I am Craig from VeloCloud - AMA! Networking
- I am Craig from VeloCloud - AMA!
- Network Admins or Engineers who work from home, what’s a typical work day like for you?
- Has anyone ever used Port Triggering
- Multi state MPLS providers
- UDP NAT timeout 3 days
- Fortigate Vdoms or Vlans or both?
- Feature Extraction from PCAP file
- Bizarre ARP issue
- Is IPMI over Infiniband possible?
- I can pick up a lot of info at once and already have a decent base. Any long youtube videos or sites? I use Linux already and kind of want to get into networking "hacking" and all the tools that go along with it. I'm assuming general networking is important as well as penetration testing?
- Mist and Cisco ISE
- Pre-Turn up Circuit Testing ideas
- Using LLDP to configure phone vlan
- Weird IP address conflicts
- Sanity checking a simple network to replace one exit network
- Need some assistance with troubleshooting a connection issue
- AP 1562E joins WLC 3504, SSID is broadcasted, assign static IP for the network, but cannot gain access to network
- AnyConnect Management VPN tunnel
- VLAN Config help
- Patch panels in top of rack design
- Troubleshooting DHCP issues
- Help IPPBX with unlimited internal phone numbers
- New to HP's - Can you guys double check TACACS+ config on an older ProCurve
- Hello, so I'm selling my Cisco Lab KIT after taking the exam...
I am Craig from VeloCloud - AMA! Posted: 11 Dec 2019 06:02 AM PST I am Craig Connors, Chief Architect for VMware SD-WAN by VeloCloud. I've been in the SD-WAN space since joining the initial engineering team at Talari Networks in 2007, spent time in Cisco Advanced Development and have been with VeloCloud/VMware since 2013. Ask me anything - about VeloCloud, VMware, SD-WAN, network design, protocols, coding. I will be candid in my answers but I do work for a public company - any opinions expressed are my own and if there is something I cannot answer I will say so explicitly. I'll try to cover all time zones as best as possible by answering questions from 6AM-11AM PST. Proof: https://twitter.com/egregious/status/1192076960282877952 https://www.linkedin.com/in/craigconnors/ Edit - Whew! Thanks for all the great questions over the past 5 hours. I'll check back later and try to answer a few more for anyone who couldn't make it during the time window. I have tried to be candid in my answers - networks are the lifeblood of our businesses and I strive to be as transparent and trustworthy as possible. Thank you!
Network Admins or Engineers who work from home, what’s a typical work day like for you? Posted: 11 Dec 2019 09:15 AM PST
Has anyone ever used Port Triggering Posted: 11 Dec 2019 01:42 AM PST Network Engineer here, I do probably 30% Firewall work, 10% Routing, 20% switching and the rest on Load Balancing, so I think by now I've seen every sort of network configuration. My question regarding Port Triggering is that every $20+ Home Router has this feature that I have never seen on an enterprise firewall or appliance. You know the one, the one that says "if I detect x I'll open y" - like, how is that useful? Does anyone know any examples of when they have needed port triggering, and more specifically if they needed it in an enterprise network? Edit: Most seem to agree it's like UPnP before UPnP.
Multi state MPLS providers Posted: 11 Dec 2019 10:52 AM PST We're currently bidding out a replacement for one of our MPLS providers (name starts with an X and ends with an O until their acquisition is complete) that's been an absolute dumpster fire. We've got sites in Utah, Arizona, and Texas that we need connected. In particular I'm interested in finding out if there are any providers that we should absolutely stay away from when we start reviewing bids. What experiences has this crowd had with the various carriers out there? (We are working on an SD-WAN solution instead of MPLS but we need to make this provider switch before we'll have anything ready)
UDP NAT timeout 3 days Posted: 11 Dec 2019 08:22 AM PST A VOIP provider who provides/manages 2 x on-prem PBXs at our 2 sites has asked us to increase the UDP NAT session timeout on our routers from 180s to 259200s (3 days) to try and resolve some issues we are facing with calls not forwarding to internal extensions between the two sites. Does this sound like a reasonable thing to ask? My concern is that the UDP NAT session table will fill up and cause unintended consequences. If it helps, both devices are SMB type Fortigate/DrayTek routers with < 100 clients at each site.
Fortigate Vdoms or Vlans or both? Posted: 11 Dec 2019 02:12 PM PST This may seem quite open ended but I would like to see how some think of this. If an ISP decides to sell network management services, say they will want to bring in different customer management networks over IPsec tunnels (hub and spoke Fortigates). A fair assumption is that they will at some point overlap in terms of network addresses and need to be brought into the same alarm monitoring platform. How would that be set up on the hub/main Fortigate? Separate VLANs with NAT, using separate VDOMs, both somehow? Does that play well with each individual IPsec tunnel? These shouldn't have access to one another and all traffic (mostly SNMP traps, polls etc) would be firewalled and brought into a Zabbix platform or similar, for aggregation/interpretation. Thanks!
Feature Extraction from PCAP file Posted: 11 Dec 2019 06:40 AM PST I was following along this paper: https://cyber.bgu.ac.il/wp-content/uploads/2017/10/07346821.pdf and I was curious as to how they extracted the data from the PCAP file. According to the authors, this was what made their approach to malware detection unique and special. The full list of features they were able to extract can be found here: http://www.ise.bgu.ac.il/dima/Network_Traffic_Features_Set.pdf Does anyone have any experience doing this? Other papers I have looked at simply say they used the feature extraction tool from this paper, but I am not understanding it well enough to implement it by myself. Suggestions on how to do this, or repositories where the code needed to do this can be found, would be greatly appreciated!
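An added example for the question above, written by the editor and not taken from the post or from the cited paper (whose exact feature list is only in the linked PDF): a pure-Python extractor that walks a libpcap file, groups IPv4 TCP/UDP packets into bidirectional flows and computes the kind of flow-level features such papers build on (packets and payload bytes per direction, duration, inter-arrival-time mean and standard deviation, SYN/RST counts). Everything below is an assumption of this example: the feature names, the canonical flow key, and the sample capture, which is constructed in-line from hand-built frames using RFC 5737 documentation addresses with checksums left at zero. It goes a little beyond the post in that the flow grouping and statistics generalise to any Ethernet libpcap trace; pcapng files need converting first (for example with editcap).

```python
"""Flow-level feature extraction from a libpcap capture in pure Python (added example)."""
import struct
from collections import defaultdict
from statistics import mean, pstdev

ETH_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
TCP_SYN, TCP_ACK, TCP_RST = 0x02, 0x10, 0x04

def iter_pcap(data):
    """Yield (timestamp, frame) for every record of a libpcap blob (pcapng is not handled)."""
    endian = {0xa1b2c3d4: '<', 0xd4c3b2a1: '>'}.get(struct.unpack('<I', data[:4])[0])
    if endian is None:
        raise ValueError('not a libpcap file')
    if struct.unpack(endian + 'I', data[20:24])[0] != 1:
        raise ValueError('only Ethernet (DLT_EN10MB) captures are handled')
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + 'IIII', data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def parse_frame(frame):
    """Return ((src, sport, dst, dport, proto), payload_len, tcp_flags) for IPv4 TCP/UDP, else None."""
    if len(frame) < 34 or struct.unpack('!H', frame[12:14])[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    ihl, total_len, proto = (ip[0] & 0x0f) * 4, struct.unpack('!H', ip[2:4])[0], ip[9]
    if proto not in (PROTO_TCP, PROTO_UDP):
        return None
    l4 = ip[ihl:total_len]  # bounded by the IP total length so Ethernet padding is ignored
    if len(l4) < (20 if proto == PROTO_TCP else 8):
        return None
    src, dst = '.'.join(map(str, ip[12:16])), '.'.join(map(str, ip[16:20]))
    sport, dport = struct.unpack('!HH', l4[:4])
    hdr = (l4[12] >> 4) * 4 if proto == PROTO_TCP else 8
    return (src, sport, dst, dport, proto), len(l4) - hdr, (l4[13] if proto == PROTO_TCP else 0)

def extract_features(pcap_bytes):
    """Group packets into bidirectional flows and compute per-flow statistics."""
    flows = defaultdict(lambda: {'times': [], 'fwd': [0, 0], 'bwd': [0, 0], 'syn': 0, 'rst': 0})
    for ts, frame in iter_pcap(pcap_bytes):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        (src, sport, dst, dport, proto), plen, flags = parsed
        forward = (src, sport) <= (dst, dport)  # canonical order so both directions share one key
        key = (src, sport, dst, dport, proto) if forward else (dst, dport, src, sport, proto)
        f = flows[key]
        f['times'].append(ts)
        side = f['fwd'] if forward else f['bwd']
        side[0] += 1            # packets in this direction
        side[1] += plen         # payload bytes in this direction
        f['syn'] += bool(flags & TCP_SYN)
        f['rst'] += bool(flags & TCP_RST)
    features = {}
    for key, f in flows.items():
        t = f['times']
        gaps = [b - a for a, b in zip(t, t[1:])]  # inter-arrival times
        features[key] = {
            'packets': f['fwd'][0] + f['bwd'][0],
            'bytes_fwd': f['fwd'][1], 'bytes_bwd': f['bwd'][1],
            'duration': t[-1] - t[0],
            'iat_mean': mean(gaps) if gaps else 0.0,
            'iat_std': pstdev(gaps) if gaps else 0.0,
            'syn': f['syn'], 'rst': f['rst'],
        }
    return features

# --- constructed sample capture (not real traffic); checksums are left at zero ---
def build_frame(src, sport, dst, dport, proto, payload=b'', flags=TCP_ACK):
    if proto == PROTO_TCP:
        l4 = struct.pack('!HHIIBBHHH', sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    else:
        l4 = struct.pack('!HHHH', sport, dport, 8 + len(payload), 0) + payload
    a, b = (bytes(int(o) for o in x.split('.')) for x in (src, dst))
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0, a, b) + l4
    return b'\xaa' * 6 + b'\xbb' * 6 + struct.pack('!H', ETH_IPV4) + ip

def build_pcap(records):
    out = [struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)]  # global header, DLT_EN10MB
    for ts, frame in records:
        out.append(struct.pack('<IIII', int(ts), round((ts % 1) * 1e6), len(frame), len(frame)) + frame)
    return b''.join(out)

SAMPLE = build_pcap([
    (0.000, build_frame('10.0.0.5', 40000, '203.0.113.10', 443, PROTO_TCP, flags=TCP_SYN)),
    (0.020, build_frame('203.0.113.10', 443, '10.0.0.5', 40000, PROTO_TCP, flags=TCP_SYN | TCP_ACK)),
    (0.021, build_frame('10.0.0.5', 40000, '203.0.113.10', 443, PROTO_TCP, b'C' * 200)),
    (0.060, build_frame('203.0.113.10', 443, '10.0.0.5', 40000, PROTO_TCP, b'S' * 1200)),
    (0.100, build_frame('10.0.0.5', 53001, '10.0.0.1', 53, PROTO_UDP, b'Q' * 40)),
    (0.110, build_frame('10.0.0.1', 53, '10.0.0.5', 53001, PROTO_UDP, b'R' * 120)),
])

if __name__ == '__main__':  # replace SAMPLE with open('trace.pcap', 'rb').read() for a real capture
    for key, feat in sorted(extract_features(SAMPLE).items()):
        print(key, feat)
```

The flow key is ordered so that both directions of a conversation land in one record; per-direction byte counts are kept separately because the asymmetry (small requests, large responses or the reverse) is often the most telling feature for beaconing and exfiltration detection.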
Bizarre ARP issue Posted: 11 Dec 2019 01:57 PM PST
Problem: Looking for some assistance on this issue I've encountered today that's got me beating my head against a wall. We have a VM that is unable to resolve the default-gateway (ASA) IP. Capture shows the ARP request arriving at the first-hop TOR SW and being sent upstream toward the Core. I have also confirmed via "debug arp", packet capture matching on ether-type ARP and/or dropped packets that the ARP request doesn't arrive at the ASA (default-gateway) interface. So it seems the ARP traffic is being dropped by one of the switches. Note, I have yet to capture traffic on the Core and the second TOR switch connected to the ASA.
L2 Topology: VM > TOR SW > Core > TOR SW > ASA (DG). With the exception of the VM and ASA, the devices are connected via static LAG. Don't ask about the design choice. Wasn't me and I have no say in it :)
Findings and Notes:
* No issue with the default gateway resolving the VM IP by flushing the ARP cache. This fixes the issue for about 10 seconds.
* VM loses the ARP entry for the default gateway after a few seconds while sending continuous traffic - not sure why. Have not yet tried to add a static ARP entry.
* Verified IPs and MACs in the capture are correct, i.e. not a duplicate IP issue.
* L2 good. MACs learned on appropriate ports and all switches agree on the root bridge. No MAC flapping.
* Not an issue on other VMs on the same subnet.
* Storm control running but no traps (within the window of the issue) and PPS is well below threshold.
* Ports in question do have "arp inspection trust" set but DAI isn't enabled globally, i.e. it should be irrelevant config but may result in some type of buggy behavior?
* ASA is HA - may failover for testing but no reason to believe it's the ASA at this point.
* Not seeing any input errors/CRCs on the logical LAG or member ports.
Any ideas?
Is IPMI over Infiniband possible? Posted: 11 Dec 2019 03:43 PM PST
I can pick up a lot of info at once and already have a decent base. Any long youtube videos or sites? I use Linux already and kind of want to get into networking "hacking" and all the tools that go along with it. I'm assuming general networking is important as well as penetration testing? Posted: 11 Dec 2019 03:39 PM PST Finally, is Kali Linux my best option? I have Lubuntu; I'm assuming the difference is just programs preinstalled? I'm not really trying to go onto the dark net or anything like that so I don't need Tails, just a good distro but not too complicated unless it needs to be.
Mist and Cisco ISE Posted: 11 Dec 2019 02:22 PM PST Anyone doing this yet? I'm curious about it. I'm very Cisco ISE friendly as well as Cisco Wireless - quite a bit of experience with TrustSec and SDA too, but one of my clients is really enamored with MIST's wayfinding and wants to use their wireless too. MIST's website is pretty light and refers to AVPairs for security. That seems pretty light to me...
Pre-Turn up Circuit Testing ideas Posted: 11 Dec 2019 01:30 PM PST We've been bitten recently by our ISPs not providing us with the CIR we've put in for, and seen errors and drops on the circuits from the word go that take the ISP days to weeks to fix. What are some tests you guys use to test a circuit before it goes live? It's been difficult to get resolution on these circuits, but unfortunately our hands are tied by the ISPs we can do business with, so changing providers isn't really something we can do. Some of these sites are 10Gbps, so a laptop won't help in those cases unless we get a 10G NIC and run iPerf across, or something along those lines. I don't think speed tests would be as reliable either; some seem to cap at ~180Mbps, and are more generalized. I'd like to be 100% sure I won't have circuit issues when I plug my router in. Any insight on what others are doing would be greatly appreciated. Thank you!
Using LLDP to configure phone vlan Posted: 11 Dec 2019 12:48 PM PST Hello /r/networking I am looking for help identifying where I have gone wrong in my LLDP voice VLAN configuration. The phones are not picking up the VLAN they are supposed to be using. I have reviewed the LLDP section of the IOS Config Guide 15.0(2)SE and cannot find what I have missed. Switch: Catalyst 3560CG-8PC-S, IOS version 15.2(2)E8 Phone: Digium D62 firmware version 2_2_2_0 Switch LLDP Config: I also tried removing the network policy from Gig 0/7, adding `switchport voice vlan 6`, and then adding the network policy again. The config guide says that when you turn on LLDP all TLVs and LLDP-MED TLVs are enabled by default. I did enter `lldp med-tlv-select network-policy` on the interface but this did not change anything. It also did not explicitly show up in the config. I also entered `lldp transmit` and `lldp receive` on Gig 0/7. I guess they do not show up in the config because they are on by default. If I add `no lldp transmit` or `no lldp receive` they show up in the port configuration. I am testing this using a small switch on my desk. Most of our switching environment is 3750Gs and 3650s running 12.2(55)SE12.
Weird IP address conflicts Posted: 11 Dec 2019 06:40 AM PST [SOLVED] From my understanding, Windows and Cisco both send out ARP requests with a source of 0.0.0.0, and if they happen at the same time, Windows sees that 0.0.0.0 as a duplicate address and causes issues. Sending a "no ip device-tracking" command to the switch fixed the issue. Hello all! Running into a situation that I've literally never seen before. Running multiple Windows 10 boxes in an air-gapped Server 2012r2/2016 environment. Win10 boxes are connected to a Cisco 3850 with ipbasek9 license (15.2 OS) via copper SFPs. All systems are given a static IP. Whenever we boot a system, it comes up normally. When the system reboots, it tells us that there's an IP conflict, and it gets an APIPA address. We've verified that there actually is no IP conflict on the network. When we reboot, the systems go back to normal, no APIPA address, and they're happy with their statically assigned IP. We reboot again, and it goes back to IP conflict mode. Reboot again, back to good. Repeat... forever. Digging in a bit further, I was looking into the event log, I see that on every machine, there's a 4199 event for the IP conflict. Now here's where it gets weird. Every box says:
The MAC address is the MAC address for the switch port that the PC is connected to. Somehow, the systems are having an IP conflict with their own switch ports. We've tried:
Any advice would be greatly appreciated, because this is just boggling to me.
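To see the mechanism behind the post above in packets, here is an added example by the editor, not code from the poster: it dissects ARP frames and reports three conditions. "competing-probes" is two stations sending ARP probes (sender IP 0.0.0.0, RFC 5227) for the same address within a short window, which is the device-tracking-versus-Windows-duplicate-address-detection collision the edit describes; "probe-for-address-in-use" is a probe for an address some other MAC already holds; "address-claimed-twice" is a second MAC asserting an address, which is a genuine duplicate or an ARP spoofing attempt and is the case to rule out before blaming device tracking. The MACs, addresses and frames are constructed for the example; the 2 second window and event names are the editor's choices. Feed it (timestamp, frame) pairs from a capture on the access VLAN (the libpcap reader from the earlier example, or any capture library, will do).

```python
"""ARP probe / conflict detector over raw Ethernet frames (added example)."""
import struct
from collections import defaultdict

ETH_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
PROBE_WINDOW = 2.0   # seconds: RFC 5227 hosts send three probes spaced 1-2 s apart

def _mac(b): return ':'.join(f'{x:02x}' for x in b)
def _ip(b): return '.'.join(map(str, b))

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip) for IPv4 ARP over Ethernet, else None."""
    if len(frame) < 42 or struct.unpack('!H', frame[12:14])[0] != ETH_ARP:
        return None
    _htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack('!HHBBH6s4s6s4s', frame[14:42])
    if ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return op, _mac(sha), _ip(spa), _mac(tha), _ip(tpa)

def analyze(records):
    """records: iterable of (timestamp, frame). Returns a list of (ts, kind, ip, mac_a, mac_b)."""
    owners = {}                 # ip -> MAC that last asserted it (reply, gratuitous or ordinary request)
    probes = defaultdict(list)  # ip -> [(ts, mac)] for ARP probes (sender IP 0.0.0.0)
    reported = set()            # (ip, (mac, mac)) pairs already reported as competing
    events = []
    for ts, frame in records:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, sha, spa, _tha, tpa = parsed
        if op == ARP_REQUEST and spa == '0.0.0.0':
            # An ARP probe: the sender is checking whether tpa is free. Another station probing
            # the same address inside the window is what makes a Windows host in its own probe
            # phase declare a conflict, even when nobody actually holds the address.
            for other in {m for t, m in probes[tpa] if ts - t <= PROBE_WINDOW and m != sha}:
                pair = (tpa, tuple(sorted((other, sha))))
                if pair not in reported:
                    reported.add(pair)
                    events.append((ts, 'competing-probes', tpa, other, sha))
            if tpa in owners and owners[tpa] != sha:
                events.append((ts, 'probe-for-address-in-use', tpa, owners[tpa], sha))
            probes[tpa].append((ts, sha))
            continue
        if spa != '0.0.0.0':
            # Any other ARP asserts that sha holds spa; a second MAC asserting the same
            # address is a real duplicate (or ARP spoofing).
            if spa in owners and owners[spa] != sha:
                events.append((ts, 'address-claimed-twice', spa, owners[spa], sha))
            owners[spa] = sha
    return events

# --- constructed sample frames (no real hosts); MACs and IPs are made up ---
PC_MAC, SWITCH_MAC = '00:11:22:33:44:55', '00:1a:2b:3c:4d:5e'
GW_MAC, ROGUE_MAC = '00:00:5e:00:01:01', 'de:ad:be:ef:00:01'
ZERO = '00:00:00:00:00:00'

def build_arp(op, sha, spa, tha, tpa):
    hw = lambda s: bytes.fromhex(s.replace(':', ''))
    ipb = lambda s: bytes(int(o) for o in s.split('.'))
    arp = struct.pack('!HHBBH6s4s6s4s', 1, 0x0800, 6, 4, op, hw(sha), ipb(spa), hw(tha), ipb(tpa))
    dst = b'\xff' * 6 if op == ARP_REQUEST else hw(tha)
    return dst + hw(sha) + struct.pack('!H', ETH_ARP) + arp

SAMPLE = [
    (0.0, build_arp(ARP_REQUEST, PC_MAC, '0.0.0.0', ZERO, '10.1.1.50')),        # PC boots: probe 1
    (1.0, build_arp(ARP_REQUEST, PC_MAC, '0.0.0.0', ZERO, '10.1.1.50')),        # probe 2
    (1.5, build_arp(ARP_REQUEST, SWITCH_MAC, '0.0.0.0', ZERO, '10.1.1.50')),    # switch device-tracking probe
    (2.0, build_arp(ARP_REQUEST, PC_MAC, '0.0.0.0', ZERO, '10.1.1.50')),        # probe 3
    (3.0, build_arp(ARP_REQUEST, PC_MAC, '10.1.1.50', ZERO, '10.1.1.50')),      # PC announces (gratuitous ARP)
    (5.0, build_arp(ARP_REQUEST, GW_MAC, '10.1.1.1', ZERO, '10.1.1.50')),       # gateway's ordinary request
    (10.0, build_arp(ARP_REPLY, ROGUE_MAC, '10.1.1.50', PC_MAC, '10.1.1.50')),  # another MAC claims the PC's IP
]

if __name__ == '__main__':
    for event in analyze(SAMPLE):
        print(event)
```

On the sample the switch's probe at 1.5 s produces one competing-probes event between the PC and the switch port MAC, which matches the event 4199 symptom in the post, and the reply at 10 s produces address-claimed-twice, which is what a real conflict (or a poisoning attempt) looks like.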
Sanity checking a simple network to replace one exit network Posted: 11 Dec 2019 08:47 AM PST New place, trying to make sense of it. We have 5 offices. Here's the current setup
The 1gig VPLS is up for renewal, the phone system in A/B is outdated and we want to switch to cloud voice. The VPLS is only seeing 100mbps of traffic according to the ISP. We have Meraki MX64/MX65 in B, D and E. The MX64s have a max VPN throughput of 100mbps, which is what our internet connections are, so I don't see a point in going for anything larger than that. We're currently getting numbers for a VeloCloud setup that is WAY more complicated than what we need it for. We really only need site-to-site VPNs and to figure out how to correctly QoS the voice to be prioritized. What I'm thinking is getting internet connections for B (hopefully 250mbps) and C (100mbps), putting an MX84 in Location A and an MX64 in Location C.
Need some assistance with troubleshooting a connection issue Posted: 11 Dec 2019 12:17 PM PST Hello all. I hope you guys can help me out. I am experiencing an issue where I believe that the application is the problem and not the network. Here is the situation:
Host A (WW HMI Host): 192.168.30.30
WW Server: 172.16.10.20
They are seeing each other. Host A can RDP to the server with no issues. They are connected via a cell modem VPN. Due to an electrical issue at the remote site (where the WW server resides), we had to replace the modem. The modem configuration was restored from a backup with the same configuration. Since then, the host has not been able to poll the server for data from the application server, Wonderware. We confirmed a 3-way handshake via Wireshark on the server. We can see the packets going in and out. We see a RST packet in Wireshark after 5 attempts. Connectivity was established via TCP/5413. But the WindowViewer app on the host still won't pull the data needed. We had a contractor on site; he installed a version of the host application on his laptop. I provided him with an IP (192.168.30.31) and he was able to get the data with no issues. My next idea was to change the IP of the host to 192.168.30.31 as well. Lo and behold, this solved the issue. How!?!!?! The firewall is wide open, the rules allow the entire subnet to traverse, no ports are being blocked; this didn't make sense to me. The client was OK with leaving it at the new IP, 30.31. Has anyone seen anything like this? The contractor believes it's a networking issue and that's expected since the burden of proof is always on the networking guys. If anyone has any experience with the WW server, I would greatly appreciate that. I believe that 30.30 and 30.31 are "blacklisted" or stuck in a session which doesn't allow them to connect anymore. Maybe the session needs to be closed or deleted. If anyone has any ideas on why this worked, I would love to hear them.
I have never worked with WW but I'm going through their documentation now to see if there is a location in the settings to have some kind of shunning option available. Thanks in advance!
AP 1562E joins WLC 3504, SSID is broadcasted, assign static IP for the network, but cannot gain access to network Posted: 11 Dec 2019 12:01 PM PST The network that I am trying to access is 199.8.0.0/16 and is on VLAN 1. AP01 joins WLC-1 and begins broadcasting SSID "CISCO2_test". Created a vlan 1 interface:
The switch port the WLC is connected to is trunked. The switch port AP01 is connected to is trunked.
AnyConnect Management VPN tunnel Posted: 11 Dec 2019 11:52 AM PST Has anyone deployed the AnyConnect Management VPN tunnel at scale? I'm looking at a potential switch from Pulse Secure to AnyConnect (big cost savings) and this feature would be rather important. Since it's fairly new (around a year old), I haven't found a lot of people talking about it beyond just getting it set up, so I'm looking for some feedback on how well it performs/behaves. I need a VPN tunnel connected before a user logs in and I can't rely on users using the "network login" option in W10 to do it. Right now Pulse Secure does this seamlessly as it's integrated with the login provider, grabbing the user/pass you type in and sending it to Pulse Secure to connect the client, then passing it back to Windows to complete the sign-in. Cisco doesn't have anything like this (I was told it's because they don't believe in pass-thru auth to the VPN client), so the management tunnel is the only option.
VLAN Config help Posted: 11 Dec 2019 11:44 AM PST Hello all, I have been troubleshooting this for quite some time now, and I feel like I am starting to run in circles here. I am trying to configure VLANs between an HP V1910 switch and two Cisco Catalyst 3560 switches. I have a SonicWALL TZ300 which is providing DHCP for each VLAN. This is my current config:
HP V1910 Switch:
Ethernet Port 21 (Connects to SonicWALL TZ300) - Untagged VLAN 6, Tagged VLAN 100, 150
Ethernet Port 22 (Connects to Cisco 3560 #1) - Untagged VLAN 6, Tagged VLAN 100, 150
SFP port 26 (Connects to Cisco 3560 #2) - Untagged VLAN 6
Cisco 3560 #1:
Fa0/16 (Connects to Ethernet Port 22 on V1910 switch) - Trunk port tagged 100, 150. Untagged VLAN 1
Fa0/13 (Connects to SonicPoint device #1) - VLAN 100 access port
Fa0/14 (Connects to SonicPoint device #2) - VLAN 150 access port
Cisco 3560 #2:
Gi0/1 (Connects to SFP port 26 on V1910 switch) - VLAN 1 (default vlan)
Fa0/1 (Connects to SonicPoint device #3) - VLAN 1 access port
Fa0/2 (Connects to SonicPoint device #4) - VLAN 1 access port
SonicPoint devices #1 and #2 are receiving IP addresses, but clients who connect to these devices are not getting issued an IP. SonicPoint devices #3 and #4 are not receiving IP addresses. I will gladly provide clarification on anything. I am just in dire need of some assistance.
Patch panels in top of rack design Posted: 10 Dec 2019 11:04 PM PST Hi Folks, Do you install
a. copper patch panels in each server rack, or connect servers directly to the top of rack switch?
b. a fiber patch panel to connect the top of rack switch with the master switch, or directly interconnect using patch cords?
Any suggestions?
Troubleshooting DHCP issues Posted: 11 Dec 2019 11:07 AM PST Having some issues with DHCP snooping on a corporate network. I am in a Dell environment with Dell N series and some S series switches. My topology is as follows: Dell N3132PX-ON --> Pair of Dell S4048-ON (VLT, Peer routing and IP Helper) --> Dell N4000 --> ESX host with Windows DHCP server. The main issue is that when I enable DHCP snooping on the access switch (N3132PX-ON) with the clients, I can watch the DHCP request go out via Wireshark but the DHCP reply never comes back. I can watch the DHCP server get the request from the core switch using the IP helper. The uplink ports to the core are marked as trusted ports for DHCP snooping on the N3132PX-ON. DHCP snooping is not enabled on the core or the N4000 switch connected to the ESX host. The second issue I have is how I would run a packet capture between these switches from a laptop with a 1G link when the switches are connected with two 10G uplinks. Is there a way to filter the traffic using the monitor functions on the switch?
Help IPPBX with unlimited internal phone numbers Posted: 11 Dec 2019 04:43 AM PST Hi all, not sure if this is the correct place, but I have a query. Can I have, say, 1 phone number (PRI line) and unlimited internal numbers in my office? Basically, I want only a few phones to be able to receive and make outside calls, and the others to be able to only call within the organisation. Is such a thing possible? And how do I go about it? Can you guys point me in the right direction please? Thank you. Edit: thanks for the replies guys. I'll get professional help as this is my first set up.
New to HP's - Can you guys double check TACACS+ config on an older ProCurve Posted: 11 Dec 2019 10:23 AM PST In an effort to hopefully not cut my arm off here and have to drive an hour and a half to a remote site, I'm hoping my TACACS+ config is right. I haven't put any of it into the switch and it currently is already in production with everything else working fine. We're simply needing to implement AAA. I'm used to IOS and some of the HP syntax is a little different so anything I need to add, change or remove would be a big help. It's a ProCurve 2610 and I read through the PDF on Access and Security for the 2610. Our TACACS+ server is already configured and working fine with our other switches and I basically want to be able to SSH with a username/pw from an IP address in the ACL and be entered into operator mode, deny any authentication requests from any IP that is not in the ACL, and have the switch fail over to the already configured local privilege mode account if the TACACS server is not available. Once in, I want to be able to enter enable mode as the privileged account with login credentials that are on the TACACS server. SSH is already configured and working properly and I can ping the TACACS server from the switch. I guess my two main questions are: Is my syntax correct for authenticating, and is the ACL syntax correct?
aaa authentication ssh login tacacs local
aaa authentication ssh enable tacacs local
aaa authentication console enable tacacs local
tacacs-server host 10.10.92.150
tacacs-server key KEY
tacacs-server timeout 10
The ACL appears to be able to be set up two ways but I'm wondering which of these is correct or if either will work?
access-list 1 permit host 10.1.104.116/24 <- Is the subnet required here?
access-list 1 permit host 10.1.104.104/24
access-list 1 permit host 10.1.104.102/24
access-list 1 permit host 10.10.92.150/22
access-list 1 permit host 10.10.92.107/22
access-list 1 permit host 192.168.104.117/24
OR
ip access-list standard "1"
permit host 10.1.104.116
permit host 10.1.104.104
permit host 10.1.104.102
permit host 10.10.92.150
permit host 10.10.92.107
permit host 192.168.104.117
Interface 25 access-group 1 in
Interface 28 access-group 1 in
Hello, so I'm selling my Cisco Lab KIT after taking the exam... Posted: 11 Dec 2019 02:22 PM PST I took the exam and decided to sell it on ebay. If anyone is planning on taking the exam, here's the link https://www.ebay.com/itm/401990022173 . Happy networking!