Panthrax
Jul 12, 2001
I'm gonna hit you until candy comes out.
Anyone need some old ONS cards?

12x DS3XM6
5x XC
4x TCC

Note these are original TCC and XC, not TCCP or TCC2P or XC10g or anything like that.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer
ok i just got my nexus 5k switches in today, one is racked, the second is going live tomorrow.

Can you point me in the direction of a good nx-os vs ios resource, and also a good resource on VRFs specifically as they relate to management interfaces? We've never made use of our out of band management interfaces but I think I want to start with this switch and server refresh.

captaingimpy
Aug 3, 2004

I luv me some pirate booty, and I'm not talkin' about the gold!
Fun Shoe

adorai posted:

ok i just got my nexus 5k switches in today, one is racked, the second is going live tomorrow.

Can you point me in the direction of a good nx-os vs ios resource, and also a good resource on VRFs specifically as they relate to management interfaces? We've never made use of our out of band management interfaces but I think I want to start with this switch and server refresh.

http://docwiki.cisco.com/wiki/Cisco_Nexus_7000_NX-OS/IOS_Comparison_Tech_Notes

Very handy reference.

Partycat
Oct 25, 2004

With the SG series devices ...

It is clear they're not 100% IOS replicated, but it's not really all that bad to use. The macro/antimacro smart ports have thrown me for a loop.

Is there a way to return an interface to its default configuration? "Default" isn't present in the command set, at least on 1.1.2.0 , which makes macros for technicians to configure port scenarios not very practical. Understandably, if you know how to use IOS this isn't a problem, but we have people that do not.

Xenomorph
Jun 13, 2001
I wasn't sure where to put this, as I didn't see an "enterprise" networking thread. How bad is it to have a huge subnet?

We currently have four subnets, each with its own DHCP and DNS forwarder. It was slowly built and added to over 10 years.
It gets annoying sometimes when a Windows system only shows 20 computers or so that are on its subnet, or I have to remember which ".225" system I'm working on.

We're probably using way less than 400 IPs, but things were split so each building had its own subnet, printers were on their own subnet, etc. The buildings are all physically next to each other.

I figured "hey, lets simplify this." How about 1 subnet?

Something like 172.10.100.0/22, so 1,022 hosts.

Would this cause a lot of problems? Would network browsing/discovery be slowed tremendously?

I figured buildings could be separated by IP still (172.10.100.x for one, 172.10.101.x for another), but they'd still be on the same subnet and Windows would show all systems.

ate shit on live tv
Feb 15, 2004

by Azathoth
You don't want to do that for a variety of reasons, the number of hosts isn't one of them however.

Typically you want to keep layer 2 local. This means you don't want to have a layer 2 link that goes across campus or whatever.

Subnets are your friend and provide a lot of other benefits that you may not notice.

As for why windows can't see all the computers, I'm not really sure, is your domain setup correctly? Because in theory all windows hosts should be able to "see" each other, but I'm not super familiar with how windows networking discovers resources. I suspect that if you answer that question, you'll be able to solve your problem.

Pantology
Jan 16, 2006

Dinosaur Gum

Xenomorph posted:

It gets annoying sometimes when a Windows system only shows 20 computers or so that are on its subnet, or I have to remember which ".225" system I'm working on.

A great way to avoid having to remember which IP address goes to which device is to use DNS and predictable host names.

What are you doing that you need to be double-clicking Network and browsing for resources? If you really, really need to see every device there, you could build a WINS server. But there's probably a better way to do what you're trying to do.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR
Head scratcher:

If I were to run iPerf from my desktop at work to the public iPerf server, I can get great speed. Some customers, however, can not. They can only flood their entire bandwidth if they do multiple TCP windows.

Any idea what might cause that?

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

Zuhzuhzombie!! posted:

Head scratcher:

If I were to run iPerf from my desktop at work to the public iPerf server, I can get great speed. Some customers, however, can not. They can only flood their entire bandwidth if they do multiple TCP windows.

Any idea what might cause that?

Welcome to TCP sliding window. Have them try it with UDP using the -P option and specify several streams.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k

Xenomorph posted:

:words:

Letting layer 2 leave local is a bad idea. Quick example: if you have two buildings connected by a 100Mb link and a faulty NIC on a gigabit server starts broadcasting at its max, you're going to fill that 100Mb pipe and any other layer 2 connected port also and kill your connection; at least if it's local you will not lose as much functionality.

Xenomorph
Jun 13, 2001

Sepist posted:

Letting layer 2 leave local is a bad idea. Quick example: if you have two buildings connected by a 100Mb link and a faulty NIC on a gigabit server starts broadcasting at its max, you're going to fill that 100Mb pipe and any other layer 2 connected port also and kill your connection; at least if it's local you will not lose as much functionality.

Our VLANs already span buildings, and have done so without issue for a decade. That wasn't going to change. There is zero physical difference between our switches connected to each other down the hall or two buildings over. The buildings are all physically adjacent and every switch has the same fiber connecting them to each other (well, one has 10 Gb/s when the others are 1 Gb/s).

I was just wondering about the pros/cons of having 254 hosts on a subnet versus having 1022 hosts.

I don't want multiple subnets - especially since we pay for some of the subnets. Half our subnets are public IP addresses, and we pay for a bunch of IPv4 addresses we don't need. Instead of just creating more subnets (with private IPs to move users to), I wanted to expand an existing subnet and consolidate all other private subnets into one.

SamDabbers
May 26, 2003
Having lots (hundreds) of hosts on a single subnet produces excessive broadcast traffic, which has to be propagated to every single machine on that VLAN. If your VLAN spans several buildings...think about it.

A school I worked with had a similar setup; 3 buildings on one big VLAN (10.0.0.0/8), with 100Mbps wireless links between the buildings. Each building had a separate Internet connection and firewall, and they directed traffic by setting the appropriate default gateway.

That network CRAWLED. They couldn't even get full speed out of a 20Mbps cable modem at any given site. Luckily, the sole IT guy had the foresight to number all the machines at each site with the same second octet (e.g. 10.5.0.0, 10.6.0.0, etc) so it was fairly simple to expand the subnet mask to a /16 for each building and make the firewalls route inter-building traffic. Network performance dramatically improved, especially for inter-building transfers.

Word to the wise: bring in an expert to reorganize your network. You shouldn't need to pay for public addresses for machines that aren't running a public service, and judicious use of subnetting, routing, and even NAT will likely improve both performance and reliability, and make it easier to troubleshoot when something goes sideways.

Nitr0
Aug 17, 2005

IT'S FREE REAL ESTATE

Xenomorph posted:

Our VLANs already span buildings, and have done so without issue for a decade. That wasn't going to change. There is zero physical difference between our switches connected to each other down the hall or two buildings over. The buildings are all physically adjacent and every switch has the same fiber connecting them to each other (well, one has 10 Gb/s when the others are 1 Gb/s).

I was just wondering about the pros/cons of having 254 hosts on a subnet versus having 1022 hosts.

I don't want multiple subnets - especially since we pay for some of the subnets. Half our subnets are public IP addresses, and we pay for a bunch of IPv4 addresses we don't need. Instead of just creating more subnets (with private IPs to move users to), I wanted to expand an existing subnet and consolidate all other private subnets into one.

You really need to take a proper network design course.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR

routenull0 posted:

Welcome to TCP sliding window. Have them try it with UDP using the -P option and specify several streams

Basically, every now and then we'll get a customer complaining about "slowness". So we'll open up our speed test server to them off our core and they'll get whatever mbit they are paying for.

Then they'll speedtest to speakeasy, speedtest.net or what have you and they'll only get 20mbit or something and complain.

If I hit speedtest.net or speakeasy or whatever from internal I can get 100mbit, great speeds, etc.

iPerf is usually my way of showing customers that the bandwidth is there.

Except for when iPerf does the above and throws me under the bus.


Will try UDP and manual bandwidth setting tonight. Thanks for the heads up!

jwh
Jun 12, 2002

Nitr0 posted:

You really need to take a proper network design course.

Ouch.

Sometimes you inherit things that aren't easy to change.

Xenomorph
Jun 13, 2001
So I'm guessing I should actually *increase* the number of subnets, putting each building on its own subnet & VLAN.

The setup when I got here was one DHCP server per VLAN & subnet, and we've just been adding more DHCP servers as subnets were added. I'm going to work on having a single DHCP server handle all the private subnets (I was reading about the "ip helper-address" setting for our switches to forward DHCP requests).

And yes, I'll look into network design classes. I've had 20 weeks of Cisco classes, although I don't think we ever went into VLANs and splitting up big networks. I had to fix the NAT setup when I started my job. Only a few printers were on the private VLAN, as the previous guy couldn't figure out how to route data to the Internet (that's why we had purchased so many public IPs!!!).

Jelmylicious
Dec 6, 2007
Buy Dr. Quack's miracle juice! Now with patented H-twenty!

Xenomorph posted:

Only a few printers were on the private VLAN, as the previous guy couldn't figure out how to route data to the Internet (that's why we had purchased so many public IPs!!!).

Wow, just wow! If you are interested in networking though, this might be the perfect learning environment for you. See a lot of things going wrong and getting your hands dirty to fix them is a good teaching environment. Make a few adjustments that improve performance or stability and you can probably convince your managers to sink time and money into this.

some kinda jackal
Feb 25, 2003
My campus is the same state of confusion. Every address in our entire university is publicly routable, but firewalled thankfully. I've tried to figure out our subnets before but it's a mess. I have a jack that will serve both the x.x.172.0/24 AND the x.x.174.0/24 subnet, but the instructions from University Computer Svcs is that everything MUST have a /24 subnet mask. So we have (at least) two gateways on this network that are dumping two networks onto the same wire, and there are networks like this all over campus. EVERYTHING is a publicly routed IP address. Printer? Computer? Server? Doesn't make a difference. We own a /16 so this isn't a big deal I guess, but you can probably EASILY address the computers that NEED off-campus access into a /22.

I gather that a lot of it is grandfathering in old machines and terrible decisions from when the campus was first wired, but at some point you have to just face the music and do a sane re-ordering of your assets.

I work with the research supercomputing datacenter downstairs and at least their system is sensibly laid out. I shook my head with them a few times talking about the state of the campus network, but meh.

Ninja Rope
Oct 22, 2005

Wee.

Martytoof posted:

I gather that a lot of it is grandfathering in old machines and terrible decisions from when the campus was first wired, but at some point you have to just face the music and do a sane re-ordering of your assets.

Or just do it right and switch to IPv6. :smug:

aksuur
Nov 9, 2003

Martytoof posted:

Unless you have ears :q:
Take the fan out :q:

some kinda jackal
Feb 25, 2003

aksuur posted:

Take the fan out :q:

I don't know exactly how much heat that bad boy puts out but that seems like an iffy idea :(

Though for real, I hated every second of having that CCNA stack next to my desk. If I could replace those tiny rear end fans with something else I probably would have.

I guess if I really cared I could have added in a resistor or two to stop those things from spinning so fast. Still pump air but not a huge datacenter-esque torrent.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR

routenull0 posted:

Welcome to TCP sliding window. Have them try it with UDP using the -P option and specify several streams

Could you elaborate on sliding window and how it applies? I'm reading up on it but haven't really grasped it just yet. Is it an issue with packet loss/time out between ACK?

Is there a way to alleviate this?

We're not getting any errors on the interface. The host switch/interface is a gig but is negotiated down to 100mb, which is the core dedicated interface.

The setup is core router, dedicated interface for customer to a host 3750. Each customer interface is a switchport with its own VLAN, and that VLAN is allowed out a trunk to the transport ring.

Would this be a fix on my end or customers end?

Would checking MTU sizes help?

inignot
Sep 1, 2003

WWBCD?
TCP sessions send some amount of data before waiting for an acknowledgement that it was received. That amount of data is the window. The max window size isn't very large, 65K or something like that. At high speeds, this having to stop transmitting and wait for an ack becomes the throughput limiter on a TCP session.

There is a newer TCP option to increase that window size much larger, which yields greater throughput to a single TCP session. I think it was implemented as an option that has to be turned on in the registry in Windows XP. I think it's on by default in Vista and Windows 7. Both ends of the TCP session need to support this option for it to work. Not sure which versions of Linux / BSD / Mac OS this is on by default in.

https://en.wikipedia.org/wiki/TCP_window_scale_option

abigserve
Sep 13, 2009

this is a better avatar than what I had before

Ninja Rope posted:

Or just do it right and switch to IPv6. :smug:

I like IPv6 because it's the easiest way to make a vendor sweat when they are talking to you about a new product.

"We have a full routing feature-set, including-"
"Does it do OSPFv3?"
"yes, you bet it does OSPF, BGP, IS-IS..."
"No no, v3. Version 3. IPv6 OSPF?"
"uh um well it is road-mapped and uh we will uh have that feature uh in the future did we mention our management suite?"

some kinda jackal
Feb 25, 2003

Ninja Rope posted:

Or just do it right and switch to IPv6. :smug:

I look forward to upgrading all the dumb little utility Windows 2000 machines running experiments to IPv6 :stonk:

Ninja Rope
Oct 22, 2005

Wee.
inignot is correct, but there's more to it. Most operating systems now enable receive window scaling by default, which allows a vastly larger receive window, though you may still have to tune this. Selective ACK becomes very important the larger the window grows, and should be enabled if it's not. Without SACK, a single lost packet could lead to a large amount of needlessly retransmitted data.

A bigger problem is how TCP handles congestion control, with older algorithms having poor bandwidth utilization. Without boring everyone with details the Wikipedia page has, in short a small amount of packet loss or latency can have a huge effect on overall bandwidth due to how some operating systems handle congestion control. Different algorithms control how much bandwidth is allowed in-flight (known as the congestion window, which is different from and <= the receive window), and how that window changes size when a packet is lost.

Some good steps to start tuning are to increase TCP buffers (and possibly socket buffers), enable window scaling, enable selective acks, enable tcp timestamps, and switch to BIC or CUBIC as a congestion control algorithm. If you've done all of this and you're still having problems, check some tcpdumps and make sure a stupid network device isn't stripping the TCP options (especially window scaling).

Edit: And I completely forgot the initial congestion window, which should probably be set to 10, though this won't help much for long-ish connections.

Ninja Rope fucked around with this message at 06:50 on Apr 27, 2012
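Added example (not from the thread) tying inignot's window explanation and Ninja Rope's advice about stripped TCP options together: it parses the options field of a SYN, reports which of window scaling / SACK / timestamps are absent, and works out the usable receive window and the single-stream throughput ceiling at a given RTT. The two option byte strings are constructed by hand to mimic a typical SYN, not captured traffic.

```python
"""Parse TCP SYN options and relate the advertised window to achievable
throughput.  Added example, not code from the thread; the option byte
strings below are constructed by hand, not captured traffic."""
import struct

# TCP option kinds (RFC 793, RFC 2018, RFC 7323)
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_OK, OPT_TIMESTAMP = 0, 1, 2, 3, 4, 8


def parse_tcp_options(raw: bytes) -> dict:
    """Walk the TCP options field of a segment and return the options seen.

    Keyed by option kind: MSS -> int, window scale -> shift count,
    SACK-permitted -> True, timestamps -> (tsval, tsecr), anything else ->
    raw payload bytes.  Malformed lengths raise ValueError.
    """
    opts = {}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:          # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option kind %d truncated (no length byte)" % kind)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        body = raw[i + 2:i + length]
        if kind == OPT_MSS and length == 4:
            opts[kind] = struct.unpack("!H", body)[0]
        elif kind == OPT_WSCALE and length == 3:
            opts[kind] = min(body[0], 14)   # RFC 7323 caps the shift at 14
        elif kind == OPT_SACK_OK and length == 2:
            opts[kind] = True
        elif kind == OPT_TIMESTAMP and length == 10:
            opts[kind] = struct.unpack("!II", body)
        else:
            opts[kind] = body
        i += length
    return opts


def effective_window(advertised: int, opts: dict) -> int:
    """Receive window in bytes once the negotiated scale factor is applied."""
    return advertised << opts.get(OPT_WSCALE, 0)


def max_throughput_bps(window_bytes: int, rtt_seconds: float) -> float:
    """Ceiling for one TCP session: at most one window per round trip."""
    return window_bytes * 8 / rtt_seconds


def missing_options(opts: dict) -> list:
    """Names of the options a middlebox may have stripped from the SYN."""
    wanted = {OPT_WSCALE: "window scaling", OPT_SACK_OK: "SACK",
              OPT_TIMESTAMP: "timestamps"}
    return [name for kind, name in wanted.items() if kind not in opts]


# Constructed SYN options: MSS 1460, SACK-permitted, timestamps, NOP, WS=7
SYN_OPTS_FULL = bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030307")
# The same SYN after a middlebox replaced the window scale option with NOPs
SYN_OPTS_STRIPPED = bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "010101")

if __name__ == "__main__":
    for label, blob in (("full", SYN_OPTS_FULL), ("stripped", SYN_OPTS_STRIPPED)):
        o = parse_tcp_options(blob)
        win = effective_window(65535, o)
        print("%s: window=%d bytes, ceiling at 80 ms RTT=%.1f Mbit/s, missing=%s"
              % (label, win, max_throughput_bps(win, 0.080) / 1e6, missing_options(o)))
```

With the scale option stripped, a 65535-byte window at 80 ms RTT caps a single stream near 6.5 Mbit/s, which is the "only multiple streams fill the pipe" symptom described above.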

CrazyLittle
Sep 11, 2001
Clapping Larry

Martytoof posted:

I look forward to upgrading all the dumb little utility Windows 2000 machines running experiments to IPv6 :stonk:

just use 4to6... ermmmm

Langolas
Feb 12, 2011

My mustache makes me sexy, not the hat

Anybody got a best practice for MTU size on SSL vpn clients? I have them on default but I may want to tweak it for a disconnect problem I've been having on my clients

Tremblay
Oct 8, 2002
More dog whistles than a Petco

jwh posted:

Ouch.

Sometimes you inherit things that aren't easy to change.

I just did a rebuild for a customer and didn't have a choice. They couldn't accept the downtime to re-ip everything and in some cases rebuild whole system suites. loving sucks having my name attached to it.

ate shit on live tv
Feb 15, 2004

by Azathoth

Langolas posted:

Anybody got a best practice for MTU size on SSL vpn clients? I have them on default but I may want to tweak it for a disconnect problem I've been having on my clients

The main concern for MTU size is fragmentation, since each fragment would have to be encrypted individually. Oversized packets can essentially double your PPS, causing higher cpu utilization.

To be safe just change the MTU to like 1400, if you want to verify, do a test ping from the source to the destination with the "do not fragment" flag set.

Langolas
Feb 12, 2011

My mustache makes me sexy, not the hat

Powercrazy posted:

The main concern for MTU size is fragmentation, since each fragment would have to be encrypted individually. Oversized packets can essentially double your PPS, causing higher cpu utilization.

To be safe just change the MTU to like 1400, if you want to verify, do a test ping from the source to the destination with the "do not fragment" flag set.

Awesome, I'll do that. Thanks!

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR

quote:

75 15870903 2637477 6017 3.51% 3.43% 3.40% 0 RedEarth Tx Mana
74 8002156 4216620 1897 1.59% 1.71% 1.72% 0 RedEarth I2C dri


CEF is turned on.

Dunno what this is and Google says it's related to CEF.

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

Zuhzuhzombie!! posted:

CEF is turned on.

Dunno what this is and Google says it's related to CEF.

It's using less than 5% of the CPU... you are concerned because?

ate shit on live tv
Feb 15, 2004

by Azathoth

Zuhzuhzombie!! posted:

CEF is turned on.

Dunno what this is and Google says it's related to CEF.

Also you should post what platform that is, though I suspect it is an ISR, but it may be a Nexus. I know I've seen those processes before.

In any case it doesn't matter, 5% CPU is fine.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR

routenull0 posted:

It's using less than 5% of the CPU... you are concerned because?

I think it's using more than 5% sometimes, because show proc cpu his shows the graph at 90% sometimes. Then I immediately do a sort, and at the top were those two.

I had a previous problem where SSH would peg out the CPU but whenever I did a sort SSH would be at the top, but only using 1%. Wasn't sure if this was a similar situation.


This is a 3750e.

Partycat
Oct 25, 2004

That, a HULC, and the LED process will eat some CPU, and I recall reading articles saying there was a software version where that was or may have been more CPU than it needed to grab on the 3750 platform, but, it wasn't concerning.

It's hard to narrow down 90% CPU but, I found the CPU will do that if it's dealing with any sort of forwarding loop or heavy storm control. It will also spike to near 100% if it is rebuilding the running configuration in the background, as if you exit global configuration or write memory.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR
Well, I regen'd the RSA keys and haven't seen it happen since then so maybe a fluke. I was also mucking around with radius keys and eigrp around the same time.

ruro
Apr 30, 2003

I wouldn't worry about brief CPU spikes; the CPU is there to be used, after all. If it were sustained then I'd investigate.

Mierdaan
Sep 14, 2004

Pillbug
Babby's first branch office.

Looks like we'll be occupying a building off our campus for the first time. We already have an overseas location with a P2P VPN, so that's certainly an option, but there's also L2 P2P metro ethernet through someone like Comcast, or the whole world of MPLS that I know nothing about. We're talking a smaller building, probably 50 users with light data requirements and a corresponding number of VoIP phones. A 10Mbit connection would probably be fine. Can someone give me some brief pros/cons of the different methods of doing this?

jwh
Jun 12, 2002

If IP telephony is a requirement, you may want a network that provides better guaranteed forwarding for the real-time data, so that would (to me) rule out p2p vpn over commodity broadband.

I think a better option would be ethernet and MPLS, though it will be more (perhaps substantially) expensive.

Metro ethernet from Comcast might be an option, but make sure they provide information about quality of service.
