Shaping yourself for the future of network engineering Networking

---

• Shaping yourself for the future of network engineering
• Looking for vendors for small deployments
• Netflow for specific SVIs?
• Looking to replace 40 Watchguard APs throughout 20 sites
• Status LED is Blinking fast RED on Cisco C6880-X. Is it dead?
• How do you set up your MDF/IDF cabinets?
• OTV too expensive - Using VXLAN for L2 Extension via DCI instead?
• ISE and TACACS+ on the same Cisco ISE box?
• Throughput limited by Cisco 2960 switch
• WLC 5508 Load Balancing
• Mellanox Connectx3 40gbe - Can't get past 20gbps from Windows VM to Windows VM
• Create pinhole (port forwarding) in Palo Alto 3020
• RADIUS doesn't work with management vlan for first switch only
• Strange network issue with one VM - Help Needed..
• Help iptables
• Ciena 3930 SFP module part numbers?
• I have set up a VPN and am trying to allow/deny traffic for certain networks with UFW
• Suggestions for phone system refresh?
• Link Aggregation for Video Editing (?)
• AWS MPLS vs MPLS -> Direct Connect
• catching loops on non-managed switches
• Different Port QoS on C6.5K VS-S720-10G Module with VSL
• At what rate does the efficiency of the network drop when using hubs?

Shaping yourself for the future of network engineering Posted: 26 Apr 2018 04:56 AM PDT I have been a network engineer for a few years and work at a large company that has many different silos for different technologies. For example my department deals with engineering anything networking below firewalls. Those are handled by a dedicated IPS department that I work very closely with. My question for anyone willing to answer would be, how should I be shaping my expertise in order to stay valuable in the job market? I have a couple years prior experience as a systems administrator at a very small company where I did everything, so I at least have working knowledge of all other technologies. Should I be going outside my current job description to master firewalls? Polish up my scripting abilities? concentrate on server infrastructure, and virtual networking? I am very happy at the job I am at now, but you never know what would happen, and I want to keep myself current and viable. Thoughts? Experiences? submitted by /u/perfectbackstage [link] [comments]

Looking for vendors for small deployments Posted: 26 Apr 2018 02:32 PM PDT Hi, This is my first post on reddit, please be kind ;-) I'm a network engineer working with Cisco and Juniper gear. I know what you can (and cannot) do with particular boxes and software. From time to time I am asked to help with a small deployment, where there is no budget for Cisco or Juniper. However this is justified by a very little feature (and performance) requirements. I don't have much experience with other vendors (my home network is built on Juniper, Cisco and one MikroTik for LTE backup). I am looking for some advice - can you recommend something between soho and Cisco/Juniper for L2 switching? Features I am looking for are mostly: DHCP Snooping BPDU Guard MAC limiting LACP SNMP :) RSTP Also, anything for routing which can PAT up to 300-600Mbps of IMIX traffic? I was looking at Mikrotik RB3011UiAS-RM, looks promising. And stateful firewall is a plus here. I would really appreciate any hint or advice. Cheers! submitted by /u/hithxbye [link] [comments]

Netflow for specific SVIs? Posted: 26 Apr 2018 02:03 PM PDT Haven't had much luck googling this because I'm not even sure this is possible or I'm wording it incorrectly. Is there a way with a Cisco 6500 series switch with several SVIs configured, to explort Netflow for those specific VLAN interfaces and only send source/dest information in regards to that specific SVI? Scenario: Customer A has SVI VLAN 20. Customer B has SVI VLAN 30. so on and so forth Each has a dedicated link directly to the Cisco 6500 connected to a switch on their side (basic layer 2 connection passing their vlan ID). They are routed upstream after 6500 to internet. Simple hub n spoke topology. The goal here is to export Netflow to a parser (LogicMonitor collector) in this case. These collectors have a cap of 1000 top flows. I want to break this out and have separate collectors for each customer as to capture as much data per collector. Is this possible? Or does Netflow not work like that. submitted by /u/awkwardviking [link] [comments]

Looking to replace 40 Watchguard APs throughout 20 sites Posted: 26 Apr 2018 02:57 PM PDT We have a Meraki Demo, and a few Fortinets thrown our way. Looking for something cost efficient, manageable without too much headache. Right now we cannot do a captive portal, our Watchguard Controller cannot be upgraded and another needs to be updated. Thoughts on the FortiAPs if anyone has used them. I know this sub has a lot of love for Ubiquiti, I have one in my home. Anyone use open mesh. At this point the wifi is unreliable, ports configured wrong. submitted by /u/chunk_le_funk [link] [comments]

Status LED is Blinking fast RED on Cisco C6880-X. Is it dead? Posted: 26 Apr 2018 02:31 PM PDT Woke up to find the status light on the 16port 10/1GbE supervisor on the C6880-X blinking red rapidly. No response when I tried connecting via console. Turned it off. Took out fan module and supervisor, cleaned them out thoroughly too. But still nothing. Is this device officially dead? It's out of contract, so no Cisco support for this. Anyone who had similar experience? Thanks submitted by /u/nok4us [link] [comments]

How do you set up your MDF/IDF cabinets? Posted: 26 Apr 2018 02:17 PM PDT At my previous job the IDFs would have a patch panel/switch/patch panel/switch stacking. This allowed us to use 6-inch patch cables and everything looked pretty clean. At my present employer, the put all the patch panels on top of the IDFs and switch stacks below. Then they run like 7ft cables to patch everything in and it looks like a cluster! Recently, we had a vendor ask about angled patch panels but suggested the same setup as they have here, patch panels on top and run cable down the sides to connect the switches. I prefer the way my former employer set up everything. Is that the wrong way? Is there best practice I should be following? submitted by /u/jaime_cal [link] [comments]

OTV too expensive - Using VXLAN for L2 Extension via DCI instead? Posted: 26 Apr 2018 11:42 AM PDT Afternoon Everyone - Working on a project to bring online a second datacenter and a DCI back to our primary site. We are going to have a L2 Psuedo-wire between the two sites, and I was originally hoping to terminate that connection into N7K's on both ends, and use OTV for the L2 extension. Unfortunately, even refurb'd N7K's will be north of $60K, which won't be possible for this project. So I'm now looking into using VXLAN on some N9K's to accomplish the same goals. Has anyone had success with this? submitted by /u/dricha36 [link] [comments]

ISE and TACACS+ on the same Cisco ISE box? Posted: 26 Apr 2018 11:07 AM PDT Hi, I can't find much info on this but I know someone may help here. I'm planning a deployment of about 20000 endpoint with ISE (most functionality, using Base/Plus/Apex/Anyconnect licenses), and would certainly use a 3595 server for it, which should support the endpoints with no issues, but I also want to enable the Device Admin license to configure a number of devices (let's say 2000). How should I decide if the almost topped 3595 will support a number of TACACS+ sessions (say 1000, don't fix on my numbers, I know that 1000 sessions for 2000 devices is way off). How can I know if the device can handle all the traffic? In Cisco I can find comparison tables with number of simultaneous devices for RADIUS sessions (NAC), and TACACS+ sessions per second, but I can't find the limit for the TACACS+ sessions. I'm pretty sure that I can mix them, but the main thing is that we want to find a technical reason to NOT mix the two. Thanks for your time. submitted by /u/NuttyBunny [link] [comments]

Throughput limited by Cisco 2960 switch Posted: 26 Apr 2018 06:51 AM PDT I have a 300x300 fiber internet circuit. When testing directly to the ISP's CPE using Speedtest.net and iPerf to HE's public server using 40 parallel streams to saturate the link, I'm able to get 300M up and down. I have a EdgeRouter Lite as my router. Eth0 is the WAN and Eth1 is my LAN. When testing directly to the LAN interface, I'm also able to achieve 300M. Now on the Cisco 2960 switch, there are 2x 1G copper interfaces. When I connect Gi0/1 to Eth1 on the ERL and Gi0/2 to my test machine, I can now only get around 150M up and down when testing with Speedtest.net and iPerf. My Speedtest latency is only about 2ms and the iPerf latency is about 18ms. Obviously my switch is the bottleneck. I have a few more things to test such as a local iPerf test with two machines connected to each Gi interface on the 2960. I won't have a chance to do this for a few more days, but I was wondering what may be causing this? My interfaces on the 2960 are negotiating to 1000 full, and there are no errors incrementing on the counters. There's no special configuration on these interfaces. Am I missing something? submitted by /u/brianatlarge [link] [comments]

WLC 5508 Load Balancing Posted: 26 Apr 2018 04:39 AM PDT We use a 5508 controller in our network environment. My question is about Load Balancing policies on the controller. I see where load balancing is set at, and ours is at a default Client Window Size of 5, and a Maximum Denial Count of 3. My question, which I seem to not be able to find in Cisco documentation, is is this setting globally turned on, or does it have to be enabled per WLAN to be turned on. We have 3 WLANs and all of them do not have load balancing turned on. Any help would be appreciated! Thanks! submitted by /u/tvangeste [link] [comments]

Mellanox Connectx3 40gbe - Can't get past 20gbps from Windows VM to Windows VM Posted: 26 Apr 2018 10:03 AM PDT Scenario: Two Windows Server 2012 R2 virtual machines, one on each of 2 Esxi hosts. Hosts are directly attached to each other via connectx3 infiniband cables (card models and cables confirmed to be compatible via mellanox) I have spent hours with Vmware & Mellanox support. EsxiHost1 to Esxhost2, via SSH, DOES achieve 40gbs using iperf directly in the CLI of the esxihost, so I know the drivers should be good. I have tried the following: I have tried PCI passthrough, allowing me to achieve 20gbps When using VMXnet3 i can't push past 17 or 18gps I have tried many small tweaks in windows including Jumbo packets/TCP offload/etc etc under the "configure" section of the network adapter Help me achieve 40gbps throughput (please)! submitted by /u/mikecrash [link] [comments]

Create pinhole (port forwarding) in Palo Alto 3020 Posted: 26 Apr 2018 12:28 PM PDT I am having issues with a NAT for palo alto. I am trying to do what is in the diagram below. It works from our IP address and a few others, but the majority of the internet canno't get to the site after the NAT statement is created. The frist link is the current NAT translation that works from out site (not in the same subnet as the server we are trying to static nat for, nor do we have a VPN to this colocation space). https://imgur.com/7BCCAzp The second image is what I am trying to do: https://imgur.com/a/GEdUSlP submitted by /u/extremenetworks [link] [comments]

RADIUS doesn't work with management vlan for first switch only Posted: 26 Apr 2018 11:49 AM PDT I have a RADIUS server which works for 3 of my 4 switches and I don't understand why. 192.168.18.1 192.168.18.2 192.168.18.3 192.168.18.4 18.2, 18.3, 18.4, works fine, the radius sees they and the AUTH is ok, but for 18.1 it doesn't work. The error message on ther RADIUS server is coming from the ip 192.168.15.3 which is the managment ip for the MPSL of the main switch there. I don't understand why can't the RADIUS pick up the ips of the management of the first switch. submitted by /u/napsterpepper [link] [comments]

Strange network issue with one VM - Help Needed.. Posted: 26 Apr 2018 11:24 AM PDT I have a strange issue with a Windows 2012 R2 VM.. Apps team said they were having an issue transferring a file. They did a running ping from the server doing the transfer to the server receiving the file.. When they specified a byte size of 5000 it would randomly drop pings but the latency was fine.. This is all over the WAN.. To troubleshoot I have done the following: When I do a running ping with a packet size of 5000 on another VM on the same host I get no drops from two different WAN core switches. Moved VM to another host (even though host not suspected to be issue) - issue persisted. Rebooted VM Removed VMNIC (was VMXNET3) and Added New VMXNET3 - issue persisted. I can ping local LAN physical and virtual servers without issue on the problem VM. I'm out of ideas of things to try.. If the server can ping local LAN nodes with no issue that would point to it being the WAN, no? But then why are other VMs on the same vmware cluster (and same esxi host) not having the issue?? Thanks for any ideas! submitted by /u/Walter_Whitey [link] [comments]

Help iptables Posted: 26 Apr 2018 10:33 AM PDT Hello, Having those few lines.. Would you say that is a machine acting as a server or as a client? Do you detect any error on the configuration? iptables -t filter -F iptables -t filter -X iptables -t filter -P INPUT DROP iptables -t filter -P OUTPUT DROP iptables -t filter -P FORWARD DROP lan = "192.168.1.0/24" www = "eth0" iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -p tcp -s $lan -o $www --dport 80 -j ACCEPT iptables -A OUTPUT -p udp -s $lan -o $www --dport 53 -j ACCEPT iptables -A OUTPUT -p tcp -s $lan -o $www -j ACCEPT submitted by /u/pr_m3 [link] [comments]

Ciena 3930 SFP module part numbers? Posted: 26 Apr 2018 10:26 AM PDT Can anyone tell me what part number a Ciena 3930 uses for SFP modules? I called fs.com and they weren't sure, but were going to have an engineer check. I've heard that they will work with prolabs XCVR-000CRJ - but I really would like to find a sfp module that will work with what we need....the scenerio is att circuit to Ciena 3930 with fiber handoff to us, Sophos XG125 firewall doesn't have a SFP port so we're using a media converter...I know, I know...media converters...but, it's what I've got in this situation. Anyone have any insight into this? Anyone have a specific media converter/sfp module they know works with a 3930? I found an old thread with this same issue, but, I need LC to LC sfp modules, no SC... ( https://www.reddit.com/r/networking/comments/5feduk/fiber_converter_question/ ) I tried this media converter: https://www.amazon.com/Converter-SFP-Transceiver-20KM-ipolex/dp/B0716XT1QT/ref=sr_1_7_sspa?ie=UTF8&qid=1524763716&sr=8-7-spons&keywords=10gtek%2Bmedia%2Bconverter&th=1 but, going from the sfp module that came with the cienna to the sfp module that came with the media converter, no luck - you think if I had matching sfp modules that would help? I'm thinking about getting this media converter: https://www.amazon.com/StarTech-com-Gigabit-Ethernet-Fiber-Converter/dp/B011KH1TTC/ref=sr_1_3?s=electronics&ie=UTF8&qid=1524763639&sr=1-3&keywords=startech+media+converter My reasoning being that the startech one in the thread I mentioned earlier seemed to work for the OP of that thread...but he was using SC sfp modules that weren't multimode... I wish I could just change the handoff from the ciena to us from fiber to cat5/6 but, AT&T basically said to do that we need to cancel and reorder the circuit...even though the cienna 3930 can do it by simply changing a setting...such bs... Any insight is greatly appreciated. submitted by /u/lifeisbutajoke [link] [comments]

I have set up a VPN and am trying to allow/deny traffic for certain networks with UFW Posted: 26 Apr 2018 09:45 AM PDT I have been trying to allow/deny traffic to certain networks with UFW. The I have several others, but the one in the picture is the one I am working on first. I have tried many things so far, we are probably on hour 4 of this. I cant figure out why UFW is still blocking the traffic in the picture. https://i.imgur.com/WpJdEqf.png Any input would be greatly appreciated. Thanks! submitted by /u/Nanabas [link] [comments]

Suggestions for phone system refresh? Posted: 26 Apr 2018 09:09 AM PDT Our organization currently runs Cisco voice for everything (CM, CCX, ER, UC). Our phones are 79xx and are failing at exponential rates.   Current environment: - 500 7961G-GE - 10 7962 - 25 7936 - Most phones use Line 1 and possibly Lines 4-6 for organization speed dials - 30 or so phones use Extension Mobility - All phones are PoE (except 7936) - Skype for Business Hybrid configuration (not currently integrated with CM, but there is future opportunity)   I am hoping the community can offer feedback or suggestions on the following: 1. Cloud PBX/PTSN? Our organization has been slowly transitioning to more Microsoft cloud services and I am wondering if we should position ourselves for Cloud voice services. 2. Cisco or Other? #1 might dictate whether we stay with Cisco or move to other vendors. Exchange might be able to replace Unity Connection (voicemail) and Skype for Business might be able to replace Contact Center Express (call queues, auto attendants). 3. New or Refurbished? I see a $1,000 new phone on CDW that is only $300 refurbished on third-party sites. If we stay with Cisco, should we purchase new or refurbished phones? We will not be adding the phones to SmartNet coverage, so is there a practical difference between new and refurbished?   Cost is the most important factor. SmartNet coverage is not cheap, by any means, and my general feeling towards Cisco is that they try to lock you in wherever possible. User acceptance could be a hurdle if we migrate to another system, but if the cost savings are significant enough I'm sure this could be tolerated.   I appreciate any and all feedback. submitted by /u/blobskewer [link] [comments]

Link Aggregation for Video Editing (?) Posted: 26 Apr 2018 08:50 AM PDT Skip below to TL;DR if you don't care about the background. Hi all, looking for some help to understand what's going on with my link aggregation. I'm the de facto IT guy at a small public access TV station (with my background more in video and audio engineering). For those who aren't familiar, public access is basically the library for video: anyone can come in and check out cameras/equipment, use the studio, and/or edit in our community editing room - all free of charge. For that community editing room, patrons are currently logging into network accounts and storing archived files on our NAS. As of now, all the editing needs to be done locally on a SAN connected device (we use 2TB LaCie Rugged Thunderbolt bus powered drives). When someone comes into edit, they check out "their drive", which is shared among 4-6 people. To avoid the scheduling nightmare of people sharing these drives, we've decided to take the step towards folks storing their edit on the NAS. The speed theoretically works, but rendering is a bit slow. TL;DR I'm looking to create a link aggregation from each computer to the NAS using the physical ethernet port and a thunderbolt ethernet adaptor. For some reason, I'm getting the same speed whether I'm using either of these connections or both of these connections (roughly 500/500Mbps for read/write). Why does creating a link aggregation not double my speed? Late 2013 iMac running macOS 10.13 Gigabit Ethernet port Thunderbolt Gigabit Ethernet adaptor ^ bonded to theoretically create 2G connection Late 2012 Mac Mini Server running macOS 10.12.6 10G fiber connection to switch Thunderbolt connection to RAID submitted by /u/goldenageretriever [link] [comments]

AWS MPLS vs MPLS -> Direct Connect Posted: 26 Apr 2018 08:40 AM PDT Just wondering if anyone is currently utilizing a MPLS connection directly into AWS? We are developing a new product that is going to be located in the Virginia Region (primary) and the Oregon Region (backup). Our business partner is going to basically be the PE and we are going to be the CE. They do not want to do AWS Direct Connect because apparently it is too hard for them, they would rather do MPLS. We have a primary data center on east coast and a backup (DR) in midwest. We were going to take in the MPLS into both data centers and on the back end have 4 Direct Connects (one into each region from each data center). I would then just route traffic back into MPLS to complete the connection. Then my VP was wondering if we could just do MPLS directly into AWS and just bypass the Direct Connect entirely. I imagine we would just have VPC that goes into either a CSR1000v or a vSRX. I have not done this before so curious to see if anyone else has. I know AWS does it because I have a few PDFs but looking for people who are actually doing this in prod. submitted by /u/realged13 [link] [comments]

catching loops on non-managed switches Posted: 26 Apr 2018 03:14 AM PDT https://imgur.com/a/ZzfmxD5 Hello, I wonder if someone can help me out with a HP Procurve -> layer2 switch situation. I have to put up with some users plugging cheap layer 2 switches into our network. Ideally I would just stop them right there and disable the port, but I'm not allowed to. If a loop is created on the cheap none-managed switch, loop-protect doesn't stop it. Do you guys know of any HP procurve commands that can detect the downstream loop and disable the port? PS: in the case of a loop, I am OK with shutting down that segment of the net. TIA submitted by /u/nxspam [link] [comments]

Different Port QoS on C6.5K VS-S720-10G Module with VSL Posted: 26 Apr 2018 02:08 AM PDT Hello, I've got a question regarding different QoS policies on a VS-S720-10G Module which also hosts a VSL. Setup: - 2 x Catalyst WS-C6509-E (IOS 12.2(17r)SX7) with a VS-S720-10G Supervisor Engine and a VS-F6K-PFC3C submodule as VSS - The Te2 interface is used as a Virtual Switch Link (the other is located on a WS-X6708-10GE module), Te3 is used as a L3 interface. - Gi1 is used for Fast Hello Dual-Active Detection in the VSS - Gi2 and Gi3 are not in use. I would like to use Gi2 as a L3 interface with a set of QoS rules (WRR). From my understanding a special QoS is needed for the VSL ("no mls qos channel-consistency") and the cisco documentation states, that "Port-based queue types are determined by the ASICs that control the ports"[1]. The only thing I could find out is that "The Supervisor Engine 720 features the PFC3, which is equipped with a high-performance ASIC complex"[2]. I'd like to know if the Gi2 interface is served by another ASIC and therefore can be configured with different Qos rules from the VSL interface Te1. One more thing I found: "12.2(33)SXHI will allow diverse QOS configuration on the unused 10G port of Sup720-10G".[3] So would maybe upgrading to 12.2.(33) help? Or does this only affect the 10G ports? Thanks for any advice! Sam [1] https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/qos.html [2] https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/product_data_sheet09186a0080159856.html [3] https://www.cisco.com/c/dam/global/da_dk/assets/docs/presentations/VSS_0109.pdf submitted by /u/u-trox [link] [comments]

At what rate does the efficiency of the network drop when using hubs? Posted: 26 Apr 2018 08:54 AM PDT I am creating a network topology for a class and have to provide multiple scenarios in regard to the economic impact of the whole network. In the first scenario I was using switches to switch between the 8 hosts, but for the second one I need to use a hub for the same purpose. What is the efficiency drop and how can I measure it in terms of congestion, dropped packets etc. when switches are replaced with hubs? submitted by /u/BokaBlues [link] [comments]

You are subscribed to email updates from Enterprise Networking news, blogs and discussion.. To stop receiving these emails, you may unsubscribe now.	Email delivery powered by Google
Google, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States