|
Docjowles posted:I'm trying to set up babby's first Cisco vPC between two Nexus 6k switches. I feel like I must be missing something completely retarded here. From each switch, I can ping the management interface of the other. But I can't get the vpc keepalive link to come up one end. Any idea what is up with this? In addition to sourcing your peer-keepalive don't forget to connect the switch together with a port-channel then configure that port-channel thusly: code:edit: Are you using a vlan interface to provide your peer keep alive? If so I recommend swapping to mgmt0 or creating an l3 interface in it's own VRF. The intent of the keep alive is to see if the peer is actually up or down. If it's going over the peer link then it won't be able to serve that purpose. I only say this because I see you didn't define a VRF in your ping and it still worked. 1000101 fucked around with this message at 04:06 on Oct 9, 2015 |
#
?
Oct 9, 2015 04:02
|
|
|
|
| # ? Apr 23, 2024 15:31 |
|
|
Well I've certainly gone down a rabbithole of fail on this project! I got the keepalive link working by adding "vrf default" to the end. I realize this is not the proper config for the reason 1000101 gave, and will try to fix at some point. However, I've now managed to lock myself out of one of the two switches  It's still up and passing traffic, thank god, but I can't access the management IP. It's in a data center across town and there's apparently no remote console access (I did not set this up, just took over for someone at a new job), so fixing that will have to wait until the next time I have a reason to go over there. I don't understand how I got locked out, though, so any insight on that would be appreciated!The vPC came up, but I could not reach any of the devices connected to the associated port-channels. After checking the logs, I found that it's because the VLANs those devices were on were set to "switchport mode fabricpath" and I had to convert my poo poo to vPC+. So I did. The last thing I did before getting locked out was editing the port-channel for my vPC peer link. On both ends, I ran "switchport mode fabricpath". When I did that, my SSH connection to switch B immediately dropped and I can no longer reach it. Switch A, with the same config, is fine. Any hope something as simple as shut/no shut on the management interface will restore connectivity, or have I done something seriously retarded? NX-OS bug in our old-rear end version? Pared-down config for the one switch I can still reach below. The other was identical barring interface descriptions: code:code:Docjowles fucked around with this message at 19:31 on Oct 9, 2015 |
|
#
?
Oct 9, 2015 19:27
|
|
|
Ah, so you're using Fabricpath! That changes a couple things. First, unsure the purpose of po20. Is this an uplink to another switch or the same? If it's the same I would consider turning this into an l3 port channel, putting a /30 on it in it's own VRF and using this for peer keep alive (you don't even need the keep alive to be reachable by anything but the remote vpc peer). You don't need a separate l2 link between switches to pass data. It can use the peer link as needed. Either that or plug in mgmt0 somewhere and use that for vPC keep alive. Until you've got l3 reachability VPC will never come up. Since there's an issue with VPC and you're using an in-band keep alive it may never come back online. Your l3 interfaces may be down/dead because VPC+ is trying to keep things sane. Your vPC peer link looks like it's pruning VLANs. From what I recall the default behavior for a port in mode fabricpath is to forward all fabricpath VLANs over it. Just in case though I would make sure the allowed list includes all your fabricpath VLANs. Also it's worth looking at the 'show fabricpath topology' output and picking a vPC switch ID thats going to make sense. If your 2 nexus switches are actually using a statically defined switch ID (say 1 and 2) then I'd consider making your fabricpath vpc switch-id something like 10 or 100 or something.
|
|
#
?
Oct 9, 2015 20:15
|
|
|
FatCow posted:There sure a lot of goons at NANOG. Some may even post on the forums. I'm going to be at the next one, woot new job pays for field trips like that 
|
|
#
?
Oct 9, 2015 21:20
|
|
|
This isn't really a software question but hopefully someone here can help me. I'm looking to build a new home network built around a 2960G or 3750G and a 5520. The current problem I'm trying to solve is airflow. The switch needs to be mounted on the back of the cab, but the switches I can afford all use side-to-back airflow. Then I happened across this: http://www.wrightline.com/images/Products/Airflow%20Director%20Kit/WL_2UAirflowManager.pdf It's designed for the 4948 but based on the airflow pattern it should work for a 2960 or 3750. Only problem is, I can't find anywhere to buy the sumbitch. The manufacturer has been taken over by Eaton and this product isn't listed anywhere in any of their product listings. Anyone have any idea where I might look for this, or something like it?
|
|
#
?
Oct 11, 2015 19:18
|
|
|
Are you sure you aren't over-thinking this if it's just for a home network? Is is going to cause you problems if your switches are blowing warm air at the front of your rack? Could you just open the switches up and flip the fans around?
|
|
#
?
Oct 11, 2015 19:31
|
|
|
Thanks Ants posted:Are you sure you aren't over-thinking this if it's just for a home network? Is is going to cause you problems if your switches are blowing warm air at the front of your rack? The 2960 and 3750 switches have those horizontal blower fans, no way of turning them around short of reversing the polarity, which may or may not actually work and probably won't give any meaningful cooling in any case. And yeah, I kind of need to worry about airflow since I plan on putting this stuff inside a fully-enclosed, sound-insulated rack so I can keep it in the house without my wife going batty from the noise.
|
|
#
?
Oct 11, 2015 19:33
|
|
|
I'd be curious to know what kind of home network you have that requires that level and amount of networking hardware.
|
|
#
?
Oct 11, 2015 21:27
|
|
|
If "quiet" is a requirement, perhaps you should use different switch model. Cat3560C / Cat2960C / Juniper EX2200C are all fanless, and would not need to be in a sealed rack.
|
|
#
?
Oct 11, 2015 21:57
|
|
|
WS-C2960X-24PSQ-L is also fanless.
|
|
#
?
Oct 11, 2015 22:03
|
|
|
The switches aren't the only thing that's going to be in the rack.
|
|
#
?
Oct 11, 2015 22:54
|
|
|
Man and here I thought I was a hardcore nerd with my Uquiti ERL running at the edge of my home network.
|
|
#
?
Oct 11, 2015 23:25
|
|
|
psydude posted:Man and here I thought I was a hardcore nerd with my Uquiti ERL running at the edge of my home network. Pretty soon here I'm going to have a full ubiquiti deployment at home with unifi and edgeswitch. I'm already using an ERL for the NAT device
|
|
#
?
Oct 12, 2015 18:48
|
|
|
Vodaphone just installed a fiber connection at our remote UK site and plugged it into our multi-WAN router, then left for the day. They gave me the static IP address and subnet, but not the gateway. Is there any way to guess the gateway? I tried .1 as the last octet, that didn't work, and I tried a tracert to the IP and tried the last bunch of routers shown there but that didn't work either. I asked them to get back to me with it but they take forever to respond.
|
|
#
?
Oct 13, 2015 17:59
|
|
|
Ping the broadcast address for the subnet.
|
|
#
?
Oct 13, 2015 18:11
|
|
|
Wireshark your connection and try to ping your IP from an off-site location. You should eventually see an ARP request from the upstream router. Everywhere I've ever worked has used either the first or last usable IP in the subnet as the gateway, you could also try both of those.
|
|
#
?
Oct 13, 2015 18:13
|
|
|
Zero VGS posted:Vodaphone just installed a fiber connection at our remote UK site and plugged it into our multi-WAN router, then left for the day. What's the IP and mask? Censor out octets 1 and 2 as they won't be relevant.
|
|
#
?
Oct 13, 2015 18:35
|
|
|
Anyone have any trouble trying to TFTP an ASDM .bin to an ASA inside of GNS3? Using solarwinds and it pokes along before timing out somewhere in the middle of the transfer with a "no client response" error. ASA has default (blank?) config except for a Gig eth interface configured with an IP address. I have a loopback adapter configured on Win10 and use that as the interface on a 'cloud device' in GNS3 to let the solarwinds transfer to the ASA.
|
|
#
?
Oct 13, 2015 21:40
|
|
|
crunk dork posted:Anyone have any trouble trying to TFTP an ASDM .bin to an ASA inside of GNS3? Using solarwinds and it pokes along before timing out somewhere in the middle of the transfer with a "no client response" error. ASA has default (blank?) config except for a Gig eth interface configured with an IP address. I have a loopback adapter configured on Win10 and use that as the interface on a 'butt device' in GNS3 to let the solarwinds transfer to the ASA. Try FTP or SCP.
|
|
#
?
Oct 13, 2015 21:46
|
|
|
Prescription Combs posted:Try FTP or SCP. ....you're making too much sense. I got hyper-focused on making this one thing work I guess. I'll try that.
|
|
#
?
Oct 13, 2015 21:47
|
|
|
falz posted:If "quiet" is a requirement, perhaps you should use different switch model. Cat3560C / Cat2960C / Juniper EX2200C are all fanless, and would not need to be in a sealed rack. I actually had that switch sitting around unused for a year before I plugged it in and discovered it was a lot quieter than I thought it would be. psydude posted:Man and here I thought I was a hardcore nerd with my Uquiti ERL running at the edge of my home network. Zero VGS posted:Vodaphone just installed a fiber connection at our remote UK site and plugged it into our multi-WAN router, then left for the day. Put in the IP and subnet, then try HostMin and HostMax. I've never seen an ISP use anything other than the extremes of the network range as the gateway.
|
|
#
?
Oct 14, 2015 04:20
|
|
|
wolrah posted:How's the ERL for you? I'm tempted to try it in place of my pfSense for no reason other than to make the rest of the UniFi status map thing light up, but I haven't bothered to look in to how featureful it is yet. I think it's related to Vyatta in some way? Yes, "EdgeOS" is a fork from the community for of Vyatta CE, (now re-forked/called VyOS) and the enterprise fork is Brocade's vRouter 5400. Almost all of the commands/features/syntax is the same across them, and it's all kissing-cousins close to Juniper's JunOS
|
|
#
?
Oct 14, 2015 08:14
|
|
|
1000101 posted:Ah, so you're using Fabricpath! That changes a couple things. I think the root of my problems is not having a dedicated link for the keepalive. I'll work on that. I'm actually confused as to the purpose of po20 as well. It's one of those things that was already set up when I started and whoever created it is long gone. It appears to be an uplink between the two Nexus 6001's. I'd have thought that since it's configured with "switchport trunk allowed vlan none", nothing would be passing over it. But I see the tx and rx counters incrementing steadily on a "show int port-channel 20". It's not part of a vPC or anything. What I pasted was pretty much the complete config. "show fabricpath topology" doesn't really show anything useful to me: code:
|
|
#
?
Oct 14, 2015 16:13
|
|
|
Is the ios file DC_default_profiles.txt necessary for switch functionality? I have very little wiggle room and could use the space.
|
|
#
?
Oct 14, 2015 21:22
|
|
|
Any play much with IKEv2 in iOS 9? I managed to finally get EAP-TLS up and running because the client always sent an EAP request, I started with an Agile (Microsoft Windows 7) VPN configuration on StrongSwan using no-EAP certificate auth. The post to IETF suggests that no-EAP certificates should work though? I guess it needs an enterprise profile configuration to force the authentication method?
|
|
#
?
Oct 15, 2015 02:12
|
|
|
I've been looking at adding another transit to my network. Had it narrowed down to two networks. This morning I wake up to a route leak by one of our customers. They are using the 2 transits I'm looking at, one propagated the leak, the other filtered it. This just made the decision easy.
FatCow fucked around with this message at 19:32 on Oct 17, 2015 |
|
#
?
Oct 17, 2015 16:06
|
|
|
Did I dream something about the Sourcefire and ASDM stuff being rolled into a new web UI later this year?
|
|
#
?
Oct 19, 2015 22:54
|
|
|
Thanks Ants posted:Did I dream something about the Sourcefire and ASDM stuff being rolled into a new web UI later this year? 2016.
|
|
#
?
Oct 19, 2015 23:18
|
|
|
Docjowles posted:I think the root of my problems is not having a dedicated link for the keepalive. I'll work on that. Looking at the config you posted I see that VLAN 63 is reachable via po20 and po50. Fabricpath ports forward all fabricpath VLANs all the time. In order to prune a VLAN out of a fabricpath link you'd need to create a separate topology for it. Basically the 'switchport trunk allowed vlan' list gets ignored since the port isn't technically a trunk port. Thats why you see traffic going over po20. FEX's generally don't have switches plugged into them. FEX ports have BDPU guard enabled by default and will shut down a port that it receives a BPDU on. Some people opt to work around this by turning on bpdu filter but don't do this. It's a very bad idea.
|
|
#
?
Oct 19, 2015 23:21
|
|
|
psydude posted:2016. Cool. Do you have any idea what I should be throwing into Google to keep up-to-date with this? I've failed miserably so far.
|
|
#
?
Oct 19, 2015 23:33
|
|
|
Thanks Ants posted:Cool. Do you have any idea what I should be throwing into Google to keep up-to-date with this? I've failed miserably so far. "Hey account rep, can you throw me a roadmap for the ASA product line with respect to the 2016 UI overhaul and sourcefire integration?", or talk to your partner about the same if you don't have a direct relationship/NDA.
|
|
#
?
Oct 19, 2015 23:43
|
|
|
1000101 posted:Looking at the config you posted I see that VLAN 63 is reachable via po20 and po50. Fabricpath ports forward all fabricpath VLANs all the time. In order to prune a VLAN out of a fabricpath link you'd need to create a separate topology for it. Basically the 'switchport trunk allowed vlan' list gets ignored since the port isn't technically a trunk port. Thats why you see traffic going over po20. Thanks! Knowing that the "switchport trunk allowed vlan none" is just ignored makes things MUCH clearer.
|
|
#
?
Oct 20, 2015 19:05
|
|
|
I currently have my CCENT and am gunning for my CCNA soon. My work is getting rid of both a Cisco 1841 and 1720. Which should I grab to learn on?
|
|
#
?
Oct 28, 2015 16:13
|
|
|
The 1841 will be good, the 1720 is old as gently caress though and a bunch of commands in your training probably wont work
|
|
#
?
Oct 28, 2015 17:10
|
|
|
I have a Cisco ASA 5500 setup with internet access working fine. DHCP and DNS are being provided by a linux server. I recently added a tp-link wireless access point to the network and am having an issue with clients accessing the internet. A couple of PCs and an iphone have connected and can get the internet fine. A mac and a couple more phones can connect, get an ip and be pinged by other computers on the network but can't get out to the internet or ping back to the other pcs. I was wondering if this could be being caused by the ASA as i'm not overly experienced with them and this is an odd issue. I can't think why some clients can get out and ping but not others. Should i be looking at the ASA or is it more likely an issue caused by the linux server?
|
|
#
?
Oct 28, 2015 18:17
|
|
|
Could the ASA be a license limited model? With a max number of concurrent inside hosts?
|
|
#
?
Oct 28, 2015 18:50
|
|
|
KS posted:Could the ASA be a license limited model? With a max number of concurrent inside hosts? Thanks so much for this. I've been puzzling over it for weeks and even replaced the wifi access point. The ASA I was given to use was a spare and has only the basic licensing. I spotted it would restrict the number of DHCP clients but didn't know it would restrict hosts too. Thanks again
|
|
#
?
Oct 28, 2015 19:27
|
|
|
Burn all ASA5505's.
|
|
#
?
Oct 30, 2015 17:46
|
|
|
Nitr0 posted:Burn all ASA5505's. Only thing i miss are switchports and PoE, but yeah. 
|
|
#
?
Oct 30, 2015 18:40
|
|
|
|
| # ? Apr 23, 2024 15:31 |
|
|
Nitr0 posted:Burn all ASA5505's. These should not be in production environments anymore but I see them every drat day.
|
|
#
?
Oct 30, 2015 19:14
|
|