ate shit on live tv
Feb 15, 2004

by Azathoth

I forgot this was a thing. I messed around a little bit with OER long ago. I assume this is a Cisco-exclusive feature for now?


adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer
I started playing around with the ansible plugins for ios today and wish I had done this long ago.

abigserve
Sep 13, 2009

this is a better avatar than what I had before

adorai posted:

I started playing around with the ansible plugins for ios today and wish I had done this long ago.

yeah it's nice not having to gently caress around with expect and poo poo

Proteus Jones
Feb 28, 2013



abigserve posted:

yeah it's nice not having to gently caress around with expect and poo poo

These last couple posts may be the kick in the pants I need to move over to ansible. I have a whole tool chest of Python scripts I've built (and migrated to 3.x) over the years that rely on pexpect. Since I'm mostly using them in a lab and UAT environments, I haven't really felt the urgency. But since I'm using pexpect, there are huge swaths of code to trap exceptions. It would be nice to not have to deal with that going forward.

abigserve
Sep 13, 2009

this is a better avatar than what I had before
You will need a reasonable amount of custom code still but it's purely logic so it's much more efficient. Ping me on the dms if you need help getting plugins to work because it took me way too long to work out "action" plugins

Methanar
Sep 26, 2013

by the sex ghost
Is the internet in general eating poo poo for anyone else right now?

Kazinsal
Dec 13, 2011



The internet in general has always been poo poo, friend.

Methanar
Sep 26, 2013

by the sex ghost

Kazinsal posted:

The internet in general has always been poo poo, friend.

There was 25 minutes of something going down at Ashburn Equinix for sure.

Passed for now.

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE
Is Cisco dumping EHWICs? Seems like every small router that uses them has an EOL date.

ragzilla
Sep 9, 2005
don't ask me, i only work here


FatCow posted:

Is Cisco dumping EHWICs? Seems like every small router that uses them has an EOL date.

NIMs are the future. ISR4k and ENCS both use NIM form factor.

CrazyLittle
Sep 11, 2001





Clapping Larry

ragzilla posted:

NIMs are the future. ISR4k and ENCS both use NIM form factor.

you use a stick to install them.

cisco p/n NIM-ROD

ate shit on live tv
Feb 15, 2004

by Azathoth
Does anyone know the equivalent command for Arista as Juniper's "set default-address-selection?"

The intention is that we are going to be using private addresses for the point-to-point links between our edge routers and our core switches, but we will be having public IPs on the core switch loopbacks for NAT. So we'd like it where if we traceroute to that public address, the switch uses that public IP to source the ICMP TTL-expired messages.

e: I think this may do it

    ds1a.nyi(config)#ip icmp source-interface Loopback ?
      <0-1000>  Loopback interface number

ate shit on live tv fucked around with this message at 18:16 on May 4, 2018

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE

ragzilla posted:

NIMs are the future. ISR4k and ENCS both use NIM form factor.

RIP 56k and reasonably priced T1s.

In other news I need to light a circuit to Bruce, MS. This is going to be fun. Rural? Check. Non-RBOC LEC? Check. Not near a major city? Check.

tortilla_chip
Jun 13, 2007

k-partite
Indatel can probably deliver.

Thanks Ants
May 21, 2004

#essereFerrari


Can Juniper SRX devices just throw packets at each other to test the throughput on a link? ISP is being a pain in the dick about packet loss between two VPLS sites (but only in one direction) and won't lift a finger until I can get to our datacenter and plug a laptop into their CE router directly. If there's a feature built into the SRX like the MikroTik boxes have then I can ask them to run it.

I guess the alternative is to put a NAT rule in at one end to bounce traffic back over the link but then I lose the ability to test one direction at a time.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
May depend on SRX model, but

https://www.juniper.net/documentation/en_US/junos-space14.2/topics/concept/oam-rfc2544-testing-overview.html

doomisland
Oct 5, 2004

RPM too possibly, though I've never tried it.

Proteus Jones
Feb 28, 2013



I know this is the Cisco thread, but is there a pfSense thread? I've been banging my head against the wall trying to get an IPv6 OpenVPN server up and running.

ate shit on live tv
Feb 15, 2004

by Azathoth

Proteus Jones posted:

I know this is the Cisco thread, but is there a pfSense thread? I've been banging my head against the wall trying to get an IPv6 OpenVPN server up and running.

It's just a general networking thread tbqh. Post away.

Proteus Jones
Feb 28, 2013



ate poo poo on live tv posted:

It's just a general networking thread tbqh. Post away.

I figured it out. I hosed up a WAN firewall rule, once I corrected it everything started working as expected.

BaseballPCHiker
Jan 16, 2006

Has anyone here ever enabled storm-control in their environment?

Doing some testing in the lab with it and having a hell of a time actually getting it to shut down a port at what appears to be the correct utilization of the interface. If I hard-set an interface to have 30% upper and lower thresholds, it seems like the switch will still go up to 99% CPU before it finally shuts down, taking a couple of minutes to shut down.

I think I have things set up correctly but just need to figure out the right parameters for traffic.

tortilla_chip
Jun 13, 2007

k-partite
Depending on the gear it's more of a step function than a reflection of the configured percentage, i.e. 33% is actually 40%.

Thanks Ants
May 21, 2004

#essereFerrari


Is there a feature on network switches that would require a connection to start with a DHCP request before data can pass? I've been working with a supplier that has a switch in the basement of our building, and if we pull an IP via DHCP then everything works fine. Statically addressing the same details won't even show an ARP entry for the gateway address.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

Thanks Ants posted:

Is there a feature on network switches that would require a connection to start with a DHCP request before data can pass? I've been working with a supplier that has a switch in the basement of our building, and if we pull an IP via DHCP then everything works fine. Statically addressing the same details won't even show an ARP entry for the gateway address.

ARP inspection paired with DHCP snooping does exactly that.

Matteyo
Jul 19, 2009

Thanks Ants posted:

Is there a feature on network switches that would require a connection to start with a DHCP request before data can pass? I've been working with a supplier that has a switch in the basement of our building, and if we pull an IP via DHCP then everything works fine. Statically addressing the same details won't even show an ARP entry for the gateway address.

The configuration you are talking about is almost always enforced on the host side (force machine to dhcp an address), so that would have to be handled with something like group policies (assuming the operating system is in your administrative domain) in Windows. As far as on the network side - there isn't a quick and easy way to my knowledge. You can do something like 802.1x with VLAN flipping that basically forces the machine/user to authenticate and use DHCP to get access to the network, but probably overkill. I would quadruple check the operating system config with the static configuration. Could be something as rare as a silent host or something as simple as an IP address/mask/gateway misconfiguration. In particular I have seen subnet mask misconfigurations lead to weird issues like this.

Eletriarnation
Apr 6, 2005

People don't appreciate the substance of things...
objects in space.


Oven Wrangler

Thanks Ants posted:

Is there a feature on network switches that would require a connection to start with a DHCP request before data can pass? I've been working with a supplier that has a switch in the basement of our building, and if we pull an IP via DHCP then everything works fine. Statically addressing the same details won't even show an ARP entry for the gateway address.

Sounds like DHCP snooping with IP source guard?

Thanks Ants
May 21, 2004

#essereFerrari


It's possible, I'll open a ticket with the ISP and hope they can send it to the right team. For what it's worth, I can get a DHCP lease and then assign the same address statically on the same equipment without releasing the DHCP lease or dropping the physical link, and the gateway doesn't appear in the ARP table of the firewall. Creating a static ARP entry doesn't improve anything.

The ISP have said that they will always issue the same address, but I'm just interested in how they were doing this as I can see there being uses for it elsewhere. The equipment identifies itself as Huawei, and the allocated IP address is the first one out of a /29 range.

Thanks Ants fucked around with this message at 20:24 on May 19, 2018

madsushi
Apr 19, 2009

Baller.
#essereFerrari
Are you sure you're not dropping the physical link? Changing from DHCP to static will often trigger an automatic flap. Is the MAC address of the client interface the same with both DHCP client and static IP?

Thanks Ants
May 21, 2004

#essereFerrari


The MAC is definitely staying the same. Granted I hadn't considered that changing an interface around would do a shut/no shut even if I didn't specifically do that.

I can put a dumb switch in the middle of this to make sure that the physical link stays up when I get a chance. Until then I'll see if the ISP can say what they're doing.

Partycat
Oct 25, 2004

BaseballPCHiker posted:

Has anyone here ever enabled storm-control in their environment?

Doing some testing in the lab with it and having a hell of a time actually getting it to shut down a port at what appears to be the correct utilization of the interface. If I hard-set an interface to have 30% upper and lower thresholds, it seems like the switch will still go up to 99% CPU before it finally shuts down, taking a couple of minutes to shut down.

I think I have things set up correctly but just need to figure out the right parameters for traffic.

It isn't instantaneous; there is an interval to it and traffic is averaged over the interval. You can slam the switch briefly and storm control should stop it eventually if the traffic type is proper for what you're looking for.

You can set it to filter and/or errdisable with auto re-enable, but I have had gear eventually crash out after the storm control flapped enough to eventually tank it, so my preference is to shut down.
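To make the interval-averaging point concrete, here is a small simulation added to the thread (it is not from any poster and not any vendor's actual storm-control implementation; the sampling model, thresholds and the three utilisation traces are constructed assumptions). It shows why a short burst at 95% line rate never trips a 30% threshold when the average is taken over a five-sample interval, while a sustained 60% does, and how the "filter" action recovers once the average drops below the falling threshold whereas "shutdown" stays errdisabled.

```python
class StormControlSim:
    """Simplified model of a per-port storm-control policer.

    Assumptions (constructed for illustration, not any vendor's algorithm):
    port utilisation is sampled once per tick as a percentage of line rate,
    samples are averaged over `interval` ticks, and the average is compared
    with the thresholds only when an interval completes. The `action` is
    'shutdown' (port goes errdisabled and stays there) or 'filter' (excess is
    dropped until the average falls below `falling`).
    """

    def __init__(self, rising, falling, interval=5, action="shutdown"):
        self.rising = rising
        self.falling = falling
        self.interval = interval
        self.action = action
        self.state = "forwarding"
        self.events = []          # (tick, new_state, interval_average)
        self._samples = []

    def feed(self, tick, utilisation):
        """Record one utilisation sample; evaluate when an interval completes."""
        if self.state == "errdisabled":
            return self.state     # a shut-down port needs manual/auto recovery
        self._samples.append(utilisation)
        if len(self._samples) < self.interval:
            return self.state
        avg = sum(self._samples) / len(self._samples)
        self._samples.clear()
        if self.state == "forwarding" and avg >= self.rising:
            self.state = "errdisabled" if self.action == "shutdown" else "filtering"
            self.events.append((tick, self.state, avg))
        elif self.state == "filtering" and avg < self.falling:
            self.state = "forwarding"
            self.events.append((tick, self.state, avg))
        return self.state


def simulate(samples, rising=30, falling=30, interval=5, action="shutdown"):
    """Run a constructed utilisation trace through the model and return it."""
    sim = StormControlSim(rising, falling, interval, action)
    for tick, util in enumerate(samples):
        sim.feed(tick, util)
    return sim


# Constructed traces (percent of line rate per tick).
SHORT_BURST = [0, 95, 0, 0, 0, 0, 0, 0, 0, 0]   # one tick at 95%: 19% average
SUSTAINED = [0] * 5 + [60] * 5                   # second interval averages 60%
STORM_THEN_QUIET = SUSTAINED + [10] * 5          # third interval averages 10%


if __name__ == "__main__":
    print("short burst:", simulate(SHORT_BURST).state)
    print("sustained, shutdown:", simulate(SUSTAINED).events)
    print("sustained, filter:", simulate(STORM_THEN_QUIET, action="filter").events)
```

The lab symptom described above (the port only going down after a couple of minutes) is what you would expect if the real interval is long relative to the traffic generator's bursts: the policer acts on the interval average, not on the instantaneous rate you see in `show interface`.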

Jbz
Jun 6, 2011

Huge idiot here, I'm taking the ICND1 in a couple weeks and doing practice exams. Came across this question and I can't figure out why the /17 is the Most Correct answer.

Explanation says: "Of the routes for the 100.100.0.0 network shown, three of them would match for the 100.100.100.50 destination: 100.100.0.0/14, 100.100.0.0/16, and 100.100.0.0/17. The 100.100.0.0/21 route would not match the 100.100.100.50 destination because it would include only the addresses from 100.100.0.0 through 100.100.7.255, inclusively."

Re-reading the relevant chapter from the book wasn't helpful.

Methanar
Sep 26, 2013

by the sex ghost

Jbz posted:

Huge idiot here, I'm taking the ICND1 in a couple weeks and doing practice exams. Came across this question and I can't figure out why the /17 is the Most Correct answer.

Explanation says: "Of the routes for the 100.100.0.0 network shown, three of them would match for the 100.100.100.50 destination: 100.100.0.0/14, 100.100.0.0/16, and 100.100.0.0/17. The 100.100.0.0/21 route would not match the 100.100.100.50 destination because it would include only the addresses from 100.100.0.0 through 100.100.7.255, inclusively."

Re-reading the relevant chapter from the book wasn't helpful.



If a destination matches multiple routes, it will take the most specific one.

https://en.wikipedia.org/wiki/Longest_prefix_match

This is actually how 0.0.0.0/0 works.

It's the least specific route possible, it will always match if nothing else does. It's not just a hardcoded magic number, it's logically consistent with all other routes.
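The practice question worked through in code, as an added example that is not part of any post in the thread. The routing table is the one quoted from the exam explanation (the next-hop labels are placeholders I made up); the script lists which prefixes contain 100.100.100.50, shows that 100.100.0.0/21 only covers 100.100.0.0 through 100.100.7.255, and picks the /17 as the longest match. It also shows 0.0.0.0/0 behaving as an ordinary route that only wins when nothing longer matches.

```python
import ipaddress

# Constructed routing table, taken from the practice-exam question quoted
# above. The next-hop labels are placeholders, not real interfaces.
ROUTES = [
    ("100.100.0.0/14", "via-A"),
    ("100.100.0.0/16", "via-B"),
    ("100.100.0.0/17", "via-C"),
    ("100.100.0.0/21", "via-D"),
    ("0.0.0.0/0", "default"),   # least specific: matches when nothing else does
]


def prefix_range(prefix):
    """First and last address covered by a prefix, as dotted strings."""
    net = ipaddress.ip_network(prefix, strict=False)
    return str(net[0]), str(net[-1])


def matching_routes(dst, routes=ROUTES):
    """Every (prefix, next_hop) whose prefix contains dst."""
    addr = ipaddress.ip_address(dst)
    return [
        (prefix, next_hop)
        for prefix, next_hop in routes
        if addr in ipaddress.ip_network(prefix, strict=False)
    ]


def longest_prefix_match(dst, routes=ROUTES):
    """Forwarding decision: among all matching routes, pick the one with the
    longest prefix length (most specific). Returns None if nothing matches,
    which can only happen when the table has no default route."""
    matches = matching_routes(dst, routes)
    if not matches:
        return None
    return max(
        matches,
        key=lambda r: ipaddress.ip_network(r[0], strict=False).prefixlen,
    )


if __name__ == "__main__":
    dst = "100.100.100.50"
    hits = matching_routes(dst)
    for prefix, next_hop in ROUTES:
        lo, hi = prefix_range(prefix)
        verdict = "match" if (prefix, next_hop) in hits else "no match"
        print(f"{prefix:<17} {lo} - {hi}: {verdict}")
    print("chosen:", longest_prefix_match(dst))
    # An address outside every specific prefix falls through to 0.0.0.0/0.
    print("8.8.8.8 ->", longest_prefix_match("8.8.8.8"))
    # Without a default route the same lookup has no answer at all.
    print("8.8.8.8, no default ->", longest_prefix_match("8.8.8.8", ROUTES[:-1]))
```

Running it prints four matching prefixes (/14, /16, /17 and /0), a "no match" for the /21, and `('100.100.0.0/17', 'via-C')` as the chosen route.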

Jbz
Jun 6, 2011

Methanar posted:

If a destination matches multiple routes, it will take the most specific one.

https://en.wikipedia.org/wiki/Longest_prefix_match

This is actually how 0.0.0.0/0 works.

It's the least specific route possible, it will always match if nothing else does. It's not just a hardcoded magic number, it's logically consistent with all other routes.

Thank you very much. As expected I'm just a dumbdumb.

Richard Noggin
Jun 6, 2005
Redneck By Default
e: nm

Richard Noggin fucked around with this message at 21:16 on May 22, 2018

Partycat
Oct 25, 2004

Jbz posted:

Thank you very much. As expected I'm just a dumbdumb.

Nah, those are designed to be like that on purpose so you have to think. When it does that with different protocols with someone playing with weights and you have to troubleshoot, you'll thank these sorts of examples for being there teaching you to scrutinize, to save pulling at least a few hairs out.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
Assuming CPUSE is unavailable, is upgrading a Checkpoint 12600 from r77 to r80 only available through USB boot?

I don't normally deal with them but so far they seem extremely painful to deal with.

ior
Nov 21, 2003

What's a fuckass?

Sepist posted:

Assuming CPUSE is unavailable, is upgrading a Checkpoint 12600 from r77 to r80 only available through USB boot?

I don't normally deal with them but so far they seem extremely painful to deal with.

You really want to do it through CPUSE, why is it unavailable? (You can import packages offline, control it via CLI if the web UI is unavailable, etc.)

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
Honestly I have very little insight into this. I brought the unit up in eval mode but there's no packages available in CPUSE. I don't know enough about Checkpoint to know if it's because the full license hasn't been applied yet.

I tried to import the R80 ISO but that doesn't seem to do anything. And without a support portal login I'm a bit stuck. Finding random walkthroughs for Checkpoint isn't as easy as it is for ASA and Palo Alto.

ior
Nov 21, 2003

What's a fuckass?

Sepist posted:

Honestly I have very little insight into this. I brought the unit up in eval mode but there's no packages available in CPUSE. I don't know enough about Checkpoint to know if it's because the full license hasn't been applied yet.

I tried to import the R80 ISO but that doesn't seem to do anything. And without a support portal login I'm a bit stuck. Finding random walkthroughs for Checkpoint isn't as easy as it is for ASA and Palo Alto.

If you installed with a recent ISO then CPUSE will show you packages in eval. If you used an old ISO the CPUSE agent needs a manual update to get online.

Either way, what you want to import is: Check_Point_R80.10_T462_Fresh_Install_and_Upgrade_from_R7X.tgz

Get it here: https://supportcenter.checkpoint.co...s=&fileid=54771


mythicknight
Jan 28, 2009

my thick night

I have an access switch stack that has a single link to two different core switches. My problem is it seems to be pushing all traffic up one link right now, and it's saturated. Anything I can do to tell it to use both? Port channel wouldn't work I think since each link is going to a different device upstream. Not sure why we didn't run multiple links for each connection but here we are :pseudo:

A lot of the config is over my head, but the interfaces seem to be configured identically. Trunks, vlans, etc.
