|
I rolled out IPv6 in the lab at my last company. It's not too hard to do with private addressing because you can basically follow a normal IPv4 address format once you've decided on your /64. If you're using public addressing (which you should in a production network), then it gets a little more confusing.
|
# ? Sep 14, 2017 00:58 |
|
I'm definitely wanting to head down the path of our ISP sponsoring a PI assignment of IPv6 space when we finally get rid of our current shitshow connectivity provider. I assume that's what most places do if they don't have their own AS already.
|
# ? Sep 14, 2017 01:06 |
|
Well, whether or not you have your own AS is sort of a moot point. Your ISP is assigning you your own /48, which you will use for your entire enterprise, without NAT. They'll advertise the prefix globally just like they would if they gave you your own /24 for public-facing services under IPv4. You'd run BGP For the same reasons you would under IPv4, so if you don't have a need for that sort of redundancy now, you won't under IPv6, either.
|
# ? Sep 14, 2017 02:32 |
|
Thanks Ants posted:
I'm definitely wanting to head down the path of our ISP sponsoring a PI assignment of IPv6 space when we finally get rid of our current shitshow connectivity provider. I assume that's what most places do if they don't have their own AS already.

I think it would be a mistake to not just get your own AS for IPv6. However, I also look forward to the year 2027 when IPv6 is still only in use by limited entities and wars are fought over IPv4 assignments instead of oil.
|
# ? Sep 14, 2017 02:34 |
|
I would just get your own v6 address space and not use an ISPs at this point. A /48 per site at minimum depending on what you're doing. If you have customer crap and then your own crap its easy to also request those each be their own routable prefix so you can easily get something bigger per site allocated.
|
# ? Sep 14, 2017 04:39 |
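The posts above disagree on whether to take a /48 for the whole enterprise or a /48 per site, and the first post notes that a public (NAT-free) plan is where people get confused. The script below is an added example, not code from any poster: it carves an assigned prefix into per-site blocks and per-VLAN /64s with the Python standard library, checks the plan for overlaps, and classifies the prefix as ULA (RFC 4193 private space, which must never be advertised upstream) or global unicast (where every /64 is reachable from the Internet unless the firewall says otherwise, since there is no NAT to hide hosts). The enterprise prefix, site names and VLAN ids are constructed inputs; 2001:db8::/32 is the documentation range standing in for whatever the RIR or ISP actually assigns.

```python
import ipaddress

# Constructed input: 2001:db8::/32 is the documentation range (RFC 3849),
# standing in for the /48 an ISP or RIR would actually assign.
ENTERPRISE_PREFIX = "2001:db8:1234::/48"
SITES = ["hq", "dc", "branch-01", "branch-02"]
VLAN_IDS = range(1, 9)  # eight subnets per site, matching the branch example later in the thread

ULA = ipaddress.IPv6Network("fc00::/7")   # RFC 4193 unique local addresses
GUA = ipaddress.IPv6Network("2000::/3")   # global unicast


def classify(prefix):
    """'ULA' for RFC 4193 space, 'GUA' for global unicast, else 'other'.
    A ULA plan must not leak into upstream BGP; a GUA plan has no NAT in front
    of it, so the per-site/per-VLAN list below doubles as the firewall's
    inventory of what is exposed."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.subnet_of(ULA):
        return "ULA"
    if net.subnet_of(GUA):
        return "GUA"
    return "other"


def carve(parent, new_prefixlen, count):
    """First `count` subnets of length /new_prefixlen inside parent, in order."""
    parent = ipaddress.IPv6Network(parent)
    if new_prefixlen <= parent.prefixlen:
        raise ValueError(f"/{new_prefixlen} does not fit inside {parent}")
    capacity = 2 ** (new_prefixlen - parent.prefixlen)
    if count > capacity:
        raise ValueError(f"{parent} holds only {capacity} /{new_prefixlen}s, {count} requested")
    subnets = parent.subnets(new_prefix=new_prefixlen)
    return [next(subnets) for _ in range(count)]


def site_plan(enterprise_prefix, sites, site_len=56, vlan_ids=VLAN_IDS):
    """One /site_len per site and one /64 per VLAN inside it. The VLAN id is
    used as the /64 index, so 2001:db8:1234:108::/64 reads as site 0x01,
    VLAN 8, which keeps ACLs and log entries self-describing."""
    if site_len > 64:
        raise ValueError("site prefix must leave room for /64 VLAN subnets")
    if max(vlan_ids) >= 2 ** (64 - site_len):
        raise ValueError(f"VLAN ids do not fit in a /{site_len}")
    plan = {}
    for name, site in zip(sites, carve(enterprise_prefix, site_len, len(sites))):
        base = int(site.network_address)
        vlans = {vid: ipaddress.IPv6Network((base + (vid << 64), 64)) for vid in vlan_ids}
        plan[name] = {"site": site, "vlans": vlans}
    return plan


def overlaps(plan):
    """Pairs of VLAN subnets anywhere in the plan that overlap; expected empty."""
    nets = [v for entry in plan.values() for v in entry["vlans"].values()]
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    print("prefix type:", classify(ENTERPRISE_PREFIX))
    plan = site_plan(ENTERPRISE_PREFIX, SITES)
    for name, entry in plan.items():
        print(f"{name:<10} {entry['site']}  VLAN 8 -> {entry['vlans'][8]}")
    print("overlaps:", overlaps(plan))
```

Switching to a /48 per site, as the post above suggests, means the parent must be shorter than /48; `carve` refuses a /48 inside a /48 rather than silently handing out the same block twice, which is the failure that produces two sites sharing a prefix.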
|
psydude posted:
Well, whether or not you have your own AS is sort of a moot point. Your ISP is assigning you your own /48, which you will use for your entire enterprise, without NAT. They'll advertise the prefix globally just like they would if they gave you your own /24 for public-facing services under IPv4. You'd run BGP for the same reasons you would under IPv4, so if you don't have a need for that sort of redundancy now, you won't under IPv6, either.

It was more to be able to change ISP in the future without having to readdress the internal network.
|
# ? Sep 14, 2017 12:32 |
|
Thanks Ants posted:
I'm definitely wanting to head down the path of our ISP sponsoring a PI assignment of IPv6 space when we finally get rid of our current shitshow connectivity provider. I assume that's what most places do if they don't have their own AS already.

Tell ARIN you're planning on bringing in multiple upstream providers and get your own space. Anyone can get an AS.
|
# ? Sep 14, 2017 15:26 |
|
Then definitely get your own space.
|
# ? Sep 14, 2017 15:26 |
|
The fees aren't exactly outrageous https://www.arin.net/fees/fee_schedule.html#asns
|
# ? Sep 14, 2017 15:37 |
|
We'd be going through RIPE, they seem to have a slightly different way to deal with it: https://www.ripe.net/publications/docs/ripe-684#IPv6_PI_Assignments
|
# ? Sep 14, 2017 16:30 |
|
tortilla_chip posted:
The fees aren't exactly outrageous

poo poo, I should get my own ASN for my house.
|
# ? Sep 14, 2017 18:35 |
|
Ok, this might be a dumb dumb question, but here goes. We've got a few Cisco SG200 switches which have a mystery issue of the CPU getting maxed out and then staying that way. After doing a bunch of different tests we can't narrow it down to what's causing it, particularly as two of us share one of these affected switches, so there should barely be any traffic going through it; the only thing I can see is that this possibly happens over the weekend. Now, they aren't fantastic, as there is minimal remote management, and once the CPU gets maxed out the only fix is a hard reboot. Plus I've not long been here, so saying "Buy better switches" doesn't have much clout. I've left a remote log server running which hasn't collected anything of worth, and surprisingly there is no network monitoring in place, so that would be my next stop. Beyond that, the firmware is all up to date.
|
# ? Sep 18, 2017 14:30 |
|
1. Cisco Small Business switches are poo poo
2. Does it stop if you start unplugging cables? Might be an STP issue.
|
# ? Sep 18, 2017 14:33 |
|
Thanks Ants posted:
1. Cisco Small Business switches are poo poo

Second.

Super Slash posted:
Ok this might be a dumb dumb question but here goes;

Are they under support? If yes, then open a case with Cisco so you can have them tell you that yes, your switches are poo poo. Makes it much easier to convince managers when vendors say so. Or who knows, they may fix your poo poo and everything will be fine forever! Alternatively, start cozying up to your local Cisco VAR and get them to loan you some proper Catalysts for demonstration purposes.
|
# ? Sep 18, 2017 16:19 |
|
Do you all have a recommended resource if I want to learn BGP and OSPF to an intermediate level? Just grab the highest rated CCNP ROUTE book, or is there something more focused and/or vendor neutral? I see some O'Reilly books on one protocol or the other, but they're from like 2002. I realize these are foundational protocols that haven't changed much. But are those books still fine?
|
# ? Sep 22, 2017 03:24 |
|
For BGP you can start with Internet Routing Architectures. While it is a bit dated, the core portions relating to BGP path selection still apply. Phillip Smith's presentations on BGP for service providers are also really helpful for scaling. "OSPF and IS-IS" is a great book for getting the basics of OSPF. The NRS-II study guide also has a really good section on OSPFv2 and v3. For either protocol, https://www.ciscolive365.com has some good presentations on the latest protocol extensions that are being implemented (BGP-ORR, OSPF multiarea on an interface, etc.).
# ? Sep 22, 2017 14:29 |
|
Docjowles posted:
Do you all have a recommended resource if I want to learn BGP and OSPF to an intermediate level? Just grab the highest rated CCNP ROUTE book, or is there something more focused and/or vendor neutral? I see some O'Reilly books on one protocol or the other, but they're from like 2002. I realize these are foundational protocols that haven't changed much. But are those books still fine?

I'm not so much in that world anymore, as I've moved over to focus on security, but I don't believe things have progressed much. Virtually all of the projects I work on that involve BGP or OSPF are relying on knowledge and design philosophies that remain largely unchanged. The only big thing that jumps out to me is IOS BGP4 address-family configurations, which I don't believe showed up until some time in the mid 2000s (does that sound right?).
|
# ? Sep 22, 2017 14:31 |
|
Docjowles posted:
Do you all have a recommended resource if I want to learn BGP and OSPF to an intermediate level? Just grab the highest rated CCNP ROUTE book, or is there something more focused and/or vendor neutral? I see some O'Reilly books on one protocol or the other, but they're from like 2002. I realize these are foundational protocols that haven't changed much. But are those books still fine?

There are three books that will teach you almost everything you need to know about BGP. They're all still great. If they mention something like "this is a new thing that's rolling out", it's been out forever and assumed standard.

Book #1 - Halabi / Cisco
tortilla_chip posted:
For BGP you can start with Internet Routing Architectures. While it is a bit dated, the core portions relating to BGP path selection still apply.

Book #2 - Stewart / Juniper
BGP4: Inter-Domain Routing in the Internet

Book #3 - Norton
Internet Peering Playbook (most of this content is available for free at drpeering.net as well....)

Halabi and Stewart will teach you about the protocols. Norton will teach you about how the internet ACTUALLY works. It's got a lot of the juicy details about peering, PNI, transit, etc. that tell you about the actual business side and how agreements are made behind the scenes. If you've never run BGP between companies before, it'll be helpful.
|
# ? Sep 22, 2017 16:45 |
|
Does anyone have any experience with Cisco Umbrella compared to Cisco Web Security? Seems Umbrella does everything CWS did, but better.
|
# ? Sep 22, 2017 17:35 |
|
Docjowles posted:
Do you all have a recommended resource if I want to learn BGP and OSPF to an intermediate level? Just grab the highest rated CCNP ROUTE book, or is there something more focused and/or vendor neutral? I see some O'Reilly books on one protocol or the other, but they're from like 2002. I realize these are foundational protocols that haven't changed much. But are those books still fine?

One of the best books that has been updated as things have progressed is Routing TCP/IP: https://www.amazon.com/Routing-TCP-IP-1-2nd/dp/1587052024

Covers everything routing, including OSPF and BGP. If you understand the concepts in that book you will understand pretty much every new "overlay network" that has come out since.
|
# ? Sep 22, 2017 17:43 |
|
Cisco's e-Learning is astoundingly good for learning routing. Get the ROUTE course and don't look back. It has interactive labs, videos, and graphics along the way. The other e-Learning is meh, but the R&S courses are so good. https://learningnetworkstore.cisco.com/on-demand-e-learning
|
# ? Sep 22, 2017 18:31 |
|
Check out dn42 if you want to connect your lab up to an operating BGP overlay network with ~200 connected ASes. It was designed to mimic the architecture of the Internet as a sandbox for tinkering and experimentation, and is run over all kinds of VPN tunnels.
|
# ? Sep 22, 2017 18:50 |
|
GreenNight posted:
Does anyone have any experience with Cisco Umbrella compared to Cisco Web Security? Seems Umbrella does everything CWS did, but better.

When I looked, the Umbrella agent didn't support IPv6. Which seems like a pretty lovely oversight from a networking company.
|
# ? Sep 22, 2017 20:19 |
|
Thanks everyone! I ordered the Halabi book to start.
|
# ? Sep 23, 2017 01:35 |
|
To jump off of the routing protocol discussion: if you were deploying a new network today, with the following facts, which routing protocol would you choose?

1) 60 branch locations
2) 8 IP subnets per location
3) approximately 20 locations with secondary WAN links (DSL or cable)
4) most locations have a layer two metro ethernet WAN

This is my network today, and we use OSPF for nearly all locations. A few are MPLS over ethernet and I have to use BGP there, but those are being migrated to standard metro ethernet in about 1 month. I have no other constraints other than I prefer open protocols supported by more or less every vendor.
|
# ? Sep 24, 2017 01:32 |
|
RIP, of course.

OSPF is about as open and commonly supported as it gets. If you're primarily Cisco I'd use DMVPN for the secondary WAN links, or just straight IPsec VTI if you want to be super vendor neutral. Consider BFD if you want faster reconvergence. Also, if you're doing a greenfield or side-by-side replacement, now is the best time to deploy IPv6 if you haven't already, even if only on the backbone to start with.
# ? Sep 24, 2017 02:30 |
|
I'd probably use OSPF because it's supported across vendors, has a faster convergence time than BGP, and is more likely to be in the skill set of new employees. Most customers that I've worked with who had larger networks chose it for that reason and then rolled out BGP as needed, but relied on OSPF for all interior routing.
# ? Sep 24, 2017 14:49 |
|
adorai posted:
to jump off of the routing protocol discussion, if you were deploying a new network today, with the following facts, which routing protocol would you choose?

I would go with iBGP with route reflectors in 2 DCs or DC/primary site. I've dealt with enough OSPF intra-area path manipulation issues to know to stay away from it at scale. BGP offers so much more flexibility. I think OSPF is fine for simple deployments, of course; it's my go-to protocol for all of our SMB clients.
|
# ? Sep 25, 2017 14:29 |
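The "flexibility" the post above credits to BGP comes from its decision process: local preference and MED are policy knobs that sit above or below AS path length in a fixed order, which is the part of Halabi's book the earlier post says still applies. The following is an added example, not code from any poster or from the books named in the thread. It models that decision process in Python in the order documented for IOS (weight and path age left out), applies the RFC 4271 loop check that drops any path already carrying your own ASN, and runs it over constructed sample paths. One of the sample cases is the reason a pure path-selection model is not enough on its own: a shorter AS_PATH from an unexpected neighbour beats the legitimate longer one at the same local preference, so prefix filters or origin validation have to reject it before selection ever sees it. The `Path` field names and the sample ASNs and router IDs are this example's own.

```python
from dataclasses import dataclass
from functools import reduce
import ipaddress

# Origin codes: IGP < EGP < INCOMPLETE, lower rank preferred.
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class Path:
    """One received path for a single prefix. Field names are this example's own."""
    peer: str
    as_path: list          # neighbouring AS first, originating AS last
    router_id: str         # BGP identifier of the advertising router
    local_pref: int = 100
    origin: str = "igp"
    med: int = 0
    source: str = "ebgp"   # "ebgp" or "ibgp"
    igp_metric: int = 0    # IGP cost to reach the BGP next hop


def accept(path, my_asn):
    """RFC 4271 loop detection: discard any path that already carries our ASN."""
    return my_asn not in path.as_path


def better(a, b):
    """Return the preferred of two paths, walking the decision steps in order:
    higher local_pref, shorter AS_PATH, lower origin code, lower MED (compared
    only between paths from the same neighbouring AS, the default), eBGP over
    iBGP, lower IGP metric to the next hop, then lowest router ID as the
    deterministic tie-break. Weight (Cisco-specific) and path age are omitted."""
    if a.local_pref != b.local_pref:
        return a if a.local_pref > b.local_pref else b
    if len(a.as_path) != len(b.as_path):
        return a if len(a.as_path) < len(b.as_path) else b
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b
    if a.as_path[:1] == b.as_path[:1] and a.med != b.med:
        return a if a.med < b.med else b
    if a.source != b.source:
        return a if a.source == "ebgp" else b
    if a.igp_metric != b.igp_metric:
        return a if a.igp_metric < b.igp_metric else b

    def rid(p):
        return int(ipaddress.IPv4Address(p.router_id))

    return a if rid(a) <= rid(b) else b


def best_path(paths, my_asn):
    """Best path among the accepted candidates, or None if nothing survives."""
    candidates = [p for p in paths if accept(p, my_asn)]
    return reduce(better, candidates) if candidates else None


# Constructed sample: four peers advertising the same prefix to AS 64512.
MY_ASN = 64512
SAMPLE = [
    Path("peer-a", [64500, 64510], "192.0.2.1"),
    Path("peer-b", [64501, 64510, 64520], "192.0.2.2", local_pref=200),
    Path("peer-c", [64502, 64510], "192.0.2.3", med=50),
    Path("peer-x", [64503, 64512, 64510], "192.0.2.9"),  # carries our own ASN
]
# A constructed "hijack": the same prefix originated one hop away, at default
# local_pref, which out-ranks peer-a purely on AS_PATH length.
HIJACK = Path("peer-h", [64666], "192.0.2.6")

if __name__ == "__main__":
    print("best of sample:", best_path(SAMPLE, MY_ASN).peer)
    legit_only = [p for p in SAMPLE if p.peer != "peer-b"]
    print("without peer-b:", best_path(legit_only, MY_ASN).peer)
    print("peer-a vs hijack:", best_path([SAMPLE[0], HIJACK], MY_ASN).peer)
```

Because MED is only compared between paths from the same neighbouring AS, pairwise reduction over a mixed set is not always order-independent; real implementations group paths by neighbouring AS before the MED step or offer an "always compare MED" knob, and the lowest-router-ID rule at the end is what keeps the outcome deterministic once everything else is equal.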
|
I've got 7 remote sites, 2+ vlans per site, all hub and spoke to my primary. There is no routing protocol in place, just a default gateway to a catalyst layer 3 core that uses local routes to direct traffic. It works I guess and is dead simple. I'd love to implement ospf but with pure hub and spoke I can't think of a justifiable reason to make the change. Either way if the core goes offline our entire network goes with it. Is there another reason for ospf without a mesh network?
|
# ? Sep 25, 2017 15:49 |
|
Judge Schnoopy posted:
I've got 7 remote sites, 2+ vlans per site, all hub and spoke to my primary. There is no routing protocol in place, just a default gateway to a catalyst layer 3 core that uses local routes to direct traffic.

Flexibility with mobility, could make it easier to deploy new things, makes troubleshooting some things easier, and if nothing else, good practice and resume/interview fodder.
|
# ? Sep 25, 2017 16:18 |
|
Judge Schnoopy posted:
I've got 7 remote sites, 2+ vlans per site, all hub and spoke to my primary. There is no routing protocol in place, just a default gateway to a catalyst layer 3 core that uses local routes to direct traffic.

If you wanted to have WAN and Internet connections at each site to allow you to use cheaper broadband connections for all non-corporate traffic, then you'd need a way to advertise the routes out to those branch sites. Since there's only one way out of each site in your example, you don't really gain anything.
|
# ? Sep 25, 2017 16:19 |
|
Anyone ever run in to link flapping with nexus vPCs to a pair of SRX1400's in link agg before? Only one of the SRX units to the pair of routers is getting the errors/link flaps. code:
|
# ? Sep 26, 2017 03:02 |
|
Has anybody got a working example of the mDNS gateway on an Aruba (HP Procurve) switch? I have the default set to permit in/out which works fine, but I'd like to filter it down a bit to remove some unnecessary services from certain VLANs. As soon as I configure a filter it seems to stop everything, and the routing guide is very light on details.
|
# ? Sep 29, 2017 17:05 |
|
Prescription Combs posted:
Anyone ever run in to link flapping with nexus vPCs to a pair of SRX1400's in link agg before? Only one of the SRX units to the pair of routers is getting the errors/link flaps.

Are you trying to run LACP between both SRX1400 firewalls? Because SRX reth interfaces do not support LACP between chassis members, since chassis cluster is simply active/passive and uses gARP for failover. If you're trying to run LACP towards the same SRX, though, that is supported; handy guide below: https://kb.juniper.net/InfoCenter/index?page=content&id=KB22474
|
# ? Oct 2, 2017 01:44 |
|
hanyolo posted:
Are you trying to run LACP between both SRX1400 firewalls? Because SRX reth interfaces do not support LACP between chassis members, since chassis cluster is simply active/passive and uses gARP for failover.

It's set up properly, like on the right side of the image in the KB article. Two separate vPCs on the Nexus side and a single reth on the SRX side, four 10gig links total. Only node1 has the link flap issues. It's very strange.
|
# ? Oct 3, 2017 06:38 |
|
Prescription Combs posted:
It's set up properly like on the right side of the image in the KB article. Two separate vPCs on the Nexus side and a single reth on the SRX side, four 10gig links total. Only node1 has the link flap issues. It's very strange.

Are the vPCs cross-chassis? Or do the links on Nexus router 0 go to SRX node 0 and router 1 to node 1? I'm pretty sure that's what you want. Alternatively, just do 4 routed links and eliminate LACP/reth interfaces altogether.
|
# ? Oct 4, 2017 00:31 |
|
Our SRX1400s have all sorts of issues like these. We had to disable BFD to get reconvergence times down. Occasionally they stop forwarding packets between a pair of IPs. Failover times are seemingly random. We had link/stability issues in the past but they seem to be gone now. And for some reason I'm quoting more SRX to replace the 1400s we have now.
# ? Oct 4, 2017 01:26 |
|
I still like the 6 SRX240H2 that I manage...
|
# ? Oct 4, 2017 02:35 |
|
ate poo poo on live tv posted:
Are the vpcs cross chassis? Or do the links on nexus router 0 go to srx node 0 and router 1 goes the node 1?

I'll have to double check the infra; pretty sure we do have a JTAC case open (I'm not directly handling the issue). It's one of the thousands of customers my company supports. No infrastructure changes remotely possible. It's a very large financial institute with red tape for days. Posted as a shot in the dark is all, really.

FatCow posted:
Our SRX1400s have all sorts of issues like these. We had to disable BFD to get reconvergence times down. Occasionally they stop forwarding packets between a pair of IPs. Failover times are seemingly random. We had link/stability issues in the past but they seem to be gone now.

Glad my place isn't the only one having random rear end issues with the 1400's; SRX's in general have some odd issues. One of my favorites is the code train that ISSU is broken on, and you have to bounce both units at the exact same time or all hell breaks loose on a code upgrade.
|
# ? Oct 4, 2017 09:34 |
|
We just lost an NPC two nights ago, and now the CPU is pegging at 1.5Gbit/s on the B unit. Got an RMA in 4 hours..... and it was bad. Putting the next RMA in tonight. In other news, we spent some money. 9006s and 9001s
|
# ? Oct 12, 2017 01:34 |