Rant Wednesday! Networking
- Rant Wednesday!
- Is cisco best in enterprise class on anything?
- Experiences with Arista
- routing traffic between 2 physical LAN's each with their own internet connection
- Issue with Cisco DMVPN with Eigrp flapping.
- Ubiquiti's 2nd Gen Switches released
- Best online site to build/order custom fiber cables?
- Transit gateway routing
- Is there a tool to test/pair RJ-45 jacks?
- Huawei Wireless LAN - anyone?
- How is ArubaOS-CX?
- Site to Site VPN solution for SO-HO?
- Cat6 cable color code issue
- iperf test shows large number of TCP: duplicate ACK / retransmission & out-of-order
- Removing VLANS
- 40Gbps fiber: LC or MPO?
- Noob Question, knock once fail, knock twice door opens?
- Could you use BGP internally to allow for a more controllable scale when you find the need to use Totally Stubby Not So Stubby Areas?
- Cisco ASA - capture directly to wireshark instead of buffer?
- Open source netflow GENERATOR/Collector?
- Cisco Nexus 9300 TCAM carving
- Appflow Collection with ntop/nprobe
- Huawei - VxLan and Vlan configuration advices
- website redirect not loading behind a sonicwall
- Wireshark with aws/azure/gcp
Rant Wednesday! Posted: 29 Oct 2019 05:04 PM PDT It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, the price of scotch or anything else network related. There is no guiding question to help stir up some rage-feels; feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!
Is cisco best in enterprise class on anything? Posted: 30 Oct 2019 11:00 AM PDT First, full disclosure: working on Cisco networks has paid my bills since the mid-'90s. I am a Cisco guy. However, there has been a shift over the last few years, and in that shift I have had to learn a lot of other vendors. Here I am now, asking: for the licensing BS, poor code QA, questionable integration of the product lineup... is it even worth it anymore? For switching, Aruba and Arista eat their lunch depending on use case. For wireless, Aruba controllers with ClearPass, easy. For firewalls, wow... Palo, Fortinet and several others easily outpace them. In the datacenter, I like Arista. At the SD-WAN edge, I like Versa, or for simple SD-WAN, I like Fortinet. ISRs - come on, a 10k plus router with rate-limited throughput requiring more licensing to go above 300 Mb, 500 Mb. Get out of here with that. We are at the point where home residential service often exceeds 500 Mb, and ISP-provided or prosumer routers can move it for next to nothing. It's ridiculous to me. Here in late 2019, I do not see a single product line where I can say I think Cisco is the best in class in that niche. Am I missing something? What's the value proposition now?
Experiences with Arista Posted: 30 Oct 2019 09:50 AM PDT Anyone have any experiences, positive or negative, implementing Arista switches they can share? We are looking at possibly implementing some 7160s in a leaf/spine fashion to replace an aging Juniper stack. Looking for input such as how is the tech support, how is their OS, any major gotchas, would you do it again, etc.
routing traffic between 2 physical LAN's each with their own internet connection Posted: 30 Oct 2019 09:22 AM PDT Hey there, hoping someone might be able to give me a hand with this. I have 2 physical LANs here with 2 different internet companies in one physical location. I have set one network to a 172.16.0.0/12 network and I have the other set to a 192.168.0.0/16 network. What I want is to be able to port forward to get traffic from outside LAN#1 and have the port-forwarded traffic route to a machine running on LAN#2. I have built a quick OPNsense router with a 10GbE NIC because I assumed I could create a static route and have the OPNsense router connect its WAN with LAN#1 and connect its LAN interface with that of LAN#2 to bridge the 2 networks and route the traffic. However, I must be doing something wrong because I just can't seem to get it to work. If someone could help me through this I would be eternally grateful. It is extremely important that I get this running. Just for anyone who wants to know why I am doing this: I have to route a lot of data into this machine on LAN#2 and I can't afford to bog down the internet connection on this network, and I also am unable to move this machine completely over to the other LAN as it has duties to perform on this network.
Issue with Cisco DMVPN with Eigrp flapping. Posted: 30 Oct 2019 01:35 PM PDT I recently moved datacenters and moved from a DMVPN setup running on old gear to a newer setup running DMVPN Phase 2 on an ISR4431 for the hub, and I currently have one spoke up on a CP-941. I upgraded the 4431 to isr4400-universalk9.16.09.04.SPA.bin but that has not resolved the issue. The errors I see on the 4431 console are:

Dual-5-NBRCHANGE: EIGRP-IPv4 2: Neighbor (Tunnel1) is down holding time expired
Dual-5-NBRCHANGE: EIGRP-IPv4 2: Neighbor (Tunnel1) is down Interface PEER-TERMINATION received

and a few of these, but not every time the tunnel bounces:

Crypto-4-RECVD_PKT_INV_SPI: decapsP: rec'd IPSEC packet has invalid spi for destaddr

I have done research but have been unable to find anything for this specific issue. Any pointers would be appreciated. ***I forgot to mention this only happens about once a day****

Hub Config: (Tunnel 4/VRF2 is the only one in use right now)

hostname ISR4400
!
boot-start-marker
boot system flash bootflash:isr4400-universalk9.16.09.04.SPA.bin
boot system flash bootflash:isr4400-universalk9.16.07.01.SPA.bin
boot-end-marker
!
ip vrf VRF2
 rd 100:118
!
ip vrf VRF3
 rd 100:135
!
ip vrf VRF1
 rd 100:5
!
ip vrf VRF4
 rd 100:112
!
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key ****** address 0.0.0.0
crypto isakmp nat keepalive 20
!
crypto ipsec transform-set dmvpnset esp-aes 256 esp-sha384-hmac
 mode transport
!
crypto ipsec profile CRYPTODMVPN
 set transform-set dmvpnset
!
interface Loopback1
 ip vrf forwarding VRF1
 ip address 172.16.255.1 255.255.255.255
!
interface Tunnel1
 description VRF1
 ip vrf forwarding VRF1
 ip address 172.16.254.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication dmvpn
 ip nhrp network-id 5
 ip nhrp redirect
 ip summary-address eigrp 2 10.6.0.0 255.255.0.0
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/1
 tunnel mode gre multipoint
 tunnel key 5
 tunnel protection ipsec profile CRYPTODMVPN shared
!
interface Tunnel4
 description VRF2
 ip vrf forwarding VRF2
 ip flow monitor flow1 input
 ip flow monitor flow1 output
 ip address 172.16.253.33 255.255.255.240
 no ip redirects
 ip mtu 1400
 ip nhrp authentication dmvpn
 ip nhrp network-id 118
 ip nhrp redirect
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source GigabitEthernet0/0/1
 tunnel mode gre multipoint
 tunnel key 118
 tunnel protection ipsec profile CRYPTODMVPN shared
!
interface GigabitEthernet0/0/1
 description DMZ
 ip flow monitor flow1 input
 ip flow monitor flow1 output
 ip address X.X.X.X 255.255.255.224
 negotiation auto
!
interface GigabitEthernet0/0/3
 ip address 172.16.10.40 255.255.255.0
 negotiation auto
!
interface GigabitEthernet0/0/3.5
 encapsulation dot1Q 5
 ip vrf forwarding VRF1
 ip flow monitor flow1 input
 ip flow monitor flow1 output
 ip address 172.16.20.40 255.255.255.0
!
interface GigabitEthernet0/0/3.118
 description VRF2
 encapsulation dot1Q 118
 ip vrf forwarding VRF2
 ip flow monitor flow1 input
 ip flow monitor flow1 output
 ip address 10.118.1.254 255.255.255.0
!
router eigrp 2
 !
 address-family ipv4 vrf VRF1 autonomous-system 2
  network 10.0.0.0
  network 172.16.20.0 0.0.0.255
  network 172.16.254.0 0.0.0.255
  passive-interface default
  no passive-interface Tunnel1
  no passive-interface GigabitEthernet0/0/3.5
 exit-address-family
 !
 address-family ipv4 vrf VRF4 autonomous-system 2
  network 10.112.1.0 0.0.0.255
  network 172.16.253.16 0.0.0.15
 exit-address-family
 !
 address-family ipv4 vrf VRF2 autonomous-system 2
  network 10.118.1.0 0.0.0.255
  network 172.16.253.32 0.0.0.15
 exit-address-family
!
router eigrp 1
 network 172.16.10.0 0.0.0.255
!
ip default-gateway 172.16.10.1
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 172.16.255.1 255.255.255.255 Loopback1
ip route vrf VRF2 0.0.0.0 0.0.0.0 10.118.1.1
ip route vrf VRF3 0.0.0.0 0.0.0.0 10.135.1.1
ip route vrf VRF1 0.0.0.0 0.0.0.0 172.16.20.1
ip route vrf VRF4 0.0.0.0 0.0.0.0 10.112.1.1

------------------------------------------------------------------------------------------------------------------------------------------------------

Spoke:

crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key ******** address 0.0.0.0
crypto isakmp nat keepalive 20
!
crypto ipsec transform-set dmvpnset esp-aes 256 esp-sha384-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set dmvpnset
!
interface Tunnel1
 bandwidth 100000
 ip address 172.16.253.34 255.255.255.240
 no ip redirects
 ip mtu 1400
 ip nhrp authentication dmvpn
 ip nhrp map multicast x.x.x.x
 ip nhrp map 172.16.253.33 x.x.x.x
 ip nhrp network-id 118
 ip nhrp holdtime 300
 ip nhrp nhs 172.16.253.33
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source GigabitEthernet5
 tunnel mode gre multipoint
 tunnel key 118
 tunnel protection ipsec profile DMVPN
!
interface GigabitEthernet4
 ip address 192.168.10.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
!
interface GigabitEthernet5
 ip address x.x.x.x 255.255.255.248
!
router eigrp 2
 network 10.0.0.0
 network 10.105.50.80 0.0.0.15
 network 172.16.253.32 0.0.0.15
 network 192.168.10.0
 redistribute static route-map static_to_eigrp
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 10.105.50.80 255.255.255.240 192.168.10.1
ip route 10.118.20.0 255.255.255.0 192.168.10.1
ip route x.x.x.x 255.255.255.255 192.168.10.1
ip route x.x.x.x 255.255.255.255 192.168.10.1
ip route x.x.x.x 255.255.255.255 192.168.10.1
!
ip prefix-list STATIC seq 5 permit 10.105.50.80/28
ip prefix-list STATIC seq 6 permit x.x.x.x/32
ip prefix-list STATIC seq 7 permit x.x.x.x/32
ip prefix-list STATIC seq 8 permit 10.118.20.0/24
ip prefix-list STATIC seq 9 permit x.x.x.x/32
!
route-map static_to_eigrp permit 10
 match ip address prefix-list static
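As an added example, not from the post or from Cisco: a Python script that correlates the two syslog message types the post quotes. For a hub that bounces about once a day, the two things worth knowing before opening a case are whether invalid-SPI drops land in the minute before each neighbor loss, and how regular the interval between losses is (a near-exact 24 h points at a timer such as a rekey or a reload rather than random packet loss). The log lines are constructed with documentation addresses and the spoke's posted tunnel address; the message texts follow the IOS formats as far as the post shows them, with the neighbor address and ":" restored. The year is assumed to be 2019, because IOS timestamps do not carry one.

```python
"""Correlate IOS syslog from a DMVPN hub: pair each EIGRP neighbor-down with
the 'is up' that follows it and with invalid-SPI drops logged just before it."""
import re
from datetime import datetime, timedelta

TS = r"\*?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\.\d+: "
NBR = re.compile(TS + r"%DUAL-5-NBRCHANGE: EIGRP-IPv4 (?P<asn>\d+): Neighbor (?P<nbr>\S+) "
                 r"\((?P<ifc>\S+)\) is (?P<state>up|down):? ?(?P<why>.*)")
SPI = re.compile(TS + r"%CRYPTO-4-RECVD_PKT_INV_SPI: .*destaddr=(?P<dst>[\d.]+), prot=(?P<prot>\d+), "
                 r"spi=(?P<spi>0x[0-9A-Fa-f]+).*srcaddr=(?P<src>[\d.]+)")


def parse_ts(s, year):
    # IOS timestamps carry no year; the caller supplies it (no rollover handling)
    return datetime.strptime(f"{year} {s}", "%Y %b %d %H:%M:%S")


def parse(lines, year):
    """Turn matching syslog lines into event dicts, sorted by time."""
    events = []
    for line in lines:
        m = NBR.match(line)
        if m:
            events.append({"t": parse_ts(m["ts"], year), "kind": "eigrp",
                           **{k: m[k] for k in ("nbr", "ifc", "state", "why")}})
            continue
        m = SPI.match(line)
        if m:
            events.append({"t": parse_ts(m["ts"], year), "kind": "inv_spi",
                           **{k: m[k] for k in ("src", "dst", "spi")}})
    events.sort(key=lambda e: e["t"])
    return events


def correlate(lines, window_s=60, year=2019):
    """One dict per neighbor-down: outage length and the invalid-SPI drops seen
    in the window_s seconds before it."""
    events = parse(lines, year)
    outages = []
    for i, e in enumerate(events):
        if e["kind"] != "eigrp" or e["state"] != "down":
            continue
        up = next((x for x in events[i + 1:] if x["kind"] == "eigrp"
                   and x["nbr"] == e["nbr"] and x["state"] == "up"), None)
        lo = e["t"] - timedelta(seconds=window_s)
        spis = [x for x in events[:i] if x["kind"] == "inv_spi" and lo <= x["t"] <= e["t"]]
        outages.append({"neighbor": e["nbr"], "interface": e["ifc"], "reason": e["why"],
                        "down_at": e["t"],
                        "outage_s": (up["t"] - e["t"]).total_seconds() if up else None,
                        "inv_spi_before": [(x["src"], x["spi"]) for x in spis]})
    return outages


def intervals_hours(outages):
    """Hours between consecutive neighbor-downs; a repeating ~24.0 points at a daily timer."""
    ts = [o["down_at"] for o in outages]
    return [round((b - a).total_seconds() / 3600, 2) for a, b in zip(ts, ts[1:])]


# Constructed hub log: documentation addresses, spoke tunnel address from the post
SAMPLE_LOG = """\
*Oct 30 03:12:41.210: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=50, spi=0x8A3F2C11(2319236113), srcaddr=198.51.100.21, input interface=GigabitEthernet0/0/1
*Oct 30 03:12:55.004: %DUAL-5-NBRCHANGE: EIGRP-IPv4 2: Neighbor 172.16.253.34 (Tunnel4) is down: holding time expired
*Oct 30 03:13:09.881: %DUAL-5-NBRCHANGE: EIGRP-IPv4 2: Neighbor 172.16.253.34 (Tunnel4) is up: new adjacency
*Oct 30 11:40:02.117: %SYS-5-CONFIG_I: Configured from console by admin on vty0
*Oct 31 03:11:58.640: %DUAL-5-NBRCHANGE: EIGRP-IPv4 2: Neighbor 172.16.253.34 (Tunnel4) is down: Interface PEER-TERMINATION received
*Oct 31 03:12:20.331: %DUAL-5-NBRCHANGE: EIGRP-IPv4 2: Neighbor 172.16.253.34 (Tunnel4) is up: new adjacency
"""

if __name__ == "__main__":
    found = correlate(SAMPLE_LOG.splitlines())
    for o in found:
        print(o)
    print("hours between downs:", intervals_hours(found))
```

Feed it `show logging` output (or the syslog server's file for the hub) and widen `window_s` if the INV_SPI messages are rate-limited on the box; an outage whose `inv_spi_before` list is empty and whose reason is PEER-TERMINATION is a different story from one preceded by a burst of invalid SPIs.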
Ubiquiti's 2nd Gen Switches released Posted: 29 Oct 2019 06:48 PM PDT The 2nd generation UniFi switches are out of hardware beta. New features include quieter cooling, 4 x SFP+ ports on the 48 model, and redundant power supplies with an extra 1U device (ew...). Nice update, but one of the top comments says it well I think.
Best online site to build/order custom fiber cables? Posted: 30 Oct 2019 11:56 AM PDT Having a hard time finding a company I feel comfortable going with. This is a large order, approx. 500 cables... Not sure of the deadline needed at this time. Anyone have any experience/suggestions?
Transit gateway routing Posted: 30 Oct 2019 09:27 AM PDT See Image. EDIT: I figured out what the issue was. The security group of the ENI was different from the main one. Fixed that and now everything is working as expected. I have a test environment in AWS set up like the image in the link above. The issue is I can't ping or SSH the Linux instance. I have disabled the source/destination check on the ENI of the Linux EC2 but with no luck. From my FortiGate firewall, I can see that traffic is going out through the VPN to the transit gateway but nothing is coming back. I have set up a routing table and associated it with the remote site VPN and AWS VPC attachments. I have put in the routes as seen in the pic above but am still having issues. What do you think is wrong?
Is there a tool to test/pair RJ-45 jacks? Posted: 30 Oct 2019 10:05 AM PDT The last person to configure the switch at my job did a horrible job and kind of mismatched all of the ports to the patch panel, so now I don't know which switchport to activate when turning on RJ-45 jacks in our cubicles. Is there a tool where I can, say, plug a tool into the port on the wall, and then go to our server room and test each port for, like, a beep or some signal that will say "This is the correct port you have matched with"? Thanks in advance.
Huawei Wireless LAN - anyone? Posted: 30 Oct 2019 03:46 PM PDT Hello, we're looking for new access points and started buying Aruba AP-535/AP-555 devices running in IAP mode and set them up in areas with high density. Well, we want something else and we have been proposed AP6050DN and AP7050DN from Huawei running in FAT mode. Well, Huawei's pricing is better than Aruba's. We get 6X% off price list for Aruba and a 7X% discount from Huawei. Is anyone here actually using current Huawei access points and can tell about his/her experience with the wireless devices themselves or Huawei's support? Are they ok or rubbish?
How is ArubaOS-CX? Posted: 30 Oct 2019 03:45 PM PDT Right now we have a bunch of Aruba 5406s/5412s that we are looking to upgrade eventually. We are very intrigued with Aruba's new CX-6400/6300 line of switches and are wondering what people's experience with ArubaOS-CX is. I haven't heard much about it, except some people seem to love it and some say it's not ready for prime time.
Site to Site VPN solution for SO-HO? Posted: 30 Oct 2019 03:12 AM PDT Hi guys, network engineer here who deals with a large enterprise-grade network, working with Cisco, Juniper, F5, Palo Alto etc. My friend has approached me about setting up site-to-site connectivity for his manufacturing business. They currently have 2 sites, a main design office and a manufacturing plant (no more than 10 users in the business at the moment). Their requirement is to have the manufacturing team able to pull designs down from the head office and print from one office to the next (essentially have the two sites able to share resources). Both sites have a 50 Mb internet connection, currently FTTC (UK). I don't really get involved with the small business side of things, so I am not sure what is available in the marketplace outside of the big players. I was initially thinking something like a couple of ISR900s and setting up a DMVPN, as this will allow them to scale out in the future. Is this overkill? Are there any one-box wonders that I should be looking at? I know Cisco used to do the ASA5505 but this has gone EOL/EOS I believe, and the 5506-X looks like it doesn't support L2 switching (one of the sites just has 2 people so I'd rather not buy a separate switch if I can help it). Any ideas? :) Thanks
Cat6 cable color code issue Posted: 30 Oct 2019 02:33 PM PDT I just learned about cable color coding. There are the T-568A and T-568B color standards, but my FTP Cat6 cable (which works fine) has a different color arrangement. Mine is: White orange > Orange > White blue > Blue > White green > Green > White brown > Brown. Is it better if I rearrange them, or does it make no difference?
iperf test shows large number of TCP: duplicate ACK / retransmission & out-of-order Posted: 30 Oct 2019 04:43 AM PDT I carried out a network throughput test using iperf and captured packets at both ends. I see almost 10% of packets highlighted in tcp.analysis.flags with the following characteristic: "TCP duplicate ack" followed by "TCP fast retransmission / TCP retransmission" & "TCP out-of-order" occurs every second, with rare occurrences of TCP ack for unseen segment. Here is a screenshot using the filter on the receiver side (filter: tcp.analysis.flags): https://i.stack.imgur.com/bNSbD.png Here is the capture from the sender side: https://i.stack.imgur.com/spbqg.png I have used iperf to send data in TCP mode for a period of 500 seconds using IPv4 only. The only capture filter was "host" followed by the IP (sender or receiver). I also observed that the major errors (duplicate ack/retransmission) occur every 3.5 seconds, while a few sets of errors occur every second. Concluding from the high number of duplicate ACKs, I feel there is definite packet drop? Am I correct, or am I missing anything? Here is Statistics > TCP Stream Graphs (tcptrace) from Wireshark, sender (client) side (client to server view): https://i.stack.imgur.com/2iYiF.png Finally the throughput graph: https://i.stack.imgur.com/sD3gA.png Thank you in advance.
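The distinction the post is after (did the network drop segments, or merely reorder them) comes down to how Wireshark assigns those flags, so here is an added example, not part of the post, that reimplements the relevant tcp.analysis heuristics in simplified form and runs them over a constructed iperf-style exchange. A segment whose sequence number sits below the highest byte already sent is a fast retransmission if the receiver has sent three duplicate ACKs for exactly that byte, an RTO retransmission if it shows up much later with no dup ACKs, and out-of-order if it arrives within a few milliseconds of its neighbour (the ~3 ms window is Wireshark's threshold); an ACK above anything the capture saw leave the sender is "ack for unseen segment", which usually means the capture point, not the network, missed packets. Endpoints, MSS and timings are constructed.

```python
"""Classify TCP segments the way Wireshark's tcp.analysis.flags does, with
simplified heuristics, to tell packet loss from reordering in an iperf capture."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    t: float       # capture timestamp, seconds
    src: str       # sending endpoint
    dst: str       # receiving endpoint
    seq: int       # relative sequence number
    ack: int       # relative acknowledgement number
    length: int    # payload bytes
    win: int = 65535
    flags: str = "A"   # only 'S' and 'F' matter for the dup-ACK rule


OOO_WINDOW = 0.003   # Wireshark calls a late segment arriving within ~3 ms "out-of-order"


def analyze(segments, ooo_window=OOO_WINDOW):
    """Return (index, label) for every flagged segment, in capture order."""
    nextseq, last_ack, last_win, last_t = {}, {}, {}, {}
    dupacks = Counter()   # (direction, ack number) -> consecutive duplicate ACKs
    flagged = []
    for i, s in enumerate(segments):
        d, rev = (s.src, s.dst), (s.dst, s.src)
        if s.length == 0 and "S" not in s.flags and "F" not in s.flags:
            # Pure ACK repeating the previous ACK number with the same window:
            # the receiver is asking again for the same byte.
            if last_ack.get(d) == s.ack and last_win.get(d) == s.win:
                dupacks[(d, s.ack)] += 1
                flagged.append((i, f"dup_ack#{dupacks[(d, s.ack)]}"))
            else:
                dupacks[(d, s.ack)] = 0
        elif d in nextseq and s.seq < nextseq[d]:
            # Payload below the highest byte already sent in this direction.
            if dupacks[(rev, s.seq)] >= 3:
                flagged.append((i, "fast_retransmission"))   # loss, repaired after 3 dup ACKs
            elif s.t - last_t[d] < ooo_window:
                flagged.append((i, "out_of_order"))          # reordered in transit, not re-sent
            else:
                flagged.append((i, "retransmission"))        # loss, repaired by RTO
        if s.ack > nextseq.get(rev, s.ack):
            # Receiver acknowledges bytes this capture never saw leave the sender:
            # segments missing from the capture, not a network loss.
            flagged.append((i, "ack_unseen_segment"))
        nextseq[d] = max(nextseq.get(d, 0), s.seq + s.length)
        last_ack[d], last_win[d], last_t[d] = s.ack, s.win, s.t
    return flagged


def summarize(segments):
    """Count each flag type; the mix says whether the path drops or reorders."""
    counts = Counter(label.split("#")[0] for _, label in analyze(segments))
    lost = counts["fast_retransmission"] + counts["retransmission"]
    data = sum(1 for s in segments if s.length)
    return {"counts": dict(counts), "loss_ratio": lost / data if data else 0.0}


# Constructed capture: iperf client C sending to server S, MSS 1000, relative seq/ack.
C, S = "10.0.0.1:49152", "10.0.0.2:5201"
SAMPLE = [
    Segment(0.000, C, S, 1, 1, 1000),
    Segment(0.001, C, S, 1001, 1, 1000),
    Segment(0.002, C, S, 3001, 1, 1000),     # segment 2001 dropped by the network
    Segment(0.003, S, C, 1, 2001, 0),
    Segment(0.004, C, S, 4001, 1, 1000),
    Segment(0.005, S, C, 1, 2001, 0),        # dup ACK 1
    Segment(0.006, C, S, 5001, 1, 1000),
    Segment(0.007, S, C, 1, 2001, 0),        # dup ACK 2
    Segment(0.008, S, C, 1, 2001, 0),        # dup ACK 3 triggers fast retransmit
    Segment(0.009, C, S, 2001, 1, 1000),     # fast retransmission
    Segment(0.010, S, C, 1, 6001, 0),
    Segment(0.020, C, S, 7001, 1, 1000),     # overtook 6001 on the path
    Segment(0.0205, C, S, 6001, 1, 1000),    # out-of-order: 0.5 ms late, never re-sent
    Segment(0.030, S, C, 1, 8001, 0),
    Segment(0.040, C, S, 8001, 1, 1000),
    Segment(0.300, C, S, 8001, 1, 1000),     # RTO retransmission, no dup ACKs before it
    Segment(0.301, S, C, 1, 9001, 0),
    Segment(0.302, S, C, 1, 12000, 0),       # ACK for bytes the capture never saw
]

if __name__ == "__main__":
    for i, label in analyze(SAMPLE):
        print(f"#{i:2d} {label}")
    print(summarize(SAMPLE))
```

Loaded from a real capture (for example via tshark's field export), the ratio of fast/RTO retransmissions to data segments is the loss figure to quote; out-of-order flags without dup-ACK triplets behind them point at reordering (ECMP, a bonded link) rather than drops, and a steady stream of "ack for unseen segment" means the capture machine itself is missing packets and the numbers are not trustworthy.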
Removing VLANS Posted: 30 Oct 2019 02:10 PM PDT I am considering removing VLANs from my network, because I have so many. I have changed some of my SSIDs so they are not on a VLAN. So can I just delete the IP range associated with the VLAN from my DHCP scope? Or do I need to delete it from the core switch? And what will happen to the ports that are tagged to that VLAN, if there are any? And what other possible consequences can there be from deleting the VLANs?
40Gbps fiber: LC or MPO? Posted: 30 Oct 2019 01:16 PM PDT Trying to connect two switch racks that are about 150 ft apart. Both ends have 40G QSFP+ ports. I've never used fiber before (just pre-terminated DACs) and am having trouble figuring out what kind to use. It seems like LC and MPO/MTO are both available and there is not a huge price difference. Any reason to pick one over the other? Future use, industry standard, reliability, etc.?
Noob Question, knock once fail, knock twice door opens? Posted: 30 Oct 2019 12:50 PM PDT Hi Reddit, this is totally a noob question; networking is not my first language, so apologies in advance if I am asking this wrong or without the needed details. I am digging around on the internet for similar insight; it is hard to explain, but I will try.... Site A wants to open a path to Site B, a simple Run box path to \\server\. The first attempt will always fail: "Windows cannot access \\server\" Network Error. The second attempt will always work and open the path which failed on the first attempt. Knock once, no answer; knock twice, Bob's your uncle, and it allows entrance. I am seeing this same behavior between multiple applications: first attempt fails, 2nd attempt works no problem. With this common behavior seen between multiple applications, it gets me thinking: what could cause this behavior? Any particular syntax I could use for keyword searches in my research? I would think if it were a firewall block it would be a hard block, not letting it through on the 2nd attempt. QoS, could this drop the first attempt? Saturation on network appliances, could this cause it? Just trying to get a start on possible areas to investigate further. Appreciate any feedback I can get. Thank you,
Could you use BGP internally to allow for a more controllable scale when you find the need to use Totally Stubby Not So Stubby Areas? Posted: 30 Oct 2019 11:48 AM PDT My professor hardline says "BGP is for use in the internet", but using an NSSA-TSA seems like an annoying level of granularity; maybe it's just the name though.
Cisco ASA - capture directly to wireshark instead of buffer? Posted: 30 Oct 2019 11:45 AM PDT Is there a way to bypass the buffer limitation on the ASA and direct the cap/capture to a Wireshark host? Thank you in advance.
Open source netflow GENERATOR/Collector? Posted: 30 Oct 2019 11:44 AM PDT Hey all, due to some limitations, I need to open up a SPAN port and send the raw data to a NetFlow generator, then a collector. I see some paid programs (LANGuardian) but is there anything open source? Everything open source is simply a collector of NetFlow, and will not work!
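To make the generator/collector split concrete, here is an added example (not from the post, and not the code of any of the tools mentioned) that does both halves in Python: it aggregates packets as a SPAN-port sniffer would hand them over into flows keyed on the 5-tuple plus ToS, expires them on the usual active/inactive timeouts, packs them into NetFlow v5 export datagrams in the Cisco wire layout (24-byte header, 48-byte records, at most 30 per datagram), and decodes them again the way a collector does. The packets, timestamps and addresses are constructed; the collector address in `send()` is an assumption, and `send()` is only called from `__main__`.

```python
"""NetFlow v5 generator and collector side by side: aggregate packets seen on a
SPAN port into flows, export them as v5 datagrams, then decode them again."""
import socket
import struct
from collections import OrderedDict

# Cisco NetFlow v5 wire layout (network byte order, no padding)
V5_HEADER = "!HHIIIIBBH"   # version,count,sysuptime_ms,unix_secs,unix_nsecs,flow_seq,engine_type,engine_id,sampling
V5_RECORD = "!4s4s4sHHIIIIHHBBBBHHBBH"   # src,dst,nexthop,in_if,out_if,pkts,bytes,first,last,sport,dport,pad,tcp_flags,proto,tos,src_as,dst_as,src_mask,dst_mask,pad
HEADER_LEN, RECORD_LEN = struct.calcsize(V5_HEADER), struct.calcsize(V5_RECORD)   # 24, 48
MAX_RECORDS = 30          # a v5 datagram carries at most 30 records
ACTIVE_TIMEOUT = 60.0     # cut long-lived flows after this many seconds
INACTIVE_TIMEOUT = 15.0   # export a flow after this much silence


class FlowCache:
    """Flow key is the 5-tuple plus ToS, exactly what a v5 record can carry."""

    def __init__(self):
        self.flows = OrderedDict()

    def add(self, ts, src, dst, proto, sport, dport, nbytes, tcp_flags=0, tos=0):
        key = (src, dst, proto, sport, dport, tos)
        f = self.flows.get(key)
        if f is None:
            f = self.flows[key] = {"pkts": 0, "bytes": 0, "first": ts, "last": ts, "flags": 0}
        f["pkts"] += 1
        f["bytes"] += nbytes
        f["last"] = ts
        f["flags"] |= tcp_flags     # v5 ORs the TCP flags over the flow's life

    def expire(self, now, force=False):
        """Pop and return every flow that hit a timeout (all of them if force)."""
        done = []
        for key, f in list(self.flows.items()):
            if force or now - f["last"] >= INACTIVE_TIMEOUT or now - f["first"] >= ACTIVE_TIMEOUT:
                done.append((key, self.flows.pop(key)))
        return done


def encode_v5(flows, boot_time, now, seq_start=0, engine_id=1):
    """Pack (key, stats) pairs into v5 datagrams; returns (datagrams, next_seq)."""
    uptime_ms = lambda ts: int((ts - boot_time) * 1000) & 0xFFFFFFFF
    datagrams, seq = [], seq_start
    for i in range(0, len(flows), MAX_RECORDS):
        chunk = flows[i:i + MAX_RECORDS]
        header = struct.pack(V5_HEADER, 5, len(chunk), uptime_ms(now), int(now),
                             int((now % 1) * 1e9), seq, 0, engine_id, 0)
        body = b"".join(
            struct.pack(V5_RECORD, socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                        0, 0, f["pkts"], f["bytes"], uptime_ms(f["first"]), uptime_ms(f["last"]),
                        sport, dport, 0, f["flags"], proto, tos, 0, 0, 0, 0, 0)
            for (src, dst, proto, sport, dport, tos), f in chunk)
        datagrams.append(header + body)
        seq += len(chunk)       # flow_sequence counts records, not datagrams
    return datagrams, seq


def decode_v5(datagram):
    """Collector side: return (header dict, list of record dicts)."""
    h = struct.unpack(V5_HEADER, datagram[:HEADER_LEN])
    if h[0] != 5:
        raise ValueError(f"not NetFlow v5 (version {h[0]})")
    records = []
    for n in range(h[1]):
        off = HEADER_LEN + n * RECORD_LEN
        r = struct.unpack(V5_RECORD, datagram[off:off + RECORD_LEN])
        records.append({"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                        "pkts": r[5], "bytes": r[6], "sport": r[9], "dport": r[10],
                        "flags": r[12], "proto": r[13], "tos": r[14]})
    return {"version": h[0], "count": h[1], "seq": h[5]}, records


def send(datagrams, collector=("127.0.0.1", 2055)):
    """Ship datagrams to a collector over UDP (collector address is an assumption)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for d in datagrams:
            s.sendto(d, collector)


# Constructed sample: packets as a SPAN-port sniffer would hand them over
BOOT = 1_000_000.0
SAMPLE_PACKETS = [   # (ts, src, dst, proto, sport, dport, bytes, tcp_flags)
    (BOOT + 1.0, "10.1.1.10", "198.51.100.7", 6, 51000, 443, 74, 0x02),    # SYN
    (BOOT + 1.1, "10.1.1.10", "198.51.100.7", 6, 51000, 443, 66, 0x10),    # ACK
    (BOOT + 1.2, "10.1.1.10", "198.51.100.7", 6, 51000, 443, 1514, 0x18),  # PSH+ACK
    (BOOT + 1.0, "10.1.1.10", "10.1.1.1", 17, 53210, 53, 80, 0),           # DNS query
    (BOOT + 2.0, "10.1.1.11", "10.1.1.1", 17, 53211, 53, 80, 0),
]


def run_sample(now=BOOT + 30.0):
    """Feed the sample through the cache and return the decoded export."""
    cache = FlowCache()
    for p in SAMPLE_PACKETS:
        cache.add(*p)
    expired = cache.expire(now)          # all three flows idle > 15 s by now
    datagrams, _ = encode_v5(expired, BOOT, now)
    return [decode_v5(d) for d in datagrams]


if __name__ == "__main__":
    for header, records in run_sample():
        print(header, *records, sep="\n")
```

Replace `SAMPLE_PACKETS` with a live feed from the SPAN interface (a raw socket or a pcap library) and call `expire()` on a timer, and the collector side of any NetFlow tool will accept the output; the one caveat worth knowing before trusting the numbers is that a SPAN-fed generator only sees what the SPAN session delivers, so an oversubscribed mirror port silently under-reports bytes and packets.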
Cisco Nexus 9300 TCAM carving Posted: 30 Oct 2019 11:35 AM PDT I have a Cisco Nexus C9396PX L3 switch and I have configured a bunch of ACLs (inbound) on it to deny/permit traffic. Now if I try to add more ACLs I get an error that the TCAM table is full. Here is the output of the TCAM. If you notice the line "Ingress IPv4 RACL 259 253 50.59", it is for L3 ACLs and has reached 50% utilization, but I still have 50% free, so why am I not able to add more rules? One thing I noticed is that it's Ingress, so maybe it's possible I used up all the Ingress entries and whatever else is left is for egress.. am I right? Let's say I am not using any L2 function on the switch and want to give the VACL TCAM size to RACL, is that possible?
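What region carving looks like on NX-OS, as an added illustration rather than anything from the post: the ingress regions (RACL, VACL, IFACL and the rest) are cut from one fixed-size TCAM, so a region can only be grown after another has been shrunk, and the new sizes are only applied at the next reload. The region sizes below are assumed for the example; read the current allocation with the show command first, and check the allocation granularity documented for the C9396PX before choosing a value.

```text
switch# show hardware access-list tcam region
switch# configure terminal
switch(config)# hardware access-list tcam region vacl 0
switch(config)# hardware access-list tcam region racl 1024
switch(config)# end
switch# copy running-config startup-config
switch# reload
```

The order matters: issuing the `racl` increase before freeing the `vacl` entries is rejected because the total would exceed the TCAM, and forgetting the `copy running-config startup-config` before the reload loses the carving.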
Appflow Collection with ntop/nprobe Posted: 30 Oct 2019 10:36 AM PDT Has anyone set this up? In my particular scenario I want to set up a central collector for up to 200 SonicWall devices. Essentially I want to point the NetFlow to nprobe/ntop, which will then dump that into a database that we can build reports off of.
Huawei - VxLan and Vlan configuration advices Posted: 30 Oct 2019 10:13 AM PDT Hey folks, I am working on a project for which we need to use VxLAN. Before I started to work on this project, I did not know anything about VxLAN. So I read up on it and started to build a PoC. For information, we use Huawei routers and switches, so I work in eNSP for my PoC. The switches we chose for this project are the S6720SI and S6720EI. These switches implement VxLAN functionality. So, as you can see in my screenshot (here: https://imgur.com/a/1kt2J5Z), I tried to make a simple configuration. I have my backbone, with RRPP and OSPF implemented. These two features work. I have brought up a VxLAN tunnel between SW_1 and SW_2. I can see that my tunnel is up and working. In my first VxLAN tunnel, I allow vlan 10 to go through, and in my second VxLAN tunnel, I allow vlan 20 to go through. I created my VxLAN tunnel endpoints on sub-interfaces GE1/0/9.10 and GE1/0/9.20 on SW_1 and SW_2. Also, I have VNI 1010 (for vlan 10) and VNI 2020 (for vlan 20). On my switches SW_ANT1 and SW_ANT2, I allow vlan 10 and vlan 20 on the interfaces GE0/0/1 and GE0/0/24 with a trunk configuration. On my switches SW_SITE1 and SW_SITE2, I have a trunk on the GE0/0/1 interfaces, allowing vlan 10 and vlan 20. The ports GE0/0/2 and GE0/0/3 are access, with vlan 10 or 20, depending on the end network. My problem is the following: from PC1-1, I cannot ping PC1-2, which is on the same vlan. I don't know what to do, because I have no experience with VxLAN. Could you give me some help please? The source I used for my PoC: https://support.huawei.com/enterprise/en/doc/EDOC1000178188/4fef8bd9/example-for-constructing-a-virtual-data-center-network-for-layer-2-communication-over-a-campus-network-using-vxlan
website redirect not loading behind a sonicwall Posted: 30 Oct 2019 09:04 AM PDT I just called SonicWall support and they couldn't figure this out. I am trying to access a website that uses a redirect to view bills, and it seems to be just this one web address that never loads. The SonicWall tech said we are sending packets out but nothing ever comes back, which should be true since I believe they use SSO or some way that we can ping them but won't receive any information back. Has anyone had a similar issue? I am stumped. It's not DNS or CFS issues, since CFS is turned off and it still happens. If I bypass the SonicWall and go to the modem it works just fine. Someone had suggested disabling TCP randomization; I did that and it seemed like it worked for a week or less. Now I am back to square one.
Wireshark with aws/azure/gcp Posted: 30 Oct 2019 12:24 PM PDT Hey net lords, have you guys done any packet analysis using Wireshark on AWS/Azure/GCP? I was reading on one of the AWS forums that Wireshark will only capture on the one particular EC2 instance where it's deployed and not on other instances. Can someone please elaborate on this, and also on Azure and GCP? P.S. I am just getting into cloud, so I have only a very basic idea about it.