jwh
Jun 12, 2002

Be careful with layer seven health checks: it's not uncommon for them to drive more load to your platform than regular user activity.

Which is funny.

ruro
Apr 30, 2003

jwh posted:

Be careful with layer seven health checks: it's not uncommon for them to drive more load to your platform than regular user activity.

Which is funny.
It's funny if you run them as often as you'd run a ping probe :)

jwh
Jun 12, 2002

ruro posted:

It's funny if you run them as often as you'd run a ping probe :)

I've worked in several environments where management had wanted subsecond failover of real servers in a pool, based on failed transactions to the platform that included backend components.

I don't recommend it.

Also, this leads me to an important piece of experience that I've learned in my career, maybe the most important: never, ever, throw a jump ball to management.

Do not, for example, say, "how quickly do we need to failover?" Say, instead, "we can detect failover at one second, two seconds, or five seconds. What would you like to do?" It's the illusion of choice that satisfies their need to manage, and it gets you out of the problem of having to live with their bad (and open ended) decisions.

Docjowles
Apr 9, 2009

ragzilla posted:

Can you expand on your issues with the C servers? We're looking at adding some for local storage applications.

The biggie was some fuckery with the RAID controllers. I wasn't the main guy working on this but if you really want I can ask the guy who was and get you explicit details. But basically you'd provision the box in UCS manager with a RAID config and everything would boot up fine. Then sometimes the disk IO performance would go to poo poo despite the management software not showing any alerts or issues. Reboot box, suddenly the RAID config is gone along with everything on the disks and you get to start over :haw: This persisted across a bunch of hardware swaps.

The C series boxes are in production now so I assume that's been resolved (since they're acting as database servers, not some stateless throwaway box) but like I said I wasn't personally handling that issue.

ate shit on live tv
Feb 15, 2004

jwh posted:

I've worked in several environments where management had wanted subsecond failover of real servers in a pool, based on failed transactions to the platform that included backend components.

I don't recommend it.

Also, this leads me to an important piece of experience that I've learned in my career, maybe the most important: never, ever, throw a jump ball to management.

Do not, for example, say, "how quickly do we need to failover?" Say, instead, "we can detect failover at one second, two seconds, or five seconds. What would you like to do?" It's the illusion of choice that satisfies their need to manage, and it gets you out of the problem of having to live with their bad (and open ended) decisions.

Also don't be afraid to say "No" to unreasonable, or unrealistic demands.

Confused_Donkey
Mar 16, 2003
Picked up a pair of 6509-E's equipped with dual WS-SUP720-3B Supervisors. Been trying to find a compatibility matrix for IOS versions (i.e., supported). I've seen one in the past but for the life of me cannot find it. If anyone could toss a link my direction I would greatly appreciate it!

ruro
Apr 30, 2003

jwh posted:

I've worked in several environments where management had wanted subsecond failover of real servers in a pool, based on failed transactions to the platform that included backend components.

I don't recommend it.
Hah. We have a few apps where it was required, but they were happy enough with 30-second failover as they understood the potential problems.

falz
Jan 29, 2005

Confused_Donkey posted:

Picked up a pair of 6509-E's equipped with dual WS-SUP720-3B Supervisors. Been trying to find a compatibility matrix for IOS versions (i.e., supported). I've seen one in the past but for the life of me cannot find it. If anyone could toss a link my direction I would greatly appreciate it!

Google Cisco Feature Navigator. When in it, search by platform and choose that supervisor. It will show the IOS versions compatible with that sup, and you can compare features between different versions.

evol262
Nov 30, 2010

Docjowles posted:

Yeah it's not a networking product per se, though it has a networking component. It's basically compute + networking + storage in a box, designed to scale out massively but be centrally managed from one interface. My company's starting to roll them out in a limited fashion. The B-series are a blade chassis, and the C-series are a traditional rack mount form factor.

FWIW we have had no loving end of problems with the C series but the B's have been great.

Don't forget to tape across the front of the chassis for the Bs. Only half joking. They used to vibrate themselves out, and I don't know if it's still a problem, but better safe than sorry.

Filthy Lucre
Feb 27, 2006
Can someone help me figure out why the gently caress my route-map ROUTE_MAP_FROM_HURRICANE isn't working?
pre:
#show run | i neighbor 184.105.249.5
 neighbor 184.105.249.5 remote-as 6939
 neighbor 184.105.249.5 description Hurricane Electric eBGP Session
 neighbor 184.105.249.5 update-source GigabitEthernet0/0/7.1127
 neighbor 184.105.249.5 version 4
 neighbor 184.105.249.5 next-hop-self
 neighbor 184.105.249.5 route-map ROUTE_MAP_FROM_HURRICANE in
 neighbor 184.105.249.5 route-map ROUTE_MAP_TO_HURRICANE out
 
#show run | b route-map ROUTE_MAP_FROM_HURRICANE permit
route-map ROUTE_MAP_FROM_HURRICANE permit 10
 match ip address prefix-list PREFIX_LIST_AS6939
 set local-preference 150
 set weight 100

#show run | i ip prefix-list PREFIX_LIST_AS6939
ip prefix-list PREFIX_LIST_AS6939 seq 10 permit 1.0.20.0/23

#show ip bgp 1.0.20.0
BGP routing table entry for 1.0.20.0/23, version 2957089
Paths: (2 available, best #1, table default)
Multipath: eBGP iBGP
  Advertised to update-groups:
     4
  Refresh Epoch 1
  174 2914 2519, (received & used)
    38.104.102.10 (metric 2) from 24.36.32.66 (24.36.32.66)
      Origin IGP, metric 51061, localpref 100, valid, internal, best
  Refresh Epoch 1
  6939 2519, (received-only)
    184.105.249.5 from 184.105.249.5 (216.218.252.168)
      Origin IGP, localpref 100, valid, external
184.105.249.5 is my upstream connection to Hurricane Electric on this router.
38.104.102.10 is my upstream connection to Cogent from one of my other routers (24.36.32.66).

I've stripped down the route-map and the prefix-list trying to get it to work. I can't figure out why it's not setting the local pref for 1.0.20.0/23 to 150.

H.R. Paperstacks
May 1, 2006

Filthy Lucre posted:

Can someone help me figure out why the gently caress my route-map ROUTE_MAP_FROM_HURRICANE isn't working?
pre:
#show run | i neighbor 184.105.249.5
 neighbor 184.105.249.5 remote-as 6939
 neighbor 184.105.249.5 description Hurricane Electric eBGP Session
 neighbor 184.105.249.5 update-source GigabitEthernet0/0/7.1127
 neighbor 184.105.249.5 version 4
 neighbor 184.105.249.5 next-hop-self
 neighbor 184.105.249.5 route-map ROUTE_MAP_FROM_HURRICANE in
 neighbor 184.105.249.5 route-map ROUTE_MAP_TO_HURRICANE out
 
#show run | b route-map ROUTE_MAP_FROM_HURRICANE permit
route-map ROUTE_MAP_FROM_HURRICANE permit 10
 match ip address prefix-list PREFIX_LIST_AS6939
 set local-preference 150
 set weight 100

#show run | i ip prefix-list PREFIX_LIST_AS6939
ip prefix-list PREFIX_LIST_AS6939 seq 10 permit 1.0.20.0/23

#show ip bgp 1.0.20.0
BGP routing table entry for 1.0.20.0/23, version 2957089
Paths: (2 available, best #1, table default)
Multipath: eBGP iBGP
  Advertised to update-groups:
     4
  Refresh Epoch 1
  174 2914 2519, (received & used)
    38.104.102.10 (metric 2) from 24.36.32.66 (24.36.32.66)
      Origin IGP, metric 51061, localpref 100, valid, internal, best
  Refresh Epoch 1
  6939 2519, (received-only)
    184.105.249.5 from 184.105.249.5 (216.218.252.168)
      Origin IGP, localpref 100, valid, external
184.105.249.5 is my upstream connection to Hurricane Electric on this router.
38.104.102.10 is my upstream connection to Cogent from one of my other routers (24.36.32.66).

I've stripped down the route-map and the prefix-list trying to get it to work. I can't figure out why it's not setting the local pref for 1.0.20.0/23 to 150.

nvm

H.R. Paperstacks fucked around with this message at 17:49 on Sep 13, 2013

Agrikk
Oct 17, 2003

jwh posted:

Be careful with layer seven health checks: it's not uncommon for them to drive more load to your platform than regular user activity.

Which is funny.

I'm with you on this. The URL landing page for each of the seven applications is basically a poke of the back end database (I think it just calls getdate() or something similarly lightweight) to indicate that the URL is working and the database is responsive.

The original call was for a join statement to test the availability of a few tables, but that was quickly shot down as being too heavy a transaction for a probe...

Docjowles
Apr 9, 2009

Agrikk posted:

The original call was for a join statement to test the availability of a few tables, but that was quickly shot down as being too heavy a transaction for a probe...

At one point we noticed that our monitoring software was running a non-trivial query against the production DB many thousands of times per day, despite being configured to run every 5 minutes or something. Turned out collectd had a bug where the setting to specify how often to poll just didn't work and defaulted to every 10 seconds :haw: That was a fun discovery.
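Added example (not from the thread or from collectd): a small Python audit that takes constructed DB query-log lines, measures how often each monitoring host actually hits the database, and flags hosts polling far more often than their configured interval, which is how both jwh's "health checks out-load the users" warning and the collectd-defaults-to-10-seconds story above would show up in the logs. The log format, hostnames, queries and the function names (parse_log, observed_interval, audit_probe_rates) are all made up for the example.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample of a database query log (format, hosts and queries are made up for this example).
# mon01 is the monitoring box: configured for every 5 minutes, actually firing a join every 10 seconds.
# lb01 is a load balancer health check doing the lightweight getdate() probe every 5 minutes.
JOIN_PROBE = "SELECT COUNT(*) FROM orders o JOIN customers c ON c.id = o.customer_id"
LOG_LINES = [
    '2013-09-13 10:00:00 host=mon01 db=prod query="%s"' % JOIN_PROBE,
    '2013-09-13 10:00:10 host=mon01 db=prod query="%s"' % JOIN_PROBE,
    '2013-09-13 10:00:20 host=mon01 db=prod query="%s"' % JOIN_PROBE,
    '2013-09-13 10:00:30 host=mon01 db=prod query="%s"' % JOIN_PROBE,
    '2013-09-13 10:00:00 host=lb01 db=prod query="SELECT getdate()"',
    '2013-09-13 10:05:00 host=lb01 db=prod query="SELECT getdate()"',
    '2013-09-13 10:10:00 host=lb01 db=prod query="SELECT getdate()"',
]

LINE_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) host=(\S+) db=\S+ query="([^"]*)"')


def parse_log(lines):
    """Return a list of (timestamp, host, query) tuples; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events


def observed_interval(events, host):
    """Median gap in seconds between successive queries from `host`, or None with fewer than two."""
    stamps = sorted(ts for ts, h, _ in events if h == host)
    if len(stamps) < 2:
        return None
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
    return median(gaps)


def audit_probe_rates(events, configured):
    """configured maps host -> intended interval in seconds.

    Flags any host whose observed interval is less than half the configured one,
    and projects how many queries per day that actually works out to.
    """
    findings = []
    for host, want in configured.items():
        got = observed_interval(events, host)
        if got is None or got >= want / 2:
            continue
        findings.append({
            "host": host,
            "configured_s": want,
            "observed_s": got,
            "per_day": round(86400 / got),
        })
    return findings


if __name__ == "__main__":
    for f in audit_probe_rates(parse_log(LOG_LINES), {"mon01": 300, "lb01": 300}):
        print("%(host)s: configured every %(configured_s)ss, observed every %(observed_s)ss "
              "(~%(per_day)s queries/day)" % f)
```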

tortilla_chip
Jun 13, 2007

This won't have an immediate effect. Do a soft clear inbound on the HE peer.

Filthy Lucre
Feb 27, 2006
I've gone home for the day (been awake for 30+ hours at this point), but I've done several soft and a few hard clears. I'll grep the logs when I go back to the office for an exact count.

The issue is more of a personal challenge at this point. Traffic is coming in and going out, so people are getting their porn, it's just not necessarily the way I want it.

Confused_Donkey
Mar 16, 2003

falz posted:

Google Cisco Feature Navigator. When in it, search by platform and choose that supervisor. It will show the IOS versions compatible with that sup, and you can compare features between different versions.

I cannot believe I didn't see that when I searched. That helped me narrow it down, thanks!

dotster
Aug 28, 2013

Docjowles posted:

The biggie was some fuckery with the RAID controllers. I wasn't the main guy working on this but if you really want I can ask the guy who was and get you explicit details. But basically you'd provision the box in UCS manager with a RAID config and everything would boot up fine. Then sometimes the disk IO performance would go to poo poo despite the management software not showing any alerts or issues. Reboot box, suddenly the RAID config is gone along with everything on the disks and you get to start over :haw: This persisted across a bunch of hardware swaps.

The C series boxes are in production now so I assume that's been resolved (since they're acting as database servers, not some stateless throwaway box) but like I said I wasn't personally handling that issue.

What RAID controller were they running? I have run the mez card or PCI controllers but those are just LSI.

abigserve
Sep 13, 2009

Filthy Lucre posted:

I've gone home for the day (been awake for 30+ hours at this point), but I've done several soft and a few hard clears. I'll grep the logs when I go back to the office for an exact count.

The issue is more of a personal challenge at this point. Traffic is coming in and going out, so people are getting their porn, it's just not necessarily the way I want it.

You're filtering that route out from your eBGP neighbor somewhere, that's what "received-only" means, and this is probably why it's not modifying those attributes.
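To make the "received-only" flag easy to spot in this kind of output, here is an added Python example (not from the thread or from any vendor tool) that parses the show ip bgp paste from Filthy Lucre's post and reports whether the path from a given peer carries the local-preference an inbound route-map was supposed to set. The parser only handles learned paths in this IOS layout; the BgpPath class, the function names and the status strings are my own.

```python
import re
from dataclasses import dataclass

# Sample output: the "show ip bgp 1.0.20.0" paste from the thread.
SHOW_IP_BGP = """\
BGP routing table entry for 1.0.20.0/23, version 2957089
Paths: (2 available, best #1, table default)
Multipath: eBGP iBGP
  Advertised to update-groups:
     4
  Refresh Epoch 1
  174 2914 2519, (received & used)
    38.104.102.10 (metric 2) from 24.36.32.66 (24.36.32.66)
      Origin IGP, metric 51061, localpref 100, valid, internal, best
  Refresh Epoch 1
  6939 2519, (received-only)
    184.105.249.5 from 184.105.249.5 (216.218.252.168)
      Origin IGP, localpref 100, valid, external
"""


@dataclass
class BgpPath:
    as_path: list
    received_only: bool          # stored via soft-reconfiguration but denied by inbound policy
    next_hop: str = ""
    peer: str = ""
    localpref: int = 100
    best: bool = False


# Two-space indent: AS path followed by the received/used marker.
AS_PATH_RE = re.compile(r"^\s{2}((?:\d+\s)*\d+),\s*\((received[^)]*)\)")
# Four-space indent: next hop, optional IGP metric, and the peer the path came from.
NEXT_HOP_RE = re.compile(r"^\s{4}(\S+)(?: \(metric \d+\))? from (\S+) \(")
# Six-space indent: the attribute line with origin, localpref, best, etc.
ATTR_RE = re.compile(r"^\s{6}Origin")


def parse_show_ip_bgp(text):
    """Return one BgpPath per path block in the output."""
    paths, cur = [], None
    for line in text.splitlines():
        m = AS_PATH_RE.match(line)
        if m:
            cur = BgpPath(as_path=m.group(1).split(),
                          received_only="received-only" in m.group(2))
            paths.append(cur)
            continue
        if cur is None:
            continue
        m = NEXT_HOP_RE.match(line)
        if m:
            cur.next_hop, cur.peer = m.group(1), m.group(2)
            continue
        if ATTR_RE.match(line):
            lp = re.search(r"localpref (\d+)", line)
            if lp:
                cur.localpref = int(lp.group(1))
            cur.best = ", best" in line
    return paths


def check_inbound_policy(paths, peer, expected_localpref):
    """Status of the path learned from `peer` versus what the inbound route-map should have set."""
    for p in paths:
        if p.peer != peer:
            continue
        if p.received_only:
            # Inbound policy denied the path, so none of its set clauses were applied.
            return "denied-by-inbound-policy"
        if p.localpref != expected_localpref:
            return "localpref-mismatch"
        return "ok"
    return "no-path"


if __name__ == "__main__":
    found = parse_show_ip_bgp(SHOW_IP_BGP)
    print(check_inbound_policy(found, "184.105.249.5", 150))  # the HE peer from the thread
```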

ruro
Apr 30, 2003

My kingdom, such as it is, for anyone who can tell me how to configure ingress queuing on a WS-X6816-10T-2T line card using C3PL on a 6500/Sup2T running 15.0(1)SY1 advanced enterprise... :(

Docjowles
Apr 9, 2009

dotster posted:

What RAID controller were they running? I have run the mez card or PCI controllers but those are just LSI.

Looks like LSI MegaRAID 9265-8i.

The Third Man
Nov 5, 2005

I hope this isn't too general a question for this thread, but if I wanted to learn more about the different types of VPNs, where would be a good starting point? If it helps, I'm mostly interested in access VPNs and how they are implemented/their security.

Count Thrashula
Jun 1, 2003

The Third Man posted:

I hope this isn't too general a question for this thread, but if I wanted to learn more about the different types of VPNs, where would be a good starting point? If it helps, I'm mostly interested in access VPNs and how they are implemented/their security.

If you already have a networking background or a CCNA or something, I'd get some study books on the Cisco CCNA Security exam, they tackle those concepts.

But "VPN" is a pretty broad topic; that would obviously just deal with Cisco's implementations.

dotster
Aug 28, 2013

Docjowles posted:

Looks like LSI MegaRAID 9265-8i.

Huh, must have been some early BIOS and RAID card firmware bugs or something. I have had good luck with those and the 9266 cards; I have even done some testing with LSI CacheCade and been pretty pleased with it on a big SATA array. Anyway, sounds like they got it sorted.

Filthy Lucre
Feb 27, 2006
Follow-up on my BGP issues:

From my SSH logs, multiple BGP resets:
pre:
C:\PuttyLogs>grep -ic "clear ip bgp 184.105.249.5 soft" 24.36.32.66-20130913.log
10

C:\PuttyLogs>grep -ic "clear ip bgp 184.105.249.5$" 24.36.32.66-20130913.log
2
To make things weirder, no one has been in the router and the BGP session hasn't reset since I left on Friday, but the route-map is now applying properly.

I don't loving know.

Gap In The Tooth
Aug 16, 2004

Filthy Lucre posted:


To make things weirder, no one has been in the router and the BGP session hasn't reset since I left on Friday, but the route-map is now applying properly.

I don't loving know.

This happened to me the other day with an IPIP tunnel. Three days of it not working, then suddenly sh ip int br saying up/up on both ends with no config changes.

Count Thrashula
Jun 1, 2003

Can someone help summarize how multipoint frame relay works?

In GNS3, I have a frame relay switch set up like so (just an example)

Port 1: DLCI 102 -> DLCI 201
Port 2: DLCI 103 -> DLCI 301
Port 3: DLCI 104 -> DLCI 401

R1: s0/0.102 to port 1 on switch, s0/1.103 to port 2, s0/2.104 to port 3
R2: s0/0.201 to port 1 on switch
R3: s0/0.301 to port 2 on switch
R4: s0/0.401 to port 3 on switch

What do I need to make sure I do on the routers?

So far I've tried:

int s0/0
no ip address
no sh
enc frame-relay
!
int s0/0.102 multipoint
ip address 10.102.1.1 255.255.255.0
frame-relay map ip 10.102.1.1 102 broadcast
frame-relay interface-dlci 102

And the accompanying configurations for other ports/DLCIs. I'm dumb when it comes to frame relay apparently, maybe I'm just not understanding it correctly.

Gap In The Tooth
Aug 16, 2004
What does GNS3 use for LMI type? Make sure that is set correctly.

Your frame relay map command should have a remote IP (the other end of your circuit) and the local DLCI.

Badgerpoo
Oct 12, 2010
Having a strange issue with a bunch of wism2s I've inherited:

I have two 6509s with sup720 in a VSS pair. Each has 3 wism2 modules

code:
nnr0#show wism statu

Service Vlan : 604, Service IP Subnet : 172.17.120.250/255.255.255.0
      WLAN
Slot  Controller  Service IP       Management IP    SW Version    Controller Type    Status
----+-----------+----------------+----------------+------------+------------------+---------------
17    1           172.17.120.21    172.17.107.101   7.4.110.0    WS-SVC-WISM-2-K9   Oper-Up
18    1           172.17.120.36    172.17.107.103   7.4.110.0    WS-SVC-WISM-2-K9   Oper-Up
20    1           172.17.120.37    172.17.107.105   7.4.110.0    WS-SVC-WISM-2-K9   Oper-Up
33    1           172.17.120.39    172.17.107.102   7.4.110.0    WS-SVC-WISM-2-K9   Oper-Up
34    1           172.17.120.22    172.17.107.104   7.4.110.0    WS-SVC-WISM-2-K9   Oper-Up
36    1           172.17.120.20    172.17.107.106   7.4.110.0    WS-SVC-WISM-2-K9   Oper-Up
When I try to console in via the 6k it doesn't work. On the first five in the list above I get:
code:
nnr0#session switch 2 slot 1 processor 1 
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 172.17.120.39 ... 
% Connection refused by remote host
But on slot 36 I get:
code:
nnr0#session switch 2 slot 4 processor 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 172.17.120.20 ... 
% Connection timed out; remote host not responding
The physical consoles on the wisms themselves work, and the IP management works.

Any ideas why the internal console connection fails?

Count Thrashula
Jun 1, 2003

Gap In The Tooth posted:

Your frame relay map command should have a remote IP (the other end of your circuit) and the local DLCI.

Ohhhhh. Thanks, that's probably the issue.

H.R. Paperstacks
May 1, 2006

Anyone successfully using dummynet, WANEM, or something similar (open-source) for WAN simulation? We have a small lab at our local site here and we use it from time to time to test things rather than capitalizing the big lab at HQ. I'm looking to just have it simulate latency, etc., for a link between two routers. I am using a spare RHEL6 server with two dedicated NICs.

I've never personally used dummynet as I've always done this testing at the big lab. My limited googling hasn't turned up anything good, but my thought process was:

code:

RTR1-gi0/0--->eth0(dummynet/wanem)eth1---->RTR2-gi-0/0

And using dummynet/wanem to inject the latency and such, but everything I've found online has both dummynet/wanem interfaces having IP involved instead of just an L2 bridge. I guess I could set up multi-hop BGP between the routers and allow dummynet/wanem to route it as well. Ideally I'd like to be able to use sub-interfaces on the simulator box so I can keep a LAN management connection.

H.R. Paperstacks
May 1, 2006

routenull0 posted:

open-source wan simulation stuff

Scratch this, I spent some time today getting dummynet working like a champ inside of RHEL6.

Count Thrashula
Jun 1, 2003

I installed ACS 5.4 on an ESX server and can SSH to it just fine to set it up via CLI, but... I... have no "acs" commands?

I've looked through all the exec, show, and config commands, and there's not a single drat "acs" command in there anywhere. Is there something I need to do before I can start the web-server?

psydude
Apr 1, 2008

QPZIL posted:

I installed ACS 5.4 on an ESX server and can SSH to it just fine to set it up via CLI, but... I... have no "acs" commands?

I've looked through all the exec, show, and config commands, and there's not a single drat "acs" command in there anywhere. Is there something I need to do before I can start the web-server?

No. All administration is through the web GUI.

ruro
Apr 30, 2003

QPZIL posted:

I installed ACS 5.4 on an ESX server and can SSH to it just fine to set it up via CLI, but... I... have no "acs" commands?

I've looked through all the exec, show, and config commands, and there's not a single drat "acs" command in there anywhere. Is there something I need to do before I can start the web-server?
As long as you've configured the IP address, default gateway, NTP, etc., run "application start acs" and away you go via the web GUI.

Count Thrashula
Jun 1, 2003

ruro posted:

As long as you've configured the IP address, default gateway, NTP, etc., run "application start acs" and away you go via the web GUI.

I tried that, but "show application" doesn't show any listings. Does the ACS have to have an active internet connection? My assigned NTP connection doesn't actually connect, but I didn't think much of it.

edit-- I'm thinking maybe the "installing acs..." phase of the installation failed, based on not seeing any output from "show application."

Count Thrashula fucked around with this message at 13:54 on Sep 20, 2013

Flash z0rdon
Aug 11, 2013

routenull0 posted:

Anyone successfully using dummynet, WANEM, or something similar (open-source) for WAN simulation? We have a small lab at our local site here and we use it from time to time to test things rather than capitalizing the big lab at HQ. I'm looking to just have it simulate latency, etc., for a link between two routers. I am using a spare RHEL6 server with two dedicated NICs.

I've never personally used dummynet as I've always done this testing at the big lab. My limited googling hasn't turned up anything good, but my thought process was:

code:

RTR1-gi0/0--->eth0(dummynet/wanem)eth1---->RTR2-gi-0/0


We used netem on RHEL, and while it was somewhat of a performance hit throughput-wise, it gave us the delay we wanted.

Sepist
Dec 26, 2005

We used dummynet in the financial brokerage I used to work at; no one ever said it didn't do what it was supposed to. I don't have any first-hand experience with it though.

H.R. Paperstacks
May 1, 2006

Sepist posted:

We used dummynet in the financial brokerage I used to work at; no one ever said it didn't do what it was supposed to. I don't have any first-hand experience with it though.

Yeah I got it all working like a champ last week. It's been great for the minimal stuff we'll do locally. Anything heavy we do in the mirror lab at HQ.

Herv
Mar 24, 2005

I have a question about the Authentication Proxy feature. It's old and I was wondering if there was a newer system.

The auth challenge is not working in Chrome with default settings, IE/Safari and the like do work with it still.

Has there been a replacement to this feature?

I have a new partner/tunnel set. The data they are accessing is classified/sensitive exam content (e.g., exams you have heard of). The remote partner has a /16 and two /24's on their end of the tunnel, with a /24 on my end.

I like to use auth-proxy since I can create granular radius policies that can have specific users receive ACL entries based on their identity after a successful auth with their AD account on my end.

When a partner user auths, the radius server provides their ACL entries and they are applied to the ACL on the next hop interface once through the firewall. Then they have 8 hours till they have to re-auth. The auth-proxy is running on the vlan interface behind the firewall.

That way, while the tunnel is open to all their LANs they still have to auth to get through the deny all ACL (with their entries placed at the top to bypass it), and I have a record of who/what came through the tunnel for accounting purposes.

Anyone have a more recent suggestion? If not I have to make a custom HTML page that doesn't use whatever Chrome is blocking.

Thanks

Herv fucked around with this message at 04:54 on Sep 21, 2013

abigserve
Sep 13, 2009

So those new 6800 "instant access" switches from Cisco are basically like a window into the future of distribution -> access layer switching. Run 'em as fabric extenders of a 6880 distribution switch and boom, instead of managing 12 switches per building you manage... one. The technology isn't there yet (there are some hard limits about total port/switch counts), but give it 3-5 years and that'll be it.
