    Wednesday, April 1, 2020

    Is it possible for routers in EVE-NG to communicate with the current prod MPLS WAN network? Networking

    Is it possible for routers in EVE-NG to communicate with the current prod MPLS WAN network?

    Posted: 01 Apr 2020 02:11 PM PDT

    I know that we can connect it to the internet via the Cloud0 Mgmt node. But is a setup like this possible?

    (MPLS WAN in production)---->(Azure cloud)-->(bridge type of connection)---(bgp routes can be learned and exchanged)<--->(Eve-ng VM)---->(Lab for testing SDWAN and see if we can learn routes from MPLS in production)

    submitted by /u/Ineedafkingusername
    [link] [comments]

    Just wanted to say Thank You.

    Posted: 31 Mar 2020 08:26 PM PDT

    The world is more dependent on the internet right now than ever, and it's folks like you who keep it running smoothly despite the massive amounts of traffic. I don't think we ever appreciate how important connectivity is in our lives, or the people who make it possible. Thank you so much!

    submitted by /u/gr8monkeyman
    [link] [comments]

    ISP BGP point-to-point links between routers?

    Posted: 01 Apr 2020 06:43 PM PDT

    Does anyone here know how best to handle these? Specifically the /30ish subnet between the routers? All the BGP guides I find are somewhat generic and always discourage advertising these into BGP itself but never explain why. They mention using an IGP, loopback & static routes, and I do understand how all of that works; but what is recommended in real life scenarios?

    I know you can use an IGP to handle this but I am interested in how ISPs connect their iBGP routers.

    For example, one datacenter I manage has a BGP session with 2 different ISPs to 2 of my routers. Cogent to router A & Hurricane Electric to router B. They each gave me a small public subnet to peer with them on. These subnets are advertised because they are routable on the Internet. But beyond that I have no idea what ISPs are using to connect routers in their own AS and to external ISPs.

    A part 2 to this question would be how ISPs interconnect with each other. I know generally they converge at Internet exchanges with a route reflector/server, but I am interested in the subnets they are using to do this. Are they public and Internet routable?

    One last thing. I have 2 different routers, one connected to each ISP (eBGP) and then they were connected to each other (iBGP). They are each getting a partial/default route table from their respective ISP. Instead of using next-hop-self, I simply advertised the /30 into iBGP at each router so they each have an organic route to the next hop ISP router instead of router A announcing itself as the next hop to router B for routes on Cogent. Is there anything wrong with this?

    Thanks for all who chime in ;)

    submitted by /u/3retto
    [link] [comments]

    Industry wide price increases?

    Posted: 01 Apr 2020 01:59 PM PDT

    Anyone heard of this? Was chatting with my VAR and he mentioned there's some "industry wide price increases affecting all resellers". I can see something like this in the current covid-19 global situation but also am skeptical since I have a decent size purchase coming up. I've seen tariff fees on a few quotes but this sounds like something more. Thoughts?

    submitted by /u/Cache_Flow
    [link] [comments]

    Ethernet 10Mbps and Half-Duplex vs Full-Duplex

    Posted: 01 Apr 2020 02:22 PM PDT

    Not sure if my general question is appropriate to this sub; please let me know if it should be redirected elsewhere. But I'm wondering, back when Ethernet 10 Mbps was more popular than Ethernet 100/1000 Mbps, why were half-duplex and CSMA/CD used if full duplex is clearly better?

    Second question: When I looked at the MII diagram for Ethernet 10 Mbps, it seemed to me like it supported full duplex communication. There are both RX[4:0] and TX[4:0] signals, but I thought half duplex would just have one such bus. Why would there be both?

    submitted by /u/NOTDUMBOK
    [link] [comments]

    Layer 1 problem

    Posted: 01 Apr 2020 03:22 PM PDT

    I have a DSL twisted pair about 3000 feet long, and when both ends are disconnected the impedance between tip and ring is only 13 megaohms.

    Is this faulty insulation on the twisted pair?

    submitted by /u/Curiositey
    [link] [comments]

    Can't ping vrrp virtual ip address across trunk links, ideas?

    Posted: 01 Apr 2020 12:54 PM PDT

    I'm setting up a new pair of EVPL circuits between two different pairs of core switches. I have a VLAN configured with the local IP and a vrrp vrid with a virtual IP address on each switch. Then a dt-trunk interface built tagged with the appropriate VLAN.

    Each switch has a single fiber interface connected to one side of the EVPL circuit configured like so:

    Site A Sw1 10.1.1.2 <-EVPL-> Site B Sw1 10.1.1.5

    | VIP 10.1.1.1 | VIP 10.1.1.4

    Site A Sw2 10.1.1.3 <-EVPL-> Site B Sw2 10.1.1.6

    I can ping from each switch to any other switch but I cannot ping to the remote virtual IP address across the EVPL. I can ping the VIP IP from the non-master switch on the same side (E.g. Site A Sw2 can ping 10.1.1.1)

    E.g. - I can ping from Site A Sw1 10.1.1.2 to 10.1.1.5 and to 10.1.1.6 but I cannot ping 10.1.1.4
    I can ping from Site B Sw1 10.1.1.5 to 10.1.1.2 and to 10.1.1.3 but I cannot ping 10.1.1.1

    VRRP Virtual Router Configuration Information
    Administrative Status [Disabled] : Enabled
    Mode [Uninitialized] : Backup
    Priority [100] : 200
    Advertisement Interval [1] : 1
    Preempt Mode [True] : True
    Preempt Delay Time [0] : 0
    Respond To Virtual IP Ping Requests [Yes] : Yes
    Version [2] : 2
    Null authentication compatibility [False] : False
    Primary IP Address : Lowest
    IP Address
    ---------------
    10.1.1.1

    What am I doing wrong here?

    submitted by /u/b34ny
    [link] [comments]

    In BGP is prepending outbound the proper way to control traffic?

    Posted: 01 Apr 2020 04:06 PM PDT

    I've only read about BGP design for ARCH exam and I've never built BGP peering by myself. We paid a consultant for a few hours to help us. His advice was not very thorough. He said we should prepend inbound and out. CCDP study mats said prepending is inbound and outbound should be local pref if your public space is /24 or smaller (it is).

    I imagine we'd get by with just his advice but I recognize he has just been using the same template for 15 years without thinking about it. So what is the best way to traffic engineer, without getting too complicated? Communities not available on all links.

    Some deets- two local routers, each with two available ports, and 3 ISPs. Planning on single links for lower bandwidth, 2 links for highest bandwidth. Will move off one ISP when pandemic subsides.

    submitted by /u/severance26
    [link] [comments]

    Firepower Rant - AnyConnect SAML

    Posted: 01 Apr 2020 08:03 AM PDT

    I am slowly regretting my boss's decision to move all of our ASAs over to FTD Code, and then lifecycle them with the 2130s. As you all are probably aware, Anyconnect is severely limited on FTD. I did manage to get the Umbrella Connector working on Anyconnect via a flexconfig. I am now trying to get SAML deployed on the Anyconnect Policy, via Flexconfig. The problem I have is getting the Signing Cert added to the device. Wondering if anyone has successfully gotten it integrated even though it is not supported. Trying to avoid having to buy more Cisco Firewalls, just for VPN access.

    PS. We could use RADIUS, but we are implementing MFA and it requires the user to type the method of authentication at the end of their passwords, providing an absolutely terrible user experience.

    submitted by /u/theITcowboy
    [link] [comments]

    Cisco ISE Device Admin Policy Set

    Posted: 01 Apr 2020 01:22 PM PDT

    I'm working on building a new ISE deployment. Our previous version is much older and is using AD joined vs LDAPS. That said, I'm trying to figure out how I specify an AD security group in the auth policy. I've selected the Ext Id Source for LDAPS, but the conditions don't show anything remotely related except TACACS users. Any ideas? Everything I can find with the googles is using internal IDs or AD.

    submitted by /u/cisco-throwaway
    [link] [comments]

    Impact of Changing Cisco Switch Hostnames

    Posted: 01 Apr 2020 09:33 AM PDT

    Should I be worried that this will cause any issues? The switches are in a stack and are the vtp server for 15x other switches. Would like to change the naming scheme and remove underscores before generating any certs etc.

    Sorry if this is a stupid question; I inherited responsibility for the new network when my coworker resigned without notice, a week before we got the order for all non-essentials to work from home, in the middle of our office move, so I'm a bit fried.

    submitted by /u/PM_ME_UR_MANPAGES
    [link] [comments]

    What would you look for in a network documentation tool?

    Posted: 01 Apr 2020 06:13 PM PDT

    It's an open discussion

    submitted by /u/muxie2007
    [link] [comments]

    Any potential issues in enabling jumbo frames globally on Nexus?

    Posted: 01 Apr 2020 07:33 AM PDT

    We are experiencing a VMware performance issue and we discovered that jumbo frames are not enabled for all ports. As opposed to tracking down all of our vmware and SAN interfaces 1 by 1, I thought I would just do it globally. Has anyone done this? Is there any threat that something may break by doing it?

    Thanks!

    submitted by /u/chrisv25
    [link] [comments]

    Any Akamai / ThreatAvert users with a "Luna Control Center" account willing to help me out?

    Posted: 01 Apr 2020 08:58 AM PDT

    I have a recurring problem where Spectrum Internet will blacklist my domain name. This happened 6 months ago, and some helpful r/networking & NANOG users that work for Spectrum informed me that Akamai ThreatAvert feed blacklisted my domain -- rightbridge.net

    I've had a hell of a time trying to get help from abuse@akamai.com and support@akamai.com. Ultimately, not being a customer they won't help me or even validate the problem exists. I'm assuming someone that is an Akamai / ThreatAvert customer could submit a simple ticket "Remove rightbridge.net from ThreatAvert feed" to quickly resolve this.

    Additionally, any ideas how I end up blacklisted would be appreciated. I'm at a complete loss on this. None of the public blacklists show any problems:

    https://mxtoolbox.com/SuperTool.aspx?action=blacklist:rightbridge.net&newAppVersion=1

    Akamai's own tools at:

    https://akamai.com/us/en/clientrep-lookup/

    Indicate my servers did not receive a bad risk score..

    I'm tempted to switch my DNS from Rackspace to Google or route53, but I'm not sure that would even make a difference.

    submitted by /u/dagronslayer
    [link] [comments]

    Cisco Core Switch upgrade questions

    Posted: 01 Apr 2020 08:01 AM PDT

    I'm looking to upgrade our Cisco core switch. It's an old 3560 Catalyst with a pretty basic configuration. The existing 10/100 ports are split up into VLANs for various client and server groups. The switch is largely there for routing. There is a combination of static routes and BGP for our connections to branch offices. The current north and south connections are all 1Gb Ethernet and a combination of L2 switches from various vendors (Dell, HP, Cisco, whatever was available when others purchased). The configuration on this switch rarely changes. I'm talking one config change every 3-5 years. For this reason, it's gone largely ignored.

    I'm hoping to change that with a core switch upgrade and have a few questions.

    We are a medium size business. We are very flexible on budget. I want something that is easy to configure, deploy, and maintain going forward, so that it doesn't go ignored in the future. I have plenty of networking experience, so am comfortable configuring a Cisco, even if I haven't had to do so in over a decade. My only lack of experience is with managing BGP, as it's something I rarely have to engage.

    1. Cisco site is recommending the upgrade path from a 3560 to the 9300. Does this upgrade path sound fair, overkill, or lacking?
    2. With this upgrade path, would I likely be able to copy the config line for line from the 3560, reducing configuration and implementation time?
    3. There was a previous concern among the decision makers that Cisco licensing is difficult and overpriced. Is that true nowadays?
    4. Are there other vendors we should consider? I figured transitioning to a different vendor would greatly increase time to implement. Not a deal breaker, but hoping to implement something sooner rather than later.

    Any feedback or suggestions are helpful. Thanks!

    submitted by /u/Clear-Disk_-Number_1
    [link] [comments]

    vPC interoperability with SPB

    Posted: 01 Apr 2020 08:38 AM PDT

    One of our customers wants to interconnect their current network environment (Alcatel running SPB) with a small vPC network (Merger). The task here is to interconnect the SPB network with the vPC network. I have created a network drawing of the situation and the proposed uplinks from the vPC network. My question here is, is this a valid interconnection? The reason I ask is because I have no experience with SPB, only with vPC. Are there any caveats...? Will this introduce network loops?

    https://imgur.com/hxnXdPH

    submitted by /u/Llamavis
    [link] [comments]

    Best solution to conflicting routes with remote VPN network?

    Posted: 01 Apr 2020 12:03 PM PDT

    Corporate network uses 192.168.0.0/22 which conflicts with most home network equipment. Users have issues accessing certain hosts on our network because of overlapping routes and their PC doesn't know where to route it. What is the easiest way to solve this? Thinking just renumbering our corporate network is the cleanest method here unless someone has a better idea.

    submitted by /u/housewoes2020
    [link] [comments]

    Oxidized Install Fails CentOS 7

    Posted: 01 Apr 2020 08:01 AM PDT

    When following install guide for Oxidized according to the steps listed for RHEL and CentOS ( https://github.com/ytti/oxidized#installation), I get the following error when running gem install oxidized:

    Could not create Makefile due to some reason, probably lack of necessary libraries and/or headers. Check the mkmf.log file for more details. You may need configuration options.

    It appears this issue has been noted here: https://github.com/ytti/oxidized/pull/2050

    Has anyone been able to successfully install the latest Oxidized on CentOS 7?

    submitted by /u/ruminative_vestige
    [link] [comments]

    Idle question - Are there any laws regarding rude SSIDs?

    Posted: 01 Apr 2020 11:27 AM PDT

    This working from home business has caused me to notice more about my local WiFi environment. Some people have rude names like suckmywhatever and such. I cuss like a sailor so I don't care but I thought it was a bit inconsiderate of others, maybe families and such. Are there laws regarding that kind of thing? Would it be considered using profanity in public or something like that?

    submitted by /u/BSwollocks
    [link] [comments]

    Firewall Recommendations for SMB

    Posted: 31 Mar 2020 06:41 PM PDT

    Hope everyone's doing well with this crisis.

    I'm looking to upgrade our FortiGate 80E firewall and seeking recommendations.

    • 25 Users in Total
    • 15 SSL VPN Users
    • 40 Devices
    • 350/35 Internet Speed (Please don't laugh, it's Comcast's Fault)

    I am thinking of Cisco ASA 5515-X but I don't have enough CLI experience to solely depend on it, so how's ASDM, or does it have an actual GUI? I used it many years ago.

    Second option was maybe SonicWall TZ600 or NSA 2650.

    It has to be FIPS 140-2 validated which means no Meraki or UniFi (Cries on the inside).

    submitted by /u/PrivateHawk124
    [link] [comments]

    Routing traffic from on-prem subnet outside advertised BGP subnets to AWS VPC

    Posted: 01 Apr 2020 12:34 AM PDT

    Hi,

    a little while back I tried setting up a site-to-site VPN between my on-prem lab and my AWS VPC.
    I do this via CloudFormation, and I decided to advertise the AWS subnets via BGP.

    Some details:

    AWS VPC Subnet: 10.0.0.0/16
    Subnet A in AWS: 10.0.0.0/24
    Subnet B in AWS: 10.0.1.0/24
    Subnet C in AWS: 10.0.2.0/24

    On-prem subnet: 172.21.20.0/24

    OpenVPN server IP address: 10.0.0.200
    OpenVPN Tunnel subnet: 10.1.100.0/24

    Laptop/OpenVPN Client ip: 10.1.100.60

    Tried to make a gliffy as well: https://imgur.com/a/lKfjn03

    Description

    Currently, BGP from AWS advertises 10.0.0.0/16 successfully to my Juniper SRX, and traffic flows as expected with the VPN tunnel established.

    In the AWS VPC, I have set up an OpenVPN server in EC2. It has an elastic public IP associated with it, and it sits in the subnet 10.0.0.0/24.

    When I configured OpenVPN, I set the OpenVPN tunnel subnet to be 10.1.100.0/24.
    This was chosen as you cannot specify a route more specific than the VPC CIDR which is 10.0.0.0/16 in the route table.
    The message if you try to specify a more specific route in the route table is "This route table is used by a subnet, and doesn't support route destination which are more specific than VPC local CIDR."
    In the route table, I set up a static route for 10.1.100.0/24 --- > IP address of the instance hosting the OpenVPN server, in order to get around the above issue.

    When I connect to the OpenVPN server using my laptop (10.1.100.60), I can ping other servers hosted in the VPC, and I can also ping the OpenVPN client (the laptop) from a server hosted in EC2 in the 10.0.0.0/24 subnet. So the routing within the VPC works.

    I can also from the laptop, ping my servers hosted on-prem in the subnet 172.21.20.0/24.
    The subnets are propagated to the route table in AWS via BGP.

    My problem is, I cannot send traffic from on-prem (172.21.20.0/24) to the OpenVPN clients, since the route advertised from AWS via BGP is 10.0.0.0/16, and the OpenVPN traffic is using 10.1.100.0/24.
    If I run tcpdump on one of my servers hosted on-prem (172.21.20.0/24) while pinging it from the laptop connected via OpenVPN, it sends the response back to the OpenVPN server (10.0.0.200).

    So I know i need to route traffic destined for the subnet 10.1.100.0/24 to the OpenVPN server 10.0.0.200. That's clear to me.

    However, from the AWS documentation "The virtual private gateway does not route any other traffic destined outside of received BGP advertisements, static route entries, or its attached VPC CIDR" https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNRoutingTypes.html

    Does the above have an impact in setting up a static route to the OpenVPN server?

    How do I route traffic to the OpenVPN tunnel subnet from my on-prem SRX, via the already established AWS VPN tunnel to my VPC?

    - Can I set up static routing? e.g. 10.1.100.0/24 -> 10.0.0.207. My brain is having a hard time understanding the language of the AWS documentation listed above.
    I did a test already, but I could not get it to play along. I did this on the SRX: set routing-options static route 10.1.100.0/24 next-hop 10.0.0.207
    I think this does not work because the IP address of the OpenVPN server, 10.0.0.207, is not reachable from within the SRX itself, as it's using a 169. address. (https://forums.aws.amazon.com/thread.jspa?threadID=48379)
    Show route 10.1.100.0 tells me that it's still routed by the route 0.0.0.0/0

    - Did I shoot myself in the foot, and need to redesign the whole VPC and network (if so, how should I do it instead?)

    I am fresh to both networking and AWS, so any hints appreciated :)

    submitted by /u/Peter-_-94
    [link] [comments]
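    Whether a reply from an on-prem server ever reaches the OpenVPN client comes down to a longest-prefix match on each hop. This added example (not from the post, not AWS or Juniper code) models the three route tables described above with the `ipaddress` module: the VPC route table with its "more specific than the VPC CIDR" rule, the SRX table as observed (only 10.0.0.0/16 learned over the tunnel, so 10.1.100.60 falls through to the default route), and an assumed remedy in which a 10.1.100.0/24 route points into the tunnel. The interface name `st0.0` and that remedy are assumptions, not taken from the post.

```python
import ipaddress


def lookup(table, dst):
    """Longest-prefix match over [(prefix, next_hop), ...]; returns (prefix, next_hop) or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else (str(best[0]), best[1])


def vpc_route_allowed(vpc_cidr, prefix):
    """Model of the route-table rule quoted in the post: a destination that lies
    inside the VPC CIDR and is more specific than it is rejected; anything outside
    the VPC CIDR (such as the OpenVPN tunnel range) is accepted."""
    vpc = ipaddress.ip_network(vpc_cidr)
    net = ipaddress.ip_network(prefix)
    return not (net.subnet_of(vpc) and net.prefixlen > vpc.prefixlen)


# Constructed route tables built only from the addresses given in the post.
VPC_CIDR = "10.0.0.0/16"
VPC_ROUTE_TABLE = [
    (VPC_CIDR, "local"),
    ("10.1.100.0/24", "OpenVPN instance 10.0.0.200"),  # static route the post added
    ("172.21.20.0/24", "virtual private gateway"),     # propagated from the SRX via BGP
]

# On-prem SRX as observed: 10.0.0.0/16 learned over the AWS tunnel, everything else
# via the default. The static route the post tried (next-hop 10.0.0.207) is absent
# because its next hop was unresolvable and 'show route' still showed 0.0.0.0/0.
# "st0.0" is an assumed tunnel interface name, not taken from the post.
SRX_TABLE = [
    ("172.21.20.0/24", "directly connected"),
    ("10.0.0.0/16", "st0.0 (AWS VPN, BGP)"),
    ("0.0.0.0/0", "ISP default"),
]

# Assumed remedy: a route for the OpenVPN client range that points into the tunnel,
# whether configured statically on the SRX or advertised from the AWS side.
SRX_TABLE_FIXED = SRX_TABLE + [("10.1.100.0/24", "st0.0 (AWS VPN)")]


def trace_reply(dst="10.1.100.60"):
    """Where a reply to the OpenVPN client is sent on each hop, before and after the fix."""
    return {
        "vpc_side": lookup(VPC_ROUTE_TABLE, dst),
        "srx_before": lookup(SRX_TABLE, dst),
        "srx_after": lookup(SRX_TABLE_FIXED, dst),
    }


if __name__ == "__main__":
    for hop, route in trace_reply().items():
        print(f"{hop:11s} -> {route}")
```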

    Troubleshooting intermittent timeouts between an F5 and our Hyper-V Infrastructure

    Posted: 01 Apr 2020 02:20 AM PDT

    Hi everyone,

    I've been stuck with this topic for a while and not sure where to go next. If anyone can point me in a direction I would be very grateful. I have very little experience in this type of "deep dive" network troubleshooting.

    F5 support has told me the issue is "between the F5 and the VM", which doesn't help much since the connection goes F5 <-> Switch <-> Hyper-V Clusters. The switch is managed by our datacenter provider while we own both the F5 and the Hyper-V Clusters.

    What happens is that we have intermittent timeouts of connections to the F5 that I have so far been unable to reproduce reliably. At random intervals, accessing one of our virtual servers will time out. Sometimes this happens 10 times in a row; most of the time it will work fine immediately after. My next step would have been to see if this issue occurs on infrastructure other than our clusters. They are both configured exactly the same, so the issue could exist on both of them.

    The traffic in Wireshark looks like this:

    On the server (10.0.0.58):

    No. Time Source Destination Protocol Length Info

    2381 14:10:57.92 10.0.0.58 10.0.0.43 TCP 66 54236 → 25 [SYN, ECN, CWR] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1

    2744 14:11:00.92 10.0.0.58 10.0.0.43 TCP 66 [TCP Retransmission] 54236 → 25 [SYN, ECN, CWR] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1

    3394 14:11:06.93 10.0.0.58 10.0.0.43 TCP 66 [TCP Retransmission] 54236 → 25 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1

    On the F5 VS (10.0.0.43):

    No. Time Source Destination Protocol Length Info

    7736 14:10:57.93 10.0.0.58 10.0.0.43 TCP 66 54236 → 25 [SYN, ECN, CWR] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1

    7738 14:10:57.93 10.0.0.43 10.0.0.58 TCP 62 25 → 54236 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 SACK_PERM=1

    8560 14:11:00.93 10.0.0.43 10.0.0.58 TCP 62 [TCP Retransmission] 25 → 54236 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 SACK_PERM=1

    8562 14:11:00.93 10.0.0.58 10.0.0.43 TCP 66 [TCP Retransmission] 54236 → 25 [SYN, ECN, CWR] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1

    10983 14:11:06.93 10.0.0.43 10.0.0.58 TCP 62 [TCP Retransmission] 25 → 54236 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 SACK_PERM=1

    10985 14:11:06.94 10.0.0.58 10.0.0.43 TCP 66 [TCP Retransmission] 54236 → 25 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1

    17059 14:11:18.93 10.0.0.43 10.0.0.58 TCP 62 [TCP Retransmission] 25 → 54236 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 SACK_PERM=1

    submitted by /u/chasfrank
    [link] [comments]
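    The two captures above tell the story once they are lined up per connection: the guest's SYN appears on the F5, the F5 answers with SYN-ACK (and retransmits it on the 3/6/12 s backoff), but no SYN-ACK ever appears in the guest-side capture. This added example (not from the post, not F5 tooling) parses Wireshark summary lines like the ones quoted, buckets SYN and SYN-ACK counts per connection at each capture point, and names the leg on which the handshake is being lost. The sample input is the post's own capture lines.

```python
import re
from collections import defaultdict

# Constructed sample input: the two Wireshark excerpts quoted in the post above,
# one taken on the Hyper-V guest (10.0.0.58) and one on the F5 virtual server (10.0.0.43).
GUEST_CAPTURE = """\
2381 14:10:57.92 10.0.0.58 10.0.0.43 TCP 66 54236 → 25 [SYN, ECN, CWR] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
2744 14:11:00.92 10.0.0.58 10.0.0.43 TCP 66 [TCP Retransmission] 54236 → 25 [SYN, ECN, CWR] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
3394 14:11:06.93 10.0.0.58 10.0.0.43 TCP 66 [TCP Retransmission] 54236 → 25 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
"""
F5_CAPTURE = """\
7736 14:10:57.93 10.0.0.58 10.0.0.43 TCP 66 54236 → 25 [SYN, ECN, CWR] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
7738 14:10:57.93 10.0.0.43 10.0.0.58 TCP 62 25 → 54236 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 SACK_PERM=1
8560 14:11:00.93 10.0.0.43 10.0.0.58 TCP 62 [TCP Retransmission] 25 → 54236 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 SACK_PERM=1
8562 14:11:00.93 10.0.0.58 10.0.0.43 TCP 66 [TCP Retransmission] 54236 → 25 [SYN, ECN, CWR] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
10983 14:11:06.93 10.0.0.43 10.0.0.58 TCP 62 [TCP Retransmission] 25 → 54236 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 SACK_PERM=1
10985 14:11:06.94 10.0.0.58 10.0.0.43 TCP 66 [TCP Retransmission] 54236 → 25 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
17059 14:11:18.93 10.0.0.43 10.0.0.58 TCP 62 [TCP Retransmission] 25 → 54236 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 SACK_PERM=1
"""

# One Wireshark summary line: No. Time Src Dst Proto Len Info; the Info column may
# carry a "[TCP Retransmission]" prefix before "sport → dport [FLAGS]".
LINE_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<time>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?:\[TCP Retransmission\]\s+)?(?P<sport>\d+)\s+→\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]+)\]"
)


def parse(text):
    """Parse summary lines into dicts; lines that are not TCP summaries are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p["flags"] = {f.strip() for f in p["flags"].split(",")}
            pkts.append(p)
    return pkts


def flow_key(p):
    """Normalise both directions of a connection to (client, cport, server, sport):
    the initiator is whoever sends the bare SYN, the responder sends SYN+ACK."""
    if "SYN" in p["flags"] and "ACK" not in p["flags"]:
        return (p["src"], p["sport"], p["dst"], p["dport"])
    return (p["dst"], p["dport"], p["src"], p["sport"])


def handshake_counts(pkts):
    counts = defaultdict(lambda: {"syn": 0, "synack": 0})
    for p in pkts:
        if "SYN" in p["flags"]:
            counts[flow_key(p)]["synack" if "ACK" in p["flags"] else "syn"] += 1
    return counts


def diagnose(client_side_text, server_side_text):
    """Compare handshake counts seen at each capture point and name the failing leg."""
    c = handshake_counts(parse(client_side_text))
    s = handshake_counts(parse(server_side_text))
    report = {}
    for key in set(c) | set(s):
        at_c, at_s = c[key], s[key]
        if at_c["syn"] and not at_s["syn"]:
            verdict = "SYN never reached the far end: loss on the forward path"
        elif at_s["synack"] and not at_c["synack"]:
            verdict = "SYN-ACK sent but never received: loss on the return path"
        elif at_c["synack"]:
            verdict = "handshake visible on both sides"
        else:
            verdict = "SYN received but never answered: far end not responding"
        report[key] = {"syn_at_client": at_c["syn"], "syn_at_server": at_s["syn"],
                       "synack_at_server": at_s["synack"], "synack_at_client": at_c["synack"],
                       "verdict": verdict}
    return report
```

    Run `diagnose(GUEST_CAPTURE, F5_CAPTURE)` to get one entry per connection; for the quoted captures it reports return-path loss, which narrows the search to the F5-to-switch-to-host direction rather than the guest's outbound side.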

    Not sure if the right spot please redirect me if not. Looking for a fibreoptic (SL) to USB3 media converter in a small form factor. Any leads?

    Posted: 01 Apr 2020 01:58 AM PDT

    I already have one with gigabit ethernet but I want to try a new piece of hardware that requires USB 3 and needs to fit into a small space and have a temp rating of around 80°C. Or is there a workaround for it?

    Current unit has a foot print of W: 1.75" (44mm) x L: 2.25" (57mm) x H: 0.84" (21mm) I'd like something this size or smaller.

    submitted by /u/swootybird
    [link] [comments]

    COVID and Cisco certification

    Posted: 31 Mar 2020 06:34 PM PDT

    I was going to let my certification lapse as I was planning on quitting for good in the next couple of years and thought I could ride that out with my current employer. Then COVID happened. My employer is crying poor and maybe they'll fold in the upcoming months which will force me to get another job.

    My situation is that my CCNP expires in July and historically, for whatever reason, HR still puts a premium on having Cisco certs. Given the circumstances globally, does anyone know what Cisco is going to do? Right now in my country it's at necessary travel only and the lockdown is becoming more strict everyday. I don't see myself waltzing into the nearest testing centre and I'm not even sure they'd be open at the moment!

    submitted by /u/juegasiempre
    [link] [comments]

    802.1 radius authentication

    Posted: 01 Apr 2020 08:46 AM PDT

    Hello, I put this on r/wireless but for some reason it was removed as spam?

    I'm doing a Uni project and I have to investigate what happens when a laptop is powered up and connects to an AP using a radius server for authentication (WPA2 Enterprise).

    So far I can see we have

    1 - Probe Request

    2 - Probe Response

    3 - Authentication Request

    4 - Authentication Response

    5 - Association Request

    6 - Association Response

    Where I'm getting confused is where the radius authentication comes in, I initially thought it would be at steps 3 and 4 above, but some other information is suggesting the radius authentication takes place after these 6 steps.

    If anyone could shine a light on this I would be very grateful.

    Cheers

    submitted by /u/Paddy-R
    [link] [comments]
