For our Firewall on a stick setup we carve out the vlan on R3/R4 and the firewall then just default gateway to the inside IP on the firewall, same setup abigserve explained. We have the FoaS connected into the access layer with L3 MSFC's instead of distro to avoid dumping gig's of inside traffic to the core so I guess it makes sense for us to use it.
|
# ? Aug 11, 2011 15:05 |
|
|
Yea putting the network that needs to be firewalled behind the firewall makes the most sense as well as using specific statics for the interesting traffic and letting your IGP take care of the rest. Firewall on a stick isn't all that desirable if you are in any kind of bandwidth or latency sensitive situation. So basically something like this: code:
|
# ? Aug 11, 2011 18:38 |
|
FatCow posted:
|
# ? Aug 11, 2011 20:22 |
|
jwh posted:
> What kind of firewalls are these?

Haven't selected a vendor yet, it's most likely going to be ASAs or SRXs though. The reason we're going with an "on a stick" architecture is because only ~5-7% of our traffic by volume actually needs to go through a firewall. Having the protected hosts directly hang off the firewall would mean I need another switch; I'd prefer to just use R3/R4 as a L2 device for those vlans. I'm not sure why I dismissed putting the default routes on the firewall now that I spend some more time thinking about it.
|
# ? Aug 11, 2011 21:29 |
|
FatCow posted:
> Haven't selected a vendor yet, it's most likely going to be ASAs or SRXs though.

You don't need a new switch, all you do is trunk your firewalled vlans down to the firewalls from R3/R4. Any vlans you didn't want firewalled you just route directly off R3/R4.
|
# ? Aug 12, 2011 00:39 |
|
Palo Altos are a good choice. They can terminate layer 2 / layer 3 on-box, at wire speed or more or less. That would give you some significant flexibility in handling your layer-3 boundaries. Just an FYI.
|
# ? Aug 12, 2011 06:25 |
|
jwh posted:
> Palo Altos are a good choice. They can terminate layer 2 / layer 3 on-box, at wire speed or more or less.

Just watch your HA configs and state sync on this. We got bit in the rear end because the dual forwarding nature of the Nexus environment created all sorts of async routing that our security guys didn't plan for accordingly, and we were dropping traffic for out of state and all sorts of things. You'll want to have HA1-3 up and operational on there.
|
# ? Aug 12, 2011 13:47 |
|
I finally remembered why I didn't want the defaults on the FW. I simplified the drawing too much to show the reason, then forgot it. I'd really rather not extend L2 from R5/6 to R3/4. Anyone see something obvious that I'm missing here that would let me keep the defaults on FW2 (and R5/R6) and still be easy for NOC guys to manage? code:
|
# ? Aug 12, 2011 21:08 |
|
This question concerns interface errors. We've been having some issues with a couple interfaces getting input errors, usually only a couple a minute, and I haven't been able to track it down. No CRC or other errors, just input. Both interfaces are gig fiber SFPs, one going out to the ISP for one of our IP uplinks, the other goes to an internal piece of equipment. I've talked to the ISP and they're not seeing any output errors; speed and duplex are correct. Settings from the Cisco to the internal equipment are fine as well. This is only happening on one Cisco in one city. Redundant links to the other Cisco aren't getting errors, and no other issues in other cities. The Cisco is a 6506 with SFPs in slot 1. I've tried looking through Cisco troubleshooting docs, but I haven't really gotten anywhere. If it were dirty fiber or a bad port, we'd be getting CRC and other errors, wouldn't we? We haven't tried moving ports, because both are pretty heavily used and would cause some pretty heavy downtime even early AM if we messed with them. We also get very little input traffic on the ISP interface. The internal equipment interface is higher usage in/out. Any ideas on what else to look for?
|
# ? Aug 15, 2011 15:53 |
|
Panthrax posted:
> This question concerns interface errors. We've been having some issues with a couple interfaces getting input errors, usually only a couple a minute, and I haven't been able to track it down. No CRC or other errors, just input. Both interfaces are gig fiber SFPs, one going out to the ISP for one of our IP uplinks, the other goes to an internal piece of equipment. I've talked to the ISP and they're not seeing any output errors; speed and duplex are correct. Settings from the Cisco to the internal equipment are fine as well. This is only happening on one Cisco in one city. Redundant links to the other Cisco aren't getting errors, and no other issues in other cities.

What kind of errors are they? Please mark the box below that corresponds:

    Input queue: 1/75/356/174 (size/max/drops/flushes); Total output drops: 0
    0 runts, 0 giants, 1 throttles
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
    0 watchdog, 0 multicast, 0 pause input
    0 input packets with dribble condition detected

It's possible that it's a buffer miss or some kind of malformed packet. Have you taken captures of that port to check for runts/giants etc?
|
# ? Aug 15, 2011 16:51 |
|
Input errors.

    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
    Queueing strategy: fifo
    Output queue: 0/40 (size/max)
    5 minute input rate 6000 bits/sec, 18 packets/sec
    5 minute output rate 521977000 bits/sec, 340673 packets/sec
    L2 Switched: ucast: 2273 pkt, 221465 bytes - mcast: 0 pkt, 0 bytes
    L3 in Switched: ucast: 592337 pkt, 46276236 bytes - mcast: 0 pkt, 0 bytes mcast
    L3 out Switched: ucast: 1452292053 pkt, 280123836332 bytes mcast: 0 pkt, 0 bytes
    596050 packets input, 46578990 bytes, 0 no buffer
    Received 2584 broadcasts (0 IP multicast)
    0 runts, 0 giants, 0 throttles
    152 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
    0 watchdog, 0 multicast, 0 pause input
    0 input packets with dribble condition detected
    1451819138 packets output, 280024647378 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collision, 0 deferred
    0 lost carrier, 0 no carrier, 0 PAUSE output
    0 output buffer failures, 0 output buffers swapped out
|
# ? Aug 15, 2011 16:54 |
|
Panthrax posted:
> Input errors.

    show int <interface> counters errors
|
# ? Aug 15, 2011 18:40 |
|
Is there a tool I can use to visually map out how a particular address space is being used? For example we have a /16 allocated for static natting. Unfortunately we are getting a variety of networks that we need to nat. Everything from /23s up to /32s. I tried to plan out the utilizations logically, but it's grown so much that I've got overlapping IP space in my nat statements. Luckily for now, not all the space in each nat is being used, but in the future things may change, or I may add more nats etc. So what I'd like is to give a program an arbitrary number of networks smaller than a /16. Say something like 10.80.4.0/23 10.80.6.161/32 10.80.1.0/25 etc. Then the program would map out overlapping space, free space, and used space so I could evaluate where my free blocks are, and where my overlapping blocks are. I've tried to do it with Excel, but it's pretty awkward especially since most of my networks are small /26's and /27's, but I also have a few /23's /24's and /25's. Any tips?
|
# ? Aug 15, 2011 19:24 |
|
Just gen a spreadsheet of /24s and then break them down to /32 in excel, and colorize?
|
# ? Aug 15, 2011 19:29 |
|
There are 256 /32's in a /24 though. So that would be 256 cells per /24, and I'm mapping out a /16 (though most of it is empty for now, except for a few /20's) so that is another 256 columns. I'm not really interested in looking at 2^16 /32s
|
# ? Aug 15, 2011 20:08 |
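The mapping asked for above (feed the tool a list of networks inside a /16, get back the overlapping space, the used space and the free blocks) can be done with Python's standard `ipaddress` module without enumerating 2^16 hosts. This is an added example, not a tool from the thread: it takes the three networks quoted in the question plus a constructed, deliberately overlapping /25, reports every overlapping pair, collapses the used space, subtracts it from the parent block to list the free CIDR blocks, and renders a one-character-per-/24 map (16 rows of 16 cells, one row per /20) so a /16 fits on a screen. The parent and network strings are sample input.

```python
import ipaddress
from itertools import combinations

def parse_networks(specs):
    """Turn strings like '10.80.4.0/23' into IPv4Network objects (host bits tolerated)."""
    return [ipaddress.ip_network(s, strict=False) for s in specs]

def find_overlaps(nets):
    """Every pair of networks that share address space."""
    return [(a, b) for a, b in combinations(nets, 2) if a.overlaps(b)]

def used_blocks(nets):
    """Minimal set of blocks covering all networks (overlapping and adjacent ones merged)."""
    return list(ipaddress.collapse_addresses(nets))

def free_blocks(parent, nets):
    """Subtract the used blocks from the parent and return what is left as CIDR blocks."""
    free = [parent]
    for used in used_blocks(nets):
        remaining = []
        for block in free:
            if not block.overlaps(used):
                remaining.append(block)
            elif used.subnet_of(block):
                remaining.extend(block.address_exclude(used))  # carve used out of block
            # else: block lies entirely inside used, so it is consumed
        free = remaining
    return sorted(free)

def render_map(parent, nets, cell_prefix=24, row_len=16):
    """One character per /cell_prefix block: '.' free, '#' used, '!' claimed by two or more networks."""
    pairs = find_overlaps(nets)
    rows, row = [], ""
    for cell in parent.subnets(new_prefix=cell_prefix):
        if any(a.overlaps(cell) and b.overlaps(cell) for a, b in pairs):
            row += "!"
        elif any(n.overlaps(cell) for n in nets):
            row += "#"
        else:
            row += "."
        if len(row) == row_len:
            rows.append(row)
            row = ""
    if row:
        rows.append(row)
    return rows

def summarize(parent_spec, specs):
    parent = ipaddress.ip_network(parent_spec)
    nets = parse_networks(specs)
    free = free_blocks(parent, nets)
    return {
        "overlaps": find_overlaps(nets),
        "used": used_blocks(nets),
        "free": free,
        "free_addresses": sum(b.num_addresses for b in free),
        "map": render_map(parent, nets),
    }

# Constructed sample: the three networks quoted in the post plus one deliberately
# overlapping /25 so the overlap detection has something to report.
SAMPLE_PARENT = "10.80.0.0/16"
SAMPLE_NETS = ["10.80.4.0/23", "10.80.6.161/32", "10.80.1.0/25", "10.80.4.128/25"]

if __name__ == "__main__":
    s = summarize(SAMPLE_PARENT, SAMPLE_NETS)
    for a, b in s["overlaps"]:
        print(f"OVERLAP {a} <-> {b}")
    print("free addresses:", s["free_addresses"])
    for block in s["free"]:
        print("free:", block)
    for i, row in enumerate(s["map"]):           # each row is one /20 of the parent /16
        print(f"10.80.{i * 16}.0/20  {row}")
```

Because every block is a CIDR prefix, two prefixes that overlap always nest, which is why `free_blocks` only needs `subnet_of` and `address_exclude`. The free list comes back as the minimal CIDR blocks, so "where are my free /23s" is answered by filtering on `prefixlen`.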
|
Use a Hilbert Curve?
|
# ? Aug 15, 2011 21:15 |
|
Well, you're going to have to start somewhere
|
# ? Aug 15, 2011 21:15 |
|
Have you looked into IPPlan? http://iptrack.sourceforge.net/ It works nicely for us in carving out segments from five /16's into more manageable borders.
|
# ? Aug 15, 2011 21:20 |
|
Is the whole NET-192-168-0-0 style of designation standard? I see it everywhere when I whois but I just realized I have no idea whether it's an actual "thing" or just something that people started using that has no set guidelines, etc. What a ridiculously dumb question, right? I'm not even sure I'm asking it right
|
# ? Aug 15, 2011 22:10 |
|
Martytoof posted:
> Is the whole NET-192-168-0-0 style of designation standard? I see it everywhere when I whois but I just realized I have no idea whether it's an actual "thing" or just something that people started using that has no set guidelines, etc. What a ridiculously dumb question, right? I'm not even sure I'm asking it right

I don't think it's formalized in any RFC I've read.
|
# ? Aug 15, 2011 22:21 |
|
Have you guys gleaned any sort of usage guidelines in your years of experience? Like right now I'm seeing NET-130-113-0-0-1 for my campus network, and that -1 is giving me the evil eye. Aside from the obvious stuff that I can guess, where you just staple NET- onto your network address.
|
# ? Aug 15, 2011 22:24 |
|
ragzilla posted:
> show int <interface> counters errors

    Port       Align-Err  FCS-Err  Xmit-Err  Rcv-Err  UnderSize  OutDiscards
    Gi1/16             0        0         0      889          0            0

    Port      Single-Col Multi-Col  Late-Col Excess-Col Carri-Sen     Runts    Giants
    Gi1/16             0         0         0          0         0         0         0

    Port       SQETest-Err Deferred-Tx IntMacTx-Err IntMacRx-Err Symbol-Err
    Gi1/16               0           0            0            0          0

I found this in reference to it, but I'm not really sure it pertains, since there's so little inbound traffic, the buffers shouldn't be filling up, obviously.
|
# ? Aug 15, 2011 23:08 |
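The counters in the two posts above (152 input errors with zero CRC, frame, overrun and ignored, and 889 Rcv-Err with zero FCS-Err and Align-Err) are exactly the pattern that separates a line-level fault from a receive-side drop, and that separation is easy to automate across a fleet of ports. The following is an added example, not a tool anyone in the thread used: it parses the `show interface` counter lines and the first table of `show interface <if> counters errors` (both embedded below as constructed samples modelled on the quoted output), subtracts the counters that IOS folds into "input errors" (runts, giants, no buffer, CRC, frame, overrun, ignored), and classifies what remains. A second constructed sample with CRC/FCS errors shows the physical-layer verdict for contrast. Port names and the verdict labels are the example's own.

```python
import re

# Counters that IOS folds into the "input errors" total; whatever is left over is an
# input error the line-level counters do not explain.
EXPLAINED_BY = ("runts", "giants", "no buffer", "CRC", "frame", "overrun", "ignored")
FIELDS = ("packets input", "input errors", "throttles") + EXPLAINED_BY

# Constructed sample, modelled on the 'show interface' lines quoted in the thread.
SHOW_INT_SAMPLE = """\
596050 packets input, 46578990 bytes, 0 no buffer
0 runts, 0 giants, 0 throttles
152 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
"""
# Constructed sample of the first table from 'show interface <if> counters errors'.
COUNTERS_ERRORS_SAMPLE = """\
Port       Align-Err  FCS-Err  Xmit-Err  Rcv-Err  UnderSize  OutDiscards
Gi1/16             0        0         0      889          0            0
"""
# Constructed contrast case: errors that the CRC/FCS counters do account for.
SHOW_INT_CRC_SAMPLE = """\
120000 packets input, 9000000 bytes, 0 no buffer
0 runts, 0 giants, 0 throttles
9 input errors, 9 CRC, 0 frame, 0 overrun, 0 ignored
"""
COUNTERS_ERRORS_CRC_SAMPLE = """\
Port       Align-Err  FCS-Err  Xmit-Err  Rcv-Err  UnderSize  OutDiscards
Gi1/17             0        9         0        9          0            0
"""

def parse_show_interface(text):
    """Pull the named integer counters out of 'show interface' output."""
    counters = {}
    for name in FIELDS:
        m = re.search(r"(\d+) " + re.escape(name) + r"\b", text)
        if m:
            counters[name] = int(m.group(1))
    return counters

def parse_counters_errors(text):
    """Parse one table of 'show interface counters errors' into {port: {column: value}}."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    table = {}
    for line in lines[1:]:
        cols = line.split()
        table[cols[0]] = dict(zip(header[1:], map(int, cols[1:])))
    return table

def diagnose(show_int, counters_errors, port):
    """Classify a port's input errors from the two command outputs."""
    c = parse_show_interface(show_int)
    e = parse_counters_errors(counters_errors)[port]
    total = c.get("input errors", 0)
    explained = sum(c.get(k, 0) for k in EXPLAINED_BY)
    physical = e.get("FCS-Err", 0) + e.get("Align-Err", 0) + e.get("Symbol-Err", 0)
    packets = c.get("packets input", 0)
    report = {
        "input_errors": total,
        "unexplained": total - explained,          # not attributed to any line-level counter
        "physical_layer_errors": physical,
        "rcv_err": e.get("Rcv-Err", 0),
        "error_ratio": (total / packets) if packets else 0.0,
    }
    if total == 0:
        report["verdict"] = "clean"
    elif physical:
        report["verdict"] = "physical"        # FCS/alignment/symbol errors: optics, fiber or port
    elif report["unexplained"] > 0 and report["rcv_err"] > 0:
        report["verdict"] = "receive-side"    # MAC counts Rcv-Err but the line is clean: look at buffers/flow control
    else:
        report["verdict"] = "mixed"
    return report

if __name__ == "__main__":
    print(diagnose(SHOW_INT_SAMPLE, COUNTERS_ERRORS_SAMPLE, "Gi1/16"))
    print(diagnose(SHOW_INT_CRC_SAMPLE, COUNTERS_ERRORS_CRC_SAMPLE, "Gi1/17"))
```

The useful output is the `unexplained` figure: when it equals `input_errors` and the FCS/alignment columns are zero, the port is not seeing bad frames on the wire, which is the point being made in the thread before the discussion turns to shared buffers and flow control.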
|
Martytoof posted:
> NET-130-113-0-0-1
|
# ? Aug 15, 2011 23:52 |
|
Panthrax posted:
> Port Align-Err FCS-Err Xmit-Err Rcv-Err UnderSize OutDiscards

Flow control enabled and working? Depending on the card you're probably using shared buffers, so it could be another port on the ASIC group chewing up buffers (especially if you're going 1GbE->100MbE). 'show int <interface> capabilities' to see the ASIC group, iirc.
|
# ? Aug 16, 2011 01:38 |
|
ragzilla posted:
> Flow control enabled and working? Depending on the card you're probably using shared buffers, so it could be another port on the ASIC group chewing up buffers (especially if you're going 1GbE->100MbE).

Here's the capabilities output:

    GigabitEthernet1/16
      Dot1x:                 yes
      Model:                 WS-X6724-SFP
      Type:                  1000BaseSX
      Speed:                 1000
      Duplex:                full
      Trunk encap. type:     802.1Q,ISL
      Trunk mode:            on,off,desirable,nonegotiate
      Channel:               yes
      Broadcast suppression: percentage(0-100)
      Flowcontrol:           rx-(off,on,desired),tx-(off,on,desired)
      Membership:            static
      Fast Start:            yes
      QOS scheduling:        rx-(1q8t), tx-(1p3q8t)
      CoS rewrite:           yes
      ToS rewrite:           yes
      Inline power:          no
      SPAN:                  source/destination
      UDLD                   yes
      Link Debounce:         yes
      Link Debounce Time:    yes
      Ports on ASIC:         13-24
      Port-Security:         yes
|
# ? Aug 16, 2011 16:00 |
|
Here's something interesting. Finally got the replacement 48 port 3750s in production. Everything is running better than previously. Good. However, whenever logging in via radius or local credentials, the CPU spikes to 80 - 100%. The other switches on the domain only jump to 20% or so when logging in. The switch hit 100mbps+ earlier and the CPU was more than stable. Thoughts?
|
# ? Aug 16, 2011 17:28 |
|
Zuhzuhzombie!! posted:
> Here's something interesting. Finally got the replacement 48 port 3750s in production. Everything is running better than previously. Good.

Do this:

    TRB-TT8N-A-SW4506#sh proc cpu sort
    CPU utilization for five seconds: 17%/0%; one minute: 16%; five minutes: 16%
     PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
      27 33617339444059290755          0 10.07% 10.01% 10.12%   0 Cat4k Mgmt HiPri
      28  2187111912  11223403     194876  2.55%  3.72%  4.10%   0 Cat4k Mgmt LoPri
      41  1469365084 886583619       1657  1.67%  1.39%  1.37%   0 Spanning Tree
       5   150560424  23127386       6510  1.19%  0.15%  0.07%   0 Check heaps
      96         112        85       1317  0.63%  0.12%  0.02%   3 Virtual Exec

See which process is the hog.
|
# ? Aug 16, 2011 18:13 |
|
Not exactly sure how to read the output, but I got: code:
|
# ? Aug 16, 2011 20:24 |
|
What's weird is that if I immediately login and do a show proc cpu his I'm showing 100% and logging in is slightly laggy. If I do show proc cpu sort SSH has hit up to 7.5%, but according to that there aren't enough processes running to cause a jump to 100%.

EDIT: Finally got usable output. code:

Did the same on another switch and it only jumped to 20%.

Zuhzuhzombie!! fucked around with this message at 20:56 on Aug 16, 2011 |
# ? Aug 16, 2011 20:41 |
|
Zuhzuhzombie!! posted:
> What's weird is that if I immediately login and do a show proc cpu his I'm showing 100% and logging in is slightly laggy.

Well it's clearly the SSH process that is screwing up, so follow-ups:
1) Are they on the same code rev?
2) Generate another SSH cert: 'crypto key generate rsa mod 1024'
3) Try and see if it matters when using say putty vs securecrt. They handle SSH in different fashions (1.99 vs SSH2). This is usually limited to super old switches with old implementations of SSH daemons though.
|
# ? Aug 16, 2011 20:59 |
|
So far same with Putty. Will regen keys now.

EDIT: Regen'd keys at 1024 and tried with putty as well. Still jumped into the 70%. Now, the only other difference between these two 3750s and the ones we're testing against is that the ones we're seeing spikes on are running ipservicesk9-mz.122-58.SE1.bin whereas the other switches are running ipbasek9-mz.122-58.SE1.bin. However, we have two switches also trunked to the master switch (the one causing problems) that are running ipservices and experience no issues.

Zuhzuhzombie!! fucked around with this message at 21:15 on Aug 16, 2011 |
# ? Aug 16, 2011 21:05 |
|
Zuhzuhzombie!! posted:
> So far same with Putty. Will regen keys now.

Scanned the Cisco bug list for known bugs and didn't find any related to SSH for that code rev. File a TAC case or go to a different code version and roll the dice.
|
# ? Aug 16, 2011 21:17 |
|
Yeah. Just submitted to TAC. New 3750's aren't registered under our warranty or whatever it's called so I had to "escalate" it. Hope that doesn't get to them cause me grief.
|
# ? Aug 16, 2011 21:23 |
|
Debugging ip ssh shows this switch receiving multiple times as many packets as other switches when creating an ssh connection.
|
# ? Aug 16, 2011 22:32 |
|
Zuhzuhzombie!! posted:
> Yeah. Just submitted to TAC. New 3750's aren't registered under our warranty or whatever it's called so I had to "escalate" it. Hope that doesn't get to them cause me grief.

It just means that the Entitlement team needs to get involved for a bit to verify that you're clear - and then the case bounces back to the LAN Switching team, which handles it normally. No need for worry.
|
# ? Aug 17, 2011 00:06 |
|
I tried renewing support for all our Cisco equipment this month and Cisco comes back and says that about 15 of our devices "are not in the system at all". As in they have ZERO clue what the serial number corresponds to for a product. How does that happen? How do you ship/sell an item with a serial that isn't even in your system to assign to a contract number.
|
# ? Aug 17, 2011 00:20 |
|
Chinese knockoffs?
|
# ? Aug 17, 2011 00:40 |
|
falz posted:
> Chinese knockoffs?

I highly doubt it. The majority of the devices were the Embedded Cisco (CBS-3032) with the Dell M1000E chassis. The other big surprise was the serial number for a 4510R-E. Being government, we have to buy from approved resellers, etc etc but it's not *impossible*.
|
# ? Aug 17, 2011 00:42 |
|
routenull0 posted:
> I highly doubt it. The majority of the devices were the Embedded Cisco (CBS-3032) with the Dell M1000E chassis. The other big surprise was the serial number for a 4510R-E.

Whoa, 3032's? Get rid of that poo poo post haste. We finally swapped all of our old 3032's out with 4948E's and now rather than having literally millions of discards a day, we have 10's now. It kind of sucks for cable management (48 copper instead of 4 fibers), but meh, you typically only cable it up once.
|
# ? Aug 17, 2011 01:43 |
|
|
Powercrazy posted:
> Whoa, 3032's? Get rid of that poo poo post haste. We finally swapped all of our old 3032's out with 4948E's and now rather than having literally millions of discards a day, we have 10's now.

3032s are the embedded switches for the chassis; the only current upgrade option is the 3130X. They aren't standalones like a 4948.
|
# ? Aug 17, 2011 01:59 |