|
jbusbysack posted:You can name it whatever you want, but I'm sure TAC gets great humor in going through a 'sh tech' where the interfaces are named 'fart' 'boobies' 'wiener' and 'lmao'. Cool, thanks for the help! NAT is so much easier on an ASA....
|
# ? Sep 8, 2011 22:50 |
|
|
Bardlebee posted:Cool, thanks for the help! NAT is so much easier on an ASA.... That was almost entirely the point of the PIX/ASA. Though these days Cisco is pretty far behind wrt firewalls, they are still pretty solid for most small things...
|
# ? Sep 9, 2011 05:17 |
|
I went through a 2-hour presentation on IOS-XR with our SEs since we are potentially moving to AS9Ks at a few sites, and I must say that Cisco has fixed a few of my largest problems with Classic IOS in IOS-XR. Finally we are no longer working on a live configuration! I hope they move the "named-objects" feature of ASA into IOS-XR soon because internet-facing ACLs in IOS/IOS-XR are a complete pain in the rear end when dealing with multiple peer links.
|
# ? Sep 9, 2011 14:04 |
|
Bardlebee posted:Cool, thanks for the help! NAT is so much easier on an ASA....
|
# ? Sep 9, 2011 16:48 |
falz posted:I must be backwards since NAT seems so strange on ASA and more logical on IOS. I share this opinion. Making complicated NATs is a pain in the rear end on ASAs.
|
|
# ? Sep 9, 2011 16:55 |
|
I've always hated PIX/ASA syntax.
|
# ? Sep 9, 2011 16:59 |
|
routenull0 posted: I went through a 2-hour presentation on IOS-XR with our SEs since we are potentially moving to AS9Ks at a few sites, and I must say that Cisco has fixed a few of my largest problems with Classic IOS in IOS-XR. This is also nice because you have lots of accounting for configuration changes. Yesterday I was checking out a lab setup I had and noticed that one of my BGP neighbors running XR had gone missing. I checked this device and figured out not only that someone had blown up my entire BGP config, but also who did it and when they did it. I rolled the chassis back to exactly how I left it, then sent them a nice email telling them not to do that. In IOS, that would be "dammit, who did this!?" followed by an hour of cursing while reconfiguring.
|
# ? Sep 9, 2011 17:24 |
|
Eletriarnation posted: This is also nice because you have lots of accounting for configuration changes. Yesterday I was checking out a lab setup I had and noticed that one of my BGP neighbors running XR had gone missing. I checked this device and figured out not only that someone had blown up my entire BGP config, but also who did it and when they did it. I rolled the chassis back to exactly how I left it, then sent them a nice email telling them not to do that. In IOS, that would be "dammit, who did this!?" followed by an hour of cursing while reconfiguring. Yeah, config rollback, commit confirmed, etc. is all stuff I've been waiting for them to implement since I live by it in our Juniper gear.
|
# ? Sep 9, 2011 18:12 |
Eletriarnation posted:In IOS, that would be TACACS+ accounting is your friend! Though yes, XR does it far far better.
|
|
# ? Sep 9, 2011 18:38 |
|
What do you guys think about Vyatta as an ethernet access router? I need something with a lot of cheap bulk CPU power to handle traffic shaping and QoS, and looking at Cisco pricing for some of this stuff just starts to not make sense anymore. It doesn't help that some of our vendors are telling us to get a 7600 chassis, sup-720-3bxl and sip-400 but then aren't telling us what modules for the sip-400 we need, if any. And of course the quotes are bouncing all over the place, +/- $20k.
|
# ? Sep 9, 2011 19:05 |
|
Nuclearmonkee posted:TACACS+ accounting is your friend! Though yes, XR does it far far better. Classic IOS will update the config at the top with the user that last changed it if AAA accounting is turned on I believe. quote:#sh configuration
|
# ? Sep 9, 2011 19:18 |
|
CrazyLittle posted: What do you guys think about Vyatta as an ethernet access router? I need something with a lot of cheap bulk CPU power to handle traffic shaping and QoS, and looking at Cisco pricing for some of this stuff just starts to not make sense anymore. It doesn't help that some of our vendors are telling us to get a 7600 chassis, sup-720-3bxl and sip-400 but then aren't telling us what modules for the sip-400 we need, if any. And of course the quotes are bouncing all over the place, +/- $20k. We use OpenBSD for our transport routers. $3k and less per unit (4 cores, 8 GB RAM, Intel NICs) and we can get a full BGP route feed received and fully calculated in seconds, not 10-15 minutes. Also, the cheap route reflector mesh setup finally makes upstream connection drops truly transparent. We avoided Vyatta because the software they use for BGP is horrible in comparison, but we're *nix admins so we're OK without having a point-and-click interface.
|
# ? Sep 9, 2011 19:54 |
|
Nuclearmonkee posted:TACACS+ accounting is your friend! Though yes, XR does it far far better. TACACS+ with command accounting (and authorization), RANCID, and SEC are quite an awesome combo. Use SEC to watch syslogs and trigger rancid-run on the device when it sees a 'configured by' message. ~Matt
|
# ? Sep 9, 2011 20:22 |
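A script in the spirit of the SEC -> rancid-run hook Matt describes, as an added example (not SEC, RANCID or anything posted in the thread): it pulls the operator, line and source address out of %SYS-5-CONFIG_I syslog lines, skips the boot-time "from memory" variant, and queues one backup per device. The sample log lines are constructed, and the `rancid-run -r <device> <group>` invocation is an assumption about rancid's CLI; by default the script only plans the commands.

```python
"""Config-change watcher: the SEC -> rancid-run hook from the thread, as an
added example. Not SEC or RANCID code; the syslog lines below are constructed."""
import re
import subprocess
from collections import OrderedDict

# Classic IOS logs %SYS-5-CONFIG_I on leaving config mode; the "by <user> on
# <line> (<addr>)" tail is only present when AAA identifies the operator.
CONFIG_I = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<device>\S+) .*?"
    r"%SYS-5-CONFIG_I: Configured from (?P<where>\S+)"
    r"(?: by (?P<user>\S+))?(?: on (?P<line>\S+) \((?P<src>[^)]+)\))?"
)

# Constructed feed: a link flap, two edits by matt, a console edit, a boot load.
SAMPLE_SYSLOG = """\
Sep  9 19:53:58 core-sw1 117: *Sep  9 19:53:57.801: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
Sep  9 19:54:01 core-sw1 118: *Sep  9 19:54:00.991: %SYS-5-CONFIG_I: Configured from console by matt on vty0 (10.0.0.5)
Sep  9 19:54:30 edge-rtr2 204: *Sep  9 19:54:29.115: %SYS-5-CONFIG_I: Configured from console by console
Sep  9 19:55:02 core-sw1 119: *Sep  9 19:55:01.004: %SYS-5-CONFIG_I: Configured from console by matt on vty0 (10.0.0.5)
Sep  9 19:56:10 edge-rtr2 205: *Sep  9 19:56:09.222: %SYS-5-CONFIG_I: Configured from memory by console
"""

def parse_config_events(text):
    """Return one dict per operator config change; unrelated lines are ignored."""
    events = []
    for line in text.splitlines():
        m = CONFIG_I.search(line)
        if not m:
            continue
        event = m.groupdict()
        if event["where"] == "memory":  # NVRAM load at boot, not a person editing
            continue
        events.append(event)
    return events

def devices_to_backup(events):
    """Collapse a burst of changes to one entry per device, keeping the latest actor."""
    latest = OrderedDict()
    for event in events:
        latest[event["device"]] = event
    return latest

def rancid_command(device, group="routers"):
    """Assumed rancid CLI form: rancid-run -r <device> <group> limits the run to one device."""
    return ["rancid-run", "-r", device, group]

def run_backups(text, execute=False):
    """Parse the feed and return (command, user, source) per device; run only if asked."""
    planned = []
    for device, event in devices_to_backup(parse_config_events(text)).items():
        cmd = rancid_command(device)
        planned.append((cmd, event["user"], event["src"]))
        if execute:  # dry run by default so the example is safe to run anywhere
            subprocess.run(cmd, check=False)
    return planned
```

Fed from a real syslog pipe, the user and source address give you the "who and when" that the XR commit history gives for free, and the per-device collapse keeps a long config session from launching a rancid run per line.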
|
*notices memory leak on two insanely important pieces of equipment* *submits TAC* *gets response from TAC* *gets second response from TAC agent who CC'd herself the first auto response* *the second response is a notice saying TAC agent will be out of office until next Tuesday* Fffffffff
|
# ? Sep 9, 2011 21:08 |
|
Zuhzuhzombie!! posted:*notices memory leak on two insanely important pieces of equipment* Call in with PRI 1 issues like that, wait on phone until they connect a TAC engineer.
|
# ? Sep 9, 2011 21:14 |
|
feld posted: We use OpenBSD for our transport routers. $3k and less per unit (4 cores, 8 GB RAM, Intel NICs) and we can get a full BGP route feed received and fully calculated in seconds, not 10-15 minutes. Also, the cheap route reflector mesh setup finally makes upstream connection drops truly transparent. Yeah, unfortunately I don't think I'd be able to get away with a straight BSD stack as an access router. Bosses always want a company to fall back on for support just in case.
|
# ? Sep 9, 2011 21:18 |
|
I realize this won't change your boss's mind, but when what feld described was in the lab we found a bgpd bug and the author fixed it that day.
|
# ? Sep 9, 2011 21:34 |
|
Zuhzuhzombie!! posted:*notices memory leak on two insanely important pieces of equipment* Call in and say you have a system stability issue and want to raise the case severity to 2 or 1 depending on whether you need it fixed "today" or "now".
|
# ? Sep 10, 2011 06:24 |
|
So, I had an interview yesterday and I had a question that completely stumped me, and not for a good reason. I think it was said something like this: "If I had a firewall and two servers were connected and one server was a .5 and I could successfully ping the .5 from the other server, but if I then took the .5 IP address from that server and gave it to the server I was on... suddenly I wouldn't be able to ping the server I was on from the other. They are in the same VLAN." I think I explained that pretty badly, but I am stumped. The guy said there were no ACLs involved that were stopping the communication. When the two servers swapped IP addresses, suddenly you couldn't ping the new .5 server. I am still perplexed. EDIT: On a side note, I discovered what Etherchannel Stack connections were today. Those seem pretty rad! Bardlebee fucked around with this message at 15:17 on Sep 10, 2011 |
# ? Sep 10, 2011 15:13 |
|
Did the new .5 server try pinging the firewall after the swap? If not it had an outdated arp entry for .5
|
# ? Sep 10, 2011 16:30 |
|
Bardlebee posted: So, I had an interview yesterday and I had a question that completely stumped me, and not for a good reason. I think it was said something like this: Two ways to approach that question. First off, if they're on the same VLAN why would the firewall even matter (assuming adherence to VLAN ID = single L2/L3 segment best practices)? Question you should have asked: is this a transparent firewall or an L3 firewall? If transparent, it silently eats packets on the wire, but if an L3 firewall it would never enter the equation due to the servers being L2-adjacent already and would have no need to go through an L3 hop. Which leads to.... The second approach was already described - either a static ARP entry or the ARP had not been updated yet. :edit: Third question is, if you took the .5 off one server, does it even have an IP address left to ping with? Really though, questions like that are about how you tackle the problem, which questions you ask and where you approach the troubleshooting.
|
# ? Sep 10, 2011 17:12 |
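The stale-ARP explanation above, worked through in a small model (added example, not from the thread; the addresses and MACs are constructed): a third host that has already resolved .5 keeps delivering frames to the old MAC after the address moves, a dynamic entry recovers once the new owner announces itself, and a static entry never does. The gratuitous ARP on address change is modelled as most stacks behave, not guaranteed for every OS.

```python
"""ARP model of the interview puzzle: an IP moves between two hosts on one VLAN
and a peer keeps a stale entry. Added example with constructed addresses."""
from dataclasses import dataclass, field

@dataclass
class Node:
    mac: str
    ip: str
    arp: dict = field(default_factory=dict)  # ip -> (mac, is_static), as learned

class Vlan:
    """One broadcast domain: ARP requests reach every node, unicast goes by MAC."""
    def __init__(self, *nodes):
        self.by_mac = {n.mac: n for n in nodes}

    def arp_request(self, asker, ip):
        """Broadcast 'who has ip?'; the owner answers and also learns the asker."""
        for n in self.by_mac.values():
            if n.ip == ip and n is not asker:
                n.arp.setdefault(asker.ip, (asker.mac, False))
                return n.mac
        return None

    def gratuitous_arp(self, sender):
        """Announcement after (re)configuring an address: dynamic entries refresh, static ones stay."""
        for n in self.by_mac.values():
            entry = n.arp.get(sender.ip)
            if entry is not None and not entry[1]:
                n.arp[sender.ip] = (sender.mac, False)

    def ping(self, src, dst_ip):
        """True only if the frame lands on a NIC whose IP stack owns dst_ip."""
        entry = src.arp.get(dst_ip)
        if entry is None:
            mac = self.arp_request(src, dst_ip)
            if mac is None:
                return False
            entry = src.arp[dst_ip] = (mac, False)
        target = self.by_mac.get(entry[0])
        return target is not None and target.ip == dst_ip

def scenario(static_on_fw=False):
    """Firewall pings .5, then .5 moves from B to A, then the firewall pings again."""
    a = Node("00:00:5e:00:53:0a", "10.1.1.4")
    b = Node("00:00:5e:00:53:0b", "10.1.1.5")
    fw = Node("00:00:5e:00:53:fe", "10.1.1.1")
    vlan = Vlan(a, b, fw)
    results = {"before": vlan.ping(fw, "10.1.1.5")}  # fw caches .5 -> B's MAC
    if static_on_fw:
        fw.arp["10.1.1.5"] = (b.mac, True)
    a.ip, b.ip = "10.1.1.5", "10.1.1.6"  # .5 moves to A; B keeps an address
    results["stale"] = vlan.ping(fw, "10.1.1.5")  # frame goes to B, B drops it
    vlan.gratuitous_arp(a)
    results["after_garp"] = vlan.ping(fw, "10.1.1.5")
    return results
```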
|
Upgraded our stack a year ago and 3 out of 6 came into the stack, number 4 joined an hour later, the 5th one a day later, and the 6th one two days later. And Cisco TAC couldn't figure out what was wrong. At least 5 of them booted up fine, but the 6th one gave me this lovely message. code:
|
# ? Sep 11, 2011 20:21 |
|
jbusbysack posted:Really though, questions like that are about how you tackle the problem, which questions you ask and where you approach the troubleshooting. I think this kind of stuff comes with experience. When I read the problem I immediately thought to check the arp table on the switches, but someone that's never had to actually troubleshoot these kinds of issues might not think to start there. Granted I don't think that it should take anyone who understands switching very long to figure out.
|
# ? Sep 12, 2011 05:12 |
|
When Cisco says "hardware redundancy" in an ASR1006, what do they mean exactly?
Zuhzuhzombie!! fucked around with this message at 21:06 on Sep 12, 2011 |
# ? Sep 12, 2011 21:03 |
|
Zuhzuhzombie!! posted:When Cisco says "hardware redundancy" in an ASR1006, what do they mean exactly? It can have redundant Sup/RSP and ESP cards. Also power supplies/fans. As opposed to 1001/1002 which have 'software redundancy' (single RSP/ESP running 2 images)
|
# ? Sep 12, 2011 21:13 |
|
ElCondemn posted:check the arp table on the switches, I think you mean check the arp tables on the hosts.
|
# ? Sep 12, 2011 23:20 |
|
abigserve posted:I think you mean check the arp tables on the hosts. Both. Either can have static entries or proxy entries.
|
# ? Sep 13, 2011 00:42 |
|
jbusbysack posted:Both. Either can have static entries or proxy entries. Switches don't have arp tables...
|
# ? Sep 13, 2011 00:49 |
|
abigserve posted:Switches don't have arp tables... Yes, they can if they're a managed smart switch. code:
CrazyLittle fucked around with this message at 01:14 on Sep 13, 2011 |
# ? Sep 13, 2011 01:12 |
|
abigserve posted: Switches don't have arp tables... Doesn't mean you shouldn't check it. From the info given you don't know if it does L3 or not. Edit: 'Switch' is a vague term, especially in an enterprise environment. Makes no sense to assume anything unless you know its capabilities. It could mean lovely Linksys or 6500/Nexus 7k. Worlds of difference. jbusbysack fucked around with this message at 01:17 on Sep 13, 2011 |
# ? Sep 13, 2011 01:14 |
|
In the context of that question, checking the arp tables on the router is a far more appropriate answer. It doesn't matter whether the router for the segment is a 3750G stack or an 1800, it's still the router. Saying "check the arp tables on the switch" opens your answer up to interpretation - depending on how old-school the interviewer is this could be interpreted as "I do not understand the fundamentals of routing and switching". Keep in mind that answer still isn't correct as it has nothing to do with whether two hosts on the same segment can ping each other.
|
# ? Sep 13, 2011 01:43 |
|
abigserve posted: In the context of that question, checking the arp tables on the router is a far more appropriate answer. It doesn't matter whether the router for the segment is a 3750G stack or an 1800, it's still the router. In the context of the question we can probably assume the "firewall" supports both L2 and L3 and probably up to L7. You're being pedantic; should we call the firewall a switch because it does VLANs? The point is there are arp entries somewhere that could be pointing to the wrong system. Edit: The question, to me, barely makes sense anyway. The question starts with a firewall, but then goes into a question about VLANs. In my eyes the simple question is "I moved the IP from one system to another and I can't reach it now". In my experience when I see a problem like that it's usually an issue with arp. ElCondemn fucked around with this message at 01:58 on Sep 13, 2011 |
# ? Sep 13, 2011 01:48 |
|
I'm not emotionally invested in this so chill! We cool! I just thought your statement could be construed as misleading - at least it would be by most of the senior engineers I work with/have worked with. Bardlebee is clearly eager to learn and using ambiguous terms can cause confusion when you're still picking up the finer details. Edit: I totally agree with you and they probably threw the firewall in there to try and confuse people. abigserve fucked around with this message at 02:11 on Sep 13, 2011 |
# ? Sep 13, 2011 02:02 |
|
Thanks for the help on this guys, heh, I kind of figured it may have been an ARP-like issue. In either case it didn't stump me enough to not proceed with my next interview. I have yet another question. Does anyone have experience with nat-control and how nat 0 comes into play with it? I am reading the Cisco docs on it and I am not understanding why the ASAs need nat-control, what it's used for, and what nat 0 does... Can anyone shed some light on this?
|
# ? Sep 13, 2011 03:05 |
|
Bardlebee posted: Thanks for the help on this guys, heh, I kind of figured it may have been an ARP-like issue. In either case it didn't stump me enough to not proceed with my next interview. 'nat 0' is for NAT exemptions. See my above syntax for how it works. Usually you attach an ACL to the nat 0 statement (for VPNs or devices that are already public-routable via IP).
|
# ? Sep 13, 2011 03:06 |
|
jbusbysack posted: 'nat 0' is for NAT exemptions. See my above syntax for how it works. Usually you attach an ACL to the nat 0 statement (for VPNs or devices that are already public-routable via IP). I guess I realize that nat-control is used to force you to initiate rules to NAT for better security. I am just confused as to what happens when it's disabled. Does the ASA automatically set up a Dynamic NAT situation? Can outside hosts hit your internal network with sessions? EDIT: I think I get it now. NAT-control is enabled and you HAVE to set up a rule to translate no matter what if you want to get through the box, even if it's two internal networks. So for instance if I have 192.168.1.0 and 192.168.2.0 I would have to make a NAT rule that basically converted the IPs both ways. This can however be circumvented with things like nat 0 or other means through NAT exemption so that the IPs do not get translated and just make a one-to-one connection. With NAT-control disabled we would be able to make those one-to-one connections and not have to worry about NATting at all. It confuses me a bit why NAT-control being enabled ensures your network is more secure. I suppose it just means that it locks down everything and you have control on what goes through. Bardlebee fucked around with this message at 03:27 on Sep 13, 2011 |
# ? Sep 13, 2011 03:16 |
|
Bardlebee posted: I guess I realize that nat-control is used to force you to initiate rules to NAT for better security. I am just confused as to what happens when it's disabled. Does the ASA automatically set up a Dynamic NAT situation? Can outside hosts hit your internal network with sessions? For ASA, if NAT control is disabled and you don't have a nat/global pair or static, then the traffic is routed normally (from high security zone to low). ACLs are not required on that platform. You've essentially blown the firewall open for outbound connections. FWSM is different in that each interface MUST have an ACL applied before it will pass traffic. I can't speak to the new ASA blade; I suspect it will be the same as the appliance ASA.
|
# ? Sep 13, 2011 04:24 |
|
Hmmmm.3750 posted:Warning: This CLI will be deprecated soon. Please move to radius server <name> CLI The new RADIUS sub menu doesn't really seem to work. I put in the address "address ipv4 ##.##.##.##" and then put in my radius key "key 0 stuff", but the radius string never generates. If I do "pac key stuff" the radius string generates, but I get error messages that "Request to provisioning driver failed." and I can't add a second radius IP address and key. Any idea? code:
Zuhzuhzombie!! fucked around with this message at 15:33 on Sep 13, 2011 |
# ? Sep 13, 2011 15:05 |
|
What version of code is that?
|
# ? Sep 13, 2011 15:50 |
|
|
Actually just tested it and despite it not generating the key like I expected/am used to, RADIUS did kick in and it did let me log in with non-local credentials. Very weird. Now I just gotta figure out if it's possible to actually view those settings since they don't appear in "show run". EDIT: More weirdness. Added:
aaa new-model
!
!
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting system default start-stop group radius
To both TEST Sw1 A and B. Was able to initially log into TEST Sw1 A with RADIUS info. Added RADIUS info and AAA to TEST Sw1 B and was able to log into it with RADIUS credentials. Did a "show run" on B and it did show generated RADIUS strings in the config. Went back to check TEST Sw1 A again and was not able to log in via RADIUS. It also did not have the generated keys. Running c3750-ipservicesk9-mz.122-58.SE1.bin. EDIT: Another update: may have left the old RADIUS strings in when I moved over configs from old switches. When those are taken out of TEST A and B, I cannot log in with RADIUS credentials, even when setting the server through the new RADIUS CLI. The old RADIUS commands still work in spite of the error that you should set them up via the new RADIUS submenu. Zuhzuhzombie!! fucked around with this message at 16:16 on Sep 13, 2011 |
# ? Sep 13, 2011 15:57 |