    Wednesday, September 12, 2018

    Rant Wednesday! Networking


    Rant Wednesday!

    Posted: 11 Sep 2018 05:13 PM PDT

    It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

    There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

    submitted by /u/AutoModerator

    Cisco REALLY wants us to keep using EIGRP /s

    Posted: 12 Sep 2018 12:40 PM PDT

    My company did a system wide cutover from EIGRP to OSPF last night. This was driven primarily by interoperability between different vendors and the desire to eliminate redistribution in the network. In an attempt to have an easy backout procedure we just shut down the EIGRP process and let the routes fall back to OSPF. If something went horribly wrong we could just no shut the EIGRP process while we figured out what happened. The entire cutover was seamless with no downtime whatsoever EXCEPT for one device.

    When I shut down EIGRP on an ASR1001-X everything failed over seamlessly. A few minutes later I get a text alert that this ASR has gone offline. Sure enough no reachability. I hop onto the core and the links to the ASR are hard down. A few minutes later the ASR comes back online.

    Last reload reason: Critical software exception, check bootflash:crashinfo_RP_00_00_20180911-182746-CENTRAL

    submitted by /u/Twanks

    IPsec Client VPN (Forticlient SSL VPN alternative)

    Posted: 12 Sep 2018 06:17 AM PDT

    I'm trying to figure out what's happening under the hood when using IPsec as a client VPN solution. To me, IPsec behind NAT is problematic, let alone PAT which is in use in this case. I don't see how it's even possible but apparently the guy who set this tunnel up says he can test successfully.

    So this is using FortiClient 6.0 to connect to a Forticlient device on our vdom. I've been supplied the configuration and psk. What I'm seeing is the Client trying to create some kind of socket with our default gateway. The Forticlient logs show...

    9/11/2018 12:14:22 PM Debug ESNAC Start searching for FGT
    9/11/2018 12:14:22 PM Debug ESNAC Searching Default GW
    9/11/2018 12:14:23 PM Debug ESNAC Timeout in select in SocketConnect
    9/11/2018 12:14:23 PM Debug ESNAC Socket connect failed
    9/11/2018 12:14:23 PM Debug ESNAC 192.168.192.2:8013, Secondary - 0
    9/11/2018 12:14:23 PM Debug ESNAC CKeepAlive::SetState
    9/11/2018 12:14:23 PM Debug ESNAC Not Registered
    9/11/2018 12:14:23 PM Debug ESNAC m_dwAutoconnectWhenOffnet false
    9/11/2018 12:14:23 PM Debug ESNAC End searching for FGT

    And on the wire I'm seeing

    5 2018-09-12 08:45:12.949585 192.168.0.2 192.168.0.1 TCP 66 3270 → 8013 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
    6 2018-09-12 08:45:12.950563 192.168.0.1 192.168.0.2 TCP 60 8013 → 3270 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

    My host is 192.168.0.2 and my GW is 192.168.0.1 in this case.

    Anyone have any insight to what's actually occurring here?

    submitted by /u/Groundswell17

    Point to point wireless shot on a non-profit budget. Ubiquiti?

    Posted: 12 Sep 2018 05:24 AM PDT

    I'm looking to do a wireless point to point shot for a single PC and IP cam for a small non-profit. The main site is small and already has a Ubiquiti UAP-AC-LR AP as well as a virtual instance of UniFi. The remote site is a shed about 50 ft away.

    I'm looking to span about 50 ft with clear LOS. Not really familiar with Ubiquiti's offerings so I was looking at doing a Nanostation M5 bridge. Ordered a couple off eBay but they were junk and I had to return them. The more I look into the Nanostation M5s, they seem pretty overkill for what I need.

    Anyone have recommendations? Would like to keep the site 100% Ubiquiti, but if there's a better solution I'm all ears. Budget is $500.

    submitted by /u/FlippyDee

    trunk between Cisco and Juniper Switch

    Posted: 12 Sep 2018 06:16 AM PDT

    I'm trying to get a trunk up between a Cisco and a Juniper switch.

    Cisco currently only has one vlan, and a vlan interface IP of 10.44.10.5/24. I want to be able to reach the Juniper switch which will have an IP of 10.44.10.6/24. I'm struggling to get my head around the logic of it though on the Juniper side

    Juniper is configured as below:

    description "Uplink to lo-sw-04";
    unit 0 {
        family ethernet-switching {
            port-mode access;

    root@lo-sw-01> show configuration interfaces vlan.0
    family inet {
        address 10.44.10.6/24;

    The Cisco is just "switchport mode access", with interface vlan1 ip address 10.44.10.5/24

    What am I doing wrong?

    EDIT: bad choice of words from me. I don't need a trunk, I just want to be able to manage the Juniper using an IP address. So what I want is just a link between the switches, in vlan1, that allows me to reach an IP address residing on the Juniper

    EDIT2: Resolved. The issue was in how Junos tags all traffic on a trunk by default, but Cisco does not tag native vlan by default. As the cisco switch only had one vlan it was also the native vlan. I enabled trunk on both sides, and put the following on my juniper config:

    description "Uplink to lo-sw-04";
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members VLAN1;
            }
            native-vlan-id 1;

    submitted by /u/Theincrediblemeagain

    Secure Syslog Messages from Juniper Devices

    Posted: 12 Sep 2018 06:01 AM PDT

    For those engineers or admins who are using Juniper devices (QFX, MX, & EX Platforms), is anyone using secure syslog?

    It seems only the SRX platform can send Syslog over TLS.

    I'm curious how others are handling this matter.

    submitted by /u/heggady

    What is the state of the art in traffic classification for QoS purposes?

    Posted: 12 Sep 2018 09:21 AM PDT

    Wherever L4 port/proto doesn't work, I assume it's some kind of vendor secret sauce L7 signature algorithm like Cisco NBAR or PAN App-ID.

    Sure, marking VoIP is straightforward. But say I want to ensure that YouTube cannot consume more than 35% of a link in times of congestion, and stuff like Apple iOS updates get scavenger class.

    In the past, I did a poor-man's equivalent by finding Apple's netblocks from ARIN and adding them to a rule assigning QoS values. Of course, this is very coarse and can't differentiate between iOS updates and any other traffic to Apple's servers, but it seemed to work well enough. But since a lot of stuff funnels through generic CDNs, I can see this approach failing miserably in most cases.

    So for those who are deep in the QoS weeds: What is your approach to QoS classification when L4 characteristics aren't enough?

    p.s.:

    • Yes, I know: more bandwidth is always The Right Answer(r) to congestion
    • This is mostly for my own understanding, I'm not solving a specific business problem this very moment. We are a Cisco/PAN shop if that matters.
    • No, I don't expect you to do my job for me--I'm looking for high-level, low-resolution concepts, not an exact config for any device or vendor

    thanks :)

    submitted by /u/austindcc

    CDN Cloudflare implements a more permanent fix to their PMTUD issue on IPv6. You won't have their problematic configuration, but remember not to block relevant ICMPv6 or you'll get the same effect.

    Posted: 12 Sep 2018 09:46 AM PDT

    "Fixing an old hack - why we are bumping the IPv6 MTU"

    1. Cloudflare gave themselves the original problem because they're abusing Anycast for stateful TCP and relying on ECMP to make the TCP flows sticky to one or another host, but this doesn't work for ICMP packets that apply to those flows.
    2. They worked around the problem three and a half years ago by duplicating ICMPv6 to all hosts, and also by setting their sending MTU to the IPv6 minimum of 1280 bytes.
    3. Now they need a more-sophisticated fix [but they're not changing ECMP to be aware of ICMP, even though they could match ICMP payloads to a specific tuple and route appropriately].
    4. They were able to ignore this for IPv4, most probably because workarounds for broken PMTUD are borderline ubiquitous in IPv4: PMTUD blackhole discovery and TCP MSS clamping. The Linux kernel, specifically, uses Packetization Layer Path MTU Discovery (PLPMTUD) on IPv4 but not on IPv6.
    submitted by /u/pdp10
    [link] [comments]
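
The failure mode in points 1 and 3 of the post above, as an added example (not code from the post or from Cloudflare): an ICMPv6 Packet Too Big hashed on its outer header lands on a different anycast host than the TCP flow it refers to, while hashing on the quoted inner packet keeps it with the flow. The addresses, host names and the SHA-256 based hash are constructed assumptions standing in for a real ECMP stage.

```python
import hashlib
import ipaddress
import struct

TCP, ICMPV6, PKT_TOO_BIG = 6, 58, 2
HOSTS = ["host-a", "host-b", "host-c", "host-d"]   # constructed anycast servers
ANYCAST = "2001:db8:a::1"                           # constructed service address
ROUTER = "2001:db8:ffff::1"                         # constructed on-path router


def ipv6(src, dst, next_header, payload):
    """Fixed 40-byte IPv6 header followed by the payload."""
    head = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return (head + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


def tcp(sport, dport):
    """Minimal 20-byte TCP header (checksum left at 0 in this constructed sample)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x10, 65535, 0, 0)


def packet_too_big(client, cport, mtu, keep=1232):
    """ICMPv6 type 2 from ROUTER, quoting the server->client segment that was too large."""
    invoking = ipv6(ANYCAST, client, TCP, tcp(443, cport))
    body = struct.pack("!BBHI", PKT_TOO_BIG, 0, 0, mtu) + invoking[:keep]
    return ipv6(ROUTER, ANYCAST, ICMPV6, body)


def flow_key(pkt, icmp_aware):
    """Tuple the ECMP stage hashes on for an inbound packet (no extension headers handled)."""
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    next_header, l4 = pkt[6], pkt[40:]
    if next_header == TCP and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        return (src, dst, TCP, sport, dport)
    if icmp_aware and next_header == ICMPV6 and l4[:1] == bytes([PKT_TOO_BIG]):
        quoted = l4[8:]                      # skip type, code, checksum, MTU
        if len(quoted) >= 44 and quoted[6] == TCP:
            q_src = ipaddress.IPv6Address(quoted[8:24])
            q_dst = ipaddress.IPv6Address(quoted[24:40])
            q_sport, q_dport = struct.unpack("!HH", quoted[40:44])
            # The quoted packet was outbound; reverse it to get the inbound flow.
            return (q_dst, q_src, TCP, q_dport, q_sport)
    return (src, dst, next_header, 0, 0)     # outer header only


def ecmp_pick(key):
    """Hash-based next-hop choice, standing in for the router's ECMP function."""
    digest = hashlib.sha256("|".join(map(str, key)).encode()).digest()
    return HOSTS[int.from_bytes(digest[:4], "big") % len(HOSTS)]


def delivered_to_owner(n_flows, icmp_aware):
    """Count flows whose Packet Too Big reaches the host that holds the TCP state."""
    hits = 0
    for i in range(n_flows):
        client, cport = f"2001:db8:c::{i + 1:x}", 40000 + i
        segment = ipv6(client, ANYCAST, TCP, tcp(cport, 443))
        owner = ecmp_pick(flow_key(segment, icmp_aware))
        ptb = packet_too_big(client, cport, mtu=1280)
        hits += ecmp_pick(flow_key(ptb, icmp_aware)) == owner
    return hits


if __name__ == "__main__":
    print("outer-header hashing :", delivered_to_owner(200, False), "of 200")
    print("quoted-packet hashing:", delivered_to_owner(200, True), "of 200")
```

A Packet Too Big whose quoted packet is truncated before the TCP ports falls back to the outer header, which is the case the duplicate-to-all-hosts workaround in point 2 covers.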

    One ASA with two ISP with two VPN tunnels to single peer. Can I do it?

    Posted: 12 Sep 2018 12:40 PM PDT

    I have two sites each with a single ASA at each site. Currently each site has a single ISP with a VPN tunnel passing traffic between them. I want to get a second ISP connection with its own interface on one of the ASAs and have another VPN tunnel going to the same peer but this one will have a different crypto map. Example -

    Site A
      VPN Tunnel 1
        Local public IP - 1.1.1.1
        Peer public IP - 3.3.3.3
        Local Network 172.16.1.0
        Remote Network 192.168.1.0
      VPN Tunnel 2
        Local public IP - 2.2.2.2
        Peer public IP - 3.3.3.3
        Local Network 10.0.0.1
        Remote Network 192.168.1.0

    Site B
      VPN Tunnel 1
        Local public IP - 3.3.3.3
        Peer public IP - 1.1.1.1
        Local Network 192.168.1.0
        Remote Network 172.16.1.0
      VPN Tunnel 2
        Local public IP - 3.3.3.3
        Peer public IP - 2.2.2.2
        Local Network 192.168.1.0
        Remote Network 10.0.0.1

    Is this possible?

    submitted by /u/Adamal47

    Is there a Networking term dictionary that I am unaware of, I am tired of adding to dictionary all of the time for emails.

    Posted: 12 Sep 2018 10:12 AM PDT

    Title really says it all. I use Grammarly as well if that's of any help.

    Edit: yea I know there is no question mark in my title.... I f**ked up.

    submitted by /u/NetworkGuy22

    MPLS migration: what about EVPN?

    Posted: 12 Sep 2018 07:20 AM PDT

    Hi,

    We plan to migrate a quite old MAN based on Cisco C6500/Sup720 chassis (around 20). Today, our chassis act as PE and CPE (from each chassis, we have dozens of L2 connections to our sites; the chassis acts as default gateway for the sites). Our chassis migration should be an opportunity for us to add new services, mainly L2VPN.

    I see today 2 options for L2VPN:

    • VPLS, which is quite old, but why not
    • EVPN with MPLS on data plane.

    My concern is the migration, there are 2 scenarios:

    1) The best way for us would be to be able to change chassis one by one.
    2) The worst way would be to have to construct a parallel network to the existing (so, problems with fibers and rooms for chassis) with "temporary" interconnection between old and new design.

    I'm not really confident with the VPLS or EVPN MPLS protocols: I imagine VPLS would allow us to follow scenario #1, but I have a doubt with EVPN-MPLS (I expect scenario #1 is possible as it is based on MPLS/LDP, but not sure).

    An additional question: would EVPN PBB or EVPN VXLAN give us more advantages than EVPN MPLS?

    Thanks for your answers

    submitted by /u/Filoox

    Cisco/Viptela Hiding Something?

    Posted: 12 Sep 2018 09:58 AM PDT

    https://searchnetworking.techtarget.com/news/252447930/NSS-Labs-Cisco-spat-raises-licensing-restriction-enforceability

    Find it funny how top SD-WAN vendors freely gave access to their product minus Cisco/Viptela.

    Sounds like they got access to the tests early on and couldn't compete so they didn't want to be humiliated.

    Disappointing since they spent so much on it, guess they still need more time to integrate it.

    submitted by /u/davep85

    Question about wireless network bands

    Posted: 12 Sep 2018 03:27 PM PDT

    If two wireless routers operate at the same band but with different channels, then will there be interference? Even if they were for two different networks?

    submitted by /u/MadPinoRage

    Those of you running Cisco 3750X - what's your CPU utilization?

    Posted: 12 Sep 2018 02:33 PM PDT

    Hello. We have a campus network with ~750 switches. Some of our switches seem to have really high CPU utilization. Usually, this is our larger stacks, (we have a few 9-stacks), but sometimes it affects medium to small stacks (we've seen it on single switches!).

    Our current primary thought is that 802.1x is killing our CPU (we have to re-authenticate hourly - large stacks have lots of 802.1x sessions).... but, show commands don't support that. Also, our worst offender is only a 5 member stack - the CPU utilization is so bad, when SSHing, it feels like we're going over a satellite link, when we have ~55ms RTT. We haven't found a great correlation between any of the affected stacks.

    Some hurried research shows IGMP snooping to be a culprit for many people... but we can't turn it off. TCAM utilization is nowhere NEAR 100%. And, according to the switch, the LED process is taking a huge chunk of CPU cycles.

    So, what is YOUR CPU utilization? What's typical?

    submitted by /u/binarycow

    Upgrading ASA 5525-X firepower

    Posted: 12 Sep 2018 02:29 AM PDT

    Hello guys,

    I know there is a lot of hate going on about the Firepower. And I do agree FTD sucks, but I still love ASAs, even if they run with SFR module :).

    First time I will be upgrading a pair of ASA 5525-X with Firepower. How long will it take going from 6.2.0 to 6.2.3? Trying to plan a maintenance window with the customer.

    Going forward upgrading them will be done in the FMC (upgrading the FMC as I write this, and it is taking ages!)

    Process will be:

    1. upgrade standby firewall

    2. Failover to newly upgraded firewall

    3. upgrade new standby firewall

    Correct?

    I think I will upgrade the ASA image after, to be sure nothing goes wrong. They are running fairly new code. 9.9(1)2

    submitted by /u/Inno-Samsoee

    Ciena Waveserver - Reliable? Stable?

    Posted: 11 Sep 2018 08:01 PM PDT

    We are evaluating Ciena Waveserver for datacenter interconnect. So far we like what we see, curious to hear from folks operating Waveserver infrastructure. Is it reliable and stable? Any issues?

    submitted by /u/reload_in_2

    Asking for a little advice on the best way to layout a new network.

    Posted: 12 Sep 2018 12:32 PM PDT

    I designed a new network for our company's recent acquisition, but I'm starting to second guess what I settled on, so I was hoping you guys might be able to guide me to the best way to do what I need.

    New building. 5 IDFs connected to the MDF with MM fiber.

    My original plan involved keeping three physically separate networks across the 6 strand fiber, data/APs, voice, and cameras. Basically, each IDF would have three switches for each network, each switch back to the MDF, plug the fiber into the corresponding switch. From there, the data, voice, and camera switches were going to be patched into a "main" L3 switch so they can communicate with each other.

    I'm beginning to doubt my concept. Should I just VLAN? If so, what's the best way of doing that with something of this scale?

    Also, I'm completely stuck on the DHCP server setup. Should I just create two new scopes (voice and cameras) to add to the existing data scope? How do I ensure the right device, such as a phone, gets the proper IP from the DHCP server residing on the data network?

    Thanks so much for the help. I'm feeling in way over my head here.

    submitted by /u/BeerBottleWizard

    Need Sonicwall L2TP VPN Setup Assistance

    Posted: 12 Sep 2018 06:23 AM PDT

    I inherited the management of a Sonicwall NSA 4600 that is running SonicOS 6.2.7 and I'm having some issues getting the L2TP VPN to work properly when using it from a MacBook. The Windows clients are using GlobalVPN so I haven't had any issues with those clients.

    To give some information on the setup, the following interfaces are setup:

    Name Zone IP Address Mask
    X0 LAN 10.0.0.1 255.255.255.0
    X1 WAN x.x.x.x x.x.x.x
    X3 LAN 10.0.1.1 255.255.255.0

    X0 is configured and enabled but no cable is connected to the interface. X3 however is the primary LAN subnet and the subnet that end users need to access resources on.

    I have tried to setup L2TP IP Pools on both the X0 and the X3 subnet. When I do that, I'm able to access resources that are on the X3 subnet except when end users connect from a remote LAN that is also in the 10.0.0.0/8 subnet range. When end users connect to the VPN from a remote LAN that is inside of 10.0.0.0/8 then they are unable to access resources on the 10.0.1.0/24 subnet.

    I did some investigating trying to figure out what was happening and found the following on a test MacBook.

    I'll use the following information in my example:

    MacBook Remote IP: 10.10.10.10/24
    MacBook Remote Gateway: 10.10.10.1
    MacBook VPN IP: 10.0.1.50/24

    Destination   Gateway      netif
    default       10.10.10.1   en0
    default       link#14      ppp0
    10            en0          en0
    10.0.0.1      10.0.1.50    pp0

    If I look at the output of 'ifconfig' then I see that the 'ppp0' interface has the following output:

    inet 10.0.1.50 --> 10.0.0.1 

    From what I can tell the issue is that the L2TP VPN keeps attaching to X0 instead of X3. Since the VPN is attaching to X0 instead of X3 then the MacBook's routing table is only creating a route for the 10.0.0.0/24 subnet and then all other 10.0.0.0/8 traffic is going to the default route of the remote LAN. The MacBook's routing table never creates a route for 10.0.1.0/24. I have tried to disable split tunnelling but the summarized 10.0.0.0/8 route still remains.

    I've tried contacting Sonicwall support but they have been slow to respond. Any help would be appreciated. Thanks.

    submitted by /u/rekkos

    Learning BGP multihoming and anycasting, where to obtain IPv6 assignment?

    Posted: 12 Sep 2018 11:56 AM PDT

    I'm currently trying to build a simple multihomed network, and I was wondering if anyone knows of a good place to obtain roughly a /46 or /47 cheaply, as I'm on a relatively tight budget. I plan to expand this to add some anycasting with multiple PoPs, which is why I need more than a /48 (I need at least a /48 for non-anycasted, one for anycasted).

    I'm in the RIPE region, and everything I've been able to find seems really over-priced (200 euros per year for a /48, for example.)

    Thanks in advance.

    submitted by /u/tchnj

    Question about a network layout (simple one)

    Posted: 12 Sep 2018 10:45 AM PDT

    Quick question, I was trying to rethink our network layout (https://imgur.com/a/tATxUJB)

    We always kept that mini switch in between our Meraki and internet (at the very end, our ISP provides a router which converts fiber to RJ45, the RJ45 is plugged to the Cisco SG 200-08).

    I'm new at my company and the previous guy mentioned it was designed this way for a DMZ to keep the FTP server secure.

    Connected to that switch and I don't see any DMZ configuration.

    Would it be still secure for that FTP server to be plugged to our Meraki MX100? So we could get rid of that mini switch.

    Thanks,

    submitted by /u/leezlol

    IKEv2 VPN Cisco ASA <> Cisco ASR

    Posted: 12 Sep 2018 10:36 AM PDT

    Hi guys,

    I'm getting crazy - looks like I'm too stupid to get a working IKEv2 VPN tunnel, between a Cisco ASR and a Cisco ASA.

    Maybe someone out there has an idea... I have two problems:

    1. I'm not able to initiate the tunnel from my ASR backend (ACL on ASR get hits..)
    2. The tunnel won't come up successfully when initiating it from the ASA site (due to a NO_PROPOSAL_CHOSEN error)

    Ofc, I double checked my encryption/algorithm settings for this setup - but it looks fine for me. Atm, I allowed EVERY encryption/algorithm defined on my ASR / ASA for testing - but still no matches.

    I found a bug for my second problem in the Cisco Bug Search tool - but I updated the device to the suggested release which is not affected (or not detected :D)..

    The config of my ASR (IP 9.9.9.9):

    vrf definition ASRK001
     description IKEV2-TEST
     !
     address-family ipv4
     exit-address-family
    !
    crypto ikev2 proposal IKEV2-AES256-CBC-SHA256
     encryption aes-cbc-256
     integrity sha256
     group 14 15 16 19 20 21 24
    crypto ikev2 proposal IKEV2-AES256-CBC-SHA512
     encryption aes-cbc-256
     integrity sha512
     group 14 15 16 19 20 21 24
    crypto ikev2 proposal IKEV2-AES256-GCM-SHA256
     encryption aes-gcm-256
     prf sha256
     group 14 15 16 19 20 21 24
    crypto ikev2 proposal IKEV2-AES256-GCM-SHA512
     encryption aes-gcm-256
     prf sha512
     group 14 15 16 19 20 21 24
    !
    crypto ikev2 policy ASR-DEFAULT
     match fvrf FDVRF
     match address local 9.9.9.9
     proposal IKEV2-AES256-GCM-SHA256
     proposal IKEV2-AES256-CBC-SHA256
     proposal IKEV2-AES256-CBC-SHA512
     proposal IKEV2-AES256-GCM-SHA512
    !
    crypto ikev2 keyring ASRK001
     peer ASRK001
      address 1.1.1.1
      identity address 1.1.1.1
      pre-shared-key local 1234567890
      pre-shared-key remote 1234567890
     !
    !
    crypto ikev2 profile ASRK001
     match fvrf FDVRF
     match identity remote address 1.1.1.1 255.255.255.255
     authentication remote pre-share
     authentication local pre-share
     keyring local ASRK001
     ivrf ASRK001
    !
    crypto map CM 1 ipsec-isakmp
     set peer 1.1.1.1
     set security-association lifetime seconds 8600
     set transform-set ESP-AES256-SHA1 ESP-AES256-SHA512 ESP-AES256-SHA384 ESP-AES256-SHA256 test TESTER
     set pfs group14
     set ikev2-profile ASRK001
     match address ASRK001
     reverse-route
    crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
     mode tunnel
    crypto ipsec transform-set ESP-AES256-SHA384 esp-aes 256 esp-sha384-hmac
     mode tunnel
    crypto ipsec transform-set ESP-AES256-SHA512 esp-aes 256 esp-sha512-hmac
     mode tunnel
    crypto ipsec transform-set ESP-AES256-SHA256 esp-aes 256 esp-sha256-hmac
     mode tunnel
    crypto ipsec transform-set test esp-gcm 256
     mode tunnel
    crypto ipsec transform-set TESTER esp-gmac 256
     mode tunnel
    ip access-list extended ASRK001
     permit ip 192.168.0.32 0.0.0.31 host 192.168.178.1

    The config of my ASA (IP 1.1.1.1):

    crypto map outside_map 2 match address outside_cryptomap_7
    crypto map outside_map 2 set pfs group14
    crypto map outside_map 2 set peer 9.9.9.9
    crypto map outside_map 2 set ikev2 ipsec-proposal TESTER
    crypto map outside_map 2 set ikev2 pre-shared-key 1234567890
    crypto map outside_map 2 set nat-t-disable
    access-list outside_cryptomap_7 extended permit ip host 192.168.178.1 192.168.0.32 255.255.255.224
    crypto ipsec ikev2 ipsec-proposal TESTER
     protocol esp encryption aes-gcm-256 aes-gcm-192 aes-gcm aes-256 aes-192 aes 3des des aes-gmac-256 aes-gmac-192 aes-gmac
     protocol esp integrity sha-512 sha-384 sha-256 sha-1 md5
    tunnel-group 9.9.9.9 type ipsec-l2l
    tunnel-group 9.9.9.9 general-attributes
     default-group-policy VPN_ASR
    tunnel-group 9.9.9.9 ipsec-attributes
     ikev2 remote-authentication pre-shared-key 1234567890
     ikev2 local-authentication pre-shared-key 1234567890
    group-policy VPN_ASR internal
    group-policy VPN_ASR attributes
     vpn-filter value VPN_Any_Any
     vpn-tunnel-protocol ikev2
    access-list VPN_Any_Any extended permit ip any any
    crypto ikev2 policy 5
     encryption aes-gcm-256
     integrity null
     group 14
     prf sha512
     lifetime seconds 86400

    And finally the logging while I'm trying to establish the tunnel..

    Both had a debug on IKEv2 and IPSEC.

    ASR:

    https://pastebin.com/2mHUtMwJ

    ASA:

    https://pastebin.com/25nGKaEY

    submitted by /u/ph14454

    Is there a networking term for this? Can a bunch of devices be hardset (automatically) for a set of IP addresses?

    Posted: 12 Sep 2018 01:09 PM PDT

    Is there a way to say anything iPhone gets 10.1.x.x and anything Android / Samsung gets 10.6.x.x IP address?

    And also (being a newb) what is the above called? Is there a term?

    and then say APPLE when you go to these websites operate this way but not Android. and vice versa.

    submitted by /u/OtherGuy01

    Server upload/download performance under private line?

    Posted: 12 Sep 2018 08:04 AM PDT

    Hi Guys,

    Currently doing my research and I would like to ask what would be the issue when link is ok but server upload/download or server throughput in transferring is not consistent?

    Is it the window size? CPU? Disk? (let's say no problem on network side). Have you encountered this issue and what are the things need to consider?

    Thanks

    submitted by /u/1searching

    Ruckus Wireless with CloudPath

    Posted: 12 Sep 2018 07:24 AM PDT

    A previous engineer here purchased a bunch (150) of Ruckus R720 APs, 2 SmartZone controllers, and cloud hosted CloudPath to replace a 10 year old Cisco wireless system. I am now going to be implementing this and I have some concerns about CloudPath. The APs and controllers seem great to me but CloudPath doesn't seem like it's very intuitive for the end users. On the devices that we own and provide to our users it's no big deal but it seems like BYOD is going to be a problem.

    I have an Android phone, for me to connect to the wireless I connect to the onboarding SSID, it prompts me to sign in to the network which is fine. I click the sign in notification and login and get the prompt that I have to download their app to configure the network. This seems like users are going to question why they have to download an app but aside from that, I click the link and get an error that says the URL cannot be opened. According to what I have seen from Ruckus, this is a problem with Android web view and not on their end and they cannot fix it. So I have to close out of everything, open Chrome and let it redirect me to the sign in page and from there I can download the app from the Play Store and let it configure the network for me. The process is even more complicated on a Chromebook.

    Does anyone have any experience with this and did it cause you and your users a ton of headache? Seems like we are going to get a lot of calls from people trying to get their personal devices on the network. Is there any real benefit in using CloudPath instead of using a simple RADIUS server and have users login with their AD credentials? The other thing that bothers me is that the cloud hosted version of CloudPath can't send logs to my Palo Alto firewall so I won't have any user-ID information in the firewall for wireless clients.

    submitted by /u/jwwork