    Friday, April 20, 2018

    Blogpost Friday! Networking

    Blogpost Friday!

    Posted: 19 Apr 2018 11:09 PM PDT

    It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

    Feel free to submit your blog post, as well as a nice description, to this thread.

    submitted by /u/AutoModerator

    Online Labs for Learning?

    Posted: 20 Apr 2018 10:46 AM PDT

    I'm looking for something like these Hera Virtual Labs to start learning more about cyber security. These are pretty pricey for very limited access. Is there something cheaper?

    I want to learn during my downtime at my current job. Practicing on their systems is not exactly an option. This looked to be exactly what I was looking for.

    submitted by /u/Arkmodan

    Working for Cisco TAC

    Posted: 20 Apr 2018 09:24 AM PDT

    Alright, I checked the sidebar, so this seems a reasonable question considering I'm not early in my career.

    Have any of you ever worked for Cisco TAC? I saw a job posting for customer support engineer (I'm assuming TAC since it's in Richardson, TX) and I'm curious what they really look for in a new hire. I have my CCIE in R/S and 6 years of networking experience, but have found so far that it can remove you from the long list of applicants due to the average salary expected by other CCIEs I'm guessing.

    Would that position be considered a bad/lateral move? Would it even be possible to get at my "level"? I'm currently a senior networking engineer but tired of the operational aspect. I realize TAC would be purely operational, but it's a foot in the door as far as I'm concerned to other things. I've looked at other positions with them at the presale level but they all seem to require presale experience, so it's chicken and egg.

    Thanks!

    submitted by /u/dfwthrowawayaccount

    Seeking guidance on upgrading campus network

    Posted: 20 Apr 2018 12:40 PM PDT

    Hello everyone,

    I recently became the decision maker for all things IT in my organization and have started looking into upgrading our campus switching equipment. My desire for focusing part of our limited resources on upgrading our network infrastructure is more or less a gut feeling that things could be better, and therefore I am seeking advice from those more experienced than myself about what to look for. Below is a little background information about our current situation.

    Background:

    • We are a private school with multiple buildings spread throughout our campus and support around 1,000 users between students and staff
    • Older buildings are connected to the MDF through Cat5e and often daisy chain off of each other the further out they go.
    • Newer buildings are connected to the MDF through fiber
    • Current MDF switch is a Cisco Catalyst 4948 that is used to service IDFs and create three VLANs for different geographical areas of campus
    • Current IDF switches are mismatched brand and, for all intents and purposes, are unmanaged switches; most being 10/100 speed
    • Wifi is Aruba Instant APs, with a virtual controller in each VLAN
    • Purpose of the upgrade is to have a consistent and new network infrastructure that will sustain us for the foreseeable future; minimum 1G between switches with 10G possible.
    • We do not currently have any sort of network performance monitoring solutions or anything like that but I would like to in the future and have compatible equipment

    With that in mind, I contacted CDW to discuss options and they ultimately suggested Aruba for our replacements. The core switch recommended was a 3810M (JL075A) and IDF switches were 2930F (JL256A#ABA) models. I have heard good things about Aruba and have been very happy with their wireless offerings but have no experience in their wired solutions. As far as other requirements, I am wanting PoE to power the access points and other equipment such as phones. Because of the budget and the equipment they are suggesting, this would be a phased replacement happening over the course of three to four years.

    If anyone would be willing to share their opinion, I would be very grateful. I've tried to keep my post as concise yet detailed as possible, but I recognize I may not have included a relevant piece of information; if that's the case, I would be happy to further expand.

    Thank you for your help.

    submitted by /u/DukeSilver904

    Looking for resources on programming SNMP?

    Posted: 20 Apr 2018 08:46 AM PDT

    I know I might be asking a lot, but I'm looking for some good resources on writing SNMP scripts/applications. I have mentioned in my previous posts that I'm working on a Raspberry Pi monitoring project. My goal is to attach dry contacts (door sensor, on battery, rectifier failure, etc.) to the Pi. When an event occurs and the dry contact closes/opens, I would like to write an SNMP trap to our NMS with the details of the event.

    I made some progress yesterday by using pass-through within the snmpd.conf file but I'm looking for some good documentation and examples if possible.

    submitted by /u/Bazinga79a
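As an added example (not the poster's code), here is what a net-snmp `pass` handler for a few dry contacts looks like, plus the `snmptrap` argument list to fire when a contact changes. The enterprise subtree 99999, the sensor table and the notification OID are placeholders; the GPIO readers are stubbed so it runs anywhere.

```python
"""Minimal net-snmp 'pass' handler for dry-contact sensors on a Raspberry Pi.

snmpd.conf references it as (placeholder subtree, replace with your own PEN):
    pass .1.3.6.1.4.1.99999.1 /usr/bin/python3 /usr/local/bin/contacts_pass.py
snmpd invokes the script with '-g OID' (GET), '-n OID' (GETNEXT) or
'-s OID TYPE VALUE' (SET) and reads the reply as three lines: OID, type, value.
"""
import sys

# Hypothetical enterprise subtree; 99999 is a placeholder, not a registered PEN.
BASE = (1, 3, 6, 1, 4, 1, 99999, 1)

# Constructed sensor table: index -> (name, reader). Real code would read the
# GPIO pin (1 = contact closed); the readers are stubbed so the module runs anywhere.
SENSORS = {
    1: ("door", lambda: 1),
    2: ("on-battery", lambda: 0),
    3: ("rectifier-fail", lambda: 0),
}


def parse_oid(text):
    return tuple(int(p) for p in text.strip(".").split("."))


def format_oid(oid):
    return "." + ".".join(str(p) for p in oid)


def table():
    """Every instance served, in lexicographic OID order (required for GETNEXT).

    BASE.1.<idx> = sensor name (string), BASE.2.<idx> = state (integer).
    """
    rows = []
    for idx in sorted(SENSORS):
        rows.append((BASE + (1, idx), "string", SENSORS[idx][0]))
    for idx in sorted(SENSORS):
        rows.append((BASE + (2, idx), "integer", str(SENSORS[idx][1]())))
    return rows


def handle(args):
    """Return the output lines snmpd expects for one pass invocation.

    An empty list means 'no such instance'; snmpd then moves on.
    """
    if len(args) < 2:
        return []
    mode, oid = args[0], parse_oid(args[1])
    rows = table()
    if mode == "-g":
        return next(([format_oid(o), t, v] for o, t, v in rows if o == oid), [])
    if mode == "-n":
        # GETNEXT: the first instance strictly greater than the requested OID.
        # Tuple comparison makes BASE itself sort before BASE.1.1, as required.
        return next(([format_oid(o), t, v] for o, t, v in rows if o > oid), [])
    if mode == "-s":
        return ["not-writable"]  # sensors are read-only
    return []


def trap_argv(idx, nms_host, community):
    """argv for net-snmp's snmptrap (run it with subprocess.run) when contact idx changes.

    The empty uptime argument tells snmptrap to use sysUpTime; the notification OID
    BASE.0.1 is a placeholder for a real contactStateChange NOTIFICATION-TYPE.
    """
    name, read = SENSORS[idx]
    return ["snmptrap", "-v", "2c", "-c", community, nms_host, "", format_oid(BASE + (0, 1)),
            format_oid(BASE + (1, idx)), "s", name,
            format_oid(BASE + (2, idx)), "i", str(read())]


if __name__ == "__main__":
    lines = handle(sys.argv[1:])
    if lines:
        print("\n".join(lines))
```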

    What type of fiber connector is this?

    Posted: 20 Apr 2018 02:22 AM PDT

    If you look closely at the first picture you can see there are two fibers going to the connector. This made me think it's not some kind of weird variation of an LC connector. Maybe MT-RJ? But I have never seen nor used one before.

    Link with two pictures, front and back: https://imgur.com/a/qiTJaqH

    submitted by /u/sliddis

    Learning Server Admin stuff as a Networking Guy

    Posted: 20 Apr 2018 03:43 PM PDT

    What are your thoughts on learning how the other half lives? I'm talking about learning how to set up physical servers, spin up VMs, learn about things like iWARP and RoCE, get your hands dirty on all this server stuff basically, until you're a wizard at Active Directory and can set up your own Domain Controller and generate certificates like a boss.

    I find as a Networking Guy all of the above stuff is like black magic, and it makes me a little upset that I don't understand any of it to a high enough level where I could just walk in, set it all up, and have it all work.

    Also part of me feels like if I ever wanted to set up my own network truly, I'd have to configure the servers too, not just the routers and switches.

    Any thoughts? Is this kind of a useless thing to learn? I figured with Networking Guys branching out into automation, and software defined, why not branch out in that direction, too?

    I've been reading /r/homelab off and on for a bit, and it kind of surprises me how a bunch of young professionals are setting up Linux boxes and spinning up ESXi just to play around, and I literally could not set up either of those things at all without Googling some kind of cheat sheet. Simply amazing.

    Let me know your opinions on the matter!

    submitted by /u/Norhell

    What DNS do you use & thoughts on quad9.net

    Posted: 19 Apr 2018 07:53 PM PDT

    I was wondering what DNS others are using and why.

    Also, for those who have used quad9.net (9.9.9.9), what do you think about it?

    submitted by /u/crua9

    Gigabit over CAT5?

    Posted: 20 Apr 2018 11:10 AM PDT

    We have several floors here and have just deployed cloud-based VoIP. All floors are CAT6 and the VoIP mostly works correctly. On one floor, they have lots of quality problems, video stuttering etc. Their floor is all CAT5. Testing with a proper Fluke, the lines pass CAT5 testing, but fail CAT6.

    All workstations are connecting at 1 Gbps.

    Is it possible that the cause of our problems is related to the cabling? Would it be prudent to force the ports to 100 Mbps?

    submitted by /u/macward82

    Cisco CVE-2018-0171 Smart Install vulnerability

    Posted: 20 Apr 2018 12:34 PM PDT

    What are you all doing about the Cisco CVE-2018-0171 Smart Install vulnerability?

    Just been tasked with getting no vstack onto about 400 devices..... really should have got a Linux server set up for automation prior to this point.

    submitted by /u/Theincrediblemeagain
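An added example (not the poster's tooling) of the triage step that sits in front of a `no vstack` rollout: classify each switch's `show vstack config` output, decide which ones get the command, and verify afterwards. The hostnames and outputs are constructed; the `Role: Client (SmartInstall enabled)` line follows the form shown in Cisco's Smart Install advisory, and the transport to the devices (Netmiko, Ansible, expect) is left out.

```python
"""Triage 'show vstack config' output to find switches still exposing Smart Install."""
import re

# Constructed sample output from four switches. The 'Role' line follows the form
# Cisco's advisory shows ('Role: Client (SmartInstall enabled)'); the rest is made up.
SAMPLE_OUTPUTS = {
    "sw-access-01": "Role: Client (SmartInstall enabled)\n Vstack Director IP address: 0.0.0.0\n",
    "sw-access-02": "Role: Client (SmartInstall disabled)\n Vstack Director IP address: 0.0.0.0\n",
    "sw-dist-01":   "Role: Director (SmartInstall enabled)\n Vstack Director IP address: 10.0.0.1\n",
    "sw-old-01":    "% Invalid input detected at '^' marker.\n",  # no Smart Install support at all
}

ROLE_RE = re.compile(r"Role:\s*(\w+)\s*\(SmartInstall\s+(enabled|disabled)\)", re.IGNORECASE)


def classify(output):
    """One of: client-enabled, director-enabled, disabled, unsupported."""
    m = ROLE_RE.search(output)
    if not m:
        return "unsupported"          # command rejected: nothing to disable
    role, state = m.group(1).lower(), m.group(2).lower()
    if state == "disabled":
        return "disabled"
    return "client-enabled" if role == "client" else "director-enabled"


def remediation_plan(outputs, keep_directors=()):
    """Map hostname -> IOS command sequence for every device that needs 'no vstack'.

    Clients with Smart Install enabled are always included; directors are included
    unless explicitly listed in keep_directors (a site that really uses Smart Install
    should restrict it at the director instead of keeping it open everywhere).
    """
    plan = {}
    for host, out in outputs.items():
        status = classify(out)
        if status == "client-enabled" or (status == "director-enabled" and host not in keep_directors):
            plan[host] = ["configure terminal", "no vstack", "end", "write memory"]
    return plan


def verify_disabled(output):
    """Post-change check on a fresh 'show vstack config' capture."""
    return classify(output) in ("disabled", "unsupported")


if __name__ == "__main__":
    for host, cmds in remediation_plan(SAMPLE_OUTPUTS).items():
        print(host, "->", " ; ".join(cmds))
```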

    Replacing primary ASA in H/A pair (5585Xs)

    Posted: 20 Apr 2018 06:00 AM PDT

    Hey r/networking,

    This weekend I will be replacing the primary ASA in my H/A pair of 5585Xs. What I mean by primary is, when I originally configured H/A, this unit was marked as the primary unit, and the other was the secondary. Is there anyone here who has done this that can give me a brief rundown of this process? I will post my strategy as of right now below, step by step. If I'm doing something wrong, or missing something, please let me know.

    1- Receive the new RMA unit. Upgrade the image to match that of the current active unit. Install the same license as the current active unit. Install any flash images, such as AnyConnect, directly on the new RMA unit.

    2- Configure the same exact set of failover commands that is on the current (failing) primary on the new RMA unit.

    3- In the datacenter, ensure that the Secondary unit is Active. Remove the failing unit. Remove all up-link and interface modules, and insert them in the new RMA unit. Also take the SSP hard drive out of the failing one and insert it in the new one??

    4- Rack the new RMA unit and connect all of the connections. Lastly, connect the failover cable and pray that the 'Secondary-Active' unit takes its config and writes it to the newly added 'Primary-Standby Ready' unit, and not the opposite, like I've seen happen to people.

    How does that look? My two huge follow-up questions are below:

    1- Is it necessary to, once I remove the failing unit from the H/A cluster, make the current 'Secondary-Active' unit the Primary, and then configure the new RMA unit as the secondary? I just want to avoid all possibilities of the new RMA unit with a blank config overwriting my production firewall when they detect each other.

    2- In step 3, is it necessary to also install the SSP of the failing unit in the new RMA unit? From what I've researched, the SSP is mostly used for IPS/IDS services, which we are not running in our datacenter.

    Thanks very much in advance for the feedback.

    submitted by /u/JoeBirds

    macsec encryption on DF links

    Posted: 20 Apr 2018 04:26 AM PDT

    Hello guys, I'm looking for solutions to encrypting Ethernet traffic (2x1 Gbps) over DF (xWDM) links. So far I've looked into the HPE and Cisco portfolios. HPE devices that support this feature are a bit expensive and kind of overkill. On the other hand, the Cisco 3560CX should do the job, but their documentation on this topic is inconsistent; supposedly, only downlink ports (SW to host) support MACsec.

    I'm all open for your suggestions/thoughts on this matter!

    submitted by /u/simazgb

    UDP file upload killing other traffic on SonicWall

    Posted: 20 Apr 2018 08:07 AM PDT

    So we just started using Signiant Media Shuttle to upload media to a remote site. It uses UDP to maximize the upload speeds. The problem is that when Media Shuttle is uploading a file, all other traffic is slowed to a crawl. Media Shuttle is capped around 90 Mbps, but our total upload capacity should be around 500 Mbps. We should have plenty of bandwidth to do other things, but even accessing web pages becomes very slow. We ran into this with another similar piece of software, but that client allowed me to set limits on bandwidth, and only caused problems when the limit was set to "max", which I assume basically told the software to push the packets regardless of other traffic. Media Shuttle does not have options to control bandwidth on the client side. I've tried setting the priority of traffic on those ports to low, but it does not seem to make a difference. Any ideas?

    submitted by /u/basher09

    Disabling TLS 1.0 on Windows SBS 2011 Breaks LDAP and OWA access

    Posted: 20 Apr 2018 07:21 AM PDT

    Hello!

    I was hoping someone could shine some light on an issue we are experiencing. We need to disable TLS 1.0 and RC4 cipher suites on our SBS 2011 to be PCI compliant. When we turn off TLS 1.0 on the server, our LDAP connection to our firewall for our VPN users breaks and our OWA (Outlook Web Access) breaks. Does this come down to the browsers the users are using for OWA access? Our LDAP to our firewall for VPN users is set up to authenticate Domain users. We use LDAP version 3 over TLS (SSL) on port 636. I have not been able to pinpoint why these 2 items break when turning off TLS 1.0 on the server. Any thoughts?

    submitted by /u/lolatmyfail

    Cisco UC - Real Time Monitoring Tool and alerts

    Posted: 20 Apr 2018 02:35 PM PDT

    Hi folks,

    I know Prime Collaboration Assurance is primarily the Cisco UC alerting tool. However, to save costs I want to look at RTMT. Can anyone tell me what alerting capabilities RTMT has? Disk usage? Server connectivity?

    submitted by /u/highflyer88

    state of the art: rogue APs, physical detection

    Posted: 19 Apr 2018 08:03 PM PDT

    I searched. Been a while.

    I'm looking for a state of the union on rogue APs. I manage small Cisco shops and we use basic network sanitization and strict controls with open access to admins for approval. In short, we try to make it more work to shadow IT than it is to ping us to work with the situation. I'd like to think nobody is happy. That's compromise.

    That said, I've got a friend working a project who is being tasked with a segment on physically tracking rogue APs and I've been accessed as a resource. My General Sanitation and Sanity response didn't go over well. Client is HIPAA.

    I'm resistant to talking about specific tooling, so my question is this:

    How do you deal with the threat of rogue APs? What have I missed? I have a friend who says she's got some beta Terminator shit for visualizing radio spectrums in VR/AR but admits it's kinda half gimmick. For now.

    What's the cutting edge for finding a needle in a stack of needles? How do you find the rogue APs if your network tools are abolished, and which do you use if they aren't?

    Thanks folks.

    submitted by /u/EnthusiasticEntropy
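As an added example (not the poster's or any vendor's tooling), the triage most rogue-AP workflows boil down to: compare what the radios hear against the authorized BSSID inventory, rank the unknowns by signal strength so the physical sweep starts in the right place, and turn RSSI into a rough distance with the log-distance path-loss model. SSIDs, BSSIDs and scan readings are constructed; the calibration constants are assumptions to be measured on site.

```python
"""Classify Wi-Fi scan results against an authorized-AP inventory (constructed data)."""
from dataclasses import dataclass

CORP_SSIDS = {"CLINIC-STAFF", "CLINIC-GUEST"}                     # constructed
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}  # constructed, e.g. exported from the WLC


@dataclass
class Beacon:
    ssid: str
    bssid: str
    rssi_dbm: int   # as reported by the scanning radio
    security: str   # "wpa2", "open", ...


def classify(b, strong_dbm=-55):
    """Triage verdict for one beacon.

    - our SSID from an unknown BSSID      -> evil twin, highest priority
    - unknown BSSID heard strongly        -> probably inside the building
    - anything else                       -> a neighbour; record and move on
    strong_dbm is a site-specific threshold (assumed here, calibrate on site).
    """
    if b.bssid.lower() in AUTHORIZED_BSSIDS:
        return "authorized"
    if b.ssid in CORP_SSIDS:
        return "evil-twin"
    if b.rssi_dbm >= strong_dbm:
        return "rogue-onsite"
    return "neighbor"


def triage(beacons):
    """Group beacons by verdict, strongest first, so the sweep starts at the loudest unknown."""
    out = {}
    for b in sorted(beacons, key=lambda x: -x.rssi_dbm):
        out.setdefault(classify(b), []).append(b)
    return out


def estimate_distance_m(rssi_dbm, rssi_at_1m=-40, path_loss_exp=3.0):
    """Log-distance path-loss model: d = 10 ** ((P_1m - RSSI) / (10 * n)).

    rssi_at_1m and n are assumed calibration values (n ~ 2 free space, 3-4 indoors);
    the result is a sweep radius, not a position.
    """
    return 10 ** ((rssi_at_1m - rssi_dbm) / (10 * path_loss_exp))


SCAN = [  # constructed readings from one survey point
    Beacon("CLINIC-STAFF", "00:11:22:33:44:01", -48, "wpa2"),
    Beacon("CLINIC-STAFF", "aa:bb:cc:dd:ee:01", -61, "open"),
    Beacon("linksys", "aa:bb:cc:dd:ee:02", -42, "open"),
    Beacon("CoffeeShop", "aa:bb:cc:dd:ee:03", -82, "wpa2"),
]

if __name__ == "__main__":
    for verdict, found in triage(SCAN).items():
        for b in found:
            print(f"{verdict:13} {b.ssid:14} {b.bssid} {b.rssi_dbm} dBm ~{estimate_distance_m(b.rssi_dbm):.1f} m")
```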

    multi-tenancy vpn support with amazon using juniper vrf/vr

    Posted: 20 Apr 2018 01:00 PM PDT

    Hi Everyone - this is a continuation of my post on /r/juniper but some things have changed so starting a new one here..

    I am trying to achieve multi-tenancy with Amazon VPNs. This usually means overlapping subnets between accounts (ex: two accounts can both have VPCs configured with 10.0.0.0/16 + I use 10.0.0.0/16 internally). It has been my understanding so far that ultimately I am going to have to NAT them to something that I can control, but my main issue right now is I am trying to advertise routes on the VRF tunnels back to Amazon that I have received from my upstream SRX650.

    Hopefully this graphic can shed some light: https://i.imgur.com/6UebBYo.png

    My SRX650 is my main router. My SRX650 advertises routes to "APPNET" via BGP to my vSRX. I then use export policies for controlling which routes are advertised to which VRF and subsequently Amazon accounts; however, no matter what my export policy is, the routes are never re-advertised even if I set an open accept. RIB groups and VRF export/import are new to me and I have tried hard at understanding and doing it, but the docs assume a higher level of knowledge than I currently have. I also realize I could use OSPF for local advertisement as well, but I know BGP more so I took the route I knew. I have tried routing-options instance-import MYNET-SVC-VR1 which didn't work; the error stated cannot set instance-import on VPN VRF.

    Can anyone tl;dr some config for what I am trying to achieve? tl;dr: I need an easy way to re-advertise received routes on inet.0 back through a VRF. I know I need rib groups or vrf-import/export but can't seem to figure out the logistics of the configuration. Config below:

    routing-options {
        static {
            route 0.0.0.0/0 next-hop 172.31.255.243;
            route 192.168.1.0/24 {
                discard;
                install;
            }
        }
        auto-export;
    }
    policy-options {
        prefix-list mynet-amazon-test {
            0.0.0.0/0;
            192.168.1.0/24;
        }
        prefix-list CLIENT-AMZ-ACCT1-BGP-MYNETPREFIX {
            10.98.39.96/28;
            10.98.39.112/28;
        }
        policy-statement CLIENT-AMZ-ACCT1-BGP-EXPORT-POLICY {
            term 1 {
                from {
                    instance MYNET-SVC-VR1;
                    prefix-list CLIENT-AMZ-ACCT1-BGP-MYNETPREFIX;
                }
                then accept;
            }
        }
        policy-statement MYNET-SRX650-BGP-POLICY {
            term 1 {
                then accept;
            }
            term 2 {
                then reject;
            }
        }
        policy-statement mynet-amazon-bgp-policy {
            term 1 {
                inactive: from {
                    protocol static;
                    prefix-list mynet-amazon-test;
                }
                then accept;
            }
            inactive: term 2 {
                then reject;
            }
        }
    }
    routing-instances {
        CLIENT-AMZ-ACCT1-VR1 {
            instance-type vrf;
            interface st0.3;
            interface st0.4;
            route-distinguisher 1103:9999;
            vrf-target target:1103:9999;
            vrf-table-label;
            protocols {
                bgp {
                    group CLIENT-AMZ-ACCT1-EBG {
                        type external;
                        advertise-inactive;
                        neighbor 169.254.47.121 {
                            hold-time 30;
                            export CLIENT-AMZ-ACCT1-BGP-EXPORT-POLICY;
                            peer-as 7224;
                            local-as 65000;
                        }
                        neighbor 169.254.45.45 {
                            hold-time 30;
                            export CLIENT-AMZ-ACCT1-BGP-EXPORT-POLICY;
                            peer-as 7224;
                            local-as 65000;
                        }
                    }
                }
            }
        }
        MYNET-SVC-VR1 {
            instance-type virtual-router;
            interface reth1.0;
            routing-options {
                auto-export;
            }
            protocols {
                bgp {
                    group MYNET-SRX650-BGP {
                        neighbor 172.28.255.243 {
                            hold-time 30;
                            export MYNET-SRX650-BGP-POLICY;
                            peer-as 65001;
                            local-as 65000;
                        }
                    }
                }
            }
        }
        VR1 {
            instance-type vrf;
            inactive: interface reth0.0;
            interface st0.1;
            interface st0.2;
            route-distinguisher 7224:1000;
            vrf-target target:7224:1000;
            vrf-table-label;
            routing-options {
                static {
                    route 192.168.1.0/24 discard;
                    route 0.0.0.0/0 next-table inet.0;
                }
            }
            protocols {
                bgp {
                    group ebgp {
                        type external;
                        advertise-inactive;
                        neighbor 169.254.46.225 {
                            hold-time 30;
                            export mynet-amazon-bgp-policy;
                            peer-as 7224;
                            local-as 65000;
                        }
                        neighbor 169.254.44.153 {
                            hold-time 30;
                            export mynet-amazon-bgp-policy;
                            peer-as 7224;
                            local-as 65000;
                        }
                    }
                }
            }
        }
    }

    submitted by /u/ckozler

    Extreme/Zebra T3/T5 PowerBroadband VDSL Wireless System

    Posted: 20 Apr 2018 12:48 PM PDT

    So we have a site that we acquired last year. It is currently serviced via ~50x MC-802 802.11g access points, fed via a VDSL T3 PowerBroadband switch which we assumed. Obviously 802.11g sucks, speeds are not great, etc.

    The issue is this site will be closing down at the end of next year for a full gut/renovation, with additional conduit/routes being installed as part of that scope. Lots of hard ceiling etc. makes it very hard to get Cat6 around currently, which is why they had put this system in in the first place. Obviously all of our other locations have Cat5e/Cat6 fed via PoE with most having dual-band 802.11ac access points.

    So what we are throwing around is possibly doing a replacement with upgraded equipment: TW-0511, which are single radio, but at least 802.11n, which would be many times better and help with much higher data rates and more efficient use of the 2.4 GHz spectrum. That would require the upgraded T5 PowerBroadband switch as well, which is supposed to offer better backhaul speeds.

    Does anyone have any experience with this product line? Someone said at some point you may only get ~6-10 Mbps per AP, even though normally with 802.11g you can see a max of 20 Mbps, and the T3 broadband switch is supposed to do 75 Mbps down and 10 Mbps upload per AP. T5 is supposed to do 105 Mbps/50 Mbps, but all of those values are spec-sheet given.

    I could probably be all in for around ~$6k to upgrade to the newer units/switches. Given all of the core drilling, wall cutting, conduit placement, wiring, and equipment, that would be required to do the ideal scenario, we could be talking 15x-20x that amount, which would be a very hard sell.

    submitted by /u/cooldude919

    cisco aironet active sensor

    Posted: 20 Apr 2018 08:43 AM PDT

    Has anyone purchased one of these to test wireless performance for their WLAN? Trying to determine whether I'm better off purchasing this to diagnose wireless network issues or setting up a RasPi to do this.

    submitted by /u/charlie_xavier

    Juniper Op Script Question

    Posted: 20 Apr 2018 06:12 AM PDT

    I'm currently in the middle of a migration from Cisco to Juniper. The more I play with Junos, the more I like certain aspects, but there is one thing that Cisco has that I have yet to find a satisfactory alternative to in Junos. Cisco IOS has a "show interface trunk" command that will obviously display any ports configured as trunks. In all of my research Junos does not have this; you have to already know the trunk interface to find what VLANs are on it.

    In my googling, I ran across this forum board: https://forums.juniper.net/t5/Ethernet-Switching/Simple-Trunking-Question/td-p/21857. The second answer contains an op script that would do exactly what I want. The only problem is I have no idea how to use an op script.

    I've spent hours trying to learn all I could about it, but some things still don't make sense. How do I load the script ONTO the switch? I understand how to load it into the config, but how do I get it on the switch in the first place? If anyone has detailed instructions or can point me in a direction to find them, I'd be super grateful.

    submitted by /u/njandersen97

    ASA Help - Anyconnect VPN to Azure VPN routing (bgp)

    Posted: 20 Apr 2018 12:01 PM PDT

    Hey there.

    We are spinning up an Azure instance for some application servers. I have successfully connected our internal network to Azure with routed VPN using BGP.

    At some point in the very near future I will need to route our Anyconnect VPN clients to this network as well.

    User connects with AnyConnect and receives a 10.1.1.x address.

    Azure VTI address is 10.255.255.X

    Internal network is 192.168.x.x (RIP)

    router bgp 65500
     bgp log-neighbor-changes
     bgp graceful-restart
     bgp router-id 10.255.255.X
     address-family ipv4 unicast
      neighbor azure_gw remote-as 65515
      neighbor azure_gw ebgp-multihop 255
      neighbor azure_gw activate
      network 192.168.0.0
      network 10.255.255.0
      redistribute rip
      no auto-summary
      no synchronization
     exit-address-family

    So I guess I need to get the routing information from the AnyConnect clients into the mix. How does one go about this? I know RIP isn't ideal, and I'm not averse to changing it - but our internal network is pretty simple...

    submitted by /u/wasserbox

    Best certs when you don't do implementation?

    Posted: 20 Apr 2018 11:34 AM PDT

    Hey guys -

    In my new role I've stepped away from implementation and focus on architecture, business drivers etc.

    I still need to stay very technical, just not to the point where I can turn the wrench. I have a CCNP in R&S and I'm thinking about taking the CCIE R&S written... but where could I go from there?

    CCDE maybe? Another vendor-agnostic certification that may offer less hands-on, configuration-oriented certificates?

    submitted by /u/willabizzle

    Are the copper ports shared with the SFP+ ports on the Cisco SG350x 10GB?

    Posted: 20 Apr 2018 11:29 AM PDT

    Can't find a Cisco doc to say for sure; it appears to be the case, but before I spec these I want to be certain.

    submitted by /u/mailerdeemon

    Multiple subnets on one switch

    Posted: 20 Apr 2018 10:54 AM PDT

    Hello fellow networkers! It's my first post here, related to an exercise I'm doing for university, and I would love to have some feedback on how I've done it and share some thoughts with you to get some kind of clarification, if possible.

    In short, the exercise is to build a Wi-Fi network for a town square, 40 m in length, with approximately 8k people living in that town. The network has to fulfill the need to let approximately 1k people connect for every event that would be held there. Yes, my teacher really loves a practical approach to networks.

    The exercise breaks down in some point:

    • rewriting the problem with technical language, check
    • a small drawing of the placement of switches, routers, wi-fi APs etc., check
    • the kind of technology used, i.e. layer 2 or 3 switches, if you need a router or not, why you are using 2.4 or 5 GHz signal for Wi-Fi, (kinda) check
    • subnetting, dear god help me

    Basically, my problems come from the 3rd and 4th points of the exercise, propagating from the third to the fourth. So, I thought to place one layer 3 switch with four Gbps uplink ports all connected to a single layer 2 switch that would manage the 5 access points of the square (one in the center and one for each corner). Now, my main issue comes from the fact that if I use a subnet mask like 255.255.255.0, I can just cover 253 hosts to serve, and this is not what I need, but if I use a different subnet for every access point, I can fulfill the needs of a much larger number of hosts. Now my main problem is, can I create those five different subnets on the same switch? Is it something I could do in real life, or do I need 5 different switches? How would you improve this solution, and above all, why in a particular way?

    Final point, security of the network. Is it something I can achieve with just some common blocking rules or do I need something more specific like a firewall?

    Thanks in advance for your help! :)

    EDIT: formatting

    submitted by /u/backsofangels017
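An added worked example for the subnetting question (not the poster's work): it sizes one subnet per AP from the client count, carves them out of a supernet with the standard library, and emits the SVI stanzas for a single layer-3 switch, which is what makes five subnets on one box possible. The 10.10.0.0/21 supernet, VLAN numbers and 200 clients per AP are constructed inputs.

```python
"""Subnet plan for the square: one subnet per AP instead of one flat /24."""
import ipaddress
import math


def prefix_for_hosts(hosts):
    """Smallest prefix that fits `hosts` clients plus gateway, network and broadcast."""
    return 32 - math.ceil(math.log2(hosts + 3))


def usable_clients(network):
    """Client addresses left after the network, broadcast and gateway (SVI) addresses.

    This is where the post's '253 hosts' for a /24 comes from.
    """
    return network.num_addresses - 3


def plan_subnets(supernet, ap_count, hosts_per_ap, first_vlan=10):
    """Carve one subnet per AP out of `supernet`, assigning consecutive VLAN ids.

    Returns a list of dicts (vlan, network, gateway, usable); raises ValueError
    when the supernet cannot hold ap_count subnets of the required size.
    """
    net = ipaddress.ip_network(supernet)
    new_prefix = prefix_for_hosts(hosts_per_ap)
    if new_prefix < net.prefixlen:
        raise ValueError(f"{hosts_per_ap} hosts per AP need a /{new_prefix}, larger than {net}")
    subnets = list(net.subnets(new_prefix=new_prefix))
    if len(subnets) < ap_count:
        raise ValueError(f"{net} only holds {len(subnets)} x /{new_prefix}, need {ap_count}")
    plan = []
    for i, sub in enumerate(subnets[:ap_count]):
        plan.append({
            "vlan": first_vlan + i,
            "network": sub,
            "gateway": sub.network_address + 1,   # first host address as the SVI
            "usable": usable_clients(sub),
        })
    return plan


def svi_config(plan):
    """IOS-style SVI stanzas: every subnet lives on the same layer-3 switch, one VLAN each,
    so the answer to 'do I need 5 switches?' is no; the APs just need the right VLAN per SSID."""
    lines = []
    for row in plan:
        lines += [
            f"interface Vlan{row['vlan']}",
            f" ip address {row['gateway']} {row['network'].netmask}",
            " no ip redirects",
            "!",
        ]
    return lines


if __name__ == "__main__":
    # Constructed inputs: 5 APs, 1000 clients in total -> 200 per AP.
    plan = plan_subnets("10.10.0.0/21", ap_count=5, hosts_per_ap=200)
    for row in plan:
        print(f"VLAN {row['vlan']}: {row['network']} gw {row['gateway']} ({row['usable']} clients)")
    print(f"total clients: {sum(r['usable'] for r in plan)}; one flat subnet would need a /{prefix_for_hosts(1000)}")
    print("\n".join(svi_config(plan)))
```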

    new IOS XR turnup

    Posted: 20 Apr 2018 10:35 AM PDT

    So we're looking at upgrading from our old RSP-4Gs on an ASR9010 to RSP440s. I'm doing pre-install upgrades on the new RSPs, got them upgraded to 5.3.4, and there is one thing (originally two) conspicuously missing that I can't reconcile with documentation.

    I can't create SSH keys - the crypto key command doesn't exist (the crypto command only lists other subcommands). Forgot this was in exec mode, not config.

    The http server command doesn't exist, only the http client command.

    I have nearly every package installed (no BNG package or the 901 nV package) and I'm at a complete loss as to why these commands are straight up missing. Checking our existing router I don't seem to be missing anything in configuration, but I'm not sure if I need to drop into the Linux shell to do keygen despite the command being documented for the XR environment.

    submitted by /u/gramathy

    Business profit loss without having a backup internet provider

    Posted: 20 Apr 2018 08:43 AM PDT

    I remember seeing a graph estimating a business' profit loss when losing internet but I can't seem to find it. It was a Cisco graph. If anyone could find it I would be extremely grateful.

    submitted by /u/sassysassafrassass