|
Lets say we have some remote offices and we are going to connect back to our datacenter via some ipsec tunnels. The offices are using SRX240s HA setup, and the datacenter is using two standalone SRX1400s. I created two ipsec tunnels, with dynamic endpoints one to each datacenter device, and they've come up and I can ping across them nicely. Now what routing protocol should I use? I tried OSPF because that is what we run everywhere, but the datacenter SRX public IPs are in our OSPF domain, additionally these tunnels are just for management traffic, local user traffic should follow the default route out to the internet. User traffic bound for our datacenter should be over their own OpenVPN connection. I also just want to inject a single summary route for each office. e.g. Office 1 would be 10.1.0.0/16 Office 2 would be 10.2.0.0/16 etc. So what's the best way to do that? I don't think OSPF allows the type of filtering or summarization that I'd like, but maybe I just don't know how to do it. This is all Juniper so route filtering in OSPF is limited to the RFC.
|
#
?
Jun 10, 2016 16:02
|
|
|
|
| # ? Apr 25, 2024 05:19 |
|
|
Powercrazy posted:Lets say we have some remote offices and we are going to connect back to our datacenter via some ipsec tunnels. The offices are using SRX240s HA setup, and the datacenter is using two standalone SRX1400s. I created two ipsec tunnels, with dynamic endpoints one to each datacenter device, and they've come up and I can ping across them nicely. Now what routing protocol should I use? If it's just a single site and you don't intend to route office 2 through office 1 for any reason, I'd just use static routes. As for OSPF on the SRXes, in your case if you really wanted to use a routing protocol I'd suggest creating a separate area for inter-site connectivity and only distribute the private subnets.
|
|
#
?
Jun 10, 2016 18:11
|
|
|
When typing "clear counters interface gi0/1" it asks you to confirm if you really want to reset the counters. If's it's a sleepy Monday morning and you instead type "clear interface gi0/1" it will gladly without confirmation reset the interface and take all your users offline. 
|
|
#
?
Jun 15, 2016 05:34
|
|
|
commit confirmed needs to be stolen by every other vendor.
|
|
#
?
Jun 15, 2016 08:02
|
|
|
Thanks Ants posted:commit confirmed needs to be stolen by every other vendor. Cisco has had Commit Confirmed since like IOS 9. Simply write a TCL script.....
|
|
#
?
Jun 15, 2016 20:02
|
|
|
Huh... Clear counters is run from just non configuration mode, default interface from config. Not sure what you did. My fav is adding a new vlan and typing 'switchport trunk allowed vlan #' . Time to get the car keys and serial cable. Whoops.
|
|
#
?
Jun 15, 2016 23:12
|
|
|
Partycat posted:Huh... Clear counters is run from just non configuration mode, default interface from config. Not sure what you did. I've done this once and learned an important lesson.
|
|
#
?
Jun 15, 2016 23:35
|
|
|
adorai posted:I've done this once and learned an important lesson.  Ahh the gas-powered serial cable fallback method.
|
|
#
?
Jun 15, 2016 23:56
|
|
|
Partycat posted:My fav is adding a new vlan and typing 'switchport trunk allowed vlan #' . Time to get the car keys and serial cable. Whoops. I too have done this. Luckily it didn't cut off my access but it did gently caress up an oracle db sync. The db team tried to make a stink but they were at the CM meeting and approved the change window so gently caress them. It did royally gently caress up the db though.
|
|
#
?
Jun 16, 2016 00:20
|
|
|
Partycat posted:Huh... Clear counters is run from just non configuration mode, default interface from config. Not sure what you did. The "clear interface" exec command will reset the hardware controller for the specified interface, which is similar to a shut/no shut on the specified interface.
|
|
#
?
Jun 16, 2016 01:24
|
|
|
ragzilla posted:The "clear interface" exec command will reset the hardware controller for the specified interface, which is similar to a shut/no shut on the specified interface. Thanks for telling me before I tried it this morning and annoyed some people! Or maybe I will..... Hmm....
|
|
#
?
Jun 16, 2016 12:31
|
|
|
I'm the guy who fat fingered wr e instead of wr mem on an ASA during an overnight change window. Fortunately I made a backup of the config before the final write.
|
|
#
?
Jun 16, 2016 18:01
|
|
|
psydude posted:I'm the guy who fat fingered wr e instead of wr mem on an ASA during an overnight change window. Fortunately I made a backup of the config before the final write. It sounds like you need http://www.shrubbery.net/rancid/ or https://github.com/ytti/oxidized
|
|
#
?
Jun 16, 2016 18:30
|
|
|
1000101 posted:It sounds like you need http://www.shrubbery.net/rancid/ or https://github.com/ytti/oxidized On this subject, has anyone here tried oxidized yet?
|
|
#
?
Jun 16, 2016 19:15
|
|
|
ragzilla posted:On this subject, has anyone here tried oxidized yet? It's supported device list seems sane. Dunno about the Ruby on rails or whatever dev environment though. I'll stick with ghetto expect scripts and perl I guess.
|
|
#
?
Jun 16, 2016 22:57
|
|
|
falz posted:It's supported device list seems sane. Dunno about the Ruby on rails or whatever dev environment though. I'll stick with ghetto expect scripts and perl I guess. I'm partial to the native multi threading/scheduling (so I don't need to do my own rancid hacks to either set parallel ridiculously high, or do my own consistent hash to bucket things out and spread load), and the better built in functionality for pushing stuff to top of queue (instead of running rancid-run yourself from sec). Oh and being able to add/remove devices through an API instead of reading/writing the db files and pushing to $scm.
|
|
#
?
Jun 16, 2016 23:32
|
|
|
1000101 posted:It sounds like you need http://www.shrubbery.net/rancid/ or https://github.com/ytti/oxidized Rancid has saved my rear end more than a few times. Even when you automatically make changes to device config literally (yes) every 45 seconds (don't ask.) It's great being able to revert to arbitrary times in the past. I'll have to look at oxidized though. It sounds interesting, although it may be missing some devices I need. I'll have to see how easy it is to drop in some custom devices.
|
|
#
?
Jun 16, 2016 23:55
|
|
|
ragzilla posted:On this subject, has anyone here tried oxidized yet? Yup. We have it integrated with LibreNMS. Works fine for our needs, although we're a small Cisco shop.
|
|
#
?
Jun 17, 2016 13:07
|
|
|
Anyone running BYOD in their network with Cisco wlc's and ISE? I'm trying to figure out if the acl referenced in the radius access-accept should have deny's for the traffic I want to send to ISE self registration portal or permits. Doesn't seem like either are working but I won't really know for sure until further testing Monday.
|
|
#
?
Jun 18, 2016 00:39
|
|
|
Whoever it was Cisco who approved rail kits for the Nexus switches with the one hole that's just too small for M6 screws should be fired out of a cannon into the sun.
|
|
#
?
Jun 18, 2016 06:35
|
|
|
poo poo, that reminds me. Is there any good way to get any practice in with Nexus gear without actually having access to Nexus gear? I'm starting a new job as a network implementation guy for a Cisco partner and I just realized that means I'll probably end up working with Nexus switches on larger projects. I have plenty of IOS and ASA experience but no NX-OS experience at all. Basically what I'm looking for is something a la GNS3 for Nexus kit.
|
|
#
?
Jun 18, 2016 06:45
|
|
|
Kazinsal posted:poo poo, that reminds me. Is there any good way to get any practice in with Nexus gear without actually having access to Nexus gear? I'm starting a new job as a network implementation guy for a Cisco partner and I just realized that means I'll probably end up working with Nexus switches on larger projects. I have plenty of IOS and ASA experience but no NX-OS experience at all. http://virl.cisco.com/
|
|
#
?
Jun 18, 2016 06:52
|
|
|
Kazinsal posted:poo poo, that reminds me. Is there any good way to get any practice in with Nexus gear without actually having access to Nexus gear? I'm starting a new job as a network implementation guy for a Cisco partner and I just realized that means I'll probably end up working with Nexus switches on larger projects. I have plenty of IOS and ASA experience but no NX-OS experience at all. NX-OS is basically a mixture of IOS and ASA. Biggest thing is that it's modular, so you load features as you need them. Also, VLANs don't work unless you explicitly call them with the VLAN command. Otherwise, VDCs are the same as security contexts and there's no more do command.
|
|
#
?
Jun 18, 2016 07:25
|
|
|
Can we take a second to talk about how loving dumb the rack mounts for the 6807s are.
|
|
#
?
Jun 22, 2016 03:38
|
|
|
Better than the 2 post rack mounting solution for the 1U 9300s. Put it on a shelf
|
|
#
?
Jun 22, 2016 03:54
|
|
|
FatCow posted:Better than the 2 post rack mounting solution for the 1U 9300s. Agreed. Unfortunately this is customer equipment so I have what I have. Although I'll probably tell presales to start selling shelves with them.
|
|
#
?
Jun 22, 2016 04:23
|
|
|
One of the smaller CRS chassis, I think it's the 8-slot, had the screw holes on the rails set so far back that any normal screwdriver's handle would run into the frame of the rack or the chassis itself trying to get lined up on a screw. The only options appeared to be either getting one of those really short stubby ones and stuffing your hand entirely into the rack with it around the corner of the chassis, or what I happened to have which was a screwdriver with an 18" shaft. I still don't know if I was missing something while installing them or if having an 18" screwdriver on hand was actually the recommended method.
|
|
#
?
Jun 22, 2016 16:40
|
|
|
Why, after site power failures, do switches sometimes have to be power cycled to restore service. Its friggin annoying and takes up so much time.
|
|
#
?
Jun 23, 2016 14:08
|
|
|
What lovely switch is that? What does the local serial console say when it's not functioning?
|
|
#
?
Jun 23, 2016 19:15
|
|
|
3560s. I've got thousands of them in the field and it's usually the SFP slots that don't come up right. Usually more effort to get someone who knows what they are doing to console into the thing and tell me whats going on than to just have a site person power cycle.
|
|
#
?
Jun 23, 2016 19:56
|
|
|
Is there a pattern with SFP types and not coming up?
|
|
#
?
Jun 23, 2016 20:30
|
|
|
Sounds like it could also be an IOS bug - I've run into bugs where SFP ports don't come up after a device boots.
|
|
#
?
Jun 23, 2016 21:17
|
|
|
err-disable from broadcast storms?
|
|
#
?
Jun 23, 2016 22:43
|
|
|
They used to bug out and come up with the speed and duplex saying 'auto' even though they are running. Then the etherchannel doesn't bundle. Probably fucks up spanning tree too. IOS upgrade fixed that. Our collection of 'G' series items are starting to show tcam and flash failures, which will also often cause reload failure and require a power cycle. Lifetime replacement on those ends soon.
|
|
#
?
Jun 24, 2016 11:53
|
|
|
It's probably the ports in err disable. More of an annoyance than anything
|
|
#
?
Jun 26, 2016 02:10
|
|
|
If you're rebooting switches because of err-disabled ports then enabling err-disable recovery will make them fix themselves automatically after a few minutes.
|
|
#
?
Jun 26, 2016 09:12
|
|
|
Yeah it's not that. There is some horseshit with the controller where they will struggle between down and 1000M for a bit, then run at 100M. Reload clears it. No idea, the cause seems to have something to do with the attached cable and ohmic properties but I can't be bothered to figure it out. Moving it to a new port is faster.
|
|
#
?
Jun 29, 2016 01:06
|
|
|
I have one Core Switch with 16 edge switches going into it. All are Procurve. I just fired up a new VoIP phone system yesterday, and now with 50 simultaneous calls today I'm seeing around 2% packet loss reported by our phone server per call. What is going on? A packet storm or something? Or are the switches just not able to switch this much bandwidth? I'm calling in a network tech for help but yeah I'd at least like to get a handle on what's going on here: code:Zero VGS fucked around with this message at 16:11 on Aug 2, 2016 |
|
#
?
Aug 2, 2016 16:04
|
|
|
What are the switch models and how many clients are you connecting to each port (as in how big are the 'edge' switches)?
|
|
#
?
Aug 2, 2016 17:11
|
|
|
|
| # ? Apr 25, 2024 05:19 |
|
|
Thanks Ants posted:What are the switch models and how many clients are you connecting to each port (as in how big are the 'edge' switches)? The core switch is HP J8693A Switch 3500yl-48G 48 of the gig ports with 10k uplink The edge switches are ProCurve J9089A Switch 2610-48-PWR, 48 of the 100mbit ports with gig uplink Some edge switches have up to all 48 ports used but they average maybe 30 each.
|
|
#
?
Aug 2, 2016 19:06
|
|