Count Thrashula
Jun 1, 2003

Death is nothing compared to vindication.
Buglord

Sepist posted:

On the 3750 reset the interface with "default interface X/XX" and try again

Did that before I did anything else.

workape posted:

Also, what are the outputs from "show run interface gi 3/0/5" and "show run interface fa 0/12" on their respective switches? Are you configured for no negotiate on your interfaces as well?

code:
interface GigabitEthernet3/0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 speed 100
 duplex full
end
code:
interface FastEthernet0/12
 switchport mode trunk
 duplex full
 speed 100
end
Negotiation isn't an option on the 2950, but having manually-set speed and duplex should preclude that, right?

And I am using a crossover cable :) CDP sees each other as neighbors, but the problem seems to be on the 3750 with the Administrative Mode/Encapsulation not carrying over to the Operational Mode/Encapsulation.


workape
Jul 23, 2002

QPZIL posted:


Negotiation isn't an option on the 2950, but having manually-set speed and duplex should preclude that, right?


No, turning off DTP negotiation. Sorry about that. Issue the switchport nonegotiate on ports on both ends so that you are statically setting the trunk and then shut/no shut the interfaces to ensure that they come back up in an operational state.

Count Thrashula
Jun 1, 2003

Death is nothing compared to vindication.
Buglord

workape posted:

No, turning off DTP negotiation. Sorry about that. Issue the switchport nonegotiate on ports on both ends so that you are statically setting the trunk and then shut/no shut the interfaces to ensure that they come back up in an operational state.

Still didn't work. Here is the log from the 3750:

code:
Aug 30 12:38:31.577: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/3, changed state to down
Aug 30 12:38:32.584: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/3, changed state to down
Aug 30 12:38:35.201: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/3, changed state to up
Aug 30 12:38:36.266: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/3, changed state to up
Aug 30 12:38:35.404: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on GigabitEthernet3/0/3 VLAN5. (xxxxxxx-3750-1-3)
Aug 30 12:38:35.404: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet3/0/3 on VLAN0005. Inconsistent local vlan. (xxxxxx-3750-1-3)
Aug 30 12:38:53.840: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet3/0/3 (5), with xxxxxxx-2950-1.xxxx.xxx 
      FastEthernet0/12 (1).
Aug 30 12:38:53.840: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet3/0/3 (5), with xxxxxxx-2950-1.xxxx-xxx.gov 
      FastEthernet0/12 (1). (xxxxxxx-3750-1-3)
Aug 30 12:39:03.495: %SYS-5-CONFIG_I: Configured from console by xxxxx on vty3 (10.5.4.201)
Aug 30 12:39:53.843: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet3/0/3 (5), with xxxxxxx-2950-1.xxxx.xxx 
      FastEthernet0/12 (1).
and on the 2950:

code:
*Feb 28 23:00:57.127: %LINK-3-UPDOWN: Interface FastEthernet0/12, changed state to down
*Feb 28 23:00:57.703: %SYS-5-CONFIG_I: Configured from console by admin on console
*Feb 28 23:00:58.499: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 5 on FastEthernet0/12 VLAN1.
*Feb 28 23:00:58.503: %SPANTREE-2-BLOCK_PVID_PEER: Blocking FastEthernet0/12 on VLAN0005. Inconsistent peer vlan.
*Feb 28 23:00:58.503: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet0/12 on VLAN0001. Inconsistent local vlan.
*Feb 28 23:00:59.835: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/12 (1), with xxxxxxx-3750-1.xxxx.xxx 
      GigabitEthernet3/0/3 (5).
*Feb 28 23:00:59.971: %LINK-3-UPDOWN: Interface FastEthernet0/12, changed state to up
*Feb 28 23:01:01.131: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/12 (1), with xxxxxxx-3750-1.xxxx.xxx 
      GigabitEthernet3/0/3 (5).
edit, and the show switchport for the 3750:

code:
xxxxxxx-3750-1#show int g3/0/3 sw

Name: Gi3/0/3
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 5 (xxxx-data-vlan)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: 10 (xxxx-voice)
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

xxxxxxx-3750-1#
(Someone let me know if I'm spamming too much, but these logs are important for diagnosis!)

Count Thrashula fucked around with this message at 17:51 on Aug 30, 2013
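
The correlation a reviewer of the post above would do by hand, written out as a small checker (an added example, not code from the thread): it parses the 3750's "show interface switchport" output and its syslog, re-joins the wrapped CDP line, and reports why the port that is administratively a trunk shows up to the neighbour with native VLAN 5. The sample input is transcribed from the post with hostnames masked as posted; the field and message formats are the ones shown in the thread.

```python
import re

# Constructed sample, transcribed from the thread's 3750 output (hostnames masked as posted).
SWITCHPORT_3750 = """\
Name: Gi3/0/3
Administrative Mode: trunk
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 5 (xxxx-data-vlan)
Trunking Native Mode VLAN: 1 (default)
"""

# Constructed sample syslog from the same post; the CDP message is wrapped onto an
# indented continuation line exactly as the terminal printed it.
SYSLOG_3750 = """\
Aug 30 12:38:35.404: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on GigabitEthernet3/0/3 VLAN5. (xxxxxxx-3750-1-3)
Aug 30 12:38:35.404: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet3/0/3 on VLAN0005. Inconsistent local vlan. (xxxxxx-3750-1-3)
Aug 30 12:38:53.840: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet3/0/3 (5), with xxxxxxx-2950-1.xxxx.xxx
      FastEthernet0/12 (1).
Aug 30 12:39:03.495: %SYS-5-CONFIG_I: Configured from console by xxxxx on vty3
"""

CDP_RE = re.compile(r"%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on (\S+) "
                    r"\((\d+)\), with (\S+)\s+(\S+) \((\d+)\)")
PVID_RE = re.compile(r"%SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id "
                     r"(\d+) on (\S+) VLAN(\d+)")
SHORT_IF = {"TenGigabitEthernet": "Te", "GigabitEthernet": "Gi", "FastEthernet": "Fa"}

def short_ifname(name):
    # Syslog writes GigabitEthernet3/0/3; 'show interface switchport' writes Gi3/0/3.
    for long, short in SHORT_IF.items():
        if name.startswith(long):
            return short + name[len(long):]
    return name

def unwrap(text):
    # Re-join messages that the terminal wrapped onto an indented continuation line.
    lines = []
    for raw in text.splitlines():
        if raw[:1].isspace() and lines:
            lines[-1] = lines[-1].rstrip() + " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines

def parse_switchport(text):
    # 'Field: value' lines become a dict; the VLAN fields keep their '(name)' suffix.
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def syslog_findings(text):
    # (source, interface, local native VLAN, peer native VLAN, neighbour) per mismatch message.
    findings = []
    for line in unwrap(text):
        m = CDP_RE.search(line)
        if m:
            local_if, local_vlan, neighbor, remote_if, remote_vlan = m.groups()
            findings.append(("cdp", short_ifname(local_if), int(local_vlan), int(remote_vlan),
                             f"{neighbor} {remote_if}"))
            continue
        m = PVID_RE.search(line)
        if m:
            peer_vlan, local_if, local_vlan = m.groups()
            findings.append(("stp", short_ifname(local_if), int(local_vlan), int(peer_vlan), None))
    return findings

def trunk_report(switchport_text, syslog_text):
    # Correlate the port's admin/operational state with the mismatch messages for that port.
    fields = parse_switchport(switchport_text)
    name = fields.get("Name", "?")
    admin, oper = fields.get("Administrative Mode"), fields.get("Operational Mode")
    access_vlan = int(fields.get("Access Mode VLAN", "0").split()[0])
    trunk_native = int(fields.get("Trunking Native Mode VLAN", "0").split()[0])
    issues = []
    if admin == "trunk" and oper != "trunk":
        issues.append(f"{name}: administratively '{admin}' but operationally '{oper}'")
        if fields.get("Negotiation of Trunking") == "Off":
            issues.append(f"{name}: DTP is off, so the far end must also be a static trunk")
    # An access port sends everything untagged in its access VLAN, so that is the native
    # VLAN the neighbour sees on the wire, not the configured trunk native VLAN.
    wire_native = access_vlan if oper == "static access" else trunk_native
    if oper == "static access" and wire_native != trunk_native:
        issues.append(f"{name}: in access mode neighbours see VLAN {wire_native} untagged, "
                      f"not trunk native VLAN {trunk_native}")
    for source, iface, local, peer, neighbor in syslog_findings(syslog_text):
        if iface == name:
            where = f" ({neighbor})" if neighbor else ""
            issues.append(f"{name}: {source.upper()} reports local native VLAN {local} "
                          f"vs peer native VLAN {peer}{where}")
    return issues
```

Run against the post's own output it prints five lines, the third of which is the point: the port is still in access mode, so the neighbour sees VLAN 5 untagged while the trunk native VLAN is configured as 1.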

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR
Using PRTG for bandwidth monitoring. SNMP2 setup on device. Layer 3 ports work fine.

I need to create several SVIs and use them as the routable interface on an aggregate switch/router. PRTG has a limitation where the SNMP Bandwidth Monitor will not report bandwidth that routes across an SVI.

I have not been able to find any information online as to a solution. Any ideas?

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
Maybe it is related to your native vlan mismatch, either issue switchport trunk native vlan 1 or switchport trunk native vlan 5 on each and see where it takes you. My hunch is that it is blocking due to both vlans being untagged/tagged depending on which direction they are going.

Count Thrashula
Jun 1, 2003

Death is nothing compared to vindication.
Buglord

Sepist posted:

Maybe it is related to your native vlan mismatch, either issue switchport trunk native vlan 1 or switchport trunk native vlan 5 on each and see where it takes you. My hunch is that it is blocking due to both vlans being untagged/tagged depending on which direction they are going.

That was actually the next thing I did after my last post. The CDP errors went away, and VTP isn't doing anything now, but I still have the "Administrative mode: trunk" / "Operational mode: static access" mismatch on the 3750 switch. So weird.

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue
What IOS on the 2950 and 3750?

Outputs from "sh spanning-tree summary" on each.

No other connections between the 2950 and 3750?

Count Thrashula
Jun 1, 2003

Death is nothing compared to vindication.
Buglord

routenull0 posted:

What IOS on the 2950 and 3750?

System image file is "flash:/c2950-i6q4l2-mz.121-14.EA1a.bin"

System image file is "flash:/c3750-ipbasek9-mz.122-46.SE.bin"

routenull0 posted:

Outputs from "sh spanning-tree summary" on each.

2950:
code:
Switch is in pvst mode
Root bridge for: VLAN0001, VLAN0020
EtherChannel misconfiguration guard is enabled
Extended system ID   is enabled
Portfast             is disabled by default
PortFast BPDU Guard  is disabled by default
Portfast BPDU Filter is disabled by default
Loopguard            is disabled by default
UplinkFast           is disabled
BackboneFast         is disabled
Pathcost method used is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                     0         0        0          1          1
VLAN0005                     0         0        0          1          1
VLAN0020                     0         0        0          1          1
---------------------- -------- --------- -------- ---------- ----------
3 vlans                      0         0        0          3          3

3750:
code:
Switch is in pvst mode
Root bridge for: VLAN0034, VLAN0048
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
EtherChannel misconfig guard is enabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Configured Pathcost method used is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                     0         0        0          4          4
...
VLAN0005                     0         0        0        158        158
...
VLAN0020                     0         0        0          2          2
...

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
...
---------------------- -------- --------- -------- ---------- ----------
36 vlans                     0         0        0        358        358

(omitted non-pertinent VLANs. VLAN0020 is the management VLAN we use for switches, 0005 is what we use for data)

routenull0 posted:

No other connections between the 2950 and 3750?

None, just a single crossover cable going between fa0/12 on the 2950 and gi3/0/3 on the 3750. (which is one switch of a 7-switch stack)

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue
After setting the appropriate native vlan on both switches, are you still getting?

code:
Aug 30 12:38:35.404: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on GigabitEthernet3/0/3 VLAN5. (xxxxxxx-3750-1-3)
Aug 30 12:38:35.404: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet3/0/3 on VLAN0005. Inconsistent local vlan. (xxxxxx-3750-1-3)
Both those still indicate an inconsistent native vlan.

Have you attempted to debug spanning-tree and capture the output?

Flash z0rdon
Aug 11, 2013

Zuhzuhzombie!! posted:

Using PRTG for bandwidth monitoring. SNMP2 setup on device. Layer 3 ports work fine.

I need to create several SVIs and use them as the routable interface on an aggregate switch/router. PRTG has a limitation where the SNMP Bandwidth Monitor will not report bandwidth that routes across an SVI.

I have not been able to find any information online as to a solution. Any ideas?

I like PRTG. I wish there was a linux rpm variant.

Count Thrashula
Jun 1, 2003

Death is nothing compared to vindication.
Buglord

routenull0 posted:

After setting the appropriate native vlan on both switches, are you still getting?

code:
Aug 30 12:38:35.404: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on GigabitEthernet3/0/3 VLAN5. (xxxxxxx-3750-1-3)
Aug 30 12:38:35.404: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet3/0/3 on VLAN0005. Inconsistent local vlan. (xxxxxx-3750-1-3)
Both those still indicate an inconsistent native vlan.

Have you attempted to debug spanning-tree and capture the output?

As I mentioned earlier (I may have been unclear), setting the native VLAN on both sides stopped all STP/CDP/any kind of messages. Both sides are sending out STP packets, and nothing looks fishy there that I can tell.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR

Flash z0rdon posted:

I like PRTG. I wish there was a linux rpm variant.

It works great in every other capacity. We can even do what I'm trying to do here with ASA's since they do not have a CEF table. It just can't, as far as I can see, monitor bandwidth across an SVI. I got a trouble ticket in and a post on their forum to see if there's a MIB or something I can install that will do it.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k

QPZIL posted:

As I mentioned earlier (I may have been unclear), setting the native VLAN on both sides stopped all STP/CDP/any kind of messages. Both sides are sending out STP packets, and nothing looks fishy there that I can tell.

So at this point the only problem is

code:
Administrative Mode: trunk
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
which may not actually be an issue

Count Thrashula
Jun 1, 2003

Death is nothing compared to vindication.
Buglord

Sepist posted:

So at this point the only problem is

code:
Administrative Mode: trunk
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
which may not actually be an issue

It is an issue though, since the 2950 switch is not pulling down VTP info and can't ping the 3750 switch or the router it's connected to... i.e. it's not trunking.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR

QPZIL posted:

It is an issue though, since the 2950 switch is not pulling down VTP info and can't ping the 3750 switch or the router it's connected to... i.e. it's not trunking.

Maybe a dumb question but have you checked VTP domain/pass?

Count Thrashula
Jun 1, 2003

Death is nothing compared to vindication.
Buglord

Zuhzuhzombie!! posted:

Maybe a dumb question but have you checked VTP domain/pass?

Yep. And actually I just set up a spare 3550 with the same configuration as the 2950, and the same issue occurs. I think it's an issue with the 3750 not wanting to change from "static access" to "trunk".

Actually... I just have an idea...

Flash z0rdon
Aug 11, 2013

Zuhzuhzombie!! posted:

It works great in every other capacity. We can even do what I'm trying to do here with ASA's since they do not have a CEF table. It just can't, as far as I can see, monitor bandwidth across an SVI. I got a trouble ticket in and a post on their forum to see if there's a MIB or something I can install that will do it.

I monitor bandwidth on SVIs all the time, version 9 and 13.

edit: this is on 6500's though.

Flash z0rdon fucked around with this message at 23:23 on Aug 30, 2013

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

Zuhzuhzombie!! posted:

Using PRTG for bandwidth monitoring. SNMP2 setup on device. Layer 3 ports work fine.

I need to create several SVIs and use them as the routable interface on an aggregate switch/router. PRTG has a limitation where the SNMP Bandwidth Monitor will not report bandwidth that routes across an SVI.

I have not been able to find any information online as to a solution. Any ideas?
Some fixed Cisco switches such as 3560 simply don't report unicast traffic on SVIs, just broadcast traffic.

Edit: it's that it won't show hardware-switched packets, which are the ones you care about.

http://puck.nether.net/pipermail/cisco-nsp/2005-March/018406.html

Gap In The Tooth
Aug 16, 2004
Both sides have to be native or both have to switchport trunk native vlan x

You get the same issue when you do router on a stick and forget native or put it on.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR

Flash z0rdon posted:

I monitor bandwidth on SVIs all the time, version 9 and 13.

edit: this is on 6500's though.

Yeah, we have some HSRP groups that we're monitoring on 6500s that do it. But not on a 3750.

dotster
Aug 28, 2013

falz posted:

Some fixed Cisco switches such as 3560 simply don't report unicast traffic on SVIs, just broadcast traffic.

Edit: it's that it won't show hardware-switched packets, which are the ones you care about.

http://puck.nether.net/pipermail/cisco-nsp/2005-March/018406.html

You should be able to get traffic stats with netflow on 3750/3560-X for switched ports.

Herv
Mar 24, 2005

Soiled Meat

QPZIL posted:

Yep. And actually I just set up a spare 3550 with the same configuration as the 2950, and the same issue occurs. I think it's an issue with the 3750 not wanting to change from "static access" to "trunk".

Actually... I just have an idea...

Sorry if I missed it, but did you set the ports back to access mode, set them for vlan 1, then turn them back to trunks?

No clue why one is white knuckling vlan 5, but that's what usually fixed native vlan mismatches for me. Lotta work for the untagged frames there. ;)

Contingency
Jun 2, 2007

MURDERER

jwh posted:

Cisco has a product, but IPS is best imagined as owning a horse. You have to feed it, brush its hair, take it for walks. Otherwise it gets cranky.

If your organization can't spring for a desktop guy, I wonder if you're likely to have the resources to take care of an IPS.

Here's the deal:
My company doubled in size about 18 months ago. Veteran staff hired underlings to help shoulder their workload without consideration of the big picture (at some point you should hire a Windows admin with a solid grasp of Group Policy). Stuff barely tolerable in a 50 employee company (leaving it up to users to install AV software, wide open shared folders) is an administrative nightmare with several hundred users. I'm a network guy; I can't fix our domain admins, but if I get first line support some breathing room, they will eventually grow into the desktop admin role my server admins won't fill. Spam filter was updated for the first time in years. Centralized AV broke at some point but will soon make a return. We're turning things around.

The company's shortcomings are outside my area of responsibility, but I'm evaluating what I can do on the network side. I have the time to babysit another device. Given the risk of false positives, I would be content with IDS mode, but my question has to do with Cisco IPS effectiveness. Does it do a good job of identifying compromised machines that AV doesn't catch (flagging botnet participants via traffic analysis)? Does it catch exploit code being downloaded from a site? How well does it handle obfuscated Javascript? I can read bullet point features on a white paper, but that's not the same as knowing whether it does something well.

jwh
Jun 12, 2002

The short answer is yes, but the longer, and better answer is no

You should spring for a palo alto box, in my opinion.

abigserve
Sep 13, 2009

this is a better avatar than what I had before
JWH, how long have you had PA's in your prod environment?

Docjowles
Apr 9, 2009

Contingency, you just produced the best name/avatar/post combo I have ever seen :golfclap: Have I said this before about one of your posts? Feels familiar. Anyway.

jwh posted:

The short answer is yes, but the longer, and better answer is no

You should spring for a palo alto box, in my opinion.

Seconding this. I was in the middle of evaluating Palo Alto when I left my last job, and their poo poo is awesome. It was on the higher end of the price spectrum, but put it up against Cisco and it will look pretty great especially considering what you get for the money.

And for the love of god, please try to get management support for taking away local admin. Surely (right? :smithicide:) if you're talking several hundred users most of them are not special VP or C-level snowflakes that "need" local admin and unrestricted access to Pirate Bay to do their jobs.

Count Thrashula
Jun 1, 2003

Death is nothing compared to vindication.
Buglord

Herv posted:

Sorry if I missed it, but did you set the ports back to access mode, set them for vlan 1, then turn them back to trunks?

No clue why one is white knuckling vlan 5, but that's what usually fixed native vlan mismatches for me. Lotta work for the untagged frames there. ;)

I'll try that when I get back to work on Tuesday.

It's just so weird.

dotster
Aug 28, 2013

Contingency posted:

Here's the deal:
My company doubled in size about 18 months ago. Veteran staff hired underlings to help shoulder their workload without consideration of the big picture (at some point you should hire a Windows admin with a solid grasp of Group Policy). Stuff barely tolerable in a 50 employee company (leaving it up to users to install AV software, wide open shared folders) is an administrative nightmare with several hundred users. I'm a network guy; I can't fix our domain admins, but if I get first line support some breathing room, they will eventually grow into the desktop admin role my server admins won't fill. Spam filter was updated for the first time in years. Centralized AV broke at some point but will soon make a return. We're turning things around.

The company's shortcomings are outside my area of responsibility, but I'm evaluating what I can do on the network side. I have the time to babysit another device. Given the risk of false positives, I would be content with IDS mode, but my question has to do with Cisco IPS effectiveness. Does it do a good job of identifying compromised machines that AV doesn't catch (flagging botnet participants via traffic analysis)? Does it catch exploit code being downloaded from a site? How well does it handle obfuscated Javascript? I can read bullet point features on a white paper, but that's not the same as knowing whether it does something well.

From a safe-to-deploy standpoint the Cisco IPS is not bad: if you use the default sig set and have it drop traffic with a threat rating over 90 (you could start with 95-99 to be safe on first deploy) you will have very low to zero false positives from outside to inside. The coverage is not as good as Sourcefire (they are the best IPS out there) and Sourcefire does a better job mapping and learning your network to help you deploy. If you are already a Cisco shop and you need to deploy IPS I would go with one of these, probably Sourcefire if it were me.

If you don't really need IPS, meaning you lack an audit or compliance requirement like HIPAA, PCI, or something similar, then I would look at an application firewall. The Palo Alto box is nice but functionally you can do most of the same thing with an ASA with integrated IPS; that is what PA is but it just does a better job of integrating the two. The Sourcefire app firewall is nice as well. Like before, if you are a Cisco shop with an ASA I would use integrated IPS; if it is greenfield I would add Sourcefire. If you aren't a Cisco shop then I would eval the Sourcefire and PA app firewall stuff.

jwh
Jun 12, 2002

abigserve posted:

JWH, how long have you had PA's in your prod environment?

At my last job I brought Palo Altos in in 2008, I think. We were a fairly early adopter; at the time, Palo Alto had less than 500 enterprise customers.

We were looking for an IPS initially, but then we evaluated the boxes and decided to use them as a direct successor to our IPS (Proventia), firewall (Checkpoint on IPSO), and URL filtering (Surfcontrol) boxes. We initially brought in four 4020s in two HA pairs and an additional PA2050 as a lab box.

Back then, the boxes were shipping with 2.x PAN-OS, and 3.0 was just beginning to come out to customers. I worked with the boxes through 4.1 PAN-OS before I left the company in 2012.

I like working with them very much. I had some issues, particularly in the 3.x days, mostly to do with failed heartbeats to the dataplane, and a disastrous upgrade / downgrade scenario that corrupted our configurations (3.1 to 4.0, back to 3.1).

But aside from those issues (which were bad, don't get me wrong), they were great boxes. In fact, after I left the company, they upgraded to 5.x and replaced the 4020s with 5020s. I hear they've been problem free ever since.

Today, I'm working on bringing in four 3050s and two PA500s to my current workplace as replacements for a handful of linux boxes and ASAs.

I think they're great boxes, particularly when compared to other UTM platforms. They're the closest thing to what I had really wanted back when I was working with Checkpoint running on Solaris machines, back in 2001.

If you have any specific questions about the platform, just ask away.

jwh
Jun 12, 2002

I should also mention, one of the nicest things about the Palo Altos is that you get a whole mess of ports, and can use them in any combination of vwire, layer-2, layer-3, or tap configurations, simultaneously.

That was a real benefit during our implementation, because it meant we could build policies and test them without having to position the box as a layer-3 component.

Later on, we actually ended up keeping the vwires and tap interfaces to provide more visibility to specific areas of the network where we couldn't, or didn't want, to have the boxes assume routing for those networks.

They're very flexible boxes.

By comparison, the ASA has a very vestigial approach to things, no doubt the result of that product's history and lineage. I spend most of my time with the ASA saying, "why can't I do this?". The answer is usually, "well, because that's how things were back in 1999."

For example, no client VPN when running multiple context mode (unless they've finally figured that one out), no concept of tap interfaces, no application criteria in the rulebase (unless CX does this), no tunnels as logical interfaces, no secondary addressing on interfaces, the logging makes my mind melt, etc.

I actually like Checkpoint more than I like the ASAs, and that's really saying something.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR

falz posted:

Some fixed Cisco switches such as 3560 simply don't report unicast traffic on SVIs, just broadcast traffic.

Edit: it's that it won't show hardware-switched packets, which are the ones you care about.

http://puck.nether.net/pipermail/cisco-nsp/2005-March/018406.html

Thanks! That was what I had come up with.

Can anyone confirm whether or not this will be the case on a 4500x?

dotster posted:

You should be able to get traffic stats with netflow on 3750/3560-X for switched ports.

Never used NetFlow but we have various NetFlow options in PRTG. Version 5 and 9, and custom of each. Dunno differences or the importance of the Custom designation. Last I looked at NetFlow it gave some options I wasn't familiar with. I'll take a look this weekend and post what I find here.

Zuhzuhzombie!! fucked around with this message at 03:35 on Sep 1, 2013

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR
ed double

DeNofa
Aug 25, 2009

WILL AMOUNT TO NOTHING IN LIFE.

Zuhzuhzombie!! posted:

Thanks! That was what I had come up with.

Can anyone confirm whether or not this will be the case on a 4500x?

I can't confirm right now but Netflow should still show out inbound packets? It's just the locally generated traffic it has problems with for the most part.

madsushi
Apr 19, 2009

Baller.
#essereFerrari
I have also been running PAs in production for years; they're amazing. If only they would do DDNS, they would be perfect. I actually use a PA VM-100 as my home firewall, it's a ton of fun.

jwh
Jun 12, 2002

I'm looking for some help, or even just another set of eyes, on what's turned into a fairly difficult problem. I've caught some weird issues before, but this one is especially resilient.

Here's the setup: I have two circuits in my Boston Internap facility, both Internet transit feeds from Internap. I advertise a single /24, and we take only a default.

One circuit goes to Internap's "border7" router, the other to Internap's "border8" router.

I weight our border7 session and prepend (x3) our /24 to border8, in an attempt to get an active/passive scenario. There's an IPS in line which wants to see bidir flows, so this is an attempt to facilitate that.

Now, everything was working just fine for months, but late last week we noticed that we lost reachability to our /24 over border7 from a handful of destinations. At first it looked like mostly international prefixes, but now we can't be sure. We do know that, at present, when we advertise our /24 via our circuit to border7, we have some very odd traceroutes.

Here's me, testing from South America, in Uruguay, tracerouting toward our /24 when we only advertise to Internap's border8:

code:
traceroute to 64.95.69.5 (64.95.69.5), 30 hops max, 40 byte packets
1  r200-40-234-65.su-static.anteldata.net.uy (200.40.234.65)  0.891 ms 0.991 ms  1.261 ms
2  r200-2-33-170.ir-static.anteldata.net.uy (200.2.33.170)  2.182 ms 2.474 ms  2.466 ms
3  * * *
4  iag2agu1-1-2-1603.antel.net.uy (200.40.177.25)  0.718 ms  0.700 ms 0.809 ms
5  ibb2agu1-7-1.antel.net.uy (200.40.18.225)  0.761 ms  0.753 ms  0.731 ms
6  ibr2nap3-0-2-1-0.antel.net.uy (200.40.16.174)  147.456 ms  146.940 ms 147.476 ms
7  xe-10-3-0.mia10.ip4.tinet.net (216.221.158.61)  162.467 ms
176.52.252.93 (176.52.252.93)  138.135 ms xe-10-3-0.mia10.ip4.tinet.net
(216.221.158.61)  162.445 ms
8  xe-3-0-0.bos10.ip4.tinet.net (141.136.109.138)  172.600 ms  172.578 ms
172.520 ms
9  internap-gw.ip4.tinet.net (77.67.77.54)  176.616 ms
xe1-0-0-0-grtdaleq4.red.telefonica-wholesale.net (213.140.36.66)  170.336
ms 176.52.251.49 (176.52.251.49)  169.171 ms
10  border8.te12-1-bbnet1.bsn.pnap.net (63.251.128.13)  367.665 ms
border8.te13-1-bbnet2.bsn.pnap.net (63.251.128.77)  370.354 ms
border8.te12-1-bbnet1.bsn.pnap.net (63.251.128.13)  367.860 ms
11  3cinter-2.border8.bsn.pnap.net (66.151.237.22)  178.739 ms
be2031.ccr21.dfw01.atlas.cogentco.com (154.54.7.45)  171.407 ms  170.161 ms
12  be2141.mpd22.mci01.atlas.cogentco.com (154.54.5.157)  182.433 ms
vpn.bos.3cinteractive.com (64.95.69.5)  175.468 ms  175.502 ms
I would love to know why we're seeing cogent hops at 11 and 12, but that's a mystery.

Anyway, here's a traceroute when we advertise our /24 to border7, no prepending:

code:
traceroute to 64.95.69.5 (64.95.69.5), 30 hops max, 40 byte packets
1  r200-40-234-65.su-static.anteldata.net.uy (200.40.234.65)  0.878 ms
0.979 ms  1.277 ms
2  r200-2-33-170.ir-static.anteldata.net.uy (200.2.33.170)  1.489 ms
1.900 ms  2.246 ms
3  asr3agu1-3-2-1-1603.agg.antel.net.uy (200.40.177.26)  1.011 ms  1.105
ms  1.088 ms
4  iag2agu1-1-2-1603.antel.net.uy (200.40.177.25)  0.719 ms  0.696 ms
0.788 ms
5  ibb2agu1-7-1.antel.net.uy (200.40.18.225)  0.770 ms  0.750 ms  0.720 ms
6  ibr2nap3-0-2-1-0.antel.net.uy (200.40.16.174)  149.301 ms  146.562 ms
146.603 ms
7  176.52.252.93 (176.52.252.93)  138.172 ms  138.162 ms
xe-10-3-0.mia10.ip4.tinet.net (216.221.158.61)  162.738 ms
8  Xe15-1-0-0-grtmiabr3.red.telefonica-wholesale.net (94.142.122.250)
169.623 ms Te0-5-0-6-grtmiabr6.red.telefonica-wholesale.net
(94.142.122.254)  141.317 ms xe-3-0-0.bos10.ip4.tinet.net
(141.136.109.138)  172.643 ms
9  Xe10-0-0-0-grtwaseq5.red.telefonica-wholesale.net (84.16.14.197)
172.795 ms internap-gw.ip4.tinet.net (77.67.77.54)  176.542 ms  176.517 ms
10  border7.po1-bbnet1.bsn.pnap.net (63.251.128.12)  174.108 ms  174.047 ms  (213.140.55.30)  180.451 ms
11  Xe3-0-0-0-grtwaseq4.red.telefonica-wholesale.net (94.142.122.194) 166.828 ms * 
      207.88.14.170.ptr.us.xo.net (207.88.14.170)  172.491 ms
12  * * *
13  * border7.po1-bbnet1.bsn.pnap.net (63.251.128.12)  179.690 ms  171.012 ms
14  * * be2140.ccr22.bos01.atlas.cogentco.com (154.54.43.186)  236.456 ms
15  * te4-2.ccr01.bos06.atlas.cogentco.com (66.28.4.254)  287.656 ms *
16  * 38.104.252.70 (38.104.252.70)  193.920 ms *
17  border7.po2-bbnet2.bsn.pnap.net (63.251.128.76)  194.267 ms *
border7.po2-bbnet2.bsn.pnap.net (63.251.128.76)  194.053 ms
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
Notice how fundamentally bizarre this looks: border7 in Internap's network and then to XO and telefonica, then a handful of hops in cogent's network, back to Internap, and then dying.

I've checked the /24 as it appears to cogent's looking glass, and aside from the prepends on the advertisement we make to border8, they're identical.

I'm stumped.
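
The two things that make the border7 trace above look wrong, the same Internap border7 address answering at more than one hop and the path dying in timeouts after hop 17, can be pulled out mechanically. This is an added example, not code from the post: it parses the traceroute output in the format shown (including lines wrapped both with and without indentation) and reports revisited addresses, silent hops, and whether the target answered. The sample is hops 9 to 20 of jwh's border7 trace as posted.

```python
import re

# Constructed sample: hops 9-20 of the border7 traceroute as posted, including the
# continuation lines the mail client wrapped with and without indentation.
TRACEROUTE_BORDER7 = """\
traceroute to 64.95.69.5 (64.95.69.5), 30 hops max, 40 byte packets
 9  Xe10-0-0-0-grtwaseq5.red.telefonica-wholesale.net (84.16.14.197)
172.795 ms internap-gw.ip4.tinet.net (77.67.77.54)  176.542 ms  176.517 ms
10  border7.po1-bbnet1.bsn.pnap.net (63.251.128.12)  174.108 ms  174.047 ms  (213.140.55.30)  180.451 ms
11  Xe3-0-0-0-grtwaseq4.red.telefonica-wholesale.net (94.142.122.194) 166.828 ms *
      207.88.14.170.ptr.us.xo.net (207.88.14.170)  172.491 ms
12  * * *
13  * border7.po1-bbnet1.bsn.pnap.net (63.251.128.12)  179.690 ms  171.012 ms
14  * * be2140.ccr22.bos01.atlas.cogentco.com (154.54.43.186)  236.456 ms
15  * te4-2.ccr01.bos06.atlas.cogentco.com (66.28.4.254)  287.656 ms *
16  * 38.104.252.70 (38.104.252.70)  193.920 ms *
17  border7.po2-bbnet2.bsn.pnap.net (63.251.128.76)  194.267 ms *
border7.po2-bbnet2.bsn.pnap.net (63.251.128.76)  194.053 ms
18  * * *
19  * * *
20  * * *
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+")   # a hop line starts with its number followed by whitespace
IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")   # every responder address is printed in parentheses
DEST_RE = re.compile(r"^traceroute to \S+ \((\d{1,3}(?:\.\d{1,3}){3})\)")

def parse_traceroute(text):
    """Return (destination, {hop: {"ips": [...], "timeouts": n}}), folding wrapped lines into their hop."""
    dest, hops, current = None, {}, None
    for line in text.splitlines():
        m = DEST_RE.match(line)
        if m:
            dest = m.group(1)
            continue
        m = HOP_RE.match(line)
        if m:
            current = int(m.group(1))
            hops[current] = {"ips": [], "timeouts": 0}
            line = line[m.end():]
        elif current is None:
            continue   # text before the first hop line
        # A wrapped RTT line ("172.795 ms ...") does not match HOP_RE because the
        # digits are followed by a dot, so it lands on the hop currently being read.
        hops[current]["ips"].extend(IP_RE.findall(line))
        hops[current]["timeouts"] += line.count("*")
    return dest, hops

def analyze_path(dest, hops):
    """Flag addresses seen at more than one hop, silent hops, and whether the target answered."""
    seen = {}
    for hop in sorted(hops):
        for ip in sorted(set(hops[hop]["ips"])):
            seen.setdefault(ip, []).append(hop)
    responding = [h for h in sorted(hops) if hops[h]["ips"]]
    return {
        "revisits": {ip: h for ip, h in seen.items() if len(h) > 1},
        "silent_hops": [h for h in sorted(hops) if not hops[h]["ips"]],
        "last_responding_hop": responding[-1] if responding else None,
        "reached": any(dest in hops[h]["ips"] for h in hops),
    }

if __name__ == "__main__":
    dest, hops = parse_traceroute(TRACEROUTE_BORDER7)
    report = analyze_path(dest, hops)
    for ip, at in report["revisits"].items():
        print(f"{ip} answered at hops {at}: the path passed through it more than once")
    print(f"last responding hop {report['last_responding_hop']}, target reached: {report['reached']}")
```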

tortilla_chip
Jun 13, 2007

k-partite
Why not use communities to adjust the local pref on the Internap side?

jwh
Jun 12, 2002

We could try, but I don't think it's an issue of localpref on Internap's side, it's the fact that anything toward our /24 that hits border7 seems to scatter off into space, apparently.

I just find it really, really weird. We thought about advertising the /24 to border7 with a community to prevent readvertisement to Cogent, but haven't had a window to do it.

tortilla_chip
Jun 13, 2007

k-partite
http://onesc.net/communities/as6993/Internap-Customer-Guide-1.3.pdf

Prepending to achieve traffic sharing can result in all sorts of weirdness. I'd take a look at the bottom of page 4.

jwh
Jun 12, 2002

It's sort of odd though that the only advertisement that seems to work for us is the x3 prepended advertisement to border8, as opposed to the non-prepended advertisement to border7.

Thanks for the doc, though, I'll check it out.


inignot
Sep 1, 2003

WWBCD?
Internap has a list of communities you can use that equate to local prefs used by their upstream peers.

edit: Ah yes, that's what that pdf was.
