Blogpost Friday! Networking
- Blogpost Friday!
- I Made a Boo-Boo
- Any other service providers feel the pain from this morning's Fortnite update?
- PBX server and port 53 question
- Weird traffic cutouts after connection added to a site
- Can't find a legitimate ISP.
- ATT Midwest Area wide outage
- Design consideration for MetroE network. Would you place Layer3 switches for the connection points?
- Static w/ SLA vs BGP for redundant VPN setup
- xpost - Meraki MX Users - how do you like the client VPN?
- NETSH Trace is not returning actual data
- Configuring a Static Route over a VLAN (nxos)
- Manage Public IP’s with Solarwinds?
- FlexVPN design .. where to firewall hub site?
- Building Layout for Access Points
- Dealing with PLC Equipment that use same IP addressing
- STEM Expo advice
- Network issues from cold boot
- How to get past the Helpdesk gate keepers?
- Network mapping software
- Filter based forwarding / Policy based routing OR static routing?
- Understanding a NAT Translation
- Workplace network Help!
- Baselining throughput over an ISP
Blogpost Friday!
Posted: 28 Feb 2019 04:04 PM PST
It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts. Feel free to submit your blog post, as well as a nice description, to this thread.
I Made a Boo-Boo
Posted: 28 Feb 2019 05:56 AM PST
Long post, so I'll start with the TL;DR: this week I learned FortiSwitches come with spanning tree disabled out of the box. Fun times were had.

I'm not exactly sure what happened in my brain this week, but everything that could go wrong did go wrong, and everything was because of stressful former weeks, too much work and bad planning. I had earlier (a couple of months ago) designed a new proposal for an upgrade for a customer. My boss was a bit eager to try out a couple of new solutions for this customer and not just go for a standard Cisco setup on the layer 2 segment. As my company and our customers widely use FortiGates as their primary firewalls, we started checking out other hardware products besides FortiWLC, and landed on FortiSwitches. Fortinet's Security Fabric structure is pretty cool, and we went for a couple of 248's. At first we ordered up a FW cluster and a 248 to test at the customer site. This was working quite well, and the customer ordered up two additional 248's to replace their stone-age 2950, some old HP switches and an Allied Telesis stack.

The week before, all my planning went to shit, as I was side-tracked by more pressing issues. I wrote up a quick plan, but forgot essentials such as creating a change, getting this change accepted in CAB and preparing some more details around a roll-back plan and an overall plan for the migration to new equipment, as well as much-needed essential research on FortiSwitches.

Migration day came, and I prepared two possible configurations: one where I set aside dedicated Virtual Switch Link interfaces for the FortiSwitches directly to the FortiGate, and one where we daisy-chained the FortiSwitches. The first topology worked fine for all the equipment, but you can't view the switches on the FortiGates, which was one of my main goals to make configuration easier. I rolled back and went for a daisy-chained topology.

All switches showed up in the FortiGate management view, and I started configuring all the necessary trunk ports and access ports. The last two cables remained, and the job would be done within the agreed-upon billable time. The last two cables, however, were attached to another old HP switch, which was a dedicated AP and WLC switch. This switch hadn't had any LAG config, but two cables were connected to the Allied Telesis stack nonetheless. One port was of course in blocking state and the other one was forwarding. As I was interested in getting the job done, I didn't give this much thought, and hooked the cables up to the FortiSwitches. Big mistake. Apparently STP isn't enabled on FortiSwitches out of the box; however, everything seemed to be working fine and I got the good ol' pat on the back and thanks.

One and a half hours later, our monitoring guys are calling frantically: the WHOLE site is down, nothing is working as it should. From our device database we're able to reach the servers at the site, but devices on the same VLANs aren't able to reach each other. Luckily, but alas to no help at resolving the issue, I was able to reach the FortiGates over the loopback interface, and lo and behold: topology changes and duplicate OSPF router IDs everywhere. I quickly disabled all interfaces I knew were connected to other bridges, and set the FortiSwitch directly connected to the FortiGate as root bridge, and the topology changes stopped; however, this didn't help at all, and devices on the same VLANs, or that had policies in place, were unable to reach each other. After 16 hours of troubleshooting, completely messing up the whole environment, and using my poor colleagues' time on troubleshooting with me, we rolled back everything to the old equipment, and everything, except for the poor vCenter, came up and worked again. This sucked so bad, and I'm stuck with the worst conscience for my colleagues who also had to help get everything up.

I'm now in a re-planning phase, setting up an identical lab to the proposed solution for the customer, to really cover all aspects and do everything from scratch. A hard lesson was learned this week.
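The loop in the post came from a second cable to a switch that was already reachable, with STP off on the new side. A pre-change check that walks the planned cabling and flags any link that closes a loop without STP on both ends (or a LAG on both ends) catches exactly that. This is an added example, not the author's or Fortinet's code; the device names, port names and topology are constructed to mirror the post.

```python
"""Pre-change loop check: any link that creates a second path between devices
that are already connected must be a LAG on both ends or have spanning tree
enabled on both ends. Added example; the topology below is constructed to
mirror the post (a FortiGate, three daisy-chained FortiSwitches with STP off,
and an old HP AP/WLC switch cabled twice). All names are hypothetical."""

from typing import Dict, List, Set, Tuple

# A link is (device_a, port_a, device_b, port_b).
Link = Tuple[str, str, str, str]


class _DisjointSet:
    """Union-find over device names: answers 'are these two devices already
    connected by the links added so far?' before another link is added."""

    def __init__(self) -> None:
        self._parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self._parent.setdefault(x, x)
        while self._parent[x] != x:
            self._parent[x] = self._parent[self._parent[x]]  # path halving
            x = self._parent[x]
        return x

    def union(self, a: str, b: str) -> bool:
        """Join a and b; return False if they were already connected,
        i.e. the new link closes a loop."""
        ra, rb = self.find(a), self.find(b)
        if ra == rb:
            return False
        self._parent[rb] = ra
        return True


def find_unprotected_loops(links: List[Link],
                           stp_enabled: Dict[str, bool],
                           lag_ports: Dict[str, Set[str]]) -> List[str]:
    """Walk the links in cabling order and report every link that closes a
    loop without loop protection. The conservative rule used here: both ends
    must run STP, or both ports must be members of a LAG."""
    ds = _DisjointSet()
    findings: List[str] = []
    for dev_a, port_a, dev_b, port_b in links:
        if ds.union(dev_a, dev_b):
            continue  # first path between these two islands: no loop yet
        in_lag = (port_a in lag_ports.get(dev_a, set())
                  and port_b in lag_ports.get(dev_b, set()))
        stp_a = stp_enabled.get(dev_a, False)  # unknown device: assume STP off
        stp_b = stp_enabled.get(dev_b, False)
        if in_lag or (stp_a and stp_b):
            continue
        findings.append(
            f"{dev_a}:{port_a} <-> {dev_b}:{port_b} closes a loop and is "
            f"unprotected (STP {dev_a}={stp_a}, {dev_b}={stp_b}, LAG={in_lag})")
    return findings


# Constructed topology mirroring the post; names are hypothetical.
PLANNED_LINKS: List[Link] = [
    ("fortigate", "port1", "fsw1", "port48"),
    ("fsw1", "port47", "fsw2", "port48"),         # daisy chain
    ("fsw2", "port47", "fsw3", "port48"),
    ("fsw3", "port1", "hp-ap-switch", "1"),       # old AP/WLC switch, cable 1
    ("fsw3", "port2", "hp-ap-switch", "2"),       # cable 2: a second path
]
STP_STATE = {"fortigate": True, "fsw1": False, "fsw2": False,
             "fsw3": False, "hp-ap-switch": True}  # FortiSwitch default: off


def demo_findings(stp_on_fortiswitches: bool = False,
                  bundle_hp_links: bool = False) -> List[str]:
    """Run the check on the planned topology, optionally with a fix applied."""
    stp = dict(STP_STATE)
    if stp_on_fortiswitches:
        stp.update({"fsw1": True, "fsw2": True, "fsw3": True})
    lag: Dict[str, Set[str]] = {}
    if bundle_hp_links:
        lag = {"fsw3": {"port1", "port2"}, "hp-ap-switch": {"1", "2"}}
    return find_unprotected_loops(PLANNED_LINKS, stp, lag)


if __name__ == "__main__":
    for line in demo_findings() or ["no unprotected loops"]:
        print(line)
```

The check is order-dependent by design: it flags the cable that, when plugged in last, completes the loop, which is the one the post describes.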
Any other service providers feel the pain from this morning's Fortnite update?
Posted: 28 Feb 2019 07:29 AM PST
My transit links and Akamai caching boxes got some good exercise for four-ish hours this morning thanks to Fortnite v8.00 dropping. Things are settling down now, but that's probably the largest surge of early morning traffic I've seen since I took over this network a few years ago. The sustained load out to our customers held steady at just under 50 Gbps at its peak.
PBX server and port 53 question
Posted: 28 Feb 2019 09:55 AM PST
Hello everyone, I have recently received access to our firewall. I had to open up ports for remote access. After locking down most ports and whitelisting the correct IP address, everything seems to be running smoothly, except for the fact that 4.2.2.2 (a well-known Level 3 DNS server) keeps hitting my firewall on port 53 (the DNS port) every 5 seconds or so, multiple times, on lots of different high ports, 30000+. Now, I do not have access to our PBX server, but we do not use 4.2.2.2 in our environment for DNS, although I am not able to see the settings on the server so I cannot confirm. They are all UDP outbound connections. It just seems really excessive, as 8.8.8.8 (Google DNS) only hits once in a while. Is this normal or am I somehow getting hacked? DNS spoofing?
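The firewall log answers most of this question on its own if it is read per flow: the direction, which internal host is the source, whether the high-numbered ports are the client's ephemeral source ports, and how regular the queries are. The script below does that over constructed log lines; it is an added example, not code from the post, the key=value log form is not any vendor's real format, and the approved-resolver list is an assumption.

```python
"""Summarise UDP/53 firewall log entries per (source, destination) flow.
Added example; SAMPLE_LOG is constructed in a simple key=value form (not a
real vendor format) and APPROVED_RESOLVERS is an assumed policy list."""

from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, List, Tuple

# Constructed sample: one internal host querying 4.2.2.2 twice every 5 s,
# another host occasionally using 8.8.8.8, and one unrelated inbound packet.
SAMPLE_LOG = """\
2019-02-28T09:55:00 action=allow dir=out proto=udp src=10.10.20.15 sport=31477 dst=4.2.2.2 dport=53
2019-02-28T09:55:00 action=allow dir=out proto=udp src=10.10.20.15 sport=31478 dst=4.2.2.2 dport=53
2019-02-28T09:55:05 action=allow dir=out proto=udp src=10.10.20.15 sport=32010 dst=4.2.2.2 dport=53
2019-02-28T09:55:05 action=allow dir=out proto=udp src=10.10.20.15 sport=32011 dst=4.2.2.2 dport=53
2019-02-28T09:55:10 action=allow dir=out proto=udp src=10.10.20.15 sport=33902 dst=4.2.2.2 dport=53
2019-02-28T09:55:10 action=allow dir=out proto=udp src=10.10.20.15 sport=33903 dst=4.2.2.2 dport=53
2019-02-28T09:55:15 action=allow dir=out proto=udp src=10.10.20.15 sport=34120 dst=4.2.2.2 dport=53
2019-02-28T09:55:15 action=allow dir=out proto=udp src=10.10.20.15 sport=34121 dst=4.2.2.2 dport=53
2019-02-28T09:55:03 action=allow dir=out proto=udp src=10.10.20.40 sport=51002 dst=8.8.8.8 dport=53
2019-02-28T09:57:40 action=allow dir=out proto=udp src=10.10.20.40 sport=51377 dst=8.8.8.8 dport=53
2019-02-28T09:56:12 action=deny dir=in proto=udp src=198.51.100.7 sport=53 dst=203.0.113.10 dport=53
"""

APPROVED_RESOLVERS = {"10.10.0.5", "8.8.8.8"}  # assumption: sanctioned resolvers


def parse_line(line: str) -> dict:
    """'<iso-timestamp> key=value ...' -> dict, with 'ts' parsed to datetime."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def verdict(ephemeral_sport: bool, approved: bool) -> str:
    """Defender's reading of an outbound UDP/53 flow."""
    if ephemeral_sport and approved:
        return "client-initiated queries to a sanctioned resolver"
    if ephemeral_sport:
        return ("client-initiated queries to an unsanctioned resolver: "
                "fix the source host's DNS settings or block at the edge")
    return "low source port on outbound DNS: investigate the source host"


def summarize_dns_flows(log_text: str, approved: set) -> Tuple[Dict[tuple, dict], int]:
    """Group outbound UDP/53 by (src, dst); count inbound hits on port 53 separately."""
    outbound: Dict[tuple, List[tuple]] = defaultdict(list)
    inbound_to_53 = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        f = parse_line(raw)
        if f.get("proto") != "udp" or f.get("dport") != "53":
            continue
        if f.get("dir") == "in":
            inbound_to_53 += 1  # something outside actually hitting our port 53
            continue
        outbound[(f["src"], f["dst"])].append((f["ts"], int(f["sport"])))
    report: Dict[tuple, dict] = {}
    for (src, dst), events in outbound.items():
        times = sorted({ts for ts, _ in events})
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        sports = [sport for _, sport in events]
        ephemeral = min(sports) >= 1024   # the "high ports 30000+" in the post
        report[(src, dst)] = {
            "queries": len(events),
            "median_interval_s": median(gaps) if gaps else None,
            "ephemeral_source_ports": ephemeral,
            "approved_resolver": dst in approved,
            "verdict": verdict(ephemeral, dst in approved),
        }
    return report, inbound_to_53


def demo_report() -> Tuple[Dict[tuple, dict], int]:
    return summarize_dns_flows(SAMPLE_LOG, APPROVED_RESOLVERS)


if __name__ == "__main__":
    flows, inbound = demo_report()
    for (src, dst), info in flows.items():
        print(f"{src} -> {dst}:53  {info}")
    print(f"inbound packets to our port 53: {inbound}")
```

In the sample, the 4.2.2.2 traffic is initiated by an internal host from ephemeral ports at a steady interval, so the log points at that host's resolver configuration rather than at 4.2.2.2.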
Weird traffic cutouts after connection added to a site
Posted: 28 Feb 2019 02:11 PM PST
Hey guys. Got a confusing mystery here and just wanted to bounce it off you experienced people for some ideas or insight.

The Layout
So there's a small school district that consists of a few schools. The schools connect back to one "main" school via a gigabit ELAN provided by an ISP. The main school has a L3 switch which handles all the routing. For Internet, a connection goes through the ELAN to a county office. It's not ideal, but things work fine. Or at least they did...

One day a charter school is added to the mix. They work out an arrangement to connect into the district network via Ubiquiti wireless units and piggyback back to the county for Internet access. They get their own VLAN from their site all the way back to the county, where they get Internet access as well as VPN access to their other charter schools.

Ever since that happened, some subtle but nonetheless weird things occur on the district network. In particular, monitoring software that periodically pings district equipment will periodically alert on switches, cameras, and other monitored networked equipment as being offline. This seems to only happen during peak working hours and when the networks are being used. It does not happen on weekends or weeks that schools are not in session. The charter school network's equipment doesn't appear to be affected at all. One day a storm knocked out the charter wireless for a couple of days. The issue went away. When that link was repaired, the issue came back.

Summary of Troubleshooting

Any ideas or explanation of what could be causing this weird behavior? Part of me wants to just say it's the ISP's (ELAN) fault, because I can see the ping replies disappearing in it. But I really don't get why it only happens when the charter connection is up?
Can't find a legitimate ISP.
Posted: 28 Feb 2019 10:05 AM PST
Hope this is the right sub. If not, lemme know.

Back story: my company bought a building about 2 years ago and we haven't been able to get a legitimate ISP to provide us with a workable internet connection. Currently we have a 15/1 Mbps connection from a wireless modem from Verizon. We're around 30-40 employees on any given day, and most are using some kind of streaming service at any given point. Our physical location is in New Bedford, which is one of the biggest cities in Massachusetts. And we're right in the middle of the city. But we're also on a wharf, which has been the problem. I guess putting in telephone poles or digging through the concrete is too much of an expensive hassle for ISPs.

Here's what I've tried or considered so far...
• Comcast wants us to pay ~$17k to have them install the infrastructure for cable internet, and even more for fiber. I asked about petitioning other businesses on the wharf to agree to sign up with Comcast, if they would waive that fee. But what they said was that it would cost them even more per building, so it's not worth it.
• Verizon is more or less the same as Comcast.
• Business class satellite internet has a cap on GB per month, maxes out at around 35 Mbps, and doesn't like weather.
• I've talked to a couple of other fiber providers, who want almost twice as much as Comcast.
• We could add a second and third line of 15/1 from Verizon, but that would only help so much.
• What's interesting is that the company that was in this building before us was a large health insurance company, and they got their internet through Light Tower (now Crown Castle Fiber), which is a fiber network. I reached out to them and they're telling me that in order to connect to the building, they have to lease a conduit through the local power company, which would end up costing us over $2k per month.

What's frustrating is that the hotel that is literally across the street has internet. I'm completely out of ideas. Any help would be amazing.
ATT Midwest Area wide outage
Posted: 28 Feb 2019 12:53 PM PST
Who all is experiencing issues with any of ATT's WAN services? Trying to identify if this is larger than just a single MPLS cloud.
Design consideration for MetroE network. Would you place Layer3 switches for the connection points?
Posted: 28 Feb 2019 04:41 PM PST
Hello, I have a client that is installing a Metro E network and wants to use Layer 3 switches (Arista) as the backbone for the sites. How common is that? Maybe I'm old, but I always separate switching from routing, so I would only consider a traditional router for each site's connection point with an L3 switch as the next hop inside. Is my perspective too old-fashioned or rigid?
Static w/ SLA vs BGP for redundant VPN setup
Posted: 28 Feb 2019 10:39 AM PST
I have 2 hub locations with a dozen remote sites over VPNs. Each remote site has a VPN to each hub. Hubs are ASAs and remote sites are Juniper SRX devices. What's the best way to implement failover in the event connectivity is lost at a hub? I've never configured BGP before, and I was thinking static routes to each hub, with the lower-metric route tied to an SLA to drop it from the table in the event it can't be reached. Thoughts?
xpost - Meraki MX Users - how do you like the client VPN?
Posted: 28 Feb 2019 08:21 AM PST
I've seen some mixed reviews, mostly based on it not having an actual client. I am considering deploying this for a small remote facility that will host a handful of servers. The primary users that would connect to this network via VPN are not the most tech savvy. Ideally this would be a solution that's easy for them to connect to.
NETSH Trace is not returning actual data
Posted: 28 Feb 2019 01:18 PM PST
I'm trying to capture some traffic using netsh, but I'm not getting the data I'm looking for, so I hope someone can help me out. Unfortunately, I can NOT add programs on to any of the systems I'm working with, and I don't have access to Message Analyzer. I have used the following commands:

netsh trace start capture=yes ipv4.address=x.x.x.x tracefile=filename.etl
netsh trace start capture=yes provider=Microsoft-Windows-NDIS-PacketCapture level=5 tracefile=filname.etl

The captures run fine. I attempted to look at them several ways. I converted to a CSV with netsh dump, and I imported the data into PowerShell with Get-WinEvent. The data is very vague and doesn't have information like destination IP, just messages like "Packet fragment (54 bytes)". All examples I see online have actual data like IPs and ports. What am I doing wrong?
Configuring a Static Route over a VLAN (nxos)
Posted: 28 Feb 2019 01:01 PM PST
Hi, apologies in advance, I need some assistance with putting static routes on SVIs on a Nexus switch. The intention is to have some inter-VLAN routing for a handful of VLANs, but traffic involving VMs on the DMZ routed on a SonicWall. All the VM hosts are connected only to the Nexus. At the moment I have a router-on-a-stick setup with the Nexus acting purely as a switch for DMZ traffic; it looks OK, VMs connected to the switch, on different DMZ VLANs, can ping each other. I'd like now to have static routes on the (non-DMZ) SVI VLANs so they pass VM traffic destined for the DMZ and beyond to the router, and I'm not even certain that is possible, or if instead I should be physically connecting the VM hosts to the SonicWall as well as just the Nexus, and present DMZ VLANs from the SonicWall and the internal VLANs from the Nexus. Anyway, looking at this document gives me this example:

switch# configure terminal
switch(config)# feature interface-vlan
switch(config)# interface vlan 10
switch(config-if)# ip address 192.0.2.1/8
switch(config-if)# ip route 209.165.200.224/27 vlan 10 <=== 209.165.200.224 is the IP address of the interface that is configured on the interface that is directly connected to the switch.

with this explanation: "Adds an interface static route without a next hop on the switch virtual interface (SVI). The IP address is the address that is configured on the interface that is connected to the switch."

Does this mean the IP address/mask in the last command is that of the router's interface to the switch, with the router interface to the switch (or one of its sub-interfaces) being 209.165.200.224/27?
Manage Public IPs with SolarWinds?
Posted: 28 Feb 2019 03:09 PM PST
I am looking for a way to manage the public IPs that we own with our existing SolarWinds system. Ideally, I would want to script it to do a DNS lookup, an ARIN / APNIC / RIPE check and details import, and basic up / down response. Anyone know of a way to do this? Or if not, does anyone have recommendations on tools that can do this?
FlexVPN design .. where to firewall hub site?
Posted: 28 Feb 2019 06:14 AM PST
Hi all, I'm currently designing a deployment with FlexVPN. For reference I'm using a lot of iWAN documents, as they're more comprehensive than anything about FlexVPN, and the differences between FlexVPN and DMVPN don't mean much for topology anyway. I've seen quite a few designs with this kind of setup for the hub routers in the hub site (in my case it is the corporate head office): https://i.imgur.com/cBCghgJ.jpg

The "outside" of the hub routers is NAT'ed to public IPs which the spokes create tunnels to, and the traffic to them is managed by a firewall, which is fine, but wouldn't this mean that the tunnels terminate on the "inside" LAN, bypassing the hub site's firewall, which seems like a security risk to me ... I'm not sure I trust my branch offices that much? Thanks in advance.
Building Layout for Access Points
Posted: 28 Feb 2019 01:48 PM PST
I have some building plans and I know the model of APs we are going to use for this new building. I am trying to design a flow for where the APs should be, but I cannot seem to find any programs to map it out. Does anyone know of one? Preferably free. The only ones I can find are designed for existing wifi network mapping and coverage.
Dealing with PLC Equipment that use same IP addressing
Posted: 28 Feb 2019 10:01 AM PST
I work in a manufacturing environment which has a lot of equipment using PLC networking.
- We have an Electronics Manager who is in the midst of an effort to connect all of this equipment to a central server running a PLC control and monitoring interface.
- We have Cisco networking: 3750X Layer 3 switches at the core, and 2960 Layer 2 switching at remote closets (where the PLC device would connect).

We have encountered a scenario where a vendor has installed their equipment on 2 lines, same equipment in each line, and both lines have the same IP addresses for each part.
- In this case, there is one primary interface for each line, and both use the same IP, let's say 10.1.1.1.
- The goal is that our PLC server needs to be able to monitor both lines without conflict.
- The vendor advised us to use NAT translation for the ports where the two devices will be connected so that each one would appear as a different IP.

My question is... Can a Cisco 2960 switch perform this kind of NAT translation on a port-to-port basis? Otherwise we are planning to put two small routers in front of each device to perform the NAT function for us. I don't know that I'm in love with this plan, although I'm still somewhat new to the world of PLC networking, and maybe that's normal? Was curious to see how someone else would approach it.
STEM Expo advice
Posted: 28 Feb 2019 09:51 AM PST
I was asked to run a small STEM Expo exhibit for grades 5-8 that relates to networking. Any thoughts as to what activities I could run that wouldn't be difficult for young kids and still have a little bit of a wow factor?
Network issues from cold boot
Posted: 28 Feb 2019 01:19 AM PST
At one of the classrooms of one of our schools we have a very specific but unknown issue. The whole classroom is equipped with HP Z-series (mini) workstations. On a cold boot they all show the yellow network error icon on the Windows lock screen and are unable to log in. After a reboot (warm reboot) the issues are gone. Did anyone hear of these issues before, and how to further troubleshoot this? All the workstations which have issues are on two similar switches (Cisco 2960).
How to get past the Helpdesk gate keepers?
Posted: 28 Feb 2019 12:12 PM PST
I have a problem with being randomly disconnected from my work's network and I'm hoping someone might have some insight on the best way to approach this.

I work for a company completely remotely. I'm not even in the same state as their call centers. They have VPN connection points in several different cities across the US and I'm completely dependent on connecting to one of their VPN connections for everything I do at the company. I've worked there for 5 years now and I've never had any trouble connecting or staying connected. I'm using an EdgeRouter X with a fiber connection via Frontier FiOS, 100 Mbps up/down.

We use specific proprietary software at this company for doing the job I do, which is working with customers over the phone. Recently the software has been freezing in the middle of my contacts and dropping calls, which makes it look like I'm hanging up on customers. As you can imagine, that looks really bad to management. When this happens, I never lose connection to the VPN, but their IT department has been running ping tests from my work computer to Google while connected to the VPN, and those tests have shown dropped packets. When I disconnect from their VPN, I don't see any dropped packets on the work computer, and I've used ping tests on other computers in my network to test the connection and haven't found any dropped packets, even when the work computer is showing dropped packets at the same time while connected via the VPN. From what I've heard from the other people that work at this company, this is common behavior for the VPN. I also have more evidence that leads me to believe the VPN is the problem, but I don't want to make this post too long.

I've contacted their Helpdesk about this multiple times; they do the same thing every time: they point to the dropped packets while connected to the VPN, blame my network, then refer to my ISP. They refuse to troubleshoot the VPN past that. They then tell my manager that it's my network, which makes it look even worse, and at some point my manager will have to tell me to switch ISPs and possibly even fire me, if it gets worse.

So that's the overall situation that I'm trying to solve. I like my position there and I want to stay in good standing, but the issue is both making me look bad and making it much harder to do my job. I've become good at switching to a different VPN connection point when the VPN starts to lag, but that doesn't stop the calls from dropping before switching, and sometimes all the VPNs are lagging. I'm in the process of setting up a script in my router that pings their VPN and pings Google, then emails the results to my email, in order to timestamp the connections. I could probably use that information to go above the Helpdesk, but that's going to burn a lot of bridges really fast, and in my mind there's no guarantee they won't still blame the router / ISP or say the script wasn't approved, so the results can't be trusted. I'm wondering if anyone else has any other ideas?
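The evidence the poster wants is a timestamped record showing loss toward the VPN endpoint at the same moments the path to an outside reference host is clean. The monitor below probes both targets concurrently each round, logs loss and RTT to CSV and classifies where the loss sits. It is an added example, not the poster's script; the VPN endpoint address is a placeholder, and it assumes a Linux-style `ping` on PATH (EdgeOS is Debian-based).

```python
"""Dual-target ping monitor: probe the VPN endpoint and an outside reference
host at the same moments, log per-round loss/RTT with a timestamp, and say
where the loss appears. Added example; VPN_ENDPOINT is a placeholder and the
ping summary format assumed is the Linux/iputils one."""

import csv
import re
import subprocess
import sys
import time
from concurrent.futures import ThreadPoolExecutor
from datetime import datetime, timezone
from typing import Optional, Tuple

VPN_ENDPOINT = "192.0.2.10"   # placeholder (TEST-NET-1): put the VPN concentrator here
REFERENCE = "8.8.8.8"         # outside reference host, as in the post
PROBES = 10                   # pings per target per round
LOG_PATH = "pingmon.csv"

SUMMARY_RE = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")
RTT_RE = re.compile(r"= ([\d.]+)/([\d.]+)/([\d.]+)")   # min/avg/max


def parse_ping_output(text: str) -> Tuple[int, int, Optional[float]]:
    """Return (sent, received, avg_rtt_ms) from a ping summary block.
    No summary at all (unresolvable host, ping killed) is reported as (0, 0, None)."""
    m = SUMMARY_RE.search(text)
    if not m:
        return (0, 0, None)
    r = RTT_RE.search(text)
    return (int(m.group(1)), int(m.group(2)), float(r.group(2)) if r else None)


def loss_percent(sent: int, received: int) -> float:
    """Nothing sent means the probe itself failed: treat as total loss."""
    return 100.0 if sent == 0 else round(100.0 * (sent - received) / sent, 1)


def classify(vpn_loss: float, ref_loss: float, threshold: float = 5.0) -> str:
    """Loss only on the VPN path while the reference path is clean points past
    the local network; loss on both paths points at the local side or ISP."""
    vpn_bad, ref_bad = vpn_loss >= threshold, ref_loss >= threshold
    if vpn_bad and not ref_bad:
        return "vpn_path_only"
    if vpn_bad and ref_bad:
        return "both_paths"
    if ref_bad:
        return "reference_only"
    return "clean"


def ping(target: str, count: int = PROBES) -> Tuple[int, int, Optional[float]]:
    proc = subprocess.run(["ping", "-n", "-c", str(count), "-i", "0.5", target],
                          capture_output=True, text=True, check=False)
    return parse_ping_output(proc.stdout)


def one_round() -> dict:
    """Probe both targets at once so a loss event is observed on both together."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    with ThreadPoolExecutor(max_workers=2) as pool:
        vpn_f, ref_f = pool.submit(ping, VPN_ENDPOINT), pool.submit(ping, REFERENCE)
        v_sent, v_recv, v_rtt = vpn_f.result()
        r_sent, r_recv, r_rtt = ref_f.result()
    v_loss, r_loss = loss_percent(v_sent, v_recv), loss_percent(r_sent, r_recv)
    return {"time": stamp, "vpn_loss": v_loss, "vpn_rtt": v_rtt,
            "ref_loss": r_loss, "ref_rtt": r_rtt, "where": classify(v_loss, r_loss)}


if __name__ == "__main__":
    rounds = int(sys.argv[1]) if len(sys.argv) > 1 else 5
    fields = ["time", "vpn_loss", "vpn_rtt", "ref_loss", "ref_rtt", "where"]
    with open(LOG_PATH, "a", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=fields)
        if fh.tell() == 0:
            writer.writeheader()
        for _ in range(rounds):
            row = one_round()
            writer.writerow(row)
            fh.flush()        # keep the log intact if the router reboots
            print(row)
            time.sleep(30)
```

A run of rows classified `vpn_path_only` at the times calls dropped is the kind of record the poster can hand over, with the reference-host columns showing the local link was clean at the same moments.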
Network mapping software
Posted: 28 Feb 2019 07:22 AM PST
I am looking for software that can be relatively easily deployed, that can produce network maps that cover the following primarily:
- Layer 3 map
- Layer 2 map
- Trunk/port channel connection map

Not going to complain if it also includes individual ports on a deeper level (like clicking on a switch stack). It would be amazing if the map could show a global view that has, like, concentric circles or something that shows where "vlan 50" is on everything, where it connects to (like which trunks it runs across, sort of thing). We have LibreNMS already, and it only shows single physical connections (not even port channels). Yes, it's a useful tool, sometimes, but I'm looking for something more granular.
Filter based forwarding / Policy based routing OR static routing?
Posted: 28 Feb 2019 02:03 AM PST
Servers in their own VRF need to access routes in multiple other VRFs. Instead of route leaking I decided to use filter based forwarding to match on destination address and forward using a next-hop in a different VRF. Alternatively I could create around 20 static routes and specify a next-hop table for each. Are there any advantages / disadvantages to either approach? *Route leaking is not an option as I'm working with around 50k routes*
Understanding a NAT Translation
Posted: 28 Feb 2019 09:26 AM PST
Hi, just had a quick question about a NAT statement in my environment that I am inheriting; can you please explain what exactly it is defining. I have changed some of the IP information for privacy:

R1# ip nat inside source route-map RMAP_1 interface Dialer0 overload
R1# ip nat inside source static tcp 10.120.100.25 8080 142.23.24.132 62701 route-map RMAP_1 extendable
R1# ip nat inside source static tcp 10.120.100.25 443 142.23.24.132 63701 route-map RMAP_1 extendable

- I understand that the first line is PAT; it is basically saying the inside source is a route-map, and it should translate to the IP address on the Dialer0 interface (this is PPPoE), and overload so it uses PAT.
- To add some context, the route-map is matching pools of addresses in an extended ACL called traffic_for_nat.
- The next two lines are static NAT, right? From what I understand it is stating that the inside source is 10.120.100.25 to the outside of 142.23.24.132. Extendable is needed because I am making translations to the same external IP, correct?
- So what is the route-map doing in those static statements?

Any help is appreciated!
Workplace network Help!
Posted: 28 Feb 2019 09:17 AM PST
Hi all, I'm hoping someone can help me with an office networking problem. I'll preface by saying I'm a veterinarian and while I feel I'm good at medicine, networking is not a strong suit. I do have moderate computer experience (have done a few builds, can replace motherboard capacitors etc.), but I've been pounding my head against what I assume is a basic oversight at work for a couple of days.

Scenario: Our veterinary clinic was built in the early '90s and has a dozen workstations or so. We have a wired network for the workstations to access our practice management software and printer off a central workstation. This has never been connected to the internet, mostly to avoid any chance of compromising our client data, and out of paranoia that we would be more likely to experience crashes with the workstation from employees using/downloading things without knowing what was "safe". In the last few years we've found the need to add internet access to individual workstations to access email and help clients place online orders at our front desk. I've run Ethernet cables to our separate wireless modem (not connected to the offline network) and allowed access individually to the workstations that need it.

I'm trying to do the same thing with a workstation at our front desk and having issues. To start, the computer (running Windows XP Professional) only has 1 Ethernet port, which is occupied by our offline network Cat5. I've had this issue once before, and purchased a USB to Cat5 adaptor and that worked no problem (newer workstation running Windows 10). I installed the drivers and connected the 2nd Ethernet cable via the adapter. If both networks are enabled, only the first one to connect works... If I enable the one connected to our internet, and then enable the offline network connection, I will have internet access but am unable to load our software from the central "server" computer. If I enable the offline network and then the internet, the opposite happens: I can access the software but not the internet. Each connection works totally fine when enabled by itself, but not together. I changed the IP ranges for one of the routers to avoid any overlap, but that didn't help. I'm totally stumped and lost here, and guessing I'm overlooking something fairly simple or not understanding a concept altogether. If anyone is willing to give me some advice I would be very grateful. I'd also be happy to offer you companion animal pet advice in return!

Some other specifics: the offline network is connected together via a Cisco router with internet disabled, and just used to assign IP addresses to the computers and printers. The online network uses an Apple AirPort router and switch to allow multiple computers to access the internet (we have our lab equipment, radiology suite etc. all hard wired in).

Edit: I used the same adaptor and exact same setup on another workstation, with the only difference being that computer is running Windows 7, and it works just fine. The computer with XP is the one that doesn't work, despite the same setup.
Baselining throughput over an ISP
Posted: 27 Feb 2019 08:17 PM PST
What method do you rely on to baseline the throughput of an ISP circuit, for instance an L3VPN over a metro ethernet circuit? I usually see one of these used:
- RFC2544
- Y.1564/EtherSAM
- IPERF
- Speedtest website
- File transfer (FTP, SCP, Filezilla, etc)
- RFC6349
You are subscribed to email updates from Enterprise Networking news, blogs and discussion.