Filthy Lucre
Feb 27, 2006
Going to display my ignorance here, but wouldn't this be a good place to consider a MED?

Without the prepends, border7 and border8 would have the same AS hop count as they are connected to the same provider. A MED could be used to tell the upstream which circuit you would prefer. Or am I totally misunderstanding how MEDs work? I've never tried using one, myself.


madsushi
Apr 19, 2009

Baller.
#essereFerrari

Filthy Lucre posted:

Going to display my ignorance here, but wouldn't this be a good place to consider a MED?

Without the prepends, border7 and border8 would have the same AS hop count as they are connected to the same provider. A MED could be used to tell the upstream which circuit you would prefer. Or am I totally misunderstanding how MEDs work? I've never tried using one, myself.

Depends on if his upstream provider is using a single AS or two ASes to provide service. If there's a single upstream AS, MED would work. If there are two upstream ASes, then MED doesn't work (it only works within the same AS).
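To make the point in the two posts above concrete, here is an added example (not from the thread, not from any vendor's code) of a reduced BGP decision process: local preference, then AS-path length, then MED, then lowest router-ID. The AS numbers (64500 for the customer, 65001/65002 for a two-AS upstream), router-IDs and MED values are assumptions chosen for illustration; the border7/border8 labels are the thread's. It shows that a MED sent to a single upstream AS is honoured, that the same MED is ignored when the two paths are learned from different neighbor ASes (unless the receiving router compares MED across ASes, the equivalent of `bgp always-compare-med`), and that prepending works in either case because AS-path length is compared before MED.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Path:
    via: str               # label: which border router this path enters through
    as_path: List[int]     # leftmost AS is the neighbor the path was learned from
    med: int = 0
    local_pref: int = 100
    router_id: str = "0.0.0.0"

    @property
    def neighbor_as(self) -> int:
        return self.as_path[0]


def _rid(p: Path):
    # Router-ID compared numerically per octet; lowest wins as the final tiebreak
    return tuple(int(o) for o in p.router_id.split("."))


def prefer(a: Path, b: Path, always_compare_med: bool = False) -> Path:
    """Return the better of two paths (a subset of the BGP decision process)."""
    if a.local_pref != b.local_pref:
        return a if a.local_pref > b.local_pref else b
    if len(a.as_path) != len(b.as_path):          # prepends act here, whatever the neighbor AS
        return a if len(a.as_path) < len(b.as_path) else b
    # MED is only compared between paths learned from the same neighbor AS,
    # unless the router is told to always compare it.
    if a.med != b.med and (always_compare_med or a.neighbor_as == b.neighbor_as):
        return a if a.med < b.med else b
    return a if _rid(a) <= _rid(b) else b


def best_path(paths: List[Path], always_compare_med: bool = False) -> Path:
    best = paths[0]
    for p in paths[1:]:
        best = prefer(best, p, always_compare_med)
    return best


CUSTOMER_AS = 64500   # assumed private-use ASN for the customer

# Constructed scenario 1: one upstream AS sees both advertisements directly from
# the customer AS, so the neighbor AS is the same and MED is compared.
SINGLE_UPSTREAM_AS = [
    Path("border7", [CUSTOMER_AS], med=10, router_id="10.0.0.7"),
    Path("border8", [CUSTOMER_AS], med=0, router_id="10.0.0.8"),
]

# Constructed scenario 2: the upstream is two ASes; a router behind both sees the
# prefix from neighbor 65001 and from neighbor 65002, so MED is ignored.
TWO_UPSTREAM_AS = [
    Path("border7", [65001, CUSTOMER_AS], med=10, router_id="10.0.0.7"),
    Path("border8", [65002, CUSTOMER_AS], med=0, router_id="10.0.0.8"),
]

# Constructed scenario 3: same two-AS upstream, but border8 prepends its own AS.
PREPENDED = [
    Path("border7", [65001, CUSTOMER_AS], med=10, router_id="10.0.0.7"),
    Path("border8", [65002, CUSTOMER_AS, CUSTOMER_AS, CUSTOMER_AS], med=0, router_id="10.0.0.8"),
]

if __name__ == "__main__":
    for name, paths in [("single upstream AS", SINGLE_UPSTREAM_AS),
                        ("two upstream ASes", TWO_UPSTREAM_AS),
                        ("two upstream ASes + prepend", PREPENDED)]:
        print(f"{name}: best via {best_path(paths).via}")
    print(f"two upstream ASes, always-compare-med: best via "
          f"{best_path(TWO_UPSTREAM_AS, always_compare_med=True).via}")
```

Note that the pairwise loop in `best_path` inherits the well-known non-transitivity of MED comparison across neighbor ASes; it is enough to show the rule, not a replacement for a real RIB.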

jwh
Jun 12, 2002

I'm having a hard time understanding what communities i'd even set in this case, however, mostly because I can't tell what's going wrong on border7.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
What has internap said? Looks like a funky PBR on their border gateway

jwh
Jun 12, 2002

Internap is saying that both border 7 and border 8 are functionally identical, and that they see the prefixes the same (absent the prepends on 7).

I'm not convinced, but only because it's so odd.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
What about your IDS, is there any way to take it out of the equation? The next hop after border7 is I'm assuming your IPS "bump in the wire", so that would be my next suspect.

abigserve
Sep 13, 2009

this is a better avatar than what I had before
Get them to send you a show ip bgp for your /24 on both border routers, that'll be your easiest path to a fix (assuming you haven't done this already).

Flash z0rdon
Aug 11, 2013

jwh posted:

I've checked the /24 as it appears to cogent's looking glass, and aside from the prepends on the advertisement we make to border8, they're identical.

I'm stumped.

do a clear ip bgp *

OP. Then update your resume

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Tell them to stop being lame and set up a public looking glass so their customers can debug such issues themselves.

Log in to various other ISPs looking glasses to see what they see advertised to them.

doomisland
Oct 5, 2004

Internet routing owns and that looks like two different paths out of the Uruguay network.

doomisland fucked around with this message at 07:18 on Sep 5, 2013

Gap In The Tooth
Aug 16, 2004
South American routing can never be trusted.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR
Any issues to keep in mind if using /31s for point to points?

Count Thrashula
Jun 1, 2003

Death is nothing compared to vindication.
Buglord

Zuhzuhzombie!! posted:

Any issues to keep in mind if using /31s for point to points?

As long as you're using IOS 12.2 or higher on both ends, I think you're good.

Bluecobra
Sep 11, 2001

The Future's So Bright I Gotta Wear Shades

Zuhzuhzombie!! posted:

Any issues to keep in mind if using /31s for point to points?
Maybe it's too early in the day for me, but how will that work? In a /31, there are only 2 IP addresses, and you need one for the network and the broadcast leaving you nothing for the interfaces on both ends. A /30 will give you 4 addresses total, leaving you with 2 addresses for the interfaces on both ends.

Count Thrashula
Jun 1, 2003

Death is nothing compared to vindication.
Buglord

Bluecobra posted:

Maybe it's too early in the day for me, but how will that work? In a /31, there are only 2 IP addresses, and you need one for the network and the broadcast leaving you nothing for the interfaces on both ends. A /30 will give you 4 addresses total, leaving you with 2 addresses for the interfaces on both ends.

Since 12.2 (actually, 12.2(2)T or something like that), Cisco has supported using /31 for point-to-point connections. I'm not sure about the lack of a network address, but P-P links don't need a broadcast address, so it kinda makes sense.

bad boys for life
Jun 6, 2003

by sebmojo

QPZIL posted:

As long as you're using IOS 12.2 or higher on both ends, I think you're good.

Yeah, we use /31s on hundreds of devices and it's fine.

On another note, does anyone know of any software for mass deploying base configurations to routers connected to a term server? I'm going to have to configure 50 routers at a time and would like to load a base config on each of them, and then apply a specific config file per term server port to them afterwards.

I'm writing software to do it myself, but would like to use something commercial long term.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
We have BMC Network Automation (Bought it years ago when it was called E-Netaware) and it works reasonably well to push configs out based on templates, variables you can fill out, grouping devices by whatever.

It does a few things well, a few things poorly, and all sorts of features we don't use. We now use it more or less for basic customer port provisioning at scheduled times, and some auditing (alert if telnet enabled on a line vty for example).

I had eyeballed Manageengine DeviceExpert as a replacement. I liked it a lot better but the project for this kind of fizzled out.
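The two posts above describe the same workflow: a base template filled with per-device variables, one rendered config per term-server port, plus an audit that flags telnet on a vty line. As an added example (mine, not the poster's tool and not BMC or ManageEngine code), here is that workflow in Python. The template contents, the hostnames, the management addresses (from 192.0.2.0/24, a documentation range) and the term-server port numbers are all assumptions; the audit also assumes that a `line vty` block with no explicit `transport input` should be treated as permissive, which is the conservative reading for an audit even though the IOS default varies by version.

```python
import re
from typing import Dict, List

# Assumed base template; {name} fields are filled per device.
BASE_TEMPLATE = """\
hostname {hostname}
!
service password-encryption
no ip http server
!
interface {mgmt_if}
 ip address {mgmt_ip} 255.255.255.0
 no shutdown
!
line vty 0 4
 transport input ssh
 login local
!
end
"""

REQUIRED_VARS = {"hostname", "mgmt_if", "mgmt_ip"}


def render_base_config(device_vars: Dict[str, str]) -> str:
    """Fill the base template; fail loudly on a missing variable rather than
    pushing a half-rendered config to a router."""
    missing = REQUIRED_VARS - device_vars.keys()
    if missing:
        raise KeyError(f"missing template variables: {sorted(missing)}")
    return BASE_TEMPLATE.format(**device_vars)


def configs_for_term_server(port_map: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """port_map: term-server port -> per-device variables. Returns port -> config text."""
    return {port: render_base_config(v) for port, v in port_map.items()}


def vty_lines_allowing_telnet(config: str) -> List[str]:
    """Audit: return the 'line vty' headers whose transport input permits telnet."""
    findings = []
    lines = config.splitlines()
    i = 0
    while i < len(lines):
        if lines[i].startswith("line vty"):
            header, i = lines[i].strip(), i + 1
            transports = None
            # The block is the indented lines following the header.
            while i < len(lines) and lines[i].startswith(" "):
                m = re.match(r"\s*transport input (.+)", lines[i])
                if m:
                    transports = m.group(1).split()
                i += 1
            # Assumption: no explicit 'transport input' is treated as permissive.
            if transports is None or "all" in transports or "telnet" in transports:
                findings.append(header)
        else:
            i += 1
    return findings


# Constructed term-server map: port -> device variables (assumed names/addresses).
PORT_MAP = {
    "2001": {"hostname": "r01", "mgmt_if": "GigabitEthernet0/0", "mgmt_ip": "192.0.2.11"},
    "2002": {"hostname": "r02", "mgmt_if": "GigabitEthernet0/0", "mgmt_ip": "192.0.2.12"},
}

if __name__ == "__main__":
    for port, cfg in configs_for_term_server(PORT_MAP).items():
        status = vty_lines_allowing_telnet(cfg) or "ok"
        print(f"port {port}: telnet audit -> {status}")
```

The rendered text can be fed line by line to the console session on each port; the audit is the same check the post mentions running after the fact, applied before the push instead.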

Bluecobra
Sep 11, 2001

The Future's So Bright I Gotta Wear Shades

QPZIL posted:

Since 12.2 (actually, 12.2(2)T or something like that), Cisco has supported using /31 for point-to-point connections. I'm not sure about the lack of a network address, but P-P links don't need a broadcast address, so it kinda makes sense.

Wow, I had no idea you could do that. Here's the RFC if anyone wants to read it.
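The RFC in question is RFC 3021 (31-bit prefixes on IPv4 point-to-point links). As an added example that is not part of the thread, here is the address accounting the posts above are arguing about, done in Python: a /30 reserves its first and last addresses, a /31 has only the two addresses and both are interface addresses, so a block of the same size yields twice as many links. The 192.0.2.0/24 block is a documentation range chosen as an assumption; `ipaddress` is used only for parsing, and the /31 rule is applied explicitly rather than relying on the library's own special-casing.

```python
import ipaddress
from typing import List, Tuple


def p2p_endpoints(cidr: str) -> Tuple[str, str]:
    """Return the two interface addresses of a point-to-point link.

    /30: the first address is the network address and the last is the subnet
         broadcast, so only the middle two are assignable.
    /31: per RFC 3021 there is no subnet broadcast; both addresses are endpoints.
    """
    net = ipaddress.ip_network(cidr, strict=True)   # strict: reject host bits set
    if net.version != 4:
        raise ValueError("this example covers IPv4 only")
    base = int(net.network_address)
    if net.prefixlen == 31:
        return (str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(base + 1)))
    if net.prefixlen == 30:
        return (str(ipaddress.IPv4Address(base + 1)), str(ipaddress.IPv4Address(base + 2)))
    raise ValueError(f"{cidr} is not a /30 or /31 point-to-point block")


def links_from_block(block: str, prefixlen: int) -> List[Tuple[str, str]]:
    """Carve a block into point-to-point links of the given prefix length."""
    parent = ipaddress.ip_network(block)
    return [p2p_endpoints(str(sub)) for sub in parent.subnets(new_prefix=prefixlen)]


if __name__ == "__main__":
    print("/30:", p2p_endpoints("192.0.2.4/30"))
    print("/31:", p2p_endpoints("192.0.2.4/31"))
    print("links in a /24 as /30s:", len(links_from_block("192.0.2.0/24", 30)))
    print("links in a /24 as /31s:", len(links_from_block("192.0.2.0/24", 31)))
```

Both ends of the link still have to agree on the /31 mask; a /31 on one side and a /30 on the other will not form a usable pair, which is the "both ends" condition in the posts above.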

ate shit on live tv
Feb 15, 2004

by Azathoth

Bluecobra posted:

and you need one for the network and the broadcast leaving you nothing for the interfaces on both ends.

You don't need this and haven't in a long time. Even application owners don't rely on broadcasts for anything anymore. The only commonly used service that uses broadcasts is DHCP, switches don't even need to broadcast anymore strictly speaking.

abigserve
Sep 13, 2009

this is a better avatar than what I had before

Powercrazy posted:

You don't need this and haven't in a long time. Even application owners don't rely on broadcasts for anything anymore. The only commonly used service that uses broadcasts is DHCP, switches don't even need to broadcast anymore strictly speaking.

Unless this is framed from the perspective of point-to-point links then what about ARP?

ragzilla
Sep 9, 2005
don't ask me, i only work here


abigserve posted:

Unless this is framed from the perspective of point-to-point links then what about ARP?

I'd think it'd be more accurate to state that the subnet directed broadcast addresses at layer 3 are no longer used by applications for the most part, having moved to multicast instead. All-1s broadcast is still being used for local applications (DHCP, ARP et al) requiring layer 2 broadcast in v4.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR
Scrub question.


Got a trunk up and running between a few switches and our Core. Not in the same VTP database. I can prune the vlan on only one of the switches and none of the cores. Just doesn't accept it. SSH across it is fine however. Traffic flows.

Any ideas? Hardcoded dot1q. Should I use ISL?


ed


Just tried it again and now I can allowed add only 300. Still can't on 6500 ints though.

Zuhzuhzombie!! fucked around with this message at 16:27 on Sep 6, 2013

Fatal
Jul 29, 2004

I'm gunna kill you BITCH!!!
What on earth are you talking about? Definitely don't use ISL, dot1q is the only way to go. When you say prune, do you mean delete? If that's the case, I'm guessing the switch you can't delete VLANs off of is part of a VTP domain and is acquiring its VLAN database from another VTP server. Best solution is to get every switch on the same VTP domain so you don't have to deal with this crap.

Still I have no idea what this means: "I can allowed add only 300. Still can't on 6500 ints though."

ior
Nov 21, 2003

What's a fuckass?

Zuhzuhzombie!! posted:

Just tried it again and now I can allowed add only 300. Still can't on 6500 ints though.

Docjowles
Apr 9, 2009

I am so stealing that image. It's the absolute perfect SH/SC.jpg :allears:

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

Fatal posted:

Still I have no idea what this means: "I can allowed add only 300. Still can't on 6500 ints though."

Guessing that all VLANs are already allowed so 'switchport trunk allowed vlan add 300' doesn't appear to do anything. Or his 6500 ints aren't configured as switchports.
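To show the difference between the two forms of the command that the poster ran into, here is an added example (mine, not anything from the thread or from Cisco) that models the allowed-VLAN list of a trunk. On a trunk whose allowed list is still the default of all VLANs, `switchport trunk allowed vlan add 300` is a no-op, which matches the "doesn't appear to do anything" guess above; the bare form `switchport trunk allowed vlan 300` replaces the list, so every other VLAN is pruned from the trunk the moment it is entered. The `vlans_pruned` helper is the pre-change check a practitioner wants before typing the bare form on a production trunk. VLAN IDs and the starting allowed sets are assumptions.

```python
from typing import FrozenSet, List

ALL_VLANS: FrozenSet[int] = frozenset(range(1, 4095))   # 1..4094


def parse_vlan_list(spec: str) -> FrozenSet[int]:
    """Parse '10,20,30-35' into a set of VLAN IDs."""
    out = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            out.update(range(lo, hi + 1))
        else:
            out.add(int(part))
    if any(v < 1 or v > 4094 for v in out):
        raise ValueError(f"VLAN out of range in {spec!r}")
    return frozenset(out)


def apply_allowed_vlan(current: FrozenSet[int], command: str) -> FrozenSet[int]:
    """Model the effect of one 'switchport trunk allowed vlan ...' line on a
    trunk whose current allowed set is `current`."""
    words = command.split()
    if words[:4] != ["switchport", "trunk", "allowed", "vlan"] or len(words) < 5:
        raise ValueError(f"unrecognised command: {command!r}")
    op, arg = words[4], " ".join(words[5:])
    if op == "all":
        return ALL_VLANS
    if op == "none":
        return frozenset()
    if op == "add":
        return current | parse_vlan_list(arg)
    if op == "remove":
        return current - parse_vlan_list(arg)
    if op == "except":
        return ALL_VLANS - parse_vlan_list(arg)
    # Bare list: REPLACES the allowed set. Anything not listed is pruned from the trunk.
    return parse_vlan_list(op)


def vlans_pruned(current: FrozenSet[int], command: str) -> List[int]:
    """VLANs that would stop being carried on the trunk if `command` were entered."""
    return sorted(current - apply_allowed_vlan(current, command))


if __name__ == "__main__":
    default_trunk = ALL_VLANS
    print("add 300 on a default trunk changes anything:",
          apply_allowed_vlan(default_trunk, "switchport trunk allowed vlan add 300") != default_trunk)
    print("bare 'vlan 300' on a default trunk prunes",
          len(vlans_pruned(default_trunk, "switchport trunk allowed vlan 300")), "VLANs")
    restricted = frozenset({10, 20})
    print("add 300 on a restricted trunk ->",
          sorted(apply_allowed_vlan(restricted, "switchport trunk allowed vlan add 300")))
```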

Count Thrashula
Jun 1, 2003

Death is nothing compared to vindication.
Buglord
You guys remember that issue I was having with my 3550 and 3750 not playing nice and the 3750 not accepting the switchport mode and encapsulation type I set it to?

I just plugged the 3550 into the next stack of 3750s and it works fine now :v: Still a mystery, but I suspect it to be an authentication issue. I couldn't write to the startup-config, so maybe the switchport mode wouldn't change for me because of authentication? Who knows.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR

Fatal posted:

What on earth are you talking about? Definitely don't use ISL, dot1q is the only way to go. When you say prune, do you mean delete? If that's the case, I'm guessing the switch you can't delete VLANs off of is part of a VTP domain and is acquiring its VLAN database from another VTP server. Best solution is to get every switch on the same VTP domain so you don't have to deal with this crap.

Still I have no idea what this means: "I can allowed add only 300. Still can't on 6500 ints though."

I was trying to use "switchport trunk allowed vlan add 300" and it wasn't working. Didn't think to use "switchport trunk allowed vlan 300" because I should never ever use that command except for specific occasions.



ed


Since PRTG can't reasonably monitor SVI bandwidth we've tested, successfully, doing the same with sub interfaces. So now the plan is to replace the ridiculous bookended circuit we have which requires an individual interface and cabling for running customer host circuits with a router pointed at a trunked transport circuit and using sub interfaces instead. Woo. 7609 will do sub interfaces on its switchblade. So do 6509s. If these two devices will do so, wouldn't also a 4500x?

Also, on a 6509 if you remove a blade the blade itself will still exist in the config until a reboot or you run a specific command. Anyone know what that command is?

Zuhzuhzombie!! fucked around with this message at 22:20 on Sep 9, 2013

Contingency
Jun 2, 2007

MURDERER
My boss quit last week and it's been quite the scramble to document the pieces he's been responsible for for the past decade.

jwh posted:

The short answer is yes, but the longer, and better answer is no

You should spring for a palo alto box, in my opinion.

An IPS (not necessarily Cisco) would be adequate, but not the ideal solution. Gotcha.

Docjowles posted:

Contingency, you just produced the best name/avatar/post combo I have ever seen :golfclap: Have I said this before about one of your posts? Feels familiar. Anyway.

Seconding this. I was in the middle of evaluating Palo Alto when I left my last job, and their poo poo is awesome. It was on the higher end of the price spectrum, but put it up against Cisco and it will look pretty great especially considering what you get for the money.

And for the love of god, please try to get management support for taking away local admin. Surely (right? :smithicide:) if you're talking several hundred users most of them are not special VP or C-level snowflakes that "need" local admin and unrestricted access to Pirate Bay to do their jobs.

In IT and engineering, most notable people win fame through a colossal blunder. Rickover is the rare exception.

I do hear a lot of good things about Palo Alto feature-wise, but also that stability isn't there yet. My company just lost one of our key admins, so they're likely wary of buying expensive hardware that only one person would know how to manage. Everyone knows Cisco.

Local admin is a political problem. The plan was to deploy a ticketing system so the support department can quantify how much time they spend on preventable issues (and use those metrics to justify removing admin), but that was shot down by management because tickets are too much of a hassle for end-users. Meanwhile, users regularly complain to upper management because their issue was overlooked. "Let me provide better service" is a much tougher sell at my company than it should be.

dotster posted:

From a safe to deploy standpoint the Cisco IPS is not bad, if you use the default sig set and have it drop traffic with a threat rating over 90 (you could start with 95-99 to be safe on first deploy) you will have very low to zero false positives from outside to inside. The coverage is not as good as Sourcefire (they are the best IPS out there) and Sourcefire does a better job mapping and learning your network to help you deploy. If you are already a Cisco shop and you need to deploy IPS I would go with one of these, probably Sourcefire if it were me.

If you don't really need IPS, meaning you lack an audit or compliance requirement like HIPAA, PCI, or something similar, then I would look at an application firewall. The Palo Alto box is nice but functionally you can do most of the same thing with an ASA with integrated IPS; that is what PA is but it just does a better job of integrating the two. The Sourcefire app firewall is nice as well. Like before, if you are a Cisco shop with an ASA I would use integrated IPS, if it is greenfield I would add Sourcefire. If you aren't a Cisco shop then I would eval the Sourcefire and PA app firewall stuff.

My company does use ASAs (and enough of them to discount the possibility of replacing them with another vendor), so the IPS module is what I was considering. It sounds like they would work as desired, but are not the best/most effective choice. Unfortunately, I found that my ASA is EOL, and so is the IPS module. I'm going to push hard for integrated IPS next upgrade. In the meantime, I could set up a Snort box in IDS mode as a proof of concept. If I can demonstrate its value, I might be able to convince management to pay for a Sourcefire box.

sudo rm -rf
Aug 2, 2011


$ mv fullcommunism.sh
/america
$ cd /america
$ ./fullcommunism.sh


So I've got a phone interview with a company tomorrow that works with Cisco UCS B and C series servers - and welp, I've never heard of them before today. What are they? How do they relate to the rest of Cisco's products? The extent of my technical knowledge is CCNA-level, and these devices don't even appear to be dedicated towards networking.

evol262
Nov 30, 2010
#!/usr/bin/perl

Erkenntnis posted:

So I've got a phone interview with a company tomorrow that works with Cisco UCS B and C series servers - and welp, I've never heard of them before today. What are they? How do they relate to the rest of Cisco's products? The extent of my technical knowledge is CCNA-level, and these devices don't even appear to be dedicated towards networking.

They're servers built around a unified Cisco storage/network/compute stack intended for VMware deployments.

ate shit on live tv
Feb 15, 2004

by Azathoth

Erkenntnis posted:

So I've got a phone interview with a company tomorrow that works with Cisco UCS B and C series servers - and welp, I've never heard of them before today. What are they? How do they relate to the rest of Cisco's products? The extent of my technical knowledge is CCNA-level, and these devices don't even appear to be dedicated towards networking.

If that's all they are working with, then that position isn't really a network position.

Docjowles
Apr 9, 2009

Yeah it's not a networking product per se, though it has a networking component. It's basically compute + networking + storage in a box, designed to scale out massively but be centrally managed from one interface. My company's starting to roll them out in a limited fashion. The B-series are a blade chassis, and the C-series are a traditional rack mount form factor.

FWIW we have had no loving end of problems with the C series but the B's have been great.

Agrikk
Oct 17, 2003

Take care with that! We have not fully ascertained its function, and the ticking is accelerating.
I'm posting this here to get input from tech-savvy goons to respond to while I google the same thing.


My company uses a Cisco Global Site Selector for load balancing between datacenters, though I do not know the make/model/version of it. I am responsible as an application guy to suggest settings to the networking folks for GSS configuration.

That said:

I have two IIS servers, one at each site configured identically such that each server has 8 virtual sites within IIS listening on port 80. So each server responds to:

code:
http://server1/site1/application1.jsp
http://server1/site2/application2.jsp
.
.
http://server1/site8/application8.jsp
and

code:
http://server2/site1/application1.jsp
http://server2/site2/application2.jsp
.
.
http://server2/site8/application8.jsp
with the VIP responding to

code:
http://vip/site1/application1.jsp
http://vip/site2/application2.jsp
.
.
http://vip/site8/application8.jsp
configured for Active/Passive operation using an ordered list that directs all traffic to server1.

Now:

Is it possible to configure the GSS such that if a probe of a URL on server1 fails, all traffic to that URL and only that URL will be directed to server2?

I am being told by a network guy that I don't really know or trust, that this isn't possible. He is saying that since each site answers on the same TCP port, GSS can only be configured in two ways:

1. If a URL probe fails on server1 on any of the URLs, server1 gets taken out of the VIP and traffic for all eight URLs will be directed to server2.

2. Make each URL listen on a different port and create a unique VIP for that URL. This will give each url independence from the other URLs. Like this:

code:
http://vip1:80/site1/application1.jsp
http://vip2:81/site2/application2.jsp
.
.
http://vip8:87/site8/application8.jsp
But this seems overly complicated and dumb. It makes no sense to me that Cisco has no way of monitoring and handling multiple virtual sites independently within a single VIP.

Help?

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

Erkenntnis posted:

So I've got a phone interview with a company tomorrow that works with Cisco UCS B and C series servers - and welp, I've never heard of them before today. What are they? How do they relate to the rest of Cisco's products? The extent of my technical knowledge is CCNA-level, and these devices don't even appear to be dedicated towards networking.
They are just servers, really. Very nice ILO and integrated firmware management tools.

ruro
Apr 30, 2003

Agrikk posted:

But this seems overly complicated and dumb. It makes no sense to me that Cisco has no way of monitoring and handling multiple virtual sites independently within a single VIP.

Help?
Caveat: I don't have experience with GSS but I have extensive experience with various ACE appliances and modules, and GSS is part of the ACE family so I expect its configuration and operation is quite similar.

First of all keep in mind that GSS directs client traffic to servers by controlling the response to DNS queries - it has no idea what URL the client is trying to reach, only the host name it is resolving. Having said that if the probes are configured to expect a particular response from a particular URL separate ports shouldn't be necessary, only separate VIPs/probes/server-farms for each application. So if you want fail over for individual URLs you're going to have to consider a separate VIP per application.

Someone who has used GSS can correct me if I am way off base here.

ruro fucked around with this message at 02:18 on Sep 13, 2013

Agrikk
Oct 17, 2003

Take care with that! We have not fully ascertained its function, and the ticking is accelerating.

ruro posted:

So if you want fail over for individual URLs you're going to have to consider a separate VIP per application.

So we would have to set it up like:

code:
http://vip1/site1/application1.jsp
http://vip2/site2/application2.jsp
.
.
http://vip8/site8/application8.jsp
but it would still all be on port 80?

ragzilla
Sep 9, 2005
don't ask me, i only work here


Docjowles posted:

Yeah it's not a networking product per se, though it has a networking component. It's basically compute + networking + storage in a box, designed to scale out massively but be centrally managed from one interface. My company's starting to roll them out in a limited fashion. The B-series are a blade chassis, and the C-series are a traditional rack mount form factor.

FWIW we have had no loving end of problems with the C series but the B's have been great.

Can you expand on your issues with the C servers? We're looking at adding some for local storage applications.

jwh
Jun 12, 2002

Agrikk posted:

So we would have to set it up like:

code:
http://vip1/site1/application1.jsp
http://vip2/site2/application2.jsp
.
.
http://vip8/site8/application8.jsp
but it would still all be on port 80?

Correct. I'm not familiar with GSS, but yes, you should be able to build separate VIPs that use the same "real servers," but health checked differently.

I've done it with F5 LTM frequently.


ruro
Apr 30, 2003

Agrikk posted:

So we would have to set it up like:

code:
http://vip1/site1/application1.jsp
http://vip2/site2/application2.jsp
.
.
http://vip8/site8/application8.jsp
but it would still all be on port 80?
Correct.

Also, based on what you've said so far I would confirm that GSS is probing a URI that will return an error if the application is in any way non-functional - e.g. the server might return HTTP/200 but there is some problem with a DB query and all that's displayed is a header/footer.
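The exchange above comes down to two things: one VIP per application, each health-checked on its own URI against the same two real servers, and a probe that looks at the body rather than trusting a 200. As an added example (not GSS, ACE or F5 configuration, and not from the thread), here is that decision logic in Python run over constructed probe responses: server1's second application answers 200 with only a header and footer, so a status-only probe keeps sending it traffic while a probe that requires an application marker in the body fails it over to server2 for that VIP only. The `db-ok` marker, the server names beyond the thread's server1/server2, and the response bodies are assumptions. Real GSS decisions are made per DNS name, which is why a VIP (hostname) per application is needed in the first place.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ProbeResult:
    status: int
    body: str


@dataclass
class Probe:
    uri: str
    expect_status: int = 200
    expect_marker: str = ""   # text the healthy page must contain; "" means status-only

    def healthy(self, r: Optional[ProbeResult]) -> bool:
        if r is None:
            return False                       # no answer at all
        return r.status == self.expect_status and self.expect_marker in r.body


def resolve(app_probes: Dict[str, Probe],
            ordered_servers: List[str],
            responses: Dict[Tuple[str, str], ProbeResult]) -> Dict[str, Optional[str]]:
    """Active/passive per VIP: each VIP maps to the first server in the ordered list
    whose application-specific probe passes. VIPs are decided independently."""
    answers = {}
    for vip, probe in app_probes.items():
        answers[vip] = next(
            (s for s in ordered_servers if probe.healthy(responses.get((s, probe.uri)))),
            None,
        )
    return answers


# Constructed probe responses (not real captures). server1's application2 is broken
# behind a 200: the page renders a header/footer and nothing the DB should have filled in.
RESPONSES = {
    ("server1", "/site1/application1.jsp"): ProbeResult(200, "<html><body><div>db-ok rows=42</div></body></html>"),
    ("server1", "/site2/application2.jsp"): ProbeResult(200, "<html><header></header><footer></footer></html>"),
    ("server2", "/site1/application1.jsp"): ProbeResult(200, "<html><body><div>db-ok rows=42</div></body></html>"),
    ("server2", "/site2/application2.jsp"): ProbeResult(200, "<html><body><div>db-ok rows=17</div></body></html>"),
}

ORDERED = ["server1", "server2"]   # active/passive: server1 preferred

STATUS_ONLY = {
    "vip1": Probe("/site1/application1.jsp"),
    "vip2": Probe("/site2/application2.jsp"),
}

CONTENT_AWARE = {
    "vip1": Probe("/site1/application1.jsp", expect_marker="db-ok"),
    "vip2": Probe("/site2/application2.jsp", expect_marker="db-ok"),
}

if __name__ == "__main__":
    print("status-only probes:  ", resolve(STATUS_ONLY, ORDERED, RESPONSES))
    print("content-aware probes:", resolve(CONTENT_AWARE, ORDERED, RESPONSES))
```

The marker should be something the application can only emit when its back end is working (a value read from the database, a version string assembled at request time), not static text in the template; otherwise the probe is no better than checking the status code.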
