    Wednesday, May 2, 2018

    Rant Wednesday! Networking

    Rant Wednesday!

    Posted: 01 May 2018 05:11 PM PDT

    It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

    There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

    submitted by /u/AutoModerator
    [link] [comments]

    ISE ISE Baby

    Posted: 02 May 2018 01:49 PM PDT

    Yo, VRF, let's kick it!

    ISE ISE baby
    ISE ISE baby

    All right stop
    Collaborate and listen
    ISE is back with a brand new invention
    SOMETHING grabs a hold of me tightly
    The Net flows that I handle daily and nightly
    WILL I EVER WORK?
    Yo, I don't know
    Turn up the ports and I'll glow
    To the extreme, I grant the auth like a vandal
    Bring up a page and send 'em through on their handle

    Dance
    Around the problem that looms
    I'm killin' your brain like a poisonous mushroom
    Deadly, when I play a dope melody
    You were caught stealing data? That's a felony
    Love it or leave it
    You better gain way
    You better hit bull's eye
    The ISE don't play
    If there was a problem
    I might solve it
    Check out the book while DNS resolves it

    ISE ISE baby… I'm Cisco
    ISE ISE baby… I'm Cisco
    ISE ISE baby… I'm Cisco
    ISE ISE baby… I'm Cisco

    Now that the party is jumping
    With the MAB kicked in, the ACLs are pumpin'
    Quick to the point, to the point no fakin'
    I'm cookin' DC's like a pound of bacon
    Burning them.. if they're not quick and nimble
    I go crazy when I see a symbol
    And MAC bypass.. with Apple OUI
    I'M ON A ROLL and my latency's high
    ROLLIN version 2.3
    With patches installed (and they were free)
    The SNS on standby
    HA is the war cry
    DO YOU CRASH?
    Naw, I just retry
    Kept on pursuing to the next hop
    The AC left and then I heard a fuse pop
    That row was dead…

    So I continued to pull the fuse, WHERE'S THAT ALLEN SCREW
    Racks were hot dressed with top shelf cables
    Hardware stacks pushing routing tables
    JEALOUS 'cause I'm out getting mine
    Admin full of rage and Cisco lookin' fine
    READY for the docs on the call
    The patients feeling ill, 'cause smoke is filling the hall
    MELTED cables trashed as hell
    I took my time
    All I heard were bells
    RINGING in the DC real fast
    Jumped in the pipe, flowed through the tubes
    Packet to packet the data stream's packed
    I'm tryin' to fail over before the hackers hack
    InfoSec on the scene
    You know what I mean?
    They spun me up, made sure I was in the green
    If there was a problem,
    I might solve it
    Check out the book while DNS resolves it

    ISE ISE baby… I'm Cisco
    ISE ISE baby… I'm Cisco
    ISE ISE baby… I'm Cisco
    ISE ISE baby… I'm Cisco

    Take heed, 'cause I'm a lyrical poet
    InfoSec's on the scene just in case you didn't know it
    My team, that fixed the problems they found
    Enough to cause all their heads to pound
    'Cause my style's like a chemical spill
    Pokin' more holes than policy can fill
    Wrapped and packed
    ISE is a hell of a concept
    We make it hype and you want to step with this
    IE's gettin' paid, slice it like a ninja
    Cut like a compute blade so fast
    Other PS says "damn"
    If hope was a drug
    I'd sell it by the gram
    Keep my composure while I take abuse,
    But I won't let on that I can't produce
    If there was a problem
    I might solve it
    Go read the book while DNS resolves it

    ISE ISE baby… I'm Cisco
    ISE ISE baby… I'm Cisco
    ISE ISE baby… I'm Cisco
    ISE ISE baby… I'm Cisco

    Yo man, let's get out of here
    Word to your cluster

    ISE ISE baby
    Console…
    ISE ISE baby
    I polled I polled..
    ISE ISE baby
    Withhold withhold..

    ..access.

    submitted by /u/holey_guacamoley
    [link] [comments]

    Softphones and QoS

    Posted: 02 May 2018 06:47 AM PDT

    I'm trying to diagnose occasionally sketchy VoIP quality in a medium-sized network running Cisco switches, Fortigate firewalls and RingCentral softphones (no actual hard phones anywhere).

    I took a look at a Wireshark capture on my laptop going to RingCentral during a call. It doesn't look like DSCP is set on these packets. This tells me that all of the QoS on all of the switches is actually doing nothing at all. Am I reading into this correctly?

    https://imgur.com/a/2hAJZTy

    submitted by /u/macward82
    [link] [comments]
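A way to check the capture described above for yourself, as an added example that is not part of the post: parse the IPv4 ToS byte of each packet and report the DSCP value on UDP packets in an assumed RTP port range (the range and the sample packets below are constructed for the example, not RingCentral's real values). If the softphone leaves DSCP at 0, a switch that classifies on DSCP will treat the media as best effort.

```python
import struct
from collections import Counter

# A few RFC 2474 / RFC 4594 code points, for readable output
DSCP_NAMES = {0: "BE (CS0)", 46: "EF", 34: "AF41", 26: "AF31", 24: "CS3", 8: "CS1"}
EF = 46  # the usual marking for voice media


def build_ipv4_udp(src, dst, sport, dport, dscp, payload_len=160):
    """Build a minimal IPv4+UDP packet (constructed input, not a real capture)."""
    def ip2b(a):
        return bytes(int(x) for x in a.split("."))
    tos = dscp << 2                      # DSCP is the top 6 bits of ToS, ECN the low 2
    udp_len = 8 + payload_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + udp_len, 0, 0, 64, 17, 0,
                         ip2b(src), ip2b(dst))
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return ip_hdr + udp_hdr + bytes(payload_len)


def dscp_of(packet):
    """Return (src, dst, proto, dport, dscp) for an IPv4 packet, or None if not IPv4."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    dport = None
    if proto in (6, 17) and len(packet) >= ihl + 4:   # TCP/UDP: dest port at offset 2
        dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return (src, dst, proto, dport, packet[1] >> 2)


def audit_voice_marking(packets, rtp_ports=range(16384, 32768)):
    """Count DSCP values on UDP packets in the (assumed) RTP port range.
    Returns (Counter of DSCP values, list of packets that are not marked EF)."""
    seen = Counter()
    unmarked = []
    for pkt in packets:
        info = dscp_of(pkt)
        if info is None or info[2] != 17 or info[3] not in rtp_ports:
            continue
        seen[info[4]] += 1
        if info[4] != EF:
            unmarked.append(info)
    return seen, unmarked


# Constructed sample: softphone -> provider unmarked, provider -> softphone EF, plus HTTPS
SAMPLE = [
    build_ipv4_udp("10.1.1.50", "192.0.2.10", 20000, 20002, dscp=0),
    build_ipv4_udp("192.0.2.10", "10.1.1.50", 20002, 20000, dscp=EF),
    build_ipv4_udp("10.1.1.50", "198.51.100.5", 51000, 443, dscp=0),
]

if __name__ == "__main__":
    seen, unmarked = audit_voice_marking(SAMPLE)
    for dscp, n in seen.items():
        print(f"DSCP {dscp:2d} {DSCP_NAMES.get(dscp, '?'):9s}: {n} packets")
    for src, dst, _, dport, dscp in unmarked:
        print(f"unmarked media {src} -> {dst}:{dport} (DSCP {dscp})")
```

On a real capture, feed the raw IPv4 payloads of the frames instead of SAMPLE; the outbound direction is the one the local switches act on.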

    Aruba ClearPass vs Cisco ISE vs ForeScout

    Posted: 02 May 2018 09:32 AM PDT

    Looking for some community feedback. Do you use these systems? If so what do you like or dislike about them?

    If there was something you could know now that you didn't know when you chose your platform, what would it be?

    I run a Cisco shop, no BYOD, and very little wireless (company managed iPads under AirWatch).

    submitted by /u/dravenhavok
    [link] [comments]

    Networking/IT presentation to high school kids -- any good topic ideas?

    Posted: 02 May 2018 09:40 AM PDT

    Hi all, I have a coworker who asked me to make a 20-30 minute presentation on the topic of IT and networking for a group of high school kids (think vo-tech IT 101). They've touched on a little bit of everything, apparently, and he's looking for a more informal "real practitioner's" perspective. So... what are everybody's thoughts on topics? Hopefully we have a few members still in HS/college who can weigh in on what they'd want to see.

    Couple ideas I've been kicking around: OSI Model, basic subnetting, basic campus architecture (DNS/DHCP/AD/Wifi/switches/etc), virtual machines, how to set up a homelab.

    submitted by /u/pmormr
    [link] [comments]

    100G + BGP Router/Switch

    Posted: 01 May 2018 11:55 PM PDT

    Hi guys. I got a new task at work. The company is planning an upgrade from 10G to 100G by the end of this year. They are getting some deal on a wavelength to SIX (Seattle Internet Exchange). The plan is to get a 100G port at SIX and peer. There is not much information available about router/switch models and pricing. I am familiar with Brocade, Ubnt and Mikrotik only. I have only seen one article about Netflix using Arista 7280 and 7500 for the same situation. Does anyone have pricing information about these models? I tried looking them up on eBay and there is nothing. I want to gain some knowledge before talking to vendors. Please share your valuable experience about your 100G solution. Company budget is $20k, it's super low (I know... lol but boss is always right!!).

    submitted by /u/calgary2k17
    [link] [comments]

    Weird 802.1Q issues with Wireshark.

    Posted: 02 May 2018 11:52 AM PDT

    Has anyone seen an 802.1Q tag change between ingress and egress PCAPs? I'm trying to troubleshoot why traffic is being discarded across two network devices, and the 802.1Q tag completely changed even though the tag (that it changed to) isn't marked on that interface.

    submitted by /u/LeanBreeze
    [link] [comments]

    Entire Verizon MPLS Network went down because I plugged in a Router. Whyyy?

    Posted: 02 May 2018 03:13 PM PDT

    I'll try to keep it short.

    We have a Verizon MPLS (using BGP) with roughly 15 different locations. We have been deploying Citrix SD-WAN at each location. Today we deployed SD-WAN at one location and it caused the entire MPLS Network to go down as soon as we turned up the port.

    My question - how could 1 device (SD-WAN) possibly cause an outage for our entire MPLS Network using BGP?

    Edit: We believe we did not properly enable the export path and advertised all the local networks including 0.0.0.

    submitted by /u/MikeMonopoly
    [link] [comments]

    Collect sFlow from uplinks or from all the ports?

    Posted: 02 May 2018 01:32 PM PDT

    Quick question: should I have sFlow sampling enabled only on the uplinks in both directions, or have it configured on every interface of a distribution-level switch but only in one direction, for example inbound?

    I'm wondering about a situation where the switch sends samples from the same flow: wouldn't it show as a duplicate flow on the collector if I have it enabled on both interfaces the flow travels through?

    submitted by /u/PublicSectorJohnDoe
    [link] [comments]
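The double-counting question above can be worked through numerically. This is an added example, not from the post: it emulates one switch's sFlow agent with a deterministic 1-in-N counter per sampling point (real agents randomise the interval around the same mean) and lets the collector-side estimate be compared for the three placements the post asks about. The interface numbers and flows are constructed.

```python
def sample_switch(packets, sampling_points, rate):
    """Emulate an sFlow agent on one switch.
    packets: iterable of (in_ifindex, out_ifindex, flow_key, frame_bytes).
    sampling_points: set of (ifindex, "in" | "out") where sampling is enabled.
    Every sampling point a packet crosses takes its own 1-in-`rate` decision,
    so a single packet can yield more than one sample."""
    counters = {point: 0 for point in sampling_points}
    samples = []
    for in_if, out_if, key, nbytes in packets:
        for point in ((in_if, "in"), (out_if, "out")):
            if point not in counters:
                continue
            counters[point] += 1
            if counters[point] % rate == 0:
                samples.append({"flow": key, "bytes": nbytes, "point": point})
    return samples


def estimate_bytes(samples, rate, direction=None):
    """Collector view: each sample stands for `rate` packets of that size.
    With `direction` set, only samples taken in that direction are counted,
    which is how a collector can avoid counting a packet twice."""
    est = {}
    for s in samples:
        if direction and s["point"][1] != direction:
            continue
        est[s["flow"]] = est.get(s["flow"], 0) + s["bytes"] * rate
    return est


# Constructed traffic: flow A is 100k x 1000 B from access port 1 to uplink 49,
# flow B is 50k x 100 B coming back from 49 to 1. True totals: 100 MB and 5 MB.
FLOW_A, FLOW_B = "10.1.1.5->203.0.113.9", "203.0.113.9->10.1.1.5"


def traffic():
    for _ in range(100_000):
        yield (1, 49, FLOW_A, 1000)
    for _ in range(50_000):
        yield (49, 1, FLOW_B, 100)


RATE = 100
PLACEMENTS = {
    "ingress_all": {(1, "in"), (49, "in")},                       # every port, inbound only
    "uplink_both": {(49, "in"), (49, "out")},                     # uplink only, both directions
    "everywhere":  {(1, "in"), (1, "out"), (49, "in"), (49, "out")},
}


def compare(direction=None):
    """Byte estimate per flow for each placement (optionally one direction only)."""
    return {name: estimate_bytes(sample_switch(traffic(), pts, RATE), RATE, direction)
            for name, pts in PLACEMENTS.items()}


if __name__ == "__main__":
    for name, est in compare().items():
        print(f"{name:12s} A={est.get(FLOW_A, 0):>12,d}  B={est.get(FLOW_B, 0):>10,d}")
```

Ingress on every port and both directions on the uplink give the true totals here; enabling both directions on every port doubles them unless the collector keeps only one direction, and ingress-everywhere is the only placement that would also see traffic between two access ports.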

    Cisco vWLC - APs 'hanging' - broadcasting SSID but not allowing connections

    Posted: 02 May 2018 01:55 AM PDT

    Hi,

    I've got a fairly simple network of a mixture of 1142, 3502 and some 3602 APs connected to 3560 PoE switches and being controlled by a vWLC running 7.6.120.0. The software has been pretty much rock solid but I've not ruled this out as an issue.

    I'm having an issue whereby APs will appear as registered with the WLC, be broadcasting the relevant SSIDs, but not allow client devices to connect. The devices attempting to connect have no underlying similarities (different OSes, different hardware). The issue occurred again this morning on an 1142 with the following:

    S/W Version .................................... 7.6.120.0

    Boot Version ................................... 12.4.18.3

    Mini IOS Version ................................ 3.0.51.0

    The issue seems to occur after a fairly random period of time, and doesn't affect all APs at the same time. It affected one out of 5 that came up at the same time, so it wouldn't necessarily appear to be an issue with the vWLC in that we didn't lose registrations of other APs at the same time.

    Has anyone else experienced similar here? I'm wanting to move to a hardware WLC ASAP anyway but I'd prefer to try and understand the root cause of the problem. It's resolved by issuing config ap reset - as soon as the AP comes back it's fine.

    Edit: Having researched, I wonder if it's something related/similar to https://quickview.cloudapps.cisco.com/quickview/bug/CSCuc78713

    Edit 2: 5508 arriving on site Friday; 1142s are being retired over the weekend. Raze it to the ground approach.

    submitted by /u/mr-mistoffelees
    [link] [comments]

    IPsec Cisco & Strongswan

    Posted: 02 May 2018 01:06 PM PDT

    Hi, I'm having a few issues setting up a Cisco router with a strongSwan peer. I'm getting a « no trusted rsa public key » error from the strongSwan peer, but all the CA and intermediate CA certificates are in /etc/IPSec.d/cacerts/. I see the « request cert xxxx » but only seem to receive 2 from the Cisco box. I only get the 2 ICAs and not the root CA. The root CA is present on the box and everything looks good on both sides. What could be the issue? Thanks

    submitted by /u/bestnovaplayerever
    [link] [comments]

    Monthly WAN Quota for LAN Device

    Posted: 02 May 2018 05:54 AM PDT

    Hi,

    I'm just wondering if anyone has found a gateway device that can track WAN usage for LAN devices and implement a quota (on a monthly basis) please?

    Thoughts from anyone with real experience of this would be gratefully received.

    Thanks.

    EDIT: Our particular requirement is to limit a single LAN device to 50 GB / month so it doesn't blow the 200 GB data cap on the LTE WAN connection.

    submitted by /u/jonbennell
    [link] [comments]

    Networking Monitoring

    Posted: 02 May 2018 07:38 AM PDT

    So I have been tasked with possibly replacing our current network monitoring software and wanted some input on what other people are using. Currently we are using Nagios but it's starting to lack features that we want.

    EDIT: I should have included that we have a 7.5k-node network right now that we monitor and it's only expanding from there.

    submitted by /u/ajemery9
    [link] [comments]

    Using Ansible to configure Loopback with an IP address on NXOS?

    Posted: 02 May 2018 07:37 AM PDT

    Has anyone seen a way to use the native Ansible modules for NXOS to configure a Loopback interface in NXOS with an IP address?

    I use the nxos_interface module to create loopback0, which works fine.

    However, if I use nxos_l3_interface to apply an IPv4 address to the loopback0 interface, that task fails with the output indicating that it failed upon trying to issue a 'no switchport' command under the loopback0 interface which is an invalid command in that context.

    I'm using 2.5 with the network_cli connection method.

    I could drop down to using nxos_config to deal with this but I'm looking for a way to see if this can be done via nxos_l3_interface.

    submitted by /u/scrapple74
    [link] [comments]

    Cumulus Linux Feedback

    Posted: 01 May 2018 09:19 PM PDT

    I would like to get feedback from someone using Cumulus Linux. If anyone is using the product out there I would love to know your thoughts and what is cool and what needs work. We have been looking into different SDN products since Cisco is now going the same model to encourage cloud SDN adoption.

    submitted by /u/longfeathers
    [link] [comments]

    CLI spoofing prevention

    Posted: 02 May 2018 10:21 AM PDT

    Not sure if this belongs in /r/voip but it seemed like a mix of enterprise/home over there, and this is somewhat topical here anyways. Disclaimer: I am a novice to voice outside of the basics of setting up/managing VoIP for small business/home use, so I'm aware my speculation may sound dumb. Just trying to learn.

    Can someone explain why CLI spoofing is not more preventable? In my admittedly limited understanding of all things voice it seems that the problem may be purely legal, i.e. we could require CLI info to match the number it originates from but there are no laws doing so. Am I correct or are there deeper technical reasons why? Almost sounds like a problem that could be at least somewhat mitigated by requiring verified registration of CLI info when the number is registered to some person/entity. Something along the same lines as a routing registry to prevent incorrect BGP advertisements.

    Also any pointers to deep dives into how voice routing/registration works on the provider level would be appreciated. I sort of get it from rubbing shoulders with the voice team while working at a large SP, but....not really. It's always sounded like a weird mix of ancient Bell arcana and modern networking concepts to me.

    submitted by /u/scair
    [link] [comments]

    Retail Store Network - Best practices?

    Posted: 01 May 2018 05:24 PM PDT

    Anyone here manage retail store networks? How do you do it, and what's best practice? VOIP? POS machines? Domain controllers? Failover internet?

    We are on VOIP Phones and if the internet cuts out or if there are some unexplainable issues there's no one there that can do simple debugging or power cycling and a lot of issues pile up.

    What are ways that you have found to allow as much remote fixing/debugging as possible?

    Sorry I'm a newbie, please go easy on me haha.

    submitted by /u/nahccire
    [link] [comments]

    Connecting my server's SFP+ 10Gb port to a Cisco 1gigabit switch. Please advise.

    Posted: 02 May 2018 09:10 AM PDT

    So I have a Chenbro 4U server with an older dual LGA 2011 (v1) Foxconn motherboard. It has 2x SFP+ 10Gb ports (1 ethernet port, but it's for BMC). I also have a Cisco SG200-26 gigabit switch. As I've learned recently, you can't connect an SFP+ 10Gb port (using an SFP+ cable) to a 1Gb SFP port. So my question is, would the following setup work:

    Use a GLC-T Cisco 1000BASE-T SFP transceiver module. Plug that into the SFP+ 10Gb port on my server. Then simply plug in a Cat 6 cable to run from the transceiver to any open ethernet port on my switch?

    Do you know of a better solution or a cheaper one? Or is this priced well and will work with no problems?

    submitted by /u/miekster
    [link] [comments]

    BGP failover NAT statements on Cisco FTD (ASA5525-X)

    Posted: 02 May 2018 09:08 AM PDT

    We have BGP peering in place on our firepower device with two ISPs both advertising the same /24 network. The BGP is configured on the firewall and we do not have an upstream router. Since the firewall is a stateful device we cannot have traffic coming in one ISP and going out the other. We have used a combination of AS path prepending and BGP communities to force all traffic to/from one ISP or the other.

    When we perform a test failover, everything works properly with the BGP path selection, but no traffic flows to our servers until we update the NAT statements to go to ISP1 vs ISP2. The FMC will only allow us to NAT to an individual interface (ISP1 or ISP2) and we cannot NAT to an interface group. I am wondering if there is a workaround for this so everything fails over automatically if one ISP goes down. Ideally I would like to avoid having to add a router to our topology.

    submitted by /u/zfs_balla
    [link] [comments]

    Looking for a SD-Wan solution that has a lan interface passthrough...

    Posted: 02 May 2018 07:18 AM PDT

    So I'm looking to put some SD-WAN appliances at client sites. What I need is a physical appliance that has at least one physical WAN interface to connect to the internet (modem/gateway/ONT/Ciena/Adtran/etc), and then two LAN interfaces: one of the LAN interfaces being the "sdwan" option, and the other LAN port being a dumb bridge to the WAN interface.

    The goal here is to be able to have two networks...one interface using the sdwan functionality of the appliance, and one that simply passes through the internet connection to the lan interface...

    Does anyone know of such a solution?

    submitted by /u/lifeisbutajoke
    [link] [comments]

    Cisco AP PoE issue

    Posted: 01 May 2018 09:42 PM PDT

    I'm sure there are other or better places to ask this, I tried on the IRC but would like a second opinion. We as a business don't use much Cisco equipment currently, so I don't have much experience with it, but the hardware choice is out of my hands.

    Currently we are trying to set up wireless APs (Aironet 1562E) over PoE (PoE+ in this case, so 25/30W) but they are not all drawing enough power to turn on the radios. It is not consistent between APs either. The ones that do not get enough power log "waiting for poe negotiation to complete" but connect to the WLC (2504) without an issue and get network info etc., they just aren't putting out a signal because of low power. CDP entries show the local host as not having any info on power_* attributes on the failing ones, but these are present on the one that has the radio up. Is manually setting the CDP info viable?

    I have tried unmanaged 802.3at switches with enough budget to run 4 at 30W each, but even if there is just a single one it does not get the power. We also have tried regular power injectors (AIR-PWRINJ6) as listed compatible in the AP data sheets, but even then the AP only gets 15W after waiting for negotiation.

    All devices are brand new too. Currently 1 of 4 APs gets the correct power, the others refuse to negotiate it, and I have several more in boxes to set up.

    I don't know what else to try at this point, we have gone through several updates on the WLC and APs to no avail. I wish I knew more before getting dumped on this. Any assistance or advice would be greatly appreciated. If we just need to return the devices under the presumption that they are bad, that's really unfortunate but it is what it is. Thank you.

    submitted by /u/hiimbob000
    [link] [comments]

    Juniper SRX HA Configuration for dual Internet circuits

    Posted: 01 May 2018 07:25 PM PDT

    So, we are refreshing our Internet edge infrastructure, and seeing as we're an all-Juniper shop, it made sense to go with the SRX platform. We picked SRX 1500's, as they seemed to meet our needs for an affordable price.

    We're currently in the design phase of setting up how all of this is going to work. We're to get two DIA Fiber Circuits for our Internet Handoff. One will be a 10Gbps circuit, and the other a 1Gbps circuit.

    We're currently weighing our options between doing an HA Cluster configuration, or leaving the two SRX's as stand-alone boxes with VRRP and iBGP between them. (LAN side will have a single, static default route pointed to a single gateway IP Address in either scenario.)

    Based on our understanding of how the two configurations work, this is how the two different setups would look.

    Here are some of the pros and cons we came up with between going Cluster Mode and going with stand-alone SRX's.

    Cluster Mode Advantages

    • Maintain state table between both boxes. (This helps sessions stay alive during failover events)

    • You don't lose one of the Internet circuits if one of the SRX's goes down.

    • Single management plane, so the routing and security policy configurations are simplified.

    Cluster Mode Disadvantages

    • Have to put a switch/switches north of the SRX's so that each Internet circuit can be fed Layer 2 to both SRX's. So this includes extra hardware/extra devices to manage.

    • Single management plane could mean crash/failure/instability of both SRX's (but hopefully the new hardware with updated code would make this a non-factor)

    • Adds the redundancy groups configuration to the boxes.

    Stand-alone SRX Advantages

    • We won't have to put any switches up north of the SRX's, so it saves us money, fewer devices/less equipment, etc.

    • More maintenance friendly? (we can do maintenance on one SRX that won't affect the other)

    • Some people like sticking to open standard stuff like VRRP and BGP (not sure if this qualifies as an advantage, but thought I'd throw it in there)

    Stand-alone SRX Disadvantages

    • Less redundancy - each Circuit is hard-tied to one SRX. If SRX-A goes down, we lose the 10 Gig circuit, period.

    • More configuration, as far as setting up iBGP to share routes and VRRP to establish the gateway (this may be trivial configuration, but it's still more)

    • Failover events would be noticed by users, since all the sessions would die and have to re-establish (first packet isn't SYN, etc.)

    That's pretty much what we've come up with so far. We're including feedback from this community in part of the discussion process, so feel free to pick all this apart and tell us what we're over-looking, what we're wrong about, etc. I'm thinking there's probably a bunch more bullet points that could be added to a few of the sections.

    Thanks for any help you guys give.

    submitted by /u/Linklights
    [link] [comments]
