ragzilla
Sep 9, 2005
don't ask me, i only work here



Who needs python when you have perl?
code:
RP/0/RSP0/CPU0:dr1.ind2#run
Fri Jul 15 23:39:43.600 EDT
# /pkg/sbin/perl -v

This is perl, v5.6.0 built for 4k-

Copyright 1987-2000, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5.0 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using `man perl' or `perldoc perl'.  If you have access to the
Internet, point your browser at http://www.perl.com/, the Perl Home Page.
Or maybe you just want to check 'show_version' from the hypervisor
code:
# /pkg/bin/show_version

Cisco IOS XR Software, Version 4.1.0[Default]
Copyright (c) 2011 by Cisco Systems, Inc.

ROM: System Bootstrap, Version 1.05(20101118:025914) [ASR9K ROMMON],  

elite burrito
May 9, 2010

jwh posted:

We're looking at some Tufin product, anyone with operational experience care to share?

I just sent you a pm.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

Nitr0 posted:

What OS are you running this on? Seems cool enough, I might check it out. I am so sick of the pricing of solarwinds tools. It is just unreal.

Mine is on FreeBSD, but it runs fine on Linux or any unix system. It's just a PHP / MySQL thing with some unixey requirements for the tools it uses behind the scenes (graphviz, rrdtool, fping, net-snmp, etc). A larger list of what tools it uses, or can use, is in its defaults.inc.php. Not everything there is required (like ipmitool or nmap) but can be used if it's enabled.

falz fucked around with this message at 16:05 on Jul 16, 2011

Golden-i
Sep 18, 2006

One big, stumpy family

inignot posted:

How do you like the Cascade? I was looking into that box as a sniffer platform.

Bear in mind that I've had almost NO training on the software - our architect gave me a 30 minute tutorial on how to run basic reports. That being said, it's incredibly easy software to use for basic stuff. I've already used it to diagnose several inter-site issues, like when a production system was showing a TCP connection to an unknown system on the network with unusually high traffic. A Wireshark capture showed nothing, but Cascade showed a historical view indicating that the IP had been using X amount of bandwidth on port Y every 15 minutes between 12am and 12pm for the last month and a half. Turns out, some engineer had a SQL database backup scheduled far, far more often than was necessary and their wireshark captures were run in the afternoon when the traffic wasn't being generated.

Overall, I really like the software and am really curious as to what someone that actually knew what the hell they were doing could accomplish with it.
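
The "when does this IP talk, and on which port" view Golden-i describes is something you can also get from raw flow records. As an added example (not Cascade's code or anything from the posts), here is a periodicity check over constructed NetFlow-style records: a backup job at 15-minute intervals between midnight and noon, plus irregular noise. Host addresses, port 1433 and byte counts are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

BACKUP = ("10.1.1.20", "10.1.1.50", 1433)   # assumed: DB host -> backup target, MSSQL port
NOISE = ("10.1.1.20", "203.0.113.5", 443)    # assumed: unrelated ad-hoc HTTPS traffic

def make_records():
    """Constructed flow records (timestamp, src, dst, dport, bytes): a backup job
    firing every 15 minutes from midnight to noon for three days, plus ad-hoc
    HTTPS traffic at irregular times. Not real data."""
    recs = []
    day0 = datetime(2011, 7, 1)
    for d in range(3):
        t = day0 + timedelta(days=d)
        while t.hour < 12:
            recs.append((t, *BACKUP, 48_000_000))
            t += timedelta(minutes=15)
    for h, m in [(9, 3), (9, 41), (13, 12), (16, 55)]:
        recs.append((day0 + timedelta(hours=h, minutes=m), *NOISE, 20_000))
    return sorted(recs)

def periodic_talkers(records, min_samples=8, tolerance=0.1, min_regular=0.8):
    """Group flows by (src, dst, dport) and keep tuples whose inter-arrival gaps
    cluster around one period: the fingerprint of a scheduled job.
    Returns {key: (period_seconds, flow_count, total_bytes)}."""
    by_key = defaultdict(list)
    for ts, src, dst, dport, nbytes in records:
        by_key[(src, dst, dport)].append((ts, nbytes))
    found = {}
    for key, flows in by_key.items():
        if len(flows) < min_samples:
            continue
        times = sorted(t for t, _ in flows)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        regular = sum(1 for g in gaps if abs(g - period) <= tolerance * period)
        if regular / len(gaps) >= min_regular:
            found[key] = (period, len(flows), sum(b for _, b in flows))
    return found

def flows_in_window(records, key, start_hour, end_hour):
    """Flows of `key` a capture running only between these hours would have seen."""
    return sum(1 for ts, src, dst, dport, _ in records
               if (src, dst, dport) == key and start_hour <= ts.hour < end_hour)

def hours_seen(records, key):
    """Hours of the day in which `key` was active: the 'when' a history view gives you."""
    return sorted({ts.hour for ts, src, dst, dport, _ in records if (src, dst, dport) == key})

if __name__ == "__main__":
    recs = make_records()
    for key, (period, count, total) in periodic_talkers(recs).items():
        print(key, f"every {period:.0f}s, {count} flows, {total} bytes, hours {hours_seen(recs, key)}")
    print("seen by a 13:00-17:00 capture:", flows_in_window(recs, BACKUP, 13, 17))
```

periodic_talkers keys on (src, dst, dport) and flags tuples whose inter-arrival gaps sit within 10% of their median; flows_in_window then shows why an afternoon capture missed it: the same tuple has zero flows between 13:00 and 17:00. The thresholds are starting points, not tuned values.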

captaingimpy
Aug 3, 2004

I luv me some pirate booty, and I'm not talkin' about the gold!
Fun Shoe

Golden-i posted:

Overall, I really like the software and am really curious as to what someone that actually knew what the hell they were doing could accomplish with it.

We have used it for everything from determining where a virus outbreak is coming from (much earlier than usual) to see who is port scanning/host scanning. It is a very powerful tool. You can have it kick off a vulnerability scan, lock down ports on a switch, create a Visio diagram of machines that connect to a server and on what port, and look at network performance of a certain application (RTT, response time, # of resets, bandwidth usage, etc.).

It is a very powerful tool. The only issue that it has is that it requires netflow or a mirrored port. They offer remote tools, more so now since they bought Wireshark, that can get you better layer 7 information and communication between two hosts on the same VLAN.

some kinda jackal
Feb 25, 2003

 
 
Can anyone recommend a good "JunOS for IOS users" style book? I just want to get a feel for how things translate.

It's just an idle curiosity at this point so I don't really want to pick up a JNCIA manual or anything, seeing as how I'm still plowing through my CCNP.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR
Question. We're gonna play around in a lab for this. Wanted to get another viewpoint.

So...

We were changing out some 1gig P2Ps between Core and ASR. We had an issue with an IP packet to a certain customer bouncing between ASR2 and Core2. ASR2 would see a range on ASR1 and instead of using the 1gig P2P between ASR1 and ASR2 to forward out of, ASR2 used the 10Gig connection between it and Core 2. Core 2 didn't know what to do with the range, so forwarded it back out to ASR2.

ASR2 still saw the 10 gig to Core2 as the most cost effective route, and kept forwarding that packet out, instead of across the 1gig.

What would cause something like this? I know there are cost adjustments I can make, but I don't want to cause issues with any other packets that were not having trouble. Customer is BGP peered with us. Core2 knows how to get to ASR1, where customer hangs off, but doesn't know how to get to customer specifically since ASR1 learned that route via BGP.

Zuhzuhzombie!! fucked around with this message at 22:30 on Jul 18, 2011

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

Martytoof posted:

Can anyone recommend a good "JunOS for IOS users" style book? I just want to get a feel for how things translate.

It's just an idle curiosity at this point so I don't really want to pick up a JNCIA manual or anything, seeing as how I'm still plowing through my CCNP.

JunOS as a Second Language. I believe it's still a CBT on the Juniper website. There really isn't a translation book like that, you just gotta get in the gear and learn it.

There is a JunOS for Dummies I believe as well :)

ragzilla
Sep 9, 2005
don't ask me, i only work here


Zuhzuhzombie!! posted:

ASR2 still saw the 10 gig to Core2 as the most cost effective route, and kept forwarding that packet out, instead of across the 1gig.

What would cause something like this? I know there are cost adjustments I can make, but I don't want to cause issues with any other packets that were not having trouble.

What's your IGP? And why doesn't Core2 know how to reach the customer? You're using BGP route reflectors or a full mesh right?

some kinda jackal
Feb 25, 2003

 
 

routenull0 posted:

JunOS as a Second Language. I believe it's still a CBT on the Juniper website. There really isn't a translation book like that, you just gotta get in the gear and learn it.

There is a JunOS for Dummies I believe as well :)

Cool, thanks :)

It's just a passing fancy right now. Maybe after I put in my ROUTE exam I'll try to fire up a couple of Olives and give it an actual look :)

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR

ragzilla posted:

What's your IGP? And why doesn't Core2 know how to reach the customer? You're using BGP route reflectors or a full mesh right?

ASRs have full routes, Cores only have partial routes. Core 2 knows how to get to ASR1 and 2, and Core 1, but it doesn't know how to get to customer nor does it know that ASR1 has customer's routes.




Also.



%PM-4-ERR_DISABLE: link-flap error detected on Gi1/0/27, putting Gi1/0/27 in err-disable state
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/27, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet1/0/27, changed state to down



Can an SFP going bad cause this?

Can SFPs go bad and go up/up and down/down, or when they go bad, that's it?

ior
Nov 21, 2003

What's a fuckass?

Zuhzuhzombie!! posted:

%PM-4-ERR_DISABLE: link-flap error detected on Gi1/0/27, putting Gi1/0/27 in err-disable state
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/27, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet1/0/27, changed state to down



Can an SFP going bad cause this?

Can SFPs go bad and go up/up and down/down, or when they go bad, that's it?

Anything is possible. If it keeps happening I would say you have bad cable though.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
So we have an interface that isn't allowing FTP via web browser to work, you can ftp using command prompt or filezilla, just not from the web browser. Inside ACL is allowing any any, outside ACL is allowing port 21 to the world. Put a traffic sniffer on the inside interface and not seeing any differences:

non-working:

1: 08:48:26.700738 802.1Q vlan#860 P0 8.8.8.8.65510 > 10.60.21.10.21: S 3265067214:3265067214(0) win 8192 <mss 1260,nop,wscale 2,nop,nop,sackOK>
2: 08:48:26.701120 802.1Q vlan#860 P0 10.60.21.10.21 > 8.8.8.8.65510: S 848465393:848465393(0) ack 3265067215 win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
3: 08:48:26.702203 802.1Q vlan#860 P0 8.8.8.8.65510 > 10.60.21.10.21: . ack 848465394 win 4410
4: 08:48:26.703363 802.1Q vlan#860 P0 10.60.21.10.21 > 8.8.8.8.65510: P 848465394:848465443(49) ack 3265067215 win 260
5: 08:48:26.706597 802.1Q vlan#860 P0 8.8.8.8.65510 > 10.60.21.10.21: P 3265067215:3265067231(16) ack 848465443 win 4397
6: 08:48:26.760367 802.1Q vlan#860 P0 10.60.21.10.21 > 8.8.8.8.65510: P 848465443:848465463(20) ack 3265067231 win 260
7: 08:48:26.762045 802.1Q vlan#860 P0 8.8.8.8.65510 > 10.60.21.10.21: P 3265067231:3265067243(12) ack 848465463 win 4392
8: 08:48:26.762411 802.1Q vlan#860 P0 10.60.21.10.21 > 8.8.8.8.65510: P 848465463:848465492(29) ack 3265067243 win 260
9: 08:48:26.763449 802.1Q vlan#860 P0 8.8.8.8.65510 > 10.60.21.10.21: F 3265067243:3265067243(0) ack 848465492 win 4385
10: 08:48:26.763754 802.1Q vlan#860 P0 10.60.21.10.21 > 8.8.8.8.65510: . ack 3265067244 win 260
11: 08:48:26.769171 802.1Q vlan#860 P0 10.60.21.10.21 > 8.8.8.8.65510: F 848465492:848465492(0) ack 3265067244 win 260
12: 08:48:26.770300 802.1Q vlan#860 P0 8.8.8.8.65510 > 10.60.21.10.21: . ack 848465493 win 4385



working

1: 08:57:18.174093 802.1Q vlan#860 P0 8.8.8.8.49389 > 10.60.21.10.21: S 1992189072:1992189072(0) win 8192 <mss 1260,nop,wscale 0,nop,nop,sackOK>
2: 08:57:18.174398 802.1Q vlan#860 P0 10.60.21.10.21 > 8.8.8.8.49389: S 2144276173:2144276173(0) ack 1992189073 win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
3: 08:57:18.175512 802.1Q vlan#860 P0 8.8.8.8.49389 > 10.60.21.10.21: . ack 2144276174 win 8192
4: 08:57:18.176641 802.1Q vlan#860 P0 10.60.21.10.21 > 8.8.8.8.49389: P 2144276174:2144276223(49) ack 1992189073 win 260
5: 08:57:18.391962 802.1Q vlan#860 P0 8.8.8.8.49389 > 10.60.21.10.21: . ack 2144276223 win 8143
6: 08:57:32.027571 802.1Q vlan#860 P0 8.8.8.8.49389 > 10.60.21.10.21: P 1992189073:1992189084(11) ack 2144276223 win 8143
7: 08:57:32.084071 802.1Q vlan#860 P0 10.60.21.10.21 > 8.8.8.8.49389: P 2144276223:2144276243(20) ack 1992189084 win 260
8: 08:57:32.290344 802.1Q vlan#860 P0 8.8.8.8.49389 > 10.60.21.10.21: . ack 2144276243 win 8123
9: 08:57:33.079646 802.1Q vlan#860 P0 8.8.8.8.49389 > 10.60.21.10.21: P 1992189084:1992189095(11) ack 2144276243 win 8123
10: 08:57:33.080226 802.1Q vlan#860 P0 10.60.21.10.21 > 8.8.8.8.49389: P 2144276243:2144276272(29) ack 1992189095 win 260
11: 08:57:33.288818 802.1Q vlan#860 P0 8.8.8.8.49389 > 10.60.21.10.21: . ack 2144276272 win 8094
12: 08:57:34.778112 802.1Q vlan#860 P0 8.8.8.8.49389 > 10.60.21.10.21: R 1992189095:1992189095(0) ack 2144276272 win 0



There is an inspect policy for ftp, i've removed and re-added it to the interface, no joy. Any ideas?
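
An added example, not from Sepist's post or any of the replies: a parser for the ASA capture format above that turns each trace into a per-connection summary (SYN options, effective client receive window, payload bytes per direction, who closed and how) and diffs the two. The input is the two traces quoted above, embedded as constructed test data; the field names are my own.

```python
import re

# Constructed input: the two ASA capture traces quoted in the post, copied verbatim.
NON_WORKING = """
1: 08:48:26.700738 802.1Q vlan#860 P0 8.8.8.8.65510 > 10.60.21.10.21: S 3265067214:3265067214(0) win 8192 <mss 1260,nop,wscale 2,nop,nop,sackOK>
2: 08:48:26.701120 802.1Q vlan#860 P0 10.60.21.10.21 > 8.8.8.8.65510: S 848465393:848465393(0) ack 3265067215 win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
3: 08:48:26.702203 802.1Q vlan#860 P0 8.8.8.8.65510 > 10.60.21.10.21: . ack 848465394 win 4410
4: 08:48:26.703363 802.1Q vlan#860 P0 10.60.21.10.21 > 8.8.8.8.65510: P 848465394:848465443(49) ack 3265067215 win 260
5: 08:48:26.706597 802.1Q vlan#860 P0 8.8.8.8.65510 > 10.60.21.10.21: P 3265067215:3265067231(16) ack 848465443 win 4397
6: 08:48:26.760367 802.1Q vlan#860 P0 10.60.21.10.21 > 8.8.8.8.65510: P 848465443:848465463(20) ack 3265067231 win 260
7: 08:48:26.762045 802.1Q vlan#860 P0 8.8.8.8.65510 > 10.60.21.10.21: P 3265067231:3265067243(12) ack 848465463 win 4392
8: 08:48:26.762411 802.1Q vlan#860 P0 10.60.21.10.21 > 8.8.8.8.65510: P 848465463:848465492(29) ack 3265067243 win 260
9: 08:48:26.763449 802.1Q vlan#860 P0 8.8.8.8.65510 > 10.60.21.10.21: F 3265067243:3265067243(0) ack 848465492 win 4385
10: 08:48:26.763754 802.1Q vlan#860 P0 10.60.21.10.21 > 8.8.8.8.65510: . ack 3265067244 win 260
11: 08:48:26.769171 802.1Q vlan#860 P0 10.60.21.10.21 > 8.8.8.8.65510: F 848465492:848465492(0) ack 3265067244 win 260
12: 08:48:26.770300 802.1Q vlan#860 P0 8.8.8.8.65510 > 10.60.21.10.21: . ack 848465493 win 4385
"""
WORKING = """
1: 08:57:18.174093 802.1Q vlan#860 P0 8.8.8.8.49389 > 10.60.21.10.21: S 1992189072:1992189072(0) win 8192 <mss 1260,nop,wscale 0,nop,nop,sackOK>
2: 08:57:18.174398 802.1Q vlan#860 P0 10.60.21.10.21 > 8.8.8.8.49389: S 2144276173:2144276173(0) ack 1992189073 win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
3: 08:57:18.175512 802.1Q vlan#860 P0 8.8.8.8.49389 > 10.60.21.10.21: . ack 2144276174 win 8192
4: 08:57:18.176641 802.1Q vlan#860 P0 10.60.21.10.21 > 8.8.8.8.49389: P 2144276174:2144276223(49) ack 1992189073 win 260
5: 08:57:18.391962 802.1Q vlan#860 P0 8.8.8.8.49389 > 10.60.21.10.21: . ack 2144276223 win 8143
6: 08:57:32.027571 802.1Q vlan#860 P0 8.8.8.8.49389 > 10.60.21.10.21: P 1992189073:1992189084(11) ack 2144276223 win 8143
7: 08:57:32.084071 802.1Q vlan#860 P0 10.60.21.10.21 > 8.8.8.8.49389: P 2144276223:2144276243(20) ack 1992189084 win 260
8: 08:57:32.290344 802.1Q vlan#860 P0 8.8.8.8.49389 > 10.60.21.10.21: . ack 2144276243 win 8123
9: 08:57:33.079646 802.1Q vlan#860 P0 8.8.8.8.49389 > 10.60.21.10.21: P 1992189084:1992189095(11) ack 2144276243 win 8123
10: 08:57:33.080226 802.1Q vlan#860 P0 10.60.21.10.21 > 8.8.8.8.49389: P 2144276243:2144276272(29) ack 1992189095 win 260
11: 08:57:33.288818 802.1Q vlan#860 P0 8.8.8.8.49389 > 10.60.21.10.21: . ack 2144276272 win 8094
12: 08:57:34.778112 802.1Q vlan#860 P0 8.8.8.8.49389 > 10.60.21.10.21: R 1992189095:1992189095(0) ack 2144276272 win 0
"""

LINE_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<ts>\S+)\s+.*?"            # index, timestamp, then the VLAN tag
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+"
    r"(?P<flag>[SFRP.])\s+"                              # ASA prints a single flag letter
    r"(?:\d+:\d+\((?P<plen>\d+)\)\s+)?"                  # seq:seq(len); absent on pure ACKs
    r"(?:ack\s+(?P<ack>\d+)\s+)?"
    r"win\s+(?P<win>\d+)"
    r"(?:\s+<(?P<opts>[^>]*)>)?"                         # TCP options, SYN segments only
)

def parse_line(line):
    """One ASA capture line -> dict, or None for lines that are not packets."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    opts = {}
    for tok in (d["opts"] or "").split(","):
        parts = tok.split()
        if len(parts) == 2 and parts[1].isdigit():
            opts[parts[0]] = int(parts[1])        # mss 1260, wscale 2
        elif parts:
            opts[parts[0]] = True                 # nop, sackOK
    return {"idx": int(d["idx"]), "ts": d["ts"],
            "src": f"{d['src']}:{d['sport']}", "dst": f"{d['dst']}:{d['dport']}",
            "flag": d["flag"], "plen": int(d["plen"] or 0),
            "ack": int(d["ack"]) if d["ack"] else None,
            "win": int(d["win"]), "opts": opts}

def summarize(trace):
    """Per-connection facts worth checking before reading packets one by one."""
    pkts = [p for p in map(parse_line, trace.splitlines()) if p]
    syn = next(p for p in pkts if p["flag"] == "S" and p["ack"] is None)
    client, server = syn["src"], syn["dst"]
    synack = next(p for p in pkts if p["flag"] == "S" and p["src"] == server)
    who = lambda p: "client" if p["src"] == client else "server"
    sent = {"client": 0, "server": 0}
    for p in pkts:
        sent[who(p)] += p["plen"]
    scale = syn["opts"].get("wscale", 0) if "wscale" in synack["opts"] else 0  # both sides must offer it
    first_ack = next((p for p in pkts if who(p) == "client" and p["flag"] != "S"), None)
    close = next((p for p in pkts if p["flag"] in ("F", "R")), None)
    return {"client": client, "server": server,
            "client_mss": syn["opts"].get("mss"), "client_wscale": syn["opts"].get("wscale"),
            "client_rwin": (first_ack["win"] << scale) if first_ack else None,
            "client_bytes": sent["client"], "server_bytes": sent["server"],
            "client_pushes": [p["plen"] for p in pkts if p["flag"] == "P" and who(p) == "client"],
            "closed_by": who(close) if close else None,
            "close_flag": close["flag"] if close else None,
            "packets": len(pkts)}

def diff(a, b):
    """Fields where two summaries disagree: {field: (a_value, b_value)}."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}
```

Run on the two traces, diff(summarize(NON_WORKING), summarize(WORKING)) reports exactly the fields that differ: the client port, the client's window scaling (2 versus 0) and the resulting effective receive window, the sizes of the client's pushes (16 and 12 bytes versus 11 and 11) and the teardown flag (FIN versus RST). Both handshakes complete and every client push draws a server reply, which is the "is the firewall dropping it" check. ASA capture output carries no payload, so what the browser actually sent on the control channel is not recoverable from this data.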

jwh
Jun 12, 2002

Well, in the first trace your client is tearing the connection down (F) whereas in the second, you're seeing a reset (R)

Does the ftp work when you pull your ACLs?

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR

ior posted:

Anything is possible. If it keeps happening I would say you have bad cable though.

It's fiber. So... bad fiber?

It's a ZX SFP. So... > 20 miles or something. That would be a poo poo ton of fiber to have to dig up.

tortilla_chip
Jun 13, 2007

k-partite
An OTDR will help you determine if it is an issue with your fiber.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k

jwh posted:

Well, in the first trace your client is tearing the connection down (F) whereas in the second, you're seeing a reset (R)

Does the ftp work when you pull your ACLs?

I can't really pull the ACL to test since this firewall is in front of a VM cluster and is hosting a few hundred VM's. This firewall has been acting a bit funny lately so I will just fail it over and reload, hopefully that's what it ends up being.

Badgerpoo
Oct 12, 2010
Is the web browser doing active and the other clients passive mode?

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
Both are doing passive, it works in firefox though so I'm just writing it off as an issue with IE, the issue being the person is using IE to begin with.

ate shit on live tv
Feb 15, 2004

by Azathoth
Debugging individual end user software takes you firmly out of the network engineering role and into the computer janitor role, tread carefully or better yet, pass it off to the windows guys.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
Oh I'm quite good at that particular part, this issue went something like this: check firewall, sniff traffic, test in firefox, kick off to windows admin team - there was a time when I liked doing it all but that's not anymore.

ate shit on live tv
Feb 15, 2004

by Azathoth
Does anyone have any information, public or not, about Sup720 Hardware Nat with VRF limitations? We are using a set of 6500's to do a lot of natting within VRFs, and I'd like to know the approximate limit and what happens when you approach that limit.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR
Anyone have any NetFlow software preferences?

ragzilla
Sep 9, 2005
don't ask me, i only work here


Powercrazy posted:

Does anyone have any information, public or not, about Sup720 Hardware Nat with VRF limitations? We are using a set of 6500's to do a lot of natting within VRFs, and I'd like to know the approximate limit and what happens when you approach that limit.

iirc 720 nat is supported by netflow tcam, so I assume your limiting factor would be the 128k netflow entries supported on the 3b(xl). Should be able to monitor usage with
code:
sh platform hardware capacity netflow 

ate shit on live tv
Feb 15, 2004

by Azathoth
Looks like we aren't even at 1% capacity for NAT, so I guess its fine, good to know.

ragzilla
Sep 9, 2005
don't ask me, i only work here


Powercrazy posted:

Looks like we aren't even at 1% capacity for NAT, so I guess its fine, good to know.

You probably also want to keep an eye on the CPU- the 3-way handshake is punted to the MSFC, after that it's hardware switched by the flow entry.

ragzilla
Sep 9, 2005
don't ask me, i only work here


Zuhzuhzombie!! posted:

Question. We're gonna play around in a lab for this. Wanted to get another viewpoint.

So...

We were changing out some 1gig P2Ps between Core and ASR. We had an issue with an IP packet to a certain customer bouncing between ASR2 and Core2. ASR2 would see a range on ASR1 and instead of using the 1gig P2P between ASR1 and ASR2 to forward out of, ASR2 used the 10Gig connection between it and Core 2. Core 2 didn't know what to do with the range, so forwarded it back out to ASR2.

ASR2 still saw the 10 gig to Core2 as the most cost effective route, and kept forwarding that packet out, instead of across the 1gig.

What would cause something like this? I know there are cost adjustments I can make, but I don't want to cause issues with any other packets that were not having trouble. Customer is BGP peered with us. Core2 knows how to get to ASR1, where customer hangs off, but doesn't know how to get to customer specifically since ASR1 learned that route via BGP.

http://www.nil.com/ipcorner/LoadBalancingBGP/ covers most of the information you need to know about how BGP load balances on the Cisco platform, from the sounds of your situation I'm thinking-

ASR2 learned the path to the customer via BGP. ASR2 installs a forwarding table entry saying 'send customer traffic to ASR1 loopback'.
ASR2 sees traffic to the customer prefix, searches fib, finds path that says 'use ASR1 loopback'
ASR2 does a lookup for ASR1s loopback (this is the IGP lookup, and optimized away in CEF so it doesn't actually make a second lookup, but logically it does), if ASR1s loopback was learned across the direct 1G PtP as well as the 10G PtP to the core, it's possible the 10G PtP to core was the best path- depending on your IGP setup and costs.
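
The recursive lookup ragzilla walks through, as an added example (not from the post): a small Python model of the FIB on each box, with a hop-by-hop trace that stops when a router is visited twice. Router names, loopbacks, the 198.51.100.0/24 customer prefix, the link costs and the cores' default routes are all assumptions chosen to reproduce the symptom, not the poster's configuration.

```python
import heapq
from ipaddress import ip_address, ip_network

# Constructed lab. Names, loopbacks and costs are assumptions, not the poster's config;
# equal-cost paths are not modelled.
LOOPBACKS = {"ASR1": "10.0.0.1", "ASR2": "10.0.0.2", "Core1": "10.0.0.3", "Core2": "10.0.0.4"}
OWNER = {ip: node for node, ip in LOOPBACKS.items()}
CUSTOMER = ip_network("198.51.100.0/24")   # stands in for the customer's range
DEFAULT = ip_network("0.0.0.0/0")

# (a, b, cost): the 10G links (cost 1) look cheaper to the IGP than the direct
# 1G PtP between the ASRs (assumed cost 10); the "fixed" set lowers it to 1.
LINKS_AS_FOUND = [("ASR1", "ASR2", 10), ("ASR1", "Core1", 1), ("ASR2", "Core2", 1), ("Core1", "Core2", 1)]
LINKS_FIXED = [("ASR1", "ASR2", 1)] + LINKS_AS_FOUND[1:]

# Per-router routes: {prefix: next-hop loopback, or None when directly attached}.
# ASRs carry the customer prefix via BGP with ASR1's loopback as next-hop; the cores
# have partial routes, modelled as an assumed default toward their nearest ASR.
RIB = {
    "ASR1": {CUSTOMER: None},
    "ASR2": {CUSTOMER: LOOPBACKS["ASR1"]},
    "Core1": {DEFAULT: LOOPBACKS["ASR1"]},
    "Core2": {DEFAULT: LOOPBACKS["ASR2"]},
}
RIB_CORES_FULL = dict(RIB, Core1={CUSTOMER: LOOPBACKS["ASR1"]}, Core2={CUSTOMER: LOOPBACKS["ASR1"]})

def igp_first_hops(links, src):
    """Dijkstra over the IGP graph; returns {router: (cost, first_hop)} from src."""
    adj = {}
    for a, b, cost in links:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    best, heap = {src: (0, None)}, [(0, src, None)]
    while heap:
        cost, node, first = heapq.heappop(heap)
        if cost > best[node][0]:
            continue
        for nbr, c in adj.get(node, []):
            nc, nf = cost + c, (nbr if first is None else first)
            if nbr not in best or nc < best[nbr][0]:
                best[nbr] = (nc, nf)
                heapq.heappush(heap, (nc, nbr, nf))
    return best

def build_fib(node, links, rib):
    """The IGP installs every reachable router's loopback as a /32; BGP and static
    entries add prefixes whose next-hop is a loopback IP, not an interface."""
    hops = igp_first_hops(links, node)
    fib = {ip_network(ip + "/32"): ip for r, ip in LOOPBACKS.items() if r != node and r in hops}
    fib.update(rib.get(node, {}))
    return fib

def forward(node, dst, links, rib):
    """One forwarding decision: longest-prefix match, then resolve the next-hop
    loopback through the IGP (the recursive lookup). Returns the neighbour name,
    'DELIVERED' for an attached destination, or 'DROPPED' when nothing resolves."""
    fib = build_fib(node, links, rib)
    matches = [p for p in fib if dst in p]
    if not matches:
        return "DROPPED"
    nh = fib[max(matches, key=lambda p: p.prefixlen)]
    if nh is None:
        return "DELIVERED"
    hop = igp_first_hops(links, node).get(OWNER[nh])   # the IGP picks the egress link
    return hop[1] if hop else "DROPPED"

def trace(src, dst, links, rib, max_hops=8):
    """Walk a packet router by router; returns (path, outcome) where outcome is
    'delivered', 'dropped', 'loop' (a router seen twice) or 'ttl-exceeded'."""
    dst, path, node = ip_address(dst), [src], src
    while len(path) <= max_hops:
        nxt = forward(node, dst, links, rib)
        if nxt in ("DELIVERED", "DROPPED"):
            return path, nxt.lower()
        if nxt in path:
            return path + [nxt], "loop"
        path.append(nxt)
        node = nxt
    return path, "ttl-exceeded"

if __name__ == "__main__":
    for label, links, rib in [("as found", LINKS_AS_FOUND, RIB), ("1G cost lowered", LINKS_FIXED, RIB),
                              ("cores carry the prefix", LINKS_AS_FOUND, RIB_CORES_FULL)]:
        print(f"{label}: {trace('ASR2', '198.51.100.7', links, rib)}")
```

trace() from ASR2 with the as-found costs returns (['ASR2', 'Core2', 'ASR2'], 'loop'): ASR2's FIB says "customer via 10.0.0.1", the IGP says 10.0.0.1 is cheapest via Core2, and Core2, holding only a default back to ASR2, returns the packet. With the direct 1G link's cost below the two-hop path through the cores the same lookup yields (['ASR2', 'ASR1'], 'delivered'); with the cores carrying the prefix it is delivered via Core2 and Core1. Equal-cost paths, which is what the linked nil.com article is about, are not modelled.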

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR

ragzilla posted:

http://www.nil.com/ipcorner/LoadBalancingBGP/ covers most of the information you need to know about how BGP load balances on the Cisco platform, from the sounds of your situation I'm thinking-

ASR2 learned the path to the customer via BGP. ASR2 installs a forwarding table entry saying 'send customer traffic to ASR1 loopback'.
ASR2 sees traffic to the customer prefix, searches fib, finds path that says 'use ASR1 loopback'
ASR2 does a lookup for ASR1s loopback (this is the IGP lookup, and optimized away in CEF so it doesn't actually make a second lookup, but logically it does), if ASR1s loopback was learned across the direct 1G PtP as well as the 10G PtP to the core, it's possible the 10G PtP to core was the best path- depending on your IGP setup and costs.

Awesome. Will address this at our meeting. Thanks for the heads up. Now? Another major stack just gave me an "RPS IS faulty" error. Joy of joys to get when you're the only Admin around for the whole day and already got a load. :(

thiscommercialsucks
Jun 13, 2009

by T. Mascis

Sepist posted:

So we have an interface that isn't allowing FTP via web browser to work, you can ftp using command prompt or filezilla, just not from the web browser. Inside ACL is allowing any any, outside ACL is allowing port 21 to the world. Put a traffic sniffer on the inside interface and not seeing any differences:

non-working:
~~

working:
~~

There is an inspect policy for ftp, i've removed and re-added it to the interface, no joy. Any ideas?

edit: I'm dumb and your last sentence didn't register.

Does show service-policy inspect ftp show anything?

Is strict turned on in your ftp policy-map?

thiscommercialsucks fucked around with this message at 18:11 on Jul 21, 2011

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

Zuhzuhzombie!! posted:

Anyone have any NetFlow software preferences?

Nfsen if looking in the free/open source realm. I think this has been discussed earlier in this thread but I'm not remembering when.

falz fucked around with this message at 23:30 on Jul 21, 2011

Biggz
Dec 27, 2005

Zuhzuhzombie!! posted:

Anyone have any NetFlow software preferences?

I use PRTG, it's free (up to 20 nodes) and runs on Windows. I've not heard of Nfsen before so that's another for me to try.

BurgerQuest
Mar 17, 2009

by Jeffrey of YOSPOS
I just deployed SolarWinds NPM + NTA and I'm pretty happy, it's monitoring about 35 remote sites as well as doing NetFlow stats/reports on about 140 dynamic customers' data flowing through our Sydney PoP. Big improvement on the virtually nothing we had before. Looking at the IP SLA add on but right now we only have a few serious SLA customers so it's harder to justify right now.

Is there general distaste for SolarWinds? They seem to have generated an ok community around their free and paid products.

jwh
Jun 12, 2002

Solarwinds is pretty okay, but i wish the performance of their web engine was better.

With about 750 nodes under management, all sending netflow telemetry, it can be excruciating to pull a report.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR
Will check out NFSen. Thanks. We don't want to deploy a Windows box to the public network.

Sir Sidney Poitier
Aug 14, 2006

My favourite actor


I don't know much about it and I'm not responsible for it - I'm just interested. Our company uses TACACS+ for access control to our networking hardware. It was suggested to me that we wouldn't be able to give people enable access on switches but not on routers. Is this the case? Is there any way we can provide device-based permissions as opposed to only global privilege level permissions? Am I making sense?

elite burrito
May 9, 2010
You're being BSed. Permissions are defined at the device, and it's perfectly reasonable to have a different aaa configuration on your routers than on your switches.

Just have something like "aaa authentication enable default group tacacs+ enable" in your switches but not your routers.

I think you might have to have a special account defined on your TACACS+ server for enable to auth against ... I remember it being called $enable$ something ... maybe not if you're using Cisco's product.

ate shit on live tv
Feb 15, 2004

by Azathoth
You can do per device permissions based on users. If whoever your admin is says you can't do it he is wrong, however maybe HE can't do it, but it certainly can be done.

As far as TACACS is concerned anything that runs IOS behaves identically, switches or routers, however other cisco products, like the ASA or whatever behave differently.

ate shit on live tv
Feb 15, 2004

by Azathoth
What version of IOS do I need for LLDP support on ISRs? 1800,2800,3800? It seems most of the switches in my lab support LLDP no problem, but the ISRs do not. I'd like to stay away from the T train, and 15.0 for now.

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

Here's a dumb question, not Cisco-related but I couldn't find a better place to ask:

Let's say my IP address is aa.bb.cc.194, my provider gives me a single IP address for $49.99 a month. Now, my default gateway (which I assume is my modem) gets the address aa.bb.cc.193. My subnet mask is 255.255.255.252 (or /30), and there's also a 'subnet id' of aa.bb.cc.192, and a broadcast address of aa.bb.cc.195. Are those two addresses basically wasted? Hell aren't they wasting 3 addresses since the modem could be bridged and I could have two IP addresses?

How come my modem isn't 192, 193 my neighbor, 194 the next guy, etc? In groups of 16 or 32 or whatever? It just seems wasteful to have 4 addresses for a single subscriber.

ate shit on live tv
Feb 15, 2004

by Azathoth
Legacy from the days when broadcasts were required for routing protocols and w/e other applications expected broadcasts at layer 3.

What you are describing is a /31 subnet instead of a /30, in almost all cases a /31 is fine but you'll never see it. Even in our production network we still use /30's for point-to-points and so do ISPs for BGP Peering etc.
