Rant Wednesday! Networking |
- Rant Wednesday!
- New WPA2 crack
- Emulating Large Scale Production Networks: Microsoft's Crystalnet
- Policy maps and TCP traffic - limiting ACKs?
- What is the best technology to encrypt traffic over an MPLS network?
- BGP, two Cisco routers, two Cisco Meraki firewalls, and two separate lines from our ISP. Could use help.
- Router on a stick issue with NAT/Browsing
- [Question] C9500-48Y4C-A StackWise Virtual?
- Local VLAN traffic
- Junos port security
- IPv6 Secondary address?
- Nornir - a pure Python, pluggable, multi-threaded inventory management framework in the same vein as Ansible and Salt, written by David Barroso (NAPALM co-founder) and Kirk Byers (netmiko author)
- Oddball question - Take home network box
- Router recommendation for simultaneous Client Mode and Access Point
- Force10 MXL 10/40GbE management IP external access unstable
- Display running config alcatel omni?
- Dell EMC N1548 Switch stack and ShoreTel VoIP issues
- jperf/iperf representative file
- Fiber vs Copper uplink
- loss of bidirectional communication?
- Using an IP ending .255
- Stupid question, OSPF.
- Got a NOC Tech Interview
- New attack on wpa /wpa2 makes it even easier to crack
- Where do you implement FHRP's eg VRRP/HSRP/CARP
- Need Help with a Juniper Switch Issue
| Posted: 07 Aug 2018 05:14 PM PDT It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related. There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves! [link] [comments]  |
| Posted: 08 Aug 2018 12:01 PM PDT I have not seen anyone post about this but this looks to be a big deal to me. [link] [comments]  |
| Emulating Large Scale Production Networks: Microsoft's Crystalnet Posted: 08 Aug 2018 03:39 AM PDT I was working on a project a while ago, trying to emulate the packet flow determined by a Cisco IOS switch, on a virtual switch (OvS on OpenStack), migrating the configs to create a network infrastructure somewhat similar to what IOS is configured for. I was revisiting the project but instead chose to study for my CCNA R&S (because networking is amazing (giving it this month :D)). After that microsoft released this CrystalNet paper, and I found it very interesting that they were also working on the same thing, but towards a much more commercial and production-ready product. Just sharing it here, if anyone of you might want to read it and wanted to know your thoughts about it. EDIT: updated link from pdf to site [link] [comments]  |
| Policy maps and TCP traffic - limiting ACKs? Posted: 08 Aug 2018 10:45 AM PDT I need a sanity check on this. Update- platform is Cisco ASA
This should limit all outbound TCP traffic on that interface to 2Mbps, which it is doing successfully. Problem is that somehow it's also limiting inbound traffic to 2Mbps. Vendor told me that this is happening because inbound TCP ACKs are being limited. If that's the case, I would expect that 2Mbps worth of inbound ACKs would equal a larger amount of overall outbound traffic. I don't have any data/numbers to support this, just my gut. Curious to see everyone's thoughts. [link] [comments]  |
| What is the best technology to encrypt traffic over an MPLS network? Posted: 08 Aug 2018 07:34 AM PDT I've been handed a project to encrypt our traffic over our provider's network. Our MPLS provider will not be participating in encryption. The encryption will be from CE to CE. We are a Cisco shop and I'm not sure where to start. Thank you in advance! [link] [comments]  |
| Posted: 08 Aug 2018 01:41 PM PDT You guys have helped me a lot in the past, but I'm on a difficult task now that I could really use some help on. This is a fun one. To start this off, I'll provide a brief history with what my company is trying to do for link and device failover. A long time ago we had two Cisco 1921 routers. We deprecated those and got a single Cisco Meraki MX100. We later bought a second MX100 that we were hoping to configure in a warm spare configuration. This is somewhat easy with one line and enough private IP addresses in a subnet (one IP for each router and one IP for the virtual link). And if the main MX100 fails, we could just plug in the line from our ISP into the second MX100. (I think) But we now have two completely separate lines from our ISP that go to two different places in the state. Effectively, it's like having two different ISPs. For maximum load balancing, this is the path we'll most likely go on: First, configuring our two Cisco 1921 routers each with it's own line from the different locations. Our ISP wants us to use BGP on each router so if one link goes down, it'll automatically switch to the other link. From there, we'll configure the two 1921 routers to connect to each other via iBGP. Then we'll use three IP addresses for the two routers. Two for the routers, and one for the virtual link. We go on to naturally connect those 1921 routers to our two Cisco Merakis in a warm spare configuration. In theory, if one 1921 router goes down, we have an extra. If a Meraki goes down we have spare. If a link goes down, we have another. This is all for making sure we have little down time if a device or link goes down. So here's what I think we need: 6 IP addresses from our ISP (3 on 2 different subnets. 3 for the 2 Cisco 1921 routers and 3 for 2 Cisco Meraki firewalls), and AS numbers for each BGP connection (including the iBGP connection). This is all theory-crafting at the time, but does all this make sense? This is my first time configuring anything quite like this or working with BGP (or really any dynamic routing protocol for that matter) so it sometimes it's difficult to wrap my head around. Does anyone have suggestions on what we could do? Would this even work? Do I theoretically have everything I need? Could just use some help theory-crafting and getting ideas from people who are much more experience than myself. Any help is appreciated. tl;dr I have two Cisco routers, two Cisco Meraki firewalls, and two separate lines from our ISP. The two lines each need to have BGP configured. I need to configure all of this into a failover setup so if one single thing fails, it will all still work with minimal down time. [link] [comments]  |
| Router on a stick issue with NAT/Browsing Posted: 08 Aug 2018 03:29 AM PDT Just thought I would share a little gem I learned today. Way back in the day I worked for an ISP and router on a stick was our bread and butter lol. At my new job we had a new site turn up where they only wanted internet connectivity, so they ordered a isr4331 and a cat9k switch. I was on vacation and they asked me to whip up some quick configs, which I did. Super simple setup with like 5 sub interfaces for wired, guest wifi, user wifi, ect. It didn't work, could trace and ping all day long but browsing didn't work. checked my config 100 times and couldn't figure it out. Got off vacation today and called Cisco and in 14 seconds they found the issue. I was doing the NAT overload to a pool, IOS-XE it accepts the command but it doesn't work. You have to overload an interface. Moral of the story... no matter how easy it is, read the configuration guide of the platform you are using and don't assume anything haha. [link] [comments]  |
| [Question] C9500-48Y4C-A StackWise Virtual? Posted: 08 Aug 2018 02:42 PM PDT Here is a simplified drawing of my current layout: https://imgur.com/a/KkZeyhh We're upgrading our 2960-S access switches to 10G 2960-X switches in the coming months. We have a pair of 3850-12XS in a stack for our collapsed core. Unfortunately, the 3850s do not have the port density I need for all of the new 2960-Xs to have 10G uplinks. I could stack another 3850 in place, but we are growing to a point where we've decided to move to an actual aggregation switch model: the C9500. This would remove the old 3750-X from the picture entirely, and move all of our access switches directly to the 10G core. Proposed setup: https://imgur.com/a/PmiPfjN Our VAR informed us that the C9500 is equivalent to the 4500-X and did not stack like the old 3850. Instead they use a newer version of VSS: Stackwise Virtual. They also gave us a great deal on a pair of C9500-48Y4Cs -- they were even cheaper than the C9500-40X that I was originally looking at. UADP 3.0, more port density, 25G and 40/100G capable--so we have much more flexibility in the coming years... It all sounded great. Let's jump to today. I've discovered that the high performance version of these C9500s are not currently capable of Stackwise Virtual. I read the datasheet on this switch and I must have just missed that the particular model we bought doesn't support it. So I've got a pair of these suckers soon to be shipped to our location that will not be capable of hardware stacking or Stackwise Virtual. My question: Has anyone heard when we might be getting Stackwise Virtual on the high performance series of 9500? I have to imagine it's on the roadmap for these since the current versions already support it. Secondly, I would assume the only way I could hope to achieve ECMP on these 2960-Xs would be to use static routes on each of them? I'm just trying to come up with some way that I can have some hardware redundancy in our core until we get Stackwise Virtual on this model. [link] [comments]  |
| Posted: 08 Aug 2018 03:49 PM PDT I have been troubleshooting this issue between our main VLAN (we'll call V1) and V4 which is the native. The 2 host devices (1 on V1 and 1 on V4) are not able to establish a TCP handshake. This network is running on a Fortigate and the policies exist to allow all traffic over any port from V1 to V4. There is also a separate, but identical policy for V1 to V3 and the connectivity when testing the hosts from V1 to V3 works just fine. Upon doing a pcap from the successful connectivity of the hosts from V1>V3 I am able to see a series of syn/psh/fin and their corresponding ack packets. The pcap from the failed handshake only shows a long list of syn packets sourced from both hosts to each other without any corresponding acks. So the conclusion I've come to is that the host on V4 is receiving the packets from the V1 host, but just not establishing a handshake and acknowledgments. I'm sensing it might have something to do with V4 being the native or some other policy I am not catching somewhere. There is also no policies that allow any traffic into V1 initiated from any other VLAN, but as mentioned, traffic sourcing from V1 to elsewhere allows bidirectional traffic once the handshake is established. Thanks in advance for any suggestions! [link] [comments]  |
| Posted: 08 Aug 2018 03:26 PM PDT I have qfx and ex switches. I have port security configured for my access ports. I configured it in switch-port stanza. Basically just a sticky Mac and the action is shutdown. The problem now is on xe-0/0/0, I'm not seeing any Mac entries. I have a server plugged into xe-0/0/0 and the interface terse shows up/down, but the show interface xe-0/0/0 shows it is up. Even the show ethernet-switching interface xe-0/0/0 states is forwarding. I ran the monitor traffic on xe-0/0/0 and I see an arp from my server requesting for a Mac for another device. But somehow, the switch is not reporting anything on the port and the interface terse shows it is up/down. Any idea? Is this a bug in the switch firmware? [link] [comments]  |
| Posted: 08 Aug 2018 03:14 PM PDT Hi, Anyone here tried configuring a Secondary ipv6? Im using XR and there's no secondary command on ipv6.
Thanks [link] [comments]  |
| Posted: 08 Aug 2018 02:57 PM PDT Have yet to try it out, but looks promising! https://github.com/nornir-automation/nornir (disclosure: I am not affiliated with the project) [link] [comments]  |
| Oddball question - Take home network box Posted: 08 Aug 2018 02:14 PM PDT OK, I've done this at a job before and just chucked everything into a cardboard box, but the person setting it up was familiar with the install procedure. My boss and I are talking about setting up a portable box (akin to the loaner laptops of the old days) that has a silverpeak SD-wan box that would build tunnels and route automagically once it pulls a DHCP ip off the person's home network (I've done THIS bit about 300x....so I know it works well) and either a small POE switch and an aerohive AP connected to it, OR possibly one of the new Aerohive Atoms that plug into a wall socket - they are seriously pretty cool looking... In my ideal world I'd have everything cabled and just have a "plug power here, plug network cable there" and bingo....corp wifi being broadcast at person's home. We have lots of small remote offices where users are on VPN or since we are primarily cloud don't even need that much, and also have on-call or medical reasons working from home for extended periods and it would be nice to hand them a box with easy to follow "plug in here" directions. Executive easy :D My issue is.... I need to find something easy and portable but won't invite mucking with cables. I wondered if anyone had ever set anything like this up or had suggestions? I wanna buy a dremel and some old school metal lunchboxes, but boss is worried about wifi signal ;) [link] [comments]  |
| Router recommendation for simultaneous Client Mode and Access Point Posted: 08 Aug 2018 01:50 PM PDT Hi, I'm looking for a router which has the capability of acting as a wireless client to one SSID and also broadcasting it's own SSID with it's own DHCP subnet. The one router I have is currently doing this as it has 2 radios - 2.4Ghz and a 5Ghz. It uses 1 radio as a client and another for the AP, but it can then only connect as a client to 2.4Ghz network and distribute a 5Ghz AP. Are there any routers out there anyone can recommend that have this functionality? Are dual radios required and can I get around the frequency band limitation? The reason I want to do this is because I want the devices connected wirelessly to the router (acting as client and AP) to be hidden from the main router - hence the need for separate subnet, but via a wireless connection. Thanks for any help. [link] [comments]  |
| Force10 MXL 10/40GbE management IP external access unstable Posted: 08 Aug 2018 01:46 PM PDT Hi, We're using a stack of Force10 MXL 10/40GbE mezzanines on a Dell PowerEdge M1000E blade enclosure, which are linked to a stack of Dell N3024 managed switches. In this setup, the N3024 stack is linked to both the M1000E CMC controllers via Ethernet and with the MXL stack using the N3024 10 GbE rear IO cards. The MXL stack works great with the N3024 stack, but we're having an issue related to the MXL management interface since the initial setup, in 2015. When we try to connect to the MXL management IP using SSH, it works one third of the time... and the connection is not stable and does not work for more than 30 seconds... It's not a big issue, since we can connect to it using the CMC internal bridge whenever we need it, which works great. SNMP is configured on the MXL stack and, you guessed it, it does respond one third of the time... which isn't very practical for monitoring purposes... The three components (CMC controllers, MXL switches, N3024 switches) have the latest firmware installed (as of August 3rd 2018). Earlier this week, I investigated the issue and noticed that when I log in to the MXL using the CMC bridge, and then ping an IP address, the management IP responds correctly and remain stable for minutes... until the ping stops... Here's our MXL configuration about the management interface : In addition, if we connect using SSH to the Dell N3024 switches, the MXL can always be pinged/SSH connected/SNMP probed without issues. We don't know where to begin searching... [link] [comments]  |
| Display running config alcatel omni? Posted: 07 Aug 2018 11:58 PM PDT Hey. I'm pretty new at this tech company, we provide the city fiber network. We use Huawei switches at the moment, but we went from alcatel to Huawei. But still, a lot of old switches are Alcatel because there haven't been any reason to replace them. (We do so if someone purchase a subscription that is faster than 100mb/s, or seldom for other reasons.) However, I am comfortable with configuring huawei hardware but I'm not with Alcatel. I have been trying to google the answer but it keeps sending me to these massive manuals, were the commands listed did not work. So if anyone could provide me with a working command, that will display the running config on the Alcatel I would appreciate it. Almost all my co-workers are on vacation so I can't turn to them. [link] [comments]  |
| Dell EMC N1548 Switch stack and ShoreTel VoIP issues Posted: 08 Aug 2018 08:38 AM PDT Hi all I've wasted hours trying to configure our Dell EMC N1548 Switch stack (sw ver. 6.5.1.3) to work with ShoreTel 230 handsets, so I'm hoping someone out there can help. Basically, handsets don't switch to the Voice VLAN, despite the config looking ok to me. Setup:Switch version: Our switches are fairly simple, in that we only have 2 VLANs: the Default (VLAN 1) and Voice (VLAN 2). We have global voice vlan enabled: Auto VoIP mode is not used: (all other ports are the same) IP Helper is configured globally and in the voice vlan: Port config: (note that vlan 1 untagged and pvid vlan 1 does not show in the config as these are default) DHCP is configured on Windows Server 2012r2 - each scope has this configured: (Data, Voice and TestData as mentioned below) Option 156 "IP Phone Boot Server" The phone model I'm testing is the ShoreTel 230 (various handsets tried) Symptoms:The phone starts up, gets an IP in the VLAN1 range, then "Reconfigures" (meaning it tries to switch to VLAN2) and then it just sits waiting for DHCP forever. I've noticed that the mac address table has two entries for this handset at this stage: Attempts:At first I thought there might be an issue with the fact that we use the Default (1) vlan for data, so I creted another vlan (100), configured it to use the same ip-helpers and also created a new scope for the new VLAN. The new config looks like this for the switchport (which brings it in-line with Dell's documentation): So, I reset the phone and tried again, but the same symptoms persist. The mac address table looks similar again (it gets an IP in vlan 100, then tries to switch to VLAN 2): So, please!Are there any kind soul out there that can help me out of this problem please?(replacing these switches with Cisco or HP switches is not an option, just saying!) edit: typo - Option 156 not 158; option configured for all scopes [link] [comments]  |
| jperf/iperf representative file Posted: 08 Aug 2018 08:38 AM PDT So basically what i'm trying to understand is how does the representative file work and what are the differences between using jperf to test throughput speed for a file and using network sharing over two windows machines. i.e. will it show any huge difference and if so what are they and why? If someone has experience with this please share with me I can't seem to wrap my head around it. https://github.com/esnet/iperf/blob/master/docs/faq.rst bottom of the page is a tiny bit of info and i know it works over the link layer but not much more than that. edit: spelling [link] [comments]  |
| Posted: 08 Aug 2018 12:21 PM PDT setting aside distance, why do most setups have fiber uplinks between switches rather than copper? Is there somehow better throughput via fiber? Fiber and SFP's are more expensive and I just don't understand the rational there. Assume uplinks are all 1G [link] [comments]  |
| loss of bidirectional communication? Posted: 08 Aug 2018 11:43 AM PDT Hi Guys, I just want to here your thoughts about this. Issue: I cannot ping the next hop-address but I can learn the mac address of the next hop. Topology: Provider(PE)-----(Partner)-----(CE)Customer PE# Show arp 10.2.2.1- e0ac.f163.bb5e Interface ARPA TenGigE0/0/2/2.8 10.2.2.600:00:18 ecbd.1d8b.aca1 Dynamic ARPA TenGigE0/0/2/2.8 <--CE MAC ADDRESS/IP So if I can learn it mac address this means "RX" is working(I know how to reach the nexthop),
Now is there any possiblity that the reply from CE has an Issue, In this case do you think they can or cannot resolve our mac/Ip from CE side? In case of udld issue should both side can learn it mac address? Let's exclude the filtering/acl/fw on this scenario because there is none. Thank you [link] [comments]  |
| Posted: 08 Aug 2018 06:59 AM PDT Hey there, I seem to finding contradicting information on this so thought I'd ask people who do this stuff for a living. I've been provisioned a /28 by one of my server providers. Within that range is 137.x.x.255, can anyone tell me if it's possible to actually use this IP address? My understanding is that this is used for broadcasts, would love to know if this is right or if I'm completely wrong [link] [comments]  |
| Posted: 07 Aug 2018 03:38 PM PDT Hello r/networking. I have a job interview tomorrow for a very small company who wanted somebody with little to no knowledge on OSPF, he just wanted somebody that understands computers in general. I have been building PCs and gaming for 10 years, so I thought I'd give it a shot since I'm recently out of work. He wants me to learn as much as I can over night to see how quickly I can pick up on this. So far I've gotten the basics of what it's used for, I understand that SPF is fastest path, similar to a GPS in your car. Area, how all Area have to touch Area0 and go thru a Area Border Router if you want multiple area, LSAs and LSDB. But he wants me to answer 3 key questions, What is OSPF used for? Why/Where would you want to use OSPF? And Why do we used OSPF? I have answers for What/Where. But I can't for the life of me figure out what I want to say for, Why we use OSPF? Any help is greatly appreciated and I'm sorry if I'm breaking any rules in this sub. Just trying to learn/land a gig. [link] [comments]  |
| Posted: 07 Aug 2018 05:13 PM PDT Second noc type interview. First one was for engineer at my last job but no one got hired (company was going broke) so I don't know how well I did. This interview is for a NOC TECH at a different company where the might be same thing but different applications and processes I figure. It's a telecommunication company with GPON, FATS, OLT,MDUS and so on. Job description is below. Any help in what type of questions that would be asked would be helpful as just thinking about it now has my anxiety going off. I'm jobless and reply in need of it. MAIN RESPONSIBILITIES ❖ Monitor the network 24/7/365 on shift system ❖ Detect service issues, attempting to handle them before they affect our customers ❖ Interface with Customer and multiple departments on status of network ❖ Track e-mail and service requests in the ticketing system to ensure that customer requests are being handled in a timely manner ❖ Execute Escalation procedures in an accurate and timely manner ❖ Co-ordinate tasks, visits and disseminate information to ODN team, Engineering, Customer Operations, Sales, Customers and Management ❖ Be willing to work on projects and be part of continuous training sessions ❖ Be able to carry out instructions while being directed remotely ❖ Be able to work on unfamiliar equipment while being guided verbally and remotely ❖ Ensure adherence to applicable HSE legislation and policies as far as reasonably practicable ❖ Commit to attending all required HSE training ❖ Ensure all HSE assigned Key Performance Indicators (KPI's) are fulfilled on a continuous basis REQUIREMENTS ❖ Bachelor's Degree in Computer Studies or equivalent ❖ Must possess strong computer skills and demonstrate proficiency and experience utilizing Microsoft Word, Excel and Outlook software including familiarity with other Windows based software and the Internet ❖ Must possess excellent customer service skills and good reading comprehension. ❖ Must possess basic typing skills and complete familiarity with a computer keyboard. ❖ Computer Science, Telecommunications or related field is highly desired. ❖ Experience in Information Technology, Master Control, Programming, Call Center Customer Service, or Technical Support preferred; comparable knowledge acquired through certificate or degree program may be acceptable in place of work experience. ❖ Must possess strong communication skills. ❖ Must possess basic math skills including the ability to apply concepts such as fractions, percentages and perform basic math operations ❖ Ability to analyze facts and data to accurately define problems during troubleshooting of major NOC issues ❖ Must be able to work quickly and efficiently in time sensitive, high pressure situations ❖ Must have a minimum typing speed of 45 WPM ❖ Must be able to understand and implement subnetting calculations ❖ Must be willing to be part of an On-Call roster ❖ Must be able to communicate professionally with customers ❖ Must exhibit skills of proper documentation, organization and prioritization ❖ CCNA or Network + would be an asset [link] [comments]  |
| New attack on wpa /wpa2 makes it even easier to crack Posted: 08 Aug 2018 01:03 PM PDT |
| Where do you implement FHRP's eg VRRP/HSRP/CARP Posted: 07 Aug 2018 11:57 PM PDT Hi. My question is when I configure a FHRP like CARP or HSRP do I have to run it on the WAN? Doesn't the WAN usually failover via things like bgp in a multihomed environment? What is bugging me is that In the OpenBSD FAQ they use CARP on the WAN but I'm not sure why? Thanks for any help provided and have a nice day. [link] [comments]  |
| Need Help with a Juniper Switch Issue Posted: 08 Aug 2018 07:27 AM PDT I'm not sure if this is simple problem I don't get, but I'm still just a CCENT, low level network admin so any help would be appreciated. So I had a switch deployed and working. It was two Juniper 3400s, a 24 and 48. The 24 being the master in the virtual chassis. For some reason, the switch entered a weird mode upon login. The switch worked fine, passing traffic, but anytime you logged in, the prompt would just be ">". Now to my knowledge, the shell is signified by "root@host%" so this isn't the shell. I couldn't get past this prompt, and rather than try more troubleshooting on a live switch, I just replaced the switch with new ones. After some research, I still have no clue what to do. Here's a picture of the prompt. https://imgur.com/a/UvUB0U3 Oddly enough, the 48 port in the virtual chassis came up just fine when disconnected from the virtual chassis. I tried wiping it and creating a virtual chassis with it as the master, but when I brought up the two together, then disconnected the 24 and logging in separately, the same issue came back. [link] [comments]  |
| You are subscribed to email updates from Enterprise Networking news, blogs and discussion.. To stop receiving these emails, you may unsubscribe now. | Email delivery powered by Google |
| Google, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States | |
No comments:
Post a Comment