falz
Jan 29, 2005

01100110 01100001 01101100 01111010

nzspambot posted:

Does anyone have any info on the 3850 Catalyst Switches yet?
The most info I've seen so far is here:

https://puck.nether.net/pipermail/cisco-nsp/2013-January/088884.html

And you can view the images on Cisco's download page.

less than three
Aug 9, 2007

Fallen Rib
Anyone know a creative way to allow traffic to pass between a ZBF member and a non-member?

Have an interface as a zone-member security and I can't convert the other interface to ZBF at the moment. Taking the ZBF off isn't an option.

nzspambot
Mar 26, 2010

falz posted:

The most info I've seen so far is here:

https://puck.nether.net/pipermail/cisco-nsp/2013-January/088884.html

And you can view the images on Cisco's download page.

Yep, that's what piqued my interest.

bloody NDAs

ate shit on live tv
Feb 15, 2004

by Azathoth

falz posted:

The most info I've seen so far is here:

https://puck.nether.net/pipermail/cisco-nsp/2013-January/088884.html

And you can view the images on Cisco's download page.

So it's a single RU switch running IOX? I assume Class4 PoE, stacking, and probably the same ASICs used in the new 4500 linecards. Seems cool.

Probably a similar form factor to the 2960S too (52 ports, console on the front, etc.).

Got a link to the image?

jwh
Jun 12, 2002

I tried to move my 8.4 ASAs into production.

Tried.

:saddowns:

I don't know why the ASAs are such obstinate beasts.

ICMP was fine. UDP was fine. TCP SYN-ACKs were being lost, somewhere, mysteriously.

Screw you ASAs!

Fatal
Jul 29, 2004

I'm gunna kill you BITCH!!!

nzspambot posted:

Yep, that's what piqued my interest.

bloody NDAs

1U 48P switch with WLC built in, cray cray.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

jwh posted:

I tried to move my 8.4 ASAs into production.

Tried.

:saddowns:

I don't know why the ASAs are such obstinate beasts.

ICMP was fine. UDP was fine. TCP SYN-ACKs were being lost, somewhere, mysteriously.

Screw you ASAs!
I ran into a similar or the same issue with a customer's network last week. A consulting company designed it, but it was not well thought out. Traffic flow was such that traffic from remote sites came from a managed MPLS network: the SYN would hit the host, but the reply would hit the gw, which was the ASA. It naturally dropped it since it's stateful.

Had to do this fucker to fix:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml

+ disable a bunch of inspect poo poo for UDP to work.

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!

falz posted:

I ran into a similar or the same issue with a customer's network last week. A consulting company designed it, but it was not well thought out. Traffic flow was such that traffic from remote sites came from a managed MPLS network: the SYN would hit the host, but the reply would hit the gw, which was the ASA. It naturally dropped it since it's stateful.

Had to do this fucker to fix:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml

+ disable a bunch of inspect poo poo for UDP to work.

That's kind of an interesting scenario. How did you figure out that you had to configure it this way? I run into a lot of weird design poo poo working for an MSP, but I can't say I've seen that one in the past.

abigserve
Sep 13, 2009

this is a better avatar than what I had before

falz posted:

I ran into a similar or the same issue with a customer's network last week. A consulting company designed it, but it was not well thought out. Traffic flow was such that traffic from remote sites came from a managed MPLS network: the SYN would hit the host, but the reply would hit the gw, which was the ASA. It naturally dropped it since it's stateful.

Had to do this fucker to fix:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml

+ disable a bunch of inspect poo poo for UDP to work.

You had an asymmetric routing issue and your response was to disable TCP state checking on the customer's firewall? :stare: Why not just fix the routing problem?

jwh posted:

I tried to move my 8.4 ASAs into production.

Tried.

:saddowns:

I don't know why the ASAs are such obstinate beasts.

ICMP was fine. UDP was fine. TCP SYN-ACKs were being lost, somewhere, mysteriously.

Screw you ASAs!

Nothin' in the logs I presume?

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

abigserve posted:

You had an asymmetric routing issue and your response was to disable TCP state checking on the customer's firewall? :stare: Why not just fix the routing problem?

Wondering this as well.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

abigserve posted:

You had an asymmetric routing issue and your response was to disable TCP state checking on the customer's firewall? :stare: Why not just fix the routing problem?
Consulting: If you aren't part of the solution, there is a lot of money to be made by prolonging the problem.

doomisland
Oct 5, 2004

Anyone have any experience with ASR9K1?

ragzilla
Sep 9, 2005
don't ask me, i only work here


doomisland posted:

Anyone have any experience with ASR9K1?

9001? Should be similar to a 9000 running an RSP440 and SE line cards, capability-wise. I have a couple of 9010s running the old RSPs in one of our DCs. What're you trying to do?

doomisland
Oct 5, 2004

ragzilla posted:

9001? Should be similar to a 9000 running an RSP440 and SE line cards, capability-wise. I have a couple of 9010s running the old RSPs in one of our DCs. What're you trying to do?

Router on our edge that would be taking in at least 4 full BGP tables, probably at least a few more in the future. A 10G here and there and at least 10 1G SFP ports. Of the models Cisco has, it seemed it would be able to handle it and is in a small form factor.

edit: I should note I'm more familiar with Juniper than Cisco, so it would be something equal to an MX80 at least.

ragzilla
Sep 9, 2005
don't ask me, i only work here


doomisland posted:

Router on our edge that would be taking in at least 4 full BGP tables, probably at least a few more in the future. A 10G here and there and at least 10 1G SFP ports. Of the models Cisco has, it seemed it would be able to handle it and is in a small form factor.

edit: I should note I'm more familiar with Juniper than Cisco, so it would be something equal to an MX80 at least.

Looks pretty drat similar to an MX80 in terms of ports (4 onboard SFP+/XFP, 2 modular cards taking 20x1G/2x10G/4x10G/1x40G) and feature set. The 9001 also supports Cisco's nV Edge clustering if that's appealing (MLACP etc. on a clustered router pair, similar to VSS or Juniper VC).

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

abigserve posted:

You had an asymmetric routing issue and your response was to disable TCP state checking on the customer's firewall? :stare: Why not just fix the routing problem?

Nothin' in the logs I presume?
In this case a Cisco partner/"professional" consulting firm sold a bunch of stuff (2901, ASA5512X) to a customer of theirs but had no idea how to configure it or properly design anything. This customer of theirs had a contract with a different managed firewall which ended that week, and they were going to pull everything out. They contacted us the day before it all had to go into production because they knew they couldn't get it to work themselves.

The gist of the conference call a few hours before the work was "hey could you configure a few IOS routers? thanks." They then snuck in "Oh can you look at this ASA firewall config we whipped up? We think it's right!" at the end of the conference call. Oh and "That's only about an hour of consulting work, right?" Then we got to see the config and how everything was really set up the night that they swapped it all in. Greeaat.

Part of their client's network is AT&T managed L3 MPLS network with routers that were out of everyone's control, especially on such a short timeline. Packet flow was:

Remote site -> AT&T router -> host
host -> ASA (default gw) -> AT&T router -> remote site

Yes, the ASA logged dropped return packets since it never saw the first one if coming from a remote site. Traffic from the site with the ASA worked fine since it was the default and had 'same-security-traffic permit intra-interface' enabled.

The better way to do it would have been to put an ASA interface towards the MPLS network, but it is on the same /24 as the rest of their office, and this would have meant renumbering an office of servers, workstations, etc. Or figure out some NAT fuckery, but gently caress that.

It's definitely dumb and I would not design a network like this. What's even more fun is they want to do all sorts of policy based routing and it's going to be a disaster. We told them we didn't want to help at all but they basically forced us to at least get something working.
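A constructed model of the failure described above, added here and not code from the thread or from Cisco: a toy stateful firewall that only admits packets belonging to a flow whose SYN it saw, fed the thread's packet flow (remote -> AT&T router -> host bypasses the ASA; host -> ASA -> AT&T router transits it). The hosts, ports, the transits_asa() rule and the tcp_state_bypass flag are assumptions; the flag stands in for disabling the TCP state check as in the linked Cisco document.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK


Key = Tuple[str, int, str, int]  # (initiator, initiator port, responder, responder port)


class StatefulFirewall:
    """A flow exists only if this box saw its SYN; tcp_state_bypass skips that check."""

    def __init__(self, tcp_state_bypass: bool = False) -> None:
        self.conns: Dict[Key, str] = {}
        self.tcp_state_bypass = tcp_state_bypass
        self.log: List[str] = []

    def forward(self, pkt: Packet) -> bool:
        fwd: Key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev: Key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == "S":
            self.conns[fwd] = "SYN_SEEN"  # a SYN opens a connection entry
            return True
        if fwd in self.conns or rev in self.conns:
            if pkt.flags == "SA" and rev in self.conns:
                self.conns[rev] = "SYNACK_SEEN"
            return True
        # No entry: out-of-state packet. Logged either way so the asymmetry stays visible;
        # dropped unless state checking has been bypassed (constructed log format).
        self.log.append(f"Deny TCP (no connection) {pkt.flags} "
                        f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return self.tcp_state_bypass


def transits_asa(pkt: Packet, local_host: str) -> bool:
    """Only traffic leaving the office host uses the ASA as default gateway (assumption)."""
    return pkt.src == local_host


def handshake(fw: StatefulFirewall, client: str, server: str, local_host: str) -> List[Tuple[str, bool]]:
    """Run SYN / SYN-ACK / ACK and stop at the first packet the firewall drops."""
    pkts = [Packet(client, 40000, server, 22, "S"),
            Packet(server, 22, client, 40000, "SA"),
            Packet(client, 40000, server, 22, "A")]
    result: List[Tuple[str, bool]] = []
    for pkt in pkts:
        passed = fw.forward(pkt) if transits_asa(pkt, local_host) else True
        result.append((pkt.flags, passed))
        if not passed:
            break
    return result


HOST, REMOTE = "10.1.1.10", "10.2.2.20"  # constructed: office host, MPLS remote site


def remote_initiated(bypass: bool = False) -> List[Tuple[str, bool]]:
    # Remote site opens a connection to the office host: the broken case.
    return handshake(StatefulFirewall(bypass), REMOTE, HOST, HOST)


def local_initiated() -> List[Tuple[str, bool]]:
    # Office host opens a connection to the remote site: the case that worked.
    return handshake(StatefulFirewall(), HOST, REMOTE, HOST)
```

remote_initiated() stops at the SYN-ACK, which is exactly the "dropped return packet" the ASA logged; local_initiated() completes because the ASA saw the SYN and the reply simply never crosses it.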

abigserve
Sep 13, 2009

this is a better avatar than what I had before

falz posted:

In this case a Cisco partner/"professional" consulting firm sold a bunch of stuff (2901, ASA5512X) to a customer of theirs but had no idea how to configure it or properly design anything. This customer of theirs had a contract with a different managed firewall which ended that week, and they were going to pull everything out. They contacted us the day before it all had to go into production because they knew they couldn't get it to work themselves.

The gist of the conference call a few hours before the work was "hey could you configure a few IOS routers? thanks." They then snuck in "Oh can you look at this ASA firewall config we whipped up? We think it's right!" at the end of the conference call. Oh and "That's only about an hour of consulting work, right?" Then we got to see the config and how everything was really set up the night that they swapped it all in. Greeaat.

Part of their client's network is AT&T managed L3 MPLS network with routers that were out of everyone's control, especially on such a short timeline. Packet flow was:

Remote site -> AT&T router -> host
host -> ASA (default gw) -> AT&T router -> remote site

Yes, the ASA logged dropped return packets since it never saw the first one if coming from a remote site. Traffic from the site with the ASA worked fine since it was the default and had 'same-security-traffic permit intra-interface' enabled.

The better way to do it would have been to put an ASA interface towards the MPLS network, but it is on the same /24 as the rest of their office, and this would have meant renumbering an office of servers, workstations, etc. Or figure out some NAT fuckery, but gently caress that.

It's definitely dumb and I would not design a network like this. What's even more fun is they want to do all sorts of policy based routing and it's going to be a disaster. We told them we didn't want to help at all but they basically forced us to at least get something working.

So from what you're saying, the AT&T routers have two routes to the same destination network, one through the ASA and one not through the ASA, and their preferred route is the one without the ASA in the way? Why is the other route even there?

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR
If a serial multilink group does not have the clock source specified on the multilink, this indicates that it is sourcing the clock from the line, correct?

CrazyLittle
Sep 11, 2001

Clapping Larry

Zuhzuhzombie!! posted:

If a serial multilink group does not have the clock source specified on the multilink, this indicates that it is sourcing the clock from the line, correct?

Correct. If you don't specify a clock source, the default is line.

http://www.cisco.com/en/US/docs/ios/12_2t/inter/command/reference/irfthw1.html#wp1131668

quote:

clock source

To configure the clock source of a DS1 link, enter the clock source command in interface configuration or ATM interface configuration mode. To restore the default line setting, use the no form of this command.

clock source {line | internal | loop-timed}

no clock source

CrazyLittle fucked around with this message at 20:39 on Jan 23, 2013

jwh
Jun 12, 2002

abigserve posted:

You had an asymmetric routing issue and your response was to disable TCP state checking on the customer's firewall? :stare: Why not just fix the routing problem?


Nothin' in the logs I presume?

Nothing useful. Syn timeouts, which is understandable, since the box never saw the synack.

ragzilla
Sep 9, 2005
don't ask me, i only work here


Zuhzuhzombie!! posted:

If a serial multilink group does not have the clock source specified on the multilink, this indicates that it is sourcing the clock from the line, correct?

The multilink itself doesn't have a clock source, however the underlying T1s need to have one end or the other supplying clock or they'll slip.

Syano
Jul 13, 2005
Ok so I got the VLANs built on my 2960s, set the system jumbo mtu 9000 command on all the switches, and reloaded them all. I went to test my config and did an extended ping from one switch to another using 1700 for the size, and I set the DF bit so I would have no fragmentation. I am getting no communication. Where do I go from here?

ior
Nov 21, 2003

What's a fuckass?

Syano posted:

Ok so I got the VLANs built on my 2960s, set the system jumbo mtu 9000 command on all the switches, and reloaded them all. I went to test my config and did an extended ping from one switch to another using 1700 for the size, and I set the DF bit so I would have no fragmentation. I am getting no communication. Where do I go from here?

Did you raise the MTU of the layer3 interface you were pinging from?

Syano
Jul 13, 2005

ior posted:

Did you raise the MTU of the layer3 interface you were pinging from?

Ok I just did a show vlan mtu and it shows the svi_mtu as 1500. I am assuming that explains it right there?

ior
Nov 21, 2003

What's a fuckass?

Syano posted:

Ok I just did a show vlan mtu and it shows the svi_mtu as 1500. I am assuming that explains it right there?

Yup, unfortunately it is quite likely that you won't be able to up the L3 SVI MTU on that switch; however, that won't affect your traffic running through the box, only the test you are attempting now.

Syano
Jul 13, 2005

ior posted:

Yup, unfortunately it is quite likely that you won't be able to up the L3 SVI MTU on that switch; however, that won't affect your traffic running through the box, only the test you are attempting now.

Been pulling my hair out for a while over this. Thanks. I guess tomorrow I can hook up a couple hosts and just ping across to make sure it works

ragzilla
Sep 9, 2005
don't ask me, i only work here


Syano posted:

Ok I just did a show vlan mtu and it shows the svi_mtu as 1500. I am assuming that explains it right there?

You may be able to "ip mtu" up to 1998 (max size accepted by the CPU).

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

abigserve posted:

So from what you're saying, the AT&T routers have two routes to the same destination network, one through the ASA and one not through the ASA, and their preferred route is the one without the ASA in the way? Why is the other route even there?
The ATT routers at minimum have routes between sites, each site is a /24. Other than that, who knows. I doubt they had a default out the ASA. My assumption is that they have routes between themselves and that's it.

ate shit on live tv
Feb 15, 2004

by Azathoth

Syano posted:

Ok so I got the VLANs built on my 2960s, set the system jumbo mtu 9000 command on all the switches, and reloaded them all. I went to test my config and did an extended ping from one switch to another using 1700 for the size, and I set the DF bit so I would have no fragmentation. I am getting no communication. Where do I go from here?

Always test THROUGH networking equipment, not TO the equipment. Remember there is a significant difference between the control plane and the forwarding plane; even older stuff handled traffic destined for the router much differently than traffic being routed by it. This will only get more defined as SDN gains more traction.

abigserve
Sep 13, 2009

this is a better avatar than what I had before
Speaking of SDN, has anyone had any chance to play with OpenFlow yet? I've got an OF-capable switch... and a controller... but I'm sorta stuck on how to progress with it (if it's even worthwhile?)

I've heard OpenFlow is going to be the next wave of networking but a lot of it seems to be rumblings from software people who have no idea what problems they are out to solve.

Ninja Rope
Oct 22, 2005

Wee.

abigserve posted:

Speaking of SDN, has anyone had any chance to play with OpenFlow yet? I've got an OF-capable switch... and a controller... but I'm sorta stuck on how to progress with it (if it's even worthwhile?)

I've heard OpenFlow is going to be the next wave of networking but a lot of it seems to be rumblings from software people who have no idea what problems they are out to solve.

Openflow is something I'm probably going to end up having to work a lot on this year, but so far I've been too neglectful/busy to get involved with it yet. Similarly, I might end up at Nicira all next week...

ate shit on live tv
Feb 15, 2004

by Azathoth
I haven't gotten to touch anything SDN or Openflow related. I'd love to, but I don't even know what products have that stuff or how I'd use it.

Syano
Jul 13, 2005

Powercrazy posted:

Always test THROUGH networking equipment, not TO the equipment. Remember there is a significant difference between the control plane and the forwarding plane; even older stuff handled traffic destined for the router much differently than traffic being routed by it. This will only get more defined as SDN gains more traction.

I actually did not know this. Yesterday was the first time in my life that I actually realized that the switches did not pass any forwarding traffic through the CPU. I am one of the million jack-of-all-trades admins who is not really an expert at anything, so I guess I never had to know. I guess it all makes sense now though when I think about it. I am embarrassed that I didn't know. I actually have my CCNA that I just passed at the end of 2011 (by 2 points :cripes: )

EDIT: If anyone is interested in the plight of my dumbness... I had another problem as well: I was pinging across the switches this morning and still couldn't get it to work. Started to get upset. Then all of a sudden I realized I hadn't enabled jumbo on the laptops. Even further stupidity: I soon realized that one of the laptops I was using did not even support jumbo. I am a moron and I should go die.

Syano fucked around with this message at 16:37 on Jan 24, 2013

ragzilla
Sep 9, 2005
don't ask me, i only work here


Powercrazy posted:

I haven't gotten to touch anything SDN or Openflow related. I'd love to, but I don't even know what products have that stuff or how I'd use it.

Brocade and HP are pretty much the only 2 vendors making commercial Openflow hardware AFAIK. Seems like the best use I've seen so far is when you have multiple datacenters and need to schedule bulk transfers (transfer agent requests a path between 2 DCs from your Openflow control plane which provisions an MPLS LSP based on bandwidth availability/cost)

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
There's also stuff like this:

http://www.pica8.org/documents/pica8-product-quick-reference-guide-dec2012-d.pdf

I got a quote last year for some lab testing; it seemed reasonably priced.

Jelmylicious
Dec 6, 2007
Buy Dr. Quack's miracle juice! Now with patented H-twenty!
NEC has some switches too: https://www.necam.com/SDN/

Mierdaan
Sep 14, 2004

Pillbug
I hear about SDN mostly from virtualization folks who are excited about not having to build big stretched layer2 networks. Is that what is driving it? What other applications does it have?

chestnut santabag
Jul 3, 2006

falz posted:

The most info I've seen so far is here:

https://puck.nether.net/pipermail/cisco-nsp/2013-January/088884.html

And you can view the images on Cisco's download page.

I had a quick look at the images available to download for the 3850s.

200+MB images for an access switch :stare:

Gap In The Tooth
Aug 16, 2004

chestnut santabag posted:

I had a quick look at the images available to download for the 3850s.

200+MB images for an access switch :stare:

Cisco IOS images: the new HP printer drivers.

abigserve
Sep 13, 2009

this is a better avatar than what I had before

ragzilla posted:

Brocade and HP are pretty much the only 2 vendors making commercial Openflow hardware AFAIK. Seems like the best use I've seen so far is when you have multiple datacenters and need to schedule bulk transfers (transfer agent requests a path between 2 DCs from your Openflow control plane which provisions an MPLS LSP based on bandwidth availability/cost)

A lot of the solutions you hear about that are implemented using OpenFlow are built on top of MPLS.

The main use of Openflow that I can see is policy-based routing on steroids. There are other uses though, like using it to do true packet-by-packet load-balancing within a port-channel.

Whether it will survive without vendor backing is the question. It's already in use within Google, but Google have a huge team of engineers whose job description probably goes "do whatever you want, for however long it takes. Your budget is infinity money."
