DaemonD ? ugh
theacolyteor any variant of mtr
DaemonDcant mtr do it?
theacolyteeh? I'm pretty sure that's exactly what I just said hahaha
DaemonDcool thanks
DaemonDtheacolyte: do you know for sure that it will detect and notify me that a hop was changed?
theacolytedetect, yes
DaemonDit night do the traceroute once and then just show the path statically
theacolytenotify, no
theacolyteit does not do that
theacolyteif there's another hop it'll increment counters for that hop
DaemonDhow do i know that a change was made?
theacolyteyou could write something in python pretty easily to do that
DaemonDi dont know programming :(
avgn5Is there a way to do "debug ip nat" but limiting it to just certain matching IPs or access lists ?
TeMP_# debug ip nat ?
TeMP_ <1-99> Access list
avgn5TeMP_: I saw that, but it doesn't seem to work with named access lists
avgn5I get invalid input
avgn5I tried 'debug cond ip' and 'debug ip nat' but it's not showing only lines with but lines that don't have it as well.
avgn5What am I doing wrong?
DaemonDtheacolyte: i will just do a report and then compare visually as you say
avgn5I've goolged but can't find anything to explain why this isn't working.
avgn5It's like the condition is being ignored.
DaemonDtheacolyte: Where is proof that mtr will do increment to hop ?
_drew_do increment to hop?
DaemonD“if there's another hop it'll increment counters for that hop.”
_drew_if say hop 9 changes, it'll give you a different host and latency stats for that host
_drew_also, you are aware that hops over the internet are usually asymmetrical right
_drew_like shit will take a different pack going out as it does coming back to you
DaemonDi want mtr to tell me if and when a hop is introduced or eliminated through a period of 24 hours ex
DaemonD" the big advantage over traceroute is that the output is constantly updated. " ... output of ping or traceroute? they dont specify
_drew_so internet routes change all the time, and even when they're not really changing, there are like multipath routes where you will see a variety of ips as a specific hop
DaemonDbut maybe one of those ips is badly configured?
_drew_the output of mtr is what they're referring to as the thing that's constantly updating
_drew_no, thats just the way the internet works..
_drew_backbones will have multiple links between backbone routers
_drew_oh, i see, you want to troubleshoot if one of those IPs is badly configured, yes
_drew_so really what you want to do is correlate a mtr with a period where you're seeing bad stuff in smokeping right
saqyou get smokeping setup?
DaemonDsaq!! nice to see you man
DaemonDi setup master -> slave as we spoke before
_drew_so the thing about mtr is it keeps all stats from when you started it
saqcool, you get the slave working?
DaemonDsaq: yes
saqadd more slaves, the mountain of evidence mounts
saqis the slave outside the network?
DaemonD_drew_: so it would not update the traceroute table if a new ip is used
DaemonDsaq: master is outside network. easier that way
_drew_it still would, but my point is the display gets convoluted after a while, because the internet is changing all the time
saqi can see why you would say that
_drew_so what i would recommend is to run mtr via a scheduled task, cron or something, for a minute at a time
_drew_then when you see a period of shitty performance in smokeping, go pull the mtr records for that time period
_drew_ive set up something exactly like that before and its extremely helpful
_drew_you gotta mtr both ways though
DaemonD_drew_: yeah, that makes sense. cron job pipe to logfile
DaemonDnot the most elegant method though
saqstill having office internet issues?
_drew_check out the command line options, theres stuff for putting it in syslog etc
saqim seeing some stuff tied to alerts in smokeping that runs an mtr
DaemonDyeah, it's like on purpose they make it all better and then it all goes to hell lol
saqin google
saqtheres not a clean way of doing this but thats probably it
saqyou have all your hops plotted right? default gateway, uplink ip, ip up from that, etc
_drew_saq thats not helpful though because you dont know the condition of the network *before* the alerts went off
saqfrom both sides?
DaemonDsaq: yep and want to add many more slaves soon.
DaemonDproblem is securing the master
saqits just a website
DaemonDi tried ip filtering but it just filters the cgi stuff
saqrestrict what can access it to some specific IPs
saqwith iptables etc
DaemonDyeah i am kind of sharing the master atm. no money for vps atm
_drew_yeah smokeping is kind of a security nightmare
DaemonDi want to create openvpn tunnels
DaemonDthat would be the best way.
saqno... money...
saqdigitalocean is like $4/mo
DaemonDi know, but i dont control the monetary part
DaemonDi will setup openvpn tunnels over the weekend.
DaemonDsetup crontab, should be interesting thanks guys
DaemonDsaq: i hear smokeping 3.0 is in the works
saqhas been for years
saqi dont think its gotten very far
_drew_i hope they totally rewrote it
_drew_smokeping is a disaster of code
_drew_i guess rrd isnt much better but at least its extremely fast and lightweight
saqits not that bad of a disaster
saqits a disaster of documentation
saqits a product of its time, its pretty old
_drew_the config is also a disaster
_drew_i guess so
saqyou can fix the config
saqone monolithic file was a dumb idea
saqjust gotta use some @s and get creative :)
DaemonDhah true true
DaemonDsaq: i have small issue. if slave looses connection for a few minutes. it gets 500 error. i have to manually restart it
DaemonDhave you run into this?
saqthats your host
saqwhere does the error show up?
DaemonDwe had network outage for 10 minutes.. i come back 2 hours later and see slave is error 500
DaemonDservice smokeping status
saqit should reconnect
saqi dont have that problem
DaemonDit said error 500 timed out
_drew_each smokeping on the slave is triggered by the master?
_drew_the http 500 status code isn't timeout, it's server error
DaemonDno slaves knows master http page and secret
_drew_anyways.. you just need smokeping to know there is a problem and mtr from both sides to know what the problem is
saqyou can create a lot of monitoring points wiht smokeping
saqif the route changes a lot that wont help but you can narrow it down
_drew_well what ive seen is the route changes and the new route is shitty
_drew_usually what happens is a backbone does some maintenance in the middle of the night and shifts all traffic to another link which becomes congested.. or something like that
DaemonDthanks again. gn
xoussoulds like some shitty network design
MyssTxous <- expert in shitty network design :p
xousdealt with and built plenty of shitty designs
xoushow else do you know it's really stupid until you try it
xousMyssT: uhh. the ccie lab exam is pretty much "here is a really really shity network" tune these knobs
xousthat's why paper ccies are truely terrifying
xousthey may not have the common sense to know that you don't do shit like that in real life :P
FastEthernetHello. I am GeekNerd. I am here under an alt because niko (of freenode staff) banned me here a while back and said the chanops woild be in charge of when it expires. I have no idea if and when chanops are even around here.
FastEthernetso if there's any chanops seeing this plz /msg me
FastEthernetmeanwhile I will be playing with my new routers, switches, and AP's
saqnobody here cares, or ever will care
MyssTFastEthernet: Your life sounds amazing, tell us more..
saqim pretty sure ive seen that exact copy and paste here like 3 times
MyssTshh saq
saqover a period of years
FastEthernet saq, not from me
FastEthernetanyhow, I just got done cropping a pic of my awesome CCNA lab setup
MyssTtell us about your routers FastEthernet
FastEtherneti had to use this smartphone's S-Pen (yeah I got the Note 4, hooray for me)
FastEthernetto crop the pic tightly
FastEthernetso i dont reveal any personally identifiable aspects of my bedroom
FastEthernetso now I can upload the pic to imgur
MyssTyou should tumblr all your network gear
MyssTcoz, that'd be so hawt
FastEthernetand now I can do all the lab stuff
frollermaybe a long set-up for goatseing everybody...
FastEthernetare you suggesting I am affiliated with the Gay Nigger Association of America?
FastEthernetmortal enemies of the Ku Klux Klan?
FastEthernetanyhow lets not get on that topic
FastEthernetit tends to get me banned
MyssTFastEthernet: your switches are sexeh, but you need a rack
FastEthernetfor the 2621 is there a WIC that is just a 10/100 FastEthernet port or two?
MyssTit's 2 fa ports
FastEthernetbuilt in has 2
FastEthernetare you saying theres a WIC with 2 as well?
MyssTthe bakplane on a 2621 is like 12 mbit
FastEthernetfor WIC cards?
FastEthernetits limited that low?
FastEthernetare the built in fa ports any faster than 12mbit?
MyssTyes but not much
FastEthernetand is there any way to make it do overloaded NAT (on the built in ports) at 30Mbps?
FastEthernetand more importantly (google isnt as helpful as i'd expect for this one, seems a easy question).....
MyssTprobably not, it chokes about 20 if i recall
FastEthernetCisco 3560 layer 3 switch with the 4 SPF ports, are they SFP or SFP+
FastEthernetits the bottom of the stack on the pic i posted
saqhow old are they?
saqdoubtful they are SFP+
saqthats new shit
FastEthernetIDK but the firmware was built in '07 or '08 if i recall from the boot output
saqfar older
saqshow ver
FastEthernetthats older than sfp+?
saqwill tell you the hardware
saqthe cisco SKU
saqlook that up
FastEthernetso it could be sfp+ at that agem
MyssTlul FastEthernet you're funny
FastEtherneti guess I better boot it up
FastEtherneti am not currently trying to be funny
saqboot it up, get model number, search model number
FastEtherneti remember from the ebay listing its the one with 48 TS in it
FastEthernetand besides I know its physically SFP form factor and 1gig is the only ones listed in that table
saq[3/29-00:19] <saq> boot it up, get model number, search model number
tehrealI should have read this so long ago
saqnothing else matters
FastEthernetthanks. and this is the answer i wanted
FastEthernetbecause I dont need a 10 gig interface. what i do need is cheap cheap cheap stuff on a cheap budget, and old stuff is cheap
FastEthernetnot sure i will even need it though
FastEthernetit will be difficult if I want to migrate my family's home network from consumer roiters and DD-WRT to Cisco. firstly our cable modems built in router doesnt do static routes
FastEthernetso the actual decent (anything but built in) router needs to use NAT
FastEthernetand if I move away from old DD-WRT units I would need a cisco router that doesnt bottleneck our 30 meg internet on NAT
FastEthernetof course I could keep an old dd-wrt unit just for NAT and the rest could be cisco, except what about the AP?
FastEthernetI want at least 802.11n but I would have a and g only
FastEthernetbecause the LAP and not AP version are available for cheap, and while the 1231 and 1131 second-to-newest IOS images let me download
FastEthernetthe 1142 which has 802.11n, i cant get any image for except LAP
FastEthernetunless i get a service acct
FastEthernetthru cisco
FastEthernetand i dont have a million bucks and a legal team laying around to negotiate contracts to turn a fucking lightweight access point into an autonomous AP
FastEthernetthe AP1142 vs LAP1142 is merely software, those with a cisco service contract on their acct can download the images and convert easily between the two
saqpony up for smartnet
FastEthernetLAP is lightweight and requires a WLC which arent cheap even used
FastEthernetwhat is smartnet?
saqthats ciscos support service
FastEthernethow much you think that is?
saqprobably not much
FastEthernetI am an IT Network Specialist (thats an associates degree including CCNA classes and a shitload of other stuff)
saqnobody cares
FastEtherneti also have a car payment. and i pay my mom $100 a month to cover the added cost of a teenage boy on her insurance policy
FastEthernetso "probably not much" has a far different meaning to me than to most adults
FastEthernetwhen it comes to cost
FastEthernetneedless to say I bought all this gear used, with stuff like bezel damage, missing port label sticker, etc.... makes it real cheap
FastEtherneti wonder what kind of data rate I'd get without NAT on a 2621
FastEthernetlike just static routes or maybe RIP
saqa little more
saqthats a pretty old piece of gear
FastEthernetis 30 feasible?
FastEthernetor at least 25?
saqtake out nat and ISR g1/g2 perf is a lot better
FastEthernetmight as well give it a shot
FastEthernetg1? lmfao
FastEthernetno gigabit here
saqi mean gen1/gen2
saqnot sure if a 2621 even qualifies as that
saqits like -2 gen
FastEthernetits a gen1?
saqtheir terms for what is an ISR gen1/gen2 is pretty wide
MyssTFastEthernet: fa to fa port maybe 50 mbit without nat
saqa 2621 router is like, probably as old as you are
FastEthernetwell the owner of Knowledge Computers offered me a special deal knowing I was a student. he said they arent much good for any modern speeds but are good for a ccna lab
saqthose were new when i first got into this kind of stuff, 16 years ago
FastEthernetso he said, $5 each for the two, $10 for both
saqthats worth it, just have realistic expectations
FastEthernetone has a missing bezel the other has a missing port label sticker
FastEthernetthats why they were cheap
FastEthernetif it does 50 with NAT off, would it actually cut it in half to use NAT?
MyssTI had a 2621 and 2651 in my first rack sometime early 2000's, that 50 mbit is 1500 byte packets.. 64 byte.. well, way way less
FastEthernetyou used 64 byte packets??
MyssTwhat you mean used?
FastEthernetyour MTU
FastEthernetwhy set it that low?
MyssTno, some packets are smaller than others dude ;)
FastEthernetwell yeah
FastEthernetbut things that need lots of speed will be trying to transfer a lot of data and should be using the max allowed
FastEthernetlike streaming Netflix, I assume wouldnt be 64 byte packets
FastEthernetor downloading a file
FastEthernettoaster66: toast your face
FastEthernet66 times
MyssT^ shots fired
MyssTso just for my amusement, what ios version is on your 2621
FastEthernetare there any real benefits use-wise (as opposed to just ease of management) to a WLC over autonomous AP's?
FastEthernetoh its got 12.1 i think
FastEthernetthey can support 15 is what that guy said
FastEtherneti just dont have the service contract to acquire it
saqcan a 2621 run 15?
saqthat would be pretty surprising
saqhow old are you
FastEtherneti mean, Microsoft has DreamSpark for IT students to get free Windows, Windows Server, and stuff like that.
MyssTyou know those things can even do basic mpls.. with the right ios, ldp is possible to configue
FastEthernetand Cisco doesnt have squat
FastEthernetMyssT: second semester part time
FastEthernethavent got to those acronyms yet
FastEthernetsaq, I am 19
saqwell, that router went end of sale in 2003
saqcant find the first sale date on them
FastEthernetI was 7 (or 6 if it wasnt that late in the year)
saqbut its entirely possible it was before you were born
saqmath isnt your strong suite was it
saq(is it
Mcl0vingood morning all
MyssTACTION lulz
FastEthernet1996 is all i will say
FastEthernetfor my birthday
FastEthernetand 2003 was 7 years later
FastEthernetso you sir, can go suck yourself off. well at least u wish u could
FastEthernetno offense
FastEthernetbut I did take AP X
FastEthernetAP calc
FastEthernetin high school
FastEthernetso dont tell me i am no good at math
FastEtherneti make typo not by being idiot
FastEthernetbut by being on smartphone
FastEthernetwith touch keyboard
FastEthernethey, is there a bot in this channel?
FastEthernetlike an anti spam bot?
Golleestarting to wish there were
Mcl0vini need some help understatning ospf O IA routes please.
FastEthernetGollee: this wouldnt trip one. this isnt spam
FastEthernetI was considering pasting a running-config without a pastebin, thats what would trip a spambot
saqsomebody might go have a chat with niko
Mcl0vinACTION wonders, why kids are still up so late!
FastEthernetoh but thats neither needed nor has any benefit to anyone
saqyou underestimate the entertainment value
FastEthernetas a simple disconnect/reconnect of the VPN and if its a $a ban, group and set new accountnamr
saqyeah, but the smell
FastEthernetthe issue is, GeekNerd is a cloaked acct
saqits detectable a mile away
FastEthernetthats why i needed an alt to evade
FastEthernetdid u know i am geeknerd?
FastEthernetoh yeah i said it when i joined
FastEtherneti forgot
FastEthernetGigabit costs a gigashit. Long live FastEthernet!!!!!
twkmgood thing the network staffers are asleep, as ban evasion is strongly frowned upon.
Mcl0vintwkm: go for it! :)
twkmi'm not an oper here.
Mcl0vintwkm: but atleast you feel our pain. Thats what counts.
FastEthernethey tinyhippo this is geeknerd
FastEthernetsince chanops around here seem to be more of a myth than a solid factual presence, i was wondering what to do about the ban niko said to talk to chanops about
xous+b FastEthernet plz
FastEthernetxous, you werent even part of any conversations I was in.
FastEthernetIIRC thats your first line since I joined this channel. so what did I do to upset you?
Mcl0vinxous: '/ignore FastEthernet <- that should do the trick for you
FastEthernetyeah, if you are offended at the concept that someone has questions about a router, here's an even better command: /part #cisco
FastEthernetanyway im not gonna fight.
xousMcl0vin: where is the fun in that.
Mcl0vinxous: ohh... You are sick then :P LOL
FastEthernetso this is fun for you?
Mcl0vinyou like to see them in pain LOL
MyssTwatch out xous.. FastEthernet is n IT Network Specialist!
xousI used to hang out with real trolls
xousthey at least did funny shit
xousthis shit is just sad and pathetic
Mcl0vinMyssT: "MyssT> watch out xous.. FastEthernet is n IT Network Specialist!" <-- classic
xouszomg. he will reinstall windows instead of fixing the actual problem.
xousso badass
Mcl0vinwatch out ....tasklist | findstr gns3
FastEthernetxous, I fix plenty of problems. However, if it is a virus or spyware, I prefer to reinstall and then scan the backups with Norton before restoring files
FastEthernetalthough nowdays I have imaging instead of reinstalling from scratch
FastEthernetfinally got a 128gig USB3.0 flash drive. it boots winpe
FastEthernetas in ever since i learned how to set up windows PE
xousuhh. imaging has been popular for over a decade
Mcl0vin i need some help understand OSPF O IA routes please
FastEthernetwhich I hadnt really thought to learn until I saw it in class
FastEthernetACTION shuts up for on topic question he knows nothing about
Mcl0vinif i do 'sh ip route ospf' i should see O IA for the external 192.168.3.x right?
jotnIf I create a Flexconnect group, and do WLAN VLAN mapping. Do I still have to choose VLAN support under FlexConnect on each AP?
jesturSo, not sure if this is doable and my google-fu is failing me, but.. 802.1x authentication on cisco 2960x switches with dynamic vlan assignment is straight forward to set up. Radius server replies with the VLAN for the device/user. But what if you use different vlan numbers over your organisation for the office network (for instance)? Lets say that depending on the location vlan 1501 is used somewhere and 1502 somewhere else (up to 1599). Can you have the radiu
jesturHopefully you understand what I mean
eirirsmy idea is different radius server for each location
eirirsmight be some better solution without me being aware of it, though
jesturThat would require ~100 servers, so would prefer to do it another way :)
syadminAnyone can point me out what's wrong with this architecture?
syadminyou can also punch me in the face if it's so badly wrong
Mcl0vinsyadmin: i wanna say you will need two more trunk for redundancy
mxhob1syadmin: Why not add a 6th link between the top two switches and let STP do it's thing?
Rasmus-syadmin: You want to build triangles, not squares.
Luc-SVKPls is it possible to check NVI NAT configuration from that router where is configured?
Luc-SVKwith legacy inside/outside nat config i can do ping x.x.x.x source inside_iface .. but this doesn't work with NVI config
Luc-SVKAny hints pls?
HelgeO_Even though Cisco has not announced any eol/eos dates yet, will the controller live for many years to come?
bandroidxis isdn actually still used for video conferecing?
Armegedenheard that INE was doing a $1000 off bootcamp deal... anyone have details/code? i don't see it on their site
SuperNullwhat is the point of spanning tree if you have BPDUfilter on everythnig
syadminMcl0vin mxhob1 yeah but this won't work because I still have a SPOF, that is to say, when a switch dies it prevents me to access that vlan.
tmbg_SuperNull: none. Bpdufilter is evil on most cases
Mcl0vinArmegeden: bootcamp for what? NA, NP or IE?
SuperNulltmbg_: they have that shit used everywhere
SuperNullits like they enjoy using dumb switches
UncleDraxbpdufilter has it's uses.. putting it 'everywhere' is bad though
SuperNullUncleDrax: provide me a use .. in the service provider network
SuperNullnot facing a customer
Mcl0vinUncleDrax: my understanding is that you config bpdu filter on end-user facing ports!
UncleDraxsure. I have an aggregate switch that goes to a MDU site (or call it a 'small campus network'. I don't want a misconfigured/misbehaving switch at that site to ever accidently send me BPDUs, and I know i'll never have a loop to that site because I don't build the fiber that way
eirirsSuperNull: bpdufilter don't save you from loops. spanning-tree do.
SuperNulli know.
eirirsSuperNull: if no bpdu packets are coming, no loops will get detected no matter how many ports have bpdufilter up
UncleDraxwell no loops detected via STP anyway
UncleDraxthere are other protocols/tech that does that
SuperNulli know what it does.
eirirsonly places I do bpdufilter are uplinks
SuperNullmy point is internally it should be used but facing a customer bpdufilter should be enabled
SuperNullwhy uplinks ?
SuperNullhow do you provide multiple paths ?
eirirsagainst isp, or on a single wire between two buildings
eirirsyou have a stp domain per building
eirirsyou don't want your stp domain unnecessarily large heh
UncleDraxya I do sorta what eirirs does. that said, if you split the 2 levels of SP I do.. one is MAN/WAN stuff.. the other is on-campus topographies to end-users, I BPDUfilter between that wall
eirirswith mstp you won't need bpdufilter though
zadrot_ebaniy<3 cisco
zadrot_ebaniyyou can enter a nat statement that breaks internet connectivity
zadrot_ebaniyand when you try to undo it as fast as possible
zadrot_ebaniyit says that it cannot do "no ip nat ..." because translations are in use
zadrot_ebaniyalso when you try to clear those specific translations, it will tell you that you cannot remove static translations
twkmnewer ios allows you to force it. otherwise you can try to use do to clear it then repeat the no and hope it works.
kmcelroy1you usually have to just have it ready to paste both at the same time
kmcelroy1so like do clear ip nat trans * no ip nat yada yada
kmcelroy1then paste both from config mode
kmcelroy1it is rather annoying, you would think removing the statement should just automatically clear the translations
zadrot_ebaniybut the feelings that rush through your mind when something like that happens for first time and you hadn't had any idea that this would happen...
avgn5I tried 'debug cond ip' and 'debug ip nat' but it's not showing only lines with but lines that don't have it as well in 'show log' or 'term mon'. What am I doing wrong?
ohsnapis it possible to ID ASA's by mac vendor or are they kinda all over the place?
kmcelroy1avgn5: read the supported debugs
kmcelroy1avgn5: use an ACL to filter nat debugs
eirirszadrot_ebaniy: that's why you have reload in 2 before you try something dangerously
kmcelroy1most newer platforms should be able to do the commit config and auto rollback now
kmcelroy1so not needed in most cases to reload
ohsnapanyone here know what mac prefix's ASA 5505's can have?
kmcelroy1anything cisco owns
kmcelroy1you aren't going to find an ASA by mac prefix
ohsnapdamn. figured as much
ohsnapcisco has so many prefixs. trying to narrow down somehow
kmcelroy1you won't
avgn5kmcelroy1: I don't don't see anywhere how to specify an ACL in debug condition
UncleDraxohsnap: can you SNMP the device in question?
UncleDrax(if you're coming from the outside, I would expect not)
ohsnapGollee: thx actually i could put that to use. but though i can tell for sure that this is a cisco prefix (d4d748) there are just too many cisco prefix possibilities. trying to tell for sure if it is an asa
ohsnapUncleDrax, yeah was gonna start snmpwalkin it thx
UncleDrax sysDescr.0 should tell you everything you needin most cases
UncleDraxif you're just wondering what is on the other side
UncleDraxalso.. LLDP.. CDP.. etc.. but again if you're coming from the outside side of the device.. I would hope none of those things are enabled on the WAN
kmcelroy1ASA doesn't support LLDP or CDP
ohsnapi can get inside, just not certain about community strings etc
UncleDraxreally? huh.. I've never touched an ASA tbh.
kmcelroy1that is why they are fairly hard to find without having it documented
UncleDraxwell they are designed to be security-type appliances.. so that's not.. entirely insane
kmcelroy1no, but they should still support it if you want to turn it on, easily restrict it to security zone unless you manually bypass, etc.
kmcelroy1i should be allowed to decide, but i get not turning it on by default
oisterasa is going to be changing a lot over the next few years, no telling how its going to turn out
kmcelroy1should be for the better i think
kmcelroy1i am ready for something different on that front
oisterthey are really trying compete with PA
oisterfrom what it looks like
kmcelroy1then they need to kill off plain jane IOS
kmcelroy1well, of course
kmcelroy1they are the top at this point
oisterbut its going to be a mess until its all integrated
oisterthey bought opendns and are buiding this amp thread grid shit
oisterbut its still all separate software
kmcelroy1should clean up nice eventually
kmcelroy1PAN has the luxury of being new to market with no legacy crap to support
kmcelroy1it's the old legacy support vs nimble new software game
oisterand playing catch up
kmcelroy1maybe they will eventually kill off IOS and just use XR/NX-OS for everything
kmcelroy1one can dream
oisterget it down to 3 interfaces lol
kmcelroy1i could live with that
ohsnapthx all
kmcelroy1IOS is getting too long in the tooth at this point
kmcelroy1and XE is a step in the right direction, but still reliant on IOS
frankie64good morning, having a cisco 7941G IP phone problem , looking for some help.
kmcelroy1frankie64: not many phone people here, but just post the problem and if anyone around knows they will say
frankie64i have about 20 7941G ip hones (SIP 9.4.2) somehow 3 way calling doesnt work, do first call, click confrn and 2 line comes up, make call on second line and supposed to click on confrn again to join the calls and nothing happens, looking for help or direction (Ie is there a better IRC Channel)?
kmcelroy1since it is SIP firmware, probably not cisco PBX, so you won't get much help here honestly, i would talk to whatever forum/support the vendor offers
kmcelroy1most likely something with the PBX
frankie64the 3 way calling is a phone feature, nothing to do with the PBX
avgn5kmcelroy1: I don't don't see anywhere how to specify an ACL in debug condition. I'm using IOS on an 881.
frankie64my spa504 sip phone works correctly
kmcelroy1avgn5: not sure what to tell you, gave you the link for the command, the supported versions and syntax
kmcelroy1avgn5: but your conditional command will not work for the debug you are trying to run
avgn5kmcelroy1: You're the one who said to use an ACL.
kmcelroy1avgn5: i did, notice it is listed in the syntax of the command i gave you
avgn5How do I limit 'debug ip nat' log lines that only show certain IPs.
kmcelroy1documentation has it, gives supported versions, if your box doesn't have it, either find supported software or you can't get it and you should call cisco
kmcelroy1read the document, it clearly states
avgn5I don't see anything about ACL in the debug condition section.
kmcelroy1avgn5: going to be a bit of a dick, are you blind? debug ip nat [ access-list | clearly the first option in the listed command
kmcelroy1literally the first on the matrix explaining each option is access list
kmcelroy1it says what that option does, in fairly good detail
avgn5kmcelroy1: I thought you were talking about 'debug condition' the whole time.
avgn5You never said the ACL was appied directly to debug ip nat
kmcelroy1you didn't read anything clearly
avgn5kmcelroy1: The link you gae, with #wp1384201382 on the end, scrolled directly to 'debug confidtion' so I thought that's what I was supposed to be looking at.
kmcelroy1i gave both
avgn5I only saw one link.
kmcelroy1first one i told you to look at the supported commands
kmcelroy1you will notice debug ip nat is not listed
kmcelroy1then i gave you the debug ip nat link with options
kmcelroy1this field will beat you to death if you don't read the docs
avgn5FWIW I ususally do fine. I just don't understand why debug condition ip doesn't filter things like debug ip nat. It would make debugging a bit simpler. It's not a big deal to set up a temp acl and use that.
kmcelroy1for reference, i had no idea what was supported with the debug condition, i spent all of 1 minute on google to find out, my point is you didn't really look
kaleidokmcelroy1: the cisco manual says, on page 1, "for answers to all your questions, please see #cisco on freenode"
kmcelroy1anytime you don't know why a command is working different than expected, look up the command reference first
kmcelroy1it will generally explain most everything
avgn5kmcelroy1: For the record, I did look, googled quite a bit but honestly couldn't find anything.
kmcelroy1i googled your command verbatim
kmcelroy1first link
kmcelroy1no reason to defend it, just correct it in the future and your life will be much easier, all i am saying
avgn5I googled a lot with variations of "debug ip" and "debug condition ip" and wasn't able to find anything of use before.
kmcelroy1then i would ask, how did i find it so quick?
kmcelroy1i am not some super genius
kmcelroy1i have literally never used debug condition
avgn5kmcelroy1: I don't know. I do know that google doesn't necessarily show the exact same results to everyone.
twkmi find going to the ios documentation directly is better.
avgn5It's often influenced by your search hgistory.
pffsuccx is obnoxious
pffsmostly because I don't use it very often
kmcelroy1most cisco phone stuff is obnoxious
avgn5Ok I set an ACL 'access-list 123 permit ip ...' but when I try 'debug ip nat 123' I get "Invalid input detected", what am I doing wrong?
oistereverything avgn5
avgn5(And yes I left config mode before entering the debug commands)
kmcelroy1please stop working in networking
oisteruse the ? key
oisterlearn the ? key
kmcelroy1cause you are horrible at self learning?
avgn5I used ?, it shows an access-list number cna be entered, and that's what I did
pffstab + ?
avgn5kmcelroy1: No I"m not. Like I sasid before I don't normally have this kind of trouble.
kmcelroy1you have a lot of these troubles as i have seen before
kmcelroy1i don't generally remember names unless someone asks a lot of these sort of questions or i talk to them often
codydnkmcelroy1: Seriously, don't be an ass. I'm sure there have been times in the past when you a defficult time. Belittling people helps no one.
avgn5No I don't.
oisteruse the ? key
avgn5I did.
oisterit will tell you what input it wants
avgn5It says to enter an acl numbe and that's what I did.
avgn5access-list number*
avgn5I already said this.
kmcelroy1you have to use a standard ACL
oistermaybe its the wrong acl type
codydnkmcelroy1: I've hardly seen him ask questions.
kmcelroy1codydn: then you don't look often
codydnHe said he used "access-list 123 permit ip" which looks very standard to me
codydnkmcelroy1: I look all the time. Stop making all these assumptions about people.
codydnkmcelroy1: You're just coming off as seriously calous.
kmcelroy1codydn: standard ACLs are 1-99, 1300-1999, you would realize this based on the IP portion of the ACL statement, standard ACLs don't have that
kmcelroy1as they are destination based only
kmcelroy1which is why i said STANDARD
kmcelroy1not extended
codydndebug ip nat ? doesn't actaulyl say standard, so I'd submit that it's not very clear.
kmcelroy1the syntax description was very clear in the debug ip nat command as well as this is access list 101 for cisco
kmcelroy1read the first matrix description for access list
kmcelroy1(Optional) Standard IP access list number. If the datagram is not permitted by the specified access list, the related debugging output is suppressed."
kmcelroy1i'm sorry you need things spoon fed, but it is very clear
oisterfrom the command reverence which popped up on the 3rd google hit
oisterrequires standard acl
kmcelroy1i posted it earlier
oisterimagine if you didnt have google
avgn5I don't need anything spoon fed.
avgn5I do appreciate help.
oisterlive would be sucky
codydnkmcelroy1: Seriously, can you please dispense wit hthe rude and needless comments?
oisteryou new here cody?
codydnkmcelroy1: No.
codydnkmcelroy1: That mean I have to tolerate needless rudeness and holier-than-thou attitudes that really shouldn't be here.
kmcelroy1codydn: forgot to read usernames too brah?
kmcelroy1you said no to me, oister was the one that said it
codydn"<kmcelroy1> i'm sorry you need things spoon fed, but it is very clear" <-- That was you.
oisterwhen you give someone a link to the exact command sytanx and they cant read its pretty frustrating
kmcelroy1so you said no to that? ha
codydnJust because someone has gotten tripped up doesn't mean the yaren't an otherwsie effective admin. I really don't seem him asking many questions in here over all, yet you're all to ready to just jump all over someone like him.
kmcelroy1debug ip nat ?
kmcelroy1 <1-99> Access list
kmcelroy1just thought i would post that too, ha
kmcelroy1remember when he said use ?
kmcelroy1remember when it listed 1-99?
pffsyou mean 123 isn't between 1 and 99?
kmcelroy1remember when the ACL he used is 123?
pffsmath is hard
kmcelroy1remember when we can count?
kmcelroy1remember when we gave the docs?
codydnkmcelroy1: I've seen other places where that was listed that accepted a higher number, so it's legit to assume that might not be the limit but just how the docs were written.
codydnkmcelroy1: There many other inconsistencies like this that I've seen between what ? shows and what actaully is allowed.
kmcelroy1codydn: maybe don't get involved in things and get it all wrong over and over?
codydnSo can we seriously not put people down for making that sort of mistake.
kmcelroy1cause clearly we were correct with every piece of this so far
kmcelroy1so he could have just followed the docs and syntax help and done this
kmcelroy1this would be like if you went to college and started asking how to do addition
pffsyou say that like this doesn't happen
kmcelroy1oh, i am sure it is
kmcelroy1but clearly that it is a solid time to chastise
codydnkmcelroy1: You're the one who gave docs pointing to "debug condition" and then wondered why he thought you meant debug condition.
kmcelroy1codydn: i gave both, but ok sunshine
codydnkmcelroy1: Point being, you're not as perfect as you seem to think you are.
kmcelroy1someone's feelers got hurt by proxy
codydnkmcelroy1: There you go again.
kmcelroy1i fuck up all the time, but i usually go fuck, i am an idiot and move on
kmcelroy1not spend 40 minutes blathering on in butthurt fashion
pffsI'm not sure that kmcelroy1 is arguing with you that he's an asshole
codydnYes, but I don't see anyone throwing random insults at you.
pffsjust that avgn5 sucked at using available help
oisterwhat was the insult?
avgn5Yes, I could have done better, but I didn't need to be insulted. Sometimes people just a lot going on, making absortion a little slower. Sorry for that.
oisterhow were you insulted?
codydnI just hate seeing people jump all over someone, as that doesn't help anything.
codydnIt just creates noise.
kmcelroy1you mean like complaining for 40 minutes?
oisterjust wait until squib jumps on your ass for not reading the manual
kmcelroy1i am pretty nice in comparison
codydnI didn't say anything until 12 minutes ago.
pffsseriously, the white knighting in here is some crazy tetris right now
kmcelroy1someone is trying to get a fair maiden
pffsyou'd think avgn5 was a hot chick on the Internet
codydnI wasn't meaning to white knight, just pointing out that this attitute that we need to gather around someone and start kicking them just because they aren't understanding something is wrong.
kmcelroy1it was mostly just me then someone else said to use ?, which would have worked in that scenario
kmcelroy1then he said he did
kmcelroy1but clearly he didn't, cause as i showed you, it shows what number to use
codydnComments like "you shouldn't be in networking" are just needlessly deaming.
pffstrue, at least he wasn't in ccp
oisterwell thats a pretty common joke
pffs"I don't see the debug command on the webpage"
codydnIt's not very funny.
kmcelroy1does anyone actually use CCP?
oisterlike people that suck at skydiving, we tell them to take up bowling
kmcelroy1i thought if you suck at skydiving you die
kmcelroy1sorta self regulating
codydnGood point.
oisterthat or you kill someone else
kmcelroy1oh yeah, forgot about that whole tying up chutes thing
kmcelroy1that would blow
oisteryeah thats a bummer
codydnI've heard of people landing on someone else's chute because they waited to open, ripping through it, and getting that guy killed.
kmcelroy1that would suck as well
kmcelroy1numerous reasons not to jump out of a perfectly good plane
oisterbut its similar, if you suck at reading and helping yourself then this job might not be for you :)
codydnEspecially if you're the last one left.
pffshow about going bowling while skydiving?
oisterim sure its been done
codydntHrowe pins out of plane, followed by a ball
codydn(Ok, I'm sorry for making a big deal about all of that before.)
avgn5And I'm sorry for not payign closer attention to the docs there. (It didn't help that I was in a bit of a rush, but that's not really an excuse.)
oisterthere ya go :P
kmcelroy1avgn5: no big deal, we are assholes, but we are fairly forgiving assholes
kmcelroy1usually any shit we give is to try to motivate
pffsI feel like there's a joke in there somewhere
kmcelroy1unless someone is just a complete lost cause, then we just give up completely and stop giving any input
avgn5kmcelroy1: I can understand that.
jomidoanyone ever seen a CUCM CDR with letters in the callingPartyNumber?
kmcelroy1jomido: odd, is it coming in to you from the carrier with letters?
kmcelroy1i assume there is a CUBE in the mix somewhere
squibkmcelroy1 reads the manual
squiboister reads the manual
squibwhy you you rtfm?
oisterhe is risen!
squibI don't mind questions
squibI just can't stand seing shit like
squib"hey. can anyone tell me what a chair is?"
squibyou can fucking google that
squibI don't mind shit like "I tried to make this work and am stuck please help"
squibanother pet peeve of mine, and I'm sure most of you would actually agree, is when you offer the specific section of documentation that will solve somebody's problem and you get a fuckin attitudinal response
squibanyway y'
squibya'll caught me at directly after a full 60 minute workout so I'm pretty amped
squibshall we go on
murderwhats the more common problems betweeen ipsec x asa?
murderI have 6hrs pattern disconnections
squibmurder, configuration mistakes are the most common problem
murderthe logfile claim it's a DPD R_U_THERE not ACK
squibunexplained disconnects I would say is the 2nd most common type
squibso you configured dead peer detection right?
murderyes, both sides
squibhow long do your disconnects last
murderthe DPD works flawlessly the entire day
murderless than 2 minutes
squibmurder, I would see if you could just adjust your dpd thresholds then
squibwhat type of wan is this?
murderits internet
squibmurder, do you have any sort of monitoring tool like smokeping or nagios?
murderI think I know what you want, you want to check for possible ISP problems?
oisterwhy isnt there constantly traffic going down the tunnel
squibmurder, I am curious if your monitoring system supports the notion that you have temporary losses of connectivity
murderthere is, thats the point, since DPD from ASA is not even active, right
murderit only checks if idle
squibnot like total loss of internet, but end to end connectivity to your peer
murderlike reset by peer.
murderanyway, we've checked the ISP part, we ran a daemon and kept echong for 2 weeks
murderno drops happened
murderwith TCP, of course
oisteris it asa on both ends?
murderno, openswan x asa
hagbardWhats the proper way to have the ASA not attempt the clientless VPN when someone successfully logs into the https:// site? As in, I simply want authorized logins to be offered the anyconnect download.
oistermurder: any clues from the openswan side?
oisterive never used openswan so cant provide much help there
murdercheck this out
murderthere's a pattern in the disconnections, based on 6
oisterdoe the timers match on the tunnel config?
murderwhich ones?
murderthe DPD ones?
oisterphase 1 and 2
murderlet me check
Gunniports in bpduguard enable mode, do they SEND bpdus? (im too lazy to check and my google-fu isn't telling me)
oisterGunni: yes they do
Mr_BondGunni: no
Gunniyay, thanks oister
oisteronly bpdufilter doesnt send pbdu
Gunnioh no conflicting info
oisterstp always sends bpdu unless you have filter enabled
oisterotherwise it cant detect loops
Mr_BondI thought bpduguard was silent, and listened for bpdus, while bpdu filter ignored them
oisterthen if you connected 2 bpduguard ports together you'd have a loop
Mr_Bondgood point
oistereasy to test for yourself, turn on bpduguard and run wireshark
oisteryou'll see STP packets
murderis it a bad thing to have ASA being the initiator of the renegotiation?
murderI just thought it
murderI dont like how ASA supports DPD and I've seen some forums talking about exactly the same issue, with the same pattern
Gunniah yes, confirmed....
Gunnitwo ports with guard connected together
jomidokmcelroy1: yeah, from the carrier. use, running CUBE
jomidosorry, s/use/yes
Mr_BondGunni: nice :)
Mr_Bondmurder: shouldn't matter who is initiating, and both should be capable of it (having ike+ipsec open end-to-end). I had a simular issue once with strongswan and asa, it was due to different idle timers and one end not being able to negotiate
Mr_Bondalso you should use ikev2 if possible, because DPD/keep-alive is a part of the specification, and it better handles failures
murderrestart_by_peer yo umean?
murderon dpdaction.
bschipwhat ports need to be open for ACS for clients to access cisco ACS server?
bschipport 1645 and port 1812?
theacolyteI took what you just said "what ports need to be open for ACS for clients to access cisco ACS server?" and popped it directly into google
theacolyteThe answer is in there hahah
theacolyteDon't forget they are UDP
bschipthat is what I'm reading now :-)
squibtheacolyte, that's what I was complaining about!
theacolytesquib: wat
squibtheacolyte, how hard is it to type into google network ports for acs
squibthat's the kind of thing that makes me go "well did you fucking try?"
squibI know I can be a dick but sometimes people need to hear "did you google that?"
theacolytehahha I don't really like to answer like that, but it's funny to take a literal quote and paste it in to see if the answer comes through
pffsthose would be the ports for RADIUS
murderMr_Bond at this moment I have dpddelay=30,dpdtimeout=120 on OpenSwan and ASA 'isakmp keepalive threshold 300 retry 10'
murderare you suggesting I should align openswan to dpddelay=10,dpdtimeout=300 ?
randymarsh9anybody know if solarwinds has an irc channel?
errli dont think so
squibrandymarsh9, they have technical support.
oistermurder: generally you want everything to match
omgwtfI'm off for 2 weeks, work calls me if I want to come in for overtime
omgwtfuhhh, let me think about it
SuperNullomgwtf ' yeah i will come in for double time'
SuperNullbilled hourly minimum 4 hours
SuperNullplus travel and lunch <3
omgwtffree time > work
omgwtfbecause I already have enough shit to deal with and these 2 weeks I won't be spending them in the sun
SuperNulli live in florida the sun dont go away
omgwtfthat's a plus
UncleDraxwell... you live in the southern half though ? it's very much more sunny down there
UncleDraxup here it's overcast all the damn time
UncleDraxlike right now
omgwtfmust be hard to do any real work
SuperNullApple should counter sue government for trying to accost its rights in the color of law.
SuperNullUncleDrax: where you at ?
SuperNullim in Miramar right now but home is coral springs
UncleDraxheh. i lived in Oral Springs (right off the C-14) until about .. '90?
UncleDraxup in Gainesville presently
SuperNullUncleDrax: i'm right off sawgrass literally like 2000ft away.
SuperNullget off.. drive 2000 ft.. home.
UncleDraxgotcha. it's been a while.. I like how the C-14 is now a "river". we used to watch people ski down it and wipe out where people dumped cars
UncleDraxahh mispent yute
SuperNull3 yutes bro
SuperNullor was it 2 yutes
ryandda 2 yutes
UncleDraxi believe it was 2. but it's been awhile since I've seen the movie in question
ryandthe motel used in the film is on the way to my parents lake house, drive by it frequently
SuperNull2 makes sense
ryandand that line comes to mind every time
SuperNull2 yutes bro
pffswell, watched the docker videos on cbtnuggets
pffsthis shit makes a lot more sense now
pffsstill kind of black magic to some extent
SuperNullwelp the power just dumped
theacolytehella tight
kmcelroy1just got california in here
randymarsh9squib: what if you need help with their free products?
randymarsh9anyone have any idea what i would put in a solarwinds credential config for our cisco user name when the user name on the cisco device is blank?
nemithit's 2016
pffsare you looking at a line password?
nemithmaybe it's time to use aaa
runelind_qanyone using DMVPN as a primary connection for remote sites?
pffsrunelind_q: sure
runelind_qhow many remote sites, and what's typical connectivity at those sites?
pffswe have deployments between 10 and 5000 right now
runelind_qmy manager doesn't want to do it because it is not "reliable enough", which I could see to some extent.
pffsand they're just normal business class broadband normally
pffssome cellular
runelind_qwe'd have a low-bandwidth L2 circuit for things like voice.
pffsas long as you don't do something dumb like try to run it over satellite or 2g it's not that bad
pffsI think one deployment has a minimum circuit requirement of like 1/368k or something silly
pffsour biggest deployment is around 5000 and they try to force a 10/1 minimum. They probably have 20 sites down at any given moment, but some of that might be construction
runelind_qwhat do you use for a head-end in those scenarios?
square1Guys, i'm currently preparing for my CCENT exam after following the CBT Nuggets videos by Jeremy, I'm using to practice but i'm concerned one of the questions on it wasn't covered in the videos (e.g: "Which of the following use cases are matching the UTP Ethernet media type?") - Is a good resource for practice or should I avoid it, or do I need more than the videos?
twkmyou might want to look at the cisco blueprint.
runelind_qpffs: you do everything from file-sharing to regular internet traffic I take it?
anon12Okay I Have done that, and got the offical certifcation guides as well
pffsrunelind_q: most of these don't have a lot more than POS communication
pffsand headends depend on scale, usually some sort of ASRs
pffssometimes loadbalanced behind an f5 if it gets to a certain size
pffsthere are some that are just normal branch environments though
pffswork just fine
pffseither split tunneling the Internet at the router or forcing it all back to go out some type of content filtering
pffslooking into doing some flexvpn sometime in the near future, I think
runelind_qpffs: cool, thanks.
MichichaelQuick question folks. When monitoring ccmHistoryRunningLastChanged on a Cisco ASA 5545-X via snmp, if a user logs in via ASDM, the value is updated, even if no configuration change occurred
oisterdont log in with asdm
MichichaelNot an option for this client, as their admin team prefers it. :P
square1Guys, i'm currently preparing for my CCENT exam after following the CBT Nuggets videos by Jeremy, I'm using to practice but i'm concerned one of the questions on it wasn't covered in the videos (e.g: "Which of the following use cases are matching the UTP Ethernet media type?") - Is a good resource for practice or should I avoid it, or do I need more than the videos?
MichichaelOne would expect that if there's no configuration modification, the counter wouldn't update. ASDM prompts to save a change, I'm just curious as to why it would update the counters with no changes.
oisterthats going to be a tac question
oisterbut im sure they wont have a answer you can use
MichichaelYeah... was afraid of that.
MichichaelWe'll see what they say in 6 months
oisterdoesnt hurt to ask
oisterfor fun do a a show run before after logging in with asdm
oistersee if anything is different
oisterjust tried it on my 9.5 asa and nothing different in CLI
oistersure enough though, that snmp string changes after loading up asdm
oistersilly asa
square1does anyone have any advice please?
oisterfree advice?
square1um, I guess so :)
kmcelroy1square1: advice #1 don't spit in the wind
oister#2 dont stick it in crazy
square1Thanks :)
oister#3 dont take CCENT exam
oisterwaste of time
kmcelroy1#4 wipe front to back
square1This is all new to me though, so i figured starting from the bottom would be best
oister#5 dont scratch your nuts after handling jalepenos
kmcelroy1#6 don't forget to bring a towel
oistersquare1: do the ccna full exam
square1I think I'm struggling with the 100-101 practice tests and
square1It's difficult as I don't do this day to day anyway, but i'm only getting ~655 points
square1on the practice exams at
oisterwhich ones are you missing
square1I got this wrong: Question: Which of the following use cases are matching the UTP Ethernet media type?
cryptolvmv2hello everybody , can anybody explain me the purpose of updater identity in vtp protocol
oistersquare1: yeah it has all kinds of dumb questions like that
square1I keep getting OSI related questions wrong, "Question: Which layer of the OSI model ensures that information sent from the application layer of one system is readable by the application layer of another?"
oisteryeah those are all the ones you get to forget after you pass the exam
square1Another one: "Question: Identify characteristics of switches."
oisterread those 2 study guides i gave you
square1I'll have a read, thanks oister
nierosis there a tidy way with firepower
nierosto see which devices are sending out via pop3/smtp
square1I'll go read in bed, back tomorrow and may take another practice exam.
square1Thanks oister and kmcelroy1 :)
cryptolvmv2oister: why you consider somebody that have a bit less knowlege then you dump
cryptolvmv2is it was refered to me : yeah it has all kinds of dumb questions like that
oisterno, referring to the ccent exam
ayeceeitt: english murdered repeatedly
cryptolvmv2ahh then i sorry
square1yeah the english isn't great on
square1Ok, reading time. Thanks!
gewti need a pseudowire between a ubnt edgeos (vyos) and a 2851
twkmsounds ... bad.
UncleDraxi'd start with a regular wire... (sorry.. i had to...)
squibgewt, gre
squibuse gre bridging
squibit'll perform like ass though
squibdonkey ass
oisterass ass
runelinddamn, AnyConnect is slow :-/
runelindtried scp inside and outside the tunnel, getting 660KB/sec inside and 18MB/sec outside.
runelindguessing it is a config issue ;p
oisterscp is slow
oisteruses tiny buffers
runelind18MB/sec isn't slow.
runelindover the internet.
oistermaybe its a fragmentation problem?
oisteralso try anyconnect with udp
runelindyeah, I'll do some iperf tests
oisteru on a newer asa ?
oisterX series
runelindmy own personal 5505 :D
oisteri havent test anyconnect perf with one of those
runelindI seem to recall essentially getting wire-rate anyconnect when directly connected to it.
oisterbut it should be faster than 1mbs lol
runelindya, I got like 90mbps back in the day when I tried this.
runelindgetting like 1mbps with udp ;p
runelindI enabled dtls, set mtu to 1406 and set ssl compression to none.
oistercpu low on asa?
runelindnah, has like three clients connected to it.
oisternot cpu, not mtu
oisternot packet loss or anything stupid like that?
runelindinteresting, not getting 18MB/sec, but getting 1.1MB/sec with v4 rather than v6
runelindoh never mind, it is going down just like v6
runelindyeah, same slow speed with v4
sdn-bro1 stream?
sdn-brosometimes if you do -P # you get more
sdn-bro-P 2
sdn-bro-P 3
runelindscp should just be single stream
sdn-broi had a scenario recently where 1 stream in iperf was getting me 20M, when I ran 3 I got a total of 55
sdn-broi was wondering if it was TCP and latency, etc. but i was tired to try all the math
sdn-broi didnt muck with window sizes
runelindwell I don't need to prove performance with iperf, I already did that with scp
twkmiperf with udp limits itself to 1Mb/s.
runelindtwkm: well that's good to know
squibiperf -u -b <your_desired_bandwidth>
dogbert2twkm is simply brilliant :P
twkmi like -R too, to go the other way so i can see the losses every report interval.
whoaalso iperf3 is pretty great
sdn-broyes, when i say iperf i usually mean iperf3 :)
whoayah theres a live cd that perfsonar distributes
whoathat has iperf3 on it
sdn-brosometimes i get loss with -u even when my desired bw is under my limit
sdn-broi dont know why
twkmreporting takes a little bit of bandwidth.
twkmnot much, but if you shave it too close that'll tip it over.
dogbert2twkm, like most things :)
squibsdn-bro, check your packet sizes
squiblimit your packet size with -l
squib-l 1500 or whatever your mtu is
squibfragmentation can cause out of order packet/loss reporting with iperf
omgwtfwhoa, applied to amazon after all, we'll see if I get a call back
whoagreat man omgwtf!
whoaim root for ya
whoaa few years ago
whoai went to an interview
whoaand found out they were offering a pretty low level position
runelind_qthey wanted to fly me out
runelind_qI said no right around the time that article came out about them being a meat grinder
omgwtfYeah, they said for this position I might need to go to Virgina
runelind_qthis was Seattle
whoaalso meeting the folks and understanding how they did things gave me some good perspective for the job i had
whoai ended up staying at that job for a few more years
whoaomgwtf i see, yah im like 40 mins from ashburn
whoaequinix has one of the biggest east coast peering points here
whoaomgwtf is it a management position?
omgwtfnetwork tech, aws scaling
runelind_qwill you have 4 interns from thailand directly underneath you?
whoai gotcha, my friend was a manager out there for aws for a year
runelind_qsounds similar to what they wanted me to do
runelind_qsounded like building pods all day.
omgwtfThe position responsibilities will include scaling support of several data center locations and be responsible for day to day assistance with capacity management.
whoayah ask them about their policies for tracking data
whoai forget if it was aws , but they are really tight on where their hardware is
nierosone of my favorite interview questions is "what is your turnover for the last year or two"
whoathats a great one nieros
oistersounds like paperwork
nierosI just want an idea of how stable the company is
omgwtfTravel within the Virginia region will be required.
nierosand turnover is a great identifier
nierosmore than 20% can be a red flag
whoawhat is your nameee????
whoawhat is your questtt?
whoawhat iss your favorite colorr?
kidn3ysblu... no greeeeeeeennnnnnn
whoahah :)
nierosI've actually gotten pretty good at interviewing
omgwtfLike I said, I haven't signed anything..will see if I even get a call
whoathose who cross the bridge of death must answer these questionss threeee
nierosin terms of figuring out a potential employer
omgwtfcare to tell nieros ?
UncleDraxno.. yellloooooooo
UncleDraxoh you did that bit
UncleDraxmy reading comprehension is LIFO
nierosomgwtf: it kidn of depends on the company
nierosMSP / Var/ internal are all very different to work for
omgwtfWhat would you look for in a company like Amazon for ex?
whoaomgwtf cisco also has an office out here
whoain herndon , not too far
omgwtfnot that far from me either
omgwtfonly 1000 kms
envirocbrReally dumb question: SPAN ports on Fabric Interconnect. All they have is a laptop to connect, but how on Earth am I expected to SSH into that laptop when it is configured/connected to the destination port?
kidn3ysseperate wireless NIC?
envirocbrkidn3ys, Data center with no WLAN available
kidn3ysusb niC?
envirocbrNah, its just an old Lenovo
envirocbrNo one really has anything useful there
whoaits running linux ?
envirocbrwhoa, Yes
oisterneed 2 nics
envirocbrYeah, I figured as much
oisteror serial console
envirocbrI wish those guys were smarter, I could just have them configure whatever and just run the tcpdump against the NIC and send it to me
envirocbrMaybe I can, give them all the commands, then tell them to reconnect at their desk with DHCP, and run another script to upload the .pcap to my server
whoais fabric interconnect for UCS?
whoaif you have a jetpack or phone with lte you could leave it there
omgwtfenvirocbr, usually field techs aren't
whoaand have the laptop connect via wifi that way
UncleDraxcan't you have ports accept packets for tranport as well as spit out mirrored traffic?
UncleDraxah but dunno if that applies to Fabric junk
envirocbrUncleDrax, not for FIs, it needs to be a physical port
envirocbrthat isn't assigned
envirocbrtechnically, I could connect it to a switchport and then span that port