Moronic Monday! Networking |
- Moronic Monday!
- Recommendations for a small ISP | Mikrotik + Ubiquiti
- Public BGP Peering with Active/Active Data Centers
- Medium Business Network Edge Security Questions
- Just something to think about: Can your VPN scale to nearly 100% of your workforce working from home?
- What characteristics of an app or protocol make them “wan friendly” or not?
- BGP: Need to advertise public route for test network
- ICMP packets not showing up after successful DHCP
- Looking for failover options
- Network exam project
- Creating a Personal Wiki
- Need help with making a IKEv2 VPN server from a Ubuntu VirtualBox
- Looking for beta testers for salt-sproxy 2020.3.0rc1
- Port Forward to ftp on mikrotik through public ip using ASA
- Aci multisite
- (cisco) VPN tunnel to a loopback address already behind an encrypted tunnel
- X.25 over TCP/IP in Packet tracer ?
- Attaching single Etherent port device to two switches for resiliency
- Competency Plateau or Peak
| Posted: 01 Mar 2020 05:04 PM PST It's Monday, you've not yet had coffee and the week ahead is gonna suck. Lets open the floor for a weekly Stupid Questions Thread, so we can all ask those questions we're too embarassed to ask! Post your question - stupid or otherwise - here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer. Serious answers are not expected. [link] [comments]  |
| Recommendations for a small ISP | Mikrotik + Ubiquiti Posted: 01 Mar 2020 08:02 AM PST Greetings from Kenya, fellow WISPs. I posted this on r/Ubiquiti and someone recommended me to post the same on this sub. We are a small ISP company looking forward to more growth. We supply internet to our customers using mainly Ubiquiti APs. Our main router is a single Mikrotik RB951Ui-2HnD. Main switch is a TP-LINK TL-SF1024D. For our client side, we supply them with cheap routers, usually Tenda F3 or F300. You know, third world. We authenticate them using the Mikrotik Hotspot, binding their static IP addresses. Pretty sure it's not a professional method, but works well. Queues define their allocated bandwidth. We want to upgrade our main base station, replacing the RB951Ui-2HnD with a RB3011UiAS-RM, and the TL-SF1024D with a UniFi US-24-500W for better management. We'll also run Giganet 10G cables from the UniFi switch to the base station Ubiquiti APs, through a Siemon CAT6a patch panel. What are some professional tips and tricks you can advise as we do the upgrade? Mainly, is PPPoE authentication any better than our hotspot method? And how effective will VLANs be in isolating our business-internet from home-internet clients, as well as our internal infrastructure like the Ubiquiti APs and a few Linux servers? I have no experience in implementing PPPoE or VLANs either. Which is ideal for implementing VLANs in this case, the RB3011UiAS-RM or the UniFi Switch? Kindly share your experiences and/or methods. [link] [comments]  |
| Public BGP Peering with Active/Active Data Centers Posted: 01 Mar 2020 02:45 PM PST I'm curious to know what the best practices are when you're peering BGP with the public internet at multiple data center locations. Would you commonly advertise the same public prefixes at both locations, or would each location have its own set of public prefixes? If they use the same ASN would there need to be some sort of an iBGP connection between the DCs? My thought process is that yes, they would advertise the same prefixes at both, and that the iBGP connection is not necessary. [link] [comments]  |
| Medium Business Network Edge Security Questions Posted: 01 Mar 2020 01:21 PM PST I have been asked to put in a medium size business network. This will include edge router/firewall, voip, and wifi. I am pretty set on Cisco at the moment. With that information, I am thinking of going with a Cisco ISR 4431 with FXS/FXO for the edge router, a 9300 48 port switch, a 9800 wifi controller and probably some 2802i APs. My question is: Will the 4431 be good enough for the edge device? Should I put something like a PA-220 in front of it? What would be best practice? Money is not an issue here and I am pretty stuck with Cisco. [link] [comments]  |
| Posted: 29 Feb 2020 06:50 PM PST We all read the news. If the situation were to arise could your infrastructure handle it? Not trying to fearmonger, but we are stuck dealing with the results of those that do. I believe the answer for myself is no. [link] [comments]  |
| What characteristics of an app or protocol make them “wan friendly” or not? Posted: 01 Mar 2020 06:26 AM PST So we have a big meeting with our developer team tomorrow, on Monday, and this is a big deal for us, because we've never really had that before. (We haven't evolved yet into net dev or infrastructure as code, we're very old school here.) We're going through Digital Transformation (I know... I can hear your eyes rolling from here) and part of that is making sure there's a good User Experience (UX) with all of our new suite. In the past a lot of our home brew apps have performed horribly over the wan. Add 60-80ms and the user experiences crazy wait times of 2-3 entire minutes for a transaction to finish. If it even does. This has caused a bitter Cold War between our teams where the dev team is screaming "network" and we're screaming "application." Their argument has always been "well it works fine here. So something in the network between here and there is causing it." Our argument has always been "but all the other apps work great at that location. It's only this app that sucks." When you look at the traffic in wireshark the apps server basically sends thousands and thousands of "tiny packets" to the client. Packets that are mostly header and just a few bytes of data. It's not efficient. It takes far too long to do anything. Anyway our CTO has mostly sided with the devs. Which has of course led to nothing getting fixed. So we finally pushed back hard enough to land this meeting tomorrow and I'm actually very excited about it and optimistic. We plan on reviewing the pcaps with them and showing them what's going on and why things are taking so long. But I just wanted to ask the experts here: what other characteristics make an app perform very poorly over the wan? Likewise SQL and SMB are said to be very bad over the wan. Why? What would you tell a dev to make their apps wan friendlier that you would word it in "dev speak" so they understand it? Because ours has told us before they don't know what we're talking about. Edit: Is this really a bad question? I'm a little surprised about the down votes. Can you help me to ask this question more intelligently? [link] [comments]  |
| BGP: Need to advertise public route for test network Posted: 01 Mar 2020 09:07 AM PST I am upgrading equipment for an internet app at a site (Site A) that uses provider independent addresses connected to an ISP, running eBGP. I need to have the servers running concurrently from the same location to test the new machines and code, but I cannot use any of the production address space. I can subnet out a /28 from a class c provider independent address block in use at a different location (Site B)(different AS), but am not sure how to make it workable. Is it as simple as modifying BGP from losing site (Site B) (VLSM) to drop advertising the removed subnet block and creating BGP entries for that block from the shared (new) location (Site A)? [link] [comments]  |
| ICMP packets not showing up after successful DHCP Posted: 01 Mar 2020 10:04 AM PST Hi, I am working on VNFs for building a home router and currently stuck in the phase right after successfully acquiring IPv4 address from another router running pfSense. Following the protocol described in wiki: https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol I can see the respective DHCP DORA packets in wireshark running on another machine in the same LAN as the new home router. The topology is here. The problem is that although the DHCP lease is visible in the pfSense no ICMP packets to the new router are ever seen by the host running Wireshark (monitoring all LAN traffic). However, psSense is able to ping the Wireshark host, and ICMP packets are visible in this case. I tried disabling the firewall in pfSense, still no change. Any ideas what is wrong in this situation? [link] [comments]  |
| Posted: 01 Mar 2020 11:35 AM PST Happy Sunday fellow Network peeps! I'm looking for suggestions for an automatic failover using either 4G/ Fixed WiFi so if the local business class isp fails were not loosing any sales I'm aware of 4G modems and thought cradlepoint offered something similar but would love suggestions [link] [comments]  |
| Posted: 01 Mar 2020 07:57 AM PST Hello everyone. I'm sorry if this sub isn't the right place for these kinds of questions, but I'm starting get desperate. We have a network project which will count for 100% of the exam grade but we feel that we haven't been given enough knowledge and practice to go into this, so we're having trouble even sketching out basic the set up of what goes where. Given 3 physical servers and two Raspberry Pies we are to set these up under the following criteria: Put hardware "where it should go" (anywhere that we want in our network) We get one public IP, and then within our gateway only private ips. Two zones, one dmz and one secure. Vlan 802.1q. Firewall should only let packets going to public services in the dmz, then into the network via NAT/NAPT. Between dmz and secure zone there should be a firewall as well. Connections from secure side should get response. Secure zone should should have dynamically distributed IPS from DHCP while dmz should have static from DHCP. And then some more services, so total: DNS, DHCP, webserver with cms, websolution for email, email, firewall, HIDS and backup. So I guess firstly I am wondering where do I put everything, and what services go where. We haven't had any vlan labs, nothing about hids, nothing about backup, nothing about dmz or secure zone. We're really just wondering how to sketch this up so we can start googling. If we have the "correct" platform, atleast it's easier to start building the configs GW -> firewall-> DMZ -> firewall-> Secure zone Vlan will consist of the dmz and secure zone? We tried showing this sketch to the professor but he said he will not help us because it's the exam project. We were told to Google it [link] [comments]  |
| Posted: 01 Mar 2020 04:38 PM PST Over the years I have found that knowledge that I once knew, I have forgotten. I find myself re-googling things I once knew (asa and linux commands mostly). I am 46 years old old so I maybe losing memory lol. I guess my question is, do you know any cool, neat and organised little ways of creating your own wiki? Right now my wiki does not extend past Notepad ++. [link] [comments]  |
| Need help with making a IKEv2 VPN server from a Ubuntu VirtualBox Posted: 01 Mar 2020 03:06 PM PST I've been trying to make a VPN that uses the IKEv2 protocol using StrongSwan on Ubuntu following the instructions following this link: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-18-04-2 i will try to give as much detail as possible to what i did following the instructions given. in Step 1 i updated the local package cache as told to do, installed the StrongSwan package in Step 2 i did the command : In Step 3 i followed the steps, in the second part where i had to put a cn and a san i put 192.168.5.220 which is different from the VirtualBox that has a 192.168.5.12 ip, not sure if i was supposed to put the machine's ip or if i was supposed to do what i did. In Step 4 the first part where i had to type in Step 5 followed the steps and restarted StrongSwan. Step 6 i added the exceptions to the firewall, in before.rules i put instead of 10.10.10.0/24 i put 192.168.5.0/24 not sure either if that was what i was really supposed to do, for the rest i followed the steps and retarded the firewall. Step 7 i retrieved the certificate, added it to another VirtualBox, could not connect, tried to add it the host, did not work, and could not make it work from my phone, all 3 devices got the unreachable error or Error 809. I could ping the ip 192.168.5.220 from the other VirtualBox(Win7) but got : Reply from 192.168.5.14 : Destination host unreachable. 0% loss Sorry for the long text, not sure if i did everything properly, did i do something wrong? [link] [comments]  |
| Looking for beta testers for salt-sproxy 2020.3.0rc1 Posted: 01 Mar 2020 04:32 AM PST Hello folks, I've released salt-sproxy 2020.3.0rc1 (release candidate 1 for the upcoming major 2020.3.0), and I was looking for some beta testers. This new version should provide some major performance improvements, as well as better integration with the existing Salt environment (if you have one) - but might as well break things, so it's very important to gather more data before releasing. To clarify, the tool is not limited to working with network devices only, should be useful in whatever contexts (theoretically at least), but that's my main focus at the time being, so I figured I'd ask here. If you have any questions, I'd be glad to clarify anything, otherwise I'll be looking forward to your feedback (either positive or negative). PS. PyPI link: https://pypi.org/project/salt-sproxy/, and perhaps you might also find useful these quick start notes. [link] [comments]  |
| Port Forward to ftp on mikrotik through public ip using ASA Posted: 01 Mar 2020 10:24 AM PST Hi, i just want to test my port forwarding rule on the ASA, so i enabled the service ftp on the mikrotik with port 21, now to port forward to this ftp through public ip, i did this configuration on ASA:
when i write ftp://1.1.1.2 on the internet, i get nothing. While the ftp is working locally, when i type ftp://5.5.5.1 is there anything wrong with my nat configuration? thanks in advance! [link] [comments]  |
| Posted: 01 Mar 2020 07:11 AM PST Hello, I'm trying to set up multisite in the lab for the two fabrics. I don't fully understand how to configure ISN for it. Current set up has 2 multipod fabrics with a single spine from each pod connected to an IPN. There are two IPN switches (not 4) so pod 1 from fabric 1 and the 2 is connected to IPN 1 and pod 2 from fabric 1 and 2 is connected to IPN2. Let say the ports for fabric one are: Pod 1 Spine 1 int 1/1 => int1/1 IPN 1 Pod 2 Spine 2 int 1/1 => int1/1 IPN 2 And fabric 2 Pod 1 Spine 1 int 1/2 => int1/2 IPN 1 Pod 2 Spine 2 int 1/2 => int1/2 IPN 2 IPNs are connected at some other interface How do I configure ISN for this? From what I understand about ISN I need a connection between fabric 1 and 2. Can I use the already created connection from multipod? And if so do I need to make any changes to config on the IPNs? Or do I need another connection such as fabric 1 Spine => IPN => IPN => fabric 2 spine. [link] [comments]  |
| (cisco) VPN tunnel to a loopback address already behind an encrypted tunnel Posted: 29 Feb 2020 10:17 PM PST hi everyone, hoping someone has come up against this before and can give some advice as i haven't been able to find exactly the answer from searching. i've got a cisco 880 series (the cpe) doing a tunnel to a hub (using ipsec+gre). the cpe then bgp peers to the hub, and advertises a /32 publicly reachable address, and thus has direct internet access via this method (underlying network is CGNAT'd) from a bgp originated default route. this works great, as basically a cheapo sdwan type setup (cpe gets a publicly reachable address whilst behind CGNAT'd networks, and can be made easily redundant with an extra tunnel or 2 via other networks like a 4g connection, dsl, etc..). my question is... should it be possible to then run up an l2tp w/ipsec server on the cpe, via the /32 loopback address? i know typically you'd put a crypto map onto the interface directly facing the internet to watch for traffic - but in this case, the physical interface is behind CGNAT and would only see encrypted traffic coming in anyway. is this even possible? can you put a crypto map on a tunnel interface, or even the loopback? i know there's a lot of overheads in this design, but that's not an issue surely someone has done this before? [link] [comments]  |
| X.25 over TCP/IP in Packet tracer ? Posted: 01 Mar 2020 02:51 AM PST Hello, I want to simulate X.25 over TCP/IP in Packet tracer ( tried in latest and older versions also), But in all routers i am unable to find encapsulation x25 [only ppp hdlc frame relay appears] etc commands as mentioned in below article. https://www.cisco.com/c/en/us/support/docs/wan/x25-protocols/9363-x25-over-tcpip.html How can i simulate this . Pls. advice and help. [link] [comments]  |
| Attaching single Etherent port device to two switches for resiliency Posted: 29 Feb 2020 09:22 PM PST Hi, I want to attach the devices to an Ethernet switch, and have the connection failover to a *second* Ethernet switch if the primary unit is offline. For example, I need connectivity when the primary switch reboots during a firmware upgrade. So I am not looking at a switch "stack", or at some flavour of LACP. I am looking to have the device to connect to independent switch 2 if switch 1 goes offline and then resume the connection to switch 1 when switch 1 is back online. (Or it can stay that way until Switch 2 goes offline, no difference really) I found the Omnitron iConverter GM3 which is a "Carrier Class Network Interface Device (NID)" that appears that will do the job, but it does about 20 things I have no interest in and is quite expensive per port. Does anyone have a suggestion on a device that can do this? Preferably something that is rack-mountable and not hugely expensive. Thanks [link] [comments]  |
| Posted: 29 Feb 2020 07:06 PM PST Sorry to break the usual stream of yummy techincal problem solving posts, but I need some folks to weigh in on something. While this is a serious question, I refuse to mark it as such because I just may need the levity at this point. Have y'all ever gotten to the point where you think you have hit the highest level of competency in your field that you can? I am not talking about the run of the mill "imposter syndrome" that any engineer with an ounce of humility experiences once in a while. This is more of a long period of time where learning new tech seems almost out of reach or is at a minimum moving glacially slow. I haven't been in networking very long...6-7 years and I started very late in life. I am almost 50 and never worked in IT prior to this and never thought I was bright enough to do it. Maybe it's an age thing??? I don't know... I have no room to complain really...I have gotten extremely far in a short period of time. I have a pretty amazing job, but the amount of learning that we have to continually do seems like a wall at this point. We cover a good bit of ground where I work, so we work on quite a few different platforms. However, just as most enterprise size companies, we are always on the cusp of major changes. I am comfortable for the most part with my networking chops at this early point in my career, but I am just starting wade into devops and I seem to always be in fog. Is it possible that we have just so much RAM and that's it??? Can't learn anymore? I just keep at it and hope that an ah ha moment is around the corner, but at 48 years old with a family I don't have the time after work to put into knowledge seeking. So do we peak? I don't know. Giving up is not an option, but I am, starting to feel a bit...tired. I really hope y'all have amazing careers and thanks for being mentors to folks like me. [link] [comments]  |
| You are subscribed to email updates from Enterprise Networking news, blogs and discussion.. To stop receiving these emails, you may unsubscribe now. | Email delivery powered by Google |
| Google, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States | |
No comments:
Post a Comment