Networking: Looking for advice on a TACACS+ server or appliance
Looking for advice on a TACACS+ server or appliance
Posted: 30 Jun 2021 08:34 AM PDT
Currently have authentication being handled by a RADIUS server for our network equipment, but I want the full gamut of AAA, specifically the Accounting part. I want to be able to log every action an admin takes on all network equipment, i.e. Cisco/Palo Alto. We only have about 30 routers/switches and 9 firewalls, and only 5 admins that would access the devices and who could possibly make changes. ISE is pricey. I am looking into TACACS.net but looking for the easiest-to-configure option.
How/Why would ping fix an internet connection?
Posted: 30 Jun 2021 07:04 AM PDT
I cannot understand why pinging google.com would restore an internet connection to a PC. I wouldn't believe it if I had not seen it multiple times on our network at work. Is it a misconfiguration somewhere in our network that would cause this behavior? My guess is something to do with the router, but I am not sure. The scenario is: a user calls with no internet; they can't navigate the internet or connect to internal shared drives. Without doing anything else, ping almost any external website, and everything will work again. I can't figure out why that fixes the connection. Our network technician told me it "kickstarts" the connection. If anyone could let me know why or how this works, I would love to know. If you have any resources to point me to so I can figure it out myself, that works too. I am at a loss.
UPDATE: THANK YOU to everyone commenting. It is helping me understand this issue much better. I am new to this level of troubleshooting and want to learn more. I have posted here before and been completely roasted. I don't mind that the post has 0 karma; this is incredibly helpful. Thanks again.
Difference between ipsec configurations.
Posted: 30 Jun 2021 01:08 PM PDT
So I inherited an IPsec DMVPN config from the previous person in my position, and it has a different configuration than I'm used to seeing. However, I'm far from that experienced configuring IPsec on routers. The config that I see that seems to be best practice would look something like:
--------------------------------------------
    crypto isakmp policy 1
     authentication pre-share
     encryption aes 256
     hash sha256
    crypto isakmp key ciscokey address 0.0.0.0 0.0.0.0
    !
    crypto ipsec transform-set trans2 esp-des esp-md5-hmac
     mode transport
    !
    crypto ipsec profile vpnprof
     set transform-set trans2
------------------------------------------------
Now the config that I inherited is more like this:
-----------------------------------------------------------------
    crypto ikev2 keyring KEYRING
     peer Next-Hop
      identity address 0.0.0.0
      pre-shared-key local 6 c\DQCHU]PDbPXEYVXJKFDJSLF9808FDLLJL
      pre-shared-key remote 6 ]NPfeGHHfZEVT^BA]_O[hQhFD435464FGFGF
    !
    crypto ikev2 profile IKEV2-PROFILE
     match identity remote address 0.0.0.0
     authentication remote pre-share
     authentication local pre-share
     keyring local KEYRING
     dpd 30 5 periodic
    !
    crypto ipsec transform-set TRANSFORM esp-aes 256 esp-sha256-hmac
     mode tunnel
    !
    crypto ipsec profile DMVPN-21
     set transform-set TRANSFORM
     set ikev2-profile IKEV2-PROFILE
-----------------------------------------------------------------
I don't see any Cisco guides exactly suggesting going with the way we have it, and I'm not really sure what the pros and cons are of each. Anyone have any ideas or can point me in the right direction?
Thoughts on Fortinet?
Posted: 29 Jun 2021 07:08 PM PDT
From what I have seen, their products seem to be really well engineered and they have a lot of nice-to-have features. But the sales process with them has been so miserable I'm tempted to look elsewhere. Getting a quote for specifically what I ask for has been next to impossible. A good example is that I'm looking to purchase between 11 and 20 FortiGates, and for a FortiManager VM I was quoted correctly on the initial licensing, but on the renewal they quoted 100+ devices, and they didn't even quote me on FortiAnalyzer like I asked for… That, and I don't even think they can explain the difference between the cloud offerings with the 360 protection bundle and going with virtual machines on premise, because every time I ask the same question about functionality I get a different answer, and that answer usually is not correct per documentation I find after discussions with them… I really do like the threat protection features I have seen and read about in the documentation, but I'm open to other solutions if it's going to be this difficult to actually get pricing so I can work on actually budgeting everything. On another note, what are everyone's thoughts on their switches and access points and how they are integrated into the FortiGates? It looks interesting, but I have a preference for Juniper switches, and UniFi seems much more cost effective for wireless. But if you don't go with their entire product line, are you really getting your money's worth with FortiManager? Also, is anyone able to explain the difference between their 360 protection bundle and going with FortiManager and Analyzer as a virtual machine? I would really appreciate all of the help I can get with this.
Does the software landscape affect your choice for a new job?
Posted: 30 Jun 2021 02:59 AM PDT
Hi r/networking, I am currently in conversations with some companies for a possible new job. Now I'm curious how most of you guys would handle this situation. One of the companies stands out, but they are exclusively Citrix based, also for their IT workstations. Personally, some time has passed since I last used it, but I dislike not having full control. Also, some other software choices of this company bug me. Their network is quite interesting and I genuinely see opportunities. I feel like I'm overcomplicating things, but admins/engineers that are not in full control of their 'own' workstation could -potentially- stress me out. Of course I do not know all the details. I do know BYOD is out of the question. So basically the title. Curious how some of you might have handled this.
Cisco ASA ECMP without Traffic Zones?
Posted: 30 Jun 2021 01:23 PM PDT
I just re-configured our firewall(s) (HA pair) in one of our data centers to receive a default route from both of our internet routers via BGP. We're running a pair of ASA5545x's on 9.12(3)12. These connect to a set of switches that also connect to the two internet routers. There is only ONE outside interface, as it's able to see both routers over the same VLAN through the switch. Everything is mostly working, except ECMP. In lab I had this working perfectly, but it looks like when I moved the config to production, the
If I do need to apply this command to get it to work, what does this mean for my S2S tunnel? And would such a change be traffic-affecting? Kinda frustrating that the entire reason for me redesigning things this way was to get load-balancing (at least on outbound traffic). (To be fair, it was also to do away with HSRP between the routers, but load-balancing was the primary reason.) If anyone has any advice, I'd really appreciate it! Also, if you need a config snippet, I'd be happy to provide. Thanks!!
Is it possible to have a site-to-site VPN with both sites on same subnet (temporary configuration while moving to new building)
Posted: 30 Jun 2021 12:37 PM PDT
I have a customer that is in the process of moving to a new building 1km down the road. They would like to keep the network up and usable while they move things one piece/department at a time. They have Windows servers with the PCs joined to Active Directory and file shares. They have a site-to-site ZyXEL VPN set up between the two locations, but to accomplish that, they created a new subnet for the new location. This is going to be a serious issue when they move the servers. Either the servers will need to be re-addressed, making the move 10x more complicated, or we'll need to find a way to keep both sites on the original subnet across the VPN. Is this possible? I found some articles about this, but they seemed to be related to point-to-site (mobile) VPNs rather than site-to-site. The other option I thought of is a PTP wireless bridge, but there are a few trees and buildings nearby that might make this too expensive.
How many IP addresses do I need in my NAT pool?
Posted: 30 Jun 2021 12:26 PM PDT
I'm standing up a network for a temporary event. We expect that we'll have a max of ~15k clients (90% smartphones) connected concurrently. I have been assigned a /27 from the ISP and am trying to determine how many IP addresses I need to devote to NAT. Are there any best practices as to how many clients you can NAT behind a single public IP?
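A rough PAT capacity model for the numbers in this post (~15k concurrent clients behind a /27), added here as an example and not part of the post. It assumes each public address offers the 1024-65535 source-port range for translations, keeps a 70% headroom margin so no address runs its port table dry under bursts, and treats the per-client concurrent-session figure as an assumption to be replaced with measured data.

```python
# Added example (not from the post): size a PAT pool for ~15k event clients
# behind an ISP /27. Assumptions: ports 1024-65535 are usable per public IP,
# 70% headroom is kept per address, and sessions_per_client is a guess that
# should be replaced with figures measured on the actual client mix.
import math

PORTS_PER_IP = 65535 - 1024 + 1  # 64512 translation ports per public address


def usable_pool_addresses(prefix_len: int, reserved: int = 3) -> int:
    """Addresses in the ISP block minus network, broadcast and the
    router's own outside address (reserved=3)."""
    return 2 ** (32 - prefix_len) - reserved


def nat_ips_needed(clients: int, sessions_per_client: int,
                   ports_per_ip: int = PORTS_PER_IP,
                   headroom: float = 0.7) -> int:
    """Public IPs so that, at planned load, each address uses at most
    `headroom` of its port budget (margin for bursts and TIME_WAIT)."""
    total_ports = clients * sessions_per_client
    return math.ceil(total_ports / (ports_per_ip * headroom))


def clients_per_ip(sessions_per_client: int,
                   ports_per_ip: int = PORTS_PER_IP,
                   headroom: float = 0.7) -> int:
    """How many clients one public address can carry within the headroom."""
    return int(ports_per_ip * headroom // sessions_per_client)


def plan(clients: int, sessions_per_client: int, prefix_len: int) -> dict:
    """Compare the addresses needed against what the assigned block offers."""
    need = nat_ips_needed(clients, sessions_per_client)
    have = usable_pool_addresses(prefix_len)
    return {
        "ips_needed": need,
        "ips_available": have,
        "fits": need <= have,
        "clients_per_ip": clients_per_ip(sessions_per_client),
    }


if __name__ == "__main__":
    # Walk a range of per-client session estimates for the /27 in the post.
    for spc in (20, 50, 100):
        print(f"{spc:>3} sessions/client ->", plan(15000, spc, 27))
```

The loop shows the sensitivity: the /27 covers 15k clients at 50 sessions each but not at 100, so the per-client estimate is the number worth measuring before the event.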
Appropriate staffing levels for Network Engineers, what seems to be the norm?
Posted: 30 Jun 2021 10:16 AM PDT
Hi inter-brains, I'm working in a badly understaffed unit. As we make the argument for more staff, it occurred to me that my understanding of an appropriate ratio of Sr. NEs and NEs to users is anecdotal at best. So what's the ratio of network staff to users where you are? And does it seem sane, or are you drowning continually? Do you have the staff to actually push technical initiatives forward, or are you doing a skeleton-crew, baling-wire, hold-it-together exercise? Looking forward to getting a sense of what the overall lay of the land is, thanks!
Advocate for EVPN-VXLAN over traditional L2 on new N9K deployment
Posted: 30 Jun 2021 09:32 AM PDT
Hello fellow networkers! I've just landed a gig to help rebuild a small-scale DC setup. I checked the BOMs to try to guess the amount of work to be done, and seeing a bunch of Nexus 9300 there - NX-OS only, no ACI - I assumed they wanted to deploy EVPN-VXLAN. That shop was previously running older Nexus and Catalysts in a classic 3-tier L2 design, and just told me they didn't consider deploying an overlay fabric and will stick to their old L2 design with MSTP. They just threw $300k on EVPN-capable boxes and don't plan on using their key feature, so I'm a bit puzzled. I mean, the Ops team is small, but not as incompetent as I saw in other similar businesses, and they seem able to leverage the stability and ease of debugging I appreciate with EVPN-VXLAN fabrics. We're talking about a dual-site setup, scaling up to 50 VM hosts and about 800 VMs, so it might make sense to stick to their old guns, but I may be missing something. In such a scenario, would you advocate for deploying an EVPN-VXLAN overlay, and if so, on what grounds? If not, how would you do it? Thanks!
Migration from FDM to FMC
Posted: 30 Jun 2021 09:30 AM PDT
Hi guys, I migrated 7 Cisco ASAs to Cisco FDM. We had so many issues with Cisco FDM, we hated it! It has a lot of bugs, terrible... We talked to Cisco and we got Cisco FMC. The problem is that we will have to migrate everything again from Cisco FDM to Cisco FMC. Is it possible to copy the Network and Port objects from FDM to FMC? REST API? Import/Export? Any tools? We have so many objects :( We have Cisco CDO, but FMC is read-only.
Cisco stacked 9300 with uplinks to McAfee NS9100, in-line to CheckPoint firewalls - MAC flapping?
Posted: 30 Jun 2021 08:09 AM PDT
Hi folks, I got in a weird situation of MAC flapping where my topology can be described as per title:
Let's call the inline pair on IPS-01 connecting the switch to the Active unit Gi1/0/24. The other pair (on IPS-02) is Gi2/0/24. Issue: when traffic from the F5 LTM VS returns to the outside client (traversing the firewalls), the MAC of the VS gets learnt on Gi2/0/24 (IPS-02, inline to the Standby firewall). This effectively makes the MAC of the F5 flap between Po1 and Gi2/0/24. SPANning ingress on port Gi2/0/24 and Po1 shows the exact issue. I was reading up on how McAfee IPS works in High Availability and came across this section: https://docs.mcafee.com/bundle/network-security-platform-9.1.x-product-guide/page/GUID-D5DA6F12-1C5D-414B-835C-FF00DCC27615.html
If this is the case, does the packet somehow loop back to port Gi2/0/24? I usually consider an in-line IPS to be working at L1, and the interconnecting port is only for syncing traffic state, but this seems to change my mind if it accidentally forwards the packet via the interconnecting port.
Meraki in retail distribution centers
Posted: 30 Jun 2021 08:05 AM PDT
I work for a retailer; we use Meraki full stack in our retail locations and it works great in that space. Of course we also have corporate offices, distribution centers and data centers. We use Cisco routing, switching and wireless in those areas. Our distribution centers are very wireless heavy and our biggest pain point from the network side. Got a new manager, and he wants to push Meraki switching in the corporate offices and the distribution centers. I hate the idea, but I'm trying to be open minded. The distribution center is already our biggest headache. The idea of losing the command line and having to troubleshoot from the dashboard could be enough for me to start looking. Has anyone else replaced Cisco switching with Meraki in a similar way? I'm curious what your experience is.
'Module disabled' error with GLC-LH-SMD SFP in Cisco 4431 router
Posted: 30 Jun 2021 07:49 AM PDT
I am plugging in a GLC-LH-SMD SFP and I get a "module disabled" error in the show log. I read through Cisco forums/docs and it says it should work for the Cisco IOS I have on the router. I have used a GLC-LH-SM and this SFP works, but NOT the GLC-LH-SMD. This is a WAN connection to the ISP using single-mode fiber. Any thoughts on why I'm getting this error? Thanks.
Edit: Router using Cisco IOS-XE 16.09.07
net_connect.send_command method in Netmiko Automation
Posted: 30 Jun 2021 10:25 AM PDT
Hi all, is anybody here good with Netmiko? I am trying to create an automated script to get information on the VRF forwarding table. Part of the snippet looks like this: https://hastebin.com/vodajagape.lua When I run the code with a sublist [['CN', 'GN']], the following error occurred: https://hastebin.com/risudevanu.sql If I run my script with a normal list ['CN', 'GN'], it runs 2 times for the first item (CN) in the list, and 8 times for the second item (GN) in the list. I also tried a simplified version, and it runs well without all the aforementioned issues. https://hastebin.com/ijaliwosad.lua I suspect it is the net_connect.send_command method that is unable to identify a str. Hope the pros can provide me some insights into this :)
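An added example of the pattern in question (not the poster's script, whose code is only on hastebin): one send_command call per VRF, where the VRF names arrive as a possibly nested list such as [['CN', 'GN']] and each command is built as a single str before it reaches Netmiko. It assumes a Cisco IOS device and uses "show ip route vrf <name>" as the per-VRF command; a small fake connection object stands in for Netmiko's ConnectHandler so the example runs offline and records what would have been sent.

```python
# Added example (not the poster's script). Assumptions: Cisco IOS device,
# per-VRF command "show ip route vrf <name>", VRF names given as a str,
# a list, or a nested list. FakeConnection is a constructed stand-in for
# netmiko.ConnectHandler so the example runs without a device.
from typing import Dict, List, Union

Names = Union[str, List["Names"]]


def flatten_vrfs(vrfs: Names) -> List[str]:
    """Return a flat list of VRF names.

    A bare str is one name (iterating 'CN' directly would yield the
    characters 'C' and 'N', i.e. one spurious call per character);
    nested lists are flattened; anything else is rejected before it can
    be handed to send_command."""
    if isinstance(vrfs, str):
        return [vrfs]
    out: List[str] = []
    for item in vrfs:
        if isinstance(item, (list, tuple)):
            out.extend(flatten_vrfs(list(item)))
        elif isinstance(item, str):
            out.append(item)
        else:
            raise TypeError(f"VRF name must be str, got {type(item).__name__}: {item!r}")
    return out


def collect_vrf_tables(net_connect, vrfs: Names) -> Dict[str, str]:
    """Send exactly one command per VRF and map each VRF to its output."""
    results: Dict[str, str] = {}
    for vrf in flatten_vrfs(vrfs):
        command = f"show ip route vrf {vrf}"  # always a single str
        results[vrf] = net_connect.send_command(command)
    return results


class FakeConnection:
    """Constructed stand-in for a Netmiko connection: it records every
    command string it receives and returns constructed output."""

    def __init__(self) -> None:
        self.sent: List[str] = []

    def send_command(self, command_string: str, **kwargs) -> str:
        if not isinstance(command_string, str):
            raise TypeError("send_command expects a str, not a list")
        self.sent.append(command_string)
        return f"Routing Table: {command_string.split()[-1]}\n(constructed output)"


if __name__ == "__main__":
    # Real use would be (assumed parameters):
    #   from netmiko import ConnectHandler
    #   net_connect = ConnectHandler(device_type="cisco_ios", host="10.0.0.1",
    #                                username="admin", password="...")
    conn = FakeConnection()
    for vrf, table in collect_vrf_tables(conn, [["CN", "GN"]]).items():
        print(vrf, "->", table.splitlines()[0])
```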
Comcast BGP question
Posted: 30 Jun 2021 06:17 AM PDT
I have a client that has 2 separate Comcast links (EDI with BGP). They have 2 Comcast routers, each going to a separate Comcast home office (sorry, don't know the correct term). The customer only wants to use one link at a time, with the other as a standby should the main fiber get damaged. I'm confused because, since they have 2 links with the same ISP, both are going back to the same Comcast AS. I guess what I am asking is: how do I configure my edge router to only prefer one link and advertise to the outside world to use that link? Sorry if this is stupid, but I am lost, and Comcast documentation seems to cover multi-homed connections with a different ISP.
Fortinet Switch behind a Sonicwall Firewall?
Posted: 30 Jun 2021 09:48 AM PDT
We need a NAC solution, and the solution we're going for is FortiNAC. Our current switches are not compatible, so we're replacing them with FortiSwitches. Any comment, or issue with having a Fortinet switch behind a SonicWall TZ400/470 firewall?
Cisco IOS XR - show tcam utilization
Posted: 30 Jun 2021 06:01 AM PDT
We are using Cisco IOS XR on a white box switch/router. I need to look up ACL TCAM resource utilization. I could do this easily on Catalyst systems in the past. This link details the commands. Unfortunately none of these commands work. I also am finding it difficult to find any documentation on the topic for Cisco IOS XR. How can I look up TCAM utilization for ACL entries on the box?
EDIT: I found using
Extreme Vs FS transceivers issues?
Posted: 30 Jun 2021 03:56 AM PDT
We are about to upgrade a batch of 44 Extreme x440 switches to x440-G2 switches and were going to use the FS.com 10301 compatible transceivers in them (which we've done with loads of other G2 switches). FS have come back to us and said they don't work in the G2 models, but are unwilling or unable to provide any further info other than that their fs002 solution will work. I've no idea what this fs002 solution is, they can't provide any information on it, and there is a 3-week lead time plus the shipping and tax from Asia to the UK. Has anybody come across this before and know what the issue is?
Thoughts on YANG
Posted: 30 Jun 2021 04:14 AM PDT
YANG is pretty cool. I've seen lots of videos and tutorials on the benefits of YANG, but I'm having trouble figuring out how I can use it on the client side during configuration generation or configuration linting. I've noticed that it looks like if I get a config via REST/NETCONF, the JSON response I get looks to be a mashing together of the device config with various YANG models. How exactly is that done server (router) side? Is it possible for me to combine a normal config with a YANG model to generate that JSON extrapolation to validate a config before I push it to a device? General question: how are you using the YANG model in your environment?
Low Speed on VxLAN Tunnel using OVS
Posted: 29 Jun 2021 10:11 PM PDT
Hi, I have two hosts and I installed OVS on both of them. Now I want to run VXLAN between these two switches. The commands I use for the VXLAN tunnel on the first switch:
and similarly for the other switch:
And now I can ping 10.11.12.14 from the other side of the tunnel (with lower than 1ms latency) and everything works just fine. The problem is low bandwidth on the tunnel interface. When on host1 (with IP 172.30.201.61) I iperf to host2 (172.30.0.103), the output shows near 1Gbps. But when I use the tunnel interfaces for iperf, the output shows near 100Kbps. I have Googled around but had no luck finding any useful document. Does anyone have an idea why the bandwidth is so low? BTW: I tried this type of configuration too and got the same results. Thanks!