Rant Wednesday! Networking
- Rant Wednesday!
- Multi-homed routes took a new path to Level3 yesterday, preferring Century Link now.
- Configuring new brocade switches on a new c7000 bladesystem enclosure?
- What tech magazines are you reading??
- SFP+ to Laptop
- How many IPS hits do you see?
- Warehouse & Office Network
- ASA 5525-X SNMP not responding
- Cisco 350x48 10GB ports
- I trying to learn MPLS and have a basic question.
- What’s the best way to distribute the bandwidth & client connections (in my scenario) on our network?
- Cisco ACI - Spine - IPN Connectivity
- Multiple VMs across different segments in one VM box
- Sooooooooooooooooooooooo Level 3 issues?
- Need a network visual aid
- Cisco IWAN DIA with CWS - Is Cloud Web Security replaced with Umbrella?
- Layer 2 Fiber link having odd issues with VLAN 1 from Service Provider
- ASA 5525 - is it possible to specify multiple NPS servers for VPN access?
- Do you feel there’s a trend towards moving complexity off of the network and onto the hosts?
- Cisco port forwarding issue
- Help? Trying to figure out a project
- How do you manage SNMP traps
Rant Wednesday!
Posted: 24 Apr 2018 05:09 PM PDT
It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related. There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!
Multi-homed routes took a new path to Level3 yesterday, preferring Century Link now.
Posted: 25 Apr 2018 01:51 PM PDT
We are multi-homed to Century Link and Cogent, both sides are burstable to 10GB, typically we would see a daily peak of about 1GB on Century Link and 1.7GB on Cogent. Currently billed at a base of 1GB on CL and 2GB on Cogent, so that has actually worked out very well for us as far as not seeing overage charges etc.
Yesterday, something changed. Cogent was essentially carrying all of our Level3 traffic and CL was carrying a significant portion of everything else, as of 4:15 UTC yesterday AS209 took over as path to all AS3356 (Level3). Using the Level3 looking glass, AS174 doesn't even appear as an available path anymore. We are now seeing about 2GB on CL and 800MB on Cogent, so we are going to get hammered in overages from CL every month unless this changes back. Not sure if this is related to the CL/LVL3 merger or if there is a peering issue with Cogent/LVL3 (which would not surprise). We are connected to POPs in Pittsburgh.
Not really looking for anything specifically here, just a bit of a gripe, although I would love to hear any thoughts if anybody knows why this happened or any information about the situation. Going to have to explain to management why our Internet costs just went up $20k/year if this maintains.
Edit - We are in Western PA and we connect to POPs in Pittsburgh for both CL and Cogent.
Configuring new brocade switches on a new c7000 bladesystem enclosure?
Posted: 25 Apr 2018 09:53 AM PDT
We are getting a new c7000 bladesystem with virtual connect and embedded brocade switches. The enclosure and virtual connect modules will be configured by someone else but I've been tasked with configuring the brocade switches. This will be brand new switch config. I've configured new brocade switches before but this will be my first time doing it on a blade enclosure. I assume the process is the same? Or are there a few differences?
What tech magazines are you reading??
Posted: 25 Apr 2018 07:31 AM PDT
I am currently working on a CCNA and wanted to keep up with the latest developments in IT, especially networking. I am aware of many publications that address technology developments but wanted to know which you guys thought were the most worthwhile.
SFP+ to Laptop
Posted: 25 Apr 2018 08:34 AM PDT
I found this post from a few years ago. Besides using something like a JDSU tester, has anybody used a laptop with thunderbolt and maybe an external PCI enclosure with a 10G SFP+ adapter? I need something somewhat portable for testing 10G connectivity to the Internet as well as iperf to a server in my core. (We are a service provider) Any recommendations on hardware for this?
How many IPS hits do you see?
Posted: 25 Apr 2018 06:03 AM PDT
I am relatively new to the Network Admin role and I am curious about IPS events hitting our firewall. We have 2 physical sites with a watchguard M series firewall at the edge of each. In the daily summary reports for both I am noticing between 3 and 10 IPS detections listed. This has been consistent over the past couple days. The report states they have been stopped but I am curious if this is something that I should be panicking over. How many IPS events do you normally see on a weekly basis?
Warehouse & Office Network
Posted: 25 Apr 2018 09:29 AM PDT
My company has been looking at me for upgrading their network infrastructure but I've never done too much networking. A lot of the networking here has been done by someone who has moved to a different position and they found me to have be as a dedicated to IT. Anything you guys think I should do or recommendations would be awesome, I'm looking to improve my skills and become a better overall sysadmin.
Important Stuff:
The main issue at the moment is the connectivity to the access points with the Zebra Mobile Scanners. The access points are right where they would be doing anything with network connectivity.
Switching and Routing Equipment:
Here are my issues:
Please advise me on if there are any good upgrades to the system. I have a call with Frontier today about upgrading our internet. We are looking at upgrading switches if there are some good recommendations for 48 Port Switch to replace two in one room.
ASA 5525-X SNMP not responding
Posted: 25 Apr 2018 01:45 PM PDT
Hey all. For full transparency, I posted this same question over on the Cisco firewalling forums earlier but haven't had a response yet. I figured I'd give /r/networking a shot too. Thanks in advance for any replies.
I'm trying to set up SNMPv3 on one of my production ASA 5525-Xs. From what I'm seeing, the ASA is never responding to the SNMP GET requests being sent from my NMS. I've also tried configuring SNMPv2c and have gotten the same result. I am running ASA version 9.2(2)4 and ASDM version 7.3(1)101 on this device currently.
On this particular ASA, my network management subnet is associated with an interface called "P-Config". It is not using the "Management" port, but a regular gigabit Ethernet port. This interface is separate from my "Inside" interface. Additionally, the "Inside" interface is designated as the "Management Access Interface" in ASDM under "Management Access > Management Interface". As part of my testing, I have configured hosts in the "SNMP Host Access List" section of the SNMP config to use the "Inside" interface and the issue occurred on that interface as well. I am normally trying to set up the SNMP Host Access List entries using the P-Config interface.
Both the "P-Config" and the "Inside" interface are security level 100. On the P-Config interface, I have rules allowing UDP ports 161 and 162 from the network management subnet to my NMS and vice versa. I have also added a "permit ip any any" rule at the top of the ACL for the P-Config interface as part of testing. Unfortunately, none of these rules make a difference. Just in case it wasn't clear - the P-Config interface and my NMS are on the same subnet.
I have another ASA - a 5510 - that I use for testing purposes. It is running a similar code base, 9.1(5), and I was able to get SNMPv3 up and running for that device. It is communicating on my network management subnet and is using the same SNMPv3 credentials that I am entering into my production ASA. Same USM, same SNMP user, same SNMP user group.
Doing a Wireshark packet trace from the NMS to the ASA shows SNMP GET packets getting to the P-Config interface on the ASA, but I never receive a response. And yes, I have turned on SNMP on the ASA. Using the Packet Trace tool in ASDM and from the CLI, when I trace with the Source IP set as the IP of the P-Config interface to the IP of the NMS, I get an ACL-drop response due to the "Implicit Deny" rule... even when I have the "permit ip any any" rule enabled at the top of my P-Config ACL.
Here is a sanitized version of my SNMP config (not including location, traps, etc):
At this point, I'm stumped. I've been through all the documentation, forums, blog posts, etc, I can find. I have an open case with Cisco TAC as well and so far they've been unable to find the problem. Any assistance is appreciated.
Cisco 350x48 10GB ports
Posted: 25 Apr 2018 01:38 PM PDT
We recently added one of these switches on one of our floors. It has two 10GB Ethernet ports labeled XG1 and XG2 at the end of the switch next to the four SFP ports. Image here- Is one of these suitable to use as the uplink back to the core switches? I assume they (or the SFP ports) were intended to be used as stacking ports. I can find no answers in the Cisco literature. I tried it and it seems to work OK but I want to make sure I'm not heading for unseen consequences. Thanks
I trying to learn MPLS and have a basic question.
Posted: 25 Apr 2018 03:35 PM PDT
*I'm
I have read through this: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_l3_vpns/configuration/15-mt/mp-l3-vpns-15-mt-book/mp-cfg-layer3-vpn.html
Looking at the topology, how would routing/switching a private network over it work? Where are the IPs encapsulated? I'm confused because to me it looks like you'd have to send private IPs to the first hop off the customer premise.
What’s the best way to distribute the bandwidth & client connections (in my scenario) on our network?
Posted: 25 Apr 2018 03:12 PM PDT
Our setup: there is a coaxial to a basic Arris modem. That Arris modem is connected to a board of coaxial that then have a main line that feed into the wall where spectrum comes from. As well, there is a 2nd coaxial that comes from the board of coaxial that goes to an Arris Surfboard. It's like data modem to allow phones and internet to work once connected via WAN Ethernet. So that Arris Surfboard has a single Ethernet WAN port that has an Ethernet that plugs into the Nighthawk WAN router. Which allows the Nighthawk to allow WiFi and internet to work. Then the Nighthawk router has an Ethernet LAN cable that runs from it to the Cisco switch and the Cisco switch then makes all the wired computers and phones working.
What I want to do: is to somehow make that Nighthawk router the one for the Cisco switch so that only the wired phones and computers use it. The Nighthawk is securely passworded for connectivity and for the router login too. Then have a separate router, (I have a Mac airport express) that will be open without a password to be a public WiFi for everyone to get on. I want to be able to disburse the network equally without having too many clients on one router so that it doesn't mess up and reboot. Cause today there was 60 connection on the Nighthawk at lunch and it had to be rebooted.
Would I be able to get a surfboard with 2 WAN ports and wire up the 2 routers from that? Cause the surfboard now is only 1 WAN port. Or should I just upgrade the Nighthawk router to something much better to help handle the traffic and client connections? Cause the connection is business standards and is 1 internal in and 1 external out. Right.
Cisco ACI - Spine - IPN Connectivity
Posted: 25 Apr 2018 05:12 AM PDT
Hi Guys, I know there are quite some ACI experts here. I am in the process of putting the final touches on the multi-pod design. I have a question to the connections from the spines towards the IPN devices. Every Cisco example uses single connections or a 7K with separate VDC's. I would want to use redundant connections, because I will have 2 IPN devices per data center. So this means Spine 1 and Spine 2 will have 4 physical cables towards the 2 IPN devices. But since the spines will have to peer OSPF to the IPN's I presume I can configure all those 4 physical ports as 1 route peering to the IPN or how does that work? Because from the IPN devices (not in the fabric) that would be a L3 port-channel per IPN back towards the Spine. And since the IPN devices will be Nexus 9K's in NX-OS mode, can we configure a vPC towards the ACI for IPN to Spine connectivity? Last time I read something that peering L3 across a vPC can sometimes lead to mistakes in the hashing of the traffic. That's a bit fuzzy to me.
Multiple VMs across different segments in one VM box
Posted: 25 Apr 2018 04:24 AM PDT
Hi all. Noob question here. My DC has an internet facing Tier 1 Firewall and internal facing Tier 2 firewall. Each Firewall are gateways to certain segments. As part of the DC transformation, lots of the servers are consolidated into VM boxes. My worry is that VMs in one box are coming out of 1 NIC card going to a segment where the Tier 1 firewall is the gateway and another NIC card which goes to the segment where the Tier 2 firewall is the gateway. Is there any risk to putting tier 1 and tier 2 segments in 1 box? Are individual NIC cards like individual PCs in its own network that will never interfere in the box. Will VMs interact with each other in the same box? Thank you reddit in advance.
Sooooooooooooooooooooooo Level 3 issues?
Posted: 25 Apr 2018 12:54 PM PDT
Outages distro feed is buzzing with chatter on Level 3 outage(s) in Southern California, SLC area and NC. Y'all see anything?
Need a network visual aid
Posted: 25 Apr 2018 08:43 AM PDT
Everything I can find actually makes VMs for all the network devices, unless I'm overthinking things, that doesn't sound like what I want. Trying to setup a visual aid for new network setup so I can better plan things, I don't even need simulated traffic flow, although it would be cool. I literally just want something where I can say "generic firewall" connects to "generic/cisco switch 1" and visualize how the network is physically connected.
TL;DR I want something (preferably free) that visually looks like the cisco network simulator but I don't need anything crazy like vm's to truly simulate the traffic.
Cisco IWAN DIA with CWS - Is Cloud Web Security replaced with Umbrella?
Posted: 25 Apr 2018 07:31 AM PDT
Trying to work out if the CWS integration for DIA with IWAN is to be replaced with Umbrella branch since CWS has been EoL for a while. My client is going to need to migrate from Webroot DWP by October but I wasn't aware of the EoL notice on CWS until recently. Yet, as far as I can see, CWS and Umbrella are not working at the same layers or solving the same problems. Does anyone know the path for IWAN DIA for customers who already implemented CWS on ISRs for centralised security policy management?
Layer 2 Fiber link having odd issues with VLAN 1 from Service Provider
Posted: 25 Apr 2018 06:43 AM PDT
Hoping you guys might be able to provide some insight on what the ISP is doing in this case that might be causing my problem. So we use Cisco and have VLAN 1 as our native VLAN (I know shitty practice). We recently got a Layer 2 Fiber Uplink to a remote office. We realized DHCP isn't working across the link but routing works fine and all the correct IP Helpers on the SVI are added. We have a redundant (different provider) link that works normally at this site and is also Layer 2 fiber up link. The only difference is that it is a direct fiber hand off and the link that is giving us trouble is using a fiber to Ethernet hand off.
After some troubleshooting with the provider and running a packet capture on the trunk link I discovered any kind of broadcast would come up with "Ethernet Frame Checksum Errors". If you google this you get a lot of generic responses saying it's just a Wireshark error and to filter it out. As I dug deeper into the issue I noticed that STP is not working for VLAN 1 as well but for other VLANs it works normally (pointing to our core switches as the root). VLAN 1 seems to point to itself as the root. In the packet capture all the STP Frames for VLAN are bigger (94 bytes vs being 64 bytes for the other vlans) and it also comes up with the Ethernet Check Sum Error. I noticed that a lot of the broadcasts are VLAN 1 related or somehow leverage it to some capacity.
I worked with the SP on this and sent them all the packet captures and they did some monitoring on their end but they have not been helpful at all and tried some meaningless tests. I feel like they are doing some kind of extra tagging or filtering out VLAN1 in some way but they keep denying this and saying tagged and untagged traffic should pass normally. Q and Q is not needed per the ISP. I requested they remove the Ethernet hand off and just use direct fiber and also to open up a case with their equipment provider because somewhere along the lines this is not working properly on their end.
Anyone ever experience something like this or have an idea what the SP is doing? I feel like they are not giving me the full story. They are a small SP and after speaking with some of their onsite techs it seems this fiber to Ethernet hand off thing is new for them and they are trying to no do fiber only hand offs apparently. In the meantime I am looking into other SP for this service. Their support has been really unhelpful.
ASA 5525 - is it possible to specify multiple NPS servers for VPN access?
Posted: 25 Apr 2018 05:29 AM PDT
As title says. Does ASA 5525 allow for this, or is it just one IP? I'm planning a cutover to a new NPS server, and wondered if I can configure it to work in tandem for VPN access.
Do you feel there’s a trend towards moving complexity off of the network and onto the hosts?
Posted: 24 Apr 2018 06:31 PM PDT
To me it seems to make a medium to large enterprise network work, it requires a lot of different features. In the past most of these features lived on the switches and routers, and hosts were dumber—and we made the magic happen. But I've kind of felt like there's a trend to move those features and complexity onto the hosts until we're left with a simple network.
Just some small examples: I remember a time when our systems guys always wanted lacp port channels. Now they just want stand alone ports and they do nic teaming that's independent of our switch. Also I read in another thread here that the op's sys admin guys want to run hyper-v network virtualization which is basically switch independent vxlan... not sure how that works but it seems to move the complexity of vxlan completely off the routers/switches and onto the hosts.
Another good example is multicast. You used to have to configure PIM for stuff like iptv, media conferencing, and music on hold. Now you can easily run all of those with zero multicast routing... because vendors started coming out with media servers that basically act like rendezvous point and abstract multicast into the application layer.
It seems like after a point Networks won't have rich features and complex configuration to make stuff work any more. Or like server guys said screw you to the network team and can do most of our stuff on the hosts without our help anymore. Anyone else notice this, or is it just me?
Cisco port forwarding issue
Posted: 25 Apr 2018 04:53 AM PDT
Greetings, When I open port on Cisco router C892FSP-K9
ip nat inside source static tcp 192.168.1.100 22 interface Loopback0 22
Loopback0 is public IP
I have management interface that is not part of the port forwarding and even in different VRF. But still if I connect to the router on the management IP that is on that different interface on the router. I will get forwarded to 192.168.1.100. So pretty much by forwarding port 22, I have disabled my ability to connect to the router with SSH.... anyone knows how to avoid this?
Help? Trying to figure out a project
Posted: 24 Apr 2018 10:12 PM PDT
Let me start off with, I am not a networking guy by trade, but do work in the IT realm. I know enough to get into trouble, and that's where I'm currently at.
I am part of a statewide emergency communications team. One of our duties is providing internet and VOIP services to public safety agencies during disasters. We have multiple vehicles and trailers that currently have separate small office type networks on their own (non-standardized) /24. As we add more server type services to our units, I thought it would be a good idea to start standardizing some of these networks so we could tie into the servers from other units while we are deployed together.
My original plan was to setup a /16 across all the units, with each unit utilizing the space of a /24 (but still set to a /16). Then, if we bridged any two or more networks with a switch, clients on one unit would see the servers on the other, and vice versa. The downside to this is there would be two or more DHCP servers that may answer. Their address space would not overlap, though. It's still not a very elegant solution.
Someone then suggested RIP. But looking at it, I can only configure it on one of the WAN ports on our router. Because of NAT, I don't think this, by itself, would help us. Clients on network A could see the router of B, but not the clients on B's subnet (assuming I'm understanding RIP and how it works with NAT correctly).
I was then thinking, if I could combine RIP with a static route, but again, I know just enough to get myself in trouble with static routes. My understanding, I could set 10.10.1.1 255.255.0.0 with a gateway of 0.0.0.0 pointed at the WAN port RIP is on. If my local subnet is 10.10.1.0, and I wanted to go to 10.10.2.2, it would route it out through my specified WAN port which, with RIP, would be set up to deliver the packet to a router at 10.10.2.1, and then to 10.10.2.2 that sits behind it.
Would this work, or should I stick to the kludge of putting all the units on 10.10.0.0/16 and deal with the multiple DHCP server issue? My biggest hurdle is this network needs to be adaptable, because we don't know in advance what other units will be there, and the routers we have won't allow enough static routes for one for each unit.
How do you manage SNMP traps
Posted: 25 Apr 2018 12:57 AM PDT
What do you use (and like) to display and manage the important, and filter out the not so important snmp traps?