    Friday, November 1, 2019

    Blogpost Friday! Networking


    Blogpost Friday!

    Posted: 31 Oct 2019 05:04 PM PDT

    It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

    Feel free to submit your blog post, along with a nice description, to this thread.

    submitted by /u/AutoModerator
    [link] [comments]

    Linux application for the Pockethernet

    Posted: 01 Nov 2019 06:18 AM PDT

    I bought the Pockethernet hardware back when it was still on Indiegogo. After all this time the Android application that you're supposed to use with it is still pretty crappy.

    I finally took the time to write a nice GTK3 application for it that can now do some of the basic features. I haven't managed to make some of the more advanced features work like the cable length tests and more advanced link tests like DHCP and the various port-id protocols.

    It's written in Python and split in two parts: Wiremapper is the GTK3 application, and the pockethernet library actually handles the communication with the hardware. This makes sure that it can support other testing hardware and probably a QT5 frontend.

    I hope that I can make some other network administrators very happy with this application :D

    submitted by /u/PiZZaMartijn
    [link] [comments]

    Where to go from IBM G8xxx series enterprise switches?

    Posted: 01 Nov 2019 12:41 PM PDT

    I recently found out from Lenovo that after they bought the RackSwitch business from IBM, they've kind of dropped the G8xxx series and replaced it with the NExxxx series. These are supposed to run all new code, so all my config templates etc won't work with their new CNOS vs the older ENOS. They also dropped the "pretty useful" GUI, which I do like. Now, I know we used ISCLI for the G series which was closer to something, and I thought it might have been Cisco, but IDK for sure.

    I'm somewhat inclined to avoid HP due to the general insanity around what happened with Procurve in the past and the lack of clarity even in the "Aruba" brand that replaced it.

    I like the contacts we have with Lenovo, but they just sort of bought into the G series, and I have no idea "how good" the NE series would be especially for whatever the price turns out to be.

    Of course there's Cisco (expensive especially to get firmware updates), and I just saw Juniper also competes, no idea about their pricing / history.

    What are people doing for 10/40Gbit SFP+, high performance MST 1Gbit with support for at least 11 MST instances, that doesn't need a service contract to get firmware updates? Is that even possible today? What still has an easy-to-use GUI for occasional users who need to change a PVID once in a while, but a good serial and OOB management CLI for ease of setup? What's cheaper than Cisco? Or is it doable to go mostly used (what we've been doing for G8xxx for a few years to good effect)?

    It's worth noting, the only reason we're dropping G8xxx is difficulty sourcing used ones that work lately - I think they're close to off the market, especially at sub $2k prices which is about as high as I like to go used for 48 port switches. The other reason is forward looking, in 3 years or less, we'll likely be looking at 50/100 GBit SFP28 and the old G series don't do that.

    submitted by /u/jmp242
    [link] [comments]

    BGP peering to multiple ISPs, FROM two physically separate FW cores (Internet Services & VPN)

    Posted: 01 Nov 2019 09:38 AM PDT

    Alright guys, got a thought provoker for you. Right now I have two static data centers. Half of my sites come in on one, and half come in on the other. As a result of this being a long time coming, and a 10 hour outage on the main data center last week with lots of angry executives due to no dynamic routing/failover, I have finally been given the go ahead by management to merge the two together and set up BGP peering to each ISP. Here's the catch: one firewall (PA850) runs our public internet services that folks connect to from the internet (i.e. traveler iPhone email). This is done by NATing the backend private IPs of the servers to public addressing, setting up DNS and configuring rules, as I'm sure you all have as well. The other core (ASA2110) is the hub for all of our branch site-to-site VPNs to terminate on. Both firewalls will connect to our 6509 core switch on the inside, and to both ISPs on the outside via eBGP, with a transit switch in between the ISPs and my FWs. Here is a drawing I've done to represent this:

    https://imgur.com/a/114Br93

    The primary requirement of doing this is to ensure that 12.3.250.0/24 is always reachable at all times, even if the primary ISP is down (the assumption is that BGP will reroute to the 2nd ISP due to the advertisement of 12.3.250.0/24 I've configured to said 2nd ISP), and the end result is that the internet services, as well as the site-to-site VPNs, would never go down unless I lost both ISPs or hardware.

    With that said, here are my concerns:

    1. To achieve this, since I have two physically separate cores (one Internet Services, one VPN), I need to BGP peer both of my firewalls to both of the ISPs, and I need to advertise 12.3.250.0/24 FROM both of my firewalls TO both of the ISPs. In my mind, the way I've always understood routing is that you can't tell a router peer that a particular subnet lives in two spots, because then routing won't know where to send it. Now I know that assumes equal weight, AD, costing, etc., and that BGP will not weigh the route the same way since it's all on a common network thanks to the transit switch, so I am thinking the logic in BGP will take care of that if I'm advertising the same subnet from multiple physical points, but I can't help but worry about potential routing loops here. Will this work as intended, or am I risking problems here trying to design it this way?
    2. The subnet I need to advertise happens to be the subnet that is in use for comms between my firewalls and the primary ISP's ISR router (because we don't own our own public /24, so we are leasing the ISP's), so the router knows about it already because it's directly connected (see diagram). If that is the case, do I need to advertise it manually in BGP to that peer?

    submitted by /u/TheFaytalist
    [link] [comments]

    DMVPN Diffie Hellman issues

    Posted: 01 Nov 2019 10:12 AM PDT

    I'm labbing this DMVPN setup, and even though I have set DH key exchange in the IPsec profile, my spoke-to-spoke SA comes up but without DH. My hub-to-spoke SA is using DH but not the spoke-to-spoke one. Anyone else have this problem?

    I'm using the same settings on all the routers, so there's really no reason why this should happen. Everything "works": there are no errors, not even in the IPsec/IKEv2 debug, but I just don't get DH key exchange going. I also don't see any fundamental reason why this would be the case; when the spoke-to-spoke tunnel comes up, the spokes negotiate a tunnel, so it should just work the same as when the hub-to-spoke tunnel is created.

    This is just a lab, but I wouldn't put something like this into production. Given the nature of DMVPN, where the keys are on routers in all sorts of remote offices, it would be very easy for someone to steal one and get the keys, and decrypt all past traffic. Not to mention the administrative pain of rekeying everything.

    submitted by /u/paulzapodeanu
    [link] [comments]

    Buying a switch for a LAN file sharing for video editors.

    Posted: 01 Nov 2019 03:36 PM PDT

    Hello, I am buying 2 NASes next week, one with HDDs and another with NVMes. These will be supported by a switch that will be connected to 6-8 editors who will edit RED RAW and Blackmagic RAW streams; they will connect via SFP+ 10G. I want to get a 24 port 10G switch that could handle all the traffic reliably. I am looking at the Cisco SG550XG-24F or a Juniper EX4550-32F. Which would you recommend? FYI: both went EOL earlier this year; are there any switch suggestions for a sub-$5k budget? Thanks in advance.

    TLDR: Cisco SG550XG or Juniper EX4550-32F for heavy video streams

    submitted by /u/cpgalvez
    [link] [comments]

    Converted My CCIE to Emeritus

    Posted: 01 Nov 2019 11:45 AM PDT

    GNS3 VM CPU usage skyrockets to 100% using IOSv images

    Posted: 01 Nov 2019 03:30 PM PDT

    Hi all, I've recently installed GNS3, and think I've set up everything correctly. I added IOSv images, but when I run the devices (4 x IOSvL2 nodes), the CPU usage for the GNS3 VM hits 100% almost immediately. I know this is normal while booting up the machines, but it stays at 100% even after everything is loaded, and I can't do anything in the CLI. My computer's CPU use stays at ~40%, so I feel like GNS3 is not utilizing my system's power well. I've tried cranking up the vCPU and RAM values for the VM and the nodes, but that didn't seem to do anything. I've spent hours trying to fix the issue and am about to give up at this point. Any advice from experienced users?

    Btw, I'm running GNS3 on a machine with i5-8350 vPro and 8 gigs of DDR4.

    submitted by /u/griwulf
    [link] [comments]

    Aruba NAT router?

    Posted: 01 Nov 2019 03:48 PM PDT

    Does Aruba offer a NAT capable router for large branch offices? Something close to a Cisco 4431?

    I see great switches but not really firewalls or routers....

    submitted by /u/ITdirectorguy
    [link] [comments]

    How do Apple TVs/Chromecasts broadcast existence?

    Posted: 01 Nov 2019 11:38 AM PDT

    Does anyone know how, or have documentation of how, devices like Chromecasts and Apple TVs broadcast their existence on the network? We're trying to figure out a way to stop them from broadcasting everywhere without having to divide our Wi-Fi subnet into multiple subnets.

    submitted by /u/Deivonte
    [link] [comments]

    Cisco EOLs Catalyst 3850

    Posted: 31 Oct 2019 07:21 PM PDT

    Just announced today, in case anybody else missed it. Personally I'm only aggravated because I just had a meeting with our reps last Thursday and they mentioned nothing about it.

    https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3850-series-switches/eos-eol-notice-c51-743072.html

    submitted by /u/IDDQD-IDKFA
    [link] [comments]

    Cisco Wireless LAB?

    Posted: 01 Nov 2019 02:45 PM PDT

    Hi,

    I'm planning to build a lab for Cisco wireless using the below controller and AP. I would like to ask if this will be possible.

    WLC: Virtual WLC (eval mode) installed on a hypervisor

    AP: Cisco air-lap1142n-a-k9 (planning to buy)

    I'm planning to purchase a 2nd AP which is cheaper, though I'm not able to locate the above model in the matrix and work out which WLC I should use.

    https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html

    The Cisco forum says I can run this AP with a controller.

    https://community.cisco.com/t5/other-wireless-mobility-subjects/wlan-controller-for-air-lap1142n-a-k9/td-p/2018327

    Please let me know if this is possible, or if anyone is currently using this setup.

    Thanks

    submitted by /u/1searching
    [link] [comments]

    Daloradius - automated monthly usage reports?

    Posted: 01 Nov 2019 08:43 AM PDT

    We use daloradius for authentication purposes for a number of legacy ADSL customers. What I would like it to do is send an email on a specific day in the month listing the bandwidth usage of each customer.

    Is this possible, and if so, how?

    I know I can query it manually, but it would make my life easier if it could send this report off to my finance dept automatically.

    submitted by /u/LittleWanger
    [link] [comments]

    I need some advice on Media Converters, just need a sanity check.

    Posted: 01 Nov 2019 08:14 AM PDT

    I have a remote site where the ISP (it's stupid CenturyLink) delivered a DIA two floors up from our space with a long-haul 10km single-mode fiber SFP that's 1/10/1000 Gbps capable.

    If I were to purchase a cheap Media Converter like say this one - https://www.amazon.com/Gigabit-1000BaseT-single-mode-1000Base-converter/dp/B002N90OIO or one off FS / etc., just something that is 10km single-mode capable - are these devices pretty much 'dumb'? Can I expect it to 'just work', providing me copper Ethernet that I can dump into our public switch?

    The other option is piping it directly into our Cat 9300 on an isolated VLAN; I have SFP ports available on the module, but for security reasons I would like to keep it completely out of band.

    Thanks in advance for your time.

    submitted by /u/Elysiom
    [link] [comments]

    Help us please

    Posted: 01 Nov 2019 09:19 AM PDT

    Hi guys,

    INFO: Our new switch is the HPE OfficeConnect J9983A 1820, using an SFP+ port to link to port 45S on an Aruba 2920-48G. VLAN20 is our desktop range, which the APs get an IP from, which is ok. Our curriculum VLAN should get IP 172.23.248.XYZ.

    We have had 4 new classrooms built and need to put WiFi in, we have put in identical Ruckus APs to the rest of our network and they show up in the ZoneDirector.

    Our new switch is linked via fibre to the nearest breakout room and plugs into a switch there with SFP.

    Issue 1:

    Our new switch is 172.23.241.40 and we can't ping it from outside of that switch. You have to be plugged into it with a static IP of 172.23.241.XX to be able to get to the web GUI or ping the switch. Why can't we access the switch from anywhere else like every other switch?

    Issue 2:

    VLANs have been set up on the switch like every other switch on the network, and when you connect to the switch you get 172.23.242.XXX, which is our desktop range. We need all wireless devices to connect to the 172.23.248.XX range.

    If I take an AP into the main building you get the right IP, and taking an AP from the main building into the new classrooms you get the wrong IP. It's definitely the switch config.

    Any pointers??

    Writing this after spending hours stuck in a tiny cupboard balancing a laptop so if my post makes no sense...hopefully you understand :)

    submitted by /u/techformarcus
    [link] [comments]

    Cisco ISE help!!! - SSL Cert expired

    Posted: 01 Nov 2019 07:50 AM PDT

    SSL cert for our ISE expired yesterday.
    Network admin took today off and is not answering his phone.

    I was able to create a CSR and we got a new cert.

    When importing the new cert it requires the Private Key and password....

    I cannot find WHERE to export the private key and give it a password.

    I know it is SOMEWHERE on the ISE, as it generated a CSR....

    please help this poor lost soul...

    submitted by /u/dot19408
    [link] [comments]

    Need some advice on Port Security

    Posted: 31 Oct 2019 11:52 PM PDT

    Hi,

    I am new here. I need some advice on whether this is possible. The objective will be preventing any external visitor/vendor from just simply plugging into one of our network ports and using our network; they need to authenticate themselves with an Active Directory user and password before they are able to use it.

    We can probably use the sticky MAC address method, but there are a few hundred hosts and it will be a hassle if they replace one. I have set up a RADIUS server just in case I might need it.

    I have run the commands from here, but it is not working for me: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/xe-3se/3850/sec-user-8021x-xe-3se-3850-book/config-ieee-802x-pba.html#GUID-430BBBAE-CB5D-46F9-80B2-6DF8A5497922

    submitted by /u/samsimoncc
    [link] [comments]

    PoE "Cycling" problem - HP Procurve JG963a

    Posted: 01 Nov 2019 06:40 AM PDT

    Hey all,

    I'm setting up a solution that involves iPads in wall mounts outside of conference rooms, and I have an adapter that converts PoE -> Lightning for iPad 10.2 or Mini power (it's by Texas POE). This device uses 802.3af PoE technology.

    I have an HP Procurve JG963a switch, which, according to the manual, supports 802.3af, but it has that dubious verbiage of saying "802.3af (Ready)".

    When I plug this PoE converter into the switch, the networking lights do a consistent cycle of seemingly powering on, then fading off, and repeat ad infinitum. If I look at switch logs, I see this error over and over: Trap <pethPsePortOnOffNotification>.

    My best hypothesis is that I have to change some setting on the switch that either matches the power required by the PoE converter or enable 802.3af support, but I can't seem to find any options to do so.

    Anyone have any ideas?

    submitted by /u/mksolid
    [link] [comments]

    Career question: Where do you see yourself in 5-10 years.

    Posted: 01 Nov 2019 02:40 AM PDT

    Hello,

    With the constant evolution of IT, nobody's job is secure. MS Exchange admins are already long gone and IT infrastructure engineers are shrinking by the day.

    I know I need to get onto the cloud wagon, but I would also like to hear another point of view in regards to where I should be heading.

    A bit about me. I am 34, and just started working in a huge enterprise company. My previous job was not a great place since they didn't know what virtualization (or even ITIL) was! I am CCNP certified with knowledge of Linux, VMware, firewalls and Windows administration. I am currently passively following a free online course called "python for network engineers", and I want to get my AWS associate exam.

    I went to a couple of interviews and I have failed to answer the question: "Give us an example on how you have successfully migrated workloads to the cloud." I want to be able to answer that, as well as keep my current salary.

    I can either:

    - Move to management, which I am not keen on.
    - Become a developer, which I am not seeing.
    - Specialize in Security (is CISSP still worth it? Or be a CEH?)
    - Become a CCIE (I think CCIE is not as valuable as it was 5 years ago, can you prove me wrong?). What's your opinion about the CCIE devops?
    - Presales (which is my preferred route).

    Any advice would be appreciated.

    submitted by /u/nicolaidesnikos
    [link] [comments]

    ERSPAN support on McAfee NS5200 and LogRhythm NM3300/3400

    Posted: 01 Nov 2019 03:51 AM PDT

    Hi r/networking,

    We are to implement a new Cisco ACI fabric as a replacement for a core DC network.

    As per previous experience, Cisco ACI doesn't really play well in terms of mirroring traffic to the other security appliance as:

    • All endpoints are now connected to different leaves (6 leaves to be exact), instead of centrally at one or two core switches (I know, it's a small setup).
    • Local SPAN therefore requires the other appliance to have as many ports as the number of leaves (as they used Local SPAN with source VLAN on their core), which our NS5200 and LogRhythm are short of.
    • ERSPAN (used by Tenant SPAN, which is the most appropriate match for the traditional Source VLAN SPAN) might not be supported by the security appliances (hence the title).

    So, do these two appliances support ERSPAN at all? Or do I have to rely on an external switch or packet broker for decapsulating the ERSPAN traffic and then push the raw data to the appliances?

    Thanks in advance.

    submitted by /u/IrvineADCarry
    [link] [comments]

    Why doesn't my redistribution work ("rip into ospf")?

    Posted: 01 Nov 2019 02:13 AM PDT

    I'm learning a few routes from my RIP process, but I would like to redistribute just one of them:

    PE3#show ip route rip
         172.31.0.0/32 is subnetted, 1 subnets
    R       172.31.1.1 [120/1] via 30.210.2.2, 00:00:18, FastEthernet1/1
    R    194.14.32.0/19 [120/1] via 30.210.2.2, 00:00:18, FastEthernet1/1

    So I tried to do this:

    Standard IP access list 1
        10 permit 194.14.0.0, wildcard bits 0.0.255.255

    My OSPF:

    router ospf 30
     log-adjacency-changes
     network 10.101.33.2 0.0.0.0 area 0
     network 10.101.43.2 0.0.0.0 area 0
     network 30.210.2.1 0.0.0.0 area 0
     network 172.25.3.3 0.0.0.0 area 0
     distribute-list 1 out

    I know that I could use a prefix list, route-map... but I am just trying to learn all the ways.

    Thanks a lot.

    submitted by /u/raikone14
    [link] [comments]

    Site-to-Site VPN tunnels dying, ASA 5506-X

    Posted: 31 Oct 2019 07:31 PM PDT

    We have site-to-site VPN tunnels between remote offices and a datacenter where our SNMP server is. The VPN tunnel is for management traffic. The remote sites have newly installed ASA 5506-Xs on the outside doing the routing and firewalling, and the data center is using a Cisco 1921 router. We've seen issues at all remote sites with these ASAs where the VPN tunnels die after a day or two and we have to reload the ASAs to get them up again. The IP SLA pings don't seem to be working on the ASA, so we configured them on the core switches and they are working, but we still see outages on the VPN tunnels semi-frequently. Anyone else experience these issues or have recommendations for troubleshooting?

    TAC has told me that the IP SLAs are working as expected on the ASAs and that the IP SLA needs to be configured on the inside of your network, because the ASA will always use the closest interface to the outside instead of an inside mgmt interface IP. But this still doesn't answer the issue of the mgmt VPN tunnels dying out so often.

    submitted by /u/vorgestellt3
    [link] [comments]
