Slip
Jan 20, 2001

Charliegrs posted:

I recently got my CCNA and have a job interview for a NOC or helpdesk position coming up on Friday. The recruiter told me the interviewer would probably ask me some technical questions like CCNA level LAN/WAN type questions. So having never done an interview for this type of job before (hopefully my first step in a networking career) can anyone give me any idea what kind of questions I might be asked? I have tonight and tomorrow night to bone up on it.

Here is what I would ask of a fresh CCNA coming into a NOC/helpdesk:

- understanding basic Layer 2 principles of switching, vlans, spanning tree
- understanding some routing principles in general (static, dynamic)
- difference between layer 2/3

And don't forget to spend some time researching the company you are applying for. Show some understanding of the services/products you might be supporting in your role if hired.


ate shit on live tv
Feb 15, 2004

by Azathoth

DigitalMocking posted:

Routing entry for 10.21.15.0/24
Known via "connected", distance 0, metric 0 (connected, via interface)
Redistributing via bgp 65001
Advertised by bgp 65001
Routing Descriptor Blocks:
* directly connected, via GigabitEthernet0/2
Route metric is 0, traffic share count is 1
<snip>

There is a command I think it's 'sh ip bgp neighbors advertised-routes'
Make sure 10.21.15.0/24 shows up on router1. According to the 'sh ip route' it SHOULD, but if it doesn't then you have somewhere to start. If it does show up, then you'll need to check if there is something weird going on in your MPLS setup and your PE routers (router 1 and 2) aren't accepting that route for some reason. Perhaps you are running MPLS on Gig0/2 or something like that.

DigitalMocking
Jun 8, 2010

Wine is constant proof that God loves us and loves to see us happy.
Benjamin Franklin

Powercrazy posted:

There is a command I think it's 'sh ip bgp neighbors advertised-routes'
Make sure 10.21.15.0/24 shows up on router1. According to the 'sh ip route' it SHOULD, but if it doesn't then you have somewhere to start. If it does show up, then you'll need to check if there is something weird going on in your MPLS setup and your PE routers (router 1 and 2) aren't accepting that route for some reason. Perhaps you are running MPLS on Gig0/2 or something like that.

It's not being advertised.

Bizarre.

aus-2911-1#sh ip bgp neighbors 100.65.0.5 advertised-routes
BGP table version is 76, local router ID is 100.65.0.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
*> 10.0.0.0 0.0.0.0 0 32768 ?
*> 10.10.10.0/24 100.65.0.5 0 3549 3549 98 393887 ?
*> 10.10.11.0/24 100.65.0.5 0 3549 3549 98 393887 ?
*> 10.21.8.0/24 10.21.12.254 0 112 113 i
*> 10.21.11.0/24 10.21.12.12 0 111 i
r> 10.21.12.0/24 10.21.12.12 0 111 i
r> 10.21.16.0/24 10.21.12.254 0 111 i

edit: This is beginning to feel like a TAC case to me. Per Cisco's documentation 'redistribute connected' will advertise routes that show up via the 'sh ip route connected'.

aus-2911-1#sh ip route connected
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is 10.21.12.254 to network 0.0.0.0

10.0.0.0/8 is variably subnetted, 18 subnets, 5 masks
C 10.21.12.0/24 is directly connected, GigabitEthernet0/0
L 10.21.12.8/32 is directly connected, GigabitEthernet0/0
C 10.21.15.0/24 is directly connected, GigabitEthernet0/2
L 10.21.15.9/32 is directly connected, GigabitEthernet0/2
C 10.30.0.0/16 is directly connected, Vlan30
L 10.30.0.1/32 is directly connected, Vlan30
100.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 100.65.0.4/30 is directly connected, GigabitEthernet0/1
L 100.65.0.6/32 is directly connected, GigabitEthernet0/1
110.0.0.0/32 is subnetted, 1 subnets
C 110.143.8.170 is directly connected, Dialer2
203.45.253.0/32 is subnetted, 1 subnets
C 203.45.253.1 is directly connected, Dialer2

Every other route in that table is being advertised except for 10.21.15.0.

I don't have any weird route maps or access-lists blocking it.

DigitalMocking fucked around with this message at 20:12 on Apr 7, 2016
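The check Powercrazy describes (compare what 'sh ip route connected' has against what 'sh ip bgp neighbors X advertised-routes' actually sends) is easy to automate, and it is worth automating because the same diff run the other way flags connected prefixes you never meant to redistribute. The script below is an added example written for this thread, not code from Cisco or from anyone posting here. The two sample outputs are constructed, modelled on the ones quoted above, and the function names are mine. It handles the two parsing wrinkles that trip up naive greps: a BGP network printed without a mask is the classful network, and a connected entry printed without a mask takes its length from the preceding 'is subnetted' header.

```python
import ipaddress
import re

# Constructed sample output, shaped like the two show commands quoted above
# (re-typed for this example, not copied from a live device).
SHOW_IP_ROUTE_CONNECTED = """\
Gateway of last resort is 10.21.12.254 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 18 subnets, 5 masks
C        10.21.12.0/24 is directly connected, GigabitEthernet0/0
L        10.21.12.8/32 is directly connected, GigabitEthernet0/0
C        10.21.15.0/24 is directly connected, GigabitEthernet0/2
L        10.21.15.9/32 is directly connected, GigabitEthernet0/2
C        10.30.0.0/16 is directly connected, Vlan30
      100.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        100.65.0.4/30 is directly connected, GigabitEthernet0/1
      110.0.0.0/32 is subnetted, 1 subnets
C        110.143.8.170 is directly connected, Dialer2
"""

SHOW_BGP_ADVERTISED = """\
     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.0.0.0         0.0.0.0                  0         32768 ?
 *>  10.10.10.0/24    100.65.0.5               0             0 3549 3549 98 393887 ?
 *>  10.21.8.0/24     10.21.12.254             0             0 112 113 i
 *>  10.21.11.0/24    10.21.12.12              0             0 111 i
 r>  10.21.12.0/24    10.21.12.12              0             0 111 i
 r>  10.21.16.0/24    10.21.12.254             0             0 111 i
 *>  10.30.0.0/16     0.0.0.0                  0         32768 ?
 *>  100.65.0.4/30    0.0.0.0                  0         32768 ?
 *>  110.143.8.170/32 0.0.0.0                  0         32768 ?
"""

CONNECTED_RE = re.compile(r"^C\s+(\S+) is directly connected, (\S+)")
SUBNETTED_RE = re.compile(r"^\s+\S+/(\d+) is (variably )?subnetted")
# BGP table row: optional status-code letters/symbols, then the Network column
BGP_ROW_RE = re.compile(r"^\s*[*>rsdhibmfxacSI ]*(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)(?=\s)")


def classful_prefix(addr: str) -> str:
    """'sh ip bgp' prints a network with no mask when it is the classful network."""
    first = int(addr.split(".")[0])
    plen = 8 if first < 128 else 16 if first < 192 else 24
    return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))


def parse_connected(text: str) -> dict:
    """Return {prefix: interface} for the 'C' lines of 'show ip route connected'."""
    routes, header_plen = {}, None
    for line in text.splitlines():
        m = SUBNETTED_RE.match(line)
        if m:
            # 'variably subnetted' blocks carry a mask on every entry; a plain
            # 'is subnetted' block applies the header's mask to mask-less entries
            header_plen = None if m.group(2) else int(m.group(1))
            continue
        m = CONNECTED_RE.match(line)
        if not m:
            continue
        dest, ifname = m.groups()
        if "/" not in dest:
            dest = f"{dest}/{header_plen if header_plen is not None else 32}"
        routes[str(ipaddress.ip_network(dest, strict=False))] = ifname
    return routes


def parse_advertised(text: str) -> set:
    """Return the set of prefixes in a 'show ip bgp neighbors X advertised-routes' table."""
    nets = set()
    for line in text.splitlines():
        m = BGP_ROW_RE.match(line)
        if not m:
            continue
        dest = m.group(1)
        nets.add(str(ipaddress.ip_network(dest, strict=False)) if "/" in dest
                 else classful_prefix(dest))
    return nets


def missing_advertisements(route_text: str, bgp_text: str) -> list:
    """Connected prefixes that do not appear in the advertised-routes output."""
    connected = parse_connected(route_text)
    advertised = parse_advertised(bgp_text)
    return sorted((p, i) for p, i in connected.items() if p not in advertised)


if __name__ == "__main__":
    for prefix, iface in missing_advertisements(SHOW_IP_ROUTE_CONNECTED, SHOW_BGP_ADVERTISED):
        print(f"connected but NOT advertised: {prefix} ({iface})")
```

On the constructed sample this reports only 10.21.15.0/24 on GigabitEthernet0/2, which is the situation in the post. Paste real output into the two strings (or read them from files) to use it for a live check; note that a row marked r> (RIB-failure) still counts as advertised, which is the right answer for this question.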

tortilla_chip
Jun 13, 2007

k-partite
Enable soft reconfig inbound and see if the prefix is being denied for a policy reason (or maybe you hit a bug)

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
I've seen that happen once in our lab on a 7609, our Cisco AS reps escalated to TAC and the only fix was a reboot.

Japanese Dating Sim
Nov 12, 2003

hehe
Lipstick Apathy
Silly ICND2/HSRP question - Is this a Packet Tracer bug?

code:
R1(config)#int fa0/0
R1(config-if)#ip address 10.10.0.1 255.255.255.0
R1(config-if)#no shut

R1(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
standby
R1(config-if)#standby ?
  <0-4095>  group number
  ip        Enable HSRP and set the virtual IP address
  ipv6      Enable HSRP IPv6
  preempt   Overthrow lower priority Active routers
  priority  Priority level
  timers    Hello and hold timers
  track     Priority Tracking
R1(config-if)#standby 1 ?
  ip        Enable HSRP and set the virtual IP address
  ipv6      Enable HSRP IPv6
  preempt   Overthrow lower priority Active routers
  priority  Priority level
  timers    Hello and hold timers
  track     Priority Tracking
R1(config-if)#standby 1 ip ?
  A.B.C.D  Virtual IP address
  <cr>
R1(config-if)#standby 1 ip 10.10.0.1 ?
  <cr>
R1(config-if)#standby 1 ip 10.10.0.1
R1(config-if)#
%HSRP-6-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby

%HSRP-6-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active
I thought you weren't supposed to be able to assign an IP that was being used by a physical interface as the virtual IP? I feel like I must be missing something dumb (though Jeremy's CBTNuggets videos have him doing this exact thing, and getting an error - "address cannot equal interface IP address").

Japanese Dating Sim fucked around with this message at 22:27 on Apr 11, 2016

Pendent
Nov 16, 2011

The bonds of blood transcend all others.
But no blood runs stronger than that of Sanguinius
Grimey Drawer
A few of my coworkers and myself have very rarely run into very specific situations where the CPU on a given router is getting capped.

After digging into the problem we will consistently find that the culprit is unsurprisingly IP input. Using netflow we see that one or several of the top talkers has a destination interface of Null, which in this context we believe means that the traffic is being process switched.

What we have not been able to figure out is why. We haven't seen any commonality in terms of IOS version or router chassis. Generally rebooting the PC seems to fix the problem but it's really odd and I'm wondering if anyone else has run into something similar.

1000101
May 14, 2003

BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY FRUITCAKE!

Japanese Dating Sim posted:

Silly ICND2/HSRP question - Is this a Packet Tracer bug?

code:
R1(config)#int fa0/0
R1(config-if)#ip address 10.10.0.1 255.255.255.0
R1(config-if)#no shut

R1(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
standby
R1(config-if)#standby ?
  <0-4095>  group number
  ip        Enable HSRP and set the virtual IP address
  ipv6      Enable HSRP IPv6
  preempt   Overthrow lower priority Active routers
  priority  Priority level
  timers    Hello and hold timers
  track     Priority Tracking
R1(config-if)#standby 1 ?
  ip        Enable HSRP and set the virtual IP address
  ipv6      Enable HSRP IPv6
  preempt   Overthrow lower priority Active routers
  priority  Priority level
  timers    Hello and hold timers
  track     Priority Tracking
R1(config-if)#standby 1 ip ?
  A.B.C.D  Virtual IP address
  <cr>
R1(config-if)#standby 1 ip 10.10.0.1 ?
  <cr>
R1(config-if)#standby 1 ip 10.10.0.1
R1(config-if)#
%HSRP-6-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby

%HSRP-6-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active
I thought you weren't supposed to be able to assign an IP that was being used by a physical interface as the virtual IP? I feel like I must be missing something dumb (though Jeremy's CBTNuggets videos have him doing this exact thing, and getting an error - "address cannot equal interface IP address").

VRRP can share a VIP with the interface but yes HSRP does require the VIP be different than the actual interface IP. Typically you'll see R1 as 10.10.0.2 and R2 as 10.10.0.3 with an HSRP address of 10.10.0.1.

Probably packettracer loving up.
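The rules 1000101 gives (the VIP must differ from the interface's own address, and the usual layout is R1 .2, R2 .3, VIP .1) are exactly the kind of thing a pre-deployment config lint can catch before a simulator or a lab box lets it through. Below is an added example written for this thread, not Cisco code and not anything the posters wrote. It parses the interface stanzas of two routers, checks the VIP against the rules the real IOS enforces, and also checks that both group members agree on the VIP. The sample stanzas are constructed and the function names are mine.

```python
import ipaddress
import re

# Constructed interface stanzas. PACKET_TRACER_R1 mirrors the post above:
# the VIP is the same as the interface address, which real IOS rejects.
PACKET_TRACER_R1 = """\
interface FastEthernet0/0
 ip address 10.10.0.1 255.255.255.0
 standby 1 ip 10.10.0.1
"""

GOOD_R1 = """\
interface FastEthernet0/0
 ip address 10.10.0.2 255.255.255.0
 standby 1 ip 10.10.0.1
 standby 1 priority 110
 standby 1 preempt
"""

GOOD_R2 = """\
interface FastEthernet0/0
 ip address 10.10.0.3 255.255.255.0
 standby 1 ip 10.10.0.1
"""

IP_RE = re.compile(r"^\s*ip address (\S+) (\S+)")
STANDBY_IP_RE = re.compile(r"^\s*standby (\d+) ip (\S+)")


def parse_interface(config: str) -> dict:
    """Extract the interface address and the HSRP group -> VIP map from one stanza."""
    iface = {"address": None, "groups": {}}
    for line in config.splitlines():
        m = IP_RE.match(line)
        if m:
            # ipaddress accepts a dotted netmask after the slash
            iface["address"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            continue
        m = STANDBY_IP_RE.match(line)
        if m:
            iface["groups"][int(m.group(1))] = ipaddress.ip_address(m.group(2))
    return iface


def check_hsrp(stanzas: dict) -> list:
    """stanzas: {router_name: interface stanza text}. Returns a list of problem strings."""
    problems = []
    parsed = {name: parse_interface(cfg) for name, cfg in stanzas.items()}
    real_addrs = {name: p["address"] for name, p in parsed.items() if p["address"]}
    by_group = {}
    for name, p in parsed.items():
        for group, vip in p["groups"].items():
            by_group.setdefault(group, set()).add(vip)
            if p["address"] is None:
                problems.append(f"{name} group {group}: no interface address configured")
                continue
            # the rule IOS enforces: VIP may not equal this interface's own address
            if vip == p["address"].ip:
                problems.append(f"{name} group {group}: VIP {vip} equals interface address")
            # the VIP must live in the interface subnet
            if vip not in p["address"].network:
                problems.append(f"{name} group {group}: VIP {vip} not in {p['address'].network}")
            # and must not be the peer's real address either
            for other, addr in real_addrs.items():
                if other != name and vip == addr.ip:
                    problems.append(f"{name} group {group}: VIP {vip} is {other}'s interface address")
    # members of one group must agree on the VIP or the pair will not form
    for group, vips in by_group.items():
        if len(vips) > 1:
            problems.append(f"group {group}: members disagree on VIP {sorted(map(str, vips))}")
    return problems


if __name__ == "__main__":
    print(check_hsrp({"R1": PACKET_TRACER_R1}))
    print(check_hsrp({"R1": GOOD_R1, "R2": GOOD_R2}))
```

The first call reports the VIP-equals-interface error that the CBTNuggets video shows IOS producing; the second, with the .2/.3/.1 layout from the reply above, comes back clean.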

1000101
May 14, 2003

BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY FRUITCAKE!

Pendent posted:

A few of my coworkers and myself have very rarely run into very specific situations where the CPU on a given router is getting capped.

After digging into the problem we will consistently find that the culprit is unsurprisingly IP input. Using netflow we see that one or several of the top talkers has a destination interface of Null, which in this context we believe means that the traffic is being process switched.

What we have not been able to figure out is why. We haven't seen any commonality in terms of IOS version or router chassis. Generally rebooting the PC seems to fix the problem but it's really odd and I'm wondering if anyone else has run into something similar.

Any chance I could see the routing table/configuration? I'll redistribute null routed summaries to attract traffic to a specific router which then has a bunch of more specific routes.

Also what router model is this and what version of IOS?

Pendent
Nov 16, 2011

The bonds of blood transcend all others.
But no blood runs stronger than that of Sanguinius
Grimey Drawer
The one I saw today was a 1940 running 15.0 (1)M5. I know I've seen it happen on stuff running 12.4. The really weird thing is that I only see this pop up with Internet traffic.

I was just going over my running config to try to redact the sensitive stuff but that would probably pull out anything at all you'd find helpful. Even the routing table would actually identify both my company and the client with a cursory lookup on ARIN.

The router I'm looking at is handling primary Internet for this site, and has the site's secondary VPN tunnel back to me (GRE over IPSEC). All of the interesting routing is going over that tunnel. Really simple stuff, honestly.

I suppose there's a bit of policy based routing for the Internet fail over. Here's that config:

code:
ip sla 10
 icmp-echo %High Availability Server% source-ip %WAN IP%
 tag PING
 frequency 30

 
track 123 ip sla 10 reachability
 delay down 65 up 180
!
track 124 interface GigabitEthernet0/1 line-protocol
 delay down 1 up 180
!
track 125 list threshold weight
 object 123 weight 50
 object 124 weight 50
 threshold weight down 50 up 51
 delay down 1 up 180
 
ip access-list extended IP-SLA-Monitor
 permit ip any host %High Availability Server%
 
 
route-map ROUTING-SLA permit 10
 match ip address IP-SLA-Monitor
 set ip next-hop %ISP Edge%
 set interface Null0
 
 
ip local policy route-map ROUTING-SLA
 
ip prefix-list DEFAULT seq 10 permit 0.0.0.0/0
 
route-map STATIC-TO-EIGRP permit 10
 match ip address prefix-list DEFAULT
 
 
router eigrp 48
 redistribute static route-map STATIC-TO-EIGRP

E: Given that this is the short question thread I'm mostly wondering if anyone has run into this. I get the feeling it's a bug of some sort but it's really hard to reproduce.

Pendent fucked around with this message at 02:35 on Apr 12, 2016
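Whether the failover in that config behaves as intended hinges on how `track 125 list threshold weight` evaluates: with two objects of weight 50 and `threshold weight down 50 up 51`, the list goes down as soon as either the SLA probe or the Gi0/1 line protocol fails, and only comes back when both are up. The model below is an added example written for this thread (my reading of the threshold semantics, not Cisco code): the list is down when the summed weight of up objects is at or below the down threshold, up when at or above the up threshold, and keeps its previous state in between. The `delay down/up` timers are deliberately not modelled, the initial state is assumed to be up, and the class and function names are mine.

```python
from dataclasses import dataclass, field


@dataclass
class WeightedTrackList:
    """Model of 'track N list threshold weight' (constructed illustration, not IOS code)."""
    weights: dict        # object id -> weight
    down_threshold: int  # list is DOWN when the sum of up-object weights <= this
    up_threshold: int    # list is UP when the sum of up-object weights >= this
    state: str = "up"    # assumed starting state
    _up: dict = field(default_factory=dict)

    def __post_init__(self):
        # every tracked object starts in the up state
        self._up = {obj: True for obj in self.weights}

    def weight_up(self) -> int:
        return sum(w for obj, w in self.weights.items() if self._up[obj])

    def set_object(self, obj: str, is_up: bool) -> str:
        """Change one object's state and re-evaluate the list; returns the new list state."""
        self._up[obj] = is_up
        total = self.weight_up()
        if total <= self.down_threshold:
            self.state = "down"
        elif total >= self.up_threshold:
            self.state = "up"
        # between the two thresholds the list keeps its previous state (hysteresis)
        return self.state


def track_125() -> WeightedTrackList:
    """The list from the config above: objects 123 and 124, weight 50 each, down 50 up 51."""
    return WeightedTrackList({"123": 50, "124": 50}, down_threshold=50, up_threshold=51)


def failover_scenario() -> list:
    """Walk track 125 through a sequence of object events; returns (event, list state) pairs."""
    t = track_125()
    events = [
        ("sla fails", "123", False),      # 50 <= 50  -> down: one failure is enough
        ("sla recovers", "123", True),    # 100 >= 51 -> up
        ("link down", "124", False),      # 50        -> down
        ("sla also fails", "123", False), # 0         -> down
        ("link back", "124", True),       # 50        -> still down, SLA still failed
        ("sla back", "123", True),        # 100       -> up only once both are up
    ]
    return [(name, t.set_object(obj, up)) for name, obj, up in events]


def hysteresis_example() -> list:
    """A list whose thresholds leave a gap, to show that the in-between band holds state."""
    t = WeightedTrackList({"a": 50, "b": 30, "c": 20}, down_threshold=40, up_threshold=70)
    return [
        t.set_object("a", False),  # 50: between 40 and 70 -> keeps "up"
        t.set_object("b", False),  # 20 <= 40             -> "down"
        t.set_object("a", True),   # 70 >= 70             -> "up"
    ]


if __name__ == "__main__":
    for event, state in failover_scenario():
        print(f"{event:15s} -> track 125 {state}")
    print("hysteresis:", hysteresis_example())
```

The first walk-through shows that the config above behaves as a logical AND of the two objects, which is presumably what was wanted for a primary-Internet router. The second shows why the `down`/`up` values are normally chosen with a gap: a weight that lands between them does not flap the list.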

DeNofa
Aug 25, 2009

WILL AMOUNT TO NOTHING IN LIFE.

Pendent posted:

The one I saw today was a 1940 running 15.0 (1)M5. I know I've seen it happen on stuff running 12.4. The really weird thing is that I only see this pop up with Internet traffic.

I was just going over my running config to try to redact the sensitive stuff but that would probably pull out anything at all you'd find helpful. Even the routing table would actually identify both my company and the client with a cursory lookup on ARIN.

The router I'm looking at is handling primary Internet for this site, and has the site's secondary VPN tunnel back to me (GRE over IPSEC). All of the interesting routing is going over that tunnel. Really simple stuff, honestly.

I suppose there's a bit of policy based routing for the Internet fail over. Here's that config:

code:
ip sla 10
 icmp-echo %High Availability Server% source-ip %WAN IP%
 tag PING
 frequency 30

 
track 123 ip sla 10 reachability
 delay down 65 up 180
!
track 124 interface GigabitEthernet0/1 line-protocol
 delay down 1 up 180
!
track 125 list threshold weight
 object 123 weight 50
 object 124 weight 50
 threshold weight down 50 up 51
 delay down 1 up 180
 
ip access-list extended IP-SLA-Monitor
 permit ip any host %High Availability Server%
 
 
route-map ROUTING-SLA permit 10
 match ip address IP-SLA-Monitor
 set ip next-hop %ISP Edge%
 set interface Null0
 
 
ip local policy route-map ROUTING-SLA
 
ip prefix-list DEFAULT seq 10 permit 0.0.0.0/0
 
route-map STATIC-TO-EIGRP permit 10
 match ip address prefix-list DEFAULT
 
 
router eigrp 48
 redistribute static route-map STATIC-TO-EIGRP

E: Given that this is the short question thread I'm mostly wondering if anyone has run into this. I get the feeling it's a bug of some sort but it's really hard to reproduce.

Sounds buggy for sure. Can you move off that old 15.0 code for at least the newest 15.1? If you do the TAC thing, they can probably figure it out pretty quickly. If you can post or PM the config I would like to look.

abigserve
Sep 13, 2009

this is a better avatar than what I had before

Pendent posted:

A few of my coworkers and myself have very rarely run into very specific situations where the CPU on a given router is getting capped.

After digging into the problem we will consistently find that the culprit is unsurprisingly IP input. Using netflow we see that one or several of the top talkers has a destination interface of Null, which in this context we believe means that the traffic is being process switched.

What we have not been able to figure out is why. We haven't seen any commonality in terms of IOS version or router chassis. Generally rebooting the PC seems to fix the problem but it's really odd and I'm wondering if anyone else has run into something similar.

debug netdr capture rx, if it's supported on your platform.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k

Japanese Dating Sim posted:

Silly ICND2/HSRP question - Is this a Packet Tracer bug?

code:
R1(config)#int fa0/0
R1(config-if)#ip address 10.10.0.1 255.255.255.0
R1(config-if)#no shut

R1(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
standby
R1(config-if)#standby ?
  <0-4095>  group number
  ip        Enable HSRP and set the virtual IP address
  ipv6      Enable HSRP IPv6
  preempt   Overthrow lower priority Active routers
  priority  Priority level
  timers    Hello and hold timers
  track     Priority Tracking
R1(config-if)#standby 1 ?
  ip        Enable HSRP and set the virtual IP address
  ipv6      Enable HSRP IPv6
  preempt   Overthrow lower priority Active routers
  priority  Priority level
  timers    Hello and hold timers
  track     Priority Tracking
R1(config-if)#standby 1 ip ?
  A.B.C.D  Virtual IP address
  <cr>
R1(config-if)#standby 1 ip 10.10.0.1 ?
  <cr>
R1(config-if)#standby 1 ip 10.10.0.1
R1(config-if)#
%HSRP-6-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby

%HSRP-6-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active
I thought you weren't supposed to be able to assign an IP that was being used by a physical interface as the virtual IP? I feel like I must be missing something dumb (though Jeremy's CBTNuggets videos have him doing this exact thing, and getting an error - "address cannot equal interface IP address").

Likely a bug, Packet Tracer is a simulator and not an emulator IIRC and is susceptible to coding bugs like that.

crunk dork
Jan 15, 2006
Why in the world does this Brocade 648P use the settings on the first four Ethernet ports to determine settings for the 4 SFP slots as well?

Been beating my head against the wall trying to figure out why I can't see them at all and thankfully stumbled upon an old post in their forum saying that was why.

30 TO 50 FERAL HOG
Mar 2, 2005



So I'm working for a small company and we have a bunch of remote users that tunnel in using ASAs. Our network is just kind of a mess in general and we don't really have anyone particularly knowledgeable about networking. I have a certification/continuing ed budget and thought it might be a good idea to pursue a CCNA so we at least have someone who knows how all this poo poo is supposed to work.

Are there any legitimate online courses/books/whatevers to get this thing started?

Number19
May 14, 2003

HOCKEY OWNS
FUCK YEAH


crunk dork posted:

Why in the world does this Brocade 648P use the settings on the first four Ethernet ports to determine settings for the 4 SFP slots as well?

Been beating my head against the wall trying to figure out why I can't see them at all and thankfully stumbled upon an old post in their forum saying that was why.

That switch is a 48-port switch, not a 52-port switch. That means that F1-F4 share with four of the ethernet ports, probably 1-4. Lots of switches will have the four fiber ports share switching hardware with four of the copper ports.

Eletriarnation
Apr 6, 2005

People don't appreciate the substance of things...
objects in space.


Oven Wrangler

BiohazrD posted:

So I'm working for a small company and we have a bunch of remote users that tunnel in using ASAs. Our network is just kind of a mess in general and we don't really have anyone particularly knowledgeable about networking. I have a certification/continuing ed budget and thought it might be a good idea to pursue a CCNA so we at least have someone who knows how all this poo poo is supposed to work.

Are there any legitimate online courses/books/whatevers to get this thing started?

For CCNA it's relatively easy because there's one official book that covers the whole thing. There are some free materials out there too but they're more likely to be on a topic by topic basis - most people who put together a full course guide seem to want to get paid for it. I also enjoyed the Sybex guide written by Todd Lammle when I was working towards the CCNA and it seemed like a good number of people preferred it to the official one. Make sure that anything you buy is for the most recent version of the test, though - they usually change the test number for a new revision, so just be sure that matches.

If you specifically want ASA knowledge you may need to work towards the CCNA Security since the classic cert is just for the fundamental routing and switching topics. Having that basic R&S knowledge will help you with any networking task though.

Jedi425
Dec 6, 2002

THOU ART THEE ART THOU STICK YOUR HAND IN THE TV DO IT DO IT DO IT

Eletriarnation posted:

For CCNA it's relatively easy because there's one official book that covers the whole thing. There are some free materials out there too but they're more likely to be on a topic by topic basis - most people who put together a full course guide seem to want to get paid for it. I also enjoyed the Sybex guide written by Todd Lammle when I was working towards the CCNA and it seemed like a good number of people preferred it to the official one. Make sure that anything you buy is for the most recent version of the test, though - they usually change the test number for a new revision, so just be sure that matches.

If you specifically want ASA knowledge you may need to work towards the CCNA Security since the classic cert is just for the fundamental routing and switching topics. Having that basic R&S knowledge will help you with any networking task though.

It's worth noting that the CCNA Security (at least when I took it in the previous revision) is very heavily focused on the GUI Cisco pooped out for the ASA, the ASDM. If you're hoping to get a ton of ASA-applicable command-line knowledge from studying for the CCNASec, welp. I'd like to think the ASDM has gotten better since the last time I looked at it, but I'm not hopeful.

The good news is a lot of the basic stuff you'll learn in the CCNA will apply to the ASA, there's just a lot of weird little differences in the syntax and such, because the ASA doesn't run IOS, it runs its own thing. For example, ASA Access Control Lists use subnet masks, not wildcard masks like IOS ACLs do. Why? 'gently caress you, that's why' is the best answer I ever came up with.

(The real answer probably has to do with how Cisco bought the company that made the firewalls that later became the ASAs and just borrowed their code wholesale or something, but I don't know.)

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
As someone who lives and dies by the CLI, I recently was forced to use ASDM and it was actually pretty pleasant compared to how it used to be. It certainly made deploying a webvpn painless.

psydude
Apr 1, 2008

Sepist posted:

As someone who lives and dies by the CLI, I recently was forced to use ASDM and it was actually pretty pleasant compared to how it used to be. It certainly made deploying a webvpn painless.

VPN configuration is the only thing I use ASDM for, since they've done such a fantastic job of automating the whole process with it. For everything else, gently caress ASDM.

Filthy Lucre
Feb 27, 2006

Jedi425 posted:

The good news is a lot of the basic stuff you'll learn in the CCNA will apply to the ASA, there's just a lot of weird little differences in the syntax and such, because the ASA doesn't run IOS, it runs its own thing. For example, ASA Access Control Lists use subnet masks, not wildcard masks like IOS ACLs do. Why? 'gently caress you, that's why' is the best answer I ever came up with.

My personal favorite is IOS 'show ip int br' vs the ASA's 'show int ip br'. That just seems like a totally useless gently caress you move.

psydude
Apr 1, 2008

ASA's command syntax is much more similar to NX-OS than it is IOS, truth be told.

Eletriarnation
Apr 6, 2005

People don't appreciate the substance of things...
objects in space.


Oven Wrangler
I haven't worked on ASAs enough to feel that particular pain but I have recently started learning JunOS in a build that also has IOS-XR, and keeping those two straight when I've been working mostly on Nexus and vanilla IOS the past few months is making me kind of wish I had a GUI. Another abstraction layer is probably the last thing that's needed to add clarity though, and I don't know if Juniper even has one.

ragzilla
Sep 9, 2005
don't ask me, i only work here


Eletriarnation posted:

I haven't worked on ASAs enough to feel that particular pain but I have recently started learning JunOS in a build that also has IOS-XR, and keeping those two straight when I've been working mostly on Nexus and vanilla IOS the past few months is making me kind of wish I had a GUI. Another abstraction layer is probably the last thing that's needed to add clarity though, and I don't know if Juniper even has one.

netconf/yang, if you're working with routing. You need to build your own GUI, but they provide the abstraction and the interaction mechanism.

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy
This probably isn't that interesting to many of you but my VLAN/DHCP setup is a hot mess.

The key issue is that our main router, a Peplink, allows us to set only a single range of IPs as the untagged VLAN, and that's the only place the router will put clients who VPN in. The other VLANs I create on the Peplink all have to have a VLAN ID set. So, those who VPN in are all placed on the /24 VLAN which hosts our servers (the Peplink has it set as untagged, but to our switches the subnet is designated "VLAN 1"), when I want the VPN users to show up on our main VLAN 16, which is a /22.

Also, the Peplink VPN requires DHCP to be enabled on said untagged VLAN. Those who VPN in are able to use the internet perfectly fine, but then the Peplink randomly gives out those /22 IP addresses to clients who are supposed to be on VLAN 16, preventing them from using the internet (for some reason, probably having to do with the switch's VLAN tagging). I'm in a situation where I have to disable the DHCP on the untagged VLAN during the day (so on-prem clients aren't randomly given a 192.168.2 address and have their internet disrupted) and enable the DHCP at night (so when we go home we can use the VPN).

VLAN 1 (our servers)
VLAN 2 (phone servers)
VLAN 16 (200 hard-wired PCs, and all our wifi devices, which our wifi controller reduces broadcast domains on further)
VLAN 20 (all our Polycom SIP phones hop on to this, I think because of our DHCP option?)

To break it down:

Core switch:

code:
vlan 1
   no untagged 31
   untagged 9,12,14-16,25-27,29,32-36,41-48
   tagged 1-8,10-11,13,17-24,28,30,37-40
   ip address 192.168.2.1 255.255.255.0
vlan 2
   untagged 20-23,31,37-40
   tagged 1-19,24,26-30,32-36,41-48
   ip address 192.168.3.1 255.255.255.0
   qos priority 6
   voice
vlan 5
   tagged 10,14-16,25-27,29,34,36,41-43,45,47-48
   ip address 192.168.12.1 255.255.252.0
vlan 16
   tagged 1-11,13-19,24-30,32,34,36,41-43,45,47-48
   ip address 192.168.16.1 255.255.252.0
vlan 20
   tagged 1-48
   ip address 192.168.20.1 255.255.252.0
All 16 of my Edge Switches:

code:
vlan 1
   tagged 49-52
   no untagged 1-48
   exit
vlan 16
   untagged 1-48
   tagged 49-52
   exit
vlan 20
   tagged 1-52
   voice
Here's how the network is set up on my Peplink router (handles dual wan, VPN, DHCP). On each network I checked an "Inter-VLAN Routing" box so the subnets can ping each other without broadcast traffic crossing the subnets:




So, like, what the gently caress do I do? Thanks goons!
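With sixteen edge switches plus a core, the first thing worth knowing is what each physical port actually carries, and in particular which ports have VLAN 1 as their untagged (native) VLAN while also carrying tagged VLANs, since that is the combination that makes VLAN 1 traffic from a client hop onto a trunk. The script below is an added example written for this thread, not code from HP/ProCurve or from Zero VGS. It parses the `vlan N` / `untagged` / `tagged` / `no untagged` stanza format used in the post, inverts it to a per-port view, and reports two things: ports untagged in more than one VLAN (an invalid state) and ports whose untagged VLAN is 1 while they carry tagged VLANs. The two configs are constructed copies of the ones above; the implicit "all ports untagged in VLAN 1" default is deliberately not modelled, so only explicit statements count. Function names are mine.

```python
import re

# Constructed copies of the core and edge switch VLAN stanzas from the post above.
CORE_SWITCH = """\
vlan 1
   no untagged 31
   untagged 9,12,14-16,25-27,29,32-36,41-48
   tagged 1-8,10-11,13,17-24,28,30,37-40
   ip address 192.168.2.1 255.255.255.0
vlan 2
   untagged 20-23,31,37-40
   tagged 1-19,24,26-30,32-36,41-48
   ip address 192.168.3.1 255.255.255.0
   qos priority 6
   voice
vlan 5
   tagged 10,14-16,25-27,29,34,36,41-43,45,47-48
   ip address 192.168.12.1 255.255.252.0
vlan 16
   tagged 1-11,13-19,24-30,32,34,36,41-43,45,47-48
   ip address 192.168.16.1 255.255.252.0
vlan 20
   tagged 1-48
   ip address 192.168.20.1 255.255.252.0
"""

EDGE_SWITCH = """\
vlan 1
   tagged 49-52
   no untagged 1-48
   exit
vlan 16
   untagged 1-48
   tagged 49-52
   exit
vlan 20
   tagged 1-52
   voice
"""


def expand_ports(spec: str) -> set:
    """'9,12,14-16' -> {9, 12, 14, 15, 16}."""
    ports = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = map(int, part.split("-"))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return ports


def parse_vlans(config: str) -> dict:
    """{vlan_id: {'untagged': set, 'tagged': set}} from ProCurve-style vlan stanzas."""
    vlans, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^vlan (\d+)$", line)
        if m:
            cur = vlans.setdefault(int(m.group(1)), {"untagged": set(), "tagged": set()})
            continue
        if cur is None:
            continue
        m = re.match(r"^(no )?(untagged|tagged) (\S+)$", line)
        if m:
            negate, kind, spec = m.groups()
            # 'no untagged X' removes membership; anything else (ip address, voice, exit) is ignored
            (cur[kind].difference_update if negate else cur[kind].update)(expand_ports(spec))
    return vlans


def port_view(vlans: dict) -> dict:
    """Invert to {port: {'untagged': [vlan ids], 'tagged': set(vlan ids)}}."""
    ports = {}
    for vid, members in vlans.items():
        for p in members["untagged"]:
            ports.setdefault(p, {"untagged": [], "tagged": set()})["untagged"].append(vid)
        for p in members["tagged"]:
            ports.setdefault(p, {"untagged": [], "tagged": set()})["tagged"].add(vid)
    return ports


def audit(config: str) -> dict:
    """Flag ports untagged in several VLANs, and trunk-like ports whose native VLAN is 1."""
    findings = {"double_untagged": [], "native_vlan1_trunks": []}
    for p, m in sorted(port_view(parse_vlans(config)).items()):
        if len(m["untagged"]) > 1:
            findings["double_untagged"].append((p, sorted(m["untagged"])))
        if m["untagged"] == [1] and m["tagged"]:
            findings["native_vlan1_trunks"].append(p)
    return findings


if __name__ == "__main__":
    print("core:", audit(CORE_SWITCH))
    print("edge:", audit(EDGE_SWITCH))
```

On the core config every port that is untagged in VLAN 1 is also tagged in VLAN 20 (tagged 1-48), so all 22 of them are reported; the edge switches come back clean because their access ports are untagged in 16 and the uplinks 49-52 have no untagged VLAN at all. That is the useful map to have in hand before deciding where the Peplink and its VPN clients should land.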

Eletriarnation
Apr 6, 2005

People don't appreciate the substance of things...
objects in space.


Oven Wrangler
I'm not even sure that I'm following all that correctly and this would fix anything, but is it an option to use another device as a dedicated DHCP server instead of having to combine your VPN gateway with that function? Having DHCP and VPN both locked to only work on the default VLAN is kind of nuts.

Speaking as someone who has only really worked with Cisco and consumer gear though, the whole idea of a "router" that supports VLAN encapsulation but doesn't just let you tag L3 interfaces with whatever encapsulation you want seems pretty bad.

Partycat
Oct 25, 2004

Bigass Moth posted:

Is there a good way to actually search ciscos bug fix website? A TAC engineer just sent me a bug but when I tried to search by the exact terms in it I couldn't find it on my own.

They've gotten pretty bad at actually linking things to the correct hardware or version on the voice stuff, and some platforms where the bug is cross platform via IOS or whatever.

Partycat
Oct 25, 2004

wolrah posted:

Looking for a sanity check. A customer just bought a building that has Cisco VG224 24 port FXS boxes in place already currently attached to a CUCM system. I'm playing with one to see if we can support them on their Asterisk system when we switch over the phones rather than having them buy a set of Adtran TA924s that would be functionally identical.

These are just acting as 24 port dumb ATAs to feed resident lines in a nursing home, no advanced call control features required. Inbound calls to extension, outbound calls straight to DID numbers or 911 with no dialing 9 or any of that silliness.

This config seems to work properly with the two lines I have registered right now and I have no reason not to believe that if I add more dial-peer entries for the rest of the ports they'll work just as well. Have I missed anything that'll bite me in the rear end later?

code:
dial-peer voice 1 voip
 destination-pattern .T
 session protocol sipv2
 session target ipv4:10.0.0.240
 incoming called-number .
 dtmf-relay rtp-nte
 codec g711ulaw
!
dial-peer voice 2600 pots
 destination-pattern 2600
 authentication username 2600 password 7 1415440F0907722A2129313173465E4553020E0C01050C0D504F475D0C5401070D
 port 2/0
!
dial-peer voice 2601 pots
 destination-pattern 2601
 authentication username 2601 password 7 13044E430F5E51787B272D6A3076100346510453000E55520B554A420D59000607
 port 2/1
!
!
sip-ua 
 registrar dns:testpbx.internal expires 120
 sip-server dns:testpbx.internal
!

You will want an e164num map or something, or multiple peers to match 911 immediately, otherwise it will time out on digit collection before routing. You also don't need an incoming called number for those peers.

I've never done digest auth per peer and extension, you could just trunk the thing to asterisk or register something less specific and route back.

Supplemental stuff like MWI, conf, caller ID, etc may require configuration as well. But for basic poo poo that will do.

For anyone else shopping these, or the new VG3X0 - they are pretty limited outside of being a basic gateway for phones to the ucm. You want a real voice router or similar to do cool poo poo at a remote site.

Partycat
Oct 25, 2004

The gently caress is a peplink?

Can you put it on VLAN 16 as PVID and tag in the rest of them for clients and apps? Either move management or give it a management IP on Vl 16 and secure it with an access list?

This is also probably why they recommend not using Vl 1 for anything wherever unnecessary.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
It's a lovely load balancer (like the rest of them). It's been around forever. The smaller ones are super confusing because they only have one physical interface to do *.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
So I hate firewalls but I'm doing a very base config on one to ensure the rest of it goes smoothly (things like getting interface names, standards for policy objects, etc). It's a fortipoop.

It has 2x10g interfaces, setting them up as LACP to a J EX with tagged subinterfaces. The Fortinet seems to have.. problems doing this. From the Web UI one cannot add a 2nd physical port (it calls its 10g's "portA" and "portB").

Adding it from the CLI is no problem, but the box just acts all fubar after that, in that:

One can still SSH to it, but not HTTP/HTTPS
Not pingable, cannot ping out (even its default gw)
arp entries still show up on itself for its peers

If you remove the 2nd interface, sometimes it will recover and sometimes you have to reboot it.

Has anyone had success with these pieces of poo poo before using LACP with tagged subinterfaces? Reason for the design is to add some level of additional redundancy - an EX switch member could go down, an optic fail, or someone bump a jumper and it should stay up. At least if it were acting properly.

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy

Eletriarnation posted:

I'm not even sure that I'm following all that correctly and this would fix anything, but is it an option to use another device as a dedicated DHCP server instead of having to combine your VPN gateway with that function? Having DHCP and VPN both locked to only work on the default VLAN is kind of nuts.

Speaking as someone who has only really worked with Cisco and consumer gear though, the whole idea of a "router" that supports VLAN encapsulation but doesn't just let you tag L3 interfaces with whatever encapsulation you want seems pretty bad.

The Peplink router can make up its own VLANs and it can run its own DHCP on any of those VLANs, the restriction is that it serves VPN and that can only work with the Peplink's own untagged VLAN and I think its own DHCP.

I specifically moved the DHCP to the Peplink because the guy before me was using the Windows 2003 phone server to do DHCP, problem being that A) we're retiring it for a new SIP system and B) he never bought CAL licenses for it and it's the only Windows server we have so I want it gone yesterday.

Partycat posted:

The gently caress is a peplink?

I get a lot of double-takes from router people when I mention the Peplink. Peplink Balance 710 router. The thing has been a godsend for me. It's a router which can load balance up to 7 WANs at once, lets you plug-and-play it with a USB LTE hotspot for emergency internet, active/standby HA, and it has an awesome feature where you can shotgun the same L2 traffic across two or more of the WAN connections then a Peplink at the remote location takes whichever packets arrive first, which in my testing completely eliminated packet loss and improved jitter. You can have a whole ISP go down and your SIP phone calls will persist, and I've confirmed this actually works in practice. Lastly they are cheap (a couple grand for 1gbps WAN routing capacity) and have the single best support team I've witnessed in my decade of IT. Instantly connect to US-based engineers for free, every time I call them. I feel guilty bothering them (and you all) to bail me out when I should be brushing up towards my CCNA and figuring this poo poo out myself, but I'm pressed for time.

Partycat posted:

Can you put it on VLAN 16 as PVID and tag in the rest of them for clients and apps ? Either move management or give it a management IP on Vl 16 and secure it with an access list?

This is also probably why they recommend not using Vl 1 for anything wherever unnecessary.

Huh, I never even tried it before, but the Peplink does place a management IP on each of the VLANs already. I can get into it from 192.168.2.254 or 192.168.19.254 (last IP in the VLAN 16 subnet).

So, you're saying I should change the switch config to tag the Peplink's LAN port to VLAN 16, change "ip route 0.0.0.0 0.0.0.0 192.168.2.254" on the core switch to 192.168.19.254, change the Peplink's untagged VLAN (192.168.2.x) to VLAN 1, change its VLAN 16 (192.168.16.x) to untagged?

That makes sense I think, I can test it out. I guess since the Peplink does VLANs itself and does inter-VLAN routing, I could actually go and remove some of the VLANs from the switch config? I think the only VLANs we actually need are just PVID VLAN 16 (workstations) and 20 (IP phones) since we have 300+ of each and I want to keep that chatter contained, and the wifi has its own broadcast domains. Our 192.168.2 network is just a bunch of device management IPs and a file server that doesn't really get any use.

falz posted:

It's a lovely load balancer (like the rest of them). It's been around forever. The smaller ones are super confusing because they only have one physical interface to do *.

I dunno, if you can't tell I'm in love with the thing. I haven't seen anything else with so many features that I actually value at the same price point. Mine has multiple LAN ports and console port so I haven't run into your issue, though.

Here's their model comparison page if anyone's wondering what they do, I have no affiliation I just think their poo poo is tight: http://www.peplink.com/products/balance/model-comparison/

CrazyLittle
Sep 11, 2001
Clapping Larry
I can toss my hat in on peplink though I mostly use their Pepwave BR1 LTE units as temporary internet access for outages etc. Even those have 2WAN + 2LAN built in.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

falz posted:

It has 2x10g interfaces, setting them up as LACP to a J EX with tagged subinterfaces. The fortinet seems to have... problems doing this. From the Web UI one cannot add a 2nd physical port (it calls its 10g's "portA" and "portB").

Fortifail. "The two 10G ports are located on different NPs and there is no internal switch fabric."

https://forum.fortinet.com/tm.aspx?m=128501

psydude
Apr 1, 2008

You get what you pay for.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Indeed. 10g firewalls aren't cheap and I'm fairly sure that these are the cheapest vendor solution.

All firewalls suck, some just suck more than others. We'll see what new and exciting way this one sucks once it's in production.

Partycat
Oct 25, 2004

Zero VGS posted:

Huh, I never even tried it before, but the Peplink does place a management IP on each of the VLANs already. I can get into it from 192.168.2.254 or 192.168.19.254 (last IP in the VLAN 16 subnet).

So, you're saying I should change the switch config to tag the Peplink's LAN port to VLAN 16, change "ip route 0.0.0.0 0.0.0.0 192.168.2.254" on the core switch to 192.168.19.254, change the Peplink's untagged VLAN (192.168.2.x) to VLAN 1, change its VLAN 16 (192.168.16.x) to untagged?

That makes sense I think, I can test it out. I guess since the Peplink does VLANs itself and does inter-VLAN routing, I could actually go and remove some of the VLANs from the switch config? I think the only VLANs we actually need are just PVID VLAN 16 (workstations) and 20 (IP phones) since we have 300+ of each and I want to keep that chatter contained, and the wifi has its own broadcast domains. Our 192.168.2 network is just a bunch of device management IPs and a file server that doesn't really get any use.

So I would assume that management IP is the gateway IP as this item is acting as a router. If I understand your configuration, you have VLAN 1 untagged on your core switch and that is where this thing is connected. Change its port to tag VLAN 1 and untag VLAN 16. Now where you may run into trouble is that this appliance may not let you configure VLAN 1 as tagged, which is what you'd have to do, to allow it to still act as the router for your servers on VLAN 1. If it doesn't, you could make that subnet VLAN 999 or whatever you want, and tag that from the core switch. Then create an untagged access port on that VLAN, and plug it into an untagged port on VLAN 1 on the switch (loop the switch to itself). Depending on the switch vendor you would have to disable CDP, LLDP, PVST, etc. so that the switch doesn't freak out since this is not standard, but that only matters if this appliance can't support tagging VLAN 1. You could also move your servers and things to a different VLAN ID and tag that instead of making a loop in the switch - whichever thing is going to be easier for you to do. That would be better.

Regarding that core switch, you would not want to move the default route for its traffic (assuming it is for the switch) to something else as you will not be able to manage the switch once you have done that. It won't know how to communicate with 192.168.19.254 assuming it is part of 192.168.2.0/24, without an interface on 128.205.19.0/24. Probably just leave that alone. Unless the switch is doing some sort of routing itself, but even still it would be pointless to hose around with its default routing. The switch's management will be part of a VLAN interface somewhere and it will get to the router on that VLAN regardless of whether it is tagged out or not.

If there are VLANs with no ports or that are tagged out to switches/devices that aren't using them then you could remove them, sure, but, it would be safer to check MAC tables, and follow out configs, to make sure that someone didn't set those up to create little HA networks for appliances or something.

ate shit on live tv
Feb 15, 2004

by Azathoth
Let's talk anycast, conceptually it's easy, but once you start hitting the big bad world of The Internet, things never work out the way they should. As far as I know, if you have several geographically dispersed PoPs you should advertise the same anycast blocks out of all locations and you should limit your advertisements to a small subset of large carriers. This creates an anycast 'backbone' while keeping the path to your services roughly consistent within a given region.

Now let's say I have a provider, like Internap, who has a presence in different parts of the world but they don't have a global backbone. We use communities to tell Internap to advertise to only two providers, GTT/Tinet and Cogent, and this works well for our services. Now because of politics and economics, if we wanted to move away from Internap we'd need to pick up a different carrier. We have Zayo as a non-anycast internet backup at all of our PoPs, and look, Zayo peers with both GTT and Cogent.

So if we want to migrate traffic from Internap to Zayo it should be a simple matter of ceasing to announce to Internap, starting to announce to Zayo, throwing some communities on there to restrict anycast advertisement to only GTT and Cogent, and after BGP propagates we should have a similar traffic profile. But alas, the change caused us to "lose" all of our AT&T traffic, as well as connectivity to numerous other small ISPs around the US. Additionally, a significant amount of traffic that should be west-coast destined ended up in Amsterdam.

Anyway, I haven't learned anything from all this, but for some reason several residential ISPs have issues getting to us through GTT and Cogent to Zayo to get to us, but are perfectly fine getting to us from GTT, Cogent through Internap to us.

CrazyLittle
Sep 11, 2001
Clapping Larry

Powercrazy posted:

Additionally, a significant amount of traffic that should be west-coast destined ended up in Amsterdam.

lol.

What're you using anycast for?


doomisland
Oct 5, 2004

Powercrazy posted:

Let's talk anycast, conceptually it's easy, but once you start hitting the big bad world of The Internet, things never work out the way they should. As far as I know, if you have several geographically dispersed PoPs you should advertise the same anycast blocks out of all locations and you should limit your advertisements to a small subset of large carriers. This creates an anycast 'backbone' while keeping the path to your services roughly consistent within a given region.

Now let's say I have a provider, like Internap, who has a presence in different parts of the world but they don't have a global backbone. We use communities to tell Internap to advertise to only two providers, GTT/Tinet and Cogent, and this works well for our services. Now because of politics and economics, if we wanted to move away from Internap we'd need to pick up a different carrier. We have Zayo as a non-anycast internet backup at all of our PoPs, and look, Zayo peers with both GTT and Cogent.

So if we want to migrate traffic from Internap to Zayo it should be a simple matter of ceasing to announce to Internap, starting to announce to Zayo, throwing some communities on there to restrict anycast advertisement to only GTT and Cogent, and after BGP propagates we should have a similar traffic profile. But alas, the change caused us to "lose" all of our AT&T traffic, as well as connectivity to numerous other small ISPs around the US. Additionally, a significant amount of traffic that should be west-coast destined ended up in Amsterdam.

Anyway, I haven't learned anything from all this, but for some reason several residential ISPs have issues getting to us through GTT and Cogent to Zayo to get to us, but are perfectly fine getting to us from GTT, Cogent through Internap to us.

They'll still pass it to anyone who is considered in their customer cone, who is then free to send it to everyone as well. It helps to use Catchpoint, ThousandEyes, RIPE Atlas, NLNOG RING or any other global monitoring service with enough diverse networks to troubleshoot anycast issues. Usually the latest hotness monitoring service uses cloud providers which all use the larger networks you're also using, making regional issues invisible to you unless you're really watching other metrics.

Have you done this with v6 or just v4?

doomisland fucked around with this message at 23:32 on Apr 21, 2016
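To make doomisland's customer-cone point concrete alongside Powercrazy's lost-AT&T experience, here is an added toy model of BGP propagation under valley-free (Gao-Rexford) export rules; it is not code from the thread or from any vendor. The AS names are the ones mentioned above, but every provider/customer and peer relationship in it is a constructed assumption (including the hypothetical `resi_isp` behind AT&T and Internap buying transit from GTT and Cogent), and the thread's only stated relationship, Zayo peering with both GTT and Cogent, is the one that drives the difference between the two scenarios.

```python
# Added toy model (not the thread's or any vendor's code): BGP propagation
# under valley-free (Gao-Rexford) export rules. AS names are the thread's;
# every relationship below is a constructed assumption, not real topology.
PROVIDERS = {                   # customer -> its transit providers (assumed)
    "origin": {"internap", "zayo"},
    "internap": {"gtt", "cogent"},
    "resi_isp": {"att"},        # hypothetical residential ISP behind AT&T
}
PEERS = {frozenset(p) for p in [    # settlement-free peerings (assumed;
    ("zayo", "gtt"), ("zayo", "cogent"),   # thread: "Zayo peers with both")
    ("gtt", "cogent"), ("gtt", "att"), ("cogent", "att")]}
PREF = {"customer": 0, "peer": 1, "provider": 2}   # local-pref order
def relationship(me, other):
    """How `me` classifies `other`; None if the two are not adjacent."""
    if me in PROVIDERS.get(other, ()):
        return "customer"
    if other in PROVIDERS.get(me, ()):
        return "provider"
    return "peer" if frozenset((me, other)) in PEERS else None
def neighbors(asn):
    every = set(PROVIDERS) | {p for v in PROVIDERS.values() for p in v}
    every |= {a for pair in PEERS for a in pair}
    return {n for n in every if n != asn and relationship(asn, n)}
def propagate(export_filter):
    """Return {asn: as_path} for every AS that ends up holding the route.
    export_filter[asn] lists the only neighbours asn may announce to (the
    thread's community restriction); all else is valley-free export plus
    customer > peer > provider, then shortest path, then lexical tie-break."""
    best = {"origin": ("origin",)}             # as_path, own ASN first
    rank = lambda p: (PREF[relationship(p[0], p[1])], len(p), p)
    changed = True
    while changed:
        changed = False
        for asn, path in list(best.items()):
            learned = relationship(asn, path[1]) if len(path) > 1 else "customer"
            for nb in neighbors(asn):
                if nb in path:                             # loop prevention
                    continue
                if asn in export_filter and nb not in export_filter[asn]:
                    continue
                # valley-free: peer/provider-learned routes go to customers only
                if learned != "customer" and relationship(asn, nb) != "customer":
                    continue
                cand = (nb,) + path
                if nb not in best or rank(cand) < rank(best[nb]):
                    best[nb], changed = cand, True
    return best
def announce_via(first_hop):
    """Thread's policy: one upstream, exporting only towards GTT and Cogent."""
    return propagate({"origin": {first_hop}, first_hop: {"gtt", "cogent"}})
```

With these assumed relationships, `announce_via("internap")` reaches AT&T and its customer because GTT and Cogent learned the block from a customer and so re-export it to their peers, while `announce_via("zayo")` does not, because a route learned from a peer is only passed down to customers; the restriction to two carriers never confined the prefix in either case, it only changed who those carriers would hand it to.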
