whoaciscolive doc on segment routing http://d2zmdbbm9feqrf.cloudfront.net/2015/usa/pdf/BRKRST-2124.pdf
optmnathani_: run servers at home for that
Alagaris possible to findout switch or firewall performance using jPerf iPerf ?
saqsure, why wouldnt you be able to?
Alagarsaq: thx, could you please explain
newtmewtxous: i just saw you apaprently talking shit about me like 15 days ago :P
omgwtfyou check your logs ? lol
newtmewtit was in my main thingy saying he tagged me
newtmewton weechat
omgwtfETA 2h30, then I'm off for 2 weeks
omgwtfwoo
omgwtfstill thinking if I should apply to that AWS job
omgwtfit's still operations though
zs10szhello, Cisco 550X
zs10szCan the case be used as a network of heart ?
omgwtfnetwork of heart?
omgwtfwtf
omgwtfhow many coffees did I had?
zs10szhaha
zs10szonly 2
zs10szcore network
Thaylihow popular is it to hate Cisco these days, btw?
omgwtfjoin the hate wagon
ThayliACTION lets the hate flow through him
omgwtfwhy would anyone hate Cisco?
omgwtfthey're the best thing since french toast
Thayliwell, not so much hate, but in many divisions of IT, open standards and non-proprietary protocols and languages are gaining popularity over their proprietary counterparts
ThayliI was wondering if this was happening in networking to, to Cisco specifically
ThayliI know EIGRP is losing popularity to OSPF according to many, for example
omgwtfwell, EIGRP is now open heh
Thaylicompletely?
lowbyteOpenStandards are what the IETF and MEF are about, now days standardised implementations are used in favour of non standard
Thayliafaik EIGRP was never completely open
lowbytein the case of cisco you will find some old cisco proprietary things have gone eg ISL, TDP
lowbytehttp://packetpushers.net/why-is-cisco-bothering-with-open-eigrp/
lowbyte"Which really leads to number three. The best features are tightly controlled. Thats not really open source, now is it? I expected it to be rather open, but there are caveats."
Thayliyeah that's what I meant, EIGRP is "open", but not really
ThayliI come from a programming background, and to me choosing any procotol, similar to a language, that induces vendor lockin, is just a huge red flag
ThayliI assume that same train of thought happens in the corporate world
whoathayli as you gain more experience in the field you will notice that ospf/isis are becoming the main IGP's in the industry
whoacisco is dominant in the market for many sectors
whoausually a technology is created
whoathen it is standardized
whoacisco's name is on alot of rfc's as a result of this type of thing
ThayliI like this trend of moving towards non-proprietary, at least
whoaalmost every tech nowadays has an open analog
whoableeding edge stuff may take a little bit of time, but usually theres a standard not too far behind
Thaylithey're not always equal in quality and support, though
Thaylisadly
whoabgp , mpls , ospf are all standard technologies and run many of the networks
whoastandards are not equal in quality in support?
Thayliopen versions of [insert proprietary tech here]
Thayliaren't always equal to their proprietary counterparts
Thayliopengl vs directx springs to mind
Thaylilike you said, they usually lag behind a bit
whoai see
whoawell
whoaas far as network tech, ospf bgp are pretty old now
ThayliI know OSPF fairly well, but I have zero experience whatsoever with BGP
whoabut still innovating at least to add extensions and stuf
whoabgp is good to know
Thaylithere doesn't seem to be any new routing protocol on the horizon
whoai still need to understand it better myself
whoathere are many
whoasegment routing is one
whoavxlan is relatively new
ThayliI should really find some news references on this, I see :P
whoabut i understand where you are coming from
whoai was reading a slide deck yesterday where they mentioned that there was alot of potential for innovation in the networking space
Thaylialso, correct me if I'm wrong, but the way I see it is that OSPF and IS-IS are pretty much entirely interchangeable, but are chosen based on existing infrastructure and comfort levels?
ThayliCCNA R&S teaches OSPF but doesn't touch IS-IS anymore, sadly
whoai cant say they are interchangeable, but then again i dont know much about isis
whoai know google uses it
whoai think some folks in europe may leverage it as well
ThayliI know there are some relatively minor technical differences, but one can do what the other can, heard IS-IS is favored by ISPs
whoayah how decisions are made
whoais often hairy
whoanetwork engineering has politics too
Thayliyeah... I've grown to understand that :|
Thaylieither way, should probably just get that CCNA R&S cert
whoaif you are in the US
whoaits not a bad beginning point
ThayliEU, thing is that my uni teaches me the entire course material
whoaif you look at market share and usage cisco still has a healthy chunk of the market
Thaylibut doesn't bother getting us the cert itself
whoaif the idea is to get a job
whoayour odds arent bad
Thayliso figured I might as well do the exam
whoatheres noething stopping you from learning for instance juniper as well
Thayliand despite being very Cisco centered, I feel it does teach you a lot of general knowledge
whoathe idea is that you just need to understand stp, ospf, ip , layer 2 and 3 concepts
whoathose are pretty universal
Thayliyeah
whoaif you learn some cisco stuff extra
Thayliit's not a loss, in any case
whoathat will just be a "rounding error" you can work on balancing out later
whoalook at the juniper certs
whoaand find out what concepts overlap
whoaand you can have something that is neutral
whoai gotta head to work!
whoa7 am shift starts
Thayliewww, work! :D
whoayarr
whoaomgwtf you should go interview man!
whoano harm it trying to see what the folks are like !
whoa*in
whoaadios
zadrot_ebaniyif there are multiple entries in crypto map acl, what proxy identity will be used?
metheo_irchi guys
metheo_ircanyne using high density optical patchpanels ?
metheo_irclike PEACOC(tm) ?
voipsiemens
zapotahbosch
jaelaeencountering an issue setting up some 2k fex ports. I am using fex ports as my management port for my Fabric Interconnects. Pretty simple setup actually so I am not sure why this isn't working. I hookup a 2k fex to a pair of Nexus 5k switches as FEX101. Then the first port is eth101/1/1 - so for a FI management port I set it as a switchport access vlan (with
jaelaethe vlan ID of that subnet) and speed 1000
jaelaeon both 5k's. i think thats really all that you have to do
tyorkWhat issue are you encountering?
jaelaeEthernet101/1/2 is down (inactive)
jaelae:)
tyorklayer 1 issue. Is it a multi-homed fex?
jaelaeyup
tyorkConfig matches on both 5ks?
jaelaedefinitely. i run a show fex on both 5k's and I see the same Fex serial come up and it shows online
jaelaeports are configured the same on both 5k's for those fex ports
tyorkI mean e101/1/2 config
neuro^anything in the log?
tyorkah
tyorkHmm
jaelaenothing is showing up as an issue on the nexus side. so I am thinking perhaps this is on the fabricinterconnect itself but i don't see what would have to be set
jaelaehmm unless it requires me to have the VLAN listed on the FI management port
jaelaebut i normally dont have to with switchport mode access
bschipneed help sizing an ASA.. current bandwidth is 400Mbps (200 used to wireless and 200 used for wired). They would like to have Firepower with all services.
bschipFuture plans for bandwidth growth would be up to a 1Gbps.
tyorkjaelae: I'd suggest more layer 1 troubleshooting. Test the cable, test a different device, test a different port
tyorkTest a non-FEX port
jaelaeyea i had it on a catalyst switch directly and it was working
jaelaeso i moved that same cable over to the fex port - i am trying to decom the catalyst
jaelaethen i swapped the cable
bschipCisco partner trying to sell them the new Cisco 4100 FirePower Threat Defense appl
jaelaelet me try the other FI though
bschipThoughts? Does this seems like the best model?
bschipI was thinking the ASA5555-X might be enough horse power for them..
SuperNullnemith: you have said in the past you guys have the ability to more or less blackhole an ip from the world ... right?
poopshi guys. simple question. have this in conf: vlan 10,3000-3500,3700-4094 how do I edit to vlan 10,3000-3800 without doing no vlan 10,3000-3500,3700-4094 first ?
Golleevlan add 3701-1800?
Gollee3800*
poopswill it remove the 3700-4094 range?
poopsproblem is there is a limit of 1005 vlans total
poops(cisco 3750)
Golleedid you notice the "add" keyword in there?
poopsi cannot add, since it will be more than 1005 total
poopsneed to remove first
poopsis there a remve keyword?
tyorkYes
poopsi cant find reference for it online. can u point me to it?
tyorkyou just literally use the word remove instead of add
slackerpoops, are you talking about adding and removing VLANs from a trunk? 'switchport trunk allowed vlan add vlan 1,2,3,4' 'swichport trunk allowed vlan remove 5,6,7,8'
poopsits not from a specific port
poopsits in the root conf
tyorkThen you can just no vlan 1234
slackerso you want to add/remove VLANs globally? Only option is 'vlan 10' 'no vlan 10'
poopsi cant remove all the vlans as some are being used
poopsneed to remove from global only a small range
poopsso turn vlan 10,3000-3500,3700-4094 into vlan 10,3000-3800
slacker'no vlan 1-5'
tyorkAll of the time wasted, you probably could have written a little bash one liner to spit out all of the needed remove lines and just copy/paste it in :P
poopsso running no vlan 3700-4094 will turn it to vlan 10,3000-3500 ?
slackeryes
poops! thanks
darkelitehttps://pbs.twimg.com/media/Cbk_N6zUAAAT_Pa.jpg:large
metheo_irchi
genecsrg_: thanks again.
metheo_irchow it is possible to isolate AC and PW from each other in a bridge-domain on IOS-XR ?
metheo_ircI need a bridge domain that has PW with incoming traffic that is replicated (bcasted) to AC (EFP on physical port) and another PW (both int the same BDomain with the ingress PW)
metheo_ircVFI that has default split-horizon enabled allows only PWs in it
pffs"The tunnel is up and I'm sending you traffic!"
pffswhich is why I have 3 total decaps over a weeks time
pffsthat's a good indicator that everything is working
bmoraca_workwell, 3 decaps is better than 0 decaps
pffsthey're in theory sending netflow across this tunnel
bmoraca_workahh
pffswhich I'd imagine should result in more than 3 packets over the course of a week
pffsin theory
bmoraca_worki'd agree with that
kaleidomaybe theyre doing 5 hour sampling instead of 5 minute :D
kaleidoor 5 day?
oistersanity check, area <area> range only works between 2 areas on an ABR ?
oisterdoing area 0 range whatever on an ABR wont fuck with the rest of the routers on area 0
bmoraca_workoister: that's correct
bmoraca_workarea 0 range whatever will only affect that routers advertisements from area 0 to other areas
oistersweet thx
sudormrfanyone have a bead on when Cisco may release an 881 with GigE + AC wifi?
sudormrfreally want to buy one
sudormrfthe current 881s are in dire need of a refresh. the meraki mx64w is exactly what I want, save for Meraki's horrible licensing
kaleidoand save for meraki being the worst thing ever
Golleeisn't the 890 series the current one?
kmcelroy1pretty sure malaria is worse than meraki
kmcelroy1also herpes
kaleidokmcelroy1: thats arguable. you ever had meraki?
kmcelroy1yes, i have one at home, ha
kmcelroy1it has some dumb issues, but it isn't herpes bad
pffsyeah, the 881 was already refreshed as the 891, so that's kind of a dumb request
metheo_ircguys
metheo_ircneed to drop all incoming traffic on a sub-interface (802.1q) with pw/xconnect configured
metheo_ircip acl does not work
metheo_irc7600 box
bmoraca_work891s are great
Golleemetheo_irc: tried shutdown?
metheo_ircGolle, troll elsewhere, man ;)
Golleehm, maybe you can't shutdown subinterfaces.
pffsyou can
Golleewell then! problem solved :D
metheo_ircthe sub is used to pass egress spanned traffic
metheo_ircno ingress is expected
pffsif it's spanned it should ignore ingress anyway
pffshttp://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus1000/sw/4_0/security/configuration/guide/n1000v_security/security_9mac_acls.html
pffsmake a mac acl!
bmoraca_workmacl vacl dacl
bmoraca_workspacl
sudormrfkaleido, lel
pffsloool spacl
metheo_ircpffs its not a span interface actually. its normal sub with pw with spanned traffic that comes through it
sudormrfGollee, the 890 series still doesn't tick the boxkes
sudormrfboxes, even
sudormrfGollee, and it isn't the "current" version: http://www.cisco.com/c/en/us/products/routers/800-series-routers/index.html
pffsmake a macl
sudormrfthere are various devices in the 800 series lineup
syadminhey guys... I would need to set this up with some cisco gears: http://www.pica8.com/document/v2.3/html/picos-routing-and-switching-configuration-guide/images/download/attachments/557579/1111.jpg
sudormrfthe 890 series is for a specific type of environment
syadminany good walkthrough to make sure I dont screw it up?
sudormrfsyadmin, google?
metheo_ircpffs, are you in mind ? the doc is for nexus. I wrote about 76xx. You better ask me abt linecards ;))
sneysyadmin: lab it in packet tracer first?
bmoraca_worksudormrf: an 881 and an 891 are the same box, except that the 891 is the newer version. the 89x supercedes the 88x series.
syadminsudormrf: I am trying but I only find about straight etherchannel
sudormrf...
syadminnot cross switch
oisterbmoraca_work: im setting up an nssa area that has a default going another path out of the area.
pffsshould work on IOS too
oisteron the ospf side i want to summarize basically all RFC1918 out the ospf abr router
pffsI think it's even the same syntax
sudormrfbmoraca_work, that is incorrect
sudormrfbmoraca_work, the 881 has 4 ethernet ports, the 891 has 8. just one example of the differences
oisterbut my nssa area is getting a bunch of /32 type 7 routes showing up in the table
squiboister, the abr is advertising the default?
squibthat would make it an asbr
bmoraca_worksudormrf: ..... are you fucking serious? jesus christ.
bmoraca_worksudormrf: like i said. 89x upgrades 88x.
oistersquib: default is giong out another path
sudormrfbmoraca_work, yes. I am. and either way, the 891 doesn't have gigE
oisternot in ospf
sudormrfnor does it have AC wifi
sudormrfper this: http://www.cisco.com/c/en/us/support/routers/891w-integrated-services-router-isr/model.html
sudormrfso the only "upgrade" is more ports.
bmoraca_worksudormrf: yes it does. the 891 was refreshed. modern ones have gige and PoE
pffsyeah, works just fine on ios
oisteri just want to summarize all RFC1918 into the area from ospf
bmoraca_work891f
sudormrfbmoraca_work, checking
squiboister, all you have to know about summaries in ospf is that there is a difference between external summaries and intra area summaries. they are two different commands
oisterrange and summary-address ?
bmoraca_workand, no, it doesn't have AC, but the wireless APs in the 8xx series routers were absolute garbage
metheo_ircpffs, i know it works just fine on ios. feel difference between the boxes
squibwell that's not true, path selection behaves differently. but configuration wise that's the only difference
bmoraca_workbuy a $90 UniFi
squiboister, yes
sudormrfbmoraca_work, had one, returned it. and the Unifi's are not $90. they are $190.
metheo_ircand actually it does not work on particular ios on particular box
sudormrf866.7mbps AC is not what I am after.
SuperNullbmoraca_work: we use ruckus here pretty balls deep.. everything from outlet aps to outdoor APs
SuperNullwe ran all of Ultra Music Fest with 42 Ruckus APs
sudormrfhad a whole unifi setup
sudormrfreturned the whole thing. the USG wasn't performing well
bmoraca_worksudormrf: you're never going to get that in the real world. stop trying. also, you're never going to get that from an integrated AP from any vendor at any cost.
SuperNullsudormrf: ruckus
sudormrfbmoraca_work, sure thing, bub.
SuperNullsudormrf: most i have seen on wifi was less than you bro
pffsmetheo_irc: http://www.cisco.com/c/en/us/td/docs/routers/7600/ios/15S/configuration/guide/7600_15_0s_book/qos.html#36764
sudormrfexcept you have no clue about my use case. but thank you for the info about the 891fw
bmoraca_worksudormrf: fine, be a moron and ignore 20 years worth of enterprise best practices.
sudormrfSuperNull, hahah
sudormrf:D
sudormrfbest practices have nothing to do with wifi speeds
SuperNulluhh
SuperNullsure.
SuperNullthey do
bmoraca_worksudormrf: btw, unifi works great if you know what you're doing (the wireless, would never use or recommend anything else in the product line)
sudormrfbut keep waving your "experience" around like a floppy horse cock
SuperNullits not like bmoraca_work and i did wireless for YEARS
squibsudormrf, yes they do. there are plenty of best practices related to wifi performance
sudormrfSuperNull, I know you did :P
bmoraca_worklol
SuperNullor i started a complete WISP from scratch
sudormrfbmoraca_work, the wifi wasn't the issue with the unifi.
sudormrfit was the other components
SuperNullbmoraca_work: the unifi is great in clean environments
bmoraca_worksudormrf: that's my fucking point.
pffsbmoraca_work: I like their ERL
SuperNullif its dirty u fucked
sudormrfthe UAC-AP-PRO was cool
sudormrfer
sudormrfUAP
SuperNullsudormrf: unifi doesnt provide a lot of intelligence to traffic or anything
pffsI have the first gen UAP-AC
SuperNullwith ruckus zone director i can see what everyone is doing .. like netflow
pffswant to replace it with the UAP-AC-PRO at some point
sudormrfSuperNull, that is awesome
SuperNulli was watching my bosses brother post snapchats
bmoraca_workSuperNull: Ruckus is like the Playskool of enterprise wifi, dawg
SuperNullplus the integrated speed testing TO the ap
sudormrfpffs, the UAP-AC-PRO was good stuff. the USG...well, it sort of fell on its face
SuperNullbmoraca_work: eh. we use it mostly for beyond enterprise
squibhey! don't make me turn this car around!
sudormrfsquib, do it
sudormrfLD
SuperNullbmoraca_work: i was working with a past employee of here at ultra and he said he likes the aruba stuff but ruckus is not much different
bmoraca_workSuperNull: you top dawg big dawg partners?
pffsyeah I don't think I'd bother getting a USG
pffsERL and the UAPs
SuperNullbmoraca_work: yeah we get over 50% off i know that
SuperNullwe probably deploy a few thousand APs yearly
snacky
sudormrfpffs, it was an experiment. bought the USG, the unifi switch and the UAP. the system worked well together (the management VLAN was frustrating, though), but the throughput on the USG was trash
bmoraca_workruckus is so funny. what's most hilarious about them, though, is their ability to sell non technical decision makers. which is weird, because their product is clunky and ugly. last place i was at barely understood what vlans were when i started and i was unable to convince them that there are better alternatives to ruckus in most of the environments we worked
squibbmoraca_work, so aruba then?
bmoraca_workSuperNull: they were selling ZD1100s to places that only needed 3 APs. i'm like...dude, $10k on wireless and $200 on switches (SG300s)...your priorities are way fucked up
bmoraca_worksquib: unifi for most of their customers. and i'd have liked to see Cisco in the larger ones, but lost that fight.
bmoraca_workin the end, ruckus was "too easy"
squibI haven't liked my experiences with Cisco wifi
sudormrfsince I returned all that stuff I am rethinking the whole setup. probably just roll all cisco. was hoping to do it with an 881 (or 891 as bmoraca_work pointed out), but will probably do something overly complex like 5506-X + Cisco WAP + some cisco switch
sudormrfsqui
sudormrfsquib, what haven't you liked?
b1ackdeath_afkdo cisco 4948 and cisco 2960 use the same serial pin-out?
squibsudormrf, the interfaces were ass
sudormrfsquib, autonomous mode or from a WLC?
squibsudormrf, when I first rolling multi ssid/vlan, I was reading cisco.com documentation that was flat out wrong
bmoraca_worksudormrf: 891 is much more flexible than 5506, but it depeends. do you need firepower? if not, 891 with DMVPN is seriously better than IPSec site-to-site tunnels
squibsudormrf, admittedly it was autonomous
snackybmoraca_work: what product do you like more than ruckus?
squibbut I don't like most of cisco's central management software and figure I probably wouldn't like their central wifi management
squibI barely like ucs manager
sudormrfbmoraca_work, I don't really need firepower and I know the 5506-x has quite a few issues. the 891f (no W) + UAP with PoE could work. it depends on the switch I put in place.
sudormrfbmoraca_work, I would like to have some of the IDS functionality, but I believe the advsec license for the 891 would offer that
bmoraca_worksnacky: in SMB, unifi is hard to beat. for enterprise...i like Cisco, but don't really care... i'm just pointing out that Ruckus is not a very technically advanced wifi system
sudormrfunifi pricing is right
sudormrf:D
bmoraca_worksudormrf: not really. 891 does stateful packet inspection. doesn't do any IPS/IDS or anything like that. if you're using a separate switch, you could look at ISR 4ks, but they don't either. 5506s are stable in my experience. firepower is not overly stable, however.
drkat_We have 5515X and working on doing firepower
bmoraca_workif you don't care too much about having super-granular control over the wireless network, Meraki can work well, too
sudormrfbmoraca_work, I think the issue with the 5506-X is that the interfaces are all L3, which could present some challenges. Did they remove the ability to do basic IDS from the 89x? I could swear I read somewhere that the previous models had a basic IDS with the right license. could be mixing it up with something else
sudormrfbmoraca_work, this is for a home office setup which is the reason for targeting the 8xx series
bmoraca_worksudormrf: they used to ahve Content Filtering for the 891, but you can't really buy it anymore. it never had any IDS/IPS stuff in it. it doesn't have enough CPU for that. the switch works well, though, and it has the ability to have 4 ports of PoE.
bmoraca_workif it's for home office, though, you could look at something like OfficeConnect
bmoraca_workif it needs to scale
bmoraca_workif it's a one-off, then whatever
SuperNullwe have this new 'wifi project manager' she walks like 4 inches per step
bmoraca_worksorry, OfficeExtend
squibdoes ruckus do radius assigned vlan
squibunifi does not currently
SuperNullbmoraca_work: so who you liking wifi ?
SuperNullsquib: i believe they are using it here
SuperNulldynamic vlan assignment
snackySuperNull: that could either be due to a back problem, or... medication
bmoraca_worksquib: ruckus can, yes
squibbmoraca_work, see that automatically makes it better than unifi. for me. right now. :)
squibI used to have a boner for unifi but it doesn't do it for me anymore
sudormrfbmoraca_work, interesting. the IDS/IPS is a nice to have, not a requirement.
sudormrfsquib, that is how it starts. pretty soon you will be doing coke out of a hookers butthole
squibsudormrf, did that for my bachelor party
sudormrfLOLOLOLOLOL
squiband no regrets whatsoever
bmoraca_worksquib: it's all about requirements. very, very, very few SMBs need dynamic ACLs or have any interest in 802.1x
SuperNullunifi is good if you just want simple wifi for people to use
squibbmoraca_work, here we start getting into fuzzy grey definitions though. we're a small company. smb in size. but we manage 6 billion in financials and security is taken seriously here
SuperNullbeyond that it starts getting shit
bmoraca_worksquib: in fact, every SMB i've enabled 802.1x on has requested it be turned off because it's too hard for them to figure out and they don't have the infrastructure to facilitate a cert-based deployment
squibdoes that make us... smb or enterprise?
bmoraca_worksquib: sme :D
SuperNullsquib: if security is an issue ..
squibheh
bmoraca_worksquib: there's always exceptions. i tried to deploy it for a $150m/yr business and they had me turn it off because it was too annoying.
SuperNull802.1x sounds good in theory
SuperNullthen users get in the way
bmoraca_worki wouldn't necissarily consider $150m/yr SMB either, but the way they act...uhg
sudormrfSuperNull, that is how things usually work out :D
SuperNullyep
SuperNullwell there are no doubts security is possible .. just not easy always
SuperNullremember back in the 90s with PGP and you had to move the mouse around to generate a 'unique' key good times.
SuperNulli bet a bunch of retards were like 'move mouse what?'
bmoraca_worksquib: the last place i worked wanted a guest network and for our internal network to be 802.1x...when i did that, all of the managers couldn't be assed to sign in every time, so they'd just join the guest network...then they'd bitch about not being able to connect to exchange. so i had to just open the guest network up and allow it to talk to internal production. and we were a fucking technology company.
sudormrfSuperNull, ahahahaha
sudormrfbmoraca_work, C891F-K9?
sudormrfthat the right model?
sudormrfor is that the old one?
bmoraca_worksudormrf: that should have gig, yes
SuperNullhonestly i miss the late 90s early 2000s
SuperNullpeople knew more
sudormrfbmoraca_work, thanks
SuperNullif you were using a computer heavily in the 90s .. you typically knew how to use it
squibdid a hardcore leg workout with a trainer this morning
squibnow it's lke Ministry of Silly Walks up in here
SuperNullmmm
squibbmoraca_work, that's awful. sorry dude.
SuperNulland before that it was ministry of silly wanks
bmoraca_worksquib: did i tell you i got an offer on Friday?
squibbmoraca_work, network commander made me do something similar at a building we share with Zephr in NYC
squibbmoraca_work, no. for CERN Lite?
bmoraca_workyes
squiband?
bmoraca_work41% salary increase over what i make now
squibwow! so you're gonna take it?
bmoraca_workat that, i don't think its an option to not take it, lol
squibcongrats!
squibso what will you be doing there for the most part
bmoraca_worksr. network engineer
bmoraca_workso, bit of this and a bit of that
squibah
bmoraca_workbut
sudormrfnice one
bmoraca_workthey did explicitly say that i won't be doing windows or vmware or anything like that
bmoraca_workwhich i'm a bit sad
bmoraca_workbut w/e
bmoraca_worksad about vmware, not windows
squibno cross training?
bmoraca_workwell, it's compartmentalized
squibah
squibget into automation tech
bmoraca_worki'm on the network team. network!
squibthat's what I'm trying to learn now
bmoraca_worki have a feeling i'll have more time to work on stuff like that
squibI really want to improve my programming abilities a lot the next two years
bmoraca_workbut i want to bone up on my linux and move over to the supercomputing lab! lol
SuperNullbmoraca_work: i was hired as a GPON engineer
bmoraca_workthey're actually hiring a systems architect for the supercomputing lab
SuperNulli have a full blown VMware server here with my shit on it
sudormrfbeen kicking around the idea of redoing my whole home setup and installing ESXi into a box with a bunch of drives in it to do all my stuff
sudormrfneeds to be a quiet box
squibbmoraca_work, have you given notice yet?
sudormrfapparently you can do what I am thinking of with SAS
bmoraca_worksquib: no. both my boss and the HR person are on 2 week vacations, lol
sudormrfbmoraca_work, sounds like perfect time to put in notice
sudormrfthey will come back, you will be gone
sudormrfahaha
squib"hey bro. how was your vacation? nice, niiice. hey so I'm leaving. next week."
sudormrfmaybe they won't fix the glitch?
sudormrf:D
bmoraca_worklol
bmoraca_worksquib: i actually kind of want to stick it out through the majority of this EVPN project, though. and i have no idea how long it'll take LLNL to onboard me. shoot, it took 6 months to get me an offer
metheo_ircpffs, tnx for the last doc
metheo_ircthere is info for Router(config-if)# mac packet-classify
metheo_ircbut a bit confused of no info how to attach mac ACL to a sub
SuperNullafter this place im not sure what to do but i want to work my self into the programming side some what
sudormrfbmoraca_work, well, we just closed one of our offices so I am hoping to get my hands on the 3750 they had there :D
sudormrfand take that home :D
bmoraca_workSuperNull: i started out as a programmer before networking, but i was never really that good at it, lol
bmoraca_worktoo slow
topsideARIN’s RR sucks so bad :\
squibfuck you experian
squibfico: 799
squib799. really? fuck you
twkm*snore*
bmoraca_worklol
sudormrfsquib, I thought you were saying fuck you experian because of the t-mobile/experian hack, and then experian offering free credit monitoring. the irony.
squibexperian is actually like \_(?)_/ 799 \_(?)_/
bmoraca_worksquib be like (╯°□°)╯ ┻━┻
squibare you utf-8
squibbecause that was total goodlegook
bmoraca_worklol
bmoraca_worki'm hexchat defaults
squibI"m using the same damned client!
bmoraca_workconsolas 10 is the font
bmoraca_workit works fine
bmoraca_workhere, let me pastebin it
bmoraca_workhttp://pastebin.com/89jzp0pY
pffslol goodlegook
dogbert2hhehehe
sudormrfchrist. captive portal needs to die. going to kill it this week.
dogbert2kill it!
avgn5I was looking through our router config 'show run' (cisco 881 / IOS) and noticed that under 'line vty 0' was 'privilege level 15', is this normal? I thought 'privilege level' should only be under actual users?
sudormrfstupid redirect doesn't work 100% of the time, instead of investigating that, just going to kill it
dogbert2no, it shows the level that is needed to execute the command, not the level of each user who can execute the command
avgn5Oh, right.
avgn5ACTION feels dumb now.
AlvinLorusdefining 'privilege level' under a line vty or line console will give that privilege to users of that line by default
avgn5dogbert2: Wait, to execute which command exactly? 'line' isn't a command.
avgn5AlvinLorus: That is what I thought.
AlvinLoruse.g. telnet to the router, you automatically get priv 15 because you're connected to VTY 0.
dogbert2exactly...
sneyexcellent security
avgn5AlvinLorus: But shouldn't privs be based on a login, not what VTY they get (the vty number is sometimes 0 for me when I ssh into the router, sometimes it's another number.)
twkmit is fine as long as it is coupled with a login.
dogbert2hey twkm
AlvinLorusavgn5: well, "should" is subjective. if it's a production environment, then yeah, you probably want to define privilege by user or role.
twkmbut it is likely left-over from the initial config.
twkmheya dogbert2.
AlvinLorusbut if it's a lab router or something, not that big of a deal
dogbert2ayup since in a lab environment, you hose any current config anyways
avgn5I already have: username me privilege 15 secret 5 ...
AlvinLorusthen the priv 15 on the line vty is redundant.
avgn5So I can remove that, right?
FluffyISISUgh. Yesterday I bought LinkSys, plugged to the outlet. Everything looked fine. Now it doesn't power up :-\
twkmi think sdm expects it.
AlvinLorusassuming you're the only person logging in and/or you're the only person who should have priv 15, yep, you can remove it
avgn5sdm?
AlvinLorusbit of advice: when changing any login settings (e.g. user/pass, vty/con, enable password) i always leave one session open, enabled, in global conf mode, then test with a new session to make sure i won't be locked out next time :)
sudormrfgoing to hopefully kill this captive portal on Friday
dogbert2yeah, I've locked myself out of linux/unix boxen by accident...
sudormrfinvesting way too much time with people that cannot follow simple instructions
sudormrfwhenever this specific group visits they ALWAYS have problems
sudormrfand then people call me to solve this
sudormrfwhich is well below my paygrade
sudormrfso you just "fix the glitch" :D
avgn5AlvinLorus: Also, I don't copy run to startup until I'm absolutely sure the config change is correct, that way worse case I just have the router power cycled.
dogbert2apple update crashing some devices...egad
dogbert2also, copy and paste working config to Notepad++ etc
dogbert2sudormrf: end-users are like that...usually clueless
avgn5dogbert2: Yeah I keep backups of every working startup and run configs.
sudormrfwe deploy quite a few 881s. I used CCM to create a template config and then just use notepad++ to replace all
avgn5dogbert2: I have them in a folder that is a simple git repo so I can easily diff them and such.
sudormrfwell
sudormrfactually I had the config built out
sudormrf then used CCM to "templateify" it
sudormrfwhich really just adds {{}} around the things that are "variables"
avgn5On another note, is it possible to set 'exec-timeout 0 0' for a specific user, instead of on a line vty/whatever ?
sudormrfthen just copy and paste that after doing a replace all
avgn5I don't want to keep getting disconnected when idle.
kaleidowhy would you want to give a user a session that never times out?
avgn5But only for my user login.
sudormrfone issue that I have run in to is that sometimes copy/paste fails hard
twkmavgn5: also, reboot in 5
avgn5Yeah
sudormrfkaleido, security, bro :P
avgn5I've used that.
avgn5twkm: ^
dogbert2ACTION didn't get any moola for his DHCP bug/patch-fu from google security...oh well :)
kaleidoits bad enough around here whne someone leaves their machine unlocked and they suddenly send out an email laced with gay innuendo
avgn5twkm: Either way, I don't commit run to startup until I'm sure so I have that reboot safey net if need be, though thus far I haven't needed it.
sudormrfkaleido, HAHAHAHAH
kaleidowhy would want someone wiping configs and having it log with your id?
sudormrfwe do that as well
sudormrfsomeone in IT leaves computer unlocked, that person sends out an email to the whole team telling them they will be buying lunch. and then they are forced to.
avgn5kaleido: It's just annoying when I'm working on something on the router, switch to an editor or whatever, and my connection disconnects and reconnects and what I was looking at before gets buried.
sudormrfavgn5, set up putty to store all logs?
avgn5kaleido: It'd be simpler if I could just not have my session idle out, as I'm perfectly capable of disconnecting it when I'm done. Or just make the timeout very very long.
sudormrfthen you can just open your log file
kaleidoavgn5: i would suggest using a terminal program that stays intact after you get booted, and has a scrollback buffer
sudormrfand figure out where you left off
sudormrfwhat kaleido just said
kaleidodont put yourself in a position where you can be setup to fail for something that trivial
kaleidois my only advice
sudormrf^^^^
avgn5sudormrf: That's over kill though, I'm talking about just not wanting disconnected so quickly so I can still see the last few lines and be able to type where I was; that is, no loose my place.
avgn5kaleido: My terminal app isn't the problem, it's all the login text (motd and such) that scroll the screen.
AlvinLorusthere's no way to set timeout parameters on anything except the line config. not that i'm aware of, at least.
sudormrfavgn5, what? introducing a potential security risk because you don't want to tweak your scrollback buffer is pretty silly
pffsis there a way to use the hostscan portion of the asa's posture assessment just for informational purposes?
pffslike maybe just logging hostnames of devices?
avgn5I mean if I can ssh into remove unix/linux machines and not get booted until I decide to disconnect, I should be able to do that here.
avgn5s/remove/remote/
avgn5sudormrf: Scrolling back isn't the problem, it's the loosing the place, because when I start typing again, I'm far away from that spot so I have to scroll back and forth, and I also loose the history (up/down arrow)
avgn5lose*
kaleidoyou can make it never timeout
kaleidoits just stupid
avgn5Ok how about just making the timeout longer.
sudormrfavgn5, so you don't want to look back at your own logs?
dogbert2some good books: https://www.nostarch.com/catalog/security
kaleidolike all things cisco, they were kind enough to give you a lot of rope, but not care whether you hang yourself with it
sudormrfthat seems to be the issue here
dogbert2send the logs to a remote server and let it handle 'em
dogbert2then log into the remote server and look at them
avgn5sudormrf: Looking at logs isn't a problem, but again, 1) I loose key up/down history, and I need to flip between two screens then. Yes I could have them side by side, but in general it just makes things more annoying than just having my session as it was before I went to my editor/whatever.
avgn5lose*
sudormrfagain, you are saying that you should open up a potential security risk due to "annoyance"
sudormrfwhy not type it in to a text file first
pffsI find passwords annoying
sudormrfthen copy paste?
pffscan I remove all of those?
pffsfirewalls too, with their blocking of traffic
sudormrfhahahaha
kaleidoi just wanna be able to login remotely as root
avgn5I do do that, but that isn't the issue. The problem is coming back to ssh to only to be greated by the motd screen.
sudormrfroot all the things
pffsif you're root why bother making users
sudormrfstop being lazy
pffsjust use root all the time
dogbert2I use SecureCRT...I just use the keepalive function in that application...so it never times out
kaleidoallow remote login as root, too
avgn5pffs: I prefer private/public key auth better, so yes passwords can be done away with (for things like ssh)
kaleidohell, why not go back to the good old days when you had to edit inetd.conf to close ports
sudormrfLOL
kaleidowhats wrong with having privileged ports opened by default???
dogbert2ACTION looks at kaleido *UGH*
kaleido:D
dogbert2though I hate the new iptables stuff with rich<whatever>..
kaleidoiptables is terrible stuff
avgn5Ok, what about making the default exec- (or session-) timeout longer? Also, what exactly is the difference between these?
sudormrfyou mean you don't open all 65535 ports to everything?
sudormrf:D
kaleidooh i do
sudormrfwe ain't got no filters
sudormrf:P
avgn5(Sorry to be pedantic, but there are a total of 65536 ports, where 65535 the highest port number.
dogbert2we don't need no steenking filters
avgn5Or badges
kaleidoi return one point to you, for the reference
sudormrfnothing wrong with being pedantic.
avgn5Ok, I get it, having no timeout isn't a good idea, I can accept that. But what about setting a longer timeout? Is it better to set the session timeout or exec timeout?
squibkaleido, then they made it go full retard with fail2bail
squibfail2ban
avgn5(Actually, unless port number 0 can actually be used, there actually would be only 65535 usable port numbers.)
dogbert2port zero is valid, but you should never see traffic on it...
AlvinLorusavgn5: session-timeout is for outgoing connections. exec-timeout is for incoming connections.
avgn5ah
avgn5Thanks.
squibhey btw gns3 protip: disabling exec-timeout really cuts down on CPU usage
squibexec-timeout and then auto-pc-idle
kaleidolife protip: dont at yellow snow
kaleidoeat
kaleidofuckin e key
avgn5Sorry if this is a obvious question, but I can't find the answer anywhere. What is the difference between 'line vty 0' and 'line vty 1' ? Do these corraspond to vlan or wan interfaces?
AlvinLorusthey don't really correspond to anything
avgn5So what exactly are vty 0 and 1 ? In the the config I see one has ssh enabled on it the other has telnet enabled
Golleeavgn5: it's an interface per session. so with the line vty 0 4 you allow 5 sessions, ID 0 to ID 5
Gollee5 concurrent sessions*
AlvinLorusyeah, just the router's internal way of tracking these things.
avgn5Here is what I see: http://paste.debian.net/hidden/db0d2d09/
AlvinLorusthough you can define different ones with different properties as you've seen.
avgn5So when I ssh into the router, what determines which vty is used (0 or 1) ?
AlvinLoruswhether you log in first (vty 0) or second (vty 1)
avgn5http://paste.debian.net/hidden/5e6ca5c7/
oistershow line
avgn5http://paste.debian.net/hidden/a56f2539/
avgn5I'm 10 in that list, at least according to 'who'
avgn5So things under 'line vty 0' will only apply when one happens to get 0 ?
AlvinLoruscorrect.
avgn5This doesn't seem very useful then when logins get random number.
AlvinLorusright. typically you'd set all VTY lines to be the same.
avgn5How many are there?
twkmit isn't intended for that.
avgn5Every thing I've found online about setting an access list for ssh (to limit ssh access to only desired IPs, to prevent unwanted people from trying to get in.)
avgn5shows setting access-class for line vty 0 4 or so
avgn5I never seem them set it on any other vty.
kaleido"default" is to only have 0-4
kaleidoyou can create as many as you want
kaleidobut you still should configure them all the same
twkmrandom search results = random crap, usually.
theacolytelies, I just found some amazing stock advice
avgn5Here is one of several I found that all pretty much say the same thing: https://www.pluralsight.com/blog/tutorials/configure-secure-shell-ssh-on-cisco-router
avgn5They only add the access-class to line vty 0 4
twkm*shrug*
kaleidothen onl apply it there
kaleidonobody is making you listen to anyone here
avgn5But why don't they apply it to every possible vty ?
twkman 881 likely has more vty's. feel free to change 4 to match your highest unit.
twkmbecause not everyone has the same number of vty's.
avgn5How does one tell how many there are though?
kaleidosh run | i vty
kaleidomight return useful config
twkmand some people are too lazy to read all the words cisco supplies, so when they use 0 4 having written words about it the crap sites tend to just copy the 0 4 and ignore their own device about which they think they are writing.
avgn5kaleido: 'line vty 0' 'line vty 1 4'
kaleidoso you have 5
kaleidobut if you were to enable ; conf t ; line vty 5
kaleidoyou would have 6
twkmaka, 0 to 4. but 0 is slightly different.
avgn5Should I delete 'line vty 1' ?
avgn5I mean is more than just 'line vty 0' needed?
drkat_well they're vty lines
drkat_im so missing the question here
twkmusually. what if you are testing aaa or logins or ... and you want a second one to be sure you didn't fuck things up?
drkat_or more thanone person is logging in
twkmwhat if a cow-orker needs to look at it while you are looking at it?
twkm(just a variation on you looking at it twice at once)
avgn5drkat_: I don't quite understand what vty represent
avgn5Or what 'vty x' means, and what it means vs 'vty x y'
drkat_did you look at the cisco documentation?
twkmx y, the range between x and y. don't you have your ios config guide or command ref open?
avgn5Yes but I couldn't find anything about that specifically.
drkat_http://ciscoiseasy.blogspot.com/2010/08/lesson-3-initial-configuration-of-cisco.html
AlvinLorusavgn5: if you enter "line vty 0" then you're configuring vty 0. if you enter "line vty 0 4" then you're configuring all lines 0-4.
drkat_https://learningnetwork.cisco.com/thread/2367
avgn5I'm not really new to cisco ios, but I never really did anything with vtys (that's something that fell under leaving well enough alone until I had more time I look at it.)
AlvinLorusas far as what they represent, it's essentially just the router's internal way to track these connections.
avgn5AlvinLorus: So each individual ssh/telnet connection needs to have it's own vty x or vty x y or ?
twkmconsider pty's or pts'.
avgn5oh
twkmsingle vty. a single connection can't consume a range of vty's. but the connection might be to any vty, so have a range configured is usually wise.
AlvinLorusessentially, yes. if one person connects to a router via SSH/telnet then they will reach vty 0. if a second person connects while the first session is still open then that second person gets vty 1.
AlvinLorusfirst person disconnects, third person connects, third person now hits vty 0 because it's the first available.
twkmnot just ssh or telnet, pad connections too though odds are you have no x.25 setup.
avgn5AlvinLorus: Ok that makes sense.
avgn5AlvinLorus: what about the second number though?
avgn5Like the 4 in 'vty 0 4'
AlvinLorusyou mean in your running config where it shoes "line vty 1 4"? that just says "all vty's 1 through 4 have these settings"
avgn5yeah
AlvinLorusjust a way of condensing the output really
avgn5ooooooooooooooooooooh
avgn5ACTION facepalms
AlvinLorusheh
twkmcondensing your configuration application, like int range ...
avgn5Now it makes sense.
avgn5Now it all*
twkmwhen output it is is that condensing -- it means that x thru y have identical configs.
avgn5So that's why they write 0 4. Thank you all very much.
avgn5So I can set, say, vty 0 with an access-class that matches only my ip and then those settings would only apply to me, right?
twkmwell.
squibthat won't work
squibthat will deny everybody if you unless you are already logged into vty 0
twkmno. only to the first virtual connection. whether you or a cow-orker or a robot on the net.
avgn5And then have vty 1 4 without an access-class option or or one matching others and then only I'll get vty 0, right?
squibI don't think if somebody tries to ssh and it denies on vty 0 that it will roll over and check another vty
squibyou'll have to try that
squibthat doesn't sound like it will work
twkmavgn5: no.
avgn5Oh, yeah I assumed it would keep going in effort to find a match.
squibI have seen configurations where the last vty is reserved by ACL, so that there's always an available vty for an administrator
squiblike if somebody wanted to dos the router or for whatever other reason
avgn5ah
xyxxyhello, what book would you recommend for a newbie interested in networking and planning to a get a CCNA? I feel like pursuing a CCNA right now is a little too steep for me and I need understand the fundamentals first.
squibxyxxy, as ronnie coleman would say, the ccna material is already a bit lightweight
squiblightweight!
drkat_ha!
drkat_bing
squiberrrybody wanna be a bodybuilder.....but nobahdy wanna lift no heavy ass weight!
squibhooOOOOOoo
xyxxysquib, I was thinking about getting Computer Networking: A Top-Down Approach
drkat_thats a college textbook
squibxyxxy, that is WAY more dense than ccna
squibccna is way way gentler
squibbbiaf
xyxxyreally? wow. this changes everything. :-)
UncleDraxCCNA is more practical as well.. it's "heres some junk you should know.. here is how you implement it on Cisco gear"
UncleDraxbut the concepts are teh same
drkat_CCNA is fine if you want to just start off anyway
UncleDraxya
drkat_or network+ prolly or something
AlvinLorusif you don't have much experience in networking start with CCENT instead of CCNA. the CiscoPress official certification guides are typically pretty solid.
drkat_ugh cisco press
AlvinLoruseh, it does well for lower levels.
UncleDraxand is commonly available.. can prob get last-test-gen stuff for dirt-cheap..
UncleDraxhell xyxxy if you lived nearby I'd just give you my old CCNA texts
UncleDraxOSI model hasn't changed.. pin out on a Cat-5 hasn't changed... STP/RIP/OSPF haven't changed.. so they are all still perfectly relevent books.. just less current to the current Cisco CCNA exam.
drkat_ospf v3 now
drkat_or whatever
drkat_I hate certs in general tbh
servchancerts gets you laid and paid
drkat_ha
UncleDraxas do I.. but given I'll be leaving my current emp in a couple years, if I want to stay doing IT stuffs then I should prob get some to make interview processes easier
drkat_once I get some shit under control I'm gonna be a plumber or something lol
xyxxyUncleDrax, if you don't mind me asking, why are you leaving?
servchanleave now while you can
servchanor forever be squib
UncleDraxxyxxy: because i'll be eligable to start collecting a pension from the 20-and-out they had when I started
bmoraca_workdrkat_: didn't you already leave networking once?
UncleDraxso if I go somewhere else and make the same salary, I'll get a 40% raise
bmoraca_workor, even better, leave and get hired back in as a consultant. no having to deal with changing jobs and you still get your 40% raise
UncleDraxbmoraca_work: ya they are trying to put the kabash on that here. we'll see
twkmyou'll be well able to work on the civ side of the same companies you work with now.
bmoraca_workunfortunately, llnl doesn't have a pension anymore :( sad for me
UncleDraxheh.. friend of mine at LANL is tyring to get me to go apply there when I leave
UncleDraxtbh.. i'm hoping I can just go be a beach bum and find some pick-up work with some Carrib SPs
servchanwill fix networks for sex
servchanbackpage style
drkat_bmoraca_work, nope wasnt me
squibmy back hurts. my neck kinda hurts too
squiboww. my neck and my back
kmcelroy1your pussy and your crack?
squibI asked my trainer how long it will take to look like King Leonidas
squiband I didn't get a clear answer
squibmaybe next week
nierosfookin fook
squibI wanna be like http://thisisspartablogdotcom.files.wordpress.com/2014/02/300_kick1.jpg
avgn5I know that 'exec-timeout 15' means timeout in 15 minutes, but in some places I see a second number given, like exec-timeout minutes
capncrunch4mefor some reason my as5350 isnt passing calling-station-id in the radius accounting to my freeradius server. I see it as a possible attribute (31). Do I need to do anything to turn it on?
avgn5I know that 'exec-timeout 15' means timeout in 15 minutes, but in some places I see a second number given, like 'exec-timeout 15 0', what does that second number mean?
avgn5http://www.cisco.com/web/techdoc/dc/reference/cli/nxos/commands/fund/exec-timeout.html doesn't seem to mention it.
avgn5(and I just realized that this isn't the specific doc for ios, but seems to be the same syntax, I can't find the one specific to ios though.)
AlvinLorusavgn5: do you have access to a CLI right now? check what the context-sensitive help says.
avgn5Not right this moment.
AlvinLorusah. i'll make it easy then. first number is minutes, second number is seconds.
avgn5Ah, found it: http://www.cisco.com/c/en/us/td/docs/ios/12_2/configfun/command/reference/ffun_r/frf004.html#wp1017909
avgn5exec-timeout minutes [seconds]
avgn5(And why do they still give 'no exec-timeout' instead of 'exec-timeout 0 0' ? From what I understand if one were to mistkenly use 'no exec' they'd be in a world of hurt.
avgn5I'd think they'd have amended that in the docs, perhaps leaving 'no exec-timeout' with a nice big note or something.
AlvinLoruscapncrunch4me: does the as5350 not send that attribute, or does the RADIUS server not recognize it? no idea about that particular platform but for some cisco gear you may need to set calling-station-id to use a specific format.
capncrunch4meradius supports it
capncrunch4mecisco supports that attribute
AlvinLorusright, i'm sure the attribute is supported on both ends. i mean it may send it in the wrong format. like the as5350 may send abcd.1234.5678 when the RADIUS server expects ab-cd-12-34-56-78
capncrunch4memaybe so
capncrunch4meright
nemithSuperNull: like RTBH?
radiusI don't support any of those things
nieros what the hell is the difference between a ASA5512-K8 and a ASA5512-K9
SuperNullbro.
SuperNulli didnt ask anything bout black holes.
SuperNullif i did drkat would be involved.
kmcelroy1nieros: encryption level?
SuperNulloh
SuperNullwait
SuperNullyou mean at 9am today
SuperNullyes..
SuperNulllol
nierosI assume i probably just want the k9
nierosbut that's annoying
twkmk8 is the shitty crypto (des only). k9 is "good" crypto (3des & aes).
nierosoh 9 is probably security plus
nierosyeah
nierosthat's stupid
twkmmakes it possible to sell an asa some places.
nierosoh
nierosexportable stuff
Golleeagreed nieros, I found a 5506-X for 5.6k and 7.6k SEK on a website, with absolutely no description of what the difference between them was, even had the same cisc-blablabla model number
twkmresellers can be very lax on that stuff, especially if they don't really know the product.
nierosyeah
nierosespecially when the price is so close
bmoraca_workon ASAs, K8 is standard (which does include AES)
nieros... sigh
bmoraca_workyou overspent!
bmoraca_workthough...why you buying a 5512?
bmoraca_work5508 is slightly cheaper with same performance
bmoraca_workor do you need fiber to it?
nieroshrm
nieroshandoffs are copper
nierosoh
nierosthat's why
nierossite to site number is way lower
nieros100 vs 250
nierosI knew there was a reason
bmoraca_workyou're never going to hit 250 on a 5512
bmoraca_workit doesn't have enough RAM to maintain all those SAs
nierosWell I'm at 120 on a pair of 5510s right now?
bmoraca_workwow
bmoraca_workthat's surprising
nieroswhich is whats being replacec
nierosreplaced
bmoraca_workyou know the number is the number of SAs and not the number of phase 1 tunnels, right? i'm sure you do
nierosyep
nierosit's 60ish phase 1s
bmoraca_workjust making sure...lots of people don't understand that
nieroscisco docs suck :/
syadminOMG GUYS please halp me with etherchannel. Either I'm a fuking noob or I'm getting this entirely wrong
nierossyadmin: channel-group 1 mode active
nierosBOOM
syadminIt's been all the afternoon and I cant get over why it works with 4 links but not with two
bmoraca_workyeah...link aggregation is pretty cut and dry
syadminhttps://www.youtube.com/watch?v=S-ZX-EWLi3w
syadminI've also made a video
nierosplatform and config dumps please
syadminall different computers in 4 different vlans
bmoraca_worksyadmin: draw a diagram, pastebin configs
syadminok just a sec
kmcelroy1am i the only one that caught the 4 different vlans part?
bmoraca_workkmcelroy1: no
bmoraca_workkmcelroy1: but i wanted to give the benefit of the doubt and wait for a diagram
kmcelroy1ha
enOsbrozhttp://pastebin.com/iHm4CTmP -- I'm trying to figure out how to find the number of addresses available for a dynamic nat translation. Would I take the subnet mask, which in this case is a 255.255.255.224, which lets me know it's a /27 and then take the bits of the last octet, break them down into 11100000? this is where it gets grey for me. Do I take the bits, all the 1's that are flashed on,
enOsbrozand are they my hosts? (2*2*2) or are those my network bits and the 0's are my hosts? which would be 2^5, which gives 32...
AlvinLorusenOsbroz: ignore the mask. look at the address range.
Golleeyeah, there are a total of 32 addresses in a /27
enOsbrozAlvinLorus: but isn't that only 7?
enOsbroz209.165.201.23 209.165.201.30
bmoraca_workyes
bmoraca_workthat means that 8 out of the 32 ip addresses will be available for that dynamic NAT pool
GolleeI have to admit this is the first time I've seen anyone use dynamic NAT in the wild
bmoraca_workremember, subnet mask is only relevant in so far as determining what is considered traffic that's on the same local ethernet segment.
AlvinLoruslooks more like lab/study than the wild.
bmoraca_workat the end of the day, an IP is just an IP
enOsbrozbmoraca_work: ohhh
enOsbrozI'm still a little blurry
bmoraca_workit's a tough concept. most people think that subnets are the end of it. and, yeah, that's fine...but it's just a way to group and quantify IP addressess. subnet masks define the L2 boundaries of your L3 subnet by informing a sender what traffic is local to it via L2 and what traffic is remote.
bmoraca_workbut an IP address is just an IP address
bmoraca_workso i can have lists of ip addresses that have nothing to do with the subnet mask they're assigned
syadminbmoraca_work: here's the diagram: https://www.dropbox.com/s/8cmtmzimm6jtdi1/Screenshot%20from%202016-03-28%2023%3A09%3A07.png?dl=0
bmoraca_workit's why if i have a network like 10.2.2.0/29 routed to me, i can use the .0 and .7 addresses, so long as they're not part of a L2 broadcast domain.
enOsbrozinteresting
syadminbmoraca_work: http://pastebin.com/S0jVCJXy
bmoraca_worksyadmin: what are the "100mbps" and "50mbps" labels?
bmoraca_worksyadmin: i don't see anything wrong with the config. what's the specific issue you're having?
bmoraca_work(assuming this config is duplicated on both sides, of course)
syadminbmoraca_work: it means that I have A --> B and C --> D talking to eachother at 100mbps as seen with iperf. As soon as I cut two of the four cables in the LACP, the two that doesnt even seem to blink very fast, the speed drops to 50mbps for each.
syadminand yes, the config is the exact same both ends
syadminmy question is, why does it need all four?
bmoraca_workit doesn't
syadmin2 out of 4 shouldnt be enough? So why am I seeing this behaviour?
bmoraca_worklacp hashes flows across links (unless you do something like per-packet)
bmoraca_workare you running iperf bidirectionally?
syadmindo you mean the test with iperf is not realistic?
syadminacutally no, just one direction
bmoraca_workso when you cut your links, both flows get hashed over the same link
bmoraca_workfor whatever reason
bmoraca_workwhat hashing algorithm are you using?
syadminhow can I know that?
syadminmostly because this is just a test with all cisco gears
syadminbut I should be able to set this up with pfsense
bmoraca_workhttp://www.cisco.com/c/en/us/td/docs/ios/cether/configuration/guide/ce_lnkbndl.html
syadminand I have the exact same issue
bmoraca_workagain, it all comes down to how LACP is hashing the traffic
bmoraca_workif you want to verify that both links are actually active, you can do "show int po1 eth
bmoraca_work"
tmbg_How many parallel streams were you running in iperf? That could 've been a factor too
syadmintmbg_: only one...
syadminI thought it would be enough
bmoraca_workit is, but you're not listening to what i'm saying about LACP
syadminyou're telling me to change the hash
bmoraca_worklink aggregation doesn't loadbalance per-packet (it can, but that'd dumb)
bmoraca_worklink aggregation loadbalances per flow. change the flow parameters and restart it and it'll redistribute across the two active links
bmoraca_workor change the hashing mechanism based on how you want it to distribute the traffic
tmbg_With only one stream, link hashing shouldn't matter. You'd only be using one link at that point
nemithbmoraca_work: thanks for saying link aggrigation and not stating the signaling protocol ;)
bmoraca_worktmbg_: he has two separate streams running
nemithbmoraca_work++
bmoraca_worktmbg_: well, two single stream transferes
tmbg_K. He needs a minimum of four to utilize all four links
syadminbmoraca_work: port-channel hash-distribution {adaptive | fixed} this one?
nemithno
bmoraca_worktmbg_: right. his issue is when he goes from four links to two that the throughput of his flows is halved
bmoraca_worksyadmin: read http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_53_se/configuration/guide/2960scg/swethchl.html#wp1275731 and http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_53_se/configuration/guide/2960scg/swethchl.html#wp1276203
nemithtmbg_: four streams and you need to get lucky
tmbg_That's why it's a minimum of four
nemithbecause it's a hash you really should have as many streams as possible
tmbg_Indeed
bmoraca_worki agree
nemithfour streams could easily all hash ontpo the same link
tmbg_And hash with as much entropy as you can
tmbg_E.g. srcdst port
bmoraca_worki'm just trying to explain to him why his simple scenario of two sets of hosts talking is behavbing the way it is
nemithor go buy some 10G nics
nemithleave LAG for the middle of the network
syadminnemith: It's just a relativle small HA project
nierosLAG is for redundancy, not statless flow resilliancy
tmbg_Yuk. That has its own problems if the leaves are faster than a link in the lag
nierosyou lose a member, data gets lost
nemithnieros: ?
nemithpackets in flight, sure
nierosthats what I mean
nierosthe flow will be disrupted
bmoraca_worklink aggregation exists purely to trick spanning tree into letting you have two links active at the same time
nieros.. yeah that about sums it up
bmoraca_workL3 ECMP is clearly the better option :)
nemithtmbg_: and i don't mean 10G to serves and Nx1G in the middle of your network. I assume you would need Nx10G if you have 10G connectivity to servers
tmbg_Indeed
nemithor Nx40G or Nx100G
nierosnemith: or hopefully NX40 - yeah
nierosyou beat me to it
tmbg_Just clarifying that
nemithbmoraca_work: hashing is the same between l3 ecmp and lag
bmoraca_worknemith: yes, i know. but with L3 ECMP i don't have to worry about spanning tree
nemithbmoraca_work: control plane may be better, but don't expect hashing to be better
bmoraca_workwon't solve his problem
nemithyou don't with LAG either
bmoraca_worktrue
nemithwhich is why mclag for layer 2 networks is the hotness right now
nierosthe solution is probably better written software...
nierosif it's really that vital
nierosmy wife works for a software company that offers up a web service
nierosand they've had a bunch of outages in the last few weeks
nierosbecause A SINGLE database goes down
bmoraca_worki really like the idea of EVPN...my gateways and L2 domains exist only on the edge and nowhere else, but i can span them if absolutely necessary
nierosI pointed out how broken that is, and how it will never scale
bmoraca_worknieros: that's a pretty bad design, man
nierosyeah
nieroslike, jump ship now pls
sneynot even clustering
nierosthey wrote the software
bmoraca_workdidn't she just start that job?
nierosno, she's interviewing
bmoraca_workahhh
nierosshe's been at this place for 3 years
nierosbut they sure as hell didn't architect the software
nieroskludge kludge kludge
nemithbmoraca_work: i really like the idea of applications that run over IP and use IP based failover instead of hacking up the network for shitty applications
nemithbmoraca_work: your default gateway is always your TOR
bmoraca_worknemith: yes, yes, i know :)
nierosnemith: well you know
nemithand you use simple, time tested, routing protocols to "route" traffic
nierosfuck vmware
nemithcrazy
nierosthis is mostly their fault
bmoraca_worknemith: but in the campus, i can see EVPN being useful as well
nemithvmware really did fuck the DC nework
bmoraca_workdumb vmware admins fucked the DC network
bmoraca_workyou don't HAVE to use all the crap vmware has
nemithbmoraca_work: even there.. why do you need to be on the same l2 segment?
nierosBECAUSE NETWORKS HARD
nierosOSPF HARD
nierosZOMG AREAS
nemithbmoraca_work: there are applications that think "redundancy" is vmware vmotion
bmoraca_worknemith: because customers like it. i agree with you.
bmoraca_work"omg l2 adjacency!"
nemithwell IT business decisions are made from the application down. Not from the infrastructure up
bmoraca_worki litterally had a customer tell me that they needed to extend a user VLAN across sites because "what if our main site goes down and we have to move everyone over to the other one"
nierosnemith: when I point out AIX has been doing most of the functions of vmware without a pretty gui for a whole lot longer... with all the routing availale
nierosIt annoys vmware guys
nemithso app needs vmware, sever needs flat l2 network... network gets the shaft
nemithnieros: ?
nemithi am not familar with this part of AIX
nieroshost level routing and l3 awareness
nierosit's just an older virtualization platform
nierosthat's all
nemithon the rs/6000?
nieroson a whole lot of platforms, definetly more specialized though
nierosit's just.. highlighting a point
nierosvmware didn't have to make stuff dumb
nierosthey chose to
bmoraca_workvmware didn't make things dumb...they made things generally available. dumb vmware admins made things dumb
nemiththey sold it as a feature and upcharged for it
nieros^
nierosLOOK HOW EASY VIRTUAL NETWORKING IS
nemithbut really they did it that way because it was less intrusive to the app (more intrusive to the network)
nierosand thus stretched layer 2 techs were born
nemiththe real solution requires apps that are not written by morons
UncleDraxpft.. it's all wireless and in ZE KLOUD anyway..
UncleDraxnetworking is easy
nieroswhere are we going to get not-morons though..
bmoraca_worknieros: yeah, but stretched L2 existed long before vmware
nierosnot in the flavors we have now
bmoraca_work(not the company, but the implementation at customer sites)
nemiththat use proper service discovery instead of assuming a single IP == app
squibnemith, https://www.reddit.com/r/networking/comments/4ad0ld/spanning_tree_in_the_real_world/d11mj42?context=3
squib:)
squibI make lots of friends
squibj00 no work with the super of computers!
nierosYou've clearly never worked in a supercomputing environment, so I won't bother to justify anything to you.
nierosLOL
squibwait let me get the context
squibso you can see how stupid her statement was
bmoraca_worksquib: to be fair, the people who regularly post there are so jaded by all the dumbfuckery that gets posted that they just assume everyone's a complete moron
bmoraca_workkind of like this channel
squibhttps://www.reddit.com/r/networking/comments/4ad0ld/spanning_tree_in_the_real_world/d0za6fv
squibbmoraca_work, she works at NASA
squibcolbyzg stalked that out of her a long time ago
nierosmy cousin works in AI dev, and deals with big supercomputing style clusters
nieroshe's ignant as fuck on the infrastructure side
squibI mean am I crazy? she literally said that tor routing isn't awesome if you can't tor route
bmoraca_worki can't wait to look at the supercomputing lab at llnl...
nierosI don't think she understands TOR routed access architecture
UncleDraxi'm sure it looks like a big server room
squibbmoraca_work, I mean I'm plenty stupid comparatively speaking, but I'm pretty sure she had failed with words on this thread
bmoraca_worksquib: she's just pointing out that it doesn't always work
nierosshe's pointing out that it's not a different architecture
codydnACTION wonders if anyone else has found the guys at AWS (as far as their VPN and network goes on their end) are morons?
nieroswhich isn't a design really
avgn5codydn: Oh god yes.
nierosor rather
nierosit's not an argument really
squibeven with supercomputing do you really need the legacy l2 architecture
squibwouldn't spine/leaf with overlay work
squibunless there's not much of a point to doing that at scale, I dunno
nierosyes it would, but LIke I said
nierospeople who work in those enviroments are usually there for other reasons
nierosfrom my discussions with my cousin
nierostheir biggest limiting factor is processing power
nierosnot storage, or network, or anything else
nierosit's CPU
nierosthey're always gobbling up more and more
nierosif that's the constraint you probably don't care about other systems
xousnewtmewt: what was I making fun of?
tmbg_Haven't worked with the aws guys. What's dumb about them?
nemithsquib: r/networking is the butthole of networking communities
oisteri thought that was #cisco
squibr/owmyballs
kmcelroy1oister: we are a cesspool, get it right
oisterah, right
bmoraca_worki love this...this ASA has like a 1000 line ACL with like 3 denies and a bunch of permits...and then at the bottom, a nice "permit ip any any"
oister#pesto is the butthole
kmcelroy1#pesto is a train wreck, a delightful train wreck
nieroswe're like...
kmcelroy1you can't look away
nierosgenerally functional
nemithoister: so glad it exists though... this channel got so much better
nierosbut kind of angry
nierosnemith: contain the cancer?
nemithall that used to be here in #cisco
bmoraca_workwtf is #pesto?
kmcelroy1bmoraca_work: secret club
bmoraca_workahh
nierosit's where scrye and co went
bmoraca_workonly been here for about 4 years
bmoraca_workahh, so that's why he's not around anymore
nierosit started last year or so
nemithACTION dances
nierosyeah nemith drove them out with the angry fires of a thousand suns
bmoraca_worki bought some stuff from him, but it was all in pretty bad shape...razorz's stuff is usually in better condition
kmcelroy1but filled with packing peanuts
nierosI like them both in their own way.
kmcelroy1cause he is evil
bmoraca_workyeah...packing peanuts...
nierosbut yeah pesto... is it's own monster
razorzAyy
kmcelroy1^
kmcelroy1DOMAN
razorz<--
kmcelroy1the packing peanut enthusiest
razorzWe use GF peanuts
kmcelroy1only the best
razorzFree range
bmoraca_worki say "usually" because we got a 6504 from him once and it looked like someone had played rugby with it
razorzbmoraca_work: yeah, that was a good order
bmoraca_workwe made up for it
razorzOvernighting a 6500 chassis isn't fun :D
bmoraca_worklol
razorzIndeed
nieroshustle bitch!
razorzSpeaking of pesto, that might be dinner
squibI got a lot of questionable stuff from scrye which is why I stopped going to him a lot
squibI got shipped a 3560-E with a missing mode button and damaged face plate
razorzUse a toothpick tho
squiblot of stuff from him had cosmetic damage or worse
squibonce I ordered a -S switch and got -L
danshtr|workOT - On flexfabric, any idea how to show the mac address table?
squiband got a lot of attitude when I complained about it
razorzLol
squibplus I sent him a lot of regular business which he showed 0% gratitude for
razorzScrye pretty much got out of the equip sales business afaik
squibsee when I first started out ordering from him, it was all gear for personal lab use
syadminok I will ask you guys becaus you know fucking everything. I have to chose from a single 4x1gbps etherchannel with a trunk of both LAN and DMZ vlans or two separate etherchannels (2x2 gbps) with VLAN and DMZ separation. Too bad that at the access layer DMZ and LAN need to be togheter for whatever reason.
syadminwhat do I chose?
squibthen when I started ordering for actual jobs I was like yeah this sucks
squibrazorz, so what does he do now then?
razorzConsulting
razorzI just sent him a PO today actually
squibit seemed like he was still doing sales a least as of a month ago
razorzOh he will still sell, I just don't think that's his focus right now
razorzHe's a pain in the ass but generally a good guy
squibbut yeah I would order from him on behalf of clients and shit would show up looking like it had been around hte block a few times
squibthe mode button issue was particularly awkward
squibluckily the client was a close personal friend
nierosI guess I don't know what you'd expect buying used stuff
squibwell. nhr/curvature is of course a lot more expensive but shit shows up looking new.
razorzWe repaint everything and replace faceplates in some cases, most stuff should look damn close to new
squibmaybe I should give razors more business
squibbut not if he's apparently getting his shit from scrye ;P
bmoraca_worknieros: off ebay, beat up. from a grey market supplier, should be decent cosmetically
nierosya'll grew up going to them FANCY goodwills
bmoraca_worklol
bmoraca_workwell, we aren't from Michigan
razorzsquib: lol
razorzGive me a shot, I'll offer anyone on #cisco a 7 day right of refusal if the gear isn't up to par
razorzAnd I'll eat the return shipping
squibhttps://www.youtube.com/watch?v=I33vX5k2Iho
squibthat lady in the background has got to go though
squibhaving a loud snack and shifting her in seat
bmoraca_workopenconnect is really copol
bmoraca_workcool*
nieroswhats openconnect
bmoraca_worknetflix's peering and content delivery mechanism
nieroshttps://en.wikipedia.org/wiki/OpenConnect
nierosoh
nierosI thought it was this
bmoraca_worknieros: https://openconnect.netflix.com/en/
nierosah
nemithlife is easy when you have static content
nemith:P
_drew_nieros: thats cool i didnt know about that
_drew_dont you still need a license for the anyconnect client tho?
nierosno idea I just found it
_drew_i guess you could have one asa with a shitty license and have everybody connect to it once to get the software, then connect to your openconnect server instead
nieroslicenses are really per connection
nierosnot per software dpleoyed
_drew_the asa i had was garbage, we were always manually updating the ip list for split tunnel routing
_drew_right so you can have like 1000 users on a 25 user license
_drew_they just connect 25 at a time to download the software
_drew_then connect ot anyconnect
_drew_i mean, then connect to openconnect
squibnemith, but but they created a nifty red box with a random movie quote printed on them that can do 100 gigabit
bmoraca_work_drew_: or you can just distribute the anyconnect standalone installer
_drew_sure.. then you wouldnt get auto upgrades..
bmoraca_workyou're not going to get auto upgrades anyway
bmoraca_workauto upgrades happen when you connect to an anyconnect vpn, which openconnect is not
oisterauto upgrading is bad anyway
oisteryou want to test upgrades then push them out
bmoraca_workagreed
bmoraca_workbut oister is the anyconnect master, so listen to him
oisterhonestly i havent upgraded anyconnect in like 4 years lol
oisterusers are still on 2.5
oisterbut we're about to go to 4.0
bmoraca_work2.5? really? don't you have all kinds of compatibility issues with Win7?
oisterworks perfectly
oisteranyconnect has been rock solid which is why we havent touched it
oisterbut we're about to do our ISE rollout so 4.0 it is
nieroswin8/10 is when the issues start
bmoraca_workyeah, i know i can't do ac 2.x on win 10
bmoraca_work(cause i had to try)
oisterstill on win7 around here
bmoraca_work(cause customer...uhg)
nemithsquib: fair enough
nemithsquib: fbsd is cool too
DaemonDsaq you on here man?
syadminIs it even possibile to have this diagram if the distribution switches are not in stack? https://www.dropbox.com/s/z0bu44l0ixwvmc0/Screenshot%20from%202016-03-29%2001%3A11%3A23.png?dl=0
theacolyteeither stack or vPC/MLAG/whatever
GenteelBenWell it looks like vPC to me.
GenteelBenBut then, I am but an amateur.
theacolyteEasier way to think about it would be the top switch needs to be a single logical switch
theacolyteEven if it's technically 2 physicals
GenteelBenSo what's new in the world of Cisco?
theacolyteACI!
GenteelBen"Cisco Application Centric Infrastructure (ACI) reduces TCO, automates IT tasks, and accelerates data center application deployments. It accomplishes this using a business-relevant software defined networking (SDN) policy model across networks, servers, storage, security, and services."
GenteelBenI've been out of the game almost a year now.
syadmintheacolyte: you mean that just setting "channel-group x mode active" on both ends is not enough?
GenteelBenActually yeah, I haven't logged into a switch in a year.
GenteelBenAnd no Cisco certs seem worth doing anymore. :(
theacolytesyadmin: it could be that simple if they are stacked or in a VSS pair
theacolyteif it's vPC, there's a couple more commands
syadmintheacolyte: but let's suppose I have a core L3 switch with two interfaces and I want to connect them to two access switches, one port each so they are redundant. Why can't I use LACP in this case?
theacolyteBecause your access switches are individual
theacolyteLACP is one logical switch to another logical switch
theacolytea logical switch can be a single physical switch, a VSS pair, a stack, or vPC/MLAG/MC-LAG/blahblahblah
syadminok I kind of understand now
syadmin:(
syadmintheacolyte: but whait a minute. how about this?
syadminhttps://www.sagedining.com/downloads/pfsense1.png
syadminthese switches dont seem to be in stack
mxhob1The unmanaged ones?
theacolyteLook at what you just sent a bit closer
theacolyteIf you're talking umanaged those bond0's aren't LACP
theacolytewhy are you second guessing what I'm saying hahaha
theacolyteIn fact that diagram you just linked there's a stack on the left
syadmintheacolyte: omfg you're right
theacolyteAnd when I say left I mean right
theacolyteSorry I'm really tired
syadminyeah np man
syadminthanks for pointing me out
syadminse I need to come up with smth different
syadminspanning tree for the access layer and some other shit for the redundancy at the distribution
ivanskiehey
ivanskieim forgetting my ccna stuff.. so here comes a stupid question.
theacolyte42
ivanskiei've got an SG300-28pp
E1ephantewww
theacolyteI'm sorry
ivanskiealso, i have a very stupid old 4 port 10/100 switch between my modem and two routers. (long story).
ivanskieso the question is.. can i separate like 3 ports on the sg300 from the rest of the network, so the three ports are like their own little switch?
_drew_sure you're going to need a hacksaw
ivanskieyah.. thought so
ivanskiecuz if i vlan those ports.. the modem won't know what to do with that tagged traffic right?
_drew_no you should be able to just create a new vlan
theacolyteIt would not
theacolyteYou would need a router
E1ephanthttp://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/sf30x_sg30x/administration_guide/78-19308-01.pdf ivanskie
_drew_so you want to separate 3 ports, and you still want them to talk to the router?
ivanskiethe thing is. i only have access to one port from the modem. i have two static IPs from isp. i have an old UC540 conneted to that "wan" switch. and i have a pfSense box connected to that "wan" switch.
ivanskiewhat i'm trying to do, is have something more than 10/100. without having to buy another cheap 100/1000 switch. since this is only temporary until i have a window to move uc540 behind pfsense.
E1ephantwhy two routers, instead of one router with both IPs?
twkmmmm, 666 clients joined.
ivanskieit'll eventually be pfsense with both IPs. from the one port.
E1ephantand you would just have access ports in this vlan, with like you're saying, a special "section" for WAN traffic
E1ephantjust with more cables than makes sense for dot1q
ivanskiewhy more cables?
twkmsounds like you should just bite the bullet, get that done now.
E1ephant^
ivanskiei should just plug the UC540 into our third router, that'll provide LTE WWAN. since chances of lte going down are pretty darn slim
ivanskiemy only window to do that is the weekend. just thought i could cheat. for now, during the week so i can get proper 120 instead of 70.
ivanskiebut soudns like its too much hassle
ivanskiestupid gui
DaemonDanyone know how to fix smokeping 500 error after no connection for a few minutes. have it retry maybe?
codydnHow exactly does one watch a log, a la 'tail -f' in linux/unix ? 'show log' just shows the log from the beginning. I want to see new entries as the come in.
twkmhave logging sent to a linux box.
syadminAH FUCK THIS IM GOING TO BED
diozhahaha
codydntwkm: I don't such boxen where that router is located. If the log can be dumped in a ssh session (with 'show log') then surely it can be tailed in some manner?
twkmnope. at least not for ios.
codydnWow... why? I mean the concept of tail -f has been around since early 1990s at least. It's 2016. What the fuck am I missing?
twkmturn on monitoring for your session.
nathanihow would I go about setting up an IPsec VPN between an Ubuntu server and a CSR1000v Virtual Router?
whoahttps://www.netflask.net/ipsec-ikev2-cisco-csr1000v-openiked/
whoamaybe something like that
nathaniwhoa: thanks, I will check it out
whoacoolio
whoanathani another example http://anastarsha.com/using-cisco-csr-1000v-as-secure-vpn-gateway-to-extend-network-to-the-cloud/
whoacanada is pretty cool http://farm8.staticflickr.com//7022//6555744745_a7e6608e15_o.jpg
cactoidlake louise?
sneylooks like minnewanka
diozyou still hung over sney?
whoamoraine lake
cactoidheh, wanka
sneynah I'm good
cactoidoh yeah, lake moraine
cactoidwent there too
whoasays bannf
diozsney: that hike. we ended up finding a 4 or 5 day old deer carcass. with the hugest rack.
diozwe didn't reach the memorial though
cactoidheh, hugest rack
diozcactoid: it was a huge rack
sneyit's funny because tits
diozthe deer would've been a beast
whoa:P
diozi'm waiting for the photographer to post the pics
diozi think he's watermarking them all
sneyfigures
hjohnsonI was going to say, that's Morane Lake
hjohnsonamazing how a full tank of propane makes your grill work better.
snacky
Resident_Germ.
DaemonDWhat is a tool I can use to keep track of hope changes through traceroute? Is that a good idea to keep track of it?
DaemonDI want to see if traceroute hops change over time
DaemonD i setup smokeping master/slave but it does not have this feature :(
samy1028DaemonD, I wonder if you could use diff to compare 2 stored traceroutes are different? just a thought.
samy1028don't have any idea how to implement it though.
DaemonDwhat if its like 1000s of files
DaemonDanything out there that does this anyone know?
samy1028There was a tool we used about 12 years ago at a previous job. don't remember the name of it though. Ran on Windows.