
    Monday, August 19, 2019

    Moronic Monday! Networking



    Moronic Monday!

    Posted: 18 Aug 2019 06:04 PM PDT

    It's Monday, you've not yet had coffee and the week ahead is gonna suck. Let's open the floor for a weekly Stupid Questions Thread, so we can all ask those questions we're too embarrassed to ask!

    Post your question - stupid or otherwise - here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer. Serious answers are not expected.

    submitted by /u/AutoModerator

    HA Firewalls & HA ADCs - Sanity Check Please?

    Posted: 19 Aug 2019 02:30 PM PDT

    I am configuring a set of HA FortiADCs and would love a sanity check on my cabling. Initially I was trying to keep a switch out of the mix and just use the internal switching capabilities of the FortiGate and FortiADCs but it doesn't seem that's feasible/ideal due to the possible failover scenarios.

    https://kb.fortinet.com/kb/viewContent.do?externalId=FD31396

    In referencing the above link, Fortinet suggests to create two LACP groups on the switch for each firewall. I'm running a pair of Aruba 5400rzl2 switches in a VSF configuration so they're a single logical device. I'm applying this article's suggestion to the FortiADCs as well so I will have a total of 4 LACP groups that will all be added to the same VLAN on the Aruba.

    Any input would be appreciated on this, I think what I've scratched together will be solid, but I would definitely appreciate a sanity check.

    My diagram is in the image posted below.

    https://imgur.com/GMUCO3q

    Cheers

    submitted by /u/IsNotMyWorkAccount

    Using SPAN/Port Mirroring for production

    Posted: 19 Aug 2019 05:05 AM PDT

    I recently came across an environment where there was permanent SPAN set up on switches to accommodate required features of a system they were running. Basically if the SPAN was turned off their records and billing system totally broke and assigned all their customers a $0 bill. They had a problem where some transactions weren't being captured by their records and billing system, and the reason ended up being oversubscription of the SPAN output port.

    Thinking this was surely some hucklebuck solution, I spoke to the vendor and confirmed this was their official way of doing it. They also required customers on purchase to buy their switches which were already pre-configured, but they finally admitted that other vendors were supported so long as you SPAN'ed the correct ports.

    This was at a big name national company too, not some little mom and pop shop. The system they were running is quite old, but the vendor is keeping it in support and continues to update it exclusively for this customer.

    Not really asking a question here, just thought I'd share since I hadn't encountered this before.

    What other examples of a "feature" like this have you guys run into where a vendor used the network as a crutch?

    submitted by /u/Linklights

    L3 switch - subinterfaced routed port not working but L3 SVI does?

    Posted: 19 Aug 2019 11:30 AM PDT

    Weird one. I put a stack of c9300's into service last week, did 'no switchport' on the uplinks to core routers, subinterfaced etc but only one of the uplink ports worked. These are 8x10g SFP modules.

    I went back to site today and changed the uplinks to trunks, and put a L3 SVI on the switch instead and it worked first time.

    Before that I changed the modules around, swapped the sfp's, changed fibres etc with no joy.

    I know behind the scenes a routed port vs a VLAN SVI is the same thing, but any ideas why this wouldn't work with subinterfaces?

    submitted by /u/LittleWanger

    Does anyone know a way to take a spreadsheet full of information and turn it into a topology?

    Posted: 19 Aug 2019 01:02 PM PDT

    Hi all. Last year in college and as a networking intern. I'm looking for tricks, tips, and information here.

    I've just been tasked with mapping the entirety of our campus access layer's connections up to our distro layer. This, from top to bottom, contains: 2 distro switches, 7 aggregate switches, 83 access switches.

    I need to map every single connection (not really concerned with the "why" at the moment, more concerned with the "how") between these devices. They are not cleanly organized anywhere - I simply have a list of their physical interfaces and each device's CDP information.

    Aside from going through each device individually, drawing its connections, and trying to remember where each one is in the diagram whilst drawing future connections... how do I handle this without spending the next week or two drawing and redrawing lines?

    submitted by /u/slickwillymerf

    Have you ever seen CDP send different IP info to different neighbors?

    Posted: 19 Aug 2019 10:24 AM PDT

    I'm working on some discovery/automation stuff for Catalysts, would like to know if it's reasonable to use the management address advertised by CDP as a key for uniquely identifying each switch.

    I don't think I've ever seen a switch send different IP addresses to different neighbors. Have you?

    submitted by /u/chrismarget
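    The two questions above (turning a pile of per-device CDP output into a topology, and whether a switch's CDP management address is stable enough to use as a unique key) can be answered with the same small script. The following is an added example written for this digest, not code from either poster: it takes CDP neighbor entries that have already been exported to CSV (the column names and the device names, ports and addresses in the sample are constructed for illustration), collapses links seen from both ends into one edge, renders the result as Graphviz DOT, and flags any device that advertised more than one management address to different neighbors, which is exactly the condition that would break using that address as a key.

```python
"""Build a topology graph from exported CDP neighbor records and check that
every device advertised a single, consistent management address.

Added example (not from the original posts). The CSV layout below is an
assumption: one row per 'show cdp neighbors detail' entry, exported with the
columns local_device, local_port, neighbor_device, neighbor_port,
neighbor_mgmt_ip. Device names, ports and addresses are constructed.
"""
import csv
import io
from collections import defaultdict

# Constructed sample data. The dist-1 <-> agg-1 link appears from both ends
# (rows 1 and 9) and acc-102 advertises two different management addresses.
SAMPLE_CSV = """\
local_device,local_port,neighbor_device,neighbor_port,neighbor_mgmt_ip
dist-1,Te1/1/1,agg-1,Te1/0/49,10.0.0.11
dist-1,Te1/1/2,agg-2,Te1/0/49,10.0.0.12
dist-2,Te1/1/1,agg-1,Te1/0/50,10.0.0.11
dist-2,Te1/1/2,agg-2,Te1/0/50,10.0.0.12
agg-1,Gi1/0/1,acc-101,Gi1/0/48,10.0.1.101
agg-1,Gi1/0/2,acc-102,Gi1/0/48,10.0.1.102
agg-2,Gi1/0/1,acc-101,Gi1/0/47,10.0.1.101
agg-2,Gi1/0/2,acc-102,Gi1/0/48,10.0.2.102
agg-1,Te1/0/49,dist-1,Te1/1/1,10.0.0.1
"""


def load_records(text):
    """Parse CSV text into a list of dicts, one per CDP neighbor entry."""
    return list(csv.DictReader(io.StringIO(text)))


def build_links(records):
    """Return the set of physical links as unordered pairs of (device, port).

    A link reported by both ends collapses to a single entry because the
    pair is stored in sorted order.
    """
    links = set()
    for r in records:
        a = (r["local_device"], r["local_port"])
        b = (r["neighbor_device"], r["neighbor_port"])
        links.add(tuple(sorted((a, b))))
    return links


def mgmt_address_conflicts(records):
    """Map device name -> set of management addresses it advertised via CDP,
    keeping only devices that showed more than one (unsafe as a unique key).
    Empty addresses (devices with no management IP) are ignored."""
    seen = defaultdict(set)
    for r in records:
        if r["neighbor_mgmt_ip"]:
            seen[r["neighbor_device"]].add(r["neighbor_mgmt_ip"])
    return {dev: ips for dev, ips in seen.items() if len(ips) > 1}


def to_dot(links):
    """Render the links as a Graphviz 'dot' graph, one edge per physical link,
    with the port names on each end of the edge."""
    lines = ["graph topology {", "  node [shape=box];"]
    for (dev_a, port_a), (dev_b, port_b) in sorted(links):
        lines.append(
            f'  "{dev_a}" -- "{dev_b}" [taillabel="{port_a}", headlabel="{port_b}"];'
        )
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = load_records(SAMPLE_CSV)
    print(to_dot(build_links(recs)))
    for dev, ips in mgmt_address_conflicts(recs).items():
        print(f"# WARNING: {dev} advertised {sorted(ips)} to different neighbors")
```

    Pipe the DOT output into `dot -Tsvg -o topology.svg` to get the drawing; the 83 access switches become 83 boxes hanging off their aggregation switches without anyone redrawing a line by hand. The conflict check is the caveat for the CDP-as-key idea: a device that advertises different addresses on different ports (per-VRF management, a stale entry on one neighbor, or two switches sharing a hostname) shows up here and should be keyed on something else, such as the chassis serial, before the automation trusts it.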

    Where do I need to look to find Elastiflow log information?

    Posted: 19 Aug 2019 12:21 PM PDT

    Hello, I installed Elastiflow following the steps outlined here:

    https://www.catapultsystems.com/blogs/install-elastiflow-on-ubuntu-18-04-part-1/

    I believe I have everything configured correctly but I am not seeing any data on the Elastiflow dashboards. I can't find the log file that shows the data being received by Elastiflow. Does anyone know what file I should be looking at to verify that traffic is at least being received?

    Also, does anyone by chance have a better resource that goes over installing and configuring Elastiflow? I'm having a hard time figuring out what I'm missing, so any help is greatly appreciated!

    thanks

    submitted by /u/NativeVLANerican
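    Before digging through Logstash logs, the quickest check is whether flow datagrams are reaching the collector host at all. The following is an added example written for this digest, not part of the ElastiFlow project or the linked guide: it decodes the export header of a NetFlow v5, NetFlow v9 or IPFIX datagram and, when run as a listener, counts datagrams per exporter and version. The listener port is an assumption (2055 is a common NetFlow port; use whatever your Logstash input is bound to), and the sample datagrams are constructed with `struct.pack` so the parser can be exercised offline.

```python
"""Decode NetFlow v5 / v9 / IPFIX export headers to confirm that flow
records are actually arriving at the collector.

Added example (not from the original post or the ElastiFlow project).
Header layouts follow the published formats:
  v5    : version(2) count(2) sysuptime(4) unix_secs(4) unix_nsecs(4)
          flow_sequence(4) engine_type(1) engine_id(1) sampling(2)  = 24 bytes
  v9    : version(2) count(2) sysuptime(4) unix_secs(4) sequence(4)
          source_id(4)                                              = 20 bytes
  IPFIX : version(2)=10 length(2) export_time(4) sequence(4)
          observation_domain(4)                                     = 16 bytes
"""
import socket
import struct


def parse_export_header(data):
    """Return a dict describing the export header of one datagram.

    Raises ValueError for datagrams that are too short or not a flow export
    version we recognise, so the caller can count junk separately.
    """
    if len(data) < 16:
        raise ValueError("datagram too short for a flow export header")
    version = struct.unpack("!H", data[:2])[0]
    if version == 5:
        if len(data) < 24:
            raise ValueError("NetFlow v5 header needs 24 bytes")
        _, count, _, _, _, seq = struct.unpack("!HHIIII", data[:20])
        return {"version": 5, "count": count, "sequence": seq}
    if version == 9:
        if len(data) < 20:
            raise ValueError("NetFlow v9 header needs 20 bytes")
        _, count, _, _, seq, source_id = struct.unpack("!HHIIII", data[:20])
        return {"version": 9, "count": count, "sequence": seq, "source_id": source_id}
    if version == 10:
        _, length, _, seq, domain = struct.unpack("!HHIII", data[:16])
        return {"version": 10, "length": length, "sequence": seq, "source_id": domain}
    raise ValueError(f"unknown export version {version}")


def listen(port=2055, seconds=30):
    """Bind the collector port and count datagrams per (exporter, version).

    Only one process can own the UDP socket, so stop Logstash first or bind a
    spare port and point one exporter at it temporarily.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    sock.settimeout(seconds)
    seen = {}
    try:
        while True:
            data, (src, _) = sock.recvfrom(65535)
            try:
                hdr = parse_export_header(data)
            except ValueError as exc:
                print(f"{src}: unparseable datagram ({exc})")
                continue
            key = (src, hdr["version"])
            seen[key] = seen.get(key, 0) + 1
    except socket.timeout:
        pass
    finally:
        sock.close()
    return seen


# Constructed sample datagrams (header plus a little padding where needed).
SAMPLE_V5 = struct.pack("!HHIIIIBBH", 5, 1, 1000, 1566230000, 0, 3, 0, 0, 0)
SAMPLE_V9 = struct.pack("!HHIIII", 9, 2, 123456, 1566230000, 42, 256) + b"\x00" * 8
SAMPLE_IPFIX = struct.pack("!HHIII", 10, 16, 1566230000, 7, 1)

if __name__ == "__main__":
    for name, pkt in (("v5", SAMPLE_V5), ("v9", SAMPLE_V9), ("ipfix", SAMPLE_IPFIX)):
        print(name, parse_export_header(pkt))
    # Uncomment on the collector host (with Logstash stopped) to watch live:
    # print(listen(port=2055, seconds=30))
```

    If the listener sees nothing, the problem is upstream of Logstash (exporter configuration, the exporter's source address, a firewall or ACL on the path, or the wrong destination port), and no amount of dashboard tweaking will help. If it sees datagrams but the dashboards stay empty, then the fault is in the Logstash pipeline, and its own log (under the Logstash log directory on the host) is the next place to look. A v9 or IPFIX exporter also has to send its templates before data records can be decoded, so give a freshly started collector a few minutes before concluding it is broken.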

    Do you think there is value in developing CDPv2 for authentication/authorization?

    Posted: 19 Aug 2019 06:23 AM PDT

    I just had a thought that since CDP is inherently risky, would there be value in improving the standard to incorporate authentication and authorization, and include that new protocol enhancement into the network devices (Fluke/NetScout) for additional security?

    submitted by /u/cruddy_mccrudderson

    Cisco Networking Need To Know?

    Posted: 19 Aug 2019 12:49 PM PDT

    I'm taking a class on Cisco Networking and the instructor just blows through terms every day at a rate that I can't write it all down and also understand it at the same time. So my question is should I focus more on taking notes or should I put my effort into understanding and applying this in labs? Also are all these terms useful in the networking field?

    submitted by /u/BananaBaiter

    Vcenter ping timeouts when connecting to web interface

    Posted: 19 Aug 2019 01:42 PM PDT

    Hello!

    So, first off, there have been no issues until now connecting to vCenter. Our vCenter is on VLAN 10, connecting to it from machines on the same VLAN. We wanted to enable connections to the vCenter web interface from another VLAN, let's say 75, which is configured on an upstream L3 switch.

    Configured the trunk to allow said VLAN across, with routes to that VLAN and back. VLAN 75 can ping vCenter with no issues. However, once you connect to the web interface, it continually times out and the pings start dropping packets (anywhere from 15-25% loss). As soon as you close the web interface, pings are good again.

    For troubleshooting, tried opening all VLANs on the trunk, tried an 'allow any any' on ACLs, tried configuring VLAN 75 and a l3 interface in the downstream switches for giggles.

    Seems like no matter what I do, it still starts dropping packets as soon as 75 attempts to connect to the web interface of 10.

    Any ideas, anyone ran into this before?

    submitted by /u/TristynWyatt

    Secure Remote Access architecture

    Posted: 19 Aug 2019 07:04 AM PDT

    Currently, our environment is using AnyConnect for remote access. We have an ASA at our perimeter which terminates the SSL connections. My company is starting to focus on updating and securing our enterprise architecture and are happy to put some money into it. I am brainstorming some solutions and just curious if there is a consensus on remote access design?

    We are starting to implement Palo Alto's so my idea was to replace the ASA with the Palo and create a new remote access DMZ. I could then place an ASA or router for VPN termination and further restrict traffic.

    Would it make sense to do SSL decryption and inspection on the Palo Alto sitting on the perimeter? Or is it best to use a dedicated appliance for this?

    Would a Web Security Appliance be suitable here if I have a Palo Alto already doing the inspection/url filtering?

    I've also seen designs where enterprises are utilizing dual firewalls (External/Internal). This seems it would be the most secure but I'm curious if anyone has any experience implementing this solution as it seems it could be more complex.

    submitted by /u/_TidePodsTasteGood

    From the Vlan 44 interface I am not able to ping the Vlan 3 interface of the Core Switch

    Posted: 19 Aug 2019 12:42 PM PDT

    Hi everybody;

    I have the following scenario (IPs are fake, this is only an illustrative example). I am implementing a new Mobility Express topology because in our company everybody is still using ethernet cable :S. The topology is this:

    https://imgur.com/NRxwtMN

    Laptop ------ WLC -------- Switch 1 ------- CORE

    Laptop:
      IP address 192.168.45.231 / 255.255.254.0
      GW 192.168.44.2
      Vlan 44

    WLC:
      DHCP pool 192.168.44.0 / 255.255.254.0
      GW 192.168.44.2
      Vlan 44
      Management vlan 10: 192.168.10.90/24
      Default GW for vlan 10: 192.168.10.22/24

    Switch 1:
      Int Vlan 44: 192.168.44.2 / 255.255.254.0
      Int vlan 3: 192.168.3.4/24
      Default route to: 192.168.3.1
      Management vlan 10: 192.168.10.22/24

    CORE:
      Int vlan 3: 192.168.3.1/24

    From the test laptop I am able to ping its GW 192.168.44.2 and the IP 192.168.3.4, but I am not able to ping the CORE IP address 192.168.3.1.

    From Switch 1, obviously I can ping the IP 192.168.3.1 on the Core, and I can even ping 192.168.3.1 sourced from 192.168.44.2.

    On Switch 1 I use a default ip route to the IP address 192.168.3.1 (interface vlan 3 of Core).

    On Core i use this static route:

    ip route 192.168.44.0 255.255.254.0 192.168.3.4

    What's wrong? Did I forget something? I only use static routes in this case.

    submitted by /u/torrefacto

    Announcing same prefix out two different datacenters

    Posted: 19 Aug 2019 05:10 AM PDT

    Imagine the fairly common scenario quickly depicted here: https://imgur.com/N2wbwl2

    I want to announce the same publicly assigned /16 out of two datacenters. The datacenters are connected with dark fiber and run OSPF as the IGP.

    Do the two routers need to be connected to each other via a layer 2 link or a GRE tunnel for this to work (in addition to iBGP of course)?

    I tried to convert a router to strictly layer 3 over the weekend with no L2 or tunnel between the two PE's and all heck broke loose. After doing some research, I believe it's because I broke the layer 2 connection between them (because I want to rid myself of all unnecessary layer 2 in the network).

    submitted by /u/jlstp

    Applying policy on Fortigate routed address

    Posted: 19 Aug 2019 01:23 AM PDT

    TL;DR: Can one apply IPv4 Policy on an IP that is switched by Fortigate's own virtual switch?

    The questions probably stems from some basic lack of understanding of how Fortigate applies policy.

    Interface 1 on the Fortigate goes to the switches. Interface 2 goes to a router that routes to a remote subnet. Interface 1 and 2 are in a virtual switch. The router on Interface 2 has an IP in the same subnet as the endpoints on the switch (i.e. Interface 1).

    Is there a way I can apply policy on whatever comes from Interface 1 to Interface 2 (and vice versa) ? Maybe I can break Interface 2 from the virtual switch? Does that mean I need to segregate Interface 2 into another subnet and give Fortigate and the router there their own IPs? The latter is not really an option for me.

    submitted by /u/Hakkensha

    Looking to get more tools for wire/wireless testing

    Posted: 18 Aug 2019 11:06 PM PDT

    Hey guys,

    So I manage a large wired/wireless network. We have almost 400 wireless endpoints to give you an idea of what I'm working with. Right now we have devices like the LRAT-2000, IntelliTone Pro, CIQ-100 and a few others. We have everything we need for testing ethernet, but we don't have anything for wireless. So I was looking for suggestions to expand our copper testing capabilities, and have something besides the Wi-Fi analyzer app on my phone. I already found the AirCheck G2 kit which seems like it would have anything we might want. Does anyone have experience with these types of devices so we don't end up with something that becomes a nuisance?

    I should also specify that the newest equipment we maintain is Meraki APs and we're using up to wireless AC currently.

    submitted by /u/mrcluelessness

    Switching Questionnaire for Pre-Sales to ask customers

    Posted: 19 Aug 2019 01:51 AM PDT

    Hi,

    I was wondering if Juniper has a questionnaire table or something similar that we can send to our customers once they have a switching requirement. A lot of them just send that they need a switch that has 24 or 48 ports but later on, we discover that they wanted it to support PoE+ or redundancy, Virtual Chassis, MACsec, centralized management, etc...

    Does anybody have this or the right questions that we can ask in order to cover most of the common requirements?

    Thanks in advance.

    submitted by /u/Hussam_Bay

    Help Understanding HTTP(s) Request Latency through NLB to on Premise Server vs Directly through Firewall

    Posted: 19 Aug 2019 08:24 AM PDT

    I have the following scenarios (we are located in a data center in Chicago):

    1. AWS Network Load Balancer in US-EAST-1 listening on 443, forwarding traffic over port 8443 to an on-premises Nginx reverse proxy listening on 8443 (and 443). We have an AWS Direct Connect as well.

    From my understanding (and verifying using packet captures), traffic goes... client (azure) -> aws-us-east-1-nlb:443 -> internal-reverse-proxy:8443 -> upstream server. response is the same but in reverse

    2. Firewall in our Data Center with static NAT enabled for our internal reverse proxy server for port 443.

    traffic goes... client (azure) -> firewall NAT:443 -> internal-reverse-proxy:443 -> upstream server. response is the same but in reverse

    I am using https://github.com/apigee/apib as my http(s) benchmarking tool, and the command I am running is:

    apib -d 10 -c 50 -t application/json -H "Host: REDACTED" -H "Authorization: REDACTED" -x POST --csv-output --name "REDACTED" https://REDACTED 

    Every single time I test, it doesn't matter the location of the client I am testing from, AWS always seems to win, and I just cannot understand how or why.

    I used an Azure free-tier account to spin up an Ubuntu 18.04 server in US-SOUTH-CENTRAL location (Dallas, TX), and here were my results:

    Client Server Throughput Avg. Latency Threads Connections Duration Completed Successful Errors Sockets Min. latency Max. latency 50% Latency 90% Latency 98% Latency 99% Latency Latency Std Dev
    DallasTX FirewallDirect 166.039 594.611 2 100 30.029 4986 4986 0 100 174.797 921.127 592.297 692.909 794.512 855.213 85.196
    DallasTX FirewallDirect 185.297 533.783 2 100 30.022 5563 5563 0 100 192.812 997.528 512.197 672.711 779.978 808.828 101.795
    DallasTX FirewallDirect 203.451 487.400 2 100 30.027 6109 6109 0 100 173.641 1052.452 477.83 620.199 709.733 747.05 99.43
    DallasTX AWS-US-EAST-1-NLB 194.637 508.742 2 100 30.025 5844 5844 0 100 272.026 832.814 492.759 650.240 716.850 732.909 95.55
    DallasTX AWS-US-EAST-1-NLB 189.954 519.970 2 100 30.023 5703 5703 0 100 265.800 965.367 504.867 665.015 754.291 818.146 100.296
    DallasTX AWS-US-EAST-1-NLB 183.496 541.257 2 100 30.022 5509 5509 0 100 310.584 933.735 522.065 673.488 794.933 835.227 94.65

    Can someone help me understand if I am missing something when testing the above? I just do not see how AWS can have request/response latency that is, in some cases, better than making requests to our server directly through our firewall in Chicago when sourcing from a client in Dallas, TX. Is there something I am not understanding or failing to account for in this scenario? I know the firewall now has to process the NAT traffic but that should be fairly trivial and we have a pretty powerful firewall fronting our services.

    Traffic for using AWS would have to go.. 1. Dallas, TX -> 2. Northern Virginia -> 3. To Chicago -> 4. Over our Direct Connect -> 5. Get processed internally -> 6. Request gets sent out to AWS NLB and sent to client.

    Traffic for using NAT on our Firewall would go... 1. Dallas, TX -> 2. Chicago Firewall -> 3. NAT'd to internal proxy and processed -> 4. Sent back out to client

    The latency from Dallas to US-EAST-1 is about 29ms (taken from https://www.dotcom-tools.com/internet-backbone-latency.aspx) and the latency from Chicago to US-EAST-1 is about 42ms (taken from https://www.cloudping.info/, I am located in Chicago) giving a total latency of about 71ms in just travel time.

    The latency from Dallas to Chicago is close to 39ms (pinging from my VM in Azure to our firewall).

    Assuming time to process the data, I should see results where it is about 30-40 milliseconds quicker to use our Firewall directly for NAT instead of AWS in US-EAST-1 for a client located in Dallas.

    Additionally, even testing using Azure NORTH-CENTRAL, I get the exact same results as above: the latency is the same for using US-EAST-1 and just using our Firewall directly (for NAT). Ping between Azure NORTH-CENTRAL and our Firewall is just 2 milliseconds, so I would expect to see using our Firewall directly for NAT to be about 70 milliseconds quicker, but it's the same as AWS (average request time).

    Can anyone help point out if there is something I am missing or not taking into account when doing these tests? I just don't see how my testing is showing AWS to be comparable or better than hitting our Firewall directly for NAT.

    Thanks

    submitted by /u/magion

    Question about replacing a 2U Patch Panel with a 1U Patch Panel

    Posted: 19 Aug 2019 07:35 AM PDT

    I've been tasked with replacing a 2U Patch panel with a 1U Patch panel and can't find information on if I will have to do punchdowns on the backside or not.

    Is it as easy as unplugging cables, unscrewing the front of a patch panel, screwing in a new patch panel front, and then plugging cables back in?

    I feel like it's not, and that I will need to unwire every cable on the backside, then re-punch them down.

    Any insight on this would be very much appreciated!

    submitted by /u/Deose42

    Help deciding between a Cisco Meraki MX64W and a dedicated PfSense PC converted to router with multiple lan cards

    Posted: 19 Aug 2019 10:51 AM PDT

    Hello,

    I am wondering what offers better performance for 50 heavy users between the Cisco Meraki MX64W and a PfSense computer converted to router with multiple gigabit lan cards.

    We have a 200mbps dedicated connection from our ISP.

    We would like to have firewall security, access control, bandwidth monitoring and website and application access control.

    The vendor promises me that the Cisco Meraki is the way to go, but I have my doubts.

    Thanks for the advice!

    submitted by /u/CyB34R

    IP log for mobile phones

    Posted: 19 Aug 2019 05:22 AM PDT

    Hello, we have an issue in our company that allowed a virus to sneak up on our smartphones. Is there an app to log the ip addresses the phone pings to so that we can investigate this further? Thank you for the help already.

    submitted by /u/ruitenbreker

    Internet access across multiple VLAN's

    Posted: 19 Aug 2019 01:20 AM PDT

    Hi all,

    First of all I apologize if this kind of post is prohibited here however I believe that this may be the best place to find a solution to a problem I have.

    Network topology

    I have an existing internet gateway through which I need to allow multiple VLANs to gain access. The gateway is connected to a managed switch which has the interfaces for all my VLANs. The gateway providing the internet also has a DHCP service enabled. So I guess what I'm asking is how my VLAN on subnet 10.255.100.0 would gain internet access through the gateway 192.168.100.99? In the end I'd like all VLANs on my side to gain internet access.

    submitted by /u/Djehutii