Bigass Moth
Mar 6, 2004

I joined the #RXT REVOLUTION.
:boom:
he knows...
Yes check the release notes.


Thanks Ants
May 21, 2004

#essereFerrari


http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/release_notes.html#pgfId-2560852

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE

Collateral Damage posted:

They forgot the "delusional competence" which is usually the third step, where people have learned a little and think they know it all.

https://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect

So who's going to be at NANOG in a few weeks?

OmniCorp
Oct 30, 2004




Moey posted:

This. Networking is an endless pit of learning, just have to keep digging.

Throwing out a plug for Network Warrior. Great read.

http://www.amazon.com/Network-Warrior-Gary-A-Donahue/dp/1449387861

I enjoyed reading this after getting my CCNA. I saved the duplex chapter to educate anyone questioning why auto/half/full/no-negotiate matters.

wolrah
May 8, 2006
what?

OmniCorp posted:

I saved the duplex chapter to educate anyone questioning why auto/half/full/no-negotiate matters.

Just to be clear, you're saying it matters in that it's good to know the symptoms of a failure to autonegotiate so you can identify and fix the problem, right?

Because if you're saying that manually setting those things when you're not forced to by something like a broken and unfixable/irreplaceable device at the far end is a good idea, I'd like to hear your thought process.


I'm glad it's been a few years since I've run into an ISP that insisted on hardcoding the interfaces on their managed circuit hardware to 100/full or 1000/full.

Slickdrac
Oct 5, 2007

Not allowed to have nice things

wolrah posted:

Just to be clear, you're saying it matters in that it's good to know the symptoms of a failure to autonegotiate so you can identify and fix the problem, right?

Because if you're saying that manually setting those things when you're not forced to by something like a broken and unfixable/irreplaceable device at the far end is a good idea, I'd like to hear your thought process.


I'm glad it's been a few years since I've run into an ISP that insisted on hardcoding the interfaces on their managed circuit hardware to 100/full or 1000/full.

Ran into an issue a few months ago where devices were auto setting themselves to 10/half, and it was because one of the two fiber converters was ancient between the two centers (good keeping up to date Equinix!)

OmniCorp
Oct 30, 2004




wolrah posted:

Just to be clear, you're saying it matters in that it's good to know the symptoms of a failure to autonegotiate so you can identify and fix the problem, right?

Because if you're saying that manually setting those things when you're not forced to by something like a broken and unfixable/irreplaceable device at the far end is a good idea, I'd like to hear your thought process.


I'm glad it's been a few years since I've run into an ISP that insisted on hardcoding the interfaces on their managed circuit hardware to 100/full or 1000/full.

Because it's good to know the symptoms and it's an easy thing to check when troubleshooting. I have had newer techs not understand why a mismatch would happen and the performance impact. We have customers that are still requesting 100/full.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer
I understand the sentiment when at the demarc, when you hardcode you avoid a possible autonegotiate problem.

Thanks Ants
May 21, 2004

#essereFerrari


I have no real issues with ISP handing off with a port set manually, but tell me what you set it to in your circuit documentation! I've even had issues where I've been told to use 100/Full and it turns out their documentation was out of date and autonegotiate was the way to go.

Come on guys, this is important.

Incidentally, I'm quite new to all this (going through my CCNA at the moment) - are the console messages about duplex mismatch a feature of CDP, or does Cisco stuff use some other voodoo to work out that you might have an issue?

Partycat
Oct 25, 2004

That's CDP and the message is even prefaced with like %4-CDP-SHTFUK-DUPLEXMISMATCH or whatever.

There is nothing wrong with setting it manually if you need it to because your equipment sucks, the other side is set manually (and it is not yours or cannot be changed), or:

- You want it to fail out of service instead of re-negotiating to 100/F when a wire opens or something happens to the circuit
- You're using an unsuitable medium (category 3 cable) and you want to fix it at 10/F just to get service until you can repair the fiber optics (that's happened)
- Re-iterating the equipment being a piece of poo poo or having bad drivers and being unable to operate until you fix it at 100/A

Some gear can be set with the speed set to a fixed value but the duplex auto - that's better as at least you won't have that 100/F fixed that turns into 100/H on the other end bullshit.

Generally changing some configuration items from standard would not be considered wrong - but there is wrong and practice. Part of the CCNA talks about the role of the technician, vs, engineer and architect. lovely technicians are dime-a-dozen, and lovely engineers let stuff get out undocumented only for techs to "break" them later.

Also on non-fixed links like hosts this is just waiting for you to try and figure out why some port is "screwed up" later.

Some of Fluke's tools, namely the CableIQ, will display the available negotiation rates. I haven't come up with any good way to figure that out otherwise from a laptop, per se.

Don't bet on the console messages as not everything is Cisco, and even with Cisco sometimes CDP is off.
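Two checks a defender can script around the points in this post, as an added example that is not from the thread or from Cisco: the first pulls duplex-mismatch findings out of syslog lines (the Cisco IOS message ID %CDP-4-DUPLEX_MISMATCH and its wording are assumed from memory, and the sample lines are constructed); the second predicts what a link will do from both ends' configured settings, which is the only option when CDP is off or the far end is not Cisco. The "auto end settles at half" rule is the standard parallel-detection fallback the thread calls the "100/F that turns into 100/H" problem.

```python
import re
from dataclasses import dataclass

# Assumed shape of the Cisco IOS duplex-mismatch syslog message; the sample
# lines below are constructed for this example, not captured from a device.
DUPLEX_MISMATCH_RE = re.compile(
    r"%CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on (?P<local_if>\S+) "
    r"\((?P<local_state>[^)]*)\), with (?P<neighbor>\S+) (?P<remote_if>\S+) "
    r"\((?P<remote_state>[^)]*)\)"
)

SAMPLE_SYSLOG = """
<187>Sep 25 06:25:01 sw1 1234: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on GigabitEthernet1/0/5 (not half duplex), with sw2.example.net GigabitEthernet1/0/7 (half duplex).
<189>Sep 25 06:25:02 sw1 1235: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/8, changed state to up
<187>Sep 25 06:25:03 sw1 1236: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/1 (not full duplex), with router1 FastEthernet0/0 (full duplex).
""".strip().splitlines()


@dataclass(frozen=True)
class DuplexMismatch:
    local_if: str
    local_state: str
    neighbor: str
    remote_if: str
    remote_state: str


def find_duplex_mismatches(lines):
    """Return one DuplexMismatch per CDP duplex-mismatch message in lines."""
    found = []
    for line in lines:
        m = DUPLEX_MISMATCH_RE.search(line)
        if m:
            found.append(DuplexMismatch(**m.groupdict()))
    return found


def predict_link(a, b):
    """Predict the outcome of connecting two Ethernet ends whose settings are
    known (e.g. from config backups), so a mismatch can be found even where
    no CDP message will ever appear. Each end is a dict with 'auto' (bool)
    and, when auto is False, 'speed' (Mb/s) and 'duplex' ('full'|'half').
    Returns a (status, detail) tuple."""
    if a["auto"] and b["auto"]:
        return ("ok", "both ends autonegotiate")
    if a["auto"] != b["auto"]:
        fixed = b if a["auto"] else a
        # Parallel detection: the autonegotiating side learns the speed from
        # the link pulses but cannot learn duplex, so it falls back to half.
        if fixed["duplex"] == "full":
            return ("duplex-mismatch",
                    f"fixed end is {fixed['speed']}/full, auto end settles at "
                    f"{fixed['speed']}/half")
        return ("ok", f"both ends at {fixed['speed']}/half")
    if a["speed"] != b["speed"]:
        return ("link-down", f"speed mismatch {a['speed']} vs {b['speed']}")
    if a["duplex"] != b["duplex"]:
        return ("duplex-mismatch",
                f"{a['duplex']} vs {b['duplex']} at {a['speed']}")
    return ("ok", f"both ends fixed at {a['speed']}/{a['duplex']}")


if __name__ == "__main__":
    for hit in find_duplex_mismatches(SAMPLE_SYSLOG):
        print(f"{hit.local_if} ({hit.local_state}) <-> "
              f"{hit.neighbor} {hit.remote_if} ({hit.remote_state})")
    print(predict_link({"auto": True},
                       {"auto": False, "speed": 100, "duplex": "full"}))
```

The predicted-outcome function is the part worth keeping in a change-control check: run it over the two ends of every hardcoded link in your config backups before a tech swaps hardware, and the undocumented 100/full handoff shows up before the circuit does.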

wolrah
May 8, 2006
what?

adorai posted:

I understand the sentiment when at the demarc, when you hardcode you avoid a possible autonegotiate problem.

Or you create one when the next tech down the line who never received the original documentation about the hardcode (if it exists) goes to plug in a piece of replacement hardware after whatever was hooked up there takes a lightning strike.

I don't think you're avoiding any problems by hardcoding when the equipment at the far side is unpredictable, just changing them. You avoid problems with lovely gear that doesn't autonegotiate properly, but you create problems for the rest of us who reasonably expect autonegotiate to work on anything 100mbit or above.


Obviously when the far side can't be fixed you do what you have to, likewise for forcing a link up temporarily in unusual circumstances.

Partycat, your gig link going down versus failing to 100/f is possibly the first time I've heard a situation described where auto would work just fine but fixed config actually offers a benefit. In theory 100mbit and above autonegotiation can actually specify that it'll only accept certain rates, allowing one to force a rate without disabling autonegotiation, but I certainly wouldn't be surprised to find out that can't be customized on a lot of ethernet devices.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

wolrah posted:

Or you create one when the next tech down the line who never received the original documentation about the hardcode (if it exists) goes to plug in a piece of replacement hardware after whatever was hooked up there takes a lightning strike.

I don't think you're avoiding any problems by hardcoding when the equipment at the far side is unpredictable, just changing them. You avoid problems with lovely gear that doesn't autonegotiate properly, but you create problems for the rest of us who reasonably expect autonegotiate to work on anything 100mbit or above.

Do you not back up configs for reference? I don't understand how you could not see the hardcode in a previous config.

wolrah
May 8, 2006
what?

adorai posted:

Do you not backup configs for reference? I don't understand how you could not see the hardcode in a previous config.

The company I work for does outsourced IT type stuff for small/medium businesses. A lot of our business on that side has started with existing customers of our VoIP service who come to us for help after something failed that was set up by some other vendor years ago or the kid of the old boss or whatever. Between that sort of thing and installing our supported routers for VoIP in place of problematic existing ones for which the password is long gone I'll admit that I end up dealing with a disproportionate amount of these undocumented situations.

Bigass Moth
Mar 6, 2004

I joined the #RXT REVOLUTION.
:boom:
he knows...
Anyone have a good book or video series to help master access lists? They are by far my weakest points.

ate shit on live tv
Feb 15, 2004

by Azathoth

OmniCorp posted:

Because it's good to know the symptoms and it's an easy thing to check when troubleshooting. I have had newer techs not understand why a mismatch would happen and the performance impact. We have customer that are still requesting 100/full.

This is the golden rule and should be the law of the land.

If you are connecting at 1GE, you should do auto/auto. As auto negotiation is part of the GigE spec.

If you are connecting at less than 1 gig, hard code the speed/duplex.

If both sides are auto but are coming up at 10/half or not coming up, you have a bad cable/patch or a lovely intermediary device, i.e. a media converter.

Hard code to 1000/full only as a last resort.

ate shit on live tv
Feb 15, 2004

by Azathoth
Also apparently Juniper doesn't have a way to look at access-lists a la "show access-list."

tortilla_chip
Jun 13, 2007

k-partite
show firewall filter ?

ate shit on live tv
Feb 15, 2004

by Azathoth

tortilla_chip posted:

show firewall filter ?

That just lists the name of the filters. This is on a firewall that is terminating vpns and doing natting.

The command gives no other information.

Thanks Ants
May 21, 2004

#essereFerrari


show firewall

Just by itself?

ate shit on live tv
Feb 15, 2004

by Azathoth

Thanks Ants posted:

show firewall

Just by itself?

Nope. Just shows the name of the filters. But no detail on what the filters are doing or where they are applied. I'm also not sure if the list is exhaustive. No "hit counts" either. This is an srx1600 I think. I'll check tomorrow.

I don't think juniper has a concept that sometimes you use an access list to mark "interesting traffic" for say a site-to-site vpn. Or possibly to restrict control-plane management. All are access lists. All should be displayed.

psydude
Apr 1, 2008

Heartache is powerful, but democracy is *subtle*.
So I'm having some issues with 6800 IA switches. The design requires us to run 15.2 in order to leverage the increased number of switches per stack (5) and the increased number of total switches supported per 6880 (42). I can provision and join each FEX stack while the 6880 is running 15.1, but the switches won't auto upgrade or join while the 6880 is running 15.2. Any ideas?

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

Powercrazy posted:

Nope. Just shows the name of the filters. But no detail on what the filters are doing or where they are applied. I'm also not sure if the list is exhaustive. No "hit counts" either. This is an srx1600 I think. I'll check tomorrow.

I don't think juniper has a concept that sometimes you use an access list to mark "interesting traffic" for say a site-to-site vpn. Or possibly to restrict control-plane management. All are access lists. All should be displayed.

Add a count statement to "then" to get counters on actions.

OmniCorp
Oct 30, 2004




Powercrazy posted:

Nope. Just shows the name of the filters. But no detail on what the filters are doing or where they are applied. I'm also not sure if the list is exhaustive. No "hit counts" either. This is an srx1600 I think. I'll check tomorrow.

I don't think juniper has a concept that sometimes you use an access list to mark "interesting traffic" for say a site-to-site vpn. Or possibly to restrict control-plane management. All are access lists. All should be displayed.

SRX firewall/nat/vpn information will be located under the security stanza.

show security policies detail
show security ike/ipsec security-associations detail
show security nat source/destination/static rule all
show configuration security ...

beepsandboops
Jan 28, 2014
We're thinking about transitioning from DAS to a proper SAN, but don't really have the backbone for it atm. All of the storage vendors we talk to recommend we go 10G for iSCSI--any recommendations for babby's first 10G switch?

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

beepsandboops posted:

We're thinking about transitioning from DAS to a proper SAN, but don't really have the backbone for it atm. All of the storage vendors we talk to recommend we go 10G for iSCSI--any recommendations for babby's first 10G switch?

A pair of 4500x switches can be had for under $20k.

hanyolo
Jul 18, 2013
I am an employee of the Microsoft Gaming Division and they pay me to defend the Xbox One on the Something Awful Forums

Powercrazy posted:

Nope. Just shows the name of the filters. But no detail on what the filters are doing or where they are applied. I'm also not sure if the list is exhaustive. No "hit counts" either. This is an srx1600 I think. I'll check tomorrow.

I don't think juniper has a concept that sometimes you use an access list to mark "interesting traffic" for say a site-to-site vpn. Or possibly to restrict control-plane management. All are access lists. All should be displayed.

make sure you're in conf mode before running the commands mentioned in this thread. "show firewall" means completely different things in > and # modes.

Other tips (all in conf (#) mode):

show firewall
- shows the currently configured firewall filters. These are stateless firewall filters; if you're using an SRX you will have to use security policies as well

code:
# show firewall                  
filter limit-mgmt-access {
    term permit-ssh-ssl {
        from {
            source-address {
                1.2.3.4/32;
            }
            protocol tcp;
            port [ ssh 4443 ];
        }
        then accept;
    }
    term deny-all-other-ssl-ssh {
        from {
            protocol tcp;
            port [ ssh 4443 ];
        }
        then {
            count denycount;
            discard;
        }
    }
    term default {
        then accept;
    }
}
show | display set | match firewall filter name
- shows you the specific firewall filter configuration, and where it is applied. "display set" lets you easily copy and paste config statements

code:
# show | display set | match limit-mgmt-access 
set interfaces pp0 unit 0 family inet filter input limit-mgmt-access
set firewall filter limit-mgmt-access term permit-ssh-ssl from source-address 1.2.3.4/32
set firewall filter limit-mgmt-access term permit-ssh-ssl from protocol tcp
set firewall filter limit-mgmt-access term permit-ssh-ssl from port ssh
--snip---
Edit:

Just read the rest of your post. All control plane management is done through firewall filters to the loopback interface. See this guide if you're looking to do control plane policing:

http://www.juniper.net/us/en/training/jnbooks/day-one/fundamentals-series/hardening-junos-devices-checklist/

In most cases you should be fine with tuned "host-inbound-traffic" settings on each security zone. This will restrict what traffic is allowed to the firewall itself

In terms of "interesting traffic" for a VPN, any traffic that tries to go out the st0.x interface will try and bring up the VPN. I usually just force the VPN tunnel up at all times with the below:

code:
set security ipsec vpn VPNNAME establish-tunnels immediately

hanyolo fucked around with this message at 06:25 on Sep 25, 2015
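The `show | display set | match <name>` trick above answers "where is this filter applied" one filter at a time. As an added example (not from the thread or from Juniper), here is a small parser over `display set` output that builds the whole picture at once: every filter's terms, which interface/unit/family/direction each filter is applied on, filters that are defined but applied nowhere, and discard/reject terms with no `count` action (so, as falz noted, they will never show a hit counter). The sample lines mirror the shape in the post; the protect-re and unused-filter lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of "show | display set" output. The limit-mgmt-access
# lines follow the shape shown in the post; protect-re and unused-filter
# are made up for this example.
SAMPLE_DISPLAY_SET = """
set interfaces pp0 unit 0 family inet filter input limit-mgmt-access
set interfaces lo0 unit 0 family inet filter input protect-re
set firewall filter limit-mgmt-access term permit-ssh-ssl from source-address 1.2.3.4/32
set firewall filter limit-mgmt-access term permit-ssh-ssl from protocol tcp
set firewall filter limit-mgmt-access term permit-ssh-ssl from port ssh
set firewall filter limit-mgmt-access term permit-ssh-ssl from port 4443
set firewall filter limit-mgmt-access term permit-ssh-ssl then accept
set firewall filter limit-mgmt-access term deny-all-other-ssl-ssh from protocol tcp
set firewall filter limit-mgmt-access term deny-all-other-ssl-ssh from port ssh
set firewall filter limit-mgmt-access term deny-all-other-ssl-ssh from port 4443
set firewall filter limit-mgmt-access term deny-all-other-ssl-ssh then count denycount
set firewall filter limit-mgmt-access term deny-all-other-ssl-ssh then discard
set firewall filter limit-mgmt-access term default then accept
set firewall family inet filter protect-re term bgp from protocol tcp
set firewall family inet filter protect-re term bgp from port bgp
set firewall family inet filter protect-re term bgp then accept
set firewall family inet filter protect-re term drop-rest then discard
set firewall filter unused-filter term t1 then accept
""".strip().splitlines()

# "set firewall filter X ..." and "set firewall family inet filter X ..."
# are both valid renderings, so the family keyword is optional.
FILTER_RE = re.compile(
    r"^set firewall (?:family \S+ )?filter (?P<name>\S+) term (?P<term>\S+) (?P<rest>.+)$"
)
APPLY_RE = re.compile(
    r"^set interfaces (?P<iface>\S+) unit (?P<unit>\d+) family (?P<family>\S+) "
    r"filter (?P<direction>input|output) (?P<name>\S+)$"
)


def parse_display_set(lines):
    """Return (filters, applied): filters maps name -> term -> [statements],
    applied maps name -> ['iface.unit family direction', ...]."""
    filters = defaultdict(lambda: defaultdict(list))
    applied = defaultdict(list)
    for raw in lines:
        line = raw.strip()
        m = FILTER_RE.match(line)
        if m:
            filters[m["name"]][m["term"]].append(m["rest"])
            continue
        m = APPLY_RE.match(line)
        if m:
            applied[m["name"]].append(
                f"{m['iface']}.{m['unit']} {m['family']} {m['direction']}")
    return filters, applied


def unapplied_filters(filters, applied):
    """Filters defined in config but not applied to any interface."""
    return sorted(name for name in filters if name not in applied)


def drop_terms_without_counter(filters):
    """(filter, term) pairs that discard or reject without a 'count' action,
    so 'show firewall' in > mode will never show hits for them."""
    out = []
    for name, terms in filters.items():
        for term, stmts in terms.items():
            drops = any(s == "then discard" or s.startswith("then reject")
                        for s in stmts)
            counted = any(s.startswith("then count ") for s in stmts)
            if drops and not counted:
                out.append((name, term))
    return sorted(out)


if __name__ == "__main__":
    filters, applied = parse_display_set(SAMPLE_DISPLAY_SET)
    for name in sorted(filters):
        print(f"{name}: terms={sorted(filters[name])} applied={applied.get(name, [])}")
    print("unapplied:", unapplied_filters(filters, applied))
    print("uncounted drops:", drop_terms_without_counter(filters))
```

Feed it the output of `show | display set` from `#` mode (or `show configuration | display set` from `>` mode) and you get the "where is it applied" answer for every filter in one pass rather than one `match` at a time.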

ate shit on live tv
Feb 15, 2004

by Azathoth

hanyolo posted:

make sure you're in conf mode before running the commands mentioned in this thread. "show firewall" means completely different things in > and # modes.


This is the dumbest thing. But thanks that was the problem.

Compare:
pre:
user@vpn1a.nj01> show firewall 

Filter: __default_bpdu_filter__                                

Filter: ABC                                                    
user@vpn1a.nj01> 
Whereas from config mode:
pre:
user@vpn1a.nj01# show firewall    
family inet {
    filter ABC {
        term ssh_allowed {
            from {
                source-prefix-list {
                    permitted-ips;
                }
                protocol tcp;
                destination-port ssh;
            }
            then accept;
        }
        term old_etl {
            from {
                source-prefix-list {
                    old-etl-temp;
                }
                protocol tcp;
                destination-port ssh;
            }
            then accept;
        }
        term sftp_allowed {
            from {
                destination-address {
                    998.980.950.907/32;
                }
            }
            then accept;
        }
        term hbmon01_nira {
            from {
                source-prefix-list {
                    hbmon01;
                }
                destination-prefix-list {
                    nira;
                }
            }
            then accept;
        }                               
        term instream {
            from {
                source-prefix-list {
                    isa-util;
                }
                destination-prefix-list {
                    cluster;
                }
            }
            then accept;
        }
        term ssh_denied {
            from {
                protocol tcp;
                destination-port ssh;
            }
            then {
                reject;
            }
        }
        term ntp {
            from {
                source-address {
                    998.948.950.0/24;
                }
                source-prefix-list {
                    NTP-SERVERS;
                }
                protocol [ udp tcp ];
                port ntp;
            }
            then accept;
        }
        term ntp-denied {
            from {
                protocol [ udp tcp ];
                port ntp;
            }
            then {
                discard;                
            }
        }
        term snmp {
            from {
                source-prefix-list {
                    permitted-ips;
                    snmp-permitted;
                }
                destination-port [ snmp snmptrap ];
            }
            then accept;
        }
        term snmp_denied {
            from {
                source-address {
                    0.0.0.0/0;
                }
                port [ snmp snmptrap ];
            }
            then {
                discard;
            }
        }
        term default_accept {
            then accept;
        }
    }
}
Oh, another annoying thing about Juniper switching: they start their port numbering at 0, which means that even ports are up top and odd ports are on the bottom, the opposite of all the other vendors.

ate shit on live tv fucked around with this message at 16:07 on Sep 25, 2015

tortilla_chip
Jun 13, 2007

k-partite

Powercrazy posted:

dumbest thing.

Would you prefer "do show firewall"

ate shit on live tv
Feb 15, 2004

by Azathoth
I believe you mean "run show firewall"

ate shit on live tv
Feb 15, 2004

by Azathoth
AHhhhhh! So if I want a one stop command that will show me the number of free ports on a juniper switch does it exist?

Basically a port is "free" if it is admin down, if it's just not connected or if I can put an optic into it. From what I've seen there isn't a way to sort by that information considering that if there isn't an optic in the interface, the interface doesn't exist at all.

Any way to change that behavior? I just want to find how many free ports I have on this switch :/

1000101
May 14, 2003

BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY FRUITCAKE!

Powercrazy posted:

AHhhhhh! So if I want a one stop command that will show me the number of free ports on a juniper switch does it exist?

Basically a port is "free" if it is admin down, if it's just not connected or if I can put an optic into it. From what I've seen there isn't a way to sort by that information considering that if there isn't an optic in the interface, the interface doesn't exist at all.

Anyway to change that behavior? I just want to find how many free ports I have on this switch :/

'show interfaces terse' should be roughly a 'show int brief' equivalent.

edit: See below!

1000101 fucked around with this message at 17:21 on Sep 25, 2015

tortilla_chip
Jun 13, 2007

k-partite
show interfaces media terse

ate shit on live tv
Feb 15, 2004

by Azathoth

tortilla_chip posted:

show interfaces media terse

Better but still bad:
pre:
xe-0/0/10               up    up
xe-0/0/11               up    up
xe-0/0/14               up    up
xe-0/0/15               up    up
xe-0/0/16               up    up
Notice anything missing?

tortilla_chip
Jun 13, 2007

k-partite
god you Cisco bigots are hard to please :)

show int detail | match "Physical interface:"

ate shit on live tv
Feb 15, 2004

by Azathoth
Yeah, I tried those things, but unfortunately when dealing with an SFP interface JunOS doesn't even acknowledge the interface exists unless there is an optic in it. I'm wondering if there is a "pre-populate" configuration command or something that will let you apply configurations to a phantom interface.

Slickdrac
Oct 5, 2007

Not allowed to have nice things
Why not just use the GUI? That's the only way I can get Juniper to take commands without acting like a spoiled finicky 5 year old.

ate shit on live tv
Feb 15, 2004

by Azathoth

Slickdrac posted:

Why not just use the GUI? That's the only way I can get Juniper to take commands without acting like a spoiled finicky 5 year old.

I'm afraid what that will do to the configuration, a la the Cisco ASDM eating ASA configs.

Slickdrac
Oct 5, 2007

Not allowed to have nice things

Powercrazy posted:

I'm afraid what that will do to the configuration, a la the Cisco ASDM eating ASA configs.

We haven't had as many configuration issues with our Junis, just super fun clustering issues. Once it decided to just dump and reform the cluster, and for the last year the cluster has believed that two of the devices have the exact same fans in two of the chassis, same serial number and everything. We're just waiting for the fan to die on one of them since that bug has caused it to be spinning at 100% for 12 months and 2 weeks now.

tadashi
Feb 20, 2006

I'm finally able to look at replacing our 10/100 Cisco Catalyst 3550 switches at work which makes me wonder what the standard is for Cisco managed switches in smaller environments these days? I've currently got 48 and 24 port 10/100 Catalysts on opposite ends of 2 adjoining office suites that are connected via Gigabit fiber uplink. We have 2 VLANs (phone system vs. "data" network) so I'd like to get layer 3 (I think Cisco calls them layer 2-4) switches. They are all behind an ASA 5510.

I'm not really looking for in depth answers right now, just an idea about different models people are buying lately for smaller environments so some salesperson doesn't try to sell me the most expensive thing possible just because.


Thanks Ants
May 21, 2004

#essereFerrari


Why do you want layer 3 switches for running two VLANs across a couple of switches? It doesn't sound like there's much requiring routing between the voice and data VLAN so it's fine to let the ASA do that.

As for models, I see a lot of 2960-X being used.
