
    Tuesday, April 27, 2021

    Campus to Data Center spine-leaf Networking

    Campus to Data Center spine-leaf

    Posted: 27 Apr 2021 07:38 AM PDT

    I know this has been discussed here, in different iterations, but for the life of me, I'm not finding the perspective I need on this.

    Complete campus redesign, including the basement DC, and now would be the time to do it. If we were to convert from a classic 3-tier campus network to a spine-leaf, what is the simplest/preferred method for tying the rest of the office network into the new DC design? I keep going back and forth between carving out a core/distribution and connecting that to a leaf to have a defined delineation (and maybe a safety blanket) between the old way of networking and the new... Or does it make more sense (mostly cost) to simply tie access closets to a pair of dedicated leafs and use those as my aggregation point? I appreciate relevant perspectives on this. Also, just know I feel like a noob for asking this.

    submitted by /u/NSH_IT_Nerd

    Link saturation without dropping pings?

    Posted: 27 Apr 2021 03:26 PM PDT

    We have a very simple network and have recently been getting complaints of Zoom video issues. Our 2gbps ISP link has been close to fully saturated (~1.7 / 1.8 gbps according to our in-line filter's statistics) during the time when users complain. Zoom has a handy statistics window that shows packet loss on the receive side for video of our users' connections. I've verified it does not happen off network. It's a little hard to try to packet capture because this is a combination of TCP 443 traffic and UDP 8801 traffic coming from the Zoom servers and I don't think I can do a packet capture that would show the loss because I don't have every UDP packet being captured at the Zoom egress server link to compare for loss.

    I tested outside of my firewall and web filter to rule all of that out and if I use our backup ISP, we don't see the issue (Our backup ISP is not being utilized right now for reasons outside of all of this so it's got a lot of available bandwidth). I talked to the ISP and they said they did not see any issues and the only thing they said was the link WAS saturated at points during the day and that UDP handles drops far worse than other traffic (duh). They've set some Zoom QOS to try and solve the problem but I will have to see how it goes tomorrow. My only issue with the theory is I've been running MTR and pings to public hosts all week and have not dropped a single packet to them.

    Any thoughts on what this might be, if ICMPs should be lost if it was saturation, and what recommendations on troubleshooting strategies would be are greatly appreciated.

    Thanks in advance!

    submitted by /u/mcflyatl

    East/West Encryption

    Posted: 27 Apr 2021 10:17 AM PDT

    I'm looking for solutions to encrypt EW traffic on Brocade devices. I've started looking into MACsec and ISL encryption. We had a solution from Unisys but it has too many issues.

    Edit: Each customer we support has their own enclave with various Windows and Linux VMs. We're looking at encrypting the traffic between those various VMs. We use other methods of encryption when those devices send NS traffic. We're currently using Brocade VDX6740s and will be upgrading in the future.

    submitted by /u/jer9009

    Jumbo Frames, let’s talk about it.

    Posted: 26 Apr 2021 08:00 PM PDT

    I always see some of the comments agree. Some portion agree with tweaking it or leaving it as is. This makes it extremely hard, as a rookie, to determine what is the proper step to best optimize an environment. When it comes to performance tuning an environment, what is the official recommendation? Is the other half of the comments just saying to leave things default because they don't understand something? Is the other half stating to do things just for a 0.9% performance increase? Is it an ego or self-pride thing? Is it a vendor-oriented device thing? Which white paper do I confirm to begin coming up with a solution? I'm genuinely fucking lost. Please fuck me up with knowledge, I beg you.

    Edit: Upvotes for everybody

    submitted by /u/Thuglife42069

    Looking for a tester to find throughput for fiber

    Posted: 27 Apr 2021 02:37 PM PDT

    I have been tasked to find a tester to test a section of MM in an old building to see if it has any issues.

    I'm partial to Fluke testers, but if anyone has experience with another brand. We're limited to $3000.00.

    (I put throughput in header, can't delete... please down vote for my ignorance)

    Thanks

    submitted by /u/racerx21

    Bird and Quagga compatibility - multicast

    Posted: 27 Apr 2021 01:23 PM PDT

    I was tasked with deploying IP multicast routing on our servers using PIM. The servers currently run BIRD and a custom application on top of that for configuration.

    Since BIRD doesn't support PIM and I don't really feel comfortable touching the old code for the config app (which to my understanding was mostly built by copy pasting from StackOverflow so you can imagine how horrid the code looks, but hey, it works), I want to ask first: would it be possible to keep BIRD for RIP/OSPF and only use Quagga for its PIM daemon, since pimd requires Quagga to function and I couldn't find anywhere if the two routing daemons are interoperable? Or will I have an easier time going with just Quagga?

    submitted by /u/ShipwreckOnAsteroid

    SDWAN | Interpret Viptela Service Chaining?

    Posted: 27 Apr 2021 12:45 PM PDT

    Hello, I would like to know the meaning of the service chain configuration below. The situation is that I encountered an issue where we ran a packet capture end-to-end, but from the 3rd party (cloud security provider) side I'm seeing that somehow the packets from the branch get translated, since the public IP I saw in the 3rd party capture is an IP from the Data center.

    The setup is that from the branch site we are forwarding the HTTP/HTTPS traffic to 3rd party sec. provider.

    From my assumption, this is the traffic flow for web/https? https://ibb.co/2ZYmrxn

    a. Hub - vEdge Configuration

    vpn 10
     service FW address 192.17.1.254   (Forti firewall)
     service netsvc1 interface gre1

    b. vSmart Configuration

    site-list CUST_SID
     site-id 123
    policy
     site-list CUST_SID
      control-policy CUST-CP-Out out
      data-policy CUST_DATA-POLICY from-service
      cflowd-template CF_AP
     control-policy CUST-CP-Out
      sequence 60
       match
        route
         site-list CUST_SID   (site-id 123)
       !
       action accept
        set
         service FW tloc-list MY-TLOC-LIST
     tloc-list MY-TLOC-LIST
      tloc 10.78.250.196 color mpls encap ipsec preference 100
      tloc 10.78.250.197 color mpls encap ipsec preference 50
      tloc 10.78.251.132 color mpls encap ipsec preference 200
      tloc 10.78.251.133 color mpls encap ipsec preference 150
      tloc 10.78.251.133 color metro-ethernet encap ipsec preference 150
      tloc 10.78.251.133 color biz-internet encap ipsec preference 150
      tloc 10.78.251.133 color public-internet encap ipsec preference 150
     data-policy CUST_DATA-POLICY
      sequence 100
       match
        source-ip 0.0.0.0/0
        destination-port 443 80
       !
       action accept
        count 100
        cflowd
        set
         service netsvc1 local
     cflowd-template CF_AP
      flow-inactive-timeout 120
      collector vpn 10 address 10.10.48.54 port 2055 transport transport_udp source-interface loopback10

    c. Branch - vEdge

    vpn 10
     service netsvc1 interface gre1

    QUESTION:
    1. Based on the above diagram, is that the correct flow? From the branch site it will be forwarded to the hub, then to the firewall?
    2. How do the Hub and Firewall handle the reply/return traffic back to the branch site and then to the target destination? Since the source IP address has already been translated to a public IP, is it going to be based on src/dst IP or TLOC etc.?
    3. In terms of the return traffic from the actual target destination, what will happen? Does it go to Brand -> hub -> FW (NAT back to private IP) -> hub to branch -> Client? What is the correct process?
    4. As you can see we also have a service netsvc1. What is the purpose of this? Are we going to use this first?
    5. What show command or test can be performed to validate the flow?

    Thanks for your inputs, kinda confused here.

    submitted by /u/1searching

    dACL isn't being downloaded to Cisco 3750X

    Posted: 27 Apr 2021 11:29 AM PDT

    I am working on an ISE project to implement posturing and compliance for our client machines. We created a test NAD (a used 3750X with IOS 15.0(2)SE12 because we're still using old-style commands on our production 3850s running version 3 of IOS-XE). One of the issues we're running into is that the test client authenticates to ISE from the test NAD but the dACL isn't downloaded to the switch. We're currently running ISE 2.6 patch 6 atm and I can see that the test NAD is able to talk to ISE using the configured PSKs on the switch and ISE NAD settings.

    Would anyone have an idea of what is causing this to happen?

    submitted by /u/rezadential

    BGP equivalent route map CISCO-MIKROTIK

    Posted: 27 Apr 2021 09:37 AM PDT

    I have a question. On MikroTik routers you can add an inbound routing filter with action=reject.

    Which will add the route in the routing table but as inactive.

    Is there an equivalent route map command in cisco that would do that?

    submitted by /u/kargchris

    Carrier grade NAT

    Posted: 27 Apr 2021 08:10 AM PDT

    How do you implement carrier grade NAT?

    My company is looking to adopt an m&a strategy, acquiring 10 to 50 businesses over the next 1 to 5 years. We are trying to figure out how to account for whenever one or several of these entities have overlapping private IP space with our own. We are planning on integrating them into our domain so we need connectivity to their DCs but we are certain that inevitably one or more of these acquired companies will overlap with our IPs.

    What are some strategies, aside obviously from re-IPing, for implementing NAT at the edge?

    submitted by /u/throwaway9682974
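    As an added illustration of the "NAT at the edge" approach the question is about (example code, not from the post or any commenter): a planning helper that finds which of an acquired company's prefixes collide with ours and gives each one a unique, same-size prefix out of RFC 6598 shared address space (100.64.0.0/10) for 1:1 static NAT, leaving non-colliding prefixes routed natively. The address plans and entity names are constructed.

```python
from ipaddress import ip_network

# Constructed address plans (not from the post): our own space and two acquired entities.
OUR_PREFIXES = ["10.0.0.0/16", "10.20.0.0/16", "192.168.1.0/24"]
ACQUIRED = {
    "acme": ["10.0.5.0/24", "172.16.0.0/20"],
    "globex": ["10.20.7.0/24", "10.20.9.0/24", "192.168.50.0/24"],
}
# RFC 6598 shared address space, set aside for carrier-grade NAT; assumed here as the
# pool from which every colliding prefix gets a unique translated prefix.
TRANSLATION_POOL = ip_network("100.64.0.0/10")


def overlapping(prefixes, ours):
    """Return the acquired prefixes that collide with any of our own prefixes."""
    ours_n = [ip_network(p) for p in ours]
    return [p for p in prefixes if any(ip_network(p).overlaps(o) for o in ours_n)]


def plan_static_nat(entities, ours, pool=TRANSLATION_POOL):
    """Map every colliding prefix to a same-size, unique prefix from the pool (1:1 static NAT).

    Only the overlap is translated at the edge; non-colliding prefixes are left alone,
    so hosts on both sides keep their real addresses wherever that is possible.
    """
    if any(pool.overlaps(ip_network(p)) for p in ours):
        raise ValueError("translation pool collides with our own space")
    plan = {}
    cursor = int(pool.network_address)
    end = int(pool.broadcast_address) + 1
    for name, prefixes in sorted(entities.items()):
        for p in overlapping(prefixes, ours):
            net = ip_network(p)
            size = net.num_addresses
            cursor = (cursor + size - 1) // size * size  # align to the prefix size
            if cursor + size > end:
                raise RuntimeError("translation pool exhausted")
            plan[(name, p)] = str(ip_network((cursor, net.prefixlen)))
            cursor += size
    return plan


if __name__ == "__main__":
    for (entity, real), translated in plan_static_nat(ACQUIRED, OUR_PREFIXES).items():
        print(f"{entity}: {real} -> {translated}")
```

    The translated prefixes are what the rest of the domain (and DNS) sees for the acquired hosts; the acquired side keeps its addresses until it is eventually re-IPed.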

    JunOS upgrade on 550HM fails

    Posted: 27 Apr 2021 07:53 AM PDT

    Has anyone seen this error message when going from 15.1X49 to anything other than a later release of 15.1X49?

    https://pastebin.com/6F7ThZkp

    I've googled around and there doesn't seem to be a solution for this other than reimaging the system? This happens with basically any and all versions. It upgrades successfully if I add the no-validate flag.

    submitted by /u/kur1j

    Why should Network Engineers learn Linux?

    Posted: 26 Apr 2021 11:05 PM PDT

    Hello. I had an interesting debate at work regarding this question: Why should Network Engineers learn Linux?

    Some people think we should learn Linux for X reasons, other people think that learning Linux is pointless for Y reasons.

    Based on your experience, what do you think?

    submitted by /u/EnriqueGabrielC

    How does Cisco Partner smartnet work?

    Posted: 27 Apr 2021 07:23 AM PDT

    So I have a smartnet for a Cisco device via a Cisco partner. They provide the first few tiers of support and can send me IOS files when I need them.

    I checked with the Cisco sncheck tool and it says there is no support. The provider's engineer said this is normal and they will still provide the support etc.

    This doesn't sound right to me? Surely if Cisco say it's not in support then I'm not legally entitled to software updates and TAC support?

    Does anyone know where it says in the partner agreement with Cisco that every device needs an agreement, or am I wrong?

    submitted by /u/BulkyRisk

    One of our Buildings Suddenly Went Down Offline This Weekend

    Posted: 27 Apr 2021 06:57 AM PDT

    Hi all,

    We had a network outage in one of our buildings on the weekend just gone. I wasn't on-call so my colleague had to deal with it.

    The building access layer switches all connect back to a distribution switch stack (a stack of two Cisco Cat 9200L units - yes I know 9200L is an access layer switch but there's barely any load on them) and from this switch stack we have a cross stack ether-channel that connects back to our two main server rooms on-site, our "core" Cisco C-6509 VSS chassis pair using a Layer 2 MEC. Luckily, I recently built a new syslog server so we do have some logs to help show what happened during this outage. It happened on Sunday 25th March at 4:16am. Here's the syslog for the switch stack and the core side:

    https://github.com/smartiedude/Issues/blob/main/2021-04-25--Syslog.txt-switch-stack1.txt

    https://github.com/smartiedude/Issues/blob/main/2021-04-25--Syslog--core-6509-side.txt

    I've also attached a gif showing a picture of the topology to help you visualize it:

    https://github.com/smartiedude/Issues/blob/main/Drawing2.gif

    Looking at the switch stack side logs I can see that both stack members have reloaded... Chassis 2, followed by Chassis 1... in the stack. I have no idea why this happened. I have some questions I don't understand that I was hoping you might be able to help me make some sense of....

    • Why did the switch stack suddenly decide to reload on its own at 4am?
    • On the core side logs, the two interfaces on the "core" C-6509 VSS chassis in both server rooms went into an 'error disabled' state. Why is this? There's two logs on the core side at 04:17:57 that indicate this was because of a "channel-misconfig error" but I don't understand why a switch stack chassis member going down at the other end would suddenly be classified as a misconfig error.
    • Why did STP start flapping on Po22 on the core side? I was under the impression that if one of the Po members dies then STP should remain stable because the Po22 and all its members are considered one individual link.

    My colleague didn't quite understand what happened or what caused the outage at the time he was called. All he told me was that he logged into the core side and brought the two downward facing interfaces back up by 'shut', 'no shut' to get them out of err-disabled state on the core side (which you can see in the logs because I've got command archiving being logged too so I can see what commands anyone entered on the CLI) and it all started working again. He didn't know that both chassis had actually reloaded on the downstream building side switch stack until I showed him in the logs afterwards.

    Any info, advice or experience is welcomed.

    Thank you my friends.

    submitted by /u/smartiedude

    Rx Errors on Aruba 6200f

    Posted: 27 Apr 2021 06:57 AM PDT

    I recently upgraded from an Aruba 2530 series switch to an Aruba 6200f series switch. About 2 days later all of our Infinias door controllers on this one switch start showing up as disconnected in Infinias. Ping reveals a ton of packet loss. We power cycle the door controllers get about 10 good pings then they start dropping packets again.

    The interfaces show high Rx errors and CRC/FCS as well. I then think maybe I needed to set the port speed, so I research and see that the door controllers are 10-T Ethernet and set the port to speed 10-full. I then power cycle the door controllers (they are PoE).

    That doesn't work so I set them to 10-Half and power cycle the door controllers again. That Still didn't work so I then set them back to 10-full and power cycle the switch. All appears fine now...

    I'm not seeing anything stand out in the logs... This is all the logs show now.

    2021-04-27T02:11:40.070115+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO|MSTR|1|CDP neighbor 00:22:ee:12:23:66 is updated on 1/1/5
    2021-04-27T02:11:34.058368+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO|MSTR|1|CDP neighbor 2c:f8:9b:50:de:0f is updated on 1/1/48
    2021-04-27T02:11:10.623885+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO| Throttled 1 Messages
    2021-04-27T02:10:40.042534+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO|MSTR|1|CDP neighbor 00:22:ee:12:23:66 is updated on 1/1/5
    2021-04-27T02:10:35.658218+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO|MSTR|1|CDP neighbor 2c:f8:9b:50:de:0f is updated on 1/1/48
    2021-04-27T02:10:10.026049+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO|MSTR|1|CDP neighbor 00:22:ee:12:23:66 is updated on 1/1/5
    2021-04-27T02:09:45.618456+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO| Throttled 1 Messages
    2021-04-27T02:09:40.022143+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO|MSTR|1|CDP neighbor 00:22:ee:12:23:66 is updated on 1/1/5
    2021-04-27T02:09:10.014050+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO|MSTR|1|CDP neighbor 00:22:ee:12:23:66 is updated on 1/1/5
    2021-04-27T02:08:46.189502+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO|MSTR|1|CDP neighbor 2c:f8:9b:50:de:0f is updated on 1/1/48
    2021-04-27T02:08:40.614158+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO| Throttled 1 Messages
    2021-04-27T02:08:09.994235+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO|MSTR|1|CDP neighbor 00:22:ee:12:23:66 is updated on 1/1/5
    2021-04-27T02:07:51.277628+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO|MSTR|1|CDP neighbor 2c:f8:9b:50:de:0f is updated on 1/1/48
    2021-04-27T02:07:39.986369+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO|MSTR|1|CDP neighbor 00:22:ee:12:23:66 is updated on 1/1/5
    2021-04-27T02:07:10.608433+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO| Throttled 1 Messages

    Port 5 is connected to a phone and port 48 is connected to our ISP's network. Either way, not sure if what I'm now seeing in the logs is normal.

    submitted by /u/Talgonadia
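    An added example (not from the post or any commenter) of the check a practitioner would run over that switch output: a parser for the pipe-delimited layout quoted above that summarises, per port, how many CDP neighbor updates arrived, how many distinct neighbor MACs were seen, and the shortest gap between updates, so a single neighbor refreshing at a steady interval (normal CDP behaviour) can be told apart from a port cycling through neighbors or updating far too often. The sample lines are constructed in the post's format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same layout as the post's output
# (timestamp host daemon[pid]: Event|id|severity|...|message); not a real capture.
SAMPLE_LOG = """\
2021-04-27T02:11:40.070115+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO|MSTR|1|CDP neighbor 00:22:ee:12:23:66 is updated on 1/1/5
2021-04-27T02:11:34.058368+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO|MSTR|1|CDP neighbor 2c:f8:9b:50:de:0f is updated on 1/1/48
2021-04-27T02:11:10.623885+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO| Throttled 1 Messages
2021-04-27T02:10:40.042534+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO|MSTR|1|CDP neighbor 00:22:ee:12:23:66 is updated on 1/1/5
2021-04-27T02:10:10.026049+00:00 Switch1 cdpd[3076]: Event|8904|LOG_INFO|MSTR|1|CDP neighbor 00:22:ee:12:23:66 is updated on 1/1/5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<daemon>\w+)\[(?P<pid>\d+)\]:\s+"
    r"Event\|(?P<event>\d+)\|(?P<sev>\w+)\|(?P<rest>.*)$"
)
NEIGHBOR_RE = re.compile(
    r"CDP neighbor (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) is updated on (?P<port>\S+)"
)


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    n = NEIGHBOR_RE.search(rec["rest"])
    rec["mac"] = n.group("mac") if n else None
    rec["port"] = n.group("port") if n else None
    rec["throttled"] = "Throttled" in rec["rest"]
    return rec


def summarize(text):
    """Per-port update count, distinct neighbor MACs and shortest gap between updates."""
    ports = defaultdict(lambda: {"updates": 0, "macs": set(), "times": []})
    throttled = 0
    for rec in filter(None, map(parse_line, text.splitlines())):
        throttled += rec["throttled"]
        if rec["port"]:
            p = ports[rec["port"]]
            p["updates"] += 1
            p["macs"].add(rec["mac"])
            p["times"].append(rec["ts"])
    result = {"throttled": throttled, "ports": {}}
    for port, p in ports.items():
        times = sorted(p["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # one MAC refreshing at a steady gap is a normal CDP refresh; several MACs or
        # sub-second gaps on one port are the signature of a flapping or looped link
        result["ports"][port] = {"updates": p["updates"], "macs": sorted(p["macs"]),
                                 "min_gap_s": min(gaps) if gaps else None,
                                 "churn": len(p["macs"]) > 1}
    return result
```

    Run `summarize(open("switch.log").read())` on a longer export to get the same per-port table for every interface the switch logged.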

    SAN network design advice

    Posted: 27 Apr 2021 06:45 AM PDT

    Our Storage Network engineer recently left the company and I inherited his responsibilities. We have a dual-Fabric SAN including 10 Switches per Fabric. There is a mix of 8 Gb Cisco MDS 9513, 16 Gb Cisco MDS 9710 & 32 Gb Cisco MDS 9710 running in a partial mesh topology.

    The partial mesh topology doesn't seem logical to me but I got told it's a result of our growing infrastructure without thinking of a proper topology, for example a Core-Edge topology.

    First of all, our SAN works and we don't need to put a lot of effort or resources in it. I'm now 2 years with this company and we haven't had any serious issues so far. So I'm cautious to make any changes.

    We have different VSANs and template starter zones in place for most of our Storage Systems. Whenever a new server needs to be zoned the template zone is copied and the server WWNs are added. I don't know if this is a general best practice but it seems to work and causes no problems. There is always the possibility someone removes all the zonings in a VSAN by accident but we do regularly take zone back-ups.

    I've been reading about Cisco Smart zoning but I don't see much value for our company. What do you guys think? Any advice for my position? I have more of a Sysadmin background so this SAN Network is a bit new for me but I'm eager to learn.

    submitted by /u/DrLoveBeats

    Dell Force10 Stacking - does it create bottlenecks?

    Posted: 26 Apr 2021 06:35 PM PDT

    When stacking 2 x s4810 switches (stacking, not VLT, MLAG, LACP, VSS, etc. ), are you limited to a 40Gbps link? There's no way to utilize more than one of the 40Gbps ports?

    Within one switch, the fabric capacity is 640Gbps. So 40 is pretty darn limiting in comparison, no?

    submitted by /u/MediaComposerMan
