|
Bigass Moth posted:These should not be in production environments anymore but I see them every drat day. I see them at small branch offices where they're used almost exclusively as site to site VPN head-ends, which isn't a bad use case for them.
|
# ? Oct 30, 2015 19:38 |
|
|
psydude posted:I see them at small branch offices where they're used almost exclusively as site to site VPN head-ends, which isn't a bad use case for them. Yeah, I ripped out like 8 of them last year. All they were doing is site to site VPNs.
|
# ? Oct 30, 2015 20:18 |
|
I'm ripping out all our ASA5510s on December 4. Hell yes. Can't wait for them to be gone
|
# ? Oct 30, 2015 20:19 |
|
We actually just quoted a client an ASA5505 today for that VPN reason. The more you know.
|
# ? Oct 30, 2015 21:22 |
|
I just brought home like 20 5510s that we decom'd. Hoping to make a few bucks on eBay from people who don't know better :P
|
# ? Oct 30, 2015 22:19 |
|
TBH, given how the licensing is perpetual, 5510s aren't bad for lab environments because they're functionally similar enough to the -X series ASAs. Just buy some extra RAM to get them up to 9.1(6).
|
# ? Oct 30, 2015 22:30 |
|
All ASAs are the worst. Oh and all firewalls.
|
# ? Oct 30, 2015 23:08 |
|
Everything in IT is the worst
|
# ? Oct 30, 2015 23:39 |
|
Thanks Ants posted:Everything in IT is the worst
|
# ? Oct 30, 2015 23:43 |
|
I have a couple Cisco 3500 switches. For whatever reason, I cannot create any VLANs. It's driving me nuts trying to figure out why and I haven't had any luck googling it. So I go into global config mode, enter the command: vlan 10 And I get back an invalid input detected message. I know for a fact that is how you create a VLAN. Does anyone know what I might be doing wrong or if there is some setting I have to change to do this? These are used switches, and did have configurations already from the previous owner that I wiped. The weird thing is I can go to a specific switch port and assign it to a VLAN, thus actually creating the VLAN. I don't know what's going on...
|
# ? Nov 3, 2015 02:07 |
|
Charliegrs posted:I have a couple Cisco 3500 switches. For whatever reason, I cannot create any VLANs. Its driving me nuts trying to figure out why and I havent had any luck googling it.

Switch(config)#int vlan 10
Switch(config-if)#no shut
Switch(config-if)#
%LINK-5-CHANGED: Interface Vlan1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
Switch(config-if)#int fa0/1
Switch(config-if)#sw mode access
Switch(config-if)#sw access v 10
% Access VLAN does not exist. Creating vlan 10
Switch(config-if)#

Maybe try fiddling with the vlan database?

Switch#vlan data
Switch#vlan database
% Warning: It is recommended to configure VLAN from config mode,
  as VLAN database mode is being deprecated. Please consult user
  documentation for configuring VTP/VLAN in config mode.
Switch(vlan)#?
VLAN database editing buffer manipulation commands:
  exit  Apply changes, bump revision number, and exit mode
  no    Negate a command or set its defaults
  vlan  Add, delete, or modify values associated with a single VLAN
  vtp   Perform VTP administrative functions.
Switch(vlan)#vlan 10 ?
  name  Ascii name of the VLAN
  <cr>
Switch(vlan)#vlan 10 name ?
  WORD  The ascii name for the VLAN
Switch(vlan)#vlan 10 name vlan10
VLAN 10 modified:
    Name: vlan10
Switch(vlan)#
Switch#

Methanar fucked around with this message at 02:20 on Nov 3, 2015 |
# ? Nov 3, 2015 02:17 |
|
Yeah with those older switches you have to go into vlan database from exec mode.
|
# ? Nov 3, 2015 02:42 |
|
Methanar posted:Switch(config)#int vlan 10 That did it thanks a lot! So does anyone have any clue why I can't seem to talk to my switches through an access server? I can talk to my routers no problem but for whatever reason with the switches I don't get anything. I don't think it's some kind of setting issue because I wiped the configs on all my routers and switches.
|
# ? Nov 3, 2015 06:48 |
|
Charliegrs posted:That did it thanks a lot! Are they local or remote to the server? Do you have ip default-gateway configured on the switches?
|
# ? Nov 3, 2015 13:21 |
|
Slickdrac posted:Are they local or remote to the server? Do you have ip default-gateway configured on the switches? Yep, it's all local. I have a test lab here in my house with an access server that is connected to my home router. I have an incredibly simple setup, just a 2900 router (that I can reach with the access server) connected to a 3500 switch. The switch has an interface vlan 1 with an ip address and a default gateway. But I get absolutely nothing on my console screen when I try to talk to the switch with the access server. I am clueless as to what can be causing this.
|
# ? Nov 4, 2015 03:22 |
|
Charliegrs posted: Can you ping it? Do you see its MAC coming across on the correct VLAN from the interface? Can you hit it from other devices (ping or telnet/ssh)? Try clearing certificates (if applicable) then trying. Trying to figure out a similar issue myself that popped up today (don't worry, I blame you). One of my DC L3 switches does the same thing from remote VPN, I can't remote directly to it and it just times out with no response, and no acknowledgement in the logs. But I can jump to anything within the local network OR in the greater management network and then remote to it just fine, and login via radius creds. Even better, only my computer can't reach it, but my other guys can hit it just fine. Even wiping out the device and re-adding it to CRT or wiping all my certs and trying to putty didn't do anything.
|
# ? Nov 4, 2015 07:45 |
|
I'm hoping someone can answer a quick question about CISCO routers. I know that mtr is unreliable when reporting response time from a CISCO device that is your network gateway because it offloads requests to the gateway to a different CPU (I think?) and then responds whenever load is low enough to do so. This results in really erratic response times. -- Or at least this is my "I'm only passingly familiar with CISCO hardware" understanding.

Now let's say I'm looking for routes to the gateway that might be problematic. My approach was to simply sample mtr data over a long period of time (48 hours) and then hope the data normalizes some. What I saw was the following:

Host A -> Gateway -> Host B results in up to 500-700ms extremes in the data collected.
Host C -> Gateway -> Host B results in 40-60ms extremes in the data collected.

The extreme data points happen 15-20 times per hour, and the standard deviation across the Host A path is much larger. It should be noted that these are very direct routes, as in, what I illustrated is it (aside from some switches at the top of the rack). My sample rate is 1 second intervals and the tests are running at the same time.

I brought my findings to the network team, but they simply dismissed it outright as "mtr is unreliable when used to measure performance of CISCO devices." Am I wrong to think these should be consistently unreliable? As in, both paths should have their traffic de-prioritized in the same way and the mtr data should be all over the place...but the extremes should be similar in both tests.

The other thing to note is that Host C is actually a VM and is going through UCS, while Host A and Host B are both physical hosts. I'm just trying to assess if this difference is indicative of a problem through one path and not the other.

e: the gateway in question is a beefy 7K router. Winkle-Daddy fucked around with this message at 19:59 on Nov 4, 2015 |
# ? Nov 4, 2015 19:52 |
|
Winkle-Daddy posted:I'm hoping someone can answer a quick question about CISCO routers. I know that mtr is unreliable when reporting response time from a CISCO device that is your network gateway because it offloads requests to the gateway to a different CPU (I think?) and then responds whenever load is low enough to do so. This results in really erratic response times. -- Or at least this is my "I'm only passingly familiar with CISCO hardware" understanding. Is "gateway" the same exact IP/interface? Do they go through the same or different switches? Is this an always live and active network, or do the times during off hours become stable and lower and similar then? If you hit between devices within the same subnet, do you still see triple digit extremes from A? Is the overall average time in the single digits/VERY low double digits? If the answer is Yes/Yes, same, minimal change, yes, no. Then could be a bad cable to the host A or in the pathway of it. If any of those answers deviate, then it could just be the amount of traffic hitting one of the devices/interfaces on the line (or still a problem with the cable, because no one expects Layer 1 except helpdesk support, higher support overthinks too much) v-Ah, good info, read his post, don't waste time with mine, could be any number of things. Slickdrac fucked around with this message at 21:02 on Nov 4, 2015 |
# ? Nov 4, 2015 20:35 |
|
You said in the other thread Host A and Host C were on a different subnet. This opens up a huge pool of potential causes for the latency. So to answer your questions. "Am I wrong to think these should be consistently unreliable?" Yes. The specific reasons why are difficult and maybe even impossible to answer. "is this actually indicative of a problem, or is this expected given the nature of CISCO devices." It is not by itself indicative of a problem, and it is also not unique to Cisco devices as most network stacks prioritize control traffic differently than traffic passing through them.
|
# ? Nov 4, 2015 20:45 |
|
Slickdrac posted:Is "gateway" the same exact IP/interface? Slickdrac posted:Do they go through the same or different switches? Slickdrac posted:Is this an always live and active network, or do the times during off hours become stable and lower and similar then? Slickdrac posted:If you hit between devices within the same subnet, do you still see triple digit extremes from A? Slickdrac posted:Is the overall average time in the single digits/VERY low double digits? If the answer is Yes/Yes, same, minimal change, yes, no. Then could be a bad cable to the host A or in the pathway of it. If any of those answers deviate, then it could just be the amount of traffic hitting one of the devices/interfaces on the line (or still a problem with the cable, because no one expects Layer 1 except helpdesk support, higher support overthinks too much)

Instead of just giving vague generalities about how long it is, I'll just provide some real numbers. These numbers reflect the overall averages over a 48hr period (however, each hour is characterized almost exactly the same, as we did that, too):

Host A (physical) => Host B (physical), the data is for ping time to gateway
Longest Response: 670.9ms
Shortest Response: 0.3ms
Average Response: 1.27ms
Standard deviation: 5.15ms

Host C (virtual) => Host B (physical), the data is for ping time to gateway
Longest Response: 42.7ms
Shortest Response: 0.3ms
Average Response: 0.74ms
Standard Deviation: 1.35ms

So again, my assumption in the way that the ICMP traffic is de-prioritized leads me to believe that this indicates a problem, as I would expect that the standard deviation from both tests would be about the same simply due to the amount of data collected over multiple days.

edit: Because I'm bad at stating my specific question, it is: Does this data indicate there is a likely problem, or is gateway pinging with expired TTL such that there is really no way to tell without getting other tools involved? (I'm testing several other things right now because while I believe this may indicate an issue, I do not believe it indicates a very large issue.)

Powercrazy posted:You said in the other thread Host A and Host C were on a different subnet. This opens up a huge pool of potential causes for the latency. So to answer your questions. Thanks! I don't know if the additional data I posted above adds any context that could help in one way or another. Winkle-Daddy fucked around with this message at 22:40 on Nov 4, 2015 |
# ? Nov 4, 2015 21:15 |
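Added example (mine, not from the thread): a script that turns raw ping replies into the four figures posted above plus a spikes-per-hour count, then compares two paths that end at the same gateway. It assumes the GNU/Linux `ping -D` reply format; the sample lines are constructed, not captured.

```python
"""Summarise ping-to-gateway samples and compare two paths (added example).

Assumes the reply format of GNU/Linux `ping -D` (epoch timestamp in brackets).
The PATH_A / PATH_B lines below are constructed, not captured from the thread.
"""
import re
import statistics

REPLY = re.compile(
    r"^\[(?P<ts>\d+\.\d+)\] \d+ bytes from \S+: icmp_seq=\d+ ttl=\d+ time=(?P<rtt>[\d.]+) ms$"
)

# Constructed: five 1-second samples per path, reusing the extremes from the post.
PATH_A = """\
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
[1446660000.000] 64 bytes from 10.0.0.1: icmp_seq=1 ttl=255 time=0.3 ms
[1446660001.000] 64 bytes from 10.0.0.1: icmp_seq=2 ttl=255 time=0.4 ms
[1446660002.000] 64 bytes from 10.0.0.1: icmp_seq=3 ttl=255 time=670.9 ms
[1446660003.000] 64 bytes from 10.0.0.1: icmp_seq=4 ttl=255 time=0.5 ms
[1446660004.000] 64 bytes from 10.0.0.1: icmp_seq=5 ttl=255 time=0.6 ms
"""
PATH_B = """\
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
[1446660000.000] 64 bytes from 10.0.0.1: icmp_seq=1 ttl=255 time=0.3 ms
[1446660001.000] 64 bytes from 10.0.0.1: icmp_seq=2 ttl=255 time=0.4 ms
[1446660002.000] 64 bytes from 10.0.0.1: icmp_seq=3 ttl=255 time=42.7 ms
[1446660003.000] 64 bytes from 10.0.0.1: icmp_seq=4 ttl=255 time=0.5 ms
[1446660004.000] 64 bytes from 10.0.0.1: icmp_seq=5 ttl=255 time=0.6 ms
"""


def parse_ping(text):
    """Return [(epoch_seconds, rtt_ms), ...]; header and non-reply lines are skipped."""
    out = []
    for line in text.splitlines():
        m = REPLY.match(line)
        if m:
            out.append((float(m.group("ts")), float(m.group("rtt"))))
    return out


def summarize(samples, spike_ms=100.0):
    """The figures from the post (max, min, mean, sample stdev) plus a spike rate."""
    rtts = [rtt for _, rtt in samples]
    span_s = max(samples[-1][0] - samples[0][0], 1.0)   # wall-clock span covered
    spikes = sum(1 for rtt in rtts if rtt >= spike_ms)
    return {
        "longest": max(rtts),
        "shortest": min(rtts),
        "average": statistics.fmean(rtts),
        "stdev": statistics.stdev(rtts) if len(rtts) > 1 else 0.0,
        "spikes": spikes,
        "spikes_per_hour": spikes * 3600.0 / span_s,
    }


def compare_paths(a, b, spike_ms=100.0, stdev_ratio=3.0):
    """Both sample sets target the same gateway, so the control-plane queueing that
    makes ping-to-gateway noisy should hit them alike.  A tail that is far worse on
    one side (stdev ratio above `stdev_ratio`) points at the part of the path that
    differs, not at the gateway itself."""
    sa, sb = summarize(a, spike_ms), summarize(b, spike_ms)
    hi, lo = max(sa["stdev"], sb["stdev"]), min(sa["stdev"], sb["stdev"])
    asymmetric = (lo == 0.0 and hi > 0.0) or (lo > 0.0 and hi / lo > stdev_ratio)
    return {"a": sa, "b": sb, "asymmetric": asymmetric}


if __name__ == "__main__":
    result = compare_paths(parse_ping(PATH_A), parse_ping(PATH_B))
    for key in ("a", "b"):
        s = result[key]
        print(f"path {key}: longest {s['longest']:.1f} ms, average {s['average']:.2f} ms, "
              f"stdev {s['stdev']:.2f} ms, {s['spikes_per_hour']:.0f} spikes/h")
    print("asymmetric tail:", result["asymmetric"])
```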
|
It looks like it's functioning fairly normally, potentially, without knowing just how much traffic and throughput the network and the switches are seeing. Random spikes of traffic are going to eat up clock time and create large numbers. If I were your engineer, I would just load up my snmp monitoring and do a glance over of interface errors, CPU utilization, and interface utilization. It doesn't seem like anything terribly odd, but I always donate a good two minutes when I have a single person raising a question of possible speed issues, because I'm nice, and because I don't want to look like a total rear end later when a cable/interface is starting to fail or a device is approaching overload levels. But getting occasional triple digits isn't terribly odd if there's a heavily utilized device in the pathway. We have a massive fiber ring that links up 4 offices to each other and the data center, it'll ping consistently at 5-15 ms, but on occasion will just spike up to 200, and rarely will sometimes stop off for donuts and come back in 4 figure land. It's just dependent on the amount of traffic going through at that particular moment. Nothing to worry about unless a 2 minute sanity check reveals the start of what could become a larger issue.
|
# ? Nov 4, 2015 23:09 |
|
So networking isn't my forte (or focus area); but something I obviously interface with periodically. We have a switch that my junior admin set up the other day and asked for assistance today while I was on-site with him..

Ports 1-23 - VLAN2 (untagged)
Ports 24, 48 - VLAN1 (native, untagged)
Ports 24-27 - VLAN3 (untagged)

He asked me to give it a look today, and I only had a minute to peek at it - not thoroughly troubleshoot with him.. Basically, hosts on VLAN2 cannot communicate; for example, plugged into port 3 and 9, on the same subnet - no dice. Similarly, hosts on VLAN3 cannot communicate, same idea. VLAN1 for switch management works just fine on Port 24 and 48. Resetting the VLAN configuration to have the whole switch native to VLAN1 in default config and hosts can talk as they should (but the switch isn't segregated the way he wants, obviously). Any tips I can toss him? I am in the middle of rebuilding a portion of our virtualization environment with a tight deadline so I don't have a ton of time to hand-hold; I'm merely looking for thoughts or tips I can toss at him on this.
|
# ? Nov 4, 2015 23:26 |
|
Slickdrac posted:It looks like it's functioning fairly normally, potentially, without knowing just how much traffic and throughput the network and the switches are seeing. Random spikes of traffic are going to eat up clock time and create large numbers. If I were your engineer, I would just load up my snmp monitoring and do a glance over of interface errors, CPU utilization, and interface utilization. It doesn't seem like anything terribly odd, but I always donate a good two minutes when I have a single person raising a question of possible speed issues, because I'm nice, and because I don't want to look like a total rear end later when a cable/interface is starting to fail or a device is approaching overload levels. Cool, thanks for the suggestions! We are running performance tests and it turns out trying to characterize network performance is a hard problem
|
# ? Nov 5, 2015 00:06 |
|
Walked posted:So networking isnt my forte (or focus area); but something I obviously interface with periodically. Is it a Cisco switch or not? I've seen switches from some manufacturers let you specify the untagged VLAN as well as the PVID per port for reasons I have no idea about, and if they didn't match then no traffic would pass. I would assume the guy hasn't created a private VLAN so that can probably be ruled out, but it might be worth a look.
|
# ? Nov 5, 2015 00:16 |
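Added example (mine, not from the thread): a small model of the PVID vs. untagged-membership mismatch Thanks Ants describes, using the port layout from Walked's post. The generic 802.1Q rules (PVID classifies untagged ingress frames; a frame only leaves through ports that are members of that VLAN) are standard; the "PVIDs left at the default of 1" configuration is my assumed reconstruction of the fault, not something the thread confirms.

```python
"""Model of per-port PVID vs. untagged VLAN membership on a managed switch.

Added example, not from the thread.  Port layout follows Walked's post; the
broken configuration (every PVID still at the factory default of 1 while the
untagged membership was changed) is an assumption about what went wrong.
"""
from dataclasses import dataclass, field


@dataclass
class Port:
    pvid: int                                   # VLAN given to frames that arrive untagged
    untagged: set = field(default_factory=set)  # VLANs this port carries untagged
    tagged: set = field(default_factory=set)    # VLANs this port carries 802.1Q-tagged

    def member_of(self, vlan):
        return vlan in self.untagged or vlan in self.tagged


def build_switch(pvid_follows_untagged):
    """Ports 1-23 untagged VLAN 2, ports 24 and 48 untagged VLAN 1 (management),
    ports 24-27 untagged VLAN 3, every other port left in VLAN 1.
    With pvid_follows_untagged=False each PVID stays at the default of 1."""
    switch = {}
    for p in range(1, 49):
        untagged = set()
        if p <= 23:
            untagged.add(2)
        if p in (24, 48):
            untagged.add(1)
        if 24 <= p <= 27:
            untagged.add(3)
        if not untagged:
            untagged.add(1)
        pvid = min(untagged) if pvid_follows_untagged else 1
        switch[p] = Port(pvid=pvid, untagged=untagged)
    return switch


def deliver(switch, ingress, egress, ingress_filtering=True):
    """Fate of an untagged frame entering `ingress` for a host on `egress`:
    'delivered', 'ingress-filtered' (port is not a member of its own PVID VLAN and
    the switch enforces ingress filtering) or 'not-in-vlan' (egress port is not a
    member of the VLAN the frame was classified into).  Either failure looks the
    same to the hosts: nothing arrives."""
    vlan = switch[ingress].pvid
    if ingress_filtering and not switch[ingress].member_of(vlan):
        return "ingress-filtered"
    if not switch[egress].member_of(vlan):
        return "not-in-vlan"
    return "delivered"


def can_talk(switch, a, b, **kw):
    """Two hosts communicate only if frames get through in both directions."""
    return (deliver(switch, a, b, **kw) == "delivered"
            and deliver(switch, b, a, **kw) == "delivered")


if __name__ == "__main__":
    broken = build_switch(pvid_follows_untagged=False)
    fixed = build_switch(pvid_follows_untagged=True)
    for label, sw in (("PVID left at 1", broken), ("PVID matches untagged VLAN", fixed)):
        print(f"{label}: port 3 -> 9: {deliver(sw, 3, 9)}; "
              f"ports 24 <-> 48 (management): {can_talk(sw, 24, 48)}")
```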
|
Thanks Ants posted:Is it a Cisco switch or not? I've seen switches from some manufacturers let you specify the untagged VLAN as well as the PVID per port for reasons I have no idea about, and if they didn't match then no traffic would pass. I would assume the guy hasn't created a private VLAN so that can probably be ruled out, but it might be worth a look. Oops, no - not Cisco. I'll have him take a look; thanks
|
# ? Nov 5, 2015 00:35 |
|
Does anybody here use Prime Infrastructure? Our Cisco rep said they may be able to throw the express license at us for free since we're doing a full stack refresh. I'm getting the evaluation installed and the system requirements seem really high (4 CPUs 12 GB ram 300 GB drive space) for what it claims to do. I'll need to purchase some ram for this box, but is it worth it? Or is this thing hyped up and virtually useless? e: for context, we have roughly 13 routers, 10 switches, all being managed by putty with netflow disabled. Not too large of an environment but checking bandwidth consumption is tedious. Judge Schnoopy fucked around with this message at 18:35 on Nov 5, 2015 |
# ? Nov 5, 2015 17:44 |
|
Judge Schnoopy posted:Does anybody here use Prime Infrastructure? Our Cisco rep said they may be able to throw the express license at us for free since we're doing a full stack refresh. I'm getting the evaluation installed and the system requirements seem really high (4 CPUs 12 GB ram 300 GB drive space) for what it claims to do. I'll need to purchase some ram for this box, but is it worth it? It's vastly superior to its predecessor, CCP. If you have a pretty big and distributed environment it can be nice; it might be worth giving it a shot.
|
# ? Nov 5, 2015 18:11 |
|
I haven't even used prime myself but as someone who works datacenters and nocs I've seen many people use it in conjunction with something else to poll via SNMP and handle stuff like netflow, traditionally.
|
# ? Nov 5, 2015 19:02 |
|
We have used prime infrastructure for wireless. It does combine useful information in from MSE, controllers, etc. I trialed prime collab assurance for voice (and coincidentally it monitors switches, routers, etc for fault) and it sucks a big one as far as setting it up and having it do anything worth your time. If you have a vendor neutral monitoring and orchestration suite it's going to be just as useful for the basics, unless you really want to go into rmon, nuance, stats gathering, etc.
|
# ? Nov 6, 2015 02:56 |
|
Partycat posted:I trialed prime collab assurance for voice (and coincidentally it monitors switches, routers, etc for fault) and it sucks a big one as far as setting it up and having it do anything worth your time. This, and every time you hit a bug Cisco will reply "Please nuke your environment and build it from scratch with the latest version". As far as I can tell we started using it well before it was ready for using.
|
# ? Nov 6, 2015 04:47 |
|
Prime absolutely sucks dick. We had PI that we got for a customer two years ago, and since my second week with the product, I had a call & bug logged with Cisco that has been open for 23 months now. In total I've probably spent 3-4 weeks of my time on support calls, a dozen or two dozen conference calls with developers at Cisco (which was probably the most painful part because apparently they only outsourced Prime development to the thickest-accented-indians they could find), getting logs, trying stuff, upgrading, being told it was now fixed and to wait for the next version (which never fixed it), etc for it still to never be solved. In the end I ended up asking our account manager for our money back so I can go and spend it on PRTG or something. Surprisingly they actually said yes the other week which is good of them at least. The bug is that all of the interface, client/server, usage and application statistics for switches and routers are wrong, which is kind of a big flaw for a switch and router monitoring product.

Sprechensiesexy posted:This, and every time you hit a bug Cisco will reply "Please nuke your enviroment and build it from scratch with the latest version". As far as I can tell we started using it well before it was ready for using. Only had to do this once, when that didn't fix it at least they didn't ask me to do it again.

Edit: And while I'm remembering the pain and suffering of this entire wireless solution, gently caress MSE too. When you're up till 6am rebuilding the tatters of your second failed version upgrade in a row, the backups you took two hours ago are somehow corrupt, you enter a new administrator password during the setup in your sleepy haze, get the wireless kind-of working and go to bed to pass the hell out, to realise the next morning you forgot to jot that password down. You call TAC to find the password recovery mechanism. Go on, guess what it is. RMA the appliances and wait for new ones to be delivered!

Ahdinko fucked around with this message at 12:45 on Nov 6, 2015 |
# ? Nov 6, 2015 12:15 |
|
If you just want nice graphs check out Cacti. It's pretty easy to configure and add devices.
|
# ? Nov 6, 2015 15:56 |
|
In my case with the collab assurance, I didn't even get to the part about "random graphs don't populate" or that the data points were incomplete or provided no details in a number of areas. Some of the java processes cored out constantly causing a watchdog to restart the whole thing every hour. I "fixed" it by disabling cert verification since there was no way to actually add signed certs/chains to this thing that worked - and you have root access to screw around with it. I spent some length of time with a TAC engineer somewhere I couldn't understand, using a PC headset that cut out, and, when he could be heard, he had kids yelling in the background. They came up with some bullshit that didn't have anything to do with it, and my evaluation license expired. So I evaluated it as trash and moved on.
|
# ? Nov 6, 2015 16:23 |
|
OmniCorp posted:If you just want nice graphs checkout cacti. It's pretty easy to configure and add devices. I'm looking for easy and functional graphs as one thing, so I can put them on a wallboard that we will point at when clients come round to make it look like more things are happening. But I also actually really liked PRTG's like "adaptive" alerting that I remember from when I used it a few years ago. Basically it'll chuck up an alert if traffic/stats are different to what it has defined as "usual" from its monitoring over time, even if it hasn't crossed an alert threshold, which has actually saved a system going down a few times for me, or basically diagnosed entire issues before I even had a chance to realise they were happening. I've used a couple of things like Solarwinds NPM, IpMonitor and level platforms but none have come close, what other shiny ones are out there? Ahdinko fucked around with this message at 17:01 on Nov 6, 2015 |
# ? Nov 6, 2015 16:48 |
|
Weathermap for Cacti creates a topology view with usage data if you set it up right, looks like things are doing something, but they don't show like up/down status as far as I can tell.
|
# ? Nov 6, 2015 17:20 |
|
Honestly the wallboard requirements are really "look cool and make it look like things are happening to impress people". The helpdesk guys all get the alerts come into an inbox, none of them are sitting there staring at the telly waiting for a colour to change on a box. I'd like to see something more functional than anything else when I or the helpdesk guys actually log in to go look at an issue or pull some stats for a query.
|
# ? Nov 6, 2015 18:05 |
|
Ahdinko posted:Honestly the wallboard requirements are really "look cool and make it look like things are happening to impress people". The helpdesk guys all get the alerts come into an inbox, none of them are sitting there staring at the telly waiting for a colour to change on a box. I'd like to see something more functional than anything else when I or the helpdesk guys actually log in to go look at an issue or pull some stats for a query. Just put this up and call it good http://map.norsecorp.com/
|
# ? Nov 6, 2015 18:45 |
|
Docjowles posted:Just put this up and call it good Seconding this idea.
|
# ? Nov 6, 2015 21:15 |
|
Ahdinko posted:I'm looking for easy and functional graphs as one thing, so I can put them on a wallboard that we will point at when clients come round to make it look like more things are happening. I've done exactly this in Solarwinds NPM, actually. IPmonitor IS NPM, but an older and poo poo version circa 2008 or so? What I did was up to date as of June 2015. It requires NTA as well as understanding of network atlas + alert config, if you're really talking any large environment. It's up to you to define poo poo correctly though, as far as alerts ETC. I did all of this on my last job, so PM me if you have questions. It's pretty simple. If you're good with SQL and joins you can easily do anything you want in it. Shiny graphs of top talkers? Check. Shiny graphs of top talkers for x country in a hyperlink? Check. Otherwise, I can't see why to not do the norsecorp map as it's about as equivalent as any other form of "make it shiny". notwithoutmyanus fucked around with this message at 05:54 on Nov 9, 2015 |
# ? Nov 9, 2015 05:32 |
|
|
I've got all that on Solarwinds already, but I had a screen that had Prime on it and now that it's going back for a refund, I need something to go on the screen to replace it. I've taken all of your advice:
|
# ? Nov 9, 2015 13:40 |