Blogpost Friday! Networking
- Blogpost Friday!
- Do you guys use something to store useful commands for your team to access for various vendor tools?
- Multimeter and Coax/Ethernet/Fiber tester
- Aruba 6300 CX with Palo Alto issue
- Troubleshooting Wireshark - Can someone verify my work & describe what I'm seeing?
- A Post About Packet Mismatches
- Micro-segmentation/ZTNA with Juniper, Fortinet and Aruba
- L2NAT Deployment - Production network
- Video Playback on remote cameras not working on Corp network - It does work on Guest Network
- Remote Data Transfer using TCP
- Cogent vs Blended Option? PROS & CONS?
- IDF Relocation
- Cisco SDA Network design queries & validation
- PTP time source for labs?
- LRL (Lite) modules compatible with LR?
- Operating Systems of Devices on Network- How to get useful information?
- Using /32 vs /24 for Endpoints on a /24 Subnet?
- Trying to troubleshoot an inherited enterprise environment with a Cisco Backbone
- unifi + tp-link + pfsense guest wifi
- Consistent Weekly outage, same time every week
- Cloud AD authentication
- OSPF DR site w/backup default route
- Fiber TX/RX dBm specs with QSFPs
Blogpost Friday!
Posted: 28 Oct 2021 05:00 PM PDT
It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts. Feel free to submit your blog post, as well as a nice description, to this thread. Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.
Do you guys use something to store useful commands for your team to access for various vendor tools?
Posted: 29 Oct 2021 07:22 AM PDT
Let's face it, we can't remember every CLI command that Cisco, Palo, Shell, or whatever you use has. I was wondering if anyone uses software or a wiki to store some of the more useful commands. We currently have Confluence as our wiki documentation but, having worked with it, it's not a very quick tool to get around. I was wondering if anyone uses anything specifically to store commands so you and the team can have quick access to them.

Multimeter and Coax/Ethernet/Fiber tester
Posted: 29 Oct 2021 03:15 PM PDT
Any recommendations for a networking tool that has the capability of testing all 4? Multimeter/Coax/Ethernet/Fiber tester all in 1?
Aruba 6300 CX with Palo Alto issue
Posted: 29 Oct 2021 01:52 PM PDT
Hey all, having an issue when migrating from Cisco 6900 series to our new Aruba 6300m series switches. I have the PA in a HA pair, so I moved one over to my Aruba switches, then flipped it over. Most of my traffic works except one of the interfaces has multiple tagged VLANs for some DMZ stuff (guest wifi is what I am testing here). Tried a few various configs on the Aruba and not able to have this work.

Cisco config that does work:

    interface GigabitEthernet10/39
     description GigabitEthernet10/39-rta.pal3020.02.e1/5.trunk
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 25,152,154,160,161
     switchport mode trunk
     spanning-tree portfast edge trunk

Aruba:

    interface 9/1/18
     no shutdown
     description paloalto.firewall.dmz.eth5
     no routing
     vlan trunk native 1
     vlan trunk allowed 25,152,154,160-161

Palo Alto ethernet 1/5:

    ethernet1/5 {
      layer2 {
        lldp {
          enable no;
        }
        units {
          ethernet1/5.152 {
            tag 152;
          }
          ethernet1/5.154 {
            tag 154;
            comment "VZW Backup";
          }
          ethernet1/5.161 {
            tag 161;
          }
          ethernet1/5.160 {
            tag 160;
          }
          ethernet1/5.25 {
            tag 25;
          }
        }
      }
    }

I have also tried changing the trunk native VLAN to 152 to test and was not able to get connected to the guest wifi. The interface for the guest wifi and DHCP service comes from the PA. Any help is appreciated!
Troubleshooting Wireshark - Can someone verify my work & describe what I'm seeing?
Posted: 29 Oct 2021 09:57 AM PDT
I'm using Wireshark for the first time to troubleshoot VOIP issues (poor call quality) my company is having. I'm the solo IT guy here and I could really use some feedback on what I'm looking at here. My office is totally hardwired into a 48-port switch, except for two IP cameras. Here's a map. My main questions are:
(1) Have I set up the right/best place for complete network monitoring? My goal is to capture all gateway throughput.
(2) As a way of experimenting/learning, I'm also running Wireshark on my personal client, comparing those results with what I see on the monitoring client (re: that client mirrors the router's port on the switch). The monitoring client obviously captures a lot more, but I notice my personal client still sees communication between *other* clients on our network... Why is my personal client able to even see that traffic? Despite all hardwired clients having their own ports, do they each still see ALL networked traffic on the switch anyway? Not just their own? Why isn't the personal client just seeing its own traffic on the switch?
(3) A significant portion of network traffic (via the monitoring client) is from the IP cameras. Those destination/source addresses are local, as they record to the NAS. I don't want to capture traffic from these IP addresses.
Thanks for the help and I appreciate any advice/insights to improve on what I'm doing.
A Post About Packet Mismatches
Posted: 29 Oct 2021 01:17 PM PDT
Our company recently deployed two cellular devices which would act as bridges for downstream FortiGate firewalls. These firewalls would then build policy-based IPsec tunnels between each other. The tunnel is unable to establish, although all IKE phases match, as well as traffic selectors. So, we thought, "can we even ping the other side of this tunnel?" We set up our ping -t and saw some pings go through, and others report a message:

    MISCOMPARE AT OFFSET 13 - TIME=118ms
    MISCOMPARE AT OFFSET 13 - TIME=113ms
    MISCOMPARE AT OFFSET 13 - TIME=108ms

So we thought this was odd, which led us to getting packet captures on either side of the tunnel with active pings running. What we discovered was pretty interesting. The packet leaving Site A would actually change (which we could see in the raw packet data shown in hex characters using Wireshark) when received by Site B. And sure enough, vice versa. Site B would reply using the incorrect packet data which Site A would drop. What this boils down to is something changing the packet during transit. We ran these same tests on different ISP networks and had no issue, which leads us to believe that it is a carrier-related issue. We now have a scheduled call with some of their engineers to dig a little deeper into the issue. It sure breaks up the monotony of our usual day-to-day so I thought I'd share it with you all for your own interest. Before today, I had never seen miscomparisons in a ping!
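The "MISCOMPARE AT OFFSET" message above is ping reporting that the echo reply's data bytes did not come back equal to what it sent. The following is an added example, not code from the post or from any vendor tool: it does the same byte-level comparison over a set of constructed replies (two with the byte at offset 13 rewritten, one intact) and then tallies which offsets are hit across all replies, which is the check you want when deciding whether a path is deterministically rewriting one byte (as the post saw) or a link is just noisy. The 32-byte data pattern is the default Windows ping payload; the replies and RTT values are made up.

```python
"""Byte-level comparison of ICMP echo payloads, in the spirit of ping's
"MISCOMPARE AT OFFSET n" message.

Added example, not code from the original post. The echo-reply payloads
below are constructed by hand: two have the byte at offset 13 rewritten in
transit, one comes back intact.
"""
from collections import Counter

# Default 32-byte data pattern that Windows ping sends (letters a..w, then a..i).
SENT = b"abcdefghijklmnopqrstuvwabcdefghi"

# Constructed replies: the byte at offset 13 ('n') comes back altered in two of them.
REPLIES = [
    (SENT[:13] + b"\x6f" + SENT[14:], 118),  # 'n' (0x6e) became 'o' (0x6f)
    (SENT, 104),                             # intact reply
    (SENT[:13] + b"\xee" + SENT[14:], 113),  # high bit set on the same byte
]


def miscompare_offsets(sent: bytes, received: bytes) -> list:
    """Return every offset where the reply differs from what was sent.

    A length difference is reported as mismatches from the shorter length up
    to the longer one, so a truncated reply is never silently accepted.
    """
    n = min(len(sent), len(received))
    offsets = [i for i in range(n) if sent[i] != received[i]]
    offsets.extend(range(n, max(len(sent), len(received))))
    return offsets


def describe_reply(sent: bytes, received: bytes, rtt_ms: int) -> str:
    """One line per reply, formatted like the messages quoted in the post."""
    offsets = miscompare_offsets(sent, received)
    if not offsets:
        return f"Reply OK - TIME={rtt_ms}ms"
    return f"MISCOMPARE AT OFFSET {offsets[0]} - TIME={rtt_ms}ms"


def bit_diff(sent: bytes, received: bytes, offset: int) -> str:
    """Show which bits of one byte changed, e.g. '0x6e -> 0x6f (xor 0x01)'."""
    x = sent[offset] ^ received[offset]
    return f"0x{sent[offset]:02x} -> 0x{received[offset]:02x} (xor 0x{x:02x})"


def corruption_profile(sent: bytes, replies) -> dict:
    """Count how often each offset is corrupted across many replies.

    One offset hit on every bad reply (offset 13 in the post) points at a
    deterministic rewrite somewhere on the path; scattered offsets look more
    like a noisy link or failing hardware.
    """
    hits = Counter()
    bad = 0
    for payload, _rtt in replies:
        offsets = miscompare_offsets(sent, payload)
        if offsets:
            bad += 1
            hits.update(offsets)
    always_hit = [o for o, c in hits.items() if c == bad] if bad else []
    return {"replies": len(replies), "bad": bad, "hits": dict(hits),
            "always_hit": always_hit}


if __name__ == "__main__":
    for payload, rtt in REPLIES:
        print(describe_reply(SENT, payload, rtt))
    print(corruption_profile(SENT, REPLIES))
```

Against a real capture you would feed `miscompare_offsets` the ICMP data field from the request and the matching reply (same identifier and sequence number) on each side of the path; a mismatch that appears between the sending site's capture and the receiving site's capture, rather than inside either site, is what isolates the change to the carrier.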
Micro-segmentation/ZTNA with Juniper, Fortinet and Aruba
Posted: 29 Oct 2021 02:25 PM PDT
We have a relatively small network (under 5 locations, about 300 switches, access points and firewalls) and leverage Juniper for our core and switch backbone, Fortinet at the edge and Aruba for wireless. We'd like to start moving down the zero-trust/micro-segmentation path, but I'm wondering if such a thing is even feasible with very disparate vendor platforms. We are open to switching (no pun intended) if necessary, but are pleased with what we currently have.
L2NAT Deployment - Production network
Posted: 29 Oct 2021 02:15 PM PDT
Hi all, are there people who use L2NAT in their production environment here? Just curious how you all go about it. We are trying to implement it using a VRF on the Cisco switch so that those internal devices are reachable by any host on our network (not just those defined in the translation table as with regular L2NAT).

Video Playback on remote cameras not working on Corp network - It does work on Guest Network
Posted: 29 Oct 2021 01:34 PM PDT
Pulling my hair out here over an issue I've been troubleshooting, and just need any possible directions to look. We have internal users that are able to view remote cameras in cars through a website in Chrome. The website works absolutely flawlessly EXCEPT for live video playback. For whatever reason it starts to load the live feed, and then the screen will just flicker black/grey and do nothing. You can view old playback from remote SD cards no problem, but live viewing is a no-go. If I switch to our unrestricted guest network, it works without issue. I have combed through every Wireshark pcap and firewall log to write down any IP address I see during video playback on BOTH corp and guest networks. I have whitelisted everything I can possibly whitelist according to the vendor. Aside from the firewall we do have two edge security appliances, and I've checked all the IP ranges in those and no issue. I even removed one of the security appliances temporarily to see if that would help, and it didn't. What kind of issues have people run into when dealing with remote live viewing of a camera?

Remote Data Transfer using TCP
Posted: 29 Oct 2021 06:35 AM PDT
Hi everyone, hope you are having a good day. I am currently using a Python script to create a local server and then send commands over TCP to an ESP32 microcontroller (acting as a client). The ESP32 then reads ADC data and sends data back to the PC server. This works great on a local network, but I am stuck on how to do this remotely, i.e. over the internet. I have looked into port forwarding and VPN tunnelling but am unsure how to implement this and whether there is a simpler solution. Any suggestions on a simple approach would be greatly appreciated. Thank you.

Cogent vs Blended Option? PROS & CONS?
Posted: 29 Oct 2021 09:33 AM PDT
Hi, I currently have a few servers at a datacenter and they are giving me less bandwidth, only 50TB, and I am planning to get a new line. I am going to keep using the existing 50TB and get a new line. But I am torn which way to go. I have a Cogent option, which is costing me $430/mo with a one-time setup fee of $275. 1gbps at 10gb fibre. And I have another option of $400/mo with $500 setup fees. Again 1gbps @ 10gb fibre. But it is a blend of Zayo, GTT, Cogent and IX peering. Which one should I opt for? Any tips?
IDF Relocation
Posted: 29 Oct 2021 09:19 AM PDT
Looking to relocate an IDF which currently terminates about 200 data drops. The cabling is almost brand new, feeding an assortment of IP cameras and IoT devices. Is there a TIA compliant method of extending these runs to the new IDF location 75 feet away? Assuming all the runs still remain under 100 meters. Obviously the real solution is to rerun all cabling from the new IDF to the existing endpoints, but there is some management pushback on that.
Cisco SDA Network design queries & validation
Posted: 29 Oct 2021 10:51 AM PDT
I am working on an SD-Access and data center networking design with greenfield deployment for our company. I have attached a diagram to illustrate the design. Firewalls would connect outside to fabric borders which have connectivity to Internet, WAN and DMZs. In addition, those firewalls are used for East-West traffic between servers in the server farm as well. Here are some technical questions prior to finalizing the low level design.
1- In the first place, is it a valid design? I would love to have your valuable inputs and recommendations.
2- For now, there is no plan for micro-segmentation using ISE and SGTs by the customer. That said, macro-segmentation is the way to go in the fabric for segmenting traffic between Corporate users, IoTs, Guest etc. VNs. In the design, I will use the data center distribution switch for L3 handoff to handle communication between separate VNs or VRFs, or from VN/VRF to shared services residing at the Data Center. I want to ensure internet/unknown traffic originating from campus users is routed directly to firewalls. What is the recommended approach to accomplish it?
3- How should routing be configured for North-South traffic from clients to servers when some servers have a network segment behind firewalls? I am guessing I have to create VRFs on the Data center switch then import them into Campus VNs!
4- There would be full mesh connectivity between Border nodes and Fusion devices and cross-links between redundant border devices. What routing protocols and configuration will be needed to ensure no traffic is disrupted if any link or device fails?
5- I have some IoT devices for Building Management Systems (BMS) like HVAC, Campus Security and their servers are located in the data center block, however these devices should have L2 adjacency with the server? What is the optimal solution since all the links in the campus fabric are L3?
Hoping for valuable suggestions from the great experts in this reddit.
Thanks in advance.
PTP time source for labs?
Posted: 29 Oct 2021 09:47 AM PDT
Hi, does anybody know of a way to emulate a PTP time source? A VM or something? Doesn't need to be real PTP, just pretending to be is enough in the lab.

LRL (Lite) modules compatible with LR?
Posted: 29 Oct 2021 05:39 AM PDT
I am in a small bind right now till more LR modules arrive. On a short distance run under 10Km, can I use an LRL (Lite) module and on the opposite end an LR module? The length of the cable is within the building, just floor to floor reach, so it may be at best 500ft (well under the 1Km for an LRL). We ran out of the LR modules and only have a few LRL modules on hand.
Operating Systems of Devices on Network - How to get useful information?
Posted: 29 Oct 2021 09:19 AM PDT
I don't know if what I want to do is possible. My goal is to detect what devices are connected to my network and push that to Splunk for further analysis. I want to get information that can identify what the device is. For example, I detect that 192.168.86.100 is a Windows 10 laptop, 192.168.86.101 is a Windows 2012 server, and 192.168.86.102 is an iPhone 6. What tools do you know of that can get this information? Is nmap -O and creating a log with that the best way?
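One concrete shape for the nmap-to-Splunk pipeline the post asks about, as an added example that is not from the thread or from nmap or Splunk themselves: run `nmap -O -oX scan.xml <range>` (`-oX` is nmap's XML output flag), then turn the XML into one JSON event per live host for Splunk's HTTP Event Collector. The parser assumes nmap's standard XML element names (`host`, `address`, `hostnames/hostname`, `os/osmatch/osclass/cpe`) and the HEC envelope of `time`, `sourcetype` and `event`; the XML document inside the block is constructed by hand around the addresses in the post and is not real scan output. Hosts that nmap could not fingerprint still produce an event, with the OS fields empty, so the inventory shows what is on the wire even when it is unknown.

```python
"""Parse `nmap -O -oX scan.xml` output into JSON events for Splunk.

Added example, not code from the original post. It assumes nmap's standard
XML schema (nmaprun/host/address, hostnames/hostname, os/osmatch/osclass/cpe)
and Splunk's HTTP Event Collector envelope ({"time", "sourcetype", "event"}).
SAMPLE_XML is constructed by hand and is not real scan output.
"""
import json
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -oX scan.xml 192.168.86.0/24" start="1635519600">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.86.100" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac" vendor="Dell"/>
    <hostnames><hostname name="laptop01.lan" type="PTR"/></hostnames>
    <os>
      <osmatch name="Microsoft Windows 10" accuracy="97">
        <osclass type="general purpose" vendor="Microsoft" osfamily="Windows" osgen="10" accuracy="97">
          <cpe>cpe:/o:microsoft:windows_10</cpe>
        </osclass>
      </osmatch>
      <osmatch name="Microsoft Windows Server 2016" accuracy="90"/>
    </os>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.86.101" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:66" addrtype="mac" vendor="Hewlett Packard"/>
    <hostnames/><os/>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.86.102" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:77" addrtype="mac" vendor="Apple"/>
    <os><osmatch name="Apple iOS 12" accuracy="92">
      <osclass type="phone" vendor="Apple" osfamily="iOS" osgen="12.X" accuracy="92"/>
    </osmatch></os>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.168.86.103" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> list:
    """One dict per live host: addresses, hostname and the best OS guess."""
    root = ET.fromstring(xml_text)
    events = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # nmap only fingerprints hosts that responded
        ev = {"ip": None, "mac": None, "mac_vendor": None, "hostname": None,
              "os_name": None, "os_accuracy": None, "os_family": None, "os_cpe": None}
        for addr in host.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                ev["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                ev["mac"] = addr.get("addr")
                ev["mac_vendor"] = addr.get("vendor")
        name = host.find("hostnames/hostname")
        if name is not None:
            ev["hostname"] = name.get("name")
        # nmap may list several candidates; keep the one with the highest accuracy
        best = max(host.findall("os/osmatch"),
                   key=lambda m: int(m.get("accuracy", "0")), default=None)
        if best is not None:
            ev["os_name"] = best.get("name")
            ev["os_accuracy"] = int(best.get("accuracy", "0"))
            osclass = best.find("osclass")
            if osclass is not None:
                ev["os_family"] = osclass.get("osfamily")
                cpe = osclass.find("cpe")
                ev["os_cpe"] = cpe.text if cpe is not None else None
        events.append(ev)
    return events


def to_hec_lines(xml_text: str, sourcetype: str = "nmap:os") -> list:
    """Wrap each host record in the envelope Splunk's HTTP Event Collector accepts.

    Posting the lines (to /services/collector/event with an
    `Authorization: Splunk <token>` header) is left to the caller.
    """
    root = ET.fromstring(xml_text)
    scan_time = int(root.get("start", "0"))  # epoch seconds nmap stamps on the run
    return [json.dumps({"time": scan_time, "sourcetype": sourcetype, "event": ev})
            for ev in parse_nmap_xml(xml_text)]


if __name__ == "__main__":
    for line in to_hec_lines(SAMPLE_XML):
        print(line)
```

Keying the Splunk events on the MAC address as well as the IP is deliberate: on a DHCP network the IP of the "Windows 10 laptop" changes, and the fingerprint history you want to alert on (a host whose OS class suddenly changes, or a MAC vendor that has never been seen) only lines up if the stable identifier is in every event.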
Using /32 vs /24 for Endpoints on a /24 Subnet?
Posted: 29 Oct 2021 06:31 AM PDT
I feel like this is a terribly basic question, but when I try to look up the answer, all I find is posts referring to subnetting. On my firewalls, I originally was instructed to use 192.168.40.X/32 (255.255.255.255) for each endpoint, which seemed odd to me, as previously I had always used a /24 (255.255.255.0) for endpoints. I understand how subnetting works, but I am struggling to understand why I need to use a /32 when adding firewall addresses? From my research, it appears that would only be pertinent if the endpoint never had to communicate with anything else on the same subnet (such as a gateway address/loopback). Again, I feel this is something I should already know, but I have had zero "formal" training, and learned on the fly. Is it proper to use a /32 for endpoints on a /24 subnet, or am I thinking of this the wrong way? Editing to include the information that these addresses are being configured for use in Firewall Policy Rules, not to define networks. EDIT: Thank you to everyone who replied. I do understand the concept now, and I appreciate all of the time that was used to explain it in a way my brain understood. Cheers!
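The post clarifies that the addresses are firewall address objects, not interface configuration, and that is the whole difference: on an interface the mask says which neighbours are on-link, but in a policy rule the prefix length says how many hosts the rule applies to. The following added example (not code from the thread or from any firewall vendor) evaluates a tiny first-match rule list with an implicit deny, once with the endpoint written as a /32 object and once as a /24 object; the rule, the 192.168.40.0/24 endpoints and the 10.0.0.5 destination are constructed for the demonstration.

```python
"""How the prefix length on a firewall address object changes what a rule matches.

Added example, not code from the original thread or from any firewall product;
the rule set and addresses are constructed around the 192.168.40.0/24 network
mentioned in the post.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # address object in CIDR notation
    dst: str
    dport: Optional[int]  # None means any port
    action: str           # "allow" or "deny"


def as_network(obj: str) -> ipaddress.IPv4Network:
    # strict=False lets "192.168.40.10/24" stand for the whole /24, which is
    # exactly how an over-broad address object behaves in a policy rule
    return ipaddress.ip_network(obj, strict=False)


def first_match(rules, src_ip: str, dst_ip: str, dport: int):
    """Evaluate an ordered rule list with first-match semantics and an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in as_network(r.src) and d in as_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.name, r.action
    return "implicit-deny", "deny"


def hosts_covered(obj: str) -> int:
    """How many addresses an address object admits (1 for a /32)."""
    return as_network(obj).num_addresses


# Intended policy: only the application server at .10 may reach the database on 443.
HOST_OBJECT = [Rule("app-to-db", "192.168.40.10/32", "10.0.0.5/32", 443, "allow")]
# The same rule with the mask an endpoint would carry on its NIC instead.
SUBNET_OBJECT = [Rule("app-to-db", "192.168.40.10/24", "10.0.0.5/32", 443, "allow")]


def compare(src_ip: str) -> dict:
    """Decision for one source under both ways of writing the object."""
    return {
        "host_object": first_match(HOST_OBJECT, src_ip, "10.0.0.5", 443)[1],
        "subnet_object": first_match(SUBNET_OBJECT, src_ip, "10.0.0.5", 443)[1],
    }


if __name__ == "__main__":
    for ip in ("192.168.40.10", "192.168.40.11"):
        print(ip, compare(ip))
```

The neighbouring host .11 is denied under the /32 object and allowed under the /24 one, which is why the instruction to use /32 for endpoints in policy is a least-privilege rule rather than a subnetting statement; the endpoint's own interface keeps its /24 so it can still reach the gateway.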
Trying to troubleshoot an inherited enterprise environment with a Cisco Backbone
Posted: 29 Oct 2021 06:35 AM PDT
I was wondering if someone could help educate me here. Mods, if this is against the rules feel free to remove. My understanding of VLANs is that they cannot communicate with each other unless there is some layer 3 routing between them. I am working in an environment where we have several layer 2 switches connected back to one layer 3 core switch. The VLANs on the core switch are as follows:

    interface Vlan1
     description ***** DATA *****
     ip address 192.168.10.1 255.255.254.0
     no ip proxy-arp
    !
    interface Vlan10
     description ***** VOICE *****
     ip address 192.168.42.1 255.255.255.0
     ip access-group DENY-VOICE-SECURITY out
     no ip proxy-arp
    !
    interface Vlan20
     description ***** SECURITY *****
     ip address 192.168.0.1 255.255.255.0
     ip access-group DENY-VOICE-SECURITY out
     no ip proxy-arp
    !
    interface Vlan22
     description **** GUEST ****
     ip address 192.168.22.1 255.255.254.0
    !
    interface Vlan100
     description ***** ASA-UNTANGLE *****
     ip address 192.168.100.1 255.255.255.248
     ip access-group DENY-UNTANGLE-ASA out
     no ip proxy-arp

Everything is trunked back to the main switch which then goes to an Untangle firewall. Everything is currently running on VLAN 1 apart from the IP phones. What I am confused by:
1.) If I put a switch port in VLAN access mode 22, i.e.:

    interface 0/40
     vlan pvid 22
     vlan participation exclude 1,10,20
     vlan participation include 22
    exit

and connect a computer to it with a static IP in the 192.168.22.1/23 subnet, I cannot get internet access or even ping the 192.168.22.1 gateway. Shouldn't I be able to ping the VLAN interface? I'm not even sure if I am asking the right questions but I hope someone here can put me on the right track.
unifi + tp-link + pfsense guest wifi
Posted: 29 Oct 2021 07:59 AM PDT
Hello, I have read dozens of guides on doing this but can't for the life of me manage to create a guest wifi with internet access. My current set up is: ISP router (LAN cable) -> pfSense (LAN cable) -> port 1 (TP-Link switch SG108E) and out of port 8 (Unifi AP Lite 6). Having read through guides I managed to default my internet traffic to use a virtual private network. So I connect to my Unifi wifi which gets routed through pfSense to default to a virtual private network. This is what I have configured so far:

Unifi: 2 Networks
Wireless networks:

TP-Link 802.1Q VLAN configuration:
    VLAN ID 1: Default - Member ports 1-8 / untagged ports 1-8
    VLAN ID 10: Guest - Member ports 1,8 / tagged ports 1,8

pfSense:
System routing (Gateways):
    WAN_DHCP / Interface WAN: Gateway 192.168.XXXX
    WAN_DHCP6 / Interface WAN feXXXX
    V.P.N / Interface V.P.N 10.16.XXXX
    GUEST / Interface GUEST dynamic
Interfaces Assignments:
    WAN igb0
    LAN igb1
    V.P.N (ov.p.nc1)
    guest VLAN 10 on igb1 - LAN
VLAN Interfaces:
    igb1 (lan) VLAN tag: 10
Firewall NAT outbound (see pfSense guide at top of message for WAN/Open.V.P.N configuration):
    x4 WAN interface mappings
    x2 Open.V.P.N mappings for XX.XX.27.0/24, which I copied for x2 GUEST mappings for XX.XX.10.0/24
Firewall Rules GUEST:
    IPv4+6 Source / port / destination: * * * allow all
DHCP server for LAN: XX.XX.27.0 - 245
DHCP server for GUEST: XX.XX.10.0 - 245
Comments:
TLDR; my devices appear to connect to the guest network and successfully grab the correct IP from pfSense belonging to the subnet I configured on the DHCP server, but none of those devices are able to connect to the internet. Any help would be appreciated!
Consistent Weekly outage, same time every week
Posted: 29 Oct 2021 09:43 AM PDT
Hey guys, interesting problem we have been facing and would like to see if anyone may have any suggestions on similar issues they have seen in the past. We have been losing connectivity at our organization at 7:00 and 7:40 every Friday for the last several months. The issue is within +/- 7 minutes of 7:00 every time. Connectivity loss is around 2-4 minutes every time. The severity of the connectivity issue does tend to fluctuate week to week. Sometimes multiple servers alert, sometimes none. We do lose all of the IPSEC VPNs every time. We noticed we are losing other devices on our edge switch outside of the firewall. It definitely seems like there is something that is on a schedule or something is falling over. It appears more and more by the week like this is a provider issue, due to losing other devices in front of our firewall on the edge switch. Has anyone seen anything similar or have suggestions on some specific things to check? Our network and server teams have exhausted most of the resources we have looking into this issue. Our ISP doesn't see anything on their side. One of the weirdest and most inconsistent issues, other than the timing, that we have ever seen. Thank you in advance.

Cloud AD authentication
Posted: 29 Oct 2021 08:55 AM PDT
Hi, the AD would manage the desktops and users' authentication and login; remote users would use VPN to the office/on-prem to authenticate. How would this work in the cloud using Azure AD or AWS Directory Service for those remote computers and users? Do they need a VPN connection to the cloud? Or can this be done from any internet access without any VPN? Thanks
OSPF DR site w/backup default route
Posted: 29 Oct 2021 08:55 AM PDT
I think I know what needs to happen, but I'd like to make sure before starting the config: Currently, default routes are statically configured - HQ and DR sites have internet access. Branches point to HQ for their internet, DR uses its own because why not?
Goals:
Point 3 is the tricky one - I want everything else to use HQ, but DR to only use its own unless the ISP goes down, and I'm not 100% sure how the cost manipulation should work.
Fiber TX/RX dBm specs with QSFPs
Posted: 28 Oct 2021 10:12 PM PDT
All, trying to understand the optimal dBm for SFP/QSFP. From looking at the Cisco command:

    show int f01/1/1 transceiver detail

Now I have been told that it should be close to 0 for the XMT/RCV or within +5/-5 (unsure which is correct). I understand distance and # of connections come into play in this. The outputs I am trying to figure out are:

    Optical XMT Power
    Optical RCV Power
    High Alarm Threshold
    High Warn Threshold
    Low Warn Threshold
    Low Alarm Threshold

Say we are using Cisco-40GB-ER4. I have seen connections with XMT: 0.0 RX: -0.7 all the way to XMT: 3.0 RX: -13.00