Eletriarnation
Apr 6, 2005

People don't appreciate the substance of things...
objects in space.



Oven Wrangler

InferiorWang posted:

Do you guys struggle with the language barriers with TAC? With the exception of one time, my issues get sorted out. But I feel it's taking much longer to get to the solution and that the language difference is a large part of that. An example of that would be when I explain a symptom to the engineer. I'll get a response of "yes" or "sorry to hear that" but I'm never really sure if they understood what I was saying.

Funny, I just happened to see this... I work for CALO, TAC's lab staff (we run the cables, plug in the cards, etc.) and over half of our actual testing that uses hardware is done stateside in North Carolina. However, if you're on tier 1 support, it's likely that you're getting staff in Costa Rica or Bangalore, which would probably not have English as a first language. Most of my knowledge is about the in-lab work and not customer-facing employees, though.

EDIT: And when I say the testing is done in North Carolina, I mean that the hardware is there - the actual TAC engineer could really be anywhere, so I guess it doesn't mean much.

Eletriarnation fucked around with this message at 09:13 on Mar 28, 2009


Eletriarnation

jwh posted:

Our DC systems folks are attempting to move to UCS-based chassis and blades within the next six to ten months, in an attempt to consolidate our VM environment.

To that end, they're proposing FEXs (Nexus 2ks) in the blades, connected to a HA pair of 6140 unified-fabric boxes. They're also proposing a Nexus 5000, to connect the 6140s to.

Thing is, I don't see what the point of the 5000 is, since all the M71KR-E converged network adapters terminate in the 6140s, and the only thing the 5000 would do is sit in between the 6140s and the 6500 L3 cores.

I can understand the 5000s provide cheaper 10gig density, but I don't see why that's important here if all the CNAs sit on the 6140s.

Am I missing something?

Is the 5000 supposed to aggregate links from the 6140s? It seems like if you only have one 5000, then the implication is that you will be connecting several 6140s to it and then using a 10G uplink or two to the 6500s instead of taking up many precious 10G ports on your core switches. That way, you'll have high-bandwidth interconnects between the 6140s and the ability for a particular 6140 or two to get a lot of bandwidth to the core when necessary, or for all to get a fair amount constantly.

Basically, the 5000 seems like a distribution layer switch.

EDIT: Oh, there are only two 6140s... Well, they may be planning for expansion, I guess.

Eletriarnation

Bardlebee posted:

Can you guys recommend me a cheap router that has the Cisco IOS on it that I can use for my home router? I would like to setup NAT at home and practice there as well. I know there are sims, but I would like to set it up at home too.

It would be even more awesome if this router was not loud.

You don't need to buy something as expensive as a new 800/1800. I use a 1720 with a WIC-1ADSL as a combination modem/router at my place, and if you already have a modem that makes you happy and just want a router you'd be just fine with a 2611 or 1721 as far as I know, which you can get for $50 or less. I haven't actually used a 2600 except in a lab full of much louder things, but as far as I know they're pretty quiet, and I can vouch that the 1700's slow 30mm-ish fan is literally silent.

Just make sure that if you want any specific/exotic features that you check them against the supplied code version on the Software Advisor on Cisco's website, and if you get a 1700 (except the 1760, which is just unnecessary) make sure you buy a power brick because they don't have an internal PSU like the 2600s.

Eletriarnation fucked around with this message at 16:26 on Jan 12, 2011

Eletriarnation

CrazyLittle posted:

The problem with a 1720/1721 is that its CPU isn't fast enough to be useful for home routing an internet connection like a cablemodem, and you can't get a second ethernet interface unless you hunt down a wic-4esw. Also, 26## routers are not compatible with wic-1adsl. Only 26##-XM routers are.

If you're going to get one of these strictly for lab practice, you might as well just use the sims.

I'm not sure about that, but as I said my 6mbit ADSL connection seems to be able to perform at max speed with no issues. I'm at class right now, but when I get home I'll max it out and let you know what my reported CPU usage is.

Also, the point of recommending the 1721 and not the 1720 is that it does have a second FastE interface. I didn't know about the 26xx not supporting ADSL, but that's definitely in the list of features I would check for any model/code version - I clearly remember checking it when I made the decision to buy the 1720.

Eletriarnation fucked around with this message at 16:44 on Jan 12, 2011

Eletriarnation

CrazyLittle posted:

17## series routers only have 1 FE port built in. You can add a wic-1E to most of them, but that card's pretty worthless in any real-world practical applications.

List of router interfaces by model#: http://www.cisco.com/web/partners/downloads/765/tools/quickreference/isr.pdf
Router throughput speed: http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf
WIC compatibility list*: http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routermodxref.pdf

*wic-1ADSL, I think you're right on this one actually. I'll test it on a 2611 I have at work. It could just be that the 2611 I have doesn't have 12.2 or 12.3 on it:
http://www.cisco.com/en/US/tech/tk175/tk15/technologies_q_and_a_item09186a0080093bff.shtml

Interesting, I must have imagined it based on the difference between the 26x0/26x1. Sorry, my mistake. OK, if you want two Ethernet interfaces, buy a 2611 instead of a 1720/2610 not only because yes, a 10Base-T WIC does suck, but also because why would you pay more for a WIC and a slower router when you could just get two FastE lines built in?

That said, here's a summary of my decidedly unscientific router test:

First off, I fired up the eight most seeded torrents on linuxtracker, plus three more that I can seed myself for a total of eleven torrents. Knowing that I only have around 700KBps of bandwidth (due to the ADSL limitations) I rate-limited each to 100KB download so that one wouldn't dominate. Finally, I fired up WoW and logged in at Stormwind, which is probably the busiest area on my high population server.

Six of the torrents have hit the full 100KBps, and a couple more are creeping along, and WoW while not as responsive as it should be is playable and stable.

Here's a "show proc cpu hist" on my 1721:

code:
    6777777777766666666666666677777777776666666666666667777777
    3000000000088888111116666600000111117777733333666661111111
100
 90
 80
 70  ***************     ********************     **************
 60 ************************************************************
 50 ************************************************************
 40 ************************************************************
 30 ************************************************************
 20 ************************************************************
 10 ************************************************************
   0....5....1....1....2....2....3....3....4....4....5....5....
             0    5    0    5    0    5    0    5    0    5
               CPU% per second (last 60 seconds)

    7677676555444266  4 5 1  2                  9
    181075967680895178241621171  1        1     911   2
100                                             *
 90                                             *
 80      *                                      *
 70 #******       *                             *
 60 #######***    #*                            *
 50 #########** * #*    *                       *
 40 ############* #*  * *                       *
 30 #############*##  * *    *                  *
 20 ################  * *    *                  *
 10 ################### #**  *                  #
   0....5....1....1....2....2....3....3....4....4....5....5....
             0    5    0    5    0    5    0    5    0    5
               CPU% per minute (last 60 minutes)
              * = maximum CPU%   # = average CPU%
So while it is being worked fairly hard, it's not maxed out with this 6Mbit down/750kbit up link. Would I trust it to max out two 10Mbit WICs or something more strenuous than basic IP traffic? No, of course not, but I've never had any issues with it for anything I've done at home. I'm not sure how the processing power of the 26xx series compares, but all I really wanted to say is that I don't think you need to spend $300+ on a current-gen device to run IOS at home and eat your cake, too.

When I hopefully move up to a 15Mb down/2 up connection next year, I'm sure I'll be in the market for a more powerful device.

EDIT: Bonus shot of what happens when I turn OFF all those torrents:
code:
    1111111111111111111111111111111111333336666666666666666666
    2222444443333388888222225555566666000003333377777888888888
100
 90
 80
 70                                             ****************
 60                                        *********************
 50                                        *********************
 40                                        *********************
 30                                   **************************
 20               *****     ************************************
 10 ************************************************************
   0....5....1....1....2....2....3....3....4....4....5....5....
             0    5    0    5    0    5    0    5    0    5
               CPU% per second (last 60 seconds)

Eletriarnation fucked around with this message at 17:15 on Jan 12, 2011
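The histogram above is easy to eyeball but awkward to compare between runs or to feed into a ticket. Here is an added example, not from the original post, that parses the two digit rows of `show processes cpu history` output back into integers (tens digit on the first row, units on the second, 4-character left margin) and reports the maximum, the mean and how many intervals exceeded a threshold. The sample text is the first per-second graph quoted in the post above; the 60-column width and the treatment of fully blank columns as missing samples are assumptions about how IOS lays the graph out.

```python
import re
from statistics import mean
from typing import Dict, List, Optional

# IOS prints a 3-character row label plus a space before each column,
# and 60 columns per graph (assumption; adjust WIDTH for other platforms).
MARGIN = 4
WIDTH = 60

# Sample copied from the "show proc cpu hist" output quoted in the post above.
SAMPLE = """\
    6777777777766666666666666677777777776666666666666667777777
    3000000000088888111116666600000111117777733333666661111111
100
 90
 80
 70  ***************     ********************     **************
 60 ************************************************************
 50 ************************************************************
 40 ************************************************************
 30 ************************************************************
 20 ************************************************************
 10 ************************************************************
   0....5....1....1....2....2....3....3....4....4....5....5....
             0    5    0    5    0    5    0    5    0    5
               CPU% per second (last 60 seconds)
"""


def _columns(line: str) -> str:
    """Drop the left margin and pad/truncate to WIDTH so both digit rows line up."""
    return line[MARGIN:].ljust(WIDTH)[:WIDTH]


def parse_cpu_history(text: str) -> Dict[str, List[Optional[int]]]:
    """Return {interval: values} for every graph in the output.

    interval is the word after 'CPU% per' (second, minute, hour).  The two
    lines directly above the '100' row are the tens and units digits.  A
    column that is blank on both rows is reported as None, because IOS prints
    nothing there both for 0% and for a sample that has not been taken yet.
    """
    lines = text.splitlines()
    graphs: Dict[str, List[Optional[int]]] = {}
    pending: Optional[List[Optional[int]]] = None
    for i, line in enumerate(lines):
        # the 100 row may carry asterisks in the per-minute graph, so match the prefix
        if line.startswith("100") and i >= 2:
            tens = _columns(lines[i - 2])
            ones = _columns(lines[i - 1])
            pending = []
            for t, o in zip(tens, ones):
                if t == " " and o == " ":
                    pending.append(None)
                else:
                    pending.append(int(t.replace(" ", "0")) * 10 + int(o.replace(" ", "0")))
        label = re.search(r"CPU% per (\w+)", line)
        if label and pending is not None:
            graphs[label.group(1)] = pending
            pending = None
    return graphs


def summarize(values: List[Optional[int]], threshold: int = 60) -> Optional[dict]:
    """Max, mean and count-over-threshold for the non-blank samples."""
    samples = [v for v in values if v is not None]
    if not samples:
        return None
    return {
        "max": max(samples),
        "mean": round(mean(samples), 1),
        "over_threshold": sum(1 for v in samples if v > threshold),
        "samples": len(samples),
    }


if __name__ == "__main__":
    for interval, values in parse_cpu_history(SAMPLE).items():
        print(interval, summarize(values))
```

Paste the full command output (all three graphs) and you get one entry per interval; the per-minute and per-hour graphs put the maximum in the digit rows, so `summarize` on those tells you the worst minute, not the average.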

Eletriarnation

Bardlebee posted:

I have been under the impression that when you have two devices in the same layer (switch to a switch or router to router) you use a cross over cable. In fact is it not in the CCNA that you would use a cross over cable to connect them? Of course, barring the fact that you can connect serial to serial on a router, this has been the norm.

I have been told in the past that you can connect straight through to switch to switch and it will auto-sense. I guess what I am asking is it best practice to use a cross over or a straight through? Additionally, if I see this in the CCNA I assume I would answer cross-over.

The CCNA will tell you: Switch to router or host: straight through. Switch to switch, or router/host to router/host: crossover.

Auto-MDIX is an optional part of the Gigabit standard, making it likely that a gigabit connection with anything will work with either, but as far as I am aware the vast majority of 100/10 connections will not auto-crossover.

Eletriarnation

Jonny 290 posted:

Man, the cheapest way for me to get a gigabit switch that runs ios in my bedroom closet is just to get a 3508 and a bunch of gbics off ebay, isn't it =/

I've been searching for an answer to this exact question too, and I'm pretty sure you're right. I'm probably going to give up and use a FastE switch and just have a little Mikrotik gigabit switch for the few devices that support it/need it.

Eletriarnation

Kind of an odd question, but does anyone know offhand about setting up network-to-host IPsec on an IOS router? I just read an appendix in the ROUTE quick reference about setting up site-to-site IPsec and it looks fairly straightforward, but the main ROUTE certification guide has less information than the quick reference and so I'm not sure how exactly I should alter the example configuration if I wanted to try this out on my home setup.

The quick reference guide goes through:
ISAKMP policy configuration
IPsec transform set configuration
Crypto ACL configuration
Crypto map configuration
Applying the crypto map to an interface
and interface ACLs (which is kind of elementary at this point).

It all looks good except that the crypto map configuration involves setting a peer address and I'm pretty sure that it doesn't work that way when I'm doing point-to-multipoint IPsec instead of tunneling over a point-to-point link. I searched around on Cisco's site but their basic configuration example there also involves a point-to-point tunnel, so I'm not really sure where to go except buying a VPN cert guide or something.

Also, are there any special concerns with doing this? I'm aware that my 1720 doesn't have a super-fast processor so I probably shouldn't try to max out my WAN link with a bunch of VPN tunnels, but I don't want to open up any huge security holes or anything like that.

Eletriarnation

Tremblay posted:

I don't understand what you are trying to do. Take a look at Remote Access (RA) VPNs. You are talking about L2L (LAN to LAN) here and I don't think that's what you need. You don't have to specify the ISAKMP peer by IP; you can just use 0.0.0.0 for any.

Oh! See, I didn't know that you can specify a range/subnet - the example only gives a single address. As you say, I am trying to set up a remote access VPN but all of the examples I've found are L2L so I was asking if that's an entirely different feature (that is, I can't do it on my little 1720) or if it's just a slightly different configuration.

Eletriarnation

Tremblay posted:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949ba.shtml

Or RTFM for your version of IOS. But yes RA is not configured identically to L2L.

Awesome - yeah, that's exactly what I needed, I just didn't know the proper search terms. Thanks!

Eletriarnation

workape posted:

Anyone with a Nexus environment since you have to make an alias for "wr mem" to work. Luckily you can just toss a "cop r s" in there. Although, don't ask your coworkers if they "coppers that damned switch" if they are going to reboot it. You will get funny looks.

In IOS XR, your commands don't even do anything until you write them! It was annoying when I was first getting used to it but config versioning can be really useful for debug/testing.

Eletriarnation

ragzilla posted:

Does 'commit' actually write the config to nvram? If so that's pretty neat (we're currently looking at some ASRs running XR for our new build, still debating 7600 vs. ASR).

I'm pretty sure it does, yes. Running-config and startup-config are the same in XR.

XR supports some other neat things that I find myself wishing regular IOS did - like CIDR notation and being able to patch a codebase on the fly without having to replace the entire image and often with no interruption in service at all. Of course, you need that when your image is 400MB and the time from initiating a reboot to resuming full functionality can exceed fifteen minutes.

ASRs are especially fun to reinstall code on - we had an RSP that wouldn't properly work as a hot standby, instead going into some kind of indeterminate state, and I decided to try completely wiping the installed code base and reinstalling from an image. Come to find out, the 9k doesn't actually support booting from flash... and the only way we could find out to do that was to move the entire base XR package over TFTP.

Of course, it seems to me that in a production environment you wouldn't ever actually need to install XR on a device from scratch, and with a fast connection doing it over TFTP didn't take THAT long (certainly not like Xmodeming a switch over 9600bps) but I remember being baffled why a device that cost tens of thousands of dollars can't boot off CF when an 1800 can.

EDIT: Like the previous poster, my vote (not very useful since I have no idea what your situation is) would be for the 9k, since I like working with IOX and presumably at some point not too long in the future they'll have a speed upgrade option like CRS-1 -> CRS-3.

Eletriarnation fucked around with this message at 06:05 on Mar 25, 2011

Eletriarnation

FatCow posted:

Is it just me or is that really lame on Cisco's part? They could have had 1+1 fan redundancy in the chassis but instead make it so that if one of two fan units fails the system fails.

The impression I got from the preceding conversation is that this isn't true, and Cisco's website claims that the power supply/cooling is fully redundant on all ASRs.

Eletriarnation

jbusbysack posted:

New thread title: The Cisco Questions Thread - Cheaper, Faster and Smarter than TAC.

Well, I guess this is a good time to mention that I'm a TAC new hire on the IOS XR team so... if anyone has any IOS XR questions, ask them, because if I don't know then I should probably learn.

Eletriarnation fucked around with this message at 22:44 on Jun 21, 2011

Eletriarnation

adrenaline_junket posted:

First time Cisco'er here.

I managed to snare two Catalyst 2900 XL routers? from work that were going to the tip otherwise. I had the idea of setting them up in a lab style fashion to get acquainted with the Cisco platform, but not sure where I should start.

I haven't fired them up yet as I don't have a PC (MacBook Pro guy here) and I also don't have the serial connector. I'm assuming that they will have the old settings from my work on there, so will probably need to factory reset and start over.

What's the more cost effective route here? Serial cable + USB dongle and then use that to access it via my Mac, or serial cable and old beater PC with a serial port on it?

Then what's the best IOS I can install on them? And where do they sit in the network chain? Everything else I have is consumer grade networking gear (ADSL, wireless, etc.)

I'd be keen to give it a bit of playing if only to satisfy the nerd in me. Just need a point in the right direction.

2900XLs are switches, Fast Ethernet if I recall correctly, and they originally ran CatOS I'm pretty sure. If you have any version of IOS on them, it's probably not worth changing because they're very old models, but from what I can tell the newest (and likely last) thing out for them is 12.0.5-WC17.

You'll probably be happier using a USB-serial adapter than buying a computer just for a serial port.

Eletriarnation

ragzilla posted:

I recommend against using WC17 if you plan to log into the switches on a semi-regular basis. WC10 is our standard for XL devices to avoid some wonderful (presumably AAA related) reload bugs on WC11-WC17.

Yeah, I was just searching cisco.com and repeating what Software Advisor says - my personal practice with a system that old would likely be to leave it with whatever code it had unless I needed a specific feature or was actually going to (why?) add it to a production network.

Of course, I'd upgrade it if it had CatOS too.

Eletriarnation

routenull0 posted:

Yeah I heard that there are many quality of life changes in the NX-OS and IOS-XR line. I believe one of them has already started the "commit 10" idea that Juniper uses to rollback the configuration in a set number of minutes instead of the ole trusty "reload in 10" I thought they were pushing IOS-XR to the 7600 line? Did that change? After I deployed a bunch of 7600s at my old ISP job, that was the rumor.

My knowledge of NX-OS barely extends beyond knowing it exists, but XR has a "commit confirmed [<#sec>|minutes <#min>]" command where you can commit the configuration changes for anywhere from 30 seconds to 5 minutes - at any time during that, you can do a regular "commit" to make things permanent.

I can't conclusively say it's not true and I'm no expert on the 7600 platform, but I haven't heard any indications of an XR release for it. If it did happen it would almost certainly work like the 12000, where many older/lower-end modules are unsupported because they don't have the proper architecture to run XR - you can't very well use a distributed operating system that runs on all linecards if some of your linecards are little more than switching ASICs tied to ports.

Eletriarnation

There's MPLS Layer 2 and 3 VPNs, I believe.

On an unrelated note...

code:
RP/0/RP0/CPU0:CRS-H#sh ipv4 int br | i Hundred
Wed Jul 13 12:19:45.884 EDT
HundredGigE0/4/0/0             unassigned      Up                    Up
Not sure what we're going to use this for exactly, but it's neat to see.

Eletriarnation

Zuhzuhzombie!! posted:

Yeah. Just submitted to TAC. New 3750's aren't registered under our warranty or whatever it's called so I had to "escalate" it. Hope that doesn't get to them cause me grief.

It just means that the Entitlement team needs to get involved for a bit to verify that you're clear - and then the case bounces back to the LAN Switching team, which handles it normally. No need for worry.

Eletriarnation

routenull0 posted:

I went through a 2hour presentation on IOS-XR with our SE's since we are potentially moving to AS9K's at a few sites and I must say that Cisco has fixed a few of my largest problems with Classic IOS in IOS-XR.

Finally we are no longer working on a live configuration!

This is also nice because you have lots of accounting for configuration changes. Yesterday I was checking out a lab setup I had and noticed that one of my BGP neighbors running XR had gone missing. I checked this device and figured out not only that someone had blown up my entire BGP config, but also who did it and when they did it. I rolled the chassis back to exactly how I left it, then sent them a nice email telling them not to do that. In IOS, that would be "dammit, who did this!?" followed by an hour of cursing while reconfiguring.

Eletriarnation

Zuhzuhzombie!! posted:

*notices memory leak on two insanely important pieces of equipment*

*submits TAC*

*gets response from TAC*

*gets second response from TAC agent who CC'd herself the first auto response*

*the second response is a notice saying TAC agent will be out of office until next Tuesday*


Fffffffff

Call in and say you have a system stability issue and want to raise the case severity to 2 or 1 depending on whether you need it fixed "today" or "now".

Eletriarnation

Kenfoldsfive posted:

You can look at a CCNA Security as a mid-level jump off point. Also don't forget the CCSP, though I'm really not sure what the difference between that and the CCNP Security is.

The CCNP Security replaces the CCSP, like the ROUTE and SWITCH replaced BSCI/BCMSN.

Eletriarnation

ragzilla posted:

I haven't had to dig into password recovery on XR platforms (CRS/ASR/GSRXR), I imagine it's a little more in depth.

It's similar to an IOS router; just use rommon commands to boot with an empty config. They have a quick guide here: https://supportforums.cisco.com/docs/DOC-15870

Eletriarnation fucked around with this message at 16:27 on Jun 18, 2012

Eletriarnation

Methanar posted:

Can someone write some words about why you would ever want to use a software router/firewall like BIRD or vyOS instead of a hardware Cisco or Juniper product?

I'd imagine upfront cost, expected load and need of manufacturer support are the main motivators.

There's actually at least one virtual router that Cisco makes itself:
http://www.cisco.com/c/en/us/products/collateral/routers/asr-9000-series-aggregation-services-routers/datasheet-c78-734034.html

I saw a presentation about this that I probably should have paid more attention to but I recall one of the use cases being "we want all the same features and CLI, but don't need the same scale/performance numbers that a physical box would provide."

Eletriarnation

Zero VGS posted:

I have a core switch with like 16 edge switches plugged into it. I have a MAC address of a device pulling a huge amount of bandwidth. What would be the most efficient commands to find out which port the mac address is on?

show mac-address-table

Eletriarnation

Zero VGS posted:

Er, I should specify it's HP Procurves... I don't see a mac-address-table command. I did "show mac-address [the mac address I want]" and it returns Port 19 and VLAN 16, I assume then there's a command to figure out the IP of whatever switch is on Port 19 so I can then Telnet into that and run show mac again?

Well, on Cisco devices you'd use "show arp" (maybe "show ip arp" depending on OS, don't remember) to see that. I don't know about Procurves.
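Chasing a MAC through a switched network is a two-step join: `show mac address-table` on the core tells you the port, and `show ip arp` (or `show arp`) gives you an IP to log into next. This added example, not from the original thread, does that join in Python over constructed output in the Cisco IOS formats; the sample lines, MAC addresses, VLANs and port names are made up. It normalizes MAC notation so a colon- or dash-separated address pasted from a flow report matches Cisco's dotted form, and it lists the other MACs learned on the same port, which is how you spot that a downstream switch (or a hypervisor) is hanging off it.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample output in Cisco IOS format; addresses and ports are made up.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  16    0011.2233.4455    DYNAMIC     Gi1/0/19
  16    0011.2233.aabb    DYNAMIC     Gi1/0/19
  16    0011.2233.ccdd    DYNAMIC     Gi1/0/19
  16    0050.56aa.0001    DYNAMIC     Gi1/0/3
  20    0050.56aa.0002    DYNAMIC     Gi1/0/4
Total Mac Addresses for this criterion: 5
"""

ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.16.0.1               -   0011.2233.ffff  ARPA   Vlan16
Internet  10.16.0.19              4   0011.2233.aabb  ARPA   Vlan16
Internet  10.16.0.57              0   0011.2233.4455  ARPA   Vlan16
Internet  10.20.0.12              2   0050.56aa.0002  ARPA   Vlan20
"""

# vlan, dotted mac, type, port  /  "Internet", ip, age, dotted mac, type, interface
_MAC_RE = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F.]{14})\s+\w+\s+(\S+)")
_ARP_RE = re.compile(r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+([0-9a-fA-F.]{14})\s+\w+\s+(\S+)")


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455; return dotted lower-case."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(hexdigits[i:i + 4] for i in (0, 4, 8))


def parse_mac_table(text: str) -> Dict[str, List[dict]]:
    """Map dotted MAC -> [{vlan, port}]; a MAC can legitimately show up in several VLANs."""
    table: Dict[str, List[dict]] = defaultdict(list)
    for line in text.splitlines():
        m = _MAC_RE.match(line)
        if m:
            table[m.group(2).lower()].append({"vlan": int(m.group(1)), "port": m.group(3)})
    return table


def parse_arp(text: str) -> Dict[str, str]:
    """Map dotted MAC -> IP from 'show ip arp' output."""
    return {m.group(2).lower(): m.group(1) for m in map(_ARP_RE.match, text.splitlines()) if m}


def locate(mac: str, mac_text: str, arp_text: str) -> Optional[dict]:
    """Find the port a MAC is learned on, its IP if ARP knows it, and its neighbours on that port."""
    key = normalize_mac(mac)
    table = parse_mac_table(mac_text)
    arp = parse_arp(arp_text)
    if key not in table:
        return None
    entry = table[key][0]
    same_port = sorted(
        other for other, entries in table.items()
        if other != key and any(e["port"] == entry["port"] for e in entries)
    )
    return {
        "mac": key,
        "vlan": entry["vlan"],
        "port": entry["port"],
        "ip": arp.get(key),
        # several MACs behind one access port usually means another switch or a
        # hypervisor hangs off it; any IPs among them are candidates to log into next
        "others_on_port": {m: arp.get(m) for m in same_port},
    }


if __name__ == "__main__":
    print(locate("00:11:22:33:44:55", MAC_TABLE, ARP_TABLE))
```

ARP only helps if the device on the far end has an address in a VLAN this switch routes for; a downstream switch's management IP may well be elsewhere, in which case `show cdp neighbors detail` on the port is the direct route to it.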

Eletriarnation

1000101 posted:

If you re-certify for one it'll go ahead and re-up them all. The recertification process is basically "go pass any CCIE written exam" so as long as you stay current on at least 1 technology you can maintain all of them. The only time you have to re-take a lab is when you let one expire.

Yeah, there are a lot of people inside of Cisco at least who have more than one and are trying for a new one every few years. As long as you can pass the written for the one you're trying for, it recerts you for everything you already have and you don't have to worry about it.

This also applies to lower certs like CCNA and CCNP - you can refresh them by passing the CCIE written, not that anyone cares too much about those earlier certs once you manage to pass the lab as well.

Eletriarnation fucked around with this message at 15:55 on Feb 10, 2016

Eletriarnation

It's pretty easy to set up a Linux machine running nfdump and nfsen, which are free. I don't know about performance but if you just need to handle a bit of traffic I've used them before and had no problems.

Eletriarnation

Bigass Moth posted:

But what if you don't know the bug ID going in, or that there even is a bug?

https://bst.cloudapps.cisco.com/bugsearch/?referring_site=mm Is this what you're looking for, or is it not what you mean?

Eletriarnation

I'm not sure I understand the situation, but if you have some information about the bug I can try and dig up the bugID for you if it's publicly viewable. If you still have the TAC engineer around he should be able to give you the bugID though.

Eletriarnation

Well, I think that's the way to do it. I searched just now when I provided the link and was able to find a bug I remembered from a few years back, so it definitely has some of them. The amount of detail in bug documentation varies though, so you might have problems getting a hit on a documented bug even if you're using keywords that make sense.

Eletriarnation

BiohazrD posted:

So I'm working for a small company and we have a bunch of remote users that tunnel in using ASAs. Our network is just kind of a mess in general and we don't really have anyone particularly knowledgeable about networking. I have a certification/continuing ed budget and thought it might be a good idea to pursue a CCNA so we at least have someone who knows how all this poo poo is supposed to work.

Are there any legitimate online courses/books/whatevers to get this thing started?

For CCNA it's relatively easy because there's one official book that covers the whole thing. There are some free materials out there too but they're more likely to be on a topic by topic basis - most people who put together a full course guide seem to want to get paid for it. I also enjoyed the Sybex guide written by Todd Lammle when I was working towards the CCNA and it seemed like a good number of people preferred it to the official one. Make sure that anything you buy is for the most recent version of the test, though - they usually change the test number for a new revision, so just be sure that matches.

If you specifically want ASA knowledge you may need to work towards the CCNA Security since the classic cert is just for the fundamental routing and switching topics. Having that basic R&S knowledge will help you with any networking task though.

Eletriarnation

I haven't worked on ASAs enough to feel that particular pain but I have recently started learning JunOS in a build that also has IOS-XR, and keeping those two straight when I've been working mostly on Nexus and vanilla IOS the past few months is making me kind of wish I had a GUI. Another abstraction layer is probably the last thing that's needed to add clarity though, and I don't know if Juniper even has one.

Eletriarnation

I'm not even sure that I'm following all that correctly and this would fix anything, but is it an option to use another device as a dedicated DHCP server instead of having to combine your VPN gateway with that function? Having DHCP and VPN both locked to only work on the default VLAN is kind of nuts.

Speaking as someone who has only really worked with Cisco and consumer gear though, the whole idea of a "router" that supports VLAN encapsulation but doesn't just let you tag L3 interfaces with whatever encapsulation you want seems pretty bad.

Eletriarnation
Apr 6, 2005


Does the switch on the other side also show Rx power? I've definitely seen fiber pairs with one side misconnected or broken and it looks up on one side. I don't think it could happen if you're using autonegotiation (which is built into and can't be disabled with 10G, but can with 1G) but I could be wrong.

Eletriarnation
Apr 6, 2005


Thanks Ants posted:

The far end is unfortunately poo poo and doesn't display that information. I am getting the guy on-site to make up LC loopback cable to test the SFPs out with.

Edit: Lol, took another look at the interface stats as opposed to just the SFP stats

code:
 Status and Counters - Port Counters for port 45
...
  Errors (Since boot or last clear) :
   FCS Rx          : 1                    Drops Tx        : 2,018,127
Think the Tx side has a problem somewhere. From the photos that have been sent through all the kit is covered in dust so I assume that someone on that site has no idea how to handle fibre.

So this looks like mystery solved. Thanks for the autoconfigure suggestion, I probably wouldn't have looked at the interface stats without being nudged in that direction.

Yeah, Tx drops sound like a failing port ASIC or maybe optic to me. I don't think that there's any way to detect problems with the physical medium from the Tx side so I would definitely be looking at hardware first with this.

Eletriarnation
Apr 6, 2005


adorai posted:

When I first started at this company 7 years ago, they had outsourced their WAN management. The company that did it used "redistribute connected" on any OSPF process. All across the internet I see people using "redistribute connected" on their ospf processes. Is this a normal thing? The first thing I did when we got rid of the outsourced management was remove redistribute connected, set passive-interface default, and specify the networks that should participate in OSPF. It seems lazy and quite frankly dumb to do that unless you have a really good reason for it. Am I right, or am I just anal?

You're right about default passive-interface, as someone could perform a blackholing/spoofing attack if they plugged into a non-passive network. If your only connections are to other devices you control though it doesn't seem like a big deal.

Redistributing connected shouldn't really be an issue unless you have such a large network or such low-end devices that scaling and performance is a real concern. You could make an argument for only advertising what needs to be advertised, but I would say that unless there's a reason not to advertise everything you should try to keep the config simple and maintainable with a simple redistribute over having lots of network statements.

Even in the case where you don't want to advertise everything, you could still make the case that redistributing connected through a route-map makes for a more maintainable configuration.

Eletriarnation fucked around with this message at 04:08 on May 17, 2016

Eletriarnation
Apr 6, 2005


Dalrain posted:

Yes, you're hitting on the correct reason you want to avoid lazy redistribute connected. They will all be "injected" as external, and depending on your metric type, the paths won't be calculated correctly for internal use. (E1 vs. E2) Passive and network statements are by far preferred for a "professional" OSPF environment.

Of course, if you've only got 5 devices and will literally never grow or have enterprise needs, it probably won't come up as an issue. Probably.

Yeah, that's true. You can set the metrics in a route-map if you're doing it that way instead of just redistributing everything blind, but that's arguably more work than just using network statements.
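To put the two OSPF posts above side by side in config form, here is an added example (constructed for this thread, not anyone's production config; hostnames, prefixes and interface names are made up): the lazy "redistribute connected" setup, the passive-interface/network-statement version, and the route-map middle ground that filters what gets redistributed and sets the metric type.

```cisco
! Constructed example, not from the thread. All addresses and interface names are made up.
!
! Lazy version as described by adorai: uplinks are active OSPF interfaces, and every
! other connected subnet is leaked in as an external route (O E2 by default, so the
! internal path cost is ignored when comparing paths). Nothing is passive, so any
! interface matched by a network statement will accept hellos from whatever plugs in.
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
 redistribute connected subnets
!
! Tightened version: default passive, adjacencies only on the two named uplinks,
! and the chosen prefixes advertised as intra-area (O) routes via network statements.
router ospf 1
 passive-interface default
 no passive-interface GigabitEthernet0/0
 no passive-interface GigabitEthernet0/1
 network 10.0.0.0 0.0.0.3 area 0
 network 10.0.0.4 0.0.0.3 area 0
 network 192.168.10.0 0.0.0.255 area 0
 network 192.168.20.0 0.0.0.255 area 0
!
! Route-map middle ground from Eletriarnation's reply: still redistribute connected,
! but only the prefixes in the list, and as type-1 externals (O E1) so the internal
! cost to the redistributing router is added and paths are compared sensibly.
ip prefix-list CONNECTED-TO-OSPF seq 10 permit 192.168.10.0/24
ip prefix-list CONNECTED-TO-OSPF seq 20 permit 192.168.20.0/24
!
route-map CONNECTED-TO-OSPF permit 10
 match ip address prefix-list CONNECTED-TO-OSPF
 set metric-type type-1
!
router ospf 1
 passive-interface default
 no passive-interface GigabitEthernet0/0
 no passive-interface GigabitEthernet0/1
 network 10.0.0.0 0.0.0.3 area 0
 network 10.0.0.4 0.0.0.3 area 0
 redistribute connected subnets route-map CONNECTED-TO-OSPF
```

"show ip ospf interface brief" lists which interfaces are actually active versus passive, and "show ip route ospf" shows the resulting routes as O, O E1 or O E2 so you can confirm which of the three behaviours you ended up with.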

Eletriarnation
Apr 6, 2005


In my experience if you just say something like "hey, we're depending on this to replace our previous firewall and it's not really working right now, which is a significant impact to our operations - could you make this ticket severity 2?" then you should be fine. Policy is mostly that the customer defines the priority, so you shouldn't really get pushback as long as you have reasons that match the definitions of the different severity levels and are yourself responsive when you want a more urgent severity.

Eletriarnation
Apr 6, 2005


Docjowles posted:

Also, have fun getting assigned a tech in some random-rear end place. We recently opened a TAC case for our ASA and got a tech in Hawaii or something. "Yes, I would be happy to help you with this. Please join my WebEx at 2AM EST and "

Got that reassigned to someone at least in the continental US, thankfully.

A lot of this depends on when you open the ticket and what the product is. Some products are handled by multiple teams and might have, for example, a bunch of people on different shifts in Bangalore or Costa Rica who handle most of the common issues and kick up uncommonly complex issues or those requiring troubleshooting with development to a smaller team elsewhere. Other products only have one support team on shift at any given time and that team takes all cases during this shift. So for example if you open a case at 10AM EST it might go to the RTP (NC) team, but then 6 hours later it might go to San Jose, then Sydney, then Brussels, then back to RTP.

I haven't worked with all of the support models so it's hard to speak in general, but it's probably a good idea in general to open the case around the shift when you would want to work on it (so don't do it as the last thing before you leave on a long day), assuming that it's not an urgent, open-it-ASAP sort of thing. It also couldn't hurt to mention your contact hours in your initial communication.
