CCNA exam scheduled!

It’s been a while since I’ve posted here but I’ll definitely be more active as of now.

It’s been quite a hectic couple of months due to moving house, work and study.

My exam is scheduled for 27/04/2011 and I can’t wait.

I’m feeling very confident and can’t wait to be CCNA certified and start studying for the CCNP.

Will post here again next Wednesday with the result :-)

Posted in Certification.

10 massively useful IOS show commands

Here are 10 commands that I seem to use everyday.

  • show run – Display the running configuration
  • show interfaces status – Display an overview of each interface on the device
  • show ip interface brief – Show the IP address and status of each interface
  • show interfaces status err-disabled – Display the interfaces currently in the err-disabled state
  • show spanning-tree root – Show the spanning tree root bridge for each VLAN
  • show vlan brief – Show the configured VLANs and the ports assigned to them
  • show ip route – Show the routing table
  • show cdp neighbors detail – Show the CDP-speaking devices directly connected to the device you are on
  • show ip access-lists – Show all IP access lists configured on the device
  • show version – Display a wealth of information about the device you are connected to

Hope these help! :)

Posted in IOS.

Funny service provider bandwidth shaping

We have a layer 2 link from one of our LANs to a colocation facility where the DMZ and internet connection for a particular business entity is.

A user has been experiencing FTP transfer speeds of 150-200KBytes per second from the LAN across the layer 2 link to an FTP server in the DMZ.

I drew up a bandwidth test matrix in Excel to record the results of FTPing between the various networks, to see if the shaping applied from a certain network to another network. The networks were the LAN, the DMZ, the internal network at the colocation, a different site's LAN, etc.

What I found was that from the LAN to the DMZ/internal network at the colo speeds were roughly 150-200KByte.

Transferring from the internal colo network back to the same server on the LAN, which takes the exact same path on the network, transfers at 1000KByte per second.

Transferring from another site's LAN to the DMZ/internal colo network transfers at 1000KByte per second as well.

I called the service provider and they confirmed that this link is a 2Mbit service, which I thought did not make sense. How can I transfer at 1000KByte on a 2Mbit service?

2 Mbit/s ÷ 8 = 250 KByte/s, i.e. a 2 Mbit service

10 Mbit/s ÷ 8 = 1250 KByte/s, i.e. a 10 Mbit service

I’ve come to an interesting conclusion: they are shaping bandwidth using an ACL or something similar matching on the source address of the LAN.

I’m not exactly sure what device is doing the shaping either as I haven’t visited this site yet but it will be interesting to see what is doing the shaping.

It’s an interesting way to cap a link and I probably wouldn’t use this method.

One thing I’ve learnt from this exercise is that using a bandwidth matrix in Excel and recording your results saves you a lot of time by not going around in circles when testing to and from various sites.
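As an added example (not code from the original post), here is how the bandwidth matrix can be analysed in Python to tell whether a cap follows the source network, the destination network, or a single path; the network names and KByte/s figures are constructed to match the numbers quoted above.

```python
# Added example (not from the original post): analyse a bandwidth test matrix
# like the Excel one described above to see whether a cap follows the source
# network, the destination network, or one specific path.
# The network names and KByte/s figures are constructed to match the numbers
# quoted in the post.

MEASUREMENTS = {  # (source network, destination network) -> observed KByte/s
    ("LAN", "DMZ"): 175,
    ("LAN", "COLO_INTERNAL"): 175,
    ("COLO_INTERNAL", "LAN"): 1000,
    ("OTHER_SITE_LAN", "DMZ"): 1000,
    ("OTHER_SITE_LAN", "COLO_INTERNAL"): 1000,
}


def kbytes_to_mbit(kbytes_per_s):
    """KByte/s as reported by an FTP client -> Mbit/s of link it implies."""
    return kbytes_per_s * 8 / 1000


def classify_shaping(measurements, slow_kbytes):
    """Return ("source", net), ("destination", net), ("path", pairs) or ("none", None).

    A network is the shaping key only if every slow transfer involves it in
    that role and it never appears in a fast transfer in that same role.
    """
    slow = {pair for pair, rate in measurements.items() if rate <= slow_kbytes}
    fast = set(measurements) - slow
    if not slow:
        return ("none", None)
    sources = {src for src, _ in slow}
    dests = {dst for _, dst in slow}
    if len(sources) == 1 and all(s not in sources for s, _ in fast):
        return ("source", sources.pop())
    if len(dests) == 1 and all(d not in dests for _, d in fast):
        return ("destination", dests.pop())
    return ("path", sorted(slow))


if __name__ == "__main__":
    kind, key = classify_shaping(MEASUREMENTS, slow_kbytes=250)
    print(f"shaping keyed on {kind}: {key}")
    for (src, dst), rate in MEASUREMENTS.items():
        print(f"{src:>15} -> {dst:<14} {rate:5} KByte/s ~ {kbytes_to_mbit(rate):.1f} Mbit/s")
```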

Posted in Bandwidth.

Polycom Avaya conference phone dropping out

Greetings… :-)

I had a helpdesk ticket come my way the other day regarding a problem with 4 of our Polycom conference phones which were dropping out in the middle of the calls.

Our conference phones are Avaya 1692 IP Conference Phones.

Apparently this problem only started two to three weeks ago, but I’m not sure about that. The only thing that has changed in the switch port configurations recently is the port security settings here:

switchport port-security maximum 25
switchport port-security violation shutdown

I doubt this would cause the issue we were having.

I checked out our syslog server (Kiwi Syslog Server) and found the interface going down and then up, but I can’t be sure that this was the time at which the calls dropped out.

I turned all port security off on one of the ports that I know was being used that day, and the user has confirmed that there were no drop outs.

To further isolate the problem I reconfigured the port with our standard access port configuration but turned off the following settings:

switchport port-security aging time 2
switchport port-security aging type inactivity

After changing these settings I’ve had no reports of any drop outs.

Interface range command

The interface range command makes it much easier and less time consuming to roll out changes to a range of interfaces on a switch or router, although I’ve never used it on a router.

Some of the reasons I use the interface range command are to assign a range of ports to a different VLAN such as a training room. I’ve also used it to roll out modifications to our access ports port security configuration.

We have switches where I work on which not all of the Fast Ethernet ports are used as access ports; some are connected to wireless access points, printers or some other device that requires an interface configuration different to that of a normal access port.

I’ve been thinking that it would be a good idea to group all of these miscellaneous ports, say from either 0/1-10 or 0/40-48, to make rolling out changes require only one range command and not 2, 3 or even 5.

Here is how to do it.

Switch#
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface range fastEthernet 0/1 - 24
Switch(config-if-range)#switchport access vlan 550
Switch(config-if-range)#

This will obviously place ports 1 through to 24 into VLAN 550.
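As an added example (not code from the original post), the following Python builds the fewest "interface range" commands for a set of miscellaneous ports by coalescing consecutive port numbers; the port lists are constructed, the "fastEthernet 0/" prefix is an assumption, and the five-ranges-per-command limit is the Catalyst documented value and should be checked for your platform.

```python
# Added example (not from the original post): coalesce a list of port numbers
# into the fewest "interface range" commands. IOS accepts several ranges in one
# command separated by " , ", with spaces around the hyphen, and (per the
# Catalyst docs, treat as an assumption for your platform) at most five ranges
# per command. Port lists used here are constructed.


def coalesce(ports):
    """[1, 2, 3, 5, 40, 41, 42] -> [(1, 3), (5, 5), (40, 42)]"""
    runs = []
    for p in sorted(set(ports)):
        if runs and p == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], p)  # extend the current run
        else:
            runs.append((p, p))          # start a new run
    return runs


def range_command(ports, prefix="fastEthernet 0/", max_ranges=5):
    """Return one or more 'interface range ...' lines covering `ports`."""
    pieces = [f"{prefix}{a}" if a == b else f"{prefix}{a} - {b}"
              for a, b in coalesce(ports)]
    return ["interface range " + " , ".join(pieces[i:i + max_ranges])
            for i in range(0, len(pieces), max_ranges)]


def access_vlan_config(ports, vlan):
    """Config snippet that moves `ports` into `vlan`, one range command per chunk."""
    lines = []
    for cmd in range_command(ports):
        lines += [cmd, f" switchport access vlan {vlan}", "!"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Miscellaneous ports scattered over the switch: two runs plus singles.
    print(access_vlan_config([1, 2, 3, 5, 40, 41, 42], 550))
```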

Hope this helps you :)

Ping the broadcast address

A nifty way to discover what IP addresses are used and responding to ping is to ping the broadcast address of a subnet on a Cisco router that the subnet is directly attached to.

Pinging a broadcast address works just like any other ping: you simply ping that magic last address of the subnet, the broadcast address. So to ping the broadcast address of the network 10.10.10.0/24 you would ping the following:

ping 10.10.10.255

The IOS displays what addresses respond to ping like this.

Router#ping 10.10.10.255

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.255, timeout is 2 seconds:

Reply to request 0 from 10.10.10.62, 1 ms
Reply to request 0 from 10.10.10.55, 4 ms
Reply to request 0 from 10.10.10.53, 4 ms
Reply to request 0 from 10.10.10.25, 4 ms
Reply to request 0 from 10.10.10.124, 4 ms
Reply to request 0 from 10.10.10.22, 4 ms
Reply to request 0 from 10.10.10.24, 4 ms
Reply to request 0 from 10.10.10.54, 4 ms
Reply to request 0 from 10.10.10.51, 4 ms
Reply to request 1 from 10.10.10.55, 4 ms
Reply to request 1 from 10.10.10.53, 8 ms
Reply to request 1 from 10.10.10.22, 4 ms
Reply to request 1 from 10.10.10.25, 4 ms
Reply to request 1 from 10.10.10.124, 4 ms
Reply to request 1 from 10.10.10.24, 4 ms
Reply to request 1 from 10.10.10.54, 4 ms
Reply to request 1 from 10.10.10.62, 4 ms
Reply to request 1 from 10.10.10.51, 4 ms

This also creates an entry in the ARP cache of the router so you have the MAC to IP mapping of each device on the subnet which can help you identify what a particular device is.

Doing this from the router allows you to ping the broadcast addresses of multiple subnets if you have multiple subnets/VLANs on your network, such as a data and a voice VLAN for example.

In the past I’ve used port scanners to discover what addresses are used, but if you do this from a device not directly attached to the network you are pinging it can sometimes not give you the results you require, if some devices do not have a default gateway configured. Doing this from the router ensures you get every IP that is being used.

Port scanners also have to be loaded onto a computer on the network and this takes time. Having this built-in ping sweep feature is definitely handy – USE IT.

:)
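As an added example (not code from the original post), here is a small Python parser for the IOS broadcast ping output shown above that turns the replies into a per-host summary and flags hosts missing from an inventory list; the sample output is constructed from the post's output with only a few replies kept, and the inventory is a placeholder.

```python
import re
from collections import defaultdict

# Added example (not from the original post): parse IOS broadcast ping output
# into a per-host summary and mark responders that are not in an inventory.
# SAMPLE is constructed from the post's output with only a few replies kept.
SAMPLE = """\
Router#ping 10.10.10.255

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.255, timeout is 2 seconds:

Reply to request 0 from 10.10.10.62, 1 ms
Reply to request 0 from 10.10.10.55, 4 ms
Reply to request 1 from 10.10.10.55, 4 ms
Reply to request 1 from 10.10.10.62, 4 ms
Reply to request 1 from 10.10.10.51, 4 ms
"""

REPLY = re.compile(r"Reply to request (\d+) from (\d+\.\d+\.\d+\.\d+), (\d+) ms")


def parse_replies(text):
    """Return {ip: [rtt_ms, ...]} for every host that answered the broadcast."""
    hosts = defaultdict(list)
    for m in REPLY.finditer(text):
        hosts[m.group(2)].append(int(m.group(3)))
    return dict(hosts)


def summarise(text, expected=()):
    """Rows of (ip, reply_count, max_rtt_ms, known) sorted by address."""
    known = set(expected)  # placeholder inventory of addresses you expect
    rows = [(ip, len(rtts), max(rtts), ip in known)
            for ip, rtts in parse_replies(text).items()]
    # sort numerically by octet rather than as strings
    return sorted(rows, key=lambda r: tuple(int(o) for o in r[0].split(".")))


if __name__ == "__main__":
    for ip, n, rtt, ok in summarise(SAMPLE, expected={"10.10.10.62"}):
        print(f"{ip:15} replies={n} max_rtt={rtt}ms {'known' if ok else 'UNKNOWN'}")
```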

Cisco access point RADIUS server is not responding

While I was in Victoria at one of our sites I noticed that in one particular area where we were sitting my laptop and my colleagues’ laptops would connect to the wireless network.

I noted down the IP of the access point and looked into it when I was back in Adelaide, and found the following error message in the event log of the web interface for that particular access point.

RADIUS server 10.10.10.10:1645,1646 is not responding.
RADIUS server 10.10.10.10:1645,1646 has returned.

After a bit of searching I found the following Cisco article, which advised that it is most likely that the pre-shared key on the access point and the one configured on the RADIUS server are different.

http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a008009483e.shtml

Reconfiguring the pre-shared key on the access point and the RADIUS server resolved the issue.

Posted in Wireless.

Cisco secondary IP address

What is a secondary address?

A secondary IP address is just another address assigned to a router’s interface. There are no limits on how many secondary addresses you can assign to an interface apart from how many addresses you have left in the subnet being used.

What is a secondary address used for?

From my experience I’ve used secondary addresses for a number of things such as:

  • Changing a router’s IP address using a staged approach

Sometimes you might have the need to change a router’s IP address, for example to align the address with other routers in your WAN. As you are going to need to update each device’s default gateway you might want to stage this approach. You assign the new address as a secondary address and then start migrating devices over; the devices that haven’t been migrated over still have a valid default gateway.

  • Migrating a LAN from one subnet to another using a staged approach

One of my previous employers’ LAN address range was 89.0.0.0/8. Needless to say, when I started I noticed this straight away and we started planning a project to migrate this subnet to an RFC 1918 range. We did this in a staged approach, and to do this the two networks need to be able to communicate. I know now it would have been best practice to set up a VLAN for the new subnet and set up the router’s LAN interface as a trunk with subinterfaces, one for each VLAN, but I wasn’t that experienced then. What I did was set up a secondary address on the LAN interface of the router in the new RFC 1918 subnet, and this allowed the two subnets to communicate.

  • Migrating WAN links and routers

Just recently, today in fact, I migrated a WAN link from one site to another and had to shuffle IP addresses around. Using secondary addresses when doing this gives you a fallback plan: when you change the primary address you still have the secondary address, which you know is working, in case the primary address change for some reason does not work. I also recommend using the reload command when changing addresses to avoid locking yourself out of the router.

How to configure a secondary IP address?

Configuring a secondary IP address is the same as configuring a primary address; you just append “secondary” to the end of the command, like this:

ip address 10.10.10.1 255.255.255.0 secondary

I hope this helps you :-)

Avaya softphone Check Point firewall issue

We’ve been having an issue getting our Avaya softphone working over our Juniper SSL VPN connection. You would attempt to log on and it would log on and disconnect, log on and disconnect, and keep doing this over and over, each time displaying this error:

lineopen() :The phone driver could not be found

Before where I work moved to a new location it was all working OK; after the move a Cisco ASA was installed as an internal firewall to route between the many VLANs we have on our network.

This led us to think it was the Cisco ASA causing issues, possibly one of the “inspect” policies. Doing a show run and a show service-policy we were expecting to see inspect h323 or something similar, but the only inspects relating to VoIP were SIP and skinny, and we knew our Avaya system used H.323, not SIP.

We changed our focus to the Check Point firewall and my colleague soon found this thread saying to try this:

Hi,

Avaya didn’t implement a H.323 protocol that is RFC conformant. So you might want to install the following workaround first to expand your Avaya IP softphone experience.

In SmartDashboard, go to ‘Services > TCP’. Open the ‘H323’ object and change the port from 1720 to 1721. Create a new TCP object ‘H323_avaya’ with port 1720 and click on ‘Advanced’. Don’t touch the ‘Protocol Type’ select field and just uncheck ‘Match for Any’. Click ‘Ok’ and you are done. Install the policy and you finally enabled the workaround.

Now create a rule that allows the TCP Services ‘H323_ras_only’, ‘H323_avaya’ & ‘T.120’ between the hosts where you have installed Avaya’s IP softphone.

Have fun,
Danny Trommer
CCSA/CCSE/CCSE+

After doing this the softphone now works over VPN, thanks very much!

Can ping but cannot telnet wrong subnet mask

Howdy

I had an interesting issue the other day where I could ping and trace to the router fine and I could telnet from the local LAN but could not telnet from across the WAN.

Prior to this we’d been trying for 3-4 weeks to get into this router, as the person who set it up had configured it completely differently from the rest of the routers at all of our sites, which have a consistent configuration. We managed to guess the password and then cleaned up the config so it behaved like the rest of our routers, except for this last problem.

Anyways, I obviously first thought that there was an ACL on an interface or the VTY lines stopping me from getting in. After further troubleshooting and investigation, and a bit of help from a coworker, I realized that the WAN interface’s subnet mask was incorrect and was a /26 instead of a /30, which is just completely random as none of our WAN interfaces’ masks are /26.

I changed the subnet mask to a /30 and I could telnet from across the WAN.

I don’t really understand why I could ping the address but could not telnet as there obviously wasn’t a routing issue?
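As an added example (not code from the original post), here is a Python check using the standard ipaddress module that audits both ends of a point-to-point WAN link for the kind of mask mismatch described above (/26 configured where the link is a /30) and counts the addresses the wrong mask claims as directly connected; the link addresses are constructed placeholders.

```python
import ipaddress

# Added example (not from the original post): audit both ends of a WAN link for
# a mask mismatch like the /26-instead-of-/30 case above. Addresses are
# constructed placeholders; in practice they come from "show ip interface
# brief" or the running config of each router.
LINKS = [  # (local interface address/mask, peer interface address/mask)
    ("192.0.2.1/30", "192.0.2.2/30"),   # consistent point-to-point link
    ("192.0.2.5/26", "192.0.2.6/30"),   # local end carries the wrong mask
]


def check_link(local_cidr, peer_cidr):
    """Describe mask consistency for one point-to-point link."""
    local = ipaddress.ip_interface(local_cidr)
    peer = ipaddress.ip_interface(peer_cidr)
    report = {
        "mask_match": local.network.prefixlen == peer.network.prefixlen,
        "peer_on_link": peer.ip in local.network,
        "extra_hosts": 0,
    }
    # Addresses the local side treats as directly connected but the peer does
    # not: a connected route (AD 0) shadows any learned route to them.
    if local.network.prefixlen < peer.network.prefixlen:
        report["extra_hosts"] = (local.network.num_addresses
                                 - peer.network.num_addresses)
    return report


def audit(links):
    """Map each local address to its report; inconsistent links are easy to spot."""
    return {local: check_link(local, peer) for local, peer in links}


if __name__ == "__main__":
    for local, rep in audit(LINKS).items():
        flag = "OK" if rep["mask_match"] else "MASK MISMATCH"
        print(f"{local:16} {flag:14} extra_hosts={rep['extra_hosts']}")
```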

If anyone knows and could shed some light please comment!

Cheers

Posted in IOS, Subnetting.