
    Sunday, September 19, 2021

    VTP - questions and tips. Networking

    VTP - questions and tips.

    Posted: 19 Sep 2021 08:52 AM PDT

    Hi all. So I just started at a major company which has several big sites. On average it's about 60 switches per site and about 500 sites geographically (big tech company).

    I've been tasked with a "LAN-upgrade" of several of these sites, and when I check configuration I see some VTP configuration. To be honest, I don't remember much of it (other than from school) and CBT Nuggets (with Jeremy Cioara), but I just wanted to confirm some statements and then how I should go about it.

    So from what I understand is this (you can just answer yes/no on these statements):

    1. The highest VTP revision number gets to be the master for the database, EVEN if the VTP mode is in client mode. So say for example you got a couple of core switches which are the servers, but then you go and get an old switch with a higher revision number, and even if this one is in client mode, those VLANs will be the only ones in that VTP domain.
    2. VTP server is the default mode.
    3. All switches start with revision 0.
    4. VTP revision number remains even if the configuration is reset (side question; how do you remove the VTP revision number?).
    5. There are three VTP modes:
       • Server: Server can change VLAN information (such as add/delete). Server sends and receives VTP updates. The server saves the VLAN configuration.
       • Client: Cannot change VLAN information. If you try to configure a VLAN, you get an error message saying you can't. It sends and receives VTP updates, but it does not save the VLAN configuration.
       • Transparent: Can change VLAN information (like adding a VLAN). It does not listen to VTP advertisements. It saves the VLAN configuration.
    6. There is no way to turn off VTP. But it's essentially what the VTP mode transparent command does, even though it passes VTP updates.

    And my questions are:

    1. Can you actually turn off VTP?
    2. Does Cisco recommend having VTP turned off?
    3. Is there any version of VTP that is considered "safe"?
    4. If your environment was quite static, in other words, not so many VLANs are introduced, but the burden is more to add/remove ports in different VLANs, would you bother with VTP?
    5. What differs between VTP v.1, VTP v.2 and VTP v.3? Do all of them require domain-name and password to pass VLAN configuration?

    And the last thing I want your input on is this:

    I'm going to add a new switch to a network where almost every switch is in VTP transparent mode. Is there any way I can mess this up, if I also put my switch in VTP transparent mode? The old switches are mainly 2960 and the new switch is a 9320 (which supports VTP v.3, but the old switches do not support that, from what I understand).

    So even if the switch were to have a higher revision number, the fact that it's transparent makes it safe to use. I also noted that the VTP transparent configuration shows in the show run output.

    If you've got other tips or tricks to share with me, I'd be happy to hear them. VTP was always something I heard wasn't widely used, and since I only worked with Extreme Networks for 5+ years, I don't have much knowledge about VTP.

    Thanks a lot for your help and input on this.

    submitted by /u/Mihdrin
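As an added example (not code from the post, from Cisco, or from the original page), here is a small Python model of the VTP v1/v2 revision-number behaviour described in statements 1 and 5 of the post, usable as a pre-change check before cabling a switch into a domain. Switch names, VLAN numbers and the domain name are made up.

```python
from dataclasses import dataclass, field

@dataclass
class Switch:
    name: str
    mode: str                        # "server", "client" or "transparent"
    revision: int = 0
    vlans: set = field(default_factory=set)
    domain: str = "CORP"             # constructed VTP domain name

    def receive(self, domain, rev, vlans):
        """Apply a summary advertisement; return True if the local VLAN
        database was overwritten. Transparent switches ignore VTP data
        (they only forward advertisements on their trunks)."""
        if self.mode == "transparent" or domain != self.domain:
            return False
        if rev > self.revision:      # the higher revision wins, client or not
            self.revision, self.vlans = rev, set(vlans)
            return True
        return False

def add_vlan(sw, vlan):
    """Local VLAN change: a client refuses, a server bumps the revision,
    a transparent switch edits only its own database."""
    if sw.mode == "client":
        raise PermissionError(f"{sw.name}: VTP client cannot create VLANs")
    sw.vlans.add(vlan)
    if sw.mode == "server":
        sw.revision += 1

def flood(fleet, origin):
    """Flood origin's advertisement across the domain; return the names of
    the switches overwritten. Servers and clients both originate summary
    advertisements, transparent switches never do."""
    if origin.mode == "transparent":
        return []
    return [s.name for s in fleet if s is not origin
            and s.receive(origin.domain, origin.revision, origin.vlans)]

def connect_new_switch(mode, revision):
    """The post's scenario: an in-sync core server and access client at
    revision 5, plus a newcomer at the given mode and revision carrying
    only VLAN 99. Returns (overwritten names, core VLANs, core revision)."""
    core = Switch("core1", "server", 5, {10, 20, 30})
    access = Switch("acc1", "client", 5, {10, 20, 30})
    newcomer = Switch("new", mode, revision, {99})
    overwritten = flood([core, access, newcomer], newcomer)
    return overwritten, core.vlans, core.revision
```

Running `connect_new_switch("client", 42)` wipes the core's VLANs even though the newcomer is a client, while `connect_new_switch("transparent", 42)` leaves the domain untouched.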

    SMB UTM firewall

    Posted: 19 Sep 2021 09:29 AM PDT

    If this post doesn't fit the subreddit rules, kindly delete it.

    In a corporate or enterprise network, or for someone with "a big budget", I'd recommend a UTM firewall such as FortiGate or Palo Alto. What are some other options for a small business?

    Requirements:

    5-20 users

    50Mb internet traffic

    2-7 IPSEC VPN (nothing intensive)

    VLANS

    UTM features such as application control, web filter, antivirus (or block known botnets or botnet IPs)

    A license subscription is OK as long as it's not as expensive as FGT or Palo.

    It's been years since I tried pfSense or Untangle. What are other possible options?

    submitted by /u/taken_velociraptor

    Anyone running Nexus 7000's without vPC to FEX's?

    Posted: 19 Sep 2021 02:48 PM PDT

    Hello,

    Is anyone here running a distribution layer with 2 x N7K's, without vPC'ing to downstream FEX's and access switches?

    I am having some exciting times after migrating from 6500's to 7000's (SUP2E, F2e to FEX, M2 to core, 8.4(3)).

    I am having ARP problems, i.e. ARP will be lost for devices that are single-homed; i.e. devices linked to 7K-A will randomly stop being accessible from systems that are multihomed. This seems to mostly affect devices using ISRs (hanging off 7K-A) for NAT.

    I can describe it further and in perfect technical detail, but I want to get some feedback first to see if anyone is actually running 7K in this group.

    thanks for all

    submitted by /u/evs9000

    Is Anyone Using GETVPN?

    Posted: 19 Sep 2021 04:39 PM PDT

    I'm starting to research replacements for DMVPN. If there is one. And GETVPN has really piqued my interest.

    1. Am I correct in understanding that it only uses IKE for KS and GM communication? And then establishes the IPsec tunnel. So essentially it only has the phase two portion of the VPN after initial setup?
    2. Because of the preservation of the original IP header, does the underlying transport have to know or learn the networks being encrypted?
    3. If you did implement GETVPN, did you see a performance improvement on bandwidth, application traffic, file transfers, etc.?

    submitted by /u/unclemonkeyboy

    Upgrading my switch for my office nas.

    Posted: 19 Sep 2021 11:41 AM PDT

    We have a TL-R600VPN that we use to host many servers for our website and Docker containers for various purposes. We have used all the ports on the TL-R600VPN, so we just got a cheap 150 Mbps switch for a couple of computers. Problem is, now we added a TrueNAS server and we want to get a gigabit connection to all the computers running off the cheap switch. We are thinking of getting a couple of TP-Link TL-SG105 switches. Problem is, is this switch going to create a port forwarding mess like another solution that we tried before did?

    submitted by /u/marconovino

    eBGP - ISP peer authentication with password, anyone actually do this for security reasons?

    Posted: 18 Sep 2021 06:36 PM PDT

    I was curious how many people that manage eBGP peers with ISPs are using or not using peer authentication, and whether there are any adverse side effects.

    submitted by /u/tolegittoshit2

    Cat6 cable length question.

    Posted: 19 Sep 2021 08:36 AM PDT

    I know the maximum stated cable length, but what about when you're willing to take a significant loss? For example, let's say you only needed 1 Mb/s out of a gigabit connection. Does anyone know how long a cable you could have with that data rate as a target?

    submitted by /u/ethicsg

    Church - Recommendation to overhaul network

    Posted: 19 Sep 2021 11:57 AM PDT

    Hello all,

    I'm looking to upgrade my church to the modern era. Right now, we're using the router/modem combo that is rented via Spectrum. I'm going to try and get us away from that by utilizing a network closet with centralized patch panel, several Ethernet runs, APs in general areas, plus running VLANs to separate traffic (i.e., staff, guest, video/sound).

    My church isn't the biggest, but I think 3 APs will cover it.

    • 1 for sanctuary/foyer
    • 1 for the classroom wing
    • 1 for the basement

    Our speeds aren't the best at the moment. I think we're on the base Spectrum business, and we'll ideally want to up that when we start streaming.

    I'm thinking we'll have at least 5-6 wired devices at this point with expansion possible in the future, so I'd like to go with a 16-port PoE capable switch. UDM or UDM-Pro might be the best option for the router/FW. I'm not sure on the APs though.

    Then again.... I could be mistaken on all of this. I'll be the one managing the network for the foreseeable future, and I know Ubiquiti is basically the Meraki of the small/pro-sumer market which works for me.

    As for the Ethernet runs... I'm planning on doing the following:

    • 4 - Sanctuary ceiling
      • (AP, camera - potentially SDI over ethernet, two projectors - projectors to eventually connect via HDMI over Ethernet to PC utilizing 2 of the ports in the sound room below)
    • 8 - Sound Room
      • (2 PCs, 2 snakes from sound board to sound room, any other device that may need to be connected in there)
    • 1 - Basement ceiling (1 AP)
    • 1 - Hallway ceiling (1 AP)
    • 4 (or 8) - Pastor/Secretary office (PCs + Printer)
    • 4 - Rack of audio equipment
      • (Some of those jacks will be used to connect from front of house with the soundboard to the sound room, so we can stretch audio back to there and have several XLR inputs in the sound room.)

    I'm not sure what else I'm missing at this point, but I'm trying to plan for the future with expansions and all that. Any recommendations or words of advice/criticism will be incredibly beneficial. To be honest, I'm not sure on the budget, but the lower the better since we're a smaller church.

    EDIT: looking for hardware recommendations, too.

    submitted by /u/Shamrock013

    3702I-E-K9 disconnects from 9800-CL controller

    Posted: 19 Sep 2021 12:43 AM PDT

    Hi everyone, I am facing a weird issue with my 3702Is and the 9800-CL WLC where the APs work and broadcast, but then disconnect from the WLC with the following error:

    *Sep 19 08:40:14.095: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.0.1.1:5246
    *Sep 19 08:40:14.099: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio1 due to the reason code 27
    *Sep 19 08:40:14.211: %CAPWAP-5-AP_EASYADMIN_INFO: AP Easy Admin information - EASY_ADMIN is not set, turn off easy admin service!
    *Sep 19 08:40:14.211: %CAPWAP-5-AP_EASYADMIN_INFO: AP Easy Admin information - Easy Admin is not enabled, turn it off!
    *Sep 19 08:40:14.227: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio1 due to the reason code 39
    *Sep 19 08:40:14.235: %CLEANAIR-6-STATE: Slot 1 down
    *Sep 19 08:40:14.235: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
    *Sep 19 08:40:14.243: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio0 due to the reason code 10
    *Sep 19 08:40:14.247: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Sep 19 08:40:14.851: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio1 due to the reason code 10
    *Sep 19 08:40:14.875: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
    *Sep 19 08:40:15.279: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
    *Sep 19 08:40:15.287: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Sep 19 08:40:16.271: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Sep 19 08:40:16.279: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
    *Sep 19 08:40:16.315: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
    *Sep 19 08:40:16.323: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Sep 19 08:40:16.331: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Sep 19 08:40:17.315: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
    *Sep 19 08:40:17.323: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Sep 19 08:40:17.355: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Sep 19 08:40:18.355: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Sep 19 08:40:25.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.0.1.1 peer_port: 5246
    *Sep 19 08:40:25.279: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.0.1.1 peer_port: 5246
    *Sep 19 08:40:25.279: %CAPWAP-5-SENDJOIN: sending Join Request to 10.0.1.1
    *Sep 19 08:40:25.319: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio0 due to the reason code 27
    *Sep 19 08:40:25.331: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller

    Does anyone have any ideas? It seems to be this close notify alert error. The WLC reports 'DTLS Server Session Error'.

    Thanks

    submitted by /u/ewsclass66

    Problem implementing OSPF

    Posted: 18 Sep 2021 04:56 PM PDT

    Our current network uses all static routes. I've been wanting to implement OSPF, but it's one of those things that always gets kicked to the side since other stuff is "more urgent." I was reading that the simplest way to start would be to just leave all my statics set up, implement OSPF, put everything in area 0, verify that the OSPF routes looked correct, and then slowly start to remove the static routes. Since the statics would have a lower cost by default, the idea sounded great because there really shouldn't be any risk of messing anything up (haha).

    So, I started with just 2 routers that connect Site 1 and Site 2 together, but instantly ran into an issue. I had a static route set for a /23 subnet, but OSPF learned/generated a /24 included within that /23 and sent it somewhere else, which brought that segment down.

    Being new to OSPF, I'm not sure how to find out where OSPF is learning/generating routes from or how to resolve the issue, so I disabled it for now. Basically looking for some info on how to find out where routes are being learned, why, and what to do in a situation like this. I'm just not familiar enough with how it works and what to look for. Maybe if I had enabled it on all the VLANs on the switches, that may have solved the issue, but I couldn't leave that network down for too long, especially since I knew the easy fix.

    Here's a simple topology with some snippets of the config on those devices. Hopefully there's enough info here, but if any additional info would help I can gladly send it.

    https://imgur.com/a/3b6B40u

    submitted by /u/leopor