Networking
- Networking Myths
- What tool do you use to detect network scanning?
- How do you go about troubleshooting latency?
- Can a QSFP28 to SFP28 breakout cable work in a QSFP and SFP+ ports? I know they are backwards compatible but just double checking.
- Automating / Maintaining IP Blacklists
- Rate Limiting and QoS
- ICMP tools - Traceroute to packetloss
- How do you detect DOS and DDOS attacks?
- Attenuator failure rate vs transceiver failure rate risk
- Is L3 Switch for routing purposes really needed in this cases?
- Adding switches into an enterprise design the right way?
- HPE Virtual Connect 10Gbps unable to achieve 10Gbps.
- Meraki vs Ubiquity AP
- EIGRP Routing Manipulation - Bandwidth
- FOSS NetFlow tools
- Route-map question
- Intel now has a WiFi 6E wireless card
- Google Services and Cogent (US)
- ASA Alerts In a Daily Email
- Proxy VS DNS questions.
- Connection to server only works with Windows Store AnyConnect, otherwise I get ERR_NAME_NOT_RESOLVED
- Velocloud Edge - 1:1 Nat to another public IP?
- Potential VLAN Issue?
- Connecting Dell S4048-ON & S5232F-ON using 40G DAC
- DNS question - why using a recursive resolver (e.g. 1.1.1.1 or your ISP's) instead of running it locally and querying directly the DNS root servers?
Networking Myths
Posted: 03 Nov 2020 01:23 PM PST

Networking myths are networking information that's commonly believed but is either technically inaccurate or completely false. Share some of the networking myths you know, and let's create a list to help dispel some of these myths.

I'll start with eBGP peering between loopbacks. It's common knowledge that you have to change the TTL to 2 when eBGP peering using loopbacks between directly connected routers. That's a myth! A directly connected router is only 1 hop away regardless of the referenced interface. The reason the eBGP peering doesn't come up with TTL 1 is because the router does a check if the neighbor IP is directly connected. Changing the TTL to 2 works because it no longer does the check, not because the loopback is 2 hops away. The appropriate solution is to disable checking for direct connectivity with the following command:
What tool do you use to detect network scanning?
Posted: 03 Nov 2020 04:08 AM PST

As attackers will often do some network recon, do you use any tools that alert you to active scanning happening on your network?
How do you go about troubleshooting latency?
Posted: 03 Nov 2020 08:05 AM PST

Recently been having some issues with latency, mostly internal with images booting on thin clients. We use all Cisco switches. I do the normal stuff like check logs and check counters. If I see errors, I will swap SFPs, clean fiber, swap with new fiber, etc. What are some other steps to take when troubleshooting latency? Our latency is usually pinpointed to one or 2 areas at a time, not our entire network.
Can a QSFP28 to SFP28 breakout cable work in a QSFP and SFP+ ports? I know they are backwards compatible but just double checking.
Posted: 03 Nov 2020 09:23 AM PST

We are trying to future proof our cabling purchases and just want to verify with some of you that may have done this. We are trying to do QSFP28 to SFP28 breakout cables to connect, right now, NetApp equipment that as of now has QSFP ports on the switch end and SFP+ on the node end. Thanks for any comments and advice in advance!
Automating / Maintaining IP Blacklists
Posted: 03 Nov 2020 11:15 AM PST

So looking for help / advice with a solution for maintaining / tracking IP blacklists. Our company initiates blocks daily by several employees at different levels (firewall, CDN, ISP, etc.). My question is what is a good way to track these blocks in a way that isn't just slapping a bunch of IP addresses in a spreadsheet / Microsoft Access DB? We want to track who / why a block is initiated and the reason, but in a way that is as automated as possible. Does anyone have any advice / solutions / tools that could be leveraged for this scenario?
Rate Limiting and QoS
Posted: 03 Nov 2020 08:16 AM PST

TL;DR: Conceptually, how are QoS and rate-limiting handled in carrier networks? Is there a way I can improve reliability for VoIP and video conferencing when actual bandwidth isn't the issue?

Context: We're a small reseller that provides internet service to some business and residential customers. Our business customers have strands of fiber that interconnect directly with our head end, and terminate at a switch. We don't have a PON OLT (yet). Basically our fiber service is one big LAN. Previously each business customer would get a 100Mb/s loop that would simply operate at line speed. We used to have a bunch of crappy 100Mb/s media converters jumbled into a switch, but I've since replaced that with an SFP switch.

Customers wanted an option to save cost when they didn't need 100Mb or 1Gb service. My solution was to configure rate limiting on the switch ports. The problem I have now is that when demand is high, packets that exceed the rate limit are dropped. Customers experience some stutter and occasional drops during voice and video calls. This is particularly vexing given the current remote work and school situation.

I've been trying to wrap my head around QoS, but when I do a packet capture on the inbound traffic, it all comes in with the same DSCP value. Is that typical?
ICMP tools - Traceroute to packetloss
Posted: 03 Nov 2020 08:45 AM PST

Hi sub. Is traceroute a reliable packet loss troubleshooting tool? I do use it to identify packet loss in hops, but honestly I do have doubts about its reliability. So, how far can I pursue a packet loss troubleshoot based on traceroute tests?
How do you detect DOS and DDOS attacks?
Posted: 03 Nov 2020 07:34 AM PST

Hi,

We run a really heterogeneous network (basically because we offer services to several thousand customers who host their infrastructure with us). We have our own DDOS detection and scrubbing system, which is mainly built for volumetric detection, and we also divert traffic via BGP announcement to an external provider for scrubbing of big attacks. Basically we have several taps on our network, and traffic is sniffed by machines running iptables with some high performance rules that are able to detect attacks.

It's running quite well, but as it's basically designed to be a volumetric attack detection system, some small attacks are not really detected because they are under our detection threshold. These small attacks should theoretically be handled by our customers directly, as they are so small their own infrastructure should not have problems handling them, but I'm trying to improve our own system anyway.

What I always found quite difficult is to find DOS or DDOS attack "definitions". I know for example there is malicious traffic which is quite easy to identify (UDP port 0 or similar), but I've never been able to find any kind of "definitions" for DDOS attack detection. I would like to find some "definitions" with things like "hping3 SYNs have the ACK flag set" (unless the -L 0 option is used) that would make it really easy to write custom rules to detect and block this kind of traffic.

So I'm wondering, what do you use for DOS or DDOS attack detection? And also, is there any kind of definitions out there that could be used to identify most common attack traffic?

Thanks!
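To show how the "definitions" the poster is asking about can be expressed as detection rules, here is an added example (not code from the post or from any product mentioned in it): a few malformed-traffic signatures (UDP to port 0, TCP with no flags, TCP with SYN and FIN together) plus a per-source bare-SYN rate threshold for the small floods a purely volumetric system misses, run over a constructed packet record set. Record layout, flag encoding and the thresholds are assumptions for the example.

```python
"""Signature-plus-threshold DoS detection over constructed packet records.

Added example; not from the original post. Each record is an assumed tuple
(ts_ms, src, dst, proto, sport, dport, tcp_flags) as a flow collector or
packet tap might hand to a detector.
"""
from collections import Counter, defaultdict

# TCP flag bits as they appear in the TCP header.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Constructed sample traffic: one normal handshake, three malformed packets
# from different sources, and a 150-packet bare-SYN burst from one source.
SAMPLE = [
    (0, "198.51.100.7", "203.0.113.10", "tcp", 40000, 443, SYN),
    (100, "203.0.113.10", "198.51.100.7", "tcp", 443, 40000, SYN | ACK),
    (200, "198.51.100.7", "203.0.113.10", "tcp", 40000, 443, ACK),
    (300, "192.0.2.99", "203.0.113.10", "udp", 5353, 0, 0),
    (400, "192.0.2.98", "203.0.113.10", "tcp", 1234, 80, SYN | FIN),
    (500, "192.0.2.97", "203.0.113.10", "tcp", 1234, 80, 0),
] + [
    (1000 + i * 10, "192.0.2.50", "203.0.113.10", "tcp", 1024 + i, 80, SYN)
    for i in range(150)
]


def signature_match(rec):
    """Return the name of the malformed-traffic signature a record hits, or None."""
    _, _, _, proto, _, dport, flags = rec
    if proto == "udp" and dport == 0:
        return "udp-port-0"
    if proto == "tcp":
        if flags == 0:
            return "tcp-null-flags"        # no flags set is never legitimate
        if flags & SYN and flags & FIN:
            return "tcp-syn-fin"           # open and close in one segment
    return None


def syn_rate_offenders(records, window_ms=1000, threshold=50):
    """Sources that send more than `threshold` bare SYNs inside any sliding window."""
    syn_times = defaultdict(list)
    for ts, src, _, proto, _, _, flags in records:
        if proto == "tcp" and flags & SYN and not flags & ACK:
            syn_times[src].append(ts)
    offenders = {}
    for src, times in syn_times.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window_ms:   # slide the window forward
                start += 1
            count = end - start + 1
            if count > threshold:
                offenders[src] = max(count, offenders.get(src, 0))
    return offenders


def analyse(records):
    """Return (signature hit counts, per-source peak SYN counts over threshold)."""
    hits = Counter(signature_match(r) for r in records)
    hits.pop(None, None)
    return dict(hits), syn_rate_offenders(records)


if __name__ == "__main__":
    print(analyse(SAMPLE))
```

The signature rules are stateless and cheap, which is why they suit an iptables-style first pass; the SYN-rate rule needs per-source state and is the kind of check that catches floods too small to trip a bandwidth threshold.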
Attenuator failure rate vs transceiver failure rate risk
Posted: 03 Nov 2020 09:29 AM PST

Does anyone know if there has been a study of the failure rate of fiber attenuators compared to transceivers that might run on the hot side but are still within specs? For example, will adding an attenuator make sense when running at -1dB (while specs allow up to +2dB) to lower transceiver failure risk, compared to the extra risk of adding an attenuator that could fail? My theory would be that if light levels are within specs, then attenuator failure rate risk would be higher than just leaving it a little on the hotter side. I tried to do a Google search on that but found nothing useful.
Is L3 Switch for routing purposes really needed in this cases?
Posted: 03 Nov 2020 10:07 AM PST

We have a Cisco ASA5516 Firewall running ASA Version 9.6(1) with Firepower and connecting to our ISP with 1Gbps. The firewall and iboss filter are at Location 1; the next hardware is a C9300 Layer 3 switch connecting to the Location 2 L2 2960 switch and Location 3 (L3 C3850). Also Location 1 has a 2951 ISR router running Cisco telephony and DHCP for Locations 1 & 2 and wireless clients at all locations. Location 3 does DHCP with the 3850 switch. All locations have L2 2960 distribution switches. Location 1 has a Cisco 5520 Wireless Controller connecting to the APs (AIR-AP1852 and AIR-CAP3702I) at all locations. Location 1 has the main internet connection from the ISP and connects to Locations 2 and 3 with 1Gig fiber e-line, and soon to Location 4. Locations 2 and 3 each have camera servers and cameras. We also have a printer server at Location 1 connecting to and managing printers at all locations.

We are a public school. We don't have any in-house data center or anything, so users/staff/students traffic usually just goes to the internet and comes back. How bad an idea is it to not have routing at Location 2? Cameras and the camera server are in VLAN 26. For cameras to reach the camera server, traffic just stays at Location 2, correct? But if a wireless user needs to connect to the Location 2 camera server from Location 2, the traffic has to traverse to Location 1 and back to Location 2. In this case, do we even need an L3 switch at Location 3?
Adding switches into an enterprise design the right way?
Posted: 03 Nov 2020 12:32 PM PST

Good afternoon. We are introducing about a dozen new Dell servers into our environment and require additional switches for this. Our current setup consists of two Nexus 3Ks with four connections each to our VSS core (two 4500X switches). Due to the new servers being 100% SFP+ and us not having SFP+ ports on our switches (I was not involved in the project until after these servers were purchased...), I will be introducing two new switches into the network. I have introduced switches on the edge before, but I have not done a major change to a core or distribution layer before.

So, here are my thoughts: Do I connect these to the 4500X core and have them hang off the same as the Nexus switches currently do? Do I connect them to the Nexus switches and have them be "downstream" from the core? Our core vCenter cluster will be located here, as well as our storage devices, so I'm thinking they should connect directly to the core as they do currently. I am still a bit out of my depth on these topics, so I'm mostly hoping that if I'm missing any major considerations you all might be able to help me consider them now. :-) Thank you so much!
HPE Virtual Connect 10Gbps unable to achieve 10Gbps.
Posted: 03 Nov 2020 11:29 AM PST

I have BL460c Gen8 with 554FLB adapters, each with 4 FlexNICs. I configured the two management NICs to auto and configured the other two for 10Gbps, which gives them a minimum of 5.5Gbps up to 10Gbps. My issue is I cannot get 10Gbps speeds between two hosts in the same enclosure. I am using iPerf, but it appears I can only get a maximum of ~5.3Gbps on a 10Gbps link. What exactly am I missing here? I have also enabled SR-IOV on the hosts (Hyper-V) and those can only get a maximum of ~4Gbps because the guest only sees the minimum speed (which is 5.5Gbps). Shouldn't I be able to achieve closer to 10Gbps on the host? These servers have plenty of CPU and memory, and since iPerf runs in memory the disk shouldn't be causing a problem. I just don't know what else I am missing here. Diagram: https://imgur.com/a/k5hvlZy (ignore right enclosure)
Meraki vs Ubiquity AP
Posted: 03 Nov 2020 06:21 AM PST

Hi guys, looking at implementing APs in our new MSP, trying to figure out the best option for a small office (10 to 30 users). Meraki and Ubiquiti seem to be the best options; what I don't like about Meraki is their license fee. Do you have any recommendation for me? Thank you in advance.
EIGRP Routing Manipulation - Bandwidth
Posted: 03 Nov 2020 09:17 AM PST

All switches are layer 3 switches. Something I'm not understanding about EIGRP: if I'm running EIGRP processes, one of the main concepts of EIGRP is the minimum bandwidth of a link to a neighboring router/switch. If I leave in the defaults of 1000000Kb (1Gb) of bandwidth across the other interfaces but I modify the port connecting Switch 2 and Switch 3 to 300000Kb (300Mb), it doesn't make a change to the topology table in EIGRP.

One thing to note that I'm pondering as I'm typing this is that between Switch 1 and Dist 1, the EIGRP process is running across a VLAN 'transit interface' for the routing between the two switches rather than at the physical interface. The same applies between Switch 1 and Switch 3. The routing process takes place across a VLAN 'transit interface' between Switch 1 and Switch 3 and not on physical interfaces. So layer 2 happens from Switch 1 to Switch 3 and then the neighbor relationship is formed. Appreciate any insight you might have.
FOSS NetFlow tools
Posted: 02 Nov 2020 05:33 PM PST

I'm slowly replacing components of my infrastructure software with FOSS tools. What open NetFlow tools are folks using in production? We've been on SolarWinds for years, and it's no longer cost effective for us. I'm currently labbing up ntopng, and it's reasonable. I've previously used Plixer and found it lacking. I'm more interested in free-as-in-speech than zero cost; supportability is important, etc.
Route-map question
Posted: 03 Nov 2020 03:24 PM PST

I'm trying to create a network diagram from some command outputs (sh run, sh int, sh ip bgp, etc.). The particular device I'm working on now is a Cisco Nexus 7k. The iBGP AS is xxxxxx. I'm very confused about one particular route-map; here is the output:

So I look up route-map BGP-UNTRUSTED and find this:

Finally the prefix-lists:

Correct me if I'm wrong here, but isn't the first route-map statement saying: Deny permit 10.90.0.0/16? Why would someone do this?
Intel now has a WiFi 6E wireless card
Posted: 03 Nov 2020 03:23 PM PST

https://ark.intel.com/content/www/us/en/ark/products/204836/intel-wi-fi-6e-ax210-gig.html

I'd be interested in seeing how they do the 6GHz antenna. Now we just need some 6E access points. I think we will start to see those announced in Q1 2021.
Google Services and Cogent (US)
Posted: 03 Nov 2020 11:16 AM PST

Anyone else having issues with Cogent and Google? Our local ISP uses Cogent for its upstream provider and we keep having on and off issues over the last week with Google services not working (mostly Calendar). We're on the East Coast. This has happened in the past, and I'm confident the issue is with Cogent and its hand-off to another provider (seems to be a common issue with them). Traceroute dies after it hits New York.
ASA Alerts In a Daily Email
Posted: 03 Nov 2020 01:40 PM PST

I'm trying to figure out how I could configure my ASA to send me 1 email per day with all the AnyConnect connection successes for that day. I can't figure out if it's possible just using the ASA.
Proxy VS DNS questions.
Posted: 03 Nov 2020 01:38 PM PST

I have been watching an old Eli the Computer Guy video about proxies and he basically listed out the 2 pros of running a proxy as:
- Cache
- Whitelisting / blacklisting

I was under the impression that DNS can do the same thing and also caches websites for faster speeds. I still need a proxy and know what they are good for, just confused on why a proxy would be better than DNS for these two points?
Connection to server only works with Windows Store AnyConnect, otherwise I get ERR_NAME_NOT_RESOLVED
Posted: 03 Nov 2020 09:32 AM PST

I am having a strange issue: since last week the connection to the host only works with the Windows Store "AnyConnect" app, not with the "AnyConnect Secure Mobility Client" application I've been using normally. If I use the regular app, I get the error "ERR_NAME_NOT_RESOLVED" when I try to open the webpage. I haven't changed anything in the configuration; it just started out of the blue for all our users, and I have no clue what may be the reason for that.
Velocloud Edge - 1:1 Nat to another public IP?
Posted: 03 Nov 2020 12:46 PM PST

Hi all, can the VeloCloud NOT 1:1 NAT to another IP from the same block? I.e., the WAN-facing interface is 1.1.1.1/29. Can I not put another FW behind that Edge with an IP of 1.1.1.2/29? It looks like the only way this is possible is if I put a private IP address on the WAN port of my downstream FW.
Potential VLAN Issue?
Posted: 03 Nov 2020 12:19 PM PST

Just inherited a problem at a site that has a main building complex and then a small centre about 1 km away that's physically linked by a dedicated leased line. The overall issue is that the centre has no network connectivity, whereas the main complex is fine. The entire network is logically segmented into VLANs. Everything in the centre is configured to feed off the main complex (i.e. DHCP, DNS, WiFi, Internet etc.) where all of the core devices reside. Core devices (servers, switches, router etc.) sit within VLAN1 on a 10.12.12.0/24 network. The backbone consists of a mixture of Cisco SMB and TP-Link switches, all with static IPs. An L3 Cisco SG300 carries out the routing.

The main DC (DC01) is situated within another cabinet in the main complex away from where the link between both buildings comes in, so at present there are several truncated switches in between for the devices in the centre to communicate with the main DC. This handles all VLAN addressing. They do have a failover DC (DC02) that is situated at the centre. Both have static IPs.

Now, I can ping DC01 to DC02 and vice versa, and I can also remote into DC01 and RDP over to DC02, so I know for sure that the physical link is intact. However, I can't ping or access the switch IPs in the centre from DC01, and also any switch IPs in the main complex from DC02. I don't see how I can ping and remote from DC to DC but can't ping any switches on the other side, as I thought that by default all untagged packets would be associated with VLAN1, where all the core devices sit, plus traffic must go through switches on either side in order for me to connect from DC to DC. This might need some clarification on how this works. Today was just a fact-finding mission, so I should have the tools and access to troubleshoot going forward, but what I'm angling towards is a possible VLAN issue.

Basically, it was all fine before some VOIP installers came in, and I'm assuming they messed around with tagging ports on switches. What I'm going to start with tomorrow is to work my way backwards to the main DC, checking to make sure that the truncated ports between switches are set to trunk with VLAN1 untagged and all other relevant VLANs tagged. Do you think this is a good starting point? Like I said, the main complex is fine, but for some reason no devices connected to the switches in the centre can obtain a DHCP address from its respective VLAN, even when connecting to a port I've set to VLAN1, but I can communicate from DC to DC. Just wanted to brainstorm potential causes and ideas on where and what to troubleshoot to see if I can find anything glaring or missing. Any tips and/or explanations would be greatly appreciated.
Connecting Dell S4048-ON & S5232F-ON using 40G DAC
Posted: 03 Nov 2020 01:24 AM PST

Just purchased a Dell S5232F-ON 100G switch for BeeGFS-ing our GPU servers. I wanted to connect the S5232F-ON (S5K) to our existing S4048-ON (S4K) switch stack using the fastest connection possible, which Dell said was using a 40G Twinax DAC cable. Both switches have the latest firmware version. The S4K switch is not set to quadport mode and I've tried setting the S5K to use breakout map 40g-1x and feature auto-breakout, which basically does the same. Either way, both switches say "port up, line protocol down". On both switches, it correctly detects the DAC cable (from Dell) and will even show its serial number. I've also tried another known good DAC cable. This is with a minimal configuration: no LAG, no VLAN etc. LLDP does not show anything. Looking at the logs, there are no errors; it doesn't appear to have been shut down by Spanning Tree etc. With the same minimal configuration, connecting both switches using 10G MM SR SFP+ works fine and it shows up in LLDP. I've already sent the show tech to Pro Support and it's baffled them. Any ideas?
DNS question - why using a recursive resolver (e.g. 1.1.1.1 or your ISP's) instead of running it locally and querying directly the DNS root servers?
Posted: 03 Nov 2020 07:51 AM PST

I couldn't find an answer to this one. Netgate says in the pfSense docs that the resolver (unbound) that is installed and enabled by default ignores any recursive name servers set and instead queries the root servers directly, unless configured otherwise (https://docs.netgate.com/pfsense/en/latest/services/dns/resolver.html).

So I was thinking, from a privacy point of view, why have an intermediate and send them all your browsing history? Cloudflare implements, for example, DNS over TLS, DNS over HTTPS and even encryption of SNI (so "your ISP can't really see the names you are querying"). But ISPs can see the IPs you are accessing and, therefore, can trace back the IPs to their corresponding names. It looks like a bogus sense of privacy only to convince the users to send them their DNS requests. Besides, running it locally could bypass censorship on the DNS level (yes, it happens sometimes in my country, very "democratic") and the local cache could not only speed things up but also really improve privacy by reducing the number of queries sent through the WAN (and, obviously, excluding intermediates).

Idk, maybe I am misunderstanding the functionality of the DNS stack. Am I missing something? Could someone help elaborate? Thanks!
You are subscribed to email updates from Enterprise Networking Design, Support, and Discussion.