|
Lonoxmont posted:Thanks guys, looks like I got lucky, and all that happened was the sonicwall has to do the routing for the new range until I get all the /24 changed to /22 on the clients on my end. So everything stayed up and running, but until everything has the new hostmask it is still a bottleneck through the sonicwall (I presume). At some point I will probably get around to moving the default gateway etc where the sonicwall lives to somewhere closer to the beginning of the address space, where networking stuff should go. Not looking forward to running through all the clients again for that. If your clients are all windows based, you could use powershell to do it!
|
#
?
Sep 20, 2018 18:40
|
|
|
|
| # ? Apr 20, 2024 02:34 |
|
|
MF_James posted:If your clients are all windows based, you could use powershell to do it! Oh? I was vaguely toying with trying to finagle something through Group Policy to do that, but if there is an easier way I am 
|
|
#
?
Sep 20, 2018 19:57
|
|
|
Lonoxmont posted:Oh? I was vaguely toying with trying to finagle something through Group Policy to do that, but if there is an easier way I am This guy has some powershell that can do it locally, you just need to invoke via remote powershell and possibly step through an array of computer names, make a few other changes, and possibly have it step through each netadapter found in the event you have wireless, wired and other possibilities. The thing I'm not sure about, and possibly someone else can comment on, is if you will run into a problem running the script part-way through due to the changes being made.
|
|
#
?
Sep 20, 2018 20:28
|
|
|
Lonoxmont posted:Thanks guys, looks like I got lucky, and all that happened was the sonicwall has to do the routing for the new range until I get all the /24 changed to /22 on the clients on my end. So everything stayed up and running, but until everything has the new hostmask it is still a bottleneck through the sonicwall (I presume). At some point I will probably get around to moving the default gateway etc where the sonicwall lives to somewhere closer to the beginning of the address space, where networking stuff should go. Not looking forward to running through all the clients again for that. set your router to 10.1.0.0 /15
|
|
#
?
Sep 21, 2018 01:32
|
|
|
CrazyLittle posted:set your router to 10.1.0.0 /15 That sounds like a bad idea from a performance standpoint, from what I have been told.
|
|
#
?
Sep 21, 2018 01:55
|
|
|
Lonoxmont posted:That sounds like a bad idea from a performance standpoint, from what I have been told. Nothing magical about that subnet aside from being able to set an IP that some stupid devices won't recognize as a valid address... which it is.
|
|
#
?
Sep 21, 2018 02:00
|
|
|
Confuse the gently caress out of everybody who comes to work on that network and enable proxy ARP
|
|
#
?
Sep 21, 2018 15:37
|
|
|
Partycat posted:This is why I love reserved or static DHCP , because I dot have to chase statically configured garbage around that ends up being some embedded poo poo I have no password to. It's also just nice to have all that information in a database (that's not an excel spreadsheet or some impromptu IP database you threw together), so you can leverage it later for stuff. ElCondemn posted:Having very large subnets means you also have a larger broadcast domain, so be wary of that as it can cause problems as you add more hosts (like larger impact during broadcast storms etc.) I mean, yeah, a bigger subnet means the possibility for more hosts, but you should be taking precautions on the layer 2 access side of things to prevent this anyway (storm control, port security?). MF_James posted:This guy has some powershell that can do it locally, you just need to invoke via remote powershell and possibly step through an array of computer names, make a few other changes, and possibly have it step through each netadapter found in the event you have wireless, wired and other possibilities. Couldn't you just readdress everything major that needs to be statically assigned and then pull the client PC MACs from the ARP table on the SonicWall, put some reservations on via DHCP, presto blamo. Unless I'm missing something here, that seems the most straightforward way unless you really want things to stay statically assigned without the use of DHCP. We recently migrated from a very old server running an also old version of pfSense to a Netgate appliance, resubnetted our entire company LAN (broke up our dwindling /24 full of statics into 5 /22's by dept), and that's essentially how we did it. Pulled the MACs, binded via DHCP, and then slowly told everyone to switch to DHCP (mind you we kept two active firewalls live for the transition). Chuck Finley fucked around with this message at 14:34 on Sep 22, 2018 |
|
#
?
Sep 22, 2018 14:08
|
|
|
Interviewed a candidate today who claimed he had his CCNA and CCNP, didn't get any of the my layer 2 questions except Port-channels. I've said it before over 10 years ago itt, and I stand by it, if you don't understand Layer2, you aren't a network engineer.
|
|
#
?
Sep 25, 2018 19:59
|
|
|
Chuck Finley posted:Couldn't you just readdress everything major that needs to be statically assigned and then pull the client PC MACs from the ARP table on the SonicWall, put some reservations on via DHCP, presto blamo. Unless I'm missing something here, that seems the most straightforward way unless you really want things to stay statically assigned without the use of DHCP. We recently migrated from a very old server running an also old version of pfSense to a Netgate appliance, resubnetted our entire company LAN (broke up our dwindling /24 full of statics into 5 /22's by dept), and that's essentially how we did it. Pulled the MACs, binded via DHCP, and then slowly told everyone to switch to DHCP (mind you we kept two active firewalls live for the transition). Yeah there are a lot of ways to do it, I was just giving an option that fit within the current framework. I'm often bad about that, I'm used to doing hacky poo poo and not having any options to change things to the correct/a better way of doing things.
|
|
#
?
Sep 25, 2018 20:19
|
|
|
ate poo poo on live tv posted:Interviewed a candidate today who claimed he had his CCNA and CCNP, didn't get any of the my layer 2 questions except Port-channels. I've said it before over 10 years ago itt, and I stand by it, if you don't understand Layer2, you aren't a network engineer. Well don't leave us hanging on what some of the questions were!
|
|
#
?
Sep 25, 2018 20:35
|
|
|
Yeah like are these questions like "what is ARP" and "why do we need spanning tree" or are we talking things like "what is the most commonly used protocol that operates on 802.2 LLC SNAP"
|
|
#
?
Sep 25, 2018 20:58
|
|
|
Kazinsal posted:"what is the most commonly used protocol that operates on 802.2 LLC SNAP" Levi’s
|
|
#
?
Sep 25, 2018 21:16
|
|
|
Super basic as this was a phone interview: I started out asking about Cisco hardware as his resume said he had experience with Cisco 35xx, 45xx, 29xx, 65xx's etc. "what are some of the basic differences between the various 6500 chassis', can you name what you worked with?" (I was looking for at a minimum the numbers of slots, i.e. 6504, 6506, 6509 etc. bringing up the "E" chassis would have been fine too, just something to indicate you have interacted with a Cisco 6500, maybe eventually asked about supervisor cards eventually.) Him: "not sure" Ok fine, he's not really super in to hardware, maybe he's never actually seen one (wouldn't surprise me tbqh). What about the CLI, what commands have you run, what information were you looking for? He doesn't answer me with anything specific, i.e. "show vlan" or anything like that. But he mentions that he had to add a switch to a VTP domain, and set the proper password, which fine, I guess that's possible. Then he talks about how he had to prune the vlans on the trunk port, which completely defeats the purpose of VTP to begin with I asked him a probing question about what VTP does, but he was light on details. Ok let's just do some basic layer 2. Me: Suppose you have 3 unconfigured cisco/arista switches and you set them up in a triangle topology. Switch 1 connected to switch 2 and switch 3, and switch 2 and 3 connected to each other. Him: The lowest "mac-address" would become the root, (actually the lowest bridge-id, but I don't really care that answer works for me). Me: "Great" let's call the root "switch 1" would all the links in this topology be passing traffic? Him: stammering about port-costs and priority's and native-vlans etc etc eventually mentions blocking. Me: Ok, which link would be blocked? Him: ... Me: Ok well which switch wouldn't be blocking any of its ports? (it's the root) Him: ... What if we added another link between switch 1, the root, and switch 2? Him: It would be blocked What if we wanted it not to be blocked? Him: ether-channel the two ports. Ok, would the port-cost of this new logical link be lower or higher then the cost of the one link? Him: That's a good question... Sigh, it's not that I expected him to be perfect, but the conversation we had during these questions indicated that he had memorized definitions and protocols, but didn't really know what they did, or why. Like he knew that to make an ether-channel the protocol you used was LACP (and of course he mentioned PAGP, as I'd expect someone who had just memorized stuff, but these days in an interview I wouldn't even mention PAGP since afaik, even Cisco doesn't support it anymore.) He also didn't know that you could setup an etherchannel without any type of link aggregation protocol. He mentioned VPC on the Nexus, but didn't know what problem it solved, or why you'd use it. I hope my expectations aren't too high for interviewing someone who claims they passed their CCNA and CCNP. I didn't even talk about ARP or TCP etc, because if you can't answer basic switching questions you aren't a network engineer. My coworker who was in the same room asked him some basics about BGP, i.e. how do you control out-bound, how can you influence in-bound? Missed them both... :/ ate shit on live tv fucked around with this message at 22:12 on Sep 25, 2018 |
|
#
?
Sep 25, 2018 22:08
|
|
|
ate poo poo on live tv posted:Interviewed a candidate today who claimed he had his CCNA and CCNP, didn't get any of the my layer 2 questions except Port-channels. I've said it before over 10 years ago itt, and I stand by it, if you don't understand Layer2, you aren't a network engineer.
|
|
#
?
Sep 26, 2018 03:54
|
|
|
Our last round of hiring I was really disappointed that I wasn't able to grill anybody on bare metal anything let alone BGP or networkingisms because everyone who applied had only ever worked on AWS. Was a bit of an eye-opener
|
|
#
?
Sep 26, 2018 03:57
|
|
|
Methanar posted:Our last round of hiring I was really disappointed that I wasn't able to grill anybody on bare metal anything let alone BGP or networkingisms because everyone who applied had only ever worked on AWS.  Look I'm all about the cloud, used properly, but if you don't need someone who knows layer 2 or bgp etc, then you don't really need network engineer.
|
|
#
?
Sep 26, 2018 15:14
|
|
|
ate poo poo on live tv posted:
I don't quite follow. What I was talking about was a case where we were hiring Linux SREs who could code, or devs who were comfortable doing infra things. Out of like 15 people that I interviewed, only 1 of them had any meaningful non-cloud experiences at all. At the time I didn't realize that working in an physical DC was becoming such a lost art. Particularly where you can't do things like just throw money at Amazon to do your edge load balancing for you or have to consider capacity planning, or etc etc etc I didn't really think it was that unreasonable expect awareness of virtual MAC based HA as an example off the top of my head. Or being able to walk through a troubleshooting scenario where you have data loss because you are emitting jumbo packets to the internet that get fragmented down to 1500 somewhere in the middle, but the ICMP fragment requests get dropped at your edge because of your firewall policy that didn't permit ICMP. Or the classic example of you type "traceroute google.com`. How does this work? Methanar fucked around with this message at 06:28 on Sep 27, 2018 |
|
#
?
Sep 27, 2018 06:22
|
|
|
Methanar posted:
To add to this virtual MAC bit. One of the guys that we did hire set up keepalived on a network that was shared with our NAT installation that was using CARP. There was a few moments of mass confusion when terrible things happened because the guy didn't know that keepalived and CARP were both implementations of virtual MAC HA and that you can't have them share VRRP groups in the same broadcast domain. Methanar fucked around with this message at 06:35 on Sep 27, 2018 |
|
#
?
Sep 27, 2018 06:32
|
|
|
Is there any way to do Netflow on a Layer 3 switch (that is now acting as a replacement internal router) in a way that separates traffic by vlans, in the same way that a router can? Say... a 3850? Because I'm running into issues with the whole "can't run flexible netflow on a SVI". We can get flow exporting fine via the physical interface, but rather than simply knowing the total amount on the exit interface, we'd rather know there was 10GB egress on Vlan 1234 (to a core switch from a remote network for example) - the way we could do easily on a dedicated router. Google has been unhelpful other than parroting "flexible netflow is not supported on SVIs".
|
|
#
?
Sep 27, 2018 12:26
|
|
|
You could do a loopback cable and do Netflow off the subints.
|
|
#
?
Oct 2, 2018 19:34
|
|
|
All hail shitloops
|
|
#
?
Oct 2, 2018 22:10
|
|
|
This is a fun bug! https://www.cisco.com/c/en/us/support/docs/field-notices/642/fn64228.html quote:Field Notice: FN - 64228 - ASA 5506, ASA 5506W, ASA 5506H, ASA 5508, and ASA 5516 Might Fail After 18 Months or Longer Due to Clock Signal Component Failure My boss buys most everything grey market and of course we dont have smart net on any of these. I get to look forward to replacing several ASAs in the next month...
|
|
#
?
Oct 3, 2018 17:28
|
|
|
We replaced 3 ASA's due to that bug. Didn't need smartnet, just that they're under warranty (which is not the same thing as smartnet).
|
|
#
?
Oct 3, 2018 17:32
|
|
|
We've still got some outstanding RMA requests on that bug, 18 months later. We're entering the fun zone now.
|
|
#
?
Oct 3, 2018 18:04
|
|
|
BaseballPCHiker posted:This is a fun bug! That one hit a lot of vendors, because it's actually a flaw in the Intel C2000 processor which is widely used in network appliances.
|
|
#
?
Oct 3, 2018 20:51
|
|
|
They're pretty late to the game if they didn't already try to fix that poo poo last year. Everyone else seemed to. Maybe you got the bad hardware from someone dumpster diving on eBay?
|
|
#
?
Oct 3, 2018 21:36
|
|
|
falz posted:They're pretty late to the game if they didn't already try to fix that poo poo last year. Everyone else seemed to. Maybe you got the bad hardware from someone dumpster diving on eBay? It was almost certainly this. Some of those defective ASA's ended up in the grey-market and you bought them. Also everyone should do something like this on their edge: code:ate shit on live tv fucked around with this message at 21:55 on Oct 3, 2018 |
|
#
?
Oct 3, 2018 21:52
|
|
|
I'm looking at 10/40/100gig switches and don't particularly enjoy the $20k pricepoint of Cisco Cat9500 or Arista's new generation. Anyone here use Cisco Nexus 9300, or specifically Cisco N9K-C93180YC-EX ? Any thoughts on these boxes? I probably won't need any fancy features like NAT or MPLS on them since it'll be sitting in between 2+n routers, but netflow might be a nice bonus. Also what does Arista's grey-market support services look like? Non-existant? Can you get bug fixes / firmware patches for 7280SE's anymore?
|
|
#
?
Oct 3, 2018 22:43
|
|
|
Would the Juniper EX4650 work for you?
|
|
#
?
Oct 3, 2018 22:55
|
|
|
Thanks Ants posted:Would the Juniper EX4650 work for you? Probably? But it's also $20k
|
|
#
?
Oct 3, 2018 23:23
|
|
|
Fair enough, just did a quick look on CDW and it’s not a huge amount more than the Cisco - I just assumed that the discounts available on each would be similar.
|
|
#
?
Oct 3, 2018 23:35
|
|
|
You likely get sflow, not netflow. Not sure if it is all of them, but at least some 9300s are Broadcom based. We have a bunch of 9336pqs pushing packets in our DCs with no issues.
|
|
#
?
Oct 4, 2018 00:17
|
|
|
quote:It was almost certainly this. Some of those defective ASA's ended up in the grey-market and you bought them. Grey market comes back to bite us again. I wish my boss would just go with someone like CDW for all of this but instead he spends half his day shopping around for "deals". The worst part is that now when we do try and go through normal channels people will be shocked by the price.
|
|
#
?
Oct 4, 2018 00:29
|
|
|
CrazyLittle posted:I'm looking at 10/40/100gig switches and don't particularly enjoy the $20k pricepoint of Cisco Cat9500 or Arista's new generation. Anyone here use Cisco Nexus 9300, or specifically Cisco N9K-C93180YC-EX ? Any thoughts on these boxes? I probably won't need any fancy features like NAT or MPLS on them since it'll be sitting in between 2+n routers, but netflow might be a nice bonus. We use the 93180YC-FX and 93180YC-EX in the data center. They shouldn't be 20k for the box if you use one of the big resellers. They can get you 60% off list without much trouble. Your biggest pain point is going to be optics because they are stupid expensive unless you go 3rd party. Cisco is a bit more lenient with 3rd party optics, with Arista you have to call into support and tell them the optic you're using and they will give you the unlock code. Some of the optics dont have a code yet like 40/100bidi
|
|
#
?
Oct 4, 2018 00:33
|
|
|
9300s are all Cisco silicon. The 3ks are where the commodity line lives
|
|
#
?
Oct 4, 2018 01:17
|
|
|
tortilla_chip posted:9300s are all Cisco silicon. The 3ks are where the commodity line lives 9200/9300 are hybrid Cisco/Broadcom (BRKARC-2222/BRKDCT-3640). Broadcom supply the forwarding ASIC (the NFE, Trident II/Tomahawk) and Cisco silicon does the ACI stuff/VXLAN routing/flow/enhanced buffering and queuing by supplying the switch fabric (ASE/ALE ASIC).
|
|
#
?
Oct 4, 2018 02:52
|
|
|
Look at qfx100003 (juniper silicon) and qfx5110/ qfx5200(?) Which is broadcom.
|
|
#
?
Oct 4, 2018 03:08
|
|
|
falz posted:Look at qfx100003 (juniper silicon) and qfx5110/ qfx5200(?) Which is broadcom. qfx10000000003 and mx10000000000000000003 thanks juniper
|
|
#
?
Oct 6, 2018 03:42
|
|
|
|
| # ? Apr 20, 2024 02:34 |
|
|
Did Cisco ever release a model with >3 zeros in the name? I immediately thought of CSS but that was only 11500 (I assume the 5 was a courtesy move because ugh).
|
|
#
?
Oct 7, 2018 14:57
|
|
