Symmetriajato, ISO 7799?
SymmetriaI think that was the number
jato_I believe its abberviated form is 27K
jato_but its actually 2700...something
jato_Im still wrapping my head around it and deciding if its easier to quit or implement
Symmetriaheh jato, 27002
Symmetriawhich was developed from BS7799
jato_I have never even worked under one of these, let alone implemented it. Ive no idea why its been dropped in my lap
Symmetriajato, that standard is the basis of the CISSP certification
Symmetriaand implementing it, well, it depends to what level you want to implement it
Symmetriaif you want the entire thing, well, then you're at military grade and I hope you have some pretty huge budgets ;p
Symmetriajato the trick to doing that shit is to point out to management just what its going to cost to make it a complete reality
dissolveSymmetria: dare i ask why you arent voiced and what shall i do to achieve something near your position
Symmetriathey generally decide its not such a good idea
jato_I think I might just break down and cry in the corner, so far all management have given me is "This will be eaaaaasy, by the way do all your regular work still"
Symmetriadissolve lol, not voiced cause I don't have a CCIE, and to get a position like mine? 18 years of experience, hard work and getting lucky by being in the right place at the right time
twkmahh, so overtime was authorized ...
Symmetriaand working 12 - 18 hours a day to stay current on a lot more than just networking
dissolveyea... ive been doing that for a couple years now + school
Symmetriajato, go and get the CISSP bootcamp docs
Symmetriaand a copy of the standard
dissolveactually ive been doing that for like 8 years... but i dont want to be a contractor
Symmetriathen start making a list of expenses you will incur
Symmetriatrust me they will not want to go the whole way
dissolvef the expenses
Symmetriaheh I spent 2 years as a contractor till my biggest client made me an offer that I couldnt refuse
Symmetrianow I live a pretty good life and have moved to Kenya ;p
dissolveGC license# smoethign somethign on the wall behind me
dissolvedont care
dissolveso did u work + school combined for that entire time or did it just "come to you" with experience
Symmetriaheh, experience, I never even finished high school ;p
dissolveACTION fingers crossed "not the ladder..."
Symmetriabut I had certain key advantages most of which came from sheer luck and timing
dissolve<---27 how old r u if u don't mind me asking
SymmetriaI started one of the first security companies on my continent at the right time, when the IT industry and making money in it was dead easy, climbed out at the right time, and made a fair chunk of money, and money opened other doors
Symmetriaturning 35 in 16 days time ;p
newtmewtACTION is working from home :)
newtmewtKickStarRabbit you around?
dissolvewell gj
KickStarRabbityes sir!
dissolveill catch up buddy
newtmewtMTT 21874 hav ethey started it yet?
Symmetriadissolve lol, as I said, a lot of getting ahead in life comes down to luck
dissolveyea stuck in lakeland fl is not a place to throw luck around
SymmetriaJ. Paul Getty was once asked how you get really really rich
dissolve... something to that effect
Symmetriahe said, you get up in the morning and you work hard all day
KickStarRabbitping me newt
Symmetriayou go home, you sleep, you get up and do it all over again
newtmewti'll just call you :D
Symmetriaand somewhere along the way,... you get lucky and find oil
drkatSymmetria that's so not true ;)
KickStarRabbitgod no
drkatWe all know the secret to being rich is selling used cisco gear
drkatACTION nudges scrye
sartanme licks drkat
dissolvemoney is not so much as important as being able to get respect in irc!
Symmetriadrkat heh, hard work takes you a fair way, but its also timing and luck, the thing is, the hard work puts you in a position to take the chances when you get lucky and they come along
dissolverofl jk!
sartanone day i'll get respect
Symmetriayou gotta have a combination of both :)
drkatwell hello sartan
sartanACTION removes pants
sartanis this how you get people to like you?
drkatSymmetria agreed
dissolvesartan lol
drkatsartan it is.
sartanhmm, indeed, that's how i met your mother
Symmetriasartan no thats how you get an O-line on efnet but only if you have tits as well
drkatfunny.. she cant see, so i guess you had a good shot
dissolvek u r very distracting. i must get back to my extremely difficult homework lol
drkatbtw.. IE 11 == garbage
newtmewtdrkat: doesn't ie anything ==garbage
KickStarRabbitjust cleaned my outlook and I feel an overwhelming calmness
newtmewtKickStarRabbit: good, then answer my call so i can uncalm you :D
KickStarRabbiti am on hold with at at
KickStarRabbit2 in hold
drkatnewtmewt you know.. IE isnt a BAD browser, it's just misunderstood
Symmetriagod, for a company that makes routers to drive high speed links
Symmetriawhy cant cisco invest in some proper connectivity
newtmewtdrkat: its the best browser to download another browser with as my old boss said
drkatSymmetria cuz cisco is lacking
Symmetriaso when you need to download 2 or 3 gig IOS images from them it doesnt take 3 hours
drkatnewtmewt i agree
drkatSo i advised my customer how to move over his ISP connection
drkatI tell him.. So what you wanna do?
drkathe says move the isp
drkatno shit :)
drkatso Ive decided to re-read network warrior, this should be fun
Symmetriaif you're feeling masochistic and having nothing better to do
Symmetriayou could always go teach yourself ALU CLI ;p
dissolvenot to be racist.... of what descent are you mr Symmetria?
drkathes black
drkatbut totally white
dissolveand u too sartan
jato_Im reminded of a joke here somewhere...
drkatsartan is latino
drkatbut canadian so you could never tell
dissolvei can see that
drkathe's always saying EH anyway
newtmewtACTION loves having a t1 affected to bitch at you guys :D
dissolvewell i see
dissolveso yea
newtmewtand this one is in denver, right around the corer... you should go fix it
KickStarRabbitkicks newt in the balls
drkatshow me the bert test
Symmetriadissolve lol, I was born in South Africa, my parents were born in South Africa, my grandparents were british
drkatcant loop the CSU, your problem
Symmetriabut I consider myself african and always will
dissolvetrue african needing suntan gotcha
Symmetrialol since i moved to kenya Im even slowly starting to learn swahili ;p
Symmetriawhich is taking some doing
drkatacu cli? eww
dissolveso sartan
dissolveur mexican canadian?
dissolveis noone here indian??? i am very confused
dissolveseems like... nm
adamaindians don't waste their time talking about getting a CCNA on #cisco
adamathey actually get their CCNA instead
dissolve<--= fl cracker... err
drkatand work in a call center
KickStarRabbitthats a badass indian
sartanyeah, i'm mexicna-canadian
drkatesse eh
dissolvemexican canadians dont like to go to movies they like hockey and star wars...
dissolvewait that doesnt work
adamai walked out of a mexican cinema earlier
adamafuckers kept laughing really loudly
adamanever had that before, what the fuck
sartanprobably gang members
sartanthey feel their loud laughter will intimidate you
adamain yucatan? i doubt it!
drkatthey were laughing at his hair cut
dissolvegrr ccna coming up in 10 weeks.. should i even announce that probably not
adamalol ccna, etc
dissolvei took all 8 week courses tho! im sure u remember me bugging u
sartanGood luck dissolve, 10 weeks is a far time away
drkatwhy are we loling ccna?
sartanjust don't forget to keep studying, don't forget your course content
drkatccna is like a top rated search term from recruiters, so LOL!
dissolvemulti area ospf man! and everyones distracting me!
dissolveand u guys r mean dammit
twkmyou obviously didn't want to do the exercise.
drkattwkm he did, but irc came first
sartanIRC always comes first
sartanMy wife will call me to have sex and i'd rather be here on #idlerpg
drkati cant read a single chapter due to irc
dissolvenah i do the excercises i just get lonely doing them because everyone in my class is a fn dick
drkatsartan is this true?
sartantbh sometimes yes
drkatyeah same here
hjohnsonACTION still has fond memories of his spanish GF.
sartanwell your wife only gives you your nuts once every couple of weeks, right? she keeps them in the purse
hjohnsonI was on IRC and ignorring her... so eventually, ruffling of clothes, then she drops into my lap
drkatI was watching a show last night and I was really into it. She came down stairs and said :lets have sex and I was like in a sec..
drkati did not have sex
drkatsartan HA, not true
hjohnsonneedless to say, IRC was suddenly second priority
drkathjohnson she shouldve got under the desk while your irc'd
sartani get mad at her when she walks downstairs naked
sartanbitch there are flash games to play
sartandon't clickblock me
drkatyou know tbh my wife has been better lately.. kinda weird
hjohnsondrkat: then again, she was also insane.. she'd be so angry that she couldn't contain herself... just shaking (the whole petite spanish girl thing)... not angry at me.... then she'd pull her pants down and drag me upstairs
drkatstill a total bitch, but improving
drkatsounds hot
drkati had a mexican chick once..
drkatshe was umm..
drkatyeah, i didnt like her
hjohnsonshe was full blown spanish, from Matrid
hjohnsoner Madrid
drkatshe was full blown mexican.. from home depot
dissolvegot a teeny 4 month fetus maturing inside my 8 year gf behind me asleep but im blasting (quietly listenining to) some bull shit on ospf off youtube after reading all of the chapter.. irc took over tho
drkatwake her up and inpregnate her
dissolveSHE IS
hjohnsondrkat: Uhm, I don't think it works that way
dissolvei do
drkat4 monts huh?
newtmewtKickStarRabbit: allen is going to punch you for me :D
diozis she hot?
dissolveyea im scared
drkatyou should be.
dissolvei am
tmx1you have NO idea what it is to have a baby
tmx1little bitch!!!!!!!!!!!!!
tmx1you will cry
dissolveACTION chris rock flash back
drkatthink you're on irc now?
drkatenjoy it..
drkatcuz these days are gone
tmx1enjoy irc?
hjohnsonI love kids, but kids are like boats.. the only thing better than your own are other people's kids
tmx1you people must be on crack
dissolveI GOT IRC ON MY GALAXY S4 beyotch
hjohnsonthat way when they get fussy or smelly, you can hand them back.
drkatahh children
drkathow i loathe thee
dissolvei did not mean to bring this up
drkatits ok.
dissolvei dont want to think about this for another 3 months
hjohnsonnaw, I love kids.. they're especially tasty when basted with mint sauce.
drkat5 months really
drkatshoulda wrapped it
dissolvei wasnt trying to add
tmx1lets see you sleep 2hrs per night soon
tmx1if that
dissolvei was just trying to push that to the back of my mind
drkatmaybe over the span of 6 hours
tmx1babies are cute..
hjohnsoneh, kids get fun when they're 4 to 6
dissolvecouple of my buddies seem to make it ok
drkatdissolve oh its ok
drkathjohnson yea... sometimes
tmx1i was afraid at first.. but it's easy
KickStarRabbitoh i cant access the switch
tmx1then you love it
drkatthen youhave more
hjohnsonI'm doing a group vacation with a bunch of friends and their kids this march
hjohnsonmaybe I'm insane
drkathjohnson pedo
hjohnsondrkat: hah, naw, it's the only way I can get out and about with my friends now that they all have kids.
drkatim just playin
drkatnone of my buddies have kids
drkatso they dont come round
dissolve"when you're expecting" forced to watch that movie.. actually hilarious, but still i dont want to think about this till its near. shh
drkatits ok
drkatboy or girl?
dissolveb !
dissolvevery very lucky yes
tmx1itll be fun when you change diapers and all of a sudden pees on you
drkatnot that I'm mad, but I ended up with 2 girls
dissolvei dont want to worry about dudes hittin on..
sartanyour unborn child?
sartanWhy don't you have a seat right here.
drkatwell he may be gay
hjohnsoneh, if you have daughters, just get a 1ga
hjohnsoner 12ga
drkathjohnson heh
drkatyeah I have 2.. so I have to deal with assholes
tmx12 girls?
tmx1oh god
tmx1growing up in this fucked up society
drkatits all going to hell
hjohnsonACTION ponders buying a 3845
dissolve1gauge there we go
dissolvelittle bit of a kick
hjohnsondissolve: it's a pea shooter!
dissolvebfg9k style! pea shooter yes
hjohnsonnaw, what you really need is a punt gun
diss|learningmust minimize
adamasartan: I'd like to take a minute so just sit right there and I'll tell you all about how I came to be the prince of Juarez?
adama06:37 <+sartan> Why don't you have a seat right here.
sartanI was playin' my lowrider on the north side of Tijuana, and my mom got scared
sartanel paso|juarez?
sartanthey share a border right?
adamashe said you're moving with your tia and tio in juarez
adamayeah, i think it's those two
diss|learningoh yea
adamai watched the first episode of it the other day
adamai totally forgot there was a long version of the song
sartandiss|learning: this is why i hate youtube
sartanthat 9 minutes and 35 seconds could be summarized in probably 2 paragraphs and maybe a screenshot.
diss|learningwrong one
diss|learningand 3 years ago now that i look at it nm
drkatSo i'd like to thank cisco for updating the Security track
hjohnsonso my eyesight is as good as it ever could have been corrected due to glasses
t0m0_can someone explain to me the concept of 'conversational learning' with OTV?
n1njaACTION pokes Scrye 
KickStarRabbittickles scrye
veerst0m0_: OTV or fabricpath?
veerst0m0_: either way it basically just means that the devices only learn MACs that are relevant to it (i.e. sourced or addressed to something plugged into it)
t0m0_veers: OTV
KickStarRabbiti just tried to join #outlook so I can bitch
xousfuck outlook
t0m0_So if unicast flooding occurs, a switch won't installed that MAC into the CAM unless it's directly connected to one of its interfaces?
veersbasically no reason an OTV edge router needs to have every MAC at every site in the mac table
xousit's for noobs.
KickStarRabbiti just deleted EVERYTHING
KickStarRabbitI got a virgin outlook now
xousleave it that way
veerseither the source or the destination
KickStarRabbitACTION is resisting the urge to pop my o-cherry
xousI really gotta start reading my emails
drkatxous uses evolution
xousACTION uses google
KickStarRabbiti am setting a rule for ALL email to trash
veersso if I have 4 sites; and server A is talking to server B; then the switch at site A and the switch at site B will have the MAC of both in the CAM table; C and D's OTV ISIS process will just be aware but it won't install in those switch's CAM
veersunless a server at C or D decide to talk to server A for example
t0m0_That makes sense
t0m0_so the IS-IS process will have all MACs stored in its structures?
TimberWolf_xous, emails are overrated
veersif we were talking about fabricpath for example; none of the spine switches would have anything in the MAC table; only leaf switches
KickStarRabbitI love Spam
veersyeah OTV uses IS-IS to keep track of what MAC is where (like if you vmotion a virtual machine from one site to another)
t0m0_ok cool that makes sense.
t0m0_so in a FabricPath situation, the spine switches would just have topology information about other FP switches?
xousTimberWolf_: I delete most of them
veersyeap; they see fabricpath frames addressed to other switches so they don't bother to learn any of the MACs in the fabricpath frame
KickStarRabbitxous you could be missing out on meeting the russian girl of your dreams
veersjust the source/destination switch IDs
t0m0_ok cool
TimberWolf_always make sure to setup a rule to delete anything marked priority
xousKickStarRabbit: I could also have a 10ft wang
xousand make $1000/day
veersunless your default gateway's on the spine but then you're addressing stuff directly to it
KickStarRabbitI like emails from Nigeria....there priority
xousand look like I'm 20 when I'm actually 60
KickStarRabbiti forward to CEO
TimberWolf_don't forget that lifetime supply of free viagra
TimberWolf_forward all priority emails to upper management
KickStarRabbiti would like a 4 hour erection instead of my normal all day erection
xousI made two companies look like fucking retards today
drkatlike they were fucking retards?
drkatbad porno
xousidiots were going back and forther playing the blame game
xousthen they tried blaming the network
xousso the CEO comes to see me
xous(yes, he seriously talks like that.)
KickStarRabbitreset the card!
xousso I call up the server dick and ask him whats wrong
xous"software idiots can't access the database server"
KickStarRabbitpowercycle the port
xousso I get the details and log into the shit
xousping ip
xousopen MSSQL Management Studio
KickStarRabbithey does anyone wanna buy my CERJAC HDSL box
xouswtf would we want with tat shit
KickStarRabbiti think its got a adtran card in it
KickStarRabbitthe shipping would be more then its worth
xousI'd want whatever bell uses for slams
xousthat'd be interesting for lab shit
KickStarRabbittin can and a piece of wire
xousI'm not even sure if they know what they use
KickStarRabbitthere techs sure as wonder that too
xouslast time I called bell
xous"I have no idea how this works"
KickStarRabbiti am on hold with bell right now
xous"your port is access
xousand I'm like dude
KickStarRabbitlike 25 min and no answer
xousmy side is trunk
xousI have 4 functional 802.1q vlans on it
KickStarRabbitme:port you:trunk
drkatno you dont!
TimberWolf_ethernet slipter to 4 access ports
TimberWolf_all the rage these days
xousthen I suggest maybe you are poping the tags on at the other end?
xous"I dunno"
xouscalls me back an hour later
drkatI'm gonna pop some tags...
KickStarRabbitwhile I am on hold I am gonna do some head to head testing in my pants
xousyeah it was in the canoga view
drkatomg.. canoga
drkatcanoga perkins bitches
xouswhich is the cpe
xousdrkat: do you know how to break into that shit
xousI got one
drkatnot break into one
xousbell left it behind and nobody wants to be responsible to take it back
xousso I'm like
drkatshit I need a lab
xousbut I can't figure out how to reset it
drkatmight motivate me
xousor default
TimberWolf_have you tried a hammer?
xousTimberWolf_: nope
TimberWolf_hammers always seem to work well
cyberputzACTION crawls out of his grave 
xousthe one I got seems to go for 1k on ebay
KickStarRabbitwere you keeping the crypt keeper warm?
newtmewtsweet, your moron noc issue an outage KickStarRabbit
cyberputzBeen doing an intense QA cycle and then fucking with a VoIP lab at home for a few weeks, think I actually understand cme fairly well now.
cyberputzBeen too obsessed to irc :p
KickStarRabbitnewt thay did there best
KickStarRabbitnow hug it out
TimberWolf_ACTION sets cyberputz dial-peer hunt to random
KickStarRabbitthis bell south IVR keeps telling me to powercycle my equipment
xousKickStarRabbit: How do you like it?
KickStarRabbiti hope it lets me leave a voicemail
twkmit's always a joy to call "carriers".
TimberWolf_sounds like earthlinks tech support
cyberputzEarthLink still exists?
TimberWolf_cyberputz, sadly
KickStarRabbit"most technical issues can be resolved by a powercycle!"
twkmi've been tempted to try to enter a mac address when asked for my phone number.
TimberWolf_and every time i opena ticket with them they spend 4 hours trouble shooting the wrong circuit
xousdrkat: I rent to access to my lab. $10/h :P
freaxlab rats
twkmKickStarRabbit: i've had that suggested. i agree that i'll powercycle my device if they'll do theirs.
cyberputzHaha twkm
KickStarRabbityou do me i do you twkm?? :)
twkmi'll take the reach-around, if it'll get past level n-useful.
xoustwkm: haha.
KickStarRabbitif the wrap around will get me to tier 3 then i am in !
twkm(you learn to collect, horde and be careful with direct noc numbers)
newtmewthaha twkm
KickStarRabbitwhy cant I ping 11.11.1
xousI just lie
xous"Yep. power cycled it.
xousYep. just did it again."
xoususually when I tell them I have a hard loop on the line
KingPowerCycleri also love to re seat cables
xousand they keep saying they can't see it and power cycle my "equipment"
KingPowerCyclersumtin bout plugging in and out repeatedly
xousit's called exercising the jack
KingPowerCyclerI love asking end users "are you up?"
twkmi usually walk over to their mux or patch and disconnect ... "any alarms yet?"
drkatoh LOS?
drkatyup found it
twkmthat's me power cycling. hang on while it boots. then go get coffee.
onefst250rfun part about carrier gear is you can usually go take lunch
onefst250rcome back, itll be about done
twkmif i actually power cycled have this shit it'd be an easy 20 minutes.
xousor fucking supplier before scrye kept sending RG-58 instead of 734A
onefst250ryeah, carrier stuff does not like rebooting
xousI got in to a huge arguement with rogers
xousI see packet loss to the first hop
xous"i see no packet loss when I ping you"
xous"i've connected my laptop direct to the modem. still packet loss."
xous"get new modem"
xousluckily the rogers place was literally accross the street
drkatsure isnt the line condition
KingPowerCyclerco has an outage
xousso I was like fuck it
xousgot a new modem
xouscalled back 10 minutes later
xousstill packet loss
xous"nothing is wroong"
xous"asked for a escalation. they said someone would call me back."
xoustwo days later there is a rogers van outside the building as I'm leaving
xouscome back home and internet is fine
onefst250rinvoice is in the mail
xousI call 'em back and said I wanted a 2 month credit.
xousI got 1.
xouswasting my fucking time and lying to me
cosbycoinunless you have a competiter in your area
xousI have several
xoushell we are one
onefst250rhe IS the competitor
Harlockshaw has always been really good with me with such issues
xousI could sell myself a DSL
Harlockno lying
onefst250ryeah, get epik to pay for a metroe connection
cosbycoincox isn't as shitty as at&t is
xousheh. I wonder if I could make enough to warrant lighting the building
Harlocki had a weird periodic issue and they appreciated my rrd graphs
onefst250rhow much was the rogers circuit?
onefst250rback to your office
cosbycoin$65/m for 50mbs down 15/up
xousit's not point to point
xousit's just internet
onefst250rdidnt you get a quote for ethernet back to your office?
onefst250ror was that from a different carrier
xousbell in this area is like $650-1k for 100
onefst250rso find 10 nerds in the building, each chip in 100
xousthat would involve knowing my neighbours
onefst250rgood point
onefst250rput up a flyer in the common area?
onefst250r"Sick of ROgers? Better call xous!"
xousI know our sales dicks
xousthey'd take that cost and mark it up 30%
xousI know someone else that can do Bell L2's though
onefst250rthats why you just tell them that its a backdoor into your network for DR reasons
xousmaybe I'll get him to do a quote for shit
xousonefst250r: and I need a 100MB EVC instead of a 10 because?
onefst250rneed to sell it to you for 0 markup
onefst250rbecause configuring routers from the cli requires bandwidth
onefst250rbetter latency if the packets get serialized faster
xousfaster repair amirite
Harlock$650-1k for 100 to where
xousback to our colo
Harlocklike a leased line
Harlocknot metro-e
xousit's dedicated
Harlockthat is not bad
xousit is for home internet
Harlockit's not even internet
xouswell yeah
onefst250rMetro-E; the ethernet that spends lots of time in front of the mirror
xousI'd borrow some of our existing transit
Harlockhow far it is?
xousgoogle says 4.3k by car
onefst250rwhat is this "k" thing you speak of?
onefst250rdidnt you say it was like 11 blocks?
xousthat's to our OFFICE
Harlockis it sm fiber?
xouswhy would I haul it there just to haul it back to front anyway
xousalso the office only has a DS3
onefst250rwould it be shorter to the pop?
onefst250roh weaksauce
xousand we have customers there
onefst250rwho the fuck uses tdm for office stuff?
xousit was cheaper
onefst250rcheaper than ethernet? really?
xousand some asshat signed a contract saying we need $x number of ds3s
onefst250rMLPPP a few of them together then :)
xousI think our contract price is like $600/mo
onefst250rper ds3?
Harlocki should get some quotes myself
onefst250rthats not bad actually
Harlocki'm not liking the metro-e
onefst250rwho's the provider?
xousfucking dicks.
xoustelus sucks balls
Harlockwe in a contract though
Harlockthey did the fiber builds
xouswe have a customer maxing out one of the bell circuits
xous'oh noes when we go over 10Mbit/s shit gets dropped!"
Harlockone of the builds was a mile too
onefst250rhow much bandwidth?
Harlockright now we have 10m at each site on metro-e
onefst250rHarlock: lots of providers will just bury build costs in the monthly nowadays
onefst250rmost situations it works out better for them anyways as it gets more fiber they can sell to other customers
xousalways nice to have the first client cover the costs though :PO
Harlockif i can get 100m dedicated for $1k each that would be much better
onefst250ryou're paying more than that now?
Harlockaround 1k for each site
Harlock4 sites
onefst250rfor 10m?
onefst250rdo they at least give you a reacharound?
Harlockit l3 metro-e and they can't even set it up the way they said they were going to
xousbreach of contract
xousfind new provider :P
Harlocki'm sure they can get away with correcting the problems
onefst250rforce them to sell you dark for hte same price :)
Harlockone link is quite long though
Harlockwould be
xous20km/40km optics aren't that bad
Harlockdunno if that impacts pricing
onefst250rif its only gige, you can get like 120km
onefst250reven more if its decent fiber
xousif it's dark why not go 10G :P
onefst250rthere is that too
eirirs_I love discovering lots of dark fibers
eirirs_"whoohoo, where's it going to..."
xousjust pay for another dark strand to some place with cheap transit
xoussell the rest of your buildings to cover costs
Harlockit's 21k by road
onefst250reasy peasy
onefst250rprobably 30-40 by fiber
drkatfuck i gotta go to bed
Harlockya 3 dark links from 3 sites back to a forth would be nice
Harlockmesh would be nicer but i don;t think we need to jump that ditch
Harlockwouldn't get much benefit vs work and cost
Harlockself defence force
terabitACTION thinks he'll stick with iptables :P
xousI can't figure out why this 10G shit gives input errors
xousone link didn't like SMF
xousso I used that blue shit
xousthat worked
xousother think. nope..
xousother link*
xoussame optics same distance
xousso should I go back to the colo and move some cables around
blackOffthat really $260,000
blackOffactually pretty good looking specs
blackOffsuper expensive for only 10,000,000 friends
blackOff8,000,000 foes
xousyou still talkin' nonsense?
Olibertalkin crackah
xousso I wonder if I should do something silly.
xousHow silly?
blackOffless masturbating, more abstract
xousda fuck you talkin' about willis?
drew__260k for what
blackOffsome bad ass ASA
drew__260k for a fucking firewall??????
xousprobbably has 40G interface
blackOffxous, willis is dead
blackOfffound that out last year
blackOffi thought he was still acting, been dead like 10 year
xousdis rapid spanning tree shit isn't so rapid heh.
xousI lost about 30 packets when I just did a test.
FungiFoxxous: they are over here
hkklxous: most likely you haven't configured it correctly :)
xousprobably not
xousI just did spanning-tree mode rapid
MyssT30 packets is nothing if you're doing 100k/s to 1m pps on the interface
hkklxous: all edge ports are correctly set and no compability modes etc?
xousthere are a few more switches that aren't configured for rapid-pvst/don't support it.
zambalooking at 'sh int trunk' output, what's the difference between "Port Vlans allowed and active in management domain" and "Port Vlans in spanning tree forwarding state and not pruned"?
xroHi, i need a confirmation. I have 1 HSRP group with many standby IP inside (many VLAN gateways). If i add an interface to a HSRP group, there is no way to loose connectivity during the configuration? i mean active standby won't change?
Symmetria <=== do they look hungry enough to feed a vendor to them?
LalufuSymmetria: they're males. You want female lions.
hkklwell, if you kill, or incapacitate vendor first, i guess male lions will bother eat it
kuaharaok, so plugging in the db9 to usb adapter into this pc results in windows detecting a com3 device: "Prolific USB-to-serial comm Port", but it is unable to install the driver for it automatically.
kuaharais there a special driver that needs to be installed to be able to use these?
Balusewhat does this mean ?
BaluseI mean I dont get rj45 pin numbers
bhuddahwhat do you really want to know?
kuaharaheh, someone called it yesterday
kuaharathis stupid cable is a fake
Someonefromhellkuahara : I have a prolific cable as well, works fine
Someonefromhellwell, prolific-based tbh
kuaharathe one I bought gives me error code 10, device failed to start
kuaharathe prolific software that tests it fails to open a com port every time
kuaharathere's a driver installed for it
FrFluffyBottomwhat OS?
kuaharawin 7
kuaharaThis is the one I bought:
kuaharahe's 99.2% positive feedback with almost a half million reviews.
kuaharathink I'll just contact him
FrFluffyBottomDo you knwo if it's PL2303 based?
Someonefromhellmine looks like that as well, different color though
kuaharait says 2303 on the db9 end of the cable
FrFluffyBottomI've had mixed success with them - more luck in OS X than Windows; if you have a mac try that with hte PL2303 driver
FrFluffyBottomeliminate a system issue at the very least
kuaharaI don't have a mac
kuaharaI'll get a mac when the job absolutely requires it and alternatives are unacceptable
FrFluffyBottomACTION owns both a pl2303 clone and a keyspan device - teh keyspan is far more reliable and the drivers work on every system i've tried
FrFluffyBottomcost a lot more, but worth the avoidance of headaches
kuaharathat really sucks. all of that other equipment arrived today and I can test none of it
FrFluffyBottomDo they not have USB console ports?
kuaharathe 2821 router has 2 usb ports right next to the console port
FrFluffyBottomyeah sadly 2800 doesn't have usb console
kuaharathere's a 2821 and 2801 router
kuaharaand 2x 3550 switches
FrFluffyBottomDepending on what country you're in you cna buy 2303 in highstreet shops - in hte UK you can go to Maplin and they sell them; could test and return if it also doesn't work
MyssTI'm using pl2303 driver version 1.4.17 with my cables, they're also supported under linux so just boot a live cd?
kuaharaI have the windows driver
kuaharaI think the cable is just defective
kuaharaor doesn't work because it is a fake
MyssTit's true there are fake chinese pl2303 chips in some cables but they do work with older drivers you just have to get the right version
Baluse I dont get the numbers
Baluseat rj45 side.. are they in order or the pins ?
kuaharamysst any idea where I might find an older one
kuaharathe ones I've finding are labeled v1.9, but when you open the pdf that comes with it, it says for windows it is v3.4
bhuddahBaluse: i suggest getting a real cable and dissect that. rj-45 pins are numbered from one side to the other 1..8
Balusei did it and doesnt work
Balusei mean 4,3,2,7,8,5,6 mean the pins at rj45 ?
kuaharasomeone posted that the fake ones work with this specific driver version. Installed it... device still doesn't work.
MyssTkuahara: I give no guarantee or warranty on this file! it may or may not cause bouts of insanity or genital warts... Cable_PL-2303_Drivers -
kuaharaThe requested URL /IO was not found on this server.
kuaharathere's a %20 missing in your url =o
kuaharastill doesn't work. this time it changed to error code 1
kuahara"The system cannot find the file specified".
Baluseit isnt cisco though
xroHi, i have a very strange behavior on a 6500. I have a port channel with 2 members. The allowed vlan list is different on the Po and on the interfaces (don't know how it is possible).... When i do a sh int xxx switchport i see the list of trunking vlan configured on the Po (there are less vlan on the interfaces). Do you know this problem? is there a way to correct it without any loss?
Someonefromhellkuahara : let me clone the driver cd I got and up it
Someonefromhellkuahara :
xroIf someone already met my problem, can you just give me an input in PM (lunch time)... thank you!
kuaharaSomeonefromhell, thanks. downloading now
kuaharaSomeonefromhell, tried the installer located in: prolific_drivers\12.02.1089\Windows first, but still error code 1. Will uninstall and try the others as well.
kuaharaalso tried the installer located in: prolific_drivers\12.02.1071_12.02.1072\Driver_Release Note64_7840\Version1.3.10.0\Win64
kuaharasame error code
kuaharaThat last one I tried appears to come with something called MultiImp. Ran that and clicked Test, it says no high speed usb multiserial devices detected.
wfqHi guys
wfqa few months ago I bought a cisco ASA 5505. The guy who is now setting it up said that I need what is called DES
wfqcould anyone please advise what's the shortest way to obtain this?
Forge__you do the 40 year old encryption dance
wfqForge__ was that for me?
Forge__go here
Forge__I'm guessing this is what you need
wfqForge__ thanks. I will register first. I can guess that in the registration process I will be asked for some ID number identifying my hardware, otherwise how would I obtain the license that I need
Forge__yes you need the serial number of your asa
eirirs_oh, nvm
wfqthanks a lot Forge. In the middle of it.
eirirs_I just read that this way:130215 < Forge__> yes you need the serial number of your ass
Forge__eirirs_: that too
Forge__wfq: I'm doubting the competency of the guy configuring your asa if he can't obtain that license himself
Forge__it's free now, it was a paid-for license historically
eirirs_free? asa license?
eirirs_thats new to me
wfqForge__ to be honest I am wondering the same given that I found how to do it in a couple of minutes - Of course I came here to ask but at least I know where to ask :)
Forge__eirirs_: for strong encryption - 3DES/AES License
RedShifthi guys
RedShiftcan you make BGP selectively announce routes based on ip track?
RedShift(using ip sla checks?)
Forge__sounds like something I've let the routing protocol do
Forge__you could do something with eem
Someonefromhelldepending on your design, yes
Forge__but sounds like you're hacking something
Forge__and going to cause yourself pain
Someonefromhellif you've got nullroutes for them ( if they're aggregates ), you can tie the rtr to a track to the static route
RedShiftwell the situation is, two WAN links, both dynamically configured (DHCP)
Someonefromhellor you could just give up on setting up a somewhat manual kind of hell, and go to automatic hell ( pfr )
RedShiftI put one WAN link in VRF A, and one in VRF B
RedShiftnow I need the route to be injected in the global routing table, depending on which VRF has internet (A or B)
Someonefromhellyou can do that with what I said ( tie the static to a track to an rtr ) but it's not really what I'd call good design...
RedShifthow would you improve on this?
SomeonefromhellI'd have to know more details and the requirements...and I'm too busy for that at the moment :p
RedShiftjust two ethernet cable modem connections... two ethernet interfaces on the router
gsmfaxanyone know the best choice of router for installing a VoIP module for a callshop?
mAniAk-_1do packets dropped by policing on a 7600 show up as output drops?
void64It may or may not, depends on how the software interacts with the asic, but you should see them in viewing the service policy on the interface
nierosmorning gents
mAniAk-_1void64: yeah I can see drops by the policer in sh policy-map, but do they show up as output drops on show interface or not? asking because some traffic in the queue is policed, other is not, queue shows output queue drops
BejglimAniAk-_1: check sh queueing interface
twmjrmAniAk-_1: in general, the answer to your question is: it's possible it won't, but it's generally true that policer drops will appear as output drops...
mAniAk-_1Bejgli: yeah it shows drops on one queue, though is that drops after the policer did its thing or does it include the police drops
BejglimAniAk-_1: compare it with sh policy-map interface, that should show policer drops only
mAniAk-_1Bejgli: fika now but ill check, iirc sh policy showed them in bits, sh que in packets
void64Wow, every college I deal with… their internal networks are a disaster… and they wonder why they have connectivity issues
void64gee, a public facing /19 on an Ethernet interface, what could possibly go wrong
GraNNy-void64: who exactly wants to get paid crap that's any good?
myndI have a feature request from a receptionist: she wants to be able to dial a number and before the call is connected transfer to another internal extension. Any ideas? Looking at the softkey template on CUCM under "Ring Out" I don't see a transfer option
hkklbleh, yet another guy from tech department resigned.
hkklthat'll be fifth in 3 months
bamsefarhkkl: How many left?
bamsefarare left*
hkkli guess ~20
bamsefarSo in another year..
hkklmanaged services team has been worst, it has halved
hkklguys left are bit overworked
bamsefarhkkl: I can imagine
hkklwell, i'd really like to switch jobs too
pffsRats from a sinking ship?
hkklwell, i haven't heard about our last year's revenues, but last indication was that we had growth, and quite much growth in profit, but both fell short of what was budgeted.
myndhkkl: at the last gig, my whole team (albeit only 6 of us) left within 8 months of each other
hkkli guess market wasn't that easy last year though.
myndand they didn't hire replacements at 1:1
bamsefarhkkl: Where do you work?
GraNNy-hkkl shows how cool he is by using an AS :)
GraNNy-AS6461 babeeee
mAniAk-_14 number as
hkkl'my as is so large, oooh'
mardraumoh here we go
mAniAk-_1you guys suck
GraNNy-well, i did work for a 3-digit once
GraNNy-long time ago
GraNNy-but never a 2 or a 1
hkkli've been at 6667/790
GraNNy-i remember two of my AS's and that's about it, i'd have to look up the rest
mAniAk-_1Bejgli twmjr guess ill have to put it another queue to find out
KenMatlocklowest I've worked for I think was 3149
myndi've not worked at a company with a number :-(
pffsI have no idea what our AS is
hkkli always forget current employers 4th as (we also have 13276 and 33935), and 33901 we gave back to ripe at some point
pffshkkl: it's easier for profits to go up if you no longer have employees
hkklpffs: true!
myndpffs: should be able to find it using one of your external IPs and
hkklfourth one is 34484 it seems
pffsmynd: yeah I can look it up if I wanted
pffsjust haven't had any reason to dick with that particular router
hkklcan i import routes in ios-xr with set clause 'as-path tag'
hkklseems that i would need to do that for customer
wfqhow long does Cisco usually take to send a license? I'd swear I read in the screen that it would be sent within 1 hour
garrettskjwfq: lol no
wfqgarrettskj, sorry what? you mean that this takes a bit longer doesn't it?
hkklhmmh, it seems that 'prepend as-path' would be the command to use, but it seems to me that it doesn't have a direct keyword 'tag' or similar
hkklhmmh, so i would need to hardcode the as-number to prepend, not really a problem as this is a single user case. but but, not scalable!
pffsI was under the impression that as-prepend tends to be a poor solution as not everyone honors it
pffsI think ATT strips all duplicate ASs in the path
hkklwith that, route that matches prefix-list and has tag 13276 would be advertised as 29422 13276, not 29422
hkklie. we are originating customers routes from his as-number
kmcelroy1wait, what?
kmcelroy1i walked in halfway :P
hkkli'd like to get that config as generic as that from ios to ios-xr :)
KenMatlockare you trying to prepend AS numbers that you don't own?
KenMatlockmaybe I missed something :)
kmcelroy1i missed a lot i think
hkklyes, and no. i'm not trying, i'm doing it, and we are prepending prefix with customers as number as he doesn't bother with bgp
hkkl(and we are prepending few prefixes with another of our own as-numbers)
kmcelroy1he doesn't have BGP, but you are adding his AS?
nierosprepend all the thinnnngs
kmcelroy1seems odd
kmcelroy1also seems pointless
VlanXanyone familiar with NAT1:1 here?
garrettskjask away VlanX
hkklwell, the prepend to our own prefix isn't totally pointless. and customer doesn't want to originate his own prefix from his liiittle internets, and parts of the network are routed to different places
hkkli guess it's good to 'show' that as-number is in use, so ripe doesn't try to take it back :)
hkkl(no, not common config :)
VlanXI have a cisco 877 behind a router that is not accessible (my ISP's modem) and I'm trying to understand if I can get my 877 to the internet with NAT 1:1 to be able to receive crypto requests from another router that's willing to initiate a tunnel
kmcelroy1if they don't use the AS number, RIPE should take it back
hkklthey are using it, their prefix originates from it!
garrettskjVlanX: only if you use certificates...
hkklby us sure, but it still is.
garrettskjVlanX: cisco doesn't allow for hostname isakmp identity with PSK
kmcelroy1except they really aren't using it
VlanXgarrettskj: who's talking about hostnames?
kmcelroy1you aren't supposed to get your own AS unless you are multihoming or are an ISP
garrettskjVlanX: I am..
kmcelroy1they are limited
hkklkmcelroy1: well, how can you tell they aren't using it in internal use?
kmcelroy1so it is really dumb for them to keep one they aren't using
garrettskjVlanX: because you can't do IKE identities behind NAT
kmcelroy1you can use private internally
hkklnot necessarily
VlanXgarrettskj: not even 1:1 ?
garrettskjneg, the router still reports its own IP address in the IKE negotiation
kmcelroy1if they aren't multihoming or an ISP, they do not require an AS and are not following the rules
garrettskjthe way around that, is to use "Crypto identity hostname"
kmcelroy1which causes issues for people who actually need AS numbers
kmcelroy1it is no different than the douchebags that squat on IP blocks
hkklkmcelroy1: they can be multihomed to a single provider too
garrettskjbut that command isn't "listened to" without using RSA-SIG
hkkland for LIR multihoming isn't requirement
garrettskjsooo as long as you are doing certificates, you can have it behind the 1:1 nat and have it work.
hkklalso public-as needed if you ever really want to change upstreams without problems
VlanXgarrettskj: Is there any tutorial for this?
kmcelroy1yea, they don't need an AS
kmcelroy1i hope RIPE takes it back
arcskyBFD, does it take much processing if i enable it?
hkklimo they need
garrettskjalternatively, if you're setting up a vpn to a third party provider, some of them have the provision to change the IKE peer manually.
garrettskji know that sonicwall, palo alto, and F5 can do that.
kmcelroy1BFD is fairly light on resources
kmcelroy1hkkl: well, your opinion is wrong so far, you haven't given an actual reason for them to need it :P
arcskykmcelroy1: thanks
kmcelroy1just, well maybe they might need it, or they kinda might want it some day
drkatany logical reason to use no ip route-cache?
VlanXgarrettskj: yeah I could set up a third party server
garrettskjVlanX: check this,
garrettskjhrmm.. looks like if you force aggressive mode, it might work.
kmcelroy1drkat: you used to have to do that to use certain troubleshooting, it had to be punted so you could see it, but otherwise in production, no
garrettskjfollow that and tell me if it works. ;)
kmcelroy1it basically just stops it from using CEF
drkatyeah I was wondering why these 3550's had no ip route-cache on it
drkati knew it turned off cef, but
kmcelroy1if it is in layer 2 mode, it is normal
kmcelroy1if you have ip routing off
nieros3550s aren't really layer 2 switches are they?
nierosoh I see
kmcelroy1sh run | i ip routing
kmcelroy1if you see no ip routing, it is layer 2
drkatno it has routing on
VlanXgarrettskj: Damn, this shit is hardcore
kmcelroy1then you should try to turn route-cache back on, unless there is a limitation to the switch, can't remember for sure
hkklkmcelroy1: but that really doesn't solve the other situation i commented, that we originate in .fi network some prefixes with international prefix
drkatbut having no ip route-cache turned on a layer 2 device makes no fucking sense anyway..
drkatmeh i digress
drkatlazy ass engineers
drkatCCNP = Cut Copy N' Paste
hkkland we don't have any routers in .fi on that as
hkkl(most of this shit is from multiple mergers :)
kmcelroy1drkat: it does it automatically on layer 2, likely just part of the IOS layout
drkatyeah, but this isnt a l2
drkati could understand some automatic output
kmcelroy1i gathered that
drkatgood.. :)
kmcelroy1mainly by when you said it was layer 3
kmcelroy1but you said it doesn't make sense on layer 2, i explained it is automatic
kmcelroy1so you have no choice in that instance
drkati got it now
drkatso who wants some snow?
drkatI have about 7 inches of it
kmcelroy1i kinda do
kmcelroy1right now it is just dreary and dead around here
drkatI need some fucking quiet time, this work at home shit is nuts
kmcelroy1throw your kids outside
KenMatlockdude, you got snow outside, make the kids get dressed and go play in it, or better yet, shovel it
drkatnot my kids really
drkatKenMatlock fuck that.. I dont shovel snow
KenMatlockno, make *them* shovel it
KenMatlockthat's what kids are for, cheap slave labor
kmcelroy1kids are legal slaves, you didn't know this?
drkatwhos gonna watch the kids outside?
kmcelroy1no one
kmcelroy1you just let them knock it out and hope they don't die
drkatso my 1 yr old is gonna go out and shovel snow unsupervised?
KenMatlockyou got windows?
kmcelroy1survival of the fittest man
kmcelroy1they figure it out
KenMatlockthe 1 year old probably needs a nap, kick the rest outside :P
drkatshe's stopped napping :(
drkatdamn kids
kmcelroy1not if you have whiskey and some nyquil!
drkatand my 7 yr old is sick
KenMatlockha! :)
kmcelroy1that is the nap maker
drkatand now my wife is sick and groaning over her stomach
drkatlike wtf..
drkatthe doctor needs to prescribe a little bit of man the fuck up
kmcelroy1drug your wife and bang her, drug the 1 year old, throw the other kids outside
kmcelroy1problem solved
drkathilarious -
drkatso i told my wife to man the fuck up and well..
drkatnot a good idea
mynddrkat: ha!
myndshe give you one of them there "stern" looks
kmcelroy1should have done what i told you
drkatalways the answer
kmcelroy1drug and bang and she will be reasonably quiet and happy
drkatso she pukes on me
kmcelroy1doggy man
kmcelroy1puke the other way
d00nsweet rainbow shower. normally got to pay extra for that .
drkaton my versace bed sheets?
kmcelroy1who said in bed
mynddrkat: put down a few towels
kmcelroy1just put her head in a bucket and knock it out
drkata bucket full of her own vomit
drkatthats umm..
kmcelroy1make the kids hose it out
kmcelroy1gives them something to do
myndonly after they shovel
drkatshit, mix it in the blender and feed it to em
kmcelroy1nah, then they puke
drkatwe aint rich round here
kmcelroy1pain in the ass
drkatfucking snow
kmcelroy1whiskey nyquil cocktails all around
drkatshit i should take one
drkatbest sleep ever
mynddrkat: you got like 7" of snow, eh? get a good layer of ice on top it?
drkatso I'm going to install win7 on this desktop I hope its supported
drkatmynd nah.. nice layer of ice underneath it
myndthink the news said 7" here as well, but with ice on top
drkatSo I found a Dual Core in the garage
drkatbut it has vista on it
drkati dont do vista
drkatmy 24" monitor should be here this week so Im gonna put this PC in, put together my computer desk, throw my old desk out and get a keyboard and mouse and have a nice clean setup
drkatsitting here on this 12.5" laptop really is hurting me ergonomically
gewtweather means my appointment is cancelled
tannermynd what does your receptionist want to do?
drkatall of it
myndtanner: she wants to be able to make a call and while it's still ringing, transfer to another internal extension
tannermynd so transfer an active call, and complete the transfer before the other end answers?
myndnot quite
myndthe call isn't considered active as it's still ringing
razorzHmm wonder how portable the config from an ASA5510 would be to an ASA5515X
tannermynd okay, so she wants to transfer the call ringing to her to another line
myndpicks up phone, dials a number, before they answer, she transfers it
myndshe initiates the call
tannerI don't follow, what is she transferring if she is initiating a call
myndhow i understand it is: she calls an outside number for another user, while the phone is still ringing, she transfers it to the user's phone
myndwhy the other user just doens't make the call, i'm not sure
tannergotcha, so she's effectively dialing for someone else
tannermynd possible with CTI or some other custom app; nothing native to do that
drkatyet her key system did it..
myndi've not done much with CTI's and nothing at all with a custom app
mynddrkat: yep
drkatwtg cisco
tannermynd that's why my company exists; we do just these kinds of things
myndtanner: so did you read the whole back log? or do you have highlights for specific words?
tanneranything voice related
myndmakes sense
myndi don't even know what to search for me to start looking into it
tannermynd you'd really want to already be familiar with cisco CTI programming and the like
myndi've looked into custom softkeys, but that doesn't seem like it'd end up doing what i want
tannermynd you might also consider putting the line on her phone as a shared extension, let her dial and put it on hold. the other person should be able to answer it, but they have to pick up manually
myndwhat about call park?
tanneryou could do that
tannerbut the person has to manually call the park number
tannersounds like she wants to dial and cold transfer when the other end answers?
myndcan you put a call on hold before it's answered?
drkatwhy cant she just take the fucking call?
myndshe wants to cold transfer *before* the other end answers
drkatshes a receptionist
drkatthats what she DOES
tannermynd If they really want it, I could mock it up and have something by EOD. but they have to pay for it :)
mynddrkat: she's transferring an outgoing call that she makes
tannerdrkat she is making a call for someone else, effectively
myndtanner: I'm not sure my boss lady will go for it
drkatcall comes in, notices its so and so, while still ringing transfers to an external line?
drkator did I miss everything
tannermynd pitch it, you never know, they might want it bad enough =)
drkatjust tell boss lady to cut a check
drkatdid you witness the functionality on the previous key system?
worstadminIs there a way to just show interfaces with errors (reset/drop counters)
drkatshow int | include err|drop|whatever
worstadminbut then I dont know the interfaces
mynddrkat: i did not
drkatmynd god I hope the end user isnt imagining things
myndi think the reason the receptionist dialed for others before was the call restrictions on the key system
myndthe local IT support told me about it first, so I tend to believe
drkatoh ok
drkatwelp network warrior was boring me to death
kmcelroy1that good huh?
drkatoh yea
drkatkinda hard to get into route redistribution and shit when I have no need for it ;)
mInrOzHm, doing some NAT labbing and im having a problem getting router2 to answer.
mInrOzI think i got it working out from the internal network and it is hitting router 2
drkatIOS or ASA?
mInrOzBut router 2 cant respond to the ping
drkatkmcelroy1 I've also realized the last IOS router I was in was like 2 years ago
drkatASA is very popular
drkatit slices, it dices
drkatits the ASA!
generalshenanigatraffic goes in, traffic goes out, you can't explain that!
E1ephantI need help
mInrOzgeneralshenaniga: lol'd
mInrOzShould work right? Or?
twmjrmInrOz: you have a typo in your "nat inside source list" :)
E1ephantsomehow, I am losing my precious netflow bits between a cat6k and nfdump. I see flows under "show mls netflow ip"
E1ephantthey don't make it to nfdump :|
twmjrthe list name is not your acl name
mInrOztwmjr: .... lol
mInrOzdidnt see that
mInrOztwmjr: Ok now i got that fixed :) But it is still timing out on the pings
mInrOzI can see the ip nat translations tho
twmjrsure it's a NAT problem? Can you ping the destination sourced directly from your F0/0 IP?
mgeorgelooks like new cases are coming forward where the NSA has violated attorney-client privileges
mgeorgethis case is sure to get the attention of every lawyer in the country
mInrOztwmjr: Pinging from the Router directly to the other router is no problem
mInrOzBut pinging from the "internal" interface fails
KenMatlockmgif by 'attention' you mean 'apathy' I agree with you :P
KenMatlockmgeorge: if by 'attention' you mean 'apathy' I agree with you
twmjrmInrOz: pastebin the nat trans? I just threw it into a gns3 setup, basically an identical config, and it works as expected
mInrOzhm, im doing it with Cisco Packet Tracer
mInrOzjust got an error when i did it in GNS3
myndtanner: found another way to do it
twmjrwonder if packet tracer doesn't handle the NAT properly when its sourced from a local intf on the router...don't have access to it so can't test that
myndtanner: user calls receptionist, she answers, they tell her what number, she then presses transfer, dials the number, then transfers the call
kmcelroy1packet tracer is buggy
myndi think that should do it as well
mInrOz% NBAR ERROR: symbol addition
mInrOz% NBAR Error : Activation failed due to insufficient dynamic memory
mInrOz% NBAR Error: Stile could not add protocol node
mInrOz%NAT: Error activating CNBAR on the interface FastEthernet0/1
mInrOzthats the error i kept getting on GNS3, if i increased the ram the router wouldnt start
mInrOztwmjr: But ok i configured NAT correctly... do i need to do something specific to the other router to make it respond to ping?
twmjrif it responds to ping when sourced from f0/0, looking at your NAT config I see no reason it should not also respond when sourced from F0/1 (or a theoretical host sitting behind it) guess is your config is fine & there is something funky with packet tracer
mInrOztwmjr: Hm ok... hope so, got my CCENT exam this friday :)
mInrOzThanks for the help
drkatahh.. certifications the only motivator for labbing
ciscotree1if i block countries by GEOIP in an ASA, can our internal traffic still reach those servers if there was a website hosted on an IP that falls under that country block?
void64ciscotree1: I would assume not
void64ciscotree1: wouldn't the return traffic be dropped?
ciscotree1that's what i assumed too
ciscotree1but if there is an existing connection, do the ACLs even get checked?
twmjrmInrOz: sorry...I just re-looked at it...
ciscotree1assuming it was initiated from the inside
twmjrmInrOz: ip nat inside source list inside_nat interface FastEthernet0/1 overload <== you need to ref your WAN interface prior to "overload" ... this should read: ip nat inside source list inside_nat interface FastEthernet0/0 <=== overload
twmjrthe interface you specify there is the interface it will use to NAT the traffic to
ciscotree1void64: just found this: Cisco ASA will first verify if this is an existing connection by looking at its internal connection table details. If the packet flow matches an existing connection, then the access-control list (ACL) check is bypassed, and the packet is moved forward.
mInrOztwmjr: oh... stupid mistake. Will try it out
twmjrmInrOz: with that change, your exact config dropped into a GNS3 router hopefully packet tracer does as well :)
void64ciscotree1: yes, that's an EXISTING connection, thats normal
void64ciscotree1: but if it's a new connection out, I don't think the ACK would be allowed back
mInrOztwmjr: yay
void64ciscotree1: so I don't think the connection would setup
mInrOzthanks it works :D
tannermynd that works. still incredibly stupid
tannermynd sounds like a terrible workaround for an old system
twmjrnp...glad I double checked...
myndtanner: the reason they did it before was due to call restrictions and access codes
tannermynd yeah
tannermynd make it so they don't need to =)
ciscotree1void64: hmm, i guess its something i need to test. I would assume the connection would be set up if it was initiated from the inside. the return packets should be allowed. even the initial ACK
ALucas I hate natting on the new IOS version
kmcelroy1if initiated from the inside, the reverse path will be allowed
kmcelroy1assuming it is allowed from inside to outside of course
myndtanner: apparently, the workers have been caught, on many an occasion, just chilling on the phone and running up the bill
myndthat's why they implemented passcodes in the legacy system
ciscotree1kmcelroy1: even if there is an ACL blocking the IPs that were connected to from the inside?
twmjrciscotree1: that's how it should work..."existing" I believe includes only a SYN sent out and waiting for response, presuming it was allowed to begin with
tannermynd gotcha. still, must be a better way around it
garrettskjALucas: don't whine. adjust ;)
kmcelroy1ciscotree1: i think you are missing some words in that statement
myndtbh, it's more of a policy issue and not a technological issue
ciscotree1kmcelroy1: haha if i was blocking on an outside ACL and an internal computer initiates a connection to, will the connection work?
kmcelroy1you can test with packet tracer
ciscotree1thanks twmjr void64
ciscotree1good idea
kmcelroy1one of the better features of the ASA
drkatASA pwnz
kmcelroy1that and the packet capture, both quite nice
drkatthese sophos UTM's arent too bad either
drkathopefully be getting certified in these little fuckers
ciscotree1packet capture is amazing
kmcelroy1IOS packet capture is nice too, but more of a pain in the ass compared to the ASA
drkatI havent seen much cisco deployed in the SMB other than ASA, those Sonicwall wanna be devices arent ramping up
drkatRV series
kmcelroy1cisco has a pretty meh attitude toward SMB
kmcelroy1if it happens, it happens, otherwise i don't think they give much of a shit
drkatthat they do
drkatunfortunately thats where I work :(
kmcelroy1SMBs are cheap and don't buy a lot of smartnet
drkator any
drkatenterprise 1000 users is where cisco starts to make sense
drkator SP
mepholicdrkat: hows ur vps
kmcelroy1they still want the market share, they just don't want to put out a lot of effort
drkatmepholic canceled it
drkatpain in the ass to setup and I dont have that kinda time
mepholicI paid $100 bux for a year of vps in detroit
mepholichaven't set it up yet
ALucas running on a raspberry pi :P
mepholicI think it's a 512MB KVM
mepholicrunning on dual L5560's
diozlet me set it up
pffsReally? Do you really need to come ask me how to wipe a config off a Juniper?
pffsWould it really have taken you more time to have typed that into Google instead of walking over here?
mepholicpffs: lool
pffsI try to make myself available to be helpful as much as possible
pffsbut sometimes I swear some of our junior engineers couldn't take a shit without someone placing their ass on the toilet for them.
diozare they females?
dioztoo bad
mepholicdioz: what does that have to do with anything?
pffsbecause you'd volunteer to help them shit?
pffsI don't know where you're going with this
diozso they're males?
kmcelroy1i need an adult
terabitI think he wants males
ALucasOh god..
diozare they he-she's?
ALucasThe toilet paper at work is like sandpaper... I'm pretty sure I've broken my turd tunnel.
terabitpffs: are you a senior admin ?
terabitALucas: no match for my ass, I've used a phone book on it once!! and the phone book broke
diozi used a porcupine once
ALucasthat's some hardcore shit.
terabitliterally :)
pffsterabit: not even
pffsmore senior than they are
terabithehe, this sounds like a stupid question but as someone who has never worked in corporate IT or even in an office, may I ask if you guys work in offices, cubicles or just wander around routers and switches and cabling cabinets?
kmcelroy1i date rape switches
kmcelroy1but i have a cube :P
terabithow can you work in a cube ? don't you need immediate access to the switches ?
kmcelroy1for what?
ALucasterabit: They just moved our IT out in an open office (think Apple store setup) with a bunch of HTML script kiddie developers... soo annoying
kmcelroy1ssh bro
ALucasIt's not like we sit in the datacenter
ALucaswell.. mostly
kmcelroy1there was some guy at a colo we went to that worked out of it :P
kmcelroy1that must be awful
nemithi like open office layouts
ALucasFuck open office layouts
kmcelroy1open office layouts are loud as fuck
kmcelroy1fuck that
Badgerpoodepends on the size and whos in them
kmcelroy1i like speakerphone
ALucasone side collaborates and disrupts everyone
drkatyeah fucking head sets
Badgerpoowe have an 8 person office with a really good dynamic here
nemithkmcelroy1: actually ours are very quiet
ALucasThis is like a 50 man open office.
ALucasso retarded.
kmcelroy1then you must have no one there or no one on the phone
nemithALucas: i think where my temp desk is in California it is more than that
nemithwhole campus is open office
ALucasThen I guess you don't have a bunch of people that need to "collaborate" or even talk. In a team environment it gets pretty chaotic
terabitkmcelroy1: what if ssh fails
kmcelroy1how would it fail? :P
terabityou guys never run cables ?
kmcelroy1fuck no
ALucasThat's typically reserved for techs. lol
ALucasIf SSH fails you've got a bigger problem lol
nemithALucas: nah there is still some, but for real discussions you get a conference room
kmcelroy1plus since we are a SP, it would be tough for me to wander to every POP to run cables and plug in :P
terabitbut wtf do you do then ? don't you install switches and routers and such ?
kmcelroy1rarely do i install anything
kmcelroy1i just set it up
terabitwhat else is there to do just monitor them?
ALucasI do
myndterabit: there's a whole host of things to do
ALucasterabit: this depends on the type of job you have.
myndterabit: there's also the non-tech side of the job too
terabitlike what? going to office parties and meetings?
mynddocumentation, for starters
kmcelroy1god, i hate documentation
terabitdon't you do that when you install it
GraNNy-documentation, janitor duties, politics
ALucasyeah. it's never finished.
myndterabit: hahahahaha
ALucaspolitics.. ugh
GraNNy-terabit: you've never done janitor duties, have you?
myndkmcelroy1: think i have an allergic reaction to having to write documentation
kmcelroy1i just sit at my desk mostly and add things
kmcelroy1service provider is much less of a pain in that respect
myndkmcelroy1: like 1+1 :P
GraNNy-i like writing docs because nobody else likes it and I then don't have to do 4am maint windows
terabitGraNNy-: I've never worked in an office
kmcelroy1i don't mind the occasional maintenance window
terabitI'm working from home atm
hkklGraNNy-: i like 4am maintenance windows, can do whatever i want :)
terabitI'm thinking here you guys spend 16 hours troubleshooting bgp and ospf and shit :P
GraNNy-who says you do janitor duties in an office? you have no idea what i'm talking about i'm guessing
terabitunless you mean literal janitor
kmcelroy116 hours? jeez
kmcelroy18 hours normal day to day
ALucas16 hours would be a problem lol
GraNNy-janitor duties == wtf is this equipment doing here, oh you mean all the people who were working on the project left, no docs, and shit is borked? you don't say!
ALucaslike loss of job problem
kmcelroy1then if shit blows up, maybe 16 hours, followed by comp time :P
GraNNy-you get comp time?!
kmcelroy1of course
kmcelroy1what am i an animal?
sng_I can do that one better.
kmcelroy1if i work late, i show up late the next day
sng_I get paid actual for reals time and a half over time for all that bullshit.
myndnormally ~8 hours here too, but have done a few 16 hour days for about a week plus
ALucassng_, you fucker
kmcelroy1i have had some weeks when we do POP installs or upgrades that are long hour weeks
kmcelroy1but beyond that, not the norm
kmcelroy1and i always comp time to make up for it
kmcelroy1stroll in at 12 or just work from home at 1 or 2 or something
myndnot a fan of the boss' take on comptime here
GraNNy-kmcelroy1: your management seems to get it. a lot don't.
myndsays that since we are salary, we're expected to work if we are needed and that she only counts comptime if we work the weekend
kmcelroy1GraNNy-: my VP was a switch tech when he started :P
kmcelroy1we get shit done and know what we are doing, so they just let him run the department and he knows we need sleep, ha
myndwait .. sleep and you're in IT?? does not compute
kmcelroy1i have to have my 8 hours
GraNNy-kmcelroy1: too bad i can't move to dallas, i'd work my way in for a job ;)
kmcelroy1there is a reason i am still here
GraNNy-no kidding
kmcelroy1the pay isn't it
myndnot often i get that much. normally about 6
kmcelroy1it is the freedom and perks
kmcelroy1we are basically autonomous, we do our own thing as a group and no one really interferes
GraNNy-kmcelroy1: good managers are hard to come by. keep them if you can
kmcelroy1CEO trusts my VP implicitly, so it works out well
GraNNy-follow them around
kmcelroy1he isn't going anywhere :P
GraNNy-i've had two good managers my entire career
kmcelroy1if an exec annoys him, he makes them go away
kmcelroy1even before he got VP :P
ciscotree1anyone run pfsense for an enterprise?
drkatkmcelroy1 so he is a working vp?
kmcelroy1yup, he still goes to sites and does cabling and shit :P
terabiterr, the most intimidating part for me to do networking is the "office politics" everyone keeps talking about :P
kmcelroy1he likes it
drkati hate office politics
drkatso i shut up and ignore people
kmcelroy1he went with me to NY and LA for the colo build out and he was running power and shit
drkathe configures the bgp
terabitwhen I hear IT , I think of "the IT crowd" except with hot servers and ethernet cables and giant routers/mainframes and 2 guys lost in the maze trying to figure wtf is going on :P
rez410ACS 5.5 I am unable to use an sftp. I get the "Error reading directory on remote server" message. I have added the host-key. any ideas?
diozciscotree1: i'm pretty familliar with pfsense
diozi've used it for a few years
dioznever seen it in a corporate environment tho
diozjust small business
rez410worked with same repo in 5.2 and 5.4
ciscotree1thanks dioz
diozi've always wanted to specifically sell solutions to small/medium businesses
diozas long as they want the setups tho
diozi'm not a big fan of trying to cold-call or dry-sell services
diozif they call and want someone to come in and discuss options that is what i like
GraNNy-rez410: sounds like a permissions issue
diozsup GraNNy- feeling better this week?
GraNNy-dioz: yes, thank you for asking
diozgood to hear
rez410I have tried several usernames
rez410i set up the account in my sftp just for the acs
rez410doesn't seem like it even tries to connect
rez410i don't get anything in the sftp log
GraNNy-can you scp or ssh to it?
rez410let me check
diozis there a hpsa wic?
diozand does anyone know the name of it?
rez410GraNNy-, I can hit the server via ssh. i fail login but i do see the attempt in the solar winds sftp
dioznvm i found it
rez410didn't see the restore sftp attempt tho
drkat_cray cray
diozi want one tho
mepholiccray cray
rez410GraNNy-, I don't see the dir listing attempt either
drkat_yo yo
GraNNy-rez410: can you pastebin the logs of every step you take to get the error? or are you using an sftp gui client?
GraNNy-remember, PASTEBIN
GraNNy-rez410: e.g., check out
rez410I'm attempting sftp from the cli
rez410I configure the sftp repository with user name and password which matches creds in solar winds sftp server
rez410i then run #show repository "repo name"
rez410then get the error
rez410solar winds does not detect the attempt whatsoever
rez410this all worked fine in 5.2 and 5.4
GraNNy-you have something like this, right?
diozthere's a party at the bar everybody put your glasses up
Panther_ModernIt's Wednesday
Panther_ModernIn the middle of the day
Panther_ModernDon't get drunk now
Panther_ModernGet drunk in the MORNING
diozeverything is so black and white to you
rez410GraNNy-, exactly except it's not "host-key sync" in 5.5
Panther_ModernI can't help it
Panther_ModernMy contrast setting is shot to hell
rez410its #crypto host-key add host x.x.x.x
GraNNy-rez410: do you have TAC provided assistance for your ACS servers? I have found that the path of solving problems with ACS most of the time is having TAC do it for me because the docs suck
ALucasWhat do you guys recommend for corporate wireless?
drkat_where the fuck is the nat config in the netscreen gui?
rez410GraNNy-, We should. I didn't want to have to go that route but looks like I will have to. thanks for your help
GraNNy-rez410: I'm sure it's something lame that has changed and you only need a little help
rez410drkat_, # that guy is terrible.
rez410drkat_, meant gui
drkat_its done via trust/untrust policies
rez410drkat_, I hate screenOS but I'm a pro at it bc I'm forced to use it :(
GraNNy-rez410: so are you sure there isn't some stupid firewalls in the middle that's not allowing the stfp to happen, either locally or something else?
rez410GraNNy-, nope no firewall. This all worked prior to upgrade to 5.5
rez410GraNNy-, nothing changed but a fresh install of 5.5
rez410GraNNy-, worked with a fresh install of 5.4
bschipneed a little insight on wireless... should I be using multicast on a cisco wlc 5508? We are having some video streaming performance issues, a lot of buffering etc.. currently we do not have multicast enabled
rez410GraNNy-, do you think i would need #url sftp://x.x.x.x/S:/
drkat_no biggie, were getting rid of the screen
drkat_like a single box is using it.. no idea
rez410emphasis on the directory letter?
GraNNy-rez410: i'm looking at the user guide, it sucks
rez410GraNNy-, I agree
drkat_i have no idea
GraNNy-rez410: check out the usage guidelines in this link -
rez410GraNNy-, so in my case the sftp root is just the S:/ drive. Do I have to map a folder to this?
GraNNy-the example in the docs might help you better
GraNNy-rez410: doesn't look like it
rez410so I currently use #url sftp://
rez410what would that change to? the sftp root is the root of a drive
GraNNy-for grins and giggles can you make a directory called test, have it with the most permissive of permissions, and try that?
nierosWhy do people feel better when you put simple instructions into word format.
GraNNy-then do #url sftp:// or #url sftp://, not sure which one it's going to take from the docs
nierosI mean, a list of 15-20 one to two line steps doesn't need to be formatted.
nierosjust read the text file numbskulls
rez410GraNNy-, No luck
GraNNy-rez410: without knowing your network better, I don't think i'm going to be much more help
GraNNy-call the TAC, have them webex in and help you is still my suggestion 8-)
drkat_nieros, looks more professional than a .txt
rez410GraNNy-, ok, thanks for your help up to this point
drkat_god my computers are friggin slow
nierosdrkat_: for customer facing sure
drkat_old pieces of shit
rez410GraNNy-, did you notice when that paste bin that you linked was posted ? :p
nierosbut for internal documentation?
nierossuck a dick, word blows.
drkat_nieros, well not for internal
drkat_you should have a wiki
nierosI'd love to see a wiki
nierosno one wants one though
nieroseveryone gets hot and bothered about connectwise
drkat_lots of places Ive worked had a "info.txt" file on a file share
drkat_with everything
drkat_connectwise fucking blows for credential management and information
drkat_Im sorry.. but it does
drkat_very tedious
nierosI don't like keeping internal docs in connectwise
nierosit's problematic on a lot of levels.
drkat_PSA fucks you every step of the way
drkat_but people love it
drkat_autotask is nice
warriorforGodHas anybody had any luck installing CentOS 6.x on Cisco UCS C200 M3 servers?
myndwarriorforGod: directly on the hardware?
warriorforGodmynd: yes
rez410GraNNy-, Do you know of a way I can recover the Product Activation Key file from an ACS installation?
myndtbh, never thought about doing that
warriorforGodTAC stated that they do not support CentOS at all and only RHEL so they won't help.
myndwhat's the reasoning for it?
razorzfucking ACS
rez410mynd, Me?
warriorforGodBuilding an elastic search cluster.
myndrez410: was for warrior
warriorforGodWe have 32 C220 M3's connected up to UCS FI's.
myndi see
rez410Since I am unable to perform a recovery in 5.5, I will just reconfigure our new 5.5 installation but I need my key file
rez410mynd, oh ok
rez410I can see my key number but my new 5.5 is asking for a file
stoplitewarriorforGod: are you hitting issues getting it installed, or just looking for testimonial from someone who has it running and is happy with it
warriorforGodGetting it installed. Our kickstart pukes. We were able to install it from CD after going in and using fdisk to do the partitioning, but then the systems don't even see the hard drives to boot to it. Happening on multiple systems.
rez410can someone tell me the format that a Product Activation Key for Cisco ACS comes in?
rez410I have our PAK number but ACS wants a file
rez410so i figure ill put the number in a file but I need the format
drkat_rez410, you need to activate the PAK online
drkat_then you'll get a link to download the license file
rez410drkat_, I have an ACS installation up and running with the PAK already in use. I have another ACS instance (5.5) that I want to configure so I can replace the 5.2 instance.
drkat_im not sure if the lic is transferrable
drkat_you'll wanna reach out to cisco sales
rez410drkat_, ok. I wouldn't have to do this if the stupid 5.5 would just restore my backup
drkat_idk man
drkat_just saying
rez410drkat_, but it sucks at doing sftp
pffs"I already cabled up some switches and routers"
oisterwhew... through with my portion of the pci audit
pffswtf do you mean
pffswhy would you just start randomly move cable
pffsI wish I could stab techs through the phone
mynddamn ... finding it hard to stay alert atm
pffsmynd: go take a nap :)
drkat_i need a nap
drkat_a nap sounds fun
drkat_"Kids: the result of sex"
riz0nHello guys. I have two Cisco 1721 routers that have been reset. One is connecting to Internet, the other to my LAN. The two routers are connected together through a cable on Serial0. I need some pointers on setting them up so I can get connectivity to my LAN.
bschipany advice on multicast for a cisco wlc 5508 should it be enabled or not?
myndpffs: no place to do so
myndneed to work at one of those modern offices that have a room dedicated for naps
pffsmynd: bathroom?
myndsit on a stall?
myndfeet fall asleep ... i'd be walking all awkward for like 5 minutes after
rostamHI all, I am a newbie, and need some sample snmp code to manage cisco 3560-c switch. Any hint or pointer greatly appreciated? thx
drkat_yeah legs go numb
razorzCisco Cloud Web Security eh
drkat_i used to go to the bathroom to sleep
drkat_or run out to my car
drkat_i hated getting up early
pffsrostam: sample code insofar as what?
pffsmore than just snmp-server community IHATEMYLIFE RO
oistergood god the olympics this year are going to be a cluster fuck
rostampffs: I need to configure the switch as dhcp server, and some very basic functionalities.
subunitpffs, thats kinda grim isnt it?
oisterjust use public ro and private rw
myndoister: why so?
oisterwinter olympics on a beach resort
toetI'm wondering if the following exists, i haven't been able to find it by google. A desktop switch (5ish ports) being powered by PoE instead of an ac adapter.
myndoister: ??
myndtoet: yes
myndnetgear makes one
toetno ciscos?
myndtoet: i doubt it
toeti found but the data sheet says it does include an adapter
stoplitetoet there are a couple models of 2960C and 3560C that can be powered via PoE
myndstoplite: orly?!? didn't know that
stoplitethose are the only ones i know of
toetthanks! im gonna dive into these
oistermynd: sochi is the only place in russia with no snow... lol
myndoister: heh ... didn't know that
oisteryeah, they are having to make snow for the winter olympics
myndactually don't know much about Russia; well besides not to go to a .ru domain :)
myndthat seems odd
myndto make snow for the olympics, where there are many a place around with olympic stadiums that have snow
oisterwhats weird is of all the places in russia they are having it in the most southern part in a fucking beach resort town lol
mynd <-- says avg 52F and 75F in winter and summer, respectively
myndlol ... Shaun White's gonna be wearing some hawaiian swim shorts when doing the half pipe
MrJayPCOh god this is the slowest usb pendrive ever..... 64gb and 5MB/s write speed
oisterhrm... womens skiing in bikinis?
myndi may actually watch that :-P
trash80its not like the SLC olympics was actually in SLC
trash80i imagine its the same for sochi
trash80in soviet russia, olympics winter you!
yangmI wanna know how to get info about this modem DPC3925, I want to make a IPSec VPN but I don't know what it supports and what not
yangmmynd, thanks, gonna read it
razorzBah, cant do netflow on a 3750G
yangmmy ISP got me this one, so I have not earned the manuals
sartani have one of those i think
sartanya i do
sartantreat it as a layer 3 hop only, or get your isp to put it in L2 mode
sartanignore all features
sartanget your own router that does ipsec
sartanit's a 'cisco' as in 'shitty linksys' cisco.
yangmsartan, tell me more about that
sartanwhat part?
sartanit's like a best buy router
sartanit's not very feature rich
sartanit can do simple wifi, upnp, and give you a nat gateway to the internet and not much else
sartani called my ISP (Shaw cable) and asked them to turn it into 'bridge mode', and i put my own openwrt router behind it to get my internet IP
yangmsartan, if I could I would be running a openwrt box righ now
yangmman, I love that os
sartanyour isp technical support line may be able to just flip a switch for you, and all you have to treat it is a cable->ethernet box at that point
sartanignore all the features. just turn off wifi first
yangmgonna try show how ridiculous it runs or doesn't run at all to my boss
yangmso I can get a box to put whatever I want in it
sartanis this for a small business cable line?
sartanor did some idiot buy it as a standalone router
yangmsartan, yeah, this limited thing is what provides us Internet
yangmwe are thinking about cutting the cord off and go voip, so it may only serve internet in the future
sartanyah it's not a very flexible box anyway
sartanit won't serve your ipsec requirement at all
yangmat home I got "my" thomson replaced by one of these because it died. only use it as bridge, it is not very competent at wifi or anything at all
sartani will say though that it's fast on the wire
yangmyeah, they got gigabit I think
yangmbut I can't understand why there is a useless USB port at all
sartanit might be able to share a printer
sartani don't recall, the default config lasted about an hour before i had it changed
MrJayPCDammit, I know the UK has always been a joke for it's bad weather but it's getting stupid now :/
yangmsartan, it didn't share my HP C4280 nor my USBs with fat32 or ntfs
sartani'm probably wrong
sartanin any case yangm forget about using the router, get a more capable device to put behind the dpc router.
myndtanner: question on srst on CME: can you set a translation to take effect only when it can't reach CM?
tannermynd should be under call-manager-fallback
tannerfor dial plan related anyway
myndthanks for the pointer. i'll see what i can find
sartandial peers are also processed in order... if a previous dial peer fails the next one will work
sartandepending of course on the circumstances of the fuckup
Apachezspeaking of which
Apachezwhat happened to all those modem pools?
Apachezis that gear being shipped to usa now? :P
ciscotree1how much impact will a 6000 line ACL have on a router? (2821)
Apachez2821 is a software router isnt it?
bamsefarWhat are you doing? :)
bamsefarApachez: Yes it is
Apachezso 6000 lines... first of... will you fit all those ?
ciscotree1i want to block China lol
ApachezI have seen 3550/3560 struggle with far less than 6000 lines :P
GraNNy-6000 == someone doesn't know how to firewall well
ciscotree1as fun as that sounds
Apachezbut that depends on the ip / mask combos
Apachezalso with shitloads of acl's you should verify if your gear supports turbo acl
Apachezturbo acl will use more mem but will have like a constant lookup time
ciscotree1How else would one block all of China's subnets?
Apachezciscotree1: srcip= GEOIP(CN)
Apachezbut thats paloalto gear
Apachezdunno about cisco :P
sartana 6000 line acl...
ciscotree1cisco doesn't support it
ciscotree1lol yeah it sounds wrong to me too
ciscotree1that's why i don't want to implement it
sartanyou know what might be a better idea
sartanusing bgp and null route everything
sartanso the replies go to null0
GraNNy-sartan +1
oisteri used to maintain a huge null route list but it got too big
razorzHmm C3850 supports NetFlow without a module?
ciscotree1i'm thinking about switching to something with geoip for this reason. good to know PA supports it
ciscotree1pfsense being an option
ciscotree1as well
ciscotree1GraNNy-: Thanks for that block list
GraNNy-vlanX also had an excellent one
ciscotree1i was using this list:
sartanrazorz: most of the router-ISR stuff does
ciscotree1comes out to about 5262 subnets
ciscotree1some can be summarized
oisterand it changes a lot
sartanciscotree1: doing it in an acl will affect every packet... doing it in a null route will only affect what you want it to affect
oisterhow does PA update the list?
sartanthat's probably a technical question but i bet they reevaluate regularly
oisterfirewall checks in to PA to get updates?
sartansomething like that i'd guess
sartanPA. nice boxes
Apachezhowever an acl can be hardware (like if you use 29xx or 35xx etc) compared to a null route which will consume system cpu if you are unlucky
therealnickcageApachez: TCAM
Apachezoister: geoip is included in every appdb updated
GraNNy-ciscotree1: you may also want to take a look at this -
sartantcam size is limited Apachez
sartanbuy 6 switches and daisy chain them, each with a different acl on l2 ports.
Apachezoister: with PA you can also apply dynamic acl's which will for example fetch a list of ip addresses and use that as src or dstip
sartanhey Apachez are you still doing a lot of arcsight stuf
Apachezso that blocklist you can put through your script so it will output just the netadress/mask
ciscotree1GraNNy-: beautiful thanks
Apachezand that dynamic rule will like autoupdate itself every 5min or so
Apachezthe shitty part with such automation is that... imagine if somebody baxor your webserver with that blocklist and overwrite it with :P
bschipany advice on multicast for a cisco wlc 5508 should it be enabled or not?
sartani don't think wifi has many multicast applications that justify it
Apachezdo you need multicast?
Apachezif not, disable and block it
sartanit's basically a retransmit
sartanit's awful for performance and just slows everything down
sartanyou should isolate clients away from each other as much as possible to keep performance ship shape
bschipwe are not running it now
sartanshared medium blah blah
bschipbut not blocking it either
bschipwe are having some slow performance on our wireless though..
Apachezhave you done channel planning and such?
Apachezalso tweaking beacon values etc...
therealnickcagewho is the youngest ccie in the world?
sartanwho cares
sartansome punk with no experience
therealnickcagewell who achieved CCIE the youngest
therealnickcageisn't it brian mcgahan?
therealnickcagehe got it at 20
GraNNy-therealnickcage: no
therealnickcageGraNNy-: who/
GraNNy-therealnickcage: goddammit, i forget his name. hold on
GraNNy-Andrew Frame I believe, founder of Oooma
GraNNy-err Ooma
GraNNy-I think he was 16? 17? when he got his first CCIE
therealnickcageholy fucking shit
therealnickcage17 years old
therealnickcageGraNNy-: fake
therealnickcagehe's not on
GraNNy-uh no
GraNNy-he's for real
therealnickcagebut he's not on cciehof
therealnickcageso he's a liar
therealnickcageit's brian mcgahan
GraNNy-frame is like R+S and Dial CCIE, he could be more, I have no idea anymore
GraNNy-old fucking school
ciscotree1that's pretty old school
therealnickcagewell he's a liar
therealnickcagebecause he's not on cciehof
GraNNy-neither is Dan Golding
therealnickcageeveryone who ever got a ccie is on cciehof
oistertherealnickcage: so they skipped numbers?
GraNNy-a lot of people who are/were ccie's aren't on cciehof
sartani dont even know how cciehof came to be
sartani got an email from the dude confirming me, and i don't know how he even got my address
_elgatoi feel like when my cousins talk about nascar, i have no idea who any of these people are
therealnickcageis andrew frame a networking god
GraNNy-no shit dude
GraNNy-and he crashed Playboy parties on a regular basis
GraNNy-when he was younger
GraNNy-i wish I still had that video
therealnickcagea video of him crashing playboy parties?
GraNNy-but what I find interesting is that you call someone a liar, with the nickname therealnickcage :)
bschipbeacon values are set to 1
theleetnickcagethis guy is a fucking monster
theleetnickcagei never knew he existed
theleetnickcagei wonder what he's up to now
theleetnickcageand i wonder how many ccies he got
GraNNy-wallowing in his millions
theleetnickcagewasn't ooma a flop
dlotsI know this is a Cisco site, but I am hoping there is a Juniper guy in here some-where. I am looking at a SOHO Firewall, I want 3 zones Inside, Outside, and DMZ, VPN, Static and Dynamic nat, I am looking at the SSG5 but I know nothing about Juniper at all (but I do A LOT with Cisco) I am just wanting to make sure this doesn't have some gotcha that juniper people know but a Cisco guy wouldn't.
GraNNy-dlots: #juniper ?
E1ephantthere is a juniper channel
dlotsah ty :-)
GraNNy-dlots: you can stay here too though!
oistertheleetnickcage: are you 15?
theleetnickcageoister: why?
dlotsty :-)
oisterjust a hunch
toetjust do like everyone does, take the gotcha like a man
dlots#juniper people are less helpful than #cisco people :-P
oistertry #paloalto
Apachezless helpful?
Apachezyou have never been in a #perl channel right? :)
Apachez#perl is the definition of less helpful :)
GraNNy-apachez: what, do they kb you in perl for asking a question?
Apachezbeen there, got the ban - have this tshirt :P
GraNNy-sounds like efnet #cisco back in the day - they used to ban on keywords
toetperl people are just sad because its dying
jamesdApachez: and they have been known to swear out of the blue for no reason at all... $@$@#$!@#^@$
toetinstead of helping folks, they're just showing off their 27 years of experience in perl causing new ppl to buy that one alternative with gui instead. killing their own language even more
theleetnickcagejust like /r/networking
theleetnickcagepeople just go on there to hear themselves talk
jamesdyes less perl is being written, but i don't think its going away, too much legacy code is written in perl
GraNNy-cobol hasn't died yet
oisterwhat do you think #cisco is mostly?
toetanonymous iosaholics?
E1ephantACTION spits on an ASA
jamesdoister: its Scrye secondary sales channel and where CCIE's can show off, and i can make bad jokes and poke fun at CCNA's
oisterjamesd: correct... and shit on ASAs
_bradk[08:01] * E1ephant spits on an ASA - hooray it's ASA hate hour!
jamesd_bradk: every hour is ASA hate hour.
E1ephantACTION takes a sledgehammer to his sup2a
_bradkwe manage quite a few ASA's here
_bradkit makes me sad
jamesdwe did have a PIX hate hour, but the load was too great for the ol'girl so we put it out of its misery.
_bradkalthough, when i got here they used to have old P3 desktops running Ubuntu with IPTABLES
_bradkso upgrading to the ASA was definitely better
toetyesterday i changed all my end-user ports from trunk to access + voice during work hours, it gave me quite a rush
jamesdshorewall rocked, not sure it exists anymore since it can be replaced with a $20 device and get wifi as well
oistertoet: lol
_bradkreally confused why management decided to spend ~$5-6k on ASAs rather than ~$2-3k for something like a 1941
_bradktoet: hahaha
oister_bradk: you must not use failover
toeti tested it before, voice calls wouldn't drop, just a 0.5 seconds delay, and one ping missed. no citrix connections lost
toetit was really nice
jamesd_bradk: when isn't management confused... we have 250 parts in stock and no one knows why we are ordering more... but still they get ordered.
_bradkwe do
oister_bradk: how would you do that with 1941's ?
_bradkthey support hsrp, right?
oisterjust imagine if you swapped out all of your stateful failover firewalls with routers right now
oisterimagine how much fun that would be to maintain
toeti told my colleagues i would do it, they told me to wait till after business hours, i was like "no i can do it, no one will notice it, but ok".
toet*awkward silence* did you notice anything? "no"
oistertoet: like making STP changes in the middle of the day
_bradkoister: why would it be more difficult to maintain?
oister_bradk: twice the configuration
_bradkoister: technically it wasn't me who caused the outage, it was spanning-tree!
oisteri usually blame stp
toastrcut that fucker down
drkatfuck stp
drkatlame ass
oisterrstp is pretty good though
oisternone of that 30 sec outage bullshit
sartantoastr: in my environment, that's considered an outage, 0.5s
sartanit disrupts connectivity and some tcp apps might poop
drkatso in otw sartan turns stp off
oistersartan: same here... ssh tunnels dont like that
toastrsartan: timber!!!
sartanyah fuck stp
sartanbpduguard and portfast for everyone
drkatFriends dont let friends switch
sartanessentialy, yes, turning off stp
drkatfortunate enough for me, none of my deployments even require any redundancy
oisterso you etherchannel... to only one switch? or to a VSS?
drkatcustomers barely have enough money for the switches let alone more than one
oisterah.. that explains it :P
diozi setup stp on all my linux bridges for vps
diozcause people are stupid
drkati usually do etherchannel though if i do.. do redundant switch connections
toetjust tell them that for every day they need to hire you, they can buy 1 switch
diozthese young white girls they'll be the death of me
drkatas opposed to old black girls?
diozblack girls don't like white boys
diozgimme a break
drkatnot true
drkatim married to a black chick
drkatand im white as fuck
diozheh i wear grinders and binders
toetdoes she know spanning-tree?
diozi don't think black chicks would go for me
drkattoet no
drkatgrinders and binders?
drkatno please explain
drkatlike some rammstein shit?
envirocbrAnyone here work with ASR1001?
oisteri have a couple 1002X's
sartanwhy would you need to run stp on a vps?
E1ephantBSDM related fun?
mepholicsartan: linux bridges enable it by default iirc
mepholicyou can do some funny things to the traffic on a host node with STP on a KVM vm
mepholicif it's not filtered properly
mepholicor disabled on the host node
E1ephantugh, libvirt and iptables feels like the biggest kludge ever :<
diozdrkat: braces and red laces?
_bradkoister: you have a good point re: keeping stateful info in sync, but in our client sites we only have 1-2 ASAs max
mepholicE1ephant: libvirt in general
_bradkand each has its own internet connection so the configuration isn't that bad
mepholicis like massive kludge
E1ephantmakes me want to just brctrl all the things
E1ephantI just got a /24 for the lab to do it as well :D
oister_bradk: ah, i thought you said you had a bunch of ASAs
envirocbrCan I use GLC-T SFPs in them?
_bradkyeah my bad, we have quite a few clients who have ASAs
_bradkrather than us being a huge environment with complex configuration :P
drkatASA. ASA.
drkatlike a mantra
drkatdouble cheeseburger pizza.. hmm
pffsoh hay, another study that people work like shit when you make them work too many hours
oisterdoesnt appear to support GLC-T
drkati feel like ive been on here all day
drkatwait.. i have
pffs90 minutes to go!
envirocbroister: Damnit, our ISP sent an ASR1001 with no SFPs
drkatyou'll be on here all night
instigatoryo. whats does preshutdown do? is it same as shutdown? or does it perform something before shutdown?
oisterenvirocbr: doh
drkatthe bigger question is.. do I setup my desktop tonight
^WOLF^when you create a vlan and assign it an ip does that mean that the interfaces using it can only have that subnet?
terabityes that's what it means in ipv4
coolhvahello ;)
oisteryou can run more than one subnet on a vlan if you wish
toetyou dont assign a vlan an ip
terabitoister: on switches?
toetvlan=layer 2, ip=layer 3
oisteryou can use secondary addresses to use more than one network on a SVI
^WOLF^I have a few vlans that have ip's assigned and also have a ip helper address for my dhcp scope
Harlockoften the vlan interface is assigned an ip
^WOLF^so I am trying to figure out the purpose of that ip being assigned to the vlan
Harlockwhich i guess is what he is talking about
^WOLF^this is an existing config
Harlockthe switch might be doing the routing
Harlockor dhcp
Harlockor ip helper
toetmanagement or gateway
^WOLF^there is a static route for to send it to the firewall gw
^WOLF^which then has all the other static routes
coolhvausing nat for a global /24 to a pool overload distributed via bgp (null route, redist conn) works, but does someone know how to use a failover in a different vrf with bgp?
^WOLF^I have to run but I will be back in a bit with a better question. thanks for the help
toetyou can have more than one subnet in the same vlan
oistercoolhva: that sounds kinda fugly
jamesdtoet: vlan is layer 1/2 .. subnets are layer 3.
coolhvaoister: yes it is :P let me explain a little bit
coolhvaI have global routing table with fa0/0.1972 with a /30 where an BGP session is established with the ISP
coolhvaI have multiple /24 networks (tenants) which are NAT-ed (overload) to an IP from a /29
coolhvathis /29 is sent over the BGP by redistributing connected and a null route to the /29
coolhvathis works as expected
coolhvaI have a vrf ("lan") where I have fa0/0.1973 with a /30 and BGP and fa0/1.2 with a /29 (all public)
coolhvain vrf lan I also have an ATM0/0/0 with ppp and bgp
coolhvaso the fa0/1.2 /29 network is advertised over the two bgp sessions in vrf lan
coolhvawhat I want is when the fiber is not available I can advertise the /29 from the global routing table in the vrf lan and also to have NAT still working
coolhvaam I crazy? for sure, but can it be done?
rexwin_hi my pbxinaflash server sends ACK signal to sip phone correctly using the public ip address. but the sip phone is able to send response from its private address which is not going out to the PBXIAF probably due to NAT. There is no SIP-ALG setting for my wireless router. I tried permitting incoming/outgoing connection in my router page and the issue still persists. Calls get dropped at the dreaded 32 secs. any help is appreciated.
sartanwhat kind of router do you have?
ALucasyelling timber
sartananyone struggle with issues of tcp inspection on asa not monitoring the connection for long enough and finding syn replies are being dropped frequently?
sartaneg my asa logs lots of drops from attacker IP to target IP
sartanbut is the service that is connected to
sartanit's kind of messing up my log analysis bigtime
oisterits dropping from a syn timeout?
^WOLF^rexwin: have you ruled out firewall issues? I maintain and deploy asterisk systems and almost always that issue is because the firewall starts rejecting the packets
sartanwell i don't know what's going on.
sartanthe connection is gone by the time the webserver replies to the request
oistertimeout should be 30 secs
sartanthere's no application impact
oistermore than one firewall in the mix?
oisterif you have more than 2 firewalls inline then if one closes the connection the other gets a timeout
oisteri mean more than 1 firewall inline
sartansh asp drop is just a disaster of random stuff, sadly it's difficult to know what's going on right now
sartanthere's a packet-capture flow type asp you can do but i'm busy
^WOLF^rexwin also there is a page with pbxinaflash that you need to configure your external ip
^WOLF^that will often cause this issue
rexwin_^WOLF^, I know for sure the packets are getting dropped by the router. But there is no firewall setting in my router, which is a Prolink.
rexwin_prolink router +sartan
sartanthe configuration option wolf is describing would arbitrarily put in the public nat IP in the sip headers before they go out through your firewall, allowing you to forget about any sort of inspection
oistersartan: whats the full log message of the drop?
zookyany one use Fortinet for their router/firewall/ips needs?
sartanlet me find a raw log
sartanthis is harder than it sounds :P
karmaghiaany thoughts on Netgear's 10GbE switches to get into it
sartanall my logs i keep are transformed right now
oistersartan: that sucks... i keep everything in raw format
oisteri send everything to a server running syslog-ng and then pipe those logs off to my SIEM
sartani just haven't completed my project yet
sartani send the logs to an arcsight connector which slices them up into metadata, and throws the original log away
sartani haven't teed them to an arcsight logger yet
oisterYeah we do something similar. The arcsight connector runs right on the syslog box
sartanbasically it should say something like Deny tcp src Web-DMZ: dst Outside: by access-group WEB-DMZ_IN
sartanwhich is just what you expect it to say
sartani'm using esm to analyze the data right now
sartanby the way i fucking love esm.
oisterits pretty sweet
sartani thought you were going splunk?
oisterwe use arcsight
sartannoted :)
sartani just installed it here a few weeks ago, slowly building it up
sartani'm avoiding consultants for about 5 or 6 months
sartani went to training a few weeks ago
oisterim about to do the ESM training in a few months
oisterhow was the training?
sartani did the arcsight express administration course.. if i were to do it again I would just take the ESM analyst course on CORE
sartannot that there was much difference
sartanso for full ESM there are.. uhm, three types of courses each very different
oisternoted, i think im signed up for analyst
sartanadministrator course is about managing the box itself, like disk, IO, and maybe some connector work
sartanthere's an architect/use case course (i might try to take that later this year)
sartanand an esm analyst course, which focuses on the console and content
sartanthe course content itself was very great
MrPocketzwhen enabling snmp logging on a cisco device, if i tell it logging trap notification, does that include ONLY notifications, or everything "more important" in addition?
oisterive installed enough connectors that i have that part down now. I havent done upgrades yet which is going to be fun
sartanMrPocketz: notification and up
sartanso notification, warning, error, critical
sartanconnectors are the hard part
MrPocketzgot it
sartaninstalling isn't.. difficult, but customizing is a bitch
sartanaggregation, filtering, re-maps, flexconnector transforms
sartantrying to find a way to scale the design properly so i don't reproduce a lot of effort
sartanbought a software connector appliance, the repository feature is helpful
oisteryeah its a bit overwhelming
sartanbasically i'm only getting one or two log sources up every few days
oisterwe have about a dozen connectors right now and prob need a few more
sartanthe biggest challenge i'm looking at now are windows logs
oisterabout to start feeding it nessus scans
sartani thought the unified connector would use an ldap query to automatically add log sources.
sartannope, it doesn't
sartanoister: heh funny you should mention that, i'm in the middle of fighting with nexpose scan data
sartansome big advice, do this immediately
sartanmodify the file and change the java heap sizes from 256mb to like 4gb
sartanthe xml export from nessus is too big and arcsight shits a brick almost instantly
sartanif you're running the connector interactively edit connector.bat or and do it there
sartan-XmX and -XmS i think
sartanmy nexpose scan xml files are about 65mb, and the docs say it only supports up to 12.
sartansadly i can't "split" the data
sartanit's running through a scan right now
sartanholy smokes, it finished, like ten seconds ago
toastrheh nexpose data firehose
sartan=) yah
sartani'm about to start vuln scanning all of our desktops too, this file is going to get pretty big
sartani used to only do a small sample
ALucas__hmm I've confused myself lol
ALucas__Trying to setup a site to site VPN to a natted DMZ interface to the public interface... getting a NAT Reverse route error. idr what I'm missing ^^
oisterALucas__: you have a static nat in place?
ALucas__static (CardholderIf,DMZIf) 10.X.255.6 10.10.X.14 netmask
ALucas__Then the site to site is coming from PublicBGPIf to DMZIf
oisterso you need a static to the public IP right?
ALucas__nat (DMZIf,PublicBGPif) source static IP-10-20-X-0 IP-10-20-X-0 destination IP-10-X-255-6 IP-10-X-255-6 no-proxy-arp route-lookup
ALucas__or are you saying
oisterit needs to nat to the public IP that they are going to hit over the tunnel
ALucas__So, I'd have to do a static to the endpoint IP on the other side for the natted IP?
oistersomething like static(dmz,public) <pub ip> <dmz ip>
ALucas__Okay, I'll see what I can come up with, thanks.. I get myself completely lost with NAT rules on the cisco lol
oisterim still lost with 8.3
ALucas__Yeah we just upgraded
ALucas__idk why but the syntax just confuses the fuck out of me
oisterah well snap... that static i gave you is 8.2
p3rrorplease I need to configure a vpn ipsec between an asa and a ubuntu client
p3rrorso I use vpnc
p3rrorwhen I run vpnc I get
mepholicpls do the needful
p3rrorvpnc: hash comparison failed: (ISAKMP_N_AUTHENTICATION_FAILED)(24)
p3rrorcheck group password!
p3rrorthat's mean that I did not set the right ipsec secret in my vpnc config file ?
p3rroris it ?
p3rrorplease how I get this parameter in the asa config ?
oisterALucas__: so i think you need something like:
oistermepholic: lol
ALucas__Thanks, yeah.. lovely formatting change
oisterp3rror: pastebin your config
mepholicoister: I couldn't resist
oistersrsly making me laugh dude
Michaelmepholic: that phrase.. :|
oisterALucas__: oh, forgot part of it...
mepholicwell I hope I didn't hurt your sides too much
mepholicMichael: can u do the needful pls sir???
oisterforgot.. "sh run nat" doesnt give all the config... you have to sh run object and sh run nat then combine the two
oisterthanks obama!
ALucas__lol, thanks
mepholicpls sir i not sure how set up apache httpz
ALucas__ASP isnt working on my linux box
mepholicALucas__: you can do that no problem with mono
xousThis is #cisco
toastri need coldfusion halp kthx
mepholictoastr: go
socommPeople still use ASP?
ALucas__People still use ASP? :P
oisteri use GASP
mepholicALucas__: I take that back
ALucas__I'm a huge fan of acrobat and flash player
mepholicyou can do no problem with mono
mepholicnot asp
toastri'm a huge fan of old versions of acrobat and flash player when abusing metasploit ;)
oisterp3rror: what IP is your vpnc box on?
p3rroroister, not a static one
p3rroroister, I use nomad client
ALucas__mepholic, interesting
oisterp3rror: so RA vpn
mepholicit apparently works pretty well too ALucas__
mepholicI've never done it
mepholicbut I seen some stuff
mepholicand things
p3rroroister, so what do you think ?
oisterp3rror: whats the actual error message?
p3rroroister, vpnc: hash comparison failed: (ISAKMP_N_AUTHENTICATION_FAILED)(24)
p3rrorcheck group password!
hjohnsondamnit... temp IT guy said "it didnt' work, so I rebooted the network"
oisterp3rror: did you check the group password?
p3rroroister, you mean IPsec secret ?
xoushjohnson: fired?
hjohnsonxous: alas, I don't have the power to do so
mepholichjohnson: :|
oisterp3rror: not a vpnc expert but I'd guess thats right
hjohnsonI want to know what he rebooted though
p3rroroister, OK
hjohnsonrebooted the core switch
mepholichjohnson: remove his hands
p3rroroister, so I think that in the config is it not set ?
p3rroroister, is it ?
oisterp3rror: which group are you logging into? "ACCES-VPN" ?
rexwin_is there a channel for softphones?
p3rroroister, yes
hjohnsonof course, the network is so bogged down after being out for 7 hours, it's hard for me to do a post-mortem
hjohnson(7 hour power outage today)
oisterp3rror: then your PSK has to match whats configured in the tunnel group
hjohnsonoh, and joy.. network has just fallen off the air again
p3rroroister, in tunnel group I have pre-shared-key *
hjohnsonthough this time totally
mepholichjohnson: where's the UPS's and backup generators?
hjohnsonmepholic: oh, the UPSes did their job
Michaelhe did not do the needful, mepholic ;)
mepholicGOOD JOB hjohnson
hjohnsonmepholic: but the mid-point switch that links the satellite uplink to the main core only lives about 3 hours or so
hjohnsonbut now the uplink has gone kerblooie
hjohnsonhopefully it's because it's snowing
p3rroroister, please can you tell me what is the group password for ACCES-VPN tunnel group ?
mepholicp3rror: you should probably know that
p3rrormepholic, all I know is the username and the password
oisteryou need the group password for it to work
mepholicso change the psk
p3rrormepholic, psk ?
p3rrormepholic, you think that psk is not set ?
mepholicthe group password
hjohnsonand I can't remember the password for the receiver
p3rrormepholic, I think that it is not set
p3rror pre-shared-key *
mepholicit's set
p3rrormepholic, where
toastrit's set but it's masked
mepholicASA's hide the passwords with *
p3rrorI can not see it in the config
oistermore system:running-config
p3rrorAh OK
oisterbut its still encrypted
mepholicwhich is why I recommend changing it
mepholicif you can't change it because other clients are using it
mepholicget it from another client
ballI should go home, I suppose.
mepholicor change it and change it on the other clients
hjohnsondamnit, wtf did they drop off the air
oisterwait... its not encrypted
hjohnsonthat's it... i'm setting up a VPN tunnel over the Hughesnet so that I can backdoor into the system
mepholicoister: really?
oistermore system:running-config will give it to you
hjohnsonfuck this shit
p3rrorAh yes
p3rrorI see them now
mepholichjohnson: oh man hughesnet D:
p3rrorthanks a lot
oisterthe user passwords are encrypted though
oisterbut not the tunnel psk's
hjohnsonmepholic: the primary link is a 1.2mbps SCPC satellite link
hjohnsonmepholic: the Hughesnet is a backup
mepholicoister: yeah, he pasted all of his hashes in here
oisternow just paste your PSKs!
hjohnsonmepholic: single carrier per channel
hjohnsonmepholic: ie it's not a shared network
mepholicthat's neat
mepholicwhy satellite though?
hjohnsonmepholic: so yeah, it's slower than snot, but it's normally damned reliable, and actually handles VOIP nicely
mepholiconly option?
hjohnsonmepholic: single most isolated permanently inhabited location int he lower 48 states.
mepholicthat sounds fun
mepholichow many concurrent calls can you do?
hjohnsonmepholic: realistically? probably 10 or 20 or so... I've never seen more than 3 active at once.
oisterheh, ASA < 8.3 hashes arent salted either
hjohnsonmepholic: head end takes a PRI, runs H323 trunks across the satellite to the CME router in the village.
KenMatlockMmmmm. salty hash....
hjohnsonmepholic: now count how many times you have to hit the zoom-out button before you see civilization.
oisterKenMatlock: you moved to CO right? :P
KenMatlocknever left CO
hjohnsonmepholic: eh, h323 or sip doesn't really matter... I actually don't care about the transport, that's just what the cisco uses by default
oisteryou bought your first ounce yet?
mepholic9 whole times
KenMatlockoister: nah, not my thing
hjohnsonmepholic: like I said, isolated.
mepholicthat's pretty redonk
mepholichow many actual miles to a decent internet connection?
oisterKenMatlock: i'm heading up to vail in a few weeks... hopefully there are some weed stores in place alreeady
hjohnsonmepholic: about 60
mepholichave you looked into line of site terrestrial wireless?............
hjohnsonmepholic: yes, would require the construction of two self-powered repeater stations, on national forest service land
mepholicyep nope
mepholicnot happening
mepholicin 1000000 years
mepholicand it would be way more expensive than it's worth
hjohnsonactually, it could be done, the permitting and so forth isn't that hard, especially if you let the Forest Service co-locate, say, their own radio repeater there.
hjohnsonmepholic: well, the current satellite link is worth about $12k a month
mepholicthat's pretty expensive
hjohnsonmepholic: satellite is always expensive
hjohnsonmepholic: as a rule of thumb, satellite costs about $10/kbit/month on a two year contract (it's not actually sold in bits or whatever, but when you do the math of data->frequency that's what it works down to)
mepholichjohnson: is that IP or transport?
hjohnsonmepholic: it's fuzzy.... the actual satellite link is HDLC, but the modems do IP header compression etc... to improve performance
hjohnson(huge win on VOIP)
hjohnsonie it only sends every 20th packet header
mepholicI guess what I'm asking
mepholicis your satellite provider also your internet provider
mepholicor do they give you transport on the other side
mepholicat the downlink site
hjohnsonthe satellite provider just provides a frequency allocation
hjohnsonwe own 1.2MHz on SES-1
mepholicI don't really understand much about how satellite shit works
hjohnsonmepholic: a satellite is just a dumb radio repeater
mepholicyeah I know that
hjohnsonbasically dumb as a brick, no onboard intelligence
mepholicbent pipe etc
trash80that is not always true..
mepholicyeah I know trash80
mepholicthat's the majority of them though
mepholicso hjohnson hm
mepholicdo you have two radios at separate locations?
hjohnsonmepholic: well, our comms provider (which we partner with, and I actually operate his network) has a main dish at his head end, and then a dish in the village
hjohnsonhe's primarily a rural telco, we're customers... but I know more about this shit than he does.
mepholicso you just gave him your freq. allocation, he tuned in
mepholicand bam?
hjohnsonanyhow, our voice runs via PRI from his telco switch (oldschool Nortel) to the cisco across the room. :)
hjohnsonnaw, the whole thing is his job
hjohnsonthough I actually run it. :P
mepholicI see
hjohnsonbasically this is what I did in my day job
hjohnsonso I volunteered to help it out... made it work infinitely better for everyone involved
hjohnsonused to be one huge fucking free-for-all with 80 people trying to hit 1mbps
hjohnsonas you can imagine that sucked balls
mepholicoh man
hjohnsonthrew some good QoS at it, some caching, local DNS, etc.... and now it's still slower than snot, but it's reliable.
mepholicthat's pretty neat
hjohnsonand the voice quality is near toll quality
mepholicyou been out to bumfuck nowhere to set shit up?
hjohnson(g729 over satellite... so yeah, it kinda sucks, but it's useable)
hjohnsonmepholic: yes, professionally as well.
mepholicthat's cool as shit
hjohnsondamnit... why is this not working
hjohnsonthis is where I wish i had a remote spectrum analyzer. :(
MrJayPC I know I shouldn't laugh but.... lol
Twizt3dDissolve what up loser
Twizt3dDon't know how ircs work never used one
MrJayPC Ohhh it's pretty tonight
halakaranyone here good with...gulp....Cisco Configuration Assistant (CCA) ??
halakarI'm trying to NAT port 443 to an inside host (web server), it doesn't appear to be working
halakarso, naturally after setting up the static NAT in CCA and that not working, I went and checked the security/firewall, and it looks like it's out of the box. wants me to select an outside interface - and there are also inside interfaces to select too
halakarI guess that is optional ? I dunno. New at this. Anyway, once I select fe0/0 (WAN), I can move the little slider and select a security level (low, med, high)
halakari'm assuming that if there isn't anything configured, it just blocks everything incoming on the WAN port?
Kruggerwhat are you configuring with the CCA?
halakarit's a UC540
halakarin my mind, I would select the inside(trusted) interface, then just move the slider to where I want it and click apply - however - what about the inside interfaces listed - two of which are Vlan1 and Vlan100
halakarerr, i'm sorry
halakari meant outside(untrusted)
envirocbrAnyone use a ASR1001 for OTV?
hjohnsonok.. modem came back
hjohnsonACTION is confused
jatoOne of our windows guys
jatoIs trying to help a customer using OSX troubleshoot stuff
jatoIts got to be the funniest shit ive ever heard
sartanOSX sucks
pffswoo workin from home tomorrow
toastr"workin" eh?
pffsmy wifes gonna be on da teevee
pffsso skipping work
mepholicso you can be on da teevee too?
sartanall we have to do is watch all the tv tomorrow and look for how hot or not pff's wife is
mepholiccause there's only one channel
mepholicdid u do the needful yet sir???
p3rrorI try to connect to a VPN IPSEC
p3rrorfrom my debian box
sartancontact your network administrator for more information
p3rrormepholic, yes
p3rrormepholic, the authentification works
p3rrormepholic, and now I get /usr/sbin/vpnc: no response from target
p3rrorI can not connect
mepholicauthentification is very important
p3rrorI'm behind a wireless router
garrettskjhow is the authentication working
mepholicno garrettskj
garrettskjif you aren't able to use vpnc
mepholicit's authentification
p3rrormepholic, I dont think so
p3rrorAll my vpn does not work
blackswani can use vpnc to connect to cisco's vpn from debian from behind a wireless router, so... it can be done
garrettskjoh sure, I use vpnc all the time.
p3rrorbut why I get this error
garrettskjbut "no response from target"
garrettskjisn't an authentication issue ;)
mepholicgarrettskj: it's authentification!!!!!
blackswanprobably - and this is just a guess - it's not getting a response from the target
garrettskjor an authentification issue either ;)
p3rrorgarrettskj, it is not authentification issue
garrettskjblackswan: damnit! why didn't I think of that ;)
garrettskjlol p3rror
toastrit's a layer 8 issue
blackswani have years of experience in detecting the obvious
p3rrorgarrettskj, All my passwords are correct
garrettskji'm sure.
p3rrorgarrettskj, nop
garrettskjmake sure that authentifying is good, and you can reach the host, and it's ok.
p3rrortoastr, so how to debug
garrettskjp3rror: are you connecting to a hostname, or an IP
blackswanthe timeout is 1 second, it makes 3 tries, if it gets no response, it gives that message
p3rrorgarrettskj, IP
blackswanbut what it's sending, no idea
garrettskjcan you ping the IP
p3rrorgarrettskj, yes
drkat_no response from target can be an auth issue
drkat_what vpn client
blackswanit's sending udp datagrams probably to port 500 or 4500
blackswanby default
garrettskjp3rror: go output a "Debug cry isa" to a pastebin
garrettskjand post the pastebin
blackswandoes your wireless router do NAT?
mepholicp3rror: on a serious note is it a nat issue
garrettskjmepholic: seriousfly?
blackswanit's probably NAT if it's pingable
mepholicNATification issue
toastrp3rror: clu by 4
garrettskjFeb 05 23:48:29 [IKEv1]: Group = DefaultL2LGroup, IP =, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting
garrettskjnot RA
garrettskjpastebin your ASA config.
mepholicgarrettskj: hold
mepholic17:45:46 <p3rror> oister,
garrettskjoh i showed up late to the party ;)
garrettskjare you not handing out DHCP to your VPN clients?
p3rrorgarrettskj, You think that I need dhcp server
garrettskjI'm just ascertaining your configuration
garrettskjalso: what group ID are you using?
garrettskjGSajidRA20 ?
garrettskjwhy do you have: nem enable
garrettskjon a RA group policy
p3rrorgarrettskj, yes
garrettskjalso your split tunnel ACL...
garrettskjam i right in assuming your VPN clients are in the 10.100.100.x network? or
p3rrorgarrettskj, there are no vpn-addr-assign dhcp
p3rrorgarrettskj, so I think dhcp is disabled
garrettskjyes. but what addresses are you giving your clients
garrettskjon your tunnel group
garrettskjtunnel-group GSajidRA20 general-attributes
garrettskj authentication-server-group LOCAL
garrettskjthat should allow you use to authentication with "cisco" as a username
garrettskjI can't remember if that's the default in 8.2 or not
garrettskjor if you had to specifically define it
p3rrorgarrettskj, really I did not understand
garrettskjtunnel-group GSajidRA20 general-attributes
garrettskjauthentication-server-group LOCAL
garrettskjadd that
p3rrorgarrettskj, yes
p3rror/usr/sbin/vpnc: expected xauth packet; rejected: (ISAKMP_N_UNEQUAL_PAYLOAD_LENGTHS)(30)
garrettskjtest plz
garrettskjmuch better.
p3rrorit worked
p3rrorbut I get this error
garrettskjcrypto isakmp nat-traversal 20
p3rror Feb 06 00:16:20 [IKEv1]: Group = GSajidRA20, Username = system, IP =, Removing peer from peer table failed, no match!
p3rrorFeb 06 00:16:20 [IKEv1]: Group = GSajidRA20, Username = system, IP =, Error: Unable to remove PeerTblEntry
p3rror/usr/sbin/vpnc: no response from target
garrettskjlet's take this to a private room.
garrettskjotherwise we'll be drowning this room
KickStarRabbithey yo
garrettskjwhat u KickStarRabbit
KickStarRabbiterp me garrett
KickStarRabbitr u drinking with xous
garrettskjnah. trying to help someone get a VPN working
garrettskjbecause that's what I do
KickStarRabbitso vpn whats up
KickStarRabbitkinda quite tonight
mardraumquite quiet?
KickStarRabbitdamn u mar
KickStarRabbiti am really bad spiller
garrettskjyea, it's pretty silent, everyone must be working.
t0m0_or preparing for their performance review :P
t0m0_another year eh.
KickStarRabbiti did my perf already
KickStarRabbitmain point: i am so under utilized i force not sleeping at my desk
t0m0_Same with my KickStarRabbit
t0m0_Under utilized/under paid.
t0m0_The account i'm on is a government site though.
t0m0_so not a lot of project work to do
t0m0_especially since our state government lost their credit rating :/
t0m0_but we have money to bait sharks off our coastline
t0m0_ACTION returns from tangent
lkthomas_hey guys
lkthomasso for OSPF, I don't need to insert remote site IP info, OSPF itself would announce itself to neighbor, right ?
onefst250rACTION scratches head
onefst250rconfusing question is, confusing
lkthomasfor static IP route, each site have to insert neighbor info into local router
onefst250rwhen running a dynamic internal gateway protocol, you need to configure the router to advertise what links it has connected to it
onefst250rand, it will advertise what networks it has access to via those links
onefst250rso what's the question?
garrettskji'm waiting tooo
garrettskjfor the qeustion
lkthomasnevermind, maybe I am confused by myself. Second question: for example area 0, contain two path network (first is actual link, second is failover link), how long does it take for OSPF to detect first link failing and switch to second failover link ?
onefst250r3x hello timer
onefst250rso out of the box, 15 seconds
onefst250rif its all ethernet
garrettskj3? i thought it was 4 with ospf
garrettskjfirst time, and 3 retries
lkthomasgarrettskj: do you know where does cisco document that number ?
onefst250rgarrettskj: that might be right
garrettskjjust do a gns3 setup, and test for yourself.
garrettskjlol you will find out real quick
garrettskjyou just need 2 routers
onefst250ri was thinking it was declared dead after missing 3
garrettskjyea, but I think that's it though
garrettskj3 retries it's dead...
garrettskjbut you still have the first time.
garrettskjso the time would be equivalent to 4
lkthomas4 seconds ?
onefst250rsomewhere between 3 and 4?
garrettskj4 hellos
onefst250r4 hellos
lkthomas15 seconds each hellos ?
KickStarRabbitif tier 1 asks me to powercycle a modem again i am gonna crack
garrettskjfinally got p3rror stuff figured out
onefst250rdefault for ospf is 5 seconds
garrettskjso 20 seconds.
lkthomasI see, so 20 seconds
garrettskj1 x 5, 3 x 5 retries = 20
lkthomashow does it handle flapping link ?!
onefst250ryou can tune if you're so nerdy
onefst250rtbh, horribly
garrettskjok guys. i'll bbl. onefst250r hold down the fort
onefst250rthe protocol has to miss 3 hellos
lkthomasonefst250r: so it can't handle random packet loss ?
onefst250rif two miss, one gets through
onefst250rone misses, two get through
onefst250rthe protocol never signals a failover
onefst250ra better way at it nowadays is to run bfd
lkthomasbfd ?
lkthomasBi-directional forwarding detection
lkthomasACTION learn something new 
onefst250ror big fucking deal
onefst250rdepends on who you ask
hendrikzKickStarRabbit, tier1's can't reboot modems? crayy
lkthomasonefst250r: so basically I would just need to insert bfd interface... into configuration
onefst250rits a pretty simple configuration
lkthomasis it only OSPF "add-on" ?
lkthomasI mean, does BFD only for OSPF ?
onefst250rno, its a separate protocol
onefst250rand it works for multiple routing protocols
lkthomasI see
pffsKickStarRabbit: don't you love shit that has had zero tier 1 troubleshooting?
KickStarRabbiti hate noobs, tier 1, and wannabe hackers
lkthomasmy supervisor used to tell me "give the tier 1 a break, they are fucking busy"
KickStarRabbitsome of the shit I am told is crazy
pffsKickStarRabbit: I had a junior engineer walk over today and ask me how to wipe a juniper
pffsI was just like " you not know how to google?"
KickStarRabbitdid you refer to bathroom
lkthomasonefst250r: so BFD have a lot lower timer, like 50 ms
onefst250rthats the idea
lkthomasonefst250r: during failover situation, would traceroute from the client side show the packet is running on the failover route ?
lkthomasonefst250r: I see, so better monitor the route instead of monitor neighbor
lkthomasonefst250r: I am trying to understand how it works and implement monitoring system on links
onefst250rmonitor bfd
KickStarRabbitATT IVR can burn in hell!!!!
onefst250rlink failures = bfd failure = snmp/syslog trap
lkthomasonefst250r: honestly I don't trust trap :P
onefst250rso what do you do?
lkthomasonefst250r: SNMP poll ? :P
halakarhay guise
halakargot a UC540, trying to NAT to a web server behind the device, but it isn't working, at least according to a port scan tool -
halakarI thought something might be up with the firewall, so i NAT'ed to another port to the same box inside, it worked
halakarDoes this UC540 run its own https server that could be interfering? If so, how to get it out of there
onefst250rlkthomas: sure
lkthomasonefst250r: if BFD can't be used, what should I monitor on OSPF then?
lkthomason SNMP, which specific object should I monitor?!
onefst250rno clue
onefst250rim not an nms guy
onefst250ri have a noc for that
KickStarRabbitmy gf wants to get a 3- bedroom so she can have her own office
KickStarRabbiti just want her to work horizontal ... am i being unfair
lkthomasKickStarRabbit: cisco related ?
KickStarRabbitas I am a cisco tech
mgeorgecop arrests firefighter for not moving his truck which is protecting the response and emt crew
mgeorgestupid democratic cops
onefst250rKickStarRabbit: will she make monies in said office?
mepholicguys, consumer grade trendnets are production worthy core switches, right???
onefst250rif not, she should have to work it off somehow :P
onefst250r./kick mepholic
mgeorgetypically in most states
lkthomasmepholic: LOL
mgeorgethe fd has authority over an accident scene
mepholiconefst250r: thats what the last guy that had my job thought
KickStarRabbiti guess i gotta make her the sugar momma :)
mgeorgepd is required to provide security and direct traffic
onefst250rmepholic: hopefully he got fired for being a 'tard?
lkthomasthat one ?
mepholiconefst250r: ftr, he got fired for not documenting anything
lkthomasmepholic: he don't need to
onefst250rclose enough
lkthomasmepholic: because he know nothing
mepholicbecause he thought that if he didn't document anything, he'd have job security
lkthomasclosed mind thinking
onefst250rBoss says "Challenge Accepted"
mepholicmy boss is cool
onefst250rhow nice of them. you can emulate trendnet web gui's -
lkthomasonefst250r: it could be linux or BSD
lkthomasmepholic: I think that guy suggest trendnet have a reason: everything is on GUI
mepholici think it's that one
onefst250rusername/password is admin/admin! :)
onefst250ri actually have a trendnet device in my soho....a poe N access point
onefst250rwas nice and cheap and does vlans
onefst250rthink i paid like 60 dorra
malaphusdorra, is that some kind of new virtual currency?
onefst250ror its me making fun of the japanese
onefst250rwhat kind of circuit are you?
Titaniumis there a modular trendnet switch?
Titaniumor is that just dell
nobitwas wondering if anyone here has experience with brocade routers. I'm a bit confused by virtual interfaces on brocade, like for example, interface ve 1 is a virtual interface. how would something like that look in cisco world?
civilliannobit: probably like an SVI
nobitso basically a vlan that can route ip traffic?
civillianNot a VLAN, it's a layer 3 interface
civillianso you attach the ve to a VLAN
Titaniumhave you ever used CATOS?
Titaniumin hybrid mode?
Titaniumit sounds like that
nobitcivillian, I see. thanks
circuitonefst250r: a funky one
Titaniumi found 2 bugs where each's workaround makes the other happen
onefst250rTitanium -- the bug maker
Titaniumthe developers make bugs
Titaniumi just find them
Titaniumprogramming - The process of adding bugs to code
circuitim so glad i didnt pursue programming
circuitfuck that
Titaniumme too :)
Titaniumi program for fun
Titaniumprogramming would be fun if it was done as a professional engineer
circuitcoding is fun though i will admit that
Twizt3dWhy can't it be done as a professional engineer?
Titaniumit can
Titaniumit just isnt
Twizt3dYou made it sound like it couldn't. Lol. Gotcha
Titaniumlike programming if a PE is going to stamp the code
Titaniumi only enjoy 2 languages :(
Titaniumand people hate them both
Twizt3dWhich ones?
circuityou dont hear too many people who choose verilog
Twizt3dPeople shouldn't hate Java that's one of the easiest out there
Titaniumits an irrational hate, from uninformed people
Twizt3dIt's not easy but I mean it's one of the object oriented ones
Titaniumyou can do so much in java with so little effort
Titaniumand it can do threading so well, so the code runs fast
Titaniumverilog is insanely fast, and fun to write in
Twizt3dYou just have to know the right classes to use... Lol
Titaniumreal men make their own tools
Twizt3dI've never heard of that I need to look it up
Titaniumverilog isnt really programming
Twizt3dIs it a newer language?
Titaniumits a language to describe hardware
Twizt3dOh, ok.
Titaniumit all boils down to wires and gates sortof
Titaniuminstead of assembly
Twizt3dStill I should look it up though. Sounds interesting
Twizt3dLol what
Titanium^^ explain yourself
dissolve|no explanation necessary
Twizt3dI remember creating a program and my hard drive died and I lost it. It was my first actual program that generated random IP addresses for class A, B and C depending on which one you chose
circuiti love watching the food network
Titaniumi made a calculator program that balanced redox reactions
dissolve|should have saved that
circuitthese fuckers are cooking huge octopus
Twizt3dI just wanted to see what I could do with the different classes I didn't think I could do that but I managed it it was pretty cool
Twizt3dThat's cool
Twizt3dYeah I should have saved it I did but on the hard drive that died
Twizt3dIt sucks
Titaniumalso back in middle school i made programs to do all the algebra II stuff
Titaniumin less time than the teacher took to teach it :D
Twizt3dI love to program. There are just so many classes it gets a little confusing about which to use because you can use a lot of classes for the same thing
Twizt3dHaha that's cool
Titaniumwrite your own
Twizt3dYeah I haven't tried that
Twizt3dI'd start doing that when I have more experience with it
dissolve|ACTION slaps Scrye around a bit with a large trout
baristatamACTION slaps Scrye around a bit with her large dick
pffsACTION slaps baristatam with his huge moobs
baristatambring it
onefst250rbaristaTam: it does not count if its big, black and rubber
pffspurple, the length of my forearm and causes ladies to scream
baristatamsudden infant death?
baristatammorbid, yo
pffsso is you whipping your dick out ._.
baristatamthat's not morbid
baristatamit's just vulgar
pffssays you
baristatamthere's a world of difference. but no, neither is tactful
baristatamI apologize
baristatamACTION puts her dick away
baristatamo/ drkat
baristatamto be fair drkat you joined after <dissolve|> slaps Scrye around a bit with a large trout
drkatfuck im tired
circuitdrkat: goto sleep doood
TimberWolf_take nyquil drkat