A question for fellow engineers on work-life balance Networking |
- A question for fellow engineers on work-life balance
- Avoid routing loop in Velocloud configuration
- Need someone to clarify.. Adding new vlan to existing port channel trunk. Do I add VLAN just to port channel or put the command on both port-channel and interface?
- FRR BGP not advertising routes.
- OSPF/BFD Sanity Check on Leased Circuit
- How can I span VPN Traffic to Record Calls with an on-prem recording server?
- identifying users of cisco SBL vs VPN after logon users
- Bad "advice" from "engineers"
- Site-to-site tunnel that is the same broadcast domain on Zyxel Zywall platform?
- L2TP pseudo-wire on Cat 9200L?
- To stack or not?
- STP & link aggregation doubt
- EVE-NG - vSRX Image Not Loading
- Shunra EOL - replacements?
- guacamole behind nginx (Non Root Location)
- Anyconnect group policies
- IPSEC VPN or port forward with specific source IP - why is one better?
- Data Center migration to Hyperconverged Infrastructure
- NATING or Static route issue
- Slow internet speed
- Understanding IPSec AH transport and tunnel mode
A question for fellow engineers on work-life balance Posted: 25 Jun 2020 01:47 AM PDT Hi everyone! I am a junior engineer, and I am currently pretty satisfied with both my work and my life in general. However, I often get complaints from colleagues (network engineers in both junior and senior positions) regarding their work-life balance. What is your experience on that? Do you ever think you don't have enough time to cultivate your personal relationships or other things? Curious to know your perspectives! Cheers! [link] [comments] |
Avoid routing loop in Velocloud configuration Posted: 25 Jun 2020 02:54 PM PDT So I have a customer with three sites. All of the sites have a Velocloud device. Only the Hub/Main site has a firewall. The customer wants to backhaul internet traffic from the branch sites to the main site to be inspected by the firewall. The hub site Velocloud has a default route sending all traffic to the internal firewall for inspection, and the firewall inspects the traffic and then uses a default route to send it to the internet via the hub site Velocloud. I think this is going to create a routing loop between the hub site Velocloud and the firewall. What can I do to make this work? Any help would be appreciated, thanks. [link] [comments] |
Need someone to clarify.. Adding new vlan to existing port channel trunk. Do I add VLAN just to port channel or put the command on both port-channel and interface? Posted: 25 Jun 2020 03:52 PM PDT So I want to create a new VLAN for management. There are 2 interfaces that are bundled with a port channel. When I add the new VLAN on the port channel, will it also show as allowed under the interface config? I ask this because they have it configured like this:

Portchannel 20
 Switchport trunk allowed vlan 10,40,60
Int Gi1/1
 Switchport trunk allowed vlan 10,40,60

I thought you only want to put it on the port channel and it propagates to the interface? Should I just add the new VLAN on the port channel and not the interface? [link] [comments] |
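How the port-channel and its members relate, and a way to check that they still agree, as an added example that is not part of the thread: on Cisco IOS the port-channel's switchport settings are pushed down to the physical members (which is why both stanzas in the post show the allowed-VLAN list), and a member whose settings drift from the bundle is suspended from the LAG with an EC-5 "not compatible" message. The script below parses a constructed IOS configuration (not the poster's; interface names, channel-group numbers and VLAN lists are assumptions) and flags members whose allowed-VLAN set differs from their port-channel's.

```python
"""Check that LAG member ports carry the same trunk VLAN set as their port-channel.

Added example, not from the thread. SAMPLE_CONFIG is constructed for the
demonstration; the last bundle deliberately has a member that was not updated.
"""
import re
from typing import Dict, List, Optional, Set

SAMPLE_CONFIG = """\
interface Port-channel20
 switchport mode trunk
 switchport trunk allowed vlan 10,40,60
!
interface GigabitEthernet1/1
 switchport mode trunk
 switchport trunk allowed vlan 10,40,60
 channel-group 20 mode active
!
interface GigabitEthernet1/2
 switchport mode trunk
 switchport trunk allowed vlan 10,40,60
 channel-group 20 mode active
!
interface Port-channel30
 switchport mode trunk
 switchport trunk allowed vlan 10,40
 switchport trunk allowed vlan add 70
!
interface GigabitEthernet1/3
 switchport mode trunk
 switchport trunk allowed vlan 10,40
 channel-group 30 mode active
!
"""


def parse_vlan_list(text: str) -> Set[int]:
    """'10,40,60-62' -> {10, 40, 60, 61, 62}"""
    vlans: Set[int] = set()
    for part in text.split(','):
        lo, _, hi = part.strip().partition('-')
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_interfaces(config: str) -> Dict[str, dict]:
    """{name: {'allowed': set of VLANs or None (= all), 'channel_group': int or None}}"""
    ifaces: Dict[str, dict] = {}
    cur: Optional[dict] = None
    for line in config.splitlines():
        m = re.match(r'interface (\S+)', line)
        if m:
            cur = ifaces.setdefault(m.group(1), {'allowed': None, 'channel_group': None})
            continue
        if cur is None:
            continue
        m = re.match(r'\s*switchport trunk allowed vlan (add |remove |)(\S+)', line)
        if m:
            op, spec = m.group(1).strip(), m.group(2)
            if spec == 'all':
                cur['allowed'] = None
            elif spec == 'none':
                cur['allowed'] = set()
            elif op == 'add':
                cur['allowed'] = (cur['allowed'] or set()) | parse_vlan_list(spec)
            elif op == 'remove':
                cur['allowed'] = (cur['allowed'] or set()) - parse_vlan_list(spec)
            else:
                cur['allowed'] = parse_vlan_list(spec)
            continue
        m = re.match(r'\s*channel-group (\d+)', line)
        if m:
            cur['channel_group'] = int(m.group(1))
    return ifaces


def lag_mismatches(config: str) -> List[str]:
    """Members whose allowed-VLAN set differs from their port-channel's (or whose bundle is missing)."""
    ifaces = parse_interfaces(config)
    problems: List[str] = []
    for name, data in ifaces.items():
        cg = data['channel_group']
        if cg is None:
            continue
        bundle = ifaces.get('Port-channel%d' % cg)
        if bundle is None:
            problems.append('%s: channel-group %d has no Port-channel%d stanza' % (name, cg, cg))
        elif bundle['allowed'] != data['allowed']:
            problems.append('%s: allowed VLANs %s != Port-channel%d %s' % (
                name, sorted(data['allowed'] or []), cg, sorted(bundle['allowed'] or [])))
    return problems


if __name__ == '__main__':
    for problem in lag_mismatches(SAMPLE_CONFIG):
        print(problem)
```

Make the change on the port-channel interface; IOS rewrites the member stanzas itself. The check above is for the other direction: someone editing a physical member directly, which is what leaves one member out of the bundle.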
FRR BGP not advertising routes. Posted: 25 Jun 2020 07:05 AM PDT OK, I'm at a loss with this... Trying to advertise routes between two FRRouting "routers" via GNS3. I've created a pastebin with all the details from the two routers here: https://pastebin.com/EzDkWRez The frr/daemons file is correct and is the same for both FRRs:

# This file tells the frr package which daemons to start.
#
# Sample configurations for these daemons can be found in
# /usr/share/doc/frr/examples/.
#
# ATTENTION:
#
# When activating a daemon for the first time, a config file, even if it is
# empty, has to be present *and* be owned by the user and group "frr", else
# the daemon will not be started by /etc/init.d/frr. The permissions should
# be u=rw,g=r,o=.
# When using "vtysh" such a config file is also needed. It should be owned by
# group "frrvty" and set to ug=rw,o= though. Check /etc/pam.d/frr, too.
#
# The watchfrr and zebra daemons are always started.
#
bgpd=yes
ospfd=yes
ospf6d=yes
ripd=no
ripngd=no
isisd=yes
pimd=no
ldpd=no
nhrpd=no
eigrpd=no
babeld=no
sharpd=no
pbrd=no
bfdd=no
fabricd=no
vrrpd=no
#
# If this option is set the /etc/init.d/frr script automatically loads
# the config via "vtysh -b" when the servers are started.
# Check /etc/pam.d/frr if you intend to use "vtysh"!
#
vtysh_enable=yes
zebra_options=" -A 127.0.0.1 -s 90000000"
bgpd_options=" -A 127.0.0.1"
ospfd_options=" -A 127.0.0.1"
ospf6d_options=" -A ::1"
ripd_options=" -A 127.0.0.1"
ripngd_options=" -A ::1"
isisd_options=" -A 127.0.0.1"
pimd_options=" -A 127.0.0.1"
ldpd_options=" -A 127.0.0.1"
nhrpd_options=" -A 127.0.0.1"
eigrpd_options=" -A 127.0.0.1"
babeld_options=" -A 127.0.0.1"
sharpd_options=" -A 127.0.0.1"
pbrd_options=" -A 127.0.0.1"
staticd_options="-A 127.0.0.1"
bfdd_options=" -A 127.0.0.1"
fabricd_options="-A 127.0.0.1"
vrrpd_options=" -A 127.0.0.1"

# configuration profile
#
#frr_profile="traditional"
#frr_profile="datacenter"

#
# This is the maximum number of FD's that will be available.
# Upon startup this is read by the control files and ulimit
# is called. Uncomment and use a reasonable value for your
# setup if you are expecting a large number of peers in
# say BGP.
#MAX_FDS=1024

# The list of daemons to watch is automatically generated by the init script.
#watchfrr_options=""

# for debugging purposes, you can specify a "wrap" command to start instead
# of starting the daemon directly, e.g. to use valgrind on ospfd:
#   ospfd_wrap="/usr/bin/valgrind"
# or you can use "all_wrap" for all daemons, e.g. to use perf record:
#   all_wrap="/usr/bin/perf record --call-graph -"
# the normal daemon command is added to this at the end.

Interestingly, if I run an OSPF instance using the following config:

router ospf
 network 0.0.0.0/0 area 0
!

I can ping both loopbacks. Am I missing something? Cheers in advance! [link] [comments] |
OSPF/BFD Sanity Check on Leased Circuit Posted: 25 Jun 2020 06:45 AM PDT Hi folks, I just wanted to get your input on an issue I am seeing. I operate an MPLS network. (Diagram here: https://i.imgur.com/i4jTQpE.jpg) Both the SiteA and SiteB "P" routers are connected to their peer router by a 1Gbps Ethernet leased circuit, each of which uses a different service provider. Each circuit returns pings at around 11-12ms. I have been having problems with the top provider and enabled BFD last week to try and achieve faster failover. BFD config snippet: I am now seeing sometimes 20-30 OSPF up/down events on that circuit over several nights, starting at around midnight and usually lasting only an hour or two. This lines up with what I had been seeing prior to enabling BFD, and is why I enabled it in the first place. I checked my traffic graphs and we are not even close to exhausting our CIR, and the service provider is telling me that they don't see any issues with that link. The bottom link, which shares the exact same BFD configuration, does not exhibit any of this behavior. I just wanted a sanity check here, as I think the service provider is full of shit, but I wanted to get some input from you folks on my BFD configuration to make sure it looks reasonable before I start raising hell. [link] [comments] |
How can I span VPN Traffic to Record Calls with an on-prem recording server? Posted: 25 Jun 2020 04:11 AM PDT Hi, we have some users at home using IP phones. These IP phones connect back to the office with VPN and are assigned static IP addresses on the VPN subnet. Phone conversations are recorded by use of SPAN ports/VLANs sending traffic to the recording server. Is it possible to also SPAN the VPN subnet so that the on-prem recording system can capture the calls? (Cisco IP Phone -> VPN tunnel -> Cisco ASA -> Cisco switch -> recording server) [link] [comments] |
identifying users of cisco SBL vs VPN after logon users Posted: 25 Jun 2020 04:05 AM PDT Hi guys, is there a way anyone knows of to differentiate connections to a Cisco AnyConnect box between users who are using sign-in before logon vs those who log in to the VPN after signing into their Windows 10 accounts? [link] [comments] |
Bad "advice" from "engineers" Posted: 25 Jun 2020 01:05 PM PDT Hi, the last couple of months I've spent almost every day learning Python, network automation tools with Python, SDN etc., and it has all clicked and I feel very comfortable now for the most part. As always in networking (or anything IT related in the end) things change; obviously that's why I decided to study the things I've studied the last couple of months, to future-proof myself just in case. As with a lot of people, I'd guess, a lot of your information and learning comes from YouTube videos and reading good networking sites. There are a lot of very good networking people on YouTube who make good videos; I find myself sticking to one or two of them that I find are the best for me, as most people do. As I was browsing through today, up popped NetworkChuck in my recommendations. I don't normally watch him, because I don't find him to be as "good" a networking teacher on YouTube. Mainly his videos consist of him saying... LEARN THIS, whatever the topic is, him reading very general cliff notes and "teaching" next to nothing on it. I find him to be a "jack of all trades, master of nothing". His latest one today though, I just clicked on it, skipped most of it to where I was just listening to bits for about 5 minutes before switching the video off. But before I did I came across the part around 20-25 minutes in, I think it was, where he talks about AWS and everything networking not being important or relevant in the future according to him. I just sat there in disbelief when he said things like networking, networking concepts, Python etc. he all just threw out the window and said networking will be "point and click" in about 5-10 years' time. I laughed in amazement, tbh; the guy gives out such bad "advice" or "information".
I then thought, this can't just be me who thinks this, surely (about his "information" I mentioned above)... so I thought I'd just put the question out there to see if it was just me who thinks that about him and the stuff he comes out with sometimes. I do get that a lot of networks will be moving over to either SD-WAN or SDN down the road, but even then, networking concepts, knowing the CLI, Python and the rest will all be massively relevant still. It was just one of those moments where I listened and thought: in the networking community on YouTube he is probably one of the more popular ones; surely I can't be the only one that thinks that? [link] [comments] |
Site-to-site tunnel that is the same broadcast domain on Zyxel Zywall platform? Posted: 25 Jun 2020 12:22 PM PDT I am looking for input/advice if anyone has ever set anything up like this. Site 1 will have a Zywall and on its LAN 1 subnet will sit a DHCP server. Site 2 will have clients connected to another Zywall's LAN that I want to be able to receive an address from the server on site 1. DHCP relay is something I want to avoid if possible because it would require a lot of configuration on the site 2 equipment. Any ideas? Edit: I guess what I'm actually asking for is a single-VLAN solution between 2 sites [link] [comments] |
L2TP pseudo-wire on Cat 9200L? Posted: 25 Jun 2020 11:48 AM PDT |
To stack or not? Posted: 25 Jun 2020 07:35 AM PDT Looking here: https://www.reddit.com/r/networking/comments/5kqxpu/stack_core_switches_any_benefits/ It seems like the majority of people stack; however I did see someone talking about stacking switches (especially core switches) as "playing with fire", I imagine in part due to the fact that it acts as one logical unit, and the entire stack could go down, which is perhaps why FHRP/HSRP are mentioned quite heavily in the CCNA. The biggy I guess is the issue of resiliency: https://blogs.arubanetworks.com/solutions/stacking-network-switches-why-and-why-not/ Do you stack your switches? If so, which "tiers" do you stack at? i.e. core, distribution, access. Do you do it differently in the DC than locally too? What are your reasons behind it? [link] [comments] |
STP & link aggregation doubt Posted: 25 Jun 2020 07:22 AM PDT Hello, given this: https://imgur.com/I30YudC (sw1 and sw2 are one stacked switch and sw3 and sw4 are another stacked switch). The plan is to have trunk1 connected to an aggregated interface (2 physical interfaces per sw, 4 total) and then a trunk2 between the sw stacks for redundancy. So in my head it works like this: If sw1 fails, sw2 can use sw4 then sw3 to access the fw. If sw2 fails, no problem. If sw3 fails, sw4 can use sw2 then sw1 to access the fw. If sw4 fails, no problem. I'm obviously not expecting more than two sw to fail at once or the fw to fail; that's a risk I'm willing to take. Now my doubts are:
1. With STP, I assume one of the trunk1 interfaces will be disabled until the other fails, but is there a way to prevent sw3 from going to sw4 then sw2 then sw1 to reach the firewall instead of using the trunk1 interface connected to it directly? Same with sw4.
2. Some trunk2 interfaces will also be disabled by STP until one of the others fails, right? How should I configure that trunk? Just a regular trunk with all the required VLANs tagged on it?
3. Do I really need four physical interfaces for trunk1 (two per sw) or would just one per switch do (gigabit ports, Cisco SG350X)? They would be connected to an aggregated interface (which would have 4 ports, 2 per switch, or 2, one per switch if I don't need two physical interfaces per switch) on a Fortigate 60E fw which would do the routing to the Internet.
I've thought of MSTP but since both stacks share the same VLANs that wouldn't solve anything for my particular case. Thank you! [link] [comments] |
EVE-NG - vSRX Image Not Loading Posted: 25 Jun 2020 12:43 AM PDT Hi guys, I am trying to install Juniper vSRX 3.0 on EVE-NG, however no matter what I try I can't come right... I get to a point where I start the vSRX on EVE-NG and then it loads; after a couple of minutes it says "Rebooting in 15 seconds". I am using a qcow2 vSRX file which has been downloaded from the Juniper website. Can anyone help out please? I am running VMware Workstation 15 Player on Ubuntu Linux. My EVE-NG lab has an allocation of 6GB and 4 CPUs. When running the vSRX I have also allocated 2GB of RAM and 2 CPUs. The vMX is working perfectly; just getting the vSRX to work is a problem. If you need any further information, please let me know! Your assistance would be much appreciated! [link] [comments] |
Shunra EOL - replacements? Posted: 25 Jun 2020 10:21 AM PDT Hey, I was using Shunra for my WAN emulation testing but it has since gone the way of the dodo and is no longer usable. Apparently HP has EOL'd the devices. Is there a good alternative to the Shunra? Looking for something easy to use that won't take a lot of setup or training to get up and running. I tried using some open source tools but I was not getting consistent results. Any suggestions? [link] [comments] |
guacamole behind nginx (Non Root Location) Posted: 25 Jun 2020 10:06 AM PDT Hello everyone, I'm trying to run Nginx as a reverse proxy to EVE-NG (apache2 with guacamole socket). When I configure the root location of Nginx to proxy pass to the IP of EVE-NG it works nicely, but if I change it to /example it won't work. Any advice on how to solve this issue? Nginx conf: Apache conf: The result is just an empty page, but the source code is there; it seems that the socket/tunnel is not being established correctly. Any help will be much appreciated, I have been working on it for 3 weeks and no results yet. [link] [comments] |
Anyconnect group policies Posted: 25 Jun 2020 09:12 AM PDT I'm struggling to get multiple group policies working on an AnyConnect installation I'm implementing. I have two tunnel groups, one for general staff and one for IT. We have an Azure AD, so I've set up SSO via SAML to Azure with an 'Enterprise Application'. Initially this was all fine. However I soon realised that you can't segregate the authentication of users by having multiple AnyConnect applications in Azure, as you can only have one SAML IdP configured on the webvpn. This means that everyone is lumped into the same group. Am I missing something or is what I'm trying to achieve not possible with this configuration? Actually, thinking about it, even with a local database for authentication, I'm not entirely sure how you'd define who is allowed to connect to which tunnel group? Does anyone have any good blogs or links on the subject? I know Cisco documentation is pretty extensive, but I find it hard work to get my head around sometimes. [link] [comments] |
IPSEC VPN or port forward with specific source IP - why is one better? Posted: 25 Jun 2020 08:45 AM PDT Been meaning to ask this for a while, so here goes. I have 2 sites, completely independent of each other, and the HVAC company wants to put in monitoring from one location to another. They require one port to be forwarded for monitoring, and both locations are static IP. Conversation around this ensued around the 'proper' way of doing this, just port forwarding the port to the specific IP only, or setting up IPSEC Tunnel and doing it that way. From ease - port forward would be quick and easy, but I really wanted to know what the whole story is here to both sides. Thanks, [link] [comments] |
Data Center migration to Hyperconverged Infrastructure Posted: 25 Jun 2020 08:15 AM PDT Our organization is building multiple data centers using hyperconverged infrastructure. Right now we have a traditional setup using spine/leaf and VPCs to connect to our Core. We are flooded with work on planning and preparation to migrate to the hyperconverged data centers. I am concerned that once we are fully migrated to this new data center that the need for pure network engineers/admins will be reduced on our team. Obviously we will still have our distro/access equipment to worry about and perimeters but the data centers will now be completely virtualized. Has anyone adapted to a situation like this before? I feel most of the duties will be turned over to system administrators and the number of network personnel will be reduced. Will I be able to offer much as a network engineer if I adapt? Any advice moving forward is greatly appreciated. [link] [comments] |
NATING or Static route issue Posted: 24 Jun 2020 05:57 PM PDT Hi all, long time lurker but starting to get stressed and not really sure where to turn for... well, any semblance of help on this or any steps I might be missing. This is all to add another internet line to a specific department, which includes a new firewall to go alongside the current one due to the switching throughput of our current firewall. I'm currently at a point where my static routes work THROUGH the transit VLAN I made, that is, I can ping the VLAN interfaces for the 190 net and the firewall transit networks, but my ASA is not sending it as NAT. I can ping Google from the outside interface, but can't from inside. This is using a transit LAN... So for example 192.168.190.0/24 routes to 172.16.17.1/29 (this is on a 2960X enabled to do static routing). The key thing is I copied EXACTLY my NATing settings from the one not working to a test interface port on the firewall and made it a flat network... and it worked. Is there a missing step because the 190 net doesn't actually have a physical point on the firewall? Like, I set a static route to use the 172 net, but does the firewall need something? For testing purposes all internal interfaces are currently allow-all. The end goal is to have a default route to the firewall, but then have some static routes to our core switch (Cisco 4500) for the DHCP server, printer access, management VLAN etc. I'm almost tempted to just make the 2960X back into L2 and drag another cable from a few interfaces to our 4500 for printer, management and other VLANs, but I feel like that would be giving up... I have configs if you like, I just... need to rant and bounce something off somebody.

////////////////// CONFIGS (note: some items are pruned for brevity) /////
Note on the switch: the 10gig interface is not currently in scope, rather only focusing on ports 45-48.

//////////// SWITCH ///////////////
...
no aaa new-model
switch 1 provision ws-c2960x-48td-l
ip routing
!
.....cut-out parts of config.....
!
interface GigabitEthernet1/0/1
 switchport access vlan 190
 switchport mode access
 spanning-tree portfast
!
....
!
interface GigabitEthernet1/0/44
 switchport access vlan 190
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/45
 switchport access vlan 191
 switchport mode access
!
interface GigabitEthernet1/0/46
 switchport access vlan 191
 switchport mode access
!
interface GigabitEthernet1/0/47
 switchport access vlan 18
 switchport mode access
!
..............
interface TenGigabitEthernet1/0/2
 description 4510 Uplink
 switchport trunk allowed vlan 158,159,190
 switchport mode trunk
 switchport nonegotiate
 spanning-tree link-type point-to-point
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan18
 description internet vlanTESTInet
 ip address 172.16.17.2 255.255.255.0
!
interface Vlan159
 description netmgnt
 ip address 192.168.159.90 255.255.255.0
!
interface Vlan190
 description Media_UntrsutedNET
 ip address 192.168.190.2 255.255.255.0
!
interface Vlan191
 description NewNET
 ip address 192.168.191.1 255.255.255.0
!
...
!
ip route 0.0.0.0 0.0.0.0 192.168.190.1
ip route 192.168.159.0 255.255.255.0 Vlan159
ip route 192.168.191.0 255.255.255.0 172.16.17.1
!

///////////// ASA ////////////////
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 66.9.218.175 255.255.255.192
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 172.16.17.1 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 nameif intemp
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Management1/1
 management-only
 nameif mgnt
 security-level 0
 ip address 192.168.159.155 255.255.255.0
!
boot system disk0:/asa9-14-1-10-lfbff-k8.SPA
boot system disk0:/asa961-lfbff-k8.SPA
ftp mode passive
same-security-traffic permit inter-interface
object network obj_any
object network N_192.168.191.0_24
 subnet 192.168.191.0 255.255.255.0
 description TEsting Network
object network H_66.9.218.180
 host 66.9.218.180
object network kyleTEST
 host 192.168.191.95
 description kyle BS
object network InTEMPNetwork
 subnet 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip object kyleTEST any inactive
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended deny ip any any
access-list intemp_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu intemp 1500
mtu mgnt 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-openjre-7141-48.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network N_192.168.191.0_24
 nat (any,outside) static interface
object network InTEMPNetwork
 nat (any,outside) static interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group intemp_access_in in interface intemp
route outside 0.0.0.0 0.0.0.0 66.9.218.129 1
[link] [comments] |
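A way to walk a packet through the forwarding tables of the devices involved, as an added example that is not part of either post. It serves two of the questions above: the Velocloud post (a hub Velocloud whose default route points at the firewall, and a firewall whose default route points back at the Velocloud) and the 2960X/ASA configuration just posted. Each device is modeled as a destination-only forwarding table, which is exactly the assumption behind the Velocloud poster's worry: if nothing but the destination decides the next hop, the two defaults chase each other. For the ASA post the tables are copied from the configs as shown (the only `route` statement on the ASA is the outside default); the 10.0.0.0/30 transit addresses for the Velocloud case, the device names, and the two routes in `fixed_tables()` are assumptions, not something the thread settles.

```python
"""Destination-only route tracer with loop detection.

Added example, not from either thread. Each device is a plain forwarding
table: connected networks plus static routes, longest prefix wins, and a
connected route beats a static of the same length (IOS administrative
distance 0 vs 1). Two scenarios are modeled: the hub Velocloud/firewall pair
(10.0.0.0/30 transit addresses assumed) and the 2960X/ASA tables as posted
(whatever sits at 192.168.190.1 is not shown, so it is treated as an exit).
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


class Device:
    def __init__(self, name: str, connected: List[str], statics: List[Tuple[str, str]]):
        self.name = name
        self.connected = [ipaddress.ip_network(n) for n in connected]
        # a next hop is another device's IP or a named exit such as 'ISP'
        self.statics = [(ipaddress.ip_network(p), nh) for p, nh in statics]

    def lookup(self, dst: str) -> Optional[Tuple[str, str]]:
        """Longest-prefix match: ('connected', net), ('via', next_hop) or None."""
        ip = ipaddress.ip_address(dst)
        best, best_len = None, -1
        for net in self.connected:
            if ip in net and net.prefixlen > best_len:
                best, best_len = ('connected', str(net)), net.prefixlen
        for net, nh in self.statics:        # strict '>' so connected wins a tie
            if ip in net and net.prefixlen > best_len:
                best, best_len = ('via', nh), net.prefixlen
        return best


def trace(devices: Dict[str, Device], owner: Dict[str, str], start: str, dst: str):
    """Follow dst hop by hop. Returns (outcome, path) where outcome is
    'delivered', 'loop', 'no-route' or 'exit:<name>' for a hop outside the model."""
    path, cur = [start], start
    while True:
        hit = devices[cur].lookup(dst)
        if hit is None:
            return 'no-route', path
        kind, target = hit
        if kind == 'connected':
            return 'delivered', path
        nxt = owner.get(target, target)     # unknown next hops are named exits
        if nxt not in devices:
            return 'exit:' + nxt, path + [nxt]
        if nxt in path:
            return 'loop', path + [nxt]
        path.append(nxt)
        cur = nxt


# Velocloud post: both boxes default-route to each other, nothing else decides.
VELO = {
    'hub-velocloud': Device('hub-velocloud', ['10.0.0.0/30'], [('0.0.0.0/0', '10.0.0.2')]),
    'hub-firewall': Device('hub-firewall', ['10.0.0.0/30'], [('0.0.0.0/0', '10.0.0.1')]),
}
VELO_OWNER = {'10.0.0.1': 'hub-velocloud', '10.0.0.2': 'hub-firewall'}

# ASA post: routes exactly as they appear in the two configs.
SW_CONNECTED = ['192.168.190.0/24', '192.168.191.0/24', '172.16.17.0/24', '192.168.159.0/24']
ASA_CONNECTED = ['66.9.218.128/26', '172.16.17.0/24', '192.168.1.0/24']
POSTED = {
    'sw-2960x': Device('sw-2960x', SW_CONNECTED,
                       [('0.0.0.0/0', '192.168.190.1'), ('192.168.191.0/24', '172.16.17.1')]),
    'asa': Device('asa', ASA_CONNECTED, [('0.0.0.0/0', '66.9.218.129')]),
}
OWNER = {'172.16.17.1': 'asa', '172.16.17.2': 'sw-2960x', '66.9.218.129': 'ISP'}


def fixed_tables() -> Dict[str, Device]:
    """Assumed fix, not from the thread: the switch defaults to the ASA's transit
    address and the ASA gets a return route for the 191 network via the switch."""
    return {
        'sw-2960x': Device('sw-2960x', SW_CONNECTED, [('0.0.0.0/0', '172.16.17.1')]),
        'asa': Device('asa', ASA_CONNECTED,
                      [('0.0.0.0/0', '66.9.218.129'), ('192.168.191.0/24', '172.16.17.2')]),
    }


if __name__ == '__main__':
    print(trace(VELO, VELO_OWNER, 'hub-velocloud', '8.8.8.8'))
    print(trace(POSTED, OWNER, 'asa', '192.168.191.95'))        # return traffic leaves via ISP
    print(trace(fixed_tables(), OWNER, 'asa', '192.168.191.95'))
```

On the posted tables a reply to 192.168.191.95 arriving at the ASA matches only the outside default, so it is pushed back toward the ISP instead of the switch, and internet-bound traffic from the switch follows its own default to 192.168.190.1 rather than to the ASA's transit address. That is consistent with the poster's observation that the identical NAT statement worked on a directly connected "flat" interface, where no static route is needed in either direction. For the Velocloud case the trace ends in 'loop' because forwarding there is purely destination-based; breaking it requires a decision that also looks at where the packet came from, which this model deliberately does not have.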
Slow internet speed Posted: 25 Jun 2020 12:41 AM PDT Hello guys, so we changed our ISP; we got a new ISP with a 5G modem. We have 2 Cisco routers, so I connected the ISP modem to a switch and those 2 Cisco routers are also connected to the switch. The Cisco routers are connected to each other via NHSRP. So I configured the interface of the first router to be in the same subnet as the ISP modem, and that on both Cisco routers. And I also configured the standby IP to be the same on both routers and on the same subnet. But with all this, when I do a speed test on the network, the speed is about 200Mb/s, but when I want to open websites the speed is very slow and it is not consistent. I need help!!!! Thank you all [link] [comments] |
Understanding IPSec AH transport and tunnel mode Posted: 25 Jun 2020 12:20 AM PDT Time to drill into understanding the difference between the two. I can't understand why people are saying that in AH transport mode "it just adds an AH header after the IP header", but in tunnel mode "we add a new IP header on top of the original IP packet. This could be useful when you are using private IP addresses and you need to tunnel your traffic over the Internet". OK, so I labbed it up as per below, and used transport mode:

(R1) .1-----13.0.0.0/24------.2 (R2) .2-------23.0.0.0/24-------- .3 (R3)

Note: for testing, I've configured "ip telnet source-interface lo0" on R1. The tunnel runs between R1-R3. I sent a telnet packet from the source of lo0 on R1 to lo0 on R3, and took a capture as shown in the link below: So yes, the AH is inserted after the IP header, and the idea of AH is that it authenticates/verifies the integrity of the data behind it. But... in my capture, I still have another IP header, which apparently is supposed to only be there with tunnel mode. OK, so then what is the difference between transport and tunnel mode? I will enable tunnel mode and capture another telnet session:
|
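The two AH layouts the post is comparing, built byte for byte, as an added example that is not part of the post and is not router output. It uses plain Python with HMAC-SHA1-96 for the ICV (RFC 4302); the loopback addresses 1.1.1.1 (R1 lo0) and 3.3.3.3 (R3 lo0) are assumed, while 13.0.0.1 and 23.0.0.3 are the R1 and R3 interface addresses from the diagram. In transport mode the packet keeps its original and only IP header, so a capture decodes as IP, AH, TCP; in tunnel mode the original packet is wrapped whole behind a new outer header, so it decodes as IP, AH, IP, TCP. The example also makes visible what the ICV covers: TTL, TOS, flags and the header checksum are mutable and excluded, but the addresses are not, so a NAT anywhere on the path invalidates AH.

```python
"""IPsec AH (RFC 4302) transport and tunnel layouts with an HMAC-SHA1-96 ICV.

Added example, not from the thread and not Cisco output. Loopback addresses
1.1.1.1 (R1 lo0) and 3.3.3.3 (R3 lo0) are assumed; 13.0.0.1 and 23.0.0.3 are
the R1/R3 interface addresses from the diagram in the post.
"""
import hashlib
import hmac
import ipaddress
import struct

PROTO_IPIP, PROTO_TCP, PROTO_AH = 4, 6, 51
IP_LEN = 20                         # IPv4 header without options
ICV_LEN = 12                        # HMAC-SHA1-96: 20-byte tag truncated to 96 bits
AH_LEN = 12 + ICV_LEN               # next hdr, payload len, reserved, SPI, seq, then ICV
AH_PAYLOAD_LEN = AH_LEN // 4 - 2    # RFC 4302: AH length in 32-bit words, minus 2


def _checksum(hdr: bytes) -> int:
    total = sum(struct.unpack('!%dH' % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    fields = [0x45, 0, IP_LEN + payload_len, 0x1234, 0x4000, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = _checksum(struct.pack('!BBHHHBBH4s4s', *fields))
    return struct.pack('!BBHHHBBH4s4s', *fields)


def _icv_input(pkt: bytes) -> bytes:
    """Packet with the fields AH treats as mutable zeroed (RFC 4302 section 3.3.3.1):
    TOS, flags/fragment offset, TTL and checksum of the outer IPv4 header, plus the ICV."""
    p = bytearray(pkt)
    p[1] = 0
    p[6:8] = b'\x00\x00'
    p[8] = 0
    p[10:12] = b'\x00\x00'
    p[IP_LEN + 12:IP_LEN + AH_LEN] = bytes(ICV_LEN)
    return bytes(p)


def _icv(key: bytes, pkt: bytes) -> bytes:
    return hmac.new(key, _icv_input(pkt), hashlib.sha1).digest()[:ICV_LEN]


def _seal(key: bytes, pkt: bytes) -> bytes:
    """Fill in the ICV; everything after the outer header is already in place."""
    return pkt[:IP_LEN + 12] + _icv(key, pkt) + pkt[IP_LEN + AH_LEN:]


def _ah(next_header: int, spi: int, seq: int) -> bytes:
    return struct.pack('!BBHII', next_header, AH_PAYLOAD_LEN, 0, spi, seq) + bytes(ICV_LEN)


def ah_transport(key, src, dst, l4_proto, l4_payload, spi=0x100, seq=1) -> bytes:
    """Transport: original IP header, AH, original transport payload."""
    body = _ah(l4_proto, spi, seq) + l4_payload
    return _seal(key, ipv4_header(src, dst, PROTO_AH, len(body)) + body)


def ah_tunnel(key, outer_src, outer_dst, inner_src, inner_dst, l4_proto, l4_payload,
              spi=0x100, seq=1) -> bytes:
    """Tunnel: new outer IP header, AH, then the whole original IP packet as payload."""
    inner = ipv4_header(inner_src, inner_dst, l4_proto, len(l4_payload)) + l4_payload
    body = _ah(PROTO_IPIP, spi, seq) + inner
    return _seal(key, ipv4_header(outer_src, outer_dst, PROTO_AH, len(body)) + body)


def ah_verify(key: bytes, pkt: bytes) -> bool:
    """Receiver check: recompute the ICV over the immutable fields, compare in constant time."""
    if len(pkt) < IP_LEN + AH_LEN or pkt[9] != PROTO_AH:
        return False
    got = pkt[IP_LEN + 12:IP_LEN + AH_LEN]
    return hmac.compare_digest(got, _icv(key, pkt))


def header_chain(pkt: bytes) -> list:
    """Protocol stack as a capture would decode it, e.g. ['IP', 'AH', 'TCP']."""
    chain, proto, off = ['IP'], pkt[9], IP_LEN
    while proto in (PROTO_AH, PROTO_IPIP):
        if proto == PROTO_AH:
            chain.append('AH')
            proto, off = pkt[off], off + (pkt[off + 1] + 2) * 4
        else:
            chain.append('IP')
            proto, off = pkt[off + 9], off + IP_LEN
    chain.append({PROTO_TCP: 'TCP'}.get(proto, 'proto %d' % proto))
    return chain


if __name__ == '__main__':
    key = b'\x01' * 20
    t = ah_transport(key, '1.1.1.1', '3.3.3.3', PROTO_TCP, b'telnet-segment')
    u = ah_tunnel(key, '13.0.0.1', '23.0.0.3', '1.1.1.1', '3.3.3.3', PROTO_TCP, b'telnet-segment')
    print(header_chain(t), header_chain(u))
```

One caveat that the thread does not state but Cisco's IPsec documentation does: IOS only uses transport mode when the protected traffic's own addresses are the IPsec peers' addresses. Loopback-to-loopback traffic between R1 and R3 with the SA built on their physical interfaces does not meet that condition, so the router encapsulates it in tunnel mode even if the transform set says transport, which would explain a second IP header showing up in a "transport mode" capture.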