Need help with office network! (VLANS etc.)

[Haggisman]

I've inherited a somewhat bodged together network. It (mostly) does the job, but there are a few issues that need ironing out!

So a background:

50-60 office based employees
~10 remote users
~60 workstations
15 servers

Up until last month, we were running 3 ADSL lines (~10Mb each), and having severe internet problems, we have since upgraded to a 20Mb dedicated microwave link, which has made a huge difference, but we're still having a few drop-outs here and there. It's not the internet connection that's the issue, as having a continuous ping running (e.g. to Google) doesn't drop out, but we get "page not found" errors in browsers (which resolve when you refresh the page). VPN users also temporarily lose connectivity (not enough to drop the connection, but causes issues with open files and TFS)

our DNS/DHCP is hosted on the primary DC, with secondary DNS on the backup DC, forwarders set to the ISPs DNS servers.

For VPN we use PPTP RRAS on the DCs (although apparently this is not advised, so I might look at moving it to another server)

Our firewall/gateway is a Cisco SA520 (which I have a feeling isn't up to the job as it's rebooted itself out a couple of times since the internet was upgraded). We also have an ASA5505 - but I've looked at setting this up to see if it's any better and the config isn't straightforward (I've had no Cisco training and very minimal experience)

The whole network is on a single subnet, and I'm wondering if it's just the level of traffic that's causing these issues?

I'm hoping to separate the network into VLANs, i.e. infrastructure, servers, clients, wifi and guest (maybe printers too?) to try and control the traffic, but the work I've done with VLANs is somewhat limited and so I don't want to go borking it!!

Our switches are Netgear ProSafe managed switches, but I believe these are only layer 2, so I'm not sure what to do about a layer 3 device to allow communication between VLANS, e.g. for clients to talk to servers (as far as I'm aware the SA520 only supports 3 VLANS). The alternative being to use the ANS options on the server NICs to create multiple virtual connections (one on each VLAN).

Anyway, just throwing ideas out there, and would really appreciate any input.

Also, if anyone could suggest a "teach yourself" book so I can increase my knowledge on this stuff, that would be great!!

Cheers guys

 

[Madmrcopper]

Morning, First thing that comes to mind with the drop outs is to try pointing your workstation DNS at google free DNS and see if things improve?

 

[PistolPete]

Not convinced VLANs are the way to go here.

You appear to be getting problems and you think that traffic maybe the issue, then you will only be putting more stress on the network gear by added and striping VLAN tags.

You've not got a particularly high number of users / workstations so and you're not running consumer lever kit so there maybe a problem somewhere else.
Maybe look at the logs on the switches and see if you are getting broadcast storms, or excessive collisions or any other kind of traffic like that which could be slowing things down.

Microwave links by their nature can drop out, but you need to try and work out if it's the link or the kit. The SA520 is the lowest of the SA500 series and is actually as rebranded Linksys bit of kit. It's designed for "small businesses" but I'm not sure how small is small. According to it's spec it's good for 200Mb of throughput, and 15,000 connections - maybe take a look and see how loaded it is.

I'd prefer the ASA5505 simply as I've had experience with them and it'll be a more powerful unit than the SA520.

 

[Haggisman]

Not convinced VLANs are the way to go here.

You appear to be getting problems and you think that traffic maybe the issue, then you will only be putting more stress on the network gear by added and striping VLAN tags.

You've not got a particularly high number of users / workstations so and you're not running consumer lever kit so there maybe a problem somewhere else.
Maybe look at the logs on the switches and see if you are getting broadcast storms, or excessive collisions or any other kind of traffic like that which could be slowing things down.

Doh, should have thought of checking that.

Could something like this cause these issues?

Port 8

TX
Good Unicast Packets 18983773
Broadcast Packets 15295698
Multicast Packets 3098245
Error Packets 0
Collisions 67957

RX
Good Unicast Packets 661982
Error Packets 68209
Broadcast Packets 11562
Multicast Packets 12625
Frames of 64 Bytes 7546374
Frames of 65 to 127 Bytes 9228826
Frames of 128 to 255 Bytes 1936231
Frames of 256 to 511 Bytes 498014
Frames of 512 to 1023 Bytes 281572
Frames of 1024 to 1518 Bytes 154741
Jabbers 0
Fragments 252
FCS Errors 0
128 to 255 BytePkts 0
256 to 511 BytePkts 0
512 to 1023 BytePkts 0
1024 to 1522 BytePkts 0

Switch is reporting that port as being connected at 10M half duplex...

I think that port is connected to a little 5 port desktop switch, but unfortunately can't check that right now as it's in the boardroom and there's a meeting on

Also got another switch with 138 dropped packets on every port that's active...

I been given the impression that my predecessor got most of the switches off the back of a lorry (or at least everyone's favourite auction site) so it's entirely possible they're not 100%...

Microwave links by their nature can drop out, but you need to try and work out if it's the link or the kit.

We've got a guaranteed 20MB with 99.95% uptime SLA, so I'm hoping it's not that (as it wasn't cheap!!), also we were getting similar drop outs before, although far more frequently and lasting longer.

The SA520 is the lowest of the SA500 series and is actually as rebranded Linksys bit of kit. It's designed for "small businesses" but I'm not sure how small is small. According to it's spec it's good for 200Mb of throughput, and 15,000 connections - maybe take a look and see how loaded it is.

I'd prefer the ASA5505 simply as I've had experience with them and it'll be a more powerful unit than the SA520.

It's running at ~50% memory, 10% CPU, no dropped packets/errors on any of the interfaces.

I'd like to get the ASA5505 set up, as from everything I've read it's a far better device that the SA520 - unfortunately like I said, I took one look at the interface and decided I had more pressing things to be doing

Any recommendations on where I can read up on configuring it? Am I better using the ASDM or the CLI?

And you don't reckon setting up VLANs is going to help at all? We want to configure at least one additional VLAN so we can have people connect to a guest WIFI network without having full access to everything.

 

[nightmare99]

Our firewall/gateway is a Cisco SA520 (which I have a feeling isn't up to the job as it's rebooted itself out a couple of times since the internet was upgraded)

We have a SA520W and it certainly has its moments, (there are only two of us!).

 

[Haggisman]

So... I just had a poke around in the floor box in the boardroom, and found one of these bad boys!

Yes, that is a Netgear EN2005, 5 port 10MB half duplex hub.

Could possibly explain some of the issues (on that port at least)?

 

[Devz]

That would explain all the collisions, since it's a hub which is just one big collision domain. What was connected to it?

 

[blastman]

some good advice here.

I agree that adding vlans isn't going to help. I appreciate that you want to run a guest network for visitor internet access (i do this with a vlan) however you need to fix these other issues first.

You might add another layer of complexity to a struggling network making the fault finding even harder if you add the guest vlan now.

my advice would be to install wireshark on a PC, connect that to a main switch and configure a port to output all data the switch receives. then you can capture all the data thats being sent round your network. (edit; might be easier for you to take the up link cable that goes between two switches, put a hub on it and connect your wireshark pc to that. for each switch, rinse and repeat)

you can then start drilling down into whats happening where and why. Also, check for loop backs. I had a similar issue where a user and plugged and cable from a floor box into another floor box. not good.

good luck, and keep us posted!

 

[anything I don't mind]

If you want rule out the internet connection or dns you could try bypass the internal network by connecting another spare switch (or direct) to the Cisco SA520 if it has a spare interface and patch it through to a client pc and test the browsing on it for a day. If that works fine then you know its the switches or at least something within the environment.

 

[prj1865]

throw that hub as far as you can out of the window and never let it touch your network again!

 

[Haggisman]

That would explain all the collisions, since it's a hub which is just one big collision domain. What was connected to it?

A laptop, with a couple of extra spare leads for people to connect up to when they're using the boardroom.

throw that hub as far as you can out of the window and never let it touch your network again!

I have a nice hammer in the toolbox...

If you want rule out the internet connection or dns you could try bypass the internal network by connecting another spare switch (or direct) to the Cisco SA520 if it has a spare interface and patch it through to a client pc and test the browsing on it for a day. If that works fine then you know its the switches or at least something within the environment.

Will give this a try

some good advice here.

I agree that adding vlans isn't going to help. I appreciate that you want to run a guest network for visitor internet access (i do this with a vlan) however you need to fix these other issues first.

You might add another layer of complexity to a struggling network making the fault finding even harder if you add the guest vlan now.

my advice would be to install wireshark on a PC, connect that to a main switch and configure a port to output all data the switch receives. then you can capture all the data thats being sent round your network. (edit; might be easier for you to take the up link cable that goes between two switches, put a hub on it and connect your wireshark pc to that. for each switch, rinse and repeat)

The switches support port mirroring, so if I set this up on one of the connecting ports and run wireshark on that i'm guessing it will have the same effect?

 

[blastman]

I have a nice hammer in the toolbox...

can't do that. hubs are very useful when testing stuff like this.

The switches support port mirroring, so if I set this up on one of the connecting ports and run wireshark on that i'm guessing it will have the same effect?

yep, although make sure your mirroring the uplink port from that switch to the rest of the network. You'll have to do this on each switch to get a real log of what happening on the network.

Have you got any digital signage or network TV devices?

 

[Haggisman]

Just an update.

After removing that hub, everything seems to be running a lot more smoothly, and I haven't had any more complaints of dropouts

I did have a WireShark snoop on the interconnects with the core switch, but couldn't see anything untoward, so hopefully that's it sorted (*touch wood*), thanks for the help

 

[Knubje]

"For VPN we use PPTP RRAS on the DCs."

This concerns me a lot. I assume you are using MS-CHAP v2 as an authentication protocol with your PPTP VPN traffic?

http://technet.microsoft.com/en-us/security/advisory/2743314

Given that article, I'd check into your VPN service. Then consider the amount of security information held on a DC. I could be wrong and I hope I am, but if you fit the above glove then you want to get rid of it ASAP.

Good to hear that things are better, other than that!

 

[Haggisman]

Unfortunately yes, that's exactly how we're set up.

Another thing I am working on, hoping to get a dedicated solution in place, e.g. Juniper, Cisco, Sophos, etc.