Arkady
Jun 18, 2004

Girdle Wax posted:

From the 2950 QoS FAQ.

The way I'm reading that, you need to issue 2 commands:
code:
mls qos cos 0
mls qos cos override

Why do you feel dot1p tagging is bad though?

I've read that FAQ, but from my understanding all it does is override the COS with a different value, not strip it. Meaning I'd still be left with a COS value, be it 0, or something else. Am I wrong in this?

The problem I'm having is one of the proprietary devices on the network, a router of sorts, dropping all packets tagged with COS. This problem is being worked on a system level, but I was hoping to find a networking solution in the meanwhile.

jwh
Jun 12, 2002

Arkady posted:

I've read that FAQ, but from my understanding all it does is override the COS with a different value, not strip it. Meaning I'd still be left with a COS value, be it 0, or something else. Am I wrong in this?

The problem I'm having is one of the proprietary devices on the network, a router of sorts, dropping all packets tagged with COS. This problem is being worked on a system level, but I was hoping to find a networking solution in the meanwhile.

You can't strip the 802.1p bits out of the frame - it's either there as part of the 802.1q header, or not there at all. At least, that's my understanding.

What if you connect the router-like device to a port configured as static access?

delslo
Sep 20, 2003

Tremblay posted:

There is a bug that was fixed in ASA code. Basically PPTP + PAT == no no in 7.x code. It does work in 6.x but it turned the nat tables into spaghetti. What version of code is on the PIX and what is the ASA running?

Both the Pix and the ASA are running 7.2.

behold, my running config:
code:
: Saved
:
ASA Version 7.2(2) 
!
hostname ciscoasa
domain-name coronabeach.local
enable password <LOLPASSWORD> encrypted
names
name 68.34.60.30 comcast1 description comcast1
ddns update method coronab.dyndns.org
 ddns both
!
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ddns update hostname coronab.dyndns.org
 ddns update coronab.dyndns.org
 dhcp client update dns
 ip address dhcp setroute 
!
interface Vlan3
 no nameif
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd <LOLPASSWORD> encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name coronabeach.local
same-security-traffic permit inter-interface
object-group network VPN-Group
 description VPN Group
 network-object 10.0.2.0 255.255.255.0
access-list coronabeach_splitTunnelAcl standard permit 10.0.1.0 255.255.255.0 
access-list corona_beach_splitTunnelAcl standard permit any 
access-list inside_nat0_outbound extended permit ip any 10.0.2.96 255.255.255.224 
access-list inside_nat0_outbound extended permit ip any 10.0.1.192 255.255.255.224 
access-list C_B_splitTunnelAcl standard permit 10.0.1.0 255.255.255.0 
access-list CB_splitTunnelAcl standard permit any 
access-list cbeach_splitTunnelAcl standard permit any 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 10.0.2.100-10.0.2.120 mask 255.255.255.0
ip local pool VPN_Pool 10.0.1.200-10.0.1.210 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
asdm history enable
arp timeout 14400
global (inside) 1 10.0.1.99 netmask 255.0.0.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 comcast1 255.255.255.255 outside
static (outside,inside) tcp 10.0.1.22 www comcast1 www netmask 255.255.255.255  dns 
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy cbeach internal
group-policy cbeach attributes
 dns-server value 10.0.1.22 4.2.2.1
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cbeach_splitTunnelAcl
 default-domain value coronabeach.local
username darwin password <LOLPASSWORD> encrypted privilege 0
username darwin attributes
 vpn-group-policy cbeach
http server enable
http 10.0.1.0 255.255.255.255 inside
http 10.0.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs 
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs 
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs 
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs 
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group cbeach type ipsec-ra
tunnel-group cbeach general-attributes
 address-pool VPN_Pool
 default-group-policy cbeach
tunnel-group cbeach ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client update dns server both
dhcpd address 10.0.1.100-10.0.1.130 inside
dhcpd dns 4.2.2.1 interface inside
dhcpd domain coronabeach.local interface inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:fb00efaf8c0b2658eccdd31c80cff091
: end
asdm image disk0:/asdm-522.bin
asdm history enable

Now I ask you: I am currently on comcrap internets w/ DHCP. I would like to forward ports from outside to inside, for instance:
3389 to 10.0.1.99
32767 to 10.0.1.99 (lol files)
22 to 10.0.1.22

What commands or changes would need to be run to make this happen?

- Is there any way to also punch 1723 through for PPTP VPN? I have a few devices (iPhone) that I can't install the cisco vpn client on. If so, what changes would need to be made?

- I still have the problem accessing devices over the VPN ONLY if I am behind a Pix 515 (also running 7.2). Based on this config, can you guys make any suggestions?

- Anything else that should be cleaned out of this config? I know extra crap got added in troubleshooting.

Thanks!

Boner Buffet
Feb 16, 2006
I need to do a "show tech" on about 40 devices ranging from Catalyst 2950s to a 4506. What's the best tool to use for logging the enormous output? I figured I'd give putty a go. In the past, I used hyper terminal with logging getting the techs off of a couple of routers and the output was too much and some was chopped off in the output file.

Boner Buffet
Feb 16, 2006
Sorry, lame question. Putty works fine, nothing was cut off.

ragzilla
Sep 9, 2005

Arkady posted:

I've read that FAQ, but from my understanding all it does is override the COS with a different value, not strip it. Meaning I'd still be left with a COS value, be it 0, or something else. Am I wrong in this?

The problem I'm having is one of the proprietary devices on the network, a router of sorts, dropping all packets tagged with COS. This problem is being worked on a system level, but I was hoping to find a networking solution in the meanwhile.

If that doesn't work, you could try using the dscp-to-cos map, assuming the device doesn't also set DSCP bits?

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/swqos.html#wpmkr1026216

ate shit on live tv
Feb 15, 2004

delslo posted:

Now I ask you: I am currently on comcrap internets w/ DHCP. I would like to forward ports from outside to inside, for instance:
3389 to 10.0.1.99
32767 to 10.0.1.99 (lol files)
22 to 10.0.1.22

What commands or changes would need to be run to make this happen?

- Is there any way to also punch 1723 through for PPTP VPN? I have a few devices (iPhone) that I can't install the cisco vpn client on. If so, what changes would need to be made?

- I still have the problem accessing devices over the VPN ONLY if I am behind a Pix 515 (also running 7.2). Based on this config, can you guys make any suggestions?

- Anything else that should be cleaned out of this config? I know extra crap got added in troubleshooting.

Thanks!

I can't help you with the specific PIX questions, as I hate PIX and wish they would die...

But I believe for your port forwarding needs you'd need to do something like this:
code:
ip nat inside source list 102 interface FastEthernet4 overload
ip nat inside source static tcp 10.10.10.3 27015 interface FastEthernet4 27015
ip nat inside source static tcp 10.10.10.7 6667 interface FastEthernet4 6667
access-list 102 permit ip 10.10.10.0 0.0.0.255 any

Obviously updating the ports and IPs to your equivalent ones.
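The `ip nat` lines above are IOS router syntax and do not exist on the ASA. As an added example (not from the thread, and not part of delslo's posted config), here is the ASA 7.2 (pre-8.3 NAT) form of the three forwards delslo asked about, using the inside hosts from his config and assuming the outside address stays DHCP-assigned; 203.0.113.0/24 is a placeholder for the admin's known source range.

```cisco
! Added example, not from the thread. ASA 7.2 static PAT on the outside
! interface address (the outside IP is DHCP-assigned, so "interface" is used
! instead of a fixed mapped address). Form:
!   static (real_ifc,mapped_ifc) tcp <mapped_ip|interface> <mapped_port> <real_ip> <real_port>
static (inside,outside) tcp interface 3389 10.0.1.99 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 32767 10.0.1.99 32767 netmask 255.255.255.255
static (inside,outside) tcp interface 22 10.0.1.22 22 netmask 255.255.255.255
!
! A static only creates the translation; the security-level-0 outside
! interface still drops unsolicited inbound traffic until an ACL permits it.
! Pre-8.3 ACLs match on the mapped (outside) address, hence "interface outside".
! RDP and SSH are limited to a placeholder source range rather than "any";
! substitute the real range you connect from.
access-list outside_access_in extended permit tcp 203.0.113.0 255.255.255.0 interface outside eq 3389
access-list outside_access_in extended permit tcp 203.0.113.0 255.255.255.0 interface outside eq 22
access-list outside_access_in extended permit tcp any interface outside eq 32767
access-group outside_access_in in interface outside
!
! The posted config already carries
!   static (outside,inside) tcp 10.0.1.22 www comcast1 www netmask 255.255.255.255 dns
! whose interface pair is the reverse of the inbound forwards above; review
! that line before adding another static for 10.0.1.22.
!
! PPTP (1723) is deliberately not shown: the TCP control channel forwards the
! same way, but the GRE data channel relies on "inspect pptp" in the global
! policy, and Tremblay's post above flags PPTP through PAT on 7.x as buggy.
!
! Verify after applying:
!   show xlate
!   show access-list outside_access_in
```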

wither
Jun 23, 2004

I'm looking for a 100mbit cheapish Cisco that can hook up a cable modem. I'm looking at the 804's (edit: those are ISDN, I mean the 831's), the 1720s (I think that's the model at least), and the 2500's with a CSU/DSU, or WAN or what have you (would that even work?).

I see the 2500's going for like 30 bucks shipped on ebay with a CSU/DSU (but not a DSU/WAN card, which is what I need for a cable modem, right?) From what I gather the 804's/1720s can do that out of the box? Does the 851w have a little brother that's cheap used perhaps. Doesn't really need to have wifi.

I'm not looking for anything complicated as hell, just something that'd be rock solid stable for AIM and the like. My linksys regularly craps the bed, especially in the summer heat (I turn off the AC when I go to work.) and it's a huge pain in the rear end to come back to AIM dead. I used to get like 25 days online time easy before I started torrenting so I think (read: probably is, since this didn't happen before I used torrents regularly) that might be the cause.

So primarily i want stability. My friend suggested I route with my bsd box, but 1) it's an old machine and any power variance (even a tenth of a second) ends up rebooting it and loving it up. Yeah, I could get a UPS, but hey. He also suggested a buffalo hp-54, but all those firmware hacks make me uncomfortable, and it's also not guaranteed stability. I'm not sure if I'll find my perfect router fit though it in this price range.

Next up, I'd like QoS I'd like to limit torrents to say, 90 percent of the total bandwidth. Is there a way for Cisco's to assess maximum bandwidth on a cable modem? Say, 'within the last 24 hours, the max throughput on WAN was 9mbit down/1mbit up, so QoS everything but AIM to 8.5 mbit down/800kbit up), Sometimes my ISP bumps me up, so I'd like it to auto adjust, but that's probably asking too much. I pretty much want to limit all but AIM traffic to X percent (80/90) of the total bandwidth. Worse comes to worse I can manually adjust it.

Sometimes I transfer big files across the network, I'd like to get speed, but I don't want the router to crash because of it. Once again I want WAN traffic to remain untouched and guaranteed, if there's a way to guarantee processing power on WAN if necessary (i.e., if a 1720 will crash on WAN if both torrenting/AIM/transferring files across the network at 100mbit)

SNMP or something like FreeBSD's "bmon" in command prompt to realtime monitor bandwidth usage per port and maybe based on connection, would be nice but not necessary. Also VPN would be nice to gently caress around with (do those old cisco's even let you use the VPN client/how stable would it be. I read earlier in this thread that the ASA5510 is the most solid router for VPN some dudes ever used, but that's far out of my price range, as is the 851W or what have you.) None of these are even remotely necessary but would be nice.

Wow, that was long. Sorry if this was just one big rant, or if these are entirely noob questions. There's a cheap 831 that I'd like to get if you guys think it'd be satisfactory for the criteria I outlined.

wither fucked around with this message at 01:10 on Aug 25, 2007

Ray_
Sep 15, 2005

wither posted:

I'm looking for a 100mbit cheapish Cisco that can hook up a cable modem. I'm looking at the 804's (edit: those are ISDN, I mean the 831's), the 1720s (I think that's the model at least), and the 2500's with a CSU/DSU, or WAN or what have you (would that even work?).

I think a ASA 5505 would fit perfectly for you, but it is probably out of your price range at $450 or so. It does have a few 10/100 ports (that you can VLAN!) and a shitload of pretty cool firewall stuff.

With a cable modem, you need a WIC-1ENET= for a 1700 series. Here's one at PCConnection:
http://www.pcconnection.com/ProductDetail?Sku=223326

You can probably get one for under $100 off ebay, or get a 1700 with one already in for $200 or so.

Ninja Rope
Oct 22, 2005

What is everyone's favourite netflow graphing/display software? I've been using nfsen, but I was really hoping for something a little less complicated. Ideally, something that would provide users with a graph that says "this host sent X bytes today", or even better "traffic between this network and that network averages X bytes/second". It seems like nfsen can do this, but it's too complicated for most clients I work with and even then the numbers aren't exactly what I'm looking for.

It seems like all the data I need is being collected. Do I need to write a front end to the rrd data files to generate the graphs I want? Or is there a better (ideally free) netflow display application I should be suggesting to clients?

CrazyLittle
Sep 11, 2001

wither posted:

:words:

1) Don't get a 2500 for any reason unless you really feel like learning old versions of IOS
2) Don't get a 1720 for routing ethernet WAN. Get a 2621 instead, which has two fast ethernet ports built in.
3) ASA's are a pain in the butt to configure for QoS, and PIX 501's simply don't support it. 2621's aren't that great for NAT unless you get a good amount of RAM in them.
4) Your router should never be routing LOCAL traffic, so the port speed of the LAN interface shouldn't matter as long as you have a switch that's not pure poo poo on the inside.

5) of the 8xx series, isn't the 871 the one that has 2-3 fast ethernet interfaces?

delslo
Sep 20, 2003

Ray_ posted:

I think a ASA 5505 would fit perfectly for you, but it is probably out of your price range at $450 or so. It does have a few 10/100 ports (that you can VLAN!) and a shitload of pretty cool firewall stuff.

With a cable modem, you need a WIC-1ENET= for a 1700 series. Here's one at PCConnection:
http://www.pcconnection.com/ProductDetail?Sku=223326

You can probably get one for under $100 off ebay, or get a 1700 with one already in for $200 or so.

the ASA 5505 "base package" (10 users, 3DES, etc. etc.) is $391 from newegg... shipped, it comes out to ~$400

Sneaksie
Feb 13, 2003

Ninja Rope posted:

What is everyone's favourite netflow graphing/display software? I've been using nfsen, but I was really hoping for something a little less complicated. Ideally, something that would provide users with a graph that says "this host sent X bytes today", or even better "traffic between this network and that network averages X bytes/second". It seems like nfsen can do this, but it's too complicated for most clients I work with and even then the numbers aren't exactly what I'm looking for.

It seems like all the data I need is being collected. Do I need to write a front end to the rrd data files to generate the graphs I want? Or is there a better (ideally free) netflow display application I should be suggesting to clients?

Most of the networks I work with are monitored with either cricket or cacti.
For core networks we also use weathermap, this runs off the cacti/cricket graphs and produces a network diagram with coloured lines showing how much bandwidth has been used.

ragzilla
Sep 9, 2005

I can't think of anywhere better to ask this, and don't want to make a new thread

Has anyone here ever terminated/scoped 50micron multimode before? We typically stick to 62.5 but our 10GbE xenpaks won't shoot far enough over it. The terminate/polish on our 50 micron looks good but when we scope it the edge of the core looks 'fuzzy'. Just wondering if that's normal...

bj2001holt
Apr 6, 2003

Sorry to cross-post but I figured this thread would be the most appropriate. The company I work for is looking to hire a couple of network engineers. If any of you are interested check out http://forums.somethingawful.com/showthread.php?threadid=2603757. I have received multiple responses from the thread and have one interview set up for later this week, hoping to hear from more people.

Thanks!

Analog LED
Oct 23, 2003

I'm curious, who here has dealt with TAC and how are they with solving your issues?

Analog LED
Oct 23, 2003

CrazyLittle posted:


5) of the 8xx series, isn't the 871 the one that has 2-3 fast ethernet interfaces?


I believe it has 4 FE ports plus the WAN port.

Analog LED fucked around with this message at 01:49 on Aug 31, 2007

jwh
Jun 12, 2002

Analog LED posted:

I'm curious, who here has dealt with TAC and how are they with solving your issues?

I deal with the TAC pretty often, as I'm sure most everybody else here does. I thought we even had a few people here that work in TAC.

I'd say they're good at solving issues overall; there's occasionally problems relating to where your case is being worked from, versus where you are, which can lead to some delays in communicating, but on the whole they're a good group to work with. They've always been top-notch smart once you get your issue routed to the right group, at least in my experience.

CrazyLittle
Sep 11, 2001

jwh posted:

I deal with the TAC pretty often, as I'm sure most everybody else here does. I thought we even had a few people here that work in TAC.

I'd say they're good at solving issues overall; there's occasionally problems relating to where your case is being worked from, versus where you are, which can lead to some delays in communicating, but on the whole they're a good group to work with. They've always been top-notch smart once you get your issue routed to the right group, at least in my experience.

I'm going on month 3 regarding OER. I just want a generic loving config I can hack GIVE IT TO ME YOU FUCKHEADS :argh:

inignot
Sep 1, 2003

Analog LED posted:

I'm curious, who here has dealt with TAC and how are they with solving your issues?

TAC's usefulness is inversely proportional to your level of experience. When you're first starting out & need to know how to get OSPF up on your point to point T1, TAC is seemingly god-like. When you have 10 years of experience and you ask them why your redistribution route map isn't applying tags to all the networks in your prefix list, and all you get from TAC is a blank stare, then you tend to think they suck.

jbusbysack
Sep 6, 2002
What do you guys think is a good second step on CCNP after BCMSN? I'm set to take that in a week or so and I'm completely indecisive on where to go after it.

Cidrick
Jun 10, 2001

I'm working on a really old Pix that I'm having trouble figuring out. I have a device inside the network with a static IP which is making an outbound VPN connection to a data center using OpenVPN. It's a rather standard setup - T1 goes into Pix, Pix feeds switches which feed the internal network. The box making the VPN connection works fine - it connects and traffic routes all over the place just fine. However, the issue is with routing.

Here's the setup:

Pix: 192.168.41.1
VPN Box: 192.168.41.4
Remote Network: 192.168.208.x

Now, everything on the .41.x subnet has the Pix as its default gateway. I have set up routes on the Pix to point traffic to the .208.x subnet to use .41.4 as the gateway. The VPN box forwards all traffic to .208.x to go over the VPN interface. If I set up static routes on individual machines inside the .41.x subnet to use .41.4 as the gateway for all .208.x traffic, it works. Of course, this is a horrible way to do things and I want the Pix to handle it all.

The kicker is, I added the routes on the Pix to go to the .208.x subnet and it works just fine from the Pix. If I'm logged into the Pix I can ping anything on the .208.x subnet just fine. However, it doesn't seem to be properly routing traffic from anything on the inside network to use .41.4 as its gateway.

Here's the routes
code:
pix# sh route
        outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1 OTHER static
        inside 192.168.41.0 255.255.255.0 192.168.41.1 1 CONNECT static
        inside 192.168.208.0 255.255.255.0 192.168.41.4 1 OTHER static
        outside xxx.xxx.xxx.xxx 255.255.255.248 xxx.xxx.xxx.xxx 1 CONNECT static

Do I need an access list or something? Is there a better way to go about this? I'd rather have the Pix handle the VPN but almost all our stuff uses Linux-based networking tools like Quagga and OpenVPN which would most likely be a nightmare to get it working on the Pix.

Thanks. I rather suck at Cisco stuff so this is probably a pretty easy question.

dwarftosser
Sep 3, 2002

Cidrick posted:

I'm working on a really old Pix that I'm having trouble figuring out. I have a device inside the network with a static IP which is making an outbound VPN connection to a data center using OpenVPN. It's a rather standard setup - T1 goes into Pix, Pix feeds switches which feed the internal network. The box making the VPN connection works fine - it connects and traffic routes all over the place just fine. However, the issue is with routing.

Here's the setup:

Pix: 192.168.41.1
VPN Box: 192.168.41.4
Remote Network: 192.168.208.x

Now, everything on the .41.x subnet has the Pix as its default gateway. I have set up routes on the Pix to point traffic to the .208.x subnet to use .41.4 as the gateway. The VPN box forwards all traffic to .208.x to go over the VPN interface. If I set up static routes on individual machines inside the .41.x subnet to use .41.4 as the gateway for all .208.x traffic, it works. Of course, this is a horrible way to do things and I want the Pix to handle it all.

The kicker is, I added the routes on the Pix to go to the .208.x subnet and it works just fine from the Pix. If I'm logged into the Pix I can ping anything on the .208.x subnet just fine. However, it doesn't seem to be properly routing traffic from anything on the inside network to use .41.4 as its gateway.

Here's the routes
code:
pix# sh route
        outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1 OTHER static
        inside 192.168.41.0 255.255.255.0 192.168.41.1 1 CONNECT static
        inside 192.168.208.0 255.255.255.0 192.168.41.4 1 OTHER static
        outside xxx.xxx.xxx.xxx 255.255.255.248 xxx.xxx.xxx.xxx 1 CONNECT static

Do I need an access list or something? Is there a better way to go about this? I'd rather have the Pix handle the VPN but almost all our stuff uses Linux-based networking tools like Quagga and OpenVPN which would most likely be a nightmare to get it working on the Pix.

Thanks. I rather suck at Cisco stuff so this is probably a pretty easy question.

The PIX is not a router, it will only forward traffic through it or deny traffic on the same virtual interface. It is not possible to reroute traffic out of the same virtual interface on a PIX.

dwarftosser fucked around with this message at 17:40 on Aug 31, 2007

Cidrick
Jun 10, 2001

dwarftosser posted:

The PIX is not a router, it will only forward or deny traffic on the same virtual interface. It is not possible to reroute traffic out of the same virtual interface on a PIX.

Crap.

Guess I'll have to figure out how to make the Pix the VPN endpoint then.

dwarftosser
Sep 3, 2002

Cidrick posted:

Crap.

Guess I'll have to figure out how to make the Pix the VPN endpoint then.

Yup, I found that out the hard way the first time I ever installed a Cisco VPN Concentrator. If you've got another device that can act as a router for your local network that might be the easiest solution, and then it can redirect traffic to the PIX or VPN from there.

Cidrick
Jun 10, 2001

dwarftosser posted:

Yup, I found that out the hard way the first time I ever installed a Cisco VPN Concentrator. If you've got another device that can act as a router for your local network that might be the easiest solution, and then it can redirect traffic to the PIX or VPN from there.

Yeah, I could do that, but if I did I'd probably just end up tossing the Pix since there's not a whole lot it can do that my Linux firewall can't.

Actually, now that I think about it, the easiest way to do this would probably be to make the VPN box the default gateway in DHCP, so that all traffic from the internal network has to hit it before going to the Pix without having to physically put it between the switches and the Pix. The only downside to this is that I'm introducing one extra point of failure. If I have a single point of failure, I'd rather it be a Cisco product than a Supermicro 1U server.

Thanks for your help!

gregday
May 23, 2003

If anyone wants to buy some Cisco Catalyst 2950 24-port switches, I have 3 available in perfect condition.

SA Mart thread:

http://forums.somethingawful.com/showthread.php?s=&threadid=2610569

inignot
Sep 1, 2003

Cidrick posted:

Pix feeds switches...

What kind of switch do you have? If it does layer 3 you could do your routing there. Even if it's only layer 2 you (I think) can form a trunk with the pix & set up sub interfaces for more 'routing' on the pix.

RabidFox
Jul 20, 2007

CrazyLittle posted:

3) ASA's are a pain in the butt to configure for QoS, and PIX 501's simply don't support it. 2621's aren't that great for NAT unless you get a good amount of RAM in them.
4) Your router should never be routing LOCAL traffic, so the port speed of the LAN interface shouldn't matter as long as you have a switch that's not pure poo poo on the inside.

These are the two most important facts. Slow lovely routers are terrible for vlan routing and acl's. If I had a nickel for every time I saw a 28XX or 26XX peg at 100% cpu time and stop responding because some dipshit thought it'd be a good "router on a stick" for vlan routing over fa speeds. FFS, it's a 200MHz proc. When the hardware based packet router gets overloaded it goes to the software based one, which blows balls, btw. I've gotten some very confused emails starting with, "well it worked XX months ago, what's different now?" "Have you added more users?" "uh, yeah"

moral of the story is, routing at fa speeds through a 2XXX series router with any sort of acl's/policy based routing is a NO!

jwh
Jun 12, 2002

RabidFox posted:

When the hardware based packet router gets overloaded it goes to the software based one, which blows balls, btw.

Aren't 2600 and 2800 series software CEF only? What hardware are you talking about?

mezoth
Aug 7, 2006

inignot posted:

TAC's usefulness is inversely proportional to your level of experience. When you're first starting out & need to know how to get OSPF up on your point to point T1, TAC is seemingly god-like. When you have 10 years of experience and you ask them why your redistribution route map isn't applying tags to all the networks in your prefix list, and all you get from TAC is a blank stare, then you tend to think they suck.

Having worked for them, and then worked for a major internet provider and dealing with them (and the AS group at Cisco) this statement is 100% accurate. Seriously, for advanced routing issues, or getting them to admit to a bug (and internally getting the DEs to admit to a bug) was just a real pain in the rear end without overwhelming evidence. I am tracking multiple bugs with DSCP marking on the 7600 sup720 platform right now, and Cisco will not even try to help anymore. Grr.

For basic/mid-level support, however? They seriously rock. And if they do not, escalate internally and get somebody that does - it shows up in the metrics pretty fast when somebody has a ton of requeues for bad service and action is taken.

RabidFox
Jul 20, 2007

jwh posted:

Aren't 2600 and 2800 series software CEF only? What hardware are you talking about?

oh balls, you're right. This was a cat 3XXX something, layer 3 switch, I had a 2XXX as a router on a stick with the same problem, ACL's with intervlan routing. The Cat was doing the same thing but it had policy based routing. NVM, then.

XakEp
Dec 20, 2002

Just wanted to share this - I passed my 642-552 SND exam today. 975/1000. With any luck I can get CCSP out of the way by the end of the year and move on to CCIE Security.

CrazyLittle
Sep 11, 2001
This thread's getting lonely. I have a fun bit of news:

I managed to get OER working on a 3640 with a T1 and DSL interface.

R1CH
Apr 7, 2002

Is there any way to adjust DHCP client retries / timeouts on a Cisco 871W? It runs IOS, c870-advsecurityk9-mz.124-11.T1.bin to be specific. My braindead ISP only gives me an IP after the 4th or 5th DHCP REQUEST or after a certain time period has elapsed, but my 871W only issues 3 requests with a 5 sec timeout on each one before giving up for a minute.

Windows and Mac both continue issuing requests with the same xid until they get a lease whereas the 871w picks a new xid after 3 failed attempts. The only timeout settings I could find seemed to be for the dhcp server. My router is acting as nothing more than a glorified switch at the moment until I can fix this. Any ideas?

ragzilla
Sep 9, 2005

CrazyLittle posted:

This thread's getting lonely. I have a fun bit of news:

I managed to get OER working on a 3640 with a T1 and DSL interface.

I just saved a bunch of money on my car insurance.

No wait, Cisco pushed the SRB2 release back to late September (28th I think?). And the PM team will not be providing interim builds even though it's been stable for 'a couple of weeks'.

Oh, and the devices I need to put it on go live this weekend, so I guess I need yet another maint window in early oct to do the code upgrade and apply dcef-only switching mode...

jwh
Jun 12, 2002

CrazyLittle posted:

I managed to get OER working on a 3640 with a T1 and DSL interface.

Can you share sanitized configs, as well as which IOS image you're using? I'd love to see what you came up with.

CrazyLittle
Sep 11, 2001

jwh posted:

Can you share sanitized configs, as well as which IOS image you're using? I'd love to see what you came up with.

No! YOU MUST PAY ME FOR IT!!! MUA HAH AH AHHAHAHHA...

(yeah - just gotta grab it from the router some how, and I seem to have locked myself out of telnet over the DSL interface :P )

jwh
Jun 12, 2002

R1CH posted:

Is there any way to adjust DHCP client retries / timeouts on a Cisco 871W?

Can you hard code the ID? I think there's an option for that. There's an option for hard-coding some client identifier, although it might not be the one you need.

I haven't seen any options to tune the dhcp client, sadly.

For that matter, why is your ISP so slow to reply to your request? Fifteen seconds is a long time.

jwh
Jun 12, 2002

CrazyLittle posted:

No! YOU MUST PAY ME FOR IT!!! MUA HAH AH AHHAHAHHA...

(yeah - just gotta grab it from the router some how, and I seem to have locked myself out of telnet over the DSL interface :P )

I'm prepared to offer you all of my returnable beer bottles, shipped at your expense, plus a cat. You can choose a grey cat, or an orange one. That is my final offer.
