CrazyLittle
Sep 11, 2001
Clapping Larry

Bob Morales posted:

It probably wouldn't be the worst gig in the world.

On one hand, you'd probably get to set a lot of stuff up that you wouldn't at a bigger place.

Most of those places basically NEED Microsoft and Cisco certified people to keep their business partner status up. They can't use their logos etc if they don't.

yeah, but it sounds like the position they're interviewing for is a dead-end.


Bob Morales
Aug 18, 2006
Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

CrazyLittle posted:

yeah, but it sounds like the position they're interviewing for is a dead-end.

Might be. But depending on the company you could work through some more certs and have access to a lot of equipment. Plus if you can be the 'golden boy' at a mom n pop shop you can write your own check and run the show.

ate shit on live tv
Feb 15, 2004

by Azathoth
unfortunately the biggest check you could write would be for $2.19, and you would never have the budget for any equipment, let alone a lab of any kind. Do it live or don't do it at all.


Not to say a place like that is worthless, but if you work at one of those places it should be strictly short term.

jbusbysack
Sep 6, 2002
i heart syd

Powercrazy posted:

unfortunately the biggest check you could write would be for $2.19, and you would never have the budget for any equipment, let alone a lab of any kind. Do it live or don't do it at all.


Not to say a place like that is worthless, but if you work at one of those places it should be strictly short term.

All of this above. Cut your teeth on mid-market stuff but you'll have the room to grow in large enterprise environments.

For reference: my current lab has more 7200VXRs, 3550s and 6500s than I even know what to do with. Even after building out an entire MPLS-provider transit network there is still gear left over that I don't know what to do with. My previous position in consulting was difficult to even get a single spare 3750 to play with, let alone build an entire lab.

Bottom line, use your environment wisely.

CrazyLittle
Sep 11, 2001
Clapping Larry
What kind of NPEs do you have in your 7200s? I'm trying to convince my boss to upgrade to NPE-G2s

jbusbysack
Sep 6, 2002
i heart syd

CrazyLittle posted:

What kind of NPEs do you have in your 7200s? I'm trying to convince my boss to upgrade to NPE-G2s

NPE-300 and 400s in lab and smaller sites, G2s in core site backups, ASR-1002 now in core sites primary.

CrackTsunami
Sep 21, 2004
I enjoy the eating of babies.
e

CrackTsunami fucked around with this message at 06:29 on Mar 20, 2011

fordan
Mar 9, 2009

Clue: Zero

Bardlebee posted:

They mentioned something about sometimes students will switch out the ports on their switch or something. But, I just don't understand why you WOULDN'T have spanning-tree running.

Because you're running TRILL?
Because the network is dead simple and architected so you don't see redundant links?
ummm, because someone misconfigured something causing an outage, blamed it on spanning tree, so the boss said never run that again?

ragzilla
Sep 9, 2005
don't ask me, i only work here


fordan posted:

Because you're running TRILL?

RBridges still run spanning-tree somewhat (to discover the root bridge on a link), they just don't encapsulate or transmit bpdus (unless they're trying to partition a bridged segment, or trigger a topology change in a bridged segment when they lose appointed forwarder status).

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR

Bardlebee posted:

Anyone have an idea what the hell?

Why they wouldn't use spanning tree? No idea. Other than maybe they want to have a huge headache when some hardware fails.

As someone else mentioned, spanning-tree port-fast and switchport port-security violation restrict will solve issues of douche nozzles loving with your switch.

Bumping my Q

Could someone give me an idea on BE and BC when it comes to setting policy maps?

Example:

Let's say I have a customer requesting a 300mb connection.

code:
policy-map police-300mb
  class access-match
   police cir 300000000 bc 7812500 be 15625000 conform-action transmit exceed-action drop violate-action drop policy-map
This is what I currently see on the hardware. CIR limits the bandwidth to 300mb, correct? BE is excess burst, correct? Meaning if there is some congestion they could go over their limit by roughly 15mb?

What I don't understand is why CIR is in bits, but bc and be are in bytes.

Badgerpoo
Oct 12, 2010

Zuhzuhzombie!! posted:

Why they wouldn't use spanning tree? No idea. Other than maybe they want to have a huge headache when some hardware fails.

As someone else mentioned, spanning-tree port-fast and switchport port-security violation restrict will solve issues of douche nozzles loving with your switch.

We suffered a major failure this morning caused by spanning tree. It looks like a PCI-E network card in a server on our HPC network failed somehow and bridged the two separate links on that machine. This caused the links on the switch to start blocking/forwarding the two affected ports (Even though they are in different vlans). This seems to have snowballed out of control to the point when the spanning tree traffic completely took out the CPU of all the switches on this network and the routers too. Unfortunately for us these switches are connected directly into our core router so this took out connectivity for pretty much the whole campus. One switch even had to be restarted to make it work properly again. Oops!

Was exciting trying to figure out exactly what was causing our router to not even respond on the supervisor console port...

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR
I had a very very similar issue like that. A PoE phone was bad. It worked fine whenever it was on an unpowered 3550 and had its own power source. When we upgraded everything to 3750s and had all phones powered by PoE, this one phone basically started a spanning tree loop that brought down the entire intranet for our main office.


Took a good 5 hours to figure that out.

some kinda jackal
Feb 25, 2003

New (?) Switch guide just hit my inbox:

http://www.cisco.com/en/US/prod/switches/ps5718/ps708/networking_solutions_products_genericcontent0900aecd805f0955.pdf

Everyone loves reading about hardware, right?

Enjoy! :3:

CheeseSpawn
Sep 15, 2004
Doctor Rope

Zuhzuhzombie!! posted:

Could someone give me an idea on BE and BC when it comes to setting policy maps?

Example:

Let's say I have a customer requesting a 300mb connection.

code:
policy-map police-300mb
  class access-match
   police cir 300000000 bc 7812500 be 15625000 conform-action transmit exceed-action drop violate-action drop policy-map
This is what I currently see on the hardware. CIR limits the bandwidth to 300mb, correct? BE is excess burst, correct? Meaning if there is some congestion they could go over their limit by roughly 15mb?

What I don't understand is why CIR is in bits, but bc and be are in bytes.


I haven't worked much off our policy maps for rate limiting but on our end the bc matches the be values. According to the Cisco Press book, "the cir and bc keywords define the first token bucket. be defines the second token bucket." So I guess when we keep bc and be values the same, we keep a single token bucket since it's a single rate policer?

CIR is in bits and bursts are in bytes because that's just Cisco being Cisco.
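To make the units question concrete, here is a small policer simulation added as an example (it is not from the thread and not Cisco code): it models the two-bucket single-rate policer that `police cir X bc Y be Z` configures (RFC 2697 srTCM semantics), using the values from the quoted policy-map. The rate is bits per second, but the buckets hold bytes because every packet spends one token per byte, so the conform bucket refills at cir/8 bytes per second and bc is simply the number of bytes the CIR carries in one burst window. The packet sizes, counts and stream rates below are constructed inputs; with exceed-action and violate-action both set to drop, only the "conform" packets would actually be forwarded.

```python
"""Single-rate, two-bucket policer modelling Cisco 'police cir X bc Y be Z'
(RFC 2697 srTCM semantics). cir is bits/s; bc and be are bucket depths in
bytes because tokens are spent per byte of packet, refilled at cir/8 bytes/s."""
from dataclasses import dataclass


@dataclass
class Policer:
    cir: int           # committed rate, bits per second
    bc: int            # committed burst (conform bucket depth), bytes
    be: int            # excess burst (exceed bucket depth), bytes
    t_c: float = 0.0   # tokens currently in the conform bucket
    t_e: float = 0.0   # tokens currently in the excess bucket
    last: float = 0.0  # time of the last refill, seconds

    def __post_init__(self):
        self.t_c, self.t_e = float(self.bc), float(self.be)  # buckets start full

    def _refill(self, now):
        # Bytes the CIR would have carried since the previous packet.
        add = (now - self.last) * self.cir / 8.0
        self.last = now
        # The conform bucket fills first; its overflow spills into the excess bucket.
        spill = max(0.0, self.t_c + add - self.bc)
        self.t_c = min(float(self.bc), self.t_c + add)
        self.t_e = min(float(self.be), self.t_e + spill)

    def police(self, now, size):
        """Colour a packet of `size` bytes arriving at `now` seconds."""
        self._refill(now)
        if size <= self.t_c:
            self.t_c -= size
            return "conform"
        if size <= self.t_e:
            self.t_e -= size
            return "exceed"
        return "violate"


def tc_seconds(cir, bc):
    """Time the CIR needs to carry bc bytes: the policer's burst window."""
    return bc * 8 / cir


def classify(cir, bc, be, count, size, rate_bps=None):
    """Send `count` packets of `size` bytes through a fresh policer: back-to-back
    when rate_bps is None, otherwise evenly spaced to run at rate_bps."""
    p = Policer(cir, bc, be)
    gap = 0.0 if rate_bps is None else size * 8 / rate_bps
    counts = {"conform": 0, "exceed": 0, "violate": 0}
    for i in range(count):
        counts[p.police(i * gap, size)] += 1
    return counts


# Values from the policy-map quoted in the thread.
CIR, BC, BE = 300_000_000, 7_812_500, 15_625_000

if __name__ == "__main__":
    print("burst window: %.3f s" % tc_seconds(CIR, BC))
    print("40000 x 1500B back-to-back:", classify(CIR, BC, BE, 40000, 1500))
    print("10000 x 1500B at CIR:      ", classify(CIR, BC, BE, 10000, 1500, CIR))
    print("40000 x 1500B at 2x CIR:   ", classify(CIR, BC, BE, 40000, 1500, 2 * CIR))
```

The back-to-back burst shows bc and be directly in bytes (about 5208 and 10416 full-size frames), while the 2x CIR stream shows that once the conform bucket has drained, the long-run conform share settles at the CIR and be only buys a one-time extra burst, not a sustained 15 MB of headroom.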

ate shit on live tv
Feb 15, 2004

by Azathoth

Zuhzuhzombie!! posted:

I had a very very similar issue like that. A PoE phone was bad. It worked fine whenever it was on an unpowered 3550 and had its own power source. When we upgraded everything to 3750s and had all phones powered by PoE, this one phone basically started a spanning tree loop that brought down the entire intranet for our main office.


Took a good 5 hours to figure that out.

Whenever you have spanning tree loops you have to figure out where the TC Frames are coming from. Usually this is pretty easy as TC frames are always layer2, which means everything is restricted to one collision domain.

The other tip is to always use per-vlan spanning tree, this prevents say a lovely phone from sending TC frames on your primary vlan. The other thing you need to do during a spanning tree loop is to break the loop. That usually involves reloading or at least isolating one of the core switches. Once the loop is broken it should take around 45 seconds to be up and running again.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
Quick question, think I know the answer. How fast does STP detect a loop? Is it whatever the hello timer is set to? Customer is introducing a Netgear 1Gbps switch to their distro switchstack and it's causing a loop, I don't think STP is picking up the loop quick enough and blocking the second uplink; the customer disconnects the second uplink before I can diagnose because it's bringing the network down each time.

I'm thinking they need to remove any devices off the netgear switch, introduce the switch long enough for STP to update the topology and then plug everything back in.

jwh
Jun 12, 2002

Well, it should detect the loop before it moves the port into a forwarding state. That's what the listening state is for.

ate shit on live tv
Feb 15, 2004

by Azathoth
They probably have spanning tree turned off, as, like jwh said, traffic will not be forwarded until a loop-free topology is confirmed.

BelDin
Jan 29, 2001
I know this is sort of an odd question, but I figured I'd give it a shot before experimenting.

I am running a simple three layer design network, gateways on a distribution layer with hsrp, and all the other goodies like EIGRP.

I have a legacy network that has a PIX for a router, and has a non-standard gateway interface address (192.168.0.2 to a remote network 192.168.1.0/24).

The simple part: In order to move the old VLAN/subnet under the new network design, I'm going to create the configurations on the distribution switches to serve out the old gateway address (192.168.1.1) for the existing clients.

The head scratcher: Some hosts in other subnets (like 192.168.0.0) use a static persistent route on the hosts to get to the 192.168.1.0 subnet (route 192.168.1.0 gw 192.168.0.2). Can I create a secondary IP address in the same subnet to serve as the legacy gateway address?

Here's what I'm thinking:

interface VLAN 10
description interface to LAN 1
ip address 192.168.0.3 255.255.255.0
standby 1 ip 192.168.0.1
standby 1 ip 192.168.0.2 secondary

If I understand correctly, this will allow HSRP to serve up two gateway addresses on the same subnet, and all traffic will return on the primary address to the local subnet.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k

Powercrazy posted:

They probably have spanning tree turned off, as, like jwh said, traffic will not be forwarded until a loop-free topology is confirmed.

They're using pvst, the main switch shows the current link as part of pvst, and they're both configured the same, with the exception of the secondary switch having a higher cost

interface GigabitEthernet0/13
switchport access vlan 5
switchport mode access
spanning-tree cost 200000

At this point I'm going to need to run a debug spanning-tree event and see what happens when I plug it in.

Bob Morales
Aug 18, 2006

Is there a site I can look up a MD5 password hash from a device? I know the simpler password system is easily decrypted.

I have the configuration file and could just reset the router and re-load it, but this would be easier and there'd be no downtime.

fordan
Mar 9, 2009

Clue: Zero

Bob Morales posted:

Is there a site I can look up a MD5 password hash from a device? I know the simpler password system is easily decrypted.

I have the configuration file and could just reset the router and re-load it, but this would be easier and there'd be no downtime.

For practical purposes, MD5 is not reversible. I was going to write a bunch of stuff about rainbow tables to break hash functions, but really, you're just going to need to do a password recovery on it.

Bob Morales
Aug 18, 2006

fordan posted:

For practical purposes, MD5 is not reversible. I was going to write a bunch of stuff about rainbow tables to break hash functions, but really, you're just going to need to do a password recovery on it.

I know it's not reversible, I thought there was a site that had a table for it where you could look it up.

ragzilla
Sep 9, 2005
don't ask me, i only work here


Bob Morales posted:

I know it's not reversible, I thought there was a site that had a table for it where you could look it up.

It's salted MD5, so rainbow tables aren't really appropriate (unless someone generated the ~ 2^24 tables for all the possible salts for Cisco's 4 char salted md5 scheme)

ate shit on live tv
Feb 15, 2004

by Azathoth
Yea the md5 on cisco switches/routers for all intents and purposes isn't crackable, sorry.

ate shit on live tv
Feb 15, 2004

by Azathoth
Is there a version of code that will allow etherchannels on 3560G's to be pvlan host ports? It looks like some specific 6500 linecards and code revs will support it, but I'm not sure about a 3560.

Any idea?

Badgerpoo
Oct 12, 2010
What code version are you running? I'll have a look at a dev switch tomorrow...

ate shit on live tv
Feb 15, 2004

by Azathoth
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(25)SEB4, RELEASE SOFTWARE (fc1)

But I can upgrade to anything if it will support etherchannel pvlans.

Bob Morales
Aug 18, 2006

Bob Morales posted:

We have a 'new' Cisco 891 that we're going to use to replace a Linksys RV082. Any tips or warnings?

Did they buy the wrong router? This one looks like it's more for a remote user/office to connect to headquarters.

http://www.cisco.com/en/US/prod/collateral/routers/ps380/data_sheet_c78-519930.html

We're the 'main office' and we just need PPTP connectivity for one remote (Windows) user. Currently there is a Linksys router doing this (RV082), but I don't see the ability for this new router to do it in the above datasheet. Should I use another type of VPN or just drop m0n0wall in here using an old PC?

jwh
Jun 12, 2002

That 891 can do all manner of remote VPN. You should be fine. I think without additional licensing, you can do a single SSL-based VPN client. Look up IOS WebVPN.

jwh
Jun 12, 2002

I turned up some additional transit with Cogent the other day, and I hadn't before seen their approach to BGP:

You have a /30, and you neighbor with the other end of the /30, which they term the 'A' peer. That peer advertises you a /32 to their route-server, which you ebgp-multihop with, and that gives you the routes you're actually taking from Cogent.

It was a neat idea, but I had never before seen that type of design.

ragzilla
Sep 9, 2005
don't ask me, i only work here


jwh posted:

I turned up some additional transit with Cogent the other day, and I hadn't before seen their approach to BGP:

You have a /30, and you neighbor with the other end of the /30, which they term the 'A' peer. That peer advertises you a /32 to their route-server, which you ebgp-multihop with, and that gives you the routes you're actually taking from Cogent.

It was a neat idea, but I had never before seen that type of design.

It's because their A-peer doesn't hold full tables (they run a smart core, dumb edge design).

jwh
Jun 12, 2002

That's what I gathered. Kind of interesting.

ate shit on live tv
Feb 15, 2004

by Azathoth
Sounds pretty ghetto to me tbqh. But I suppose that would be the way to do it if you have a small rural pop or something. You'd throw a 2811 or even just a MetroE capable switch, like a 3400Metro in the basement with a fiber running to it. Run BGP with the switch that would advertise the route server and then get your routes from the core.

ragzilla
Sep 9, 2005
don't ask me, i only work here


Powercrazy posted:

Sounds pretty ghetto to me tbqh. But I suppose that would be the way to do it if you have a small rural pop or something. You'd throw a 2811 or even just a MetroE capable switch, like a 3400Metro in the basement with a fiber running to it. Run BGP with the switch that would advertise the route server and then get your routes from the core.

The Cogent POP next door was a GSR 12008 (E0 LCs) and a 3508 ~ 3 years ago. Don't know if they've upgraded since then. This was a relatively new POP as well.

tortilla_chip
Jun 13, 2007

k-partite
For recent small on-net deployments it's a 7609 for L3, and then a 4900M and ME3400 for L2.

jwh
Jun 12, 2002

We have an ONT from Calix, actually.

We're in Western Massachusetts, and our Layer-3 termination on this thing is in Stamford, CT.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR

Powercrazy posted:

Whenever you have spanning tree loops you have to figure out where the TC Frames are coming from. Usually this is pretty easy as TC frames are always layer2, which means everything is restricted to one collision domain.

The other tip is to always use per-vlan spanning tree, this prevents say a lovely phone from sending TC frames on your primary vlan. The other thing you need to do during a spanning tree loop is to break the loop. That usually involves reloading or at least isolating one of the core switches. Once the loop is broken it should take around 45 seconds to be up and running again.

Isn't PVST on automatically?

Also, we use Calix ONTs for fiber and have somewhat high fail rate with them. We also use Myrio for our IPTV stuff and I hate it.

Kerpal
Jul 20, 2003

Well that's weird.
I'm not sure if this is the right thread but I am looking for a router recommendation. At work we are going to be replacing two Cisco 2500 series routers that connect a T1 via serial. We're getting a Time Warner point to point cable line installed so we need 2 routers to handle the traffic between our main office and distribution center. The new line will use a WAN ethernet interface. Most of the machines using the line are simple packing stations with telnet sessions (anywhere from 8-15 total) and 5 workstations that access the line to connect to Exchange/DCs and the Internet. I'm probably over thinking this but what would be a viable replacement to the 2500? We don't really need any special services like DHCP, DNS, VPN, etc, all of which are handled on our Windows servers.

For example I was looking at the Cisco 861-K9. The data sheet on Cisco's website specifies that this router is recommended for only 5 users. Granted our point to point line is only going to be 2 Mbps, but this line is crucial and we can't afford to have any downtime.

We could also get something like the Cisco RVS4000, but I'm skeptical as to its reliability. Our 2500 routers have been rock solid and we've never really had any problems with them. Not to mention it's a Linksys-Cisco brand, which doesn't strike me as Business-grade even if it has the Cisco Small Business badge. We did however setup a Cisco Small Business wireless AP that works great, so who knows.


ragzilla
Sep 9, 2005
don't ask me, i only work here


Kerpal posted:

Granted our point to point line is only going to be 2 Mbps, but this line is crucial and we can't afford to have any downtime.

Buy 3 Cisco 2611 (2x 10BaseT) or 2621 (2x 10/100BaseT) off eBay, keep one on the shelf as a spare. Or hell at the price buy 4 and keep a warm spare at each site.
