passive ftp, as XP's shell doesn't support passive mode. I have a PIX 515E running IOS 6.3(5) that does NAT on that network, and has a static address (not pooled) for the machine that does the ftp.

FTP fixup is turned on for ports 20 and 21. The ftp client connects fine, but file transfers fail, or download at a whopping 1.7k a sec. (Even when the host is in the DMZ outside the firewall and thus on the same 100 BASE-T network). Can anybody else think of what might be causing this?

Passive FTP connections work great, but the software won't do it. I've tried configuring reverse DNS records like they (cisco) say, but I still get nothing. What gives?

WangNV fucked around with this message at 04:59 on Apr 18, 2007

markus876
Aug 19, 2002


jwh posted:

Like I said, I don't have a 2960 here to poke at, but it doesn't look like it's a layer-3 switch, based on the data sheet.

I have a 2960g here and confirm that it does not support any of the EMI images / layer-3 functionality.

Thanks Ants
May 21, 2004



I am totally new to Cisco gear, but I managed to pick up a brand new 7912G for £28, looking at this guide:

http://www.voip-info.org/wiki/view/Cisco+7905%252F7912+IP+Phones

It says I need a service contract to be able to download the latest firmware for it. Where can I buy these service contracts from, and what's the part number I'm after? Cisco's CCO site is less than helpful.

LordHop
Oct 26, 2003
Is there any type of software emulator I can use that pretends to be a cisco box so I can start to learn how to use these things?

Boner Buffet
Feb 16, 2006

markus876 posted:

I have a 2960g here and confirm that it does not support any of the EMI images / layer-3 functionality.

Beyond that, any issues you have run into with it?


jwh
Jun 12, 2002

LordHop posted:

Is there any type of software emulator I can use that pretends to be a cisco box so I can start to learn how to use these things?

There's dynamips, which you can google for, except it requires you supply your own IOS image. Alternatively, there's the Boson NetSim demo.

Without an IOS image, your best bet is to buy some cheap hardware. You could also buy a 3600 series router, which can be had for about two-hundred dollars, and then steal its IOS image for use with dynamips. You can occasionally find a real bargain on ebay.

Caged posted:

It says I need a service contract to be able to download the latest firmware for it. Where can I buy these service contracts from, and what's the part number I'm after? Cisco's CCO site is less than helpful.
You'll want to contact a Cisco reseller and ask them to quote you a smartnet contract. Not for the faint of heart.
