ElCondemn
Aug 7, 2005


Zuhzuhzombie!! posted:

I understand that a portchannel with more than 8 members will feature hot standby to some degree.

I state this because we have someone with a Dell server who wants a portchannel setup, but doesn't want to push a gig + of data, but instead simply wants some type of fail over. I suggested HSRP, but haven't heard back.

It's currently up/up and pingable, it's just that my interfaces are not bonded. They're l2 switchports so a port channel probably isn't even necessary on my end.

Would this present any issues in the real world?

If they just want redundancy what about spanning tree doesn't solve this problem?


1000101
May 14, 2003

BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY FRUITCAKE!
Servers don't typically speak STP so it won't help here.

If that server is an ESXi host then you don't need to set up etherchannel at all. You can just set up an active/standby uplink on the virtual switch and when one link falls over the other picks right up.

ElCondemn
Aug 7, 2005


1000101 posted:

Servers don't typically speak STP so it won't help here.

If that server is an ESXi host then you don't need to set up etherchannel at all. You can just set up an active/standby uplink on the virtual switch and when one link falls over the other picks right up.

Ah I'm stupid, I misread it as a switch to switch connection (probably because he mentioned 8 ports).

Look up port bonding, you can pick all kinds of modes including LACP if you really want it.

Syano
Jul 13, 2005

Zuhzuhzombie!! posted:

I understand that a portchannel with more than 8 members will feature hot standby to some degree.

I state this because we have someone with a Dell server who wants a portchannel setup, but doesn't want to push a gig + of data, but instead simply wants some type of fail over. I suggested HSRP, but haven't heard back.

It's currently up/up and pingable, it's just that my interfaces are not bonded. They're l2 switchports so a port channel probably isn't even necessary on my end.

Would this present any issues in the real world?

Update the Broadcom driver in the server to the full package from Dell's website. If all that is needed is failover, build a simple switch-agnostic team in the Broadcom Advanced Control Suite. It will not present any issues whatsoever. Every single one of my 20ish Dell servers is configured this way.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer
I am in a situation where I might be picking up two 10Ge switches (for my DR site). Most likely, I'd be looking at the nexus line. In my primary datacenter, I have two 5548UP switches today. Would it be possible to run two 6001 switches in tandem and join them in the cross chassis etherchannels? That would allow me to effectively replace my 5548 switch in situ, to take to my DR site. Basically I hate downtime, but like having the newest poo poo, so I need to be sure these ideals can coexist for this upgrade.

1000101
May 14, 2003

BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY FRUITCAKE!

adorai posted:

I am in a situation where I might be picking up two 10Ge switches (for my DR site). Most likely, I'd be looking at the nexus line. In my primary datacenter, I have two 5548UP switches today. Would it be possible to run two 6001 switches in tandem and join them in the cross chassis etherchannels? That would allow me to effectively replace my 5548 switch in situ, to take to my DR site. Basically I hate downtime, but like having the newest poo poo, so I need to be sure these ideals can coexist for this upgrade.

Sounds like you want to configure "double sided vPC" but I may be delirious from being awake too long.

http://www.cisco.com/en/US/docs/switches/datacenter/sw/design/vpc_design/vpc_best_practices_design_guide.pdf

Basically the short answer is yes. Create another vPC domain with the Nexus 6ks and go nuts. Any particular reason you want to put in Nexus 6001?

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

1000101 posted:

Basically the short answer is yes. Create another vPC domain with the Nexus 6ks and go nuts. Any particular reason you want to put in Nexus 6001?
40Ge uplinks. We don't do anything with FC here so we don't need the UP on our 5548, but our DR site hosts some legacy stuff that does use FC.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k

pt1xoom posted:

I did a little reading on asynchronous connections and routing, and it doesn't look like it to me, but I may be very wrong.

Attached is the diagram. Thanks.



Yea that's not asynchronous routing. Looking at that diagram then rereading your post, it seems to work as intended. You seem to believe that by routing traffic to the VPN server instead of the cisco firewall makes it not go through the cisco firewall, but it would still go through it if that's the only link between both networks.

ate shit on live tv
Feb 15, 2004

by Azathoth

tortilla_chip posted:

Essentially they perform SONET-esque alarm functions. Wireless carriers wanted detailed stats from service providers to prove they were meeting SLAs. One nice thing about either protocol is they use standard Ethernet frames and should be carried without issue across the service provider network. You'd definitely want to check the feature navigator to make sure CFM is available on the platform you're running.

http://www.cisco.com/en/US/docs/ios/cether/configuration/guide/ce_cfm.html

You'll want to configure a MEP on each end of the circuit in question.

That looks pretty cool. But I don't think it is available on ISRs :/

Oh well.

the spyder
Feb 18, 2011
Has anyone troubleshot a slow site-to-site VPN between two ASAs before? I have two 5515-X and a 100Mb fiber line with Ethernet hand-offs at each end. I went through the basics; directly connected between the site-to-site ends I see 9-12 MB/s speeds over FTP, 6 MB/s over CIFS. Connected via the VPN, I am seeing 500 Kb/s over FTP and 100 Kb/s over CIFS. All the devices are set to 1500 MTU (fiber supports up to 1600 MTU per provider).

Any ideas? This is just painfully slow.

*Edit* Of course it was a cable issue. Back up to around ~3 MB/s via FTP. Still pretty slow IMO.
*Edit 2* It was the machine. 6.5MB/s on my workstation via TeraCopy.

the spyder fucked around with this message at 21:32 on Feb 22, 2013

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer
My WAN is more or less multiple layer 2 providers bridged together at various points. I run one WAN subnet, with routers at each site that have a WAN IP and then a LAN IP. I use OSPF (area 0 only) for dynamic routing. I want to add backup links via IPSEC VPN to a few locations, and then have those locations able to route all traffic on my layer 2 LAN back to the rest of my network should there be a backhoe event which takes multiple sites off the main network, but leaves them able to talk to one another. Due to my ISPs design, the physical topology is something like this:

code:
City 1 ------- City 2 ------- City 3 ------- City 4
                    |
                    |-------City 5 ------- City 6
                                 |
                                 |------- City 7
For example, if there was a fiber cut between City 2 and City 5, I will have 3 cities that are offline. I would like to add a DSL link in City 7 (from another ISP) and create a VPN that would be able to carry traffic for all three of the severed cities back to City 1. Obviously, straight IPSEC will be less than desirable. Is this a situation where I would want to use GRE over IPSEC, and simply set the OSPF cost of the GRE interface to a higher value? I intend to set up a lab for this scenario, but wanted to verify that I am pursuing the correct solution before I begin.

If it matters, I will be using a mix of Fortinet, Cisco ISRs, Cisco ASAs, and Vyatta based devices, so I am limited to open routing protocols.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR
Someone brought this up to me last week. Most of the desktops here at work plug into a Polycom phone and the Polycom is networked back to our 3750 stack. We have a voice vlan set up for the points and a regular data vlan set up for everything else. The "problem" as it exists is that I can see SIP traffic that is not destined for my phone. I see tons of packets with a source IP of our internal broadsoft server, but none of the destinations are my IP or my phone number.

It's only SIP as well. I can't actually pull and stream the phone conversation.

I assume some of it has to do with ARP broadcasts but outside of the initial ARP spam I shouldn't see the same destination, right? But I do.

Any ideas?

ate shit on live tv
Feb 15, 2004

by Azathoth
How are you seeing this traffic? Using wireshark on the PC. Sniffing from a switch, what?

ragzilla
Sep 9, 2005
don't ask me, i only work here


Zuhzuhzombie!! posted:

Someone brought this up to me last week. Most of the desktops here at work plug into a Polycom phone and the Polycom is networked back to our 3750 stack. We have a voice vlan set up for the points and a regular data vlan set up for everything else. The "problem" as it exists is that I can see SIP traffic that is not destined for my phone. I see tons of packets with a source IP of our internal broadsoft server, but none of the destinations are my IP or my phone number.

It's only SIP as well. I can't actually pull and stream the phone conversation.

I assume some of it has to do with ARP broadcasts but outside of the initial ARP spam I shouldn't see the same destination, right? But I do.

Any ideas?

Are you mostly seeing INVITEs? What's the registration timeout on your phones? If you have a registration timeout > MAC timeout on switches, that first INVITE will unknown-unicast flood.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR
Correct. Wireshark from my desk PC.

I am seeing majority INVITE and NOTIFY but a few with the Status set to 200, whatever that means. I believe the Status 200 OK messages are supposed to be unicast.

Phone registration is pretty high. Just checked mine and it had 1500 seconds, which is about half an hour. I imagine our ARP and MAC timeouts are default. So MAC is five minutes and ARP is the default (four hours, I think). I'll double check the phone in the meantime but it looks like phone registration timeout is lower than ARP timeout.

Zuhzuhzombie!! fucked around with this message at 19:17 on Feb 25, 2013
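A small simulation of the mechanism ragzilla describes, using the timers Zuhzuhzombie!! quotes (SIP registration every 1500 s, the Cisco default MAC aging of 300 s). This is an added example, not code from the thread: the phone MAC is the one from the mac-address-table excerpt later in the thread, while the port layout (desktop on Gi3/0/4, server reached via an uplink on Gi3/0/48) is assumed.

```python
"""Learning-switch model: why a server's first SIP INVITE toward a quiet phone
can be flooded to every port in the VLAN, including a desktop's port.
Constructed example; timers come from the thread, the port layout is assumed."""
from dataclasses import dataclass, field

PHONE_MAC = "0004.f213.ba69"   # MAC quoted in the thread's mac-address-table excerpt
PHONE_PORT = "Gi3/0/3"
DESKTOP_PORT = "Gi3/0/4"       # assumed: a desktop in the same VLAN
UPLINK_PORT = "Gi3/0/48"       # assumed: port toward the Broadsoft server


@dataclass
class LearningSwitch:
    """Minimal L2 switch: one VLAN, a MAC table with an aging timer."""
    ports: list
    aging_s: int
    table: dict = field(default_factory=dict)  # mac -> (port, last_seen_time)

    def learn(self, src_mac, in_port, now):
        # Any frame from a host refreshes its entry (SIP REGISTER, ARP, RTP ...).
        self.table[src_mac] = (in_port, now)

    def forward(self, dst_mac, in_port, now):
        """Return the ports a unicast frame is sent out of."""
        entry = self.table.get(dst_mac)
        if entry is not None and now - entry[1] <= self.aging_s:
            return [entry[0]]                     # known unicast
        self.table.pop(dst_mac, None)             # aged out (or never learned)
        # Unknown unicast: flood to every port in the VLAN except the ingress.
        return [p for p in self.ports if p != in_port]


def ports_receiving_invite(registration_s, aging_s, invite_time):
    """Where does an INVITE sent by the server at invite_time end up?

    The phone refreshes the switch's MAC entry only when it transmits, and a
    quiet phone transmits roughly once per registration interval.
    """
    sw = LearningSwitch(ports=[PHONE_PORT, DESKTOP_PORT, UPLINK_PORT], aging_s=aging_s)
    last_register = (invite_time // registration_s) * registration_s
    sw.learn(PHONE_MAC, PHONE_PORT, last_register)
    return sw.forward(PHONE_MAC, UPLINK_PORT, invite_time)


def flooded_fraction(registration_s, aging_s, samples=1000):
    """Share of INVITEs that are flooded when they arrive at evenly spread times
    across three registration cycles."""
    flooded = 0
    for i in range(samples):
        t = i * registration_s * 3 // samples + 1
        if len(ports_receiving_invite(registration_s, aging_s, t)) > 1:
            flooded += 1
    return flooded / samples


if __name__ == "__main__":
    print(ports_receiving_invite(1500, 300, 600))  # thread's timers: flooded to phone and desktop
    print(ports_receiving_invite(240, 300, 600))   # registration shorter than aging: unicast
    print(f"{flooded_fraction(1500, 300):.0%} of INVITEs flooded with 1500 s / 300 s")
```

With the thread's timers the phone's entry is gone for roughly four fifths of every registration cycle, so most server-initiated INVITEs reach the desktop; bringing the registration (or any keepalive) interval under the switch's aging time, or raising the aging time, makes them stay unicast. This is also why abigserve's later advice to check the mac-address-table for the destination MAC is the right confirmation step.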

ragzilla
Sep 9, 2005
don't ask me, i only work here


Zuhzuhzombie!! posted:

Correct. Wireshark from my desk PC.

I am seeing majority INVITE and NOTIFY but a few with the Status set to 200, whatever that means. I believe the Status 200 OK messages are supposed to be unicast.

Phone registration is pretty high. Just checked mine and it had 1500 seconds, which is about half an hour. I imagine our ARP and MAC timeouts are default. So MAC is five minutes and ARP is the default (four hours, I think). I'll double check the phone in the meantime but it looks like phone registration timeout is lower than ARP timeout.

Is your default gateway provided by an FHRP (VRRP, HSRP, GLBP) shared between 2 switches/routers? If so you may be seeing the 200s due to asymmetric traffic paths.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR

ragzilla posted:

Is your default gateway provided by an FHRP (VRRP, HSRP, GLBP) shared between 2 switches/routers? If so you may be seeing the 200s due to asymmetric traffic paths.

The broadsoft servers are located on a different network downtown. This office network is connected with it via a P2P layer 3 circuit. We're not using a standby protocol but we do have a backup layer 3 P2P that exists on a different 3750 on this network that is trunked to the 3750 that does carry the main default gateway. The backup is for emergencies but mainly it's for duplication purposes. Second circuit that it can fill with a gig of traffic. We use only EIGRP and manipulate the AD to prevent traffic from taking it.


Devices on the data network use the SVI's IP as their default gateway and the switch itself has an ip route pointing to the next hop IP.

Morganus_Starr
Jan 28, 2001
Has anyone set up any SNMP monitoring on a Cisco Aironet 1140/41 before? Trying to figure out what I need to set up exactly to monitor radio interfaces going up/down and to monitor # of clients associated to an SSID. Anyone have any tips on this (links to MIB, specific OID or anything)? For reference I'm using PRTG SNMP monitoring to accomplish this.

Morganus_Starr fucked around with this message at 02:37 on Feb 26, 2013

abigserve
Sep 13, 2009

this is a better avatar than what I had before

Zuhzuhzombie!! posted:

Someone brought this up to me last week. Most of the desktops here at work plug into a Polycom phone and the Polycom is networked back to our 3750 stack. We have a voice vlan set up for the points and a regular data vlan set up for everything else. The "problem" as it exists is that I can see SIP traffic that is not destined for my phone. I see tons of packets with a source IP of our internal broadsoft server, but none of the destinations are my IP or my phone number.

It's only SIP as well. I can't actually pull and stream the phone conversation.

I assume some of it has to do with ARP broadcasts but outside of the initial ARP spam I shouldn't see the same destination, right? But I do.

Any ideas?

Look at your wireshark capture, find a unicast frame that is not destined to your desktop or your phone, assure it's not just one but multiple frames for the same destination mac address, then check the mac-address table of your 3750 to see why it's flooding the frame.

ragzilla
Sep 9, 2005
don't ask me, i only work here


Morganus_Starr posted:

Has anyone set up any SNMP monitoring on a Cisco Aironet 1140/41 before? Trying to figure out what I need to set up exactly to monitor radio interfaces going up/down and to monitor # of clients associated to an SSID. Anyone have any tips on this (links to MIB, specific OID or anything? For reference I'm using PRTG SNMP monitoring to accomplish this).

Interfaces should just be IF-MIB, for clients check out CISCO-DOT11-ASSOCIATION-MIB.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR

abigserve posted:

Look at your wireshark capture, find a unicast frame that is not destined to your desktop or your phone, assure it's not just one but multiple frames for the same destination mac address, then check the mac-address table of your 3750 to see why it's flooding the frame.

From what I understand, the packets with the "200 OK" message are supposed to be unicast.

However, I'm not seeing multiples of those or anything. One destination IP and its corresponding MAC seem to be pulling one of the three messages and not duplicates: an INVITE, a NOTIFY, or a 200 OK. Doesn't seem like I'm seeing a bunch of repeats either, at least not so far.

Originally I assumed that the switches were making an ARP broadcast across the trunks. Kinda leaning back to that assumption again.

MAC table looks fine to me.

Example:

code:
Vlan    Mac Address       Type        Ports
   2    0004.f213.ba69    DYNAMIC     Gi3/0/3
   3    0004.f213.ba69    DYNAMIC     Gi3/0/3
This was a destination MAC. Local interface shows this MAC for Vlan 2 and Vlan 3. 2 is data, 3 is phone.


This is how we have our interfaces set up:

code:
switchport access vlan 2
switchport voice vlan 3
srr-queue bandwidth share 1 30 35 5
queue-set 2
priority-queue out
mls qos trust cos
auto qos trust
spanning-tree portfast

psydude
Apr 1, 2008

What's y'all's opinion of the 4255? I have been super unimpressed with them so far after about a month of use, but then again the guy that I took them over from spent zero time tuning the signatures so maybe I'm not giving them a chance.

Langolas
Feb 12, 2011

My mustache makes me sexy, not the hat

Anybody have a good white paper that can explain multiple site-to-site IPsec tunnels on a single device properly? I'm banging my head on google foo trying to find good examples of multiple site-to-site links, but most are version 6/7 code or lacking ANY sort of description. I've got the live tunnel established and mirrored. I have a subnet I can set for interesting traffic on the test device so I can mirror those subnets and config between the live and test ASAs. Just trying to figure out if I need to do a 2nd crypto isakmp policy to match the 30 or add some more config if I can't share the transform set tset. Throwing down some config from it just in case I boneheadedly missed a simple item in my configuration. The live tunnel is still active according to both devices' sh cry isakmp.



code:
access-list test extended permit ip object-group 192.168.x.0 192.168.y.0 255.255.255.0
crypto map outside_map 30 match address test
crypto map outside_map 30 set peer x.x.x.x
crypto map outside_map 30 set transform-set tset
crypto map outside_map 40 match address realtunnel (too lazy to sanitize that one)
crypto map outside_map 40 set peer y.y.y.y
crypto map outside_map 40 set transform-set tset
crypto map outside_map interface outside

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key test key
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key test key
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
Isakmp policies go in order; each ASA announces its isakmp policies in a list, and the first one that matches on each side is chosen, so you don't need one for each tunnel. You can use one transform set for every tunnel.

Your crypto map config looks fine, ASA examples from 7.x would be valid for 8.2 code and lower. It looks like you're running 8.2 or lower since the isakmp policies are worded differently in 8.3 code.

The only thing that can't be duplicated is the interesting traffic ACL and peer ip, that always needs to be unique since the ASA wouldn't know how to route it if it were duplicate.
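Two checks that follow from Sepist's answer, written up as an added example (not the poster's config or any Cisco tooling): a linter that parses ASA 8.2-style `crypto map` and `tunnel-group` lines and flags a crypto map entry that reuses another entry's interesting-traffic ACL or peer, lacks a transform set, or has no matching `tunnel-group ... type ipsec-l2l`; and a first-match model of isakmp policy selection showing why one policy can serve several tunnels. The sample configs are constructed with RFC 5737 documentation addresses and only mirror the layout of the config posted above.

```python
"""ASA crypto-map consistency check and first-match isakmp policy selection.
Constructed example: the configs below are samples, not a real device's."""
import re
from collections import defaultdict

# "crypto map <name> <seq> (match address|set peer|set transform-set) <value>"
CRYPTO_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)$")
TG_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")
REQUIRED = ("match address", "set peer", "set transform-set")


def lint_crypto_map(config):
    """Return a list of findings; an empty list means the map looks consistent."""
    entries = defaultdict(dict)   # (map name, seq) -> {attribute: value}
    l2l_peers = set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := CRYPTO_RE.match(line):
            name, seq, attr, value = m.groups()
            entries[(name, int(seq))][attr] = value
        elif m := TG_RE.match(line):
            l2l_peers.add(m.group(1))

    findings, seen_acl, seen_peer = [], {}, {}
    for (name, seq), attrs in sorted(entries.items()):
        for attr in REQUIRED:
            if attr not in attrs:
                findings.append(f"{name} {seq}: missing '{attr}'")
        acl = attrs.get("match address")
        if acl in seen_acl:   # same ACL in two entries: the ASA can't tell the tunnels apart
            findings.append(f"{name} {seq}: ACL {acl} already used by seq {seen_acl[acl]}")
        elif acl:
            seen_acl[acl] = seq
        peer = attrs.get("set peer")
        if peer in seen_peer:
            findings.append(f"{name} {seq}: peer {peer} already used by seq {seen_peer[peer]}")
        elif peer:
            seen_peer[peer] = seq
            if peer not in l2l_peers:   # no tunnel-group means no pre-shared key for this peer
                findings.append(f"{name} {seq}: no 'tunnel-group {peer} type ipsec-l2l'")
    return findings


def pick_isakmp_policy(responder_policies, initiator_policies):
    """IKEv1 phase 1 as described in the post above: the initiator offers all
    of its policies; the responder walks its own list lowest priority number
    first and picks the first whose parameters appear among the offers.
    Policies are (priority, (auth, encryption, hash, dh_group)) tuples."""
    offered = {params for _, params in initiator_policies}
    for priority, params in sorted(responder_policies):
        if params in offered:
            return priority
    return None   # no common policy: phase 1 fails


GOOD_CONFIG = """
crypto map outside_map 30 match address test
crypto map outside_map 30 set peer 198.51.100.1
crypto map outside_map 30 set transform-set tset
crypto map outside_map 40 match address realtunnel
crypto map outside_map 40 set peer 203.0.113.1
crypto map outside_map 40 set transform-set tset
crypto map outside_map interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 203.0.113.1 type ipsec-l2l
"""

# Seq 40 reuses seq 30's ACL, has no transform set, and its peer has no tunnel-group.
BAD_CONFIG = """
crypto map outside_map 30 match address test
crypto map outside_map 30 set peer 198.51.100.1
crypto map outside_map 30 set transform-set tset
crypto map outside_map 40 match address test
crypto map outside_map 40 set peer 203.0.113.1
tunnel-group 198.51.100.1 type ipsec-l2l
"""

if __name__ == "__main__":
    for finding in lint_crypto_map(BAD_CONFIG):
        print(finding)
    hub = [(10, ("pre-share", "aes-256", "sha", 5)), (40, ("pre-share", "3des", "sha", 2))]
    spoke = [(40, ("pre-share", "3des", "sha", 2))]
    print("policy chosen:", pick_isakmp_policy(hub, spoke))
```

The sharing rule falls out of the two functions: a transform set and an isakmp policy are selected by matching, so any number of entries can point at the same ones, whereas the ACL and peer are what the ASA uses to decide which crypto map entry a packet or an incoming negotiation belongs to, so those have to be unique per entry.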

Langolas
Feb 12, 2011

My mustache makes me sexy, not the hat

Sepist posted:

Isakmp policies go in order; each ASA announces its isakmp policies in a list, and the first one that matches on each side is chosen, so you don't need one for each tunnel. You can use one transform set for every tunnel.

Your crypto map config looks fine, ASA examples from 7.x would be valid for 8.2 code and lower. It looks like you're running 8.2 or lower since the isakmp policies are worded differently in 8.3 code.

The only thing that can't be duplicated is the interesting traffic ACL and peer ip, that always needs to be unique since the ASA wouldn't know how to route it if it were duplicate.

Ya, what makes it fun is the 3 versions of code going on the devices: 9.0, 8.4 and 8.2. Gotta make sure 9.0 syncs to the 8.2 before I can update one of the devices. Then I can preconfigure one device with 9.0 and send it out to just do a straight swap. Then I'll have everything working on 9.0.

I'll triple check my ACLs to make sure my test subnet isn't replicated across anything. Peer IPs are definitely different so that's not a worry.

I'll keep digging in, thankfully my live tunnel is a backup tunnel for an mpls link so I can take it down as long as I can bring it up in a matter of 20 seconds while I test.

Thanks for the reply, that helps keep my mind on track so I don't confuse myself trying to step too far out of the box.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR

psydude posted:

What's y'all's opinion of the 4255? I have been super unimpressed with them so far after about a month of use, but then again the guy that I took them over from spent zero time tuning the signatures so maybe I'm not giving them a chance.

Dunno about the 4255 but I do know that we're bailing on Cisco when it comes to firewall/ips/ids/etc.

Langolas
Feb 12, 2011

My mustache makes me sexy, not the hat

Zuhzuhzombie!! posted:

Dunno about the 4255 but I do know that we're bailing on Cisco when it comes to firewall/ips/ids/etc.

We went to Palo Alto. Just made sense to us; their product is amazing.

jwh
Jun 12, 2002

It's a shame, really, that the ASAs don't have the ability to build IPsec-protected GRE tunnels. They simplify a great deal, at least conceptually. And if you're coming from a routing background, having a logical interface to manipulate is an advantage.

I wish Cisco would just buy Palo Alto and extinguish the ASAs forever.

Bluecobra
Sep 11, 2001

The Future's So Bright I Gotta Wear Shades

Langolas posted:

We went to Palo Alto. Just made sense to us; their product is amazing.

Funnily enough, I got a cold call from this company today and politely told them to F off. (We use pf on FreeBSD)

psydude
Apr 1, 2008

Langolas posted:

We went to Palo Alto. Just made sense to us; their product is amazing.

If both I and my boss continue to be unimpressed, maybe we'll start looking into PA for the next FY.

less than three
Aug 9, 2007



Fallen Rib
Fortinet products are really nice to work with as well. That's what I'm leaning towards right now for IDS/IPS/enforcement device instead of Cisco. SDM is so bad.

Zuhzuhzombie!!
Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR

Langolas posted:

We went to Palo Alto. Just made sense to us; their product is amazing.

That's what we're moving to.


We're even replacing our FireEye with a PA.

Morganus_Starr
Jan 28, 2001
So has anyone been able to get a Surface tablet working with AnyConnect and/or an IPSEC VPN on an ASA? I'm reading that AnyConnect won't work, but that IPSEC MIGHT if I set up L2TP? See a few articles on the 'net from a few months ago about this but no recent info.

BurgerQuest
Mar 17, 2009

by Jeffrey of YOSPOS
I have a 1921 router and I'm trying to do something it doesn't want to do. I need to allow access to things like SSH and L2TP, etc. from internet hosts via both its interfaces (each has a public IP on it). But all traffic from the internal networks needs to go out only one of them. I'm at a loss, as it's not quite a normal load balancing scenario, nor failover. Our FortiGates don't seem to have a problem doing this with the 'weight' feature for interfaces, but I can't find something equivalent on the Cisco. Basically I just want all internal traffic to use the default route, and external traffic to go back out whatever interface it came in on. Is this possible?

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE

jwh posted:

It's a shame, really, that the ASAs don't have the ability to build IPsec-protected GRE tunnels. They simplify a great deal, at least conceptually. And if you're coming from a routing background, having a logical interface to manipulate is an advantage.

I wish Cisco would just buy Palo Alto and extinguish the ASAs forever.

I'd be happy enough with Juniper-style routed tunnels. After using an SRX, gently caress the ASA, gently caress it forever. (ASDM is still the better ACL editor though.)

jwh
Jun 12, 2002

ASDM isn't bad, it's just not great.

I do really like Palo Alto, though.

I have only enough experience with Juniper / Netscreen to be annoyed by it, which I'm willing to chalk up to non-familiarity.

jwh
Jun 12, 2002

BurgerQuest posted:

Is this possible?

Nope. Not that I'm aware.

edit: perhaps a complex NAT facility, but really, why?

BurgerQuest
Mar 17, 2009

by Jeffrey of YOSPOS

jwh posted:

Nope. Not that I'm aware.

edit: perhaps a complex NAT facility, but really, why?

I'm not going to go with anything messy, in the end IP SLA will do 'ok'. I didn't think it was possible on a Cisco. Basically WAN1 is a nice unlimited satellite link, and WAN2 is an expensive slower but more reliable link we use only for out of band management. It'd be nice to be able to connect via WAN2 while WAN1 is active, but we'll settle for it working when WAN1 is down.

madsushi
Apr 19, 2009

Baller.
#essereFerrari

jwh posted:

ASDM isn't bad, it's just not great.

I do really like Palo Alto, though.

I have only enough experience with Juniper / Netscreen to be annoyed by it, which I'm willing to chalk up to non-familiarity.

I loved Juniper/Netscreen, but I just replaced my SSG5 at home with a Palo Alto VM-100. Goddamn, it is awesome.


ior
Nov 21, 2003

What's a fuckass?

BurgerQuest posted:

I have a 1921 router and I'm trying to do something it doesn't want to do. I need to allow access to things like SSH and L2TP, etc. from internet hosts via both its interfaces (each has a public IP on it). But all traffic from the internal networks needs to go out only one of them. I'm at a loss, as it's not quite a normal load balancing scenario, nor failover. Our FortiGates don't seem to have a problem doing this with the 'weight' feature for interfaces, but I can't find something equivalent on the Cisco. Basically I just want all internal traffic to use the default route, and external traffic to go back out whatever interface it came in on. Is this possible?

Put one of the interfaces in its own VRF. I am not sure if L2TP is VRF-aware yet, but SSH certainly is.
