
    Friday, February 28, 2020

    Different native VLANS on separate trunk links Networking

    Different native VLANS on separate trunk links

    Posted: 28 Feb 2020 11:50 AM PST

    Hi guys, so I'm studying for my CCNA, and in addition will soon be assisting in configuring some Cisco switches in my workplace, and find myself stuck a little bit on a concept regarding VLANs.

    So, let's say I have two switches -- SW1 and SW2. On these switches are two access ports -- on each switch, port 1 belongs to VLAN 1 and port 2 belongs to VLAN 2. Because these are access ports, they are untagged.

    Between the switches exists a trunk -- SW1 Trunk1 travels to SW2 Trunk1. The native VLAN on both sides of this trunk link is set to VLAN 1. When traffic is forwarded from SW1 to SW2, it hits the trunk line. When it hits the trunk line, traffic for VLAN 2 is given a VID tag. When traffic for VLAN 1 hits the trunk line, it is not given a VID, and because the native VLAN on both ends of the trunk are the same, it is assigned to VLAN 1. Between the two switches, the devices in VLAN 1 and VLAN 2 should be able to communicate with other devices on their own VLAN. (Inter-VLAN routing is not set up -- this is a purely L2 switch -- and nothing is attached to a router.) I think I have this all down but correct me if I'm wrong.

    Here's where I start to get confused. Let's say I throw another switch in the mix, SW3. SW3 also has two access ports, port 1 belonging to VLAN 1 and port 2 belonging to VLAN 2. A trunk travels between SW3 and SW2 -- SW3 Trunk1 and SW2 Trunk2. What happens if for some reason I decide to assign the native VLAN on either end of this trunk to VLAN 2? Theoretically, communication between SW2 and SW3 should work. However, what happens if traffic from SW1 wants to go to SW3? In this topology, it has to go through SW2. My idea -- and I have no clue if it's right -- is if, for example, VLAN 1 traffic wanted to go from SW1 to SW3:

    - SW1 VLAN 1 traffic is sent to SW2 over trunk link. It remains untagged because VLAN 1 is the native VLAN on both sides of the link between SW1 and SW2.

    - The traffic then begins to move to SW3, still untagged at this point. Then, when it hits the trunk link between SW2 and SW3, it is assigned a VID, because now VLAN 2 is the native VLAN on the trunk link.

    For further example:

    -SW1 VLAN 2 wants to send traffic to SW3 VLAN 2. It is forwarded as tagged over the trunk link between SW1 and SW2. Then what happens? When it hits the trunk line between SW2 and SW3 where the native VLAN is VLAN 2, would the tag be stripped from the traffic so that it can traverse the trunk line? Or would this simply not work?

    Let me know if I'm thinking about anything incorrectly.

    EDIT:

    To clarify, I am NOT asking if native VLANs can be different on the two ends of a trunk line. In the topology I'm trying to describe, the native VLAN is the same on both ends of all trunks; however, one trunk line's native VLAN is 1, and the other's is 2. I drew a picture to maybe show what I'm getting at better.

    https://pdfhost.io/v/Mv14wKef_switching_questionrotatedpdf.pdf

    submitted by /u/TheQuietForte
    [link] [comments]
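    The post above asks what happens to the tag as a frame crosses two trunks whose native VLANs differ. The following is an added simulation, not code from the post or from any vendor, that applies the two 802.1Q rules a switch uses (leave untagged when the frame's VLAN equals the egress end's native VLAN; classify an untagged arrival into the ingress end's native VLAN) hop by hop. The switch names, trunk objects and the `native_mismatches` audit helper are assumptions made for the example; the audit goes slightly beyond the question by also showing why a native VLAN that differs between the two ends of one link is a problem, since an untagged frame then silently changes VLAN.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Trunk:
    """One 802.1Q trunk link. `native` maps each end (switch name) to the
    native VLAN configured on that end, so the two ends may disagree."""
    a: str
    b: str
    native: Dict[str, int]


@dataclass
class Frame:
    """What is actually on the wire: the 802.1Q VID, or None if untagged."""
    tag: Optional[int]


def egress(trunk: Trunk, switch: str, vlan: int) -> Frame:
    """Send a frame that belongs to `vlan` out of `switch` onto the trunk.
    A frame in this end's native VLAN leaves untagged; any other VLAN is tagged."""
    return Frame(tag=None if vlan == trunk.native[switch] else vlan)


def ingress(trunk: Trunk, switch: str, frame: Frame) -> int:
    """Classify a frame arriving at `switch` from the trunk. Untagged frames
    are placed in this end's native VLAN; tagged frames keep the VLAN in the tag."""
    return trunk.native[switch] if frame.tag is None else frame.tag


def forward(path: List[Tuple[Trunk, str, str]], vlan: int) -> List[Tuple[Optional[int], int]]:
    """Carry a frame across each hop (trunk, from_switch, to_switch).
    Returns, per hop, the tag seen on the wire and the VLAN the receiving
    switch assigned the frame to."""
    hops = []
    for trunk, src, dst in path:
        wire = egress(trunk, src, vlan)
        vlan = ingress(trunk, dst, wire)
        hops.append((wire.tag, vlan))
    return hops


def native_mismatches(trunks: List[Trunk]) -> List[Tuple[str, str]]:
    """Configuration audit: trunks whose two ends disagree on the native VLAN.
    Such a link moves untagged frames from one VLAN into another."""
    return [(t.a, t.b) for t in trunks if t.native[t.a] != t.native[t.b]]


if __name__ == "__main__":
    # Topology from the post (assumed names): SW1--SW2 native 1, SW2--SW3 native 2.
    sw1_sw2 = Trunk("SW1", "SW2", {"SW1": 1, "SW2": 1})
    sw2_sw3 = Trunk("SW2", "SW3", {"SW2": 2, "SW3": 2})
    path = [(sw1_sw2, "SW1", "SW2"), (sw2_sw3, "SW2", "SW3")]
    print("VLAN 1 SW1->SW3:", forward(path, 1))  # [(None, 1), (1, 1)]
    print("VLAN 2 SW1->SW3:", forward(path, 2))  # [(2, 2), (None, 2)]
    # A misconfigured link: native VLAN 1 on one end, 2 on the other.
    bad = Trunk("SW1", "SW2", {"SW1": 1, "SW2": 2})
    print("mismatched link, VLAN 1 frame:", forward([(bad, "SW1", "SW2")], 1))  # [(None, 2)]
    print("audit:", native_mismatches([sw1_sw2, sw2_sw3, bad]))
```

    The two runs show the behaviour the post reasons about: a VLAN 1 frame crosses the first trunk untagged, is classified as VLAN 1 on SW2, and is then tagged with VID 1 on the second trunk because VLAN 2 is native there; a VLAN 2 frame does the reverse and arrives at SW3 correctly in VLAN 2. The tag is never "lost" because the switch tracks the frame's VLAN internally and only decides at each egress whether to write a tag. The audit helper is the check worth running on real configs: consistent native VLANs per link is what keeps that guarantee.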

    Python for Network Engineers, free course, starts Tuesday, March 3rd

    Posted: 27 Feb 2020 08:20 PM PST

    Periodically, I run a free course on Python for Network Engineers. The next course starts this Tuesday.

    This course is aimed at Network Engineers that want to learn Python. It covers Python fundamentals, but using exercises and examples that are more relevant to network engineers. That being said the course is definitely oriented towards beginners (from a Python programming perspective).

    The week-by-week schedule for the course is as follows:

    Week1 - Why Python, the Python Interpreter Shell, and Strings
    Week2 - Numbers, Files, Lists, and Linters
    Week3 - Conditionals and Loops
    Week4 - Dictionaries, Exceptions, and Regular Expressions
    Week5 - Functions and the Python Debugger
    Week6 - Netmiko Basics
    Week7 - Jinja2 Basics, Introduction to YAML and JSON, Complex Data Structures
    Week8 - Libraries, Package Installation, and Virtual Environments

    The course is taught using Python3.

    The course format is a lesson a week for eight weeks. The lessons are all delivered via email and consist of videos, exercises, and additional content. The course is self-paced i.e. you can work on it on your schedule.

    A bit about myself: I am a long-time network engineer (CCIE #6243 emeritus). For several years, I have been working extensively in network automation. I am the creator/maintainer of the Netmiko-Python library. I am also a core maintainer on the NAPALM-Python library. I also work quite a bit on both Nornir and Ansible.

    Sign-up is available here:

    https://pynet.twb-tech.com/email-signup.html

    submitted by /u/ktbyers
    [link] [comments]

    BGP - Overthinking this design

    Posted: 28 Feb 2020 02:58 PM PST

    I've been tackling a project at my job over the last few weeks involving SilverPeak's SD-WAN product and fitting this into our current network design. My experience with BGP is limited, mostly focused on internet routers out to providers, so I am worried I am over complicating my design and making it harder than it really should be.

    Our current design has 3 buildings as part of OSPF Area 0, with 2 locations hanging off those in Area 1 and Area 2. I was successful in cutting over 3 of my 5 locations, but hit a snag with my 4th site due to routes learned through my "Partner" that can be learned from any of my 3 data centers, causing a bit of a loop.

    Here's a quick "Current" design of this one location. Current Design

    The partner router is peered BGP to my firewall where we have them set up as a separate security zone. I then redistribute those learned BGP routes into my core network as OSPF-type1.

    Each core switch is then peered to a separate SilverPeak, where I am exporting connected, statics and the OSPF-type1 routes that match the partner's prefixes. SilverPeaks will teach my cores all of the routes in the SD-WAN fabric. Two issues with this design: 1) I need both cores to learn the BGP routes from each other, in the event I ever lose one SilverPeak. 2) SilverPeak learns the routes as BGP, so my remote sites are preferring the SilverPeak routes rather than their closer OSPF routes.

    This is what I am proposing and where I am currently banging my head on the desk. Proposed Design

    I would multi-home the firewalls to both core switches so I am learning the partner routes as iBGP directly. I would do this in my 3 locations that have this "Partner" connection. I would have a route policy so the firewall was only sending the learned routes to the peers and another route-policy so the cores would not attempt to export routes to the firewall. Once I had this working, I can play with the prepends so failover worked as it does today with OSPF.

    Would I then need to peer the two core switches as well? Could I better utilize multihoming in blue? I should probably multihome the cores to each SilverPeak but I am afraid that this is over-complicating the design.

    Of course, this is a production network with no lab so all my work is happening after a full 12 hour day. Tried my best to make it as clear as possible but the candle is officially burnt at both ends.

    submitted by /u/tulley
    [link] [comments]

    Zero trust for thick client apps

    Posted: 28 Feb 2020 07:51 AM PST

    Thinking about best approaches for securing remote access (think road warriors) to SAP via the legacy thick "SAPGUI" client (let's assume the web client only isn't an option).

    Ideally, I'd like the server components to stay isolated and SAPGUI packets can only reach it after the underlying client has gone through an initial round of authentication (including MFA), posture checking, etc. Sessions remembered for some period of time thereafter for convenience.

    Today we can achieve the above with VPN (Pulse Secure), but one has to fire up a client manually first. This can continue to work, obviously, but I'd love to get to a more seamless approach, perhaps via a sort of transparent lite-client that is triggered when SAPGUI tries to make its initial connection.

    Is something like Pulse Secure's SDP capable of doing this? Akamai EAA? What else should I be looking at? Our SAP environment sits in Azure so am thinking the access gateway could sit there...

    I anticipate other workloads like this in the future and would appreciate a solution with some flexibility.

    TIA

    submitted by /u/variant78
    [link] [comments]

    I'm planning to upgrade our Cisco Catalyst 3850/3750 stack switches. We are running 03.06.04.E. Does anyone have a recommendation of the latest and most stable version? I was reading Cisco's recommended release document and checking open caveats/bugs, but I'm still not sure.

    Posted: 28 Feb 2020 09:31 AM PST

    Wireless Surveys: Ekahau vs. Cheaper Options?

    Posted: 28 Feb 2020 09:15 AM PST

    Company is doing a major push for wireless as the main connection type. I came on board and inherited a FortiAP refresh project. Since then I have found some flaws in the predictive design from the vendor. Many change windows of tuning have got us to a much better spot and I have learned a ton. However, I am still fighting the 'Wireless sucks' stigma. Management is now saying we need to get a handle on this to either prove it is placebo or remediate the problems. In the end I need a consistent wireless experience for VOIP/Video across all offices (Count: ~8 and growing). We shuffle a lot as well, so paying a vendor to do surveys every time the environment changes will get expensive fast.

    Looking at Ekahau or other options for 80% of the time post-implementation site surveys and 20% planning/predictive designs. Is it worth the $8k+ for Ekahau+Sidekick, or could I just grab a MacBook Air with a NetSpot license or similar and do just as good? I have not used AirMagnet in many years, but it sounds like it is stale at this point.

    Environment info: FortiAP 221e, 5GHz only, 40MHz channel widths, disabled lower bitrate bands, matched power to my clients (14dB), auto channel optimization (Once daily due to it knocking clients off). Typical noise is -108dB, RSSI -57dB, SNR 51dB. Client testing locally w/ iPerf is a decent 220Mbit/s w/ 802.11ac 2x2 Intel cards.

    submitted by /u/NotSoSimpleGeek
    [link] [comments]

    Diagonally mounting hardware

    Posted: 28 Feb 2020 01:36 PM PST

    Any reason not to mount a switch at an angle? There aren't any magnetic spinning disks, however there are fans. I wonder if it would put stress on the bearings. Any thoughts? Thanks.

    submitted by /u/VanDownByTheRiverr
    [link] [comments]

    Developing an application for linux based router

    Posted: 28 Feb 2020 02:30 PM PST

    I have some programming background. I am interested in developing a firewall/security related application for a router (Linux). Any advice on what router I can use to install/test my application? The initial version will be command-line only; I'm planning to add a GUI later on. I am not sure what tech stack to use since there is limited space on the router. How about Node.js and a React app? Any suggestions welcome.

    submitted by /u/snoopyspy
    [link] [comments]

    Anyone work with Palos in AWS, curious on the HA setup with API calls to failover ENI's

    Posted: 28 Feb 2020 08:30 AM PST

    So I am setting up HA in a single VPC, single AZ in AWS for Palo Alto VM firewalls. Following this, I have created the IAM policy and role, and I am going to attach them to some newly spun up firewalls.

    I'm just curious how the VMs know when to do the API calls. Is there something built into the OS? In Panorama there is an actual plugin that you download and configure, which makes sense to me as you are configuring a process to watch VMs and initiate a failover, but in terms of just the VM firewalls themselves, I'm failing to see the actual mechanism that fires off the API calls. Is it built into the HA functionality of the VM series?

    Just doesn't make sense to me. Have a ticket open with them asking for more details. Will post results if they let me know anything interesting.

    submitted by /u/Digital_Native_
    [link] [comments]

    upgrading remotely with no OOB

    Posted: 28 Feb 2020 03:45 AM PST

    I am due to upgrade a couple of Juniper MX routers this weekend. I'm in the UK and the devices are in the USA.

    As a precaution I wanted to ensure that OOB access was up before I prep for tomorrow, and I've realised that I left the OOB unplugged after my last visit to the DC in January..........dope

    Would you carry on with the upgrade remotely regardless? Or is it better to play it safe and hold back until OOB is connected?

    EDIT: I hear you. I've asked for a remote hands request to patch in the console ports again. I love how expensive USA data centre charges are compared to the UK.

    submitted by /u/LittleWanger
    [link] [comments]

    Critique my firewall/vpn idea please..

    Posted: 28 Feb 2020 01:43 PM PST

    Main site: 1x1gb WAN Cyberoam 100i

    Remote site: 750x750mbps Fortigate 60D

    Site to Site Ipsec: main to remote

    Anyone know if there are any compatibility issues with Cyberoam and Forti?

    Before you ask, this is only to test the remote site 'working off' the servers here at the main site. The old Cyberoam UTM they have maxes at 200mbps over IPsec. The Forti 60D maxes at 1gb, so my plan is to install this and, provided the tunnel comes up and is stable, then I'll ramp them up to at least 500mb (or maybe 750) so their experience is as good as it can be. (My network handles a lot of large CAD file transfers.)

    Once tested, and if it proves feasible, the plan then is to replace both Cyberoam and Fortigate with decent Mikrotik hardware routers running pfSense. That will allow me a lot of flexibility and customization, and is OpenVPN compatible, so I won't have to break my 50+ remote workers or have to touch their machines. I am the only IT person here, so as transparent as I can get is best.

    But please blow this apart, tell me where I'm wrong or right. And thanks!

    submitted by /u/invalidpath
    [link] [comments]

    802.11ax missing trigger frames

    Posted: 28 Feb 2020 06:42 AM PST

    I took pcaps to verify some Wifi 6 features, and I think I am missing some frames.

    Setup:

    - 2 Cisco 9120's: one in flexconnect, one in sniffer mode

    - Laptop that runs vWLC version 8.10.105 on Virtualbox, and serves as server for a speedtest.

    - Laptop running Wireshark 3.2.1, receiving the frames from the WLC

    - One client with Intel AX200 chip, one Samsung Galaxy S10

    vWLC and client confirm that 802.11ax is used. When performing a speedtest on the clients, the pcap shows a ton of consecutive RTS, CTS and 802.11 Block ACK frames, but no Trigger and/or data frames. I suppose that I should also be seeing these? Or are there any restrictions in what frames the sniffer sends to the WLC/Wireshark?

    I would like to check stuff like which client gets which amount of RUs etc.

    Thanks in advance!

    submitted by /u/thebelgiannetworker
    [link] [comments]

    Anyone know anything about passive vs active telnet?

    Posted: 28 Feb 2020 12:38 PM PST

    I am working on building a python tool which can communicate with devices over telnet. I'm using the telnetlib module which is a full/faithful implementation of the telnet RFC.

    However, I need to act as a passive client rather than active and I can't figure out how to do that. I don't see any documentation on it and I couldn't even figure it out in the RFC.

    I know Putty has an option for it, but after looking through the source code it still isn't clear.

    Anyone have any idea of what makes a telnet connection active vs passive?

    submitted by /u/Melodic-Ball
    [link] [comments]

    iBGP loop prevention in a full-mesh topology

    Posted: 28 Feb 2020 11:56 AM PST

    I have read that to prevent loops in an iBGP full-mesh topology the following rule exists: "Routes learned from an internal neighbor are never sent to another internal neighbor".

    I don't quite understand this rule. Can someone explain this further? How does this prevent a loop and how does this make it possible for external routes to be routed through a transit AS with multiple iBGP routers?

    submitted by /u/ManuMoe
    [link] [comments]
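    The post above asks how the "never re-advertise an iBGP-learned route to another iBGP peer" rule works in practice. The following is an added simulation, not code from the post or from any BGP implementation, that floods one externally learned prefix across a set of routers inside one AS and lets you switch the rule on or off. Router names, the peering lists and the documentation-range prefix and AS number are constructed for the example. It shows the two consequences of the rule: in a full mesh every router learns the external route directly from the border router that holds the eBGP session, and in a partial mesh the routers not directly peered with the border router never learn it at all, which is why iBGP needs a full mesh (or route reflectors / confederations, which the simulation does not model).

```python
from typing import Dict, Iterable, Optional, Set, Tuple


class Router:
    """A BGP speaker inside one AS. `routes` maps prefix -> (how it was
    learned: "ebgp" or "ibgp", which neighbour advertised it)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.ibgp_peers: Set[str] = set()
        self.routes: Dict[str, Tuple[str, str]] = {}

    def learn(self, prefix: str, kind: str, via: str) -> bool:
        """Install a route if the prefix is not already known; True on change."""
        if prefix in self.routes:
            return False
        self.routes[prefix] = (kind, via)
        return True


def peer(routers: Dict[str, Router], pairs: Iterable[Tuple[str, str]]) -> None:
    """Create bidirectional iBGP sessions for each (a, b) pair."""
    for a, b in pairs:
        routers[a].ibgp_peers.add(b)
        routers[b].ibgp_peers.add(a)


def converge(routers: Dict[str, Router], enforce_rule: bool = True) -> None:
    """Advertise routes over iBGP until nothing changes. With `enforce_rule`
    a router never re-advertises an iBGP-learned route to an iBGP peer,
    i.e. only routes it learned itself via eBGP are sent to internal peers."""
    changed = True
    while changed:
        changed = False
        for r in routers.values():
            for prefix, (kind, _via) in list(r.routes.items()):
                if enforce_rule and kind == "ibgp":
                    continue  # the loop-prevention rule from the post
                for p in sorted(r.ibgp_peers):
                    if routers[p].learn(prefix, "ibgp", r.name):
                        changed = True


def who_knows(routers: Dict[str, Router], prefix: str) -> Dict[str, Optional[str]]:
    """For each router, the neighbour it learned `prefix` from (None if unknown)."""
    return {n: (r.routes[prefix][1] if prefix in r.routes else None) for n, r in routers.items()}


def build(pairs: Iterable[Tuple[str, str]], enforce_rule: bool = True) -> Dict[str, Router]:
    """Three routers in one AS; R1 is the border router with the eBGP session.
    Prefix and AS number are constructed documentation values."""
    routers = {n: Router(n) for n in ("R1", "R2", "R3")}
    peer(routers, pairs)
    routers["R1"].learn("203.0.113.0/24", "ebgp", "AS64500")
    converge(routers, enforce_rule)
    return routers


if __name__ == "__main__":
    full_mesh = [("R1", "R2"), ("R1", "R3"), ("R2", "R3")]
    partial = [("R1", "R2"), ("R2", "R3")]
    print("full mesh, rule on :", who_knows(build(full_mesh), "203.0.113.0/24"))
    print("partial, rule on   :", who_knows(build(partial), "203.0.113.0/24"))
    print("partial, rule off  :", who_knows(build(partial, False), "203.0.113.0/24"))
```

    With the rule enforced, every internal router's entry points at R1, the router that really has the external path, so forwarding inside the AS is always toward the exit and never toward another internal router that merely relayed the route; that is what makes the AS usable as transit. Without the rule (third run) R3 learns the prefix from R2, a router that does not own the path, and because iBGP does not prepend the local AS number there is no AS_PATH change to detect a route that has circulated back, which is the loop the rule is there to prevent.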

    DNS

    Posted: 28 Feb 2020 11:28 AM PST

    I'm looking for a way of creating a table of DNS queries/responses at our organization. I don't care about the source/time of the request or how many times it happened. I just want a complete list of DNS name: IP address mappings. The reason for this is that I often get notifications from other software that an IP address was contacted that is in a threat database. The problem of course is that this IP address can be used for many different sites and most are legitimate. Reverse DNS queries will generally only return the owner of the address like Amazon which isn't useful.

    If I could query our own DNS database of actual query results I could easily determine the DNS names used to contact the IP addresses and make an informed decision as to whether a threat exists or not. Is there any app for something like this? I can't imagine it's that uncommon of a request.

    submitted by /u/mlcarson
    [link] [comments]
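    The post above describes exactly what a passive DNS table is: a deduplicated mapping of resolver answers (IP address -> names that resolved to it) used to triage alerts that name only an IP. The following is an added example, not code from the post or from any product, that builds such a table from a constructed, simplified resolver response log (the line format, client addresses, names and answers are all made up for the example; a real deployment would feed it from the resolver's query/response log or a packet tap in front of the resolver). Answers are validated with the standard `ipaddress` module so non-address responses such as NXDOMAIN are skipped, and a lookup function returns the names seen for an address.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample log lines (not from any real resolver); one response per line.
SAMPLE_LOG = """\
2020-02-28T11:28:01Z client=10.20.0.15 qname=www.example.com qtype=A answers=198.51.100.7
2020-02-28T11:28:02Z client=10.20.0.15 qname=cdn.example.net qtype=A answers=198.51.100.7,198.51.100.8
2020-02-28T11:28:05Z client=10.20.0.31 qname=updates.example.org qtype=AAAA answers=2001:db8::10
2020-02-28T11:28:09Z client=10.20.0.31 qname=WWW.Example.com qtype=A answers=198.51.100.7
2020-02-28T11:28:12Z client=10.20.0.40 qname=bad-example.test qtype=A answers=NXDOMAIN
"""

# Only the fields the table needs; client and timestamp are deliberately ignored,
# matching the post's requirement of a plain name <-> address mapping.
LINE_RE = re.compile(r"qname=(?P<qname>\S+)\s+qtype=(?P<qtype>A|AAAA)\s+answers=(?P<answers>\S+)")

PassiveDns = Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]


def build_passive_dns(log_text: str) -> PassiveDns:
    """Return (ip -> names, name -> ips) built from every A/AAAA response in the log.
    Names are lower-cased so case variants collapse; answers that are not valid
    IP addresses (e.g. NXDOMAIN) are skipped."""
    ip_to_names: Dict[str, Set[str]] = defaultdict(set)
    name_to_ips: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        name = m["qname"].lower().rstrip(".")
        for answer in m["answers"].split(","):
            try:
                ip = str(ipaddress.ip_address(answer))  # canonical text form
            except ValueError:
                continue  # NXDOMAIN, SERVFAIL or other non-address answer
            ip_to_names[ip].add(name)
            name_to_ips[name].add(ip)
    return ip_to_names, name_to_ips


def names_for_ip(ip_to_names: Dict[str, Set[str]], ip: str) -> List[str]:
    """Triage helper: which names have resolved to this address in our own logs?"""
    try:
        key = str(ipaddress.ip_address(ip))
    except ValueError:
        return []
    return sorted(ip_to_names.get(key, ()))


if __name__ == "__main__":
    ip_to_names, name_to_ips = build_passive_dns(SAMPLE_LOG)
    # A constructed "threat feed hit" on 198.51.100.7: the table shows it is shared hosting.
    print("198.51.100.7 ->", names_for_ip(ip_to_names, "198.51.100.7"))
    print("198.51.100.8 ->", names_for_ip(ip_to_names, "198.51.100.8"))
    print("cdn.example.net ->", sorted(name_to_ips["cdn.example.net"]))
```

    The lookup is the decision aid the post wants: an address flagged by a feed that maps to several well-known names is far more likely to be shared CDN or cloud hosting than a dedicated bad host, while an address with a single unfamiliar name deserves a closer look. Because the table keeps only the mapping, it stays small even at organisation scale; keep the timestamps in a separate store if you later need to know when a mapping was first or last seen.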

    In Circuit Switched connections using multiplexing, are all slots affected by the bottleneck of any other slot?

    Posted: 28 Feb 2020 10:27 AM PST

    A quick example to illustrate the question

    Server in red, users in blue. 5 machines connect through the same 10Gbps link to the server's edge router, and a single user connects to that router using a 1Mbps link.

    Consider we had 10 multiplexing slots. If the user on the right was not bottlenecked by his link (assume he also had a 10Gbps link), each user would have an effective bandwidth of 1Gbps.

    My question is, in the scenario with the bottleneck, would the bandwidth for each slot be affected by the bottleneck or not, i.e. would each user be getting 1Mbps/10 slots = 0.1Mbps/slot, or each depending on his connection?

    My first instinct for Time Domain Multiplexed circuits was that each time slot would get a bandwidth of (bottleneck bandwidth of that user)/10. This makes sense to me because each user uses his link as much as possible during the time slot he is allocated.

    But for Frequency Domain Multiplexed circuits this would get more complicated since each user would have a different frequency range to transmit in. ie: user 1 might use a frequency range of 20MHz, but user 2 uses a range of 10MHz since he is bottlenecked.

    submitted by /u/mohaxorigins
    [link] [comments]

    Possible to manage in Aruba Central with OOBM?

    Posted: 28 Feb 2020 09:44 AM PST

    Is it possible to manage 2930F/M switches in Central through the OOBM port?

    It picked up the template while connected over port 48 and loaded majority of changes. However, now that I'm pushing another change I get an error that it can no longer push the changes due to connection issue. When I console into the switch, I can ping google.com source oobm without an issue.

    Activate Provision Service : Enabled
    Activate Server Address : device.arubanetworks.com
    Activation Key : HIDDEN
    Time Sync Status : Time sync from NTP pool
    Activate DNS Lookup : Success
    Proxy Server DNS Lookup : NA
    Activate Connection Status : Failure
    Error Reason : Device has failed to reach Activate server with error : Couldn't connect to server

    submitted by /u/htu-mark
    [link] [comments]

    Brocade FCX command help

    Posted: 28 Feb 2020 08:50 AM PST

    I'm fresh out of school and new to this site. I have a 5-stack Brocade FCX that is a complete nightmare to manage. The port descriptions aren't right and I'm trying to figure out which ports are actively being used on a regular basis and which are not. All management is through PuTTY. What commands can I run to see when each port last saw activity? Preferably all in one list versus a separate command for each interface, but I'll take what I can get. I've looked around online, but most reference material I'm finding is referencing a GUI interface.

    submitted by /u/KuroNaut
    [link] [comments]

    SSLV, certificate required to join network?

    Posted: 28 Feb 2020 08:15 AM PST

    My company has some linux-based equipment connected via ethernet to the network at a healthcare organization and they recently installed 'SSLV', which has knocked the devices offline. They said that a certificate will now need to be installed on the equipment before it is allowed to connect to their network but didn't know how that would work for Linux, the instructions they had were Windows only.

    The IT guy I talked to didn't seem to know much but said that it wasn't just SSL inspection, though he didn't seem to know what that was... I searched online and the closest thing I could find was 'SSL Visibility Appliance' from Symantec. He specifically said that without the certificate the equipment wouldn't be able to connect to their network at all, which didn't make sense to me but he couldn't clarify further. Is there some way that certificates could come into play in DHCP? Or anything else related to communicating on a network?

    submitted by /u/zach_brown
    [link] [comments]

    Publishing internal server using port forwarding on ASA

    Posted: 28 Feb 2020 07:59 AM PST

    Hi,

    I have a server that I want to publish so that outside users can access it, so I want to port forward from the public IP to the internal server. When users outside enter https://<public ip>, they should be directed to the server, which has an IP of 172.16.12.7.

    So what I did on the ASA is configure an interface with an IP of 172.16.12.220; this interface is connected with a cable to a core switch that has a port in a VLAN of that subnet, and the core switch is connected to other L2 switches which are then connected to the servers.

    Then I configured this NAT on the ASA:

    object network serverpublish
     host 172.16.12.7
     nat (FwInsideServer,FwoutTerra) static 1.1.1.2

    access-list OUTSIDE_IN permit tcp any host 172.16.12.7 eq 443
    access-group OUTSIDE_IN in interface FwoutTerra

    and the interface on the ASA is:

    interface GigabitEthernet1/6
     nameif FwInsideServer
     security-level 65
     ip address 172.16.12.220 255.255.255.0

    But I couldn't access the server from outside. Is there something missing or anything wrong?

    Can you please help me?

    Thanks in advance!

    submitted by /u/ZiKoZzZz
    [link] [comments]

    static route on nokia isam with nant-a

    Posted: 28 Feb 2020 03:56 AM PST

    Hello, any ideas on how to configure a static route in a Nokia ISAM 7330 with an NANT-A card?

    The default route is no problem with configure system management default-route x.x.x.x

    but I can't find a way to configure a second route that I need.

    thx

    submitted by /u/serial2kx
    [link] [comments]

    "AMG host lookup failed" Cisco vWaas and Akamai

    Posted: 28 Feb 2020 06:03 AM PST

    Hi,

    How can I debug this problem?

    Nameserver and DNS lookup are configured on the router; WAAS can reach the internet.

    vWAAS is deployed as an OVA on the router.

    Thank you.

    submitted by /u/squartino
    [link] [comments]

    Ruckus AP doesn't recognize internal network

    Posted: 28 Feb 2020 04:28 AM PST

    I currently have an R700 operating normally in my network. It is in standalone mode and works great!

    Then I thought that I needed more 5GHz coverage, so I snatched an awesome deal on an R720.

    After it arrived, and because it defaults to 192.168.0.1, I used my trusty USB->Ethernet adapter and configured it (no problems, logged in just fine and updated the firmware to the latest Unleashed successfully).

    Unplugged it from the USB adapter and plugged it in my normal network.

    Then the mystery started.

    My network simply CAN'T SEE the R720.

    I have an EdgeRouter (not using its passive POE) and a Mikrotik switch (not POE). In the switch the port isn't even active. The port is enabled and was being used by the R500 just fine! I've tried to

    I use an AXIS 60W POE injector brick that can provide all the power that the R720 can devour, but to no avail; it simply isn't there.

    But when I go back to the USB adapter it works just fine!

    I know that the Mikrotik doesn't support or do LLDP, but this hasn't stopped the R700 from working (LLDP is active in the router, but connecting the R720 directly to it didn't help).

    Can anyone shed some light/insight? I am at my wit's end here :(

    submitted by /u/DouglasteR
    [link] [comments]
