ElCondemn
Aug 7, 2005


Herv posted:

RANCID should do what you want. For hand storing multiple copies of documents you can use Visual Source Safe or CVS or some other version control system.

RANCID's Clogin is next to godly.

Another recommendation for RANCID, it's essentially a bunch of scripts that run with crontab and dump your configs into CVS or SVN. I have mine set up to be redundant so it'll keep all changes stored in a semi-fault tolerant way. It's great if you have more than one net admin: if any changes are made you're emailed, and if it's wrong or stupid you can totally know about it and revert changes if you have to.

It also works with all kinds of switches and network gear and it's free.
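The "you're emailed when something changes" part of a RANCID setup is only useful if the change report makes the risky edits stand out. As an added example that is not RANCID's own code, the script below diffs two constructed config snapshots with difflib and tags the changed lines that touch credentials, SNMP communities, ACLs or vty access; the list of prefixes it watches is an assumption about what a reviewer wants highlighted, not a RANCID setting.

```python
"""Config-change review in the spirit of RANCID: diff two snapshots of a
device config and flag the lines that touch security-relevant stanzas.
Added example, not RANCID code. Both snapshots are constructed; the
SENSITIVE table is an assumed reviewer policy."""
import difflib
import re

# Constructed "before" snapshot of an IOS-style config.
CONFIG_BEFORE = """\
hostname edge1
enable secret 5 $1$constructed$hash
username admin privilege 15 secret 5 $1$constructed$hash
snmp-server community readonly RO
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input ssh
"""

# Constructed "after" snapshot: a new RW community, a loosened vty ACL,
# telnet re-enabled on the vty lines, and one harmless description.
CONFIG_AFTER = """\
hostname edge1
enable secret 5 $1$constructed$hash
username admin privilege 15 secret 5 $1$constructed$hash
snmp-server community readonly RO
snmp-server community private RW
access-list 10 permit any
interface FastEthernet0/1
 description uplink to core
line vty 0 4
 access-class 10 in
 transport input telnet ssh
"""

# Assumed list of config prefixes worth calling out: (pattern, label).
# Patterns are matched against the line with indentation stripped.
SENSITIVE = (
    (re.compile(r"^snmp-server community "), "snmp community"),
    (re.compile(r"^username "), "local user"),
    (re.compile(r"^enable (secret|password)"), "enable credential"),
    (re.compile(r"^(ip )?access-list "), "acl"),
    (re.compile(r"^access-class "), "vty acl"),
    (re.compile(r"^transport input "), "vty transport"),
    (re.compile(r"^aaa "), "aaa"),
    (re.compile(r"^crypto "), "crypto"),
)


def classify(line):
    """Return the label for a sensitive config line, or None."""
    stripped = line.strip()
    for pattern, label in SENSITIVE:
        if pattern.search(stripped):
            return label
    return None


def diff_configs(before, after, name="device"):
    """Unified diff of two config snapshots, as a list of lines."""
    return list(difflib.unified_diff(
        before.splitlines(), after.splitlines(),
        fromfile=f"{name}.old", tofile=f"{name}.new", lineterm=""))


def review_changes(before, after, name="device"):
    """Return (diff_lines, findings); each finding is
    (change, label, text) where change is '+' (added) or '-' (removed)."""
    diff = diff_configs(before, after, name)
    findings = []
    for line in diff:
        # Skip file headers, hunk headers and context lines.
        if line.startswith(("+++", "---", "@@")) or line[:1] not in ("+", "-"):
            continue
        label = classify(line[1:])
        if label:
            findings.append((line[0], label, line[1:].strip()))
    return diff, findings


if __name__ == "__main__":
    diff, findings = review_changes(CONFIG_BEFORE, CONFIG_AFTER, "edge1")
    print("\n".join(diff))
    print("\nSecurity-relevant changes:")
    for change, label, text in findings:
        print(f"  {change} [{label}] {text}")
```

On the constructed snapshots the report singles out the new RW community, the ACL widened to `permit any` and the vty transport change, while the interface description passes through unflagged; in a real deployment the findings list is what you would put at the top of the change e-mail, above the raw diff.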


jwh
Jun 12, 2002

Just received the first of my two 881s, and thought maybe people would be interested in how they compare to the 871s.

They're


code:
Cisco 871 (MPC8272) processor (revision 0x300) with 118784K/12288K bytes of memory.
Processor board ID FHK123825SE
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
5 FastEthernet interfaces
128K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Intel Strataflash)
code:
Cisco 881 (MPC8300) processor (revision 0x100) with 249856K/12288K bytes of memory.
Processor board ID FTX132383NH

5 FastEthernet interfaces
256K bytes of non-volatile configuration memory.
125440K bytes of ATA CompactFlash (Read/Write)
So twice the RAM, twice the NVRAM, lots more onboard flash. Only one USB slot though, instead of two on the 871.

Here's where things get interesting: the 881 is running C880DATA-UNIVERSALK9-M, which is a combination of both the ADVSECURITY and ADVIPSERVICES IOS images. You enable the license for ADVIPSERVICES with the following:
code:
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#license boot ?
  module  which module to boot

Router(config)#license boot module ?
  c880-data  license boot module

Router(config)#license boot module c88
Router(config)#license boot module c880-data ?
  level  which level to boot

Router(config)#license boot module c880-data level ?
  advipservices  advipservices level
  advsecurity    advsecurity level

Router(config)#license boot module c880-data level advip
Router(config)#license boot module c880-data level advipservices ?
  <cr>

Router(config)#license boot module c880-data level advipservices
PLEASE  READ THE  FOLLOWING TERMS  CAREFULLY. INSTALLING THE LICENSE OR
LICENSE  KEY  PROVIDED FOR  ANY CISCO  PRODUCT  FEATURE  OR  USING SUCH
PRODUCT  FEATURE  CONSTITUTES  YOUR  FULL ACCEPTANCE  OF  THE FOLLOWING
TERMS. YOU MUST NOT PROCEED FURTHER IF YOU ARE NOT WILLING TO  BE BOUND
BY ALL THE TERMS SET FORTH HEREIN.

You hereby  acknowledge  and  agree that  the  product feature  license
is terminable and that the product  feature  enabled  by  such  license
may  be  shut  down or  terminated by  Cisco  after  expiration of  the
applicable  term  of  the license  (e.g., 30-day  trial  period). Cisco
reserves the  right to terminate or shut down  any such product feature
electronically  or by  any other  means available. While alerts or such
messages  may  be provided, it is  your sole  responsibility to monitor
your terminable  usage of any  product  feature enabled by  the license
and to ensure that your systems and  networks are prepared for the shut
down of the product feature. You acknowledge  and agree that Cisco will
not have any liability  whatsoever for  any damages, including, but not
limited to, direct, indirect, special, or consequential damages related
to any product  feature  being shutdown or terminated. By clicking  the
"accept" button  or typing "yes" you are  indicating  you have read and
agree to be bound by all the terms provided herein.

ACCEPT? [yes/no]: yes
Router(config)#
*Jul  7 18:14:47.395: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = c880-data Next reboot level = advipservices and License = advipservices
*Jul  7 18:14:47.451: %LICENSE-6-EULA_ACCEPTED: EULA for feature advipservices 1.0 has been accepted. UDI=CISCO881-K9:FTX132383NH; StoreIndex=0:Evaluation License Storage
Router(config)#
Router(config)#exi
Router#show license
Index 1 Feature: advipservices
        Period left: 8  weeks 4  days
        License Type: Evaluation
        License State: Active, Not in Use, EULA accepted
        License Priority: Low
Index 2 Feature: advsecurity
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Priority: Medium

Router#
*Jul  7 18:15:00.807: %SYS-5-CONFIG_I: Configured from console by console
Ugh. On-box licensing here we come. What could possibly go wrong?

Bonus picture of 881 compared to 871:

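The "what could possibly go wrong" with on-box licensing is an evaluation feature quietly expiring. As an added example (not Cisco tooling), the parser below reads the `show license` output quoted in the post into a structure and reports evaluation licenses that are in use or close to running out; the 28-day warning threshold is an assumption.

```python
"""Parse IOS 'show license' output and flag evaluation licenses before an
on-box feature expires. Added example, not Cisco's own tooling. The sample
output is the one quoted in the 881 post; warn_days is an assumed threshold."""
import re

SHOW_LICENSE = """\
Index 1 Feature: advipservices
        Period left: 8  weeks 4  days
        License Type: Evaluation
        License State: Active, Not in Use, EULA accepted
        License Priority: Low
Index 2 Feature: advsecurity
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Priority: Medium
"""

FEATURE_RE = re.compile(r"^Index\s+\d+\s+Feature:\s+(\S+)")
FIELD_RE = re.compile(r"^\s+([A-Za-z ]+?):\s+(.*)$")


def period_to_days(text):
    """'8  weeks 4  days' -> 60; 'Life time' -> None (no expiry)."""
    if text.strip().lower() in ("life time", "lifetime"):
        return None
    weeks = days = 0
    m = re.search(r"(\d+)\s+weeks?", text)
    if m:
        weeks = int(m.group(1))
    m = re.search(r"(\d+)\s+days?", text)
    if m:
        days = int(m.group(1))
    return weeks * 7 + days


def parse_show_license(text):
    """Return {feature: {field: value, ..., 'days_left': int | None}}."""
    features = {}
    current = None
    for line in text.splitlines():
        m = FEATURE_RE.match(line)
        if m:
            current = m.group(1)
            features[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key, value = m.group(1).strip(), m.group(2).strip()
            features[current][key] = value
            if key == "Period left":
                features[current]["days_left"] = period_to_days(value)
    return features


def license_warnings(features, warn_days=28):
    """Evaluation licenses that are in use, or expire within warn_days."""
    warnings = []
    for name, info in features.items():
        if info.get("License Type") != "Evaluation":
            continue
        days = info.get("days_left")
        state = info.get("License State", "")
        # 'Not in Use' contains a lowercase 'in', so match the exact phrase.
        in_use = "In Use" in state and "Not in Use" not in state
        if in_use:
            warnings.append(f"{name}: evaluation license in use, {days} days left")
        elif days is not None and days <= warn_days:
            warnings.append(f"{name}: evaluation license expires in {days} days")
    return warnings


if __name__ == "__main__":
    feats = parse_show_license(SHOW_LICENSE)
    for name, info in feats.items():
        print(name, info["License Type"], info["days_left"])
    print(license_warnings(feats, warn_days=90))
```

Run against the quoted output it reports advipservices as a 60-day evaluation that is not yet in use and advsecurity as permanent; the moment `license boot` actually switches the box to the evaluation level, the same check starts warning.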

tortilla_chip
Jun 13, 2007

k-partite
Is there any reason that one wouldn't have full mesh for iBGP? I've inherited a scenario where everything is meshed together with the exception of the core boxes.

code:
Border1---Border2
  |\        /|
  | \      / |
  |  \    /  |
  |   \  /   |
  |    \/    |
  |    /\    |
  |   /  \   |
  |  /    \  |
  | /      \ |
  |/        \|
 Core1     Core2

Richard Noggin
Jun 6, 2005
Redneck By Default

Herv posted:

RANCID should do what you want. For hand storing multiple copies of documents you can use Visual Source Safe or CVS or some other version control system.

RANCID's Clogin is next to godly.

I just installed this, and it's pretty sweet. Thanks!

Herv
Mar 24, 2005

Soiled Meat

jwh posted:

Ugh. On-box licensing here we come. What could possibly go wrong?

Looks like 'Party over Wayne'. I wish they left this to their firewalls.

Tony Montana
Aug 6, 2005

by FactsAreUseless

Herv posted:

RANCID should do what you want. For hand storing multiple copies of documents you can use Visual Source Safe or CVS or some other version control system.

RANCID's Clogin is next to godly.

Is there something like this for the Windows platform?

How much poo poo am I going to cop using Windows? I've done it my whole life, I've developed in it at University, I design and support Windows networks in my current role (AD, Win2k3 + Win2k8, I'm not a helpdesk guy with mad Office skills) and I've always used it. Obviously I'm really comfortable there and pretty much anything that happens or goes wrong I usually know what to do.

As I'm moving towards doing network engineering as my main gig, it's becoming increasingly obvious I'm usually the only one in the team using MS. Now I know enough IOS and spend a lot of time there, I can see the benefits of the CLI interface over a GUI and appreciate knowing more about how something actually works rather than following wizards and hitting 'next'.

Do I need to start down the open source road to have credence as a 'real' networking guy? Am I going to try and leave my current job with my new CCNA and the experience I've got, to find most employers looking at me weird when I say 'oh no, I've never used UNIX/Linux'. Most of the ISP Cisco guys I talk to don't even have Windows workstations if they wanted them, it's all UNIX.

ate shit on live tv
Feb 15, 2004

by Azathoth
As long as you have a good terminal program (I like SecureCRT), the host OS doesn't matter in the slightest. People at Cisco use OS X, UNIX, and Windows, it really doesn't matter.

Aside from programs like RANCID or whatever which are designed to make your life easier managing large networks, you can organize your devices however you want. When I was working in a lab with a couple hundred devices, I had a spreadsheet and a couple of directories on my laptop to keep them organized. That coupled with the sorted TFTP server was enough for my needs, but then again I was only working with a team of maybe 4 others, so we didn't step on each other's toes very often at all, and we were all local.

I really wouldn't worry about your "cred", just make sure that you are using the right tools for the job, and if they don't exist create them.

Herv
Mar 24, 2005

Soiled Meat

Tony Montana posted:

Am I going to try and leave my current job with my new CCNA and the experience I've got, to find most employers looking at me weird when I say 'oh no, I've never used UNIX/Linux'. Most of the ISP Cisco guys I talk to don't even have Windows workstations if they wanted them, it's all UNIX.

To be honest it does sound a bit weird to me, but not crazy. Especially if you naturally don't like being confused and befuddled and prefer a comfort zone. Even with a woman to keep happy I have lost many a weekend deep diving into something new.

One of the main draws for me is the challenge of 'I bet I can get this to do everything that <x> did, it's just a little different'.

I have lost many a weekend on unix/linux, sys-v/bsd adventure. In truth I lost nothing, gained a lot! Maybe I am a 'dented can' but I will not lie, I love immersing myself in things, and unix fits the bill sometimes.

http://admin.com/

The LSAH and USAH are probably worth their weight in gold to you right now. Read them like the holy books they are. ;)

jwh
Jun 12, 2002

Unix is good to know, but that's mostly because network people have historically been saddled with a handful of network services platforms, and those platforms have often been Unix based. BIND boxes, for instance. A handful of commercial firewall offerings still run on Unix underpinnings.

So it's good to know, but probably not as essential as it once was.

I'm a Windows on the desktop guy all the way, and that's not a dig on OSX or Unix, it's just easier to have our Systems group reimage my machine or give me a new one when I blow it up or spill coffee on it.

ElCondemn
Aug 7, 2005


My philosophy is to use whatever you know and like, and most importantly gets the job done on your desktop, but for servers and services you use what makes sense for your environment. If you work for a company that has mostly Windows servers try to keep things simple and the same. The more varied your environments, the more you'll have to maintain in terms of updates, hot fixes and security.

I tend to let the developers or whoever dictate what kinds of systems they want to use for their servers and make suggestions based on what I know.

I would however suggest you at least be comfortable with BASH because more often than not you will eventually run into a device that is based on UNIX/Linux/BSD (Load Balancers, DDoS Mitigators, NetFlow Appliances, etc.).

Personally I use mainly OSX and sometimes Windows but I know plenty of net admins that use Linux only and Windows only.

Also as for something like RANCID for windows... I haven't really used many but I think SolarWinds has something but it costs money.

Richard Noggin
Jun 6, 2005
Redneck By Default

Herv posted:

crypto map help

Thanks for this, it works perfectly now.

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE

Powercrazy posted:

As long as you have a good terminal program (I like SecureCRT), the host OS doesn't matter in the slightest. People at Cisco use OS X, UNIX, and Windows, it really doesn't matter.

I really wouldn't worry about your "cred", just make sure that you are using the right tools for the job, and if they don't exist create them.

Unless you have to use loving CTC. To hell with learning TL1.

I'd prefer Windows mostly because if I'm having trouble most likely it's not reproducible from my workstation and I'm SSHing into something else anyhow to troubleshoot from there, so the native tools disadvantage isn't as big.

ate shit on live tv
Feb 15, 2004

by Azathoth
What are you talking about? TL1 is a perfectly logical language.

act-user::CISCO15:100::otbu+1;
rtrv-cond-all:::100;
apply:::100::rvrt;

Type that in on a few of your non-redundant nodes and laugh as your "five 9's" become 3, and then some service provider sues you for violating the SLA.

Though seriously, if you are managing 20+ 454's learning how to do some basic stuff with TL1 and then scripting it all pays off big time.

Hell just learning VX Works can be pretty nice.

ate shit on live tv fucked around with this message at 17:01 on Jul 9, 2009

Richard Noggin
Jun 6, 2005
Redneck By Default
Anyone familiar with SLAs on an ASA 5505? My SLA is working (somewhat), but the debug sla monitor trace command does not produce any results whatsoever. I'm waiting on the SmartNET info from the customer so I can call TAC, but wanted to see if anyone else has seen this.

ragzilla
Sep 9, 2005
don't ask me, i only work here


FatCow posted:

Unless you have to use loving CTC. To hell with learning TL1.

I'd prefer Windows mostly because if I'm having trouble most likely it's not reproducible from my workstation and I'm SSHing into something else anyhow to troubleshoot from there, so the native tools disadvantage isn't as big.

CTC uses Java and you can get it to run on just about anything (although it can be pretty picky about JREs on Linux on older code, the 7 code is pretty forgiving).

Herv
Mar 24, 2005

Soiled Meat
Cisco short question:

For those with full routes, how much memory are you currently using?

What does your "BGP using <21603220> total bytes of memory" say?

Just curious, thanks.

Richard Noggin posted:

Thanks for this, it works perfectly now.

The thread never loses. The thread always wins!

ragzilla
Sep 9, 2005
don't ask me, i only work here


Herv posted:

Cisco short question:

For those with full routes, how much memory are you currently using?

What does your "BGP using <21603220> total bytes of memory" say?

Just curious, thanks.


The thread never loses. The thread always wins!

code:
ASH>show ip bgp summ
284277 network entries using 34397517 bytes of memory
628790 path entries using 32697080 bytes of memory
219285/54989 BGP path/bestpath attribute entries using 16665660 bytes of memory
96838 BGP AS-PATH entries using 2542600 bytes of memory

CHI>show ip bgp summ
284309 network entries using 34401389 bytes of memory
612438 path entries using 31846776 bytes of memory
212939/53786 BGP path/bestpath attribute entries using 16183364 bytes of memory
93740 BGP AS-PATH entries using 2469600 bytes of memory
Both are 2 full feeds + ~50 peering sessions + iBGP prefixes (~350)

Herv
Mar 24, 2005

Soiled Meat

ragzilla posted:

code:
ASH>show ip bgp summ
284277 network entries using 34397517 bytes of memory
628790 path entries using 32697080 bytes of memory
219285/54989 BGP path/bestpath attribute entries using 16665660 bytes of memory
96838 BGP AS-PATH entries using 2542600 bytes of memory

CHI>show ip bgp summ
284309 network entries using 34401389 bytes of memory
612438 path entries using 31846776 bytes of memory
212939/53786 BGP path/bestpath attribute entries using 16183364 bytes of memory
93740 BGP AS-PATH entries using 2469600 bytes of memory
Both are 2 full feeds + ~50 peering sessions + iBGP prefixes (~350)

Interesting. If my math is correct (doubtful) ASH is using 82 MB memory and CHI is using just under 81 MB for BGP. I was expecting closer to 256 MB, although I haven't looked at a full table in 9 years or so.

Thanks for the numbers.

jwh
Jun 12, 2002

Herv posted:

Interesting. If my math is correct (doubtful) ASH is using 82 MB memory and CHI is using just under 81 MB for BGP. I was expecting closer to 256 MB, although I haven't looked at a full table in 9 years or so.

Thanks for the numbers.

Are you confusing the memory size of the BGP RIB with the installed FIB? On hardware forwarding platforms, it's the installed FIB which often teetered on the edge of 256k entries, which was the TCAM limit on a number of platforms such as Sup32 or non XL 720s (I think).

Richard Noggin
Jun 6, 2005
Redneck By Default

jwh posted:

Are you confusing the memory size of the BGP RIB with the installed FIB? On hardware forwarding platforms, it's the installed FIB which often teetered on the edge of 256k entries, which was the TCAM limit on a number of platforms such as Sup32 or non XL 720s (I think).

You know jwh, I hope you make a fuckton of money. Your knowledge of this stuff is insane.

jwh
Jun 12, 2002

Richard Noggin posted:

You know jwh, I hope you make a fuckton of money. Your knowledge of this stuff is insane.

Eh, I do okay. I'm pretty much right in the middle of the pay-scale bell curve for a tier 3 network engineer living in a tertiary market. If I went and got a CCNA or CCNP I could probably rake more dollars. Or if I moved to a city.

There are a lot of people here in SH/SC that know a lot. It's pretty nice that a forum I would read anyway also has good network people hanging out.

Herv
Mar 24, 2005

Soiled Meat

jwh posted:

Are you confusing the memory size of the BGP RIB with the installed FIB? On hardware forwarding platforms, it's the installed FIB which often teetered on the edge of 256k entries, which was the TCAM limit on a number of platforms such as Sup32 or non XL 720s (I think).

I confuse easily for sure, but yes I was asking about the Active BGP Entries (FIB). In short, how much memory was taken up by the actual routing table. Do you know how to check the size of the RIB? Show ip cef <something?>

When I compare my active BGP routing memory allocation to the global process, the memory overhead is certainly more globally (as you would expect).

Just an example:

code:
Router#sh ip bgp sum
BGP router identifier 209.230.198.x, local AS number 26xxx
BGP table version is 278667, main routing table version 278667
109218 network entries using 12778506 bytes of memory
109222 path entries using 5679544 bytes of memory
21130/21128 BGP path/bestpath attribute entries using 2620120 bytes of memory
18596 BGP AS-PATH entries using 533756 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 21611926 total bytes of memory   <-- this was the main metric I was interested in.
BGP activity 134215/24994 prefixes, 138201/28979 paths, scan interval 60 secs
So this says 20.6 MB to me for the FIB (Partial routes - Sprint)

code:
Router#sh proc mem | inc BGP
 229   0  105248420     539188   55581840          0          0 BGP Router
 231   0          0   47551452       6972          0          0 BGP I/O
 232   0          0      65588       9972          0          0 BGP Scanner
So this says (to me) BGP Router has allocated 100MB, with 53MB in use.

What dark things are going on inside the BGP process?

Cheers

e:

jwh posted:

Eh, I do okay. I'm pretty much right in the middle of the pay-scale bell curve for a tier 3 network engineer living in a tertiary market. If I went and got a CCNA or CCNP I could probably rake more dollars. Or if I moved to a city.

You are not alone on that one, (no certs) my CCNA was based on the Introduction to Cisco Router Configuration curriculum, and my CCNP was based on the ACRC (1998-1999). Your average CCNA today would probably light me up with new facts and information, and remembering stuff I had forgotten from lack of use.

One of these days... I might just dust off that horse again. Screw the city though.

Herv fucked around with this message at 20:14 on Jul 9, 2009

jwh
Jun 12, 2002

Herv posted:

I confuse easily for sure, but yes I was asking about the Active BGP Entries (FIB). In short, how much memory was taken up by the actual routing table. Do you know how to check the size of the RIB? Show ip cef <something?>
Well, on a hardware forwarding platform (i.e. 6500) you can use 'show mls cef summary' to show how many routes and of what type are installed into CEF (i.e., FIB).

On both hardware and software forwarding platforms, use 'show ip route summary' to list the number of routes and size of the RIBs.

Obviously you don't have the FIB limitation on software forwarding boxes, and are primarily RAM limited instead.

Ragz probably has a much better understanding of this than I do, since he has multiple full feeds to hardware forwarding platforms, whereas I don't have any full feeds these days.

Herv
Mar 24, 2005

Soiled Meat

jwh posted:

Well, on a hardware forwarding platform (i.e. 6500) you can use 'show mls cef summary' to show how many routes and of what type are installed into CEF (i.e., FIB).

On both hardware and software forwarding platforms, use 'show ip route summary' to list the number of routes and size of the RIBs.

Obviously you don't have the FIB limitation on software forwarding boxes, and are primarily RAM limited instead.

Ragz probably has a much better understanding of this than I do, since he has multiple full feeds to hardware forwarding platforms, whereas I don't have any full feeds these days.
Yep, I am just using a software router for this, so my memory is under scrutiny here.

The show ip route summary is what threw me off the trail actually. I was expecting to see a much larger metric for the RIB. Either that or I am reading this incorrectly. Was going to post it in the last one but the numbers didn't help me.

code:
Router#sh ip route summary
IP routing table name is Default-IP-Routing-Table(0)
IP routing table maximum-paths is 16
Route Source    Networks    Subnets     Overhead    Memory (bytes)
connected       1           7           576         1088
static          1           0           72          136
eigrp 1         0           14          1008        1904
bgp 26xxx       55029       54103       7857504     14856232
  External: 108400 Internal: 732 Local: 0
internal        1483                                1714348
Total           56514       54124       7859160     16573708
Removing Queue Size 0
That's ok though, I am not losing sleep over it, I am just going to watch the BGP Router process since it seems to be the one place to check for global memory allocation related to BGP.

Ragz, if you have a chance could you give us a 'show proc mem | inc BGP' please?

Thanks folks.

jwh
Jun 12, 2002

Herv posted:

The show ip route summary is what threw me off the trail actually. I was expecting to see a much larger metric for the RIB. Either that or I am reading this incorrectly. Was going to post it in the last one but the numbers didn't help me.

Actually, I see what you mean; it looks like the held column for BGP in 'show proc mem' is roughly twice what is reported in 'show ip bgp su'. I don't know enough about IOS internals to know why that is.

ragzilla
Sep 9, 2005
don't ask me, i only work here


Herv posted:

Yep, I am just using a software router for this, so my memory is under scrutiny here.

The show ip route summary is what threw me off the trail actually. I was expecting to see a much larger metric for the RIB. Either that or I am reading this incorrectly. Was going to post it in the last one but the numbers didn't help me.

That's ok though, I am not losing sleep over it, I am just going to watch the BGP Router process since it seems to be the one place to check for global memory allocation related to BGP.

Ragz, if you have a chance could you give us a 'show proc mem | inc BGP' please?

Thanks folks.

code:
ASH>show proc mem | inc BGP
 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
 363   0 1385820000  218894820      10780         84         84 BGP Scheduler   
 444   0  879578696  800301496  222073004       1331       1331 BGP Router      
 489   0  298282488    5911304       9988    9935041    9935041 BGP I/O         
 498   0          0    1303796       9988          0          0 BGP Scanner     
 499   0          0       2056       6988          0          0 BGP Event   

ASH>show ip route summ
bgp xxxx        132131      151958      0           14781088    48863308
  External: 284073 Internal: 16 Local: 0
The BGP R process definitely holds a lot more memory than show ip bgp summ would indicate, the number in show proc mem is definitely authoritative for how much memory it's holding onto. Our number is inflated a bit because all our peering prefixes (although not our transit ones) have soft reconfig turned on (although I think everyone supports route refresh these days so we can probably turn it off), but memory's cheap on the RSP720.
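Herv's "if my math is correct" figure and the 'show proc mem' Holding column above are the two numbers this sub-thread keeps comparing, so here they are computed rather than eyeballed. This is an added example, not IOS tooling: it sums the "using N bytes of memory" lines of `show ip bgp summary` (honouring a "BGP using N total bytes" line when one is present, as in Herv's partial-route output) and reads the BGP rows of `show processes memory`, using the ASH output ragzilla posted and the four component lines of Herv's router as samples.

```python
"""Put 'show ip bgp summary' memory and 'show proc mem | inc BGP' on one
scale. Added example, not Cisco tooling. ASH_* samples are ragzilla's
output as quoted above; PARTIAL_BGP_SUMMARY is Herv's, trimmed to the
memory lines."""
import re

ASH_BGP_SUMMARY = """\
ASH>show ip bgp summ
284277 network entries using 34397517 bytes of memory
628790 path entries using 32697080 bytes of memory
219285/54989 BGP path/bestpath attribute entries using 16665660 bytes of memory
96838 BGP AS-PATH entries using 2542600 bytes of memory
"""

ASH_PROC_MEM = """\
ASH>show proc mem | inc BGP
 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
 363   0 1385820000  218894820      10780         84         84 BGP Scheduler
 444   0  879578696  800301496  222073004       1331       1331 BGP Router
 489   0  298282488    5911304       9988    9935041    9935041 BGP I/O
 498   0          0    1303796       9988          0          0 BGP Scanner
 499   0          0       2056       6988          0          0 BGP Event
"""

# Herv's partial-route router: component lines plus the reported total.
PARTIAL_BGP_SUMMARY = """\
109218 network entries using 12778506 bytes of memory
109222 path entries using 5679544 bytes of memory
21130/21128 BGP path/bestpath attribute entries using 2620120 bytes of memory
18596 BGP AS-PATH entries using 533756 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 21611926 total bytes of memory
"""

BYTES_RE = re.compile(r"^(\S+)\s+(.*?) using (\d+) bytes of memory")
TOTAL_RE = re.compile(r"^BGP using (\d+) total bytes of memory")
# PID TTY Allocated Freed Holding Getbufs Retbufs Process
PROC_RE = re.compile(r"^\s*(\d+)\s+\d+\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")

MIB = 1024 * 1024


def bgp_summary_memory(text):
    """Return ({category: bytes}, total_bytes). The router's own total line
    wins when present; otherwise the categories are summed."""
    parts, total = {}, None
    for line in text.splitlines():
        m = TOTAL_RE.match(line)
        if m:
            total = int(m.group(1))
            continue
        m = BYTES_RE.match(line)
        if m:
            parts[m.group(2).strip()] = int(m.group(3))
    return parts, total if total is not None else sum(parts.values())


def proc_mem_bgp(text):
    """Return {process: (allocated, freed, holding)} for the BGP rows."""
    rows = {}
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m and m.group(7).startswith("BGP"):
            rows[m.group(7)] = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
    return rows


def compare(summary_text, proc_text, process="BGP Router"):
    """MiB for the BGP table vs. the process holding it, and their ratio."""
    _, table_bytes = bgp_summary_memory(summary_text)
    holding = proc_mem_bgp(proc_text)[process][2]
    return {
        "table_mib": round(table_bytes / MIB, 2),
        "holding_mib": round(holding / MIB, 2),
        "holding_to_table": round(holding / table_bytes, 2),
    }


if __name__ == "__main__":
    print(compare(ASH_BGP_SUMMARY, ASH_PROC_MEM))
    print(bgp_summary_memory(PARTIAL_BGP_SUMMARY)[1] / MIB)
```

For ASH the four lines add up to 86302857 bytes, Herv's 82 MB, while the BGP Router process holds about 212 MiB, roughly 2.6 times the table size on that box; on Herv's router the summed components match the router's own "21611926 total bytes" line exactly, so the gap really is process overhead rather than a parsing quirk.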

Tony Montana
Aug 6, 2005

by FactsAreUseless

Richard Noggin posted:

You know jwh, I hope you make a fuckton of money. Your knowledge of this stuff is insane.

Heh, I've thought the same thing many times. The fact jwh doesn't even have a CCNA blows me away, really says something about the networking industry, boot camps and the real value of that cert.

jwh, I've said before but I'll say it again! Get your firm to get Cisco Partner status (it's easy, they are basically giving it away at the moment) and then do your CCNA through the Partner Education Center. It would be ridiculous for you, I seriously think from what I've seen you write you could almost take the CCNA exam cold, just brush up on stupid, unused stuff like converting into binary.

xarph
Jun 18, 2001


Tony Montana posted:

just brush up on stupid, unused stuff like converting into binary.

To be fair, you don't even need to know that for the CCNA. There are a lot of shortcuts for subnetting/supernetting that barely involve math, let alone base 2.

TheBoohi
Jan 26, 2005

Suffer not the witch to live
Does anyone have a good reference for Cisco ASA configurations? The samples in the Cisco guide are good, but I am going to be setting up a 5520 without using private addressing on the inside. We have a whole class B space and will have 100.100.10.x on the outside with 100.100.x.x on the inside (for example). The routes and NAT statements are all different enough that their examples end up being confusing.

Herv
Mar 24, 2005

Soiled Meat

TheBoohi posted:

Does anyone have a good reference for Cisco ASA configurations? The samples in the Cisco guide are good, but I am going to be setting up a 5520 without using private addressing on the inside. We have a whole class B space and will have 100.100.10.x on the outside with 100.100.x.x on the inside (for example). The routes and NAT statements are all different enough that their examples end up being confusing.

Sorry I don't have anything like config references, but you just want to do a NAT 0 (0 means do NOT NAT, well it used to*). Subnetting should be the same, if you are going to bust out some of your class B for use in front of the FW.

Anything specific should get answered here within a workday.

*NAT 0 is way over 10 years old so not sure if something new came along.

TheBoohi
Jan 26, 2005

Suffer not the witch to live

Herv posted:

Sorry I don't have anything like config references, but you just want to do a NAT 0 (0 means do NOT NAT, well it used to*). Subnetting should be the same, if you are going to bust out some of your class B for use in front of the FW.

Anything specific should get answered here within a workday.

*NAT 0 is way over 10 years old so not sure if something new came along.

Thanks Herv. I'll be putting this config together and testing it in a lab soon. All of you posting in this thread are pretty awesome, so I really appreciate the help.

neroshige
Sep 17, 2007

tortilla_chip posted:

Is there any reason that one wouldn't have full mesh for iBGP? I've inherited a scenario where everything is meshed together with the exception of the core boxes.

code:
Border1---Border2
  |\        /|
  | \      / |
  |  \    /  |
  |   \  /   |
  |    \/    |
  |    /\    |
  |   /  \   |
  |  /    \  |
  | /      \ |
  |/        \|
 Core1     Core2

You might need direct peering between the two border routers to avoid a non-optimal traffic flow from one border to the second border to external ASes (border1->core1->border2). It could be fixed by other methods.

And do you have RR?

neroshige
Sep 17, 2007

TheBoohi posted:

Does anyone have a good reference for Cisco ASA configurations? The samples in the Cisco guide are good, but I am going to be setting up a 5520 without using private addressing on the inside. We have a whole class B space and will have 100.100.10.x on the outside with 100.100.x.x on the inside (for example). The routes and NAT statements are all different enough that their examples end up being confusing.

There are different methods.

Method one

Don't do translation for prefixes matched by the noNAT ACL, and do translation for 10.10.10.0 255.0.0.0:
code:
nat (inside) 0 access-list noNAT
nat (inside) 1 10.0.0.0 255.0.0.0

or you can disable NAT:
code:
nat (inside) 0 0 0

tortilla_chip
Jun 13, 2007

k-partite

neroshige posted:

You might need direct peering between the two border routers to avoid a non-optimal traffic flow from one border to the second border to external ASes (border1->core1->border2). It could be fixed by other methods.

And do you have RR?

Nope, no reflectors in this scenario.

inignot
Sep 1, 2003

WWBCD?
The existing peerings would be correct if border 1 and border 2 were a pair of clustered route reflectors.

For regular ibgp, adding a peering between core 1 and core 2 would be the only outstanding peering left to achieve full mesh ibgp.

Or if everything works now just leave it alone.
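Both answers to the Border/Core diagram reduce to a check a script can do: which sessions are still missing for a full mesh, and whether the sessions that do exist would be complete if the borders were route reflectors. As an added example (not anyone's production tooling), the code below encodes the diagram's four routers and five sessions and performs both checks; the rule it applies for a reflector layout, every client peering with every reflector and the reflectors meshed among themselves, is an assumption about what "clustered route reflectors" requires.

```python
"""Audit an iBGP session list: missing full-mesh sessions, or validity as
a route-reflector layout. Added example for the Border/Core question above;
router and session names follow the posted diagram, the RR rule is assumed."""
from itertools import combinations

ROUTERS = ["Border1", "Border2", "Core1", "Core2"]

# The sessions drawn in the diagram: borders meshed, each border to each core.
SESSIONS = [
    ("Border1", "Border2"),
    ("Border1", "Core1"), ("Border1", "Core2"),
    ("Border2", "Core1"), ("Border2", "Core2"),
]


def _normalize(sessions):
    """Sessions are undirected, so store each as a sorted pair."""
    return {tuple(sorted(s)) for s in sessions}


def full_mesh_session_count(n):
    """Sessions a full iBGP mesh of n routers needs: n(n-1)/2."""
    return n * (n - 1) // 2


def missing_full_mesh(routers, sessions):
    """Sorted list of router pairs that still lack a session."""
    have = _normalize(sessions)
    return sorted(tuple(sorted(p)) for p in combinations(routers, 2)
                  if tuple(sorted(p)) not in have)


def valid_rr_layout(reflectors, clients, sessions):
    """True when every client peers with every reflector and the reflectors
    are fully meshed among themselves; clients need not peer with each other."""
    have = _normalize(sessions)
    for rr in reflectors:
        for client in clients:
            if tuple(sorted((rr, client))) not in have:
                return False
    return not missing_full_mesh(list(reflectors), sessions)


if __name__ == "__main__":
    print("full mesh needs", full_mesh_session_count(len(ROUTERS)), "sessions")
    print("missing for full mesh:", missing_full_mesh(ROUTERS, SESSIONS))
    print("valid as Border1/Border2 RR cluster:",
          valid_rr_layout(["Border1", "Border2"], ["Core1", "Core2"], SESSIONS))
```

On the diagram the only missing full-mesh session is Core1 to Core2, and the same five sessions pass the reflector check with the two borders as reflectors, which is exactly the two readings given above.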

citywok
Sep 8, 2003
Born To Surf
I need to be able to enable & disable a network port from a linux box.

I've been googling, and haven't found a magic SNMP command or anything other than just having to telnet in to the switch and disable the port.

I'm testing on a cisco 2950, and would like to avoid having to telnet in to the switch and do it that way; if i do, does anybody have a good reliable script already written to do this?

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

citywok posted:

I need to be able to enable & disable a network port from a linux box.

I've been googling, and haven't found a magic SNMP command or anything other than just having to telnet in to the switch and disable the port.

I'm testing on a cisco 2950, and would like to avoid having to telnet in to the switch and do it that way; if i do, does anybody have a good reliable script already written to do this?

You could write an SNMP trap to do it. Or just write an expect script with all the commands.

Herv
Mar 24, 2005

Soiled Meat
Clogin from the RANCID tool will do it pretty easily. Just need to put the host commands and login info into some easy to make config files. Pretty sure the tool is just a package now for a lotta distros. It was a package in FreeBSD, started getting some really stupid problems compiling the dependencies so just said gently caress it and pkg_add'd my way to a coffee break.

Came back, edited the files, and I can clear my auth proxy at the end of the night since the timeouts don't work in my current IOS version. (Upgrading the sups this Friday)

For SNMP I believe it's Net SNMP

With this thing you can get all sorts of real time bandwidth, cpu, anything, on a color graph. Oh yeah, will send all sorts of SNMP traps too.

Clogin (and expect I'm sure) will be the short path, cron it out if you want or invoke as needed.

ragzilla
Sep 9, 2005
don't ask me, i only work here


citywok posted:

I need to be able to enable & disable a network port from a linux box.

I've been googling, and haven't found a magic SNMP command or anything other than just having to telnet in to the switch and disable the port.

I'm testing on a cisco 2950, and would like to avoid having to telnet in to the switch and do it that way; if i do, does anybody have a good reliable script already written to do this?

If you're familiar with Perl, SNMP::Util can handle this fairly trivially (if you have a RW SNMP community set up, you just use SNMP::Util to set ifAdminStatus.<interfaceindex> to up/down- which is actually their example. Mapping interface names->numbers is an exercise left to the reader, but you'll want to look at ifName/ifDescr or ifAlias, or if you want to be lazy just check out a "show snmp mib ifmib ifindex" on the switch): http://search.cpan.org/~wmarq/SNMP-Util-1.8/Util.pm#set

ragzilla fucked around with this message at 04:43 on Jul 16, 2009


neroshige
Sep 17, 2007

citywok posted:

I need to be able to enable & disable a network port from a linux box.

I've been googling, and haven't found a magic SNMP command or anything other than just having to telnet in to the switch and disable the port.

I'm testing on a cisco 2950, and would like to avoid having to telnet in to the switch and do it that way; if i do, does anybody have a good reliable script already written to do this?

You need to have an SNMP community with write permission, and then you can change the port status.
Basically you need to set ifAdminStatus from IF-MIB (RFC1213) to disable or enable it.
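The two replies above both come down to writing IF-MIB::ifAdminStatus, with the interface-name-to-ifIndex lookup "left to the reader". As an added example that is neither SNMP::Util nor any poster's script, the code below does that lookup from `snmpwalk` output of ifName and builds the matching `snmpset` command for the net-snmp command-line tools; the switch name, the community placeholder and the ifName walk output are constructed for illustration.

```python
"""Resolve a switch port name to its ifIndex and set IF-MIB::ifAdminStatus
with the net-snmp CLI tools. Added example, not SNMP::Util or any posted
script. The host, community and SAMPLE_IFNAME_WALK are constructed."""
import shlex
import subprocess

# IF-MIB (RFC 2863) ifAdminStatus values.
IF_ADMIN_STATUS = {"up": 1, "down": 2, "testing": 3}

# Constructed snmpwalk output for IF-MIB::ifName, in the
# "MIB::object.index = TYPE: value" form net-snmp prints.
SAMPLE_IFNAME_WALK = """\
IF-MIB::ifName.1 = STRING: Fa0/1
IF-MIB::ifName.2 = STRING: Fa0/2
IF-MIB::ifName.3 = STRING: Fa0/3
IF-MIB::ifName.25 = STRING: Gi0/1
IF-MIB::ifName.26 = STRING: Nu0
"""


def parse_ifname_walk(walk_output):
    """Map interface name -> ifIndex from 'snmpwalk ... IF-MIB::ifName'."""
    mapping = {}
    for line in walk_output.splitlines():
        if " = STRING: " not in line:
            continue
        oid, value = line.split(" = STRING: ", 1)
        index = int(oid.rsplit(".", 1)[1])  # the instance suffix is the ifIndex
        mapping[value.strip().strip('"')] = index
    return mapping


def snmpwalk_cmd(host, community, column="IF-MIB::ifName"):
    """argv for walking one IF-MIB column with net-snmp's snmpwalk."""
    return ["snmpwalk", "-v2c", "-c", community, host, column]


def snmpset_admin_status_cmd(host, community, ifindex, status):
    """argv for snmpset writing ifAdminStatus.<ifindex> as an INTEGER ('i')."""
    value = IF_ADMIN_STATUS[status]
    return ["snmpset", "-v2c", "-c", community, host,
            f"IF-MIB::ifAdminStatus.{ifindex}", "i", str(value)]


def set_port(host, community, ifname, status, run=False, walk_output=None):
    """Resolve ifname to its ifIndex, then build (and optionally execute)
    the snmpset. When walk_output is supplied the lookup uses that text
    instead of walking the device, so the function works offline."""
    if walk_output is None:
        walk_output = subprocess.run(snmpwalk_cmd(host, community),
                                     capture_output=True, text=True,
                                     check=True).stdout
    index = parse_ifname_walk(walk_output).get(ifname)
    if index is None:
        raise KeyError(f"interface {ifname!r} not found in ifName table")
    cmd = snmpset_admin_status_cmd(host, community, index, status)
    if run:
        subprocess.run(cmd, check=True)
    return cmd


if __name__ == "__main__":
    # Dry run against the constructed walk; pass run=True to execute.
    cmd = set_port("switch.example.invalid", "<rw-community>", "Fa0/3", "down",
                   walk_output=SAMPLE_IFNAME_WALK)
    print(shlex.join(cmd))
```

The RW community this relies on travels in cleartext with SNMPv2c and authorises writes to the whole MIB, so on IOS pair it with an access list (`snmp-server community <name> RW <acl>`) or move the job to SNMPv3 with authentication and privacy, and log who runs the script; ifName lookups are preferable to hard-coded indexes because ifIndex values can change after a reload on some platforms.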
