    Wednesday, December 18, 2019

    Rant Wednesday! Networking

    Rant Wednesday!

    Posted: 17 Dec 2019 04:04 PM PST

    It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

    There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

    submitted by /u/AutoModerator
    [link] [comments]

    10g Multimode Fiber Link Between Brocade 7450 and 7250 - Link up only on one side

    Posted: 18 Dec 2019 11:21 AM PST

    Hey all,

    Posting here because I'm at the end of the troubleshooting I'm knowledgeable about and Brocade support wasn't much help.

    My configuration:

    Brocade 7450, port 1/4/1, 10GE LR 10km SFP+
    Brocade 7250, port 1/2/1, 10GE LR 10km SFP+
    Multimode Fiber
    No additional port configuration, both ports show as 10gig.

    When these are connected, I get links up on the 7250, with a LK-DISABLE status. The 7450 port 1/4/1 shows as down. When I disable 1/4/1, port 1/2/1 on the other switch goes down, so I know they are connected.

    I have tested the SFPs by plugging them into the same switch and looping them; both ports show as up (one LK-DISABLE to prevent the loop). But it won't work between the 7450 and the 7250. Fiber vendor is confident their physical is correct. I have the correct licensing on both of my Brocade switches. Firmware on both is the same, version 08070e, which is a known good version.

    Am I missing something here? I've got this working between other Brocade switches just fine. About to test the fiber with Cisco switches to make sure it's not a Brocade configuration/bug but I'm sure it will be.

    submitted by /u/thetorsoboy
    [link] [comments]

    Cisco ISE 2.4 Wireless Setup... will it nuke existing configs?

    Posted: 18 Dec 2019 05:18 AM PST

    Hey nerd fam,

    I've got ISE 2.4, though I'll be upgrading it soon. I'm looking to set up a sponsored guest portal... and while I know I can build out the components involved (ACLs, policy authZ, etc.) by hand, I wanted to test out the wireless setup wizard. Videos make it seem pretty simple to use, but because they slap BETA on it, throw warnings around and have it disabled by default... I can't figure out one simple question. Will it leave my existing WLC configs for other SSIDs and my existing policy set for ISE alone and just add the components to what's already there? To confirm, the "feature" is accessible in the upper right corner in a drop-down menu that also has PassiveID setup. Thanks for any help!

    submitted by /u/syntax24
    [link] [comments]

    Options for routing internal ASA traffic

    Posted: 18 Dec 2019 06:52 AM PST

    I am trying to route traffic between two specific "inside" ASA interfaces of the same security level in order to connect two customers under our same firewall. I know this can be done with "same-security-traffic permit inter-interface", but there are many other customer networks and I cannot have them intermingle. So far, my efforts to get around this policy with ACLs have not been successful.

    submitted by /u/digitalsquirrel
    [link] [comments]

    Access restriction with Aruba switches

    Posted: 18 Dec 2019 11:04 AM PST

    The background on this is that we have an old server running Windows Server 2003 that runs a legacy accounting application. We finally migrated to a cloud-based system a year ago, but of course, this server must be kept running indefinitely for audit purposes. We have no support for the application (nor did we for the previous 5 years I've been here when the application was actually in production), so we try to touch this server as little as possible lest we mess something up.

    Since it needs to stay running, we want to wall it off from the rest of the network as much as possible. It's on our Active Directory domain, so we want to maintain the ability to authenticate with AD. We also need to allow access from a small number (3-4) of dedicated laptops but want to limit access beyond that.

    One of the ways I've been looking at doing this is by enabling security at the switch. Our core switch is a 5406R and our access is a 2930M stack. I'm planning to create a new VLAN for the dedicated laptops. Those machines should have access to a domain controller for authentication, the accounting server, and nothing else. We plan to connect them to an unmanaged switch in the accounting department and bring it upstairs to a port in the access stack. I'd like to limit the server to connections to/from the domain controller and the dedicated laptops. None of these machines should have internet access.

    Looking through the Aruba documentation, there appear to be a few ways to do this.

    • Traffic/Security Filters
    • Access Control Lists
    • Port Security/MAC Lockdown

    Based on the information provided, can anyone suggest the best way to accomplish this task?

    Thanks,

    submitted by /u/thomassowellistheman
    [link] [comments]

    WAN Services Help (MetroE, MPLS, Leased Lines, VPNs)

    Posted: 18 Dec 2019 01:00 PM PST

    Hi guys, I just finished my CCNA studies and I've got everything down with the exception of one topic. How do MPLS, Metro E, and leased lines differ? I understand label switching in MPLS, but... I keep hearing that they are all the same? Like I've read that Metro E is a type of leased line, and that Metro E uses MPLS... does that mean MPLS uses a leased line?

    Can you have MPLS without Metro E? Would that just be a serial connection? Is a P2P Metro E line the same thing as a leased line but just Ethernet instead of serial?

    submitted by /u/Debusatie
    [link] [comments]

    Firepower FTD IPSEC tunnel endpoint as non-interface IP?

    Posted: 18 Dec 2019 10:36 AM PST

    Hey all!

    I'm trying to configure some VPN tunnels in a new environment I inherited with a Cisco Firepower FTD firewall as our endpoint, but a unique config is requiring that the tunnel be terminated to an IP address that isn't the one directly assigned to the outside interface. My outside interface IP is RFC1918 (10.10.10.1 in diagram) because the path to our internet egress traverses a separate internal network, but our public range is routed from that network to my firewall's outside interface and my public IP range (x.y.z.0/29 in diagram) is reachable from the public internet. x.y.z.1 is my PAT address from the devices inside the firewall and that egress also works properly.

    The issue here is that when trying to create a VPN tunnel, it requires that the local VPN endpoint IP be an interface IP (my only option when choosing my outside interface is 10.10.10.1) and will not allow it to be one of the public IPs I have that isn't the exact interface IP. Is there another way to get it to specify the source address of the tunnel as one of those public IPs?

    Diagram - https://i.imgur.com/8tVqAa3.jpg

    submitted by /u/valherum
    [link] [comments]

    How to stop OSPFv3 to automatically set "no passive-interface" despite "passive-interface default"?

    Posted: 18 Dec 2019 02:30 AM PST

    Recently I have started migrating some switches from OSPFv2 to OSPFv3 and have stumbled over something that I can't figure out.

    This is (the relevant part of) my ospfv3 config:

    router ospfv3 10
     !
     address-family ipv4 unicast
      passive-interface default
      area <omitted> nssa no-summary

    Now, coming from ospfv2, what I expect this to do is leave any interface that has not been explicitly configured as "no passive-interface" in passive mode.

    But whenever I go on and add an interface to the routing process using the command below, since I want it to be advertised in the network, IOS XE goes on and automatically whacks a "no passive-interface" into the OSPF config. Which I have to remove again, since I don't want my OSPFv3 building neighbourships over my access VLANs.

    ospfv3 10 ipv4 area <omitted> 

    Did anyone else here come across this and figure out how to actually set "passive-interface default"?

    submitted by /u/Phrewfuf
    [link] [comments]

    Internet timeout issue

    Posted: 18 Dec 2019 03:29 PM PST

    Hi...Hopefully I can describe this well enough. The specifics: Network with about 300 users, 12 switches for distribution (Unifi), Unifi wifi throughout building, onsite Unifi controller, Xfinity ISP with static IP, Sonicwall firewall, Unifi core, and Server 2016 for AD and DNS.

    Only on domain-joined computers does the internet (including pinging) time out for random pages. In other words, I can go to ESPN.com no issue, go to Google.com with no issue, but then try Amazon.com and it will time out. Eventually, Amazon will appear and work. Usually getting to a page makes it better for the immediate time, but the next day or after a period of time things return to the same randomness. Using ICMP (ping) it is the same... time out, time out, then finally it will respond. This is different on each computer and very random.

    Changed to static DNS (8's and 9's and ISP) on a domain joined workstation, essentially skipping the DC/DNS on prem server. Still same results with the time out. Other computers on the same network that are not domain joined (students or chromebooks) all work as they should with no timeout issues at all.

    Any thoughts would be helpful!

    submitted by /u/emont100
    [link] [comments]

    Anyone benchmark/use DANOS (the AT&T and Brocade version of Vyatta after they got bought) yet?

    Posted: 17 Dec 2019 10:15 PM PST

    As title. I got it downloaded and have used it and it seems...interesting. Kinda interested in seeing how it would be as an edge router and an MPLS P. Seems like it would be very interesting.

    The other thing I found cool is that it apparently has a control plane/forwarding plane separation in it. The forwarding plane part is apparently DPDK...which is VERY interesting. Could bring a crap ton of PPS of throughput.

    Anyone mess with it yet?

    submitted by /u/Cheeze_It
    [link] [comments]

    110 connecting block removal tool?

    Posted: 18 Dec 2019 01:36 PM PST

    We have several 110 connecting blocks that are corroded. They are a *monster* to try and pull out with pliers. I know, or feel very certain at least, that there should be a specialized tool to yank these bad boys out. My ability to google has failed me... would anyone happen to know the name of said tool?

    submitted by /u/dumbestFIquestion
    [link] [comments]

    Issue with a 'vehicle' network.

    Posted: 18 Dec 2019 08:23 AM PST

    Switch 1 --------------------------- Sw3 ---------------------- Sw5
       |                                  |                          |
       |                                  |                          |
       |                                  |                          |
    Unmanaged SW ---- Device 1         Device 2                   Device 3
      ||                                  |                          |
      ||                                  |                          |
      ||                                  |                          |
    Switch 2 --------------------------- Sw4 ---------------------- Sw6

    The figure above describes a network we plan to implement on a moving vehicle. The devices represent computers which send signals to the propulsion units on the vehicle, allowing it to accelerate, decelerate etc. With the exception of the unmanaged switch, all switches are L3 with a single VLAN spanning across the entire network shown above.

    The idea is for Device 1 to be able to constantly communicate with either Device 2 or 3 at any given time. Originally Device 1 was only connected to Sw1, but to add more redundancy, a second link (represented by ||) was proposed. This was supposed to allow for a single failure (of either Sw1 or any of the links) and provide an alternate path for Device 1 to communicate with 2 and 3. During some basic connectivity tests, I ran simultaneous and continuous pings from Device 1 to Devices 2 and 3. However, upon unplugging any of the primary links or killing Sw1, both ping streams are affected and it takes about 30 seconds for them to recover. The transition is not seamless and this 30-second gap is considered an unacceptable failure condition.

    All the devices are on the same network with RSTP running on all switches. Trunk links have been established and the behavior is generally predictable. The unmanaged switch however is from a different supplier and is flat with no configuration on it. The ports on Switches 1 and 2 connected to this unmanaged switch are access ports. What is causing this behaviour? What can be done to rectify this? Thanks!

    EDIT: Sorry, the formatting is screwed up! The crude illustration was that of a ladder type network with Switch 3 and 4 connected to Device 2 and Switch 5 and 6 connected to Device 3.

    EDIT2: Grammar.

    EDIT3: https://imgur.com/a/ecMrHpm

    EDIT4: The components shown in the rectangle (unmanaged switch and Computer 1) are being provided by a different supplier and cannot be modified. Link aggregation therefore is not an option.

    submitted by /u/that90sreference
    [link] [comments]

    Monitoring "Carrier Grade" Carriers

    Posted: 17 Dec 2019 08:57 PM PST

    I work for a small voice provider and we use public internet termination in combination with MPLS circuits to feed our voice network trunks. In the days of least cost routing our calls can be originated/terminated almost anywhere in the world, and so we accept UDP traffic from many ASes around the globe.

    Now, we will get tickets for our VIP customers where we need to figure out why we lost RTP UDP packets over the public internet. We have used bgpmon.net to monitor our own prefixes and use a variety of external "reachability" services, but those don't give us a view of sub-optimal route changes between any AS in the world and our AS at the time in question.

    For example, if a link goes down between the big guys, say between Verizon and L3, and there is a major re-route due to a fiber cut: did that happen at the time of the call in question?

    Any suggestions that won't break the bank?

    submitted by /u/climbcolorado
    [link] [comments]

    Cisco UCS servers sending a DHCP client-id that I can't pre-determine?

    Posted: 18 Dec 2019 09:45 AM PST

    Hi all,

    Weird one that I haven't encountered. I have some Cisco UCS C240 M5SXs that are sending a 36-character string as their DHCP client-id rather than their MAC address as I would expect. This is making it hard to deliver configs via PXE, do DHCP reservations, etc. beforehand.

    Does anyone know where this identifier is coming from? They all seem to start with "b6220feb00020000" and then a changing 20-character string that tends to start with "ab".

    submitted by /u/nullityrofl
    [link] [comments]
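The question above is easier to answer once you know which of the standard option 61 forms the server is seeing. This added decoder (not from the post, and not tied to anything Cisco documents) classifies a DHCPv4 client identifier: type 1 followed by a MAC, type 255 for the RFC 4361 IAID+DUID form, or an opaque value; all sample values are constructed.

```python
# Decode a DHCPv4 client identifier (option 61) given as a hex string.
# Constructed example; the values here are not from the UCS servers above.

DUID_TYPES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL", 4: "DUID-UUID"}


def client_id_for_mac(mac):
    """The option 61 value a server sees when a client identifies by its MAC."""
    return "01" + mac.replace(":", "").lower()


def decode_client_id(hexstr):
    """Classify an option-61 value: plain MAC, RFC 4361 IAID+DUID, or opaque."""
    raw = bytes.fromhex(hexstr.replace(":", ""))
    if not raw:
        raise ValueError("empty client identifier")
    ctype, body = raw[0], raw[1:]
    if ctype == 1 and len(body) == 6:
        # Type 1 = hardware type Ethernet, followed by the 6-byte MAC.
        return {"kind": "mac", "mac": body.hex(":")}
    if ctype == 255 and len(body) >= 6:
        # RFC 4361: 4-byte IAID, then a DHCPv6-style DUID.
        duid = body[4:]
        duid_type = int.from_bytes(duid[:2], "big")
        info = {"kind": "rfc4361", "iaid": body[:4].hex(),
                "duid_type": DUID_TYPES.get(duid_type, "unknown"),
                "duid": duid.hex()}
        # DUID-LL (3) and DUID-LLT (1) end with the link-layer address; for
        # hardware type 1 (Ethernet) that is a 6-byte MAC, after a 4-byte
        # timestamp in the LLT case. Recovering it lets you pre-compute
        # reservations from the MAC after all.
        hw_type = int.from_bytes(duid[2:4], "big") if len(duid) >= 4 else None
        offset = {3: 4, 1: 8}.get(duid_type)
        if hw_type == 1 and offset is not None and len(duid) == offset + 6:
            info["mac"] = duid[offset:].hex(":")
        return info
    # Anything else is an opaque string the server matches byte-for-byte.
    return {"kind": "opaque", "type": ctype, "data": body.hex()}


if __name__ == "__main__":
    for sample in (client_id_for_mac("00:11:22:33:44:55"),
                   "ff00000001000300010a1b2c3d4e5f",
                   "00abcd"):
        print(sample, "->", decode_client_id(sample))
```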

    Unable to browse websites between hosts

    Posted: 18 Dec 2019 05:44 AM PST

    Hi All,

    I am in the process of finalising a server environment that is geographically located in two separate locations.

    For the WAN side the 2 firewalls connect to our PE routers and are working fine.

    On the LAN side for the server resiliency I am running a VPLS connection between the two switches with VRRP running over this. The gateway address 10.0.1.1 floats between 2x SRX firewalls with the SRX in Location A being the primary.

    The hosts can all communicate via ping and can access the internet.

    Host 1 in Location A has the IP 10.0.1.10

    Host 2 in Location B has the IP 10.0.1.90

    The issue:

    Unable to access webpages hosted in Location B from Location A or vice versa.

    The web-pages do respond as I can access them from the WAN side

    Ping between the hosts:

    C:\Users\Administrator.JUMPBOX-EN1>ping 10.0.1.90

    Pinging 10.0.1.90 with 32 bytes of data:

    Reply from 10.0.1.90: bytes=32 time=1ms TTL=64

    Reply from 10.0.1.90: bytes=32 time=1ms TTL=64

    Reply from 10.0.1.90: bytes=32 time=1ms TTL=64

    Traceroute from Host 1 to Host 2

    C:\Users\Administrator.JUMPBOX-EN1>tracert 10.0.1.90

    Tracing route to 10.0.1.90 over a maximum of 30 hops

    1 1 ms 1 ms 1 ms 10.0.1.90

    Trace complete.

    Telnet 443 from Host 1 to Host 2 - Connects

    I have checked the firewalls and the traffic isn't hitting it as the devices are technically on the same LAN

    What would be the best method for diagnosing this?

    submitted by /u/AWatson9898
    [link] [comments]
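One check worth running when small packets (ping, a TCP handshake on 443) cross a VPLS/VRRP path but full-size responses do not is whether the path MTU is smaller than the hosts assume. This added script (not from the post) binary-searches the largest DF-set ping payload that gets a reply; the search takes any probe callable so it can be tested offline, and `ping_probe` wraps the OS ping command with the Windows and Linux flag sets.

```python
# Find the largest ICMP payload that crosses a path with the DF bit set.
# Added example; host names and sizes below are placeholders.
import platform
import subprocess


def ping_probe(host, payload, timeout_s=2):
    """True if one DF-set echo request with `payload` data bytes gets a reply."""
    if platform.system() == "Windows":
        # -f sets Don't Fragment, -l is the data size, -w is timeout in ms.
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload),
               "-w", str(timeout_s * 1000), host]
    else:
        # iputils: -M do sets DF, -s is the data size, -W is timeout in s.
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload),
               "-W", str(timeout_s), host]
    res = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                         stderr=subprocess.DEVNULL)
    return res.returncode == 0


def largest_passing_payload(probe, lo=0, hi=1472):
    """Binary search for the largest payload size that probe() accepts.

    probe(size) must be monotone: once a size fails, larger sizes fail too.
    Returns -1 if even `lo` does not get through. The default `hi` (1472)
    is the payload that fills a standard 1500-byte Ethernet frame."""
    if not probe(lo):
        return -1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def path_mtu_from_payload(payload):
    """IPv4 header (20) + ICMP header (8) + data bytes."""
    return payload + 28


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "10.0.1.90"  # placeholder
    best = largest_passing_payload(lambda n: ping_probe(target, n))
    if best < 0:
        print(f"no DF-set ping reaches {target}")
    else:
        print(f"largest payload {best} -> path MTU about {path_mtu_from_payload(best)}")
```

A result well below 1500 between two hosts that believe they share a 1500-byte LAN points at an MTU mismatch somewhere on the VPLS path.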

    Checkpoint FW access logs

    Posted: 18 Dec 2019 01:37 AM PST

    Can anyone help me out with exporting and accessing logs on Checkpoint FWs? We are on R77.30. I can view the current logs through Tracks on the Smart Console but I cannot figure out how to export the logs from there. Also it only displays logs of about the last 24h. I suppose the older ones are stored?

    I tried to look things up on the Checkpoint communities but they are not very helpful as they assume you know how to access everything on those stupid boxes.

    submitted by /u/NazgulNr5
    [link] [comments]

    Preventing excessive ARP queries from Cisco internet-facing router to switch?

    Posted: 17 Dec 2019 05:04 PM PST

    I have a not-so-optimal setup on our network, with a Cisco 2900 series router facing out to the Internet with several IP prefixes announced, covering approximately 10k IPs, plugged into a "WAN" vlan'd port on a Nortel Baystack 5510-48T managed switch. Aside from that there aren't really any vlans configured to segment off individual hosts - as most of the hosts are VMs on vSphere hosts, where some VLANing is done on the [distributed] vSwitch there - and at the end of the day I end up with a boatload of ARP traffic hosing every single active port on the switch.

    A tcpdump from an interface with the "WAN" tag VLAN on a non-VMware host yields no less than 8000 ARP queries per minute, presumably the result of non-stop Internet scans across the 10k+ IPs announced on the router. The vast majority of queries go unanswered as only a fraction of the IPs are in use at the time.

    What are my options for reducing this number of ARP queries on the switch? Should I be looking at some kind of per-IP ARP query 'cache' time, e.g. if an answer timed out, don't ask again for X amount of seconds; some kind of configuration where I can list CIDRs of IP space as currently unattended, telling it not to ask; or anything else I'm not considering? I am not overly familiar with either the Cisco CLI or the Nortel Baystack switch firmware (an Avaya CLI, similar to Cisco syntax, on the managed switch).

    Any input is appreciated. Thank you!

    submitted by /u/dataslanger
    [link] [comments]
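Before changing anything it helps to measure how much of the ARP load is for addresses with nobody behind them, since that is the share a "don't re-ask" policy or an unused-CIDR list could remove. This added script (not from the post) parses the text form of `tcpdump -n arp` output and reports requests per requester, per target, and the requests to targets that never replied; the sample capture is constructed, with 203.0.113.0/24 standing in for the announced prefixes.

```python
# Summarise an ARP capture: who asks, for what, and which targets never reply.
# Added example; the SAMPLE lines are constructed, not from the poster's switch.
import re
from collections import Counter

REQ = re.compile(r"ARP, Request who-has ([\d.]+) tell ([\d.]+)")
REP = re.compile(r"ARP, Reply ([\d.]+) is-at ([0-9a-f:]+)")

SAMPLE = """\
13:00:01.000001 ARP, Request who-has 203.0.113.7 tell 203.0.113.1, length 46
13:00:01.000250 ARP, Request who-has 203.0.113.8 tell 203.0.113.1, length 46
13:00:01.000400 ARP, Reply 203.0.113.8 is-at 00:50:56:aa:bb:cc, length 46
13:00:01.000900 ARP, Request who-has 203.0.113.9 tell 203.0.113.1, length 46
13:00:01.001100 ARP, Request who-has 203.0.113.7 tell 203.0.113.1, length 46
13:00:02.000000 ARP, Request who-has 203.0.113.9 tell 203.0.113.1, length 46
13:00:02.000500 ARP, Reply 203.0.113.9 is-at 00:50:56:dd:ee:ff, length 46
"""


def analyse_arp(text):
    """Return request counts and the targets that were asked for but never answered."""
    per_target = Counter()
    per_requester = Counter()
    answered = set()
    for line in text.splitlines():
        m = REQ.search(line)
        if m:
            per_target[m.group(1)] += 1
            per_requester[m.group(2)] += 1
            continue
        m = REP.search(line)
        if m:
            answered.add(m.group(1))
    # A target that never replied anywhere in the capture is dead space:
    # every request for it was broadcast to all ports for nothing.
    unanswered = {ip: n for ip, n in per_target.items() if ip not in answered}
    return {
        "total_requests": sum(per_target.values()),
        "requesters": dict(per_requester),
        "unanswered_targets": unanswered,
        "wasted_requests": sum(unanswered.values()),
    }


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    s = analyse_arp(text)
    print(f"{s['total_requests']} requests, {s['wasted_requests']} to targets that never replied")
    for ip, n in sorted(s["unanswered_targets"].items(), key=lambda kv: -kv[1])[:10]:
        print(f"  {ip:15} {n}")
```

Run it as `tcpdump -n -l arp | python3 arp_summary.py` on the tagged interface; a requester column dominated by the router's address and a long unanswered list confirms the scan-driven pattern described above.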

    Can you breakout QSFP28 into 4 x SFP+ ports?

    Posted: 17 Dec 2019 05:16 PM PST

    We have some new switches we're testing that have 32 x 100Gbps (QSFP28) ports (Arista 7060CX2-32S).

    However, we still have a bunch of legacy equipment that uses 10Gbase-LR, with SFP+ optics. (NICs are mostly Intel 520-DA2, or Intel 710-DA2).

    We could get a separate ToR switch just for them, but it'd be easier if we could integrate all into the one switch.

    What's the easiest way of breaking out each QSFP28 port, such that we can use our existing SFP+ optics/fiber?

    I do believe each QSFP28 port can be split into 4 x SFP28 - which is backwards compatible with SFP+, right?

    However, I can't actually find any adapters that do the breakout. All I can see are DAC cables with QSFP28 on one end, and 4 x SFP+ on the other, which is not what we want.

    Ideally, we want to break out each QSFP28 into 4 x SFP28/SFP+ slots into which we can insert our existing SFP+ optics.

    Does such a thing exist?

    submitted by /u/victorhooi
    [link] [comments]
