|
ragzilla posted: ANSI/TIA/EIA-568-B "Commercial Building Telecommunications Cabling Standard" lists both wiring configurations. T568B is the most prevalent for commercial installations, and was used by AT&T for the original Merlin phone systems.
I read the 2nd line as "T568B Residential Telecommunications Cabling Standards recommends T568A" and snickered.
less than three fucked around with this message at 03:36 on Apr 26, 2014 |
# ? Apr 26, 2014 03:33 |
|
|
Are there any good books you guys would recommend on OSPF that go beyond what the CCNP covers? Something similar to what this book does with BGP.
|
# ? Apr 27, 2014 07:19 |
|
This book is a decent read: http://www.amazon.com/OSPF-IS-IS-Choosing-Large-Scale-Networks/dp/0321168798
|
# ? Apr 27, 2014 20:30 |
|
We've got a pair of ASA 5520's at our hosting site that are set up in an HA failover configuration. Recently we've been having issues where webpages start loading extremely slowly for people outside, and while it's happening pings to the inside interface of the firewall start dropping or responding extremely slowly (for instance, normal pings from our LAN across to that interface are usually 2-3ms; when this starts happening we'll only get maybe half back, and those that make it are over 125ms). Memory seems fine, and traffic and connections don't seem especially high either. The units don't look like they're failing over at all during this time, so I don't think it's the HA configuration. What else can I check to try to figure out what's happening?
wyoak fucked around with this message at 22:08 on Apr 29, 2014 |
# ? Apr 29, 2014 22:03 |
|
What on earth am I doing wrong with a new rancid 3.0 install? My old 2.3.2 was working fine and I'm just trying to move it to a new server, but it refuses to recognize my routers as up. Example, from adding a new router to router.db: code:
|
# ? Apr 29, 2014 22:24 |
|
The announcement says to use ; instead of : http://www.shrubbery.net/pipermail/rancid-announce/2014-April/000017.html
|
# ? Apr 29, 2014 22:55 |
|
falz posted: The announcement says to use ; instead of :
Thanks, that was exactly it.
|
# ? Apr 29, 2014 23:04 |
|
wyoak posted: We've got a pair of ASA 5520's at our hosting site that are set up in an HA failover configuration. Recently we've been having issues where webpages start loading extremely slowly for people outside, and while it's happening pings to the inside interface of the firewall start dropping or responding extremely slowly (for instance, normal pings from our LAN across to that interface are usually 2-3ms; when this starts happening we'll only get maybe half back, and those that make it are over 125ms). Memory seems fine, and traffic and connections don't seem especially high either. The units don't look like they're failing over at all during this time, so I don't think it's the HA configuration. What else can I check to try to figure out what's happening?
Could be a lot of reasons. Check the connected devices and the ASA for interface errors, bursts, overruns, etc. What is the failover config? If it includes failover replication HTTP and you guys don't do massive HTTP file transfers, disable it. Check show fail hist, and show ver for uptime.
|
# ? Apr 30, 2014 00:30 |
|
Any good resources for IPv6? I'd like to go through the whole stack from IP -> Services (DNS, DHCP, etc) -> TCP/UDP I don't need to be an expert but I'd like to know the IPv6 specific basics since a lot of the principles are the same.
|
# ? Apr 30, 2014 16:36 |
|
Powercrazy posted: Any good resources for IPv6?
If you're the learn-by-doing type, Hurricane Electric's tunnelbroker.net and "certification program" provide both connectivity and a set of tasks to complete (e.g. set up an IPv6-enabled email server, IPv6 DNS glue), and they'll give you a free t-shirt if you do all the tasks. Also, this presentation covers most of the basics, and this one covers subnetting.
SamDabbers fucked around with this message at 18:02 on Apr 30, 2014 |
# ? Apr 30, 2014 16:59 |
|
Powercrazy posted: Any good resources for IPv6?
https://www.youtube.com/watch?v=cl4cEbPayek
http://www.ipspace.net/IPv6
https://www.nanog.org/archives/presentations
http://scientifichooligan.me/
|
# ? Apr 30, 2014 18:08 |
|
I keep a homegrown network status dashboard running on a 2nd screen by my desk, and over the last couple days I've noticed way more upstream bandwidth being used than usual. I have an ASA 5510 sitting at the border, but unfortunately I have a Barracuda web filter sitting between it and the rest of my network, so all of the bandwidth graphs on the ASA show the majority of the traffic coming from the web filter's IP, not the actual host IPs. I've tried setting up Netflow on the ASA but ran into the same "everything comes from one IP" issue. The Barracuda doesn't have any upstream bandwidth reporting as far as I can tell. I have a 3560 as my main router, but it doesn't support Netflow. Do I have any other options to increase my visibility?
|
# ? Apr 30, 2014 18:52 |
|
SPAN a port on the 3560 to a unix server and sniff w/ tcpdump.
|
# ? Apr 30, 2014 19:05 |
|
That, or change the Barracuda's operating mode from forward proxy to inline, which will preserve source addresses: https://techlib.barracuda.com/display/BWFV60/6160452 You get more flexibility out of inline mode.
|
# ? Apr 30, 2014 20:26 |
|
falz posted: SPAN a port on the 3560 to a unix server and sniff w/ tcpdump.
Richard Noggin posted: That, or change the Barracuda's operating mode from forward proxy to inline, which will preserve source addresses: https://techlib.barracuda.com/display/BWFV60/6160452 You get more flexibility out of inline mode.
|
# ? May 1, 2014 18:37 |
|
That sounds like a hybrid deployment and not a pure inline, but I'm not a Barracuda expert.
|
# ? May 1, 2014 18:43 |
|
OK, so I am seeing a very strange issue. I have a WS-C4948E-F (Cisco) switch, using it for pure out-of-band management. I have a /16 management network (let's say 10.10.x.x/16) that isn't routed in any way. I have a set of Cisco ASA 5585-X firewalls that I'm using for my edge. These all have their management port put into the management switch. They have IPs like 10.10.1.1, 10.10.2.1, 10.10.3.1, etc. I have a LogStash box (Ubuntu) at 10.10.3.10, and all of the firewalls are configured to send their syslogs to this IP. That all works fine (I think), I get tons of syslogs. I also have a Cisco 4500-X VSS stack that has its management port (Fast1) plugged into the management switch, with IP 10.10.6.25.
When I am running load tests on the firewalls, I see the management port of the 4500-X VSS stack handling a TON of packets in both directions. Upon further investigation (debug ip packet and some CEF debug), my 4500-X management port is receiving packets from the firewalls that are destined for 10.10.3.10 (the LogStash box). It then forwards them back out (as it should) to LogStash. Example log (received on 10.10.6.25):
*May 7 11:18:42.706: CEF-Debug: Packet from 10.10.1.1 (Fa1) to 10.10.3.10 (Fa1)
*May 7 11:18:42.706: CEF-Debug: Packet from 10.10.1.1 (Fa1) to 10.10.3.10 (Fa1)
*May 7 11:18:42.723: CEF-Debug: Packet from 10.10.1.1 (Fa1) to 10.10.3.10 (Fa1)
But WHY would my 4500-X management port ever see the traffic that's supposed to go between the firewalls and the LogStash box? They're all on a flat VLAN, but somehow my router's management port is receiving all this junk that's supposed to go to the LogStash box. A, B, and C are all plugged into the same switch/VLAN and on the same subnet. A sends data to B, but C receives it (and then forwards it on). I have checked all of the IP configs for logging, no duplicate MAC addresses, etc. It's even happening to all of the firewalls, so I don't think it's a bug with one.
My first thought is that the C4948E management switch is sending the data to the wrong place, but ARP and the mac forwarding tables all look accurate. Also, I don't see other traffic from the firewalls to other devices (SNMP, etc). Only traffic that's supposed to go to the syslog server. Any advice on what to look into or try?
Example ASA config:
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.10.1.1 255.255.0.0 standby 10.10.1.2
!
logging enable
logging timestamp
logging list Syslog_Alerts level notifications class auth
logging list Syslog_Alerts level notifications class config
logging list Syslog_Alerts level warnings class ha
logging list Syslog_Alerts level warnings class np
logging list Syslog_Alerts level warnings class sys
logging list Syslog_Alerts message 401001-401005
logging buffer-size 1030000
logging buffered informational
logging trap Syslog_Alerts
logging asdm warnings
logging host management 10.10.3.10
logging permit-hostdown
madsushi fucked around with this message at 04:52 on May 8, 2014 |
# ? May 8, 2014 01:47 |
|
madsushi posted: OK, so I am seeing a very strange issue.
What does your routing table look like on all 3 devices? Also what does your ifconfig/show int look like for all these devices?
ElCondemn fucked around with this message at 01:58 on May 8, 2014 |
# ? May 8, 2014 01:56 |
|
madsushi posted:
Double check this, it stinks of unknown unicast flooding. Can you SPAN the traffic that's going toward the 4500x stack and check the dmac?
|
# ? May 8, 2014 02:09 |
|
ragzilla posted: Double check this, it stinks of unknown unicast flooding. Can you SPAN the traffic that's going toward the 4500x stack and check the dmac?
This is my thought too, something is definitely not right with some ARP entry. Can you do a "show arp" on the ASA? The 4948 is not routing at all right? Also interested in routing statements on the ASA.
Fatal fucked around with this message at 02:20 on May 8, 2014 |
# ? May 8, 2014 02:13 |
|
ragzilla posted: Double check this, it stinks of unknown unicast flooding. Can you SPAN the traffic that's going toward the 4500x stack and check the dmac?
1) I can't SPAN the port at the moment (it's all in a datacenter a long way away) but I want to.
2) Here are the routing statements from the devices:
4500-X getting the traffic:
show ip route vrf mgmtVrf
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.0.0/16 is directly connected, FastEthernet1
L 10.10.6.25/32 is directly connected, FastEthernet1
Management switch:
show ip route
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.0.0/16 is directly connected, Vlan10
L 10.10.0.10/32 is directly connected, Vlan10 ## this is the switch's management IP (VLAN)
One of the ASAs:
show route
C 172.16.254.0 255.255.255.0 is directly connected, failover
S 10.0.0.0 255.0.0.0 [1/0] via 10.127.20.10, inside ## to our regular networks
C 10.127.20.0 255.255.255.0 is directly connected, inside
C 10.10.0.0 255.255.0.0 is directly connected, management
C 199.199.199.24 255.255.255.248 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 199.199.199.25, outside
The 4948 is not routing. All ports are simply "switchport access vlan 10" and then VLAN10 is "ip address 10.10.0.10 255.255.0.0" and "no ip redirects". We have some RADIUS set up but that's about it. The 4500-X is just a flat VSS stack that we use to terminate some HSRP connections (not routing).
ASA show arp:
management 10.10.3.10 - 0025.b507.0002 -- confirmed MAC of LogStash NIC
management 10.10.6.25 - b0fa.eb62.deff -- confirmed MAC of 4500-X Fast1
Management switch show arp:
Internet 10.10.3.10 - 0025.b507.002 ARPA Vlan10
Internet 10.10.6.25 - b0fa.eb62.deff ARPA Vlan10
I thought about unicast flooding, but we have other hosts connected to the management switch, and none of them see the flood of traffic. When we just do a quick "show int" on the management switch, we can see the surge of traffic to both the 4500-X interface and to the LogStash interface, but nothing major elsewhere.
|
# ? May 8, 2014 04:52 |
|
Maybe try enabling Netflow on it? I think that's supported on the 4500-X.
|
# ? May 8, 2014 08:47 |
|
ragzilla posted: Double check this, it stinks of unknown unicast flooding. Can you SPAN the traffic that's going toward the 4500x stack and check the dmac?
So, it looks like this was the issue. However, apparently it wasn't constant. The C4948E forwarding table was losing the MAC address for the LogStash server, and when it did, the traffic was getting flooded. I kept doing "show mac address-table | include 0002" on the management switch and saw it disappear, and then my "debug ip packet" on the 4500-X spiked up with the LogStash traffic. Our LogStash box runs Ubuntu and doesn't really talk to anything else. All of the incoming connections to it are UDP syslog, so the LogStash box itself never actually sent any traffic OUT, only received traffic. So the theory is that it was falling out of the FDB and then eventually getting put back in (on some long interval). I set ntpd to poll every 60 seconds, and now we haven't seen the issue all day. Thanks for the help and suggestions!
|
# ? May 8, 2014 21:31 |
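The failure mode madsushi describes, as an added example that is not from the thread: a toy learning switch with MAC aging, showing that a host which only ever receives UDP gets dropped from the forwarding table and its traffic flooded to every other port (including the 4500-X), and that any periodic egress traffic from the host keeps the entry alive. The LogStash and 4500-X MACs are the ones quoted above; the ASA MAC, the 300 s aging time and the timings are constructed.

```python
# Added example (not from the thread): a toy learning switch with MAC aging,
# reproducing why a syslog sink that only ever receives UDP gets flooded.
# MACs for LogStash and the 4500-X are the ones quoted in the thread; the
# ASA MAC and the timings are constructed.
BROADCAST = "ffff.ffff.ffff"
ASA = "0000.0000.aaaa"        # placeholder, not from the thread
LOGSTASH = "0025.b507.0002"   # LogStash NIC
VSS = "b0fa.eb62.deff"        # 4500-X Fast1


class LearningSwitch:
    """Flat L2 switch: learn source MAC on ingress, age entries, flood unknowns."""

    def __init__(self, aging_secs=300):   # 300 s is the usual IOS default
        self.aging_secs = aging_secs
        self.table = {}     # mac -> (port, last_seen)
        self.ports = {}     # port -> attached mac

    def attach(self, port, mac):
        self.ports[port] = mac

    def forward(self, src, dst, in_port, now):
        """Return the set of MACs that receive the frame and whether it was flooded."""
        # Age out entries that have not been refreshed by a *source* MAC.
        for mac, (_, seen) in list(self.table.items()):
            if now - seen > self.aging_secs:
                del self.table[mac]
        self.table[src] = (in_port, now)      # only senders get (re)learned
        if dst in self.table:
            out = [self.table[dst][0]]
            flooded = False
        else:                                  # unknown unicast or broadcast
            out = [p for p in self.ports if p != in_port]
            flooded = True
        return {self.ports[p] for p in out}, flooded


def simulate(keepalive_secs=None, duration=900):
    """ASA sends one syslog frame per second to LogStash; LogStash never
    replies (UDP) unless keepalive_secs is set (e.g. ntpd polling every 60 s).
    Counts syslog frames that reached the 4500-X port because of flooding."""
    sw = LearningSwitch()
    sw.attach(1, ASA); sw.attach(2, LOGSTASH); sw.attach(3, VSS)
    # t=0: ASA ARPs for LogStash (broadcast), LogStash replies -> both learned.
    sw.forward(ASA, BROADCAST, 1, 0)
    sw.forward(LOGSTASH, ASA, 2, 0)
    flooded_syslog, first_flood = 0, None
    for t in range(1, duration + 1):
        rcvd, flooded = sw.forward(ASA, LOGSTASH, 1, t)
        if flooded and VSS in rcvd:
            flooded_syslog += 1
            first_flood = first_flood if first_flood is not None else t
        if keepalive_secs and t % keepalive_secs == 0:
            sw.forward(LOGSTASH, ASA, 2, t)   # any egress traffic refreshes the entry
    return {"flooded_syslog": flooded_syslog, "first_flood_at": first_flood}


if __name__ == "__main__":
    print("no keepalive:", simulate())          # floods from t=301 onward
    print("ntpd every 60 s:", simulate(60))     # no flooding
```

The asymmetry that makes this bite is that the ASA keeps its ARP entry for the sink (14400 s by default) far longer than the switch keeps the MAC (300 s by default), so the ASA keeps unicasting to a MAC the switch has already forgotten.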
|
Is there an Enterprise Networking thread or can I ask my dumb Fortigate questions here? I guess I'll just go for it. If I want to authenticate my VPN users using AD, do I need to use FSSO or do I just configure an AD server in the authentication servers section and add it to the appropriate user group?
|
# ? May 9, 2014 04:04 |
|
Martytoof posted: Is there an Enterprise Networking thread or can I ask my dumb Fortigate questions here?
It's been a while since I configured it, but as I recall FSSO is only for web filtering. VPN users will just be LDAP auth.
|
# ? May 9, 2014 04:34 |
|
I'm pulling my hair out over here with this. I have a Catalyst 2960. I'm currently trying to copy over an IOS image via TFTP using Solarwinds as the TFTP server. I can ping the server, I can ping the switch. I'll run the copy tftp: flash: command, enter the tftp server IP, and the IOS .bin file name which is c2960-lanbasek9-mz.150-2.SE6 When I hit enter to begin the copy process, it tells me it can't find the path or file. The IOS image file is in the TFTP root folder where it should be so I have no clue why it's giving that error. Any ideas?
Edit: Apparently I needed to add .bin at the end of c2960-lanbasek9-mz.150-2.SE6. Doing that worked immediately. It's the little things that always get you.
Frag Viper fucked around with this message at 06:41 on May 9, 2014 |
# ? May 9, 2014 06:04 |
|
Hopefully this will save someone some headache (or maybe our sales rep & SE just didn't know), but Cisco 3925/3925E routers won't do more than 85mbps IPSEC VPN out of the box, even though they're marketed/sold as such. You have to buy an additional license (HSECK9) for this. siighhhh Do these normally ship with these licenses? Dropping a few grand per license just so the box will do what it was sold to do is rather, well, common I guess.
|
# ? May 9, 2014 06:38 |
|
quote: Hopefully this will save someone some headache (or maybe our sales rep & SE just didn't know), but Cisco 3925/3925E routers won't do more than 85mbps IPSEC VPN out of the box, even though they're marketed/sold as such. You have to buy an additional license (HSECK9) for this. siighhhh
Normally, no. You have to specify that license. Gets more fun with the ASRs/ISRs we run with IPSEC and GetVPN, I think there's about a half dozen additional licenses tied to each one (with each needing its own support charge )
Frag Viper posted: I'm pulling my hair out over here with this.
That gets me about half the time when I can't transfer. The other half is when people point the tftp source at the wrong interface.
|
# ? May 9, 2014 06:47 |
|
Slickdrac posted: Normally, no. You have to specify that license. Gets more fun with the ASRs/ISRs we run with IPSEC and GetVPN, I think there's about a half dozen additional licenses tied to each one (with each needing its own support charge )
As an FYI, these licenses are all honor based/RTU in newish versions of code (except sslvpn) and no one from TAC will ever check to see if you have them enabled most likely.
|
# ? May 9, 2014 11:37 |
|
madsushi posted: LogStash
How do you like logstash? Just upgraded to PI 2.1 which still doesn't have a fully baked syslog server (though I see you can edit some configs to support more sev levels). Looking to roll a free syslog server for our networking equipment and maybe some other systems if client/server wants to use it as well. No budget for something like splunk but logstash/kibana looked pretty slick.
|
# ? May 9, 2014 14:05 |
|
Welp, remember how I was complaining about Fortigate disks? .. another one on the pile.
Reading boot image 1303762 bytes.
Initializing firewall...
System is started.
EXT3-fs error (device sd(8,3)): ext3_get_inode_loc: unable to read inode block - inode=2, block=4
EXT3-fs: corrupt root inode, run e2fsck
Formating shared data partition ... Using default data disk. failed, status=256!
Cannot mount shared data partition.
Using default data disk.
[fs.c:603] Read from MBR of boot device '/dev/hda' failed.
Using default data disk.
Using default data disk.
Using default data disk.
Using default data disk.
Using default data disk.
Abort booting! unknown operation mode(0)
The system is going down NOW !!
I'm starting to think this relationship isn't going to work out
|
# ? May 10, 2014 17:20 |
|
I worked for an MSP that deployed a lot of the 60C devices to customers. The hard drives failed all the time. It was infuriating.
|
# ? May 10, 2014 17:46 |
|
Yeah, I have two 60C devices at home and I'm literally just waiting for the day the flash storage conks out. I work for an MSP as well, and I'm probably not exaggerating when I say I've experienced something like a 25-30% failure rate at this point. I know that doesn't sound like a high number when you first read it, but that's like one out of four or worse.
|
# ? May 10, 2014 23:49 |
|
No that definitely sounds like an absurdly high failure rate for anything I didn't buy for my kid from the clearance bin at Toys-R-Us. Let alone a serious IT vendor.
|
# ? May 11, 2014 05:12 |
|
Their 'fix' was to disable local logging/reporting in subsequent firmware releases to reduce the number of writes on the flash media. If you try and enable disk logging via the CLI it now carries a big disclaimer about reducing the working life of the flash. Pretty poor form, hopefully the 60Ds we're starting to roll out are more reliable.
|
# ? May 11, 2014 12:21 |
|
I really just need to break down and pay for their centralized management solution. We deploy enough of these that it would probably be worthwhile.
|
# ? May 11, 2014 12:40 |
|
gooby pls posted: How do you like logstash? Just upgraded to PI 2.1 which still doesn't have a fully baked syslog server (though I see you can edit some configs to support more sev levels).
It works pretty well. We have a logstash "collector" that just listens on tcp/udp 514 and then dumps the syslog messages into Redis. That way, even if the indexer or ElasticSearch (the "database" part) goes down, you're still collecting events. Also lets you handle "bursty" logs where you can't process them fast enough to keep up. Super simple config for this part, just a stock Redis install. Note that you might need to tell Redis to save to disk, as I think it just saves to RAM by default, and you don't want to lose queued messages if you reboot, etc.
Then, we have the logstash "indexer", which is just a separate instance of logstash running. It grabs the messages from Redis, does a whole bunch of grok (which was not too bad to set up, took about a day), and parses out important stuff. I have it check incoming/outgoing port numbers to sort it into application buckets, get the device information, syslog event ID, geo IP location, etc. Then, it all gets dumped into ElasticSearch and viewed with Kibana.
Works pretty nicely. You do need a ton of RAM though. ElasticSearch will CRAWL without a ton of RAM, you need RAM for your Redis queue, and logstash (indexer) will take some RAM too. Make sure you adjust the init and config files to allocate them plenty of RAM each.
I built Kibana dashboards for different teams, so they can see how web traffic looks, or type in an IP and follow the sessions by application type, or just look at trend data to see if anything is out of the ordinary, geoip stuff to see our usage over time (ebb and flow of Euro traffic), etc.
e: can't say much about smaller-scale deployments. We have a ton of RAM (256GB) and get over 100 million syslog events a day. Carve out 10-20 for Redis, 75 for logstash, 100 for ElasticSearch.
madsushi fucked around with this message at 20:40 on May 11, 2014 |
# ? May 11, 2014 20:37 |
|
Can a 3750-X do QinQ? Alternatively is there a way I can allow a tagged frame to pass through a switch without needing the vlan configured on the switch?
|
# ? May 15, 2014 19:44 |
|
I know a 3750 can pass double tagged traffic, but I've never used one to actually do the double tagging. (We push the tag at the customer NID.) Here is Cisco's page on qinq for the 3750, it certainly looks possible.
|
# ? May 15, 2014 20:17 |
|
|
You can do qinq on a per port (but not per vlan) basis.
|
# ? May 17, 2014 14:18 |