Switching

HP SAN P4300 Performance

Posted by robd on April 04, 2014
Networking, SAN, Server / No Comments

We had some issues a while back where there was latency between a PC and the SAN, so I started to look at all the layers to try and find the problem. Here are my findings in case anyone finds them an interesting read.

To rule out the PC, I’ve tested the performance of the SAN and network throughput.

The performance of the SAN is measured in IOPS (Input/Output Operations Per Second), and the current average total is 800 (found on the SAN info page).  To put this in perspective, poor performance would be in the 2000s.

The graph below only shows output from 17:28, but it has been running all day, so the average should be accurate:

[Image: SAN1]

Looking at the performance of switches can be difficult, but we’ve started using HP Intelligent Management Centre, which is great at collating stats. The switches reported low bandwidth usage, and CPU, memory and I/O seemed normal:

[Image: Switch1]

We know from experience that the throughput on these switches is limited by the infrastructure, in our case 1Gb fibre.

These are the theoretical maximum sequential (SEQ) write limits we could obtain from our connection to the SAN (in practice there is a 5%-20% overhead involved):

[Image: SAN2]

I’ve managed to very roughly test this write limit from a client to the SAN’s SAS disks:

[Image: SAN3]

A result of 81.12MB/s is very positive, considering we could only ever realistically achieve 125MB/s on our current setup.

What this meant, in my opinion, was that the SAN and network were not to blame, so it had to be either the client or the server. Long story short, the AV on the server was causing our latency, not the “network”.


HP Switch – Access control Lists

Posted by robd on April 04, 2014
Networking / 1 Comment

Hi All,

We’ve recently implemented a BYOD wireless SSID for end users to check Facebook or whatever it is they do.  As we’re short on resources we had to use the existing DCs to dole out IPs, but we were obviously worried about users “hacking” into the system.  So the first thing we did was create a VLAN and assign it to the wireless, then apply several access control lists (ACLs) to the core switch limiting access to only the DCs, proxy, core switch, each other and the firewall, and blocking the rest:

First, check the subnet mask of the VLAN you want to apply the ACL to, as the wildcard mask in the ACL changes depending on the subnet.

The example below uses a subnet mask of 255.255.255.0 (the lines beginning with # are notes only; do not try to apply them).

Logon to a switch and go into config mode:

#Here we specify that the ACL will be extended rather than standard, then we create a name for the ACL
ip access-list extended NEWACL
#The rules below specify which servers the users on the ACL can have access to:
10 permit ip 192.168.241.0 0.0.0.255 192.168.250.2 0.0.0.0
15 permit ip 192.168.241.0 0.0.0.255 192.168.250.3 0.0.0.0
20 permit ip 192.168.241.0 0.0.0.255 10.0.0.1 0.0.0.0
25 permit ip 192.168.241.0 0.0.0.255 192.168.250.18 0.0.0.0
30 permit ip 192.168.241.0 0.0.0.255 10.0.0.76 0.0.0.0
31 permit ip 192.168.241.0 0.0.0.255 192.168.241.254 0.0.0.0
35 permit ip 192.168.241.254 0.0.0.0 0.0.0.0 255.255.255.255
#The rules below deny access to certain subnets
50 deny ip 192.168.241.0 0.0.0.255 192.168.0.0 0.0.255.255
55 deny ip 192.168.241.0 0.0.0.255 10.0.0.0 0.255.255.255
57 deny ip 192.168.241.0 0.0.0.255 172.0.0.0 0.255.255.255
#This final permit allows access to anything else and therefore out of its network to other networks:
60 permit ip 192.168.241.0 0.0.0.255 0.0.0.0 255.255.255.255
#Apply this ACL to a VLAN, in this case 3241:
VLAN 3241 ip access-group NEWACL in
#Show me my handiwork (the ACL we just created is NEWACL):
Show Access-List NEWACL


Finally test!

OK, so what if you have a network with a subnet mask of 255.255.252.0? The wildcard in the ACL changes: above we had 0.0.0.255, whereas for a 255.255.252.0 subnet we need 0.0.3.255.

Example:

#Name of ACL and extended:
ip access-list extended "StudentACL1"
#List of allowed servers:
10 permit ip 192.168.216.0 0.0.3.255 192.168.250.2 0.0.0.0
15 permit ip 192.168.216.0 0.0.3.255 192.168.250.3 0.0.0.0
20 permit ip 192.168.216.0 0.0.3.255 10.0.0.1 0.0.0.0
25 permit ip 192.168.216.0 0.0.3.255 192.168.250.18 0.0.0.0
26 permit ip 192.168.216.0 0.0.3.255 192.168.250.30 0.0.0.0
27 permit ip 192.168.216.0 0.0.3.255 192.168.250.68 0.0.0.0
30 permit ip 192.168.216.0 0.0.3.255 10.0.0.76 0.0.0.0
31 permit ip 192.168.216.0 0.0.3.255 192.168.216.254 0.0.0.0
35 permit ip 192.168.216.254 0.0.0.0 0.0.0.0 255.255.255.255
#List denied subnets:
50 deny ip 192.168.216.0 0.0.3.255 192.168.0.0 0.0.255.255
55 deny ip 192.168.216.0 0.0.3.255 10.0.0.0 0.255.255.255
57 deny ip 192.168.216.0 0.0.3.255 172.0.0.0 0.255.255.255
#Apply to this VLAN:
VLAN 3216 ip access-group StudentACL1 in
#Show me the money:
Show Access-List StudentACL1
Save
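
To see the two ACL rules of thumb above in action (mask to wildcard conversion, and first-match evaluation of the rules), here is an added Python example, not part of the original post. It loads a subset of the NEWACL entries quoted above, evaluates constructed flows from a BYOD client (192.168.241.10 is an assumed address inside the 192.168.241.0/24 VLAN) and shows, for instance, that rule 57 written as 172.0.0.0 0.255.255.255 covers the whole of 172/8. HP ACLs apply an implicit deny when no entry matches, which the evaluator reproduces.

```python
import ipaddress

def wildcard_from_mask(mask: str) -> str:
    """Invert a dotted subnet mask into the wildcard form used in the ACLs above."""
    inverted = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(inverted))

def matches(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard bit of 1 means 'don't care'; every other bit must equal the base."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) ^ int(ipaddress.IPv4Address(base))) & care == 0

def parse_acl(text: str) -> list:
    """Parse '<seq> permit|deny ip <src> <src-wc> <dst> <dst-wc>' lines, skipping # notes."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        seq, action, _proto, src, src_wc, dst, dst_wc = line.split()
        rules.append((int(seq), action, src, src_wc, dst, dst_wc))
    return sorted(rules)

def evaluate(rules: list, src: str, dst: str) -> tuple:
    """First matching entry wins; with no match the switch applies its implicit deny."""
    for seq, action, s, s_wc, d, d_wc in rules:
        if matches(src, s, s_wc) and matches(dst, d, d_wc):
            return action, seq
    return "deny", None

# NEWACL entries from the post (rules 15-30 omitted for brevity; they follow rule 10's pattern).
NEWACL = """
10 permit ip 192.168.241.0 0.0.0.255 192.168.250.2 0.0.0.0
31 permit ip 192.168.241.0 0.0.0.255 192.168.241.254 0.0.0.0
35 permit ip 192.168.241.254 0.0.0.0 0.0.0.0 255.255.255.255
50 deny ip 192.168.241.0 0.0.0.255 192.168.0.0 0.0.255.255
55 deny ip 192.168.241.0 0.0.0.255 10.0.0.0 0.255.255.255
57 deny ip 192.168.241.0 0.0.0.255 172.0.0.0 0.255.255.255
60 permit ip 192.168.241.0 0.0.0.255 0.0.0.0 255.255.255.255
"""
RULES = parse_acl(NEWACL)

if __name__ == "__main__":
    print(wildcard_from_mask("255.255.252.0"))  # 0.0.3.255, the wildcard used in StudentACL1
    # Constructed test flows: an assumed BYOD client 192.168.241.10 talking to various destinations.
    for dst in ("192.168.250.2", "192.168.250.5", "172.20.1.1", "8.8.8.8"):
        print(dst, evaluate(RULES, "192.168.241.10", dst))
```

Running it shows the DC at 192.168.250.2 permitted by rule 10, another internal host in 192.168.0.0/16 denied by rule 50, and a public address falling through to the final permit at rule 60.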


So what happens if you want to delete an ACL from a VLAN:

#Remove the ACL from the VLAN:
no VLAN 3216 ip access-group StudentACL1 in
#Remove the ACL from the switch:
no ip access-list extended StudentACL1
Save
#Now to check it's gone, either do Show Access-List or Show Config.


IP Routes

Posted by robd on March 29, 2014
Networking / No Comments

Hi All,

I started at a new company recently and they’d had an ongoing issue for ages where they could only access one of the two switches in their server room if they were on the same subnet.

So Switch A was the problem switch and had an IP of 10.0.0.123.

Switch B they could access from anywhere and had an IP of 10.0.0.124.

My computer had an IP of 192.168.111.1.

So initially I started thinking the issue was down to VLANs, as we have around 50 VLANs and I kind of just presumed it would be an issue with cross-VLAN routing.  Well, actually I was wrong.

Firstly I pinged both switches:

SwitchA – Cannot ping.

SwitchB – Can ping.

Next, trace route (tracert from a Windows 7 PC):

SwitchA – Could not trace

SwitchB – two hop trace, Core switch then the switch.

OK, so what next? Let’s try the above from the switches (so after connecting to a server on the same subnet I ran the tests):

Ping my PC:

SwitchA – could not ping,

SwitchB – could ping.

Trace route:

SwitchA – No route,

SwitchB – two hop route.

So after this I decided it must be a routing issue, as both switches could ping the core switch and both switches could trace route to the core switch.  So let’s have a butcher’s at the routing.

Switch A# show ip route

                                IP Route Entries

  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
  10.0.0.0/8         DEFAULT_VLAN    1    connected            1          0
  127.0.0.0/8        reject               static               0          0
  127.0.0.1/32       lo0                  connected            1          0
  192.168.101.0/24   iSCSI-VLAN      1010 connected            1          0

Switch B# show ip route

                                IP Route Entries

  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
  0.0.0.0/0          10.0.0.2        1    static               250        1
  10.0.0.0/8         DEFAULT_VLAN    1    connected            1          0
  127.0.0.0/8        reject               static               0          0
  127.0.0.1/32       lo0                  connected            1          0
  192.168.101.0/24   iSCSI-VLAN      1010 connected            1          0


Hold the phone, Switch A has no sodding return route to the core switch (10.0.0.2)!

So I added the route like so:

Switch A# configure
Switch A(config)# ip route 0.0.0.0 0.0.0.0 10.0.0.2
Switch A(config)# write memory

And Bob’s your uncle, it worked!!
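
The asymmetry in the ping and trace results above comes straight out of the two routing tables: here is an added Python example (not from the original post) that performs a longest-prefix lookup over both tables as transcribed, for the PC address 192.168.111.1 from the post and a constructed same-subnet host 10.0.0.50, and then repeats the lookup for Switch A with the default route added.

```python
import ipaddress

# Route tables transcribed from the two 'show ip route' outputs above: (destination, gateway).
SWITCH_A = [
    ("10.0.0.0/8", "DEFAULT_VLAN"),
    ("127.0.0.0/8", "reject"),
    ("127.0.0.1/32", "lo0"),
    ("192.168.101.0/24", "iSCSI-VLAN"),
]
SWITCH_B = [("0.0.0.0/0", "10.0.0.2")] + SWITCH_A

def lookup(table, destination: str):
    """Longest-prefix match, as the switch's forwarding lookup does; None means 'no route'."""
    dst = ipaddress.IPv4Address(destination)
    best = None
    for prefix, gateway in table:
        net = ipaddress.IPv4Network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    if best is None or best[1] == "reject":
        return None
    return str(best[0]), best[1]

def diagnose(table, destination: str) -> str:
    """Explain how (or whether) a reply from this switch to 'destination' leaves the box."""
    hit = lookup(table, destination)
    if hit is None:
        return "no route"
    prefix, gateway = hit
    try:
        ipaddress.IPv4Address(gateway)        # a next-hop address: static route
        return f"via next hop {gateway} ({prefix})"
    except ValueError:                        # an interface/VLAN name: directly connected
        return f"directly connected on {gateway} ({prefix})"

if __name__ == "__main__":
    pc, same_subnet_host = "192.168.111.1", "10.0.0.50"   # PC from the post; constructed host
    for name, table in (("Switch A", SWITCH_A), ("Switch B", SWITCH_B)):
        print(name, "->", pc, ":", diagnose(table, pc))
        print(name, "->", same_subnet_host, ":", diagnose(table, same_subnet_host))
    # The fix from the post: give Switch A the same default route Switch B already had.
    fixed_a = [("0.0.0.0/0", "10.0.0.2")] + SWITCH_A
    print("Switch A after fix ->", pc, ":", diagnose(fixed_a, pc))
```

Switch A can answer a host on 10.0.0.0/8 but has nowhere to send a reply to 192.168.111.1, so the ping and trace from off-subnet fail even though the request reaches it.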



HP Switch – Show everything to a TFTP Server

Posted by robd on March 27, 2014
Networking / No Comments

So how do I send the output of the “show tech all” command to a TFTP server?

Easy.

Launch the TFTP server (e.g. Tftpd64), and issue this command at the CLI of the switch:

  copy command-output 'show tech all' tftp <IP addr of TFTP server> <destination filename>.txt
