
Rearranging The Intranet of Things Part II

I’m sure there will be a lot more posts like this to come. I had formerly moved the edge router to the ‘closet’ (aka the garage, right next to the cable modem and 3560-24PS sitting there) and added another router there to have a routed gig port into my ‘office’ (aka my bedroom with a couple desks).

Today I replaced both routers with a single 7206VXR with an NPE-G1. I had it all configured and everything should’ve worked off the bat, but it didn’t — not exactly, anyway. The routing was perfect, the NAT was great. But I only have a VAM card which doesn’t work with 15.x (only VAM2 cards work with new code), and I didn’t want it doing VPN in software.

So I decided to keep the old WAN router as VPN-only duty. I briefly considered using a 1760 with a VPN module (I have a few), but when I finally get to having decent internet speeds it would choke. The 3825 has an EPII+ card on top of the onboard hardware engine, so it should at the least have no issue keeping up with my internet connection with weak Triple-DES. The only issue is when I went to forward UDP 4500 from the edge router to the VPN router I got:

% Port 4500 is being used by system

I was able to successfully forward ports UDP 500 and ESP, but here I got stumped. I verified there was no crypto config, I tried clearing crypto stuff, I tried disabling software crypto — all with no luck. Googling didn’t give me much to go on, but I finally ran into something showing this error as an IOS-XE bug for 15.2(4)S2, and I was running 15.2(4)S3 (pure IOS, but basically the same), so being out of options and ideas I decided to just install 15.2(4)M7 and voilà! Problem solved!

Two routers replaced with — two routers, maybe that doesn’t sound very good, but it will allow me to do more at the edge with more ports available directly on the router instead of playing with switches and VLANs/VRFs.

And in case you want to see how my network is physically wired — and this is somewhat simplified, here you are!

[Figure: Simplified Network Diagram – 01/01/15]

Rearranging The Intranet of Things

So after dealing with a bunch of random dd-wrt based access points I decided to grab some LAP1142Ns off of eBay. I set up a vWLC on the VM machine, and was able to get it going fairly quickly even with no knowledge of Cisco Wireless technology.

So far my throughput is only slightly increased even after moving to 5GHz and having a 3×3 MIMO radio in my laptop.

I added a real router for the upstairs network (3825), and a gig link from the ‘closet’ to my office/workstations. Some of the interconnects in the lab are temporarily dual 100MBit load balanced via EIGRP to alleviate some of the bottlenecks. The LAP1142Ns are limited to 100mbit due to a 3560-24PS being the only PoE switch I have, but I never see more than about 60mbit of throughput over wireless, and the port never exceeds 70mbit — so until I get that sorted out it’s not a limitation.

To get more gig links in my ‘office’ (aka my bedroom) I trunked a cheap Dell 5224 to a 3550-12G, replacing the 3550-12T that was formerly there. I wish I could afford newer Cisco gig switches, but my budget is basically non-existent.

I still need a total network redesign, my routing table is almost laughable:

dswr1.core#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2
 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 ia - IS-IS inter area, * - candidate default, U - per-user static route
 o - ODR, P - periodic downloaded static route

Gateway of last resort is 172.16.5.6 to network 0.0.0.0

D 192.168.30.0/24 [90/28928] via 10.255.1.6, 22:58:10, FastEthernet0/16
 [90/28928] via 10.255.1.2, 22:58:10, FastEthernet0/14
 172.17.0.0/16 is variably subnetted, 6 subnets, 2 masks
D 172.17.0.48/28 [90/28672] via 10.255.1.6, 1d00h, FastEthernet0/16
 [90/28672] via 10.255.1.2, 1d00h, FastEthernet0/14
D 172.17.0.32/28 [90/28672] via 10.255.1.6, 1d00h, FastEthernet0/16
 [90/28672] via 10.255.1.2, 1d00h, FastEthernet0/14
D 172.17.0.16/28 [90/28672] via 10.255.1.6, 1d00h, FastEthernet0/16
 [90/28672] via 10.255.1.2, 1d00h, FastEthernet0/14
D 172.17.0.0/28 [90/28672] via 10.255.1.6, 1d00h, FastEthernet0/16
 [90/28672] via 10.255.1.2, 1d00h, FastEthernet0/14
D 172.17.0.72/29 [90/28672] via 10.255.1.6, 1d00h, FastEthernet0/16
 [90/28672] via 10.255.1.2, 1d00h, FastEthernet0/14
D 172.17.0.64/29 [90/28672] via 10.255.1.6, 1d00h, FastEthernet0/16
 [90/28672] via 10.255.1.2, 1d00h, FastEthernet0/14
 172.16.0.0/16 is variably subnetted, 7 subnets, 4 masks
C 172.16.255.0/28 is directly connected, Vlan601
D 172.16.2.8/30 [90/28416] via 10.255.1.6, 1d00h, FastEthernet0/16
 [90/28416] via 10.255.1.2, 1d00h, FastEthernet0/14
D 172.16.2.4/30 [90/28672] via 10.255.1.6, 22:58:18, FastEthernet0/16
 [90/28672] via 10.255.1.2, 22:58:18, FastEthernet0/14
C 172.16.5.4/30 is directly connected, FastEthernet0/24
D 172.16.3.2/32 [90/156672] via 10.255.1.6, 22:58:14, FastEthernet0/16
 [90/156672] via 10.255.1.2, 22:58:14, FastEthernet0/14
D 172.16.1.0/24 [90/28672] via 10.255.1.6, 1d00h, FastEthernet0/16
 [90/28672] via 10.255.1.2, 1d00h, FastEthernet0/14
D 172.16.3.1/32 [90/156160] via 172.16.5.6, 10:49:53, FastEthernet0/24
 172.18.0.0/28 is subnetted, 1 subnets
D 172.18.0.0 [90/28672] via 10.255.1.6, 1d00h, FastEthernet0/16
 [90/28672] via 10.255.1.2, 1d00h, FastEthernet0/14
D 192.168.99.0/24 [90/28928] via 10.255.1.6, 03:03:00, FastEthernet0/16
 [90/28928] via 10.255.1.2, 03:03:00, FastEthernet0/14
 10.0.0.0/30 is subnetted, 2 subnets
C 10.255.1.4 is directly connected, FastEthernet0/16
C 10.255.1.0 is directly connected, FastEthernet0/14
D 192.168.0.0/24 [90/30720] via 172.16.5.6, 10:49:54, FastEthernet0/24
D 192.168.100.0/24 [90/28672] via 10.255.1.6, 1d00h, FastEthernet0/16
 [90/28672] via 10.255.1.2, 1d00h, FastEthernet0/14
C 192.168.101.0/24 is directly connected, Vlan400
D*EX 0.0.0.0/0 [170/30720] via 172.16.5.6, 10:49:54, FastEthernet0/24

Getting My Real VM Server Back Online

My server has been off hiding somewhere far away from me for a while, so I’ve been running virtual machines on an AMD FX-8320 990FX based box. Unfortunately it only had 16GB of RAM and I gutted the server RAM for use in my workstations.

I’ve decided to order some used ECC Registered 4GB sticks off of eBay — 32GB ought to do for now. I won’t have to worry about whether I can launch a new VM due to RAM constraints (I was using a lot of swap before!), so titan.frankd.lab will soon be back online with the FX-8320 machine for failover. I’m going to need shared storage, so I’ll have to setup a real iSCSI storage box soon.

End short random thought.

A lot of bit of nothing

As it sometimes happens personal stuff has taken hold of my life and stopped me from doing anything major with anything technology related. I decided that I should pick a little project to pick up some new skills, so I’ll be setting up Cisco’s AIR-CTVM Wireless controller along with a couple LAP-1142Ns 802.11n (draft) access points that I picked up off of eBay to get rid of the DD-WRT APs which haven’t been entirely cooperative. For example, the Netgear WNR834B v2 will only use the base channel assigned with the second channel being two channels above it (currently channels 6 and 8) which is clearly not optimal for throughput.

I’m going to be rearranging my home network to segment it a bit more and do some more with routing. I want to keep the LAPs running off the 3560-24PS with PoE power instead of powering them with external bricks, so unfortunately each AP will be limited to 100mbit of throughput — that’s actually still better than what I get now over the 2.4GHz N AP, so it’ll still be a usable throughput improvement.

I’ll also be able to actually do some L3 segmenting instead of needing to share a VLAN across physical boundaries for the ‘dumb’ AP bridges currently in place.

I’ve been doing some work on IP management software, and while a lot of the back-end functionality is currently there for calculation, I’d like to rewrite some of it for speed. There are parts that are written strictly for readability using strings instead of bit compares, and they’re much slower than I’d like them to be for large address spaces. I should have something interesting to show if I can manage to put a little more time into it.
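The routing table shown earlier and the remark above about IP-management code that compares strings instead of bits both call for the same small tool, so here is one added example for both. It is written for this page and is not the blog's own IPAM code or anything from Cisco: it parses a few lines of the `show ip route` output from the post (embedded below as a constructed sample) into integer prefixes, then answers containment, overlap, ECMP and longest-match questions with one AND and one compare each. All function names are my own.

```python
# Added example (not the blog's own code): parse a slice of Cisco IOS "show ip
# route" output into integer prefixes, then answer IPAM-style questions with
# bit operations instead of dotted-string compares.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a subset of the post's routing table, kept verbatim so the
# two awkward cases survive: ECMP continuation lines that begin with whitespace,
# and "is subnetted" headers whose child lines omit the mask.
SAMPLE_ROUTE_OUTPUT = """\
Gateway of last resort is 172.16.5.6 to network 0.0.0.0

D 192.168.30.0/24 [90/28928] via 10.255.1.6, 22:58:10, FastEthernet0/16
 [90/28928] via 10.255.1.2, 22:58:10, FastEthernet0/14
 172.16.0.0/16 is variably subnetted, 7 subnets, 4 masks
C 172.16.255.0/28 is directly connected, Vlan601
D 172.16.3.1/32 [90/156160] via 172.16.5.6, 10:49:53, FastEthernet0/24
 172.18.0.0/28 is subnetted, 1 subnets
D 172.18.0.0 [90/28672] via 10.255.1.6, 1d00h, FastEthernet0/16
 [90/28672] via 10.255.1.2, 1d00h, FastEthernet0/14
 10.0.0.0/30 is subnetted, 2 subnets
C 10.255.1.4 is directly connected, FastEthernet0/16
D*EX 0.0.0.0/0 [170/30720] via 172.16.5.6, 10:49:54, FastEthernet0/24
"""

_HEADER = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2}) is (?:variably )?subnetted")
_ROUTE = re.compile(
    r"^(?P<code>[A-Za-z]\S*(?:\s(?:EX|IA|N1|N2|E1|E2|L1|L2))?)\s+"
    r"(?P<net>\d{1,3}(?:\.\d{1,3}){3})(?:/(?P<plen>\d{1,2}))?\s+(?P<rest>.*)$")
_VIA = re.compile(
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:,\s+[\d:dhwm]+)?(?:,\s+(?P<iface>\S+))?")
_CONN = re.compile(r"is directly connected,\s+(?P<iface>\S+)")

def ip_to_int(addr: str) -> int:
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def mask(plen: int) -> int:
    """Network mask for a prefix length as an int (plen 0 gives 0)."""
    return (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF

@dataclass
class Route:
    code: str
    network: int  # already masked to the prefix length
    plen: int
    next_hops: List[Tuple[str, str]] = field(default_factory=list)  # (next hop, interface)

    @property
    def prefix(self) -> str:
        return f"{int_to_ip(self.network)}/{self.plen}"

def _add_path(route: Route, text: str) -> None:
    c = _CONN.search(text)
    if c:
        route.next_hops.append(("connected", c.group("iface")))
        return
    v = _VIA.search(text)
    if v:
        route.next_hops.append((v.group("nh"), v.group("iface") or ""))

def parse_routes(text: str) -> List[Route]:
    routes: List[Route] = []
    inherited_plen: Optional[int] = None
    for line in text.splitlines():
        h = _HEADER.match(line)
        if h:  # "X/len is subnetted" carries the mask for child lines that omit it
            inherited_plen = int(h.group(2))
            continue
        m = _ROUTE.match(line)
        if m:
            plen = int(m.group("plen")) if m.group("plen") else inherited_plen
            if plen is None:
                raise ValueError(f"no prefix length for route line: {line!r}")
            route = Route(m.group("code"), ip_to_int(m.group("net")) & mask(plen), plen)
            _add_path(route, m.group("rest"))
            routes.append(route)
        elif routes and line[:1].isspace():
            _add_path(routes[-1], line.strip())  # extra ECMP path for the previous route
    return routes

def parse_prefix(prefix: str) -> Tuple[int, int]:
    addr, _, plen = prefix.partition("/")
    plen_i = int(plen) if plen else 32
    return ip_to_int(addr) & mask(plen_i), plen_i

def contains(outer: str, inner: str) -> bool:
    """True when every address of `inner` lies inside `outer`: one AND, one compare."""
    o_net, o_len = parse_prefix(outer)
    i_net, i_len = parse_prefix(inner)
    return i_len >= o_len and (i_net & mask(o_len)) == o_net

def overlaps(a: str, b: str) -> bool:
    """True when the two prefixes share any address (compare under the shorter mask)."""
    a_net, a_len = parse_prefix(a)
    b_net, b_len = parse_prefix(b)
    m = mask(min(a_len, b_len))
    return (a_net & m) == (b_net & m)

def ecmp_routes(routes: List[Route]) -> List[str]:
    return [r.prefix for r in routes if len(r.next_hops) > 1]

def routes_within(routes: List[Route], supernet: str) -> List[str]:
    return [r.prefix for r in routes if contains(supernet, r.prefix)]

def longest_match(routes: List[Route], addr: str) -> Optional[str]:
    """Longest-prefix lookup as a FIB would do it, here by linear scan."""
    a = ip_to_int(addr)
    best: Optional[Route] = None
    for r in routes:
        if (a & mask(r.plen)) == r.network and (best is None or r.plen > best.plen):
            best = r
    return best.prefix if best else None

if __name__ == "__main__":
    rt = parse_routes(SAMPLE_ROUTE_OUTPUT)
    for r in rt:
        print(f"{r.code:5} {r.prefix:18} {len(r.next_hops)} path(s)")
    print("ECMP:", ecmp_routes(rt))
    print("inside 172.16.0.0/12:", routes_within(rt, "172.16.0.0/12"))
    print("172.18.0.9 ->", longest_match(rt, "172.18.0.9"))
```

The reason the integer form is worth the rewrite is not just speed: a dotted-string test such as `"172.16.255.0".startswith("172.1")` is also true of 172.17.x and 172.100.x, so string code has to pad or split octets to be correct at all, whereas the masked-int compare is both correct for any prefix length and constant-time per check, which matters once the address space is large.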

Another VM Host Upgrade

And yet another not-exciting blog entry. My VM host with an FX-8320 was on an AMD 760G board so it lacked IOMMU which I’d love to have for SR-IOV among other things. I have a spare machine laying around that was formerly a gaming machine. Needing more RAM (the 760G board only had two slots) and IOMMU, I decided to repurpose the gaming machine as the VM host. The 990FX based board already had an FX-8120 in it, so I took a single step back in CPU generation but it’s fairly close. I only had 8GB of RAM in the old setup, so I combined that with 2x2GB sticks of ECC DDR3 RAM I had hiding in a box. I have a bit of head room now and can launch a few more VMs with 12GB of total RAM. While that’s not impressive as far as virtualization host hardware goes it does let me run a bunch of local services for testing/learning/re-learning. Not having onboard graphics with the new board necessitated the use of another video card, luckily I had some GTX 750 Tis laying around (I seem to say ‘laying around’ about hardware pretty often) so one went in the bottom PCI-E x4 slot so as to not block any other slot for future upgrades. The Intel I350-T2 card went in the next x4 slot for iSCSI.

VM storage is going to be split off from the hardware, so it will all be through iSCSI with MPIO. That pretty much just leaves me with a ton of PCI-E slots for NICs.

I was able to reduce reported CPU TDP by offlining the “odd” cores (1/3/5/7) while load is low (better to offline those, since core pairs 0/1, 2/3, 4/5 and 6/7 each share a module in AMD’s CMT architecture), locking the CPU at idle and reducing power state 6 (idle) voltage from 0.9375v to 0.825v which has been stable so far (sensors reports 0.85v). Power tends to stay close to 30w and never breaks 50w. If it was more heavily utilized I’d let it clock up, but nothing is CPU limited at the moment. I’ll have to try monitoring power usage at forced idle vs the ‘ondemand’ governor with various load transition points. I wouldn’t call anything sluggish, but I don’t have hundreds of devices on my network.

As for a power supply, the case already had a SeaSonic 660XP2 80+Platinum power supply, so even if I do have to run the CPU at full tilt there should be little waste in the PSU department. It’s completely overkill both for being Platinum at this power level (likely sub 100w at all times), and for its 660w rating. If I was going to buy something I probably would’ve got a SeaSonic Gold which would still allow me plenty of headroom even if it was full of NICs and RAM. It does feel a little safer than running off a 180w power supply with an FX-8320 and a drive array, though.

There’s plenty of local services running here, eventually I’m going to make some (counter)intuitive web GUIs for configuring stuff (i.e. IP address management that then configures DHCP/DNS), so it was good to brush up on configuring these things from scratch.