ionn
Jan 23, 2004

Din morsa.
Grimey Drawer

InferiorWang posted:

Cheers. I checked the Gi0/1 interface and it was set to auto duplex which in turn put it as half duplex.

That's what happens if you connect an auto-duplex port to a full-duplex one. Since it can't autonegotiate, it goes to half-duplex, and you get a shitload of unnecessary duplex collisions (because the other end still sends as if it were full duplex).


ionn
Jan 23, 2004

Din morsa.
Grimey Drawer
I'm wondering a bit about the Cisco 1811 / 1812. How useful are those extra 8 ports, really? It's called an "8 port switch", but I've seen configs where they're referred to as FastEthernet 2-9. What can they actually do?
An ISP has one of those at our site, and they have connected FastEthernet 1 to one of the "switch" ports (and we connect to another one of them), is that really the only way to get any traffic out of those ports? With some vlans, that would get me a sort-of 8-port router (with 2 ports used up by a silly cable), but where 7 of them share a common 100Mbit.

It would probably still be perfectly usable for what I would need it for (just need to separate some lans from the rest of our network with a separate router, due to private networks colliding between us and a client).

ionn
Jan 23, 2004

Din morsa.
Grimey Drawer
If at all possible, I definitely wouldn't just stick a cable between two ports like that, but one of our ISPs does that. We just upgraded from a 4Mbit DSL pipe to a 30Mbit fiber link, and they both had the same setup with a Cisco 1812 each: Fe0 to DSL modem / fiber converter, Fe1 to Fe2, we hook up our stuff on ports 3 to 9 (though we only use one port at the moment). Seems to me they have ports 2-9 just set up as a switch, completely separate from the rest of the router (which only uses 0 and 1). Silly, but that's how they do it. They also didn't know if their switchports were set to auto/auto or 100/full...

If I can get two "proper" interfaces on Fe0 and 1, and the other 8 to only run untagged stuff (even sharing 100Mbit between them), 1811/1812 suits my needs just fine. I can even use the same setup for two different clients, so if I can get them both to pay for it, I'll get a couple of useful lab boxes as well. I think I can even sell them the idea of having a pair of them (with HSRP).
How are they performance-wise? I only need fairly simple routing (~50 routes static and OSPF, no address translation or encryption, a couple of simple ACL's), and the wan links in question are under 10Mbit. If I were to fill it up with more stuff, how much would it be able to handle? I really don't need to be able to get wire-speed on 8 10Mbit interfaces all at once, either.

ionn
Jan 23, 2004

Din morsa.
Grimey Drawer

inignot posted:

I use loopbacks on all my routers. They are used for the routing protocol router id, the snmp trap source, the tacacs source, the ntp source, the syslog source, and the icmp/snmp polling destination.

Definitely. Interface addresses come and go, but a good loopback lasts forever.

ionn
Jan 23, 2004

Din morsa.
Grimey Drawer

brent78 posted:

I have a pair of stacked 3750's with a couple VLANs. One VLAN is used for Internet based traffic and the other is private SAN traffic. I'd like to use an mtu of 9000 for the second vlan, however from what I've read the mtu can only be set system wide and not per interface or vlan. How will having a sys mtu of 9000 affect internet traffic that upstreams to a pair of ASA's that have an mtu of 1500?

Shouldn't affect things at all, since it probably won't be the 3750's generating the traffic. If everyone else on the "internet" VLAN uses mtu 1500 (which they would unless explicitly told otherwise), no one will ever notice anything.

ionn
Jan 23, 2004

Din morsa.
Grimey Drawer
I'm not sure if I have ever seen the Windows DDNS function work properly for the virtual interfaces created from VPN or PPP or such things. On the other hand, I can't see why not having a DNS name should cause problems for a client connecting over VPN. Having DNS names for client PC's (from VPN or on a LAN) is nice to have, but rarely really needed for applications to work. Also, I thought the whole point of still having WINS is to be able to cover just that, some kind of naming service (to map a share at a client PC with a certain name or something) when DNS is not around. I have never had to bother with WINS since Windows 2000 (which speaks DNS well).

Might be they can get by with just having any kind of proper DNS name, like if there is some app requiring a name in a certain domain to grant access. In that case, just generate a bunch of generic names (vpn-dynamic-123.foo.bar or something), forward and backward for the entire address pool.

I would make sure whoever requires it specifies for what purposes they need DNS names, and see if they really know what they're talking about.

(this is in no way a solution, but getting rid of the problem altogether is always a good fix :v: )

ionn
Jan 23, 2004

Din morsa.
Grimey Drawer
What effect, if any, will GRE have on network performance (mainly in terms of latency)?
We have a 100Mbit link through a provider network (MPLS), and I need my routers at each end to talk OSPF. I'm thinking GRE, but I'm not sure what effect it will really have.
Latency now is really low (just a couple ms), but I don't want to start adding too much to that since we are running lots of voice traffic. That data is in fairly small packets (and properly QoS tagged), so those packets shouldn't be bothered by the possible fragmentation from GRE affecting MTU.

ionn
Jan 23, 2004

Din morsa.
Grimey Drawer
What I have at the moment are a pair of 2801's, not sure how much they can take though I can definitely try with encryption as well.

Wouldn't that router still have to fragment stuff, unless I were to lower the MTU of all hosts as well (or at least the couple of routers from which data can come, letting them fragment instead)?
What does "ip tcp adjust-mss 1400" do that "mtu 1400" doesn't?

ionn
Jan 23, 2004

Din morsa.
Grimey Drawer

jwh posted:

You're going to be stuck with qos-preclassify, so make sure you understand what that will mean for you. If you influence any selective discard behavior within your provider's MPLS network currently, through dscp or ip precedence, or whatever, make sure you think about the effect of encapsulating everything in GRE.

Here's an Avaya paper on voip and dmvpn: http://www.avaya.com/master-usa/en-us/resource/assets/applicationnotes/dmvpn_app.pdf

I might have the option of using some routing protocol directly with the providers routers (not sure which ones they support), which would solve our issues rather nicely without having to do GRE. I would still prefer if what we got from them would look like a "normal" layer 2 link, which is sort of what GRE would do. Since we're probably adding 3-4 sites and will need to do some other strange stuff with that network, we'll have to see what they can do for us (including QoS stuff). The example setup in that Avaya paper actually fits pretty well into what we want to do. Question is just if I can get the stuff needed to do it (right now I'm sitting with IPBASE-equipped 2801's).

jwh posted:

tcp adjust-mss modifies the, er, tcp mss of the packets traversing the GRE tunnel. It's a clever thing, because if TCP never tries to shove more than 1400 bytes into an IP packet, then you don't have to worry about the combined IP, TCP, ESP, and GRE headers exceeding the interface MTU, which would cause fragmentation. By contrast, lowered tunnel MTU will fragment data.

The problem is that adjust-mss won't work for non-tcp traffic, so you'll still almost always see lowered tunnel MTU's as well. If you use both, just make sure your adjust-mss is lower than the MTU.

Ah, so it "hijacks" and changes the mss of the syn packets? Clever, indeed. Wasn't even aware that you could do that.
I don't think there will be much non-tcp traffic that will approach the MTU/MSS sizes. If it can make sure most (if not all) of the TCP traffic doesn't need to be fragmented, that should be all good.
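To make the "hijacks the SYN" idea concrete, here is an added Python model (not Cisco code, not from the thread) of what adjust-mss does: it parses the TCP options of a SYN, rewrites the MSS if it is larger than the limit, and patches the checksum incrementally (RFC 1624) the way a router would. It also carries the MTU arithmetic from the discussion (1500-byte link, plain GRE). Assumed simplifications: IPv4, a 4-byte GRE header with no key/sequence fields, no IPsec, and a checksum computed over the segment only (the real TCP checksum also covers a pseudo-header, which does not change the incremental update). The sample SYN is constructed inline.

```python
"""Toy model of "ip tcp adjust-mss" on a TCP SYN crossing a GRE tunnel (added
illustration; assumptions: IPv4, 4-byte GRE header, no IPsec, no pseudo-header)."""
import struct

TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2
TCP_FLAG_SYN = 0x02
IPV4_HDR, TCP_HDR = 20, 20
GRE_OVERHEAD = IPV4_HDR + 4  # outer IPv4 header + GRE header without key/seq


def tunnel_mss(egress_mtu: int, encap_overhead: int = GRE_OVERHEAD) -> int:
    """Largest TCP payload that still fits one packet after encapsulation.
    This is the arithmetic behind choosing the adjust-mss value."""
    return egress_mtu - encap_overhead - IPV4_HDR - TCP_HDR


def ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def incremental_checksum(old_csum: int, old_word: int, new_word: int) -> int:
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'): fix the checksum after one
    16-bit word changed, without touching the rest of the packet."""
    s = (~old_csum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_syn(src_port: int, dst_port: int, mss: int, pad_nop: bool = False) -> bytes:
    """Constructed sample SYN with an MSS option; pad_nop puts a NOP in front so
    the MSS value straddles a 16-bit checksum word (the awkward case)."""
    opts = struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
    if pad_nop:
        opts = b"\x01" + opts + b"\x01\x01\x01"  # NOP + MSS + NOP padding to 8 bytes
    data_offset = (TCP_HDR + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0x1000, 0,
                      data_offset << 4, TCP_FLAG_SYN, 65535, 0, 0)
    seg = hdr + opts
    return seg[:16] + struct.pack("!H", checksum(seg)) + seg[18:]


def checksum_ok(seg: bytes) -> bool:
    zeroed = seg[:16] + b"\x00\x00" + seg[18:]
    return checksum(zeroed) == struct.unpack("!H", seg[16:18])[0]


def find_mss_option(seg: bytes):
    """Walk the TCP options; return the offset of the 2-byte MSS value or None."""
    data_offset = (seg[12] >> 4) * 4
    i = TCP_HDR
    while i < data_offset:
        kind = seg[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        length = seg[i + 1]
        if length < 2:
            return None  # malformed option, stop rather than loop forever
        if kind == TCP_OPT_MSS and length == 4:
            return i + 2
        i += length
    return None


def mss_of(seg: bytes):
    off = find_mss_option(seg)
    return None if off is None else struct.unpack("!H", seg[off:off + 2])[0]


def clamp_mss(seg: bytes, max_mss: int) -> bytes:
    """Rewrite the MSS option of a SYN if it exceeds max_mss. Non-SYN segments
    and SYNs without MSS pass untouched: this only ever helps TCP, which is
    why a lowered tunnel MTU is still needed for everything else."""
    if not seg[13] & TCP_FLAG_SYN:
        return seg
    off = find_mss_option(seg)
    if off is None or struct.unpack("!H", seg[off:off + 2])[0] <= max_mss:
        return seg
    out = bytearray(seg)
    out[off:off + 2] = struct.pack("!H", max_mss)
    csum = struct.unpack("!H", seg[16:18])[0]
    # Patch every checksum word the rewrite touched (two if the value straddles one).
    for w in range(off - (off % 2), off + 2, 2):
        old_w = struct.unpack("!H", seg[w:w + 2])[0]
        new_w = struct.unpack("!H", bytes(out[w:w + 2]))[0]
        csum = incremental_checksum(csum, old_w, new_w)
    out[16:18] = struct.pack("!H", csum)
    return bytes(out)


if __name__ == "__main__":
    syn = build_syn(40000, 443, 1460)      # host on a 1500-byte LAN offers 1460
    fixed = clamp_mss(syn, 1400)           # the "ip tcp adjust-mss 1400" case
    print(tunnel_mss(1500), mss_of(syn), mss_of(fixed), checksum_ok(fixed))
```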

ionn
Jan 23, 2004

Din morsa.
Grimey Drawer

jwh posted:

I don't know who your MPLS WAN vendor is, but if it's AT&T, ask about their 'AVPN' product. If it's anybody else, tell them you want VPLS maybe? I dunno.

All ISR routers received BGP support in the IP BASE image beginning with 12.4(11)T.

So that could be good.

Well, I'm in Sweden and it's a relatively small regional provider (northern Europe only).

I've got circuits over MPLS networks from two different (regional) providers. One of them was presented as a plain layer 2 link (though, I think, without broadcast), the other is as a layer 3 link. None of them have even suggested we do the MPLS LER ourselves, but I'll ask for it and see what they say. Surely, these guys should be able to come up with something better than the routing mess that will ensue if we continue on in the current direction.

BGP is something I'll probably only look into if all else fails... ;)


Edit: Yep, they won't let us run MPLS LER ourselves, but they can just present the whole thing as a L2 network (which will be way easier to set up and administer, especially since we're adding a few nodes to it).

ionn fucked around with this message at 17:32 on Dec 11, 2007

ionn
Jan 23, 2004

Din morsa.
Grimey Drawer

Reefer Inc. posted:

I've tried it. One day it's going to be a very useful app, but at the moment it's very limited in features and more of an interesting concept than anything else. It couldn't even import or export a Dynagen config file when I looked at it last, and it also prevented you from using a lot of the standard Dynamips options if you chose to run it from GNS3. But the development seemed to be moving pretty fast and I wouldn't be surprised if they'd added a lot of the missing features by now. Definitely one to watch...

GNS3 actually generates dynagen config files when saving or loading (and is built on dynagen stuff to launch dynamips). And the graphical topology and general gui-ness sure is useful at times. It is still a bit too bug-riddled, but I'm sure it will get better.

ionn
Jan 23, 2004

Din morsa.
Grimey Drawer

jbusbysack posted:

It seems that 2800's with switch WIC cards work with Show int status.
flash:c2800nm-advipservicesk9-mz.124-11.T2.bin which is a 2811 modular router it works on, while a 2811 with the same code version but without a switchcard does not have that functionality.

The L2 switch interface modules work with "sh int status", since that is switch hardware. The built-in "real" FastEthernet interfaces aren't present in the output, are they?

ionn
Jan 23, 2004

Din morsa.
Grimey Drawer
How are Cisco's layer 3 switches when used as routers, really?

We need to upgrade our ancient SSR routers with something that has lots of ports, at least a few of them gigabit, and full resilience. A pair of 24-port 3560G with the "advanced" image would cost way less than "real" routers with all the interface cards we would need. From what I can gather, the advanced image for L3 switches give me about the same features as ipbase, which is well enough. It needs to handle OSPF, and a routing table of maybe 100 entries. It's not like I need wirespeed routing on all ports simultaneously, but at least some decent kind of throughput (a few gigabits total, almost all of it between a few directly attached networks). 32Gbps / 38.7Mpps is plenty (though one is "large packets", the other "small packets"), but will it deliver something like that at layer 3?

Will a 3560G do the job, or do we need to spend loads more money for something with way less ports (3845 or 2651 + modules)? I've talked to a couple of Cisco partner-reseller dudes, and they basically just say "hell yes, L3 switches rock, but you should really buy the 3750 or 3750-E they're cooler", but since they're salesmen, I have no reason to trust them. Other people say "you need a real router, L3 switches are no good", but without much technical facts to support that view.

Also, what is _really_ the difference between 3560G and 3750G (specifically WS-C3560G-24TS-E and WS-C3750G-24TS-E)? I really don't need the stackwise thing (to me, that seems mainly useful for switching, not routing) or 10G.

ionn
Jan 23, 2004

Din morsa.
Grimey Drawer
Well, with the amount of routes we have, TCAM size shouldn't be a problem for anything that calls itself a router. If I've understood anything about things like CEF, this is what it should be pretty good at. Anything else (various GRE tunnels and access lists, all of it quite low-bandwidth stuff) is and will mostly be done by separate hardware (2801 is the current weapon of choice).
It will do pretty straightforward "nothing-but-routing". We run QoS for voice traffic, but everything is tagged and ready from the source.

I could understand people who don't like the "simple" L3 switches. Those that just can do static routing and RIP wouldn't be a replacement for most "proper" routers, but these advanced-image L3 ones should do the job just fine, and if you need more than 3 gig ports and a few FE ones, it's hard to beat the price. Now I'll have 28, which is shitloads.

The port configuration that makes sense for us is the -24TS-E (24 gig copper + 4 SFP). The backplane connectors would be nice to have, but I don't really see the need for them (at least not at a 50% premium). I've seen a faulty ethernet blade in a 6509 (Sup32) bring the entire switch down (despite Cisco saying it never really happened), and if something like that could happen with a stack of 3750's, I'd rather not have it and just set them up as a pair of hsrp routers / spanning-tree switches.

The metal front is :coal:, but Cisco green always looks good.

ionn
Jan 23, 2004

Din morsa.
Grimey Drawer
8 SVIs should fulfill our needs pretty well. We currently have 10 or so router IP interfaces, but I can reduce that to 7 by merging a couple of transit lans, and some nets are just management networks that I could stick behind a 1811 (they really don't need much performance, just a bit of isolation). I can get it down to actually requiring 5 SVI's, which would still give me some room.
If the limit somehow really is "8 SVI's at full speed and everything else with reduced performance", it would be no problem at all. Can anyone find any hard facts about this recommendation?

The 4948 would blow my budget into tiny little pieces I'm afraid, and so would anything involving the 3845. A 2821/2851 with a few modules (HWIC-1GE-SFP and NM-16ESW-1G) plus a layer 2 switch might do the job at a decent cost, but would limit total routing capacity a lot (as it would involve trunking things on a pair of etherchannel gig ports) and leave no or very little room for expansion.
3560G would probably still be the best value for money and performance for what I need, from the looks of it.

ionn
Jan 23, 2004

Din morsa.
Grimey Drawer

Girdle Wax posted:

The true limit is the TCAM size, so long as you can stay within the TCAM limits it will do full wire speed on as many SVIs as you want.

What _is_ the TCAM size, really?

ionn
Jan 23, 2004

Din morsa.
Grimey Drawer
Yeah, I know what the TCAM does, I just hadn't found anything describing the size of it for the 3560. From that table, however, looks like we will be well in the clear. A thousand MAC addresses, a hundred or so unicast routes, 10 VLANs, and that's about it. In which case, the number of SVI's won't be a problem, I guess.

I'll see what I would have to pay for a 4948. I've always disregarded them as too expensive, but I just realized there was a version without 10G as well...

Edit: Seems they're about twice the cost of a 3560G-24TS-E (the 4948 also with the enhanced/advanced/expensive image). If there only was a cheaper 24-port version, it would probably fit well. 2x48 ports is way more than I can justify (and it's probably well outside what I can spend), unless there is something really good about it that we need. I could buy just one, but the major point of the upgrade is to get full resiliency.

ionn fucked around with this message at 22:24 on Jan 24, 2008

ionn
Jan 23, 2004

Din morsa.
Grimey Drawer

jwh posted:

Oh, sorry. Hopefully I didn't come off as patronizing; I wasn't sure if you were asking what the TCAM size was, as in what it did, or only what the size was.

Don't worry about it, I am a noob at this after all. At my last job I just got handed the (horribly overspec'ed) equipment and told what to do with it, and now I get to (and have to) do the whole design myself.

ionn
Jan 23, 2004

Din morsa.
Grimey Drawer

Kreg posted:

Each router currently has 1 ethernet LAN port which is connected to the interior. Will this setup support an ethernet WIC?

The only WIC ethernet module I know of is the WIC-4ESW (a 4-port ethernet switch, which can do at least some kind of routing), but that would require an IOS upgrade to work. There is the WIC-1ENET 10Mbit one, but I don't think it works in the 2600.
Is the NM slot available? If so, get a NM-1FE or NM-2FE2W or something. Can usually be found pretty cheap.



I need to do some NAT stuff, and while I could easily have pulled it off on a big firewall, what I have to work with is a 2801 router and my IOS-fu is rather weak when it comes to NAT. Here is my artistic rendition of the situation:



Fa0/0 = 192.168.10.17/24 (an internal transit network, where there are more routers with various nets)
Fa0/1 = 10.161.17.1/25 (client network, private IP range assigned by partner company)
Vlan93 = 10.161.7.3/29 (small handover network to some VPN gateway, which is not under my control). The interface itself is a SVI on a WIC-4ESW, shouldn't matter too much I hope.

We have a bunch of clients on a network assigned to us by a partner company (which then leads on to a client, and that's the only network allowed in through their firewalls). I need to access a few of their systems from other parts of our internal network, and therefore need to NAT things to have it allowed in.

Some parts of the traffic coming in on Fa0/0 to certain destinations (as specified/allowed by an access list) need to be NAT:ed, and the NAT source needs to be an address inside 10.161.17.0/25. I can steal a small subnet for this. There is another access list already for specifying what stuff between the 10.161.17.0/25 net and the external company is allowed. Traffic between the 10.161.17.0/25 and the rest of the internal network and to some other attached stuff is not to be NAT:ed, only traffic to a few specified destinations (those at the external company).

I guess I should specify a loopback interface with the NAT source address, and some clever access list trickery to specify what is allowed through and NAT:ed, but I'm not sure how it all fits together, or even if it is at all possible. Is it?

ionn
Jan 23, 2004

Din morsa.
Grimey Drawer
What can cause a router to not see any CDP neighbors (and not show up on other routers)?

I have a 2801 router, which simply doesn't see anyone else on CDP. I'm pretty sure it used to, but now it plain refuses to.
It is actually the 2801 I'm having some NAT questions about. It has a twin brother (they serve the same client networks with HSRP), and that one looks just as it should.
HSRP works fine, it seems to have settled down without any further errors. OSPF neighbors show up as they should, but CDP is completely silent. Looks like this:

code:
router01#sh ver
Cisco IOS Software, 2801 Software (C2801-IPBASE-M), Version 12.4(10c), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Tue 24-Jul-07 00:41 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

router01 uptime is 17 minutes
System returned to ROM by reload at 20:26:02 UTC Mon Feb 18 2008
System restarted at 20:26:57 UTC Mon Feb 18 2008
System image file is "flash:c2801-ipbase-mz.124-10c.bin"

Cisco 2801 (revision 7.0) with 114688K/16384K bytes of memory.
Processor board ID F00DEADBEEF
6 FastEthernet interfaces
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

router01#sh cdp interface
FastEthernet0/0 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
FastEthernet0/1 is up, line protocol is up
  Encapsulation 802.1Q Virtual LAN, Vlan ID  1.
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
FastEthernet0/1.37 is up, line protocol is up
  Encapsulation 802.1Q Virtual LAN, Vlan ID  37.
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
FastEthernet0/3/0 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
FastEthernet0/3/1 is up, line protocol is down
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
FastEthernet0/3/2 is up, line protocol is down
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
FastEthernet0/3/3 is up, line protocol is down
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
router0101#sh cdp traffic
CDP counters :
        Total packets output: 19, Input: 0
        Hdr syntax: 0, Chksum error: 0, Encaps failed: 0
        No memory: 0, Invalid packet: 0, Fragmented: 0
        CDP version 1 advertisements output: 0, Input: 0
        CDP version 2 advertisements output: 19, Input: 0
router0101#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID

It sees the OSPF neighbors it should on Fa0/0 (only non-passive OSPF interface), and HSRP works fine on Fa0/1.37.
Its counterpart ("router02") sees the CDP neighbors it should see on Fa0/0:
code:
router02#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
aterminalserver.mydomain.se
                 Fas 0/0            153          R        2610      Eth 0/0
anotherrouter03.mydomain.se
                 Fas 0/0            144        R S I      2801      Fas 0/0
I tried reloading router01 (hence the low packet count), with no change (HSRP still worked fine during the reload). router01 and router02 have nearly identical config, with no access lists blocking stuff on Fa0/0 or Fa0/1.37, and no statements at all regarding cdp. I've done "cdp run" and "cdp enable" (on the interfaces), but just as expected, it doesn't change anything since that's the default.

ionn
Jan 23, 2004

Din morsa.
Grimey Drawer

Anjow posted:

I start ZTerm (the device 'usbserial' is already selected from before) and it displayed 'xxxx' on the screen. I go to connection preferences and change from 38400 to 9600, leaving other settings as they are - service name 'Local', 8N1, local echo disabled and Xon/Xoff still checked. I click okay and it returns me to the screen with 'xxxx' on it. I checked in modem preferences and 'usbserial' is selected. The initialise string is 'ATE1 V1^M'.

I tried unchecking Xon/Xoff and it has the same effect.

You could have strange cabling between the usb-serial dongle and the Cisco device.

Try connecting pin 2 and 3 of your serial port on the usb dongle (with a bent staple or something). If the serial device thingy works, you should see what you're typing on the screen (2 and 3 are send and receive, which will just echo things back to yourself). If that doesn't work, there might be something wrong with the serial adapter. If that does work, you probably have the wrong console cable.

ionn
Jan 23, 2004

Din morsa.
Grimey Drawer

jbiel posted:

Turn off spanning-tree on all ports that are not links to other switches, but you should have some sort of backup links to other switches.

spanningtree portfast
spanningtree bpdu filter enable

This reminds me of something I saw a couple weeks ago when connecting a link to a 3rd party company. At our side, there is a pair of Cisco 2811 routers and 2960 switches (there are lots of connections to other parties, each on separate handover VLANs). One of them was a straight ethernet connection over a pair of 100Mbit fiber converters. It worked fine when I hooked my laptop up (could ping everything at their end just fine), but it all died when I connected it to the switch. I could see a Cisco 3524 switch at the other side via CDP, but everything else was dead (even ARP to their switch IP).
When I had only the 2960 switch connected (with a newly-erased default config and only vlan 1 configured), I could ping stuff across the link, but as soon as I connected something else (a router or my laptop), it went down right away.
I did suspect spanning tree had something to do with it, so I set "spanning-tree bpdufilter enable" on the switch port and everything started working as it should. I set it to portfast as well for good measure.

Somehow, when the two switches (our 2960 and their 3524) are talking spanning-tree, something happens that causes their switch to block that port (I haven't got the spanning tree output but I know the 2960 said it was forwarding on that port). There is in no way a loop somewhere, there is just this one link. What I'm really wondering is, what kind of settings on their side could cause this?

ionn fucked around with this message at 14:34 on Jul 17, 2008

ionn
Jan 23, 2004

Din morsa.
Grimey Drawer

Anjow posted:

Before I try these suggestions, would it be safe to assume that everything is okay with the serial adapter and the console cable if it works fine on Windows? I don't know but I think I said before that I can get it working just fine using Tera Term in Windows, with exactly the same hardware.

Would that then suggest that the problem is with the OS X drivers?

What you're saying would almost certainly mean the problem is between OS X and the RS-232 adapter, and that is likely a driver issue, or ZTerm not using the right device.

ionn
Jan 23, 2004

Din morsa.
Grimey Drawer

jwh posted:

Well, when you connected a router or PC to the 2960, was it also in vlan 1? I say this because out of the box, Cisco will set 'no spanning-tree vlan 1'.

As to what is causing the providers interface to stop working, I would suspect bpduguard, but that would error disable the port, and the recovery, if it's configured, is 300 seconds by default. Of course they could have tuned those timers down..

The "blank" 2960 (which was just an out-of-the-box spare) was running on vlan 1 and might very well have had that (didn't really look), but the original one had (among other irrelevant stuff):
code:
vtp domain boomdeyada.boomdeyada.net
vtp mode transparent
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 1-7 priority 24576
!
interface FastEthernet0/8
 description The port in question to that place over there
 switchport access vlan 2
 speed 100
 duplex full
 no mdix auto
 spanning-tree bpdufilter enable
 spanning-tree link-type point-to-point
!
I've never come into contact with bpduguard other than seeing it as a config option, is that just some way to make the port allergic to rogue switches connected to it, and have it freak out and shut down upon seeing a bpdu frame?

With that holddown timer, would any new bpdu frame just reset the timer? I had a ping running for like 15 minutes or so with nothing coming back (while the switch was doing stp now and then), but I have no clue what their timers are set to.

I have a couple of spare switches I was going to test this stuff out on, but it seems bpduguard (if I've understood it correctly) pretty much explains it. I'll ask them to disable it, since even if we can just as well have bpdufilter on, it would be silly if a slight misconfiguration (for example, if replacing the switch) would kill the connection just like that.

ionn
Jan 23, 2004

Din morsa.
Grimey Drawer

jwh posted:

Yeah, that's pretty much what bpduguard does. It's nice for when you want to prevent a switch from accidentally appearing on the network in places you don't anticipate. We tend to run it in combination with portfast on workstation ports.

But, looking at your configs, I'm not so sure that's the culprit here- bpdu filter should have prevented the switch from sending a bpdu, which in turn wouldn't have triggered the bpduguard errdisable on the other side.

I don't know honestly, it's hard to say- have you asked your upstream provider what they think? They may have some ideas.

Oh, sorry, those two statements (spanning-tree bpdufilter enable, spanning-tree link-type point-to-point) were what was on the switch after the issue was "resolved" (as in "working, though I'm not really sure why"). Those are the only two lines changed from before when it was not working.

bpduguard probably can be useful when you want to really prevent (and punish) users plugging in nonallowed switches, but I've never had any problems with just running spanning-tree portfast. A switching loop would cause some broadcast bursts for a few seconds, but I've never seen that cause anything serious.

I'll ask the other side if they run bpduguard, just to get the issue explained, and if they can just take it off. Sure, it works fine as it is, but I can imagine what will happen next time when someone needs to move it to another port or something.

ionn fucked around with this message at 22:48 on Jul 17, 2008

ionn
Jan 23, 2004

Din morsa.
Grimey Drawer

atticus posted:

Bridging loops don't just cause broadcast bursts for a few seconds. They'll peg the CPU's of the affected devices and render them unusable as long as the devices are connected. The ARP tables in CAM will get flooded with repeating entries (on different ports) and become unstable. I've seen a bridging loop bring down an entire corporate office. IIRC, if you configure PortFast on an interface, BPDUGuard is configured on it automatically as well, but if for whatever reason you want to disable BPDUguard, that's where you'll run into problems.

I've seen a bridging loop kill an entire office, but it took until next day for them to notice. The loop was created sometime during the day, and the network died at 04:00 at night (when the alarm went off because everything was unreachable from insane cpu load). It was an Avaya 4621SW IP phone, which has a two port switch in it, and someone plugged the "computer" port on it into the wall. The switches were running spanning tree on all user ports, but it was for some reason disabled on the port-channel between them.
In that instance, it only seemed like traffic was slowly increasing along the loop, and it took several hours until anyone noticed. No one said the network had been abnormally slow the day before.
Thinking about it, that seems rather odd, and the network should have been worse off, faster. Then again, the switches already had full MAC tables, and it would then only be broadcast things like ARP flowing around, and that might take a while to build up enough crap in the "ethernet cyclotron".

atticus posted:

As jwh said, bpdufilter keeps the switch from sending or receiving BPDUs on that particular port, so that's probably the bit that made it start working, but I'm not sure why "link-type point-to-point" was configured as this is only pertinent to RPVST+, and they only have PVST+ configured. The spanning tree link type of point-to-point is also set automatically because it's based on the duplex of the port, so the logic of setting that manually is completely beyond me.

Correct, bpdufilter is what fixed it, and without that it didn't work. I added the link-type statement for good measure when I was just mucking about trying to figure it out, but later figured out it was useless. I had portfast on there as well for a while, but removed that (as I'd rather start running spanning-tree proper instead).

ionn fucked around with this message at 08:11 on Jul 18, 2008
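The symptom described above (MAC entries bouncing between ports while the loop slowly builds up) shows up in Catalyst syslog as MACFLAP_NOTIFY messages. Here is an added detection example, not from the thread or any vendor, that separates one roaming host from many hosts flapping between the same two ports in one VLAN; the log lines are constructed.

```python
import re
from collections import defaultdict

# Cisco Catalyst syslog line produced when a MAC keeps moving between ports.
FLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIFY: Host (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)"
)


def parse_flaps(lines):
    """Return (mac, vlan, (portA, portB)) for each flap notice, port pair sorted."""
    events = []
    for line in lines:
        m = FLAP_RE.search(line)
        if m:
            ports = tuple(sorted((m["p1"], m["p2"])))
            events.append((m["mac"], int(m["vlan"]), ports))
    return events


def suspect_loops(lines, min_hosts=3):
    """Group flap notices by (vlan, port pair).

    A single MAC moving is normal (VM migration, a laptop re-plugged);
    many distinct MACs in one VLAN bouncing between the same two ports
    is the signature of a loop feeding frames back in on both sides.
    Returns {(vlan, ports): distinct_host_count} for the suspicious groups.
    """
    hosts = defaultdict(set)
    for mac, vlan, ports in parse_flaps(lines):
        hosts[(vlan, ports)].add(mac)
    return {key: len(macs) for key, macs in hosts.items() if len(macs) >= min_hosts}


# Constructed sample log, modelled on the phone-PC-port loop described above:
# an access port and the STP-less port-channel see the same hosts alternately.
SAMPLE_LOG = [
    "Jul 17 14:02:11.512: %SW_MATM-4-MACFLAP_NOTIFY: Host 0004.0d12.3456 in vlan 10 is flapping between port Gi1/0/7 and port Po1",
    "Jul 17 14:02:12.090: %SW_MATM-4-MACFLAP_NOTIFY: Host 0004.0d12.aaaa in vlan 10 is flapping between port Po1 and port Gi1/0/7",
    "Jul 17 14:02:12.771: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/22, changed state to up",
    "Jul 17 14:02:13.004: %SW_MATM-4-MACFLAP_NOTIFY: Host 0019.e8c0.1111 in vlan 10 is flapping between port Gi1/0/7 and port Po1",
    "Jul 17 14:02:13.420: %SW_MATM-4-MACFLAP_NOTIFY: Host 001b.2150.2222 in vlan 10 is flapping between port Gi1/0/7 and port Po1",
    "Jul 17 14:05:40.118: %SW_MATM-4-MACFLAP_NOTIFY: Host 0021.5c77.9999 in vlan 20 is flapping between port Gi1/0/3 and port Gi1/0/4",
]

if __name__ == "__main__":
    for (vlan, ports), count in suspect_loops(SAMPLE_LOG).items():
        print(f"possible loop: vlan {vlan}, {count} hosts flapping between {ports[0]} and {ports[1]}")
```

Run against a real syslog feed, the benign single-host case in VLAN 20 is ignored and only the VLAN 10 group between Gi1/0/7 and Po1 is reported.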

ionn
Jan 23, 2004

Stuff like that should probably only be needed where you cannot be sure of the physical access to your equipment. Colos or equipment at 3rd party sites that you mention, however, are just where it might be useful. Where possible, good physical security is always better, and if so, protecting against someone resetting your gear should be unnecessary.
We had a couple of routers at our site where the provider had superglued blank RJ-45 plugs into the console ports...

ionn
Jan 23, 2004

Bad flash, or forgetting to save running-config after changing it. :downs:

ionn
Jan 23, 2004

Network design! Our SSR routers from the dark ages need to go, and I want to get Cisco gear instead. The thing is, I don't have a clue what is the best deal for us in terms of what hardware to get. Here's the deal:

* 10 or so directly connected networks (with varying load and population). At least three of them need gigabit interfaces.
* Don't really need "wirespeed gigabit" routing between the nets, a couple hundred Mbits would do fine.
* 3 Ethernet WAN links between sites (10-100Mbit).
* Need to support OSPF, GRE, HSRP
* The network (one big OSPF area) has about 10 routers and just over 100 routes (including loopbacks and redistributed statics). Need room to grow to maybe twice that, in all not a horribly large routing table.
* One single organization, no access lists or crap in between.
* Need some QoS support (our VoIP traffic is tagged and ready)
* No single points of failure, meaning anything mentioned below is just half the stack
* On a rather tight budget. I can get what is needed, but probably nothing more.


Since gigabit ports are rather expensive in a "real" router, I'm thinking about how to get by with as few as possible, by using switches to "break out" more ports. I basically have these ideas on how to do it:

* One router (Cisco 2821?), use both gig ports as a portchannel to a L2 switch (such as a 2960G). All the networks go as VLANs, to various ports on the switch (which are connected to access switches, or straight to the "important" servers and such). Maybe get separate 100Mbit interfaces for the main WAN links. Downside is everything between LANs has to pass through the portchannel via the router, and I don't know how it likes routing between VLAN interfaces.

* Same router, with a portchannel to a L3 switch (3560G/3750G). L3 switch acts as router between the local networks, with static routes (possibly RIP?) between the switch and the router, and the router speaks OSPF to the rest of the world and handles all the other stuff. Probably good performance, but seems a bit stupid with static routes and stuff.

* Just use an L3 switch (3560G/3750G/4948?) with "enhanced" image to do it all in one box. Not sure how those L3 switches act as routers, or how the feature set is.

* 2821/2851/3845 and more gig interfaces. "Proper" solution, but more expensive. Can only buy this stuff if necessary, and after fighting a bit with the finance people.

I really have just very vague ideas on where to go. I've asked some contacts for suggestions, but since they want to sell the hardware I assume they will try to sell me more than I need.
In my last job this would have been solved by throwing several bags of money at it (a quite similar network there had 6509/Sup720 in the middle, 3845 at remote sites, and 6509/Sup32 as access switches), but that's not going to happen here...

What should I do to get adequate performance for my budget (need to get new firewalls as well), and that won't fall apart on me?

ionn
Jan 23, 2004


Girdle Wax posted:

If you don't need synchronous interfaces (T1s, DS3s, etc) this is an excellent way to go. Performance on layer 3 switches is excellent so long as you don't exceed the TCAM limitations (which with 100 routes, you're probably not likely to).

I do not. The last such circuit was decommissioned a couple of years ago, and the chances are very small we will ever get anything without an ethernet interface (as long as ethernet is the networking standard). And if we do, we can get a separate router + interface just for that.

Using some kind of "this is how much the TCAM can hold" (MAC addresses + VLANs + routes) number from Cisco, it seemed to me like the 3560G could take roughly our current network + projected growth x10. And if it runs out, I guess we could split things up when the need arises.

Then, what is the best stuff? From what I can tell, the difference between 3560 and 3750 is mainly the stacking and 10Gig capabilities. Stacking seems well enough for switches, but can it really be a good idea for two routers?

I'll have to make a better count of the ports needed. 2 24-port units should hold most stuff, but 2x48 would take just about "everything" (with all important servers having one port on each unit). 4948 seems really good, but 3560/3750 looks very capable indeed (and cheaper).

ionn
Jan 23, 2004


jwh posted:

Are you going to carry your WAN links into the same devices as your connected servers? If so, are there security implications?

The WAN links between our sites are private links (mostly layer 2 links), and can be considered secure. We need no security restrictions for those connections. The stuff that needs protecting is already behind a separate firewall.

jwh posted:

What is your GRE requirement? 3560G and 3750G will not do GRE in hardware, which means it may as well not do it at all.

We only use GRE to be able to do OSPF over a couple of backup links (IPSec VPN tunnels and such). GRE is only used for encapsulation, not for any encryption, as that is handled by separate VPN devices. We do not require much from it in terms of performance; if it can push through a few megabits of unencrypted traffic over GRE, that is good enough.

jwh posted:

QoS support is great on 3560G/3750G- four queues per-port with a configurable priority queue. It's not easy to configure, though, so you may need to do some reading.

While I understand the basics of what QoS does, it's still a big scary numbers game to me. I definitely need some reading up on it before giving it a go. We are getting by without it just because we have bandwidth to spare, but eventually I want it in there. I do have lab equipment to try it out, so I think I can pull it off given some time.

jwh posted:

Well, 3560Gs are roughly five-thousand a pop, and maintenance is about $350 a year for SMARTnet 8x5xNBD(SNT), although the 3560Gs have a limited lifetime warranty covering the hardware.

Since we are mainly planning on having hardware doubled up (as even an hour production downtime would be very costly, and losing these routers would kill pretty much everything), I don't think we'd need anything too extravagant for hardware support. Something that can give us hardware replacements covered for a few years would do nicely. I can easily sell something that costs 10% of the hardware cost per year to management, and we still pay loads more for support on the PBX (which is only slightly more important, and less stable).

Prices are slightly different here (Sweden), and we are really a very small Cisco customer with no kinds of sweet deals. I'll check up on prices on the various L3 switches and see what I'll end up with. We are looking at new firewalls as well, and we might end up buying a few ASA-somethings at the same time.

In all it's the usual deal. Management wants something that can't break, but they do not really want to pay for it even if a single outage will probably cost way more.

jwh posted:

If you're buying separate firewall devices, 3560Gs are great switches. At this point, I'd be concerned about your GRE requirement, and whether your access control platform is going to cost you an arm and a leg to support the kind of throughput you're suggesting (in the hundreds of megabits area).

We have separate firewall and VPN endpoint equipment (a mix of different devices) for any kind of encryption, and none of that is really performance-critical.

Looking closer, the 3750 really does nothing that the 3560 does not, that we might ever need in a router. 10Gig models are out of the question, and stacking routers seems silly. Question is, will a 4948 do me any extra good? It's (probably) not that much more expensive than a 48-port 3560G, and does offer better performance, I'm just not sure we'd need it.

CrazyDutchie posted:

You may want to check out the Catalyst 4500 series. Not the new expensive series you mentioned :) Sure, they are a bit more expensive compared to a 3560, but you can have redundant power supplies, redundant supervisors, there is room for an IPS or firewall or whateveryouwant module.

If you can squeeze it in your budget or get your budget increased to support it, it will meet your goal and it will let you sleep soundly at night, since fatal hardware failure is unlikely.

A pair of 3560G-24TS-E would fit in my budget, and it can probably be stretched to 3560G-48 or 4948, but a 4500 with dual stuff would simply not be possible...
Also, I would actually rather have two separate units with no redundancy each, than a single one with "dual everything". I have seen a faulty line card bring down a 6509 with dual Sup32s, and I would put more trust in two separate 3560s. Also, the 4948 can do dual PSUs after all.

ionn
Jan 23, 2004


jwh posted:

I don't know how much 4948s are off the top of my head, and we never quoted them out, but they have a reputation for being extremely fast, and extremely expensive.

With comprehensive access control off the table, the 3560Gs will be great switches. I'm still worried about the GRE throughput, but, worst case scenario, you could put a little ISR in instead (i.e., 2800) to terminate the GRE.

I'll just have to get quotes in for 3560 vs 4948 and see what it boils down to. It really comes down to how much room we have to spare in terms of capacity for growth, I think. Looking at the list prices it seems rather expensive with the "standard" image, but the difference is smaller comparing the "enhanced" ones.

I have a weaker 3560 (the 100Mbit variant) currently unused I can play with and see how well it does GRE (don't tell Cisco I have the enhanced image lying around). The GRE stuff is handled by 2801/2811's as it is, and that could continue to be a way out of that.

ionn
Jan 23, 2004

Both interfaces would need to have an IP address assigned within that subnet for that network to really exist. It seems to me like it just isn't specified in the diagram, probably just to confuse you since the actual addresses probably aren't needed for the exercise.
The concept of a network name (such as 192.168.6.0/24) in IOS only really comes from the assigned IP/netmask, without which it doesn't have a clue.

No idea about the first question though. I've only ever done stuff like that by using ip unnumbered, and that never outside the course labs...

ionn
Jan 23, 2004

While this doesn't have to do with Cisco stuff (the site in question is running Brocade / Foundry), this thread probably has the people needed.

I've got a bunch of switches (two aggregation switches and 8 or so top-of-rack access switches connecting to them) running MSTP. The MSTP setup has three instances with 5 VLANs in them (2+2+1). Now, I need to add another VLAN. I don't know much about the traffic volumes, so I'm not sure yet which instance to add it to, or if it goes in its own instance (so we can balance instances across uplinks depending on traffic). Probably a new instance.

Anyway, there's plenty of info available on how to set up MSTP, but very little on how to update a running setup. If I change the vlan-instance assignments and bump the revision (the meaning of which I'm unsure of), it will mean a new configuration hash, and then what? Will MSTP break until I update all switches?
From what I can read out of the manual, there's no way of "staging" a new mstp config and have it switch over, I can only seem to change the active config in-place.

If I update the switches one at a time, will my network die? I can deal with that, it just means I need to go to the DC at some godawful early morning hour, and I'd rather not if it's reasonably safe to do it remotely (we don't have full OOB management for all access switches yet...) or during daytime. And if it's a hassle with some downtime, I'm going to add a few "spare" VLANs (a couple to each instance) just because I can.


ionn
Jan 23, 2004


tortilla_chip posted:

You will take a hit because the VLAN mapping to spanning tree instance is hashed and will change as you map the additional vlan(s). You could make the change if you start at the bottom of the CST and work up to the root.

You can add additional mappings for vlans without actually having the vlan active (staging like you were saying).

I guess I'll hook up a spare switch as "yet another access switch" and change the config on that and just see what happens there.

You're saying I could add more vlan-instance mappings before I create the VLANs, without changing the config hash? Not sure how that would help (if it even works, will have to test that too), that would mean I take the exact same hit when I create the VLAN instead. In essence, I could then "stage" the MSTP config, but not the VLAN config.

Idea:
I don't want to go around disconnecting links making the net loop-free (which means I could run either with or without spanning-tree during the transition), too many links and too much poo poo that could go wrong. However, it might do with just making the connections between the two aggregation switches loop-free (disconnect one cable or disable one port, that I can deal with), and set up the new MSTP config on one of them. Then I could change the configs on the access switches one at a time, which should cause them to go from one config to another, and move over from one switch to the other. I think I can scrounge up three switches to try it out...
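The "configuration hash" both posts above are worried about is the MST configuration digest: an HMAC-MD5 over the VLAN-to-instance table, keyed with the constant from IEEE 802.1s. This added example (not from the thread, Brocade or Cisco) computes it from a mapping, so you can predict which switches will stop agreeing on the region before touching production; the VLAN ids and instance numbers are constructed to match the thread's 2+2+1 layout plus one new VLAN in its own instance.

```python
import hashlib
import hmac
import struct

# Well-known MST configuration digest signature key (IEEE 802.1s / 802.1Q).
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def mst_config_digest(vlan_to_instance):
    """Digest of an MST configuration table.

    The table has 4096 two-byte big-endian entries, one per VID; unlisted
    VLANs map to the CIST (instance 0), and VIDs 0 and 4095 stay 0.
    Only the mapping is hashed: whether a VLAN has actually been created on
    the switch does not enter the digest, which is why mappings can be
    staged ahead of the VLANs themselves.
    """
    table = bytearray(4096 * 2)
    for vid, msti in vlan_to_instance.items():
        if not 1 <= vid <= 4094:
            raise ValueError(f"invalid VLAN id {vid}")
        if not 0 <= msti <= 4094:
            raise ValueError(f"invalid MST instance {msti}")
        struct.pack_into(">H", table, vid * 2, msti)
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).hexdigest()


def region_splits(before, after):
    """True if switches on the old and new mapping will form separate regions
    (same name and revision assumed), i.e. the hit tortilla_chip describes."""
    return mst_config_digest(before) != mst_config_digest(after)


# Constructed stand-in for the thread's region: three instances, five VLANs.
CURRENT_MAPPING = {10: 1, 11: 1, 20: 2, 21: 2, 30: 3}
# The planned change: one more VLAN (40) in a new instance 4.
NEW_MAPPING = {**CURRENT_MAPPING, 40: 4}

if __name__ == "__main__":
    print("default (all VLANs in CIST):", mst_config_digest({}))
    print("current region digest:      ", mst_config_digest(CURRENT_MAPPING))
    print("after adding VLAN 40:       ", mst_config_digest(NEW_MAPPING))
    print("region splits during rollout:", region_splits(CURRENT_MAPPING, NEW_MAPPING))
```

Compare the computed values against what each switch reports for its MST configuration digest before and after the change; any switch whose digest differs from the rest is in its own region and its uplinks become CIST boundary ports until it is updated.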
