    Thursday, August 15, 2019

    Where and why do you use /31 in your network? Networking


    Where and why do you use /31 in your network?

    Posted: 15 Aug 2019 11:35 AM PDT

    Hey everyone.

    I've been working at a medium-sized service provider for a little over a year now. During that time, I've grown accustomed to /31 subnets being widely used throughout our network - virtually across the board, anywhere a /31 can be used it is, including lots of edge devices. I'm aware of some devices not liking this netmask, such as Windows servers or ESXi management interfaces; however, there are often workarounds such as reducing the mask on the interface. Linux flavors have no trouble with it.

    Having a discussion recently with someone who works in the industry in another country, they sounded rather horrified at this practice. I'm unsure if this is just because they learned using /30 subnetting and so don't get how it works. Most Cisco materials neglect to mention that you can even use /31. Are they used to typical LAN environments as opposed to predominantly routed infrastructure?

    I have the following questions for anyone who would like to chime in:

    • Is the use of /31 subnets considered bad practice?
    • Are there any particular places where this is/isn't a good idea?
    • Do you or your company utilize /31 subnets and have you run into any issues as a result?
    • If you saw x.x.x.0 as a gateway address would you have an aneurysm?

    Cheers

    submitted by /u/tsubakey

    SSL Decrypt; to tell users or not, that is the question

    Posted: 15 Aug 2019 04:07 PM PDT

    Hey everyone, currently in the middle of an SSL decrypt project for our enterprise. Executives and management do not believe it is necessary to inform the users and would rather keep it quiet.

    Have you deployed SSL decrypt in your organization? If so, did you circulate information to existing users and update your computer usage policy for future employees?

    submitted by /u/Metaphoric_Moose

    Sanity check for looking at jobs requiring certs.

    Posted: 14 Aug 2019 11:17 PM PDT

    Just need a small sanity check. I've been working in IT for about 10 years now. No formal education; I have a bachelor's in something else. Was lucky enough to move from help desk out of college to a better job via a recommendation (sysadmin of a state university, 5000+ people). Was recommended by a friend after that to a start-up (great timing, great Series C funding, 100 mil+, and now, as things go, slowly tanking) and have been there for four years as a network engineer. Watched it grow from 20 employees to 160.

    Looking to finally jump ship by my own free will (before I'm laid off and forced to) and find a stable career path that could support a future family if I were to have one. I'm very happy with my current salary (~100k) but wonder if the general nature of a start-up has inflated this. My stock is vested and very cheap if we were to get bought out, so not worried about missing out on that; just looking for stability in the future.

    All the jobs I've been looking at have required at the bare minimum a CCNA. I've been so busy working I've never thought to go down the cert path, but it seems it's time I might need to do that. I'm very comfortable with routing protocols, managing multi-site VPNs, automation (Python), etc. Great with Juniper stuff. Physically I've built out / designed server rooms / data closets, etc. (don't want to give away too much of what I do to coworkers that lurk this subreddit). My only fear is that I don't have the time to study before the layoffs happen. I'm digging in now just to get started regardless and it's all going fast, but it does take a few months to get the memorization of all the rote stuff down again.

    I only ask because I've never gone into a job search not already having networked myself in there. A lot of my coworkers seem to have ideas about jumping as well, but it's hard to work with them for connections as it's very sensitive with our current work culture to talk about it. Don't want to show my hand and risk getting let go early.

    I'm totally ready to start at the bottom again, but have gotten spoiled by a salary that has always felt too much to me. Probably fakers syndrome, but can't shake the worry.

    I assume job experience and recommendations will get me over the hurdle, but is it commonly cut and dry: if you don't have the certs you're passed over? I'm 30 now but don't have the experience of the actual dreaded "job search" to call on.

    This might need to go to another sub but I've always had good luck with advice given by you guys.

    submitted by /u/testestestststest

    Are you purchasing SDA or DNA Center type of products? Trying to gauge the market. I don't think there is one.

    Posted: 15 Aug 2019 08:12 AM PDT

    Post sales consultant here. I've been knee deep in ACI for the past few years and here lately have seen quite a push for DNA center and SDA products in the access layer. However I continue to feel like it won't take off for a few different reasons.

    1. Licensing. I deal with a lot of K-12 customers who really ride their gear off into the sunset, as they only get budget money for refreshes during bond elections every 5-10 years. So paying for yearly renewals just to keep things running does not seem to align with their current budgeting practices. I previously watched them purchase SmartNet contracts on only the highest-priority equipment (core/distro switches, voice gateways, edge routers).

    2. The learning curve required for those who typically work in the access layer is too steep for what is typically being paid in this arena.

    3. With SDA, are we solving a problem that cannot be solved today with the current sets of gear and tools available? Is this not just locking you into a complicated design that's incompatible with other vendors? It feels mainframe like when everything I purchase needs to be of the same vendor and phone home to the mothership for instructions.

    submitted by /u/jimothyjones

    Why isn’t Identity based NAT a thing?

    Posted: 15 Aug 2019 02:46 PM PDT

    So identity based access lists have become mostly readily available.

    Aka a known user/IP relationship uses a defined ACL rule.

    What is the limitation for identity based NAT?

    For NAT I feel we're restricted to User->Hardware MAC->Reserved DHCP (or Static IP) ->NAT translation...

    Some Internet services for business users restrict access to a specific IP or range.

    It'd be useful to perform Known User -> Public IP translation.

    I am ultimately just wondering why User to NAT translation isn't a thing.

    submitted by /u/davis-sean

    Can someone give some insight into why I'm seeing this? One of our public IPs came up on Shodan in an SMTP header with some other random IP

    Posted: 15 Aug 2019 12:55 PM PDT

    So I am just wondering if anyone has any ideas on how Shodan got this information.

    Just now, out of curiosity, I searched one of our /24s on Shodan and got a hit on some random IP in the Netherlands, but the match was an SMTP server response to what appears to be our public IP:

    220 [REDACTED] ESMTP Exim 4.84_2 [DATE]
    250-[REDACTED] Hello **OUR IP** [**OUR IP**]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP

    Now this public IP of ours belongs to a mail server, and I understand we could have sent mail to this domain/IP from the Shodan search results. My question is: how would Shodan have this information, unless they have access to this SMTP server or visibility into either our or their network traffic?

    Just from searching that "Exim 4.84_2" string from the data above shows a pattern of, what appears to me, Shodan observing SMTP exchanges between clients/servers that don't appear to belong to Shodan:

    https://i.imgur.com/pVc9wti.png

    How are they getting this stuff? I'm just curious if anyone has any insight. Thanks!

    submitted by /u/routetehpacketz
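
    What a record like the one above actually tells you can be read mechanically. The following is an added example, not code from the post or from Shodan: it parses a constructed EHLO exchange shaped like the quoted one (host names, date and client address are placeholders), grouping lines into replies the way RFC 5321 defines them, and reports the server software, the client identity the server echoed back in its "Hello" line, and the extensions it advertises.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample shaped like the Shodan record quoted in the post above; the host
# names, date and client address are placeholders, not values from the page.
SAMPLE_EXCHANGE = """220 mx.example.net ESMTP Exim 4.84_2 Thu, 15 Aug 2019 19:00:00 +0000
250-mx.example.net Hello scanner.example.org [203.0.113.7]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP"""


def split_replies(text: str) -> List[List[Tuple[str, str]]]:
    """Group lines into replies as RFC 5321 defines them:
    'NNN-text' continues a multi-line reply, 'NNN text' is its last line."""
    replies, current = [], []
    for line in text.splitlines():
        m = re.match(r"^(\d{3})([ -])(.*)$", line)
        if not m:
            raise ValueError(f"not an SMTP reply line: {line!r}")
        current.append((m.group(1), m.group(3)))
        if m.group(2) == " ":
            replies.append(current)
            current = []
    if current:
        raise ValueError("last reply is unterminated (still using 'NNN-')")
    return replies


def parse_exchange(text: str) -> Dict[str, object]:
    """Pull out what such a record tells you: the server software from the 220
    greeting, the client identity the server echoed in its EHLO reply, and the
    extensions it advertises."""
    info: Dict[str, object] = {"software": None, "peer_name": None,
                               "peer_addr": None, "extensions": {}}
    for reply in split_replies(text):
        code, first = reply[0]
        if code == "220":
            m = re.search(r"ESMTP\s+(\S+(?:\s+\d[\w.]*)?)", first)
            info["software"] = m.group(1) if m else None
        elif code == "250":
            m = re.search(r"Hello\s+(\S+)\s+\[([^\]]+)\]", first)
            if m:
                info["peer_name"], info["peer_addr"] = m.group(1), m.group(2)
            ext: Dict[str, List[str]] = {}
            for _, line in reply[1:]:
                keyword, *params = line.split()
                ext[keyword.upper()] = params
            info["extensions"] = ext
    return info


def observations(info: Dict[str, object]) -> List[str]:
    """Defender-side reading of the parsed record."""
    ext = info["extensions"]
    out = []
    if info["peer_addr"]:
        out.append(f"server reported the connecting client as {info['peer_name']} "
                   f"[{info['peer_addr']}]: that is the source address the server saw, "
                   "so the record identifies who made this particular connection")
    if "STARTTLS" in ext:
        out.append("STARTTLS offered: opportunistic TLS is available")
    if "AUTH" in ext:
        out.append(f"AUTH {' '.join(ext['AUTH'])} advertised on the plaintext EHLO reply; "
                   "verify the server refuses AUTH until TLS is negotiated")
    if ext.get("SIZE"):
        out.append(f"max message size {int(ext['SIZE'][0]) // (1024 * 1024)} MiB")
    return out


if __name__ == "__main__":
    parsed = parse_exchange(SAMPLE_EXCHANGE)
    print(parsed["software"], parsed["peer_addr"])
    for line in observations(parsed):
        print("-", line)
```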

    Is networking engineering getting kinda old.

    Posted: 15 Aug 2019 04:53 AM PDT

    I'm not calling you guys old, just experienced. This isn't intended to be discriminatory in any way.

    I feel like I started in IT rather early (20), and for the past 7 years I've consistently been the youngest person on any of my network teams. The majority of my seniors are usually 38+, and I've scarcely run into any younger folks getting into networking; everyone is doing DevOps, programming and virtualization/cloud.

    Like, I've heard of age discrimination in programming and software dev, but never once in NetEng. I feel like because networking is such a slow-moving piece of IT infrastructure (older protocols, manual input, limited autonomy, etc.) it doesn't really attract a lot of youth since it isn't "sexy" per se. I kinda see us as civil engineers or road construction, building the bridges/roads that keep everything running smoothly, but that takes months to complete.

    Sometimes I wonder how this will affect the field in the future; will we see a mass retiring of NetEng in 10-20 years and companies having trouble because everyone knows abstraction but not the fundamentals?

    Once again, this is an observation I've personally made and I'd like to see if anyone else has similar experiences. This could also be related to my employers.

    submitted by /u/Throwmojojojo

    eBGP Manipulation

    Posted: 15 Aug 2019 04:24 PM PDT

    Hey everyone, I have a BGP-related question. Let's say Site A (me) has two eBGP links with Site B, via two different ISP providers (ISP 1 and ISP 2). The same prefixes are advertised out of both links from the client (Site B). Traffic will be initiated from my side, Site A to Site B. I'm looking to manipulate the traffic outbound to prefer ISP 1 over 2 (primary and secondary).

    1. Plan is to set a higher local preference on the primary ISP link. Create a route map/prefix list and apply the RM on the BGP neighbour in the "IN" direction so it's applied to what our site receives.
    2. Here is my question. Is it advisable to also create a route map/prefix list and apply it in the "OUT" direction on the same BGP neighbour to ensure the return traffic also follows via the primary ISP 1 link? E.g., I can prepend on the neighbourship link to ISP 2 to make it longer so ISP 1 appears shorter and more desirable. Is this advisable or not at all required?

    Any other feedback is more than welcome, besides my question

    Thanks!

    submitted by /u/kramer9797
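
    To see what each of the two route-maps in the question changes, here is an added example (not code from the post): a simplified BGP best-path model with constructed private ASNs, where an inbound "set local-preference" decides Site A's outbound choice and an outbound AS_PATH prepend is the only part of that policy Site B ever sees. The weight step is omitted and MED is compared across neighbours, which a real router does only with "bgp always-compare-med"; both are assumptions of this model.

```python
from dataclasses import dataclass
from typing import List, Tuple

SITE_A, SITE_B, ISP1, ISP2 = 65001, 65002, 65101, 65102   # constructed private ASNs


@dataclass(frozen=True)
class Path:
    via: str                   # neighbour the path was learned from
    as_path: Tuple[int, ...]
    local_pref: int = 100      # IOS default when nothing sets it
    med: int = 0


def set_local_pref(path: Path, value: int) -> Path:
    """What an inbound route-map 'set local-preference' does to a received path."""
    return Path(path.via, path.as_path, value, path.med)


def prepend(path: Path, asn: int, count: int) -> Path:
    """What an outbound route-map 'set as-path prepend' does before advertising."""
    return Path(path.via, (asn,) * count + path.as_path, path.local_pref, path.med)


def decide(paths: List[Path]) -> Tuple[Path, str]:
    """Simplified best-path selection: highest LOCAL_PREF, then shortest AS_PATH,
    then lowest MED, then a deterministic tie-break. Returns the winner and the
    step that decided it."""
    steps = (("local_pref", lambda p: -p.local_pref),
             ("as_path", lambda p: len(p.as_path)),
             ("med", lambda p: p.med))
    for name, key in steps:
        best = min(key(p) for p in paths)
        paths = [p for p in paths if key(p) == best]
        if len(paths) == 1:
            return paths[0], name
    return min(paths, key=lambda p: p.via), "tie-break"


def site_a_outbound() -> Tuple[Path, str]:
    """Step 1 of the post: Site B's prefix arrives over both ISPs and the inbound
    route-map on the ISP 1 neighbour raises its local preference."""
    via_isp1 = set_local_pref(Path("ISP1", (ISP1, SITE_B)), 200)
    via_isp2 = Path("ISP2", (ISP2, SITE_B))
    return decide([via_isp1, via_isp2])


def site_b_return(prepend_count: int) -> Tuple[Path, str]:
    """Step 2: how Site B sees Site A's prefix when Site A prepends towards ISP 2.
    LOCAL_PREF is not carried across eBGP, so only the AS_PATH change travels."""
    adv_isp1 = Path("ISP1", (SITE_A,))
    adv_isp2 = prepend(Path("ISP2", (SITE_A,)), SITE_A, prepend_count)
    # each ISP puts its own ASN in front before handing the route to Site B
    seen = [Path(p.via, (isp,) + p.as_path)
            for p, isp in ((adv_isp1, ISP1), (adv_isp2, ISP2))]
    return decide(seen)


if __name__ == "__main__":
    print("Site A -> B:", site_a_outbound())
    print("Site B -> A, no prepend:", site_b_return(0))
    print("Site B -> A, prepend x2:", site_b_return(2))
```

    Without the prepend, Site B's choice between two equal-length paths falls through to whatever tie-break its router applies, so the return path is effectively arbitrary; with it, AS_PATH decides. A local preference configured on Site B's side still beats AS_PATH length, so the return path is ultimately Site B's call.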

    RFC 6598 - Carrier Grade NAT. How to Automate?

    Posted: 15 Aug 2019 08:27 AM PDT

    I'm in the process of building out a project for work and need some input since I've never worked at this type of level. We connect customers to different services, and the IPs assigned from those services are all over the 10.0.0.0/8 subnet and almost randomly assigned to us. Using the 10.0.0.0/8 space has proven difficult with conflicts on our customers' end, and we need a fix. We plan to use the 100.64.0.0/10 space identified in RFC 6598 to allow our customers to use a more friendly 100.64.0.0 IP address which is NAT'd to a 10.0.0.0/8 address with NAT44, or even possibly NAT46 in the future. This needs to scale to about 500,000 translations.

    I've built this out in a PoC and know that, technically, it works, but I need to figure out how to automate the process 100%. There are several triggers from our business processes that would require appends, drops, and edits to the iptables rules.

    I'm asking here to see if there are any CGN tools that help manage this level of NAT on this type of scale? I know it has to exist for some of the big providers but I'm not able to find anything. Anyone able to identify some tools that could help with this?

    submitted by /u/whats-your-password
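
    The automation problem in the post is a state reconciliation: a desired customer-facing-to-service mapping table must become the set of iptables appends and deletes that moves the nat table from what is loaded to what is wanted. The following is an added example, not the poster's PoC: it validates both sides against the RFC 6598 and RFC 1918 ranges, emits one 1:1 NAT44 rule pair per mapping, and refuses a table where two customer-facing addresses point at the same service address. The mappings are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

SHARED = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 shared address space
SERVICE = ipaddress.ip_network("10.0.0.0/8")     # where the real service addresses live


def validate(customer_ip: str, service_ip: str) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    c, s = ipaddress.ip_address(customer_ip), ipaddress.ip_address(service_ip)
    if c not in SHARED:
        raise ValueError(f"{c} is not in {SHARED}")
    if s not in SERVICE:
        raise ValueError(f"{s} is not in {SERVICE}")
    return c, s


def rule_pair(customer_ip: str, service_ip: str, action: str = "-A") -> List[str]:
    """One static 1:1 NAT44 translation as iptables commands. DNAT rewrites the
    customer-facing address to the service address; SNAT covers service-initiated
    traffic so it appears from the customer-facing address. Replies to DNAT'd flows
    are handled by conntrack and need no extra rule. action is -A (append) or -D (delete)."""
    c, s = validate(customer_ip, service_ip)
    return [
        f"iptables -t nat {action} PREROUTING -d {c} -j DNAT --to-destination {s}",
        f"iptables -t nat {action} POSTROUTING -s {s} -j SNAT --to-source {c}",
    ]


def reconcile(current: Dict[str, str], desired: Dict[str, str]) -> List[str]:
    """Commands that move the nat table from `current` to `desired` (both are maps of
    customer-facing address -> service address). Deletes are emitted before adds so a
    changed mapping never has two DNAT rules live at the same time."""
    if len(set(desired.values())) != len(desired):
        raise ValueError("a service address is mapped from two customer addresses; "
                         "the SNAT direction would be ambiguous")
    cmds: List[str] = []
    for cust, svc in sorted(current.items()):
        if desired.get(cust) != svc:
            cmds += rule_pair(cust, svc, "-D")
    for cust, svc in sorted(desired.items()):
        if current.get(cust) != svc:
            cmds += rule_pair(cust, svc, "-A")
    return cmds


if __name__ == "__main__":
    # constructed mappings: one changed, one unchanged, one new
    before = {"100.64.0.5": "10.1.2.3", "100.64.0.6": "10.9.9.9"}
    after = {"100.64.0.5": "10.1.2.4", "100.64.0.6": "10.9.9.9", "100.64.0.7": "10.20.0.1"}
    print("\n".join(reconcile(before, after)))
```

    A linear iptables chain is walked rule by rule, which is the wrong shape for 500,000 entries; the same reconcile logic can target nftables maps or ipset-backed rules, which look translations up by hash.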

    How is the Juniper EX2500?

    Posted: 15 Aug 2019 02:16 PM PDT

    I see that they are only marginally more expensive used than the ex4200-24f and the 2500 is 10GE and dual PS. Contemplating it..

    submitted by /u/dbh2

    client VPN access to intra-vpc resources in AWS in two different regions

    Posted: 15 Aug 2019 02:13 PM PDT

    I have an ASAv currently located in a single VPC. I have the RA VPN working; the VPN client DHCP pool is hosted on the ASAv.

    Things that are working:

    Client access VPN

    Access to the internal resources in the same VPC (VPC 1, Region A)

    I have a VPC peering link that exists between these two VPCs in two different regions

    Things that are working:

    I can ping devices in VPC 1 Region B from the ASAv and from other EC2 machines in VPC 1 Region A, and vice versa

    Things that won't work:

    Can't ping devices in VPC 1 Region B from the RA VPN subnet hosted on the ASAv in VPC 1 Region A (this appears to be a limitation in AWS: you cannot use VPC peering as a transit link between VPCs and a "corporate network", so AWS is not aware of my RA client subnet)

    Things I have tried:

    I have added a route to the RA subnet in VPC 1 Region B

    I have tried creating the same RA subnet on the ASAv in VPC 1 Region A for testing and attempted to use it as the DHCP scope for the RA clients; however, this does not appear to be supported in AWS

    I tried to use the AWS Transit Gateway to route traffic between VPCs; however, you have to create attachments, and the VPN attachment it supports is AWS site-to-site VPN VGWs, with no attachment to the device (ASAv) itself, so if I go this route I might as well do a direct site-to-site VPN to another ASA spun up in VPC 1 Region B.

    I have done several Google searches and pored through documentation, and the only way I see this being possible is a site-to-site tunnel from VPC 1 Region A to VPC 1 Region B. Does anyone know of any other way to achieve this?

    submitted by /u/jdm7718

    Network Meltdown

    Posted: 15 Aug 2019 08:14 AM PDT

    Alright guys, I need some help understanding what on earth went wrong with my network last night.

    The school I work at is about to do a full upgrade to its network, so after hours I plugged various objects into the network (Meraki MX64 firewall, Ubiquiti Cloud Key, Ubiquiti 500W 48-port switch, Ubiquiti AP), but then when I disconnected all of these objects I was unable to get the network back online.

    The network configuration is as follows: Cox internet comes into the modem; the modem then has a single wire that runs to the router, which connects the clients to wireless, attaches to the switches, runs the printer, etc. I thought I would be safe if I disconnected the router from the modem and then connected the new equipment. This isolates the new equipment from all of the equipment on the network, except for the modem. However, after disconnecting all new equipment and plugging the router back in, I was dismayed to find that only the direct connection to the modem provided connectivity. I rebooted both the modem and the router multiple times with no result; finally, I attached the router to the modem and direct-connected into the router, at which point the router acted as though it had never been on the network. There was no configuration on the device whatsoever, the password and username were both defaults, and I had to completely rebuild the network. Is this device failure or did I have a massive oversight?

    If anyone requires any further detail I am happy to provide it, I am incredibly annoyed that things went so poorly and am very interested in better understanding what happened.

    submitted by /u/MacStruggleBus

    Anybody know how to "break" a long-running command (e.g. ping with high repeat count) on Cisco Small Business switches?

    Posted: 15 Aug 2019 10:22 AM PDT

    Title says most of it...

    I have a bunch of Cisco SG300, SG500, and SG350X all over the place. I know that on "real" Ciscos, Ctrl + Shift + 6 is usually the break sequence, e.g. to terminate a long-running ping command.

    Ctrl+shift+6 does nothing on the Small Business series CLIs.

    I've also tried:

    • ctrl + break
    • shift + break
    • ctrl + shift + break
    • ctrl + alt + shift + break
    • sending "break" from the telnet client itself (and before anyone starts with "reeee telnet isn't secure," I'm fully aware, and I only use telnet if I know the network itself is secure e.g. I'm plugged straight into the switch with nothing else between. The way these switches handle SSH sucks [they ignore whatever username you send over SSH and make you manually input it again], so telnet is mildly more convenient.)

    Anybody have a clue?

    submitted by /u/ZPrimed

    NMS/CRM/Ticketing

    Posted: 15 Aug 2019 01:35 PM PDT

    Hi everyone, I work at what is basically a large state-owned ISP. We provide internet for many sites. We use so many tools... some are spreadsheets, some are house-made and aging, some are incoming and not really a good fit. I have been looking at tools that would help us integrate monitoring our Cisco devices and do some ticketing.

    It would be nice to be able to look at a customer's information, their equipment information, current tickets/past tickets, etc. I just saw this software, Sonar.software; it looks pretty good, but I think it's cloud-based.

    Is there anything self-hosted, or even a couple of offerings that fit together, that would compare to this software? We don't need billing: basic monitoring (up/down), device and customer information, ticketing that can show tickets based on customer/site. Inventorying would be nice, but mostly the other things.

    I have seen that some NMSs have plugins for ticketing, but I haven't seen anything really solid in terms of examples I can view.

    Any thoughts or suggestions?

    submitted by /u/michaelagaudio

    Bulk Patch Cables

    Posted: 15 Aug 2019 07:10 AM PDT

    Where does everyone order their bulk CAT6 patch cables? I need to order cables by the thousands and would like them not to be individually bagged and twist tied.

    submitted by /u/networkmonkey

    Can traffic from a node with the network portion of the IP address ending in zeros leak to other subnets?

    Posted: 15 Aug 2019 12:37 PM PDT

    If I have a device with IP address 10.0.0.1 and a subnet mask of 255.255.255.0, will it be able to talk to a second device with IP address 10.13.26.42 with subnet mask 255.0.0.0 without a router? Emphasis on the middle octets being all zero.

    Because I kinda think it can because the XOR of the IP address and subnet mask for both will be 10.0.0.0 and that appears to be how IP decides if they are in the same subnet.

    This came up because two devices with IP addresses 10.0.0.10 (255.255.255.0) and 10.0.1.11 (255.255.0.0) were found communicating with each other through a normal layer 2 switch like it was completely normal. I'm wondering if this is a freak bad implementation of the IP stack or if this is expected behavior.

    EDIT: Fixed and clarified my example.

    EDIT2: Tested further and this seems to be particular to these devices. Connecting directly to one of the two devices from a computer with the IP settings of the other device does not allow communication.

    submitted by /u/CapinWinky
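
    The decision each host makes is local and one-sided, so the useful check is to run it from both ends. Below is an added example, not code from the post: it applies the standard on-link test (address AND mask compared with destination AND mask) to the address pairs from the question and reports whether each side would ARP directly or hand the packet to a gateway, which is what makes mismatched masks fail in one direction only.

```python
import ipaddress
from typing import Tuple

Host = Tuple[str, str]   # (IPv4 address, dotted subnet mask)


def on_link(local: Host, dst_ip: str) -> bool:
    """True if `local` would deliver to dst_ip directly (ARP for it) rather than hand it
    to its gateway. The rule is (local AND mask) == (dst AND mask), a bitwise AND,
    which is what ipaddress computes when it derives the network from address + mask."""
    net = ipaddress.ip_interface(f"{local[0]}/{local[1]}").network
    return ipaddress.ip_address(dst_ip) in net


def reachability(a: Host, b: Host) -> Tuple[bool, bool]:
    """(A considers B on-link, B considers A on-link)."""
    return on_link(a, b[0]), on_link(b, a[0])


def verdict(a: Host, b: Host) -> str:
    a2b, b2a = reachability(a, b)
    if a2b and b2a:
        return "symmetric: both sides deliver directly, so a plain L2 switch is enough"
    if not a2b and not b2a:
        return "neither side considers the other on-link: a router is required"
    direct, via_gw = ("A", "B") if a2b else ("B", "A")
    return (f"asymmetric: {direct} would ARP directly, but {via_gw} sends to its gateway; "
            "with no gateway (or proxy ARP) on the segment the exchange fails")


if __name__ == "__main__":
    # address pairs from the post above, plus one symmetric pair for contrast
    for a, b in [(("10.0.0.1", "255.255.255.0"), ("10.13.26.42", "255.0.0.0")),
                 (("10.0.0.10", "255.255.255.0"), ("10.0.1.11", "255.255.0.0")),
                 (("10.0.0.5", "255.255.255.0"), ("10.0.0.6", "255.255.0.0"))]:
        print(a[0], "<->", b[0], reachability(a, b), "|", verdict(a, b))
```

    A router on the segment doing proxy ARP answers for off-link addresses and can make such an asymmetric pair appear to work, which is one reason the outcome can depend on which devices are plugged in.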

    Meraki AP's constantly losing connectivity

    Posted: 15 Aug 2019 12:26 PM PDT

    I'm stumped by this issue. A remote site has a bunch of Meraki APs, and they all constantly lose connectivity (like clockwork). I'm honestly stumped why these things keep disconnecting like this :(

    For the record - the last 2 times were at 3:30 am and 11:47 PM (when no one was in the office).

    https://imgur.com/a/0MnR1G6

    Just not sure what I should look at next.

    submitted by /u/acebossrhino

    Aruba in warehousing?

    Posted: 15 Aug 2019 11:50 AM PDT

    Currently we are a Cisco shop, looking at cutting costs. Our situation is that we have around 15000 sq ft of office space, and 750K sq ft of warehouse space, ceiling heights from 15 to 35 feet, contents ranging from containers on the floor all the way to dense high bay racking.

    A friend, who works in an utterly different industry (hospital), recommended we look into Aruba as a cheaper alternative (we've maxed out our current WLC and are thinking of moving to a higher-capacity model), so I'm hoping someone has either tried this kind of application or can provide some useful feedback. APs suitable for this situation? Hot, cold, dirty, high ceilings, outdoors?

    I'll be honest, we haven't dug into their product range yet, but warehousing/manufacturing/etc is conspicuously absent from their website. ;)

    submitted by /u/Gecko23

    Cisco config verification: VLAN settings for ESXi management/vMotion

    Posted: 15 Aug 2019 10:34 AM PDT

    I've got some new ESXi hosts coming in and I'm prepping the network config. Admittedly networking is one of my weaker points, but I'm working on it!

    Can someone take a look at my config and tell me if I'm on the right track?

    Most of this is copying from pre-existing configs elsewhere on our network, but I have no idea if the people who set it up did it right either. It just happens to work.

    General Info.

    • ESXi Management and vMotion on VLAN 101.
      • We don't use vMotion much (because we're on vCenter Essentials and don't get live migration...) so I'm OK with it sharing the Management network.
    • Data VLANs: 1 (hardwire), 17 (wireless)
    • Cisco Catalyst 4948, IOS v12.2(52)

    Switch config:

    interface GigabitEthernet1/38
     description p-esxi-02 Mgmt and vMotion
     switchport access vlan 101
     switchport mode access
     spanning-tree portfast
    interface GigabitEthernet1/41
     description p-esxi-03 Mgmt and vMotion
     switchport access vlan 101
     switchport mode access
     spanning-tree portfast
    interface Vlan101
     ip address 192.168.101.1 255.255.255.0
     ip helper-address 192.168.11.2

    Current Status

    • Two dummy hosts connected: one on g1/38, the other on g1/41
    • Both hosts get a DHCP address from 192.168.11.2 (in production each host will have a static non-DHCP address).
    • Both hosts can ping 192.168.101.1 and each other.
    • Neither host can ping anything outside the 101.0/24 subnet.
    • No host outside the 101.0/24 subnet can see or ping these hosts.

    Questions

    1. Is the above config sufficient?

    I believe that this config is sufficient for when the ESXi hosts arrive, since it ticks all the boxes (inter-VLAN communication, no external communication). Would people agree?

    Or do I need to provide more information?

    2. Ping one of the dummy hosts from a PC on VLAN 1 or 17?

    For testing, I want to be able to ping one of the dummy hosts from a PC on VLAN 1 or 17. How would I enable that?

    My initial thought was putting switchport trunk allowed vlan 1,17,101 on the interfaces, but that doesn't make sense to me. My understanding is that:

    1. trunk is used for switch-to-switch connections, and access is used for a single host (Source)
    2. setting switchport trunk <foo> and switchport mode access at the same time seems... wrong. With mode access, won't the trunk settings have no effect? Eg: trunk settings only apply with mode trunk?

    Basically I'd end up with:

    interface GigabitEthernet1/38
     description p-esxi-02 Mgmt and vMotion
     switchport access vlan 101
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 101
     switchport trunk allowed vlan 1,17,101
     switchport mode access
     spanning-tree portfast
    interface GigabitEthernet1/41
     description p-esxi-03 Mgmt and vMotion
     switchport access vlan 101
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 101
     switchport trunk allowed vlan 1,17,101
     switchport mode access
     spanning-tree portfast

    3. What best practices, if any, am I missing?

    Any tips?

    submitted by /u/dougthor42
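
    The suspicion in point 2 (trunk lines under "switchport mode access" do nothing) can be checked mechanically before the config goes on a switch. The following is an added example, not the poster's config or a Cisco tool: a small linter that parses IOS interface stanzas, works out which VLANs a port actually carries from its mode, and flags the inert lines; the input is a constructed copy of one port from the proposed config above.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed from the proposed config in the post above (one host port is enough).
PROPOSED = """\
interface GigabitEthernet1/38
 description p-esxi-02 Mgmt and vMotion
 switchport access vlan 101
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 101
 switchport trunk allowed vlan 1,17,101
 switchport mode access
 spanning-tree portfast
!
interface Vlan101
 ip address 192.168.101.1 255.255.255.0
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS config into {interface name: [its lines]}; '!' ends a stanza."""
    ifaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line and current is not None:
            ifaces[current].append(line)
    return ifaces


def expand_vlans(spec: str) -> Set[int]:
    """'1,17,101' or '10-12,20' -> set of VLAN ids."""
    out: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def effective_port(lines: List[str]) -> Dict[str, object]:
    """What a switchport will really carry, plus the lines that are doing nothing."""
    mode: Optional[str] = None
    access_vlan, native = 1, 1                 # IOS defaults
    allowed: Optional[Set[int]] = None         # None = all VLANs (trunk default)
    trunk_lines: List[str] = []
    for l in lines:
        if l == "switchport mode access":
            mode = "access"
        elif l == "switchport mode trunk":
            mode = "trunk"
        elif (m := re.fullmatch(r"switchport access vlan (\d+)", l)):
            access_vlan = int(m.group(1))
        elif (m := re.fullmatch(r"switchport trunk allowed vlan (\S+)", l)):
            allowed = expand_vlans(m.group(1))
            trunk_lines.append(l)
        elif (m := re.fullmatch(r"switchport trunk native vlan (\d+)", l)):
            native = int(m.group(1))
            trunk_lines.append(l)
        elif l.startswith("switchport trunk "):
            trunk_lines.append(l)
    warnings: List[str] = []
    if mode == "access":
        carried, untagged = {access_vlan}, access_vlan
        warnings += [f"'{l}' has no effect while 'switchport mode access' is set" for l in trunk_lines]
    elif mode == "trunk":
        carried, untagged = allowed, native
        if allowed is not None and native not in allowed:
            warnings.append(f"native VLAN {native} is not in the allowed list, so untagged frames are dropped")
    else:
        carried, untagged = None, None
        warnings.append("no 'switchport mode' line: the platform default (DTP negotiation on most Catalysts) decides")
    return {"mode": mode, "vlans": carried, "untagged": untagged, "warnings": warnings}


def lint(config: str) -> Dict[str, Dict[str, object]]:
    """Run effective_port over every switchport in the config (SVIs are skipped)."""
    return {name: effective_port(lines) for name, lines in parse_interfaces(config).items()
            if any(l.startswith("switchport") for l in lines)}


if __name__ == "__main__":
    for name, result in lint(PROPOSED).items():
        print(name, result["mode"], result["vlans"])
        for w in result["warnings"]:
            print("  warning:", w)
```

    Reaching a host on VLAN 101 from a PC on VLAN 1 or 17 is an inter-VLAN routing matter (the Vlan101 SVI and the PC's gateway), not something trunk lines on the host ports can provide.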

    Is configuring LACP server side only a thing?

    Posted: 15 Aug 2019 10:24 AM PDT

    Is there any legit reason for a Linux server admin to configure LACP on their NICs without getting the network team to put complementary LACP config on their side?

    submitted by /u/DudeImTheBagMan

    Cisco Switching Question

    Posted: 15 Aug 2019 01:55 AM PDT

    We are moving one of our servers to another branch; in order to do this, we need to know the bandwidth consumed by this server. The server is connected to a Fast Ethernet port on one of our switches. Is there a command where I can get the full details of the bandwidth being consumed by the server on that switch port? We need to do this because we need to decide whether or not we will need to go for a bandwidth upgrade when moving the server to the other branch.

    submitted by /u/enjyzayed

    PIM operation with unicast

    Posted: 15 Aug 2019 03:24 AM PDT

    I'm fairly new to multicast, apart from some music-on-hold configurations ages ago, so I could use a bit of guidance.

    I have a multicast source connected to a router (BGP peer) and I have a client which is connected to another internal router several hops away. Each router is configured with pim rp settings to link the multicast group to the IP of the source via next hops.

    Do I need to have end-to-end unicast connectivity between the client and source to allow multicast to operate properly?

    submitted by /u/Kslawr

    Reset SD-WAN router

    Posted: 15 Aug 2019 09:04 AM PDT

    Fun one.

    I am playing with building and rebuilding a router in my lab for SD-WAN (Viptela); however, I cannot figure out how to clear the config on the router. All the Cisco web docs point to a "could not find" webpage as well. Anyone have the secret commands?
    Tried reset, erase nvram:, and the traditional commands I knew.

    submitted by /u/wraithscrono

    How to configure a /31 range on a Ubiquiti UniFi Security Gateway?

    Posted: 15 Aug 2019 09:01 AM PDT

    Hi there,

    We have recently had a new circuit connected which is exposed to us via SFP. Our previous circuit was exposed via Ethernet, causing us to upgrade our security gateway to a UniFi Security Gateway 4P.

    We've been provided new IP address details with the circuit, e.g. 200.0.0.82/31. This is the first time we've dealt with a /31 subnet mask; our previous one was a /30 and we had no issues.

    We are struggling to configure this correctly on the USG. We couldn't get this working at all on the initial configuration page and could only get it to accept the subnet when configuring through the Unifi controller.

    Now that it's configured, we can't access the internet via the interface at all. Ping reports:

    From 200.0.0.83 icmp_seq=1 Destination Host Unreachable

    and traceroute returns address unreachable:

    ubnt:~# /usr/bin/traceroute -i eth3 8.8.8.8
    traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 38 byte packets
     1  200.0.0.83 (200.0.0.83)  3000.969 ms !H  2998.886 ms !H  2999.820 ms !H

    Our network configuration is as follows:

    Type: Static
    IP Address: 200.0.0.83
    Subnet mask: 255.255.255.254
    Router: 200.0.0.82

    Here are the interface details:

    eth3      Link encap:Ethernet  HWaddr
              inet addr:200.0.0.83  Bcast:0.0.0.0  Mask:255.255.255.254
              inet6 addr:  Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:809 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 B)  TX bytes:34246 (33.4 KiB)

    show interfaces:

    eth3  200.0.0.83/31  u/u  WAN2

    show configuration:

    ethernet eth3 {
        address 200.0.0.83/31
        description WAN2
        firewall {
            in {
                ipv6-name WANv6_IN
                name WAN_IN
            }
            local {
                ipv6-name WANv6_LOCAL
                name WAN_LOCAL
            }
            out {
                ipv6-name WANv6_OUT
                name WAN_OUT
            }
        }
    }

    We're not sure whether the USG supports this subnet mask. Any pointers would be greatly appreciated.

    submitted by /u/Joshx00
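
    Both this question and the /31 discussion that opens the page come down to the same arithmetic from RFC 3021: in a /31 there is no network or broadcast address, both addresses are hosts, and the peer is the address with the last bit flipped. The following is an added example, not code from either post or from Ubiquiti: it lists the usable addresses of a prefix, derives the /31 peer, checks a static address/mask/router entry like the one above for consistency, and counts how many links a block yields at /31 versus /30.

```python
import ipaddress
from typing import List


def usable_addresses(network: str) -> List[str]:
    """Host addresses in a prefix. In a /31 (RFC 3021) both addresses are hosts: there
    is no separate network or broadcast address, which is why x.x.x.0 can be a router."""
    net = ipaddress.ip_network(network, strict=False)
    lo, hi = int(net.network_address), int(net.broadcast_address)
    hosts = range(lo, hi + 1) if net.prefixlen >= 31 else range(lo + 1, hi)
    return [str(ipaddress.ip_address(i)) for i in hosts]


def p2p_peer(addr_with_prefix: str) -> str:
    """The other end of a /31 link: flip the last address bit."""
    iface = ipaddress.ip_interface(addr_with_prefix)
    if iface.network.prefixlen != 31:
        raise ValueError(f"{addr_with_prefix} is not a /31")
    return str(ipaddress.ip_address(int(iface.ip) ^ 1))


def check_static(addr: str, mask: str, gateway: str) -> List[str]:
    """Sanity-check a static WAN entry as typed into the USG: address, dotted mask, router.
    Returns the problems found (an empty list means the addressing is consistent)."""
    iface = ipaddress.ip_interface(f"{addr}/{mask}")
    net, gw = iface.network, ipaddress.ip_address(gateway)
    problems: List[str] = []
    if gw == iface.ip:
        problems.append("gateway is the interface's own address")
    elif gw not in net:
        problems.append(f"gateway {gw} is outside {net}; the device cannot ARP for it")
    elif net.prefixlen <= 30 and gw in (net.network_address, net.broadcast_address):
        problems.append(f"gateway {gw} is the network or broadcast address of {net}")
    return problems


def links_per(block: str, link_prefixlen: int) -> int:
    """How many point-to-point links a block yields at a given link size (/31 vs /30)."""
    return 2 ** (link_prefixlen - ipaddress.ip_network(block).prefixlen)


if __name__ == "__main__":
    print(usable_addresses("10.0.0.0/31"), usable_addresses("10.0.0.0/30"))
    print(p2p_peer("200.0.0.83/31"))
    print(check_static("200.0.0.83", "255.255.255.254", "200.0.0.82") or "USG addressing OK")
    print(links_per("10.0.0.0/24", 31), "x /31 vs", links_per("10.0.0.0/24", 30), "x /30")
```

    The USG entry above passes this check, and the interface counters on the page show RX packets:0, so nothing has come back on eth3 at all: the !H from the gateway's own address is the local stack failing to resolve 200.0.0.82, which points at the link or the provider side rather than the addressing.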
