 
  • Post
  • Reply
falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Nfsen, as-stats are great open sores tools for flow stuff.


Filthy Lucre
Feb 27, 2006
We use the old Xangati flow analyzer that was purchased by Calix.

Tremblay
Oct 8, 2002
More dog whistles than a Petco
Been a while since I posted here. I'll try and check in more frequently. If anyone has questions about newer security products, ISE, etc. Let me know I'll do my best to answer.

chestnut santabag
Jul 3, 2006

Tremblay posted:

Been a while since I posted here. I'll try and check in more frequently. If anyone has questions about newer security products, ISE, etc. Let me know I'll do my best to answer.

So how about that Nexus 7k firewall module?

Tremblay
Oct 8, 2002
More dog whistles than a Petco

chestnut santabag posted:

So how about that Nexus 7k firewall module?

AFAIK it's not going to happen. Most folks that I've spoken with prefer the appliance approach and are happy with the 5585-X. There is some new stuff in the pipe that folks have been asking for. Couple months and I expect there will be announcements.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer
can someone tell me about extreme network switches, specifically comparing the x650 switch to a cisco nexus 5548up or 5672up?

edit: specific use is technically datacenter TOR, though it doubles as the core switch with our size.

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE
They work, configuration is confusing and you'll never actually see a resume from someone who has used them before. TAC is poo poo, but so is everyone else's.

Bluecobra
Sep 11, 2001

The Future's So Bright I Gotta Wear Shades

FatCow posted:

TAC is poo poo, but so is everyone else's.
That's not true with Arista. They actually have tier 3 people answering the phones. Just last week we had some strangeness with IGMP and the guy we spoke with (at 7:30am CST no less) actually knew what he was talking about.

madsushi
Apr 19, 2009

Baller.
#essereFerrari

adorai posted:

can someone tell me about extreme network switches, specifically comparing the x650 switch to a cisco nexus 5548up or 5672up?

edit: specific use is technically datacenter TOR, though it doubles as the core switch with our size.

XOS is VLAN-centric, instead of interface-centric, so the config can be a bit wonky if you're used to Cisco. I would trust them way more for L3-type stuff than I would trust a 5548.

Dilbert As FUCK
Sep 8, 2007

by Cowcaster
Pillbug
I know it's not really networking; but getting back into the UCS stuff, a bunch has changed since I last dealt with it, looks like cisco really stepped up its game.

Any good books/online resources that aren't a sales pitch; just want to make sure I am current.

some kinda jackal
Feb 25, 2003

 
 
If you have a Cisco academy login (mine still works from when I did my CCNA) you should be able to download a VM based UCS emulator. I've been playing with it for a while and it's pretty loving neat.

Dilbert As FUCK
Sep 8, 2007

by Cowcaster
Pillbug

Martytoof posted:

If you have a Cisco academy login (mine still works from when I did my CCNA) you should be able to download a VM based UCS emulator. I've been playing with it for a while and it's pretty loving neat.

Yeah I got that, just looking for something to read I suppose, have a more structured whack at things.

Begby
Apr 7, 2005

Light saber? Check. Black boots? Check. Codpiece? Check. He's more machine than kid now.
Ok, so our network is totally hosed, everyone here is going apeshit, the outside techs came in and are all swearing. Perhaps one of you has seen this issue before.

Basically when I scan the lan, about half the IP addresses all have the same mac address. Like hundreds. The mac address is our ASA. All unassigned IP addresses are also shown as having that mac address.

When we unplug the ASA the scan appears correct and after a few minutes the IP addresses that had that weird mac address start working again.

We first noticed this when our two microsoft DNS servers started working intermittently yesterday. We didn't change anything recently, except we did change the subnet mask from 255.255.255.0 to 255.255.254.0 a few days ago, but everything seemed to be working ok after that switch until yesterday morning.




Everything has been restarted multiple times. Our next step is to start replacing hardware one thing at a time.

ate shit on live tv
Feb 15, 2004

by Azathoth
Is the ASA trying to act as a dhcp relay or something? Is it the default gateway or what?

I assume this is a flat network with all hosts connected to a switch and one host is the default gateway. When you changed the subnet mask did that include changing all hosts on the network?

With the information provided it's pretty difficult to pin-point the problem.

Begby
Apr 7, 2005

Light saber? Check. Black boots? Check. Codpiece? Check. He's more machine than kid now.
Not flat, we do have a vlan for phones. We recently changed the subnet of the network from /24 to /23 and changed the voice subnet.

We have multiple switches, with a router off the core switch and the ASA off the core switch. Everyone points to the router as the default gateway, and the router has the ASA as its 0 0 destination.

We haven't rebooted the router since the changes, we are going to try that soon.

SamDabbers
May 26, 2003



Begby posted:

Not flat, we do have a vlan for phones. We recently changed the subnet of the network from /24 to /23 and changed the voice subnet.

We have multiple switches, with a router off the core switch and the ASA off the core switch. Everyone points to the router as the default gateway, and the router has the ASA as its 0 0 destination.

We haven't rebooted the router since the changes, we are going to try that soon.

The router may be sending ICMP Redirects if ASA, router, and hosts are on the same subnet. This will cause an entry to be made in the routing table of each host for each non-subnet-local address they try to reach. Maybe you could set no ip redirects on the router's LAN interface? You could probably also solve your ARP problem by putting your ASA on a dedicated (sub)interface on the router, instead of on the same subnet as the hosts.

SamDabbers fucked around with this message at 18:35 on Mar 5, 2014

ragzilla
Sep 9, 2005
don't ask me, i only work here


The ASA is probably proxy ARP'ing due to an identity NAT translation.

Begby
Apr 7, 2005

Light saber? Check. Black boots? Check. Codpiece? Check. He's more machine than kid now.

SamDabbers posted:

The router may be sending ICMP Redirects if ASA, router, and hosts are on the same subnet. This will cause an entry to be made in the routing table of each host for each non-subnet-local address they try to reach. Maybe you could set no ip redirects on the router's LAN interface? You could probably also solve your ARP problem by putting your ASA on a dedicated (sub)interface on the router, instead of on the same subnet as the hosts.

Ok, just tried this but it didn't work.

Dunno if it makes a difference, but we can ping and access all the IP addresses that are showing up in the scan results with the duplicate mac address.

The real major issue is that the local DNS servers are working intermittently. Like they will be fine for 5 minutes, then for maybe 1 minute they will not respond to lookups, but you can still ping the server fine while they are not responding to nslookup. There are no errors on either DNS server. I have no idea if that is related or not.

edit: One thing that is odd, is that the DNS issues seem to pop up more often on our macbooks compared to windows 7 boxes. Also, earlier I saw DNS lookups failing on a mac machine, but working on a windows machine right next to it. So it seems to be down intermittently on a per machine basis, and not across the whole network.


quote:

The ASA is probably proxy ARP'ing due to an identity NAT translation.

The network guy said he thought of this earlier and removed the NATs but that didn't fix it either. He is going to try and resurrect his 10 year old SA account and hop into this thread as I am currently his middleman and I primarily converse in the nerd dialect known as programming vs. cisco.


Thank you both for your suggestions.

Begby fucked around with this message at 18:48 on Mar 5, 2014

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
sysopt noproxyarp [interface] is the proper command to disable proxy arp on an interface

Sounds like you need to find the root problem. If it's DNS related, change one of your devices to an external DNS (8.8.8.8) and see if the problems go away, then focus on the DNS servers as being the cause.

Sepist fucked around with this message at 19:36 on Mar 5, 2014

sudo rm -rf
Aug 2, 2011


$ mv fullcommunism.sh
/america
$ cd /america
$ ./fullcommunism.sh


vPC is blowing my loving mind. It was so simple to enable and set up, but I have no idea how everything else works now.

I'm trying to create a trunk link between a port on my vPC'd fabric extender and the esxi host I have connected to it. Do I configure the vlan information and fex interfaces on only one of the n5ks? Both? How do SVIs work now? If we were going to do routing on the N5Ks between our vlans, do only one of the N5Ks need the necessary SVIs? Either I can't find the answers, or they're just that beyond my level of understanding that I can't even recognize them as answers.

Help, you're my only hope.

Begby
Apr 7, 2005

Light saber? Check. Black boots? Check. Codpiece? Check. He's more machine than kid now.
Changing the DNS to 8.8.8.8 will allow a machine to get on the internets without interruption, however, it doesn't fix any of the duplicate mac addresses.

My guess is that there is something going on with the network that is causing our local DNS servers to fail intermittently. Like I said, there are no errors on the DNS servers, rebooting them doesn't fix it, and the issue is intermittent on a workstation by workstation basis, i.e. the DNS doesn't seem to be down for everyone on the network at the same time as far as I can tell (was able to have DNS lookups fail on one machine, while on a machine right next to it the DNS was working at that time).

8.8.8.8 and 8.8.4.4 have not had this issue on our internal network, that is what I am using on my mac right now, and I haven't had any issues yet.

madsushi
Apr 19, 2009

Baller.
#essereFerrari

sudo rm -rf posted:

vPC is blowing my loving mind. It was so simple to enable and set up, but I have no idea how everything else works now.

I'm trying to create a trunk link between a port on my vPC'd fabric extender and the esxi host I have connected to it. Do I configure the vlan information and fex interfaces on only one of the n5ks? Both? How do SVIs work now? If we were going to do routing on the N5Ks between our vlans, do only one of the N5Ks need the necessary SVIs? Either I can't find the answers, or they're just that beyond my level of understanding that I can't even recognize them as answers.

Help, you're my only hope.

1) Yes, you configure a port-channel on BOTH of the N5Ks. You add the additional tag "vpc #" where # is just an incrementing number (usually matches the port channel), e.g.:

interface port-channel 5
switchport mode trunk
switchport trunk allowed vlan 999
vpc 5

If the "vpc 5" matches on both N5Ks, then the N5K knows those two are paired together.

2) No, you'll need to put your SVI on both N5Ks. The easiest way to do this is with VRRP floating the primary IP between the N5Ks.


Also here is my VPC config if it helps (including some vPC interface tracking):

vpc domain 150
peer-switch
role priority 1
peer-keepalive destination ***** source *****
delay restore 150
track 1
auto-recovery
ip arp synchronize

track 1 list boolean or
object 2
object 3
track 2 interface Ethernet1/1 line-protocol
track 3 interface Ethernet1/2 line-protocol

1000101
May 14, 2003

BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY FRUITCAKE!

sudo rm -rf posted:

vPC is blowing my loving mind. It was so simple to enable and set up, but I have no idea how everything else works now.

I'm trying to create a trunk link between a port on my vPC'd fabric extender and the esxi host I have connected to it. Do I configure the vlan information and fex interfaces on only one of the n5ks? Both? How do SVIs work now? If we were going to do routing on the N5Ks between our vlans, do only one of the N5Ks need the necessary SVIs? Either I can't find the answers, or they're just that beyond my level of understanding that I can't even recognize them as answers.

Help, you're my only hope.

Configure all SVIs on your 5ks just like you always would and setup an FHRP between them. One great thing about vPC and VRRP/HSRP is that either side will respond as the active gateway depending on which 5k receives a packet so you don't have to worry about traffic going over the peer link.

How are your fex's configured? Are they physically connected to both 5ks or just one?

if they're connected to both 5ks then make sure the channel-group for the fex has a VPC ID assigned to it.

i.e.

int port-channel 101
vpc 101

on both 5ks (assuming you're using po101 for fex101.)

If they're single homed then just configure the port-channel as needed.

For the ESXi host, assuming you want to use LACP/VPC and not just LBT or originating port you'll want to do something like this:

int eth101/1/10
channel-group 210 mode active

int po210
<your interface stuff here>
vpc 210

Repeat on 5k-2

int eth102/1/10
channel-group 210 mode active

int po210
<interface stuff>
vpc 210

If your FEX's are dual homed then just add the interfaces to a channel group on both 5ks. If you don't then a "show int brief" will show the state as "inactive."

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k

Begby posted:

Changing the DNS to 8.8.8.8 will allow a machine to get on the internets without interruption, however, it doesn't fix any of the duplicate mac addresses.

My guess is that there is something going on with the network that is causing our local DNS servers to fail intermittently. Like I said, there are no errors on the DNS servers, rebooting them doesn't fix it, and the issue is intermittent on a workstation by workstation basis, i.e. the DNS doesn't seem to be down for everyone on the network at the same time as far as I can tell (was able to have DNS lookups fail on one machine, while on a machine right next to it the DNS was working at that time).

8.8.8.8 and 8.8.4.4 have not had this issue on our internal network, that is what I am using on my mac right now, and I haven't had any issues yet.

That is because proxy arp is not being disabled correctly by your tech, I posted the correct way to disable it. As it is now, every arp query sent on your network is replied by the ASA, which is why you're seeing the MAC of the ASA for every IP - that's by design. It's a red herring.

Just taking a stab at it, someone probably is using the same IP as your DNS servers, or your DHCP scope isn't excluding the DNS servers IP's after changing your subnet mask recently.
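The symptom Sepist describes above (one MAC, the ASA's, answering ARP for a large share of the addresses on the segment, including unassigned ones) is easy to spot mechanically if you have an ARP table dump from a host on the segment. The script below is an added example, not something posted in this thread: it parses Linux/macOS `arp -a` style output, normalizes MAC formatting, and reports any MAC that is claiming more than a handful of IPs. The ARP rows, the MAC addresses and the 10.10.0.0/23 addressing are constructed for the example; the threshold of five IPs per MAC is an assumption, not a Cisco or vendor figure.

```python
import re
from collections import defaultdict

# Matches Linux and macOS `arp -a` rows such as
#   ? (10.1.2.3) at 00:11:22:33:44:55 [ether] on eth0
#   ? (10.1.2.4) at 0:11:22:33:44:55 on en0 ifscope [ethernet]
# Rows showing "<incomplete>" have no MAC and deliberately do not match.
ARP_ROW = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"(?P<mac>[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5})"
)

# Constructed sample: a router, two ordinary hosts, one incomplete entry, and one
# MAC (the firewall's, in this story) answering for eight different addresses.
SAMPLE_ARP = """\
? (10.10.0.1) at 00:00:0c:9f:f0:01 [ether] on eth0
? (10.10.0.2) at 00:1b:d4:aa:bb:cc [ether] on eth0
? (10.10.0.10) at 3c:97:0e:11:22:33 [ether] on eth0
? (10.10.0.11) at f0:18:98:44:55:66 [ether] on eth0
? (10.10.0.50) at 00:1b:d4:aa:bb:cc [ether] on eth0
? (10.10.0.51) at 00:1b:d4:aa:bb:cc [ether] on eth0
? (10.10.0.52) at 00:1b:d4:aa:bb:cc [ether] on eth0
? (10.10.0.53) at 00:1b:d4:aa:bb:cc [ether] on eth0
? (10.10.0.200) at 00:1b:d4:aa:bb:cc [ether] on eth0
? (10.10.1.5) at 0:1b:d4:aa:bb:cc on en0 ifscope [ethernet]
? (10.10.1.6) at 00:1b:d4:aa:bb:cc [ether] on eth0
? (10.10.1.7) at <incomplete> on eth0
"""


def normalize_mac(mac):
    """Zero-pad each octet and lowercase, so macOS '0:1b:d4:a:b:c' equals '00:1b:d4:0a:0b:0c'."""
    return ":".join(part.zfill(2).lower() for part in mac.split(":"))


def parse_arp(text):
    """Return {ip: normalized_mac} for every complete ARP entry in the dump."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.search(line)
        if m:
            table[m.group("ip")] = normalize_mac(m.group("mac"))
    return table


def find_shared_macs(table, min_ips=5):
    """Return {mac: [ips...]} for every MAC that answers for at least min_ips addresses.

    A legitimate host owns one or two addresses; a MAC owning dozens is the
    proxy-ARP signature described in the thread (assumed threshold: 5).
    """
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    as_tuple = lambda ip: tuple(int(o) for o in ip.split("."))
    return {
        mac: sorted(ips, key=as_tuple)
        for mac, ips in by_mac.items()
        if len(ips) >= min_ips
    }


def report(text, min_ips=5):
    """Human-readable findings, one line per over-subscribed MAC."""
    table = parse_arp(text)
    shared = find_shared_macs(table, min_ips)
    return [
        f"{mac} answers for {len(ips)} of {len(table)} resolved IPs "
        f"({ips[0]} .. {ips[-1]}); check for proxy ARP on that device"
        for mac, ips in shared.items()
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_ARP):
        print(line)
```

Run it against a real `arp -a` capture by reading the file into `report()`; a router or firewall that proxy-ARPs will show up at the top, while a quiet segment produces no findings at all.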

Begby
Apr 7, 2005

Light saber? Check. Black boots? Check. Codpiece? Check. He's more machine than kid now.
Ok, thanks again for all your help, I'll let you know how it turns out.

edit: Yup, that was it, all those duplicate mac addresses went away. The DNS servers are not in the range of IP addresses being handed out, but they are applying hotfixes for those, perhaps it is a separate issue. Leaving now anyways, hopefully someone solves that while I am exercising.

Thanks again everyone who pitched in. I'll tell the networks guys they owe you blumpkins next time you are in town.

Begby fucked around with this message at 20:57 on Mar 5, 2014

chestnut santabag
Jul 3, 2006

sudo rm -rf posted:

vPC is blowing my loving mind. It was so simple to enable and set up, but I have no idea how everything else works now.

I'm trying to create a trunk link between a port on my vPC'd fabric extender and the esxi host I have connected to it. Do I configure the vlan information and fex interfaces on only one of the n5ks? Both? How do SVIs work now? If we were going to do routing on the N5Ks between our vlans, do only one of the N5Ks need the necessary SVIs? Either I can't find the answers, or they're just that beyond my level of understanding that I can't even recognize them as answers.

Help, you're my only hope.

Configuring a port on a fex that's dual homed to two 5ks requires you to do the exact same configuration on both Nexus 5ks.
There's a "configure sync" option that's supposed to apply the exact same configuration across both 5ks from a single command line but I always found it to be a bit too erratic to use.
For SVI configuration, treat your Nexus 5ks as any regular pair of independent layer 3 switches using HSRP, VRRP or GLBP for redundancy.
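madsushi, 1000101 and chestnut santabag all make the same point: every vPC port-channel has to be configured identically on both N5Ks, with a matching "vpc N" under each, or the port ends up inactive. That is a check worth automating before a change window. The script below is an added example and not code from the thread or from Cisco: it parses the interface stanzas of two NX-OS running-configs (assumed to be in the indented `show running-config` layout), maps each vPC id to its port-channel on each switch, and reports ids that exist on only one side or whose trunk mode or allowed VLAN list differs. The two sample configs are constructed; the vPC ids 5 and 210 are borrowed from the posts above, vpc 300 is invented to show the missing-peer case.

```python
import re

IFACE_RE = re.compile(r"^interface\s+(?P<name>\S.*)$", re.IGNORECASE)
# Accepts "port-channel5", "port-channel 5" and the short form "po5".
PC_RE = re.compile(r"^(?:port-channel|po)\s*(\d+)$", re.IGNORECASE)

# Constructed sample configs for a vPC pair. On 5k-2, po210 allows an extra
# VLAN and po300 never got its "vpc 300" line.
SWITCH_A = """\
interface port-channel5
  switchport mode trunk
  switchport trunk allowed vlan 999
  vpc 5
interface port-channel210
  switchport mode trunk
  switchport trunk allowed vlan 10,20
  vpc 210
interface port-channel300
  switchport mode trunk
  switchport trunk allowed vlan 30
  vpc 300
interface Ethernet101/1/10
  channel-group 210 mode active
"""
SWITCH_B = """\
interface port-channel5
  switchport mode trunk
  switchport trunk allowed vlan 999
  vpc 5
interface port-channel210
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30
  vpc 210
interface port-channel300
  switchport mode trunk
  switchport trunk allowed vlan 30
interface Ethernet102/1/10
  channel-group 210 mode active
"""


def canonical_iface(name):
    """Normalize port-channel spellings so both configs key on 'port-channelN'."""
    m = PC_RE.match(name.strip())
    return f"port-channel{m.group(1)}" if m else name.strip()


def parse_nxos(text):
    """Return {interface: attrs} with vpc id, trunk mode, allowed VLANs and channel-group."""
    ifaces, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        m = IFACE_RE.match(line)
        if m:
            current = canonical_iface(m.group("name"))
            ifaces[current] = {"vpc": None, "mode": None, "allowed_vlans": None, "channel_group": None}
            continue
        if current is None or not line.startswith(" "):
            current = None          # an unindented, non-interface line ends the stanza
            continue
        words, entry = line.split(), ifaces[current]
        if words[0] == "vpc" and len(words) == 2 and words[1].isdigit():
            entry["vpc"] = int(words[1])
        elif words[:2] == ["switchport", "mode"] and len(words) == 3:
            entry["mode"] = words[2]
        elif words[:4] == ["switchport", "trunk", "allowed", "vlan"]:
            entry["allowed_vlans"] = " ".join(words[4:])
        elif words[0] == "channel-group" and len(words) >= 2 and words[1].isdigit():
            entry["channel_group"] = int(words[1])
    return ifaces


def vpc_map(ifaces):
    """vpc id -> (port-channel name, attrs) for every port-channel that carries a vpc id."""
    return {a["vpc"]: (n, a) for n, a in ifaces.items()
            if n.startswith("port-channel") and a["vpc"] is not None}


def check_vpc_pair(cfg_a, cfg_b, label_a="5k-1", label_b="5k-2"):
    """List the vPC inconsistencies between two peer configs (empty list means consistent)."""
    a, b = vpc_map(parse_nxos(cfg_a)), vpc_map(parse_nxos(cfg_b))
    findings = []
    for vpc_id in sorted(set(a) | set(b)):
        if vpc_id not in b:
            findings.append(f"vpc {vpc_id}: on {label_a} ({a[vpc_id][0]}) but missing on {label_b}")
        elif vpc_id not in a:
            findings.append(f"vpc {vpc_id}: on {label_b} ({b[vpc_id][0]}) but missing on {label_a}")
        else:
            (name_a, at_a), (name_b, at_b) = a[vpc_id], b[vpc_id]
            for key in ("mode", "allowed_vlans"):
                if at_a[key] != at_b[key]:
                    findings.append(f"vpc {vpc_id}: {key} differs "
                                    f"({label_a} {name_a}: {at_a[key]!r}, {label_b} {name_b}: {at_b[key]!r})")
    return findings


if __name__ == "__main__":
    for finding in check_vpc_pair(SWITCH_A, SWITCH_B):
        print(finding)
```

Feed it the two running-configs pulled from the peers and treat any output as something to fix before touching the ESXi uplink; the allowed-VLAN comparison is a plain string match, so write the VLAN list the same way on both switches.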

sudo rm -rf
Aug 2, 2011


$ mv fullcommunism.sh
/america
$ cd /america
$ ./fullcommunism.sh


You guys are the best, that helped a lot.

sudo rm -rf
Aug 2, 2011


$ mv fullcommunism.sh
/america
$ cd /america
$ ./fullcommunism.sh


I'm back! How do I set up NTP on a 5548UP so that devices on its various vlans can use it as the NTP server? Is this possible?

ate shit on live tv
Feb 15, 2004

by Azathoth

sudo rm -rf posted:

I'm back! How do I set up NTP on a 5548UP so that devices on its various vlans can use it as the NTP server? Is this possible?

I don't think the 5548 can act as an NTP server. If you have a router, or server somewhere, use that instead.

1000101
May 14, 2003

BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY FRUITCAKE!

Powercrazy posted:

I don't think the 5548 can act as an NTP server. If you have a router, or server somewhere, use that instead.

It can as of current releases.

'feature ntp'

'ntp master 2'

Sets it as a stratum 2 NTP source.

This is on version 6.0(2)N2(2)

sudo rm -rf
Aug 2, 2011


$ mv fullcommunism.sh
/america
$ cd /america
$ ./fullcommunism.sh


We're on 5.2 (1), but I was able to get ntp to some devices using 'ntp distribute'. Fortunately the devices that need NTP are some cisco call managers and telepresence vcs appliances - so I'm guessing CFS works with them.

chestnut santabag
Jul 3, 2006

Depends on what you've got configured for NTP already.
If you've got NTP servers configured on your Nexus to update their times, then you shouldn't need any additional configurations to use your Nexus switches as NTP servers.
I'm fairly certain you don't need the 'ntp distribute' command - your devices might just not have updated immediately. NTP can take a while to settle on the correct time.

sudo rm -rf
Aug 2, 2011


$ mv fullcommunism.sh
/america
$ cd /america
$ ./fullcommunism.sh


chestnut santabag posted:

Depends on what you've got configured for NTP already.
If you've got NTP servers configured on your Nexus to update their times, then you shouldn't need any additional configurations to use your Nexus switches as NTP servers.
I'm fairly certain you don't need the 'ntp distribute' command - your devices might just not have updated immediately. NTP can take a while to settle on the correct time.

Yeah you're probably right. We didn't realize the 5k was actually working until I went back into our little video appliance and attempted to test a windows box I had started working on.

In another update from sudo's first networking job, gently caress ASAs. I'll probably be asking for help about that later this weekend, but right now my brain needs time to recover.

1000101
May 14, 2003

BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY FRUITCAKE!

sudo rm -rf posted:

In another update from sudo's first networking job, gently caress ASAs. I'll probably be asking for help about that later this weekend, but right now my brain needs time to recover.

Just a heads up, you'll be saying this on your second, third, fourth and so on network jobs ceaselessly throughout eternity.

z0rlandi viSSer
Nov 5, 2013

I work with a bunch of tools who give me poo poo anytime I want to bring in any firewall that isn't ASA because they are afraid of anything that isn't ASDM.

I hate them. Oh how I hate them.

abigserve
Sep 13, 2009

this is a better avatar than what I had before
It blows my mind that people hate ASA's so much, I've been using them for 3+ years and never found anything difficult. I've also never installed ASDM though so maybe that's the culprit...

In other firewall news a coworker in another state came into the team meeting to let us know one of the Palo Alto's shat itself again and they are sending a replacement. They haven't proved the most reliable of boxes but the usability has probably still offset the time spent debugging and fixing the problems.

abigserve fucked around with this message at 08:28 on Mar 8, 2014

doomisland
Oct 5, 2004

abigserve posted:

It blows my mind that people hate ASA's so much, I've been using them for 3+ years and never found anything difficult. I've also never installed ASDM though so maybe that's the culprit...

In other firewall news a coworker in another state came into the team meeting to let us know one of the Palo Alto's shat itself again and they are sending a replacement. They haven't proved the most reliable of boxes but the usability has probably still offset the time spent debugging and fixing the problems.

We have PAN's at work in our office. One problem is that they don't do IPv6 well at all. Thanks Obama.

Speaking of firewalls any ever worked with the datacenter SRXs? I hear they're real fun to configure and troubleshoot due to how it handles the add-on modules.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

abigserve posted:

It blows my mind that people hate ASA's so much, I've been using them for 3+ years and never found anything difficult. I've also never installed ASDM though so maybe that's the culprit...
It's not so much that ASAs are just plain awful, but other firewalls just seem to do it better.

ate shit on live tv
Feb 15, 2004

by Azathoth

abigserve posted:

It blows my mind that people hate ASA's so much, I've been using them for 3+ years and never found anything difficult. I've also never installed ASDM though so maybe that's the culprit...

In other firewall news a coworker in another state came into the team meeting to let us know one of the Palo Alto's shat itself again and they are sending a replacement. They haven't proved the most reliable of boxes but the usability has probably still offset the time spent debugging and fixing the problems.

You can manage an ASA via CLI or ASDM, not both. If you convert to ASDM you can never go back to CLI. Also apparently the CSM isn't feature complete with the CLI? IDK, but it just seems like ASA are pretty poo poo in the firewall hierarchy.


Bluecobra
Sep 11, 2001

The Future's So Bright I Gotta Wear Shades

Powercrazy posted:

You can manage an ASA via CLI or ASDM, not both. If you convert to ASDM you can never go back to CLI. Also apparently the CSM isn't feature complete with the CLI? IDK, but it just seems like ASA are pretty poo poo in the firewall hierarchy.

Unless they changed something in a newer version, you can certainly do both CLI and ASDM. Either way, ASAs are poo poo and for my next job I will try to avoid a company that uses them.

abigserve posted:

In other firewall news a coworker in another state came into the team meeting to let us know one of the Palo Alto's shat itself again and they are sending a replacement. They haven't proved the most reliable of boxes but the usability has probably still offset the time spent debugging and fixing the problems.
If it makes you feel any better, the Check Point firewalls I have to deal with don't seem very reliable either. I guess that comes with trying to combine everything into one box.
