Tetramin
Apr 1, 2006

I'ma buck you up.
I have a kind of stupid and probably simple problem, just don't want to open up a TAC case yet..

I have 7 48-port Catalysts in a FlexStack. Every couple of days a few ports randomly die and provide limited connectivity according to Windows. Lately I've just been shutting and unshutting the interfaces and it fixes it. sh int status shows that it's connected and I can see which MAC address is connected to it.. I really wonder if it's a Windows thing since I've been seeing Windows 10 set our wireless network to 'unidentified' until the adapter is repaired recently. But has anybody had to play weird interface whack-a-mole with Catalysts? I checked the FlexStack status and it all checks out.

E: I'd also like to take a moment to say that IOS would be cooler if you could set config changes and then just apply them rather than the 'instantly apply!!' behavior. We're setting up a new VLAN at this site because we need to re-IP them with minimal downtime. Sitting around changing access VLANs as the sysadmins change the statics on our servers and printers 1 by 1 is loving tedious. Since we're not ready to fully cut over to the new VLAN I can't just apply them to all access ports. Would be nice to modify the config, and just jump on to apply the config rather than sitting there the entire change period tonight.

Tetramin fucked around with this message at 16:59 on Mar 13, 2019


Tetramin
Apr 1, 2006

I'ma buck you up.

GreenNight posted:

Our current model desk phones are the 7942g which is 10/100 switch inside. What's the cheapest gig phone that looks similar? 7945?

Yeah probably. The 8 series models are more reliable IME but like quadruple the price of the 7945 so I’d go with that on a tight budget.

Tetramin
Apr 1, 2006

I'ma buck you up.
Man I wish we could do that for replacements. Our IPT bucket for random replacements and poo poo is 10k, I have like 5 requests for 8811 replacements and a few requesting new 8961s... that’s gonna eat up most of our phone budget and it’s only March.

Tetramin
Apr 1, 2006

I'ma buck you up.

Partycat posted:

As I’ve said about a million times they are end of life - UCM 14+ will not support any model that is past end of support dates so you’re doing yourself a disservice.

8811s are $120 or less in bulk, they support ECHDE and are patched and secure. The amount of screaming from people having to go back and replace their old poo poo physically, with that taking time to budget for and actually do, is ever increasing. Totally makes no sense to continue to buy old trash.

You can nose down to 7821/41/61 for budget as well though they feel cheaper than the 8800, or roll Jabber. Lots of options that are not penny wise and pound foolish putting yourself in a corner later.

This guy's environment is still running CAD lol. They're not getting anywhere close to current for a very, very long time.

E: I’ve convinced the bosses to get UCCX for the 25-person call center at a recent acquisition, which is our only choice to replace their current functionality. Our CTO is loving making GBS threads himself at what we're about to pay, but long term I guess it’s cheaper than paying for their PRIs.

Tetramin fucked around with this message at 02:04 on Mar 15, 2019

Tetramin
Apr 1, 2006

I'ma buck you up.
Oh lol. Years dealing with phones makes me associate with Cisco agent desktop, especially because you brought it up while talking about 7942s

Tetramin
Apr 1, 2006

I'ma buck you up.
Using a 5500 wireless controller. Trying to move a network from VLAN 1 to 10, have the switchports trunked with a native VLAN of 10. The wireless clients can't get DHCP addresses. They do show 'auth: no' for each client but forgetting and rejoining the network doesn't work. We are using FlexConnect to define each SSID's VLAN. I've read about defining a new interface where you can set DHCP servers, but I thought FlexConnect overrides the interface settings? Obviously the FlexConnect VLAN tagging is changed from 1 to 10, and I set the VLAN settings in Advanced like this:
(we use centralized DHCP, and the guest VLAN and VoIP vlan work fine). I really think I should define an interface for this new vlan but I'm getting pushback so I can't try creating it.


Anybody have any idea?

Tetramin
Apr 1, 2006

I'ma buck you up.
We have ip helper on the router pointing to centralized DHCP.


adorai posted:

if 10 is the native, why are you telling it to tag?

So yeah I think you nailed it here. I got a TAC person to help out and they changed the tagging in flex connect back to 1, and it started working. If the trunked switch ports have a native vlan specified you really just set the tagging to 1? The TAC engineer seemed extremely confused that this worked so I still don’t really have a clear answer.


E: yeah I’ve always just changed the vlan tagging in flex connect. The screenshot was from the Advanced page and I only set it as a test when things weren’t working to see if it helped.

Tetramin fucked around with this message at 22:45 on Mar 23, 2019

Tetramin
Apr 1, 2006

I'ma buck you up.

Proteus Jones posted:

For a trunk, the native vlan is untagged. All other VLANs carried by the trunk get tagged. If you're not using other VLANs, then why have it as a trunk?

I am using separate VLANs for both voice and guest WiFi... so yeah, that’s why.

Thanks for the info though that makes sense. I’m surprised the Cisco engineer was so confused.

Tetramin
Apr 1, 2006

I'ma buck you up.

Judge Schnoopy posted:

Our Network engineers have to spin up 2 - 6 ASAs a month. Their current method is some Excel file that they copy into flat text, manually change template values for the specific deployment, and then copy it in over step by step into the CLI.

Their current automation efforts involve Ansible taking over the process of sending the steps through to the CLI, which is only half of the solution. I'm trying to cut them off at the pass to show them how they can have scripts collect the deployment value for them, build a full configuration from a better template, and deliver it to the box without any additional intervention.

It'd be pretty cool if I could script the deployment of new ASAs from copying images to installing and configuring SFR to putting the correct config for the site on there...

We rolled out about 35 ASAs that are subject to a hardware defect and it's been hell replacing them. At the point now where I've got about 15 ASAs to configure (all the rest have been sent/replaced) and just installing the SFR image over FTP takes like 2.5 hours by itself. I do the imaging and configuration locally at my desk before sending them out though.

I haven't done much digging besides checking out the Ansible docs but I have a hard time understanding how you can script the config part to pull the correct info and stuff.. Would be cool to hear more.

Tetramin fucked around with this message at 02:12 on Mar 28, 2019
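The "collect the deployment values, build a full config from a template, hand it off" step Judge Schnoopy describes, as an added example (not code from the thread, and not Ansible): stdlib only, with a constructed template, constructed field names and a constructed site record using RFC 5737/RFC 1918 addresses. The validation is the part worth copying; a bad value in the spreadsheet fails here instead of on the firewall.

```python
"""Build a site-specific ASA base config from one template plus a site record.

Added example, not code from the thread or from Ansible: stdlib only
(string.Template + ipaddress). The template text, field names and the
sample site record are all constructed placeholders, not any real site.
"""
import ipaddress
from string import Template

# Constructed template. Every $field must be supplied by build_values();
# Template.substitute() raises KeyError rather than silently leaving a hole.
ASA_TEMPLATE = Template("""\
hostname $hostname
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address $outside_ip $outside_mask
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address $inside_ip $inside_mask
route outside 0.0.0.0 0.0.0.0 $outside_gw 1
ssh $mgmt_net $mgmt_mask inside
""")

REQUIRED = ("hostname", "outside", "inside", "outside_gw", "mgmt")

# Constructed sample site record (RFC 5737 / RFC 1918 addresses).
SAMPLE_SITE = {
    "hostname": "asa-site01",
    "outside": "203.0.113.10/29",   # interface address with prefix length
    "inside": "10.20.0.1/24",
    "outside_gw": "203.0.113.9",
    "mgmt": "10.99.0.0/24",         # network allowed to SSH to the inside nameif
}


def build_values(site):
    """Validate the site record and derive every template field from it.

    Raises ValueError for a missing key, an address that does not parse,
    a gateway outside the outside subnet, or overlapping inside/outside
    subnets, so a typo in the spreadsheet never reaches the firewall.
    """
    missing = [k for k in REQUIRED if k not in site]
    if missing:
        raise ValueError(f"site record missing {missing}")
    outside = ipaddress.ip_interface(site["outside"])
    inside = ipaddress.ip_interface(site["inside"])
    gateway = ipaddress.ip_address(site["outside_gw"])
    mgmt = ipaddress.ip_network(site["mgmt"], strict=True)
    if gateway not in outside.network:
        raise ValueError(f"gateway {gateway} is not in {outside.network}")
    if outside.network.overlaps(inside.network):
        raise ValueError("outside and inside subnets overlap")
    return {
        "hostname": site["hostname"],
        "outside_ip": str(outside.ip), "outside_mask": str(outside.netmask),
        "inside_ip": str(inside.ip), "inside_mask": str(inside.netmask),
        "outside_gw": str(gateway),
        "mgmt_net": str(mgmt.network_address), "mgmt_mask": str(mgmt.netmask),
    }


def render_config(site):
    """Return the full config text for one site, ready to push or diff."""
    return ASA_TEMPLATE.substitute(build_values(site))


if __name__ == "__main__":
    print(render_config(SAMPLE_SITE))
```

Keep the rendered text under version control and diff it against the running config before pushing; the template gives you one place to fix a mistake across every site.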

Tetramin
Apr 1, 2006

I'ma buck you up.
9.6(3)1 over here

Tetramin
Apr 1, 2006

I'ma buck you up.
Going on a lunch date with our Cisco guy tomorrow. Anybody have any flirting tips, things they like, turn ons, that sort of thing? He seems cute and I don’t want to blow it.

E: my stack of PO numbers is coming too

Tetramin
Apr 1, 2006

I'ma buck you up.

GreenNight posted:

Our call center uses CIPC but we’re migrating them all to Multiline jabber.

We're working on getting CCX in place for the call center at an acquisition; they all use some Avaya softphone. I'm really pushing to upgrade CUCM so we can get them multiline Jabber when we convert them to CUCM rather than deploying IP Communicator or some poo poo, but I doubt it's gonna happen. We are on 11.5 so most people don't see a need to upgrade.

Tetramin
Apr 1, 2006

I'ma buck you up.

Partycat posted:

Multi line works on 11.5 - Jabber 12 shipped with a COP that enables this if you aren’t up on SU . SU6 just came out.

Oh awesome I’ll look into that. Thanks.

Tetramin
Apr 1, 2006

I'ma buck you up.

CrazyLittle posted:

This. If you're thinking of AT&T's metro ethernet products, you can actually request they do exactly this ^^^: "please set my port to auto-negotiate advertising only 100/full" on a 100mbit port.

The other half of the reason why is because they wrote their design document back when Fastethernet was the copper standard and simply never updated them to reflect that "Fastethernet" doesn't exist on gigabit Ciena/Juniper/Cisco hardware ports.

Yeah, I just experienced this at a new site with metro Ethernet. Our “100mb symmetrical” link was auto-negotiating to 100/half duplex, giving us like 10mb actual speed. Got to experience the hell that is AT&T's support too; after 3 auto-closed tickets they finally fixed it.

I don't think the speed 100 was an actual problem, but it negotiates at 1000/full now and speeds are what I expected.

Tetramin
Apr 1, 2006

I'ma buck you up.
Found out 8961s are discontinued today when trying to make a purchase for a phone conversion at a couple of our locations.. Is the 8861 the closest replacement? We have some 8811/8841s but I don't really love those phones, and the 8861 seems pretty similar.

Tetramin
Apr 1, 2006

I'ma buck you up.

GreenNight posted:

We need some UCCX report automation software. Anyone have any recommendations? We’ve been doing it manually for ages and we’re getting too big for that.

Doesn’t CUIC have something for that? I dunno if that’s what it’s still called but it’s always worked fine.

We are currently using Infortel’s ISI until our UCCX implementation is done and it loving sucks.

Otherwise some workforce management type software out there probably does what you need, but for a high price if all you want is reporting.

Tetramin
Apr 1, 2006

I'ma buck you up.

GreenNight posted:

Yeah I've spent the last few weeks migrating users to using Jabber as a softphone. You need the server software to be v12+ and then setup a phone on CallManager that uses Jabber instead of a hard phone.

Cucm doesn’t need to be 12+ for jabber. We run soft phones on 11.5 just fine.

E: err did not see the whole new page. Beaten.

Tetramin
Apr 1, 2006

I'ma buck you up.
I’ve accidentally blown away NATs doing the exact same thing. I have not found a way around it but I hope somebody else has an answer. It seems ASAs like to delete config statements that have dependencies without telling you beforehand. Same thing with removing an ACL (iirc): it will delete your matching crypto map match statement.

Tetramin
Apr 1, 2006

I'ma buck you up.
Been getting flooded with reports from nearly all of our locations of wireless phones dropping calls. Checked the AP settings in the controller and the FlexConnect tagging for our voice subnet was set back to 1 on about HALF of our APs, so phones were re-registering with a VLAN 1 IP when they roamed.

How the gently caress could this happen? They were absolutely all set correctly before. At least the web UI for the wireless controller is a piece of poo poo and loses your search after you go into an AP and fix it.. it's great.

E: it looks like the tagging settings for the affected APs got set to 'WLAN specific', which isn't configured; the ones that remain correct are all AP-specific, hmm.

Tetramin
Apr 1, 2006

I'ma buck you up.
Big cucm conversion coming up, I’ll be on site all week deploying 120 phones, a paging system, speakers etc. These people are extremely used to their current system, and had a bad experience with the conversion to our corporate CMS so they’re understandably nervous.

Finished up setting poo poo up to clone the functionality they currently have today but I wonder how hard the transition will be for them since poo poo is gonna be different.

Also, on a call this week we told them we're going to need some hands to help deploy phones because we fly in at noon, the DID port will take place at 5 and we don’t know where anybody sits. This was met with a long silence.. I’ll probably be getting a 20k in running around the building and will be lucky to get to bed by 2am on the first day.

Tetramin
Apr 1, 2006

I'ma buck you up.

Bigass Moth posted:

Been there done that. Assume they know nothing and will not be helpful at all. Nobody will have a seating chart or even any idea of who the people working there are.

Lol, yeah, I've done a few of these conversions before but nothing this big. The other locations generally had an administrator who was crazy helpful, but this one is shaping up to be a nightmare.

Tetramin
Apr 1, 2006

I'ma buck you up.

Partycat posted:

You can save yourself some of the headache by marketing it right I guess

Standardize on your button templates, layouts, functionality, and how you'll deploy it.

Then just deploy it that way and don't take customization requests until/if you have the cycles for it later.

The old PBX and key systems either didn't do much customization, or you planned them with planning binders and deployed it and washed your hands of it. Making each set different, deploying weird intra and inter departmental dialing rules and masking, etc eats up a poo poo load of time. Once you offer that to your customers they won't like having it peeled back which is what we're doing now to keep the system manageable. We let people ask individually on a whim to add BLFs, lines, create a hunt for this, these three people need an intercom etc.

85%+ of the users are good with their DN, some speed dials, maybe a departmental line if they need some sort of thing and other coverage doesn't work. This also keeps you out of the hole of having to replicate that when/if you move to a new system, or application-centric telephony.

Yes this is the goal for this one, but we are trying to keep the features they use a lot on their PRI. They’re already set up very different from our standard because we were compelled to give them a bit of the sweetheart treatment. They’ll adapt to anything else that’s different.

One of our locations we allowed them to request 3 digit dials for people they call often, 200+ translation patterns later that is something we now absolutely shut down and show them how to save contacts in Jabber.

This particular site has two different names they operate under so we had to give them the ability to dial out as one or the other, and the ability to know which line the caller dialed so they can say “you’ve reached company x/y” and gave them separate VM boxes for each “company” because apparently customers get confused when they call and it’s a totally different company name. that’s about all we want to do for custom features.

If we had our pending UCCX deployed that would make some of that stuff way easier, but even when we do, it’s going to be hard to convince management to pay the licensing for more than the one acquisition that needs it.

Tetramin
Apr 1, 2006

I'ma buck you up.
Ancient Chinese proverb: Using Cisco, password cisco

Tetramin
Apr 1, 2006

I'ma buck you up.
I added firepower alerts for our “security analyst”. Not sure what exactly they do but it definitely doesn’t involve even sending the service desk tickets about potentially dangerous machines on our network. They do send out fake phishing campaigns every couple weeks.

Tetramin
Apr 1, 2006

I'ma buck you up.

Eletriarnation posted:

Has anyone here ever had a TAC engineer actually refuse to provide support (or argue with you about it, at least) to a system with 3rd party optics when not seeing any symptoms pointing to the optics? I was a TAC engineer a while back and I wasn't told to do that, and I never saw anyone else do that. We were told to troubleshoot normally and only suggest swapping optics with a specific reason to.

I'm not saying it doesn't happen, there could be some policy for other products I didn't work with or things might have changed at some point, but curious to know if it's an "abundance of caution" thing or an "I've been burned by this" thing.

Yes

Tetramin
Apr 1, 2006

I'ma buck you up.
What are some cheap options for syslog software? We did the free trial of kiwi and it seems fine, haven’t really looked into anything else. I think it’s only like $250 so I assume it’s hard to beat price-wise, but I’m curious what other people prefer.

Tetramin
Apr 1, 2006

I'ma buck you up.

falz posted:

Are you specifically looking for a Windows syslog server?

rsyslogd is generally used on Linux and is free.

Hmm maybe I’ll try to replace the syslog server I had our system guys build with a Linux box then. They built me a windows box but if it’s free I can probably change that. I have no attachment to OS for this.

Thanks

Tetramin
Apr 1, 2006

I'ma buck you up.
I got a large capacity

Tetramin fucked around with this message at 09:22 on Sep 7, 2019

Tetramin
Apr 1, 2006

I'ma buck you up.
I am losing management access to ASAs all across my network, getting connection refused, and pcaps show the ASA resetting the connection. Running IOS 9.6.3.1. I have a case with TAC since the ASA at my office is currently affected and I can serial into this one, but we aren’t getting anywhere. He told me removing the SSH config and re-adding it would fix it, but it didn’t. Rebooting the device resolves it until it happens again.

Anybody have any loving idea? Even ASDM access breaks when this happens.

In other news our Cisco TAM is takin me to a ball game in a suite on Thursday lol

Tetramin
Apr 1, 2006

I'ma buck you up.

Thanks Ants posted:

Also Spark. And everything Meraki that isn't their APs.

We just had meraki pitched to us and we’ve been fairly interested. Could you elaborate on your problems with it? Bosses really want to turn down MPLS circuits at locations where we can get two DIA connections and meraki seemed fairly decent for our needs. We aren’t planning to switch to their switches or even really APs at the moment, we’d just be getting their edge devices.

Tetramin
Apr 1, 2006

I'ma buck you up.
We are already in static route hell at our head end. No bgp advertisement is a bit of a pain, we are already needing to maintain static routes at the head end like crazy. I am going to use what you said in a bit of a pitch against it if it comes up though, thanks.

I have a feeling this push to cut opex by cancelling MPLS is gonna go away by the time they see the licensing costs anyways.

Tetramin
Apr 1, 2006

I'ma buck you up.

Nuclearmonkee posted:

Did you try loving with firmware? I’m on 9.8 train but since it’s ASA I’d try 9.6.4 or something on your local one just to see if it makes a difference

That’s been kind of my last-resort option. Been holding off on upgrading it until TAC tells me to, but it’s been tough connecting with the engineer 'cause shit's been crazy busy for me lately. Maybe I will just go ahead and do that.

Tetramin
Apr 1, 2006

I'ma buck you up.
This might not be the correct thread, but we were getting some Orion alerts for high interface usage on one of our ASAs this morning. According to Netflow this is all HOPOPT traffic, which I've been doing a bit of reading on and it seems like it's possible this could be some kind of attack? Or could this be some sort of error with the Netflow gathering?

Screenshot from Orion:


The source/dests are all strange too, like 0.101.0.53 or similar.

Didn't notice any performance issues during the time of the traffic, but I just spotted whatever this is and I'm a bit confused.

Tetramin
Apr 1, 2006

I'ma buck you up.

Nuclearmonkee posted:

That's an IP null attack which will show as HOPOPT.

https://www.corero.com/resources/glossary.html#IP%20NULL

Should we be checking for compromised devices on that network then? Or could this be coming from the outside?

falz posted:

Doesn't it show the protocols and ports?

Orion is giving me the protocol in the NetFlow but for some reason I’m not seeing ports or really anything that makes it easy to narrow down. I found it late in the day so I’ll do some more checking tomorrow; I'm not very familiar with the NetFlow interface in Orion yet.
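A first-pass triage of the flow export for the situation above, as an added example (not code from the thread or from Orion): it totals protocol-0 bytes by where the source address sits, which answers the "compromised host on our side vs. coming from outside" question, and it also checks the records for the exporter-bug hypothesis, since a protocol-0 record should never carry ports. The flow records, the 0.x.x.x endpoints and the internal address range are all constructed.

```python
"""Triage exported flow records for protocol-0 (HOPOPT / "IP null") traffic.

Added example, not code from the thread or from Orion. The records are
constructed in the shape a flow collector hands you (5-tuple plus bytes);
the 0.x.x.x addresses mirror the odd endpoints the post describes.
"""
import ipaddress
from collections import defaultdict

# Constructed sample export: (src, dst, proto, src_port, dst_port, bytes).
FLOWS = [
    ("0.101.0.53", "0.112.4.9", 0, 0, 0, 1_480_000),
    ("0.33.17.2", "0.9.200.1", 0, 0, 0, 980_000),
    ("10.20.0.15", "203.0.113.44", 0, 0, 0, 52_000),
    ("10.20.0.31", "8.8.8.8", 17, 51000, 53, 1_200),
    ("10.20.0.31", "203.0.113.80", 6, 52000, 443, 88_000),
]

# Constructed: the address space you consider "ours".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
NEVER_A_SOURCE = ipaddress.ip_network("0.0.0.0/8")  # RFC 1122 "this network"


def classify_source(addr, internal_nets=INTERNAL_NETS):
    """Label a source address so the next step is obvious.

    'spoofed':  0.0.0.0/8 is never a legitimate source on the wire, so the
                sender forged it (or the exporter is mangling addresses).
    'internal': a host on our side is emitting it; go find that host.
    'external': came in from outside; an upstream filter is the fix.
    """
    ip = ipaddress.ip_address(addr)
    if ip in NEVER_A_SOURCE:
        return "spoofed"
    if any(ip in net for net in internal_nets):
        return "internal"
    return "external"


def triage_hopopt(flows, internal_nets=INTERNAL_NETS):
    """Return bytes of protocol-0 traffic grouped by source class.

    Protocol number 0 is HOPOPT in the IANA registry, but an IPv4 packet
    with protocol 0 and no next header is just a null-protocol datagram;
    nothing normal sends it in volume, so a big number here is a flood.
    """
    totals = defaultdict(int)
    for src, _dst, proto, _sport, _dport, nbytes in flows:
        if proto == 0:
            totals[classify_source(src, internal_nets)] += nbytes
    return dict(totals)


def hopopt_share(flows):
    """Fraction of all exported bytes that were protocol 0 (0.0 if no flows)."""
    total = sum(f[5] for f in flows)
    return sum(f[5] for f in flows if f[2] == 0) / total if total else 0.0


def exporter_inconsistencies(flows):
    """Records that cannot be real: protocol 0 carries no transport header,
    so a non-zero port on such a record points at a collection bug."""
    return [f for f in flows if f[2] == 0 and (f[3] or f[4])]


if __name__ == "__main__":
    print(triage_hopopt(FLOWS))
    print(f"protocol-0 share of bytes: {hopopt_share(FLOWS):.1%}")
    print("exporter oddities:", exporter_inconsistencies(FLOWS))
```

On the constructed data almost all protocol-0 bytes come from 0.0.0.0/8 sources, which is the spoofed-flood pattern; a non-trivial 'internal' total is the case where you go looking for a compromised host.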

Tetramin
Apr 1, 2006

I'ma buck you up.
Was troubleshooting an ASA that was replacing a sonicwall, the ipsec tunnel was up, and the FW could reach google DNS, but anything behind the firewall was unable to reach anything either on the other side of the tunnel, or public internet. I was beating my head against the wall because I've done dozens of these replacements and never had this much trouble.

Called TAC and the tech was pretty confused too, then he removed sfr fail-open from our policy, replacing it with sfr fail-open monitor. I guess I forgot to configure SFR because when I ran it, we got the EULA etc.

The tech told me 'oh yeah sfr fail-open will block all traffic if the module is down' and it was like 11pm so I said ok, its working so whatever. I checked the documentation this morning which confirmed my suspicion: 'The fail-open keyword sets the ASA to allow all traffic through, uninspected, if the module is unavailable.'.

It seems like this is doing the exact opposite of that? I have a bunch of ASAs that aren't using SFR with the setting turned on and no issues. Can anybody explain this? I'm waiting on a response from TAC; I kind of feel like he was just shooting in the dark and when it worked he mumbled about it being expected behavior.

Tetramin
Apr 1, 2006

I'ma buck you up.

Nuclearmonkee posted:

I've had sfr fail-open let things through when the module was completely broken and non-functional. I thought that was the whole point of the command.

Does it just behave strangely if you have it in fail-open with the module installed but still awaiting setup? Never tried that honestly but it seems silly for it to work that way.

Yeah in my experience fail-open lets everything through, that does indeed seem to be the use purpose of it.

As to your question, yeah that's the exact state the device is in. SFR is installed and upgraded to the version we use, but I never went through the EULA and network configuration and it was blocking all traffic until we changed it to fail-open-monitor.

Tetramin
Apr 1, 2006

I'ma buck you up.
I PMd you if you can’t find it through googling. Idk if I can get it since I don’t have that device in my environment, but maybe Cisco portal access is enough..

Tetramin
Apr 1, 2006

I'ma buck you up.

Prescription Combs posted:

Old as poo poo topic but unless you absolutely need to capture every connection to syslog, enable syslog permit host down or that ASA will block all traffic if that syslog server goes down.

E: when sending TCP syslog. Udp doesn't care obvs.

Yeah I found this out the hard way. That’s such a stupid default setting, especially in an environment that patches servers every week.

Tetramin
Apr 1, 2006

I'ma buck you up.

falz posted:

Speaking of ASA and syslog, how does one get ASAs to stop syslogging things about every rule? Stuff like:

Jul 16 00:00:06 fw-hostname.example.net %ASA-2-106006: Deny inbound UDP from 10.3.6.20/61266 to 10.180.20.232/161 on interface inside
Jul 16 00:00:06 fw-hostname.example.net %ASA-4-400011: IDS:2001 ICMP unreachable from 184.61.208.148 to 4.213.112.161 on interface outside
Jul 16 00:00:05 fw-hostname.example.net %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:4.213.111.132 dst identity:4.213.112.1 (type 3, code 10) on outside interface. Original IP payload: udp src 4.213.112.1/514 dst 4.213.111.132/514.

I tried to find settings to calm this down a while back, gave up. I ended up having to filter out all ASA logs from my syslog server because it was all crap I didn't care about. Really all I want are router-like things, like people logging in, command logging if possible, and actual real alarms like power supply or fan issues.

Can’t you just adjust the logging to some other threshold? https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/monitor_syslog.html#95407

Verbose logging actually saved my rear end with our CIO because a third-party vendor's monitoring device got infected because they left it with default creds and demanded I open up SSH to the public. The thing was bringing our biggest site down for like 2 weeks until I stood up the logging server and found that. I have zero respect for executives but he is rightfully nervous about things after this year of infrastructure failures.

Also after we sent their device back they let me know that port 22 actually didn’t need to be open so that was pretty fuckin cool.
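The collector-side version of falz's wish list, as an added example (not code from the thread): it parses the `%ASA-<severity>-<id>` header and keeps logins, executed commands and genuinely severe events while dropping the per-packet deny and IDS messages quoted above. The worked point is that 106006 is severity 2, so the threshold knob alone cannot silence it; the noise and keep lists are assumptions to check against the syslog message guide for your release, and the last two sample lines are constructed.

```python
"""Parse ASA syslog lines and keep only router-style events.

Added example, not code from the thread. The first three sample lines are
the ones quoted in the post; the login and command lines are constructed.
Which message IDs count as noise or as keep-worthy is an assumption;
verify them against the syslog message guide for your ASA release.
"""
import re

# %ASA-<severity>-<six-digit id>: <text>
ASA_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")

# Chatty per-packet messages. 106006 is severity 2 ("critical"), so a plain
# severity threshold cannot remove it; it has to be dropped by message ID.
NOISE_IDS = {"106006", "106023", "313005", "400011"}

# Events an admin actually wants: logins (605004/605005) and executed
# commands (111008/111010). Assumed list; extend to taste.
KEEP_IDS = {"605004", "605005", "111008", "111010"}

# Sample lines: first three quoted from the post, last two constructed.
SAMPLE = """\
Jul 16 00:00:06 fw-hostname.example.net %ASA-2-106006: Deny inbound UDP from 10.3.6.20/61266 to 10.180.20.232/161 on interface inside
Jul 16 00:00:06 fw-hostname.example.net %ASA-4-400011: IDS:2001 ICMP unreachable from 184.61.208.148 to 4.213.112.161 on interface outside
Jul 16 00:00:05 fw-hostname.example.net %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:4.213.111.132 dst identity:4.213.112.1 (type 3, code 10) on outside interface. Original IP payload: udp src 4.213.112.1/514 dst 4.213.111.132/514.
Jul 16 00:01:10 fw-hostname.example.net %ASA-6-605005: Login permitted from 10.99.0.5/51122 to inside:10.20.0.1/ssh for user "netops"
Jul 16 00:01:12 fw-hostname.example.net %ASA-5-111008: User 'netops' executed the 'write memory' command.
"""


def parse_asa(line):
    """Return {'sev': int, 'msgid': str, 'text': str, 'raw': str} or None."""
    m = ASA_RE.search(line)
    if not m:
        return None
    return {"sev": int(m["sev"]), "msgid": m["msgid"],
            "text": m["text"], "raw": line}


def wanted(event, max_sev=3):
    """Keep rule: named events always, denylisted IDs never, then a severity
    cut (0 emergency .. 7 debugging) for everything else, which is where
    hardware and environment alarms land."""
    if event["msgid"] in KEEP_IDS:
        return True
    if event["msgid"] in NOISE_IDS:
        return False
    return event["sev"] <= max_sev


def filter_lines(lines, max_sev=3):
    """Parse and filter; non-ASA lines are dropped rather than guessed at."""
    events = (parse_asa(line) for line in lines)
    return [e for e in events if e and wanted(e, max_sev)]


if __name__ == "__main__":
    for e in filter_lines(SAMPLE.splitlines()):
        print(e["sev"], e["msgid"], e["text"])
```

The same per-ID suppression can be done on the box with `no logging message <id>` so the ASA never sends the chatty ones at all; this script is the equivalent on an rsyslog-style collector when you would rather keep the box's config untouched.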


Tetramin
Apr 1, 2006

I'ma buck you up.
I have a really stupid, slightly embarrassing question.

When creating ACLs do you need to consider usable hosts in a subnet? Like, if you have 8 hosts, would all 8 hosts pass if you filter with 255.255.255.248?
