ate shit on live tv
Feb 15, 2004

by Azathoth
You are confusing your terms here, which is making it difficult to give you good advice.

If you say the cores see themselves as one big switch, that means they are stacked via VSS or something. However I doubt that is the case. Now you say they are "ether-channeled", which is possible if you have two 10G links between the two cores; however, it isn't necessarily indicative of where a routing loop would come from.

If you have a single 10Ge Trunk Link between the cores, that tells us a bit more, but I still think you are confused as you won't be running an IGP over a trunk (layer2) link. So it could be a routed (layer3) link.

Now at this point, assuming you are indeed running a routed link between the two cores, if they were both receiving a default route via BGP but they weren't BGP peers, then yes, you will have all kinds of issues.

However you shouldn't be running BGP with your cores anyway, unless you have another requirement. The best would be to use a static route pointing to the HSRP address of your edge routers (the ones taking full public routes). The other alternative is to run an IGP with your edge and your core; this is usually not done because of the need for a firewall of some sort, but again I don't know your environment.


Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR
Yeah, I can't divulge too much info for security purposes. Currently the cores are trunked together to share VLANs.

jwh
Jun 12, 2002

Actually, watching trunked l3 switches bring up IGP adjacencies on every VLAN they carry is one of the fun things that happens when you forget to passive your vlan interfaces.

chestnut santabag
Jul 3, 2006

Here's something that's had me stumped for the past week.
I'm currently implementing port based authentication using Microsoft NPS for the RADIUS server. Everything seems to be working fine except for trying to access the switch itself, be it through SSH or the console connection, where the NPS appears to be rejecting the authentication message due to "message authenticator attribute not set where one is required".
There is a checkbox for "message authenticator attribute required" in NPS and if it gets unchecked then the process works normally.
I'm wondering why it isn't working properly for switch access when the box is checked making the message authenticator attribute mandatory yet works as expected for the regular dot1x stuff on the switchports.
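The attribute NPS is complaining about is Message-Authenticator (RFC 2869), an HMAC-MD5 keyed with the shared secret over the whole Access-Request; a server that requires it rejects any request that lacks it, which is what happens here when the switch's login (AAA) requests omit the attribute while its dot1x/EAP requests carry it. The following is an added example, not code from the thread or from NPS, showing how the value is computed and checked; the shared secret, request authenticator, user name and NAS address are constructed test values:

```python
"""RADIUS Message-Authenticator (RFC 2869 section 5.14): build, sign and verify.

Added example, not from the thread or from NPS. The shared secret, request
authenticator, user name and NAS address are constructed test values.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80
MAC_LEN = 16  # HMAC-MD5 digest length


def build_attr(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value; the length counts the header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_packet(code, ident, authenticator, attrs):
    """Assemble Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def iter_attrs(packet):
    """Yield (offset, type, value) for every attribute in a RADIUS packet."""
    pos = 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        yield pos, atype, packet[pos + 2:pos + alen]
        pos += alen


def sign_access_request(ident, request_authenticator, attrs, secret):
    """Append Message-Authenticator: HMAC-MD5(secret) over the whole packet
    with the attribute's 16 value bytes zeroed, as RFC 2869 requires."""
    placeholder = build_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(MAC_LEN))
    unsigned = build_packet(ACCESS_REQUEST, ident, request_authenticator, attrs + placeholder)
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    return unsigned[:-MAC_LEN] + mac


def verify_message_authenticator(packet, secret):
    """True if a valid Message-Authenticator is present, False if present but wrong.
    Raises ValueError when it is absent, mirroring NPS with the attribute required."""
    for offset, atype, value in iter_attrs(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = packet[:offset + 2] + bytes(MAC_LEN) + packet[offset + 2 + MAC_LEN:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    raise ValueError("message authenticator attribute not set where one is required")


def demo():
    """Exercise the cases a RADIUS server distinguishes: valid, tampered, wrong secret, absent."""
    secret = b"constructed-shared-secret"
    request_authenticator = bytes(range(16))  # constructed; real clients use 16 random bytes
    attrs = (build_attr(ATTR_USER_NAME, b"switch-admin")
             + build_attr(ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10])))
    signed = sign_access_request(7, request_authenticator, attrs, secret)
    unsigned = build_packet(ACCESS_REQUEST, 7, request_authenticator, attrs)
    tampered = signed.replace(b"switch-admin", b"switch-adm1n")  # same length, altered bytes
    try:
        verify_message_authenticator(unsigned, secret)
        unsigned_rejected = False
    except ValueError:
        unsigned_rejected = True
    return {
        "signed_ok": verify_message_authenticator(signed, secret),
        "tampered_ok": verify_message_authenticator(tampered, secret),
        "wrong_secret_ok": verify_message_authenticator(signed, b"not-the-secret"),
        "unsigned_rejected": unsigned_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Without the attribute, the only integrity on an Access-Request is the Request Authenticator, which is random and unkeyed, so anyone on the path between NAS and server can alter attributes; keeping the "required" box ticked and fixing the client side is the right direction, since the HMAC is the only part of the request the shared secret actually protects.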

ruro
Apr 30, 2003

jwh posted:

Actually, watching trunked l3 switches bring up IGP adjacencies on every VLAN they carry is one of the fun things that happens when you forget to passive your vlan interfaces.
passive-interface default is my favourite command.
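The failure mode jwh and ruro describe (an L3 switch sending OSPF hellos, and accepting adjacencies, on every SVI it carries) is easy to audit from a saved config. The following is an added example, not code from the thread or from Cisco, that parses a constructed IOS-style config, works out which interfaces OSPF is enabled on via `network` statements or `ip ospf ... area`, and lists the ones that are not passive; the config text, interface names and addresses are all constructed:

```python
"""Audit an IOS-style config for OSPF interfaces that are not passive.

Added example, not from the thread or from Cisco. SAMPLE_CONFIG is a constructed
config; interface names, addresses and process numbers are made up.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
!
interface Vlan10
 description USERS
 ip address 10.10.10.2 255.255.255.0
!
interface Vlan20
 description SERVERS
 ip address 10.10.20.2 255.255.255.0
!
interface Vlan999
 description CORE-P2P
 ip address 10.255.0.1 255.255.255.252
!
interface GigabitEthernet1/0/1
 description uplink-to-edge
 no switchport
 ip address 192.0.2.2 255.255.255.252
 ip ospf 1 area 0
!
router ospf 1
 passive-interface Vlan20
 network 10.0.0.0 0.255.255.255 area 0
!
"""

# Same config with passive-interface default and only the two real links opted back in.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    " passive-interface Vlan20\n",
    " passive-interface default\n no passive-interface Vlan999\n"
    " no passive-interface GigabitEthernet1/0/1\n",
)


def parse_sections(config):
    """Split an IOS config into (header, [child lines]) per top-level stanza."""
    sections = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0] != " ":
            sections.append((line.strip(), []))
        elif sections:
            sections[-1][1].append(line.strip())
    return sections


def matches_network_statement(addr, network, wildcard):
    """IOS 'network' matching: bits outside the wildcard must equal the network."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & mask) == (int(ipaddress.IPv4Address(network)) & mask)


def active_ospf_interfaces(config):
    """Return sorted names of OSPF-enabled interfaces that will send hellos (not passive)."""
    interfaces, ospf = {}, None
    for header, children in parse_sections(config):
        if header.startswith("interface "):
            info = {"ip": None, "intf_ospf": False}
            for child in children:
                m = re.match(r"ip address (\S+) (\S+)$", child)
                if m:
                    info["ip"] = m.group(1)
                if re.match(r"ip ospf \d+ area \S+", child):
                    info["intf_ospf"] = True
            interfaces[header.split(None, 1)[1]] = info
        elif header.startswith("router ospf"):
            ospf = children
    if ospf is None:
        return []
    passive_default = "passive-interface default" in ospf
    passive = {c.split()[1] for c in ospf
               if c.startswith("passive-interface ") and c != "passive-interface default"}
    unpassive = {c.split()[2] for c in ospf if c.startswith("no passive-interface ")}
    networks = [m.groups() for m in (re.match(r"network (\S+) (\S+) area", c) for c in ospf) if m]
    active = []
    for name, info in interfaces.items():
        if info["ip"] is None:
            continue
        enabled = info["intf_ospf"] or any(
            matches_network_statement(info["ip"], n, w) for n, w in networks)
        if not enabled:
            continue
        is_passive = (name not in unpassive) if passive_default else (name in passive)
        if not is_passive:
            active.append(name)
    return sorted(active)


if __name__ == "__main__":
    print("before:", active_ospf_interfaces(SAMPLE_CONFIG))
    print("after: ", active_ospf_interfaces(FIXED_CONFIG))
```

On the constructed config the audit flags Vlan10 (a user VLAN) as an active OSPF interface; after switching to `passive-interface default` and opting in only the point-to-point SVI and the routed uplink, only those two remain. The `network` matching is the wildcard-mask rule IOS uses, so a broad statement like `0.0.0.0 255.255.255.255` correctly pulls in every addressed interface.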

ragzilla
Sep 9, 2005
don't ask me, i only work here


ruro posted:

passive-interface default is my favourite command.

Just use ISIS, you have to opt in on an interface by interface basis with 'ip router isis'

And you get the awesome 'advertise-passive-only' command to exclude connected interfaces (which the protocol is operating over) from getting injected into ISIS. Which I'm quite disappointed to find doesn't affect IPv6 connected prefixes when using ISIS for v6.

Pussy Noise
Aug 1, 2003

Thanks for the Arista tips. I have a meeting with their local rep on Thursday, let's see what they got :)

Syano
Jul 13, 2005
I am trying to figure out the best way to do something if you guys could offer some input. We just had a layer 2 point to point fiber link dropped in this morning between two offices. Both are almost identical in their configuration in that they have a 3560 handling core switching duties and a 3825 ISR handling routing duties. Can I hand off one side of the connection from the switch and terminate on the router on the other end or should I terminate both ends using the routers and have a private net between them?

ate shit on live tv
Feb 15, 2004

by Azathoth
If it is a layer 2 point to point and you need layer 2 adjacency, just terminate it in the 3560's and make it a trunk. If you are using it as a routed link, then connecting it directly to the routers on a common /30 would be the ticket.

Unless there is another consideration I see no reason to do switch -> router.

Syano
Jul 13, 2005
I guess I never even considered trunking the connection. Good idea thanks!

jwh
Jun 12, 2002

What bandwidth is the fiber link?

Syano
Jul 13, 2005
10 megs. Nothing real fancy

ate shit on live tv
Feb 15, 2004

by Azathoth
Make it a point to point link terminated on the routers. There is no need for layer 2 adjacency, and spanning vlans like that would most likely saturate the link and cause dropped packets, including BPDUs, which would interrupt operation at both offices.

Syano
Jul 13, 2005
Well crapola. Ok then router to router we go!

jwh
Jun 12, 2002

He's got 3560s, he could just enable routing on the switch and turn an interface into a routed port.

3560 ports are a lot cheaper than 3825 ports. Although I guess if you have them either way it doesn't much matter.

Xenomorph
Jun 13, 2001

falz posted:

Is it Cogent as mentioned above? If not that's pretty silly. I have v6 feeds from Sprint and Level3 as well as an HE tunnel that's only used if somehow the other two are down which thus far has been never.

My employer, a small regional ISP/data center, had close to no issues today and will be leaving AAAAs up. The only issue that came up was an SMTP server didn't have our /32 permitted to relay so a single person with SMTP auth disabled bounced some outbound email.

People in our marketing dept asked how it was going. I asked them how their web browsing was and they said just fine. They didn't even realize they had ipv6 addresses.

I just checked the paper trail of email regarding connection issues ... and it is Cogent.

They keep giving the same canned response when you bitch to them:

quote:

"There are no new routing additions scheduled in the near future. It's hard to give a definite rough estimate as new routes are brought on as mutual agreements get made with peering partners. But I would estimate a timeframe of months rather than weeks. In order to get a more complete IPv6 routing table, it may be best to get IPv6 from multiple carriers."


So as of June, we have a "months" timetable set for us getting connected.

It's Ok though, our ASA 5550 keeps rebooting because of buggy IPv6 code, so we may as well just shut that off completely and stick with IPv4 and black & white TVs forever.

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

Xenomorph posted:

It's Ok though, our ASA 5550 keeps rebooting because of buggy IPv6 code, so we may as well just shut that off completely and stick with IPv4 and black & white TVs forever.

I was checking in for CISSP class on Saturday and the guy behind me was complaining of his ASA 5580 doing the same thing after turning up v6.

Any word on exactly what the cause is?

ate shit on live tv
Feb 15, 2004

by Azathoth

jwh posted:

He's got 3560s, he could just enable routing on the switch and turn an interface into a routed port.

3560 ports are a lot cheaper than 3825 ports. Although I guess if you have them either way it doesn't much matter.

Well the way it sounds is this is a small office with routers handling layer3 stuff and the 3560's acting as nothing more than switches. If that is the case then hooking a routed port up to his switches would lead to additional complications, over just putting in 2 static routes on the routers.

but yea, doesn't matter either way.

ragzilla
Sep 9, 2005
don't ask me, i only work here


routenull0 posted:

I was checking in for CISSP class on Saturday and the guy behind me was complaining of his ASA 5580 doing the same thing after turning up v6.

Any word on exactly what the cause is?

No idea what his cause is, but I'm on 8.3(1) and am not having any problems with v6 on my 5510s. But I don't have a lot of traffic through them either.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

ragzilla posted:

No idea what his cause is, but I'm on 8.3(1) and am not having any problems with v6 on my 5510s. But I don't have a lot of traffic through them either.

In two years I saw no more than 20 or 30 cases on v6 and those weren't 30 unique installs. No one really runs it and dev test doesn't catch everything :(. At least it's fixable on the ASA platform. FWSMs pretty much melt if you dual stack.

ragzilla
Sep 9, 2005
don't ask me, i only work here


Tremblay posted:

In two years I saw no more than 20 or 30 cases on v6 and those weren't 30 unique installs. No one really runs it and dev test doesn't catch everything :(. At least it's fixable on the ASA platform. FWSMs pretty much melt if you dual stack.

Somewhat expected, FWSM is EOL'd isn't it? And it's replaced by the ASASM which hopefully doesn't melt?

My biggest gripe with Cisco not 'supporting' still current products is on 3750/3560, unless I'm running v2 hardware or newer it can't support running v4 HSRP and v6 HSRP at the same time? Despite the device supporting dual stack? And 99% of the HSRP work gets punted up to the processor anyway? I love forced obsolescence for a currently shipping product :)

Thankfully I'm able to work around it in most situations by disabling v6 DAD and putting the IPv6 'virtual' on both HSRP interfaces, relying on v4 HSRP to move the MAC around, and setting a static ND entry on the downstream devices. Hell of a hack but it works in small scale (typically 4 router) networks which need v4 and v6 HA through HSRP.

mindphlux
Jan 8, 2004

by R. Guyovich
how do I 'get in to' more extensive networking stuff / cisco device administration?

I've been doing IT work all my life, have a great understanding of tcp/ip, understand the concepts behind vlans etc, but have only worked in small business environments - the most I've encountered as far as 'real' routing equipment is the occasional cisco 1700esque interface for a T-1, or a cheap netscreen or something. and I've never really done anything with cisco ios. I've never worked in a mid-large size business, or a NOC or anything - I feel like I'm probably missing out on an important area of knowledge.

do I just jump headlong into a ccna? any good 'essential' books anyone would suggest?

some kinda jackal
Feb 25, 2003

 
 
I'd recommend Todd Lammle's CCNA prep book from Sybex. It's a pretty comprehensive study guide for the CCNA rather than an "essentials" book. IOS is pretty easy to pick up (in the sense that it's not some cryptic thing once you get to know it) but it's so compartmentalized that you'll be learning its ins and outs for years to come. I'm not sure where to get experience with newer hardware, so I guess I'm in the same boat there. My experience is mostly with old hardware, hoping and praying that it translates over well to new gear, but I'm in no way in any position to make product recommendations at this point that don't involve looking at a chart of devices and their capacity in pps/Mbps.

Sir Sidney Poitier
Aug 14, 2006

My favourite actor


Can anyone recommend a good source to learn about BGP from the ground up? Most of the things I find are for reference, rather than establishing an understanding (as seems to be the case for so many technologies!).

Tremblay
Oct 8, 2002
More dog whistles than a Petco

ragzilla posted:

Somewhat expected, FWSM is EOL'd isn't it? And it's replaced by the ASASM which hopefully doesn't melt?

My biggest gripe with Cisco not 'supporting' still current products is on 3750/3560, unless I'm running v2 hardware or newer it can't support running v4 HSRP and v6 HSRP at the same time? Despite the device supporting dual stack? And 99% of the HSRP work gets punted up to the processor anyway? I love forced obsolescence for a currently shipping product :)

Thankfully I'm able to work around it in most situations by disabling v6 DAD and putting the IPv6 'virtual' on both HSRP interfaces, relying on v4 HSRP to move the MAC around, and setting a static ND entry on the downstream devices. Hell of a hack but it works in small scale (typically 4 router) networks which need v4 and v6 HA through HSRP.

Yes, and it won't melt. It is common codebase with the other ASA.

There are very rigid CPU and memory budgets; I'm presuming that is why you can't on the first gens. Really, most of the time I've seen features withheld due to performance concerns. Not to say that forced obsolescence doesn't happen.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR
I have a grip of SFPs that don't say whether or not they're MM or SM.

ate shit on live tv
Feb 15, 2004

by Azathoth

Anjow posted:

Can anyone recommend a good source to learn about BGP from the ground up? Most of the things I find are for reference, rather than establishing an understanding (as seems to be the case for so many technologies!).

The RFCs?

Specifically:
http://www.ietf.org/rfc/rfc1771.txt

The wiki article on BGP is helpful as well.

If you want practice setting up BGP then you can use GNS or real hardware, juniper, cisco, foundry, etc. and play with BGP there.

Now for my question for anyone with experience with non-cisco ip phones. I'm using some old POS Nortel phones, and I want to use the dataport on the phone, but have the PC that is attached to that be in a different vlan than the voice vlan.

The Cisco switch I'm using is a 2960-PoE and I can set the voice vlan, but AFAIK that uses CDP to determine vlan information. So I need to set a Voice Vlan for the phone, but also allow the phone to pass the data vlan to the attached PC.

What should the switch config be?

wolrah
May 8, 2006
what?

Powercrazy posted:

Now for my question for anyone with experience with non-cisco ip phones. I'm using some old POS Nortel phones, and I want to use the dataport on the phone, but have the PC that is attached to that be in a different vlan than the voice vlan.

The Cisco switch I'm using is a 2960-PoE and I can set the voice vlan, but AFAIK that uses CDP to determine vlan information. So I need to set a Voice Vlan for the phone, but also allow the phone to pass the data vlan to the attached PC.

What should the switch config be?

The switch may not be involved in the decision. I've never used a Nortel phone, but on Polycoms they support both CDP from the switch and special DHCP options where the phone does DHCP on the data VLAN, gets the correct info from that, then restarts its networking on the correct VLAN. Linksys phones either do it manually or via CDP on some models.

A quick Google brings up this, indicating Nortel phones do it via LLDP.

wolrah fucked around with this message at 18:03 on Jun 15, 2011
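With LLDP-MED the switch advertises a Network Policy TLV (TIA-1057, org-specific TLV with OUI 00-12-BB, subtype 2) telling the phone which VLAN to tag its voice traffic into and with what priority and DSCP; the phone then tags its own frames and passes the PC port's frames through untagged on the access (data) VLAN, which is exactly the split Powercrazy is after. The following is an added example, not Nortel or Cisco code, that builds and parses that TLV inside a minimal LLDPDU; the chassis MAC, port name, VLAN and QoS values are constructed:

```python
"""LLDP-MED Network Policy TLV (ANSI/TIA-1057): how a switch tells a phone its voice VLAN.

Added example, not Nortel or Cisco code. Chassis ID, port name, VLAN and
QoS values below are constructed.
"""
import struct

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_ORG_SPECIFIC = 0, 1, 2, 3, 127
TIA_OUI = bytes.fromhex("0012bb")
MED_SUBTYPE_NETWORK_POLICY = 2
APP_VOICE, APP_VOICE_SIGNALING = 1, 2


def tlv(tlv_type, body):
    """LLDP TLV header: 7-bit type, 9-bit length, then the body."""
    if len(body) > 511:
        raise ValueError("TLV body too long")
    return struct.pack("!H", (tlv_type << 9) | len(body)) + body


def network_policy_tlv(app_type, vlan_id, l2_priority, dscp, tagged=True, unknown=False):
    """Org-specific TLV, OUI 00-12-BB subtype 2: app type, then a 24-bit field
    laid out as U(1) T(1) X(1) VLAN-ID(12) L2-priority(3) DSCP(6)."""
    if not (0 <= vlan_id <= 4094 and 0 <= l2_priority <= 7 and 0 <= dscp <= 63):
        raise ValueError("field out of range")
    fields = ((int(unknown) << 23) | (int(tagged) << 22)
              | (vlan_id << 9) | (l2_priority << 6) | dscp)
    body = TIA_OUI + bytes([MED_SUBTYPE_NETWORK_POLICY, app_type]) + fields.to_bytes(3, "big")
    return tlv(TLV_ORG_SPECIFIC, body)


def build_lldpdu(chassis_mac, port_name, ttl, policies):
    """A minimal LLDPDU: the three mandatory TLVs, the policy TLVs, End-of-LLDPDU."""
    return b"".join([
        tlv(TLV_CHASSIS_ID, b"\x04" + chassis_mac),  # chassis subtype 4 = MAC address
        tlv(TLV_PORT_ID, b"\x05" + port_name),        # port subtype 5 = interface name
        tlv(TLV_TTL, struct.pack("!H", ttl)),
        *policies,
        tlv(TLV_END, b""),
    ])


def iter_tlvs(lldpdu):
    """Yield (type, body) until End-of-LLDPDU; reject truncated TLVs."""
    pos = 0
    while pos + 2 <= len(lldpdu):
        (header,) = struct.unpack_from("!H", lldpdu, pos)
        tlv_type, length = header >> 9, header & 0x1FF
        body = lldpdu[pos + 2:pos + 2 + length]
        if len(body) != length:
            raise ValueError("truncated TLV")
        yield tlv_type, body
        if tlv_type == TLV_END:
            return
        pos += 2 + length


def parse_network_policies(lldpdu):
    """Return the MED network policies a phone would read from a received LLDPDU."""
    policies = []
    for tlv_type, body in iter_tlvs(lldpdu):
        if tlv_type != TLV_ORG_SPECIFIC or body[:4] != TIA_OUI + bytes([MED_SUBTYPE_NETWORK_POLICY]):
            continue
        if len(body) != 8:
            raise ValueError("bad network policy TLV length")
        fields = int.from_bytes(body[5:8], "big")
        policies.append({
            "app_type": body[4],
            "unknown_policy": bool((fields >> 23) & 1),
            "tagged": bool((fields >> 22) & 1),
            "vlan_id": (fields >> 9) & 0xFFF,
            "l2_priority": (fields >> 6) & 0x7,
            "dscp": fields & 0x3F,
        })
    return policies


def voice_vlan(policies):
    """The phone's decision: tag its own voice frames with this VLAN and leave the
    PC port's frames untagged on the access/data VLAN. None if no usable policy."""
    for p in policies:
        if p["app_type"] == APP_VOICE and p["tagged"] and not p["unknown_policy"]:
            return p["vlan_id"]
    return None


SAMPLE_LLDPDU = build_lldpdu(
    chassis_mac=bytes.fromhex("001122334455"),  # constructed
    port_name=b"GigabitEthernet0/7",
    ttl=120,
    policies=[network_policy_tlv(APP_VOICE, 200, 5, 46),
              network_policy_tlv(APP_VOICE_SIGNALING, 200, 5, 24)],
)

if __name__ == "__main__":
    print(parse_network_policies(SAMPLE_LLDPDU), voice_vlan(parse_network_policies(SAMPLE_LLDPDU)))
```

The parser ignores the policy when the U (unknown) bit is set, which is what a phone should do too: that bit means the switch has no policy for the application, so the phone should fall back to its configured or DHCP-learned VLAN rather than trusting the rest of the field.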

some kinda jackal
Feb 25, 2003

 
 
I picked up the O'Reilly BGP book by Iljitsch Van Beijnum. I haven't had time to do much but skim it, but it seems like it would be what you're after if you want a good guide and looks to be Cisco-centric inasmuch as it gives you IOS commands.

Sir Sidney Poitier
Aug 14, 2006

My favourite actor


Powercrazy posted:

The RFCs?

Specifically:
http://www.ietf.org/rfc/rfc1771.txt

The wiki article on BGP is helpful as well.

If you want practice setting up BGP then you can use GNS or real hardware, juniper, cisco, foundry, etc. and play with BGP there.

Thanks. I will get a chance to practice with real hardware, just thought I'd like to get a decent grounding in the interim.

Martytoof posted:

I picked up the O'Reilly BGP book by Iljitsch Van Beijnum. I haven't had time to do much but skim it, but it seems like it would be what you're after if you want a good guide and looks to be Cisco-centric inasmuch as it gives you IOS commands.

I believe we have this at work, I will see if I can borrow it.

ragzilla
Sep 9, 2005
don't ask me, i only work here


Zuhzuhzombie!! posted:

I have a grip of SFPs that don't say whether or not they're MM or SM.

What color are the handles?
Black = SX
Blue = LX
Green = ZX

Anjow posted:

Can anyone recommend a good source to learn about BGP from the ground up? Most of the things I find are for reference, rather than establishing an understanding (as seems to be the case for so many technologies!).

Check out ISP essentials (and various other BGP presentations) from
ftp://ftp-eng.cisco.com/cons/

GNS3 is also a great learning platform; I use 7200s running 12.2(33)SRE2 (although you could go newer) in my GNS lab. Make sure you only set the NPEs for 256M memory though (512M breaks under GNS).

-edit-
And of course there are Phil Smith's presentations over the years, which cover a lot of BGP.
ftp://ftp-eng.cisco.com/pfs/seminars/

ragzilla fucked around with this message at 19:48 on Jun 15, 2011

Harry Totterbottom
Dec 19, 2008
Arrg, this Motorola PTP 250 doesn't want to play nice with any of my GBICs in any SFP port I toss it into. Plug it into a regular gigabit ethernet port and no problem, put it in a SFP port and it just stays down/down (and yes, I've used no shut). I've hard set the duplex and speed to what it's negotiating on the gig port that is working, but I'm at a loss since I can't get the SFP port to even acknowledge it is plugged in. Any ideas?

I've also verified the SFP ports and gbics are working by testing them between a couple of switches.

SFP Port
code:
interface GigabitEthernet0/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
 speed 1000
 duplex full

Gig Ethernet
code:
interface GigabitEthernet0/2
 switchport mode trunk

Harry Totterbottom fucked around with this message at 18:34 on Jun 15, 2011

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE

Zuhzuhzombie!! posted:

I have a grip of SFPs that don't say whether or not they're MM or SM.

Look into them :v:
MM = red light
LX/LH = invisible light
ZX = burning light

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

Anjow posted:

Can anyone recommend a good source to learn about BGP from the ground up? Most of the things I find are for reference, rather than establishing an understanding (as seems to be the case for so many technologies!).


http://www.amazon.com/Internet-Routing-Architectures-2nd-Halabi/dp/157870233X/ref=sr_1_1?ie=UTF8&s=books&qid=1308159785&sr=8-1


THE BGP guide!

Bardlebee
Feb 24, 2009

Im Blind.
Question and Problem Time!!:

I want to provide my patrons with free internet, but I don't want to allow them on my network. Is it as simple as using a separate WAP, putting it in a separate VLAN then making an ACL to not allow traffic to my main network?

Also, can I NAT both separate VLANs onto the same external IP?

Harry Totterbottom
Dec 19, 2008

Bardlebee posted:

Question and Problem Time!!:

I want to provide my patrons with free internet, but I don't want to allow them on my network. Is it as simple as using a separate WAP, putting it in a separate VLAN then making an ACL to not allow traffic to my main network?

Also, can I NAT both separate VLANs onto the same external IP?

If your WAP can handle multiple SSIDs then you can do it off a single WAP. You just need to set the second SSID to a different VLAN. You then create an ACL that blocks that VLAN to any other network.

NAT shouldn't be an issue as it'll still be going out the same out interface, but you will probably need to add the VLAN to the ACL you're using for NAT.

Ninja Rope
Oct 22, 2005

Wee.
But that does present a scenario where wireless clients could DoS regular users by consuming all available ports on the NAT'd IP.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Ninja Rope posted:

But that does present a scenario where wireless clients could DoS regular users by consuming all available ports on the NAT'd IP.

Yes. It also presents a situation by which guests could DoS the WAP. Can't win them all dude.

Ninja Rope
Oct 22, 2005

Wee.

Tremblay posted:

Yes. It also presents a situation by which guests could DoS the WAP. Can't win them all dude.

I was just trying to point out that it would be beneficial to NAT them through a different IP if possible, though after re-reading his question it sounds like it's not.

You'll also get to watch out for vlan hopping, maybe implement some kind of throttling/QoS, etc. Just be careful. :)
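The port-exhaustion risk Ninja Rope raises is a capacity problem: one public address has roughly 64k translatable ports, and with PAT every new guest flow consumes one until corporate flows start failing. The following is an added example, not code from the thread or from any router, that models a PAT table and compares the shared-IP setup with the two mitigations discussed (a separate public IP for the guest VLAN, and a per-host translation cap as a form of throttling); the addresses, host counts and flow counts are constructed:

```python
"""Model of many-to-one NAT (PAT) port exhaustion on a shared public address.

Added example, not code from the thread or from any router. Addresses,
host counts and flow counts are constructed; the pool size (ports 1024-65535)
mirrors a typical translatable range.
"""
from collections import Counter
from typing import Optional

PORT_RANGE = range(1024, 65536)  # 64512 translatable ports per public IP


class TranslationFailed(Exception):
    """Raised when a new flow cannot get a translation (its packets would be dropped)."""


class PatPool:
    """One public address, one port per active flow, optional per-source-host cap."""

    def __init__(self, public_ip, per_source_limit: Optional[int] = None):
        self.public_ip = public_ip
        self.per_source_limit = per_source_limit
        self.free_ports = list(PORT_RANGE)
        self.table = {}          # (src_ip, src_port, dst) -> (public_ip, public_port)
        self.per_source = Counter()

    def translate(self, src_ip, src_port, dst):
        key = (src_ip, src_port, dst)
        if key in self.table:
            return self.table[key]
        if self.per_source_limit is not None and self.per_source[src_ip] >= self.per_source_limit:
            raise TranslationFailed(f"{src_ip}: per-host translation limit reached")
        if not self.free_ports:
            raise TranslationFailed(f"{self.public_ip}: port pool exhausted")
        entry = (self.public_ip, self.free_ports.pop())
        self.table[key] = entry
        self.per_source[src_ip] += 1
        return entry


def simulate(guest_hosts=20, flows_per_host=4000, per_source_limit=None, separate_guest_pool=False):
    """Guest-VLAN hosts open many flows, then one corporate host opens a single flow.
    Returns how many guest flows got translated and whether the corporate flow did."""
    corp_pool = PatPool("203.0.113.1", per_source_limit)
    guest_pool = PatPool("203.0.113.2", per_source_limit) if separate_guest_pool else corp_pool
    dst = ("198.51.100.7", 443, "tcp")  # constructed destination
    guest_flows = 0
    for h in range(guest_hosts):
        src = f"10.99.0.{h + 10}"  # constructed guest VLAN addresses
        for f in range(flows_per_host):
            try:
                guest_pool.translate(src, 1024 + f, dst)
                guest_flows += 1
            except TranslationFailed:
                break
    try:
        corp_pool.translate("10.10.10.25", 50000, dst)  # constructed corporate host
        corporate_ok = True
    except TranslationFailed:
        corporate_ok = False
    return {"guest_flows": guest_flows, "corporate_flow_ok": corporate_ok}


def compare():
    """Shared IP vs. shared IP with a per-host cap vs. a dedicated guest IP."""
    return {
        "shared_ip": simulate(),
        "shared_ip_per_host_cap": simulate(per_source_limit=1000),
        "separate_guest_ip": simulate(separate_guest_pool=True),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:24} {result}")
```

The model is deliberately pessimistic: it burns one public port per flow, whereas many NAT implementations reuse a public port across different destinations, so real exhaustion takes more flows than this shows. The ordering of the results is what matters: with a shared address and no cap the corporate flow fails once the guests have used the pool, while either a per-host cap or a dedicated guest address keeps corporate traffic working.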


CrackTsunami
Sep 21, 2004
I enjoy the eating of babies.

Xenomorph posted:

I just checked the paper trail of email regarding connection issues ... and it is Cogent.

They keep giving the same canned response when you bitch to them:



So as of June, we have a "months" timetable set for us getting connected.

It's Ok though, our ASA 5550 keeps rebooting because of buggy IPv6 code, so we may as well just shut that off completely and stick with IPv4 and black & white TVs forever.

Both Cogent and HE are trying to position themselves as Tier 1 for v6 and have basically broken the DFZ for v6. HE keeps trying to act like the knight in shining armor baking cakes, etc but actively refuse to buy transit to Cogent because it breaks what they want in the long term. Cogent refuses to peer because they don't want to help establish another Tier 1 v6 provider.

Since most of HE's prefixes come from tunnels built over v4 anyway it's kind of silly, Cogent has a far larger reach for v4.
