Blogpost Friday! Networking
- Blogpost Friday!
- Network to Code Nautobot
- IST and VLAN assignment
- Static route to cable modem causes ARP (CM600/ER-X)
- MikroTik for 10gig in the server room
- How do you get NTP to pass from FXOS to ASA on Firepower 2130?
- Cisco 2x 100G A9K-2X100GE-TR in ASR-9010-DC (v1)
- updating switch firmware for whole network
- Recommended broadcast domain Catalyst 9500
- Question about global IP address allocation/deployment
- Problem I am having with 802.1x authentication
- Increase Subnet vs Multiple Interface IPs
- Virtualization
- SSH0: TCP send failed enqueueing/Requeueing error
- Strange NTP Destinations
- Catalyst 9800-L HA question
- Acquiring of Surprise IoT Devices
- Fiber Optic Cable Types for Indoor Backbone < 300ft
- VLT uplink to single multihomed ISP
- Wireless Certificate Issues
- How to discover switch IPs and credentials? (Networking noob)
- Multicast TTL on windows
- What IPv6 address is 1::1?
Blogpost Friday!
Posted: 25 Feb 2021 04:00 PM PST
It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts. Feel free to submit your blog post, along with a nice description, to this thread. Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.
Network to Code Nautobot
Posted: 25 Feb 2021 05:28 AM PST
A bit of a rant here: NtC released a new product, Nautobot, and it's big enough that my Google News filters picked it up. Cool! I go to the site https://www.networktocode.com/nautobot/ and the main image looking back at me is a screenshot of NetBox? I read the entire front page and it's nothing but buzzwords about "Source of Truth", "data sources" and "automation." I click for more info and hit a login page. Nope. This is not for lack of understanding about this realm of networking; my title has "network" and "automation" in it. I live in NetBox. But if your product page is just a screenshot of someone else's product, with no real description of what you're doing and no easy way to get more information, that's a problem. NtC, I love some things you've done, but I have no idea what this one even is and I'm your target audience.
IST and VLAN assignment
Posted: 25 Feb 2021 04:19 PM PST
In the ENCOR OCG there is this topology: https://ibb.co/44NGvXh. Correct me if I'm wrong, but why are the SW1 to SW2 links access and not trunking?! Why would you do that? Access ports don't send BPDUs, right? I don't understand why Gi1/0/2 is blocked. Is it the normal STP forwarding/blocking negotiation process? The book:
I went through the [Cisco 802.1s whitepaper](https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/24248-147.html) and encountered the same exact topology and explanation. Can someone clear this up for me? Thanks. [google](www.google.com)
Static route to cable modem causes ARP (CM600/ER-X)
Posted: 25 Feb 2021 04:07 PM PST
Hello, I'm trying to add a static route for my cable modem (Netgear CM600) on my router (ER-X). I do that so I can advertise it over a BGP session I have; without it, BGP won't advertise the route since the link isn't in the local routing table. Weirdly, when I add the static route, even though it has a /32 CIDR, it causes all outgoing traffic to try to ARP request instead of forwarding the traffic. I suspect it's because of the inactive link that the modem leaves on initial DHCP. I'm trying to figure out how I can create this static link without everything becoming ARPed. Some routing excerpts. A normal connection, with everything working properly (and WITHOUT my static link):
Adding the static route produces the following:
Ideas why that routing entry would cause everything to ARP? I am guessing the word 'recursive' is the culprit.
MikroTik for 10gig in the server room
Posted: 25 Feb 2021 03:42 PM PST
Hey everyone! I'm looking at a 10 gig upgrade for our office, at least for the backend to the access switches and server connections. Our use case is simple: standard file transfers and AutoDesk software, all reaching back to a file server, as well as your standard AD and other Windows services. Currently the server is connected to a 10 gig switch which immediately hands off to a single gigabit connection to drive 5 access switches in my IDFs. We're not doing any layer 3 stuff in these switches at the moment. I'm intrigued by the MikroTik hardware, specifically the CRS 312 and CRS 317 for my server room. For the price they seem to be what I need; however, I'm not finding very many reviews on them from a business perspective. Are any of you guys running these things, or have you heard negative or positive feedback on them?
How do you get NTP to pass from FXOS to ASA on Firepower 2130?
Posted: 25 Feb 2021 02:20 PM PST
We just got a new Firepower 2130 for a new one-off project. We mostly run Palos in our enterprise so I have no experience with Firepower, although I am passable with the ASA. Let me also say that I finally get all the hate; this thing is a nightmare. We are really only using the Firepower to terminate IPSec tunnels so we do not need any of the NGFW stuff. We are configuring everything via CLI, no FTD or FMC or whatever it's called. We are running ASA and trying to avoid using the Firepower at all. My first experience with this device was that enabling an interface in the ASA code is not enough; it also needs to be enabled in FXOS. Annoying, but ok. Now we learned that the ASA has no NTP commands whatsoever. We were able to get the FXOS to pull time (also a pain in the ass) but we can't get that to propagate up to the ASA. I'm sure it's listed somewhere in a Cisco doc but we haven't been able to find anything yet. Does anybody have any experience with getting NTP on FXOS and pushing it to the ASA? One last note is that our code only allows us to run the ASA in "platform mode", meaning the ASA has to rely on FXOS for services such as NTP. I guess in later versions you can run the ASA in appliance mode, meaning you can run all the commands from the ASA, but upgrading our version is not an option unfortunately (red tape bullshit). Thanks in advance for any help, I appreciate it.
Cisco 2x 100G A9K-2X100GE-TR in ASR-9010-DC (v1)
Posted: 25 Feb 2021 12:06 PM PST
So I'd like to put an A9K-2X100GE-TR in my ASR-9010-DC, and can't really find a definitive indication on whether it will work or not. A couple of the resellers say it's for PEM v2 only (which would require an ASR-9010-DC-V2 chassis) (https://netmode.com/product/cisco-a9k-2x100ge-tr-asr-9000-series-2-port-100ge-packet-optimized-line-card/). One reseller says it is compatible with both V1 and V2 (https://www.router-switch.com/pdf/a9k-2x100ge-tr-datasheet.pdf). The official Cisco documentation for the card says "The Cisco ASR 9000 Series 2-Port 100 Gigabit Ethernet Line Cards are fully compatible with all Cisco ASR 9000 Series chassis, route switch processors (RSPs), and line cards. No hardware upgrade to the chassis or cooling system is required." But one could interpret that to mean "fully compatible with all [non-EOL] Cisco ASR 9000 Series chassis". Further, support for both the ASR-9010-DC-V2 *and* the A9K-2X100GE-TR was added in IOS XR 4.2.0 (Table 1): https://www.cisco.com/c/en/us/products/collateral/routers/asr-9000-series-aggregation-services-routers/product_bulletin_c25-695311.html I cannot find anything from Cisco that *specifically* states the A9K-2X100GE-TR is compatible with "ASR-9010-DC (v1)". Any thoughts?
updating switch firmware for whole network
Posted: 25 Feb 2021 12:04 PM PST
We have about eight different Cisco switches set up across our offices, but most of them have not been updated in quite a while. Since the updates require a reboot and network downtime, we would like to upgrade all of them at once. Are there any (preferably free) methods of pushing firmware updates to multiple switches at the same time? So far, the closest thing I've found is Cisco FlexStack, which requires all of the switches to be directly connected with aftermarket modules installed.
Recommended broadcast domain Catalyst 9500
Posted: 25 Feb 2021 11:59 AM PST
We're going to be replacing our Cisco 3750-X (L3) and 3750v2 (L2) that we use at our large sites for user access networks with Catalyst 9500s and 9300s (9300s because info security paid extra versus the basic Catalyst 9200). We've had great success with the 9300s at our smaller locations so far. Most of our large sites have 100-200 users, so around 300-500 devices, probably 800 at the largest. WAPs and wireless devices have their own networks; this is just user devices that are wired, like phones, printers and workstations. These are broken up into /24s, so each large site may have 10+ data and another 10+ VoIP networks... most of these /24s were around 25-50% capacity before covid. In high rises they're sometimes broken up by floor, but we don't always have an IDF on each floor so that standard fails pretty fast. Instead of just doing a straight hardware swap and carrying over the VLANs as-is, some of our team is interested in collapsing our many /24s into larger single networks that are easier to manage. I think that at each site we could collapse the 10 data and 10 VoIP /24s into single /22s, so we'd have a single data VLAN and single voice VLAN per location. Besides being much simpler to manage, this would make these large sites follow the same standard network design as the rest of our smaller branch locations (yay standards!). Some of our team believes that the broadcast domain is too large and will cause problems, won't work with ARP, etc. I've seen networks this large in use at other companies, so I'm confident the Cisco hardware can handle 1000-2000 entries in ARP. What do you guys think? What is the recommended size for broadcast domains? Everything I googled still talked about 100-200, but I have a feeling that information isn't accurate for modern Cisco Catalyst hardware.
Question about global IP address allocation/deployment
Posted: 25 Feb 2021 05:54 AM PST
How does the process of the regional internet registry allocating IP addresses work? I understand that each RIR allows organizations, often ISPs, to request IP address blocks that are then assigned to them. The backbone ISPs then peer with each other using BGP in order to have routes to each other. What I'm confused about is how exactly the assignment of the global IP works: how do existing routers on the internet know the new owner of the IP address? In what way is the IP address bound to the new organization? I assume it might have something to do with the AS numbers but I'm not sure how. If anyone has a link to a writeup or good resource about this level of the internet (IANA, tier 1/backbone, BGP) I would be interested in that as well. Sorry if this is a very noob question; I've done a lot of googling/searching Wikipedia and I still haven't found a conclusive answer.
Problem I am having with 802.1x authentication
Posted: 25 Feb 2021 10:46 AM PST
I have 802.1x based authentication for my wireless clients, but the problem I am facing is that when a client switches from one node to another (I have 4 nodes which cover the entire area, all 4 having the same SSID and 802.1x authentication) it takes about 2-3 seconds to re-establish the connection (mainly because of the authentication process). Is there any way in which, after the first connection, the RADIUS generates a certificate or some kind of key which is used to re-authenticate the user (done by the node itself, something like validating a certificate)? I am very new to this field, so this idea may have a lot of flaws. I appreciate any advice for improving the idea, or maybe if there is a solution out there which you know of (similar to it or exactly like this) I would love to know more about it.
Increase Subnet vs Multiple Interface IPs
Posted: 24 Feb 2021 07:47 PM PST
So I am currently in a debate with another technician about either:
- a) adding another /24 interface + dhcp_pool to a VLAN
- b) just changing the subnet mask to /23 (which can be done as gaps were left during the design)
This is for a wired network and would not increase beyond /23; it would just mean updating the netmask in DHCP (this network is almost pure DHCP, with 100 static leases and maybe 10 actual static IPs on devices). Is there any performance reason for picking one over the other (i.e. broadcast traffic etc.)? Security is not a concern in this case, so addressing the space separately (via /24) does not matter.
edit: for ref, I am team b
edit2: Looks like it's an overwhelming win for Team B. Thanks peeps
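Both the /24-to-/22 collapse discussed in the Catalyst 9500 post above and the /24-to-/23 widening debated in this post come down to prefix arithmetic: which single prefix covers a set of existing networks, and what a widened mask would absorb once it is aligned to its own boundary. The following Python block is an added example written for this digest, not code from either poster; the network addresses in it are constructed sample values.

```python
import ipaddress
from typing import Iterable, List, Tuple


def covering_supernet(networks: Iterable[str]) -> ipaddress.IPv4Network:
    """Return the smallest single prefix that contains every given network.

    Starts at the lowest network and widens one prefix bit at a time until
    all inputs fall inside the candidate. Inputs are assumed to share an
    address family; ipaddress raises TypeError if v4 and v6 are mixed.
    """
    nets = sorted(ipaddress.ip_network(n) for n in networks)
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()  # widen by one bit
    return candidate


def widen_conflicts(network: str, new_prefixlen: int,
                    in_use: Iterable[str]) -> Tuple[ipaddress.IPv4Network, List[ipaddress.IPv4Network]]:
    """Widen `network` to `new_prefixlen` and list in-use networks it would swallow.

    The widened prefix is aligned to its own boundary, so 192.168.11.0/24
    widened to /23 becomes 192.168.10.0/23, not 192.168.11.0/23. Any other
    in-use network overlapping that range is returned as a conflict; an
    empty list means the neighbouring space really was left as a gap.
    """
    net = ipaddress.ip_network(network)
    if new_prefixlen >= net.prefixlen:
        raise ValueError("new prefix must be shorter than the current one")
    wider = net.supernet(new_prefix=new_prefixlen)
    conflicts = []
    for other in (ipaddress.ip_network(u) for u in in_use):
        if other != net and other.overlaps(wider):
            conflicts.append(other)
    return wider, conflicts


if __name__ == "__main__":
    # Constructed sample: ten contiguous data /24s at one site.
    data_vlans = ["10.10.%d.0/24" % i for i in range(10)]
    big = covering_supernet(data_vlans)
    print(big, "holds", big.num_addresses, "addresses")
    # Constructed sample for the /24 -> /23 question.
    wider, clash = widen_conflicts("192.168.11.0/24", 23,
                                   ["192.168.11.0/24", "192.168.20.0/24"])
    print(wider, "conflicts:", clash)
```

Run it on the real VLAN list to see the covering prefix grow one bit at a time; the conflict check is what to run before changing a mask in DHCP, since a widened /23 can land on the even-numbered /24 below the current one rather than the one above it.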
Virtualization
Posted: 25 Feb 2021 10:29 AM PST
I was directed here from r/virtualization so hopefully this is the right place. I work for a smaller company and I'm fairly tech savvy, so I get asked to "help out" with a lot of the operations tasks. I have a basic understanding of networking but very little in terms of virtualization. I have a group of ~20 employees on Windows 10 machines that use a VPN to connect to our client's billing system to provide support for the client's customers. However, we also have internal applications that require that the agents have access to our network for functionality. The client provides the VPN so I can't change that. My idea was to set up virtual machines that would be able to connect to the VPN so that my employees could have access to both networks simultaneously. This should work, right?
SSH0: TCP send failed enqueueing/Requeueing error
Posted: 25 Feb 2021 09:05 AM PST
Hi guys, I am having a problem over SSH. I am SSH'ing to a remote router and switch and I noticed that the terminal responses were very slow when entering commands; they would lock up at times and sometimes close the session down. For example, if I entered ''show run'' I would get the response ''Building configuration...'' but it would take about a minute or longer to show any output, and if I started hitting the space bar to see more of the config it would be very slow or it would stall and lock up entirely. I connected via telnet as a test and everything was fine. So I ran some debugs from a telnet session while connecting in again over SSH. I can see this error message being logged over and over again:
*Feb 25 16:56:36.058: SSH0: TCP send failed enqueueing
*Feb 25 16:56:36.986: SSH0: TCP send failed, Requeueing
The remote router and switch are connected to a 512/512kbps VSAT link and the only traffic on this link at the moment is management; the link is not yet in use, so I know it is not a QoS issue. Troubleshooting I have done so far: I have regenerated the SSH keys on both the router and the switch, no difference was seen. I have jumped from a PE onshore router to the remote router and switch using SSH and got the same behaviour. I have telnetted to the router and then SSH'd through to the switch and I still see the behaviour. I have googled the error; however, that has not yielded anything that suggests what might be causing my issue.
Router: Cisco ISR 4321
Router image: isr4300-universalk9.16.09.02.SPA.bin
Switch: Cisco 2960X
Switch image: c2960x-universalk9-mz.152-2.E7.bin
The link is solid; pinging over it rarely drops a single ping. Anyone got any ideas what could be causing the issue with SSH? TIA
Strange NTP Destinations
Posted: 25 Feb 2021 08:38 AM PST
Hi, I have a FGT pointing to north-america.pool.ntp.org for NTP services. I'm seeing it try to get to destinations like 74.208.235.60 (pakrats.com) and 216.6.2.70 (up2.com). Are these legitimate NTP servers? pakrats.com doesn't look like any NTP server I've ever heard of.
Catalyst 9800-L HA question
Posted: 25 Feb 2021 08:13 AM PST
Hoping this is going to be a short and sweet one. I've got a pair of N+1 5508s that we'll be moving away from, and I'm just wondering: I've heard the HA on the 9800s actually works, so I'm setting it up. The topology information given in the Cisco doc shows the RP ports are connected via a VLAN/switch. Is it acceptable to just connect them to each other (as I've done with my ASAs), or is it necessary to burn two more switch ports and a dedicated VLAN to make this work?
Acquiring of Surprise IoT Devices
Posted: 25 Feb 2021 08:00 AM PST
One of our campus sites decided they were going to do an "upgrade" to the conferencing equipment in one of their boardrooms. They didn't think to contact TS until the very last minute, as the gear is already installed. The devices connect to their own basic Best Buy router and need an internet connection for the meetings and any firmware updates. Currently we have two options for the internet connection.
Option A: Acquire an MR52 Meraki AP that has two gig ports available. The WiFi on-site is already completely segregated. This cheap router will then connect directly and simulate being on one of the WiFi SSIDs. An issue with this solution is double NAT.
Option B: Connect the cheap router directly to an access switch and put it on its own PVLAN.
Also, the router is broadcasting its own SSID that some of the equipment will be connected to. Any other ideas on how we can provide an internet connection as securely as possible are appreciated. This site is also extremely remote, thus no new DIA can be added.
Fiber Optic Cable Types for Indoor Backbone < 300ft
Posted: 25 Feb 2021 08:00 AM PST
Hi all, I am an AV and IT integrator. I'm not new to fiber optics at all, but I am wondering what you all choose for fiber optic runs under 300ft that are all indoors. Most of this is generally drop ceiling or occasional conduit. I usually only pull 6F for these applications, and FREEDM One tight buffered was the last product that Corning recommended to us that I installed. I think this is similar to Belden FX tight buffered. I've also installed breakout type fiber (consultant spec) such as Belden FI3B004RB. When do you choose armored cable? I hesitate on that since it is 3-4X the cost. I also don't see a reason to use loose tube or gel-filled for indoor-only use. I know you can use innerduct, but that may be more expensive than using armored? Do you have a go-to product? I know a lot of you here don't install your own fiber, but I'm sure you have a say in what other contractors use.
VLT uplink to single multihomed ISP
Posted: 25 Feb 2021 07:08 AM PST
We are changing vendors and are migrating our switches from Cisco to Dell. I am now in the process of moving the ISP uplinks from our Cisco core switches to a Dell S5232 VLT pair. However, I am not sure how to mimic the Cisco config.
Current (Cisco) situation: Our Cisco core switches are configured in a VSS pair. We have a single fiber uplink to 2 ISP and both VSS members are connected to 1 of the uplinks. This situation works well, and if 1 of the links goes down, the default gateway switches to the working link.
New (Dell) situation: The big difference in my opinion is that with Cisco we had a single routing table between the VSS peers, and this is not the case within a Dell VLT. Moreover, routes aren't synchronized between VLT peers and the VLTi only passes port-channel traffic, so these uplink ports are 'orphaned' in some way. How do I make uplink B the backup default gateway for VLT peer A and vice versa?
Wireless Certificate Issues
Posted: 24 Feb 2021 05:28 PM PST
I was wondering if anyone might be able to provide some insight into an issue I am experiencing at the moment. We have certificate-based wifi set up, but several users are having consistent issues with connecting. The issue seems to be the certificate, as when you try to connect to the wireless it will state that the certificate for the network cannot be found on this computer. The certificate is locally on the computer within Personal > Certificates; there is also a valid cert for the local machine in the same location. The certificate is used for VPN also and this works fine, so that seems to indicate that the certificate isn't the issue. If I generate a new certificate for the user, this will work for a number of days and then revert back to the above error. When looking into this, I can see that when a successful connection is made, the WLAN-AutoConfig event log shows the below fields:
Identity: firstname.lastname@domain.com
User: Domain
Domain: Domain
When the connection is failing it shows:
Identity: NULL
User: firstname.lastname@domain.com
From the auth exchange it states the client is failing to respond with their identity, and then is timing out. As far as I know the above information is taken from the certificate locally on the machine. Does anyone have any ideas why the identity field is being presented as NULL after a period of time? Apologies if this isn't the correct subreddit; mods delete if needed.
How to discover switch IPs and credentials? (Networking noob)
Posted: 25 Feb 2021 05:09 AM PST
Hello, I'm a SysAdmin and a networking noob. I have been tasked with the following: upgrade (firmware) and refresh credentials on all switches across the environment. We have multiple locations across the US and there are probably 15 switches. The problem is the previous regime didn't document any switch IPs or creds. My question is, how can I discover the switches and somehow obtain the admin creds? To the best of my knowledge they are all Cisco switches. If needed we can reset them, but that is a last resort. Thanks, and sorry for the silly question.
Multicast TTL on Windows
Posted: 24 Feb 2021 04:39 PM PST
So I've been testing out some proprietary software on Windows 10 that is using multicast. I was able to get it to work on a flat network; however, once I tried to route it, things failed. I knew my multicast routing was set up correctly, so I did a Wireshark capture and found the multicast packets were being sent with a TTL of 1. I talked to the company about this, asking if there was a setting they had in there. They told me the problem was with Windows, and that I needed to change a multicast TTL setting in Windows. However, I'm unable to find anything like a registry setting. I've only found programming guides telling Winsock how to handle it. From what I can tell it's on the program itself. Does anyone have any other insight?
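The programming guides the poster found are pointing at the right place: in Winsock and the BSD sockets API alike, the multicast TTL is the IP_MULTICAST_TTL option on the sending socket, it defaults to 1, and there is no system-wide knob that overrides what the application sets. The Python block below is an added illustration for this digest, not the poster's software; it reads and sets that option on a UDP socket, rejects out-of-range values, and only sends in the guarded main. The group address and port are constructed samples.

```python
import socket


def multicast_ttl(sock: socket.socket) -> int:
    """Read the IPv4 multicast TTL currently set on a UDP socket."""
    return sock.getsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL)


def set_multicast_ttl(sock: socket.socket, ttl: int) -> int:
    """Set the per-socket multicast TTL and return the value the stack reports back.

    The option is per socket, not system wide: a program that never sets it
    sends multicast with TTL 1, which the first router on the path drops.
    """
    if not 0 <= ttl <= 255:
        raise ValueError("multicast TTL must be in 0..255, got %r" % ttl)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, ttl)
    return multicast_ttl(sock)


def default_multicast_ttl() -> int:
    """Create a fresh UDP socket and report the TTL the OS gives it by default."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        return multicast_ttl(sock)
    finally:
        sock.close()


def make_multicast_sender(ttl: int) -> socket.socket:
    """Create a UDP socket ready to send routed multicast with the given TTL."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    set_multicast_ttl(sock, ttl)
    return sock


if __name__ == "__main__":
    GROUP, PORT = "239.1.2.3", 5005  # constructed sample group and port
    print("default multicast TTL on a new socket:", default_multicast_ttl())
    sock = make_multicast_sender(ttl=8)  # enough hops for the routed path
    print("multicast TTL on sender socket:", multicast_ttl(sock))
    sock.sendto(b"hello", (GROUP, PORT))
    sock.close()
```

A capture of the datagram sent from the main block shows the TTL the program chose; if a vendor's application shows TTL 1 on the wire, it never called the equivalent of set_multicast_ttl, and the fix has to come from that application rather than from the operating system.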
What IPv6 address is 1::1?
Posted: 25 Feb 2021 09:56 AM PST
I can't do a Google search because it doesn't work even when I put quotes around the search term like this " 1::1 " and try to search for results. I thought ::1 means localhost. So, what's the difference between ::1 and 1::1?
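The difference is visible once both addresses are written out in full: "::" stands for one or more consecutive all-zero 16-bit groups, so ::1 is seven zero groups followed by 1, while 1::1 has a 1 in the first group as well and is an ordinary unicast address. The following Python block is an added example (not from the post) that expands compressed notation by hand according to the RFC 4291 text rules, rejects malformed input, and cross-checks itself against the standard library's ipaddress module.

```python
import ipaddress

HEX_DIGITS = set("0123456789abcdefABCDEF")
LOOPBACK = "0000:0000:0000:0000:0000:0000:0000:0001"


def expand_ipv6(addr: str) -> str:
    """Expand a textual IPv6 address to eight zero-padded, lower-case groups.

    Groups are 1-4 hex digits separated by ':' and a single '::' stands for
    one or more all-zero groups. Two '::', a wrong group count, or bad digits
    raise ValueError. Embedded IPv4 (::ffff:1.2.3.4) and zone IDs are not
    handled by this parser.
    """
    if addr.count("::") > 1:
        raise ValueError("at most one '::' is allowed: %r" % addr)
    if "::" in addr:
        left, right = addr.split("::")
        left_groups = left.split(":") if left else []
        right_groups = right.split(":") if right else []
        missing = 8 - len(left_groups) - len(right_groups)
        if missing < 1:
            raise ValueError("'::' must replace at least one group: %r" % addr)
        groups = left_groups + ["0"] * missing + right_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("expected 8 groups, got %d: %r" % (len(groups), addr))
    expanded = []
    for g in groups:
        if not 1 <= len(g) <= 4 or not set(g) <= HEX_DIGITS:
            raise ValueError("bad group %r in %r" % (g, addr))
        expanded.append(g.lower().zfill(4))
    return ":".join(expanded)


def is_loopback(addr: str) -> bool:
    """True only for ::1, the single IPv6 loopback address."""
    return expand_ipv6(addr) == LOOPBACK


def describe(addr: str) -> dict:
    """Expand and classify an address, checking the hand parser against ipaddress."""
    expanded = expand_ipv6(addr)
    assert expanded == ipaddress.IPv6Address(addr).exploded
    return {"input": addr, "expanded": expanded, "loopback": is_loopback(addr)}


if __name__ == "__main__":
    for a in ("::1", "1::1", "2001:db8::8a2e:370:7334"):
        print(describe(a))
```

Expanding both forms side by side is the quickest way to settle questions like this one, and the ValueError paths show why a sloppy input such as 1:::1 is not a valid address at all.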