When creating a sub-interface for use with dot1q encapsulation, do I have to match the name of the interface with the VLAN number?
For example:
int g1/0/0.40
encap dot1q 40
or would this also work?
int g1/0/0.50
encap dot1q 40
I'm adding a new router to the OSPF setup. Everything seems to be fine with the configuration but the state remains as INIT/DROTHER. When I do a ping to 224.0.0.5 from the new router all I get is:
CB# ping 224.0.0.5
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 224.0.0.5, timeout is 2 seconds:
.
CB#
Using ping to the same address at the other router is working fine.
Please advise.
ROUTER CB - 3825 advanced security 12.4(7c)
ROUTER IG - same router/IOS
ROUTER CB
version 12.4
!
hostname CB
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
ip cef
!
no ip dhcp use vrf connected
!
ip multicast-routing
!
interface Loopback1
ip address 10.200.204.1 255.255.255.224
!
interface GigabitEthernet0/0
description LAN Interface
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
negotiation auto
no mop enabled
!
interface GigabitEthernet0/0/0
ip address 10.10.1.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
negotiation auto
!
router ospf 1
log-adjacency-changes
network 10.10.1.0 0.0.0.3 area 0
network 192.168.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 10.10.1.1 permanent
ROUTER IG
version 12.4
!
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
!
hostname IG
!
no aaa new-model
!
resource policy
!
no ip source-route
ip cef
ip tcp synwait-time 10
!
interface Loopback1
ip address 10.200.200.1 255.255.255.0
!
interface GigabitEthernet0/0
description LAN Interface
bandwidth 1048576
ip address 192.168.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
media-type rj45
negotiation auto
no mop enabled
!
interface GigabitEthernet0/1
description to CCTV1
ip address 172.10.1.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip pim dense-mode
ip virtual-reassembly
ip route-cache flow
ip ospf cost 10
ip ospf hello-interval 1
ip ospf dead-interval 2
ip ospf retransmit-interval 3
ip ospf transmit-delay 3
duplex auto
speed auto
media-type rj45
negotiation auto
no mop enabled
!
interface GigabitEthernet0/1/0
description Service Provider Fiber Link
no ip address
negotiation auto
!
interface GigabitEthernet0/1/0.10
description to CCTV2
encapsulation dot1Q 10
ip address 172.10.2.1 255.255.255.252
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip ospf hello-interval 1
ip ospf dead-interval 2
ip ospf retransmit-interval 3
ip ospf transmit-delay 3
no snmp trap link-status
no cdp enable
!
interface GigabitEthernet0/1/0.32
description to CB
encapsulation dot1Q 32
ip address 10.10.1.1 255.255.255.252
no snmp trap link-status
no cdp enable
!
router ospf 1
log-adjacency-changes
network 10.10.1.0 0.0.0.3 area 0
network 172.10.1.0 0.0.0.3 area 0
network 172.10.2.0 0.0.0.3 area 0
network 192.168.10.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX
In the past few months I have been testing two ISPs that are providing a 10 Mbps link service to the internet. I have been able to properly verify that they are providing that bandwidth up to the equipment in their premises. The problem is that in my geographical area there is no local peering between all providers. So basically the traffic from any of my clients that want to access my web servers has to go through their ISP, up to the continental US (whichever NAP they are connected to), to "bounce" to the ISP providing me the service to finally reach my site. Because of that, the selected ISPs were requested to provide the 10 Mbps service symmetrical (upload is very important to me), up to any point in the continental USA.
Provider A has routers collocated at a site in Miami and I was able to properly test the service with those routers. Provider B connects through three other local providers and does not have a server or device in the continental US that I can use for the test. For that reason I test their performance using M-LABS network test servers, Speedtest servers and Speakeasy speed test servers. All tests were conducted under the same conditions (servers, time, etc). Tests from those sites showed that Provider A was effectively providing the requested symmetrical 10 Mbps service when tested from my servers. With Provider B only the download is showing 10 Mbps but NOT the upload, which gives only 5 to 7 Mbps depending on the selected test site. Provider B is now telling me that my tests are not fair and that they are indeed providing the requested service. Then they showed me some data to a server in Texas using Iperf, but performing the test only with UDP and NOT TCP. They said that Speedtest, M-Labs, etc. are not valid tests for reasons that I cannot understand.
I would like to get your feedback about this. Am I wrong in the way I'm testing them? Can somebody please explain in simple terms why Speedtest or M-Labs cannot be used as a valid way to test ISPs? In my opinion what is equal offers no advantage and at this point I have to remove Provider B, but I want to be fair with both providers and if I'm doing something wrong I'm willing to amend my mistake to give Provider B another chance. How do you test and measure your ISP service? Am I right with my assertions about providing an excellent service to my clients in terms of traffic/bandwidth when there is no local peering?
Please give me any advice.
Thanks.
A single LAN with several switches and computers exists within a single VLAN behind each router. There are no more routers behind the ones described in the image. OSPF Area 0 already exists. Router CBA already exists with static routes. LM and RH are new routers (sites) added to the network. IG site holds the main computer center. Router RH will provide communications for RH site computers and will become a disaster recovery site with a replica of servers from IG. Router LM will provide communications for LM site computers and a redundant link for RH and IG.
I need to add LM, RH and CBA to the OSPF "cloud".
What will be the advantage if I define OSPF Area X as part of area 0? Is it better to define Area X with a different area number? Why? How should I add CBA to the OSPF cloud? As part of area 0? As a separate area? As part of area X? If Area X is defined as a different area, will there be any advantage if Area X is defined as a stub area? Why? Do you have any other recommendations before adding those routers to the OSPF domain?
Is there a method or service that gives me a detailed text report on the pornographic content or status of a particular web site? I need this to audit user accounts without having to get into a particular web page to view its contents and determine that it is inappropriate.
Following the setup that I have for my Cisco devices, I got some basic level of functionality authenticating users that log in to 3Com switches against a RADIUS server. The problem is that I cannot get the user to obtain admin privileges. I'm using Microsoft's IAS service. According to 3Com documentation, when configuring the access policy on IAS the value of 010600000003 has to be used to specify admin access level. That value has to be input in the Dial-in profile section:
010600000003 - indicates admin privileges
010600000002 - manager
010600000001 - monitor
010600000000 - visitor
Here is the configuration on the switch:
radius scheme system
 server-type standard
 primary authentication XXX.XXX.XXX.XXX
 accounting optional
 key authentication XXXXXX
 key accounting XXXXXX
#
domain system
 scheme radius-scheme system
#
local-user admin
 service-type ssh telnet terminal
 level 3
local-user manager
 service-type ssh telnet terminal
 level 2
local-user monitor
 service-type ssh telnet terminal
 level 1
The configuration is working with the IAS server because I can check user login events with the Eventviewer tool.
Here is the output of the DISPLAY RADIUS command at the switch:
[4500]disp radius
------------------------------------------------------------------
SchemeName =system Index=0 Type=standard
Primary Auth IP =XXX.XXX.XXX.XXX Port=1645 State=active
Primary Acct IP =127.0.0.1 Port=1646 State=active
Second Auth IP =0.0.0.0 Port=1812 State=block
Second Acct IP =0.0.0.0 Port=1813 State=block
Auth Server Encryption Key= XXXXXX
Acct Server Encryption Key= XXXXXX
Accounting method = optional
TimeOutValue(in second)=3 RetryTimes=3 RealtimeACCT(in minute)=12
Permitted send realtime PKT failed counts =5
Retry sending times of noresponse acct-stop-PKT =500
Quiet-interval(min) =5
Username format =without-domain
Data flow unit =Byte
Packet unit =1
------------------------------------------------------------------
Total 1 RADIUS scheme(s). 1 listed
Here is the output of the DISPLAY DOMAIN and DISPLAY CONNECTION commands after users log into the switch:
[4500]display domain
0 Domain = system
State = Active
RADIUS Scheme = system
Access-limit = Disable
Domain User Template:
Idle-cut = Disable
Self-service = Disable
Messenger Time = Disable
Default Domain Name: system
Total 1 domain(s).1 listed.
[4500]display connection
Index=0 ,Username=admin@system
IP=0.0.0.0
Index=2 ,Username=user@system
IP=xxx.xxx.xxx.xxx
On Unit 1:Total 2 connections matched, 2 listed.
Total 2 connections matched, 2 listed.
[4500]
Here is the DISP RADIUS STATISTICS:
[4500] %Apr 2 00:23:39:957 2000 4500 SHELL/5/LOGIN:- 1 - ecajigas(xxx.xxx.xxx.xxx) in un it1 logindisp radius stat
state statistic(total=1048):
DEAD=1046 AuthProc=0 AuthSucc=0
AcctStart=0 RLTSend=0 RLTWait=2
AcctStop=0 OnLine=2 Stop=0
StateErr=0
Received and Sent packets statistic:
Unit 1........................................
Sent PKT total :4 Received PKT total:1
Resend Times Resend total
1 1
2 1
Total 2
RADIUS received packets statistic:
Code= 2,Num=1 ,Err=0
Code= 3,Num=0 ,Err=0
Code= 5,Num=0 ,Err=0
Code=11,Num=0 ,Err=0
Running statistic:
RADIUS received messages statistic:
Normal auth request , Num=1 , Err=0 , Succ=1
EAP auth request , Num=0 , Err=0 , Succ=0
Account request , Num=1 , Err=0 , Succ=1
Account off request , Num=0 , Err=0 , Succ=0
PKT auth timeout , Num=0 , Err=0 , Succ=0
PKT acct_timeout , Num=3 , Err=1 , Succ=2
Realtime Account timer , Num=0 , Err=0 , Succ=0
PKT response , Num=1 , Err=0 , Succ=1
EAP reauth_request , Num=0 , Err=0 , Succ=0
PORTAL access , Num=0 , Err=0 , Succ=0
Update ack , Num=0 , Err=0 , Succ=0
PORTAL access ack , Num=0 , Err=0 , Succ=0
Session ctrl pkt , Num=0 , Err=0 , Succ=0
RADIUS sent messages statistic:
Auth accept , Num=0
Auth reject , Num=0
EAP auth replying , Num=0
Account success , Num=0
Account failure , Num=0
Cut req , Num=0
RecError_MSG_sum:0 SndMSG_Fail_sum :0
Timer_Err :0 Alloc_Mem_Err :0
State Mismatch :0 Other_Error :0
No-response-acct-stop packet =0
Discarded No-response-acct-stop packet for buffer overflow =0
The other problem is that when the RADIUS server is not available I cannot log in to the switch. The switch has 3 local accounts but none of them works. How can I tell the switch to use the local accounts in case the RADIUS service is not available?
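Added example, not part of the original post or of 3Com's documentation: the four hex strings quoted in the post read as a RADIUS vendor sub-attribute in the layout RFC 2865 recommends (one type byte, one length byte that counts itself and the type byte, then a 32-bit big-endian value). The function names are made up for illustration, and treating the strings as this layout is an assumption drawn from their byte pattern.

```python
import struct

# Level names exactly as listed in the post.
LEVELS = {0: "visitor", 1: "monitor", 2: "manager", 3: "admin"}


def decode_sub_attribute(hex_value):
    """Split a vendor sub-attribute into (vendor_type, level)."""
    try:
        raw = bytes.fromhex(hex_value)
    except ValueError as exc:
        raise ValueError(f"not a hex string: {hex_value!r}") from exc
    if len(raw) < 2:
        raise ValueError("too short to hold a type and a length byte")
    vendor_type, vendor_length = raw[0], raw[1]
    # RFC 2865: the length byte also counts the type and length bytes.
    if vendor_length != len(raw):
        raise ValueError(f"length byte says {vendor_length}, got {len(raw)} bytes")
    if vendor_length != 6:
        raise ValueError("expected a 4-byte integer payload")
    (level,) = struct.unpack("!I", raw[2:])
    return vendor_type, level


def encode_sub_attribute(vendor_type, level):
    """Build the hex string to paste into the profile for a given level."""
    return struct.pack("!BBI", vendor_type, 6, level).hex()


def describe(hex_value):
    vendor_type, level = decode_sub_attribute(hex_value)
    return f"type={vendor_type} level={level} ({LEVELS.get(level, 'unknown')})"


if __name__ == "__main__":
    # The four values quoted in the post.
    for value in ("010600000003", "010600000002", "010600000001", "010600000000"):
        print(value, "->", describe(value))
```

A value that fails the length check here, such as one typed with a digit missing, is one to correct before looking further at the switch side.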
I have the following configuration on a switch that I am testing for RADIUS authentication:
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
enable secret 5 XXXXXXXXX
!
username admin secret 5 XXXXXXXXX
!
ip radius source-interface FastEthernet0/1
radius-server host XXX.XXX.XXX.XXX auth-port 1812 acct-port 1813 key XXXXXXXXX
radius-server retransmit 3
!
line con 0
line vty 5 15
RADIUS authentication is working just fine, but if the server is not available I cannot log into the router with the ADMIN account.
What's wrong there?
Thanks!
I have the following configuration that is not working:
1) Using rsyslog with CentOS 5.
2) Inside /etc/logrotate.d I have the file sj-piers-logs.
SJ-PIERS-LOGS:
/syslogrep/sjpiers-logs/0* {
weekly
missingok
notifempty
dateext
copytruncate
compress
olddir /syslogbackup/sjpiers-logs/backup
rotate 96
}
4) logrotate.conf has the default configuration:
LOGROTATE.CONF
weekly
rotate 4
create
include /etc/logrotate.d
/var/log/wtmp {
monthly
minsize 1M
create 0664 root utmp
rotate 1
}
5) Syslogs are sent by network devices to /syslogrep. I want to rotate the log file, compress and move it to /syslogbackup.
I was told that the error resides in the use of wildcards in the sj-piers-logs file, but it seems that I can use them according to the man page. What am I doing wrong?
On CENTOS I went to System - Preferences and then Remote Desktop. There I checked "Allow other users to view" and "Allow other users to control". The same dialog box said "Users can view your desktop using....." vncviewer name.server:0. Using UltraVNC from a Windows computer I type that but I get connection refused.
I also tried to edit /.vnc/xstartup. The directory is there but not the file.
I want to create a desktop with a specific resolution and have it be persistent or permanent even if I restart the server.
I currently have syslog configuration files using local0 to local7 set up in such a way that a particular device is assigned to a specific local facility pointing to separate directories and files for the device, for example:
*Entries related to the SYSLOG SERVER
*DEVICE1
local1.=emerg /location/device1/00-emerg
local1.=alert /location/device1/01-alert
local1.=crit /location/device1/02-crit
*DEVICE2
local2.=emerg /location/device2/00-emerg
local2.=alert /miramar/device2/01-alert
local2.=crit /miramar/device2/02-crit
The problem is that this way only 8 devices can be specified. How can I set up syslog to work with more than 8 devices?
Best regards