    Tuesday, August 27, 2019

    Network health dashboard - any good tools for it? Networking


    Network health dashboard - any good tools for it?

    Posted: 27 Aug 2019 07:24 AM PDT

    Hello,

    I am being asked to create a dashboard that could relatively quickly identify whether there are any noticeable issues with the network. It could look something like this: https://i.paste.pics/00c549d150a718d5ea2b3b8a1dd0edbb.png

    The data would come from all kinds of different places (which is another huge problem, but it's a completely different conversation) and I will be collecting it with some kind of scripts, so the format and type of data received is 100% customizable.

    The current idea is that the data center icon would display the health status of physical gear in the DC, individual services (like VPN, Infoblox, etc.) would show the health of those services - i.e. whether I can get a DHCP address and resolve DNS or not, RTT and throughput would be figured out from NetFlow data, showing red/yellow/green depending on deviation from normal conditions, and external services like AWS or Office365 would be monitored by some other tools like ThousandEyes.

    So my question is - what would be the best tool to display all of this data in a format that's easy for non-technical people (read: managers) to understand? It doesn't have to look exactly like the mock-up I made, but I definitely don't want it to be any more complicated than that.

    We do have PowerBI, which I believe I can make show things with streaming data, but I am not sure if it will be flexible enough. I could write something of my own, but that would most likely be replicating somebody else's work. Any suggestions for tools/projects that could help me create this kind of dashboard?

    Thanks!

    submitted by /u/Gesha24

    Who hangs the plywood for the demarc?

    Posted: 27 Aug 2019 06:42 AM PDT

    In a commercial office building space, leased with an empty closet...

    As the business owner do I hang the plywood or does the carrier?

    submitted by /u/jjaAK3eG

    Firewall TAC Team - Cisco

    Posted: 27 Aug 2019 06:01 AM PDT

    Hi all,

    I am considering a role in Cisco TAC for the firewall team, and I wanted to ask if anyone has experience working there which they can share? It would be great to know about how it is working specifically in the Firewall team, with ASA/Firepower.

    Thanks very much!

    submitted by /u/sj141

    Learning curve for networking is strange nowadays...

    Posted: 27 Aug 2019 03:45 PM PDT

    I never liked it

    In college I had some basics of networking (DHCP, Gateway configuration, many terminal commands etc.), but as I was totally dev-oriented and the only thing I could ask for when hearing about routing tables was "Can I break them?", I kind of forgot everything.

    A long time ago I used Vagrant as a dev environment and it was just a one-click VM environment, so I had nothing to configure about networking - it just worked. At this stage I had already forgotten what the hell a gateway is. Notice that even if it's a one-click dumb thing (in dev usage), it still has the word "environment" about it.

    After that I touched some fancy stuff on AWS, on-premise instances etc., and everything in the network tabs was like "DON'T DARE TO TOUCH IT OR THE WORLD WILL BURN!!!" according to any web tutorial. Well, this worked for me, as I had less and less about networking in my head.

    My next meeting with a "HELLO I AM A NETWORK THINGY THAT YOU ARE AWARE OF" was when I first met Docker. I love Docker, but I thought I could ignore the network aspect of it as many things were done automatically. This was a half-way truth, but the entry level was quite low, so I could adapt to how it works and have some general understanding.

    It helped me a little to configure things like Docker-in-Docker Jenkins agents, which I really like, so I put more effort into learning about the whole concept.

    So then I picked configuring my own Kubernetes from scratch (yeah, like, who ever heard of GKE etc.). Most things were quite clear until I reached the section about picking a Network Driver. I didn't even touch shared storage, didn't know what etcd replicas are, and I gave up on Kubernetes as it quickly blew up in my face. Still don't know how to configure something called a gateway.

    https://i.imgflip.com/391g21.jpg

    I took a step back to smaller tools like Docker Swarm and it was a bit easier, but I noticed that this product is losing support (right now, as I type this, it's more of a rumour), so lately I started to use HashiCorp Nomad. I simply could not connect 2 VPSs to each other because they were not in a private network (this is what I think, though).

    Right now I am playing with configuring a public cloud on a provider similar to AWS, stacking some servers that are paid per hour and creating virtual private networks. It's another attempt at HashiCorp Nomad and all those High Availability thingies.

    Still do not understand the gateway.

    The point is that I still feel like I know nothing about raw networking, but I know that I am closer to creating some fancy things like automatic environment provisioning in a datacenter once somebody buys a service on a web page, which itself does not sound that bad, and I am aiming for that.

    Somehow this branch of networking (cloud, orchestration, containerization...) is becoming easier and easier to understand; the one cool part is when something new comes to the market like GKE, Kubernetes, or CoreOS bought by RedHat, it really means something.

    In typical developer life a new language is "Yeah, whatever." unless made by Google (hype) like Go, which will be overridden by Rust once Rust gets better at async operations and networking (because of architecture decisions Go cannot get better; Rust can, and will). Blah blah language wars mumbling...

    Am I learning all of this the wrong way, or is this normal?

    submitted by /u/Hell4Ge

    Need to add multiple ACLs to over 200 Nexus 3Ks but ACLs are duplicating.

    Posted: 27 Aug 2019 03:04 PM PDT

    Relatively new to the enterprise world, but I have a large DC full of devices that require mgmt, SSH, and SNMP ACLs, but the devices aren't consistent: some have a few of the ACLs and some don't. Management doesn't want duplicate ACLs and I don't want to manually go through each existing ACL to determine which I should add and which I shouldn't.

    Is there a command I can use to just add the ACLs so that if the device has it, it will ignore the line, and if it doesn't, it will add it? I feel like there should be an easy solution to this but can't seem to find one, thanks!

    Example of commands:

        ip access-list snmp-only
          permit udp 10.29.101.0/20 any eq snmp
          permit udp 10.213.92.0/21 any eq snmp
        ip access-list ssh-only
          permit tcp 10.39.112.0/20 any eq 22
          permit tcp 10.201.96.0/21 any eq 22
        ip access-list mgmt-only
          permit tcp 10.90.112.0/20 any eq 22
          permit tcp 10.191.96.0/21 any eq 22
          permit tcp 10.87.128.0/19 any eq 22

    Hardware:

        cisco Nexus 3132 Chassis ("32x40G Supervisor")
        Intel(R) Pentium(R) CPU @ 2.00GHz with 3793764 kB of memory.
        Reason: Disruptive upgrade
        System version: 6.0(2)U6(5c)

    submitted by /u/milzinga
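One way to get the "only add what is missing" behaviour the post asks for is to compute the diff off-box before pushing anything, so each device receives only the ACEs it lacks and any entry in a managed ACL that is not in the desired set gets reported as drift. This is an added example, not the poster's code; the running-config excerpt, the port alias table and the drift check are constructed for illustration, and the desired ACLs are the three from the post.

```python
import re
from typing import Dict, List, Tuple

# Port keywords folded to numbers so "eq ssh" and "eq 22" compare equal
# (assumption: a small alias table maintained by the script, not read from the device).
PORT_ALIASES = {"ssh": "22", "snmp": "161", "snmptrap": "162"}
RANGE_OPS = {"eq", "neq", "gt", "lt"}

# Desired state: the three management-plane ACLs from the post.
DESIRED: Dict[str, List[str]] = {
    "snmp-only": ["permit udp 10.29.101.0/20 any eq snmp",
                  "permit udp 10.213.92.0/21 any eq snmp"],
    "ssh-only": ["permit tcp 10.39.112.0/20 any eq 22",
                 "permit tcp 10.201.96.0/21 any eq 22"],
    "mgmt-only": ["permit tcp 10.90.112.0/20 any eq 22",
                  "permit tcp 10.191.96.0/21 any eq 22",
                  "permit tcp 10.87.128.0/19 any eq 22"],
}

# Constructed running-config excerpt (not from a real device): ssh-only is
# complete, snmp-only has one wanted entry plus an over-broad stray entry,
# mgmt-only is absent, and vty-limit is an unrelated ACL we do not manage.
SAMPLE_RUNNING_CONFIG = """\
ip access-list snmp-only
  10 permit udp 10.29.101.0/20 any eq snmp
  20 permit udp any any eq snmp
ip access-list ssh-only
  10 permit tcp 10.39.112.0/20 any eq ssh
  20 permit tcp 10.201.96.0/21 any eq 22
ip access-list vty-limit
  10 permit tcp 10.1.0.0/16 any eq 22
"""


def normalize(ace: str) -> str:
    """Canonical form of an ACE: drop a leading sequence number, collapse
    whitespace and fold port keywords, so textual variants compare equal."""
    tokens = ace.split()
    if tokens and tokens[0].isdigit():
        tokens = tokens[1:]
    for i in range(1, len(tokens)):
        if tokens[i - 1] in RANGE_OPS and tokens[i] in PORT_ALIASES:
            tokens[i] = PORT_ALIASES[tokens[i]]
    return " ".join(tokens)


def parse_running_config(text: str) -> Dict[str, List[str]]:
    """Return {acl_name: [normalized ACE, ...]} from 'ip access-list' blocks."""
    acls: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        header = re.match(r"^ip access-list (\S+)\s*$", line)
        tokens = line.split()
        if header:
            current = header.group(1)
            acls.setdefault(current, [])
        elif current and line.startswith(" ") and tokens and tokens[0].isdigit():
            acls[current].append(normalize(line))
        elif line and not line.startswith(" "):
            current = None  # any other top-level command ends the block
    return acls


def plan_changes(running: Dict[str, List[str]],
                 desired: Dict[str, List[str]]) -> Tuple[List[str], Dict[str, List[str]]]:
    """Commands that add only the missing ACEs (NX-OS assigns the next free
    sequence number), plus entries present in a managed ACL that the desired
    state does not list, which is the drift worth reviewing before pushing."""
    commands: List[str] = []
    stale: Dict[str, List[str]] = {}
    for name, aces in desired.items():
        present = running.get(name, [])
        wanted = {normalize(a): a for a in aces}  # normalized -> as typed
        missing = [orig for norm, orig in wanted.items() if norm not in present]
        if missing:
            commands.append(f"ip access-list {name}")
            commands.extend(f"  {a}" for a in missing)
        extra = [a for a in present if a not in wanted]
        if extra:
            stale[name] = extra
    return commands, stale


if __name__ == "__main__":
    cmds, drift = plan_changes(parse_running_config(SAMPLE_RUNNING_CONFIG), DESIRED)
    print("\n".join(cmds))
    for acl, entries in drift.items():
        print(f"! review: unexpected entries in {acl}: {entries}")
```

Feed it the live output of `show running-config aclmgr` per device and push only the returned command list; the drift dictionary is the list to eyeball before anything is applied.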

    Network Canary

    Posted: 27 Aug 2019 05:54 AM PDT

    Ok, so I don't know if this is the best sub for this, or the best name for this.

    What my problem is: I have an office with around 15-100 people using it at a time. We have a bunch of APs around, and a controller (all UniFi). Sometimes people tell me they're having problems with reception (like 2-3 people have complained, but nobody else has). Managing the network is what we (devops) do whenever something comes up, so there's no full-time network ops.

    What I want: some sort of dashboard that will show network health. I'm thinking some kind of Raspberry Pi device I can just put in the network, with a publicly available dashboard that will show network quality.

    I'd like to show basic stuff like DNS health, ping health to specific internal services, stuff like that.

    That way when somebody complains, I can just make sure they check the Canary and they know maybe it's them. I'm even willing to make the Pi battery powered, so they can move it around the office to check spots.

    Anybody do something like this?

    submitted by /u/4kidsinatrenchcoat

    Free Visio alternatives?

    Posted: 27 Aug 2019 12:41 PM PDT

    Hello! Does anybody know a free alternative to Visio? I'm in the process of homelabbing and need software to design my networks. All suggestions are appreciated!

    submitted by /u/leveluplew

    Cisco ACI concerns

    Posted: 27 Aug 2019 05:19 AM PDT

    I work at a typical place that got pitched ACI. One high up non technical manager started saying how much he loved it and the SDN buzzwords started trickling down to middle managers.

    They want to convert sites consisting of modern Catalyst switches to 9K/ACI. Each site is 100-250 IPs with < 12 VLANs each. Very few changes are ever made to L2/L3.

    They already bought the 9Ks and the APICs, which have been sitting idle for years. The Cisco sales pitch included phrases like "it's so cheap to add ACI, even if you don't use it it's worth it for the option."

    No one involved can state what exactly is so great about ACI, yet they claim it's great and "the future". Reading real-life deployments from non-Cisco employees has me thinking otherwise.

    I went through the on-site Cisco technical sales meeting and was unimpressed with the entire thing. As an example, Cisco TSEs deflected for 5 minutes on whether the switch firewall capabilities were stateful or stateless.

    None of my coworkers asked a critical question about the product.

    All VM and network engineers have no ACI experience and plan to roll it out to production in 3 months without the help of Cisco or anyone else. They are talking application-centric at the start.

    What can I do to make them see this is a horrible idea?

    submitted by /u/dudeholmes

    Throughput testing for auditing purpose?

    Posted: 27 Aug 2019 12:05 PM PDT

    Hello, I'm looking for a solution. I need to test the quality of an internet service through 1000 end points. This is for a private communications company. Basically we want to make sure folks paying for 150MB are receiving it and not being throttled; some have shared home phone and TV (basically like Comcast in the USA). I have experience with iPerf, but this is quite a bit different. Any and all info is appreciated.

    submitted by /u/wolfrollingstoned

    How to block spam calls from spoofed numbers?

    Posted: 27 Aug 2019 10:09 AM PDT

    There are a million clickbait articles out there, most geared to consumers, with useless content for enterprise-grade solutions. There are a few SIP filter solutions, but they omit anything about blocking calls from spoofed numbers. Is there any actual way to fix this?

    We have dual SIP trunks, 500 DIDs and 300ish user extensions. Our provider has virtually no options for call filtering besides a voice portal to manually block individual numbers and an abuse email address that can only do "something" if a certain threshold is hit, which it never is since the spoofed calls always source from different numbers. I have mainly a network background, not very strong in voice at all.

    A few incidents we have had:

    - A few sweeps of almost every one of our 500 consecutive DIDs hit with Asian spam calls, usually spoofed from NYC area codes, which makes them hard to block - especially being in the financial sector. Takes place over a short period of time like 10-20 minutes

    - Calls like the above but more sporadic

    - Calls sourcing from either our address range (we gotta fix this in our CUCM config) or similar numbers or other local-ish numbers

    - General spam calls from sales (both targeted and random) and scams (again both random and very specific socially engineered calls)

    I am mainly worried about the top two, as those are the ones I fear we have the least control over. Are there any solutions out there in any form (on-site, cloud, separate provider) that can deal with spoofed calls?

    submitted by /u/gnartersauce

    SRV Records in a HOSTS file

    Posted: 27 Aug 2019 10:16 AM PDT

    Not sure if this can be done. Does anyone have a format template to set up SRV records inside of a hosts file? I believe you can only do A records, but would love to find out I'm wrong. I'm trying to demo out a new CUCM cluster for Jabber clients, but I don't want to change the internal DNS records to swing over a test user.

    submitted by /u/Huth_S0lo

    BGP AS PATH Distance Graph from Full Tables

    Posted: 27 Aug 2019 05:49 AM PDT

    I thought you all might be interested in some data visualization I'm working on. The graph is inspired by the heatmap created by bgpdump2, although the implementation is completely rewritten in python instead of C. I grabbed a copy of one of the RouteViews dumps, parsed out the BGP announcements for NTT, then plotted the AS PATH distance of each /24 on a Hilbert Curve. My company wants to pick up a new transit provider and this code will be the base of one way to compare the different options.

    https://www.reddit.com/r/dataisbeautiful/comments/cvzmgv/oc_bgp_as_path_distance_to_every_24_via_as2914/

    submitted by /u/zimage

    Differences between a Network Engineer and Network Security Engineer?

    Posted: 27 Aug 2019 11:44 AM PDT

    Might be going through some org changes and I'm trying to determine if it's "worth" it to accept a new title.

    Would it be considered lateral to go from a Network Engineering position to a Network Security Engineer? How marketable or in-demand is a Network Security Engineer as opposed to an NE?

    Edit: I should add I just got into a Master's program for Information Security.

    submitted by /u/NewTypeDilemna

    Juniper NFX250 Installation

    Posted: 27 Aug 2019 07:21 AM PDT

    Hi Everyone,

    I received an NFX250S1 and did the first step by giving it a hostname and OOB IP on eth0. I want to move forward and configure it and deploy VMs on it, but I still don't know how. Juniper's document for NFX is almost 200 pages and it doesn't look straightforward. Does anyone know how to do this task the shortest way, or if there is a straightforward document online somewhere?

    Thanks

    submitted by /u/Hussam_Bay

    Help identifying this physical jack

    Posted: 27 Aug 2019 08:40 AM PDT

    I work IT for a county and we have these all over our courthouse; they all run back to a huge wall panel with the same connectors all arranged in rows. I was in that closet helping another department with something else so didn't have a chance to ask about them. I've seen them with RJ45 adapters connected to them at the end points. I had forgotten about them until I saw this one while out in a department store and snapped this picture. Always wondered what they were called. Both buildings were built in the 90s.

    https://i.imgur.com/nqvWLl0.jpg

    submitted by /u/GWXerxes

    How many routes can Nexus 9k hold?

    Posted: 27 Aug 2019 02:36 PM PDT

    This is more an issue of me just not understanding the Cisco datasheet terminology.

    I can't figure out how many IPv4 routes N9K can hold. This data sheet says it can hold 128k LPM routes or 16k max host mode routes, how do these translate to what I'd know as just normal IPv4 routes? Does it just mean 128k routes (so it can't hold full table for example)?

    N9K datasheet: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/scalability/guide/b_Cisco_Nexus_9000_Series_NX-OS_Verified_Scalability_Guide_612I21/b_Cisco_Nexus_9000_Series_NX-OS_Verified_Scalability_Guide_612I12_chapter_01.html

    submitted by /u/Accendil

    Cisco ASA toils, question about NAT and MAC addresses

    Posted: 27 Aug 2019 09:35 AM PDT

    I am hitting a brick firewall here guys, help me out! I am not that well versed with ASAs, but I am familiar with Cisco equipment. I understand the concept of inside/outside interfaces, I understand ACLs and direction, I (think) understand NAT. I think my understanding of BVIs is falling short though.

    I am in a situation where I am doing something a little out of whack that needs to be done this way. So, topology:

    • ASA5506, BVI 1 is an outside interface (lvl0), and it has two members - Gi1/1 and Gi1/2.
    • Gi1/1 has a "DMZ" function. A server sits on it, its gateway is a router connected to Gi1/2
    • ASA itself has an IP in the same subnet as the DMZ server and its gateway
    • Gi1/3 is an inside interface (lvl100), with a whole private subnet.

    Intent:

    Intercept traffic from the server on the DMZ, and if it is destined for a particular IP on the inside network, NAT it over to the inside network. All other traffic should continue on to the DG.

    I have set up identity NAT between specific host on the private net and the DMZ server. I have tried different variations of it - doing it as object NAT (from DMZ Server object and from Device-on-private-net object), and as Twice NAT. I even tried setting up Twice NAT from "both perspectives" at the same time, which probably is a bad thing if anything... I have access list on the Gi1/1 permitting ip and icmp any any. On BVI I started out with specific access lists, but devolved to permit ip and icmp any any as well for now.

    NATting appears to work. When I ping from the DMZ, with ICMP debugging set up, I see the ping from the outside interface (server IP) to the inside interface (host IP). BUT! The ping does not make it out of the inside interface to the host...

    Now, if I set the DG of the server on the DMZ to the ASA's IP, I see the same debug output but the ping makes it to the destination.

    In my understanding, the only thing that should change in the packet (or frame, rather), is the destination MAC when I switch gateways. I have tried identity NATting from Gi1/1 to Gi1/2 in order to leverage proxy-arp, and voila! same result as setting DG to ASA. Server's arp shows DG with ASA's MAC, and pings flow through just as when ASA was set as DG. Problem then becomes getting out to everything else of course.

    Question is how does L2 addressing affect ASA's operation? It appears that ASA does not allow traffic through if it was not destined to the ASA on Layer 2. Is there a way to get around this?

    I just want to reiterate that this setup is out of whack and that it is not supposed to be set up this way. That is my pain to deal with. I am not looking for a resolution of my problem but for an understanding of how L2 is involved in ASA processing decisions. I have failed to find info on this online, and neither INE nor Nuggets is accessible to me right now!!!

    Any help is greatly appreciated!

    PS. I can draw a quick diagram if it helps

    submitted by /u/Bagration

    TCP session teardown question - FIN and RST

    Posted: 27 Aug 2019 09:31 AM PDT

    On my network, there is a 3rd party router connected to our firewall for a specific application. The vendor connects to a server on our network via this connection.

    My server: 172.16.0.2 (NATed to 10.0.0.3)

    3rd party router - 10.0.0.1

    My ASA 5515 logs are filled with messages such as below:

    6|Aug 26 2019|13:54:50|302013|10.0.0.1|15585|172.16.0.2|3000|Built inbound TCP connection 93985294 for DMZ:10.0.0.1/15585 (10.0.0.1/15585) to inside:172.16.0.2/3000 (10.0.0.3/3000)

    6|Aug 26 2019|13:54:50|302014|10.0.0.1|15585|172.16.0.2|3000|Teardown TCP connection 93985294 for DMZ:10.0.0.1/15585 to inside:172.16.0.2/3000 duration 0:00:00 bytes 2768 TCP FINs from inside

    6|Aug 26 2019|13:54:50|106015|10.0.0.1|15585|10.0.0.3|3000|Deny TCP (no connection) from 10.0.0.1/15585 to 10.0.0.3/3000 flags RST ACK on interface DMZ

    My ASA pcap shows that my server is indeed completing the 3 way TCP handshake. Next, 3rd party router sends PSH, ACK, my server sends ACK, next my server sends PSH, ACK. Now my server sends FIN, PSH, ACK, 3rd party responds with FIN, ACK.

    Next is what I don't understand, my company server then sends another PSH, ACK, as does the 3rd party router. Lastly, the 3rd party router sends a TCP RST for the PSH, ACK my server just sent before that. Why do I see PSH, ACK after seeing a FIN from both sides?

    There are no reported issues with the server or the connection to the 3rd party so at this point, as far as we know, the logs are merely a nuisance but since it happens constantly, it fills up our logs.

    Is this simply a misbehaving application?

    submitted by /u/shortstop20
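The three log lines above tell one story: 302014 with "TCP FINs" means the ASA removed the connection after an orderly close, so the RST that arrives afterwards has no conn-table entry and is logged as 106015 "no connection". The same 106015 message without a preceding connection is the case worth looking at. As an added example (not the poster's code), a small Python correlator over the pipe-delimited ASA export that separates the two; it resolves the NAT-mapped address from the 302013 text, and the 5-second window and the 198.51.100.7 line (documentation address) are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Endpoint = Tuple[str, int]

# Constructed sample: the three lines from the post plus one made-up deny from
# a host that never built a connection through the firewall.
SAMPLE_LOGS = [
    "6|Aug 26 2019|13:54:50|302013|10.0.0.1|15585|172.16.0.2|3000|Built inbound TCP connection 93985294 for DMZ:10.0.0.1/15585 (10.0.0.1/15585) to inside:172.16.0.2/3000 (10.0.0.3/3000)",
    "6|Aug 26 2019|13:54:50|302014|10.0.0.1|15585|172.16.0.2|3000|Teardown TCP connection 93985294 for DMZ:10.0.0.1/15585 to inside:172.16.0.2/3000 duration 0:00:00 bytes 2768 TCP FINs from inside",
    "6|Aug 26 2019|13:54:50|106015|10.0.0.1|15585|10.0.0.3|3000|Deny TCP (no connection) from 10.0.0.1/15585 to 10.0.0.3/3000 flags RST ACK on interface DMZ",
    "6|Aug 26 2019|13:55:10|106015|198.51.100.7|44012|10.0.0.3|3000|Deny TCP (no connection) from 198.51.100.7/44012 to 10.0.0.3/3000 flags RST ACK on interface DMZ",
]

# In the "Built" text the parenthesised address after the destination is the
# NAT-mapped one (10.0.0.3 here); 106015 denies are logged with that address.
MAPPED_RE = re.compile(r"to \w+:(\S+)/(\d+) \((\S+)/(\d+)\)")


@dataclass
class AsaEvent:
    ts: datetime
    msg_id: str
    src: Endpoint
    dst: Endpoint
    text: str


def parse_asa_line(line: str) -> AsaEvent:
    """Split the export format used above: sev|date|time|id|sip|sport|dip|dport|text."""
    _sev, date, clock, msg_id, sip, sport, dip, dport, text = line.split("|", 8)
    ts = datetime.strptime(f"{date} {clock}", "%b %d %Y %H:%M:%S")
    return AsaEvent(ts, msg_id, (sip, int(sport)), (dip, int(dport)), text)


def classify_denies(lines: List[str],
                    window: timedelta = timedelta(seconds=5)) -> List[Dict[str, str]]:
    """Label each 106015 deny: a RST arriving within `window` of a FIN teardown of
    the same flow is the benign straggler the post describes; anything else has
    no known connection behind it and deserves a look. The window is an assumption."""
    mapped_to_real: Dict[Endpoint, Endpoint] = {}
    closed: Dict[Tuple[Endpoint, Endpoint], AsaEvent] = {}
    findings: List[Dict[str, str]] = []
    for ev in map(parse_asa_line, lines):
        if ev.msg_id == "302013":
            m = MAPPED_RE.search(ev.text)
            if m:
                real = (m.group(1), int(m.group(2)))
                mapped = (m.group(3), int(m.group(4)))
                mapped_to_real[mapped] = real
        elif ev.msg_id == "302014":
            closed[(ev.src, ev.dst)] = ev  # dst here is the real (inside) address
        elif ev.msg_id == "106015":
            real_dst = mapped_to_real.get(ev.dst, ev.dst)
            prior = closed.get((ev.src, real_dst))
            orderly = (prior is not None and "FIN" in prior.text
                       and timedelta(0) <= ev.ts - prior.ts <= window)
            verdict = "benign-late-rst" if orderly and "RST" in ev.text else "investigate"
            findings.append({"src": f"{ev.src[0]}/{ev.src[1]}",
                             "dst": f"{ev.dst[0]}/{ev.dst[1]}",
                             "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in classify_denies(SAMPLE_LOGS):
        print(f"{f['src']:>22} -> {f['dst']:<16} {f['verdict']}")
```

Run it over a day of exported syslog to see whether every 106015 from the vendor router pairs with a FIN teardown; if it does, the noise is the application's late RST and a log filter on that message pair is reasonable, and any unpaired deny stands out on its own.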

    HP 2910al ipv6 setup - traffic not allocated to vlan, needs allow rule in second vlan

    Posted: 27 Aug 2019 01:07 PM PDT

    Is someone able to point me in a direction of where to look next for a solution, or to check whether everything is alright?

    I just replaced an HP 1920 switch with a 2910al ProCurve and I am setting up IPv6 for two VLANs. IPv6 for my main VLAN is only working if I allow the traffic out of the 2nd VLAN.

    Router: pfSense, two LAN interfaces configured with IPv6; home and guest interfaces have distinct IP addresses.

    Switch: 2910al, two VLANs configured. IPv6 is enabled in DHCP mode/autoconfigure. The interfaces each have an IP in their respective VLAN. The gateway of the home VLAN is pointing to fe80::vlan.home(id), guest is pointing at guest(id). "show route" on the switch is indicating the correct IPv6 segments for each VLAN.

    Clients on VLAN guest have instant IPv6 access.

    Clients on VLAN Home seem to get preliminary IPv6 addresses, yet are unable to get traffic out of the WAN and cannot ping other IPv6 devices.

    Once I put a firewall rule into the guest LAN, allowing IPv6 traffic from source Home to anywhere, all IPv6 clients in Home have access to IPv6-enabled sites. I can then disable the rule and already connected clients from the home VLAN retain their connections. If I reboot a client, the rule has to be disabled again.

    What am I missing here? I did not expect such a rule would be required, especially since the guest VLAN just works. Before I updated the switch to the most current firmware, it showed fe80::vlan(guest) as default gateway for IPv6. The setting was not user manageable, and not separate for each VLAN. In the updated firmware, the entry is showing "blank" without an option to set it. In the CLI I could not find a suitable option to change it, neither does the IPv6 configuration guide mention any setting in this regard. I already deleted the guest VLAN, yet the issue remained even after rebooting the switch without the guest VLAN.

    traceroute6 actually goes out of the correct home interface on pfSense.

    submitted by /u/DUSAG0211

    PoE on a Lan Lite switch

    Posted: 27 Aug 2019 12:59 PM PDT

    This may be a dumb question, but I'm having trouble parsing the incomprehensible gibberish of Cisco's data sheets.

    I just need an 8 port switch that does PoE and has two SFP ports. It literally doesn't need any other features other than being configurable on the CLI and not the Web Interface. The 8 port 2960L (WS-C2960L-8PS-LL) seems good...but it only comes in Lan Lite. The data sheets all say it does 67 watts of PoE...but Lan Lite says it doesn't support PoE.

    Does this mean the switch has PoE, but I just can't configure it or turn it off? Because that would be fine. As long as it powers the phone. I could get the 2960-C, but it looks like it costs a lot more. If I can get away with saving some cash, I'd prefer to.

    submitted by /u/JMFR

    HA/LB Question

    Posted: 27 Aug 2019 12:34 PM PDT

    Cradlepoint MBR1000 and Verizon USB620L

    Posted: 27 Aug 2019 12:20 PM PDT

    I'm hoping I have the right forum for this. I'm trying to get this router to connect with this Verizon MiFi card, but the router is not detecting it when it is plugged into either USB port; power is supplied but it does not connect to WAN or show in settings. The MiFi card works fine plugged into a laptop. I know this is an older unit, but are these just not compatible? I upgraded the firmware to the final version 2.0, and now the unit keeps resetting itself when the card is plugged in. Does anyone have experience with these units? Thanks!

    submitted by /u/Onilakon

    MPLS to ASA Fragmentation - MTU issue and where to place the blame

    Posted: 27 Aug 2019 08:13 AM PDT

    We have a client that manages their own MPLS network with many sites, one of which terminates at a Cisco router in our data center (owned/managed by the client). From there it connects to our ASA and then into a server environment. A few weeks ago we started receiving ICMP packets from one of their routers with message text "Dest Unreach - Fragmentation Needed". They have stated that their MTU is set to 1400 all the way through; this interface on our ASA is (and always has been) configured to 1500 for MTU. The router that is sending the ICMP to us is the one at their site, not the LSR or LER. My assumption is that if we are receiving the fragmentation request at our edge then the issue has to be with the LSR or LER... is that correct, or could we be missing something in our infrastructure?

    submitted by /u/operationnos

    Can we make UptimeTuesday a thing? lol show me your longest running...

    Posted: 27 Aug 2019 11:28 AM PDT

    AAS-SA-PtP uptime is 6 years, 6 weeks, 1 day, 37 minutes

    Last clearing of "show interface" counters 3y50w

    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 33

    24602963 packets input, 1894653516 bytes, 0 no buffer

    Received 14575026 broadcasts, 1 runts, 58 giants, 0 throttles

    967797 input errors, 967797 CRC, 413483 frame, 233710 overrun, 0 ignored, 694616 abort

    EDIT: I just realized I gave zero context to the interface counters. Those are the counters for the CSU/DSU that our P-t-P for this location terminates into.

    submitted by /u/teechevy703
