
    Wednesday, July 3, 2019

    Rant Wednesday! Networking

    Rant Wednesday!

    Posted: 02 Jul 2019 05:04 PM PDT

    It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

    There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

    submitted by /u/AutoModerator

    No, really, it's not the network...

    Posted: 03 Jul 2019 12:48 PM PDT

    Dad writing me on WhatsApp: "Pictures in WhatsApp don't load on my phone! It's due to that Russian sub accident damaging submarine optical cables!"

    Me: "No dad, Facebook has issues, and Facebook owns WhatsApp. Submarine cable systems are very redundant and many more things wouldn't work if it was network problem"

    ... it just ... never ... stops...

    submitted by /u/ippavel

    Network engineer with two job offers, and unsure which to take.

    Posted: 03 Jul 2019 01:17 PM PDT

So I'm a Network Engineer at an ISP with 5 years experience and I just achieved my CCNP R & S and JNCIA, and I've been looking for a new job.

I went to some interviews and I'm in the lucky position to have been offered two jobs.

One is for a global online retailer where I would be managing their network and working on projects for them. It's a pure Cisco network where I would get to work with SD-WAN, Cisco Meraki, Fortinet firewalls. But as it's a small team, I would also work with the infrastructure, like AD, storage, servers, VMware, CDN etc. (stuff other than pure networking), along with BGP, VPLS, OSPF and the L2 stuff. They have a few data-centers and offices dotted around the globe and are in the process of interconnecting them. They seem to have lots of projects I could take on.

The other is a cloud service and datacentre provider (like AWS), where they deliver IT solutions and services. I would be a senior network engineer, working on projects and solutions for customers, as well as managing the network and providing support. Here I would be working with Cisco and Juniper devices, ASA and SRX firewalls, VMware and Hyper-V, Cisco UCS and Cisco Nexus (lots of MPLS, EVPN, BGP). It has a bigger IT team, with lots of systems/infrastructure guys. So it would be more of just the pure networking side, but working closely with the systems team to provide solutions.

The online retailer is a bigger company in terms of revenue, but their network is much smaller. The cloud service provider is smaller, but as the company's business is based around tech, the network is much bigger, with more project opportunities, as I would be designing bespoke network solutions.

One offers more than the other but for me the question does not come down to money; I want to learn new things and have new challenges, as my current role has become stale.

The question for me is, what is better for my career progression? Pure networking with firewalls and some virtualization, but more advanced networking.

Or a smaller network, but a broader variety of tech, with chances to work on SD-WAN and infrastructure.

Which would look better in the future? I know retail may be looked down upon because the network doesn't change all that much, but they are growing the team rapidly. Saying that, the cloud service company seems more prestigious.

I'm not asking which one I should choose, I'm asking which would you guys choose and why?

    Thanks

    submitted by /u/rossi-g

    Different Autonomous Systems - OSPF routing over private lines before using BGP learned routes

    Posted: 03 Jul 2019 02:26 AM PDT

    Hello,

I've a setup which seems to be fine, but wanted to know from your experience if it's a valid / common one, or something to be avoided. ( https://imgur.com/kTSxyTG )

As I need to extend this setup to other sites.

I've two Autonomous Systems (same company)

    - one is a private AS

    - the other one a public AS

    SiteA & SiteB are inside of the private AS having their public ip address space from the same provider (ISP A)

    - Each site is advertising its own and the public address space of the other sites to achieve redundancy (they are physically at different locations)

    - Each site is receiving the default route only from ISP A

    - SiteA and SiteB are interconnected directly via P2P line

- Via OSPF running on SiteA-RTR and SiteB-RTR, SiteA & SiteB know that they can use the P2P lines to reach each other's public space.

- In case of a P2P line failure, they will use the default route learned via BGP to reach each other's public address space

    SiteX has a public ASN and peers with different providers

    - SiteX is advertising its public address space to different providers (ISP-B & ISP-C).

- Itself it's receiving full tables from ISP-B and ISP-C

    Now i need to integrate SiteX into this public routing over private P2P lines setup.

    - There is a P2P line from SiteB to SiteX

    - The target is, that SiteA, SiteB & SiteX are joining the other sites public network over the P2P lines

    - in case of P2P line failure, they should use the internet to join the public address space of the other site

    -> I will include SiteX into the OSPF routing in order to make them aware of the public networks which can be reached over the P2P lines. (Right now there is no OSPF running on SiteX Routers) In case of P2P line failure, the routes learned will be removed from the routing table and the received routes from the eBGP peers will be taken.

    Is this a valid / common setup?

Are there any pitfalls I should be aware of?

I'm happy about every hint / comment

    submitted by /u/Crashcymbal
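A worked model of the selection rule this design depends on, added here as an example; it is not part of the original post or its diagram. A router installs one of several routes to the same destination by two rules: the longest matching prefix wins, and among equal-length prefixes the lowest administrative distance wins. At SiteA and SiteB that gives the behaviour the post describes, because the only BGP route is a default and the OSPF-learned /24 is more specific. At SiteX it does not: the full tables from ISP-B and ISP-C already carry SiteA's and SiteB's /24s as eBGP routes, and on Cisco IOS eBGP (distance 20) beats OSPF (distance 110) for the same prefix, so SiteX would keep sending traffic over the internet with the P2P line up. The model assumes IOS default distances and constructed documentation prefixes for the three sites, and represents the per-prefix `distance` command under `router bgp` as the fix; announcing more-specific prefixes in OSPF than exist in the global table is the other common way out.

```python
"""Route selection: longest prefix match, then lowest administrative distance.
Added example, not from the original post.  Assumes Cisco IOS default
distances (eBGP 20, OSPF 110); the site prefixes are constructed."""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional

DEFAULT_AD = {"connected": 0, "static": 1, "ebgp": 20, "ospf": 110, "ibgp": 200}

# Constructed documentation prefixes standing in for the three sites
SITE_A = "203.0.113.0/24"
SITE_B = "198.51.100.0/24"
SITE_X = "192.0.2.0/24"


class Route(NamedTuple):
    prefix: str
    protocol: str
    next_hop: str                    # label only: "P2P-to-SiteB", "ISP-C", ...
    distance: Optional[int] = None   # per-route override, as IOS `distance` sets

    def ad(self) -> int:
        return DEFAULT_AD[self.protocol] if self.distance is None else self.distance


def best_route(rib: List[Route], dst: str) -> Optional[Route]:
    """The route a router installs for dst: longest prefix, then lowest AD."""
    ip = ip_address(dst)
    matching = [r for r in rib if ip in ip_network(r.prefix)]
    if not matching:
        return None
    longest = max(ip_network(r.prefix).prefixlen for r in matching)
    same_len = [r for r in matching if ip_network(r.prefix).prefixlen == longest]
    return min(same_len, key=lambda r: r.ad())


def withdraw(rib: List[Route], protocol: str) -> List[Route]:
    """Simulate a P2P failure: every route learned via `protocol` disappears."""
    return [r for r in rib if r.protocol != protocol]


def prefer_p2p(rib: List[Route], prefixes: List[str], new_ad: int = 200) -> List[Route]:
    """Raise the AD of the eBGP copies of the partner prefixes above OSPF's 110,
    modelling the per-source `distance <ad> <src> <wildcard> <acl>` under router bgp."""
    return [r._replace(distance=new_ad) if r.protocol == "ebgp" and r.prefix in prefixes else r
            for r in rib]


def site_a_rib() -> List[Route]:
    # Default only from ISP-A; partner prefixes arrive over the P2P via OSPF
    return [
        Route("0.0.0.0/0", "ebgp", "ISP-A"),
        Route(SITE_A, "connected", "local"),
        Route(SITE_B, "ospf", "P2P-to-SiteB"),
        Route(SITE_X, "ospf", "P2P-to-SiteB"),
    ]


def site_x_rib() -> List[Route]:
    # Full tables from ISP-B/ISP-C already contain SiteA's and SiteB's /24s
    return [
        Route(SITE_X, "connected", "local"),
        Route(SITE_A, "ebgp", "ISP-B"),
        Route(SITE_B, "ebgp", "ISP-C"),
        Route(SITE_A, "ospf", "P2P-to-SiteB"),
        Route(SITE_B, "ospf", "P2P-to-SiteB"),
    ]


if __name__ == "__main__":
    host_b = "198.51.100.10"
    print(best_route(site_a_rib(), host_b).next_hop)                     # P2P-to-SiteB
    print(best_route(withdraw(site_a_rib(), "ospf"), host_b).next_hop)   # ISP-A
    print(best_route(site_x_rib(), host_b).next_hop)                     # ISP-C: the pitfall
    fixed = prefer_p2p(site_x_rib(), [SITE_A, SITE_B])
    print(best_route(fixed, host_b).next_hop)                            # P2P-to-SiteB
    print(best_route(withdraw(fixed, "ospf"), host_b).next_hop)          # ISP-C again
```

Run as a script it prints the next hop chosen at each site before and after the P2P line is lost. The `prefer_p2p` step only exists because SiteX learns the partner prefixes twice with the same length; at SiteA and SiteB the /24 over OSPF already outranks the eBGP default by length, which is why those two sites behave correctly without any distance tuning.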

    ipv6 octets?

    Posted: 03 Jul 2019 08:42 AM PDT

    So in ipv4 we call the 4 segments octets because they are 8 bits each. In ipv6 we have 8 segments that are 16 bits each. Writing an email talking about one segment of an address I was at a loss as to what to call it. How does the hive think I should refer to a single segment of an IPv6 address?

    submitted by /u/seesaw242

    ASA 9.7 + VTI + no sysopt connection permit-vpn

    Posted: 03 Jul 2019 03:07 PM PDT

    Setting up the first VTI tunnel on this ASA. The rest are policy based. It was a breeze.

    Since I use no sysopt connection permit-vpn - I added a line to the inside interface ACL to allow the traffic and packet-tracer was happy.

Unfortunately when I try to initiate traffic through this tunnel, I see the encaps increase but no decaps on "show crypto ipsec sa". Usually I'd punt it to the other side after clearing the tunnel but interestingly enough, capturing traffic on the outside interface, I see traffic coming back but I'm thinking it's just getting lost on an ACL.

    The stranger issue is the other side can initiate traffic just fine and communicate.

In reading it appears ACLs on VTI aren't supported until 9.8, which I'm investigating running, but not sure if anyone has run into this nuance with VTI?

    submitted by /u/PoseidonTheAverage

    Give me one annoying thing about a vendor TAC, what is it and how would you like to see it change?

    Posted: 03 Jul 2019 02:30 PM PDT

    Just fishing for ideas.

    submitted by /u/sometacdude

    Switch config for HA firewall

    Posted: 03 Jul 2019 10:38 AM PDT

    This is a new type setup for me to try implementing myself.

    We currently have a single firewall. We are replacing that with two FortiGates in an HA configuration. Planning on using one Juniper EX2300 switch and using that switch for both splitting the LAN connections to the FW as well as the outbound connections from the FW to the router.

    This is a flat network (I don't want to talk about it...I try to drink my sorrows away). The routers are managed by the ISP (so much drinking). I would like, however, to keep the traffic separate on the switch. I'm not sure if that's absolutely necessary from a technical perspective. It seems like it would be.

What is the best way to go about this? I figure I can VLAN it out, but do I need to have the routers add the new VLAN for those connections or do I just trunk the port and let it go out like normal?

    There will be three outbound connections: Router to ISP, router to a Cisco router that is used for a connection to our core provider (financial institution here) and one to a federal reserve VPN device.

    I hope that's enough info to go off on, but if not I can provide more.

    Thank you.

    submitted by /u/eightdifferentbosses

    Having brain fart, need help with Cisco switch and UBNT router

    Posted: 03 Jul 2019 02:17 PM PDT

    I'm either missing something glaringly obvious or I've missed something all together, so I come to you all for help. I'm configuring a Cisco 3560 switch and an EdgeRouter (ER8) for a client, but I'm having troubles with the vlan setup.

    Ideally, on the router, eth0 will be the uplink to the fiber carrier and eth7 will be the vlan trunk down to the switch. Then on the switch, gig 0/47 will be the vlan trunk, and various ports will be access for the different vlans.

    Can someone help me out? Links to Pastebin copies of the config below:

    UBNT EdgeRouter config

    Cisco 3560 config

    submitted by /u/firedrow

    QoS - Realworld Deployment

    Posted: 03 Jul 2019 01:52 PM PDT

Recently had an LLDP issue where an IP phone wouldn't pick up a correct priority (Yealink). I managed to get priority 5 into it eventually but it was a fiddle. My question is how is that priority respected across the network? Does the switch take this priority value and map it into DSCP 46? Is that mapping stripped out as soon as the frame leaves the switch? What do you deploy across the network for it to respect QoS markings?

    submitted by /u/CautiousCapsLock
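An added example, not from the original post, showing where the two markings live and what a switch's CoS-to-DSCP map does to them. The 802.1p priority (CoS, the PCP bits) is three bits inside the 802.1Q tag, so it exists only on tagged links and is gone the moment the tag is removed; DSCP is the top six bits of the IP ToS byte and survives every hop that does not rewrite it. A Catalyst port configured to trust CoS copies CoS into DSCP through its cos-dscp map, and on MLS QoS platforms the default map sends CoS 5 to DSCP 40 (CS5), not 46 (EF); the voice-friendly map `0 8 16 24 32 46 48 56` is what most deployments configure. The frame below is constructed, and the two maps are the Catalyst default and that EF variant.

```python
"""CoS (802.1p) versus DSCP: parse both from a tagged IPv4 frame and apply a
switch's cos-dscp map.  Added example, not from the original post.  The sample
frame is constructed; the maps are the Catalyst default and the EF variant."""
import struct
from typing import Dict, NamedTuple

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
IP_OFFSET = 18          # 12 bytes of MACs + 4-byte 802.1Q tag + 2-byte EtherType

# CoS 0..7 -> DSCP.  The Catalyst default maps CoS 5 to CS5 (40); voice
# deployments usually configure "mls qos map cos-dscp 0 8 16 24 32 46 48 56".
COS_DSCP_DEFAULT = {0: 0, 1: 8, 2: 16, 3: 24, 4: 32, 5: 40, 6: 48, 7: 56}
COS_DSCP_VOICE = {0: 0, 1: 8, 2: 16, 3: 24, 4: 32, 5: 46, 6: 48, 7: 56}


class Marking(NamedTuple):
    vlan: int
    cos: int    # PCP: 3 bits in the 802.1Q tag, lost when the tag is stripped
    dscp: int   # top 6 bits of the IP ToS byte, carried end to end
    ecn: int    # low 2 bits of the ToS byte, must be preserved when remarking


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 checksum of a 20-byte IPv4 header, checksum field taken as zero."""
    zeroed = header[:10] + b"\x00\x00" + header[12:20]
    total = sum(struct.unpack("!10H", zeroed))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(frame: bytes) -> bool:
    """True if the stored IPv4 header checksum matches the header contents."""
    hdr = frame[IP_OFFSET:IP_OFFSET + 20]
    return ipv4_checksum(hdr) == int.from_bytes(hdr[10:12], "big")


def parse_marking(frame: bytes) -> Marking:
    """Read PCP/VID from the tag and DSCP/ECN from the IPv4 header."""
    tpid, tci, ethertype = struct.unpack_from("!HHH", frame, 12)
    if tpid != TPID_8021Q:
        raise ValueError("untagged frame: there is no CoS field to read")
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4")
    tos = frame[IP_OFFSET + 1]
    return Marking(vlan=tci & 0x0FFF, cos=tci >> 13, dscp=tos >> 2, ecn=tos & 0x3)


def remark(frame: bytes, cos_to_dscp: Dict[int, int]) -> bytes:
    """What an ingress port trusting CoS does: DSCP := map[CoS], ECN kept,
    IPv4 header checksum recomputed because it covers the ToS byte."""
    m = parse_marking(frame)
    out = bytearray(frame)
    out[IP_OFFSET + 1] = (cos_to_dscp[m.cos] << 2) | m.ecn
    csum = ipv4_checksum(bytes(out[IP_OFFSET:IP_OFFSET + 20]))
    out[IP_OFFSET + 10:IP_OFFSET + 12] = struct.pack("!H", csum)
    return bytes(out)


def build_frame(vlan: int, cos: int, dscp: int) -> bytes:
    """Constructed sample: tagged frame with a minimal, checksummed IPv4 header."""
    macs = bytes.fromhex("001122334455" "66778899aabb")
    tag = struct.pack("!HHH", TPID_8021Q, (cos << 13) | vlan, ETHERTYPE_IPV4)
    ip = bytearray(20)
    ip[0] = 0x45                      # version 4, IHL 5
    ip[1] = dscp << 2                 # ToS: DSCP in the top 6 bits, ECN 0
    ip[2:4] = struct.pack("!H", 20)   # total length, header only
    ip[8], ip[9] = 64, 17             # TTL, protocol UDP (what RTP rides on)
    ip[12:16] = bytes([10, 0, 0, 10])
    ip[16:20] = bytes([10, 0, 0, 20])
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
    return macs + tag + bytes(ip)


if __name__ == "__main__":
    phone = build_frame(vlan=100, cos=5, dscp=0)   # phone sets CoS 5, DSCP 0
    print(parse_marking(remark(phone, COS_DSCP_DEFAULT)).dscp)  # 40, not EF
    print(parse_marking(remark(phone, COS_DSCP_VOICE)).dscp)    # 46 (EF)
```

The point of running both maps over the same frame is that the phone's priority 5 is honoured by the first switch either way, but only the second map produces the DSCP 46 that routers and firewalls further along will act on; the CoS value itself never leaves the first untagged link, so DSCP is the marking to check at every hop after the access switch.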

    Juniper SRX240, Ubiquiti ER10X, or other?

    Posted: 03 Jul 2019 12:28 PM PDT

Hey guys, my first post here, looking for some advice from my fellow experts. I have a Netgear R8000 router that has been giving me lots of problems. So I want to replace it with a different router/firewall device and turn the Netgear into a hardwired AP. I am not looking for something crazy and expensive, somewhere around the $100 range. This is for a home network with about 20-25 devices, some wired but mostly wireless. As far as network load: some streaming, not much gaming, a handful of IP cameras, the rest is light traffic and web browsing. Not really heavy users but I would not want to limit the bandwidth provided by the ISP, so at least 500Mbps throughput.

As far as device requirements:

- 5 or more gig-e ports (don't care for SFPs or PoE)

- Basic firewall capabilities

- VPN - mainly OpenVPN (server side, to log into the network from a remote location, rarely used but needed feature)

- DDNS - have been using Netgear's free DDNS service so if I could migrate that one, would be great.

- No subscription fees or licensing fees of any kind.

    My first choice was srx240 as one of those could be had on eBay for around $80, but I don't know about licencing for that device and if any of my requirements will not work unless I do get a licence for it. Second choice was Ubiquiti, read a few posts, people seem to like them and they are reliable. Little more expensive and seems to be little less powerful than junos. I am also open to any other suggestions or getting a white box and putting PFsense on it, just could not find one for my price range and 5 or more gig ports.

    Anyway, sorry for many words, and thanks in advance for any suggestions!

    submitted by /u/hlywine

    3rd Party Optics - Cat 9500 "high-performance"

    Posted: 03 Jul 2019 07:23 AM PDT

    Anyone have experience with 3rd party optics (including BaseT) in the Cisco Catalyst 9500's (C9500-48Y4C)? I'm interested in 1Gb MMF SFP, 10Gb SMF/MMF SFP+ and 1Gb Base-T SFP.

    submitted by /u/twinax

    Communication over multiple firewalls

    Posted: 03 Jul 2019 10:39 AM PDT

    Fax over SIP with Skype PBX?

    Posted: 03 Jul 2019 09:54 AM PDT

    I'm an ISP sales rep. I have a customer that accidentally ported over their fax lines to us. While we typically can deliver the fax lines over SIP to their PBX for them to route at their LAN, it looks like they're not able to.

Are any of you using fax machines with the Skype for Business (2019) PBX? If so, would you be able to direct me to some user guides that I might be able to share?

    As it stands, we're working on getting some analog lines installed for them, but they're pretty reliant on fax and the wait will be damaging.

    submitted by /u/SalesyMcSellerson

    What's the point of using copper SFPs?

    Posted: 03 Jul 2019 01:22 PM PDT

I understand that fiber SFP has the advantage of being "low power" and can be deployed over longer distances than copper. But what's the point of using copper SFPs? I see none.

    submitted by /u/napsterpepper

Multimode Fiber Multiplexer / SFPs

    Posted: 03 Jul 2019 09:18 AM PDT

    Hi All,

I'm looking at multiplexing fiber (CWDM + MUX/DEMUX) over my existing 62.5µm multimode backbone to address the lack of available fiber for redundant links. The existing fiber is mostly 400-1000m and we are using Ci$co gear at each end running 1GE interfaces. Has anyone had experience with this type of solution and can speak to its feasibility and reliability? If so, what vendors have you used? The Ci$co list prices make it look like running new fiber would be cheaper :/

    Feasibility-wise, I'm somewhat concerned the transceivers will burn themselves out, being a fraction of their rated range from each other.

    submitted by /u/phacious

    BOVPN Hub and Spoke Network Watchguard

    Posted: 03 Jul 2019 05:32 AM PDT

    Hello,

    Apologies in advance if this seems like a rather simple question, I am not as familiar with Watchguard systems as I would like to be.

    I recently took over the network administration at a company with a hub and spoke network with two hubs (M200's) and around 10 spoke sites running T50's.

    Looking at the BOVPN tunnel topology it appears as if the entire network is built on a point-to-point basis as opposed to hub and spoke. Should I need tunnels on each individual site that point to every other site if the hub is in place?

    For example we have 192.1.1.1 as our hub, which has a two-way tunnel to 192.1.2.1 and 192.1.3.1

    Both 192.1.2.1 and 192.1.3.1 have the same two-way tunnel to 192.1.1.1 and a forest trust is active between all sites as proof of connectivity to the hub, however in order to direct traffic between 192.1.2.1 and 192.1.3.1 there needs to be a BOVPN tunnel in place between the two on each side.

    We have a limited number of licences for tunnels so I am wondering if anyone could shed any light on this situation and if a more tunnel-efficient solution will be possible?

    Many thanks in advance.

    submitted by /u/IBYCWOWTM

At a loss - random network problems regarding Office 365

    Posted: 03 Jul 2019 08:45 AM PDT

For multiple weeks we have had those weird problems, where we can access the internet, but not our synchronized Office programs, Outlook or SharePoint, for minutes at a time. This happens via LAN and WLAN connection in the same network.
We ran multiple tests to ensure that our internet connection is not at fault. The problem revolves only and exclusively around the Office 365 package.
We can access our SharePoint and Office package through mobile data via smartphones though.
Everything seems to work, except using everything Office 365 related in our network. Sadly, the Microsoft Support Team couldn't help us yet, even though we sent multiple log files.

I don't know if it matters, but we use our fixed IP for internet access (at least, this is what shows up when I check "whatismyip").

    Do you guys have any idea, why this is the case and what we can try to resolve this? I would be incredibly thankful.

    I have following ideas, but I do not know if they are worth trying:
    *Changing the DNS to 1.1.1.1 and 9.9.9.9
    *Disabling the Firewall, Anti-Virus-System and VPN for only one Computer and see if the problems still occur (I don't know if this is possible)

    submitted by /u/BEPower

    Anyconnect and the new IOS XE (C1100) routers

    Posted: 03 Jul 2019 08:10 AM PDT

Have they now moved to FlexVPN for client-based VPNs on these routers, or do they still have support for AnyConnect?

    Looking through the datasheets on Cisco and lots of VPN guides but none at all for setting up Cisco Anyconnect on these routers and 'webvpn' is missing.

    Thanks

    submitted by /u/fearlessamoeba

    Passing CCIE RS without attending bootcamp or CIERS1/2?

    Posted: 03 Jul 2019 07:32 AM PDT

The title says it all. Has anyone here passed without attending a bootcamp and/or CIERS1 & CIERS2? I understand it's better to attend if you can, but that won't be possible for me.

    Background:

    INE subscription

    Completed INE workbooks

    Completed Cisco 360 Core and Advance workbooks

    Completed Cisco T-shooting labs

    submitted by /u/moneybags_921

    It looks like an ASIC issue ... And now I want to borrow an SFP module in Boston.

    Posted: 03 Jul 2019 07:18 AM PDT

    I've got four switches connected in a double-ended MLAG like this (not my drawing). Two switches from vendor A (A1 and A2) and two switches from vendor B (B1 and B2).

    It's been running for many months without issue.

Recently, some flows have begun failing to traverse some legs of the aggregation. I zeroed in on one problem flow and found the specific link carrying that flow. SPAN on the sending side shows the frames leaving. SPAN on the receiving side doesn't show the frames arriving. Other flows between the same IP pair (using different ports) are unaffected. Other flows traversing the same link are unaffected.

    Error counters are not incrementing.

    If I down the suspect LAG member, the problem flow hashes elsewhere and gets delivered just fine. Re-enable the link, the problem flow lands on it again, and doesn't survive the trip.

    Both ends are Broadcom based: Trident2+ from vendor A, Trident+ from vendor B.

    Because the two SPAN results don't agree, I'm leaning toward putting a tap on the link to get an independent opinion.

    BUT... The links are made with CX-1 cables, so I can't tap 'em.

    Ideas?

    I've got SR transceivers I could use on one end, need some HPE 455883-B21 for the other end.

    Anybody happen to have some of these at 50 Innerbelt in Somerville MA?

    Edit: I scored some transceivers, don't need to borrow any

    submitted by /u/kWV0XhdO

    3750x licensing experience - enforced or honor?

    Posted: 02 Jul 2019 07:59 PM PDT

    Good evening Redditors!

    Have an interesting situation where a remote site's industrial router failed, and thanks to oof we were able to bypass it and keep the site alive by enabling IP Services (BGP) on a 3750x. Unfortunately, this place is pretty remote, and given its non-stop environment all maintenances are minimum 90+ days out, leaving me in a pickle: if this license expires before we can get a replacement router installed, the site goes down. I have found lots of differing input on this topic - some saying that as of IOS 15, IPServices goes right to use after the eval period ends. Others say it removes the features real time.

    So, simple question, hopefully answered from experience: when the evaluation license expires on a 3750X running 15.x, do the enabled features turn off?

    submitted by /u/BitRancher

    SNMP VPN monitoring Cisco ASA

    Posted: 03 Jul 2019 02:49 AM PDT

    Good morning,

    Hopefully this is okay to post in here.

    I am currently trying to monitor a VPN using a PRTG SNMP sensor between my ASA and a customers peer.

    The PRTG server is on another site and can communicate with the ASA via a different VPN.

In my ASA (version 9.2(3)) I have put in the following command:

    snmp-server host inside x.x.x.x poll community ****** version 2c

    From what I can understand that should be enough to allow the PRTG server to poll the ASA but it doesn't seem to be working. I spent ages looking at this yesterday, far too long if I am honest.

    Any ideas on what I am missing here?

    submitted by /u/joe297

    Switchport config to secure an external- facing port?

    Posted: 03 Jul 2019 06:34 AM PDT

    Branch site has its own internet. I want to shunt it directly to a meraki AP, what's the best way to secure the Cisco switchport that connects that modem to the AP?

    submitted by /u/severance26

    Idea: Non-profit, fully auditable, free VPN that pays for infrastructure costs via truly anonymized traffic pattern/trend data.

    Posted: 03 Jul 2019 09:33 AM PDT

    I've been putting off moving to a VPN service because I'm too lazy to stand up my own and I've only heard bad things about paid services. After all, if your private data becomes important to someone (e.g. govt) then they'll just pay the VPN company enough money to get it anyway.

    Been mulling over the idea in my head for a while and I have two questions my experience (cybersec policy/compliance) can't quite confirm:

    1) Can you set up an infrastructure like this on a cloud solution that would scale and also be a fairly safe harbor, in the event someone important/powerful doesn't like what we're doing?

    2) Can you actually sell anonymous traffic data in such a way that it would pay for the infrastructure (and a little extra for the admins and lawyers we'd probably need to have on staff). Alternatively, could we work with ad networks to provide semi-targeted ads that wouldn't break confidentiality?

    Otherwise, I'm fairly confident that we could set up a black-box solution that could be independently verified by a 3rd party audit (e.g. Big 4, Verizon, IBM, etc.) that would prove no human being can actually get to the traffic data before it's completely stripped of any identifiers. Even if the environment is tampered with, it could simply drop any unprocessed logfiles that haven't been stripped and purged.

    Would love to hear some thoughts on problems I haven't thought about already, even outside of 1) and 2) above.

    submitted by /u/thomsomc
