Blogpost Friday! Networking |
- Blogpost Friday!
- I'm misunderstanding something fundamental, I think. Can someone help me out?
- Slack Nebula is a flexible, open source VPN mesh tool
- Cisco ASA AnyConnect VPN - Connects and can route internally, but cannot route to internet
- "Blended" Carrier Bandwidth - Sanity Check
- Trouble setting up VLANS with Juniper
- Zero Trust everything and SD everything
- Create two way vpn tunnel or proxy between countries
- Give your excuse as to why you aren't utilizing IPv6 so that we can tell you why you need to be now
- Cisco vs Ruckus for access switching
- 1.1.1.1 cannot resolve youtube?
- Best Practice on IPSec Settings
- Trunked Ports and Wacky IP Conflicts
- AWS Advanced Network Specialist, Anyone?
- Parent firm moved my company and 3 others to a new building, with no IT staff, and it's becoming my problem
- Switching from MPLS core to EVPN core
- Requesting Assistance with EEM Script for AP
- GNS3 - Layer3 Switch
- Fiber patching between ODFs
- Why host id in ip address when using NAT?
- SMA Coax Cable
| Posted: 12 Dec 2019 04:04 PM PST It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our member's new and shiny blog posts Feel free to submit your blog post and as well a nice description to this thread. [link] [comments]  |
| I'm misunderstanding something fundamental, I think. Can someone help me out? Posted: 12 Dec 2019 06:27 AM PST Can someone help me understand why this broke? Here's the high-level design: There are several thousand clients on each network. In an effort to throttle the amount of bandwidth available to Network 2, I statically set the connection on Link 2 to 100FDX. That link was constantly saturated. When that connection would saturate, Network 1 would turn to shit. Lots of packet loss and latency jitter. To my understanding, doesn't each individual interface have a buffer? Even if Link 2 filled its buffer I would think I'd only see those issues on that network. I never saw a large number of packets waiting in the global buffer on the firewall. What gives? After setting Link 2 back to auto (1000FDX, no more bottleneck) all of my issues on Network 1 disappeared. EDIT: I understand this was not a good way to achieve throttled internet usage in Network 2. That setup was more of a quick band-aid. I'm more curious as to why this happened for my own education. I get that the right solution is QoS or some kind of rate-limiting in R2. In the drawing, yes, both ends of Link 2 were statically set. [link] [comments]  |
| Slack Nebula is a flexible, open source VPN mesh tool Posted: 12 Dec 2019 02:47 PM PST Slack just posted an open source tool which dynamically creates VPN tunnels between two endpoints bypassing the central server / location. It looks interesting and I though worth posting. [link] [comments]  |
| Cisco ASA AnyConnect VPN - Connects and can route internally, but cannot route to internet Posted: 12 Dec 2019 11:31 AM PST Howdy, I've setup a Cisco AnyConnect VPN - when I connect with a client, I get an IP and can route to internal resources fine. However, when I connect, I cannot route out to the internet? I'm not split tunnelling, all traffic is routing via the tunnel. The internet traffic is going out the same interface clients connect on. Do I need to NAT the VPN clients back out? Any ideas would be very helpful! [link] [comments]  |
| "Blended" Carrier Bandwidth - Sanity Check Posted: 12 Dec 2019 11:26 AM PST Apologies for the long post! I've been working this issue for a few weeks and nearing insanity. We're redesigning the internet edge at a DC so a greenfield style deployment. Two new ASR 1001HX routers going to a pair of layer 2 switches which "distributes" the internet to some firewalls, SD-WAN boxes, VPN boxes, etc. We have a new /23 block and ASN and this is the only point we are advertising from. We've ordered a new 1g, 3g burst circuit with 2 /30 handoffs from the DC itself which is "blended" with 4 carriers. The handoffs are 10g LR. So after installing the circuit, I placed a laptop behind the primary ASR, gave myself one of our public IP address and did some bandwidth testing. Test showed 300mb down / 1g up to a few test servers. Opened ticket with carrier and they of course blamed the ASR and whatnot. So the handoff is 10g making it difficult to test direct, so I used a fresh out of the box Cat 9k layer2 switch ran the 10g handoff to it and tested using the DC's public IP (from the /30). The download speed jumped to 750mb and the upload stayed at 1g. My logic at this point is I have two issues, #1 I'm not getting the full bandwidth downstream and #2 the issues is amplified behind the ASR. Opened TAC and Carrier tickets. TAC reviews ASR config/license/port speed/duplex/SFP etc. Switched out 10G LR Optics, LR Cable. All clear. Our SE from Cisco does the same, no issues. Carrier says everything is great and that speed test and iperf are unreliable. I requested I get access to plug directly into their equipment and test, same results 750Mb down, 1g up. They blame the test. I connect to my other 1G provider and run the same test, close to 1G up/down! They gave me a iperf server IP to another DC they own in the same city, 750Mb. Then they blame iperf as faulty. At this point no one will accept responsibility for the issue! Please help, Is there anything I'm missing? [link] [comments]  |
| Trouble setting up VLANS with Juniper Posted: 12 Dec 2019 12:32 PM PST Let me preface this by saying I am fairly new to networking; I've been studying to be a network engineer (with Cisco learning materials) and have obtained my CCNA Routing and Switching, but have no REAL experience in the field other than lab work and exams. I was recently taken on as an intern in a small company that has a super small IT department to work on some network projects they have. They have no in-house network anything and have been paying their ISP to set up any network related thing they may happen to need. The main issue I am running into is, I was trained solely on Cisco, and they solely use Juniper. I understand the concept of VLANS is universal, but I am finding the Juniper CLI difficult to master. My main goal here is threefold:
I am fully confident that I can manage the task ahead of me as the network is still quite small (they currently have 6 routers, which will be shrinking to 1 after the ISP swap, and 14 L3 switches, with maybe 200-500 hosts total, across about 5 sites). The scope of it is not enormous, but I have no resources to call upon other than what I already know and the internet. The main questions I wanted to directly ask about are, do I need to add every Vlan to every switch, even if no ports on that switch are IN that Vlan, and as far as VOIP is concerned, since I'm implementing it after the network has been established for so long is it fine to just enable a voice vlan on every port on the switch so that I don't have to hunt down and find out which ports IP phones are on. Additionally to that last point, how to I make sure that the PCs attached to the phones aren't on the Voice Vlan and rather are on the data vlans (essentially putting a voice AND a data vlan on every port). I have many other questions, but as I work on this and get more familiar these are the main two I'm trying to work out. I've looked on Juniper's website but the tech documentation is a little convoluted and I'm not 100% sure I'm doing this right. I appreciate any help I can get, and if further information is needed I can try and provide some insight. [link] [comments]  |
| Zero Trust everything and SD everything Posted: 12 Dec 2019 08:44 AM PST Hello wonderful people. I have a few questions around Zero Trust Networking and SDP
I am working for a startup that's implementing zero trust model and I can tell you that it's very promising. We are slowly getting there. We treat internal network the same as public network. EDIT: For Baic NAC, we can use windows NPS (Radius) and Meraki access control policies (https://documentation.meraki.com/MS/Access_Control/MS_Switch_Access_Policies_(802.1X). [link] [comments]  |
| Create two way vpn tunnel or proxy between countries Posted: 12 Dec 2019 03:59 PM PST Both people have internet access, both have access to multiple routers etc. I live in the UK and need to access services that only work in my home country Czech Republic and need to access my friends network He lives in the Czech Republic and needs to access UK services such as Netflix, BBC iPlayer, etc. and my server (contains movies), i.e. he needs to simulate being connected to my network, again we both have internet and need to somehow have either a proxy on both sides or have a VPN tunnel somehow, we need this to be independent and not run from other services such as pre existing VPN's etc. Since i am quite new to this, could i please be given either youtube tutorials that will help and cover everything, detailed instructions and links to software or some kind of online tutorial Thanks Martin [link] [comments]  |
| Give your excuse as to why you aren't utilizing IPv6 so that we can tell you why you need to be now Posted: 12 Dec 2019 03:50 PM PST |
| Cisco vs Ruckus for access switching Posted: 12 Dec 2019 03:44 PM PST We are medium size business (virtualized servers and ~200 endpoints). We currently have Cisco 2960S in our access layer and Catalyst 3850's for our core. The suggestion has been raised whether we should continue with Cisco (Catalyst 9300) or move to Ruckus (ICX 7150). Personally, I would like to stay Cisco, however, if there is no good argument to do so, we have to look at alternatives. Any thoughts, opinions or experience? Any replies are greatly appreciated. [link] [comments]  |
| 1.1.1.1 cannot resolve youtube? Posted: 11 Dec 2019 04:42 PM PST Did anyone else experience the issue of getting DNS_PROBE_FINISHED_NXDOMAIN when using 1.1.1.1 and 1.0.0.1 for youtube, outlook, reddit and others? I've had my router configured to use 1.1.1.1 and 1.0.0.1, Cloudflare's DNS for a couple of years now. However, thirty minutes ago I tried opening youtube on my smart TV and it would fail every single time. I gave up on that and went on my computer to check up on reddit... same problem even on my phone, it seems the DNS queries kept failing. I've had a similar problem at work before and the answer was that my server's DNS wasn't configured that well so I checked my router and switched from Cloudflare to google's DNS (8.8.8.8 and 8.8.4.4) and the moment I did that everything went back up and I was able to access all my favorite websites. [link] [comments]  |
| Best Practice on IPSec Settings Posted: 12 Dec 2019 07:25 AM PST Good morning r/networking, Theoretical question here today: Wondering if anyone had any subjective experience on setting IPSec settings, and how to go about determining what is best for a network. Assuming relatively fast hardware, such as what is available today in whitebox routers and switches, why not just max out everything (Auth, Encryption, Forward Secrecy, Short Re-key intervals). In my lab, I see minimal impact on performance when these features are at their maximum available settings, but in the real world, I've only ever seen the same old 3DES/AES128 scheme being deployed, despite running on several thousand dollars worth of firewall. Maybe I'm missing something here... [link] [comments]  |
| Trunked Ports and Wacky IP Conflicts Posted: 12 Dec 2019 02:23 PM PST Hi, I have the following network architecture:
I've configured every port on each switch, as well as each port on the ends of each uplink, with "switchport mode trunk" and defined the three VLANs on both switches. Here's the rub: Every time I plug my laptop into a port and manually configure an IP, I get a message saying that my IP is being used by another device. I have very few other devices on the switch and I'm not reusing IPs, but regardless I get the message no matter what IP I use. I get the message even when I use an IP on a subnet that corresponds to one of the three VLANs that isn't presently in use by any device. Can anyone suggest what might be going wrong? I'm new to IOS XE. Thanks! [link] [comments]  |
| AWS Advanced Network Specialist, Anyone? Posted: 12 Dec 2019 07:25 AM PST I posted this in /r/AWS but got no response, hoping I might get more hits here. I have been using AWS for like five years. Primarily EC2, S3 and R53, but I have used a lot of other services and understand what the majority of them do and how they work. I've been through the AWS training class done by AWS Training Team and was pretty bored through it as I knew it all (what at least was taught). I recently stood up a site-site VPN from our on premise Palo to a Virtual Gateway and got all of that working and finally understand all that. I bought the Official Study Guide for Advanced Networking and thinking about taking that test first. Has anyone here taken it and have any things I should focus on? Obviously, no NDA breaking, but just looking for general help. [link] [comments]  |
| Posted: 11 Dec 2019 06:03 PM PST Hey reddit, A couple months ago, my company moved into a new space that is halfway through the remodeling process, at the behest of the investment firm that is our primary shareholder. The new space is going to house the investment firm, my company, and 2-3 other companies like ours that the firm "owns". We moved in first because we're the smallest (startup of under a dozen people), with the parent firm branch mostly moved in as well, and the other companies to follow in a few months when their part of the space is done with construction. At the time we moved in, I (an idiot) inquired what the network situation would look like, since I was at the time looking into servers for our internal use, and so I (like a moron) offered to help another engineer run to Best Buy and rig up 4 routers as access points to get basic wifi up and running during this transition period. At present, my company and the investment firm employees are all sharing this one wifi network, which is mostly comprised of Linksys' out-of-the-box settings with a new SSID and password. Turns out, there are no standing plans to get any kind of professional IT staff in-house. Today I overheard some talk between managers that leads me to believe that the network I set up needs some changes, and from this I intuit that soon I'm going to be asked to change passwords or configurations or some such. The thing is, I'm a mechanical engineer. The extent of my IT knowledge comes from building my own gaming computers and hanging around with software engineers in college. I am at best a hobbyist-grade nerd. The current network setup is woefully inadequate with respect to security, my ability to administrate it, and likely bandwidth, if any of the other companies do anything network-intensive. At some point in the near future I'm going to have to make a strong case for hiring professional IT staff, and I simply don't even know all that I don't know. How can I best make my case for why they should spend the money for a real IT professional? I want to point out all the things that could go wrong with multiple distinct companies all sharing a single consumer-grade network, but I'm not technically well-versed enough to think of all the ways that this could go wrong and the reasons this is a bad idea. Furthermore, this isn't my job - every hour I spend googling "how to change an IP address" is an hour I'm not doing the job I was hired to do, and so I don't want to frame it in a way that ends with "sounds like you need to do some homework" and it stays my problem. What should I bring up in a future meeting to convince the higher-ups to shell out for an expert? How do I best explain to a non-technically-versed manager why the current setup is not acceptable for a building of 5 companies? [link] [comments]  |
| Switching from MPLS core to EVPN core Posted: 12 Dec 2019 08:34 AM PST Now that quite a few vendors have BGP EVPN over VXLAN capable access switches, I'm wondering if anyone is doing their core network with these technologies? We're currently running MPLS in our own network and routing between VRFs happens on the DC firewalls: https://pasteboard.co/IKVL8wT.png Each building has an aggregation switch that also talks MPLS towards the core, and terminates all the VLANs from the access layer. Access layer is L2. We have lot's of different buildings and 50+ different segments for different use cases so just configuring L3 on the access layer would be somewhat nightmare to manage with all the ACLs etc. Also we would lose visibility over the traffic between the segments. Wondering also how do you do traffic engineering, for example have workstations to use core link 1 in the picture and cameras to use link 2 as the primary path. Not really here trying to solve any major issues but rather wondering how EVPN would work and how it would differ from running MPLS. Any thoughts? Thanks! [link] [comments]  |
| Requesting Assistance with EEM Script for AP Posted: 12 Dec 2019 07:54 AM PST I'm using an EEM script that auto-detects an AP when it's plugged in and configures the port accordingly, that part is working fine. However, I'm trying another one that would reconfigure the port if an AP goes down for longer than 2 minutes but I can't get it to trigger. Any assistance would be greatly appreciated. Here is the first script: event manager applet DETECT-LWAP-PORT-CONFIG event neighbor-discovery interface regexp Ethernet.* cdp add action 1.0 regexp "(AIR-)" "$_nd_cdp_platform" action 2.0 if $_regexp_result eq "1" action 3.0 cli command "config t" action 4.0 cli command "default interface $_nd_local_intf_name" action 4.1 cli command "int $_nd_local_intf_name" action 4.2 cli command "macro apply MACRO-TRUNK-LWAP" action 5.0 cli command "end" action 5.1 cli command "write" action 5.2 syslog msg "EEM script configured AP port and saved config" action 6.0 end Here is the second: conf t event manager applet undo-AP-port-config authorization bypass event syslog pattern "LINEPROTO-5-UPDOWN.* changed state to down" trigger occurs 1 delay 120 action 1.0 regexp "Interface ([,]+)" "$_syslog_msg" match intf action 2.0 cli command "enable" action 3.0 cli command "show int $intf | inc Description:" action 4.0 regexp "-AP" "$_cli_result" action 5.0 if $_regexp_result eq "1" action 6.0 continue action 7.0 cli command "config t" action 8.0 cli command "default interface $intf" action 9.0 cli command "interface $intf" action 12.0 cli command "macro apply MACRO-ACCESS" action 13.0 cli command "end" action 14.0 cli command "wr" action 15.0 cli command "exit" action 16.0 syslog msg "EEM script undo AP port config and saved config" action 17.0 end [link] [comments]  |
| Posted: 12 Dec 2019 06:39 AM PST Got FTDv, FMCv, 9000v, IOUL2, and CSR1000v all working and have been able to replicate my environment in a lab for the most part, however I can't seem to find a layer3 switch solution that works - far too many licensing problems with IOUL3 (used keygens to no avail) so I decided to move to a c3725 router in "etherswitch router" mode... the problem is I can't do any true layer 2 configuration so it basically doesn't work for my setup ('vlan xxx' isn't available, nor is STP) I think I need to get IOUL3 working so I was wondering if anyone here had any success? If so is there a guide you followed that works you could link me to? I've tried a bunch so far but it could also be user error. [link] [comments]  |
| Posted: 12 Dec 2019 07:25 AM PST I have a question that I hope some of you may know the answer to! My company has a rather large building with two big sections. These sections are connected through a common technical room where fiber connection from both sections are patched to two different racks. In one of the sections, there are many stories as well. The question is: is it possible to patch the fiber signal from one section to the other in this common technical room by just patching a SC to SC fiber cord between the racks? Or do you need some kind of switch to do the some sort of routing as well? TL:DR: I want to just forward the fiber signal from one section to another in a big building through a common technical room. Any help would be appreciated! [link] [comments]  |
| Why host id in ip address when using NAT? Posted: 12 Dec 2019 08:09 AM PST Hi! I was wondering why your ip address need to be divided inte network and host id if it is uses only one public address with NAT thanks in advance Lejonkingen [link] [comments]  |
| Posted: 11 Dec 2019 06:19 PM PST I need to purchase a SMA Coax cable at a store tomorrow instead of ordering online. Does anyone know of any stores that would sell something like this? [link] [comments]  |
| You are subscribed to email updates from Enterprise Networking news, blogs and discussion.. To stop receiving these emails, you may unsubscribe now. | Email delivery powered by Google |
| Google, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States | |
No comments:
Post a Comment