|
Powercrazy posted:Yea I tried those things, but unfortunately when dealing with an SFP interface JunOS doesn't even acknowledge the interface exists unless there is an Optic in it. I'm wondering if there is a "pre-populate" configuration command or something that will let you apply configurations to a phantom interface. If you set a description on the interface, it'll show in your 'sh int desc' and give you your admin down status even without a transceiver. At least it does on the MX series.
|
#
?
Sep 26, 2015 02:14
|
|
|
|
| # ? May 22, 2024 22:26 |
|
|
2960S or x are what I see a lot of, and meraki.
|
|
#
?
Sep 26, 2015 02:15
|
|
|
2960S is going end of life, if that's something you need to have support for. http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-2960-series-switches/eos-eol-notice-c51-733348.html
|
|
#
?
Sep 26, 2015 02:22
|
|
|
Powercrazy posted:Yea I tried those things, but unfortunately when dealing with an SFP interface JunOS doesn't even acknowledge the interface exists unless there is an Optic in it. I'm wondering if there is a "pre-populate" configuration command or something that will let you apply configurations to a phantom interface. There is no pre-populate command but you can configure the interface before you stick an optic in it and it will commit fine. use the below in > mode to see what optics are in what FPC. code:Another nifty thing you can do if you're running a virtual chassis is you can completely configure a new switches' interfaces before you even add it to the "stack" hanyolo fucked around with this message at 00:51 on Sep 28, 2015 |
|
#
?
Sep 28, 2015 00:39
|
|
|
I've got a bunch of IP cameras and access control card readers on the same VLAN and subnet as my VMs. I want to move them to their own VLAN and subnet. Easy enough. But the consultant that set these things up did it by going to each port and applying their VLANs and QoS settings port by port. So changing them or adding new ones is going to new ports and copy/pasting settings. Can't I just make like a 'profile' where I say "this is the profile for a camera, it sits on this VLAN x, trunks allowed are y, QoS settings are z, etc.' And then I just configure the port, drop the profile on it, and done? Trying to google it and I'm getting results for either Nexus 1000v or vmware related. Is this what I'm looking for, or am I barking up the wrong tree here?
|
|
#
?
Sep 28, 2015 17:12
|
|
|
Thanks Ants posted:Why do you want layer 3 switches for running two VLANs across a couple of switches? It doesn't sound like there's much requiring routing between the voice and data VLAN so it's fine to let the ASA do that. So long as you get LAN Base software on a 2960-X, it will do static routing.
|
|
#
?
Sep 28, 2015 18:01
|
|
|
itskage posted:I've got a bunch of IP cameras and access control card readers on the same VLAN and subnet as my VMs. I want to move them to their own VLAN and subnet. Easy enough. Catalyst switches have auto smartport macros, which can be triggered off CDP/LLDP messages or MAC addresses/OUIs.
|
|
#
?
Sep 28, 2015 18:05
|
|
|
XO Communications wants me to renew our 100mbit fiber contract with them, and I noticed they want to charge $177 a month to lease me a Cisco 2951 and manage it for me. I asked them if I can supply my own Cisco 2951 and not have to pay that, and they said absolutely, but they will not provide the initial configuration on it. 1) Is it going to be particularly involved for me to configure a 2951? I'm assuming it is more complicated than providing my own Surfboard on a consumer cable modem connection. 2) Can I use something else, like maybe an HP equivalent? I'd rather not add Cisco equipment. I mean, if it's as simple as these guys running an LC or SC fiber plug to me and I just plug it in and punch in the IP/Subnet/Gateway and give them the MAC address to provision then cool but I get the feeling there's gonna be some wackiness. I should also mention that uptime is not an issue, I already have a high availability router bonding two other ISPs so out uptime is higher than we need... I just want to tack on more raw bandwidth, so I'm fine with freestyling this a bit.
|
|
#
?
Sep 28, 2015 20:59
|
|
|
It's essentially an outside interface, an inside interface, and possibly some NAT overload statements if you don't have another device behind it doing NAT. <1 hour of work for someone who knows the CLI. Any router that can handle the throughput should be fine -- could likely do it on a $100 mikrotik.
|
|
#
?
Sep 28, 2015 21:04
|
|
|
It could be as complicated as a public IP address in a /31 subnet and then another subnet of routable IP addresses to use on the inside interface to sit in front of your firewall, but it's probably 30 minutes work including flashing an IOS image if required. Just make sure that whatever you buy can cope with 100Mbps throughput at Internet-typical packets (I think 512 bytes are used as an average to turn PPS into Mbps numbers). Normal suggestions if you want to take more of a hobbyist approach are Mikrotik as stated already, or an Ubiquiti EdgeRouter. I would expect handoff on copper Ethernet from a piece of NTE equipment.
|
|
#
?
Sep 28, 2015 21:33
|
|
|
If they want to install a transit router, they're definitely going to be slicing you an address block for the transit network between your firewall and their equipment. But as has already been pointed out, this is just going to be a normal /31 on one interface and whatever block size they give you on the other, with static routing in between (since it sounds like your load balancing is taking place somewhere else). If uptime and support don't matter, get a Ubiquiti edgerouter. It'll support 1Gbps at line rate.
|
|
#
?
Sep 28, 2015 21:58
|
|
|
In the two instances where we are doing this, we actually terminate it directly into a layer two switch and dump the transit vlan into an instance of VyOS. Cost was only the optical transceiver.
|
|
#
?
Sep 29, 2015 00:29
|
|
|
adorai posted:In the two instances where we are doing this, we actually terminate it directly into a layer two switch and dump the transit vlan into an instance of VyOS. Cost was only the optical transceiver. Out of curiosity, are you running ipv6 dual stack on your vyos instances and/or are you trying to use ospfv3? Quagga's still saying support is "beta" status which gives me pause.
|
|
#
?
Sep 29, 2015 06:39
|
|
|
CrazyLittle posted:Out of curiosity, are you running ipv6 dual stack on your vyos instances and/or are you trying to use ospfv3? Quagga's still saying support is "beta" status which gives me pause. No ipv6
|
|
#
?
Sep 29, 2015 13:58
|
|
|
I've got an ASA at work that I've got set up behind a NAT. I've got a Fortigate at home that I have set up using a dynamic DNS name. I'd like to configure the ASA to create an IPsec tunnel between itself and my home Fortigate, but the VPN wizard in ASDM doesn't allow a domain name for a peer identifier -- it needs an IP address. I don't want to have to re-build the config every time my IP changes at home. I've had this set up before using two Fortigates since it supports a Dyndns type peer identifier off the bat. Obviously the device at work will have to initiate the connection as it is NATted, itself. Thoughts?
|
|
#
?
Sep 29, 2015 19:55
|
|
|
Is there any way to use an asa in front of a vcs?
|
|
#
?
Sep 29, 2015 20:13
|
|
|
Martytoof posted:I've got an ASA at work that I've got set up behind a NAT. I've got a Fortigate at home that I have set up using a dynamic DNS name. Can you set the far end IP to 0.0.0.0 and use something other than the IP address as the IKE ID?
|
|
#
?
Sep 29, 2015 20:16
|
|
|
e; Nevermind, that doesn't actually work.
|
|
#
?
Sep 29, 2015 20:42
|
|
|
Martytoof posted:I've got an ASA at work that I've got set up behind a NAT. I've got a Fortigate at home that I have set up using a dynamic DNS name. Dynamic VPN. http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118652-configure-asa-00.html
|
|
#
?
Sep 29, 2015 21:08
|
|
|
Disappointed that my google-fu let me down there. Thanks very much!Thanks Ants posted:Can you set the far end IP to 0.0.0.0 and use something other than the IP address as the IKE ID? I kind of want to try this.
|
|
#
?
Sep 29, 2015 22:16
|
|
|
Bleh, so I'm sort of sorted on the dynamic VPN thing, but now I've got a separate problem. All the docs for a dynip L2L VPN state that the side with the dynamic IP needs to be the one to establish the connection since the other side has a fixed IP. In my case the fixed IP is behind a NAT firewall so I'm kind of boned there. Problem here is that I can't forward IPsec ports on the outside firewall with the static IP that's fronting for my ASA. So What I need is for a way to use a hostname as a remote peer on the NAT'd ASA since ultimately it WILL have to be the ASA that initiates the connection -- the far end (dyndns) router won't be able to initiate anything as its peer is behind NAT. Not really seeing much in the way of a solution here so I might have to give up the ASA in this instance. Wonder if pfSense can do something like this. I know FortiOS can since I've had it set up exactly like this before but I'm not ready to shell out for a FortiOS VM :\
|
|
#
?
Sep 30, 2015 14:16
|
|
|
Why can't the ports be forwarded to the ASA on the headend?
|
|
#
?
Sep 30, 2015 15:51
|
|
|
Richard Noggin posted:Why can't the ports be forwarded to the ASA on the headend? I have no administrative control over the ASA in question. I could probably work to have this done but to be honest I just need this temporarily so I'm not going to fret over it. I'm going to bring a spare Fortigate from home tomorrow as a workaround, I was just hoping to get this done with the resources I have at hand.
|
|
#
?
Sep 30, 2015 16:14
|
|
|
Hopefully I'm being Captain Obvious here but if I were your network admin, I'd be downright bullshit that you tried this.
|
|
#
?
Sep 30, 2015 17:16
|
|
|
Richard Noggin posted:Hopefully I'm being Captain Obvious here but if I were your network admin, I'd be downright bullshit that you tried this. Haha yeah, no I would be too if this was unauth. I have all the right approvals and I'm just temporarily tapping into our guest DMZ on our end so no damage done. I can get the ports forwarded but our network guy is slammed and I can't get 15 minutes of his time for another two weeks according to his calendar so I'm just working around it.
|
|
#
?
Sep 30, 2015 18:47
|
|
|
Would running a virtual router on a cloud provider and pointing your work ASA and home Fortigate at that be an option?
|
|
#
?
Sep 30, 2015 21:17
|
|
|
Thanks Ants posted:Would running a virtual router on a cloud provider and pointing your work ASA and home Fortigate at that be an option? That would probably be fine, though I just got home and prepped a spare Fortigate. I guess ASAs don't really need that sort of flexibility as they're typically not deployed in environments where you'd need to connect to a dyndns peer. The Fortigates seem to be more of a SOHO thing so I'm a lot less surprised that they've taken that into account. Not a big deal, but it would be nice if I could specify a peer by domain name rather than IP. I guess it would introduce an extra point of failure, though in my case it's either that or count the ASA out altogether. Shame. I meant to see if this is something pfSense could do but honestly it was really quick to set up a spare FG so no big deal.
|
|
#
?
Sep 30, 2015 22:21
|
|
|
I'm intrigued into what you're doing where you can set up an ASA to tunnel back out to your home with no issues from corporate, but running a VPN client on your PC and cracking open an RDP session isn't an option.
|
|
#
?
Sep 30, 2015 22:49
|
|
|
Thanks Ants posted:I'm intrigued into what you're doing where you can set up an ASA to tunnel back out to your home with no issues from corporate, but running a VPN client on your PC and cracking open an RDP session isn't an option. I've got a lab on the DMZ here at work and I've got a lab at home. I'm going to vMotion some machines back and forth.
|
|
#
?
Sep 30, 2015 23:43
|
|
|
"Hmm. I'm seeing a lot of encrypted traffic here to this one suspicious IP address." access-list inside-out extended deny udp any any eq 4500
|
|
#
?
Sep 30, 2015 23:47
|
|
|
Well I've gone through CAB so if it still gets shut down then I guess I'll just go do something else.
|
|
#
?
Sep 30, 2015 23:51
|
|
|
Martytoof posted:I've got a lab on the DMZ here at work and I've got a lab at home. I'm going to vMotion some machines back and forth. rather intresting
|
|
#
?
Oct 1, 2015 11:44
|
|
|
There sure a lot of goons at NANOG. Some may even post on the forums. 
|
|
#
?
Oct 6, 2015 16:18
|
|
|
FatCow posted:There sure a lot of goons at NANOG. Some may even post on the forums. Please don't post while drunk
|
|
#
?
Oct 7, 2015 13:29
|
|
|
I have been in a constant hungover-drunk cycle since Sunday.
|
|
#
?
Oct 7, 2015 14:49
|
|
|
FatCow posted:There sure a lot of goons at NANOG. Some may even post on the forums.
|
|
#
?
Oct 7, 2015 22:48
|
|
|
I'm not sure if the op is still around but nearly every link on the first page is dead. Didn't realize this thread is almost ten years old, it has to be one of the oldest active threads on the whole forums. Bigass Moth fucked around with this message at 03:23 on Oct 8, 2015 |
|
#
?
Oct 8, 2015 03:17
|
|
|
Re the negotiation thing, at least on the Cisco 3750/3560s I have been hosing around with recently, setting jumbo MTU is only applicable for gigabit ports, not 10/100. Some hardware may support jumbos on 100Mbit but this again would mean that if you have a pin open and a server link drops down to 100 from 1000, all those high byte size frames get dropped as errors. Or, due to a mysterious lovely bug, you could have it just do that anyways on a gig link after it was taken down, because it just feels like doing that anyway.
|
|
#
?
Oct 8, 2015 12:54
|
|
|
I'm trying to set up babby's first Cisco vPC between two Nexus 6k switches. I feel like I must be missing something completely retarded here. From each switch, I can ping the management interface of the other. But I can't get the vpc keepalive link to come up one end. Any idea what is up with this? Switch A: management interface is 10.63.162.45/16 Switch B: management interface is 10.63.178.45/16 Switch A: code:code:
|
|
#
?
Oct 8, 2015 19:28
|
|
|
|
| # ? May 22, 2024 22:26 |
|
|
Try this:quote:vpc domain 2 I have "source" specified on my boxes, might be important. I also have "role priority 1" and also 2 specified in there, not sure if required.
|
|
#
?
Oct 8, 2015 19:42
|
|
