Should I be worried that our ISP just sent us this router? Networking
- Should I be worried that our ISP just sent us this router?
- In light of recent BGP hijacking I became curious, what are your thoughts on BGPSec or other alternatives?
- Arista EOS Help
- why am I seeing traffic generating on my NIC as loopback: lo0 when looking at wireshark?
- Dual WAN with VLANs
- Where are your favorite Visio stencils?
- ISP and Sonicwall each blaming the other for dropped link
- ISP Policing causing issues for egress traffic, how can I fix this?
- What (if anything) does a partially-lit link LED on a ProCurve 2810-24G mean?
- Redundant firewalls for internet connectivity between two datacenters - How to?
- Are there any security concerns with OSPF packets?
- Networking / Cisco games?
- Question Friday (is that a thing yet?)
- AWS and MPLS L3VPN
- Cat IOS 16.5+ ZTP via Guestshell
- Looking for input on IGP implementation
- End-to-end campus QoS help
- ipv4 checksum recalculation after ip change.
- How do you handle prefix lists between customers?
- Torn between using OSPF or EIGRP
- Some duplicate packets on PortChannel
- Stupid routing question (/31 from ISP and then routed /30)
- Blogpost Friday!
- High OutDiscard Count throughout campus
Should I be worried that our ISP just sent us this router?
Posted: 27 Apr 2018 04:09 AM PDT

I joked with a colleague that all Cisco stuff looks 10 years out of date even when new. But from looking at it, it looks like this thing is 10 years out of date...

What are the chances of this being able to handle our new 1Gbps internet connection? Just literally to route between the ISP and us with (presumably) one static route. Everything I've read suggests there's no chance.

I'm beginning to wonder if they literally drop shipped the damn thing to us from eBay!
In light of recent BGP hijacking I became curious, what are your thoughts on BGPSec or other alternatives?
Posted: 27 Apr 2018 05:50 AM PDT

Hey everyone,

After reading about a couple more BGP hijacks this week I was wondering what everyone is thinking about BGPSec, or just the future of BGP in terms of internet routing in general. I read that one of the BGPSec RFC authors apparently said he's not sure if it will ever actually get implemented, but I've also read that up to 5% of the Internet has begun acquiring cryptographic keys for securing BGP (doesn't sound like much, but some areas appear better than others; Latin America is up to 24%).

Do you guys think BGPSec is the future, or a different alternative? Or do you think BGP will continue in its current state without needing/wanting to be changed?
Arista EOS Help
Posted: 27 Apr 2018 02:20 PM PDT

Hey folks,

I'm learning Arista (on my own dime) and was able to get my hands on a pair of Arista DCS-7050T-52. I want to MLAG these together and treat them as a single logical switch, with LACP across them for my hypervisors, similar to how I do it with my Cisco switches. The issue is that one of the switches has EOS 4.10 and the other has EOS 4.17. After a bit of reading, I couldn't find the answer to a few things...

1) Can I copy the firmware from one switch to the other?
2) Could I break things by trying to MLAG these with such different versions?
3) Is there a way to get the latest 4.18.x EOS for these to make them match and have the latest supported by this EOL gear?

My preferred option would be to get the newest EOS for these so that I can test all of the latest features and have all of the latest bug fixes. But that would require a good Samaritan that would already have this downloaded, or a valid subscription to download it.

Any assistance is much appreciated.

Thanks!
Cody
why am I seeing traffic generating on my NIC as loopback: lo0 when looking at wireshark?
Posted: 27 Apr 2018 01:38 PM PDT

First off, I hold my hands up: I'm not familiar with Wireshark. In fact, today at work was the first time I used it and I am now sat watching a tutorial. (I work in first-line support.)

I can see all my network interfaces and there appears to be some called loopback:lo0. What is this? And why is traffic being generated? I can't really find a simple answer to this from researching online.
Dual WAN with VLANs
Posted: 27 Apr 2018 03:30 PM PDT

In our environment we have a dual WAN setup with a VLAN for servers and a VLAN for workstations. Right now we are running Untangle with WAN Balancer running, but the issue we find is that the balancing doesn't really work that well.

Would it be possible, with extra hardware or something with Untangle, to bind a WAN connection to a VLAN so that one WAN is sending traffic to a VLAN and the other WAN is sending data to another VLAN?
Where are your favorite Visio stencils?
Posted: 27 Apr 2018 07:32 AM PDT

I do a lot of graphic design on the side and I just accepted a role that will require me to spend more time designing networks than configuring or troubleshooting (Senior Network Analyst, woop woop!). I typically use the defaults in Visio 2016 but they are so bland to me now. I am wondering if any of you have stencils that are both aesthetically pleasing and very functional for your drawings!
ISP and Sonicwall each blaming the other for dropped link
Posted: 27 Apr 2018 02:45 PM PDT

One of my managed service clients uses a local fiber ISP for their primary internet access. My company uses Sonicwall at all our client sites, generally with no issues.

Sometime near the beginning of this year, the fiber link stopped routing traffic. The link to the Sonicwall TZ400 was live, and an IP address was pulled, but none of our traffic reached beyond the ISP's gateway. This of course caused the Sonicwall to switch to the backup link from another (much slower) ISP, where it stayed until I manually disabled the failover configuration and tried sending pings and traceroutes across the problem connection. Suddenly they started going through and everything was fine, so I switched everything back and wrote it off as an ISP hiccup.

3 days later, the same thing happened again. Same fix again. At this point, I contacted the ISP, who (predictably) blamed our equipment, despite the fact that we can ping their gateway. After some back and forth with them, we got the link back up and running. Over the next weekend, the same thing happened again.

Long story short, the ISP finally did some troubleshooting, and is absolutely adamant that the problem is NOT on their end. Their rationale is "we have hundreds of clients on this same equipment, same configuration, and you're the only one experiencing this issue."

The issue persists to this day, recurring about every 3 days or so, though sometimes it runs as long as a week and sometimes as short as 1 day.

Here's what has NOT permanently fixed the issue so far:

Here's what brings the link back up (for a few days):

When I arrived to replace the Sonicwall for troubleshooting, the link was down, and remained down after I physically replaced the device. Only when I started sending pings across the link did it come back up.

I brought Sonicwall support into this during one of the outages. After spending a good hour capturing ARP traffic and verifying that they could, in fact, reach the ISP's gateway, they said they'll need to work with the ISP and figure out what's happening to the traffic on their end. They confirmed that my config is good, and that there's nothing on the Sonicwall that they're aware of that could be causing this issue.

The ISP continues to insist it's not their end, but is willing to talk to Sonicwall directly about this to try and get to the bottom of it. Right now I'm just waiting for the link to fail again before I get everyone on the phone.

I'm not new at this, and everything I can see tells me that the issue is 100% on the ISP side, but they have a good point; if it's their end, why are we the only ones with a problem? I'm out of ideas. Has anyone else run into an issue like this before?
ISP Policing causing issues for egress traffic, how can I fix this?
Posted: 27 Apr 2018 08:45 AM PDT

We have a 100M DIA on GigE and have been having issues with Internet performance ever since we turned it up a few weeks ago. The carrier claims that everything is great on the circuit and has provided an RFC 2544 report that confirms it. I'm pretty sure the problem now is the difference in circuit speed vs CIR.

We're using an ASR1001X and I've tried to put a very basic traffic shaping policy on the egress interface and that didn't work. I've also attempted to tune the shaping bandwidth down as low as 50M and still had issues. Symptoms are reasonable download speed (80-100M) but upload speed is 0-10M at best, and generally starts out around 10M and by the end of the test is in the Kbps range.

What am I doing wrong here? Are there questions I should be asking the carrier about their policing config that would help with setting up the shaping? This connection is basically only used for a couple of small web servers and office users to browse the web. So far I've mitigated the problems slightly by forcing the LAN side of the router to 100/Full, but that's not a solution.

Any help on this would be greatly appreciated.
What (if anything) does a partially-lit link LED on a ProCurve 2810-24G mean?
Posted: 27 Apr 2018 01:34 PM PDT

We have a subtenant moving in to a vacant floor this weekend and the company told them they could use the existing networking and telephone equipment, which would be fine if there were any to begin with, other than a couple of abandoned and unlicensed Meraki access points and a bunch of ancient Shoretel phones.

I have pulled a ProCurve 2810-24G out of storage and I am finding that the link LEDs on ports 3 and 5 are barely illuminated. Searching for information online has proven nearly impossible because other ProCurves have the DIM status LED. Reading the documentation I don't see any failure mode reflected by a partially lit link LED, and I can't find a console cable around here. I have tested the ports and they're negotiating a Gigabit link and there were no errors in the time I had it plugged in.

There are no trouble tickets for this switch, but there have been so many layoffs that IT just ceased to function in any organized manner, so I wouldn't draw any conclusions from the absence of a trouble ticket.

Does anyone know if the poorly illuminated link LEDs either reflect or foreshadow a future hardware failure?

Thanks
Redundant firewalls for internet connectivity between two datacenters - How to?
Posted: 27 Apr 2018 01:26 PM PDT

Hello,

I'm just curious what others are doing in a multi-datacenter design. We have two datacenters, each with their own internet connection (and the same shared IP space). The distance is too far for HA, so we will have a stateful HA pair at each datacenter.

How are you routing your traffic? Do you prefer one location over the other? Also, how are you synchronizing your rules?

Any insight would be much appreciated.
Are there any security concerns with OSPF packets?
Posted: 27 Apr 2018 12:50 PM PDT

My company is about to get a security audit next week and I'm trying to tighten up my network. I'm not sure if it's normal, but I am getting OSPF Hello packets on all of my VLAN interfaces. I only use OSPF on the main switch that talks to our core router. We usually do static routes at all of our locations, so these packets only show up on this one network that uses OSPF. We only do static routes to adjacent IDFs in our buildings.

The switch is an HP 5820 running Comware 5 plugging into a Cisco 6880. (Cisco) (HP)

I'm thinking the hello packet isn't that big of a deal. I was thinking of adding to the interface ten 1/0/24 on the HP 5820. I'm going to wait until after hours though before I try that. The Cisco is owned by my ISP so I don't like making changes on it, but I can if I have to. I'm more comfortable with HP Comware anyway.

UPDATE: I created an ACL which seems to have stopped the hello packets. I'll look into getting our ISP to use authentication for OSPF. Then I added to all of my VLAN interfaces. Hopefully this will work until I can push for more secure OSPF.

2nd UPDATE: kWV0XhdO's comment achieves the same thing as my ACL without having to touch all of my VLAN interfaces.
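An added example, not from the post or from the HP/Cisco gear it mentions, of the audit a defender can run over captured OSPF Hellos ahead of that security audit: it parses the OSPFv2 header, verifies the packet checksum, and flags Hellos that arrive on user VLANs or that carry no cryptographic authentication. The interface names, router IDs and Hello bytes are constructed for illustration.

```python
import struct
import ipaddress

AUTH_TYPES = {0: "null", 1: "simple password", 2: "cryptographic (MD5)"}
HELLO_FIXED = 20  # mask(4) hello(2) options(1) priority(1) dead(4) DR(4) BDR(4) before the neighbour list
# Constructed 8-byte auth field for AuType 2: zero(2) key id(1) digest length(1) sequence(4).
SAMPLE_MD5_AUTH = struct.pack("!HBBI", 0, 1, 16, 42)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's complement checksum; 0 when a packet with its field in place is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ip4(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed

def build_hello(router_id, area_id, autype=0, auth=b"\x00" * 8, neighbors=()):
    """Constructed OSPFv2 Hello (type 1) used only as sample input for the audit below.
    The MD5 digest trailer that AuType 2 appends after the packet is omitted."""
    body = struct.pack("!4sHBBI4s4s", ip4("255.255.255.0"), 10, 0x02, 1, 40, b"\0" * 4, b"\0" * 4)
    body += b"".join(ip4(n) for n in neighbors)
    hdr = struct.pack("!BBH4s4sHH8s", 2, 1, 24 + len(body), ip4(router_id), ip4(area_id), 0, autype, auth)
    # RFC 2328 A.3.1: the checksum skips the 8-byte auth field and is left zero with cryptographic auth.
    csum = 0 if autype == 2 else inet_checksum(hdr[:16] + body)
    return hdr[:12] + struct.pack("!H", csum) + hdr[14:] + body

def parse_hello(pkt: bytes) -> dict:
    """Decode the 24-byte OSPFv2 header and the Hello neighbour list."""
    ver, ptype, length, rid, aid, _csum, autype, _auth = struct.unpack("!BBH4s4sHH8s", pkt[:24])
    if ver != 2 or ptype != 1 or length > len(pkt):
        raise ValueError("not a well-formed OSPFv2 Hello")
    body = pkt[24:length]
    # With cryptographic auth the digest needs the shared key, so only null/simple are checksummed here.
    checksum_ok = autype == 2 or inet_checksum(pkt[:16] + body) == 0
    nbrs = body[HELLO_FIXED:]
    return {"router_id": str(ipaddress.IPv4Address(rid)), "area_id": str(ipaddress.IPv4Address(aid)),
            "autype": autype, "checksum_ok": checksum_ok,
            "neighbors": [str(ipaddress.IPv4Address(nbrs[i:i + 4])) for i in range(0, len(nbrs), 4)]}

def audit_hellos(observations, user_ifaces):
    """observations: (interface, OSPF packet bytes) pairs as a sniffer would hand them over.
    user_ifaces: interfaces that carry end users only and should never see an adjacency."""
    findings = []
    for iface, pkt in observations:
        h = parse_hello(pkt)
        if not h["checksum_ok"]:
            findings.append(f"{iface}: corrupt or forged Hello claiming router {h['router_id']}")
            continue
        if iface in user_ifaces:
            findings.append(f"{iface}: Hello from {h['router_id']} on a user VLAN; make it passive or filter it")
        if h["autype"] != 2:
            auth = AUTH_TYPES.get(h["autype"], "unknown")
            findings.append(f"{iface}: Hello from {h['router_id']} uses {auth} authentication; "
                            "an unauthenticated peer on that segment could form an adjacency")
    return findings

if __name__ == "__main__":
    # Constructed sample: an unauthenticated Hello leaking onto Vlan10, an MD5-authenticated one on the uplink.
    seen = [("Vlan10", build_hello("10.0.0.1", "0.0.0.0")),
            ("Ten1/0/24", build_hello("10.0.0.1", "0.0.0.0", autype=2, auth=SAMPLE_MD5_AUTH, neighbors=["10.0.0.2"]))]
    for finding in audit_hellos(seen, {"Vlan10", "Vlan20"}):
        print(finding)
```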
Networking / Cisco games?
Posted: 27 Apr 2018 11:59 AM PDT

Are there any decent quality and up to date networking or Cisco based games? Preferably web based and free, but I will take whatever. I know of these: https://learningnetwork.cisco.com/community/learning_center/games
Question Friday (is that a thing yet?)
Posted: 27 Apr 2018 03:12 AM PDT

So, I am currently designing and building out a new 90000 sq ft, 3 floor, 450 person corporate headquarters.

- ASRs on the WAN
- Cisco NGFW running ASA code for firewalls
- Cat 9Ks
- Layer 3 to the access switches
- MPLS
- Separate AV network (all layer 3 to the TOR and core switches)
- I got a free DNA appliance from Cisco

The question is as follows.

For everyone that deployed corporate networks in the last year — what are some lessons learned that I want to look out for? What are some things that you did that you wish you didn't, and vice versa?

For everyone that is building a corporate network now or just finished in the last month — what worked and didn't work? Pain points?

For everyone else — what do you wish was around or was cheaper so you could deploy?

Talk to you all soon and happy networking!!
AWS and MPLS L3VPN
Posted: 27 Apr 2018 11:53 AM PDT

So I'm part of the transport team for our company and we have started looking into AWS. We have an MPLS core providing L3VPN connectivity to our customers. We are looking at using a carrier for Direct Connect to a Transit VPC. I want to extend MPLS to a router in the Transit VPC (CSR1000v or vMX) via a GRE tunnel. The goal is to make that router in the Transit VPC a PE, and each customer VRF in that PE will have IPsec connectivity to the customer's VPC. Basically making a VPC a part of a customer's L3VPN.

I don't see any reason why I can't do this. But I'm pretty new to AWS and have not seen this done in any documentation I've researched. For those experienced with AWS infrastructure, is there anything that I'm missing that could prevent me from doing this? Is there a better way to accomplish what I'm trying to do?
Cat IOS 16.5+ ZTP via Guestshell
Posted: 27 Apr 2018 11:51 AM PDT

Anyone ever have issues with configure commands?
Looking for input on IGP implementation
Posted: 27 Apr 2018 11:38 AM PDT

So I have recently inherited a network that is much larger than what I have previously built. Once again I am the sole proprietor of said network and I have some plans to "fix" what the previous person did and did not do. I have identified the potential of an IGP on a certain closed network to make general configuration and maintenance easier, so on to my question.

In a previous role when we used OSPF, one of my senior network guys told me, when adding a new MLS to the network, to simply add the supernet of a network that was probably broken into like 20ish subnets, i.e. 192.168.0.0 0.0.255.255, as opposed to actually adding the subnet that was on the OSPF interface, something smaller like 192.168.1.0 0.0.0.255.

Everything always worked, but this seemed like bad practice to "overscope" a network like that, and since I have not had the pleasure of working with many experienced networking people I was wondering if there were any thoughts that some of you all may have on the topic.
End-to-end campus QoS help
Posted: 27 Apr 2018 12:53 AM PDT

I am trying to implement an end-to-end QoS solution for a three tier hierarchical campus network and am rightly stumped. I'm confused as to which interfaces require a queuing service-policy and whether it should be ingress, egress or both. I also need help with marking classification (typical TCP/UDP ports so I can create the access-lists for marking) of a 2p6q3t configuration.

I have access to Safari; can anyone recommend me a book which will go through QoS in a practical sense and is easy to follow, which I can then translate to this network type?
ipv4 checksum recalculation after ip change.
Posted: 27 Apr 2018 11:27 AM PDT

Hi,

RFC 1624 https://tools.ietf.org/html/rfc1624 defines a method to update the checksum after a change in the IP header. However, it is for 16-bit field changes. So if I modify a 16-bit IP header field (total length, identification etc.) I can follow this RFC. But what about an IP address change, which is 32-bit? Do I need to run this update twice, once for the "lower half" and once for the "upper half" of the new IP address?

Thanks.
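Worked example, added here rather than taken from the post: RFC 1624 equation 3 applied once per 16-bit half of the address, then checked against a full recomputation over a constructed IPv4 header (the 172.16.10.x header and the 203.0.113.7 rewrite are sample values, not from the post). The two halves are simply two more terms of the one's complement sum, so the order of the two updates does not matter.

```python
import struct
import ipaddress

def ones_complement_add(a: int, b: int) -> int:
    """Add two 16-bit words with end-around carry (RFC 1071 arithmetic)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def checksum(data: bytes) -> int:
    """Full RFC 1071 checksum. Pass the header with its checksum field zeroed to
    compute it, or with the field in place to verify it (result is 0 when valid)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for (word,) in struct.iter_unpack("!H", data):
        total = ones_complement_add(total, word)
    return (~total) & 0xFFFF

def incremental_update(hc: int, m: int, m_new: int) -> int:
    """RFC 1624 eqn. 3 for one 16-bit field: HC' = ~(~HC + ~m + m')."""
    s = ones_complement_add((~hc) & 0xFFFF, (~m) & 0xFFFF)
    s = ones_complement_add(s, m_new)
    return (~s) & 0xFFFF

def update_address_checksum(hc: int, old_ip: str, new_ip: str) -> int:
    """Apply the 16-bit update once per half of the 32-bit address. Each half is an
    independent term of the sum, so no 32-bit variant of the formula is needed."""
    old = ipaddress.IPv4Address(old_ip).packed
    new = ipaddress.IPv4Address(new_ip).packed
    for i in (0, 2):
        m = struct.unpack("!H", old[i:i + 2])[0]
        m_new = struct.unpack("!H", new[i:i + 2])[0]
        hc = incremental_update(hc, m, m_new)
    return hc

def build_header(src, dst, total_len=60, ident=0x1C46, ttl=64, proto=6) -> bytes:
    """Constructed 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def rewrite_source(hdr: bytes, new_src: str) -> bytes:
    """Rewrite the source address the way a NAT box would: patch bytes 12..15 and
    fix the checksum incrementally instead of recomputing it over the whole header."""
    hc = struct.unpack("!H", hdr[10:12])[0]
    old_src = str(ipaddress.IPv4Address(hdr[12:16]))
    new_hc = update_address_checksum(hc, old_src, new_src)
    return hdr[:10] + struct.pack("!H", new_hc) + ipaddress.IPv4Address(new_src).packed + hdr[16:]

def header_valid(hdr: bytes) -> bool:
    """True when the checksum field agrees with the rest of the header. Both the
    0x0000 and the 0xFFFF encoding of zero verify, which RFC 1624 relies on."""
    return checksum(hdr) == 0

if __name__ == "__main__":
    original = build_header("172.16.10.99", "172.16.10.12")
    rewritten = rewrite_source(original, "203.0.113.7")
    print("before:", original.hex())
    print("after: ", rewritten.hex(), "valid:", header_valid(rewritten))
```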
How do you handle prefix lists between customers?
Posted: 27 Apr 2018 10:43 AM PDT

We've been building an MPLS network that connects a few customers to each other and then to our datacenter. Customers also want their network to be segmented and all the traffic should go via firewalls (because of the nature of the customers and some regulatory stuff). We run BGP between the VRFs and firewalls, and try to route the networks everywhere we can to avoid NAT, and then limit the traffic with firewalls and routes with prefix lists. As it's a lot of legacy stuff and private IP address networks from here and there, we can't really do summarization like "Customer A: 10.128.0.0/14, Customer B: 10.132.0.0/14" etc.

The actual question is: how do you manage such prefix lists between networks? Do you only allow the actual subnets being used, or allow a larger prefix and hope that there are no collisions? (For example, if a customer has 10.128.0.0/24, 10.128.5.0/24 and 10.128.11.0/24 in use, do you just add 10.128.0.0/20 to the prefix list?)

I know ISPs can use DBs that have routes added by every party, but as these are private networks I'm not really sure if we can do this. Or should we still try to have a centralized database where every subnet is added and then prefix lists would be generated automatically based on that data? Our IPAM is a bit of a mess, but if we fixed all the networks there to the correct VRFs and so on we might be able to pull the data from there...

Also the decisions of when to advertise what network where are a bit problematic, as the customers also host their own servers and might provide some connections to our other customers.

Any other ideas for doing this kind of larger network that connects multiple organizations running different subnets with private IP addresses?

Thanks!
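An added example, not the poster's tooling: starting from a constructed IPAM export, it finds prefixes that already collide across customers, computes the covering supernet the post asks about (10.128.0.0/20 for the three /24s), lists which other customers' prefixes that supernet would also admit, and generates an exact-match IOS-style prefix list from the IPAM data instead. The customer names and every prefix other than the three from the post are made up.

```python
import ipaddress
from itertools import combinations

# Constructed IPAM export: VRF (customer) -> IPv4 prefixes actually in use. Not real data.
IPAM = {
    "CUST-A": ["10.128.0.0/24", "10.128.5.0/24", "10.128.11.0/24"],
    "CUST-B": ["10.128.8.0/24", "10.140.2.0/23"],
    "CUST-C": ["10.128.5.128/25", "192.168.40.0/24"],
}

def parse(ipam):
    """Turn the export into IPv4Network objects, one list per customer."""
    return {cust: [ipaddress.ip_network(p) for p in prefixes] for cust, prefixes in ipam.items()}

def cross_customer_overlaps(ipam):
    """Prefixes that already collide between different customers (the legacy
    private-address problem the post describes). Returns (custA, prefA, custB, prefB)."""
    flat = [(cust, net) for cust, nets in parse(ipam).items() for net in nets]
    return [(ca, str(pa), cb, str(pb))
            for (ca, pa), (cb, pb) in combinations(flat, 2)
            if ca != cb and pa.overlaps(pb)]

def covering_supernet(prefixes):
    """Smallest single prefix containing every prefix in the list: what ends up in
    the prefix list if you 'allow a larger prefix and hope'."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    cover = nets[0]
    while not all(net.subnet_of(cover) for net in nets):
        cover = cover.supernet()
    return cover

def aggregate_admits(ipam, customer):
    """Other customers' prefixes that the covering supernet for `customer` would also
    permit through the prefix list, i.e. the collisions the aggregate silently allows."""
    cover = covering_supernet(ipam[customer])
    return [(cust, str(net)) for cust, nets in parse(ipam).items() if cust != customer
            for net in nets if net.overlaps(cover)]

def exact_prefix_list(ipam, customer, name):
    """IOS-style prefix list generated from the IPAM data: only the subnets in use,
    adjacent ones collapsed, every entry an exact match (no ge/le)."""
    nets = sorted(ipaddress.collapse_addresses(parse(ipam)[customer]))
    return [f"ip prefix-list {name} seq {10 * i} permit {net}" for i, net in enumerate(nets, 1)]

if __name__ == "__main__":
    print("already colliding:", cross_customer_overlaps(IPAM))
    for cust in IPAM:
        cover = covering_supernet(IPAM[cust])
        print(f"{cust}: aggregate {cover} would also admit {aggregate_admits(IPAM, cust)}")
        print("\n".join(exact_prefix_list(IPAM, cust, f"TO-{cust}")))
```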
Torn between using OSPF or EIGRP
Posted: 27 Apr 2018 10:35 AM PDT

We are in the planning/testing phase of moving from a collapsed core layer-2 design to a layer-3 hub and spoke topology, given the current network equipment and limitations. There are future plans to eventually connect some of the other spokes to one another, creating a partial mesh topology. Each spoke is a different site throughout our county-wide network. We will be readdressing each site as we move along, with route summarization being the driving force for the IP address changes. Each site is rather small in size; we will be using a /27 mask for every site, which will contain multiple subnets. This gives every site the potential to be summarized with one single route.

To make the transition from the layer-2 trunk links, we are going to create layer-3 point-to-point links over fiber between the core and each site's distribution switch. The core is a Cisco 6500 and the distribution switches are a mix of Cisco 3650 and 3560. To give an idea of the amount of routing involved, there are roughly 15 distribution switches with the expected addition of multiple sites each year for years to come.

Here is where I've run into a dilemma, so to speak. At the moment I'm torn between using OSPF or EIGRP due to licensing issues and the current network layout. I know that may sound kind of silly, but hear me out.

Originally the intention was to use OSPF for reasons such as being vendor neutral and OSPF scalability with the future growth expected. We would be using a single area 0 design throughout the network given the current size, and had plans to add additional areas as the network size increased. Each link between the core and distribution switch would be set up as OSPF network point-to-point with hub and spoke, and then eventually some links would be configured as OSPF point-to-multipoint for the partial mesh.

Realizing that our distribution switches all have the IP Base license, this would currently limit the network to a maximum of 200 OSPF routes for a single OSPF AS. Certainly this wouldn't be a problem if we created additional areas, but as it stands we have no ABRs between the core and distribution switches which we could use to summarize our routes. With no summarization we end up with about 5-7 OSPF routes per site. Unless I'm missing something here, we would either have to purchase an additional router to use as an ABR for summarization or purchase an IP Services license for each distribution switch to remove the route limit.

We have considered EIGRP as we are currently all Cisco, but would like to stay vendor neutral as we could potentially have non-Cisco down the road. Using EIGRP we would be able to summarize at each distribution switch without additional equipment, which is nice due to our situation, but obviously there are still problems with using EIGRP. The drawbacks of EIGRP are that with our licensing all distribution switches would be in stub mode, so we couldn't pass the routes beyond that switch, which is fine for now, but later down the road when we want to take advantage of the mesh topology we will run into problems passing the routes between the stub routers, unless I am mistaken. Again, we could purchase licenses and use EIGRP without limitations.

On a side note, purchasing additional equipment and licensing is a possibility in the future but not at the moment. Obviously, this is a decision that I have to sit down with my supervisor and thoroughly discuss, but it would be great to get some outside opinions on the matter. I'm always open to suggestions as well; like I mentioned, I could be missing something.

Thanks for reading if you made it this far.
Some duplicate packets on PortChannel
Posted: 27 Apr 2018 10:21 AM PDT

This was a weird one, and I'm still not sure what happened. I'm going to try to run some more tests, but I won't be able to until next week. Knowing my luck, it'll be something totally obvious...

Scenario is the following:

Now here's the fun part... some UDP packets, sent by only a couple of the other machines, are received twice on this server, with some delay (a few microseconds), once on each physical interface of the EtherChannel. After I removed "switchport nonegotiate", there were no more duplicates.

I've looked at pretty much any PortChannel 'show' command I could think of and/or find before and after the change; nothing looked wrong on either side (switch & server). I genuinely cannot figure out why the duplication was happening... Has anyone seen this before?

(to be continued, once I manage to run some more tests!)
Stupid routing question (/31 from ISP and then routed /30)
Posted: 27 Apr 2018 09:48 AM PDT

After posting about the ancient router that an ISP reseller has sent us for our shiny new 1Gbps line, I may be in the market for a new router. I thought it was worth making sure I understand this fully.

This is how things would fit together if I don't change anything:

- The fibre will be terminated on an ISP supplied switch, which will then connect to a Cisco router.
- The 'WAN' side of the Cisco is x.x.x.129/31
- The 'LAN' side of the Cisco is x.x.x.133/30 and will serve as our GW
- The one usable IP is x.x.x.134/30 which I can assign to our pfSense firewall.

So, I get how all this works. However the supplied Cisco clearly isn't suitable for the job. Either they replace it, or I'll have to. If I replace it, I could get a Cisco (expensive), so I'm currently thinking more along the lines of a Ubiquiti EdgeRouter 4.

Or.. Is there a way to just skip the separate router and go straight from ISP switch to pfSense? I guess I could put the pfSense WAN interface on .129/31 and ignore the rest? Or maybe treat the WAN side of pfSense as a /29? Not sure that would work as presumably the ISP is using a /31 mask on their side.

Is there a way to use both the /31 and /30 on the WAN side of pfSense and avoid having the router in between? Am I mad to consider it? I'm happy having a Cisco or EdgeRouter in between, but it just feels like it's a bit of a waste.
Blogpost Friday!
Posted: 26 Apr 2018 11:08 PM PDT

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, as well as a nice description, to this thread.
High OutDiscard Count throughout campus
Posted: 27 Apr 2018 08:15 AM PDT

Welp! I'm at wits' end. I've amplified all my LACP trunks to my 3750X distribution switch to at least 3 interfaces at the least. I'm baffled; should I (being a one man team) implement QoS (with no experience) throughout the campus consisting of a pair of 6509's, 3750X and various 2960X switch stacks??

The network is heavily segmented and bandwidth is policed with a new pair of 500E firewalls. I've exhausted, and therefore AM exhausted over, user complaints of intermittent connectivity drops to the outside and within. The only clue I have are all of these OutDiscards throughout all the switches. I read someone had a similar issue with the 2960X's where the frames weren't being processed by the appropriate ASIC.

I'm in between a rock and a hard place. I'm alone, with no Cisco support and inexperienced with QoS. I hope it's not saturation but some feature I'm missing. Help? Please? :(

https://paste.ee/p/DTxiK
You are subscribed to email updates from Enterprise Networking news, blogs and discussion.