    Thursday, December 5, 2019

    Blogpost Friday! Networking


    Blogpost Friday!

    Posted: 05 Dec 2019 04:04 PM PST

    It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

    Feel free to submit your blog post and as well a nice description to this thread.

    submitted by /u/AutoModerator

    Do you constantly have to prove the network's innocence?

    Posted: 05 Dec 2019 12:48 PM PST

    I work for a large corporation, and we have a lot of custom in-house software. We end up spending a lot of time spinning our wheels, as any time our software development team has a problem or error with their code the knee-jerk reaction is to blame the network and we have to prove it's not, sometimes many times a day. We have to dig through our monitoring and logs just to prove nothing happened on the network to cause this. Anyone else experience this? They don't seem to look into anything at all before shoving it on us to check first, and we've never really had one that was a network issue, but it always comes to us first to defend that it wasn't the network.

    submitted by /u/thecreativeone91

    [RANT] FortiOS 6.x.x is the Windows Vista of FortiOSes

    Posted: 05 Dec 2019 01:04 AM PST

    FortiNet you gotta get your shit together.

    I have been a huge fan since the beginning of time, coming from Cisco, Checkpoint, then Palo, but you always proposed an incredible product, with very simple all-inclusive licensing for such an aggressive price. You would always be up there with the big boys that would cost three times as much for half the throughput, but always be amongst the best in any Gartner or third-party independent tests. 5.6.x was such a masterpiece (yea well not exactly but...), always working, minor bugs here and there, devices have been running for 2 years straight without a single problem.

    But no, let's fuck it all up to pursue this SD-WAN nonsense. Couldn't you just put it in the brochure, add a menu to make the CIOs happy and leave the rest of it alone? Couldn't you just stop forcing people onto 6.x.x? What about NOT releasing 6.x.x at all?

    It is such a pile of garbage I almost threw one out of the window. If it was painted grey I would confuse it for a goddam Cisco ASA. Stuff that always worked flawlessly is now completely fucked. HA? Randomly kicks in. DHCP? Fuck, I won't work on port 1, only on port 2 and on Tuesdays! GUI? Why stress you with all those long pages full of logs that make no sense, a blank page is much better! We are very concerned about you burning out, so if you click or add too many rules too quickly, we will make you slow down and freeze the fuck out of the GUI so you go get a coffee! Let's force you into using that useless FortiCloud with the excuse of not adding the internal hard drive anymore (even if you buy the hard drive you can't use it, that was such a Cisco move) and then throwing "FortiCloud does not support the latest version of FortiOS, sorry!" Is this some kind of joke?

    Rant over. Go back to work.

    submitted by /u/Edmondo_Dantes

    Nmapping the network down to Valhalla

    Posted: 05 Dec 2019 12:39 PM PST

    Hi fellow networking gurus!

    Asking for a friend. Today was a long and boring day and my friend's soul was craving some blockbuster-scale action. But the only thing this silly sod had around was Nmap, a tool he wanted to try out but kept forgetting about. 30 minutes before the end of the day, he fires up a /24 network scan with roughly 100 live devices on it. Everything went through fine, so he decided to do the same for another /24 network in a building across the road with 30 devices on it. And that's when things started to go funny.

    He quickly noticed his PRTG monitor started throwing red alerts on random devices on both networks and everyone started screaming "Emails are down!", "No Internet!". He had a suspicion it might be him who caused this, but he didn't expect this from a network scanning software as he had experience with other similar tools.

    Devices were intermittently going up and down; everything was showing symptoms of a network-related issue. He went onto the ASA, which is acting as a gateway for both networks, and noticed that CPU usage was 92% and 98% of the bandwidth going through the ASA was ICMP traffic. He pulled the cable going to the other building and plugged it back in. The issue was resolved.

    Now some of you are probably already rolling your eyes or smiling at my friend's stupidity, but the poor guy still isn't exactly sure what happened. It sure is an ICMP flood, but why did it originate? Does that mean there are loops on the network? To give you a better idea of the network, these two /24s are technically on VLAN 1; even though the guy my friend has just inherited this network from is calling them VLANs, they are actually just different subnets in a flat network.

    What are your thoughts? Is there any way to prevent this from happening? My boy is definitely looking into splitting the network into actual VLANs, but that's not a one day job.

    Any input is highly appreciated.

    Thank you <3

    submitted by /u/64bit_hooman

    Set up custom nameservers in AWS

    Posted: 05 Dec 2019 02:48 PM PST

    Hey guys,

    I have set up a couple of custom nameservers on EC2 instances in AWS. I installed bind9 on both of them and created a domain at Namecheap pointing those nameservers to the domain. So my question is, does anybody know how to make them work without Route 53? Any suggestions would be appreciated. Thank you guys!

    submitted by /u/sk_devops

    Media converters for OC192 to 10GbE?

    Posted: 05 Dec 2019 02:41 PM PST

    Has anyone ever seen or used such a device? I have a special use case that I need something like that without going the full router in bridge mode. Needs to support jumbo frames. Condition is preferably new with some kind of support. Thanks!

    submitted by /u/packetthriller

    2 modems 1 router same gateway

    Posted: 05 Dec 2019 02:20 PM PST

    I have 2 separate circuits (modems) hooked up to a Cradlepoint AER2200. Both networks have different IPs but the same gateway. They are having issues with the wifi kicking things off the network. Should the gateways be different?

    submitted by /u/mike836000

    Point-to-Point APs that will survive a Canadian winter

    Posted: 05 Dec 2019 06:38 AM PST

    Hey friends,

    Working on a project to get camera + gate access out to a remote area of our campus. We'd like to set up a point-to-point wireless link to expand our network out to that area. Distance is about 500 m with clear line of sight.

    We had been looking at the Ubiquiti NanoStation AC, but it doesn't seem all that robust... while the temperature rating fits within our environment, there are no seals around the points of entry etc. and I worry about moisture ingress affecting reliability. Has anyone been reliably using these throughout a harsh winter?

    Are there any other reputable options for a simple point-to-point that is rated for outdoor use?

    Thanks!

    submitted by /u/RepulsiveDesign

    Extend VLAN to different switch

    Posted: 05 Dec 2019 02:32 PM PST

    Hello, I am confused on the direction I should head for this issue. I have a switch which currently has a recorded VLAN; this VLAN hands out DHCP instances for our Mitel phones from the Mitel controller. I just got a request to extend this VLAN to a separate switch on the other side of the building. I was thinking of simply extending the VLAN through a trunk port, but after checking the switches' locations and uplinks I discovered that these switches do not connect to each other. They instead connect to an aggregate Cisco Catalyst. Now I'm a little unsure on what path I should take; perhaps I'm just overthinking this after being away for 2 weeks. I am currently thinking of asking our Mitel provider to create a new subnet for this switch, in which case I would then create a new gateway address and point it towards the Mitel controller's new subnet, then I would add this VLAN to the new switch and voila. Any help, corrections or suggestions are appreciated, since I believe I've overthought it or confused myself.

    submitted by /u/_noodlez

    Forcing EIGRP to Send VIP Instead of Interface Address

    Posted: 05 Dec 2019 02:15 PM PST

    Is this possible? I have a unique situation with a production network where someone has created a vPC to a distribution switch that has a number of client devices on it and a few routers that are used as labs. We recently underwent a network upgrade, and while prior there was only one EIGRP adjacency from the SVI on the cores to the routed interfaces on the routers, now each router is receiving two routes, one from each core. CBAC IP INSPECT causes communication to fail whenever an asymmetric route is taken (return traffic is received from an IP other than the IP that the router initially sent it out to). I have temporarily fixed the issue, but would like to use the VIP as the address advertised through EIGRP. The only solution I can think of is to use a static route to the VIP. Altering the metric so that the router prefers one core over the other will not solve the problem, as return traffic may come from the other router than the one to which the data was sent.

    TomNetEng

    submitted by /u/tomneteng

    Cisco ISE, a lot of inactive endpoints?

    Posted: 05 Dec 2019 07:58 AM PST

    In Cisco ISE I have a lot of inactive endpoints (Context Visibility>Endpoint>Authentication). About 95% are from my guest network, which makes sense, but the inactive endpoints are still using Cisco ISE licenses even though some have been inactive for 20+ days (after 30 there is an auto delete).

    In my Cisco WLC, interim RADIUS accounting settings under WLANs were not enabled, so Googling told me to enable this. Is this the fix for this issue, or do I also have to set the "re-authentication timer" under my Authorization Profiles? I read this should be set to something like 12 hrs, but this was in regard to 802.1X wired auth for switches, so I am testing this out on my switch's profile set.

    My main issue is that about 50% of my Cisco ISE licenses are being used by inactive endpoints.

    Thanks in advance

    submitted by /u/Trekky101

    When is your WAN *not* a fit for SD-WAN?

    Posted: 05 Dec 2019 06:12 AM PST

    It's Thursday. I see no thickheaded post, so I'm going to be thickheaded here and hope some experts can pipe in and tell me what I'm missing here.

    I think the dream for some of us in networking is to have a centralized management system for all our sites, be it within a large city or spanning the globe. The SD-WAN kool-aid brings the promise of centralized management of these sites for those with branches across the country/globe, but what about for those with lots of sites within a large city?

    Why am I asking this? Well, I'm looking at the state of my network, which spans a large city. We have around 100 branches/offices, and we have dark 1G fiber between them (edit: no bandwidth issues here, just underutilized). However, most of them have low bandwidth, and even bursting is less than 100 Mbps at most; and most of their traffic isn't destined for our datacenters, it just goes through them* -- in fact, our datacenters have shrunk to the point of putting everything on two or three racks at each location.

    Why wouldn't SD-WAN be applicable in this situation? Assume I have multiple* competitive bandwidth options (be it SMB-level broadband, metro-ethernet, MPLS, etc.).

    Now I realize I'm simplifying things a bit, when asking this, but when is SD-WAN not a fit for a WAN, in a theoretical sense.

    There's just a lot of coverage with SD-WAN right now (or maybe the algorithms are making it that way), so it really has me thinking.

    Thanks ladies and gents.

    Edit- Detail error on my part that needed clarification.

    Edit 2- Bandwidth and bandwidth options clarification.

    submitted by /u/DiscombobulatedWish3

    How to force an application running on WS Server 2016 to use a specific NIC?

    Posted: 05 Dec 2019 07:46 AM PST

    Hey guys,

    I need some help with the below mentioned issue. I will appreciate your thoughts.

    WS Server 2016 Std

    The App Sage XRT Treasury 4.0 is installed.

    There are 2 NICs - a NIC for all network flows and a second one dedicated for the back up.

    The issue is that this third-party Sage app service "XDLO_SERVICE.EXE" communicates externally and wrongly uses the NIC for the backup. The goal is to use the other NIC, which is meant for external flows.

    As a workaround the backup-dedicated NIC is currently disabled.

    Is there a way to configure this app on Windows side to use the specific NIC and not the other one?

    I tried using the ForceBindIP tool but with no luck.

    Many thanks in advance!

    submitted by /u/Straidenn

    Why must AT&T drag an entirely new line to change my rate from 10Mb to 50Mb?

    Posted: 05 Dec 2019 07:20 AM PST

    As I speak a field guy is setting up a second run from the MPOE to the data room, and connecting it to a second Edgewater which is exactly the same as the one that's already there. Later on a different guy is going to have to come out for the change-over, except he won't actually be able to do anything - that will be a third guy on the phone.

    In my mind this is like three lines of config change, or one text box changed in their management system. I can't imagine why any for-profit company would implement changes this way.

    Edit: Full details: this is an MIS DIA line for a medical practice in a multi-tenant building. There is fiber to the building terminating on a Ciena in the MPOE, and from there we have a 50-foot Cat 6 run to the server room in the suite. In the suite they give us an Edgewater router that hands off Ethernet for data and a PRI for the phone system; it's a grey AT&T-branded unit. I think the package is called FlexConnect but I'm not positive.

    submitted by /u/dwargo

    best way to deal with load balancing web services where users' IPs are changing?

    Posted: 05 Dec 2019 05:37 AM PST

    What's the current best practice for load balancing web services in general these days? My current old-school Cisco load balancer will serve a given user from a given server for 10 minutes, but it determines what a session is by the source IP. In a world of mobile devices this is probably pretty common? This causes issues in some of our web apps because our load balancer doesn't retain their sticky session to a given server and they can bounce between servers in the backend... in turn that causes them to land on different databases.

    Is this an application architecture issue to solve? (I can think of ways to do so... but not great ways). Or are there more modern load balancing approaches that can determine what a session is in some heuristic manner other than IP address alone--so if their underlying IP changes their session remains sticky still?

    submitted by /u/danekan
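Cookie-based persistence is the usual answer to exactly this problem: the balancer inserts a cookie naming the backend, so stickiness survives a source IP change. As an added illustration that is not from the post or any vendor's implementation, this Python model contrasts source-IP hashing with an HMAC-protected persistence cookie; the backend names and the key are constructed for the demo.

```python
import hashlib
import hmac

# Constructed backend pool and key for the demo; the key is hypothetical and
# would normally come from the load balancer's secret store.
BACKENDS = ["web1", "web2", "web3"]
COOKIE_KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = 16


def pick_by_source_ip(client_ip):
    """Old-style persistence: the backend is a hash of the source address, so a
    client whose IP changes (mobile hand-off, CGNAT, proxy pools) can land on
    a different backend and therefore a different database."""
    digest = hashlib.sha256(client_ip.encode()).digest()
    return BACKENDS[int.from_bytes(digest[:4], "big") % len(BACKENDS)]


def _tag(backend):
    # HMAC over the backend name, truncated to TAG_LEN hex characters.
    return hmac.new(COOKIE_KEY, backend.encode(), "sha256").hexdigest()[:TAG_LEN]


def issue_sticky_cookie(backend):
    """Persistence cookie: backend name plus an HMAC tag, so a client cannot
    steer itself onto an arbitrary backend by editing the cookie value."""
    return f"{backend}.{_tag(backend)}"


def backend_from_cookie(cookie):
    """Return the backend named by a valid cookie, or None if the cookie is
    missing, tampered with, or names a backend no longer in the pool."""
    if not cookie:
        return None
    backend, _, tag = cookie.partition(".")
    if backend not in BACKENDS:
        return None
    # Constant-time comparison on bytes (also tolerates non-ASCII junk).
    if not hmac.compare_digest(tag.encode(), _tag(backend).encode()):
        return None
    return backend


def route(request):
    """A valid cookie wins; otherwise fall back to source-IP hashing and issue
    a cookie so later requests stick even if the client IP changes.
    Returns (backend, cookie_to_set)."""
    backend = backend_from_cookie(request.get("cookie"))
    if backend is not None:
        return backend, request["cookie"]
    backend = pick_by_source_ip(request["client_ip"])
    return backend, issue_sticky_cookie(backend)


def simulate_roaming_client(ips):
    """One client whose address changes on every request; returns the backends
    it was sent to. With cookie persistence this is a single backend."""
    seen, cookie = [], None
    for ip in ips:
        backend, cookie = route({"client_ip": ip, "cookie": cookie})
        seen.append(backend)
    return seen


if __name__ == "__main__":
    roaming = ["203.0.113.10", "198.51.100.7", "192.0.2.44", "203.0.113.99"]
    print("source-IP only:", [pick_by_source_ip(ip) for ip in roaming])
    print("with cookie:   ", simulate_roaming_client(roaming))
```

The cookie should be set with the Secure and HttpOnly attributes, and the backend name it carries is only a routing hint: the balancer still re-validates the tag on every request.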

    Removing a 2F comms room and routing directly to a 3F comms room?

    Posted: 05 Dec 2019 08:54 AM PST

    Hi all,

    The building management are looking at getting more space out of our floor layout. We have 2x floors, 2F and 3F. Each one has its own server room. The 3F is where all the internet lines, telephones lines etc go into and is a much bigger room with proper cooling and UPS.

    The 2F has some switches which all 2F IT equipment connects to and then it route up to the 3F to access the internet etc.

    Management are asking, do we really need the 2F (or could we convert it into more desk space)? Could the switches be moved to the 3F and all the floor ports on the 2F etc. just be routed from 2F directly up to 3F?

    I don't really know about electrical engineering, so from a building cabling point of view and an IT point of view, are there any pros or cons to doing this?

    submitted by /u/greenkomodo

    ASR9010 vs ASR9912

    Posted: 05 Dec 2019 05:02 AM PST

    Dear networking community,

    I have some questions regarding the ASR9912 & ASR9922.

    When would you opt to go for either of these models over an ASR9010?

    Is this a matter of slot space?

    Because I have the feeling the options for line cards are way more limited than those for the ASR9010.

    Would love to get some opinions on this, thanks in advance.

    submitted by /u/Nickl1904

    Advice on architecture for a VPN link

    Posted: 05 Dec 2019 12:28 AM PST

    Hi all,

    I'm looking for some advice on setting up a VPN link. The situation is as follows: we have two offices in Europe, in the same city about 3-4 miles apart. Office #1 has a VPN link towards the US, where one of our partners is situated. We use this VPN link for accessing their internal resources, remote workstations that our people use, etc...

    In the Office #1 we have a Sonicwall NSA 2600, while Office #2 is running a Sophos XG 210 rev. 3.

    While we were requesting another VPN link for Office #2, we were notified only one VPN link can exist.

    Now I'm not too satisfied with the setup in either of those two offices (power delivery, no HA/failover, etc), not a lot of bandwidth is available and due to circumstances of the market here, increasing bandwidth can cost a lot.

    So I had an idea about setting up a server in Germany (our HQ is there) that would be the termination point for the US VPN tunnel, and then the offices would connect separately to that server in Germany.

    This server would be running something like RouterOS x86 from Mikrotik? It's the only OS I could come up with that had everything; maybe you guys have suggestions?

    I've done a couple of measurements and the latency to the US VPN endpoint from offices #1 and #2 is about 150ms. Latency from Germany to the US endpoint is ~120ms and latency from our offices to Germany is 30-40ms.

    One important thing to note: this VPN tunnel would be used heavily. Remote desktop connections will mostly go through it.

    The US VPN would be IPsec, if I remember correctly, and their side is Cisco.

    Would this be an acceptable solution? Or should we just invest in proper gear at one of the offices?

    I'm really looking for some reality checks here, so I appreciate all feedback.

    Thanks,

    submitted by /u/dzonidev

    MLDC or MLDC Over IP protocol specifications or PCAP files

    Posted: 05 Dec 2019 12:26 AM PST

    Hi,

    Does anyone know where I could find the specifications for the Motorola MLDC/MLDC over IP or some PCAP files?

    Thanks!

    submitted by /u/al1foobar

    Cisco WLC and Rogue Management

    Posted: 05 Dec 2019 06:10 AM PST

    I've had a nagging OCD impulse to go through and manage my rogue APs / clients on my WLC. We are not in a real big market, and yet between all our facilities we are pulling up somewhere around 250 rogue APs. I'm struggling with justifying the time to classify these, and the question comes to mind: do others do this?

    In larger cities or business campuses it'd take a full-time job to manage. Do most people ignore the detected rogues and forever leave them in the unclassified hole, manage them, or simply disable rogue detection?

    submitted by /u/SwiftSloth1892

    Completely isolating VLANs

    Posted: 05 Dec 2019 06:09 AM PST

    I have an L3 switch (Aruba 2930F) with 3 VLANs: 10, 20 and 30. This is the entire network.

    IP routing (inter-VLAN) and multicast routing are not enabled.

    Do I still need to apply ACLs in order to lock down/isolate each VLAN?

    If ACLs still need to be applied, would it be something like this on each VLAN?

    access-list 101 deny ip 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255
    access-list 101 deny ip 10.0.30.0 0.0.0.255 10.0.20.0 0.0.0.255

    Thanks

    submitted by /u/hombre_lobo

    Network Logs/Weird Activity?

    Posted: 05 Dec 2019 06:01 AM PST

    I have been reviewing network logs today, and I saw that I have a PC that keeps trying to send traffic to another PC on the network but is being denied for unhandled internal traffic. Every few seconds it is attempting to send traffic to about 20 IP addresses on our internal network, starting with sending traffic to xx.x.40.1, then xx.x.40.2, xx.x.40.3 and so on. Every time it is denied, and after it hits xx.x.40.20, it stops and then tries it all over again. This PC is used in production and all it is doing is running 1 website and a local label printer. Networking is not my forte, so I am a bit stuck. There aren't any other internal machines sending traffic like this.

    Thank you for your help!

    submitted by /u/meckboi1123
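The pattern described, one host being denied against consecutive internal addresses over and over, is easy to pick out of deny logs mechanically. As an added illustration that is not from the post or its author, this Python detector runs over constructed log lines in a hypothetical deny-line format; on real firewall logs only the regex would change. A hit points at the host (which process is opening the connections, a printer or discovery feature, or something unwanted) rather than at the network.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Matches the constructed deny-line format used below (hypothetical; adjust
# the pattern for a real firewall's syslog format).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DENY "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)"
)


def build_sample_log():
    """Constructed sample: one host walks 10.1.40.1-.20 twice, 3 s apart,
    plus one unrelated deny from a different host. Not real traffic."""
    lines = []
    t = datetime(2019, 12, 5, 6, 1, 0)
    for _cycle in range(2):
        for host in range(1, 21):
            lines.append(
                f"{t:%Y-%m-%d %H:%M:%S} DENY src=10.1.5.23 dst=10.1.40.{host} "
                f"proto=tcp dport=445 reason=unhandled-internal"
            )
            t += timedelta(seconds=3)
    lines.append(
        f"{t:%Y-%m-%d %H:%M:%S} DENY src=10.1.5.77 dst=10.1.40.9 "
        f"proto=udp dport=137 reason=unhandled-internal"
    )
    return lines


def parse(lines):
    """Return (timestamp, src, dst) tuples; lines in another format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append((
            datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            m["src"],
            ip_address(m["dst"]),
        ))
    return events


def find_sweeps(events, min_run=5):
    """Group denies by source and look for runs of destinations that increase
    by exactly one address each time (the .1, .2, .3 ... pattern).
    Returns {src: [(first_dst, last_dst, run_length), ...]} for sources with
    at least one run of min_run or more; each run is one pass of the sweep."""
    by_src = defaultdict(list)
    for _ts, src, dst in sorted(events):      # time order within each source
        by_src[src].append(dst)
    findings = {}
    for src, dsts in by_src.items():
        runs = []
        start = prev = dsts[0]
        length = 1
        for dst in dsts[1:]:
            if int(dst) == int(prev) + 1:     # next address in sequence
                length += 1
            else:                             # sequence broken: close the run
                if length >= min_run:
                    runs.append((str(start), str(prev), length))
                start, length = dst, 1
            prev = dst
        if length >= min_run:
            runs.append((str(start), str(prev), length))
        if runs:
            findings[src] = runs
    return findings


if __name__ == "__main__":
    for src, runs in find_sweeps(parse(build_sample_log())).items():
        for first, last, n in runs:
            print(f"{src} swept {first}-{last} ({n} addresses)")
```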

    Layer 2 Circuit Issues

    Posted: 05 Dec 2019 05:22 AM PST

    We've recently had a layer 2 circuit installed for a new office. It's IP'd privately and connected back to our core, at which point we send relevant traffic where it needs to go.

    It's provisioned as a 200 Mb circuit, but speed tests show a max of 100 Mb-ish, and staff on-site are complaining of time-outs when loading web pages etc.

    We have had the provider out to do an Ethernet test and they say all is good. I've removed the internal LAN (firewall and switches) from the equation by directly connecting my laptop (giving it the correct IPs), and still the issue persists.

    I'm stumped as to what could be causing this. I've run iperf tests which show no issues, and I've run continuous pings from the site to external addresses which again show no issues.

    Anyone able to offer advice on the next step to be checked please?

    EDIT: Resolved. Fricking DNS. The new DNS server in the DC was taking ages to do lookups. Amended DHCP to point to the old DNS and problem solved.

    submitted by /u/LittleWanger

    I've been given a silly task. I'm pretty green and I feel like this may be above me. (Overlapping networks and Fortigate VDOMs and I'm stressed the fuck out)

    Posted: 04 Dec 2019 05:59 PM PST

    There are two remote networks. They are physically in one location, but for regulation dodging reasons, they are separated physically. Both networks are on an overlapping /16 network. One is connected to a Cradlepoint cell modem (no firewall). The other is connected as such: Cradlepoint > Fortigate > /16.

    I've been told to connect the two networks to the same Fortigate firewall they already have, but prevent the two overlapping networks from communicating...

    The only way I can see this working is if I split the Fortigate into two VDOMs. If I give each VDOM one of the Cradlepoint modems, I should be able to keep those two networks entirely separate.

    Please don't bash on me for this situation. I had nothing to do with this and my company has been brought in to clean things up.

    Our CEO doesn't say no and I'm in my first professional level position in my career. We're an MSP and that should probably tell you a lot.

    Edit: went on a rant and forgot to ask... Does this sound like a good solution to you guys? Am I missing something? Is there something better I can do? My biggest concern is killing my connection to the management plane. My only access to the firewall is through a port forward on one of the Cradlepoints.

    Thank you.

    submitted by /u/ieeedot1q

    Eliminate IDF against cable guys' wishes.

    Posted: 04 Dec 2019 04:57 PM PST

    EDIT: Sorry. That was confusing. I should have simply asked.

    Do people have good success with Cat 6 cables at 300-315 ft? Limits say 328. But if you are less than that, do gig PoE phones work without issue?

    Thanks

    OP below.

    We are remodelling a 3-story office with 2 IDFs per floor.

    By my math and my measuring wheel, I calculated it right at 300 ft to the furthest office jack. That left 28 ft extra (Cat 6).

    I had them run mule tape and it is in fact looking to be right at 300 ft, but they keep pushing back.

    I think they really don't want to because: 1) to make sure I don't have issues, 2) it's harder to run cables that long, 3) it's more expensive for them if they quoted it per run.

    My logic for consolidating to one closet per floor:
    - single UPS
    - I won't have to run generator power to one closet that was added late
    - won't have to run fiber to one closet that was added late
    - possibly fewer switches. I think per floor I can do 5 switches instead of 3 and 3

    It's a big gamble that I'm willing to take, but I don't have any experience with PoE gig phones at the upper limit of Cat 6 (328 ft).

    So I'm curious. If it's under 328 ft, am I golden, or even if it's under the spec can I have issues?

    Thanks in advance!

    submitted by /u/bg77777