GreenNight posted:
    We're replacing all our C3560X switches with Meraki MS390. My first dip into the Meraki world outside of WiFi. I've been really bad about doing any research into the Meraki line, but that'll have to change with it being part of the certifications now. My basic understanding is it provides ease of use for people who aren't experts on configurations and has built-in visual monitoring tools without needing an application like Solarwinds, but at an increased cost for hardware and licensing. Is that about right?

Feb 28, 2020 16:38

Cyks posted:
    I've been really bad about doing any research into the Meraki line but that'll have to change with it being part of the certifications now.

We have a poo poo ton invested in Solarwinds, but from what I've seen so far, yes. I'm used to changing VLANs via the CLI, but yes, you have a GUI for all port settings now and it tells you traffic per port, usage, PoE usage, etc. It's pretty slick and I like all the information it provides without loving around in Solarwinds.

Feb 28, 2020 16:42

Meraki is slick GUI configuration and it collects analytics about every device, user and switchport that would make the NSA blush. Just being able to type a machine name, user name or IP phone into the search box and have "it just work" is so nice.

Feb 28, 2020 20:46

We use Meraki for access layer switching, WiFi and site-to-site VPNs. It is dead simple to configure/monitor. It is great to have our helpdesk folks in there to be able to do some quick troubleshooting and hunt down clients. The reporting from the WiFi side is great, as we have some higher-ups that use those stats. Really no complaints from me. I am running around 30+ switches, 50+ APs and 10ish site-to-site VPNs.

Mar 4, 2020 03:45

My best asset as an IT person has been never being afraid to be the stupid person, because that's how I learn best: trying/failing/repeat. In the spirit of that I have a question for the network people here. I'd like to start rolling out Cisco's config archive and rollback feature on new devices we deploy. If I'm understanding it correctly I can specify a path to save configs to using TFTP. We already have that infrastructure in place for our nightly config backups, so it should be pretty easy for me to make a new folder to save these archives to. If I understand correctly, once I have devices saving archives via TFTP we can remotely start working on a device, issue a 'revert 20' or something, and if we totally hose things up the switch will revert back to its previous archive. How would that work though if you truly mess something up? For example, you start working on a switch, do a 'revert 20' command, then while pruning a trunk you forget to do 'allowed vlan add' and just do 'allowed vlan'. In this case the switch has lost connectivity back to the TFTP server, so how is it getting its old archived config? Am I better off setting up the archives to be saved locally? Then still have our nightly config backups run via TFTP?

Mar 5, 2020 16:04

BaseballPCHiker posted:
    How would that work though if you truly mess something up? For example, you start working on a switch, do a 'revert 20' command, then while pruning a trunk you forget to do 'allowed vlan add' and just do 'allowed vlan'. In this case the switch has lost connectivity back to the TFTP server, so how is it getting its old archived config?

I don't work with Cisco often and it's never new stuff, so I've only seen it done as a "reload in X" followed by a "reload cancel" when things are set, but it seems like the modern way to do this would be something along the lines of "configure replace nvram:startup-config time 120" followed by "configure confirm" when good, because that won't waste time rebooting the whole device. Accessibility of the remote archive shouldn't matter unless you're looking to go back multiple versions.

Mar 5, 2020 17:30

Briefly looking at the archive config reference, it seems like a better idea to use a local filesystem rather than a TFTP path.

Mar 5, 2020 18:39

Yeah, as I was looking into it more, saving the archives locally looks to be the best way forward for us. That way if a device gets foobared it can just revert to the archive stored locally. That plus the nightly TFTP config backups ought to cover us.

Mar 5, 2020 18:49

Doing some JunOS stuff and I'm looking for some advice specific to JunOS but also somewhat general advice. I have a distributed network (4-5 remote sites) set up in a star topology. One of these remote sites is going to have some vendor devices; these vendor devices will need to communicate with a single device on another subnet, but I do not want them communicating with any other subnet (other than the internet). At the moment, my best thought is applying a firewall filter to all other VLANs, blocking traffic from the vendor subnet by source address.

code:
    edit firewall family inet filter FILTERNAME term TERMNAME
    set from source-address VENDORSUBNET
    set then discard
    top
    set vlans VLAN filter input FILTERNAME

The above (should?) do what I want; I just need to replace the capital-lettered stuff with real stuff and then apply the last line to all the VLANs. My issue is there are a bunch of VLANs and going to be more, so I'm hoping there's a better way to do this. Perhaps I could limit egress traffic on that VLAN to all private address space but exempt some addresses, such as the subnet I want it to talk to and the router/firewall interfaces it needs to get out to the internet? Just not familiar with how exceptions work and how to set it up.... halp i'm bad

Mar 11, 2020 18:38

Why not set an ACL on the closest L3 device for traffic from the vendor source IPs to allow your alternate subnet, deny all other internal networks, and allow 0/0 beyond that? Configuring one device is way less work.

    Allow from vendorIPs to SubnetRange
    Deny from vendorIPs to InternalNetworkList
    Allow from vendorIPs to 0/0

It's been a while since I was in a JunOS device so syntax is not gonna be something I can intelligently type, but that's what you're going for realistically, and it will encompass further expansion of your inside network.

Mar 11, 2020 20:54

What are the devices? SRX or EX?

Mar 11, 2020 21:06

EX. I was going to set the ACL on the L3 device, which is an EX4200 stack (I think it's 4200s, maybe 3200s).

Mar 11, 2020 21:30

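Putting the ACL on the EX's routed VLAN interface, as Digital_Jesus suggests, means one filter on the vendor VLAN's ingress instead of a filter on every other VLAN. The following is an added Junos example, not config from any poster or vendor doc; the VLAN unit, prefixes and filter/prefix-list names are placeholders to replace with real values.

```junos
## Added example: one ingress filter on the vendor VLAN's L3 interface (EX, Junos).
## Every name and prefix below is a placeholder.
set policy-options prefix-list VENDOR-TARGET 10.50.20.0/24
## Internal hosts the vendor devices must still reach (DNS, firewall inside address).
## Add the RVI's own address here if the devices need to reach the gateway itself.
set policy-options prefix-list VENDOR-INFRA 10.0.0.53/32
set policy-options prefix-list VENDOR-INFRA 10.0.0.1/32
set policy-options prefix-list RFC1918 10.0.0.0/8
set policy-options prefix-list RFC1918 172.16.0.0/12
set policy-options prefix-list RFC1918 192.168.0.0/16

## Terms are evaluated top-down; the first matching term wins.
set firewall family inet filter VENDOR-IN term allow-target from destination-prefix-list VENDOR-TARGET
set firewall family inet filter VENDOR-IN term allow-target then accept
set firewall family inet filter VENDOR-IN term allow-infra from destination-prefix-list VENDOR-INFRA
set firewall family inet filter VENDOR-IN term allow-infra then accept
## Anything else bound for private space is dropped, counted and logged so the
## block is visible rather than silent.
set firewall family inet filter VENDOR-IN term block-internal from destination-prefix-list RFC1918
set firewall family inet filter VENDOR-IN term block-internal then count VENDOR-BLOCKED
set firewall family inet filter VENDOR-IN term block-internal then syslog
set firewall family inet filter VENDOR-IN term block-internal then discard
## Public destinations (the internet) fall through to here.
set firewall family inet filter VENDOR-IN term allow-internet then accept

## Apply inbound on the vendor VLAN's routed interface (vlan.50 assumed to be the vendor RVI).
## Filters are stateless, so only vendor-sourced traffic is evaluated here; return
## traffic from the internet or the allowed subnet is untouched.
set interfaces vlan unit 50 family inet filter input VENDOR-IN
```

`show firewall filter VENDOR-IN` shows the VENDOR-BLOCKED counter, which is a quick way to confirm the devices are not probing other internal subnets.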
My company recently bought some Juniper PTXs running Junos Evolved. There have been quite a few bizarre bugs related to SNMP, the re0:mgmt interface, MPLS/RSVP etc. (To be fair, 14.5 is fixing a lot of these as well as hundreds of others; I've submitted 2 new PRs myself.) However, the joke is the new Junos has "devolved", very clever I'm sure. But this bug is amazing. I am turning up some p2ps between two of our sites that I live nearby to get some DC experience, since it's been at least a year since I'd been (hurrah for dedicated DC teams). I copy and paste the config, find out the circuits aren't up yet, get obm online etc. etc., find out the other end of the circuit won't even be connected til tomorrow, so I'm not too worried about it. Put a copy-and-paste config on the interface on the production PTX on the other side, no other services. I accidentally set the interface IP to 10.1.1.1/3; the address was supposed to be 10.1.1.1/31. The interface is down and won't be getting turned up until tomorrow, and I start troubleshooting a "disk full" error/bug on a different PTX. Finally I wrap up and head home. I find out later that night traffic through that router is getting blackholed. Investigation revealed the FIB had installed 10.1.1.1/3 as a destination out of the DOWN interface. Cool bug. For the curious, 10.0.0.0/3 is IP range: [0.0.0.0-31.255.255.255]

Apr 9, 2020 03:42

What goes into the decision to use Juniper rather than Arista, other than Juniper gear already being entrenched and in place?

Apr 9, 2020 04:53

Might only make sense to those using FortiGates on the reg, and only if you use profile groups (which you should be, they're dope): https://twitter.com/GarbageDotNet/status/1248155278958153729 tl;dr: the device will stop you from creating an invalid config state but won't stop you from editing existing config into an invalid state (mixing Comfort Clients protocol options with the Content Disarm & Reconstruction AV feature). I'm certain that invalid config has been causing a bunch of issues in my home network with weird dropped/replayed packets and poo poo.

Apr 9, 2020 12:56

Methanar posted:
    What goes into the decision to use Juniper rather than Arista, other than Juniper gear already being entrenched and in place?

I don't know his answer, but depending on the PTX he bought it may be Q5 chip based (QFX10k; they just rebranded a bunch of those, specifically super dense 100G/400G models), which have pretty capable in-house silicon vs Broadcom Jericho with FIB tricks to get millions of routes. Q5 can do 2 mil FIB and 100 ms buffers on all ports. YMMV depending on Arista model w/ BCM stuff. Junos has been hot garbage lately but I'd take it over an IOS clone any day.

Apr 9, 2020 18:20

Methanar posted:
    What goes into the decision to use Juniper rather than Arista, other than Juniper gear already being entrenched and in place?

In our environment, until we got these PTX10003s we only had two SRX1400s as far as Juniper went. Our infrastructure is almost all Arista already, and we were planning on sticking with Arista, but we had decided to do MPLS+RSVP+TE+Backup Path+Auto-BW for our WAN. Well, Arista doesn't support those MPLS features, even though they claimed they would "next quarter" for about a year. (As an aside, Arista is all-in for Segment Routing, which is what I wanted to build our WAN with, but MPLS won out.) We chose the PTXs because we wanted 32 ports of 100GB and MACsec at line rate, with the ability to do 400GB in the future.

Apr 10, 2020 00:23

Anyone have any tips, or documentation, for building your own BGP community schema? Our BGP network is big enough to need such things now. I want to create a schema that is extensible enough to not need much tweaking in the future.

Apr 28, 2020 16:52

ate poo poo on live tv posted:
    Anyone have any tips, or documentation, for building your own BGP community schema? Our BGP network is big enough to need such things now. I want to create a schema that is extensible enough to not need much tweaking in the future.

We did the same and gave it a lot of thought and discussion over 6 months or so before implementing.

Create info and action communities. Keep them different lengths of characters: our info communities are all 5 digits starting with 5, action communities are all 4 digits. This makes it easier to strip communities.

Make regions like a tic-tac-toe board and encode that as one digit of the info community. We use another pair of digits as the PoP ID. Make one digit of the info community the method the route was learned, hopefully following your local-pref standard. 100 = paid transit for us, so we used 1 for that; 3 = peering (300), etc., up to customer and aggregates. For action communities, embed that same digit somehow, e.g. "don't advertise to transit" would have a 1 in it somewhere.

Create special per-peer and peer-type policies to allow control by type and ASN. Ultimately this gives you fun stuff like "share IX routes in this region" and "don't advertise to Cogent" or whatever. Document the poo poo out of it, including to your customers.

We're Junos so we used SLAX scripts. It supports Python now, so I may port them, or better yet use off-box automation to update them. It's really not possible via humans. I'm exploring Jinja templates to instead use https://github.com/respawner/peering-manager to do this once I have more time. PM me and I can share more info; I just don't want to associate me with an org publicly.

Edit: while you're at it, consider also implementing some of the newer-ish standard BGP communities and developments:

* https://tools.ietf.org/html/rfc7999 - Standard BLACKHOLE community 65535:666
* https://tools.ietf.org/html/rfc8326 - BGP Graceful Shutdown 65535:0
* https://tools.ietf.org/html/rfc8092 - large communities. We implemented our standards a year or so before this went final. Using standard communities, you cannot really do per-ASN control on 4-byte ASNs.

Apr 28, 2020 18:35

Thanks, and yeah, I would strongly suggest Jinja templates, especially for Juniper. We are going to be using PTXs as our provider edge routers and we already deploy them with Ansible and Jinja templates. It's great.

Apr 29, 2020 15:20

ate poo poo on live tv posted:
    Anyone have any tips, or documentation, for building your own BGP community schema? Our BGP network is big enough to need such things now. I want to create a schema that is extensible enough to not need much tweaking in the future.

https://archive.nanog.org/meetings/nanog50/presentations/Sunday/NANOG50.Talk33.NANOG50-BGP-Techniques.pdf

At the very least, add a community to indicate where/how a prefix is learned. The majority of scoping can be enforced via those communities.

Apr 29, 2020 16:14

I'm a big fan of how NTT set up their communities: using private ASN space prefixes to create a set of communities that can be used to control policy toward specific peers by ASN, rather than remembering the specific provider's community for suppress/prepend to their individual peers. https://onestep.net/communities/as2914/ Also, don't forget to filter inbound communities at your border if you accept communities from transit/peers for use within your AS.

Apr 30, 2020 14:38

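As an added Junos example (not any poster's config) of how falz's info/action split and the inbound community filtering above fit together: AS 65000, the digit layout (5 + region + 2-digit PoP + learned-via, with 1 = transit, 3 = peering, 5 = customer, 7 = aggregate) and every community value and policy name are assumptions that follow the description, not a published standard.

```junos
## Added example. ASN 65000 and all community values are placeholders.
## Info communities: 5 digits, 5 <region> <pop><pop> <learned-via>.
## Action communities: 4 digits, carrying the same learned-via digit.
## Assumed learned-via digits: 1 transit, 3 peering, 5 customer, 7 aggregate.
set policy-options community OWN-ANY members "^65000:.*$"
set policy-options community ACTION-ANY members "^65000:[0-9][0-9][0-9][0-9]$"
set policy-options community INFO-CUST-ANY members "^65000:5[0-9][0-9][0-9]5$"
set policy-options community INFO-AGG-ANY members "^65000:5[0-9][0-9][0-9]7$"
## Learned from paid transit in region 1 at PoP 02.
set policy-options community INFO-TRANSIT-R1-P02 members 65000:51021
## Action "do not advertise to transit" (the 1 marks transit).
set policy-options community ACT-NO-TRANSIT members 65000:1001

## Import from a transit session: first delete anything in our own ASN that the
## neighbour sent (so nobody outside can trigger our actions), then tag origin
## and set the local-pref that matches the learned-via digit.
set policy-options policy-statement FROM-TRANSIT-R1-P02 term scrub then community delete OWN-ANY
set policy-options policy-statement FROM-TRANSIT-R1-P02 term scrub then next term
set policy-options policy-statement FROM-TRANSIT-R1-P02 term tag then community add INFO-TRANSIT-R1-P02
set policy-options policy-statement FROM-TRANSIT-R1-P02 term tag then local-preference 100
set policy-options policy-statement FROM-TRANSIT-R1-P02 term tag then accept

## Export to transit: honour the action community, announce only customer and
## aggregate routes, and strip the 4-digit action communities on the way out
## (the info communities stay, which is why the two lengths differ).
set policy-options policy-statement TO-TRANSIT term honour-no-transit from community ACT-NO-TRANSIT
set policy-options policy-statement TO-TRANSIT term honour-no-transit then reject
set policy-options policy-statement TO-TRANSIT term customers from community INFO-CUST-ANY
set policy-options policy-statement TO-TRANSIT term customers then community delete ACTION-ANY
set policy-options policy-statement TO-TRANSIT term customers then accept
set policy-options policy-statement TO-TRANSIT term aggregates from community INFO-AGG-ANY
set policy-options policy-statement TO-TRANSIT term aggregates then community delete ACTION-ANY
set policy-options policy-statement TO-TRANSIT term aggregates then accept
set policy-options policy-statement TO-TRANSIT term deny-rest then reject
```

The scrub term only removes communities in your own ASN; standard well-known values such as 65535:666 from RFC 7999 need their own explicit handling, since a peer could otherwise send them unasked.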
I just upgraded code on a bunch of 5515 ASAs to what is supposedly the last major revision. How bad are the 2110 series Firepower/Sourcefire/AMP/WhateverTheFuck now? When I last looked into them they seemed pretty universally reviled. We'll be doing replacements of these 5515s within the next year or two and are strongly considering Palo Altos as well.

May 20, 2020 18:42

BaseballPCHiker posted:
    I just upgraded code on a bunch of 5515 ASAs to what is supposedly the last major revision.

I'd avoid Firepower, not from my personal experience but from literally every person I've ever talked to. Fortinet/Palo Alto are the 2 big boys in the space. I haven't really used Palo, but Fortinets are nice, and if you have a large enough environment for their management/log collectors/other stuff it all works pretty well.

May 20, 2020 19:10

Not really a firewall guy, but we went from ASA to Fortinet and its web GUI is totally sane. It's from the Netscreen guys who sold to Juniper and eventually sorta became SRX. CLI is a bit garbagey but it's passable. Haven't extensively used PA but have lab demo'd and theirs is better than the others. Has legit commit like Junos. Costs way more than Forti.

May 20, 2020 23:43

BaseballPCHiker posted:
    I just upgraded code on a bunch of 5515 ASAs to what is supposedly the last major revision.

We had a couple of FTD code 2110s a few months ago spontaneously brick their failover configs in a way that TAC spent a week trying to fix before finally going "well, that's hosed, you're going to have to completely reimage both of them".

May 20, 2020 23:46

CLI for Fortinet is fine, it's arranged somewhat sanely (not at all like the ASA) but it's very poorly documented. Though they are supposedly getting better about it? I am mostly using ASAs now at my current job and very rarely touch them anyway past a deployment.

May 20, 2020 23:47

MF_James posted:
    CLI for Fortinet is fine, it's arranged somewhat sanely (not at all like the ASA) but it's very poorly documented. Though they are supposedly getting better about it? I am mostly using ASAs now at my current job and very rarely touch them anyway past a deployment.

The main issue I have with the CLI is everything is nested sorta like XML and it's annoying. It's doable but just very different. It's like they tried to do Junos and failed miserably. I also recently discovered they have a commit-like option, but the rollback reboots the device. Lol

May 21, 2020 01:42

Yeah, the CLI is a bit strange, simple stuff like ping being "execute ping" instead for some reason. I'm sure I'd be a lot more proficient with a one-pager on how to navigate around it, but I use it so rarely that each time I go in I spend half my time getting back to where I was. Having said that, shoving everything into a flat structure like IOS works fine for routing, but by the time you have actual firewall stuff to deal with it turns into unreadable garbage.

May 21, 2020 13:17

Just chiming in to say for the price I've not come across anything better than a FortiGate, and if it can't do what Palo does, go spend more for Palo. Disregard every other option unless you literally want iptables or Cisco ASA hell.

May 21, 2020 13:56

I'm currently in the process of setting up a new HA pair of PA-3220s, going to be migrating from some Huawei NGFWs. I've used Cisco ASAs as well, and the PA is so much easier to work with compared to both of them. The documentation is incredibly well written, has a bunch of examples and it's easily googleable when working out the quirks. Most of the basics carry across between all the firewalls, but there's always some stuff they do differently, like no VRRP on the PAs. I fuckin hate having to do anything on the ASAs, CLI and ASDM both loving suck, and our ASA pair is in a cluster because they bought a gig internet and our model only has 650 Mbit throughput. Not done much on the PA CLI yet though so can't say how good it is. Expensive as poo poo though, cost us like £24k each for 3 years of licensing. The Huaweis were like £3k.

May 21, 2020 14:05

I've got 2 Nexus 3172s in a vPC domain and a bunch of VLANs on both in HSRP groups. Everything appears to function correctly, but both devices spam syslog with the following messages:

May 25, 2020 01:37

Not sure if this is appropriate for a short question, but any recommendations or models on whether some used Ciscos are decent for some basic learning stuff/personal project hosting? Right now I'm using a Supermicro whitebox running BIRD with two dual SFP+ cards installed for routing. I currently have 2 (soon 3) full-table transit BGP sessions, and this one would be directly connected to 4 internet exchanges. At least a handful of 10G ports are preferred.

May 26, 2020 06:26

Biowarfare posted:
    Not sure if this is appropriate for a short question, but any recommendations or models on whether some used Ciscos are decent for some basic learning stuff/personal project hosting? Right now I'm using a Supermicro whitebox running BIRD with two dual SFP+ cards installed for routing. I currently have 2 (soon 3) full-table transit BGP sessions, and this one would be directly connected to 4 internet exchanges. At least a handful of 10G ports are preferred.

Get set up with GNS3. You'll be able to test a million more situations than you ever could with just one metal box sitting somewhere. GNS3 is a tool that runs real IOS/EOS/Juniper/whatever images in VMs for you. You can even hook up real devices like your Supermicro to your GNS3 network if you're feeling spicy and want to connect to the real internet for some reason.

May 26, 2020 07:03

Methanar posted:
    Get set up with GNS3. You'll be able to test a million more situations than you ever could with just one metal box sitting somewhere.

This is intended for actual deployment; I'm running about 20-30 Gbps of ""production"" traffic right now. I'm just kind of wondering if any outdated eBay-tier Cisco gear is worth getting, or if they all have problems dealing with full tables memory-wise or something at that level of end-of-life oldness. Or I have no idea how much real Cisco kit costs.

May 26, 2020 07:35

Biowarfare posted:
    This is intended for actual deployment; I'm running about 20-30 Gbps of ""production"" traffic right now. I'm just kind of wondering if any outdated eBay-tier Cisco gear is worth getting, or if they all have problems dealing with full tables memory-wise or something at that level of end-of-life oldness. Or I have no idea how much real Cisco kit costs.

At my last job I bought like 8 Arista 7050SXs off eBay used with a 100% success rate for literally 10% of the price that Arista themselves would sell them to you. 10/10 would buy again. Has a good API and Cisco-style CLI. Minimal bullshit with off-brand SFPs. 48 10 Gbps ports with 4 40G QSFP: https://www.ebay.ca/itm/Arista-DCS-...oYAAOSwnWBdUdGI

I didn't run the 7050s with full-table BGP, so you might need to check if they'll work for you, but I did run 5x full-table BGP off of Arista 7280SRs, which are also dirt cheap on eBay for what they are. https://www.ebay.ca/itm/Arista-DCS-7280SE-64-F-48x10GbE-SFP-4x40GbE-QSFP-F-to-R-Airflow/323584542483

May 26, 2020 07:46

You linked a 7280SE, which I don't think can do full tables. The SR is like 8x the cost.

May 26, 2020 13:07

He seems to be asking for Cisco devices however. I live in Juniper land now so I'm out of date with Cisco, but the Venn diagram of full routes + 30 Gbps on Cisco across multiple devices is probably spendy. You can do full routes on some older crusty ISR stuff still for dirt cheap though, but probably only 1 Gbps or so. Are you specifically looking for Cisco? If not, get a Cisco box, a Juniper, and some other IOS clone like Arista or God forbid Brocade/Foundry.

May 26, 2020 13:16

I'm OK with any brand, not a fan of Mikrotik. One of my upstreams in the Netherlands uses exclusively Huawei stuff, which is somewhat interesting and not something I've seen to be common. I mostly just want to "move up a tier" from running Linux with software routing and python-generated bird2 configs. Emailing the IXP mailing list every time I need to update the kernel and reboot becomes tedious. Have heard a cheap option to be flashing a Quanta LB6M to some Brocade firmware, but that seems like hell in itself. I would like at least something that can do NetFlow or equivalent, and BGP FlowSpec.

May 26, 2020 19:34

Would you care to pass along any major trouble you had with Mikrotik in this sort of application? I've been unclear on high-throughput performance on their x86/CHR platforms.

May 27, 2020 04:35