|
ruro posted:Given that you'll be upgrading to a 20/20 link and the number of devices you have I would consider something beefier than the 881, particularly if you'll be using NAT/ACLs. While the 881 itself isn't listed http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf is a decent reference to get an idea of how many packets per second a device can manage. Keep in mind that the PDFs numbers are with 64 byte packets. The 881 will easily do 100Mbits of NAT traffic if the packets are of a 'normal' size. However he really should by something with a webgui instead.
|
#
?
Jul 15, 2013 22:13
|
|
|
|
| # ? May 30, 2024 13:39 |
|
|
ior posted:Keep in mind that the PDFs numbers are with 64 byte packets. The 881 will easily do 100Mbits of NAT traffic if the packets are of a 'normal' size. However he really should by something with a webgui instead.  .
|
|
#
?
Jul 15, 2013 22:20
|
|
|
ruro posted:Good points. He did say he was happy to learn CLI though Just use CCP  Get a 819H! They're significantly more than an 881 but suuuuuuper cute.
|
|
#
?
Jul 15, 2013 22:23
|
|
|
DeNofa posted:Just use CCP Unplugging Ethernet cables from an 819H is a huge pain in the rear end  . Thus not cute at all.Serious reply: Ubiquiti Edgerouter - http://www.ubnt.com/edgemax! Has a pretty UI.
|
|
#
?
Jul 15, 2013 22:38
|
|
|
ruro posted:Serious reply: Ubiquiti Edgerouter - http://www.ubnt.com/edgemax! Has a pretty UI. These are definitely nice for the $99 pricetag. They'll even do OpenVPN for remote access, but you'll have to configure it via CLI since the Web UI doesn't have that part implemented yet. It's basically Vyatta under the hood, so just about anything you can do with Vyatta, you can do with the Edgemax.
|
|
#
?
Jul 15, 2013 22:49
|
|
|
ruro posted:Has anyone ever implemented FHRP gateway localization on a 6500? I have a feeling I am going to lose an argument against having active VMs in several DCs on the same spanned VLAN while still having to provide host mobility, and I really want to avoid traffic tromboning if at all possible. It's definitely doable with a 7k using OTV. Don't see why the same principles wouldn't apply but I've never tried it (I personally hate layer 2 extension since it's usually the wrong solution to a problem.) From: http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/white_paper_c11-644634.html code:
|
|
#
?
Jul 15, 2013 23:18
|
|
|
1000101 posted:It's definitely doable with a 7k using OTV. Don't see why the same principles wouldn't apply but I've never tried it (I personally hate layer 2 extension since it's usually the wrong solution to a problem.) That's the document that I looked at initially before posting my question. My problem is that the 6500's in each DC are a collapsed core and are directly connected to each other over DF, so I don't have any intermediate devices that I can do the IP/VLAN/ARP filtering on so as not to affect local hosts reaching the VIP. The MAC and IP filtering I can do on the inter-DC interfaces easily enough, but I haven't managed to figure out a way to do the ARP inspection filtering on an interface instead of a VLAN. Annoyingly this won't be a problem if I managed to get the DCI network off the ground as I'll be able to do the filtering on the DCI switches.
|
|
#
?
Jul 16, 2013 00:27
|
|
|
indigoe posted:Now keep in mind I'm no network engineer but I can learn and I'm not afraid of the command line. So my questions are: 881 can only do around 15mbps when IPS inspection is turned on. You'd need something more powerful if you wanted to use that. There is a GUI config tool called Cisco Configuration Professional which you can download free of charge. Have you looked at a Fortinet 60D? It has a pretty painless web based GUI.
|
|
#
?
Jul 16, 2013 00:46
|
|
|
Thanks for the feedback so far. My boss won't go for "unknown" brands like Ubiquity, though it looks good on paper. This is why I'm looking at cisco. What would be the next step up from the 881? The 1900 series? (As an aside the routerperfomance pdf seems out of date) About CCP, I got the impression that it requires a license and it is not free. Is there a non-obvious download link somewhere?
|
|
#
?
Jul 16, 2013 02:31
|
|
|
indigoe posted:Thanks for the feedback so far. My boss won't go for "unknown" brands like Ubiquity, though it looks good on paper. This is why I'm looking at cisco. I thought it was free anyways. Try logging in with your CCO account and see if you can download. What's your budget for the device? Assuming you don't have a vendor relationship with a Cisco partner, you're looking at $1150 for a 1921-SEC/K9 or $1600 for the 1941 variant. Even though I love Cisco, it's probably not the best solution for what you're doing at the branch. Something like this would fit the role better and be cheaper as well. ($550) You can demo the GUI at https://www.fortigate.com with the login demo/demo. less than three fucked around with this message at 05:22 on Jul 16, 2013 |
|
#
?
Jul 16, 2013 05:19
|
|
|
Just say, "well, we can spend fifteen hundred dollars for features we'll never use from a company you recognize, or we can spend a hundred dollars for what we need." For only twenty megabits you could use just about anything recent without worrying. It's not like you're going to turn on a bunch of high-touch stuff anyway, I imagine.
|
|
#
?
Jul 16, 2013 05:23
|
|
|
indigoe posted:Thanks for the feedback so far. My boss won't go for "unknown" brands like Ubiquity, though it looks good on paper. This is why I'm looking at cisco. Buy a used 3825 from eBay for $200. Buy another as a cold spare.
|
|
#
?
Jul 16, 2013 07:19
|
|
|
While I really love the 1921's I've put out and about, I couldn't not recommend something like a fortigate 60D and a simple bridged ADSL modem. It'll do your level of traffic ok, offers all the usual remote access VPN options plus UTM (Web filtering etc, block Skype, facebook). They're cheaper and I'd spend the money saved on a few good 48pt switches (just get refurbished equipment if your budget is super tight).
|
|
#
?
Jul 16, 2013 09:24
|
|
|
less than three posted:881 can only do around 15mbps when IPS inspection is turned on. You'd need something more powerful if you wanted to use that. There is a GUI config tool called Cisco Configuration Professional which you can download free of charge. If you want IPS get a real IPS box - not some wannabe IOS feature. Also CCP is horrible I´d rather have a ASA5505 with ASDM.
|
|
#
?
Jul 16, 2013 10:09
|
|
|
falz posted:Buy a used 3825 from eBay for $200. Buy another as a cold spare. I'm in Australia and the cheapest I can find is around $500 with shipping. That model seems to be overkill anyway as far as I can tell. There is no set budget, it's whatever gets approved. I'm looking into the Fortigate 60D, it's definitely within the price range that's been indicated to be acceptable. I played around with the demo UI - I hope it's only indicative of features and missing some things (couldn't find DHCP for example, or port configurations).
|
|
#
?
Jul 16, 2013 10:38
|
|
|
ior posted:If you want IPS get a real IPS box - not some wannabe IOS feature. Also CCP is horrible Good call. Just get an ASA5505! But yeah CCP is super bad.
|
|
#
?
Jul 16, 2013 13:00
|
|
|
falz posted:Buy a used 3825 from eBay for $200. Buy another as a cold spare. This is usually what I do, but I have control over procurement for my org. I would rather purchase grey market, two of everything with as much automatic failover as possible, for 40 cents on the dollar. Works for me at least.
|
|
#
?
Jul 16, 2013 14:50
|
|
|
indigoe posted:I played around with the demo UI - I hope it's only indicative of features and missing some things (couldn't find DHCP for example, or port configurations). Yeah, the demo doesn't have everything. DHCP setup and port configurations are easy and straight forward. (for example, just go to the DHCP page and specify your pools of addresses.) Fortinet also has decent documentation. Here's a PDF that shows how to do pretty much anything you'd be thinking of: http://docs.fortinet.com/cb/fortigate-cookbook50.pdf
|
|
#
?
Jul 16, 2013 19:21
|
|
|
Dumb question but with that performance PDF, it's using 64KB packets, not 1.5KB, right? Or am I confusing things with the layer 2 MTU size? Or gently caress is MTU the contents of the frame???! Argh where's my CCNA book when I need it.
|
|
#
?
Jul 16, 2013 22:06
|
|
|
edit: er, 64 byte frames.
jwh fucked around with this message at 22:13 on Jul 16, 2013 |
|
#
?
Jul 16, 2013 22:07
|
|
|
Gap In The Tooth posted:Dumb question but with that performance PDF, it's using 64KB packets, not 1.5KB, right? Or am I confusing things with the layer 2 MTU size? Or gently caress is MTU the contents of the frame???! Argh where's my CCNA book when I need it. MTU is the Ethernet payload (ie IP data gram), the full frame is MTU+14+4 for smac/dmac/etype/fcs. On the wire it's a bit bigger due to preamble/ifg (which varies in size). 64 byte packet is 46 IP datagram + 14 Ethernet + 4 FCS. Fun note, MTU settings on XR include Ethernet headers, leading to much gnashing of teeth if you copy MTU settings from IOS to XR.
|
|
#
?
Jul 16, 2013 23:02
|
|
|
Cool, thanks. Has anyone seen a performance PDF like the one posted but just for straight ethernet or realistic frame sizes? Or will I have to go to each product page individually and get the stats I need?
|
|
#
?
Jul 17, 2013 01:42
|
|
|
I don't think i've seen anything that summarizes IMIX rates or anything.
|
|
#
?
Jul 17, 2013 02:28
|
|
|
Most third party reports will include an IMIX section... but since those are usually commissioned by the vendor for a bake off YMMV. It's still best to lab for your own specifications.
|
|
#
?
Jul 17, 2013 15:30
|
|
|
The reason you don't see router performance numbers very often is because you can only be sure of one thing about them, the numbers will be wrong. Traffic profiles are unique and even if you set up two identical environments the real numbers will be different.
|
|
#
?
Jul 17, 2013 15:36
|
|
|
Usually I will look at them to see if they are in the ballpark I am looking for capacity wise, so I don't deploy a 2811 into a Service Provider network and realize later on there are no 100Gb linecards for that router 
|
|
#
?
Jul 17, 2013 15:59
|
|
|
I don't know about anyone else but the only number I pay attention to on that spreadsheet is the PPS, so it's nice to have so many models all in one place. I use the PPS in conjunction with the average packet size on our network and then divide by two for each major service I enable to get a ball park idea of uni-directional throughput.
|
|
#
?
Jul 17, 2013 22:02
|
|
|
ruro posted:I don't know about anyone else but the only number I pay attention to on that spreadsheet is the PPS, so it's nice to have so many models all in one place. I use the PPS in conjunction with the average packet size on our network and then divide by two for each major service I enable to get a ball park idea of uni-directional throughput. It's pretty nice for "which Cisco router do I need here" or "is this Cisco router an upgrade over this other Cisco router?". I wouldn't bother using it to compare with other brands, and I take real-world numbers with a grain of salt, but its definitely handy for relative comparisons.
|
|
#
?
Jul 18, 2013 04:57
|
|
|
I have an ASA5510 with Security Plus we'd like to enable the anyconnect mobile client on. Am I reading the licensing correctly that all I need is the enable key for anyconnect mobile and I can use however many normal VPN connections i'm entitled to?
|
|
#
?
Jul 18, 2013 17:56
|
|
|
Nebulis01 posted:I have an ASA5510 with Security Plus we'd like to enable the anyconnect mobile client on. Am I reading the licensing correctly that all I need is the enable key for anyconnect mobile and I can use however many normal VPN connections i'm entitled to? No, you need anyconnect essentials + anyconnect mobile which will give you 250 concurrent connections.
|
|
#
?
Jul 18, 2013 19:09
|
|
|
ior posted:No, you need anyconnect essentials + anyconnect mobile which will give you 250 concurrent connections. Thanks! Looks like the combination isn't terribly expensive.
|
|
#
?
Jul 18, 2013 19:18
|
|
|
How are you guys doing your lab setups for performance testing? Any specific software you recommend?
|
|
#
?
Jul 18, 2013 19:36
|
|
|
Upgraded my test 3560g to 15.0(2)SE4 from 12.2 just to see what's new. Any major changes I should be aware of? As always, Cisco's documentation is impossible to find so I'm having difficulty finding a good changelog.
|
|
#
?
Jul 18, 2013 20:41
|
|
|
psydude posted:Upgraded my test 3560g to 15.0(2)SE4 from 12.2 just to see what's new. Any major changes I should be aware of? As always, Cisco's documentation is impossible to find so I'm having difficulty finding a good changelog. 
|
|
#
?
Jul 18, 2013 21:05
|
|
|
psydude posted:Upgraded my test 3560g to 15.0(2)SE4 from 12.2 just to see what's new. Any major changes I should be aware of? As always, Cisco's documentation is impossible to find so I'm having difficulty finding a good changelog. Well they introduced their new SHA password encryption into the 15.0(2) code for switches after which it was soon discovered that their implementation of this new encryption method is actually less secure than the old MD5 encryption. Also SE3 was out for like a week before being pulled due to some bug causing 100% CPU utilisation from TACACS.
|
|
#
?
Jul 18, 2013 21:09
|
|
|
Yeah, I read the release notes for (1) and (2) and saw the TACACS+ thing (which is good, because we use it). In terms of general operation are there any major bugs, crazy changes in syntax, etc. that I should know about? I'm planning on slapping it on the switches for a new environment I'm building and want to know if I'm in for any nasty surprises that I won't find through normal testing in my lab.
|
|
#
?
Jul 18, 2013 21:10
|
|
|
Does anyone know how to find software serial number on NCS? We're trying to transfer our maintenance agreements to smartnet but I'll be damned if I can find any of those serials on NCS, or what they even look like.
|
|
#
?
Jul 18, 2013 22:10
|
|
|
I have a stupid question about the permit/deny logic when using route maps to filter routes. I'm fairly certain I have the concept down, but I just need some reassurance. Pretend I want to filter the 10.10.10.0/18 subnet from being advertised via EIGRP. If I want to filter the route with a prefix list, I would deny the subnet: ip prefix-list baller deny 10.10.10.0/18 If I want to filter the route using a route map that references a prefix list, I would need to permit the subnet with the prefix-list command and then configure a route map subcommand that matched the route I want to filter. ip prefix-list baller permit 10.10.10.0/18 route-map baller deny 5 > match ip address prefix-list baller Only a route-map deny and a prefix-list permit will cause the route to be filtered. All other combinations permit/permit, permit/deny, and deny/deny will cause the route-map logic to move to the next sequence to look for a match. Is this correct or am I way off base?
|
|
#
?
Jul 18, 2013 23:33
|
|
|
Protokoll posted:I have a stupid question about the permit/deny logic when using route maps to filter routes. I'm fairly certain I have the concept down, but I just need some reassurance. Pretend I want to filter the 10.10.10.0/18 subnet from being advertised via EIGRP. Any permit in the prefix-filter will match that route-map entry and apply it's policy (permit or deny on the route-map, and any set statements). It will then stop processing the route through the route-map unless you have a continue statement. Not sure if this applies on a route-map deny or if continue only works on a route-map permit, logically it'd only be the latter, but who knows with Cisco.
|
|
#
?
Jul 19, 2013 00:18
|
|
|
|
| # ? May 30, 2024 13:39 |
|
|
Sepist posted:So how many of you have been inside #1024? Crap, I am having a hard time remembering how to be a CCNP.
|
|
#
?
Jul 19, 2013 04:11
|
|
