Bluecobra
Sep 11, 2001

The Future's So Bright I Gotta Wear Shades

Aexo posted:

Actually, the only IP on the switches is assigned to the vlan used for in-band management.

It's a bit of a complicated story, but basically if I can get this to work, I'm trying to get F10's switch stacking technology, VLT, to detect what they call the heartbeat of the other switch through that port. Currently the heartbeat is detected (and I suspect all the secondary switch's traffic travels) across the port channel between them.

But to answer your question, yes, I have tried sourcing from the local port's currently assigned IP and I'm getting no response. I can't specify the management ethernet port, so maybe it's just a false negative that it can't ping the other side?

I am a little confused on what you are doing here, if you stack the S4810 both switches act as one logical switch. No heartbeat traffic should be passed over the management links. Typically what we did was stack two switches with the 40GbE QSFP+ ports. You use the stack-unit command to assign the interface that is in the stack-group. Note that "stack ports" are a little funky. For the 10GbE ports, a group of four is considered one stack port, while a 40GbE port is considered one stack port. Refer to the manual for a diagram of which stack ports correspond to each physical interface. All heartbeat traffic will then be passed through the stack port interface.


Aexo
May 16, 2007
Don't ask, I don't know how to pronounce my name either.

Bluecobra posted:

I am a little confused on what you are doing here, if you stack the S4810 both switches act as one logical switch. No heartbeat traffic should be passed over the management links. Typically what we did was stack two switches with the 40GbE QSFP+ ports. You use the stack-unit command to assign the interface that is in the stack-group. Note that "stack ports" are a little funky. For the 10GbE ports, a group of four is considered one stack port, while a 40GbE port is considered one stack port. Refer to the manual for a diagram of which stack ports correspond to each physical interface. All heartbeat traffic will then be passed through the stack port interface.

Right... So F10's VLT technology is a bit different from other switch stacks in that the control plane and configuration for each switch remains independent. You create a VLT domain which can span however many switches you want, and anything within that domain is considered one logical device, and you can have more than one VLT domain.

I do have two QSFPs between the switches. This is supposed to act as a load balancer and local frame relay from what I understand. This 80GE port channel should also come up as a VLTi (Virtual Link Trunking interconnect). One thing noted in their configuration guide is that vlan tagging on the VLTi link is not needed. But I was unable to get the heartbeat up (and unable to reach the secondary switch) unless I tagged the management vlan on the interconnect.

The heartbeat is needed to determine if there's a network failure, and how to handle it. So if a switch goes down, the heartbeat should fail, and tell the other switch(es) that they've lost a primary/secondary/other. If the interconnect goes down, the heartbeat should still be able to reach both switches and they'll just act as a stand-alone. From my understanding, the heartbeat should be on the "backup" link, which is most commonly the management interface. Since I don't have an OOB in place, and using one SFP port on each switch (and two on my router) is quite wasteful for a backup/heartbeat link, I'm just trying to get the management interfaces to talk to each other.

The setup is 4x10GE between *each* switch going to my single router. Those 8x10GE are one dynamic/LACP LAG on a VLT domain. My customer connects various high performance servers to the switches on two different vlans.

jane came by
Jun 29, 2013

by Fistgrrl
Odom's CCNA book lists the following subnet IDs as overlapping (VLSM chapter):

Subnet ID: 10.1.0.0, Broadcast Address: 10.1.15.255
Subnet ID: 10.1.16.0, Broadcast Address: 10.1.23.255

Is this a mistake or what?

Jelmylicious
Dec 6, 2007
Buy Dr. Quack's miracle juice! Now with patented H-twenty!

jane came by posted:

Odom's CCNA book lists the following subnet IDs as overlapping (VLSM chapter):

Subnet ID: 10.1.0.0, Broadcast Address: 10.1.15.255
Subnet ID: 10.1.16.0, Broadcast Address: 10.1.23.255

Is this a mistake or what?

Indeed, those don't overlap.
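Checking the two subnets from the question with a script, as an added example that is not from the thread: it derives each prefix length from the subnet ID and broadcast address, then tests every pair for overlap. The third subnet (10.1.8.0/22) is constructed here purely for contrast, since it does sit inside 10.1.0.0/20.

```python
import ipaddress
from itertools import combinations


def network_from_id_and_broadcast(subnet_id: str, broadcast: str) -> ipaddress.IPv4Network:
    """Rebuild the CIDR network from a subnet ID and its broadcast address.

    The block size is (broadcast - subnet_id + 1); for a valid subnet it must be
    a power of two and the subnet ID must sit on a multiple of that size.
    """
    first = int(ipaddress.IPv4Address(subnet_id))
    last = int(ipaddress.IPv4Address(broadcast))
    size = last - first + 1
    if size <= 0 or size & (size - 1) or first % size:
        raise ValueError(f"{subnet_id} - {broadcast} is not a valid subnet")
    prefix_len = 33 - size.bit_length()  # 4096 addresses -> /20, 2048 -> /21
    return ipaddress.IPv4Network((subnet_id, prefix_len))


def overlapping_pairs(subnets):
    """Return every pair of (subnet_id, broadcast) entries whose ranges overlap."""
    networks = [network_from_id_and_broadcast(s, b) for s, b in subnets]
    return [
        (str(a), str(b))
        for a, b in combinations(networks, 2)
        if a.overlaps(b)
    ]


# The two subnets from the VLSM chapter, exactly as quoted in the question.
BOOK_SUBNETS = [
    ("10.1.0.0", "10.1.15.255"),
    ("10.1.16.0", "10.1.23.255"),
]

# Constructed for contrast: 10.1.8.0/22 lies inside 10.1.0.0/20, so it overlaps.
BOOK_SUBNETS_PLUS_ONE = BOOK_SUBNETS + [("10.1.8.0", "10.1.11.255")]

if __name__ == "__main__":
    for s, b in BOOK_SUBNETS:
        print(s, b, "->", network_from_id_and_broadcast(s, b))
    print("overlaps (book):", overlapping_pairs(BOOK_SUBNETS))
    print("overlaps (with constructed /22):", overlapping_pairs(BOOK_SUBNETS_PLUS_ONE))
```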

tortilla_chip
Jun 13, 2007

k-partite
There's usually an errata section on the Cisco Press site for those books. Probably worth a look.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer
I know the discussion was a few pages back, but I really can't say enough about the Ubiquiti EdgeRouters. $100/ea, and I get a feature set and performance level that I would expect to pay around $2k to Cisco for (2901 w/ security). If all you need is ethernet routing and VPN functionality, these things are awesome. I've got them in around 30 branches, with multiple branches doing a backup link via OSPF over GRE over IPSEC. Honestly if Ubiquiti made a model that had a few FXO and FXS ports, I would probably never buy another Cisco router.

dr cum patrol esq
Sep 3, 2003

A C A B

:350:

jane came by posted:

Odom's CCNA book lists the following subnet IDs as overlapping (VLSM chapter):

Subnet ID: 10.1.0.0, Broadcast Address: 10.1.15.255
Subnet ID: 10.1.16.0, Broadcast Address: 10.1.23.255

Is this a mistake or what?

The new Odom CCNA book and supplement materials are rife with mistakes.

jane came by
Jun 29, 2013

by Fistgrrl
^That's actually from the last edition for the now expired tests.

Are Lammle's new books better than Odom's new books?

MyLightyear
Jul 2, 2006
A blindness that touches perfection,
But hurts just like anything else.
Looking for a quick consult on the best way to achieve the PAT'ing of an allocated subnet of 8 addresses to multiple servers behind a Cisco Router on a few different subnets.

We currently have a Cisco 1921 connected to the internet on one Ethernet interface, with an allocated public IP from the DSLAM on the other end, and a subnet of 8 public IP addresses.

We have an internal interface with an IP on an internal subnet, connected into a switch that has servers and client devices connected to it across multiple VLANS. The VLAN routing happens on the switch and the router is only used as a route out onto the internet.

We've defined our inside and outside interfaces on the router and using static PAT rules are able to RDP into the servers from external sources by using the external subnet IPs that have been allocated in a one to one static mapping. I now want to extend this to a mail server on a different internal subnet. We will use a unique external IP for this from the existing pool. Before I make any changes I just want to make sure this will work? I've done some reading around using network object maps and other solutions but am unsure if this is only required to do multiple internal subnets to one external IP. This needs to be relatively simple.

Can someone give me a sanity check on the above? I don't have access to the config right now but can eventually post if necessary.

psydude
Apr 1, 2008

For you guys who work at carriers: what do you use for interior routing, IS-IS? Or have people been transitioning to OSPF?

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

psydude posted:

For you guys who work at carriers: what do you use for interior routing, IS-IS? Or have people been transitioning to OSPF?

Moved from OSPF years back to IS-IS in the core, BGP to customers.

EDIT: To be clear, IS-IS for IGP, but MPLS over top.

H.R. Paperstacks fucked around with this message at 03:12 on Nov 2, 2013

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
OSPF for everything other than the VoIP network which is IS-IS

Flash z0rdon
Aug 11, 2013

ruro posted:

I'm having trouble copying a new image to a 6500, and I can't figure out why. I've verified there is sufficient free space and checked that the file is readable on the scp server, and also tried tftp.

code:
6500-sup2t#copy scp://user@10.3.164.98/s2t54-adventerprisek9-mz.SPA.151-2.SY.bin bootdisk:
Destination filename [s2t54-adventerprisek9-mz.SPA.151-2.SY.bin]?

Password:
!
%Error opening bootdisk:/s2t54-adventerprisek9-mz.SPA.151-2.SY.bin (File not found)
6500-sup2t#
It's currently running s2t54-adventerprisek9-mz.SPA.150-1.SY1.bin and I'm hoping not to have to go install a flash card so I can use disk0... Am I just missing something really obvious here?

on a 6500 it's sup-bootdisk: when IOS is loaded

also don't use "bootflash" on a 6500 supervisor... that's for the route processor and has a default space of 64Mb.. Use bootdisk: (sup-bootdisk: which is on the switch processor and typically has 1G of space on the newer sups)

psydude
Apr 1, 2008

H.R. Paperstacks posted:

Moved from OSPF years back to IS-IS in the core, BGP to customers.

EDIT: To be clear, IS-IS for IGP, but MPLS over top.

I'm guessing the reason for this was because it's protocol independent?

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

psydude posted:

I'm guessing the reason for this was because it's protocol independent?

It was more about the future abilities it offered that were built in for the MPLS/services we were looking at offering later on. Plus the nice things such as no forced area 0. Which was big because we are a global provider for DoD. It was just easier in the end.

ruro
Apr 30, 2003

Flash z0rdon posted:

on a 6500 it's sup-bootdisk: when IOS is loaded

also don't use "bootflash" on a 6500 supervisor... that's for the route processor and has a default space of 64Mb.. Use bootdisk: (sup-bootdisk: which is on the switch processor and typically has 1G of space on the newer sups)
Not the case on Sup 2Ts. They are bootdisk: and slavebootdisk: respectively (in my case, as they're running VSS) and are 1GB internal flash cards by default.

Flash z0rdon
Aug 11, 2013

Oh yeah... the 2T did away with SP and RP?

ruro
Apr 30, 2003

Flash z0rdon posted:

Oh yeah... the 2T did away with SP and RP?

Yeah, they did away with separate RP and SP and replaced them with a single dual core CPU that handles both.

Flash z0rdon
Aug 11, 2013

Thanks and god bless.

jwh
Jun 12, 2002

I think it's ironic (tragic?) that I don't even have any IGPs running anymore. Especially considering all the work I had done with them formerly.

psydude
Apr 1, 2008

I'm currently on a network that is using public IP addresses for internal addressing. :lol:

psydude fucked around with this message at 13:26 on Nov 3, 2013

SamDabbers
May 26, 2003

psydude posted:

I'm currently on a network that is using public IP addresses for internal addressing. :lol:

What, you want to use NAT?

jwh posted:

I think it's ironic (tragic?) that I don't even have any IGPs running anymore. Especially considering all the work I had done with them formerly.

No IGPs and no RFC1918...is this the future?

psydude
Apr 1, 2008

SamDabbers posted:

What, you want to use NAT?

It's just not something you see very much, even with government agencies that own large blocks of private address space.

Dalrain
Nov 13, 2008

Experience joy,
Experience waffle,
Today.
It's very common in .edu space, since most got their addresses before ARIN existed. It makes routing/firewalling soooo easy.

Comedy answer: So what? Any modern IPv6 network is all public. What rock do you live under? :smaug:

Yeast Confection
Oct 7, 2005

psydude posted:

It's just not something you see very much, even with government agencies that own large blocks of private address space.

I work for a college and someone was wise enough to get us a class B back in the day.

They were also wise enough to get us a class C. Students were demolishing our address space with wireless gadgets, so all of them had to go private with NAT. :v:

Bluecobra
Sep 11, 2001

The Future's So Bright I Gotta Wear Shades

Aexo posted:

Right... So F10's VLT technology is a bit different from other switch stacks in that the control plane and configuration for each switch remains independent. You create a VLT domain which can span however many switches you want, and anything within that domain is considered one logical device, and you can have more than one VLT domain.

I do have two QSFPs between the switches. This is supposed to act as a load balancer and local frame relay from what I understand. This 80GE port channel should also come up as a VLTi (Virtual Link Trunking interconnect). One thing noted in their configuration guide is that vlan tagging on the VLTi link is not needed. But I was unable to get the heartbeat up (and unable to reach the secondary switch) unless I tagged the management vlan on the interconnect.

The heartbeat is needed to determine if there's a network failure, and how to handle it. So if a switch goes down, the heartbeat should fail, and tell the other switch(es) that they've lost a primary/secondary/other. If the interconnect goes down, the heartbeat should still be able to reach both switches and they'll just act as a stand-alone. From my understanding, the heartbeat should be on the "backup" link, which is most commonly the management interface. Since I don't have an OOB in place, and using one SFP port on each switch (and two on my router) is quite wasteful for a backup/heartbeat link, I'm just trying to get the management interfaces to talk to each other.

The setup is 4x10GE between *each* switch going to my single router. Those 8x10GE are one dynamic/LACP LAG on a VLT domain. My customer connects various high performance servers to the switches on two different vlans.

I took a look at VLT and that's their newer stacking technology that recently came out. Sorry I can't be much help since I'm more accustomed to the older stacking method (which has a maximum of 3 S4810 switches). I am pretty sure the VLT stuff is on a different software train so you will have to download a different branch if you want the older-style stacking. In our experience, this has worked pretty well but of course you have the risk of split brain if both switches go wonky. This is how we hooked up a typical server:

1000101
May 14, 2003

BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY FRUITCAKE!

psydude posted:

I'm currently on a network that is using public IP addresses for internal addressing. :lol:

I have a customer that's using someone else's public IP addresses for internal addressing.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

1000101 posted:

I have a customer that's using someone else's public IP addresses for internal addressing.
I am ashamed to admit that we do this. It's a legacy thing and it's pretty dumb. We've been working to get off of this scheme but with remote branch offices that will need a physical visit for things like alarm panels and DVRs, it's a long, drawn out process.

Aexo
May 16, 2007
Don't ask, I don't know how to pronounce my name either.

Bluecobra posted:

I took a look at VLT and that's their newer stacking technology that recently came out. Sorry I can't be much help since I'm more accustomed to the older stacking method (which has a maximum of 3 S4810 switches). I am pretty sure the VLT stuff is on a different software train so you will have to download a different branch if you want the older-style stacking. In our experience, this has worked pretty well but of course you have the risk of split brain if both switches go wonky. This is how we hooked up a typical server:

Thanks for looking into it. This researcher's proposal explicitly mentioned VLT several times, so my hands are tied in that we have to use this technology.

I thought maybe throwing a dummy switch and assigning a /31 to each management interface might trick it into working, but I was unsuccessful. Next up I'm going to try private addressing it through their other switch stack, which is eventually going to live behind this VLT stack.

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE

psydude posted:

For you guys who work at carriers: what do you use for interior routing, IS-IS? Or have people been transitioning to OSPF?

OSPF holds my loopbacks, iBGP for customer prefixes. If I was rolling again from the start right now I'd likely use IS-IS for the better handling of dual stack networks.

e:
Just opened a new POP in 56 Marietta, what a shithole. Security is the worst I've ever seen at a data center.

ruro
Apr 30, 2003

FatCow posted:

OSPF holds my loopbacks, iBGP for customer prefixes. If I was rolling again from the start right now I'd likely use IS-IS for the better handling of dual stack networks.

e:
Just opened a new POP in 56 Marietta, what a shithole. Security is the worst I've ever seen at a data center.

I read this and wondered if someone makes rack intrusion detectors similar to those you can get for PC cases, and it turns out they exist! Learn something new every day...

tortilla_chip
Jun 13, 2007

k-partite
OSPFv3 has multi-AF support. Other than the flexibility that TLVs afford ISIS, both IGPs are pretty much a wash.

jwh
Jun 12, 2002

Internap's security is pretty wild: bsn2 innerbelt in Somerville, MA, requires 13 security doors, two badges, and biometrics, to get from the parking lot to a customer cage. And even then, a desk agent has to unlock the cage.

SadBag
Jun 24, 2012

Something has gone very wrong for us to get to the point where Hot Dog is the admiral.
I was wondering about how Cisco uses its hashes.
For example, when I use a SHA-256 hash online on a word, across multiple websites, I always get

"E73B79A0B10F8CDB6AC7DBE4C0A5E25776E1148784B86CF98F7D6719D472AF69"

Whereas when I stick the same word in IOS to get hashed, I get

username test privilege 15
secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY

where I'm pretty sure "secret 4" indicates SHA-256 hashing.

Does anyone know why the two would be different, or how I'd be able to get the original hashing?

Aexo
May 16, 2007
Don't ask, I don't know how to pronounce my name either.
The former is base 16 (Hex) and latter is base 64?

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR
As long as the IOS is compatible across both, can I stack a 3750x into a 3750g stack?


The 3750g stack as it exists now is running c3750-ipbasek9-mz.150-1.SE1.bin. I believe the base IOS compatibility for a 3750x is 12.2(53)SE2. No problems there?

inignot
Sep 1, 2003

WWBCD?
I thought that SHA-256 hash for secret passwords was a broken implementation.

tortilla_chip
Jun 13, 2007

k-partite
Indeed, here's the PSIRT:

http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20130318-type4

ate shit on live tv
Feb 15, 2004

by Azathoth

inignot posted:

I thought that SHA-256 hash for secret passwords was a broken implementation.

Yes. But also realize that all cisco hashes are salted. It's not a sha-256(string) = hash. It's sha-256(salt+string) = hash.

Although apparently in the broken type-4 implementation it doesn't even salt it, so I don't know why you wouldn't get matching hashes for the same input values.


SadBag
Jun 24, 2012

Something has gone very wrong for us to get to the point where Hot Dog is the admiral.

Aexo posted:

The former is base 16 (Hex) and latter is base 64?

Tried converting it, seems like they don't come out as one another after converting.
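An added example (not from anyone in the thread) covering both SadBag's hex-vs-43-character question and the salting point raised above. It renders one unsalted SHA-256 as hex (64 characters) and as unpadded base64 (43 characters, the length of the type 4 string quoted above), and beside it shows salted, iterated hashing with PBKDF2-HMAC-SHA256, the 80-bit salt and 1000 iterations the linked PSIRT describes as the intended design. The base64 alphabet used here is the standard one, which is an assumption: it is meant to show why the lengths differ, not to reproduce an IOS string byte for byte.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 1000   # PBKDF2 iteration count named in the Cisco PSIRT linked above
SALT_BYTES = 10     # 80-bit salt, likewise from the PSIRT


def sha256_hex(password: str) -> str:
    """What an online SHA-256 calculator shows: one unsalted SHA-256 as 64 hex chars."""
    return hashlib.sha256(password.encode()).hexdigest().upper()


def sha256_base64_unpadded(password: str) -> str:
    """The same 32-byte digest as unpadded base64: 43 chars, the length of a type 4 string.
    Standard alphabet assumed; IOS's own encoding is not reproduced here."""
    digest = hashlib.sha256(password.encode()).digest()
    return base64.b64encode(digest).decode().rstrip("=")


def base64_form_decodes_to_same_digest(password: str) -> bool:
    """Restoring the single '=' pad and decoding gives back exactly the 32-byte digest."""
    raw = base64.b64decode(sha256_base64_unpadded(password) + "=")
    return raw == hashlib.sha256(password.encode()).digest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hashing as the PSIRT says type 4 was meant to work."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison against a stored (salt, digest) pair."""
    _, candidate = pbkdf2_hash(password, salt)
    return hmac.compare_digest(candidate, stored)


def salted_digests_differ(password: str) -> bool:
    """Two devices with different salts store different digests for the same password,
    which is what makes a salted hash useless to look up in a public SHA-256 table."""
    _, first = pbkdf2_hash(password)
    _, second = pbkdf2_hash(password)
    return first != second


if __name__ == "__main__":
    word = "abc"  # constructed sample input
    print("hex   :", sha256_hex(word), len(sha256_hex(word)))
    print("base64:", sha256_base64_unpadded(word), len(sha256_base64_unpadded(word)))
    salt, digest = pbkdf2_hash(word)
    print("pbkdf2:", salt.hex(), digest.hex(), verify(word, salt, digest))
```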
