Methanar
Sep 26, 2013
ASK ME ABOUT NOT TIPPING DELIVERY DRIVERS, OR ABOUT MY DIET OF CANNED BABY CORN AND CHICKEN NUGGETS

Alright, can someone explain to me the significance of 0.0.0.0 being a default route?

Rtr-Inside#sho ip ro
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 199.185.48.6 to network 0.0.0.0

C 192.168.1.0/24 is directly connected, FastEthernet0/0
C 192.168.2.0/24 is directly connected, FastEthernet1/0
199.185.48.0/29 is subnetted, 1 subnets
C 199.185.48.0 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 [1/0] via 199.185.48.6
Rtr-Inside#

I've spent the last 2 hours googling for this and I've only managed to confuse myself further.

IF this picture helps I am in the cli of rtr inside and 199.185.48.6 is rtr outside.


Methanar

So it's a broadcast? Or is it like "This packet is destined for whoever will accept it (hopefully another router)"

I keep changing my understanding of this from essentially a broadcast (just going off of the way subnets work) to no gateway (it doesn't need to use a gateway because it doesn't need to leave the LAN).

Methanar fucked around with this message at 03:01 on Sep 7, 2014

Methanar

I'm forgetting how to breathe currently.

10.0.0.0
200 subnets
determine info for fields below for the 4th subnet.


Subnet Address:0,32, 64, 92, 10.0.92.0
Subnet Mask: 255.255.224.0 /19
Host Range: 10.0.92.1 10.0.127.254
Broadcast Address: 10.0.127.255
Default Gateway: 10.0.127.254




This is right, right?

Subnet quota handled by 2^8

Block size from 128+64+32=224 224 > 200

256-224 = 32 (3rd octet)

Edit

Reviewed my textbook, and since 255.0.0.0 is the default mask, I would need 2^8 subnets (8 being the 1 bits for the network portion) to exceed the 200 quota. So in reality my mask would be 255.255.0.0. That leaves me with 2^16 hosts.

I'm dumb and used the host bits to determine my number of subnets.

Subnet Address: 10.4.0.0
Subnet Mask: 255.255.0.0 /16
Host Range: 10.4.0.1 10.4.255.254
Broadcast Address: 10.4.255.255
Default Gateway: 10.4.255.254

real answers.

Methanar fucked around with this message at 04:22 on Oct 23, 2014

Methanar

less than three posted:

10.0.0.0/8 or what?

How much space are you subnetting into 200?

In terms of classful subnetting.

The number of hosts doesn't matter. I need to determine the most appropriate (smallest) mask to use.

Methanar fucked around with this message at 03:29 on Oct 23, 2014

Methanar

Stupid question alert:


Given a network address of 172.24.0.0 and asked to create subnets that have at least 75 host addresses and no more than 125, what is the network address for the first 6 subnets?


This is impossible but I have a teacher who is swearing up and down that it is possible and isn't explaining why. I've discussed this with about 5 different people, including another teacher whose specialty is not networking and it was always unanimously Not Possible.

At 2^6-2 = 62 hosts. This satisfies the requirement of being <125 but not the requirement of being >=75.

At 2^7-2 = 126 hosts. This satisfies the requirement of being >=75 but not the requirement of being <125.
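A subnetting helper for the two exercises above (the 10.0.0.0 / 200-subnet question and the 172.24.0.0 / 75-to-125-host question), added here as an example and not part of the original posts. It assumes the classful textbook convention of skipping subnet zero (which is how the 4th subnet comes out as 10.4.0.0) and, like the posts, treats the last usable address as the gateway.

```python
import ipaddress
import math


def subnet_plan(base_cidr, needed_subnets, index, skip_subnet_zero=True):
    """Split base_cidr into at least needed_subnets equal subnets and describe
    the index-th one (1-based). Classful textbooks (and IOS with
    "no ip subnet-zero") do not use subnet zero, so by default the "1st"
    subnet is the one after it."""
    base = ipaddress.ip_network(base_cidr, strict=False)
    borrowed = math.ceil(math.log2(needed_subnets))   # 200 subnets -> 8 bits borrowed
    new_prefix = base.prefixlen + borrowed
    if new_prefix > 30:
        raise ValueError("not enough bits left for usable subnets")
    subnets = list(base.subnets(new_prefix=new_prefix))
    position = index if skip_subnet_zero else index - 1
    sub = subnets[position]
    return {
        "subnet": str(sub.network_address),
        "mask": f"{sub.netmask} /{sub.prefixlen}",
        "first_host": str(sub.network_address + 1),
        "last_host": str(sub.broadcast_address - 1),
        "broadcast": str(sub.broadcast_address),
        "gateway": str(sub.broadcast_address - 1),   # exercise convention: last usable address
        "usable_hosts": sub.num_addresses - 2,
    }


def usable_hosts(host_bits, reserved=2):
    """Usable addresses in a block with host_bits host bits. reserved=2 drops
    network and broadcast; reserved=3 also drops the gateway, which is the
    counting rule madsushi suspects the teacher used."""
    return 2 ** host_bits - reserved


def prefixes_for_host_range(min_hosts, max_hosts, reserved=2):
    """Every prefix length whose usable host count lies in [min_hosts, max_hosts].
    An empty list means the requirement cannot be met under that counting rule."""
    return [32 - h for h in range(2, 31)
            if min_hosts <= usable_hosts(h, reserved) <= max_hosts]


def first_subnets(base_cidr, prefix, count):
    """Network addresses of the first `count` subnets of the given prefix length."""
    base = ipaddress.ip_network(base_cidr, strict=False)
    gen = base.subnets(new_prefix=prefix)
    return [str(next(gen).network_address) for _ in range(count)]


if __name__ == "__main__":
    print(subnet_plan("10.0.0.0/8", 200, 4))
    print(prefixes_for_host_range(75, 125))               # []: 62 is too small, 126 too big
    print(prefixes_for_host_range(75, 125, reserved=3))   # [25]: 128 - 3 = 125
    print(first_subnets("172.24.0.0/16", 25, 6))
```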

Methanar

madsushi posted:

I imagine it's the 128 example but the teacher is assuming like -1 network, -1 broadcast, -1 default gateway, to make it 125. Which is just getting semantic about "host addresses".

I thought about that, but he has never made that distinction before, because a default gateway is obviously a host, unlike a broadcast.

Methanar

Probably the wrong thread but,

In my college program I just got 93% on a theory exam and 59% on the practical
Minor OSPF, routing, switching, configuration, SSH, domains, understanding addressing and subnetting, dealing with spanning tree's poo poo and basic ACLs.

My 93% was the highest in the class of 25 so I know the material fairly well but I just cannot for the life of me actually do it.

The exams are done through Packet Tracer right now, so it's unbelievably specific and picky about everything. It also doesn't even tell you what you've gotten wrong. Is there any sort of exercise or mindset that I need going into these?

Methanar

Slickdrac posted:

Also there is a very high likelihood that you'd be installing a backdoor into your network.

http://arstechnica.com/tech-policy/...etting-implant/



I think this will always be a concern, no matter where you buy your hardware from.

Methanar

Does it really matter who puts in the backdoor though?

The problem is that you have a backdoor, whether it was put there by the US government, the Chinese government, or the manufacturer.

Methanar

Okay, route redistribution has been kicking my rear end for so long I tried to tab complete the word redistribution.

I have OSPF running for the two clusters and on rtr-lan 4. I have eigrp running in the yellow box and on rtr-lan 4. What is the proper way of redistributing the routes that lead off to the clusters to my eigrp AS. If it means anything I have all of the eigrp 13 AS being aggregated when being advertised to rtr-lan 4.

Ultimately, I want the bottom PCs to be able to access resources within the clusters.

If it matters here are the running configs and routing tables for the 2 important devices.

http://pastebin.com/bvX1F4RJ rtr a
http://pastebin.com/X8rFj2Rv rtr lan

Methanar fucked around with this message at 02:34 on Jan 30, 2015

Methanar

goobernoodles posted:

Anyone have an opinion on Microwave internet? I'm looking into making some changes to move away from our current ISP and will need a primary internet connection. We currently have 20Mbps EoC to our main office. Looking at 50Mb fiber (1100-1400 depending on ISP) or Microwave options.

Atlas Networks can provide 100/100Mbps for $550/mo as well as 500/500Mbps for $1550. They have more expensive and burstable options as well.

ReallyFast.net can do 20/20 burstable to 100/100 for $450 as well as 100/100 burstable to 1000/1000 for 850.

I have no experience with Microwave and a fellow local goon mentioned that he sees spikes of up to 40ms on cloudy days on his 200/200 Atlas Microwave connection that acts as a backup to their main fiber connection. Fiber is more expensive for less bandwidth - about 1100 to 1400/mo for 50Mb fiber from Comcast, CenturyLink, Windstream and Integra. No web servers except for web applications that are only accessed from the two offices, across offices and remotely over the VPN/RDS. I plan on pairing whatever primary connection with a backup coax or other cheap form of internet from a different ISP. Also, I'm probably going to get a Comcast point to point fiber connection between Seattle and Portland.

Make sure you have an absolutely perfect line of sight.

Methanar

I don't really see the issue with standardizing common commands (helper-address for example)

Methanar

So I've got a new ASA 5506-X to replace an ASA 5505.

I wanted to just copy/paste the running config from old to new, but it turns out that the 5506 doesn't have switching capabilities.

How do I do vlans?

Methanar

psydude posted:

Are you trying to do router on a stick down to a layer 2 switch? In that case, it's as simple as creating a subinterface and then issuing the vlan configuration command to set the appropriate vlan tag. Make sure you assign an IP address as well and that the port on the L2 switch is configured as a trunk.

The firewall is doing NAT and traffic filtering. In the configs the interfaces have OSPF costs associated with them, but the firewall doesn't seem to have any real routing going on. We have a 2911 router doing something but nobody knows the password for it and I'm not allowed to recover the password.



I don't know anything about firewalls; routers and switches I'm pretty good at, though. I'm ridiculously unqualified for this but I'm trying to be a hero.

The current 5505 has three interfaces and each interface is assigned a vlan. I can't check but I very strongly doubt any of the other devices actually use vlans.

Inside= f0/1 and f0/3 = vlan 1

outside = f0/0 and f0/4 = vlan 2

dmz = f0/2 = vlan 12

I've got something resembling this on the 5505 right now, so what's the equivalent of this without switchport functionality?

quote:

interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0

I was thinking I could, for example, assign Inside to g1/8 and reuse the current IP address that the 5505 has set for Inside on the 5506 for Inside. I move everything currently plugged into a 5505 vlan 1 port into a switch that's plugged into the 5506's single Inside. To me the picture below makes sense, except the barracuda device is part of the Outside vlan, but it doesn't have a real public IP. I don't remember it having any special ACL rules either. Honestly it might not even be doing anything.

Methanar

Okay I think I've figured that out.


It turns out the way NAT works has changed though. Right now all my live NAT rules are being called exemptions in the ASDM, but in the new one I don't even see the choice to create something called an exemption. Lots of my ACLs have incorrect syntax too. I don't suppose there's an easy way of fixing this, is there?

quote:

global (inside) 13 interface
global (outside) 13 interface
global (dmz) 13 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 13 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
static (inside,outside) MLP_LN2 MLP_LN1 netmask 255.255.255.255
static (inside,dmz) 129.129.30.0 129.129.30.0 netmask 255.255.255.0
static (inside,dmz) 172.16.25.0 172.16.25.0 netmask 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in_1 in interface dmz
access-list inside_nat0_outbound extended permit ip object-group MeadowNetwork Serpong_HQ 255.255.0.0
access-list outside_1_cryptomap extended permit ip object-group MeadowNetwork Serpong_HQ 255.255.0.0

quote:

mlpasafirewall(config)# global (inside) 13 interface
ERROR: This syntax of nat command has been deprecated.
Please refer to "help nat" command for more details.

Methanar



Ultimately all I want to do is replace the 5505 (left) with 5506 and have it still work. I don't have the option to create rule exemptions for the 5506.

I've already gone through that cisco link, but it's pretty far over my head right now.

Methanar

Prescription Combs posted:

Based on what tidbits of info you gave:


code:
object-group network DMZ-NAT0-LOCAL-NETS
 network-object X
object-group network DMZ-NAT0-REMOTE-NETS
 network-object X
!
object-group network Serpong_HQ
 network-object X 255.255.0.0
!
nat (dmz,outside) source static DMZ-NAT0-LOCAL-NETS DMZ-NAT0-LOCAL-NETS destination static DMZ-NAT0-REMOTE-NETS DMZ-NAT0-REMOTE-NETS
!
nat (inside,outside) source static MeadowNetwork MeadowNetwork destination static Serpong_HQ Serpong_HQ
!
object network MLP_LN1
 host <MLP_LN1 IP>
 nat (inside,outside) static <MLP_LN2 IP>
!
object network obj-129.129.30.0
 subnet 129.129.30.0 255.255.255.0
 nat (inside,dmz) static 129.129.30.0
!
object network obj-172.16.25.0
 subnet 172.16.25.0 255.255.255.0 
 nat (inside,dmz) static 172.16.25.0
!
object network obj-INSIDE
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
!


Okay this is very helpful.

quote:

object-group network DMZ-NAT0-LOCAL-NETS
network-object X
object-group network DMZ-NAT0-REMOTE-NETS
network-object X

I don't quite understand these though. Are the capitals and the X placeholders, if so for what?

nat (dmz,outside) source static DMZ-NAT0-LOCAL-NETS DMZ-NAT0-LOCAL-NETS destination static DMZ-NAT0-REMOTE-NETS DMZ-NAT0-REMOTE-NETS
!
nat (inside,outside) source static MeadowNetwork MeadowNetwork destination static Serpong_HQ Serpong_HQ
!

Kind of the same thing here: what are the capitals? Why is MeadowNetwork written twice in a row, and what exactly is being sent to/from Serpong?

Sheep posted:

a local IT support company


lol

Methanar

Has anyone ever had a problem with an ASA where it will respond to every ARP query and say that it owns the IP address in question?

Because right now I have one that believes it owns every IP address not in 192.168.0.0/16

Methanar

Contingency posted:

Possibly a NAT statement causing proxy ARP.

How would I even begin to check something like that?

Methanar

http://pastebin.com/PstpCMue

Methanar

Honestly I just think it might be a bug.

Even with the configs totally wiped it still does it.

There are no references at all to 192.168 in our network because we use some stupid non rfc 1918 subnet internally. Proxy arp shouldn't be used.

I just thought I'd ask because Cisco hasn't been able to tell me anything either.

Methanar

ElCondemn posted:

Can you show us your arp table? Also how are you testing this? Is it possible your test is flawed?

I'm home now but the arp table is totally empty even after performing the test below.

I tested it by unplugging all ethernet cables from the ASA and my computer, clearing all ARP tables and wiping assigned addresses (they were in fact cleared properly), and turning on Wireshark. I addressed the ASA and my computer with static IPs in the 172.16.1.0/24, 192.168.1.0/24, 192.168.128.0/23 and 216.10.5.0/24 subnets as tests, then plugged in an ethernet cable from my computer to the ASA. This has been tested with multiple ASA ports and computers with the same results. It's also possible I am a complete idiot and my test means nothing.


Wireshark will see arps being sent out asking if anyone has 172.16.1.1 or whatever address I gave my computer. The ASA will always respond that the mac address of the port I am plugged into already owns whatever IP I gave to my computer. With the exception of anything in 192.168.0.0/16.

Methanar fucked around with this message at 23:05 on Aug 10, 2015

Methanar

ElCondemn posted:

Was that your whole config? Do you have any DHCP entries in your config (helper ip or anything)? Any "ip local pool" sections? Can you do a show route?

That was 90% of the config, I left out a bit of the VPN stuff which is unrelated and mostly just a list of the users.

There is a little bit of DHCP just to address incoming VPN connections. They're given out from a pool of 172.16.25.240-250.

Show route was empty when I tried it earlier today. These two static routes are really the only routing going on. The interfaces have ospf costs associated with them for no reason. We don't even have a routing protocol running.

route outside 0.0.0.0 0.0.0.0 12.12.12.12 1
route inside 129.129.30.0 255.255.255.0 172.16.25.254 1

Methanar

That's why it's so bizarre. The ASA has been sitting on my desk for like 4 weeks now and is brand new. It's never been used for real. I've been preparing it to be put into the network but it just absolutely refuses to let anyone else have an address.

Being directly connected to my computer, and a few others just to troubleshoot, is all it's been.

Methanar

Prescription Combs posted:

I'm pretty certain it's your NAT lines.

Try turning on sysopt noproxyarp.

conf t
sysopt noproxyarp inside
sysopt noproxyarp dmz
sysopt noproxyarp outside


See if the behavior is still there.

Those 'any any' references on the nats literally mean any address even if not in the config.

Shutting off proxy arp fixed the IP conflict issue I was having.

Bad news is I'm stupid and shut it off for every interface and then tried to put it into the network. Since I have multiple publicly addressed devices inside my network, I must have proxy ARP running for the outside interface and possibly the DMZ, right?

I broke the whole network for a good 90 minutes before I got everything back together.

Methanar

Okay so I think I know why I've had such a hard time learning how to use a firewall. The configs I've been working with and trying to understand are horrible.

I was always confused about the extra any any nat statements and I'm fairly sure they're completely useless now, and Cisco agrees. I removed them all and turned proxy ARP back on, but I get the IP conflict again.




Prescription Combs posted:

primarily does public > private NAT where public IPs generally don't reside behind the FWs

This would be the smart way of doing this.

Methanar

I didn't understand why my configs' nat rules were using Inside,Any so I changed them all to Inside,Outside for fun.

This fixed my issue of the asa believing it owned every IP without having to turn off proxy arp.

Can someone smarter than me tell me what I did?

Methanar

Well, yeah.

But how could that be fixing the issue I was having of the ASA claiming every address was in use on behalf of nonexistent devices behind NAT?

Methanar

Contingency posted:

Let's say you have a /29, with 5 hosts usable--1.2.3.2-6.
1.2.3.1 is the upstream router.
ASA is assigned 1.2.3.2.
On the ASA, you forward 1.2.3.3 and 1.2.3.4 to internal hosts.

When traffic destined for 1.2.3.4 exits the router interface, that traffic isn't magically forwarded to your internal hosts. The ASA ARPs not only for 1.2.3.2, but also proxy ARPs for 1.2.3.3 and 1.2.3.4. The traffic is then received by the ASA and unNAT'd to your internal hosts. The ASA was doing this for your internal interface because of how your NAT rules were configured.

Okay I followed that.

So what are legitimate uses of natting to any interface assuming you have more than inside and outside?

Should you ever use any, or always specifically choose interfaces?
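A small model of the behaviour Contingency describes, added here as an example (it is not ASA code and simplifies the real rules): an interface answers ARP for its own address and, when proxy ARP is on, for the mapped addresses of NAT rules whose mapped interface is that interface or "any", which is why an "any any" rule on inside makes the ASA look like an ARP spoofer in a capture. The interface names, the 1.2.3.0/29 block and the rule shapes come from the posts; the inside/dmz interface addresses are assumptions, and the model does not explain the 192.168.0.0/16 exception Methanar saw.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class NatRule:
    real_if: str      # interface the real hosts sit on
    mapped_if: str    # interface the mapped addresses appear on; "any" = every interface
    mapped: str       # mapped address block; "0.0.0.0/0" is the thread's "any any" rule


@dataclass
class Asa:
    interfaces: dict                               # interface name -> its own IP
    nat_rules: list
    noproxyarp: set = field(default_factory=set)   # interfaces with "sysopt noproxyarp"

    def arp_reply_reason(self, iface, target_ip):
        """Why this interface would answer an ARP request for target_ip, or None."""
        target = ipaddress.ip_address(target_ip)
        if target == ipaddress.ip_address(self.interfaces[iface]):
            return "own address"
        if iface in self.noproxyarp:
            return None
        for rule in self.nat_rules:
            if rule.mapped_if in (iface, "any") and target in ipaddress.ip_network(rule.mapped):
                return f"proxy ARP for nat ({rule.real_if},{rule.mapped_if}) {rule.mapped}"
        return None

    def claimed(self, iface, probe_ips):
        """Subset of probe_ips this interface would claim: what Wireshark showed."""
        return [ip for ip in probe_ips if self.arp_reply_reason(iface, ip) is not None]


# Contingency's /29: upstream router .1, ASA outside .2, .3 and .4 forwarded inward.
CONTINGENCY = Asa(
    interfaces={"outside": "1.2.3.2", "inside": "10.0.0.1"},   # inside address assumed
    nat_rules=[NatRule("inside", "outside", "1.2.3.3/32"),
               NatRule("inside", "outside", "1.2.3.4/32")],
)

# The thread's problem: an "any any" rule whose mapped side is every interface.
PROBES = ["172.16.1.1", "192.168.1.1", "216.10.5.1"]   # constructed test addresses
BROKEN = Asa(
    interfaces={"outside": "12.12.12.1", "inside": "172.16.25.1", "dmz": "172.16.30.1"},  # assumed
    nat_rules=[NatRule("inside", "any", "0.0.0.0/0")],
)
# Fix A from the thread: sysopt noproxyarp everywhere. It also stops the legitimate
# proxy ARP for public addresses on outside, which is what broke the network.
FIX_NOPROXYARP = Asa(BROKEN.interfaces, BROKEN.nat_rules, noproxyarp={"inside", "dmz", "outside"})
# Fix B from the thread: scope the rule to (inside,outside) so inside has no mapped side.
FIX_SCOPED = Asa(BROKEN.interfaces, [NatRule("inside", "outside", "0.0.0.0/0")])

if __name__ == "__main__":
    print(CONTINGENCY.claimed("outside", ["1.2.3.1", "1.2.3.3", "1.2.3.4", "1.2.3.5"]))
    print(BROKEN.claimed("inside", PROBES))
    print(FIX_NOPROXYARP.claimed("inside", PROBES), FIX_SCOPED.claimed("inside", PROBES))
```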

Methanar

Okay, so in plain English this statement is saying:


nat (inside,any) source static any any destination static obj-129.129.30.0 obj-129.129.30.0

Send traffic to the inside interface if it originates from anything, that is, from 0.0.0.0/0, and is destined for 129.129.30.0/24.



If traffic matches the above nat rule but I have a static route that says traffic destined for 129.129.30.0/24 should go to g0/5, the dmz interface, the nat rule will take effect and send the traffic to g0/2, the inside interface.

Am I understanding that right?


I'm sorry for spamming this thread so much.

Methanar

adorai posted:

It took me almost a year to get a dumbass issue resolved with TAC. The symptom was if a user had two phones in two different regions with the same DN, the phones did not get the terminate signal and would keep the call "active". After 3 calls, they had to restart their phones.

If you can guess the solution, you get a figurative cookie.

Use different DNs.

Restart the phones after every 3 calls.

Methanar fucked around with this message at 03:46 on Sep 3, 2015

Methanar

TheMostFrench posted:

Can I ask a Packet Tracer question here? I'm trying to do inter-vlan routing using an L3 switch but I can't find anything that explains how to set routes between vlans. If that isn't possible then I guess I am misunderstanding the task, and even the basic concepts.



e: Is there a way to minimise the code for sh run in the forum post so that I don't post several screens worth of information?

It's pretty easy, you just tell your routing protocol all of the vlan subnets that each device has access to.



My pkt file has quite a bit going on so just pay attention to the leftmost wing of clients and the HQ FLOOR1 mlsw. Each of the numbers beside a computer represents a vlan being serviced there. In my case I am using a default gateway of 10.192.x.254.

quote:

en
vlan database
vlan 101 name rnd 10.192.0.0 /21
vlan 102 name networkmanagement 10.192.8.0 /21
vlan 103 name executiveoffices 10.192.16.0 /22
vlan 104 name publicwireless 10.192.20.0 /23
vlan 105 name privatewireless 10.192.22.0 /24
vlan 106 name engineering 10.192.23.0 /24
vlan 107 name voice 10.192.24.0 /24
vlan 108 name specialprojects1 10.192.25.0 /24
vlan 109 name specialprojects2 10.192.26.0 /24
vlan 110 name specialprojects3 10.192.27.0 /24
vlan 111 name lab1 10.192.28.0 /24
vlan 112 name lab2 10.192.29.0 /24
vlan 113 name lab3 10.192.30.0 /24
vlan 114 name lab4 10.192.31.0 /24
vlan 115 name serverfarm 10.192.32.0 /24
vlan 116 name salesandmarketing 10.192.33.0 /25
vlan 117 name finance 10.192.33.128 /25
vlan 118 name designanddrafting 10.192.34.0 /26
vlan 119 name corporatecommunication 10.192.34.64 /26
vlan 120 name healthandhumanresources 10.192.34.128 /26
vlan 121 name shippingandreceiving 10.192.34.192 /26
vlan 122 name informationtechnologyservices 10.192.35.0 /26
exit

For floor1-sw1 I have the access ports set as

interface FastEthernet0/1
switchport access vlan 106
switchport voice vlan 107
spanning-tree portfast
spanning-tree guard root

And I have the floor1-mlsw default gateway's config resembling this long pastebin. Don't worry about the standby IPs, just know that the default gateway for every vlan in the leftmost pod terminates on floor1-mlsw. You can see that eigrp has a network statement for all the vlans that this L3 switch is serving PLUS the physical interfaces that lead deeper into the network, and I have enabled routing for the switch. The helper addresses just forward DHCP requests off to my DHCP server that is in a different subnet, because remember: broadcasts do not leave your local L2 LAN. It is important to note that because f0/24 is handling all traffic for multiple vlans you MUST set it to be a trunk port.

http://pastebin.com/8VWq4cp3

router eigrp 1
network 10.192.255.0 0.0.0.3
network 10.192.255.24 0.0.0.3
network 10.192.23.0 0.0.0.255
network 10.192.0.0 0.0.7.255
network 10.192.25.0 0.0.0.255
network 10.192.26.0 0.0.0.255
network 10.192.27.0 0.0.0.255
network 10.192.28.0 0.0.0.255
network 10.192.29.0 0.0.0.255
network 10.192.30.0 0.0.0.255
network 10.192.31.0 0.0.0.255
no auto-summary

If you need more explanation just ask.
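An added check for the configuration above (example code, not from the post): it derives EIGRP network statements with wildcard masks from the VLAN table and reports which VLAN gateways (the .254 convention from the post) no network statement on floor1-mlsw matches, since EIGRP only runs on interfaces whose address a network statement covers. Unmatched VLANs are not necessarily wrong here, because only the left pod's VLANs terminate on that switch; the 19.192.35.0 in the post is taken as a typo for 10.192.35.0.

```python
import ipaddress

# VLAN id -> subnet, from the vlan database in the post.
VLANS = {
    101: "10.192.0.0/21", 102: "10.192.8.0/21", 103: "10.192.16.0/22", 104: "10.192.20.0/23",
    105: "10.192.22.0/24", 106: "10.192.23.0/24", 107: "10.192.24.0/24", 108: "10.192.25.0/24",
    109: "10.192.26.0/24", 110: "10.192.27.0/24", 111: "10.192.28.0/24", 112: "10.192.29.0/24",
    113: "10.192.30.0/24", 114: "10.192.31.0/24", 115: "10.192.32.0/24", 116: "10.192.33.0/25",
    117: "10.192.33.128/25", 118: "10.192.34.0/26", 119: "10.192.34.64/26", 120: "10.192.34.128/26",
    121: "10.192.34.192/26", 122: "10.192.35.0/26",   # 19.192.35.0 in the post read as a typo
}

# "network A W" lines from router eigrp 1 on floor1-mlsw, as posted.
NETWORK_STATEMENTS = [
    ("10.192.255.0", "0.0.0.3"), ("10.192.255.24", "0.0.0.3"), ("10.192.23.0", "0.0.0.255"),
    ("10.192.0.0", "0.0.7.255"), ("10.192.25.0", "0.0.0.255"), ("10.192.26.0", "0.0.0.255"),
    ("10.192.27.0", "0.0.0.255"), ("10.192.28.0", "0.0.0.255"), ("10.192.29.0", "0.0.0.255"),
    ("10.192.30.0", "0.0.0.255"), ("10.192.31.0", "0.0.0.255"),
]


def wildcard_to_network(address, wildcard):
    """Turn a contiguous wildcard mask into a prefix: 0.0.7.255 -> /21."""
    w = int(ipaddress.ip_address(wildcard))
    host_bits = (w + 1).bit_length() - 1
    if (1 << host_bits) - 1 != w:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{address}/{32 - host_bits}", strict=False)


def network_statement(cidr):
    """The EIGRP network statement that matches exactly one VLAN subnet."""
    net = ipaddress.ip_network(cidr)
    return f"network {net.network_address} {net.hostmask}"


def gateway(cidr):
    """The post's convention: the SVI sits on the last usable address (.254)."""
    return ipaddress.ip_network(cidr).broadcast_address - 1


def unmatched_vlans(vlans, statements):
    """VLANs whose gateway address no network statement matches; EIGRP would not
    run on those SVIs or advertise their subnets."""
    nets = [wildcard_to_network(a, w) for a, w in statements]
    return sorted(vid for vid, cidr in vlans.items()
                  if not any(gateway(cidr) in n for n in nets))


if __name__ == "__main__":
    for vid in unmatched_vlans(VLANS, NETWORK_STATEMENTS):
        print(f"vlan {vid}: {VLANS[vid]} not covered; would need: {network_statement(VLANS[vid])}")
```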

Methanar

Charliegrs posted:

I have a couple Cisco 3500 switches. For whatever reason, I cannot create any VLANs. It's driving me nuts trying to figure out why and I haven't had any luck googling it.

So I go into global config mode, enter the command: vlan 10. And I get back an invalid input detected message. I know for a fact that is how you create a vlan. Does anyone know what I might be doing wrong or if there is some setting I have to change to do this? These are used switches, and did have configurations already from the previous owner that I wiped.

The weird thing is I can go to a specific switch port and assign it to a vlan, thus actually creating the vlan. I don't know what's going on....

Switch(config)#int vlan 10
Switch(config-if)#no shut

Switch(config-if)#
%LINK-5-CHANGED: Interface Vlan1, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up

Switch(config-if)#int fa0/1
Switch(config-if)#sw mode access
Switch(config-if)#sw access v 10
% Access VLAN does not exist. Creating vlan 10
Switch(config-if)#

Maybe try fiddling with the vlan database?


Switch#vlan data
Switch#vlan database
% Warning: It is recommended to configure VLAN from config mode,
as VLAN database mode is being deprecated. Please consult user
documentation for configuring VTP/VLAN in config mode.

Switch(vlan)#?
VLAN database editing buffer manipulation commands:
exit Apply changes, bump revision number, and exit mode
no Negate a command or set its defaults
vlan Add, delete, or modify values associated with a single VLAN
vtp Perform VTP administrative functions.
Switch(vlan)#vlan 10 ?
name Ascii name of the VLAN
<cr>
Switch(vlan)#vlan 10 name ?
WORD The ascii name for the VLAN
Switch(vlan)#vlan 10 name vlan10
VLAN 10 modified:
Name: vlan10
Switch(vlan)#
Switch#

Methanar fucked around with this message at 01:20 on Nov 3, 2015

Methanar

Can someone write some words about why you would ever want to use a software router/firewall like BIRD or vyOS instead of a hardware Cisco or Juniper product?

I'd imagine upfront cost, expected load and need of manufacturer support are the main motivators.

Methanar

psydude posted:

Yeah. They still use a lot of Cisco and Juniper at the edge and at their PoPs (and I'd imagine for their corporate networks). Their internal DC stuff is a lot of home baked stuff running crazy rear end SDN poo poo.


https://gigaom.com/2014/11/14/faceb...etworking-tech/

Yeah this clears things right up.

Methanar

Japanese Dating Sim posted:

Working on CCENT and I'm missing something stupid. I've got three routers up in GNS3, and they're connected via their serial interfaces on 10.0.0.0/30. Router 1 can ping Router 2, but not Router 3. Router 3 can ping Router 2, but not Router 1. I've (I think) narrowed the issue down to the fact that Router 2 can't ping Router 3 if I use the interface that's connected to R1 as the source. I'm not sure if this is a problem with how I've set up the static routes, or the IP addresses of the serial ports, or what. If anyone wants to spend a couple of minutes explaining what I've done wrong (or just pointing me where to look) I'd be pretty grateful.


R2#show run | section interface



r3 needs to be aware of r1's networks and vice versa.

[from r3] ip route 192.168.10.0 255.255.255.0 10.0.0.5


If you wanted you could make a default route and tell R3 that any time he wants to find something you haven't explicitly defined, send it to R2 and hope he knows where to go.

ip route 0.0.0.0 0.0.0.0 10.0.0.5

Methanar fucked around with this message at 03:17 on Dec 7, 2015
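The routing-table semantics behind both the 0.0.0.0/0 question at the top of the thread and the R1/R2/R3 static-route answer above, as an added example (not from either post): longest-prefix match, where the default route is not a broadcast but a /0 that matches every destination and loses to any more specific entry, and a next hop is itself looked up recursively to find the egress interface. The first table is rtr-inside's from the first post; the R3 tables use the 10.0.0.5 and 192.168.10.0/24 values from the post above and assume R3's serial link is 10.0.0.4/30 on Serial0/1.

```python
import ipaddress

# (prefix, next hop or None when directly connected, egress interface or None)
RTR_INSIDE = [
    ("192.168.1.0/24", None, "FastEthernet0/0"),
    ("192.168.2.0/24", None, "FastEthernet1/0"),
    ("199.185.48.0/29", None, "FastEthernet0/1"),
    ("0.0.0.0/0", "199.185.48.6", None),    # S* candidate default: gateway of last resort
]

# Japanese Dating Sim's lab from R3's point of view; link subnet and interface name assumed.
R3_BEFORE = [("10.0.0.4/30", None, "Serial0/1")]
R3_STATIC = R3_BEFORE + [("192.168.10.0/24", "10.0.0.5", None)]   # the specific route
R3_DEFAULT = R3_BEFORE + [("0.0.0.0/0", "10.0.0.5", None)]        # "send it to R2 and hope"


def longest_prefix_match(routes, destination):
    """Most specific route containing destination, or None."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def resolve(routes, destination, _depth=0):
    """Return (address to ARP for, egress interface), or None when there is no route:
    without a default route the packet is dropped and ICMP unreachable goes back."""
    match = longest_prefix_match(routes, destination)
    if match is None:
        return None
    _net, next_hop, iface = match
    if next_hop is None:
        return (destination, iface)          # connected: ARP for the destination itself
    if _depth > 8:
        raise RuntimeError("next-hop recursion loop")
    via = resolve(routes, next_hop, _depth + 1)   # recursive lookup of the next hop
    return None if via is None else (next_hop, via[1])


if __name__ == "__main__":
    print(resolve(RTR_INSIDE, "8.8.8.8"))        # default route, out FastEthernet0/1
    print(resolve(RTR_INSIDE, "192.168.2.7"))    # /24 beats /0: directly connected
    print(resolve(R3_BEFORE, "192.168.10.1"))    # None: R3 knows nothing about R1's LAN
    print(resolve(R3_STATIC, "192.168.10.1"))    # via 10.0.0.5 on Serial0/1
```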

Methanar

Alright just for fun I'm playing with BGP and set up a simple network. All the basic configuration is done with ospf/eigrp redistributed into the bgp. Everything works.
I want to try and force the AS 200 router to send traffic destined for 30.30.30.0/24 over to AS 300 and then let AS 300 handle the traffic, instead of how it currently is where AS 200 sends directly to AS 100.




On the AS 200 router I set a weighting for the 86.55.14.2 neighbour so ALL traffic will be sent down that link, except for directly connected stuff. That's pretty cool but it's not quite what I wanted.

code:
AS200(config-router)# neighbor 86.55.14.2 weight 500

Next attempt was to create a route map to weight the traffic.

code:
AS200# configure terminal
AS200(config)# access-list 3 permit 30.30.30.0 0.0.0.255

AS200(config)# route-map MAP-30.30.30.0/24 permit 10
AS200(config-route-map)# match ip address 3
AS200(config-route-map)# set weight 100
AS200(config-route-map)# route-map MAP-30.30.30.0/24 permit 20

AS200(config)# router bgp 200
AS200(config-router)# neighbor 201.34.52.23 route-map MAP-30.30.30.0/24 in

Now, both of these worked, but if I had several hundred preferences with and across multiple AS's, with meaningful internal routing occurring, this would be a nightmare. What is the proper way of handling BGP preferences? Do you have to phone other network admins responsible for other AS numbers to request changes?

Methanar

quote:

bgp

Neat.

While I'm at it, does anyone have some good ideas for interesting situations that I should try to model and play with?

Methanar

Powercrazy posted:

Create a transit AS with 5 or so AS's. Then figure out how to prevent it.

For extra credit think about why you normally wouldn't want to be a transit AS on the internet.

Because 50gbits of netflix


Methanar

Does anyone run a dual stack network or even a fully native ipv6 network?

If so, why, and what are some of the benefits?
