[sorta OT] LAN reliability ?

Main Page | Report this Page

Computers Forum Index » Computer - DCOM - Lans (Ethernet) » [sorta OT] LAN reliability ?

Page 1 of 1

[sorta OT] LAN reliability ?

Author

Message

Walter Roberson

Posted: Mon Apr 18, 2005 9:13 am

Guest

Recently, I had it put to me that LANs (and firewalls) should be 100%
reliable (barring major equipment failure) -- that networks & security
should be about as reliable as the electrical mains (i.e., something
that can taken for granted nearly all the time, and repairs should take
only a few minutes.)

I was informed that "millions of businesses every day" have that
kind of LAN reliability.

Is that level of reliability the norm in real SMBs, with 500-ish
hosts, multiple subnets, and a mandatory deny-by-default firewall
policy?

Which is the truer picture in a growing organization with fluid network
access requirements: that the network & security person has barely
anything to do because they set up the equipment "right" the
first time? Or that keeping up with the network & security
changes and failures and planning is more than a full-time job
that can involve many a late night (or marathon repair session)?

How much truth is there, in real organizations, to those old
cartoons of a skeleton with cobwebs in front of a computer terminal,
with the caption "The network's down again." ?

It seems to me that more than once I've been in a major bank and been
told "The network's down", and no-one, staff or customer, seemed
surprised. I also seem to recall hearing a number of casual
conversations along the lines of "Oh yeah, the network
went down again at work today"... and I don't recall
hearing anyone reply "Our network never goes down"... not
for anything short of a Service Provider.

Lastly: has anyone observed a network "freak out", with a series
of normally reliable devices getting confused and staying confused
all through hours of standard problem isolation procedures, with no
discernable reason for the multiple failures -- and for the devices
to eventually settle down, and start working properly with
configurations that didn't work before?
--
"This was a Golden Age, a time of high adventure, rich living and
hard dying... but nobody thought so." -- Alfred Bester, TSMD

J. Clarke

Posted: Mon Apr 18, 2005 1:15 pm

Guest

Walter Roberson wrote:

Quote:

Don't confuse the reliability of the _network_ with the reliability of the
_system_.

When someone says "the network went down" they usually mean that the
_system_ went down, which may be a failure at Layer 4 or below but is much
more likely to be a server or application problem.

--
--John
to email, dial "usenet" and validate
(was jclarke at eye bee em dot net)

Vincent C Jones

Posted: Mon Apr 18, 2005 1:41 pm

Guest

Too many topics to address in a bottom posted response. Some comments
in-line...

In article <d3vrn2$6or$1@canopus.cc.umanitoba.ca>,
Walter Roberson <roberson@ibd.nrc-cnrc.gc.ca> wrote:

Quote:

The physical network infrastructure _SHOULD_ be extremely
reliable. However, what it should be and what it is are two different
things. The most common failure is a broken patch cable at the user
end, but regardless of cause, if manual troubleshooting is required,
MTTR can be abysmally long. FWIW, I've had more trouble with power
than with networking. Here in the North East US, power cannot be
taken for granted...

Quote:

I was informed that "millions of businesses every day" have that
kind of LAN reliability.

Is that level of reliability the norm in real SMBs, with 500-ish
hosts, multiple subnets, and a mandatory deny-by-default firewall
policy?

Which is the truer picture in a growing organization with fluid network
access requirements: that the network & security person has barely
anything to do because they set up the equipment "right" the
first time? Or that keeping up with the network & security
changes and failures and planning is more than a full-time job
that can involve many a late night (or marathon repair session)?

How much truth is there, in real organizations, to those old
cartoons of a skeleton with cobwebs in front of a computer terminal,
with the caption "The network's down again." ?

Aha, here is where you are being misled... When a user says "the network
is down" 99.9% of the time, the network is still up and it is the
application or server that they are using which has died. Think of how
many "network" failures are cured by rebooting the PC, then tell me how
that action can impact the cabling in the wall, hubs, routers, etc.

Quote:

It seems to me that more than once I've been in a major bank and been
told "The network's down", and no-one, staff or customer, seemed
surprised. I also seem to recall hearing a number of casual
conversations along the lines of "Oh yeah, the network
went down again at work today"... and I don't recall
hearing anyone reply "Our network never goes down"... not
for anything short of a Service Provider.

WAN links have significant failure rates, but that is why redundancy and
backup links are used. In the case you cite, it is far more likely to be
a software problem at the application/database level than a network
infrastructure problem.

Quote:

Lastly: has anyone observed a network "freak out", with a series
of normally reliable devices getting confused and staying confused
all through hours of standard problem isolation procedures, with no
discernable reason for the multiple failures -- and for the devices
to eventually settle down, and start working properly with
configurations that didn't work before?

Yes, but there is almost always an explanation if you dig deep enough
into the problem. On the other hand, determining root cause can be time
and resource consuming, and most businesses are more interested in
ending the current problem than they are with preventing it from
happening again.

Warning: I have been called a "Network Management Bigot" for
requesting all sorts of monitoring. However, my experience has been
that if you look closely enough at how the network is ACTUALLY
running, you will often spot problems before they are manifested
as service outages. Examples range from marginal links which are
reporting only brief intermittent hiccups on their way to total
failure, to routing tables which indicate that the routes in use
are not the routes you designed with the high probability that
when something fails, the network will roll over and die rather
than select an alternate route.

Been there, done that, been burnt Smile

But its been years since
I've had to worry about a network problem that couldn't wait until
morning to get fixed.

--
Vincent C Jones, Consultant Expert advice and a helping hand
Networking Unlimited, Inc. for those who want to manage and
Tenafly, NJ Phone: 201 568-7810 control their networking destiny
http://www.networkingunlimited.com

Al Dykes

Posted: Mon Apr 18, 2005 3:19 pm

Guest

In article <d40a6s02ll@news2.newsguy.com>,
J. Clarke <jclarke.usenet@snet.net.invalid> wrote:

Quote:

Walter Roberson wrote:

Recently, I had it put to me that LANs (and firewalls) should be 100%
reliable (barring major equipment failure) -- that networks & security
should be about as reliable as the electrical mains (i.e., something
that can taken for granted nearly all the time, and repairs should take
only a few minutes.)

I was informed that "millions of businesses every day" have that
kind of LAN reliability.

Is that level of reliability the norm in real SMBs, with 500-ish
hosts, multiple subnets, and a mandatory deny-by-default firewall
policy?

Which is the truer picture in a growing organization with fluid network
access requirements: that the network & security person has barely
anything to do because they set up the equipment "right" the
first time? Or that keeping up with the network & security
changes and failures and planning is more than a full-time job
that can involve many a late night (or marathon repair session)?

How much truth is there, in real organizations, to those old
cartoons of a skeleton with cobwebs in front of a computer terminal,
with the caption "The network's down again." ?

It seems to me that more than once I've been in a major bank and been
told "The network's down", and no-one, staff or customer, seemed
surprised. I also seem to recall hearing a number of casual
conversations along the lines of "Oh yeah, the network
went down again at work today"... and I don't recall
hearing anyone reply "Our network never goes down"... not
for anything short of a Service Provider.

Lastly: has anyone observed a network "freak out", with a series
of normally reliable devices getting confused and staying confused
all through hours of standard problem isolation procedures, with no
discernable reason for the multiple failures -- and for the devices
to eventually settle down, and start working properly with
configurations that didn't work before?

Don't confuse the reliability of the _network_ with the reliability of the
_system_.

When someone says "the network went down" they usually mean that the
_system_ went down, which may be a failure at Layer 4 or below but is much
more likely to be a server or application problem.

--
--John
to email, dial "usenet" and validate
(was jclarke at eye bee em dot net)

Agreed. Or, for a business branch site it means that the leased line
to the corporate network is down. A competant company will haev
contingancy plans for this. It may be non-technical, like manual
proceedures.

--
a d y k e s @ p a n i x . c o m

Don't blame me. I voted for Gore.

Robert Redelmeier

Posted: Mon Apr 18, 2005 3:19 pm

Guest

Walter Roberson <roberson@ibd.nrc-cnrc.gc.ca> wrote:

Quote:

You've received some good answers, and I'll add my 3 cents (CDN).

As many have said -- two different questions here. Networks are
generally very reliable. The occasional fried port or hung router.

Security is a _whole_ 'nother thing. Ideally, the network should be
fully open, and the devices (computers/servers) secure. No network
security required. With Microsoft products so insecure, the network
is called to help provide security by closing down. This is a PITA,
and doesn't stop trojans which the network is falsely blamed for.

Quote:

I was informed that "millions of businesses every day"
have that kind of LAN reliability.

They do. Mostly small businesses with a few printers
and a file server. The problem is that MS scales horribly.

Quote:

Is that level of reliability the norm in real SMBs,
with 500-ish hosts, multiple subnets, and a mandatory
deny-by-default firewall policy?

No. If single server uptime is 99.0% from random causes, and you
have 10 servers, only 90% of the time do you have all 10 servers.

Quote:

a late night (or marathon repair session)?

This is the norm. People are loaded until they break.

Quote:

and I don't recall hearing anyone reply "Our network never
goes down"... not for anything short of a Service Provider.

The network hardware at my home & work almost never go down.
I can almost always access Unix & other Linux-like hosts.
However, fairly frequently MS Windows desktops are out of action.

-- Robert

Al Dykes

Posted: Mon Apr 18, 2005 3:19 pm

Guest

In article <rNP8e.264$yd7.11@newssvr11.news.prodigy.com>,
Robert Redelmeier <redelm@ev1.net.invalid> wrote:

Quote:

Walter Roberson <roberson@ibd.nrc-cnrc.gc.ca> wrote:
Recently, I had it put to me that LANs (and firewalls) should be
100% reliable (barring major equipment failure) -- that networks
& security should be about as reliable as the electrical mains
(i.e., something that can taken for granted nearly all the time,
and repairs should take only a few minutes.)

You've received some good answers, and I'll add my 3 cents (CDN).

As many have said -- two different questions here. Networks are
generally very reliable. The occasional fried port or hung router.

Security is a _whole_ 'nother thing. Ideally, the network should be
fully open, and the devices (computers/servers) secure. No network
security required. With Microsoft products so insecure, the network
is called to help provide security by closing down. This is a PITA,
and doesn't stop trojans which the network is falsely blamed for.

I was informed that "millions of businesses every day"
have that kind of LAN reliability.

They do. Mostly small businesses with a few printers
and a file server. The problem is that MS scales horribly.

Is that level of reliability the norm in real SMBs,
with 500-ish hosts, multiple subnets, and a mandatory
deny-by-default firewall policy?

No. If single server uptime is 99.0% from random causes, and you
have 10 servers, only 90% of the time do you have all 10 servers.

a late night (or marathon repair session)?

This is the norm. People are loaded until they break.

and I don't recall hearing anyone reply "Our network never
goes down"... not for anything short of a Service Provider.

There are lots of parts in a "network" (your word).

There are Data Center clusters that have been providing literally
uninterupted service for years and there may be a Tandem system that
has been running for a decade with no downtime. These systems can fix
hardware and software on the fly. The limiting factors to uptime can
be company mergers and relocations and fuel for the generators.

Today the technology is highly distributed web servers based on BEA
WebLogicServer and IBM WebSphere running on many servers at multiple
locations.

The current phrase is "carrier grade" (Telephone industry terminology)
for computer systems that deliver "5 nines" uptime (99.999%) and the
ability to swap hardware and do software upgrades without service
disruption. That's still 5 minutes/year.

Quote:

The network hardware at my home & work almost never go down.
I can almost always access Unix & other Linux-like hosts.
However, fairly frequently MS Windows desktops are out of action.

--
a d y k e s @ p a n i x . c o m

Don't blame me. I voted for Gore.

Robert Redelmeier

Posted: Mon Apr 18, 2005 7:02 pm

Guest

J. Clarke <jclarke.usenet@snet.net.invalid> wrote:

Quote:

Whoa. The right approach is defense in depth.

When you need to defend. What to defend is a decision.

Quote:

so guess what most of the traffic on the "fully open"
network was.

Through traffic, of course. The Internet was designed that way.
the boundary routers could have been easily configured to drop
non-source/dest packets and it would have stopped. A better
solution would have been to negotiate with the various ISPs for
peering and/or cost to carry traffic. But that may have been
beyond the administrations skills.

Quote:

99% uptime is piss poor. That's one minute of outage every hour
and a half or so. Any server on which that happens is broken.

That isn't the usual granularity. It's more like 2 hours
every month or two, counting only core time. That includes
diagnosis time and is in addition to non-core hours server
routine maintenance and reboots to recover leaked memory.

Quote:

why your system is so unreliable. And if you're focussed on
"Windows" and think that eliminating Windows would solve
the problem then you're not really looking at the problem.

Well, yes. It's a long series of dependant chains. Any link
can break. I have no idea if Unix could be configured as
dependantly as MS-ActiveDirectory becomes when large.

Quote:

If you're running XP and your desktop machines in a place
of business are "out of action" "fairly frequently" you
need to find out why and fix it.

First, we do not use MS-WinXP. MS-Win2kPro is bad enough.
Second, failures are not global. People can usually work
at their desktops. But they lose access to some resources
like shared drives or email. Bizarrely, others are unaffected.

-- Robert

Al Dykes

Posted: Mon Apr 18, 2005 7:02 pm

Guest

In article <RxS8e.310$l45.6@newssvr12.news.prodigy.com>,
Robert Redelmeier <redelm@ev1.net.invalid> wrote:

Quote:

J. Clarke <jclarke.usenet@snet.net.invalid> wrote:
Whoa. The right approach is defense in depth.

When you need to defend. What to defend is a decision.

so guess what most of the traffic on the "fully open"
network was.

Through traffic, of course. The Internet was designed that way.
the boundary routers could have been easily configured to drop
non-source/dest packets and it would have stopped. A better
solution would have been to negotiate with the various ISPs for
peering and/or cost to carry traffic. But that may have been
beyond the administrations skills.

99% uptime is piss poor. That's one minute of outage every hour
and a half or so. Any server on which that happens is broken.

That isn't the usual granularity. It's more like 2 hours
every month or two, counting only core time. That includes
diagnosis time and is in addition to non-core hours server
routine maintenance and reboots to recover leaked memory.

why your system is so unreliable. And if you're focussed on
"Windows" and think that eliminating Windows would solve
the problem then you're not really looking at the problem.

Well, yes. It's a long series of dependant chains. Any link
can break. I have no idea if Unix could be configured as
dependantly as MS-ActiveDirectory becomes when large.

If you're running XP and your desktop machines in a place
of business are "out of action" "fairly frequently" you
need to find out why and fix it.

First, we do not use MS-WinXP. MS-Win2kPro is bad enough.
Second, failures are not global. People can usually work
at their desktops. But they lose access to some resources
like shared drives or email. Bizarrely, others are unaffected.

-- Robert

For Windows on desktops on business it isn't so much the MTBF as the
MTTR that makes a happy shop. With all the user data and profile on
the server we just drop in a fresh pre-imaged box when a user has a
probelm, hardware or software. The sick box goes on te bench for a
hardware repair or reimage and reuse.

IMO MS servers running mainstrea windows applications can be very
good if your expectations o0f scale and complexity are reasonable.

--
a d y k e s @ p a n i x . c o m

Don't blame me. I voted for Gore.

Walter Roberson

Posted: Mon Apr 18, 2005 7:02 pm

Guest

In article <d40mgf04kp@news3.newsguy.com>,
J. Clarke <jclarke.usenet@snet.net.invalid> wrote:

:If you're running XP and your desktop machines in a place of business are
:"out of action" "fairly frequently" you need to find out why and fix it.

I've been isolated for some years [this city is blooming nicely
in biotechnology, but the nearest "high tech city" is ~900 miles away].

Perhaps I don't get around as much as I should... but as best I recall,
I don't think I've ever met anyone who was actually skilled in
configuring and debugging and repairing MS Windows. I've met a number
of good unix/linux hackers, who could repair just about any software
problem -- but with MS Windows, having a good clue about the Registry
has been about the upper limit, after which the standard problem
resolution stream seems to be "Reinstall the application. Reinstall
Windows. Re-Ghost from a known-good system."

I'm certainly not trying to provoke a Unix vs Windows war here:
I'm asking more: Has my sample been biased? Is there a good
representation in IT of people who can -fix- MS Windows problems
beyond "Search the Knowledgebase and check out the registry, and if you
don't find the answer, then re-install?" And I certainly don't mean
to cast stones at MS Windows specialists with this question: I'm
asking seriously whether MS Windows gurus are uncommon or if I've
just not noticed them.
--
Entropy is the logarithm of probability -- Boltzmann

T. Sean Weintz

Posted: Mon Apr 18, 2005 9:02 pm

Guest

Walter Roberson wrote:

Quote:

A few thoughts -

Rarely does an ENTIRE network go down, right? It happens, but that is
pretty darn rare. PARTS of it usually go down from time to time. When
that "part" happens to be your gig Ethernet or ATM core for a particular
building such as your corporate headquarters, it can be rather dramatic,
tho. <grin>

The same could be said for the electrical mains. In fact power here is
problematic enough have diesel powered backup generators at many of our
buildings. And we are in the middle a city.

In all fairness, the electrical systems do not have the complexity and
constant need to be changes that most data networks have. Even voice
networks are quite simple by comparison.

For localized networks outages, there are of course typically off site
back up hosts, etc, that are utilized in such events. But the honchos
upstairs in the building that is down don't see that everything is fine
for customers. Web servers are up for the outside world to see, customer
transactions are being processed, but the CEO of the company can't get
to his favorite blog or check his in house email. To him, "the network
is down"

Quote:

I was informed that "millions of businesses every day" have that
kind of LAN reliability.

I'd counter with "75% of all statistics are made up on the spot" <grin>
Seriously, where did this person get that statistic? My experience
certainly does not bear that out.

Quote:

Is that level of reliability the norm in real SMBs, with 500-ish
hosts, multiple subnets, and a mandatory deny-by-default firewall
policy?

The smaller the org, the smaller the network, the more reliable it is
IME. The less complex, the more reliable IME. I'm sure you'd consider
that common sense.

That said, what you describe above fits my network pretty well. I manage
it pretty aggressively/proactively - read the syslog server logs every
day looking for issues, etc. I DO have outages from time to time. Most
often these are down WAN links, however that is the fault of the local
telco. Things like that happen when you run DS1 circuits over copper
pairs that were put in place over 100 years ago (really - no kidding -
many of the pairs in this city ARE that old!) So I'd have have to say
the core of my network is actually more reliable than the local PTSN and
the power mains here.

However, given what the users know and experience, "reliability" leaves
room for interpretation. For the average end user, having an email
message dropped due to it coming from a blacklisted server might be an
"unreliable network" in their mind. Execs telecommuting from home, using
a cable modem on a congested node that drops packets from over
subscribing, thus causing the citrix metaframe sessions to drop, has in
my experience been blamed on our network. Try explaining to the user
that "yes, I understand you have no problems going to any websites from
your home internet connection. However, the problem IS on your end, not
back here at the office"

Quote:

Which is the truer picture in a growing organization with fluid network
access requirements: that the network & security person has barely
anything to do because they set up the equipment "right" the
first time?

LOL. Even if set up "right the first time", it won't remain so... see below.

Quote:

Or that keeping up with the network & security
changes and failures and planning is more than a full-time job
that can involve many a late night (or marathon repair session)?

Full time job. The problem is the changes. New sites and office open up,
old ones close. Topologies change. Access to new apps over the internet
(designed by folks who consider ease of integration into your
environment lastly or not at all), etc, etc. Reliability is much easier
when the goal is not a moving target.

When I worked for a large bank, that I won't mention by name, rather
than CHASE down our folks during big network changes, we rented hotel
rooms in MANHATTAN for weeks at time, and would send our folks over to
the hotel for a few hours of sleep once in a while. I once witnessed my
boss staying at headquarters for over 72hr without once leaving the
building. Sometimes it crosses over from being a mere "full time job" to
being a "way of life". I started to know I had a problem when I started
dreaming at night about PIX over IP tunnels.

Quote:

How much truth is there, in real organizations, to those old
cartoons of a skeleton with cobwebs in front of a computer terminal,
with the caption "The network's down again." ?

Depends. I never quite got that one - is the skeleton supposed to be the
user or the admin?

Quote:

It seems to me that more than once I've been in a major bank and been
told "The network's down",

Which could mean anything. Most likely it means the leased line from
that branch back to the main office is down. Hardly the same in my mind
as the network being down.

Quote:

and no-one, staff or customer, seemed
surprised. I also seem to recall hearing a number of casual
conversations along the lines of "Oh yeah, the network
went down again at work today"... and I don't recall
hearing anyone reply "Our network never goes down"... not
for anything short of a Service Provider.

There has long been a "blame the computer" component to our culture -
it's a common scapegoat. The network has been added into that. Folks
WANT to be able to have something to blame, real or not. 500 years ago
it was "the devil". Today it's "the network"

Quote:

Sure. I think anyone who has helped manage a network of any size has
seen that at least once. Never fails that things settle down right when
the hour you can start intrusive testing pops up, too.

Keeping configs as simple as possible tends to minimize this IME. Never
seen it happen on, say, a network that had no vlans, all routing was
done via static routes, and no multicast stuff was used, etc.

J. Clarke

Posted: Mon Apr 18, 2005 9:02 pm

Guest

Robert Redelmeier wrote:

Quote:

But then it would not have been "completely open".

Quote:

A better
solution would have been to negotiate with the various ISPs for
peering and/or cost to carry traffic. But that may have been
beyond the administrations skills.

99% uptime is piss poor. That's one minute of outage every hour
and a half or so. Any server on which that happens is broken.

That isn't the usual granularity. It's more like 2 hours
every month or two, counting only core time. That includes
diagnosis time and is in addition to non-core hours server
routine maintenance and reboots to recover leaked memory.

why your system is so unreliable. And if you're focussed on
"Windows" and think that eliminating Windows would solve
the problem then you're not really looking at the problem.

Well, yes. It's a long series of dependant chains. Any link
can break. I have no idea if Unix could be configured as
dependantly as MS-ActiveDirectory becomes when large.

If you're running XP and your desktop machines in a place
of business are "out of action" "fairly frequently" you
need to find out why and fix it.

First, we do not use MS-WinXP. MS-Win2kPro is bad enough.
Second, failures are not global. People can usually work
at their desktops. But they lose access to some resources
like shared drives or email. Bizarrely, others are unaffected.

That sounds like it might be a licensing issue.

Quote:

-- Robert

--
--John
to email, dial "usenet" and validate
(was jclarke at eye bee em dot net)

J. Clarke

Posted: Mon Apr 18, 2005 11:02 pm

Guest

Walter Roberson wrote:

Quote:

There's a reason for that--it's faster than troubleshooting in most cases.
The major criticism of that approach is that the user loses data and
settings. On a corporate LAN neither of those should be the case.

I can generally get a Windows problem fixed or determine that it's a bug
that requires source access to fix and in that case come up with a
workaround, but I find that that's really _practical_ only for my home
system, where chasing the bug is recreation, and not for any situation in
which my time has dollar value. Cheaper to just reinstall or restore the
image.

By the way, you'll find Novell Zenworks a very useful tool for Windows
troubleshooting.

Quote:

I'm certainly not trying to provoke a Unix vs Windows war here:
I'm asking more: Has my sample been biased? Is there a good
representation in IT of people who can -fix- MS Windows problems
beyond "Search the Knowledgebase and check out the registry, and if you
don't find the answer, then re-install?" And I certainly don't mean
to cast stones at MS Windows specialists with this question: I'm
asking seriously whether MS Windows gurus are uncommon or if I've
just not noticed them.

--
--John
to email, dial "usenet" and validate
(was jclarke at eye bee em dot net)

Walter Roberson

Posted: Thu Apr 21, 2005 5:02 pm

Guest

In article <d489gh$9o5$1@X31.networkingunlimited.com>,
Vincent C Jones <vcjones@X31.networkingunlimited.com> wrote:

:Be wary of getting
:caught in the network management success trap. If you do too good a job,
:users (and their management) will never see all the problems you cured
:while still beneath their radar, and you'll be asked "Why spend all that
:money on network management when the network never fails?"

As Pooh would say, "Oh, Bother!".

I've been in that trap for years. People see the failures and not the
successes or the efforts; and they wonder what you -do-, since you
don't seem to be -producing- anything... and then they cut budgets.
Then when a disaster happens because you couldn't get the time or
money allocated to go redundant or build/buy the proper monitoring
and testing tools, it is due to "your Bad Planning". Sad

--
'ignorandus (Latin): "deserving not to be known"'
-- Journal of Self-Referentialism

Page 1 of 1

All times are GMT The time now is Thu Dec 03, 2009 6:03 am Computers Forum Index