falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Didn't you look in to RANCID? That's literally what it does: SSH or telnet or whatever into it, grab config, save to a revision control system.


falz
Jan 29, 2005

01100110 01100001 01101100 01111010

... if you also want to set up Ansible.

It's just using NAPALM's `get_config` function, which honestly is a trivial half dozen lines of code if you did want to dabble: https://napalm.readthedocs.io/en/latest/support/index.html

However, it helps in no way to merge it into a revision control system, deal with cron, creating diffs, emailing them out, and so on. I don't know why I'd want to go down that slippery road from scratch.

I'd still probably just do RANCID because Oxidized is Ruby and gently caress Ruby. Also ytti is looking for another maintainer, so IDK how active it is. RANCID is a huge hot mess of expect scripts, but at least heasley is super active in updating it.
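The "grab config, save to revision control, diff it" loop described above, as an added example that is not code from the thread, RANCID, Oxidized or NAPALM. The fetch step uses NAPALM's real `get_config()` call; the volatile-line scrub and the diff are written from scratch here, and the sample configs are constructed.

```python
"""Pull a running config, scrub lines that change on every poll, and diff it
against the previous copy. Added example; only fetch_running() touches NAPALM."""
import difflib
import re

# Lines that differ on every pull with no operator change (constructed list;
# RANCID ships a much longer per-vendor filter set).
VOLATILE = [
    re.compile(r"^! Last configuration change"),
    re.compile(r"^! NVRAM config last updated"),
    re.compile(r"^ntp clock-period "),
]


def scrub(config: str) -> str:
    """Drop volatile lines so the diff only shows real changes."""
    kept = [l for l in config.splitlines()
            if not any(p.match(l) for p in VOLATILE)]
    return "\n".join(kept) + "\n"


def config_diff(old: str, new: str, name: str = "router") -> str:
    """Unified diff of two scrubbed configs; empty string when nothing changed."""
    return "".join(difflib.unified_diff(
        scrub(old).splitlines(keepends=True),
        scrub(new).splitlines(keepends=True),
        fromfile=f"{name}/previous", tofile=f"{name}/current"))


def fetch_running(hostname, username, password, driver="ios"):
    """Fetch the running config over SSH with NAPALM (imported lazily so the
    scrub/diff helpers also work where NAPALM is not installed)."""
    import napalm  # real library: get_config() returns {"running": ..., ...}
    dev = napalm.get_network_driver(driver)(hostname, username, password)
    dev.open()
    try:
        return dev.get_config(retrieve="running")["running"]
    finally:
        dev.close()


# Constructed samples: NEW_NOISE only differs in timestamp/clock-period,
# NEW_REAL also changes the loopback address.
OLD = """! Last configuration change at 10:00:00 UTC Mon Aug 16 2021
hostname rtr1
ntp clock-period 17179924
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
"""
NEW_NOISE = OLD.replace("10:00:00", "11:00:00").replace("17179924", "17179931")
NEW_REAL = NEW_NOISE.replace("ip address 10.0.0.1", "ip address 10.0.0.2")
```

Feed `config_diff()` the previous backup and the output of `fetch_running()`; a non-empty result is what you commit and mail out.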

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
What is anything Catalyst anymore? CatOS was dead in the early 2000s.

'set' commands and ISL vlans 4 lyfe

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

MF_James posted:

gently caress sonicwall and their site to site vpn.

Just ran into a weird issue where specific traffic was not going through a tunnel setup as site to site, for whatever reason their auto-generated rules aren't working so I have to create specific rules for traffic to pass, but even then some traffic just doesn't pass.

My guess is that it's because we're connecting 2 different devices with different firmware together, but as a temporary fix I just create a "Tunnel Interface" instead of a site to site.

If it still exists, don't forget to go to the hidden "/diag.html" and check some boxes which back in the day was the only way to get some vpn tunnels to work right.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
What's the firewall vendor whose boxes are bright red, and the only way to admin it was a Windows native application that opens multiple windows? This info is at least 10 years old. I want to say maybe even the word 'fire' was in the vendor or product name.

That was the only thing worse imo.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
I'm not a firewall guy and generally don't like being involved in security, but the only firewall I don't remember hating was Netscreen, pre Junos purchase. Fortigate obviously keeps that Web UI going similarly, and also with similar terribleness, like having to go to the CLI to enable IPv6 so it shows up in the web UI.

Netscreen's CLI was nicer than Fortigate's though, iirc. This whole pseudo tabbed nested thing with next is bullshit. But at least you can get a text config backup, which IMO is key to any of this poo poo.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
All CPU bound firewall poo poo works fine under normal/small load, but caves during a DDoS as their session table maxes out. I'd consider it the same as using pf/iptables/hosts.allow at best.

Related to firewalls, anyone know of software, open sores or commercial, that is made for vendor agnostic firewall source of truth / documentation, and possibly provisioning? I'm picturing a web ui type of thing where you define your NAT rules, and perhaps it can poo poo out a block of code per vendor. It doesn't even need that config part as long as it has an API, we could make it work with .j2 templates or something.

It looks like there's a crusty old sourceforge project that's now dead called `fwbuilder` that does something similar, but it looks like a windows app or someshit.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Really need to run a single IGP for starters, and it should be OSPF.

If your boss needs convincing draw up a crazy stringed together diagram and explain the insanity of it.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Sounds like he's incompetent and should be fired honestly.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
OSPF as IGP and iBGP is made for that. I'd imagine keeping proprietary EIGRP as IGP would be fine too if all of your stuff supported it.

OSPF single area 0 is fine.

Do you have an ASN to do eBGP to upstream transit at each site?

Keep in mind that if your internal p2p link goes down between data centers, your area 0 is split and you won't be able to communicate via public internet due to BGP rules unless you do some ghetto allow-as-in hack to learn your own routes from the internet.

Solution to that is probably a separate diverse p2p link, and don't plan on losing both sides of the ring in your design.

falz fucked around with this message at 16:59 on Aug 21, 2021

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

Bob Morales posted:

Cisco book recommendation? I don't need a chapter on subnetting or T1's and ISDN or OSI models. Just real-world examples cookbook type poo poo. O'reilly IOS Cookbook is like 14 years old.

Are you thinking you don't need this because it's old stuff and you don't care, or because you already know about that stuff?

If it's the former, possibly reconsider as some of it may be useful, and lots of commands on Cisco devices and the reasons they work the way they do are due to old historical things and commands. I.e. running into 'no ip classless' in the wild can be humorous and fix your poo poo while you get a chuckle out of it.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Do you have an IGP? Create a loopback interface and IP and use that as the router's IP for "ip radius source-interface" and whatnot.

Any multihomed router should have a loopback ip imo.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Yeah or just a very simple script to log in to them in a loop and issue commands. Or `pssh`, or RANCID clogin (or whatever it may be for that platform) on a loop.

Literally last thing to do is manually log in and type the same thing.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Yeah, that's basically what RANCID is written in. It hurts my brain.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Also you didn't specify which config, running or startup. Go Cisco.

(Junos 4 lyfe)

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
As in an LDAP server that's not Microsoft AD?

OpenLDAP certainly is a thing that functions; it's usually a bit harder to administer users unless you can find a good web UI. I'd used one in the past but don't fully remember its name.

It was fine to tie in to freeradius + freebsd server auth tho.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

uhhhhahhhhohahhh posted:

Am I a huge dumbass for wanting to use iBGP as an IGP inside two data centres with eBGP between them? It's like 6 devices total.

Yes, don't do that.

Just use OSPF and area 0 (not proprietary EIGRP), optionally something BGP related between datacenters depending on your design.

If you need iBGP, run it between loopback interfaces, not physical interfaces; this is where your actual IGP helps.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
NHS should be done on your eBGP speaking router. Idk your platform but on Junos you set NHS facing the iBGP mesh.

And sure, you could literally run eBGP and iBGP without an IGP, but you'd have to configure it on each interface between everything and it becomes a management nightmare, even with only a handful of routers.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Not a firewall guy. Certainly your firewall vendor of choice sells models with dual PSUs?

My org uses Fortigate for firewalls currently, their 10g/SFP+ models tend to have dual PSU support.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
I certainly know little about security stuff but is WireGuard an actual RFC standard?

If not then I doubt Juniper cares, and I don't blame them.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
I mean other vendors may implement it but Juniper won't unless it's an actual standard. IDK about the PKI stuff but I also hate cert stuff.

I guess consider me traditional and I just have some VMs that use ssh based transport to wrangle our Junos stuff using netconf / pyez / napalm / etc.

In our case though everything has public IPs so there's no additional routing hurdle or whatever your main motivation is for VPN tunnels. Also the underlying transport is all our layer1 stuff so less to zero concerned about wiretapping or anything like that.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Curious why you're tearing from RFC 1918 space without NAT and expecting it to work? Or just checking if the ISP is not doing uRPF, which they do seem to be missing.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
All of my devices have loopbacks so they use that. In this case without one probs set the 'ip source-interface' command for various things to force a sane default

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
If you're fine with how loud it is, how much power it takes, use it. Also see if they're even selling on eBay at all, if not -> in the bin.

And I presume you don't mean a separate basement network? Connect them.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

Prescription Combs posted:

A WTF Cisco moment:

Firepower 9300 running FTD and FMC managed will honor a static route even if the destination host is in a directly connected network.

Is it more specific than the interface netmask?

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
You should probably monitor their traffic levels and interface errors too? Observium/LibreNMS (a more open fork) is a good starting place for that. Those systems can also be used as a 'base', to know what's online, then generate config files out of the devices in there, like for RANCID, etc. to use.

We do this with Observium and it works well. Basically add device there or it's discovered via ospf/bgp/lldp/etc and you'll automatically get a RANCID config file update and it will automatically back it up, for example. But indeed, this doesn't handle pushing configs to them.

If they're so bloody old they don't support SSH in IOS, it may be doubtful if NAPALM's IOS driver will even work with them, that requires at least 12.2 or 12.3 or something, and more importantly requires the 'archive' command which was added iirc around 12.4 or something.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Not since Cisco started supporting dot1q standards like 20+ years ago.

Before that their proprietary ISL only supported 1k.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Check for 'ip source interface' commands too, it could be using the loopback ip by default which your PC may not have a route to.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

Anubis posted:

Not sure exactly all the implications of that would be but I've successfully reached the internet in a Client -> Switch -> Router setup. I don't think it's a problem because I can telnet in from my PC and do all the regular things... which seems like it would indicate that the routing is all there?

The command I'm referring to is used by the device and is set per protocol - http, tftp, and so on. It has nothing to do with it routing packets through but deals with traffic sourced from the device itself.

To confirm it's not a problem set 'ip source interface tftp (blah)' for whatever interface you're attempting to tftp to and from.

Since you're windows, you should also just install Wireshark and sniff for tftp packets and see what's the what.
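The per-protocol source-interface behaviour described in the last two posts (device-sourced traffic such as TFTP or RADIUS is addressed from whatever `ip <proto> source-interface` points at, otherwise the egress interface), as an added example that is not code from the thread. The `ip <proto> source-interface`, `logging source-interface` and `ntp source` commands are real IOS syntax; the sample config is constructed, and interface names are matched exactly (no abbreviation expansion).

```python
"""Resolve which address a Cisco IOS device will source traffic from, per
protocol, by reading its running config. Added example, constructed sample."""
import re

PROTOCOLS = ("tftp", "radius", "tacacs", "ssh", "ftp", "logging", "ntp")


def interface_ips(cfg: str) -> dict:
    """{interface name: primary ip} from 'interface X' / ' ip address A M'."""
    ips, current = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"^interface (\S+)", line):
            current = m.group(1)
        elif current and (m := re.match(r"^ ip address (\S+) \S+", line)):
            ips[current] = m.group(1)
        elif not line.startswith(" "):
            current = None  # left the interface stanza
    return ips


def source_interfaces(cfg: str) -> dict:
    """{protocol: interface} for every explicit source-interface command."""
    out = {}
    for line in cfg.splitlines():
        if m := re.match(r"^ip (\S+) source-interface (\S+)", line):
            out[m.group(1)] = m.group(2)          # ip tftp/radius/tacacs/ssh/ftp
        elif m := re.match(r"^(logging) source-interface (\S+)", line):
            out[m.group(1)] = m.group(2)
        elif m := re.match(r"^(ntp) source (\S+)", line):
            out[m.group(1)] = m.group(2)
    return out


def source_addresses(cfg: str) -> dict:
    """{protocol: source ip, or None when nothing is set and IOS will use the
    egress interface picked by routing (which a peer may have no route to)}."""
    ips, srcs = interface_ips(cfg), source_interfaces(cfg)
    return {p: ips.get(srcs[p]) if p in srcs else None for p in PROTOCOLS}


# Constructed sample: TFTP and RADIUS pinned to the loopback, syslog pinned
# to the LAN interface, SSH left at the default.
SAMPLE = """hostname rtr1
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
!
ip tftp source-interface Loopback0
ip radius source-interface Loopback0
logging source-interface GigabitEthernet0/0
"""
```

A `None` for the protocol you are troubleshooting, or a loopback address your workstation cannot route to, is the case the post describes.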

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

MrMoo posted:

https://coloradosun.com/2023/11/13/fastest-internet-service-terabits-denver-sc23/

This sounds pretty neat, 6Tb interwebs connection for a convention.

Well, optical vendors use SC conference to test gear in production and put out flashy news releases, so it's a good thing to test waves between Denver and Chicago (starlight 710) per article. Pretty nice for press releases.

Also lol at whoever wrote this article

quote:

This year, the team installed the next generation of internet protocol technology, called IPv6.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

wolrah posted:

It's amazing how logical and explorable the Cisco CLI layout is until it suddenly does something backwards from all reasonable expectations like enabling a port via `no shutdown` or of course everyone's favorite learning experience `switchport trunk allowed vlan add`

As noted, IOS isn't logical at all; it's 30 years of them mashing more commands in while not breaking compatibility.

It's sad that most other vendors cloned it.

Not Junos of course which is actual legit 95% logical. Give it a try on some virtual thing sometime.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

Thanks Ants posted:

Fortigate CLI tab completion doesn't automatically insert a space after you use it, which is the single most annoying feature.

The fact that its tab completion toggles through all valid options is really bad. This is one thing IOS does better.

Also arbitrary numbers for things - wtf. Makes it really hard to have config templates and make bulk changes since everything is an arbitrary number.

Sorry, last complaint: locking down the management interface to source IPs is so stupid. You can't just define an ACL, it's based on each user. So if you lock down users to specific source ranges, something internal blocks https/ssh/etc from everything else. But if someone adds a user, it defaults to 0/0, and is then open to the world again.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

Thanks Ants posted:

Local in policies aren't per-user are they? Or is that not what you mean?

quote:

Setting trusted hosts for all of your administrators increases the security of your network by further restricting administrative permissions. In addition to knowing the password, an administrator must connect only through the subnet or subnets you specify. You can even restrict an administrator to a single IP address if you define only one trusted host IP address with a netmask of 255.255.255.255.

When you set trusted hosts for all administrators, the FortiManager unit does not respond to administrative access attempts from any other hosts. This provides the highest security. If you leave even one administrator unrestricted, the unit accepts administrative access attempts on any interface that has administrative access enabled, potentially exposing the unit to attempts to gain unauthorized access.

https://help.fortinet.com/fmgr/50hlp/56/5-6-1/FMG-FAZ/0900_Administrators/0005_Trusted%20Hosts.htm

Basically there should be a setting to permit which source IPs can get to management interfaces that's not associated with user accounts, just 'listen on mgmt iface from x/y/z'.

Maybe there's a better way to do this now but our folks didn't seem to find one.
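The failure mode above (a newly added admin with no trusted hosts silently reopens management to 0/0) is easy to catch in a config audit. Added example, not code from the thread or Fortinet: it walks a FortiGate `config system admin` block (the `edit` / `set trusthostN <ip> <mask>` / `next` / `end` syntax is FortiOS's own) and lists admins with no source restriction; the sample config is constructed.

```python
"""Flag FortiGate administrators that accept logins from any source address.
Added example; the sample 'config system admin' block is constructed."""
import re

ANY = ("0.0.0.0", "0.0.0.0")  # explicit form of the FortiOS default (no restriction)


def parse_admins(cfg: str) -> dict:
    """{admin name: [(ip, mask), ...]} for every 'edit' entry in
    'config system admin'. Nested config blocks inside an admin are skipped."""
    admins, current, depth = {}, None, 0
    for raw in cfg.splitlines():
        line = raw.strip()
        if depth == 0:
            if line == "config system admin":
                depth = 1
            continue
        if line.startswith("config "):        # nested block (e.g. gui-dashboard)
            depth += 1
        elif line == "end":
            depth -= 1
            if depth == 0:
                break
        elif depth == 1 and line.startswith("edit "):
            current = line[5:].strip('"')
            admins[current] = []
        elif depth == 1 and line == "next":
            current = None
        elif depth == 1 and current and (
                m := re.match(r"set trusthost\d+ (\S+) (\S+)$", line)):
            admins[current].append((m.group(1), m.group(2)))
    return admins


def unrestricted_admins(cfg: str) -> list:
    """Admins reachable from anywhere management access is enabled: either no
    trusthost lines at all (FortiOS default) or an explicit 0.0.0.0/0 entry."""
    return [name for name, hosts in parse_admins(cfg).items()
            if not hosts or ANY in hosts]


# Constructed sample: 'noc' is pinned to the NOC subnet, 'newguy' was added
# without trusted hosts and therefore answers from the whole internet.
SAMPLE = """config system admin
    edit "noc"
        set trusthost1 10.20.0.0 255.255.255.0
        set accprofile "super_admin"
    next
    edit "newguy"
        set accprofile "super_admin"
    next
end
"""
```

Run this over each config backup and alert when the returned list is non-empty; that is the check the per-user design makes you do yourself.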

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

Thanks Ants posted:

Ah, FortiManager vs. FortiGate

It's fortigate (firewall) 600e/1000d/etc.


falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Yeah that was just the first google hit that had the infoz.

Since there's fortigate chat here - I think the answer is NO but.. scenario is a Web Server is behind a Fortigate as a DMZ (both public IPs)

On the web server's config we whitelist certain hosts, block others. But we put a nice 403 message up saying 'you're coming from the wrong IP' (our customers' IPs).

Ideally I'd move this functionality to a firewall in front of the server. Can a Fortigate do some sort of FW policy that only permits certain sources, but for others it displays the HTTP error message itself (not passing those requests to the web server)?

Seems like a stretch for this, but pretty sure PA can do it?
