Blogpost Friday! Networking
- Blogpost Friday!
- VPN Apps (Palo Alto, Cisco, Pulse Secure and f5) - Session Cookie Vulnerability
- Looking for a configuration analysis/standardization tool
- Router-On-A-Stick, Loopbacks, and Management
- Actual advantages or disadvantages of enabling EEE / 802.3az?
- Patch Panels
- Cisco VXLAN EVPN & Microsoft 2016 DHCP RFC3527 issue
- Multicast-questions
- VRRP - virtual-ip-ping - Aruba/Procurve
- Any opinion on Catalyst 9200 vs 3650?
- CCDA training courses in the UK?
- Networking gear that supports automation
- What networking equipment or setup ?
- Question on fiber type and size
- Unmanaged switch not connecting to LAN
- Cisco IOS & Route Map Problem
- ACL VLAN question
- Minimum cable length for a 1u patch panel to an adjacent 48-port switch?
- Key features to achieve 2Gbit/s single communication stream with LACP
- Onboarding into Infiniband (needed)
- Google....Reddit...Cisco TAC progression
Blogpost Friday!
Posted: 11 Apr 2019 05:04 PM PDT
It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts. Feel free to submit your blog post, along with a nice description, to this thread.
VPN Apps (Palo Alto, Cisco, Pulse Secure and f5) - Session Cookie Vulnerability
Posted: 12 Apr 2019 11:25 AM PDT
Read this article earlier today. Out of the four vendors, only Palo Alto has issued a patch. Until the apps are patched, the best defense appears to be two-factor authentication.
Looking for a configuration analysis/standardization tool
Posted: 12 Apr 2019 07:42 AM PDT
I'm looking for a tool I can use that will compare a configuration file against a baseline set of rules to check that standards are being followed. The goal is to look for things like VLAN tags, VLAN names, SVI descriptions, etc. all being standard across a large set of devices. I've got to think that there's something out there in the software development world that could easily be adapted for looking at a text config file from a router or switch, but I haven't been able to find anything.
Edit: Thinking about how I asked my question, I know there are comparison tools that can take two files and do a diff on them. I'm looking for something where I can feed it a configuration file and it compares that file against a set of pre-defined rules that I configure.
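One way to build the rule-based checker the post asks for, as an added example (not a tool from the thread): a Python script that splits a Cisco-style running config into sections, then checks each VLAN tag against an allowed set, each VLAN name against an assumed ROLE-<tag> naming standard, and each SVI for a description. The sample config, the allowed VLAN set and the naming rule are all constructed for illustration.

```python
import re

# Constructed sample config (not from the post): vlan 20 and interface Vlan20 break the rules.
SAMPLE_CONFIG = """\
vlan 10
 name USERS-10
vlan 20
 name data
vlan 30
 name VOICE-30
!
interface Vlan10
 description USERS SVI
 ip address 10.0.10.1 255.255.255.0
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
"""

ALLOWED_VLANS = {10, 20, 30}                  # assumed site standard
VLAN_NAME_RE = re.compile(r"^[A-Z]+-(\d+)$")  # assumed naming standard: ROLE-<tag>


def parse_sections(text):
    """Split a Cisco-style config into (header, [child lines]) tuples.
    Unindented lines start a section; indented lines belong to the last one."""
    sections = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        elif not line.startswith(" "):
            sections.append((line.strip(), []))
    return sections


def check_config(text):
    """Return a list of rule violations, in config order."""
    findings = []
    for header, children in parse_sections(text):
        vlan = re.match(r"vlan (\d+)$", header)
        if vlan:
            tag = int(vlan.group(1))
            if tag not in ALLOWED_VLANS:
                findings.append(f"vlan {tag}: tag not in allowed set")
            names = [c.split(" ", 1)[1] for c in children if c.startswith("name ")]
            m = VLAN_NAME_RE.match(names[0]) if names else None
            if not names:
                findings.append(f"vlan {tag}: missing name")
            elif not m or int(m.group(1)) != tag:   # name must carry its own tag
                findings.append(f"vlan {tag}: name '{names[0]}' violates ROLE-<tag> standard")
            continue
        svi = re.match(r"interface Vlan(\d+)$", header)
        if svi and not any(c.startswith("description ") for c in children):
            findings.append(f"interface Vlan{svi.group(1)}: missing description")
    return findings
```

Running `check_config(SAMPLE_CONFIG)` yields one finding for the non-standard VLAN 20 name and one for the SVI without a description; feeding it each device's saved config in a loop gives the fleet-wide report the post describes.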
Router-On-A-Stick, Loopbacks, and Management
Posted: 12 Apr 2019 12:34 PM PDT
Quick question. I'm using router-on-a-stick to a switch (Router --> Switch --> Hosts), which has 3 VLANs for hosts, plus a management VLAN, making 4. I'm using g0/1.1, g0/1.2, g0/1.3 for hosts and g0/1.99 for the management VLAN, so the hosts below the router and connected to the switch will have a gateway to the management subnet. I also have a loopback address for management purposes (this is the address, for example, that I would SSH into). The rest of my network is also using loopbacks for management and I'm looking to keep things consistent. Addressing is as follows:
- G0/1.1: 172.16.0.1/24
- G0/1.2: 172.16.1.1/24
- G0/1.3: 172.16.2.1/24
- Lo0: 172.16.255.235/32
- Management subnet: 172.16.255.0/24
My issue is with adding an IP to G0/1.99. I already have the /32 loopback configured, so when I try to add 172.16.255.1/24 to G0/1.99, it tells me it overlaps with Lo0. If I understand correctly, this is because I'm adding the same subnet onto a router twice, so it denies the change. But I want the Lo0 interface to be in management, and the G0/1.99 to be the gateway for management, so both have to exist on the same router. How can I work around this?
Actual advantages or disadvantages of enabling EEE / 802.3az?
Posted: 12 Apr 2019 12:58 AM PDT
Hi, I've been reading up a bit on the advantages and disadvantages of Energy-Efficient Ethernet (EEE) / 802.3az. Most switches that support it seem not to enable it by default. I've enabled it for testing on one switch that mostly feeds Ubiquiti access points, to see what happens during idle times. From that small sample it looks like there is some reduction in total power usage during nights and school holidays, so I wouldn't be opposed to it if it doesn't come with issues like affecting stability. I've tried to find the disadvantages and / or issues enabling EEE might give us. So far the added latency is something that is definitely not wanted in low-latency networks such as audio (DANTE) or high-frequency trading. But that's not my use case. Other than that, I haven't found many disadvantages or reports where it would affect stability, or even cases where the connected device doesn't support 802.3az but the switch does. I've found a paper published through IEEE in 2013 that shows that the process of switching a port from LPI mode to operational mode causes some spikes that might "eat up" the power saving of LPI mode to a certain degree (Bolla, Bruschi, Lago: The Hidden Cost of Network Low Power Idle). Are there any other sources or experiences that you could share or point me at?
Patch Panels
Posted: 12 Apr 2019 04:59 AM PDT
We use Leviton 48-port patch panels. Simple question: how long can I reasonably expect one of these to last before it needs replacing? Is it just a matter of punching them down again every so often and they last forever? Should these have a regular replacement schedule?
Cisco VXLAN EVPN & Microsoft 2016 DHCP RFC3527 issue
Posted: 12 Apr 2019 12:54 PM PDT
Hey all, have any of you run into an issue when using a VXLAN EVPN network with option 82 on the DHCP server? We have this running live in our environment now. Clients are able to get addresses through option 82, but when a device goes to another site with a different subnet they are not getting new IP addresses, but rather sticking to the old address. The config has been verified with Cisco, and I am going to have to contact Microsoft on Monday. But in the meantime, have any of you experienced this, and what was your workaround?
Multicast-questions
Posted: 12 Apr 2019 02:27 AM PDT
EDIT: Problem was fixed and questions were answered :)
Hi guys, I am currently troubleshooting a strange problem which I can't really grasp right now. While troubleshooting, I've got some questions concerning multicast traffic and IGMP snooping on switches. For the sake of clarity, our internal network in this post is 172.16.0.0/16. This might be relevant later. Our Check Point firewall cluster spams our intranet with its multicast packets. IGMP snooping is active on the Cisco core switch where the firewalls are connected. In order to troubleshoot that issue, I've looked at the switch, and both firewall ports got recognized and grouped with a multicast address. Next, I've mirrored one of the interfaces and looked at the multicast traffic itself. After searching around on the internet and looking at mDNS broadcasts etc. with Wireshark, my understanding is that a 'proper' multicast packet looks like this (internal IP addresses and MACs are changed/randomized):
So for me the proper multicast packet has a normal source IP and MAC and a multicast destination IP and MAC. Now looking at the Check Point High Availability multicasts which are my problem, I see the following:
So for me the Check Point CPHA multicast looks strange, and the problem is, it gets forwarded across our whole campus. My next step would be to talk to our Check Point consultant and look into the 'weird' multicast packets sent by the Check Points. My question is:
Thank you guys in advance for any help, it is much appreciated.
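The "proper multicast packet" shape described in the post (unicast source MAC and IP, multicast destination IP, and a destination MAC derived from that group) can be checked mechanically on mirrored traffic. The following is an added example, not code from the thread: it maps an IPv4 group to its Ethernet address per RFC 1112 (01:00:5e plus the low 23 bits of the group) and flags frames whose destination MAC is not the mapped one. The frames are constructed inline for illustration; they are not captures from the post.

```python
import struct
import ipaddress


def ipv4_multicast_mac(group):
    """Map an IPv4 multicast group to its Ethernet address (RFC 1112):
    the fixed prefix 01:00:5e plus the low 23 bits of the group address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def _mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def inspect_frame(frame):
    """Parse an Ethernet II + IPv4 header and report whether the frame has the
    'proper' multicast shape: unicast source MAC, multicast destination IP, and a
    destination MAC equal to the mapped address of that group."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        return {"ipv4": False}
    src_ip = str(ipaddress.IPv4Address(frame[26:30]))   # IPv4 header starts at offset 14
    dst_ip = str(ipaddress.IPv4Address(frame[30:34]))
    r = {
        "ipv4": True,
        "src_mac": _mac_str(src_mac), "dst_mac": _mac_str(dst_mac),
        "src_ip": src_ip, "dst_ip": dst_ip,
        "src_mac_is_unicast": not (src_mac[0] & 1),      # I/G bit clear
        "dst_ip_is_multicast": ipaddress.IPv4Address(dst_ip).is_multicast,
    }
    r["dst_mac_matches_group"] = (
        r["dst_ip_is_multicast"] and r["dst_mac"] == ipv4_multicast_mac(dst_ip))
    r["proper_multicast"] = (
        r["src_mac_is_unicast"] and r["dst_ip_is_multicast"] and r["dst_mac_matches_group"])
    return r


def build_frame(dst_mac, src_mac, src_ip, dst_ip):
    """Build a minimal Ethernet II + IPv4 header (20 bytes, no payload) as test data."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ip_hdr


# Constructed samples (not captures from the post): an mDNS-style frame to 224.0.0.251
# with the matching mapped MAC, and a frame whose destination MAC is not derived
# from its multicast group.
MDNS_FRAME = build_frame("01:00:5e:00:00:fb", "52:54:00:12:34:56", "172.16.1.10", "224.0.0.251")
ODD_FRAME = build_frame("02:00:00:aa:bb:01", "52:54:00:12:34:57", "172.16.1.20", "239.1.2.3")
```

Because only 23 of the 28 group bits reach the MAC, 32 different groups share one Ethernet address, so a matching MAC is necessary but not sufficient to identify the group; the IP header is authoritative.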
VRRP - virtual-ip-ping - Aruba/Procurve
Posted: 12 Apr 2019 03:07 AM PDT
Hello Networkers, I am preparing to replace a core switch with ISC (2x 5406R v2). It will be a 1:1 exchange (to 2x 5406R v3). Existing firmware: 15.16.0005. New firmware: 16.08.0002. Unfortunately a VSF is not possible, because we still have to use v2 modules.... My question: under the old firmware my global VRRP config looked like this:
The command virtual-ip-ping does not exist anymore. Has this command become unnecessary because virtual-ip-ping is now default, or is there a new command?
Any opinion on Catalyst 9200 vs 3650?
Posted: 12 Apr 2019 02:13 PM PDT
We're looking at making a large purchase of new switches. Previously our standard was the 3650, but it looks like the 9200 (non-L) might be a bit cheaper. We'd be looking at 48-port PoE with the 4x10G uplink module, as well as non-PoE 48-porters without an uplink module to create a stack with. We're only going to be using these in Layer 2 mode, with all the VLANs on the distribution layer (Cat6.8K). Anyone have any thoughts on the 9200s, and whether they would purchase them in place of the 3650? We are not really looking at SDA right now and would just do a 3-year license that we'd likely never use. The 9300s are likely out of our budget.
CCDA training courses in the UK?
Posted: 12 Apr 2019 01:36 PM PDT
My company is offering to pay for a week-long course and I've an interest in going for CCDA (I already hold CCNP). Anyone heard of UK-based course providers apart from Firebrand?
Networking gear that supports automation
Posted: 12 Apr 2019 11:35 AM PDT
I'm building a lab in a box that has a switch, a couple of APs, and a router / firewall, along with a server, and the configs can be modified via a script. From the networking side of things, I need to be able to handle VLANs, static routes, RADIUS, 802.1X for the wireless, and be able to firewall off ports and VLANs from cross talking. I also want this to be fully managed without internet, but I could make internet access a requirement. Configuration of all this has to be scripted so someone with limited networking knowledge can do things like specify how many teams, usernames and passwords for the different RADIUS users, etc. This would drive the number of subnets / VLANs that get created, set up firewall rules, etc. Clients would join the wireless or wired networks on the switch. If internet access is a requirement, the WAN port would be connected to the local network onsite and everything would be NAT'ed. Not ideal in the real world of course, but nothing will be reaching into the lab from the WAN, only getting out as needed. Clients would not be allowed to get to the internet other than getting a font library or something. Today I do all this with Ubiquiti USG, Cloud Key, UniFi APs and switch; however, they have no officially supported APIs, and from what I've seen of the community SDKs and APIs, I'm not filled with warm fuzzies. While this fits the price point, I'm worried about being able to automate their gear. This solution works for the one lab I run, but if this is going to scale to multiple labs that are shipped around, I might need something else. This is for a non-profit and used mostly for high schools and colleges, so cheap is another requirement. This is not for production usage, so no HA requirements, and I don't need support other than firmware updates as needed. Don't need hardware support if the equipment is cheap enough.
I've mostly worked with Cisco Nexus and Palo Alto in my career and that level of gear is way over my budget for what I need. Are there any other brands or something open source that would work for this? Meraki might work, but they are expensive, and requiring internet to manage it is a bit of a detractor.
What networking equipment or setup?
Posted: 12 Apr 2019 10:00 AM PDT
I need some advice to upgrade my office network as we are expanding and moving to a new location. So I have three options: option 1, option 2, option 3 (Juniper). I shall reiterate my requirements: basically all I need is one router, two 52/48-port switches and a few wireless APs. Your recommendations would help a lot. Total office area is 3100 sq ft on one single floor. P.S. I don't want any soon-to-be-EOL equipment; the EX2200 is almost dead so not spending monies there, just found out. Edit: not US based, I'm in India.
Question on fiber type and size
Posted: 12 Apr 2019 09:10 AM PDT
Hello, I'm planning to buy these transceivers for distances of less than 15 feet. I do need the 10Gb capability as well. What is the correct size and type of fiber to buy for these?
Unmanaged switch not connecting to LAN
Posted: 12 Apr 2019 02:21 PM PDT
I am not too network savvy, so I'll try to be as clear as possible. Sorry if I get some of the jargon incorrect.
Update: I think another important piece of information is that I'm getting assigned 169.254.x.x IP addresses. Seems that might be relevant information?
I am tasked with setting up 36 laptops for classes throughout North America; sometimes the laptops come back to our office and I have to update the course content. As you can imagine it takes forever doing it manually with a couple of thumb drives when the overall content is about 120 GB. I try to automate as much as possible; we have Deep Freeze set up on all the computers, so the IP addresses are easily managed... Deep Freeze does a lot of other unrelated stuff for us. Anyway, we have 2 unmanaged network switches, one 16-port and one 24-port (they already had the 16-port switch, so I bought the 24-port to get enough connections). It worked great yesterday; I was able to move almost a terabyte of data overnight, and set up WOL, which will make things even easier. This morning they were all still connected, so I restarted the systems with WOL just to make sure, and all was still good. Then, about 4 hours ago, I noticed they were all disconnected. After some troubleshooting, I realized the new 24-port switch is the cause. This is what ipconfig /all is showing on the laptops connected to the switch: Here. The other switch is working fine, as I can connect to them just fine. Is there a way to reset the switch? I tried power cycling to no avail... It was my impression unmanaged switches don't assign IP addresses, so I wouldn't think this is an issue. I also tried changing some of the ports around, which did not help. Networking is hard.
Cisco IOS & Route Map Problem
Posted: 12 Apr 2019 07:37 AM PDT
Folks, I've been struggling with this for days, and I've completely changed topology multiple times, and this: https://imgur.com/a/OiLAfWA is what I've decided on. I will focus on the Cisco 891F in the top left of the diagram for now. It has an internet connection with a /30 and a /28 IP address assigned to VLAN1 (with the /28 as a secondary). It also has an "internal" interface of 172.31.255.1/30 assigned to Fa0. The Meraki MX84 is connected in routed mode with a real-world IP on port "Internet 1" (second usable /28 IP). It also has another interface directly connected to the Cisco with an IP address of 172.31.255.2/30. I have the below configuration on the Cisco side:
!
interface Loopback0
 ip address 10.30.10.1 255.255.255.0
 ip policy route-map ROUTEMAP
!
interface FastEthernet0
 ip address 172.31.255.1 255.255.255.252
 duplex auto
 speed auto
!
route-map ROUTEMAP permit 10
 match ip address 10
 set ip next-hop 172.31.255.2
!
access-list 10 permit 10.30.10.0 0.0.0.255
access-list 10 permit 10.40.10.0 0.0.0.255
!
I can ping 172.31.255.2 from the Cisco, but I cannot do a "ping 8.8.8.8 source lo0" -- this fails. A packet capture on the Meraki shows nothing, so I know it's a Cisco issue... but not sure where to go from here. I mean... this should be very basic... Thank-you!
ACL VLAN question
Posted: 12 Apr 2019 06:32 AM PDT
Sorry if this is the wrong place to post this. I have a layer 3 switch with 2 VLANs (VLAN 10 and VLAN 20). I want to only allow PC1 (VLAN 10) to connect to PC2 (VLAN 20) on port 8000. This is the only communication I want between VLAN 10 and VLAN 20. So I plan to apply an ACL on VLAN 10 to permit this. My question is, if I apply another ACL on VLAN 20 to block all traffic into VLAN 10, will PC1 still be able to connect to PC2 on port 8000? Thanks
Minimum cable length for a 1u patch panel to an adjacent 48-port switch?
Posted: 12 Apr 2019 09:31 AM PDT
I would like to have the cleanest and shortest patch cables between a patch panel and an adjacent 48-port switch. Each port is just connecting to the port in the row closest to it in the patch panel, straight up-and-down. The equipment is behind a glass-door rack and I would like it to be as clean as possible. Thank you.
Key features to achieve 2Gbit/s single communication stream with LACP
Posted: 12 Apr 2019 04:50 AM PDT
Hey there, I have here a rumor (it has already been proved working) that it is possible to achieve a higher throughput for a single data stream just with LACP configuration. For example, with 2x 1 Gbit/s ports, transfer one file at more than 120 MB/s. There were 3 admins who proved to me it is working, but failed to get it working on my setup. The main problem is, they can not tell me where I have to look. I have dug into this topic for years now, and now I am trying to get some help here. So far some basics that might cover my issue:
So far I wasn't able to achieve 2 Gbit/s with a single stream in my setup / network / lab.
More Details
Windows config
Switch Config
ESXi config
NAS config
My goal is to achieve more throughput for backups between multiple ESXi hosts and our backup server, and to increase bandwidth between multiple hosts. I have a second project running with InfiniBand, but that's not functional for now :-/. And I really want to know why they can do what I can not.
Onboarding into Infiniband (needed)
Posted: 12 Apr 2019 04:06 AM PDT
Hey, I'm digging into InfiniBand 10/20 and 40 Gbit/s, or SDR/DDR and QDR. Currently I have two problems to solve to get everything working.
Problem 1: Speed negotiation issues with Windows
Details:
Problem 2: Connect IB switch with GbE switch
Details:
Additional Details
Any ideas or advice?
Google....Reddit...Cisco TAC progression
Posted: 11 Apr 2019 04:58 PM PDT
Working through a problem (self-induced) where, while the solution is normally pretty straightforward (Google answer), it involves a VSS config. Specifically, a pair of Cisco 6816X-LE's running IOS 15.5.1. Login works to Router>. When I attempt to elevate to Enable, I get the error "% Error in Authentication". The procedure is clear: restart to ROMMON, confreg 0x2142, fix the AAA local config that I fouled up, config-register 0x2102, reboot, ta-da. Doesn't seem to work with the VSS, as the reset button (to initiate ROMMON) only seems to restart one of the two switches. The other one takes over as primary. Before I head off to open a TAC case, is there a solution here in the sub? Thanks -