Rant Wednesday! Networking
- Rant Wednesday!
- First job in a NOC
- How would you do routing/crypto to 100,000 WWAN spokes?
- Do most organizations have well-documented troubleshooting playbooks?
- Cisco dhcp on vlan issue
- 10G firewall for filter intervlan traffic
- Network Scans displaying IP addresses that do no exist
- Anybody using an ASA with FTD?
- Script for mass download of Packet Pushers Podcast?
- Cisco fpr appliances in asa mode any good?
- arp-on-stp
- Crimper tool? Cat6a
- Favorite centrally managed/single pane of glass networking?
- Looking for a ping tool
- Simple/free 802.1x solution?
- 10Gb over 62.5/125 OM1
- CISCO - how do jumbo frames work on point to point links? Fragmentation?
- Minimal Packet loss exist on Ping Plotter?
- Cisco Port-Security
- Juniper Config Recommendations - EX Series
- Cisco FireSIGHT 5.4 to 6.2.3 Upgrade
- Why isn't this VLAN interface being added to the routing tables on a Cisco 9300 stack?
Rant Wednesday! Posted: 23 Oct 2018 05:12 PM PDT
It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, the price of scotch, or anything else network related. There is no guiding question to help stir up some rage-feels; feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!
First job in a NOC Posted: 24 Oct 2018 04:05 AM PDT
Hi all, I've landed a job as an ops engineer in a NOC. This isn't my first role in IT, as I've done a couple of service desk jobs over the last few years. I'll be doing shift work as it's a massive company that needs things running 24/7; they've said there is lots of scope for moving up (I've spoken to people that work there and I believe this is accurate). Any advice for someone new to this line of work? I'm studying for CCNA R&S in my own time; is there anything else you would recommend? EDIT: Wow, I'm overwhelmed with the response, thanks so much everyone for all the advice! I'll give it all a good read when I get in from work!
How would you do routing/crypto to 100,000 WWAN spokes? Posted: 24 Oct 2018 12:29 PM PDT
Scenario: You want to design a central solution to connect 100,000 WWAN devices into something topologically resembling Dual Hub DMVPN.
I guess this could be done using BGP over IPsec+mGRE, but I guess the overhead alone would probably saturate the leased lines to the WISP. WWAN connections' nature to jump up and down every now and then, especially at scale, would probably make the hub routers sweat. What's a good solution here? Am I too stuck in my old DMVPN thinking, in that I might as well forgo mGRE completely and just go straight IPsec tunnels? Would I reach better scalability/price if I used a couple of separate IPsec concentrators instead of terminating IPsec on a router? Is a traditional routing protocol even needed? Could one perhaps do some magic with the RADIUS attribute Framed-Route? Should I just give up and start using NAT on all the spokes?
Do most organizations have well-documented troubleshooting playbooks? Posted: 24 Oct 2018 09:15 AM PDT
Asking this question to get a sense of what documentation everyone here has available when they run into an outage or slowness. Things that have worked in the past or new tech deployed by someone else might provide helpful clues. Do you have this info easily available?
Cisco dhcp on vlan issue Posted: 24 Oct 2018 10:19 AM PDT
Some months ago I set this up as a test for a client to use when ready. It worked when last tested. I went to hook up clients today and they do not receive DHCP on this wired VLAN. Wireless clients on the same VLAN work just fine. It's possible that the access switch that they are connected to might have had its config messed with by another person, but I can't confirm and I can't see what's wrong. I have a particular VLAN 30 that I set up with its own DHCP pool. The clients on this VLAN all connect via an access switch that has this VLAN configured on it. They receive DHCP from another switch that has the pool configured on it. This is the switchport config: This is the part of the config that might have been messed with, but I can't see what it's missing. The DHCP pool works, as wireless clients are using it on the same VLAN through a WLC 5520. If I set a static IP, the network operates correctly. Wireshark shows DHCP Discover broadcasts sent, but there is no reply. There is an ip helper-address set on the VLAN interface on the switch that runs the DHCP server. Can anyone see what I'm missing? Can share more config if someone wants. Everything is pretty standard. Thanks!
10G firewall for filter intervlan traffic Posted: 24 Oct 2018 01:40 PM PDT
Hi! We are looking for a redundant, feasible-cost firewall just to filter inter-VLAN routing traffic. I want to only allow some traffic from the user VLAN to some critical servers VLAN. Similarly, development users can reach all servers, whereas other normal users can only reach some specific subnet. We will not use this firewall as an edge firewall, as we already have a Fortigate 100E in place for that. Please guide in this scenario. Thanks
Network Scans displaying IP addresses that do not exist Posted: 24 Oct 2018 10:15 AM PDT
Using IP scanning software or monitoring tools (nmap, Angry IP Scanner, Darktrace, BeyondTrust, etc.) will display IP addresses that do not exist within the network. What is strange is that it displays all IP addresses in the range of the scan. For instance, if we scanned 172.16.1.1 - 172.16.1.254, it will display all active IPs from 1-254. Our network is sort of a hub and spoke network with SD-WAN (from VeloCloud) implemented at all of our locations. Our main headquarters houses all the servers, so the other remote sites will be coming through to our main site. Since our ISP (TPx) doesn't allow us to control what is on the SD-WAN, we have a Fortigate firewall installed behind the SD-WAN at our HQ. The other remote sites do not have a firewall in place, just SD-WAN. If we did a network scan from a remote location to another remote location, the scan works perfectly. However, the issue only arises when scanning is between HQ and a remote site (both HQ to remote and remote to HQ). Our Fortigate simply has an allow-all rule so that all other remote sites are allowed into the HQ network. There is no special configuration at the other remote SD-WAN sites, other than having a static route at the HQ site for our main IP address range (10.10.x.x) so that the other remote sites know how to communicate with our main site.
Anybody using an ASA with FTD? Posted: 24 Oct 2018 07:56 AM PDT
Decided to set up an ASA in this, and while the interface makes a ton more sense than the crazy ASDM/Firepower separation that it had before, I keep running into things that bewilder me. For instance, as far as I can tell, you can't make any config changes through the CLI; however, you can only make more CLI users and not any more GUI users. Then there's the spot where it came with 20 lines of AOL Instant Messenger objects that are freaking unremovable. They just sit there at the top of my objects list every time I click it, taunting me. Now I don't have it planned for an important connection, but is the FTD just too beta right now, or have people been using it successfully? The interface makes sense and functions great; I just keep running into things that make me feel like I'm testing pre-launch software.
Script for mass download of Packet Pushers Podcast? Posted: 24 Oct 2018 02:38 PM PDT
Hi all, I stopped listening to the PPP around episode 200. Now I see they are up to 400, and have spawned a whole bunch of other sub-topic podcasts. Does anyone have a script to do a mass download (preferably tagging with the release date)? If not, who's up for some collaboration to get this done? I recall hearing/reading that they weren't keen on people downloading and sharing, as it would affect their download numbers, which they use to find sponsors.
Cisco fpr appliances in asa mode any good? Posted: 24 Oct 2018 08:15 AM PDT
You don't have to look far to find all the FMC/Firepower horror stories. Is anyone running the FPR 2100s or 4100s in ASA mode? Any problems or painful experiences? I think you still have to manage the underlying FXOS, which can be an operational challenge, but aside from that I haven't heard much good or bad.
arp-on-stp Posted: 24 Oct 2018 10:14 AM PDT
Anyone using arp-on-stp for particular use cases in production? We have a number of RVIs that are OSPF enabled, which support next-hop reachability for iBGP sessions running on lo0. We are seeing some instances of iBGP flapping if we have an RSTP TCN. I believe it is due to all the MAC learning going on; the routing engines on the ToR switches end up losing the BGP keepalive packets from the upstream peer. I'm thinking I can use arp-on-stp to help minimize the impact of this. Although the documentation is pretty sparse - it says you must have RVIs to take advantage of this (which we do), but the docs are totally silent on whether we have to enable this feature on all physical interfaces that carry the VLANs where the RVIs live. I'd love to get rid of the RVIs and just have fixed layer 3 boundaries between ToR/Core, but we have a number of folks that need to span VLANs between switches, in a very heterogeneous environment (multi-tenant, some physical, variety of virtual). But alas, I can't figure out the config to make it work on the EX series switches we are running as ToR.
Crimper tool? Cat6a Posted: 24 Oct 2018 01:40 PM PDT
Hi, I'm looking for a good cable crimper tool. I have one but it sometimes strips too much, so it breaks my cable! What are you guys using? What are the better brands? Thanks
Favorite centrally managed/single pane of glass networking? Posted: 24 Oct 2018 01:32 PM PDT
Hi Network Gurus! Yes, Ubiquiti is on the list and is one of my favorite systems to work with, but we're not committed or required to use it. Nice-to-haves would be switch models that have 10gig uplinks for future-proofing in the core.
Looking for a ping tool Posted: 24 Oct 2018 09:42 AM PDT
I need this ping tool to run a constant ping, but only pop up when a ping *doesn't* work. Something I can run locally from a Windows command prompt maybe? So instead of:
    Reply from 10.0.0.1 : bytes=32 time=15ms TTL=127
    Reply from 10.0.0.1 : bytes=32 time=15ms TTL=127
    request timed out to 10.0.0.1 at Forsday 25:11:09oclock February 31st 2092
    Reply from 10.0.0.1 : bytes=32 time=15ms TTL=127
    Reply from 10.0.0.1 : bytes=32 time=15ms TTL=127
    request timed out to 10.0.0.1 at Forsday 25:11:12oclock February 31st 2092
I get:
    request timed out to 10.0.0.1 at Forsday 25:11:09oclock February 31st 2092
    request timed out to 10.0.0.1 at Forsday 25:11:12oclock February 31st 2092
Is this a thing, somewhere?
Simple/free 802.1x solution? Posted: 24 Oct 2018 12:38 PM PDT
I'm looking to find a simple 802.1x solution. The intent is to possibly replace (or augment) the need for Port Security, and for the client devices to authenticate with a RADIUS server before being given access to the network. What I'd like to avoid is some sort of big software suite that provides not just 802.1x but a bunch of other features that I won't use. My understanding is that Cisco ISE is more than just a simple 802.1x solution. I was also told once that 802.1x can reconfigure the VLAN that the port is a member of based on which devices (identified by MAC address?) get plugged into it. I'd like to know if this is true. For example, if some person decided to switch desks and they disconnect their PC and VoIP phone from their current port and move to a different location, and the guy plugs the VoIP phone into a port that would normally be defined on a different VLAN, 802.1x would authenticate the phone and then change the VLAN membership of the port to remain in the voice VLAN. Is that a typical feature of 802.1x? Is this something that FreeRADIUS can provide? I'm already using TACACS+ (free tac_plus solution) for AAA of network hardware (switches and routers), but it doesn't have any 802.1x capabilities. Thanks for any comments.
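As an added illustration (not part of the post above or of any reply to it): the dynamic VLAN behaviour asked about is done by the RADIUS server returning the RFC 3580 tunnel attributes in its Access-Accept, which the switch applies to the authenticated port regardless of the port's static VLAN. A FreeRADIUS `users`-file fragment of the following shape does this; the MAC address, usernames, passwords and VLAN IDs are constructed, and it assumes the switch performs MAC Authentication Bypass (MAB) for the phone, sending the MAC as both User-Name and password.

```text
# FreeRADIUS "users" file (raddb/mods-config/files/authorize) - constructed example.
#
# Desk phone authenticated by MAB. The User-Name format is switch-specific;
# Cisco sends the MAC as lower-case hex with no separators (assumption for this example).
# The three Tunnel-* reply items are the RFC 3580 attributes that move the port
# into VLAN 30 no matter which VLAN the port was statically configured for.
0011223344aa    Cleartext-Password := "0011223344aa"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "30",
        Reply-Message = "phone -> VLAN 30"

# Workstation with a real 802.1X supplicant (EAP): placed in the data VLAN 20.
# Note: on Cisco switches a phone is usually steered to the port's *voice* VLAN with
# the vendor attribute Cisco-AVPair = "device-traffic-class=voice" rather than a
# data-VLAN assignment; check the switch documentation for its expected attributes.
alice           Cleartext-Password := "example-only-password"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20"

# Anything not listed above is rejected; the switch then keeps the port closed or
# drops it into whatever guest / auth-fail VLAN it is configured with.
DEFAULT         Auth-Type := Reject
        Reply-Message = "unknown device"
```

The data VLAN assignment is the vendor-neutral part; whether a moved phone lands in the voice VLAN depends on the switch honouring the vendor attribute noted in the comments.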
10Gb over 62.5/125 OM1 Posted: 24 Oct 2018 11:24 AM PDT
Looks like I can get 10Gb over OM1 (62.5) up to 220m, using 1310nm optics and mode-conditioning patch cables [source]. Does this BoM look correct?
Anything else I should consider, other than SMF on refresh?
CISCO - how do jumbo frames work on point to point links? Fragmentation? Posted: 24 Oct 2018 07:21 AM PDT
Quick question for you all, I'm wondering how to properly implement Jumbo on my network. My team is looking to start off by implementing Jumbo frames on our Cisco L3 switches from our access layer to our distribution/core layers on point-to-point links. My question is: Say I have 5 x L3 VLANs (with respective L2 VLAN mapping) where all switch ports are configured for the standard 1500 MTU. I then configure another SVI point-to-point link to my distribution layer, both sides configured for JUMBO MTU (let's say 9000). Would fragmentation not occur from the distribution layer to the access layer during the conversion from Jumbo MTU to standard 1500 to reach my access VLANs? If not, how exactly do the switches perform this? By doing this, am I just increasing CPU use due to fragmentation with no real traffic optimization benefit? Thanks
Minimal Packet loss exist on Ping Plotter? Posted: 24 Oct 2018 10:21 AM PDT
Hi, here's the story. The customer is always raising this packet loss issue using their Ping Plotter, and upon checking they do have packet loss, but it's only "0.3%". I have provided the necessary details from the switch interfaces etc. What would be the cause of this 0.3% loss? Is it because of the hardware that Ping Plotter was installed on? Upon looking up their MACs, it seems the source is HP and the destination is VMware. Any technical explanation? Though I'm still searching for how to answer this, maybe someone here has encountered this? Thanks
Cisco Port-Security Posted: 24 Oct 2018 09:17 AM PDT
I have Cisco port-security enabled (MAC address sticky). An unauthorized device shut down the port, and further investigation revealed a MAC address 0000.3600.10ab, which comes up as an Atari device. Obviously the user in question says nothing was plugged into his workstation or jack. MAC address spoofing is in the back of my head, but does anyone know what type of Atari mobile-type console I should keep an eye out for in the office area? This has happened twice in the past two weeks.
Juniper Config Recommendations - EX Series Posted: 24 Oct 2018 06:28 AM PDT
Hi Everyone, I am stepping over from the Cisco world to the EX series. While I am reading up on them, I was wondering if anyone has tips or go-to configs for their setups, especially for the access layer / device side ports. My setup would be:
Some things I found that were quite interesting are:
Any points or tips would be appreciated. Thank you!
Cisco FireSIGHT 5.4 to 6.2.3 Upgrade Posted: 23 Oct 2018 08:16 PM PDT
I'm looking to get some help on upgrading our FireSIGHT and FirePOWER devices from 5.4 to 6.2.3. Here's my current state:
    FireSIGHT VM: 5.4.1.11
    3D7030: 5.4.0.10
    2x ASA5516-X with FirePOWER: 5.4.1.10
I've heard the horror stories about upgrades. I inherited these devices when they were at 5.3, so I've done my share of upgrades and seen the failures. I attempted the 6.0 upgrade on FMC and it failed horribly (thank you, VM snapshot). So I'd like to build a new FMC at either 6.1 or 6.2. My question is, how do I import all my configs and licenses into the new FMC? Can I just take a backup on 5.4.1.11 and import it straight into 6.1 or 6.2? And my next question: how do I manage the sensor upgrades? Because 6.2 can't manage 5.4 devices. So should I go to FMC 6.1, import my sensors and then re-image them? Or go straight to 6.2.3, re-image my sensors and then add the sensors to FMC? I've done some Googling and read the Cisco forums, but I can't find a straight answer for this scenario. I'm sure I'm not the first person to go through this. Everyone just says build a new FMC and re-image the sensors, but I can't find these specific steps. Anyone else go through this FirePOWER nonsense!? And I guess, what version should I land on? I just saw the post that said 6.2.3.6 is buggy. Cisco recommends 6.2.3.5. Or should I stay on 6.2.3?
Why isn't this VLAN interface being added to the routing tables on a Cisco 9300 stack? Posted: 23 Oct 2018 06:03 PM PDT
I've configured VLAN 100 on my soon-to-be core 9300 stack for a routed transit network to my edge firewalls. It's configured similarly to all of the access VLANs on the stack: However, the network isn't showing up in the routing table, and even though the command "ip default-network 10.1.100.102" is in the running-config, it's still not showing up in the routing table as having a gateway of last resort: Why isn't that network for VLAN 100 showing up in the routing table, and why isn't it taking the default-network command?