|
What are some good books on configuring VRRP and in general networking equipment? I think I've come to the limit of my networking knowledge, but at work I'm being tasked as a "network admin" on top of my normal duties, mainly because it's incredibly hard to find anyone worthwhile around here to interview. I'll explain my problem(s) so that you guys can point me to the resources (books, online courses, etc.) to solve this.

I have the following equipment:
2 3845 routers (with 16 port 10/100 etherswitch)
2 ASA 5520s
2 3750G switches

I have two IP subnets, each with two physical uplinks, an active and a backup, that are basically just uplinks from different switches on the same VLAN:
123.123.123.0/24
123.123.124.0/24

Because we're having half of the network behind the firewalls and the other half in front of them, they are split into the following subnets:
1) 123.123.123.0/25 (dmz)
2) 123.123.123.128/25 (filtered by firewall)
3) 123.123.124.0/25 (dmz)
4) 123.123.124.128/25 (filtered by firewall)

Right now I have network 1 working properly. I also have network 2 assigned on the other side of the firewall, and I'm using router 1 as a switch with a VLAN for the filtered network, and that works fine to distribute to my load balancers. I also have another VLAN set up for network 3 and I am able to ping that interface. The problem I'm having right now is getting network 4 to route to the firewall and filter through like network 2. I'm using the router as an L2 switch right now because that's what I'm used to, so that's what I've been doing, but I think how I'm doing it is fundamentally wrong. Eventually I need to get router 1 and 2 working in an active/passive mode, so that if one router goes down the other will take over and vice versa. In addition to that I also have to have the firewall working in much the same way. What books or resources are there out there for me to find out the best practices and apply them to this network?
Currently it's going through one router, to one firewall, and out another interface to one device and then to the switches.
|
# ¿ Apr 4, 2008 07:35 |
|
|
# ¿ Apr 28, 2024 06:08 |
|
jbusbysack posted:Here's how I envision your physical cabling: The way I currently have it is the ISP terminating into the routers on an L2 VLAN. There are 4 physical connections and I'm putting a link from each subnet on each router on its own VLAN (2 links per router, "primary" and "secondary"). From there I plug them straight down to my ASAs, and from the ASAs I run a line back to each router, which terminate on their own separate VLANs for my "filtered" network. From that separate VLAN for the filtered network I then go to my load balancers and to my switches, which go to my servers. From my ASA I also run a line directly to my switches, but that's really only used to provide a gateway that's not the F5 and to manage the servers etc. over the VPN. Here is a visio I threw together a while back explaining how I think it should be connected to provide the highest availability. I'll throw up some configs once I get in to work today. If the ASAs had 6 ports instead of 4 I would have run one more blue one between the opposite switch and one more orange one between the opposite router, but we'll have to live with this. edit: this image was made for my boss to show the board, it's more pretty than anything, but it does show our physical connections, and each different color is a separate VLAN. Also I'm not asking anyone to solve this for me but to show me where I can find good resources to solve this myself; we're having some contractors come out but that's a few weeks out (scheduling etc.) and they want this done way before then. ElCondemn fucked around with this message at 16:41 on Apr 4, 2008 |
# ¿ Apr 4, 2008 16:38 |
|
I had a weird problem earlier today, not sure if anyone has run into it and knows why it might be happening. I was setting up an ASA 5510 with an l2l vpn tunnel to some crappy checkpoint firewall and while it all looked good yesterday when I left (minus me forgetting to add access lists that allow access between the networks which I had planned to do today), today I come back and find that the connection between the two is broken. running a 'show crypto isakmp sa' gave me something similar to... code:
code:
This isn't something that requires high availability, but I would still like to figure out what could have caused the problem. If anyone has any clues it would be much appreciated. edit: it's possible I had the transform-set wrong in the original config but I could have sworn it wasn't showing any problems yesterday.
|
# ¿ Jun 18, 2009 18:47 |
|
Herv posted:RANCID should do what you want. For hand storing multiple copies of documents you can use Visual Source Safe or CVS or some other version control system. Another recommendation for RANCID, it's essentially a bunch of scripts that run with crontab and dump your configs into CVS or SVN. I have mine setup to be redundant so it'll keep all changes stored in a semi-fault tolerant way. It's great if you have more than one net admin, if any changes are made you're emailed and if it's wrong or stupid you can totally know about it and revert changes if you have to. It also works with all kind of switches and network gear and it's free.
|
# ¿ Jul 7, 2009 18:05 |
|
My philosophy is to use whatever you know and like, and most importantly gets the job done on your desktop but for servers and services you use what makes sense for your environment. If you work for a company that has mostly windows servers try to keep things simple and the same. The more varied your environments the more you'll have to maintain in terms of updates, hot fixes and security. I tend to let the developers or whoever dictate what kinds of systems they want to use for their servers and make suggestions based on what I know. I would however suggest you at least be comfortable with BASH because more often than not you will eventually run into a device that is based on UNIX/Linux/BSD (Load Balancers, DDoS Mitigators, NetFlow Appliances, etc.). Personally I use mainly OSX and sometimes Windows but I know plenty of net admins that use Linux only and Windows only. Also as for something like RANCID for windows... I haven't really used many but I think SolarWinds has something but it costs money.
|
# ¿ Jul 9, 2009 00:36 |
|
Partycat posted:I have a vendor attempting to configure and send us an ASA 5510 . The idea was that we were going to have one interface on the device, publicly addressed (all our stuff is) . The device establishes a tunnel off to somewhere else, we route traffic to it internally for that range on the other end of the tunnel, it spits out the encrypted traffic towards the gateway, and it rolls over the internet. With VPNs you cannot have your peer address in the same subnet as the subnet you're tunneling. How is your firewall (and theirs) supposed to know to transport encrypted traffic over "itself"? You always need an ip on a different subnet for your peer address. Usually it isn't a problem because the address space you're tunneling is usually an internal network but sometimes it isn't.
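A quick way to check a proposed site-to-site VPN for the mistake described above, as an added example (my own code, not anything posted in the thread): it flags any peer address that sits inside a subnet the tunnel is supposed to carry. The peers and subnets are constructed sample values from documentation ranges.

```python
import ipaddress
from typing import Iterable, List


def peer_inside_tunneled_subnets(local_peer: str, remote_peer: str,
                                 local_networks: Iterable[str],
                                 remote_networks: Iterable[str]) -> List[str]:
    """Return a finding for every VPN peer address that falls inside a subnet
    carried by the tunnel (the encryption domain on either side).

    Traffic to such a peer would match the interesting-traffic selector and
    be sent into the tunnel that is still being negotiated with that peer,
    so the tunnel can never come up cleanly.
    """
    findings = []
    peers = {"local peer": ipaddress.ip_address(local_peer),
             "remote peer": ipaddress.ip_address(remote_peer)}
    # strict=False accepts host-bits-set notation such as 198.51.100.5/24
    domain = [(ipaddress.ip_network(n, strict=False), "local") for n in local_networks]
    domain += [(ipaddress.ip_network(n, strict=False), "remote") for n in remote_networks]
    for label, addr in peers.items():
        for net, side in domain:
            # Mixed address families never match, so IPv6 peers are simply skipped.
            if addr in net:
                findings.append(f"{label} {addr} lies inside {side} tunneled subnet {net}")
    return findings


if __name__ == "__main__":
    # Constructed example of the problem: the ASA's public interface address is
    # part of the same publicly addressed range that is routed into the tunnel.
    bad = peer_inside_tunneled_subnets("198.51.100.5", "203.0.113.9",
                                       ["198.51.100.0/24"], ["10.20.0.0/16"])
    for line in bad:
        print("PROBLEM:", line)

    # Constructed example of a sane design: peers on their own transport subnets,
    # internal networks on both sides inside the tunnel.
    good = peer_inside_tunneled_subnets("203.0.113.1", "192.0.2.1",
                                        ["10.0.0.0/24"], ["10.1.0.0/24"])
    print("findings for good design:", good)
```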
|
# ¿ Jul 31, 2009 17:30 |
|
Tony Montana posted:So another little question. I'll start doing my own research into this, but some sage words from people that have been down this road already will probably save me hours with Google. Use RANCID if you want to save and version your running config.
|
# ¿ Aug 10, 2009 08:20 |
|
Tony Montana posted:RANCID doesn't run in Windows. Maybe neither does bash, but I'd like to be able to write customized stuff anyway. In one environment I worked with we used to use perl to manage and monitor our switches; you can use Net::Perl, it's pretty drat easy. There is also Net::Telnet::Cisco, which I think you can use with SSH but it's not "built in"; I think the idea is that you spawn SSH and you direct your I/O to the SSH tty. Perl works just fine under windows too.
|
# ¿ Aug 10, 2009 21:15 |
|
J Crewl posted:Can anyone tell me if anything in the 2800 series can terminate a T3 coax line? I know Cisco recommends a 3845, but funds are sparse for this project so I need to know if I should start looking at re-mans or old gen's, etc. The NM-1A-T3/E3 fits in 2800 and 3800 series routers.
|
# ¿ Sep 15, 2009 03:35 |
|
falz posted:The NM-1T3 is ~$2000 used? If money is an issue, get a PA-T3 or PA-2T3 (~$300 used) for a 7200. I see complete used 7206 VXR's w/ NPE-400 and PA-T3 cards for $2k on ebay, any reputable reseller will probably be in this ballpark. VXR's aren't EOL and will kick the snot out of a 2800. The only downside I see is that they're just physically larger (3u) vs 1-2u for a 2800. If he doesn't need any of the ISR features a 7200 VXR is definitely the way to go.
|
# ¿ Sep 15, 2009 15:54 |
|
lilbean posted:Does anyone have anything positive or negative to say about the ACE modules? I'm currently looking into building a new production environment for eCommerce and a pair of the standalone ACE 4710 devices look like it'll do a ton of poo poo I need - OWASP-compliant scanning (gently caress PCI), SSL termination, load balancing, etc. Plus it's vastly cheaper than the F5 BigIP line I'm using now. I evaluated the ACE a while back, we went with F5 because of some application dependencies that relied on SIP header rewrites. Since then we've solved our application dependency and moved to Netscaler as opposed to F5 or ACE, but feature wise I think the ACE works almost as well as the Netscaler. In the past I've used the CSS and while it worked it could have used more features, the same goes for the ACE. The Netscaler however has pretty much all the features as the F5, including "global" load balancing but missing the ability to rewrite SIP headers and iRules. It depends on what you want feature wise but if all you need is some basic load balancing and maybe SSL offload the ACE should fit you just fine.
|
# ¿ Oct 31, 2009 06:35 |
|
Martytoof posted:Does anyone have any suggestions for a good MacOS serial capable terminal emulator? I have a USB-serial dongle that I can talk to using 'screen', but somehow that always comes off feeling like a pretty inelegant solution. I exclusively use minicom for all my terminal needs, all my cisco, hp, force10 and other random serial devices get configured using minicom. It's much nicer than running hyperterminal under windows (though I use putty when I only have windows), it's like using telnet or ssh.
|
# ¿ Dec 23, 2009 19:10 |
|
InferiorWang posted:Telnet just kicks back a generic could not open connection error and putty says "server unexpectedly closed network connection". It works fine on my boss's laptop (64 bit win seven, same hardware). The asa is configured to allow telnet and ssh connections from my subnet. ASDM doesn't work either, but that's probably a version/java issue. Does SSH work from your boss's laptop?
|
# ¿ Mar 29, 2010 17:48 |
|
I have a VPN setup on a pair of 3845s and I can't seem to get it to work correctly. I have two vlans, one external (vlan11) and one internal (vlan200) I am trying to make traffic coming from the internal vlan traverse the VPN tunnel that is on the external vlan. code:
code:
code:
Maybe I need to use a dynamic routing protocol? How would I even make that work since the VPN isn't an actual interface?
|
# ¿ Apr 22, 2010 22:29 |
|
inignot posted:50% packet loss sounds really specific. When you added the static routes to point the relevant traffic into the VPN, was there a pre-existing set of routes you removed? If there's two sets of routes you may be load balancing between the vpn path and another path. But just now I added the routes back to the second router and it seems to be working fine without packet loss, I have no idea why...
|
# ¿ Apr 23, 2010 19:54 |
|
I have a question about setting up SPAN/Port Mirroring. I understand I can do the port mirror with these commands. code:
I've never had to do this before but we're trying to solve an issue and it looks like the only way to do it is to analyze what's crossing the wire.
|
# ¿ Jul 14, 2010 20:48 |
|
Martytoof posted:Wireshark will just do a dump of raw data that's coming in on the line, so I don't think an IP is even required. You just need to make sure the interface is up and in promiscuous mode. Thanks I'll give it a try, I just wanted to make sure I wasn't missing a big piece of how to do this. I'm assuming if it's VLAN traffic I should just see the dot1q tag in wireshark.
|
# ¿ Jul 14, 2010 21:11 |
|
Bardlebee posted:This is more of just a general network question: I try not to daisy chain just because if one of the switches in the chain is unplugged or goes down for whatever reason, you lose connectivity to everything connected to any of the switches after it. I don't think daisy chaining switches causes extra network traffic though, it just goes through the normal switching process like anything else does.
|
# ¿ Aug 2, 2010 21:17 |
|
BelDin posted:I've been trying to wrap my head around HSRP, and had a question that is probably simpler than I can describe it. I'm pretty sure that EIGRP is not affected by the state of HSRP. You should probably give one route a higher cost so that you know which switch is the active one. edit: didn't notice the next page heh, beaten to death ElCondemn fucked around with this message at 23:28 on Sep 15, 2010 |
# ¿ Sep 15, 2010 23:26 |
|
Are T1 interfaces full-duplex? I'm trying to figure out what our capacity is but serial interfaces don't seem to show duplex settings, I can't seem to find anywhere in the cisco documentation that says our specific T1/E1 vwics are full-duplex or not. We're using VWIC-2MFT-E1, does anyone have any documentation that shows if this is full-duplex or some way to get that information out of the router?
|
# ¿ Nov 11, 2010 20:27 |
|
tortilla_chip posted:They are full duplex in the sense that you have a dedicated send/receive pair. I thought this was the case since the cable diagram shows separate pairs for RX and TX, but I can't seem to find any documentation that explains this. I'm trying to show my bosses what our capacity is, but they don't seem to believe that T1s can have 1.5Mbps down and 1.5Mbps up simultaneously. Is there any documentation that shows this anywhere?
|
# ¿ Nov 11, 2010 21:42 |
|
SamDabbers posted:From the "bandwidth" section: Thanks, I've been searching for specific specs/information about our gear, hopefully this is good enough to make my case.
|
# ¿ Nov 11, 2010 22:15 |
|
I have a VPN between a 3800 and an ASA, on the 3800 side I use HSRP and I terminate the VPN to the HSRP address. The other day I changed the subnet on the interface from a /28 to a /29 and the VPN stopped working. After a few minutes I noticed that the SA was showing the interface IP instead of the HSRP address like it should. I cleared the SA several times but it didn't seem to want to go back to using the HSRP address. The way I fixed it was by removing the crypto map from the interface all together and then re-adding the exact same crypto map without making any changes. Why does changing the subnet cause the VPN to change IPs and why did the fix require removing and re-adding the exact same config?
|
# ¿ Jan 27, 2011 17:28 |
|
Powercrazy posted:When you change interface settings, in this case changing the ip address from a /28 to a /29 it disassociates all crypto_maps from the interface. I suspect if you had checked your running config you would have seen that the crypto_map had been removed. I checked the running config, it didn't remove the crypto map and RANCID doesn't show that it was removed. So it was pretty confusing to see the config looking alright but the actual VPN wasn't working properly. I'll keep that in mind in the future though.
|
# ¿ Jan 27, 2011 19:22 |
|
ruro posted:You'll find bugs all the time. If you're bleeding edge enough you'll be the one reporting them for the first time too! Having worked a lot with F5 and Netscalers I've found at least a few new bugs for each platform. Netscaler has been really good about implementing fixes for me though, which is pretty awesome. As far as Cisco I've only run into one weird buggy issue that I couldn't find info on and they gave me a work around after a few days of debugging (turning off cef on the interface, what?)
|
# ¿ Apr 14, 2011 17:31 |
|
Bob Morales posted:What magical company do you work at? I was going to say I have the exact opposite experience. Usually we're seen as a cost center because we just keep asking for more when what we have "already works". The best part is when something does fail we can tell them exactly why because we proposed a solution to prevent this kind of thing but they chose the cheaper route. We just make the poo poo work, they don't see us as important unless things go wrong.
|
# ¿ Apr 15, 2011 16:38 |
|
Tony Montana posted:Let me just add something, if I already haven't said enough. Honestly your job sounds terrible and you seem like kind of an idiot. You don't need to be an IT mercenary to make a good living or enjoy working. The only part that really sucks about working as a service provider or internal IT is when you have to fight to justify some new expenses for a project to someone who doesn't understand the technology. Unrelated to that, the corp IT guys at work are having trouble with some access points (dlink, not sure the model) and they asked me to take a look. The access points auth with 802.1X to a radius server (IAS) and then they get their DHCP lease from some other windows server. The problem I'm seeing is that the clients can auth but they aren't getting a DHCP lease, rebooting the AP seems to allow new DHCP leases but I don't think that's a viable solution. What kind of access point should I suggest to replace these? I was looking at the aironet 3500 series, and I'm seeing them going for about 600 online. Do I just need the access points or is there more to it? ElCondemn fucked around with this message at 03:17 on Apr 16, 2011 |
# ¿ Apr 16, 2011 03:11 |
|
Thanks for the input guys, I'll do some research on Aruba and Cisco WLC. With the little I've researched so far it looks like it should be pretty straight forward. I've never had to configure any wireless networks before so it should be fun. Are there any specific models I should ask about for roughly 100 active clients? Also yes I run wtfserve.com and I have it on my resume, I also didn't go to college and I don't have any certs. I do pretty well for myself and I like my work.
|
# ¿ Apr 16, 2011 09:15 |
|
Bardlebee posted:So I have recently heard of F5 by hearing someone ask me if I had "F5 experience". I tried to figure out what it was from its product page, but is this something that is new to the network engineering field? Is it another product such like Juniper or Cisco? It's just a load balancer, the big difference between all the platforms is that F5 supports "irules" which is basically just TCL script that lets you do fun stuff like header rewrites and traffic routing. They also have SSL/VPN devices and global DNS appliances. If you want experience with the basics of F5 big-ip they offer a free VM you can use to evaluate it now which is pretty cool. Also I would suggest trying out the Citrix netscaler VM which is also free and allows something like 5Mbps of throughput for free. I personally have a strong dislike for F5 because their support sucks and their iRules and features don't work exactly the same between all their different platforms. Also when I found bugs in their code they wanted us to pay for consulting to resolve the issue. As opposed to Citrix and Cisco, when I found bugs they gave me workarounds as well as escalation to developers who actually fixed the issues and patched them in their next release. ElCondemn fucked around with this message at 00:11 on May 24, 2011 |
# ¿ May 24, 2011 00:06 |
|
jwh posted:Hmm really? I have a handful of BIG-IP hardware with the LTM module and their support guys have been some of the best that I've worked with. I agree that iRules sound great and can be very useful, but there are issues. We had some irules running in our lab environment which were working great; the problem happened when we deployed to our production LTMs. In production we run 6400s, in the lab we have a 1500. They were running the same code base and irules, everything was exactly the same except the IPs and the hardware, but for some reason in the lab the irules worked flawlessly and in production it would do the SDP header rewrite at first and then stop doing it randomly; the only way to make it start working again was to reboot the LTMs. F5 refused to even look at the issue without us paying for an irule contractor from them. I worked with the pre-sales engineer for weeks and with their phone support and they just couldn't help me out. Later we found out, after probing them during those weeks, that their hardware platforms executed different code depending on if hardware ASICs were available or not; clearly it wasn't working right and they never escalated it up to their development group or reported it as a bug. Also there were some just bad support issues, for example, we asked them to explain an issue relating to how IPs are NATing that I solved before they bothered to respond. I hear the newer versions of the code fix a lot of these issues I had a couple years ago, but netscaler just seems better to me. I would suggest learning both because one doesn't always have a choice.
|
# ¿ May 24, 2011 17:14 |
|
Ninja Rope posted:A10's are the only LB's I actually kind of like. Brocade just can't get their poo poo together for IPv6. I had a couple A10 boxes here to evaluate that I never had a chance to because we already paid for F5s. I also had a foundry load balancer that I also didn't get a chance to test out. I really dig the netscalers but it might just be because I dislike F5 so much.
|
# ¿ May 24, 2011 23:37 |
|
Bardlebee posted:Hey my gurus! I was just recently looking into this since I'm taking over our corporate network and there's this white paper on cisco that explains things pretty well http://www.cisco.com/en/US/tech/tk389/tk621/technologies_white_paper09186a0080094cfc.shtml
|
# ¿ Jun 17, 2011 22:27 |
|
Does anyone have any suggestions for a good netflow collector that I can use? Preferably free and that can run on linux if possible, definitely not stuck on any specific platform or price though. Also it should support sflow since I've got some procurves in my network too.
|
# ¿ Aug 8, 2011 21:14 |
|
Powercrazy posted:Rule number one to enjoying your network position. Make sure the network is a revenue generator, not a cost center. So offices of programmers, designers, Engineers etc, aren't where you want to be. Finance (algorithmic/low latency trading) or Service Providers (AT&T, Verizon, etc.) are the ideal places, and coincidentally the only places I'll work unless the pay elsewhere is really good (it won't be). I just took over our corporate network because our old IT director basically just disappeared. I've got to say, only having experience working for datacenters and service providers, office networks are a pain in the rear end. Justifying any kind of cost is nearly impossible. Recently I wanted to justify replacing several servers that were over 6 years old with just a couple modern servers with virtualization and they treated it as though I were proposing a $250,000 network build out. I've kind of given up on getting what I need, but I'll still explain why going the cheap route will cause issues. And when the cheap route does cause issues it's pretty easy for me to say "I told you so". Still sucks having to scramble to fix the problem after they approve my original proposal. Edit: Another reason corporate networks suck is that I can't expect the regular IT people to be knowledgeable about anything. I installed some new switches to replace our mess of netgear unmanaged switches and now every time they have an issue that could be network related, they come and ask me if it could be an issue with the new network. ElCondemn fucked around with this message at 22:06 on Aug 10, 2011 |
# ¿ Aug 10, 2011 22:02 |
|
CrazyLittle posted:Here's one of those rare questions for you guys: You can format any compatible CF card in IOS, but I don't think you can just move and read files between a VXR and ISR. Look up the erase command to format a card. edit: I guess if your goal is to pre-prep the CF card, formatting won't help you out.
|
# ¿ Sep 2, 2011 02:25 |
|
Martytoof posted:Did you type this on an Apple device? He's gotta upgrade his routers to get the good apps man! Sucks that it resets the jailbreak though
|
# ¿ Sep 3, 2011 00:56 |
|
I'm having a weird issue with a new 2951 I'm setting up. In the past I've configured a bunch of 2851s and have used the NME switch modules and they show up no problem. As some of you may know, the newer 2951 has "sm" ports, so to use the NME-16ES-1G module I have to use a sm-nme adapter. When I boot up the 2951 I see the lights on the nme go on and I also can connect cables and get link, but the drat thing isn't showing up anywhere that I can see. For some strange reason it seems to just be creating a gig interface but none of the FE interfaces. quote:Cisco CISCO2951/K9 (revision 1.1) with 2054144K/43008K bytes of memory. Anyone have any ideas?
|
# ¿ Sep 7, 2011 01:06 |
|
Tremblay posted:Can you send me a show tech? Looking at the show inventory I'm seeing the module and it automatically adds the line "hw-module sm 1", but it only adds an unusable gig interface instead of all the FE interfaces. Zuhzuhzombie!! posted:Which iOS are you running? I bought all of this new but the module could definitely be older. edit: Figured it out, I've never used a switch module like this one. It actually has its own configuration separate from the router; it runs its own IOS and everything. To access it from the CLI you have to assign an address to the gi1/0 interface that it creates, and then you can access the cli using this command: service-module gi1/0 session ElCondemn fucked around with this message at 20:03 on Sep 7, 2011 |
# ¿ Sep 7, 2011 18:54 |
|
jbusbysack posted:Really though, questions like that are about how you tackle the problem, which questions you ask and where you approach the troubleshooting. I think this kind of stuff comes with experience. When I read the problem I immediately thought to check the arp table on the switches, but someone that's never had to actually troubleshoot these kinds of issues might not think to start there. Granted I don't think that it should take anyone who understands switching very long to figure out.
|
# ¿ Sep 12, 2011 05:12 |
|
|
abigserve posted:In the context of that question, checking the arp tables on the router is a far more appropriate answer. It doesn't matter whether the router for the segment is a 3750G stack or an 1800, it's still the router. In the context of the question we can probably assume the "firewall" supports both l2 and l3 and probably up to l7. You're being pedantic; should we call the firewall a switch because it does vlans? The point is there are arp entries somewhere that could be pointing to the wrong system. Edit: The question, to me, barely makes sense anyway. The question starts with a firewall, but then goes into a question about vlans. In my eyes the simple question is "I moved the IP from one system to another and I can't reach it now". In my experience when I see a problem like that it's usually an issue with arp. ElCondemn fucked around with this message at 01:58 on Sep 13, 2011 |
# ¿ Sep 13, 2011 01:48 |