Wez Posted June 21, 2006
Out of hours sucks, he he he. I am sat in an empty office working on a bunch of SunFire servers.
carl0s (Author) Posted June 21, 2006
What was frustrating was that the bits/sec in the interface counters didn't make sense at all. Whilst downloading at 230 KB/sec (over 2,000,000 bits/sec), the counter showed about half that.
JustGav Posted June 21, 2006
I am assuming you are using a crossover cable between the router and the ISA box... and not running into a switch or something?
carl0s (Author) Posted June 21, 2006
> Also, I would suggest using a third interface, either physical or virtual, and running the workstations and servers on separate VLANs/subnets.

What's the reasoning here? Packet filtering? Come to think of it, it would be nice to be able to firewall the workstations just in case. When I saw the flood of DCERPC stuff from the IT manager's box to the ISA Server, I wondered if it was some weird worm..
carl0s (Author) Posted June 21, 2006
> I am assuming you are using a crossover cable between the router and the ISA box... and not running into a switch or something?

I'd hope so, but it was just a mess (about 7 servers in the room) and I haven't checked. IT Manager nr 2 set that machine up and I haven't heard from them in some time since he started there (I turned down the job.. wanting to keep my freedom.. and poorness..). I'll be sure to check tomorrow. Good point though.
JustGav Posted June 21, 2006
The reason I always separate workstation and server networks is so that if f&^kwit user on the network does something weird to his PC he doesn't flood the servers (from a network traffic point of view)... Also makes debugging things a little easier...
Wez Posted June 21, 2006
> What was frustrating was that the bits/sec in the interface counters didn't make sense at all. Whilst downloading at 230 KB/sec (over 2,000,000 bits/sec), the counter showed about half that.

Do you mean these counters:

    Queueing strategy: fifo
    Output queue 0/40, 0 drops; input queue 0/75, 0 drops
    5 minute input rate 241000 bits/sec, 207 packets/sec
    5 minute output rate 227000 bits/sec, 196 packets/sec

Which are a 5 min average, so will show a lower rate. This is a show int from a 3640 I have here.
Wez Posted June 21, 2006
> Also makes debugging things a little easier...

Agreed, plus from a security aspect you can filter the traffic so that they can only access the applications they are supposed to be using.
JustGav Posted June 21, 2006
Also, just had another look at the network... How does the ISA box connect to the internet... are we talking another router? An ADSL modem on the box? A cable line? Just could add another bit of interesting topology.
carl0s (Author) Posted June 21, 2006
> Do you mean these counters: [...] Which are a 5 min average, so will show a lower rate. This is a show int from a 3640 I have here.

Yeah, but I'd been downloading a 3 GB Fedora DVD for over 5 minutes. I was mainly looking at show summary (or was it 'show int sum'). Can't remember if they were 5 min averages or not.
carl0s (Author) Posted June 21, 2006
> Also, just had another look at the network... How does the ISA box connect to the internet... are we talking another router? An ADSL modem on the box? A cable line? Just could add another bit of interesting topology.

Ethernet to a 1721 router which backs onto a leased line. I know it's more topology, but since the problem also shows on non-internet-related usage of the 3640 I left that bit out.. it is in effect 'part of the internet' since the public IP comes straight to the ISA box from it.
JustGav Posted June 21, 2006
Hmmm, perhaps if you have to redo the network... *grin* I'm seeing internet -> 1721 -> cable -> ISA -> cable -> 3640. Hmmm, give me 5 mins, I'll put a mini diagram together and then open it up for comments...
JustGav Posted June 21, 2006
Here we go...
JustGav Posted June 21, 2006
Physical wiring wise, I would run ALL the links into the switch and have 5 VLANs on the switch:

1. Public (unsecure)
2. VPN
3. Servers
4. Workstations
5. Sister company

And then the ISA server has a link into each of those... or, and I need some guidance on whether ISA would support it... get two gigabit cards and use VLANing on the server side as well via VLAN trunking..
imi Posted June 21, 2006
Sry I haven't read the entire thread.... so perhaps this has already been mentioned. Set up VLANs on the switch, and a trunk port, and hook that to the FA interface on the router (just the one) and do routing on a stick. Mind you, it will impact performance; however, since you only have a 2 Mb link to the internet it shouldn't be a problem.
JustGav Posted June 21, 2006
And something I've completely forgotten about... make sure they know the risk of running the entire core through the ISA box... if it crashes you WON'T have any network at all.... So you might want to get another one and cluster it...
JustGav Posted June 21, 2006
> Set up VLANs on the switch, and a trunk port, and hook that to the FA interface on the router (just the one) and do routing on a stick.

Hmmm, not sure I would route 6 subnets' worth of traffic up and down a single interface... not at 100 Mbit.... purely for performance reasons.... However, with VLANing active it would still be nice and tidy on the switch side... so it is a quick, easy option, so worth a go.
carl0s (Author) Posted June 21, 2006
Hmm, that was quick. Your pictures are so much sexier than mine. I see what you're suggesting. I need to google VLAN trunking. Is it bonding two connections to the same VLAN? My only reservation before on the suggestion of the ISA box doing it all was that it's publicly connected to the 'net, and obviously would become the most vital part of the entire organisation. Is ISA 2004 safe enough?
carl0s (Author) Posted June 21, 2006
Oh, hang on. VLAN trunking.. I guess that means all the VLANs come down the one (or two) links and are dealt with at the host side?
JustGav Posted June 21, 2006
Personally I don't like ISA since it is based on a Microsoft operating system underneath.... I would rather use Checkpoint (but it is DAMN expensive) or my personal choice... PIX.... and one of those would do the job nicely.. and you can cluster them...
carl0s (Author) Posted June 21, 2006
OK guys, I've taken a lot from this and really appreciate the time you've taken with me. Priority for tomorrow has to be setting up VLANs where the different subnets are going through the switches, and using the spare interface in the ISA box for the sister company (there's a designated DMZ interface which isn't being used on the ISA box, so hopefully I can do that without having to reboot).
imi Posted June 21, 2006
What switch are you running... if it is a layer 3 switch, get that to do the inter-VLAN routing.. the performance wouldn't be an issue.
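A concrete version of the VLAN layout JustGav and imi describe above, added here as an illustration; it is not configuration anyone posted in the thread. It assumes Cisco IOS on both the switch and the 3640, JustGav's five VLANs numbered 10 to 50, made-up 10.0.x.0/24 subnets, an ISA inside interface at 10.0.30.2, and placeholder port ranges and permitted services that would have to be replaced with the real ones. The trunk to the 3640 carries only the internal VLANs, so the public and VPN segments stay on the ISA box's own interfaces; the 3640 routes between the rest on 802.1Q subinterfaces (routing on a stick), and an access list inbound on the workstation subinterface is the "firewall the workstations" filter carl0s asked about. The last section shows the same routing moved onto switch SVIs for the case where the switch turns out to be layer 3.

```cisco
! ===== Catalyst switch (assumed IOS-based; VLAN numbers and ports are placeholders) =====
vlan 10
 name Public
vlan 20
 name VPN
vlan 30
 name Servers
vlan 40
 name Workstations
vlan 50
 name SisterCo
vlan 999
 name Unused-native
!
! Access ports: servers on VLAN 30, workstations on VLAN 40 (ranges assumed)
interface range FastEthernet0/1 - 12
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
!
interface range FastEthernet0/13 - 23
 switchport mode access
 switchport access vlan 40
 spanning-tree portfast
!
! 802.1Q trunk to the 3640: only the internal VLANs are tagged onto it,
! the native VLAN is one nothing uses, and DTP is switched off so the
! port cannot be talked into trunking by whatever gets plugged into it.
interface FastEthernet0/24
 description Trunk to 3640 Fa0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 30,40,50
!
! ===== 3640, routing on a stick (subnets and the ISA address are assumed) =====
interface FastEthernet0/0
 description Trunk from switch
 no ip address
 load-interval 30
 no shutdown
!
interface FastEthernet0/0.30
 description Servers (ISA inside interface assumed at 10.0.30.2)
 encapsulation dot1Q 30
 ip address 10.0.30.1 255.255.255.0
!
interface FastEthernet0/0.40
 description Workstations
 encapsulation dot1Q 40
 ip address 10.0.40.1 255.255.255.0
 ip access-group WKS-IN in
!
interface FastEthernet0/0.50
 description Sister company
 encapsulation dot1Q 50
 ip address 10.0.50.1 255.255.255.0
 ip access-group SISTER-IN in
!
ip route 0.0.0.0 0.0.0.0 10.0.30.2
!
! Workstations reach only the services they need on the server VLAN
! (file/print, DNS, and the ISA web proxy; 8080 is ISA 2004's default).
! Anything else aimed at the servers is dropped and logged, which is also
! how a flood like the DCERPC one mentioned earlier would show up.
ip access-list extended WKS-IN
 permit tcp 10.0.40.0 0.0.0.255 10.0.30.0 0.0.0.255 eq 445
 permit udp 10.0.40.0 0.0.0.255 10.0.30.0 0.0.0.255 eq 53
 permit tcp 10.0.40.0 0.0.0.255 host 10.0.30.2 eq 8080
 permit icmp 10.0.40.0 0.0.0.255 10.0.30.0 0.0.0.255 echo
 deny   ip any 10.0.30.0 0.0.0.255 log
 deny   ip any 10.0.50.0 0.0.0.255 log
 permit ip 10.0.40.0 0.0.0.255 any
!
! Sister company gets the default route out through the ISA and nothing else
ip access-list extended SISTER-IN
 deny   ip any 10.0.30.0 0.0.0.255 log
 deny   ip any 10.0.40.0 0.0.0.255 log
 permit ip 10.0.50.0 0.0.0.255 any
!
! ===== Alternative: a layer 3 switch routes between the VLANs itself =====
! Replace the three subinterfaces above with SVIs on the switch and drop the
! trunk to the 3640; the same access lists are applied on the SVIs.
ip routing
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
interface Vlan40
 ip address 10.0.40.1 255.255.255.0
 ip access-group WKS-IN in
interface Vlan50
 ip address 10.0.50.1 255.255.255.0
 ip access-group SISTER-IN in
```

Two points from the discussion that this touches on. With routing on a stick every packet between VLANs crosses the 100 Mbit trunk twice (in on one tag, out on another), which is the performance cost JustGav raises and the reason the SVI variant is preferred when the switch can do it. On the counters: Cisco documents the "5 minute input/output rate" in show interfaces as an exponentially weighted average with a 5-minute time constant, which takes roughly four time constants to settle to within a couple of percent of a steady rate, so a download running for "over 5 minutes" reading at about half of the true rate is what that average does; `load-interval 30` above shortens the window to 30 seconds so the figure tracks a burst much sooner. Trunking to the host, as in carl0s's last question, means the same 802.1Q tags arrive on the server's NIC and the NIC driver presents one virtual adapter per VLAN; whether ISA 2004 will bind cleanly to those adapters depends on the driver, which the thread does not settle.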
JustGav Posted June 21, 2006
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/ps2118/index.html
That is what you want....
imi Posted June 21, 2006
> http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/ps2118/index.html
> That is what you want....

Naah - ASA, not PIX anymore...
JustGav Posted June 21, 2006
Hahaha, oooh bollocks... sorry, I've been so busy trying to keep up with WAFS now being called WAAS, and that silly product called AIR-AP1242, that I didn't even realise the PIX was end of life now.....