
    Thursday, January 21, 2021

    Blogpost Friday! Networking


    Blogpost Friday!

    Posted: 21 Jan 2021 04:00 PM PST

    It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

    Feel free to submit your blog post, as well as a nice description, to this thread.

    Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.

    submitted by /u/AutoModerator
    [link] [comments]

    Any thoughts on current best practice surrounding iSCSI segmentation when moving to 40G or 100G?

    Posted: 21 Jan 2021 07:49 AM PST

    Conventional wisdom for years and years has been segment your iSCSI traffic onto separate physical interfaces/hardware. Never combine iSCSI and your data traffic onto the same NIC. This worked well in the 1G days, and this thinking extended as the industry moved to 10G. I remember hot debates whether or not jumbo frames were still relevant once you moved servers and storage into 10G.

    Now that 40G/100G is cheaper and cheaper our organization is moving our SANs over to 40G. Our VM host servers are currently running 4x10G: active/passive for DATA, and active/passive for iSCSI. I'd like to hear from others that have moved their servers to 40G or beyond and what you're doing as it relates to iSCSI and DATA traffic sharing the same physical 40G interface. Are you continuing to segment on separate physical interfaces? If not, have you noticed any performance issues when DATA and iSCSI share a single 40G link? Or have you seen that once you move into 40G your bandwidth is now more than what your servers can push, and thus it's safe to bring iSCSI and DATA back onto the same physical interface?

    (All the above is assuming enterprise datacenter level hardware, i.e. Cisco Nexus, Intel/Broadcom/Mellanox NICs, ESXi vSphere clusters, etc.)

    submitted by /u/cyr0nk0r
    [link] [comments]

    [Question] Can we create Multiple VPC domains on N9K

    Posted: 21 Jan 2021 05:46 AM PST

    Hi All,

    I am currently at the center of a deployment for N9K switches, and in that we are planning to configure vPC between 2 switches and also vPC with the upstream core switch. I need to know if I can create 2 vPC domains. I have never done dual vPC domains on N9K, thus I am not sure whether it will work.

    I have tried to configure this on one of the switches and it failed, as it displayed that 2 vPC domains cannot be configured simultaneously.

    Can you help me with an example or a link to one? That would be helpful, thank you.

    Edit:

    This is what I am trying to achieve.

    [Updated Sample Architecture](https://imgur.com/a/b07TRxr)

    submitted by /u/efex92
    [link] [comments]

    Tool for locating underground Cat 5?

    Posted: 21 Jan 2021 11:25 AM PST

    Hey,

    Typical toners like the Fluke MicroScanner are not sensitive enough to locate buried Cat 5 (which makes sense, that's not the intention of the device). Has anyone found a reliable tool for this? The goal is to locate a Cat 5 cable underground, and both ends of the cable are accessible (so I have the ability to connect both the toner and a receiver on the other end).

    Thanks!

    submitted by /u/jonmali
    [link] [comments]

    Any experiences with the Cisco Nexus 9300 FX3S model?

    Posted: 21 Jan 2021 07:11 AM PST

    Hello,

    I'm in the market for new Nexus 9K switches and while I was looking to buy 9300-EX, I came across the newer FX3S: https://www.cisco.com/c/en/us/support/switches/nexus-93180yc-fx3s-switch/model.html

    However, it seems there is not much info about the model at the moment other than the datasheet. I was hoping for some Cisco Live documentation or other info, but couldn't find any. Does anyone have more info or experience with this model? Is it using the same silicon as the regular FX? The list price is nearly the same as the EX series and cheaper than the "regular" 9300-FX. Looking at the specs it is an obvious upgrade from the EX series for nearly the same price. Any hands-on experience is highly appreciated.

    It seems to be targeted at the low-latency market, but at the same price as the EX it seems interesting for other markets too.

    Thanks a lot!

    submitted by /u/Sjaak24
    [link] [comments]

    Cisco Nexus to Juniper QFX5100 with 40 Gbps

    Posted: 21 Jan 2021 08:23 AM PST

    I may have to source optics to connect Cisco Nexus switches to Juniper QFX5100 switches.

    The intention is to use existing multimode fibers for some of the links, as well as single mode for the other links.

    For single mode, I've eyed these modules:

    Cisco WSP-Q40GLR4L=

    Juniper JNP-QSFP-40GE-IR4

    They appear to have the same characteristics, SMF and LC connectors, using four different wavelengths in the 1300 nm range. They are rated for up to 2 km, which is plenty in this case.

    Can anyone say for certain these will create link, or for certain say they are incompatible?

    I've also looked at the equivalent third party generic part, apparently QSFP-IR4-40G.

    For multimode, there are a few options.

    Cisco QSFP-40G-CSR-S

    Juniper JNP-QSFP-40G-LX4

    To me, this looks an awful lot like BiDi modules, which would be these.

    Juniper JNP-QSFPP-40G-BXSR

    Cisco QSFP-40G-SR-BD

    Same thing here, MMF fiber using LC (don't really want to deploy MPO cables). Also, same question as with SMF. Will this work at all? If yes on both options, is any one of them preferred? The switches are likely in adjacent racks.

    submitted by /u/ChannelTapeFibre
    [link] [comments]

    DPI Fortigate?? - Certificate Deploy Mobile Device to School

    Posted: 21 Jan 2021 11:39 AM PST

    First, my English is bad, I used Google translate.

    I have implemented FortiGate devices with content filtering and it works fine. Right now I am implementing a 60F in a school, and the content filtering works great when I apply DPI (I have to install the certificates). I understand that with GPOs I can distribute certificates to computers. But in this school the students carry their cell phones and need to access the network. To block traffic or even enable SafeSearch I need to install certificates on those mobile devices. How can I do this in the simplest way? I know I can enable DNS redirects for SafeSearch to work, but I WANT TO USE the full filtering that FortiGate offers me. The number of mobile devices is large, so I would like to enable a site where the students themselves can download the certificates without the intervention of IT staff. Is it a very complex option? Because nowhere have I found an answer to this.

    submitted by /u/Electrical-Win-2047
    [link] [comments]
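    The post above asks for a self-service way to get a TLS-inspection CA onto student phones. What follows is an added example, not code from the post or from Fortinet: given the FortiGate deep-inspection CA certificate in PEM form (exported from the firewall; only the public certificate, the private key stays on the FortiGate), it computes the SHA-256 fingerprint that IT should publish next to the download link so students can compare it with what the phone displays, and wraps the certificate in an Apple configuration profile (.mobileconfig) for iOS; Android and Windows take the plain DER file. The PEM body below is a constructed placeholder, not a real certificate, and the organization identifier and file names are assumptions. Two caveats a practitioner will want: on iOS, after installing the profile the user must still enable full trust under Settings > General > About > Certificate Trust Settings, and apps that pin their own certificates will keep failing under inspection no matter how the CA is distributed.

```python
import base64
import hashlib
import plistlib
import uuid

# Constructed placeholder standing in for the CA exported from the FortiGate
# (System > Certificates). These bytes are NOT a real X.509 certificate; a real
# run reads the PEM file from disk instead.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed-placeholder-der-bytes-for-example").decode()
    + "\n-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body into DER."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        raise ValueError("not a PEM certificate")
    return base64.b64decode("".join(lines[1:-1]))


def fingerprint_sha256(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of the DER certificate, the value to
    publish so users can verify the CA before trusting it."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def build_mobileconfig(der: bytes, org: str, display_name: str) -> bytes:
    """Apple configuration profile carrying one root certificate payload.
    Identifiers are illustrative; only the public certificate is embedded."""
    cert_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.fortigate-ca.cert",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": der,  # plistlib writes bytes as a <data> element
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.fortigate-ca",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadOrganization": org,
        "PayloadContent": [cert_payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def parse_mobileconfig(blob: bytes) -> dict:
    """Read a profile back, to sanity-check the output before publishing it."""
    return plistlib.loads(blob)


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("Publish this fingerprint next to the download link:")
    print(fingerprint_sha256(der))
    profile = build_mobileconfig(der, "example.school", "School web filter CA")
    with open("fortigate-ca.mobileconfig", "wb") as f:   # iOS
        f.write(profile)
    with open("fortigate-ca.crt", "wb") as f:            # Android / Windows (DER)
        f.write(der)
```

    Serve the two files and the fingerprint from a page that is reachable before inspection kicks in (for example from a firewall policy that exempts the download host from deep inspection), otherwise the first visit to the page is itself blocked by the untrusted CA.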

    Encrypting Tapped Traffic?

    Posted: 21 Jan 2021 03:06 PM PST

    I'm looking for a way to take the network traffic that I am tapping off of a few layer 2 links with a network tap and have it encrypted/tunneled over a private WAN.

    I'm taking traffic from edge sites and sending it all to a central IDS.

    I'm guessing I need some sort of hardware agent that takes the data in and tunnels it into an encrypted protocol at my source and destination.

    Does anyone know of any vendors or solutions for this?

    submitted by /u/phantom_mood
    [link] [comments]

    Need help extending L2 (arps, broadcasts, etc.) traffic from lab to AWS VPC subnet

    Posted: 21 Jan 2021 12:09 PM PST

    Hello all. I hope someone can help me or point me in the right direction. So what we're trying to accomplish is what the title says, bridge our lab network with a network in the AWS cloud. The reason being, we'd like to be able to capture L2 traffic on an instance in AWS that originates from our lab.

    Here is our current setup:

    LAB-SN(10.10.10.0) -> RTR -> VPN TUNNEL -> AWS_RTR -> AWS-SN (10.10.10.0)

    Some things to note:

    -both networks, cloud and on-premise, need to be on the same network

    -both routers have LISP enabled and it is working as intended

    ---Local router is the xTR, MS, and MR

    ---AWS router is the xTR

    -OSPF is configured and neighbors are seen on both routers

    The big question is, is there a technology or feature that I need to be using to accomplish this? As you can tell, I thought LISP was going to allow us to do this, but the L2 functionality isn't working as intended. I'm looking into OTV/LISP but I don't think we have the hardware to support this. Any help will be greatly appreciated! If you have any questions, let me know. Thanks again!!!

    submitted by /u/alvarorodriguez713
    [link] [comments]
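    Both the "Encrypting Tapped Traffic?" post and the lab-to-AWS post above need raw Ethernet frames (ARP, broadcasts, whatever a tap sees) carried over an IP network that will not forward them natively: a routed VPN drops them, and a VPC has no L2 broadcast domain at all. The usual answer is to encapsulate the frames (VXLAN, GRETAP, ERSPAN) between two endpoints, and, because VXLAN itself has no confidentiality or integrity, to run the encapsulated UDP stream inside WireGuard or IPsec across the WAN. The block below is an added example, not code from either post: it implements the VXLAN header (RFC 7348) in pure Python, the same 8 bytes a Linux `ip link add ... type vxlan` endpoint or a VTEP on an EC2 instance puts in front of each frame, with the validation a receiving endpoint should do before handing the inner frame to an IDS or a bridge. The sample frame is a constructed broadcast ARP request; the MAC addresses, IPs and VNI are assumptions, and nothing is sent on the wire.

```python
import socket
import struct
from typing import Tuple

VXLAN_UDP_PORT = 4789      # IANA-assigned VXLAN port (RFC 7348); dst port of the outer UDP
VXLAN_FLAG_I = 0x08        # "VNI present"; the only flag bit RFC 7348 defines
ETHERTYPE_ARP = 0x0806


def vxlan_encap(frame: bytes, vni: int) -> bytes:
    """Prefix a raw Ethernet frame with the 8-byte VXLAN header:
    flags(1) reserved(3) VNI(3) reserved(1). The result is the UDP payload a
    VTEP sends to port 4789. It is unauthenticated, so across a WAN it belongs
    inside an encrypted tunnel."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8) + frame


def vxlan_decap(payload: bytes) -> Tuple[int, bytes]:
    """Validate and strip the header, returning (vni, inner_frame). Reserved
    bits must be zero and the I flag set; anything else is rejected rather
    than forwarded."""
    if len(payload) < 8 + 14:
        raise ValueError("too short for a VXLAN header plus an Ethernet header")
    flags, r1, r2, r3, word = struct.unpack("!BBBBI", payload[:8])
    if flags != VXLAN_FLAG_I or (r1, r2, r3) != (0, 0, 0) or word & 0xFF:
        raise ValueError("malformed VXLAN header")
    return word >> 8, payload[8:]


def is_vxlan(payload: bytes) -> bool:
    """True if the payload carries a well-formed VXLAN header."""
    try:
        vxlan_decap(payload)
        return True
    except ValueError:
        return False


def ethernet_summary(frame: bytes) -> dict:
    """Decode the 14-byte Ethernet header of the inner frame."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype,
            "broadcast": dst == b"\xff" * 6}


def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Constructed sample input: a broadcast ARP request, the kind of frame the
    lab-to-AWS post wants to see arrive on the far side."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    eth = b"\xff" * 6 + smac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,      # Ethernet/IPv4, request
                      smac, socket.inet_aton(sender_ip),
                      b"\x00" * 6, socket.inet_aton(target_ip))
    return eth + arp


if __name__ == "__main__":
    frame = build_arp_request("02:00:0a:0a:0a:05", "10.10.10.5", "10.10.10.20")
    pkt = vxlan_encap(frame, 4242)
    print("VXLAN payload header:", pkt[:8].hex(), "followed by", len(frame), "byte frame")
    vni, inner = vxlan_decap(pkt)
    print("VNI", vni, ethernet_summary(inner))
```

    For the tap case, the capture side sends every tapped frame this way to the IDS side over the tunnel and the IDS decapsulates into a local interface; for the AWS case, both ends also bridge the decapsulated frames into the local segment so ARP and broadcasts cross. Keep the outer UDP port closed to anything but the tunnel peer: an endpoint that accepts VXLAN from arbitrary sources lets anyone on the WAN inject frames into the far-side L2 domain.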

    Understanding of Telco / ISP setup with broadband - Can someone explain the physical setup (UK)

    Posted: 21 Jan 2021 03:12 AM PST

    Hi all,

    Slightly embarrassed to say that in all my years as a network engineer, I don't understand the physical setup of how 'broadband' is provided to a home user. I understand campus and security technologies, but when delving into WANs or ISP land I'm miffed!

    I'll explain my understanding and hopefully someone can expand on this or just outright correct me :)

    I will refer to broadband (not fibre) as it's the copper layout and the path to the exchange/ ISP I want to understand.

    I'm going to use a block of flats as a basis to try and understand/explain how I understand it.

    So from a customer's flat they'll usually have at least a pair of copper cables from a BT socket, which will terminate into a junction box. This will either be a comms room on the premises of the flats or one of those green telephony boxes usually located in the road. I'm assuming this copper pair is usually run no longer than 100m, in the same way that UTP runs should not be longer than 100m?

    From there the local loop is used (which is copper?) to the local telephony exchange, into some sort of switched housing where it's handed off to an ISP router? If the above is loosely correct, when it comes to the local loop, generally speaking how much bandwidth can it support?

    What I don't understand really is how certain ISPs can offer X amount of bandwidth but others can offer an alternative amount when the copper lines remain the same to the exchange? Do they own an amount of cabling or bandwidth for the local loop?

    Sorry a lot of daft questions, but any advice or decent resources to understand this would be greatly appreciated.

    submitted by /u/Wendallw00f
    [link] [comments]

    Aruba (Procurve) 2530 SSH from internet safe with no firewall?

    Posted: 21 Jan 2021 10:27 AM PST

    I have never hung a switch out with direct internet access without a firewall before.

    That is, every switch I have installed in the last 10 years has been behind either a FortiGate, PF, or similar and with no direct access to the management VLAN.

    For reasons (remote location, no other OOB) I need to do it now. This would be an Aruba (formerly Procurve) 2530 with fairly up to date firmware. I tried looking over the current CVE but I think I need more sleep first. Web interface would be disabled.

    This would actually be two 2530 switches replacing a pair of fiber media converters so that we can get some actual interface statistics.

    ISP <--> 2530 <--> fiber <--> 2530 <--> bunch_of_other_crap

    ISP <--> 2530 <--> fiber <--> 2530 <--> FortiGate <--> bunch_of_other_crap

    Ok? Horrible?

    submitted by /u/fibercaustic
    [link] [comments]
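    The post above is about exposing an Aruba 2530's management plane directly to an ISP link with only SSH open. What follows is an added example, not from the post or from HPE/Aruba: a small audit over a running-config, run before the switch goes live, that flags the settings a practitioner would want changed on an internet-facing ArubaOS-Switch. The two configs are constructed excerpts, not the poster's; the model code, firmware string and addresses are assumptions. One detail the check relies on, and which is easy to miss when eyeballing a config: on these switches the services that are on by default (telnet, the web UI) only appear in `show running-config` once they have been turned off, as `no telnet-server` and `no web-management`, so the absence of a line means the service is still enabled. Command names are as the editor knows them on 16.x firmware; confirm on the switch after applying them.

```python
import re
from typing import List, Tuple

# Constructed excerpt: SSH on, nothing else touched. Telnet and the web UI are
# still enabled here because no "no telnet-server"/"no web-management" line exists.
RISKY_CONFIG = """\
; J9775A Configuration Editor; Created on release #YA.16.10.0013
hostname "edge-2530-a"
snmp-server community "public" operator
ip ssh
vlan 1
   name "DEFAULT_VLAN"
   ip address 203.0.113.10 255.255.255.0
   exit
"""

# Constructed excerpt of the same switch after hardening.
HARDENED_CONFIG = """\
; J9775A Configuration Editor; Created on release #YA.16.10.0013
hostname "edge-2530-a"
no telnet-server
no web-management
ip ssh
ip authorized-managers 198.51.100.0 255.255.255.0 access manager
snmp-server community "n0tpubl1c" operator restricted
vlan 1
   name "DEFAULT_VLAN"
   ip address 203.0.113.10 255.255.255.0
   exit
"""


def _lines(config: str) -> List[str]:
    """Config lines with indentation and the ';' header comment removed."""
    return [l.strip() for l in config.splitlines() if l.strip() and not l.startswith(";")]


def audit_exposed_switch(config: str) -> List[Tuple[str, str]]:
    """Return (tag, message) findings for a switch that will face the internet."""
    lines = _lines(config)
    findings = []
    if "no telnet-server" not in lines:
        findings.append(("telnet", "telnet is on by default; add 'no telnet-server'"))
    if not any(l.startswith("no web-management") for l in lines):
        findings.append(("web", "web UI is on by default; add 'no web-management'"))
    if "ip ssh" not in lines:
        findings.append(("ssh", "SSH not enabled; 'crypto key generate ssh rsa bits 2048' then 'ip ssh'"))
    managers = [l for l in lines if l.startswith("ip authorized-managers ")]
    if not managers:
        findings.append(("mgmt-acl", "no 'ip authorized-managers' entries: SSH reachable from any source"))
    for l in managers:
        parts = l.split()
        # Mask is optional; a single host (255.255.255.255) is the default.
        mask = parts[3] if len(parts) > 3 and re.match(r"\d+\.\d+\.\d+\.\d+$", parts[3]) else "255.255.255.255"
        if mask == "0.0.0.0":
            findings.append(("mgmt-acl", f"'{l}' permits every source address"))
    for l in lines:
        if re.match(r'snmp-server community "(public|private)"', l):
            findings.append(("snmp", f"default community in '{l}'; remove it or restrict SNMP"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("risky", RISKY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for tag, msg in audit_exposed_switch(cfg) or [("ok", "no findings")]:
            print(f"  [{tag}] {msg}")
```

    The management ACL is the important one: with `ip authorized-managers` limited to the addresses you administer from, a future SSH bug in the firmware is only reachable from those sources, which is the closest thing to a firewall the poster's topology allows. SSH key authentication instead of passwords and a review of the current advisories for the running release round it out.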

    Small business networking setup

    Posted: 21 Jan 2021 12:05 PM PST

    Hi all,

    Doing a setup for a business and am a bit confused on how best to do this.

    DSL is all they have to work with in the area, and they are currently running a modem/router combo to use VoIP office phones, a file server and WiFi. There is a WiFi booster on the upper floor, but it uses a different SSID than the main unit.

    I need to bridge the LAN to a building behind the main building about 50 feet away, and I ordered a Ubiquiti NanoStation to mount on the outside to connect wirelessly to the main network and drop Ethernet to a control panel on a kiln. The idea is to be able to read data off the kiln from the main network.

    What am I missing with the general networking setup inside/ will the nanostation solution work ok?

    Thanks in advance

    submitted by /u/stewmanking
    [link] [comments]

    Dual WAN one is WiFi

    Posted: 21 Jan 2021 03:12 PM PST

    Is it possible to have something like an Edgerouter X with dual wan and dual LAN and dual NAT? The second WAN using a bridged wireless AP?

    And what kind of AP would you recommend? Is there an AP that can be a client bridge? (Is that what it's called) so that I could attempt this idea?

    Background - crazy. Have devices on a subnet of a customer network. We are putting an EdgeRouter in to NAT from that subnet to have more IPs and using port forwards. No internet on this. I'd like to use their vendor WiFi for one of my devices which doesn't have WiFi so it can reach the internet. So I need a WiFi bridge for that device, but I wonder if I could just make my EdgeRouter NAT that WiFi so I have more available connections from a single WiFi connection. So I am just adding an access point of sorts and using the EdgeRouter dual WAN. Assuming the EdgeRouter, or a router in general, will do that (dual WAN/LAN/NAT etc.) like two routers in one. That's a little simplified but the gist. Happy to go deeper and more detailed on specifics.

    submitted by /u/tkst3llar
    [link] [comments]

    How to configure a SonicWall TZ350 for internal network segregation?

    Posted: 21 Jan 2021 02:48 PM PST

    I've got a network that currently has a Netgear FVS318 segregating a portion of devices. This firewall was installed via Shadow IT and I want to replace it. I've got some SonicWall TZ350s so I might as well use one of those.

    Sadly networking is one of my weak points and I don't really have anyone I can talk to in person about it.

    If this were just a standard switch, I'd be able to just set

    interface Vlan1
     ip address 192.168.99.1 255.255.255.0
     ip helper-address <primary DHCP>
     ip helper-address <secondary DHCP>

    and be done. (I think. Like I said, networking is a weak point...)

    Right now:

    The Netgear firewall has a statically-assigned IP address. It has its own DHCP server that gives out addresses to everything behind it.

    The network diagram isn't very exciting: https://i.imgur.com/ayKoqsG.png

    Ideal result:

    All hosts behind the firewall:

    • get DHCP-assigned addresses from our primary DHCP server and not from the firewall.
    • Are on a separate subnet than the rest of the network
    • Are subject to firewall rules
    • Are subject to DPI on ingress and egress.

    Issues that I'm running into:

    IP Helper address doesn't appear to be working and I can't figure out why. Once I get this, I think everything else will fall into place.

    Settings

    The SonicWall has the following settings:

    • X0: 192.168.99.254 (static), LAN Zone
    • X1: 192.168.1.99 (DHCP-assigned), WAN Zone
    • DHCP Server: Disabled
    • IP Helper: Enabled for DHCP and DNS
      • Policy DHCP: Source X0, Destination "Domain Controllers" (group consisting of both DCs)
      • Policy DNS: Source X0, Destination "Domain Controllers"
    • Firewall: no changes have been made to default rules.

    I've researched the various SonicOS features. I don't think I want Transparent Mode or L2 Bridge Mode because I do not want there to be a common subnet across the X0 (LAN) and X1 (WAN) interfaces. I do want a common subnet across X0, X2, X3, and X4 though, if possible (if not I'll just throw a switch behind the firewall).

    I'm assuming someone's done this before. Am I just not Googling the right terms?

    submitted by /u/myquestions813
    [link] [comments]
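    The SonicWall "IP Helper" in the post above is a DHCP relay, and the thing worth understanding when it "doesn't work" is what the relay does on the wire. It forwards the client's broadcast DISCOVER/REQUEST as unicast to the configured servers with the giaddr field set to the address of the interface the broadcast arrived on (X0, 192.168.99.254 here), and the server picks a scope by giaddr, not by the relay's source address. If the Windows DHCP servers have no scope covering 192.168.99.0/24, they have nothing to offer and do not answer, which from the firewall looks exactly like a broken helper. The block below is an added example, not SonicOS or Microsoft code: it builds a DISCOVER the way a client sends it, applies the relay transformation from RFC 1542, and shows server-side scope selection against two constructed scope tables, one without and one with the firewall-side subnet. The MAC, transaction id and addresses are assumptions.

```python
import ipaddress
import struct
from typing import Dict, List, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MESSAGE_TYPE, OPT_END = 0, 53, 255
DHCPDISCOVER = 1
MAX_HOPS = 4              # RFC 1542 default relay threshold; requests beyond it are dropped

# Fixed part of a BOOTP/DHCP message (RFC 2131 section 2): 236 bytes.
# op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
_FIXED = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")


def build_discover(client_mac: str, xid: int = 0x3903F326) -> bytes:
    """DHCPDISCOVER as it leaves the client: hops 0, giaddr 0.0.0.0, broadcast flag set."""
    mac = bytes.fromhex(client_mac.replace(":", ""))
    zero = b"\x00" * 4
    fixed = _FIXED.pack(
        1,                 # op: BOOTREQUEST
        1, 6,              # htype Ethernet, hlen 6
        0,                 # hops: clients always send 0
        xid,
        0,                 # secs
        0x8000,            # flags: broadcast bit (client has no address yet)
        zero, zero, zero, zero,        # ciaddr, yiaddr, siaddr, giaddr
        mac.ljust(16, b"\x00"),        # chaddr
        b"\x00" * 64, b"\x00" * 128,   # sname, file
    )
    options = bytes([OPT_MESSAGE_TYPE, 1, DHCPDISCOVER, OPT_END])
    return fixed + MAGIC_COOKIE + options


def parse_dhcp(msg: bytes) -> Dict[str, object]:
    """Decode the fields a relay and a server care about."""
    f = _FIXED.unpack(msg[:_FIXED.size])
    if msg[_FIXED.size:_FIXED.size + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, _FIXED.size + 4
    while i < len(msg):
        tag = msg[i]
        if tag == OPT_PAD:
            i += 1
            continue
        if tag == OPT_END:
            break
        length = msg[i + 1]
        opts[tag] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": f[0], "hops": f[3], "xid": f[4], "flags": f[6],
        "giaddr": str(ipaddress.IPv4Address(f[10])),
        "chaddr": f[11][:f[2]].hex(":"),
        "message_type": opts.get(OPT_MESSAGE_TYPE, b"\x00")[0],
    }


def relay_to_server(msg: bytes, relay_if_ip: str) -> Optional[bytes]:
    """What an IP helper does before unicasting the request to each server from
    port 67: drop it if it has been relayed too often, bump hops, and set giaddr
    to the receiving interface's address. Only the first relay sets giaddr; a
    second relay in the path must leave it alone so the server still sees the
    client's subnet."""
    f = list(_FIXED.unpack(msg[:_FIXED.size]))
    if f[3] > MAX_HOPS:
        return None
    f[3] += 1
    if f[10] == b"\x00" * 4:
        f[10] = ipaddress.IPv4Address(relay_if_ip).packed
    return _FIXED.pack(*f) + msg[_FIXED.size:]


def select_scope(giaddr: str, scopes: List[str]) -> Optional[str]:
    """Server side: the scope whose network contains giaddr, or None, in which
    case the server has nothing to offer and the client never gets a reply."""
    addr = ipaddress.IPv4Address(giaddr)
    for scope in scopes:
        if addr in ipaddress.IPv4Network(scope):
            return scope
    return None


# Constructed scope tables on the DCs: before and after adding the X0 subnet.
SCOPES_BEFORE = ["192.168.1.0/24"]
SCOPES_AFTER = ["192.168.1.0/24", "192.168.99.0/24"]

if __name__ == "__main__":
    discover = build_discover("00:11:22:33:44:55")
    relayed = relay_to_server(discover, "192.168.99.254")
    giaddr = parse_dhcp(relayed)["giaddr"]
    print("giaddr seen by server:", giaddr)
    print("scope before:", select_scope(giaddr, SCOPES_BEFORE))
    print("scope after: ", select_scope(giaddr, SCOPES_AFTER))
```

    Two checks follow from this. First, the DHCP server must have a scope for 192.168.99.0/24 with the firewall's X0 address as the router option. Second, the relayed unicast to the DCs and the reply back to 192.168.99.254 on UDP 67 both cross X1 into the LAN zone, so the default firewall rules have to allow that path; a capture on the DC for UDP 67 from 192.168.99.254 tells you in seconds which of the two is missing.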

    fs.com alternative around the same price level?

    Posted: 21 Jan 2021 01:50 PM PST

    Hey,

    Can someone recommend a competitor to fs.com that is on the same price level?
    Even if it is a company only found in alibaba it could be interesting.

    Basically anyone you've dealt with before and that you can recommend.

    If I can deal with the factory themselves that's even better.

    submitted by /u/barhom
    [link] [comments]

    Advice on Cisco Security Role Certifications

    Posted: 21 Jan 2021 11:43 AM PST

    Hi everyone

    That time of the year has come around and I have to get one of these three certifications: Implementing Cisco Secure Access Solutions exam (300-208 SISAS), Implementing and Configuring Cisco Identity Services Engine exam (300-715 SISE), Securing Networks with Cisco Firepower exam (300-710 SNCF). I'm currently leaning towards SNCF because I have some Firepower experience, but I would like to hear what some of you think about them.

    PS: I am also trying to take into account which certification is most practical and usable.

    Thanks in advance.

    submitted by /u/icantfixprinters
    [link] [comments]

    802.1X and Web-Auth Precedence - Same Port

    Posted: 20 Jan 2021 11:02 PM PST

    Hey guys,

    Wondering if anyone has experience with this.

    I am in the process of setting up 802.1X authentication on the LAN for one of our clients. The edge switches they are using are Aruba 2930Fs and the NAC product they are using is called Extreme Networks A3. Unfortunately, I am not familiar with Extreme Networks, so my own naivety with that could be part of the issue.

    Basically, I have got 802.1X working with certificates on the machines and with user credentials based on AD security groups - pretty run of the mill stuff. I also have web-auth working using the native Aruba default page.

    What I would like to do is set it up so that users can authenticate with the cert or if they don't have the cert, they authenticate via web-auth. This means that I want to have 802.1X and Web-Auth both enabled on all access ports.

    I have managed to get both 802.1X and web-auth enabled on the ports but when I test, it only seems to try and authenticate with one OR the other (depending how the adapter is configured). I would like it to try the cert first and then failing that, try web-auth.

    I have seen guides using Captive Web Portal with Aruba Clearpass for this scenario but thus far I have not been able to get Captive Portal working in A3.

    Thank you for any advice.

    submitted by /u/Riche98
    [link] [comments]

    SAML authentication on captive portal

    Posted: 21 Jan 2021 02:11 AM PST

    Hi all,

    Our customer wants to authenticate their employees via Azure AD SAML authentication in their guest SSID with Aruba ClearPass and an Aruba WLC.

    The SAML part works fine, but I can't wrap my head around how to change the User-role (basically the user ACLs) after the authentication.
    The controller is configured to intercept traffic for unauthenticated users and forward it to the ClearPass captive portal. The Captive portal forwards to Microsoft, the user authenticates, and is returned to Clearpass. And then I'm stuck. I can see user data from Azure, but I don't know how I could return something to the controller.

    The user is stuck on a "captive portal loop" because I never change the role to one that doesn't intercept.

    The thing is, that in ClearPass there is no request from the controller that ClearPass could return a new user role to. And I also don't see any user-specific information, except what I get from Azure, so I can not cache the MAC or anything.

    In ClearPass I can only see a request coming from the guest application.

    Maybe I'm missing something or am I using SAML for what it wasn't intended for?

    submitted by /u/Linkk_93
    [link] [comments]

    OTA/Wireless NIC capture on windows?

    Posted: 20 Jan 2021 08:10 PM PST

    I know on Mac this can be done easy. But with windows I'm not finding a way to do this.

    I'm not looking for a Wireshark capture on the wireless NIC. I'm looking for a full-on promiscuous wireless capture to gather all RF frames.

    For example, if I want to find who's at fault, the AP or the client, when EAP is going unanswered (AP not sending, or client ignoring/not responding).

    I think Kali Linux can do this, but I am not familiar with it and don't recall if it saves captures in a format wireshark will open.

    Any ideas?

    Thanks

    submitted by /u/Pain-in-the-ARP
    [link] [comments]

    Azure S2S (Route Based) to Cisco ASA VTI - strange network behavior

    Posted: 20 Jan 2021 09:27 PM PST

    New to Azure, and have a S2S connection from Azure to our on-prem networks using a Cisco ASA 5508-x running 9.8.4(17). Azure and ASA show the tunnel up and active, but having weird traffic issues.

    I can ping from an Azure VM to on-prem server, and the Azure VM successfully uses the on-prem DNS. But I cannot domain join the azure VM/connect to an on-prem share or open an on-prem webpage. Additionally, I cannot ping from on-prem to the Azure VM.

    Windows firewalls are turned off on both servers for testing, and it appears the Network Security Group rules and Azure FW should permit.

    Packet captures on the two servers show the initial TCP handshake packet sent, but then it retransmits the [PSH,ACK] and [SYN,ACK,ECN] packets until the TCP RST is sent.

    I'm at a loss what to check, as all documentation shows this should work, and it kinda does, so I'm thinking there may be something misconfigured on the Azure side, but don't know what else to check.

    Thanks for any hints or tips. I can provide more detail if needed.

    [EDIT:] Followed this petenetlive kb for configuring the ASA. The Azure side is slightly different as it has a vnet with the virtual network gateway peered to the vnet with the Azure VM.

    [SOLVED:] Missing route on hub vnet.

    submitted by /u/supersaki
    [link] [comments]

    VLAN question?

    Posted: 20 Jan 2021 07:04 PM PST

    Hi,

    I was wondering if someone could shed some light on the issue I'm having. Currently I have an
    HPE OfficeConnect Switch 1920.

    What I'm trying to do is create a VLAN on port 24 which would give me 192.168.15.0/24 instead of 192.168.0.1/24.

    This is what I have so far on the switch:

    https://imgur.com/mbzes0s.png

    https://imgur.com/6tTn69p.png

    https://imgur.com/zHC6v6V.png

    https://imgur.com/QH47QRL.png

    There is a part on VLAN/interface config, but I'm not sure what setup I should put:

    https://imgur.com/ppnmML3.png

    Thank you

    submitted by /u/killmasta93
    [link] [comments]

    How to Validate Network Performance

    Posted: 20 Jan 2021 06:01 PM PST

    We are a vendor for our customer and we have a flat /24 SCADA-like subnet on their network with all of our equipment. On that network I remotely guided them through upgrading 4 HP 1910 switches to HP 1920s models. After that I got the dreaded "now the network is slow" complaint. They reverted back to the old switches.

    I can't imagine how the new switches could really cause a problem. There are other upgrades in progress on that /24 that are likely the true source of the problem. But at the same time I want to be humble and know that there are things I don't understand.

    I want to get some metrics with the old switches in place and compare them to the new switches. Then present to management to prove it isn't the network. Below is what I plan to record before and after. Is there anything else I should document?

    • document arp and LLDP entries on the old switches and compare them to the new ones. This way I can be sure they didn't mess up the cabling. The cabling is a 1 to 1 transfer but I can't rule this out as a problem

    • iperf3 results to and from a sample of servers/workstations in the /24, before and after

    • robocopy results of large ISO file (Windows environment obviously) to and from a sample of servers/workstation in the /24, before and after

    • mtr stats before and after

    • possibly put PRTG or LibreNMS monitoring into place?

    Thanks for any advice!

    submitted by /u/LearningSysAdmin987
    [link] [comments]

    Manually add routes to FRRouting?

    Posted: 20 Jan 2021 04:30 PM PST

    Hi. I'm setting up an ocserv VPN server on a CentOS box which will have a number of different subnets for different groups. The VPN access works, and when I manually add routes from our (VyOS) router to the ocserv box the traffic to the different subnets flows correctly. However, I thought that adding OSPF on the ocserv box would make adding subsequent groups easier, so I set up FRRouting on the ocserv box.

    The ocserv box and the VyOS router see each other as full neighbors but I have no idea how to add the VPN client subnets to the local routing table in the OS of the ocserv box, for redistribution with OSPF.

    Does anybody have any pointers?

    submitted by /u/ermit
    [link] [comments]

    Business vs Residential speeds.

    Posted: 20 Jan 2021 10:11 PM PST

    I work for an ISP and I'm relatively new to networking. Why would business class customers pay far more money for a 10 meg circuit when residential customers can get speeds up to 1 gig for a quarter of the price? Some customers even use a 3-5 meg circuit... not even sure how much you could do with that.

    I guess what would help me is more context as to how a 5 meg circuit would be used by a business and why wouldn't they just pay for a residential modem and get a gig speed connection.

    Thanks in advance! Learning so much from this sub. You guys rock!

    submitted by /u/MattwillYums
    [link] [comments]
