
    Wednesday, August 21, 2019

    Rant Wednesday! Networking

    Rant Wednesday!

    Posted: 20 Aug 2019 05:04 PM PDT

    It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

    There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

    submitted by /u/AutoModerator
    [link] [comments]

    My boss bought some 'grey market' Cisco gear and it bit us in the ass...

    Posted: 21 Aug 2019 11:40 AM PDT

    So my boss has this tendency to save a few bucks by buying gear from just whoever. Not every time, but a lot of the time. I really never gave it much thought, assumed he was doing things legitimately and just did my thing.

    Then it was decided that I should do OS updates on all our routers and switches. I went through, site by site, upgrading things and everything was going just fine. Then I had a switch stack that didn't come back up after reboot. After digging into it and doing some troubleshooting, the issue was a license problem. The switches decided that they weren't properly licensed and stopped passing traffic.

    Long story short, it turns out he had bought the gear from some unknown company. The switches were on some sort of blacklist and that's why they were bricked. Since I didn't know this, I had reached out to Cisco for support and now they know my company had these switches.

    So I'm wondering...aside from us having to scramble to get replacement switches installed, will there be any further consequences of this? Either for my boss, me personally, or the company? Will the Cisco Police come knocking on the door looking for proof-of-purchase for every Cisco device we have? Is there likely to be any legal fallout?

    I've been in this business for about 23 years now and have literally never run into anything of this sort and I've worked with some shady characters. I just have no words.

    submitted by /u/hiirogen
    [link] [comments]

    RJ45 crimping question

    Posted: 21 Aug 2019 07:42 AM PDT

    My boss insists that when crimping an RJ45 onto cat5e, we should squeeze the crimper multiple times to ensure a good connection on each side. I believe the opposite. I feel that squeezing the crimper once is fine and any more than that is asking for trouble down the road. Can I get a verdict from you folks on this please?

    Thanks!

    submitted by /u/CageFreeWeiner
    [link] [comments]

    Available high scale virtual routers - alternatives to Mikrotik CHR

    Posted: 21 Aug 2019 06:57 AM PDT

    Hello,

    At my company, where we have a pretty high scale network (5000+ devices), we are hosting our core network on our own appliances in a datacenter. We are working with a lot of Mikrotik devices, so as a result we are using the CHR images on VMware for routing in our DC.

    Lately we have some issues with the performance of the Mikrotik CHR images in combination with our AMD Epyc processors. When we route about 1Gbps of throughput through an appliance with 4 threads we notice a CPU load of about 60%. Doing the same with FRR we are able to route 1Gbps of packets at about 20% CPU on 2 threads.

    We have had this issue since we swapped our servers from Intel CPUs to AMD Epycs. We have had numerous support cases on this matter with Mikrotik, VMware, ... After about a year of debugging this matter we are now looking at other options.

    Are there any recommendations? Currently we are looking at virtual Cumulus appliances as an option. VyOS is also currently being looked at. Any experience with these is appreciated.

    Features that we use:

    • BGP
    • IPSEC / L2TP /PPTP/SSTP
    • VLANS
    • LLDP
    • Radius / LDAP
    • STP / RSTP / MSTP
    • LACP Bonding
    • DHCP (with options, relay)
    • NAT
    • Firewalling
    • Policy Based Routing
    • SNMP

    optional:

    • VxLAN
    • WireGuard
    • Linux shell (iperf, tcpdump, dig, nmap, ...)

    Any help is appreciated, if you want more info on our setup, just let me know!

    submitted by /u/33Fraise33
    [link] [comments]

    Cisco DNA Rollout

    Posted: 20 Aug 2019 06:53 PM PDT

    I was tasked with implementing DNA Center into our infrastructure, from the ground up. Let's embark on this journey and see how it plays out.

    Completed thus far:

    1. discovery phase
    2. hardware/licensing ordered (in hand)
    3. UCS (3 Servers, 6 Host)
    4. CIMC Installed
    5. DNA Center installed on UCS
    6. Fully built lab that replicates our prod environment
    7. Templates built for various switches
    8. golden images loaded based on switch model
    9. Global hierarchy built out (partially, more on that later)
    10. Provisioned a switch remotely, locally, and in the lab

    Before I get into my experience with DNA-C Appliance, I want to pre-warn ANYONE that is looking into rolling this out.

    1. Do NOT under any circumstance, forget:
      1. CIMC Password
      2. Maglev Password
      3. DNA-C Admin Password

    Standing DNA up has been frustrating to say the least. I had to build routes from the core to the pizza box. I had to build routes to the lab that only traversed the internet VLAN and nothing else (because of how our environment is set up, if I staged a live switch, it would break one of our sites due to IP conflicts).

    Frustration 1:

    RADIUS

    If you plan on implementing RADIUS to access DNA-C so you do not have to create/use local accounts - think again. This is not possible without ISE (very clever, Cisco). I spent countless hours troubleshooting why RADIUS wouldn't work. I followed their documentation to a T (funny, they have documentation for something that doesn't work). I spent hours on the phone, Webex, and email with TAC - to no resolution.

    I created a new friendly name on the RADIUS server, used the existing Cisco shared secret that we use with other Cisco gear. I tried creating it from the ground up (to ensure there wasn't a key mismatch).

    TAC resolution (from the guy that created the documentation for RADIUS/DNA): "Implement ISE, RADIUS to the DNAC simply doesn't work" - fantastic!!

    Advice: Implement ISE alongside DNA or be prepared to make user accounts and privileges (your own little AD)

    Frustration 2:

    Templates

    Get ready to configure the hell out of some switches. I know with automation comes a lot of manual behind the scenes shit to get it up and running, but my word. Cisco, no baseline templates? You have to build from scratch. Being that we are in the middle of a network refresh, the sentiment of having to configure a switch once (template building), granted the config is correct (DNA yells a lot), I guess it's ok. Once you iron the kinks out and the template is bullet proof, you can go ahead and lock in your Day0 template. After your Day0 is tried and tested, it's time to build your DayN template (this is where you will adopt and claim a switch into a site within DNAC), pretty much prod ready.

    Templates ARE fickle. The way DNA interprets them is a mystery. I have taken a switch config from one that I was replacing, threw its config into a DNA template, and it errored out every single time.

    Advice: use variables properly. I found strings worked better on L2 switches (for mgmt interfaces) and integers worked better on L3 switches (for mgmt interfaces and plan interfaces).

    Frustration 3:

    Global Settings

    The hierarchy is downright despicable. It is a mess to say the least. Clunky and certainly not intuitive. The interface was not planned out well, I am not sure what design language they were going for, but I am not a fan. For instance the "Provision" contextual menu at the top houses sub-options that you wouldn't know about, because it's not clear. This so happens to be where DNA's bread and butter lives: "Plug and Play" or "UPnP" to kick off provisioning.

    Menu Navigation goes something like this:

    • Design
      • Network Hierarchy
      • Network Settings
        • Network
        • Device Credentials
        • IP Address Pools
        • SP Profiles --> QoS
        • Wireless
      • Image Repository
      • Network Profiles
      • Authentication Template
    • Policy
      • Dashboard
      • Group-Based Access Control
        • Group-Based Access Control Policies
        • Scalable Groups
        • Access Contract
      • IP Based Access Control
        • IP Based Access Control Policies
        • IP Network Groups
        • Access Contract
      • Application
        • Application Policies
        • Applications
        • Application Sets
        • Queuing Profiles
      • Traffic Copy
        • Traffic Copy Policies
        • Traffic Copy Destination
        • Traffic Copy Contract
      • Virtual Network
    • Provision
      • Devices
        • Inventory
        • Plug and Play
      • Fabric
      • Services
    • Assurance
      • Health
        • Overall
        • Network
        • Client
        • Application
      • Dashboards
        • Sensor
        • Dashboard Library
      • Issues
        • Global Issues
        • All Issues
      • Manage
        • Sensor-Driven Tests
        • Client Intelligent Capture
        • AP Intelligent Capture
        • Issue Settings
      • Platform
        • Overview
        • Manage --> Bundles --> Configurations
        • Developer Toolkit --> APIs --> Integrations Flows --> Data and Reports --> Multivendor Support
      • Runtime Dashboard

    As you can see, this is very convoluted. I am used to it now, but you can see why it can be unwelcoming when just beginning.

    Frustration 4:

    Provisioning

    This is what DNA was built for, automating switch configurations by way of templates. Well, I can tell you, when it works, it's amazing - WHEN IT WORKS.

    I have had more error than provisioned messages. You claim the switch, select the IOS image you want (upgrade to golden image if you so choose), set the parameters you defined in the templates, set and claim the device to the site in which this will be deployed. Sit back, cross your fingers, and prepare to be pissed.

    There is a bug with Chrome: while filling out your parameters, you cannot scroll down far enough to see "DHCP or default gateway properties".

    • Temp workarounds: F11 (sometimes works). Enter the value in Notepad, copy it, go to the line above, click, then tab and paste. Janky, but works.

    Advice: do not interrupt DNA when it is provisioning. You will end up with a blank switch (no image) in ROMMON. If you find yourself in this predicament, console into the switch, "wr erase", "wr mem", "sh boot", make sure it is NOT the .bin file, make sure this is pointed to "BOOT variable = flash:packages.conf"; if you don't, you will disable UPnP and DNA will not be able to do its job.

    I understand that every network is different. Every template will vary. Every use case will vary. This is just MY experience thus far. I do NOT hate DNA (contrary to what I have written). It is a newer product with a lot of bugs. It has a great use case and demographic. I am just giving you my POV (the engineer in the trenches). Others that use DNA, once it is already set up, will think it is the greatest thing since sliced bread - I will probably join them in that consensus. For now, while standing it up, I still think it needs work.

    Right now I am fighting a 9200 L2. Let me know if you want to hear about the fun I am having with this....

    I hope this didn't deter anyone. I just needed to rant more than anything, and maybe I will run across someone that can give me pointers and help my deployment go a lot smoother than it has been. If you made it this far - CONGRATS!

    TL;DR

    Cisco DNA is great when it works. It still has a lot of shortcomings and obstacles to overcome. Be prepared to exert a lot of time and energy implementing this into your environments.

    -NetworkGnome

    submitted by /u/NetworkGnome
    [link] [comments]

    Emulating Network Conditions

    Posted: 21 Aug 2019 12:38 PM PDT

    Hi

    So currently my aim is to emulate specific network conditions on a linux vm such as bandwidth, packet loss, jitter and delay which I can currently do using netem scripts.

    However, my aim is to emulate specific network conditions such as WiFi, GPRS or Satellite. The problem is that apart from network speeds I am struggling to find references for metrics like packet loss or latency that a GPRS or Satellite network may experience.

    Looking at sources such as wikipedia I can only find common network speeds but no other metrics.

    Does anyone know where I can find these metrics?

    Thanks a lot in advance

    Edit: for these networks (Satellite, Gigabit Ethernet LAN, 802.11n WiFi, 4G LTE and GPRS) I am looking for packet loss, latency, jitter, bandwidth and possibly the average buffer size of the device that may be running them.

    submitted by /u/OwlLeafage
    [link] [comments]

    Reaching internet from a BGP router

    Posted: 21 Aug 2019 09:14 AM PDT

    Hi!

    (Diagram) I'm setting up eBGP between the ISP and my client's network. That is not a big deal; public services work wonders.

    Navigation traverses through this router - which is an F5 - and goes to the internet NATted to a couple of IPs on the public range.

    Now, absolutely everything that should reach the internet does, except for the F5 itself. Since it does not go through the F5, its packets are not NATted, and thus, come out with its real IP (the peering network). This network, of course, is not published to the internet, so the F5 does a couple of hops and then dies.

    How do I make my device reach the internet?

    Thanks!

    submitted by /u/sasgraffiti
    [link] [comments]

    Two AP controllers on different VLANs. How are APs finding the controller on the other VLAN?

    Posted: 21 Aug 2019 07:29 AM PDT

    We have two AP management VLANs with a Mobility Express controller on each. At times, when the controller on one VLAN is rebooted, the APs on its VLAN join the controller on the other VLAN.

    I don't have any ip forward-protocol commands on my core for anything CAPWAP/LWAPP, and I do have DHCP option 43 configured.

    How are these APs finding the other controller?

    submitted by /u/routetehpacketz
    [link] [comments]

    Ruckus ZoneDirector OIDs

    Posted: 21 Aug 2019 12:13 PM PDT

    I'm looking for a specific OID for a Ruckus ZoneDirector 1200. Is anyone familiar with the process for finding them? I have a generic SNMP template that I am using on my monitoring server, but it's missing the network traffic and AP count OIDs.

    submitted by /u/xdigi25u
    [link] [comments]

    NAC in the network?

    Posted: 21 Aug 2019 03:31 PM PDT

    Hey guys,

    I'm investigating some ways to help secure our networks and also some basic automation, i.e. put this device in this VLAN, basics like that. I talked with my SE about ISE and it sounds pretty great (doesn't it always?). Has anybody implemented ISE from the ground up? How painful was it? I've also heard good things about PacketFence. Are there any other suggestions to look at? We're a Cisco, Palo, Meraki shop. Any pitfalls to look out for? How did you sell administration on using NAC? Would this help to mitigate ransomware in any way? (MAJOR point of concern for our org right now) Thanks everybody.

    submitted by /u/Wixxyl
    [link] [comments]

    Data Center Patch Cable Cleanup Advice and Suggestions

    Posted: 21 Aug 2019 07:42 AM PDT

    This weekend I am going to be embarking upon a small data center patch cable cleanup. It's only two 42U racks. In a vacuum, I feel like the easiest way to do things is to simply remove all existing patch cables and re-run with appropriate length cables. While this approach is an option, it would be nice to be able to track each cable move so that I can be confident that every device is plugged back into the correct port after it has been managed. The reason for this is that I am not super-duper confident that the administrators of the servers affected will be readily available to validate everything post cable move.

    I do have full access to all switches so I can validate MAC addresses, ARP tables, CDP and such.

    Does anyone have any words of wisdom or general advice for this type of scenario?

    submitted by /u/tbonejackson81
    [link] [comments]

    RADIUS not using Loopback IP as Source IP even when configured

    Posted: 21 Aug 2019 10:25 AM PDT

    Hi,

    I am seeing an issue where a Juniper EX4300 is not using the source IP of a loopback in the RADIUS packets it sends out. Interestingly, in the NAS-IP attribute it still sends the loopback IP I configured. Basically the source IP of the RADIUS UDP packet and the NAS IP are different. It's using the IP address of my uplink, which has reachability towards the RADIUS server, in the IP header and puts the loopback IP in the RADIUS attribute NAS-IP. This is causing some problems for me and I would like both the IP header and NAS-IP to use the loopback. Any knobs I need to be aware of to achieve this?

    Thanks in Advance.

    submitted by /u/rameshpvn
    [link] [comments]

    Don’t Frag bit / surfing data

    Posted: 21 Aug 2019 01:45 PM PDT

    Why does almost all web surfing traffic contain don't frag bits?

    Is there any particular reason for this?

    This problem causes a lot of pain with IPSec tunnels

    submitted by /u/Mr_Bleidd
    [link] [comments]
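    The reason DF is set on nearly all web traffic is path MTU discovery (RFC 1191): hosts send TCP segments with DF set and rely on an ICMP "fragmentation needed" message from any hop whose MTU is too small. An IPsec tunnel shrinks the usable MTU by its encapsulation overhead, so full-size packets with DF set must be dropped and signalled rather than fragmented, and if that ICMP is filtered the flow stalls. The Python below is an added example, not code from the post: it decodes the DF bit from an IPv4 header and shows the decision a tunnel endpoint makes. The sample packets, addresses and the 73-byte ESP overhead are constructed assumptions (real ESP overhead depends on cipher, padding and NAT-T).

```python
import ipaddress
import struct

IPV4_FLAG_DF = 0x4000  # "Don't Fragment" bit in the 16-bit flags/fragment-offset field
IPV4_FLAG_MF = 0x2000  # "More Fragments" bit

# Assumed encapsulation overhead for the demo (outer IP + ESP header/trailer/ICV); not a measured value.
ASSUMED_ESP_OVERHEAD = 73


def build_ipv4_header(total_len, src, dst, df=True, proto=6, ttl=64, ident=0x1234):
    """Build a 20-byte IPv4 header (checksum left zero) for constructed test packets.
    Only the header is built; total_len says how large the full packet would be."""
    flags_frag = IPV4_FLAG_DF if df else 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fields a tunnel endpoint needs to decide how to handle a packet."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the minimum IPv4 header")
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("not a valid IPv4 header")
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    return {
        "ihl": ihl,
        "total_len": total_len,
        "id": ident,
        "df": bool(flags_frag & IPV4_FLAG_DF),
        "mf": bool(flags_frag & IPV4_FLAG_MF),
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # offset is stored in 8-byte units
        "proto": pkt[9],
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
    }


def tunnel_decision(pkt: bytes, tunnel_mtu: int, encap_overhead: int) -> tuple:
    """Return (action, inner_mtu) for a packet entering an IPsec tunnel.
    inner_mtu is the largest inner packet that still fits the outer link after encapsulation."""
    hdr = parse_ipv4_header(pkt)
    inner_mtu = tunnel_mtu - encap_overhead
    if hdr["total_len"] <= inner_mtu:
        return ("forward", inner_mtu)
    if hdr["df"]:
        # RFC 1191 behaviour: drop and send ICMP type 3 code 4 with Next-Hop MTU = inner_mtu,
        # so the sender lowers its path MTU. If that ICMP never reaches the sender, the flow hangs.
        return ("drop_icmp_needfrag", inner_mtu)
    return ("fragment", inner_mtu)


# Constructed samples: a full-size 1500-byte TCP packet with and without DF, and a smaller one.
BIG_DF = build_ipv4_header(1500, "192.0.2.10", "198.51.100.20", df=True)
BIG_NO_DF = build_ipv4_header(1500, "192.0.2.10", "198.51.100.20", df=False)
SMALL_DF = build_ipv4_header(1400, "192.0.2.10", "198.51.100.20", df=True)

if __name__ == "__main__":
    for name, pkt in (("1500 DF", BIG_DF), ("1500 no DF", BIG_NO_DF), ("1400 DF", SMALL_DF)):
        print(name, tunnel_decision(pkt, 1500, ASSUMED_ESP_OVERHEAD))
```

    The practical consequences follow from the three branches: permit ICMP type 3 code 4 through the firewalls around the tunnel so PMTUD can work, and clamp TCP MSS on the tunnel interface so full-size segments are never generated in the first place; clearing DF on the tunnel endpoint trades the stall for fragmentation and reassembly load.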

    What is your company doing for Guest Wireless?

    Posted: 21 Aug 2019 12:42 PM PDT

    How are you letting guests connect? Is it open, with PSK, or registration type? Trying to figure out a quick but secure way to get guests on the guest wifi network.

    submitted by /u/mtesta1214
    [link] [comments]

    Any CBRS books out there yet?

    Posted: 21 Aug 2019 12:26 PM PDT

    I haven't found any yet, but I'm looking to get into this.

    Only thing I have found is a class from CommScope but it's $500ish dollars.

    submitted by /u/RoutingFrames
    [link] [comments]

    Importing network equipment from UK to USA - Taxes?

    Posted: 21 Aug 2019 11:46 AM PDT

    We have a new build coming online in the USA, but for some strange reason all the equipment was ordered to a UK office, so it will need to be shipped and sent to the USA.

    Anyone done this before and able to advise on the costs involved, not including shipping?

    Thanks!

    submitted by /u/LittleWanger
    [link] [comments]

    ISP Network topology design - Need Feedback

    Posted: 21 Aug 2019 11:28 AM PDT

    Hi Guys,

    I work in a small LOCAL ISP and I'm also graduating in Telecom Engineering. I work to make a living in this foreign city, rent and etc., and to be able to graduate. Thankfully I managed to work in the same field I'm studying, and so I do a lot of research about it.

    I have designed a PoP topology including the MPLS forwarding paradigm and network infrastructure services (BRAS, CGNAT), and any feedback would be appreciated. The intent here is to have a debate about it and share network experiences and knowledge; I would really like to know how ISPs outside Brazil, where I live, manage and design their networks.

    Here is the topology, some info which is not on the diagram:

    All services would have their broadcast domain segregated by VLANs

    BRAS would have the PPPoE PADO delay time adjusted

    There are no P LSRs on the network, only PEs

    https://imgur.com/321hHjn

    Thanks in advance ;)

    submitted by /u/pandadub_lostship
    [link] [comments]

    MPLS Breakout

    Posted: 21 Aug 2019 11:28 AM PDT

    Hello,

    This may be a really obvious question, so apologies if it is, but I have some questions around routes of last resort and internet breakouts.

    Let's say you have a datacentre and a whole bunch of offices around the world all connected via an MPLS provided by a 3rd party ISP.

    Let's say the datacentre is 192.16.10.0/24 and each site is an octet away, e.g. 192.168.20.0/24 etc.

    I'm guessing BGP or something would learn the subnets and route site traffic accordingly?

    How would you handle users getting on the internet and external DNS requests, presuming that you'd really want that done via the datacentre?

    Would you need a separate internet breakout at the datacentre, plug that into a switch on a VLAN and just make that the route of last resort on the MPLS, or is there more to it?

    Thanks

    submitted by /u/citizen0100
    [link] [comments]

    Is there any difference between a cat5e keystone and a cat6 keystone

    Posted: 21 Aug 2019 11:14 AM PDT

    I have taken apart both, and they look identical except one mold has a 6 and the other says 5e...

    When you are doing a few thousand, and the price is $0.66 each, it's a bit of savings. The cable is cat6, but from what I can see the keystones are identical.

    submitted by /u/magikian
    [link] [comments]

    Dual 5GHz radios vs doubling bandwidth (40/80/160)

    Posted: 21 Aug 2019 03:03 AM PDT

    We're running a 40MHz 802.11ac deployment today and we're seeing quite a lot of throughput need (28 clients downloading 7 GB at the same time and that kind of stuff). Got me thinking about MU-MIMO, which isn't really useful as our clients don't support it, AND:

    What would be the benefit of running two 5GHz radios vs just going for 80MHz bandwidth, if any? We're running Cisco 2802i APs, and I can't really see why dual 5GHz would be beneficial unless you're already running 160MHz on your primary 5GHz radio?

    Anyone running dual 5GHz who has some points to throw in?

    submitted by /u/Roy-Lisbeth
    [link] [comments]

    Cisco wlc question

    Posted: 21 Aug 2019 10:29 AM PDT

    Hello,

    I have a question that I hope someone can answer. We have a Cisco WLC that has a guest network configured on it. I have been asked to update the certificate for this wireless network as the current cert is an old Symantec one that is no longer trusted and people struggle to connect. I have bought a new certificate and have read a bunch of guides on how to upload the new cert, but none of the guides say what to do with the old cert. So my question is, what do we do with the old cert? Do we delete it somehow?

    It is a 3rd party cert and it is still valid.

    submitted by /u/DonzaMac
    [link] [comments]

    Catalyst 9k, stacks, mismatched licenses ?

    Posted: 21 Aug 2019 10:05 AM PDT

    Hello all,

    My understanding is that when building a stack, the license level has to match. I believe the mismatched switch(es) won't even join the stack? This makes sense to me, otherwise how would it work? If the least licensed switch became master, I'd assume you'd lose advanced layer 3 features for example, and the config would get trashed with missing sections...

    I have a client that has various 9300s, of various license levels (Net. Essentials vs. Advantage). We looked at the show license right-to-use output from one of their stacks, and 2 of the 3 switches reported Network Advantage, but the 3rd switch showed output for both Essentials and Advantage. What would this mean? Was this switch's license upgraded at some point?

    Sorry for the lack of details and history on this, I'm playing catch-up/forensics trying to unravel what they have purchased and how it's working. My general MO is buy what you need, get it all the same, build your stack, and go on with your life. I'm just struggling unraveling what this client has and how to get them to where they need to be. Thanks.

    submitted by /u/vom513
    [link] [comments]

    3rd party company set up Cisco switch for my company and I feel like I'm locked out of it.

    Posted: 21 Aug 2019 09:16 AM PDT

    I work for a company that is acquiring smaller companies rapidly and our infrastructure is playing catch-up. Before I got here there were 2 Cisco switches that are synced with a Meraki cloud. This setup was commissioned out to a 3rd party network consulting company.

    We want to add a new switch and integrate it into our Meraki. My game plan is to download the running config files off the current 2 switches and upload them to this 3rd switch once it arrives.

    The switch models, and the next one that is being ordered, are Cisco MS120-48LP. https://meraki.cisco.com/products/switches/ms120-48

    Here's the issue though: I cannot find any way to get into the switch's CLI or the HTTP splash page when you type the switch's IP address into a browser. I think this 3rd party company locked the switch down to prevent getting into these resources. The IP address page times out and there's an ethernet port on the back of the switch, which I assumed was for serial cabling into. I have a USB to RS232 converter which connects to the Cisco rollover cable.

    I tried using PuTTY at various speeds to get to the CLI and made sure all settings were correct, but nothing I tried worked. I ran an ethernet cable to this management port and got to a management webpage, but this only allows changing the same settings as you can in Meraki. It's not the HTTP splash page that allows you to download the config file, etc.

    I've contacted the consulting company, but they're giving us the run-around and told us "There is no local config on Meraki switches and also no capability to access a CLI" and "these features never existed" (which I am smelling total bullshit on). Everything my gut is telling me is that they disabled these features to force us to go through them.

    Is it possible to disable the CLI from the management port and disable the HTTP splash page on these switches? If so, how can I unlock these features and get into the CLI or this splash page? Once this new switch comes in, can I plug it in and just use Meraki to clone the settings into this new switch?

    Feedback would be greatly appreciated, thank you!

    Edit: Got my answers now, thank you. I've worked with switches before that allow you to work in both the Meraki cloud and also access the CLI/IP splash page (SG200 series). I had no idea that modern switches are all cloud managed and configured now. I had the impression that all modern Cisco switches were like this as CLI was DRILLED into your brain as part of the CCNA exam. This is where I thought this consulting company was giving us a hard time; their sales people have been pushy before. Go ahead and downvote me, you all don't know the full story and background of where I'm coming from.

    submitted by /u/I_am_Jin
    [link] [comments]

    Use Fortigate as switch vs Cisco 2911

    Posted: 21 Aug 2019 07:07 AM PDT

    So here's the context:

    At a remote office with 5 people, I have a Fortigate 80E with 14 open ports as the main router/firewall. Below that, I have a Cisco 2911 with a switching module with 15 ports being used (this router used to be used for PRI phone connections). The problem is that the switching module is only 10/100. This 2911 is also the DHCP server for the voice and data subnets. This office decided to purchase 300/30 Mbps internet without consulting us but doesn't want to purchase a gigabit switch to make their lives easier. So I'm stuck with what I have. Here's a quick Visio diagram of the setup: https://i.imgur.com/1NsL5Jh.png

    So here's what I'm thinking. Since the Fortigate doesn't have enough ports, I can use the 2911 switching module for the printers and move everything else to the Fortigate. My question is, how can I use the Fortigate ports as a "switch" when the DHCP server is on the 2911? Should I just make the Fortigate the DHCP server, and the 2911 a "dumb" switch?

    Or should we just push them to buy a gigabit switch?

    submitted by /u/eeza465
    [link] [comments]

    IAID vs Different types DUID in DHCPV6 messages

    Posted: 21 Aug 2019 07:00 AM PDT

    3 types of DUID: the link layer address appended with a timestamp, a vendor-assigned unique ID, or only the link layer address, whereas IAID is just the link layer address. My doubt is which one is a better candidate for uniquely identifying a DHCPv6 transaction (solicit, advertise, request, reply)? Thanks

    submitted by /u/nandukabandhu
    [link] [comments]
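    To make the three identifiers concrete, here is an added Python example (not code from the post or any DHCPv6 implementation) that decodes the DUID types from RFC 8415 section 11 (DUID-LLT, DUID-EN, DUID-LL, plus DUID-UUID from RFC 6355, which the post does not mention) and pulls the transaction-id, client DUID and IAIDs out of a client message. In the wire format the DUID sits in the Client Identifier option (code 1) and identifies the client; each IAID is a 32-bit value inside an IA_NA option (code 3) that names one identity association; the 3-byte transaction-id in the message header is what matches a Solicit to its Advertise and a Request to its Reply. The SOLICIT bytes, MAC address, timestamp and enterprise number below are constructed for the demo.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

DUID_TYPES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL", 4: "DUID-UUID"}
DUID_TIME_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # DUID-LLT time: seconds since 2000-01-01 UTC
OPT_CLIENTID = 1
OPT_IA_NA = 3


def parse_duid(duid: bytes) -> dict:
    """Decode a DUID (RFC 8415 section 11) into its type-specific fields."""
    if len(duid) < 2:
        raise ValueError("DUID shorter than its 2-byte type code")
    (dtype,) = struct.unpack("!H", duid[:2])
    body = duid[2:]
    info = {"type": dtype, "name": DUID_TYPES.get(dtype, "unknown")}
    if dtype == 1:  # DUID-LLT: hardware type (2) + time (4) + link-layer address
        if len(body) < 7:
            raise ValueError("DUID-LLT too short")
        hw_type, secs = struct.unpack("!HI", body[:6])
        info.update(hw_type=hw_type, time=DUID_TIME_EPOCH + timedelta(seconds=secs),
                    ll_addr=body[6:].hex(":"))
    elif dtype == 2:  # DUID-EN: IANA enterprise number (4) + vendor-assigned identifier
        if len(body) < 5:
            raise ValueError("DUID-EN too short")
        (enterprise,) = struct.unpack("!I", body[:4])
        info.update(enterprise=enterprise, identifier=body[4:].hex())
    elif dtype == 3:  # DUID-LL: hardware type (2) + link-layer address
        if len(body) < 3:
            raise ValueError("DUID-LL too short")
        (hw_type,) = struct.unpack("!H", body[:2])
        info.update(hw_type=hw_type, ll_addr=body[2:].hex(":"))
    elif dtype == 4:  # DUID-UUID: exactly 16 bytes (RFC 6355)
        if len(body) != 16:
            raise ValueError("DUID-UUID must carry exactly 16 bytes")
        info["uuid"] = str(uuid.UUID(bytes=body))
    else:
        info["raw"] = body.hex()
    return info


def parse_dhcpv6(msg: bytes) -> dict:
    """Extract the identifiers from a client->server DHCPv6 message:
    transaction-id (ties one exchange together), client DUID (who), IAIDs (which IA)."""
    if len(msg) < 4:
        raise ValueError("message shorter than msg-type + transaction-id")
    result = {"msg_type": msg[0], "transaction_id": int.from_bytes(msg[1:4], "big"),
              "client_duid": None, "iaids": []}
    off = 4
    while off < len(msg):
        if off + 4 > len(msg):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", msg[off:off + 4])
        data = msg[off + 4:off + 4 + length]
        if len(data) != length:
            raise ValueError(f"option {code} length {length} runs past end of message")
        if code == OPT_CLIENTID:
            result["client_duid"] = parse_duid(data)
        elif code == OPT_IA_NA:
            if length < 12:  # IAID (4) + T1 (4) + T2 (4) precede any sub-options
                raise ValueError("IA_NA too short")
            result["iaids"].append(struct.unpack("!I", data[:4])[0])
        off += 4 + length
    return result


# Constructed SOLICIT (msg-type 1, transaction-id 0x0a1b2c) carrying a DUID-LLT client identifier
# (Ethernet hw type 1, time 600000000 s after the DUID epoch, MAC aa:bb:cc:dd:ee:ff) and one IA_NA
# with IAID 1 and T1 = T2 = 0. Every value is made up for the example.
SAMPLE_SOLICIT = (
    b"\x01\x0a\x1b\x2c"
    + b"\x00\x01\x00\x0e" + b"\x00\x01" + b"\x00\x01" + b"\x23\xc3\x46\x00" + b"\xaa\xbb\xcc\xdd\xee\xff"
    + b"\x00\x03\x00\x0c" + b"\x00\x00\x00\x01" + b"\x00" * 8
)

if __name__ == "__main__":
    print(parse_dhcpv6(SAMPLE_SOLICIT))
```

    A server or relay that keys its state on `(client_duid, iaid)` gets a stable lease identity across reboots, while `transaction_id` is only meaningful for matching the four messages of one exchange; the length checks matter because a malformed option length is the classic way a DHCPv6 parser is made to read past its buffer.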
