Rant Wednesday! Networking

---

• Rant Wednesday!
• Any value to standalone IPS appliances anymore (eg. FireEye NX)
• I was reading up on and trying to understand IBN. However, a lot of times I struggle to comprehend bookish language. Please help me out
• How do linux based routers and linux hosts handle multiple gateways and multipath
• S2S VPN between Cisco ASA and Fortigate with overlapping subnet mask
• What to do when sites dont work?
• Unable to backup cisco prime using FTP
• Port-channel/trunk between Aruba WiFi Controler and Aruba Switch
• iBGP instead of VRRP gateways
• No longer able to RDP to devices behind Fortigate from devices behind new Firepower
• Does ASA support GRE w/ IPSec?
• palo alto SD-WAN panorama interfaces
• Cisco ISE and ThousandEyes with Cisco Meraki. Worth it?
• Do I need to have both a Cisco ISR and an ASA?
• MS Teams issue Screen Share freezing ?
• IPS/NGFW for cloud
• VLANs VRFs & Security
• Grandstream WiFi 6 APs - Anyone have feedback or experience?
• Plugging in a desktop faults all PoE ports on switch
• OSPF Design Question
• Analysing Mac /var/log/wifi.log file for reasons why Mac wont connect to 802.1x wifi network
• Structured cabling courses?
• Networking blogs/websites to read?
• Should I be able to see input packets during loopback testing?
• Hard coded speed setting disappeared on 4331
• VRF Route leaking on NX-OS between default & created VRFs.

Rant Wednesday! Posted: 22 Feb 2022 04:00 PM PST It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related. There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves! Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it. submitted by /u/AutoModerator [link] [comments]

Any value to standalone IPS appliances anymore (eg. FireEye NX) Posted: 22 Feb 2022 09:26 PM PST We've had FireEye NX appliances for around 6 years now and they're coming due for a hardware refresh, which will likely be $150k+. We just installed Palo's last year to replace our ASAs and our FireEye block notifications have dropped off a cliff since then. I wasn't around during the initial planning/deployment, but I'm in a position to advise on whether we should move forward with the hardware refresh, or ditch them and just rely on our Palo's + NG-AV. I'm not seeing any value in refreshing them, so I'm curious if anyone else is. submitted by /u/ThisIsAnITAccount [link] [comments]

I was reading up on and trying to understand IBN. However, a lot of times I struggle to comprehend bookish language. Please help me out Posted: 23 Feb 2022 06:21 AM PST I was reading Evolving to Intent Based Networking from This website link. Below I have written the same 5 points in (my own )simple and speaking language. It would be a great help if someone could read what I have linked on "Evolving to Intent Based Networking" and help me point out any irregularities in my understanding and also clear my doubts :) ​ Manual : Data center network devices were manually managed by a group of people called the operations staff. They used CLI and other basic and discrete tools for this. Questions: 1) What is the operations staff managing when we say that they are managing the network devices? 2) What is ment by discrete tools? What kind of basic and discrete tools are they referring to here? Semiautomated : A set of rules were made explaining how the management is going to be done . This small modification was done in the old infrastructure which provided the network some basic automation, visibility into network data and alerts that enable reaction to network events. Questions: 3) On the website link, they have written "scripts and rules-based management…". What is "rules-based management"? Are these rules a piece of code that the network understands and follows? 4) Why do we need "visibility into network data"? 5) "Alerts that enable reaction to network events" : What kind of network events are we talking about? Software-defined Data center : A software abstraction of the network infrastructure enables faster, secure deployment of services and applications. Questions : 6) What is meant by "software abstraction" ? 7) They mention "deployment of services" - I am unable to get some intuition regarding this, what kind of services get deployed on a network? 8) Does software defined data center have much to do with SDN (software defined networks) ? 9) What exactly is a SDN? How is it different from IBN? Automation-centric data center: Builds upon the software-defined data center by automating provisioning, configuration, deployment, and orchestration. Questions: 10) What is meant by the term orchestration? Intent-based data center: All the necessary data is constantly collected from the network that will help automate the actions required to achieve the user's intent. submitted by /u/rocksnotstars [link] [comments]

How do linux based routers and linux hosts handle multiple gateways and multipath Posted: 22 Feb 2022 06:13 PM PST I have two networks that each have two VRRP pairs and are connected via an OSPF network. I have struggled with getting both to work in a fully converged network, as connections between the host networks behind each pair intermittently fails to connect. Each host sees two gateways received from router advertisement with high route preference, and VRRP pair A connect via a single broadcast domain to VRRP pair B which serve a remote host that also sees two gateways with a high route preference. Unless I turn off link local addresses on the backup routers and disable ospf so traffic only flows between two of the four routers, connectivity between remote hosts between each network, or even among vlans fails via IPv6. IPv4 does not have an issue because hosts use the VRRP virtual IP which is similar to this test configuration. I know I'm missing something that should be configured on the hosts, or within the routers so everything in IPv6 can route multipath between each router independent of VRRP (which is really used for public address failover which isn't a factor here. Some details: zone based firewall is used on all 4 routers between all network zones Ping and TCP connections are effected All traffic in this example scenario is in the same "ADMIN" zone, including the OSPF router network and host networks Layer4 hashing is enabled on all 4 routers Turning this off does not improve performance All hosts use ipv6 autoconf from router advertisements, setting static IPv6 gateways and using a VRRP virtual IP on hosts is not preferred MASTER VRRP router and BACKUP VRRP router have ipv6 RA default preference set to HIGH and are both listed as equal in hosts' "ip -6 route" output setting the BACKUP VRRP router to low default preference does not improve even when "ip -6 route" MASTER is high and BACKUP is low *conntrac-sync is configured using the VRRP sync group, I'm not entirely sure this is working. IPv4 connectivity is not an issue because it has to use VRRP virtual IP's on each router. IPv6 ping from any router directly to a remote host is sucessful, only host to host connectivity is effected. both router pairs have an OSPF connection in area 0 with a cost of 1 between eachother, and connect to the routing switched network in area 0 with a cost of 100. Setting the cost to 1000 for the BACKUP router's link to the routing network does not improve, the master router still sees an equal cost path between both the BACKUP and MASTER routers of the other network. Currently on Vyos nightly 20220218 build on all 4 routers, however I've had this issue for about 6 months on different builds. submitted by /u/ACiDGRiM [link] [comments]

S2S VPN between Cisco ASA and Fortigate with overlapping subnet mask Posted: 23 Feb 2022 03:25 AM PST Hello, I have questions regarding the following scenario. There is a established VPN S2S connection between a ASA and a Fortigate: 172.17.0.0/16 - Cisco ASA - Internet - Fortigate - 192.168.10.0/24 Due to some organizational changes we now need to provide them a /24 network from our 172.17.0.0/16 network. Hence the design will looks like this in the future: 172.17.0.0/16 - Cisco ASA - Internet - Fortigate - 192.168.10.0/24 + 172.17.199.0/24 We already did this with Cisco ASAs on both side but we don't know if a Fortigate can handle this "conflicting" crypto maps. Will a Fortigate accept and understand this config setup? submitted by /u/ProxyOps [link] [comments]

What to do when sites dont work? Posted: 23 Feb 2022 09:13 AM PST We have a bit of a chicken and egg situation here. at our main site we use comcast business as our main egress for internet bound traffic. we also have a Lumen DIA with static ips on the same ASA stack, using PBRs to direct dmz traffic. ​ occasionally we get a ticket for a site that just cant be reached from the comcast line....it seems very arbitrary what sites and when. my coworker has been going into the asa stack and flipping the default route to just send all traffic out the LUMEN dia. Which actually has more bandwidth, but has the issue of its static range of IPs being geolocated in Brazil(we're in the boston area). We've been looking for weeks but cant figure out which geolocation db has the wrong information. Most have it in florida, which at least is US....but occasionally some sites will serve us a page in portugese.... we've sent out emails to these sites asking them which DB they use....but havent gotten any responses. Coworker opened a ticket with Lumen and they replied with "not our problem" So he's basically switching the default routes on the ASA stack daily based on user complaints. Comcast is no help because they wont escalate the issue. And the geolocation sites are no help because we cant figure out exactly which DB provider has the bad data. We dont wanna give up these statics because we've been using them for years and have VPNs terminated on them and applications and clients depending on them. Looking for advice. submitted by /u/sendep7 [link] [comments]

Unable to backup cisco prime using FTP Posted: 23 Feb 2022 08:17 AM PST I'm using filezilla. I created an FTP repository on Prime and in the location, I weote the IP address of my PC and used the username and password that I created on Filezilla. I can't get it to work. I keep getting an error everytime. Could someone share the steps that I should do on Prime and Filezilla or any other FTP? submitted by /u/Som3a92 [link] [comments]

Port-channel/trunk between Aruba WiFi Controler and Aruba Switch Posted: 23 Feb 2022 07:31 AM PST We used to have a LAGG between our two Aruba controler 7210 and our two HP A5120 (one of each in each room) In one room, we ditched the HP for an stack of two Aruba 2930M but I can't manage to join the 7210 in this room since the new setup. I can't find specific info for this use case. Actual conf on the 7210 for the port-channel: interface port-channel 0 add gigabitethernet 0/0/1 add gigabitethernet 0/0/0 trusted trusted vlan 1-4094 switchport mode trunk switchport access vlan 63 switchport trunk native vlan 255 switchport trunk allowed vlan 1-4094 ! interface gigabitethernet 0/0/0 description "GE0/0/0" trusted trusted vlan 1-4094 switchport mode trunk switchport access vlan 255 switchport trunk native vlan 255 ! interface gigabitethernet 0/0/1 description "GE0/0/1" trusted trusted vlan 1-4094 switchport mode trunk switchport trunk native vlan 255 ! ​ Actual config on the 2930M for the trunk link: trunk 1/10,2/10 trk2 lacp vlan 255 name "Management" tagged Trk2 exit I also tried trunk 1/10,2/10 trk2 trunk without success Old working conf for the HP A5120: # interface Bridge-Aggregation2 description ### Vers WLC 2 ### port link-type trunk port trunk permit vlan all port trunk pvid vlan 255 # interface GigabitEthernet1/0/21 description ### Vers WLC 2 ### port link-type trunk port trunk permit vlan all port trunk pvid vlan 255 port link-aggregation group 2 # interface GigabitEthernet1/0/22 description ### Vers WLC 2 ### port link-type trunk port trunk permit vlan all port trunk pvid vlan 255 port link-aggregation group 2 # ​ The link is up on the 2930M but I can't ping the interface on VLAN 255. Status and Counters - Port Status Port Type | Alert Enabled Status Mode Mode Ctrl Limit 1/10-Trk2 100/1000T | No Yes Up 1000FDx MDIX off 0 2/10-Trk2 100/1000T | No Yes Up 1000FDx MDI off 0 ​ Is this even possible without changing the Aruba 7120 configuration? submitted by /u/Nyutag_arch [link] [comments]

iBGP instead of VRRP gateways Posted: 23 Feb 2022 06:41 AM PST Sorry if this is a really stupid question, but I thought I would ask to at least learn something. We host clients in our datacenter, each client gets a /29 portion of our /24 prefixes. We currently use VRRP on several virtual interfaces on the routers that act as the gateway for the tenants firewalls. With 2 routers in VRRP, 3 of the usable IPs in the /29 are consumed. The firewall VMs we have for the tenants have the ability to use BGP. My thought was, what if the tenants firewalls were added to our iBGP each with their own /29 prefix being advertised. Is this possible? Would a gateway actually need to be set on the tenant firewalls if they were part of the iBGP? Am I crazy? ​ Thanks! submitted by /u/greasyveggie [link] [comments]

No longer able to RDP to devices behind Fortigate from devices behind new Firepower Posted: 22 Feb 2022 12:58 PM PST Recently installed a new Firepower (running FTD, managed by FDM) to replace our Meraki. We also have a Fortigate that manages several subnets that are used by machines/VM's behind the Fortigate. The topology goes like this: My PC > Switch > Firepower 1120 gi 1/2 > (same switch) Switch > Fortigate > VMs/Machines. I am able to ping those subnets behind that Fortigate but I cannot RDP to them. I have ACL's to connect the subnets and allow any any ports. A Wireshark of an attempted RDP shows the initial connection is allowed (SYN, SYN-ACK) but then I get a RST, I am assuming from the Firepower for trying to get to 3389. My ACLs to allow the LAN's to talk: SOURCE: Zone: Inside || Networks: my subnet || Ports: Any DESTINATION: Zone: inside || Networks: machines/VMs || Ports: Any And another one going the other way. ​ The machines behind the Fortigate have also seem to have loss access to the internet. I created a NAT for them to reach the outside gateway but that didn't change anything. NAT rule to get machine/VM subnet out to the internet: Original Packet: Src Interface: inside 1/2 || Src address: VM/machines subnets || Src Port: any || Dest Address: IP address of Firepower || Dest Port: Any Translated Packet: Dest Interface: outside 1/1 || Src address: VM/machines subnets || Src Port: any || Dest Address: IP address of Firepower || Dest Port: Any submitted by /u/franman409er [link] [comments]

Does ASA support GRE w/ IPSec? Posted: 23 Feb 2022 06:17 AM PST I am currently moving about 10ish GRE w/ IPSec VPNs over from our IOS VPN Router to our ASA Pair managed by FMC in our DC. The current state is of the VPN topology is IOS Router connected to IOS Router via GRE w/ IPSec, and the Future state is to be IOS VPN Router (REMOTE) connected to ASA via VPN. My question is, does the ASA platform support GRE w/ IPSec terminations, or will I have to migrate to using IPSec S2S VPNs using Crypto maps? I did some prior research, and it mentioned that ASA does not support GRE, but I just wanted to confirm here double. I am pretty green to the ASA platform so let me know if more details are needed. Thanks again. submitted by /u/BlueberryThick [link] [comments]

palo alto SD-WAN panorama interfaces Posted: 23 Feb 2022 02:07 AM PST hey guys hello, while configuring SD-WAN on panorama interfaces must be added (slot, interface, ip...) i want to know are the interfaces created in panorama the same as the physical interfaces in the firewalls ? and should i use the same IPs when creating them as the same physical interfaces ? in other words will the interfaces created in panorama override the physical interfaces in the FWs or they are virtual interfaces pushed to the firewall? submitted by /u/H_a_M_z_I_x [link] [comments]

Cisco ISE and ThousandEyes with Cisco Meraki. Worth it? Posted: 23 Feb 2022 12:57 AM PST Hi, So curently we are deploying Cisco Meraki to all our locations. Our biggest location is running on 15 or so switches and it just an office environment. No real server hosting as we have that at a hosting provider.   We are currently focusing on Securty and have been recommended Cisco ISE which we will most likely start implementing on sites where everything has been replaced with Cisco Meraki.   We have also been recommended ThousandEyes. Does anyone have experience with it? Is it worth it and how to it work with Cisco Meraki? In order to support Cisco ISE we are told we need at least MS2xx series switches. So far we have had deployed around 15 MS120 switches total over a few locations. These are being replaced with MS210 switches instead.   submitted by /u/gahd95 [link] [comments]

Do I need to have both a Cisco ISR and an ASA? Posted: 22 Feb 2022 10:25 PM PST We have a client that we have been supporting for several years and I have been the onsite person there for a few years now. A lot of the infrastructure there was already in place when I got there and we are looking to upgrade these devices but I do not know exactly what I should upgrade or what I should just take out of the equation altogether. ​ Our set up is a Metro Ethernet connection and we have a Cisco ISR and a Cisco ASA in one location. There is a point to point to a secondary location across the street that is connected by fiber through the ISP hardware. The satellite offices just come off the ISP hardware and goes straight into a switch. The main location goes from the Edge device to the Cisco ISR and then to the ASA. ​ I don't understand why we would need both a router and the ASA. I was under the impression that the ASA would be able to route everything we have. The phones go from the ISP PRI device to their Edge hardware as well. ​ Any help with this would be greatly appreciated. submitted by /u/NotBoyfriendMaterial [link] [comments]

MS Teams issue Screen Share freezing ? Posted: 23 Feb 2022 02:46 AM PST Hi Guys, Just wanted to get your thoughts on the MS Teams Freezing issue when screen sharing. The problem arose recently, but the good part is that audio and video are working fine, so it appears that the problem is limited to the screen share. Teams freeze regardless of the number of people who attend the meeting, according to the statement. From a network standpoint, there appears to be no problem, and everything appears to be normal except for this screen share. We switched to a different ISP provider, but the problem still exists, according to them. As a result, both ISPs are experiencing the same issue. but kinda hard to prove that this is ISP issue. Here's the port number used by MS team. audio 50,000–50,019 TCP/UDP video 50,020–50,039 TCP/UDP application/Screen Sharing 50,040–50,059 TCP/UDP ​ Is there anything else that needs to be checked after that? Particularly on the network side, to prove that there is no problem within the internal network. Will take the following action. Monitor the laptop availability / reachability. (advise to use wired). Monitor Laptop performance (available in windows 10). Install a wireshark capture and monitor the MSteams ports. On access,switches, routers.. check if there's any smoking gun. Thinking to request a new laptop with newly installed OS and MS teams application.. ​ Thank you submitted by /u/1searching [link] [comments]

IPS/NGFW for cloud Posted: 23 Feb 2022 02:03 AM PST My company is looking for a non-cloud IPS/NGFW to safeguard our own cloud (which is available to the public). We're quite large (5k-10k employees) and I was curious to see which solutions are considered to be good value for money. From what I've seen PaloAlto, FortiGate and TippingPoint seem to be universally praised and from what we've looked into so far, SonicWall, Juniper ATP and Hillstone seem reasonable as well. One important note is that we care about what and how large files it supports and what protocols can it look into. submitted by /u/DoomMakerPL [link] [comments]

VLANs VRFs & Security Posted: 22 Feb 2022 06:23 AM PST To give a little context, I support a multi-site isolated secure environment (no internet) while I do share some facilities with general business (internet, email, cloud, etc). I initially used just routers, VLANs and Firewalls to create the network segmentation. I have been moving to full physical separation, separate switches, VRFs for networks, firewalls, storage, virtualization, etc. There are a couple of areas that I have not been able to achieve full physical separation, my private WAN, which I intend to use a combination of SD-WAN and IPSec to create tunnels. I feel like that I am on a good path. There is one area that I feel that the full physical separation is excessive, and wanted to get feedback. General business has created 1 network for video surveillance & security devices that appears secure in that it doesn't have internet and streams video to a capture server which also does not have access to the internet. These cameras often overlook my processes and are in the same physical area. Why isn't VLAN separation with a VRF valid security? I have a network engineer who says it is secure. I talked to another person who says "script kiddies" can jump VLANs easily (I would like to see and understand one of these scripts) The company has a cyber consultant who just flat says, no combined hardware. In one location, I have a point to point multi-link wireless network (AES encryption (not wifi)) which supports only my secure traffic and the secure video traffic on separate VLANs. My contention has been that both are secure networks, separated by a VRF, my network is not at risk. So there has been a task generated to build a new wireless network just for video. It feels like a lot of excessive cost and effort for a very low risk situation (I am not saying no risk), when there are many bigger security holes to attack. A. If it is Ok to use IPsec on my WAN, why isn't OK to use IPSec here? I have seen small DIN rail mount firewalls that could easily provide this security or maybe even my existing routers and switches. I would like comments on any part of this, but in particular my item #1 and any misguided thoughts that I may have. G submitted by /u/GB-ACWD [link] [comments]

Grandstream WiFi 6 APs - Anyone have feedback or experience? Posted: 22 Feb 2022 01:22 PM PST I am trying to understand if these APs are a viable option as an Ubiquiti alternative (since WiFi 6 supply issues are impacting availability) http://www.grandstream.com/products/networking-solutions/wifi-access-points submitted by /u/doublecowboy [link] [comments]

Plugging in a desktop faults all PoE ports on switch Posted: 22 Feb 2022 02:50 PM PST K-12 environment, we purchased a couple of labs of new HP Omen 30L desktop computers for media/gaming uses. Strangest thing, as soon as we plug one into our switch all PoE ports on the switch go into "overload state". The switch models are Brocade ICX 7450-48P switches. Disabling PoE on the port the desktop is plugged into doesn't help anything either and this occurs before the desktop is even turned on so long as it has power plugged in. Curious to see if anyone has seen anything like this before and has any ideas. Thanks! submitted by /u/puddingmonkey [link] [comments]

OSPF Design Question Posted: 22 Feb 2022 07:22 AM PST Our current OSPF topology looks like this: https://imgur.com/jiYZshf We are adding VPN connections from R2 and R3 back to R1 (our HQ). Will look like this. My question is, should those tunnel interfaces be in area 0 or a new area? My plan was to put them in area 0. submitted by /u/Excellent-Will3373 [link] [comments]

Analysing Mac /var/log/wifi.log file for reasons why Mac wont connect to 802.1x wifi network Posted: 22 Feb 2022 03:02 AM PST Hi are there any tools that will analyse the logs on a Mac to shed light on why it wont connect to a 802.1x authed wifi network? Had a user upgrade his M1 pro to 12.0 , and also recently changed his password on the domain, he came into the office today (we're still predominantly wfh) and couldnt connect, we use Cisco ISE to authenticate requests and ensure the user gets the right role. ISE logs just show; Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication. in the past on windows laptops updating the driver usually fixed the issue. any ideaS? submitted by /u/nbs-of-74 [link] [comments]

Structured cabling courses? Posted: 22 Feb 2022 06:12 AM PST I've been cabling for a few years on my own and would love to take a course so that I can be sure I'm utilizing best practices and perfect my craft. What are some of the designations or courses I should be looking at to achieve this? Is a local community college good enough or is there a 'gold standard' in the industry? Thanks! submitted by /u/Squiggy_Pusterdump [link] [comments]

Networking blogs/websites to read? Posted: 22 Feb 2022 01:32 PM PST At start, I hope this doesn't fall under rule of not advertising any sources. Anyways, I'm interested what other Network Engineers at this subreddit browse, in terms of networking technology? Your daily/weekly press, as a whole, news from different sources & places, not focusing on single vendor, taking account "old" established services/protocols, as well as trending topics. Myself, I've never been able to find any site where I'd be always welcomed by some interesting articles on same level with some hardcore technical stuff for nerds only. I also, don't want to follow on people who delivers courses to different exam topics - these people, although respectable, often prefer to focus on track of what they're selling. What's your daily "newspaper" for networking technology, gents? I'm based in Europe, so anything closer to this region would be a bonus, but as always, this is to broad topic to limit ourselves. submitted by /u/qajteq [link] [comments]

Should I be able to see input packets during loopback testing? Posted: 22 Feb 2022 01:05 PM PST Hello reddit, I am pretty new to layer 1 troubleshooting and I would like some clarification from the more experienced folks here. We are troubleshooting a cross connect because the provider is reporting input errors on their side (while our interface looks good). DC technician is saying that there is a hard loop facing our device at the MMR. Should I be seeing input packets on this interface? My understanding of loopback testing is that whatever packets/frames we send out travels over the medium until it hits the loopback and returns over the tx. I am not seeing any input packets so I am not sure if the tech correctly installed the loopback facing us. This is over a span of about 10 minutes Interface: et-6/0/0, Enabled, Link is Up Encapsulation: Ethernet, Speed: 100000mbps Traffic statistics: Current delta Input bytes: 0 (0 bps) [0] Output bytes: 40402944 (1016 bps) [84480] Input packets: 0 (0 pps) [0] Output packets: 315648 (0 pps) [660] Error statistics: Input errors: 0 [0] Input drops: 0 [0] Input framing errors: 0 [0] Policed discards: 0 [0] L3 incompletes: 0 [0] L2 channel errors: 0 [0] L2 mismatch timeouts: 0 [0] Carrier transitions: 0 [0] Output errors: 0 [0] Output drops: 0 [0] Aged packets: 0 [0] Active alarms : None Active defects: None Input MAC/Filter statistics: Unicast packets 0 [0] Broadcast packets 0 [0] Multicast packets 0 [0] Oversized frames 0 [0] Packet reject count 0 [0] DA rejects 0 [0] SA rejects 0 [0] Output MAC/Filter Statistics: Unicast packets 0 [0] Broadcast packets 0 [0] Multicast packets 315648 [660] Packet pad count 0 [0] Packet error count 0 [0] Please feel free to provide any troubleshooting tips as well here. I mostly work with BGP and routing issues and I would love to learn more about troubleshooting layer 1 issues. Thank you. edit: It ended up being that it was already normalized. Thank you for the helpful hints! submitted by /u/dydska [link] [comments]

Hard coded speed setting disappeared on 4331 Posted: 22 Feb 2022 11:44 AM PST I had a weird thing happen on a 4331 and I'm wondering if anyone else has seen this. Had a site go down and ended up replacing the router. When I got the bad router back I found that the WAN interface had mysteriously lost the hard coded speed setting. No idea what happened. It was there 2 weeks ago and now it's gone. Now, a few days later the site is down again and I'm wondering if this problem happened on the new router too. The vendor sees their handoff port down. They tried hard coding 10m, 100m, and set to auto negotiate but nothing helped. I'm probably going to end up replacing the router again and the cable too for good measure. Here's what the configuration looked like on my last backup 2 weeks ago. The only thing missing is the speed 100 command. Any help is appreciated. Interface GigabitEthernet0/0/0 Bandwidth 10000 No ip address Speed 100 No negotiation auto No cdp enable ! Interface GigabitEthernet0/0/0.1111 Bandwidth 10000 Encapsulation dot1q 1111 Ip address 10.10.10.10 255.255.255.248 No cdp enable submitted by /u/EndIess_Mike [link] [comments]

VRF Route leaking on NX-OS between default & created VRFs. Posted: 22 Feb 2022 10:04 AM PST I think I'm close to a solution on a design challenge / project I'm working on but am stuck on one last piece. The customer has a large "metro area" network with a pair of Nexus 7000s as the core. We're working with them to segment the network in to multiple VRFs for additional security - no reason for some classes of sites to be able to talk to each other. My thought was that in order to ease transition we can start creating VRFs for each class of sites, move their networks in to that VRF, and leak routes back and forth between the default VRF as needed. Eventually we'll pull all the sites out of the default VRF, so the default VRF will just contain their servers & Internet connection. I've run through the Cisco guide here and am seeing my test "server" VRF in my "Example Site" VRF, so leaking from default -> site via BGP seems to be working fine. However, I'm hung up on how to get the return route from my "Example Site" back in to the default VRF. Reading the Nexus 9000 unicast routing guide (since that's what I'm doing our proof-of-concept on) it states that route leaking to the default VRF is not allowed because it is the global VRF, so what do you do in this case? In this environment, they're currently using EIGRP between the cores & remote sites, FWIW. The server VLANs are all 'local' to the N7K's, and there's a static default route out to the Internet. TIA for any guidance here, first time doing all of this from scratch. EDIT (and a note to myself): If I do a 'show bgp ipv4 unicast vrf all' I don't see the routes that should be in my "Example Site" VRF via EIGRP / connected routes showing back up in BGP. My issue might be redistribution on that end. submitted by /u/UserReeducationTool [link] [comments]

You are subscribed to email updates from Enterprise Networking Design, Support, and Discussion. To stop receiving these emails, you may unsubscribe now.	Email delivery powered by Google
Google, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States