Blogpost Friday! Networking |
- Blogpost Friday!
- Rouge Device on My Network?
- Free Python for Network Engineers Course starts next Thursday (Aug 9)
- Arista Acquires Mojo Networks
- Script / Automation / DevOp Development Cycle
- TextFSM Issues
- Multicast Problems
- 'allow-unsupported-transcievers' for Aruba 8320?
- Collecting base configs
- Presenting web services from DMZ to Internet ? To Reverse Proxy or not?
- Layer 2 Link between DataCenters
- Residential per-unit WLAN with Roaming?
- Does your power come from the floor or the ceiling?
- ECMP and FIB utilization
- Anyone know the make and model of this WiFi access point? Trying to help a friend identify it.
- IP network testing - the challenges
- Fortinet entry-level firewall questions
- Tagged vlans between Cisco SG350 and HPE A5800
- MPLS Network - Need help please
- Career crisis, please help.
- HMF a vLAN Conceptual Resource
- Can someone fact check a network newbie with new vlan and scopes?
- Small Router Recommendation
- Cisco ISE policy sets
| Posted: 02 Aug 2018 05:15 PM PDT It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our member's new and shiny blog posts Feel free to submit your blog post and as well a nice description to this thread. [link] [comments]  |
| Posted: 03 Aug 2018 02:38 PM PDT So this is a situation that happened today. My company deployed Cisco ISE a couple months back, and, despite a few problems, I'm really enjoying ISE. Now obviously a lot of trouble tickets that come in now a days are just adding a phone or printer MAC to the Identity Group or whitelisting a PC MAC temporarily so we can push new certifications to the PC. Well this one customer in particular has been needing a new MAC added every other day, so this morning I decided to look at all dot1x failures on that building's switch and then go out there and fix them all at once. I look through the list of MACs, and I notice one MAC looked odd. A completely different OUI than any other device on our network. I check that failed authentication session in ISE, and notice that it labels the Endpoint Profile as Nortel. Thats odd, because we shouldn't have any Nortel devices. I search in ISE for the first 6 of that OUI and notice that we have 4 Nortel devices on our network. Our network currently has 3,000 dot1x sessions active, so 4 Nortel devices is really odd. I also notice that 3 of the Nortel devices have authenticated with the PC dot1x policy, which means they are authenticating with certificates and not MACs. Better yet, theres one Nortel device in the building I work in, connected to the same switch as me! I tell my more senior network engineer, and now we're both interested. Its very unlikely these devices are rogue machines if they are authenticating with certificates, but still, we're both wondering what Nortel devices could be in use. We immediately go to question the sysadmin shop, but they have no clue. We figure out the switch port the device is connected too, and also the wall port number labeled on the path panel. We hunt all over the offices looking for the wall port, but there's no real rhyme or reason to how they were labeled and large desks cover most ports. Finally, the senior network engineer spies an interesting looking laptop. It just so happens that the laptop in question was mine. I, for some reason, was issued a Lenovo laptop, while the other thousands of ends users use mostly HPs. I tell him thats mine and its a Lenovo, not a Nortel, but he still insists I check my MAC.... Lo and behold, I was the rogue device. I can only assume that Lenovo must have bought Nortel NICs or something along those lines, which is why ISE displayed the device as Nortel. We all got a good laugh out of it, and I genuinely say I would have NEVER checked my own PC. https://imgur.com/a/4aKF7XR TLDR. Found an odd MAC on my network, after searching all over for it, turns out it was my PC. Edit: Rogue not rouge [link] [comments]  |
| Free Python for Network Engineers Course starts next Thursday (Aug 9) Posted: 02 Aug 2018 08:18 PM PDT Periodically, I run a free course on Learning Python for Network Engineers. The next course starts on Thursday, August 9th. This course is an online course and covers Python fundamentals from a network engineer's perspective. The course is a lesson a week for eight weeks. The lessons are delivered via email and consist of videos, exercises, and additional content. The course syllabus is as follows:
The course is generally taught using Python3 (I cover some PY2/PY3 compatibility issues and the reference exercise solutions support both PY2 and PY3). To sign-up, see: https://pynet.twb-tech.com/email-signup.html [link] [comments]  |
| Posted: 03 Aug 2018 05:39 AM PDT |
| Script / Automation / DevOp Development Cycle Posted: 03 Aug 2018 05:42 AM PDT Do any of you follow a 'documented' development cycle for any of the scripting / automation / DevOps that you do? Any special software you use to aid in the sign-off and deployment of the code? We are just getting around to getting an 'official' internal server to be used to house git repos for those of us in IT that aren't on the development side of the house. I'm interested to hear what others are doing and if / what kind of defined processes you're using. [link] [comments]  |
| Posted: 03 Aug 2018 02:16 PM PDT I'm attempting to parse the output of Packet-Tracer using TextFSM, but the first phase is never matched. Here's the relevant part of my template: I've tried various permutations of the above with no luck. [link] [comments]  |
| Posted: 03 Aug 2018 10:26 AM PDT The developers here are starting to work with a multicast protocol implementation in one of our products per a customer request. I have two subnets, one for static hosts/servers and one for user desktops/laptops, etc, with a SonicWall routing between them and to the public internet. The developers need multicast traffic from one subnet to reach the other. Multicast support is disabled by default on this SonicWall. But, it looks like all that's needed to enable is to check a box in the Firewall Settings and check a box on each of the relevant interfaces - easy enough. And as soon as I did, the network ground to a near halt. I am not sure of the exact symptoms, but it took about 10 minutes to be able to bring up the web admin interface on the Sonicwall so I could get those boxes unchecked again. I'm a sysadmin in a one-man shop, so while I have a baseline competency with networking, I don't know enough about multicast as a technology to figure out what went wrong. Is there any obvious textbook cause why this would have happened? Doesn't need to be Sonicwall-specific (click this button then that one), but conceptually, what happened? [link] [comments]  |
| 'allow-unsupported-transcievers' for Aruba 8320? Posted: 03 Aug 2018 12:30 PM PDT We purchased a couple of Aruba 8320s and would like to run Axiom J4859D SFP transceivers (FS.com doesn't have compatible transceivers yet) but upon inserting them into the switch, it shows 'Unsupported XCVR' Anyone know how to get these SFPs working? [link] [comments]  |
| Posted: 03 Aug 2018 04:16 PM PDT Hello! I am working on a tool that works with device configurations, to look for configuration drift, generate device specific configurations, etc. My tool should work for any configuration. To that end, I would like to collect base configurations of all kinds, so I can ensure my tool works appropriately. I would really appreciate it if any of you could provide some base configurations for your environment, so I can use them to test my tool. I'm especially interested in layer 3 device configurations, and configurations that have a different style than Cisco (Juniper, HP, etc). Thanks in advance for any help you can provide! [link] [comments]  |
| Presenting web services from DMZ to Internet ? To Reverse Proxy or not? Posted: 03 Aug 2018 11:59 AM PDT Hi Guys, When would a reverse proxy be favored over a traditional load balancer for making websites/applications accessible from the internet? After reading about reverse proxy, to me it seems like the more "secure" option for publishing websites out to the internet - however in the jobs I have worked before we have not used this technology to make web servers accessible from the internet - we always perform a NAT into the DMZ, to the front end of a load balancer and the web servers sit behind that. When would a reverse proxy be favored over a load balancer and visa versa? [link] [comments]  |
| Layer 2 Link between DataCenters Posted: 03 Aug 2018 11:13 AM PDT Hello, we are having an issue with a gig link between our datacenters. We are only getting roughly 400mb of throughput using iperf between two systems during downtime. When switching to UDP, we get nearly the full gig. Our first thought was window sizing, and the possible need for a wan accelerator. Has anyone seen this before? If so, what did you do to fix it? [link] [comments]  |
| Residential per-unit WLAN with Roaming? Posted: 03 Aug 2018 02:47 PM PDT Hello guys, My NOC Supervisor and I were just having a conversation about a potential Multi-SSID WLAN project for some residential buildings. The idea is where we would have multiple APs for each residential unit/suite, per floor, say 10+ Floors. Each AP would be preconfigured have each SSID be in it's own VLAN(For customer LAN enviroment) and to broadcast the SSID assigned to that unit so the customer may access their network at home. The AP will also be broadcasting, or rather not, every other non-assigned SSID(for the whole building) as Hidden Networks, to allow roaming, for the same unit-SSID everywhere in the complex without drops. Very ambitious, I guess at this point the limitation would how many SSIDs a single AP can hold. Based on some articles I read, there is a range of between 0-64 SSIDs per unit so I don't think thats an issue. Seems like it's more of an overhead problem where the more SSIDs are in a network, the more ssid beacon frames are sent, slowing down the network with upwards of 50% management overhead. I was wondering if you guys had any ideas as to how far we can get with this idea? I had another idea with GPON equipment and programming magic to make the ONTs broadcast 2 networks, one home and one single community-ssid for non-LAN access (IP Isolation) and when you connect to the lan-SSID, it automatically connects you with the hidden one. [link] [comments]  |
| Does your power come from the floor or the ceiling? Posted: 03 Aug 2018 10:43 AM PDT My boss, who is not from around here and constantly complains about how things are done in "America", claimed that the newly-placed server rack which is upside down is actually right-side up, based upon how things are done with "real" racks in other parts of the world. So, the power prongs (on the attached power rail) have the ground pin on top and the two tines on the bottom, like a triangle, and the cable to this power rail goes to the ceiling, when we otherwise have power on the floor. We may have power somewhere above the drop ceiling, I'm not sure. I just want to verify his claims for myself, because he isn't really listening to me while I observe with my best :/ face on. Edit: Picture [link] [comments]  |
| Posted: 03 Aug 2018 02:16 PM PDT Does having multiple paths to a destination increase FIB usage? e.g let's say I have a router with 100K FIB limit. If I have 50K destination prefixes but they all have 2 next-hops each for ECMP, is my FIB now 100% used? [link] [comments]  |
| Anyone know the make and model of this WiFi access point? Trying to help a friend identify it. Posted: 03 Aug 2018 02:09 PM PDT |
| IP network testing - the challenges Posted: 03 Aug 2018 10:27 AM PDT Hello, I am working on a small project investigating the challenges with testing an IP-based computer network. I have come up with two so far - scalability and resource. Scalability being the fact we're being asked to test 100G ports in a model capable of only 40G traffic. Resource is a challenge too. We're a small team and when we're all in the office it's fine - we can work on individual specialities - but as soon as Leave or illness comes in we struggle to move the skills around. I would love some thoughts on more technical challenges if you have any [link] [comments]  |
| Fortinet entry-level firewall questions Posted: 03 Aug 2018 09:39 AM PDT Hey all, I'm looking at maybe picking up a Fortinet Fortigate 50E (FWF-50) and had some questions. First question is regarding the licensing. I see that I can buy them from a lot of places both new and used. I know new I won't have a license and even with Amazon I've seen some complaints about people getting a device that shows up with just a few months left on the term due to the clock starting when it left the first vendor rather than when it left Amazon. So to avoid some of the headaches (and maybe save some cash buying a used one) I was thinking I'd get it without licensing and just buy the license separate and load it on. Is there any problem with this approach? Next is access points. I've had issues in the past with the various WIFI routers I've owned due to where the cable comes into the house. As is often the case where the wiring comes in isn't ideal to get full coverage. That said I'd like to run cabling upstairs and put an AP up there. Are there any caveats to adding an AP to this device that I should be aware of? I've never actually used Fortinets at all, where I work was a Juniper shop and has converted to a Cisco shop. I know both of those have some weird quirks with what's compatible with what, etc and I just want to make sure there's no big gotchas other than checking to see if the models are compatible with each other. I am actually leaving my job in a couple weeks to take a new role at a place that's a Fortinet shop. That coupled with a bit of inspiration from this sub has got me thinking I'd like to upgrade my home kit from the mid-grade Netgear home crap I have to entry level small business kit (baby steps). To be honest until I saw a few threads here I had no idea Fortinet sold an entry level line that's this affordable so I'd never considered it as being an option for home. [link] [comments]  |
| Tagged vlans between Cisco SG350 and HPE A5800 Posted: 03 Aug 2018 08:06 AM PDT Dear /r/networking, I have a problem connecting the SG350 to a HP Comware switch (A5800). I have quite few SG300 switches and they work OK when connected to the HPE A5800. Recently I've got a new SG350 and trunk port configuration doesn't work. The port on HP switch is configured like this: vlan 1 untagged (native), vlan 160 tagged. On sg350 I've configured uplink to HPE as a trunk port with tagged vlan 160. When I connect SG300 with the same port configuration I can see incoming mac addresses on both native and tagged vlans, on the SG350 I see incoming mac addresses only in the default vlan Example port config on A5800: Port config on SG300 (uplink to a5800, works): Port config on SG350 (uplink to a5800, doesn't work) : I've also tried switchport mode general with no result. Any hints? [link] [comments]  |
| MPLS Network - Need help please Posted: 03 Aug 2018 07:27 AM PDT Hi everyone! I'm the sole network engineer recently hired to work on a fairly new MPLS network. It was designed and handed over to my employer before I came on board. I've begun testing the network and I've noticed a potentially huge flaw in the design. While this is a fairly straight forward MPLS network, it does have a slight hitch. All L1 connectivity is done via microwave which connects to around 100 sites. Every site has a 3560 switch (L2 ONLY) which was meant to serve as the PE and all hub sites have Cisco ASR1002s. Due to being microwave, a lot of the sites are in remote locations and the microwave paths are crossed over with the 3560. This network is doing iBGP in the core with OSPF as the IGP. So if I were to bring on a customer at SW1 in the middle of a segment, I'd peer them via eBGP with R2 and R3 with the intent that if the link failed, it would go in the other direction to reach CE2. Here is a sample segment from my lab: Although, there are only 2 switches in the drawing, sometimes there are as many as 6 3560 switches between ASRs. The issue I'm having occurs when the microwave path gets interrupted between switch sites. As depicted in the drawing, when I shut down SW1 port F0/7, CE1 can no longer reach CE2. The issue is that R2, is still preferring its 0.0.0.0 path to CE1 because it acts like it isn't aware the path between SW1 and SW2 has failed. Is there something I could do with BGP to make it not prefer its local originated route? I realize since it's Cisco I could just change the weight something higher than 32768 on the R3 neighbor, but when I did this in my lab, it only went to R3 and still wouldn't failover. I hope bringing 3560s into the iBGP mesh isn't the only way to fix this. I'm sorry about the lengthy post and I'm truly appreciative any input I get. Thanks! [link] [comments]  |
| Posted: 03 Aug 2018 06:30 AM PDT Hello ppl of reddit, I need some career advice. Story of my life in nutshell: I was attempting uni (computer science), but i have not graduated, after i was doing all kind of low level job (cleaner, fork-lift driver, waiter...) then i got fed up and once a friend of mine (CCIE) suggested to start learning cisco. I did. I wanted to work in security, but first things first, need the fundamentals and i did ccna r&s. After i was looking for a job, but i quit and change again and change again and now i am at about to change again and im not sure what would be the smartest move right now. First i got a network designer job in an SSC, this was too boring, no technical tasks. Standard designs, mostly worked in excel and visio. (about a year) Then i got a junior pen-tester job (lower job grade as network designer), which was very cool, but the management was trying to fight the fire in a burning building with a cup of water...it was a mess and too much headache. So less value i could extract there. Basically we were reporting stock web app issues... (9 months) Then i changed to system verification job (R&D). Basically i have to support my colleagues in a data center environment. Configuring underlay network and testing (regression,sanity) switch firmware, (in security aspect as well, but that is just a very small slice), reproducing customer issues and solving them. ( Trial period will end soon) I got two offers: One is a Cyber Threat Defence Analyst, which is an real-time, eye on glass job, where we need to review SIEM alerts and escalation by end users. Escalating anomalies. The other is a network engineer. Operation and maintenance of global back bone, resolving trouble tickets, on call support (night and weekend), domain registration. I am a CCNP R&S and CCNA Cyber Ops and so close to OSCP. What would you do? Stay at the data center where probably SD network will be the direction OR regular network engineering where later on i could try the ccie OR go for cyber cybersecurity, which is the closest to my heart? I am a little afriad of the cyber threat job, because probably it is just staring at various displays (which is boring AF) but if there is chance to grow and in 1-2 years doing some interesing jobs in a SOC (if there is...) then it worth the suffer...but i have to stop jumping from job to job. What would be a reasonable decision here? What would you do guys? Any advice with a bit of reasons? (31 yrs old with family) [link] [comments]  |
| HMF a vLAN Conceptual Resource Posted: 03 Aug 2018 08:32 AM PDT I'm looking for a resource that describes how vLANs operate from a conceptual standpoint, rather than a, "Here's how you configure a vLAN on our particular hardware," angle. Ideally it would describe how switches deal with vLAN tags in different scenarios, what the terminology means, etc. [link] [comments]  |
| Can someone fact check a network newbie with new vlan and scopes? Posted: 03 Aug 2018 08:16 AM PDT I'm mostly a jack of all trade guys and wanted to double check something. https://imgur.com/a/YPGGr38 I am looking to add the new addition that is in red. My goal is to separate that switch onto a new vlan and network similar to the phone server scope.
If anyone see any issues with this setup, please let me know. [link] [comments]  |
| Posted: 03 Aug 2018 12:07 AM PDT I have been tasked with building two routers to handle multiple full tables and IBGP between them (all 10G), running VyOS, with a budget of $2500. I could proceed and build dual e5 systems to handle everything, but after getting tired of finding a reliable benchmark on an Intel 10g NIC for 64 byte packets (needs to handle short ddos attacks without dying), I've decided on the Ubiquiti EdgeRouter Infinity (ER-8-XG). The only problem is that it doesnt support hardware LACP, which really sucks, but I can get around it with ECMP based BGP from the core and vice versa for the default route. Otherwise it ticks all the options to handle full tables. The core is a QFX5100, which gets a full tables from our providers but only accepts very specific AS paths for optimal routing between sites. So the question comes down to this, do I continue with server builds or push for the Ubiquiti router and suffer with the problem. I'm also all ears for other small routers that fit within $2500, a pair preferably but can be 1 based on the hardware specs. Thanks! [link] [comments]  |
| Posted: 03 Aug 2018 03:17 AM PDT Hi; In the case of multiple Policy Sets on Cisco ISE, what order of processing/operation takes place if there were overlapping conditions on policy sets? [link] [comments]  |
| You are subscribed to email updates from Enterprise Networking news, blogs and discussion.. To stop receiving these emails, you may unsubscribe now. | Email delivery powered by Google |
| Google, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States | |
No comments:
Post a Comment