Ahdinko
Oct 27, 2007

WHAT A LOVELY DAY

Thirteenth Step posted:

I currently do 3rd line and some 2nd line support for a company and I'm looking to get my CCNA (again) when the V3 training materials are up.

Ideally, moving forwards, I'd like to move into a Cisco-only job and move away from end-user support. Is this a HUGELY unrealistic goal to have? I'm assuming that posters ITT have jobs that need day-to-day use of Cisco equipment and was wondering what sort of roles you all have, as I'm not too sure where to head next really.

Are Cisco and general support jobs usually tied together, or is it possible to get a Cisco support role without having to occasionally deal with plugging people's mice in for them?

It's not HUGELY unlikely, but I'd guess it's pretty unlikely. The jobs where you get more focused on a single technology are generally in a big business and the ones higher up the chain. Even then, in a small/medium business you have to help out where you can. I'm a Cisco network consultant in a small MSP; today I made a network design for a new customer, built 6 VPNs, advised some company on how to restore their AD servers after they got cryptolockered, fixed some weird routing issue between ASAs, and fixed a SIP trunk issue on a random Splicecom phone system that I've never seen or used before.


Thanks Ants
May 21, 2004

#essereFerrari


You can definitely move into an infrastructure role though and not have to deal with "halp my screen is dark" type requests. But yeah even a networking role is going to require a bit of knowledge of other areas because it touches everything.

ate shit on live tv
Feb 15, 2004

by Azathoth
Absolutely. Cisco only is unrealistic, but a "network engineering" job is quite possible.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
My last role was Cisco only, but it was highly niche - and I had to do a lot of non-Cisco networking over the course of my career to get to that point.

Filthy Lucre
Feb 27, 2006

Thirteenth Step posted:

support role without having to occasionally deal with plugging people's mice in for them.

There's no getting away from stupid; instead of plugging in people's mice for them you'll just get asked different but equally stupid questions.

Some of my favorites from supposedly "Senior" network technicians:

1) Do I need an SFP on both sides of the fiber?
2) The follow-up to 1: Does having an SFP on both ends double the bandwidth?
3) Does the wavelength of my SFPs have to match? (He was trying to make an 850nm short range multimode SFP work with a 1550nm long range single mode SFP)
3) Why won't it let me put in 192.168.1.1 for my gateway? (His IP was 10.1.x.x/24)
4) When I plug cables A and B from Switch1 into Switch2, why does my network go down? (He had disabled spanning tree and was creating a loop, hello broadcast storm!)
5) Why doesn't "deny ip host 192.168.1.100 any" work in this ACL? (The subnet for that interface was 10.1.x.x/24)

the spyder
Feb 18, 2011
What's the consensus on config backup tools? I have a multi-site environment with Dell/HP/Cisco gear. The last time I used RANCID, it required a ton of manual tweaking. I found Oxidized, but have not had time to set it up. Recommendations are welcome.

ElCondemn
Aug 7, 2005


the spyder posted:

What's the consensus on config backup tools? I have a multi-site environment with Dell/HP/Cisco gear. The last time I used RANCID, it required a ton of manual tweaking. I found Oxidized, but have not had time to set it up. Recommendations are welcome.

RANCID still works quite well for me, and we have HP, Cisco, Force10, Juniper (NetScreen & JunOS), F5, and NetScaler equipment. It all works pretty flawlessly, though I'm sure Oxidized works too. Is there a specific feature or issue you're having?

Thanks Ants
May 21, 2004

#essereFerrari


Sepist posted:

My last role was Cisco only, but it was highly niche - and I had to do a lot of non-Cisco networking over the course of my career to get to that point.

Networking with bitches?

Pendent
Nov 16, 2011

The bonds of blood transcend all others.
But no blood runs stronger than that of Sanguinius
Grimey Drawer
My last role was Cisco only, but it was this hellish call center thing and I would never go back. I'm currently working on a mix of Cisco, Mikrotik, a little HP, and Ubiquiti gear and am finding things much more interesting overall. A bit of flexibility can really pay off in this field.

Storysmith
Dec 31, 2006

ElCondemn posted:

RANCID still works quite well for me, and we have HP, Cisco, Force10, Juniper (NetScreen & JunOS), F5, and NetScaler equipment. It all works pretty flawlessly, though I'm sure Oxidized works too. Is there a specific feature or issue you're having?

We're using Rancid 2 with subversion instead of rcs (lol) across three datacenters, with each having a local box pulling config; there's a puppet module out there for managing your login credentials file and expressing the router.db as a yaml list, which means adding new equipment or rotating passwords isn't nearly as ad-hoc as it can be if you just have a random unmanaged box running it. It's working reasonably well for us to the point that a replacement would have to be Really Good to justify the time spent on switching to it.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Another RANCID user here. The comment about a ton of manual tweaking may depend on how your environment is set up.

We've got centralized auth with a specific account for it, and proper DNS. The RANCID config is auto-generated from Observium. This can be done with many other things; we're considering moving that part to Netdisco.

Both of those systems auto-discover everything via LLDP or OSPF neighbors. So just get a device online with proper config, and by the next day it automatically shows up in Observium, Netdisco, and RANCID (and other stuff such as Smokeping).

madsushi
Apr 19, 2009

Baller.
#essereFerrari
Everyone would replace RANCID if it didn't work so well. But it works really well. Took some tuning to get my A10s and my Cisco Nexus stuff on it, but it's been great other than that.

I did have one issue where a Nexus box was reporting two lines of config in a different order each time you ran 'show config', which was trashing my inbox, but I edited the RANCID script to sort that section (copying from another example where it does that).
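The "sort that section before diffing" trick madsushi describes, as an added example that is not code from the thread, from RANCID, or from Cisco. It is written in Python rather than RANCID's Perl so it runs stand-alone; the config captures are constructed, the device name is made up, and the choice of which section to sort (here, lines under "ip access-list") is an arbitrary assumption standing in for whatever section the device reorders:

```python
"""Normalize config captures before diffing (added example; not RANCID's own code).

Some devices emit the lines of a section in a different order on every
'show config'.  Sorting the child lines of just those sections before
diffing removes the noise while leaving genuine changes visible.
"""
import difflib
from typing import Iterable, List

# Constructed sample captures; not from a real device.
CAPTURE_OLD = """\
hostname lab-nexus-1
!
ip access-list MGMT-IN
  permit tcp 10.1.1.0/24 any eq 22
  permit udp 10.1.1.0/24 any eq snmp
!
interface Ethernet1/1
  description uplink to lab-nexus-2
  switchport mode trunk
"""

# Same config, but the two ACL entries came back in the opposite order.
CAPTURE_REORDERED = CAPTURE_OLD.replace(
    "  permit tcp 10.1.1.0/24 any eq 22\n  permit udp 10.1.1.0/24 any eq snmp\n",
    "  permit udp 10.1.1.0/24 any eq snmp\n  permit tcp 10.1.1.0/24 any eq 22\n",
)

# Reordered *and* someone added a new management source: a real change.
CAPTURE_CHANGED = CAPTURE_REORDERED.replace(
    "  permit tcp 10.1.1.0/24 any eq 22\n",
    "  permit tcp 10.1.1.0/24 any eq 22\n  permit tcp 10.1.2.0/24 any eq 22\n",
)


def normalize(config: str, sort_sections: Iterable[str] = ()) -> List[str]:
    """Return the config as a list of lines, with the indented child lines of
    every top-level line that starts with one of sort_sections sorted.
    All other lines keep the order the device printed them in."""
    prefixes = tuple(sort_sections)
    out: List[str] = []
    children: List[str] = []
    sorting = False

    def flush() -> None:
        nonlocal children
        out.extend(sorted(children) if sorting else children)
        children = []

    for line in config.splitlines():
        if line[:1].isspace():          # indented: belongs to the current section
            children.append(line)
            continue
        flush()                          # new top-level line: emit pending children
        sorting = line.startswith(prefixes)
        out.append(line)
    flush()
    return out


def config_diff(old: str, new: str, sort_sections: Iterable[str] = ()) -> List[str]:
    """Changed lines ('+'/'-') between two captures after normalization.
    An empty list means nothing really changed, so no notification is due."""
    a = normalize(old, sort_sections)
    b = normalize(new, sort_sections)
    return [
        line for line in difflib.unified_diff(a, b, "old", "new", n=0, lineterm="")
        if line[:1] in ("+", "-") and not line.startswith(("+++", "---"))
    ]


if __name__ == "__main__":
    print("raw diff of a reorder:   ", config_diff(CAPTURE_OLD, CAPTURE_REORDERED))
    print("sorted diff of a reorder:", config_diff(CAPTURE_OLD, CAPTURE_REORDERED, ["ip access-list"]))
    print("sorted diff of a change: ", config_diff(CAPTURE_OLD, CAPTURE_CHANGED, ["ip access-list"]))
```

Only the named sections are sorted, so ordering that does matter elsewhere (an ACL whose entry order is the policy, for instance) is still diffed as the device printed it; pick the sort list per platform rather than sorting everything.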

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer
I'm looking to go cheap on a NAC. I was looking at PacketFence, but I am not sure if it will really fit my needs. I have ~70 branch offices, which generally have an ISR and 1-2 layer 2 Cisco switches (2960, mostly). It looks as though it expects to be the default gateway for the remediation and discovery networks, which is not the case for me. Does anyone have any experience with this product, or possibly OpenNAC? Or something cool that I've never even heard about.

Docjowles
Apr 9, 2009

I'm about ready to flip out on Rackspace support. I've been trying to get a simple ipsec VPN tunnel set up to them for a week now. Every time they write me to say it's done, I try, and it fails to come up. I spend a bunch of time combing my config for errors and running debug mode. See nothing. Check back with Rackspace: "oh lol sorry did you say you wanted 10.2.2.0/24 tunneled? We just randomly entered some other network that was not mentioned anywhere in the ticket instead. u mad?" I'm on the third iteration of complete dumbass, non-sequitur errors with no end in sight.

How hard is it to copy and paste the subnets I give you into a loving terminal and hit enter?

madsushi
Apr 19, 2009

Baller.
#essereFerrari

Docjowles posted:

I'm about ready to flip out on Rackspace support. I've been trying to get a simple ipsec VPN tunnel set up to them for a week now. Every time they write me to say it's done, I try, and it fails to come up. I spend a bunch of time combing my config for errors and running debug mode. See nothing. Check back with Rackspace: "oh lol sorry did you say you wanted 10.2.2.0/24 tunneled? We just randomly entered some other network that was not mentioned anywhere in the ticket instead. u mad?" I'm on the third iteration of complete dumbass, non-sequitur errors with no end in sight.

How hard is it to copy and paste the subnets I give you into a loving terminal and hit enter?

Law 14 of Networking: Every VPN connection between two companies will fail until one side asks to see the other's firewall config so they can fix their mistakes.

Thanks Ants
May 21, 2004

#essereFerrari


madsushi posted:

Law 14 of Networking: Every VPN connection between two companies will fail until one side asks to see the other's firewall config so they can fix their mistakes.

Yup. One of our clients moved office and their new ISP set them up with a hosted firewall that they managed. Gave them the VPN config and the subnets on the other end, they built the tunnel and traffic only went one way.

It took two days of "look I can see what's happening here, no nothing is coming back" before they looked and went "oh lol we had a /16 static route that shouldn't have been there".

CrazyLittle
Sep 11, 2001

Clapping Larry

Filthy Lucre posted:

There's no getting away from stupid; instead of plugging in people's mice for them you'll just get asked different but equally stupid questions.

Some of my favorites from supposedly "Senior" network technicians:

1) Do I need an SFP on both sides of the fiber?
2) The follow-up to 1: Does having an SFP on both ends double the bandwidth?
3) Does the wavelength of my SFPs have to match? (He was trying to make an 850nm short range multimode SFP work with a 1550nm long range single mode SFP)
3) Why won't it let me put in 192.168.1.1 for my gateway? (His IP was 10.1.x.x/24)
4) When I plug cables A and B from Switch1 into Switch2, why does my network go down? (He had disabled spanning tree and was creating a loop, hello broadcast storm!)
5) Why doesn't "deny ip host 192.168.1.100 any" work in this ACL? (The subnet for that interface was 10.1.x.x/24)

I want to answer all of these in the most nitpicky obtuse way (but still semi-correct)

Thanks Ants
May 21, 2004

#essereFerrari


Let's go.

1. No, you could use a media converter with the correct specification for the fiber
2. If you use two pairs of bidirectional SFPs and a port channel protocol, yes

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k

Filthy Lucre posted:

There's no getting away from stupid; instead of plugging in people's mice for them you'll just get asked different but equally stupid questions.

Some of my favorites from supposedly "Senior" network technicians:

3) Why won't it let me put in 192.168.1.1 for my gateway? (His IP was 10.1.x.x/24)

Clearly his subnet mask is wrong, it should be 10.1.0.0/0 if he wants to use that as his gateway

Prescription Combs
Apr 20, 2005

Docjowles posted:

I'm about ready to flip out on Rackspace support. I've been trying to get a simple ipsec VPN tunnel set up to them for a week now. Every time they write me to say it's done, I try, and it fails to come up. I spend a bunch of time combing my config for errors and running debug mode. See nothing. Check back with Rackspace: "oh lol sorry did you say you wanted 10.2.2.0/24 tunneled? We just randomly entered some other network that was not mentioned anywhere in the ticket instead. u mad?" I'm on the third iteration of complete dumbass, non-sequitur errors with no end in sight.

How hard is it to copy and paste the subnets I give you into a loving terminal and hit enter?

Can you PM me the ticket number? I can take a look.

Prescription Combs
Apr 20, 2005
double post

ElCondemn
Aug 7, 2005


Anyone using policy-based VPNs with Azure? Anyone know when they stopped allowing multiple VPN connections to a VPN gateway for policy-based VPNs?

CrazyLittle
Sep 11, 2001

Clapping Larry

Thanks Ants posted:

Let's go.

1. No, you could use a media converter with the correct specification for the fiber
2. If you use two pairs of bidirectional SFPs and a port channel protocol, yes

curse you


3) Why won't it let me put in 192.168.1.1 for my gateway? (His IP was 10.1.x.x/24)
Oh, because you forgot to put the static arp entry in for 192.168.1.1 and then add the route from your CLI/shell

Docjowles
Apr 9, 2009

Prescription Combs posted:

Can you PM me the ticket number? I can take a look.

We finally got it working this morning, but I appreciate the offer. It turns out when I ask them to tunnel a /16, and they configure that as 255.255.255.0 on their side, the proposals don't match. Who would have thought :argh:
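The "/16 on our side, 255.255.255.0 on theirs, so the proposals don't match" failure above, turned into a check you can run against both ends' configured traffic selectors (proxy IDs) before opening a ticket. This is an added example, not code from the thread, Rackspace, or Cisco; the networks are constructed and the (local, remote) pair layout is an assumption about how each side writes its selectors:

```python
"""Check that both ends of an IPsec tunnel agree on the traffic selectors
(proxy IDs).  Added example, not Rackspace's or Cisco's code.

Each side configures (local network, remote network) pairs.  For the
phase-2 negotiation to succeed, every pair on one side must appear
mirrored on the other side as exactly the same networks; a /16 on one
end and a 255.255.255.0 mask on the other is a mismatch, not an overlap
that "mostly works".
"""
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]


def parse_net(text: str) -> Net:
    """Accept '10.2.0.0/16' or 'address mask' form ('10.2.0.0 255.255.0.0').
    strict=True makes a selector written with host bits set (a typo such as
    '10.2.2.5/24') raise ValueError instead of being silently accepted."""
    if " " in text.strip():
        addr, mask = text.split()
        return ipaddress.IPv4Network((addr, mask), strict=True)
    return ipaddress.IPv4Network(text, strict=True)


def selectors(side: List[Tuple[str, str]]) -> List[Pair]:
    """Turn one side's textual (local, remote) pairs into network objects."""
    return [(parse_net(local), parse_net(remote)) for local, remote in side]


def selector_mismatches(ours: List[Tuple[str, str]],
                        theirs: List[Tuple[str, str]]) -> List[str]:
    """Return one message per selector that the peer does not mirror exactly.
    An empty list means the proxy IDs line up."""
    mine = selectors(ours)
    # Mirror the peer's pairs so both lists are expressed from our point of view.
    peer = [(remote, local) for local, remote in selectors(theirs)]
    problems: List[str] = []
    for local, remote in mine:
        if (local, remote) in peer:
            continue
        near = [f"{pl}<->{pr}" for pl, pr in peer
                if pl.overlaps(local) and pr.overlaps(remote)]
        hint = f" (peer has overlapping but different selector {', '.join(near)})" if near else ""
        problems.append(f"peer does not mirror {local}<->{remote}{hint}")
    for local, remote in peer:
        if (local, remote) not in mine:
            problems.append(f"peer has extra selector {local}<->{remote} we never requested")
    return problems


# Constructed example modelled on the thread: we asked for our 10.2.0.0/16
# to be tunnelled to the provider's 192.0.2.0/24; the provider typed a /24.
OURS = [("10.2.0.0/16", "192.0.2.0/24")]
THEIRS_WRONG = [("192.0.2.0/24", "10.2.0.0 255.255.255.0")]
THEIRS_FIXED = [("192.0.2.0/24", "10.2.0.0 255.255.0.0")]

if __name__ == "__main__":
    for msg in selector_mismatches(OURS, THEIRS_WRONG):
        print("MISMATCH:", msg)
    print("after fix:", selector_mismatches(OURS, THEIRS_FIXED) or "selectors match")
```

The overlap hint is what makes the /16 versus /24 case obvious at a glance: the peer's selector is inside ours, which is exactly the situation where the tunnel looks "almost right" in a ticket reply but the proxy IDs will never match.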

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE

Filthy Lucre posted:

There's no getting away from stupid; instead of plugging in people's mice for them you'll just get asked different but equally stupid questions.

Some of my favorites from supposedly "Senior" network technicians:

1) Do I need an SFP on both sides of the fiber?
2) The follow-up to 1: Does having an SFP on both ends double the bandwidth?
3) Does the wavelength of my SFPs have to match? (He was trying to make an 850nm short range multimode SFP work with a 1550nm long range single mode SFP)
3) Why won't it let me put in 192.168.1.1 for my gateway? (His IP was 10.1.x.x/24)
4) When I plug cables A and B from Switch1 into Switch2, why does my network go down? (He had disabled spanning tree and was creating a loop, hello broadcast storm!)
5) Why doesn't "deny ip host 192.168.1.100 any" work in this ACL? (The subnet for that interface was 10.1.x.x/24)

1) Nope, WS-X6408A-GB
2) Yes, 1000BASE-BX10-D
3) Nope, 1000BASE-BX10-D on one strand and 1000BASE-BX10-U on the other

ragzilla
Sep 9, 2005
don't ask me, i only work here


FatCow posted:

3) Nope, 1000BASE-BX10-D on one strand and 1000BASE-BX10-U on the other

The example of SR to ZR won't work though, or shouldn't. The APD receiver in the ZR isn't sensitive down to 850, and the PIN receiver in the SR isn't sensitive up to 1310 let alone 1550. However LR to ZR usually works.

Prescription Combs
Apr 20, 2005

Docjowles posted:

We finally got it working this morning, but I appreciate the offer. It turns out when I ask them to tunnel a /16, and they configure that as 255.255.255.0 on their side, the proposals don't match. Who would have thought :argh:

Sounds like you're dealing with the U.S. business unit. :sigh: It's a real crapshoot over there.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

adorai posted:

I'm looking to go cheap on a NAC. I was looking at PacketFence, but I am not sure if it will really fit my needs. I have ~70 branch offices, which generally have an ISR and 1-2 layer 2 Cisco switches (2960, mostly). It looks as though it expects to be the default gateway for the remediation and discovery networks, which is not the case for me. Does anyone have any experience with this product, or possibly OpenNAC? Or something cool that I've never even heard about.

Anyone have any comments on this?

psydude
Apr 1, 2008

adorai posted:

Anyone have any comments on this?

Stop being a cheap rear end and drop the money on ISE. We work with dozens of customers who've tried the NPS or opennac route for 802.1X only to break down and order ISE from us. It's not even that expensive if you don't need to license more than a couple thousand endpoints.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

psydude posted:

Stop being a cheap rear end and drop the money on ISE. We work with dozens of customers who've tried the NPS or opennac route for 802.1X only to break down and order ISE from us. It's not even that expensive if you don't need to license more than a couple thousand endpoints.

Define not that expensive. I have roughly 2000 endpoints.

psydude
Apr 1, 2008

adorai posted:

Define not that expensive. I have roughly 2000 endpoints.

I was actually looking at a BOM with a 3000 endpoint license on it the other day, although I can't find it right now. If my memory serves me correctly, it's less than 10 grand, although I'll check tomorrow just to be sure.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
CCW's list price on L-ISE-BSE-2500= is 11k, so any gold partner can probably get it to you for 5k. You also need the VM licenses at about 4k list per server, and the admin license at 4k list price. Those are all perpetual licenses.

2k endpoints is pretty small; you could run Admin/Monitoring/Policy on 1 server, so you're looking at about 9k all-in or 11k with a redundant server.

edit: Also what's your address so I can send you the bill on this pre-sales work :)

Sepist fucked around with this message at 15:49 on Sep 29, 2016

the spyder
Feb 18, 2011
On a level of 1-10, how screwed am I? I just inherited an MDS 9509 that's been sitting unmanaged for god knows how long. Both sups won't respond to Telnet, and even with console access the login I have does not work. I'm going to try this tomorrow, but I'm not sure if I want to touch it since otherwise it's working.
http://www.cisco.com/c/en/us/support/docs/storage-networking/mds-9000-series-multilayer-switches/29441-8.html

Methanar
Sep 26, 2013

by the sex ghost
Are there any authoritative resources for practically learning BGP?

I'm going to be spending a fair bit of time figuring out how to handle DDoSes, load balancing, traffic shaping and so on, multihomed with 4 providers with an awful lot of bandwidth.

My understanding is the blunt way of weighting certain links higher than others is AS-path prepending your advertisements to different peers. You can also break a /24 into a /26 for more granular control.

router bgp 65123
 neighbor 11.1.1.1 route-map prepend out
!
route-map prepend permit 10
 set as-path prepend 65123 65123

and

router bgp 65123
 network 10.10.10.0 mask 255.255.255.192
 neighbor 11.1.1.1 route-map prepend2 out
!
! wildcard 0.0.0.63 covers the /26 (0.0.0.192 is not a valid /26 wildcard)
access-list 13 permit 10.10.10.0 0.0.0.63
!
route-map prepend2 permit 10
 match ip address 13
 set as-path prepend 65123 65123 65123
! without this second entry the route-map's implicit deny would stop every other prefix being advertised
route-map prepend2 permit 20
!
! neighbour 11.1.1.1 thinks getting to 10.10.10.0/26 this way takes forever.

That's cool, but I don't actually understand all of the consequences of doing so. How can I use this to help mitigate DDoSes in-band without resorting to escalating to my ISP? If all 4 of my WAN links have the same bandwidth, why would I even want to influence traffic to prefer certain links over others? I guess I could have different internal services use different WAN links, but even then why; why not just let BGP figure out what's best on its own? I have so many questions, and while Google can give me the commands, I don't know the real architectural reasons for making these choices.
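What the two knobs in the post above actually do to a remote network's choice of path, as an added example (not code from the thread, Cisco, or any BGP implementation). It is a toy model: only AS-path length decides between routes, so local-preference, MED, origin and the rest of the decision process are deliberately left out, and the AS numbers, provider names and hosts are constructed. Two things the model makes visible that the config alone does not: prepending only shapes traffic coming in toward you (what the other side chooses is set by its own local preference on the routes it receives from each provider), and the /26 wins for its hosts by longest-prefix match no matter how long its AS path is, though in practice most networks drop prefixes longer than /24 from the global table, so a /26 mostly only steers the directly connected providers that accept it:

```python
"""How AS-path prepending and de-aggregation change the path a remote AS
picks.  Added example (not from the thread or from Cisco); it is a toy model
that uses only AS-path length, so local-preference, MED, origin and the other
BGP tie-breakers are deliberately left out.
"""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
# (prefix, AS path as received, name of the upstream it was learned from)
Route = Tuple[Net, Tuple[int, ...], str]


def best_path(received: List[Route]) -> Dict[Net, Route]:
    """One best route per prefix: shortest AS path wins, first seen breaks ties."""
    best: Dict[Net, Route] = {}
    for route in received:
        prefix, as_path, _ = route
        current = best.get(prefix)
        if current is None or len(as_path) < len(current[1]):
            best[prefix] = route
    return best


def lookup(rib: Dict[Net, Route], dst: str) -> Route:
    """Forwarding lookup: longest matching prefix wins regardless of AS path."""
    ip = ipaddress.IPv4Address(dst)
    matches = [route for prefix, route in rib.items() if ip in prefix]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda route: route[0].prefixlen)


def as_path_via(upstream_as: int, origin_as: int, prepends: int) -> Tuple[int, ...]:
    """AS path a remote AS sees for a prefix originated by origin_as, announced
    to upstream_as with 'set as-path prepend' repeating origin_as `prepends` times."""
    return (upstream_as,) + (origin_as,) * (1 + prepends)


def scenario() -> Dict[str, str]:
    """Constructed topology (hypothetical AS numbers and addresses):
    AS 65123 (us) announces 10.10.10.0/24 to provider A (AS 64501) unchanged
    and to provider B (AS 64502) with three prepends, as in the prepend2
    route-map, and additionally announces the more specific 10.10.10.0/26
    to B only.  Returns which provider a remote AS would use for two hosts."""
    us, prov_a, prov_b = 65123, 64501, 64502
    received: List[Route] = [
        (Net("10.10.10.0/24"), as_path_via(prov_a, us, 0), "A"),
        (Net("10.10.10.0/24"), as_path_via(prov_b, us, 3), "B"),
        (Net("10.10.10.0/26"), as_path_via(prov_b, us, 0), "B"),
    ]
    rib = best_path(received)
    return {host: lookup(rib, host)[2] for host in ("10.10.10.5", "10.10.10.200")}


if __name__ == "__main__":
    for host, via in scenario().items():
        print(f"remote AS reaches {host} via provider {via}")
```

Run it and the /24 lands on provider A because B's path is three ASes longer, while 10.10.10.5 still comes in over B because the /26 is the longer match; that is the whole mechanism, and also why de-aggregating to shift a DDoS onto one link only helps if the networks sending the traffic actually carry the longer prefix.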

tortilla_chip
Jun 13, 2007

k-partite
https://www.nanog.org/meetings/nanog50/presentations/Sunday/NANOG50.Talk33.NANOG50-BGP-Techniques.pdf

Bigass Moth
Mar 6, 2004

I joined the #RXT REVOLUTION.
:boom:
he knows...

the spyder posted:

On a level of 1-10, how screwed am I? I just inherited an MDS 9509 that's been sitting unmanaged for god knows how long. Both sups won't respond to Telnet, and even with console access the login I have does not work. I'm going to try this tomorrow, but I'm not sure if I want to touch it since otherwise it's working.
http://www.cisco.com/c/en/us/support/docs/storage-networking/mds-9000-series-multilayer-switches/29441-8.html

You should be OK with password recovery as long as your employer understands there may be downtime while you do the recovery, and maybe more if that old pos doesn't boot back up.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
Do any of you run vPC in your core and test a failover scenario? I was doing some work last night and shut down the primary vPC peer, which caused the VoIP phones to go into their registration cycle for a moment. I never deploy vPC because I'm all about the physical separation of redundancy, but it was done by a consultant so I have to deal with it. Isn't the whole point of vPC so this poo poo doesn't happen?

Edit: Nexus 56128, I know the 7k's handle vPC like a dog but the 5k is supposed to be p good

single-mode fiber
Dec 30, 2012

We have it on 7Ks acting as collapsed core and did not have any trouble with failover. I think one or two pings from workstations to Level 3 were lost, but phones certainly never lost enough heartbeats to go into SRST.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
Are you using FEX's on your 7k's? Apparently it was a 4-minute full outage but the onsite guy failed to tell me that. They have tested this successfully in the past but they have added FEX since that test. I know the 7k locks up during dual-homed FEX sync, not sure if the 5k does. I hope not.

Edit: Turns out they forgot to run a second trunk cable so they lost all access when the one carrying all the traffic was powered off. Finally, not a cisco bug :toot:

Sepist fucked around with this message at 16:36 on Oct 5, 2016


madsushi
Apr 19, 2009

Baller.
#essereFerrari

Methanar posted:

Are there any authoritative resources for practically learning BGP?

That's cool, but I don't actually understand all of the consequences of doing so. How can I use this to help mitigate DDoSes in-band without resorting to escalating to my ISP? If all 4 of my WAN links have the same bandwidth, why would I even want to influence traffic to prefer certain links over others? I guess I could have different internal services use different WAN links, but even then why; why not just let BGP figure out what's best on its own? I have so many questions, and while Google can give me the commands, I don't know the real architectural reasons for making these choices.

The two best BGP books imo:

https://www.amazon.com/gp/product/0201379511/ref=oh_aui_search_detailpage?ie=UTF8&psc=1

and

https://www.amazon.com/gp/product/157870233X/ref=oh_aui_search_detailpage?ie=UTF8&psc=1
