|
It's monitoring isn't it, not management? You get to see the switch port status, they take part in the topology views and you can see usage, but config and software updates are done manually or through that DNA thing.
|
# ? Jun 15, 2022 09:37 |
|
Thanks Ants posted:It's monitoring isn't it, not management? You get to see the switch port status, they take part in the topology views and you can see usage, but config and software updates is done manually or through that DNA thing. It's both monitoring and management. From my understanding adding a Catalyst switch for just monitoring is free but I haven't seen anything that confirms pricing for management; assuming it uses a typical Meraki licensing per device. Trying to get the people who just let the required DNA licensing lapse? Although I do agree it makes me wonder why you'd ever order a Meraki product over a Catalyst 9200 in the future (assuming both were readily available).
|
# ? Jun 15, 2022 13:38 |
|
Probably has a fine print clause saying they'll brick the catalyst switch if you stop paying for the Meraki cloud.
|
# ? Jun 15, 2022 13:45 |
|
I think it's been confused because Cisco are using Catalyst as the name for their APs now. The announcement on the feature only mentions monitoring of switches, but management of wireless https://blogs.cisco.com/news/smarter-simpler-experiences-with-cisco-networking?oid=pstswt029404 I'd assume this will change at some point
|
# ? Jun 15, 2022 18:03 |
|
I’ll go hassle the Meraki folks today to see what’s what.
|
# ? Jun 15, 2022 18:08 |
|
It's cool how you can turn a Catalyst AP into a Meraki one, but you can't turn a Meraki Go AP (which are in stock) into an MR20 (which are out of stock).
|
# ? Jun 15, 2022 18:09 |
|
We've had major issues with their MS390 switches so they're sending us MS355's to see if they work better at no cost. Fuckin better.
|
# ? Jun 15, 2022 18:10 |
|
Thanks Ants posted:I think it's been confused because Cisco are using Catalyst as the name for their APs now. The announcement on the feature only mentions monitoring of switches, but management of wireless Think the confusion is you can start monitoring your Catalyst switches today, but the configuration option isn't available yet (just being demo'd at Cisco Live). The Meraki youtube channel uploaded a few videos about it yesterday and in this one https://www.youtube.com/watch?v=v21OIRYH200 they specifically show a C9300-converted being configured using the Meraki dashboard.
|
# ? Jun 15, 2022 18:20 |
|
My sales guy at Cisco Live got two prostitutes and it was $500. Didn’t get any for the rest of us. I’m finding a new sales guy.
|
# ? Jun 16, 2022 02:22 |
|
Thanks Ants posted:I think it's been confused because Cisco are using Catalyst as the name for their APs now. The announcement on the feature only mentions monitoring of switches, but management of wireless All campus networking is Catalyst now: 9100 for APs, 9800 for WLCs, 9200-9600 for switching and 8000 (not Cisco 8000) for routing. But no, you can manage the switches too. First it'll be the 9300, then 9200 and 9500 should get support. Cyks posted:It's both monitoring and management. unknown posted:Probably has a fine print clause saying they'll brick the catalyst switch if you stop paying for the Meraki cloud. You can convert back to CLI/DNAC-managed. Leandros fucked around with this message at 01:54 on Jun 17, 2022 |
# ? Jun 17, 2022 01:32 |
|
Why is the lead time on the MX75 so much longer than the other boxes? Is it just popular because it hits a nice price/performance bracket?
|
# ? Jun 17, 2022 01:38 |
|
Thanks Ants posted:Why is the lead time on the MX75 so much longer than the other boxes? Is it just popular because it hits a nice price/performance bracket? Firepower 1010 is under half a year
|
# ? Jun 17, 2022 01:51 |
|
bad boys for life posted:It's a good cert to have for entry level, and whether you get it or not, it's worth studying for as you'll learn good foundational knowledge. To Bob Morales' point, getting cloud certs is more valuable, but personally I would go for the legacy network cert in the CCNA (NP if you're going to go into a SP/MSO/MSP) and cloud certs if I was just starting again. Bob Morales posted:CCNA doesn't hurt, but companies are moving towards more CLOUD EVERYTHING. Companies will still have a LAN of some sort but as people start moving to WFH, servers move to the cloud, networks will get less and less complicated on the LAN side. I’m looking to finish my CCNA classes and test for the CCNA cert in May 2023.. I know nothing of the cloud. I mean nothing. My school has no classes or anything to learn about cloud computing and all that jazz. I’m guessing my 2 year A.A.S in Networking and a CCNA and A+ Net+ and Sec+ certs is going to be less valuable since… no cloud? Where should I start to get myself trained/certified?
|
# ? Aug 14, 2022 06:23 |
|
LtCol J. Krusinski posted:I’m looking to finish my CCNA classes and test for the CCNA cert in May 2023.. I know nothing of the cloud. I mean nothing. My school has no classes or anything to learn about cloud computing and all that jazz. I’m guessing my 2 year A.A.S in Networking and a CCNA and A+ Net+ and Sec+ certs is going to be less valuable since… no cloud? It's late so not going to effortpost but it's probably not as bad as you think. Pretty much everything you've learned layer 3 on up is directly relevant to working in the cloud. If you end up supporting a hybrid environment that has data centers connected to the cloud, all of it is relevant. Pick one of AWS or Azure and go down their entry level sysadmin/devops cert path and you'll be fine. Sounds like it will mostly be learning new names for concepts you already understand, like security groups.
|
# ? Aug 14, 2022 06:38 |
|
Docjowles posted:It's late so not going to effortpost but it's probably not as bad as you think. Pretty much everything you've learned layer 3 on up is directly relevant to working in the cloud. If you end up supporting a hybrid environment that has data centers connected to the cloud, all of it is relevant. Thank you, I appreciate this feedback.
|
# ? Aug 14, 2022 09:05 |
|
LtCol J. Krusinski posted:I’m looking to finish my CCNA classes and test for the CCNA cert in May 2023.. I know nothing of the cloud. I mean nothing. My school has no classes or anything to learn about cloud computing and all that jazz. I’m guessing my 2 year A.A.S in Networking and a CCNA and A+ Net+ and Sec+ certs is going to be less valuable since… no cloud? has your class taught you anything about config management/ansible? Set yourself up with GNS3 and build a real network and manage everything with ansible.
|
# ? Aug 14, 2022 19:08 |
|
I'm looking for software to manage a bunch of Cisco IOS switches, what are the most supported ones out there? Is Netmiko still popular? It can be paid or free.
|
# ? Oct 19, 2022 15:29 |
|
When you say manage, are you talking config pushes and backups? Or like a GUI to make changes? What exactly are you looking for? Ansible seems to be the go to these days, or was at least last I looked into it.
|
# ? Oct 19, 2022 15:32 |
|
BaseballPCHiker posted:When you say manage, are you talking config pushes and backups? Or like a GUI to make changes? What exactly are you looking for? Ansible is good for desired-state config stuff but it isn't a network config mgmt solution. One of my colleagues tried to make it into an NCM backed by Git and with just ~100 devices the daily "NCM Backup" job took several hours to run.
|
# ? Oct 19, 2022 15:40 |
|
By manage I mean backup/restore configs and rolling out updates.
|
# ? Oct 19, 2022 15:51 |
|
For rolling out updates yep Ansible is good, we've done whole site TACACS cutover and image upgrades in one night via Ansible it rules. However it is not meant for config backup/restore or versioning.
|
# ? Oct 19, 2022 15:57 |
|
I spent a couple mins looking at cisco for Ansible and it will do perfectly, thanks! We can manage the config back ups with Netmiko.
|
# ? Oct 19, 2022 15:59 |
|
If you're managing the configs with Ansible then in theory there's no need to back that config up, as what's running on the switch will always match what you deployed
|
# ? Oct 19, 2022 16:15 |
|
If you want something with a web UI then you can try https://www.enms.io/ It's basically a front end for established tools like Netmiko, Napalm, CiscoConfParse. I don't remember if Ansible is on there. I deployed it a couple of jobs ago and it works well enough. You write your own scripts then can just run those, or string them into jobs that do multiple things. It can backup to Git (I used an internal Gitlab instance). I also used it for compliance stuff, like finding switchports that had 802.1x manually disabled, for example, and then emailing the results so someone can investigate. It was easier to sell there because I could write the python scripts and people didn't have to understand them, they just needed to know where to run them in the UI.
|
# ? Oct 19, 2022 16:25 |
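The 802.1x compliance check described in the post above, as an added example that is not part of the original post or of eNMS: a small Python script that parses the text of `show running-config` into interface stanzas and flags access ports where port-control is missing or set to `force-authorized`. It needs no device access, so it runs against whatever capture your backup tool already produces. The sample config, the interface names, and the definition of "disabled" (anything other than `authentication port-control auto` or the IBNS 2.0 form `access-session port-control auto`) are assumptions for illustration.

```python
"""Flag access ports with 802.1X disabled in a Cisco IOS running-config.

Added example (not eNMS code). Pure parsing, no device access: feed it the
text of 'show running-config' captured by whatever tool you already use.
"""
import re
from dataclasses import dataclass, field

# Constructed sample config for illustration; not from a real switch.
SAMPLE_CONFIG = """\
!
hostname access-sw-01
!
interface GigabitEthernet1/0/1
 description user port
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 description printer - dot1x turned off by helpdesk
 switchport mode access
 switchport access vlan 10
 authentication port-control force-authorized
!
interface GigabitEthernet1/0/3
 description vendor kiosk
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/4
 switchport mode access
 shutdown
!
interface GigabitEthernet1/0/24
 description uplink
 switchport mode trunk
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
!
end
"""

# Both the classic and the IBNS 2.0 (access-session) form of the command.
PORT_CONTROL = re.compile(r"^(?:authentication|access-session) port-control (\S+)")


@dataclass
class Interface:
    name: str
    lines: list = field(default_factory=list)  # sub-commands, whitespace stripped


def parse_interfaces(config: str) -> list:
    """Group the indented sub-commands under each 'interface X' stanza.

    IOS indents sub-commands with one space; any unindented line ('!' or
    the next top-level command) closes the current stanza.
    """
    interfaces, current = [], None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = Interface(name=raw.split(None, 1)[1].strip())
            interfaces.append(current)
        elif raw.startswith(" ") and current is not None:
            current.lines.append(raw.strip())
        else:
            current = None
    return interfaces


def port_control(intf: Interface) -> str:
    """'auto', 'force-authorized', 'force-unauthorized', or 'absent'."""
    for line in intf.lines:
        m = PORT_CONTROL.match(line)
        if m:
            return m.group(1)
    return "absent"


def find_noncompliant(config: str) -> list:
    """Return (interface, state) for live access ports not in 'auto'.

    Trunks and admin-down ports are skipped: the former should not run
    dot1x, the latter pass no traffic until someone brings them up.
    """
    findings = []
    for intf in parse_interfaces(config):
        if "switchport mode access" not in intf.lines or "shutdown" in intf.lines:
            continue
        state = port_control(intf)
        if state != "auto":
            findings.append((intf.name, state))
    return findings


if __name__ == "__main__":
    for name, state in find_noncompliant(SAMPLE_CONFIG):
        print(f"{name}: port-control {state}")
```

On the sample it reports Gi1/0/2 (force-authorized) and Gi1/0/3 (no port-control line at all); the trunk, the shut port and the SVI are ignored. Wiring the output into an email or ticket, as the post describes, is left to the scheduler you run it from.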
|
I haven't managed network equipment in a few years but RANCID was always the gold standard config backup/diffing tool. It feels like nagios in that it's old and crusty as poo poo and nobody actually likes it, but it works so people just keep using it. Maybe there's a replacement these days that isn't written in vintage 1995 Perl.
|
# ? Oct 19, 2022 16:26 |
|
These days most vendors have been focussing in on their own NCM solutions which use proprietary protocols (e.g. FortiManager for Fortinet stuff). Of course they all still have standard SSH interfaces and documented config schemas so the standard open-source framework for that is the Python-based NAPALM (as mentioned by uhhhhahhhhohahhh): https://github.com/napalm-automation/napalm. Probably worth mentioning that there's a somewhat hard dependency on SSH when it comes to both NAPALM and the Ansible modules for IOS. As I understand they rely heavily on Paramiko for abstracting the SSH side of things and when you make them do Telnet they just fall back to raw sockets. It still works however you need to accommodate it, to the point of splitting up config sequences because if there's too many lines it just shits the bed.
|
# ? Oct 19, 2022 17:16 |
|
Thanks for the info! Quite a few switches here have telnet only on them, they're old as gently caress, so thanks for the heads up on that limitation. Shouldn't be a big deal but I'm glad to know about it beforehand.
|
# ? Oct 19, 2022 18:29 |
|
bobmarleysghost posted:Thanks for the info! Looking back at the Ansible playbooks I wrote I created separate roles for Telnet-only devices which just used the generic telnet module to send commands instead of the proper ios_* modules. Also for things like AAA I had to add handling for versions pre-and-post 15.2 because of some poo poo that escapes me (This was using Ansible 2.9 modules, probably fixed in the newer collections).
|
# ? Oct 19, 2022 18:41 |
|
You should probably monitor their traffic levels and interface errors too? Observium/LibreNMS (a more open fork) is a good starting place for that. Those systems can also be used as a 'base', to know what's online, then generate config files out of devices in there, like for RANCID, etc to use. We do this with Observium and it works well. Basically add a device there or it's discovered via ospf/bgp/lldp/etc and you'll automatically get a RANCID config file update and it will automatically back it up, for example. But indeed, this doesn't handle pushing configs to them. If they're so bloody old they don't support SSH in IOS, it may be doubtful if NAPALM's IOS driver will even work with them, that requires at least 12.2 or 12.3 or something, and more importantly requires the 'archive' command which was added iirc around 12.4 or something.
|
# ? Oct 19, 2022 21:14 |
|
Pile Of Garbage posted:Looking back at the Ansible playbooks I wrote I created separate roles for Telnet-only devices which just used the generic telnet module to send commands instead of the proper ios_* modules. Also for things like AAA I had to add handling for versions pre-and-post 15.2 because of some poo poo that escapes me (This was using Ansible 2.9 modules, probably fixed in the newer collections). Good point, I'll make sure to separate them. We have around 10 or so 12.[012]'s that i'll have to deal with. There's a version cut off at 12.1 I think (I need to check) that supports SSH. The rest are 15.something falz posted:You should probably monitor their traffic levels and interface errors too? Observium/LibreNMS (a more open fork) for that a good starting place. Thsoe systems can also be used as a 'base', to know what's online, then generate config files out of devices in there, like for RANCID, etc to use. Yea I've set up Observium here, I add all networking as it comes along but sometimes my boss gets a switch installed without mentioning it. I'll check out the RANCID integration, sounds useful. We just got a shipment of new switches to replace the oldest and older ones, I'd be glad to have them gone finally. bobmarleysghost fucked around with this message at 21:33 on Oct 19, 2022 |
# ? Oct 19, 2022 21:28 |
|
bobmarleysghost posted:Good point, I'll make sure to separate them. We have around 10 or so 12.[012]'s that i'll have to deal with. There's a version cut off at 12.1 I think (I need to check) that supports SSH. Just remembered: the telnet module, or perhaps just the protocol in general, is super flaky. This is made worse by the fact that you're just executing raw config commands via the module as opposed to using native ios_* modules which are aware of current device state and can validate desired state. Worse still because you can't use ios_* modules you cannot gather facts so determining current state is a PITA. This means you'll need to add manual validation tasks to your playbook roles and in some instances separate the config you're applying into separate telnet module invocations. Here are some examples, pulled from playbooks I created a couple years ago to do mass device management cutover for an MSP switchover. First one is applying general config related to SNMP and line vty which demonstrates deliberately splitting up the config blocks across telnet module invocations to avoid crapping out and checking for SNMPv3 support: code:
code:
Pile Of Garbage fucked around with this message at 16:50 on Oct 21, 2022 |
# ? Oct 21, 2022 16:39 |
|
Oxidized works well for backups, it can push to a Git repo. CiscoConfParse is pretty good for making changes, though the syntax is sometimes a bit to work around to make changes until you grok how it parsed, where it doesn’t indent etc. Just have a sandbox, but it’s great for taking a config and creating a new one to replace.
|
# ? Oct 21, 2022 23:29 |
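The backup-and-diff step that RANCID and Oxidized do, as an added example that is not part of the original post or of either tool: two constructed `show running-config` snapshots are normalized (lines that change on every capture are dropped, so any diff output means real drift), diffed with the standard-library `difflib`, and the result screened for the kinds of line you would want paged on rather than quietly committed, such as a new local user or Telnet re-enabled on the VTY lines. This is also the practical caveat to "if Ansible pushes it you don't need to back it up" earlier in the thread: the diff is what catches a change someone made on the console outside the automation. The volatile-line patterns, the sensitive-line patterns and both snapshots are assumptions for illustration.

```python
"""Diff two IOS config snapshots the way a backup tool does.

Added example (not RANCID/Oxidized code). Runs offline: both snapshots are
constructed strings standing in for captured 'show running-config' output.
"""
import difflib
import re

# Lines that change on every capture. Assumed list for illustration; real
# tools carry a longer per-platform set.
VOLATILE = [
    re.compile(r"^Building configuration"),
    re.compile(r"^Current configuration : \d+ bytes"),
    re.compile(r"^! Last configuration change at"),
    re.compile(r"^! NVRAM config last updated at"),
    re.compile(r"^ntp clock-period "),
]

# Added/removed lines worth an alert rather than a quiet commit. Assumed set.
SENSITIVE = re.compile(
    r"^[+-]\s*(username |enable secret|aaa |snmp-server community|"
    r"line vty|transport input |ip access-list|crypto )"
)

# Constructed snapshots; the hashes are placeholders, not real secrets.
OLD_SNAPSHOT = """\
Building configuration...

Current configuration : 1842 bytes
!
! Last configuration change at 09:12:01 UTC Mon Oct 17 2022
!
hostname access-sw-01
!
username admin privilege 15 secret 9 $9$placeholder-hash-1
!
ntp clock-period 17179869
!
line vty 0 4
 transport input ssh
!
end
"""

NEW_SNAPSHOT = """\
Building configuration...

Current configuration : 1901 bytes
!
! Last configuration change at 22:41:17 UTC Tue Oct 18 2022
!
hostname access-sw-01
!
username admin privilege 15 secret 9 $9$placeholder-hash-1
username helpdesk privilege 15 secret 9 $9$placeholder-hash-2
!
ntp clock-period 17179870
!
line vty 0 4
 transport input ssh telnet
!
end
"""


def normalize(config: str) -> list:
    """Drop blank and volatile lines so two equal configs diff to nothing."""
    return [
        line.rstrip()
        for line in config.splitlines()
        if line.strip() and not any(p.match(line) for p in VOLATILE)
    ]


def config_diff(old: str, new: str) -> list:
    """Unified-diff body ('-' and '+' lines only) between two snapshots.

    An empty list means no drift. n=0 keeps only the changed lines; the
    two file headers and the @@ hunk markers are stripped.
    """
    lines = list(difflib.unified_diff(normalize(old), normalize(new), lineterm="", n=0))
    return [l for l in lines[2:] if not l.startswith("@@")]


def has_drift(old: str, new: str) -> bool:
    return bool(config_diff(old, new))


def sensitive_changes(diff_lines: list) -> list:
    """Subset of diff lines that touch local auth, AAA, management access or ACLs."""
    return [l for l in diff_lines if SENSITIVE.match(l)]


if __name__ == "__main__":
    changes = config_diff(OLD_SNAPSHOT, NEW_SNAPSHOT)
    print("\n".join(changes))
    print("alert:", bool(sensitive_changes(changes)))
```

On the two samples the only surviving differences are the added `helpdesk` user and `transport input ssh` becoming `transport input ssh telnet`; the changed byte count, timestamp and `ntp clock-period` are filtered out, which is exactly why a backup tool needs such a list before it commits to Git.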
|
This is going to be of great help, thanks for that! I'll take a closer look at it on Monday, but from a quick glance it'll make it a breeze to set up the playbooks. Partycat posted:Oxidized works well for backups, it can push to a Git repo. Same goes for this. It'll be a busy Monday. A separate question regarding best practices - does it make sense to have one playbook for the main, non-port, config that gets applied to all switches in a group, and then have a separate one for configuring the access ports on a port by port or range basis? Then use another tool for config back ups. We make many individual port changes for various reasons, so I'm thinking about how to best deploy configs.
|
# ? Oct 22, 2022 16:10 |
|
On a switch I usually go sh int status for all port statuses Is there a command where I only get shown "connected" as a status?
|
# ? Oct 24, 2022 18:53 |
|
show int status | i connected
|
# ? Oct 24, 2022 18:55 |
|
Filthy Lucre posted:show int status | i connected The man! Short questions come through again.
|
# ? Oct 24, 2022 18:57 |
|
Does anyone have a preferred vendor for Cisco licensing? I'm thinking of getting away from Unifi for my home network and the Firepower 1120 seems like a good option, but I need to get a better idea of TCO.
|
# ? Nov 21, 2022 16:27 |

As someone running an ASA with some kind of firepower module at home I could not recommend it any less. I got it for free years ago and I still hate it. If you’re going to buy something like that just get a Fortigate.

# ? Nov 21, 2022 16:48 |
|
i am a moron posted:As someone running an ASA with some kind of firepower module at home I could not recommend it any less. I got it for free years ago and I still hate it. If you’re going to buy something like that just get a Fortigate. Could you give some detail on your experience with it? I've never worked with Firepower, only the older ASAs, so I don't really know what to expect.
|
# ? Nov 21, 2022 16:53 |
|
Most Cisco stuff relating to firewalls is fairly poo poo, and people put up with it at work. You don't deserve to voluntarily inflict it on your home life.
|
# ? Nov 21, 2022 18:06 |