<ckluka> "The MP-BGP EVPN control plane for VXLAN was introduced into Cisco® NX-OS Software Release 7.0(3)I1(1) for Cisco Nexus 9000 Series Switches. The software functions will be implemented in the Cisco NX-OS software trains for other Cisco Nexus switch platforms, such as the Cisco Nexus 7000 Series Switches, as well."
<whoa> evpn is a layer2 vpn right?
<whoa> ah mp-bgp delivers the macs for the layer2 vpn
<whoa> ok so they are using vxlan to actually deliver the packets in this case instead of mpls
<ckluka> whoa: yes, EVPN is similar to EVI
<ckluka> they are both DCI implementations
<whoa> otv going away you think?
<whoa> i havent heard of evi
<ckluka> EVI = HPE
<ckluka> not cisco
<ckluka> HPE 5900AF's do EVI
<ckluka> they are about $8500 each for 48x 10G, 4x 40G ports with redundant PSU and most layer 3 features
<ckluka> $50,000 for a 4-pack of 5900AFs with 8 QSFP DACs and 64 10GBase-SR transceivers
<whoa> pretty cheap
<ckluka> sorry, I misspoke
<ckluka> 32 transceivers
<whoa> what kind of budget are you working with?
<whoa> did the company set one?
<ckluka> the sku is JG848A for 4 switches, 8 power supplies, 8 fans, 32 transceivers, and they took the QSFPs out
<ckluka> target is $50-100k for the 4 switches
<ckluka> we are putting out ~ $9,000 a month in MRC on this build
<whoa> i gotcha
<ckluka> including $6k/month for 2x 5G circuits from winnipeg to Toronto, $2500/month for rack/power/crossconnects
<ckluka> and probably another 3k for the azure 10g ports
<ckluka> so 12k/month for services
<ckluka> oh, I was right before
<ckluka> they still have the 64 transceiver bundle
<ckluka> 4 switches, 8 power supplies, 8 fans, 8 DAC cables, 64 transceivers
<ckluka> provantage says $47,615
<saq> 4 switches in a stack or 4 different sites?
<saq> ive got some 93128TXs on order but cisco is being a bitch about it
<avgn5> whoa: I just can't quite figure out how to replicate this type of nat rule in cisco ios.
<twkm> did you read the link provided?
<avgn5> twkm: Yes, and I know most of the things there, but I'm really not sure how to replicate this exact nat rule (that I gave in iptables-ese)
<whoa> i havent done that before specifically
<whoa> but check this out
<whoa> looks like you want to nat only for a specific destination
<whoa> these guys suggest you use a routemap
<ckluka> saq: don't suppose you care to divulge pricing on the 93128TXs do you? I'm considering up to 4x 93180YC-EX
<ckluka> Any VARs here have a ballpark price on 4x 93180YC-EX + 4x N93-LAN1K9 ?
<saq> it was part of a big quote so i don't have full numbers for all the sfps/twinax/qsfps and stuff i got
<saq> but no additional licensing since i'm not doing layer3 there
<saq> like 16k each?
<_drew_> saq if you google it there are some places selling it for 14,500
<saq> probably without the uplink module
<avgn5> whoa: Thanks, took a look at that link, but it doesn't really say how I could nat a range like though.
<avgn5> whoa: Also, in the second post there (first reply) where is that guy getting and from?
<ckluka> I once had a friend who had a problem. "ah, he said, I can use route maps for this."
<ckluka> now my friend has two problems.
<saq> policy NAT on the ios platform is so so, route maps work but its a little ugly
<twkm> ahh, jamie adapted.
<saq> ASA on the other hand, policy nat away
<whoa> ok avgn5 heres another try
<whoa> conditional PAT
<whoa> this doesnt use route maps
<whoa> not sure if that will work b/c there's no confirmed solution
<whoa> but if you are trying to NAT an entire subnet range conditionally to a single outside address you would need that
<whoa> not sure if you have multiple addresses on your outside to use or not
<avgn5> Ok I think I just about have it.
<avgn5> But instead of: ip nat inside source static route-map natthis
<avgn5> Is there a way to make it something like: ip nat inside source static route-map natthis ?
<whoa> avgn5 did you see that 2nd link? do you need pat or static nat?
<avgn5> whoa: static nat seems to work fine, it's the last line, it works for just one ip, like above, but I need it to work for any
<whoa> do you only have one ip on your outside?
<avgn5> This is between two vpns. vpn1 needs to be able to talk to vpn2 but vpn2 only allows incoming connections from a certain ip, so anything coming from vpn1 needs to masquerade as that certain ip that vpn2 expects.
<avgn5> So I used the 'ip access-list', 'route-map', and 'ip nat inside source static' lines from the second post in
<avgn5> Which actually works, though just for one ip from vpn1. Now I need it to work for any ip from vpn1 and don't want to have thousands of 'ip nat inside source static' lines.
<avgn5> what do I need to change?
<whoa> not sure to be honest
<whoa> i dont think you can static nat an entire subnet to one ip
<ckluka> Anyone used these?
<ckluka> It's an LTE serial server with 4 serial ports, 2 1GBase-T ports, 1-2 sim cards and 2-3 antennas
<whoa> thats awesome ckluka
<ckluka> I'm thinking of throwing one of those into my toronto DC location
<ckluka> plug 1 network port into each of the 2 switches
<ckluka> as long as either is working, you can use the wired port to get serial connectivity to the other switch
<ckluka> if neither is working or the site is down, serial connectivity via LTE
<ckluka> if LTE is down... no one can call me to complain.
<whoa> avgn5 i would give that conditional pat link (the 2nd link i sent) a shot and see if that works
<whoa> but thats all i got for now :/
<avgn5> I'm looking at that now actually, thanks.
<whoa> ckluka smart ;)
<whoa> have you seen those airconsole devices? those are cool too, work over wifi tho
<ckluka> whoa: I have an airconsole demo unit on my desk @ work right now
<ckluka> I think i'm going to order a 3-pack
<Capprentice> HI! I'm trying to run VirtualBox from GNS3 0.8.7. VirtualBox is installed and when I run Test Settings in Prefs of GNS3, it shows test successful. Yet, when I click the VirtualBox button on the front of GNS3, it shows VirtualBox is not installed!! How do I get it right?
<ckluka> What is your path to VB in the GNS3 settings?
<Capprentice> Where to set the Path? There is only vboxwrapper path setting in prefs.
<Capprentice> ckluka: Please tell me where to set this VirtualBox path under GNS3
<avgn5> whoa: Thanks, I think that did the trick.
<whoa> awesome man
<whoa> good to hear
<avgn5> whoa: A local test worked flawlessly, now I need to wait to hear back from the vendor of vpn1 to see if they can finally talk to that particular ip at vpn2.
<sartan> i love it when changes go well
<sartan> like 50 hours of prep
<sartan> huge wan/qos/redundancy/mpls/multi provider/etc change
<sartan> boils down to 'router bgp XXYYZZ: neighbor ISP shutdown'
<sartan> zero packets lost.
<sartan> no* neighbor ISP shutdown
<sartan> such a rush haha
<sartan> angry video game nerd number five.
<xous> hehe
<xous> good planning helps
<sartan> massive simulation in virl
<sartan> we did have l2 qos failures on 4506s though
<xous> heh. last major change I did went to shit fast.
<sartan> we had production traffic get dropped for being 'belligerent'
<sartan> whatever the fuck that means
<sartan> i guess our secretaries were too mouthy to their bosses
<xous> all because of a GLC-T compatibility...
<sartan> xous: strong rollback ?
<xous> due to uhh. start up design
<xous> rolling back was more work than pushing forward and redoing everything.
<sartan> Yeah, i've had some changes like that
<sartan> if it fucks up just forge through and make it right
<xous> sartan: I had to either buy another RU in a mmr a month and another xconnect
<xous> or swap both MMR switches on the fly
<xous> mgmt decided to take the cheaper option
<sartan> you know what is awesome for backout plans?
<sartan> true OOB
<sartan> i have these opengears all over the world with 3G cell phone connections that are IP-enabled
<sartan> i just ssh to them via $IP and i'm truly oob
<sartan> it's so good
<xous> I finally have a console server at our colo
<xous> no oob.
<sartan> i'm oob against like, fiber cuts and shit
<xous> but it's better than nothing
<sartan> and i've been there
<sartan> eg: our flood
<xous> we are a rogers dealer
<sartan> yeah rogers is what we use
<sartan> in canada at least
<xous> so when things aren't so chaotic
<sartan> other countries is a mismatch of whatever
<xous> I'm gonna look into seeing how cheap we can do that shit
<sartan> rogers gives us a private vpn
<saq> i need to get some opengears
<sartan> it's kind of funny how it works
<sartan> so they're internet IP accessible but only from IPs that we trust
<sartan> it's hard to explain
<sartan> but they're perfect
<xous> why not just an ACL on the opengear then?
<saq> my oob is 'call the NOC and ask them to power up the laptop and put the DCs wireless key in so we can remote to it'
<sartan> saq: well worth the purchase
<sartan> saq: we're adding environmental sensors on them too, so we can standardize on that too
<sartan> we have random env sensors all over the place
<sartan> so smoke, fire, water, humidity, temp, noise
* xous droops
<sartan> they're just more ports on an opengear
<xous> sartan: you bastard. you are making me want to do management things
<saq> which one
<saq> er, model
<xous> so I can get away with buying all that shit
<saq> im going to make a datacenter trip soon
<saq> maybe i can get an opengear in place
<sartan> saq: opengear depending on site size. IM4200 various flavours
<sartan> only # of ports
<sartan> so from 12 to 48 ports
<sartan> depending on the size of the site
<xous> I only get shit after I've asked for it ... get refused... and then there is an outage
<saq> hows the cost?
<xous> I keep a folder called I Told You
<saq> like what
<saq> 1k? 5k? 10k?
<sartan> just buy them online
<sartan> i think about $4k
<saq> do they have wifi?
<sartan> ..wifi? hmmm
<xous> why would you want wifi?
<sartan> i don't think so
<saq> my prod datacenters have site provided wifi
<saq> key changes weekly
<saq> so if im about to do some shit
<saq> i could call and get the key
<xous> lol. just get a 1fl or a dsl
<sartan> dude, go the 3g option
<xous> or go 3g
<sartan> just license a sim card and leave it in there
<sartan> it's like $15/month
<sartan> and it _never_ goes down
<sartan> you can have it backhaul an ipsec vpn to your asa or whatever
<xous> sartan: damn that cheap?
<sartan> seriously, yes
<ckluka> saq: airconsole
<xous> ok definitely gonna look into that shit with rogers.
<ckluka> saq: airconsole has wifi, bluetooth 4, serial, ethernet
<xous> ckluka: doesn't help with remote sites heh
<saq> $15/mo doesnt sound crazy
<saq> dont know if i can sell that this year
<saq> but i think its a no brainer for the 2017 capex budget
<xous> you still need a 3g modem or some shit
<saq> i got two new netapp arrays and a ucs turnup for a site this year
<xous> or a device that does 3g like opengear
<saq> so uh, i probably cant get slightly expensive toys like that, heh
<xous> my biggest purchase this year is likely to be some new ESXi hardware
<saq> whats your budget
<xous> no idea. boss gives annoying answers when I ask
<saq> how many nodes / what kind of capacity / what kind of san?
<ckluka> I just got some quotes back on some all-flash nimble-storage arrays
<ckluka> 2x nodes with 2x 16G FC ports each, with 24x 960G SSDs each
<sartan> saq: when i went to build one of our US offices, i didn't have a social security number or whatever so couldn't buy a cell phone plan
<sartan> i bought a burner cell phone with a pay as you go tmobile data plan
<sartan> put like $300 on it
<sartan> and left it there
<sartan> took sim card out of phone put it in opengear. project: success.
<sartan> its had money for like 2-3 years now
<xous> saq, I need about 20vcpu, 40gb memory, and around 2tb in storage,
<sartan> bonus points: verizon FUCKED me in the ASS and didn't deliver my fiber internet or dsl backup
<sartan> so i built a site to site vpn over tmobile 3g cell phone on a drug dealer cell phone
<sartan> and configured vcenter
<sartan> and had it call home to my AD DNS and replicated everything
<sartan> it's my most ninja network trick in my life
<ckluka> sartan: my hero
<saq> that is pretty neat
<xous> sartan: I think I remember you telling me about that
<sartan> i was onsite in a foreign country
<sartan> xous: washington dc
<sartan> i didn't really have the option to just extend my stay until the techs showed up
<sartan> so 3 days later they finally had the DSL up and 2 weeks after that my internet
<xous> I fucking hate dealing with xDSL.
<xous> I refuse to use it for anything critical except backup heh.
<sartan> it really sucks when you're holding the bag. CTO is like, 'where the fuck is the vpn?' and you're like, "i'm a foreign national in a country i'm not authorized to work in, it's a miracle i was allowed on the plane, and you're blaming me for an ISP fuckup, and I have zero contingency budget'
<sartan> he was really understanding -^
<sartan> but it's pressure
<sartan> Fuck off it's my network
<xous> I've always just shipped preconfigured gear and used $60/h techs to unrack gear
<xous> in the US
<sartan> yah that wouldn't have worked
<sartan> i needed to do so much
<opt> sartan that's legit haha
<xous> eh? i've installed a damned blade center remotely like that
<sartan> xous: i bet you had internet right
<sartan> you bitch
* sartan slaps xous
<xous> heh. not at the start
<opt> I've sent gear preconfigured, guy on site installs it and it boots up and works first shot
<sartan> yah, we preconfigured as much as possible
<opt> it's rare, but it's happened haha
<sartan> but yah. i can't trust some remote hands/eyes to rack and stack like that
<xous> got the MM up via over laptop tethered to cell
<sartan> i wore a few hats. i really wanted to see washington, too
<sartan> i did all the desktop setup, printer shit, server stuff, storage, ucs, network, arranged office construction shit like painters and furniture
<xous> I just ask for pictures
<sartan> it wasn't bad.
<sartan> did it all ridiculously hung over
<xous> you don't even have to look at them. most of the time that makes the contractors not do stupid shit.
<xous> sartan: damn.
<xous> I'd have insisted on bitches to do that.
<xous> I'm lazy.
<sartan> i could have sent one of my guys but they'd only be able to do network
<sartan> and all that other shit would be pending
<sartan> i really was the best person to go
<xous> my problem is I can't just work on one project like that
<sartan> brought one of my other guys with me though
<sartan> he did most of the windowsy shit while i did everything else
<xous> it's always yeah... deal with an outage while supporting a xDSL outage and installing a printer.
<sartan> worst hangover of my life though
<sartan> i just slept under a desk
<xous> I could never do that.
<sartan> there was _nothing_ to do
<sartan> we were sitting there thumbs up asses waiting for ISP people to show up
<sartan> literally no work
<sartan> can't even make busy
<xous> how'd that get fucked up?
<sartan> i think it was an ilec/clec bullshit thing
<sartan> dslam issues, or patch termination, or whatever i dunno
<sartan> i was given a monday, i was there until saturday, it wasn't online till wed next week
<sartan> stupid shit like, "we shipped you a modem, do you have it?" ... we have no modem. we had no office, what the fuck?"
<sartan> tech in the truck didn't have the dsl modem. they don't have spares.
<sartan> overnighted one
<xous> you didn't do a backup?
<sartan> it didn't work
<sartan> got another one
<sartan> that was the backup
<sartan> the fiber internet wasn't due to be ready for a few more weeks
<sartan> it was a rush project
<sartan> 768k dsl
<sartan> sooo after they finally sent me a modem it didn't work. it had some default nat on it
<sartan> i freaked out on them
<sartan> i rolled up my sleeves and actually rooted the fucking thing
<sartan> logged in
<sartan> and fixed earthlink's dsl/pppoe config
<sartan> and removed their stupid wan config
<sartan> they kept calling me, 'management acl is down'... 'no it isn't, i'm not letting you back on that fucking thing'
<xous> managed xdsl?
<sartan> so they had an admin.php or something
<sartan> 'password reset' page
<sartan> okay, so i visit there.
<sartan> view source code
<sartan> root password is in javascript
<xous> I fucking hate consumer modems
<sartan> like if user.password != 'root password': alert('no')
<sartan> i just took the password right out of the html as-is and got root. ssh'd into the thing with it
<sartan> fixed the dsl
<xous> there should be prison time for writing code like that.
<sartan> NASTY took a swig of yesterday's beer
<xous> rogers got mad at me for locking them out of their modem
<sartan> haha dude i'm so buzzed about how well this change went
<sartan> i wasn't surprised
<sartan> but i hope my boss knows how much work went into what seemingly seemed like a simple change
<xous> i've given up trying to explain complexity to my boss
<xous> I just quote time
<xous> and risks
<xous> sartan: you could always ask for a raise/bonus and find out. :P
<sartan> well, that's not gonna happen
<sartan> the long story super short version is i got a shitty review just last week, saying i have poor time management, project management, and communication skills =(
<sartan> because i'm fucking _overloaded_, my team is drowning in work.....
<sartan> and shit keeps piling up
<saq> what? IT teams never have that problem
<saq> you are just not good at time management sartan! thats really it
<sartan> saq: that's fucking what he said
<sartan> but whatever. i'm documenting the shit out of everything, and i'm telling him 'we're super backlogged! stop complaining'
<saq> i make sure my boss knows everyone is crushed and that my time management and constant crisis management basically revolves around strategically ignoring things and emails
<sartan> -^ this
<saq> and problems
<saq> and letting things fail
<saq> because i'd rather lose a battle and win the war
<sartan> that's a good way to put it
<sartan> yeah i get complaints that i don't reply to emails
<saq> ugh, time to sleep
<saq> getting work stress just from talking about this shit
<sartan> or if when i do, i'm too brief
<xous> heh. auto reply with "this should be a ticket"
<sartan> i don't have time to explain basic concepts to pinheads tyvm
<saq> i think i finally got a point home when i mentioned that im worried about attrition
<sartan> so you get the elevator version
<xous> I refuse to deal with any task in a email.
<saq> lol like i have time to look at my ticket bucket
<saq> if its important the manager of said team will come and talk to me and i'll delegate it to someone
<saq> 'saq did you see this one ticket?'
<saq> 'i get time to log into our ticketing system about once a week'
<sartan> i don't look at tickets unless they're escalated to me
<sartan> the guys that work for me take care of it all
<sartan> pull me in if they need help/time
<xous> then why are people asking you shit in email?
<saq> yeah, even if i do work on something, i feed it through to someone
<sartan> xous: like 90% of what i do is project stuff
<saq> 'here is a pcap i did on a customers issue, his idea is bullshit, here is why, here is what you can tell him, im assigning it to you'
<sartan> that doesn't work in tickets
<xous> yeah, I use project stuff for that
<sartan> i'm actually looking around right now for project management software
<sartan> to manage all sorts of micro projects, with time estimates, and resource load calculations / skills assignments for team members
<xous> I've used wrike, asana, basecamp
<sartan> basecamp didn't support dependencies
<xous> neither does asana
<xous> wrike does though
<sartan> i've just started looking into software
<sartan> the reality is: my boss is right. i can't manage time/my teams time
<sartan> it's not about getting things done
<sartan> it's about setting expectations and communicating those
<sartan> and it's impossible for me to do without sounding mumbly and wishy-washy
<sartan> 'well i can't give you an estimate....' <wanders off> == unprofessional
<xous> I have auto replies for certain types of tickets
<sartan> or, "well, we're loaded right now, but we can start in 2 weeks"
<xous> that contain the expected time to deal with it.
<sartan> i really need to clean up my shit
<sartan> or i'm gonna lose my job
<sartan> doesn't matter how good i am at getting shit done
<sartan> this is clear =(
<xous> that's when business shit starts to suck
<sartan> i'm desperately looking for software that can help me
<sartan> my job is so fucking political and bullshit. i think i can fix a lot of it with good software.
<sartan> just having a good pulse on what's going on
<xous> take a look at wrike
<sartan> ive been going top down on wikipedia's "team project management software" page
<sartan> i have like 30 evaluations right now
<sartan> most of them i wrote off in seconds
<xous> when I first started at $job-1. I drowned
<xous> not because I sucked at what I did
<xous> but because I insisted on fixing shit myself instead of passing the buck
<xous> or bullshitting
<sartan> so i need wrike enterprise
<sartan> ==$ $
<xous> I quickly found stupid little hacks
<xous> like booking 30 minutes/day to review all my pending projects
<sartan> i'm calling an irc bounty
<sartan> i'm gonna put it in the /topic
<sartan> $250 cash
<sartan> for finding me PM software that i like
<sartan> coz yer gonna save my job
<xous> and responding with a bullshit "not really working on it, but haven't forgot about you"
<sartan> xous: i'm kind of twisting my bosses arm here by adding an extra meeting a week to help prioritize outstanding tasks, apart from our normal meetings
<sartan> purely from a time management / coaching / mentorship perspective
<xous> you'd be surprised how much a simple comment like that helps with people screaming
<sartan> yah other teams projects are stuck on me and my time
<sartan> they have dependencies, and i can't give them any reasonable estimates on timelines right now
<sartan> 'everything' is due next week. i've overcommitted everything
<sartan> the guys are swamped. i'm swamped. we're all drowning.
<sartan> and support issues/critical sudden stuff doesn't stop happening
<sartan> dealing with - say - a websense issue means spending 6 hours on the phone with a senior tech at websense
<sartan> it's not like we can plan for that. it's not break/fix. it's break/pray
<xous> I also used to book time for projects
<sartan> the thing that really irks me is that i _know_ i have demonstrated need for +1 staff
<sartan> i need 1 junior guy
<sartan> i don't need senior
<sartan> just a junior guy to help with the stuff that goes through cracks
<sartan> senior guys are HARD to hire
<xous> i.e from 2-5pm for projects where I DND phone and fuck off.
<sartan> juniors are keeners and often better than seniors anyway
<sartan> i'm in 24 hours of meetings next week lol
<xous> well that is a fucking problem
<xous> that needs to stop
<sartan> i can't say no
<sartan> not allowed to do that.
<sartan> everyone gets whiney
<sartan> management suuucks when you're super technical and an actual project person
<sartan> the other managers... don't do... things...
<xous> are they recurring meetings?
<sartan> it's okay for them to have their head in the clouds
<sartan> no, not always
<sartan> project updates etc.
<xous> then every friday or whatever
<sartan> i have a few of those yes
<xous> prebook at least 50% of your week in your calendar
<xous> for projects
<sartan> i do actually
<sartan> i try to have thursdays and fridays all day 100% exclusive for projects
<sartan> and the last 2 hours of every day
<sartan> i should take a screenshot of my outlook calendar
<sartan> it's ridiculous
<sartan> it's like 100% solid this week
<xous> been there done that.
<sartan> can't say no
<xous> I've been booked by PMs for three different jobs at the same time
<xous> and done it. haha
<sartan> quadruple bookings happen, yes.
<xous> remote installation support.
<sartan> i do rearrange it but then they book on the X hours i'm not booked for
<sartan> which means even more projects slide
<sartan> i can't delegate everything
<sartan> lord knows i try
<sartan> my guys are brilliant
<sartan> but they do what they do
<xous> just decline the invites and not show up
<xous> if they book when you are booked
<sartan> that's not easy though =(
<sartan> it's all political
<xous> well then you are fucked
<sartan> you become standoffish and arrogant when you start saying peoples meetings aren't important enough for you
<sartan> yes, i'm fucked
<sartan> and i'm trying to cover-my-ass
<xous> I got away with it just fine
<xous> assholes booked me without looking
<xous> I declined
<xous> I let their shit burn
<xous> after warning them several times
<sartan> oh they check my calendar. i'm free.
<sartan> my calendar is the only way i can keep my head on
<xous> then you are not booking off enough time for projects
<sartan> clearly -^
<xous> also there are things you can do
<sartan> I work three times the speed technically of a normal person
<sartan> but that means i just get so fucking STRESSED
<xous> like for a project meeting
<sartan> so much to do all at the same time
<sartan> i shift gears so fast
<xous> have one person from the team deal with updates
<sartan> and when i get distracted: open office door, it just falls apart
<sartan> Thankfully! I have an assistant!
<sartan> meeting updates are something i've been able to write off for a few months now
<xous> heh. then you need time where your door is closed.
<sartan> it's helped TREMENDOUSLY
<sartan> purchase orders, contracts, purchasing, anything like that
<sartan> meeting minutes, updates, herding cats, booking rooms/resources
<sartan> it's stupid when it takes a half hour to book a board room with a projector
<sartan> get the assistant to do it
<sartan> DO YOU WANT 640x480 OR 1080P?
<sartan> haha fuck off
<sartan> I. DONT. CARE.
<sartan> all these little things add up when you're go-go-go-
<xous> I've done all of that
<sartan> so it's my bosses assistant but he lets me use her
<sartan> and i do
<sartan> not as much as i should
<xous> I used to have people come up to my desk and try to talk to me during project hours
<sartan> i help her a lot more than she helps me. time to flip that coin
<xous> I had headphones
<sartan> xous: i'm lucky, i have a door
<sartan> it works mostly
<xous> and I'd just have tunnel vision and pretend I didn't see them
<xous> until they fucked off or touched me
<sartan> when people knock i never say no unless it's actually important, so they usually just bottle it up and wait for later
<sartan> I love my door. it's the best thing for time management ever.
<sartan> You're right though I need to pre-book hours for projects
<sartan> make it clear i'm not available for meetings when i have deliverables
<sartan> signing up for wrike demo....
<xous> that's one of the best things I did to make sure shit got done
<sartan> the hard part here...
<sartan> so if it comes to crunch time
<sartan> i don't fail timelines
<sartan> but there's an awful lot of crunching, and sometimes you get a variable you seriously can't deal with and it throws everything off whack
<xous> maybe you aren't buffering enough
<xous> you need to account for that shit
<xous> for a task I know very well I usually do 1.5x time
<xous> anything that requires learning/labbing/etc
<sartan> boss said it's obvious i overcommit
<sartan> and overpromise
<xous> it's usually 4x
<sartan> he's personally aware of my workload and my team
<sartan> he just says i communicate it to others very poorly
<sartan> so they sit there like, 'wtf? what is sartan doing'
<sartan> the problem with network security is that it's cloak-and-dagger
<sartan> we don't exist
<sartan> so from a time scheduling perspective it's hard for them to understand we're committed
<sartan> we have a lot going on but it's total background work
<xous> that's another reason to have your calendar filled
<sartan> my performance rating from peers / other techs is always outstanding 'excellence' stuff
<sartan> but they don't understand the _time_ part of that
<xous> and make sure your team does too
<sartan> the technical part is 150%
<sartan> but they're like why can't sartan just start working on this now
<sartan> or someone from his team
<sartan> uhh, coz
<sartan> <wishy washy>
<sartan> -^ SARTY needs to fix this IMMEDIATELY
<sartan> or i'm losing my job.
<xous> sartan: so push out new stuff as far as you think you can get away with it.
<xous> review existing stuff and set realistic deadlines
<sartan> xous: the shitty shitty shitty part is that i thought i give reasonable expectations and they're way, way way off.
<sartan> we find some stupid bullshit that fucks us for weeks
<sartan> recent example
<sartan> cisco sourcefire AMP (malware shit)
<sartan> software works GREAT on desktops
<xous> fucks servers?
<sartan> on our IPS appliances, the fucking malware analytics fail with cryptic unknown errors
<sartan> and we've spent 12 hours with cisco tech support trying to just get ROOT on the box so at least THEY can look at root cause
<sartan> so you spent hours phone tagging with support engineers
<sartan> it's a very simple project
<sartan> but i can't move it forward
<sartan> it's like, on our config side, it's either ON or OFF on the cisco asa
<xous> did you communicate that problem to the stake holders?
<sartan> i am the stake holder
<xous> ah, so it's not directly client facing.
<sartan> we have a new governance-and-risk-compliance department
<sartan> it's their job to butt sniff the policies or whatever and monitor the logs that do fire
<sartan> basically the new deal is we set em up and they knock em down.
<sartan> we make the IPS work/AMP work and they investigate the signatures that fire, basically
<sartan> so they have dependencies in their workflow that i can't say "okay, ready" until AMP actually works
<xous> well... all I can say is it sounds like you need to work some buffer time into everyones schedule to deal with unexpected issues.
<xous> and work your projects into everyones scheduled time.
<sartan> yes, totally
<xous> i.e pick some numbers... say 40% project time, 10% meeting time, and 30% flex/tickets
<sartan> so i'm looking at some software
<sartan> i'm at 100% project time for march 28->apr 1
<sartan> i've actually worked out the hours
<sartan> 70% project 30% meeting 0% flex
<sartan> my staff are 80% project 20% support
<sartan> next week.
<xous> the problem is if you book all 80% of those project hours
<sartan> i've pushed some timelines back. sent my boss an email saying 'we can't do everything. here is what we need to change timelines for'. he said that's okay.
<xous> for specific project
<xous> you get screwed
<sartan> and to CMA further i arranged a meeting with him early monday morning to go through his priorities again and make sure that he's okay
<sartan> we have to just abandon certain projects
<sartan> other teams are crying
<sartan> i just can't make it happen
<sartan> so i'm getting my boss cover fire for that stuff.
<xous> time management is hard
<sartan> there's not enough hours in the week, even if things go perfectly on everything, we skip lunch, and work a few hours extra every day. it's just not possible. so: boss: based on the resources/skill we HAVE, what do YOU choose to drop.
<xous> have you read time management for sysadmins?
<sartan> this isn't a technical problem whatsoever though
<xous> it's not
<sartan> and reading takes time
<xous> but the book has some interesting ideas
<sartan> i go home at 8pm most days =/
<sartan> when i get home, i see my daughter for like an hour, and we put her to bed
<xous> sartan: that shit doesn't help.
<xous> skipping lunches,
<xous> I've done it all
<sartan> dude if i don't, i'm fired
<xous> makes things worse
<sartan> shit needs to be done.
<sartan> i need +1 staff.
<xous> what is the problem with getting the +1 staff?
<sartan> it's hard to communicate that need. i'm trying to figure out how
<sartan> and this all circles back
<sartan> we're all drowning
<sartan> and demands keep coming
<sartan> if i can make it clear that there's a massive backlog of simple shit to handle...
<xous> why not just flat out ask your boss what you have to do to get the +1 staff?
<sartan> i've had backups failing on me for weeks. i can't address the problem due to timing.
<xous> or hell
<sartan> no time to look into issue
<sartan> "Oh, it's easy"
<sartan> whatever the fuck you say
<sartan> 4 hours, flat out, right there, to fix whatever the fuck is wrong with only one type of our backups.
<xous> make a list of projects you need to cut to fit your workload
<sartan> did that friday, for the first time ever.
<sartan> also described operational stuff we simply can't touch
<xous> it's almost 2am where you are.
<sartan> it's adult time
<xous> get some rest and try to chill for the long weekend. :P
<sartan> you're right
<sartan> thanks for listening
<sartan> for real
<sartan> and your advice is helpful
<sartan> i've just been ranting on and on
<sartan> but the last week has been extremely difficult. anxiety attacks almost every day.
<xous> I've done the same thing.
<sartan> i'm freshly wounded
sartanit's just so good when something finally goes right
sartanand you don't need to deal with some fucking bullshit that extends timelines beyond what they are
cklukaSartan: going back to webex: have you checked out slack ?
xousI know it pisses people off but try to deal the demands dispassionately
xousckluka: that's more an email/im replacement
sartanckluka: haven't. stuck on webexz for a while.
cklukaxous: not anymore
sartanbig thing for me is that all the unified video/Im/chat/content sharing must be on-premesis
xousI guess it has been a while
cklukaxous: screen sharing, voice conferencing
sartanmy only complaint with webex right now: no html5 support.
sartanbut we have it integrated with our vcs and shit
sartani can join a webex call from my mobile phone and get full screen video to an integrated boardroom somewhere in or out of our network. happy with that
sartansome fly by night 'conference provider' can't do that
sartanIt really is time for bed, 'night
VLanZplease help me to get this
VLanZhow wrong is it to run both LAN and DMZ vlans in a single physical switch?
bamsefarNot at all?
VLanZthen why do I even need to call it "DMZ" ?
VLanZwhy cant I just call it "LAN 2" ?
VLanZwhat makes a DMZ so special? I mean, a DMZ is such only because I allow a particular traffic from the firewall, right?
omgwtfVLanZ, because hosts on the internet can reach your servers that are on the DMZ, but not on the LAN, so you can't really call it lan 2 :P
VLanZomgwtf: right, but I know many people that only rely on logical separation (vlans) rather than having a different physical switch
VLanZas long as you can mitigate vlan hopping attacks I fail to see what the problem is
oisteranswer: its not wrong
oistereverything is virtualized now
oistervirtual lans, routers, switches, firewalls, load balancers, servers
hagbardI'm waiting for the virtual jobs, virtual paychecks, virtual food.
oisterme too
M|keanyone here ever ran the 881 in multi-vrf mode with CUBE?
cklukaIs there any way to put a 4th 10G interface on an ASA 1001-X ?
cklukaComes with 2x SFP and you can add 1x 10G SFP port in the shared port slot
cklukais the max on an ASR 1001-X 3x 10G ports?
twkmdoesn't the 1001-x license 10g ports and you only get 2 of those? certainly it is licensed only for 20gb/s throughput so unless your 10g use is pretty limited you're likely to run into that too.
whoawelcome to the network jungle we got fun and game
whoaWe got everything you want honey, we know the names
_drew_(and the IPs)
twkmperfect, 666 clients joined.
whoackluka maybe can try asr1002-x
whoa3 spa and no built in
whoackluka have you looked at 6840-X?
whoahmm can only do 256k ipv4 routes
whoayah looks like C6880-X is the way to go then
whoaif you went with that platform
whoa2048K (IPv4)
whoathats a shit ton of routes
whoacan do mpls
runelindwe have a 6880-X on our network edge
twkmthere are plenty of situations where you don't need the dfz. ckluka hasn't said much apart from wanting more 10g interfaces.
runelindI thought 6840 only comes with standard tables?
whoatwkm this is continuation from last nights discussion
whoahe was looking for a router that could do multiple full routing tables
whoabut also switches that could do 10 gig
whoaand some layer2 point to point stuff like evpn or mpls
whoai think he was considering some HPs for the switches
whoabut im thinking if he got two 6880-X's perhaps that would be in his budget
whoanot sure though
whoaThe base chassis comes with 16 10G/1G ports
whoawould satisfy both his routing and switching needs in one chassis
whoarunelind how is the 6880 doing?
avgn5Happy Easter.
whoahappy easter!
runelindwhoa: good so far.
whoaawesome :)
runelindwe only have about 16K routes though
runelindon the edge
whoai gotcha
runelindwe have about 15 pairs deployed as MPLS PE Aggregation though.
runelindhad some issues with software, but they mostly seem stable now.
whoaright its 15x classic ios correct?
bamsefarrunelind: Why not ASR9k instead?
whoaasr9k is hella expensive
whoai really liked the 6800 line tbh
bamsefarBut 6880 is some 6500 bastard child, no?
whoabut the control plane and OS need to be updated
whoaits updated bamsefar
runelindbamsefar: the 6880 is the cheapest MPLS switch that Cisco has.
whoacontinuation of that line
runelindwell 6880/6840
bamsefarYes, but its still a damn switch...
whoaasr9k has an awesome architecture
whoaand os is modern
runelindbamsefar: which is great for MPLS PE
whoacontrol plane is bullet proof
bamsefarAnyone know what the NCS5000 costs?
whoaright everything is layer3 switch nowadays
whoawhat isnt bamsefar?
whoamaybe asr1k
bamsefarThe whole "ooh, look I got switchports" make people do really stupid things.
runelind5001 40k 5002 60k
runelindno pricing yet on 5011, which is what we're waiting for.
whoapaying for a separate router and switch doesnt seem too smart
whoarunelind whats the 5011?
cklukaI think a pair of ASR 1001-X's with an extra 10GBase-SFP+ port in each one will be what we'll end up getting
bamsefarwhoa: 32x100GE
whoackluka did you see the 6880? or is it too pricey
whoaseems to have your router/switch capabilities all in one
cklukatoo pricey
whoai gotcha
bamsefarrunelind: I'm thinking 5001's to aggregate ASR920s.
runelindwhoa: 5011 is their tomahawk switch
whoai remember the base model is like 40k right?
runelind32 QSFP 100G ports
whoabut you wouldnt need much more
runelindrunning IOS XR
cklukayea, ASR 1001-X will be like 16k
whoasince the base model has all your ports
whoalemme look up the price ckluka
whoamight be confusing it with 6807
whoathe 6880s are supposed to be cheap ;)
whoalogging in one sec
cklukaASR 1001-X with the additional SPA module for extra 10G port bringing it to 3, 3x 10G-SFP-LR, and the advanced enterprise license pack
runelindyeah, 6880 is cheap
cklukatimes 4
runelindso is 6840 if you want 40G
hkklye, asr1k is wrong platform if you want density
whoackluka i bet the 6880s will be cheap, but gonna double check :)
hkkleven asr9k is cheaper than asr1k
cklukasure, appreciate it
whoahkkl only needs like 4x 10k
bamsefarckluka: Don't buy optics from cisco.
whoaer 10g
hkklwhoa: asr9001s
whoai love dose
cklukabamsefar: I won't. I'll be using fiberstore CWDM optics
whoabut expensive :)
bamsefarckluka: Good :)
runelindhkkl: supposedly the 5011s will land end of April
hkklrunelind: so rsn
srg_won't do full routing though.
runelindwe just went through hell with Approved QSFP twinax
whoackluka do you get a discount?
whoaon gear?
runelindwouldn't link up with Mellanox 40G cards to our N9K
runelindhost to host would link up, switch to switch would link up
twkmelse the 45k for the 6880 will be a bit shocking.
runelindbut not host to switch
runelindgot Cisco cables and it came up immediately :(
cklukadepends; we aren't a partner or anything, but we are buying for a VAR who does $30-40m/year in cisco sales
cklukaso it won't be like 85 points off list or anything, but I expect it will be competitive
cklukaI sent off a quote request to the VAR a few hours ago; waiting on reply
whoahardly anyone pays list i think
cklukano i mean I expect about 65 points off list
cklukaon average, over our last 5 purchases
twkmbut it provides a comparison if you don't know the discount rate.
whoayah ok base 6880 is 46k
whoabut you get 16x 10 gig
whoaand XL routing table size
cklukadoes that need licensing to enable MPLS or VPLS or VXLAN ?
bamsefarHow much ram does the 6880 have?
whoalemme see
runelindyeah but 6816-X is 26k list
runelindso if you don't need expansion ports...
whoa6880 regular supports 2m+ routes
whoackluka im checking
twkmdoes anyone even know the full set of requirements ckluka is trying to meet?
whoawill probably need just buy the IOS that supports MPLS
ckluka2m routes is acceptable; our goal is 3 sets of full routes
hkklckluka: also 2m is fib, not rib
cklukatwkm: yes, i was in this channel for 2 hours last night and whoa's been talking to me since then
whoaits XL hkkl
hkklmy c6880x's aren't online atm
runelindckluka: you're a service provider?
twkmbut others don't so they'll be tossing out suggestions that won't fit. but whatever.
hkklwhoa: no, in c6880x normal is 2m, -l or -le or something is 256k
hkklmy c6880x's aren't online atm
cklukanot primarily, but we are going to be for this project; We are peering with microsoft express route (few thousand routes), and also Telus, Sasktel, and Shaw
hkklare being installed so can't check ram, but i'd remember 4 or 8
whoathe regular version is the x , 46k
runelindyeah, I'd be really surprised if you ended up needing full routes.
whoa-le wouldnt meet his requirements
twkmrunelind: needs 3 views of it.
cklukarunelind: We'll be peering with multiple carriers in both Winnipeg and Toronto (and probably eventually also Calgary and Regina)
hkklckluka: my select for peering edge atm would be c6880x
twkmif it weren't for that, i.e., ax only, le would be fine.
cklukarunelind: We are buying 2x 5Gbps circuits (layer 2) from winnipeg to toronto and 1x 1Gbps circuit (layer 3) from winnipeg to toronto
runelindwhy not just accept customer routes and then a default :|
cklukarunelind: we also peer with MRNet (aka CANARIE aka Internet 2)
runelindI2 is like 16K routes
cklukayes, but lots of those routes overlap with the internet routes
cklukaand we have terms that prohibit us from blanket overriding internet routes with CANARIE routes
hkkli wouldn't limit myself easily to non-full tables
hkklunless you are dual-homed island network
hkklso you only have dual peers for 'redundancy'
cklukawe have quad-peers for network distance
cklukashortest path to customer networks for latency reasons
cklukasasktel to get to our regina/saskatoon customers, shaw for manitoba/alberta, telus for manitoba/alberta, etc...
runelindlook at Spotify, they ended up just accepting like 10K prefixes which covered 95% of their customers, they punted everything else to default.
hkklrunelind: yes, but that needs very active analyzation
hkklrunelind: and that's 10k per pop
hkklnot 10k totally, that 10k is quite different in different pops
runelindckluka: and I'm saying, look at if you can get by with accepting just those customer routes from each ISP
hkklrunelind: that would be quite close to my definition of dual homed island network
hkklmuch closer than cklukas :)
runelindyeah, I guess i don't know the requirements.
whoackluka 6880 only has two license levels ip services and advanced enterprise
whoait comes with ip services , advanced enterprise is 10k
hkkladvanced enterprise gives you vpls i think
runelindI'm just used to people wanting full routes for wanking purposes.
hkklit's the reason i got it
hkklrunelind: true
runelindI guess if you want to load-balance outbound you need full tables.
cklukaThat is one of the objectives, yes
cklukaI have two methods of achieving that:
runelindok, then carry on.
ckluka1) 4 big-ass routers, with full routes
ckluka2) 4 slim-sexy switches forming an underlay network and 6-8 smaller routers, with full routes, 1 per peering edge.
cklukaWe need to be able to do 10Gbps at 20k routes (connections to express route)
cklukabut only 1Gbps with multiple full routes (connections to carriers)
whoagotta get some lunch
runelindhkkl: that's the reason I have full tables at home ;p
runelindv6 tables tho
hkklrunelind: wanking is nice too
hkklbut not good reason to waste money
cklukaACTION runs off and programs his android phone to accept full ipv6 routes
runelindI can handle 2x Full v6 routes on my 3845 :D
cklukaAnyone have ballpark realistic pricing on 4x ASR 1001-X, 4x SLASR1-AES, 4x SPA-1X10GE-L-V2 ?
hkklwell, you can look list prices
ckluka in english: 4 ASR 1001-X's, each with advanced enterprise services licensing and an extra 10Gbps port?
cklukayea, I've looked up list prices
cklukabut that could be 1-85% off from realistic pricing
hkkland i would think i'd get 50-65% off of that without lots of dancing
whoaoh btw 6880 ha 4gb ram
whoaok gone now
whoalaters :)
cklukaprovantage says $10,318 for the chassis, $6,000 for the licensing, $6,000 for the line card with extra 10Gbps port, for $22,318 per ASR
cklukaor $89,280 for 4 of them
cklukaactually, they sell a SKU "SPA-1x10GE-L-V2-B4" which is a 4-pack of the line cards for $18,403 which saves me about $5,600 overall for a total of about $83,700
oister10G capable ASR isnt cheap
twkmshould almost put the desired specs into the topic...
cklukaDesired specs: Site A has 2x10G peering connections with Microsoft Express Route. BGP peering with ~ 20,000 routes. Site B has 2x10G peering with [client access and peering switches]. Site A has 3x 1G IP transit links with full routes (3 sets of full routes probably. maybe 4, maybe 5).
cklukaSite A to Site B has 2x5Gbps layer 2 links and 1x 1Gbps layer-3 link.
cklukamust support full active/active connections everywhere.
cklukaMust support some form of DCI technology for layer 2 over layer 3 (MPLS/VPLS/EVI/EVPN/whatever)
cklukavendor agnostic
cklukarough diagram: (drawing, one sec)
oisterif you need that much bandwidth then 100k should be a big deal :P
twkmckluka is looking at 100k or so.
twkmbut who wants to spend more than you need to or get less than the same amount would provide if only you knew about some other model.
cklukaI'm not afraid of $100 or $150k on this build
cklukahell, we are going to be spending $12,000 a month on racks, power, L2 transport, and IP transit
cklukaI just don't want to waste an FTE's salary for a year on over-buying equipment
cklukaIm basically looking to fill in the ?'s
cklukacan be more than 4 physical boxes
runelindOpenBSD with 10G cards :D
ckluka(i.e. 4 switches and 6 routers (1 per ISP connection) comes to mind)
runelindfull routes use like 200M of memory on those guys
cklukahas to be supportable and have microsecond latency
cklukadoesn't have to be cisco
cklukadoesn't have to be "Big name"
cklukabut has to be hardware-routed and hardware-switched
cklukaAlso, (and I'm not certain), but I don't think BSD will do VXLAN or some other layer 2 DCI technology
runelindOpenBSD was part of the group that invented VXLAN :-/
cklukaoh, I see it does
cklukaregardless, need hardware routing/switching
runelindoh maybe that's a lie
runelindbut I know OpenBSD does VXLAN and MPLS
bamsefarckluka: ASR9001 for the win!
cklukaballpark pricing?
twkmbase chassis is 50k-ish.
hkklincludes 4x10G
cklukayea, but 4 of them clocks in at $200k then
cklukaI don't think the 4th 10G port is worth 25k more than an ASR 1001-x with 3 ports
bamsefarckluka: You'll just have to be creative when buying.
cklukaI mean, I could more cost effectively get 4x ASR 1001-X's with 2 ports each ($18,000 with advanced enterprise licensing) and "router-on-a-stick" 4 of them with some nexus 5ks or [any vlan capable layer 2 10Gbps switch]
twkmthat's list, so figure your expected discount.
bamsefar"Hi cisco, these Huawei boxes seem really cool!"
hkklckluka: with asr1k your problem is that you don't get any ge-ports with 3x10G setup
hkklah, ok, so you'll do GE's via switch then
cklukaI see 6 GE ports, 2 XG ports, and 1 module slot
hkklah, ok
hkklmy bad
bamsefarckluka: Yeah, get cisco to give you lower prices.
hkklhaven't used 1001x, only 1001s
cklukaThere is another module slot on the left side that can accept another 8x1Gbps ports
cklukaso you can put up to 3x10G, 14x1G ports in a 1001x
hkklok, that's quite much
ckluka1x SPA slot, 1x NIM slot
bamsefarYou could do juniper mx80 also.
twkmthe main issue with a 1001x is the 20g max throughput license, no?
hkklbamsefar: no reason to buy mx80 instead of mx104
cklukatwkm: not really an issue, considering our SiteA-SiteB links are only 2x5Gbps
cklukaso if we upgraded our site-to-site links past 5Gbps, it might be an issue, but I don't think it will be with our current foreseeable bandwidth requirements
cklukaLet's just say if I sell 11Gbps worth of express routes bandwidth transit, I won't care about buying bigger routers.
bamsefarhkkl: Maybe not, I'm not really up to date with Junipers.
hkklbamsefar: mx104 = more ports, beefier cpu, lower list price
bamsefarBeefier cpu surely was something the mx80 needed.
cklukaCan I run an MX104 on a base chassis?
cklukaor do I need management or control plane modules?
hkkldon't need additional modules
cklukasame question: licensing?
hkklthough if you want redundant RE then you need to get another one
bamsefarRedundant RE disqualifies all the boxes we've been discussing.
hkkllicensing is such that you need license to activate 10g ports on chassis, and i think rtu for features
hkkltrue, i just mentioned it can support that :)
cklukaRE = ?
hkklrouting engine
hkklalu/nokias sr7750 sra4 could be ok too
cklukaoh, no RE
cklukaI'm buying pairs of routers as a complete fault-tolerant unit
cklukaIf we lose a complete routing engine, we would only be capacity hampered, not down
ckluka.. I don't see what's different between MX5, MX10, MX40, MX80
cklukaare they license differences or physical differences?
bamsefarckluka: Just different license.
cklukaok, and MX104 comes with all 4 SFP+ ports enabled?
cklukainteresting.. MX104 is -40 to +65c operating temperature...
cklukadidn't expect that
cklukaI see SKU S-MX104-UPG-4x10GE activates the 10G ports
ckluka4x {MX104-AC-Base + PWR-MX104-AC-S + S-MX104-UPG-4x10GE + FANTRAY-MX104-S + FLTR-KIT-MX104-S + S-MX104-ADV-R
cklukaChassis + [enable 4x10G ports license] + [redundant PSU] + [redundant fan] + [filter kit spare] + [L3 VPN license]
hkkli don't think you need redundant fan, nor redundant filter?
cklukait turns out
cklukathat a "router on a stick" with a Nexus 3524P-10GX... costs less than the 3rd SFP+ port on an ASR1001-x
cklukaso [ASR1001-x] + [advanced enterprise license] + [Nexus 3524P-10GX] with 2 DAC cables
cklukacosts less than an ASR1001-x + [advanced enterprise license] + [extra 10G port]
cklukaAnd since an ASR 1001 tops out at 20Gbps routing, I don't see the difference in 3x10G ports or 2x10G ports in a LAG to a nexus 3k...
hkklwell, you lose some link level liveliness with going through switches
cklukatrue, but that isn't much different than the connectivity to the L2 provider
cklukaor L3 provider
cklukathe link could be down in the middle, but the media converter they are giving me as CPE wouldn't know anyway
cklukaThis is what I'm thinking:
ckluka(the connections from ASR to N3K would be a 2-port LAG)
hkklhmmh, so you would use both 10g ports to that lag?
hkkli think i'd really feel a bit uncomfortable with lack of ability to add more 10g ports if needed
hkkllike it easily escalates to this:
hkkl75 Gigabit Ethernet interfaces
hkkl50 Ten Gigabit Ethernet interfaces
hkkl4 Forty Gigabit Ethernet interfaces
whoa2anyone ever used rsvp-te or traffic engineering?
whoahad two clients open :/
hkklwhoa: in lab :)
hkklhaven't needed it in real life yet
hkklbeen able to work with igp metrics
whoaah :) yah
whoai havent tried it yet!
whoai should lab it to understand
whoai am reading googles paper on their wan backbone
whoaand they use BGP ISIS
cklukawhoa: so what do you think of [ASR1001-x] + [Nexus 3524P]
whoabut also have their own server
whoacalled a TE server where they made their own traffic engineering implementation
salparadisewhoa: sure i've used it and use it
whoaand it has a separate forwarding table in the open flow routers across the wan
whoathey said that there is an advantage to have a central controller decide on the paths
hkklckluka: imo: it will work, but i would be quite concerned about lifecycle for that solution, as possibility to add router capacity is not really possible
whoaand is more advantageous that rsvp
hkklwhoa: segment routing is all the buzz nowadays
cklukahkkl: I'm not overly concerned with that; We can add a third 10G port if needed ($6500 per router)
whoackluka as hkkl said before, the rib kinda might hit a ceiling on the 6880
whoaif the asr1k can scale
cklukarealistically, we are not expecting anything more than 23Gbps theoretical bandwidth in the next 5 years
whoathat would probably be the safest bet
hkklasr1k needs nowadays 8Gb ram to handle full tables at all
hkklckluka: then it it should be ok imo.
whoackluka is the cost bump to a 1002 or 1004 much greater?
whoado you expect any more growth?
whoathe asr1k is the upgrade path from the 7200s
whoawhich is how i ended up specing out
cklukabut probably not before microsoft adds a third datacenter to canada
whoabut i was only doing it for an enterprise edge
whoarunning full bgp tables
whoaat around 1gig
salparadisewhoa: central controller is nice due to the *central* part, but how are failure modes handled? like is the control traffic inband? how is redundancy done, what state is kept in the flows? not sure if that doc goes into that
whoasalparadise they describe it, i can forward it to you
cklukacontrol traffic requires completely independent cabling
whoaunfortunately i havent understood that part yet
whoathey use quagga
cklukapicture a fat-hub-and-spoke network where the control signaling gets its own physical network
whoafor the central controller for their bgp/isis setup
whoaand they wrote a proxy
whoathat will take that info and share it with their traffic engineering server
salparadisewhoa: yeah I work for AWS, we are doing a lot of interesting things (that unfortunately I can't talk about) but have similar problems
whoaall that info gets compiled
whoaand dumped into the open flow controller
cklukayes, cost difference to ASR1001-x to ASR1002-x is almost $13,000
whoaand then the controller dumps it into the openflow switches with two forwarding tables
whoaone for TE and one for normal shortest path BGP/ISIS forwarded
ckluka$18,000 for 1001-x with advanced enterprise services; $31,000 for 1002-x with same
whoathe cool part is that they have some control over flows, their tuple is (source site, destination site, qos)
whoasal paradise this is the paper
salparadiseyep seen it, will try to read again, thanks
whoaah cool
whoait is surprisingly detailed
whoanot enough to recreate it from scratch
whoabut enough for someone like me to determine whether it is something i need to invest my time into
whoaand cut through the hype
cklukahkkl: I'm increasingly confident that I won't have a density issue with 2x10G ports on each ASR
cklukahkkl: I really only need more 10G ports, because of lots of 1Gbps peering and 1x 10Gbps expressroute path
cklukaso as long as I'm peering with less than 10 carriers at 1Gbps total, 2x10Gbps should be non-blocking
hkkli nowadays dislike doing any nni's with 1G ports
cklukaand I can add the third-10Gbps port to go up to 20Gbps total peering
hkklas it can be congested by single server or even my own home connection
cklukaI just want the 10G ports for the ability to turn it up to 2 or 4 or 5 gbps
hkkli'd opt for 1G commit on 10G port
hkklif possible
cklukaThat's what I'm doing on all ports
salparadisewhoa: advantage that shops like Google have over normal places is the amount of resources they can throw into this problem, most of this stuff is customized and created there and have the bodies to support it
hkklsalparadise: also that they have very specific dc to dc traffic pattern
salparadisenormal places can only rely on vendor solutions
cklukawe're using all fiberstore optics, so the cost difference between 10GBase-SR and 1GBase-SX is like $21 vs $9
whoasalparadise indeed, but also their deployment doesnt have too many sites
hkklas it is all their own applications
whoasalparadise they mention in the paper they are dealing with only about 12 datacenters with a ceiling of like "a couple dozen"
ckluka36 datacenters globally pretty much covers every major geographic and IP-routed area
salparadisethey also have a backbone and all the IX points to think about
hkklsalparadise: that SD-Wan isn't tied to IX-points / cdn nodes
hkklonly DC to DC
cklukaexcept places that end with *arctica
whoa"Limited number of B4 sites means
whoalarge forwarding tables are not required."
whoatheir customer facing network is separate from this one apparently
hkklsalparadise: google runs network that offers services that end users see with just vendor stuff
salparadiseDC to DC is easier and makes sense how openflow would work
whoathey appear to actually use ebgp to the computer clusters themselves
whoathe b4 wan itself uses ibgp and isis and the igp
hkklwhoa: have you seen this:
hkklby microsoft
hkkloh, this seems to be current:
whoahah! just in passing hkkl!
whoai understand
whoathat microsoft has their own SDN like implementation called SWAN
hkkland lapukhov has in between moved from MS to Facebook :)
whoais that right hkkl? interesting
whoathese guys get poached i guess
whoasince they are experts in a field everyone is trying to learn about
whoaat least the big guys
whoaso far from what i saw in the b4 paper, the fact that the openflow switches let you install rules that are very granular is the coolest part
whoai havent seen anything that would automate me out of a job
whoabut im not an expert
whoathe traffic engineering they use is ip in ip encapsulation
whoathe packet hits the edge of the wan and gets a label with a source ip and a destination ip that isnt a real ip but just a tunnel id
whoathe biggest benefit they have mentioned is that they can use their links at 100% and save money that way
whoabut using centralized traffic engineering
whoaif that is the secret sauce then its something i can learn :)
xousyou need customized hardware and software to do it.
whoaso the openflow software is one level
whoa(switch software)
whoajust runs on linux
whoatheres an agent
xousbut it's useless without a controller
whoathen theres the open flow controller
whoathey used one that stanford gave them
xousbut I doubt that is what google uses
whoaonix i think was the name
whoait was in the b4 paper that they mentioned they used this
whoathere are other ones i think called nox on the net
whoabut you need something to push the rules to the openflow controller
whoaand thats i think the proprietary part that google made
whoathey call it their TE server
whoathat just holds the topology and creates the tunnels and pushes them down to the controller to send to the switches
xousthe interesting part is how they keep that much network state
xousin real time
whoathey dont have too many sites
whoawhich is why they could scale on merchant silicon
whoa10 to 20 was what was hinted at
xousthat's not the complicated bit
xousI mean to run all your links at 100% or even 99%
whoawell as far as flow information
whoafor the tunnels
whoathe tuples are small
whoasource site, destination site , qos
xousyou'd need to know centrally the exact utilization
xousbut how do you know $x flows = link full, use different link
whoai see what you are saying
whoathey use an algorithm
whoacalled mix-mix fairness
whoa*min max
whoai guess its just a qos concept
whoathats the basis of distributing the traffic
xousah, it seems the flow is setup with a desired data rate
whoayah they add weights
whoato prioritize
whoathose are set by an administrator
xouslot of state to track
whoayah def, im gonna keep digging
xousand what about bursty applications
xouswhile it's interesting I don't think it will apply to enterprise or even SP for a very long time.
xousit's gonna be very specialized
salparadiseyou have RSVP-TE for SP and that isn't super awesome
salparadisemaybe segment routing will replace it
xousI haven't seen anyone using it.
salparadisenemith said FB is using it
salparadiseor at least some parts of the network
xousI meant RVSP-TE
xousI know people use SR
salparadiseoh RSVP-TE is used heavily
salparadisewe use it
whoa"By ensuring that heavily utilized
whoaedges carry substantial low priority traffic, local QoS schedulers can
whoaensure that high priority traffic is insulated from loss despite shallow
whoaswitch buffers, hashing imperfections and inherent traffic burstiness.
whoaOur low priority traffic tolerates loss by throttling transmission
whoarate to available capacity at the application level."
xousthat alone takes a lot of very tight integration
whoathey have a bunch of network control servers
xouswonder how available capacity is communicated to the app
whoathat get state from the switches
whoaper site
whoaand communicate that back
salparadiseproto buffers maybe, probably nothing as fancy as people think
whoathe cool thing is if TE breaks
whoathey have a kill switch
whoato fall back to shortest path regular ibgp/isis
xousGoogle support ISIS
xousI wonder if there is a reporter dumb enough
xousthat'd be lulz.
whoa"gwbush declared google as part of the axis of evil"
xousI should have taken monday off
xous3 days is not enough
whoayah :/
whoai wish i had tomorrow off
whoaeaster sunday visiting my cousin
TomatoBagAnyone used to playing around with Cisco Prime?
whoagotta drive back to dc
xousI also seem to have lost track of Saturday.
TomatoBagAny hot tips/Tricks? :D
whoause dcloud tomatobag
whoato play
TomatoBagOh, I already have a local server running
whoaah cool
whoaive only messed with NCS for wireless stuff tbh
whoathey were supposed to use it to monitor asr9ks at my old job but not sure what happened there
whoaxous my bad onix was made by google nec and a company called nicira
whoathis was another one that is available
whoasalparadise any disadvantages to rsvp-te that would be good to know?
whoaif you dont mind me asking
salparadisewhoa: lots of state and possible computation, which is deferred to the routers
whoaah i see
salparadisealthough in theory you can have a controller, haven't seen this implemented
salparadisealso there is a lot of vendor specific features, so a mix of vendors don't play nice
davidhoudeI need to add a second ISP to our office firewall. When I add 'track 1' to the route, connectivity drops. I am not in the office right now but my suspicion is that the upstream router is not responding to ICMP so it drops that route.... I am not in the office to test right now but that seems to be the only logical reason
TomatoBagI guess it depends on how it monitors the second route.
salparadisedavidhoude: is running an actual protocol an option?
davidhoudeIt only monitors the first route via icmp and then drops that route when it goes down, having the backup the new default.
TvillingTomatoBag: I've worked with it quite a bit, any specific issues?
davidhoudewell im sure it is possible
TomatoBagNothing specific so far. We are running EIGRP internally and I was mostly looking at how Prime could help visualize our different routing processes.
TvillingIt can't
TomatoBagthe monitoring part (as far as I can see) seems limited.
TomatoBagWe are running 3.0 if it makes a difference.
whoasalparadise thanks for the feedback!
whoabbiab guys
Tvilling3.0 is mostly a rewrite of the frontend
TomatoBagIt's definitely all web 3.0 and sliding menus...
TomatoBagBit of a pain to navigate.
TomatoBagBut yeah, I wanted something like a EIGRP map with all the good stuff in it.
Golleeisn't the point of eigrp that there's no network map?
TomatoBagTo a single router, sure.
TvillingPI isn't that featureful for monitoring of wired stuff, unfortunately
TvillingIt's getting there, slowly
TomatoBagYeah, the wifi stuff seems the main focus.
TomatoBagWe have two 5760 and there is some good status
TomatoBagGollee, I mostly assumed that if Prime was used to monitor each node in your EIGRP topology, you could get a rough idea of the routing plane.
TvillingYou basically want a weathermap?
TomatoBagKind of, I dont think there is anything quite like that so far. Probably could hack something with nagvis and some specific SNMP queries.
TvillingThere's link state maps and auto-ish discovery there, but no link utilization overlay
TomatoBagYeah, that was also surprising.
TomatoBagIt doesnt seem to show (easily) traffic/per time per link
TomatoBagThere is a Top N interface but that's way too large
mnathani_Anyone using Amazon WorkSpaces as their Desktop Virtualization / VDI Alternative these days?
mnathani_How about Amazon EC2 / AWS for CCIE Labbing?
xousheh. that would be expensive
oistercisco makes a ccie lab product
mnathani_you talking about VIRL?
Packet_SurfIf you're using Wireshark to detect issues, what do you look for? Do you filter out like ICMP Packets or something?