For what it's worth, Cisco also offers "Refreshed" hardware, essentially stuff returned for one reason or another and recertified. It's a bit cheaper and you would have to ask your Cisco rep for availability and what components are included (you generally don't have a lot of options in the commerce tool when working with refreshed SKUs; some things are included by default and some aren't), but it does allow bypassing lead times.

# ? Aug 2, 2021 19:03

At my new job we have 2 data centers, each with their own internet and ExpressRoute connection etc. There's also 2x 10Gb P2P links between the core switches for replication traffic and user traffic... but they're not used for internet failover, for some reason. DC routing is done using EIGRP, but needs to be changed to accommodate some new firewalls. I wanted to suggest just advertising a tracked, static default route at the edge device at each DC, but I need them to prefer their local route until it's not there. Would OSPF or iBGP be better for this? My concern with OSPF is it's most likely just going to be all in area 0, and the Core at the backup DC will always prefer the default route from the primary because of the combined 20Gbit links, and I don't believe I can influence it using tagging, metrics and route-maps since it's all in the same area? Or can I / is there a better way of picking the preferred one? OSPF would be slightly preferred because we have Meraki devices that use it, and it would mean we don't need to do any redistribution there. There's no lab VRF or anything here so I want to make sure before I suggest something dumb. Thank

# ? Aug 21, 2021 11:18

OSPF as IGP and iBGP is made for that. I'd imagine keeping proprietary EIGRP as IGP would be fine too if all of your stuff supported it. OSPF single area 0 is fine. Do you have an ASN to do eBGP to upstream transit at each site? Keep in mind that if your internal P2P link goes down between data centers, your area 0 is split and you won't be able to communicate via public internet due to BGP rules unless you do some ghetto allow-as-in hack to learn your own routes from the internet. Solution to that is probably a separate diverse P2P link, and don't plan on losing both sides of the ring in your design.

falz fucked around with this message at 16:59 on Aug 21, 2021

# ? Aug 21, 2021 16:55

falz posted: OSPF as IGP and iBGP is made for that. I'd imagine keeping proprietary EIGRP as IGP would be fine too if all of your stuff supported it.

We're probably going to be replacing a mess of Cisco firewalls/contexts with, hopefully, that doesn't support EIGRP. The end ideal design is: Core - Zone-based firewall - Internet routers. Replicated at both sites. There's no eBGP. We're just given a VRRP IP to use as the next hop, which would be the default route on our firewalls. We don't need anything fancy really. The hundreds of Meraki sites have a link into both DCs. All the servers are at the primary DC and are in the process of being moved to Azure. If things need to be brought up in the backup DC, they'd just use DNS to handle whatever needs to be accessed over the internet (there's a bunch of WAFs or F5s for that already). If the P2P drops, the users at the backup DC should still be able to get to the primary DC over the Meraki SD-WAN. My main concern is advertising the default route in both places, and all the user traffic from the site where the backup DC is (both of these are the main corporate offices, for context) will use the P2P to the internet at the Primary DC instead of its own local gateway, because I'm not sure what I can do to influence route preference in same-area OSPF? Normally I'd use route tagging when redistributing or something, but not sure I can do that here?

# ? Aug 21, 2021 17:18

I run this design for a pair of DCs and it works great. OSPF should prefer the local 0's route over the remote 0's route, since cost is cumulative. Are you planning to have the firewall and/or internet routers participate in OSPF? The backup DC core will have two 0/0 entries in its OSPF table: one with cost X (where X is backup-DC-core-to-backup-DC-firewall) and one with cost Y + X (where Y is the inter-DC link, and X is from the main-core-to-main-firewall). Even though the 2x10 Gbps link is "good", cost is cumulative, so it's tacked on to the total cost.

# ? Aug 21, 2021 19:26
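The cost comparison described above, as an added example that is not part of the original post: a small SPF run over a constructed two-DC topology (node names and link costs are assumptions, not the poster's real network). One check worth doing on the real gear before relying on this: OSPF only compares the forward cost this way for type-1 externals, or for type-2 externals whose external metric is equal. If the two firewalls inject 0/0 as E2 with different metrics, the lower external metric wins regardless of path, so originate the default with the same metric and metric-type at both sites (or use E1).

```python
"""Added example, not from the thread: which originated default route a core
picks when two firewalls each inject 0.0.0.0/0 into a single-area OSPF domain.

The topology and link costs below are constructed assumptions, not the
poster's real network.  OSPF installs the default with the lowest cumulative
cost to the originating ASBR, which is what makes each core prefer its own
DC's default until that firewall stops advertising it.
"""
import heapq

# Constructed topology: (node_a, node_b, ospf_cost).  Costs are assumptions.
LINKS = [
    ("core-primary", "fw-primary", 10),
    ("core-backup", "fw-backup", 10),
    ("core-primary", "core-backup", 5),   # 2x10G inter-DC bundle: cheap, not free
]

# Firewalls currently originating 0.0.0.0/0 (both, in normal operation).
DEFAULT_ORIGINATORS = {"fw-primary", "fw-backup"}


def build_graph(links):
    """Undirected adjacency list: node -> [(neighbour, cost), ...]."""
    graph = {}
    for a, b, cost in links:
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    return graph


def dijkstra(graph, source):
    """Shortest cumulative cost from source to every reachable node (OSPF SPF)."""
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue                      # stale heap entry, already relaxed
        for nbr, cost in graph.get(node, []):
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                heapq.heappush(heap, (nd, nbr))
    return dist


def default_route_candidates(graph, core, originators):
    """All reachable originators of 0/0 as (forward_cost, asbr), best first."""
    dist = dijkstra(graph, core)
    return sorted((dist[o], o) for o in originators if o in dist)


def chosen_default(graph, core, originators):
    """The ASBR whose default this core installs, or None if 0/0 is unreachable."""
    cands = default_route_candidates(graph, core, originators)
    return cands[0][1] if cands else None


if __name__ == "__main__":
    g = build_graph(LINKS)
    for core in ("core-primary", "core-backup"):
        print(core, "normal   ->", default_route_candidates(g, core, DEFAULT_ORIGINATORS))
    # Backup DC loses its own default (firewall down, or its tracked static gone):
    print("core-backup failover ->", chosen_default(g, "core-backup", {"fw-primary"}))
```

Lowering the inter-DC link cost never flips the choice as long as it stays above zero; the remote default is always the local firewall cost plus that link.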

madsushi posted: I run this design for a pair of DCs and it works great. OSPF should prefer the local 0's route over the remote 0's route, since cost is cumulative.

Nice one, thank you. This is what I was hoping for. I was just second-guessing myself so I don't look dumb. Both cores should have both routes but prefer their own one, until it's not there, is the basic idea. Firewalls will be part of OSPF, internet routers won't be. Ideally it'll be a PA firewall and that will be where I'm advertising the route from... There's a N7K pair with 3 contexts that'll all be in different zones on the PA.

# ? Aug 22, 2021 22:27

Cisco book recommendation? I don't need a chapter on subnetting or T1s and ISDN or OSI models. Just real-world examples, cookbook-type poo poo. O'Reilly IOS Cookbook is like 14 years old.

# ? Sep 10, 2021 15:49

Network Warrior was good last I looked, like 5-6 years ago. Not sure how recently that has been updated or how relevant it still is.

# ? Sep 10, 2021 15:54

Todd Lammle's stuff is good.

# ? Sep 10, 2021 17:01

Bob Morales posted: Cisco book recommendation? I don't need a chapter on subnetting or T1s and ISDN or OSI models. Just real-world examples, cookbook-type poo poo. O'Reilly IOS Cookbook is like 14 years old.

Are you thinking you don't need this because it's old stuff and you don't care, or because you already know about that stuff? If it's the former, possibly reconsider, as some of it may be useful, and lots of commands on Cisco devices and the reasons they work the way they do are due to old historical things and commands. I.e. running into 'no ip classless' in the wild can be humorous and fix your poo poo while you get a chuckle out of it.

# ? Sep 10, 2021 21:13

falz posted: Are you thinking you don't need this because it's old stuff and you don't care, or because you already know about that stuff?

A little of both. I mean if they have chapters on that, fine, I just have those parts covered. I have some old Odom books (2003?) but they don't cover some security-related things and other newer stuff. I can do most of the stuff I want on our gear but I want to read more about it, and a lot of the model-specific documentation doesn't cover things. Like our 2960s work a bit different than our 4500. And then we'll probably get some 9300s or something in the near future.

# ? Sep 10, 2021 21:55

You'd probably be better off just reading the config guide for the models you have, honestly. Also I'm pretty sure 2960s go end of support this year.

# ? Sep 11, 2021 00:55

Just buy Arista instead and you won't need to deal with any of the ancient lovely parts of IOS. Arista's official docs are actually readable, and not from 2002, too.

Methanar fucked around with this message at 01:09 on Sep 11, 2021

# ? Sep 11, 2021 01:07

BaseballPCHiker posted: You'd probably be better off just reading the config guide for the models you have, honestly.

Methanar posted: Just buy Arista instead and you won't need to deal with any of the ancient lovely parts of IOS.

We are getting all Fortinet to replace them.

# ? Sep 11, 2021 03:17

BaseballPCHiker posted: You'd probably be better off just reading the config guide for the models you have, honestly.

They already have! Pretty good timing, as we were thinking about moving to a different vendor since our Cisco rep just never interacts with us. Nice of them to not give us a heads up at all.

# ? Sep 11, 2021 11:43

I knew it had to be close to EOL. I replaced about 100 in 2020 with 9000 series Catalysts. Some days I miss being in networking. But then again I haven't woken up to support a site with a fiber cut in over a year.

# ? Sep 11, 2021 16:06

I have two interfaces on this 2960. One is a 10.x.x.x, the other is a 192.168.x.x. If I set the default route to 192.168 instead of 10., RADIUS auth times out. Is this on my firewall (new company and old company networks, but on the same firewall etc.) or where should I look in the switch config? I don't see anything that jumps out at me, but I have other switches with that default route that work fine. I didn't check the RADIUS server yet.

# ? Sep 15, 2021 21:51

What interface is the switch communicating from? You need a route back from whatever is upstream of your switch, so if your RADIUS requests are coming from 10.1.2.3 but the thing your switch is connected to thinks that it's on-net for that subnet, it won't be forwarding packets to the correct place.

# ? Sep 15, 2021 21:56

Thanks Ants posted: What interface is the switch communicating from? You need a route back from whatever is upstream of your switch, so if your RADIUS requests are coming from 10.1.2.3 but the thing your switch is connected to thinks that it's on-net for that subnet, it won't be forwarding packets to the correct place.

It's connected to both... I can SSH to either address and connect. Not on-site today so I don't want to gently caress with it when I'm not able to console in.

# ? Sep 16, 2021 15:13

I meant this: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/srfrad.html#wp1027454

# ? Sep 16, 2021 15:19

Thanks Ants posted: I meant this

Don't have a line like that on any of our switches. I can see they are coming from the right address on the firewall though. I think that's where the issue lies.

# ? Sep 16, 2021 15:40

Do you have an IGP? Create a loopback interface and IP and use that as the router's IP for "ip radius source-interface" and whatnot. Any multihomed router should have a loopback IP imo.

# ? Sep 16, 2021 19:43

Actually I need to just remove all the 10. interfaces on these... since we are abandoning that network.

# ? Sep 16, 2021 21:17

Maybe the RADIUS server is behind something that won't allow return traffic? Seems pretty straightforward.

# ? Sep 17, 2021 03:15

Partycat posted: Maybe the RADIUS server is behind something that won't allow return traffic? Seems pretty straightforward.

Doesn't make sense, since I have other switches on that same network using RADIUS with similar IPs. We enabled MFA on 20-some people without setting up their devices first so I will probably have to wait another day...

# ? Sep 17, 2021 13:54

If you're changing your RADIUS source IP (and you aren't using any 'default device' feature on your RADIUS server; I'm assuming you're using ISE here) you need to update the network device on there to reflect the new IP, assuming all your routing and firewall policies are how they're meant to be.

# ? Sep 17, 2021 14:31

welp. it was NPS

# ? Sep 17, 2021 14:40

Anyone had any experience with mass importing/changing geographical L7 rules on a Meraki? I have over 250+ vet clinics (networks) that the parent company decided to block all traffic except Canada/USA/UK... which I advised against; at least until we can figure out a way to mass implement changes. Since like half the sites these clinics access have like NS servers in Ireland or Netherlands (and I'm not even talking about Cloudflare type, just independent hosting in Bahrain was another one I saw..., etc, etc.). Plus there's the whole Thanks Cloud! Copy/pasting doesn't work because the GUI does that good ol' auto-complete, and I'm too much of a newb to know how I would even begin to do it via CLI/scripting.

Hirez fucked around with this message at 12:03 on Sep 21, 2021

# ? Sep 21, 2021 11:29

Basically I don't wanna type be bri can den finl fran ger irel neth swed unit unit x250 times, and it looks like we need to add Japan too since a new vendor hosts their site there, exciting.

e: I assume it's something like this, but even this looks like I need to go through each MX (though I guess that shouldn't be more than a 5min script, assuming I can retrieve all the keys easily) or maybe I'm gonna need something like https://docs.ansible.com/ansible/la...firewall-module

# ? Sep 21, 2021 12:04

Definitely learn the API for this, put the Ansible stuff up as a future goal. It will also mean you have everything in place to switch firewall vendor if Meraki start messing you about.

# ? Sep 21, 2021 16:01

Yeah, or just a very simple script to log in to them in a loop and issue commands. Or `pssh`, or RANCID clogin (or whatever it may be for that platform) on a loop. Literally the last thing to do is manually log in and type the same thing.

# ? Sep 21, 2021 17:24

Meraki have a collection of automation scripts using their own Python module. Maybe there's one there that covers your use case: https://github.com/meraki/automation-scripts

I haven't done your exact scenario, but my new job uses Meraki and I've been using the API this week to pull a bunch of information from our appliances to add to our NAC. Use the Cisco dev website for the API explorer; it's much easier to find and they give real examples of what a Python snippet looks like. I think the GET for the network appliance L7FW is this one: https://developer.cisco.com/meraki/api-v1/#!get-network-appliance-firewall-l-7-firewall-rules There should be a POST in the sidebar nearby.

You should download the Meraki Python module too so you don't have to write REST calls yourself. If you click the Template bit on the right side of whatever endpoint is correct for your case, it should give you an example using the Meraki Python library. Looks like you'll have to format your change as JSON. This is the git for the API: https://github.com/meraki/dashboard-api-python

I think some rough steps would be: run the getInventory.py script from Meraki, filter it down in Excel to just the appliances/network IDs you care about. Take the example script from the Cisco API website to run a GET on one of those you've configured in the UI to how you want it to be, so you have the JSON preformatted. Test making the POST request to a test network to make sure it works. When you're certain it's working, take your NetworkIDs and make a list in your Python script, then just loop through that list with the working POST request using the JSON data.

uhhhhahhhhohahhh fucked around with this message at 17:39 on Sep 21, 2021

# ? Sep 21, 2021 17:29
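The loop those rough steps describe, as an added example that is not the poster's, the thread's or Meraki's own code: it keeps the non-geo L7 rules each network already has, replaces only the country rule, skips networks already in the wanted state, and dry-runs by default so the first live push can be a single test network. The meraki library method names, the rule schema, the abbreviation-to-ISO-code mapping and the sample data are assumptions, marked as such in the block; in the Dashboard API the rule update is a PUT, which the library wraps in the `update...` method.

```python
"""Added example, not the thread's or Meraki's own code: replace the country
(geo) rule on many MX networks' L7 firewall rule sets without retyping it.

Assumptions (names from the meraki Python library, not verified on this page):
  dashboard.appliance.getNetworkApplianceFirewallL7FirewallRules(networkId)
      -> {"rules": [...]}
  dashboard.appliance.updateNetworkApplianceFirewallL7FirewallRules(networkId, rules=[...])
A country rule is assumed to look like
  {"policy": "deny", "type": "allowedCountries", "value": ["CA", "GB", ...]}
with ISO 3166-1 alpha-2 codes; "blockedCountries" is the inverse form.
Everything else here runs offline against constructed sample data.
"""
import re

COUNTRY_RULE_TYPES = {"blockedCountries", "allowedCountries"}
ALPHA2 = re.compile(r"^[A-Z]{2}$")

# The poster's list plus Japan as alpha-2 codes (assumed reading of the abbreviations).
ALLOWED = ["BE", "GB", "CA", "DK", "FI", "FR", "DE", "IE", "NL", "SE", "US", "JP"]

# Constructed sample of what a GET might return for two clinic networks.
SAMPLE_NETWORKS = {
    "N_clinic_a": [
        {"policy": "deny", "type": "applicationCategory",
         "value": {"id": "meraki:layer7/category/1", "name": "Peer-to-peer (P2P)"}},
        {"policy": "deny", "type": "allowedCountries", "value": ["CA", "GB", "US"]},
    ],
    "N_clinic_b": [  # already correct; must be left alone
        {"policy": "deny", "type": "allowedCountries", "value": sorted(ALLOWED)},
    ],
}


def allowed_countries_rule(codes):
    """One 'allow only these countries' rule.  Malformed codes are rejected up
    front: a typo pushed to 250 sites would either fail or block a country."""
    cleaned = sorted({c.strip().upper() for c in codes})
    bad = [c for c in cleaned if not ALPHA2.match(c)]
    if bad:
        raise ValueError(f"not ISO 3166-1 alpha-2 codes: {bad}")
    return {"policy": "deny", "type": "allowedCountries", "value": cleaned}


def merge_country_rule(existing_rules, country_rule):
    """New rule list: every non-country L7 rule kept in order, then exactly one
    country rule.  Does not mutate the input."""
    kept = [r for r in existing_rules if r.get("type") not in COUNTRY_RULE_TYPES]
    return kept + [country_rule]


def plan_changes(get_rules, network_ids, country_rule):
    """{network_id: new_rules} for networks whose rule set would actually change.
    get_rules is a callable network_id -> list of rules (API GET or a stub)."""
    plan = {}
    for nid in network_ids:
        current = get_rules(nid)
        proposed = merge_country_rule(current, country_rule)
        if proposed != current:
            plan[nid] = proposed
    return plan


def apply_changes(update_rules, plan, dry_run=True):
    """Push each planned rule set.  Default is a dry run: do one test network
    live first, then the rest.  Returns the network ids touched."""
    touched = []
    for nid, rules in plan.items():
        if not dry_run:
            update_rules(nid, rules)
        touched.append(nid)
    return touched


def meraki_callables(api_key):
    """Wire plan/apply to the real Dashboard API (assumed method names above)."""
    import meraki  # pip install meraki; imported lazily so the rest runs offline
    app = meraki.DashboardAPI(api_key=api_key, suppress_logging=True).appliance
    return (lambda nid: app.getNetworkApplianceFirewallL7FirewallRules(nid)["rules"],
            lambda nid, rules: app.updateNetworkApplianceFirewallL7FirewallRules(nid, rules=rules))


if __name__ == "__main__":
    rule = allowed_countries_rule(ALLOWED)
    plan = plan_changes(SAMPLE_NETWORKS.__getitem__, list(SAMPLE_NETWORKS), rule)
    for nid, rules in plan.items():
        print(nid, "->", rules)
    print("would update:", apply_changes(lambda n, r: None, plan, dry_run=True))
```

Against a live dashboard, `get_rules, update_rules = meraki_callables(key)` replaces the stubs; the network id list comes from the inventory export the post mentions. Keep the plan output (the before/after per network) as the change record.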

falz posted: Yeah, or just a very simple script to log in to them in a loop and issue commands. Or `pssh`, or RANCID clogin (or whatever it may be for that platform) on a loop.

gnu expect

# ? Sep 21, 2021 19:19

Yeah, that's basically what RANCID is written in. It hurts my brain.

# ? Sep 21, 2021 20:06

Hirez posted: Basically I don't wanna type be bri can den finl fran ger irel neth swed unit unit x250 times, and it looks like we need to add Japan too since a new vendor hosts their site there, exciting.

TIL that Meraki's CLI is in Welsh.

# ? Sep 22, 2021 07:56

Expect is on top of Tcl, which means you can do some neat things with the scripts like fire off emails and that. It also means you have to learn some Tcl.

# ? Sep 22, 2021 10:39

Thanks for the answers even though they're sorta Latin to me (I log into the API how?! [Don't worry, I'll Google it, and I think it's SSH, I think I did it once!!!]). I just took a Meraki from an old clinic and I guess I'll gently caress around with it at home instead of the live Merakis they have me doing this on with 0 notice and instruction except "get it done!" (then read all your coworkers' emails from clinics about sites they can no longer access or their X-ray and dental machines phone home before they work because...). I feel this is gonna really go up a notch soon, as this big partner just got bought out by some British hedge fund and now I'm gonna have to learn about this GDPR shit and actually pay attention.

Hirez fucked around with this message at 11:36 on Sep 22, 2021

# ? Sep 22, 2021 11:33

I'd check Cisco's DevNet documentation for Meraki. Some good documentation there on how to interact with the APIs. https://developer.cisco.com/meraki/api/#!introduction/meraki-dashboard-api

Would also grab Postman to manually interact with the APIs first to make sure things work as expected before scripting them out further. https://www.postman.com/

For better or worse this is the future of network engineering. I did the DevNet Associate cert last year and I was able to learn an absolute ton, and it has made my job much easier in return.

# ? Sep 22, 2021 21:17

Methanar posted: gnu expect

mods???

# ? Sep 22, 2021 23:19