|
I need to uplink a stack of Dell PowerConnect 3548s to a Cisco Catalyst 3560. Would a Cisco SFP interconnect cable work or am I going to need to go buy SFP transceivers?
|
# ¿ Jul 10, 2008 22:55 |
|
|
Forgive a virtual repost from 1 page ago, but I am having a bear of a time with vendors here and am finding it difficult to find the information I need. I have 2 Dell 3548s in a stacked config and I need to uplink these things to a Catalyst 3560G. Those Dells are going to be pretty loaded and I figured I would use the SFP ports to uplink since I didn't want to push 96 ports worth of Fast Ethernet traffic over a single Fast Ethernet uplink. My problem is my Dell rep says their SFP transceivers will not work in the Catalyst and vice versa. Is he full of crap or is that pretty much the way it works? Also, if you have any other brilliant solutions to my project I am all ears.
|
# ¿ Jul 15, 2008 15:24 |
|
jwh posted: Buy a Dell SFP, and then buy a Cisco SFP. Multimode.

Thanks for the quick response, jwh. Coming from you I will take this suggestion as my preferred route.
|
# ¿ Jul 15, 2008 16:59 |
|
Yeah, I know. My problem though is that the 3560 is acting as the core switch at a branch office for about 8 servers, so I needed a simple way to uplink the 96 ports of Fast Ethernet traffic from the Dell 3548s to it. I figured I would use the SFP ports since they were already there not doing anything.
|
# ¿ Jul 15, 2008 18:56 |
|
Doing a bit of research on Cisco's site, it appears one of the selling features of the add-in IPS sensor for the ISR routers is that it has a "complete" IPS signature set. Is it really that much different from the built-in IPS on, say, the 1841?
|
# ¿ Jul 29, 2008 04:00 |
|
Tremblay posted: Yes, and with AIM-IPS you get hardware acceleration. I don't know how much traffic you are pushing so I can't really comment as to what is appropriate. Give presales a call?

Not much traffic at all really. The idea is to come up with a complete firewall solution for this branch in question. There is going to be an ASA 5510 with the CSC-SSM installed. The office already has an 1841 in place and we just didn't know if there was that much of a feature difference to use the add-on sensor vs the built-in IPS in the IOS.
|
# ¿ Jul 30, 2008 02:55 |
|
Two small questions: 1) We just put an ASA 5510 with CSC-SSM in at our home office. We have an 1841 in place now doing routing and NAT. Does the ASA have the same capabilities as the 1841 and could I replace the 1841 entirely? 2) If I set up an 1841 as a DNS forwarder at a remote site, will it forward dynamic DNS registrations?
|
# ¿ Sep 5, 2008 21:20 |
|
Is it possible to assign two IPs to the same interface on an ASA 5510?
|
# ¿ Sep 9, 2008 21:44 |
|
Powercrazy posted: I'd imagine that you can do sub-interfaces. But I'd have to ask what you are trying to do.
|
# ¿ Sep 10, 2008 01:41 |
|
We are using the CSC-SSM with the Plus license. It was entirely worth it. Having the edge device kill SMTP connections based on reputation services has saved quite a bit in bandwidth usage. Which brings me to a question: I would desperately like some method of reporting on traffic in and out of the ASA (total usage in a 24 hour period, top talkers, etc.) but the ASA 5510 doesn't have NetFlow. My gut keeps telling me that syslog is the answer and I am dicking around with Kiwi right now but I'm still missing something. What piece of the puzzle would I need here to be able to put together a traffic analysis system for not much moola?
|
# ¿ Sep 26, 2008 19:57 |
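One way to get "total bytes in 24 hours" and "top talkers" out of ASA syslog without NetFlow, as an added example that is not from the thread or from any Cisco tool: the connection-teardown messages (IDs 302014 for TCP and 302016 for UDP) carry a `bytes` counter for the whole connection, so a syslog collector only needs to parse those lines and sum per inside host. The sample log below is constructed to the documented message shape, the interface name `inside` and the addresses are assumptions, and the script reads lines from a string so it runs offline.

```python
import re
from collections import defaultdict

# The byte counter lives in ASA connection-teardown messages, IDs 302014 (TCP)
# and 302016 (UDP). Syslog collectors prepend a timestamp and hostname, so the
# pattern is searched for inside the line rather than anchored at its start.
TEARDOWN_RE = re.compile(
    r"%ASA-\d-3020(?:14|16): Teardown (?P<proto>TCP|UDP) connection \d+ "
    r"for (?P<if_a>\w+):(?P<ip_a>[\d.]+)/\d+ "
    r"to (?P<if_b>\w+):(?P<ip_b>[\d.]+)/\d+ "
    r"duration [\d:]+ bytes (?P<bytes>\d+)"
)

# Constructed sample, not captured from a real device; addresses are from the
# RFC 5737 documentation ranges and RFC 1918 space.
SAMPLE_LOG = """\
Sep 26 19:57:01 asa01 %ASA-6-302014: Teardown TCP connection 112233 for outside:203.0.113.10/443 to inside:192.168.10.25/49152 duration 0:00:12 bytes 184320 TCP FINs
Sep 26 19:57:03 asa01 %ASA-6-302016: Teardown UDP connection 112240 for outside:198.51.100.53/53 to inside:192.168.10.25/51000 duration 0:00:00 bytes 312
Sep 26 19:57:05 asa01 %ASA-6-302014: Teardown TCP connection 112250 for outside:203.0.113.20/80 to inside:192.168.10.40/52000 duration 0:01:30 bytes 5242880 TCP Reset-I
Sep 26 19:57:09 asa01 %ASA-6-302013: Built inbound TCP connection 112260 for outside:203.0.113.30/34567 (203.0.113.30/34567) to inside:192.168.10.50/25 (192.0.2.5/25)
Sep 26 19:57:20 asa01 %ASA-6-302014: Teardown TCP connection 112260 for outside:203.0.113.30/34567 to inside:192.168.10.50/25 duration 0:00:11 bytes 2048 TCP FINs
"""


def parse_teardown(line, inside_if="inside"):
    """Return (inside_host, bytes) for a teardown line, None for any other line.

    The byte count is the two-way total for the connection, so per-direction
    figures are not recoverable from this message alone.
    """
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    # Either side may be listed first; pick the one on the inside interface.
    for side in ("a", "b"):
        if m.group("if_" + side) == inside_if:
            return m.group("ip_" + side), int(m.group("bytes"))
    return None  # e.g. DMZ-to-outside traffic; not attributed to a LAN host


def account(lines, inside_if="inside"):
    """Sum bytes per inside host across all teardown messages in `lines`."""
    totals = defaultdict(int)
    for line in lines:
        parsed = parse_teardown(line, inside_if)
        if parsed:
            host, nbytes = parsed
            totals[host] += nbytes
    return dict(totals)


def top_talkers(totals, n=5):
    """Hosts ordered by bytes, highest first."""
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    totals = account(SAMPLE_LOG.splitlines())
    print("total bytes:", sum(totals.values()))
    for host, nbytes in top_talkers(totals):
        print(f"{host:16} {nbytes:>12}")
```

Two caveats for anyone building on this: the counter is reported only when the connection ends, so a long-lived transfer lands entirely in the window in which it was torn down, and a connection that is still open when the report runs is invisible. Built messages (302013) carry no byte count and are ignored here on purpose.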
|
jwh posted: I'm no PIX expert, but I think you need to trigger the NAT engine regardless, even if it's rewriting an address back to what it was originally.

We are doing exactly this, so I would say that is an affirmative.
|
# ¿ Sep 29, 2008 21:25 |
|
Oh. So you mean he wanted to actually assign the host itself a public IP and have that route through the ASA and have it translated to the same IP? Yeah, that's goofy; just use 1-to-1 NAT.
|
# ¿ Sep 30, 2008 18:00 |
|
In the same vein as the previous post, I had an ASA 5505 preconfigured and shipped out to a remote site by a vendor. The device is responding to pings on its outside interface, the VPN back home is up, I can SSH in, I can talk to hosts on the inside of the ASA, however the ASA itself will not respond to my pings from its inside interface nor can I get into the ASDM. I can SSH into the outside interface but I am worthless once at the console. What should I be looking for?
|
# ¿ Oct 4, 2008 00:50 |
|
Fantastic. I will learn this crap yet. Ok, here is another one. I have an 1841 at a branch office with the following interfaces:

- Serial 0/0 - Private WAN link back to home office
- Eth 0/0 - Internet connection for this branch office
- Eth 0/1.1 - VLAN1 for branch office users
- Eth 0/1.2 - VLAN2 for guest wireless access

I need to set up ACLs that allow the VLAN2 users to only route through Eth 0/0 to get to the internet and prevent them from getting to any of the private network segments. I was playing with ACLs Friday afternoon on this device and I'm not sure how, but in one single click of apply through the SDM I brought the entire building down and locked myself out from fixing it. Had to drive 30 minutes after work to bring it back up.
|
# ¿ Oct 5, 2008 14:47 |
|
Criminey. I didn't know about the implicit deny once you build the ACL. That sure explains a ton. So does that in turn mean without any ACLs that there is no implicit deny?
# ¿ Oct 6, 2008 22:15 |
|
jwh posted: access-lists are dangerous. Don't forget that the moment you configure one, it automatically gives itself an implicit default deny at the end.

That really is mind boggling. I understand why my network guy took a better offer now. On the other hand I am extremely glad I am learning this stuff. I think I will set up an ACL on the 'in' direction of my guest VLAN to deny traffic to the production networks. Provided this project works fine, my next one is going to be to set up a VPN across the internet connection that production network users can use if the serial connection ever fails.
|
# ¿ Oct 7, 2008 02:46 |
|
Is route failover possible using static routes? What I have is an 1841 with a serial connection and also a VPN connection to my home office. If I simply build two static routes, one with higher cost, will route failover occur if the lower cost route becomes unavailable?
|
# ¿ Oct 13, 2008 14:33 |
|
inignot posted:

This is... well, fantastic. I'm astounded more every day how much the SDM sucks. Good grief.
|
# ¿ Oct 13, 2008 17:01 |
|
I've got a Server 2003 machine I am trying to run ASDM on and every time I do, I log in, the software downloads, then it crashes and closes. I've tried uninstalling and reinstalling both Java and the ASDM launcher to no effect. Has anyone seen this behavior before? Man, I hate Java.
|
# ¿ Oct 22, 2008 15:02 |
|
Is it possible to load balance across a point-to-point private link and an internet-connected VPN? I am installing backup connections in several branch offices and thought to myself "self, that would be a pretty neat use of resources if the backup connection could actually team up with the primary connection during normal business."
|
# ¿ Nov 6, 2008 20:21 |
|
inignot posted: If both connections are running a dynamic routing protocol & you can fiddle around with the metric such that they are equal, then yes. I would suspect the two connections have differing bandwidth & latency characteristics, so load balancing could result in unpredictable consequences.

I like that answer. I had a local vendor tell me it wasn't possible but I didn't see a reason why it wouldn't in my small mind.
|
# ¿ Nov 7, 2008 14:48 |
|
jwh posted: I'd bet you'll run into some issues. Differences in effective MTU being one of them. I'm not sure how well machines using both paths will cope with that.

You think even if I did per-destination balancing to ensure the same flow stays on one link?
|
# ¿ Nov 7, 2008 15:36 |
|
jwh posted: That would probably be okay, but (and you already know this), a single flow will never see the combined bandwidth. I guess if you're just looking for load sharing, then, yes, this would probably work pretty well.

Awesome. This is what I was hoping for. As long as the secondary link is actually doing something and not just sitting there then the goal is accomplished. Even if I am not getting anywhere near a 50/50 balance, I am still having the secondary link hold some load and this is good for everyone.

Edit: Haha, my Cisco sales rep's engineer just called me to talk about this and he said it sounded like a great idea in theory; he was just concerned about the complexity of the setup and the difficulty in troubleshooting should there be a problem. Nothing like taking the local expert to a solution he's never done before.
# ¿ Nov 7, 2008 16:25 |
|
Syano posted: Awesome. This is what I was hoping for. As long as the secondary link is actually doing something and not just sitting there then the goal is accomplished. Even if I am not getting anywhere near a 50/50 balance, I am still having the secondary link hold some load and this is good for everyone.

For anyone that cares, my vendor engineer and I game planned the setup this morning for a solution like I was mentioning and we definitely found a couple of caveats. What we are going to end up doing is GRE tunnels with EIGRP and in theory this should load balance across the private T1 and the VPN just fine.
|
# ¿ Nov 11, 2008 18:52 |
|
jwh posted: So you decided to do equal cost multipath?
|
# ¿ Nov 11, 2008 19:12 |
|
jwh posted: Does the tunnel and the T1 terminate on the same device at the other end?

It will. Part of the solution is to upgrade us to a 3825 with enough WICs to terminate all our private leased lines along with all the internet VPNs at the home office, and each branch office will terminate the VPN and leased line at an 1841. That way we will have a single core device making routing and failover decisions.
# ¿ Nov 11, 2008 21:58 |
|
Although unsolicited, I wanted to throw this out there because it has been a thorn in my side for weeks now. I was having a huge bear of a time with VLANs and policy based routing until I found one small little config error. To get an outside interface to work with PBR you have to run 'no ip verify unicast reverse-path'. Until then it will act like it wants to work and has been a monster for me to troubleshoot.
|
# ¿ Nov 14, 2008 16:44 |
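Why `ip verify unicast reverse-path` (strict unicast RPF) fights policy-based routing, and what is given up by turning it off, as an added example that is not from the thread and not a Cisco tool. The topology is an assumption built from the earlier posts: the branch's default route goes over the serial link to the home office, the local Internet circuit carries only the policy-routed guest VLAN, and interface names follow the 1841's FastEthernet naming. Strict uRPF accepts a packet only if the route back to its source leaves through the interface the packet arrived on; with PBR the forward path bypasses the routing table, so replies come back on an interface the table would never have chosen and get dropped as spoofed.

```python
import ipaddress


class Router:
    """Minimal routing table with longest-prefix match and both uRPF modes."""

    def __init__(self):
        self.routes = []  # (network, egress interface)

    def add_route(self, prefix, iface):
        self.routes.append((ipaddress.ip_network(prefix), iface))

    def lookup(self, ip):
        """Egress interface for `ip` by longest-prefix match, or None if no route."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def urpf_strict(self, src_ip, ingress):
        """'ip verify unicast reverse-path' (reachable-via rx): the route back
        to the source must leave through the interface the packet came in on."""
        return self.lookup(src_ip) == ingress

    def urpf_loose(self, src_ip):
        """'ip verify unicast source reachable-via any': any route at all will do."""
        return self.lookup(src_ip) is not None


def branch_router():
    """Constructed branch topology (an assumption, not the poster's config):
    default route over the private T1 to the home office; the local Internet
    circuit is used only by policy-routed guest traffic."""
    r = Router()
    r.add_route("0.0.0.0/0", "Serial0/0")               # default via home office
    r.add_route("10.0.0.0/8", "Serial0/0")               # corporate networks
    r.add_route("203.0.113.0/30", "FastEthernet0/0")     # ISP link subnet
    r.add_route("192.168.1.0/24", "FastEthernet0/1.1")   # VLAN1 users
    r.add_route("192.168.2.0/24", "FastEthernet0/1.2")   # VLAN2 guests
    return r


if __name__ == "__main__":
    r = branch_router()
    # The reply to a guest's policy-routed web request arrives on the ISP link,
    # but the table says its source is reachable via Serial0/0: strict drops it.
    print("reply, strict:", r.urpf_strict("198.51.100.7", "FastEthernet0/0"))  # False
    print("reply, loose: ", r.urpf_loose("198.51.100.7"))                    # True
    # A packet from the Internet forged with an internal source address:
    print("spoof, strict:", r.urpf_strict("192.168.1.5", "FastEthernet0/0"))  # False
    print("spoof, loose: ", r.urpf_loose("192.168.1.5"))                    # True
```

The last two lines are the trade-off. Strict mode was the control that stopped a forged 192.168.1.x source from coming in on the Internet interface; loose mode (or removing the check, as in the post above) lets it through because a route for that prefix exists somewhere. If uRPF has to go on a policy-routed interface, an inbound ACL that denies the internal and RFC 1918 prefixes as sources on that interface puts the anti-spoofing back.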
|
I have an ASA 5505 at a remote site that I am having a bit of an issue with. I only have the base 10 user license, but at the same time there are only a total of 7 IP hosts in the office. I've got a couple of hosts inside that are refusing to talk outside that remote LAN. The ASA shows that all 10 licenses are in use and syslog is telling me it is denying connections based on the number of licenses being exceeded. I SSHed into the device and ran clear xlate but I can't seem to clear up the number of used licenses. What am I missing here?

EDIT: I had a user at the remote site power cycle the device and it is now working properly. Does clear xlate not clean up licensing issues?
# ¿ Dec 10, 2008 20:50 |
|
I have got an ASA 5510 with the CSC-SSM installed that is freaking out. The ASA itself is sitting right around 85% memory usage and climbing. The CSC-SSM is even higher and last night delivered a failure to download virus defs, which is the first time it has ever done that. Then this morning, it emails me and says I am in license violation to the tune of, oh, about 134 MILLION licenses. Um, what is this thing doing?
|
# ¿ Jan 1, 2009 17:28 |
|
We only have about 10 total routers in our organization and really cannot fit in our budget tools like Solarwinds. Does anyone have any suggestions on something that could help us backup configs and reload them if necessary?
|
# ¿ Jan 14, 2009 16:03 |
|
InferiorWang posted: I'm not sure about reloading routers, but I figure that's not something you're doing often. For backup purposes, check out Rancid:

I got excited until I looked around for a win32 version. I'm not scared of some *nix, I just have almost zero skillset there.
|
# ¿ Jan 14, 2009 22:44 |
|
I have a lot of guest access machines on private VLANs that are eating up my internet bandwidth with connections to windows update after a big patch release day (like yesterday). Is there a way to configure an ASA with a firewall rule that blocks access to windowsupdate to everyone but my WSUS server?
|
# ¿ Jan 28, 2009 23:24 |
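An added example, not from the thread and not a Cisco tool, that models the access-list behaviour behind two posts above: the implicit deny that took the building down when the guest VLAN ACL was first applied (Oct 6-7, 2008), and the "everyone except the WSUS server" rule asked about just above. IOS and ASA access lists are both evaluated top-down, first match wins, and any non-empty list ends in an implicit `deny`; an interface with no access list applied is the only case with no implicit deny. Addresses, the WSUS host and the `UPDATE_NETS` prefix standing in for the update servers are assumptions; the IOS lines in the comments are the equivalent configuration for the guest case.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Ace:
    """One access-list entry. dport is only meaningful for tcp/udp."""
    action: str                # "permit" or "deny"
    proto: str                 # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None


def ace(action, proto, src="any", dst="any", dport=None):
    net = lambda s: ANY if s == "any" else ipaddress.ip_network(s, strict=False)
    return Ace(action, proto, net(src), net(dst), dport)


class Acl:
    def __init__(self, *entries):
        self.entries = list(entries)

    def evaluate(self, proto, src, dst, dport=None):
        """Return (verdict, matched entry index).

        No entries at all: permit (nothing applied, nothing denied).
        Otherwise: first matching entry wins; if none matches, the implicit
        deny that every configured access list ends with."""
        if not self.entries:
            return "permit", None
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for i, e in enumerate(self.entries):
            if e.proto != "ip" and e.proto != proto:
                continue
            if s not in e.src or d not in e.dst:
                continue
            if e.dport is not None and e.dport != dport:
                continue
            return e.action, i
        return "deny", "implicit"


# The Friday-afternoon version: deny lines only. Applied inbound on the guest
# sub-interface it blocks guests from everything, Internet included; applied
# on the wrong interface it locks the admin out too.
GUEST_ACL_BROKEN = Acl(
    ace("deny", "ip", "192.168.2.0/24", "192.168.1.0/24"),
    ace("deny", "ip", "192.168.2.0/24", "10.0.0.0/8"),
)

# Equivalent IOS for the corrected list (assumed addresses):
#   ip access-list extended GUEST_IN
#    deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
#    deny   ip 192.168.2.0 0.0.0.255 10.0.0.0 0.255.255.255
#    permit ip any any
#   interface FastEthernet0/1.2
#    ip access-group GUEST_IN in
GUEST_ACL_FIXED = Acl(
    ace("deny", "ip", "192.168.2.0/24", "192.168.1.0/24"),
    ace("deny", "ip", "192.168.2.0/24", "10.0.0.0/8"),
    ace("permit", "ip", "any", "any"),
)

# Windows Update case on the ASA inside interface. UPDATE_NETS is a placeholder
# prefix, not Microsoft's real address space.
WSUS = "192.168.1.20"
UPDATE_NETS = "203.0.113.0/24"
WSUS_ACL = Acl(
    ace("permit", "tcp", WSUS + "/32", UPDATE_NETS, 80),
    ace("permit", "tcp", WSUS + "/32", UPDATE_NETS, 443),
    ace("deny", "tcp", "any", UPDATE_NETS, 80),
    ace("deny", "tcp", "any", UPDATE_NETS, 443),
    ace("permit", "ip", "any", "any"),
)


if __name__ == "__main__":
    web = ("tcp", "192.168.2.10", "198.51.100.7", 80)   # guest to the Internet
    print("broken:", GUEST_ACL_BROKEN.evaluate(*web))   # ('deny', 'implicit')
    print("fixed: ", GUEST_ACL_FIXED.evaluate(*web))    # ('permit', 2)
    print("wsus:  ", WSUS_ACL.evaluate("tcp", WSUS, "203.0.113.9", 443))      # ('permit', 1)
    print("guest: ", WSUS_ACL.evaluate("tcp", "192.168.5.7", "203.0.113.9", 80))  # ('deny', 2)
```

On the WSUS rule, one caveat worth knowing before relying on it: Windows Update is served from address ranges that change, so a destination-IP ACL will drift out of date; matching on the destination name at a URL-filtering or proxy layer is the more durable place for that control, with the ACL as the backstop.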
|
Speaking of controllers, at what point does one make sense and where do you put it? We will have, after this month, a total of 53 1130AGs in the field all on multiple VLANs with at least 2 SSIDs. Can a controller even handle that many APs?
|
# ¿ Feb 17, 2009 18:20 |
|
Ok, so I set up a syslog server today and enabled logging on my core router and started receiving syslogs. Next, I move to one of my remote routers, enable logging, and nada. I dick around with it for about an hour and finally have a vendor confirm he can receive syslogs from the device (an 1841 ISR, by the way) but I still can't. As is the case a lot of the time, I figure I move on to the next project and let this problem marinate till I figure out what's up. Well, my next project is starting to archive configs of these same devices. So I fire up Pumpkin, log in to the same 1841 and try to TFTP the config. Again, nada. Session times out with no bytes transferred. Then it hit me: syslog and TFTP are both UDP traffic. What in the world could be preventing UDP traffic from coming across this link? For the details, it is a point-to-point T1 with an 1841 at the remote site and an Adtran NetVanta 3200 at the home site. Both routers are pretty darn vanilla with their configs. No fancy ACLs or what not. The remote router has PBR enabled but that is about the only thing out of what I would call the ordinary. Could DHCP relay be redirecting all UDP traffic instead of just DHCP? I know this is not strictly a Cisco question but I hated to start a new thread just for this small issue.
|
# ¿ Feb 21, 2009 04:02 |
|
jwh posted: Craft an acl to match syslog traffic, and then term mon, followed by debug ip pack xxx detailed where xxx is your acl you created. Make your acl as specific as possible, because routers hate debug ip packet.

Excellent. Debugging is something new for me in my journey through the world of Cisco. Looks like I have a project come Monday morning.
|
# ¿ Feb 21, 2009 15:31 |
|
Ok so I have my project of multiple BSSIDs and policy based routing working perfectly. Guests in our facilities now can connect to an SSID on a different VLAN and Policy Based routing plus some ACLs keep them on a separate, dedicated internet connection. Great! But now an unfortunate side effect. We recently had a guest absolutely suck the 2 meg internet pipe provided to that VLAN dry. I am trying to brainstorm a way to prevent this from happening in the future without having to spend too much money. Like for instance if there was a way to reset the connection every hour to blow away any large file transfers or something similar. I'm not sure that even makes sense I am just trying to brainstorm. For reference, the access points are 1130AGs and the routers handling the PBR are 1841s.
|
# ¿ Apr 3, 2009 14:34 |
|
Here is something you guys might find interesting. I had an 1841 set up with 1 point-to-point T1 and an internet connection along with 2 sub-interfaces on 2 separate VLANs. I had policy based routing enabled and ACLs put in place so that traffic on VLAN 2 would only route across the internet connection. Well, when it was all set up, I found that I had IP connectivity with no trouble whatsoever, but name resolution would absolutely not occur via this VLAN. I went back and forth with this for days thinking I was insane. So, me being a relative newbie with Cisco gear, I call up my vendor and have them sic their engineer on it. He also is having a huge time figuring this out. He goes so far as to get in touch with the ISP and finds that what is happening is that the name resolution requests are getting sent properly but they are being sourced from the wrong interface, so therefore the responses are not getting back. They both end up spending about a week in testing with Cisco's engineers and lo and behold: we found a new, previously unknown IOS bug. Just thought it was interesting. I have never been privy to finding unknown flaws or bugs before.
|
# ¿ May 20, 2009 15:01 |
|
What sort of performance can I expect from an 1130ag radio? What I mean is for instance what is the maximum number of connected clients and what sort of bandwidth can this thing chug out with multiple clients connected? I have a vendor that is trying to steer me away from running multiple VLANs on a set of these things because of the potential for it to impact business application performance. I am trying to figure out if he is just trying to sell me more stuff or if his fear holds water.
|
# ¿ Jul 6, 2009 22:31 |
|
|
ior posted: We try to limit the number of concurrent users to max 20 but there really is no limit. However they all share the available bandwidth in the (I'm assuming) 2.4 GHz band which will give you about 22 Mbit/s per non-overlapping channel. In the 5 GHz band there are lots and lots of channels, but the same applies there.

This is interesting information. I can definitely see a potential problem if I had multiple users choking down some torrents or streaming video or something. I can also really see the advantage of toggling my A radio bands on, if only my clients could use them. Lucky thing is though I am only going to be pushing RDP traffic on the business end of things and the bottleneck for anyone else is going to be the 3 meg internet pipe and not the radios. Thanks for the information.
|
# ¿ Jul 7, 2009 13:48 |