Showing posts from March, 2019

Policy Based Routing on a Nexus

First of all, let's just admit, I am a collab guy; doing work on a Nexus is a foreign experience. While some things are intuitive, not everything follows RFCs, and the Nexus platform is a bit more restrictive.

To get PBR going at all, I had to change the hardware profile and carve out TCAM space for PBR. Since I have no intention of using QoS internally in my lab, I decided to steal from that region:

hardware profile tcam region qos 0
hardware profile tcam region pbr 256

This then requires a reboot. 

After this is done and the pbr feature is enabled:
feature pbr

You can get into creating the route-maps. However, unlike on IOS devices, you can only use permits in your ACLs; traffic you want excluded from policy routing is then matched by a deny statement on the route-map itself:

ip access-list PBR_DENY
 statistics per-entry
 10 permit ip any <destination-to-exclude>   ! placeholder: the original post does not show the destination

ip access-list PBR_PERMIT
 statistics per-entry
 10 permit ip any any

route-map PBR_RULE pbr-statistics
route-map PBR_RULE deny 10
 match ip address PBR_DENY
route-map PBR_RULE permit 20
 match ip address PBR_PERMIT
 set ip next-hop <next-hop-ip>   ! placeholder: the original post does not show the next hop
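A complete version of the procedure above, as an added example and not the original post's configuration: the same ACL and route-map pair with constructed values, bound to an ingress SVI and checked with the per-entry and route-map counters. The 10.0.0.0/8 destination, the 192.0.2.254 next hop and the Vlan10 interface are assumptions.

```text
! Added example; all addresses and the interface name are constructed.
feature pbr

! Traffic to the internal range must keep using the normal routing table.
! NX-OS ACLs used by PBR can only permit, so the exclusion is expressed by
! the route-map deny clause that references this ACL.
ip access-list PBR_DENY
  statistics per-entry
  10 permit ip any 10.0.0.0/8

! Everything else is a candidate for policy routing.
ip access-list PBR_PERMIT
  statistics per-entry
  10 permit ip any any

route-map PBR_RULE pbr-statistics
route-map PBR_RULE deny 10
  match ip address PBR_DENY
route-map PBR_RULE permit 20
  match ip address PBR_PERMIT
  set ip next-hop 192.0.2.254

! Nothing is policy-routed until the route-map is bound to an ingress interface.
interface Vlan10
  ip policy route-map PBR_RULE

! Verification (exec mode): the deny clause should count packets bound for
! 10.0.0.0/8, the permit clause the packets redirected to 192.0.2.254.
!   show route-map PBR_RULE pbr-statistics
!   show ip access-lists PBR_DENY
!   show ip access-lists PBR_PERMIT
```

If the deny counter stays at zero while internal traffic is being redirected, check the clause order first: the deny sequence must have the lower number so it is evaluated before the permit.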

Google Domains, no API and a lot of collab edge sadness

Not that it's not something that can't be worked around, but I was enjoying using Google Domains' own name servers and not having to manage my own. However, given the fact I use Let's Encrypt and I would rather not renew my own certs every 90 days, and the fact you need A records for each SAN... well, I guess I have to spin up my own external DNS server. Luckily, Google Domains uses DNSSEC, so I will have to do that this weekend.

I found that my old ASA Let's Encrypt script was not perfect; I will also update that this weekend with more logical checks. It will need to be run as a sudoer as well, as there are some mkdir commands that need to happen. I have gotten to a point where I will test it as a cron job.

In the meantime, someone has asked me to automate Windows Server 2016 installs for their lab, so I guess I will do that tonight.

I haven't been posting lately, because I am leading a game development team outside of work, studying for the lab and, frankly, I have no clue where I find any time to do even this post.