Ninja Rope
Oct 22, 2005

Wee.
I'm trying to throttle bandwidth on a switch port in order to somewhat simulate bandwidth restricted clients (i.e., users on a DSL line). I'm not exactly sure what settings I should use for the policed rate and burst. Would a DSL line even have a "burst" ability? And how would that relate to the policed rate?


inignot
Sep 1, 2003

WWBCD?

jwh posted:

Cable management sucks though, as in, there isn't any.

This system is about the least awful I've used (on a 6506).

http://www.youtube.com/watch?v=W3HvmvRALHk&feature=related

The picture they flash up as an example of a spaghetti bowl looks disturbingly like a switch wiring job I unfucked recently.

jwh
Jun 12, 2002

inignot posted:

This system is about the least awful I've used (on a 6506).

http://www.youtube.com/watch?v=W3HvmvRALHk&feature=related

The picture they flash up as an example of a spaghetti bowl looks disturbingly like a switch wiring job I unfucked recently.

That looks pretty good. I think my biggest complaint with the 4500 and 6500/7600 series is the fact that the blades are horizontal with a fan card on the left. I always seem to end up in environments where somebody has pulled cables to the left across the fan card, and I've had more fan cards go bad in 4500s than in any other platform I've worked with.

We have a lot of fixed configuration 1u 48 port switches in our user plant, and I've recently asked for a lot of neatpatch systems to clean it up. I don't know if we'll get them, but I think they're clean looking, for horizontal fixed configuration deployments. 96 ports of patch / termination in 10u with good management would be nice.

CrazyLittle
Sep 11, 2001

Clapping Larry

jwh posted:

I've recently asked for a lot of neatpatch systems to clean it up.

I'm using neatpatch for 4 racks in my colo, and it's definitely better than panduit for intra-rack cable management between switches and patch panels, but I think either I did something wrong or their system isn't quite perfect when it comes to connecting patch panels to servers. My racks would have ended up a lot cleaner if I had gone with vertical patching and vertical power. But then again it was hard enough getting the money for inter-rack patch panels.

nzspambot
Mar 26, 2010

Ninja Rope posted:

I'm trying to throttle bandwidth on a switch port in order to somewhat simulate bandwidth restricted clients (i.e., users on a DSL line). I'm not exactly sure what settings I should use for the policed rate and burst. Would a DSL line even have a "burst" ability? And how would that relate to the policed rate?

what switch?

try these 2 for a start

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_25_see/configuration/guide/swqos.html#wp1253412

http://www.cisco.com/en/US/tech/tk543/tk545/technologies_tech_note09186a00800a3a25.shtml

ragzilla
Sep 9, 2005
don't ask me, i only work here


jwh posted:

That looks pretty good. I think my biggest complaint with the 4500 and 6500/7600 series is the fact that the blades are horizontal with a fan card on the left. I always seem to end up in environments where somebody has pulled cables to the left across the fan card, and I've had more fan cards go bad in 4500s than in any other platform I've worked with.

We have a lot of fixed configuration 1u 48 port switches in our user plant, and I've recently asked for a lot of neatpatch systems to clean it up. I don't know if we'll get them, but I think they're clean looking, for horizontal fixed configuration deployments. 96 ports of patch / termination in 10u with good management would be nice.

Switch exclusively to 6509, NEBS variant (vertical LCs, front to back airflow) :v:

Or you could do cable harnesses out of the 6509 to patch panels if you're currently doing interconnect patching rather than full cross-connect patching, but it'll take up more rack space you might not have.

jwh
Jun 12, 2002

Well, yeah I'd love to have the 6509-V-E's instead of what I have. I'm not even sure how much those chassis cost compared to a regular 6509-E chassis. Something tells me they're probably expensive.

The hard part of this particular redesign was trying to cram ~740 ports of voice and data, including patch panels, switches, and cable management, UPS, and an Avaya G450 into two and a half Chatsworth two-post racks. The problem is this particular space we're working with is only about seventy square feet.

Richard Noggin
Jun 6, 2005
Redneck By Default
Another stupid question. Same 1900 router, trying to configure an ACL to allow SSH traffic from a particular internet host to several internal addresses (which get PATed to 2222-2225). I have NAT going on the router. All the ACL combinations (applying the access-group to dialer0 in or out) I've tried have prevented local hosts from reaching the internet. Here's the basic config I have:

code:
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.25.1 255.255.255.0
 ip helper-address 192.168.25.4
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/0.3
 encapsulation dot1Q 3
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1 service-name "dsl"
!
interface GigabitEthernet0/1.2
!
interface Dialer0
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxx
 ppp chap password 0 xxx
 ppp ipcp route default
 no cdp enable

ip nat inside source list 20 interface Dialer0 overload
ip nat inside source static tcp 192.168.25.5 22 interface Dialer0 2222
ip nat inside source static tcp 192.168.25.11 22 interface Dialer0 2223
ip nat inside source static tcp 192.168.25.12 22 interface Dialer0 2225
ip nat inside source static tcp 192.168.25.13 22 interface Dialer0 2224
ip route 0.0.0.0 0.0.0.0 Dialer0

dialer-list 1 protocol ip permit

Richard Noggin fucked around with this message at 19:37 on Jan 7, 2011

Bardlebee
Feb 24, 2009

Im Blind.
I preface this with I am not very good at ACLs, but here is my shot on what it sounds like you are trying to do:

ip access-list <extended id> permit TCP <External Address> eq 23 <Internal Address>
ip access-list <extended id> permit any any

Did you forget to add the permit any any? Happens to us all. This would cause disconnection of all other people if you are applying it to that particular port.

EDIT: Access-group should be going inward from your external port, I think.
EDIT2: I guess if you don't want to permit any any, you could permit any any established.

Bardlebee fucked around with this message at 17:19 on Jan 7, 2011

ragzilla
Sep 9, 2005
don't ask me, i only work here


jwh posted:

Well, yeah I'd love to have the 6509-V-E's instead of what I have. I'm not even sure how much those chassis cost compared to a regular 6509-E chassis. Something tells me they're probably expensive.

According to my pricelist, with no discount:
6509-E == $9500
6509-V-E == $9995

So not that much more.

They're a fair bit bigger than the regular 6509 though. 21RU vs. 15RU.

Bardlebee
Feb 24, 2009

Im Blind.
Hey, I wanted to ask what is going on here with my FTP server, logically.

Right now my FTP server's IP is something internal like 192.168.2.240.

When I put the following command in to make it accessible to the internet, external users who are connecting via my VPN IPSec setup can no longer connect to it.

ip nat inside source static <internal address> <external IP address> int faste0

What is the logic behind this? I am sure if I change their FTP program to reach <external address> then it would work just fine. I am just wondering what the heck the packets are doing.

Of course, this isn't going to stay FTP and I am moving them onto SFTP once I can find a good SFTP program to use for my server...

My guess is that it's because 192.168.2.240 is currently being NAT'd on my access-list and that maybe I need to deny it from being NAT'd on my overload line. Though I have posted it quite a few times in this thread, here is a short show run:

EDIT: Can I debug certain static NAT connections?

code:
crypto map vpn 10 ipsec-isakmp
 description VPN CONNECTION Tunnel
 set peer 66.0.0.0
 set transform-set esp-3des-sha1
 set pfs group2
 match address 101
!
archive
 log config
  hidekeys
!
!
!
!
!
interface Tunnel0
 no ip address
 ip mtu 1400
 ip tcp adjust-mss 1436
!
interface FastEthernet0
 description OUTSIDE INTERNET CONNECTION
 ip address 216.201.0.0 255.255.255.240
 ip mtu 1460
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 crypto map vpn
 crypto ipsec df-bit clear
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
 speed 100
!
interface Vlan1
 description INSIDE NETWORK
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 <ISP gateway>
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload <--using ACL 102
ip nat inside source static <internal address> <external IP address> int faste0
!
logging 67.215.65.132
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 70 remark THIS WILL DENY HOST A FROM TELNET
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 102 remark SDM_ACL Category=18
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq pop3
access-list 102 permit tcp any any eq 60001
access-list 102 permit ip 192.168.11.0 0.0.0.255 any
access-list 102 permit ip 192.168.11.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 104 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 105 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 106 permit ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 107 permit ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 109 permit ip 192.168.2.0 0.0.0.255 192.168.9.0 0.0.0.255
!

Richard Noggin
Jun 6, 2005
Redneck By Default

Bardlebee posted:

I preface this with I am not very good at ACLs, but here is my shot on what it sounds like you are trying to do:

ip access-list <extended id> permit TCP <External Address> eq 23 <Internal Address>
ip access-list <extended id> permit any any

Did you forget to add the permit any any? Happens to us all. This would cause disconnection of all other people if you are applying it to that particular port.

EDIT: Access-group should be going inward from your external port, I think.
EDIT2: I guess if you don't want to permit any any, you could permit any any established.

That's what I have tried, along with permit tcp any any established, but it still cut off access for internal systems to the internet. On an ASA, the following would do exactly what I want:
code:
global (outside) 1 interface
nat (inside) 1 192.168.25.0 255.255.255.0

static (inside,outside) tcp interface outside 2222 192.168.25.5 22 netmask 255.255.255.255
static (inside,outside) tcp interface outside 2223 192.168.25.11 22 netmask 255.255.255.255

access-list acl_out extended permit tcp host external_host host 192.168.25.5 eq 2222
access-list acl_out extended permit tcp host external_host host 192.168.25.11 eq 2223

access-group acl_out in interface outside

Bardlebee
Feb 24, 2009

Im Blind.

Richard Noggin posted:


code:
global (outside) 1 interface
nat (inside) 1 192.168.25.0 255.255.255.0

static (inside,outside) tcp interface outside 2222 192.168.25.5 22 netmask 255.255.255.255
static (inside,outside) tcp interface outside 2223 192.168.25.11 22 netmask 255.255.255.255

access-list acl_out extended permit tcp host external_host host 192.168.25.5 eq 2222
access-list acl_out extended permit tcp host external_host host 192.168.25.11 eq 2223

access-group acl_out in interface outside

Hmmm... perhaps it is because you are attempting to do a permit any any on the outside interface coming in. Then when the packets go out of the inside interface it gets denied by NAT?

I am as lost as you. :(

EDIT: Ah, where did you place the permit any any? Inside or out? It is possible that people's packets are being denied coming back from where they were headed.

CrazyLittle
Sep 11, 2001

Clapping Larry

Bardlebee posted:

ip access-list <extended id> permit TCP <External Address> eq 23 <Internal Address>
ip access-list <extended id> permit any any

Ummm just FYI...

"permit any any" nullifies the need for the previous line, because you're allowing any traffic from anywhere to anywhere over any protocol.

CrazyLittle
Sep 11, 2001

Clapping Larry

Richard Noggin posted:

Another stupid question. Same 1900 router, trying to configure an ACL to allow SSH traffic from a particular internet host to several internal addresses (which get PATed to 2222-2225). I have NAT going on the router. All the ACL combinations (applying the access-group to dialer0 in or out) I've tried have prevented local hosts from reaching the internet. Here's the basic config I have:

code:
*snip*

ip nat inside source list 20 interface Dialer0 overload
ip nat inside source static tcp 192.168.25.5 22 interface Dialer0 2222
ip nat inside source static tcp 192.168.25.11 22 interface Dialer0 2223
ip nat inside source static tcp 192.168.25.12 22 interface Dialer0 2225
ip nat inside source static tcp 192.168.25.13 22 interface Dialer0 2224
ip route 0.0.0.0 0.0.0.0 Dialer0

dialer-list 1 protocol ip permit

By default you don't need an ACL at all to make a PAT work. It functions on its own by virtue of the implicit "allow any" for traffic coming in to an interface. I think you're running into some other issue.

Also, you forgot to include any other ACLs that are in your config. As pasted above, your inside hosts wouldn't be able to surf the web, because there's no ACL 20.

Bardlebee
Feb 24, 2009

Im Blind.

CrazyLittle posted:

Ummm just FYI...

"permit any any" nullifies the need for the previous line, because you're allowing any traffic from anywhere to anywhere over any protocol.

:eng99: I got excited because I just got done watching the access-list videos for CCNA. Heh, completely missed that.

Richard Noggin
Jun 6, 2005
Redneck By Default

CrazyLittle posted:

By default you don't need an ACL at all to make a PAT work. It functions on its own by virtue of the implicit "allow any" for traffic coming in to an interface. I think you're running into some other issue.

Also, you forgot to include any other ACLs that are in your config. As pasted above, your inside hosts wouldn't be able to surf the web, because there's no ACL 20.

I can SSH into any of the devices specified in the nat statements currently. I need to restrict that to just a selected set of hosts on the internet.

Here's ACL 20:

code:

bch-rtr#sh access-list
Standard IP access list 20
    10 permit 192.168.25.0, wildcard bits 0.0.0.255 (21930 matches)
    20 permit 192.168.1.0, wildcard bits 0.0.0.255 (1050 matches)
    30 permit 192.168.2.0, wildcard bits 0.0.0.255 (450 matches)

CrazyLittle
Sep 11, 2001

Clapping Larry

Richard Noggin posted:

I can SSH into any of the devices specified in the nat statements currently. I need to restrict that to just a selected set of hosts on the internet.


Gotcha.

So really what you need is a "permit from hosts to these ports" followed by a "deny any to these ports".

Perhaps this:
code:
access-list 199 remark allow select outside hosts to reach ssh PAT
access-list 199 permit tcp host <allowed-host-ip1> host 222.222.222.222 range 2222 2225
access-list 199 permit tcp host <allowed-host-ip2> host 222.222.222.222 range 2222 2225
access-list 199 remark deny everyone else trying those ports
access-list 199 deny   tcp any host 222.222.222.222 range 2222 2225
access-list 199 remark permit everything else inbound, or the implicit deny cuts off return traffic
access-list 199 permit ip any any

interface Dialer0 
 ip access-group 199 in
The only caveat I can think of with the above ACL is twofold:
1) You have to write the ACL knowing what your outside IP is.
2) If the IP changes, the ACL will need to be changed too.

You could also try a variation on it that I'm too lazy to check if it would work. It's the same idea, but it's working under the assumption that you're not going to try to implement this ACL anywhere else, so only inbound traffic to your dialer will be selected.
code:
access-list 199 remark allow select outside hosts to reach ssh PAT
access-list 199 permit tcp host <allowed-host-ip1> any range 2222 2225
access-list 199 permit tcp host <allowed-host-ip2> any range 2222 2225
access-list 199 remark deny everyone else trying those ports
access-list 199 deny   tcp any any range 2222 2225
access-list 199 remark permit everything else inbound, or the implicit deny cuts off return traffic
access-list 199 permit ip any any

interface Dialer0 
 ip access-group 199 in
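
An added example, not code from the thread, that models how IOS walks a numbered extended ACL: the first matching line decides, and a packet that matches nothing hits the implicit deny at the end of the list. That is the reason a `permit any any` early in a list makes every later line dead (CrazyLittle's point a few posts up), and the reason an inbound list that only permits and denies the SSH PAT ports needs a trailing permit before the implicit deny if return traffic for the inside hosts is to get through at all. The parser also keeps track of whether a port spec follows the source address or the destination address, because `range 2222 2225` written right after the source matches source ports, which is the easiest mistake to make in this syntax. The allowed-host addresses 203.0.113.10/11, the packets, and the `Packet`/`Ace` names are constructed for the example; 222.222.222.222 and the 2222-2225 PAT ports come from the thread.

```python
"""IOS-style extended ACL evaluator: first match wins, and anything unmatched hits the implicit deny."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Ports = Optional[Tuple[int, int]]          # inclusive port range, None = any port
ANY = ipaddress.IPv4Network("0.0.0.0/0")

# Constructed for the example; 222.222.222.222 and the PAT ports come from the thread.
ACL_199 = """
access-list 199 remark allow select outside hosts to reach ssh PAT
access-list 199 permit tcp host 203.0.113.10 host 222.222.222.222 range 2222 2225
access-list 199 permit tcp host 203.0.113.11 host 222.222.222.222 range 2222 2225
access-list 199 remark deny everyone else trying those ports
access-list 199 deny   tcp any host 222.222.222.222 range 2222 2225
access-list 199 remark without this line the implicit deny also drops all other inbound traffic
access-list 199 permit ip any any
"""
# The same permit, but with the range written after the SOURCE: it now matches source ports.
MISPLACED = "access-list 199 permit tcp host 203.0.113.10 range 2222 2225 host 222.222.222.222"
# A permit-any early in the list makes every later line unreachable.
SHADOWED = "access-list 100 permit ip any any\naccess-list 100 deny tcp any any eq 23"

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: ipaddress.IPv4Network
    sports: Ports
    dst: ipaddress.IPv4Network
    dports: Ports

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.sports is None or self.sports[0] <= p.sport <= self.sports[1])
                and (self.dports is None or self.dports[0] <= p.dport <= self.dports[1]))

def _addr(t: List[str], i: int):
    """Consume 'any' | 'host A' | 'A WILDCARD' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host" or t[i + 1] == "0.0.0.0":          # wildcard 0.0.0.0 also means one host
        addr = t[i + 1] if t[i] == "host" else t[i]
        return ipaddress.IPv4Network(f"{addr}/32"), i + 2
    if t[i + 1] == "255.255.255.255":                    # all-ones wildcard means any address
        return ANY, i + 2
    # ipaddress accepts a host mask (a Cisco wildcard) in place of a netmask
    return ipaddress.IPv4Network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def _ports(t: List[str], i: int):
    """Consume an optional numeric 'eq N' | 'range A B' at t[i]; return (ports, next index)."""
    if i < len(t) and t[i] == "eq":
        return (int(t[i + 1]), int(t[i + 1])), i + 2
    if i < len(t) and t[i] == "range":
        return (int(t[i + 1]), int(t[i + 2])), i + 3
    return None, i

def parse_acl(text: str) -> List[Ace]:
    """Parse numbered extended 'access-list' lines; remarks and blank lines are skipped."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, i = _addr(t, 4)             # source address, then an optional SOURCE port spec
        sports, i = _ports(t, i)
        dst, i = _addr(t, i)             # destination address, then an optional DESTINATION port spec
        dports, _ = _ports(t, i)
        aces.append(Ace(t[2], t[3], src, sports, dst, dports))
    return aces

def evaluate(aces: List[Ace], pkt: Packet):
    """Return (action, 1-based ACE number); ('deny', None) means the implicit deny fired."""
    for n, ace in enumerate(aces, 1):
        if ace.matches(pkt):
            return ace.action, n
    return "deny", None

def _covers(outer: Ports, inner: Ports) -> bool:
    return outer is None or (inner is not None and outer[0] <= inner[0] and inner[1] <= outer[1])

def shadowed_lines(aces: List[Ace]) -> List[int]:
    """ACE numbers that can never match because an earlier ACE already covers everything they would."""
    out = []
    for j, later in enumerate(aces):
        if any(e.proto in ("ip", later.proto) and later.src.subnet_of(e.src) and later.dst.subnet_of(e.dst)
               and _covers(e.sports, later.sports) and _covers(e.dports, later.dports) for e in aces[:j]):
            out.append(j + 1)
    return out
```

Feeding the same packet (an allowed host, random source port, destination port 2223) through `parse_acl(ACL_199)` returns `("permit", 1)`, while through `parse_acl(MISPLACED)` it falls to `("deny", None)` because the range is being compared against the source port. Dropping the last two lines of `ACL_199` makes ordinary return traffic (source port 80, high destination port) hit the implicit deny, which is exactly the "internal hosts can't reach the internet" symptom. `shadowed_lines()` is a small lint for the other pitfall: on `SHADOWED` it reports line 2 as unreachable.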

ate shit on live tv
Feb 15, 2004

by Azathoth
Here is a CCNP level question: What does the following output tell you, and what was the command entered to produce it?
code:

BGP router identifier 204.8.240.2, local AS number 32782
BGP table version is 89400417, main routing table version 89400417
351184 network entries using 41088528 bytes of memory
982943 path entries using 51113036 bytes of memory
211475/67170 BGP path/bestpath attribute entries using 33836000 bytes of memory
192671 BGP AS-PATH entries using 7336330 bytes of memory
358 BGP community entries using 14140 bytes of memory
2 BGP route-map cache entries using 64 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 133388098 total bytes of memory
Dampening enabled. 82 history paths, 330 dampened paths
BGP activity 1423577/1072393 prefixes, 26254342/25271399 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
77.67.78.45     4        3257 41332314  843665 89400400    0    0 4w3d       334374
118.84.4.69     4        4134  776880  240172 89400400    0    0 3w0d        18980
204.8.240.3     4       32782 23004143 27380822 89400418    0    0 42w5d      287687
204.8.240.5     4       32782 1458333 27433733 89400418    0    0 39w6d        6215
216.52.91.33    4       13789 142671464  429796 89400400    0    0 8w6d       335604

CrazyLittle
Sep 11, 2001

Clapping Larry

Powercrazy posted:

Here is a CCNP level question: What does the following output tell you, and what was the command entered to produce it?
code:

BGP router identifier 204.8.240.2, local AS number 32782
BGP table version is 89400417, main routing table version 89400417
351184 network entries using 41088528 bytes of memory
982943 path entries using 51113036 bytes of memory
211475/67170 BGP path/bestpath attribute entries using 33836000 bytes of memory
192671 BGP AS-PATH entries using 7336330 bytes of memory
358 BGP community entries using 14140 bytes of memory
2 BGP route-map cache entries using 64 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 133388098 total bytes of memory
Dampening enabled. 82 history paths, 330 dampened paths
BGP activity 1423577/1072393 prefixes, 26254342/25271399 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
77.67.78.45     4        3257 41332314  843665 89400400    0    0 4w3d       334374
118.84.4.69     4        4134  776880  240172 89400400    0    0 3w0d        18980
204.8.240.3     4       32782 23004143 27380822 89400418    0    0 42w5d      287687
204.8.240.5     4       32782 1458333 27433733 89400418    0    0 39w6d        6215
216.52.91.33    4       13789 142671464  429796 89400400    0    0 8w6d       335604


Tells me you work on Wall Street (not srs) ;)
sh ip bgp sum

*edit* for some reason I thought you were US-East coast/NYC or something.

CrazyLittle fucked around with this message at 21:57 on Jan 7, 2011

ate shit on live tv
Feb 15, 2004

by Azathoth
Well that is where I'm at, that is our internet edge, and that is of course the command that was run. Now for some harder questions that the BSCI loves to ask.

code:
edge6504a#sh ip bgp neighbors 77.67.78.45
BGP neighbor is 77.67.78.45,  remote AS 3257, external link
 Description: Tiscali 10G transit
  BGP version 4, remote router ID 213.200.87.92
  BGP state = Established, up for 4w3d
  Last read 00:00:06, last write 00:00:28, hold time is 90, keepalive interval is 30 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    Four-octets ASN Capability: advertised and received
    Address family IPv4 Unicast: advertised and received
    Address family IPv4 Multicast: received
    Graceful Restart Capability: received
      Remote Restart timer is 120 seconds
      Address families advertised by peer:
        none

Is this an iBGP or eBGP neighbor? How can you tell?
What if the router ID of the remote router was the same as the local router? What if it was on the same subnet as the local router?

Ninja Rope
Oct 22, 2005

Wee.

Thanks for the links, I'll give them a read. It's a 4948 running 12.2, and I believe I've gotten pretty close to what I want with the smallest allowed burst size when policing. Since I'm simulating lots of small connections and from limited clients I think the smallest burst size is what I want. Obviously it doesn't get me near the max configured rate, but it's at least somewhat consistent.
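
As an added illustration of the policed rate vs. burst question above (this is not code from the thread or from Cisco's documentation), here is the single-rate token-bucket model behind interface policing: the policed rate refills a bucket of bytes, the burst is the depth of that bucket, and a packet conforms only if the bucket currently holds at least its size. The 1.5 Mbit/s rate, the bucket sizes, and the two packet traces are constructed; both traces offer the same 1.2 Mbit/s average, which is below the policed rate, but one delivers its packets ten at a time and the other evenly spaced.

```python
"""Single-rate token-bucket policer, the model behind 'police <rate> <burst>' on Cisco switches."""
from typing import List, Tuple

Trace = List[Tuple[float, int]]     # (arrival time in seconds, packet size in bytes)


class TokenBucketPolicer:
    """Tokens are bytes. They refill at rate_bps/8 bytes per second and the bucket holds
    at most burst_bytes, so burst_bytes is the most that can pass back to back."""

    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate_bps, self.burst_bytes = rate_bps, burst_bytes
        self.tokens = float(burst_bytes)    # the bucket starts full
        self.last_t = 0.0

    def offer(self, t: float, size: int) -> bool:
        """Offer a packet arriving at time t; True = conform (forward), False = exceed (drop)."""
        refill = (t - self.last_t) * self.rate_bps / 8
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False                         # a packet larger than the bucket never conforms


def bursty_trace(n_bursts: int = 10, per_burst: int = 10, size: int = 1500, interval: float = 0.1) -> Trace:
    """Constructed trace: per_burst packets arrive at the same instant every `interval` seconds.
    The defaults give 150,000 bytes in one second, i.e. a 1.2 Mbit/s average."""
    return [(b * interval, size) for b in range(n_bursts) for _ in range(per_burst)]


def smooth_trace(n: int = 100, size: int = 1500, interval: float = 0.01) -> Trace:
    """Constructed trace with the same 1.2 Mbit/s average as bursty_trace(), evenly spaced."""
    return [(i * interval, size) for i in range(n)]


def police(rate_bps: int, burst_bytes: int, trace: Trace) -> Tuple[int, int]:
    """Run a trace through a fresh policer; returns (conforming bytes, exceeding bytes)."""
    policer = TokenBucketPolicer(rate_bps, burst_bytes)
    conforming = exceeding = 0
    for t, size in trace:
        if policer.offer(t, size):
            conforming += size
        else:
            exceeding += size
    return conforming, exceeding


if __name__ == "__main__":
    RATE = 1_500_000                         # constructed policed rate: 1.5 Mbit/s, DSL-like
    for label, burst, trace in [("bursty, 16 kB burst", 16_000, bursty_trace()),
                                ("bursty,  3 kB burst", 3_000, bursty_trace()),
                                ("bursty,  1 kB burst", 1_000, bursty_trace()),
                                ("smooth,  3 kB burst", 3_000, smooth_trace())]:
        ok, dropped = police(RATE, burst, trace)
        print(f"{label}: {ok} bytes conform, {dropped} bytes exceed "
              f"({100 * ok / (ok + dropped):.0f}% delivered)")
```

With a 16 kB bucket every byte of the bursty trace conforms; with a 3 kB bucket only two packets of each ten-packet burst get through (20% delivered) even though the average load is under the rate, while the smooth trace at the same average passes untouched through the same 3 kB bucket. The 1 kB case is the edge case worth knowing: a bucket smaller than a full-size packet never lets such a packet conform, so with the smallest burst the throughput you see depends on the arrival pattern rather than on the configured rate, which matches the observation above that the minimum burst never gets near the configured maximum.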

ragzilla
Sep 9, 2005
don't ask me, i only work here


Powercrazy posted:

Well that is where I'm at, that is our internet edge, and that is of course the command that was run. Now for some harder questions that the BSCI loves to ask.

code:
edge6504a#sh ip bgp neighbors 77.67.78.45
BGP neighbor is 77.67.78.45,  remote AS 3257, external link
 Description: Tiscali 10G transit
  BGP version 4, remote router ID 213.200.87.92
  BGP state = Established, up for 4w3d
  Last read 00:00:06, last write 00:00:28, hold time is 90, keepalive interval is 30 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    Four-octets ASN Capability: advertised and received
    Address family IPv4 Unicast: advertised and received
    Address family IPv4 Multicast: received
    Graceful Restart Capability: received
      Remote Restart timer is 120 seconds
      Address families advertised by peer:
        none

Is this an iBGP or eBGP neighbor? How can you tell?
What if the router ID of the remote router was the same as the local router? What if it was on the same subnet as the local router?

First line says 'external link', eBGP.

PS Tell Brandon (or whoever your current ARIN Tech/Admin POC is) to validate their contact info with ARIN.


Powercrazy posted:

lol I think that I'm actually supposed to do that. Brandon was our old CIO. :ohdear:

Hope you still have access to his email address, otherwise ARIN is a bitch to get that sort of thing changed over. Expect requests for faxes or snail mail on letterhead.

ragzilla fucked around with this message at 23:54 on Jan 7, 2011

ate shit on live tv
Feb 15, 2004

by Azathoth
lol I think that I'm actually supposed to do that. Brandon was our old CIO. :ohdear:

CrazyLittle
Sep 11, 2001

Clapping Larry

Powercrazy posted:

Is this an iBGP or eBGP neighbor? How can you tell?
What if the router ID of the remote router was the same as the local router? What if it was on the same subnet as the local router?

eBGP because of the public AS#, whereas for iBGP you should be using private ASes in the 65k-something range.

Not quite up to snuff on the router ID stuff. Local subnet should be less important (sic) because you can do eBGP over a peering link to some other router also exchanging BGP (and transit) with you. If they had the same router ID... bad news? *shrug*

I should really get off my rear end and go test CCNA so I can start working on a CCNP.

Also, how'd you get a gig doing BGP for Forex? Is it worthwhile trying to get into net-engineering for financial dbags?

Jimmy Carter
Nov 3, 2005

THIS MOTHERDUCKER
FLIES IN STYLE
Out of curiosity:
I just tried enabling NBAR on my 871 to play around with QoS, and it dropped my throughput from 40 mbits down to about 30-ish. What level router supports that kind of sustained bandwidth?

ragzilla
Sep 9, 2005
don't ask me, i only work here


CrazyLittle posted:

eBGP because of the public AS#, whereas for iBGP you should be using private ASes in the 65k-something range.

iBGP/eBGP has nothing to do with whether you're using private or public ASNs. eBGP/iBGP depends on whether the 2 routers are configured to use the same BGP AS.

code:
[Router A - AS1]
        |
[Router B - AS1]
        |
[Router C - AS2]
A-B is an iBGP link. B-C is an eBGP link.

CrazyLittle
Sep 11, 2001

Clapping Larry

ragzilla posted:

iBGP/eBGP has nothing to do with whether you're using private or public ASNs. eBGP/iBGP depends on whether the 2 routers are configured to use the same BGP AS.

code:
[Router A - AS1]
        |
[Router B - AS1]
        |
[Router C - AS2]
A-B is an iBGP link. B-C is an eBGP link.

oh poopy.
Yep. I should start up on my book learnin' again. This voip poo poo is giving me gray hair.

Jimmy Carter posted:

Out of curiosity:
I just tried enabling NBAR on my 871 to play around with QoS, and it dropped my throughput from 40 mbits down to about 30-ish. What level router supports that kind of sustained bandwidth?

40 mbits WITH nbar? 88x or 89x.
http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

ate shit on live tv
Feb 15, 2004

by Azathoth
As Ragzilla said, since that neighbor is in a different BGP AS it is an eBGP neighbor. The other way to tell is the "external link". If it were an internal link then it would be an iBGP neighbor. The public/private AS distinction is unimportant and the BGP process doesn't treat either one any differently.

The router ID isn't an IP address. It may use an IP address for convenience and also to help ensure that it is unique, but it is just a number. Two routers cannot form a neighborship if they have the same router ID.

However a scenario like this:

[Router A]----[Router B]-----[Router C]

Where router A and C have the same router ID that is different from B is an acceptable scenario. And of course Router A and C would have to be in separate ASes.
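
An added example, not code from the thread, that reads the two outputs Powercrazy posted (`sh ip bgp sum` and `sh ip bgp neighbors`) the way a monitoring script would: it takes the local AS from the first line of the summary, classifies each peer as iBGP or eBGP by comparing the peer's AS with the local AS (ragzilla's rule, not public vs. private ASN), treats a numeric last column as the prefix count of an Established session and anything else as the state name, and flags a remote router ID equal to the local one, which is the case Powercrazy says cannot form a session. The two sample blocks are excerpts of the outputs from the thread; the third summary, with a peer stuck in Active and another administratively shut, is constructed, as are the `Peer` and function names.

```python
"""Parse 'show ip bgp summary' / 'show ip bgp neighbors' output and classify BGP peers."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Excerpt of the 'sh ip bgp sum' output posted in the thread.
SUMMARY = """BGP router identifier 204.8.240.2, local AS number 32782
BGP table version is 89400417, main routing table version 89400417
Dampening enabled. 82 history paths, 330 dampened paths
BGP activity 1423577/1072393 prefixes, 26254342/25271399 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
77.67.78.45     4        3257 41332314  843665 89400400    0    0 4w3d       334374
118.84.4.69     4        4134  776880  240172 89400400    0    0 3w0d        18980
204.8.240.3     4       32782 23004143 27380822 89400418    0    0 42w5d      287687
204.8.240.5     4       32782 1458333 27433733 89400418    0    0 39w6d        6215
216.52.91.33    4       13789 142671464  429796 89400400    0    0 8w6d       335604
"""

# Excerpt of the 'sh ip bgp neighbors 77.67.78.45' output posted in the thread.
NEIGHBOR = """BGP neighbor is 77.67.78.45,  remote AS 3257, external link
 Description: Tiscali 10G transit
  BGP version 4, remote router ID 213.200.87.92
  BGP state = Established, up for 4w3d
"""

# Constructed summary (not from the thread) with two sessions that are not up.
DOWN_SUMMARY = """BGP router identifier 192.0.2.1, local AS number 64512
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.0.2.9       4        64512       0       0        0    0    0 never    Active
198.51.100.2    4        64513       0       0        0    0    0 00:04:12 Idle (Admin)
"""


@dataclass
class Peer:
    address: str
    remote_as: int
    kind: str                 # "iBGP" if the peer's AS equals the local AS, else "eBGP"
    state: str                # "Established" or the state name from the last column
    prefixes: Optional[int]   # prefixes received, only meaningful when Established
    uptime: str


def parse_bgp_summary(text: str) -> Tuple[Optional[str], Optional[int], List[Peer]]:
    """Return (router id, local AS, peers) from 'show ip bgp summary' output."""
    router_id, local_as, peers, in_table = None, None, [], False
    for line in text.splitlines():
        m = re.match(r"BGP router identifier (\S+), local AS number (\d+)", line)
        if m:
            router_id, local_as = m.group(1), int(m.group(2))
        elif line.startswith("Neighbor"):
            in_table = True          # column header: peer rows follow
        elif in_table and len(line.split()) >= 10:
            f = line.split()
            remote_as, tail = int(f[2]), " ".join(f[9:])
            # A numeric last column is the prefix count of an Established session;
            # otherwise it is the state name (Idle, Active, Connect, OpenSent, ...).
            state, prefixes = ("Established", int(tail)) if tail.isdigit() else (tail, None)
            kind = "iBGP" if remote_as == local_as else "eBGP"
            peers.append(Peer(f[0], remote_as, kind, state, prefixes, f[8]))
    return router_id, local_as, peers


def parse_bgp_neighbor(text: str) -> dict:
    """Pull the fields that decide iBGP/eBGP and router-ID uniqueness out of 'show ip bgp neighbors'."""
    head = re.search(r"BGP neighbor is (\S+),\s+remote AS (\d+), (external|internal) link", text)
    rid = re.search(r"remote router ID (\S+)", text)
    state = re.search(r"BGP state = (\w+)", text)
    return {
        "address": head.group(1),
        "remote_as": int(head.group(2)),
        "kind": "eBGP" if head.group(3) == "external" else "iBGP",
        "remote_router_id": rid.group(1) if rid else None,
        "state": state.group(1) if state else None,
    }


def summary_issues(peers: List[Peer]) -> List[str]:
    """Sessions that are not Established, as a monitoring check would report them."""
    return [f"{p.address} (AS {p.remote_as}, {p.kind}) is {p.state}" for p in peers if p.state != "Established"]


def neighbor_issues(detail: dict, local_router_id: str) -> List[str]:
    """Flag a router-ID collision (the session cannot form) and a session that is not up."""
    issues = []
    if detail["remote_router_id"] == local_router_id:
        issues.append(f"router ID {local_router_id} collides with the local router ID")
    if detail["state"] != "Established":
        issues.append(f"session with {detail['address']} is {detail['state']}")
    return issues


if __name__ == "__main__":
    router_id, local_as, peers = parse_bgp_summary(SUMMARY)
    print(f"local router ID {router_id}, AS {local_as}")
    for p in peers:
        print(f"  {p.address:<14} AS {p.remote_as:<6} {p.kind}  {p.state} ({p.prefixes} prefixes, up {p.uptime})")
    print("neighbor detail:", parse_bgp_neighbor(NEIGHBOR))
    print("down sessions:", summary_issues(parse_bgp_summary(DOWN_SUMMARY)[2]))
```

On the thread's summary this classifies the two 32782 peers (204.8.240.3 and .5) as iBGP and the 3257, 4134 and 13789 peers as eBGP, all Established; on the neighbor detail it reports eBGP from the "external link" text and a remote router ID that differs from the local 204.8.240.2, so no collision. The state column is the part people get wrong in scripts: `Idle (Admin)` is two tokens, which is why the code joins everything after the uptime column instead of taking a fixed field.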

Bardlebee
Feb 24, 2009

Im Blind.
Can you guys recommend me a cheap router that has the Cisco IOS on it that I can use for my home router? I would like to set up NAT at home and practice there as well. I know there are sims, but I would like to set it up at home too.

It would be even more awesome if this router was not loud.

CrazyLittle
Sep 11, 2001

Clapping Larry

Bardlebee posted:

Can you guys recommend me a cheap router that has the Cisco IOS on it that I can use for my home router? I would like to set up NAT at home and practice there as well. I know there are sims, but I would like to set it up at home too.

It would be even more awesome if this router was not loud.

Cisco 861/871/88x, or find a cheap 1841/1811 on eBay.

Example eBay listings:

871, $219 buy-it-now: http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=120670257213
1811, $289 buy-it-now: http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=110632828407

CrazyLittle fucked around with this message at 19:53 on Jan 10, 2011

Bardlebee
Feb 24, 2009

Im Blind.
When setting up NAT overload for a home setting, I suppose the IP they give you will change once a month. Should I be concerned about that? Will I have to reconfigure my router for this every time my ISP changes its mind on my IP?

Thanks for the recommendation!

Harry Totterbottom
Dec 19, 2008

Bardlebee posted:

When setting up NAT overload for a home setting, I suppose the IP they give you will change once a month. Should I be concerned about that? Will I have to reconfigure my router for this every time my ISP changes its mind on my IP?

Thanks for the recommendation!

Configure the WAN interface to use DHCP and you'll be fine.

Bardlebee
Feb 24, 2009

Im Blind.

Harry Totterbottom posted:

Configure the WAN interface to use DHCP and you'll be fine.

I didn't know you could do this. Learn something new in this forum every day it seems. :)

Thanks

Syano
Jul 13, 2005
I need a device suggestion if you don't mind. We want to standardize on a single platform for all our offices. Each office is going to have 2 internet connections that will both be ethernet handoff, so no need to support T1s or anything. Each office will need to VPN back to a central 'datacenter' and the VPN needs to fail over if one of the connections goes down. I would love it if it could actually load balance over both connections. Am I looking at an ASA or an IOS device here?

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
I've always leaned towards routers with the appropriate feature set as a more flexible option than PIX/ASA. Something like the fixed config 1811s are nice for such things since they come with Advanced IP Services at minimum, which may give you all of the features you need.

There's probably several ways you could handle your VPN failover requirement. We have a customer with similar requirements and routers with VTI tunnels and OSPF works extremely well. I'm pretty sure neither of these are supported on ASA.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

falz posted:

I've always leaned towards routers with the appropriate feature set as a more flexible option than PIX/ASA. Something like the fixed config 1811s are nice for such things since they come with Advanced IP Services at minimum, which may give you all of the features you need.

There's probably several ways you could handle your VPN failover requirement. We have a customer with similar requirements and routers with VTI tunnels and OSPF works extremely well. I'm pretty sure neither of these are supported on ASA.

OSPF? Yes. VTIs? No.

CrazyLittle
Sep 11, 2001

Clapping Larry

Syano posted:

I need a device suggestion if you don't mind. We want to standardize on a single platform for all our offices. Each office is going to have 2 internet connections that will both be ethernet handoff, so no need to support T1s or anything. Each office will need to VPN back to a central 'datacenter' and the VPN needs to fail over if one of the connections goes down. I would love it if it could actually load balance over both connections. Am I looking at an ASA or an IOS device here?

how fast are these connections?

Syano
Jul 13, 2005

CrazyLittle posted:

how fast are these connections?

Generally speaking 5mb/s up and down, give or take a meg. Let me ask this while we are at it. Is it possible to have multiple VPNs open to the same subnet? In other words you have 2 sites, siteA and siteB. SiteA has two internet connections. SiteB has two internet connections. Is it possible to open VPNs across both connections from siteA to both connections at SiteB?

Syano fucked around with this message at 14:10 on Jan 12, 2011


falz
Jan 29, 2005

01100110 01100001 01101100 01111010

Tremblay posted:

OSPF? Yes. VTIs? No.

In his case OSPF seems somewhat useless without a way to tunnel it since ASA's can't do GRE/VTI/whatever.
