Sepist
Dec 25, 2005

FUCK BITCHES, ROUTE PACKETS


Gravy Boat 2k

Fun update to the SG550 that bricked when we attached it to a stack. We're now on our 5th RMA with Cisco. They had us downgrade the replacement model twice now, and both times it bricks the unit. The TAC rep says he doesn't have the same result in his lab test. Starting to wonder if it's our tech that's bricking the devices.


Thanks Ants
May 21, 2004

Bless you, ants. Blants.




Fun Shoe

Think of the money saved over buying good switches though

ate shit on live tv
Feb 15, 2004


Winner #11 of the 2k14 #Gamergate Shit Show
Do not talk to me if your a SJW MRA PUA fucktarded Shitlord, (PS: GJ on ruining videogame journalism twitter drama MODS).


Prescription Combs posted:

Single F5's are not good at SSL TPS, even with their accelerator cards. You'd ideally want to distribute traffic regionally to maximize any sort of SSL TPS. Whether that's multiple regions with F5's or nginx. No single point is going to scale well with SSL TPS.

e: Alternately use a CDN to handle the brunt of SSL and then pipeline the traffic from the CDN to your load balancer to minimize SSL TPS on that.

Our traffic is already Anycast from 4 geographically distinct locales, plus AWS. The million CPS number was just our biggest datacenter.

abigserve
Sep 13, 2009

this is a better avatar than what I had before


I think the "f5" way of such a setup would be a pool of lbs and GSLB getting DNS to send traffic to the one with least connections. That way your resources will be very evenly utilised and you can scale it to a huge degree.

This might simplify your anycast setup as well as you'd only have to use anycast for DNS traffic to the nearest GSLB server. I'm pretty sure you can get GSLB to weight latency as well if you wanted to ditch Anycast altogether.

Of course that's hundreds of thousands of dollars and probably a complete re-architecture of your DNS setup...

Prescription Combs
Apr 20, 2005

ate poo poo on live tv posted:

Our traffic is already Anycast from 4 geographically distinct locales, plus AWS. The million CPS number was just our biggest datacenter.

Yeeeesh that's a lotta traffic.

tortilla_chip
Jun 13, 2007


If you're already doing anycast, do it within the geography as well and just make sure your hashing is consistent.

Rescue Toaster
Mar 13, 2003


So I made the mistake of buying a SG300-10 just for a small L3 managed switch to isolate some PCs/Servers/IoT/Guest Wifi at home. I really didn't need much so I figured an entry level model would be fine.

Problems with it so far:
1) Can't modify an ACE while an ACL is attached to a VLAN; constantly have to remove & re-add ACLs in order to make tiny changes.
2) After performing said changes, it routinely stops routing anything and needs to be rebooted. (Remove ACL from VLAN, add a single permit ACE, reattach ACL to VLAN, must reboot switch because it stops routing anything to/from that VLAN.)
3) Constantly get 'Entry already exists' errors when adding ACEs, even when it's the first ACE in a new list. Retrying with the exact same values often works, or sometimes fails 5-6 times in a row, then suddenly works with the same values. This is definitely an artifact of the web UI because the CLI doesn't have a problem.
4) Was having horrible internet speeds for the past two days, I thought for sure it was Mediacom since I had rebooted the switch multiple times via the UI. This morning I unplugged everything and traced it down to the switch for sure, and after hard power cycling it, started working again just fine. So only removing power worked, multiple reboots didn't.

I would have thought it's definitely just my stupidity, but seeing other people's experiences with 300's and 500's, I don't think it's entirely me. Is there something similar that's actually decent? Maybe an older used cisco model? I need at least 8 gigabit ports.

MrMoo
Sep 14, 2000



Working with EdgeOS today and it has automatic firewall rules for DHCP but not for DHCPv6. Took far too long to find that out. Also it appears some parameters changed format between releases, i.e. prefix-length went from a /56 to a 56 format, of course with no validation other than completely wiping the interface declaration on reboot. Nice.

mythicknight
Jan 28, 2009


Edit: Nevermind.

mythicknight fucked around with this message at Jan 2, 2018 around 23:13

Docjowles
Apr 9, 2009



tortilla_chip posted:

This presentation is a pretty decent starting point

Extremely good poo poo, thanks for sharing. The first talk is just super technically interesting, and the second is hilarious (in a good way).

lmao at his story about forcing all of his company's office traffic to bounce out to Europe before coming back to their data center to hammer home the importance of latency on user experience. And I want to get the Eight Fallacies of Distributed Computing tattooed on my forehead.

I now have many more tabs opened for further research which is always the hallmark of a good talk.

Djimi
Jan 23, 2004

I like digital data


I think this is the most apt thread to ask this question. Though not Cisco. I need to block a mac address on an old Brocade (Foundry) router.

The info I found on Brocade's site at the top doesn't make sense to me, maybe I'm reading it wrong.

code:
MAC address filters command syntax

To configure and apply a MAC address filter, enter commands such as the following.

device(config)# mac filter 1 deny 0000.0075.3676 ffff.0000.0000
device(config)# mac filter 2 deny any ffff.ffff.ffff ffff.ffff.ffff 
device(config)# mac filter 3 deny any 0180.c200.0000 ffff.ffff.fff0 
device(config)# mac filter 4 deny any 0000.0034.5678 ffff.ffff.ffff 
device(config)# mac filter 5 deny any 0000.0045.6789 ffff.ffff.ffff 
device(config)# mac filter 1024 permit any any
device(config)# int e 1
device(config-if-e1000-1)# mac filter-group 1 to 5 1024

These commands configure filter 1 to deny traffic with a source MAC
address that begins with "3565" to any destination, and configure
filters 2 through 5 to deny traffic with the specified destination MAC
addresses. Filter 1024 permits all traffic that is not denied by any
other filter.

The first line (filter 1) apparently blocks MACs that start with '3565', but I don't see it.

Specifically I want to block a MAC that's broadcasting all over the place, that I can't find (because I cannot visit the location at this time).

I want to block the address dc:d3:21:00:fc:d3 (on int e 1 for example) and permit everything else.
So I just need the correct version of filter 1 and filter 1024. But that example leaves me scratching my head. Thank you.
(And yes a new router is on list to get very soon).

tortilla_chip
Jun 13, 2007


That's got to be a typo.

mac filter 1 deny dcd3.2100.fcd3 ffff.ffff.ffff any
mac filter 2 deny any dcd3.2100.fcd3 ffff.ffff.ffff
mac filter 1024 permit any any
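An added example, not from any post in this thread, that parses Brocade `mac filter` lines like the ones above and evaluates a frame against them, so you can check what a filter list actually matches before pushing it to the box. The address/mask semantics (a frame matches where the mask bits are 1, so `ffff.ffff.ffff` is an exact match and `ffff.0000.0000` only looks at the first 16 bits) are read from the Brocade text quoted above; treating a missing destination as `any` and applying an implicit deny when nothing matches are assumptions, and the colon-to-dotted converter and `build_block_filters` helper are not Brocade's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (address, mask) pair as 48-bit ints; None stands for the keyword "any"
Spec = Optional[Tuple[int, int]]

_HEX12 = re.compile(r"[0-9a-f]{12}")


def parse_mac(text: str) -> int:
    """Accept colon, hyphen or Brocade dotted notation and return a 48-bit int."""
    digits = re.sub(r"[:\-.]", "", text.strip().lower())
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return int(digits, 16)


def to_brocade(mac: int) -> str:
    """Render a 48-bit int in the xxxx.xxxx.xxxx form the Brocade CLI uses."""
    h = f"{mac:012x}"
    return f"{h[:4]}.{h[4:8]}.{h[8:]}"


@dataclass
class MacFilter:
    number: int
    action: str  # "permit" or "deny"
    src: Spec
    dst: Spec


def _take_spec(tokens: List[str]):
    """Consume 'any' or an address+mask pair from the front of the token list."""
    if not tokens:
        return None, tokens  # assumption: an omitted destination means 'any'
    if tokens[0] == "any":
        return None, tokens[1:]
    if len(tokens) < 2:
        raise ValueError("address given without a mask")
    return (parse_mac(tokens[0]), parse_mac(tokens[1])), tokens[2:]


def parse_filter(line: str) -> MacFilter:
    """Parse one 'mac filter <n> permit|deny <src> <dst>' line."""
    tokens = line.strip().split()
    if tokens[:2] != ["mac", "filter"]:
        raise ValueError(f"not a mac filter line: {line!r}")
    number, action = int(tokens[2]), tokens[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    src, rest = _take_spec(tokens[4:])
    dst, rest = _take_spec(rest)
    if rest:
        raise ValueError(f"trailing tokens: {rest}")
    return MacFilter(number, action, src, dst)


def _matches(spec: Spec, mac: int) -> bool:
    """A spec matches when the frame address agrees with the filter address on every 1 bit of the mask."""
    if spec is None:
        return True
    addr, mask = spec
    return (mac & mask) == (addr & mask)


def evaluate(filters: List[MacFilter], src: str, dst: str):
    """Return (action, filter number) of the first matching filter in ascending number order."""
    s, d = parse_mac(src), parse_mac(dst)
    for f in sorted(filters, key=lambda f: f.number):
        if _matches(f.src, s) and _matches(f.dst, d):
            return f.action, f.number
    return "deny", None  # assumption: implicit deny when no filter matches


def build_block_filters(mac: str) -> List[str]:
    """The three lines that block one MAC as source and as destination and permit everything else."""
    m = to_brocade(parse_mac(mac))
    return [
        f"mac filter 1 deny {m} ffff.ffff.ffff any",
        f"mac filter 2 deny any {m} ffff.ffff.ffff",
        "mac filter 1024 permit any any",
    ]


if __name__ == "__main__":
    rules = [parse_filter(l) for l in build_block_filters("dc:d3:21:00:fc:d3")]
    for line in build_block_filters("dc:d3:21:00:fc:d3"):
        print(line)
    print(evaluate(rules, "dc:d3:21:00:fc:d3", "ff:ff:ff:ff:ff:ff"))
```

Running the documentation's own `mac filter 1 deny 0000.0075.3676 ffff.0000.0000` through `evaluate` shows it matching any source that begins with `0000`, which is why the prose about "3565" reads like a typo.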

Docjowles
Apr 9, 2009



Agreed, just looks like a stupid typo.

Also, goondolences on being stuck with old-rear end Foundry/Brocade gear. We have some too and it is the literal worst

falz
Jan 29, 2005

01100110 01100001 01101100 01111010


Docjowles posted:

Foundry/Brocade gear ... Is the literal worst

Djimi
Jan 23, 2004



tortilla_chip posted:

That's got to be a typo.
That's what I thought - and thank you for your example. I literally looked at it and just thought I didn't really know dot notation of MAC addresses for beans.

Foundry had its moment last century.

Thanks Ants
May 21, 2004


If I need a basic router to do NAT for a ~100Mbps internet connection at a remote site and maybe do an IPsec tunnel, is it worth tearing my hair out with a Mikrotik/Ubiquiti box or is the correct answer to just buy an SRX300?

tortilla_chip
Jun 13, 2007


For low end hardware appliances the limiting factor will probably be CPU performance and IPSec. Anecdotally, a client I consulted for had issues with their Atom powered pfsense box at about ~100mbps of IPSec traffic. Do you need a hardware appliance? A VM with a single x86 core could easily do this. Does the existing support organization have hundreds of years of collective Juniper experience? If so, just buy the SRX.

Moey
Oct 22, 2010



Hundreds of years? Junos is pretty straightforward to work with.

tortilla_chip
Jun 13, 2007


My point was operational experience and existing process may have more to do with capital purchases than actual hardware costs.

tortilla_chip fucked around with this message at Jan 8, 2018 around 16:54

Prescription Combs
Apr 20, 2005

Thanks Ants posted:

If I need a basic router to do NAT for a ~100Mbps internet connection at a remote site and maybe do an IPsec tunnel, is it worth tearing my hair out with a Mikrotik/Ubiquiti box or is the correct answer to just buy an SRX300?

My vote would be Edgerouter lite.

Thanks Ants
May 21, 2004


Can anybody help with interpreting the below?

code:
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/75 (size/max)
  1 minute input rate 105000 bits/sec, 170 packets/sec
  1 minute output rate 3506000 bits/sec, 300 packets/sec
     133181989 packets input, 630165686 bytes, 0 no buffer
     Received 1494 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles 
     650 input errors, 0 CRC, 0 frame, 650 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     312180333 packets output, 3345149118 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

The bit I am confused about is the 'overruns' counter on the output - our provider (who supplied the router) insist that this is what happens when the circuit utilisation is too high, but everything I can read from Cisco says that when you're incrementing this counter it's because you're running out of hardware resources on the router itself. Surely the rate limitation on the connection is applied further upstream than on the CPE device?

This is a 1921 provided on a 50Mbps circuit but I'm not reading anything that says it should struggle with basic routing (no NAT etc.) at these sorts of throughputs. The above is from the port that the ISP is handing off to us on, I don't have the output from the interface on their network side.

tortilla_chip
Jun 13, 2007


Service providers tend to enforce QoS policy as far out at the edge as possible, so it is likely there is a service-policy performing a policer function on the CPE.

Thanks Ants
May 21, 2004


Do they show as overruns then?

tortilla_chip
Jun 13, 2007


I don't have any hardware available to verify. Fastest way would just be to send traffic at a rate higher than the commit. Try iPerf. I suspect you'll see a correlation between the overruns and traffic dropped due to exceeding the policed rate.

Sepist
Dec 25, 2005


Input service policy enforcement will show up as overruns. Also output service policy enforcement will show up as an output drop if you've ever configured it.

They should have sent you the output of show policy-map for the interface, that would correlate with the overruns

Thanks Ants
May 21, 2004


I will dig further. Unfortunately they are pretty useless and it's taken two weeks to get to this point.

Biowarfare
Nov 8, 2010

I JUST WISH THIS WAS A PONY SO I COULD JERK IT WHILE I PLAY WOW

What happens on an err-disable? Is the port still "powered on" or negotiable at all?

I'm trying to figure out why my Linux machine does not detect anything at all and has no link state change notifications when I have a port err-disabled, but the cable is plugged in still.

cheese-cube
May 28, 2007

OMNIA SUNT COMMUNIA





Biowarfare posted:

What happens on an err-disable? Is the port still "powered on" or negotiable at all?

I'm trying to figure out why my Linux machine does not detect anything at all and has no link state change notifications when I have a port err-disabled, but the cable is plugged in still.

err-disable can be caused by a number of things but usually to restore it you'll have to shut/no shut the port. Whilst the port is err-disabled you'll get no Layer 1 and up.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE


Biowarfare posted:

What happens on an err-disable? Is the port still "powered on" or negotiable at all?

I'm trying to figure out why my Linux machine does not detect anything at all and has no link state change notifications when I have a port err-disabled, but the cable is plugged in still.

When err-disabled, the port is effectively shut down, as in, it won't send or receive traffic and you have to manually go in to open the port again.

It's being disabled for some reason (negotiation issues are common, sometimes an issue with the modules you're using etc), if you do a "show interface X status" I believe it should tell you why the interface is in that state.



v-- Yeah, I agree, it's odd that your device on the other end of the cable is not detecting the lack of connectivity.

MF_James fucked around with this message at Jan 15, 2018 around 20:04

Thanks Ants
May 21, 2004


You should definitely lose the carrier when the port disables itself

unknown
Nov 16, 2002
Ain't got no stinking title yet!

Thanks Ants posted:

Can anybody help with interpreting the below?
...
The bit I am confused about is the 'overruns' counter on the output - our provider (who supplied the router) insist that this is what happens when the circuit utilisation is too high, but everything I can read from Cisco says that when you're incrementing this counter it's because you're running out of hardware resources on the router itself. Surely the rate limitation on the connection is applied further upstream than on the CPE device?

This is a 1921 provided on a 50Mbps circuit but I'm not reading anything that says it should struggle with basic routing (no NAT etc.) at these sorts of throughputs. The above is from the port that the ISP is handing off to us on, I don't have the output from the interface on their network side.

Microburst. If your circuit is underutilized for a bit (bit = like a couple of seconds), the sending side can flood the pipe to 100% circuit utilization for however many seconds their rate limiter bit bucket allows them to (usually a couple of seconds) before the rate limiting kicks in.

Your router can't process that micro-sized burst fast enough, so the input queue is overrun and it drops packets. You really see it when the input circuit interface is a larger size than the output one (eg: 1g circuit to 100mbps ethernet).

Solution: Increase the input queue size if you can. (hold-queue ### in)
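An added example, not from any post in this thread, that pulls the numbers out of the `show interface` counters quoted above and turns them into the figures worth putting in the ticket with the provider: what share of the input errors are overruns, whether there are any line-level errors (CRC, frame, runts, giants) alongside them, how the 1-minute rates compare with the 50 Mbps circuit, and whether the software input queue recorded any drops at all. The parser targets the IOS counter layout shown in the post; the constructed sample below is that block re-embedded so the script runs offline, and the 50 Mbps circuit rate is the one the poster gave.

```python
import re

# Constructed sample: the counter block quoted in the thread, embedded so this runs offline
SAMPLE = """\
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/75 (size/max)
  1 minute input rate 105000 bits/sec, 170 packets/sec
  1 minute output rate 3506000 bits/sec, 300 packets/sec
     133181989 packets input, 630165686 bytes, 0 no buffer
     Received 1494 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     650 input errors, 0 CRC, 0 frame, 650 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     312180333 packets output, 3345149118 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
"""

PAIR_RE = re.compile(r"^(\d+) ([A-Za-z][A-Za-z ]*)$")
QUEUE_RE = re.compile(r"Input queue: (\d+)/(\d+)/(\d+)/(\d+)")
RATE_RE = re.compile(r"(\d+) minute (input|output) rate (\d+) bits/sec, (\d+) packets/sec")
QUEUE_KEYS = ("input queue size", "input queue max", "input queue drops", "input queue flushes")


def parse_counters(text: str) -> dict:
    """Map each '<number> <counter name>' pair in IOS 'show interface' output to an int."""
    counters = {}
    direction = "input"  # 'bytes' appears on both the input and the output line; keep them apart
    for line in text.splitlines():
        m = QUEUE_RE.search(line)
        if m:
            counters.update(zip(QUEUE_KEYS, map(int, m.groups())))
        m = re.search(r"Total output drops: (\d+)", line)
        if m:
            counters["total output drops"] = int(m.group(1))
        m = RATE_RE.search(line)
        if m:
            counters[f"{m.group(2)} bits/sec"] = int(m.group(3))
            counters[f"{m.group(2)} packets/sec"] = int(m.group(4))
            continue
        for piece in line.split(","):
            pm = PAIR_RE.match(piece.strip())
            if not pm:
                continue
            name = pm.group(2).strip()
            if name in ("packets input", "packets output"):
                direction = name.split()[1]
            if name == "bytes":
                name = f"bytes {direction}"
            counters[name] = int(pm.group(1))
    return counters


def assess(counters: dict, circuit_mbps: float) -> dict:
    """Derive the figures that distinguish a policed/overrun ingress from a dirty line or a saturated circuit."""
    input_errors = counters.get("input errors", 0)
    overruns = counters.get("overrun", 0)
    line_errors = sum(counters.get(k, 0) for k in ("CRC", "frame", "runts", "giants"))
    circuit_bps = circuit_mbps * 1e6
    return {
        "overrun_share_of_input_errors": (overruns / input_errors) if input_errors else 0.0,
        "overruns_per_million_packets": round(overruns * 1e6 / counters["packets input"], 2),
        "line_errors": line_errors,
        "input_utilisation_pct": round(counters["input bits/sec"] / circuit_bps * 100, 2),
        "output_utilisation_pct": round(counters["output bits/sec"] / circuit_bps * 100, 2),
        "input_queue_drops": counters["input queue drops"],
    }


if __name__ == "__main__":
    for key, value in assess(parse_counters(SAMPLE), circuit_mbps=50).items():
        print(f"{key}: {value}")
```

For the quoted counters this reports every input error as an overrun with zero CRC/frame/runt/giant errors, a 1-minute load well below the circuit rate, and no input queue drops; whether that points at a policer on the CPE, a microburst, or the platform itself is exactly the question the thread argues over, but these are the numbers to argue it with.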

Thanks Ants
May 21, 2004


It's a managed router so I'll wait for the provider to fix it. They've managed to spend five days not sending me usage data to prove their claim that the circuit is over-utilised, I'm kind of bored now so might just make it Somebody Else's Problem

WarauInu
Jul 29, 2003


I have an SF200-24FP and was looking at logs since we had some phones that I was told either power cycled or lost their connection.

It claims a port went down and came back up, but the port doesn't seem to be one of the ones in web UI.

code:
2147481621	2018-Jan-11 11:47:17	Warning	%STP-W-PORTSTATUS: fa22: STP status Forwarding      
2147481622	2018-Jan-11 11:47:13	Informational	%LINK-I-Up:  fa22      
2147481623	2018-Jan-11 11:47:07	Warning	%LINK-W-Down:  fa22      
2147481624	2018-Jan-11 11:46:33	Warning	%STP-W-PORTSTATUS: fa2: STP status Forwarding      
2147481625	2018-Jan-11 11:46:28	Informational	%LINK-I-Up:  fa2, aggregated (1)      
2147481626	2018-Jan-11 11:46:26	Warning	%LINK-W-Down:  fa2, aggregated (1)      
2147481627	2018-Jan-11 11:46:25	Informational	%LINK-I-Up:  fa2      
2147481628	2018-Jan-11 11:46:22	Warning	%LINK-W-Down:  fa2

When I go to System Summary or Interface settings all my ports are FE or GE. Any thoughts on what I should be looking at?
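An added example, not from any post in this thread, that reads the switch log above, pairs each link Down with the following Up on the same port, and reports short outages per port using the name the web UI shows. The constructed sample is the quoted log re-embedded (tab separated, newest first, as the switch lists it); mapping `fa` to `FE` follows the reply in the thread, while mapping `gi` to `GE` and the 30-second flap threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the SF200 log quoted above: seq, timestamp, severity, message
SAMPLE_LOG = """\
2147481621\t2018-Jan-11 11:47:17\tWarning\t%STP-W-PORTSTATUS: fa22: STP status Forwarding
2147481622\t2018-Jan-11 11:47:13\tInformational\t%LINK-I-Up:  fa22
2147481623\t2018-Jan-11 11:47:07\tWarning\t%LINK-W-Down:  fa22
2147481624\t2018-Jan-11 11:46:33\tWarning\t%STP-W-PORTSTATUS: fa2: STP status Forwarding
2147481625\t2018-Jan-11 11:46:28\tInformational\t%LINK-I-Up:  fa2, aggregated (1)
2147481626\t2018-Jan-11 11:46:26\tWarning\t%LINK-W-Down:  fa2, aggregated (1)
2147481627\t2018-Jan-11 11:46:25\tInformational\t%LINK-I-Up:  fa2
2147481628\t2018-Jan-11 11:46:22\tWarning\t%LINK-W-Down:  fa2
"""

# Port token right after the Up/Down mnemonic; "fa2, aggregated (1)" still yields "fa2"
LINK_RE = re.compile(r"%LINK-[IW]-(Up|Down):\s+([A-Za-z]+\d+(?:/\d+)*)")
# Assumption: the log's lower-case prefix maps to the UI's FE/GE labels
UI_PREFIX = {"fa": "FE", "gi": "GE"}


def parse_link_events(text: str):
    """Return (timestamp, port, 'up'|'down') tuples in chronological order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _seq, stamp, _severity, message = line.split("\t", 3)
        m = LINK_RE.search(message)
        if not m:
            continue  # STP and other messages are not link transitions
        when = datetime.strptime(stamp, "%Y-%b-%d %H:%M:%S")
        events.append((when, m.group(2), m.group(1).lower()))
    events.sort()  # the switch lists newest first; flap pairing needs oldest first
    return events


def ui_name(port: str) -> str:
    """Translate a log port name such as fa22 into the FE22 shown in the web UI."""
    m = re.fullmatch(r"([A-Za-z]+)(\d+(?:/\d+)*)", port)
    if not m:
        return port
    prefix = UI_PREFIX.get(m.group(1).lower(), m.group(1).upper())
    return prefix + m.group(2)


def find_flaps(events, max_down_seconds: int = 30) -> dict:
    """Pair each Down with the next Up on the same port; return {UI port: [(down time, seconds down)]}."""
    pending = {}
    flaps = {}
    for when, port, state in events:
        if state == "down":
            pending[port] = when
        elif state == "up" and port in pending:
            down_at = pending.pop(port)
            seconds = int((when - down_at).total_seconds())
            if seconds <= max_down_seconds:
                flaps.setdefault(ui_name(port), []).append((down_at.strftime("%H:%M:%S"), seconds))
    return flaps


if __name__ == "__main__":
    for port, outages in find_flaps(parse_link_events(SAMPLE_LOG)).items():
        print(port, outages)
```

A port that bounces twice within a few seconds and then comes up "aggregated", as FE2 does here, reads differently from a single six-second outage on FE22, so the pairing is worth doing before deciding whether the phones lost power or the link itself dropped.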

Thanks Ants
May 21, 2004


Fe is fa.

WarauInu
Jul 29, 2003


well I guess that would explain that then! Thanks.

Dalrain
Nov 13, 2008

Experience joy,
Experience waffle,
Today.


In terms of programmatic configuration in enterprise networks, are there a set of products or software commonly in the market yet? I've been looking at some job reqs, and they call out Python scripting experience and sometimes SDN.

As someone who hates to let their skills atrophy, I'm curious what the current best practice config management looks like. (For me, this usually means Cisco devices.)

I'm quite familiar with NSX, but not what is commonly meant by SDN for some of these job reqs. (LinkedIn is an example company asking for these skills) Is it likely homegrown? I didn't think ACI had much market penetration yet.

tortilla_chip
Jun 13, 2007


SDN is kind of a catchall. There is the configuration management/automation aspect (Ansible, Puppet, Chef, Salt, etc). There is network function virtualization (NFV) which is basically running traditional network appliances as VMs/containers. There's also the *flow movement which is basically defining your own forwarding plane based on other data beyond the traditional 5-tuple.

For your example of Linkedin, they're moving towards a whitebox switching/routing model using Salt for management.


abigserve
Sep 13, 2009



SDN as a product is struggling to gain traction but programming skills are becoming more valuable in the network space.
