|
tx ring limit tuning on atm subinterfaces is just really, really obnoxious.
|
# ? Nov 17, 2011 22:49 |
|
ElCondemn posted:1) What's the reasoning for this? Your loopback should always be available as long as you have one interface up with an IGP running on it, interface IPs can come and go depending on circuit states. IGP metrics will handle making routes that circle all over the place look poor.
|
# ? Nov 17, 2011 23:15 |
|
FatCow posted:Your loopback should always be available as long as you have one interface up with an IGP running on it, interface IPs can come and go depending on circuit states. IGP metrics will handle making routes that circle all over the place look poor. That makes sense, I'll start doing that from now on.
|
# ? Nov 18, 2011 01:13 |
|
FatCow posted:Your loopback should always be available as long as you have one interface up with an IGP running on it, interface IPs can come and go depending on circuit states. IGP metrics will handle making routes that circle all over the place look poor. Also iBGP peering between loopbacks and using IGP to discover the loopbacks will let you do equal cost multipathing once your network gets to that point.
|
# ? Nov 18, 2011 01:23 |
|
jwh posted:Had a 2960G wig out today in the weirdest way: of the ten we had deployed at this particular site, one of them decided it'd be fun to start arbitrarily dropping layer-3 specific traffic. The stations affected were all in one physical area. We moved the stations to a different VLAN and they had no trouble. Moved them back, problem gone. Hasn't recurred, to my simultaneous relief and frustration.
edit much later:
Frozen-Solid posted:Any idea what this is, or if it's something I should even worry about? We've had random complaints that "everything is slow" for the past few weeks, that we've slowly been fixing various issues trying to track things down. Today we had a report while this weird spike was going on, but I have no way of knowing if it's related.
What a newbie network guy should focus on fixing: interface errors, and logging errors. Look at show interface and show logging. Are errors non-zero? Are there errors spamming the logs for some reason? Find out why and try to fix it and you're on your way. Also, show run. show run interface <blah>. If you have a Cisco Smartnet contract, you can get a login to Cisco.com that gives you access to tools and documentation. The output interpreter is your friend. Read the articles it links to. Do a lot of preparation and reading and call the TAC if you can. Don't get fancy, configure what you set out to do and write mem when you can confirm beyond a doubt it works. Then you can always reboot and go back to the old config if you mess up and things are broken. If your users tell you the network is slow, talk to them and make them show you, if you can't confirm that yourself somehow remotely. The users who tell you it's slow are often the ones who really use it and will have the most information about what is wrong. A properly configured network should only be as slow as its smallest link. Now here is where Cacti is useful: are your interface graphs spiking and plateauing similarly? Then you may be undersized, and it's difficult to tweak anything to make a link send more traffic than it's designed to. At that point, traffic and protocol analysis (sniffing) will tell you if it's production traffic saturating your links or not, and if you can justify the cost or have to tell/make users to knock it off. bort fucked around with this message at 04:50 on Nov 18, 2011 |
# ? Nov 18, 2011 01:35 |
|
Frozen-Solid posted:We've had random complaints that "everything is slow" for the past few weeks... I advocate ignoring those kinds of complaints for a variety of reasons:
-They aren't any kind of objective measurement of any data you can act on. Real information is in a network management system.
-Networking is a systemic, macro level thing. Uh...metaphor time...take care of the tree trunk and the branches, the leaves are someone else's problem. There are many branches and many leaves, if you're dealing with one leaf you're detracting from your ability to serve the whole.
-If there really is a problem making things slow for everyone you should have already noticed. When my ability to constantly screw off on the internet is degraded, I certainly look into it.
|
# ? Nov 18, 2011 13:02 |
|
inignot posted:-Networking is a systemic, macro level thing. Uh...metaphor time...take care of the tree trunk and the branches, the leaves are someone else's problem. There are many branches and many leaves, if you're dealing with one leaf you're detracting from your ability to serve the whole. I'll take your metaphor even a step further, sometimes the promise of miracle grow (MORE BANDWIDTH!) is even better than the real thing. The first thing I ask anyone that complains about slowness is "how's the internet?" If the response is anything other than "it's complete poo poo!" then they can talk to the app people. Because you've got a 99.999% chance that some shithead developer decided to promote code into Production without following proper change management.
|
# ? Nov 18, 2011 15:46 |
|
The thing is, we have objective and measured, as well as personally experienced issues. We have been trying to track down the causes of the issues, which is one of the primary reasons I've put more efforts into better network monitoring tools. The problem is we have no baseline from before "everything is slow". We've tracked down the issue to several possible causes and are slowly fixing what we can find, but I still want to cover all my bases. I see a strange spike in CPU usage on the ASA, and I have no idea whether that's expected behavior or something that needs looked into further.
|
# ? Nov 18, 2011 17:47 |
|
Anyone have any experience with the ONS 15454 M6 chassis? I'm doing some research to see if it'll work at a new, small site, but everything I see isn't exactly clear. It says all the old cards will work (other than control cards), and I assume that means the XC-VXC-10g and DS3XM12s (I know it doesn't have BNC ports on it, all we're doing is bringing x DS3s in, and muxing the T1s into an OC3 to bring to another site, and I think XM12 is the easiest way to do it)? Has anyone had any problems with them? Any stability issues? It seems to be a fairly new product (~2 years) so I haven't been able to find a whole lot on it other than on Cisco's site.
Panthrax fucked around with this message at 17:59 on Nov 18, 2011 |
# ? Nov 18, 2011 17:52 |
|
Frozen-Solid posted:The thing is, we have objective and measured, as well as personally experienced issues. We have been trying to track down the causes of the issues, which is one of the primary reasons I've put more efforts into better network monitoring tools. The problem is we have no baseline from before "everything is slow". As someone else said, 20% spike in CPU usage is really nothing to worry about. It might look big on the graph but it can happen for many reasons, I would only worry if it were somewhere closer to 80 or 90% and I knew I didn't have a ton of ACLs or inspection rules that would cause it. I would suggest looking at your interfaces and verifying there are no send/receive errors. Look for spanning changes or loops that may be putting your traffic through a 10/100 switch on someone's desk. Make sure port speeds and duplex settings are correct.
|
# ? Nov 18, 2011 18:29 |
|
Panthrax posted:Anyone have any experience with the ONS 15454 M6 chassis? I'm doing some research to see if it'll work at a new, small site, but everything I see isn't exactly clear. It says all the old cards will work (other than control cards), and I assume that means the XC-VXC-10g and DS3XM12s (I know it doesn't have BNC ports on it, all we're doing is bringing x DS3s in, and muxing the T1s into an OC3 to bring to another site, and I think XM12 is the easiest way to do it)? Has anyone had any problems with them? Any stability issues? It seems to be a fairly new product (~2 years) so I haven't been able to find a whole lot on it other than on Cisco's site. Don't assume, ask your SE. The M2/M6 seems to be more of an optical/DWDM shelf - so I wouldn't count on any electrical cards working in it. If you're wanting something more compact than a 15454 for an aggregation site, look at the 15300 series (like a 15310-CL). I believe the ports in those are straight DS3 ports though (no transmux) so you'd need to transport it as an STS-1 back to an XM12 in portless mode somewhere else in the network.
|
# ? Nov 18, 2011 19:15 |
|
Frozen-Solid posted:We've tracked down the issue to several possible causes and are slowly fixing what we can find, but I still want to cover all my bases. I see a strange spike in CPU usage on the ASA, and I have no idea whether that's expected behavior or something that needs looked into further.
|
# ? Nov 19, 2011 09:14 |
|
I replaced a switch at a branch office that we recently acquired today, and ran into some trouble. I pulled their unmanaged dell switch and put in a cisco 2960. I configured each access port with vlan 2 as the access vlan. When I plugged in the existing 2600 series router, spanning tree would complain about a vlan mismatch and disable the port. I was able to get around it by marking the port as a trunk port with vlan 2 as the native vlan, but I am curious how in the future I can avoid this kind of issue (without setting the port to a trunk mode port, which is not ideal because I can't just send the switch to the branch office and ask the end users to move all of the wires over). The router in question had no vlan tagging defined on any interface.
|
# ? Nov 20, 2011 05:35 |
|
adorai posted:I replaced a switch at a branch office that we recently acquired today, and ran into some trouble. I pulled their unmanaged dell switch and put in a cisco 2960. I configured each access port with vlan 2 as the access vlan. When I plugged in the existing 2600 series router, spanning tree would complain about a vlan mismatch and disable the port. I was able to get around it by marking the port as a trunk port with vlan 2 as the native vlan, but I am curious how in the future I can avoid this kind of issue (without setting the port to a trunk mode port, which is not ideal because I can't just send the switch to the branch office and ask the end users to move all of the wires over). The router in question had no vlan tagging defined on any interface. Wouldn't that be the issue then? If the 2600 didn't have any vlans defined then it would be defaulted to a native vlan1. Try to plug it into a switch access port on vlan2 and there's your mismatch. You should be trunking the router and the switch.
|
# ? Nov 20, 2011 06:03 |
|
The 2600 wouldn't be passing vlan info unless it were using a dot1q subint, bvi, or switch module.
|
# ? Nov 20, 2011 16:59 |
|
Nitr0 posted:Wouldn't that be the issue then? If the 2600 didn't have any vlans defined then it would be defaulted to a native vlan1. Try to plug it into a switch access port on vlan2 and there's your mismatch. You should be trunking the router and the switch. falz posted:The 2600 wouldn't be passing vlan info unless it were using a dot1q subint, bvi, or switch module.
|
# ? Nov 20, 2011 17:07 |
|
We're looking at giving VTPv3 a whirl in two of our data centres and the buildings they are in. The catch is that we're running layer 2 between the two buildings and there is significant VLAN overlap at each site. I'm reasonably sure that all I need to do is: code:
 interface TenGigabitEthernet1/10/1
  switchport
  switchport mode trunk
  switchport nonegotiate
  switchport trunk allowed vlan remove 2-4094
  switchport trunk allowed vlan add 2000,2100,2101,3011,3012,3313,3992
  ! other config
Am I missing anything obvious?
|
# ? Nov 22, 2011 04:04 |
|
ruro posted:We're looking at giving VTPv3 a whirl in two of our data centres and the buildings they are in. The catch is that we're running layer 2 between the two buildings and there is significant VLAN overlap at each site. I'm reasonably sure that all I need to do is: Shouldn't need the remove statement if you have pruning enabled.
|
# ? Nov 22, 2011 12:51 |
|
I had something resurface today that I thought I had figured out, but I am probably wrong. It has to do with ASA/VPN/NAT. Long story short, we are connecting to a partner via site to site. ASA's on both ends. We have them apply NAT's for their devices on their ASA (site A). They have another site that connects via VPN (site B). They have one outside interface that the tunnels are being established on. Can it be setup so that the ASA at site A can NAT the traffic coming from site B before it goes across the tunnel back to us. I wouldn't think it could because the traffic from site B would never hit the inside interface and therefore couldn't be NAT'd. Or am I thinking about this incorrectly or missing something?
|
# ? Nov 23, 2011 07:24 |
|
CaptainGimpy posted:Can it be setup so that the ASA at site A can NAT the traffic coming from site B before it goes across the tunnel back to us. I wouldn't think it could because the traffic from site B would never hit the inside interface and therefore couldn't be NAT'd. Or am I thinking about this incorrectly or missing something? This can be done, it's called NAT U-Turn and it can be done dynamically. I always made fun of TAC making you go to a NAT or VPN or ACL or Whatever specialist when calling about the ASA's, now I understand.
|
# ? Dec 1, 2011 05:44 |
|
We have about 50 sites with a single MPLS T1 running off a 1751 or 2901 router. We would like to be able to offer bare bones public wifi at all of these sites. We could afford to lose 250kbps at many of these sites, and that would almost certainly be sufficient for our public wifi needs. Is there a way we can securely segment this traffic to keep it away from our internal assets without having to maintain access lists on each router? If we have to pay for DSL at each site that is ok, but I would like to save some cash if possible.
|
# ? Dec 1, 2011 23:50 |
|
adorai posted:We have about 50 sites with a single MPLS T1 running off a 1751 or 2901 router. We would like to be able to offer bare bones public wifi at all of these sites. We could afford to lose 250kbps at many of these sites, and that would almost certainly be sufficient for our public wifi needs. Is there a way we can securely segment this traffic to keep it away from our internal assets without having to maintain access lists on each router? If we have to pay for DSL at each site that is ok, but I would like to save some cash if possible. We have a remote site that has a T1 + IPSec tunnel over DSL and the only time they notice if their connectivity is down is if they lose power or unplug cables.
|
# ? Dec 2, 2011 02:16 |
|
adorai posted:We have about 50 sites with a single MPLS T1 running off a 1751 or 2901 router. We would like to be able to offer bare bones public wifi at all of these sites. We could afford to lose 250kbps at many of these sites, and that would almost certainly be sufficient for our public wifi needs. Is there a way we can securely segment this traffic to keep it away from our internal assets without having to maintain access lists on each router? If we have to pay for DSL at each site that is ok, but I would like to save some cash if possible. Who's controlling the MPLS? You should be able to create a separate VRF for Wifi at each site, but if this is through a provider you'll have to ask them to set it up. And it probably won't be cheap since they have to touch every site you have a router at... Alternately if they don't extend MPLS all the way out to the CE router they could potentially vrf-lite on the CE and use 2 separate groups of channels on the T1 (channels 1-20 for private data, channels 21-24 for public) but that would hard cap private data at 1.25 and wifi at .25, and this is only possible if the T1 WICs are multichannel capable.
|
# ? Dec 2, 2011 03:34 |
|
ragzilla posted:You should be able to create a separate VRF I keep reading about using VRF for all kinds of things but I don't know what it is and what the configuration would look like. Could someone please show me a sample configuration and give a little bit of info on why and when you would use a VRF?
|
# ? Dec 2, 2011 03:42 |
|
ElCondemn posted:I keep reading about using VRF for all kinds of things but I don't know what it is and what the configuration would look like. Could someone please show me a sample configuration and give a little bit of info on why and when you would use a VRF? code:
When you get into using MP-BGP and VRFs you can do other things like leaking routes between VRFs which we plan to use to leak our service networks (backup products, voice products) directly into the customer VRF so it drops in behind their firewall. This requires a little bit more coordination with address space (we have to assign address space to the customer, then we only leak that particular prefix into our service VRF, and we leak our service address space into the customer VRF). -edit- Somewhat important to note is that this is different from SDR on IOS-XR platforms. SDR (secure domain routing) is a hardware level 'VRF' where you assign physical line cards and interfaces into a logical partition that is essentially its own IOS instance with its own users, configuration, etc. VRFs are all still configured from the global IOS instance, there's no way to hand out a login to a VRF for the customer to perform their own troubleshooting/configuration- that all has to be handled by whatever org has overall control of the device. ragzilla fucked around with this message at 04:16 on Dec 2, 2011 |
# ? Dec 2, 2011 04:11 |
|
You can do similar on JunOS and it's really useful, unless you happen to be running a fully supported and recommended version of JunOS that happens to have completely non-functional routing-instances and you end up wasting days at a customer site with JTAC on the phone and no one can figure out why this poo poo is working.
|
# ? Dec 2, 2011 04:32 |
|
adorai posted:We have about 50 sites with a single MPLS T1 running off a 1751 or 2901 router. We would like to be able to offer bare bones public wifi at all of these sites. We could afford to lose 250kbps at many of these sites, and that would almost certainly be sufficient for our public wifi needs. Is there a way we can securely segment this traffic to keep it away from our internal assets without having to maintain access lists on each router? If we have to pay for DSL at each site that is ok, but I would like to save some cash if possible. I'd recommend buying a WLC (wireless lan controller). Then your access points can easily tunnel the guest traffic back to your HQ and egress their traffic in a DMZ. No WAN changes needed!
|
# ? Dec 2, 2011 18:50 |
|
ragzilla posted:VRF info Thanks for explaining it this way, I had trouble understanding it before but I think I get what's going on. I use policy based routes in a few places where I think using VRF may help me out.
|
# ? Dec 3, 2011 14:00 |
|
Hoping someone can help me out with this retardly simple problem. One of my branches is running a 870 adsl modem/router. I'm not particularly a Cisco guy, but I have messed around by telnetting in and setting up an IPSec VPN before. It appears we've got a zombie somewhere at that location sending out spam (and causing us blacklist issues). Can anyone explain (or point me to a guide) that gives step by step instructions on how to block port 25 outbound for all ips except a specific subset? (i.e. the exchange server + another backup smtp server) - including writing the config to memory , and all the little things that inexperienced people wouldn't know? Also, is there any free/cheap easy to implement traffic analysers so I can track this zombie down and hit the user with a sledgehammer?
|
# ? Dec 4, 2011 07:02 |
|
roflsaurus posted:Hoping someone can help me out with this retardly simple problem. One of my branches is running a 870 adsl modem/router. I'm not particularly a Cisco guy, but I have messed around by telnetting in and setting up an IPSec VPN before. Someone correct me if I am wrong here. code:
 access-list BLOCK_SPAM permit TCP <server ip> 0.0.0.0 any 25
 access-list BLOCK_SPAM permit TCP <backup server ip> 0.0.0.0 any 25
 access-list BLOCK_SPAM deny TCP <your subnet> 0.0.0.255 any 25
... so if your network is 192.168.1.0 then put that. Then you have to apply it to an interface, which I would recommend your inside: code:
 interface <interface>
  ip access-group {number|name} {in|out}
.... so in this case, if your inside interface is say fastethernet 0/1 you want interface fastethernet 0/1... then ip access-group BLOCK_SPAM in
To save your settings (I recommend you see if this works first): copy run start (or wr me)
To see if this is working use: show access-list... I believe it should show a 'counter'
EDIT: Don't take my word on this, I am very new to the industry... don't use the < > when putting in those characters... those are just reference.
EDIT2: What would help A LOT is if you do a show run and post it here... we will get you sorted. Bardlebee fucked around with this message at 09:35 on Dec 4, 2011 |
# ? Dec 4, 2011 09:24 |
|
Bardlebee posted:Someone correct me if I am wrong here. I think that ACL needs an "eq" - or maybe I'm thinking of a different type. I'd add "log" to your deny statement which will log hits on the ACL with the source and dest IP, so code:
 access-list BLOCK_SPAM deny TCP <your subnet> 0.0.0.255 any eq 25 log
Do keep in mind that access list logging causes logged packets to be fast-switched (though I don't know if an 870 will do CEF anyway), so keep an eye on your cpu to make sure you don't get DoSed.
Edit: Whoop, also on the permit statements, use the host keyword and not that 0.0.0.0 subnet mask, and don't forget your permit any statement, so to summarize: code:
 access-list BLOCK_SPAM permit TCP host <server ip> any eq 25
 access-list BLOCK_SPAM permit TCP host <backup server ip> any eq 25
 access-list BLOCK_SPAM deny TCP <your subnet> 0.0.0.255 any eq 25 log
 access-list BLOCK_SPAM permit ip any any
!(if you don't put that, all traffic that isn't SMTP destined for your mailserver will get dropped because of the implicit deny) Kenfoldsfive fucked around with this message at 09:57 on Dec 4, 2011 |
# ? Dec 4, 2011 09:51 |
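The corrected list above, checked with a small ACL evaluator instead of on a router. This is an added Python example, not code from the thread; the addresses are constructed stand-ins for the <placeholders> (192.168.1.10 and .11 for the mail servers, 192.168.1.50 for the suspected zombie, 203.0.113.0/24 for outside hosts). It implements IOS wildcard-mask matching and the implicit deny, and runs the same flows against the list with the final permit ip any any left off to show why that line matters.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class AclEntry:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (ip matches every protocol)
    src: int               # source address as a 32-bit int
    src_wild: int          # IOS wildcard mask: 0 bits must match, 1 bits are ignored
    dst: int
    dst_wild: int
    dport: Optional[int]   # None means any destination port
    log: bool = False


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens: list) -> tuple:
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    word = tokens[0].lower()
    if word == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if word == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]


def parse_acl(text: str) -> list:
    """Parse 'access-list NAME action proto src dst [eq PORT] [log]' lines."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue                      # skips blank lines and "!" comments
        action, proto = tokens[2].lower(), tokens[3].lower()
        src, src_wild, rest = _parse_addr(tokens[4:])
        dst, dst_wild, rest = _parse_addr(rest)
        dport = None
        if rest and rest[0].lower() == "eq":
            dport, rest = int(rest[1]), rest[2:]
        entries.append(AclEntry(action, proto, src, src_wild, dst, dst_wild,
                                dport, "log" in (r.lower() for r in rest)))
    return entries


def evaluate(acl: list, proto: str, src_ip: str, dst_ip: str, dport: int) -> tuple:
    """First-match evaluation; anything unmatched hits IOS's implicit deny."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for e in acl:
        if e.proto not in ("ip", proto):
            continue
        if (s | e.src_wild) != (e.src | e.src_wild):   # compare only the mask's 0 bits
            continue
        if (d | e.dst_wild) != (e.dst | e.dst_wild):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, e
    return "deny", None


# Constructed sample values standing in for the placeholders in the thread.
CORRECTED_ACL = """
access-list BLOCK_SPAM permit tcp host 192.168.1.10 any eq 25
access-list BLOCK_SPAM permit tcp host 192.168.1.11 any eq 25
access-list BLOCK_SPAM deny tcp 192.168.1.0 0.0.0.255 any eq 25 log
access-list BLOCK_SPAM permit ip any any
"""
# The same list with the last line forgotten: the pitfall called out in the thread.
MISSING_PERMIT_ANY = "\n".join(CORRECTED_ACL.strip().splitlines()[:3])


def check_flows(acl_text: str) -> dict:
    """Verdict per constructed flow: (label, proto, src, dst, dport)."""
    acl = parse_acl(acl_text)
    flows = [("exchange smtp", "tcp", "192.168.1.10", "203.0.113.5", 25),
             ("zombie smtp", "tcp", "192.168.1.50", "203.0.113.5", 25),
             ("zombie web", "tcp", "192.168.1.50", "203.0.113.5", 443),
             ("dns", "udp", "192.168.1.50", "203.0.113.53", 53)]
    return {label: evaluate(acl, p, s, d, port)[0] for label, p, s, d, port in flows}


if __name__ == "__main__":
    print("with permit ip any any:   ", check_flows(CORRECTED_ACL))
    print("without permit ip any any:", check_flows(MISSING_PERMIT_ANY))
```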
|
Thanks guys, I ended up managing to get a local contractor on site to fix it. Now to hunt down the rogue PC for some percussive maintenance.
|
# ? Dec 5, 2011 05:59 |
|
roflsaurus posted:Thanks guys, I ended up managing to get a local contractor on site to fix it. Now that you've got the ACL in place, crank up logging on the device and point it at a syslog server, you'll be able to see which IP is constantly running into the ACL.
|
# ? Dec 5, 2011 14:29 |
|
Mierdaan posted:Now that you've got the ACL in place, crank up logging on the device and point it at a syslog server, you'll be able to see which IP is constantly running into the ACL. I don't suppose you've got a link to a walkthrough on this? I'm fine with the non-Cisco stuff (i.e. building a syslog server), but not configuring the 870 to send it there.
|
# ? Dec 5, 2011 23:45 |
|
code:
 conf t
 logging 10.x.x.x
 end
 wr
where 10.x.x.x is your syslog server ip.
|
# ? Dec 6, 2011 01:52 |
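Once the router is logging to a syslog server as above, hits on the deny line with the log keyword arrive as %SEC-6-IPACCESSLOGP messages. This added Python example (not from the thread) parses constructed sample lines in that format and totals denied packets per source so the host Mierdaan describes stands out; the router address 192.168.1.1, the LAN hosts and the outside mail servers are assumed values.

```python
import re
from collections import Counter

# Message format IOS emits for hits on an ACL entry carrying the "log" keyword.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<verdict>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample of what the syslog server would store. 192.168.1.1 is the
# assumed router, .50 and .77 assumed LAN hosts, 203.0.113.5 and 198.51.100.20
# documentation-range stand-ins for outside mail servers.
SAMPLE_LOG = """\
Dec  5 14:29:01 192.168.1.1 43: *Dec  5 14:29:00.511: %SEC-6-IPACCESSLOGP: list BLOCK_SPAM denied tcp 192.168.1.50(49152) -> 203.0.113.5(25), 1 packet
Dec  5 14:29:03 192.168.1.1 44: *Dec  5 14:29:02.017: %SEC-6-IPACCESSLOGP: list BLOCK_SPAM denied tcp 192.168.1.50(49153) -> 198.51.100.20(25), 1 packet
Dec  5 14:29:05 192.168.1.1 45: *Dec  5 14:29:04.902: %SEC-6-IPACCESSLOGP: list BLOCK_SPAM denied tcp 192.168.1.77(50001) -> 203.0.113.5(25), 1 packet
Dec  5 14:34:01 192.168.1.1 46: *Dec  5 14:34:00.120: %SEC-6-IPACCESSLOGP: list BLOCK_SPAM denied tcp 192.168.1.50(49160) -> 203.0.113.5(25), 38 packets
Dec  5 14:34:09 192.168.1.1 47: *Dec  5 14:34:08.700: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.1.10)
""".splitlines()


def parse_acl_log(line: str):
    """Return the fields of an IPACCESSLOGP message, or None for any other line."""
    m = ACL_LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def rank_denied_sources(lines, acl: str = "BLOCK_SPAM", dport: int = 25) -> list:
    """Total denied packets per source IP for one ACL and port, busiest first.

    IOS logs the first matching packet at once and then a summary line
    ("N packets") about every five minutes, so the count field is summed
    rather than counting log lines."""
    totals = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if (rec and rec["acl"] == acl and rec["verdict"] == "denied"
                and rec["dport"] == dport):
            totals[rec["src"]] += rec["count"]
    return totals.most_common()


if __name__ == "__main__":
    for src, packets in rank_denied_sources(SAMPLE_LOG):
        print(f"{src:<16} {packets} denied SMTP packets")
```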
|
We've had an issue with a 2940 12.1(22) which is connected to the LAN via a Symbol AP-5151, where it will just stop responding altogether. The AP responds OK, but the switch is silent. A power-cycle of the 2940 brings it back up again, and all is well, maybe for a few weeks, or a couple of months, but then the same thing will happen again. Are there hints I might pick up from the switch which would indicate if it's just crashing, or has some sort of physical fault?
|
# ? Dec 6, 2011 04:19 |
|
lazyman posted:We've had an issue with a 2940 12.1(22) which is connected to the LAN via a Symbol AP-5151. Where it will just stop responding altogether. The AP responds OK, but the switch is silent. sh flash: If it crashed, there should be tracebacks/crash logs saved to flash.
|
# ? Dec 6, 2011 05:01 |
|
Kenfoldsfive posted:sh flash: Thanks for this, but I guess not.. code:
|
# ? Dec 6, 2011 05:24 |
|
I'm walking into a new job, mainly in a Windows Administrator role, but I've been informed I'm going to get stuck with a bit of networking too, namely to support the domain I'm to stand up and administer. The situation:
Site A - Cisco ASA5505
Site B - Cisco ASA5505
Right now, they're independent sites that they use a Cisco VPN client to connect from their corporate office; over the internet. They want the sites (including Site C, their corporate office) all on one contiguous domain via VPN. Question) Will a third ASA 5505 at Site C enable me to do a mesh VPN between the three sites? How complicated is the configuration? I don't want to particularly do any traffic filtering. Relatively low traffic between all 3 sites. Just trying to point my nose in the right path. Walked fucked around with this message at 20:20 on Dec 6, 2011 |
# ? Dec 6, 2011 20:18 |
|
Walked posted:I'm walking into a new job, mainly in a Windows Administrator role, but I've been informed I'm going to get stuck with a bit of networking too, namely to support the domain I'm to stand up and administer. Set up site-to-site ipsec tunnels between each office using the wizard in the ASDM. Make sure you match your crypto-map and have a trusted cert if you don't use a passphrase.
|
# ? Dec 6, 2011 20:56 |