Rant Wednesday! Networking
- Rant Wednesday!
- Do APs defeat the object of DAI?
- Multicast OIF is a VLAN. Does this result in broadcast to all hosts in that VLAN?
- Mac Flap Logging Issues
- Juniper l2circuit ccc
- ArubaOS
- NGFW solution - Palo Alto 400 series vs Fortigate F Series
- Recommendations for WAN circuit throughput/bandwidth testing
- Rack Cable management inspiration needed
- Career/Cert Advice
- What do you monitor on devices?
- Switch supporting 16+ span/mirror instances
- Best practices for installing large scale wireless connection
- How is this for a preliminary network diagram?
- Arista MAC Address Issue
- Getting Public IPv4 Address, (Good idea or ;( ?)
- Dark Fibre (UK)
- MSS Problem
- Site 2 Site VPN - Port Forwarding on the Opposite Site WAN IP
- Cisco ISE with FIPS
- Ping and DNS via Zscaler
- Dell OS10 VLT failover
- Users on network pick up non-functional IP from DHCP
Rant Wednesday! Posted: 30 Nov 2021 04:00 PM PST It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related. There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves! Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.
Do APs defeat the object of DAI? Posted: 01 Dec 2021 02:57 AM PST I am in the process of planning an implementation of DHCP Snooping and Dynamic ARP Inspection. The network is using Ubiquiti APs with Cat 2960X switches. The AP ports are configured as trunks with the necessary VLANs tagged. However, there will be a few locations where roaming will push you onto a new access switch as you enter a new block. My thinking to combat this is to 'trust' the AP ports so DAI doesn't go mental when someone switches switch. However, doesn't that defeat the object of DAI in the first place? Now an attacker can "connect" to the WiFi and start an ARP poisoning attack, and I'm allowing it!! Is there any other way around this? Like access switches being able to share their DHCP Snooping bindings? Originally posted on r/Cisco but thought it might get more traction here with other vendors involved.
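The trade-off in the post above can be made concrete with a small model of the decision DAI makes per ARP packet. This is an added illustration, not the poster's configuration or switch code: switch names, the AP port `Gi1/0/10`, and all addresses are made up. The model keeps a DHCP snooping binding table per switch, as the real feature does, so a client whose lease was seen on switch A has no binding on switch B.

```python
"""Toy model of the per-packet decision Dynamic ARP Inspection (DAI) makes.

Added illustration, not switch code: it shows why 'ip arp inspection trust' on
the AP trunk ports removes the protection, and why an untrusted AP port breaks a
client that roams to a switch that never saw its DHCP exchange.  Switch names,
ports and addresses are made up.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Arp:
    """The two fields DAI validates: sender protocol address and sender hardware address."""
    sender_ip: str
    sender_mac: str


@dataclass
class Switch:
    name: str
    # DHCP snooping binding table: (ip, mac) pairs learned from DHCP on THIS switch only.
    bindings: set = field(default_factory=set)
    # Ports configured with 'ip arp inspection trust' (ARP on them is not inspected).
    trusted_ports: set = field(default_factory=set)
    # Static ARP ACL permits for hosts that never use DHCP, e.g. the default gateway.
    arp_acl: set = field(default_factory=set)

    def learn_lease(self, ip: str, mac: str) -> None:
        """Simulate DHCP snooping recording a lease that transited this switch."""
        self.bindings.add((ip, mac.lower()))

    def dai_verdict(self, port: str, pkt: Arp) -> str:
        """Return 'forward' or 'drop' for an ARP packet arriving on `port`."""
        if port in self.trusted_ports:
            # Trusted port: DAI does not inspect the packet at all, spoofed or not.
            return "forward"
        key = (pkt.sender_ip, pkt.sender_mac.lower())
        if key in self.arp_acl or key in self.bindings:
            return "forward"
        # Untrusted port and no matching binding or ACL entry: dropped (and logged).
        return "drop"


def roaming_scenario(trust_ap_ports: bool) -> dict:
    """Two access switches with one AP trunk port each; the client leases behind A, roams to B."""
    ap_port = "Gi1/0/10"                                  # made-up AP trunk port
    gateway = ("10.20.0.1", "00:00:5e:00:01:01")          # static, never uses DHCP
    client = ("10.20.0.50", "aa:bb:cc:dd:ee:01")          # legitimate WiFi client
    attacker_mac = "de:ad:be:ef:00:01"                    # also associated to the WiFi

    switches = {}
    for name in ("A", "B"):
        sw = Switch(name, arp_acl={gateway})
        if trust_ap_ports:
            sw.trusted_ports.add(ap_port)
        switches[name] = sw
    # The client's DHCP exchange happened while associated to an AP behind switch A,
    # so only A holds the binding; B never saw the lease.
    switches["A"].learn_lease(*client)

    legit = Arp(*client)
    spoofed_gateway = Arp(gateway[0], attacker_mac)       # attacker claims the gateway IP
    return {
        "client_on_home_switch": switches["A"].dai_verdict(ap_port, legit),
        "client_after_roam": switches["B"].dai_verdict(ap_port, legit),
        "attacker_spoofing_gateway": switches["B"].dai_verdict(ap_port, spoofed_gateway),
    }


if __name__ == "__main__":
    for trust in (False, True):
        print(f"AP ports trusted={trust}: {roaming_scenario(trust)}")
```

With the AP ports untrusted, the roamed client's own ARP is dropped on switch B (the breakage the poster wants to avoid) but so is the spoofed gateway reply. With the AP ports trusted, both are forwarded: the attacker's packet gets exactly the same free pass as the legitimate one, which is the concern the post raises. The static ARP ACL entry for the gateway shows the only exception DAI offers on an untrusted port for a host that never went through DHCP.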
Multicast OIF is a VLAN. Does this result in broadcast to all hosts in that VLAN? Posted: 01 Dec 2021 04:12 AM PST I want to confirm something and make sure I'm not being silly. I have an access switch in VLAN 2 with IGMP snooping enabled. This switch also has PIM-SM enabled on this VLAN, acting as a querier for the VLAN. The uplink to the core switch which hosts the rendezvous point is VLAN 3. VLAN 2 is not trunked to the core, only VLAN 3. PIM-SM is configured between the access switch and the core via VLAN 3. The rendezvous point is the IP address of VLAN 3 on the core switch. My understanding is that an IGMP report will come into the access switch via VLAN 2, which results in a PIM join/prune to the RP address via VLAN 3. The core switch which has the RP then adds the incoming interface for that (S,G) via VLAN 3. When a new subscriber wants to join the group, it sends a join/prune to the RP, again via VLAN 3. The RP then adds the outgoing interface for the group as VLAN 3. As the OIF for the group is VLAN 3 and not a physical interface, am I correct in assuming this will result in multicast traffic being flooded to all hosts in VLAN 3, as this is the OIF for the group? IGMP snooping is not enabled on the core switch, nor do I believe it will help, as the source traffic is via PIM after the initial VLAN hop between 2 and 3 to reach the RP, or am I incorrect in this statement?
Mac Flap Logging Issues Posted: 01 Dec 2021 12:07 AM PST I know that on a majority of Cisco devices: is the command used to enable logging for MAC flaps when they happen, but for some reason I cannot get a Cisco NCS 520 or an ASR 920 to actually take this command. I'm coming up short so far on finding another command that will work with these devices. Any possible suggestions would be appreciated.
Posted: 01 Dec 2021 12:02 AM PST I have been wrestling with an issue for a bit now that has left me perplexed. I am trying to get a pseudowire build for transporting traffic between two sites (two Cisco 3750G MLS peering with OSPF) across my provider network and I cant seem to get it to function. ------------------------------------------------------------------------------------------------------------------------------- ge-0/0/14 is connected to wireless a wireless point-to-point bridge pair and normal traffic passes fine. The Telemetry routing instance functions fine, MPLS/LDP however appears to not function. Both sides report up And both LSPs show up Occasionally bursts of 1k or less cross the interfaces (symetrically when showing stats on both PSW interfaces) but the symptom appears to be arp related on the 3750Gs. They cannot ping or complete arp messages across the PSW. Any pointers? [link] [comments] |
ArubaOS Posted: 30 Nov 2021 12:07 PM PST Hi to all. For SMB customers I used to buy HPE Aruba 2530 series switches. Now this product is EOL. Aruba says that the replacement model is the 6000 series, but I've seen that this series has AOS-CX software. Is the old ArubaOS (the one in ProVision switches) dead? Thanks.
NGFW solution - Palo Alto 400 series vs Fortigate F Series Posted: 30 Nov 2021 04:32 PM PST We are looking for an NGFW solution for all our schools and we've tested out Palo Alto's 450 and 460 models as well as the Fortigate 100F series. What I'm not sure of is if we are comparing apples to apples between the two. The best comparison I could come up with was as follows:
- PA-460 ~ 200F
- PA-450 ~ 100F
- PA-440 ~ 80F
- PA-410 ~ 60F
We tested a 450 and 100F at the same location and tried to make sure all the scanning settings were equivalent on both, and we found the 450 to hit a peak of maybe 40% on the data plane, while the Fortigate seemed to consistently get up to 80% memory usage but the CPU numbers seemed fine. The SE for Palo Alto went through all the performance metrics and couldn't find any reason that this box wouldn't handle the load from this school with room to spare. The SE for Fortinet, however, said that the 100F was at about its limit and we should look at possibly sizing up. The kicker here is pricing for the Fortigates ends up being higher than Palo Alto on a 1, 3 and 5 year term. So assuming my comparisons above are somewhat close, is there any reason we shouldn't choose the Palo Alto 400s for our NGFW solution? Thanks all!
Recommendations for WAN circuit throughput/bandwidth testing Posted: 01 Dec 2021 04:42 AM PST Looking for some recommendations on a small, cheap device to run iPerf to measure/test our WAN circuit bandwidth/throughput/status. We have multiple remote sites connected over 1G circuits and wanted something to test performance from our central location to the remote sites. I've looked into the Pi 4 but have recently read about the Odroid and the performance, speed and cooling being much improved, and that tests have shown near full 1G utilization on the network interface. What we ultimately need:
- Ease of use/setup for non-Linux admins
- Ability to run iPerf (trying to use the full 1G link speed without running multiple streams)
- Possible support of up to 10G network interface
- NO wireless capability (hard requirement), or the ability to disable/remove this feature
Any thoughts on the latest greatest devices of this type that would work for this?
Rack Cable management inspiration needed Posted: 30 Nov 2021 04:42 PM PST Hey chaps, needing some thoughts on this. I have the pleasure to re-arrange this naturally evolved networking rack (and some more) and want to properly re-do it, yet lack experience. I already cut down on anything unnecessary, but now lack inspiration on how to arrange it. My approach would probably be: ISP stuff top, firewall next, patch panels, switches, client stuff. I'd love to get these but I don't think they will fit (8.4 depth, enclosure only has ~10cm to the door); big side verticals obviously won't fit: https://www.fs.com/products/64186.html Any other ideas? P.S. Any ideas how to route cables to the next server rack next to it? It used to be a massive tangled mess lying on the ground, which I cut down to a single cable by installing a switch in the rack itself. Do I just add a conduit to protect it, or are there some kind of top cable trays that I simply haven't seen yet?
Career/Cert Advice Posted: 30 Nov 2021 04:33 PM PST Hey guys, I got my CCNA in 2020 right before the exam change (I took ICND1/2) and have essentially been forced into sysadmin roles since. I recently started a new position (on my 3rd week) and the network admin is retiring next week. His position requires CISSP, CASP+, or CCNP Security in addition to a CCNA. I was told to choose a cert, they would send me to a boot camp and I could fill his role if I wanted. That said, the scope of the environment goes beyond CCNA and I was planning to go for CCNP ENCOR next because I wanted to learn the material. Should I just try to snag the CASP+ to meet the requirements and then study for ENCOR? We do use Cisco, so the CCNP Security would actually be useful information to learn, but I don't think it's something I can just pick up with a boot camp. I'm also very nervous about the scope of work in general with my experience (mainly small L2 networks, some L3 switches and ROAS setups) but also see this as an amazing opportunity to get where I want to go. Just not much time for training and a lot on my plate; also it's a solo role, so I'd mainly be assuming someone else's network and learning on the fly. Any advice would be great, thanks if you took the time to read this.
What do you monitor on devices? Posted: 30 Nov 2021 06:28 AM PST I know this varies by situation and a dozen other things, but I was wondering what are some things you monitor on switches, routers, UPS, WLCs, etc. I know there are more useful items to monitor aside from just up/down status. I've been tasked with completely redesigning our Zabbix monitoring system. In many cases the default templates have been used and all that comes with them. I was wanting to slim this down to what we absolutely need. I appreciate any input, thank you.
Switch supporting 16+ span/mirror instances Posted: 30 Nov 2021 07:25 PM PST Are there any switches out there supporting this? We have a situation where we need to mirror customer internet VLANs in a data center, and each customer internet VLAN must be mirrored to a customer-specific hardware appliance. We need to support at least 16 customers' worth of this, and the in-place QFXes only support 4 mirror/span instances. Our thought is to use a single QFX mirror instance sending customer VLANs x, y, z out over a 20H LAG into some switch that supports "lots" of span instances and then hang the hardware appliances off that switch. Alternatively, we're looking at e.g. Garland Network Packet Brokers.
Best practices for installing large scale wireless connection Posted: 01 Dec 2021 12:51 AM PST Hi there, the company that I work for is facing some issues regarding wireless connectivity; the main problems now are:
- Wireless interference. This is happening because there are many routers in the company, and I think all the WiFi radios are working on the same channel (with different SSID names), so what could be the best practice for this type of issue?
- Network jamming. It's happening because the head office is located near a presidential place, and most probably they have network jammers. I don't know if we can avoid this, but if there are any suggestions, please tell me.
Thanks in advance!
How is this for a preliminary network diagram? Posted: 30 Nov 2021 09:04 AM PST Hi everyone, I am working on a network diagram to bring Wi-Fi to a remote office in the mountains. I am working on a budget, and would like to get this as close to right as possible right from the start. Data usage: 1TB per month, for non-critical remote work, for about fifteen people. Site notes: We plan to use a Starlink as the primary internet connection. There is no fiber or cable access nearby. LTE is only available 200m away on a hill near the upper building; that point has line of sight to a cell tower ten miles away. 25 Mbps over LTE is consistent. Burying conduit will not be a possibility before early summer. Distances: Hill <-200m-> Upper office building <-300m-> Lower office building. Hill: there is AC power here. I will have a Pepwave LTE router here, with an AT&T 100GB/mo data-only SIM. Planning to use a Nanobeam to send data to the upper building. Upper office building: Multi-WAN router connected to Starlink and the Pepwave LTE connection, using Starlink as primary, failing over to LTE if Starlink goes down. One PoE Nanobeam pointing up the hill, another pointing down toward the lower building. Wifi: We have been using Eero Pros but I am open to suggestions. Lower office building: PoE Nanobeam aimed at the upper office. Nanobeam connection plugged into a switch, which is connected to a Wi-Fi setup similar to that of the upper building. Here is the preliminary diagram: https://imgur.com/a/ApzAvvF My main questions:
Any advice much appreciated! Thank you.
Arista MAC Address Issue Posted: 30 Nov 2021 06:08 AM PST Hi all. I've got an issue whereby when I do a "show mac-address table" on an Arista switch connected to a Cisco switch, the MAC which is learned by the Cisco is different from the MAC address on the Arista itself. I have four instances of this. Sometimes it's very similar, but still different, e.g. the MAC learned ends in c9f6, but the MAC showing on the Arista port ends in c9f5. Other times, the MACs are quite different indeed, e.g. the MAC learned ends in 0600, but the MAC showing on the Arista port ends in 05ff. What's more, I can't actually see the "learned" MAC anywhere on the Arista device (i.e., do a "show interfaces" command and grep/ctrl+f for the learned MAC address and no results). Any thoughts?
Getting Public IPv4 Address, (Good idea or ;( ?) Posted: 30 Nov 2021 01:59 PM PST Greetings, I recently joined a mid-size company that has a handful of public IPv4 addresses from two ISPs. I am thinking of getting us IPv4 addresses, as we are planning to move to a new location and I didn't want to get us tied to the ISPs. I wonder how to start the process, and your suggestion on whether I should sweat to get us IPv4 addresses or not. We have a hybrid network with presence in all three public cloud providers, and are planning to go to SD-WAN soon. Thanks,
Dark Fibre (UK) Posted: 30 Nov 2021 12:41 PM PST It's possible we are going to move out of our existing single office into two new locations in a city centre which has Virgin. Duplication of the same services at each new site would be costly. We have a lot of low latency, high bandwidth services. So I was wondering if anyone had any dark fibre experience? (UK or elsewhere very welcome.) Is it as simple as two switches with single mode fibre SFPs, or much, much more complex? I am assuming here be dragons?
MSS Problem Posted: 30 Nov 2021 01:47 PM PST So today I got in a situation like this.
Site 2 Site VPN - Port Forwarding on the Opposite Site WAN IP Posted: 30 Nov 2021 10:55 AM PST I have 2 sites with 2 WAN IPs; at Site A I cannot port forward, and at Site B I can. I set up an OpenVPN tunnel from pfSense running on Site B, and using and My initial idea is if I can make the tunnel network accessible from Site Can someone please help me with any ideas or advice I can use to make this easy to accomplish?
Cisco ISE with FIPS Posted: 30 Nov 2021 12:11 PM PST Anyone implement Cisco ISE with FIPS? FIPS disables PAP. Cisco Catalyst switches use PAP to authenticate with RADIUS using ISE. So after enabling FIPS on ISE and the switches, auth attempts fail and live logs are saying it's because the PAP protocol is not allowed. It doesn't appear that I have the option of changing the auth protocol on the switch side. What am I missing here?
Ping and DNS via Zscaler Posted: 30 Nov 2021 03:57 PM PST Hi there. My team is working on implementing Zscaler ZIA and ZPA across our company. One ZPA limitation that has been most annoying, mostly for our IT teams, is the inability to ping/nslookup a host and get the associated internal IP address. You instead get the IANA special shared address space IP (somewhere within 100.64.0.0/10), even for servers on the network, not just laptops/workstations on Zscaler. It's a minor annoyance, but I'm curious if anyone that has implemented Zscaler has found a way around this or an alternative. Thanks.
Dell OS10 VLT failover Posted: 30 Nov 2021 02:13 PM PST I understand how to set up VLT on Dell OS10; my question is how it handles core routing. For example, I have 2 core switches, call them A and B. Now I want to set up interface vlan1 with IP 192.168.1.1 with failover; how do I accomplish this? If I set switch A with the IP address and it fails, will switch B be able to fail over with VLT? Since VLT differs from stacking, I am wondering if both switches will answer for their partner's respective configs. Or maybe there is a way to set up VLAN interface IP addresses on both switches without conflicts? Thanks.
Users on network pick up non-functional IP from DHCP Posted: 30 Nov 2021 07:50 AM PST Something peculiar is happening to users on my network and I am wondering if anyone here has experienced something similar. They are trying to use WiFi on a /23 subnet and they pick up the .255 IP address, which I believe is the address that broadcast traffic uses. The computer then cannot connect to the internet. For example, the subnet would be 192.168.10.0/23 and the user will pick up the IP 192.168.11.255 and be unable to connect to the internet. Why would this be happening? Can I just create an IP reservation or something on my DHCP server to stop this from happening? For reference I am using UniFi APs, a mixture of Ubiquiti and Cisco switches, and an Ubuntu DHCP server. Thanks!
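A quick way to check a pool definition against its prefix before touching the server, added here as an illustration and not taken from the poster's setup. It uses Python's standard `ipaddress` module; the prefix and pool bounds are made up. The point it demonstrates: in 192.168.10.0/23 the broadcast address is 192.168.11.255 (so a pool ending there hands out one dead lease), while 192.168.10.255 and 192.168.11.0 are ordinary host addresses that are safe to lease even though they look wrong at first glance. The same functions work for any prefix length.

```python
"""Validate a DHCP pool against its prefix.

Added illustration, not the poster's configuration: shows which addresses in a
range must never be leased (network and broadcast addresses) and which merely
look odd in a supernet.  Prefix and pool bounds below are made up.
"""
import ipaddress


def classify(addr: str, prefix: str) -> str:
    """Return 'network', 'broadcast', 'host' or 'outside' for addr relative to prefix."""
    net = ipaddress.ip_network(prefix, strict=True)
    ip = ipaddress.ip_address(addr)
    if ip not in net:
        return "outside"
    if ip == net.network_address:
        return "network"
    if ip == net.broadcast_address:
        return "broadcast"
    return "host"


def check_pool(prefix: str, first: str, last: str) -> dict:
    """Walk a DHCP range and report what must not be leased and what merely looks odd."""
    net = ipaddress.ip_network(prefix, strict=True)
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    result = {"unusable": [], "legal_but_suspicious": [], "valid_last": None}
    for n in range(int(start), int(end) + 1):
        ip = ipaddress.ip_address(n)
        kind = classify(str(ip), prefix)
        if kind != "host":
            # Network address, broadcast address, or outside the prefix: a lease
            # here gives the client an address it cannot use.
            result["unusable"].append(str(ip))
        elif ip.packed[-1] in (0, 255):
            # Legitimate host address in a supernet whose last octet is 0 or 255;
            # valid, but worth knowing about when someone reports it as "broken".
            result["legal_but_suspicious"].append(str(ip))
    # Highest address a pool in this prefix may legitimately end at.
    result["valid_last"] = str(net.broadcast_address - 1)
    return result


if __name__ == "__main__":
    # Constructed example: a /23 whose pool was extended all the way to x.x.11.255
    print(check_pool("192.168.10.0/23", "192.168.10.10", "192.168.11.255"))
```

For the constructed pool above, the only unusable address is 192.168.11.255, and the pool's upper bound should be 192.168.11.254; 192.168.10.255 and 192.168.11.0 are reported as legal but worth a second look, so they can be excluded deliberately if clients on the network misbehave on them.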
Email digest from Enterprise Networking Design, Support, and Discussion.