    Tuesday, November 2, 2021

    Have the supply chain woes pushed you into vendors you wouldn't normally consider? Networking

    Have the supply chain woes pushed you into vendors you wouldn't normally consider?

    Posted: 02 Nov 2021 05:09 AM PDT

    I've seen more and more posts about network shops that normally buy from mainstream network vendors using equipment like FiberStore, MikroTik, Ubiquiti and disagg/whitebox because it's more available.

    It made me curious as to how many will continue to use solutions they wouldn't have normally considered after the supply chain issues have subsided.

    Have you gone down this road with your company?

    If so, what's your experience been and will you continue using equipment that isn't from $LargeVendor ?

    submitted by /u/StubArea51
    [link] [comments]

    Is routing and switching slowly disappearing in enterprises?

    Posted: 02 Nov 2021 12:47 PM PDT

    Currently hold a university degree in internetworking and CCNP R&S certificate.

    I've been working as a network specialist/engineer for about a year. Our organization has 10.000+ users.

    We are a team of around 12 people responsible for the network geographically spread at multiple sites.

    I was extremely excited to start a networking career and get hands-on experience in a production environment with the various IGPs, BGP and layer 2 protocols. Everything that I studied for so long - and was the reason I started in the first place.

    However, since job start I got to troubleshoot a single BGP issue - this is basically the only routing task I remember working on.

    In our organization all access networks, remote user VPN and most DC equipment are Cisco. We have implemented DNA-C, ISE, FirePower, ACI and many more of their products.

    The most exciting tasks we have (in my opinion) are when we need to troubleshoot using "show" commands in the CLI on our switches. The only reason we would enter global config mode is to shut/no shut interfaces.

    Let's say one day there is a layer 3 issue on one of the edge switches at the SDA site - I know we would not even consider looking at IS-IS, LISP, or the VRFs on the device(s). All we need to do is remove the switch from the fabric and reprovision it.

    Is this method easier? Definitively yes. Is it more exciting? To me, not even close.

    Most tasks today are looking at the RADIUS logs in ISE, updating software, creating firewall rules, automation and APIs, etc.

    I feel more like a sysadmin than anything else.

    Am I looking for something that's about to die? Perhaps ISPs are different?

    Will this eventually be similar everywhere? If not Cisco, then simply the SDN solutions from other vendors.

    TL;DR: With all the new (Cisco) SDN solutions I feel more like a sysadmin than a network engineer.

    submitted by /u/thisdansker
    [link] [comments]

    Looking for a community like this for enterprise network security and cybersecurity discussion

    Posted: 02 Nov 2021 11:07 AM PDT

    Hello guys, I love our wonderful community that serves and helps each other out in the network domain whenever we have an issue in our enterprise network. I am wondering whether there is any group just like this for enterprise cybersecurity/network security discussion. I have been looking for a while but could not find one.

    submitted by /u/Mercedes-AMG7
    [link] [comments]

    vPC config with a IOS 3850 switched Port-Channel

    Posted: 02 Nov 2021 01:53 PM PDT

    I have two Cisco Nexus 9Ks and a downstream 3850 access switch. I want to configure a port-channel on the 3850 with two member trunks which will be dual-homed up to the 9K Nexus pair with a vPC config on the 9Ks.

    Below is the config I would use on each switch to do this, but my question is this, should I do channel-group mode ON or ACTIVE? What is the default if I just say channel-group 1 on the member interface configs?

    Example Config

    9K-1

    interface port-channel 1
     switchport mode trunk
     vpc 1
    !
    interface eth1/1
     switchport mode trunk
     channel-group 1

    9K-2

    interface port-channel 1
     switchport mode trunk
     vpc 1
    !
    interface eth1/1
     switchport mode trunk
     channel-group 1

    3850_Switch

    interface port-channel 1
     switchport mode trunk
    !
    interface G1/0/1
     switchport mode trunk
     channel-group 1 mode on

    submitted by /u/TracerT10
    [link] [comments]

    No incoming calls on VOIP

    Posted: 02 Nov 2021 09:51 AM PDT

    Hello. I'm posting here as a last effort. I use Allworx VOIP for work and I have a C4000BG DSL modem/router from CenturyLink. Internet is connected and all my devices function normally except for the work phone. It will not receive inbound calls, but it will allow outbound calls. For a brief time after making an outbound call, it will allow inbound calls, but after a few minutes it is disabled again.

    I am no expert, but I've read up on it as much as possible and have run out of options to try.

    The details:

    Speeds: DSL - 12mb download / 1.5 mb upload / avg ping: 25-50 ms

    Greenwave C4000BG modem

    I've confirmed SIP ALG is disabled, and I've tried forwarding ports (though I'm not sure if I did it correctly). It's hard to identify the problem, as I've tried fully disabling modem security as well as both IPv4 and IPv6 firewalls and the problem persists. That makes me question whether it is a firewall issue. Tried toggling DMZ. Toggled NAT.

    I also have a Netgear R6400v2 router from my old setup and I know everything worked with that. I tried setting up the C4000BG in transparent bridging mode, but that proved difficult. I got my PPPoE credentials and logged in on the Netgear router, and the wifi worked at that point, but ethernet connections through the Netgear router didn't, so I was unable to test whether the phone would work.

    My contact at Allworx said that if I tried port forwarding I needed to set it up as follows:

    port 5060 - UDP and TCP

    port 8081 - UDP

    ports 15000-15511 - UDP

    That didn't work either. Nobody on the phone at CenturyLink has any clue what I'm talking about, and the Allworx people say that the problem isn't on their end. If you have ANY ideas on how to fix this, I'd really appreciate the help! At this point I've looked through every setting option on both routers and I'm stumped.

    submitted by /u/Ok-Huckleberry2034
    [link] [comments]

    RIR BGP Multi-Home between on-prem and AWS. *gulp*

    Posted: 02 Nov 2021 08:35 AM PDT

    Hi everyone!

    I have a fortunate "problem" on my hands. I have a recent allocation of a /22 IPv4 from ARIN to use for some of our locations in a hybrid cloud environment.

    My dilemma: What is the most efficient way to multi-home some of my IPs so that they are routable from one of my on-prem locations but "fail over" to AWS ASNs in the case that my on-prem routing goes offline. AWS does not give much control over the RIR/Public ASN BGP settings with the BYOIP program.

    My initial thoughts were to pull the whole /22 into AWS and then advertise a /24 out of the on-prem datacenter ASN (that is more than enough IPs at the moment). If my theory is correct, this route should supersede the /22 advertisement from AWS until the /24 goes offline. At that point, the /22 route will then function.

    Anyone have any experience with this? Also, what does "fail back" look like when I re-introduce the /24 on the on-prem location?

    Thanks in advance!

    submitted by /u/Independent_Skirt301
    [link] [comments]
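    The reasoning in the post ("the /24 should supersede the /22 until the /24 goes offline") is the longest-prefix-match rule, which is decided per destination address before any BGP path attribute is compared. The following is an added illustration, not the poster's configuration or anything from AWS: it uses documentation-range prefixes as stand-ins for the ARIN /22, and the origin labels "aws" and "onprem" are placeholders.

```python
import ipaddress

# Constructed routing table (not the poster's real allocation): documentation-range
# prefixes stand in for the ARIN /22. Origin labels "aws" and "onprem" are placeholders.
COVERING_22 = ipaddress.ip_network("203.0.112.0/22")   # whole block, announced from AWS
SPECIFIC_24 = ipaddress.ip_network("203.0.113.0/24")   # more-specific, announced on-prem

RIB = {
    COVERING_22: "aws",
    SPECIFIC_24: "onprem",
}


def best_route(rib, dst):
    """Longest-prefix match: of every prefix that contains dst, the one with the
    longest prefix length wins. Returns its origin label, or None if nothing covers dst."""
    ip = ipaddress.ip_address(dst)
    candidates = [(net, origin) for net, origin in rib.items() if ip in net]
    if not candidates:
        return None
    net, origin = max(candidates, key=lambda item: item[0].prefixlen)
    return origin


def withdraw(rib, prefix):
    """Return a copy of rib with prefix removed (the on-prem site going dark)."""
    updated = dict(rib)
    updated.pop(ipaddress.ip_network(prefix), None)
    return updated


def announce(rib, prefix, origin):
    """Return a copy of rib with prefix (re-)announced from origin (fail-back)."""
    updated = dict(rib)
    updated[ipaddress.ip_network(prefix)] = origin
    return updated


def failover_sequence(dst="203.0.113.10"):
    """Walk the scenario from the post: both routes present, /24 withdrawn, /24 restored.
    Returns a list of (stage, origin chosen for dst)."""
    stages = []
    stages.append(("both advertised", best_route(RIB, dst)))
    dark = withdraw(RIB, "203.0.113.0/24")
    stages.append(("/24 withdrawn", best_route(dark, dst)))
    restored = announce(dark, "203.0.113.0/24", "onprem")
    stages.append(("/24 re-announced", best_route(restored, dst)))
    return stages


if __name__ == "__main__":
    for stage, origin in failover_sequence():
        print(f"{stage:>18}: 203.0.113.10 -> {origin}")
    # An address inside the /22 but outside the /24 always follows the /22.
    print(f"{'outside the /24':>18}: 203.0.114.10 -> {best_route(RIB, '203.0.114.10')}")
```

    This models only the forwarding decision: fail-back is just the /24 reappearing and winning the match again. What it leaves out is everything that governs how fast the rest of the Internet sees the withdrawal and re-announcement (propagation, MRAI timers, any route-flap dampening on transit providers), and the fact that a /24 is the longest prefix most networks will accept, so the split cannot go any finer than this.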

    Outside fiber - Terminate inside with MPO/MTP?

    Posted: 02 Nov 2021 12:15 PM PDT

    Hey all,

    We are working on our outside fiber and we recently went to MPO internally for all our DC cross connections. We are planning on loose tube fiber to all the buildings.

    My thinking was terminating to MPO pigtails inside then using MPO cassettes. The big questions I have are:

    1. Do MPO pigtails exist?
    2. Has anyone done this?
    3. Is this smart?
    4. Any caveats?

    We are really just looking to make it easier to relocate fiber within the rack or room. Please let me know if this is something stupid or just not done (reasoning would be great). I know traditionally it is either SC or LC connectors but looking to see what options we might have.

    submitted by /u/DanSheps
    [link] [comments]

    CGNAT deployment as observed by traceroutes

    Posted: 02 Nov 2021 03:53 PM PDT

    Hey folks,

    I am an applied mathematics grad student working on coming up with better Internet models, so I apologize preemptively, as my way of thinking about network configuration is very possibly wrong/inaccurate and my vocabulary clumsy.

    Anyway, as part of a research project, I am interested in detecting whether some clients are hosted behind a CGNAT. The only information I have access to is the source IP address as observed by my server and traceroutes from the clients to my server at a random interval. I do not have a ground truth to validate the quality of my inferences, which makes the problem even more challenging. I thought the best way to get a better understanding of what I could potentially observe from my traceroute is to ask directly the people behind those configurations, so I am hoping that there are people that might have answers to my questions on this Subreddit!

    I have started by eyeballing my traceroutes and noticed a few interesting patterns that I would like to validate:

    1) Observing two different sets of private IP addresses (e.g. 192.x.x.x followed by 10.x.x.x) does not always imply the existence of a CGNAT. Clients can configure their NAT the way they want, and large networks such as companies are sometimes leveraging those IP addresses to set up their own topology.

    2) The number of clients is exponentially higher behind a CGNAT than behind a standard customer NAT resulting in a more complex IP-level topology before the first public IP address observed by a traceroute.

    3) It is possible to configure the routers between the router doing the client NAT translation and the one doing the carrier-grade NAT translation with public IP address, but it is very unlikely and defeats the purpose of CGNATing (reducing public IP address used).

    4) It is safe to say that every private IP address at the beginning of a traceroute corresponds to routers and devices that are hosted by the AS of the source IP address observed by my server.

    5) Building on 4 and 5, that means by extension that detecting CGNAT requires only to look at the private IP addresses portion of my traceroute.

    6) Assuming that I could run traceroute measurements from all the devices behind a CGNAT and that we had no shenanigans from my traceroute measurements, I can build a graph $G$ where the nodes are the first few private IP addresses and the first public IP address of a set of traceroutes, and the edges correspond to adjacent hops. A CGNAT deployment would result in a tree-like structure where the first layer would consist of the client premise NAT, the second layer would be the internal topology of the ISP, and the third layer would funnel toward the ingress of the routers hosting the IP addresses used for the CGNAT pooling (i.e. the public addresses observed by my server).

    Do those assumptions make sense? As people deploying CGNAT in the wild, what are your expectations from this set of measurements? I would love to hear all of your opinions!

    Thanks in advance, and thanks again to this Subreddit for helping me to better understand a lot of networking concepts through the prism of the operators (versus pure academic reading)!

    submitted by /u/burdantes
    [link] [comments]
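    Points 1, 5 and 6 of the post describe a concrete procedure: keep only the hops before the first public address, classify them, and join the per-client paths into a graph whose fan-in reveals where customers funnel. The block below is an added example of that procedure, not the poster's research code; the hop lists are constructed, with documentation-range addresses playing the public hops. One thing it adds that the post does not mention: 100.64.0.0/10 is the RFC 6598 shared address space set aside specifically for the inside of carrier-grade NATs, so it deserves its own class separate from RFC 1918 space.

```python
import ipaddress
from collections import defaultdict

# Constructed hop lists standing in for the poster's traceroutes (not real measurements).
# Documentation-range addresses (198.51.100.x, 203.0.113.x) play the role of public hops.
TRACEROUTES = [
    ["192.168.1.1", "100.64.12.1", "100.64.0.5", "198.51.100.7", "203.0.113.9"],  # home CPE -> CGN
    ["192.168.0.1", "100.64.12.1", "100.64.0.5", "198.51.100.7", "203.0.113.9"],  # another CPE, same CGN
    ["10.0.0.1", "10.20.0.1", "198.51.100.7", "203.0.113.9"],                     # enterprise, RFC 1918 only
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SHARED_SPACE = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space, set aside for CGN


def classify(addr):
    """'shared' for RFC 6598, 'private' for RFC 1918, otherwise 'public'.
    Documentation ranges are treated as public here because they stand in for real addresses."""
    ip = ipaddress.ip_address(addr)
    if ip in SHARED_SPACE:
        return "shared"
    if any(ip in net for net in RFC1918):
        return "private"
    return "public"


def leading_non_public(hops):
    """The hops before the first public address: the part of the path that point 5 of the
    post says is the only part that matters for CGNAT detection."""
    prefix = []
    for hop in hops:
        if classify(hop) == "public":
            break
        prefix.append(hop)
    return prefix


def cgnat_indicators(hops):
    """Per-traceroute signals. Two RFC 1918 blocks alone are not evidence (point 1 of the post);
    RFC 6598 space is a strong hint, because it is reserved for exactly this use."""
    prefix = leading_non_public(hops)
    blocks = {next(net for net in RFC1918 if ipaddress.ip_address(h) in net)
              for h in prefix if classify(h) == "private"}
    return {
        "non_public_hops": len(prefix),
        "shared_space_seen": any(classify(h) == "shared" for h in prefix),
        "distinct_rfc1918_blocks": len(blocks),
    }


def build_hop_graph(traceroutes):
    """Graph G from point 6: nodes are the leading non-public hops plus the first public hop,
    edges join adjacent hops. Returns (edges, fan_in) where fan_in counts distinct predecessors;
    a node with high fan-in is where many customers funnel, i.e. the CGN's inside-facing hop."""
    edges = set()
    for hops in traceroutes:
        path = leading_non_public(hops)
        first_public = next((h for h in hops if classify(h) == "public"), None)
        if first_public is not None:
            path = path + [first_public]
        edges.update(zip(path, path[1:]))
    predecessors = defaultdict(set)
    for a, b in edges:
        predecessors[b].add(a)
    return edges, {node: len(preds) for node, preds in predecessors.items()}


if __name__ == "__main__":
    for hops in TRACEROUTES:
        print(hops[0], cgnat_indicators(hops))
    _, fan_in = build_hop_graph(TRACEROUTES)
    print({node: n for node, n in fan_in.items() if n > 1})
```

    Two caveats for anyone using this on real data. Some operators number the CGN inside path from RFC 1918 or other space rather than 100.64.0.0/10, so the absence of shared space does not rule a CGNAT out. And real traceroutes have unanswered hops ("*"), which the constructed input omits; an unanswered hop inside the non-public prefix should be kept as an anonymous node rather than dropped, or the graph will join hops that are not adjacent.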

    Velo-Cloud List OSPF Routes vs Show OSPF Route Table

    Posted: 02 Nov 2021 01:55 PM PDT

    In test and troubleshoot, what is the difference between List OSPF Routes and Show OSPF Route Table?

    I have a single VCE device with a connection to two cores on the LAN side but we are setting the LAN interfaces on the VCE (GE1 and GE2) as routed interfaces that route via OSPF to the cores - GE1 has an adjacency with Core-1 and GE2 has an adjacency with Core-2.

    When I run List OSPF Routes I see routes to both cores, but Core-2 shows its routes as TRUE and Core-1 routes as FALSE. But under Show OSPF Route Table I see both core switch IPs listed for routes to each LAN subnet.

    And we lose all OSPF connectivity if I shut the VCE interface GE2 going to Core-2. Shouldn't traffic reroute over GE1 to Core-1?

    submitted by /u/TracerT10
    [link] [comments]

    Assistance with Network Layout

    Posted: 02 Nov 2021 01:46 PM PDT

    I am attempting to set up a business's network that was started by another technician, but halfway through they had a medical incident and I had to take over, and I am a bit lost on what they were trying to do.

    The computers need access to the main office via a direct line required by that office. The printers need to be accessible to all the computers. I am unsure why all the machines are connected to the DSL modem and not the switch (if it should be).

    I'm not sure where their new cable internet and firewall should integrate, the DSL modem used to be their main internet and I have no idea how they originally had it configured.

    Any assistance would be greatly appreciated

    Network Map: https://ibb.co/RhBFrWZ

    submitted by /u/Chroney
    [link] [comments]

    EAP-TLS Auth No Longer works on Android 11/12

    Posted: 02 Nov 2021 01:27 PM PDT

    My environment is deploying our internal root/intermediate and user cert generated via SCEP. This works for Android 10 and older as well as iOS; however, with Android 11/12 on Pixel/Samsung devices, it doesn't connect.

    I've verified that the root/intermediate and the user cert are installed. After attempting to connect and failing a few times, I notice that the CA cert is missing from the "CA certificate" setting in the SSID wifi configuration. However, the cert is still visible within the cert store.

    On the clearpass side, it looks like the certificates are not being presented from the device during authentication. Any ideas what may be the issue?

    Some logs from the device during the connection attempt:

    // When the OS tries to fetch the certificate to connect to wifi, it hits this issue
    10-06 10:16:33.217 1000 22084 22084 E WifiConfigController2: ca_cert ([Ljava.lang.String;@a86498) and ca_path () should not both be non-null
    10-06 10:16:34.564 wifi 1302 1361 E wificond: keyStore2GetCert:146 Keystore 2.0 getKeyEntry failed error: Status(-8, EX_SERVICE_SPECIFIC): '7: '
    10-06 10:16:34.573 wifi 1302 1361 E wificond: getLegacyKeystoreBlob:313 Failed to get legacy keystore entry for alias "CACERT_CORPORATE-WIFI_WPA_EAPIEEE8021X_TLS_NULL_0": Status(-8, EX_SERVICE_SPECIFIC): '7: '
    10-06 10:16:34.573 wifi 1302 1361 E wificond: getBlob:336 Failed to get certificate.
    10-06 10:16:34.573 wifi 3170 3170 E wpa_supplicant: OpenSSL: Failed to parse certificate: CACERT_CORPORATE-WIFI_WPA_EAPIEEE8021X_TLS_NULL_0
    10-06 10:16:34.573 wifi 3170 3170 E wpa_supplicant: TLS: Failed to parse Root CA certificate

    submitted by /u/brandobot89
    [link] [comments]

    ASR1001-X IKEv2 Error - Mismatch proposals, but all options are allowed?

    Posted: 02 Nov 2021 08:56 AM PDT

    I'm struggling with the following showing up in the output of "debug crypto ikev2 error":

    Nov 2 08:52:01.408 PDT: IKEv2-ERROR:(SESSION ID = 487912,SA ID = 13):Received Policies: : Failed to find a matching policy
    Proposal 1: AES-CBC-256 SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
    Nov 2 08:52:01.408 PDT: IKEv2-ERROR:(SESSION ID = 487912,SA ID = 13):Expected Policies: : Failed to find a matching policy
    Proposal 1: AES-CBC-256 AES-CBC-128 3DES SHA384 SHA1 SHA384 SHA96 DH_GROUP_384_ECP/Group 20 DH_GROUP_1024_MODP/Group 2

    However my proposals:

    crypto ikev2 proposal low-proposal
     encryption aes-cbc-256 aes-cbc-192 aes-cbc-128 3des
     integrity sha512 sha384 sha256 sha1
     group 24 21 20 19 16 15 14 5 2
    crypto ikev2 proposal high-proposal
     encryption aes-cbc-256 aes-cbc-128 3des
     integrity sha384 sha1
     group 20 2
    crypto ikev2 proposal med-proposal
     encryption aes-cbc-256 aes-cbc-128 3des
     integrity sha384 sha1
     group 20 2

    and my policy:

    crypto ikev2 policy shared-policy
     proposal high-proposal
     proposal med-proposal
     proposal low-proposal

    They should be checked in order until a hit is found, right? I'm not exactly sure what is wrong here, as I should be allowing everything in the low proposal. Does anyone have any ideas what could be at fault?

    submitted by /u/brokecollegestudent
    [link] [comments]
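    IKEv2 proposal selection (RFC 7296, section 3.3) requires a proposal to share at least one algorithm with the peer in every transform type at once: encryption, integrity, PRF and Diffie-Hellman group. Below is an added example, not code from the post or from Cisco, that applies that rule to the transform sets transcribed from the post's running config and to the single proposal in the "Received Policies" debug line. The config shows no prf line, so PRF is assumed to mirror the integrity list.

```python
# Proposal negotiation as RFC 7296 section 3.3 specifies it: a proposal matches only when
# every transform type (ENCR, INTEG, PRF, D-H) has at least one algorithm in common.
# Transform lists below are transcribed from the post's running config; no prf line is
# shown there, so PRF is assumed to mirror the integrity list.

def proposal(encr, integ, dh, prf=None):
    return {"encr": encr, "integ": integ, "prf": prf if prf is not None else integ, "dh": dh}


LOCAL_POLICY = [  # order matters: shared-policy lists high, then med, then low
    ("high-proposal", proposal(["aes-cbc-256", "aes-cbc-128", "3des"], ["sha384", "sha1"], [20, 2])),
    ("med-proposal",  proposal(["aes-cbc-256", "aes-cbc-128", "3des"], ["sha384", "sha1"], [20, 2])),
    ("low-proposal",  proposal(["aes-cbc-256", "aes-cbc-192", "aes-cbc-128", "3des"],
                               ["sha512", "sha384", "sha256", "sha1"],
                               [24, 21, 20, 19, 16, 15, 14, 5, 2])),
]

# The single proposal the peer sent, from the "Received Policies" debug line:
# AES-CBC-256, integrity SHA256, PRF SHA256, DH group 14 (2048-bit MODP).
PEER_PROPOSAL = {"encr": ["aes-cbc-256"], "integ": ["sha256"], "prf": ["sha256"], "dh": [14]}


def match_proposal(local, peer):
    """Return the chosen transform per type, or None if any type has no common algorithm.
    Within a type the responder takes the first acceptable transform in the peer's order."""
    chosen = {}
    for ttype, peer_algs in peer.items():
        common = [alg for alg in peer_algs if alg in local[ttype]]
        if not common:
            return None
        chosen[ttype] = common[0]
    return chosen


def negotiate(policy, peer):
    """Walk the policy's proposals in order; the first full match wins."""
    for name, local in policy:
        chosen = match_proposal(local, peer)
        if chosen is not None:
            return name, chosen
    return None


def explain_mismatch(policy, peer):
    """For troubleshooting: list the transform types that fail against each proposal."""
    report = {}
    for name, local in policy:
        report[name] = [t for t, algs in peer.items() if not any(a in local[t] for a in algs)]
    return report


if __name__ == "__main__":
    print("all three proposals:", negotiate(LOCAL_POLICY, PEER_PROPOSAL))
    # The "Expected Policies" debug line lists only the high/med transform sets; against those
    # alone the peer's SHA256 / group 14 proposal has nothing in common in three types.
    print("high and med only: ", negotiate(LOCAL_POLICY[:2], PEER_PROPOSAL))
    print(explain_mismatch(LOCAL_POLICY[:2], PEER_PROPOSAL))
```

    Run against all three configured proposals, the peer's offer lands on low-proposal; run against only the high and med sets, which is exactly what the "Expected Policies" line enumerates (no SHA256, no group 14), there is no match. The obvious check on the router is therefore what `show crypto ikev2 policy` and `show crypto ikev2 proposal` report as actually attached to the negotiating interface, rather than what the startup config says. Separately, 3DES, SHA1 and group 2 in the local sets are well below current guidance and are worth removing once the peer supports something stronger.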

    Is there any reason to not use MPO breakout cables to connect servers to the network?

    Posted: 02 Nov 2021 08:17 AM PDT

    The setup is like this: 10 PowerEdge servers with 2x 10Gbps each, connected to 3 40Gbps MPO QSFP+ ports on a Dell switch.

    My instinct says this is a bad idea, but the tech lead keeps pushing this for cost savings. How could I argue against this besides having 1 port config for 4 servers?

    submitted by /u/someguytwo
    [link] [comments]

    FOSS IPAM recommendations for self-hosted SMB?

    Posted: 02 Nov 2021 07:47 AM PDT

    The most recent discussion of this I found here was from five years ago, and I'm curious to see if there are any better options available now, or what the current consensus is. In my case I don't need anything too fancy with a lot of options, just bare bones IP network management with an intuitive UI and not too many "rules" about how I can organize and keep track of things. What we've tried so far:

    1. Plain text file. This is what we're using now. It's simple and it works. The problem is, of course, keeping it up to date and in sync between users.

    2. phpipam. The UX is an unintuitive mess and there is no accommodation for "real world" management. For example there doesn't seem to be a way to note that certain ranges of subnets (that are not themselves subnets) are logically reserved for certain purposes. Without that feature, the whole package becomes useless to us.

    3. Netbox. I only took a cursory look at this and didn't complete the install, because the installation script was platform dependent and intended for Linux; ideally we want something that will run with minimal hassle on FreeBSD. My 2 second impression was that this was not going to be the case when I noticed the installer shell script referencing #!/bin/bash. I'm going to take a closer look at it today however and give it a spin on an Ubuntu VM. Seems like it may be a bit overkill for us as well, as we really just want to track IP subnets and subdivisions within those subnets, and VLAN assignments. We don't need to keep track of machines, circuits, racks, etc.

    Any and all recommendations are welcome, so long as they are free, self-hosted, and have a web GUI (no Windows programs). Thanks in advance!

    submitted by /u/alzee76
    [link] [comments]

    Question on Spanning-Tree distance limitation (with diagrams)

    Posted: 02 Nov 2021 02:39 AM PDT

    RPVSTP has a "distance" limitation of 7 hops. Is this a hop limitation of the total distance from the root bridge, or a limitation of 7 hops from any switch to any other switch?

    This is the layout that we're planning, to work around some distance and physical limitations of the site. The MDF-Core switch is configured as the root bridge for all VLANs. By connecting things around in a loop, we're relying on PV-RSTP to give us redundancy in the physical path. Unfortunately these are all layer-2 switches, so we can't rely on routing.

    The right-hand loop is 7 hops to get back to the root bridge. However if we count it as going all the way to the farthest switch on the left side, that could be up to 10 hops.

    Is this layout going to give us problems, or will RSTP still be doing its thing properly?

    submitted by /u/Princess_Fluffypants
    [link] [comments]

    VPC and MST on Cisco nexus

    Posted: 02 Nov 2021 07:20 AM PDT

    Hi All

    I must configure MST on a couple of vPC peers (Cisco Nexus 93k).

    I read somewhere that the distribution of VLAN/MSTI is automatic when MST runs on Nexus 93k.

    Did somebody ever hear anything about this?

    If yes, thanks for sharing the details.

    By the way, what if I have vPC peers running MST facing vPC peers running Rapid-PVST+?

    Is there any change in this situation to the interaction mechanisms previously seen between MST and Rapid-PVST+?

    Any comment is welcome.

    submitted by /u/egondragon2021
    [link] [comments]

    Feeling Directionless Career-Wise

    Posted: 02 Nov 2021 06:36 AM PDT

    Hi all,

    Duplicate post of the ITCareers sub, but I wanted to get some advice here too.

    I don't know that there's any specific point to this, but I wanted to just free-form write some of my thoughts because commenters here usually have good advice and I need a sounding board.

    I'm a netadmin with five years of good experience and a nice set of certs. Most of what I do is route/switch; I have some experience in voice and wireless, and a little bit in firewall.

    I feel burnt out on the operations side due to the usual off-hours stuff as well as user network-blaming. I'm also bored. There's nowhere to advance to at my company. I'm the only networking person. Most of my job feels like I'm just babysitting a bunch of switches and APs.

    The market for security is big, but I feel like that sector is a lot of telling people what they should be doing and them not listening, and I know I'm not built for that.

    I'm kind of interested in wireless. I like the technology and designing in Ekahau. The downside is I don't feel like the market for wireless engineers is almost nonexistent.

    I like designing in general and rolling out new technology. Most of those roles want presale experience and of course how do you get experience when experience is required?

    I don't understand what role there is for Network Engineers in the cloud. I see AWS/Azure on a ton of job postings. It seems expensive to lab and the concepts seem ambiguous to me.

    I've learned the devops/automation/Python basics. Is that the real futureproofed path for people on the network side?

    I'll hang up and listen to your comments.

    submitted by /u/rhb6892
    [link] [comments]

    "This experiment also demonstrated that the existing ARPANET protocols were not suitable for running over different networks."

    Posted: 02 Nov 2021 09:49 AM PDT

    I'm learning computer networking on my own so I don't have anyone else to ask and couldn't find an explanation while searching, so some help is really appreciated.

    I'm reading Computer Networks by Tanenbaum and Weatherall and am currently confused by this statement (the title).

    The first paragraph talks about the experiment where a truck connected to a University in London successfully, with data packets sent through at least three different mediums (terrestrial radio, wires and satellite). Then, on the next paragraph it says "This experiment also demonstrated that the existing ARPANET protocols were not suitable for running over different networks.".

    Did I miss something? If the experiment was successful then how did they know that the existing protocols were not suitable for different networks? I really got confused by this.

    >In addition to helping the fledgling ARPANET grow, ARPA also funded research on the use of satellite networks and mobile packet radio networks. In one now-famous demonstration, a big truck driving around in California used the packet radio network to send messages to SRI, which were then forwarded over the ARPANET to the East Coast, where they were then shipped to University College in London over the satellite network. This allowed a researcher in the truck to use a computer in London while driving around in California.

    >This experiment also demonstrated that the existing ARPANET protocols were not suitable for running over different networks. This observation led to more research on protocols, culminating with the invention of the TCP/IP protocols (Cerf and Kahn, 1974). TCP/IP was specifically designed to handle communication over internetworks, something becoming increasingly important as more and more networks were hooked up to the ARPANET.

    submitted by /u/eriseinnett
    [link] [comments]

    Building the whole network stack at the Office

    Posted: 01 Nov 2021 09:32 PM PDT

    Good evening, I have the task of setting up an office's entire network stack, and it's a doozy. I'm going to lay this out as best as I can in text. I was looking at Unifi and I've read enough horror stories about the slow decline, and I can't order anything from them anyways since it's all out of stock that I'm not keen on trying them at the moment. As for other brands, I'm not sure if I want to try Aruba's Instant On (literally just read about it tonight through here), Fortinet's offerings, TP-Link since we already have some, or just wing it. (Kidding, no one should ever wing it when it's public services.)

    Gear we will likely keep for now: TP-Link EAP330, TP-Link RE580D as they are still usable, however I'm inclined to replace them now to add them in as part of the "sticker shock", as well as get WPA3 compatible gear, assuming they stop updating the firmware from this point forward.

    Modem in bridge mode, serving a /29 range, so two IP addresses. One address will be for a government connection, the other will handle phones, BYOD, Guest access.
    The government access side has a PA-220 appliance I have no control over. It is my understanding the PA-220 is also the router in this scenario, therefore no need to provide one. Internally it needs a switch to connect a WAP, another switch for the far side of the building, and printers. Nothing right now needs POE on that switch. Far side of the building will have another small switch for printers and the Wifi repeater/WAP, no POE.

    The Public side needs a router, and a switch with at least 14 ports for POE (802.3af 15W phones) with a minimum 300w budget, 1 WAP, a connection to a switch on the far side of the building for 2 POE phones and another WAP/repeater for BYOD/Guest access.

    The state requires physical separation of everything, hence the doubling up. My ideal solution would be to go with the same brand across the stack for management purposes, but it's not a requirement.

    What I'm looking for:

    • Switches, 4 or 8-port POE, and 24-port POE+, managed not required but a nice-to-have.
    • Possibly a router, but I'm not against making a pfSense box.
    • WAP's/Repeaters that optionally could be powered via POE for flexibility
    • Ideally same brand for management, but if not, then some suggestions on how to best mix it together.

    Thanks in advance for any suggestions :)

    submitted by /u/hackersarchangel
    [link] [comments]

    Question about POE

    Posted: 02 Nov 2021 12:59 AM PDT

    Just wanting to take the temperature of everyone regarding a POE deployment I have seen my boss do. We were using an Active POE Switch for an outdoor deployment, to a non-POE AP. So we just didn't connect the POE wires when crimping to ethernet cable. Has anyone else ever done this?

    submitted by /u/Titanium125
    [link] [comments]

    Underlay IPv6

    Posted: 02 Nov 2021 05:21 AM PDT

    Greetings

    I have been looking around for this information: do Arista switches support IPv6 in the VxLAN underlay?

    submitted by /u/gunner_100
    [link] [comments]

    Juniper vRR license requirement

    Posted: 01 Nov 2021 04:30 PM PDT

    Hey All,

    A while back I recall seeing that the Juniper vRR doesn't require a license. However, I see there is a license for it now. What is the deal on it? Is the license for support or required to run it? I searched and came up with inconclusive results. Does anyone know about this?

    Thanks!

    submitted by /u/antleo1
    [link] [comments]
