    Friday, January 8, 2021

    Networking

    The whole internet was down after one tiny little mistake

    Posted: 08 Jan 2021 01:13 PM PST

    First of all, I'm using a throwaway account for this post. Something really weird happened and I just thought I would share the story with you guys.

    I work for a major telecom provider in a country with a population of about 40mil; we have around 15mil clients (consumers and businesses).

    Last week, an engineer in the maintenance/operations team was migrating some public /30 subnets (enterprise clients) configured in our global public internet vrf. He was migrating them from the PE router to a smaller aggregation router.

    However, for one client (/30), when he configured the interface on the new router, he put /3 instead of /30.

    As a result, thousands of public addresses on our network were duplicated and ended up blackholed, including our DNS servers.

    So there was a nationwide outage for a few hours, before anyone could figure out what was going on.

    The guy is still keeping his job by the way.

    And to be honest, mistakes like these do happen, but I think we should implement something somewhere to keep mistakes like these from causing a huge outage like this.

    Has anything like this ever happened to you guys?

    submitted by /u/IntDwnTemp
    [link] [comments]
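    The post asks for "something somewhere" that stops a mistyped prefix length from reaching production. The script below is an added example, not the poster's code or anything from their employer: it takes the prefixes already present in the VRF (with the subnet being migrated excluded) and a set of proposed interface addresses, and refuses anything whose prefix is shorter than a policy minimum or that overlaps existing address space. The interface names, the documentation-range subnets and the /24 policy threshold are all constructed for the example.

```python
"""Pre-change check for interface address assignments in a VRF.

Added example, not code from the original post or the poster's employer.
It compares proposed interface addresses against the prefixes already
present in the VRF (other customers' subnets, excluding the one being
moved) and flags a prefix length that is shorter than policy allows or that
overlaps existing address space, which is how a /3 typed instead of /30
would be caught before the config reaches a router.
"""
import ipaddress

# Constructed sample: prefixes already in use in the public VRF
# (documentation ranges, not real customer space).
EXISTING_VRF_PREFIXES = [
    "203.0.113.0/30",
    "203.0.113.4/30",
    "198.51.100.0/24",
    "192.0.2.0/24",
]

# Constructed proposed assignments; interface names are hypothetical.
# The second entry reproduces the typo from the post: /3 instead of /30.
PROPOSED = {
    "Gi0/0/1.101": "203.0.113.9/30",
    "Gi0/0/1.102": "203.0.113.13/3",
}


def check_assignments(existing, proposed, min_prefix_len=24):
    """Return {interface: [problem, ...]}; an empty list means the entry is clean.

    min_prefix_len is an assumed policy knob: customer attachment circuits
    are never shorter than /24 here, so anything shorter is treated as a typo.
    """
    known = [ipaddress.ip_network(p) for p in existing]
    findings = {}
    for ifname, cidr in proposed.items():
        problems = []
        # ip_interface accepts host bits set, like a real interface address.
        net = ipaddress.ip_interface(cidr).network
        if net.prefixlen < min_prefix_len:
            problems.append(
                f"prefix /{net.prefixlen} is shorter than the policy minimum /{min_prefix_len}"
            )
        clashes = [str(k) for k in known if k.overlaps(net)]
        if clashes:
            shown = ", ".join(clashes[:3]) + (" ..." if len(clashes) > 3 else "")
            problems.append(f"overlaps {len(clashes)} existing prefix(es): {shown}")
        findings[ifname] = problems
    return findings


def safe_to_apply(findings):
    """True only when no proposed entry produced a finding."""
    return all(not problems for problems in findings.values())


if __name__ == "__main__":
    result = check_assignments(EXISTING_VRF_PREFIXES, PROPOSED)
    for ifname, problems in result.items():
        print(f"{ifname}: {'OK' if not problems else 'BLOCKED'}")
        for p in problems:
            print(f"  - {p}")
    print("safe to apply:", safe_to_apply(result))
```

    Run against the constructed data, the /30 entry passes and the /3 entry is blocked twice over: once for the prefix length and once because 192.0.0.0/3 swallows every prefix in the list. Hooking a check like this into whatever generates or pushes the config is the cheap place to stop the fat-finger before the routers see it.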

    SIEM - Primary Syslog Collector

    Posted: 08 Jan 2021 09:47 AM PST

    Hi All

    Just trying to get others opinions/experiences on this.

    Our SIEM (currently QRadar) has basically become the god syslog collector in our environment, but from an operational side it's a bit of a mess. It's gotten hit with thousands of VMware debugs, junk logs and loads of events that aren't security related, which just create noise and impact the actual logs we care about. It's great as a security tool, but from an operational event perspective it's not really fit for purpose, so I'm looking at splitting it out into security monitoring and operational monitoring.

    Do others use their SIEM as an operational monitor (by design or just by chance because it's the syslog collector that is there)? Or do you have a dedicated system for operational use?

    Cheers!

    submitted by /u/ultchin
    [link] [comments]
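    Splitting a single syslog feed into a security stream and an operational stream comes down to deciding, per message, where it belongs and what can be dropped at the edge. The script below is an added example, not the poster's QRadar setup or any vendor's code: it decodes the RFC 3164 PRI field into facility and severity, pulls the program name out of the header, and routes each line to "security", "ops" or "drop". The facility and program lists are a constructed starting policy, and the sample log lines are constructed too.

```python
"""Route a syslog feed into security, operational and discard streams.

Added example, not the poster's collector configuration. Facility/severity
come from the <PRI> field (facility = PRI // 8, severity = PRI % 8 per
RFC 3164). The policy below is a constructed starting point: debug-level
chatter is dropped, auth/audit facilities and a short list of security
programs go to the SIEM, everything else goes to the operational store.
"""
import re

# Facility numbers that carry authentication or audit data.
SECURITY_FACILITIES = {4, 10, 13, 14}   # auth, authpriv, log audit, log alert
# Programs treated as security sources regardless of facility (constructed list).
SECURITY_PROGRAMS = {"sshd", "sudo", "su", "auditd", "%ASA", "%SEC"}
DEBUG = 7

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# RFC 3164 header: "Mmm dd hh:mm:ss hostname tag[pid]: message"
HEADER_RE = re.compile(r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(\S+)\s+([^:\[\s]+)")

# Constructed sample lines (hosts, users and addresses are made up).
SAMPLE_LINES = [
    "<38>Jan  8 09:47:01 bastion01 sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 51522 ssh2",
    "<15>Jan  8 09:47:02 esxi01 Hostd: verbose hostd[2099990] [Originator@6876 sub=Vimsvc] ticket refreshed",
    "<85>Jan  8 09:47:03 app01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; COMMAND=/bin/systemctl restart nginx",
    "<163>Jan  8 09:47:04 sw01 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/24, changed state to down",
    "<30>Jan  8 09:47:05 app01 cron[811]: (root) CMD (/usr/local/bin/backup.sh)",
]


def parse_syslog(line):
    """Return facility, severity, host and program for one line, or None."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri, rest = int(m.group(1)), m.group(2)
    if pri > 191:  # 23 facilities * 8 severities - 1 is the largest legal PRI
        return None
    h = HEADER_RE.match(rest)
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "host": h.group(1) if h else None,
        "program": h.group(2) if h else None,
        "msg": rest,
    }


def classify(line):
    """'security', 'ops' or 'drop' for one syslog line."""
    rec = parse_syslog(line)
    if rec is None:
        return "ops"               # unparseable: keep it, but out of the SIEM feed
    if rec["severity"] == DEBUG:
        return "drop"              # the VMware-style debug noise from the post
    if rec["facility"] in SECURITY_FACILITIES or rec["program"] in SECURITY_PROGRAMS:
        return "security"
    return "ops"


def route_lines(lines):
    """Bucket a batch of lines by destination."""
    buckets = {"security": [], "ops": [], "drop": []}
    for line in lines:
        buckets[classify(line)].append(line)
    return buckets


if __name__ == "__main__":
    for dest, lines in route_lines(SAMPLE_LINES).items():
        print(f"{dest}: {len(lines)} line(s)")
        for l in lines:
            print("   ", l[:70])
```

    On the sample lines the ssh failure and the sudo invocation land in the security bucket, the ESXi verbose message is dropped, and the switch link-down and cron entries go to operations. Whichever relay you put in front of the SIEM (rsyslog, syslog-ng or a dedicated collector), this is the decision it needs to make, and keeping the policy as data makes it easy to review what the SIEM is no longer seeing.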

    Bit Confused on how tag popping works

    Posted: 08 Jan 2021 09:07 AM PST

    Hey, I've been reading about this subject after I encountered it in my work. Right now my job is to configure interfaces for our customers, specifically for circuits where we need to buy transport from another provider to get to our network.

    The configuration on the interface we receive the traffic from is something like this:

    service instance 200 ethernet
      encapsulation dot1q 100 second-dot1q 200
      rewrite ingress tag pop 1 symmetric

    Then we create a pseudowire pointing to a loopback interface on the router that will deliver the traffic to the final operator, and create a cross-connect to tie together the service instance and the pseudowire.

    Then on the interface we deliver it to the operator, the configuration is the same minus the tag popping bit.

    My understanding is that traffic arrives to us using vlan 100, we pop the tag the moment the traffic enters our network and add our own tag to it (200), and then it travels through our network solely using the 200 tag. Since this is the same vlan the operator we deliver it to expects, that's it, no further configuration is needed.

    However, in certain cases we do use vlan translation, and the way we go about it is that at the point where we receive the traffic we pop both tags with the "rewrite ingress tag pop 2 symmetric" command rather than just one, and on the interface where we deliver the traffic we configure the encapsulation with the vlan the operator expects and a "rewrite ingress tag pop 1 symmetric" command.

    My question is: when the packet gets to our network it is composed of a customer vlan (with a value of 1-4096 that we don't know about nor really care about); then the operator that delivers the traffic to us adds its tag; then we add ours once it enters our network, as we pop the one added by the previous operator.

    However, when the vlan is translated we pop both, so that means the information will travel our network without any tag. So my question is, once it gets there, how does the destination router know which service instance that packet belongs to (after all, the tag for it was stripped the moment it entered our network) and how to retag it?

    Does the router just see which VC ID it came from, and thus determine the interface service instance by looking at the cross-connect the pseudowire belongs to, and once it sees the physical interface/service instance associated with it know what to do? Or does it do it another way?

    Thanks

    submitted by /u/Emerson23
    [link] [comments]
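    The mechanics in the question are easiest to see on the bytes. The script below is an added example, not the poster's configuration or any vendor's forwarding code: it builds an Ethernet frame carrying an operator tag, our tag and a customer tag, applies "pop 1" and "pop 2" the way the ingress rewrite does, and then models the far-end cross-connect as a table keyed by VC ID, so that what selects the egress service instance is the pseudowire the frame arrived on, not anything left in the frame. The tag stack, the MAC addresses, the PSEUDOWIRES table and its VC IDs are all constructed.

```python
"""802.1Q tag pop/push on the wire, plus the pseudowire lookup on egress.

Added example, not the poster's configuration or vendor code. The ingress
frame carries (outermost first) the transport operator's tag, our tag and
the customer's own tag; "pop 1" strips one, "pop 2" strips two. On egress
the VC ID alone picks the attachment circuit and the tags to push back.
"""
import struct

TPIDS = {0x8100, 0x88A8, 0x9100}  # Ethertypes that introduce a VLAN tag
IPV4 = 0x0800


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst, src, vids, ethertype=IPV4, payload=b"\x45" + b"\x00" * 19):
    """Ethernet II frame with one 802.1Q tag per VID, outermost first."""
    tags = b"".join(struct.pack("!HH", 0x8100, vid & 0x0FFF) for vid in vids)
    return mac(dst) + mac(src) + tags + struct.pack("!H", ethertype) + payload


def vlan_stack(frame):
    """List of VIDs carried by the frame, outermost first ([] when untagged)."""
    vids, off = [], 12
    while struct.unpack("!H", frame[off:off + 2])[0] in TPIDS:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vids.append(tci & 0x0FFF)
        off += 4
    return vids


def pop_tags(frame, count):
    """'rewrite ingress tag pop <count>': strip the outermost <count> tags."""
    off = 12
    for _ in range(count):
        if struct.unpack("!H", frame[off:off + 2])[0] not in TPIDS:
            raise ValueError("frame carries fewer tags than requested")
        off += 4
    return frame[:12] + frame[off:]


def push_tags(frame, vids):
    """The symmetric egress rewrite: re-add tags, outermost first."""
    tags = b"".join(struct.pack("!HH", 0x8100, vid & 0x0FFF) for vid in vids)
    return frame[:12] + tags + frame[12:]


# Hypothetical cross-connect table on the far-end router: which attachment
# circuit each pseudowire terminates on and what that circuit pushes on egress.
PSEUDOWIRES = {
    # Plain case: egress EFP matches dot1q 200 with no rewrite, frame leaves as carried.
    3001: {"interface": "Gi0/1", "service_instance": 200, "push": []},
    # Translated case: egress EFP has "pop 1 symmetric", so it pushes 300 on the way out.
    3002: {"interface": "Gi0/2", "service_instance": 300, "push": [300]},
}


def deliver(vc_id, pw_frame):
    """Egress: the VC ID, not anything in the frame, selects the service instance."""
    ac = PSEUDOWIRES[vc_id]
    return ac["interface"], ac["service_instance"], push_tags(pw_frame, ac["push"])


def end_to_end(ingress_vids, pop_count, vc_id):
    """Return (VIDs inside the pseudowire, egress interface, VIDs delivered)."""
    frame = build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02", ingress_vids)
    inside = pop_tags(frame, pop_count)
    iface, _, out = deliver(vc_id, inside)
    return vlan_stack(inside), iface, vlan_stack(out)


if __name__ == "__main__":
    # 100 = transport operator's tag, 200 = ours, 42 = the customer's own (constructed).
    print("pop 1 ->", end_to_end([100, 200, 42], 1, 3001))
    print("pop 2 ->", end_to_end([100, 200, 42], 2, 3002))
```

    With "pop 1" the pseudowire carries [200, 42] and the far end hands it out unchanged; with "pop 2" only the customer's [42] is left inside the pseudowire, and it is the lookup on VC ID 3002 that picks Gi0/2, service instance 300 and the 300 tag to push, so the frame is delivered as [300, 42]. The customer's inner tag is never touched in either case.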

    Thinking about replacing our Cisco MX64 SD-WAN

    Posted: 08 Jan 2021 07:23 AM PST

    Hello,

    I am a recent graduate who got an IT job with a smaller manufacturing company that has no IT infrastructure other than what a previous company that was in our building left. Needless to say it is a mess, and I am the only IT guy for both this factory in the US and our headquarters in Canada. I have managed to get all of our devices online and replaced all the old switches with Cisco 2960s, which my company considers "new". I have run Cat 6E cable to most of our devices (some still running on Cat 5E from the previous company).

    However, the one device I have yet to replace is our Meraki MX64. The device only supports 50 devices according to Cisco, and throughput is only 250 Mbps when we have a 1 Gbps connection. So I have been looking at the Meraki MX100, but I feel it may be too expensive and I am trying to find other options. I am willing to separate the gateway and firewall if needed, as we currently use only the Meraki for both. If anyone could help point me in the right direction for this it would be much appreciated. I would like to note that being the only IT guy means I have to do networking along with security and sysadmin, so I would prefer if the device(s) could be easier to configure.

    Thanks

    submitted by /u/LazyTitan1998
    [link] [comments]

    CG-NAT A10 vs F5

    Posted: 08 Jan 2021 01:20 AM PST

    I currently work at a smaller ISP, and we are getting low on IPv4 addresses like many ISPs around the world. We've been looking at deploying either the A10 4440 or the F5 i10600. We've gone through their sales presentations and listened to why they're better than their competition, but do not really have a clear winner in our minds, and we do not have time to thoroughly test each platform.

    Have any of you used these solutions specifically for CG-NAT and what are your experiences with either?

    submitted by /u/Spare_Examination795
    [link] [comments]

    Request fellow network engineers to share their troubleshooting notes/SOP

    Posted: 08 Jan 2021 04:52 AM PST

    I am an L2 network engineer with R&S, security (ASA, Palo Alto) and wireless experience. Whenever I encounter a new issue and eventually solve it, I have always made it a point to note the troubleshooting steps, how a particular protocol works, etc. This is info that is not covered in certs and that one can learn only in real-world troubleshooting. This is how I solve many issues that I encounter even after a long gap.

    My hunch is many others might be keeping similar notes/SOPs. Can fellow network engineers share their troubleshooting notes/SOPs?

    As there are some areas in networking where I am weak due to lack of adequate exposure, I could use a few reference materials. I don't mind sharing my notes (R&S, ASA, VPN) if someone has a similar need. Hope this is not an odd request :)

    submitted by /u/geek166
    [link] [comments]

    Enterprise/building automation recommendations?

    Posted: 08 Jan 2021 01:12 PM PST

    We are planning our first large factory network as a BAS company. Most of our jobs are satisfied by 8-16 port unmanaged industrial switches. This time we will have 60+ connections, so I'm curious if that would warrant a managed switch? It doesn't need to be industrial grade given its environment, and our networking knowledge is enough to get by in the web portal or googling our way through the CLI, honestly.

    I've understood managed switches to be for a network with VLANs, QoS, etc., but we will only have HVAC equipment and controllers, which will all be static IPs. Is there a reason to run a managed switch that I'm not seeing?

    No DHCP, no VLANs, and there will be two PCs on the network with the equipment. There will be one link to the customer network, where their routers and firewalls will handle anything that needs to go out.

    And then, since we don't do this a lot, would an HP, Dell or Ubiquiti etc. be adequate (learning the model numbers)? Would you have a recommendation? Two 48-port switches that are reliable for such an application?

    Thanks!!!

    submitted by /u/tkst3llar
    [link] [comments]

    Lab Traffic Generators

    Posted: 08 Jan 2021 11:34 AM PST

    What do you all use for lab traffic generation? In the past, a company I worked for used IXIA, but I believe there may be many lower cost software options that can run on Windows or Linux.

    submitted by /u/BlueWaterBeyondSkies
    [link] [comments]

    Switch uplink ports

    Posted: 08 Jan 2021 04:06 PM PST

    Hello, all. I am just getting started in the networking world. Our current network was installed by some contractors, and I have taken over responsibility for it now.

    I have a distribution switch that has multiple uplink ports and no other available interfaces. Can I continue to use one of those ports to uplink and use one of the other uplink ports to 'downlink' to another access switch?

    submitted by /u/love2learn4life
    [link] [comments]

    Dynamic data latency with CDN

    Posted: 08 Jan 2021 03:23 AM PST

    I'm particularly interested in Cloudflare, but my question is probably more about CDNs in general. There is a website using Cloudflare whose dynamic content I want to access at as low a latency as possible using a VPS. As far as I understand, all data to and from the website is routed through the Cloudflare CDN server closest to the user. So in order to gain access to live data as fast as possible, do I need to somehow find a VPS location close to the CDN server that is also closest to the origin web server? (Any ideas on how?)
    Or should I just get a VPS near the geolocation of Cloudflare's IP address?

    Another thing is about the ping value. Since pinging seems to return the latency to the assigned CDN server, am I understanding correctly that low ping doesn't represent low latency to live content, but on the other hand high ping does mean high latency? Or is that also not as simple as I think?

    submitted by /u/lysnnn
    [link] [comments]

    What would cause poor download speeds but upload speeds remain good?

    Posted: 08 Jan 2021 12:59 PM PST

    I have a site that has a C95000 core with 16.12.4 as the firmware. This is connected to an Aruba 7220 on FW 8.3.0.10.

    The issue that I am plagued by involves the download speed being out of SLA while the upload speed is within SLA. This is an issue on both wireless and wired, 2.4 and 5 GHz. Our SLA is 50 x 50. This issue seems to be sporadic in nature and can last days or just a few minutes. There is no issue with the PTS. The core has no errors.

    At this point I'm more than stumped as to what would cause such sporadic download speeds. Could anyone shed some light on possible causes? My NOC team is at a loss as well.

    submitted by /u/XeroKnack
    [link] [comments]

    MPLS Common Practices

    Posted: 08 Jan 2021 12:33 PM PST

    Have a few questions regarding MPLS infrastructure and encrypting traffic:

    1. When an enterprise is using MPLS, is it safe to assume they are using a service provider's infrastructure for such and not running their own? (enterprise the size of a university)
    2. I'm under the impression that when using a service provider's MPLS infrastructure, the traffic traversing it is essentially going 'over the internet' and thus you should encrypt it. Is this accurate?
      1. If yes, then why does one not encrypt traffic sent over a non-MPLS WAN link?

    I hope these questions make sense. I appreciate references to read up on as well. Thanks!

    submitted by /u/surrealsauce1
    [link] [comments]

    ISP & WAN Switching Question

    Posted: 08 Jan 2021 01:05 AM PST

    Hi all, our company has recently had a new internet circuit installed in the main office building to replace the old ADSL circuit with a 1GB circuit.

    They have provided us with a Cisco C3560 and told us that only port Gi0/2 can be used, so they've only given us one interface. However, we have two firewalls, a primary and a backup just in case, and we want to set up an interface on them both.

    So I have used an unused Dell N1500 series switch to become our WAN switch so we can pass multiple interfaces (one coming in from the ISP, then two going out, one to each firewall). We have more than enough IPs on the circuit, so we can configure static IPs on the firewall interfaces. I've configured a VLAN (100), and I just have two questions.

    1) Do we need to tag the port coming from the ISP into the WAN switch on VLAN 100 as a switchport access or trunk?

    2) Do we need to tag the ports going from the WAN switch to the firewalls on VLAN 100 as switchport access or trunk?

    Thanks in advance. This was the job of a previous employee, but sadly they are no longer with us and it has been passed on to me. It's been over 10 years since I've done anything like this, as I'm now a Service Desk Manager, so any help is greatly appreciated.

    submitted by /u/17manager
    [link] [comments]

    Question about switches to be used between WAN CARP and ISPs

    Posted: 08 Jan 2021 09:57 AM PST

    Hello everyone,

    I am setting up two Netgate XG-7100s to be used with High Availability, but I really don't know what kind (and even which models or brands) of switches I should use on the WAN side for this purpose, and the issues that I could encounter.

    I am looking for two desktop switches with 4 or 8 ports at maximum, and don't want to buy cheap (with possibly weak hardware...) managed switches for 30€, the kind used at home or in small offices, to add to a system like this.

    Thanks in advance!

    submitted by /u/marafado88
    [link] [comments]

    HTB QoS for VoIP at sites with residential Internet connections that won't honour your markings

    Posted: 08 Jan 2021 06:05 AM PST

    Do any of you guys implement HTB QoS for VoIP at your sites that have Internet feeds that aren't going to honour your markings?

    Do you guys see any benefit in doing this, or is it just a waste of time since the ISP isn't going to honour the markings? I would be marking the VoIP traffic and then putting it in an HTB priority queue.

    IMO I see it being useful in a scenario where the site's WAN upload is at 100% utilisation, in which case the VoIP packets will be sent out of the queue before everything else. I see it mainly being useful during 'bursts' of traffic not shown in SNMP polling intervals.

    I would like to hear everyone else's thoughts on this.

    submitted by /u/Ozot-The-Esports-ISP
    [link] [comments]
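    The benefit the post is weighing is local to the site's own uplink: whatever the ISP does with the DSCP afterwards, the queue on the CPE decides which packet leaves first when the upload is saturated. The simulation below is an added example, not the poster's configuration or anything from an HTB implementation: it models a saturated uplink with a burst of bulk packets and a steady trickle of EF-marked VoIP packets, and measures VoIP queueing delay with a single FIFO versus a queue that always serves EF first. Strict priority stands in for an HTB prio class, and the packet sizes, link rate and burst size are constructed.

```python
"""Strict-priority vs FIFO egress under a saturated uplink.

Added example, not the poster's configuration: a tick-based simulation of a
site's WAN upload with a burst of bulk traffic and one VoIP packet per tick.
It measures how long each VoIP packet waits when the uplink is a single FIFO
versus when EF-marked packets are dequeued first. Strict priority stands in
for an HTB prio class; sizes, link rate and burst length are constructed.
"""
from collections import deque

EF = 46  # DSCP Expedited Forwarding, the usual VoIP marking


def build_scenario(bulk_packets=20, voip_packets=10):
    """Constructed arrivals: a bulk burst at tick 0, one VoIP packet per tick."""
    pkts = [{"id": f"bulk{i}", "arrival": 0, "size": 1500, "dscp": 0}
            for i in range(bulk_packets)]
    pkts += [{"id": f"voip{i}", "arrival": i, "size": 200, "dscp": EF}
             for i in range(voip_packets)]
    return pkts


def simulate(packets, link_bytes_per_tick, priority):
    """Return {packet id: queueing delay in ticks}.

    Each tick the link can send link_bytes_per_tick bytes. With priority=True
    EF packets sit in their own queue that is always served first; otherwise
    everything shares one FIFO in arrival order.
    """
    if any(p["size"] > link_bytes_per_tick for p in packets):
        raise ValueError("a packet larger than the per-tick budget would never drain")
    pending = sorted(packets, key=lambda p: p["arrival"])  # stable: list order kept per tick
    prio_q, bulk_q = deque(), deque()
    delays, tick, idx = {}, 0, 0
    while idx < len(pending) or prio_q or bulk_q:
        # Enqueue everything that arrives this tick.
        while idx < len(pending) and pending[idx]["arrival"] <= tick:
            p = pending[idx]
            idx += 1
            (prio_q if priority and p["dscp"] == EF else bulk_q).append(p)
        # Drain the link for this tick: priority queue first, then bulk.
        budget = link_bytes_per_tick
        while True:
            q = prio_q if prio_q else bulk_q
            if not q or q[0]["size"] > budget:
                break
            p = q.popleft()
            budget -= p["size"]
            delays[p["id"]] = tick - p["arrival"]
        tick += 1
    return delays


def voip_delay_stats(delays):
    """(worst, average) queueing delay over the VoIP packets, in ticks."""
    v = [d for pid, d in delays.items() if pid.startswith("voip")]
    return max(v), sum(v) / len(v)


if __name__ == "__main__":
    for mode in (False, True):
        worst, avg = voip_delay_stats(simulate(build_scenario(), 3000, priority=mode))
        print(f"{'priority' if mode else 'fifo':9s} worst={worst} ticks  avg={avg:.1f} ticks")
```

    With a 3000-byte-per-tick link and a 20-packet bulk burst, the FIFO makes the first VoIP packet wait ten ticks behind the burst, while the priority queue gets every VoIP packet out in the tick it arrived. That is the "burst shorter than an SNMP polling interval" effect the post describes, and it happens entirely before the ISP sees the packet.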

    How would you isolate a device from its own vlan?

    Posted: 08 Jan 2021 08:23 AM PST

    I know this sounds stupid, and that the answer is "make another vlan", but hear me out:

    A client wants a machine in the DMZ to be accessible from the internet (web server), but not able to talk to other devices in the DMZ for what are basically political reasons.

    A new DMZ vlan means changes to the firewall, routing, and a few switches right before we're supposed to "lock down" configs for the season due to the nature of our work. It's a medium-sized project at a moment where there's no time to do it (and who wants a new vlan for a single machine?)

    An obvious answer is the machine's local firewall, but the client wants some network segmentation too.

    Next I thought of Port ACLs, which I haven't used much before so excuse me if what follows is idiotic. I made one that was basically:

    permit [gateway MAC] any
    deny any any

    With the reasoning that any L3 traffic would have to be sourced from the gateway (maybe I'm wrong about this).

    The PACL did its job except it killed their outgoing internet too. Perhaps because broadcasts aren't getting through?

    A last way I thought of was to put a small firewall between the host and the rest of the network. That also feels sloppy, but the client likes this idea for some reason.

    Anyway I'm sure there's a better way to do this but I'm blanking. Any help would be appreciated, since I've never been asked to do something like this before.

    submitted by /u/FourKindsOfRice
    [link] [comments]
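    It helps to see exactly which frames a two-entry MAC ACL like the one in the post admits. The script below is an added example, not the poster's switch configuration: it evaluates those two entries, first match wins, against a few constructed frames. The MAC addresses are made up, and the ACL is assumed to be applied to frames heading from the VLAN toward the isolated web server.

```python
"""First-match evaluation of the MAC ACL from the post against sample frames.

Added example, not the poster's switch configuration. The two entries are
the ones quoted in the post; MACs and frames are constructed, and the ACL
is assumed to see frames travelling from the VLAN toward the isolated host.
"""
GATEWAY_MAC = "00:00:5e:00:01:01"  # constructed (VRRP-style gateway address)
WEB_MAC = "02:00:00:00:00:10"      # constructed: the isolated web server
PEER_MAC = "02:00:00:00:00:20"     # constructed: another host in the same DMZ
BROADCAST = "ff:ff:ff:ff:ff:ff"

# The ACL as written in the post, in order; "any" is a wildcard.
PACL = [
    ("permit", GATEWAY_MAC, "any"),
    ("deny", "any", "any"),
]

# Constructed frames, each described by what it would be on a real DMZ.
FRAMES = [
    {"desc": "IP unicast from the gateway to the web server", "src": GATEWAY_MAC, "dst": WEB_MAC},
    {"desc": "ARP request broadcast from the gateway", "src": GATEWAY_MAC, "dst": BROADCAST},
    {"desc": "ARP request broadcast from a DMZ peer", "src": PEER_MAC, "dst": BROADCAST},
    {"desc": "IP unicast from a DMZ peer to the web server", "src": PEER_MAC, "dst": WEB_MAC},
]


def _matches(pattern, value):
    return pattern == "any" or pattern.lower() == value.lower()


def evaluate(acl, frame):
    """Action of the first matching entry; implicit deny when nothing matches."""
    for action, src, dst in acl:
        if _matches(src, frame["src"]) and _matches(dst, frame["dst"]):
            return action
    return "deny"


def decisions(acl=PACL, frames=FRAMES):
    """{description: 'permit' | 'deny'} for every sample frame."""
    return {f["desc"]: evaluate(acl, f) for f in frames}


def permitted_sources(acl=PACL, frames=FRAMES):
    """Set of source MACs that got at least one frame through."""
    return {f["src"] for f in frames if evaluate(acl, f) == "permit"}


if __name__ == "__main__":
    for desc, verdict in decisions().items():
        print(f"{verdict:6s} {desc}")
```

    Only frames sourced by the gateway MAC get through, broadcasts included; every frame sourced by any other device in the DMZ is dropped, which is the segmentation the client asked for. Anything the web server needs from a source other than the gateway (an ARP reply from a peer, for instance) is caught by the same deny, so listing which non-gateway sources the host legitimately depends on is the first thing to check when a PACL like this breaks more than intended.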

    DHCP IP Helpers

    Posted: 08 Jan 2021 08:19 AM PST

    Hi there,

    I have a secondary location that was spun up with a new DHCP cluster. Each location has 2 DHCP servers acting in a load-balancing failover cluster. Currently, I have the two DHCP servers at the primary location as my helpers (ex: 10.0.1.1, 10.0.1.2) and will be needing to add the secondary location servers (ex: 10.0.2.1, 10.0.2.2). I read in this MS doc that if I use broadcast IPs, it would allow me to relay to all 4 servers. Would you all recommend this?

    Solution?:

    10.0.1.255

    10.0.2.255

    If you have a better solution overall, I'm def open to it.

    Ref doc (section: relay agents): https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn338979(v=ws.11)

    submitted by /u/dmissip
    [link] [comments]

    SD-WAN replacement that is free?

    Posted: 08 Jan 2021 06:04 AM PST

    We are getting rid of our SD-WAN appliances, brand at this point doesn't really matter. We are no longer using the bulk of its capabilities due to some restructuring. However, the one thing we do use the SD-WAN appliances for, is load balancing our two Internet connections and for failover/poor connectivity on one ISP etc...

    I have done a bit of digging but haven't found much; I am looking for an open source project that can handle the basic tasks of load balancing / failover etc. Preferably it supports HA too. I have looked at pfSense and it might be able to do some of those things, but I haven't used it enough to know for sure. We are also trying to avoid redesigning the firewall at this point, so this is why I am asking.

    If anyone has any experience, please let me know, thanks!

    submitted by /u/extremenetworks
    [link] [comments]

    Trying to connect to third party RDP but can't connect.

    Posted: 08 Jan 2021 09:23 AM PST

    So I have an issue where our client signed up for a "cloud software" solution, which is: they run a VM on Windows with a line-of-business app and give you access through RemoteApp via RDP.

    I am trying to connect to the third-party RDP but it is constantly failing. Their support says that there is a problem with our network configuration, which I find odd, since we are running their router/firewall in a pretty default state.

    They say they need ports 80/443 open so clients can connect over RDP to their hosted app. But no matter what I do, I can't get it to connect, and I am running out of ideas.

    What works:

    1) I am able to add the URL into RemoteApp and get it to connect.
    2) It will accept the username/password when adding the RemoteApp URL.
    3) It shows the links to the RDP connections in the folder.
    4) When I click on any of the links, it says that it can't connect and to contact the network administrator.

    Things I have done so far:

    1) Opened ports on the Windows firewall.
    2) Used ping and Test-NetConnection to make sure the computer can connect to their RDS server. Was able to successfully connect over ports 80/443.
    3) Had them change the username and password on the account.
    4) Had the client set it up on a non-domain-joined machine at home (they got it to work) and bring it in to the office to test (as soon as they connected to the office network, it stopped working).
    5) They have ports 80/443 set to redirect from their WAN IP to their RDS/Anywhere Access server so they can remote into their work computers from home. Removed these rules and retested with the same results.

    I feel like our client's firewall is the main culprit over any server config. But I can't think of anything else to test, since the work computer is able to talk with the third-party RDS servers over ports 80/443. Nor do I have access to the third-party cloud provider's servers to review their logs.

    Any help would be appreciated.

    submitted by /u/Slackman0000
    [link] [comments]

    Weird DNS issue with W10 VPN

    Posted: 07 Jan 2021 09:16 PM PST

    Hey,

    I have Meraki VPN set up and configured on my laptop (W10).

    Some weird issue I'm having that no one else is. It seems to be random, but all of a sudden, when connected to the VPN, it'll stop resolving using the DNS server I set in the Meraki config.

    If I do ipconfig /all, I can see the correct DNS set on the VPN client.

    I.e.: connect to the VPN, and for about an hour I can resolve internal resources, e.g. nslookup server.

    After about an hour it starts failing and using Google's DNS for resolution of internal resources. I do have 8.8.8.8 set as a DNS forwarder, but then this should start happening to devices directly connected to the network, and it doesn't. This issue only occurs when connecting through the VPN and not on the network itself.

    submitted by /u/Hayabusa-Senpai
    [link] [comments]

    VLAN Tagging by MAC vendor ID Meraki

    Posted: 07 Jan 2021 11:05 PM PST

    Hello,

    Trying to find a straight answer to this. I was working with someone using a Meraki network with a few MXs and switches. He has many 3D printers for which he would like to do VLAN tagging by device MAC address ID (first 3 octets of the MAC address), since they are plugged in all over the place on different switches and he doesn't want to manually tag them. He would like the printers on a different subnet.

    I know how to do this with non-meraki Cisco devices but I'm not sure if this is possible in the Meraki world of networking.

    Has anyone done this?

    (Wired and Wireless)

    submitted by /u/knight8654
    [link] [comments]
