    Wednesday, August 7, 2019

    Rant Wednesday! Networking


    Rant Wednesday!

    Posted: 06 Aug 2019 05:04 PM PDT

    It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

    There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

    submitted by /u/AutoModerator
    [link] [comments]

    Risks in upgrading Cisco 2960S/2960X stack members individually?

    Posted: 07 Aug 2019 11:10 AM PDT

    Hey all!

    We've got a few Cisco switch stacks in one of our production environments and I'm looking to upgrade the IOS to the current gold star version. The only thing is, we don't want to have to reload the entire stack at once, but rather, upgrade them individually.

    Info about the environment setup:

    • Two switches per stack
    • Cisco 2960X and 2960s Models (not mixed)

    I've created a test environment consisting of two 2960S switches stacked together. I'm upgrading from IOS 15.2(2)E6 to 15.2(2)E9 (Stack Protocol Version 1.56).

    I've successfully upgraded IOS on switch 2 with the following command, issued from the master:

    Switch# archive download-sw /safe /reload /destination-system 2 http://10.0.0.1/cisco/c2960s-universalk9-tar.152-2.E9.tar 

    This was successful and switch 2 booted up and joined the stack using the new IOS. We did the same command for switch 1 and when it went to reload, the master failed over to switch 2 automatically (which preserved any connections on switch 2 as was desired).

    I am aware that the only reason this was successful was because the Stack Protocol Version is the same between both IOS releases.

    Here's the issue...

    I can't find this procedure documented anywhere. And while it worked on the 2960S in my test environment, I'm hesitant to apply the procedure to the production 2960X stacks. When looking at the official chapters on managing switch stacks for both the 2960S and 2960X, it doesn't mention upgrading this way. It doesn't explicitly go over a procedure for upgrading a stack at all. Though, a lot can be inferred from the examples it does show.

    There is however a whitepaper called "Cisco Catalyst 2960-S FlexStack: Description, Usage, and Best Practices" that does talk about upgrading IOS on the stack. And while it doesn't explicitly outline a procedure to upgrade each stack member individually, it seems to imply you can.

    From page 14 of the white paper:

    The default behavior is to upgrade all members.

    The options for the 'archive download-sw' command allow for detailed control of the upgrade. Use the options to update only a single member instead of the entire stack or to reload the stack after the upgrade is successful instead of having the reboot be an extra step for the network admin.

    So does the lack of documentation mean that this is an unsupported way of upgrading a stack? I'm curious if anybody else has tried to do this before.

    I don't think upgrading IOS in this manner could result in bricking the switches.

    Thoughts??

    -J

    submitted by /u/jayhauss
    [link] [comments]

    Equinix Colocation in Ashburn, VA DC4

    Posted: 07 Aug 2019 01:07 PM PDT

    Does anyone have any gotchas you could recommend we look out for on a full rack colocated in Equinix out of Ashburn, VA DC4? Looks like we'll get a full 42U that is 19" wide and 36" deep and 45U tall (45U rack, top 3 RU reserved for Equinix) with primary and secondary 208V, 30A, single-phase power (we will provide PDUs). We plan to use this rack to tap into their ECX (Equinix Exchange).

    submitted by /u/01Arjuna
    [link] [comments]

    Cumulus VRR too good to be true?

    Posted: 07 Aug 2019 08:51 AM PDT

    TL;DR: Cumulus Linux's VRR just seems so simple and easy? What am I missing? Why don't all networks work like this? Why bother with VRRP/HSRP/GLBP? What are its gotchas or limitations?

    From my reading, instead of a protocol with dead timers, a master, etc., like VRRP or HSRP, VRR works on the anycast principle like this:

    • Both switches respond to every ARP request with an identical response
    • The host accepts either the first or second response (doesn't matter since they are identical)
    • The host (or downstream switch) sends traffic to either gateway depending on the L2 network (MLAG hashing, STP, etc.)
    • Whichever switch receives the traffic first accepts it and routes it on

    My environment: I just got 2 new EdgeCore switches + Cumulus Linux, and am installing them as the core switches for my manufacturing campus and datacenter. I'm planning to do MLAG to each server (12 servers), MLAG to our Checkpoint firewall cluster, and MLAG to several of the IDF switches. Some other IDF switches will just have single uplinks for now.

    The Cumulus switches will terminate L3 for all server and LAN VLANs and will route traffic onward to the firewalls (I'm using VRF-Lite for segmentation). Any issues with using VRR like this? Being a manufacturing plant we do have random flaky devices out there and it makes me wonder whether we'll have issues with devices choking on 2 ARP replies?

    submitted by /u/packet_nerd
    [link] [comments]
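    An added example (not the poster's configuration) of what the anycast gateway described in the post above looks like in Cumulus Linux's /etc/network/interfaces. VLAN 100, the 10.0.100.0/24 subnet and the virtual MAC are assumed; the virtual MAC is taken from the IANA VRRP range, as Cumulus's own examples do. Both MLAG peers carry the identical address-virtual line, which is what makes both of them answer ARP for 10.0.100.1 with the same MAC, while each keeps a unique real address for management and routing-protocol peering:

```text
# MLAG peer 1; peer 2 is identical except that its real address is 10.0.100.3/24
auto vlan100
iface vlan100
    address 10.0.100.2/24
    address-virtual 00:00:5e:00:01:01 10.0.100.1/24
    vlan-id 100
    vlan-raw-device bridge
```

    Apply with ifreload -a. The check worth running on a flaky device afterwards is an ARP table lookup for 10.0.100.1 from that device: it should show the virtual MAC, never one of the peers' hardware MACs, regardless of which peer answered first.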

    Weird port security violation

    Posted: 07 Aug 2019 09:22 AM PDT

    I had an offline printer this morning due to port security violation.

    The weird thing is, the device that violated it is indicated by MAC address to be one of our VOIP phones. The phone in question however is located at a different site several miles away on different switches and as far as I can tell from the logs has not been disconnected recently.

    This leaves me with a few possibilities.

    1. Someone noted the MAC address of the phone and attempted to spoof the MAC in order to try and gain network access.
    2. The printer frequently goes offline due to a not so great network cable/connector, so possibly it randomly threw this MAC address at the port that just happened to be the MAC of one of our VOIP phones?!??! That seems unlikely...
    3. Someone tried to plug in some device and just randomly happened to guess the MAC address of one of our VOIP phones?
    4. Some other bizarre occurrence where the MAC address of that phone reflected, crossed a VLAN into the port of another switch entirely?!?! Maybe some sort of Schroedinger's VOIP phone?!?!

    In my experience the only thing I've ever come across that was weird with regards to port security was a Black Box DSL device that constantly spit out a new mac address every few hours or so.

    Anyone have any ideas of how this could not be possibility #1?

    submitted by /u/LoHungTheSilent
    [link] [comments]
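    A way to triage a violation like the one in the post above, added here as an example (not the poster's tooling, and not a Cisco feature): parse the PSECURE_VIOLATION syslog, normalize the MAC, look it up in an inventory of where that device is supposed to live, and check the home switch's MAC address table taken at the time of the alert. A MAC that is still live on its home switch at the same moment it hits a port miles away cannot be the same physical device, which is the quickest way to separate a cloned or spoofed MAC from a phone that was simply carried to another site. All hostnames, MACs, inventory entries and log lines below are constructed for illustration.

```python
"""Triage of Cisco port-security violation syslog against a MAC inventory
and a live MAC-table snapshot.  Added example; every hostname, MAC and log
line here is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# IOS syslog line: "<mon> <day> <hh:mm:ss> <hostname> ... %PORT_SECURITY-2-PSECURE_VIOLATION: ..."
VIOLATION_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) .*?"
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9A-Fa-f.:-]+) on port (?P<port>[\w/]+)"
)

def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form for Cisco dotted, dashed or colon MACs."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

@dataclass
class Violation:
    ts: str
    switch: str
    port: str
    mac: str

@dataclass
class Finding:
    violation: Violation
    verdict: str
    detail: str

def parse_violations(syslog: str) -> List[Violation]:
    out = []
    for line in syslog.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            out.append(Violation(m["ts"], m["host"], m["port"], normalize_mac(m["mac"])))
    return out

def parse_mac_table(text: str) -> Set[str]:
    """MACs present in 'show mac address-table' output (DYNAMIC or STATIC rows)."""
    macs = set()
    for line in text.splitlines():
        t = line.split()
        if len(t) == 4 and t[2] in ("DYNAMIC", "STATIC"):
            macs.add(normalize_mac(t[1]))
    return macs

def assess(v: Violation, inventory: Dict[str, dict], live_by_switch: Dict[str, Set[str]]) -> Finding:
    """inventory: normalized MAC -> where that device is expected to be.
    live_by_switch: switch name -> MACs in its MAC table when the alert fired."""
    known = inventory.get(v.mac)
    if known is None:
        return Finding(v, "unknown-mac", "MAC not in inventory; treat as an unauthorized device until identified")
    if known["switch"] == v.switch:
        return Finding(v, "known-device-moved-port",
                       f"inventoried on {known['switch']} {known['port']}, now on {v.port}")
    if v.mac in live_by_switch.get(known["switch"], set()):
        return Finding(v, "duplicate-mac-live-elsewhere",
                       f"{known['kind']} still active on {known['switch']} {known['port']} while the same "
                       f"MAC hit {v.switch} {v.port}; likely a spoofed or cloned MAC")
    return Finding(v, "known-device-other-switch",
                   f"{known['kind']} from {known['switch']} {known['port']} seen on {v.switch} {v.port}; "
                   "verify whether it was physically moved")

# Constructed sample data: a phone inventoried at site B, a printer at site A.
INVENTORY = {
    "0c:d9:96:04:1a:2b": {"kind": "VoIP phone", "site": "site-b", "switch": "sw-site-b-idf1", "port": "Gi2/0/7"},
    "00:1b:78:aa:bb:cc": {"kind": "printer", "site": "site-a", "switch": "sw-site-a-idf2", "port": "Gi1/0/12"},
}

SYSLOG = """\
Aug  7 08:41:02 sw-site-a-idf2 1187: Aug  7 08:41:02.117: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0cd9.9604.1a2b on port GigabitEthernet1/0/12.
Aug  7 08:41:02 sw-site-a-idf2 1188: Aug  7 08:41:02.121: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/12, putting Gi1/0/12 in err-disable state
Aug  7 09:15:44 sw-site-a-idf3 2041: Aug  7 09:15:44.009: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 3c5a.b4de.ad01 on port GigabitEthernet1/0/3.
"""

# Constructed snapshot taken on the phone's home switch right after the alert.
SITE_B_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 120    0cd9.9604.1a2b    DYNAMIC     Gi2/0/7
"""

def triage(syslog=SYSLOG, inventory=INVENTORY, tables=None) -> List[Finding]:
    tables = tables if tables is not None else {"sw-site-b-idf1": SITE_B_MAC_TABLE}
    live = {sw: parse_mac_table(txt) for sw, txt in tables.items()}
    return [assess(v, inventory, live) for v in parse_violations(syslog)]

if __name__ == "__main__":
    for f in triage():
        print(f"{f.violation.ts} {f.violation.switch} {f.violation.port} {f.violation.mac}: {f.verdict} ({f.detail})")
```

    On the constructed data the phone's MAC is flagged duplicate-mac-live-elsewhere because it is in site B's table at the time it trips port security at site A; the second violation is an unknown MAC. The snapshot is the part that needs to be collected promptly, since a dynamic MAC-table entry ages out and the evidence with it.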

    Help me understand Cisco prime infrastructure and DNA center

    Posted: 07 Aug 2019 10:10 AM PDT

    Is there a difference between both products? DNA is the replacement for prime?

    We have 5 offices with a mix of c9200's in new, and 3750's in old. Add to that a couple of c9300 stacks, and some 4500-x's in data centers.

    We then have 20ish access points with 2 WLCs in data centres.

    Do I have a use case for either of these products? Does DNA center support the older devices, does prime even support the newer catalysts?

    For pricing, I think I've worked it out at $100 for base prime license then you either buy single device license for around $60 or buy a bundle.

    For DNA center I can't really work it out....

    submitted by /u/LittleWanger
    [link] [comments]

    Blocking an IP on a Cisco WS-C6509-E

    Posted: 07 Aug 2019 07:18 AM PDT

    Good Morning! My company is probably close to death. We no longer have a network admin, so I apologize if this is a stupid question... I know crap about networking, but this has fallen on my lap.

    Our main router is an ancient Cisco WS-C6509-E running IOS 12.2.

    When I run show ip flow top-talkers, I see:

    Displaying Software Switched Top Talkers on MSFC
    SrcIf   SrcIPaddress    DstIf   DstIPaddress     Pr SrcP DstP Pkts
    Gi1/1   54.111.256.34   Local   69.254.254.169   01 0000 0800 7272K
    Gi1/1   43.140.0.13     Null    109.122.254.161  11 CFF1 0035 128K
    Gi1/1   155.106.1.173   Null    109.122.254.162  11 68E7 0035 99K
    Gi1/1   70.26.24.23     Null    109.122.254.161  11 49F0 0035 92K

    The IP 54.111.256.34 seems to be hitting us with a shit-ton of traffic. 69.254.254.169 is our internet IP on Gi1/1. We have an extended ACL with the line deny ip 54.111.256.0 0.0.0.255 any, however the traffic is aimed at our public IP/interface so I don't think it's going thru the ACL.

    Is this correct? Is there a way to block this IP on this antique hardware?

    Thank you!

    Edit:

    This is how the ACL 69 is applied:

    interface GigabitEthernet1/1
     ip address 69.254.254.169 255.255.255.252
     ip access-group 69 in
     no ip redirects
     no ip proxy-arp
     ip nat outside
     ip flow ingress
     ip flow egress
     load-interval 30
     speed 1000
     duplex full
    !

    and this is the relevant chunk of the ACL.

    Extended IP access list 69
        10 permit tcp any host 109.122.254.60 eq 22
        ...a bunch of denies.
        90 permit tcp any host 109.122.254.161 eq domain (31189 matches)
        91 permit tcp any host 109.122.254.162 eq domain (39046 matches)
        131 deny ip 54.111.256.0 0.0.0.255 any

    All IPs are obfuscated...

    submitted by /u/soiled_knickers
    [link] [comments]
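    Two facts decide the question in the post above. On IOS an inbound access-group is evaluated for every packet received on that interface, both transit traffic and traffic addressed to the router's own interface address (the flows NetFlow reports with DstIf Local), and an ACL is processed top to bottom with the first matching entry deciding the packet, ending in an implicit deny ip any any. The example below, added here and not part of the post, re-creates that first-match evaluation over the same two artifacts the poster has: the ACL listing and the top-talkers rows. The posted addresses are obfuscated (an octet of 256 is not a valid IPv4 value), so the ACL and flows are constructed with RFC 5737 documentation ranges; 203.0.113.0/24 stands in for the noisy source and 198.51.100.1 for the router's public interface.

```python
"""First-match evaluation of a Cisco IOS extended ACL against NetFlow
top-talker rows.  Added example; the ACL and flow records are constructed
and use RFC 5737 documentation addresses, not the post's obfuscated ones."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_BY_NAME = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}
PORT_BY_NAME = {"ssh": 22, "domain": 53, "www": 80, "bgp": 179}

@dataclass
class Ace:
    seq: int
    action: str                        # "permit" or "deny"
    proto: Optional[int]               # None: any IP protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]               # None: any destination port

@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int
    sport: int
    dport: int                         # for ICMP, NetFlow stores type/code here
    dst_if: str                        # "Local" means addressed to the router itself

def _prefix(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A' | 'A wildcard' (IOS inverse mask) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)   # contiguous wildcards only
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2

def parse_acl(text: str) -> List[Ace]:
    """Rows of 'show access-lists'; the '(N matches)' tail is ignored."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[1] not in ("permit", "deny"):
            continue                                   # title line or remark
        src, i = _prefix(t, 3)
        dst, i = _prefix(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = int(t[i + 1]) if t[i + 1].isdigit() else PORT_BY_NAME[t[i + 1]]
        aces.append(Ace(int(t[0]), t[1], PROTO_BY_NAME[t[2]], src, dst, dport))
    return aces

def parse_top_talkers(text: str) -> List[Flow]:
    """Rows of 'show ip flow top-talkers'; Pr, SrcP and DstP are printed in hex."""
    flows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) != 8:
            continue
        try:
            src, dst = ipaddress.IPv4Address(t[1]), ipaddress.IPv4Address(t[3])
        except ValueError:
            continue                                   # header row
        flows.append(Flow(src, dst, int(t[4], 16), int(t[5], 16), int(t[6], 16), t[2]))
    return flows

def evaluate(aces: List[Ace], f: Flow) -> Tuple[str, Optional[int]]:
    """IOS semantics: the first matching entry wins; no match means the
    implicit 'deny ip any any', reported here with sequence None."""
    for a in aces:
        if a.proto is not None and a.proto != f.proto:
            continue
        if f.src not in a.src or f.dst not in a.dst:
            continue
        if a.dport is not None and a.dport != f.dport:
            continue
        return a.action, a.seq
    return "deny", None

# Constructed listing mirroring the shape of the posted ACL.
ACL_69 = """\
Extended IP access list 69
    10 permit tcp any host 192.0.2.60 eq 22
    90 permit tcp any host 192.0.2.161 eq domain (31189 matches)
    91 permit tcp any host 192.0.2.162 eq domain (39046 matches)
    131 deny ip 203.0.113.0 0.0.0.255 any
"""

# Constructed top-talkers rows: an ICMP echo flood at the router, UDP DNS, and SSH.
TOP_TALKERS = """\
SrcIf  SrcIPaddress   DstIf  DstIPaddress  Pr SrcP DstP Pkts
Gi1/1  203.0.113.34   Local  198.51.100.1  01 0000 0800 7272K
Gi1/1  198.51.100.13  Null   192.0.2.161   11 CFF1 0035 128K
Gi1/1  198.51.100.77  Local  192.0.2.60    06 C001 0016 12K
"""

def verdicts(acl_text: str = ACL_69, flows_text: str = TOP_TALKERS):
    """(src, dst, proto, dport, action, matching sequence) per flow row."""
    aces = parse_acl(acl_text)
    return [(str(f.src), str(f.dst), f.proto, f.dport) + evaluate(aces, f)
            for f in parse_top_talkers(flows_text)]

if __name__ == "__main__":
    for row in verdicts():
        print(row)
```

    The ICMP flow (protocol 01, DstP 0800 is echo request) skips the tcp-only lines and lands on line 131, so a deny with that source range placed anywhere above a permit that would otherwise match it does block the flood, including packets aimed at the interface address. The UDP DNS row shows the other side of first-match: the "eq domain" lines permit only TCP, so UDP/53 falls through to the implicit deny. Whether a denied packet still shows up in NetFlow top-talkers depends on the platform and is not something this script can tell you; the authoritative counter is the match count on the deny line in show access-lists.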

    Mbps vs MBps

    Posted: 06 Aug 2019 06:20 PM PDT

    Today at work there was an argument about why bandwidth was measured in bits and not bytes. I suggested that it was measured in bits because each electrical signal sent over a cable is either a 1 or a 0, hence being measured in bits. My coworker suggested that it's a clever marketing scheme to make data rates seem faster. What are your opinions on this?

    submitted by /u/VexxNetworks
    [link] [comments]

    Can't ping static IP from core

    Posted: 07 Aug 2019 08:18 AM PDT

    I have a Juniper EX4600 for our core. I have had issues where I can't ping a static IP from the core but I can from the switches on the subnet. This has happened with more than 1 device at more than 1 location. I can ping the IP from any client machine on the subnet but not from any other subnet. The netmask has always been correct when looking into it. If I put the device on DHCP it pings fine. If I move it back to static it will ping fine for a few days maybe. Then it will stop responding to ping from any other subnet or the core. Do you have any ideas what the problem might be?

    submitted by /u/JasonG81
    [link] [comments]

    Measuring packet loss roaming between access points

    Posted: 07 Aug 2019 09:30 AM PDT

    Is there some kind of a speed test I can run for like 5 minutes while I walk around to measure packet loss and download speed? I'm trying to

    submitted by /u/im_not_an_NSA_agent
    [link] [comments]

    Networking education for industrial controls

    Posted: 07 Aug 2019 01:13 PM PDT

    I work in instrumentation, automation, and industrial electricity. Most of what I do is the installation of measuring instruments and creating or editing ladder logic. All of our logic controllers are run over an Ethernet network or subnetwork depending on their tasks. I've been spoken to about my company potentially integrating our process control and information technology departments. My networking knowledge is very limited in the scheme of things. The only experience I have is dealing with our limited PLC networks.

    I'm interested in going back to school to learn more about networking but I'm unsure as to what's the best way to go. Is another associate's degree worth pursuing or are there certification classes that could catch me up to speed on networking?

    I apologise if this post isn't allowed. I read that early career advice isn't allowed but my career isn't in networking and it's more supplemental than anything. Also, sorry if there is more information you need from me to answer my questions.

    submitted by /u/Thattaruyada
    [link] [comments]

    iperf slower than Internet on WLAN and I've ruled everything out

    Posted: 07 Aug 2019 09:03 AM PDT

    I just installed 4 Ubiquiti AC Pro APs in a business; so far so good. The only problem is that iperf tests over Wi-Fi are uniquely slow: slower than an Internet speed test on the same hardware setup. I was hoping someone with fresh eyes or more experience can see something I missed.

    Background:

    The network is a single /24 network that spans 3 buildings, with a single 1Gb fiber between each building. Fiber terminates into SFP port on the L3 switch in each building. There are no traffic shaping rules except for IGMP and multicast suppression enabled on the switches. The network is for 30 users, and activity is mainly Web, printing, VoIP, and Filemaker database. The fiber is installed between the 3 buildings as:

    [Admin]------[Manufacturing]------[Sales office]

    The internet router is in the Admin IDF, and production/VoIP servers are in the Sales office IDF.

    Test setup:

    -iperf server running on my ThinkPad, 1 Gb ethernet into the switch in the Sales office IDF. (All tests)

    -iperf client running on my IdeaPad laptop

    Tests:

    1. Google speed test over LAN to my laptop in all 3 buildings is as high as 150 Mbps (Expected)

    2. Google speed test over Wi-Fi to my laptop and iPhone in all 3 buildings is as high as 150 Mbps (Expected)

    3. iperf over LAN within Sales office is 940 Mbps (Expected)

    4. iperf over LAN from Sales office to manufacturing is 890 Mbps (Expected)

    5. iperf over LAN from Sales office to admin office is 860 Mbps (Expected)

    The next test is where I'm confused

    6. iperf over Wi-Fi to my laptop in all 3 buildings is less than 20 Mbps

    Test 5 shows that there is enough bandwidth between all 3 buildings

    Test 2 shows that that Wireless internet access works as fast as the ISP can deliver.

    Test 3 shows that the iperf server can push almost 1 Gbps

    If iperf can push 1 Gbps over LAN, and Wi-fi can send 150 Mbps, why is test 6 slower than test 2?

    submitted by /u/vetaplex
    [link] [comments]

    PnP deployment of 22 new switches

    Posted: 07 Aug 2019 07:08 AM PDT

    Hello,

    I have a deployment of 22 (total) small business grade Cisco SG550XG-8f8t, SG550X-48 and SG355-10P switches. It's an isolated network and once this deployed won't (shouldn't) require any work except in case of equipment failure.

    I'm trying to decide if it's worth looking in to any PnP solutions to upgrade the firmware image and apply a base config allowing me to ssh on to them. I can't see anything Cisco OpenPnP related without having DNAC. All the Free/OpenZTP projects I've been finding are POAP rather than PnP.

    I think I've answered my own question but for this number of devices is it worth looking at automation or should I just crack on with the console cable? What would you do?

    submitted by /u/danger_area
    [link] [comments]

    Second level domain forwarding with a FortiGate 60D

    Posted: 07 Aug 2019 02:07 PM PDT

    First of all I have no idea what I'm doing.

    I want to forward every connection received at git.*.com to a local Raspberry Pi for my own GitLab server. I don't know what vocab terms to google or what questions to ask; how do I go about doing this?

    submitted by /u/danhab99
    [link] [comments]

    SRX Firewall NAT rule with multiple route instances or zones in "from".

    Posted: 07 Aug 2019 08:48 AM PDT

    Juniper EX vs MX - why do they use MX as their core

    Posted: 07 Aug 2019 06:07 AM PDT

    Hello,

    I see many people using MX series as their core switch instead of high-end EX switches, for example, EX9200 which is a modular solution as well.

    why is that?

    submitted by /u/Hussam_Bay
    [link] [comments]

    Clone Deploy on separate Vlan - PXE boot

    Posted: 07 Aug 2019 01:36 PM PDT

    Windows server 2016 - DHCP

    HP Aruba 5400 switch

    CloneDeploy

    I'm setting up a separate VLAN. I already have an IP helper configured to my DHCP server. What do I need to do to get PXE boot running properly?

    I see some options in my DHCP server that may allow what I need. But I'm also seeing ip helper-address (which I already use to point to my DHCP server on a separate VLAN), which works in conjunction with "ip forward-protocol udp <??>".

    submitted by /u/Hollow3ddd
    [link] [comments]

    On the note of Distributed transactions and message loss within a transaction scope

    Posted: 07 Aug 2019 07:27 AM PDT

    Considering that in the context of executing a transaction, part of the transaction may be lost within messaging (considering the two generals problem): how should you go about helping your system learn when a transaction experienced such a fault if you are restricted to the two-phase pattern?

    Some context, we have an application that handles Distributed Transactions with MSDTC, and the main problem we are facing is explained here: https://ayende.com/blog/167362/the-fallacy-of-distributed-transactions

    Aside from the obvious, commonly accepted consensus that one should not use distributed transactions, are there some discussions with regards to discovering when the fault occurred? I.e. if we were to take the two generals problem again: if before a transaction started a copy of the message firing the transaction was kept, and this message deleted if the transaction finished successfully (by confirming this when the transaction comes back), would we be able to "report" and "retry" transactions in cases of such faults mentioned in the link above?

    I can't seem to find someone discussing this "patch" to a similar situation. Not sure if it belongs in this sub..

    submitted by /u/DeriusMH
    [link] [comments]

    LLDP Client for Android/iOS

    Posted: 07 Aug 2019 04:10 PM PDT

    I purchased a USB OTG adapter that successfully powers an Ethernet adapter. I was able to test it on my iPad Pro and a Samsung 10, got an IP address and was able to detect devices on the network. Seeing this function, it would be an amazing tool for on-the-go field work when working on networks. Is there an LLDP client for either OS that can be used to see the VLAN, Switch, Port ID, etc. on the network, similar to the Hanewin LLDP client for Windows?

    submitted by /u/dingdongbannu88
    [link] [comments]

    ProCurve Per-IP rate limiting

    Posted: 07 Aug 2019 07:13 AM PDT

    At a remote site tied back via MPLS, I have a guest network which we are looking to throttle a bit to prevent link saturation. The router at the site is a ProCurve 5406zl with v2 modules on K.16.02 code.

    class ipv4 GuestClass
      match ip 10.0.100.0/22 any
      exit
    policy qos GuestPolicy
      class ipv4 GuestClass action rate-limit kbps 2000
      exit
    vlan 1000
      service-policy GuestPolicy in

    Guest users are all running in the 10.0.100.0/22 space in this scenario and vlan 1000 is the guest vlan. When testing however, the policy doesn't seem to work.

    submitted by /u/xXNorthXx
    [link] [comments]

    Cisco Prime Location Alternative

    Posted: 07 Aug 2019 09:26 AM PDT

    I haven't been able to find much for a suitable replacement for a small environment. I'm planning on about 10 Meraki MR55's with real time location services. I'm interested in location awareness and helping entry level support people troubleshoot wifi issues. All of the software I kept coming across was "wifi analytics" which is basically marketing BS to gather data try and push sales on people. Meraki RTLS looks like it might help us a bit but the integrations don't look like they are up to date.

    submitted by /u/marvonyc
    [link] [comments]

    What's a Wyebot?

    Posted: 06 Aug 2019 07:22 PM PDT

    My CFO has been getting emails about a Wyebot and keeps asking me if we should use one to diagnose our network. I shrugged it off last year, but she's brought it back up again and I need to figure out if it's worth expending any effort on.

    Does anyone here have any experience with the company or the device? Supposedly it conducts a wireless site survey and makes recommendations. We use TamoGraph (not the best) for this already.

    Any advice or general wireless analysis discussion would be awesome.

    submitted by /u/Sirelewop14
    [link] [comments]

    Ideas on upgrading TP-Link to UniFi - Advice on kit needed

    Posted: 07 Aug 2019 10:03 AM PDT

    Hi all,

    I am looking to upgrade our predominantly TP-Link based network with UniFi devices and would appreciate your help on what is best to go for.

    I inherited this setup and it's having all kinds of issues.

    1) The 200 meter link has nasty ping which may be down to some willow trees and 2.4 GHz saturation.

    2) The Wi-Fi the customer is getting is 1-4 Mbps, but we have a 20 Mbps line.

    I want to upgrade to 5 GHz so was thinking of upgrading the main 200 meter link with:

    Ubiquiti NBE-5AC-Gen2 NanoBeam

    I am not sure that the N Router is required and possibly slowing down the throughput. Maybe replace with an unmanaged L2 switch.

    I wasn't sure what to replace the CPE210s with?

    The final piece is I think the travel routers are unnecessary and was thinking maybe upgrading to UAP AC Pro so there is just an access point without the router features we currently have but don't need.

    Here is the current network topology:

    https://imgur.com/ZorhwS1

    submitted by /u/Thankyourepoc
    [link] [comments]

    How can I accomplish VPN across Dual Wan connections?

    Posted: 07 Aug 2019 08:57 AM PDT

    How can I accomplish VPN across dual WAN connections in an optimal way?

    Plan_for_network_desing

    Idea is to make:

    • Site to site VPN.
    • Make single connection inside the VPN to use full bandwidth of both wan connections using (Split TCP, Multipath TCP, Bonding or technique x?).
    • Make it possible for a Road Warrior to have VPN connection to both sites and have traffic use the optimal speed/route.

    Note

    • The order for "split/bonding" and VPN might not be in optimal/working order in the plan_for_network_desing picture.
    • The wan2 and Road-warriors connections are 4G so they are behind ISP-NAT. So they can "only do" outbound IPv4 connections. Public IPv6-address might be possible.
    • The DSL connections have public IPv4 addresses and can take incoming connections.

    I am interested to know how can I accomplish this?
    What techniques you recommend and how should they be implemented?

    submitted by /u/Shore5
    [link] [comments]

    TLS 1.2 Authentication

    Posted: 07 Aug 2019 07:58 AM PDT

    Hello

    Do you know any good reading about 802.1X using TLS 1.2?

    I'm looking to authenticate a device using a user and a certificate (Windows PKI)... Don't know if it's possible, though.

    THanks :)

    submitted by /u/TheSentient06
    [link] [comments]

    Looking for some ideas on a switch install location.

    Posted: 07 Aug 2019 04:09 AM PDT

    We have a building outside that has no air conditioning. They want about 6 cameras around and Wi-Fi in the building. I am tasked with putting in a switch, cameras and new fiber. Cameras and fiber should not be a problem; however, there is no AC for the switch. All open area. Switches are Juniper EX3300 PoE models.

    Looking for options. Thanks

    submitted by /u/Amazing_Falcon
    [link] [comments]
