Blogpost Friday! Networking
- Blogpost Friday!
- Pair of Nexus 9ks as core, VPC to Palo firewall, things break when 1/2 the VPC goes down
- Sonicwall NSA 2650 VPN (GVC) to LAN access
- Eigrp over the top - opinions
- Expected International Performance
- Cisco SD-WAN Experiences (Former Viptela Solution)
- Working smart not hard. (help needed)
- (Cisco) L2 Multicast Traffic not being properly forwarded
- anyone know what could cause 10g link flapping between cisco 6807XL's
- Strange connection stop
- Can I run a Zyxel GS1920-24HP fanless?
- Now that Netscout sold off their network tester business - what are alternatives to LRAT-2000/OneTouch AT 10G?
- How to restrict traffic from internal to data centre network?
- Former CCNA+S needs help with new IOS-XE (Cisco ISR 1111-9P-LTE)
- if you qualify - get a free meraki switch - 'watch their latest offering'
- Fibre/leased line from Boston USA to UK?
- Small office network - Database server
- Extend Fax Line over LAN
- Need an alternative wireless Mini-PCI card...
- ASR920 help - Metro Ethernet and EVC
- (Question) How does socks proxy chain works?
- Aruba IAP Dynamic VLAN Assignment
- Spirent vs. Ixia
- CIR and CBS?
Blogpost Friday!
Posted: 03 Jan 2019 04:04 PM PST
It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts. Feel free to submit your blog post as well as a nice description to this thread.
Pair of Nexus 9ks as core, VPC to Palo firewall, things break when 1/2 the VPC goes down
Posted: 03 Jan 2019 06:34 AM PST
Hi y'all, I'm hoping someone here can sanity check me, cause I think I'm missing something pretty obvious and I'm going crazy after staring at all 50,000 of Cisco's diagrams of Nexus>VPC>Router/Firewall/L3 device configurations. Here's a brief diagram of what I have set up. I can add more if I'm missing pieces. https://drive.google.com/file/d/17KCigIwe9pSAWCgQSHXkuWYYNlufsvSC/view Diagram doesn't include any routing -- it's all static. There's a /29 shared between the 3 devices. .1 is fw, nexus hsrp locals are .4 and .5 with hsrp of .6. Default route on core 0.0.0.0/0 points to the .1. This svi is only used for routing traffic between firewall and core. Palo has a static route back pointing at the .6.
Sonicwall NSA 2650 VPN (GVC) to LAN access
Posted: 03 Jan 2019 11:53 AM PST
I have set up the Global VPN (IPSEC) on the Sonicwall 2650, the clients are given DHCP addresses from the DHCP server I configured under 'Networking' on the Sonicwall itself. The clients are able to successfully connect via the VPN but they don't have access to any LAN resources, despite the users having access to 'LAN Subnets'. I am, however, able to ping the LAN interface of the Sonicwall when connected via VPN. If I do a 'route print' on the client, I am able to see a route for the LAN subnet. I'm thinking that I'm possibly missing a NAT rule or something along those lines, although I couldn't find any mention of one in any of the guides I have looked at.
Eigrp over the top - opinions
Posted: 03 Jan 2019 08:20 AM PST
We're in the process of redesigning our routing between our 2 datacenters and our clients and I'm looking at EIGRP over the top. Has anyone used this in production? Does it cause issues or is it well supported?
A little background. We provide data center services as well as internet connectivity to about 100 clients around the US. Each client is anywhere from 1-20 locations. A typical client will have either MPLS or Metro E between their branches and our 2 data centers, and then DMVPN back up over a separate internet connection to each DC as well. We also have a pair of DCI links between the 2 DCs that traffic can traverse for the client as a last ditch effort kind of thing if their connectivity directly to the particular DC goes down.
MPLS means we BGP peer with the carrier, and then currently do some redistribution into EIGRP for the rest of the network. This adds some obvious complexity. It also means some differences in configuration between clients who use MPLS and those that use Metro E (where we run EIGRP) or god forbid T1 lines (rare, but point to point Metro E links to a head office with MPLS or other connectivity to branches off head office is not).
We're exploring SD-WAN options later this year, but that probably won't be a thing until at least 2020 for POC at the earliest. We're also exploring just doing all this connectivity via BGP, but I'm curious in using an overlay of some sort so we don't have to do BGP beyond the carrier edge and came across EIGRP over the top. Tunnels are an option, but that would mean some new hardware as well to support something like DMVPN over the MPLS as well (we would want separate equipment for the hubs from the failover) and brings up some other questions about certain types of outages and its effect.
So, yeah, thoughts on EIGRP over the top?
Expected International Performance
Posted: 03 Jan 2019 06:47 AM PST
OK - I have a few years of networking experience, but I may have run into a fundamental "TIFU". Months ago, we noticed poor performance downloading files from S3 (us-east-1) to our office (based overseas); we were getting just about 1-2 Mbps. After messing with MTU, MSS, and other knobs, I decided to take the big-hammer approach and we ordered a 50Mbps DirectConnect with a "Public" interface - basically, AWS advertises all of their IP space (using BGP) down a 50Mbps L2 connection to my router. The L2 connection terminates inside an AWS rack. ...Well, I got it up-and-running, but we're still seeing only 8Mbps on single HTTP requests. Our DirectConnect partner is telling me that 8Mbps is to be expected with 100Mbps (temporarily upgraded) and 130ms ping times. Is he right? Is this the first time that "ping time" should have meant more to me than "time-to-first-packet"? Did I just send my company down an expensive rabbit hole that doesn't fix our problem?
EDIT: I should add another "slow" use-case - We chose a "Public ViF" because we required increased performance of S3 traffic. As a side-effect, we thought our AWS VPN connections would go faster, as those VPN endpoints are also advertised through the DirectConnect L2. Because these are IPSec VPNs, all traffic through the tunnel is effectively _one flow_ - as such, our VPNs are _also_ limited to the same ~8Mbps. Yes, a Private ViF may perform better.
Cisco SD-WAN Experiences (Former Viptela Solution)
Posted: 03 Jan 2019 10:35 AM PST
Is anyone running Cisco SD-WAN (Viptela) on newer versions of the platform 18.x+ and using the ISR 1K/4K routers successfully? I have been working on staging a new environment for over 2 months with a mix of vEdge 2Ks and ISR 1Ks (specifically C1111-8PLTEEA). I have been through all the different 18.x software versions and am currently bleeding edge on 18.4.0 (wouldn't recommend it at the moment). I have been hitting constant bugs and quirks while working through this deployment and can't understand how this is release (not beta) software. I'm just curious what other people's experiences have been?
Working smart not hard. (help needed)
Posted: 03 Jan 2019 02:42 PM PST
Working on Cisco and HP equipment, I was wondering if you guys know of any Python script that might solve the current dilemma that I'm facing: cue super long story in which the network admin ends up doing all the work ... So basically I need to create access lists on each of the ports of 600+ switches for the devices that are currently connected there (could be just a PC or a phone and PC or a printer). So, here is my process right now:
So far this has taken me over 2 hours per switch and I feel that 600 switches is going to drive me nutz (deez nuts). If somebody has gone through this, how did you solve it? And if so, where do I send a r/RandomActofpizza? Thanks!
(Cisco) L2 Multicast Traffic not being properly forwarded
Posted: 03 Jan 2019 02:05 PM PST
We are experiencing an issue where video intercoms need to multicast information across an L2 network. The data is not getting end to end. We have two endpoints on the same network/subnet/gateway but on separate switches. To my understanding this type of traffic should be forwarded without issue as long as it was L2. Traffic flow is 3750x-->Nexus7000-->9300. When both endpoints are put on the same switch, it works. They are both still on the same VLAN as they were on when they were on two separate switches. Any suggestions on what I should look at next?
anyone know what could cause 10g link flapping between cisco 6807XL's
Posted: 03 Jan 2019 12:37 PM PST
Got complaints from remote users that their SSH sessions were disconnecting mid jobs and I decided to investigate and noticed the 10g L3 link between our core switch (Te7/1) and our distribution switch (Te7/3) was flapping for a millisecond and OSPF adjacency between them as a result was flapping as well. Both are Cisco 6807XL, there is a tap between this link though. Looking at the logs on the link on the dist switch, it goes down and up for a millisecond.
But this millisecond is enough to bring down the OSPF adjacency between them, as shown in the logs from the core below...
I'm trying to figure out why it's flapping. I have checked the physical links and did a "sh int te7/1 transceiver" to see the optical Tx/Rx power and they are within normal range. On the dist switch (Te7/3):
On the core (te7/1):
Or could this be caused by the tap that is in the middle? Thanks
Strange connection stop
Posted: 03 Jan 2019 02:04 AM PST
Hello guys, First, Happy New Year to you all! Now about the question I would like to ask you. I got some strange problem at work. To be precise, network connection problems. I'll try to explain the situation to you. We have two infrastructures in the same city but different datacenters. Infrastructures consist of main router, switches, hypervisor and VMs. Let's say both of them are almost identical. There is a task to migrate VMs from one location to another without changing IPs. For that reason, I have created the GRE tunnel from one router which is Juniper MX960 to another which is Juniper SRX3400.
GRE tunnel purpose:
- The link for a BGP connection
- The link to transmit traffic from already migrated VMs
BGP connection is used for advertising already migrated IPs to the old location. In a graph below you can see that GRE tunnel is actually set between Juniper routers' routing instances (for isolation purposes). So in short, the main route that we are interested in is VM 1 <--> Hypervisor A <--> MX960(VM-PUB routing instance) <--> SRX3400(RT-PUB2 routing instance) <--> Uplink C. Also, I should mention that GRE tunnel is established like this: MX960(VM-PUB routing instance <--> RT-PUB1 routing instance) <--> Uplink A <--> Uplink C <--> SRX3400(RT-PUB2 routing instance).
Now about the problem. At first, all seemed to be fine, but a few days ago we encountered a problem. When migrated VM (the one that goes via GRE) bigger amount of traffic its connection is stalled. Its example are SSH, HTTP, SCP and so on. With SCP test I see that it always stops at exactly 2112 KB. Meanwhile, when migrated VM sends receives data it's no problem - it could go for gigabytes and all is fine. I've already checked the MTU and all seems good, on GRE tunnel it is 1476, on the hypervisor - router route it also matches. I'm thinking that this may be some kind of limitation on SRX3400. We already had problems with it because of asymmetric connections before and had to do a workaround. Maybe any of you guys have any idea why connection could work like that? Everything is working perfectly but as soon as VM 1 (migrated) sends traffic outside, that connection stops working.
Can I run a Zyxel GS1920-24HP fanless?
Posted: 03 Jan 2019 11:48 AM PST
Hi, I just got this switch, and even with the slow fan speed it's quite noisy. I've unplugged the 3 fans in the unit, temps so far are cool, not even warm to the touch. The use for it is just a PoE access point and 3-4 devices more, not much. Can I leave it like this? Is it safe? Temps at the moment are under 50° at the MAC probe (room temp around 21°). What is the highest safe operating temperature? Thanks!
Now that Netscout sold off their network tester business - what are alternatives to LRAT-2000/OneTouch AT 10G?
Posted: 03 Jan 2019 11:12 AM PST
I just found out (yes, sorry, I know I'm slow....lol) that Netscout apparently sold all their handheld tester portfolio to a private equity firm: I have a Fluke LRAT-2000 (from before Fluke sold it to Netscout) - but it only takes SFP optics. I'm getting into SFP+, and it might be nice to upgrade to something that can test our 10Gb networks. What are some alternatives that people can recommend?
How to restrict traffic from internal to data centre network?
Posted: 03 Jan 2019 04:14 PM PST
Hi all. Hoping for some solution suggestions here... We have a data centre environment connected to our internal user network via a 10G port between two Nexus 9Ks. Currently when a user is connected to our internal network they can access the Data Centre resources. Our goal is to only allow port 80 and 443 traffic from internal to DC and block everything else EXCEPT for 5 admin users who should be allowed to access all IP ports across the link. We've considered Cisco ISE with SGTs but it seems overkill for the scale of what we're trying to do and we don't want to change our whole authentication architecture. We can't base it on IP addresses because the 5 users need to be able to access DC resources when on wireless too, so static wired IPs aren't enough. Also considered sticky MAC address port-security, which would be fine if we didn't need to allow all users on ports 80 and 443. Ideally the control would be based on usernames but separate to Windows AD. Perhaps we could implement a small next-gen firewall to control the traffic? Any other ideas on how we can achieve this? Thanks
Former CCNA+S needs help with new IOS-XE (Cisco ISR 1111-9P-LTE)
Posted: 03 Jan 2019 12:02 PM PST
Hi! I used to be certified CCNA+S back in 2010. I was running the company I work for since then with gear that I was able to configure and troubleshoot, but now I have introduced a new device running IOS-XE and I need to get back to the basics. Can someone post a configuration template for a branch office directly connected to the internet? The official configuration guide (cisco_1100_series_swcfg_xe_16_7_x.pdf) isn't helping a lot for now. Thank you.
if you qualify - get a free meraki switch - 'watch their latest offering'
Posted: 03 Jan 2019 03:06 PM PST
Sadly - I've never qualified - even though I've installed hundreds of their devices... https://meraki.cisco.com/videos/switch
"Qualified viewers of the recording will receive a free Cisco Meraki MS220-8P switch with a 3-year cloud management license. Please see meraki.cisco.com/freeswitch for eligibility details."
And I don't work for Meraki, I did work for a large ISP as a contractor (installing APs, switches, firewalls, phones and more) -unemployed at this moment-
Fibre/leased line from Boston USA to UK?
Posted: 03 Jan 2019 12:19 PM PST
Our main data centre is in London and we have an office in Boston USA that needs a fibre connection back to our core. Previously they have had plain internet connection but now they need connectivity to some hardware in London - management don't want to do this over VPN. Anyone had a circuit of this length in the past and have an idea of cost? I've contacted our COLT contact but he's currently on holiday. Ideally we would be able to buy this through one of our existing UK suppliers who can deliver via an existing QinQ circuit we have in place.
Small office network - Database server
Posted: 03 Jan 2019 10:23 AM PST
Hey guys! We have around 4-5 computers, so far they are accessing the internet through a switch and a router. The file exchange is done by sync.com. I have written a small database which I would like to introduce, it's tiny, around 50Mb. Thank you!
Extend Fax Line over LAN
Posted: 03 Jan 2019 09:51 AM PST
I'm looking for a way to extend a single POTS line over IP to a remote site. ATT is unable to move the number to the destination site and I'd rather not use fax forwarding. The new facility has new POTS numbers, however the department that is moving is focused on tax preparation and they've already registered with the IRS and have pre-printed this number on thousands of forms. I need a way to bridge the gap through 2019 until they reregister and reprint 2019 forms next winter with their new number. I've seen some posts regarding ATAs; does anyone have experience forwarding a fax signal over IP to a remote receiver? Thanks in advance
Need an alternative wireless Mini-PCI card...
Posted: 03 Jan 2019 08:48 AM PST
Currently using MikroTik R52HnD Mini-PCI cards in multiple outdoor locations. TX power/RX sensitivity drove us to this particular card (26dBm/-100). Due to a few supply chain issues I went looking for alternatives and was somewhat surprised with how few results I'm seeing. Without changing the main router itself I cannot use Mini-PCIe or M2 (unless someone knows of a way to adapt those to the Mini-PCI bus). USB would be additional work but not impossible. It must have external antenna capability. I'd prefer to stay on MMCX but beggars can't be choosers.
ASR920 help - Metro Ethernet and EVC
Posted: 02 Jan 2019 08:29 PM PST
So I'm hoping someone on here can potentially help me with configuring an ASR920. The ASR920 does not have sub-interfaces. All dot1Q trunk features are implemented with service instances and BDIs.
Scenario: I've got multiple links at an NNI coming in on a single port (different VLANs) and I'd like to route the traffic to either the next-hop/VRF/another port. Right now, I can see the tagged packets show up at the port but nothing is being seen by the service instance / at the BDI. Can't ping the BDI but get replies from a loopback.
Outputs
Let me know if you have any ideas or if there is any more info I can provide to make this easier. I can also get eve-ng lab exports mocking this up if you want to test any scenarios.
(Question) How does socks proxy chain works?
Posted: 03 Jan 2019 06:54 AM PST
After looking up online for a little while on how to create a proxychain, I was disappointed with so little information. Does anyone understand it enough to explain how we could write a small script that chains socks5? I have made some ssh reverse tunneling before and was able to chain proxies that way. What I'm looking for is automating the process (but not using shell commands)! Thanks
Aruba IAP Dynamic VLAN Assignment
Posted: 03 Jan 2019 05:49 AM PST
Hello Networking Community. I'm trying to set up Dynamic VLAN Assignment on an Aruba IAP-215. My goal is one SSID and based on the user that connects to the SSID he should get a VLAN assigned. I'm using ClearPass with Local Users as a RADIUS server. From ClearPass I'm sending the attribute "Aruba-User-Vlan". In the SSID I've set the VLAN Assignment to dynamic and set a rule that: Aruba-User-Vlan = vlan. My problem is that the client always gets the default vlan(1) and not the Aruba-User-Vlan. Thanks for your help.
Spirent vs. Ixia
Posted: 03 Jan 2019 05:38 AM PST
New to networking, I am an investor. Anyone here made a purchase decision between Ixia and Spirent? What went into the decision? If you are in telecom - will 5G change any of your reqs/purchases?
CIR and CBS?
Posted: 02 Jan 2019 09:40 PM PST
Hi, I'm trying to set up bandwidth limitations for each port on a Cisco SG500X-24 switch. Each port needs to be locked down to 128MB up and down. Under QOS -> Bandwidth it's asking for CIR in Kbytes (which I set to 128000) and CBS in bytes (which I set to 2500000 based on googling some information about CIR/CBS). Is this correct for a 128MB speed/bandwidth limit? If not, how do I get the correct numbers? I'm getting some weird traffic issues with those numbers, i.e. slow page loads, etc. If I turn the limitations off, pages load like normal. Any help would greatly be appreciated. Thanks!
Edit: kilobits/sec and 128Mbps