Blogpost Friday! Networking |
- Blogpost Friday!
- What is your networking horror story?
- Confusion about tagged and untagged VLANs
- 802.1X Fail Open
- Datacenter edge router redundancy
- Software to practice non-Cisco CLI?
- DCI Options Today
- Traffic Management for PLCs
- Router for site to site VPN?
- Configure vendor specific LLDP on Cisco
- TCP Re-transmissions and Stalled File Downloads
- Cisco 5520 WLC - Management interface and imm/CIMC
- Network design suggestions
- ZTP and initial setup dialog
- RSPAN over VPN
- Confused about Mellanox switch?
- Good set of Networking tools?
- SNMP OID for the RAM usage and total of Stormshield SN3000
- Monitoring cascade ports on an Avaya switch
- How Many Network Operations Engineers Run Your Network
- Site to Site VPN/ASA issue
- Looking for advice for running a gaming event
- Need help tracking a cryptominer on my network....
- Conntrack timeout explanation
- Firepower /w ASA Failover issue
Blogpost Friday! Posted: 30 May 2019 05:04 PM PDT It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts. Feel free to submit your blog post, along with a nice description, to this thread. [link] [comments] |
What is your networking horror story? Posted: 31 May 2019 12:29 PM PDT I've recently read about the 'spanning-tree hospital' occurrence, where I believe the spanning-tree white papers stemmed from, and even though it made the hairs on my neck stand up, I found it interesting. So, I thought I'd check in with my networking buddies to see if there are any horror stories you would like to share. Were you being careless, was it a lack of understanding, or perhaps you were new to your job? [link] [comments] |
Confusion about tagged and untagged VLANs Posted: 31 May 2019 10:51 AM PDT Hi everyone, please, I need the simplest explanation of tagged and untagged packets. Are all access ports untagged? And all trunk ports tagged? I am so confused about this. [link] [comments] |
802.1X Fail Open Posted: 31 May 2019 09:21 AM PDT I'm working through an 802.1X PoC and so far everything looks good, with the exception of one thing I'm stuck on. In the event the RADIUS server goes down, I would like the switch to fail open. The commands I found for my Cisco switch look something like this:
However, my voice VLAN is 200 and I'm not sure how I would configure the switch port to ensure my voice and data devices fall into the appropriate VLANs. VLAN 100 is my data VLAN, and with the above config it would seem that my phone would be put in that VLAN as well. Am I missing something? [link] [comments] |
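As an added illustration (not the poster's configuration, which is not shown in the post), this is what a fail-open access port with separate data and voice VLANs looks like using the classic Catalyst IOS "inaccessible authentication bypass" (critical authentication) commands. The VLAN numbers come from the post; the interface name, dead-criteria timers and the assumption that the platform runs an IOS release with the `authorize voice` option are mine, so check them against the release notes for the switch in question.

```cisco
! Global: decide when the RADIUS server counts as dead (timer values are assumptions)
radius-server dead-criteria time 30 tries 3
radius-server deadtime 10
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 200
 ! one data host plus one phone per port
 authentication host-mode multi-domain
 authentication port-control auto
 ! server dead: the data device is authorized into the data VLAN only...
 authentication event server dead action authorize vlan 100
 ! ...and the phone is authorized into the configured voice VLAN (200), not VLAN 100
 authentication event server dead action authorize voice
 ! when the server returns, re-run authentication for critically-authorized hosts
 authentication event server alive action reinitialize
 dot1x pae authenticator
```

The two `server dead` lines are what keep the phone and the data device apart: the `vlan 100` action applies to the data domain, while the `voice` action places the phone in whatever `switchport voice vlan` is set to. Without the second line the port authorizes only the data domain while RADIUS is unreachable.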
Datacenter edge router redundancy Posted: 31 May 2019 05:22 AM PDT For a customer I need to extend the current single edge-router setup to a redundant one. The router used is and will be a Cisco ASR 1001-X with 16GB memory. The customer does eBGP for transit and iBGP for DMVPN, running on the same router. VRFs and NAT are used as well. The picture below represents the current setup (left) and the planned setup (right). https://i.imgur.com/GptS6Ek.png IMO I have 3 options: 1) Run iBGP (AS12) between the ASRs, and both ASRs open an eBGP session to AS10 and AS11. This is probably the most robust/vendor-neutral setup. 2) Run iBGP (AS12) between the ASRs, while each router only holds one eBGP session to one transit AS; therefore the left ASR may open an eBGP session to AS10, while the right one opens an eBGP session to AS11. (I don't see any real benefit in this setup currently; listing it just for the sake of completeness.) 3) Use Cisco stateful switchover (SSO) [1] on both ASRs. Configure only one to be 'active' while the other router stays in hot-standby mode. TBH I don't have any experience with Cisco SSO yet. However, I expect this setup to be more robust to human failures (changing configuration on only one router) since the configuration should be synchronized by Cisco and the routers are configurable (more or less) as 'one' device. Currently I'm testing option 3 in a lab environment. If the config of the router were simpler I'd probably opt for option 1; however, with a bunch of different VRFs, DMVPN and NAT rules, human failure may be a larger threat than a proprietary HA protocol (option 3). My question is: am I missing something? Should Cisco SSO be used for such a scenario? [link] [comments] |
Software to practice non-Cisco CLI? Posted: 31 May 2019 07:53 PM PDT First post here, I am currently pursuing a career in network administration. Right now I am hoping to get my CCENT Routing and Switching certification soon, when my voucher comes in. Anyway, I've become very familiar with Cisco and its CLI through the use of Packet Tracer and real equipment. Is there any other free software like Packet Tracer to practice/learn the CLI of any other network equipment vendor? Anything helps. [link] [comments] |
DCI Options Today Posted: 31 May 2019 12:14 PM PDT Hello folks, We are embarking on a DR solution and wanted to check in with the community on what DCI options are "in". I have been doing some research and the technologies that usually come up are OTV and VXLAN. Researching the topic, though, OTV has very few articles and posts. Is OTV on the way out? I should mention that I have been looking at Cisco Live online videos and presentations, and there is nothing new about OTV. We are primarily Nexus 9K-based DCs with ASR 1001-Xs. Is OTV still an option worth looking at? Are there other, better options? Since we are a VMware shop, we want to be able to vMotion or replicate the VMs and bring them up at Site #2 when disaster hits. VMware has their own solutions to this, but I wanted something from the network side. Thanks [link] [comments] |
Traffic Management for PLCs Posted: 31 May 2019 10:14 AM PDT The manufacturer I work for is on a path of connecting its production equipment/industrial controls to the network to start collecting data. Today, we have a VLAN dedicated to industrial controls and a variety of different PLCs and automation devices plug into it. Some of these devices plug right into our Cisco 3850 IDF and others are connected through Allen-Bradley lightly managed switches that then hit the 3850. Many of these devices are older and can be sensitive to excess network broadcast traffic, which can cause delays in the transmission or response, or in some cases crash the equipment. I am looking for ways to try to further shield these devices from the general network chatter. Would Storm Control be a viable option with a level of 1% of traffic? I would like to be able to add additional VLANs to further segment the network/broadcast domain, but our manufacturing equipment can get moved around the production floor to different lines, so there isn't an easy way to create more networks without the burden of needing to change IPs on the control equipment as it shifts lines. [link] [comments] |
Router for site to site VPN? Posted: 31 May 2019 10:16 AM PDT I am not sure if this is the place to ask or not, but I'll give it a shot. I am tasked with setting up a site to site VPN for a medium-sized business: ~30 users over 4 sites. The internet speed they have is 50 up, 50 down per site. I have not set up something like this before, so I am looking for some guidance on what router(s) I should use. I am thinking a Cisco RV325 or Linksys LRT224 for each site. I want SMB share traffic to be sent over the VPN and regular internet traffic to be routed as normal. [link] [comments] |
Configure vendor specific LLDP on Cisco Posted: 31 May 2019 01:25 AM PDT I'm trying to configure a Cisco c3560 to send specific config to Avaya IPT phones. I have found some information for Extreme Networks, but I think the Cisco does not support vendor specifics. [link] [comments] |
TCP Re-transmissions and Stalled File Downloads Posted: 31 May 2019 06:25 AM PDT Howdy, For some reason, file downloads stop and don't complete when I go to a particular HTTP website and I'm trying to figure out why. My Palo Alto firewall is allowing the traffic (although the web application shows 'incomplete'). It only seems to happen when users are on VPN and not at all internally. I'm not a captures expert, but I'm seeing a lot of re-transmissions from server to client. Any suggestions on what I should be looking at in them to figure this out? Thanks [link] [comments] |
Cisco 5520 WLC - Management interface and imm/CIMC Posted: 31 May 2019 12:35 PM PDT Hi, I'm somewhat new to wireless controllers so maybe I'm just being an idiot. Please see diagram above. We haven't yet connected the fiber but we're trying to do some pre-config and so far I've only been able to access the controller via the console port directly, and now I've set up CIMC to allow a "Serial over LAN" function which allows me to SSH -> Serial console, and access the CLI that way. Of course what we really want is just the regular web GUI. Perhaps we could read it out-of-band using the service port but how can it be configured remotely via http/https? Hoping any WLC gurus can help me. Been wrestling with this for a couple days and found precious little useful documentation. Thanks! [link] [comments] |
Network design suggestions Posted: 31 May 2019 12:27 PM PDT Hi All, We have a customer that is looking to have all of their server infrastructure hosted in our datacentre (which is the easy bit); however, I am just a little unsure what the best way is to terminate the connection from their site to our datacenter. At the moment we are undecided if we are going to use a layer 2 connection or a layer 3 connection. The bit that is maybe adding complexity to this is we need to provide 2 connections, 1 primary connection and 1 backup connection. Initially, we were thinking of just providing a layer 2 point to point connection to the datacenter and then having a layer 3 FTTC as a backup line, but then I cannot think of a way to manage the failover properly. If we were to look at 2 x layer 2 point to point links, I understand we COULD put these into an LACP trunk; however, they would need to terminate into just 1 of the core switches at the datacenter side as they are presented as 2 logical switches and not a stack as such. The other issue with this is both links need to be the same speed to be part of an LACP trunk, and it is unlikely the customer will pay for 2 x 1Gbps connections. Another option would be to go with 1 x 1Gbps connection and 1 x 100Mbps connection and control the flow of traffic using STP; the issue I have with this is I see some people saying some ISPs will not allow BPDUs, and I'm not sure this is a viable way of controlling the "failover" as such? Which then means we are onto looking at layer 3 connections, and having the ISP manage the failover using HSRP, and we would create some sort of IPsec VPN between the customer site and our datacenter - which, thinking about it, seems the easiest solution; however, we will need to factor in new firewall(s) for the customer site that will provide adequate VPN throughput. Just to give you a bit of background on the customer site, they currently have 1 x HPE Aruba 5406 core switch which is their layer 3 switch and has a number of SVIs on here.
They have maybe 10 edge cabinets each with a stack of HPE Aruba 2930F switches which connect back to the core over OM4 fiber. The core switch currently has a default route pointing to their firewall, which of course then routes out to the internet. I'm at a bit of a loss with this and a little unsure what is the best solution here, any advice or guidance would be greatly appreciated. Thank you in advance. [link] [comments] |
ZTP and initial setup dialog Posted: 31 May 2019 05:15 PM PDT Hey, I'm playing around with ZTP on the CSR 1000v and it seems to only run when the initial setup dialog pops up. The issue is I can't get the initial setup dialog to consistently pop up. It seems it only pops up the first time the router boots, even with no startup configuration. Any tips on how to factory reset? Is there more to it than just write erase? Thanks :) [link] [comments] |
RSPAN over VPN Posted: 31 May 2019 10:54 AM PDT I have two sites, and I want to be able to send my voice data from my second site back to a recording server at the main site. This requires spanning at the main site, but I'm not sure how/if it is possible to do remotely. I've two Dell 6248 switches (older, I know) connected by a site to site VPN through two SonicWalls. From Dell's docs I'm supposed to create a new RSPAN VLAN and send all traffic through that. Does anyone have any experience setting up RSPAN on Dell switches? I have a question in particular about the reflector port: can it be the same as the egress port? Can you send RSPAN traffic over a VPN? I read some esoteric Cisco blog where they set up an L2TP tunnel to make it work. Any input would help. [link] [comments] |
Confused about Mellanox switch? Posted: 31 May 2019 04:47 PM PDT I'm a bit confused about Mellanox's line of switches when it comes to Ethernet interoperability. The Mellanox SX6036 switch is listed as an "InfiniBand/VPI Switch System". Since VPI = Virtual Port Interconnect and, in regard to NICs, means it supports both InfiniBand and Ethernet, does that mean the Mellanox SX6036 switch can also be used to switch regular Ethernet traffic? Or does it only switch Ethernet traffic if you buy some unaffordable license for the switch? If it matters, there's also a Mellanox SX6036G variant which is an 'InfiniBand to Ethernet gateway'. Links to product info: [link] [comments] |
Good set of Networking tools? Posted: 31 May 2019 09:25 AM PDT Hey guys, I'm looking for a good set of general crimper/punchdown/tester/etc. stuff to replace my crappy Chinese stuff. I was thinking about getting one of Greenlee's kits but wanted to see if you guys had any recommendations first. [link] [comments] |
SNMP OID for the RAM usage and total of Stormshield SN3000 Posted: 31 May 2019 05:20 AM PDT Hi everyone, I'm currently making some scripts to monitor both my firewalls with Nagios, but I can't find the right OID for RAM usage and total. Do you have any link or OID? Thank you in advance, best regards, ssoflashy [link] [comments] |
Monitoring cascade ports on an Avaya switch Posted: 31 May 2019 10:41 AM PDT Been trying to check the operational status of the cascade ports of an Avaya switch (Avaya 3549GTS-PWR+ using firmware 5.3.0.8), but even though I've been executing the SNMPWalk command on it, I cannot find such ports (50 and 51). It is a cascaded switch (one master and five slaves) with a little over 290 ports (each has 48 ports, 1 to 49). Only the master has an IP configured and we are able to monitor all but those two ports (50 and 51) in each switch. Unsure if there's a web interface where we could configure an alert to be generated if one of those, or both, ports goes down. Has anyone ever tried to monitor such a thing? Here's the link to the picture of the ports: IMGUR - Ports 50 and 51 [link] [comments] |
How Many Network Operations Engineers Run Your Network Posted: 31 May 2019 02:18 PM PDT Out of professional curiosity, I'm looking for a really rough measure of efficiency. So, how many network operations engineers do you have supporting how many devices? Yeah, I get that it's more complicated than that, no two environments are the same, yada, yada. [link] [comments] |
Site to Site VPN/ASA issue Posted: 31 May 2019 01:41 PM PDT I have a strange issue that I cannot seem to figure out. At work, we are deploying a site to site VPN with a Cisco ASA 5508 and a stack of two Cisco 9300s. Our point to point fiber circuit is not ready yet, so we need to use the existing connection. Before I connect the ASA to the demarc I can ping from the switch to the ASA without an issue. When connected, the ASA builds the tunnel just fine. The ASA can ping anything at the main site, but pings between the switch and ASA fail about half of the time, making the connection unusable. We are just passing one subnet over the tunnel, and it does not appear anywhere else in our network. The firewall can still reach everything just fine, both on the internet and at the main site, but anything on the switch cannot. I will be back on site tomorrow to work on it further, as it is not a downtime-tolerant site through the week. I was wondering if somebody had any suggestions? I have tried different ports and cables. I'm not seeing any issues with the config, and NAT appears to be working as intended. Thanks in advance! [link] [comments] |
Looking for advice for running a gaming event Posted: 31 May 2019 01:17 PM PDT I work for a city and we are trying to host a gaming event at our sportsplex in the roller rink. The rink is fitted to host trade shows, so power and audio won't be a problem. We have a 300mbps business internet connection from WoW but can upgrade to 600 or 1gig if need be for the time of the event. We're looking to sell no more than 100 seats but don't expect that many for the first event. It will be BYOC. I've run gaming tournaments before but have never had to worry about the network. I'm looking for some resources or advice on what I need to look for while setting up a network to host 100 people max for gaming. We have some network switches lying around the building for a total of about 50ish ports. Our building has one modem and router outside of the rink we will be using to host the tournament. Would I just be running an ethernet line from the modem and splitting the switches up in the arena to connect the computers? The head IT guy in the city hasn't been much help for us, but he did say he can come in to make sure the firewall and such is set up for security when we bring some PCs in to test everything once we get it set up. If there is a better subreddit for me to look for some information or any websites where I can get some more help, any advice or links would be appreciated. We're hoping to get this rolling within a couple of months and are looking to host a gaming event at least once a month. We'll be doing Overwatch, Rocket League, Apex Legends, and Hearthstone to start. Thanks for any and all help. [link] [comments] |
Need help tracking a cryptominer on my network.... Posted: 31 May 2019 01:16 PM PDT Ok, so we use OpenDNS for web filtering and at one point this client had some cryptominers that got on the network. Honestly, nothing that malicious - they were literally just mining cryptocurrency. We have identified as many devices as possible, but I am still seeing queries going to nanopool.org (OpenDNS is blocking them). A LOT less, so I think it is only 1-2 devices left. OpenDNS will not show me the destination IP address, just the "destination" domain name... We have a SonicWall NSA 2650 for a firewall. I have tried thousands of packet capture masks and still can't find the remaining devices. I know the devices have static IPs assigned because the OpenDNS virtual appliance is not receiving the queries, and it is showing as coming from our firewall public IP. Initially I was able to search the ports that NanoPool lists on their website, but nothing is coming back any more. OpenDNS will not show me the internal IP it is using, meaning it is forwarding from one of our AD DNS servers and straight to the internet, I think. Any ideas on how I can find these compromised devices? I think the problem I have is I have no clue what port they are connecting on, nor what IP they are truly connecting to. OpenDNS just does not make that available, and my packet captures have not turned up any matches yet.. [link] [comments] |
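When the resolver in front of OpenDNS is an internal AD DNS server, the internal source address is only visible in that server's own query log, not upstream. The script below is an added example (not from the post or from OpenDNS/SonicWall) of the search a defender runs over such a log: it parses query lines, suffix-matches the query name against the pool domain the post names, and ranks internal clients by how often they asked for it. The log lines are constructed for the example and use a made-up generic "client=... query=..." layout; a real Windows DNS debug or analytical log has a different field layout and needs its own regex.

```python
import re
from collections import defaultdict

# Constructed sample of internal DNS query log lines (not real data; the
# field layout is an assumption for this example, not a vendor log format).
SAMPLE_LOG = """\
2019-05-31 13:05:01 client=10.10.5.23 query=eu1.nanopool.org. type=A
2019-05-31 13:05:02 client=10.10.5.23 query=xmr-eu1.nanopool.org. type=A
2019-05-31 13:05:09 client=10.10.7.140 query=www.example.com. type=A
2019-05-31 13:06:30 client=10.10.9.8 query=NANOPOOL.ORG type=A
2019-05-31 13:07:11 client=10.10.5.23 query=eu1.nanopool.org. type=AAAA
2019-05-31 13:08:45 client=10.10.7.140 query=updates.example.com. type=A
not a log line at all
"""

# Domain(s) the upstream filter reported as blocked; suffix-matched so that
# any pool sub-domain counts but look-alikes such as evilnanopool.org do not.
POOL_DOMAINS = ("nanopool.org",)

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client=(?P<client>\d{1,3}(?:\.\d{1,3}){3}) "
    r"query=(?P<qname>\S+) type=(?P<qtype>\S+)$"
)


def normalize(name):
    """Lower-case a query name and drop the trailing root dot."""
    return name.lower().rstrip(".")


def matches_pool(qname, pool_domains=POOL_DOMAINS):
    """True if qname is a pool domain or a sub-domain of one."""
    q = normalize(qname)
    return any(q == d or q.endswith("." + d) for d in pool_domains)


def parse_line(line):
    """Return the fields of one log line, or None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_pool_clients(log_text, pool_domains=POOL_DOMAINS):
    """Map each internal client that queried a pool domain to {qname: count}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not matches_pool(rec["qname"], pool_domains):
            continue
        hits[rec["client"]][normalize(rec["qname"])] += 1
    return {ip: dict(names) for ip, names in hits.items()}


def ranked_clients(log_text, pool_domains=POOL_DOMAINS):
    """Client IPs ordered by number of pool-domain queries, busiest first."""
    hits = find_pool_clients(log_text, pool_domains)
    return sorted(hits, key=lambda ip: -sum(hits[ip].values()))


if __name__ == "__main__":
    hits = find_pool_clients(SAMPLE_LOG)
    for ip in ranked_clients(SAMPLE_LOG):
        print(ip, hits[ip])
```

Run against the AD servers' query logs, the ranked list is the set of hosts to pull from the network; the query count per host also tells the 1-2 remaining devices apart from a host that resolved the name once by accident.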
Conntrack timeout explanation Posted: 30 May 2019 11:22 PM PDT Background: I have a DNAT rule configured on a firewall which works fine until the source is turned off overnight, and then the next morning the traffic does not seem to be matching the rule. Running tcpdump shows packets with an [S] flag, but these are not forwarded on as they should be, until the firewall is restarted. I have had the vendor looking into the issue, and they have come back to me saying that the conntrack timeout only being 3 hours is the cause of the issue. They have increased this timeout and are assuring me that this is the fix - this is not a fix in my eyes. Question: Am I right in thinking that even when the timeout of that connection is reached, it should simply create a new connection when receiving traffic again? To my knowledge, increasing the timeout is putting a band-aid on the real issue. [link] [comments] |
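To make the expected semantics concrete, here is a toy model of a connection-tracking table, added as an example and not taken from the post or from any vendor's implementation. It assumes the usual rules: a SYN with no existing entry creates a NEW entry and is the moment the DNAT rule is consulted, every later matching packet refreshes the idle timer, and an entry whose timer has run out is dropped before lookup. The 3-hour timeout is the one quoted in the post; the addresses, ports and DNAT rule are made up; the Linux default for established TCP flows (nf_conntrack_tcp_timeout_established, 432000 s) is included for comparison. The model is strict, i.e. it does not pick up a flow mid-stream the way Linux can with nf_conntrack_tcp_loose.

```python
from dataclasses import dataclass

# Idle timeout the vendor quoted in the post (3 hours), in seconds.
VENDOR_TIMEOUT = 3 * 3600
# Linux netfilter default for an established TCP flow (5 days), for comparison.
LINUX_ESTABLISHED_TIMEOUT = 432000


@dataclass
class Entry:
    state: str        # "NEW" or "ESTABLISHED"
    last_seen: float  # time of the last packet that matched this entry
    dnat_to: str      # translated destination, fixed when the entry is created


class ConntrackTable:
    """Toy stateful-NAT table (simplified; not any vendor's implementation)."""

    def __init__(self, timeout, dnat_rule):
        self.timeout = timeout
        self.dnat_rule = dnat_rule  # {original_dst: translated_dst}
        self.table = {}
        self.events = []

    def _expire(self, now):
        """Garbage-collect entries idle for longer than the timeout."""
        for key, e in list(self.table.items()):
            if now - e.last_seen > self.timeout:
                del self.table[key]
                self.events.append(("EXPIRED", key))

    def handle(self, now, src, dst, syn=False):
        """Process one packet (src/dst are 'ip:port') and return the action taken."""
        self._expire(now)
        key = (src, dst)
        entry = self.table.get(key)
        if entry is None:
            if not syn:
                # Mid-stream packet with no state: nothing to translate against.
                self.events.append(("INVALID", key))
                return "INVALID"
            if dst not in self.dnat_rule:
                self.events.append(("NO_RULE", key))
                return "NO_RULE"
            # A fresh SYN always consults the DNAT rule and creates a new entry,
            # regardless of whether an earlier entry for this client expired.
            self.table[key] = Entry("NEW", now, self.dnat_rule[dst])
            self.events.append(("NEW", key))
            return "NEW"
        entry.last_seen = now
        entry.state = "ESTABLISHED"
        return "ESTABLISHED"


def replay_overnight(timeout):
    """Replay the scenario from the post; return (actions, table events)."""
    ct = ConntrackTable(timeout, {"203.0.113.10:443": "10.0.0.5:443"})
    client_a, client_b, server = "198.51.100.7:40000", "198.51.100.7:40001", "203.0.113.10:443"
    actions = [
        ct.handle(0, client_a, server, syn=True),        # morning 1: new flow
        ct.handle(60, client_a, server),                  # traffic on it
        # source powered off overnight: ~10 hours of silence
        ct.handle(10 * 3600, client_b, server, syn=True),  # morning 2: fresh SYN
        ct.handle(10 * 3600 + 1, client_a, server),       # stray packet of old flow
    ]
    return actions, ct.events


if __name__ == "__main__":
    for name, t in (("vendor 3h", VENDOR_TIMEOUT), ("linux default", LINUX_ESTABLISHED_TIMEOUT)):
        print(name, replay_overnight(t))
```

With the 3-hour timeout the overnight-idle entry is expired, yet the next morning's SYN still comes back as NEW and is translated; the only packet left unmatched is one that continues the old flow without a SYN. A longer idle timeout merely postpones the expiry and keeps stale state around, it does not change what a fresh SYN should do afterwards.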
Firepower /w ASA Failover issue Posted: 31 May 2019 07:08 AM PDT Hello, For two days now our failover LAN interface has gone down/down. I fixed it yesterday by changing the interface from e1/12 to e1/10 on both members. Has anyone experienced this before? Below is a partial output of my config:
Primary:
Test-Cluster# show run failover
failover
failover lan unit primary
failover lan interface LAN_Failover Ethernet1/10
failover key *****
failover replication http
failover link State_Failover Ethernet1/11
failover interface ip LAN_Failover 192.168.195.1 255.255.255.252 standby 192.168.195.2
failover interface ip State_Failover 192.168.195.5 255.255.255.252 standby 192.168.195.6
Test-Cluster# show failover
Failover On
Failover unit Primary
Failover LAN Interface: LAN_Failover Ethernet1/10 (Failed - No Switchover)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 1043 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.8(4), Mate 9.8(4)
Last Failover at: 11:40:53 EDT May 30 2019
        This host: Primary - Active
                Active time: 83122 (sec)
                slot 0: FPR-2140 hw/sw rev (49.46/9.8(4)) status (Up Sys)
                  Interface TestASA (10.55.58.1): Normal (Waiting)
                  Interface outside (omitted): Normal (Waiting)
                  Interface inside (192.168.1.1): Link Down (Shutdown)
                  Interface management (192.168.45.1): Link Down (Shutdown)
        Other host: Secondary - Failed
                Active time: 2660 (sec)
                slot 0: FPR-2140 hw/sw rev (49.46/9.8(4)) status (Unknown/Unknown)
                  Interface TestASA (10.55.58.2): Unknown (Monitored)
                  Interface outside (omitted): Unknown (Monitored)
                  Interface inside (0.0.0.0): Unknown (Waiting)
                  Interface management (0.0.0.0): Unknown (Waiting)
Secondary:
Test-Cluster# show run failover
failover
failover lan unit secondary
failover lan interface LAN_Failover Ethernet1/10
failover key *****
failover replication http
failover link State_Failover Ethernet1/11
failover interface ip LAN_Failover 192.168.195.1 255.255.255.252 standby 192.168.195.2
failover interface ip State_Failover 192.168.195.5 255.255.255.252 standby 192.168.195.6
Test-Cluster# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: LAN_Failover Ethernet1/10 (Failed - No Switchover)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 1043 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.8(4), Mate 9.8(4)
Last Failover at: 09:56:15 EDT May 31 2019
        This host: Secondary - Active
                Active time: 335 (sec)
                slot 0: FPR-2140 hw/sw rev (49.46/9.8(4)) status (Up Sys)
                  Interface TestASA (10.55.58.1): Normal (Waiting)
                  Interface outside (omitted): Normal (Waiting)
                  Interface inside (192.168.1.1): Link Down (Shutdown)
                  Interface management (192.168.45.1): Link Down (Shutdown)
        Other host: Primary - Standby Ready
                Active time: 29152 (sec)
                slot 0: FPR-2140 hw/sw rev (49.46/9.8(4)) status (Unknown/Unknown)
                  Interface TestASA (10.55.58.2): Unknown (Monitored)
                  Interface outside (omitted): Unknown (Monitored)
                  Interface inside (0.0.0.0): Link Down (Shutdown)
                  Interface management (0.0.0.0): Link Down (Shutdown)
###Edit###
Primary:
Test-Cluster# show failover history
From State                 To State                   Reason
10:50:50 EDT May 31 2019   Not Detected               Disabled                   No Error
11:01:18 EDT May 31 2019   Disabled                   Negotiation                Set by the config command
11:02:03 EDT May 31 2019   Negotiation                Just Active                No Active unit found
11:02:04 EDT May 31 2019   Just Active                Active Drain               No Active unit found
11:02:04 EDT May 31 2019   Active Drain               Active Applying Config     No Active unit found
11:02:04 EDT May 31 2019   Active Applying Config     Active Config Applied      No Active unit found
11:02:04 EDT May 31 2019   Active Config Applied      Active                     No Active unit found
Secondary:
Test-Cluster# show failover history
From State                 To State                   Reason
10:52:19 EDT May 31 2019   Not Detected               Disabled                   No Error [link] [comments] |