Thanks Ants
May 21, 2004

#essereFerrari


It's monitoring isn't it, not management? You get to see the switch port status, they take part in the topology views and you can see usage, but config and software updates is done manually or through that DNA thing.


Cyks
Mar 17, 2008

The trenches of IT can scar a muppet for life

Thanks Ants posted:

It's monitoring isn't it, not management? You get to see the switch port status, they take part in the topology views and you can see usage, but config and software updates is done manually or through that DNA thing.

It's both monitoring and management.

From my understanding adding a catalyst switch for just monitoring is free but I haven't seen anything that confirms pricing for management; assuming it uses a typical Meraki licensing per device.

Trying to get the people who just let the required DNA licensing lapsed? Although I do agree it makes me wonder why you'd ever order a Meraki product over a catalyst 9200 in the future (assuming both were readily available).

unknown
Nov 16, 2002
Ain't got no stinking title yet!


Probably has a fine print clause saying they'll brick the catalyst switch if you stop paying for the Meraki cloud.

Thanks Ants
May 21, 2004

#essereFerrari


I think it's been confused because Cisco are using Catalyst as the name for their APs now. The announcement on the feature only mentions monitoring of switches, but management of wireless

https://blogs.cisco.com/news/smarter-simpler-experiences-with-cisco-networking?oid=pstswt029404

I'd assume this will change at some point

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

I’ll go hassle the Meraki folks today to see what’s what.

Thanks Ants
May 21, 2004

#essereFerrari


It's cool how you can turn a Catalyst AP into a Meraki one, but you can't turn a Meraki Go AP (which are in stock) into an MR20 (which are out of stock).

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

We've had major issues with their MS390 switches so they're sending us MS355's to see if they work better at no cost. Fuckin better.

Cyks
Mar 17, 2008

The trenches of IT can scar a muppet for life

Thanks Ants posted:

I think it's been confused because Cisco are using Catalyst as the name for their APs now. The announcement on the feature only mentions monitoring of switches, but management of wireless

https://blogs.cisco.com/news/smarter-simpler-experiences-with-cisco-networking?oid=pstswt029404

I'd assume this will change at some point

Think the confusion is you can start monitoring your Catalyst switches today, but the configuration option isn't available yet (just being demo'd at Cisco Live).

The Meraki youtube channel uploaded a few videos about it yesterday and in this one https://www.youtube.com/watch?v=v21OIRYH200 they specifically show a C9300-converted being configured using the Meraki dashboard.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

My sales guy at Cisco Live got two prostitutes and it was $500. Didn’t get any for the rest of us. I’m finding a new sales guy.

Leandros
Dec 14, 2008

Thanks Ants posted:

I think it's been confused because Cisco are using Catalyst as the name for their APs now. The announcement on the feature only mentions monitoring of switches, but management of wireless

https://blogs.cisco.com/news/smarter-simpler-experiences-with-cisco-networking?oid=pstswt029404

I'd assume this will change at some point

All campus networking is Catalyst now: 9100 for APs, 9800 for WLCs, 9200-9600 for switching and 8000 (not Cisco 8000) for routing. But no, you can manage the switches too. First it'll be the 9300, then 9200 and 9500 should get support.

Cyks posted:

It's both monitoring and management.

From my understanding adding a catalyst switch for just monitoring is free but I haven't seen anything that confirms pricing for management; assuming it uses a typical Meraki licensing per device.

Trying to get the people who just let the required DNA licensing lapsed? Although I do agree it makes me wonder why you'd ever order a Meraki product over a catalyst 9200 in the future (assuming both were readily available).

It'll move to Meraki eventually, but it'll be free to try out for about a year. If you have DNA and SNTC you can get free Meraki licenses. Also the 9200 backlog should be mostly fulfilled by end of October.

unknown posted:

Probably has a fine print clause saying they'll brick the catalyst switch if you stop paying for the Meraki cloud.

You can convert back to CLI/DNAC-managed.

Leandros fucked around with this message at 01:54 on Jun 17, 2022

Thanks Ants
May 21, 2004

#essereFerrari


Why is the lead time on the MX75 so much longer than the other boxes? Is it just popular because it hits a nice price/performance bracket?

Leandros
Dec 14, 2008

Thanks Ants posted:

Why is the lead time on the MX75 so much longer than the other boxes? Is it just popular because it hits a nice price/performance bracket?

Firepower 1010 is under half a year :whitewater:

LtCol J. Krusinski
May 7, 2013

bad boys for life posted:

It's a good cert to have for entry level, and whether you get it or not, it's worth studying for as you'll learn good foundational knowledge. To Bob Morales' point, getting cloud certs is more valuable, but personally I would go for the legacy network cert in the CCNA (NP if you're going to go into a SP/MSO/MSP) and cloud certs if I was just starting again.

Bob Morales posted:

CCNA doesn't hurt, but companies are moving towards more CLOUD EVERYTHING. Companies will still have a LAN of some sort but as people start moving to WFH, servers move to the cloud, networks will get less and less complicated on the LAN side.

If you know what kind of equipment you'll be working with, get certified in that (Fortinet NSE or Meraki ECMS or whatever, for example)

I’m looking to finish my CCNA classes and test for the CCNA cert in May 2023.. I know nothing of the cloud. I mean nothing. My school has no classes or anything to learn about cloud computing and all that jazz. I’m guessing my 2 year A.A.S in Networking and a CCNA and A+ Net+ and Sec+ certs is going to be less valuable since… no cloud?

Where should I start to get myself trained/certified?

Docjowles
Apr 9, 2009

LtCol J. Krusinski posted:

I’m looking to finish my CCNA classes and test for the CCNA cert in May 2023.. I know nothing of the cloud. I mean nothing. My school has no classes or anything to learn about cloud computing and all that jazz. I’m guessing my 2 year A.A.S in Networking and a CCNA and A+ Net+ and Sec+ certs is going to be less valuable since… no cloud?

Where should I start to get myself trained/certified?

It's late so not going to effortpost but it's probably not as bad as you think. Pretty much everything you've learned layer 3 on up is directly relevant to working in the cloud. If you end up supporting a hybrid environment that has data centers connected to the cloud, all of it is relevant.

Pick one of AWS or Azure and go down their entry level sysadmin/devops cert path and you'll be fine. Sounds like it will mostly be learning new names for concepts you already understand, like security groups.

LtCol J. Krusinski
May 7, 2013

Docjowles posted:

It's late so not going to effortpost but it's probably not as bad as you think. Pretty much everything you've learned layer 3 on up is directly relevant to working in the cloud. If you end up supporting a hybrid environment that has data centers connected to the cloud, all of it is relevant.

Pick one of AWS or Azure and go down their entry level sysadmin/devops cert path and you'll be fine. Sounds like it will mostly be learning new names for concepts you already understand, like security groups.

Thank you, I appreciate this feedback.

Methanar
Sep 26, 2013

by the sex ghost

LtCol J. Krusinski posted:

I’m looking to finish my CCNA classes and test for the CCNA cert in May 2023.. I know nothing of the cloud. I mean nothing. My school has no classes or anything to learn about cloud computing and all that jazz. I’m guessing my 2 year A.A.S in Networking and a CCNA and A+ Net+ and Sec+ certs is going to be less valuable since… no cloud?

Where should I start to get myself trained/certified?

has your class taught you anything about config management/ansible?

Set yourself up with GNS3 and build a real network and manage everything with ansible.

bobmarleysghost
Mar 7, 2006



I'm looking for software to manage a bunch of cisco ios switches, what are the most supported ones out there?
Is Netmiko still popular? It can be paid or free.

BaseballPCHiker
Jan 16, 2006

When you say manage, are you talking config pushes and backups? Or like a GUI to make changes? What exactly are you looking for?

Ansible seems to be the go to these days, or was at least last I looked into it.

Pile Of Garbage
May 28, 2007



BaseballPCHiker posted:

When you say manage, are you talking config pushes and backups? Or like a GUI to make changes? What exactly are you looking for?

Ansible seems to be the go to these days, or was at least last I looked into it.

Ansible is good for desired-state config stuff but it isn't a network config mgmt solution. One of my colleagues tried to make it into an NCM backed by Git and with just ~100 devices the daily "NCM Backup" job took several hours to run.

bobmarleysghost
Mar 7, 2006



By manage I mean backup/restore configs and rolling out updates.

Pile Of Garbage
May 28, 2007



For rolling out updates yep Ansible is good, we've done whole site TACACS cutover and image upgrades in one night via Ansible it rules. However it is not meant for config backup/restore or versioning.

bobmarleysghost
Mar 7, 2006



I spent a couple mins looking at cisco for Ansible and it will do perfectly, thanks!
We can manage the config back ups with Netmiko.

Thanks Ants
May 21, 2004

#essereFerrari


If you're managing the configs with Ansible then in theory there's no need to back that config up, as what's running on the switch will always match what you deployed

uhhhhahhhhohahhh
Oct 9, 2012
If you want something with a web UI then you can try https://www.enms.io/

It's basically a front end for established tools like Netmiko, Napalm, CiscoConfParse. I don't remember if Ansible is on there. I deployed it a couple of jobs ago and it works well enough. You write your own scripts then can just run those, or string them into jobs that do multiple things.

It can backup to Git (I used an internal Gitlab instance). I also used it for compliance stuff, like finding switchports that had 802.1x manually disabled, for example, and then emailing the results so someone can investigate. It was easier to sell there because I could write the python scripts and people didn't have to understand them, they just needed to know where to run them in the UI.
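
The kind of compliance check mentioned in the post above (finding access ports where 802.1X is not being enforced), as an added example that is not the poster's script and does not use eNMS or CiscoConfParse. The sample running-config is constructed, and the function names are hypothetical.

```python
import re

# Matches legacy, IBNS 1.0 and IBNS 2.0 forms of the port-control command.
PORT_CONTROL = re.compile(
    r"^(?:authentication|dot1x|access-session) port-control (\S+)$"
)

# Constructed sample of an IOS running-config (not from a real device).
SAMPLE_CONFIG = """\
hostname access-sw-07
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport mode access
 authentication port-control force-authorized
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/4
 switchport mode access
 shutdown
!
interface GigabitEthernet1/0/48
 switchport mode trunk
!
line vty 0 15
 transport input ssh
"""


def interface_blocks(config_text):
    """Yield (interface_name, [sub-commands]) for every interface stanza."""
    name, body = None, []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            if name:
                yield name, body
            name, body = line.split(None, 1)[1], []
        elif name and line.startswith(" "):
            body.append(line.strip())
        elif name:
            # Any non-indented line ("!" or a new top-level command) ends the stanza.
            yield name, body
            name, body = None, []
    if name:
        yield name, body


def audit_dot1x(config_text):
    """Return [(interface, reason)] for active access ports not enforcing 802.1X."""
    findings = []
    for name, body in interface_blocks(config_text):
        # Only administratively-up access ports are in scope.
        if "switchport mode access" not in body or "shutdown" in body:
            continue
        modes = [m.group(1) for m in map(PORT_CONTROL.match, body) if m]
        if not modes:
            findings.append((name, "no port-control configured"))
        elif any(mode != "auto" for mode in modes):
            findings.append((name, "port-control " + ",".join(sorted(set(modes)))))
    return findings


def format_report(hostname, findings):
    """Plain-text body suitable for mailing to whoever investigates."""
    lines = [f"{hostname}: {len(findings)} access port(s) without 802.1X enforcement"]
    lines += [f"  {iface}: {reason}" for iface, reason in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report("access-sw-07", audit_dot1x(SAMPLE_CONFIG)))
```

Ports that are shut down or trunked are skipped on purpose, so the report only lists ports an endpoint could actually plug into.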

Docjowles
Apr 9, 2009

I haven't managed network equipment in a few years but RANCID was always the gold standard config backup/diffing tool. It feels like nagios in that it's old and crusty as poo poo and nobody actually likes it, but it works so people just keep using it. Maybe there's a replacement these days that isn't written in vintage 1995 Perl.

Pile Of Garbage
May 28, 2007



These days most vendors have been focussing in on their own NCM solutions which use proprietary protocols (e.g. FortiManager for Fortinet stuff). Of course they all still have standard SSH interfaces and documented config schemas so the standard open-source framework for that is the Python-based NAPALM (As mentioned by uhhhhahhhhohahhh): https://github.com/napalm-automation/napalm.

Probably worth mentioning that there's a somewhat hard dependency on SSH when it comes to both NAPALM and the Ansible modules for IOS. As I understand they rely heavily on Paramiko for abstracting the SSH side of things and when you make them do Telnet they just fall back to raw sockets. It still works however you need to accommodate it, to the point of splitting up config sequences because if there's too many lines it just shits the bed.

bobmarleysghost
Mar 7, 2006



Thanks for the info!

Quite a few switches here have telnet only on them, they're old as gently caress, so thanks for the heads up on that limitation. Shouldn't be a big deal but I'm glad to know about it beforehand.

Pile Of Garbage
May 28, 2007



bobmarleysghost posted:

Thanks for the info!

Quite a few switches here have telnet only on them, they're old as gently caress, so thanks for the heads up on that limitation. Shouldn't be a big deal but I'm glad to know about it beforehand.

Looking back at the Ansible playbooks I wrote I created separate roles for Telnet-only devices which just used the generic telnet module to send commands instead of the proper ios_* modules. Also for things like AAA I had to add handling for versions pre-and-post 15.2 because of some poo poo that escapes me (This was using Ansible 2.9 modules, probably fixed in the newer collections).

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

You should probably monitor their traffic levels and interface errors too? Observium/LibreNMS (a more open fork) for that is a good starting place. Those systems can also be used as a 'base', to know what's online, then generate config files out of devices in there, like for RANCID, etc to use.

We do this with Observium and it works well. Basically add device there or it's discovered via ospf/bgp/lldp/etc and you'll automatically get a RANCID config file update and it will automatically back it up, for example. But indeed, this doesn't handle pushing configs to them.

If they're so bloody old they don't support SSH in IOS, it may be doubtful if NAPALM's IOS driver will even work with them, that requires at least 12.2 or 12.3 or something, and more importantly requires the 'archive' command which was added iirc around 12.4 or something.

bobmarleysghost
Mar 7, 2006



Pile Of Garbage posted:

Looking back at the Ansible playbooks I wrote I created separate roles for Telnet-only devices which just used the generic telnet module to send commands instead of the proper ios_* modules. Also for things like AAA I had to add handling for versions pre-and-post 15.2 because of some poo poo that escapes me (This was using Ansible 2.9 modules, probably fixed in the newer collections).

Good point, I'll make sure to separate them. We have around 10 or so 12.[012]'s that I'll have to deal with. There's a version cut off at 12.1 I think (I need to check) that supports SSH.
The rest are 15.something


falz posted:

You should probably monitor their traffic levels and interface errors too? Observium/LibreNMS (a more open fork) for that is a good starting place. Those systems can also be used as a 'base', to know what's online, then generate config files out of devices in there, like for RANCID, etc to use.

We do this with Observium and it works well. Basically add device there or it's discovered via ospf/bgp/lldp/etc and you'll automatically get a RANCID config file update and it will automatically back it up, for example. But indeed, this doesn't handle pushing configs to them.

If they're so bloody old they don't support SSH in IOS, it may be doubtful if NAPALM's IOS driver will even work with them, that requires at least 12.2 or 12.3 or something, and more importantly requires the 'archive' command which was added iirc around 12.4 or something.

Yea I've set up Observium here, I add all networking as it comes along but sometimes my boss gets a switch installed without mentioning it. I'll check out the RANCID integration, sounds useful.

We just got a shipment of new switches to replace the oldest and older ones, I'd be glad to have them gone finally.

bobmarleysghost fucked around with this message at 21:33 on Oct 19, 2022

Pile Of Garbage
May 28, 2007



bobmarleysghost posted:

Good point, I'll make sure to separate them. We have around 10 or so 12.[012]'s that I'll have to deal with. There's a version cut off at 12.1 I think (I need to check) that supports SSH.
The rest are 15.something

Just remembered: the telnet module, or perhaps just the protocol in general, is super flaky. This is made worse by the fact that you're just executing raw config commands via the module as opposed to using native ios_* modules which are aware of current device state and can validate desired state. Worse still because you can't use ios_* modules you cannot gather facts so determining current state is a PITA.

This means you'll need to add manual validation tasks to your playbook roles and in some instances separate the config you're applying into separate telnet module invocations.

Here are some examples, pulled from playbooks I created a couple years ago to do mass device management cutover for an MSP switchover. First one is applying general config related to SNMP and line vty which demonstrates deliberately splitting up the config blocks across telnet module invocations to avoid crapping out and checking for SNMPv3 support:

code:
---

# Inherits defaults for telnet module from main.yml

# Run command query to determine whether SNMPv3 is supported
- name: Check SNMP Commands (IOS Telnet)
  telnet:
    command: show snmp ?
  register: show_snmp_output

- name: Select SNMPv2c Configuration (IOS Telnet)
  set_fact:
    ios_snmp_config: "{{ ios_snmpv2c_config }}"
  when: "'SNMPv3' not in show_snmp_output.output | last"

- name: Select SNMPv3 Configuration (IOS Telnet)
  set_fact:
    ios_snmp_config: "{{ ios_snmpv3_config }}"
  when: "'SNMPv3' in show_snmp_output.output | last"

- name: Include Banners (IOS Telnet)
  include_vars:
    file: ios_telnet_banners.yml
    name: ios_banners

- name: Set Hostname, Domain, NTP, Timezone & Logging Configuration (IOS Telnet)
  telnet:
    command:
      - configure terminal
      # Set Hostname
      - hostname {{ ios_hostname }}
      # Set Domain Configuration
      - ip domain-name {{ ios_domain_name }}
      - ip domain-lookup source-interface {{ ios_domain_lookup_source }}
      # Set NTP Server
      - no ntp
      - ntp server {{ ios_ntp_server }}
      # Set Timezone
      - clock timezone {{ ios_clock_tz }}
      # Set Logging Config
      - no logging trap
      - logging trap debugging
      - logging source-interface {{ ios_logging_source }}
      - logging host {{ ios_logging_host }}
      - end

# WARNING: TASK OUTPUT DISPLAYED IN AWX MAY BE TRUNCATED DUE TO KNOWN ISSUE WITH TELNET MODULE
- name: Set SNMP ACL (IOS Telnet)
  telnet:
    command:
      - configure terminal
      # Set SNMP ACL
      - no ip access-list standard {{ ios_acl_snmp_access.name }}
      - ip access-list standard {{ ios_acl_snmp_access.name }}
      - "{{ ios_acl_snmp_access.entries | join('\r') }}"
      - end

# WARNING: TASK OUTPUT DISPLAYED IN AWX MAY BE TRUNCATED DUE TO KNOWN ISSUE WITH TELNET MODULE
- name: Set SNMP Configuration (IOS Telnet)
  telnet:
    command:
      - configure terminal
      # Set SNMP Config
      - "{{ ios_snmp_config | join('\r') }}"
      - end

- name: Set Line Configuration (IOS Telnet)
  telnet:
    command:
      - configure terminal
      # Set Line Console Config
      - line con 0
      - exec-timeout 15 0
      - logging synchronous
      - transport preferred none
      # Set Line VTY Config & Disable Access-Class (Fail-safe)
      - line vty 0 15
      - no access-class {{ ios_acl_vty_access.name }} in
      - exec-timeout 15 0
      - logging synchronous
      - transport input telnet
      - end

# WARNING: TASK OUTPUT DISPLAYED IN AWX MAY BE TRUNCATED DUE TO KNOWN ISSUE WITH TELNET MODULE
- name: Set Line VTY ACL (IOS Telnet)
  telnet:
    command:
      - configure terminal
      # Set Line VTY ACL
      - no ip access-list standard {{ ios_acl_vty_access.name }}
      - ip access-list standard {{ ios_acl_vty_access.name }}
      - "{{ ios_acl_vty_access.entries | join('\r') }}"
      - end

- name: Set Line VTY Access-Class (IOS Telnet)
  telnet:
    command:
      - configure terminal
      # Set Line VTY Access-Class
      - line vty 0 15
      - access-class {{ ios_acl_vty_access.name }} in
      - end

- name: Set Exec Banner (IOS Telnet)
  telnet:
    command:
      - configure terminal
      # Set Exec Banner (Carriage returns inserted manually as multi-line input has no prompt)
      - "banner exec ^\r{{ ios_banners.exec_banner | join('\r') }}\r^"
      - end

- name: Set Login Banner (IOS Telnet)
  telnet:
    command:
      - configure terminal
      # Set Login Banner (Carriage returns inserted manually as multi-line input has no prompt)
      - "banner login ^\r{{ ios_banners.login_banner | join('\r') }}\r^"
      - end

- name: Set Enable Secret & Save Configuration (IOS Telnet)
  telnet:
    command:
      - configure terminal
      # Set Enable Secret
      - enable secret 5 {{ ios_enable_secret }}
      - end
      # Save Config
      - write memory

And this is applying TACACS config including verification and automatic roll-back (Note inclusion of prompts keyword in the rescue section, that is so that it can automatically respond to the confirmation prompts that appear when you disable AAA):

code:
---

# Inherits defaults for telnet module from main.yml

- name: Check Config for Enable Secret (IOS Telnet)
  telnet:
    command: show running-config | include enable secret
  register: validate_enable_secret_output

# If enable secret is set and "aaa new-model" is enabled you cannot enter privilege 15 using a local account via VTY
# Register output includes the command run so the string being checked for includes a trailing space
- name: Validate Enable Secret is Configured (IOS Telnet)
  assert:
    that: "'enable secret ' in validate_enable_secret_output.output | join()"
    fail_msg: No enable secret configured on device [{{ inventory_hostname }}]!
    success_msg: Confirmed enable secret is configured on device.

- name: Apply Initial TACACS Config (IOS Telnet)
  telnet:
    command:
      - configure terminal
      # Enable AAA
      - aaa new-model
      # TACACS Server Config
      - tacacs-server host {{ ios_tacacs_server.address }} key {{ ios_tacacs_server.key_type }} {{ ios_tacacs_server.key }}
      - ip tacacs source-interface {{ ios_aaa_group.tacacs_source_interface }}
      # AAA Group Config
      - aaa group server tacacs+ {{ ios_aaa_group.name }}
      - server {{ ios_tacacs_server.address }}
      - ip tacacs source-interface {{ ios_aaa_group.tacacs_source_interface }}
      - end

- name: Test & Finalise/Rollback Config (IOS Telnet)
  block:
    - name: Test TACACS Config (IOS Telnet)
      telnet:
        command:
          - enable
          - "{{ telnet_become_password }}"
          # AAA Group Test
          - test aaa group tacacs+ {{ ios_test_aaa_group_username }} {{ ios_test_aaa_group_password }} legacy
        prompts:
          - "[>#]"
          - "Password: " # Enable login prompt
      no_log: True # Prevent plain-text TACACS credentials being written to log
      register: test_aaa_group_output

    - name: Validate AAA Group Test Result (IOS Telnet)
      assert:
        that: ios_test_tacacs_success_string in test_aaa_group_output.output | last
        fail_msg: "AAA test failed! Rolling-back TACACS config."
        success_msg: "AAA test succeeded. Finalising TACACS config."

    - name: Finalise TACACS Config (IOS Telnet)
      telnet:
        command:
          - enable
          - "{{ telnet_become_password }}"
          - configure terminal
          # AAA Config
          - "{{ ios_aaa_config | join('\r') }}"
          # Line Config
          - line con 0
          - login authentication {{ ios_aaa_auth_login }}
          - line vty 0 15
          - login authentication {{ ios_aaa_auth_login }}
          - end
          # Save Configuration
          - write memory
        prompts:
          - "[>#]"
          - "Password: " # Enable login prompt
  rescue:
    - name: Remove AAA Group & TACACS Server (IOS Telnet)
      telnet:
        command:
          - enable
          - "{{ telnet_become_password }}"
          - configure terminal
          # Remove AAA Group
          - no aaa group server tacacs+ {{ ios_aaa_group.name }}
          # Remove TACACS Server
          - no tacacs-server host {{ ios_tacacs_server.address }}
          # Disable AAA
          - no aaa new-model
          - "\r" # Send carriage return to pass AAA disable confirmation prompt
          - end
        prompts:
          - "[>#]"
          - "Continue?"  # AAA disable confirmation prompt
          - "Password: " # Enable login prompt

    - name: Fail Playbook Run (IOS Telnet)
      fail:
        msg: TACACS test failed, configuration changes rolled-back.

Edit: if anyone is wondering why I developed all this whack Cisco IOS Telnet handling for Ansible it was for when my employer landed a contract to do network ops for a big state government department back in 2019. Said department had several hundred devices across ~50 sites and the only thing the incumbent provider gave us was IP addresses and TACACS login. No hardware/software info or anything. Alongside the insane playbooks I created to cutover all the devices in the environment to our management system I also created a custom AWX inventory script that would read a CSV in an S3 bucket containing device IPs and details and then do a socket test against each one to determine whether they could do SSH or Telnet. poo poo was wild, especially considering that we were subcontracted for this and earlier this year the prime contractor decided "yeah nah we don't want ya'll doing network ops anymore gently caress off" lol.

Pile Of Garbage fucked around with this message at 16:50 on Oct 21, 2022
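
The inventory idea described at the end of the post above (a CSV of device IPs plus a socket test to decide between SSH and Telnet), as an added example that is not the poster's script. It assumes a local CSV with `hostname,ip` columns instead of an S3 object; the group names, the `mgmt_transport` host variable and the `INVENTORY_CSV` environment variable are hypothetical. It prefers SSH whenever port 22 answers, so the Telnet group ends up listing exactly the devices still managed in cleartext.

```python
#!/usr/bin/env python3
"""Ansible dynamic-inventory sketch: group IOS devices by management transport."""
import csv
import io
import json
import os
import socket

# Constructed sample input (documentation addresses, not real devices).
SAMPLE_CSV = """hostname,ip
core-sw-01,192.0.2.10
access-sw-07,192.0.2.27
old-sw-03,192.0.2.43
"""

# Constructed reachability table used only by the offline demo in __main__.
DEMO_OPEN = {("192.0.2.10", 22), ("192.0.2.10", 23), ("192.0.2.27", 23)}


def probe(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, bad name
        return False


def classify(host, prober=probe):
    """Pick the transport for one device, preferring SSH over Telnet."""
    if prober(host, 22):
        return "ssh"
    if prober(host, 23):
        return "telnet"
    return "unreachable"


def build_inventory(csv_text, prober=probe):
    """Build the JSON structure Ansible expects from an inventory script."""
    inventory = {
        "_meta": {"hostvars": {}},
        "ios_ssh": {"hosts": []},
        "ios_telnet": {"hosts": []},
        "unreachable": {"hosts": []},
    }
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row.get("hostname") or "").strip()
        ip = (row.get("ip") or "").strip()
        if not name or not ip:
            continue  # skip incomplete rows rather than probing garbage
        transport = classify(ip, prober)
        group = "unreachable" if transport == "unreachable" else "ios_" + transport
        inventory[group]["hosts"].append(name)
        inventory["_meta"]["hostvars"][name] = {
            "ansible_host": ip,
            "mgmt_transport": transport,  # hypothetical variable for role selection
        }
    return inventory


def cleartext_hosts(inventory):
    """Devices that only answered on Telnet: the migration/replacement list."""
    return sorted(inventory["ios_telnet"]["hosts"])


if __name__ == "__main__":
    path = os.environ.get("INVENTORY_CSV")
    if path:
        with open(path, newline="") as handle:
            result = build_inventory(handle.read())
    else:
        # Offline demo: answer probes from the constructed table above.
        result = build_inventory(SAMPLE_CSV, lambda h, p: (h, p) in DEMO_OPEN)
    print(json.dumps(result, indent=2))
```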

Partycat
Oct 25, 2004

Oxidized works well for backups, it can push to a Git repo.

CiscoConfParse is pretty good for making changes, though the syntax is sometimes a bit to work around to make changes until you grok how it parsed, where it doesn’t indent etc. Just have a sandbox, but it’s great for taking a config and creating a new one to replace.

bobmarleysghost
Mar 7, 2006




This is going to be of great help, thanks for that!
I'll take a closer look at it on Monday, but from a quick glance it'll make it a breeze to set up the playbooks.



Partycat posted:

Oxidized works well for backups, it can push to a Git repo.



Same goes for this. It'll be a busy Monday.




A separate question regarding best practices - does it make sense to have one playbook for the main, non-port, config that gets applied to all switches in a group, and then have a separate one for configuring the access ports on a port by port or range basis? Then use another tool for config back ups.

We make many individual port changes for various reasons, so I'm thinking about how to best deploy configs.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

On a switch I usually go

sh int status

for all port statuses

Is there a command where I only get shown "connected" as a status?

Filthy Lucre
Feb 27, 2006
show int status | i connected

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

Filthy Lucre posted:

show int status | i connected

The man! Short questions comes through again.

fatman1683
Jan 8, 2004
.
Does anyone have a preferred vendor for Cisco licensing? I'm thinking of getting away from Unifi for my home network and the Firepower 1120 seems like a good option, but I need to get a better idea of TCO.

i am a moron
Nov 12, 2020

"I think if there’s one thing we can all agree on it’s that Penn State and Michigan both suck and are garbage and it’s hilarious Michigan fans are freaking out thinking this is their natty window when they can’t even beat a B12 team in the playoffs lmao"
As someone running an ASA with some kind of firepower module at home I could not recommend it any less. I got it for free years ago and I still hate it. If you’re going to buy something like that just get a Fortigate.

fatman1683
Jan 8, 2004
.

i am a moron posted:

As someone running an ASA with some kind of firepower module at home I could not recommend it any less. I got it for free years ago and I still hate it. If you’re going to buy something like that just get a Fortigate.

Could you give some detail on your experience with it? I've never worked with Firepower, only the older ASAs, so I don't really know what to expect.


Thanks Ants
May 21, 2004

#essereFerrari


Most Cisco stuff relating to firewalls is fairly poo poo, and people put up with it at work. You don't deserve to voluntarily inflict it on your home life.
