Rant Wednesday! Networking
- Rant Wednesday!
- Cloudflare's RPKI toolkit
- What are some good Python network automation learning resources?
- Major outage in around Birmingham, AL?
- No L2 In the Core
- Measure throughput between Cisco devices
- UPS choice for networking gear?
- BGP attributes
- LLDP (VLAN auto-assignment) for computers on Dell N Series switches?
- why put the web server behind the F5 LB - should I always?
- Travel Router - Dual Band, portable?
- Firewalls in 3 tier architecture
- (Another) VRRP question: How does the switch know where to forward the traffic to?
- Using ACLs to deny local network access, but still allowing internet access?
- Dell S5048F-ON Stacking
- Cisco Firepower Bug - DHCPRelay does not consume DHCP Offer packet with Unicast flag
- Cisco Optical Amplifier - EDFA-24 on NCS2002
- Anyone managing international IT teams
- Spanning Tree
- What do you think of my design?
- How many IP's do I allocate for svi/subinterfaces
- Weird Questions - Would putting a server in the same datacenter as another webserver provide sub millisecond latency between both devices? And is there a cheap method to determine physical data center location of a webserver?
- Help Needed for AP Mounting Brackets
- Juniper vSRX NAT between routing instances
- What do you think about a portal of my core firewall published to internet?
Rant Wednesday! Posted: 26 Feb 2019 04:04 PM PST It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, the price of scotch or anything else network related. There is no guiding question to help stir up some rage-feels; feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!
Cloudflare's RPKI toolkit Posted: 26 Feb 2019 07:56 AM PST https://blog.cloudflare.com/cloudflares-rpki-toolkit/ This was posted quietly on a Sunday night, but I think it's actually pretty big news. I know that a couple of times in past jobs I've been asked to evaluate the business case around RPKI and it's always come down to "Validation and tooling for troubleshooting are both difficult, expensive problems to solve." Now that the barrier to entry is "you need to enter a few lines of configuration on your router and run two docker containers", does this change anyone's mind? Are there compelling reasons not to run RPKI with the implementation simplified to such a degree?
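The validation step the post refers to is route origin validation as specified in RFC 6811: a BGP announcement is compared against the set of ROAs that cover it and classed Valid, Invalid or NotFound. The following is an added example (not code from the original post, nor from Cloudflare's toolkit) that implements that decision in Python and applies the usual "drop Invalid, accept the rest" policy. The ROA JSON document is constructed for this example; its field names (prefix, maxLength, asn) are an assumption about the export format and are not taken from the page.

```python
"""RFC 6811 route origin validation against a ROA set (added example)."""
from __future__ import annotations

import ipaddress
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    asn: int


def load_roas(json_text: str) -> list[ROA]:
    """Parse a {"roas": [...]} document; the field names are an assumption
    for this example. The asn field may be an int or a string like "AS64500"."""
    roas = []
    for entry in json.loads(json_text)["roas"]:
        asn = entry["asn"]
        if isinstance(asn, str):
            asn = int(asn[2:]) if asn.upper().startswith("AS") else int(asn)
        roas.append(ROA(ipaddress.ip_network(entry["prefix"]), int(entry["maxLength"]), asn))
    return roas


def validate(prefix: str, origin_asn: int, roas: list[ROA]) -> str:
    """RFC 6811 section 2: a ROA covers the route if the route's prefix is equal
    to or more specific than the ROA prefix. Valid needs a covering ROA with a
    matching ASN whose maxLength the route does not exceed; a covering ROA with
    no such match (including an AS0 ROA) makes the route Invalid."""
    route = ipaddress.ip_network(prefix, strict=False)
    covering = [r for r in roas
                if r.prefix.version == route.version and route.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"
    if any(r.asn == origin_asn and route.prefixlen <= r.max_length for r in covering):
        return "Valid"
    return "Invalid"


def filter_announcements(announcements, roas):
    """Policy most operators deploy first: reject Invalid only, because NotFound
    still covers a large share of the table. Returns (accepted, rejected)."""
    accepted, rejected = [], []
    for prefix, origin in announcements:
        state = validate(prefix, origin, roas)
        (rejected if state == "Invalid" else accepted).append((prefix, origin, state))
    return accepted, rejected


# Constructed sample ROAs using documentation prefixes and private ASNs.
SAMPLE_ROAS_JSON = """{"roas": [
  {"prefix": "192.0.2.0/24",   "maxLength": 24, "asn": "AS64500"},
  {"prefix": "2001:db8::/32",  "maxLength": 48, "asn": 64500},
  {"prefix": "203.0.113.0/24", "maxLength": 24, "asn": 0}
]}"""
SAMPLE_ROAS = load_roas(SAMPLE_ROAS_JSON)

if __name__ == "__main__":
    table = [("192.0.2.0/24", 64500), ("192.0.2.128/25", 64500),
             ("192.0.2.0/24", 64501), ("198.51.100.0/24", 64500),
             ("2001:db8:1::/48", 64500), ("203.0.113.0/24", 64500)]
    for item in filter_announcements(table, SAMPLE_ROAS):
        print(item)
```

The two Invalid cases worth recognising in practice are the more-specific leak (192.0.2.128/25 exceeds maxLength 24 even though the ASN matches) and the origin mismatch (the same /24 announced by AS64501), which is what a hijack looks like; the AS0 ROA on 203.0.113.0/24 is how a holder says "nobody should originate this".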
What are some good Python network automation learning resources? Posted: 26 Feb 2019 05:31 AM PST I'm struggling with sorting which resources are good and which are not. I have some Python experience and use it almost daily to automate simple tasks, but I have never tried automating network configuration with it. Where should I start reading?
Major outage in around Birmingham, AL? Posted: 26 Feb 2019 10:51 AM PST Not sure if this is the best place to put this, but here we go. I was sent to one of our Alabama locations to check on a site that was down. Upon arrival, not only were they down, but the majority of the town was down. No internet, POTS lines, even cell towers for all carriers. I had to drive a few miles outside of the town to update my team on the situation. Someone heard through the grapevine there was a major fiber cut around Birmingham, crippling a lot of infrastructure to the south. I've tried our service provider (Windstream) and they don't know what's happening. Any of you heard anything?
No L2 In the Core Posted: 26 Feb 2019 04:18 PM PST Gotta say, my work buddy really came through and has now provided me with my favorite article of clothing. Thought you all may enjoy this and the meaningful conversations that can be had on the topic... Enjoy!
Measure throughput between Cisco devices Posted: 26 Feb 2019 01:57 PM PST We've got a Direct Connect from HQ to AWS with 1Gb transport. I'm attempting to test the throughput before I tell our storage team to begin pushing backups to S3. I don't have access to any servers in AWS to run iperf, so I found a hidden command called "ttcp" on Cisco devices. I've run this command with default parameters and I'm getting 107kB/s, which is pretty short of the 1Gb we're paying for. Is anyone familiar with this ttcp command, or is there a better way I can test throughput before I go back to the service provider and say, "what the heck man??"
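Two things are worth separating in a test like the one above: the unit (ttcp reports kB/s, the circuit is sold in Mbit/s, so 107 kB/s is about 0.86 Mbit/s) and what the endpoint is. A router's built-in ttcp is sourced and sunk by the router's control-plane CPU rather than its forwarding path, so it measures the router, not the link; a host-to-host TCP stream is what iperf measures. The block below is an added example, not from the original post: a minimal ttcp-style sender/receiver in Python that runs the stream over loopback so it works offline, plus the unit conversion. Pointing the receiver at a host on the far side of the Direct Connect (the address and port are assumptions for the example) gives a host-based number to compare with the router's.

```python
"""ttcp-style TCP throughput probe and unit conversion (added example)."""
import socket
import threading
import time


def kilobytes_per_s_to_mbit_per_s(kbps: float) -> float:
    """ttcp prints kB/s; circuits are quoted in Mbit/s. 107 kB/s -> 0.856 Mbit/s."""
    return kbps * 1000 * 8 / 1e6


def _receiver(listener: socket.socket, counter: list) -> None:
    """Accept one connection and count bytes until the sender closes its side."""
    conn, _ = listener.accept()
    with conn:
        while True:
            chunk = conn.recv(256 * 1024)
            if not chunk:
                break
            counter[0] += len(chunk)


def measure_tcp_throughput(total_bytes: int, chunk_size: int = 64 * 1024,
                           host: str = "127.0.0.1") -> dict:
    """Push total_bytes over one TCP connection and report the achieved rate.
    With host=127.0.0.1 the receiver is started in-process (offline demo);
    the same sender loop works against a remote receiver on a real link."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))           # ephemeral port, like ttcp's default
    listener.listen(1)
    port = listener.getsockname()[1]
    received = [0]
    worker = threading.Thread(target=_receiver, args=(listener, received), daemon=True)
    worker.start()

    payload = b"\x00" * chunk_size
    start = time.perf_counter()
    with socket.create_connection((host, port)) as client:
        sent = 0
        while sent < total_bytes:
            n = min(chunk_size, total_bytes - sent)
            client.sendall(payload[:n])
            sent += n
        client.shutdown(socket.SHUT_WR)   # EOF tells the receiver the run is over
        worker.join()
    elapsed = time.perf_counter() - start
    listener.close()
    return {"bytes": received[0], "seconds": elapsed,
            "mbit_per_s": received[0] * 8 / elapsed / 1e6}


if __name__ == "__main__":
    result = measure_tcp_throughput(16 * 1024 * 1024)
    print(f"{result['bytes']} bytes in {result['seconds']:.3f}s "
          f"= {result['mbit_per_s']:.1f} Mbit/s")
```

A single TCP stream is also bounded by window size and round-trip time, so on a high-latency path run several streams in parallel (iperf's -P) before concluding the provider is short-changing you.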
UPS choice for networking gear? Posted: 26 Feb 2019 04:19 PM PST I'm looking for something specifically for C9300s and N7706s. We're planning a deployment and need UPS backups for the power. I'm thinking that N backup is sufficient, because this would only be used in case of an outage, and as long as the device remains online and forwarding traffic, that's all that we expect the UPS to do. However, the question remains about what type of UPS to use. (https://www.eetimes.com/document.asp?doc_id=1272971) There are a plethora of different designs, and generally speaking, lower interaction with the battery means reduced costs and higher response times in case of a failure, while higher interaction with the batteries means higher cost plus faster wear for the batteries, which also increases costs. A friend of mine that owns an IT shop buys exclusively online UPSes, because he's had issues with servers rebooting due to the short switchover time from line to battery power. But that's for HP servers, not networking equipment. I can find no guidance on Cisco's website about what they recommend, except for old equipment like 4500 and 6500 switches. For those of you that use UPS backups for your networking gear, what type and brand do you use, and what's your experience with it during power outages? Also, how much time do you normally budget for an outage before the UPS runs out of juice? I'm trying to avoid simply calling a UPS vendor, because I don't like asking vendors for advice. They often don't know basic questions, or they up-sell either to CYA or to boost commissions.
BGP attributes Posted: 26 Feb 2019 03:59 PM PST Aloha, what is the difference between a BGP community and a BGP peer group? They both group neighbor configuration into one group, according to my research. Looks like one is for routes and the other is for neighbors? However, can't you assign a community to a route-map and attach the route-map to a peer group? Just need a little clarification on this please.
LLDP (VLAN auto-assignment) for computers on Dell N Series switches? Posted: 26 Feb 2019 02:24 PM PST Right now we have all our computers, servers, printers, etc. all on one flat network, the default untagged VLAN. The only things we have on separate VLANs are the phones (VoIP) and wifi traffic. On our Dell N3048P switches, we have set up the voice VLAN to 50 and LLDP global commands: Each port is configured with: Our computers are connected to our phone sets, and those phone sets connect to the switches. Computers stay on the default VLAN and phones automatically get thrown onto the voice VLAN. Now, what I am trying to do is figure out the proper way to auto-configure computers to have them put on VLAN 10 in the same way phones are put on VLAN 50. Is this possible? I did call support and they told me there wasn't really a way to do this and suggested I just make a new VLAN and then assign this command to each port: But in doing that, ANYTHING that connects to these switches, such as a server or wifi AP (just for example), will get put on the computer VLAN. I am not really trusting the Dell support tech on this one, since he seemed dead to the world and very unhappy to help me. I told him to close the case and I would just figure out a solution. I've been combing through the manual but it's a little tough to wade through.
why put the web server behind the F5 LB - should I always? Posted: 26 Feb 2019 02:13 PM PST Hi, this is kind of a curiosity noob question. Do F5 LBs provide a layer of security? So let's say I see a stand-alone web server that can be accessed by the public behind an F5... this server has no monitoring or anything special at all. Not even gateway_icmp... which seems kind of useless by itself anyway. I was told by someone a long time ago that this provides security... I'm curious, how does it do that? The only difference is now the server can be accessed through a VIP... I don't get what the point of putting it behind the LB is if you don't put monitoring or SSL offloading or load-balancing to other servers... it's just a standalone server by itself. Is there anything other than security that it provides in this config?
Travel Router - Dual Band, portable? Posted: 26 Feb 2019 04:21 PM PST I'm currently looking for a travel router with the below features and I'm not sure if any actually exist on the market (which fit this criteria). I've been looking at the big name brands like TP-Link and GL.iNet, but I'm wondering if there are other strong competitors out there which provide the below. Regardless of the reasons for the below, here is the criteria.
The two best ones I can see are the TP-Link TL-WR902AC and the GL.iNet GL-AR750S Slate. The TP-Link router does not seem to support OpenWRT, but maybe there is some hack for this. There are probably other travel routers of some obscure brands out there that I've never heard of which may be far better than the more known brands, but I'm not even sure which ones they will be. Thought I would ask someone who does know about these things. Thanks
Firewalls in 3 tier architecture Posted: 26 Feb 2019 09:24 AM PST Where do firewalls traditionally sit in a 3 tier architecture?
(Another) VRRP question: How does the switch know where to forward the traffic to? Posted: 26 Feb 2019 07:08 AM PST Another VRRP question from me, I'm sorry. I'm really getting to know this topic at the moment and this subreddit has been a great help so far. Let's say you have two routers (A + B) that were assigned to a single VRRP group with ID 1. Thus, the virtual MAC address should be The routers are both connected to a single switch on the LAN. At the switch, you have a client PC which was correctly configured to use the virtual router addresses. Now, what exactly happens in case router A goes down? I understand from RFC 5798 how the election of the 2nd router to become the new master works, and thus that the traffic then goes over this device. But how does this work in detail? I understand that the client PC made an ARP resolution of the virtual gateway IP I suppose the switching table says something like:
Does the switch forward the traffic on both ports 2 + 3 all the time and then the backup router drops the traffic? Or is my assumption about the switching table wrong and something changes on the switch once the backup router gets elected master? Thanks in advance, once again!
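The mechanism the question is circling is the switch's MAC learning table, which is populated only from source addresses. RFC 5798 requires a router that transitions to Master to broadcast a gratuitous ARP carrying the virtual router MAC address, and that broadcast is what moves the virtual MAC from the old master's port to the new one. The simulation below is an added example (not from the original post, and not a VRRP implementation): a learning switch with the PC on port 1, router A on port 2 and router B on port 3, using 00:00:5e:00:01:01, which is the RFC 5798 IPv4 virtual MAC for VRID 1. The port numbers are taken from the post; the physical MACs are constructed.

```python
"""Learning-switch view of a VRRP failover (added example)."""

VRRP_VMAC = "00:00:5e:00:01:01"        # RFC 5798: 00-00-5E-00-01-{VRID}, VRID 1
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}                  # MAC -> port, learned from *source* MACs only

    def forward(self, in_port, src, dst):
        """Learn src on in_port, then return the list of egress ports for dst."""
        self.table[src] = in_port
        if dst != BROADCAST and dst in self.table:
            out = self.table[dst]
            return [] if out == in_port else [out]      # known unicast: one port only
        return [p for p in self.ports if p != in_port]   # unknown unicast/broadcast: flood


class VrrpRouter:
    def __init__(self, name, port, physical_mac, priority):
        self.name, self.port, self.mac, self.priority = name, port, physical_mac, priority
        self.master = False

    def become_master(self, switch):
        """RFC 5798 transition to Master: broadcast a gratuitous ARP for the
        virtual address, sourced from the virtual MAC. The switch learns the
        vMAC on this port as a side effect, which is the whole point."""
        self.master = True
        return switch.forward(self.port, VRRP_VMAC, BROADCAST)


def simulate():
    sw = LearningSwitch(ports=[1, 2, 3])
    a = VrrpRouter("A", port=2, physical_mac="02:00:00:00:00:0a", priority=110)
    b = VrrpRouter("B", port=3, physical_mac="02:00:00:00:00:0b", priority=100)
    pc_mac = "02:00:00:00:00:0c"        # constructed client MAC
    trace = {}

    a.become_master(sw)                  # A wins the election, announces the vMAC on port 2
    trace["before_failover"] = sw.forward(1, pc_mac, VRRP_VMAC)   # -> [2], B never sees it

    # A goes down. It sends nothing, so the switch still points the vMAC at port 2:
    # the PC's frames are delivered to a dead port until B's Master_Down timer fires.
    trace["during_outage"] = sw.forward(1, pc_mac, VRRP_VMAC)     # -> [2]

    b.become_master(sw)                  # B's gratuitous ARP rewrites vMAC -> port 3
    trace["after_failover"] = sw.forward(1, pc_mac, VRRP_VMAC)    # -> [3]
    return trace


if __name__ == "__main__":
    for step, ports in simulate().items():
        print(f"{step:16s} frame to vMAC leaves on port(s) {ports}")
```

So the switch never sends the PC's frames to both routers and the backup never has to drop anything: it simply is not in the path until its own gratuitous ARP puts it there. The window between A failing and B's announcement is lost traffic, which is why the advertisement interval and Master_Down timer matter.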
Using ACLs to deny local network access, but still allowing internet access? Posted: 26 Feb 2019 03:14 PM PST I've got ~15 VLANs with their L3 interfaces on my core switch stack. I'd like to prevent most of those VLANs from communicating with each other internally, but still allow them to get internet access via the switch's default route. Is my only option an ACL with a ton of deny rules and an express permit at the end? For every VLAN? For example: And apply said ACLs inbound to each L3 interface. I can see it working, it just seems . . . onerous. And explicit permits make me squicky. Is there a more elegant way of doing this?
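The onerous part of the scheme above is writing fifteen near-identical ACLs by hand, which is exactly the job the earlier "Python network automation" question is about. The following is an added example, not from either post, that generates the per-VLAN IOS ACLs from a VLAN-to-subnet table: shared services are permitted first, every other VLAN is denied (with adjacent subnets merged into one line), and the trailing permit matches only traffic sourced from the VLAN's own subnet, so a spoofed source hits the implicit deny rather than the permit. The VLAN table, the ACL names and the shared host are constructed for the example; the DHCP permit is there because a client's DISCOVER is sourced from 0.0.0.0 and would otherwise never match the final permit.

```python
"""Generate per-VLAN inter-VLAN isolation ACLs for Cisco IOS SVIs (added example)."""
import ipaddress


def wildcard(net: ipaddress.IPv4Network) -> str:
    """IOS ACLs use an inverse mask: 10.0.10.0/24 -> '10.0.10.0 0.0.0.255'."""
    return f"{net.network_address} {net.hostmask}"


def build_acl(name, own, others, shared_hosts=()):
    """ACL applied inbound on the SVI of `own`, i.e. to traffic that VLAN sends.
    Order matters: DHCP, then permits to shared services, then denies to every
    other VLAN, then a permit anchored to the VLAN's own source subnet."""
    lines = [f"ip access-list extended {name}",
             f" remark inter-VLAN isolation for {own}",
             " permit udp any eq bootpc any eq bootps"]   # DHCP client -> relay
    for host in shared_hosts:
        lines.append(f" permit ip {wildcard(own)} host {host}")
    # collapse_addresses merges only exactly adjacent blocks (/24 + /24 -> /23),
    # so the list gets shorter without ever denying a prefix outside the set.
    for dst in ipaddress.collapse_addresses(others):
        lines.append(f" deny   ip {wildcard(own)} {wildcard(dst)}")
    # Source-anchored permit: a host spoofing another VLAN's address falls
    # through to the implicit deny instead of being allowed out.
    lines.append(f" permit ip {wildcard(own)} any")
    return lines


def render(vlans: dict, shared_hosts=()) -> str:
    """vlans: {vlan_id: 'x.x.x.x/len'} -> complete IOS config text."""
    nets = {vid: ipaddress.ip_network(cidr) for vid, cidr in vlans.items()}
    out = []
    for vid, own in sorted(nets.items()):
        others = [n for v, n in nets.items() if v != vid]
        out += build_acl(f"VLAN{vid}-IN", own, others, shared_hosts)
        out += [f"interface Vlan{vid}", f" ip access-group VLAN{vid}-IN in", "!"]
    return "\n".join(out)


# Constructed sample: four VLANs, one shared DNS/DHCP server that all may reach.
SAMPLE_VLANS = {10: "10.0.10.0/24", 20: "10.0.20.0/24",
                21: "10.0.21.0/24", 30: "10.0.30.0/24"}
SHARED_HOSTS = ["10.0.30.53"]

if __name__ == "__main__":
    print(render(SAMPLE_VLANS, SHARED_HOSTS))
```

Review the output before pushing it: the deny to the shared host's own VLAN still appears after the host permit, which is correct, but any service you forget to list (NTP, logging, the SVI address itself for pings) will be cut off by the deny lines. If the VLANs sit in one summarisable block, a single deny to the aggregate replaces the per-VLAN denies, at the cost of also denying future VLANs in that block by default, which is usually what you want.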
Dell S5048F-ON Stacking Posted: 26 Feb 2019 09:05 AM PST I posted a few days ago about these switches being lumped on me, and having the joy to set them up. They have the following software version installed:
I have read plenty of configuration guides online but I cannot get these to stack. The commands do not seem to be valid. I've gone through this guide: There is not a comparable document for the 5048s. But I'm starting to think they support VLT only. Anyone able to assist?
Cisco Firepower Bug - DHCPRelay does not consume DHCP Offer packet with Unicast flag Posted: 26 Feb 2019 01:07 AM PST So... we've hit this bug, and hit it hard! https://quickview.cloudapps.cisco.com/quickview/bug/CSCvo12057 Has anyone else hit this, and if so, what was your fix/workaround other than /ragequit and smash the FTDs into pieces?
Cisco Optical Amplifier - EDFA-24 on NCS2002 Posted: 26 Feb 2019 04:20 AM PST Hi everyone! First time posting here. Do you know about the EDFA-24 amplifier card in a Cisco DWDM environment? I need to understand how it works, but online there aren't sources that explain how this should be configured. In one Cisco guide about it, I was reading the following:
Here is the pic of this tiny project: https://imgur.com/a/QvCnyov . As you can see, we have two sites. At the moment we need to build the site with the Cisco 3850. Each 3850 is interconnected to the NCS2002 via one DWDM SFP placed in the Cisco 3850. Then the NCS2002 should amplify the signal with the EDFA-24 card. My question is, how should I cable the fiber from the Cisco 3850 to the EDFA-24 (on which port, I mean: COM TX/RX or LINE TX/RX)? And how should I configure it in CTC? Thanks so much in advance! Framemurder
Anyone managing international IT teams Posted: 26 Feb 2019 01:16 AM PST Hi, I am wondering if anyone here is or was managing international/intercontinental IT teams? I am curious as to what the differences are between EMEA, APAC, and the USA. I guess that budgets in the USA and EMEA are similar, a bit lower in APAC depending on location, but the money is often spent differently based on prioritization. In Europe, IT tends to stick longer to traditional technology instead of giving the latest tech a chance, while in the USA most IT organizations are more willing to take a risk and learn from whatever the outcome is, SDx being an example. IT teams in APAC seem to be staffed higher compared to the other regions, and they seem to be well educated, but show the lowest acceptance of any "trial and error." Different laws and regulations for employee privacy could be another huge challenge. What are your experiences, if you don't mind sharing?
Spanning Tree Posted: 26 Feb 2019 12:33 PM PST I'm going to connect a Cisco switch (3560) to a non-Cisco switch. I only have access to the Cisco switch and it will only act as a hub. It won't have any VLANs etc. I don't want any loops or problems with spanning tree when connecting the Cisco switch to the non-Cisco switch. Is RootGuard or LoopGuard useful in this case?
What do you think of my design? Posted: 26 Feb 2019 12:23 PM PST Scenario: Guest network and production network are currently separate. I would like to converge. Separate firewall, separate core, separate access switches. My idea is to bring the APs to the production network's access switches, and VLAN them into the production network's core, basically eliminating the need to refresh the guest network access switches and the core. I want to keep the guest network firewall. My idea is to make the guest network firewall and the production firewall do the layer 3, and add security policies (they are both Palo Alto Networks firewalls, so the two firewalls would be connected via a separate virtual router). Does that seem sound? I feel like it's more secure and a better design than trying to create access lists off the production core and connecting the production core to the guest firewall. Or to move all of the policies from the guest firewall into the production firewall (my biggest concern here is capacity; I don't want to make my production firewall handle all of the inspection of the guest network. I have enough throughput on the production firewall to handle the additional bandwidth from the two firewalls doing the layer 3 between the two networks, but not enough threat protection bandwidth on the production firewall to handle the guest traffic). Any thoughts or suggestions are appreciated.
How many IPs do I allocate for svi/subinterfaces Posted: 26 Feb 2019 11:26 AM PST So I was allocated a subnet 172.20.220.70 /28 subnet. So I realize that I can have 14 hosts. I need to allocate 9 addresses to some field devices that are connected to a field switch. My first thought was that I should start at 172.20.220.71 - 79. But wouldn't I have to account for the SVI interface IP or subinterface of a router? How many would I have to account for?
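The quickest way to avoid off-by-one mistakes in a plan like this is to let the standard library work out the block boundaries: a /28 that contains 172.20.220.70 is 172.20.220.64/28, with hosts .65 to .78 and .79 as broadcast, and each gateway address (one SVI, or two physical routers plus a VRRP/HSRP virtual address) comes out of the same 14. The block below is an added example, not from the original post, using Python's ipaddress module; the reserved-address counts are illustrative.

```python
"""Subnet capacity planning with the ipaddress module (added example)."""
import ipaddress


def is_network_address(cidr: str) -> bool:
    """True only if the address part is the block's own network address.
    ip_network() is strict by default and rejects 172.20.220.70/28."""
    try:
        ipaddress.ip_network(cidr)
        return True
    except ValueError:
        return False


def plan_subnet(cidr: str, reserved: int = 1) -> dict:
    """Lay out a block given as any address inside it plus a prefix length.
    `reserved` is the number of gateway addresses taken off the top: 1 for a
    single SVI, 3 for two routers plus a VRRP/HSRP virtual address."""
    iface = ipaddress.ip_interface(cidr)     # tolerates a host address + prefix
    net = iface.network
    hosts = list(net.hosts())                # excludes network and broadcast
    if reserved > len(hosts):
        raise ValueError(f"{net} has only {len(hosts)} host addresses")
    return {
        "network": str(net),
        "broadcast": str(net.broadcast_address),
        "usable": len(hosts),
        "gateway_addresses": [str(h) for h in hosts[:reserved]],
        "assignable": [str(h) for h in hosts[reserved:]],
    }


def fits(cidr: str, devices: int, reserved: int = 1) -> bool:
    """Does the block hold `devices` hosts after reserving gateway addresses?"""
    return len(plan_subnet(cidr, reserved)["assignable"]) >= devices


if __name__ == "__main__":
    p = plan_subnet("172.20.220.70/28", reserved=1)
    print(p["network"], "broadcast", p["broadcast"], "usable", p["usable"])
    print("gateway:", p["gateway_addresses"], "first device:", p["assignable"][0])
    print("9 devices with a redundant gateway pair:", fits("172.20.220.70/28", 9, 3))
```

Nine devices fit comfortably either way (13 addresses left with one SVI, 11 with a redundant pair), but the numbering should start at .66, not .71, and .79 is not a host address at all.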
Weird Questions - Would putting a server in the same datacenter as another webserver provide sub millisecond latency between both devices? And is there a cheap method to determine physical data center location of a webserver? Posted: 26 Feb 2019 10:46 AM PST I'm designing a service that will require a low latency (sub-millisecond if possible) connection to a few different webservers. Very simple service; it will essentially be sending GET and POST requests at a low rate (<1Mbps) to the servers and analyzing their responses. The only critical aspect to the service is that latency between my server hosting the service and the webservers in question is as low as possible. Like, averaging under 1ms if possible. I know from an IP lookup that the sites in question have servers hosted by Cloudflare in Ashburn and San Jose. However, both of these areas are an absolute clusterfuck of data centers. Obviously just getting my server set up within a few miles would already be good. But I'd like to get my device physically in the same building. Is this possible to find out with any existing services? Would it actually provide me the latency I'm hoping for, or is this an impossible task to begin with? Thanks!
Help Needed for AP Mounting Brackets Posted: 26 Feb 2019 04:31 AM PST Hey everyone! I'm hoping someone can help me out here. We're currently deploying many 3700 series Cisco APs in a hospital environment, and we've come across a few tiles where our Cisco-supplied mounting brackets won't fit into place. I'm trying to figure out what type of brackets can be used to mount our APs up to these ceiling tiles; unfortunately, placing them within the ceiling tiles, or in another area, isn't possible, as we wouldn't have the required wireless coverage. Please let me know if you have any questions; below are images of the tiles. These images were the only ones our contracting team in the field could provide us. https://i.imgur.com/ZDe3XDU.jpg https://i.imgur.com/r4hacsO.jpg https://i.imgur.com/SktVZpE.jpg https://i.imgur.com/I8VFAtm.jpg Thank you! Edit: I appreciate the responses, you all have been a big help :-)
Juniper vSRX NAT between routing instances Posted: 26 Feb 2019 10:15 AM PST Is it possible on a vSRX to do the following with NAT: match destination 1.1.1.1/32 port 2222 from interface 1 in VRF A, DNAT action 2.2.2.2/32 port 22 to interface 2 in VRF B, without having a route in VRF A to 2.2.2.2/32 next-table VRF B and without having a route in VRF B to 0.0.0.0/0 next-table VRF A? The use case is I have a Juniper vSRX connected to an AWS public gateway. The vSRX has a management interface in VRF A and public and private interfaces in VRF B (management and public interface both have default routes to the AWS public gateway). I want to SSH to a host on the private subnet through the management interface by use of NAT.
What do you think about a portal of my core firewall published to internet? Posted: 26 Feb 2019 09:27 AM PST Hello Reddit, this is my first post. I have a headache: I have a provider that installed a Fortigate 100D on my network and they published it to the internet (it's accessible using the public IP and the default port 443). This provider maintains that they have a rule to block login for a minute if they detect an error on login after three attempts and that it's enough for the security of my company; they even say that they always do it with all their clients. I detected it yesterday and I'm not sure what road I should take; I'm thinking of firing this provider. What do you think, Reddit?
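A lockout after three failed logins slows a password-guessing attack down; it does nothing against an authentication bypass or a bug in the management interface itself, which is why the standard advice is to keep the admin GUI off untrusted interfaces and to restrict admin accounts to known source addresses. The fragment below is an added example of how that looks on FortiOS, not configuration taken from the poster's device or from the provider: the first stanza shows the exposed state, the second the hardened one. The interface name wan1, the admin user name admin, the trusted network 192.0.2.0/24 and the alternate port 8443 are assumptions for the example.

```fortios
config system interface
    edit "wan1"
        set allowaccess ping https
    next
end

config system interface
    edit "wan1"
        set allowaccess ping
    next
end
config system admin
    edit "admin"
        set trusthost1 192.0.2.0 255.255.255.0
    next
end
config system global
    set admin-sport 8443
    set admin-lockout-threshold 3
    set admin-lockout-duration 60
end
```

The first stanza is the "before" state and the rest replace it. Removing https from allowaccess on the WAN interface is the change that matters; trusthost makes the admin account unusable from any other source address even if a service is exposed by mistake, and the lockout settings the provider described remain as a second layer rather than the only one. If the provider needs remote management, an SSL VPN or a jump host on the trusted network is the usual answer.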