casseopei posted: Inbound on an extended IP access list:

Try:

code:
10 permit tcp any any eq ftp established
20 permit tcp any any eq ftp-data established

Passive mode uses "ephemeral" ports and the access list is doing its job and blocking them...
# Oct 16, 2007 21:32
casseopei posted: Thanks very much for the information, unfortunately it still doesn't work. I altered the above by replacing 10 and 20 with your entries and when that didn't work tried a second time by adding my old entries as 15 and 25.

Hurf, that makes sense. You'll need some statement that explicitly allows the port negotiation. E.g.: code:
# Oct 17, 2007 18:55
I'd guess that your NAT rule restricting it to port 80 stops the return traffic from an HTTP request, which comes on a high port. Sort of the same problem as your passive mode issue. I'm having a difficult time visualizing your network setup, so I can't write a rule for you.
# Oct 19, 2007 15:43
Doug posted: I'm looking to kinda do a dual purpose set-up for my house. I want something I can use for a decent ccna(p?) lab but as well replace my linksys home router. It's got wireless which I hardly ever use anyway so losing it wouldn't be a big deal, but with the 2 switches listed and the router, would I have a good lab as well as a functioning router for my home? Also, if I wanted to add wireless, what would be the cost/equipment for something like that?

Ballpark ebay costs:
2620 router with a couple of interfaces: $300-400
2924 switches: $70-100 apiece
1100 or 1200 series wireless access point: $100 or less

Many consumer-grade Linksys routers have firewall capabilities, too. You want to consider that you're removing that functionality from your network before you go and do it. You can make a 2600 series act like a firewall, but it's a chore to maintain and you may need more NVRAM/RAM than most of them have, and it's not for the cisco-dumb.
# Dec 12, 2007 20:48
Eyecannon posted: Thanks for the help guys. I realized that I could easily do what I wanted if I just had VPN clients given a sub-subnet of 10.0.0.0/24 that was unused. This way, I am able to speak to (well listen back from) anything on 10.0.0.0/24.

It's not ideal from a security perspective -- if I have one of your user's passwords and a VPN certificate, I have your network to play with. If you can lock down specific ports and addresses, that might be better. This might be fine for you; the trick with security is determining the value of what you're protecting and the relative risk vs. the cost/effort of setting it up with more hardened, fine-grained protection.
# Sep 5, 2008 21:36
JHVH-1 posted: I was able to reset the config, and I can now get in the switch. I guess I need to know what I should do next to start learning everything. Is there a specific book that is recommended to start with? Maybe some kind of project setup just to test out things.

Not a whole lot to a 3548, but here's pretty much everything: http://www.cisco.com/en/US/docs/switches/lan/catalyst2900xl_3500xl/release12.0_5_wc3/swg/Swgover.html
# Sep 9, 2008 22:34
I've never done it, but what you seek is L2TP.
# Oct 14, 2008 21:01
What's to not understand? code:
# Feb 12, 2009 17:30
My advice: don't get fancy. The time it saves you versus the potential for it to a) not work or even do harm or b) be yet another thing you have to troubleshoot that slows down your execution. Get downtime scheduled and approved. Format it in the router, transfer the software and config to it and go. Shouldn't be down that long, and if their downtime requirements are so stringent they can't let you change software, why can't they afford redundant/test infrastructure? Presumably there's income you're interrupting, to put a finer point on it.
# Sep 2, 2011 03:09
StabbinHobo posted: So anyone have disaster stories with Dell 6248s?

jwh posted: I don't work with them directly, as we have storage networking folks that handle them, but they have a reputation (the 9148s) for being very nice boxes.
# Oct 25, 2011 22:38
jwh posted: Had a 2960G wig out today in the weirdest way: of the ten we had deployed at this particular site, one of them decided it'd be fun to start arbitrarily dropping layer-3 specific traffic. The stations affected were all in one physical area. We moved the stations to a different VLAN and they had no trouble. Moved them back, problem gone. Hasn't recurred, to my simultaneous relief and frustration.

edit much later:

Frozen-Solid posted: Any idea what this is, or if it's something I should even worry about? We've had random complaints that "everything is slow" for the past few weeks, that we've slowly been fixing various issues trying to track things down. Today we had a report while this weird spike was going on, but I have no way of knowing if it's related.

What a newbie network guy should focus on fixing: interface errors, and logging errors. Look at show interface and show logging. Are errors non-zero? Are there errors spamming the logs for some reason? Find out why and try to fix it and you're on your way. Also, show run. show run interface <blah>.

If you have a Cisco Smartnet contract, you can get a login to Cisco.com that gives you access to tools and documentation. The output interpreter is your friend. Read the articles it links to. Do a lot of preparation and reading and call the TAC if you can.

Don't get fancy, configure what you set out to do and write mem when you can confirm beyond a doubt it works. Then you can always reboot and go back to the old config if you mess up and things are broken.

If your users tell you the network is slow, talk to them and make them show you, if you can't confirm that yourself somehow remotely. The users who tell you it's slow are often the ones who really use it and will have the most information about what is wrong.

A properly configured network should only be as slow as its smallest link. Now there is where cacti is useful: are your interface graphs spiking and plateauing similarly? Then you may be undersized, and it's difficult to tweak anything to make a link send more traffic than it's designed to. At that point, traffic and protocol analysis (sniffing) will tell you if it's production traffic saturating your links or not, and if you can justify the cost or have to tell/make users to knock it off.

bort fucked around with this message at 04:50 on Nov 18, 2011
# Nov 18, 2011 01:35
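The advice above is to look at show interface and ask "are errors non-zero?" before touching anything else. As an added example (not code from the thread or from any poster), here is a small Python parser that reads the error-counter lines of show interface output and flags only the interfaces whose input/output error counters are non-zero. The sample output is constructed for the example, and the set of counter names it recognises (input errors, CRC, frame, overrun, ignored, output errors, collisions, interface resets) is an assumption about the lines you care about, not a complete model of IOS output.

```python
import re

# Constructed sample of abbreviated "show interface" output (not captured from a
# real device); only the lines this parser looks at are included.
SAMPLE_SHOW_INTERFACE = """\
GigabitEthernet0/1 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0000.0000.0001 (bia 0000.0000.0001)
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 1 interface resets
GigabitEthernet0/2 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0000.0000.0002 (bia 0000.0000.0002)
     312 input errors, 312 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 45 collisions, 3 interface resets
GigabitEthernet0/3 is down, line protocol is down (notconnect)
  Hardware is Gigabit Ethernet, address is 0000.0000.0003 (bia 0000.0000.0003)
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets
"""

# An interface block starts with an unindented "<name> is <status>, line protocol is <state>" line.
HEADER_RE = re.compile(r"^(\S+) is (\S+), line protocol is (\S+)")
# "<number> <counter name>" pairs as they appear on the error lines (assumed subset of counters).
COUNTER_RE = re.compile(
    r"(\d+) (input errors|CRC|frame|overrun|ignored|output errors|collisions|interface resets)"
)
# Counters that indicate a real problem; "interface resets" is kept separately as informational.
ERROR_COUNTERS = {"input errors", "CRC", "frame", "overrun", "ignored",
                  "output errors", "collisions"}


def parse_show_interface(text):
    """Return {interface: {"status": str, "protocol": str, "counters": {name: int}}}."""
    result = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {"status": m.group(2), "protocol": m.group(3), "counters": {}}
            continue
        if current is None:
            continue  # text before the first interface block
        for value, name in COUNTER_RE.findall(line):
            result[current]["counters"][name] = int(value)
    return result


def interfaces_with_errors(text):
    """Interfaces whose error counters are non-zero, with only the offending counters."""
    flagged = {}
    for name, info in parse_show_interface(text).items():
        bad = {k: v for k, v in info["counters"].items() if k in ERROR_COUNTERS and v > 0}
        if bad:
            flagged[name] = bad
    return flagged


if __name__ == "__main__":
    for intf, bad in interfaces_with_errors(SAMPLE_SHOW_INTERFACE).items():
        print(intf, bad)
```

On the constructed sample only GigabitEthernet0/2 is reported, with its CRC, input error and collision counts; the one interface reset on Gi0/1 is parsed but not treated as an error, which is the split between "look here first" and "worth knowing" that the post describes.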
Honestly, few things beat Cisco's Configuration Guides that you can get on their website. Their table of contents is sorted in the order things usually need to be configured and their examples are often spot-on unless you're doing something very non-standard. The docs usually begin with sections on management tasks like getting your CLI up and running. They're so helpful, I tend to read them even when configuring devices from other vendors because the other guy's documentation has tasks in alphabetical order, and Cisco usually has more comprehensive and better documented examples.

Command References are sometimes critical, but usually if you know the command you want, Google and the combination of ? and Tab completion should let you stumble through the syntax.

edit: example link http://www.cisco.com/en/US/products/ps6406/products_installation_and_configuration_guides_list.html for a 2960 switch. Check show ver and grab the one you need and off you go.

ee: more relevant link (ASA 5500 series) http://www.cisco.com/en/US/customer/products/ps6120/products_installation_and_configuration_guides_list.html
# Jan 31, 2012 01:29
Yep, I started to recommend that, too: if you are used to SonicWall, ASDM will be more familiar. It's just that if you use both ASDM and CLI, configurations get messy pretty rapidly.
# Jan 31, 2012 17:16
Single mode interfaces have a gaping hole in your checkbook area. Very hard to miss.
# Mar 26, 2012 19:58
CrazyLittle posted: There are third-party vendors who will be happy to take your money in exchange for software support!

Does such a thing really exist? I keep paying for Smartnet for fear that I'll need a software update.
# Apr 16, 2012 20:56
You have the right destination port in your span session?
# Apr 19, 2012 22:01
On the controller CLI, you can run config ap syslog host global <syslog host ip>. This will set all your APs to log to syslog (instead of broadcast, which they do by default).
# Aug 13, 2012 22:59
jwh posted: Is it true, in this year of our Lord, 2012, that you cannot drop a shell session directly into priv 15 on an ASA?
# Aug 16, 2012 00:22
Mierdaan posted: This is the Cisco thread, but probably still the best thread for this question: What's the general opinion of Force10 products for SMB switching? We've got a network of mostly 2950/2960/3560 Cisco gear, and a new VAR that we're talking to is trying to sell us on Force10 gear since they're married to Dell.

They're IOSsy enough that there is very little transition, but have a few key changes that take a little getting used to. For example, port channel configuration varies whether you're doing LACP or not. You put your allowed VLANs in the VLAN interface configuration instead of on the trunk interface. One small change that rocks that IOS doesn't have: if you're in an interface or other sub-configuration, show config does the equivalent of do show run int <current interface>. Stacking configuration is a little strange, if you do that -- you have to be careful how you set priorities to make sure master behavior is consistent.

Major drawbacks: Documentation. I pine for a Cisco-style configuration guide, where the tasks are laid out in approximate order of how you perform them. Force10's docs are laid out alphabetically, so you have to know exactly where you're going and they won't help you if you forget a step. You may run into undocumented weirdness if you push your switching beyond normal edge switching applications. Another one is if you use Cisco-based protocols: VTP, having to change from CDP to LLDP, and routing issues if you move into the layer 3 space. I love EIGRP so much and it sucks to have to leave it behind.

Sales idiosyncrasies: they will give you lead times that will make you blow your stack and then deliver much more quickly than anticipated. I think they got a lot of business when Cisco was having delivery problems and so try to wow customers by beating their advertised lead times. The other thing that's not a good sign: a lot of the old guard who started with Force10 are starting to leave now that they're Dell.

Nothing wrong with the hardware, just make them deeply discount anything. You are changing something pretty significant when you buy non-Cisco. Make them woo you.
# Aug 24, 2012 02:07
I'm posting too many negatives for how happy I am with the Force10 equipment, but I run into this every friggin' day and it makes me type things twice:

IOS:
show run | inc Vlan
show run | begin net0/1

FTOS:
show run | grep Vlan
show run | find net0/1

edit: funny stuff that really doesn't matter: when they got bought out, there was an FTOS update for most of the S series that pretty much did nothing but change "Force10" to "Dell" everywhere in your configs. And now that I've changed all my closet/data centers from Cisco blue to Force10 gray, new chassis that get delivered are Dell black!
# Aug 24, 2012 02:48
We got talked into purchasing Prime to replace WCS, so please post any hints you come up with on NAC. It's not something I really want to deploy, but sounds like Cisco's trying to press the issue. I can't have a meeting with my rep without some hard-sell presales engineer FUDding me about how I'm not doing NAC.
# Aug 27, 2012 15:44
Yeah, that's what I thought. I'm hoping I can duplicate my current WCS functionality in Prime and ignore anything related to wired auth.
# Aug 27, 2012 18:54
I just had this problem. Enabling Fast SSID change on the controller fixed it for me. Supposedly 7.2.110.0 has better Apple support. I'm still on old locators so I have to stay on the 6 train (next stop: Brooklyn Bridge!)

edit: beaten, but bolsters the case

real edit: those 3502s are monsters. Serious radio range.
# Aug 31, 2012 06:45
Xenomorph posted: What kind of range? How many devices can be connected to one? The people installing them here are seriously putting them about 30 feet apart.

If you want to get serious, get Ekahau heatmapper (or Fluke, etc. if you have budget) and put yourself through a survey. That's really the only way you can see what's up -- even though WCS has heatmaps, they're not terribly reliable for decision making and you need to survey it with clients on it.

The other answer to "how many devices can connect to one" has to do with the uplink: how many clients do you want to link to a single 1Gbit connection? And how many of them are 2.4GHz clients that are competing for three non-overlapping channels? One problematic client can slow the rest down. The 3502s are pretty terrific at problem isolation, finding where bluetooth or microwaves or (in my case) radar are interfering with your wireless and dynamically working around that.

e: I have two of them in a 30-person office in Australia and the people go across the street to the coffee shop and still have wireless.

ee: WLC best practices is a really good doc. I was especially happy with config ap syslog host global to log what my APs are doing.
# Sep 1, 2012 00:18
I would approach it that your boss is being unfair to the helpdesk guy. An ASA is a non-trivial responsibility, a complex device and puts a neophyte in a position where s/he can put the business at risk. I think both have their hearts in the right place -- it's good to want to elevate lower-tier IT personnel and I like someone who wants to learn. But the person put in a security position needs to understand the stakes and be trained properly. If your boss won't listen to you, then it's his risk to absorb and you warned him. Maybe that horse ain't thirsty.
# Sep 7, 2012 00:48
Devil's advocate: there are people I've underestimated who improved dramatically once they got out of the constantly-interrupted world of helpdesk/desktop support. Having to follow instructions to perform a process may only mean the person has no time to absorb the how/why because they need to get back to helping that executive secretary with her Outlook. But you're not wrong to be concerned.
# Sep 7, 2012 00:58
GOOCHY posted: Annoying...
# Sep 8, 2012 00:13
Only the first subnet. These get lumped together because of how the binary works. The last subnet in your example (the "all ones" subnet) is not affected by whether ip subnet-zero is on or not. The class C network with the /26 mask would have the .192 subnet available, regardless. It was recommended that you didn't use the all-ones subnet since, for example, 192.168.1.255/24 and 192.168.1.255/26 in binary, subnet bolded:

/24: **11000000 10101000 00000001** 11111111
/26: **11000000 10101000 00000001 11**111111
# Sep 13, 2012 02:57
It used to be recommended that you didn't use either all-zeroes or all-ones. That might be why they're saying that. I'd wager the test definitely won't pull a gotcha question on that one, but I don't know for sure.
# Sep 13, 2012 03:14
No, use 'em or lose 'em. You have to work to engineer your network to have a problem with zeroes or ones networks.

edit: DHCP servers don't misconfigure subnet masks. And some guy in 1995 says not using them is obsolete. http://www.ietf.org/rfc/rfc1878.txt

Bluecobra posted: I also recently found a reseller that sells Twinax 10GbE cables for dirt cheap which helps keep connectivity costs down for shorter cable runs.
# Sep 13, 2012 03:39
Anyone who tells you subnetting was easy while they were learning it is either lying or really loving smart. For me, it really helped to break it down to the binary. Subnet mask calculators can often do this for you.

abigserve posted: If you are already a cisco switching shop then it's a no-brainer, any benefit (cost or otherwise) you might get from going Arista or Force10 would be immediately lost by having to support another product from another vendor.

Equipment that runs right doesn't need supporting...
# Sep 13, 2012 03:48
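The subnet-zero exchange above (the 192.168.1.0/24 split into /26s, the all-zeros subnet that ip subnet-zero unlocks, the all-ones subnet it never touches, and "break it down to the binary") is easy to check with the standard-library ipaddress module. The block below is an added example, not code from the thread or from any poster; it models the stated IOS behaviour (ip subnet-zero affects only the first subnet) as a plain Python rule and reproduces the binary lines from the post with the subnet bits split from the host bits so the "bolded" part is explicit.

```python
import ipaddress


def subnets(network: str, new_prefix: int):
    """All subnets of `network` at `new_prefix`, in address order."""
    return list(ipaddress.ip_network(network).subnets(new_prefix=new_prefix))


def split_binary(addr: str, prefix: int):
    """Binary form of an IPv4 address split into (subnet bits, host bits) at `prefix`.

    This is the "subnet bolded" view from the thread: the first `prefix` bits are
    the network/subnet portion, the rest are host bits.
    """
    bits = "".join(f"{octet:08b}" for octet in ipaddress.ip_address(addr).packed)
    return bits[:prefix], bits[prefix:]


def usable_subnets(network: str, new_prefix: int, subnet_zero: bool):
    """Subnets the router will let you assign, modelling the rule stated in the thread:
    ip subnet-zero only unlocks the first (all-zeros) subnet; the last (all-ones)
    subnet is available regardless of that setting."""
    subs = subnets(network, new_prefix)
    return subs if subnet_zero else subs[1:]


def broadcast_pair(network: str, new_prefix: int):
    """(parent network broadcast, all-ones subnet broadcast) as strings.

    These are the same address, which is the ambiguity behind the old advice
    to avoid the all-ones subnet."""
    parent = ipaddress.ip_network(network)
    last = subnets(network, new_prefix)[-1]
    return str(parent.broadcast_address), str(last.broadcast_address)


if __name__ == "__main__":
    for s in subnets("192.168.1.0/24", 26):
        print(s, "usable without subnet-zero:", s in usable_subnets("192.168.1.0/24", 26, False))
    for prefix in (24, 26):
        net, host = split_binary("192.168.1.255", prefix)
        print(f"/{prefix}: {net} | {host}")
    print("parent vs all-ones broadcast:", broadcast_pair("192.168.1.0/24", 26))
```

Running it lists the four /26 subnets, shows that only 192.168.1.0/26 drops out when subnet-zero is off while 192.168.1.192/26 stays available, and prints 192.168.1.255 as the broadcast of both the /24 and its all-ones /26.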
Thanks, Bluecobra, that is great info. Are you running 8.3.12 on your S4810s? We deployed an early version (8.3.7.3) because it had stacking capability. We recently ran into a bug where a pair came unstacked and have to upgrade.
# Sep 13, 2012 19:48
Yeah, I have similar constraints. I pretty much never upgrade unless I need a fix or a feature. I, too, lack test infrastructure -- somehow that S4810/Z9000 test lab I posit always gets struck from the budget... I figured the full stack had to reboot for the upgrade, but was going to search to see if they had some "warm upgrade" path. So you saved me that time -- thanks again. [/force10chat]
# Sep 13, 2012 21:54
Sepist posted: My coworker uses ASDM and I use CLI, I can confirm the eye bleeding. I love Cisco docs
# Sep 19, 2012 01:30
A lot of cable modems listen on 192.168.100.1, if you can try it on the network the inside interface is on. It's often not configurable, but will give you the SNR metrics and whatnot.

edit: rain would also imply a problem at the physical layer. Maybe a splitter with a rusty or loose connection outside needs replacing or tightening?
# Sep 20, 2012 01:11
I see the overload now.
# Sep 20, 2012 04:07
I think what you want is:

ip nat inside source list 1 interface FastEthernet4 overload

e: I'd also remove:

ip route 192.168.1.0 255.255.255.0 Vlan1

That's a connected route on the router and shouldn't need to be static.
# Sep 20, 2012 05:09
Give a thought to Powercrazy's recommendation. I didn't know that was available, and anything that makes NAT simpler is okay in my book.
# Sep 20, 2012 14:09
Well, then, a world called zor is laughing his rear end off directly at you.
# Sep 28, 2012 11:12
He's moved on to bragging about his switch from 2007.
# Sep 29, 2012 06:19