psydude
Apr 1, 2008

Heartache is powerful, but democracy is *subtle*.
Are you using QoS?


Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy

psydude posted:

Are you using QoS?

I got a Cisco guy on the phone and we determined that while my predecessors set up QOS for the voice VLAN it wasn't entirely correct. The voice vlan 20 had a "voice" command saved in it, but we also added:

Core Switch:
config t: "qos type-of-service diff-services"
vlan 20: "qos dscp 011110"

Edge Switches:
config t: "qos type-of-service diff-services"
vlan 20: "qos priority 6"

We're only at 20 simultaneous calls right now but things seem to maybe be better; all calls are holding steady at 0% packet loss with a few showing maybe 8 dropped packets every ten minutes. I guess I'll find out the hard way if it worked tomorrow at prime time.

Sir Sidney Poitier
Aug 14, 2006

My favourite actor


I work for an ISP and one of our customers is a multi-tenant campus with many different companies on it. We have a requirement from a company to provide a QinQ service from one of their offices on site to another of their offices on site - importantly they need to be able to pass whatever VLAN tags they like over this circuit.

Ordinarily, this would be a very simple service to deliver - either QinQ if we had layer 2 infrastructure between the two points, or an MPLS xconnect if we had layer 3 infrastructure between the two points. The issue here is that the whole site is fed by a pair of Cisco 6880-X-LE chassis in VSS running 15.2(1)SY0a, with 6800IA-48FPD switches configured as fabric extensions. In essence, the entire estate is operating as one device. Is anyone aware of a method by which I can set this service up on this platform? Have a port on one FEX interface into which the customer can send any and all traffic, only to have it emerge in the same state on another FEX port of the same core? Obviously we also need to keep this isolated from our own traffic and that of our other customers.

I'm pretty new to the platform so if there's any more detail you need me to provide I can probably find it out.

tortilla_chip
Jun 13, 2007

k-partite
Can you configure EVCs on the FEX ports? If so just tie them into the same bridge domain and allow all encaps across.

jwh
Jun 12, 2002

Anjow posted:

I work for an ISP and one of our customers is a multi-tenant campus with many different companies on it. We have a requirement from a company to provide a QinQ service from one of their offices on site to another of their offices on site - importantly they need to be able to pass whatever VLAN tags they like over this circuit.

Ordinarily, this would be a very simple service to deliver - either QinQ if we had layer 2 infrastructure between the two points, or an MPLS xconnect if we had layer 3 infrastructure between the two points. The issue here is that the whole site is fed by a pair of Cisco 6880-X-LE chassis in VSS running 15.2(1)SY0a, with 6800IA-48FPD switches configured as fabric extensions. In essence, the entire estate is operating as one device. Is anyone aware of a method by which I can set this service up on this platform? Have a port on one FEX interface into which the customer can send any and all traffic, only to have it emerge in the same state on another FEX port of the same core? Obviously we also need to keep this isolated from our own traffic and that of our other customers.

I'm pretty new to the platform so if there's any more detail you need me to provide I can probably find it out.

One idea would be to take two ports on your 6880s and just set them both up with your 'transit' vlan, then cable the two of them together. That should give you the ability to have qinq packets encapsulated, leave the switch, then be received by the same switch for decapsulation.

I'm not entirely sure it'll work with that particular platform, but people have used this trick before.

ragzilla
Sep 9, 2005
don't ask me, i only work here


Anjow posted:

Is anyone aware of a method by which I can set this service up on this platform? Have a port on one FEX interface into which the customer can send any and all traffic, only to have it emerge in the same state on another FEX port of the same core? Obviously we also need to keep this isolated from our own traffic and that of our other customers.

I'm pretty new to the platform so if there's any more detail you need me to provide I can probably find it out.

Assuming you have control of the 6880s, what's stopping you from creating a new VLAN, assigning the ports to it, and setting them as mode dot1q-tunnel? Seems q-in-q is supported on 6880 still.

drewmoney
Mar 11, 2004
I have two Cisco ASA 5505's in a test environment. I want them to have the same configuration on each, with one minor difference between them. Hopefully the difference is something that's a bit difficult to find through "normal" means. Anyone have any suggestions? I'm only running them with a basic license so can't do things like Failover.

Long shot but is anyone able to supply me configs to use?

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
What's the purpose of the minor difference? Is it for training purposes or to be able to differentiate them?

drewmoney
Mar 11, 2004

Sepist posted:

What's the purpose of the minor difference? Is it for training purposes or to be able to differentiate them?

My company scans configurations and then displays differences between them. So want something to scan the configuration and show "Hey look, A is different to B but shouldn't be!".

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
Well since they're not in failover mode the IP addressing will be different. You can add an ACL without referencing it if you want something more than an interface:

access-list firewall-mcfirewallface extended permit ip any any

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Are you just talking about RANCID and diffs viewable via email and or a web svn viewer?

ate shit on live tv
Feb 15, 2004

by Azathoth

drewmoney posted:

I have two Cisco ASA 5505's in a test environment. I want them to have the same configuration on each, with one minor difference between them. Hopefully the difference is something that's a bit difficult to find through "normal" means. Anyone have any suggestions? I'm only running them with a basic license so can't do things like Failover.

Long shot but is anyone able to supply me configs to use?

Can you give them different Config-Registers. I don't think those show up on Rancid diffs.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Config reg does show up in rancid. If something doesn't, 3.x makes it really easy to add a new user defined command to run anyway.

ate shit on live tv
Feb 15, 2004

by Azathoth
Well it won't show up in the running-config, but it would show up in "show version" etc.

Methanar
Sep 26, 2013

by the sex ghost
I need to scrape the output of show mac address-table. I'm accessing the switch through a Linux jump box. I need to be able to dump the output of my show command to a file on the jump box so I can further manipulate the data.

What is the proper way of scripting this? Preferably Bash.

1000101
May 14, 2003

BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY FRUITCAKE!
you could just do:

script myrun.out

ssh user@yourdevice

show mac address-table
show ANYTHINGELSE

exit
exit

This would create a text file called myrun.out on your jump box. Then you can clean that up and figure out what combinations of regex you need to get your data out that you care about.

Methanar
Sep 26, 2013

by the sex ghost

1000101 posted:

you could just do:

script myrun.out

ssh user@yourdevice

show mac address-table
show ANYTHINGELSE

exit
exit

This would create a text file called myrun.out on your jump box. Then you can clean that up and figure out what combinations of regex you need to get your data out that you care about.

That's kind of cool, I never knew about the script command. Is there any good way of encapsulating the whole thing into a bash script? I tried a few things but it would hang after the script command. My goal is to automate a system to pull mac addresses and port numbers from a whole bunch of switches to be further processed and ultimately used to generate configurations for a convoluted PXE boot process, all in the same pipeline.

ragzilla
Sep 9, 2005
don't ask me, i only work here


Methanar posted:

I need to scrape the output of show mac address-table. I'm accessing the switch through a Linux jump box. I need to be able to dump the output of my show command to a file on the jump box so I can further manipulate the data.

What is the proper way of scripting this? Preferably Bash.

If you really just want to run the single command:

ssh <device> 'show mac address-table dynamic'

You'll need to filter for MAC addresses because you'll get banner/headers/etc.
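An added example of that filtering step (not code from anyone in the thread): it takes the raw text that `ssh <device> 'show mac address-table dynamic'` returns, skips the banner, header and summary lines, and yields VLAN/MAC/port tuples for the kind of PXE pipeline Methanar describes. The sample output is constructed, the column layout assumes Catalyst IOS formatting, and treating `Po` interfaces as uplinks is an assumption.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample of what the ssh command returns: banner, column headers
# and the trailing summary arrive together with the entries. Values are made up.
SAMPLE_OUTPUT = """\
* Authorised access only *
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4466    DYNAMIC     Gi1/0/2
  20    aabb.ccdd.eeff    DYNAMIC     Po1
  20    0011.2233.4455    DYNAMIC     Po1
Total Mac Addresses for this criterion: 4
"""


class MacEntry(NamedTuple):
    vlan: int
    mac: str   # normalised to colon-separated lowercase, e.g. 00:11:22:33:44:55
    port: str


# One IOS-style entry: VLAN number, dotted-hex MAC, type, port name.
# Header, separator, banner and summary lines fail this match and are dropped.
ENTRY_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(?P<kind>\S+)\s+"
    r"(?P<port>\S+)\s*$"
)


def normalise_mac(dotted: str) -> str:
    """Convert 0011.2233.4455 to 00:11:22:33:44:55, the form DHCP/PXE configs expect."""
    hexdigits = dotted.replace(".", "").lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> List[MacEntry]:
    """Extract (vlan, mac, port) from raw `show mac address-table` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(MacEntry(int(m["vlan"]), normalise_mac(m["mac"]), m["port"]))
    return entries


def access_port_macs(entries: List[MacEntry], uplinks: Tuple[str, ...] = ("Po",)) -> List[MacEntry]:
    """Drop entries learned on uplink/port-channel interfaces: a MAC seen there sits
    behind another switch, so it is not a host you can map to a local port."""
    return [e for e in entries if not e.port.startswith(uplinks)]


if __name__ == "__main__":
    for entry in access_port_macs(parse_mac_table(SAMPLE_OUTPUT)):
        print(f"vlan {entry.vlan}: {entry.mac} on {entry.port}")
```

Feed it `subprocess.run(["ssh", device, "show mac address-table dynamic"], capture_output=True, text=True).stdout` per switch, or the text a paramiko/pexpect session captures, and the parsing is the same.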

Methanar
Sep 26, 2013

by the sex ghost

ragzilla posted:

If you really just want to run the single command:

ssh <device> 'show mac address-table dynamic'

You'll need to filter for MAC addresses because you'll get banner/headers/etc.

I've been wasting like 2 hours trying to nest Expect into a bash script to get this to work quite right and that's all I needed.

I might still need to embed Expect somehow to automate the SSH password part.

1000101
May 14, 2003

BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY FRUITCAKE!

Methanar posted:

I've been wasting like 2 hours trying to nest Expect into a bash script to get this to work quite right and that's all I needed.

I might still need to embed Expect somehow to automate the SSH password part.

At that point I might look at using Python's paramiko library.

ElCondemn
Aug 7, 2005


Methanar posted:

I've been wasting like 2 hours trying to nest Expect into a bash script to get this to work quite right and that's all I needed.

I might still need to embed Expect somehow to automate the SSH password part.

This is the expect script I use, probably found a sample online and modified it for my own needs. I've since modified it for use with all kinds of systems. You could also use RANCID clogin to get similar results.

code:
#!/usr/bin/expect -f
#
# Connect to SSH server and execute command script
# Usage ./cisco_connect.sh <host> <command file>

set timeout -1

if { $argc != 2 } {
    puts "Usage $argv0 <host> <command file>"
    exit 1
}

set user "<username>"
set pass "<password>"
set enablepass "<enable>"

set server [lindex $argv 0]
set cmdfile [lindex $argv 1]


# Load Commands
if { [catch {set cmdfilehandler [open $cmdfile r]} err_msg] } {
        puts stderr "Could not open $cmdfile for reading\n$err_msg"
        exit 1
}

set commands [read $cmdfilehandler 10000]
close $cmdfilehandler

# Connect to server via ssh
send_user "connecting to $server\n"
spawn ssh $user@$server

# Login
expect {
        "(yes/no)? " {
                send "yes\n"
                expect {
                        "assword: " {
                                send "$pass\n"
                                expect {
                                        ">" { }
                                        "$" { }
                                        "#" { }
                                }
                        }
                }
        }
        "assword: " {
                send "$pass\n"
                expect {
                        ">" { }
                        "$" { }
                        "#" { }
                }
        }
        default {
                send_user "Login failed\n"
                exit
        }
}

expect {
        ">" {}
        default {}
}

send "enable\n"

# Enable
expect {
        "assword: " {
                send "$enablepass\n"
                expect {
                        ">" { }
                        "$" { }
                        "#" { }
                }
        }
        default {
                send_user "Login failed\n"
                exit
        }
}

send "terminal length 0\n"
send "terminal width 0\n"

# Send Commands
foreach line [split $commands \n] {
        send "$line\n"

        expect {
                "#" {}
                default {}
        }
}

expect {
        "#" {}
        default {}
}

# Logout
send "exit\n"

expect {
        "#" {}
        default {}
}

send_user "finished\n"

RANCID
code:
clogin -c 'show mac address-table dynamic' router1 router2 router3

ragzilla
Sep 9, 2005
don't ask me, i only work here


1000101 posted:

At that point I might look at using Python's paramiko library.

Or if you want expect like semantics, pexpect.

tortilla_chip
Jun 13, 2007

k-partite
NAPALM is nice too. It's unfortunate that IOS doesn't support structured I/O (still)

MrMoo
Sep 14, 2000

Methanar posted:

I might still need to embed Expect somehow to automate the SSH password part.

Just add SSH keys, simplifies everything?

Partycat
Oct 25, 2004

MrMoo posted:

Just add SSH keys, simplifies everything?

And you do that with switches and routers, how?

You can also use eem and kron to reverse connect to you and send you info.

1000101
May 14, 2003

BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY FRUITCAKE!

Partycat posted:

And you do that with switches and routers, how?

You can also use eem and kron to reverse connect to you and send you info.

ip ssh pubkey-chain
username foo
key-string
YOURPUBLICKEYHERE
exit
exit

edit:
My one wish is that I could store my pubkey in TACACS+ :( someone please tell me I just haven't figured out how yet...

ragzilla
Sep 9, 2005
don't ask me, i only work here


tortilla_chip posted:

NAPALM is nice too. It's unfortunate that IOS doesn't support structured I/O (still)

Some platforms have NETCONF support, not sure how widespread it is.

ate shit on live tv
Feb 15, 2004

by Azathoth

1000101 posted:

ip ssh pubkey-chain
username foo
key-string
YOURPUBLICKEYHERE
exit
exit

edit:
My one wish is that I could store my pubkey in TACACS+ :( someone please tell me I just haven't figured out how yet...

I'm pretty sure you'd need to have a Kerberos setup to automate that.

CrazyLittle
Sep 11, 2001





Clapping Larry
I was looking around for some switches, and I notice that there's a bunch of Cisco Nexus 7k's on eBay getting sold for seemingly ridiculously low prices. Is there something I'm missing here? Are these things getting dumped for some reason?

ragzilla
Sep 9, 2005
don't ask me, i only work here


CrazyLittle posted:

I was looking around for some switches, and I notice that there's a bunch of Cisco Nexus 7k's on eBay getting sold for seemingly ridiculously low prices. Is there something I'm missing here? Are these things getting dumped for some reason?

Is it older Sup1/F1 stuff? If so probably due to them being retired for newer kit, and being out of new smartnet attachment period.

psydude
Apr 1, 2008

Heartache is powerful, but democracy is *subtle*.
TIL: don't source SPAN sessions from multiple VLANs in an instant access setup.

CrazyLittle
Sep 11, 2001





Clapping Larry

ragzilla posted:

Is it older Sup1/F1 stuff? If so probably due to them being retired for newer kit, and being out of new smartnet attachment period.

Ah yeah that's what it was. Thanks

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k

psydude posted:

TIL: don't source SPAN sessions from multiple VLANs in an instant access setup.

Bug? Architecture limitation?

psydude
Apr 1, 2008

Heartache is powerful, but democracy is *subtle*.

Sepist posted:

Bug? Architecture limitation?

Since the control plane for the 6800IA switches is managed by the IA parent, configuring a VLAN as a source will draw traffic from every single switch port in the infrastructure configured with that VLAN.

jwh
Jun 12, 2002

psydude posted:

Since the control plane for the 6800IA switches is managed by the IA parent, configuring a VLAN as a source will draw traffic from every single switch port in the infrastructure configured with that VLAN.

Yikes, that's not good.

How are the 6800IA switches? I've been out of the game for a while now, since going over to a firewall company.

ate shit on live tv
Feb 15, 2004

by Azathoth
They have to be a legacy clusterfuck since afaik, a 6800 is just a 6509 backplane with all the limitations therein.

psydude
Apr 1, 2008

Heartache is powerful, but democracy is *subtle*.

Powercrazy posted:

They have to be a legacy clusterfuck since afaik, a 6800 is just a 6509 backplane with all the limitations therein.

The new Sup6s are supposed to be better. On the whole they're not too bad; it's nice to have a central point of management with the whole FEX thing and VSS is easier to manage than VPC (no HSRP, etc.).

Cisco's discontinuing them in a few years though, since they don't support ~SDN~ and everyone knows how important SDN is in campus switching.

e: I'm still a big fan of 9ks at the core and 36/3850s for access.

ragzilla
Sep 9, 2005
don't ask me, i only work here


psydude posted:


e: I'm still a big fan of 9ks at the core and 36/3850s for access.

Have you looked at the 900s/920s? I have a serious love affair going on with the 920 platform. EVC and double tag matching in a sub 2k platform? Yes please. And MPLS for not much money either.

Methanar
Sep 26, 2013

by the sex ghost
What is the best way to do a shitload of 1:1 Natting?

Say up to 40gbit worth.

Just IPtables with big network adapters and routes pointing for each network?

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.2 -j SNAT --to-source 11.1.1.1
iptables -t nat -A PREROUTING -i eth0 -d 11.1.1.1 -j DNAT --to-destination 192.168.1.2
iptables -A FORWARD -s 11.1.1.1 -j ACCEPT
iptables -A FORWARD -d 192.168.1.2 -j ACCEPT


ElCondemn
Aug 7, 2005


Methanar posted:

What is the best way to do a shitload of 1:1 Natting?

Say up to 40gbit worth.

Just IPtables with big network adapters and routes pointing for each network?

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.2 -j SNAT --to-source 11.1.1.1
iptables -t nat -A PREROUTING -i eth0 -d 11.1.1.1 -j DNAT --to-destination 192.168.1.2
iptables -A FORWARD -s 11.1.1.1 -j ACCEPT
iptables -A FORWARD -d 192.168.1.2 -j ACCEPT

Pretty much, you can look into BIRD or Quagga for dynamic routing protocols.
