9
Stickied postModerator of r/networking

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts

Feel free to submit your blog post, along with a nice description, to this thread.

9
4 comments
11
Stickied postModerator of r/networking

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts

Feel free to submit your blog post, along with a nice description, to this thread.

11
8 comments
103

"R-E-S-P-E-C-T. Find out what it means to me. R-E-S-P-E-C-T. TCP/IP. Socket to me, socket to me, socket to me..."

103
8 comments
25

Sorry, lots of stuff in the pic but it's a complicated question I think...

In short, how to avoid asymmetric routing on firewalls: https://i.snag.gy/chzf04.jpg

We have two ISPs connected to our network in two cities separated by a few hundred kilometers. 1Gbps, full BGP table each. We have two /24s we can advertise (those are documentation blocks, IRL we have larger blocks we can split). Some of our servers are on public IPs, some on private (we have private peerings with private IP addresses to some of our customers).

Currently we have single homed internet connectivity, and we'd like to make it dual-homed. However routing traffic back via the right firewall cluster seems to be the problem here. We wouldn't like to have asymmetric routing. We have 2 firewalls in each city towards ISPs, making it 2 fw clusters.

Simple solution here is to NAT everything coming to firewall 1 to a source IP from 198.51.100.0/24 block so the return traffic would get to the right firewall. And everything coming to firewall 2 would get NAT'd to something from 203.0.113.0/24. In that way no matter what link/fw is broken, there wouldn't be asymmetric routing as that block would only be originated from a single firewall. And towards ISPs, we could AS prepend the networks so that 198 would be preferred via ISP1 and 203 via ISP2.

Routers on the right would have to somehow decide which default route to use, or we could just leave it for the OSPF/BGP to decide... though as it's only a VRF called "core" between those, all the routers on the left are 1 hop away so every router on the right would choose the same router for the default route.

Not sure if this would be a problem at all, but it would be nice to have networks in the south to use the ISP in the south :)

Without the NAT hack how would we achieve this? I'm thinking of using communities, and on the right hand side routers tagging every route with either "prefer ISP1" or "prefer ISP2" depending on the location and then left hand side routers/firewalls doing local pref tuning based on communities. Our firewalls talk BGP.

OK it wasn't short but hopefully there are people who don't have anything better to do on friday evenings :)

25
29 comments
14

Where to NAT? Where to run BGP? Check out our latest tutorial presenting the dual ISP with BGP - NAT Configuration.

14
comment
2

Hello,

Yesterday I set up a new dark fiber (9.8km) and enabled the first optics (Fibre Store CWDM-SFP10G-20SP, 1330nm, 20km), which was recommended by Fibre Store support based on the attenuation information I sent them about both fibers, which was given to me by the ISP.

The connection worked immediately when I put the optic into the switch, no errors nothing. Tonight, link flapping started. Now the link went offline.

  • On switch A:

display transceiver diagnosis interface gives:

transceiver diagnostic information:
  Current diagnostic parameters:
  Temp.(°C) Voltage(V) Bias(mA) RX power(dBm) TX power(dBm)
  35 3.24 33.21 -19.71 1.11
  Alarm thresholds:
  Temp.(°C) Voltage(V) Bias(mA) RX power(dBm) TX power(dBm)
  High 90 3.80 100.00 0.00 6.00
  Low -5 2.70 0.00 -16.99 -7.00

There are some errors on this interface:

 Peak input rate: 204 bytes/sec, at 2018-08-17 17:10:41
 Peak output rate: 376 bytes/sec, at 2018-08-17 21:09:05
 Last 300 second input: 0 packets/sec 0 bytes/sec -%
 Last 300 second output: 0 packets/sec 0 bytes/sec -%
 Input (total): 68540 packets, 6552135 bytes
  41 unicasts, 104 broadcasts, 68284 multicasts, 0 pauses
 Input (normal): 68429 packets, - bytes
  41 unicasts, 104 broadcasts, 68284 multicasts, 0 pauses
 Input: 106 input errors, 0 runts, 0 giants, 0 throttles
  104 CRC, 0 frame, - overruns, 2 aborts
  - ignored, - parity errors
 Output (total): 124626 packets, 10398046 bytes
  50 unicasts, 1426 broadcasts, 123150 multicasts, 0 pauses
 Output (normal): 124626 packets, - bytes
  50 unicasts, 1426 broadcasts, 123150 multicasts, 0 pauses
 Output: 0 output errors, - underruns, - buffer failures
  0 aborts, 0 deferred, 0 collisions, 0 late collisions
  0 lost carrier, - no carrier

  • On switch B:

display transceiver diagnosis interface gives:

transceiver diagnostic information:
  Current diagnostic parameters:
  Temp.(°C) Voltage(V) Bias(mA) RX power(dBm) TX power(dBm)
  56 3.20 43.38 -11.59 1.02

No errors on the interface on switch B:

 Peak value of input: 242 bytes/sec, at 2018-08-17 20:13:48
 Peak value of output: 440 bytes/sec, at 2018-08-18 03:23:23
 Last 300 seconds input: 0 packets/sec 0 bytes/sec -%
 Last 300 seconds output: 0 packets/sec 4 bytes/sec -%
 Input (total): 68628 packets, 5831800 bytes
  32 unicasts, 767 broadcasts, 67829 multicasts, 0 pauses
 Input (normal): 68628 packets, - bytes
  32 unicasts, 767 broadcasts, 67829 multicasts, 0 pauses
 Input: 0 input errors, 0 runts, 0 giants, 0 throttles
  0 CRC, 0 frame, - overruns, 0 aborts
  - ignored, - parity errors
 Output (total): 50717 packets, 6105567 bytes
  28 unicasts, 810 broadcasts, 49879 multicasts, 0 pauses
 Output (normal): 50717 packets, - bytes
  28 unicasts, 810 broadcasts, 49879 multicasts, 0 pauses
 Output: 0 output errors, - underruns, - buffer failures
  0 aborts, 0 deferred, 0 collisions, 0 late collisions
  0 lost carrier, - no carrier

So, what would you recommend:

a) Put in optics with more "power" on one site?

b) Change the passive multiplexer for one with less insertion loss. Vendor Pan Dacom says for its "SPEED-CWDM-81E" (MUX + DEMUX) the max is 3,85 dB. What passive multiplexer would you recommend?

For a) I would need optics with higher costs for all channels. So I'll try b). What is your opinion?

Update: I am asking myself whether that single optic from FS is actually bad...

2
3 comments
2

When peering via ebgp sessions is it a requirement to set local-as either via the routing-instance config or the routing-instance bgp group config?

I've been having issues when dual homing back to customers from the MPLS we host: PEs were not seeing each other's routes if I configured a local-as. Upon checking the logs it showed the routes were not present due to an AS loop. Fair enough, I thought.

I then labbed it up and removed the local-as config, meaning the peers were using our global AS number within the BGP session. This caused the AS loop prevention not to kick in, and both PEs were able to see each other's routes.

It seems the local-as specified gets appended to the AS-path but the global does not.

I’ve read plenty of mpls setup guides and none state to use a local-as within the specific routing-instance bgp settings, but for some reason that is what my company has historically been doing.

Should I be using a local-as per routing-instance, or is it unnecessary, as I'm beginning to suspect?

2
comment
62

There are many options for Console servers. Curious what you all are using?

We deploy OpenGear for the most part. What else is popular?

62
99 comments
1

I’m in the middle of a project to push all remote site internet traffic through a Palo Alto HA cluster in our DC instead of having direct internet breakout.

At present I have completed one site of about 50 users, and by the end of the project there will be roughly 200 users internet traffic going through it.

They are currently being NATed with the public IP address on the internet interface of the Palo Alto.

At what number of users would it be recommended or necessary to start using a nat pool instead of a single IP?

Is there a volume of source IPs when it’s required to move to nat pool rather than interface nat ?

1
3 comments
2

I am planning on getting a firewall for my home network as I don't have one currently. I am considering a Palo Alto unit but I am unsure as to what model to get and the differences between them. I was looking to get a rack mountable one used off of eBay or the like. I am mainly seeing model 2020s, 2050s, 200s and 500s.

2
11 comments
1

Will that work? Aren’t the DB9 / RS232 exactly the same? Because it looks like that, and they need to connect in each other?

1
6 comments
0

Hi guys, quick question: is it possible for me to make any set of routers into a mesh network? I don't know if there are multiple meanings to a mesh network, but I am looking to join all of my routers into one SSID, where a device will be shifted to the router with the strongest connection automatically. I know ASUS has a feature called AiMesh for some of their routers (which is why I have a feeling it could be possible for all routers since it is software). The only requirement for this to work should be tri-band routers. That is, one antenna for 5GHz, another for 2.4GHz, and another (5GHz I think) for communicating with the other routers with the SSID thing I was talking about. I have three routers from three different companies, and all of them are tri-band. Is this possible, and if so, any way that I can do it? Thanks!

0
3 comments
0

So I have some servers, both running ESXi 6.5, as well as one running a vCenter VCSA, and I need to access them remotely from outside my local network. I can access one server, as long as I forward ports 902 and 443 to the local IPv4 address of that server. But what if you have more than one server that you need to connect to? Well, there's my problem. I've tried OpenVPN AS to try and allow VPN connection to the network, allowing me to monitor the servers, but it never really worked. So my question remains: how do I connect to these hosts externally? Thanks.

0
5 comments
5

I was toying with the idea of doing /31 subnets for our DMZ servers, just with VLANs now but later maybe with VXLANs. Then lots of interfaces on the Fortigate firewall and everything under a DMZ zone.

We don't have more than hundred servers where we'd like to allow access from internet. All the access to those would come via F5 BIG-IP load balancers, and the BIG-IPs would have the public IPs. Those /31 subnets would be with private IPs.

Reasoning that then I could allow access between two DMZ servers if needed, and via firewall. If using private VLANs I couldn't route the traffic through the Fortigate I think?

Though the firewall doesn't do anything advanced, maybe I could just use the firewall on the BIG-IP and have it do all those WAF thingies etc. Usually the rule would just be "anything from the internet, allow to port 443 on server". BIG-IP can also sustain more session and everything than our firewalls.

Any thoughts?

5
15 comments
2

Hi all, I posted this in the /r/budapest subreddit but I think it's also relevant here.

Next week (August 25) we organize a hackathon in collaboration with NOKIA, ACM and NETFLIX in Budapest, and we'd like to invite people from local communities on open-source software and computer network enthusiasts/operators to participate. Participation is free and we'll provide food and drinks throughout the day. The link below has more information on the event:

https://conferences.sigcomm.org/sigcomm/2018/hackathon.html

The event will be attended by students and researchers from over 10 different universities around the world and we'd like to connect them with the local open-source and networking scene.

Do you have any suggestions on which communities to contact? I've already contacted the Budapest Hackerspace but since I'm not from Budapest I don't know if there are other prominent communities that may be interested. I checked if there is a local NOG (Network Operating Group) but I didn't find something.

2
comment
0

First off, I'm not a networking pro by trade. I have configured switches in the past, firewalls, and done troubleshooting on networks. However, this is my first attempt at configuring a smart switch with multiple VLANs and for the life of me, I can't get it.

I have a Dell X1026P and I basically need to split this thing into two switches. One VLAN for PCS with an uplink to a firewall, and another VLAN for VOIP with a different uplink over to a clarity device (firewall).

Is there a way that I can do this? When I try to add a second IPv4 addressing interface, it tells me that I can't do it in the current mode. This is a layer two switch, so I'm not sure if it's possible.

Can someone help me out please?

TIA.

0
11 comments
0

Netherlands faces a shortage of developers. Join Honeypot - a developer exclusive job-platform where companies apply to you. Get multiple offers.

0
25 comments
4

Is there any way to schedule a rollback on nxos?

The config guide only shows manually rolling back to a checkpoint, not scheduling it to automatically occur after x minutes have passed.

Thank you.

4
1 comment
2

This switch has a bunch of new features that I am not totally familiar with at this point. Things like PNP and DNA that I know about, and probably other stuff that I don't. I'm open to testing these new features, but I'd like to make sure that we don't have our pants down while I am figuring things out.

I've always followed the catalyst switch hardening guides, but they don't address these new features. Have you folks got any advice on what I should watch out for?

2
3 comments
2

I want to start out by saying that I've inherited this network and I was not the one to set everything up. We've had this issue since the beginning and have done a ton of troubleshooting and brought in a few different people (including Meraki support) to narrow it down. Thought I'd post here and see if anyone has any ideas/advice.

So here's the deal. We have Dynamic ARP Inspection and DHCP snooping enabled on the Cisco switches (AP ports are set to 100 for the pps limit) and we have about 60 Meraki MR34 APs throughout the building. Every once in a while, seemingly randomly, we exceed the rate and the ports get disabled. From what we've been able to tell, it seems it is the Meraki APs themselves that are causing the ARP flood (some sort of cross-AP communication), which is what prompted us to reach out to Meraki support, who had nothing to offer.

So based on where we are stuck and the idea that it doesn't look like the problem is going to get "fixed", I think I have a few options here and wanted to get some input on which one is the best route to take:

  1. We can increase the rate for the AP ports (at what point does this defeat the purpose of even having protection?)
  2. We can set the AP ports to trusted (removing the security altogether)
  3. We can configure Port State Recovery for arp-inspection

As an added note, we do also have free public WiFi, so keeping some level of security is a good idea. It is segregated from the Corporate networks via VLANs and the bandwidth is limited, but still.

Thanks in advance!

2
4 comments
4

If your base network is RFC 1149 compliant?

4
5 comments
0

Hi,

I'm trying to create a few tiny networks, linked to each other using PPTP VLAN.

I have an Ubuntu server in the cloud running a PPTP server, and am using a load of small GL-AR150 routers which are configured to connect to the VLAN server. This part seems to work. The clients can all speak to the server, and the clients can load each other's router web portals.

E.g. Server is 10.10.10.1 and it gives the VPN clients 10.10.10.100 to 10.10.10.110. The computers behind each GL-AR150 can load other GL-AR160 pages by browsing to 10.10.10.101 from the router configured to 10.10.10.100.

Each of these routers has a few computers, currently receiving addresses via DHCP e.g. 10.10.100.1 and the computer gets 10.10.100.2.

How do I configure the AR150 to forward traffic between these subnets?

I want a computer that is 10.10.100.2 (connected to the router that has VPN IP 10.10.10.100) to be able to talk to 10.10.101.2 (connected to the router that has VPN IP 10.10.10.101) and vice-versa.

I have tried setting up static routes, fiddling with the firewall etc., but seem to be missing something. What static routes would I need to set up, and how would I set up iptables to allow this?

Cheers

0
2 comments
0

Hello, I see so many connections on the 5585-X that go to different switches. Is there a way to view these connections, such as a "show interface g0/x" like in Cisco IOS? I'm wondering if there is a similar command... or the ASAs just don't work that way.

thank you

0
4 comments
2

So long story short, I have a desktop that I use for my daily admin machine. Found the other day that a web gui for a firewall did not load when accessing the LAN IP and port. I can ping the device, I can access the GUI via the WAN IP and port (it's a remote site firewall), I can telnet to the port and it connects, I can SSH to the device from this machine, I can tracert and see it's taking the appropriate route, and 3 other machines (including a non-domain joined machine) load the GUI just fine from behind the same switch on my desk. I've tested Chrome, Firefox, IE and even the lovely Edge browser and they all act like the site times out. Even looking at the Wireshark capture on the machine it acts like a TCP timeout. I'm kind of out of ideas at this point. I even rebooted the remote firewall over night as well as my desktop and still have the issue.

2
9 comments
15

Greetings. I am posting this as I believe /r/networking is the most appropriate audience. Apologies if someone feels this is better suited to another sub.

We finally pulled the trigger on a few Opengear boxes for OOB. We planned to deploy the Lighthouse central management software on a server in a colo outside of our own network. However, now that we're getting around to the initial deployment Lighthouse is now supported on the Google Compute Engine platform. We haven't been successful with the deployment as the image file from Opengear's FTP seems to be corrupt.

The question: has anyone here deployed on GCE? Is it working as expected, or would you still go the on-prem route?

15
2 comments
3

Hi, we are currently researching our options for BGP routers. Currently our PI address space (/24) is routed by our ISP (Cisco 3925 @ 100 Mbit line), but we'd like to change that (own ASN with multihoming and dual stack on a gigabit line).

We also got quotes from our distributor about various Juniper models. The cheapest is a pair of used Juniper MX80 incl. Xcare Advanced for ~22k€ (Germany).

I'm not sure if we need a such expensive router pair. Our requirements are not that special:

  • max. 1 Gigabit throughput (Currently usage sitting at 6 Mbit avg, peak 90)
  • min. 4 SFP interfaces
  • No IPsec or IDS/IPS

IDS and VPN are handled by our edge-Firewalls (PA-820). Is there any recommendation for a cost effective router?

3
25 comments
4

Hello

I've just had a very interesting question from one of our sales guys and I wanted to see if anyone here had experience with it.

His potential customer runs some sort of warehouse with automated drone robots that pick the equipment from the shelves. When working out the quote my colleague was trying to sell an internet circuit with it, and the customer was pretty adamant about not needing one, since all he needs his drones to communicate with is a server that's on site. I'm assuming this has some connection to the internet but that's not information I'm privy to.

He wants to deploy a Cisco WLAN with an on-site controller but no outside connectivity, theoretically I can't see any reasons why it isn't possible but it isn't something I've ever encountered before and googling "wireless with no internet" just brings up stacks of people complaining about their wifi not working properly.

Has anybody here ever seen something like this?

Thanks

4
20 comments
0

I have been working with a hand-me-down 'toolkit' since starting my current job ~1.5 years ago. My crimper is a half-broken StarTech piece. I'm down to two RJ-45 connectors, and my 'cable stripper' (or whatever you call it) is barely functional.

I see many different kits online with brand names I don't recognize, and they all seem to be of poor quality.

I could buy these things piecemeal, but right now I would prefer to get a new kit. Budget is ~$75(us).

What are some good recommendations?

Thanks!!

0
9 comments
20

We have two 3850 stacks each with two WS-C3850-24P-E switches. A couple of weeks ago we upgraded the firmware from 3.7.4E to 3.6.8E, as specifically advised by Cisco TAC, to resolve a bug with interface output counters (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb65304).

After reloading we noticed a couple of problems:

  1. sap pmk mode-list only allowed "no-encap" and not "gcm-encrypt" (MACsec).
  2. The SFP interfaces were down and couldn't be brought back up. Saw the below errors in the logs:
     %PLATFORM_PM-6-MODULE_ERRDISABLE: The inserted SFP module with interface name Te1/1/4 is not supported
     %PM-4-ERR_DISABLE: gbic-invalid error detected on Te1/1/4, putting Te1/1/4 in err-disable state

The Cisco TAC engineer on WebEx at the time suggested the below, which didn't make any difference:

  1. 3850(config)# no errdisable detect cause gbic-invalid
  2. 3850(config)# service unsupported-transceiver
  3. Remove SFP module, shutdown/no shutdown the port, insert back the SFP module.

Despite explaining at the time and in many emails since that these errors were occurring AFTER reloading (to the same engineer that was on the WebEx), they keep referring to a bug (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCud82475) which is specifically about seeing errors DURING the switch reload. After two weeks I've just asked for the SR to be escalated to another TAC engineer.

This upgrade was at the end of two 18-hour days and two days of network issues so we didn't have the time to read any release notes etc (which I'm struggling to find for the specific version anyway). The actual issue ended up being a bug with offloading on our PA-3220s, but we still want to update to a 3850 firmware that doesn't have the output errors bug and something more recent.

Questions for r/networking:

  1. Has anyone had any experience with the invalid/unsupported SFP issue on 3850s on 3.6.4? (I couldn't find anything online specific to that version that didn't look like a different issue.)
  2. What are everybody's thoughts on the Denali 16.x train? Should we be looking at upgrading to it? I've read somewhere that the future is 16.x.
  3. Have I just been unlucky with Cisco TAC support on this case, or is this a usual occurrence? We raised another TAC case and got really good, immediate support.

Edit: Posting from work while everyone wants to talk to me, please excuse poor title and any lack of details/poor questions :)

20
30 comments