|
Humm, weird. Both my interconnects are 12.2-something, running transparent. I'll have to check next time I'm consoled in.
|
# ? Feb 25, 2012 22:01 |
|
Martytoof posted: I've always wondered why VLAN info wasn't in the running/startup config. Have to assume it's just backwards compatibility, but I dunno.

I assume you are talking about 6500 switches, in which case VLAN info is most assuredly in the running/startup config.
|
# ? Feb 25, 2012 22:12 |
|
Oh, no, I'm running Cisco GESM interconnects in an HP P-Class blade enclosure. That's really the only Cisco equipment I have my hands on on a regular basis these days.
|
# ? Feb 25, 2012 22:15 |
|
Let's assume I want a 50mbit circuit. 50mbit = 52428800bits. So to find the ideal burst rate I would: Burst = (52428800 * 0.00025) = 13107. So in a policy map, my rate/CIR/bandwidth should be defined as 52428800 and the burst should be 13100 if I round down?

code:
policy-map kyletest
 class class-default
  police rate 52428800 bps burst 13100 bytes
   conform-action transmit
   exceed-action drop

Does this look applicable?
|
# ? Feb 27, 2012 17:43 |
|
Go find the policing bc be calculator out there. It takes the guesswork out of it.
|
# ? Feb 27, 2012 17:56 |
|
I didn't even think to look for that! I'll have to find it.
|
# ? Feb 27, 2012 20:07 |
|
Here's hopefully a simple question. Customer is having latency between two VLANs, DB subnet and Web server subnet. Both VLANs are on a 2960G but their gateways are on an ASA with 100Mb connections to the gig switch. Looking at a "sh int summ" I see a poo poo ton of output queue drops on the two interfaces that plug into the ASA.

I already bumped the output queue hold time up to 4096 and it didn't do jack poo poo. Is it safe to say my only two options at this point are to put this switch into layer 3 and enable CEF or upgrade the 5510's to gigabit?

edit: Also I have done 'show controller utilization' during peak times and the ASA uplinks do sometimes hit 100% utilization.

Sepist fucked around with this message at 05:00 on Feb 29, 2012 |
# ? Feb 29, 2012 04:57 |
|
You aren't going to get layer 3 on a 2960 and output drops are from congestion. I assume you are getting a lot more traffic than your 100meg pipe can handle. Get rid of, or upgrade the ASA if you can, a 5510 is pretty slow and more for a ranch type office, not a fully blown datacenter.
|
# ? Feb 29, 2012 08:53 |
|
Ahhh F I totally forgot the 2960's don't support IPbase, this is going to be a lovely conference call this morning - thanks for reminding me before I looked like an idiot.
|
# ? Feb 29, 2012 13:59 |
|
Pretty sure that's a LAN closet grade switch for user access. Depending on the models you can have varying configurations of shared asics or shared output buffers between ports. If you plug a bunch of high traffic servers into a switch like that you'll get poor performance. I ran into something similar with a 6509 that had servers plugged into closet grade blades.
|
# ? Feb 29, 2012 18:38 |
|
Anyone have experience setting up priority queueing on an older Cisco 2500 series router? I am having voice quality issues on a T1 which has been identified as network congestion. We have 2 sites, a distribution center and a general office. We have phone switches at both sites but lately one user at the DC has complained about voice quality issues. We reproduced the issue and know it's network congestion because whenever we attempt to saturate the T1 line on a particular machine at the DC, the quality of any phone call in the DC diminishes. We want to set up some type of QoS but we do not know all the ports associated with the voice traffic. I thought it would be best to do this with priority queueing and access lists by prioritizing phone switches over other traffic.

We're running 2 older Cisco 2501 routers on 12.0(5) IOS. Each router has an Ethernet and serial interface. The current running configuration on each router is pretty simple, setting up IP addresses on interfaces e0 and s0. We have 2 routes created and an access list to prevent certain hosts from getting outside. I have come up with some commands that might do what I'm looking for, but I don't have any kind of Cisco test environment so I can't test during production. For the router at the office site I have these additions (192.168.2.x represents the distribution center subnet):

code:
#allow any ip to phone switches on serial 0 out, for use in high queue
access-list phone permit any host 192.168.2.30
access-list phone permit any host 192.168.2.31
access-list phone permit any host 192.168.2.32
#allow any traffic, for use in normal queue
access-list all permit any any
#Create priority list
priority-list 1 protocol ip high list phone
priority-list 1 protocol ip normal list all
#select serial 0
interface s0
#Assigns newly created priority list 1 to interface s0
priority-group 1

However I'm not particularly familiar with Cisco configurations and I don't know that this would even work. Am I on the right track?
|
# ? Feb 29, 2012 18:56 |
|
Powercrazy posted: You aren't going to get layer 3 on a 2960 and output drops are from congestion.

Actually newer IOS releases for the 2960 do give you basic static layer 3 routing.

Cisco.com posted: This chapter describes how to configure IP Version 4 (IPv4) static IP unicast routing on the Catalyst 2960-S and 2960 switch. Static routing is supported only on switched virtual interfaces (SVIs) and not on physical interfaces. The switch does not support routing protocols.
|
# ? Feb 29, 2012 21:00 |
|
We just finished a network backbone upgrade. The new backbone consists of the following:

code:
[SERVER] ---> [SWITCH1] ===> [SWITCH2] ===> [SWITCH3] ---> [SERVER]

---> is a 1 gbps ethernet connection
===> is a 2 gbps ethernet connection of 2 1gbps ports aggregated together.

What's a good way to test if the backbone is actually capable of hitting 2gbps and that everything is working correctly? Copying a file from my computer (connected to switch 1) to a server connected to switch 3 is peaking at 85 MB/s and then settling to between 45 and 55 MB/s. Obviously that's nowhere close to even hitting the 1 gbps my computer's ethernet is theoretically capable of, but I have no way of knowing what the bottleneck is, or even what real world speeds I should be expecting.
|
# ? Feb 29, 2012 21:21 |
|
iPerf or jPerf.
|
# ? Feb 29, 2012 21:26 |
|
Frozen-Solid posted: Copying a file from my computer (connected to switch 1) to a server connected to switch 3 is peaking at 85 MB/s and then settling to between 45 and 55 MB/s.

Absent some optimization like window scaling, that's about what a single TCP session is going to max out at. You either need multiple concurrent transfers or some kind of traffic generation application as previously mentioned.
|
# ? Feb 29, 2012 21:32 |
|
tortilla_chip posted: iPerf
|
# ? Feb 29, 2012 21:55 |
|
iperf running on Linux at both ends. Follow these instructions for TCP tuning: http://fasterdata.es.net/fasterdata/host-tuning/ Run it with the option for parallel streams (4 is the sweet spot for some reason, maybe someone can elaborate). After that spits some (hopefully big) numbers at you, download and install bbcp, and try and use that to copy some real data. I've managed to run a mem to mem transfer at 980mbps using bbcp between two Red Hat VMs through a moderately sized backbone network. If you do these two things you can use these numbers to pretty much nullify anyone who complains about network performance.
|
# ? Mar 1, 2012 02:50 |
|
abigserve posted: Run it with the option for parallel streams (4 is the sweet spot for some reason, maybe someone can elaborate).

CEF (and port channels) typically load balance based on IP address/port tuples on platforms where it can. If the middle devices are only L2 capable, testing this would actually require multiple machines on each end. The Cisco Etherchannel tech note [1] covers it pretty comprehensively for switches. Technically with 2 links you should only need 2 streams, but that's hoping that the streams get balanced on different bundle members; going up to 4 or 8 gives you better odds of getting multiple streams going over each bundle member. If you're on 6500 check out [2] as it gives some commands for determining which link a flow will use, useful if you want to do UDP tests as you can generally tell iperf to use specific ports, then you'd just need 2 streams.

1: http://www.cisco.com/en/US/tech/tk389/tk213/technologies_tech_note09186a0080094714.shtml
2: http://www.cisco.com/en/US/products/ps9336/products_tech_note09186a0080a963a9.shtml#ec

ragzilla fucked around with this message at 13:48 on Mar 1, 2012 |
# ? Mar 1, 2012 13:43 |
|
inignot posted: Pretty sure that's a LAN closet grade switch for user access. Depending on the models you can have varying configurations of shared asics or shared output buffers between ports. If you plug a bunch of high traffic servers into a switch like that you'll get poor performance. I ran into something similar with a 6509 that had servers plugged into closet grade blades.

We have a lot of companies using 2960G's for cost reasons, but the customers who know they need to plan for enterprise grade traffic have the proper equipment. As an update, most of the congestion was caused by a faulty NIC on a server. There's still minor congestion but since it's no longer making the whole network fall over my "expert" advice is falling on deaf ears.
|
# ? Mar 1, 2012 19:23 |
|
ragzilla posted: CEF (and port channels) typically load balance based on IP address/port tuples on platforms where it can. If the middle devices are only L2 capable, testing this would actually require multiple machines on each end. The Cisco Etherchannel tech note [1] covers it pretty comprehensively for switches. Technically with 2 links you should only need 2 streams, but that's hoping that the streams get balanced on different bundle members; going up to 4 or 8 gives you better odds of getting multiple streams going over each bundle member.

Etherchannel load-balancing is based on an XOR operation between either the source and destination IP or the source and destination MAC address on most IOS switches. Because of this, you can have a million streams between the same two endpoints and they'll all go down the same link in a portchannel.
|
# ? Mar 1, 2012 23:56 |
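A small model of the src/dst XOR member selection described above, added here as an illustration and not code from the thread or from Cisco. It assumes the classic 8-bucket scheme (low 3 bits of the XOR spread across the bundle members); real ASIC behaviour varies by platform and configured load-balance mode. It shows why four iperf streams between one client and one server all land on the same member, while flows between different host pairs spread out.

```python
# Added example: model of EtherChannel src/dst XOR hashing (assumption:
# 8 buckets from the low 3 bits of the XOR, spread across member links).
import ipaddress
from collections import Counter

def _to_int(addr: str) -> int:
    """Accept either a dotted IPv4 address or a colon-separated MAC."""
    if ":" in addr:
        return int(addr.replace(":", ""), 16)
    return int(ipaddress.IPv4Address(addr))

def xor_hash(src: str, dst: str, bits: int = 3) -> int:
    """XOR source and destination, keep the low `bits` as the bucket."""
    return (_to_int(src) ^ _to_int(dst)) & ((1 << bits) - 1)

def member_for(bucket: int, links: int) -> int:
    """Bucket -> member link. bucket % links reproduces the usual 8-bucket
    spread (2 links: 4/4, 3 links: 3/3/2, 4 links: 2 each)."""
    return bucket % links

def distribute(flows, links: int = 2) -> dict:
    """Count how many (src, dst) flows hit each member of the bundle.
    Ports are deliberately absent: this hash never looks at them."""
    counts = Counter(member_for(xor_hash(s, d), links) for s, d in flows)
    return dict(counts)

# Constructed sample flows (not from the thread).
# Four parallel iperf streams between one client and one server:
SAME_PAIR = [("10.0.1.10", "10.0.3.20")] * 4
# Four clients on different hosts talking to the same server:
MULTI_HOST = [("10.0.1.%d" % h, "10.0.3.20") for h in (10, 11, 12, 13)]

if __name__ == "__main__":
    print("same pair, 2 links :", distribute(SAME_PAIR, 2))   # all on one link
    print("four hosts, 2 links:", distribute(MULTI_HOST, 2))  # spread 2/2
    print("four hosts, 4 links:", distribute(MULTI_HOST, 4))
```

Feed it the addresses of the test machines you actually have and you can tell in advance whether a parallel-stream iperf run can exercise more than one member of the bundle.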
|
So I've got myself in a rough position. I'm by no means a Cisco guy (haven't really dealt with much Cisco stuff since 2005 or so). I was sent out today to switch a Cisco PIX from one ISP to another. This is a fairly basic task, but something broke somewhere and I can't get back online with either connection. I changed the outside IP, removed the old gateway and added the new one, and then made sure the nat/global settings were good. After that didn't work, I checked out the web GUI and tried running the wizard that lets you put in your ISP info. This probably broke something because now I can't even revert to the old connection. I'd rather not paste the whole config here as it has some company specific stuff in it, but if anyone can help me out I'll gladly PM it to you or paste specific lines here...
|
# ? Mar 2, 2012 20:21 |
|
Did you do basic tests, say pinging across the /30 to the ISP? Also if you used the web GUI your entire config is probably hosed unless the PIX was initially set up with the GUI. Hopefully you have a backup of the original config?
|
# ? Mar 2, 2012 20:40 |
|
Knowing the person who set it up, I'm 99% positive it was set up with the GUI originally. I started with the CLI stuff first since I really don't trust the GUI. I can't ping out to the ISP's gateway. Unfortunately, since I'm a moron I don't have a backup of the config before making the changes this morning. I would have just reset it to defaults and started over but there's a few IPSEC tunnels that no one seems to know anything about, as well as client based VPN settings. Re-doing that stuff would be a little bit of a pain, unless there's an easy way to export it and re-import it.
|
# ? Mar 2, 2012 20:54 |
|
I can't really help you with the VPN stuff as I'm not super familiar with how the PIX handles those. As for your problem, I suspect that when you changed the outside interface address there are ACLs that are expecting a different outside address. Also make sure your default route is updated for the new ISP next hop, and of course that the existing default route is gone. From the CLI you can also use the packet-tracer command to see where the traffic is being blocked/dropped.
|
# ? Mar 2, 2012 22:06 |
|
Welp, we had to do a whole shitload of tweaking with ACLs and routes. On a whim I power cycled the cable modem after doing an arp clear and that at least let the router get out to the Internet. We then had to tweak the rules further to let LAN traffic out. Everything's golden now. Thanks for the input
|
# ? Mar 3, 2012 00:56 |
|
Quick Question: If I'm looking at interface counters on, say, a 6500, and I see 100 output drops and 10000 total packets output, do those total packets output include the dropped packets? So as a percentage, drops would account for 100/10000 = 1% of total traffic? Or is it something different?
|
# ? Mar 6, 2012 00:20 |
|
Powercrazy posted: Quick Question:

The total output won't count drops, since they never actually left (they were dropped).
|
# ? Mar 6, 2012 00:28 |
|
Well I assume that the packets would be counted before the output queue, whereas dropped packets would be counted when they were dropped. I could see it working either way. If your way is the case it throws my numbers off a bit.
|
# ? Mar 6, 2012 00:55 |
|
Output drops are difficult to diagnose because you have to figure out what is dropping them: it's either a higher intelligence function, such as SPD, or the queuing strategy, or the hardware itself. It's one of the most obnoxious parts of owning network gear, in my experience.
|
# ? Mar 6, 2012 03:37 |
|
Well in this case I know exactly what it is. We have multiple VLANs that have thousands of hosts in them being fed from multiple 10G sources being spanned to a single 1G port. The only thing I was trying to clarify is if the output drops number on the show interface screen should be added to the total output packets to get % packets dropped. And it looks like it should.
|
# ? Mar 6, 2012 04:46 |
|
mono posted: Welp, we had to do a whole shitload of tweaking with ACLs and routes. On a whim I power cycled the cable modem after doing an arp clear and that at least let the router get out to the Internet. We then had to tweak the rules further to let LAN traffic out. Everything's golden now. Thanks for the input

Not sure if it applies here but I think on 8.2x, at least, the implied policies are built dynamically on boot based on the existing IP address. So if you have:

code:
ssh 192.168.67.25 255.255.255.255 outside

and change your outside interface IP, those entries will either need to be removed and re-added or just reboot the device.
|
# ? Mar 6, 2012 05:47 |
|
Has Cisco done away with all of the access switches with the old fat GBIC uplink slots? All I'm seeing are SFP uplink ports.
|
# ? Mar 6, 2012 16:33 |
|
Yeah 1G optics are all SFPs these days. 10G is another story.
|
# ? Mar 6, 2012 16:44 |
|
Ok, thanks. Goodnight sweet big boned GBICs.
|
# ? Mar 6, 2012 17:01 |
|
There have been so many 10G "standards" over the years just in Cisco land, not to mention everywhere else. XFPs, SFP+, Xenpak, X2's, not to mention the various "colors" of wavelength as well as PoS, Ethernet, or pure Sonet.
|
# ? Mar 6, 2012 17:04 |
|
My favorite 10G product moment with Cisco thus far has been the ASR9001. SFP+ on the built-in ports... and XFP for the modular cards.
|
# ? Mar 6, 2012 17:25 |
|
Currently we don't have much in the way of ACLs to silo VLANs from each other. Does Cisco have any sort of centralized way to control ACLs for VLANs over multiple devices? Being able to create ACL roles for various VLANs and have that automatically propagate out to our switches would be lovely.
|
# ? Mar 6, 2012 17:50 |
|
tortilla_chip posted: My favorite 10G product moment with Cisco thus far has been the ASR9001. SFP+ on the built-in ports... and XFP for the modular cards

I thought Cisco had standardized SFP+ across the board. Guess not.
|
# ? Mar 6, 2012 19:02 |
|
Boner Buffet posted: Currently we don't have much in the way of ACLs to silo VLANs from each other. Does Cisco have any sort of centralized way to control ACLs for VLANs over multiple devices? Being able to create ACL roles for various VLANs and have that automatically propagate out to our switches would be lovely.

Mayhap you should purchase a firewall?
|
# ? Mar 6, 2012 21:25 |
|
MTU question. What would happen if we have a storage network (NFS/iSCSI traffic) with jumbo frames enabled on only some interfaces? E.g. on the switches, but not the filers/servers? I'm assuming this is a terrible idea and everything should be switched over at once (or set up that way in the first place, of course...)
|
# ? Mar 6, 2012 21:55 |