    Monday, September 30, 2019

    Moronic Monday! Networking


    Moronic Monday!

    Posted: 29 Sep 2019 06:04 PM PDT

    It's Monday, you've not yet had coffee and the week ahead is gonna suck. Let's open the floor for a weekly Stupid Questions Thread, so we can all ask those questions we're too embarrassed to ask!

    Post your question - stupid or otherwise - here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer. Serious answers are not expected.

    submitted by /u/AutoModerator
    [link] [comments]

    IDF/MDF/IPF

    Posted: 30 Sep 2019 12:26 PM PDT

    Hey everyone, I'm a critical facilities technician. Part of my job is to escort vendors into our IDF/MDF/IPF rooms. My question is the actual difference between each. I know that the MDF is the main distribution frame and the IDF is the intermediate distribution frame. But isn't an IPF and MDF basically the same thing? Hoping someone is able to clarify things for me and correct me if anything is inaccurate. Thanks!

    submitted by /u/350sid
    [link] [comments]

    VyOS Max Arp Table Size

    Posted: 30 Sep 2019 01:49 PM PDT

    My google-fu is failing at this.

    Anyone know the max arp table size for a current release of VyOS?

    submitted by /u/pedrotheterror
    [link] [comments]

    Brocade VE question

    Posted: 30 Sep 2019 12:45 PM PDT

    I need to configure a new vlan and VE for some VOIP traffic, but I do not want this traffic to be routable to any other VE on the brocade. Is there an easy way to accomplish this?

    I was hoping at first to create just a vlan on the brocade and let the endpoints contact each other directly, but a new requirement is that the brocade needs to have an IP in this vlan so it can be probed for connectivity.

    Thanks!

    submitted by /u/CageFreeWeiner
    [link] [comments]

    Is there any tool/app you guys use to automatically upgrade routers/switches to the newest IOS?

    Posted: 30 Sep 2019 11:16 AM PDT

    I hate tenable.

    Rather than me sifting through all my remote switches and routers to see if the vulnerability is actually applicable to my network, I'd like to have a central hub of sorts where I can push out upgrades. Does such a tool exist?

    Also I do need to upgrade my fleet, it's been a while, so this would be a two birds, one stone sort of thing.

    Does anything like this exist?

    TY

    Edit: I do have SolarWinds but that seems iffy; is there anything Cisco-related? I'd rather not use a third-party app unless it's been proven.

    edit2: what has happened in the past is that these Tenable scans would be assigned to me and then I would go into different devices to see if it was actually applicable to our environment. I would run the commands necessary to show InfoSec that this device is not vulnerable. Then when they realize it's not, they ask, well, is it upgraded to the most recent IOS? They are trying to remain PCI compliant, so now proving that the device is not vulnerable isn't the only thing that matters anymore... they want everything upgraded to the newest IOS, which is where this all stemmed from.

    submitted by /u/greenmust
    [link] [comments]

    1-year-ago-me just saved my ass, aka "babbies first core switch failure"

    Posted: 29 Sep 2019 03:16 PM PDT

    tl;dr - Core switch died while I was halfway across the country. Due to how I built the network a year ago, there was no outage and I looked super cool and competent through my first major device failure.

    Friday night I'm hanging out in the United club lounge at the airport waiting for my flight to start boarding when my phone lights up with texts from Solarwinds that some stuff has gone down, including a bunch of stuff (like our Edge switches) that made no sense.

    So I VPN in, which was weird because if our edge switches were both down then I wouldn't have been able to connect to the VPN. I couldn't get to some devices through the regular network but I was still able to access them through our Cradle-point Out-Of-Band cellular backup network, and everything looked like it was still passing traffic just fine.

    Initially I was thinking this was a Solarwinds freakout, but then after a couple of minutes of checking things I realized that one of the switches in our collapsed core (we have a pair of stacked C9300s that act as both Core and Distribution layer) had died.

    But because I'd been neurotic about dual-homing all of our Access layer switches and server switches, and making sure that all other systems that connected to the core were as redundant as possible . . . no one noticed. There was some reduced bandwidth internally, but there was no downtime for anything and aside from us in the IT department, no one knew there was any sort of a problem.

    By this time I'd boarded my flight, but I opened a TAC case from the in-flight wi-fi and once I got back on site Saturday morning I was able to sort out what happened.

    It turns out that one of the switches in the core stack had experienced a spontaneous reboot for unknown reasons, but then it stayed down because the "Manual Boot" option was set. Once I was in the console and issued a Boot command, it came back up and everything was hunky-dory. I turned off the manual boot option, cycled in again and we're good.

    Lessons learned:

    • Out-Of-Band management networks are super duper awesome and I'm so glad that I put it in place.
    • High-availability is super duper awesome and I'm so glad that I insisted we spend the money on it, rather than cheaping out and crossing our fingers that nothing goes wrong.
    • Some ethernet serial devices might be worth it so I can get into the console remotely, rather than just the management interface
    • Maybe I'm not as bad at my job as I'm always worried that I am.

    Edit: Thanks for all the words of wisdom and congratulatory messages. :) It's always nice to be able to celebrate a solid victory with others who understand and have been here before. <3

    submitted by /u/Princess_Fluffypants
    [link] [comments]

    Is there a context where SHA128 exists?

    Posted: 30 Sep 2019 08:15 AM PDT

    Hi, I am setting up a site-to-site VPN between a customer and its partner company.

    The partner company sends us a VPN form where it requires the auth protocol to be SHA128 (phase 1 and 2), but, as far as I know, SHA is 160-bit (SHA1) or more (SHA2).

    I told them this could be an error, but they said that's what they always use to establish their VPN connections, so they are not going to change those settings.

    I'm guessing they are using some template or naming convention that I don't know.

    The only info about their device is the brand name: Palo Alto Networks (our side device is a Watchguard Firebox).

    Any idea what it could mean?

    submitted by /u/gallet0
    [link] [comments]
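As an added example that is not part of the post or of either vendor's documentation: the Python below (standard library only) lists the digest widths the SHA family actually has, shows which hashlib algorithm is 128 bits wide, and computes the truncated HMAC tags that IKE/IPsec negotiate under names such as HMAC-SHA-1-96 and HMAC-SHA-256-128 (RFC 2404 and RFC 4868), which is where 96- and 128-style numbers legitimately appear next to a SHA name. The key and message are constructed placeholders.

```python
"""Digest widths and IPsec-style truncated HMAC tags for the SHA family (stdlib only)."""
import hashlib
import hmac


def digest_bits(name):
    """Output width in bits of a fixed-length hashlib algorithm, e.g. 'sha1' -> 160."""
    return hashlib.new(name).digest_size * 8


def is_known_hash(name):
    """True if hashlib (via OpenSSL) knows an algorithm by this exact name."""
    return name in hashlib.algorithms_available


def hashes_with_bits(bits):
    """Guaranteed fixed-length hashlib algorithms whose digest is exactly `bits` wide."""
    names = []
    for name in sorted(hashlib.algorithms_guaranteed):
        if name.startswith("shake_"):  # extendable-output functions have no fixed width
            continue
        if digest_bits(name) == bits:
            names.append(name)
    return names


# IKE/IPsec integrity transforms: the HMAC is computed over the full hash output and
# then truncated. Names and tag lengths follow RFC 2404 (HMAC-SHA-1-96) and RFC 4868
# (HMAC-SHA-256-128, HMAC-SHA-384-192, HMAC-SHA-512-256).
IPSEC_INTEG = {
    "hmac-sha1-96":    ("sha1",   12),
    "hmac-sha256-128": ("sha256", 16),
    "hmac-sha384-192": ("sha384", 24),
    "hmac-sha512-256": ("sha512", 32),
}


def untruncated_hmac(alg, key, data):
    """Full HMAC digest for the hash underlying an IPsec integrity transform."""
    hname, _ = IPSEC_INTEG[alg]
    return hmac.new(key, data, hname).digest()


def ipsec_integrity_tag(alg, key, data):
    """ICV as it appears on the wire: the HMAC truncated to the transform's tag length."""
    _, tag_len = IPSEC_INTEG[alg]
    return untruncated_hmac(alg, key, data)[:tag_len]


if __name__ == "__main__":
    # Constructed placeholder key/message; real IPsec keys come out of the IKE exchange.
    key, msg = b"example-integrity-key", b"ESP payload bytes"
    for name in ("sha1", "sha256", "sha384", "sha512"):
        print(f"{name}: {digest_bits(name)} bits")
    print("known as 'sha128'?", is_known_hash("sha128"))
    print("128-bit digests among guaranteed algorithms:", hashes_with_bits(128))
    for alg in IPSEC_INTEG:
        print(f"{alg}: {len(ipsec_integrity_tag(alg, key, msg)) * 8}-bit tag")
```

Running it shows no algorithm named sha128, SHA-1 at 160 bits, SHA-2 at 256/384/512 bits, MD5 as the only 128-bit digest in the guaranteed set, and the 96/128/192/256-bit truncated tags that the IPsec transform names encode.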

    Any point in doing CCNA specialist anymore?

    Posted: 30 Sep 2019 06:22 AM PDT

    The new CCNA (Out in Feb 2020) will replace the following certifications:

    • CCNA Cloud
    • CCNA Collaboration
    • CCDA
    • CCNA Data Center
    • CCNA Industrial
    • CCNA Routing and Switching
    • CCNA Security
    • CCNA Service Provider
    • CCNA Wireless

    Any point in passing these specialist exams anymore if they are being phased out with just one generic CCNA?

    To me it looks like Cisco are undervaluing the old CCNA and making CCNP the go-to networking cert to have in the future, and the prerequisite companies are going to start demanding for jobs.

    Going for a CCNA after Feb 2020? hey kids just go straight to CCNP with 2 exams and skip CCNA!

    All of us network engineers who have put in the hard work to obtain a CCNA with a specialist cert and planned on going on to CCNP will feel cheated, now that you can just fast-forward your Cisco networking certs.

    What are everyone's thoughts on this?

    submitted by /u/madzonn
    [link] [comments]

    Untwisted pair length in gigabit Ethernet cables

    Posted: 30 Sep 2019 05:11 AM PDT

    I am a test system designer, not a network engineer, looking for some direction in where to find the appropriate standard.

    I am working on a design in a test station that will require passing gigabit Ethernet through a non-standard connector (think similar to a D-sub style of pins).

    I know there is a maximum length of untwisted pair allowed in an Ethernet cable run before the signal is degraded to the point it can no longer link at the desired rate, if at all.

    What I am having trouble with is where to find this specification. I don't necessarily need an answer here to the maximum length, but pointing me in the direction of the appropriate spec or a commercial product spec referencing the industry standard would be all I need.

    submitted by /u/Mikernd
    [link] [comments]

    Show logging information in SNMP

    Posted: 30 Sep 2019 05:47 PM PDT

    Hi,

    Is it possible to gather all the logs using snmpwalk, and what would be the equivalent command/OID for the current logging that exists on the device?

    example command using snmpwalk:

    snmpwalk -v2c -c public 10.13.1.21 <oid/snmp> 

    Thanks

    submitted by /u/1searching
    [link] [comments]

    GCM vs CBC

    Posted: 30 Sep 2019 07:27 AM PDT

    Hi,

    I've been replacing my routers and they have the option for Site-to-Site VPN to do GCM for phase 1 & 2. I've read my vendor's documentation, which says that on some models you may see a performance increase. General searching indicates that GCM may use more CPU.

    What are peoples thoughts on switching to GCM? See any performance increase or other benefits?

    submitted by /u/NeedsMoarCoffee
    [link] [comments]

    Verifying configuration using ansible

    Posted: 30 Sep 2019 08:18 AM PDT

    I've been fighting with ansible to try and verify configuration on our devices.

    The tough part is getting it to only verify the configuration I care about. My ansible code is simple and looks like so:

    ---
    - name: Diff config
      gather_facts: false
      hosts: all
      tasks:
        - ios_config:
            diff_against: intended
            intended_config: "{{ lookup('file', '/home/config.txt') }}"

    And this is the file config.txt:

    radius-server host 1.1.1.1
    radius-server host 2.2.2.2

    I only want it to verify those specific lines and ignore the rest of the config.

    Currently if I run this using the ansible ios_config module and the diff_against options then it shows the device missing all the rest of the config. I have tried using the diff_ignore_lines option but it would end up being a massive file ignoring lines and lines of config.

    Can anyone help with what I am trying to do here? I cannot figure it out for the life of me.

    submitted by /u/ing80nFU4r225KrEgEBP
    [link] [comments]
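An added example, not from the post and not part of the Ansible project: `diff_against: intended` compares the whole running config against the intended file, so every line not listed in the file shows up as a difference. The check below does the narrower thing the post asks for, in plain Python: parse both texts into (parent, line) pairs one level of IOS indentation deep, and report only the intended lines that are absent from the running config. The running config and the `line vty` entries are constructed for illustration; only the two radius-server lines come from the post.

```python
"""Report only the intended IOS config lines that are missing from a running config."""


def config_pairs(text):
    """Turn IOS-style config text into ordered (parent, line) pairs.

    Top-level commands get parent None; lines indented by one or more spaces are
    attached to the most recent top-level command (one nesting level, which covers
    interface, line vty, router and similar blocks). Blank lines and '!' are skipped.
    """
    pairs = []
    parent = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line.startswith(" "):
            pairs.append((parent, line.strip()))
        else:
            parent = line.strip()
            pairs.append((None, parent))
    return pairs


def missing_lines(running_text, intended_text):
    """Intended (parent, line) pairs not present in the running config, in intended order.

    Lines present on the device but absent from the intended file are deliberately
    ignored, so a two-line intent file does not flag the rest of the config as drift.
    """
    present = set(config_pairs(running_text))
    return [pair for pair in config_pairs(intended_text) if pair not in present]


def is_compliant(running_text, intended_text):
    return not missing_lines(running_text, intended_text)


# Constructed running config standing in for `show running-config` output.
RUNNING = """\
hostname sw-lab-01
!
radius-server host 1.1.1.1
!
line vty 0 4
 transport input ssh
 exec-timeout 10 0
!
end
"""

# Intended lines: the two radius-server hosts from the post, plus a constructed
# `line vty` block showing that indented children are matched under their parent.
INTENDED = """\
radius-server host 1.1.1.1
radius-server host 2.2.2.2
line vty 0 4
 transport input ssh
 access-class VTY-MGMT in
"""

if __name__ == "__main__":
    for parent, line in missing_lines(RUNNING, INTENDED):
        where = f"under '{parent}'" if parent else "at top level"
        print(f"MISSING {where}: {line}")
```

With the constructed inputs the report names exactly two lines: the second radius-server host at top level and the access-class under `line vty 0 4`; the hostname, exec-timeout and `end` lines that exist only on the device are not reported.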

    Questions about Juniper SRX firewall config/operation

    Posted: 30 Sep 2019 04:45 PM PDT

    Hi,

    I am trying to understand if we could do the following with a Juniper SRX3000 series firewall.

    We are behind our organization's data center firewall. We are one of the units behind the firewall. Our default gateway for our externally routed subnets is on the SRX firewall. We would like to bring down the routing (for all our subnets, both internal and external) to our new layer 3 switches and use the SRX as our default next hop. Our network and infosec teams are saying that the SRX cannot operate as a transit router (I don't know the proper term for this function) without massive changes to its config and how the firewall is operated. I tried to understand the necessary changes by reading the SRX manual. I couldn't find any info on how the firewall needs to be changed to act as a transit router with filtering.

    Can you throw some light on this issue? Is the firewall operation that different between it acting as default gateway vs transit router?

    Thanks!

    submitted by /u/ansraj
    [link] [comments]

    NetMRI Alternatives

    Posted: 30 Sep 2019 06:51 AM PDT

    We currently use NetMRI for automation, policy control, monitoring changes etc. We are going to be up for renewal soon, and I'm trying to get an idea of whats out there. NetMRI was in place when I came to this job, but if there is a better product I'd like to look into it. I like NetMRI for what it is, and it may still be the best value so I'm fine with staying with it, but would appreciate other suggestions.

    submitted by /u/Vontech615
    [link] [comments]

    SSH Attempts from Public IP reaching TACACS Server, They Shouldn't!

    Posted: 30 Sep 2019 05:45 AM PDT

    Hello Network people,

    I have an HPE MSR edge router that has an ACL on the VTY interface which permits only private IPs. However, today I got an alarm from the TACACS server that there are too many failed auth attempts. So when I see the logs on the router I see failed auth attempts from 182.61.163.252 (China), when, simply put, these attempts should be dropped by the router like many other IPs by virtue of the ACL.

    This is the configuration for the VTY 0-15 lines

    user-interface vty 0 15
     acl 2023 inbound
     authentication-mode scheme
     idle-timeout 15 0
     protocol inbound ssh

    This is acl 2023

    acl number 2023
     description VTY Access
     rule 10 permit vpn-instance management source 10.0.0.0 0.255.255.255
     rule 65534 deny

    I tried to log in myself from a public IP and the ACL works as expected. Looking in the logs, this is also the case for many other public IPs. Below are some log entries for this IP that is somehow entertained by the router:

    %Sep 28 14:11:24:527 2019 RTR-HP-SOC1-INET-02 FTPD/6/FTPD_REQUEST: User (182.61.163.252) request: USER www-data.
    %Sep 28 14:11:23:855 2019 RTR-HP-SOC1-INET-02 FTPD/5/FTPD_LOGIN_FAILED: User test (182.61.163.252) failed to log in.
    %Sep 28 14:11:23:821 2019 RTR-HP-SOC1-INET-02 FTPD/6/FTPD_REQUEST: User test (182.61.163.252) request: PASS ***.
    %Sep 28 14:11:23:591 2019 RTR-HP-SOC1-INET-02 FTPD/6/FTPD_REQUEST: User (182.61.163.252) request: USER test.
    %Sep 28 14:11:22:890 2019 RTR-HP-SOC1-INET-02 FTPD/5/FTPD_LOGIN_FAILED: User test (182.61.163.252) failed to log in.
    %Sep 28 14:11:22:863 2019 RTR-HP-SOC1-INET-02 FTPD/6/FTPD_REQUEST: User test (182.61.163.252) request: PASS ***.
    %Sep 28 14:11:22:626 2019 RTR-HP-SOC1-INET-02 FTPD/6/FTPD_REQUEST: User (182.61.163.252) request: USER test.
    %Sep 28 14:11:21:934 2019 RTR-HP-SOC1-INET-02 FTPD/5/FTPD_LOGIN_FAILED: User test (182.61.163.252) failed to log in.
    %Sep 28 14:11:21:904 2019 RTR-HP-SOC1-INET-02 FTPD/6/FTPD_REQUEST: User test (182.61.163.252) request: PASS ***.
    %Sep 28 14:11:21:685 2019 RTR-HP-SOC1-INET-02 FTPD/6/FTPD_REQUEST: User (182.61.163.252) request: USER test.
    %Sep 28 14:11:21:027 2019 RTR-HP-SOC1-INET-02 FTPD/5/FTPD_LOGIN_FAILED: User test (182.61.163.252) failed to log in.

    and below is a sample from the logs of normal behavior:

    %Sep 30 08:43:30:613 2019 RTR-HP-SOC1-INET-02 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 218.92.0.204 on VTY0 due to IP restriction..
    %Sep 30 08:43:30:587 2019 RTR-HP-SOC1-INET-02 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 218.92.0.204 on VTY0 due to IP restriction..
    %Sep 30 08:43:30:556 2019 RTR-HP-SOC1-INET-02 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 218.92.0.204 on VTY0 due to IP restriction..
    %Sep 30 08:43:30:552 2019 RTR-HP-SOC1-INET-02 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 218.92.0.204 on VTY0 due to IP restriction..
    %Sep 30 08:43:25:032 2019 RTR-HP-SOC1-INET-02 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 35.197.227.71 on VTY0 due to IP restriction..
    %Sep 30 08:43:19:944 2019 RTR-HP-SOC1-INET-02 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 222.186.31.136 on VTY0 due to IP restriction..
    %Sep 30 08:43:11:801 2019 RTR-HP-SOC1-INET-02 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 49.88.112.70 on VTY0 due to IP restriction..

    Can anyone think of a reason why the IP in question is able to bypass the ACL?

    submitted by /u/jjforti
    [link] [comments]
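An added example, not from the post: the two log excerpts differ in more than the source address, and grouping the lines by module and mnemonic makes that visible. The Python below parses HPE Comware syslog lines of the form `%<timestamp> <host> <MODULE>/<severity>/<MNEMONIC>: <text>`, pulls the source IP out of the message text, and counts events per (outcome, module, source). The sample lines are a subset copied verbatim from the post; the outcome labels are this example's own.

```python
"""Group HPE Comware login-related syslog lines by service, outcome and source IP."""
import re
from collections import Counter, defaultdict

# Comware line shape: %Sep 28 14:11:24:527 2019 <host> <MODULE>/<sev>/<MNEMONIC>: <text>
LOG_RE = re.compile(
    r"^%(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}:\d{3} \d{4}) "
    r"(?P<host>\S+) (?P<module>\w+)/(?P<sev>\d)/(?P<mnemonic>\w+): (?P<text>.*)$"
)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_line(line):
    """Return the line's fields plus 'src' (first IPv4 in the text, or None); None if no match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    ip = IP_RE.search(rec["text"])
    rec["src"] = ip.group(0) if ip else None
    return rec


def classify(rec):
    """Label what the line says happened to the attempt (labels are this example's own)."""
    if rec["mnemonic"] == "SHELL_LOGINFAIL" and "IP restriction" in rec["text"]:
        return "ssh-rejected-by-vty-acl"   # refused on the VTY before any credential check
    if rec["mnemonic"] == "FTPD_LOGIN_FAILED":
        return "ftp-credentials-rejected"  # reached the FTP login, i.e. not a VTY session
    if rec["mnemonic"] == "FTPD_REQUEST":
        return "ftp-command"
    return "other"


def summarize(lines):
    """Counter keyed by (outcome, module, source IP)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[(classify(rec), rec["module"], rec["src"])] += 1
    return counts


def services_by_source(lines):
    """Map each source IP to the sorted list of outcomes observed from it."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["src"]:
            seen[rec["src"]].add(classify(rec))
    return {ip: sorted(v) for ip, v in seen.items()}


# Subset of the log lines quoted in the post (verbatim).
SAMPLE_LOGS = [
    "%Sep 28 14:11:24:527 2019 RTR-HP-SOC1-INET-02 FTPD/6/FTPD_REQUEST: User (182.61.163.252) request: USER www-data.",
    "%Sep 28 14:11:23:855 2019 RTR-HP-SOC1-INET-02 FTPD/5/FTPD_LOGIN_FAILED: User test (182.61.163.252) failed to log in.",
    "%Sep 28 14:11:23:821 2019 RTR-HP-SOC1-INET-02 FTPD/6/FTPD_REQUEST: User test (182.61.163.252) request: PASS ***.",
    "%Sep 28 14:11:22:890 2019 RTR-HP-SOC1-INET-02 FTPD/5/FTPD_LOGIN_FAILED: User test (182.61.163.252) failed to log in.",
    "%Sep 28 14:11:21:934 2019 RTR-HP-SOC1-INET-02 FTPD/5/FTPD_LOGIN_FAILED: User test (182.61.163.252) failed to log in.",
    "%Sep 30 08:43:30:613 2019 RTR-HP-SOC1-INET-02 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 218.92.0.204 on VTY0 due to IP restriction..",
    "%Sep 30 08:43:30:587 2019 RTR-HP-SOC1-INET-02 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 218.92.0.204 on VTY0 due to IP restriction..",
    "%Sep 30 08:43:11:801 2019 RTR-HP-SOC1-INET-02 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 49.88.112.70 on VTY0 due to IP restriction..",
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOGS).items()):
        print(n, *key)
```

On the sample, every event from 182.61.163.252 is logged by the FTPD module and none by SHELL, while the addresses in the "normal behavior" excerpt are all SHELL_LOGINFAIL rejections on VTY0. The module and mnemonic fields are therefore the first thing to pivot on when an alert names a source that the VTY ACL should have stopped.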

    IPsec vs EasyVPN

    Posted: 30 Sep 2019 01:53 PM PDT

    I haven't been able to find any useful information on Google as to why my company would use EVPN for remote sites rather than just setting up IPsec tunnels. Could this be because of cost? The amount of usage for the remote sites? Are there any obvious advantages of using one over the other?

    submitted by /u/networkfundie
    [link] [comments]

    ISP internal vulnerability scanning

    Posted: 30 Sep 2019 07:41 AM PDT

    Looking for some insight on how other Network engineers handle vulnerability testing.

    Some history: I work at a mid-size ISP that offers FTTH services via Adtran TA5000s and 5004s. Our network security team (who primarily come from government sector backgrounds) feel the need to be scanning all of our core transport equipment. This has not necessarily been a big deal, other than that they wreak havoc on our alarm log with the hundreds of failed login attempts. Last week, though, we came in to find about 14 of our 65 nodes refusing Telnet and SSH connections. After 12 hours of troubleshooting with Adtran we finally discovered that all of the 384 TCP listening slots were locked up. We rebooted the system controller to clear all the connections and all was good. Over the next few days and several troubleshooting instances with Adtran we discovered the list of IPs that were holding the TCP connections. They were all from our network security team's probes. It came to light that their scans had discovered a bug in Adtran's firmware where a very specific set of port scanning would allow port 77 to get locked in the SYN-RECEIVED state and would not time out the connection. Each scan would grab anywhere from 3-7 connections on this port, so after a few months all available connections are used.

    All of this to be said, what do other engineers at ISPs do as far as handling vulnerability scanning? I've talked to someone I know at another ISP, and they thought it was ridiculous to be scanning the core equipment. Their mindset was that all of the transport equipment should be behind a firewall and have no public access, so there is no reason to be scanning it. My team feels the same way, but the security guys don't agree, and will not stop scanning even though they are killing us on this management issue.

    If anyone has some white papers, or any kind of information one way or another that would be extremely helpful.

    submitted by /u/Wamadeus13
    [link] [comments]
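An added illustration, not from the post and not specific to Adtran: the failure described (listener slots stuck in SYN-RECEIVED until the table of 384 is full) is the kind of slow leak a periodic check on the management plane can catch long before the last slot goes. The Python below parses `ss -tan`-style output from a Linux host (a constructed sample, with 10.0.0.5:77 standing in for the affected listener), counts half-open connections per local port and per peer, and flags any port whose count has reached a fraction of a stated capacity. The column layout assumed is the usual `ss -tan` one: State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port.

```python
"""Flag listening ports that are accumulating half-open (SYN-RECV) TCP connections."""
from collections import Counter


def parse_ss_tan(output):
    """Yield (state, local_port, peer_ip) from `ss -tan` style text; header lines are skipped."""
    for raw in output.splitlines():
        parts = raw.split()
        if len(parts) < 5 or parts[0] in ("State", "Netid"):
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        _, _, lport = local.rpartition(":")     # rpartition copes with bracketed IPv6 too
        peer_ip, _, _ = peer.rpartition(":")
        if not lport.isdigit():
            continue
        yield state, int(lport), peer_ip


def half_open_by_port(output):
    """Number of SYN-RECV entries per local port."""
    counts = Counter()
    for state, lport, _ in parse_ss_tan(output):
        if state == "SYN-RECV":
            counts[lport] += 1
    return counts


def half_open_sources(output, port):
    """Peers holding SYN-RECV entries against one local port, with counts."""
    counts = Counter()
    for state, lport, peer_ip in parse_ss_tan(output):
        if state == "SYN-RECV" and lport == port:
            counts[peer_ip] += 1
    return counts


def exhaustion_alerts(output, capacity, threshold=0.8):
    """Ports whose SYN-RECV count has reached threshold * capacity, mapped to the fill ratio."""
    return {port: n / capacity
            for port, n in half_open_by_port(output).items()
            if n >= threshold * capacity}


# Constructed `ss -tan` snapshot: five half-open connections on port 77 from two
# scanner addresses, one on port 23, and ordinary LISTEN/ESTAB rows that must be ignored.
SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    10.0.0.5:22          0.0.0.0:*
ESTAB      0      0      10.0.0.5:22          10.0.9.10:51012
SYN-RECV   0      0      10.0.0.5:77          10.0.9.201:40001
SYN-RECV   0      0      10.0.0.5:77          10.0.9.201:40002
SYN-RECV   0      0      10.0.0.5:77          10.0.9.201:40003
SYN-RECV   0      0      10.0.0.5:77          10.0.9.202:40101
SYN-RECV   0      0      10.0.0.5:77          10.0.9.202:40102
SYN-RECV   0      0      10.0.0.5:23          10.0.9.50:3300
"""

if __name__ == "__main__":
    # A small capacity makes the constructed sample trip the alert; use the real
    # listener table size (384 in the post's case) against live output.
    for port, ratio in exhaustion_alerts(SAMPLE_SS, capacity=6).items():
        print(f"port {port}: {ratio:.0%} of half-open capacity; peers {dict(half_open_sources(SAMPLE_SS, port))}")
```

Run on live output with the device's real table size as `capacity`, the alert fires while there is still headroom, and the per-peer breakdown answers the question the post spent days on with the vendor: which addresses are holding the slots.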

    How to better make use of RADB

    Posted: 30 Sep 2019 07:02 AM PDT

    Hello r/networking, I am wondering if anyone in the community can share how they use RADB effectively in their organization? I currently make use of it for my transit providers to allow prefixes from my AS, but would ask if you can provide advice on how I can better use it for my edge policies?

    Any thoughts or suggestions are appreciated.

    submitted by /u/NOC_LVL_1
    [link] [comments]

    Cheap 5-to-8 port mini-switch WITH STP?

    Posted: 30 Sep 2019 12:34 PM PDT

    Hi all,

    I work in an industrial research lab, and in some cases, I want to provide the research staff with a small 5-to-8 port switch that they can connect multiple devices to, that I will connect into an access port on our IDF switches. I'm looking for a cheap (sub-$100) switch that runs STP, so I can deploy it to the researcher's office/lab space and set the connected access port for normal STP operation (non-portfast/BPDUguard config), but if the researcher in question tries to move it to another port (all of our "edge" ports normally run portfast/BPDUguard) then it will errdisable the port when the mini-switch sends the first BPDU out.

    What's a good (enough) mini-switch that runs STP? We have been using Netgear ProSAFE GS108E switches as breakout switches, but I'm unable to find out if they run STP or not (I thought they did support STP, but a Wireshark machine connected to one of them shows no BPDU packets coming from the switch...)

    Thanks!

    submitted by /u/wdennis
    [link] [comments]

    Sanity check with static routing between Aruba switches

    Posted: 30 Sep 2019 07:16 AM PDT

    Working on transitioning away from a flat network design and I need a quick sanity check to make sure that I'm understanding HP terminology correctly. I have two sites, connected via dark fiber that we own. Call them sites A and B.

    Site A = 192.168.100.0/24 vlan 1

    Site B = 10.100.0.0 /16 vlan 1

    There are more than just these two subnets, but these two are the only ones that matter. I have two Aruba 5406R switches acting as cores, one at each site. Both switches have IP routing enabled. Right now I have a /29 in between the two cores, call it vlan 20. Site A core has an IP of 10.1.1.1/29 - vlan 20, and site B has an IP of 10.1.1.2/29 - vlan 20.

    Core A has the following

    ip route 10.100.0.0 255.255.0.0 10.1.1.2

    Core B has the following

    ip route 192.168.100.0 255.255.255.0 10.1.1.1

    Am I correct in my understanding that I should tag vlan 20 on both ends of the point-to-point link between cores? Or should it be untagged on both ends because vlan 1 exists on both networks, thus stripping all the vlan tags once it reaches the other core?

    Since vlan 1 exists on both networks with a different IP address range (I know), I can't just tag vlan 1 like I would a normal access switch--> core switch uplink. Hoping that someone can clear this up for me...haven't been able to find anything for this specific scenario on Google.

    submitted by /u/jauntySerpent
    [link] [comments]

    How does a dual wan router work?

    Posted: 30 Sep 2019 06:09 AM PDT

    Dual WAN router for load balancing. Say you have two different ISPs (one on each port) and you run a speed test on a site like speedtest.net .

    SpeedTest.net shows your ISP on the bottom of the page. what would it show when using a dual WAN Router? Just whatever ISP it has you using as it is load balancing?

    submitted by /u/TrueDeparture
    [link] [comments]

    iperf 10gbps servers in us?

    Posted: 30 Sep 2019 09:14 AM PDT

    From the iperf3 servers list I only see two in France and one in the Netherlands.

    Trying to test 10Gbps IPs, but with the French servers I'm only getting close to 5Gbps.

    Thanks in advance.

    submitted by /u/k3tr4b
    [link] [comments]

    Anyone moved into security

    Posted: 30 Sep 2019 08:43 AM PDT

    I am a network engineer with CCNP-level experience. I have worked with large networks of about 80,000 and small networks of under 100. I have grown increasingly bored with networking. I tried learning automation but there isn't much to automate at my job, so I lost interest. I have lately taken an interest in security, mostly infosec. Has anyone moved from networking to security? If yes, what would be the best way to go about it?

    submitted by /u/muxie2007
    [link] [comments]

    Mikrotik VLAN questions

    Posted: 30 Sep 2019 04:38 AM PDT

    Man, I wish Mikrotik had a Cisco-like CLI...

    Basically I need to put several VLANS on my Mikrotik device via trunk. The trunk will be on sfp1. Nothing complicated I just need to know the Mikrotik specific way to do this.

    So on the Mikrotik device I have:

    1) Created 2 VLAN interfaces.

    2) Put an ip address on the management VLAN interface.

    3) Created a bridge.

    4) Put SFP1 and the two VLAN interfaces into the bridge.

    5) On the bridge vlans tab I have put that the two VLANs are tagged on sfp1.

    I have tested this on our office LAN and I was able to access the Mikrotik device on its management VLAN IP. Now the device needs to be shipped to a very remote location. Will it work by just plugging in the SFP? Did I miss anything and what?

    Edit: I am essentially trying to do the mikrotik equivalent of:

    switchport mode trunk

    switchport trunk allowed vlan add xx,yy

    submitted by /u/Irkutsk2745
    [link] [comments]

    Silverpeak SD-WAN experience

    Posted: 29 Sep 2019 08:23 PM PDT

    Can anyone give me their experience with Silverpeak? We have 400+ locations to support and are looking at different options. How reliable have they been? How is their support? How well do they scale? Are the advertised throughput specs correct? How much troubleshooting can be done through GUI or CLI tools, or do you have to typically open support cases (My experience with Velocloud). I have played with them in some demos, but any input and real life experiences are appreciated.

    submitted by /u/drummerboy988
    [link] [comments]
