Slickdrac
Oct 5, 2007

Not allowed to have nice things
According to snmp logging, we're randomly overclocking the hell out of our 5520s

Message: ASA 5520 Adaptive Security Appliance has exceeded threshold: (90%) currently (4294964%)

Anyone seen this before? They always start out 42949, just the last two digits change.


netmazk
Jun 15, 2003
Check out Cisco bug CSCto53782 for the ASA CPU usage - the misreporting is only cosmetic.

sudo rm -rf
Aug 2, 2011


$ mv fullcommunism.sh
/america
$ cd /america
$ ./fullcommunism.sh


What's the proper way to handle PIM rendezvous points in a vPC topology where my two N5Ks are also serving as gateways for my multicasting VLANs? Should I use BSR? What interfaces would I use for it? Here's what the SVIs look like:

code:
N5K-1

interface Vlan20
  no shutdown
  description Headend-VLAN
  vrf member ec-lab-1
  ip address 10.253.0.253/18
  ip pim sparse-mode
  hsrp version 2
  hsrp 20
    preempt
    priority 110
    ip 10.253.0.254

interface Vlan24
  no shutdown
  description BFS-Multicast-Interface
  vrf member ec-lab-1
  ip address 172.16.40.253/24
  ip pim sparse-mode
  hsrp version 2
  hsrp 24
    preempt
    priority 110
    ip 172.16.40.254
  ip dhcp relay address 10.253.0.1
  ip dhcp relay address 172.16.40.0


N5K-2

interface Vlan20
  no shutdown
  description Headend-VLAN
  vrf member ec-lab-1
  ip address 10.253.0.252/18
  ip pim sparse-mode
  hsrp version 2
  hsrp 20
    ip 10.253.0.254

interface Vlan24
  no shutdown
  description BFS-Multicast-Interface
  vrf member ec-lab-1
  ip address 172.16.40.252/24
  ip pim sparse-mode
  hsrp version 2
  hsrp 22
    ip 172.16.40.254
  ip dhcp relay address 10.253.0.1
  ip dhcp relay address 172.16.40.0
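
Before putting an RP on top of this, it is worth confirming that the two vPC peers' SVIs actually agree with each other, since HSRP and PIM on a vPC pair both assume they do. Below is a small lint, added here as an example and not any poster's own code, that parses the two stanzas above (with the `no shutdown` and `description` lines trimmed) and reports per-VLAN differences. On the posted configs it reports that Vlan24 is HSRP group 24 on N5K-1 but group 22 on N5K-2, and that `ip dhcp relay address 172.16.40.0` on both peers is the network address of the SVI's own subnet rather than a server address. Whether those are typos in the post or in the running config is not something the thread tells us; the lint only reports.

```python
# Added example, not from the thread: lint two NX-OS SVI configs that are
# meant to be vPC/HSRP peers.  The two strings are the N5K-1 and N5K-2
# stanzas posted above, minus the 'no shutdown' and 'description' lines.
import ipaddress
import re

N5K_1 = """
interface Vlan20
  vrf member ec-lab-1
  ip address 10.253.0.253/18
  ip pim sparse-mode
  hsrp version 2
  hsrp 20
    preempt
    priority 110
    ip 10.253.0.254
interface Vlan24
  vrf member ec-lab-1
  ip address 172.16.40.253/24
  ip pim sparse-mode
  hsrp version 2
  hsrp 24
    preempt
    priority 110
    ip 172.16.40.254
  ip dhcp relay address 10.253.0.1
  ip dhcp relay address 172.16.40.0
"""

N5K_2 = """
interface Vlan20
  vrf member ec-lab-1
  ip address 10.253.0.252/18
  ip pim sparse-mode
  hsrp version 2
  hsrp 20
    ip 10.253.0.254
interface Vlan24
  vrf member ec-lab-1
  ip address 172.16.40.252/24
  ip pim sparse-mode
  hsrp version 2
  hsrp 22
    ip 172.16.40.254
  ip dhcp relay address 10.253.0.1
  ip dhcp relay address 172.16.40.0
"""

def parse_svis(cfg):
    """Return {'VlanN': fields} for every 'interface VlanN' block in cfg."""
    svis, cur, in_hsrp = {}, None, False
    for s in (l.strip() for l in cfg.splitlines() if l.strip()):
        m = re.match(r"^interface (Vlan\d+)$", s)
        if m:
            cur = svis[m.group(1)] = {"vrf": None, "addr": None, "pim": False,
                                      "group": None, "vip": None, "relays": []}
            in_hsrp = False
        elif cur is None:
            continue
        elif s.startswith("vrf member "):
            cur["vrf"] = s.split()[2]
        elif s.startswith("ip address "):
            cur["addr"] = s.split()[2]
        elif s == "ip pim sparse-mode":
            cur["pim"] = True
        elif re.match(r"^hsrp \d+$", s):            # 'hsrp version 2' is skipped
            cur["group"], in_hsrp = int(s.split()[1]), True
        elif s.startswith("ip dhcp relay address "):
            cur["relays"].append(s.split()[4])
        elif in_hsrp and re.match(r"^ip \S+$", s):  # the HSRP virtual IP
            cur["vip"] = s.split()[1]
    return svis

def lint_vpc_pair(cfg_a, cfg_b, name_a="N5K-1", name_b="N5K-2"):
    """Report per-VLAN settings that must agree on vPC/HSRP peers but don't."""
    a, b, out = parse_svis(cfg_a), parse_svis(cfg_b), []
    for vlan in sorted(set(a) | set(b), key=lambda v: int(v[4:])):
        if vlan not in a or vlan not in b:
            out.append(f"{vlan}: only configured on {name_a if vlan in a else name_b}")
            continue
        x, y = a[vlan], b[vlan]
        net = ipaddress.ip_interface(x["addr"]).network
        if net != ipaddress.ip_interface(y["addr"]).network:
            out.append(f"{vlan}: peers are in different subnets")
        if x["vrf"] != y["vrf"] or not (x["pim"] and y["pim"]):
            out.append(f"{vlan}: vrf or 'ip pim sparse-mode' differs between peers")
        if x["group"] != y["group"]:
            # Hellos carry the group number: peers in different groups never pair.
            out.append(f"{vlan}: hsrp group differs ({x['group']} vs {y['group']})")
        if x["vip"] != y["vip"] or (x["vip"] and ipaddress.ip_address(x["vip"]) not in net):
            out.append(f"{vlan}: HSRP VIP differs between peers or lies outside {net}")
        for name, svi in ((name_a, x), (name_b, y)):
            for r in svi["relays"]:
                if ipaddress.ip_address(r) in (net.network_address, net.broadcast_address):
                    out.append(f"{vlan} on {name}: dhcp relay address {r} is the "
                               f"network/broadcast address of {net}, not a server")
    return out
```

`lint_vpc_pair(N5K_1, N5K_2)` returns three findings, all on Vlan24, and nothing on Vlan20. Two peers that do not share an HSRP group number never see each other's hellos, so each one goes Active for the same virtual IP; that is worth ruling out before debugging anything multicast-related on that VLAN.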

jwh
Jun 12, 2002

Auto RP would work just fine, I guess. I've never configured BSR, but that would work too (and works in combination with auto rp).

sudo rm -rf
Aug 2, 2011



Yeah I haven't done either, so I guess my question would be - what interface do you use? Other than my SVIs, I don't have any layer 3 interfaces for the N5Ks. Looking at a configuration guide led me to believe that you would use a loopback interface, but if the second N5K doesn't have a route to the first N5K's loopback I'm not sure how that would work.

1000101
May 14, 2003

BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY FRUITCAKE!

sudo rm -rf posted:

Yeah I haven't done either, so I guess my question would be - what interface do you use? Other than my SVIs, I don't have any layer 3 interfaces for the N5Ks. Looking at a configuration guide led me to believe that you would use a loopback interface, but if the second N5K doesn't have a route to the first N5K's loopback I'm not sure how that would work.

Add your loopbacks to your IGP or create a static route on each 5k. I prefer the first method myself.

As an aside I also use loopbacks for in-band management as well.

Edit: seeing your config, don't forget to put the loopbacks in the appropriate vrf.

sudo rm -rf
Aug 2, 2011



I don't have an IGP running. The only routing going on is between my VLANs. Would that break multicast in a vPC topology?

You can tell this is pretty new to me.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR
Anyone else using an ASR9k?

The more we use them the worse the feeling I get about having them as our core.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
Yep. 9010 and 9922's all over the place. I am still waiting for someone to forget about layer 2 loops. I've configured 4 9010's myself (from turboboot to routing) and two 9922's in the next month, hands down my favorite part of this contract.

Zuhzuhzombie!!
Apr 17, 2008
Having weird problems with it. IPv6 funkiness, SNMP processes crashing, eigrp issues...

Sepist
Dec 26, 2005

What version of code? TAC involved?

ragzilla
Sep 9, 2005
don't ask me, i only work here


Zuhzuhzombie!! posted:

Having weird problems with it. IPv6 funkiness, SNMP processes crashing, eigrp issues...
Only ipv6 funkiness I've noticed is in 4.1.0 it doesn't honor advertise-passive-only in ISIS. Are you up to date on SMUs?

Sepist posted:

Yep. 9010 and 9922's all over the place. I am still waiting for someone to forget about layer 2 loops. I've configured 4 9010's myself (from turboboot to routing) and two 9922's in the next month, hands down my favorite part of this contract.
I think they have some pvst/mst interop modes in 5.0 or 5.1, or there's always l2protocol-tunnel and rely on the switches to block the loop. In our DC edge app I'm looking at moving to NV edge to get rid of STP on my aggregation-access tier (do 2x10G NV Edge LAG down to access).

ragzilla fucked around with this message at 22:52 on Jun 19, 2014

1000101
May 14, 2003


sudo rm -rf posted:

I don't have an IGP running. The only routing going on is between my VLANs. Would that break multicast in a vPC topology?

You can tell this is pretty new to me.

It won't;

Worst comes to worst, if you just have the 2 switches in your environment you could create a static route pointing towards the loopbacks. OSPF/EIGRP won't screw up multicast.

How many switches/routers do you have in your whole environment that'd need to reach your RPs?

bad boys for life
Jun 6, 2003

by sebmojo

Zuhzuhzombie!! posted:

Anyone else using an ASR9k?

The more we use them the worse the feeling I get about having them as our core.

I work at a large MSO and we have them as our edge routers, CRSs as the core (but we're moving to the new version of the CRS, been labbing it).

Make sure you're on newer code, at least 4.2.3, or you're going to run into lots of odd issues.

I've configured dozens of 9001s, 9006s and 9010s, and we haven't had any issues since upgrading the code. We have probably 400 in the network now.

jwh
Jun 12, 2002

3850 trip report: things went very well, had no trouble with the three I brought up in Boston this past Monday.

It's nice to see that Cisco finally managed to make IOS upgrades a 'one-touch' affair, because that sure as anything never worked all that great on the 3750s.

Nice switches, I guess. The buffers aren't exactly huge, but they're 2x the 3750s.

Count Thrashula
Jun 1, 2003

Death is nothing compared to vindication.
Buglord
I have an ASA issue that has me about to pull my hair out.

Here's the setup:

[me] ---> [10.7.6.0/23] ---> [10.24.0.0/23] ---> [ASA1] --->crosscountry<--- [ASA2] <--- [10.8.8.0/24]

The problem I have is with the two ASAs. I have an IPSEC tunnel set up that's currently working, active, and all good. I can ping the address of ASA2 just fine (10.8.8.1) from me (10.7.6.182), but can't ping anything past it, on the 10.8.8.0/24 network.

However, PCs on the 10.8.8.0/24 network can ping me just fine! I've checked my NAT 0 stuff, I've checked my ACLs against each other. I'm not sure what's going on. If I run (from ASA2) "packet-tracer input outside icmp 10.7.6.182 0 0 10.8.8.1" it passes, but if I run the same with "10.8.8.81" at the end, for example, it gets "dropped by acl rule".

Here are the two configs if anyone has a moment to look at them:

ASA1 - http://pastebin.com/X5BrA2Xr
ASA2 - http://pastebin.com/Eac0jfAj

Sepist
Dec 26, 2005


bad boys for life posted:

Make sure youre on newer code, at least 4.2.3, or youre going to run into lots of odd issues.

But not 4.3.2, which is a pile of poo poo

QPZIL posted:

I have an ASA issue that has me about to pull my hair out.

Here's the setup:

[me] ---> [10.7.6.0/23] ---> [10.24.0.0/23] ---> [ASA1] --->crosscountry<--- [ASA2] <--- [10.8.8.0/24]

The problem I have is with the two ASAs. I have an IPSEC tunnel set up that's currently working, active, and all good. I can ping the address of ASA2 just fine (10.8.8.1) from me (10.7.6.182), but can't ping anything past it, on the 10.8.8.0/24 network.

However, PCs on the 10.8.8.0/24 network can ping me just fine! I've checked my NAT 0 stuff, I've checked my ACLs against each other. I'm not sure what's going on. If I run (from ASA2) "packet-tracer input outside icmp 10.7.6.182 0 0 10.8.8.1" it passes, but if I run the same with "10.8.8.81" at the end, for example, it gets "dropped by acl rule".

Here are the two configs if anyone has a moment to look at them:

ASA1 - http://pastebin.com/X5BrA2Xr
ASA2 - http://pastebin.com/Eac0jfAj


show run all | i sysopt - are your vpn tunnels configured to bypass acl check? If not, are you explicitly allowing echo AND echo reply in your interface acl?

Sepist fucked around with this message at 22:31 on Jun 26, 2014
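
Sepist's two checks as a runnable model. This is an added example, not any poster's code: the ASA config fragments are constructed to match QPZIL's addressing, the ACL name OUTSIDE_IN and the host 10.8.8.81 are assumptions, and the model covers only the VPN bypass, the interface ACL and the implicit deny (with `inspect icmp` enabled the ASA would admit the echo-reply as part of the tracked echo instead, which is left out here). On a real ASA `sysopt connection permit-vpn` is on by default and does not show in `show run`, which is why `show run all` is the right command. Note also that packet-tracer takes the ICMP type as a number, 8 for echo and 0 for echo-reply, so the `0 0` in the command quoted above traces a reply, not a request.

```python
# Added example, not from the thread: a small model of the two checks Sepist
# lists above, run against constructed ASA config fragments that follow
# QPZIL's addressing.  OUTSIDE_IN and the host 10.8.8.81 are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ICMP_TYPE = {"echo": 8, "echo-reply": 0}   # numeric types packet-tracer expects

@dataclass
class Pkt:
    src: str
    dst: str
    icmp_type: str          # "echo" or "echo-reply"
    via_vpn: bool = True    # arrived decrypted from the IPsec peer

@dataclass
class Ace:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp_type: Optional[str]  # None means any ICMP type
    text: str

def _operand(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one ASA address operand (any | host X | X MASK) starting at t[i]."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2   # ASA writes netmasks

def parse_acl(config: str, name: str) -> List[Ace]:
    """The ICMP entries of access-list <name>, in order (first match wins)."""
    aces = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 7 or t[:3] != ["access-list", name, "extended"] or t[4] != "icmp":
            continue
        src, i = _operand(t, 5)
        dst, i = _operand(t, i)
        aces.append(Ace(t[3], src, dst, t[i] if i < len(t) else None, line.strip()))
    return aces

def inbound_permitted(config: str, acl: str, pkt: Pkt) -> Tuple[bool, str]:
    """Whether pkt, entering the interface that has <acl> applied inbound, is
    admitted: VPN bypass first, then the ACL, then the implicit deny."""
    lines = [l.strip() for l in config.splitlines()]
    if pkt.via_vpn and "sysopt connection permit-vpn" in lines:
        return True, "sysopt connection permit-vpn: interface ACL bypassed"
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for ace in parse_acl(config, acl):
        if src in ace.src and dst in ace.dst and ace.icmp_type in (None, pkt.icmp_type):
            return ace.action == "permit", f"matched '{ace.text}'"
    return False, "implicit deny at the end of the ACL"

def packet_tracer_cmd(ifc: str, pkt: Pkt) -> str:
    """The packet-tracer line that reproduces pkt (type 8 = echo, 0 = echo-reply)."""
    return f"packet-tracer input {ifc} icmp {pkt.src} {ICMP_TYPE[pkt.icmp_type]} 0 {pkt.dst}"

# ASA1's outside interface, where the replies from 10.8.8.0/24 come back in.
ASA1_ECHO_ONLY = """
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit icmp 10.8.8.0 255.255.255.0 10.7.6.0 255.255.254.0 echo
access-group OUTSIDE_IN in interface outside
"""
ASA1_BOTH = ASA1_ECHO_ONLY.replace("access-group", "access-list OUTSIDE_IN extended permit icmp "
                                   "10.8.8.0 255.255.255.0 10.7.6.0 255.255.254.0 echo-reply\naccess-group")
ASA1_BYPASS = ASA1_ECHO_ONLY.replace("no sysopt", "sysopt")

REPLY = Pkt("10.8.8.81", "10.7.6.182", "echo-reply")   # the half of the ping that fails

if __name__ == "__main__":
    for label, cfg in (("echo only", ASA1_ECHO_ONLY), ("echo + echo-reply", ASA1_BOTH),
                       ("sysopt bypass", ASA1_BYPASS)):
        print(f"{label:18} -> {inbound_permitted(cfg, 'OUTSIDE_IN', REPLY)}")
    print(packet_tracer_cmd("outside", REPLY))
```

With the bypass off and only `echo` permitted, the reply from 10.8.8.81 dies on the implicit deny at ASA1's outside interface even though the request went out fine; adding the `echo-reply` line or turning `sysopt connection permit-vpn` back on lets it through. Traffic that did not arrive over the tunnel still has to pass the ACL regardless of the sysopt setting.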

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!
Those ACLs and NAT exemption statements look proper to me. This isn't something goofy with the far end network hosts and Windows firewall is it?

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE


Anyone have very obvious traffic deviations because of the World Cup game? This is from a major US telephone network.

Count Thrashula
Jun 1, 2003


GOOCHY posted:

Those ACLs and NAT exemption statements look proper to me. This isn't something goofy with the far end network hosts and Windows firewall is it?

GOOCHY posted:

This isn't something goofy with the far end network hosts and Windows firewall is it?

GOOCHY posted:

Windows firewall is it?

:stare: God drat it. I need a stiff drink now. Ugh. loving Windows firewall.

ragzilla
Sep 9, 2005


FatCow posted:
Anyone have very obvious traffic deviations because of the World Cup game? This is from a major US telephone network.

We just turned up a new transit, and cacti (loving cacti) was polling the 32bit counter, so I lost any decent statistics I might have gathered.
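
Two numbers in this thread are the same thing showing through: the ASA's "4294964%" CPU reading up top, and cacti polling a 32-bit octet counter on a fresh transit. Below is an added example, not any poster's code, with the arithmetic for both. Reading the CPU figure as a small negative value stored in an unsigned 32-bit field and then divided by 1000 for display is an assumption about the shape of the number, not a reading of the Cisco bug netmazk cited; all sample values are constructed. The counter half shows why a Counter32 polled every 300 s cannot report more than about 114 Mbit/s no matter what the link carries, and why the fix is the 64-bit ifHCInOctets/ifHCOutOctets objects.

```python
# Added example, not from the thread: the arithmetic behind the two SNMP
# oddities above, the ASA "4294964%" CPU reading and a 32-bit octet counter
# polled on a fast link.  All sample values are constructed.
UINT32 = 1 << 32

def counter_delta(prev, cur, bits=32):
    """Difference between two Counter32/Counter64 samples, correct across at
    most one wrap (SNMP counters are modular, never negative)."""
    return (cur - prev) % (1 << bits)

def looks_like_uint32_underflow(value, window=100_000):
    """True when value, scaled by some power of ten, lands just under 2**32:
    the signature of a small negative number stored in an unsigned 32-bit
    field and then divided for display (4294964 ~ (2**32 - x) // 1000).
    Heuristic; an assumption about the number's shape, not a diagnosis."""
    return any(UINT32 - window <= value * 10 ** k <= UINT32 for k in range(7))

def classify_cpu_reading(pct):
    """Gate a CPU-utilisation gauge before alerting on it."""
    if 0 <= pct <= 100:
        return "ok"
    return "wrap-artefact" if looks_like_uint32_underflow(pct) else "out-of-range"

def seconds_between_wraps(bits, bits_per_second):
    """Lifetime of an octet counter of the given width at a given line rate."""
    return (1 << bits) * 8 / bits_per_second

def max_observable_bps(bits, poll_interval_s):
    """Highest rate a counter of this width can show when polled every
    poll_interval_s seconds: exactly one wrap per interval.  Faster links
    alias down into this range, which is what cacti did to the transit above."""
    return (1 << bits) * 8 / poll_interval_s

def rates_from_samples(samples, bits):
    """(t, counter) pairs -> bit/s for each interval, wrap-aware."""
    return [counter_delta(c0, c1, bits) * 8 / (t1 - t0)
            for (t0, c0), (t1, c1) in zip(samples, samples[1:])]

def simulate_polling(true_bps, poll_interval_s, polls, bits):
    """Constructed link carrying true_bps, read through a counter of the
    given width every poll_interval_s seconds; returns the computed rates."""
    octets_per_poll = true_bps // 8 * poll_interval_s
    samples = [(i * poll_interval_s, (i * octets_per_poll) % (1 << bits))
               for i in range(polls + 1)]
    return rates_from_samples(samples, bits)

if __name__ == "__main__":
    print(classify_cpu_reading(4294964))                              # wrap-artefact
    print(round(seconds_between_wraps(32, 10e9), 1), "s between wraps at 10G")
    print(round(max_observable_bps(32, 300) / 1e6), "Mbit/s ceiling, Counter32 @ 300 s")
    print([round(r / 1e6) for r in simulate_polling(2_000_000_000, 300, 3, 32)])  # [53, 53, 53]
    print([round(r / 1e6) for r in simulate_polling(2_000_000_000, 300, 3, 64)])  # [2000, 2000, 2000]
```

The simulated 2 Gbit/s link comes out as a steady 53 Mbit/s through a Counter32 at a 300 s poll interval, with no sign in the data that anything is wrong, which is why a graph built on 32-bit counters looks plausible right up until you compare it with the far end. A Counter32 at 10 Gbit/s wraps every 3.4 s; to stay inside one wrap per poll you would have to sample faster than that, so switching the poller to the 64-bit objects is the only real answer.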

GOOCHY
Sep 17, 2003


QPZIL posted:

:stare: God drat it. I need a stiff drink now. Ugh. loving Windows firewall.

Glad to hear it's just that - coming from a grizzled veteran who is four Deschutes Fresh Squeezed in after a day of IT soul crushing.

CrazyLittle
Sep 11, 2001
Clapping Larry

FatCow posted:
Anyone have very obvious traffic deviations because of the World Cup game? This is from a major US telephone network.

hahahah yeah. Got a few unhappy campers this morning who were even less happy when I showed them they were basically DDoS'ing themselves with world cup streams.

Contingency
Jun 2, 2007

MURDERER
Catalyst 2960XR w/ IP Lite: poor man's layer 3 switch, or is a C3650 the minimum for intervlan routing?

Contingency fucked around with this message at 20:04 on Jul 1, 2014

jwh
Jun 12, 2002

I believe the Cat 2960s (all of them?) will allow you to make a single SVI, but that's it.

Fatal
Jul 29, 2004

I'm gunna kill you BITCH!!!

Contingency posted:

Catalyst 2960XR w/ IP Lite: poor man's layer 3 switch, or is a C3650 the minimum for intervlan routing?

We don't have anything in the field yet but should be deploying some this summer. Yet to be seen: PIM performance. Also no EIGRP if that's your thing (it is for us).

Basically I would be wary of the whole thing, it seems like it encroaches on the 3560/3750X space a bit too much so I'm waiting for the other shoe to drop on where Cisco cut corners.

Edit: As mentioned below you get EIGRP stub which is somewhat useful I guess...

Fatal fucked around with this message at 22:19 on Jul 1, 2014

Richard Noggin
Jun 6, 2005
Redneck By Default

jwh posted:

I believe the Cat 2960s (all of them?) will allow you to make a single SVI, but that's it.

You can create multiple SVIs (8?) on a 2960, at least with LAN Base. http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swipstatrout.html and http://blog.alwaysthenetwork.com/tutorials/2960s-can-route/

Note that this doesn't work on 3750s with the LAN Base - just the 2960 series.

ragzilla
Sep 9, 2005


jwh posted:

I believe the Cat 2960s (all of them?) will allow you to make a single SVI, but that's it.

-XR adds 'IP Lite' (even lower than IP Base) level of L3 features:

quote:

What features does IP Lite bring to the 2960-XR switch models?
A. IP Lite introduced enterprise access Layer 3 features to the 2960-XR switch models. IP Lite is a subset of IP Base features. Some of the IP Lite features are:
● Routing Information Protocol (RIP) v1
● Routing Information Protocol (RIP) v2
● Open Shortest Path First (OSPF) v2 stub
● Open Shortest Path First (OSPF) v3 stub
● Enhanced Interior Gateway Routing Protocol (EIGRP) stub
● Equal-cost routing
● Hot Standby Router Protocol (HSRP)
● Protocol Independent Multicast PIM (Sparse Mode, Dense Mode, Sparse Dense Mode, Source Specific Multicast) stub
● Virtual Router Redundancy Protocol (VRRP) for IPv4
● Private VLAN
● IPv6 First Hop Security source guard
● Per-VLAN and per-port policers

Very poor man's L3 switch, but if you can live with that featureset you should be fine. Supports ~4k adjacent hosts (http://www.cisco.com/c/en/us/td/doc...8DB28FB6755DA38).

jwh
Jun 12, 2002

Well that's interesting! I didn't know that.

Bob Morales
Aug 18, 2006



I guess this is an Adtran question but it's similar to IOS so I'll ask anyway:

We have our Adtran Netvanta 3348 doing our routing/firewall duties. We also have a Linksys E1200 wireless AP deal that we want to use as a 'guest' wifi network, as we have another AP that allows access to our internal network. Actually, they both do, one is just using NAT the other is just an AP but that's what I'm trying to fix. In theory nothing prevents a guest user from accessing our internal network.

My first thought was to make an ACL that only allows traffic from the guest AP to our router (and to no other IP addresses, such as our servers), but apparently you can't use an ACL to split up traffic on the same subnet.

Any suggestions? Buying 'real' wireless hardware isn't really in the budget right now (but will be in the future). Should I just plug the guest AP into our internet connection on a free IP address (I think we have 10)?

wolrah
May 8, 2006
what?
If the second Ethernet is available I'd create the guest subnet there and attach any APs in a bridged mode to that.

If it's in use or if I'm misunderstanding that model (assuming the switch ports are internally seen as eth3 or such) then you could do the same with VLANs.

Basically the Adtran sees two different LANs and can firewall them as you want. Since you say you have multiple IPs I think it's even possible to have them NAT through different ones so you'll know if any complaints are about trusted or guest users.

some kinda jackal
Feb 25, 2003

Not to turn this into my own personal livejournal about Fortigate, but I had another 200B die on me today. I swear to god I'd switch to another brand if we weren't a reseller for these pieces of poo poo.

I'm going to feel guilty every time I install these at clients' now.

https://www.youtube.com/watch?v=WsBB93IqJkE

some kinda jackal fucked around with this message at 01:10 on Jul 3, 2014

BurgerQuest
Mar 17, 2009

by Jeffrey of YOSPOS

Martytoof posted:

Not to turn this into my own personal livejournal about Fortigate, but I had another 200B die on me today. I swear to god I'd switch to another brand if we weren't a reseller for these pieces of poo poo.

I'm going to feel guilty every time I install these at clients' now.

https://www.youtube.com/watch?v=WsBB93IqJkE

I think they're finally using SSDs in the 100+ model range in newer revs, but I've had about 4 60Cs fail out of probably 50 or so which is higher than we'd like when these things are in the middle of the ocean. Fortunately they're cheap and HA is great so our bigger customers always have two running together.

Contingency
Jun 2, 2007


Richard Noggin posted:

You can create multiple SVIs (8?) on a 2960, at least with LAN Base. http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swipstatrout.html and http://blog.alwaysthenetwork.com/tutorials/2960s-can-route/

Note that this doesn't work on 3750s with the LAN Base - just the 2960 series.

Ah...SVI. I've seen that term, but never picked up on it until now. In Dell land, a routable VLAN is just that.

I get the impression that there's some potential gotchas lurking. The config guide for the XR says the SVI limit is 128 (page 21), so it appears adequate from an interface standpoint. Are Cisco switches underpowered CPU-wise? It just seems unlikely that Cisco would have a stripped down Layer 3 switch undercutting its competition on price.

BurgerQuest
Mar 17, 2009

I don't think anyone markets the 2960 series switch as a layer 3 switch. Yes, it has some basic layer 3 capabilities, but calling them 'stripped down' doesn't really go far enough. I guess if you're super budget conscious they might get you by. We use heaps of them, but with a router.

jwh
Jun 12, 2002

Contingency posted:

Are Cisco switches underpowered CPU-wise?

It really depends on how you look at it, and what you're asking the processor to do.

jwh
Jun 12, 2002

Contingency posted:

It just seems unlikely that Cisco would have a stripped down Layer 3 switch undercutting its competition on price.

Cisco does crazy things. Even inside Cisco, business units compete with each other, often for no good reason.

Fatal
Jul 29, 2004


Martytoof posted:

Not to turn this into my own personal livejournal about Fortigate, but I had another 200B die on me today. I swear to god I'd switch to another brand if we weren't a reseller for these pieces of poo poo.

I'm going to feel guilty every time I install these at clients' now.

https://www.youtube.com/watch?v=WsBB93IqJkE

Oh yes, in my limited experience with Fortigate, gently caress them. Yes, I would like a HA pair to have the primary fail in a way that the secondary can't detect (it hard locked btw, no console/ping response), causing a complete edge failure.

jwh posted:

Cisco does crazy things. Even inside Cisco, business units compete with each other, often for no good reason.

Which is exactly what the XR line is doing. It's such a weird place for a switch but I guess it gets distributed routing going further away from the "core" into some weird collapsed distribution/access model. The more I think about it, the more I like it though.

Fatal fucked around with this message at 18:49 on Jul 3, 2014

ragzilla
Sep 9, 2005


jwh posted:

Cisco does crazy things. Even inside Cisco, business units compete with each other, often for no good reason.

Each BU has its own internal P&L, that's their reason to compete.


some kinda jackal
Feb 25, 2003


Fatal posted:

Oh yes, in my limited experience with Fortigate, gently caress them. Yes, I would like a HA pair to have the primary fail in a way that the secondary can't detect (it hard locked btw, no console/ping response), causing a complete edge failure.

That's really weird that the HA slave didn't pick it up though. Seems like a non-response like that would have explicitly triggered the heartbeat fail detector. Anyway, gently caress Fortigate v:q:v
