Summary of CenturyLink's December 27, 2018 outage. Networking

---

• Summary of CenturyLink's December 27, 2018 outage.
• Riverbed sales model hopelessly broken? Or are we just too small to be worth their time?
• How many ways to use an access-list?
• Cisco static route not working (basic networking)
• Build vs. Buy - Networking Software
• Rough costing for 10Gb L2 / dark fiber
• Need help/advice with subnetting for Azure vNets/AWS VPC networks for direct access via MPLS
• DIRECT-2TLAPTOP ideas
• IP Reservations for Devices Connected to WiFi Outside DHCP Range
• Help adding additional VLAN
• Wireguard: confused about routing/subnets/interfaces
• Core switch to ASA gateway
• OOB (Out of Band) Management access
• What is the equivalent of ip local-proxy-arp of Cisco IOS on JunOS ??

Summary of CenturyLink's December 27, 2018 outage. Posted: 20 Aug 2019 07:24 AM PDT The FCC report on CenturyLink's DWDM outage that occurred last year is out. Full Report: https://docs.fcc.gov/public/attachments/DOC-359134A1.pdf In summary: In the early morning of December 27, 2018, a switching module in CenturyLink's Denver, Colorado node spontaneously generated four malformed management packets. Malformed packets are packets that, while not rare, are not typically generated on a network and are usually discarded immediately due to characteristics that indicate that the packets are invalid. In this instance, the malformed packets included fragments of valid network management packets that are typically generated. Each malformed packet shared four attributes that contributed to the outage: 1) a broadcast destination address, meaning that the packet was directed to be sent to all connected devices; 2) a valid header and valid checksum; 3) no expiration time, meaning that the packet would not be dropped for being created too long ago; and 4) a size larger than 64 bytes. CenturyLink and Infinera state that, despite an internal investigation, they do not know how or why the malformed packets were generated Due to the packets' broadcast destination address, the malformed network management packets were delivered to all connected nodes. Consequently, each subsequent node receiving the packet retransmitted the packet to all its connected nodes, including the node where the malformed packets originated. Each connected node continued to retransmit the malformed packets across the proprietary management channel to each node with which it connected because the packets appeared valid and did not have an expiration time. This process repeated indefinitely. The exponentially increasing transmittal of malformed packets resulted in a never-ending feedback loop that consumed processing power in the affected nodes, which in turn disrupted the ability of the nodes to maintain internal synchronization. Specifically, instructions to output line modules would lose synchronization when instructions were sent to a pair of line modules, but only one line module actually received the message. Without this internal synchronization, the nodes' capacity to route and transmit data failed. As these nodes failed, the result was multiple outages across CenturyLink's network. submitted by /u/djpyro [link] [comments]

Riverbed sales model hopelessly broken? Or are we just too small to be worth their time? Posted: 20 Aug 2019 01:37 PM PDT We are (formerly) happy Riverbed customers. We're a small business with a couple of Steelhead appliances that are nearing end of life. We'd like to replace them. I've tried calling Riverbed directly-- sales calls go to voicemail, not returned. I've filled out the web form. Someone called to qualify me and then set up a sales call by appointment. No one called. I reached out to Insight to have them get a quote for me, theory being that they have enough buying power to be taken seriously. They've been trying to get a quote for over a week now. The latest, per my Insight rep, is that every purchaser must be qualified prior to receiving a quote, and there is currently "no one assigned to the New Orleans area" and therefore no one available to approve a quote. We've been customers since before the world went cloud crazy (since about 2006). I can promise you we didn't have any trouble getting attention from Riverbed sales then. Riverbed should be ashamed. Can anyone recommend a wan optimization appliance to replace them? I've always felt Riverbed was best of breed, particularly since we're slinging large AutoCAD models over the WAN link all day. But apparently they are now manufactured from unobtanium. The worst part is going to be burning my orange screwdrivers... submitted by /u/aspiringgreybeard [link] [comments]

How many ways to use an access-list? Posted: 20 Aug 2019 09:04 AM PDT I have a few hundred routers and switches being onboarded and I need to go through and clean up some dead access-lists that are no longer in use. Lot's of them. So, how could I automate this? How can access-lists be used? Where do I find if they are in use? Here's the thought process I came up with. is it applied on an interface? is it used for snmp acl? nat overload? prefix-list for bgp? statements for QoS policy-maps? ipsec/dialer interesting traffic? line vty access control? What else can they be used for? How would you logically go about finding dead acl's? submitted by /u/projectself [link] [comments]

Cisco static route not working (basic networking) Posted: 20 Aug 2019 02:53 AM PDT I have a pretty simple problem here, i am trying to route between two networks on a cisco isr and i cant ping from one network to another. The router has two interfaces one on the internal LAN the other on a perimeter network which i want to be able to access the internal lan Here is my config interface Vlan1 ip address 192.168.1.12 255.255.255.0 ! interface Vlan10 ip address 10.0.0.1 255.0.0.0 ! ip route 0.0.0.0 0.0.0.0 192.168.1.1 ip route 192.168.1.0 255.255.255.0 Vlan1 interface gigabitethernet 0/0 description LAN ! ! interface gigabitethernet 0/1 switchport trunk allowed vlan 1,2,10,1002-1005 switchport mode trunk So i can ping the internet from the router so one static route isworking but all the clients on vlan cant access the internal network using the static route. The following commands just time out ping ip 192.168.1.1 source vlan 10 ping ip 192.168.1.1 source 10.0.0.1 Can anyone spot any config mistakes i might have made submitted by /u/RaymondPrest [link] [comments]

Build vs. Buy - Networking Software Posted: 20 Aug 2019 03:16 PM PDT Been reading up a lot on this; wondering what the consensus is here. I have a biased opinion coming at this from a vendor perspective, so I find this very interesting. submitted by /u/PutchDes [link] [comments]

Rough costing for 10Gb L2 / dark fiber Posted: 20 Aug 2019 02:13 PM PDT My org presently has a 1Gb metro ethernet circuit from Spectrum between our office and our colo. We're looking at upgrading the bandwidth of that connection from 1Gb to 10Gb. Spectrum has given us a quote, but it's more than we can afford. Crown Castle has fiber about 100' from our building, and is already on net in our DC so I'm going to solicit a quote from them as well. I'm wondering if there's any cost benefit of ordering bare / dark fiber vs a service like metro ethernet, if that's even possible. The two locations are about 50 miles apart in Central Florida. Questions: Any idea on what ballpark I should expect for pricing? Is there any benefit to ordering dark fiber vs metro ethernet? submitted by /u/vrtigo1 [link] [comments]

Need help/advice with subnetting for Azure vNets/AWS VPC networks for direct access via MPLS Posted: 20 Aug 2019 12:17 PM PDT I am currently planning our migration to accessing resources within Azure using our Express Route Circuits (think of Azure been directly connected to our MPLS network) and was wondering what people's recommendations regarding VNet/Subnet IP Address assignment scheme are when using AWS/Azure. Unfortunately (and for historical reasons) we are very unorganized IP Address scheme which is making it difficult to come up a good addressing scheme within Azure. Essentially the networking team (they not a proper networking team and I have more networking experience than them) are only able to allocate me with two /16 subnet ranges for use within Azure – 172.17.0.0/16 and 172.18.0.0/16. For awareness, 10.0.0.0/8 is reserved and I cannot utilize it and 192.168.0.0/16 is not an ideal as range a number of networks scattered thought the range. The rest of 172.16.0.0/12 are used by our third party's which we have S2S VPNs for and need to route traffic to. Our plan is that we want all our services/servers hosted in Azure, to be located in two different data centres, so the two /16's help in this case. My first thought are: Assign one /16 to our main/preferred Azure DC and the other to the DR DC. Divide the /16 into 26 separate /20 network range. Each /20 network is assigned to a subscription (think of a subscription as a Business unit, Ie Accounts, Development, Sales) The /20 network is then submitted depending on the business/application requirements ie device the /20 into /27's for each application/server. Is anyone able to suggest anything better in regards to subnetting for our Azure/AWS networking? Apologies if I made any mistakes in my subnetting. Subnetting is not my strong point. Thanks submitted by /u/zh12a [link] [comments]

DIRECT-2TLAPTOP ideas Posted: 20 Aug 2019 12:15 PM PDT Trying to track down a rogue ap with the name "DIRECT-2TLAPTOP." We are narrowing it down but are struggling to pin it on our campus. I've done some googling and was hoping I wasn't alone on this one. I was expecting it to be related to a direct tv product. Anyone else experience this before? Edit: Found! See comments if curious. submitted by /u/M3atmast3r [link] [comments]

IP Reservations for Devices Connected to WiFi Outside DHCP Range Posted: 20 Aug 2019 06:16 AM PDT Hey, first time poster here. Had a question that I thought you folks might know the answer to. We have a bunch of Roku streaming devices we're setting up at my work which work on WiFi only. We are setting up a solid amount of these, 100+. I wanted to make IP reservations for these devices outside the normal DHCP range so we don't eat into a solid amount of our available IPs from our WiFi network. Unfortunately, using the regular reservation setup in our router, it won't let me do a reservation unless I make that range available to the DHCP server. Basically, we have a network that issues 192.168.1.2 to 192.168.3.255, but I would like to reserve these Rokus in a separate range so they don't take up half a subnet of my available IPs, say 172.16.100.x. We have pretty decent hardware, Fortinet across the board for our APs, switches, and the router. I feel like I should be able to do this, but I'm not sure how to approach it without adding the other range to the DHCP. Is this even possible or am I approaching this the complete wrong way? Thanks for reading! submitted by /u/FargusFargus [link] [comments]

Help adding additional VLAN Posted: 20 Aug 2019 07:02 AM PDT Can anyone tell me what I'm missing here, a few weeks ago I added 5 VLAN's to my workstation via powershell. Today I need to add another VLAN and powershell is not letting it happen. I'm not quite understanding how to skip/bypass the VLANID fields that I previously used, as they are already assigned obviously. And if I try to enter the existing VLAN ID's it thinks I'm trying to create a duplicate, which also wouldn't be allowed. I'm missing something stupid here, what is it? Below is the output from ps. ​ ​ ​ PS C:\Windows\system32> Add-IntelNetVLAN ​ cmdlet Add-IntelNetVLAN at command pipeline position 1 Supply values for the following parameters: ParentName[0]: Intel(R) Ethernet Connection (7) I219-V ParentName[1]: VLANID[0]: 6 VLANID[1]: Add-IntelNetVLAN : Failed to add one or more of the specified VLAN IDs. At line:1 char:1 + Add-IntelNetVLAN + ~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (IANet_PhysicalE...SKTOP-KNE62TB"):CimInstance) [Add-IntelNetVLAN], Ex ception + FullyQualifiedErrorId : Error executing cmdlet.,Intel.PowerShell.Network.VLAN.AddIntelNetVlan ​ PS C:\Windows\system32> submitted by /u/APBpowa [link] [comments]

Wireguard: confused about routing/subnets/interfaces Posted: 20 Aug 2019 07:38 AM PDT Hi, I am trying to achieve this setup https://i.imgur.com/Kgr2Ena.jpg, where clients at Office A, B and C can all communicate with each other. However, I'm struggling with the wireguard config, routing and addressing on physical and virtual interfaces. I have followed this guidance https://github.com/pirate/wireguard-docs#setup and enabled relaying/forwarding on the cloud server, as well as added the forwarding rules to iptables. I have the wireguard VPN on subnet 10.200.200.0/24 and can successfully ping between any combination of the 3 peers (10.200.200.1, 10.200.200.2 & 10.200.200.3). Now I'm unsure how to get clients on office subnets in B & C to communicate. Do I also need to enable relaying/forwarding on the the two office wireguard peers in order for them to route from their respective office subnets to VPN subnets (eg 192.168.110.0 to 10.200.200.0)? As well as add the office subnets to the AllowedIPs list in each peers config? I also need to make sure clients in A can communicate with C. There is a Meraki AutoVPN between A and B, so I need to make sure peer B can also forward traffic to C from A. Lastly, I presume I will need to setup some static routes so A and C can communicate. Thanks in advance. submitted by /u/miyo360 [link] [comments]

Core switch to ASA gateway Posted: 19 Aug 2019 09:47 PM PDT Hi Everyone! I've got an ASA5508 managed through FMC and a c3560 core switch with most of the SVIs on the core handling the inter VLAN routing. The core switch default gateway is pointed to the internal ASA interface. I'm considering doing a redesign of the connection between the core and ASA, and I'd like to do a port-channel and have subinterfaces as the default gateways on the ASA, to better restrict traffic between VLANs since right now it is wide open. Our other sites are connected via DMVPN, using HSRP internal and using EIGRP to redistribute routes between sites. Currently, I've got the following on the core... interface Vlan8 ip address 192.168.8.41 255.255.255.0 standby 8 ip 192.168.8.1 standby 8 priority 200 standby 8 preempt ! interface Vlan9 ip address 192.168.9.41 255.255.255.0 standby 9 ip 192.168.9.1 standby 9 priority 200 standby 9 preempt ! interface vlan 50 ip address 192.168.50.41 255.255.255.0 standby 50 ip 192.168.50.1 standby 50 priority 200 standby 50 preempt ! ip route 0.0.0.0 0.0.0.0 10.101.8.254 ip default-gateway 10.101.9.1 On the ASA... Gi1/1 Inside 192.168.8.254 Po2.50 ServerMgmt 192.168.50.5 ASA policies seem fine, as I have it set to any/any. If I set the VLAN 50 host gateway to .1 I can access it just fine, but once I set it to .5 (the ASA) it's not accessible. I can see the routes being redistributed to our other sites, but if I try to reach a host on the VLAN 50 subnet, it times out once it reaches this core. Looking at the ASA logs it looks like SOME of the traffic makes it through the ASA, but only asymmetrically. My initial thought was PBR, but I wasn't sure if there was a better way to handle this. Thanks in advance! submitted by /u/MileHighImpala [link] [comments]

OOB (Out of Band) Management access Posted: 19 Aug 2019 07:24 PM PDT Our ISP provides us a 100mb circuit for out of band management, have any of you configure one on a Cisco ASR off an ISP. Looking for example configurations ... Static route ? will I be using the circuit IP address to access the box OOB remotely? Currently, our ISP provides us a GB bandwidth and an extra 100mb circuit that is not in use now- they mention it is for OOB access. I have done OOB internally to the network, but never of an ISP. Any config ideas to get this going will be great :) submitted by /u/hvcool123 [link] [comments]

What is the equivalent of ip local-proxy-arp of Cisco IOS on JunOS ?? Posted: 19 Aug 2019 04:42 PM PDT Any Juniper experts - please let me know, will continue to google meanwhile. submitted by /u/rameshpvn [link] [comments]

You are subscribed to email updates from Enterprise Networking news, blogs and discussion.. To stop receiving these emails, you may unsubscribe now.	Email delivery powered by Google
Google, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States