Powercrazy posted: That sucks and is not best practice config. Unless you have a need for spoke to spoke communication then you just need to have a single tunnel going to each remote site from your hub. The tunnel addresses should be p2p /30s and the sites should each be on their own network. So say site 1 would be 10.1.0.0/16, site 2 would be 10.2.0.0/16, etc., and all your tunnel /30 addresses would be in 10.0.x.x/16. I can post a config of how we do it if you'd like.

I haven't played a lot with DMVPN, mostly GETVPN for MPLS setups where encryption is required. How does it hold up? I hadn't realized you don't need to configure the hub in any special way.
# ? Nov 18, 2010 17:24
reborn posted: I haven't played a lot with DMVPN, mostly GETVPN for MPLS setups where encryption is required. How does it hold up? I hadn't realized you don't need to configure the hub in any special way.

You need to configure the hub initially as the NHRP server and set up point-to-multipoint tunnels etc., but once it is configured then adding a new site is easy. code:
# ? Nov 18, 2010 17:43
para posted: We have 8 sites connected using T1's to an MPLS cloud provided by AT&T. Each of our sites' CE routers BGP peer with AT&T. Then each of the 8 routers has 7 tunnels addressed in the same /24 subnet that go to each of the other 7 routers, and EIGRP runs over the tunnels to provide our internal routing. All communication between sites goes through these tunnels.

DMVPN would be easier. That's what I'd recommend.
# ? Nov 18, 2010 21:50
jwh posted: DMVPN would be easier. That's what I'd recommend.

+1 for DMVPN, which is awesome.
# ? Nov 19, 2010 18:43
Anyone had any experience with deploying dot1x? I'm running a dev FreeRadius server and have some spare switches of various types in a lab arrangement (3550, 2960, 2950, HP 2626, Brocade FCX). I want to be able to assign end devices VLANs based on either a login or by their MAC address. The non-logged-in assignment would be for printers, and for PCs that are booted but not logged in but need access to updates etc. I have already got the server talking to the Active Directory to authenticate users. Next is getting the switches and clients working. Any tips?
# ? Nov 29, 2010 21:12
Be very, very mindful about the version of code you're running on your switch(es). Cisco changed things around dramatically, several times, with respect to 802.1x. It's still possible to find configuration guides that seem relevant, only to learn they've been superseded several times over by entirely new ways of doing things. I've had success with the default XP supplicant, but it was pretty wonky. We ended up putting our deployment on hold until after our client base was migrated to Windows 7, simply because the stock supplicant is so much better.

Anyway, you need to return the following attributes:

[064] Tunnel-Type = VLAN
[065] Tunnel-Medium-Type = 802
[081] Tunnel-Private-Group-ID = VLANNAME

Then, just have a VLAN with that textual name on your switch.
# ? Nov 29, 2010 21:56
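As an added illustration of the three reply attributes listed in the post above (example code written for this edit, not anything from the post or from FreeRADIUS itself), here is a small Python encoder and checker for the raw RADIUS attribute-value pairs that carry a VLAN assignment. It assumes the standard attribute numbers 64/65/81 and the enumerated values Tunnel-Type = VLAN (13, RFC 3580) and Tunnel-Medium-Type = IEEE-802 (6, RFC 2868); the VLAN name and the deliberately broken reply at the bottom are constructed.

```python
import struct

TUNNEL_TYPE = 64                # RADIUS attribute numbers, as listed in the post
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13           # RFC 3580 value for "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6       # RFC 2868 value for "IEEE-802"
TAG_MAX = 0x1F                  # tag octets are 0x01..0x1F (RFC 2868 section 3.1)


def encode_vlan_reply(vlan_name: str, tag: int = 1) -> bytes:
    """Build the AVP bytes a RADIUS server returns to assign a VLAN by name.
    Tagged integer attributes are laid out type(1) length(1) tag(1) value(3)."""
    if not 1 <= tag <= TAG_MAX:
        raise ValueError("tag must be between 1 and 31")
    name = vlan_name.encode("ascii")
    if len(name) > 250:
        raise ValueError("VLAN name too long for one attribute")
    out = struct.pack("!BBB", TUNNEL_TYPE, 6, tag) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
    out += struct.pack("!BBB", TUNNEL_MEDIUM_TYPE, 6, tag) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")
    out += struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(name), tag) + name
    return out


def parse_avps(data: bytes) -> list:
    """Split a run of RADIUS AVPs into (type, value) pairs, rejecting bad lengths."""
    avps, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        avps.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return avps


def _tagged_int(value: bytes):
    """Return (tag, integer) from a tagged 4-octet tunnel attribute value."""
    if len(value) != 4:
        raise ValueError("tagged integer attribute must be 4 octets")
    return value[0], int.from_bytes(value[1:], "big")


def check_vlan_reply(data: bytes):
    """Return (vlan_name, problems). vlan_name is None unless the reply carries
    a complete, consistent VLAN assignment that a switch would act on."""
    problems = []
    found = {atype: value for atype, value in parse_avps(data)}
    for needed in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
        if needed not in found:
            problems.append(f"missing attribute {needed}")
    if problems:
        return None, problems
    t_tag, t_val = _tagged_int(found[TUNNEL_TYPE])
    m_tag, m_val = _tagged_int(found[TUNNEL_MEDIUM_TYPE])
    if t_val != TUNNEL_TYPE_VLAN:
        problems.append(f"Tunnel-Type is {t_val}, expected {TUNNEL_TYPE_VLAN} (VLAN)")
    if m_val != TUNNEL_MEDIUM_IEEE802:
        problems.append(f"Tunnel-Medium-Type is {m_val}, expected {TUNNEL_MEDIUM_IEEE802} (802)")
    group = found[TUNNEL_PRIVATE_GROUP_ID]
    # A leading octet <= 0x1F is a tag; anything larger is the first byte of the name.
    if group and group[0] <= TAG_MAX:
        g_tag, name = group[0], group[1:]
    else:
        g_tag, name = None, group
    tags = {t_tag, m_tag} | ({g_tag} if g_tag is not None else set())
    if len(tags) > 1:
        problems.append(f"tag mismatch across tunnel attributes: {sorted(tags)}")
    if not name:
        problems.append("empty Tunnel-Private-Group-ID")
    if problems:
        return None, problems
    return name.decode("ascii", errors="replace"), []


if __name__ == "__main__":
    good = encode_vlan_reply("STAFF")          # constructed VLAN name
    print(check_vlan_reply(good))
    # Constructed broken reply: drop Tunnel-Medium-Type, a common misconfiguration.
    broken = good[:6] + good[12:]
    print(check_vlan_reply(broken))
```

The checker is the sort of thing to run over a decoded Access-Accept from a packet capture when the switch keeps leaving the port in its default VLAN: a reply missing any one of the three attributes, carrying the wrong Tunnel-Type value, or using different tags on the three attributes is reported rather than silently accepted.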
Kind of an ambiguous question here: I have a company with five sites, four of those sites use the same ISP. Each site uses a different set of unique global IP addresses, of which we only use one out of the set, so the distribution would look like this:

Site 1 IPs: 216.201.140.111 to 216.201.140.116
Site 2 IPs: 216.201.142.222 to 216.201.142.228
Site 3 IPs: 209.206.174.333 to 209.206.174.339
Site 4 IPs: 209.206.174.444 to 209.206.174.450

Obviously these are not the real numbers and aren't even in correct subnetting math. Keep in mind this is a question coming from someone that is particularly new to WAN networking. Here is my thought. Couldn't I just take the IP set that my ISP gave me for Site 1 and use the excess IPs as my other sites? For all sites I am using NAT Overload, so I don't need the other IPs. Does this even make sense? So instead of:

192.168.2.0---SITE1 ROUTER ----216.201.140.111------------IPSEC-------------209.206.174.333---- SITE 2 ROUTER ---192.168.11.0

It would look like this:

192.168.2.0---SITE1 ROUTER ----216.201.140.111--------------IPSEC-----------216.201.140.112---- SITE 2 ROUTER ---192.168.11.0

Goal here is to save bills on not having multiple IP batches and just having one for all our locations. Again, this is probably impossible if not stupid.
# ? Nov 29, 2010 23:09
Sure it's possible, but your ISP will have to make the change; they're delegating the address space to you. You don't have the ability to influence it. They're probably giving you a /29 per site, and saying, 'have fun, bye.' You need to ask them what the smallest allocation is per-site that you can receive. Start there.
# ? Nov 29, 2010 23:23
^^^^ This, and how much money do you realistically think you are going to save by using less IP space?
# ? Nov 30, 2010 13:31
inignot posted: ^^^^

That, and if they are already giving you the IPs I wouldn't give them back willingly... It'd be good to assume you'll have future expansion that might need those IPs. It is easier to have them than to have to go back and do a request for more IPs with justification and shown immediate 90% usage, etc., bla bla bla..
# ? Nov 30, 2010 13:36
inignot posted: ^^^^

Well apparently none. I called the ISP and they said there would be zero price difference. I am still new to this so I didn't realize that there wouldn't be much of a cost savings. I am their first and only IT guy so I try and find new and innovative ways to save them money and to wow them. Also Virigoth has an excellent point: even though each site has more IPs than we will ever need, it is nice to have just in case. Though I seriously doubt these people will ever use them. I mean... the doctors still use tape recorders to dictate. That's what I am working with here, technological phobias, the lot of them.
# ? Nov 30, 2010 15:37
Now it's time for a "gently caress the competition" post.

HP has the absolute best practice ever in regards to their software releases; if you are running old code, and have to upgrade, occasionally you won't be able to upgrade straight to the latest version. No biggie. Except they don't keep the old versions available on their site. Brilliant, guys, well done.
# ? Dec 1, 2010 05:04
abigserve posted: Now it's time for a "gently caress the competition" post.

What's even better is when you call for support and they require you to upgrade before they begin support and yet don't have those intermediary software upgrades still on their site. Excellent support model!
# ? Dec 1, 2010 16:54
Don't use HP. Foundry/Extreme/Brocade for the cheaper end of the scale, and then Juniper or Cisco for the high end. Anything else probably isn't enterprise stuff anyway, especially HP.
# ? Dec 1, 2010 17:19
Powercrazy posted: Don't use HP. Foundry/Extreme/Brocade for the cheaper end of the scale, and then Juniper or Cisco for the high end. Anything else probably isn't enterprise stuff anyway, especially HP.

Seriously, don't buy into the glitzy marketing they are doing now. Their support sucks, their field techs for the most part are worthless and while I am not certain that they have a group of drooling mongoloids writing their software, I do know that it has poo poo for features and options.
# ? Dec 1, 2010 17:42
I haven't used Foundry / Brocade lately, but I liked them back when they were making the original ServerIrons. How are they now?
# ? Dec 1, 2010 17:52
My experience with Foundry/Brocade gear has been frustrating due to the lack of uniformity on the CLI (i.e. platform-dependent ways to configure L3 VLAN interfaces etc.). I found the documentation to be lacking as well. Also their internet edge router (CER2024) doesn't support full tables out of the box. Requires some TCAM slicing à la SDM profiles. There was a thread on NANOG about some service provider's Foundry infrastructure making GBS threads the bed with regard to MPLS LSP issues. That said, the price per port is hard to beat. Prior to the ME3600/3800 the CER2024 absolutely killed anything Cisco could offer in the same form factor with feature set. Overall the "pick two" seems to be fast and cheap.
# ? Dec 1, 2010 18:44
One of our transit providers had some serious BGP bugs on their NetIron that would periodically cause it to suffocate BGP neighbors until recycled, but that was about two years ago. I'm figuring they've probably fixed that by now (I hope).
# ? Dec 1, 2010 19:36
tortilla_chip posted: That said, the price per port is hard to beat. Prior to the ME3600/3800 the CER2024 absolutely killed anything Cisco could offer in the same form factor with feature set.

Downside is those cheap ports can kill your whole box when they go bad; one of my customers had a bad 10GbE card, took down the whole MLX it was in (and not hard down, just dropping >90% of all traffic on the box).
# ? Dec 1, 2010 19:54
jwh posted: I haven't used Foundry / Brocade lately, but I liked them back when they were making the original ServerIrons. How are they now?

The version of code I'm using is identical to Cisco as far as most CLI commands and formatting goes. They do their VLANs differently (tagged and untagged) but it's really not too bad. I've been responsible for this deployment for about 6 months now and I've only had one problem with a 10G optic going bad and causing their VSTP switching protocol to flap. No traffic lost though, so I can't really fault them. We will be replacing the lease soon since we are a 90% Cisco shop. We have 2 Big Iron RX-16s with several FGS648P switches for access, and 4 XMRs getting full BGP tables as well as 4 Server Irons for global load balancing / firewalling. Haven't seen any crazy issues, although one of our edge XMRs I can't reliably log into though the box stays up. So overall I'd say fast and cheap, but not super reliable.
# ? Dec 1, 2010 21:01
I have 6 MLXs currently (XMR with less memory). So far they have been rock solid in my network, they are acting as core/edge routers. All of my L2 is Extreme gear which has also been rock solid for me. My #1 reason for loving the MLX/XMR is that it uses a stupidly low amount of power compared to the 6509s they replaced. Since I have them in MMR space with my telco gear that's pretty important to me.
# ? Dec 1, 2010 21:21
Powercrazy posted: The version of code I'm using is identical to Cisco as far as most CLI commands and formatting goes. They do their VLANs differently (tagged and untagged) but it's really not too bad.

Be careful, Brocade used to default to a prestandard version of PVST. Found this out the hard way.
# ? Dec 2, 2010 01:46
I'm curious what methodology people use to filter/announce outbound routes to eBGP peers. Our systems still use some legacy methods of as-path access lists combined with prefix lists that are generally a pain in the rear end to maintain. I'd like to switch to something that's based only on iBGP communities if possible. This seems like a good basis but seems almost too easy:

* http://puck.nether.net/bgp/cisco-config.html
* http://puck.nether.net/bgp/juniper-config.html

Thoughts or caveats to the above that aren't immediately apparent?
# ? Dec 2, 2010 01:54
Has anyone read Andrew Tanenbaum's "Computer Networks"? Would you recommend it, and what's it like compared to Cisco's books?
# ? Dec 2, 2010 02:01
falz posted: I'm curious what methodology people use to filter/announce outbound routes to eBGP peers. Our systems still use some legacy methods of as-path access lists combined with prefix lists that are generally a pain in the rear end to maintain.

Communities, communities, communities, communities! Tag your own originated routes with a specific community, tag routes from transit with a specific community, tag routes from peers with a community, tag routes from customers (or originated on customers' behalf) with a community. Setting up inbound and outbound route-maps for each category of BGP peer ensures you have consistent community tags on ingress, giving you consistent egress based on the community. But yes, communities are absolutely the best way to control your announcements. We don't even bother with any as-path filters anymore; we just community tag everything and use prefix lists to control what we accept. You may also want to look over Phil Smith's talks over the years (ftp://ftp-eng.cisco.com/pfs/seminars/), specifically the BGP-Techniques talk (most recent was NANOG50).
# ? Dec 2, 2010 02:06
What does a 6509-E chassis and two WS-CAC-6000W's go for on the grey market? Anybody know? I don't want to call a reseller until I have a ballpark, since once you call them, they will never, ever leave you alone again.
# ? Dec 2, 2010 18:29
jwh posted:What does a 6509-E chassis and two WS-CAC-6000W's go for on the grey market? Anybody know?
# ? Dec 3, 2010 00:34
I have a pretty low pressure reseller I could hook you up with. Powercrazy has used him as well.
# ? Dec 3, 2010 06:11
ragzilla posted: Communities, communities, communities, communities!

Thanks, definitely is the way to go. Since communities were more or less neglected on our network until I started adding some communities last week, we didn't have 'send-community' on iBGP on most routers. I've since added it on all. Everything is working fine except that route reflectors don't seem to be sending communities to their clients even with a clear soft (route refresh is enabled on everything). However, the RR clients do send their communities to the RR with a clear soft. Hard resetting BGP sessions obviously isn't desirable. Does this seem normal, or has anyone compiled a list of BGP neighbor changes that do/do not require a hard reset?
# ? Dec 3, 2010 15:55
edit: Nvm figured it out, user has a DSL connection so it isn't transferring the source IP of the external machine.
Sepist fucked around with this message at 16:46 on Dec 3, 2010

# ? Dec 3, 2010 16:07
falz posted: Thanks, definitely is the way to go. Since communities were more or less neglected on our network until I started adding some communities last week, we didn't have 'send-community' on iBGP on most routers. I've since added it on all.

Doesn't seem normal. You've got send-community on the neighbor statements in the RRs as well, right (needs to be pretty much everywhere)?
# ? Dec 3, 2010 16:07
I figured it out, it's really stupid. I had 'send-community extended' in some places and just 'send-community' in others. Looking at the docs, extended is extended only. Works fine now with the 'both' keyword or just no extra keyword.
# ? Dec 3, 2010 17:28
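To make the tag-on-ingress, filter-on-egress scheme from ragzilla's post concrete, and to show why a missing 'send-community' on the iBGP sessions (falz's problem a few posts up) silently breaks it, here is an added Python model of the route-map logic. It is example code written for this edit, not a vendor configuration and not anything from the thread; the AS number 64500, the four community values and the RFC 5737 documentation prefixes used as sample routes are constructed.

```python
from dataclasses import dataclass, field

MY_AS = 64500                      # constructed private AS number for the example
# Constructed community plan: one community per source of a route, as the post advises.
C_ORIGINATED = f"{MY_AS}:100"      # routes we originate
C_CUSTOMER = f"{MY_AS}:200"        # learned from customers (or originated on their behalf)
C_PEER = f"{MY_AS}:300"            # learned from settlement-free peers
C_TRANSIT = f"{MY_AS}:400"         # learned from transit providers
OUR_COMMUNITIES = {C_ORIGINATED, C_CUSTOMER, C_PEER, C_TRANSIT}

INGRESS_TAG = {"customer": C_CUSTOMER, "peer": C_PEER, "transit": C_TRANSIT}
# Egress policy per neighbour class: transit and peers only ever see our own
# and customer routes; customers get the full view.
EGRESS_ALLOW = {
    "customer": OUR_COMMUNITIES,
    "peer": {C_ORIGINATED, C_CUSTOMER},
    "transit": {C_ORIGINATED, C_CUSTOMER},
}


@dataclass
class Route:
    prefix: str
    communities: set = field(default_factory=set)


def ingress(route, peer_class, prefix_list=None):
    """Inbound route-map. prefix_list is the set of prefixes this neighbour may
    send (None means no prefix filter, e.g. a transit full table). Returns the
    tagged route, or None when the prefix is rejected."""
    if prefix_list is not None and route.prefix not in prefix_list:
        return None
    # Scrub our own classification communities before tagging: a neighbour must
    # not be able to label its routes 'customer' and have them announced to transit.
    cleaned = route.communities - OUR_COMMUNITIES
    return Route(route.prefix, cleaned | {INGRESS_TAG[peer_class]})


def ibgp_hop(route, send_community):
    """Carry a route between two of our own routers. Without 'send-community'
    on the iBGP session the tags are dropped, which is the failure in the thread."""
    return Route(route.prefix, set(route.communities) if send_community else set())


def egress(routes, peer_class):
    """Outbound route-map: announce only routes carrying an allowed community."""
    allow = EGRESS_ALLOW[peer_class]
    return sorted(r.prefix for r in routes if r.communities & allow)


def build_table(send_community=True):
    """Constructed sample RIB: one route per source, then one iBGP hop."""
    learned = [
        ingress(Route("198.51.100.0/24"), "customer", {"198.51.100.0/24"}),
        ingress(Route("203.0.113.0/24", {C_CUSTOMER}), "peer"),     # peer sends our tag
        ingress(Route("203.0.113.128/25"), "transit"),
        ingress(Route("198.51.100.128/25"), "customer", {"198.51.100.0/24"}),  # not in list
    ]
    table = [Route("192.0.2.0/24", {C_ORIGINATED})] + [r for r in learned if r]
    return [ibgp_hop(r, send_community) for r in table]


if __name__ == "__main__":
    for cls in ("transit", "peer", "customer"):
        print(cls, egress(build_table(), cls))
    print("transit, no send-community:", egress(build_table(send_community=False), "transit"))
```

Two things the model does that the real route-maps also need to do: the inbound policy strips the neighbour's copy of your own classification communities before tagging, so a peer cannot relabel its routes as customer routes and get them propagated to your transit; and an iBGP session without send-community hands the next router untagged routes, which a community-only egress policy then announces to nobody, which is the symptom described above.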
Does anyone know if TRILL support is on the road-map for lower end Catalysts (i.e., 2960S, 3750)?
# ? Dec 3, 2010 18:26
Just reading about TRILL, it seems like it would be impossible for a switch to support without different ASICs. Unless your definition of support is just being able to pass TRILL frames.
# ? Dec 3, 2010 20:26
Hey, do you guys think that 500 dollars for ASA 5505s is overkill for a business that has 1.5 Mbps bandwidth and 100 users? If so, any recommendations on a Cisco firewall that still has the IOS on it? The firewalls I am getting are refurbished, that's why they are so cheap.
# ? Dec 3, 2010 20:29
A 5505 with unlimited user licensing is like ~$650 or so, at least as far as CDW is concerned.
# ? Dec 3, 2010 20:39
jwh posted: A 5505 with unlimited user licensing is like ~$650 or so, at least as far as CDW is concerned.

Yeah, comes with a three year replacement warranty through a reseller. So it sounds like a good deal. What does it mean by licenses? I haven't quite figured that part out.
# ? Dec 3, 2010 21:08
ASAs are licensed based on how many users (read as: visible MACs seen by the device's LAN port, or something). If you exceed that number, no worky. I think user-based licensing is just a way to gouge the customer into paying for the privilege of using what they've already purchased, but that's just my personal feeling. Which is why I like the Palo Alto pricing model: you bought a box rated for x, you can cram x traffic through it.
# ? Dec 3, 2010 21:12
jwh posted: ASAs are licensed based on how many users (read as: visible MACs seen by the device's LAN port, or something).

The 5505 is the only model with this kind of licensing.
# ? Dec 3, 2010 22:24
I didn't know that, but that explains why we didn't have to buy user licensing for our 5540s. Although SSL VPN on the other hand...
# ? Dec 3, 2010 22:33