Thanks Ants
May 21, 2004

Bless You Ants, Blants



Fun Shoe

I am totally new to Cisco gear, but I managed to pick up a brand new 7912G for 28, looking at this guide:

http://www.voip-info.org/wiki/view/Cisco+7905%252F7912+IP+Phones

It says I need a service contract to be able to download the latest firmware for it. Where can I buy these service contracts from, and what's the part number I'm after? Cisco's CCO site is less than helpful.

Thanks Ants

Here's hopefully a simple problem. I've recently bought an 867VAE for a remote site that has ADSL and an old router that is dying slowly, and they wanted something a little more robust. I know nothing about IOS and figured that CP Express / Configuration Professional would sort the basic configuration out for me, but they seem to be completely useless.

This is the config I'm running at the moment, built with Configuration Professional 2.6.

code:
surtrcollshop#show run
Building configuration...

Current configuration : 2278 bytes
!
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname surtrcollshop
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
wan mode dsl
!
!
!
ip dhcp excluded-address 192.168.21.1 192.168.21.49
ip dhcp excluded-address 192.168.21.101 192.168.21.254
!
ip dhcp pool ccp-pool1
 network 192.168.21.0 255.255.255.0
 dns-server 8.8.8.8 8.8.4.4
 default-router 192.168.21.1
!
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
ipv6 multicast rpf use-bgp
no ipv6 cef
!
!
!
!
!
!
!
username XXXXX privilege 15 secret 4 XXXXX
!
!
controller VDSL 0
!
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
!
!
!
!
!
!
!
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Ethernet0
 no ip address
 shutdown
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 description $ETH-WAN$
 ip address dhcp client-id GigabitEthernet1
 ip nat outside
 ip virtual-reassembly in
 shutdown
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.21.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer0
 ip address dhcp
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username user@domain.net password 0 XXXXX
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
!
ip nat inside source list 1 interface GigabitEthernet1 overload
!
dialer-list 1 protocol ip permit
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.21.0 0.0.0.255
!
line con 0
 login local
 no modem enable
line aux 0
 login local
line vty 0 4
 login local
 transport input all
!
scheduler allocate 60000 1000
!
end
This setup was originally tested on my desk routing from GE1 (the Ethernet WAN port) and was passing traffic. I then changed the WAN in Configuration Professional to use ADSL and I get a solid ADSL link LED and solid act LED, but no traffic passes. CP shows the ATM0.1 link as having no IP address.

I'm aware that I should probably be using the CLI and not any of the terrible GUI tools, and it's my intention to learn and get my employer to put me through a CCNA course, but for now I just need this thing working.
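The wizard-built config above is only half migrated to the ADSL side: the NAT overload statement and `ip nat outside` are still on GigabitEthernet1, which is shut down, while Dialer0 asks for its address via DHCP instead of IPCP, is not marked `ip nat outside`, and has no default route pointing at it. The Python script below is an added example, not part of the original post and not a Cisco tool. It runs that handful of checks, plus the management-plane leftovers a practitioner would flag, over a constructed, trimmed copy of the posted stanzas and over the same stanzas with the assumed corrections applied. The corrected lines are assumptions based only on what the post shows.

```python
"""Audit trimmed Cisco IOS configs for the 867VAE symptoms discussed above.

Added example, not from the original post or any Cisco tool. Both configs are
constructed: AS_POSTED trims the posted stanzas, FIXED applies assumed fixes.
"""
import re

AS_POSTED = """\
no service password-encryption
interface GigabitEthernet1
 ip address dhcp client-id GigabitEthernet1
 ip nat outside
 shutdown
interface Dialer0
 ip address dhcp
 encapsulation ppp
 dialer pool 1
 ppp authentication pap callin
ip http server
no ip http secure-server
ip nat inside source list 1 interface GigabitEthernet1 overload
line vty 0 4
 login local
 transport input all
"""

FIXED = """\
service password-encryption
interface GigabitEthernet1
 no ip address
 shutdown
interface Dialer0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp authentication pap callin
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
line vty 0 4
 login local
 transport input ssh
"""


def parse_sections(config):
    """Split IOS text into top-level lines and {stanza header: [sub-lines]}."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if line.startswith(" "):
            if current is not None:
                sections[current].append(line.strip())
            continue
        top.append(line)
        # Only interface and line stanzas carry sub-lines these checks read.
        current = line if line.startswith(("interface ", "line ")) else None
        if current is not None:
            sections.setdefault(current, [])
    return top, sections


def audit(config):
    """Return human-readable findings; an empty list means nothing was flagged."""
    top, sections = parse_sections(config)
    findings = []
    # 1. The NAT overload interface must be up and marked 'ip nat outside'.
    for line in top:
        m = re.match(r"ip nat inside source list \S+ interface (\S+) overload", line)
        if m:
            body = sections.get(f"interface {m.group(1)}", [])
            if "shutdown" in body:
                findings.append(f"NAT overload bound to {m.group(1)}, which is shut down")
            if "ip nat outside" not in body:
                findings.append(f"{m.group(1)} lacks 'ip nat outside'")
    # 2. A PPP dialer gets its address from IPCP, not DHCP, and is the outside side.
    for name, body in sections.items():
        if name.startswith("interface Dialer"):
            if "ip address dhcp" in body:
                findings.append(f"{name}: 'ip address dhcp' should be 'ip address negotiated'")
            if "ip nat outside" not in body:
                findings.append(f"{name}: missing 'ip nat outside'")
        if name.startswith("line vty") and "transport input all" in body:
            findings.append(f"{name}: 'transport input all' allows telnet; use 'transport input ssh'")
    # 3. IPCP does not install a default route on its own.
    if not any(line.startswith("ip route 0.0.0.0 0.0.0.0") for line in top):
        findings.append("no default route; expected 'ip route 0.0.0.0 0.0.0.0 Dialer0'")
    # 4. Management-plane leftovers from the wizard.
    if "no service password-encryption" in top:
        findings.append("PAP password stored in clear text (no service password-encryption)")
    if "ip http server" in top and "no ip http secure-server" in top:
        findings.append("plaintext HTTP management enabled and HTTPS disabled")
    return findings
```

Running `audit(AS_POSTED)` produces seven findings and `audit(FIXED)` none. The three changes that make traffic flow are `ip address negotiated` and `ip nat outside` on Dialer0, `ip nat inside source list 1 interface Dialer0 overload`, and `ip route 0.0.0.0 0.0.0.0 Dialer0`; the others are hardening. `service password-encryption` only obfuscates the PAP password as a type 7 string, which is trivially reversible, so it is a speed bump rather than protection, and `transport input ssh` additionally needs `ip domain-name` and `crypto key generate rsa` on the box, which the script does not check.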

Thanks Ants

I think that's left over from me testing it at my desk using GE1 as the WAN, the WAN now is/should be the ADSL modem (PPPoA).

Thanks Ants

lol internet. posted:

I know this is a Cisco thread but I didn't want to create a new thread for this question and since Cisco bought out Meraki, I figured I'd ask here.

I'm probably going to get a Meraki MX60 router. I was wondering if anyone has experience with any of their products. I'm wondering if I can just use it as a home router with the features, or will I need the subscription licenses? I've been having trouble finding info on this online.

You need the license for it to be usable. I've had some Meraki kit, the MX60 arrived with a dead port and it took a while to convince the support guy I wasn't an idiot and to swap it. Then an MR16 died and it took two weeks to get the replacement shipped.

The management is nice and it's really easy, but the quality control of the products and the support sucks poo poo.

Thanks Ants

Would the 867VAE not do what you want?

Thanks Ants

NetExtender is the Sonicwall SSL VPN solution, and it's pretty bad.

Thanks Ants

http://msdn.microsoft.com/en-us/lib...e/dn133793.aspx

Thanks Ants

Look very carefully at the throughput figures. The Netgear stuff is a completely different class and if you had a reason to purchase 5515-X's there is nothing in the Netgear range that won't be slower than your internet connection once you turn up the security features.

CLIs for networking kit are nearly all IOS-esque, at least as far as switching goes.

Thanks Ants fucked around with this message at 19:29 on Dec 22, 2014

Thanks Ants

I think you'd be better off sticking with the ASAs and pushing for some training rather than chucking them out and buying something worse, it will serve you better for the future.

The 5515-X supports failover, so if you have a pair then they might already be set up like that.

Thanks Ants

DHCP assigns the search suffixes for you. For the reasons you're finding I massively prefer VPNs that come with a client because then there's something at the other end to configure the endpoint, and you can do split tunnelling without having to manually add routes.

But yes, if you're doing DHCP over the VPN then that should be able to push a suffix for you, as well as the DNS servers.

Thanks Ants

You can have one primary suffix and then a list of others. I think it's option 119 or something.
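For reference, option 15 carries the single primary suffix and option 119 (RFC 3397) carries the search list, encoded as DNS-style length-prefixed labels, optionally with RFC 1035 compression pointers. The encoder and decoder below are an added example, not from the original posts; the search list and the hand-built compressed payload are made-up test data. The decoder checks every length and pointer before trusting it, because option data arrives over an unauthenticated LAN broadcast and a rogue DHCP server can hand a client anything it likes.

```python
"""DHCP option 119 (RFC 3397 domain search list) encoder/decoder.

Added example, not from the original posts. The search list and the
hand-built compressed payload used with it are constructed test data.
"""

MAX_OPTION_LEN = 255  # single-instance limit; longer lists need RFC 3396 splitting
MAX_LABEL_LEN = 63


def encode_domain_search(domains):
    """Encode suffixes as uncompressed DNS labels (RFC 3397 permits either form)."""
    out = bytearray()
    for name in domains:
        for label in name.strip(".").split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= MAX_LABEL_LEN:
                raise ValueError(f"bad label {label!r} in {name!r}")
            out.append(len(raw))
            out += raw
        out.append(0)  # root label terminates each name
    if len(out) > MAX_OPTION_LEN:
        raise ValueError("search list too long for one option instance")
    return bytes(out)


def decode_domain_search(data):
    """Decode option 119 data, following RFC 1035 compression pointers safely."""
    names, pos = [], 0
    while pos < len(data):
        labels, cursor, jumped = [], pos, False
        while True:
            if cursor >= len(data):
                raise ValueError("truncated name")
            length = data[cursor]
            if length & 0xC0 == 0xC0:  # two-byte compression pointer
                if cursor + 1 >= len(data):
                    raise ValueError("truncated pointer")
                target = ((length & 0x3F) << 8) | data[cursor + 1]
                if target >= cursor:  # must point backwards, otherwise loops are possible
                    raise ValueError("forward or self-referential pointer")
                if not jumped:
                    pos = cursor + 2  # the next name starts after the pointer
                    jumped = True
                cursor = target
                continue
            if length & 0xC0:
                raise ValueError("reserved label type")
            if length == 0:
                if not jumped:
                    pos = cursor + 1
                break
            end = cursor + 1 + length
            if end > len(data):
                raise ValueError("label runs past end of option")
            labels.append(data[cursor + 1:end].decode("ascii"))
            cursor = end
        names.append(".".join(labels))
    return names
```

Two caveats: the encoded list has to fit the option's one-byte length field, so longer lists are sent as several option instances and concatenated per RFC 3396 (this encoder simply refuses oversize input), and not every client honours option 119, so check the OS you are pushing it to before relying on it instead of manual suffix configuration.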

Thanks Ants

MTU mismatch?

Thanks Ants

cheese-cube posted:

Are there any other options?

Send someone else to do it?

Thanks Ants

Tremblay posted:

The number of cases that come in is staggering, and they range from mundane to holy poo poo wtf is happening. I think at one point I was working 100 cases simultaneously. There was another guy on my team that was up around 140.

Thanks Ants

If your switches are crashing then they are broken or are running a buggy firmware. The fix for either of those problems is not a power strip to reset them.

Edit: That came across a bit harsh. You should definitely have monitoring in place so you know when poo poo fucks up, but having stuff in place so you know when things crash isn't a substitute for having an environment that doesn't randomly fall over.

Thanks Ants fucked around with this message at 17:32 on May 28, 2015

Thanks Ants

This http://www.hp.com/rnd/support/manua...Bk2_Ch5_STP.pdf seems to suggest they use 0-65535 as well, but doesn't mention the multiples.

What does the running config show as the spanning tree priority? If you don't get an error typing in "spanning-tree priority 11" then I guess it's rounding somewhere.

Come to think of it, surely if these switches are stacked then the stack is the root bridge? STP confuses me.

Thanks Ants

Nice firewall

Thanks Ants

If you want that then you deploy Aironet or not-Cisco.

Aerohive strike a decent balance - cloud managed but the APs don't require the cloud to be available. If you stop paying your bills then the APs chug on as usual, and you can configure them through SSH if you really want to.

Thanks Ants

Are the firewalls still horrific to configure rules on? Last I checked you couldn't do port translation in a 1:1 NAT scenario, and there was no concept of service groups.

Thanks Ants

Throw the Netgears away before they send you crazy.

Thanks Ants

I just had a Netgear bonfire with some switches that randomly wouldn't pass broadcast traffic and kept dropping packets and shutting ports down at random. gently caress those things.

Thanks Ants

Do you find the performance of the VPNs over "the Internet" and contended links is acceptable in terms of latency/jitter etc? Or are your FTTC lines generally from the same providers as the other circuits so you don't have to deal with peering congestion?

Thanks Ants

Normally the point of a demarc is that your service provider can monitor it to be able to manage the circuit effectively. An unmanaged one being supplied by yourself sort of defeats the purpose of it.

Thanks Ants

That's given to you by the service provider though, and they get to decide what is their problem and what is yours. Whether this is an NTE or just a dumb socket on a wall.

Are you a service provider looking for equipment to deploy or something?

Thanks Ants

Unless it's a really old CGA monitor

Thanks Ants

Because it's a website maintained by Cisco would be my guess

Thanks Ants

SFP+ direct attach confuses me. If you're connecting an Intel NIC to a Cisco switch then do you have to use Cisco cables or what?

How about if you need to connect two different brands of switches together? Just use anything you want and disable the compatibility checks?

Thanks Ants

Are you sure the Windows (I assume) DHCP server is bound to the new adapter?

You might also be performing DHCP snooping, so look at that.

Thanks Ants

You will also need to add a default route pointing at your router IP/virtual IP if you're running HSRP or whatever. And update your DHCP pools to use this address for the gateway.

Thanks Ants

http://www.cisco.com/c/en/us/td/doc...l#pgfId-2560852

Thanks Ants

I have no real issues with ISP handing off with a port set manually, but tell me what you set it to in your circuit documentation! I've even had issues where I've been told to use 100/Full and it turns out their documentation was out of date and autonegotiate was the way to go.

Come on guys, this is important.

Incidentally, I'm quite new to all this (going through my CCNA at the moment) - are the console messages about duplex mismatch a feature of CDP, or does Cisco stuff use some other voodoo to work out that you might have an issue?

Thanks Ants

show firewall

Just by itself?

Thanks Ants

Why do you want layer 3 switches for running two VLANs across a couple of switches? It doesn't sound like there's much requiring routing between the voice and data VLAN so it's fine to let the ASA do that.

As for models, I see a lot of 2960-X being used.

Thanks Ants

It could be as complicated as a public IP address in a /31 subnet and then another subnet of routable IP addresses to use on the inside interface to sit in front of your firewall, but it's probably 30 minutes work including flashing an IOS image if required.

Just make sure that whatever you buy can cope with 100Mbps throughput at Internet-typical packets (I think 512 bytes are used as an average to turn PPS into Mbps numbers). Normal suggestions if you want to take more of a hobbyist approach are Mikrotik as stated already, or an Ubiquiti EdgeRouter. I would expect handoff on copper Ethernet from a piece of NTE equipment.

Thanks Ants

Martytoof posted:

I've got an ASA at work that I've got set up behind a NAT. I've got a Fortigate at home that I have set up using a dynamic DNS name.

I'd like to configure the ASA to create an IPsec tunnel between itself and my home Fortigate, but the VPN wizard in ASDM doesn't allow a domain name for a peer identifier -- it needs an IP address. I don't want to have to re-build the config every time my IP changes at home.

I've had this set up before using two Fortigates since it supports a Dyndns type peer identifier off the bat. Obviously the device at work will have to initiate the connection as it is NATted, itself.

Thoughts?

Can you set the far end IP to 0.0.0.0 and use something other than the IP address as the IKE ID?

Thanks Ants

Would running a virtual router on a cloud provider and pointing your work ASA and home Fortigate at that be an option?

Thanks Ants

I'm intrigued by what you're doing where you can set up an ASA to tunnel back out to your home with no issues from corporate, but running a VPN client on your PC and cracking open an RDP session isn't an option.

Thanks Ants

Are you sure you aren't over-thinking this if it's just for a home network? Is it going to cause you problems if your switches are blowing warm air at the front of your rack?

Could you just open the switches up and flip the fans around?

Thanks Ants

Did I dream something about the Sourcefire and ASDM stuff being rolled into a new web UI later this year?

Thanks Ants

Cool. Do you have any idea what I should be throwing into Google to keep up-to-date with this? I've failed miserably so far.
