sudo rm -rf
Aug 2, 2011


$ mv fullcommunism.sh
/america
$ cd /america
$ ./fullcommunism.sh


Badgerpoo posted:

Are you looking for 1Gb or 10Gb edge ports? Do you want to stack?

1 GB, and I don't think stacking is a priority.

ragzilla
Sep 9, 2005
don't ask me, i only work here


adorai posted:

I don't have production experience, but we looked at them and got scared by the backplane speeds.

What scared you? The only issue I see is they won't do full line rate on every port @ 64b/pkt (that only gets up to ~128Gbps). It's a Sup-6E in a box. Just don't use the 8x10GE cards in the top slots, since each of those slots is only 40Gb to the fabric. Should be fine for IMIX applications.

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

ToG posted:

This isn't a strictly Cisco question but can you make ntp more tolerant of time difference for a switch. We enabled ntp on a few switches and now they're spewing snmp messages about the time changing a few times an hour. Our monitoring software throws an alarm for this but it's literally changes of sub second values.

I would think the fix here would be to adjust the alerting on the monitoring server. You want NTP to stay as close as possible, or you could look at suppressing the SNMP trap related to NTP drift.

Count Thrashula
Jun 1, 2003

Death is nothing compared to vindication.
Buglord

Erkenntnis posted:

1 GB, and I don't think stacking is a priority.

If you don't need stacking, I would go with the 3560x. 1gb speeds and you can still throw a 2-port 10gb NM in there if you really needed down the road.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR

Erkenntnis posted:

1 GB, and I don't think stacking is a priority.

3560 may be a good bet. More reasonably priced and has options for 10gig.


ed


beaten

Badgerpoo
Oct 12, 2010
I'd put the new 10G 3650s in, 3560X is old hat now.

CrazyLittle
Sep 11, 2001

Clapping Larry

ragzilla posted:

What scared you? The only issue I see is they won't do full line rate on every port @ 64b/pkt (that only gets up to ~128Gbps). It's a Sup-6E in a box. Just don't use the 8x10GE cards in the top slots, since each of those slots is only 40Gb to the fabric. Should be fine for IMIX applications.

Alright. That's an awesome tip ragzilla. Thanks for that. I'm not going to be pushing anything close to line rate through this (since it's a WAN link aggregation switch, and our total edge connectivity is far less than 100gbps). But knowing the backplane speed for the module slots is handy info for future reference. I'll probably just break those ports out into twin-gig fiber.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
We use those switches as part of our REP ring for venues, they seem solid.

inignot
Sep 1, 2003

WWBCD?

jwh posted:

I had used RiOS boxes before, supposedly for wan opt, but our users were pretty ambivalent about apparent improvement.

This most recent need for long term pcap retention came about as part of a 'security incident', so they're asking for long term forensic capabilities.

I'm sure we'll figure something out. I'm still of the mind that they don't actually need full frames written to disk for, say, 90 days, but then again, I just work here.

NetWitness for commercial, Moloch for open source / roll your own.

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

inignot posted:

NetWitness for commercial, Moloch for open source / roll your own.

NetWitness is garbage and does not handle the rates they claim at full pcap.



EDIT: On a related note, anyone here actually *at* Cisco? I'm looking for a contact to talk to about cheating on the CCIE R&S Lab exam.

Count Thrashula
Jun 1, 2003

Death is nothing compared to vindication.
Buglord

H.R. Paperstacks posted:

I'm looking for a contact to talk to about cheating on the CCIE R&S Lab exam.

Uh what? You're looking for a Cisco employee to help you cheat on the CCIE lab?

---

Is NAGIOS worth installing in a VM to play around with monitoring? At work we use SolarWinds, so that's the only real monitoring and logging platform I've messed around with.

BurgerQuest
Mar 17, 2009

by Jeffrey of YOSPOS

QPZIL posted:

Uh what? You're looking for a Cisco employee to help you cheat on the CCIE lab?

---

Is NAGIOS worth installing in a VM to play around with monitoring? At work we use SolarWinds, so that's the only real monitoring and logging platform I've messed around with.

I don't see why not if you're interested in it, it's pretty widespread. Solarwinds annoys me in having some functionality in the Web UI and then a lot of other stuff you need to run something that was produced in the win2k era. Otherwise it just works and is generally not a pain in my rear end.

Contingency
Jun 2, 2007

MURDERER

H.R. Paperstacks posted:

EDIT: On a related note, anyone here actually *at* Cisco? I'm looking for a contact to talk to about cheating on the CCIE R&S Lab exam.

Ior works at Cisco Norway, I believe.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR

QPZIL posted:

Uh what? You're looking for a Cisco employee to help you cheat on the CCIE lab?

---

Is NAGIOS worth installing in a VM to play around with monitoring? At work we use SolarWinds, so that's the only real monitoring and logging platform I've messed around with.

It's what we use. Functional. Pretty easy.

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue
No no, not me. I am looking for someone at Cisco I can talk to about someone else cheating for the CCIE Lab...

Full disclosure, there is a member of my team that is actively "studying" (read: cheating) for his CCIE written and lab, in hopes to certify by the end of the year. My hope was to put him on some radar of sorts at Cisco.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR
Why?

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

Why? Because cheating is cheating anyway you slice it..?

ate shit on live tv
Feb 15, 2004

by Azathoth
It's part of the race to the bottom as far as the value of certs goes. Sadly it seems unavoidable and widespread. There was some graph someone created about the length of time it took to get 10K CCIEs and it was less than half that time to get the next 20K. What's the number at now 40k?

ToG
Feb 17, 2007
Rory Gallagher Wannabe

H.R. Paperstacks posted:

I would think the fix here would be to adjust the alerting on the monitoring server. You want NTP to stay as close as possible, or you could look at suppressing the SNMP trap related to NTP drift.

It's HP's iMC software (formerly H3C) and I can't find a way to filter the traps based on the offset/NTP time. We obviously want to know if a device's time changes, just not every time it's adjusted by 0.2ms

Flash z0rdon
Aug 11, 2013

Anyone have any recommendations regarding control plane policing on a sup 720?

tortilla_chip
Jun 13, 2007

k-partite
Baseline for your environment. Start with liberal policies and then tighten. Read the C-NSP threads that are out there.

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

ToG posted:

It's HP's iMC software (formerly H3C) and I can't find a way to filter the traps based on the offset/NTP time. We obviously want to know if a device's time changes, just not every time it's adjusted by 0.2ms

Quick glance at Cisco IOS, it doesn't look like there is a trap configuration for NTP, so I am guessing these are not Cisco devices?

As I mentioned, you could look to suppress the SNMP traps, but I don't think you'll be able to suppress them based on time either; it will be an on/off option.

Count Thrashula
Jun 1, 2003

Death is nothing compared to vindication.
Buglord
Am I correct in understanding EtherChannel as just a logical interface ("PortChannel#") that represents a group of physical interfaces (e.g. "FastEthernet0/1 - 4"), so that it's easier to manage? Or is there more to it than that?

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

QPZIL posted:

Am I correct in understanding EtherChannel as just a logical interface ("PortChannel#") that represents a group of physical interfaces (e.g. "FastEthernet0/1 - 4"), so that it's easier to manage? Or is there more to it than that?

Not exactly; you are bonding links together to increase available throughput when you build a PortChannel/Etherchannel/Aggregate-Ethernet interface.

Count Thrashula
Jun 1, 2003

Death is nothing compared to vindication.
Buglord

H.R. Paperstacks posted:

Not exactly; you are bonding links together to increase available throughput when you build a PortChannel/Etherchannel/Aggregate-Ethernet interface.

Ah, so instead of STP blocking one of the links, both get used simultaneously to increase throughput? I get it. Thanks.

ate shit on live tv
Feb 15, 2004

by Azathoth
Make sure you are only connecting an etherchannel to one device and not like 4 different hosts or whatever. (there are exceptions to this, but to keep it easy). One interface per host. If you are connecting to a switch make sure the switch also has an ether-channel configured.

Flash z0rdon
Aug 11, 2013

tortilla_chip posted:

Baseline for your environment. Start with liberal policies and then tighten. Read the C-NSP threads that are out there.

anyone have anything more specific than this?

Thanks in advance.

tortilla_chip
Jun 13, 2007

k-partite
Do you have a more specific question? CoPP works, but it's definitely not a one size fits all solution.

ragzilla
Sep 9, 2005
don't ask me, i only work here


tortilla_chip posted:

Do you have a more specific question? CoPP works, but it's definitely not a one size fits all solution.

And it tends to need other features to ensure availability of the device under attack. Best place to start with CoPP/MLS rate-limit is to span your CPU for a week and see what traffic levels are ordinary.

ToG
Feb 17, 2007
Rory Gallagher Wannabe

H.R. Paperstacks posted:

Quick glance at Cisco IOS, it doesn't look like there is a trap configuration for NTP, so I am guessing these are not Cisco devices?

As I mentioned, you could look to suppress the SNMP traps, but I don't think you'll be able to suppress them based on time either, it will be an on/of option.

It's the hp gear shouting about this. There must be a way to adjust the traps on the device.

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

ToG posted:

It's the hp gear shouting about this. There must be a way to adjust the traps on the device.

What does the SNMP trap configuration of the HP ProCurve look like? It has been ages since I worked on one, but it was essentially a rip of IOS or very similar.

nzspambot
Mar 26, 2010

QPZIL posted:

Ah, so instead of STP blocking one of the links, both get used simultaneously to increase throughput? I get it. Thanks.

Be aware you may not see a 2x increase in speed.

You might also need to play around with the hashing algorithms as well.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
Etherchannel isn't really useful for one ip to one ip file transfers, since the hashing algorithm will always send it through the same pipe. One to many or many to many can utilize all pipes depending on the hashing.
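A small simulation of what nzspambot and Sepist describe, added here as an example and not from the thread. Flows are assigned to member links by a stand-in XOR hash, which is an assumption for illustration and not Cisco's actual algorithm (real hardware reduces the hash into eight buckets, so three, five, six or seven member links get an uneven share even for well-mixed traffic). The traffic sets are constructed. It shows one IP pair with sixteen TCP sessions landing on a single link under src-dst-ip hashing, spreading under a port-based hash, and many hosts spreading even under the IP hash.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# (src_ip, dst_ip, src_port, dst_port)
Flow = Tuple[str, str, int, int]


def _ip_low_bits(ip: str, bits: int = 8) -> int:
    return int(ipaddress.ip_address(ip)) & ((1 << bits) - 1)


def pick_link(flow: Flow, n_links: int, policy: str) -> int:
    """Assign a flow to a member link (0..n_links-1).

    Stand-in hash for illustration, an assumption and not Cisco's algorithm:
    XOR of the selected fields, reduced modulo the link count."""
    src, dst, sport, dport = flow
    if policy == "src-dst-ip":
        h = _ip_low_bits(src) ^ _ip_low_bits(dst)
    elif policy == "src-dst-port":
        h = sport ^ dport
    elif policy == "src-dst-mixed-ip-port":
        h = _ip_low_bits(src) ^ _ip_low_bits(dst) ^ sport ^ dport
    else:
        raise ValueError(f"unknown load-balance policy: {policy}")
    return h % n_links


def distribute(flows: List[Flow], n_links: int, policy: str) -> Dict[int, int]:
    """Flows per member link under the given policy."""
    counts = Counter(pick_link(f, n_links, policy) for f in flows)
    return {link: counts.get(link, 0) for link in range(n_links)}


def max_share(dist: Dict[int, int]) -> float:
    """Fraction of flows on the busiest link (1.0 means no balancing at all)."""
    total = sum(dist.values())
    return max(dist.values()) / total if total else 0.0


def single_pair_transfer(n_conns: int = 16) -> List[Flow]:
    """Constructed: one host pulling from one file server over many TCP sessions."""
    return [("10.1.1.10", "10.1.2.20", 40000 + i, 445) for i in range(n_conns)]


def many_to_many(n_hosts: int = 16) -> List[Flow]:
    """Constructed: sixteen clients each talking to two web servers."""
    return [
        (f"10.1.1.{i}", f"10.1.2.{srv}", 50000 + i, 80)
        for i in range(1, n_hosts + 1)
        for srv in (20, 21)
    ]


if __name__ == "__main__":
    for label, flows in (("one pair, 16 sessions", single_pair_transfer()),
                         ("16 hosts x 2 servers", many_to_many())):
        for policy in ("src-dst-ip", "src-dst-port"):
            dist = distribute(flows, 4, policy)
            print(f"{label:22} {policy:14} {dist}  busiest link {max_share(dist):.0%}")
```

The single-pair case is the one to remember: with the default IP-based hash every session between the same two addresses lands on the same member, so a four-link bundle gives that transfer one link's worth of bandwidth. Switching the hash to include ports helps only when the endpoints open multiple sessions; a single TCP stream is still confined to one member no matter what you hash on.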

ToG
Feb 17, 2007
Rory Gallagher Wannabe

H.R. Paperstacks posted:

What does the SNMP trap configuration of the HP ProCurve look like? It has been ages since I worked on one, but it was essentially a rip of IOS or very similar.

It's not ProCurve. They're 5500s, the old H3C-style switches. Not sure on configuration as I'm not an HP guy really.

Edit: I just filtered the alarms and added a policy compliance task to run the show ntp status equivalent command on all the devices and detect if the output doesn't say synchronised as the status.

ToG fucked around with this message at 13:02 on Oct 23, 2013
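A script version of the check ToG describes in the edit above, added here as an example and not part of the post or of HP iMC: it parses the IOS "show ntp status" and the Comware/H3C "display ntp-service status" output, alerts when a device reports itself unsynchronised or when the reported clock offset exceeds a threshold, and stays silent for the sub-millisecond corrections that were tripping the trap alarm. The sample outputs are constructed, the 50 ms threshold is an assumption, and the exact field layout varies by software release, so run the regexes against real output before trusting them.

```python
import re
from typing import Dict, List, Optional

# Constructed sample output (not captured from the poster's devices), in the
# two layouts this check has to understand: Cisco IOS "show ntp status" and
# Comware/H3C "display ntp-service status" as used on the HP 5500 family.
SAMPLE_OUTPUT: Dict[str, str] = {
    "ios-ok": (
        "Clock is synchronized, stratum 3, reference is 10.0.0.10\n"
        "nominal freq is 250.0000 Hz, actual freq is 249.9998 Hz, precision is 2**18\n"
        "reference time is D63B1E2C.1A2B3C4D (13:02:04.102 UTC Wed Oct 23 2013)\n"
        "clock offset is 0.2140 msec, root delay is 1.23 msec\n"
        "root dispersion is 8.41 msec, peer dispersion is 0.12 msec\n"
    ),
    "ios-unsynced": (
        "Clock is unsynchronized, stratum 16, no reference clock\n"
        "nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18\n"
        "reference time is 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)\n"
        "clock offset is 0.0000 msec, root delay is 0.00 msec\n"
    ),
    "h3c-ok": (
        " Clock status: synchronized\n"
        " Clock stratum: 3\n"
        " Reference clock ID: 10.0.0.10\n"
        " Clock offset: 0.2512 ms\n"
        " Root delay: 1.53 ms\n"
    ),
    "h3c-drifted": (
        " Clock status: synchronized\n"
        " Clock stratum: 4\n"
        " Reference clock ID: 10.0.0.10\n"
        " Clock offset: 120.5830 ms\n"
        " Root delay: 2.01 ms\n"
    ),
}

# "Clock is synchronized" / "Clock status: unsynchronized", either spelling.
STATUS_RE = re.compile(r"(?im)^\s*clock (?:is|status:)\s*(un)?synchroni[sz]ed")
STRATUM_RE = re.compile(r"(?i)\bstratum:?\s*(\d+)")
OFFSET_RE = re.compile(
    r"(?i)\bclock offset(?: is|:)\s*(-?\d+(?:\.\d+)?)\s*(msec|ms|sec|s)\b"
)


def parse_ntp_status(text: str) -> dict:
    """Extract sync state, stratum and clock offset (normalised to ms)."""
    status = STATUS_RE.search(text)
    stratum = STRATUM_RE.search(text)
    offset = OFFSET_RE.search(text)
    offset_ms: Optional[float] = None
    if offset:
        value, unit = float(offset.group(1)), offset.group(2).lower()
        offset_ms = value * 1000.0 if unit in ("sec", "s") else value
    return {
        "synced": bool(status) and status.group(1) is None,
        "stratum": int(stratum.group(1)) if stratum else None,
        "offset_ms": offset_ms,
    }


def evaluate(name: str, text: str, max_offset_ms: float = 50.0) -> List[str]:
    """Alert on loss of sync or on an offset beyond the threshold; the small
    corrections NTP applies all day are ignored. The 50 ms default is an
    assumption; pick what your environment (logs, Kerberos, certs) tolerates."""
    st = parse_ntp_status(text)
    alerts: List[str] = []
    if not st["synced"]:
        alerts.append(f"{name}: NTP not synchronised (stratum {st['stratum']})")
    elif st["offset_ms"] is not None and abs(st["offset_ms"]) > max_offset_ms:
        alerts.append(
            f"{name}: NTP offset {st['offset_ms']:.3f} ms exceeds {max_offset_ms} ms"
        )
    return alerts


def check_all(outputs: Dict[str, str], max_offset_ms: float = 50.0) -> List[str]:
    """Run the check over a {device: command output} map, e.g. collected over SSH."""
    alerts: List[str] = []
    for name, text in outputs.items():
        alerts.extend(evaluate(name, text, max_offset_ms))
    return alerts


if __name__ == "__main__":
    for line in check_all(SAMPLE_OUTPUT):
        print(line)
```

Polling the status this way rather than reacting to every trap also catches the failure the trap never reports: a device that silently stops syncing and drifts, which matters once you are correlating logs across boxes in an incident.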

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR
See what you guys think about this:

A switch with an SVI 500 with an IP on it. There's an interface on that switch trunked with only that VLAN. It is also in that vlan. /30 is advertised on router.


interface GigabitEthernet1/0/1
description test
switchport access vlan 500
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 500
switchport mode trunk


interface Vlan500
description test
ip address 192.168.1.1 255.255.255.252
end



That interface is cabled to a router with a subinterface with dot1q encapsulation. Now, if it has the other half of the /30 on it and the /30 advertised, I can ping across the link both ways no problem.

interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.500
encapsulation dot1Q 500
ip address 192.168.1.2 255.255.255.252



Now, what if I wanted to have FA 0/1 also carry traffic on vlan 500? Creating a subinterface and tagging it with dot1q 500 traffic does nothing. I assume the tag is getting stripped at the other interface. The Vlan-ID command creates a dot1q tag on fa0/1 but it doesn't work. I suspect that works in a different application anyway.

Basically I'd like to bridge the 500 vlan between the two interfaces, with the host on one end plugged into the fa0/0, svi 500, using one half of the IP, able to communicate with a device plugged into fa 0/1 using the other half of the /30.


I don't think it's possible but appealing to those who know better.

Jelmylicious
Dec 6, 2007
Buy Dr. Quack's miracle juice! Now with patented H-twenty!

Zuhzuhzombie!! posted:



interface GigabitEthernet1/0/1
description test
switchport access vlan 500
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 500
switchport mode trunk


interface Vlan500
description test
ip address 192.168.1.1 255.255.255.252
end

First off, the command switchport access vlan 500 does nothing here, since the port is a trunk. It clutters up your config, so please remove it.
Alternatively, if this won't ever carry more than one VLAN you could keep it as an access port.

It might be possible depending on the device. But, instead of a tired interface, you need a switchport:

interface range FastEthernet0/0 - 1
 no ip address
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 500

This should do the trick, if your device can support switchports

Jelmylicious fucked around with this message at 17:18 on Oct 24, 2013

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR
Thanks, and I thought that was the case, but having that interface as just a switchport I couldn't ping either side of the circuit from either device. Placed it as a trunk and was able to ping.

The device I'm working with is a 2800 router so no switchports.

Count Thrashula
Jun 1, 2003

Death is nothing compared to vindication.
Buglord
How were you planning on addressing the fa0/1 subnet?

And if you just have one device plugged into the router, why would you need a VLAN at all? If 192.168.1.1 addresses a packet to, say, 10.1.1.1, if it's in the routing table, it won't need any VLAN tag.

If you want to use a VLAN on the fa0/1 side of the router, you'd need to have a switch there and the device plugged into an access port on VLAN 500. And if you did that, you'd have to do the same subinterface setup on that side. Think of it like this,

Switchport: "Hey, f0/0! I've got a packet here for 10.1.1.100 from VLAN500!"
f0/0: "Cool, my bro f0/0.500 deals with VLAN500-tagged traffic, I'll pass it to him."
f0/0.500: "Hey a new packet! Okay it's from VLAN500... hm, nope, 10.1.1.100 isn't in my local VLAN500 subnet, I'll see if it's in the routing table. First, gotta strip off these tags!"

Here's where two things could happen,

f0/1: "Hey, the routing table told me there's a packet that needs to be delivered to 10.1.1.100 and that I (10.1.1.1) am the next hop! Awesome. Alright, I know 10.1.1.100 is directly connected, so off you go."

OR

f0/1.500: "Hey the routing table told me there's a packet that needs to be delivered to 10.1.1.100 and that I (10.1.1.1) am the next hop! Awesome. Alright, gonna send this to the switch tagged with VLAN500 so that it will broadcast only out of the ports it says are VLAN500 ports. Best of luck little packet!"


That's a little convoluted of an explanation, but the gist is this: f0/0 and f0/1 don't know anything about each other's VLAN tags. If you want to route VLAN500 through the router for whatever reason, you'll need a new VLAN500 subinterface with a new subnet.

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue
Out of force of habit, I always build router links as sub-ifs on the off chance I might need to carry another vlan to a different vrf / lsys.

Jelmylicious
Dec 6, 2007
Buy Dr. Quack's miracle juice! Now with patented H-twenty!

Zuhzuhzombie!! posted:

Thanks, and I thought that was the case, but having that interface as just a switchport I couldn't ping either side of the circuit from either device. Placed it as a trunk and was able to ping.

The device I'm working with is a 2800 router so no switchports.

Too bad. Is this a lab setup, or production? If it's a lab, I could give some funky suggestions.
What is the need for layer 2 connectivity between a switch and a host? Can't you just route to a second /30?
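The routed alternative Count Thrashula walks through and Jelmylicious suggests, added here as an example and not from the thread: instead of trying to bridge VLAN 500 across the 2800, each side of the router gets its own /30 and the router routes between them. The 192.168.1.4/30 addressing, the descriptions and the static route are assumptions. The dot1Q tag is only meaningful on the link it is sent on, so both subinterfaces can use tag 500 without any relation to each other; the host on fa0/1 has to tag its frames with 500 (or, if it cannot, put the address on the parent FastEthernet0/1 instead of a subinterface).

```cisco
! Added example, not the poster's configuration. fa0/1 addressing is assumed.
!
! Router (2800)
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.500
 description to switch SVI 500, 192.168.1.0/30
 encapsulation dot1Q 500
 ip address 192.168.1.2 255.255.255.252
!
interface FastEthernet0/1
 no ip address
!
interface FastEthernet0/1.500
 description to host, second /30, 192.168.1.4/30
 encapsulation dot1Q 500
 ip address 192.168.1.5 255.255.255.252
!
! Switch (the one carrying SVI 500 at 192.168.1.1): reach the far /30 via the router
ip routing
ip route 192.168.1.4 255.255.255.252 192.168.1.2
!
! Host on fa0/1: 192.168.1.6/30 on VLAN 500 (tagged), default gateway 192.168.1.5
```

With this in place the switch side and the host side are two layer 3 hops apart, which is what a router does anyway; what the original question wanted (one /30 shared across both router interfaces) needs layer 2 bridging, and the subinterface config on its own will never provide that because the tag is stripped the moment the frame enters fa0/0.500.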
