abigserve
Sep 13, 2009

this is a better avatar than what I had before

bort posted:

F5 and Palo Alto come to mind, too.

The F5 gui is pretty good, even on version 10. Everything is laid out in a sensible manner, it's quick to respond to requests and there's no ambiguity.

Course you can also just edit the config files directly then restart the server daemon.

ragzilla
Sep 9, 2005
don't ask me, i only work here



Aka RFC 4193 - unique local addresses

http://blog.ipexpert.com/2010/08/02/ipv6-unique-local-addressing-explained/

doomisland
Oct 5, 2004

Also keep in mind that you do have Global unique addresses that you're assigned which is enough to work with (you requested the correct amount right?). Just because they're globally unique doesn't mean they need direct access to 'the internet'.

ruro
Apr 30, 2003

QPZIL posted:

So, IPv6...

code:
xxxx:xxxx:          <== the ISP
xxxx:               <== the individual user/site/section of ISP space
xxxx:               <== the subnet
xxxx:xxxx:xxxx:xxxx <== the individual interface

(ISP:ISP:YOU:SUB:INT:INT:INT:INT)
You can use SUB:INT:INT:INT:INT however you wish.

bort posted:

The other thing to remember is that if you subnet below /64 you will break SLAAC on the subnet.

I can't see SLAAC being terribly important on an enterprise network that uses DHCP. Particularly DHCP can be used to deliver non-addressing related options (NTP, TFTP, etc).

SamDabbers
May 26, 2003



ruro posted:

I can't see SLAAC being terribly important on an enterprise network that uses DHCP. Particularly DHCP can be used to deliver non-addressing related options (NTP, TFTP, etc).

You can use DHCPv6 to deliver the non-addressing related options AND use SLAAC. It doesn't have to be stateful DHCPv6.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer
Is there a curmudgeon's guide to IPv6 available somewhere on the internet? I'm a real IT person with real networking knowledge, but have done nothing with IPv6. I feel like I am way behind the times since I'm not even running it at home.

psydude
Apr 1, 2008

^e: I totally want to run IPv6 (dual stack of course) at my next place just for the hell of it.

doomisland posted:

Also keep in mind that you do have Global unique addresses that you're assigned which is enough to work with (you requested the correct amount right?). Just because they're globally unique doesn't mean they need direct access to 'the internet'.

I only requested 152,000 :(

SamDabbers
May 26, 2003



adorai posted:

Is there a curmudgeon's guide to IPv6 available somewhere on the internet? I'm a real IT person with real networking knowledge, but have done nothing with IPv6. I feel like I am way behind the times since I'm not even running it at home.

Get a free tunnel and check out the tests/exercises here.

BurgerQuest
Mar 17, 2009

by Jeffrey of YOSPOS

psydude posted:

^e: I totally want to run IPv6 (dual stack of course) at my next place just for the hell of it.


I only requested 152,000 :(

I ended up with 79228162514264337593543950336 after making a pretty vague request to APNIC (we only have a /23 for IPv4... running out of that too). Unfortunately none of our end-user satellite equipment supports IPv6 but I guess I could tunnel remote IPv6 networks.

doomisland
Oct 5, 2004

We have a /32 and a /22 I think? Too lazy to look into the IPAM.

Docjowles
Apr 9, 2009

The "swatting a fly with a Buick" aspect of IPv6 does amuse me. Oh, a /24 isn't enough for you, tough guy? Ok, here's more address space than all of IPv4. We give no fucks :dealwithit:

doomisland
Oct 5, 2004

Just have to remember you can only route a /48 on the internet, which also means you get huge rear end space for each site. Used to be a /32 too, which is how we got such a large allocation. I think now RIRs give out a /46?

SamDabbers
May 26, 2003



ARIN will give you a /44 if you tell them you have two sites. It's great that the address space is so large because it's really easy to get roomy allocations.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR
Any of you guys have training by Raj Toumai (sic?)? Guy is a savant!

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE
I wonder what my /19 of v4 space will get me in IPv6.

e:
One of my blocks was an ISP assignment (product never panned out though) so I could get a /32 if I wanted to be a dick.

FatCow fucked around with this message at 05:21 on Aug 23, 2013

SamDabbers
May 26, 2003



FatCow posted:

I could get a /32 if I wanted to be a dick.

That's the thing... the address space is so massive that the dickliness of taking up a /32 would be minuscule. Here's an illustration of just how big we're talking.

BurgerQuest
Mar 17, 2009

by Jeffrey of YOSPOS
I don't even remember making an argument for our /32, I just thought we might as well get an allocation while I was doing IPv4 stuff.

CrazyLittle
Sep 11, 2001





Clapping Larry

doomisland posted:

Just have to remember you can only route a /48 on the internet, which also means you get huge rear end space for each site. Used to be a /32 too, which is how we got such a large allocation. I think now RIRs give out a /46?

If you're an end user it's between a /44-48 depending on your demonstrated need. If you're a provider, then they'll give you a /32 by default... smaller if you ask for it, or bigger if you show justification.

ragzilla
Sep 9, 2005
don't ask me, i only work here


FatCow posted:

I wonder what my /19 of v4 space will get me in IPv6.

e:
One of my blocks was an ISP assignment (product never panned out though) so I could get a /32 if I wanted to be a dick.

How many sites do you have?

ARIN NRPM 6.5.8.2 Initial Assignment Size posted:

Organizations that meet at least one of the initial assignment criteria above are eligible to receive an initial assignment of /48. Requests for larger initial assignments, reasonably justified with supporting documentation, will be evaluated based on the number of sites in an organization’s network and the number of subnets needed to support any extra-large sites defined below.

The initial assignment size will be determined by the number of sites justified below. An organization qualifies for an assignment on the next larger nibble boundary when their sites exceed 75% of the /48s available in a prefix. For example:

More than 1 but less than or equal to 12 sites justified, receives a /44 assignment;

More than 12 but less than or equal to 192 sites justified, receives a /40 assignment;

More than 192 but less than or equal to 3,072 sites justified, receives a /36 assignment;

More than 3,072 but less than or equal to 49,152 sites justified, receives a /32 assignment; etc...

Or if you make assignments to end users and are considered an ISP/LIR, you can get a /32.
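Where the site thresholds in the quoted policy come from, as an added check that is not part of the post: each nibble boundary above /48 holds 16 times as many /48s as the one before, and the threshold is 75% of that count.

$$
\begin{aligned}
/44 &: 2^{48-44} = 16 \text{ /48s}, & 0.75 \times 16 &= 12 \\
/40 &: 2^{48-40} = 256, & 0.75 \times 256 &= 192 \\
/36 &: 2^{48-36} = 4096, & 0.75 \times 4096 &= 3072 \\
/32 &: 2^{48-32} = 65536, & 0.75 \times 65536 &= 49152
\end{aligned}
$$

So for $n > 1$ justified sites the initial assignment is the longest prefix length $p \in \{44, 40, 36, 32, \dots\}$ with $n \le 0.75 \cdot 2^{48-p}$; a single site gets the /48. For example $n = 12$ satisfies $12 \le 12$ at /44, while $n = 13$ fails there and lands on /40, matching the quoted table.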

ToG
Feb 17, 2007
Rory Gallagher Wannabe
Is there ever an occasion when you'd put an ip helper on a vlan which points to an address within that vlan? i.e. 192.168.1.0/24 with the helper as 192.168.1.20?

I saw it in a configuration today and I'm still trying to wrap my brain around it.

BurgerQuest
Mar 17, 2009

by Jeffrey of YOSPOS
We run a tunnel from an IOS router to an HA pair of ASAs in another country to NAT RADIUS from two RADIUS clients to a server behind the ASA. This works great for a few weeks till it doesn't. 5 hours of troubleshooting later with no configuration changes on each end and multiple rebuilds of the tunnel, we failover the ASAs and it starts working. We fail them back. Still working. What the gently caress.

ate shit on live tv
Feb 15, 2004

by Azathoth

ToG posted:

Is there ever an occasion when you'd put an ip helper on a vlan which points to an address within that vlan? i.e. 192.168.1.0/24 with the helper as 192.168.1.20?

I saw it in a configuration today and I'm still trying to wrap my brain around it.

ip helper will turn broadcast dhcp requests into unicast requests. If for some reason the DHCP server NIC doesn't handle broadcasts well, or if you have broadcasts turned off on the SVI, the helper address will ensure the DHCP server gets the requests.

Herv
Mar 24, 2005

Soiled Meat

BurgerQuest posted:

We run a tunnel from an IOS router to an HA pair of ASAs in another country to NAT RADIUS from two RADIUS clients to a server behind the ASA. This works great for a few weeks till it doesn't. 5 hours of troubleshooting later with no configuration changes on each end and multiple rebuilds of the tunnel, we failover the ASAs and it starts working. We fail them back. Still working. What the gently caress.

Just for s&g are the phase1 and 2 lifetimes matching?

Does one side try to re-key after a certain data threshold?

sellouts
Apr 23, 2003

This is more of a Cisco hardware question vs a software question.

I'm moving into an office with a 500X switch with a fiber run connecting the other half of the office to another 500X switch. I have to replace one of these switches but not the other.

Could I save some money and get a 500 series switch with a 5gb SFP fiber module to connect to the 500x with 10gb SFP?

Assumptions:
** We will very likely not saturate the 5gb fiber connection, 10gb seems overkill
** Due to physical space we will not need to add another switch. We have plenty of ports leftover in the current situation.
** With only 2 switches and a very simple topography I don't see us needing complicated management setup. A 500 and 500X would likely not be stackable but would I really need that with such a relatively small setup?
** We do not need POE
** If it matters, we are a 99% mac shop with a few small linux servers for development.

n0tqu1tesane
May 7, 2003

She was rubbing her ass all over my hands. They don't just do that for everyone.
Grimey Drawer
Generally, the fiber SFPs need to be matched on both ends. A 5gb module will not link up with a 10gb module.

SamDabbers
May 26, 2003



sellouts posted:

This is more of a Cisco hardware question vs a software question.

I'm moving into an office with a 500X switch with a fiber run connecting the other half of the office to another 500X switch. I have to replace one of these switches but not the other.

Could I save some money and get a 500 series switch with a 5gb SFP fiber module to connect to the 500x with 10gb SFP?

Can you not just reuse the SFP from the switch you're replacing? Why are you replacing it to begin with?

Herv
Mar 24, 2005

Soiled Meat

Herv posted:

Just for s&g are the phase1 and 2 lifetimes matching?

Does one side try to re-key after a certain data threshold?

IOS Default P2 lifetime: 3600 secs (1 Hour) 4,608,000 kilobytes

ASA Default P2 lifetime: 28,800 seconds (8 Hours) 4,608,000 kilobytes
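As an added example (not from the thread) of making the two defaults Herv lists agree on both ends of the tunnel; the crypto map name, sequence number and peer address are assumed placeholders:

```cisco
! Added example, not from the thread: pin the IPsec phase 2 lifetime to the same value
! on both ends of a site-to-site tunnel. Crypto map name, sequence number and peer
! address (198.51.100.1) are constructed placeholders.
!
! --- IOS router: the default is 3600 s, so raise it to the ASA's 28800 s default ---
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
! The same value can also be pinned per crypto map entry, overriding the global setting:
crypto map RADIUS-VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set security-association lifetime seconds 28800
!
! --- ASA: these are already the defaults, stated explicitly so that a later change
! --- on either side shows up in a config diff rather than only in rekey behaviour
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
! --- Verification after forcing a rekey (IOS syntax shown; on the ASA it is
! --- "clear crypto ipsec sa peer"): both sides' "remaining key lifetime (k/sec)"
! --- counters should count down from the same 4608000 / 28800 values.
clear crypto sa peer 198.51.100.1
show crypto ipsec sa peer 198.51.100.1
```

Comparing the two show outputs side by side is the quickest way to spot one peer rekeying early on a kilobyte threshold while the other still thinks the SA is valid.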

sellouts
Apr 23, 2003

n0tqu1tesane posted:

Generally, the fiber SFPs need to be matched on both ends. A 5gb module will not link up with a 10gb module.

Thanks for this, I'll make sure to match them.

SamDabbers posted:

Can you not just reuse the SFP from the switch you're replacing? Why are you replacing it to begin with?

Because it is being taken by the previous tenant. The other switch is being left for us as part of the sublease deal. I don't know why the powers that be left one and took the other. I'm guessing it's because we are taking some of their furniture and it was negotiated as a 50/50 split.

sellouts fucked around with this message at 20:35 on Aug 23, 2013

BurgerQuest
Mar 17, 2009

by Jeffrey of YOSPOS

Herv posted:

IOS Default P2 lifetime: 3600 secs (1 Hour) 4,608,000 kilobytes

ASA Default P2 lifetime: 28,800 seconds (8 Hours) 4,608,000 kilobytes

Yep, the ASA has the default and the router is set for 28800. After clearing the SAs the tunnel looked fine and in fact was encapsulating the data from the IOS side fine, but only data matching UDP 1812 appeared to get encapped on the ASA in return. The ASA wasn't encapsulating return data on 1813 or ICMP in return. So the client requests would hit the RADIUS server behind the ASA ok, the server would respond appropriately, but only some bits were encapsulated for the tunnel by the ASA. And to make it weirder, this only affected one client and not the other. At least I got to generate some pcap files out of the IOS router, which I haven't done much of before.

Herv
Mar 24, 2005

Soiled Meat

BurgerQuest posted:

Yep, the ASA has the default and the router is set for 28800. After clearing the SAs the tunnel looked fine and in fact was encapsulating the data from the IOS side fine, but only data matching UDP 1812 appeared to get encapped on the ASA in return. The ASA wasn't encapsulating return data on 1813 or ICMP in return. So the client requests would hit the RADIUS server behind the ASA ok, the server would respond appropriately, but only some bits were encapsulated for the tunnel by the ASA. And to make it weirder, this only affected one client and not the other. At least I got to generate some pcap files out of the IOS router, which I haven't done much of before.

Hrm, ok cool, since you are matching lifetimes, I'm assuming the nat exclusions are tight...but I am curious if/when it happens again, if the return traffic is somehow getting banished to the xlate table and never making it to the tunnel.

Maybe just a bug in the ASA build? That sounds like a frustrating one to peg down. Good luck, hope you find the problem.

e: Sorry for asking this here, but is there a 'SQL short questions thread'? I scanned the first few pages here but don't see anything. I am having weird issues with TDE encrypted databases and log shipping, the monitor isn't updating properly post encryption, and every secondary has the certificates, is restoring properly, but the logship monitor is deaf and dumb to some of the metrics.

Herv fucked around with this message at 00:57 on Aug 24, 2013

BurgerQuest
Mar 17, 2009

by Jeffrey of YOSPOS
I'm leaning towards strange bug too. The setup is pretty simple. Basically RADIUS requests are received from a tunnel interface on the IOS router, which has a static route for the RADIUS server towards the outside interface where a crypto map is applied to match the RADIUS traffic and ICMP (complete reverse of the same ACL on the ASA). Before that, the two clients' addresses are statically NAT'd to another IP each, because the RADIUS server behind the ASAs also talks to these RADIUS clients directly elsewhere. This works well enough for our purposes. It's a pretty simple configuration and doesn't require much maintenance generally. Unfortunately I manage the gear in this country and someone else manages the ASA in the other, so I wasn't debugging the ASA directly, but I trust him when he says nothing in the config changed and the relevant parts he pasted me seemed a-ok. The debug output from the tunnel looked fine, just DPD messages.

:iiam:

Herv
Mar 24, 2005

Soiled Meat
OK I don't give up easy.

You say the RADIUS servers behind the ASA need to talk to the clients through multiple channels due to (a reason I also don't know about). Can't you just add secondary IPs so you can point what traffic you want to client 1 and 2 on either the primary or secondary IP instead of the NAT tricks? I have a hard time picturing the exact details without a map.

I can't tell if this is an old school transient ipsec tunnel, I try to avoid straight tunnels and do dmvpn wherever I can. (Don't think this is an option on PIX/ASA).

Another question, are the encrypted radius calls not secure enough on their own? I know, could be policy... lots of moving parts.

Anyhow, I love a good/weird problem here and there.

BurgerQuest
Mar 17, 2009

by Jeffrey of YOSPOS
I'll PM you a diagram and an explanation, I don't want to talk much more publicly about it :)

Protokoll
Mar 28, 2003

Here we go Lina.
Here we go Lina.
COME ON, LINA!
In a not-at-all-surprising move, my employer has decided to sell and manage a product that we cannot possibly support. Of course, the design task has fallen to our networking lead and we have been trying to flesh out a design that is simple, scalable and provides basic segmentation between port members. Since our IW pricing is astronomical, our equipment budget is basically nonexistent. Welcome to my hell.

Without divulging the entirety of the project, since it's very much in beta, these are the quick and dirty specs:

- 100 Mb Ethernet hand off into a 39XX (praying they approve a second router for FHRP and a second circuit for diversity)
- 3 X 3750G-12S-12 aggregation switches
- 13 X 2960 access switches

We're running OM3 between all of the equipment because we like charging the customer for poo poo they don't need (not our decision). All of the uplinks will be port channels and we're running layer 2 all the way up to the router. We're handing public IPs off at the access layer (no NAT). Each customer is going to be getting a port with a public address and it's their responsibility to protect their traffic. Given this scenario:

What is the easiest, most scalable solution to prevent each customer from being able to talk to the other customers? Once this is designed, it's going to be deployed to (potentially) 2,000 different sites and standard "Have you tried turning it off and on again?" personnel are going to inherit the day-to-day maintenance and management of each site. We've discussed some of the following solutions:

- VRFs for every customer (not scalable, not simple enough for NOC personnel to troubleshoot, excessive documentation required)
- PVLANs (requires more expensive switches at the access layer; a non-starter)
- Put every customer in their own VLAN and use L3 ACLs to prevent routed traffic (time consuming, not scalable)

Our current champion design is to use protected ports at the access layer (all 200 ports in the same VLAN; not my idea) in an attempt to jury-rig a PVLAN solution with cheaper switches. All of the ports save the uplinks will be protected, essentially preventing traffic sourced by a customer from going anywhere except the edge router. Other than this not being best practice, is there a better way to design a solution given a lovely budget and no time? The only glaring problem I can see is that if, down the road, customer 1 needs to talk to customer 100 we would have to move them into their own VLAN. How would you handle this?

Protokoll fucked around with this message at 04:18 on Aug 27, 2013

SamDabbers
May 26, 2003



Protokoll posted:

Each customer is going to be getting a port with a public address and it's their responsibility to protect their traffic.

Why even bother with trying to isolate the traffic between customers? Set up DHCP snooping/ARP inspection to mitigate IP spoofing, put it all in a big layer 2 (to save addresses and complexity) and call it a day. This also saves you from having to devise a way for NOC personnel to permit desired customer-to-customer traffic later.

Alternatively, what about PPPoE? Bump up the L2 MTU a little so the path is 1500 byte clean, ACL deny anything but PPPoE on the access ports, and all traffic goes through the router so you can filter to your heart's content. You can even pass ACL rules via RADIUS.
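An added example (not from either post) of what Protokoll's protected-port design looks like once SamDabbers' DHCP snooping and ARP inspection are layered on top of it, as a Catalyst 2960 access-switch template; VLAN 100, the interface numbers and the sample static binding are assumed placeholders:

```cisco
! Added example, not from the thread: Catalyst 2960 access-layer template combining
! protected ports with DHCP snooping, Dynamic ARP Inspection (DAI) and IP Source Guard.
! VLAN 100, the interface numbers and the binding below are constructed placeholders.
!
! DHCP snooping builds the MAC/IP/VLAN/port binding table that DAI and IP Source
! Guard check against; option 82 insertion is disabled so the upstream DHCP server
! does not need to understand the relay information option.
ip dhcp snooping
ip dhcp snooping vlan 100
no ip dhcp snooping information option
ip arp inspection vlan 100
!
! A customer with a static public address never creates a snooping binding, so it
! must be added by hand or IP Source Guard will drop everything that port sends.
ip source binding 0000.0c12.3456 vlan 100 203.0.113.10 interface GigabitEthernet0/1
!
! Customer ports: a protected port forwards only to unprotected ports on the same
! switch, so two customers on this switch cannot exchange frames at layer 2. DAI
! drops ARP packets whose sender MAC/IP does not match a binding, and IP Source
! Guard drops IP packets whose source address is not bound to the port.
interface range GigabitEthernet0/1 - 24
 description customer port
 switchport mode access
 switchport access vlan 100
 switchport protected
 ip verify source
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplink toward the 3750G aggregation layer: trusted for snooping and DAI (DHCP
! offers and the gateway's ARP arrive here) and left unprotected so customer
! traffic can reach the edge router.
interface Port-channel1
 description uplink to 3750G aggregation
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
```

The caveat to keep in mind: a protected port is only significant on its own switch, so two customers on different 2960s still reach each other through the unprotected uplinks and the aggregation layer, and the customer-to-customer isolation requirement has to be enforced there as well.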

Protokoll
Mar 28, 2003

Here we go Lina.
Here we go Lina.
COME ON, LINA!

SamDabbers posted:

Why even bother with trying to isolate the traffic between customers?

It's a requirement we cannot control nor influence. I know...

PPPoE sounds like a good solution, we can white board it tomorrow.

ruro
Apr 30, 2003

Not sure about platform support, but how about private vlans?

Edit: derp didn't read all of your post.

ruro fucked around with this message at 06:44 on Aug 27, 2013

Herv
Mar 24, 2005

Soiled Meat
I would have figured pruning would have done the trick but not sure if that is supported on those switches.

At any rate static arp entries > arp spoofing.

e: Oops, can't tell the difference between IP and ARP spoofing. Never mind me.

Herv fucked around with this message at 20:48 on Aug 27, 2013

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!
Why don't you just use VRFs? Sure, there's some effort in the initial provisioning for them but it's possible. It's not that hard to explain to the front line folks how a VRF works in basic terms. I worked for an MSP that was able to communicate how to do basic troubleshooting for VRFs. After some initial thrashing the non-necessary ticket escalations slowed down to nothing. There are always growing pains.

"Potentially 2000 sites" - what's the realistic deployment out of the gates?

GOOCHY fucked around with this message at 01:38 on Aug 28, 2013

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer
Seriously -- VRF is a pretty simple concept in today's virtualized world.
