|
ASA question: Other then a static route, do I need a ACL to allow internet access in the setup below? I have a 5515-x (8.6.2) and a HP 5604zl. I have ip routing enabled on the HP, I can ping between the vlans- all of that works. My problem is I can not get internet on any of the vlans. I have my ip route configured on the HP and a static route configured on the ASA. I do not have any ACL's configured and I have seen it mentioned that there needs to be. Thanks!
|
#
?
Sep 21, 2012 01:30
|
|
|
|
| # ? May 30, 2024 10:41 |
|
|
Erwin posted:Okay, another dumb question, but I want to confirm my understanding coming from the Procurve world: Like ragzilla said, the "switchport voice vlan 10" will accept tagged traffic intended for vlan 10. This allows you to use the auto-qos command, and traffic going over the voice vlan will be given higher priority. On the newer switches, a port configuration for a phone with auto-qos would be done something like this: interface GigabitEthernet1/0/14 switchport access vlan 100 switchport mode access switchport voice vlan 10 auto qos voip cisco-phone The "auto qos voip cisco-phone" command will add a few other lines of configuration to the port, and a bunch of lines of configuration to the global config. You could use this config on all your ports, and will allow you to move phones around without having to reconfigure the port every time. It'll keep the PCs on your PC vlan, and your phones on your voice vlan. You can also configure the ports as a trunk, and connect a PC to it. Since PCs don't normally tag their traffic, it'll default to sending the untagged traffic over vlan 1. You can configure this on the port as well, using the "switchport trunk native vlan XXX" command, which will put all untagged traffic coming in on that port into vlan XXX. Older Cisco switches, such as the 3500XL switches, didn't automatically trunk the port for a phone with the voice vlan command on an access port, and the port had to be configured to trunked. This way, if you had a PC hanging off the back of a phone, you had to use the "switchport trunk native vlan" command to put the data from the PC onto the correct vlan. For purposes here, this command functions the same on a trunk port as the "switchport access vlan" command works on an access port. Such a configuration would look like this: interface FastEthernet 0/14 switchport mode trunk switchport trunk encapsulation dot1q switchport trunk native vlan 100 switchport voice vlan 130 With a trunked port though, by default it'll accept tagged traffic for any vlan, which isn't always desirable for security reasons. The voice vlan command only accepts tagged traffic for the voice vlan, and not for any others. EDIT: Wow, that's a lot of 
|
|
#
?
Sep 21, 2012 01:41
|
|
|
the spyder posted:ASA question: Other then a static route, do I need a ACL to allow internet access in the setup below? Default outbound behavior is to drop, so you will have to set up a permit ACL outbound on your inside interface. Do you need to/Have you set up PAT?
|
|
#
?
Sep 21, 2012 01:42
|
|
|
I should clarify- I have internet if I set the default gateway on the hosts to the ASA's inside IP. Can you give me a example? I believe we do, I will need to remote in later to answer that.
|
|
#
?
Sep 21, 2012 02:58
|
|
|
BelDin posted:Default outbound behavior is to drop, so you will have to set up a permit ACL outbound on your inside interface. Do you need to/Have you set up PAT?
|
|
#
?
Sep 21, 2012 03:07
|
|
|
ragzilla posted:Default ASA policy is to permit to lower security-level unless that changed in -X. The usual thing I see people missing is an outbound NAT/PAT if needed. You're right, my bad. My difficulties were when you had the same security level on two interfaces. Of course, when I inherited our firewalls they were being used as routers with that exact configuration. I think I need to take a break. Been off lately.
|
|
#
?
Sep 21, 2012 03:28
|
|
|
ragzilla posted:Default ASA policy is to permit to lower security-level unless that changed in -X. The usual thing I see people missing is an outbound NAT/PAT if needed. What should the outbound NAT/PAT look like?
|
|
#
?
Sep 21, 2012 04:03
|
|
|
the spyder posted:What should the outbound NAT/PAT look like? Typically something similar to: code:
|
|
#
?
Sep 21, 2012 04:24
|
|
|
the spyder posted:What should the outbound NAT/PAT look like? Since you can reach the internet if you are directly connected to the ASA, my guess would be that you don't have any routes back to your other subnets. Does the ASA know it should go back over the HP to reach your inside networks?
|
|
#
?
Sep 21, 2012 08:08
|
|
|
Anyone know of a good *nix based solution for introducing latency? I am looking for something cheap I can put into our small local lab to help simulation latency on a few lings to mimic our global stuff. If anyone has a suggestion on traffic generation that's free as well, that would be great. We have all this stuff in our big lab in VA, but I am cobbling something together here for the team so we don't have to travel.
|
|
#
?
Sep 21, 2012 14:54
|
|
|
routenull0 posted:Anyone know of a good *nix based solution for introducing latency? I am looking for something cheap I can put into our small local lab to help simulation latency on a few lings to mimic our global stuff. I think dummynet on fbsd is the defacto standard for packet mangling on the cheap.
|
|
#
?
Sep 21, 2012 14:56
|
|
|
ragzilla posted:Typically something similar to: He's using 8.6 code code:Doesn't look like your PAT is the issue though since internet is fine if the host gateway is configured as the ASA. Does the HP have a default route to the ASA inside IP? Sepist fucked around with this message at 15:22 on Sep 21, 2012 |
|
#
?
Sep 21, 2012 15:17
|
|
|
routenull0 posted:Anyone know of a good *nix based solution for introducing latency? I am looking for something cheap I can put into our small local lab to help simulation latency on a few lings to mimic our global stuff. D-ITG, Distributed Internet Traffic Generator http://www.grid.unina.it/software/ITG/ I have used this in the past for some QoS projects
|
|
#
?
Sep 21, 2012 17:04
|
|
|
Sepist posted:He's using 8.6 code Thanks! I converted it last night, but did not have a chance to test it. The HP is 10.20.28.254 and has: ip route 0.0.0.0 0.0.0.0 10.20.28.1 The ASA is 10.20.28.1. It has a static route: 10.20.0.0 255.255.0.0 10.20.28.254 It also has a existing network obj_any statement that fairly closely matches that one. I will check when I get to that site.
|
|
#
?
Sep 21, 2012 18:23
|
|
|
Yo. What model router do people use for internet routing? I would need something that is able to hold full BGP tables. I was looking at the ASR 1004 and maybe the 7603-S as something of a possibility with the correct route processor cards. Anything else in the Cisco catalog that would fit the bill? I'm not familiar with Cisco product families so not sure if I'm missing some obvious solution without reading every data sheet.
|
|
#
?
Sep 21, 2012 21:52
|
|
|
doomisland posted:Yo. What model router do people use for internet routing? I would need something that is able to hold full BGP tables. I was looking at the ASR 1004 and maybe the 7603-S as something of a possibility with the correct route processor cards. Anything else in the Cisco catalog that would fit the bill? I'm not familiar with Cisco product families so not sure if I'm missing some obvious solution without reading every data sheet. ASR9k is also a good option (check 9001). 7600/6500 is getting a bit long in the tooth but is a good platform if you stay within its limitations.
|
|
#
?
Sep 21, 2012 22:12
|
|
|
ragzilla posted:ASR1k with an ESP10 or greater I think. Thanks, looks like I was looking around the right products.
|
|
#
?
Sep 21, 2012 22:25
|
|
|
doomisland posted:Yo. What model router do people use for internet routing? I would need something that is able to hold full BGP tables. I was looking at the ASR 1004 and maybe the 7603-S as something of a possibility with the correct route processor cards. Anything else in the Cisco catalog that would fit the bill? I'm not familiar with Cisco product families so not sure if I'm missing some obvious solution without reading every data sheet.
|
|
#
?
Sep 22, 2012 04:25
|
|
|
Bluecobra posted:We have two Cisco 3845's each with 1Gb of memory and this has been pretty solid for years. I just checked and saw that we have ~420K IPv4 routes and ~10K IPv6 routes. The 1gb memory is kinda the part that matters the most. You can still get a Sup-720 that does not have enough memory to store full tables.
|
|
#
?
Sep 22, 2012 05:08
|
|
|
It looks like I figured it out- it was my Hp 5406zl. I needed to assign a IP to the default vlan, use that as the default gateway for the edge switches, and restart everything. Came right up. This works great, thanks!
|
|
#
?
Sep 22, 2012 05:18
|
|
|
Bluecobra posted:We have two Cisco 3845's each with 1Gb of memory and this has been pretty solid for years. I just checked and saw that we have ~420K IPv4 routes and ~10K IPv6 routes. Yeah that is about what the internet looks like for us. I checked out the 39xx chassis and it looks like it only can go up to 350Mbps. Yikes! Am I reading that wrong or do the the expansion slots matter? It looks like you'll only get line rate on-card with those expansion and as soon as it needs to be routed you run into the 350Mbps issue. For comparison the ASR 9001 can do 120Gbps and the smallest router we're buying now can do 20Gbps. I suppose I should've mentioned it being able to route probably at least 10 Gbps.
|
|
#
?
Sep 22, 2012 05:43
|
|
|
You're reading it right. Any old router can in theory receive full routes with enough memory, but your actual load requirements may dictate spending more on beefier equipment.
|
|
#
?
Sep 22, 2012 07:21
|
|
|
CrazyLittle posted:The 1gb memory is kinda the part that matters the most. You can still get a Sup-720 that does not have enough memory to store full tables. Don´t forget TCAM on the hw forwarding platforms!
|
|
#
?
Sep 22, 2012 21:09
|
|
|
BurgerQuest posted:You're reading it right. Any old router can in theory receive full routes with enough memory, but your actual load requirements may dictate spending more on beefier equipment. Yeah, the ASRlk2 looks pretty sweet since you can software upgrade to meet your needs. Though I'm trying to figure out why someone would get the dual height 10 port SPA over two 8 port SPAs which are single price. I'm going to assume price or niche requirement.
|
|
#
?
Sep 22, 2012 23:47
|
|
|
jwh posted:Nexus 5k experiences: yay? nay? 5510 = NO 5596 = maybe
|
|
#
?
Sep 22, 2012 23:54
|
|
|
doomisland posted:Yo. What model router do people use for internet routing? I would need something that is able to hold full BGP tables. I was looking at the ASR 1004 and maybe the 7603-S as something of a possibility with the correct route processor cards. Anything else in the Cisco catalog that would fit the bill? I'm not familiar with Cisco product families so not sure if I'm missing some obvious solution without reading every data sheet. Juniper M and MX series Cisco 7600 and 6500 series
|
|
#
?
Sep 23, 2012 00:02
|
|
|
a world called z0r posted:5510 = NO I'm having some luck with a pair of 5548s right now, and other than the hoop jumping of converging our networks, they have been solid. Definitely seconding that you don't want anything lower than a 5548. The 5548/96 also supports ISSU, so that when you want to do a firmware upgrade you can do it without a reboot. Just remember that they don't do per interface MTU. *lol*
|
|
#
?
Sep 23, 2012 01:20
|
|
|
BelDin posted:Just remember that they don't do per interface MTU. *lol* 
|
|
#
?
Sep 23, 2012 22:47
|
|
|
Ok so I'm still playing around with this Cisco 860. I'm trying to get PPTP working so I can connect with my laptop through the windows 7 built in client. I can only get connected to it if I manually set the IP on my laptop. But even then I can only ping the inside local ip (192.168.1.1) of the router and nothing else on the inside of the network. If I try to connect without manually setting the IP in the client first, it tells me that their was a network error. Any suggestions?code:I just changed the PPTP_POOL to; ip local pool PPTP_POOL 192.168.1.5 192.168.1.15 and added to the virtual-template 1 interface; peer default ip address pool PPTP_POOL Now I can get an address without having to manually enter it in the windows VPN client, but I can't resolve any host names on the network, access the internet while connected to the VPN. I can access network resources with the IP address. Interface IP-Address OK? Method Status Protocol Virtual-Access1 unassigned YES unset down down Virtual-Access2 unassigned YES unset up up Virtual-Access3 192.168.1.1 YES unset up up Virtual-Template1 192.168.1.1 YES unset down down Vlan1 192.168.1.1 YES NVRAM up up ofwolfandan fucked around with this message at 04:48 on Sep 24, 2012 |
|
#
?
Sep 24, 2012 02:58
|
|
|
QoS question: Is it possible to enable QoS on a dedicated L2 switch handling only one traffic type, and end up with interfaces having more resources available to them than they did before QoS was enabled? I ask because I'm troubleshooting a sporadic latency issue for ESXi hosts accessing iSCSI LUNs on a Compellent SAN, with a 3560 in between, and think it's tied it to output drops on the switch. That manifests for the VMware hosts as very short bursts of 200-500ms latency. Right now there's no QoS enabled at all, and Cisco's recommendation seems to be to enable QoS and give all the egress queue resources to one queue. Does that make sense?
|
|
#
?
Sep 24, 2012 20:20
|
|
|
I suppose that makes sense, sure. Though I don't see how a different queue set would rectify a 200-500ms sporadic latency issue.
|
|
#
?
Sep 24, 2012 20:23
|
|
|
jwh posted:I suppose that makes sense, sure. I'm not sure either, unless microbursts are filling a buffer and this could help out? Here's specifically what they're proposing: code:
|
|
#
?
Sep 24, 2012 22:19
|
|
|
At 1mbit per millisecond, with default queue allocations, you're still servicing each queue well below each .25ms, or 0.25ms. I just can't wrap my head around how the default queue allocations would be introducing such HUGE latency. I don't even think the per-port buffers are capable of storing much more than 2MB per 4-port bundle. Is it possible the large increases in latency are the result of retransmission? I don't know how iscsi works. It can't be tcp drop retransmit, because that's much slower than what you've described.
|
|
#
?
Sep 24, 2012 22:35
|
|
|
I don't know, I'll admit I'm over my head here - I've never even touched QoS before. Here's some debugging info I was looking at since the interface MTU looks like it's set to 9000, and since the hosts/SAN are set at 1500 I was worried I was misunderstanding when fragmentation would happen. Doesn't look like that's the case though, and my untrained eye doesn't see anything else really worrying here.code:code:code:code:code:Mierdaan fucked around with this message at 00:55 on Sep 25, 2012 |
|
#
?
Sep 24, 2012 22:50
|
|
|
Troubleshooting queue drops is the worst thing in the world, in my experience. But in this case, 81 queue drops over 4.4 million packets wouldn't worry me. I see much higher on ATM interfaces (pray for me). I wish I could help more, but I'm it's hard to know exactly what to look at at this point. I would go out on a limb and say that more than likely, your infrastructure isn't the issue. And as a general point about QoS, I'm fond of saying that it's not about making things better, it's about making other things worse. In your case, it doesn't look like there's much to make worse, so I'm not sure how much a robust QoS scheme is going to benefit you in the first place. 
|
|
#
?
Sep 24, 2012 22:58
|
|
|
jwh posted:Troubleshooting queue drops is the worst thing in the world, in my experience. I am going to side with jwh on this too. That low of a drop count for that many packets isn't that much to worry about. If you had something like 200,000+ like I had on my 3750's a while back then you have to worry about it. QoS may or may not help your issue there. It really could be a mixed bag for you and even cause more issues if its not done right.
|
|
#
?
Sep 24, 2012 23:29
|
|
|
The QoS in this case isn't actual QoS, this is fixing the broken defaults in IOS. The way development seems to be going is that Cisco assumes everyone is running enterprisey QoS and sets up the hardware defaults that way which in the case of 3560/3750 leaves 75% of the buffer resources unused assigned to queues 0,2-3 while queue 1 services everything. Sigh. We had this same problem with Scale Computing backend network (don't touch them with a 10' pole if you have the chance) where the bursts would overflow switch buffers until TCP slowed down, it gets compounded by the fact you're typically looking at a many-to-one-port traffic pattern (lots of ESX boxes talking to a handful of SAN ports). Try Cisco's suggestion (during a maintenance window) but keep in mind it may not help. We ended up moving to 4900/6500 to get some decent buffer depth.
|
|
#
?
Sep 25, 2012 00:14
|
|
|
Thanks for the input. I'll go ahead with Cisco's suggestions this weekend and see if they have any impact. So far the latency spikes don't really affect anything, but it's worrying to think about moving production Exchange/SQL over to this platform when there's  spooky performance issues I can't explain. You guys have talked me off the ledge a bit though, I'm okay with the answer being that we move to a more robust switch for this fabric later if we really start to hit a performance wall.edit:  They make performance graphs look like poo poo too 
Mierdaan fucked around with this message at 01:01 on Sep 25, 2012 |
|
#
?
Sep 25, 2012 00:49
|
|
|
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_55_se/command/reference/cli1.html#wp2144505 Here's a doc on queue set and buffer tuning, FYI.
|
|
#
?
Sep 25, 2012 16:10
|
|
|
|
| # ? May 30, 2024 10:41 |
|
|
jwh posted:http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_55_se/command/reference/cli1.html#wp2144505 that's a very good doc to read. FYI a couple of pages ago I had the same issues with a 3750-X stack, no amount of tinking can really fix the issue with these switches. The only thing which really worked for me was to look at which queue had the largest amount of traffic and make that have the most buffers. Even then I still see drops. The boss found a Dell switch which has more buffers for a lot cheaper inc HBAs
|
|
#
?
Sep 26, 2012 03:21
|
|
