Blogpost Friday! Networking
- Blogpost Friday!
- Some question regarding data checksum field on the TCP/IP layers
- The purple elephant in the magic quadrant - am I crazy for considering Extreme?
- Wireless Segmentation Design
- ESXi Blade Chassis to Nexus 5K - Physical NIC MAC Address
- Recommendation for a Cisco 8 port POE L2 switch
- Inter-AS MPLS - BGP-LU and injecting in Segment Routing domain
- Positron GAM-24-M
- Hyper Segmentation with automation framework
- Question about reverse cloud migration
- Cisco VLAN Question
- Block Websites at certain times
- Office Network Issues
- Passing device output in .txt to napalm
- Automation
- Wireless Network Bridge Recommendations
- Best way to share a printer between networks?
- NXOS/ACI QSFP+ to 4x10Gb Breakout Port-numbering (in)consistency?
- Without including loops or misconfigurations, what is the world record for most router hops a packet had to take from a source to a destination?
Blogpost Friday! Posted: 29 Apr 2021 05:00 PM PDT It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts. Feel free to submit your blog post, along with a nice description, to this thread. Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.
Some question regarding data checksum field on the TCP/IP layers Posted: 30 Apr 2021 12:58 PM PDT Hello everyone, this is my first time in this sub and I want to ask a question that has been burdening me, since I have done a lot of research already and still don't understand the issue. It is about checksum calculation in TCP/IP. I notice that the Ethernet frame has an FCS field at the end, where the checksum calculation for the integrity of its content is stored. This enables the target device to discard the frame if the checksum (CRC) fails. Now, there is another checksum field in the transport layer. In the case of UDP (that is what I want to implement), in order to calculate the checksum there must be a pseudo-header; that is clear enough. What I don't get is, why do we need a checksum field at the transport layer when the data link layer could have discarded the complete frame already if the payload gets corrupted along its way to the destination? Does that mean that the FCS field of the Ethernet frame does not take into account some bits flipping in the transport layer's fields? Wouldn't it be redundant to have a checksum field in the transport layer, when there is already one in the data link layer? I hope I have asked the right questions, since I am so confused. Thank you very much in advance!
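The two checksums answer different questions, and the difference is easiest to see by building the packet. The following Python is an added example, not part of the original post or any reply to it. It computes the RFC 768 UDP checksum over the IPv4 pseudo-header, the CRC-32 FCS over the whole frame (zlib.crc32 uses the same polynomial as IEEE 802.3), and then simulates what every router does to a frame: verify the inbound FCS, strip it, rewrite the frame (new MAC addresses, decremented TTL, new IP header checksum) and compute a fresh FCS for the next link. The FCS therefore only ever vouches for one link; it says nothing about what happened inside the router or NIC between links. A bit flipped in the router after the inbound FCS check (the hypothetical `flip_payload_bit` fault below) leaves with a perfectly valid new FCS, and only the end-to-end UDP checksum, computed once by the sender and checked only by the receiver, catches it. All MAC and IP addresses and the payload are constructed.

```python
"""UDP checksum (end-to-end) versus Ethernet FCS (per link): added example, not from the post."""
import struct
import zlib

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
IP_HDR = struct.Struct("!BBHHHBBH4s4s")    # minimal 20-byte IPv4 header
UDP_HDR = struct.Struct("!HHHH")           # sport, dport, length, checksum
PROTO_UDP = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry; odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: bytes, dst_ip: bytes, udp_len: int) -> bytes:
    """RFC 768 pseudo-header: covered by the checksum, but never transmitted."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, PROTO_UDP, udp_len)


def udp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Sender: complement of the sum over pseudo-header + UDP header (checksum zeroed) + data."""
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = 0xFFFF ^ ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)
    return csum or 0xFFFF  # a computed zero is sent as all-ones; zero on the wire means "no checksum"


def udp_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """Receiver: with the transmitted checksum included, the sum must come out all-ones."""
    if segment[6:8] == b"\x00\x00":
        return True  # IPv4 permits UDP without a checksum (IPv6 does not)
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def ip_header_checksum(ip: bytes) -> int:
    """IPv4 header checksum: same one's-complement arithmetic, header only, field zeroed."""
    return 0xFFFF ^ ones_complement_sum(ip[:10] + b"\x00\x00" + ip[12:])


def add_fcs(frame: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over the whole frame, least significant byte first on the wire."""
    return frame + struct.pack("<I", zlib.crc32(frame))


def fcs_ok(frame_with_fcs: bytes) -> bool:
    return add_fcs(frame_with_fcs[:-4]) == frame_with_fcs


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload, ttl=64):
    """Sending host: UDP -> IPv4 -> Ethernet, returning the frame with its FCS appended."""
    seg = UDP_HDR.pack(sport, dport, UDP_HDR.size + len(payload), 0) + payload
    seg = seg[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, seg)) + seg[8:]
    ip = IP_HDR.pack(0x45, 0, IP_HDR.size + len(seg), 0, 0, ttl, PROTO_UDP, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", ip_header_checksum(ip)) + ip[12:]
    return add_fcs(ETH_HDR.pack(dst_mac, src_mac, 0x0800) + ip + seg)


def router_forward(frame_with_fcs, next_hop_mac, out_mac, flip_payload_bit=None):
    """Router: check the inbound FCS, decrement TTL, rewrite MACs, compute a NEW FCS.
    flip_payload_bit is a hypothetical memory fault that corrupts the UDP payload inside
    the router, i.e. after the inbound FCS check and before the outbound FCS is computed."""
    if not fcs_ok(frame_with_fcs):
        raise ValueError("inbound FCS failed: frame dropped at the link layer")
    frame = bytearray(frame_with_fcs[:-4])
    ip0 = ETH_HDR.size
    frame[ip0 + 8] -= 1                                   # TTL
    frame[ip0 + 10:ip0 + 12] = struct.pack("!H", ip_header_checksum(bytes(frame[ip0:ip0 + 20])))
    if flip_payload_bit is not None:
        pos = ip0 + 20 + UDP_HDR.size + flip_payload_bit // 8
        frame[pos] ^= 1 << (flip_payload_bit % 8)
    frame[0:6] = next_hop_mac
    frame[6:12] = out_mac
    return add_fcs(bytes(frame))


def receive(frame_with_fcs):
    """Receiving host: returns (fcs_ok, udp_ok) so the two checks can be compared side by side."""
    if not fcs_ok(frame_with_fcs):
        return (False, False)
    frame = frame_with_fcs[:-4]
    ip = frame[ETH_HDR.size:ETH_HDR.size + 20]
    return (True, udp_ok(ip[12:16], ip[16:20], frame[ETH_HDR.size + 20:]))
```

A frame damaged on the wire fails `fcs_ok` and never reaches the UDP check; a frame damaged between links passes the new FCS and is caught only by `udp_ok`. That is the layering: the FCS is a per-hop check over the bits as they crossed one cable, the UDP checksum is the end-to-end check over what the application actually handed over, and the pseudo-header additionally binds the segment to the IP addresses it was meant for, so a datagram delivered to the wrong host (or with a rewritten destination) also fails.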
The purple elephant in the magic quadrant - am I crazy for considering Extreme? Posted: 30 Apr 2021 01:54 PM PDT So we're looking at replacing ageing Cisco equipment at our SMB with Cisco Catalyst or Aruba, but I've just given Extreme a look and they're around half the price of Aruba, let alone Cisco. We're a software development house, and have stringent security requirements on what we do. We're looking at technologies such as ClearPass/ISE, StealthWatch/Introspect and possibly NSX to secure our fairly extensive server estate (dev/test is a bit of a wild west), and are looking for a good native management tool (Aruba Central/AirWave and CloudIQ look good) as we don't have dedicated networking resources in the team. Looking for an integrated wired and wireless network, but also need to have capabilities to drive 25G to servers and storage. Am I crazy for considering Extreme? I figure they can't be in the magic quadrant for no reason, but I hear very few people talking about them, and there aren't that many resellers.
Wireless Segmentation Design Posted: 30 Apr 2021 10:21 AM PDT Hi All, I am currently designing a wireless network and I am trying to work out the best way to provide the segmentation of services whilst trying to keep SSIDs to a minimum and maintaining an acceptable level of security. Trying to achieve all of this is proving difficult unless I'm overlooking something. Our network is currently segmented using VLANs and VRFs. We have a VRF for our corporate network, VRFs for various third parties/vendors (about 10), and a VRF for internet-only access. We are a Cisco house and use ISE. I am currently thinking of the following:
- Corporate SSID that will use EAP-TLS. Access to our corporate VRF will only be granted for corporate users/computers that present an internal CA-signed certificate.
- Corporate Guest SSID that will use PEAP-MSCHAPv2. User identities will be local credentials in ISE. Depending on what user ID is used to connect to the network, we can place the user in the required network. This will be used for third parties that need access to their own networks and for employee guests.
- IoT SSID that will use IPSK. Although we don't have any IoT devices yet, I imagine that we will come across devices that don't support 802.1X so will need to use a PSK. IPSK seems flexible enough to support similar use cases to the Corp Guest SSID.
The only concern that I have with the above design is the use of PEAP-MSCHAPv2 due to its known security vulnerabilities, specifically Evil Twin and credential theft. My other concern is that, depending on device type, configuration to connect using PEAP is not always as straightforward, so it may create more tickets for our service desk. I'm also aware that some devices, such as Android mobiles/tablets running OS 14, have removed the capability to bypass certificate validation. I imagine that other vendors will follow suit, which may make this solution unusable as we don't manage the client endpoints (and we don't want to be handing out our root CA to everyone).
Is there a solution to this - a public EAP cert? How are others doing this currently? Any advice would be appreciated.
ESXi Blade Chassis to Nexus 5K - Physical NIC MAC Address Posted: 30 Apr 2021 01:53 AM PDT Hi All, We got a Dell C6400 chassis with 4 ESXi blades. In our configuration each blade has 2 uplinks going to Nexus 5K switches or their FEX extenders. The 2 ports in the switch for each blade are configured as trunk ports. We couldn't see the blades' physical NIC MAC addresses on the switch side, just the VMs located on them. Is there a way to locate the physical uplink NIC MAC addresses on the switch side and not just the VMs? Your help would be appreciated.
Recommendation for a Cisco 8 port POE L2 switch Posted: 30 Apr 2021 11:04 AM PDT Looking for a recommendation for a Cisco 8-port PoE switch. If only 4 ports do PoE, that is fine. The company has an SG250-08HP which seems to do the job. Is there a newer model of this, or another model that is better with less cost? Switches must be fanless since they will be inside an office. Thanks
Inter-AS MPLS - BGP-LU and injecting in Segment Routing domain Posted: 30 Apr 2021 03:06 AM PDT We are building a state-of-the-art Metro Ethernet network with inter-AS connectivity and wish to achieve inter-domain passthrough for L2VPN and L3VPN services. The data plane is MPLS Segment Routing. The control plane uses EVPN, of course. Do you have any examples of this in the real world? In our case the problem arises when labels from BGP-LU (Inter-AS Option C scheme) for the next hop need to be populated into the segment routing domain in another AS. We have seen mentions of BGP-SR or SR-TE approaches, but without real applications. So, what is the simplest way to deploy inter-AS MPLS SR/EVPN L2 or L3 services?
Positron GAM-24-M Posted: 30 Apr 2021 10:21 AM PDT Hello everyone, I've got an issue I am hoping someone could help me out with. The company I work for has recently deployed a Positron GAM-24-M in a high-rise apartment building. This lets us terminate our fiber in one location and use the existing telephone wiring to provide gigabit speeds to customers. One problem we are having is that some of the ports appear to be shutting down on their own, and upon a reboot of the GAM they begin working again. There is nothing in our syslog server about ports shutting down, nothing in the logs of the GAM about it; it appears to just happen randomly. I know these are kinda niche devices, but I'm hoping someone out there has experience with these that can help me out. Thanks!
Hyper Segmentation with automation framework Posted: 30 Apr 2021 02:59 PM PDT As automation and orchestration solutions become more commonplace, do you think it's feasible to see a Hyper Segmentation solution emerging? Here's how I'd envision it working. Every single host endpoint on the network gets placed in its own VRF, dynamically created on the spot when it plugs in. Each VRF would have overlapping IP space, and "intent"-based flows would be routed with automatically generated source NAT configs on the VRF firewall. I know this sounds incredibly cumbersome and not like a good design, but I'm thinking 25-50 years from now, like the distant future of SD-Access.
Question about reverse cloud migration Posted: 30 Apr 2021 02:50 PM PDT Let's say you're building the next Facebook (lots of users, minimal downtime and social networking features like feeds, pictures, likes, friends, profiles, messaging, relational data etc.). From what I have read so far it seems like AWS is a good server infrastructure solution for such an app as it has lots to offer, scalability, and is less of a commitment than building a data center. My questions: Is it likely that it will become advantageous to operate from a data center at some point in the future if the app becomes widely successful? Would reverse cloud migration for a massive social network to dedicated servers be feasible? Would it be uniquely difficult given the fact it's a social network and has a massive amount of relational data, or for some other reason?
Cisco VLAN Question Posted: 30 Apr 2021 02:44 PM PDT Got some Cisco CBS350 switches (first time with Cisco switches) that I'm setting up for a customer, and I had some weird behavior related to VLANs that makes me question my understanding of VLANs. I have the switches in my office for config before taking them out to the customer site, and I have them plugged into my office switch. My office switch is a Zyxel GS2210-28LP and I have VLAN 11 configured for my office. I have the CBS350 plugged into an untagged port (on both sides), so I am effectively crossing from my office VLAN 11 to the default management VLAN 1 on the Cisco switch. No problem there and it works as I expect it to. The port on the CBS350 that I am using as a temporary uplink apparently autoconfigured itself to be a Trunk port (PVID/untagged: VLAN 1). This auto change from Access to Trunk was unexpected, and I confirmed that behavior by changing to another port that I confirmed was set as an Access port on VLAN 1, and it changed to a Trunk port. (Maybe it could tell it was connecting to another untagged VLAN based on LLDP?) On the CBS350s I also configured a Voice VLAN (VLAN 571) in Telephony OUI mode and entered the OUI for the Yealink phones my customer (and I) use. VLAN 571 was only configured on the customer's CBS350 and not on my office switch. Here's where it got weird: my office Yealink phones that were plugged into my office Zyxel switch on my office VLAN 11 suddenly tried to jump to VLAN 571 and disconnected from my network (no DHCP or gateway for VLAN 571). When I looked at the MAC table on my office switch it showed my phone MACs associated with VLAN 571! The CBS350s were downstream from my office switch, so there should be no reason for traffic from my office to transit the CBS350s. The gateway router is connected to my office switch. How could the VLAN configuration on the Cisco CBS350s reach out to my Zyxel switch and dynamically tag my phone traffic on a VLAN that is not configured on my office switch?
I resolved the issue by reconfiguring the temp uplink port on the CBS350 from Trunk mode to General mode. On a related note, can someone explain the difference between Trunk and General mode on Cisco switches; or more precisely, what are the use cases for one over the other? I have read the Cisco help files (and tried to look for this answer in various forums) and understand that Trunk can only have 1 untagged VLAN while General can have more than one untagged VLAN, and Trunk appears to operate in a default all/implicit VLAN membership while General requires explicit VLAN membership. The Zyxel and Netgear SMB switches I've used seem to behave more like the General mode. Cisco help docs seem to indicate that General mode is 802.1Q compliant while Trunk is not (although I'm not sure what makes it more or less 802.1Q compliant). Apparently Trunk mode can affect more than just the port it's configured on, based on the behavior I described above?
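A check worth running on a link like that temporary uplink: capture an LLDP frame from each switch and decode the LLDP-MED Network Policy TLV, which is what LLDP-MED-capable IP phones use to learn their voice VLAN. That tells you exactly which VLAN each switch is offering to phones, whatever the port mode says. The decoder below is an added example, not code from the post or its replies; the frame it parses is constructed with the builder in the same block, the TIA OUI 00-12-BB and the TLV bit layout are from ANSI/TIA-1057, and whether LLDP-MED (rather than CDP, which Cisco switches can also use to announce a voice VLAN) is what moved the phones in this particular incident is an assumption the post does not settle.

```python
"""Decode LLDP-MED Network Policy TLVs from an LLDP frame: added example, not from the post."""
import struct

LLDP_MCAST = bytes.fromhex("0180c200000e")  # nearest-bridge group address; 802.1AB says do not forward it
ETHERTYPE_LLDP = 0x88CC
TLV_END, TLV_CHASSIS, TLV_PORT, TLV_TTL, TLV_ORG = 0, 1, 2, 3, 127
TIA_OUI = bytes.fromhex("0012bb")            # ANSI/TIA-1057 (LLDP-MED) organisationally specific TLVs
MED_NETWORK_POLICY = 2                       # LLDP-MED subtype: Network Policy
APP_TYPES = {1: "voice", 2: "voice-signaling", 3: "guest-voice", 4: "guest-voice-signaling",
             5: "softphone-voice", 6: "video-conferencing", 7: "streaming-video", 8: "video-signaling"}


def tlv(ttype: int, value: bytes) -> bytes:
    """LLDP TLV header: 7-bit type, 9-bit length, then the value."""
    return struct.pack("!H", (ttype << 9) | len(value)) + value


def med_network_policy(app: int, vlan: int, priority: int, dscp: int, tagged=True, unknown=False) -> bytes:
    """Network Policy TLV body: app(8) | U(1) | T(1) | X(1) | VLAN ID(12) | L2 priority(3) | DSCP(6)."""
    word = (app << 24) | (int(unknown) << 23) | (int(tagged) << 22) | (vlan << 9) | (priority << 6) | dscp
    return tlv(TLV_ORG, TIA_OUI + bytes([MED_NETWORK_POLICY]) + struct.pack("!I", word))


def build_lldp_frame(src_mac: bytes, port_name: bytes, ttl: int, extra_tlvs) -> bytes:
    """Minimal LLDPDU a switch would send: chassis ID (subtype 4 = MAC), port ID (subtype 5 = name), TTL."""
    body = tlv(TLV_CHASSIS, b"\x04" + src_mac) + tlv(TLV_PORT, b"\x05" + port_name)
    body += tlv(TLV_TTL, struct.pack("!H", ttl)) + b"".join(extra_tlvs) + tlv(TLV_END, b"")
    return struct.pack("!6s6sH", LLDP_MCAST, src_mac, ETHERTYPE_LLDP) + body


def iter_tlvs(lldpdu: bytes):
    """Yield (type, value) up to the End-of-LLDPDU TLV; truncated trailing bytes are ignored."""
    off = 0
    while off + 2 <= len(lldpdu):
        hdr = struct.unpack_from("!H", lldpdu, off)[0]
        ttype, tlen = hdr >> 9, hdr & 0x1FF
        if ttype == TLV_END:
            return
        yield ttype, lldpdu[off + 2:off + 2 + tlen]
        off += 2 + tlen


def network_policies(frame: bytes):
    """Return one dict per LLDP-MED Network Policy TLV found in an LLDP frame."""
    dst, src, etype = struct.unpack_from("!6s6sH", frame, 0)
    if etype != ETHERTYPE_LLDP:
        raise ValueError("not an LLDP frame")
    policies = []
    for ttype, value in iter_tlvs(frame[14:]):
        if ttype != TLV_ORG or len(value) < 8 or value[:3] != TIA_OUI or value[3] != MED_NETWORK_POLICY:
            continue
        word = struct.unpack("!I", value[4:8])[0]
        policies.append({
            "source": src.hex(":"),
            "app": APP_TYPES.get(word >> 24, word >> 24),
            "unknown": bool((word >> 23) & 1),   # U=1: the switch has no policy for this application
            "tagged": bool((word >> 22) & 1),    # T=1: phone should 802.1Q-tag with this VLAN
            "vlan": (word >> 9) & 0xFFF,
            "priority": (word >> 6) & 0x7,
            "dscp": word & 0x3F,
        })
    return policies


def voice_vlans(frame: bytes):
    """Set of VLAN IDs this frame tells phones to use for voice (ignores 'unknown' policies)."""
    return {p["vlan"] for p in network_policies(frame) if p["app"] == "voice" and not p["unknown"]}
```

Feed `network_policies` the raw bytes of a captured frame (for example from a pcap read with the standard `struct`-level parsing shown here, or from a capture library) on the port facing each switch and compare what each side advertises against what you intended; a switch offering a voice VLAN that the upstream switch has not been configured with is exactly the condition a phone cannot recover from on its own. Because the LLDP destination address is the nearest-bridge group address, a compliant bridge consumes these frames rather than forwarding them, so seeing a downstream switch's policy on the far side of another switch is itself a finding worth chasing.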
Block Websites at certain times Posted: 30 Apr 2021 02:41 PM PDT Hi, With online learning being the reality at the moment I am currently trying to figure out how to blacklist certain websites/domains for certain times of the day. If I want to block a domain I will just go into my DNS server and create a record for it so that it cannot resolve. So is there software (preferably something I can host on my server) to blacklist a list of domains for a period of time?
Office Network Issues Posted: 30 Apr 2021 01:24 PM PDT Looking to get some help. We have a network in our office with routing and DHCP managed by an EdgeRouter Lite. We also have multiple Netgear S3300-28X PoE+ ProSAFE switches between offices. We have 3 main servers. Recently we have had multiple power outages in our building and our UPS cannot keep up. Once we get the hardware up and running it is difficult to connect to the remote admin page of the servers. We also have difficulty accessing some IPs in the network. We are able to get in sometimes after multiple hard restarts on switches, routers and servers. What could be the issue we are running into? Thank you in advance.
Passing device output in .txt to napalm Posted: 30 Apr 2021 12:53 PM PDT Is it possible to pass output in the form of a .txt file to a napalm driver? We don't have direct device access, so we will issue show commands manually and want to use napalm for parsing the outputs into a structured format.
Automation Posted: 30 Apr 2021 04:43 AM PDT Hello! Our Cisco SmartNet contracts are expiring soon. We received an Excel spreadsheet with all the devices and I need to check if these devices are still in production. We removed a lot of them in the past year. We don't have any documentation and we are talking about around 400 Cisco switches. I obviously don't want to SSH into every single switch and do a show version to get the serial number, find it in the Excel, etc. I want to automate this process. What would be the best way? I also want a framework that I could use in the future. I need to clean up some configs in all these switches and make them consistent. We don't have anything right now. I would like to back up the configs as well. Switches are mostly 2960X, 2960C, 9200L. I'm good with Python but pretty new to network automation tools (Netmiko, NAPALM, etc.). Could Ansible and Nornir be the tools I'm looking for? Thank you
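The two posts above (parsing pasted show output, and reconciling a SmartNet serial list against what is actually deployed) need the same thing: a parser for the text you already have, and a reconciliation that reports every direction of mismatch. NAPALM's getters drive a live session to the device; they do not take a text file as input, so for pasted output you parse the text yourself, as below, or with TextFSM and ntc-templates once you are comfortable with them. The Python here is an added example and not from either post; the `show version` snippets and the contract CSV are constructed, and the regexes are an assumption about the `System serial number` / `Processor board ID` and `Model number` lines common on Catalyst IOS and IOS-XE output, so check them against a real capture from each platform before trusting the result. From a security standpoint the interesting bucket is `uncovered`: switches that are in production but on no contract and in no inventory are the ones nobody is patching.

```python
"""Parse pasted 'show version' text and reconcile serials against a contract list: added example."""
import csv
import io
import re

# Constructed sample: one pasted 'show version' per switch, keyed by hostname.
SHOW_VERSION = {
    "sw-floor1": """\
Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.2(7)E3, RELEASE SOFTWARE (fc2)
sw-floor1 uptime is 1 year, 12 weeks, 3 days
System serial number            : FOC0000AAAA
Model number                    : WS-C2960X-48FPD-L
""",
    "sw-floor2": """\
Cisco IOS XE Software, Version 16.12.04
sw-floor2 uptime is 2 weeks, 1 day
Processor board ID FOC0000BBBB
Model Number                       : C9200L-48P-4X
""",
    "sw-lab": """\
System serial number            : FOC0000DDDD
Model number                    : WS-C2960C-8PC-L
""",
}

# Constructed sample of the contract spreadsheet, exported to CSV.
CONTRACT_CSV = """\
serial,model,contract_end
FOC0000AAAA,WS-C2960X-48FPD-L,2021-06-30
FOC0000BBBB,C9200L-24P-4X,2021-06-30
FOC0000CCCC,WS-C2960X-24TS-L,2021-06-30
"""

# Assumed line formats (verify against real output from each platform you run).
SERIAL_RE = re.compile(r"^(?:System serial number\s*:\s*|Processor board ID\s+)(\S+)", re.M)
MODEL_RE = re.compile(r"^Model [Nn]umber\s*:\s*(\S+)", re.M)


def parse_show_version(text: str) -> dict:
    """Pull serial and model out of raw show-version text; missing fields come back as None."""
    serial = SERIAL_RE.search(text)
    model = MODEL_RE.search(text)
    return {"serial": serial.group(1) if serial else None,
            "model": model.group(1) if model else None}


def reconcile(outputs: dict, contract_csv: str) -> dict:
    """Compare what was seen on devices with what the contract says, in both directions."""
    contract = {row["serial"].strip(): row for row in csv.DictReader(io.StringIO(contract_csv))}
    seen = {}
    for host, text in outputs.items():
        info = parse_show_version(text)
        if info["serial"]:
            seen[info["serial"]] = {"host": host, **info}
    covered = sorted(s for s in seen if s in contract)
    decommissioned = sorted(s for s in contract if s not in seen)    # on contract, not found: drop it
    uncovered = sorted(s for s in seen if s not in contract)          # in production, not covered: add it
    model_mismatch = sorted(s for s in covered
                            if seen[s]["model"] and seen[s]["model"] != contract[s]["model"])
    return {"covered": covered, "decommissioned": decommissioned,
            "uncovered": uncovered, "model_mismatch": model_mismatch}


def unparsed_hosts(outputs: dict):
    """Hosts whose output yielded no serial: the regexes need extending for that platform."""
    return sorted(h for h, t in outputs.items() if not parse_show_version(t)["serial"])
```

When you do get credentials, the same `parse_show_version` drops straight into a Nornir or Netmiko loop that runs `show version` (and `show running-config` for the backups you want) against the inventory, which is the step where a framework pays off; until then, `unparsed_hosts` tells you which pasted outputs the regexes did not understand, so a missed serial is a visible gap rather than a silent one.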
Wireless Network Bridge Recommendations Posted: 30 Apr 2021 08:18 AM PDT Looking for recommendations on a wireless network bridge for commercial use. I am looking for something with at least 150+ Mbps and preferably 5GHz. I only need range for about 500 feet, but the stronger the better. The other building typically only gets about 10 Mbps download on a good day, so anything to make that better. TIA
Best way to share a printer between networks? Posted: 30 Apr 2021 09:18 AM PDT Small office, ~20 people. There are two companies sharing space; they already have a big Ricoh MFP with one NIC. The two networks are physically segregated, one using a Sonicwall TZ600 (IP range is 172.16.10.0 /16), the other a basic little TP-Link router with 192.168.2.0 /24. The printer is attached to the larger Sonicwall network. Both companies have their own separate internet connections; the TP-Link company is just getting DHCP from their local ISP. The Sonicwall company has public IPs. My question is what is the best way to share this device between networks. Both companies want full usage of it, meaning the ability to scan as well as print. My thought was to take the Ricoh out of the switch (it is currently on the 172 network), give it its own port on the Sonicwall and its own network, and create an access rule allowing traffic from the 172 network back and forth to the Ricoh. Then, on the TP-Link router, set up a 1-to-1 NAT and assign an IP for the Ricoh. Plug the TP-Link LAN port into a Sonicwall LAN port and repeat the access rule process, allowing traffic from the 192 network to reach the Ricoh. If I'm imagineering correctly, this will allow both networks to send and receive data from the Ricoh but will not allow the 192 network to see the 172 network.
NXOS/ACI QSFP+ to 4x10Gb Breakout Port-numbering (in)consistency? Posted: 30 Apr 2021 02:30 AM PDT So recently I've been testing various optics on a 9336YC-FX2 (ACI 40/100Gb-only switch) connected to a 40Gb blade on a 7706, and was trying to configure the ports into 4x10Gb breakout interfaces as I don't need so many dedicated 40Gb cross-connects in and out of the ACI fabric. My first test was with a WSP-Q40GLR4L, and this worked except that for some reason port 1 of the 4 breakout 10Gb interfaces came online briefly, then went down and remained permanently down without any real error log to hint at why. Otherwise, the port numbering matched one for one on both the ACI and NXOS sides, and I just sort of assumed that would be the case. Next I tried a QSFP-40G-SR-BD, and unlike the single-mode module, all 4 lanes came online. However, the port numbering was now shifted. Instead of 1-1 ... 4-4, it was now 1-3, 2-4, 3-1, 4-2. I guess I just assumed that each of the 1300nm lanes would get assigned the same numbering after being converted to breakout interfaces, but I suppose that is not always the case. Is this normal behavior? Do I have some bad modules? Is there any way to manually change or assign the breakout interfaces? Both sets of QSFP+s are genuine Cisco. Also, not sure if it matters, but the configs for the breakout on either side were not torn out between module swaps. They were left in place and the module was simply changed.
Without including loops or misconfigurations, what is the world record for most router hops a packet had to take from a source to a destination? Posted: 30 Apr 2021 04:23 AM PDT Topic. Edit: downvotes? Why? Do you not take great pride and passion as a network engineer? This question should inspire a lot of joy and appreciation of your chosen trade! Edit 2: OK, I'll reword it into a smarter question: is there any legitimate destination you can't reach from certain sources due to packet TTL?