
Emilio posted: Like management,

LMAO. What are your management doing going near your network equipment!

Nov 28, 2013 09:16

Seriously. I'd tell them I'd pull any configs they need to see, but at that time we're going to have a conversation about why they think they need to see it. Gotta manage upward. If it's really a requirement that people without the skills to configure a router using the cli would need access to my configs, I'd suggest they purchase Solarwinds NCM.

Nov 28, 2013 16:33

Bob Morales posted: Is Perl still the way to go if I want to make some scripts to automate pulling information from a couple switches?

I found Expect is pretty easy to use.

Nov 28, 2013 17:17

Emilio posted: What information do you want to pull?

Like when a support tech says "next time X happens send me the output of xxxxx and yyyyy". I'm actually using Adtran hardware and Net::Telnet::Cisco sorta works.

Nov 28, 2013 17:53

I put ssh keys on my switches so I can run commands remotely and it sends the output back to me. Handy when you have to run 'show tech' on a 7k and it blasts you with 700MB of data.

Nov 28, 2013 18:44

can't you | redirect tftp:// ?

Nov 28, 2013 20:23

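The key-based remote access from the "ssh keys on my switches" post and the `| redirect tftp://` reply above, written out as an added IOS example that is not from the thread; the username, management host, TFTP server and key hash are constructed placeholders:

```cisco
! Added example (not from the thread). Constructed values: user "netops",
! management host 192.0.2.10, TFTP server 192.0.2.20, key hash placeholder.
!
! SSH version 2 only, and authenticate the automation user by public key so
! no reusable password has to live in the script that collects the output.
ip ssh version 2
ip ssh pubkey-chain
 username netops
  key-hash ssh-rsa <MD5-HASH-OF-NETOPS-PUBLIC-KEY>
  exit
 exit
!
! Only let the management host reach the vty lines, and only over SSH.
ip access-list standard MGMT-IN
 permit host 192.0.2.10
 deny any log
!
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
!
! Large outputs such as show tech do not need to come back over the session;
! IOS can write them straight to a file server instead (exec mode):
! show tech-support | redirect tftp://192.0.2.20/sw1-showtech.txt
```

TFTP carries the file in the clear, so the TFTP server should sit on the management network and the collected show tech (which contains the running config) should be treated as sensitive.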
Emilio posted: Can you recommend any web front ends with a decent interface for this? We would like to use rancid, we have people who are not strong on CLI.

Web front end for which part? For viewing the configurations and differences we use WebSVN. You need to decide on CVS or SVN for version control, and then there are a few options for the web front end for viewing. Web front ends for actual management of RANCID don't really / cleanly exist. It is something you set up and only mess with when you add/remove devices.

Nov 28, 2013 20:26

H.R. Paperstacks posted: Web front end for which part? Viewing the configurations and differences we use WebSVN. You need to decide on CVS or SVN for version control, and then there are a few options for the web front end in viewing.

Or git, if you're open to the rancid-git fork.

Nov 28, 2013 22:28

Bob Morales posted: Is Perl still the way to go if I want to make some scripts to automate pulling information from a couple switches?

Echoing that Expect is really the way you want to go. TCL is a good thing to learn anyway as you can run it on the Nexus range, use it to write EEM events, and if you ever get any F5 gear you can use it to write iRules. That said, Perl is used for everything else under the sun in network admin land. Learn both! Use both!

abigserve fucked around with this message at 10:17 on Nov 29, 2013

Nov 29, 2013 10:15

I have a couple of MPLS VPNs from the same ISP running on routers that for various reasons I want to consolidate onto an ASR 1002-X (I cannot collapse the two VPNs yet, nor do I know when I will be able to, for a variety of reasons). As the ISP will drop any routes with its own ASN in the as-path, what are my options for routing? At the moment all I can think of is:

1. use an aggregate-address summary or redistribute into an IGP in order to "clean" the as-path,
2. use an egress route-map on each neighbor to prevent routes containing the ISP ASN from being advertised, then rely on a default route to get VPN1>VPN2 traffic back to the ASR and vice versa, or
3. see if the ISP will configure accept-own to avoid the routes being dropped.

I'm leaning towards 2 as it seems like it will be the easiest to configure/maintain (and it will be obvious to anyone else what is going on later), but I just wanted to see if I'd missed anything obvious that might be easier.

Dec 2, 2013 11:07

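Option 2 from the post above written out as an added IOS-XE example rather than anything posted in the thread; the provider ASN 65000, our ASN 65001 and the two neighbor addresses are constructed placeholders:

```cisco
! Added example (not from the thread). Constructed values: provider ASN 65000,
! local ASN 65001, VPN neighbors 192.0.2.1 and 198.51.100.1.
!
! Match any AS path that contains the provider ASN anywhere in it.
ip as-path access-list 10 permit _65000_
!
! Outbound policy: routes learned from one VPN carry the provider ASN and
! would be dropped by the provider anyway, so do not re-advertise them into
! the other VPN. Everything else (locally originated prefixes) goes unchanged.
route-map NO-ISP-ASN-OUT deny 10
 match as-path 10
route-map NO-ISP-ASN-OUT permit 20
!
router bgp 65001
 neighbor 192.0.2.1 remote-as 65000
 neighbor 192.0.2.1 route-map NO-ISP-ASN-OUT out
 neighbor 198.51.100.1 remote-as 65000
 neighbor 198.51.100.1 route-map NO-ISP-ASN-OUT out
!
! Verify from exec mode: only local prefixes should be listed per neighbor.
! show ip bgp neighbors 192.0.2.1 advertised-routes
! show ip bgp neighbors 198.51.100.1 advertised-routes
```

The default route each VPN uses to reach the other side still has to exist on the provider side, as the post says; this route-map only stops the ASR from leaking one VPN's routes into the other.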
Static to null0 with network statements. Filter via communities if needed. Am I missing something?

Dec 2, 2013 15:20

So I have an interesting challenge. I want to deploy a bunch of routers to branch offices that will be acting as APs (I'm doing a lot of crazy DMVPN stuff on the back end to support the APs, but that will be for another post). Now these branch routers need to be plug and play with whatever internet service is available. That means most likely no public IPs. So the WAN interface IP of the router will be acquired via DHCP. Of course the branch router will be acting as a DHCP server to clients, but what if the acquired DHCP address overlaps with the defined scope in the router? Is there a workaround? Because obviously if that happens, I won't have access to the router to fix it, at least not easily.

Dec 2, 2013 22:33

Put all your internal clients in a VRF with a default pointed to the global interface?

Dec 2, 2013 22:36

tortilla_chip posted: Put all your internal clients in a VRF with a default pointed to the global interface?

Haha. This simple project is using all the exotic features. Let's see here. From top down:

Flex-Connect: APs register centrally, but route traffic locally.
DMVPN: to allow all Flex Connect APs to reach the WLC through a firewall without individual per-site hub access-lists.
VRFs: to take care of potentially overlapping internal addressing with provider addressing.

Now, can a Cisco 881 do per-VRF dynamic NATting, and how will I "leak" the default-route interface into the user VRF? I've only leaked networks, never interfaces, obviously without putting the interface in the user VRF.

Dec 2, 2013 22:56

I'm not sure you can. Or, at least, I'm not sure you can do it dynamically. In my experience of operating a large DMVPN environment on mostly DHCP addressed Internet links, you have to get pretty unlucky to collide rfc1918 10/24 on the inside, for example, with the same on the outside. Maybe you could do something unusual, like redistribute connected into BGP with a route map to set a community, and then leak based on the community? That gives me a headache, just thinking about it.

Dec 2, 2013 23:03

Rather than make it too complicated (heh), I think I'll just have to assume that most providers will be giving out either a 10/8 or a 192.168.1.0 or 192.168.0.0. So I'll make all my offices 192.168.97.0/24's. The Class B range will be for my "interesting" DMVPN traffic hubs, something like 172.18.0.0/28 and working up. Maybe even through a 172.20.255.0/32 for management loopbacks, who knows... I'll avoid 10/8 altogether as that is corporate and hub site addressing.

Dec 2, 2013 23:15

Is it that super common for ISPs to be handing out rfc1918 space and NATing customers now? Most stuff I deal in is typically static IP, but any DHCP-assigned addresses from, say, Charter are always public, even if some rfc1918 stuff is visible in the traceroute in the ISP's network.

Dec 2, 2013 23:40

For my specific case I'm often dealing with "business class internet" from, say, Comcast, or whoever the ISP is. This isn't for a datacenter, or anything. I also won't be on location to do configuration. So I want to configure these as generically as possible so that a non-technical user can just plug the router in and get managed wireless service. I'm building management capability into the router so that as soon as it has internet connectivity I'll be able to log in remotely and make any changes as needed, for example taking the provider router out of the equation and having our router be the customer edge device. But I won't always have that option.

Dec 2, 2013 23:49

25.0.0.0/8 is a public, unused space that you could use internally, just don't announce it in BGP. We use 25/8 for our Carrier Grade NAT stuff.

Dec 2, 2013 23:59

Yea I often use 7.0.0.0/8 for the same thing.

Dec 3, 2013 00:32

If I have three subinterfaces on my router, will a QoS policy applied to the physical interface cover all three subinterfaces? Our SIP trunk runs on one of the subinterfaces, with Internet traffic on the other two. I'm looking for a way to prioritize the SIP traffic.

Dec 3, 2013 16:55

I suspect this is a licensing issue or something but, how do I do ipsec on an 881 running 15.2 code?

code:

Dec 3, 2013 21:23

Filthy Lucre posted: If I have three subinterfaces on my router, will a QoS policy applied to the physical interface cover all three subinterfaces?

Yes it will.

Dec 3, 2013 22:06

Powercrazy posted: I suspect this is a licensing issue or something but, how do I do ipsec on an 881 running 15.2 code?

You are using a no payload encryption license (Index 1 Feature: advipservices_npe) so I don't think you get access to ipsec. You'll need a license that permits payload encryption.

Dec 3, 2013 22:09

Powercrazy posted: I suspect this is a licensing issue or something but, how do I do ipsec on an 881 running 15.2 code?

Is the code on the flash universalk9 or universalk9_npe? If the latter, you may need to load the universalk9 code and hopefully your license doesn't have the encryption features restricted.

Dec 3, 2013 23:10

ruro posted: You are using a no payload encryption license (Index 1 Feature: advipservices_npe) so I don't think you get access to ipsec. You'll need a license that permits payload encryption.

He has the advsecurity license so he should be good from a licensing standpoint. He'll just need the k9 image instead of the npe, c880data-universalk9-mz.152-4.M4.bin: http://software.cisco.com/download/...&reltype=latest (Or just run M5 instead of M4 cause it's baller)

Dec 3, 2013 23:18

Yeah, I had completely forgotten that the NPE was the new approved code for export. I loaded 15.4, and I had access to IPSEC features, but I'm not sure if my licenses are good to go now, or if I'm in an evaluation period. I have the tunnels configured but I'm not using them currently. I'm not sure what this means, but I don't think I like it.

code:

What license does IPSEC require?

Dec 3, 2013 23:39

Did anyone else have a hell of a time with the new ASA NAT commands? I got handed a new ASA 5515-X running 9.0 to replace a 5500 running 8.0 that my client couldn't manage to configure. It took me a damned while to figure out how to do a simple port forward on it. I got it now, but it was a bastard.

Dec 4, 2013 00:11

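The "simple port forward" from the post above in the post-8.3 ASA object NAT syntax, added here as an example that is not from the thread; the server address, interface names, object and access-list names are constructed:

```cisco
! Added example (not from the thread). Constructed values: web server
! 10.10.10.20 behind "inside", public side on "outside" using its own IP.
!
! A network object that carries its own NAT rule (object NAT). "interface"
! translates to the outside interface address, so no spare public IP is needed
! and only TCP/80 is exposed, not the whole host.
object network WEB-SERVER
 host 10.10.10.20
 nat (inside,outside) static interface service tcp 80 80
!
! Post-8.3 the inbound access list matches the REAL (untranslated) address,
! not the mapped one. This is the part that trips up anyone used to 8.2.
! Narrow "any" to the source ranges that actually need the server if you can.
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq 80
access-group OUTSIDE-IN in interface outside
!
! Check which NAT rule and ACL line a packet hits before trusting the change
! (exec mode; 203.0.113.5 is a constructed outside client, fill in your
! outside interface IP):
! packet-tracer input outside tcp 203.0.113.5 40000 <outside-if-ip> 80
! show nat detail
```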
My first experience with new NAT was painful. 8.3 hadn't been out for very long and we had a client's ASA crash without a backup so it had to be rebuilt from scratch. It came with 8.3 and I had to set up 30 L2L VPN tunnels, an RA tunnel plus a bunch of static NATs on it, on a Saturday. Took me about 6 hours.

Dec 4, 2013 00:51

Sepist posted: My first experience with new NAT was painful. 8.3 hadn't been out for very long and we had a client's ASA crash without a backup so it had to be rebuilt from scratch. It came with 8.3 and I had to set up 30 L2L VPN tunnels, an RA tunnel plus a bunch of static NATs on it, on a Saturday. Took me about 6 hours.

If you want some real comedy, go look at the 8.3(x) release notes.

quote: CSCte46460

Good times on 8.0->8.3 upgrades. After those atrocities we just started doing scratch rebuilds when upgrading customers out of 8.0/8.2.

Dec 4, 2013 01:31

ragzilla posted: If you want some real comedy, go look at the 8.3(x) release notes.

This is pretty much what I ran into. The client tried to import the config from the old one and it pretty much told him to gently caress off. I ended up building it from scratch. After figuring out the new commands, the next hardest part was removing a shitload of unnecessary NAT rules and actually making the network object names somewhat meaningful instead of the ip_address-obj stuff that was in there. I think I cut the number of rules in half and it accomplishes the same functionality.

Dec 4, 2013 02:19

Powercrazy posted: Yeah, I had completely forgotten that the NPE was the new approved code for export. I loaded 15.4, and I had access to IPSEC features, but I'm not sure if my licenses are good to go now, or if I'm in an evaluation period.

IPSec is part of Advanced Security. Advanced IP Services is Advanced Security + SP Services. Use advipservices if you're licensed, if not use advsecurity.

Dec 4, 2013 03:52

Don't even gently caress around with ASAs anymore, if you can help it. I mean it. Word on the inside is that the Sourcefire products are going to become the successor anyhow. I type this from our corporate HQ, and I just swung some VPNs over from ASA5545s to Palo Alto 3050s, and it was such a joy working (again) with the Palos. Phase 2 negotiations? They really don't care, unless you tell them to care. Bring up a logical tunnel interface, set the IKE parameters, autokey the ipsec tunnel, and you can route whatever you'd like over the tunnel. It's analogous to routing over a point to point link, and it's a great time saver. No need to rebuild P2 parameters.

Dec 4, 2013 06:43

I need a new job. I work with epic pieces of entitled poo poo who have been doing this work for 4 years and think Cisco Nexus and ASAs are the best thing ever and they are currently fighting F5 integration for ACE-30. I work with idiots. Help me.

Dec 4, 2013 09:53

Emilio posted: I need a new job. I work with epic pieces of entitled poo poo who have been doing this work for 4 years and think Cisco Nexus and ASAs are the best thing ever and they are currently fighting F5 integration for ACE-30.

The best thing we did recently was ditch our ACE-20 farm for Viprions. Bloody brilliant kit.

Dec 4, 2013 10:03

ASDM makes me cross-eyed. This is right, right? (packet traces good)

code:

Farking Bastage fucked around with this message at 14:36 on Dec 4, 2013

Dec 4, 2013 14:31

I really don't understand the 100% cisco mentality that corporations have. ACE is a terrible end-of-life piece of poo poo, and even when it was "good" it was really just a step up from PBR on a router. I don't think it's changed too much since then. ASA is fine, if you use it as a firewall, but there are absolutely better firewalls out there.

Dec 4, 2013 16:14

VTP and CDP on switches, especially running VOIP is awfully nice. I agree though, I loving abhor their firewalls

Dec 4, 2013 16:40

Powercrazy posted: ASA is fine, if you use it as a firewall, but there are absolutely better firewalls out there.

This would be true if it did loving BGP.

Dec 4, 2013 16:46

Powercrazy posted: I really don't understand the 100% cisco mentality that corporations have.

Cisco reps have a ton of companies in their pockets; at a high level it is pretty corrupt. I've said it before and I'll say it again 6 months later as it is still true: our Cisco guys take my boss, my coworker and I to lunch every single day. The bills are always $150+, just so we keep our network all cisco. The other departments have the same poo poo going on.

Dec 4, 2013 17:00