
    Thursday, February 6, 2020

    Blogpost Friday! Networking

    Blogpost Friday!

    Posted: 06 Feb 2020 04:04 PM PST

    It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

    Feel free to submit your blog post, as well as a nice description, to this thread.

    submitted by /u/AutoModerator

    Opinions on Palo Alto firewalls and Panorama v. Checkpoint and other brands.

    Posted: 06 Feb 2020 10:18 AM PST

    Looking to see what others' opinions and experiences are on various other firewalls. Currently Checkpoint is bugging out on us quite a lot. It recently started dropping "hello" TLS packets for one particular application only (also sharing the same certificate as other traffic that did get through) but gave no indication or logs that this traffic was getting errored or denied. The other kicker is no, we touched nothing in regards to this traffic or rules impacting it.

    Our new Architect is pretty well at wits' end, and likes PA. I have very limited exposure to it, and when I did it was pre-Panorama.

    But as a security guy CP does some really nice things in terms of IPS/IDS and the ability to correlate logs, track threats, etc. (Their IPS stuff is honestly one of the best security tools I have.)

    Also, coming in R80.40 the HTTPS inspection is getting an overhaul.

    I have another close friend that loves their PA, and has no issues with it. Our vendors that also sell PA say really they're not all that different in terms of maintenance, bugs or general quirks.

    Not a particular fan of SonicWall or Firepower. FortiGate I have 0 experience with, but was also warned about their product stability and fixing bugs. (Just what I heard.)

    The other issue we're looking to overcome is needing actual FWs for remote sites that we're moving to DIA from MPLS. Possibly looking at SaaS FW instead of direct appliances to lower costs and management.

    Also ripping out one for the other seems like more work than we'd want especially if there's no drastic difference.

    Thanks for your input.

    submitted by /u/BlackSquirrel05

    How much annual leave do you get? (US)

    Posted: 06 Feb 2020 01:39 AM PST

    Asking for me.

    I'm UK based, but will soon be marrying an American and then we will decide where to live. Returning to the US is a distinct possibility as she would like to be closer to her family.

    We are weighing up what our quality of life could be and holidays are a major concern for her. She tells me they aren't really a thing in America.

    I currently work within the network team of a UK university; I get 41 days paid holiday per year. This came up once in conversation with her father and he was pretty shocked.

    It's worth noting that universities are public sector. If I went private, pay would be higher but my holidays would likely drop to around 28+ (28 being the legal minimum if you work 5 days a week full time).

    Generally speaking, what's annual leave like in this sector in America?

    submitted by /u/dunkitando

    How do mmWave base stations work in 5G systems?

    Posted: 06 Feb 2020 01:20 PM PST

    Will the mmWave base stations be added on top of the LTE EPC and similarly communicate through existing SGW?

    submitted by /u/jollytopper

    Meraki multi path networking

    Posted: 06 Feb 2020 01:06 PM PST

    Does anyone know off the top of their heads if with Meraki you can use an MX450 to route traffic across a private fiber link to a branch office, but should that link go down the branch office networks could also be available via site-to-site VPN? There would be a Meraki MX450 series at the branch office.

    submitted by /u/jdm7718

    Aruba 8320

    Posted: 06 Feb 2020 09:23 AM PST

    We are looking at replacing our core HP 5406 with a pair of Aruba 8320s. We are a mid-size school with around 1000 users. According to HP/Aruba all my current 10G SFP+ modules are compatible. My vendor has come in with a really good price on them. With a lifetime warranty and my current adapters working, I'm leaning towards purchasing the 8320s. Has anyone had any experience with them, any pros or cons?

    submitted by /u/dan1122

    Securing Access to Network Gear

    Posted: 06 Feb 2020 11:02 AM PST

    Polling the hive mind: what do you use, dislike, or like, for securing access to network gear beyond just username and password? MFA (YubiKey? RSA?)? Rotating passwords? Jumphosts only? Maybe it's something really cool I don't even know about?

    submitted by /u/iinaytanii

    Meraki MS L3 Routing Issues

    Posted: 06 Feb 2020 12:14 PM PST

    I recently designed and orchestrated a sizable campus network overhaul for a customer of mine.

    • A dozen or so buildings
    • ~200 users
    • HA VeloCloud SD-WAN (split between 2 buildings for redundancy)
    • 3x L3 switch stacks - linked together in ring topology, redundant cables from stack to stack with LACP
    • Dozens of L2 "leaf" switches hung off of the L3 switch stacks
    • RSTP
    • Route distribution via OSPF
    • Redundant OSPF neighborships with VeloCloud via OSPF

    This was my first experience setting up a "proper" campus network with Meraki switches. It ticks all the boxes in terms of features and redundancy that most people would want for a campus route / switch environment. For the most part, everything works great.

    The issue I'm having now is that the users are complaining about occasional random phone re-registration issues and occasional thin client drops.

    I'm not exactly looking for troubleshooting advice. What I'm trying to get a feel for is the /r/networking community's experience with using Meraki MS L3 switching to its full potential, the way you would with a Catalyst or Nexus type deployment. I have seen many Meraki deployments in my day; however, they've almost always been simple layer 2 configurations, no redundancy, no stacking, daisy chaining, deployed by sysadmins with little network experience. Am I asking too much of Meraki? Is a moderately complex layer 3 configuration a bad idea on Meraki MS?

    submitted by /u/virtualbitz

    Adding new circuit to ISP

    Posted: 06 Feb 2020 11:57 AM PST

    As the title suggests, I was thrown into a new project attempting to upgrade our service with a new circuit to our ISP. I have all the config info.

    The issue I'm running into is I was asked by my superior to test the connection before it goes live but without advertising any networks. Problem is this is a router that is live, has BGP enabled, configured and working to the same service provider.

    Wouldn't this task be impossible, as adding a new interface and neighbor to the config would immediately advertise these networks?

    submitted by /u/imthescubakid

    ASA5515 and etherchannel

    Posted: 06 Feb 2020 11:57 AM PST

    Hey everyone! I've been noticing some overruns on my ASA WAN and downstream trunk. I'd like to try creating a couple of port channel groups to increase throughput but am noticing that I cannot do a port channel on an int with sub-interfaces.

    How is this scenario typically handled in best practice?

    submitted by /u/digitalsquirrel

    Forgive my naivete - but is L2 really necessary to build out anymore? As in, why build a switched network when you can build a routed network?

    Posted: 06 Feb 2020 03:36 PM PST

    Some background:

    I come from a small business environment as a net admin, and all I ever did was spend time on the firewalls writing up policies, NAT rules, VPNs, security stuff. We had a large amount of clients come in and out, and each room had its own subnet/VLAN, but they were connected to dummy switches that acted as more ports to fit into one redundant interface, to be honest. I didn't have to configure any STP, storm control, nothin' - straight outta the box they did what I wanted.

    Now, this being a small business environment, the most that ever occupied one subnet/VLAN was 40 people, and every switch was either a 24 or 48 port hybrid switch (Juniper ELS). I see posts here and there about "just get rid of L2" - is this true/possible? The only thing I've ever had to actually do on L2 is configure STP in some labs, but otherwise L2 is handled by the devices fairly well and I handled administration and security through the firewall.

    Thoughts?

    submitted by /u/jeron9

    Point to Point wireless bridge

    Posted: 06 Feb 2020 09:34 AM PST

    I need a point to point solution for my company. I've never done point to point before, so I wanted to double check before I started ordering stuff. I was looking at a couple of the Ubiquiti NanoBeams. We don't need to go very far, a few hundred yards at the most. I'm assuming I just need two of the NanoBeams? There isn't any other hardware required other than regular networking stuff on both ends? It looks like they are about $100 apiece. Do they work well or is there another solution that would work better?

    Edit: I'm aware they both are going to need a PoE switch or PoE injectors.

    Edit2: I should have mentioned that this will be a temporary setup used for live events and the traffic will be very small, used by stage lighting consoles. So a reliable connection far outweighs large speeds.

    submitted by /u/Saft888

    Juniper Dynamic VPN - server to client connection

    Posted: 06 Feb 2020 01:51 PM PST

    Hello,

    I'm attempting to have a server create a connection with a client that is remotely connected through a Pulse Secure Dynamic VPN on Juniper SRX. A connection can be established from the client to the server. What about in the opposite direction?

    There is no route to the dynamic address pool assigned. And I'm not sure what the next hop would be as the dynamic VPN has to be a policy-based VPN. Basic datapath traceoptions shows the route lookup failed.

    Is it possible? If so, what needs to be done?

    submitted by /u/jdlester8

    Core Switch Upgrade

    Posted: 06 Feb 2020 08:11 AM PST

    Currently planning on doing a core switch upgrade at my workplace to remove our old Catalyst 3560-X. I would like to upgrade to a 48 port, with PoE and 6-8 SFP(+) ports, with a budget of 2500. I really don't want another Cisco as I can't stand their licensing nonsense and would like to move away from that. I've seen decent offerings like the Juniper EX2300-48P (not enough SFP ports) and the Fiber Store offerings look nice but are pretty sketchy from some reading around this subreddit. Basically I'm not a networking pro and there are too many options.

    submitted by /u/TheKnightThatGoesHmm

    Cisco ISE problem or flaw

    Posted: 06 Feb 2020 04:13 PM PST

    Running Cisco ISE 2.3 patch 5. Keep having a posture redirect problem. What does this do and why do I even have it? Not using remediation.

    submitted by /u/jollyjunior89

    Cisco 9200 - "Service unsupported-transceiver" error

    Posted: 06 Feb 2020 03:44 PM PST

    Evening guys,

    I'm standing up a fleet of 9200s, ran into this and couldn't find anything online about it.

    Trying to run "service unsupported-transceiver" on a C9200L-48P-4G, running firmware 16.9.3 or 16.9.4, yields the following output:

    Switch(config)#service unsupported-transceiver
    % Ambiguous command: "service unsupported-transceiver"

    If I do "service ?", I actually see "service unsupported-transceiver" listed twice.

    I've got 2 of these switches running on 3rd party SFPs from FS. I ran "no errdisable recovery cause gbic-invalid" and the links are up with no errors; "sh inv" shows the SFPs nice and happy.

    Doing "sh int gig1/1/1 trans de" shows the following output:

    Switch#sh int gig1/1/1 trans de
    Transceiver monitoring is disabled for all interfaces.

    Has anyone seen this or have any insight?

    submitted by /u/stern93

    Does anyone here have an idea of the interview process for Nokia?

    Posted: 06 Feb 2020 03:38 PM PST

    I received an interview offer with them, it's my first ever technical interview so I'm starting to get some imposter syndrome. Any idea of what format I should be prepared for?

    https://imgur.com/a/UrLIDRB

    submitted by /u/InadequateUsername

    25G switches for small datacenter infrastructure

    Posted: 06 Feb 2020 03:21 PM PST

    Hi everyone!

    We're building a new infrastructure for our business. Right now it's going to be just one (fully stacked though) rack, but there's a possibility that we'll grow into the second one in a couple of years, so this should also be taken into account.

    Disclaimer - I've never done network architecture before. Please tell me if I'm missing something obvious for a weathered NOC or just doing everything completely wrong...

    Given:

    • We decided from the start that it's gonna be a 25G network. We're not going to split IP and storage (CEPH) traffic with different switches and rather do it with QoS on a switch with more throughput.
    • There will be a dedicated copper 1G switch fabric for PXE, management and IPMI purposes - just so you know.
    • New servers have 25G cards, but we'll have to reuse a couple of old ones with 10G only.
    • About 90 10G/25G server ports in the rack. Does this qualify as high density?
    • There should be a clear path for expansion into the second rack in the same DC by L2.

    Right now we're thinking about purchasing two 32x100G switches (Cisco C3132C-Z or Arista 7050CX3-32S). It's roughly twice the number of ports we need for a single rack, but it enables a very simple path for an expansion into the second rack - just toss a couple of MPO cables into a breakout patch panel in the second rack.

    So my questions are:

    • Does this all make sense to you guys? Or are your eyes bleeding already? :)
    • Should I look into other vendors than Cisco and Arista? If yes, then what particular models?
    • Is there a more elegant solution for this (rather simple, I think) case?

    submitted by /u/nailus_wylde

    How am I supposed to troubleshoot this?

    Posted: 06 Feb 2020 03:09 PM PST

    Hey all, got a weird one.

    We have 3 offices, all with Palo Altos, all with the exact same configurations minus the actual outside interface public IPs. The only real difference being the models at each office due to their size. One office has HA 3220s, another office has an 850, and the last one has an 820. Each of these offices has ~15 site-to-site VPN connections with the same AWS accounts.

    I have an AWS account that is designated for network monitoring and IT supporting resources; a network monitoring server in that account sends an ICMP request once a minute as an uptime monitor, and SNMP requests every few seconds for system and bandwidth usage information. The VPN connection to this account is extremely important to have high levels of uptime, as we have other servers in that account that support critical authentication infrastructure.

    One of the offices, the one with the 850, has been experiencing disconnects to this AWS account at least once a day, at random times, lasting anywhere from 3 minutes to 2 hours. There are no real errors on the firewalls aside from seeing the first policy based route turn itself off followed very shortly by the second route turning itself off due to the route monitors both failing, we also see the two tunnels that support this connection "collapse" but there is no real error giving a reason aside from a lost connection. An interesting note, the rest of the AWS tunnels all seem to be up during these outages, but in my log searches I'm seeing those tunnels also go down in similar random fashion, but again, this is only happening on the 850. AWS unfortunately offers almost nothing in terms of logs for its networking, so there isn't anything to be seen there.

    I've logged into servers inside that account during an outage and have been unable to ping back to the office with the 850, and vice versa office to AWS account resources with no successful responses. I've also run a tcpdump on both ends to see if traffic is making it there but failing to return, but the servers running tcpdump don't see any incoming ICMP traffic while testing. During the outages I'm able to connect to the 850's remote access VPN and look at logs, so it doesn't seem to be a hardware issue (data plane/management plane reset or anything like that). The tunnels from the 850 to the other offices also remain up. I've rebooted the Palo, recreated the configuration on the Palo for the tunnels, and deleted and recreated the AWS configuration for the tunnels with our IaC tool and then reconfigured again on the Palo. We do have a Cisco ASA at another office using BGP for its routing to the same AWS accounts, but I've verified that it's not advertising any routes to the office with the 850 that might be getting picked up on the AWS side. I've verified the Palo and AWS configurations 20 times now; everything is the same on both ends as other connections that have been stable for years.

    The 850 in that office is brand new, my next step is to contact Palo support to have them dig through logs, maybe they can find something I missed. Then I'm planning to contact AWS support to have them look through their virtual firewall logs of the firewalls I'm connected to. After that though, the only thing I can think of would be the office's ISP, though I doubt they will be much help, they'll likely ping their gateway and tell me everything is good.

    I kind of know my stuff when it comes to networking, but I'm no CCNP or CCIE, so I'm hoping someone may be able to lend some other suggestions or avenues that I can explore. Could this be a backbone routing issue? This is seeming like some ISP infrastructure or Palo hardware issue at this point.

    Really appreciate any help in advance and I'm happy to answer any more questions to give more information.

    submitted by /u/BooBooMaGooBoo

    Google Maps style mapping software

    Posted: 06 Feb 2020 07:34 AM PST

    Is there any software I can use to create a network map with the following:

    • When you zoom out, you get a general picture/backbone. Zoom in on something, get specifics and local topologies.
    • Have different layers (VLANs and where they span, physical cables, L3 coverage)

    submitted by /u/sakishrist

    Catalyst 9500 Stackwise Virtual

    Posted: 06 Feb 2020 09:40 AM PST

    This is a newish feature on a newish switch platform which always makes my hair stand up.

    Is anybody using this yet? Is it scary? How has Stackwise Virtual behaved on the 9400s, since they've had this feature for longer?

    submitted by /u/LickingCats

    SSH From Cisco Router - [Connection to x.x.x.x aborted: error status 0]

    Posted: 06 Feb 2020 12:52 PM PST

    When trying to SSH from a Cisco router to some other devices at times I get this message relating to SSH algorithms:

    [Connection to x.x.x.x aborted: error status 0]

    In the syslog of the router there will be this corresponding entry:

    %SSH-3-NO_MATCH: No matching hostkey algorithm found: client ssh-rsa server ssh-dss

    I have searched and searched to try to find something that I can change to overcome this but I can't find anything. I have seen this post on the Cisco forums:

    https://community.cisco.com/t5/other-network-architecture/ssh-3-no-match-no-matching-hostkey-algorithm-found/td-p/2480460

    That seems to only indicate that the server (device being SSHed in to) needs to use something compatible with no way to simply configure the Cisco Router to relax this requirement.

    Does anyone have any suggestions?

    submitted by /u/tbonejackson81
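    The %SSH-3-NO_MATCH line quoted above is the visible result of the SSH hostkey negotiation finding no algorithm both sides support. As an added example (not from the post or from Cisco), here is that negotiation rule together with a parser that turns such syslog lines into findings; the first sample line is the one quoted above, while the other two sample lines and the optional word "algorithm" in the pattern are assumptions.

```python
"""Added example, not from the original post or from Cisco: the RFC 4253
s7.1 hostkey negotiation that fails behind %SSH-3-NO_MATCH, plus a parser
that turns such syslog lines into findings for the device owner."""
import re
from typing import Any, Dict, List, Optional

# Hostkey algorithms a server should no longer offer: ssh-dss is 1024-bit
# DSA with SHA-1 (off by default since OpenSSH 7.0); ssh-rsa is RSA with
# SHA-1 (off by default since OpenSSH 8.8; rsa-sha2-256/512 reuse the key).
WEAK_HOSTKEY_ALGS = {"ssh-dss", "ssh-rsa"}


def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 s7.1: the chosen algorithm is the first entry of the
    client's preference-ordered name-list that the server also lists.
    None means the connection is aborted ('error status 0' here)."""
    offered = set(server)
    for alg in client:
        if alg in offered:
            return alg
    return None


# Message format as quoted in the post.  The optional word 'algorithm'
# is an assumption so the pattern also fits the cipher/MAC variants of
# this message; name-lists may be comma-separated.
_NO_MATCH = re.compile(
    r"%SSH-3-NO_MATCH: No matching (?P<kind>\w+)(?: algorithm)? found: "
    r"client (?P<client>[\w@.,-]+) server (?P<server>[\w@.,-]+)"
)


def parse_no_match(line: str) -> Optional[Dict[str, Any]]:
    """Kind, both name-lists and the negotiation result for one
    %SSH-3-NO_MATCH line; None for any other syslog line."""
    m = _NO_MATCH.search(line)
    if not m:
        return None
    client = m.group("client").split(",")
    server = m.group("server").split(",")
    return {
        "kind": m.group("kind"),
        "client": client,
        "server": server,
        "negotiated": negotiate(client, server),
        "server_offers_weak": sorted(set(server) & WEAK_HOSTKEY_ALGS),
    }


def triage(lines: List[str]) -> List[str]:
    """One finding per NO_MATCH line.  The fix belongs on the server:
    add a hostkey type the client accepts (RSA with SHA-2, Ed25519)
    rather than teaching the client to accept ssh-dss."""
    findings = []
    for line in lines:
        info = parse_no_match(line)
        if info is None:
            continue
        weak = ", ".join(info["server_offers_weak"]) or "none"
        findings.append(
            f"{info['kind']}: client offers {','.join(info['client'])}, "
            f"server offers {','.join(info['server'])}, negotiated "
            f"{info['negotiated']}; weak on server side: {weak}"
        )
    return findings


# Constructed sample: the first line is the one quoted in the post, the
# second an unrelated IOS message, the third a client that only accepts
# modern hostkey types.
SAMPLE_SYSLOG = [
    "%SSH-3-NO_MATCH: No matching hostkey algorithm found: "
    "client ssh-rsa server ssh-dss",
    "%SYS-5-CONFIG_I: Configured from console by vty0",
    "%SSH-3-NO_MATCH: No matching hostkey algorithm found: "
    "client ssh-ed25519,rsa-sha2-512 server ssh-rsa,ssh-dss",
]
```

    Run triage(SAMPLE_SYSLOG) to get one finding per mismatch; the unrelated line is skipped.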

    Trunk port issues

    Posted: 06 Feb 2020 12:20 PM PST

    Hello all, a few weeks ago I was having issues making the leap from Cisco to Juniper as far as VLANs are concerned, and I've made some definitive progress, but I'm still running into one major issue that's making my whole setup work. As of right now, I cannot get my trunk port to route VLANs using RVIs (this is an EX2200 switch, by the way).

    I have two switches, both with 2 VLANs on them, VLANs 10 and 20. I have these assigned to ports 1 and 2 respectively. I have port 23 on both switches as my trunk port, with members v20 and v10 assigned to it. When I am using no RVIs, I can ping across the trunk from ports in the same VLAN (2 to 2 or 1 to 1), and when I implement the RVIs and IP addresses on my VLANs, I can ping inter-VLAN on the same switch. The problem I am hitting is now going back ACROSS the trunk port. I can't ping devices in the same VLAN or inter-VLAN at all.

    Currently, I have on SW1 v10 as 172.23.11.1, and v20 as 10.10.10.1, and on SW2 v10 as 172.23.11.2 and v20 as 10.1.10.2.

    I have one host as 10.10.10.100, and one as 172.23.11.100, and have the default gateway set to whatever VLAN IP address it is plugged into per switch (so 172.x.x.1 on sw1 or 172.x.x.2 on sw2). I am getting destination host unreachable when I try to ping across the trunk, and the documentation online has been essentially no help. What am I missing here? Do I need to create an IP route on the switch to know to go through port ge-0/0/23 to send IP traffic?

    submitted by /u/Sauronsbrowneye
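    Before chasing routes, it is worth checking that the addressing in a setup like the one above is self-consistent: the RVIs for one VLAN on both switches must share a subnet, and each host's gateway must be the RVI of the switch it hangs off. As an added example (not from the post or from Juniper), this check uses the switch names, VLAN ids and addresses given above; the /24 prefix lengths, which switch each host is plugged into, and the third, constructed host are assumptions.

```python
"""Added example, not from the original post or from Juniper: an
addressing-consistency check for the RVIs and hosts described above.
The post gives no prefix lengths, so /24 everywhere is an assumption;
which switch each host hangs off is also assumed."""
from ipaddress import ip_address, ip_interface
from typing import Dict, List, Tuple

# Per-switch RVI addresses as listed in the post, with the assumed /24.
RVIS: Dict[str, Dict[int, str]] = {
    "SW1": {10: "172.23.11.1/24", 20: "10.10.10.1/24"},
    "SW2": {10: "172.23.11.2/24", 20: "10.1.10.2/24"},
}

# (host address, VLAN, switch it is plugged into, configured gateway).
# The first two are the post's hosts; the third is constructed to show
# a host whose gateway is not the RVI of the switch it sits on.
HOSTS: List[Tuple[str, int, str, str]] = [
    ("10.10.10.100/24", 20, "SW1", "10.10.10.1"),
    ("172.23.11.100/24", 10, "SW2", "172.23.11.2"),
    ("10.10.10.101/24", 20, "SW2", "10.10.10.1"),
]


def check_rvi_consistency(rvis: Dict[str, Dict[int, str]]) -> List[str]:
    """Flag VLANs whose RVIs on different switches sit in different
    subnets.  The trunk still carries the VLAN at L2, but the two
    switches then route for two different L3 networks."""
    problems = []
    vlans = sorted({v for per_sw in rvis.values() for v in per_sw})
    for vlan in vlans:
        nets = {}
        for sw, per_sw in sorted(rvis.items()):
            if vlan not in per_sw:
                problems.append(f"VLAN {vlan}: no RVI on {sw}")
                continue
            nets[sw] = ip_interface(per_sw[vlan]).network
        if len(set(nets.values())) > 1:
            where = ", ".join(f"{sw}={net}" for sw, net in nets.items())
            problems.append(f"VLAN {vlan}: RVIs in different subnets ({where})")
    return problems


def check_hosts(rvis: Dict[str, Dict[int, str]],
                hosts: List[Tuple[str, int, str, str]]) -> List[str]:
    """Each host's gateway must be inside its own subnet and must be
    the RVI of its VLAN on the switch it is plugged into."""
    problems = []
    for addr, vlan, sw, gw in hosts:
        host = ip_interface(addr)
        rvi = ip_interface(rvis[sw][vlan])
        if ip_address(gw) not in host.network:
            problems.append(f"{host.ip}: gateway {gw} outside {host.network}")
        elif ip_address(gw) != rvi.ip:
            problems.append(
                f"{host.ip}: gateway {gw} is not the VLAN {vlan} RVI on {sw} ({rvi.ip})"
            )
    return problems


if __name__ == "__main__":
    for p in check_rvi_consistency(RVIS) + check_hosts(RVIS, HOSTS):
        print(p)
```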

    Question about TCP duplicate acknowledgements, even when pings turn out excellent

    Posted: 06 Feb 2020 10:57 AM PST

    I'm working a trouble ticket to see why a Windows 2016 server is experiencing extreme slowness when downloading updates from Microsoft. It often takes 10-12 hours to download a 1.5GB file. The server is at a different site and takes a path through a 1GB link. Congestion on the 1GB link rarely exceeds 65%. None of the interfaces on any devices in the traceroute from my PC to the server showed a significant amount of errors. Pings to the Internet from the first router past a firewall at the other site turned out excellent. Same goes for pings from my PC to the server.

    I have done a Wireshark capture on the server and a large number of TCP duplicate acknowledgements, fast retransmissions, and "previous segment not captured" have been found. So is the case from a packet capture on a Palo Alto firewall that is the first layer 3 hop for the server. I do not have access to the firewall. The server is connected to a Nexus 5596 switch and no other users with devices in the same data center are connected. The TCP window size is 65535. The server cannot ping any destinations outside the corporate network. Has anyone seen a similar issue before and what did the solution involve?

    submitted by /u/corehazard

    Multiple VLAN tagging with VOIP VLAN

    Posted: 06 Feb 2020 10:45 AM PST

    Not sure if my title even reads correct as I'm having a hard time finding any information on what I'm trying to do.

    Old building - single cables to desks - currently running VoIP and Data over one line.

    My IT team does a lot of testing over different VLANs - testing firewall rules, administrative VLAN, etc.

    We run virtual machines and you can tag the port to a different VLAN in Hyper-V/VMware. Should be seamless and done on the fly. I would like to have multiple data VLANs on the same port so we can tag the virtual machine and be on a different subnet/VLAN.

    Currently, we run Extreme edge switches and have Avaya phones. Removing the VoIP VLAN and having the switch port only configured for multiple networks, tagging the VM works fine. Once the VoIP phone is in the mix, it seems like it doesn't work.

    Is it possible for VoIP phones to pass VLAN traffic?

    submitted by /u/down2hax
