Blogpost Friday! Networking

---

• Blogpost Friday!
• C9500 Switch Architecture, ASICs, and TCAM MAC capacity
• A couple VLAN questions
• TATA Packet Loss from Comcast
• Have BGP track active VRRP in Cisco vPC with DCI
• 10/25Gb Switches with a GUI
• How do ISPs route traffic geographically within their AS?
• Best TCP congestion control for wireless devices
• How to access from home-office/openVPN client(pfsense) -> to device at site (Mikrotik/IPsec)
• help me understand a simple layer 3 firewall scenario
• Wireless Bridge Recommendations Needed
• Addresses/techniques to ping/mtr/whatever specific geographic areas
• single mode fiber light detection
• Help - Public library wifi access
• Checkpoint administration
• VXLAN - Migrate VM holding same MAC and IP
• Routing VLANS SW Dell N1524

Blogpost Friday! Posted: 30 Jul 2020 05:04 PM PDT It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our member's new and shiny blog posts. Feel free to submit your blog post and as well a nice description to this thread. Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it. submitted by /u/AutoModerator [link] [comments]

C9500 Switch Architecture, ASICs, and TCAM MAC capacity Posted: 31 Jul 2020 05:46 AM PDT Hey Gang, I've been away from switch route for a long time and heavily focused on WiFi for most of my career. I have an implementation which relies heavily on centralized forwarding where all the client MACs end up getting dumped into a single switch port, or port channel. A fellow network engineer tipped me off that the specs on a datasheet for most switches regarding the mac table size, is usually a little more convoluted than what they're telling you. If a switch has a table size of 56K, that may be further split up and restricted to certain groups of ports. So I've gone down the rabit hole to understand a little more about switch/router architecture. https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9500-series-switches/nb-06-cat9500-ser-data-sheet-cte-en.html Looking at the C9500 Datasheet, "Table 11. ASIC template descriptions" i see that based on which template I apply I can get either 82K or 32K of capacity for MAC table entries. That looks pretty straight forward to me, but my friend's tip got me digging a little deeper. https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9500-series-switches/white-paper-c11-741484.html#Switchdesign Looking at the "Figure 3. C9500-32QC/48Y4C/24Y4C board layout" ""Figure 4. C9500-24Q/12Q board layout" I see 4 ASICs total, appearing to be responsible for different groups of ports below them. https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2018/pdf/BRKARC-2035.pdf Scouring around I found a random slideshow with a hint that the UADP 2.0 XL has a 54K TCAM table size. So this must mean the numbers above are sliced and diced (L2, L3, Sec?) then added up to make up an aggregate of some sort, but I haven't found anything that clearly indicates the MAC table size for specific groups of ports associate to each of these ASICs in the switch. Why am I digging into this so deep? 32K is a lot of MAC addresses, but 32k / 4 ASICS = 8K which will likely be a problem for my deployment. Definitely not today with COVID isolation measures, but definitely some day when things normalize. Edit: corrected reference So now I see the "Figure 3. C9500-32QC/48Y4C/24Y4C board layout" actually just uses a single UADP 3.0 ASIC which has the TCAM size that matches the 2.0 XL at 56K - so where the heck are they getting 82K mac table size in the datasheet from? Edit: I appreciate the design feedback from people's posts so far but for non-technical reasons (shit leadership, unmotivated operations staff, hardware selection outside of my control) I'm just looking to understand switching architecture better. I can figure out how to distribute client mac addresses in creative and efficient ways, I just want to better understand the limitations of various platforms and 'gotchas' when deciphering switch data-sheets. I know the non-technical issues are a problem and trust me, I'm at the point of 'let it burn', but this is just me reaching out to better understand switch hardware architecture. I can weigh out the pros and cons of changing design and network architecture vs. complexity and support-ability on my own :) submitted by /u/DeleriumDive [link] [comments]

A couple VLAN questions Posted: 31 Jul 2020 11:42 AM PDT I inherited a mess of cable spaghetti in a multi tenant building (mostly shared internet) and I'm in the process of cleaning up the wiring and configs and had a couple questions. The core consists of managed switches for distribution (Cisco 2960) and a layer 3 switch (4503) doing the routing. Regarding the configs: On the distribution switch side, are there reasons to designate switchport modes as trunks (or access) and specify allowed VLANs per interface, versus allowing them to auto-negotiate? Seems to work fine when I added a new switch with minimal configuration, the trunk was recognized from the core switch with all VLANs allowed. Just needed to set VLAN access on the proper ports. On the existing switches, I would need to set the allowed VLANs on the trunk interface on both switches for it to work properly. Part 2: There is a subleasee that has their own internet and network. The patch cables for their rooms had been removed from the main distribution switches and connected to a unmanaged switch that's nesting in the middle of all the wires. If I created a VLAN on the managed switches and did not assign that VLAN an IP, would those ports assigned to that VLAN effectively act as a dumb switch isolated from the rest of the network? The normal configuration for tenants is that they have their own VLAN and subnet, but are not isolated at layer 3, so they share the common internet. Would connecting a second internet connection/router to the distribution switch on a VLAN with no IP assigned cause any routing problems or conflicts with the existing internet connection? submitted by /u/oosyrag [link] [comments]

TATA Packet Loss from Comcast Posted: 31 Jul 2020 03:41 PM PDT Not sure if anyone else is seeing this but we are seeing packet loss on TATA from the Comcast network from CHI to San Jose 9.|-- if-ae-50-3.tcore2.ct8-chicago.as6453.net 30.0% 10 73.3 72.5 71.1 75.7 1.6 10.|-- if-ae-51-2.tcore2.sqn-sanjose.as6453.net 40.0% 10 69.5 71.6 69.4 76.2 2.7 11.|-- if-ae-1-2.tcore1.sqn-sanjose.as6453.net 10.0% 10 69.4 71.2 69.0 80.5 3.7 Same issue happened yesterday and TATA said they had "received several large bursts of traffic from Comcast" which cause the packet loss. Anyone else? submitted by /u/JPHPJ [link] [comments]

Have BGP track active VRRP in Cisco vPC with DCI Posted: 31 Jul 2020 02:54 AM PDT Hi guys, I hope I can explain my situation correctly. I currently am tasked to connect two DCs to Azure via ExpressRoute. They currently run the following: DCA DCB vrrp master > SW01----SW03 < standby || \ / || vPC link > || X || < vPC link || / \ || vrrp listen > SW02----SW04 < vrrp listen Switches are Cisco Nexus SW01 and 02 form a vPC SW03 and 04 form a vPC DCA is the VRRP master. All routing is done on SW01 and 02 unless there is a failure. All four switches will have their own links to the ER BGP will be implemented specifically for this The customer prefers to have all traffic flow over the active side My question is as follows: If SW01 stops being the VRRP master or fails I'd like to have BGP advertise a more preferred route via DCB. My issue is that I can't think of a way to have SW02 automatically change its metrics to become less preferred in the case SW01 isn't the VRRP master anymore, but is still up (e.g. maintenance window). I'm probably missing something really simple or not seeing the obvious, so any help is appreciated! submitted by /u/Draggeta [link] [comments]

10/25Gb Switches with a GUI Posted: 31 Jul 2020 08:57 AM PDT We're replacing the top of rack switches and have been looking at Dell S Series switches as we have some N series 10GB switches now which are good. Sadly (ridicule me if you wish) it's an issue if they don't have a GUI. The S series don't seem to have a GUI (The older N series ones do). Are there any options that I'm not aware of? submitted by /u/djsayles [link] [comments]

How do ISPs route traffic geographically within their AS? Posted: 31 Jul 2020 08:12 AM PDT Sorry if this question is to basic for this sub. I was looking at AS6939 route servers and noticed that on the westcoast (Fremont) the best route to 1.1.1.0/24 would have a MED 15 but that same route in Toronto would have MED of 614. How do ISPs go about changing the MED or local-pref of routes on only certain routers in their AS? I guess when that route in Fremont gets reflected to Toronto the router knows that route is far way and changed the MED? How do they do this? Communities? submitted by /u/justinsst [link] [comments]

Best TCP congestion control for wireless devices Posted: 31 Jul 2020 08:09 AM PDT Quick question: what's the best TCP congestion control algorithm that someone could use on a wireless-only device (from a client perspective)? I've seen that Veno has been developed especially for this use, but maybe that's something even better submitted by /u/Tachi_107 [link] [comments]

How to access from home-office/openVPN client(pfsense) -> to device at site (Mikrotik/IPsec) Posted: 31 Jul 2020 03:55 AM PDT Hi! I'm a kinda beginner all in one IT guy who is trying to give an access to clients to devices at sites throught VPN. Hope I get help from here because I couldn't find the right info from Google. How to access from PC1 openVPN client (pfsense(office network)) -> to PC2 at site (Mikrotik(ipsec vpn between office-site)) I also tried to make a diagram - What I tried to do: Made an IPsec P2 entrys (pfsense-Mikrotik at site) in Pfsense for 10.117.1.0/24 network. Added FW rules into Mikrotik which is at site. - What else should I try/do? Thank you for your attention! submitted by /u/beljo91 [link] [comments]

help me understand a simple layer 3 firewall scenario Posted: 31 Jul 2020 07:03 AM PDT So I was thinking about this the other day and it somewhat confused me, probably because I do not truly know routing in depth, and I feel somewhat silly even asking this question but here it goes: say you have a router and network A 10.0.1.X and network B 10.0.2.X and your firewall is set to block traffic from incoming 10.0.2.x to 10.0.1.x and your rules end in Allow ANY ANY. Would it ever be possible for someone to put a router in (on LAN B) and add a different subnet and it would go around the deny rule as the packets would be coming from a different network? I understand if the traffic came through as nat'ed it would get blocked, but don't route protocols just automagically populate route tables. I apologies if this is a dumb question but it just had me thinking. Thanks! submitted by /u/Darren_889 [link] [comments]

Wireless Bridge Recommendations Needed Posted: 31 Jul 2020 06:54 AM PDT I have read a few other similar posts but I figured that I had enough unique requirements that it made sense to make a new post. I work for an IT department for an organization where we have a few locations that are not on our fiber network. These are mostly locations with a few cameras and such. We have an existing wireless network that is aging out and needs replacement. My biggest issue is that most of these devices are installed on a 100' aerial at their origin. This makes maintenance and replacement an issue as this requires we hire a professional to climb the tower to get to the hardware. There is a mix of makes and models that span years. I have worked with and we have a mix of Ubiquity, Mimosa, Ruckus, and Mikrotik. I prefer an easy to use UI but in the end its all the same. I would like to replace this aging hardware with a single manufacturer and model if at all possible. I do not have a preference with manufacturer but I lean towards enterprise grade. budgets are flexible but I would like to stay below ~$500 per location and the lower the better. I was thinking that it would benefit me to have a model that allows me to place the radios in our shed and the antenna on the aerial. This will allow me to readily replace the hardware in the case of a failure. Really expensive to hire a pro to climb the tower and replace equipment. Some locations are located in harsh environments/ocean exposure. I don't have a minimum bandwidth requirement. 1Gbps would be nice for future proofing but I can get away with a solid 250Mbps. Most are 1-1 but there is the need for 1-many in a couple spots. Most locations are under ~2 km with the possibility of ~7 km in a couple spots. I have some locations where there are trees in the way. we are in a busy WiFi area so I am not sure if 5Ghz is what I need. I might be able to get access to a licensed frequency but the permit process can take a while so I need to move forward before that. All in all; I want to unify our wireless bridge network with easily accessible, reliable, and robust equipment. Thanks for taking the time. I am far from a wireless expert and am relying on the community to help out a fellow sysadmin. submitted by /u/_M-J-B_ [link] [comments]

Addresses/techniques to ping/mtr/whatever specific geographic areas Posted: 30 Jul 2020 09:34 PM PDT I'd like test addresses to reach various geographic locations. At the moment my best idea is to search for "<location> ip address" which ends up with some random IP in geo IP web tools, but you know this doesn't smell good. Networking is a bit out of my wheelhouse so apologies if there's some low hanging fruit or tribal knowledge I'm missing here. submitted by /u/tahmsplat [link] [comments]

single mode fiber light detection Posted: 30 Jul 2020 04:55 PM PDT So, i've used my camera to look for light when i troubleshoot SM fiber. Im trying to bring up a circuit, and im having a hard time bringing up L1. I see light via my camera on my Xenpak 10 gig optic, but i don't see light on the fiber drop. The colo guys can test it with a fluke and see signal, but i can't see it via my camera, even though i can see the Fiber module on my 6500. Any ideas as to what could cause SM to SM fiber not to come up? My TX and RX are correct and i've flipped them just to verify. submitted by /u/255-255-255-254 [link] [comments]

Help - Public library wifi access Posted: 31 Jul 2020 08:02 AM PDT My daughter just became the director of a small municipal library. The previous director has disabled the wifi as they were getting DMCA notices for torrenting. The library has no $ in the budget for an IT professional, so I volunteered to make an attempt at getting their wifi functional again. However, my experience is in home networking, I don't know anything about public access wifi. Right now the library is using the ISP-provided gateway that feeds their 6 computers via ethernet. Wifi is simply disabled in the gateway control panel. I'd like to re-enable the wifi and simply block torrenting, but I don't know if that possible or if that's even the right way to handle it. Your thoughts and advice would be greatly appreciated. submitted by /u/nerdburg [link] [comments]

Checkpoint administration Posted: 30 Jul 2020 04:13 PM PDT I recently got handed the role of cp firewall admin after a recent round of layoffs. I have rudimentary knowledge of the device but not in this level. I bought a Udemy course to get me up to speed but was wondering if there's a video course or book that you'd recommend. TIA submitted by /u/d3adbor3d2 [link] [comments]

VXLAN - Migrate VM holding same MAC and IP Posted: 30 Jul 2020 09:54 PM PDT I have some doubts when it comes to VXLAN, I'm learning about the world of Data Centers & something that caught my interest is on some YouTube videos they talk about being able to migrate a VM from one physical server to another, now I don't have a lot of experience on Data Centers but I'm curious on what can be accomplished by this. So would it be possible to transfer a VM to another server from a LAN to another LAN while still having the same IP address??? I'm having some problems trying to solve this since LAN A would be say 192.168.100.0/24 for the servers and 192.168.101.0/24 for the users, but if we go through the WAN to LAN B there will be 192.168.200.0/24 for the servers on that site and 192.168.202.0/24 for users and both LAN's connect to a core switch and promote their network via EIGRP, how would it be possible to move a VM from LAN A to LAN B with still the same IP address and still being able to contact that VM through the entire network? Or is this VM migration possible while having the servers on the same LAN? I have 2 sites, one MDF with our servers and another site with other servers, just wondering if migrating a VM from a LAN to another LAN will be possible or if I can only migrate a VM within the same LAN Any help on this or if someone could refer me to a forum or resource to learn this will be greatly appreciated. submitted by /u/istoleyowifi [link] [comments]

Routing VLANS SW Dell N1524 Posted: 30 Jul 2020 06:32 PM PDT Hi, I would appreaciate your Help to find the solution with a setup issue on a Switch Dell N1524 I have Created 4 Vlans Vlan 18 Servers / Vlan 24 Cameras / Vlan 23 Others I have setup everything as the manual indicated, Port membership as been configured properly. My problem is that I cannot make the devices configured on different vlans communicate each other. For example: Device on switchport 14 which is on vlan24 configured with 10.1.24.15/24 gateway 10.1.24.1 is not being able to communicate with device on switchport 5 which is on Vlan 15 configured with 10.15.1.11/24 gateway 10.15.1.1 Here is the config I have on the Switch. *SwitchPort 24 is configured to be connected to the router console#show running-config !Current Configuration: !System Description "Dell Networking N1524, 6.3.3.14, Linux 3.6.5" !System Software Version 6.3.3.14 ! configure vlan 10,15,18,23-24 exit stack member 1 1 ! N1524 member 2 1 ! N1524 exit ip routing interface vlan 15 ip address 10.15.1.10 255.255.255.0 exit interface vlan 18 ip address 10.1.18.1 255.255.255.0 exit interface vlan 23 ip address 10.1.23.1 255.255.255.0 exit interface vlan 24 ip address 10.1.24.1 255.255.255.0 exit ip route 0.0.0.0 0.0.0.0 10.15.1.1 username "admin" password 9e9df680772a01af39ae21b6b5ff4bfb privilege 15 encrypted ! interface Gi1/0/1 switchport access vlan 15 exit ! interface Gi1/0/2 switchport access vlan 15 exit ! interface Gi1/0/3 switchport access vlan 15 exit ! interface Gi1/0/4 switchport access vlan 24 exit ! interface Gi1/0/5 switchport access vlan 15 exit ! interface Gi1/0/6 switchport access vlan 15 exit ! interface Gi1/0/7 switchport access vlan 15 exit ! interface Gi1/0/8 switchport access vlan 15 exit ! interface Gi1/0/13 switchport access vlan 18 exit ! interface Gi1/0/14 switchport access vlan 24 exit ! interface Gi1/0/18 switchport access vlan 15 exit ! interface Gi1/0/19 switchport access vlan 15 exit ! interface Gi1/0/22 switchport access vlan 24 exit ! interface Gi1/0/24 switchport mode trunk switchport access vlan 15 switchport trunk allowed vlan 15,18,23-24 exit ! interface Gi2/0/1 switchport access vlan 23 exit snmp-server engineid local 800002a203684f641ba25f eula-consent support-assist reject eula-consent hiveagent reject exit console# console#show ip route Route Codes: R - RIP Derived, O - OSPF Derived, C - Connected, K - Kernel, S - Static B - BGP Derived, E - Externally Derived, IA - OSPF Inter Area E1 - OSPF External Type 1, E2 - OSPF External Type 2 N1 - OSPF NSSA External Type 1, N2 - OSPF NSSA External Type 2 S U - Unnumbered Peer, L - Leaked Route * Indicates the best (lowest metric) route for the subnet. Default Gateway is 10.15.1.1 S *0.0.0.0/0 [1/0] via 10.15.1.1, 01h:50m:19s, Vl15 C *10.1.18.0/24 [0/0] directly connected, Vl18 C *10.1.23.0/24 [0/0] directly connected, Vl23 C *10.1.24.0/24 [0/0] directly connected, Vl24 C *10.15.1.0/24 [0/0] directly connected, Vl15 submitted by /u/akingsilva [link] [comments]

You are subscribed to email updates from Enterprise Networking news, blogs and discussion.. To stop receiving these emails, you may unsubscribe now.	Email delivery powered by Google
Google, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States