> On 23 Jul 2020, at 18:59, Mark Tinka <mark.ti...@seacom.com> wrote:
>
>> On 23/Jul/20 10:43, Lukas Tribus wrote:
>>
>> You just need a route to a HTTP proxy (like tinyproxy) in your FIB,
>> just like you already need reachability for monitoring systems, NMS,
>> radius servers etc.
>
> All those monitoring systems live in the IGP, which is in FIB.
>
>>
>> No default route or full table necessary on any boxes, just IP
>> reachability of a single, very simple forwarding proxy.
>
> Things that call home into the cloud tend to be a bit flaky. Adding a
> proxy to that can mix things up quite nicely, and I'd prefer to avoid
> that altogether.
>

+1 on that - this is precisely why we went down the SSM route and not “proxy direct to cloud”

>
>> - if the Cisco Licensing Cloud suddenly denies valid licenses due to
>> temporary technical problems
>
> I would expect that the SSM server has some grace period during which it
> can lose communication with the mothership before starting to become a
> threat to local operations. Not having that would be bad design, as the
> Internet is well, not infallible. Those with SSM can enlighten us.

SSM only needs to check in once a year (if I remember correctly) before things REALLY break, and generally once a month if you don’t want it to alarm. So loss of comms doesn’t faze it too much.

It’s got an airgapped mode where it can be synced via a “sneaker net” file rather than direct https comms to Cisco, too. Not so much an issue for most SP networks I’d suggest, but I imagine it comes in useful in some circumstances where you’re dealing with a network with no internet access at all.

As a final point the routers also have a grace period (measured in days, but I forget how long - our SSM box stays up without too many issues other than patching) - so losing SSM for a short period of time isn’t going to cause a problem.

>
>>
>> - if the US gov suddenly imposes sanctions against your country (and
>> in the simplest scenario - you are unable to pay for subscriptions
>> because international payments are blocked - this is happening right
>> now between RIPE and Iranian LIRs)
>
> Well, this affects you even when you don't have an on-prem SSM server, then.
>
> In our case, it helps to have backbone in other continents...
>
> Mark.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/