    Tuesday, January 12, 2021

    Rant Wednesday! Networking

    Rant Wednesday!

    Posted: 12 Jan 2021 04:00 PM PST

    It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

    There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

    Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.

    submitted by /u/AutoModerator
    [link] [comments]

    ISE Guest Certificates

    Posted: 12 Jan 2021 11:37 AM PST

    Hello,

    I am deploying Cisco ISE into our organization. We have 2 domains, a local and a public one (organization.local, organization.org).

    We need to enable the guest portal on ISE. Can I use organization.local for my internal users, and then create a portal certificate for guests using the organization.org domain?

    submitted by /u/zakneter
    [link] [comments]

    Does PeeringDB have accurate information about all ISPs' points of presence within public and private facilities?

    Posted: 12 Jan 2021 07:39 AM PST

    Should I rely on the information given on the website? Do ISPs actually keep using this website indefinitely?

    submitted by /u/Sincro96
    [link] [comments]

    MAC addresses not being discovered for downstream switches

    Posted: 12 Jan 2021 02:38 PM PST

    I know that this isn't strictly enterprise networking kit but I'm hoping someone can help.

    I have 2 switches - a Mikrotik CRS309 in RouterOS mode, and a Cisco SG300 in L3 mode. The SG300 has an ASA gateway connected to it which is the router for all VLANs. The SG300 is connected to the CRS309 by a 1G link trunk port with all VLANs trunked. Clients connect to the SG300.

    Clients <> SG300 <> CRS309 <> ESX hosts <> VMs

    Also: ASA <> SG300

    The CRS309 has ESX hosts connected at 10G to it with VLANs trunked to the hosts, and VMs sit on various VLANs.

    Somehow, the SG300 keeps forgetting how to get to the VLANs, meaning devices connected to the SG300 cannot reach VMs. It's not all VMs, however - it varies.

    The only way to make VMs reachable again is to leave a continuous ping to the desired VM running and clear the dynamic MAC address table on the CRS309. It then comes up instantly and can be reached. At the time the VM is unreachable, the MAC address does not exist in the MAC table on the SG300 but does exist on the CRS309's MAC table.

    It seems to me like the SG300 forgets the dynamic MAC entries downstream on the CRS309 and then cannot rediscover them. Weirdly though, it has no problem remembering MAC addresses for devices that are connected to another SG300 (which is directly off itself).

    Can anyone help? I can provide a diagram if that makes it easier to understand.

    submitted by /u/sarbuk
    [link] [comments]

    Xconnect vs bridge-domains

    Posted: 12 Jan 2021 05:36 AM PST

    Hi,

    As of last month I've started a job at an ISP that provides transport to other providers, and the first task they put me on was configuring services on our routers. We usually do it through xconnect with MPLS pseudowires when the router we collect traffic from and the one we deliver to are on different sites; however, when the two routers are inside the same data center the configuration obviously varies a bit.

    Routers in the same data center have an L2 interlink between them. Said L2 interlink is always a member of a Port-channel even if it's just one interface (for future scalability reasons, I assume).

    So, the way I go about this is to create the service instance under the two physical interfaces and then under the L2 Port-channel present on both routers. However, rather than using an xconnect to put together the service instance on the physical interface and the one on the Port-channel, the company mandates using bridge-domains, both for scenarios like this where the collecting and delivery interfaces are on two routers with an L2 interlink between them, and in cases where the interface we collect from and the one we deliver to are on the same router.

    I've been doing some reading about it and I came across this post:

    https://community.cisco.com/t5/xr-os-and-platforms/bridge-domain-vs-xconnect/m-p/2134948/highlight/true#M1417

    So what I gather is that xconnect is a "dumb" solution: everything it receives, it passes on to the other end, and that's it. Bridge domains, however, do their forwarding based on the destination MAC address and are capable of learning them.

    I think I see why we use bridge-domains in the scenario where the interfaces we collect and deliver traffic from are on the same router, since they would be learning external MAC addresses. However, I can't come up with a rationale as to why we're using bridge domains to bridge together the physical interface and the L2 Po in the scenarios where the two interfaces are on two interlinked routers. Wouldn't an xconnect in these circumstances work just as well?

    I've tried to ask my supervisor but got no answer besides "That's just how we do it." Could anyone offer some more insight?

    Thanks

    submitted by /u/Emerson23
    [link] [comments]

    Trying to help someone leverage two circuits for terrible uptimes in the area.

    Posted: 12 Jan 2021 03:53 PM PST

    I have a family friend who is a plastic surgeon, and the building they are in has extremely unreliable Comcast. I am trying to pinpoint the root cause, but the other professionals in that building also complain. My daughter split open her chin and the ER didn't do such a great job; he fixed it up and I paid nothing.

    I am mostly Cisco so I need some help as the Cisco solutions to bring in 500Mbps to 1Gbps connections are going to be expensive and noisy.

    My goal is an easy to setup head end that can use Comcast and possibly AT&T (I am open to cellular backups, but I worry about coverage within the building) and then some better WiFi device(s) than the Comcast all in one. I would like fanless devices if possible or those that are quiet.

    The office is maybe 1500 sq ft: about 5 exam rooms, the doctor's office, a lobby and receptionist, and an imaging/record storage area.

    submitted by /u/TheRealAlkemyst
    [link] [comments]

    Fiber Optic Speed Over Distance

    Posted: 12 Jan 2021 04:19 PM PST

    I'm new to the fiber thing so I'm looking for some general advice here.

    I work at a location that is running 62.5/125 multimode fiber between data closets. We are budgeting an upgrade in internet from 1 to 5 Gb and are not sure if we would need to budget running fiber cable to go with the new transceivers.

    Googling, I've found that OM1 is good for 10 Gb up to 33 meters, but falls off to 1 Gb at 275 meters. The question is, how fast does the speed drop off? For example, is this as simple as adding both together and dividing by two to know where the 5 Gbps mark would be (i.e.: 33 + 275 = 308 / 2 = 154 meters)? Or is the drop-off much faster, similar to what we see with 5 GHz Wi-Fi networks?

    submitted by /u/MagicalPeanut
    [link] [comments]

    What are your essential Cisco commands on first run?

    Posted: 12 Jan 2021 04:14 PM PST

    Surely most of us will do a no ip domain-lookup and a few other basics, but do you use a template?

    Which commands do you consider essential after switches and routers first boot?

    submitted by /u/KokishinNeko
    [link] [comments]

    Load balancing network traffic

    Posted: 12 Jan 2021 02:58 PM PST

    How common is it to set a cap on network traffic per IP address? The job I work at set their firewall to limit each IP address to only 5 Mb of traffic max. The bandwidth we have for the entire site is 50MB up/down and we have about 100 users, give or take. I have people complaining that they can't have a normal Teams conference call with video without having some type of disruption. What would be the best route to take here? Our firewall is managed by a third-party provider and they have already prioritized Teams traffic, but the issue still occurs. I wanted to remove the 5Mb cap, but I don't know what the repercussions of that would be.

    submitted by /u/MrSafeForWorkDude
    [link] [comments]

    Firewall Policies and AWS/Azure instances.

    Posted: 12 Jan 2021 02:10 PM PST

    Afternoon everyone,

    Curious how others have been handling requests from their dev, sysadmin and other teams for access to cloud-based services hosted by AWS/Azure and the like?

    These asks are for websites/APIs hosted in these cloud environments, accessed from our internal systems. Usually, I always ask for any documentation on FQDNs, ports or IP address blocks so we can whitelist them on our firewalls. More often than not lately, vendor support says "Just whitelist api.mycompany.com and hit us over 443." After we put these policies in, we usually see that the machine talks out to a number of different addresses, always hosted in cloud instances.

    I am personally running Palo Altos so I spend time filtering using application-id and URL categories to get around it. I just can't stomach the thought of allowing an entire "content-delivery-network" URL category or something to get these applications working. A non-specific policy honestly keeps me up at night sometimes. Are we just supposed to accept this risk?

    submitted by /u/tulley
    [link] [comments]

    ACI inter bridge domain communication

    Posted: 12 Jan 2021 05:59 AM PST

    I'm looking for some reading on how to do this and seem to be finding issues.

    Say I have two separate Application Groups, each with a different VLAN and each within different Bridge Domains that are in the same VRF. How can I get the hosts connected to the EPGs in different Application Groups to communicate with each other? In our normal switched environment we would have an OSPF instance within the VRF that could route between the different VLANs.

    submitted by /u/cokronk
    [link] [comments]

    Service Provider Automation

    Posted: 12 Jan 2021 08:50 AM PST

    TLDR: I appreciate any feedback on the whole process, but I'm having trouble with headless speed tests using both Go and Python. I can't achieve the same speeds as the browser.

    Anyone in the service provider space who has automated either of these processes?

    1. Modem firmware testing.
    2. CMTS certification.

    I'm trying to research a way of automating both these processes using a cluster of Raspberry Pis. My idea is to hook up one or many Pis behind a switch connected to a modem/router, then run a series of tests headless and email the results to the person doing the testing. My initial thought is to write everything in Go since it's dependency-free and I'll be off the hook for any RPi updates or software configuration. I planned on having a bash script execute upon start-up of the Pis that reaches out to my git repo for the Go binary, then run that binary as root (I anticipate needing root to control socket binding).

    Tests:

    1. Ensure wireless is turned down to test Ethernet interface.
      1. Headless speed test.
      2. Pings with multiple mtu sizes.
      3. Testing streaming services (no idea how I would do that programmatically; basically someone watches YouTube/Netflix to make sure there's no buffering)
        1. Probably won't do this unless someone has a great idea.
      4. Potentially test modem software.
    2. Ensure Ethernet interface is turned down to test wireless interface.
      1. Headless speed test.
      2. Pings with multiple mtu sizes.
      3. Testing streaming services

    Trouble:

    My first test was to get speed tests working, but I'm having an issue with all the libraries I've tried with Python and Go. None can even come close to the speeds I'm getting from my browser's speed test. If anyone has any suggestions for an accurate application I can use to test speeds, I would really appreciate it!

    submitted by /u/friday963
    [link] [comments]

    Random link flapping issues on some switch ports. How can I troubleshoot this mess?

    Posted: 12 Jan 2021 06:32 AM PST

    Configuration:

    • 3 stacked HP Switches (MAIN)
    • 2 other HP Switches in the same network closet connected together with a trunk ethernet (PRODUCTION)
    • MAIN and PRODUCTION are connected through a fiber trunk link
    • STP is enabled

    Issue:

    A new machine has been installed and connected to one of the PRODUCTION switches; after a few days of tests the machine technician complained that our network does not seem very stable.

    Investigation:

    So we checked the logs of the HP switches and found many "port status change" events with this kind of pattern:

    I 01/11/21 13:08:02 00076 ports: ST1-CMDR: port 3/26 is now on-line
    I 01/11/21 13:08:53 00077 ports: ST1-CMDR: port 3/26 is now off-line
    I 01/11/21 13:08:57 00076 ports: ST1-CMDR: port 3/26 is now on-line
    I 01/11/21 13:08:58 00077 ports: ST1-CMDR: port 3/26 is now off-line
    I 01/11/21 13:09:01 00076 ports: ST1-CMDR: port 3/26 is now on-line
    W 01/11/21 13:09:01 02672 FFI: ST1-CMDR: port 3/26-Excessive link state transitions

    We collected all the logs in one Excel spreadsheet and realized that:

    • These events happen pretty randomly on all the switches
    • Some days we have hundreds of events like these and on others only a few of them; also, when the company is not working we have none (surprise?)
    • Some ports are more affected than others; we even made a chart

    Some of the affected hosts are Windows computers, so we tried to check for "link loss" events in Event Viewer, but what's weird is that most of the time there were no warnings, so the port on the switch turned off for a bit but for the computer the link was still OK.

    So it seems like we have found out about this problem only now because we connected a device that is more sensitive to these kinds of issues.

    How can we troubleshoot this?

    submitted by /u/matart91
    [link] [comments]
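    One way to turn the per-port "on-line"/"off-line" events above into a flap count per port and per day, as an added example that is not part of the original post. The sample log lines are constructed in the HP ProCurve event-log format quoted in the post, the 5-minute window and the threshold of 4 transitions are assumptions, and the "Excessive link state transitions" warning is deliberately not counted since it is the switch's own summary of the same flaps.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the log lines quoted in the post.
SAMPLE_LOG = """\
I 01/11/21 13:08:02 00076 ports: ST1-CMDR: port 3/26 is now on-line
I 01/11/21 13:08:53 00077 ports: ST1-CMDR: port 3/26 is now off-line
I 01/11/21 13:08:57 00076 ports: ST1-CMDR: port 3/26 is now on-line
I 01/11/21 13:08:58 00077 ports: ST1-CMDR: port 3/26 is now off-line
I 01/11/21 13:09:01 00076 ports: ST1-CMDR: port 3/26 is now on-line
W 01/11/21 13:09:01 02672 FFI: ST1-CMDR: port 3/26-Excessive link state transitions
I 01/11/21 13:30:00 00077 ports: ST1-CMDR: port 2/3 is now off-line
I 01/11/21 13:32:00 00076 ports: ST1-CMDR: port 2/3 is now on-line
"""

# Only the "ports:" status-change lines are transitions; the FFI warning is skipped.
LINE_RE = re.compile(
    r"^(?P<sev>[IWME]) (?P<date>\d{2}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<code>\d{5}) ports: (?P<switch>\S+): port (?P<port>\S+) "
    r"is now (?P<state>on-line|off-line)$"
)


def parse_events(text):
    """Return a list of (timestamp, switch, port, state) for port-status lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %H:%M:%S")
        events.append((ts, m["switch"], m["port"], m["state"]))
    return events


def flapping_ports(events, window=timedelta(minutes=5), threshold=4):
    """Map (switch, port) -> max transitions seen inside any sliding window.

    Only ports reaching `threshold` transitions within `window` are returned,
    so a single planned reboot (one off-line, one on-line) is not flagged.
    """
    by_port = defaultdict(list)
    for ts, switch, port, _state in events:
        by_port[(switch, port)].append(ts)
    flapping = {}
    for key, times in by_port.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flapping[key] = max(flapping.get(key, 0), count)
    return flapping


def transitions_per_day(events):
    """Count transitions per calendar day (the post noticed a working-day pattern)."""
    counts = defaultdict(int)
    for ts, *_ in events:
        counts[ts.date().isoformat()] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(flapping_ports(evs))      # {('ST1-CMDR', '3/26'): 5}
    print(transitions_per_day(evs))  # {'2021-01-11': 7}
```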

    Backbone capacity ISP

    Posted: 12 Jan 2021 12:59 AM PST

    I am just trying to learn a bit more about networking, especially backbone networks for ISPs.

    So in my country I know that the maximum capacity in the backbone of at least one ISP is 800Gs. However, I really have a hard time grasping how that is enough. I mean, I know that depending on where the signal goes from and to, it doesn't necessarily need to go through the entire backbone and take up capacity. But still, many 1G connections are available for e.g. regular consumers, and more for companies etc. And in my mind I find it kind of insane that, with the amount of available 1G connections, there aren't e.g. 800 users using the max bandwidth of their fiber or coax connections, which has to go through the backbone in order to get outside the country etc.

    What am I missing here?

    submitted by /u/Lynild
    [link] [comments]

    Username for VTY password

    Posted: 12 Jan 2021 08:50 AM PST

    I goofed and locked myself out of a router. I was trying to fix TACACS, which wasn't working. I was able to get in with the localadmin account. I have a backup (below) of my config before the change. I removed all aaa and tacacs config; I also removed the admin (but not the localadmin) account since I don't know what its password is. We have a password on the VTY lines and I was able to de-hash it. My question is, which username do I use when I have a password on the VTY line? Also, without login local on the VTY lines I'm pretty sure it doesn't even matter. I don't have easy console access as the office is about 30 miles away. Any ideas how to get in? Or am I getting in the car?

    Thanks,

    enable secret 5 blahblahsecret
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    username admin privilege 15 password 0 blahblahadminpwd
    username localadmin password 7 blahblahlocaladminpwd
    tacacs-server host 1.2.3.4
    tacacs-server host 5.6.7.8
    tacacs-server directed-request
    tacacs-server key blahblahtacacskey
    line con 0
     logging synchronous
     stopbits 1
    line aux 0
     stopbits 1
    line vty 0 4
     exec-timeout 15 0
     password 7 blahblahvtypassword
     transport input ssh
    line vty 5 15
     exec-timeout 15 0
     password 7 blahblahvtypassword
     transport input ssh

    submitted by /u/ultajk
    [link] [comments]
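    The config above stores its credentials as type 0 (plaintext) and type 7 (reversible), which is why the VTY password could be "de-hashed" at all; the enable secret is type 5 (salted MD5), for which Cisco now recommends type 8 or 9 instead. As an added example that is not part of the original post, this audit walks an IOS running-config and reports each weak credential storage type, a plaintext TACACS key, and telnet on VTY lines. The sample config is constructed from the post with placeholder secrets, and the risk labels are assumptions of this example.

```python
import re

# Constructed sample modelled on the config in the post; secrets are placeholders.
SAMPLE_CONFIG = """\
enable secret 5 blahblahsecret
aaa new-model
aaa authentication login default group tacacs+ local
username admin privilege 15 password 0 blahblahadminpwd
username localadmin password 7 blahblahlocaladminpwd
tacacs-server key blahblahtacacskey
line con 0
 logging synchronous
line vty 0 4
 exec-timeout 15 0
 password 7 blahblahvtypassword
 transport input ssh
line vty 5 15
 exec-timeout 15 0
 password 7 blahblahvtypassword
 transport input telnet ssh
"""

# Cisco password/secret storage types: 0 and 7 are recoverable, 5 is salted MD5,
# 8 (PBKDF2-SHA256) and 9 (scrypt) are the current recommendations (no finding).
TYPE_RISK = {
    "0": "HIGH: plaintext",
    "7": "HIGH: reversible (type 7)",
    "5": "MEDIUM: salted MD5 (type 5)",
    "8": None,
    "9": None,
}

# Matches "username X ... password|secret N ...", "enable secret N ..." and a
# bare "password N ..." inside a line section.
CRED_RE = re.compile(r"(?:username (\S+) .*?|enable )?(password|secret) (\d) ")


def audit_ios_config(text):
    """Return a list of human-readable findings for an IOS-style config."""
    findings = []
    has_aaa = False
    section = None  # current top-level "line ..." block, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):  # top-level command ends any line section
            section = line if line.startswith("line ") else None
        if line == "aaa new-model":
            has_aaa = True
        m = CRED_RE.match(line)
        if m:
            who = m.group(1) or ("enable" if line.startswith("enable") else section)
            risk = TYPE_RISK.get(m.group(3), "UNKNOWN type")
            if risk:
                findings.append(f"{who}: {m.group(2)} type {m.group(3)} -> {risk}")
        if line.startswith("tacacs-server key "):
            findings.append("tacacs-server key: plaintext shared secret in config")
        if section and section.startswith("line vty"):
            if line.startswith("transport input") and "telnet" in line:
                findings.append(f"{section}: telnet allowed (cleartext transport)")
    if not has_aaa:
        findings.append("aaa new-model missing: VTY lines fall back to line passwords")
    return findings


if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print(finding)
```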

    Outbound Internet Protection - Public Hotspot

    Posted: 12 Jan 2021 08:37 AM PST

    Hi everyone,

    I'm looking for some ideas and design/solutions to lock down and secure outbound internet traffic for users connected to a shared hotspot/workspace environment, to protect the network from vulnerabilities and malicious attacks.

    Ideally, in a corporate environment where laptops are managed internally, it's simple to add a PAC file and filter this traffic via a proxy, but this scenario is a bit different, due to not having control over the users' workstation settings.

    A couple options which came up immediately were:

    1. Create URL filtering policies on the AP itself (Aruba)
    2. Create URL filtering policies/application control at the FW level (Fortigate)

    I'm curious if anyone has any other ideas and solutions; I would like to read more into them. In addition, if anyone has any other secure solutions for the event that a vulnerability does seep through somehow, how do you catch it and isolate/eliminate the attack instantly?

    Thanks!

    submitted by /u/kramer9797
    [link] [comments]

    802 authentication with Windows NPS server

    Posted: 12 Jan 2021 07:36 AM PST

    Hi all,

    Just looking to see if I am correct with my assumptions about 802 auth with Microsoft NPS server.

    I have set it up for certificates, but I can only see an option for user or computer cert, not user and computer, so it will only require one of the certificates, not both of them. Is this called EAP chaining?

    I don't think this is doable with NPS server, but if we were to purchase a copy of Cisco ISE it would be?

    submitted by /u/redditcreeper6959
    [link] [comments]

    Alternative to Meraki

    Posted: 12 Jan 2021 04:06 AM PST

    Looking for suggestions on an alternative to a Meraki setup. Trying to get out from under the steep licensing cost.

    Medium-size nonprofit at a single location. Fiber internet. MX84 running the show, with Ubiquiti switches making up the bulk of the network, plus a handful of unmanaged switches. UniFi APs providing public and private WiFi access throughout the campus. VoIP phone system as well as IP cams. Total of 8 APs and 14 managed switches. VLANs for LAN, VoIP, IP cams, and guest WiFi.

    We got a Ubiquiti Dream Machine Pro and I have been working with it for about a week. The UDM Pro just does not seem stable enough yet to pull off what the Meraki setup does with ease. It especially struggles with our Windows domain controller.

    Just looking for other alternatives to save on costs.

    submitted by /u/dedeaux
    [link] [comments]

    A few questions about Passive Optical Networks.

    Posted: 11 Jan 2021 07:59 PM PST

    I don't currently work in IT. I'm a computer science student and I've always been fascinated by how the internet works, and I think I've got most of the basics down of how passive optical networks work, but I have a few questions. I previously posted in another subreddit, but they said that this one would be a better fit. Please excuse my ignorance.

    I want to know more about upstream bandwidth allocation. What protocol(s) does the OLT use to tell the ONTs when to transmit upstream data? I suppose that each PON variation is different, so for this purpose, I'd like to know the protocols for DWDM-PON and GEPON. I think I've read somewhere that it's got a gate, request, and acknowledge command, but I don't know the name of it. Is it at OSI layer 3?

    I live in a rural area and I doubt I'll be starting an ISP, but would it be theoretically possible to split a fiber at each service drop instead of having the splitter at the central office or "stacked" splitters (please forgive me, the name of that configuration also escapes me)? Would that be horribly inefficient? Could an asymmetric splitter do such a thing and still have the network go 20+ km?

    Why do optical amplifiers cost so much? What's the best network configuration so that you don't have to run so many miles of fiber (tree, ring, any others I don't know about)?

    And finally, is it possible to stack a passive optical network on top of a passive optical network? More precisely, is it possible/easy to configure (I assume probably not feasible) to have each ONU on one passive optical network feed into an OLT for a smaller passive optical network?

    I apologize if these questions are too hypothetical, if these are basic questions, or if they've already been answered. I welcome all answers. Thank you.

    submitted by /u/gracaga
    [link] [comments]

    How to tap/mirror LACP

    Posted: 12 Jan 2021 03:00 AM PST

    Hi!

    I am using a Fortigate Firewall, that is connected with LACP to two Arista 7050s (MLAG).

    Now, I want to mirror/tap the traffic to a network monitoring / IDS system.

    How do you monitor LACP-interfaces? I can tap each of the physical members to the IDS, but is this enough? Is there any better solution to do this?

    Thank you for your help!

    ITStril

    submitted by /u/ITStril
    [link] [comments]

    Dock station (to USB C) with PTP support.

    Posted: 12 Jan 2021 02:56 AM PST

    Does anyone know of a dock station with an Ethernet interface with PTP support?

    I have an MSI laptop (GS63 Stealth 8RD) with a Thunderbolt (USB C) port, and I need PTP support. I think maybe there could be a dock station with this feature which I could connect.

    Do you know any product with this characteristic?

    submitted by /u/johandroidc
    [link] [comments]

    Cisco 1142N lightweight to autonomous

    Posted: 11 Jan 2021 08:54 PM PST

    So I was given a whole bunch of Air-LAP1142-N-K9 access points. They are in lightweight mode and I cannot access conf t commands. I am trying to set them up and I've spent about 6 hours now researching why I can't load a new image to them for autonomous mode.

    So far I am able to connect the AP and hold the mode button, and it brings me to the boot process where it attempts to grab c1140-k9w7-tar.default from my tftp folder. When it reaches my tftp folder I always get an error stating that it does not have permission to access the folders.

    - My firewall is turned off
    - I used Tftpd64 and SolarWinds
    - I used two separate machines to host the tftp server
    - I have allowed the port to be forwarded on my router
    - The file has exactly the same name as the one that the AP tries to grab
    - I tried changing my IP to 10.0.0.2, but I'm not sure if this would even work in my network; that IP is in a different subnet so idk

    I'm basically throwing in the towel at this point, but it's really annoying me that I can't get them to work, so you guys are my last hope. I'm not sure what permissions I can change as well; I messed around with a bunch of security settings but no luck.

    submitted by /u/dk_beats
    [link] [comments]

    Can anyone vouch if Kirk Byers' paid Python course is worth it? Confused about how the course is structured.

    Posted: 11 Jan 2021 10:21 PM PST

    Some background: network engineer (CCIE R&S) looking to get into automation. I have taken the Automate the Boring Stuff course on Udemy and feel like I've got a good grasp of the core Python concepts: loops, string methods, dictionaries, functions etc.

    I have automated some simple tasks at work, which is great, but I'm looking at taking the next step into network automation. From the research I have done on reddit, this course has received the most recommendations: https://pynet.twb-tech.com/class-pyauto.html

    I was under the impression it was an on-demand video series like Udemy, but it looks like it has a start date and is done via email. So I just had a few questions before I pull the trigger for $800:

    1. Are the videos distributed in a live lesson format, or just a link to an on-demand page we can do in our own time?

    2. Are you able to join a course halfway through? Or stop for a certain period and pick it back up?

    3. With my current knowledge level, is it still recommended that I take the free course first? The annoying thing is that it starts 2 months away, and I'm eager to get the ball rolling.

    4. What's the time commitment required for each day?

    Thanks in advance

    submitted by /u/roganjosh1
    [link] [comments]
