
Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.


Checking my understanding of real-life ISP Peering Relationships

Please tell me if my understanding here is correct:

  • Tier 1s sell transit but never buy it
  • Tier 2s sell transit but also have to buy transit
  • Tier 3s buy transit but never sell it
  • Tier 2s and Tier 3s peer at IXPs, but only advertise their own prefixes (and those of their customers).
  • Tier 1s have private peerings with each other, sharing their full BGP tables.
  • Tier 2s have private peerings with each other, sharing their full BGP tables.
  • Tier 3s and Tier 2s buy transit from Tier 2s and Tier 1s (respectively), advertising only their own prefixes (and those of their customers), but they receive full BGP tables from the transit provider.

Is this about right?

If so, I have a few further questions:

  • Do large Tier 1/Tier 2 carriers operate different BGP ASes for their local/regional services?
    • Example: AT&T is a Tier 1, but they also sell DIA and business/residential broadband. Would AT&T operate a separate "Tier 3"-type network in each local market, where they peer with other local providers at IXPs but only advertise the local "Tier 3" routes instead of their national/global prefixes?
  • Do Tier 2s advertise their transit customers' prefixes at IXPs, or strictly their own prefixes and those of their enterprise clients?
  • Is there anything that prevents Tier 3 ISPs from buying transit directly from Tier 1s?
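The export rules the post lays out (what a network announces to a customer, to a peer and to a provider) can be checked against the standard valley-free model. The following is an added example, not part of the post: a small Python simulation over a constructed six-AS topology (the AS names, relationships and prefixes are assumptions) that propagates routes to convergence and reports what each AS announces on each session. Under this model a network exports its own and its customers' prefixes to everyone, but exports routes learned from peers or providers only to its customers, so a settlement-free peering carries customer cones rather than a full table.

```python
"""Valley-free BGP export model.

Added example, not from the original post. The topology, AS names and
prefixes below are constructed to mirror the tier layout the post describes.
"""
from collections import defaultdict

# Constructed transit edges: (provider, customer).
TRANSIT = [
    ("T1A", "T2A"), ("T1B", "T2B"),  # tier 1 sells transit to tier 2
    ("T2A", "T3A"), ("T2B", "T3B"),  # tier 2 sells transit to tier 3
]
# Constructed settlement-free peerings: no transit in either direction.
PEERS = [("T1A", "T1B"), ("T2A", "T2B")]
# Prefixes each AS originates (assumed).
ORIGIN = {
    "T1A": ["1.0.0.0/8"], "T1B": ["2.0.0.0/8"],
    "T2A": ["10.1.0.0/16"], "T2B": ["10.2.0.0/16"],
    "T3A": ["10.1.5.0/24"], "T3B": ["10.2.5.0/24"],
}
# Route selection: customer-learned beats peer-learned beats provider-learned.
PREF = {"own": 0, "customer": 1, "peer": 2, "provider": 3}
# If my neighbour is my X, then from the neighbour's side I am its Y.
INVERSE = {"customer": "provider", "provider": "customer", "peer": "peer"}


def build_neighbors(transit, peers):
    """Map each AS to {neighbor: what that neighbor is to this AS}."""
    nbrs = defaultdict(dict)
    for provider, customer in transit:
        nbrs[provider][customer] = "customer"
        nbrs[customer][provider] = "provider"
    for a, b in peers:
        nbrs[a][b] = "peer"
        nbrs[b][a] = "peer"
    return nbrs


def exportable(rib, to_rel):
    """Valley-free export policy. A customer gets the full table; a peer or
    a provider only gets prefixes we originate or learned from customers."""
    return sorted(
        pfx for pfx, learned_from in rib.items()
        if to_rel == "customer" or learned_from in ("own", "customer")
    )


def propagate(transit, peers, origin):
    """Push exports around the graph until no RIB changes (fixpoint)."""
    nbrs = build_neighbors(transit, peers)
    rib = {asn: {p: "own" for p in pfxs} for asn, pfxs in origin.items()}
    changed = True
    while changed:
        changed = False
        for asn, sessions in nbrs.items():
            for nbr, rel in sessions.items():
                for pfx in exportable(rib.get(asn, {}), rel):
                    learned_from = INVERSE[rel]
                    current = rib.setdefault(nbr, {}).get(pfx)
                    if current is None or PREF[learned_from] < PREF[current]:
                        rib[nbr][pfx] = learned_from
                        changed = True
    return nbrs, rib


def advertised(asn, nbr, transit=TRANSIT, peers=PEERS, origin=ORIGIN):
    """Prefixes `asn` announces to `nbr` once routing has converged."""
    nbrs, rib = propagate(transit, peers, origin)
    return exportable(rib[asn], nbrs[asn][nbr])


if __name__ == "__main__":
    for a, b in [("T2A", "T3A"), ("T2A", "T1A"), ("T2A", "T2B"), ("T1A", "T1B")]:
        print(f"{a} -> {b}: {advertised(a, b)}")
```

Running it shows T2A giving its customer T3A all six prefixes while announcing only 10.1.0.0/16 and 10.1.5.0/24 to its provider T1A and to its peer T2B, which is the behaviour to compare against the bullets in the post.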

Well this is a first for me, fiber got cut...

by a shotgun. I guess fiber lying in a ditch waiting to be strung up is too sweet a target. It's not even fiber season yet, and dove season was weeks ago. Maybe it was self-defense? It must have been attacking from above too, because they were skyblasting it. https://imgur.com/FDPyYEz


Would this be a good standard for naming/numbering VRFs, RDs, and Route Targets?

I'm thinking that for VRFs it would be best just to use the customer's name / service account number; for RDs it would be best to use <global loopback IP address>:<unique number>; and for RTs it would be best to use a global account/service number for the customer.

Is this a good design, or would there be a better/more scalable way to go about this?

(Note: This isn't for a real production network, just my [extensive] home lab)

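The RD format proposed in the post, <global loopback IP>:<unique number>, is the type 1 encoding from RFC 4364, and the assigned-number field in that format is only 16 bits wide; the ASN:number forms give either a 32-bit number (type 0, 2-byte ASN) or a 16-bit number (type 2, 4-byte ASN). The Python below is an added example, not from the post: it encodes and decodes all three forms and reports whether a candidate string fits its inferred type, which is the check to run before adopting a global account number as the number part. All values are constructed; asdot notation for 4-byte ASNs is not handled.

```python
"""Route Distinguisher / Route Target encoding check.

Added example, not from the original post. Encodes RDs and RTs in the three
formats RFC 4364 defines and reports when a value does not fit its field.
The test values are constructed.
"""
import ipaddress
import struct


def encode_rd(text):
    """Encode 'A:B' into the 8-byte wire form, inferring the type:
    type 0 = 2-byte ASN : 4-byte number
    type 1 = IPv4 addr  : 2-byte number
    type 2 = 4-byte ASN : 2-byte number (ASN given in asplain, i.e. > 65535)
    Raises ValueError when the number part does not fit the field."""
    admin, _, assigned = text.partition(":")
    assigned = int(assigned)
    if "." in admin:
        ip = int(ipaddress.IPv4Address(admin))
        if not 0 <= assigned <= 0xFFFF:
            raise ValueError(f"type 1 assigned number {assigned} exceeds 16 bits")
        return struct.pack("!HIH", 1, ip, assigned)
    asn = int(admin)
    if asn <= 0xFFFF:
        if not 0 <= assigned <= 0xFFFFFFFF:
            raise ValueError(f"type 0 assigned number {assigned} exceeds 32 bits")
        return struct.pack("!HHI", 0, asn, assigned)
    if not 0 <= assigned <= 0xFFFF:
        raise ValueError(f"type 2 assigned number {assigned} exceeds 16 bits")
    return struct.pack("!HIH", 2, asn, assigned)


def decode_rd(raw):
    """Inverse of encode_rd; returns (type, 'A:B')."""
    rd_type = struct.unpack("!H", raw[:2])[0]
    if rd_type == 0:
        asn, num = struct.unpack("!HI", raw[2:])
        return rd_type, f"{asn}:{num}"
    if rd_type == 1:
        ip, num = struct.unpack("!IH", raw[2:])
        return rd_type, f"{ipaddress.IPv4Address(ip)}:{num}"
    asn, num = struct.unpack("!IH", raw[2:])
    return rd_type, f"{asn}:{num}"


def fits(text):
    """True if the RD/RT string can be encoded in its inferred type."""
    try:
        encode_rd(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed candidates: a loopback-based RD with a small and a large number,
    # and the same large number behind a 2-byte ASN.
    for candidate in ("10.0.0.1:100", "10.0.0.1:70000", "65000:70000"):
        print(candidate, "fits" if fits(candidate) else "does not fit")
```

The practical consequence for the scheme above is that a loopback-based RD can only carry 65536 distinct numbers per loopback, so a service number that grows past that has to move to the ASN:number form or be mapped to a per-PE counter.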

HIRING: Dutch-Speaking Tech Advisor in The Netherlands! Join us and come work for the most influential technology and gaming companies!


EVC | Allowing multiple vlans.

Hi everyone,

Just a quick question about EVC trunk EFPs and allowing multiple tags.

I'm currently working on this setup and would like to get your opinion and expertise on it.

The customer will send multiple tags (3320-3322), but in this scenario I only configured a sub-interface for .3320.

Supposedly, if a customer frame enters the ASR920 on G0/0/13 it will match the EFP criteria; the last step on ingress, when using "bridge-domain from-encapsulation", is to derive the bridge-domain from the encapsulation.

Under the bridge-domain I'll have these for forwarding.

Bridge-domain 3320 (2 ports in all)
State: UP Mac learning: Enabled
Aging-Timer: 300 second(s)
Maximum address limit: 16000
GigabitEthernet0/0/13 service instance 203
TenGigabitEthernet0/0/27 service instance 100

Questions:

  1. Is this configuration correct? (I'm having an issue with IP reachability, so I'm checking which side has the problem.)

PE#ping vrf custA 10.1.1.2 source 10.1.1.1
.....
Success rate is 0 percent (0/5)

  2. Based on this interface output, when I ping toward the customer from the PE, there's no increasing rate on the ASR920 interface?

ASR920#sh interface GigabitEthernet0/0/13
GigabitEthernet0/0/13 is up, line protocol is up
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec

  3. I can't detect any MAC address, not even for the IP address 10.1.1.1, for example?

Bridge-domain 3320 (2 ports in all)
State: UP Mac learning: Enabled
Aging-Timer: 300 second(s)
Maximum address limit: 16000
GigabitEthernet0/0/13 service instance 203
TenGigabitEthernet0/0/27 service instance 100

Any docs/materials about EVC you can share, other than Cisco docs or docs posted on the internet?

Configuration:

PE: 10.1.1.1/31
CUST: 10.1.1.2/31

######### PE #########
interface TenGigabitEthernet1/1/0.3320
 description bandwidth 98000
 encapsulation dot1Q 3320
 ip vrf forwarding custA
 ip address 10.1.1.1 255.255.255.254
 no ip redirects
 no ip proxy-arp
#####################

##ASR920(pointing to PE)##
interface TenGigabitEthernet0/0/27
 mtu 9216
 no ip address
 service instance trunk 100 ethernet
  encapsulation dot1q 3320-3322
  rewrite ingress tag pop 1 symmetric
  bridge-domain from-encapsulation
#####################

##ASR920(pointing to Cust)##
interface GigabitEthernet0/0/13
 no ip address
 negotiation auto
 service instance trunk 203 ethernet
  encapsulation dot1q 3320-3322
  rewrite ingress tag pop 1 symmetric
  bridge-domain from-encapsulation
#####################

Thank you in advance.

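To see what the posted ASR920 trunk EFPs do with each customer tag, here is an added Python model, not from the post and not Cisco code, of the three statements involved: the dot1q range match, "rewrite ingress tag pop 1 symmetric" and "bridge-domain from-encapsulation", together with the PE's single .3320 sub-interface. The EFP and sub-interface definitions mirror the configuration in the post; the frames traced are constructed and the forwarding is a simplification (no MAC learning or flooding is modeled).

```python
"""EVC trunk-EFP tag flow model.

Added example, not from the original post or from Cisco. It models the
semantics of the posted ASR920 configuration (the dot1q range match,
'rewrite ingress tag pop 1 symmetric', 'bridge-domain from-encapsulation')
and the PE's dot1Q sub-interface. The frames are constructed and the
forwarding is simplified: no MAC learning or flooding is modeled.
"""
from dataclasses import dataclass


@dataclass
class TrunkEfp:
    """One 'service instance trunk N ethernet' using from-encapsulation."""
    port: str
    vlans: range  # encapsulation dot1q lo-hi

    def ingress(self, tag):
        """Bridge-domain for an incoming tagged frame, or None if no match.
        'pop 1' strips the tag; from-encapsulation makes BD id == tag."""
        return tag if tag in self.vlans else None

    def egress(self, bd):
        """'symmetric' pushes the same tag back on the way out."""
        return bd


def asr920_forward(efps, in_port, tag):
    """Frame enters in_port carrying 'tag'; returns (out_port, out_tag)
    for every other EFP that is a member of the derived bridge-domain."""
    ingress = next((e for e in efps if e.port == in_port), None)
    if ingress is None:
        return []
    bd = ingress.ingress(tag)
    if bd is None:
        return []
    return [(e.port, e.egress(bd)) for e in efps
            if e.port != in_port and bd in e.vlans]


def pe_terminates(subinterfaces, tag):
    """The PE only terminates tags it has a dot1Q sub-interface for."""
    return subinterfaces.get(tag)


# Mirrors the configuration in the post.
ASR920 = [
    TrunkEfp("Gi0/0/13", range(3320, 3323)),  # service instance trunk 203
    TrunkEfp("Te0/0/27", range(3320, 3323)),  # service instance trunk 100
]
PE = {3320: "Te1/1/0.3320 -> vrf custA 10.1.1.1/31"}


def trace(tag):
    """Customer frame with 'tag' -> ASR920 Gi0/0/13 -> Te0/0/27 -> PE."""
    hops = asr920_forward(ASR920, "Gi0/0/13", tag)
    toward_pe = [t for port, t in hops if port == "Te0/0/27"]
    if not toward_pe:
        return "dropped at ASR920 (no EFP match on Gi0/0/13)"
    term = pe_terminates(PE, toward_pe[0])
    return term or f"tag {toward_pe[0]} reaches the PE but no sub-interface terminates it"


if __name__ == "__main__":
    for t in (3320, 3321, 3322, 3325):
        print(t, "->", trace(t))
```

Tracing tag 3320 lands on the custA sub-interface; 3321 and 3322 are bridged by the ASR920 into bridge-domains 3321 and 3322 and re-tagged toward the PE, where nothing terminates them; a tag outside 3320-3322 matches no EFP on Gi0/0/13 at all.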

Cool and or new routing methods

Recently I saw someone implement iBGP route leaking with import/export commands on our 10-15 different OSPF VRF domains to avoid storage traffic going through firewalls. I'm curious if there are other CCIE-like routing methods, like route leaking or something totally different, that are not taught at boot camps or in college coursework.


VM service vs management nic question

I have a VM running in ESXi that is throwing a conflict: one NIC is using the same static IP as another.

For instance, my management NIC has the IP 192.168.10.1/24 on VLAN 10 and my service NIC is also 192.168.10.1/24 on VLAN 10.

Can they be on the same VLAN with different IPs, or do they need to be on different VLANs?


Bidirectional NAT with Palo Alto

I have this rule (I'm not a Palo guy). But will it allow traffic hitting port 80 on the public IP to reach 172.16.0.80? And will it allow traffic leaving 172.16.0.80 to be NAT'd using that address?

https://imgur.com/a/EeksJHO

Thanks so much!


Initial configuration of an ASA 5510

Hello everyone.

I recently purchased a 5510 to practice with for the CCNA Security exam and I'm in a bit of a rut of confusion, maybe because I'm thinking from a layer 2 perspective.

I have a SOHO ISP device with the IP address 192.168.1.254 and an ASA that currently has no config. I give it a name and go to the default ASDM address 192.168.1.1. I then go to the configuration tab and the interfaces section, and this is where I'm confused.

To me it would make sense that if I have an inside interface on Eth0/1 with a security level of 100, it should be able to communicate with the outside interface Eth0/0 that has a security level of 0. What I'm unsure about is how a default gateway is set on an ASA.


Online user vs online STA count

I am a network admin (sort of) at a college. I take care of Ruijie network systems; one of them manages the user accounts and shows the online users logged in to the wifi. That system is named SMP. This means anyone without an account cannot connect to the internet, and one account is only allowed one device connected at a time. Another system is for managing the access points (AP groups, SSIDs etc.); it is named WAC.

The question is: why does the online user count shown in SMP (~600) differ so much from the online STA count in WAC (~800)? Maybe this is a silly question and I am a newbie. I hope someone can clear this up.


I'm a fraud

When I was 18, I just applied to a random course without any thought, and that course turned out to be Network Engineering. After the first few weeks I knew it wasn't my thing, and I just couldn't click with the material, but I was so determined not to go back home a failure that I stuck it out. Now, the problem with the education system: I didn't learn a thing. I was just a pro at memorizing questions and answers, so the day before exams I would cram, cram, cram, go into the exam and smash it. The next day everything I had crammed I would just forget. So after 4 years I finished university with a degree in Network Engineering.

I went back home and didn't really know what to do, so I just thought I'd apply to jobs related to my degree. I lucked out and got a position as a graduate engineer for a rising telecoms company, mainly because they liked my personality in the interview. I was chosen out of over 50 applicants (this was without any certifications, e.g. CCNA, JNCIA etc.). In my first year, literally every piece of work and design I did was entirely put together using Google and YouTube, or by making friends with senior engineers, finding out their strong points and getting them to help me with my design. In that first year the company was so impressed with me and my work that I got promoted from my graduate position to a fully fledged Network Engineer.

So now I'm here in this company, still with very little knowledge of networking. I'm 24 now and I feel like it might be too late to start doing my certifications like CCNA etc. and actually learning networking. It's embarrassing. I feel like a total fraud: I've managed to get all this way, getting a degree and getting a very good job for a beginner in the field, simply through my ability to come across like I know what I'm talking about, by cramming and using Google, and by being personable and easy to talk to.

Now I have friends from my uni course who were really passionate about networking, they live for it, yet they're doing 1st/2nd line support, working their way up from the bottom, while I somehow ended up in this high-end position without having to work from the bottom. It makes me feel guilty. I feel like I'm stuck and I really don't know what to do. I feel like every other person around me is a total wizard who knows what they're doing and loves it. There's just this constant thought in my head that everything will come crashing down on me eventually. I just wanted to share my story, and I guess I'm writing this to find out if anyone has been in the same boat, or has any thoughts or opinions.

TL;DR: Crammed through uni and got a networking degree without actually learning. Got a good job because of my personality rather than technical ability. Getting through the job by constantly using Google and pulling work together from other engineers. Given a promotion = 24-year-old fraud who doesn't know what to do.

EDIT: Wow, I was not expecting this kind of reaction! Thanks everyone for taking the time to read through, and to those who replied. I really appreciate it.


Issue upgrading ROMMON and IOS on Cisco 4500-x

Experiencing a weird issue that I haven't seen referenced anywhere in Cisco documentation.

Background: Running Cisco 4500-X in a VSS setup, trying to upgrade IOS from version 3.6.8 to 3.8.6. The upgrade first requires ROMMON to be upgraded.

Problem: I have the boot string set to load ROMMON and the new IOS version, but when I reload the active and standby switches (15 minutes of downtime is not really a problem in my enterprise if scheduled properly) there are issues. ROMMON upgrades successfully, but when it performs the autoboot to upgrade to the new IOS the switch just hangs and never resets. The system is totally down. All LEDs are off except on the power supplies, which blink green. The fix for this is to power cycle the switch, after which the IOS upgrade occurs with no problem. With 20+ locations requiring this upgrade, I'd rather not have to travel to each location, separated by several miles, to perform these upgrades manually. Would using the issu changeversion commands rather than a straight reload for this upgrade make any difference? Is it even possible to set both ROMMON and IOS to upgrade using the issu command? Cisco documentation is vague on the subject. Has anyone else encountered a similar issue before? I'm not paying for maintenance on these 4500s, so I can't use TAC, and our Cisco account rep hasn't been super helpful. Would appreciate any advice.


Token ring anybody?

I was cleaning out my shed this weekend and found two large tubs full of Token Ring hardware. Needless to say this brought back "memories". Does anyone out there have any fun experiences to share?

Better yet, does anyone know of anyone still using it?


A Quickstart Guide to IRR/RPSL

As I'm a member of a team trying to run an Internet Exchange, we've been looking into rolling out IRR prefix filtering on the exchange route servers (which is a seriously good thing to do), but as we started to dig into what we were asking all of our IXP participants to do, the current state of documentation on how to get started with IRR, doing just enough to enable prefix filtering, seemed... lacking.

We've written a whitepaper on the matter, but given our minimal real world experience using IRR, I'd appreciate it if others could sanity check our guide and point out any flaws in our understanding of how our participants should use IRR or where you get totally lost in this guide.

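As an added example, not from the post or the whitepaper it links, the Python below does the core of what IRR-based route-server filtering needs: it parses a few constructed RPSL objects (an as-set and three route objects; the AS numbers, set name and prefixes are assumptions), expands the as-set, builds the prefix filter for that customer cone and checks candidate announcements against it, including more-specifics up to a maximum length and a mismatched origin AS. This is the check a participant's route objects have to pass before a route server will accept their prefixes.

```python
"""IRR/RPSL prefix-filter builder.

Added example, not from the post or the whitepaper it links. The RPSL
objects, AS numbers, as-set name and prefixes are constructed for
illustration (documentation prefixes, private-use ASNs).
"""
import ipaddress

# Constructed IRR data in the shape whois returns it: one object per
# paragraph, 'attribute: value' per line.
IRR_DB = """\
as-set:     AS-EXAMPLE-CONE
members:    AS64500, AS64501
source:     EXAMPLE

route:      192.0.2.0/24
origin:     AS64500
source:     EXAMPLE

route:      198.51.100.0/23
origin:     AS64501
source:     EXAMPLE

route:      203.0.113.0/24
origin:     AS64502
source:     EXAMPLE
"""


def parse_rpsl(text):
    """Split RPSL text into a list of {attribute: value} dicts; the first
    attribute of each object is also stored under 'class'."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not current:
            current["class"] = key
        current[key] = value
    if current:
        objects.append(current)
    return objects


def expand_as_set(objects, name, seen=None):
    """Resolve an as-set to its member ASNs, following nested sets and
    refusing to loop on self-referencing sets."""
    if seen is None:
        seen = set()
    if name in seen:
        return set()
    seen.add(name)
    asns = set()
    for obj in objects:
        if obj["class"] == "as-set" and obj["as-set"] == name:
            for member in (m.strip().upper() for m in obj["members"].split(",")):
                if member.startswith("AS-"):
                    asns |= expand_as_set(objects, member, seen)
                else:
                    asns.add(member)
    return asns


def build_prefix_filter(objects, as_set):
    """{registered network: origin ASN} for route objects in the cone."""
    asns = expand_as_set(objects, as_set)
    flt = {}
    for obj in objects:
        if obj["class"] == "route" and obj["origin"].upper() in asns:
            flt[ipaddress.ip_network(obj["route"])] = obj["origin"].upper()
    return flt


def accept(flt, prefix, origin, max_len=24):
    """Route-server style check: the announced prefix must be covered by a
    registered route with the same origin AS and be no longer than max_len."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen > max_len:
        return False
    return any(
        net.version == reg.version and net.subnet_of(reg) and asn == origin.upper()
        for reg, asn in flt.items()
    )


def check(prefix, origin, as_set="AS-EXAMPLE-CONE", db=IRR_DB):
    """Convenience wrapper: parse the constructed DB and test one announcement."""
    return accept(build_prefix_filter(parse_rpsl(db), as_set), prefix, origin)


if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", "AS64500"), ("198.51.100.0/24", "AS64501"),
                     ("198.51.100.0/25", "AS64501"), ("203.0.113.0/24", "AS64502")]:
        print(pfx, asn, "accepted" if check(pfx, asn) else "rejected")
```

Real IRR output needs more than this parser handles: repeated members: attributes, mbrs-by-ref, route6 objects and continuation lines, and in production the filter is regenerated from the registry on a schedule rather than built once.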

I’ve got a question for you guys.

I'm not a networking guy, just a maintenance tech, but anyway here's the story:

Here at our plant we have three stories of machinery. So I ran some CAT6 to a Scalance switch and configured our shop computer's adapter to remote into our visualization with VNC Viewer. It makes life easier for us by not having to walk half a mile to reset faults.

But we have guys who have written complaints that the plant intranet no longer works, and despite me telling them to plug a different cable into a different wall plate and configure the adapter accordingly, they're unable to figure it out and are upset they can't get on miniclips.com at work.

So my question is: how can I configure the one RJ45 port on my desktop to switch between these networks without having to reconfigure my adapter's IP address and subnet mask?

I apologize for the long story, and thanks again for any advice/help.


What are you to do if somebody calls and says "I get BPDUs from another client and his port turns off when your port is up"?

Hey guys,

I have a BGP peering with another provider and we connect with a private IP over an access port. Now, this guy provides us, and others like us, with a free streaming service. As far as I can tell, he's getting all service providers to peer with him and possibly turning it into an IX.

Regardless, he calls me the other day and says, if I turn your port on, another port gives a "BPDU received" message and shuts down. I was told that I'm creating a loop OTA even though I have no direct peering with that other guy.

I listened, thought for a while and said I'll look into it. I did. There was nothing to look into.

Is there something to look into?

I thought it was like saying 8.8.8.8 went down when Uranus passed Urectum and somebody stuck gum under their table.


Where to NAT? Where to run BGP? Check out our latest tutorial presenting the dual ISP with BGP - NAT Configuration.


AOS/Aruba upgrade pitfalls?

Part of the 'we're upgrading everything' post. This time it's the wireless controller. Going from a 4700 to a 7210, from AOS 6.4 to 6.5, and as far as APs go, from 125-ish models to 315s. I'm decent at admin work and installing APs, but this is my first time doing a controller hardware replacement.

So my questions:

Can I import the config from the older box to the new one (with some tweaks)? We'll probably stagger the install since we won't be able to replace the APs fast enough. So old and new would have to work/overlap for a while until all the old APs are gone.

I saw a 'zero touch' feature on the quick install guide. Is that something I can use in this scenario?

We're installing 2x 7210s and about 300 APs. I know they can handle 512 APs. Do I set it up as master/slave or as one logical unit?

Any other pitfalls, checks, new features, etc. I need to look into while we're at it?


HTTP flood within single TCP session?


I'm trying to replicate an issue that is plaguing a production device for one of my customers. To do so requires as many HTTP requests as I can possibly throw at it; however, these requests all need to come from the same source port, so they will all need to be in the same TCP session.

I have the lab environment set up to do so, but I'm failing to find an application that fits this use case. I'm pretty unfamiliar with this kind of traffic generation. I've looked into a few traffic generators and DoS scripts, but none of them seem to fit this use case. They all seem to run multiple threads over different sessions, where I would need as much throughput as possible in one single session. The actual packets on the wire would preferably need to be on the smaller side, through something like fragmentation of larger headers, if that's possible. Any suggestions?


Network traffic classification

Hello, I have my graduation project, which is "Improving SDN QoS performance using Machine Learning", and I had a hard time finding network traffic data to test my Random Forest algorithm on. I found one, but now I have the problem of labeling the data. So is there any software I can use to prepare and label the data before feeding it to the algorithm, or how can I solve this issue?


Snort Full 10Gbps

Does anyone know if Snort or Suricata are capable of handling a full 10Gbps? (14,204,545 PPS)


HP ProCurve 1410-24G (J9561A) - how hot do they run?

Hopefully it's OK to post here.

I bought a second-hand HP 1410-24G switch (unmanaged, 24-port gigabit). It was sold as non-working*, but I got it cheap and I thought, hey, one might get lucky. If nothing else, a couple of hours of troubleshooting fun at least.

I got the impression that the switch had died and did not power up any more. However, I did manage to get it to power on (I believe I did nothing; it might have been just a loose connection). Now the switch powers up, yay! But it's not perfect. There are four ports that do not work (9, 10, 15, 22). This would be fine with me, but I am more concerned that the switch runs very hot (even idle). There are three big heatsinks on the mainboard, and the center one runs very hot, around 85 degrees Celsius (it also warms up faster than the others, but the temperature does stabilise, so at least it's not completely running away).

The other two heatsinks also run warm, but significantly less so (around 40-50 degrees). The switch works (I kept it on for a couple of hours for testing), but the case gets very warm (almost too hot to keep a hand on top). I don't know if this is normal for this model, but to me it feels like a pretty high temperature. The power supply itself doesn't appear to be under heavy load (the heatsinks there are all under 40 degrees).

(Obviously I won't be keeping this plugged in unsupervised for now.)

*) The previous owner (first owner) could not replace it under HP's lifetime warranty, as the company that installed the switch in his house could not provide a receipt for this particular switch and as such could not produce proof of purchase.


Networking topics relevant to cybersecurity/ethical hacking

I am a young college student, and (very luckily) got my first job in the cybersecurity field. I am going through the training right now, and while I would consider myself competent for an entry-level position, I am being held up by some of the networking-related material, which is substantial (i.e. network/port scanning), and I often find myself getting lost.

Which networking concepts are most relevant to cybersecurity or ethical hacking, so I know what to review in particular?

If you also have any learning resources to said material they would be greatly appreciated.


Best Network Analyzer Tool (for the money)

Backstory: I have previously worked where there was regular access to Flukes. The current job, which I've been at for a couple of years, does not have access to virtually any testing or analyzer tools. This makes life far less enjoyable, when a simple testing device could save so much headache. Add to that, I recently started moonlighting as an SMB MSP with a partner. Neither my day job nor my business has tons of capital to spare, otherwise we would just buy the Flukes.

I have searched the forum, and basically all the threads are 2-3 years old at this point. I figure much can happen in that time, so I am looking for recommendations here. We would want it to have CDP/LLDP, toning and basic reporting; iPerf would be awesome, and packet capture and traffic analysis would be even better.

The cheap, low-cost tools I have found thus far:

Pockethernet - likely the one we will go with unless I hear otherwise. Shipping out of Europe only is kind of annoying, but I understand they are a smaller company. That also worries me, as I don't want an orphaned product eventually.

Netool.IO - didn't appear as feature-rich, but close to the same price as the Pockethernet. Does seem to have wireless tools, which the Pockethernet doesn't seem to.

NetPi - this is the option I think is the coolest. I actually tried to turn this up to test. Unfortunately, the Pi 3 doesn't seem to like any of the images available. If anyone has been able to get this on a Pi 3, that would be a big swing. I don't want to shell out $70 to buy a Pi 2, screen, case, etc., plus the effort to get it dialed in.

Others? Thoughts? Insults about how ridiculous it is that we don't have any kind of testing tool in an international company? Favorite cake recipes?


Strange network request from a client

Hi everyone,

I work at a place that provides office space for small companies. I have a broker asking my company to assign a public IP to a device for about 3 times the amount we normally charge. The person we have been in touch with claims not to know what exactly this device will be doing, other than the following explanation:

"My understanding is that it is primarily ping/tracert data between the network of these, with the data being aggregated (loss at certain network hops, etc.). ... The WAN device is a Meraki Z3 (acting as the firewall/gateway), with a PoE-powered UBNT EdgeRouter fastened to the top of the Meraki. My limited tech understanding is that they used to do this with the UBNT devices only, but they have been using the addition of the Meraki simply because of the ease of remote management/alerting."

We allow firewalls and devices all the time for companies to hook up with their company networks, but this person hasn't been very forthcoming about the purpose of this type of setup. The other twist is that it's for a company that doesn't even have permanent space here. It's just all sorts of confusing... can anyone glean what this type of setup might be doing, or am I just being paranoid because of a lack of knowledge? I'm fine with hosting; it's just that there are some conflicts of interest, and this conversation and other prior conversations have rubbed me the wrong way.

Thanks in advance!
