FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE

doomisland posted:

No but let's get ahead of this and say see y'all at NANOG65 :quebec:

I'll be there too. Ragzilla should come as well. If I remember correctly he is a short flight away.

By any chance has anyone here colocated in Verizon SCOPE space before? Turns out no MPLS carriers want to do the TDM to IP conversion for SAToP

tortilla_chip
Jun 13, 2007

k-partite

psydude posted:

Who's going to Cisco Live next week?

I'll be there

the spyder
Feb 18, 2011
Drank the Cisco Kool-Aid and dropped any hope of switching to Juniper this week. Too many of our offices are legacy Cisco gear and our new management doesn't want to have multiple brands. Soooo Nexus 6004EF/2348 and 3650's it is. I'm going to demo Meraki AP's next week.

Richard Noggin
Jun 6, 2005
Redneck By Default
The Meraki kit is pretty nice, especially if you're looking for ease of management.

Sheep
Jul 24, 2003
We're in the process of swapping out all of our branch offices to Meraki APs (and later on MX devices for the firewalls as well). It's so nice to be able to change things on the fly when someone submits a ticket regarding one of these offices since I can just pop into the dashboard and see what's going on and make changes in real time.

I totally understand why you wouldn't want to run this stuff if you have a dedicated network engineer on staff, but for a small-medium sized business like us it's pretty damn great and saves us loads of time, effort, and money. My single complaint is the licensing scheme and the fact that the devices apparently become unusable if the licenses lapse but it's not money out of my pocket so whatever.

less than three
Aug 9, 2007



Fallen Rib

Sheep posted:

We're in the process of swapping out all of our branch offices to Meraki APs (and later on MX devices for the firewalls as well). It's so nice to be able to change things on the fly when someone submits a ticket regarding one of these offices since I can just pop into the dashboard and see what's going on and make changes in real time.

I totally understand why you wouldn't want to run this stuff if you have a dedicated network engineer on staff, but for a small-medium sized business like us it's pretty damn great and saves us loads of time, effort, and money. My single complaint is the licensing scheme and the fact that the devices apparently become unusable if the licenses lapse but it's not money out of my pocket so whatever.

Merakis are awesome I'll say it over and over. As for the licencing I believe they don't shut down if you don't pay, but you can't make any more configuration changes.

unknown
Nov 16, 2002
Ain't got no stinking title yet!


less than three posted:

Merakis are awesome I'll say it over and over. As for the licencing I believe they don't shut down if you don't pay, but you can't make any more configuration changes.

Nope - they turn into bricks within a couple of days.

DeNofa
Aug 25, 2009

WILL AMOUNT TO NOTHING IN LIFE.

unknown posted:

Nope - they turn into bricks within a couple of days.

I've also heard this. Only manageable from the cloud with no way to troubleshoot/collect logs locally seems like a joke.

Thanks Ants
May 21, 2004

#essereFerrari


If you want that then you deploy Aironet or not-Cisco.

Aerohive strike a decent balance - cloud managed but the APs don't require the cloud to be available. If you stop paying your bills then the APs chug on as usual, and you can configure them through SSH if you really want to.

the spyder
Feb 18, 2011
So I contacted Meraki and they offered to send a dozen AP's to my site for testing... I was not expecting that. I wanted one, maybe two for some basic testing. Well, we shall see how they work next week.

Sheep
Jul 24, 2003
The line of reasoning is that once you've done the work to install them, it's so much hassle to untangle them from your infrastructure/users/etc. that you'll just pay Meraki money to keep them and buy licenses for all eternity. Solid business plan.

Moey
Oct 22, 2010

I LIKE TO MOVE IT
As others have said, if you have the money to keep paying for Meraki's licensing, they are pretty great.

I run a bunch of APs, access switches and firewalls from them.

Thanks Ants
May 21, 2004

#essereFerrari


Are the firewalls still horrific to configure rules on? Last I checked you couldn't do port translation in a 1:1 NAT scenario, and there was no concept of service groups.

the real blah
Oct 31, 2010
This seems like the best thread for a network documentation question.

I have a few rather large, mishmash, multi-vendor switch networks. There is no visual documentation (or at least no recent documentation that makes sense.) I do have a database (that I have to use a crappy UI to query against) that can give me what a switch is *supposed* to be connected to. I would like to diagram all the physical links and all the trunks that carry a few specific vlans. I'm thinking this would be very tedious to do in Visio (or Dia, which is what I actually have.) One thought I had was using graphviz and using layers to represent the vlans I care about, but I was wondering if anyone had any ideas, or know of any tools to do the diagramming part efficiently.

Actually gathering the information is going to be a pain, but I guess I can churn through all the switches. It sucks because on some switches, most vlans are allowed everywhere, instead of only allowing them on trunks that need them, meaning they are allowed in one direction, but not the other. I do not yet know how consistently I will be able to use SNMP to get the info I need, I may have to log into most of them, gather them manually and spider through the network. That might be easier than writing a script that can deal with multiple vendors and variations within vendors' management interfaces. If anyone could share some tips on this, that would be cool as well.

There are places where vlans are segmented so that VLAN 10 in switch A is a different broadcast domain than VLAN 10 on switch Z. My end goal is to fix this mess and be able to add new links without causing any forwarding loops. Did I mention that due to our crazy multi-vendor build, we don't really have any form of STP working correctly?
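One way to turn the collected trunk data into the diagram, as an added example that is not part of the original post: it takes a constructed inventory (the dict layout, switch names and interface names are assumptions of this example, not any vendor's output), flags links where a VLAN is allowed on one end only, computes each VLAN's broadcast domains so the "VLAN 10 on switch A is not VLAN 10 on switch Z" split shows up as two components, and emits Graphviz DOT so the picture is generated rather than drawn by hand.

```python
"""Per-VLAN trunk map from per-switch trunk data, emitted as Graphviz DOT.

Added example, not code from the thread. TOPOLOGY is a constructed inventory in a
format assumed by this example; a collector (SNMP or scraped 'show' output) fills it.
"""
from collections import defaultdict

# Constructed sample. switch -> local interface -> (peer switch, peer interface,
# VLANs allowed on this end of the trunk). The asymmetries are deliberate.
TOPOLOGY = {
    "swA": {"Gi1/1": ("swB", "Gi1/1", {10, 20, 30}),   # VLAN 30 allowed on this end only
            "Gi1/2": ("swC", "Gi1/1", {10, 20})},
    "swB": {"Gi1/1": ("swA", "Gi1/1", {10, 20}),
            "Gi1/2": ("swZ", "Gi1/1", {20})},          # VLAN 10 is not carried to swZ
    "swC": {"Gi1/1": ("swA", "Gi1/2", {10, 20})},
    "swZ": {"Gi1/1": ("swB", "Gi1/2", {20}),
            "Gi1/2": ("swY", "Gi1/1", {10})},
    "swY": {"Gi1/1": ("swZ", "Gi1/2", {10})},
}


def allowed(topo, switch, iface):
    """VLAN set configured on one end of a trunk (empty if we have no data for it)."""
    return topo.get(switch, {}).get(iface, (None, None, set()))[2]


def physical_links(topo):
    """Undirected physical links, each a frozenset of two (switch, interface) endpoints."""
    links = set()
    for sw, ifaces in topo.items():
        for ifc, (peer, peer_ifc, _) in ifaces.items():
            links.add(frozenset({(sw, ifc), (peer, peer_ifc)}))
    return links


def vlan_links(topo, vlan):
    """Split links into those carrying `vlan` on both ends and those allowing it on one end only."""
    both, one_way = set(), set()
    for link in physical_links(topo):
        (a, a_if), (b, b_if) = sorted(link)
        a_ok, b_ok = vlan in allowed(topo, a, a_if), vlan in allowed(topo, b, b_if)
        if a_ok and b_ok:
            both.add((a, b))
        elif a_ok or b_ok:
            one_way.add((a, b))   # frames enter one side and are dropped at the other
    return both, one_way


def vlan_domains(topo, vlan):
    """Connected components of the VLAN's two-way trunk graph; each is a separate broadcast domain."""
    both, _ = vlan_links(topo, vlan)
    adj = defaultdict(set)
    for a, b in both:
        adj[a].add(b)
        adj[b].add(a)
    seen, domains = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            n = stack.pop()
            if n in comp:
                continue
            comp.add(n)
            stack.extend(adj[n] - comp)
        seen |= comp
        domains.append(frozenset(comp))
    return domains


def to_dot(topo, vlans):
    """Graphviz source: grey physical links, one coloured edge set per VLAN, dashed when one-way."""
    colours = ["red", "blue", "darkgreen", "orange"]
    out = ["graph net {", "  node [shape=box];"]
    for link in sorted(physical_links(topo), key=sorted):
        (a, a_if), (b, b_if) = sorted(link)
        out.append(f'  "{a}" -- "{b}" [label="{a_if} - {b_if}", color=gray];')
    for i, vlan in enumerate(vlans):
        both, one_way = vlan_links(topo, vlan)
        c = colours[i % len(colours)]
        for a, b in sorted(both):
            out.append(f'  "{a}" -- "{b}" [label="vlan {vlan}", color={c}, penwidth=2];')
        for a, b in sorted(one_way):
            out.append(f'  "{a}" -- "{b}" [label="vlan {vlan} ONE-WAY", color={c}, style=dashed];')
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    for v in (10, 20, 30):
        print(f"vlan {v}: domains={[sorted(d) for d in vlan_domains(TOPOLOGY, v)]} "
              f"one_way={sorted(vlan_links(TOPOLOGY, v)[1])}")
    print(to_dot(TOPOLOGY, [10, 30]))
```

On the sample data VLAN 10 comes out as two domains ({swA, swB, swC} and {swY, swZ}) and VLAN 30 as a one-way trunk on swA-swB, which is exactly the pair of faults described above. To fill TOPOLOGY from SNMP on switches that implement the standard MIBs, LLDP-MIB's lldpRemTable gives the neighbour pairs and Q-BRIDGE-MIB's dot1qVlanCurrentEgressPorts gives per-port VLAN membership; where a vendor's MIB support is incomplete, scrape the relevant "show" output into the same dict. Render the output with `dot -Tsvg`.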

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer
I work in branch banking at a bank that has done 8 acquisitions in the past 7 years. I feel your pain.

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

I shouldn't have any problems with getting an IPSec VPN working site to site between two different vendors, right? (Adtran and Fortinet)

I hosed around with settings for a little bit today but I opened a support ticket and I'll just let them help me figure it out, that's what we're paying them for right?

abigserve
Sep 13, 2009

this is a better avatar than what I had before

the real blah posted:

This seems like the best thread for a network documentation question.

I'd doco the physical layer using visio, then work on your VLAN design to see if you can simplify it enough such that you don't need individual diagrams for every one, because that is insane.

Slickdrac
Oct 5, 2007

Not allowed to have nice things

Bob Morales posted:

I shouldn't have any problems with getting an IPSec VPN working site to site between two different vendors, right? (Adtran and Fortinet)

I hosed around with settings for a little bit today but I opened a support ticket and I'll just let them help me figure it out, that's what we're paying them for right?

In theory, no. But VPN is always a bastard that takes a bit of smacking around when you pair devices you've not done before.

the real blah posted:

This seems like the best thread for a network documentation question.

Visio isn't too bad once you've put a few hundred hours into it. With multivendor, you're not likely to get a decent layout from any auto mapping device (especially with hosed configs/vlan), and depending on how anal you or your boss is on layout, it might be more tedious to edit what some tool spits out. You SHOULD be able to pull down configs at least from most with any non vendor specific config management software. You are running some sort of central login, I hope, worst case same local account? Nab a trial if you need to of a high end config manager, just make sure it allows enough devices.

Slickdrac fucked around with this message at 03:32 on Jun 15, 2015

Contingency
Jun 2, 2007

MURDERER

Bob Morales posted:

I shouldn't have any problems with getting an IPSec VPN working site to site between two different vendors, right? (Adtran and Fortinet)

I hosed around with settings for a little bit today but I opened a support ticket and I'll just let them help me figure it out, that's what we're paying them for right?

I've had problems with a Fortinet<>ASA VPN where when the ASA attempted to establish the VPN, the Fortinet would not respond to QM negotiation. The Fortinet wasn't my side, but I believe it was something like policy mode being selected or not selected or whatever that made the Fortinet treat the tunnel as outbound only.

The tech waited a week to call tech support (who caught the problem immediately), so if you've done so already, you're ahead of the game.

wolrah
May 8, 2006
what?

Slickdrac posted:

In theory, no. But VPN is always a bastard that takes a bit of smacking around when you pair devices you've not done before.

Exactly this. I've never been unable to get the two ends talking eventually, but more often than not it doesn't work the first time even if the settings appear to match at each end. Inevitably the logs are useless on both ends so figuring out which device doesn't like what can be a major challenge. Doubly so if the far end is not under your control and/or can not have settings changed for whatever reason.

psydude
Apr 1, 2008

Heartache is powerful, but democracy is *subtle*.
ASA site to site VPN is the worst thing ever when you're trying to do any sort of routing across it.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

Bob Morales posted:

I shouldn't have any problems with getting an IPSec VPN working site to site between two different vendors, right? (Adtran and Fortinet)

I hosed around with settings for a little bit today but I opened a support ticket and I'll just let them help me figure it out, that's what we're paying them for right?

Most of my cross-vendor issues have been related to how you create phase twos. For instance, Cisco lets you easily group a bunch of subnets together into a single phase two, and Fortinet (used to, maybe still does) only allows one subnet per phase two, so you had to have a shitload of them.

Contingency
Jun 2, 2007

MURDERER

psydude posted:

ASA site to site VPN is the worst thing ever when you're trying to do any sort of routing across it.

Is it more difficult than enabling RRI on the specific crypto map entries and calling it a day?

jaegerx
Sep 10, 2012

Maybe this post will get me on your ignore list!


the real blah posted:

This seems like the best thread for a network documentation question.

Zenoss has a network graphing feature I believe. It was on the roadmap anyway.

BurgerQuest
Mar 17, 2009

by Jeffrey of YOSPOS

adorai posted:

most of my cross vendor issues have been related to how you create phase twos. For instance, cisco lets you easily group a bunch of subnets together into a single phase two, and fortinet (used to, maybe still does) only allows one subnet per phase two, so you had to have a shitload of them.

Pretty sure they fixed this, or at least you can reference an address group now which can/should match the reverse of the ACL on the Cisco side. I haven't touched FortiOS much in the last 6 months though so I'm a bit rusty now.
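A check for the phase 2 mismatch described in the two posts above, as an added example that is not part of the thread: it expands a Cisco-style crypto ACL (several local subnets and several remote subnets in one entry) into the per-pair selectors a one-subnet-per-phase-2 peer has to carry, mirrors them, and diffs that against the peer's list. The subnets and the peer's selector list are constructed for the example; the last peer entry has a deliberately wrong mask.

```python
"""Expand a Cisco-style crypto ACL into per-pair phase 2 selectors and diff them
against a peer that takes one subnet pair per phase 2.

Added example, not code from the thread. Both selector lists are constructed.
"""
from ipaddress import ip_network

# Constructed: the Cisco side, one crypto ACL covering three local and two remote subnets.
CISCO_LOCAL = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24"]
CISCO_REMOTE = ["192.168.50.0/24", "192.168.51.0/24"]

# Constructed: the peer side, as (its local, its remote) per phase 2 selector.
# The last entry has a typo'd mask, the kind of thing that makes QM fail with no useful log.
PEER_PHASE2 = [
    ("192.168.50.0/24", "10.1.0.0/24"),
    ("192.168.50.0/24", "10.1.1.0/24"),
    ("192.168.50.0/24", "10.1.2.0/24"),
    ("192.168.51.0/24", "10.1.0.0/24"),
    ("192.168.51.0/24", "10.1.1.0/24"),
    ("192.168.51.0/24", "10.1.2.0/25"),
]


def expand(local, remote):
    """Every (local, remote) pair the ACL covers: one phase 2 each on a one-pair-per-SA peer."""
    return {(ip_network(l), ip_network(r)) for l in local for r in remote}


def mirror(pairs):
    """What the far end must configure: local and remote swapped."""
    return {(r, l) for l, r in pairs}


def fmt(pair):
    return f"{pair[0]} <-> {pair[1]}"


def diff_selectors(cisco_local, cisco_remote, peer_pairs):
    """Pairs the peer is missing, pairs it has that the ACL does not cover, and which of
    those extras are merely narrower than an expected pair (an IKEv2 peer may negotiate
    a narrower selector; IKEv1 quick mode responders generally just reject it)."""
    expected = mirror(expand(cisco_local, cisco_remote))
    actual = {(ip_network(l), ip_network(r)) for l, r in peer_pairs}
    extra = actual - expected
    narrower = {p for p in extra
                if any(p[0].subnet_of(e[0]) and p[1].subnet_of(e[1]) for e in expected)}
    return {
        "missing_on_peer": sorted(map(fmt, expected - actual)),
        "extra_on_peer": sorted(map(fmt, extra)),
        "narrower_than_acl": sorted(map(fmt, narrower)),
    }


if __name__ == "__main__":
    for k, v in diff_selectors(CISCO_LOCAL, CISCO_REMOTE, PEER_PHASE2).items():
        print(k, v)
```

Run against the sample data it reports one selector missing on the peer (192.168.51.0/24 <-> 10.1.2.0/24) and one extra that is only narrower than the ACL (the /25), which is the pair that will never come up. Feed it the real ACL and the real selector list before opening the ticket and the "both ends look the same" argument gets settled in seconds.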

Bob Morales
Aug 18, 2006

Contingency posted:

The tech waited a week to call tech support (who caught the problem immediately), so if you've done so already, you're ahead of the game.

They got it working in like 5 minutes. Nice.

I forgot HP switches won't use Netgear SFP modules but Netgears will use HP's...

So I still have 2 Netgears on the network and they aren't passing VLANs right. Derp.

Thanks Ants
May 21, 2004

#essereFerrari


Throw the Netgears away before they send you crazy.

Bob Morales
Aug 18, 2006

Thanks Ants posted:

Throw the Netgears away before they send you crazy.

That's why I got the HP's. I'm going to be office-spacing the Netgears tomorrow after the Axiom SFP modules come in.

Thanks Ants
May 21, 2004

#essereFerrari


I just had a Netgear bonfire with some switches that randomly wouldn't pass broadcast traffic and kept dropping packets and shutting ports down at random. Fuck those things.

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE
Just applied for a /40 of IPv6 space from ARIN. Time to enter a completely new world of bugs.

Slickdrac
Oct 5, 2007

Not allowed to have nice things

FatCow posted:

Just applied for a /40 of IPv6 space from ARIN. Time to enter a completely new world of bugs.

And exploits :mrwhite:

doomisland
Oct 5, 2004

FatCow posted:

Just applied for a /40 of IPv6 space from ARIN. Time to enter a completely new world of bugs.

Welcome friend.

KennyG
Oct 22, 2002
Here to blow my own horn.
I'm guessing since there is no enterprise WIRED networking thread, this is as good a place as any to discuss. I have a network architecture issue that's crushing my budget. I have a new pair of datacenters that share an ASN and BGP routed block. They are connected with a pair of L2 10gig links. The whole IP address scheme and systems architecture in general was designed on a shared layer 2 providing free floating VM mobility across sites.

I want our routers to do all layer 3 traffic manipulation so I can force network firewall ACLs. To do this, I need to license the ASR-1001-x to the tune of 20gb which is crushing me. Ultimately I need HSRP or VRRP or similar to allow the .1 gateway address to float properly in a failover situation. Obviously the $180k+ list (take that with the usual grain of salt) for that config is still crushing my budget.

BSDRP or pfSense come to mind but this strikes me as insanely risky in a production enterprise environment without a full time, dedicated network engineer. Anyone have words of wisdom to share or another strategy to think about for this? I am on my iPad or I would give a drawing. Well let's try this....


KennyG fucked around with this message at 22:32 on Jun 21, 2015

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

KennyG posted:

BSDRP or pfSense come to mind but this strikes me as insanely risky in a production enterprise environment without a full time, dedicated network engineer. Anyone have words of wisdom to share or another strategy to think about for this? I am on my iPad or I would give a drawing. Well let's try this....


For what it's worth, we run VyOS in production and other than a recent issue with a carrier layer two loop causing our OSPF process to die (our Cisco gear handled it quite gracefully, VyOS not so much), we haven't had any major problems. I would say we started using Vyatta in production in 2010 or so, and haven't looked back.

1000101
May 14, 2003

BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY FRUITCAKE!

KennyG posted:

I'm guessing since there is no enterprise WIRED networking thread, this is as good a place as any to discuss. I have a network architecture issue that's crushing my budget. I have a new pair of datacenters that share an ASN and BGP routed block. They are connected with a pair of L2 10gig links. The whole IP address scheme and systems architecture in general was designed on a shared layer 2 providing free floating VM mobility across sites.

Could just do l3 on the 5ks assuming it's a 5600 or you have the l3 module. Are your firewalls running in transparent mode? Do you need stateful inspection between all your VLANs or just security zones?

KennyG
Oct 22, 2002
Here to blow my own horn.

1000101 posted:

Could just do l3 on the 5ks assuming it's a 5600 or you have the l3 module. Are your firewalls running in transparent mode? Do you need stateful inspection between all your VLANs or just security zones?

Stateful? Probably not. Robust ACL, yes.

The issue I run into is the fact that the firewall services provide proxy content filtering, IPS/IDS, site-to-site VPN, DPI and a number of other security services beyond firewalling. I like the SonicWalls we have but I get the feeling we have outgrown Dell networking products at this point. If I move to a L3 license on the 5600s I have a similar problem as they are not a single shared logical unit (HSRP). There are 4 5596UPs in two sites, two in each DC.

1000101
May 14, 2003

BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY FRUITCAKE!

KennyG posted:

Stateful? Probably not. Robust ACL, yes.

The issue I run into is the fact that the firewall services provide proxy content filtering, IPS/IDS, site-to-site VPN, DPI and a number of other security services beyond firewalling. I like the SonicWalls we have but I get the feeling we have outgrown Dell networking products at this point. If I move to a L3 license on the 5600s I have a similar problem as they are not a single shared logical unit (HSRP). There are 4 5596UPs in two sites, two in each DC.

What does a "robust ACL" entail, though? If it's just "I want to stop traffic from source X to destination Y on port Z" then a Nexus 5600 can do that fairly well. I think it might support logging if you need to track it (this was an issue on the 5500s with L3.)

You can also enable HSRP on the 5600s relatively easily with vPC and it'll support OSPF/BGP for northbound routing. They also have pretty decent l3 performance compared to the 5500s with an L3 card.

feature hsrp
feature interface-vlan

interface Vlan<x>
  ip address <this switch's own SVI address>/<len>
  hsrp <x>
    ip 1.2.3.4
    preempt

optionally configure vPC for optimal traffic flowing.

I'd generally do HSRP just for servers/VMs to find their default gateway then for l3 traffic northbound (up to your ASRs for example) just use ospf. Try to avoid having all your inter-vlan go through the firewall as it may cause more problems. Instead design around the idea that you traverse the firewall to go inter-security zone (i.e. from users to servers, servers to DMZ, users to internet, and users to servers.) For each security zone you'd create a vrf and have that vrf's route to any other security zone be through your firewalls.

Your ASRs should only need enough horsepower to get data in and out of that given site.

Maneki Neko
Oct 27, 2000

So what are people doing for teleworkers and such? We've been using Meraki Z1s, but they're doubling the price on them in the near future, which is bananas so we're starting to look at around at alternatives.

Weatherman
Jul 30, 2003

WARBLEKLONK
Does longest-match prefix processing work in the following situation?

The network 10.0.128.0/17 exists behind a router-firewall. This network is subnetted further into about 10 subnets, each of which is on a separate VLAN. There is an egress to the intertubes, and another egress to the rest of the company network on 10.0.0.0/8.

The latter egress is on the subnet 10.0.199.0/24 (interface is .1). The upstream router routes 10.0.128.0/17 to 10.0.199.1. In other words, the upstream router is trying to route traffic to a router that is inside the range of the network it doesn't know how to route to (to my eyes, anyway). The network manager says no this is fine, LPM takes care of it.

I thought that this was weird. I get when you use LPM to choose between two next hops for two overlapping network ranges, but is it also possible here, to route a network's traffic to a host inside that network?

The reason I ask is that we're having routing issues and both the network team and the firewall team are waving towards each other. I'd like to figure out what's going on so we can get the issue resolved.

Slickdrac
Oct 5, 2007

Not allowed to have nice things

Weatherman posted:

Does longest-match prefix processing work in the following situation?

Possibly confused trying to follow that, but if the upstream router does not have a direct connection, or a route entry in its table for the 10.0.199.0/24 network, it's not going to work. You can route a supernet to an address inside the supernet, but it needs to know how to get to that address first, otherwise it will just use whatever default route it has configured.
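The two cases in that answer worked through in code, as an added example that is not part of the thread: a toy RIB that does longest-prefix match and then resolves the next hop recursively, built from the addresses in the question (the interface names, the default route and the 10.0.0.0/24 link are assumptions of the example). With a connected 10.0.199.0/24 present, the /17's next hop resolves through the more specific connected route; without it, the best route to 10.0.199.1 is the /17 itself, which is the recursion the answer warns about.

```python
"""Longest-prefix match with recursive next-hop resolution, to answer "can I route a
prefix to a next hop that lives inside that prefix?".

Added example, not code from the thread. Routes are constructed from the question's
addresses; interface names and the default route are assumptions.
"""
from ipaddress import ip_address, ip_network


class Rib:
    def __init__(self):
        self.routes = []  # (prefix, next_hop or None if connected, egress interface or None)

    def add(self, prefix, next_hop=None, iface=None):
        nh = ip_address(next_hop) if next_hop else None
        self.routes.append((ip_network(prefix), nh, iface))

    def lookup(self, dst):
        """Plain longest-prefix match: the most specific route containing dst, or None."""
        dst = ip_address(dst)
        hits = [r for r in self.routes if dst in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen, default=None)

    def resolve(self, dst, max_depth=8):
        """Follow next hops until a connected prefix is reached. Detects the case
        where a route's next hop is itself best reached through that same route."""
        hop = ip_address(dst)
        path = []
        for _ in range(max_depth):
            route = self.lookup(hop)
            if route is None:
                return {"result": "unroutable", "path": path}
            prefix, nh, iface = route
            path.append(str(prefix))
            if nh is None:  # connected: hand the packet to `hop` out of `iface`
                return {"result": "forward", "iface": iface, "gateway": str(hop), "path": path}
            if nh == hop:   # the next hop's best route is the route pointing at it
                return {"result": "recursive_loop", "path": path}
            hop = nh
        return {"result": "too_deep", "path": path}


def upstream_with_connected_link():
    """The working case: the /24 holding the firewall's outside interface is directly connected."""
    r = Rib()
    r.add("10.0.0.0/24", iface="Gi0/0")              # assumed core-facing link
    r.add("0.0.0.0/0", next_hop="10.0.0.1")          # assumed default
    r.add("10.0.199.0/24", iface="Gi0/1")            # link to the firewall, inside the /17
    r.add("10.0.128.0/17", next_hop="10.0.199.1")    # the route in the question
    return r


def upstream_missing_connected_link():
    """Same, minus the connected /24: the /17 is now the best route to its own next hop."""
    r = Rib()
    r.add("10.0.0.0/24", iface="Gi0/0")
    r.add("0.0.0.0/0", next_hop="10.0.0.1")
    r.add("10.0.128.0/17", next_hop="10.0.199.1")
    return r


if __name__ == "__main__":
    print(upstream_with_connected_link().resolve("10.0.130.5"))
    print(upstream_missing_connected_link().resolve("10.0.130.5"))
```

A real router will not install a static route whose next hop only resolves through itself (IOS logs it as recursive routing and drops the route), so in the second case the traffic for 10.0.128.0/17 silently takes the default route, which is the behaviour the answer describes. The thing to check on the upstream is therefore what `show ip route 10.0.199.1` returns: it needs to be the connected /24 (or some route more specific than the /17), not the /17.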
