|
Richard Noggin posted:Dell 5548s used those too. Yay for non-locking connections. I kinda shortened the story but those switches replaced a Dell 5548 that blew up, which was actually the first place I had seen the HDMI stacking connection. These switches were bought without even knowing they had this feature with the intent of just linking a pair of gig ports between the two, but when we realized it we figured why not give it a try. It's worked fine for years, so I can't complain. I don't think anyone would ever notice the difference though if I was to switch it to just a gig connection.
|
#
?
Sep 6, 2016 22:15
|
|
|
|
| # ? Apr 26, 2024 16:24 |
|
|
Looking to enable a few simple traps on a 2911, config, envmon, bgp.code:code:edit: Turns out its just NHRP traps that are suppressed. Normal traps are being caught, so its a non-issue, just not documented very well. DigitalMocking fucked around with this message at 19:48 on Sep 7, 2016 |
|
#
?
Sep 7, 2016 17:37
|
|
|
My journey into IPv6 continues - once I got our ISP to make the changes to the setup they insisted was working fine, everything started routing properly and we are now running v6 on the majority of our VLANs (I haven't touched the more important ones yet as that needs to go through change control). It's raised an interesting question though - what do people do for tunnels between sites - do you just pick some of your own address space from the site at one end of the link? Is there a convention for this?
|
|
#
?
Sep 10, 2016 21:00
|
|
|
Thanks Ants posted:My journey into IPv6 continues - once I got our ISP to make the changes to the setup they insisted was working fine, everything started routing properly and we are now running v6 on the majority of our VLANs (I haven't touched the more important ones yet as that needs to go through change control). It's raised an interesting question though - what do people do for tunnels between sites - do you just pick some of your own address space from the site at one end of the link? Is there a convention for this? If you don't need to reach the tunnel addresses remotely (e.g. for monitoring availability) you can just do link locals. If you need globally unique, pick one site (normally I pick the 'parent' site if the layout is hierarchical) and address from there. Or if you want to get fancy you can address it out of both sides which allows you (assuming you're not redistributing connected into IGP everywhere) to monitor through each site since traffic toward site A using the site B addressing would initially route through site B and over the tunnel and vice versa.
|
|
#
?
Sep 11, 2016 14:05
|
|
|
New management network is going well.
|
|
#
?
Sep 11, 2016 17:13
|
|
|
I think if I saw that at a customer site, I'd immediately turn out the door and take up smoking.
|
|
#
?
Sep 11, 2016 18:04
|
|
|
CrazyLittle posted:I think if I saw that at a customer site, I'd immediately turn out the door and take up smoking. Oh god, I just saw the Netgear labels.  I mean, sure, it's just for management, but still, gross.
|
|
#
?
Sep 11, 2016 19:12
|
|
|
What's with the power supply and the zip ties?
|
|
#
?
Sep 11, 2016 20:03
|
|
|
Thanks Ants posted:What's with the power supply and the zip ties? That's how you build a Netgear stack.
|
|
#
?
Sep 11, 2016 21:33
|
|
|
Thanks Ants posted:What's with the power supply and the zip ties? Those are not zip ties, they are network loops... Gotta keep packet alignment or you'll get errors.
|
|
#
?
Sep 15, 2016 13:14
|
|
|
Anyone have any strong thoughts about putting public IPs directly on servers? Looking at trying to do NAT at high speeds gets expensive. Would be a lot cheaper to just focus on fast L3/routing at the edge instead of NAT PPS/CPS. Pros: Don't have to NAT Cheaper/faster edge gear No translation required in logs/flows/etc Cons: Have to have a public IP for every server (already done) Security/obscurity (already gone if doing 1:1 static NAT today) Service mobility, can't move IPs easily (too late, software doesn't handle that anyway) I can't think of any obvious downsides that aren't already present or mitigated (in my scenario). The cost difference between something like a big MX that can do NAT or something like an Arista 7280R is pretty staggering.
|
|
#
?
Sep 20, 2016 01:25
|
|
|
Public IPs are the best assuming you have a service that can't be load balanced, and you have sufficient IPs for them. Make sure if you are directly exposing the servers you have someone who knows about IP Tables/SE Linux otherwise you will likely be part of a botnet long before you realize it.
|
|
#
?
Sep 20, 2016 02:28
|
|
|
We run everything with public IPs and it works fine. With that said make sure you still have a firewall in front of the machines because eventually an admin is going to fat finger an iptables rule and all hell will break loose.
|
|
#
?
Sep 20, 2016 08:26
|
|
|
If you own a large block of public IPs is there a good reason for not using them instead of nat?
|
|
#
?
Sep 20, 2016 12:34
|
|
|
Only the requirement to plan your IP space really carefully because the chances of picking up another /24 are really slim. Of course you could always go with NAT for your clients / Wi-Fi and keep the public addresses for your servers. Having public space requires you to actually do that "how small a subnet can I get away with" game from the CCNA rather than throwing out private /24s.
|
|
#
?
Sep 20, 2016 12:36
|
|
|
I got a funky one going on. I'm changing out a MT 2011 on a single gig port for a CCR using 2 ether-channeled gig ports. We do these routers in VRRP, using more or less a router on a stick configuration. The switch here in a 3560. The New router is set to use standard LACP across two ports. The trunk port the current router is on is configured as such. code:code:
|
|
#
?
Sep 20, 2016 21:53
|
|
|
Farking Bastage posted:description LACP-Master-Router Not sure if it's the problem, but you're not actually using LACP. On is for static etherchannels. If the other end is actually expecting LACP, you need to use active or passive (if the other end is active). I usually just set both ends of the etherchannel to active since active/active doesn't hurt anything. On = you're in a etherchannel, no negotiation Active = try to set up an LACP channel Passive = wait for the other end to set up the LACP etherchannel Auto = wait for the other end to set up the PAgP etherchannel Desirable = try to set up a PAgP channel
|
|
#
?
Sep 20, 2016 22:22
|
|
|
Filthy Lucre posted:Not sure if it's the problem, but you're not actually using LACP. On is for static etherchannels. Thank you! The mikrotik is definitely set active LACP which would explain a few things. I'm surprised I got back in at all considering the wan ports are on vlans as well
|
|
#
?
Sep 20, 2016 23:17
|
|
|
The internet of poo poo (ads) is here:
ate shit on live tv fucked around with this message at 01:10 on Sep 21, 2016 |
|
#
?
Sep 21, 2016 01:06
|
|
|
Farking Bastage posted:Thank you! The mikrotik is definitely set active LACP which would explain a few things. I'm surprised I got back in at all considering the wan ports are on vlans as well Do you need to configure the trunk and tagging method on the group as well as each individual port within the group? Edit: That's your show config and not the commands you're entering  , ignore.
|
|
#
?
Sep 21, 2016 13:27
|
|
|
Powercrazy posted:The internet of poo poo (ads) is here: Speaking of, has anyone here ever blocked ad networks straight up on their perimeter devices? Only major downside I could see is that it might break some content-based sites.
|
|
#
?
Sep 21, 2016 14:37
|
|
|
psydude posted:Speaking of, has anyone here ever blocked ad networks straight up on their perimeter devices? Only major downside I could see is that it might break some content-based sites. Unless you're relying on regularly updated URL categories for your proxy or whatever then you'd be fighting a losing battle really. Client-side extensions already do (For free) but with better targeting and greater efficacy. Of course I'm not saying it's impossible, just difficult and impractical. Would love to hear from anyone who's actually tried it.
|
|
#
?
Sep 21, 2016 14:46
|
|
|
cheese-cube posted:Unless you're relying on regularly updated URL categories for your proxy or whatever then you'd be fighting a losing battle really. Client-side extensions already do (For free) but with better targeting and greater efficacy. Yeah it seems like it wouldn't necessarily work as well as a traditional ad blocker, but that it would be a good supplementary tool for protecting devices that don't have one running.
|
|
#
?
Sep 21, 2016 15:00
|
|
|
I tried doing that a while back in my home pfsense, what ended up happening is lots of websites and videos just wouldn't load. Turns out if you blindly block ads websites won't show their content at all. Presumably AD blockers do things like prevent rendering objects in the DOM, which is a lot different than blocking the connection to the AD server.
|
|
#
?
Sep 21, 2016 17:20
|
|
|
ElCondemn posted:I tried doing that a while back in my home pfsense, what ended up happening is lots of websites and videos just wouldn't load. Turns out if you blindly block ads websites won't show their content at all. Presumably AD blockers do things like prevent rendering objects in the DOM, which is a lot different than blocking the connection to the AD server. Nailed it. Browser extensions can block ads hosted on servers shared with non-ad content based on regexes, they can manipulate the DOM to bypass anti-adblock code, etc. For a while Adblock was a lot better on Firefox than Chrome/Safari because Firefox allowed extensions a lot more room to tamper with the browser as a whole. I believe that's mostly evened up at this point. DNS-based ad blocking does work but has to be really conservative to not cause collateral damage.
|
|
#
?
Sep 22, 2016 16:34
|
|
|
HP switch question here: there appears to be two software versions, 15 and 16 for the same switches? Is one a more 'reliable' one and one has more 'features' or something like that? I seem to remember Adtran having something weird like that with AOS releases.
|
|
#
?
Sep 22, 2016 17:50
|
|
|
Bob Morales posted:HP switch question here: there appears to be two software versions, 15 and 16 for the same switches? Is one a more 'reliable' one and one has more 'features' or something like that? I seem to remember Adtran having something weird like that with AOS releases. 16 is the new release train which has more stuff and is the one they are actively maintaining. I have a few HP 5412 zl switches out there and they are still happily running 15.10.0018m and will probably continue to do so until they are replaced or a reason to change them to 16 arises. So I guess it's kind of up to you but I'm just sticking with the old boring 15 stuff since I don't need any 16 features and despise buggy switch firmware.
|
|
#
?
Sep 22, 2016 18:11
|
|
|
Nuclearmonkee posted:16 is the new release train which has more stuff and is the one they are actively maintaining. I have a few HP 5412 zl switches out there and they are still happily running 15.10.0018m and will probably continue to do so until they are replaced or a reason to change them to 16 arises. Yeah, from an infrastructure perspective (at least this is what I advise), you should only upgrade if: - something is horribly broken - there's a security hole that's being addressed - you need new feature - support will no longer actually support you unless you are on version X or greater of the branch you run.
|
|
#
?
Sep 22, 2016 18:16
|
|
|
I've been doing a bit of digging around the whole Cisco / Apple integration in iOS 10 (https://www.cisco.com/c/m/en_us/solutions/strategic-partners/apple.html / https://www.apple.com/uk/ipad/business/work-with-apple/cisco/), and as far as I can tell their three big points that have come about as a result of this collaboration are:
https://blogs.cisco.com/enterprise/turning-promise-into-reality-with-ios-10 Which again, to the best of my knowledge is just a bunch of standards (granted some of them are fairly new standards) that deal with roaming and how clients select APs to use. 802.11r and 802.11k for example have been in iOS since 2013, and 802.11v joined them a year later (https://support.apple.com/en-gb/HT202628). So the only thing unique to Cisco is that they can disable those features unless the device is running iOS 10 to avoid causing issues, that and the marketing co-operation they now have with Apple. Like I said, I might just be failing to understand how this is a big deal, and maybe Cisco's point is more along the lines of "look what we managed to get Apple to talk to us about and implement for the good of everybody, oh and also our relationship means we are going to ensure compatibility in the future as well" than trying to pitch it as a breakthrough. Edit: poo poo, I just realised we have a Wi-Fi thread as well. Thanks Ants fucked around with this message at 22:44 on Sep 22, 2016 |
|
#
?
Sep 22, 2016 22:37
|
|
|
It's probably more of a win for Cisco because long ago Cisco wireless had issues supporting iPhones, whether that was apples fault or Ciscos is anyone's guess.
|
|
#
?
Sep 23, 2016 00:57
|
|
|
Bob Morales posted:HP switch question here: there appears to be two software versions, 15 and 16 for the same switches? Is one a more 'reliable' one and one has more 'features' or something like that? I seem to remember Adtran having something weird like that with AOS releases. Stay with the 15 tree. it requires less from the switches, they tend to be much more stable.
|
|
#
?
Sep 23, 2016 05:24
|
|
|
iOS 10 supposedly breaks sockets so while you can get push notifications, live phone integration with jabber actually breaks now if your phone is locked.
|
|
#
?
Sep 23, 2016 12:20
|
|
|
Anyone know how to reset the root password on a Cisco ASR 9000? I set the root password to something dumb/easy while configuring it and hosed if I can figure out how to change it to a more secure password now that I'm done.
|
|
#
?
Sep 23, 2016 19:41
|
|
|
Filthy Lucre posted:Anyone know how to reset the root password on a Cisco ASR 9000? I set the root password to something dumb/easy while configuring it and hosed if I can figure out how to change it to a more secure password now that I'm done. Looked at your admin config? Should be in there.
|
|
#
?
Sep 23, 2016 22:33
|
|
|
Is there any reason for why you would want your point to point links facing the internet to be on a vlan opposed to just a regular l3 interface? interface Ethernet1 switchport access vlan 54 interface Vlan54 ip address 12.12.12.12/30 interface Ethernet4 no switchport ip address 11.1.1.1/30
|
|
#
?
Sep 26, 2016 04:06
|
|
|
Failover via a layer 2 switch, probably.
|
|
#
?
Sep 26, 2016 04:22
|
|
|
Ehh you might be right. We've only got one run of fibre from each carrier so we would either need to pre-set addressing information on each edge router and then have remote hands physically move the cables over. Or put in a switch before it goes to the edge routers and do a vrrp instance for each of our wan links. Neither of these scenarios it really matters whether it's a vlan or not, and we've got a /30 not a /29 point to point. And if we were to do the switch then that becomes the single point of failure. I'll just set everything to l3 interface. Another dumb question I have is why is Comcast giving me two neighbours to establish bgp adjacencies to. One is the other side of our point to point link and one is something else. None of my other providers have given me two adjacencies to form.
|
|
#
?
Sep 26, 2016 04:56
|
|
|
Methanar posted:Another dumb question I have is why is Comcast giving me two neighbours to establish bgp adjacencies to. Under Comcast's current design the local router you peer with only has local prefixes, not Internet ones (look at your received prefixes from each neighbor). The second BGP connection (to the Super-U router or SUR) has full tables, but you don't advertise prefixes to it because it already learnt your prefixes from the other session via internal RR. Cogent used to do something similar way back when when they used super cheap access/aggregation gear.
|
|
#
?
Sep 26, 2016 12:41
|
|
|
I currently do 3rd line and some 2nd line support for a company and i'm looking to get my CCNA (again) when the V3 training materials are up. Ideally moving forwards i'd like to move into a Cisco-only job and move away from end-user support. Is this a HUGELY unrealistic goal to have? I'm assuming that posters ITT have jobs that need day-to-day use of Cisco equipment and was wondering what sort of roles you all have as i'm not too sure where to head next really. Are CIsco and general support jobs usually tied together or is it possibly to get a Cisco support role without having to occasionally deal with plugging people's mice in for them.
|
|
#
?
Sep 26, 2016 13:38
|
|
|
|
| # ? Apr 26, 2024 16:24 |
|
|
That sounds possible, but ideally you'd want familiarity with other products as well, whether that be fortigate, palo, bluecoat, etc. I'm sure Cisco monocultures still exist out there, but not in the way they used to.
|
|
#
?
Sep 26, 2016 15:32
|
|
