getXML('Getting Started with LANs2797 nickc1976Jul 31, 2009, 5:46am PSTHi,<br /><br />Just over a week ago this forum helped to resolve a problem whereby a Cisco 857 could not connect to the internet following an upgrade to ADSL2+<br /><br />The router was working fine, then dropped the connection. The router is no longer connecting, yet when it is swapped for a Netgear 834, it connects straight away.<br /><br />Can anyone recommend any tests or settings I can check. Nothing has changed in the configuration, and as far as I know, nothing has changed on the ADSL line.<br /><br />Thanks<br /><br />Nick 30nickc1976Jul 31, 2009, 5:51am PSTAttached is the result of show dsl interface atm0<br /><br /><b>Attachment Keywords : </b> <br />1) dsl.txt<br />dsl.txt119169text/plaintext601507/31/2014no giuslarJul 31, 2009, 12:11pm PSTHello Nick,<br /><br />in the DS downstream direction<br /><br />Noise Margin: 0.0 dB 22.0 dB<br />Output Power: 20.5 dBm 12.0 dBm<br />Attenuation: 19.0 dB 8.0 dB<br /><br />noise margin is 0 means no possibility of transferring data without errors.<br /><br />It appears the ATU-R that is the modem in the router sees a weak signal coming from the central office ATU-C.<br /><br />But the signal is not really weak or also the other modem would not synchronize.<br /><br />I would do the following test:<br />power off the cisco router for some hours let it to cool then try again.<br /><br />Hope to help<br />Giuseppe<br /><br />nickc1976Aug 13, 2009, 7:17am PSTSince the connection was being dropped by the Cisco 857, the customer has been using a Netgear 834 without any connection issues. Today, I swapped the Netgear for a new Cisco 857. <br /><br />The connection worked for about 2 hours, then started to drop again (see attached results for a ping to the external ip address)<br /><br />I also did a show dsl interface atm0 again just after the connection dropped, also attached.<br /><br />Nick<br /><br /><b>Attachment Keywords : </b> <br />1) ping.txt<br />2) shdslint.txt<br />ping.txt119772text/plaintext1407908/13/2014noshdslint.txt119783text/plaintext360708/13/2014no giuslarAug 18, 2009, 9:07am PSTHello Nick,<br />this time the sh dsl interface looks like good enough specifically no errors are present.<br /><br />The question may be related to some other issue for example cpu and memory resources used by NAT or execessive ARP traffic if a default gateway ip address is missing or simply the noise margin is at a border line.<br /><br />I can say we have some DSL lines showing this kind of behaviour.<br /><br />We have roughly 100 remote sites with ADSL lines making ipsec vpn over the internet.<br /><br />It wold be nice to see what the noise margin is with the netgear.<br /><br />I see 31 -30 db noise margin on ADSL lines (not adsl2+) (we have some ADSL2+ lines but most are still ADSL)<br /><br />Hope to help<br />Giuseppe<br /><br /> <br /> i.cowleyOct 9, 2009, 1:19am PSTWe're having similar problems with 877s.<br />if you do a 'sh int atm0' you will see drops and 'sh buffers' will show failures in the Middle and Big buffers.<br />have used 3.0.33 and 4.0.15 dsl firmwarenickc1976Oct 9, 2009, 4:11am PSTHi,<br />We went out to this customer today. I have attached the Netgear stats. <br />Strangely, when we connected up the Cisco, it worked! We have left it in place over the weekend, so will see how it has coped on Monday.<br /><br /><b>Attachment Keywords : </b> <br />1) shdslintatm0.txt<br />2) RCA2.2Netgear.jpg<br />shdslintatm0.txt122016text/plaintext666010/09/2014noRCA2.2Netgear.jpg122057image/pjpegimage25023610/09/2014no giuslarOct 9, 2009, 10:11am PSTHello Nick,<br />the Cisco router has negotiated a lower DS bit rate 15346 kbps but with an higher noise margin 6.5 dB.<br /><br />netgear is using 24032 kbps but with only 3.2 dB noise margin.<br /><br />let's see what will happen.<br /><br />each line is different and the customer line looks like better then the other one.<br /><br />Hope to help<br />Giuseppe<br />nickc1976Oct 14, 2009, 7:17am PSTHi Giuseppe <br /><br />The Cisco router lost the connection again on Monday, so we had to swap it for the Netgear again.<br /><br />I have attached the output of "sh dsl int atm0" which was taken this morning. At the time, the Cisco was unable to connect. Swapping to the Netgear gave a connection straight away, so I have again attached the Netgear stats.<br /><br />Is there anything I can do to keep the Cisco connected?<br /><br />Nick<br /><br /><b>Attachment Keywords : </b> <br />1) interface.txt<br />2) RCA2.2Netgear1.jpg<br />interface.txt122226text/plaintext572710/14/2014noRCA2.2Netgear1.jpg122227image/pjpegimage27245510/14/2014no giuslarOct 14, 2009, 10:31am PSTHello Nick,<br /><br />>><br />Noise Margin: -5.5 dB 5.0 dB<br />Output Power: 18.5 dBm 12.5 dBm<br />Attenuation: 18.0 dB 8.0 dB<br />Defect Status: LCD LOM LOS LOF LCD<br /><br />with a noise margin of -5.5 dB and BER of order of 10E-0 there is little you can do.<br /><br />you see there is LOS = Loss of Signal<br />LOF = loss of frame<br />LCD = loss of cell delineation.<br /><br />or really this device performance becomes worse over time (thermal effect) or it is defective in something.<br /><br />Netgear shows the same numbers as last week with a noise margin of 3.3 dB.<br /><br />you should ask to the provider to use a fixed rate profile at 10 - 12 Mbps this may provide stability for the line.<br /><br />We had actually to ask speed reduction in some cases to get a more stable link (changing the device to a netgear was not an option for us)<br /><br />Hope to help<br />Giuseppe<br />nickc1976Oct 23, 2009, 5:26am PSTThanks for the advice.<br /><br />Do you know why it is that the Netgear can get a stable signal, but the Cisco cannot?<br /><br />Thanks<br /><br />Nick kmccourtOct 26, 2009, 5:21am PSTNot sure if this will help but Cisco have just released an updated firmware 4.0.18 for the 20190 ADSL chipset used in the 857/877. This fixes some specific interoperability issues with certain BT DSLAMs. It may be worth checking out.<br /><br />"ADSL firmware release 4.0.18 is the recommended firmware release to use on CPEs connecting to BT's network for ADSL2/2+ service. It should only be used to resolve ADSL2/2+ interop issues while connecting to the BT network. This release solves issues described in the following DDTS: CSCta54059, CSCta54040, and CSCtb31105." lordflasheartNov 17, 2009, 6:31am PSTThis is good news. Hundreds of those nasty little 877s getting migrated over to 2+ and had nothing but problems.par13@psu.eduNov 8, 2009, 4:46am PSTGood Morning,<br /><br />What are some best practices for getting started with SNMP and Syslog?<br /><br />is it bad to have both enable on the switch and/or it does not matter/<br /><br />Thanks 30 leolaohooNov 8, 2009, 1:40pm PSTEnable SNMP and Syslog is a very good practice. But you know what is even better? DAILY review of the logs!<br /><br />I my experience with the following, I have never come across a NOC who practice daily review of the syslogs. They just look at the SNMP alarms and thats it. I must've caught a number of major issues after reviewing syslogs daily. jclarkeNov 9, 2009, 8:31pm PSTActually, when dealing with best and leading practices the opposite is true for the long run. That is, one should manage be exception rather than try and comb through pages of logs each day. Eventually your mind will become numb, and you may miss important events.<br /><br />Instead, start by building a baseline of normal messages. You may choose to do this over a typical two-week period (i.e. two weeks devoid of holidays). This way, you get an idea of the types of messages you see, and especially the message severities. Then, you build exception rules. Messages that fall outside of the established norm are flagged, and reported to your operators. Of course, one should always pay close attention to sev 0, 1, and 2 messages as those are usually quite severe.<br /><br />Your baseline should always adapt, too. That is, as time goes on, you may notice a new pattern emerge. After careful auditing, you find that the new messages showing up (or the lack of old messages you used to see) are the new norm. Your baseline should change to accommodate this.<br /><br />As for SNMP, the suggestion to use SNMPv3 is a good one. However, even today it is not always possible to use v3 as not every management platform supports it. If you have to go with community string-based SNMP, choose a hard-to-guess community string, and use views and access-lists to limit the polling to certain required MIB branches, and from certain SNMP managers.<br /><br />A good article on securing SNMP can be found at:<br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094489.shtml')">http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094489.shtml</A> lavramovNov 9, 2009, 10:56pm PSTI second Joe, well said.par13@psu.eduNov 10, 2009, 4:52am PSTHi,<br /><br />I entered this basic command that at least will get me some information from the switch. The syslog server is getting some of notifications. However, it is not telling me the what's the error and/or the cause of the error.<br /><br />logging trap alerts<br />logging 10.1.1.2<br />snmp-server location KC-218B<br />snmp-server enable traps snmp authen<br />snmp-server enable traps envmon<br />snmp-server enable traps syslog<br />snmp-server host 10.1.1.2 SW-AD<br /><br /> jclarkeNov 10, 2009, 8:57am PSTYour only sending very high severity messages to your syslog server which may not give you a complete picture of what is going on on the device. However, if you're seeing a specific message, and you're experiencing a specific problem, what is the message, and what are the symptoms?par13@psu.eduNov 11, 2009, 12:46pm PSTOne of the issues, I keep getting a message about a port UP and Down. I checked the devices connected to the port which is a network printer. <br /><br />I have setup the port in 100FD, 100HD, and Auto. The SNMP alarm keeps coming with port been up and down.<br /><br />Another message is this one which does not make any sense.<br /><br />Local02009-11-11172.31.13.90community=public, enterprise=1.3.6.1.4.1.11.2.14.12.1, uptime=8366117, agent_ip=172.31.13.90, generic_num=6, specificTrap_num=5, specificTrap_name=hpicfCommonTraps.5, version=Ver1, hpicfFfLogFaultType.2=3, hpicfFfLogAction.2=2, hpicfFfLogSeverity.2=medium, hpicfFfFaultInfoURL.0.2=<A HREF="javascript:newWin('http://172.31.13.90/cgi/fDetail?index=2')">http://172.31.13.90/cgi/fDetail?index=2</A> jclarkeNov 11, 2009, 1:38pm PSTIt could be that it is the printer side which is experiencing the problem, and not the switch. The trap details you have here come from an HP device, not a Cisco device.par13@psu.eduNov 11, 2009, 2:04pm PSTis there a way to filter these messages. I'm only concern of the switch hardware failer,etc.. jclarkeNov 12, 2009, 11:07am PSTI don't know what management software you're using. I'm also not sure if there is a way to disable these traps on the HP device (there probably is). Typically all trap managers do support a way of filtering certain traps.ohassairiNov 8, 2009, 9:09pm PSTtry to use SNMP v3 for security reasons.<br />some syslog msg are critical. you should not wait 24h to review them. try to send them immediatly via mail to your inbox.<br />some syslog servers/devices can do it. hobbeNov 12, 2009, 9:14am PSTExcelent question!<br /><br />Here is my view:<br /><br />Log as much as you possibly can.<br />log everything if possible it is not a bad idea to have lots and lots of logs the day something needs to be fixed or audited or whatever.<br />You can never have to much logs !<br />Some stuff in the logs are important to know quite immediately such as breakins from the firewall loggs or a server misbehaving and such things, somethings are not needed right now, but maybe a couple of days ago there was a problem and you get to hear about it from a complaining user only today, it is good to have something to go back to and find out that the user was right/wrong and if there is a problem such as a hacker attack actually be able to find out where it originated and what was targeted.<br /><br />tip 1: protect your syslog server (maybe an asa in transparent mode ?) it is a hacker prime target ! never forget that.<br />tip 2: a good syslogserver will be able to filter alarms to you on different levels. try kiwi syslog server, its a nice one.<br />tip 3: syslog compresses very well ie gzip/zip makes the syslog file become 1-10th of its original size or less.<br />tip 4: Grep is your friend !<br /><br />SNMP? YES! manage your switches and learn the patterns and how they work You will start out looking at several errors and dropped packets and such but that is just stuff you have missed before so just start sorting things out and with a little luck you will have a quick and happy network that runs smoothly.<br />You know the user that comes in complaining that the internet is slow or server x is slow and so on.<br />isnt it great to slap him over the face with the graphs telling him at that time he supposedly had the problem his computer was not on and the network had a average response time of 0.7ms topping 1.2ms and that server x had an average network load of 4 Mbit transmit and 2Mb recieve ?<br /><br />Hmm I wounder if this could be the reason we dont hear "oh that has to be a network problem" anymore from the guys who used it as a favorite explanation on why their software didnt work.<br /> leolaohooNov 15, 2009, 5:44pm PSTI used to work for EDS and when I had a stint (aka punishment) at the NOC, I was assigned to trawl through the syslogs daily every morning. Someone is always responsible for this task and that sorry bugger have better come up with a very good explanation if something is playing up and wasn't picked up in the morning trawl of the syslog.agata.czekalskaNov 6, 2009, 12:28am PSTHi Everybody!!!<br /><br />I have noticed that I can log in using almost every configured IP address on the device (here Catalyst 6500).<br /><br />I'm wondreing why? I'm not talking about source address, but the destination one.<br /><br />I have many vlan interfaces configured on the device. Almost every interface has assigned an IP address.<br /><br />And I can access remotely the switch using telnet or ssh protocol using every assigned IP address to Vlan interfaces.<br /><br />I'm wondering if it is desirable.<br /><br />Could someone explain it to me.<br /><br />Maybe there is a way to reduce the number of possible addresses, which I can use to log in (destination address). <br /><br />Best regards,<br />Agata Czekalska<br />Technical University of Lodz 30 naikumarNov 6, 2009, 1:30am PSTHi,<br /><br />You can configure an extended ACL to mention which destination address is allowed and assign the same under vty line as below,<br /><br />access-list 101 permit tcp <SOURCE> <MASK> <DEST> <MASK> eq telnet<br /><br />line vty 0 <end_line_numbr><br />access-class 101 in<br /><br />HTH,<br />Nagendra<br /> andrey.duginNov 6, 2009, 1:35am PSTYou can use routing on other device as firewall, router or fwsm. In this case you will not have a lot of VLAN-interfaces with assigned IP-address, only management one. mike_guy29Nov 6, 2009, 4:14am PSTHi,<br /><br />I would not apply an extended ACL to the VTY lines. You will probably end up locking yourself out if you are not careful! They do not work (certainly on switches I have used). By the time the data gets to the L7 VTY lines (where the ACL is referenced) the destination is stripped out so the ACL can only match by source. Always use a standard ACL on your VTY lines. With regards to restricting to certain interfaces I am not sure how you would do this. ACLs applied to interfaces (or VLAN interfaces) only apply to routed traffic and not traffic with a destination of the device itself (as far as I know)<br /><br />Regards<br />Mike rburtsNov 6, 2009, 8:43am PSTAgata <br /><br />What you describe is normal behavior. And I believe that most of us would say that it is desirable.<br /><br />If you think about it, telnet and SSH are remote access sessions to a device. When someone does telnet or SSH to your device I can understand wanting to control who can access your device (via authentication) and I can understand want to control where they come from (the source address controlled via access-class on the vty). But I do not understand being concerned about what address they use to get to the box.<br /><br />Is there something in your environment that makes it different if they telnet to the address of VLAN 3 or to the address of VLAN 5?<br /><br />HTH<br /><br />Rick srueNov 9, 2009, 7:53am PSTyou should be using a loopback anyway for management. hobbeNov 15, 2009, 6:03am PSTHi<br />Hmm Technical University.. <br />I am basing this on a couple of asumptions.<br />Assumption: this is one of the devices that services students/teachers/others<br />Assumption: students are intelligent and inquisitive.<br />Assumption: you are the only one/group that should have access to the device.<br /><br />First your 6500 chassi is/are available on several different VLANS. <br />this I would stop at once IF there is no special reason for it to be configured that way.<br /><br />My guess is that if it is not hacked, then it is not far from getting just that.<br />it does not mean that someone is doing anything malicious with it, but there might be misconfigurations and stuff that disrupts service.<br /><br />I would actually if possible stop all telnet/ssh/http/https traffic to the device itself.<br />Atleast stop telnet and http since they send the login information in cleartext.<br />if the student have a sniffer they will have the loginnames and passwords quickly.<br /><br />Get a firewall (asa5505?), and setup a pc behind it with a direct connected serial cable to the 6500 (and other switches maybe ?) to connect to the pc you would then open up the firewall only for appropriate communication means (ipsec vpn/ssl vpn/AAA TCP communication)<br /><br />use personal usernames and passwords so that everyone have their own username and password to login to the equipment.<br />dont forget to set up NTP. that will help not only with time, it will also help with who was last on.<br /><br />This method secures the device from malicious use or accidental missconfiguration from someone not authorised to use it in that way.<br /><br />if this is not possible or desireable in your case, ACLs are used to control what ip address are allowed to access the unit.<br /><br />HTH<br /> imranraheelNov 14, 2009, 3:49am PSTI have a 1841 on which i am terminating my ISP link, fortunately i have two IPS in that link . All the traffic is routed via one Static IP, what i want to do now is to create a particulat inside pool to access a particular outside pool using the secondary WAN IP on the interface.<br /><br /><br />Is that possible, the router is in production so i cant do much experiments 30 andrew.prince@monster.comNov 14, 2009, 9:37am PSTYes it is possible.<br /><br />Supply more information on what you are trying to do.<br /><br />HTH>northwest_trailNov 12, 2009, 4:39pm PSTHello,<br /><br />I'm attempting to configure a Cisco 1812 to interface between 3 distinct subnets (e.g. 10.1.x.x, 10.2.x.x, 10.3.x.x). I'm very new at this, and am trying to learn (without having a device in front of me, to play with!)<br /><br />Two of the subnets will interface through the two WAN ports (I don't need them for any WAN connections). The following is my configuration commands for one of them:<br /><br />> enable<br /><enter password at prompt><br /># config<br />(config)# interface FastEthernet0/0<br />(config-if)# ip address 10.1.1.1 255.255.255.0<br />(config-if)# no shutdown<br /><br />The other WAN inteface would be the same, excepting that I'm using the interface FastEthernet1/0 with the IP address 10.2.1.1.<br /><br />The switch port I configure as follows:<br /><br />> enable<br /><enter password at prompt><br /># vlan database<br />(vlan)# vlan 1<br />(vlan)# exit<br /># config<br />(config)# interface Vlan1<br />(config-if)# ip address 10.3.1.1 255.255.255.0<br />(config-if)# no shutdown<br /><br />Also, I'll configure FastEthernet0/0 as my default gateway, but I'll leave that part out of this post.<br /><br />As far as communications between the three subnets, through the three configured interfaces, does this above configuration look valid?<br /><br />Am I missing anything? Most particularly, I feel like I'm missing something in regards to configuring the SVI interface on the 8-port switch.<br /><br />Thank you very much for your time, and thank you in advance for your help. 30 leolaohooNov 12, 2009, 7:34pm PSTConfiguring InterVLAN Routing and ISL/802.1Q Trunking on a Catalyst 2900XL/3500XL/2950 Switch Using an External Router<br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a00800949fd.shtml')">http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a00800949fd.shtml</A>northwest_trailNov 13, 2009, 11:19am PSTThank you for the link, that's a really good example.<br /><br />I have nearly the same configuration, excepting instead of the Catalyst switch I'm using a Cisco 1812 router.<br /><br />I'm not sure that I understand the necessity for VLAN Trunking. Could the same end result be accomplished using static routing from the Cisco 2621 to the Catalyst 3512 (specifying static routes for the VLAN 1 and VLAN 2 subnets)? I suppose perhaps the VLAN Trunking uses a protocol that makes configuration simpler?dimaggra015Nov 13, 2009, 5:40am PSTHello,<br />I just moved a 3750 switch from a stack where it was #4. I wiped out the config by holding in the mode button, then checked it through the console port.<br />Then I installed it in another stack as the #3 switch, removing the stack cables while the other 2 switches were powered up and connecting them to the unpowered switch #3.<br />I then powered up the #3 switch. Everthing seemed to work fine except that the switch shows up as #4 instead of three. Did I miss something here? 30 collin_clarkNov 13, 2009, 6:27am PSTYou can renumber the switch. See the <i>Add a Provisioned Switch to a Switch Stack</i> paragraph. The link should answer your other questions as well. For even more detailed info, check the configuration guide for the 3750s.<br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_example09186a00807811ad.shtml#Add')">http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_example09186a00807811ad.shtml#Add</A>asoka@people.net.auOct 20, 2009, 2:36am PSTThis network still at a design stage, My customer need to design a network for many as 100-200 subnets. But he is not satified with 10.0.0.0 address space available, his method is to dedicate one octate as a whole to identify the function. for example 10.4.0.0, 10.5.0.0 etc are the stores, and 3rd octate reserve for functions withing the stores.<br /><br />When he goes like that, he ran out of address space, and now he want to use 11.0.0.0, 12.0.0.0 etc for his expansion.<br /><br />How could I present a argument in a suttle manner to persuade them to comply with RFC1918, is there any guideline document I could use to build a address space for them<br /><br />Any help would be appreciated.<br /><br />Like that, 30 josephdohertyOct 20, 2009, 3:36am PSTWell you could ask his customer if he ever wants his internal 10 net to communicate with the Internet? If so, he'll have an address conflict, unless he does double NAT (oh joy).<br /><br />If your routing supports VLSM, how about the possibility of using more 8 bits for stores and moving it where it makes sense, perhaps such as reserving the least 10 bits for store address space and the next 10 bits for each store?<br /><br />As an alternative, show him IPv6 address space. ;)jfraaschNov 5, 2009, 12:11pm PSTThe subtle way of saying it is:<br /><br />YOU CANT USE IT.<br /><br />The most subtle way is for you to go to the subnet calculator, come up with a solution for him, and show him how you can work a solution even without using the space.<br /><br />I would suggest using as much as the existing space as possible so that he can see the implementation will still be relatively painless.<br /><br />Give him the solution that he doesnt yet know exists. giuslarOct 20, 2009, 3:37am PSTHello Ranjit,<br />RFC 1918 already provides enough reasons why private ip addresses should be used.<br /><br />or you can show a sh ip bgp 12.0.0.0 taken on a public route server to show they are used in the internet<br /><br />use <br /><A HREF="javascript:newWin('http://www.traceroute.org')">www.traceroute.org</A><br />to find out suitable public route server<br /><br />this is taken from an european looking glass<br /><br />show ip bgp 12.0.0.0<br />BGP routing table entry for 12.0.0.0/9, version 106420384<br />Bestpath Modifiers: deterministic-med<br />Paths: (4 available, best #1)<br /> Advertised to update-groups:<br /> 5 7 <br /> 7018<br /><br />Hope to help<br />Giuseppe<br />asoka@people.net.auOct 20, 2009, 3:52am PSTHi, Thanks for quick post, there argument is, this is not going to conenct with internet, may be for now.<br /><br />Do you guys have access to any good document "how to design scalable addressing space" kind of a document.<br /><br />Thanks gstefanickOct 21, 2009, 6:59pm PSTSince they are using 10.4.x ... thats a lot of unused space, correct? I have a hard time believing they are using that entire space for 1 store. <br /><br />Perhaps, see what the stores are using on average. 400 addresses?<br /><br />Then go store by store and start to split up the existing IPs and size them accordingly. <br /><br /><br /><br />ronyahmedOct 22, 2009, 10:45am PSTBy looking at your question .. I am already seeing 254 stores and 254 3rd octets for the functions. <br /><br />a 10.x.x.x is enough for any business thats needs a large block of addresses. <br /><br />the 12.x.x.x is owned by at&t and 11.0.0.0 is owned by the Department of defense. I dont think you wanna mess with these IPs unless you never envision connections to the internet. <br /><br />Few years ago I worked for a bank that were using 15.0.0.0 .. and Natted a smaller block to the internet. then it got acquired by HP and all of a sudden they had a problem because 15.0.0.0 is owned by HP. they could not talk in between because of the duplicates and guess who had to change all of their address ?? <br /><br />Its never a good idea to use someone's IP address. Its just bad planning. check ARIN for the reserved blocks if your boss has any questions. hobbeNov 12, 2009, 9:42am PSTHere are my 2 cents on the subject.<br />To do address spacing like the customer is doing right now is truly not a good idea.<br /><br />For one thing it is very easy to hide hacking equipment in a big address space.<br />Try searching a 10.5.x.y space for a rouge unit, with a portscanner or simply just by trying to ping it.<br />It will take you a while. Now do that 250 more times or so. get the point ?<br /><br />Design a network with what you need and be generous with addresses and make shure that the ones you think will grow have potential to atleast double in size.<br />fx 192.168.1.0 /24 might need to grow to 192.168.1.0 /23 or even /22.<br />plan ahead for things like that.<br />but build the network with 192.168.1.0/24 if you only need 150 addresses today, just leave space enough to grow so that you do not need to change addresses on the equipment, only subnetmask.<br /><br />if he does not want to use rfc 1918 addresses for some reason then let him know that any address he is using that is not an RFC 1918 address will simply not be reachable from the offices that uses those non rfc1918 addresses.<br />it is a routing thing. (unless he realy wants to make things complicated for himself with double nat and so on).<br /><br />One big problem was this problem that people used other companies internet addresses and got them selves into trouble.<br /><br />if he does not listen and understands this then think twice of taking the job.<br /><br />That said there are some good reasons why one would like to use Proper internet addresses but make shure they are registred to you if you actually do that.<br /><br />HTH205000jagNov 11, 2009, 2:24am PSTHi All,<br /><br />I have 5 Cisco switches 4 of them are 3750 Series and 5th switch is 3750 G series, 1st 4 switches are part of stack and 5th is not.<br /><br />Design for 4 stack switches is :<br /><br />Switch 1 Connect to Switch 4<br />Switch 1 also connects to switch 2 with a 2nd cable<br />Switch2 connects to switch 3 <br />Switch3 connects to switch4<br /><br />Can I remove the cable from second port from the switch4 which is connected to switch1 and plug switch 5 to switch4 and remove cable plug to 2nd port of the switch5.<br /><br />If do the above is there any specific configuration which I need to do?<br />What is the down time I am looking at.?<br /><br />Regards<br /> 30jfraaschNov 11, 2009, 6:46am PSTWould pre-configure the switch 5 to make sure it does not take over master relationship.<br /><br />My experience says this is a no downtime situation. Just adding another switch to the stack.<br /><br />James205000jagNov 11, 2009, 6:52am PSTThanks James,<br /><br />preconfigured means configure switch5 with the same IP which is using for stacked switches, <br /><br />for downtime, do you think when I remove cable from the 4th switch whic is connected to switch1 any effect that time??? and connect to switch5 then.<br /><br />is there way to know whic 1 is the master switch...?jfraaschNov 11, 2009, 8:53am PSTThe switches share the same ip. Shouldnt have to configure that.<br /><br />From each of the switches you should be able to do a "show switch" command and that will tell you if it is the master. There are a few other options with that command that will tell you more.<br /><br />You can config which switch number you want your switch to be. Possible numbers are 1-9. Here is the relevant information:<br /><br />Tips to Add a Switch as a Slave to the Stack<br /><br />To add a switch, as a slave, to a stack, complete these steps:<br /><br />Note: Make sure the switch that you add into the stack has the same IOS version as the switches in the stack. Refer to Catalyst 3750 Software Upgrade in a Stack Configuration with Use of the Command-Line Interface to upgrade the IOS in a catalyst 3750 switch.<br /><br /> 1.<br /><br /> Change the switch priority of the switch to be added to "1".<br /> switch stack-member-number priority new-priority-value<br /><br /> Note: This step is optional, but it will make sure that the switch has fewer chances to become a stackmaster in the future.<br /> 2.<br /><br /> Power off the switch that is to be added.<br /> 3.<br /><br /> Make sure that the stack is fully connected so that, when you connect the new switch, the stack will be at least in half connectivity and does not partition.<br /> 4.<br /><br /> Connect the new switch to the stack with the StackWise ports.<br /> 5.<br /><br /> Power on the newly added switch.<br /> 6.<br /><br /> After the new switch comes up, issue the command show switch to verify stack membership.<br />205000jagNov 11, 2009, 9:15am PSTThanks for the details james,<br /><br />its all make sense, but as I mentioned above 4 stack switches are 3570 series with IOS 12.1 and 5th non stack switch is 3750 G series with IOS 12.2<br />Now If I simply unplug the 2nd stack cable from the sw4 and plug to sw5 and 2nd on sw5 connect to sw1 as I mentioned the design above ...with no commands will it work? giuslarNov 12, 2009, 12:08am PSTHello Sohail,<br />are these the same switches we have discussed about in other thread in lan forum?<br /><br />I don't know if it is possible to stack swiches with a so different IOS version.<br /><br />I would keep it separated if it is the same scenario discussed in the other thread.<br /><br />Hope to help<br />Giuseppe<br />205000jagNov 12, 2009, 1:23am PSTHI Giuseppe,<br /><br />No, these are similar but different switches same company but different site.<br /><br />I think its not possible with with 2 different IOS.jfraaschNov 12, 2009, 5:16am PSTI also believe it must be same IOS. I think it can be different model though...as long as is still 3750 series.<br /><br />James hobbeNov 12, 2009, 8:42am PSTit will not work or rather it is not built to work that way.<br />You can have different 3750 hardware, but it is designed to have one and only one IOS.<br /><br />so if the switches ios is an old one start with upgrading all the switches to the same IOS then (that will cause a reload) Then you can add the single switch to the stack.<br /><br />Adding the switch should not cause any downtime however that said I would do it out of office hours since I have seen it crash even though it should not when adding switches to a stack.<br /><br />and of course make a backup of the config in the switches first otherwise you might get a not so nice surprise, hopefully the master will still be of the stack, but then you will need to reconfig the switch you are adding.<br />dont forget to set prioroty to the masterswitch that are master in the stack today.<br /><br />HTHtonyrabozaNov 4, 2009, 9:54pm PSTCan you suggest a software which can automate the backup of multiple Cisco routers/switches? This is most useful especially when you have a lot (50+) Cisco devices.<br /><br />Thanks.<br /><br /><br />Best,<br />Tony<br /><br /> 30 jorgemcseNov 4, 2009, 10:03pm PSTThere are quite few out there, you can try kiwi cattools <A HREF="javascript:newWin('http://www.solarwinds.com/products/kiwi_cattools/')">http://www.solarwinds.com/products/kiwi_cattools/</A><br /> medanNov 5, 2009, 7:36pm PSTHave that problem before but I don't like to use external software due to security. Luckily, Cisco added this archive feature. Now, everytime I execute "wr mem" it will send the config to an FTP server as hostname-0, hostname-1, hostname-2 and so on.<br /><br /><br /><A HREF="javascript:newWin('http://www.blindhog.net/cisco-automatic-configuration-backup/')">http://www.blindhog.net/cisco-automatic-configuration-backup/</A><br /> adamclarkukNov 11, 2009, 8:33am PSTJust to add one more to the mix, RANCID is a FREE tool that is a little more than just a config backup application, it will also allow you to diff configs which can be a great post morten tool when some thing goes wrong :-<br /><br /><A HREF="javascript:newWin('http://www.shrubbery.net/rancid/')">http://www.shrubbery.net/rancid/</A> collin_clarkNov 11, 2009, 8:45am PSTNot sure if this fits your requirements, but I use EEM.<br /><br /><A HREF="javascript:newWin('https://packetpros.com/cisco_kb/Email_Config.html')">https://packetpros.com/cisco_kb/Email_Config.html</A>StevenZallenNov 11, 2009, 8:34am PSTHi!<br /><br />I have 2 RV082 units, each connected directly to a Verizon FIOS ONT. On one side (Store) are 6 PCs and a printer, all with fixed IPs, on the otherside (WHSE) I have 1 PC and a printer, again with fixed IPs. I expect the number of PCs to increase in the WHSE. <br /><br />Each is a different subnet, and workgroup name (Yes, workgroup, not server\\domain). <br /><br />My requirement is to be able to access a couple of shared folders on one specific PC (with a fixed IP) in the subnet STORE from the subnet WHSE. Idealy I would like to connect to all PCs, and eventually run a phone system over this network.<br /><br />I have followed the docu for creating a VPN tunnel between the two networks, and can do the following:<br />*login to either router from either side with the 192.168.subnet.1 address<br />*print from one subnet to the other subnet with printers configured on tcpip ports<br />*ping the router in both directions<br />*ping most of the workstations (I think local AV/security is the reasson I can not conect to all)<br /><br />I have tried a number of different firewall rules, and have not been able to navigate between the two workgroups in explorer. On one side (WHSE) I can see the Workgroup for the STORE, but can not access it (The Network Path was not found). On the other side I can not see the WHSE workgroup.<br /><br />I am trying to keep config as simple as possible, and generaly configured fire wall rules to allow all port traffic, and specified various combinations of LAN, WAN1, WAN IPs, local gateway IPs and even the workstaion to workstaion IPs on both sides.<br /><br />I have noticed one curious thing. If I look at the statistics for the WHSE, it appears the the sent packets are 0, and the sent bytes extremly low, and all of the WAN numbers are a small percentage of the LAN numbers, except the recieved packets which is about 1/2 the LAN recieved packets(1PC). On the STORE side, numbers are similarly low, including the recieved packets (6PCs).<br /><br />I found the following on the inbound logs, outbound are empty.<br />ignoring Delete SA payload: IPSEC SA not found <br /><br />I have my DNS for the local fixed IP addresses set to that of the ISP, and suspect that this is not good. I also have this set up for the DNS in the DHCP screen, again I suspect not good. I do not understand how to configure the DNS Local Database in the DHCP section, or if I need it.<br /><br />When I try to run diagnostics against a PC name on the opposite subnet I am getting an IP from "elsewhere". As noted above, can ping most of the PCs in the opposite subnet.<br /><br />I am trying to get this "hobbling" by monday, and really do not want to set up servers, at least not in this time period. <br /><br />Any help is appreciated. <br /><br />Steven muniharreddyNov 5, 2009, 6:58am PSTHi,<br />This is munihar.In my lab we are using federo core 2 and 5 version os.we have tftpd software for backup.<br /><br />But we dont know how to install and use it correctly.actually we installed this tftpd s/w in /opt folder but still we couldn't access.<br /><br />any one can help me in this issue....<br /><br />Thanks for reading..<br />Bye 30 mmacdonald70Nov 8, 2009, 7:06am PSTThis is probably better directed at a Fedora community but some basic things to check:<br /><br /> - If there a firewall on the Fedora Box?<br /> - most tftp servers will not allow you to create files in with tftp. You would need to create the file first<br /> - Can you use SCP (copy startup-config scp: ScottMacNov 9, 2009, 6:29pm PSTTftp is a native application for those distributions. <br /><br />You should be able to enable them in the services admin tab. There is also likely a ftpd.conf file in /etc or a subdirectory below /etc, where you configure the target directory, access, and the rest of the details.<br />qudatheocelbatranNov 7, 2009, 6:12am PSTHi,<br />I have this link local adress:<br />FE80::A1:2345:6789<br />and this router global adress:<br />2001:AAAA:BBBB:CCCC:DDDD::1/64<br /><br />What is the statless autoconf global unicast address of my station?<br />2001:AAAA:BBBB:CCCC::A1:2345:6789<br />or<br />2001:AAAA:BBBB:CCCC:FE80::A1:2345:6789<br /><br />Thanks 30 naikumarNov 8, 2009, 6:36am PSTHi,<br /><br />The RA (Router Advertisement) message sent by IPv6 router will have the prefix which you mention using "ipv6 nd prefix-advertisement" command with autoconfig bit set. This prefix normally will be the global unicast prefix.<br /><br />In your case, if the RA sends 2001:AAAA:BBBB:CCCC/64 prefix, the receiving node will concatenate its interface identifier and make it a 128 but address and assign the same to the interface.<br /><br />For example, if the MAC address of your interface is XXXX.YYYY.ZZZZ, the interface identifier will be XXXX.YYFF.FEYY.ZZZZ and the ipv6 address will be 2001:AAAA:BBBB:CCCC:XXXX.YYFF.FEYY.ZZZZ<br /><br />HTH,<br />NagendraqudatheocelbatranNov 8, 2009, 8:08pm PSTYour recommended choice is not available in my test/quizz. Thanks anyway.<br /><br />Any other opinions pls ? giuslarNov 9, 2009, 4:04am PSTHello Theodor,<br />the answer that has been provided to you by Nagendra is the correct one.<br /><br />You should take in consideration the fact that your test/quiz can be wrong.<br /><br />Note also that providing a rating of 1 in these forums is regarded as unfair and in this case it is.<br /><br />read by yourself ipv6 basic addressing guide about stateless autoconfiguration<br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-addrg_bsc_con.html#wp1038169')">http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-addrg_bsc_con.html#wp1038169</A><br /><br />it is IPV6 prefix /64 + EUI associated to device NIC mac address<br /><br />EUI is a 64 bits entity derived from MAC address<br /><br />Hope to help<br />Giuseppe<br />labibmakarNov 8, 2009, 5:08am PSTdear experts,<br />what is the defference between these interfaces? S0, S0/0, S0/0/0<br />thanks for your urgent reply 30 josephdohertyNov 8, 2009, 5:43am PSTNumber of zeros? (Just kidding.)<br /><br />Interface numbering depends on the architecture of the device. If there's just a main serial port, it would be numbered such as serial 0, serial 1, etc. If there's some kind of module that the port resides in, the first number would be module number and the second number the port number within the module, i.e. serial 0/0, serial 0/1, serial 1/0, serial 1/1, etc. Some devices have even more layers of architecture to identify the port, and for those you might have serial 0/0/0 or serial 1/0/3, etc.labibmakarNov 8, 2009, 6:16am PSTdear josephdoherty, thanks alot for your reply, would you like please explain this sentence you wrote above to me? (Some devices have even more layers of architecture to identify the port)what is meant by more layers of the architecture?, thanks alot for your help josephdohertyNov 8, 2009, 6:36am PSTIf you go back to an old 2500 module, you might see that its serial port in built directly into the box, much as its Ethernet port. So the box has Ethernet 0 and serial 0.<br /><br />On more recent routers that have replaced the 2500 series such as the 2800 series, serial ports aren't directly built into the box, instead there may be multiple module slots. When you place a multiple port card in such slots (e.g. HWIC-4T, see <A HREF="javascript:newWin('http://www.cisco.com/en/US/prod/collateral/modules/ps5949/ps6182/product_data_sheet0900aecd80274416.html')">http://www.cisco.com/en/US/prod/collateral/modules/ps5949/ps6182/product_data_sheet0900aecd80274416.html</A>), to identify an individual port, you need to identify both the slot and the port. One reason for this, i.e. where you just don't number all ports in sequence, since not all modules slots have to be used and when they are used they might host a different number of ports, other port numbers are not impacted. niall.wilkinsNov 5, 2009, 6:55am PSTIs their a way to run the dubug command to see what is happening on a specific sequence number within and ACL?<br />So for example if I have:<br />Extended IP access list 101<br />301 permit udp any eq ntp host 10.251.1.1 (12 matches)<br />310 permit udp host 10.214.1.2 host 10.251.1.3<br />320 permit tcp 10.0.0.0 0.255.255.255 host 10.251.134.81 eq www (12 matches)<br /><br />I want to run a debug on sequence number 310 and that is it. So I can see the type of traffic and stuff hitting this speficic sequence number of ACL 106 30 andrewswansonNov 5, 2009, 2:56pm PSTtry changing the acl line to:<br /><br />310 permit udp host 10.214.1.2 host 10.251.1.3 log <br /><br />add the global config command 'logging bufferred' and you can view the traffic hitting the logged acl line by using the command:<br />show log<br /><br />hth<br />andy mlundNov 6, 2009, 4:40am PSTHi<br /><br />Maybe You can try to create a new access-list with only one line.<br />Then use this specific list with debug.<br /><br />access-list 111 permit udp host 10.214.1.2 host 10.251.1.3 <br /><br />debug ip packet 111<br /><br />/Mikael tonyspcrepairsNov 4, 2009, 10:59am PSTI need to configure cisco equipment using a web browser on Fedora 11 but I've discovered that firefox, sea monkey, midori etc do not show the web interface properly - there are bits missing, like table sections and buttons and thus I can't control the cisco device properly.<br />The only browser I've found (so far) that's 100% reliable with cisco gear is internet explorer in ms windows, but I need a browser for linux that's fully compatible. Does anyone know of such a browser? 30 raisNov 4, 2009, 11:37am PSTIt looks like the page heavily relies on Microsoft extensions. If firefox is not working don't know which browser would. You may try VMWare. Another very basic browser on linux is lynx.<br /><br />Hth. tonyspcrepairsNov 5, 2009, 3:03am PSTthanks for your response rais and I did find a (weird) solution which was IEs4Linux:<br /><A HREF="javascript:newWin('http://www.tatanka.com.br/ies4linux/page/Installation')">http://www.tatanka.com.br/ies4linux/page/Installation</A><br />it felt strange using IE6 on a linux pc but at least now the cisco web interface works 100%spcannadyNov 3, 2009, 4:33pm PSTWorking some basic configs on a Cisco 871W that looked like had never been out of the box. (Did buy it on ebay). That said, just doing some basic config and testing it is not keeping the config that has been done. Just doing a simple change hostname and did both wr mem as well as copy running-config startup-config and it shows build and says ok but still when doing a reload for testing it resorts back to the default settings. Anyone give any suggestions on this? 30pkurdzielNov 3, 2009, 4:52pm PSTPost a show version g_thomas123Nov 3, 2009, 7:15pm PSTPlease check the config-register is set to 0x2102.spcannadyNov 4, 2009, 2:33am PSTAppreciate your feedback on that. I noticed that it was not set to that when I did some troubleshooting. I figured out how to change it to the correct setting. It seems to have resolved the issue. Appreciate your insight on the matter. Can you take a moment to explain what exactly that is and why it would have been that way fresh out of the box? spcannadyNov 4, 2009, 2:24am PSTRouter#sho ver<br />Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.3(8)YI1, RE LEASE SOFTWARE (fc1)<br />Synched to technology version 12.3(10.3)T2<br />Technical Support: <A HREF="javascript:newWin('http://www.cisco.com/techsupport')">http://www.cisco.com/techsupport</A><br />Copyright (c) 1986-2005 by Cisco Systems, Inc.<br />Compiled Fri 22-Apr-05 14:57 by ealyon<br /><br />ROM: System Bootstrap, Version 12.3(8r)YI, RELEASE SOFTWARE<br />ROM: Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.3(8)YI 1, RELEASE SOFTWARE (fc1)<br /><br />Router uptime is 10 hours, 3 minutes<br />System returned to ROM by reload<br />System image file is "flash:c870-advsecurityk9-mz.123-8.YI1.bin"<br />Last reload reason: Reload command<br /><br /><br /><br />This product contains cryptographic features and is subject to United<br />States and local country laws governing import, export, transfer and<br />use. Delivery of Cisco cryptographic products does not imply<br />third-party authority to import, export, distribute or use encryption.<br />Importers, exporters, distributors and users are responsible for<br />compliance with U.S. and local country laws. By using this product you<br />agree to comply with applicable laws and regulations. If you are unable<br />to comply with U.S. and local laws, return this product immediately.<br /><br />A summary of U.S. laws governing Cisco cryptographic products may be found at:<br /><A HREF="javascript:newWin('http://www.cisco.com/wwl/export/crypto/tool/stqrg.html')">http://www.cisco.com/wwl/export/crypto/tool/stqrg.html</A><br /><br />If you require further assistance please contact us by sending email to<br /><A HREF="mailto:export@cisco.com">export@cisco.com</A>.<br /><br />Cisco 871W (MPC8272) processor (revision 0x100) with 236544K/25600K bytes of mem ory.<br />Processor board ID FHK094012GQ<br />MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10<br />5 FastEthernet interfaces<br />1 802.11 Radio<br />128K bytes of non-volatile configuration memory.<br />24576K bytes of processor board System flash (Intel Strataflash)<br /><br />Configuration register is 0x2142<br /><br />spcannadyNov 4, 2009, 2:25am PSTAppreciate you looking at it. g_thomas123Nov 4, 2009, 7:41am PSTThe config-register is modified to do a password recovery. When its set to 0x2142, each time you reload therouter it just cleans up the config. After we get a fresh config, we boot into and set a new password and copy the config over. After this is done, we have to change the config-register to 0x2102 so that it retains the config even after the device is reloaded.<br /><br />Hope this helps!!spcannadyNov 4, 2009, 3:15pm PSTThe information you provided to me helped tremendously. I appreciate you taking the time to first provide insight to the problem and also give the reason it was doing what it did. Thank you very much!<br /><br />Scott axfalkSep 18, 2009, 1:23pm PSTCould someone please tell me if a mac address is getting created as a result of creating a layer 2 Vlan?<br /><br />Thanks.. 30 lavramovSep 18, 2009, 2:05pm PSTMac address of what? A switch port?<br />Every switch port has a mac address. <br /><br />I dont understand your question. s.ballewOct 21, 2009, 1:17pm PSTNo, a MAC address is not created as a result of creating a layer 2 VLAN. A MAC address is a uniquue hadware identifier (expressed in hex format) and is present when a device comes out of the box. Each switch port has a MAC associated with it. Each host also has a MAC associated with it. nelson.garciaOct 28, 2009, 7:58am PSTMAC addresses can be mapped to VLANs when using STP with PVST+. PVST+ allows the switch to create an STP instance per VLAN and allows an STP topology PER Vlan, therefore, you'll have one root bridge per VLAN and a MAC address for each root bridge on these VLANs. Can someone correct me if I'm wrong?<br /><br />Sorry if this isn't the answer you're looking for, I'm new at answering questions. =]jfraaschNov 3, 2009, 11:47am PSTJust tested this on a Cisco 3750 on my desk.<br /><br />I had VLAN 1 Shutdown.<br /><br />I did a show mac-address-table and there was no MAC for Vlan 1.<br /><br />I unshut the VLAN 1 interface (no IP configured on it) and now there IS a mac-address entry in my table.<br /><br />Understand that this is different than just adding say VLAN 10 to your vlan database or something like that.<br /><br />If all you did was add a VLAN (re, not a virtual interface) to your vlan config then it will NOT create a mac-address entry.<br /><br />However, if you create an interface, it will.<br /><br />So the answer to your question is, it depends on what you are trying to do.<br /><br />Hope that helps!<br /><br />James niall-wilkinsOct 26, 2009, 11:21am PSTIs their a command that can be run on cisco routers that will turn off fragmentation? 30 dafreyOct 26, 2009, 12:18pm PSTHi Niall,<br />Route maps can set the DF bit; then apply to the interface.<br /><br />route-map DF permit 10<br /> set ip df 1<br /><br />interface <int><br /> ip policy route-map DF<br /><br />HTH,<br />Dan<br />jfraaschNov 3, 2009, 11:39am PSTThat's great to know. I run into this problem from time to time.<br /><br />Thanks!<br /><br />James dgalati000Oct 27, 2009, 2:44pm PSTI need to determine if I should go with a (new) L2 switch and mult VLANS and use router-on-a-stick for intervlan routing. Its conducive to what the cust has at his multiple sites.<br /><br />Or should I convince him to go with a L3 switch to the router instead ? <br /><br />My concern is that its a mobile wireless site with two different radio signals (CDMA and GSM) operating in the same site...and I don't want a bottleneck on the trunk between the switch and the router when intervlan routing using the L2 switch. That is, one of the vlans consuming all the 10/100 trunk bandwidth would not work in the L2 switch env - or is it ? <br /><br />Suggestions please ?? 30 josephdohertyOct 27, 2009, 5:37pm PSTBesides trunk bandwidth, most smaller routers don't offer high bandwidth routing (e.g. supporting even one gig). For LAN routing performance, a L3 switch is often a better choice.<br /><br />Don't overlook the 8 or 12 port 3560s. Neither are very expensive. justinmitchellOct 31, 2009, 5:09am PSTIt comes down to how many hosts you have on the LAN and if there is a lot of inter-vlan routing required. Other considerations are budget and cost of actual equipment. Unless there is a lot intervlan routing, I wouldn't think you would saturate the trunk. Using GSM and CDMA for your WAN(?) connection you won't experience saturation on the trunk from people downloading across the WAN anyway. keithglanvilleOct 27, 2009, 1:58am PSTI am more than a bit rusty and reconfiguring a network due the arrival of a new SBS office server. The new office server (and clients) needs to connect to the Internet via our Cisco 2610 router. The server is say 10.1.1.10 and the FastEthernet0 interface on the router is set to 10.1.1.200. The 2600 has a Serial0 interface that is connected to a leased line with an external IP address. We also have our own class C IP range used for web, mail and dns servers.<br /><br />So:<br /><br />OfficeServer (10.1.1.10)<----->FastEthernet0(10.1.1.200)[2600 ROUTER1]Serial0(123.123.123.54)<---leased line--->ISP(Internet)<br /><br /> <br />However, I also have a webserver etc in our office, with an external IP address from our range, that needs to, and can, see the Internet.<br /><br /> <br />So, we also have, on the same router:<br /><br />WebServer (90.4.123.35)<----->FastEthernet0(90.4.123.254)[2600 ROUTER1]Serial0(123.123.123.1)<---leased line--->ISP(Internet)<br /><br /> <br />interface FastEthernet0/0<br />ip address 10.1.1.200 255.255.0.0 secondary<br />ip address 90.4.123.254 255.255.255.0<br />ip nat inside<br />speed auto<br />full-duplex<br />!<br />interface Serial0/0<br />description Connection to NTL<br />ip address 123.123.123.54 255.255.255.252<br />ip broadcast-address 123.123.123.55<br />ip access-group inboundfilter in<br />ip access-group outboundfilter2 out<br />ip nat outside<br />encapsulation ppp<br />no fair-queue<br /><br /> <br />The FastEthernet0 interface has both an internet and external IP address mapped to it. Currently the office PCs use the external IP address as their gateway address and this works, however the new server is more secure and won't allow this.<br /><br />There is NAT and access-lists running on the Cisco and each office PC has an internal IP address that is NATted to a dedicated external IP.<br /><br /> <br />At the moment the webserver can see the Internet, but the office server cannot. Office PCs can see the Internet if they use the external IP address mapped to FastEthernet0/0 direct as their gateway address (although you get a message suggesting that this is not the way to go). So I am trying to resolve this whilst also trying to set it up better/properly.<br /><br /> <br />What is the best way to do this (all assistance appreciated)? <br /><br />Do I need to NAT the internal office server IP to an external IP address for it to see the internet? <br /><br />Do I need to NAT the internal gateway address to an external IP address or will the router be able to route this anyhow?<br /><br />Could it be DNS, so should I set the DNS server on the office server NIC to the ISPs DNS server, or to the Cisco<br /> 30 lgijsselOct 27, 2009, 2:50am PSTThe best solution is to renumber the webserver to an internal ip address and configure a static nat on the router:<br /><br />ip nat inside source static <br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/gt_ntsip.html')">http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/gt_ntsip.html</A><br /><br />regards,<br />Leo r.tacconOct 23, 2009, 10:16am PSTHi to All, <br /><br />I have multiple VLANs configured on a L2/L3 switch (cisco 3750) and one DHCP server configured on wan [using ip helper-address on the switch I forward the DHCP request on a L3 interface. <br /><br />It' s possible / How can I enable dhcp snooping on the switch ?<br />It's possible / How can I configure the TRUSTED PORT (the port vs the DHCP server)<br /><br /><br />FOLLOWING THE CONFIGURATION:<br /><br /><br />SWITCH<br /><br />!<br />! <br />interface GigabitEthernet1/0/1<br /> description ** DHCP pc 192.168.2.0/24 **<br /> switchport access vlan 2<br /> switchport mode access<br /> load-interval 30<br />! <br />interface GigabitEthernet1/0/2<br /> description ** DHCP pc 192.168.2.0/24 **<br /> switchport access vlan 2<br /> switchport mode access<br /> load-interval 30<br />! <br />interface GigabitEthernet1/0/3<br /> description ** DHCP pc 192.168.2.0/24 **<br /> switchport access vlan 2<br /> switchport mode access<br /> load-interval 30<br />!<br />interface GigabitEthernet1/0/24<br /> description ** TO WAN ROUTER **<br /> no switchport<br /> ip address 192.168.254.254 255.255.255.252<br />!<br />!<br />interface Vlan2<br /> description ** LAN **<br /> ip address 192.168.2.254 255.255.255.0<br /> ip helper-address 192.168.1.254<br />!<br />ip forward-protocol udp bootpc<br />!<br /><br /><br /><br /><br /><br />IF I TRY TO CONFIGURE THE DHCP SNOOPING I CAN'T CONFIGURE THE TRUST PORT (on the "wan" interface):<br /><br /><br />SWITCH#conf t<br />SWITCH(config)#ip dhcp snooping vlan 2<br />SWITCH(config)#<br />SWITCH(config)#<br />SWITCH(config)#interface GigabitEthernet1/0/24<br />SWITCH(config-if)#ip dhcp ?<br /> client DHCP client configuration<br /> limit Limit DHCP Lease<br /> relay DHCP relay configuration parameters<br /> server Configure DHCP server behavior<br /> 30 lgijsselOct 24, 2009, 5:48am PSTYou must also enable dhcp snooping globally, not just on the vlan. The steps are described here: <br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/13ew/configuration/guide/dhcp.html#wp1073367')">http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/13ew/configuration/guide/dhcp.html#wp1073367</A><br /><br />regards,<br />LeojillesmiedemaOct 23, 2009, 12:25am PSTin a 871w router i have a vlan wired vlan 1 10.10.10.0 and a wireless bridge bvi1 10.70.10.0<br /><br />i want the vlan 1 clients to see the bv1 clients as with an ip in the range 10.10.10.0<br /><br />they are both inside interfaces.<br /><br /><br /> 30 lgijsselOct 23, 2009, 1:17am PSTEither post your configuration or hire a professional to configure this for you.<br /><br />regards,<br />LeojillesmiedemaOct 23, 2009, 1:30am PSTcisco is a hobby, others do crosswords<br /><br /><b>Attachment Keywords : </b> <br />1) SDMConfig znder wachtwoorden.txt<br />SDMConfig znder wachtwoorden.txt122635text/plaintext703710/23/2014no lgijsselOct 24, 2009, 5:39am PSTThe bridge between wlan and wired is routing ip. This must be changed:<br />conf t<br />no bridge 1 route ip<br /><br />(i.e. now set to bridge ip)<br /><br />regards,<br />Leo<br /> zbigniewkozyraOct 22, 2009, 8:39pm PSTI posted this message on the "LAN,Switching and Routing" forum already but then I realized that "Getting started with LANs" is probably more proper place to start this type of topic. Posting in the two different forums was not intentional and I didn't do it to have more "visibility".<br /><br />And here is a topic:<br />I am building new LAN for my office. I have two 3560 running L3 connecting to MPLS, two 3750 and bunch of 2960 and 3560 PoE switches. Which would be the best design. Please look at 3 attached scenarios (diagrams) and express your professional opinion. Any ideas welcomed.<br /><br /><b>Attachment Keywords : </b> <br />1) New LAN 1.jpg<br />2) New LAN 2.jpg<br />3) New LAN 3.jpg<br /> New LAN 1.jpg122628image/jpegimage7348210/22/2014noNew LAN 2.jpg122629image/jpegimage7265910/22/2014noNew LAN 3.jpg122630image/jpegimage7156210/22/2014no30 leolaohooOct 22, 2009, 9:32pm PSTAwwww ... I already responded to your first post. lgijsselOct 23, 2009, 1:33am PSTThere is no real difference between LAN 1 and 2. They only cross-connect to another switch. <br />Functionally, you have a collapsed BB with the 3750-12's as core. This is connected to multiple SERs and one of those SERs uses a collapsed BB as well. <br />The point is that this SER also connects to the outside world, a link that would normally be on the network core routers. <br />Apart from this, diagram 2 seems the most logical. It will depend on how you configure the routing. <br />I would propose a routed link between each 3560 and 3750. Internal routing on the upper half goes via the 3560's, the lower half is routed via the 3750's. <br />Dynamic routing is required to enable failover. <br /><br />regards,<br />Leo<br /> josephdohertyOct 23, 2009, 4:03am PSTNone of the above, assuming the two 3750s are close enough to stack. If they are, once stacked, all the downlinks can become cross member Etherchannel connections. Physical toplogy would look like your LAN1 (again though, the 3750s are stacked). If your diagram shows the correct number of port usage, you would have just enough ports to make quad Etherchannel connections between the 3750 stack and the two 3560s.<br /><br />As for routing, I would suggest it be done on the 3750 stack and optionally retained on the two 3560s. rotranOct 21, 2009, 3:03am PSTHi all, <br /><br />Question: By default, how does etherchannel decide which link it will use when sending/receiving ? I've bundled two 10g links (i am not load-balancing at the moment) and I'm trying to determine which link at any given time it will use because I understand it doesn't split the traffic equally. Any help would be appreciated.<br /><br />Thanks 30massimiliano.serafinoOct 21, 2009, 3:34am PSTHi,<br />Look at <A HREF="javascript:newWin('http://www.cisco.com/en/US/tech/tk389/tk213/technologies_tech_note09186a0080094714.shtml')">http://www.cisco.com/en/US/tech/tk389/tk213/technologies_tech_note09186a0080094714.shtml</A><br /><br />Very interesting.<br />I hope this helps.<br />Best regards.<br />Massimiliano. rotranOct 22, 2009, 12:19pm PSTVery helpful - thank youHWangLoyaltyOct 21, 2009, 5:34am PSTI have to use xmodem to recover IOS for switch 3750 because the current ios was lost.<br />when i tried to type: copy xmodem: flash:c3750-ipbasek9-mz.122-35.SE5.bin<br />i got "Begin the Xmodem or Xmodem-1K transfer now...". So I began send file with xmodem, I got the error prompt "Xmodem operation was canceled by remote peer". I also could not finish the file transfer.<br />Please help me and give any advice, thx a lot! 30 inayathulla1Oct 21, 2009, 6:07am PSTHi,<br />Could you please check you hyperterminal settings once.<br />Also go though this link..<br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/products/hw/routers/ps259/products_tech_note09186a008015bfac.shtml#proc_3600')">http://www.cisco.com/en/US/products/hw/routers/ps259/products_tech_note09186a008015bfac.shtml#proc_3600</A><br /><br />HTH<br />Inayath.gabrielgrOct 13, 2009, 4:13am PSTHi all,<br />I´v a question related to throughput of 2960-48TT. We have hub (3560G) and spoke (2960-48TT,...and so on) LAN topology.<br />One spoke switch, 2960-48TT, connects all our servers. All of them are with GEth cards connectted to FEth ports of spoke switch. And now problem: from time to time we observe that we cannot copy files from\\to...server to client in speed reasonable speed. Speed is evidently slower.<br />How to resolve this issue?<br />Any idea?<br /><br />BR<br />gg 30 josephdohertyOct 13, 2009, 4:25am PSTHow slow is slow?<br /><br />From what you've defined, your two most likely bottlenecks are the 100 Mbps connections to the servers and single(?) gig link between server switch and 3560G.<br /><br />A 2960-48 has a 32 Gbps fabric and 10.1 Mpps (i.e. should support wire rate for all its ports). leolaohooOct 13, 2009, 1:17pm PSTIt's always a network fault. If the servers were mis-configured or the cluster has failed or some files get corrupted it's always a network fault. It's always easy for the server team to look at their very crude "diagnostics" tool and point the (dirty) finger at networks issue. <br /><br />Look at the link utilization of the ports to/from the servers, look for any potential problems, speed/duplex mismatch or line errors, etc. If your switch has been working without a hitch since the day you've put it on then most likely the servers are acting up. pnicoletteOct 14, 2009, 10:50am PSTAs was mentioned, first check the 2960 port counters for errors, and make sure none are running half-duplex. (Our servers and switchports are set to auto speed & duplex.)<br /><br />If you still have problems, consider finding the busiest server(s) and patching them directly to your 3560G so you can benefit from their Gig NICs and lighten the load on the server spoke link. We keep our servers near the hub switch (and stack 3750 hub switches if necessary) to make this easier.<br /><br />Also, look for output drops (more than a few) on "Show interface" at both ends of the server spoke link to see if it's oversubscribed. If so, and you don't already run multiple gig links (Etherchannel) between server spoke switch and hub, consider it. glen.grantOct 19, 2009, 1:16pm PST If the uplinks are the bottleneck you can try using a etherchannel up to the 3560. When its slow get on the 2960 and use the "show controllers utilization" command and it will tell you where the problem is as it will give port utilization rates of all ports along with the switch fabric utilization . That command will also work on your 3560.martone.mikeOct 15, 2009, 8:26am PSTI have a 1720 router and I just want to do a few quick things to get it up and running. I do not know much IOS.<br /><br />I want to connect to the WAN address on the 4ESW card, and my LAN (192.168.1.0) on the Ethernet port.<br /><br />I would like to ensure there is some minimal inbound security.<br /><br />Thx 30 medanOct 16, 2009, 4:39am PSTyou need to have basic knowledge of cisco networking for us to teach you how to plug the module, cables, and apply configuration.<br /><br />get someone in your locality to do it. they may charge though.<br /><br />if you know a friend who knows cisco networking, get your friend to do it. may not charge you :)<br /><br />in the long term, start studying cisco networking.jfraaschOct 16, 2009, 9:28am PSTThe quick and dirty might be to go through the startup configuration on the router. It will ask you basic questions and walk you through a basic setup.<br /><br />Otherwise.<br /><br />router>enable<br />router# config terminal<br />router(config)#interface s0 (or whatever the interface that connects to your WAN)<br />router(config-int)#ip address x.x.x.x (ip) y.y.y.y (mask(<br />router(config-int)#no shut<br />router(config-int)#interface e0<br />router(config-int)#ip address x.x.x.x y.y.y.y<br />router(config-int)#no shut<br />router(config-int)#exit<br />router(config)#ip route 0.0.0.0 0.0.0.0 s0 (or your interface that connects upstream)<br />router(config)#exit<br />router#write mem<br /><br />This config will give you an IP address on your wan interface (dont know if its serial T1 or ethernet) and a IP on your ethernet interface. The static ip route will route all packets from the ethernet/user segment upstream through your WAN interface.<br /><br />That would be a simple config to get a simple connection going. The trick is on the WAN side, you might need more info for a serial connection like encapsulation types and such.<br /><br />Give it a shot.<br /><br />JamespkurdzielOct 18, 2009, 3:46pm PSTType <br />enable<br />setup <br />and follow the prompts williamreedOct 15, 2009, 12:37pm PSTWe are trying to optimize our network set up, and would like to give our vpn concentrator a public ip.<br /><br /><br />Our ISP has given us a serial ip address of (ip address made up, but last 2 octets are real) 12.123.201.174 which is currently going to our cisco 2811 router.<br /><br />We have a public ip address range of 12.123.202.97-126 <br /><br />We would like to give the vpn concentrator a public ip of 12.123.202.115<br /><br />There is an hwic on the 2811 router which has 4 open switch ports.<br /><br />I ran a cable from one of these ports on the router to the vpn concentrator, but I don't know what gateway to tell the concentrator to use since the serial ip is not on the same subnet as our public ip range. <br /><br />Is there an optimal way to do this?<br /> 30 giuslarOct 15, 2009, 2:06pm PSTHello William,<br />in this case you should assign an IP address from the pool to the Vlan SVI interface to be able to act as default gateway for the VPN concentrator.<br /><br />the interface Vlan could be the first IP address on range:<br /><br />vlan database<br />vlan 10<br />apply<br />exit<br /><br /><br /><br />int vlan 10<br />ip address 12.123.202.97 255.255.255.224<br /><br /><br />the etherswitch port has to be associated to Vlan 10<br /><br />int fasx/y<br />switchport<br />switchport mode access<br />switchport access vlan 10<br />desc to vpn concentrator<br /><br />note:<br />you need also to exclude the ip address assigned to the vpn concentrator from the NAT pool definition.<br /><br />Hope to help<br />Giuseppe<br />william.hostetlerOct 14, 2009, 6:53pm PSTI want to gang up a couple of uplink ports on a 48 port 3560G and a 12 port fibered 3560. Where is the how to on this?<br /><br />thanks<br />Gary 30jon.marshallOct 14, 2009, 7:32pm PSTGary<br /><br />By "gang up" do you mean etherchannel ie. combine 2 or more ports into one logical connection ? If so here is the etherchannel config guide for the 3560 - <br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_se/configuration/guide/swethchl.html')">http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_se/configuration/guide/swethchl.html</A><br /><br />Jonwilliam.hostetlerOct 15, 2009, 2:20am PSTYep, I thought it was etherchannel but wasn't sure. thanksShinyheadOct 11, 2009, 9:30am PSTHello everybody,<br /><br />I am trying to setup a basic network for my new company. I have two sets of subnets which I would like to communicate to each other through my Linksys RVS4000 (enable VPN later).<br /><br />129.200.99.xxx<br />255.255.255.129<br /><br />192.168.1.xxx <br />255.255.255.0 (this subnet mask be changed, if it will solve the problem)<br /><br />How can I configure the RVS4000 so any pc with 192.168.1.xxx can communicate with my computers with 129.200.99.xxx?<br /><br />Thanks in advance! 30 tprendergastOct 14, 2009, 3:28pm PSTYou will need to set up a NAT pool.<br /><br />Example:<br /><br />192.168.1.xxx (inside network) --> rvs4000 --> internet --> 129.200.99.xxx<br /><br />At the rvs4000 hop, the device will need to do NAT translation from a set of static NAT entries or a NAT Pool/PAT. This means it changes 192.168.1.xxx into some address on the outside interface of your device, making it internet routable.<br /><br />RFC1918 includes 192.168.0.0/16 as non-routable ip address space. <br /><br />Hope that helps.')