|
Xenomorph posted:Some douche is using an IP that is supposed to belong to me. switch#show mac-address-table I think. Although with 300 pcs, you should probably do what the above post says. chestnut santabag fucked around with this message at 22:35 on Nov 4, 2009 |
# ¿ Nov 4, 2009 22:31 |
|
Is it possible to set up two routers to connect to each other using frame relay without a frame relay switch?
|
# ¿ Dec 1, 2009 18:54 |
|
Cizzo posted:Excuse my ignorance but I'm not really getting this. From what I'm reading, it shows that to get the prefix you have to basically just do (16 * the number of nibbles being used). So can the prefix be 64 or less at that point? The prefix just shows the range of addresses and can be anything from 0 to 128. In your previous example of 2001:0:0:AB0::/60, it means an address range of 2001:0:0:AB0:: to 2001:0:0:ABF:FFFF:FFFF:FFFF:FFFF. If 2001:0:0:AB0::/60 is an IP address actually assigned to something then that is rather unusual but still valid. I have no idea what you mean by this: quote:From what I'm reading, it shows that to get the prefix you have to basically just do (16 * the number of nibbles being used). So can the prefix be 64 or less at that point?
|
# ¿ Dec 17, 2010 10:45 |
|
Bardlebee posted:Ah, very informative. Thank you. A switch can learn multiple MAC addresses per switchport and in this case would remember both. The first address would eventually get purged due to no activity from the MAC address after something like 5 minutes. You want a static NAT binding in addition to an existing NAT overload I think? code:
333.333.333.333
|
# ¿ Dec 28, 2010 23:40 |
|
Bardlebee posted:Oh, excellent that makes sense now. Thanks. I'd say that you would have to block it at either one of the tunnel endpoints - preferably before entering the tunnel - using an extended ACL.
|
# ¿ Dec 29, 2010 21:19 |
|
Sepist posted:Having an issue creating a port redirection nat because of an existing nat in place. We use inside outside static NAT's for the inside and outside IP's. They want to redirect port 8760 to port 80 on one web server, however when I do the following: My ASA is a little rusty but should not one of those netmasks be the actual netmask for the subnet?
|
# ¿ Feb 4, 2011 15:20 |
|
Here's something that's had me stumped for the past week. I'm currently implementing port based authentication using Microsoft NPS for the RADIUS server. Everything seems to be working fine except for trying to access the switch itself be it through SSH or the console connection where the NPS appears to be rejecting the authentication message due to "message authenticator attribute not set where one is required". There is a checkbox for "message authenticator attribute required" in NPS and if it gets unchecked then the process works normally. I'm wondering why it isn't working properly for switch access when the box is checked making the message authenticator attribute mandatory yet works as expected for the regular dot1x stuff on the switchports.
|
# ¿ Jun 13, 2011 21:29 |
|
geera posted:We had a weird thing happen yesterday, hopefully someone can suggest a way to troubleshoot this. Are these Catalyst switches running IOS 12.1? I had the exact same issue last week with switches that were putting uplinks into error-disabled loopback state. A bit of research and I found out that 12.1 has keepalives enabled on uplinks by default whereas on 12.2, keepalives are disabled on the uplinks by default. Cisco recommends upgrading to 12.2 or newer: http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00806cd87b.shtml (scroll down to loopback) Otherwise possibly enable bpdu-guard on the switches and see if anything gets put into an error-disabled state.
|
# ¿ Jan 31, 2012 17:50 |
|
XMalaclypseX posted:So I have been tasked to replace 10 very old and aging 3Com switches for a basic, low utilized network. The 2960s are not Cisco Small Business, but proper Catalyst switches running proper IOS. The SGE2000 are Cisco Small Business switches which are rebranded Linksys switches. The SGE2000s' primary means of management is a web based GUI that is horribly slow and a pain to manage over a slow connection. There is text based management but it's a really basic menu based terminal accessed either through a serial port or telnet. This is also the only way to change the switch between a layer 2 and a 3 switch and between a stacked switch and a non-stacked switch. One of the advantages of CSB switches is that they can be converted to layer 3 switches. However you can't change the VLAN interface IP address without deleting it and readding it (I had to do this remotely and it involved pushing a config file to the startup config and restarting the switch and hoping that the config didn't have a typo or something causing it to not be loaded into the running config with no way of fixing it remotely). The 2960s have standard IOS with the standard IOS command line interface or the web browser GUI if you're one of those people. You're paying the extra for IOS more than anything else compared to the other switch. IOS is frequently updated with patches and features. The SGE2000 OS has had like one update since June last year and I doubt it'll get any more. Both of those models can be stacked. The 2960s require a stack module which goes into the back and can be stacked to a maximum of four switches using 10Gigabit cables that go into the modules. The SGE2000s can be stacked to a maximum of eight switches using ports 12 and 24 on the front - the two rightmost RJ45 ports - this is especially great when you forget this and can't figure out why the gently caress poo poo isn't working when connected to these two ports.
They become regular Ethernet ports though if stacking is disabled from the menu based terminal. Neither of those switch models are PoE. Both switches have 24 Gigabit ports and 4 Gigabit SFP ports. In short the 2960s are far easier to set up and manage, but if it's a basic, low utilised network then once you get through the pain of setting up the SGEs then there shouldn't be much managing required. I am assuming that the topology is a flat network with no VLANs and that the default gateway is some other router. How would the switches be connected to one another? chestnut santabag fucked around with this message at 21:17 on Jun 13, 2012 |
# ¿ Jun 13, 2012 21:14 |
|
ior posted:Actually so can the 2960 - static routing only though. Oh right yeah, but you need 12.2(55)SE minimum and some SDM fuckery I think. I haven't tried routing on a 2960 yet as it doesn't seem to be recommended or mentioned much. I'm not sure how well the ASICs would cope. The one quad 2960 stack that I manage has like 60% average CPU utilisation (of which 20% seems to be from the LEDs) so I'm not too enthusiastic about doing any kind of routing through them. XMalaclypseX posted:Thanks for your input! It's literally the same switch with a Cisco logo on it. They didn't even change the model number: https://www.google.com/search?q=sge...iw=1597&bih=941 You can't even use the Cisco Small Business SFPs on regular Catalyst switches without the port getting automatically disabled. By SFP+ do you mean 10Gig links? Both of those models only have regular 1Gig SFPs. I did a similar installation to what you're doing with a 3750 as the core and CSB switches as the access switches at a simple low utilised network. The only major difference is that those were PoE switches as the upgrade was for an IPT rollout which made things a bit more complicated but otherwise there haven't been any issues in the four or more months that it's been running. chestnut santabag fucked around with this message at 22:01 on Jun 13, 2012 |
# ¿ Jun 13, 2012 21:45 |
|
Zuhzuhzombie!! posted:Next morning - loving Grandstream. Didn't know these little bastards had DHCP. Yeah DHCP snooping is local to a switch so you don't have to enable it on "trusted" switches. Just be sure to configure the uplinks to trusted on whatever switches you do enable DHCP snooping.
|
# ¿ Jul 15, 2012 22:19 |
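The advice in the post above (snooping is per switch, and uplinks must be trusted wherever it is enabled) can be checked against a saved config. This is an added example, not part of the thread; the sample configs are constructed and the set of uplink interface names is an assumption supplied by the caller.

```python
# Constructed sample: access switch with DHCP snooping on, uplink left untrusted,
# and an access port wrongly marked as trusted.
SNOOPING_SWITCH = """\
ip dhcp snooping
ip dhcp snooping vlan 10
!
interface GigabitEthernet0/1
 description access port
 switchport mode access
!
interface GigabitEthernet0/2
 description access port
 ip dhcp snooping trust
!
interface GigabitEthernet0/24
 description uplink to core
 switchport mode trunk
!
"""

# Constructed sample: switch with snooping not enabled at all.
CORE_SWITCH = """\
interface TenGigabitEthernet1/1
 description link to access switch
 switchport mode trunk
!
"""


def parse_interfaces(config_text):
    """Return {interface name: [sub-commands]} from an IOS-style config."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or any global command closes the stanza
    return interfaces


def check_dhcp_snooping(config_text, uplinks):
    """Flag untrusted uplinks and trusted non-uplink ports on a snooping switch."""
    global_cmds = [l.strip() for l in config_text.splitlines()
                   if l and not l.startswith(" ")]
    enabled = "ip dhcp snooping" in global_cmds
    result = {"enabled": enabled, "untrusted_uplinks": [], "trusted_non_uplinks": []}
    if not enabled:
        return result  # snooping is local to a switch: nothing to trust here
    for name, cmds in parse_interfaces(config_text).items():
        trusted = "ip dhcp snooping trust" in cmds
        if name in uplinks and not trusted:
            result["untrusted_uplinks"].append(name)    # server replies get dropped
        elif name not in uplinks and trusted:
            result["trusted_non_uplinks"].append(name)  # rogue DHCP server accepted
    return result


if __name__ == "__main__":
    print(check_dhcp_snooping(SNOOPING_SWITCH, {"GigabitEthernet0/24"}))
    print(check_dhcp_snooping(CORE_SWITCH, {"TenGigabitEthernet1/1"}))
```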
|
routenull0 posted:That's dirty. I have some experience with Nexus stuff - mainly 7000s, 5000s and 2000s.
|
# ¿ Jul 18, 2012 18:33 |
|
switchport trunk native vlan 731 Is there a setting in your netapp setting that recognises untagged traffic as being in vlan 731 like the above command? If you don't then you got a native vlan mismatch and your netapp is receiving untagged traffic that it doesn't know belongs to vlan 731.
|
# ¿ Sep 19, 2012 17:19 |
|
Zuhzuhzombie!! posted:Been asked to look into VSS. If you're implementing VSS on existing equipment, be extremely sure that the kit will be supported in a VSS deployment. If you're looking at new kit, be sure that it'll also be supported in a VSS deployment. My first VSS deployment came to a grinding halt when I saw that the switches were refusing to power up their 6148 modules.
|
# ¿ Dec 10, 2012 22:45 |
|
Zuhzuhzombie!! posted:Minimal IOS: 12.2(33)SXH1 WS-SUP720-3B is WS-SUP720-3B which doesn't support VSS: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/product_data_sheet09186a0080159856.html You'd need to replace the supervisor with S720-10G or a 2T. Also yeah, VSS for 4500E (not regular 4500) with a SUP7 was just released as part of last week's IOS update. It also includes the 1U 4500X with which I'll be doing an installation soon.
|
# ¿ Dec 11, 2012 18:30 |
|
adorai posted:with a c4900m, would I typically just use one of the 10Gbe ports on each one to the other (in a pair). I didn't see anything about a cisco stackwise port on them, but having not seen one in person I wanted to make sure a pair of them would typically just have 7 usable ports each. Yeah, they're not stackable so you'd have to use a regular Ethernet port and treat them as separate switches. You also can't apply VSS to them like you can to 4500X's now. You might want to use two ports per switch if you can for redundancy.
|
# ¿ Dec 18, 2012 17:14 |
|
Has anybody else heard of 5 Gigabit Ethernet? Cisco's new small business switches - the 500 series - appear to have SFPs that can run at 5Gbps even though there isn't even an IEEE standard for it which sounds like vendor incompatibility hell. And probably incompatibility hell with Cisco's regular Catalyst switches!
|
# ¿ Dec 28, 2012 19:23 |
|
My first experience with 15.0 on 3750s led me to discover a wonderful out of the box bug where port SPAN session would just stop working and would have to be re-added to fix. Although thankfully this did get fixed pretty soon. 15.0 isn't related to Cisco's new licencing model. You get universal images for 12.2 and you get feature specific images for 15.0. Also 4500X VSS trip report: Easy enough to do except then I found out that the only dual active detection mechanism implemented is the PAGP one - no fast hello or the other one.
|
# ¿ Jan 3, 2013 20:42 |
|
teh z0rg posted:What is some pro kit for a Cisco lab? Licencing models seems to be tied to platform rather than to software version. Of Cisco's router lineup, it's only the newer x900 routers that require license files to activate features as they only have the universal IOS images. Probably all of the x800 don't have any of the license file requirements even in their 15.x versions. Basically if the IOS image file is not a universal image, then it's not going to require license files. Curiously the newer 3750s seem to have universal and non universal images in both their 12.2 and 15.0 versions although this might just be so that they can be compatibly stacked with older 3750s. Even then I've gotten 3750 stacks working with one 3750 with a universal image and an IP base license and the other with an IP base image.
|
# ¿ Jan 20, 2013 15:45 |
|
falz posted:The most info I've seen so far is here: I had a quick look at the images available to download for the 3850s. 200+MB images for an access switch
|
# ¿ Jan 24, 2013 20:27 |
|
aquaticrabbit posted:To whomever was asking about the 3850 switches earlier in the thread, Cisco just posted some information: http://www.cisco.com/en/US/products/ps12686/index.html quote:480 G stacking
|
# ¿ Jan 29, 2013 19:30 |
|
Powercrazy posted:Even the Cisco MD5 hash is extremely insecure, just not as readily reversible. It's 6 characters plus 2 characters of salt, md5 hashed. The salts are all known, so really you just have an MD5 hash of 6 characters. Hardly secure at all. I was playing around with one of the new 15.0 releases of IOS for 3750s and it looks like SHA256 (designated type 4) is replacing MD5 for secret hashing. Pity I had to revert to a slightly older version as the TenGig interface on a non master switch wouldn't come up automatically when the switch powers up. This had the fun result of losing any commands that use the new encryption method like enable secret as the older IOS doesn't recognise type 4 encryption.
|
# ¿ Feb 28, 2013 21:36 |
|
wolrah posted:Haven't seen anything posted about this yet: Yeah this cropped up at work today when a client requested to know if they were affected. Cisco is going to deprecate type 4 encryption, and revert to type 5 being the encryption used for secret passwords in future releases but still recognize type 4 encryption for compatibility - this will probably happen within the next couple of rebuilds. They say they'll also re-implement SHA encryption properly at some point in the future as an undecided type encryption but won't be type 4 as that will be retained as a sort of read only encryption for backwards compatibility. I think most major version 15 releases in the past 6 months were migrated to type 4 encryption but I couldn't find any mention of type 4 encryption being introduced in the various release notes for versions that have it - I think in some instances, it was introduced in rebuilds. I can confirm that version 15.0(2) for switches uses type 4 encryption with 15.0(1) using type 5 encryption. IOS XE also uses type 4 encryption but I couldn't say when it was introduced. Latest version of 15.0 on an 1841 doesn't seem to be using it but 15.1 upwards does seem to be using it although it's not clear when it was introduced into those versions. And like the above said, you can still paste in a type 5 encrypted password generated from another device - you just can't tell the switch to encrypt entered plain text passwords using type 5, it'll only encrypt using type 4. Also if you do downgrade a device that has type 4 encrypted passwords to an image that doesn't support type 4 passwords, upon rebooting, it rejects the enable secret and username secret commands from the startup configuration. chestnut santabag fucked around with this message at 22:26 on Mar 19, 2013 |
# ¿ Mar 19, 2013 22:24 |
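To find out whether a device is affected, as the client in the post above asked, the type digit on each `enable secret` / `username ... secret` line of a saved config is enough. This is an added example, not part of the thread; the sample config and its hash values are constructed placeholders, and the notes for types 0 and 7 go beyond what the thread covers.

```python
import re

# Constructed sample config; the hash strings are placeholders, not real hashes.
SAMPLE_CONFIG = """\
hostname lab-sw1
enable secret 4 CONSTRUCTEDplaceholderType4HashValue0000000
username admin privilege 15 secret 5 $1$cnst$CONSTRUCTEDplaceholderMD5
username netops secret 4 CONSTRUCTEDplaceholderType4HashValue1111111
enable password 7 CONSTRUCTED7
"""

# "enable secret <type> <value>" or "username <name> [privilege N] secret <type> <value>"
SECRET_RE = re.compile(
    r"^\s*(?:enable|username\s+(?P<user>\S+)(?:\s+privilege\s+\d+)?)"
    r"\s+(?P<kind>secret|password)\s+(?P<type>\d)\s+(?P<value>\S+)\s*$"
)

NOTES = {
    "0": "stored in plaintext",
    "4": "SHA256 type being deprecated; rejected at boot by images without type 4 support",
    "5": "MD5-based type that remains supported",
    "7": "reversible obfuscation, not a hash",
}


def audit_secrets(config_text):
    """Return one finding per credential line, with its type and a short note."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = SECRET_RE.match(line)
        if not m:
            continue
        findings.append({
            "line": lineno,
            "account": m.group("user") or "enable",
            "kind": m.group("kind"),
            "type": m.group("type"),
            "note": NOTES.get(m.group("type"), "type not discussed in the thread"),
        })
    return findings


def lost_on_downgrade(config_text):
    """Accounts whose secret lines an image without type 4 support would reject."""
    return [f["account"] for f in audit_secrets(config_text) if f["type"] == "4"]


if __name__ == "__main__":
    for f in audit_secrets(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['account']} {f['kind']} type {f['type']}: {f['note']}")
    print("re-enter before downgrading:", lost_on_downgrade(SAMPLE_CONFIG))
```

Running `lost_on_downgrade` before loading an older image shows which credentials need re-entering as type 5 first, so the device does not boot without an enable secret or local users.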
|
DagPenge posted:I know this isn't the Wireless thread, but does anyone have any experience with Cisco Wireless equipment? Cisco offers a few wireless controllers made for this specific purpose, mainly the Flex 7500 controller and virtual wireless controller. What you will have to do though is make sure all the APs are configured to be Flex APs (formerly H-REAP) so that the traffic gets locally switched at the sites rather than being tunneled to the controller to enter the network. There's also their Meraki stuff which I don't know anything about but might be related.
|
# ¿ Apr 5, 2013 16:44 |
|
Isn't auto-MDIX a requirement for Gig ports to work? Otherwise yeah, try using a crossover cable - preferably a Gigabit crossover where all the pairs are swapped rather than just the 2nd and 3rd pairs.
|
# ¿ Apr 9, 2013 16:21 |
|
Powercrazy posted:Make sure you are looking at the "E" chassis. I did a quick check and it looks like they recently announced EoL for the R-E chassis' and replaced them with R+E chassis' with the original non E chassis' being announced EoL several years ago. The R chassis' are the ones that take redundant supervisors. Here's the announcements for if your reseller continues to push back: End-of-Sale and End-of-Life Announcement for the Cisco Catalyst 4500 Non-E-Series Chassis End-of-Sale and End-of-Life Announcement for the Select Cisco Catalyst 4500E Series Chassis
|
# ¿ Apr 13, 2013 12:06 |
|
Gap In The Tooth posted:How long are the CCNP/CCIE written valid for? CCNA runs out after 3 years. CCNA and CCNP are valid for three years and CCIE is valid for two years I think. Although with CCIE, you only have to do the written exam to recertify.
|
# ¿ Apr 24, 2013 17:31 |
|
Gap In The Tooth posted:Thanks Langolas and BoNNo530, I'm using two 1841's with 12.4 Adv Security. x800 series routers use the same licensing model for 15 as they do for 12 - since you're using an Advanced Security 12.4 image then you'll just get an Advanced Security 15 image and upgrade it as you would normally.
|
# ¿ May 2, 2013 20:01 |
|
ragzilla posted:xr is more of a microkernel design under qnx, sounds like Marty was describing xe (used on ASR 1k) which is a Linux host OS running a monolithic IOS kernel as a process. Yup, Cisco is moving towards IOS XE for their upcoming switches - the newer sups for 4500s, 4500x's and 3850s are already using it. I was told that it had something to do with single-core processors becoming less common and since regular IOS can only run on a single core, they're doing what ragzilla said above and running IOS as a process. It's also supposed to open up the possibility of running other software on the switches like Wireshark as well. They're also bringing out some new 2960s which will supposedly be upgradeable to IOS XE at some point - since they've got dual core processors, only one core would be usable until then. They're even supposed to be Netflow compatible on every single port! The next supervisors for the upcoming 6800 chassis' should also get IOS XE at some point if they don't come out with it already.
|
# ¿ May 28, 2013 19:18 |
|
Fatal posted:Anybody else loving the wonderfully non-functional 15.0.2(SE2+)? Let's see, 15.0.2(SE2) has a memory leak (on 2960Ss) where if you have too many devices requesting DHCP you lose console access until reboot. 15.02(SE3) has a TACACS bug (on 3560/3750s) that kills all access, yaaaaayyyyy for summer deployment ie, busiest time of the year for me. My favourite 15.0.2 bug that I found is that the TenGig interfaces connected to Nexus 7009s wouldn't come up when they boot up.
|
# ¿ Jun 27, 2013 17:58 |
|
psydude posted:Upgraded my test 3560g to 15.0(2)SE4 from 12.2 just to see what's new. Any major changes I should be aware of? As always, Cisco's documentation is impossible to find so I'm having difficulty finding a good changelog. Well they introduced their new SHA password encryption into the 15.0(2) code for switches after which it was soon discovered that their implementation of this new encryption method is actually less secure than the old MD5 encryption. Also SE3 was out for like a week before being pulled due to some bug causing 100% CPU utilisation from TACACS.
|
# ¿ Jul 18, 2013 21:09 |
|
Crackbone posted:Super simple (I think): "ip default-gateway" only applies when routing is disabled - "no ip routing" If routing is enabled, then the command does nothing, even though it's in the running-config. This is fun to realise when you remotely enable routing on a switch and lose all connectivity due to the lack of a "ip route 0.0.0.0 0.0.0.0" statement.
|
# ¿ Jul 29, 2013 18:58 |
|
Zuhzuhzombie!! posted:Nope. 3750x not compatible with that ipbasek9 image. Nope, 3750G doesn't use universal images nor does it use the e images. You can still stack them though - if your 3750G is running c3750-ipbasek9-mz.150-1.SE1.bin, then your 3750X should be running c3750e-universalk9-mz.150-1.SE1.bin with at least an IPbase license or just the non-universal c3750e-ipbasek9-mz.150-1.SE1.bin although the latest builds are doing away with the non-universal images. chestnut santabag fucked around with this message at 20:08 on Nov 4, 2013 |
# ¿ Nov 4, 2013 20:05 |
|
Zuhzuhzombie!! posted:I figured there would be some negotiation/compatibility. I know stackwise will do that. Even though I'm running c3750e-universalk9-mz.150-2.SE1.bin and not c3750e-universalk9-mz.150-1.SE1.bin, should I downgrade the 3750x to c3750e-universalk9-mz.150-1.SE1.bin? Yeah you should have them running the same version - either downgrade the 3750X or upgrade the 3750G.
|
# ¿ Nov 4, 2013 23:34 |
|
Cisco just officially announced CCIE v5 a few days ago. The written and lab exams will be available from 4 June 2014 with the v4 exams being retired the day before. So if anybody else is studying for it then they should definitely take this into consideration. Fun highlights: quote:1.1.a Describe basic software architecture differences between IOS and IOS XE Potentially less basic Ethernet stuff like duplex settings. No more ISL. VSS concepts quote:2.3.c Describe WAN rate-based ethernet circuits ISIS is back! I can only assume that this is because of its adoption in various layer 2 technologies like fabric path. No more WCCP.
|
# ¿ Dec 5, 2013 20:00 |
|
Bob Morales posted:Possibly dumb question about fiber. I have this media converter on one end of a link: That's a 100Meg media converter - if you're attempting to plug it into a gigabit SFP then the link won't come up.
|
# ¿ Dec 10, 2013 21:14 |
|
CrazyLittle posted:Yep. That's it - you probably used a 1000-base SX fiber SFP in your switch. You probably need one of these for the switch instead: Of note is that Linksys SFPs (even the Cisco SMB branded ones) don't work in Catalyst switches without doing that one hidden command that voids all your warranties. I don't know of any regular Cisco branded 100Meg SFPs - would these work in Gig interfaces? Turns out there are and they do work in Gig interfaces: http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6578/product_data_sheet0900aecd801f931c.html chestnut santabag fucked around with this message at 17:39 on Dec 11, 2013 |
# ¿ Dec 11, 2013 17:34 |
|
So I was playing around with some brand new stacked 3650s yesterday when I came across this fun little thing: Note that one of the features being touted by the new 3850s and even newer 3650s over the 3750s is that the stacking is meant to be SSO with no interruption should the "active" (ie the master switch) fail. code:
|
# ¿ Jan 16, 2014 19:21 |
|
gooby pls posted:We're looking at the 15.0 train on our 3750x stacks for 10g support. Still concerned by some of the reports of memory leakage, etc. What code revs are people happy with? I've got a site running on 15.0(1)SE3 for a while without any issues. I know there were some weird bugs with 15.0(2) but it looks like they've been sorted out. 15.0 isn't a requirement for 10gig though, minimum version is 12.2(53)SE2.
|
# ¿ Feb 20, 2014 19:27 |
|
Tremblay posted:Been a while since I posted here. I'll try and check in more frequently. If anyone has questions about newer security products, ISE, etc. Let me know I'll do my best to answer. So how about that Nexus 7k firewall module?
|
# ¿ Mar 3, 2014 18:54 |