Cisco CDP Vulnerabilities - Networking
- Cisco CDP Vulnerabilities
- 2x100G Data Center Interconnects
- Converting L2 networks to L3 with VLANs, guidance request.
- Port Channel Load Balance Algorithm Change
- Meraki Wireless - Clients associated but often completely lose network connectivity
- EoMPLS Vs wave
- MLS QoS Output - Outdiscards
- TextFSM - Parsing of "show interfaces counter errors"
- What do I lose doing MPLS/routing on a L3 switch vs a fully fledged router?
- summary-address 0.0.0.0 and Null0 question
- How can I generate iOS 13 ‘Available Wi-Fi Network’ prompt on my network.
- Assistance with IPv6 Network
- Fiber termination Question
- Load Balancing 2 ISPs 1 Router - Not auto switching between Nat Pool/Overload...?
- Automating Nexus Switch Configuration
- Cisco 9400 - Link Flaps/Drops getting logs and alarms
- SFP and port speed interplay (Layer 1 question)
- What's the most horrific flat network you've seen in real life?
- Migrating from Cisco vWLC to vWLC
- WatchGuard M400 Mobile IKEv2 with RADIUS: Fun and Adventure
- IOS XE ASR1001-X Ansible/Netconf identityref error
- NAT Question: External IP to Internal IP confusion
- Suggestions for standard 48U rack build / correct placement of rack mounted devices?
Cisco CDP Vulnerabilities
Posted: 05 Feb 2020 09:21 AM PST

A few to work through for us at least... https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-nxos-cdp-rce
2x100G Data Center Interconnects
Posted: 05 Feb 2020 04:40 AM PST

Toying with the idea of purchasing 2x100G circuits between our data centers to use for multiple various circuits that connect in different places in the network and have different requirements. Thinking to land the 2x100G circuits to a pair of switches and then provision 10/25G ports off of those switches for different "circuits". Think of a poor man's WAN. There are a couple of ways I can think of achieving what I'm looking for. Looking for other ideas or suggestions. Maybe it would be best to actually run some ONS if we want to do such a design. Any other ideas for more of a poor man's WAN, aside from just purchasing individual 10G circuits when the need arises?

- Simple VLANs - obvious spanning tree, blocking, wasted bandwidth
- MPLS L2VPN - seems overly complex for the need
- EVC
Converting L2 networks to L3 with VLANs, guidance request.
Posted: 05 Feb 2020 02:11 PM PST

I need some help with designing a L3 network with VLANs.

Background: Currently all of our networks are L2. This company has about 30 sites all set up the same way. At the root/core of each site's network there is a Cisco 1900 series. It's set up with multiple /25 networks on it. There is a DHCP pool for each of them, with exclusions. DNS is set to point at our data center hub site, which really isn't any different than the sites, other than the servers we have running at it. Internally the core Cisco switch connects to other Cisco switches. Externally the core Cisco switch connects to an SDWAN box that connects to the internet and all of our other sites. There is one static route on each core Cisco switch. It sends all traffic out to the SDWAN box: 0.0.0.0 192.168.250.50 (SDWAN box IP). The SDWAN system was designed by a third party before my time.

Request: My boss has asked me what is needed to change everything (one site at a time) to L3. He is wanting to separate various networks, specifically VLANs to segregate guest wireless network traffic from everything else. But having security cameras on their own VLAN would be nice as well. I've done plenty of work under L2 and L3 environments and I think I understand the difference, at least by definition. I don't know how to do this transition, what it's supposed to look like, or even if it's possible. I know I'll need to work with the SDWAN vendors to get the VLAN stuff figured out within the SDWAN. But I'm not even sure about best practices of setting up VLANs at each site. Is there anyone who can give me a push in a good direction?
Port Channel Load Balance Algorithm Change
Posted: 05 Feb 2020 08:50 AM PST

We're changing from src-dst IP to src-dst ip/l4-port. Due to somewhat understandable trepidation, we're being required to verify this will have no impact on traffic before we can try it in our lower environments. I've searched Cisco documents and can't find anything about the impact. Has anybody made this change in production/test environments? Was traffic impacted? Was it severe, short, etc?

Edit: As a heads up in the event you ever have to do this, Cisco TAC says it should only apply to new connections. The old connections will just continue on the same links they were already on until it's time to close the connection.
Meraki Wireless - Clients associated but often completely lose network connectivity
Posted: 05 Feb 2020 10:14 AM PST

We have been experiencing an issue primarily with Android phones that will randomly lose network connectivity but will still be associated to an AP. The client will appear as connected with no internet access. This typically happens 2-4 times per day. The only fix is to disable/enable wifi on the client device and it will connect back fine. Some additional notes

Has anyone experienced any similar issue or have any tips for troubleshooting an issue like this?
EoMPLS Vs wave
Posted: 05 Feb 2020 11:31 AM PST

We have 2 x 10gb waves between DCs physically located about 3 miles apart. Contract renewal is due soon, so as is expected we have contacted a few other providers to see what they can offer us in terms of service/pricing. One has come back and said they can offer us EoMPLS instead, but I'm not sure what difference this service would provide to us and what pros and cons each would have. We go directly into a router at both sites, no switching beforehand. If we were offered EoMPLS at half the price of wave, is there anything which would put you off?
MLS QoS Output - Outdiscards
Posted: 05 Feb 2020 09:20 AM PST

My QoS isn't as strong as I'd like, hoping to run something by you folks.

::Question::
Interface X is showing high outdiscards. (The number itself needs to be taken with a grain of salt, the counters have never been cleared. Assume that the rate of discards has increased though.) As far as I understand it, the only outgoing traffic being dropped on this interface is via dscp:8//cos:1. The queue-set 2 config for queue 4 threshold 1 is already at 100, with threshold 2 being the same metric. Does it even matter which threshold it's in, in this case? Isn't it going to drop everything at threshold 1, since it's set to 100%? Would increasing the srr-queue bandwidth for queue 4 and/or increasing the threshold value for queue 4 threshold 1 make sense in this scenario?

::Configuration::
(Apologies if the tables are a bit hard to read.)

  srr-queue bandwidth share 1 30 35 5
  queue-set 2
  priority-queue out

  Queueset: 2
  Queue     :       1       2       3       4
  ----------------------------------------------
  buffers   :      25      25      25      25
  threshold1:     100     200     100     100
  threshold2:     100     200     100     100
  reserved  :      50      50      50      50
  maximum   :     400     400     400     400

  Interface X output queues dropped:
    queue:    threshold1   threshold2   threshold3
    -----------------------------------------------
    queue 0:           0            0            0
    queue 1:           0            0            0
    queue 2:           0            0            0
    queue 3:  2559241764            0            0

(Most of the dscp:outgoing table is omitted because there is no outgoing traffic on 9, 11, 13, or 15, and extremely little on 10, 12 and 14.)

  dscp: outgoing
  -------------------------------
    5 -  9 :          0          0          0 3133283567          0

  mls qos srr-queue output dscp-map queue 4 threshold 1  8 9 11 13 15
  mls qos srr-queue output dscp-map queue 4 threshold 2  10 12 14
TextFSM - Parsing of "show interfaces counter errors"
Posted: 05 Feb 2020 07:03 AM PST

Hi all, I'm quite new to TextFSM, and I'm trying to parse the output of the command "show interface counters errors". Here is a sample output of the command:

What I would like is this output when I parse the data:

The first template I wrote is this one:

However, the output is not right:

I found a post on the forum giving a solution in pure Regex: TextFSM logic - Avoid capturing same data twice. When I adapt it to my needs, I have a match for what I need: https://regex101.com/r/DY0Meb/6

However, I'm unable to translate it into a TextFSM template, it fails. Here is my template:

Any clues about how I can get the desired output? Any help would be very welcome :). Thanks in advance!
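An added example (not from the post, its linked thread, or the TextFSM project): the "same data captured twice" problem comes from the command printing several sections, each with its own header row and each repeating every port, so a template that records per line yields one row per port per section. This pure-Python parser keys rows on the port name and merges the columns of every section into one record per port. The sample output is constructed here in the Catalyst layout; the counter values are made up.

```python
import re
from typing import Dict, List

# Constructed sample laid out like Catalyst "show interfaces counters errors":
# two sections, each with its own header row, and every port repeated in each.
# All counter values are made up.
SAMPLE_OUTPUT = """\
Port        Align-Err    FCS-Err   Xmit-Err    Rcv-Err  UnderSize  OutDiscards
Gi1/0/1             0          0          0          0          0            0
Gi1/0/2             0         12          0         12          0         3301
Gi1/0/3             0          0          0          0          0            0

Port      Single-Col  Multi-Col   Late-Col  Excess-Col  Carri-Sen      Runts     Giants
Gi1/0/1            0          0          0          0          0          0          0
Gi1/0/2            0          0          0          0          0          7          0
Gi1/0/3            0          0          0          0          0          0          0
"""

# A header row starts with "Port" and names the columns of the section that follows.
HEADER_RE = re.compile(r"^Port\s+(.+)$")
# A data row is a port name followed only by integer counters.
ROW_RE = re.compile(r"^(\S+)\s+((?:\d+\s*)+)$")


def parse_counters_errors(text: str) -> Dict[str, Dict[str, int]]:
    """Return {port: {counter_name: value}} with every section merged.

    Each header row resets the active column list; each data row is merged
    into the record for its port instead of emitted as a new row, which is
    what keeps one port from appearing once per section.
    """
    ports: Dict[str, Dict[str, int]] = {}
    columns: List[str] = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            columns = header.group(1).split()
            continue
        row = ROW_RE.match(line)
        if not row or not columns:
            continue  # banner text or a row before any header: skip it
        port = row.group(1)
        values = [int(v) for v in row.group(2).split()]
        if len(values) != len(columns):
            raise ValueError(f"column count mismatch on line: {line!r}")
        ports.setdefault(port, {}).update(zip(columns, values))
    return ports


def ports_with_errors(counters: Dict[str, Dict[str, int]]) -> List[str]:
    """Ports with any non-zero counter, sorted, for a quick health check."""
    return sorted(port for port, c in counters.items() if any(c.values()))


if __name__ == "__main__":
    parsed = parse_counters_errors(SAMPLE_OUTPUT)
    for port, counters in parsed.items():
        print(port, counters)
    print("ports with errors:", ports_with_errors(parsed))
```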
What do I lose doing MPLS/routing on a L3 switch vs a fully fledged router?
Posted: 05 Feb 2020 01:51 AM PST

I'm looking for some advice. We have a private MPLS network built using point to point links. Routers are Cisco ISR 4000 series. All links are currently <1Gb. I have a requirement to uplift this to 10Gb. Our standard is to go ASRs or ISRs. If I want >3 x 10Gb ports I would essentially be forced to get ASR 1001-HX if I want to continue using routers. My question is: what is the main thing that would stop you doing MPLS on a Cisco Cat 9k? It has the port density I need, the throughput, does vpnv4 and MPLS. But I need to have the justification as to why we need routers vs L3 switches... What's the general gap between them here?
summary-address 0.0.0.0 and Null0 question
Posted: 05 Feb 2020 01:29 PM PST

Guys, this is probably a dumb question but I'm unsure. I have an EIGRP network, and I am trying to advertise a summary 0.0.0.0/0 route to a stub neighbor. I use the summary-address interface command. This gets installed in the routing table:

I understand this is a loop prevention feature. I understand it's harmless when there are more specific routes in the table. Unfortunately, this router is learning a valid 0.0.0.0/0 from upstream:

The Null0 route gets preferred, so legitimate traffic gets black-holed. What is best practice in this case?
How can I generate iOS 13 'Available Wi-Fi Network' prompt on my network.
Posted: 05 Feb 2020 03:13 PM PST

iOS 13 shipped with a new feature that some people love, some people hate. Either way it can be a useful feature depending on circumstance. I have no idea what prompts this notification on iOS, and don't seem to be able to find any Apple documentation that shows requirements. I have a bunch of 'open' public networks, some with landing pages, some without. None of which generate this pop up! Is there a specific network requirement to generate this? Or is it some scary background Apple data process?
Assistance with IPv6 Network
Posted: 05 Feb 2020 02:29 PM PST

I am building a separate IPv6 network for our devs, but am having some issues with setting it up. Our ISP is providing us a delegated prefix of 2603:300b:19:9a00::/56. The modem is configured to hand out addresses via DHCP, where my Linksys LRT214 has received an address within that range for the WAN interface, but with a prefix length of /64. The router has IPv4 disabled, but is able to reach the internet via ICMPv6. Additionally, I removed the router and plugged my laptop directly into the modem with the same results of receiving a 2603 address, and able to surf the web with IPv4 disabled. The issue is the laptop, when behind the Linksys, is unable to reach the internet. I've set up DHCPv6 on the Linksys with a range of fc00::100 to fc00:17f. My laptop receives 3 of these addresses, but cannot reach the internet. I've tried setting a static address on the laptop within the 2603 range while behind the router, which also did not work. Am I missing something? Since ULA addresses do not route on the internet, does there need to be some sort of IPv6 NAT setting?
Fiber termination Question
Posted: 05 Feb 2020 10:03 AM PST

The company we normally get to run wiring were unavailable. So I attempted to figure out how to run and terminate fiber myself. Never actually worked hands on with it before. Not having any luck. The switch seems to accept the SFP. Are there any issues with the items below working together, or is it more likely I'm failing the termination?

- HP 2530-48g
- J4858C - HP ProCurve Gigabit-SX-LC Mini-GBIC
- Fiber AFL LC 62.5/125 Multimode OM1 FASTConnect Fiber Connector
Load Balancing 2 ISPs 1 Router - Not auto switching between Nat Pool/Overload...?
Posted: 05 Feb 2020 01:36 PM PST

Alright so I am going to make this quick. I am attempting to load balance 2 ISPs with a unique NAT pool set for both. However, it will not auto balance. If ISP 1 drops, it will not move the traffic to ISP 2 unless the IP NAT overload for ISP 1 is removed (third line in the config I pasted). Once I remove the overload on the first pool, ISP 2 works perfectly. My first thought is that I need to set a priority on the overload so it knows to try the next in line but, it didn't seem to matter when I tried... My second thought is that I am missing something and I am wording it incorrectly on a Google search.

  ip nat pool NAT_Pool X.X.X.X X.X.X.X netmask X.X.X.X                 (ISP 1)
  ip nat pool NAT_Pool2 X.X.X.X X.X.X.X netmask X.X.X.X                (ISP 2)
  ip nat inside source route-map SDM_RMAP_1 pool NAT_Pool overload     (ISP 1)
  ip nat inside source route-map SDM_RMAP_2 pool NAT_Pool2 overload    (ISP 2)
  ip route 0.0.0.0 0.0.0.0 ISP 1
  ip route 0.0.0.0 0.0.0.0 ISP 2
  route-map SDM_RMAP_1 permit 1
   match ip address 150
  route-map SDM_RMAP_2 permit 1
   match ip address 155
  (tried to add "set ip next-hop" to these but no change)
  access-list 150 remark Test
  access-list 150 permit ip ISP 1 any
  access-list 150 deny ip ISP 2 any
  access-list 150 remark Test
  access-list 155 permit ip ISP 2 any
  access-list 155 deny ip ISP 1 any

Any thoughts as to why this won't auto load balance? I tried to make this less personalized so I removed everything pertaining to our info. I also did not include the outside-in and inside-out access lists because, at this point, I have removed them and just made them permit ip any any. I have spent the time to make them but there is no difference with or without them. For now, I am leaving them out to keep it simple.

EDIT: This is resolved. See my comment below for the answer.
Automating Nexus Switch Configuration
Posted: 05 Feb 2020 09:32 AM PST

Any pointers on getting started with pushing configurations to Nexus switches? I am currently standing up 6 Nexus 9000 switches which will soon be 14, and I'd rather not manually configure each one individually. Through googling I get the PoAP process as far as the DHCP boot process and pointing to a TFTP server. What I am falling short of is what a configuration file looks like. Do I just configure one on a device, save it out as a template, then modify for subsequent switches? How do I tell each switch to get its unique config file? Is there a way to point them to their config files by MAC address, or maybe there is a better way to tell them which file to get?
Cisco 9400 - Link Flaps/Drops getting logs and alarms
Posted: 05 Feb 2020 04:03 PM PST

I configured logging on a new Cisco 9410 v 16.9 precisely like the Cisco 4510 switch. Hundreds of PCs, printers, etc. which on a daily basis turn off and on, SCCM maintenance updates, blah blah blah? It makes sense not to get these logs locally and on Prime. If not, my poor Cisco Prime server would've been fried. Not sure why I'm getting logs sent to my switch and Prime if I have it identical to the rest of my 4500s? Is there a different behavior on the 9400 for logging? 0-7? Something missing?

Cisco 9410
  Feb 5 11:31:15.105: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/10, changed state to up
  Feb 5 11:31:15.607: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/14, changed state to up
  Feb 5 11:31:16.104: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/10, changed state to up
  Feb 5 11:31:16.352: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/24, changed state to up
  Feb 5 11:31:17.351: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/24, changed state to up
  Feb 5 11:31:18.512: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/19, changed state to up
  Feb 5 11:31:19.412: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/29, changed state to up
  Feb 5 11:31:19.512: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/19, changed state to up
  Feb 5 11:31:20.412: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/29, changed state to up

Cisco 4500
  Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
  No Active Message Discriminator.
  No Inactive Message Discriminator.
  No active filter modules.

Cisco 4500 is not generating any logs or Prime alarms even though you see flaps.

  DTP information for GigabitEthernet1/0/24:
    TOS/TAS/TNS: ACCESS/OFF/ACCESS
    TOT/TAT/TNT: 802.1Q/802.1Q/802.1Q
    Neighbor address 1: 000000000000
    Neighbor address 2: 000000000000
    Hello timer expiration (sec/state): never/STOPPED
    Access timer expiration (sec/state): never/STOPPED
    Negotiation timer expiration (sec/state): never/STOPPED
    Multidrop timer expiration (sec/state): never/STOPPED
    FSM state: S1:OFF
    # times multi & trunk 0
    Enabled: no
    In STP: no

  Statistics
    0 packets received (0 good)
    0 packets dropped
    0 packets output (0 good)
    0 output errors
    0 trunk timeouts
    0 link ups
    119 link downs, last link down on Wed Feb 05 2020, 06:30:57
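An added example (not from the post): a small Python check over lines in the %LINK-3-UPDOWN format quoted above that groups physical link transitions per interface and flags the ones that change state repeatedly inside a short window, which separates a genuinely flapping port (bad cable, SFP, or dying NIC) from a user PC that is simply powered off each evening. The first two pairs of sample lines reuse the post's format; the later down/up repeats for Gi1/0/10 are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Sample log in the IOS XE format quoted in the post. The up lines for
# Gi1/0/10 and Gi3/0/24 mirror the post; the later down/up repeats for
# Gi1/0/10 are constructed to show what a flapping port looks like.
SAMPLE_LOG = """\
Feb  5 11:31:15.105: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/10, changed state to up
Feb  5 11:31:16.104: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/10, changed state to up
Feb  5 11:31:16.352: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/24, changed state to up
Feb  5 11:31:17.351: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/24, changed state to up
Feb  5 11:31:40.210: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/10, changed state to down
Feb  5 11:31:52.300: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/10, changed state to up
Feb  5 11:32:05.900: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/10, changed state to down
Feb  5 11:32:20.010: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/10, changed state to up
"""

# Only physical link transitions (%LINK-3-UPDOWN) are counted; the %LINEPROTO
# line that follows each one would otherwise double-count every change.
LINK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\.\d+: "
    r"%LINK-3-UPDOWN: Interface (?P<intf>\S+), changed state to (?P<state>up|down)$"
)

Event = Tuple[datetime, str, str]  # (timestamp, interface, "up" or "down")


def parse_link_events(text: str, year: int = 2020) -> List[Event]:
    """Extract (timestamp, interface, state) from %LINK-3-UPDOWN lines.

    IOS timestamps carry no year, so the caller supplies one; the default
    of 2020 is an assumption matching the post's date.
    """
    events: List[Event] = []
    for line in text.splitlines():
        m = LINK_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["intf"], m["state"]))
    return events


def flapping_interfaces(events: List[Event], window_s: int = 120,
                        min_changes: int = 3) -> Dict[str, int]:
    """Interfaces with at least min_changes transitions inside any window_s.

    Returns {interface: most transitions seen inside one window}. A PC that
    is switched off overnight yields one down and one up far apart and is
    not reported; a bad cable or SFP yields a burst and is.
    """
    times_by_intf: Dict[str, List[datetime]] = defaultdict(list)
    for ts, intf, _state in sorted(events):
        times_by_intf[intf].append(ts)
    flapping: Dict[str, int] = {}
    for intf, times in times_by_intf.items():
        start, best = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_changes:
            flapping[intf] = best
    return flapping


if __name__ == "__main__":
    evs = parse_link_events(SAMPLE_LOG)
    print(f"{len(evs)} link transitions parsed")
    for intf, n in flapping_interfaces(evs).items():
        print(f"{intf}: {n} transitions within 120 s, investigate")
```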
SFP and port speed interplay (Layer 1 question)
Posted: 05 Feb 2020 03:55 PM PST

I have a 100Gb port with a 40Gb QSFP+ module in the slot. The output on the switch indicates support for partitioning modes of 1x40Gb or 4x10Gb. If I specify 4x10Gb as partitioning mode, but don't use a breakout cable to accomplish "true" 4x10Gb, and instead just connect the fiber directly into the module, will the port function at 10Gb? Or not at all?
What's the most horrific flat network you've seen in real life?
Posted: 05 Feb 2020 03:46 PM PST

Yes, this is for a homework assignment (sort of, it's a graduation project). No, I don't want anyone to do the work for me. Please don't delete.

The capstone/graduation project is preferentially a real project done at your real work. I work for a big bank, change management makes ancient Sparta look liberal and laid back, so that's not happening. Making something up is an option, but they want it to be 'indistinguishable' from a real project in the deliverables you end up with. I know what I want to do: design a campus network from the ground up. For their purposes, it'll be a brownfield deployment replacing a flat, poorly segmented college campus network with a proper hierarchical, modular network just like the

In the interests of keeping things 'real', though... how often are badly designed, mostly layer 2, nightmare networks still a thing you run across anymore? I had something to the vague effect of this simplistic layer 2 ring in mind, with each switch in its own building, a couple VLANs stretched across the campus and IVR done really inefficiently RoaS style from a data center in the campus 'main building' basement. Is that realistic? Ever seen anything like this in real deployment? Ever seen anything worse? What were some of the symptoms of the poor performance you saw on your monitoring tools/complaints from end users if you did? What were some of the consequences you saw in networks like this one/worse than this one?

I can imagine some problems (wasted bandwidth from STP blocking one direction in the ring, poor STP failover time, easily saturating links for inter-VLAN traffic that has to hairpin up to the router and back out, lack of redundancy, etc), but I was interested in hearing about real world experience because my current professional experience is in telephony, not directly in the networking world yet.

Any war stories in this genre anyone would like to share?
Migrating from Cisco vWLC to vWLC
Posted: 05 Feb 2020 07:54 AM PST

Hi ladies and gents, I am a bit lost, but hoping you guys can help at least point me in the right direction. My company is going through upgrading our virtual WLCs to a much larger virtual appliance. This is because we are running 3 vWLCs so we have an N+1 environment. The WLCs can only hold a certain amount of APs, and we can't upgrade them to hold larger amounts. So, we are upgrading and simplifying our set up. We are going to now be running 2 WLCs so we still have the N+1, but now we have 2. This leads me to my question: we would like to literally move the configuration from the old one to the new one. I know we can pull the configuration and edit it, but is there any best practice that I should be aware of? Is there a specific migration process? Are there any pitfalls that I should be aware of?
WatchGuard M400 Mobile IKEv2 with RADIUS: Fun and Adventure
Posted: 05 Feb 2020 11:03 AM PST

This may be helpful to someone down the road, but is mostly just me venting a bit after this shitshow of an issue that shouldn't be able to happen with decent UI design.

So one of our sister sites uses a WatchGuard M400 cluster at the edge, can't be helped at the moment but I wish fire upon it. The adventure of the week was setting up IKEv2 with MFA auth for road warriors to replace the legacy SSL client. Easy enough, right?

So we set up the RADIUS server, everything goes through without complaint. Set up the IKEv2 tunnel parameters, seems to go okay. Attempt to connect, provide username/password, Windows sits there and then complains it can't connect. Double check everything, see the RADIUS request hitting the NPS server properly, but the WatchGuard claims that it's not responding. Packet capture, see the RADIUS requests back and forth, looks perfectly normal. Turn on debug logging for authentication, see some funky entries:

Alright, dig around a little more, double and triple verify that RADIUS config is correct and that NPS is receiving and allowing requests. All checks out. So look more into the source of "rc_pack_list" and "rc_check_reply", find that it's FreeRADIUS. Dig into the code a little bit and find this:

Oh my! Set the RADIUS shared secret to 123123 on both sides, immediately starts working. Thus is proven the value of learning how to interpret debug messages and reading C code or, alternatively, learning to RTFM fully:

Though I would have hoped that the firewall would have complained about the shared secret length in the GUI and not allowed it to be saved. Moral of the story is don't use WatchGuard.
IOS XE ASR1001-X Ansible/Netconf identityref error
Posted: 05 Feb 2020 05:52 AM PST

Hello, I have an ASR1001-X running XE 16.9.4. I am working on an Ansible playbook to make certain configuration changes using NETCONF and YANG. It works just fine against a CSR1000v running 16.9.4, but when I try the ASR1001-X I get the error below. Even trying a simple get-config produces the same error. I can SSH to the command line of the router just fine, and I can also retrieve the capabilities as well. Any ideas?

EDIT: Just to update in case someone else comes across this. It appears to be a problem specifically with the interaction between Ansible and the ASR1001-X on XE 16.9.4. I tried the same XE version on a 1002-HX, ISR4321 and a CSR1000v and none of these have the problem.
NAT Question: External IP to Internal IP confusion
Posted: 05 Feb 2020 11:18 AM PST

So I am poring through the firewall rules of a new client to see what goes where. I came across a rule that's confusing me.

- External IPs owned are x.x.x.98 - 102
- The firewall has one external WAN interface using x.x.x.101
- All internal IP addresses are on the internal network n.n.n.0/24 controlled by the firewall
- The rule I found NATs x.x.x.102 to n.n.n.14

Normally I'd be like ok whatever that's cool, however I can't find n.n.n.14 anywhere on the network. I figured it's probably an old deprecated device. The part that confuses me is this: how can the firewall, which only has an external interface of x.x.x.101, dictate what happens to x.x.x.102?? I've always thought that to do that the firewall would have to have an interface with the IP of x.x.x.102. Am I wrong in this?
Suggestions for standard 48U rack build / correct placement of rack mounted devices?
Posted: 04 Feb 2020 05:07 PM PST

If I'm in the wrong sub please let me know! Looking for a quick suggestion on what to do. I'm putting in a 48U rack that will go in a new server closet this weekend. It is open, no doors or sides or anything. Room will be locked at all times. I just was looking for suggestions as far as where to mount this equipment, in what order, spacing, etc, possibly from someone who mounts this stuff all the time. I don't want to have to move it again later! The rack will accommodate the following:

- 1 x Ubiquiti USG-4 (1U)
- 1 x Ubiquiti Cloud Key Gen 2 (with rack mount kit, 1U)
- 1 x 48-Port Ubiquiti PoE switch (750W, 1U)
- 1 x 48-Port Ubiquiti switch (1U)
- 1 x HP Blade server (PBX, 2U)
- 1 x HP Blade server (1U)
- 1 x HP Tower server (on shelf, sideways maybe? ML310 Gen8 v2, 4U if sideways I think)
- 1 x Comcast Gateway Modem (on shelf, sideways, 2U I think)
- 1 x Adtran Router from telecom company (1U)
- 1 x Battery Backup UPS (2U)
- 1 x Power Distribution Unit (1U)

That's it. The problem is that the patch panels for about 130 CAT6 drops were punched down into a wall mounted rack that's about 6' off the ground. It is on the right hand side wall all the way at the back, sticking out from the wall right near the back wall; it sticks out about 1'. The wiring guys had to mount it to something while we were waiting for floors to be put in the office so I can build the rack. The server room is relatively small, probably 4' wide max by about 6' deep. Because the patch panels are already mounted on the back right hand side wall, there is enough room for the rack to slide in to the left of it, however I will have to run like 5' or 6' network patch cables from the mounted patch panels through the back of this rack into my switches. Do I mount the switches on the back side of the rack facing the back wall?

This makes for easier patch cable management/shorter cables, etc, but will be a pain for me to see anything at a glance and get to in the future. Also, do I mount my servers starting at the bottom (right on top of the UPS)? Do I put 1U spaces between these devices? Does the power distribution unit go in the middle? Bottom? If anyone can throw me some quick advice to make things easy for me in the future to work on, that would be great. I will purchase any shelves I need prior to installation.

EDIT: Thank you all for the excellent advice. This is exactly what I was looking for. Appreciate it! I'll post a pic later whenever this floor gets done so I can put it in. Thanks!
You are subscribed to email updates from Enterprise Networking news, blogs and discussion.