I'm trying to throttle bandwidth on a switch port in order to somewhat simulate bandwidth-restricted clients (i.e., users on a DSL line). I'm not exactly sure what settings I should use for the policed rate and burst. Would a DSL line even have a "burst" ability? And how would that relate to the policed rate?
Jan 7, 2011 01:08
jwh posted: Cable management sucks though, as in, there isn't any.
This system is about the least awful I've used (on a 6506). http://www.youtube.com/watch?v=W3HvmvRALHk&feature=related The picture they flash up as an example of a spaghetti bowl looks disturbingly like a switch wiring job I unfucked recently.
Jan 7, 2011 02:19
inignot posted: This system is about the least awful I've used (on a 6506).
That looks pretty good. I think my biggest complaint with the 4500 and 6500/7600 series is the fact that the blades are horizontal with a fan card on the left. I always seem to end up in environments where somebody has pulled cables to the left across the fan card, and I've had more fan cards go bad in 4500s than in any other platform I've worked with. We have a lot of fixed configuration 1u 48 port switches in our user plant, and I've recently asked for a lot of neatpatch systems to clean it up. I don't know if we'll get them, but I think they're clean looking, for horizontal fixed configuration deployments. 96 ports of patch / termination in 10u with good management would be nice.
Jan 7, 2011 05:00
jwh posted: I've recently asked for a lot of neatpatch systems to clean it up.
I'm using neatpatch for 4 racks in my colo, and it's definitely better than Panduit for intra-rack cable management between switches and patch panels, but I think either I did something wrong or their system isn't quite perfect when it comes to connecting patch panels to servers. My racks would have ended up a lot cleaner if I had gone with vertical patching and vertical power. But then again it was hard enough getting the money for inter-rack patch panels.
Jan 7, 2011 08:16
Ninja Rope posted: I'm trying to throttle bandwidth on a switch port in order to somewhat simulate bandwidth restricted clients (ie, users on a DSL line). I'm not exactly sure what settings I should use for the policed rate and burst. Would a DSL line even have a "burst" ability? And how would that relate to the policed rate?
What switch? Try these 2 for a start:
http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_25_see/configuration/guide/swqos.html#wp1253412
http://www.cisco.com/en/US/tech/tk543/tk545/technologies_tech_note09186a00800a3a25.shtml
Jan 7, 2011 10:36
jwh posted: That looks pretty good. I think my biggest complaint with the 4500 and 6500/7600 series is the fact that the blades are horizontal with a fan card on the left. I always seem to end up in environments where somebody has pulled cables to the left across the fan card, and I've had more fan cards go bad in 4500s than in any other platform I've worked with.
Switch exclusively to 6509, NEBS variant (vertical LCs, front to back airflow). Or you could do cable harnesses out of the 6509 to patch panels if you're currently doing interconnect patching rather than full cross-connect patching, but it'll take up more rack space you might not have.
Jan 7, 2011 13:38
Well, yeah I'd love to have the 6509-V-E's instead of what I have. I'm not even sure how much those chassis cost compared to a regular 6509-E chassis. Something tells me they're probably expensive. The hard part of this particular redesign was trying to cram ~740 ports of voice and data, including patch panels, switches, and cable management, UPS, and an Avaya G450 into two and a half Chatsworth two-post racks. The problem is this particular space we're working with is only about seventy square feet.
Jan 7, 2011 16:53
Another stupid question. Same 1900 router, trying to configure an ACL to allow SSH traffic from a particular internet host to several internal addresses (which get PATed to 2222-2225). I have NAT going on the router. All the ACL combinations (applying the access-group to dialer0 in or out) I've tried have prevented local hosts from reaching the internet. Here's the basic config I have: code:
Richard Noggin fucked around with this message at 19:37 on Jan 7, 2011
Jan 7, 2011 17:08
I preface this with I am not very good at ACLs, but here is my shot on what it sounds like you are trying to do:
ip access-list <extended id> permit TCP <External Address> eq 23 <Internal Address>
ip access-list <extended id> permit any any
Did you forget to add the permit any any? Happens to us all. This would cause disconnection of all other people if you are applying it to that particular port.
EDIT: Access-group should be going inward from your external port, I think.
EDIT2: I guess if you don't want to permit any any, you could permit any any established.
Bardlebee fucked around with this message at 17:19 on Jan 7, 2011
Jan 7, 2011 17:15
jwh posted: Well, yeah I'd love to have the 6509-V-E's instead of what I have. I'm not even sure how much those chassis cost compared to a regular 6509-E chassis. Something tells me they're probably expensive.
According to my pricelist, with no discount:
6509-E == $9500
6509-V-E == $9995
So not that much more. They're a fair bit bigger than the regular 6509 though. 21RU vs. 15RU.
Jan 7, 2011 17:45
Hey, I wanted to ask what is going on here with my FTP server, logically. Right now my FTP server's IP is something internal like 192.168.2.240. When I put the following command in to make it accessible to the internet, external users who are connecting via my VPN IPSec setup can no longer connect to it.
ip nat inside source static <internal address> <external IP address> int faste0
What is the logic behind this? I am sure if I change their FTP program to reach <external address> then it would work just fine. I am just wondering what the heck the packets are doing. Of course, this isn't going to stay FTP and I am moving them onto SFTP once I can find a good SFTP program to use for my server... My guess is that it's because 192.168.2.240 is currently being NAT'd on my access-list and that maybe I need to deny it from being NAT'd on my overload line. Though I have posted it quite a few times in this thread, here is a short show run:
EDIT: Can I debug certain static NAT connections? code:
Jan 7, 2011 18:01
Bardlebee posted: I preface this with I am not very good at ACLs, but here is my shot on what it sounds like you are trying to do:
That's what I have tried, along with permit tcp any any established, but it still cut off access for internal systems to the internet. On an ASA, the following would do exactly what I want: code:
Jan 7, 2011 18:01
Richard Noggin posted:
Hmmm... perhaps it is because you are attempting to do a permit any any on the outside interface coming in. Then when the packets go out of the inside interface it gets denied by NAT? I am as lost as you.
EDIT: Ah, where did you place the permit any any? Inside or out? It is possible that people's packets are being denied coming back from where they were headed.
Jan 7, 2011 18:09
Bardlebee posted: ip access-list <extended id> permit TCP <External Address> eq 23 <Internal Address>
Ummm just FYI... "permit any any" nullifies the need for the previous line, because you're allowing any traffic from anywhere to anywhere over any protocol.
Jan 7, 2011 18:20
Richard Noggin posted: Another stupid question. Same 1900 router, trying to configure an ACL to allow SSH traffic from a particular internet host to several internal addresses (which get PATed to 2222-2225). I have NAT going on the router. All the ACL combinations (applying the access-group to dialer0 in or out) I've tried have prevented local hosts from reaching the internet. Here's the basic config I have:
By default you don't need an ACL at all to make a PAT work. It functions on its own by virtue of the implicit "allow any" for traffic coming in to an interface. I think you're running into some other issue. Also, you forgot to include any other ACLs that are in your config. As pasted above, your inside hosts wouldn't be able to surf the web, because there's no ACL 20.
Jan 7, 2011 18:27
CrazyLittle posted: Ummm just FYI...
I got excited because I just got done watching the access-list videos for CCNA. Heh, completely missed that.
Jan 7, 2011 18:31
CrazyLittle posted: By default you don't need an ACL at all to make a PAT work. It functions on its own by virtue of the implicit "allow any" for traffic coming in to an interface. I think you're running into some other issue.
I can SSH into any of the devices specified in the nat statements currently. I need to restrict that to just a selected set of hosts on the internet. Here's ACL 20: code:
Jan 7, 2011 19:35
Richard Noggin posted: I can SSH into any of the devices specified in the nat statements currently. I need to restrict that to just a selected set of hosts on the internet.
Gotcha. So really what you need is a "permit from hosts to these ports" followed by a "deny any to these ports". Perhaps this: code:
1) You have to write the ACL knowing what your outside IP is.
2) If the IP changes, the ACL will need to be changed too.
You could also try a variation on it that I'm too lazy to check if it would work. It's the same idea, but it's working under the assumption that you're not going to try to implement this ACL anywhere else, so only inbound traffic to your dialer will be selected. code:
Jan 7, 2011 20:07
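The ACL logic discussed in the last few posts, as an added example that is not from the thread or from any poster: a tiny first-match evaluator for Cisco-style extended ACL entries, used to show why an inbound ACL on dialer0 that lists only the SSH permit also drops the replies to every session the LAN started, how the "permit from hosts / deny any to these ports / established" ordering fixes it, and why a trailing "permit ip any any" makes the earlier narrow line redundant. The outside address 203.0.113.10, the trusted host 198.51.100.7 and the sample packets are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional
OUTSIDE = "203.0.113.10"       # assumed dialer0 address (documentation range)
TRUSTED = "198.51.100.7"       # assumed Internet host allowed to reach SSH
SSH_PORTS = range(2222, 2226)  # the PAT'd SSH ports from the thread (2222-2225)

@dataclass
class Pkt:
    proto: str
    src: str
    dst: str
    dport: int
    established: bool = False  # TCP segment with ACK or RST set

@dataclass
class Ace:
    action: str                 # "permit" or "deny"; other defaults mean "any"
    proto: str = "ip"
    src: str = "any"
    dst: str = "any"
    dports: Optional[range] = None
    established: bool = False   # the "established" keyword

    def matches(self, p: Pkt) -> bool:
        def in_net(addr: str, spec: str) -> bool:
            return spec == "any" or ip_address(addr) in ip_network(spec)
        return (self.proto in ("ip", p.proto)
                and in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and (self.dports is None or p.dport in self.dports)
                and (not self.established or p.established))

def evaluate(acl: List[Ace], p: Pkt) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"

# Inbound on dialer0 with only the SSH line: replies to LAN-initiated sessions die too.
ACL_FIRST_TRY = [Ace("permit", "tcp", TRUSTED, OUTSIDE, SSH_PORTS)]
# Trusted host to SSH ports, deny everyone else to those ports, then let replies back in.
ACL_FIXED = [
    Ace("permit", "tcp", TRUSTED, OUTSIDE, SSH_PORTS),
    Ace("deny", "tcp", "any", OUTSIDE, SSH_PORTS),
    Ace("permit", "tcp", "any", "any", established=True),
    Ace("permit", "udp", "any", OUTSIDE, range(1024, 65536)),  # DNS replies etc.
]
# A trailing "permit ip any any" makes the first, narrower line redundant.
ACL_PERMIT_ALL = [Ace("permit", "tcp", TRUSTED, OUTSIDE, SSH_PORTS), Ace("permit")]

WEB_REPLY = Pkt("tcp", "192.0.2.80", OUTSIDE, 51000, established=True)  # constructed
TRUSTED_SSH = Pkt("tcp", TRUSTED, OUTSIDE, 2222)
STRANGER_SSH = Pkt("tcp", "198.51.100.200", OUTSIDE, 2223)
```

The "established" match only checks TCP flags, so it is a weaker filter than the stateful inspection an ASA applies; it is used here because that is what the thread's suggestions rely on.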
Here is a CCNP level question: What does the following output tell you, what was the command entered to produce this output? code:
Jan 7, 2011 21:44
Powercrazy posted: Here is a CCNP level question: What does the following output tell you, what was the command entered to produce this output?
Tells me you work on Wall Street (not srs)
sh ip bgp sum
*edit* for some reason I thought you were US-East coast/NYC or something.
CrazyLittle fucked around with this message at 21:57 on Jan 7, 2011
Jan 7, 2011 21:51
Well that is where I'm at, that is our internet edge, and that is of course the command that was run. Now for some harder questions that the BSCI loves to ask. code:
Is this an iBGP or eBGP neighbor? How can you tell? What if the router ID of the remote router was the same as the local router? What if it was on the same subnet as the local router?
Jan 7, 2011 22:19
jgbaker posted: what switch?
Thanks for the links, I'll give them a read. It's a 4948 running 12.2, and I believe I've gotten pretty close to what I want with the smallest allowed burst size when policing. Since I'm simulating lots of small connections and from limited clients I think the smallest burst size is what I want. Obviously it doesn't get me near the max configured rate, but it's at least somewhat consistent.
Jan 7, 2011 23:24
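The rate/burst question from the start of the thread and the "doesn't get me near the max configured rate" observation above, as an added simulation that is not from the thread or from Cisco: a single-rate token-bucket policer of the kind a Catalyst port policer implements, run against a bursty client whose average load is below the policed rate, showing that a one-packet burst lets only the first frame of each burst through while a larger burst passes the whole burst. The 1.5 Mbit/s rate, the 10-packet-per-100-ms traffic pattern and the 12 µs gigabit wire time are assumptions.

```python
from typing import List, Tuple

def police(packets: List[Tuple[float, int]], rate_bps: int, burst_bytes: int) -> Tuple[int, int]:
    """Single-rate token-bucket policer: a packet conforms if the bucket holds at
    least its size in bytes, otherwise it is dropped (the 'exceed' action).
    Tokens refill at rate_bps and the bucket is capped at burst_bytes.
    packets: (arrival_time_seconds, size_bytes), sorted by time.
    Returns (conforming_bytes, dropped_packets)."""
    tokens = float(burst_bytes)          # bucket starts full
    last = packets[0][0] if packets else 0.0
    conformed = dropped = 0
    for t, size in packets:
        tokens = min(burst_bytes, tokens + (t - last) * rate_bps / 8)
        last = t
        if size <= tokens:
            tokens -= size
            conformed += size
        else:
            dropped += 1
    return conformed, dropped

def bursty_client(seconds: float, pkts_per_burst: int = 10, gap_s: float = 0.1,
                  size: int = 1500, wire_s: float = 12e-6) -> List[Tuple[float, int]]:
    """Constructed traffic: every gap_s a burst of full-size frames arrives
    back to back at gigabit wire speed (about 12 us per 1500-byte frame)."""
    pkts = []
    for b in range(round(seconds / gap_s)):
        pkts.extend((b * gap_s + i * wire_s, size) for i in range(pkts_per_burst))
    return pkts

def achieved_bps(rate_bps: int, burst_bytes: int, seconds: float = 10.0) -> float:
    """Throughput the bursty client actually gets through the policer."""
    conformed, _ = police(bursty_client(seconds), rate_bps, burst_bytes)
    return conformed * 8 / seconds

def cisco_rule_of_thumb_burst(rate_bps: int) -> int:
    """Commonly cited Cisco starting point: normal burst = rate * 1.5 s / 8."""
    return int(rate_bps * 1.5 / 8)

RATE = 1_500_000  # policed rate: 1.5 Mbit/s, a DSL-like figure (assumed)
# The client offers 1.2 Mbit/s, under the policed rate, yet with a 1500-byte
# burst only the first frame of each burst conforms (120 kbit/s gets through);
# with a 15000-byte burst every frame conforms.
```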
Powercrazy posted: Well that is where I'm at, that is our internet edge, and that is of course the command that was run. Now for some harder questions that the BSCI loves to ask.
First line says 'external link', eBGP.
PS Tell Brandon (or whoever your current ARIN Tech/Admin POC is) to validate their contact info with ARIN.
Powercrazy posted: lol I think that I'm actually supposed to do that. Brandon was our old CIO.
ragzilla fucked around with this message at 23:54 on Jan 7, 2011
Jan 7, 2011 23:42
lol I think that I'm actually supposed to do that. Brandon was our old CIO.
Jan 7, 2011 23:46
Powercrazy posted: Is this an iBGP or eBGP neighbor? How can you tell?
eBGP because of the public butt#, whereas for iBGP you should be using private butts in the 65k-something range. Not quite up to snuff on the router ID stuff. Local subnet should be less important (sic) because you can do eBGP over a peering link to some other router also exchanging BGP (and transit) with you. If they had the same router ID... bad news? *shrug* I should really get off my rear end and go test CCNA so I can start working on a CCNP. Also, how'd you get a gig doing BGP for Forex? Is it worthwhile trying to get into net-engineering for financial dbags?
Jan 8, 2011 03:45
Out of curiosity: I just tried enabling NBAR on my 871 to play around with QoS, and it dropped my throughput from 40 mbits down to about 30-ish. What level router supports that kind of sustained bandwidth?
Jan 8, 2011 03:56
CrazyLittle posted: eBGP because of the public butt#, whereas for iBGP you should be using private butts in the 65k-something range.
iBGP/eBGP has nothing to do with if you're using private or public ASNs. eBGP/iBGP depends on if the 2 routers are configured to use the same BGP AS. code:
Jan 8, 2011 04:05
ragzilla posted: iBGP/eBGP has nothing to do with if you're using private or public ASNs. eBGP/iBGP depends on if the 2 routers are configured to use the same BGP AS.
oh poopy. Yep. I should start up on my book learnin' again. This voip poo poo is giving me gray hair.
Jimmy Carter posted: Out of curiosity:
40 mbits WITH nbar? 88x or 89x. http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf
Jan 8, 2011 04:59
As ragzilla said, since that neighbor is in a different BGP AS it is an eBGP neighbor. The other way to tell is the external link. If it were an internal link then it would be an iBGP neighbor. The public/private AS distinction is unimportant and the BGP process doesn't treat either one any differently.
The router ID isn't an IP address. It may use an IP address for convenience and also to help ensure that it is unique, but it is just a number. Two routers cannot form a neighborship if they have the same router ID. However, a scenario like this:
[Router A]----[Router B]-----[Router C]
where Router A and C have the same router ID that is different from B is an acceptable scenario. And of course Router A and C would have to be in separate ASes.
Jan 8, 2011 13:29
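The two rules just stated (peer type follows the AS comparison, not public/private ASNs; router IDs must differ between direct neighbors but not between non-adjacent routers), as an added example that is not from the thread: a parser for the `show ip bgp summary` layout that classifies each neighbor as iBGP or eBGP against the local AS, plus a check of the A-B-C router-ID scenario. The thread's real output was not preserved, so the summary text below is constructed with documentation-range addresses and reserved ASNs.

```python
import re
from typing import Dict, List, Tuple

# Constructed "show ip bgp summary" output in the usual IOS layout; every
# address, ASN and counter here is a placeholder, not data from the thread.
SHOW_IP_BGP_SUMMARY = """\
BGP router identifier 192.0.2.1, local AS number 64500
BGP table version is 1200, main routing table version 1200
351201 network entries using 45 MB of memory

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
203.0.113.2     4 64496  101238  100901     1200    0    0 3w2d         351201
192.0.2.2       4 64500  100112  100230     1200    0    0 3w2d           1000
192.0.2.9       4 64500       0       0        1    0    0 never        Active
"""

HEADER_RE = re.compile(r"BGP router identifier (\S+), local AS number (\d+)")
NEIGHBOR_RE = re.compile(r"^(\d+(?:\.\d+){3})\s+(\d)\s+(\d+)\s.*\s(\S+)$")

def peer_type(local_as: int, neighbor_as: int) -> str:
    """Same AS on both ends -> iBGP; any other AS -> eBGP. Whether the
    ASN is public or private plays no part in this."""
    return "iBGP" if neighbor_as == local_as else "eBGP"

def parse_summary(text: str) -> Tuple[str, int, List[dict]]:
    """Return (router_id, local_as, neighbors) from 'show ip bgp summary' text."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no BGP router identifier line found")
    router_id, local_as = m.group(1), int(m.group(2))
    neighbors = []
    for line in text.splitlines():
        n = NEIGHBOR_RE.match(line)
        if n:
            asn = int(n.group(3))
            neighbors.append({"ip": n.group(1), "as": asn,
                              "type": peer_type(local_as, asn),
                              "state": n.group(4)})  # prefix count or state word
    return router_id, local_as, neighbors

def router_ids_ok(router_ids: Dict[str, str], sessions: List[Tuple[str, str]]) -> bool:
    """A session cannot form between two routers sharing a router ID, but
    non-adjacent routers (A and C, each peering only with B) may share one."""
    return all(router_ids[a] != router_ids[b] for a, b in sessions)
```

A neighbor whose last column is a word such as "Active" or "Idle" has no established session yet, so the type column is only what the configuration intends, not what is up.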
Can you guys recommend me a cheap router that has the Cisco IOS on it that I can use for my home router? I would like to setup NAT at home and practice there as well. I know there are sims, but I would like to set it up at home too. It would be even more awesome if this router was not loud.
Jan 10, 2011 18:45
Bardlebee posted: Can you guys recommend me a cheap router that has the Cisco IOS on it that I can use for my home router? I would like to setup NAT at home and practice there as well. I know there are sims, but I would like to set it up at home too.
Cisco 861/871/88x, or find a cheap 1841/1811 on eBay. Example eBay listings:
871, $219 buy-it-now: http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=120670257213
1811, $289 buy-it-now: http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=110632828407
CrazyLittle fucked around with this message at 19:53 on Jan 10, 2011
Jan 10, 2011 19:48
When setting up NAT overload for a home setting, I suppose the IP they give you will change once a month. Should I be concerned about that? Will I have to reconfigure my router for this every time my ISP changes its mind on my IP? Thanks for the recommendation!
Jan 10, 2011 19:57
Bardlebee posted: When setting up NAT overload for a home setting, I suppose the IP they give you will change once a month. Should I be concerned about that? Will I have to reconfigure my router for this every time my ISP changes its mind on my IP?
Configure the WAN interface to use DHCP and you'll be fine.
Jan 10, 2011 20:12
Harry Totterbottom posted: Configure the WAN interface to use DHCP and you'll be fine.
I didn't know you could do this. Learn something new in this forum every day it seems. Thanks
Jan 10, 2011 20:53
I need a device suggestion if you don't mind. We want to standardize on a single platform for all our offices. Each office is going to have 2 internet connections that will both be ethernet handoff, so no need to support T1s or anything. Each office will need to VPN back to a central 'datacenter' and the VPN needs to fail over if one of the connections goes down. I would love it if it could actually load balance over both connections. Am I looking at an ASA or an IOS device here?
Jan 12, 2011 04:38
I've always leaned towards routers with the appropriate feature set as a more flexible option than PIX/ASA. Something like the fixed config 1811's are nice for such things since they come with Advanced IP services at minimum which may give you all of the features you need. There's probably several ways you could handle your VPN failover requirement. We have a customer with similar requirements and routers with VTI tunnels and OSPF works extremely well. I'm pretty sure neither of these are supported on ASA.
Jan 12, 2011 04:58
falz posted: I've always leaned towards routers with the appropriate feature set as a more flexible option than PIX/ASA. Something like the fixed config 1811's are nice for such things since they come with Advanced IP services at minimum which may give you all of the features you need.
OSPF? Yes. VTIs? No.
Jan 12, 2011 05:22
Syano posted: I need a device suggestion if you dont mind. We want to standardize on a single platform for all our offices. Each office is going to have 2 internet connections that will both be ethernet handoff, so no need to support T1s or anything. Each office will need to VPN back to a central 'datacenter' and the vpn needs to failover if one of the connections goes down. I would love it if it could actually load balance over both connections. Am I looking at an ASA or an IOS device here?
how fast are these connections?
Jan 12, 2011 05:30
CrazyLittle posted: how fast are these connections?
Generally speaking 5mb/s up and down, give or take a meg. Let me ask this while we are at it. Is it possible to have multiple VPNs open to the same subnet? In other words you have 2 sites, siteA and siteB. SiteA has two internet connections. SiteB has two internet connections. Is it possible to open VPNs across both connections from siteA to both connections at siteB?
Syano fucked around with this message at 14:10 on Jan 12, 2011
Jan 12, 2011 14:07
Tremblay posted: OSPF? Yes. VTIs? No.
Jan 12, 2011 15:08