7 points · 2 days ago

For fun, to learn python, and it sounds strange to say, but the way my mind works it was easier for me to write my own tools from scratch than learn a different pipeline.

Then job well done. I don't have anything against rolling your own, especially for this reason, I just think for most people Ansible or similar would be the way to go.

That said, you might want to look at the NTC slack to get down and dirty with Python if you haven't already.

I also recall looking for Ansible modules for IOS upgrades and found only one that lacked flexibility, at least to my untrained eyes. Correct me if I'm wrong.

I did an upgrade playbook a little while ago; I need to get my eyes on it as we will need to run an upgrade soon again. I will take a look tomorrow. It should be in my work repo (privately hosted) so I can't look at it now, unfortunately.


I would definitely appreciate seeing your upgrade playbook.

3 points · 12 days ago

Microsoft Planner works pretty well for us, we use it for circuit installs , new project initiatives, new branch sites , etc...

Nice to Assign tasks, have a dashboard where everyone can see active projects , etc..

Also integrates well with Teams.


How long have you been using Planner? My team tried it out in late 2016 but it was missing a lot of features that we needed/wanted but we understood that it was still under development. Is it worth trying again? We're pretty invested in MS Teams so it seems like a good idea if our project management integrates well.

3 points · 12 days ago · edited 12 days ago

smartsheet.com is my favorite. You can assign each task to different people, create dependencies and do pretty much whatever you want in it. I like it for small to large projects. You can even sign in with google.

Here is a screen shot of one of my projects: https://imgur.com/a/IpiBBoE

Edit: the screenshot just shows the overview, there are many more columns with more details.

Original Poster · 1 point · 13 days ago

That's basically what I was thinking. We do have local internet access, and credentials are cached so authentication should work still. If I add a tertiary dns of 8.8.8.8 then at least in the case of an outage they could still reach websites.


I think the ipsec vpn backup should be your priority. That way dns/dhcp/whatever has a backup route and the status of your primary wan is no longer a factor.

[deleted]
874 points · 15 days ago · edited 14 days ago

[removed]


That's an easy fix, just terminate the cable and screw it into the back of a wall plate.

13 points · 20 days ago

You can with command aliases. First thing I do on a fresh NXOS box.

cli alias name wr copy running-config startup-config
cli alias name wri copy running-config startup-config
cli alias name fuckit reload

You have a typo, he wants:

cli alias name wr copy startup-config running-config
cli alias name wri copy startup-config running-config
cli alias name fuckit reload

I'll quote OP on this one

That’s not funny at all, that’s a fucking disaster

-cruddy_mccrudderson


I had a cat5 drop fail that attached one of the twenty Cisco APs at my warehouse. The pairs in the cat5 that provide PoE were still working so the AP was still powered on and broadcasting the SSID but data wasn’t working. As users moved through the warehouse they would sometimes connect to the bad AP and be black holed. They would start working again when they connected to a good AP.

If your cisco switch is providing PoE to the APs, compare the command “sh power inline” and “sh int statu” and see if any interfaces are providing PoE but show “notconnected”.
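As an added example (not from the commenter above), this Python snippet automates that comparison: it parses constructed `show power inline` and `show interface status` output and lists ports that are delivering PoE while the link shows `notconnect`. The sample output, interface names and descriptions are made up for illustration.

```python
import re

# Constructed sample output, modelled on Catalyst 'show power inline' and
# 'show interface status' (not captured from a real switch); the interface
# names and port descriptions are made up for this example.
SHOW_POWER_INLINE = """\
Interface Admin  Oper       Power   Device              Class Max
                            (Watts)
--------- ------ ---------- ------- ------------------- ----- ----
Gi1/0/1   auto   on         15.4    AIR-CAP2702E-B-K9   4     30.0
Gi1/0/2   auto   on         15.4    AIR-CAP2702E-B-K9   4     30.0
Gi1/0/3   auto   off        0.0     n/a                 n/a   30.0
Gi1/0/4   auto   on         6.3     Ieee PD             2     30.0
"""

SHOW_INT_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/1   AP-WH-01           connected    10         a-full a-1000 10/100/1000BaseTX
Gi1/0/2   AP-WH-02           notconnect   10           auto   auto 10/100/1000BaseTX
Gi1/0/3                      notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/4   Badge reader 2     connected    20         a-full  a-100 10/100/1000BaseTX
"""

# Interface, Admin and Oper columns; only the Oper state matters here.
POE_ROW = re.compile(r"^(?P<intf>\S+)\s+\S+\s+(?P<oper>on|off|faulty|power-deny)\s")
# The Name column may be blank or contain spaces, so match the Status keyword
# after it (assumes no port description itself contains a status word).
STATUS_ROW = re.compile(
    r"^(?P<intf>\S+)\s.*?\b(?P<status>connected|notconnect|disabled|err-disabled|inactive)\b")


def powered_interfaces(power_inline):
    """Set of interfaces whose PoE Oper state is 'on' (the PSE is delivering power)."""
    powered = set()
    for line in power_inline.splitlines():
        m = POE_ROW.match(line)
        if m and m.group("oper") == "on":
            powered.add(m.group("intf"))
    return powered


def link_status(int_status):
    """Map interface -> link status from 'show interface status'."""
    status = {}
    for line in int_status.splitlines():
        m = STATUS_ROW.match(line)
        if m:
            status[m.group("intf")] = m.group("status")
    return status


def powered_but_down(power_inline, int_status):
    """Ports delivering PoE whose link is notconnect: the symptom of a partially
    failed drop where only the power pairs still work, as described above."""
    status = link_status(int_status)
    return sorted(i for i in powered_interfaces(power_inline)
                  if status.get(i) == "notconnect")


if __name__ == "__main__":
    print(powered_but_down(SHOW_POWER_INLINE, SHOW_INT_STATUS))  # ['Gi1/0/2']
```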

12

show run | include HSRP|IPSec|DPD|Reverse-Route|Multi-Vendor

I could use some multi-vendor ipsec advice please.

Currently I have a single Cisco 4331 ISR acting as a VPN hub connecting 20 SonicWalls, 2 Sophos, and a connection to a classic Azure network. My goal is to create redundancy.

I'm investigating setting up HSRP on a secondary Cisco 4331 ISR to act as a backup. I'm using this as a guide (https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/17826-ipsec-feat.html).

This is how it will work:

Normal operation:

  • VPNs are established to the primary router because it has a better HSRP priority
  • Reverse-Route is enabled on the crypto maps
  • Route to the VPN is advertised downstream by EIGRP through the command "redistribute static"
  • Everyone is happy

Primary router interface failure:

  • HSRP fails over to the secondary router
  • VPNs are established on the secondary router
  • Reverse-route is no longer redistributed through EIGRP on the primary router because the VPN states are "DOWN" due to the interface being down
  • Everyone is happy

Primary router interface recovers:

  • HSRP moves back to primary router
  • VPNs move back to primary router
  • Reverse-route starts redistributing again on the primary router.
  • Everyone is NOT happy.

Why isn't everyone happy? The vpns on the secondary router still show "UP" so the reverse-routes are still redistributed on the secondary router.

The way Cisco solves this is by editing the Dead Peer Detection (DPD) timer with the command "crypto isakmp keepalive 10" (global setting). So the secondary router VPN states change to "DOWN" after 10 seconds.

My problem is that DPD isn't available on classic Azure VPNs and isn't editable on Sophos, so I can't enable DPD globally, and those VPNs won't change their state for a really long time.

Anyone have any suggestions what I should be looking at to fix this?

12
7 comments

What about just a basic static route with tracking on top of it instead of rri?

Original Poster · 2 points · 1 month ago · edited 1 month ago

I like the sound of that! So.... Something like this?:

Primary Router:

Add a route to the remote subnet with a track

ip route 10.40.96.0 255.255.255.0 Port-channel2 track 10

Configure a track/ip sla to ping the default route

track 10 ip sla 10
!
ip sla 10
 ! ping the default route
 icmp-echo x.x.x.1 source-interface po2
 timeout 15000
 frequency 15
!
ip sla schedule 10 life forever start-time now

Configure EIGRP to redistribute the static route and set the bandwidth metric (100000 kbps) so it appears faster than the secondary

router eigrp 1
 redistribute static route-map STATIC_TO_EIGRP metric 100000 0 255 1 1400

For fun, add a route-map/prefix-list to permit only the static routes you want to advertise

route-map STATIC_TO_EIGRP permit 10
 match ip address prefix-list STATIC_TO_EIGRP
route-map STATIC_TO_EIGRP deny 20
!
ip prefix-list STATIC_TO_EIGRP seq 150 permit 10.40.96.0/24

Secondary Router:

On the secondary router, use the exact same config except set the EIGRP bandwidth metric to 100 kbps so it appears slow

router eigrp 1
 redistribute static route-map STATIC_TO_EIGRP metric 100 0 255 1 1400

This way the route is always advertised by both routers but the primary router will always win because of a lower eigrp cost. The primary route will disappear when the track fails.
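To check the claim that the primary always wins, here is an added Python example (not the poster's configuration) that computes the classic EIGRP composite metric for the two redistributed statics as a downstream neighbor would see them, and picks the advertiser that survives when a track goes down. The downstream link values (1 Gbps, 10 µs delay) and the default K-values are assumptions.

```python
# Classic (32-bit) EIGRP composite metric for the failover design above.
# Example code, not the poster's config. Assumptions: default K-values
# (K1=K3=1, K2=K4=K5=0) and a downstream router that learns both routes over
# a 1 Gbps link (bandwidth 1,000,000 kbps, delay 10 us = 1 "tens of us").

UNREACHABLE_DELAY = 0xFFFFFFFF  # all-ones delay marks a route unreachable


def eigrp_metric(min_bw_kbps, delay_tens_us, k=(1, 0, 1, 0, 0),
                 reliability=255, load=1):
    """256 * [K1*BW + K2*BW/(256-load) + K3*delay] * [K5/(reliability+K4)],
    with BW = 10^7 / min_bw_kbps, all in integer arithmetic."""
    if delay_tens_us == UNREACHABLE_DELAY:
        return None
    k1, k2, k3, k4, k5 = k
    bw = 10_000_000 // min_bw_kbps
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay_tens_us
    if k5:  # the reliability term only applies when K5 is non-zero
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def downstream_metric(seed_bw_kbps, seed_delay_tens_us,
                      link_bw_kbps=1_000_000, link_delay_tens_us=1):
    """Metric a neighbor computes for a redistributed static: the seed values
    from 'redistribute static ... metric' combined with the interface the
    update arrives on (minimum bandwidth, summed delay)."""
    return eigrp_metric(min(seed_bw_kbps, link_bw_kbps),
                        seed_delay_tens_us + link_delay_tens_us)


# Seed metrics from the two routers' redistribute lines:
#   primary:   metric 100000 0 255 1 1400
#   secondary: metric 100    0 255 1 1400
SEEDS = {"primary": (100_000, 0), "secondary": (100, 0)}


def best_router(track_up):
    """Lowest-metric advertiser. A router whose track is down has withdrawn
    the static from its table, so it no longer advertises the route."""
    candidates = {name: downstream_metric(*seed)
                  for name, seed in SEEDS.items() if track_up[name]}
    if not candidates:
        return None
    return min(candidates, key=candidates.get)


if __name__ == "__main__":
    for name, seed in SEEDS.items():
        print(name, downstream_metric(*seed))
    print("both up:", best_router({"primary": True, "secondary": True}))
    print("primary down:", best_router({"primary": False, "secondary": True}))
```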

That's how we do it here, you can track the tunnel itself or a point on the other side. Just make sure you're good on the azure side of the tunnels as well to failover

Original Poster · 1 point · 1 month ago

Thanks!

I was trying to avoid creating 23 separate tracks (one for each VPN), but that might be the smarter way to go.

Tracking the vpn state won't work in a timely fashion because I can't implement DPD correctly.


31

Why did the Energizer Bunny go to jail?

because he was charged with battery

31
11 comments

Look, having nuclear — my uncle was a great professor and scientist and engineer, Dr. John Trump at MIT; good genes, very good genes, OK, very smart, the Wharton School of Finance, very good, very smart — you know, if you’re a conservative Republican, if I were a liberal, if, like, OK, if I ran as a liberal Democrat, they would say I’m one of the smartest people anywhere in the world — it’s true! — but when you’re a conservative Republican they try — oh, do they do a number — that’s why I always start off: Went to Wharton, was a good student, went there, went there, did this, built a fortune — you know I have to give my like credentials all the time, because we’re a little disadvantaged — but you look at the nuclear deal, the thing that really bothers me — it would have been so easy, and it’s not as important as these lives are — nuclear is powerful; my uncle explained that to me many, many years ago, the power and that was 35 years ago; he would explain the power of what’s going to happen and he was right, who would have thought? — but when you look at what’s going on with the four prisoners — now it used to be three, now it’s four — but when it was three and even now, I would have said it’s all in the messenger; fellas, and it is fellas because, you know, they don’t, they haven’t figured that the women are smarter right now than the men, so, you know, it’s gonna take them about another 150 years — but the Persians are great negotiators, the Iranians are great negotiators, so, and they, they just killed, they just killed us.


It’s challenging to read that out loud

128 points · 10 months ago

I'm extremely well-mannered when I'm drunk. I know I'm drunk, so I pay extra attention to my conduct to ensure I don't behave inappropriately. E.g. Coming across someone in a corridor - flatten self against the wall even though there's plenty of room for both of us and apologise profusely for being there. Hmm yea I guess that does seem suspicious.


Sometimes I'm just smiling to be polite or acknowledge you in a greeting (or to preemptively prevent some asshole from telling me I'd look prettier if I smiled); it's definitely not reaching my eyes. I always wondered how unsettling I actually come across.


This is what I think of every time someone tells me to smile http://theoatmeal.com/comics/unhappy

Original Poster · 1 point · 11 months ago

Apologies, when I edit it, it looks sequenced but as soon as I submit it, it gets garbled.


Add 4 spaces before each line and it'll look like

    this

VLAN 99 is not a thing. I made it a thing, because of the mismatched native VLANs on the switches.

SG - Native VLAN: 10
3850 - Native VLAN: 1

So that means that management IPs are on the Native VLANs, right? so in order to bypass the mismatch, I made the trunk's native VLAN 99, and tagged VLAN 10 coming from the SG....

but thinking about it... that won't work because the catalyst will see it as coming over as 10, and itself is talking mgmt on 1.

fuck.

So I have to change the Native VLAN on the switches... huh?


Get Lazy. Use access ports and two cables instead.

||||||                              ||||||
|3850|--<Access 01>----<Access 10>--|Star|
|    |--<Access 99>----<Access 99>--|Gate|
||||||                              ||||||

This is what I ended up doing... But there's another network that needed to be trunked. F those SGs


Okay, so 3 cables

Comment deleted · 12 months ago

Security through obscurity isn't security at all.

This is not a good solution for sharing between multiple homes but I've had good luck with these: https://cradlepoint.com/products/aer-1600

It works like a DSL wi-fi router but it uses VZW LTE instead.

Original Poster · 1 point · 1 year ago

Good to know -- thank you.


No problem. What I would do is get a Verizon Wireless unlimited data family plan and sign up for 5 lines. Then use a Cradlepoint AER for each one of the lines. That way each home has their own dedicated connection to Verizon's LTE but you still get the cost savings of a single account.

Full disclosure, I've never set up a Verizon family plan so there might be some elements I'm missing.

18

New Warehouse Network

My company just bought a warehouse and frankly, I'm out of my comfort zone. I've never designed a network for a warehouse from scratch before so I'm reaching out to you guys...

Here are the relevant factors:

  • 77,000sq. ft.
  • 35ft ceilings
  • 25ft tall inventory/storage racks
  • Inventory is mostly cardboard, plastic and cloth
  • About 7 users to start and expected to grow to 20 after a few years
  • Motorola RF scan guns will use the Wi-Fi. They just access an HTTPS application so speed isn't important.
  • We're a Cisco shop
  • 100Mbps fiber internet
  • Phones will be Skype for Business
  • I think we'll only need one or two IDF cabinets for switches

We're going to be working closely with an electrician to design and implement the cross connects, data drops, MDFs and IDFs. These are the guidelines I'm going to give them:

  • CAT6E for all copper drops (I heard recently that CAT6E is the new normal vs. CAT5E, is that true?) edit: CAT6A
  • Two single-mode fibers run from each IDF back to the MDF on a fiber patch panel with LC connectors
  • In the MDF, a 4-post rack with vertical cable management on the front posts and two PDUs run to redundant electrical circuits on the back posts

For the wireless, I'm going to provide a CAD drawing of the building floor plan to my VAR and have them do a predictive site survey. The survey will outline where we should place 2702e Cisco WAPs. I will then provide the survey to the electricians to run the drops and mount the APs. If the users have problems with the Wi-Fi after the inventory is moved in I'll order an active site survey to reposition the antennas.

Switching and Routing Equipment:

  • 4331 ISR
  • 3650 PoE+ | 8 SFP+ ports| switch running LAN base for the MDF with redundant power supplies (I'm choosing the 3650 so in the future we can upgrade to IP base L3 switch if it's needed)
  • 2960-x PoE+ | 2 SFP+ | switches for the IDFs
  • 2702e Cisco WAPs edit:The site survey will determine omni vs. directional(patch)
  • I'd like to use 10Gbps SFPs but I have no idea how to select them, it depends on the type of single mode fiber they install, right? I was looking through this thing but now I have more questions than answers

What do y'all think? Is anything I listed here stupid or against best practice? Any other relevant advice?

18
43 comments
2 points · 1 year ago

"3650 PoE+ | 8 SFP+ ports| switch running LAN base for the MDF with redundant power supplies (I'm choosing the 3650 so in the future we can upgrade to IP base L3 switch if it's needed)"

Why not get the 3850 to act as your Layer 3 switch? It's more robust in feature set than a 3650, they have replaceable PS and uplink modules... I also think they have the Cisco AP controller built into the switch ASICs; it would be a solid L3 switch for minimizing traffic to your router.

What about a firewall? Cisco ASA? IPSEC / VPN / IPS / wccp / NAC is much easier than trying to wrestle those beasts with an ISR4331

Original Poster · 1 point · 1 year ago

That's a good argument for a 3850 but with only 7-20 users I'm not going to worry about utilizing any L3 features until there is a good reason. The 3650 has swappable power supplies. The 4331 will be running DMVPN back to our data centers where we have redundant 5508 WLC(s).

For the firewall, we're going with the PA220. That wasn't my decision but I think it's a good one.

3 points · 1 year ago

9090,9091 and those garbage wrist scanners

Original Poster · 2 points · 1 year ago

I don't remember the version we are using right now but I think we are running a newer model. In fact, I think they are Zebra branded now... Of course that doesn't mean they are any better than the old ones.


Actually cisco has a ssh client you can download called...CLI Analyzer that does some parsing for you and connects you to various tools.


I'll second this.

I was pleasantly surprised how much I like the tool. It's set up in a way similar to SecureCRT and has all the features I look for in a terminal emulator, with the added benefit of some Cisco tools such as checking a Nexus, IOS, or ASA's "diagnostics" and uploading the results to TAC.

The diagnostics aren't perfect but have improved drastically now that it's on version 3. I hope they keep developing it.

4

QoS for MPLS | Cisco 4331 IOS-XE

I'm new to QoS and could use some help with setting it up on a Cisco 4331 that has a 12Mbps mpls(L3vpn) connection.

Here are my goals:

  • Limit traffic out the circuit to the speed of the remote circuit. The other circuits are 1.5Mbps, 2Mbps and 3Mbps

  • Give priority to Voice and Citrix traffic

  • Limit BW consuming applications. I would like to call out SCCM especially because it is causing problems.

Here is a map of the simplified overview of the topology: http://i.imgur.com/d8AVCpU.png

Here is my configuration so far:

!ACL to define remote subnets
!
ip access-list extended SHAPE_1.5Mb
 remark subnet_of_1.5Mbps_site
 permit ip any 192.168.15.0 0.0.0.255
!
ip access-list extended SHAPE_2Mb
 remark subnet_of_2Mbps_site
 permit ip any 192.168.20.0 0.0.0.255
!
ip access-list extended SHAPE_3Mb
 remark subnet_of_3Mbps_site
 permit ip any 192.168.30.0 0.0.0.255
!
!Defining class maps and matching them to the ACLs
!
class-map match-any SHAPE_1.5Mb
 match access-group name SHAPE_1.5Mb

class-map match-any SHAPE_2Mb
 match access-group name SHAPE_2Mb
!
class-map match-any SHAPE_3Mb
 match access-group name SHAPE_3Mb
!
!
!
policy-map MPLS_SHAPE 
 class SHAPE_1.5Mb
  shape average 1425000
   service-policy QoS_POLICY
 class SHAPE_2Mb
  shape average 1900000
   service-policy QoS_POLICY
 class SHAPE_3Mb
  shape average 2850000
   service-policy QoS_POLICY
!
!
!
interface Gi0/0/1
  description MPLS Provider
  service-policy output MPLS_SHAPE
!
!

~~class-map VOIP
 match protocol rtp
 match protocol sip
class-map CITRIX
 match protocol citrix
class-map SCCM
 match access-group name SCCM_SERVERS
!
ip access-list standard SCCM_SERVERS
 permit 10.50.50.10
!
policy-map QoS_POLICY
 class VOIP
  priority percent 30
 class CITRIX
  priority percent 20
 class SCCM
  bandwidth percent 10
 class class-default
  fair-queue~~

By the way, I flat out stole most of the config from user/routetehpacketz's comment

Will my config work? What am I missing here?

Edit: I pasted the wrong class maps; here is the updated config:

class-map match-any VOIP
 match ip precedence 5
 match ip dscp ef
 match protocol rtp
! match-any: a packet cannot carry both CS3 and AF31, so the default
! match-all would never match this class
class-map match-any SIGNALING
 match ip precedence 3
 match ip dscp cs3
 match ip dscp af31
class-map CITRIX
 match protocol citrix
class-map SCCM
 match access-group name SCCM_SERVERS
!
ip access-list standard SCCM_SERVERS
 permit 10.50.50.10
!
policy-map QoS_POLICY
 class VOIP
  priority percent 30
 class SIGNALING
  bandwidth percent 10
 class CITRIX
  bandwidth percent 20
 class SCCM
  bandwidth percent 10
 class class-default
  fair-queue
4
7 comments

I don't think you want citrix in the priority queue, you will starve out other queues during periods of congestion. Plus citrix is TCP based by default so it can recover and maintain itself pretty well. Just give it a higher bandwidth percent. Leave voice in the priority queue because it will shit its pants if you sneeze.

Original Poster · 1 point · 1 year ago

We certainly don't want voice doing that, thanks!

I totally misunderstood the difference between the "Priority" and "Bandwidth" variables.

3 points · 1 year ago

Don't put SIP or Citrix in the priority queue. Also, I'm not a massive fan of NBAR. Mark your traffic with appropriate DSCP at the access port and use that. This way, when you switch to a different vendor/type of edge device, you won't have to do shit tons of work.

Priority queues tail-drop when they exceed the bandwidth percentage specified. You want bandwidth queuing for things that don't need real time.

Original Poster · 1 point · 1 year ago

Great thanks, I guess I totally misunderstood the difference between "Priority" and "Bandwidth". This article cleared it up for me.

I edited my post to include the updated class-maps

Looks like it can only fit 2 monitors at most. Need something to support at least 6 + tv.


This should work for you: http://a.co/jiels7X

Well, yeah. My place does open seating and I need enough to form my own wall.


That is a very good reason.

How many users do you have using the pool?

Why do you require multiple IPs for outbound traffic?

What type of device are you using for your router/firewall?

Original Poster · 4 points · 1 year ago

Ahh... That makes more sense.

I have this Touch P5. I haven't looked into it yet but I will try tonight!


Here is the user guide for your router: http://static.tp-link.com/res/down/doc/Archer_C9_V2_UG.pdf

The section you want is 8.1, Prioritize Internet Traffic with QoS.

What are you trying to prevent? Are you worried about users slowing/saturating the internet connection or are you worried about exceeding a data limit?

Edit: Either way you're fucked with the Touch P5... You can limit users so they don't saturate the link, but you have to define that every time a new device joins your network... That's going to be a pain in the ass.

You can't implement data caps on users so they don't use too much data.

u/TriforceTeching
Karma
890
Cake day
April 6, 2016