|
CrazyLittle posted: Is there any way to get a WIC-1ADSL to work inside a NM-2FE2W inside a Cisco 3640? I'm getting tired of trying different IOS loads.

Anything with a Plus featureset is supposed to work: http://www.cisco.com/en/US/products/hw/routers/ps214/products_tech_note09186a00800ae37f.shtml

Latest GD/LD/ED loads from FN: code:
|
# ? Aug 10, 2007 01:00 |
|
|
# ? Apr 26, 2024 10:17 |
|
TheCaptain posted: Cisco's site is down!

words.

Analog LED fucked around with this message at 18:19 on Aug 13, 2007 |
# ? Aug 10, 2007 01:19 |
|
jwh posted: Should work I think, is the WIC known good?

Yeah it's known good. I'll have to get back to you on that - I borked the IOS by loading an unstable one without having a backup IOS left on flash.

Girdle Wax posted: Anything with a Plus featureset is supposed to work:

I'm 8mb short on flash. I tried loading an ED and that's what put me in my current situation.

CrazyLittle fucked around with this message at 01:48 on Aug 10, 2007 |
# ? Aug 10, 2007 01:44 |
|
Paul Boz_ posted: Oh well, I thought the 2500 was more modular than that, but I've really only worked with 2600's+. I don't want to spend $300 on a properly equipped 2600 though :/

I ended up going to Weird Stuff and I found their stack of 2500's. It looks like some models have 3 slots, some with CSU/DSU cards in them, but I don't know if they're the same as the WIC slots you'd find on a newer router. They also had a Cat 5000 (with a 10/100 module!), if anyone needs CatOS practice.
|
# ? Aug 10, 2007 02:30 |
|
Analog LED posted: Words.

Do you really think you should be talking about this?
|
# ? Aug 10, 2007 04:00 |
|
Tremblay posted: Do you really think you should be talking about this?

Nothing he said there hasn't already been said on NANOG/C-NSP/Cisco Blog...
|
# ? Aug 10, 2007 04:08 |
|
Girdle Wax posted: Nothing he said there hasn't already been said on NANOG/C-NSP/Cisco Blog...

Fair enough, some higher ups get tweaked over stupid poo poo. That's all.
|
# ? Aug 10, 2007 07:28 |
|
What are some good Cisco blogs to check out?
|
# ? Aug 10, 2007 18:15 |
|
jwh posted: What's 'sh inventory raw' say about the WIC?

Huh. There's definitely something weird going on here. The NM isn't starting up properly. code:
code:
code:
|
# ? Aug 11, 2007 19:37 |
|
Girdle Wax posted: Anything with a Plus featureset is supposed to work:

The software advisor won't build a 3640 + NM-2FE2W + WIC-1ADSL. It could just be the software advisor isn't up to date.
|
# ? Aug 12, 2007 15:06 |
|
I have 2 questions relating to my ASA5505 that I had posted earlier about getting.

1) Comcast gives me a DHCP public IP, they said they won't offer static to home users. Is there a way/trick/whatever to get port forwarding to work with a dynamic IP on the outside interface? I already have a dyndns.org hostname pointing to the correct IP (updating using the windows client). The guy who was helping me had no clue how to do it because he couldn't just plug the outside IP in. For two examples, I'd like to forward:
Port 3389 to 10.0.1.99
Port 22 to 10.0.1.22

2) I set up VPN using the wizard, installed the OS X client on my Macbook Pro, everything works GREAT. Split tunneling is very nice, 3DES is also nice, the whole thing connects very quickly and access to internal resources is nice and snappy. However, at one of my clients, I'm behind a Pix 515 firewall that has PPTP passthrough enabled and is the endpoint for a handful of site-to-site VPN connections. The issue is this: I can connect to my home VPN from behind the Pix, but I cannot access any resources (ping/RDC/shares/etc.). Any idea where the issue is or what needs to be fixed?

Thanks!

edit: I'd post my running config, but thanks to #2, I can't access the config from here.
|
# ? Aug 13, 2007 15:13 |
|
delslo posted: I have 2 questions relating to my ASA5505 that I had posted earlier about getting.

The Cisco VPN is not using PPTP, it's using IPSec/L2TP so there's a couple of things to check: Do you have NAT traversal turned on on _your_ VPN config on the ASA? (Labelled NAT-T I believe in ASDM). Is the PIX blocking AH or ESP protocols?
|
# ? Aug 13, 2007 15:41 |
|
delslo posted: I have 2 questions relating to my ASA5505 that I had posted earlier about getting.

1) Forward from the interface, like so: code:
code:
|
# ? Aug 13, 2007 15:41 |
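The "forward from the interface" approach named in the reply above, written out as an added example (not the config from the original post, which did not survive on this page). It assumes ASA 7.x syntax from before the 8.3 NAT rewrite, interfaces named inside and outside, and an ACL name and admin source address chosen here for illustration.

```cisco
! Added illustration, ASA 7.x syntax (before the 8.3 NAT rewrite).
! Assumed names: interfaces "inside"/"outside", ACL "outside_in".
! 198.51.100.10 is a constructed placeholder for a known admin source address.

! Static PAT: the keyword "interface" stands for whatever address DHCP
! currently assigns to the outside interface, so no fixed public IP is needed.
static (inside,outside) tcp interface 3389 10.0.1.99 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 22 10.0.1.22 22 netmask 255.255.255.255

! Broad form: any Internet host can reach RDP and SSH on the inside hosts.
! access-list outside_in extended permit tcp any interface outside eq 3389
! access-list outside_in extended permit tcp any interface outside eq 22

! Narrower form: only the known source may use the forwards.
access-list outside_in extended permit tcp host 198.51.100.10 interface outside eq 3389
access-list outside_in extended permit tcp host 198.51.100.10 interface outside eq 22

! The translations pass no traffic until the ACL is bound inbound on outside.
access-group outside_in in interface outside
```

`show xlate` lists the port translations once traffic has matched them, and `show access-list outside_in` shows per-line hit counts.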
|
Girdle Wax posted: The Cisco VPN is not using PPTP, it's using IPSec/L2TP so there's a couple of things to check:

The ASA is set up to allow NAT traversal. Thanks guys, I'm going to take a look at the Pix first, if I can get to the ASA from here, I'll make the changes to that as well, if not, I'll have to wait till I get home.
|
# ? Aug 13, 2007 16:40 |
|
Not exactly a Cisco item, but ouch:

08/13/2007,13:35:39 [RoBo ][PROG][PROGRESS/STATUS MESSAGE FROM AT&T] There are 128 Core T3's failed of which 100 are restored in Palm Springs, CA (LSANCA03 PHNXAZMA). The AT&T T3 Group has isolated this to a fiber cut in Palm Springs, CA. There is no ETTR available at this time.

That has to be a bad day for somebody.
|
# ? Aug 13, 2007 22:00 |
|
jwh posted: There is no ETTR available at this time.

That's what really hurts right there.
|
# ? Aug 13, 2007 22:35 |
|
delslo posted: I should have clarified, the Pix 515 I'm behind is set up for PPTP Passthrough to a Windows server running Routing and Remote Access. I know, I know, but that's how it's set up.

There is a bug that was fixed in ASA code. Basically PPTP + PAT == no no in 7.x code. It does work in 6.x but it turned the nat tables into spaghetti. What version of code is on the PIX and what is the ASA running?
|
# ? Aug 14, 2007 03:47 |
|
inignot posted: Really...that's the day I was in RTP taking the test. If you were in RTP on the same day I was, I assure you I wasn't the doughy Russian guy that was freaking out & bugging the proctor every 10 minutes.

Hey! I was the guy that was talking to the doughy Russian guy in the beginning about the time I spent in Iraq....small world huh? Yeah, I was getting a little irritated on hearing him argue with the proctor about how something was supposed to work. At any rate, I went through the IPExpert, and the Internetwork workbooks...but it wasn't until I passed one of the Netmaster mock labs that I truly felt ready again. Sadly this was attempt #5 for me...but that was due to a lot of factors...mainly study habits, and time between lab attempts. I hope you did well on that day as well!
|
# ? Aug 15, 2007 03:17 |
|
CrazyLittle posted: What's the length of qualification for a CCIE?

The average CCIE makes 116K, that's enough to make most convert to the dark side =) http://tcpmag.com/salarysurveys/2007/charts/chart8.aspx

Also, I've never met a CCIE that had only two years of experience, although I have met guys that have taken two years off to study for it. I agree with you though... you shouldn't go for this cert unless you live and breathe Cisco. This is not a paper cert by any stretch of imagination.
|
# ? Aug 15, 2007 03:25 |
|
The small office I work for is replacing their WRT54G with a Cisco 1811W. It's fallen to me to help out after I finished the stuff I was working on. I'm using the web app to configure it, but I'm unable to get a basic NAT box up and running properly. I managed to configure one interface as the upstream link to the ISP, configured as a DHCP client. I can ping the outside world from the router. Any clients connected to the switch interfaces get configured properly from the DHCP server on the router. I can ping through the router to the uplink interface, but I'm unable to get any further than that. It says the firewall is off, do I need to turn it on and apply "allow any" rules or something? Is there some small, but vital detail I'm missing? I'd just like to get it up and running the way DD-WRT was before and handle the other features later. Is there a basic guide for using these things geared towards people who know networking, but don't have a lot of Cisco experience anywhere on the net?
|
# ? Aug 15, 2007 03:52 |
|
Does anybody know of any (free, preferably) software that makes a Cisco config a little more presentable or easier for the not-Cisco-initiated to read? I'm in the middle of doing the paperwork side of a security audit, and part of what the client wants is their firewall/router configs examined, any weaknesses identified, etc, etc. This means it has to go in the audit document. This means my awesome document now looks crap. Anybody know of anything at all?
|
# ? Aug 16, 2007 07:44 |
|
Smegmatron posted: Does anybody know of any (free, preferably) software that makes a Cisco config a little more presentable or easier for the not-Cisco-initiated to read?

Uh? If the customer wants their config audited, and they can't read a config, they probably aren't going to know what to do with your results. Just do what most security auditors do, run nmap, then wave around the results & blather loudly and dramatically about some random port having a "hash checksum injection" vulnerability that is "serious business".
|
# ? Aug 16, 2007 12:37 |
|
off topic but:

quote: c:>ssh -l root https://www.cia.gov

That is loving hilarious. Also why does the Debug All command even exist? It crashes all routers/switches immediately. I see no reason to use it ever.
|
# ? Aug 16, 2007 16:30 |
|
sund posted: The small office I work for is replacing their WRT54G with a Cisco 1811W. It's fallen to me to help out after I finished the stuff I was working on. I'm using the web app to configure it, but I'm unable to get a basic NAT box up and running properly. I managed to configure one interface as the upstream link to the ISP, configured as a DHCP client. I can ping the outside world from the router. Any clients connected to the switch interfaces get configured properly from the DHCP server on the router. I can ping through the router to the uplink interface, but I'm unable to get any further than that. It says the firewall is off, do I need to turn it on and apply "allow any" rules or something? Is there some small, but vital detail I'm missing? I'd just like to get it up and running the way DD-WRT was before and handle the other features later.

This is for SDM 2.3, but 2.4 is basically the same: http://cisco.com/en/US/products/sw/secursw/ps5318/products_user_guide_chapter09186a008065604a.html
|
# ? Aug 16, 2007 17:12 |
|
CrazyLittle posted: Huh. There's definitely something weird going on here. The NM isn't starting up properly.

Figured it out: bad RAM
|
# ? Aug 16, 2007 18:46 |
|
Ninja Rope posted: I ended up going to Weird Stuff and I found their stack of 2500's.

Dude could I paypal you the money for a 2500 with wic slot? That is, if that place isn't too far out of the way.

jwh posted: Not exactly a Cisco item, but ouch:

Somebody backhoe'd both rings of one of my OC48's last week. It was a nightmare.
|
# ? Aug 16, 2007 22:31 |
|
Paul Boz_ posted: Dude could I paypal you the money for a 2500 with wic slot? That is, if that place isn't too far out of the way.

Sure, it's right down the street from where I work. Normally you can order stuff directly from their website (https://www.weirdstuff.com), but they don't have much of their Cisco gear on there. I'm not sure what that means, but they sure do have a bunch in stock. The ones with the WIC slots/CSU+DSU cards are $30 each. AIM's in my profile.
|
# ? Aug 16, 2007 23:20 |
|
inignot posted: Uh? If the customer wants their config audited, and they can't read a config, they probably aren't going to know what to do with your results.

They're a weird mob (lawyers) and they like pretty things and whatnot in presentations, but the nmap plan was already put into action ages ago. Nessus, too, purely because of aforementioned pretty output.
|
# ? Aug 17, 2007 06:27 |
|
Paul Boz_ posted: Dude could I paypal you the money for a 2500 with wic slot? That is, if that place isn't too far out of the way.

They're not regular WICs, you know that, right?
|
# ? Aug 17, 2007 06:55 |
|
jwh posted: They're not regular WICs, you know that, right?

Yeah, like I said, they don't seem to be the same as normal WICs. Make sure whatever you want to put into them works, don't assume any old FE WIC will work.

Edit: Per Cisco, apparently it supports the following "WAN interface options":
* 4-wire 56/64-DSU/CSU (RJ-48S)
* Fractional T1/T1 DSU/CSU (RJ-48C)
* Five-in-one synchronous serial (DB-60)
* ISDN BRI (RJ-45)
* ISDN BRI with integrated NT1 (RJ-45)

Ninja Rope fucked around with this message at 07:12 on Aug 17, 2007 |
# ? Aug 17, 2007 07:03 |
|
I have a question about configuring a 1231G AP, multiple SSIDs, and Active Directory authentication. Basically I want the 1231G to advertise two SSIDs, this appears to be the easy part. One SSID will be the guest SSID with the following ACL applied to it: code:
The second SSID would be for actual employees to use and should automatically accept or reject their connection based on their current logged-in Windows credentials. The biggest thing I'm concerned about is deploying these APs without having to configure EAP individually on each PC or deal with certificates manually. I just want it so if the user's AD account is in some sort of "WiFi" group then it will allow them access. Right now we authenticate logins to our Cisco device through ACS 3.3 based on our AD logins, so it sounds like I will be using this to authenticate the end users with AD. I guess if someone can at least point me in the direction of a guide or at least give me some keywords or technologies I need to look at that would help. However if someone wants to actually help with the config I'm not going to stop you.
|
# ? Aug 17, 2007 17:01 |
|
Look into 802.1x to authenticate wireless users; it can use radius, which can in turn use AD.
|
# ? Aug 17, 2007 20:12 |
|
Powercrazy posted: off topic but:

Probably one of those boobytraps that Cisco likes to set up. I always wondered why switches were pre-configured as vtp server mode instead of transparent. Seems to cause 80% of the outages in any large-scale deployment.
|
# ? Aug 18, 2007 12:19 |
|
inignot posted: Look into 802.1x to authenticate wireless users; it can use radius, which can in turn use AD.

This, plus on the Microsoft side, you'll need to install IAS (Internet Authentication Services) on the AD box. Do a google search for IAS and dot1x, and you should have it made....ah heck I'm feeling nice. Here ya go: http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en
|
# ? Aug 18, 2007 12:29 |
|
TheRouterNinja posted: This, plus on the Microsoft side, you'll need to install IAS (Internet Authentication Services) on the AD box. Do a google search for IAS and dot1x, and you should have it made....ah heck I'm feeling nice. Here ya go:

Thanks for this, should help me get a better idea of the big picture as to how everything is supposed to tie together. In the meantime I'm trying to roll out 2 SSIDs on the AP, both with WPA. The problem I've encountered is that I cannot get an IP via our domain DHCP server at all, I'm sure I'm missing an obvious setting but I've tried dhcp smart-relay and all sorts of other helper addresses. Here is the config: code:
|
# ? Aug 20, 2007 16:34 |
|
Does anyone know of a way to make a 2950/60 switch or a 1800 series router to strip the 802.1p tagging? I have a device on my network that drops all data that is tagged with QoS (802.1p). That's not good. Now I need to find a way to completely strip that tag. Like a reverse "switchport priority default". So far I have found ways to add such a tag or to change it, but not ways to remove it. It would be swell if someone could help me figure it out.

Edit: The image is standard, not enhanced.

Arkady fucked around with this message at 08:19 on Aug 23, 2007 |
# ? Aug 23, 2007 07:59 |
|
snadsnad posted: Thanks for this, should help me get a better idea of the big picture as to how everything is supposed to tie together. In the meantime I'm trying to roll out 2 SSIDs on the AP, both with WPA. The problem I've encountered is that I cannot get an IP via our domain DHCP server at all, I'm sure I'm missing an obvious setting but I've tried dhcp smart-relay and all sorts of other helper addresses. Here is the config:

Remember you're creating a trunk on the ethernet port. What vlan on the switch gets you to your dhcp server? You may either have to set that as the native vlan on the switch side of the trunk; or create a new subinterface on the AP for that vlan. Compare a 'show int trunk' on both sides.
|
# ? Aug 23, 2007 14:05 |
|
I got my dual homed 1811W up and running with a basic NAT configuration. It turns out that router configuration doesn't matter if the person responsible for paying the ISP isn't doing their job. Oh, and the ISP doesn't completely shut off the pipe, but allows DHCP packets to trickle through, throwing off debugging.

Anyways, the hosts on the LAN can now access the internet, but are being offered 4 DNS servers, 2 from each ISP. Each ISP will only answer name lookup requests from their own network. What's the best way to handle this? Static routes directing DNS traffic to the right interface? Should I be using DNS spoofing?

edit: I'm an idiot, static routing is the key.

yippee cahier fucked around with this message at 21:32 on Aug 23, 2007 |
# ? Aug 23, 2007 16:23 |
|
sund posted: Each ISP will only answer name lookup requests from their own network. What's the best way to handle this? Static routes directing DNS traffic to the right interface? Should I be using DNS spoofing?

Are you trying to answer specific name results at the ISP? Why would you need that?
|
# ? Aug 23, 2007 16:24 |
|
Arkady posted: Does anyone know of a way to make a 2950/60 switch or a 1800 series router to strip the 802.1p tagging?

From the 2950 QoS FAQ.

quote: Q. Can I override the incoming class of service (CoS) to a specific CoS value? code:
|
# ? Aug 24, 2007 00:51 |