Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
Fun update to the SG550 that bricked when we attached it to a stack. We're now on our 5th RMA with Cisco. They had us downgrade the replacement model twice now; both times it bricks the unit. The TAC rep says he doesn't have the same result in his lab test. Starting to wonder if it's our tech that's bricking the devices.


Thanks Ants
May 21, 2004

#essereFerrari


Think of the money saved over buying good switches though

ate shit on live tv
Feb 15, 2004

by Azathoth

Prescription Combs posted:

Single F5's are not good at SSL TPS, even with their accelerator cards. You'd ideally want to distribute traffic regionally to maximize any sort of SSL TPS. Whether that's multiple regions with F5's or nginx. No single point is going to scale well with SSL TPS.

e: Alternately use a CDN to handle the brunt of SSL and then pipeline the traffic from the CDN to your load balancer to minimize SSL TPS on that.

Our traffic is already Anycast from 4 geographically distinct locales, plus AWS. The million CPS number was just our biggest datacenter.

abigserve
Sep 13, 2009

this is a better avatar than what I had before
I think the "f5" way of such a setup would be a pool of lbs and GSLB getting DNS to send traffic to the one with least connections. That way your resources will be very evenly utilised and you can scale it to a huge degree.

This might simplify your anycast setup as well as you'd only have to use anycast for DNS traffic to the nearest GSLB server. I'm pretty sure you can get GSLB to weight latency as well if you wanted to ditch Anycast altogether.

Of course that's hundreds of thousands of dollars and probably a complete re-architecture of your DNS setup...

Prescription Combs
Apr 20, 2005

ate poo poo on live tv posted:

Our traffic is already Anycast from 4 geographically distinct locales, plus AWS. The million CPS number was just our biggest datacenter.

Yeeeesh that's a lotta traffic.

tortilla_chip
Jun 13, 2007

k-partite
If you're already doing anycast, do it within the geography as well and just make sure your hashing is consistent.

Rescue Toaster
Mar 13, 2003
So I made the mistake of buying a SG300-10 just for a small L3 managed switch to isolate some PCs/Servers/IoT/Guest Wifi at home. I really didn't need much so I figured an entry level model would be fine.

Problems with it so far:
1) Can't modify an ACE while an ACL is attached to a vlan, constantly have to remove & re-add ACLs in order to make tiny changes.
2) After performing said changes, routinely stops routing anything and needs to be rebooted. (Remove acl from vlan, add a single permit ACE, reattach acl to vlan, must reboot switch because it stops routing anything to/from that vlan)
3) Constantly get errors when adding ACEs that 'Entry already exists' even when it's the first ACE in a new list. Retrying with the exact same values often works, or sometimes fails 5-6 times in a row, then suddenly works with the same values. This is definitely an artifact of the web UI because the CLI doesn't have a problem.
4) Was having horrible internet speeds for the past two days, I thought for sure it was Mediacom since I had rebooted the switch multiple times via the UI. This morning I unplugged everything and traced it down to the switch for sure, and after hard power cycling it, started working again just fine. So only removing power worked, multiple reboots didn't.

I would have thought it's definitely just my stupidity, but seeing other people's experiences with 300's and 500's, I don't think it's entirely me. Is there something similar that's actually decent? Maybe an older used cisco model? I need at least 8 gigabit ports.

MrMoo
Sep 14, 2000

Working with EdgeOS today and it has automatic firewall rules for DHCP but not for DHCPv6 :shrug: Took far too long to find that out. Also it appears some parameters changed format in releases, i.e. prefix-length went from a /56 to a 56 format, of course with no validation other than completely wiping the interface declaration on reboot. Nice.

mythicknight
Jan 28, 2009

my thick night

Edit: Nevermind.

mythicknight fucked around with this message at 00:13 on Jan 3, 2018

Docjowles
Apr 9, 2009

tortilla_chip posted:

This presentation is a pretty decent starting point

Extremely good poo poo, thanks for sharing. The first talk is just super technically interesting, and the second is hilarious (in a good way).

lmao at his story about forcing all of his company's office traffic to bounce out to Europe before coming back to their data center to hammer home the importance of latency on user experience. And I want to get the Eight Fallacies of Distributed Computing tattooed on my forehead.

I now have many more tabs opened for further research which is always the hallmark of a good talk.

Djimi
Jan 23, 2004

I like digital data
I think this is the most apt thread to ask this question. Though not Cisco. I need to block a mac address on an old Brocade (Foundry) router.

The info I found on Brocade's site at the top doesn't make sense to me, maybe I'm reading it wrong.

code:
MAC address filters command syntax

To configure and apply a MAC address filter, enter commands such as the following.

device(config)# mac filter 1 deny 0000.0075.3676 ffff.0000.0000
device(config)# mac filter 2 deny any ffff.ffff.ffff ffff.ffff.ffff 
device(config)# mac filter 3 deny any 0180.c200.0000 ffff.ffff.fff0 
device(config)# mac filter 4 deny any 0000.0034.5678 ffff.ffff.ffff 
device(config)# mac filter 5 deny any 0000.0045.6789 ffff.ffff.ffff 
device(config)# mac filter 1024 permit any any
device(config)# int e 1
device(config-if-e1000-1)# mac filter-group 1 to 5 1024

These commands configure filter 1 to deny traffic with a source MAC
address that begins with "3565" to any destination, and configure
filters 2 through 5 to deny traffic with the specified destination MAC
addresses. Filter 1024 permits all traffic that is not denied by any
other filter. 
The first line (filter 1) apparently blocks MACs that start with '3565', but I don't see it.

Specifically I want to block a MAC that's broadcasting all over the place, that I can't find (because I cannot visit the location at this time).

I want to block the address dc:d3:21:00:fc:d3 (on int e 1 for example) and permit everything else.
So I just need the correct version of filter 1 and filter 1024. But that example leaves me scratching my head. Thank you.
(And yes, a new router is on the list to get very soon).

tortilla_chip
Jun 13, 2007

k-partite
That's got to be a typo.

mac filter 1 deny dcd3.2100.fcd3 ffff.ffff.ffff any
mac filter 2 deny any dcd3.2100.fcd3 ffff.ffff.ffff
mac filter 1024 permit any any
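Added example (mine, not from the thread or from Brocade's documentation): a Python model of how such a filter group is evaluated, converting between colon and dotted MAC notation and applying filters first-match in numeric order. It assumes Foundry mask semantics (an f nibble means compare, a 0 nibble means don't care) and an implicit deny after the last filter, which is why the permit any any entry is needed.

```python
import re

def mac_to_int(mac: str) -> int:
    """Parse a MAC written with colons, hyphens or dots (dcd3.2100.fcd3)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)

def to_dotted(mac: str) -> str:
    """Render a MAC in the xxxx.xxxx.xxxx form the Brocade/Cisco CLI expects."""
    h = f"{mac_to_int(mac):012x}"
    return f"{h[:4]}.{h[4:8]}.{h[8:]}"

def parse_filter(line: str) -> dict:
    """Parse 'mac filter N permit|deny <src|any> [mask] [<dst|any> [mask]]'.
    An omitted destination is read as 'any' (assumption, so the one-address
    form used in the documentation example parses too)."""
    tok = line.split()
    if tok[:2] != ["mac", "filter"] or tok[3] not in ("permit", "deny"):
        raise ValueError(f"unrecognised filter line: {line!r}")
    rest = tok[4:]

    def take():
        # 'any' (or nothing) matches everything; otherwise address then mask
        if not rest or rest[0] == "any":
            del rest[:1]
            return None, None
        return mac_to_int(rest.pop(0)), mac_to_int(rest.pop(0))

    src, smask = take()
    dst, dmask = take()
    if rest:
        raise ValueError(f"trailing tokens in {line!r}: {rest}")
    return {"num": int(tok[2]), "action": tok[3],
            "src": src, "smask": smask, "dst": dst, "dmask": dmask}

def _hit(addr, mask, frame_addr) -> bool:
    # Foundry mask semantics: an f bit means compare, a 0 bit means don't care,
    # so ffff.ffff.ffff is an exact match and ffff.0000.0000 checks 16 bits.
    return addr is None or (frame_addr & mask) == (addr & mask)

def apply_filters(filters, src: str, dst: str):
    """(action, filter number) of the first match in numeric order; a frame
    that matches no filter is dropped (implicit deny, hence filter 1024)."""
    s, d = mac_to_int(src), mac_to_int(dst)
    for f in sorted(filters, key=lambda f: f["num"]):
        if _hit(f["src"], f["smask"], s) and _hit(f["dst"], f["dmask"], d):
            return f["action"], f["num"]
    return "deny", None

# The corrected filter group from the reply above.
FILTER_GROUP = [parse_filter(line) for line in (
    "mac filter 1 deny dcd3.2100.fcd3 ffff.ffff.ffff any",
    "mac filter 2 deny any dcd3.2100.fcd3 ffff.ffff.ffff",
    "mac filter 1024 permit any any",
)]
```

Run against the documentation's own filter 1 (`0000.0075.3676 ffff.0000.0000`), the model shows it matches sources beginning with 0000, not "3565", which is the typo in the doc.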

Docjowles
Apr 9, 2009

Agreed, just looks like a stupid typo.

Also, goondolences on being stuck with old-rear end Foundry/Brocade gear. We have some too and it is the literal worst :rip::respek::rip:

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

Docjowles posted:

Foundry/Brocade gear ... Is the literal worst

Djimi
Jan 23, 2004

I like digital data

tortilla_chip posted:

That's got to be a typo.
That's what I thought - and thank you for your example. I literally looked at it and just thought I didn't really know dot notation of MAC addresses for beans.

Foundry had its moment last century. :smith:

Thanks Ants
May 21, 2004

#essereFerrari


If I need a basic router to do NAT for a ~100Mbps internet connection at a remote site and maybe do an IPsec tunnel, is it worth tearing my hair out with a Mikrotik/Ubiquiti box or is the correct answer to just buy an SRX300?

tortilla_chip
Jun 13, 2007

k-partite
For low end hardware appliances the limiting factor will probably be CPU performance and IPSec. Anecdotally, a client I consulted for had issues with their Atom powered pfSense box at about ~100 Mbps of IPSec traffic. Do you need a hardware appliance? A VM with a single x86 core could easily do this. Does the existing support organization have hundreds of years of collective Juniper experience? If so, just buy the SRX.

Moey
Oct 22, 2010

I LIKE TO MOVE IT
Hundreds of years? Junos is pretty straightforward to work with.

tortilla_chip
Jun 13, 2007

k-partite
My point was operational experience and existing process may have more to do with capital purchases than actual hardware costs.

tortilla_chip fucked around with this message at 17:54 on Jan 8, 2018

Prescription Combs
Apr 20, 2005

Thanks Ants posted:

If I need a basic router to do NAT for a ~100Mbps internet connection at a remote site and maybe do an IPsec tunnel, is it worth tearing my hair out with a Mikrotik/Ubiquiti box or is the correct answer to just buy an SRX300?

My vote would be Edgerouter lite.

Thanks Ants
May 21, 2004

#essereFerrari


Can anybody help with interpreting the below?

code:
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/75 (size/max)
  1 minute input rate 105000 bits/sec, 170 packets/sec
  1 minute output rate 3506000 bits/sec, 300 packets/sec
     133181989 packets input, 630165686 bytes, 0 no buffer
     Received 1494 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles 
     650 input errors, 0 CRC, 0 frame, 650 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     312180333 packets output, 3345149118 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out
The bit I am confused about is the 'overruns' counter on the output - our provider (who supplied the router) insists that this is what happens when the circuit utilisation is too high, but everything I can read from Cisco says that when you're incrementing this counter it's because you're running out of hardware resources on the router itself. Surely the rate limitation on the connection is applied further upstream than on the CPE device?

This is a 1921 provided on a 50Mbps circuit but I'm not reading anything that says it should struggle with basic routing (no NAT etc.) at these sorts of throughputs. The above is from the port that the ISP is handing off to us on, I don't have the output from the interface on their network side.

tortilla_chip
Jun 13, 2007

k-partite
Service providers tend to enforce QoS policy as far out at the edge as possible, so it is likely there is a service-policy performing a policer function on the CPE.

Thanks Ants
May 21, 2004

#essereFerrari


Do they show as overruns then?

tortilla_chip
Jun 13, 2007

k-partite
I don't have any hardware available to verify. Fastest way would just be to send traffic at a rate higher than the commit. Try iPerf. I suspect you'll see a correlation between the overruns and traffic dropped due to exceeding the policed rate.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
Input service policy enforcement will show up as overruns. Also output service policy enforcement will show up as an output drop if you've ever configured it.

They should have sent you the output of show policy-map for the interface, that would correlate with the overruns

Thanks Ants
May 21, 2004

#essereFerrari


I will dig further. Unfortunately they are pretty useless and it's taken two weeks to get to this point.

Impotence
Nov 8, 2010
Lipstick Apathy
What happens on an err-disable? Is the port still "powered on" or negotiable at all?

I'm trying to figure out why my Linux machine does not detect anything at all and has no link state change notifications when I have a port err-disabled, but the cable is plugged in still.

Pile Of Garbage
May 28, 2007



Biowarfare posted:

What happens on an err-disable? Is the port still "powered on" or negotiable at all?

I'm trying to figure out why my Linux machine does not detect anything at all and has no link state change notifications when I have a port err-disabled, but the cable is plugged in still.

err-disable can be caused by a number of things but usually to restore it you'll have to shut/no shut the port. Whilst the port is err-disable you'll get no Layer 1 and up.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Biowarfare posted:

What happens on an err-disable? Is the port still "powered on" or negotiable at all?

I'm trying to figure out why my Linux machine does not detect anything at all and has no link state change notifications when I have a port err-disabled, but the cable is plugged in still.

When err-disabled, the port is effectively shut down, as in, it won't send or receive traffic and you have to manually go in to open the port again.

It's being disabled for some reason (negotiation issues are common, sometimes an issue with the modules you're using etc), if you do a "show interface X status" I believe it should tell you why the interface is in that state.



v-- Yeah, I agree, it's odd that your device on the other end of the cable is not detecting the lack of connectivity.

MF_James fucked around with this message at 21:04 on Jan 15, 2018

Thanks Ants
May 21, 2004

#essereFerrari


You should definitely lose the carrier when the port disables itself

unknown
Nov 16, 2002
Ain't got no stinking title yet!


Thanks Ants posted:

Can anybody help with interpreting the below?
...
The bit I am confused about is the 'overruns' counter on the output - our provider (who supplied the router) insists that this is what happens when the circuit utilisation is too high, but everything I can read from Cisco says that when you're incrementing this counter it's because you're running out of hardware resources on the router itself. Surely the rate limitation on the connection is applied further upstream than on the CPE device?

This is a 1921 provided on a 50Mbps circuit but I'm not reading anything that says it should struggle with basic routing (no NAT etc.) at these sorts of throughputs. The above is from the port that the ISP is handing off to us on, I don't have the output from the interface on their network side.

Microburst. If your circuit is underutilized for a bit (bit = like a couple of seconds), the sending side can flood the pipe to 100% circuit utilization for however many seconds their rate limiter bit bucket allows them to (usually a couple of seconds) before the rate limiting kicks in.

Your router can't process that micro-sized burst fast enough, so the input queue is overrun and it drops packets. You really see it when the input circuit interface is a larger size than the output one (eg: 1g circuit to 100mbps ethernet).

Solution: Increase the input queue size if you can. (hold-queue ### in)
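Added example (mine, not from the thread): a Python parser for the counter block posted above that separates physical-layer errors (CRC, frame) from overrun-only input errors, and compares the 1-minute averages with the 50 Mbps commit mentioned in the question. The classification labels are my own, and a 1-minute average says nothing about the sub-second bursts described in the reply above.

```python
import re

# Abridged copy of the counter block posted above (values as posted).
SHOW_INTERFACE = """\
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/75 (size/max)
  1 minute input rate 105000 bits/sec, 170 packets/sec
  1 minute output rate 3506000 bits/sec, 300 packets/sec
     133181989 packets input, 630165686 bytes, 0 no buffer
     0 runts, 0 giants, 0 throttles
     650 input errors, 0 CRC, 0 frame, 650 overrun, 0 ignored
     312180333 packets output, 3345149118 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
"""

NAMED = ("packets input", "no buffer", "input errors", "CRC", "frame",
         "overrun", "ignored", "packets output", "underruns", "output errors")

def parse_counters(text: str) -> dict:
    """Pull queue depth, 1-minute rates and error counters out of the text."""
    c = {}
    m = re.search(r"Input queue: (\d+)/(\d+)/(\d+)/(\d+)", text)
    c["in_queue_max"], c["in_queue_drops"] = int(m.group(2)), int(m.group(3))
    # Output-side policer drops (if a service-policy exists) land here, not in overruns.
    c["output drops"] = int(re.search(r"Total output drops: (\d+)", text).group(1))
    for direction in ("input", "output"):
        m = re.search(rf"minute {direction} rate (\d+) bits/sec", text)
        c[f"{direction}_bps"] = int(m.group(1))
    for n, name in re.findall(r"(\d+) (" + "|".join(NAMED) + r")\b", text):
        c[name] = int(n)
    return c

def classify_input_errors(c: dict) -> str:
    """Tell physical-layer damage apart from a receiver that could not keep up."""
    if c["input errors"] == 0:
        return "clean"
    if c["CRC"] or c["frame"]:
        return "physical-layer"   # cable, optic or duplex problem
    if c["overrun"] == c["input errors"]:
        return "overrun-only"     # frames arrived faster than they were drained
    return "mixed"

def overrun_ratio(c: dict) -> float:
    """Overruns as a fraction of all packets received."""
    return c["overrun"] / c["packets input"]

def utilisation(c: dict, commit_bps: int) -> tuple:
    """1-minute average load per direction as a fraction of the circuit commit.
    A low average does not rule out sub-second bursts at line rate."""
    return c["input_bps"] / commit_bps, c["output_bps"] / commit_bps
```

For the posted counters this yields "overrun-only" with input averaging about 0.2% of the commit, which fits the microburst or input-policer explanations above rather than a bad cable.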

Thanks Ants
May 21, 2004

#essereFerrari


It's a managed router so I'll wait for the provider to fix it. They've managed to spend five days not sending me usage data to prove their claim that the circuit is over-utilised. I'm kind of bored now so might just make it Somebody Else's Problem.

WarauInu
Jul 29, 2003
I have an SF200-24FP and was looking at logs since we had some phones that I was told either power cycled or lost their connection.

It claims a port went down and came back up, but the port doesn't seem to be one of the ones in web UI.

code:
2147481621	2018-Jan-11 11:47:17	Warning	%STP-W-PORTSTATUS: fa22: STP status Forwarding      
2147481622	2018-Jan-11 11:47:13	Informational	%LINK-I-Up:  fa22      
2147481623	2018-Jan-11 11:47:07	Warning	%LINK-W-Down:  fa22      
2147481624	2018-Jan-11 11:46:33	Warning	%STP-W-PORTSTATUS: fa2: STP status Forwarding      
2147481625	2018-Jan-11 11:46:28	Informational	%LINK-I-Up:  fa2, aggregated (1)      
2147481626	2018-Jan-11 11:46:26	Warning	%LINK-W-Down:  fa2, aggregated (1)      
2147481627	2018-Jan-11 11:46:25	Informational	%LINK-I-Up:  fa2      
2147481628	2018-Jan-11 11:46:22	Warning	%LINK-W-Down:  fa2    
When I go to System Summary or Interface settings all my ports are FE or GE. Any thoughts on what I should be looking at?

Thanks Ants
May 21, 2004

#essereFerrari


FE is fa.

WarauInu
Jul 29, 2003
well I guess that would explain that then! Thanks.

Dalrain
Nov 13, 2008

Experience joy,
Experience waffle,
Today.
In terms of programmatic configuration in enterprise networks, are there a set of products or software commonly in the market yet? I've been looking at some job reqs, and they call out Python scripting experience and sometimes SDN.

As someone who hates to let their skills atrophy, I'm curious what the current best practice config management looks like. (For me, this usually means Cisco devices.)

I'm quite familiar with NSX, but not what is commonly meant by SDN for some of these job reqs. (LinkedIn is an example company asking for these skills) Is it likely homegrown? I didn't think ACI had much market penetration yet.

tortilla_chip
Jun 13, 2007

k-partite
SDN is kind of a catchall. There is the configuration management/automation aspect (Ansible, Puppet, Chef, Salt, etc). There is network function virtualization (NFV) which is basically running traditional network appliances as VMs/containers. There's also the *flow movement which is basically defining your own forwarding plane based on other data beyond the traditional 5-tuple.

For your example of Linkedin, they're moving towards a whitebox switching/routing model using Salt for management.

abigserve
Sep 13, 2009

this is a better avatar than what I had before
SDN as a product is struggling to gain traction but programming skills are becoming more valuable in the network space.

Hypnobeard
Sep 15, 2004

Obey the Beard



I have to change the certs on about 10 Cisco switches of various makes, mostly running IOS 12.2 as best I can tell. We have an internal Windows-based CA that will provide the certs.

So, I need to figure out how to generate the CSRs and then install the resulting certs. I'm a complete Cisco newbie and I'm uncertain about my ability to judge the quality of the Google results I've been getting for this process, so I thought I'd ask here if anyone can give me some help or a pointer to a decent doc.

If there's more information about the devices, I'll happily provide what I can.

Thanks in advance!


ragzilla
Sep 9, 2005
don't ask me, i only work here


Hypnobeard posted:

I have to change the certs on about 10 Cisco switches of various makes, mostly running IOS 12.2 as best I can tell. We have an internal Windows-based CA that will provide the certs.

So, I need to figure out how to generate the CSRs and then install the resulting certs. I'm a complete Cisco newbie and I'm uncertain about my ability to judge the quality of the Google results I've been getting for this process, so I thought I'd ask here if anyone can give me some help or a pointer to a decent doc.

If there's more information about the devices, I'll happily provide what I can.

Thanks in advance!

Is this a compliance thing?
code:
no ip http server
no ip http secure-server
Problem solved!
