
    Thursday, July 15, 2021

    What 20% of Networking knowledge gives you 80% of the effectiveness?

    Posted: 15 Jul 2021 01:53 PM PDT

    Also, were you to try to teach fundamental networking principles to someone with some decent exposure setting up default gateways and understanding the general OSI Model that would give them 80% of the results they'd need for a career in Networking (or, for my purposes, a technical interview), what would your study/practice recommendations be?

    submitted by /u/PhoenixOfStyx
    [link] [comments]

    How do you add a switch stack to Netbox

    Posted: 15 Jul 2021 07:15 AM PDT

    We are building a Netbox from the ground up and I'm about to start adding devices. I have a stack of 3850 switches and I'm trying to figure out the right way to add these to a site. The entire stack has the same host name, so do you guys add the multiple devices with the same hostname but with their unique SNs and Asset Tag Numbers? What's the best practice here?

    submitted by /u/bicho6
    [link] [comments]

    Testing Polarity on BiDirectional QSFP

    Posted: 15 Jul 2021 11:18 AM PDT

    I am adding some switches to an existing network using 40/100 QSFPs. Normally, I would just look to see which side of the fiber has light, shut one port or the other, connect the cable, and bring the port back up during a maintenance window.

    With the bi-directional QSFPs, both sides have light, but the polarity still matters. I'm using patch panels so I can't just make sure 1 goes to 1 and 2 goes to 2.

    I really don't want to have to come in at midnight to plug in some cables. Any ideas?

    Update: One side is still brighter than the other. If you can somehow view the light (without looking directly at it) with your naked eye, you'll see a bright side and dark side. After that, it's the same.

    submitted by /u/still_killing_it
    [link] [comments]

    Need public trusted certificate on Microsoft NPS RADIUS server with non-valid AD Domain (.local)

    Posted: 15 Jul 2021 02:12 PM PDT

    I apologize if this is too simple a question, but we recently lost our SSL/Security admin who normally handles this and it's been many years since I dealt with it.

    We have a legacy AD domain name (company.local) that was created back when it was standard practice not to use the same domain as your public DNS or other valid root domain name. Our Windows NPS is named radius.company.local, and it has a cert issued by our AD CA. Now that WPA3 is being enforced on Pixel devices, we can no longer auth them over WiFi via RADIUS since our CA isn't trusted.

    I understand I can get a cert from a trusted root CA (we use DigiCert), but what SN would I use? I can't get a cert for radius.company.local, and if I got one for our public domain (like wifi.company.com) wouldn't it fail because the server is reporting as radius.company.local?

    We do have a wildcard cert for the public domain but it didn't work, and there's plenty of pages out there saying MS NPS really hates using them. So I'm at the point of just buying a single cert for this but can't wrap my brain around what SN to put in the certificate request.

    My guess is something like this:

    Subject Name

    Common Name: wifi.company.com

    OU: IT

    Organization: Company Name

    Locality: City

    State: State

    Country: US

    Alternative Name

    wifi.company.com

    Since this is going to be public I don't want to use my company.local domain, correct? Would I need to add a public DNS entry for wifi.company.com?

    If I'm in the wrong sub please msg me or post it here so I can go there instead.

    submitted by /u/Cyberman88
    [link] [comments]

    [HELP] Commercial Wifi Setup for a Hotel?

    Posted: 15 Jul 2021 04:20 PM PDT

    So I'm new to all this but trying quite hard to help out a friend.

    He's not technologically literate so it's all on me. And I suck at networking so here I am!

    Building: 3 Story Hotel

    Clients: Guests using wifi to stream internet/media, can throttle

    ISP Plan: 25mb

    Current Setup:

    Main router on 1st floor at front desk, connects to 2 different extenders on ceiling of 2nd floor.

    On first floor signal is strong, but extenders are doing a bad job despite me going in multiple times for config. I set up WPA2 (open network before) and passwords. During the setup the extender had a 50% connection rate to the 1st floor wifi. It constantly drops/breaks and requires manual restarts. Guests who are at the ends of the building get no connectivity whatsoever.

    Requirements:

    • Strong wifi signal throughout entire building
    • Secure, prevent any malicious torrenting/illegal stuff if possible

    My naive understanding so far is that I'd need to buy new routers/extenders and place them on the 2nd or 3rd floor. Hopefully if I can get away with 1 per floor by placing them in the middle or if I can place 2-3 on 2nd and have their range reach the 3rd floor that'd be great.

    What kind of commercial router/extenders would I need? What is the best way to solve my use case?

    submitted by /u/CorruptHope
    [link] [comments]

    Dumb problem with STP/MST. Am I doing this wrong?

    Posted: 14 Jul 2021 06:43 PM PDT

    So I have a medium-ish sized network (~30 sites) in a semi-mesh fiber topology. I'm trying to migrate from my predecessor's design of "stretch all the vlans, STP all the things" to a routed OSPF underlay with VXLAN overlay. In the meantime, I'm part way through migration and having an unexpected issue: MST is blocking my OSPF peering vlans.

    Sample config:

    switch 1 port1 <----> switch 2 port 1
    switch 1 port2 <----> switch 2 port 2

    #Switch 1:
    int 1/1/1
        vlan trunk allow 1,10
    int 1/1/2
        vlan trunk allow 1,20
    int vlan 10
        ip address 10.10.10.1/24
    int vlan 20
        ip address 10.20.20.1/24
    spanning-tree
    spanning-tree priority 0
    spanning-tree mst 10 vlan 10
    spanning-tree mst 10 priority 0
    spanning-tree mst 20 vlan 20
    spanning-tree mst 20 priority 0

    #Switch 2:
    int 1/1/1
        vlan trunk allow 1,10
    int 1/1/2
        vlan trunk allow 1,20
    int vlan 10
        ip address 10.10.10.2/24
    int vlan 20
        ip address 10.20.20.2/24
    spanning-tree
    spanning-tree mst 10 vlan 10
    spanning-tree mst 20 vlan 20

    Now, it is my expectation that:

    • vlan 1 would be permitted on all ports
    • vlan 1 is a member of mst instance 0 (default)
    • mst instance 0 should be designated on both ports of switch1
    • mst instance 0 should be root on port 1/1/1 of switch 2
    • mst instance 0 should be blocking/alternate on port 1/1/1 of switch 2

    (all of the above statements appear to match what I see in the running switches)

    Further, it is my expectation that:

    • vlan 10 would be permitted on 1/1/1 of both switches
    • vlan 10 is a member of mst instance 10, of which instance 10 on switch 1 should be root
    • vlan 10 should be a designated port on 1/1/1 of switch 1 and root port on 1/1/1 of switch 2
    • vlan 10 should not be fundamentally capable of blocking anywhere, as it only exists on 2 ports.

    (all of the above statements appear to match what I see in the running switches)

    Further, it is my expectation that:

    • vlan 20 would be permitted on 1/1/2 of both switches
    • vlan 20 is a member of mst instance 20, of which instance 20 on switch 1 should be root
    • vlan 20 should be a designated port on 1/1/2 of switch 1 and root port on 1/1/2 of switch 2
    • vlan 20 should not be fundamentally capable of blocking anywhere, as it only exists on 2 ports.

    This is where the problem lies:

    Vlan 20 is blocking/alternate on port 1/1/2 of switch 2.

    Is my config wrong, or is my understanding of MST operation wrong?

    I am trying to build a set of OSPF routed point-to-point links using vlan 10, vlan 20 between these two switches so that I can remove vlan 1 from both links, create a vxlan SVI routed between the two switches, and bridge vlan 1 from switch to switch over a routed vxlan, rather than using STP to block these two routed links.

    Thoughts? other config or output that would help?

    submitted by /u/asdlkf
    [link] [comments]
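    Added example (not from the post above or from any vendor): before reasoning about per-instance port roles, it is worth confirming that the two switches are actually in the same MST region, because a bridge that sees a different region on a link runs only the CIST across it, and then every VLAN on that link follows instance 0's port state regardless of its own instance. A region is identified by name, revision and the configuration digest, an HMAC-MD5 over the 4096-entry VID-to-MSTID table with the fixed key from IEEE 802.1Q clause 13.7. The code below recomputes that digest from the "spanning-tree mst N vlan ..." lines in the post; the region name and revision are not shown in the post and are assumed empty/0, and the "drifted" switch 2 config is a hypothetical one with the VLAN 20 mapping missing.

```python
import hashlib
import hmac
import re

# HMAC-MD5 key for the MST Configuration Digest (IEEE 802.1Q clause 13.7, from 802.1s).
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def parse_mst_map(config_text):
    """Collect 'spanning-tree mst <id> vlan <list>' lines into a {vid: msti} map.

    Comma lists and ranges ('vlan 10,20-25') are accepted. VIDs not mentioned
    stay in the CIST (instance 0), which is also what the switch assumes.
    """
    vlan_to_msti = {}
    for match in re.finditer(r"spanning-tree mst (\d+) vlan ([\d,\-]+)", config_text):
        msti = int(match.group(1))
        for part in match.group(2).split(","):
            lo, _, hi = part.partition("-")
            for vid in range(int(lo), int(hi or lo) + 1):
                vlan_to_msti[vid] = msti
    return vlan_to_msti


def mst_config_digest(vlan_to_msti):
    """Digest over the 4096-entry VID -> MSTID table, two big-endian octets per entry.

    Entries 0 and 4095 are reserved and stay 0; unmapped VIDs are MSTID 0 (CIST).
    """
    table = bytearray(4096 * 2)
    for vid, msti in vlan_to_msti.items():
        if not 1 <= vid <= 4094 or not 0 <= msti <= 4094:
            raise ValueError(f"VID {vid} / MSTI {msti} out of range")
        table[2 * vid:2 * vid + 2] = msti.to_bytes(2, "big")
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).hexdigest().upper()


def region_id(name, revision, config_text):
    """The three values that must be identical for two bridges to share an MST region."""
    return (name, revision, mst_config_digest(parse_mst_map(config_text)))


def same_region(a, b):
    return a == b


# Taken from the post: both switches map VLAN 10 -> MSTI 10 and VLAN 20 -> MSTI 20.
SWITCH1 = """
spanning-tree
spanning-tree priority 0
spanning-tree mst 10 vlan 10
spanning-tree mst 10 priority 0
spanning-tree mst 20 vlan 20
spanning-tree mst 20 priority 0
"""

SWITCH2 = """
spanning-tree
spanning-tree mst 10 vlan 10
spanning-tree mst 20 vlan 20
"""

# Hypothetical: switch 2 with the VLAN 20 mapping forgotten.
SWITCH2_DRIFTED = """
spanning-tree
spanning-tree mst 10 vlan 10
"""

if __name__ == "__main__":
    for label, cfg in (("switch1", SWITCH1), ("switch2", SWITCH2), ("switch2-drifted", SWITCH2_DRIFTED)):
        print(label, region_id("", 0, cfg)[2])
    print("default (every VLAN in the CIST):", mst_config_digest({}))
```

    The empty mapping reproduces the digest every MSTP bridge shows with a factory configuration (AC36177F...), which is a quick way to confirm the key and table layout against "show spanning-tree mst configuration" output. The check is deliberately narrow: equal digests only prove both bridges agree on the region; they say nothing about priorities or which port each instance blocks.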

    Alternative switches to Ubiquiti EdgeSwitch with OSPF features?

    Posted: 15 Jul 2021 01:17 PM PDT

    I'm looking to replace some ~20 year old Cisco Catalyst 3750G-24T switches that are on their last legs. Use case is two access switches in a single rack in a remote colo serving mostly HTTP web traffic and some minimal video streaming.

    Details:

    • 1G access and uplinks. 10G not required but I would really want LACP support.
    • RJ45 preferred but SFP is okay too.
    • serial console port.
    • L3 routing with OSPF. I could potentially get by with another routing protocol but static routing won't cut it.
    • Not super tiny buffers.
    • A hardware warranty would be nice but I don't need an active support contract.
    • I'm okay buying used.
    • Full non-blocking forwarding and switching capacity.
    • Lower power usage, if possible.
    • Targeting $300/switch (sans optics) but I'm flexible on price (I know that's really pushing it).

    I was looking at Ubiquiti EdgeSwitch 24 Lite but that unfortunately seems to only support static routing and the buffers are on the small side otherwise that would be a great fit. Anyone have recs for another switch platform that could potentially fit my criteria?

    submitted by /u/Spoonolulu
    [link] [comments]

    SD-WAN vs Site-to-Site VPNs

    Posted: 15 Jul 2021 12:41 PM PDT

    What is the difference? Forgive me, I'm SD-WAN stupid, and haven't had the opportunity to work on, training on, or evaluate an SD-WAN solution.

    What are the benefits of SD-WAN versus site-to-site VPN connections?

    (The amount of marketing BS out there about how SD-WAN will fundamentally change your life and solve world hunger is aggravating for someone trying to stay up-to-date on what's going on in networking.)

    submitted by /u/ip_addr
    [link] [comments]

    Cisco ISE 2.7 Patch 4 June 11, 2021

    Posted: 15 Jul 2021 12:11 PM PDT

    Anyone use the new Patch for 2.7? If not I'll be sure to report back. (My management wants me to patch this month).

    submitted by /u/vendor_fluid_nw_tech
    [link] [comments]

    Cisco EA Partnership

    Posted: 15 Jul 2021 12:06 PM PDT

    Hi there, hoping someone can help. We are evaluating different partners for an upcoming Cisco EA. From your experience, what have different partners done/ or maybe haven't done, that made your Cisco EA easier/ harder to manage?

    I have a couple good partners, one in particular, that I think would take feedback or these key points and work with it, so any advice or gotchas I should look for will be greatly appreciated as this is a huge undertaking for our organization.

    submitted by /u/Fair-String-127
    [link] [comments]

    Business using public IP range for local network

    Posted: 15 Jul 2021 12:00 PM PDT

    Hi everyone, I was asked to help regarding an issue a friend of mine has with his internal business network. Networking is not my forte, but I can understand some basic stuff.

    Their network was created a while ago, more than 15 years ago, and they used a public IP range (1.0.0.X). That range resolves in Australia from what I see, but we are in Canada.

    When people are 'inside' the business, either wired or wireless, everything seems 'fine' in a sense that all their tools (NAS, inventory network software, firewall, etc.) works, they can all be reached with their IP address since it's local and the firewall knows it, from what I understand.

    The issue comes from people outside the business, connecting to the VPN and trying to access local services (the ones I named earlier) via their IP addresses, sometime it works, sometime it doesn't, it's like if the computer is dancing between the local service and Australia, all this while connected to VPN.

    The weird thing is this: each IP address seems to be independent.

    Take this: on their network, there's 4 network devices, let's pretend. 1.0.0.1 to 1.0.0.4, when making a tracert to all those 4 IPs, I get many hops, always heading to an IP located in Australia. But when I connect to VPN and make the same tracert, some will directly point to the local network device (one hop) and the other will give many expired hops, until it reaches 30 or so, then it stops. So some services work temporarily and others don't. I thought the whole range would either work or not.

    Apart from changing the range of the internal network, is there something to be done about it ? Is there something I can do to make sure all those services (IP) works as intended when VPN is on instead of trying to reach something in Australia or so ?

    Thanks a lot everyone.

    submitted by /u/pplante19
    [link] [comments]
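    Added example, not part of the post or a diagnosis of that particular VPN: when a client has the VPN up, each destination is resolved independently by longest-prefix match against the client's route table, so "some hosts go down the tunnel and some go to the Internet" is exactly what you get when the VPN pushes host routes for only some of the internal devices and the rest fall through to the default route toward whoever really announces 1.0.0.0/8. The table below is constructed to show that, together with the fix of pushing the whole internal prefix; on a real client the same question is answered by "ip route get 1.0.0.2" (Linux) or "route print" (Windows).

```python
import ipaddress


def best_route(routes, destination):
    """Longest-prefix match over (prefix, egress) pairs; None if nothing matches."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, egress in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best


def egress_for_hosts(routes, hosts):
    """Map each host to the egress chosen by the longest matching prefix."""
    result = {}
    for host in hosts:
        match = best_route(routes, host)
        result[host] = match[1] if match else None
    return result


# Constructed route table of a remote worker with the VPN up. The VPN client has
# pushed host routes for only two of the four internal devices.
VPN_UP = [
    ("0.0.0.0/0", "isp-default"),      # everything else leaves via the home ISP
    ("192.168.1.0/24", "home-lan"),
    ("1.0.0.1/32", "vpn-tunnel"),      # NAS
    ("1.0.0.3/32", "vpn-tunnel"),      # firewall
]

# Same table once the VPN pushes the entire internal prefix instead of host routes.
VPN_UP_FIXED = [r for r in VPN_UP if not r[0].startswith("1.0.0.")] + [("1.0.0.0/24", "vpn-tunnel")]

INTERNAL_HOSTS = ["1.0.0.1", "1.0.0.2", "1.0.0.3", "1.0.0.4"]

if __name__ == "__main__":
    print("host routes only:", egress_for_hosts(VPN_UP, INTERNAL_HOSTS))
    print("whole /24 pushed:", egress_for_hosts(VPN_UP_FIXED, INTERNAL_HOSTS))
```

    The security point is the one the question hints at: while 1.0.0.0/24 is used internally, any client without a matching tunnel route sends that traffic, in the clear, to a network the business does not control. Pushing the prefix into the tunnel papers over it for VPN users; renumbering into RFC 1918 space is the actual fix.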

    Why do I not see all traffic in ASA Real Time Viewer?

    Posted: 15 Jul 2021 11:46 AM PDT

    Ping traffic just for example. I can ping from my hot site to cold site successfully and 2 ASAs are in between, yet real time viewer never picks up a single ping.

    If i do a show run logging:

    Result of the command: "show run logging"

    logging enable

    logging standby

    logging console debugging

    logging buffered debugging

    logging trap alerts

    logging asdm debugging

    logging host ****** 158.56.1.152

    logging class auth trap informational

    logging class config trap informational

    As you can see, ASDM is set to debugging, so shouldn't it see every and all traffic that passes the firewall? What am I missing?

    submitted by /u/Little-Body4115
    [link] [comments]
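    Added example, not from the post: the ASA does not log packets, it logs syslog messages, and each destination in "show run logging" only receives messages whose severity is at or below that destination's level, with "logging class" entries overriding the level for one message class at one destination. The code models that filter for the configuration quoted above (the syslog host's interface name is redacted in the post and assumed to be "inside" here) against a handful of well-known message IDs whose severities and classes come from the ASA syslog message guide. Whether a given message is generated at all (for example, the ICMP connection messages depend on how ICMP is inspected) is a separate question this does not model; "capture" on the box is the tool for seeing actual packets.

```python
# Cisco ASA syslog severities as used by 'logging <destination> <level>'.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}
DESTINATIONS = ("console", "monitor", "buffered", "trap", "asdm", "mail", "history")

# Constructed lookup of a few message IDs: (default severity, logging class, meaning).
CATALOG = {
    302020: (6, "session", "Built ICMP connection"),
    302021: (6, "session", "Teardown ICMP connection"),
    106023: (4, "session", "Deny by access-group"),
    113004: (6, "auth", "AAA user authentication successful"),
    111008: (5, "config", "User executed the command"),
}


def parse_logging_config(text):
    """Parse 'show run logging' into destination levels, per-class overrides and syslog hosts."""
    cfg = {"enabled": False, "levels": {}, "class_levels": {}, "hosts": []}
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) < 2 or parts[0] != "logging":
            continue
        if parts[1] == "enable":
            cfg["enabled"] = True
        elif parts[1] == "host" and len(parts) >= 4:
            cfg["hosts"].append((parts[2], parts[3]))           # (interface, syslog server)
        elif parts[1] == "class" and len(parts) >= 5 and parts[4] in SEVERITY:
            cfg["class_levels"][(parts[2], parts[3])] = SEVERITY[parts[4]]
        elif parts[1] in DESTINATIONS and len(parts) >= 3 and parts[2] in SEVERITY:
            cfg["levels"][parts[1]] = SEVERITY[parts[2]]
    return cfg


def destinations_for(cfg, message_id):
    """Set of destinations that would receive this message under the parsed config."""
    severity, msg_class, _ = CATALOG[message_id]
    if not cfg["enabled"]:
        return set()
    received = set()
    for dest, level in cfg["levels"].items():
        # 'logging class <class> <dest> <level>' replaces the destination's level for that class.
        threshold = cfg["class_levels"].get((msg_class, dest), level)
        if severity <= threshold:
            received.add(dest)
    return received


# The configuration quoted in the post, with the redacted interface assumed to be 'inside'.
SHOW_RUN_LOGGING = """
logging enable
logging standby
logging console debugging
logging buffered debugging
logging trap alerts
logging asdm debugging
logging host inside 158.56.1.152
logging class auth trap informational
logging class config trap informational
"""

if __name__ == "__main__":
    cfg = parse_logging_config(SHOW_RUN_LOGGING)
    for msg_id, (sev, cls, text) in CATALOG.items():
        print(f"{msg_id} (sev {sev}, class {cls}, {text}): {sorted(destinations_for(cfg, msg_id))}")
```

    Run against the post's config, the ICMP connection messages (302020/302021, severity 6) do reach ASDM, the console and the buffer, but never the syslog server, because "logging trap alerts" only forwards severity 1 and below and the only class overrides are for auth and config. From a detection standpoint that is the more important finding: the SIEM behind 158.56.1.152 sees authentication and configuration events but no connection or ACL-deny (106023, severity 4) events at all.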

    Hardware recommendations for software routers?

    Posted: 15 Jul 2021 11:14 AM PDT

    Is there a canonical reference on how to select hardware for software routers? Or any kind of decent documentation on what the best practices and trade-offs are from one architecture to another?

    Even with the advent of kernel offload forwarding I assume the choice of hardware will have a material impact when interface speeds are 10G and above.

    Off the top of my head here are a few questions about selecting hardware:

    • Intel or AMD. Intel is referenced a lot, but does this necessarily mean that AMD CPUs should be dismissed out of hand?
    • How much is performance tied to CPU generation and/or model?
    • CPUs should be evaluated on base frequency. Should turbo boost always be disabled?
    • Given the choice between more cores or more GHz, which is the optimal choice? Assuming that two CPU cores for the control plane and one CPU core per interface have already been allocated.
    • Only use server CPUs or also look at consumer CPUs? Referring to the previous question, as consumer CPUs can have higher base frequency.
    • Should CPU cache sizes and/or types influence the choice of CPU?
    • What kind of memory is best? Fastest, ECC or non-ECC, etc.?
    • How much memory is "enough"?
    • How many PCI lanes do I need? Enough to feed all the NICs or is there any benefit to excess capacity?
    • Does the choice of motherboard affect performance?
    • Does the NIC vendor matter?
    • Is it better to bond 10G/25G ports or use NICs with 100G ports?
    • Something else I'm missing completely?

    I'm tagging a few redditors who have previously posted about software routers in the hope that they will share experiences and tips.

    u/gonzopancho, u/Jammy_Stuff, u/Cheeze_It, u/error404, u/Enrage, u/amaralarama, u/FidelityFM

    submitted by /u/Ftth_finland
    [link] [comments]

    Need help understanding F5 and exchange azure cloud modern auth deployment with CAS servers..?!

    Posted: 15 Jul 2021 10:57 AM PDT

    I need some input on this f5 deployment I am working on.

    They currently use the normal APM AD auth (with AD query) for exchange, ActiveSync, /owa, etc.

    This is the flow and diagrams, I am unable to find any similar deployment guides from f5 online.

    I found this thread on Reddit asking about a similar config - https://www.reddit.com/r/networking/comments/258k7g/office_365_hybrid_deployment_with_f5_ltms/

    MS vendor guys have also mentioned o365 cannot support SSL offloading, in which case I believe f5 can only work as an LTM load balancer for the CAS servers, however, we want to know what other options are available so we can have some control of the traffic on the f5 instead of letting the traffic directly hit the CAS servers.

    Has anyone tried something similar or can share some best practice suggestions?

    Flow and Diag:

    https://i.imgur.com/5BwqnPF.png

    1. The F5 APM will redirect the request to CAS Servers Pool. F5 at this stage should not do SSL Offloading or Present an NTLM Challenge.

    2. The CAS Server will reject the request with 401 Unauthorized Error Response. However, will ask the client to authenticate against Azure Authentication Services [EVO STS and Azure AD].

    3. Client will directly reach the Azure using the Public Internet and request the Token. At this time Azure will Encrypt the credentials and perform a Pass-Through Authentication.

    4. Upon successful validation of credentials from the Local Active Directory. Azure will return an access token to the client.

    5. Client will make another Autodiscover request with the new token.

    6. F5 will again redirect the request to Exchange CAS Server. CAS will Accept the Token as it is OAuth relationship [Federation Trust] setup during OAuth Configuration through the IntraOrganization Connector.

    7. User will get authenticated and fetch the Autodiscover XML and get connected to the corresponding Mailbox Server.

    https://i.imgur.com/gwHo8FT.png

    submitted by /u/thenetworkking
    [link] [comments]

    Post Network Upgrade Cabling

    Posted: 15 Jul 2021 08:38 AM PDT

    I work for a large hospital (20K+ staff). I recently completed a network replacement project in our adult inpatient building. The closets were a disaster, with some where you'd look and go, hey, there's the chassis behind all those cables. With only a 4 hour change window it was difficult to replace all of the connections with appropriate length cables, but when we finished they looked amazing. Butterfly on some chassis (where we could) or funneled all in from the cable management side on the corresponding blade to make replacement of a failed line card quick and painless. Velcro to hold the cables in place. As with any upgrade you have the potential to miss some connections, so you can imagine my face when I walked into a closet and good old device support had already started running cables straight up from below the 10 slot chassis (some patch panels are below where we had to rack the chassis) up to the 2nd blade. For those that do depreciated network replacement of the hardware, do you take the time to cable in a tidy manner? Does your staff who has access to the comm closet follow good cable management practices? It would be great if we had like an activation team where only a select few individuals had access to the comm closet, but that isn't the case.

    submitted by /u/Chr0nics42o
    [link] [comments]

    Anyone accomplished micro segmentation in a Hyper-V environment?

    Posted: 15 Jul 2021 08:31 AM PDT

    I'm currently evaluating SDNv2 in a SCVMM configuration. So far it has been bug after bug in the deployment of SDNv2.

    VMware NSX is a fully fleshed out product. I'm looking for an equivalent option so that I can offer the same level of SDN configuration in a Hyper-V environment. Has anyone accomplished micro segmentation in a Hyper-V environment? I'm willing to look at third party vendors who can offer NSX level config.

    We have three datacenters with around 3k VMs at each DC that need to be containerized individually through a SDN solution.

    submitted by /u/kingkanga
    [link] [comments]

    (SonicWALL) Pinging WAN interface from LAN. Help understand why this solution works? (x-post from r/sonicwall)

    Posted: 15 Jul 2021 10:10 AM PDT

    I know by default/design, pinging one interface IP from behind another interface is not allowed. I was able to get this working by following the instruction in this support article: https://www.sonicwall.com/support/knowledge-base/ping-or-access-the-interface-ip-using-a-host-connected-to-another-interface/170505874136212/

    I don't really understand why this works though and I'm hoping someone can help me understand. The NAT rule described in the article translates the original destination (X1 - WAN) to X0 instead. To me, this seems like it sees the destination of the X1 interface and sends the traffic to the X1 interface instead, in effect pinging the LAN interface instead of the desired WAN interface.

    However, packet monitor does show echo replies being generated from the X1 WAN IP.

    Can someone please help clarify what is happening here?

    submitted by /u/MScoutsDCI
    [link] [comments]

    Which CDN WAF/DDoS protection service for publishing web sites from on-prem?

    Posted: 15 Jul 2021 07:28 AM PDT

    We've been pretty much "on-prem" but now we have a few services that need to be published to users on the internets. Previously we've had a DMZ and tried to limit everything from DMZ to the internal network, but as the demand is growing I'm thinking we should get something more advanced.

    Something that could block the basic exploits and DDoS's, as we run software that we've not developed ourselves and can't be sure how secure it is... For some software we would like to limit the URL in HTTP request that is allowed as we know what the allowed URLs are (not sure if this is reasonable to do?)

    As we're a pretty MS house, Azure is of course one of the options (App Gateway + WAF?), but how about Cloudflare, Fastly or this Prophaze I just Googled?

    We're not really looking for the "global distributed CDN features", rather ways to protect our web servers (some of them are IIS...) and web software.

    One option is to use FortiADC/F5 BIG-IP/Citrix ADC which we use today, but those would be only for the WAF part and not the DDoS part as we have only couple gigabits worth of internet capacity.

    submitted by /u/PublicSectorJohnDoe
    [link] [comments]
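    Added example (not from the post, not any product's rule syntax): the "only allow the URLs we know" idea from the post is reasonable and is the cheapest control in front of third-party software, but it only works if the path is canonicalised before it is compared, otherwise "/owa/%2e%2e/ecp/" or "/OWA/" walk straight past a rule written for "/owa/". The code below is a small method+path allow-list that decodes once, refuses anything still encoded (double encoding), resolves dot segments, and compares case-insensitively because IIS resolves /OWA/ and /owa/ to the same application. The allow-list entries and request targets are constructed for the example.

```python
import posixpath

# Constructed allow-list: (method, path). A path ending in '/' permits everything
# below it; any other path must match exactly.
ALLOWED = [
    ("GET", "/owa/"),
    ("POST", "/owa/"),
    ("GET", "/api/v1/orders"),
    ("POST", "/api/v1/orders"),
]


def percent_decode(text):
    """Decode %XX sequences once, leaving malformed ones in place so they can be rejected."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "%" and i + 2 < len(text) + 0 and all(c in "0123456789abcdefABCDEF" for c in text[i + 1:i + 3]):
            out.append(chr(int(text[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def normalize_path(raw_target):
    """Canonical path for an origin-form request target, or None if it looks hostile.

    Strips the query/fragment, decodes percent-encoding exactly once, then rejects
    anything still encoded (double encoding), NUL bytes and backslashes, and finally
    resolves '.', '..' and repeated slashes so '/owa/%2e%2e/ecp' compares as '/ecp'.
    """
    path = raw_target.split("?", 1)[0].split("#", 1)[0]
    decoded = percent_decode(path)
    if "%" in decoded or "\x00" in decoded or "\\" in decoded:
        return None
    if not decoded.startswith("/"):
        return None
    normalized = posixpath.normpath(decoded)
    # normpath keeps a leading '//' (POSIX allows it); for URL matching it is just '/'.
    return "/" + normalized.lstrip("/")


def is_request_allowed(method, raw_target, rules=ALLOWED, case_insensitive=True):
    """True only if (method, canonical path) matches one allow-list rule."""
    path = normalize_path(raw_target)
    if path is None:
        return False
    if case_insensitive:
        path = path.lower()
    method = method.upper()
    for rule_method, rule_path in rules:
        if rule_method != method:
            continue
        rp = rule_path.lower() if case_insensitive else rule_path
        if rp.endswith("/"):
            if path == rp.rstrip("/") or path.startswith(rp):
                return True
        elif path == rp:
            return True
    return False


if __name__ == "__main__":
    for method, target in [("GET", "/owa/auth/logon.aspx?url=x"), ("GET", "/OWA/auth/logon.aspx"),
                           ("GET", "/owa/%2e%2e/ecp/"), ("GET", "/owa/%252e%252e/ecp/"),
                           ("POST", "/api/v1/orders"), ("DELETE", "/api/v1/orders")]:
        print(f"{method} {target}: {'allow' if is_request_allowed(method, target) else 'deny'}")
```

    This is a path allow-list, not a WAF: it says nothing about request bodies, headers or rate, and it does nothing for volumetric DDoS, which is the part the post rightly notes a couple of gigabits of transit cannot absorb on its own. Wherever it ends up (ADC, reverse proxy, or the same rule expressed in a hosted WAF), the canonicalise-then-compare order is the part to get right.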

    Ipsec not working with organisation issued certs, works with self signed certs, strongswan

    Posted: 15 Jul 2021 12:11 AM PDT

    I've set up an ipsec connection in Linux using strongswan transport mode so that users can remotely connect into the network; it's set up so that traffic is in transport mode and uses certificate as well as eap authentication to connect.

    When I use self signed certs from the server, and pass the ca over to my device connecting, it lets me connect no problem; however, when I use my root ca for my organisation as well as my own p12 as well as some certs and keys for the server, it doesn't let me connect remotely.

    Unfortunately there is nothing in the logs with debug on; there is one thing moaning about NAT, however I've tried putting the server on the same network with no natting and the same issue persists where self signed works and root ca doesn't.

    Any tips? Thanks

    submitted by /u/Ill_Watercress5047
    [link] [comments]

    Changing IP Helper Woes

    Posted: 15 Jul 2021 08:26 AM PDT

    Using Extreme IQ as our wireless controller, L3 switch and core switch are Cisco Catalyst 4500X. I change the IP helper for a VLAN that is used for addresses for our APs and they get an IP address from the new DHCP server, but cannot connect to the AP controller or be pinged from the core switch. The scope was copied directly from our current DHCP server to the new one. I've tried clearing arp cache on core switch and L3 but that did not allow connectivity.

    Any suggestions on what direction to take? Thank you!

    submitted by /u/ruralconnection
    [link] [comments]

    UDP loss - Arista 7150

    Posted: 15 Jul 2021 05:29 AM PDT

    Hi All,

    I have 2 x Arista 7150s in play.

    TCP traffic is fine, but when i try to pass UDP traffic i get tons of packet loss.

    The set up i have is 1000mb forced on 1GB SMF SFP both sides.

    When I place a media converter between them, I can hardcode speed down to 100MB and voilà, the packet loss is gone with UDP.

    (i can not hardcode the 1GB SFP down to 100MB, nor have i had to in the past).

    Any ideas on a solution around this without the media converters?

    submitted by /u/yusuklol
    [link] [comments]

    What's your Linux distribution of choice for DevNet?

    Posted: 14 Jul 2021 10:21 PM PDT

    Just trying to see where I should start learning.

    submitted by /u/iwasanacidbaby
    [link] [comments]

    Switching

    Posted: 15 Jul 2021 07:11 AM PDT

    I just started working in a distribution facility with 50+ desktops on the plant floor. My manager is on vacation this week, go figure, and I am tasked to deploy another unit with domain access. I have a need to use an existing connection from the switch that runs to the plant floor. It is right beside another desktop that has domain access, plugged into a double-gang wall plate. Thinking the other port would be hot, I had the desk moved and everything powered on, but I don't get any signal from the other port.

    I have a PoE switch that was used in another office, and I think it was plugged into our general network. I want to use this switch here for this purpose. In my training this is a huge no no, as it could cause switching loops, but I know it was used in another office for a similar purpose. Can anyone talk me out of using this PoE switch for this purpose? I would have to find out if the Cisco switches are running STP I would expect, which I could do hopefully by the end of the day.

    Help Reddit!

    submitted by /u/protocoLgo
    [link] [comments]
