Where and why do you use /31 in your network? Networking
- Where and why do you use /31 in your network?
- SSL Decrypt; to tell users or not, that is the question
- Sanity check for looking at jobs requiring certs.
- Are you purchasing SDA or DNA Center type of products? Trying to gauge the market. I don't think there is one.
- Why isn’t Identity based NAT a thing?
- Can someone give some insight into why I'm seeing this? One of our public IPs came up on Shodan in an SMTP header with some other random IP
- Is networking engineering getting kinda old.
- eBGP Manipulation
- RFC 6598 - Carrier Grade NAT. How to Automate?
- How is the Juniper EX2500?
- client VPN access to intra-vpc resources in AWS in two different regions
- Network Meltdown
- Anybody know how to "break" a long-running command (e.g. ping with high repeat count) on Cisco Small Business switches?
- NMS/CRM/Ticketing
- Bulk Patch Cables
- Can traffic from a node with the network portion of the IP address ending in zeros leak to other subnets?
- Meraki AP's constantly losing connectivity
- Aruba in warehousing?
- Cisco config verification: VLAN settings for ESXi management/vMotion
- Is configuring LACP server side only a thing?
- Cisco Switching Question
- PIM operation with unicast
- Reset SD-WAN router
- How to configure a /31 range on a Ubiquiti UniFi Security Gateway?
Where and why do you use /31 in your network? Posted: 15 Aug 2019 11:35 AM PDT Hey everyone. I've been working at a medium-sized service provider for a little over a year now. During that time, I've grown accustomed to /31 subnets being widely used throughout our network; virtually across the board, anywhere a /31 can be used it is, including lots of edge devices. I'm aware of some devices not liking this netmask, such as Windows servers or ESXi management interfaces, however there are often workarounds such as reducing the mask on the interface. Linux flavors have no trouble with it. Having a discussion recently with someone who works in the industry in another country, they sounded rather horrified at this practice. I'm unsure if it's just that, because they learned by using /30 subnetting, they don't get how it works? Most Cisco materials neglect to mention that you can even use /31. Are they used to typical LAN environments as opposed to predominantly routed infrastructure? I have the following questions for anyone who would like to chime in:
Cheers
SSL Decrypt; to tell users or not, that is the question Posted: 15 Aug 2019 04:07 PM PDT Hey everyone, currently in the middle of an SSL decrypt project for our enterprise. Executives and management do not believe it is necessary to inform the users and would rather keep it quiet. Have you deployed SSL decrypt in your organization? If so, did you circulate information to existing users and update your computer usage policy for future employees?
Sanity check for looking at jobs requiring certs. Posted: 14 Aug 2019 11:17 PM PDT Just need a small sanity check. I've been working in IT for about 10 years now. No formal education; have a bachelor's in something else. Was lucky enough to move from help desk out of college to a better job via a recommendation (sysadmin of a state university, 5000+ people). Was recommended by a friend after that to a start-up (great timing, great series C funding, 100 mil+, and now, as things go, slowly tanking) and have been there for four years as a network engineer. Watched it grow from 20 employees to 160. Looking to finally jump ship by my own free will (before I'm laid off and forced to) and find a stable career path that could support a future family if I were to have one. I'm very happy with my current salary (~100k) but wonder if the general nature of a start-up has inflated this. My stock is vested and very cheap if we were to get bought out, so not worried about missing out on that; just looking for stability in the future. All the jobs I've been looking at have required at the bare minimum a CCNA. I've been so busy working I've never thought to go down the cert path, but it seems it's time I might need to do that. I'm very comfortable with routing protocols, managing multi-site VPNs, automation (Python), etc. Great with Juniper stuff. Physically I've built out / designed server rooms / data closets etc. (don't want to give away too much of what I do to coworkers that lurk this subreddit). My only fear is that I don't have the time to study before the layoffs happen. I'm digging in now just to get started regardless and it's all going fast, but it does take a few months to get the memorization of all the rote stuff down again. I only ask because I've never gone into a job search not already having networked myself in there.
A lot of my coworkers seem to have ideas about jumping as well, but it's hard to work with them for connections as it's very sensitive with our current work culture to talk about it; don't want to show my hand and risk getting let go early. I'm totally ready to start at the bottom again, but have gotten spoiled by a salary that has always felt too much to me. Probably faker's syndrome, but can't shake the worry. I assume job experience and recommendations will get me over the hurdle, but is it commonly cut and dried: if you don't have the certs you're passed over? I'm 30 now but don't have the experience of the actual dreaded "job search" to call on. This might need to go to another sub but I've always had good luck with advice given by you guys.
Are you purchasing SDA or DNA Center type of products? Trying to gauge the market. I don't think there is one. Posted: 15 Aug 2019 08:12 AM PDT Post-sales consultant here. I've been knee deep in ACI for the past few years and lately have seen quite a push for DNA Center and SDA products in the access layer. However I continue to feel like it won't take off for a few different reasons.
Why isn’t Identity based NAT a thing? Posted: 15 Aug 2019 02:46 PM PDT So identity-based access lists have become mostly readily available, aka a known user/IP relationship uses a defined ACL rule. What is the limitation for identity-based NAT? For NAT I feel we're restricted to User -> Hardware MAC -> Reserved DHCP (or Static IP) -> NAT translation. Some Internet services for business users restrict access to a specific IP or range. It'd be useful to perform Known User -> Public IP translation. I am ultimately just wondering why User to NAT translation isn't a thing.
Can someone give some insight into why I'm seeing this? One of our public IPs came up on Shodan in an SMTP header with some other random IP Posted: 15 Aug 2019 12:55 PM PDT So I am just wondering if anyone has any ideas on how Shodan got this information. Just now, out of curiosity, I searched one of our /24s on Shodan and got a hit on some random IP in the Netherlands, but the match was an SMTP server response to what appears to be our public IP: Now this public IP of ours belongs to a mail server, and I understand we could have sent mail to this domain/IP from the Shodan search results. My question is: how would Shodan have this information, unless they have access to this SMTP server or visibility into either our or their network traffic? Just searching for that "Exim 4.84_2" string from the data above shows a pattern of, what appears to me, Shodan observing SMTP exchanges between clients/servers that don't appear to belong to Shodan: https://i.imgur.com/pVc9wti.png How are they getting this stuff? I'm just curious if anyone has any insight. Thanks!
Is networking engineering getting kinda old. Posted: 15 Aug 2019 04:53 AM PDT I'm not calling you guys old, just experienced. This isn't intended to be discriminatory in any way. I feel like I started in IT rather early (20) and for the past 7 years I've consistently been the youngest person on any of my network teams; the majority of my seniors are usually 38+ and I've scarcely run into any younger folks getting into networking, everyone is DevOps, programming and virtualization/cloud. I've heard of age discrimination in programming and software dev, but never once in NetEng. I feel like because networking is such a slow-moving piece of IT infrastructure (older protocols, manual input, limited autonomy etc.) it doesn't really attract a lot of youth since it isn't "sexy" per se. I kinda see us as civil engineers or road construction, building the bridges/roads that keep everything running smoothly, but that takes months to complete. Sometimes I wonder how this will affect the field in the future; will we see a mass retiring of NetEng in 10-20 years and companies having trouble because everyone knows abstraction but not the fundamentals? Once again this is an observation I've personally made and I'd like to see if anyone else has similar experiences. This could also be related to my employers.
eBGP Manipulation Posted: 15 Aug 2019 04:24 PM PDT Hey everyone, have a BGP-related question. Let's say Site A (me) has two eBGP links with Site B, via two different ISP providers (ISP 1 and 2). The same prefixes are advertised out of both links from the client (Site B). Traffic will be initiated from my side, Site A to Site B. I'm looking to manipulate the traffic outbound to prefer ISP 1 over 2 (primary and secondary).
Any other feedback is more than welcome, besides my question. Thanks!
RFC 6598 - Carrier Grade NAT. How to Automate? Posted: 15 Aug 2019 08:27 AM PDT I'm in the process of building out a project for work and need some input since I've never worked at this type of level. We connect customers to different services and the IPs assigned from those services are all over the 10.0.0.0/8 subnet and almost randomly assigned to us. Using the 10.0.0.0/8 space has proven difficult, with conflicts on our customers' end, and we need a fix. We plan to use the 100.64.0.0/10 identified in RFC 6598 to allow our customers to use a more friendly 100.64.0.0 IP address which is NAT'd to a 10.0.0.0/8 address with NAT44, or even possibly NAT46 in the future. This needs to scale to about 500,000 translations. I've built this out in a PoC and know that, technically, it works, but I need to figure out how to automate the process 100%. There are several triggers from our business processes that would require appends, drops, and edits to the iptables rules. I'm asking here to see if there are any CGN tools that help manage this level of NAT at this type of scale. I know it has to exist for some of the big providers but I'm not able to find anything. Anyone able to identify some tools that could help with this?
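The post above describes a static 1:1 NAT44 table (a customer-facing 100.64.0.0/10 address bound to each backend 10.0.0.0/8 service address) that has to be appended to, dropped from and edited by business-process triggers. The following is an added example of what the allocator behind such a table looks like; it is not a tool the poster or any vendor ships. It assumes a Linux translator whose nat-table PREROUTING chain does the DNAT (customer -> service) and whose POSTROUTING chain does the matching SNAT on the return path; the pool layout (skipping the first and last address of the /10) and the sample 10.x service addresses are constructed for the example.

```python
"""
Skeleton of a 1:1 NAT44 allocator: each backend 10.0.0.0/8 service address gets
one customer-facing address from the RFC 6598 shared space 100.64.0.0/10, and
every add, drop and edit returns the iptables commands that keep the translator
in step with the table. Added example; assumed chain layout (DNAT in
PREROUTING, SNAT in POSTROUTING), constructed sample addresses.
"""
import ipaddress

SHARED_SPACE = "100.64.0.0/10"                  # RFC 6598, customer-facing side
BACKEND = ipaddress.ip_network("10.0.0.0/8")    # where the services really live


class Nat44Table:
    """Static one-to-one mappings: inside (10.x service) <-> outside (100.64.x)."""

    def __init__(self, pool=SHARED_SPACE):
        self.pool = ipaddress.ip_network(pool)
        self.next_index = 1          # skip the pool's first address (constructed choice)
        self.free = []               # released outside addresses, reused first
        self.outside_by_inside = {}
        self.inside_by_outside = {}

    def _take_outside(self):
        if self.free:
            return self.free.pop()
        # leave the pool's last address unused as well
        if self.next_index >= self.pool.num_addresses - 1:
            raise RuntimeError(f"shared address pool {self.pool} exhausted")
        addr = self.pool[self.next_index]
        self.next_index += 1
        return addr

    @staticmethod
    def _rules(action, outside, inside):
        """iptables commands for one mapping; action is '-A' (append) or '-D' (delete)."""
        return [
            f"iptables -t nat {action} PREROUTING -d {outside} -j DNAT --to-destination {inside}",
            f"iptables -t nat {action} POSTROUTING -s {inside} -j SNAT --to-source {outside}",
        ]

    def add(self, inside):
        """Bind a fresh outside address to a service; returns (outside, rules to apply)."""
        inside = ipaddress.ip_address(inside)
        if inside not in BACKEND:
            raise ValueError(f"{inside} is not inside {BACKEND}")
        if inside in self.outside_by_inside:
            raise ValueError(f"{inside} is already mapped")
        outside = self._take_outside()
        self.outside_by_inside[inside] = outside
        self.inside_by_outside[outside] = inside
        return str(outside), self._rules("-A", outside, inside)

    def drop(self, inside):
        """Remove a mapping and recycle its outside address; returns rules to delete."""
        inside = ipaddress.ip_address(inside)
        outside = self.outside_by_inside.pop(inside)
        del self.inside_by_outside[outside]
        self.free.append(outside)
        return self._rules("-D", outside, inside)

    def edit(self, old_inside, new_inside):
        """Service moved: the customer keeps its outside address, the backend changes."""
        old = ipaddress.ip_address(old_inside)
        new = ipaddress.ip_address(new_inside)
        if new not in BACKEND:
            raise ValueError(f"{new} is not inside {BACKEND}")
        if new in self.outside_by_inside:
            raise ValueError(f"{new} is already mapped")
        outside = self.outside_by_inside.pop(old)
        self.outside_by_inside[new] = outside
        self.inside_by_outside[outside] = new
        # delete the old pair first so there is never a moment with two DNAT targets
        return self._rules("-D", outside, old) + self._rules("-A", outside, new)

    def outside_for(self, inside):
        return str(self.outside_by_inside[ipaddress.ip_address(inside)])

    def __len__(self):
        return len(self.outside_by_inside)


if __name__ == "__main__":
    table = Nat44Table()
    outside, rules = table.add("10.17.4.9")   # constructed service address
    print(outside)
    print("\n".join(rules))
```

The returned command lists are meant to be batched (for example through iptables-restore in one transaction per trigger) rather than run one by one, so a failure halfway through a business-process event never leaves a half-applied mapping; the table itself is the source of truth and can be re-rendered in full at any time.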
How is the Juniper EX2500? Posted: 15 Aug 2019 02:16 PM PDT I see that they are only marginally more expensive used than the ex4200-24f, and the 2500 is 10GE and dual PS. Contemplating it...
client VPN access to intra-vpc resources in AWS in two different regions Posted: 15 Aug 2019 02:13 PM PDT I have an ASAv currently located in a single VPC. I have the RA VPN working using the VPN client; the DHCP pool is hosted on the ASAv.
Things that are working: client VPN access to the internal resources in the same VPC (VPC 1, Region A). I have a VPC peering link that exists between these two VPCs in two different regions. I can ping devices in VPC 1 Region B from the ASAv and from other EC2 machines in VPC 1 Region A, and vice versa.
Things that won't work: I can't ping devices in VPC 1 Region B from the RA VPN subnet hosted on the ASAv in VPC 1 Region A (this appears to be a limitation in AWS: you cannot use VPC peering as a transit link between VPCs and a "corporate network", so AWS is not aware of my RA client subnet).
Things I have tried: I have added a route to the RA subnet in VPC 1 Region B. I have tried creating the same RA subnet used on the ASAv in VPC 1 Region A for testing and attempted to use it as the DHCP scope for the RA clients; however, this does not appear to be supported in AWS. I tried to use the AWS Transit Gateway to route traffic between VPCs; however, you have to create attachments, and the VPN attachment it supports is AWS site-to-site VPN VGWs, with no attachment to the device (ASAv) itself, so if I go this route I might as well do a direct site-to-site VPN to another ASA spun up in VPC 1 Region B. I have done several Google searches and pored through documentation, and the only way I see this being possible is a site-to-site tunnel from VPC 1 Region A to VPC 1 Region B. I didn't know if anyone knew of any other way to achieve this?
Network Meltdown Posted: 15 Aug 2019 08:14 AM PDT Alright guys, I need some help understanding what on earth went wrong with my network last night. The school I work at is about to do a full upgrade to its network, so after hours I plugged various objects into the network (Meraki MX64 firewall, Ubiquiti Cloud Key, Ubiquiti 500W 48-port switch, Ubiquiti AP), but then when I disconnected all of these objects I was unable to get the network back online. The network configuration is as follows: Cox internet comes into the modem, the modem then has a single wire that runs to the router, which connects the clients to wireless, attaches to the switches, runs the printer, etc. I thought I would be safe if I disconnected the router from the modem and then connected the new equipment. This isolates the new equipment from all of the equipment on the network, except for the modem. However, after disconnecting all new equipment and plugging the router back in, I was dismayed to find that only the direct connection to the modem provided connectivity. I rebooted both the modem and the router multiple times with no result; finally I attached the router to the modem and direct connected into the router, at which point the router acted as though it had never been on the network. There was no configuration on the device whatsoever, the password and username were both defaults, and I had to completely rebuild the network. Is this device failure or did I have a massive oversight? If anyone requires any further detail I am happy to provide it. I am incredibly annoyed that things went so poorly and am very interested in better understanding what happened.
Anybody know how to "break" a long-running command (e.g. ping with high repeat count) on Cisco Small Business switches? Posted: 15 Aug 2019 10:22 AM PDT Title says most of it... I have a bunch of Cisco SG300, SG500, and SG350X all over the place. I know that on "real" Ciscos, Ctrl + Shift + 6 is usually the break sequence, e.g. to terminate a long-running ping. Ctrl+Shift+6 does nothing on the Small Business series CLIs. I've also tried:
Anybody have a clue?
NMS/CRM/Ticketing Posted: 15 Aug 2019 01:35 PM PDT Hi everyone, I work at what is basically a large state-owned ISP. We provide internet for many sites. We use so many tools... some are spreadsheets, some are home-made and aging, some are incoming and not really a good fit. I have been looking at tools that would help us integrate monitoring of our Cisco devices and do some ticketing. It would be nice to be able to look at a customer's information, their equipment information, current tickets/past tickets etc. I just saw this software, Sonar.software; it looks pretty good, but I think it's cloud based. Is there anything self-hosted, or even a couple of offerings that fit together, that would compare to this software? We don't need billing; basic monitoring (up/down), device and customer information, ticketing that can show tickets based on customer/site. Inventorying would be nice but mostly the other things. I have seen that some NMSs have plugins for ticketing, but I haven't seen anything really solid in terms of examples I can view. Any thoughts or suggestions?
Bulk Patch Cables Posted: 15 Aug 2019 07:10 AM PDT Where does everyone order their bulk CAT6 patch cables? I need to order cables by the thousands and would like them not to be individually bagged and twist-tied.
Can traffic from a node with the network portion of the IP address ending in zeros leak to other subnets? Posted: 15 Aug 2019 12:37 PM PDT If I have a device with IP address 10.0.0.1 and a subnet mask of 255.255.255.0, will it be able to talk to a second device with IP address 10.13.26.42 with subnet mask 255.0.0.0 without a router? Emphasis on the middle octets being all zero. Because I kinda think it can, because the XOR of the IP address and subnet mask for both will be 10.0.0.0, and that appears to be how IP decides if they are in the same subnet. This came up because two devices with IP addresses 10.0.0.10 (255.255.255.0) and 10.0.1.11 (255.255.0.0) were found communicating with each other through a normal layer 2 switch like it was completely normal. I'm wondering if this is a freak bad implementation of the IP stack or if this is expected behavior. EDIT: Fixed and clarified my example. EDIT2: Tested further and this seems to be particular to these devices. Connecting directly to one of the two devices from a computer with the IP settings of the other device does not allow communication.
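The on-link decision that the question above turns on, as an added example (not the poster's code or test): an IPv4 host ANDs the destination address with its own subnet mask and compares the result with its own network address, and each end makes that decision independently. With mismatched masks the result is asymmetric, one side ARPs for the peer directly while the other hands the packet to its default gateway, which is why a pair can appear to work behind a router and fail when cabled back to back. The addresses and masks below are the constructed values from the question, not taken from any real device.

```python
"""
How an IPv4 host decides whether a destination is on its own link: bitwise AND
of the destination with the host's OWN mask, compared with the host's own
network. Added example; addresses are the constructed ones from the question.
"""
import ipaddress


def network_of(ip, mask):
    """Network address as a host computes it: bitwise AND of address and mask."""
    addr = int(ipaddress.ip_address(ip))
    m = int(ipaddress.ip_address(mask))
    return str(ipaddress.ip_address(addr & m))


def on_link(src_ip, src_mask, dst_ip):
    """True if src, using its own mask, treats dst as directly reachable (no router)."""
    return network_of(dst_ip, src_mask) == network_of(src_ip, src_mask)


def reachability(a_ip, a_mask, b_ip, b_mask):
    """(A considers B on-link, B considers A on-link): decided independently at each end."""
    return on_link(a_ip, a_mask, b_ip), on_link(b_ip, b_mask, a_ip)


def can_talk_without_router(a_ip, a_mask, b_ip, b_mask):
    """Both directions must be on-link; otherwise one side has to go via a gateway."""
    a_to_b, b_to_a = reachability(a_ip, a_mask, b_ip, b_mask)
    return a_to_b and b_to_a


if __name__ == "__main__":
    # The two pairs from the question (constructed values).
    for a, am, b, bm in [
        ("10.0.0.1", "255.255.255.0", "10.13.26.42", "255.0.0.0"),
        ("10.0.0.10", "255.255.255.0", "10.0.1.11", "255.255.0.0"),
    ]:
        a_to_b, b_to_a = reachability(a, am, b, bm)
        print(f"{a}/{am} -> {b}: on-link={a_to_b}; "
              f"{b}/{bm} -> {a}: on-link={b_to_a}; "
              f"direct without router={can_talk_without_router(a, am, b, bm)}")
```

In both of the question's pairs the /8 or /16 side sees its /24 peer as on-link and ARPs for it directly, while the /24 side does not see the peer in its own network and sends to its gateway; if a router on the segment forwards (or proxy-ARPs for) that half, the conversation works, and with only a cable between the two boxes it does not, which matches the poster's EDIT2.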
Meraki AP's constantly losing connectivity Posted: 15 Aug 2019 12:26 PM PDT I'm stumped by this issue. A remote site has a bunch of Meraki APs, and they all constantly lose connectivity (like clockwork). I'm honestly stumped why these things keep disconnecting like this :( For the record, the last 2 times were at 3:30 AM and 11:47 PM (when no one was in the office). Just not sure what I should look at next.
Aruba in warehousing? Posted: 15 Aug 2019 11:50 AM PDT Currently we are a Cisco shop, looking at cutting costs. Our situation is that we have around 15,000 sq ft of office space and 750K sq ft of warehouse space, ceiling heights from 15 to 35 feet, contents ranging from containers on the floor all the way to dense high-bay racking. A friend, who works in an utterly different industry (hospital), recommended we look into Aruba as a cheaper alternative (we've maxed out our current WLC, thinking of moving to a higher-capacity model), so I'm hoping someone has either tried this kind of application or can provide some useful feedback. APs suitable for this situation? Hot, cold, dirty, high ceilings, outdoors? I'll be honest, we haven't dug into their product range yet, but warehousing/manufacturing/etc. is conspicuously absent from their website. ;)
Cisco config verification: VLAN settings for ESXi management/vMotion Posted: 15 Aug 2019 10:34 AM PDT I've got some new ESXi hosts coming in and I'm prepping the network config. Admittedly networking is one of my weaker points, but I'm working on it! Can someone take a look at my config and tell me if I'm on the right track? Most of this is copied from pre-existing configs elsewhere on our network, but I have no idea if the people who set it up did it right either. It just happens to work. General info:
Switch config: Current status:
Questions
1. Is the above config sufficient? I believe that this config is sufficient for when the ESXi hosts arrive, since it ticks all the boxes (inter-VLAN communication, no external communication). Would people agree? Or do I need to provide more information?
2. Ping one of the dummy hosts from a PC on VLAN 1 or 17? For testing, I want to be able to ping one of the dummy hosts from a PC on VLAN 1 or 17. How would I enable that? My initial thought was putting
Basically I'd end up with:
3. What best practices, if any, am I missing? Any tips?
Is configuring LACP server side only a thing? Posted: 15 Aug 2019 10:24 AM PDT Is there any legit reason for a Linux server admin to configure LACP on their NICs without getting the network team to put the complementary LACP config on their side?
Cisco Switching Question Posted: 15 Aug 2019 01:55 AM PDT We are moving one of our servers to another branch; in order to do this, we need to know the bandwidth consumed by this server. The server is connected to a Fast Ethernet port on one of our switches. Is there a command with which I can get the full details of the bandwidth being consumed by the server on that switch port? We need to do this because we need to decide whether we will need to go for a bandwidth upgrade when moving the server to the other branch.
PIM operation with unicast Posted: 15 Aug 2019 03:24 AM PDT I'm fairly new to multicast apart from some music-on-hold configurations ages ago, so could use a bit of guidance. I have a multicast source connected to a router (BGP peer) and I have a client which is connected to another internal router several hops away. Each router is configured with PIM RP settings to link the multicast group to the IP of the source via next hops. Do I need to have end-to-end unicast connectivity between the client and source to allow multicast to operate properly?
Reset SD-WAN router Posted: 15 Aug 2019 09:04 AM PDT Fun one. I am playing with building and rebuilding a router in my lab for SD-WAN (Viptela); however, I cannot figure out how to clear the config on the router. All the Cisco web docs point to a "could not find" webpage as well. Anyone have the secret commands?
How to configure a /31 range on a Ubiquiti UniFi Security Gateway? Posted: 15 Aug 2019 09:01 AM PDT Hi there, we have recently had a new circuit connected which is exposed to us via SFP. Our previous circuit was exposed via Ethernet, causing us to upgrade our security gateway to a UniFi Security Gateway 4P. We've been provided new IP address details with the circuit, e.g. 200.0.0.82/31. This is the first time we've dealt with a /31 subnet mask; our previous was a /30 and no issues. We are struggling to configure this correctly on the USG. We couldn't get this working at all on the initial configuration page and could only get it to accept the subnet when configuring through the UniFi controller. Now that it's configured, we can't access the internet via the interface at all. Our network configuration is as follows: Here are the interface details: show interfaces: show configuration: We're not sure if the USG supports this subnet? Any pointers would be greatly appreciated.
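The arithmetic behind both /31 threads in this digest (the service-provider question at the top and the USG question just above), as an added example that is not the posters' code or anything from Ubiquiti: a /31 point-to-point link (RFC 3021) has no network or broadcast address, both addresses are hosts, and the peer is always the address that differs in the last bit, so every link costs two addresses instead of the four a /30 burns. The block also works through the "reduce the mask" workaround mentioned in the first post for hosts that refuse /31: widening the mask only helps if the peer is still a usable host under the wider mask, and for an even-numbered local address with /30 it is not (the peer becomes that /30's broadcast). 200.0.0.82/31 is the example prefix quoted in the USG post; which of the pair the provider holds is an assumption here.

```python
"""
/31 (RFC 3021) versus /30 point-to-point addressing. Added example; the prefix
200.0.0.82/31 is the example value from the USG post, and the wider-mask
workaround is the one described in the first /31 post.
"""
import ipaddress


def usable_hosts(cidr):
    """Host addresses of the link containing cidr, in ascending order."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 32:
        return [str(net.network_address)]
    if net.prefixlen == 31:
        # RFC 3021: both addresses are usable, nothing is reserved
        return [str(net.network_address), str(net.broadcast_address)]
    # /30 and shorter: first address is the network, last is the broadcast
    return [str(a) for a in net][1:-1]


def peer_of(cidr):
    """The far end of a two-host point-to-point link, given our own address/mask."""
    local = str(ipaddress.ip_interface(cidr).ip)
    others = [h for h in usable_hosts(cidr) if h != local]
    if len(others) != 1:
        raise ValueError(f"{cidr} is not a two-host point-to-point link")
    return others[0]


def addresses_consumed(links, prefixlen):
    """Address space burned by a number of point-to-point links of one size."""
    return links * 2 ** (32 - prefixlen)


def peer_usable_with_mask(local_cidr, peer, prefixlen):
    """Workaround check: if this host is reconfigured with a wider mask because it
    refuses /31, is the peer still an ordinary host address under that mask?"""
    local_ip = ipaddress.ip_interface(local_cidr).ip
    return peer in usable_hosts(f"{local_ip}/{prefixlen}")


if __name__ == "__main__":
    link = "200.0.0.82/31"
    print("usable on", link, "->", usable_hosts(link), "peer", peer_of(link))
    print("1000 links: /31 uses", addresses_consumed(1000, 31),
          "addresses, /30 uses", addresses_consumed(1000, 30))
    for wider in (30, 29):
        print(f"/{wider} on .82 keeps .83 reachable as a host:",
              peer_usable_with_mask(link, "200.0.0.83", wider))
```

This only settles the addressing: whether the USG's configuration front end accepts a /31 on its WAN interface is the open question in the post above and is not answered here.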