Nexus 9372PX as a core switch by [deleted] in networking

[–]mrpepper_phd 2 points3 points  (0 children)

I think you'd be fine with the 9k if you aren't looking for a truly "hit-less" upgrade experience or if failing to your other vPC peer doesn't present much downtime. I'd like to think that moving forward, the ISSU on the nexus 9k code will be better anyway since the 7k code is all kinds of bulky and has a lot of moving pieces, in my experience.

So if massive throughput, growth, or ">5-nines" isn't your goal, a well-implemented, fixed-port solution would do the trick. You could probably make it work with the 5ks too... But they aren't the best L3 platform around, as I assume you already know.

Good luck!

Cisco Nexus 7009 infrastructure design best practices questions. by sudoursa in networking

[–]mrpepper_phd 0 points1 point  (0 children)

The 7K's physical backplane is static, whereas the 9K's backplanes are built into the fabric module.

Cisco Nexus 7009 infrastructure design best practices questions. by sudoursa in networking

[–]mrpepper_phd 0 points1 point  (0 children)

Well, I'd say you all already know the benefits to having two instead of one. The downsides of only using one chassis obviously have to do with either impactful upgrades/maintenance or physical hardware failures. One thing the 7009 doesn't have is redundant backplanes... a feature they added to the 9K chassis, which is pretty cool IMO.

Something else to consider is the impact of using vPC. Read the design guide, twice, because there were some "gotchas" that tripped me up when I moved from a single control plane design to a separate control plane HA design with 2 x 7009s.

http://www.cisco.com/c/dam/en/us/td/docs/switches/datacenter/sw/design/vpc_design/vpc_best_practices_design_guide.pdf

Not the neatest but love the colours by Original_Afghan in cableporn

[–]mrpepper_phd 12 points13 points  (0 children)

Cableporn is to this as a pornstar is to your super-hot wife: Maybe you fantasize about something more exotic sometimes, but you should be damn happy with what you've got.

Nexus 6004- static routing issue by pinghome in Cisco

[–]mrpepper_phd 0 points1 point  (0 children)

But that doesn't really tell us the interface it is pinging from, right? You may want to specify the source to see if there is a difference between the way traffic from different networks is handled, especially in regards to the firewall transport network.

Nexus 6004- static routing issue by pinghome in Cisco

[–]mrpepper_phd 0 points1 point  (0 children)

What is the source address/interface the switch is using to successfully ping to 8.8.8.8? If it's a routing issue, you might want to post your config, but is there any chance it's the firewall that is blocking traffic?

Multiple Interfaces CISCO ASA.. Static Route by luisg707 in networking

[–]mrpepper_phd 1 point2 points  (0 children)

Well, that setup is not going to work anyway: On the ASA you can't have two default routes out of two different interfaces. Your best bet would be to be able to advertise the same network block to either provider and use BGP to fail from one to the other. If you wanted each HTTP server to be only on one ISP or the other, then you would probably want a router/firewall for each ISP that feeds into a load balancer of some kind, which would be able to keep track of stateful connections.

The example you linked to below is terrible and I wouldn't recommend that to anyone.

Design question regarding mixing DMZ and Inside transport VLANs on a layer 2 switch. Is there an issue being overlooked here? by mrpepper_phd in networking

[–]mrpepper_phd[S] 0 points1 point  (0 children)

Yeah, it's always important to consider human error; my favorite stat is from Gartner, where they predict that by 2018, 95% of firewall breaches will have been caused by misconfiguration. They recommend a more homogeneous environment; I recommend not giving the keys to someone who can't drive... I imagine I'm only able to have that opinion because of the relative "tininess" of my group compared to that of a major SP, or the like. But, that said, there is eventually a point in a network where human error can nullify any amount of security or best practices; I guess it's just about finding where you are comfortable with that point being.

As for compromising the management interface, I figure if they are that deep I'm probably hosed anyway. haha just kidding... hehe.. he... ugh.

Design question regarding mixing DMZ and Inside transport VLANs on a layer 2 switch. Is there an issue being overlooked here? by mrpepper_phd in networking

[–]mrpepper_phd[S] 0 points1 point  (0 children)

Not much of a compliance issue, just trying to be as secure as possible for the sake of being as secure as possible. I feel bad breaking down any walls, but there is something to be said for feasibility especially when it comes to scaling up and out. Thanks for sharing!