Rant Wednesday! Networking
- Rant Wednesday!
- Can the path of traffic vary depending on the type of protocol?
- Segmenting some VLANs in a flat network spread across seven buildings, possibly pushing L3 to the distribution layer, speed upgrade... what do you think?
- Passed GIAC GNFA today. Have a practice exam I'm allowed to give away until 3/15.
- Best way to identify security vulnerabilities with Cisco switches and routers.
- Unclear about presentation layer 6 of OSI model
- Restructuring ideas
- switch from LACP-rate slow to fast uninterrupted
- how to create vlan in this configuration
- IPv6 transition tools?
- OSPFv3 PTP with multiple routers on the same interface
- TCLSH script Cisco IOS
- Push Captive Portal after WIFI Association
- HP/Aruba Uplinks tag all VLANS
- Curious! What are you guys seeing real world with SFP28 DAC cables and downlink compatibility?
- MTU size help
- Palo Alto PA-400
- Best way to troubleshoot a network that keeps dropping out?
- Trying to erase voicemail on Meridian m7130 NorCal telephone and set up new voicemail.
- Question with SPLUNK and Cisco devices.
- Need help on using duplicate address space on one network for firewall testing/cutover
- Anyone set up a TACACS proxy?
- Climate Controlled Wall Mount Rack
- Clear hardware alarms on vEdge 100m?
- How to turn off Nexus 3500 in vpc
- Troubleshooting Nexus 3K -> Dell R740XD 10G NIC Connectivity
Posted: 01 Mar 2022 04:00 PM PST It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related. There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves! Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.
Can the path of traffic vary depending on the type of protocol? Posted: 02 Mar 2022 04:46 AM PST So there are a few branch offices and a few data centers. I do simple management on the firewalls in one of the DCs. The user reports he cannot connect to some web server over HTTP/HTTPS. He provides ping and tracert outputs that end at one of the firewalls in the DC. I can see on the FW that the tracert/ping was indeed blocked (by default), but no other traffic (attempts at the connection to the webserver) is visible. So my question is: is it possible that the HTTP traffic takes a different path? Or are the causes here simply on the endpoint machine / some local/ISP settings, and can I reply that this is 100% the case here? Sorry if that doesn't make sense.
Segmenting some VLANs in a flat network spread across seven buildings, possibly pushing L3 to the distribution layer, speed upgrade... what do you think? Posted: 02 Mar 2022 10:24 AM PST Hi all, I have inherited a network spanning several buildings situated close to each other in an urban campus, interconnected with leased dark fiber. Buildings C and G each contain a Layer 3 switch, with these two switches serving as the core - they are set up with identical configurations, use VRRP for HA, have ACLs for inter-VLAN routing, and are connected to each other with a 10G fiber link. They are Dell N4032F switches. In each of the seven buildings, there is a switch with 1G fiber connections to each of the two core switches, with STP ensuring that only one link is active. These switches in each building serve as both distribution and access switches, providing connectivity to one or more downstream switches, to Wi-Fi access points, and to some directly-connected end-user devices. All of these non-core switches are Cisco Catalyst 2960X switches. Here is a diagram. Right now, there are about 7 or 8 VLANs (management, staff, students, guests, printers, VoIP phones, multimedia devices, access control, etc.), all of which are flat /16 subnets. There is no segmentation whatsoever, meaning that broadcast traffic is sent across all forwarding links to all buildings. Obviously, this isn't great from a performance or security perspective, so I'd like to segment the VLANs to which end-user devices (staff, student, and guest VLANs) connect, while keeping a few VLANs set up to reach across the entire physical network in all buildings (management, access control, etc.).
I would also love to take this opportunity to replace spanning-tree with a fully routed setup and also upgrade the distribution-to-core links to 10G, but I'm not sure that the budget is available for replacing our distribution layer and maybe core layer, so I'm trying to consider all my options for:
* Priority 1: Segmenting the end-user networks (staff, students, guest) to isolate broadcast traffic to within the same building (so 'staff - building A', 'staff - building B', etc.), while keeping some campus-wide VLANs (access control, multimedia), and
* Priority 2: If possible, integrating an upgrade to 10G and routed connections (OSPF)
With lots of simplification, I see three options, at three very different price points:
* Option 1: segmentation only, no equipment purchase required
* Option 2: change distribution layer, use OSPF to distribute routes to each building's segmented networks, keep some VLANs that traverse all buildings
* Option 3: change core and distribution layer, use OSPF for the segmented networks, and use VXLAN for the networks that must form one single broadcast domain in multiple locations
I'm still working on finding what kind of budget might be available for this project, but I'm in a tricky position, as my predecessors had not anticipated - at all - the need for updating the network. (Our Wi-Fi access points are from 2014, their support will end next year, and no one had been tracking this or preparing to budget for their replacement until I found out a few months ago...) This is a very interesting topic to me, and it's my first time proposing such an extensive upgrade of our aging network. Having no estimate of what kind of funding would be available is why I'm trying to at least plan a back-up option that will work without replacing existing equipment, even if it will be more management effort down the line. For the options involving OSPF and pushing Layer 3 out to the distribution level, I'm definitely open to equipment suggestions from other brands as well. I know that Juniper and Aruba have models more-or-less aimed at providing equivalent features to Cisco's models. What do you think of the three technical solutions I've listed here? Am I on the right track, or missing some obvious solutions to accomplishing these goals (network segmentation, possibly eliminating spanning-tree, hopefully upgrading to 10G)? Sorry if I've left out any important technical information... and thanks in advance for any thoughts or advice you may have. :)
Passed GIAC GNFA today. Have a practice exam I'm allowed to give away until 3/15. Posted: 01 Mar 2022 06:25 PM PST If anyone has a SANS account and is interested in this cert, please let me know. I realize it's more of a cybersecurity/forensic cert, but if you stare at network traffic all day, it's certainly relevant. Figured I would ask here before another subreddit because I lurk here the most.
Best way to identify security vulnerabilities with Cisco switches and routers. Posted: 02 Mar 2022 01:59 PM PST What's the best way to manage switches and routers to push out firmware and identify security vulnerabilities? I know at one time Cisco recommended APIC-EM, which I think has been replaced by DNA? I'm specifically thinking of older switches and routers that probably don't work with DNA? 2900 series, for example. In particular, what's the best way to identify security vulnerabilities in the IOS? I tried an online tool, the Cisco Active Advisor, but it didn't show any CVE vulnerabilities, just Cisco best practices. Hopefully you can point me in the right direction. Thanks so much. 😊
Unclear about presentation layer 6 of OSI model Posted: 01 Mar 2022 08:31 PM PST Hi, I'm having trouble understanding Layer 6 of the OSI model. I've watched numerous videos and read various articles, and all I have gathered is that the layer makes sure that the info is presented in a format that the device can understand (this is unclear to me) – even if the system is different. Can someone explain this? For example, if I am working with a file format of .foo I can store that on the server or send that via email, and another computer can easily download that file from an email or transfer it from the server to their desktop – but yet have no application that can work with that file. So now the destination device has received/downloaded a file that it CAN NOT understand. I've also read that when a computer gets a file it asks itself, is this a JPEG or MOV or PDF? In that case, it would convert it from binary to whatever type of file it was before it got broken down - this makes sense. The former example is how I am interpreting "makes sure that the info is presented in a format that the device can understand" - which I don't think is the case. The latter example is how I think it makes sense - but this is not what I've come up with from the explanations I've read. PS - I understand the process of windowing in TCP/IP and I know these files get broken down into packets and frames - but I used the word file for simplicity/brevity. Can someone clarify exactly how this process works? Thanks.
Restructuring ideas Posted: 02 Mar 2022 08:16 AM PST Howdy everyone. I'm new to networking. I was a PC technician turning a screwdriver until about a year ago. Now that I understand a little bit more about the infrastructure at my work, I feel like it's time to start trying to implement change. I work for a school district with approx. 35 sites, 20k students, 3000 staff members, and we're growing. Each site has its own IP range. All sites have 4 VLANs: a WAN VLAN on just the main MDF switch of each site, a wireless client VLAN, a wireless management VLAN, and the default VLAN for everything else (phones, cameras, servers, wired connections, etc.). All traffic is routed through our core switch at the main office. Our core switch at the main office has 3 static routes per site, one for each VLAN that isn't the WAN. I feel like this is clunky and needs to be fixed. Is it normal to have over 100 static routes on the main switch of a network this size? I feel like I have to change the default VLAN at each site to not be the same as every other site (they use VLAN 1). Then I need to set up OSPF. But I am having trouble figuring out how that should look. Any insight on how to streamline this mess would be appreciated. I feel like we have too many VLANs district-wide: 70+.
switch from LACP-rate slow to fast uninterrupted Posted: 02 Mar 2022 12:00 PM PST Due to $reasons and $legacy we run our switches and servers with bond (802.3ad) and lacp-rate slow. The legacy systems have been removed (Juniper QFabric ...) and we want to use LACP fast. We'd like to switch during operation and lose as few packets as possible. Our Juniper switches are already configured to handle both rates, so they match whatever the server has configured. I did some tests today with ping, and during the network restart we lose about 5 ping packets. Is there a way to make it an even more seamless transition?
how to create vlan in this configuration Posted: 02 Mar 2022 10:23 AM PST I have a main switch, a managed GS116Ev2, that the main home office is connected to. One port connects to a small satellite building out back. That line in the satellite building connects to a small wireless router that provides Wi-Fi and a small 4-port PoE switch that powers 4 PoE cameras. All of it is riding on my 192.168.1.x network. I'm wanting to put the 4 cameras on their own VLAN, like a 192.168.5.x, and isolate them from the rest of the network. Am I right in thinking that I need to use a managed PoE switch for the cameras? I think I'm not right now, as it's just a stupid Trendnet 5-port PoE switch.
IPv6 transition tools? Posted: 02 Mar 2022 10:13 AM PST I'm doing some research, so if you've got v6 up and running, I'd love to get your comments.
1) What tools did you use to measure your v6 deployment against your v4 to make sure security deployment and policies carried over properly through the transition?
2) Are you using a common ASM vendor (Tenable, Rapid7...) to monitor your deployed v6, or something else? If I just use my known list of v6 IPs, I am concerned that I'll have missed a bunch of hosts due to SLAAC.
OSPFv3 PTP with multiple routers on the same interface Posted: 02 Mar 2022 08:43 AM PST Hello everyone, do you understand that with OSPFv3 an interface configured as PTP only connects to an adjacent device? With OSPFv2, if for example I configure vlan850 as PTP and this VLAN is configured on 4 routers, in the neighbors I see the router ID and the routes of all 4 routers. With OSPFv3 it doesn't happen; do I have to configure a VLAN for each single PTP? Example: vlan10, Router 1 to Router 2. Is it correct, or am I wrong about something?
TCLSH script Cisco IOS Posted: 02 Mar 2022 08:31 AM PST Hey team, does anyone know of a way using tclsh scripting so I can create at least 500 different loopbacks with their own different IP addresses, such as: 10.0.x.1/24, 10.1.x.1/24?
Push Captive Portal after WIFI Association Posted: 02 Mar 2022 01:24 AM PST Hello, I am deploying a captive portal solution with Meraki Wi-Fi. But I have a problem when some devices associate to Wi-Fi: they don't get the captive portal. Last week I was on holiday, and where I stayed there was a Wi-Fi. I tried the Wi-Fi connection, and after association I got a captive portal popup on laptop and phone. So I discovered that it is possible to push a captive portal to open on the customer device. How can I do that, please? Thank you
HP/Aruba Uplinks tag all VLANS Posted: 02 Mar 2022 12:35 AM PST Hello Networking Guys, is there any way to use the HP CLI for ProCurve (5406 series) switches to allow ALL available VLANs on a port? I did not find any possibility to achieve this, only by manually using the syntax conf t (vlan XX): tagged Port1,Port2,Port21-24 etc. As far as I know, Cisco has the ability to specify that all VLANs from 1-4096 are allowed on a port. Thanks
Curious! What are you guys seeing real world with SFP28 DAC cables and downlink compatibility? Posted: 01 Mar 2022 07:19 PM PST Is it mostly seamlessly autonegotiated if only one side is 25Gb and the other 10, switch or vice versa NIC? What if both sides are SFP+ 10Gb? Does NIC vendor seem to matter? Emulex, Broadcom, QLogic, Marvell, Intel, Mellanox? Are you guys ever needing to hard set the speeds? ...to clarify, not talking about SR fiber transceivers here, only DAC. Also, is negotiation to 10Gb typically seamless if using an SFP+ DAC and both devices are SFP28 25Gb? Also chime in if it's different for active/passive, or if you have backwards compatibility experiences with AOC.
MTU size help Posted: 01 Mar 2022 11:08 PM PST Hi guys, currently working on MTU sizes in between switch links. I have set the MTU size on Cisco-to-Cisco links to 9216. I tried to do an extended ping test; however, it's only successful with a value of 8996. Is that normal??? Does that mean that I successfully configured my links? Thanks for any advice :)
Palo Alto PA-400 Posted: 01 Mar 2022 06:25 PM PST Original idea was to purchase PA-3260 or PA-800 firewalls, but the datasheets seem to point to PA-400 as the right decision. Can anybody vouch for the performance of the PA-460 firewalls? On paper the 400s smoke even the 3200s, but we all know those numbers aren't always real-world. It just doesn't feel right replacing a rack-mounted firewall with a desktop device with no HA ports or built-in PSU. 800s and 3200s have more CPU/RAM/hardware (HA ports/SFP), so it seems weird that a lower-end model claims better performance.
Best way to troubleshoot a network that keeps dropping out? Posted: 01 Mar 2022 04:50 AM PST I am using an LTE router (link) for some servers in a semi-remote area in Canada. Our operation is expected to require 500MB of total transmitted and received data per day, though on a recent check we have been doing about 5GB per day. The IT folks who provided the package for us seem quite baffled. A colleague of mine who does similar work in a different area (but also remote) and for a different company (two totally unrelated projects) says he is also experiencing the same issue. The one thing we noticed we had in common is the use of LTE routers from the same manufacturer. Frequently the internet connection also cuts out for several minutes and comes back on, but this happens almost in structured intervals. In connectivity checks, the connection drops appear to be non-random and spaced relatively consistently. The network is hub and spoke, Cisco Catalyst 2950 switches, a /22 network with about 350 devices total. Unfortunately each device is running a proprietary Linux distro which doesn't have much room for additional software, but I may be able to install something on them if required. There are no local machines on site running Windows, so all access to the network has been done via command line and L2TP/IPsec. Any help or a point in the right direction would be appreciated. *EDIT: Here is a link to a chart showing devices going offline and then coming back online: https://i.imgur.com/2GHpniA.png They all take a minute or two to register on the network after their boot cycle once they lose and regain connectivity.
Trying to erase voicemail on Meridian m7130 NorCal telephone and set up new voicemail. Posted: 01 Mar 2022 02:22 PM PST Trying to erase voicemail on Meridian m7130 NorCal telephone and set up new voicemail but not having any luck. Looked up several user manuals and "how to's" but nothing has worked. Anyone have experience with these phones or know of a company that services them? Bay Area, CA. Thanks!
Question with SPLUNK and Cisco devices. Posted: 01 Mar 2022 06:12 AM PST So I'm a network admin and recently got enrolled for a Splunk Fundamentals 2 course through work, along with a handful of other co-workers. I have no background at all with Splunk, but I am starting to see how you can track data, put it into charts, etc. I am trying to understand, as a network admin, the real practical benefit of using Splunk. I get that it has capabilities of tracking clients and all that, but I am talking specifically about network devices. Can anyone weigh in on this, as far as tracking your devices? Like, what is the advantage of Splunk over using something like a regular syslog server for tracking logs, or an advantage of using Splunk over something like Cisco Prime, which tracks your utilization, etc.? Also, a technical question: our current setup has all of our devices forwarding their logs to 2 redundant syslog servers. On one of those syslog servers, we have a Splunk forwarder installed. With that being said, is Splunk still going to be able to interpret each log per device, or is it basically just seeing a bunch of logs coming from one IP (the syslog server)? Should each Cisco device be forwarding directly to the Splunk server?
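One way to check whether per-device attribution survives the relay, as an added example that is not part of the post and is not Splunk or Cisco code: it parses constructed RFC 3164 lines the way a forwarder would read them off the relay and groups them by the HOSTNAME field rather than by the relay's source address. The relay IP 10.10.10.5, the device hostnames and the messages are all constructed; the example assumes the syslog servers relay in RFC 3164 form and keep the originating hostname in the header.

```python
"""Attribute relayed Cisco IOS syslog to the originating device, not the relay.

Constructed scenario (not from the post): every device sends to a syslog server
at 10.10.10.5, which re-emits the lines in RFC 3164 form; the Splunk forwarder on
that server therefore sees one sender IP for everything.
"""
import re
from collections import Counter

RELAY_IP = "10.10.10.5"  # constructed: the syslog server that hosts the forwarder

# Constructed sample lines, as the forwarder would read them from the relay.
RELAYED_LINES = [
    "<189>Mar  2 10:01:07 sw-bldg-a 101: *Mar  2 10:01:07.412: %SYS-5-CONFIG_I: "
    "Configured from console by admin on vty0 (10.20.0.9)",
    "<187>Mar  2 10:01:09 rtr-edge-1 88: *Mar  2 10:01:09.003: %LINK-3-UPDOWN: "
    "Interface GigabitEthernet0/1, changed state to down",
    "<189>Mar  2 10:01:12 sw-bldg-a 102: *Mar  2 10:01:12.950: %SYS-5-CONFIG_I: "
    "Configured from console by admin on vty0 (10.20.0.9)",
    "<190>Mar  2 10:01:15 sw-bldg-b 40: *Mar  2 10:01:15.120: %LINEPROTO-5-UPDOWN: "
    "Line protocol on Interface Vlan10, changed state to up",
]

# RFC 3164 header: <PRI>TIMESTAMP HOSTNAME MSG
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
# Cisco IOS message body: %FACILITY-SEVERITY-MNEMONIC: text
CISCO_MSG = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): ?(?P<text>.*)"
)


def parse_line(raw, sender_ip=RELAY_IP):
    """Return a dict describing one relayed event, or None if it is not parseable."""
    m = HEADER.match(raw)
    if not m:
        return None
    c = CISCO_MSG.search(m["msg"])
    if not c:
        return None
    pri = int(m["pri"])
    return {
        "sender": sender_ip,          # what the forwarder sees: always the relay
        "origin": m["host"],          # what the header preserves: the real device
        "facility": c["facility"],
        "severity": int(c["severity"]),
        "mnemonic": c["mnemonic"],
        "text": c["text"],
        "syslog_facility": pri // 8,  # PRI = facility * 8 + severity
        "syslog_severity": pri % 8,
    }


def events_per_device(lines, key):
    """Count events grouped by 'sender' (relay IP) or by 'origin' (device hostname)."""
    counts = Counter()
    for raw in lines:
        ev = parse_line(raw)
        if ev:
            counts[ev[key]] += 1
    return dict(counts)


def config_changes_by_origin(lines):
    """Configuration-change events (SYS-5-CONFIG_I) per originating device."""
    counts = Counter()
    for raw in lines:
        ev = parse_line(raw)
        if ev and ev["facility"] == "SYS" and ev["mnemonic"] == "CONFIG_I":
            counts[ev["origin"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(events_per_device(RELAYED_LINES, "sender"))  # one bucket: the relay
    print(events_per_device(RELAYED_LINES, "origin"))  # one bucket per device
    print(config_changes_by_origin(RELAYED_LINES))
```

If the relay rewrites the HOSTNAME field to its own name, the origin buckets collapse onto the relay too, which is the condition to test for before deciding between relaying and sending directly.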
Need help on using duplicate address space on one network for firewall testing/cutover Posted: 01 Mar 2022 08:49 AM PST Hello, we're in the process of trying to test out a new firewall and are working through how to test it a very specific way on our production network. If you look at the drawing I linked, you'll see that we have two sites, and the firewall at Site2 is the one we're looking to replace. However, we'd like to install the new firewall at Site1 and use the same address space that is behind Site2's firewall, so that when it's time to do the cutover there will be fewer changes to make. Additionally, installing the new firewall at Site2 in parallel will require us to work with the organization that manages the Site2 router highlighted in red. It is difficult to make changes on that device and we are trying to avoid having to do that. I don't have a lot of experience with VRFs, but all of my initial searches online regarding using the same address space for 2 different areas of a network point me to VRFs. I also realize that it may be easier to just stand up the new firewall in parallel at Site1 using address space that is natively behind Site1's router and firewall, but I'm trying to avoid doing that in an effort to minimize the changes needed at cutover. Additionally, I'd like to avoid VRFs if possible because this testing is being done in parallel to a production network. That being said, would it be so simple to just have an additional VRF on the Site1 router and install connections between the router, new firewall, and core switch shown in the diagram, and then just give it the same address space as Site2? If anyone has a high-level explanation of how one would get this to work, I'd really appreciate it. Additionally, if anyone is aware of any resources online that maybe address how to implement something such as this, that would also be greatly appreciated.
Anyone set up a TACACS proxy? Posted: 01 Mar 2022 03:28 PM PST Throwaway because I don't want to be recognised. I apologise if that's not allowed. I work for a small MSP and I have an ACS server running TACACS. I want to set up a proxy in a customer network, so their routers request TACACS authentication from this server. Do I need a full ACS application to do this on the customer server, or is there a cheap/free TACACS server that will just act as a proxy? I've dug through the docs for the free tac_plus daemon, but it doesn't appear to do this... Would I be better off looking to RADIUS to do this instead? Thanks in advance
Climate Controlled Wall Mount Rack Posted: 01 Mar 2022 08:48 AM PST Anybody have any experience with climate-controlled cabinets? I have a project to extend connectivity to an offsite location that is in an unconditioned space. I can have a mini split installed, or I could install a climate-controlled enclosure. We are looking at three IDFs at this location (multiple unconditioned buildings). One rack would contain the service provider gear, our access switch and a patch panel; the other racks just the access switch and patch panel. We've done mini splits for IDF locations where the existing building HVAC was not sufficient, but not in a location that has no HVAC or insulation, and I have no experience with climate-controlled racks. If you've used one, I'd be interested to know what your experience has been, especially in terms of reliability.
Clear hardware alarms on vEdge 100m? Posted: 01 Mar 2022 08:37 AM PST Hi, we have a bit of an odd situation where we have one of our vEdge routers at one of our spoke sites that has an alert configured for 75C, but it has currently been around 66C for the last 2 hours and the alarm hasn't cleared on the vEdge, and thus Nagios, our monitoring system, is flagging it now, and we all know how the useless higher-ups or service desk managers act when they see anything RED. I would like to avoid a reboot, but at this moment I can't see any other way around it?
How to turn off Nexus 3500 in vpc Posted: 01 Mar 2022 09:46 AM PST How to safely turn off a pair of Nexus 3500 in vPC? I'm not aware of any Cisco command like "shutdown" for the whole switch, so in my opinion I need to unplug the power cable from the secondary, then unplug from the primary, and after that, to bring the whole vPC up safely, plug in the primary box, wait something like 10 seconds and then plug in the secondary. Am I right?
Troubleshooting Nexus 3K -> Dell R740XD 10G NIC Connectivity Posted: 01 Mar 2022 01:21 PM PST Hi, I'm trying to get to the bottom of a connectivity issue I'm having between two Nexus 3Ks and a Dell R740XD with a 10G NIC. The server is running ESXi, if that's of any importance. The server is being moved 20+ meters away from the 2 switches, so the 3m 10G DAC cables that were in use before aren't viable anymore. Swapped them out for some SMF cable with 10G LR SFP+ transceivers from FS. Both the Nexus and iDRAC can see the transceivers when plugged in, and I have confirmed that light is reaching the end of both cables, but I can't for the life of me get the connection to either switch to come up. The Nexuses just show the port as Not Connected, and the iDRAC shows the port as Enabled and Down. The NIC seems to only support 10G, as auto negotiation is disabled and there's no option to enable it or change the speed. Manually setting the speed to 10000 in the port config on the Nexus doesn't have any effect either. I'm getting my hands on some Intel- and Dell-specific SR SFPs tomorrow, but I'm wondering if there are any more networking troubleshooting steps I can take on the Nexuses themselves before I have to take it as an incompatibility on the NIC's end? Thank you EDIT: looks like the Intel optics have worked. Thanks for everyone's suggestions and help!