Moronic Monday! Networking
- Moronic Monday!
- DOCSIS CMTS Band Plan
- A "man I feel dumb" post v.ARP, VLANs and gateways, oh my!
- DNS Infrastructure Question
- ELI5: Enhanced 911 (cisco)
- 500/500 on a cat4 cable?? How?
- Which "underdog" vendor/protocol/technology have you used that you would like to share here (for free)?
- (Help) Diagnosing a bunch of cisco switches, looking for any issues.
- Conntrack not deNATing return packet's source IP when DNAT destination IP is same subnet. Why?
- How to fix NAT type strict with xbox?
- Telemetry data monitoring. Sending alerts.
- Question on Prefix Lists
- Juniper : Ingress/egress filter via radius for Subscribers?
- GlobalProtect DNS Based Split Tunneling
- Is this asymmetric routing?
- Mounting switches in shallow racks
- How can I configure trunking and layer 3 connections on the same physical interface?
- Belden 9538 cable to t568b wiring?
- Juniper SRX340 Chassis Clustering
- Port forwarding on a mobile carrier which doesn't allow port forwarding
Moronic Monday! Posted: 27 Sep 2020 06:04 PM PDT It's Monday, you've not yet had coffee and the week ahead is gonna suck. Let's open the floor for a weekly Stupid Questions Thread, so we can all ask those questions we're too embarrassed to ask! Post your question - stupid or otherwise - here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer. Serious answers are not expected. Note: This post is created at 01:00 UTC. It may not be Monday where you are in the world, no need to comment on it.
DOCSIS CMTS Band Plan Posted: 28 Sep 2020 11:53 AM PDT I'm specifying a linear TV band plan this week and want to make sure it's as wide open for DOCSIS 3.1 as possible. Here's what I've gathered for a specification; how does it look to the Reddit hive mind?
A "man I feel dumb" post v.ARP, VLANs and gateways, oh my! Posted: 28 Sep 2020 06:27 AM PDT So I ran into an interesting issue while helping out a customer. Ultimately got him fixed up, but I wanted to get a better understanding of what was going on, so I brought the scenario home to my lab and recreated the situation so I could do some additional captures/debugs...

So here's the setup. I'll be using generic terms because I don't think the vendor makes any difference in this situation.

Router connected to switch with a "trunk port": untagged VLAN1, subnet 10.245.245.1/24; subinterface VLAN6, subnet 10.245.254.1/24. Switch has both VLANs built and VLAN6 tagged on the "trunk port".

So the scenario at the customer site was that a new firewall was being put in and they were moving L3 from their core switches to the firewall. What we found was that in one building they lost remote access to the switches, but client traffic seemed to have been working fine. This building was built on the firewall to be VLAN6. They dispatched a tech out to the site to console into the switch. Review of the config showed that this building basically had a managed switch with no real config... so everything was just chilling on the default VLAN, but it had an IP address of 10.245.254.10 and a default route of 0.0.0.0/0 10.245.254.1.

So in the end we built VLAN6 on the switch, changed the IP to something in the 10.245.245.0/24 subnet (VLAN1) and changed the default route to 0.0.0.0/0 10.245.245.1. According to the customer, they were able to access the switch with this config prior to moving L3 off of their core switch and onto the firewall. And the clients that were working were all pulling IPs from VLAN1 (10.245.245.0/24).

Now like I said, I took this home to run some debugs and pcaps... what I noticed was I only saw STP being sent from the switch. I saw no ARP, nothing... I would have expected to see some ARP since it sits on L2 and L3, but nothing...

Can anyone give me a good explanation of what was happening here?
DNS Infrastructure Question Posted: 28 Sep 2020 12:02 PM PDT The organization I work for is looking at renewing/upgrading our current internal DNS/DHCP infrastructure, and there has been a divide over a specific question. I would appreciate any feedback. Should DNS be split to use more than one vendor and product? So DNS would have Server1 be Vendor A, Server2 would be Vendor B, and they would update each other. One side says yes, so that a single bug/issue doesn't take down DNS. One side says no, as it adds too much complexity for an isolated chance.
ELI5: Enhanced 911 (cisco) Posted: 28 Sep 2020 02:29 PM PDT For context, I'm the network dude and will be working with the VoIP guy. We're no experts (obv) so bear with us here. I need to understand how E911 works. Does all the setup (PSAP, ERL, ELIN, ALI, etc.) happen in Call Manager? So that's manual work, right? Admin has to put in all the locations and tie them to an extension. For some reason he's worried that E911 won't work with our future switching equipment (Aruba), that E911 is somehow tied to CDP. He's also worried that we will need to re-IP the phones since currently multiple buildings are in one subnet. Please let me know if he, I, or both of us are way off on this. Thanks in advance.
500/500 on a cat4 cable?? How? Posted: 28 Sep 2020 06:43 AM PDT So this may be a bit unusual, but I'm helping an acquaintance with some very light networking, i.e. finding where a bottleneck is occurring in their network. When going directly from the ISP/fibre box they are getting 500/500, but as soon as they put in a router they're lucky to be getting 100/100. I took a look at it and found that they have a cat4 cable from their router to the PC. My question is how the **** are they even getting 500/500 on the same cable when directly connected to the ISP? I'm only CCENT but this seems absolutely crazy to me.
Which "underdog" vendor/protocol/technology have you used that you would like to share here (for free)? Posted: 28 Sep 2020 06:29 AM PDT Hello, hunting for unicorns today and I would like to start this thread for the betterment of

An example: phpIPAM is a free open-source web UI tool that does what it says. The awesome part is that they have support for VRFs, allowing the same subnets to co-exist in the database.
(Help) Diagnosing a bunch of cisco switches, looking for any issues. Posted: 28 Sep 2020 02:15 PM PDT I was given a few Cisco switches (some 9300 and some 3650) and was told to check to see if they are still functional or if they need to be RMA'd. I'm still fairly new to network troubleshooting so I'm not sure what I need to do to confirm whether the switches work or not. I assume I would put a default template on them and check to see if they can ping one another while checking the exterior for LED issues and whatnot. Is this the right way to go? Do any of you have a good process that would benefit me to follow?
Conntrack not deNATing return packet's source IP when DNAT destination IP is same subnet. Why? Posted: 28 Sep 2020 12:11 PM PDT My understanding is that when a DNAT rule is applied to change the destination IP of an outgoing packet, conntrack automatically deNATs the reply packet's source IP back to the original destination. However, I've noticed this only works when the DNAT destination IP is not on the same subnet. Why is this happening?

Here's a worked example with tcpdump to demonstrate (br0 has subnet 192.168.1.0/24). The first two examples are forwarding to a server outside the subnet, which works properly and rewrites the source IP of replies, and the third example demonstrates how it doesn't rewrite the source IP of replies when forwarding to an IP on the same subnet.

On my router, I've added a DNAT rule to forward any DNS requests from any IP on port 53 to another server like this. Doing a DNS request to 1.1.1.1 ("dig @1.1.1.1 google.com") from a client connected to the router, and running a tcpdump on all interfaces on the router, shows that the source IP of reply packets is changed back (client is 192.168.1.2, XXX.XXX.XXX.XXX is public IP): We can see above that the DNAT rule changed the destination from 1.1.1.1 to 8.8.4.4 correctly. Then when the packet came back from 8.8.4.4, the return packet's source IP was changed back to 1.1.1.1 before getting sent back to the client. Also looking at conntrack entries, we can see the entry: This also works when I forward to another server on the same system as the router but in a different network namespace+subnet.

Example with this rule (10.0.5.3 is the IP of a DNS server on the router that is in a separate net namespace and subnet from br0): Doing a tcpdump test with a DNS request from a client, we see the source IP of reply packets gets changed back: So again, the DNAT changed the destination to 10.0.5.3, which replies back, and then reply packets get deNATed correctly, changing their source IP back before sending it back to the client. Again, conntrack shows the entry.

Now, here's where the problem happens. If instead I choose to redirect to a server on the subnet of br0 (like 192.168.1.1, which is an external server connected to the router on br0), like so: Now, doing a DNS request from a client results in a "reply from unexpected source 192.168.1.1" error, and tcpdump on the router shows that the source IP of the reply packets never gets translated back: We can see that the DNAT changed the destination IP correctly to 192.168.1.1, but then the reply packets from 192.168.1.1 never had their source IP changed back to 1.1.1.1. This results in the client (192.168.1.2) seeing the packet as coming from 192.168.1.1 instead of 1.1.1.1, and it spits out the unexpected source error since it sent the request to 1.1.1.1. Looking at conntrack we see the following entry. Note how the above conntrack entry says UNREPLIED, while the other ones didn't. But the conntrack entry looks correct (the src/dst/port), so I don't understand why it's not deNATing the reply packets correctly and changing the source IP back like in the other examples above.

Can anyone illuminate why the source IP is not changing back when the DNAT destination is on the same subnet, and why the conntrack entry shows UNREPLIED even though the src/dst/sport tuple matches the reply packet? Is there anything I can do to fix this so it works properly like for the first two examples with IPs external to the subnet? Thank you very much for your time if you've made it this far.
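The three scenarios in the post, replayed through a small model (added here as an illustration; it is not code from the post and not a netfilter implementation). It keeps only the two things that matter: the tuple bookkeeping conntrack does for a DNATed flow, and which path the server's reply takes. The router's own address on br0 (192.168.1.254) is an assumption the post does not state; the WAN-side masquerade for the 8.8.4.4 case is left out because it does not change the path decision. The failure mode is visible in the code: when the DNAT target and the client share br0, the server ARPs for 192.168.1.2 and answers it directly, so the reply never crosses the router's netfilter hooks, the flow stays UNREPLIED, and the client sees a source of 192.168.1.1. A hairpin SNAT (masquerading the forwarded query behind the router's br0 address) forces the reply back through the router, where both translations are undone.

```python
# Added example (not from the post or any project): a small model of the
# three DNAT scenarios above, enough to show why the same-subnet case ends
# up UNREPLIED and why a hairpin SNAT fixes it. It models only the tuple
# bookkeeping conntrack does and the L2 path the reply takes.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # br0, from the post
CLIENT = "192.168.1.2"               # from the post
ORIG_DST = "1.1.1.1"                 # what the client actually queries
ROUTER_LAN_IP = "192.168.1.254"      # ASSUMED: the router's own br0 address (not in the post)


@dataclass(frozen=True)
class Pkt:
    """A UDP 4-tuple; frozen so it can serve as a conntrack table key."""
    src: str
    sport: int
    dst: str
    dport: int


def reverse(p: Pkt) -> Pkt:
    return Pkt(p.dst, p.dport, p.src, p.sport)


class Router:
    """Conntrack-style bookkeeping: one entry per flow, keyed by the tuple
    the reply is expected to carry when it comes back THROUGH the router."""

    def __init__(self, dnat_to: str, hairpin_snat: bool = False):
        self.dnat_to = dnat_to
        self.hairpin_snat = hairpin_snat
        self.table = {}  # expected reply tuple -> {"orig": Pkt, "replied": bool}

    def forward_query(self, p: Pkt) -> Pkt:
        """Client -> router: PREROUTING DNAT, then (optionally) a POSTROUTING
        SNAT that is applied only when the DNAT target is on the client's subnet."""
        out = replace(p, dst=self.dnat_to)
        if self.hairpin_snat and ip_address(self.dnat_to) in LAN:
            out = replace(out, src=ROUTER_LAN_IP)
        # The reply tuple is the reverse of the packet *as it leaves*, i.e. after
        # every NAT step; this is the second tuple `conntrack -L` prints.
        self.table[reverse(out)] = {"orig": p, "replied": False}
        return out

    def forward_reply(self, p: Pkt):
        """Server -> router: look the packet up by its own tuple; on a hit, mark
        the flow replied and undo both NATs so the client sees ORIG_DST."""
        entry = self.table.get(p)
        if entry is None:
            return None  # conntrack would treat this as INVALID
        entry["replied"] = True
        orig = entry["orig"]
        return Pkt(orig.dst, orig.dport, orig.src, orig.sport)

    def state(self) -> str:
        return "REPLIED" if all(e["replied"] for e in self.table.values()) else "UNREPLIED"


def reply_passes_through_router(reply: Pkt) -> bool:
    """Path model. A reply addressed to the router itself is handled by it.
    A reply from one br0 host to another br0 host is delivered directly after
    ARP and never reaches the router's netfilter hooks. Anything else (remote
    server, or a host in another subnet/namespace) is routed via its gateway,
    which is the router."""
    if reply.dst == ROUTER_LAN_IP:
        return True
    same_segment = ip_address(reply.src) in LAN and ip_address(reply.dst) in LAN
    return not same_segment


def run_scenario(dnat_to: str, hairpin_snat: bool = False):
    """Returns (source address the client sees on the reply, conntrack state)."""
    router = Router(dnat_to, hairpin_snat)
    query = Pkt(CLIENT, 40000, ORIG_DST, 53)
    to_server = router.forward_query(query)
    server_reply = reverse(to_server)  # the server answers whoever it heard from
    if reply_passes_through_router(server_reply):
        seen_by_client = router.forward_reply(server_reply)
        if seen_by_client is None:
            return "dropped", router.state()
    else:
        seen_by_client = server_reply  # bypasses the router entirely
    return seen_by_client.src, router.state()


if __name__ == "__main__":
    for target, hairpin in [("8.8.4.4", False), ("10.0.5.3", False),
                            ("192.168.1.1", False), ("192.168.1.1", True)]:
        src, state = run_scenario(target, hairpin)
        verdict = "OK" if src == ORIG_DST else "reply from unexpected source " + src
        print(f"DNAT to {target:12} hairpin={hairpin!s:5} -> client sees src {src:12} "
              f"conntrack {state:9} {verdict}")
```

On a real box the equivalent of `hairpin_snat=True` is a masquerade rule in the nat POSTROUTING chain scoped to the forwarded traffic, for example `iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.1 -p udp --dport 53 -j MASQUERADE` (nftables: `ip saddr 192.168.1.0/24 ip daddr 192.168.1.1 udp dport 53 masquerade` in the postrouting nat chain). The cost is that the DNS server then sees every client as the router, so per-client logging and ACLs on that server stop working; if that matters, keeping the resolver in its own subnet or namespace (the 10.0.5.3 case in the post, which works precisely because the reply must route back through the router) avoids the hairpin altogether.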
How to fix NAT type strict with xbox? Posted: 28 Sep 2020 12:43 PM PDT Over the summer we added our dorms to our network. Previously, the dorms were on their own network. They had their own ISP, and another company managed all of that. I am now getting complaints about NAT type strict on their Xboxes. I assume it is because all of our devices (with the exception of web servers and the like) have the same external IPs. I have the right ports open that Microsoft says need to be open. I also assume that I would need to get each Xbox its own public IP? Firewall is set to NAT using outgoing interface address. *Sorry if this isn't really the place for such a question. I was not sure that I would get good answers for an enterprise network in an "xbox" type sub, and tbh, I don't know much about Xboxes or the way they work network-wise. Everything that I google for fixes seems to be talking more about home routers.
Telemetry data monitoring. Sending alerts. Posted: 28 Sep 2020 05:31 AM PDT Hi! So instead of using SNMP for alarming, is it possible to do this with telemetry data? Or is telemetry data only for deep-diving into what's happening? https://searchnetworking.techtarget.com/definition/streaming-network-telemetry
Question on Prefix Lists Posted: 28 Sep 2020 01:25 PM PDT This is not something we use a ton so I have myself good and confused. Let's say I have a set of /29 networks that I want to distribute to EIGRP (rather than sending all available networks). I would have something like this:

ip prefix-list eigrp-out seq 10 permit 192.168.13.0/24 le 32
ip prefix-list eigrp-out seq 20 permit 10.10.10.0/29 ?????
etc.

I do not quite understand how the le or ge actually work. What is it matching against? I have read about 10 different articles in the last few hours and I just do not get it. Thanks for your thoughts.
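What a prefix-list entry compares, written out as code (an added illustration, not code from the post or from any vendor). An entry does two checks against a candidate route: the route's network must sit inside the entry's prefix, and the route's mask length must fall inside the window that ge/le define. Without ge or le the window is the entry's own length only; `le Y` widens it to "entry length through Y"; `ge X` alone means "X through 32"; `ge X le Y` means "X through Y". So `192.168.13.0/24 le 32` matches the /24 itself and every more-specific route under it, while `10.10.10.0/29` on its own matches exactly that one /29. The third line below (seq 30, `10.10.10.0/24 ge 29 le 29`) is an assumption added here to show the usual way to say "every /29 carved out of 10.10.10.0/24"; it is not in the post. The parser accepts the same syntax as the poster's lines.

```python
# Added example (not from the post): an IOS-style prefix-list entry as code.
#   check 1: the candidate route's network lies inside the entry's prefix
#   check 2: the candidate's prefix LENGTH lies inside the ge/le window:
#        no ge/le  -> exactly the entry's length
#        ge X      -> X .. 32   (le defaults to the address-family maximum)
#        le Y      -> entry length .. Y
#        ge X le Y -> X .. Y
# First matching entry (by seq) wins; no match is an implicit deny.
from ipaddress import ip_network


def parse_entry(line: str) -> dict:
    """Parse 'ip prefix-list NAME seq N permit|deny A.B.C.D/L [ge X] [le Y]'."""
    tok = line.split()
    action = "permit" if "permit" in tok else "deny"
    prefix = ip_network(tok[tok.index(action) + 1], strict=False)
    return {
        "name": tok[tok.index("prefix-list") + 1] if "prefix-list" in tok else None,
        "seq": int(tok[tok.index("seq") + 1]) if "seq" in tok else 0,
        "action": action,
        "prefix": prefix,
        "ge": int(tok[tok.index("ge") + 1]) if "ge" in tok else None,
        "le": int(tok[tok.index("le") + 1]) if "le" in tok else None,
    }


def length_window(entry: dict) -> tuple:
    """The (min, max) prefix length an entry accepts; this is all ge/le set."""
    base = entry["prefix"]
    lo = entry["ge"] if entry["ge"] is not None else base.prefixlen
    if entry["le"] is not None:
        hi = entry["le"]
    elif entry["ge"] is not None:
        hi = base.max_prefixlen   # 'ge' alone: anything up to a host route
    else:
        hi = base.prefixlen       # neither: exact length only
    return lo, hi


def entry_matches(entry: dict, route: str) -> bool:
    net = ip_network(route, strict=False)
    base = entry["prefix"]
    if net.version != base.version or not net.subnet_of(base):
        return False                      # check 1: address range
    lo, hi = length_window(entry)
    return lo <= net.prefixlen <= hi      # check 2: mask-length window


def evaluate(prefix_list: list, route: str) -> tuple:
    """First-match semantics; returns (action, seq), or ('deny', None)."""
    for entry in sorted(prefix_list, key=lambda e: e["seq"]):
        if entry_matches(entry, route):
            return entry["action"], entry["seq"]
    return "deny", None


# The poster's two lines plus an ASSUMED seq 30 that matches every /29 inside
# 10.10.10.0/24, the usual way to express "a set of /29 networks".
EIGRP_OUT = [parse_entry(l) for l in """
ip prefix-list eigrp-out seq 10 permit 192.168.13.0/24 le 32
ip prefix-list eigrp-out seq 20 permit 10.10.10.0/29
ip prefix-list eigrp-out seq 30 permit 10.10.10.0/24 ge 29 le 29
""".strip().splitlines()]


if __name__ == "__main__":
    for route in ["192.168.13.0/24", "192.168.13.64/26", "192.168.12.0/23",
                  "10.10.10.0/29", "10.10.10.8/29", "10.10.10.0/30", "10.10.10.0/24"]:
        print(f"{route:18} -> {evaluate(EIGRP_OUT, route)}")
```

Two things worth keeping in mind when reading real output: IOS rejects an entry whose ge/le is shorter than the base length or whose ge exceeds its le, and the address bits beyond the base length are ignored by check 1 (they are masked off), so `10.10.10.0/24 ge 29 le 29` says nothing about which /29s exist, only that any /29 under that /24 is permitted.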
Juniper : Ingress/egress filter via radius for Subscribers? Posted: 28 Sep 2020 03:39 AM PDT I want to try to see if I can apply an ingress/egress filter to certain subscribers via RADIUS attributes and pre-defined filters. I've set up the RADIUS attributes:

Unisphere-Ingress-Policy-Name
Unisphere-Egress-Policy-Name

And I've set up a test filter on the MX104 as below:

set firewall family inet filter TEST-FILTER term TEST-IP from source-address 1.2.3.4/32

RADIUS is then set up with a RADIUS attribute referring to the above filter:

Unisphere-Ingress-Policy-Name TEST-FILTER

When connected I see the below for the subscriber session: Dynamic configuration: However, there is no blocking/filtering happening. I've had a look for examples and the only examples I can find refer to policing the speeds using such filters. Can it not be used for filtering certain traffic to/from a subscriber?
GlobalProtect DNS Based Split Tunneling Posted: 28 Sep 2020 01:29 PM PDT Hey all, I have been beating my head against the wall on this one. So I have a few URLs that need to traverse my GP tunnel for specific access rights by using a NAT rule. Otherwise I have a list of access routes to anything else that needs to head back to HQ. The issue I'm experiencing is that once I enable the "no direct access to local network" tick box to make the DNS part work correctly, it no longer split tunnels. When I uncheck the box it split tunnels but no longer forwards the DNS entries down the tunnel. The configuration I am trying to achieve seems quite simple. I want X DNS entries to go down the tunnel and Y access routes to go down the tunnel and the remaining items to split off. Using route-based split tunneling this works just fine. When I add DNS-based it breaks. Is there anyone else out there that has resolved this issue?
Is this asymmetric routing? Posted: 28 Sep 2020 04:14 PM PDT I have a firewall with an outside interface connected to a L2 switch (VLAN 100) and two ASRs connected to the same switch (VLAN 100). I'm running OSPF between the firewall and the two ASRs. By default the route on the firewall will load balance the traffic between the ASRs. My question is about the return traffic. If the traffic leaves the firewall and sends the packet to ASR-1 but it returns via ASR-2, still arriving on the same physical interface on the firewall because of the connection to the switch, will the firewall drop the packet because of asymmetric routing? The firewall is FTD.
Mounting switches in shallow racks Posted: 28 Sep 2020 01:32 AM PDT We are replacing a bunch of 2960 switches with Meraki, and have run into a problem with racks that are too shallow. The switches are the same size, but the 2960 switches are installed with the mounting bracket flipped around. We are currently looking at something like this to solve the issue. Anyone have any experience with using rack extenders to install switches?
How can I configure trunking and layer 3 connections on the same physical interface? Posted: 28 Sep 2020 01:23 PM PDT I have two switches that are not stacked, but are working in tandem to provide a redundant connection to the rest of the network. These two switches are trunked together over a single physical interface, but new requirements need these guys to be redundant routers as well. I wanted to enable HSRP on these two switches to accomplish that, but I found out that the connection between the two switches requires "no switchport" to be enabled. There can only be a single uplink between these two switches, and I was hoping I could use subinterfaces on this single physical interface and "split it" into a trunked interface and a no-switchport interface? Thanks
Belden 9538 cable to t568b wiring? Posted: 28 Sep 2020 05:39 AM PDT Hi there, I bought a Belden 9538 by mistake; it's an RS-232 cable. Not sure what the wiring diagram for this is, since it's a bit different from the T568B standard. Can anyone point me to the correct diagram? I've searched on Google but am still confused. I already installed the Belden and would like to use it instead of replacing it, since it was installed already. I was just using a Cat6 keystone for it. Thanks in advance.
Juniper SRX340 Chassis Clustering Posted: 28 Sep 2020 02:59 AM PDT Hi all, forgive me, I've been Cisco-only until now so please bear with me... Got a new pair of SRX340s which are in an HA cluster. I get a strange issue where the primary node does not respond to pings, and SSH and the web GUI do not work. I'm unfamiliar with Juniper clustering but I've followed the docs as best I can. The fxp interfaces on each node are correct and up, ge-0/0/1 are connected to each other and up (apparently this is the control link for 340s), ge-0/0/2 is assigned to fabric 0 and up, and finally ge-5/0/2 is assigned to fabric 1 and up. I've also hardcoded the redundancy group priorities so node 0 is primary for groups 0 & 1; this reflects correctly in show commands. What's strange is that after a reboot both nodes respond to pings and the web GUI works for the primary node, then after a few minutes the primary node doesn't respond to pings and the web GUI fails. I can SSH through the secondary node to the primary. I've tried restarting the web management service on the primary node with no joy and double-checked the IP config. Firewalls and routing have been ruled out for remote access. Can any Juniper expert give me a hand? Thanks in advance!
Port forwarding on a mobile carrier which doesn't allow port forwarding Posted: 27 Sep 2020 06:51 PM PDT Hey everyone, so I have a remote server sitting in my office which uses a USB 4G modem for internet connectivity. I would like to send traffic to this machine on port 3000 (I have a proxy server listening on this port). The problem is that the mobile ISP doesn't allow me to port forward and I need to find another solution. I have tried https://remote.it/ which works, but I would like to use my own solution and not rely on them. How are they doing this and how can I replicate that myself? How can I "forward" ports when it's not supported by the ISP? Are they using some kind of VPN solution for that? Thanks.