We have a Cisco 1841 running 12.4(21a), it has an HWIC-4ESW card in it too. The customer connection is configured on an SVI to be used on the HWIC-4ESW. Fa0/1 is configured for FTTC, which the customer wants as their primary uplink:

interface FastEthernet0/1
 description ***
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 2

interface Dialer2
 ip address negotiated
 encapsulation ppp
 dialer pool 2
 dialer-group 2
 ppp chap hostname ***@***
 ppp chap password 7 ***

ip route 0.0.0.0 0.0.0.0 Dialer2 220 name FTTC-DEFAULT-ROUTE

They're now wanting to add a primary ethernet uplink (Fa0/0) to our nearest POP, and we will use BGP over this link. The existing static default has a higher AD because the FTTC was originally the backup connection - so the CPE would receive a default route via BGP and use that, however if the link dropped the default learned via BGP would be lost and the static would be used. Obviously this is no good if the FTTC is to be primary because there's nothing to deal with the link dropping. How should we handle the failover? I was thinking along the lines of doing a static default with a lower AD than BGP and having it track something, but I am not sure what.

Edit: Going to try tracking the dialer interface IP reachability. If it loses the connection, it ought to lose the IP.

Sir Sidney Poitier fucked around with this message at 12:38 on Feb 5, 2015
Feb 5, 2015 12:03
I do something similar for HSRP between two routers, but instead of decrementing HSRP priority you can just do the tracks straight against the routes. My reachability test is to force static routes through one specific line to two DNS servers, and then it tries to ping the servers. If it can't ping those servers, either they're both down at once (unlikely, I guess) or my line is down. It's probably a bit arse about face but it works.

R320FD#sh run | inc ip route
ip route 4.2.2.5 255.255.255.255 109.144.91.0    (the line's default gateway)
ip route 8.8.4.4 255.255.255.255 109.144.91.0

R320FD#sh run | inc track
track 10 ip route 4.2.2.5 255.255.255.255 reachability
track 20 ip route 8.8.4.4 255.255.255.255 reachability
standby 11 track 10 decrement 10
standby 11 track 20 decrement 10

R320FD#sh run | sec ip sla
ip sla 10
 icmp-echo 4.2.2.5
 frequency 5
ip sla schedule 10 life forever start-time now
ip sla 20
 icmp-echo 8.8.4.4
ip sla schedule 20 life forever start-time now

Ahdinko fucked around with this message at 13:33 on Feb 5, 2015
Feb 5, 2015 13:26
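As an added example that is not from either of the two posts above, this is how the tracked static default the OP is considering and Ahdinko's IP SLA probe fit together for the OP's Dialer2/FTTC setup: the probe is pinned to Dialer2, a track object follows the probe result, and the static default (AD lower than eBGP) is withdrawn when the track fails. The probe target 8.8.8.8, the object numbers and the timers are assumptions.

```cisco
! Added example (not from the thread): FTTC on Dialer2 stays the primary
! default only while an ICMP probe sent out of Dialer2 succeeds; otherwise
! the default learned via eBGP over Fa0/0 (AD 20) takes over.
! Assumptions: probe target 8.8.8.8, object numbers 10/20 and timers.
! 12.4 mainline images spell the same objects "ip sla monitor 10",
! "type echo protocol ipIcmpEcho ..." and "track 10 rtr 10 reachability".

! Pin the probe target to Dialer2. Without this, once the static default
! is withdrawn the probe would be answered via the BGP path, the track
! would come back up and the default route would flap.
ip route 8.8.8.8 255.255.255.255 Dialer2 name FTTC-PROBE-TARGET

ip sla 10
 icmp-echo 8.8.8.8 source-interface Dialer2
 frequency 5
 timeout 2000
ip sla schedule 10 life forever start-time now

! Track the probe result, not the route to the target: a Dialer interface
! spoofs up/up, so the /32 above stays in the table even with PPP down.
track 10 ip sla 10 reachability
 delay down 15 up 30

! Replaces the AD 220 static: AD 10 beats eBGP (20) while track 10 is up
! and the route is pulled from the table as soon as the track goes down.
ip route 0.0.0.0 0.0.0.0 Dialer2 10 name FTTC-DEFAULT-ROUTE track 10

! Optional cheaper detector: goes down when Dialer2 loses its negotiated
! address (PPP session dropped) but cannot see an upstream failure.
track 20 interface Dialer2 ip routing
```

Check with "show track" and "show ip route 0.0.0.0" after pulling the FTTC line: track 10 should report Down and the only default left should be the BGP one.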
Here's a fun one. An ASA 5505 is connected to two ISPs. One circuit is 50/20, the other, 30/30. On the 50/20 circuit we get nearly full throughput, but on the 30/30 we only get about 40% of the down (but nearly all of the up). We've swapped ASAs and cables, hardcoded speed and duplex, and there are no errors on any of the interfaces. Take the ASA out and put a laptop there and voila, there's the 30 down. There are no shaping policies or anything else that would limit traffic on that interface. I'll be going on site tomorrow to put a 2960 between the ASA and the problem circuit's CPE to see if that helps (it can on circuits that run closer to 100Mbps, probably because of larger packet buffers on the switch). Anyone want to gamble on what the problem/solution may be?
Feb 9, 2015 22:12
MTU mismatch?
Feb 9, 2015 22:41
0 giants, so I don't think that would be it. I should have mentioned that we do have ingress policy drops, but those are usually attributed to things that wouldn't cause performance degradation (see this).
Feb 9, 2015 22:58
Gypsy curse?
Feb 10, 2015 01:51
Most plausible explanation so far, to be honest.
Feb 10, 2015 02:20
Sounds like a duplex mismatch. Many providers turn off auto detection on 100mb ports and lock it to full duplex where Cisco seems to be the only vendor that constantly has issues and goes randomly to half duplex which causes slowdowns due to retransmits.
Feb 10, 2015 07:10
unknown posted:
Sounds like a duplex mismatch. Many providers turn off auto detection on 100mb ports and lock it to full duplex where Cisco seems to be the only vendor that constantly has issues and goes randomly to half duplex which causes slowdowns due to retransmits.

This matches my experience as well, for whatever reason Cisco has never bothered to get autonegotiate working right even though everyone else has had it working reliably for over a decade. I have never once had a duplex mismatch that wasn't caused by a Cisco device being stupid.
Feb 10, 2015 14:57
If you have a spare managed switch laying around, hook into its console port and then stick that between the 30mbit problem connection and your ASA. Play with duplex settings on both your ASA side and the connection side to see if the problem goes away.
Feb 10, 2015 17:25
This was definitely a weird one. What we found was that regardless of whether speed/duplex were hardcoded on both ends or autonegotiated, if the speed was 100Mbps, traffic down was slow. When running at 1Gbps, things are just peachy. Doesn't matter which device was used to connect to the ONT - 100Mbps was the common denominator. We never had speed or duplex mismatches, and neither side had any interface errors. I'm suspecting a faulty ONT.
Feb 10, 2015 21:30
Richard Noggin posted:
This was definitely a weird one. What we found was that regardless of whether speed/duplex were hardcoded on both ends or autonegotiated, if the speed was 100Mbps, traffic down was slow. When running at 1Gbps, things are just peachy. Doesn't matter which device was used to connect to the ONT - 100Mbps was the common denominator. We never had speed or duplex mismatches, and neither side had any interface errors. I'm suspecting a faulty ONT.

Clearly this is happening because Cisco thinks you need to upgrade to the 5506-X/5508-X (launch/announcement Feb 12 I believe, and I'm assuming they'll have GbE ports because everything gets GbE ports these days).
Feb 10, 2015 23:42
Interesting... first I've heard of a successor. A coworker had told me that at a Cisco event they had said that they weren't going to be replacing the 5505, and that the 5512-X would be the lowest. Having the FirePOWER integration will be the selling point I think. Right now, to get FirePOWER, you have to buy FireSIGHT which is crazy expensive for a single deployment. Maybe they'll lift that requirement.
Feb 11, 2015 01:05
Looks like the 06-X specs are up. http://www.cisco.com/c/en/us/products/security/asa-firepower-services/models-comparison.html
Feb 11, 2015 01:17
Have a WLC 5508 on a DMZ handling guest internet. Unfortunately the guest wireless is pointing to our internal DHCP/DNS. I'd like to really isolate the guest internet from our internal before it bites us in the rear end. I see the option for an internal DHCP server on the WLC but Cisco documentation recommends using it for only small deploys/branch offices:
http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/110865-dhcp-wlc.html#Internal-DHCP

Anyone have any luck using the WLC for handling ~800 guest users or am I better off throwing another device in the guest DMZ for handing out addresses?

gooby pls fucked around with this message at 14:31 on Feb 11, 2015
Feb 11, 2015 14:25
I don't suppose NetScaler questions are welcome here? Citrix and Cisco have a pretty incestuous relationship when it comes to these; I've found documentation from both vendors. I'm looking for a way to configure a virtual server to do delayed down state flushes of a service marked down. I can disable down state flush, but it looks like that will result in the open connections never getting cleaned up. Currently, a slow server instance gets marked down due to not responding promptly to the monitor. However, this then results in the in flight requests getting error responses back as the open connection is closed. I'm looking for a way to mark the service down, route new incoming requests to other service instances, but allow the slow instance to recover by draining off and responding to the requests it's currently operating on, and then after a delay (30-60 sec) from the marking down, forcibly flush any outstanding connections. Anyone have any relevant experience that can point me to configuration settings?
Feb 11, 2015 21:15
Anyone have suggestions on solutions for capturing and saving network traffic for future analysis? We'd like to have a pretty interface (even ugly is probably fine) and be able to do ladder diagrams, pull RTP, DTMF, etc. Mostly revolving around voice, and high throughput. We're currently demoing Network Instruments' GigaStor platform, and we're pushing almost 10gbps from our voice platform. We're able to store just a shade more than a day on the 48tb storage, and it takes a pretty long time for it to pull the data we're looking for, since it's trying to write the 10gbps to disk while also searching for the data we want. We're demoing the 96tb version, but I don't think it's faring much better.
Feb 11, 2015 23:26
No direct experience but I guess you should check out Riverbed's Cascade product too?
Feb 12, 2015 00:25
You might give Netscout a look.
Feb 12, 2015 03:24
|
gooby pls posted:
Have a WLC 5508 on a DMZ handling guest internet. Unfortunately the guest wireless is pointing to our internal DHCP/DNS. I'd like to really isolate the guest internet from our internal before it bites us in the rear end. I see the option for an internal DHCP server on the WLC but Cisco documentation recommends using it for only small deploys/branch offices: http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/110865-dhcp-wlc.html#Internal-DHCP

Could you stand up a new subnet/scope on your internal DHCP server, and configure IP helper on the wireless controller to forward lease requests on behalf of your isolated network?
Feb 12, 2015 03:31
I'm retarded and have no idea what I'm doing, so maybe someone can point me in the right direction. I have an ASA 5505 deployed to a field location, tunneling to our 5510. The field location's internet connection has a filter on it that's blocking a lot of things that we use, so I'd like to run all internet traffic over the VPN tunnel, however, I can't for the life of me figure out how to do it. This is a checkbox in Windows VPN, how annoying.
Feb 12, 2015 05:59
You'd need to disable split tunneling on the 5505.
Feb 12, 2015 10:59
gooby pls posted:
Have a WLC 5508 on a DMZ handling guest internet. Unfortunately the guest wireless is pointing to our internal DHCP/DNS. I'd like to really isolate the guest internet from our internal before it bites us in the rear end. I see the option for an internal DHCP server on the WLC but Cisco documentation recommends using it for only small deploys/branch offices: http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/110865-dhcp-wlc.html#Internal-DHCP

I use 5508s with ISE, for about 1500-2000 users. I built the policies so initially machines go into a blackhole auth group where all they can do is get DNS and DHCP from my (Windows) DHCP servers. Once they're fully authed then they get whatever level of access they should have. You can do it with all the ACLs in ISE if you have it. If not, just use your guest internet router or something to hand out DHCP, because yeah, Cisco's recommendation was "don't use WLC DHCP, especially if doing FlexConnect".

Ahdinko fucked around with this message at 03:22 on Feb 13, 2015
Feb 12, 2015 11:35
GOOCHY posted:
You'd need to disable split tunneling on the 5505.

I did this:

group-policy clientgroup internal
group-policy clientgroup attributes
 split-tunnel-policy tunnelall

But it changed nothing. Is internal not a keyword, and somewhere I need to tell the ASA that it should use that policy?
Feb 12, 2015 18:09
Thanks for the ideas guys. For the time being I enabled dhcp proxy on the WLC and locked down the firewall to only allow dhcp requests from the WLC. At some point I'll move DHCP to the guest internet router.
Feb 13, 2015 03:09
Panthrax posted:
Anyone have suggestions on solutions for capturing and saving network traffic for future analysis? We'd like to have a pretty interface (even ugly is probably fine) and be able to do ladder diagrams, pull RTP, DTMF, etc. Mostly revolving around voice, and high throughput. We're currently demoing Network Instruments' GigaStor platform, and we're pushing almost 10gbps from our voice platform. We're able to store just a shade more than a day on the 48tb storage, and it takes a pretty long time for it to pull the data we're looking for, since it's trying to write the 10gbps to disk while also searching for the data we want. We're demoing the 96tb version, but I don't think it's faring much better.

We've been down this road. Unless you're ready to drop 2mil and install a hundred taps, just don't even bother wasting your time. Today we store SIP for ~5 days in a home grown MySQL/PCAP solution. We can get RTP from our SBCs on demand. Dropping the RTP requirement from the probe solution lowers the price significantly. If you want to talk more about what we went through PM me, it's too trivial to find out who I work for to post more info on our setup. That and we're likely customers of each other. Customer ops has been begging for media captures, but at the prices/effort level we've seen so far it's cheaper to just tell them to hire someone to pull traces.

e: Are you OT LLC? currently dba someone else.

FatCow fucked around with this message at 03:20 on Feb 13, 2015
Feb 13, 2015 03:12
Panthrax posted:
Anyone have suggestions on solutions for capturing and saving network traffic for future analysis? We'd like to have a pretty interface (even ugly is probably fine) and be able to do ladder diagrams, pull RTP, DTMF, etc. Mostly revolving around voice, and high throughput. We're currently demoing Network Instruments' GigaStor platform, and we're pushing almost 10gbps from our voice platform. We're able to store just a shade more than a day on the 48tb storage, and it takes a pretty long time for it to pull the data we're looking for, since it's trying to write the 10gbps to disk while also searching for the data we want. We're demoing the 96tb version, but I don't think it's faring much better.
Feb 13, 2015 03:21
Serfer posted:
I'm retarded and have no idea what I'm doing, so maybe someone can point me in the right direction.

Is this a 5505 with a site-to-site VPN to a 5510? You will need to send all Internet-bound traffic to the 5510, and the 5510 will need to forward it to the Internet.

Build the 5505 as follows:
- Define the VPN crypto ACL as between the LAN subnet and any.
- Set up NAT bypass so this traffic is classified as interesting (it would otherwise be NATed and not match how the VPN is defined).

On the 5510:
- The VPN crypto ACL is a mirror of the 5505's.
- Set up hairpin NAT on your outside interface to let traffic from the 5505 NAT to a public IP on the 5510, to be able to communicate with Internet hosts.
- Add access rules as needed to permit the outside<>outside traffic.
Feb 13, 2015 07:15
FatCow posted:
We've been down this road. Unless you're ready to drop 2mil and install a hundred taps, just don't even bother wasting your time. Today we store SIP for ~5 days in a home grown MySQL/PCAP solution. We can get RTP from our SBCs on demand. Dropping the RTP requirement from the probe solution lowers the price significantly. If you want to talk more about what we went through PM me, it's too trivial to find out who I work for to post more info on our setup. That and we're likely customers of each other.

Yep, we are customers of each other. Traded a PM or two about who we work for a while ago. :-) Unfortunately price is definitely a concern. We're probably not going to drop 50 grand on something, let alone a few hundred thousand, and I'm pretty sure the CEO would have a coronary at 1mil+. Maybe look to roll our own but don't know how feasible that is. Right now we have a crappy on-demand setup using ACLs to grab the traffic we need without killing whatever box is capturing. We were trying to expand out, but at this point I don't think it's going to be worth it. Thanks for the responses, all.
Feb 13, 2015 13:48
Anybody ever have a situation where you had a client who absolutely insisted on using NetBIOS over TCP/IP across multiple subnets? My company just put in a handful of Meraki wireless APs on a network consisting of six 2960 switches and a 2821 router running 12.4(13r). They're not doing DHCP and there isn't an Active Directory or WINS server to use as an IP helper address on the router interface that's serving as the gateway for wireless devices.

Gi0/0.1   - 192.168.0.254 -- wired LAN gateway
Gi0/0.150 - 172.30.5.254  -- wireless LAN gateway
Gi0/0.600 - 172.30.4.254  -- Meraki AP management VLAN

This admin doesn't want to put a hosts file on every machine either. I could put the wireless and wired LANs together but that would require a larger subnet and the admin would again have to go around to every machine to re-IP it. Also, the company I work for prefers that we keep those two networks separate. Is there a way to get NetBIOS broadcasts to traverse subnets that doesn't require an Active Directory or WINS server?
Feb 13, 2015 20:23
So the company wants to keep the networks separate but have broadcasts be seen by all hosts in both networks? You could have all the subinterfaces be secondary addresses on a single interface or you could use IRB.

tortilla_chip fucked around with this message at 20:46 on Feb 13, 2015
Feb 13, 2015 20:41
IRB looks promising. Thanks!
Feb 13, 2015 21:05
On the subject of Cisco WLC: in the infinite wisdom of our customer's project manager we have deployed a managed WAP on an off-shore vessel. There is no WLC on-board the vessel so the WAP is being managed by the WLC back at our DC over a 500ms VSAT link. We are using 802.1x for authentication and due to the latency clients are unable to auth 90% of the time when trying to connect. We escalated to TAC who advised that the latency between the WAP and WLC needs to be <100ms for it to work properly. Has anyone else dealt with such a situation before? It's getting to the point where we will either have to deploy a WLC on the vessel or reconfigure the WAP in standalone mode, both of which I'd rather not do because gently caress going back offshore again. Are there any other options?
Feb 13, 2015 21:11
Have you looked into H-REAP?
Feb 13, 2015 21:25
tortilla_chip posted:
So the company wants to keep the networks separate but have broadcasts be seen by all hosts in both networks?

This pains me to even suggest it, but I wonder if enabling directed broadcast on the interfaces, then setting helper addresses to both other subnet broadcast addresses would work. It looks like 137/138 are supported by default.
Feb 13, 2015 21:33
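As an added example not taken from the thread, this is the helper-address plus directed-broadcast idea above written out for the 2821's wired and wireless subinterfaces, narrowed so the router relays only UDP 137/138 and turns only ACL-permitted packets back into a broadcast. The /24 masks, the dot1Q tags and the ACL numbers 110/120 are assumptions; the addresses come from the question.

```cisco
! Added example (not from the thread): relay NetBIOS name/datagram
! broadcasts (UDP 137/138), and nothing else, between the wired and
! wireless subnets of the 2821 above.
! Assumptions: /24 masks, dot1Q tags 1 and 150, ACL numbers 110/120.

! ip helper-address also relays DHCP, TFTP, DNS, TIME and TACACS by
! default; trim the forward list down to netbios-ns/netbios-dgm.
! Drop the bootps/bootpc lines if this router ever has to relay DHCP.
no ip forward-protocol udp bootps
no ip forward-protocol udp bootpc
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp tacacs

! Directed broadcasts have been off by default since IOS 12.0 because
! they are the classic Smurf amplifier. These ACLs are the only packets
! each destination interface may turn back into a layer-2 broadcast.
access-list 110 remark wired -> wireless, NetBIOS only
access-list 110 permit udp 192.168.0.0 0.0.0.255 host 172.30.5.255 eq netbios-ns
access-list 110 permit udp 192.168.0.0 0.0.0.255 host 172.30.5.255 eq netbios-dgm
access-list 120 remark wireless -> wired, NetBIOS only
access-list 120 permit udp 172.30.5.0 0.0.0.255 host 192.168.0.255 eq netbios-ns
access-list 120 permit udp 172.30.5.0 0.0.0.255 host 192.168.0.255 eq netbios-dgm

interface GigabitEthernet0/0.1
 description wired LAN gateway
 encapsulation dot1Q 1 native
 ip address 192.168.0.254 255.255.255.0
 ! 255.255.255.255 is rewritten to 172.30.5.255; the client's source
 ! address is kept, so the answering host replies unicast to it
 ip helper-address 172.30.5.255
 ! applies to directed broadcasts arriving from the wireless side
 ip directed-broadcast 120

interface GigabitEthernet0/0.150
 description wireless LAN gateway
 encapsulation dot1Q 150
 ip address 172.30.5.254 255.255.255.0
 ip helper-address 192.168.0.255
 ip directed-broadcast 110
```

The AP management subinterface (Gi0/0.600) gets neither a helper nor directed-broadcast, so management traffic stays out of the relay; "show ip interface Gi0/0.150 | include broadcast|Helper" confirms what is enabled.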
cheese-cube posted:
Are there any other options?

Send someone else to do it?
Feb 13, 2015 21:35
I remember we had talked in the past, I forgot we talked about our employers though. Netscout's product is really nice, they just want about 10x too much for it. Does anyone know if it's possible to put an IP SLA responder on a vrf? It seems to just not respond if I give it an IP that lives in a non-default VRF.
Feb 13, 2015 22:13
Thanks Ants posted:
Send someone else to do it?

Yeah that would be nice, however I'm the only person on the contract who has a BOSIET certificate. poo poo I'm a server engineer, not a networks guy. Hopefully I'll die in a derrick fire or helicopter crash or something.
Feb 13, 2015 22:14
Seriously, I think H-REAP will do what you want: http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/71250-h-reap-design-deploy.html
Feb 13, 2015 22:25
H-REAP won't help you if the radio is configured to 802.1x authenticate back to a remote server. Put a little WLC out there, it's really the best solution. Probably a 2500 or similar.
Feb 13, 2015 22:39