Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us money per month for bills, and since we don't believe in showing ads to our users, we try to make the money back through forum registrations.
 
  • Post
  • Reply
BaseballPCHiker
Jan 16, 2006



I think Tufin will do something like that but its been a while since I've dealt with that software. Might want to look into it though.

Adbot
ADBOT LOVES YOU

tortilla_chip
Jun 13, 2007

k-partite

https://github.com/google/capirca

Kazinsal
Dec 13, 2011







By chunking through several hundred dollars a month in cloud vCPUs.

They tend to also have some pretty hilariously abysmal license tiers that correspond to lower vCPU requirements for lower throughput, but nobody is going to buy a license for a cloud based 10 Mbps firewall.

Thanks Ants
May 21, 2004

#essereFerrari


Meraki's virtual MX doesn't do anything other than provide a way to build a VPN tunnel between a Meraki network and Azure, the license costs a shitload, and you still consume compute resource costs.

It's also trash and only exists because the IPsec support on MX boxes is so incredibly lovely. It would be cheaper to buy a Fortigate box to manage your VPN tunnels and then just sit it next to any Meraki stuff you have, and throw some static routes in each box.

BurgerQuest
Mar 17, 2009

by Jeffrey of YOSPOS


We have quite a few Forti/Meraki deployments for similar reasons. Works well enough with VDOMs so stakeholders can self manage. Trunks back into the Meraki wifi as VLANs/SSID.

Methanar
Sep 26, 2013
ASK ME ABOUT NOT TIPPING DELIVERY DRIVERS, OR ABOUT MY DIET OF CANNED BABY CORN AND CHICKEN NUGGETS

Are there any tools around specifically for debugging vxlans? I've been having some serious network problems lately and one of the big issues I'm facing is I basically don't know how to deal with vxlans. TCPdump is a nightmare for this, as far the 1990s style I've been trying to use it, and hasn't been working well because what I naively expect traffic to be like isn't what it actually is on the wire.

tortilla_chip
Jun 13, 2007

k-partite

If you've got the pcap with the fully encpsulated packet you could just rip headers off at the right offset to get normal IP/ethernet traffic.

ate shit on live tv
Feb 15, 2004



Speaking of VXLAN, am I right in trying to do anything I can to just get rid of layer2 rather then trying to throw more network complexity at solving a problem that shouldn't exist anymore in 2021?

Why do we need to preserve IP addresses when migrating VMs? I work for a modern software company. We use middleware applications that fully understand layer3, DNS and don't need layer2 adjacency. Hell most of them run in docker containers. Our application ingests data on a local machine, and sends it to a DNS defined dynamic endpoint. Yet our datacenter is full of vlans spanned across hundreds of switches with network sizes ranging from /22 to /19! The environment is stable, and the applications that run on all those vlans are well-behaved so we don't have issues, but our deployment process uses MaaS and expects different applications to be put into different vlans.

Anyway, I don't see any reason for VXLAN except to try to preserve bad server side programming.

Methanar
Sep 26, 2013
ASK ME ABOUT NOT TIPPING DELIVERY DRIVERS, OR ABOUT MY DIET OF CANNED BABY CORN AND CHICKEN NUGGETS

ate poo poo on live tv posted:


Anyway, I don't see any reason for VXLAN except to try to preserve bad server side programming.

vxlan is mostly bad, yeah.

https://docs.cilium.io/en/v1.9/concepts/networking/routing/

The only reason I'm using vxlan is because it completely abstracts away the underlay network. I could and should be just leveraging the aws SDN since everything is all fully routed anyway. But that's slightly difficult for a few reasons.

1) Limitations on how many IPs you can have per ENI. This is irritating to deal with for a few reasons
2) Its slightly more portable for when we start doing k8s on bare metal, or in GCP like we thought we might.
3) We already started with vxlans and its a big deal to change

ate poo poo on live tv posted:

Why do we need to preserve IP addresses when migrating VMs? I work for a modern software company. We use middleware applications that fully understand layer3, DNS and don't need layer2 adjacency. Hell most of them run in docker containers. Our application ingests data on a local machine, and sends it to a DNS defined dynamic endpoint. Yet our datacenter is full of vlans spanned across hundreds of switches with network sizes ranging from /22 to /19! The environment is stable, and the applications that run on all those vlans are well-behaved so we don't have issues, but our deployment process uses MaaS and expects different applications to be put into different vlans.

What's the need to even migrate a VM here? What's the difference between migrating a VM and creating a new one in your case.

ate shit on live tv
Feb 15, 2004



Methanar posted:


What's the need to even migrate a VM here? What's the difference between migrating a VM and creating a new one in your case.



I think it's because somewhere there exists an ip->customer mapping that is defined on turn-up.

Pile Of Garbage
May 28, 2007





Methanar posted:

1) Limitations on how many IPs you can have per ENI. This is irritating to deal with for a few reasons

Interested to know why this is an issue if you don't mind indulging me. When I've deployed stuff in the past if I need another IP in the VPC I just add another ENI. If I need the EC2 instance to handle traffic not specifically for it then I disable source/destination check on the relevant ENI.

Methanar
Sep 26, 2013
ASK ME ABOUT NOT TIPPING DELIVERY DRIVERS, OR ABOUT MY DIET OF CANNED BABY CORN AND CHICKEN NUGGETS

Pile Of Garbage posted:

Interested to know why this is an issue if you don't mind indulging me. When I've deployed stuff in the past if I need another IP in the VPC I just add another ENI. If I need the EC2 instance to handle traffic not specifically for it then I disable source/destination check on the relevant ENI.

If you're not using vxlans, you're programming in pod IPs directly to an ENI on a host with the expectation that the pod cidrs are all fully routed in the underlay already.

I can't remember the exact details of the issue regarding IPs/ENI but a year and a half ago when this was a discussion point it was an issue. We typically use c5.9xls today, so maybe there was a concern that we might limit ourselves to 30 pods per host which in some cases might be an issue

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#AvailableIpPerENI

uhhhhahhhhohahhh
Oct 9, 2012


I've got a turbojank setup but I can't do anything about the jank. Trying to make some OSPF <-> EIGRP redistribution work cleanly.

Baiscally, in a DC, I've got a HA pair of WAN routers (that I have no access to), two Nexus 9300 in a vPC, and a HA Palo Alto firewall pair - all with HSRP, etc. - The Nexus and WAN routers peer using EIGRP to learn the routes for all our sites, and we redistribute (static) routes into EIGRP for the other sites to learn, from both our DCs. That bit's fine.
I've set up OSPF on the Nexus and PAs so I don't have to put static routes in 9 fuckin' places (because can't do EIGRP obviously), that bit all works fine too. Then I redistribute EIGRP into OSPF with tags, redistribute OSPF into EIGRP, tagged again, and block those tags from being re-advertised back in on each process. That bit all seems fine, too. The problem is OSPF has a lower AD than EIGRP, so instead of installing routes for all the other WAN sites via the primary WAN router, one of the Nexus switches will install those WAN routes via the other Nexus switch or the PA firewall, which is very Not Ideal. I can't just increase the AD for the OSPF learned routes, because I'll be advertising the same routes at my other DC also, for fail-over purposes, but this one should be preferred until the route doesn't exist anymore. My workaround for this was making a prefix, route-map, and table-map on each Nexus, for it's peer IP, and adding that to OSPF. It works how I'd hope... but this seems super hacky. Is there a better way I should be doing this? Or is this just the expected amount of jank with a design as poor as this?

Methanar
Sep 26, 2013
ASK ME ABOUT NOT TIPPING DELIVERY DRIVERS, OR ABOUT MY DIET OF CANNED BABY CORN AND CHICKEN NUGGETS

uhhhhahhhhohahhh posted:

I've got a turbojank setup but I can't do anything about the jank. Trying to make some OSPF <-> EIGRP redistribution work cleanly.

Baiscally, in a DC, I've got a HA pair of WAN routers (that I have no access to), two Nexus 9300 in a vPC, and a HA Palo Alto firewall pair - all with HSRP, etc. - The Nexus and WAN routers peer using EIGRP to learn the routes for all our sites, and we redistribute (static) routes into EIGRP for the other sites to learn, from both our DCs. That bit's fine.
I've set up OSPF on the Nexus and PAs so I don't have to put static routes in 9 fuckin' places (because can't do EIGRP obviously), that bit all works fine too. Then I redistribute EIGRP into OSPF with tags, redistribute OSPF into EIGRP, tagged again, and block those tags from being re-advertised back in on each process. That bit all seems fine, too. The problem is OSPF has a lower AD than EIGRP, so instead of installing routes for all the other WAN sites via the primary WAN router, one of the Nexus switches will install those WAN routes via the other Nexus switch or the PA firewall, which is very Not Ideal. I can't just increase the AD for the OSPF learned routes, because I'll be advertising the same routes at my other DC also, for fail-over purposes, but this one should be preferred until the route doesn't exist anymore. My workaround for this was making a prefix, route-map, and table-map on each Nexus, for it's peer IP, and adding that to OSPF. It works how I'd hope... but this seems super hacky. Is there a better way I should be doing this? Or is this just the expected amount of jank with a design as poor as this?

Sounds pretty jank.

If you have decent config management, is it really that much harder to populate a static route entry in 9 different places rather than maintaining and documenting a complicated dance of prefix, route-map and table-maps out there? I suppose this might be a pretty big if.

Why was EIGRP ever used if there wasn't a solid commitment to only using cisco hardware?

Methanar fucked around with this message at 00:59 on Mar 6, 2021

uhhhhahhhhohahhh
Oct 9, 2012


Methanar posted:

Sounds pretty jank.

If you have decent config management, is it really that much harder to populate a static route entry in 9 different places rather than maintaining and documenting a complicated dance of prefix, route-map and table-maps out there? I suppose this might be a pretty big if.

Why was EIGRP ever used if there wasn't a solid commitment to only using cisco hardware?

You read all that and then assumed we have config management? Absolutely everything is done manually. I'm going to start using eNMS/ansible/Netmiko soon to do some stuff but my junior and me will need to keep it secret because if my bosses find out they'll make us turn it all off. They'd sooner have someone sit there and spend 2 months upgrading switches one by one than having something to do it automatically... And they won't pay for something like Prime either.

It's more like static routes will have to go on 6 switches, 4 Palo Alto firewalls and 2 Cisco firewalls. I feel like once the redistribution config is nailed down it shouldn't ever need touching again?

It was originally all OSPF. We'd already bought some non-Cisco firewalls. the config was all written up and then my boss decided at the last minute, right before implementation, he wanted it to be EIGRP. I think probably because he doesn't know OSPF (he barely knows EIGRP tbh) even though he's done zero of the implementation or config or daily management of it. Pre- this WAN setup when we had a VPLS with EIGRP and only Cisco devices they were still using static routes in the DCs for no discernible reason. I vaguely remember overhearing somebody saying it's unsecure to use routing protocols on your firewall/DMZ because the hackers can get to all your of network. I didn't bother to argue they could do that anyway since there was static routes for every internal network on them anyway.

Kazinsal
Dec 13, 2011






Replace all that jank with a cron job that puts the static routes back on every few hours.

Jank, but centralized, documentable, and less prone at breaking jank is better than that jank

falz
Jan 29, 2005

01100110 01100001 01101100 01111010


Really need to run a single IGP for starters, and it should be OSPF.

If your boss needs convincing draw up a crazy stringed together diagram and explain the insanity of it.

uhhhhahhhhohahhh
Oct 9, 2012


Too late in the game to change it, they'll never go for it. Especially because we'd have to pay since it's a managed WAN contract.

The guy didn't even want any automatic failover for our routing/DCs. I had to slip that bit in too. He genuinely believes it's better for our staff to lose their access to patient information until someone gets called out and changes it manually by putting the static routes in the other DC so he can send an email out saying "IT fixed it ".

falz
Jan 29, 2005

01100110 01100001 01101100 01111010


Sounds like he's incompetent and should be fired honestly.

tortilla_chip
Jun 13, 2007

k-partite

I guess you could introduce additional tags for the mutual redistribution to control scoping and RIB installation for your DR prefixes. You are basically reinventing BGP communities at this point. Keeping in the jank train, you could use your IGP to carry loopbacks/ptps and then run BGP on top for prefixes that need more granular policy selection.

uhhhhahhhhohahhh
Oct 9, 2012


My DR and route tagging part works fine. I can advertise a route at both DCs with one of two tags, and it'll be prioritised towards the primary or secondary DC based on which tag I set.

The main bit I'm unsure about is the table-map and if there's a better way of avoiding that, but still having one Nexus not learn WAN routes from the other. The other issue with the table map is, if another SVI is added onto these switches and gets advertised into OSPF, I'm probably going to have to block the Nexus peers' SVI IP on each of them on the table-map too.

tortilla_chip
Jun 13, 2007

k-partite

It sounds like you want an additional distribute list on the ASBRs to keep the OSPF external routes from being installed to the rib. (Those prefixes should have a corresponding rib entry from EIGRP). This should allow you to tweak the AD. The type-5 LSAs will still propagate into your OSPF domain, so you'll pull the traffic towards the ASBRs as desired.

tortilla_chip fucked around with this message at 17:55 on Mar 9, 2021

Internet Explorer
Jun 1, 2005


Hello everyone! Just a quick note to help out the folks who browse by bookmarks. We've started a SH/SC feedback thread and would love it if you stopped by to say hi and let us know what you think.

https://forums.somethingawful.com/showthread.php?threadid=3961558

KS
Jun 10, 2003


Outrageous Lumpwad

I got all the necessary bits and pieces up and running to make mDNS/bonjour work with my Mobility Express APs. Wireless clients can see both wired and wireless bonjour services like Chromecasts, etc and it works across VLANs once I figured out mDNS policy.

The only thing that's missing is my wired clients can only see services on the same VLAN. Any pointers on the missing piece? I'm wondering if I need mDNS snooping which appears to be WLC only.

uhhhhahhhhohahhh
Oct 9, 2012


Updated our WLCs last night to fix an ARP bug with AP2802 access points. Only to be met with another bug where locally switched devices can't get an IP after a successful CoA on the same model. I can't upgrade any further because we have 300+ 2600 APs that aren't supported on any other version.


Oh and 30 access points disappeared and they're probably stuck in recovery mode, so someone has to drive out and unfuck them manually. I want to cry.

BaseballPCHiker
Jan 16, 2006



The next exam refresh for Cisco should include correspondence with TAC, and looking up bug reports.

I swear 1/2 of my last networking job was either fixing bugs I encountered with Cisco devices, or updating IOS on devices to avoid bugs I hadnt encountered yet.

uhhhhahhhhohahhh
Oct 9, 2012


I actually did look before hand, that's how I knew not to update to 8.10 or whatever they're up to now or we'd have lost 300 APs, and this new bug is not listed as an open caveat on this version, either.

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!



Looking to replace our 5-switch core stack of HP A5500's (the old Comware ones)

2 of the switches have 24 copper ports, and 4 SFP ports
The other 3 have 8 copper ports and 24 SFP ports

I don't see many switches split this way. One of the switches with 24 SFP ports, we're using 8 media converters to go over to ethernet... That one would need about 16 copper ports.

Anyone know of any that are still configured like this? We're limited to $10k/switch which probably won't be enough. I mentioned FS.com and I might as well have said Netgear.

We had 2x the budget last year (right before COVID so that went *poof*), and the place we bought all our Aruba wireless stuff was going to get us Aruba switches, but there isn't a quote anywhere with actual models etc.

Pile Of Garbage
May 28, 2007





What and how many SFPs do you have in the SFP ports of the current switches? Maybe easier just to break-down your actual port requirements as copper/SFP?

Thanks Ants
May 21, 2004

#essereFerrari


Do you need any of the L3 features that the Comware stuff could be made to do?

That's not a particularly high number of ports, have you considered a CX 6400 chassis rather than a stack? It would be better suited to your mix of SFP+ and 1GbE.

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!



Pile Of Garbage posted:

What and how many SFPs do you have in the SFP ports of the current switches? Maybe easier just to break-down your actual port requirements as copper/SFP?

Currently in use:

1/2 - 10 sfp 8 copper (comm room)
3/4 - 0 sfp, 20 coppers (server room)
5 - 4 copper, 8 sfp (actuall copper, using media converters), would really want at least 4 more copper here maybe 8. Don't actually need any SFP ports (backup server room)

Also it looks like on most switches we'd need two SFP ports for stacking unless they have dedicated stacking ports on the back.



Actual picture of 1/2. Fibers are all redundant pairs going to MDF's in other areas of the building and the coppers are going to our wireless controllers, phone system, and firewall pair.

Bob Morales fucked around with this message at 12:24 on Apr 12, 2021

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!



Thanks Ants posted:

Do you need any of the L3 features that the Comware stuff could be made to do?

That's not a particularly high number of ports, have you considered a CX 6400 chassis rather than a stack? It would be better suited to your mix of SFP+ and 1GbE.

Agreed, but they are physically located in 3 different areas. Two are about 50 feet apart and the other is like 1000 feet away

We aren't doing anything funny with it other than VLAN routing.

Thanks Ants
May 21, 2004

#essereFerrari


Are you actually running a stack over that distance, or just an IRF?

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!



Thanks Ants posted:

Are you actually running a stack over that distance, or just an IRF?

IRF

What is the difference?

Pile Of Garbage
May 28, 2007





Bob Morales posted:

Actual picture of 1/2. Fibers are all redundant pairs going to MDF's in other areas of the building and the coppers are going to our wireless controllers, phone system, and firewall pair.



What you're describing sounds less like a pair of redundant switches and more an actual network core (As the labels on those switches seem to indicate). I'm not exactly fully across the Cisco product line (Really only Fortinet firewalls) but as I understand the only thing that is only going to give you the same amount of density and expansion is a 9400 or a 6500 (Are they even a thing anymore?)

Side note, for this kind of full hardware refresh it'd be best to engage a VAR that can give you options and validate your design (Also they may be inclined to get you discounts on account of being a largish build).

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!



Pile Of Garbage posted:

What you're describing sounds less like a pair of redundant switches and more an actual network core (As the labels on those switches seem to indicate). I'm not exactly fully across the Cisco product line (Really only Fortinet firewalls) but as I understand the only thing that is only going to give you the same amount of density and expansion is a 9400 or a 6500 (Are they even a thing anymore?)

Side note, for this kind of full hardware refresh it'd be best to engage a VAR that can give you options and validate your design (Also they may be inclined to get you discounts on account of being a largish build).

quote:

Looking to replace our 5-switch core stack of HP A5500's (the old Comware ones)

We had 2x the budget last year (right before COVID so that went *poof*), and the place we bought all our Aruba wireless stuff was going to get us Aruba switches, but there isn't a quote anywhere with actual models etc.

I'm not sure if we're calling them back or what. They for some reason allocated half the money this time around so I'm not sure if it will even be possible.

Pile Of Garbage
May 28, 2007





I'm not exactly familiar with the HP A5500 series but at a glance they look just like regular stack switches. I may be extremely wrong here but as I understand stacks are exclusively a thing for access switching and cores at a certain size are almost always built with with chassis configurations where capability is provided via line-cards. For example, one of our previous customers had the top four floors of an office tower so they had 10Gb P2P from the DCs to the top floor IDF where a 6500 was installed that then connected to 3850 stacks in the IDFs on the other three floors.

So yeah, I doubt they've allocated enough money for you to do a full refresh. Out of interest, for the LC fibre runs what distance do they cover?

BaseballPCHiker
Jan 16, 2006



Just to pile on, Im just a Cisco guy, but for Cisco we'd have dedicated stacking cables in the back of the switches, not using SFP or copper ports for that.

Are you calling trunk links stack ports? Or is that how HP does stacking?

Also, when I was looking into something similar last year, Cisco had yet to come out with a fiber aggregation switch in their 9000 series of switches. Not sure if thats still the case or not.

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!



Pile Of Garbage posted:

I'm not exactly familiar with the HP A5500 series but at a glance they look just like regular stack switches. I may be extremely wrong here but as I understand stacks are exclusively a thing for access switching and cores at a certain size are almost always built with with chassis configurations where capability is provided via line-cards. For example, one of our previous customers had the top four floors of an office tower so they had 10Gb P2P from the DCs to the top floor IDF where a 6500 was installed that then connected to 3850 stacks in the IDFs on the other three floors.

So yeah, I doubt they've allocated enough money for you to do a full refresh. Out of interest, for the LC fibre runs what distance do they cover?

20M and maybe 300M?

Adbot
ADBOT LOVES YOU

Thanks Ants
May 21, 2004

#essereFerrari


I think a pair of Aruba CX 6300 24 port SFP+ switches will do for your 'core', then just use CX 6100s for your copper access.

Trying to get that combination of SFP and copper ports into new devices isn't really going to happen unless you go for a chassis or something weird like a Netgear . Also I don't think trying to stack them all together is worth doing - you won't want to do maintenance on them all at the same time, you won't want to reboot your main core just because your secondary ESXi cluster needs a firmware update. Use something like NetEdit or Aruba Central for management.

  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply