Topics - LynK

#1
Routing and Switching / Moving to IPv6
January 21, 2021, 02:07:43 PM
Hey guys/gals!

I hope you are all doing well. We are going to be dual-stacking our ISPs soon and starting the migration to IPv6! Do you have any good design guides/books you recommend? Also, for those of you who deployed IPv6: did you use ULA or GUA addresses for your internal network? I do not see why we would not just use our GUA addresses and let the firewall control what can talk to them.

#2
Forum Lobby / Cloud networking books
July 07, 2020, 08:18:24 AM
hey guys,

I hope you are all doing well. I am possibly moving to a new role which involves a SaaS company with a heavy investment in the cloud, so my role will be 50/50 on-prem and cloud. Which books/resources do you recommend for AWS and Azure networking?

thanks!
#3
Forum Lobby / anyone taken CCNP Enterprise yet?
April 23, 2020, 09:48:10 AM
Hey guys!

I hope you are all doing well. 2020 has been a crazy year for sure thus far.

Do any of you know someone who has taken the CCNP enterprise yet? What were their thoughts on the exam? Difficulty? Time taken to prepare? Materials used?

#4
Hey guys,

We have moved over to our new ARIN addresses and ASN. We are running into issues with various companies blocking us due to Geo-IP, signature systems, or heuristic detection blocking. This is an issue specifically with Symantec MessageLabs, as we have critical people we contact through them.

Is there a way that you know to work around this? ARIN does not offer any geo-IP services, and I know it is on the customer's end, but do you know of anything else we can do? One of our problems for example is with Chase Bank. The only way Symantec will fix the issue is if Chase calls them. Yeah... good luck.
#5
Hey guys.

Took my NP ROUTE back in '17 and never finished the SWITCH + TSHOOT. I want to get them done so I can get NP before February.

Right now I have 2 vouchers through Global Knowledge and the video course through them. What other books/crap should I buy for the SWITCH, and what else should I get for the TSHOOT?
#6
Hey guys, I have only used Global Knowledge. Have you used any of these, and which one is your favorite? I need to finish my CCNP R&S before Feb. I would really appreciate your assistance.

US:

Fast Lane Consulting and Education Services
Global Knowledge
Micronics, Inc.
NC-Expert
NetMasterClass
NterOne

https://learningnetwork.cisco.com/community/learning_center/expert-level-training/ccie-routing-switching/learning-partners
#7
Routing and Switching / Internet Edge Design Layout
June 12, 2019, 08:50:40 AM
Hey guys!

I think it would be interesting to see Visios/diagrams of your environment's internet edge. If you also want to include sanitized configurations, that would be pretty interesting as well. It would be cool to see the different thought processes behind each design, and why you ultimately came up with your solution.
#8
Hey guys,

Have any of you designed MPLS backup through a provider for leaf to spine communications? Any limitations?

Did you run the MPLS in the overlay vrf, or the default vrf?

#9
Forum Lobby / Reselling
May 17, 2019, 03:18:44 PM
Are any of you familiar with how reseller operations work in IT?

So let's say you are a reseller for Cisco. You (the reseller) work with Cisco and their distributors to get a quote for customer X. You provide them the quote, they sign the PO. Does the reseller purchase the equipment on behalf of the customer, or does the customer actually pay the distributor directly?
#10
Have any of you run into an issue when using a VXLAN EVPN network with option 82 on the DHCP server? We have this running live in our environment now. Clients are able to get addresses through option 82, but when a device goes to another site with a different subnet they are not getting the new IP addresses, but rather sticking to the old address.

Config has been verified with Cisco, and I am going to have to contact Microsoft on Monday. But in the meantime have any of you experienced this, and what was your workaround?

At first we had two DHCP servers configured (a primary & secondary) and what we saw happening was the original DHCP primary server was responding to the client (which on the new subnet was actually the secondary server) after the actual primary server received 2 DHCP requests for its old IP address.

So we removed DHCP failover, and removed the secondary DHCP server and tested... and the problem still arose. The good news is it was now talking to the proper server, the bad news is it looks like Microsoft was not responding correctly with the proper subnet and IP address for that subnet.
#11
If you have a VXLAN setup, you cannot peer OSPF from a VLAN SVI because of the shared IP/MAC on the VTEPs. So how would you go about setting up an OSPF adjacency from, let's say, a virtual firewall/switch without having to use any additional dedicated network interfaces?

My guess is to have a dedicated vlan SVI with a /31 range and advertise that into the distributed switch, and create a port group for that vlan? Any other way you guys can think of?
#12
Routing and Switching / DCNM 11 question
December 14, 2018, 01:55:45 PM
For those of you who have tested/deployed DCNM with your VXLAN fabric: do you know why, when you assign a leaf as a border leaf, it removes the SVI configuration?

According to David Jansen in building networks with VXLAN BGP EVPN, he states a single leaf can perform all 3 functions of a leaf "service, border, and normal". Yet in DCNM, when you configure a border leaf it removes all SVIs.

I wonder if this is a bug, or if I should try wiping my leafs and re importing them fresh to see if there is a difference.
#13
Routing and Switching / Cisco ACI vPC Scenario
September 12, 2018, 10:01:55 AM
I cannot find this problem, nor a solution. If you have remote leafs in ACI running vPC, and the spines are in a different data center, and both leafs lose connection to the spines and controllers in that data center, how does vPC operate? Because according to my understanding there is no direct peer connection between leafs in ACI mode; it uses the fabric for its keepalives. But what if that goes down?
#14
Routing and Switching / Interesting DCI Problem
August 22, 2018, 12:25:35 PM
Gentlemen,

I have a problem, and I am wondering if this would work.

The problem I have is I have two data-centers with layer 3 links between them. Each DC has its own ISP, but they are using different public IP address spaces at each data center. We are on a waiting list to get our own public IP addresses... the pain... it hurts.

The question I have is about the interim. How can I make this work? What I want to do is advertise the same carrier-owned IP block at both sites, but prevent asymmetrical data flows. The only way I can think of doing this is putting the public IP address range on a VLAN, and stretching it over the data center so our virtual firewalls have the IP block at both sites for failover. The problem is we have layer 3 connections.

My question for you is this. Let's say my internet range is 66.66.66.0/24 on VLAN ID 666 at datacenter A. What would happen if I created a subinterface ethX/X.666 and did encapsulation dot1q 666 on the subinterface at both datacenters with no IP address (or the IP of the network)? Would that VLAN then be stretched over the subinterface to the other datacenter? So then at datacenter B's VLAN 999 I have an edge router in the 66.66.66.0/24 network. Would I be able to ping the 66.66.66.X host on the other side?

I am thinking this will work... but I have no way to verify.
#15
Guys,

I am trying to essentially re-design our guest infrastructure. What I am trying to do is get a default route from our firewalls, that advertises down to our cores into a guest VRF. For whatever reason in GNS3 this will not work. Any thoughts? I do not want to advertise a static route because that defeats the purpose of redundancy.

Can this be done?

Design is simple. Firewall and core are in GRT right now. I have an SVI + VRF for guest network in GNS3. Trying to see if I can get the 0.0.0.0 propagated.

Here is the config:

ip vrf GUEST
 rd 1094:1
 import ipv4 unicast map Import
 route-target export 1094:1
 route-target import 1094:1
!
interface Loopback1040
 ip address 10.10.40.1 255.255.255.0
 ip ospf 1 area 0
!
interface Loopback1094
 ip vrf forwarding GUEST
 ip address 10.10.94.1 255.255.255.0
!
interface GigabitEthernet3/0
 description ***TO INTERNET***
 ip address 10.0.0.5 255.255.255.252
 ip ospf 1 area 0
 negotiation auto
!
ip prefix-list DEFAULT seq 5 permit 0.0.0.0/0
!
route-map Import permit 10
 match ip address prefix-list DEFAULT
!

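Added example, not the poster's configuration or anything else from the thread: one way to get the OSPF-learned default from the global table into the GUEST VRF on IOS. The `import ipv4 unicast map` command under `ip vrf` imports prefixes from the global BGP table, not from the global RIB, so the default has to be in BGP first. That means a local BGP process (ASN 65000 below is an assumed private ASN; no neighbors are needed) with the OSPF default redistributed into it, and `default-information originate` under BGP, without which BGP will not accept a redistributed 0.0.0.0/0. The firewall is assumed to originate 0.0.0.0/0 into OSPF process 1 (for example with `default-information originate`), so the default is already in the global RIB as an E2 route.

```cisco
! Added example. Assumptions: OSPF process 1 carries the firewall-originated default,
! ASN 65000 is a made-up private ASN, and the VRF/route-map names match the post.
ip vrf GUEST
 rd 1094:1
 route-target export 1094:1
 route-target import 1094:1
 ! Pull prefixes permitted by route-map Import from the GLOBAL BGP table into this VRF.
 import ipv4 unicast map Import
!
ip prefix-list DEFAULT seq 5 permit 0.0.0.0/0
!
! Implicit deny at the end: nothing but the default is imported, so the rest of the
! global table stays invisible to guests.
route-map Import permit 10
 match ip address prefix-list DEFAULT
!
route-map OSPF_TO_BGP permit 10
 match ip address prefix-list DEFAULT
!
router bgp 65000
 bgp log-neighbor-changes
 address-family ipv4
  ! Put the OSPF default (an E2 route) into the global BGP table. The route-map keeps
  ! everything else out of BGP. BGP drops a redistributed 0.0.0.0/0 unless
  ! default-information originate is also configured.
  redistribute ospf 1 match internal external 1 external 2 route-map OSPF_TO_BGP
  default-information originate
 exit-address-family
 address-family ipv4 vrf GUEST
 exit-address-family
```

Check with `show ip route vrf GUEST 0.0.0.0`, where the default should now appear as a BGP route, and `show ip bgp vpnv4 vrf GUEST`. If the firewalls stop originating the default, it is withdrawn from OSPF, then from BGP, then from the VRF, which is the failover behaviour a static route in the VRF would not give.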
#16
Forum Lobby / Cisco Live - Orlando
April 03, 2018, 02:40:27 PM
Any of you guys going to Cisco Live this year? Finally, after 8 years in IT, my new job (since November) is letting me go. I am very excited, as you can imagine, and I hope to meet some of you for the first time down there.

So who else is going?
#17
Security / Radius Server
March 28, 2018, 09:23:24 AM
What are you guys currently using?

Currently we are using a Microsoft NPS, and it has been pretty unreliable so far... I'm debating between standing up a new 2016 NPS, or giving FreeRADIUS a try.

Biggest needs are for infrastructure + wireless (multiple SSID) authentication.

Any other recommendations?
#18
Are any of you on version 7/8 of NX-OS? I want to upgrade to either of these to get the BiDi single-strand transceiver support.

Just wondering how it is running for you all.
#19
Security / SSH boxes
February 02, 2018, 10:54:58 AM
Gentlemen,

What do you use for your SSH boxes? We are looking into this, and the only thing I have used was a 2800 router with a list of IPs and a Tripp Lite console/SSH server which I did not like.

Looking to hear more information for those of you in the larger enterprises.
#20
Routing and Switching / ISR 4K NBAR
December 11, 2017, 02:03:52 PM
Here is a fun QoS problem I have run into.

Let's say a router has a shared MPLS + Internet circuit (100/100 Mbps). Both are going out the same external interface but in VRFs and sub-interfaces.

You can't apply the NBAR policy on the parent External interface because it does not see any protocols in the NBAR protocol analyzer (unless this is a bug). This then forces me to apply the service policy on the sub-interfaces.

Would it be safe to apply the QoS policy to both sub-interfaces (100 Mbps), and have them aggregate?

My fear is that I have 50% allocated for voice + video. It would then use 50% on vrf A sub interface A and 50% on vrf B sub interface B.

Thoughts?

Here is my current QoS design. This was however assuming percentages based on a single interface policy. I am not sure if sub-interfaces are aggregates of the parent's bandwidth. Or am I really going to have to shape out a specific amount of bandwidth for internet, and a separate share for MPLS (example: 80 Mbps for internet, 20 Mbps for MPLS)?

class-map match-any REALTIME
 match protocol rtp audio
 match protocol rtp video
 match protocol cisco-phone-audio
 match protocol webex-meeting
 match protocol webex-app-sharing
 match protocol webex-media
 match protocol telepresence-media
 match protocol sip
 match protocol sip-tls
 match protocol skinny
 match protocol h323
 match protocol rtcp
 match protocol telepresence-control
 match protocol cisco-phone
 match protocol cisco-jabber-audio
 match protocol cisco-jabber-video
 match protocol attribute category voice-and-video
!
! NBAR attribute name is net-admin (hyphenated).
class-map match-any MISSION_CRITICAL
 match protocol mgcp
 match protocol bgp
 match protocol smtp
 match protocol vmware-view
 match protocol vmware-vmotion
 match protocol vmware-vsphere
 match protocol radius
 match protocol ssh
 match protocol attribute category net-admin
!
! consumer-internet and consumer-file-sharing are NBAR sub-category attributes,
! not categories.
class-map match-any BUSINESS_CRITICAL
 match protocol attribute sub-category consumer-internet
 match protocol attribute sub-category consumer-file-sharing
 match protocol attribute category browsing
 match protocol attribute category email
 match protocol http
 match protocol https
!
! Everything not matched above lands in class-default; an empty user-defined
! class-map would match nothing.
policy-map QOS
 class REALTIME
  set dscp ef
  priority percent 50
 class MISSION_CRITICAL
  set dscp af41
  bandwidth percent 25
 class BUSINESS_CRITICAL
  set dscp af21
  bandwidth percent 20
 class class-default
  bandwidth percent 5
  fair-queue
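Added example, not the poster's configuration: a parent shaper per sub-interface with the QOS policy above nested as the child. On the ISR 4K (IOS-XE), as on classic IOS, a queuing policy with `priority percent` and `bandwidth percent` cannot be attached directly to a dot1Q sub-interface, because the sub-interface has no bandwidth of its own for the percentages to refer to; the parent shaper supplies that number, and the child percentages are then taken from the shaped rate. Interface names, VLAN tags, the VRF name, the addresses and the 80/20 Mbps split are assumptions.

```cisco
! Added example. Assumptions: Gi0/0/0 is the shared 100 Mbps circuit, VLAN 100 is the
! Internet hand-off, VLAN 200 is the MPLS hand-off in VRF MPLS, and the split is 80/20.
! With the child nested under a shaper, REALTIME gets 50% of 80 Mbps on Internet and
! 50% of 20 Mbps on MPLS, instead of 50 Mbps on each (which would oversubscribe the circuit).
policy-map SHAPE_INTERNET
 class class-default
  shape average 80000000
  service-policy QOS
!
policy-map SHAPE_MPLS
 class class-default
  shape average 20000000
  service-policy QOS
!
vrf definition MPLS
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet0/0/0
 description External circuit, 100/100 Mbps shared by Internet and MPLS
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/0.100
 description INTERNET
 encapsulation dot1Q 100
 ip address 203.0.113.2 255.255.255.252
 service-policy output SHAPE_INTERNET
!
interface GigabitEthernet0/0/0.200
 description MPLS
 encapsulation dot1Q 200
 vrf forwarding MPLS
 ip address 10.255.0.2 255.255.255.252
 service-policy output SHAPE_MPLS
```

Verify with `show policy-map interface GigabitEthernet0/0/0.100` and `... 0/0/0.200`; the child classes report offered and drop rates against the shaped rate, so the sum of the two priority queues can never exceed 50 Mbps across the physical link. The cost of this approach is that the split is fixed: idle MPLS bandwidth does not flow to Internet traffic. Letting the two share one 100 Mbps budget dynamically would require a single policy on the physical interface, which is exactly where NBAR classification was not working in the scenario above.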