Moronic Monday!

It's Monday, you've not yet had coffee and the week ahead is gonna suck. Let's open the floor for a weekly Stupid Questions Thread, so we can all ask those questions we're too embarrassed to ask!

Post your question - stupid or otherwise - here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer. Serious answers are not expected.


So we have an alternate site with a small ragtag group of admins doing our firewall policies. My coworker and I are going through their rulesets and trying to figure out why a few things aren't working.

One of the policies has "Source: Any, Destination: X Webserver", yet none of our traffic is passing at all. We're scratching our heads wondering what the heck is going on until my coworker notices that "Any" is not in fact the default IP group on the firewall that allows any traffic. Someone at the site made an address group, named it "Any" and stuck a single /32 address in it..... let me die now plz.
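The trap above (an address object whose name promises "everything" but holds one host) is easy to catch mechanically. The following is an added example, not code from the thread: it parses a constructed, FortiGate-like config excerpt (simplified syntax, not a real device export) and flags user-defined objects with wildcard-sounding names that resolve to a single address, plus the policies that reference them. The builtin match-all name "all" is an assumption in the script, as is the config syntax.

```python
import ipaddress

# Constructed sample in a FortiGate-like syntax (simplified; not a real device export).
# The user-defined object "Any" is a single /32, exactly the trap described in the post.
SAMPLE_CONFIG = """\
config firewall address
    edit "Any"
        set subnet 10.20.30.40 255.255.255.255
    next
    edit "X Webserver"
        set subnet 192.0.2.10 255.255.255.255
    next
    edit "Corp-LAN"
        set subnet 10.0.0.0 255.0.0.0
    next
end
config firewall policy
    edit 1
        set srcaddr "Any"
        set dstaddr "X Webserver"
        set action accept
    next
    edit 2
        set srcaddr "all"
        set dstaddr "Corp-LAN"
        set action deny
    next
end
"""

# Names a human reads as "match everything".
BROAD_NAMES = {"any", "all", "everything", "internet", "*"}
# Object names the platform itself predefines as match-all (assumed: "all", as on FortiGate).
BUILTIN_ANY = {"all"}


def parse_config(text):
    """Parse the simplified config into (addresses, policies).

    addresses: object name -> ipaddress network
    policies:  list of dicts with the keys name, srcaddr, dstaddr, action
    """
    addresses, policies = {}, []
    section, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config firewall "):
            section = line.split()[-1]                 # "address" or "policy"
        elif line.startswith("edit "):
            current = {"name": line[5:].strip().strip('"')}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip().strip('"')
        elif line == "next" and current is not None:
            if section == "address" and "subnet" in current:
                ip, mask = current["subnet"].split()
                addresses[current["name"]] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            elif section == "policy":
                policies.append(current)
            current = None
        elif line == "end":
            section = None
    return addresses, policies


def lint(addresses, policies):
    """Return human-readable findings about misleading address objects and the policies using them."""
    findings = []
    # 1. A user-defined object whose name promises "everything" but holds one host.
    for name, net in addresses.items():
        if name.lower() in BROAD_NAMES and net.num_addresses == 1:
            findings.append(f"address object '{name}' reads as a wildcard but is the single host {net}")
    # 2. Policies whose source/destination silently narrows to that host (or is undefined).
    for pol in policies:
        for side in ("srcaddr", "dstaddr"):
            ref = pol.get(side)
            if ref is None:
                continue
            if ref not in addresses:
                if ref.lower() in BUILTIN_ANY:
                    continue                           # the platform's real match-all
                findings.append(f"policy {pol['name']}: {side} '{ref}' is not defined")
            elif ref.lower() in BROAD_NAMES and addresses[ref].num_addresses == 1:
                findings.append(f"policy {pol['name']}: {side} '{ref}' matches only {addresses[ref]}")
    return findings


def audit(text):
    """Convenience wrapper: parse then lint."""
    return lint(*parse_config(text))


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports two findings: the object itself and policy 1's source. Swapping policy 1's source for the builtin "all" leaves only the object finding, which is the point of checking object definitions and policy references separately.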

Delicious. You might want to check that tcp/http is actually port 80.

They probably just renumbered them in alphabetical order starting at 1.

I break things, professionally. · 10 points · 7 days ago

We allowed our security team on a multi-tenant FortiGate once. First thing they did (unwittingly) was redefine the Any object to be just one IP address while trying to perform a customer change request. That was the last time that team had write access to anything.

and THAT is how you lose admin privileges.

Shouldn't that be a teaching moment though? (Lol)

lol absolutely was

🤘🏻

So very quickly!

CCNP · 1 point · 6 days ago

I had the same experience when someone from the server team did the same thing on a FortiGate at a remote customer site. Ground everything to a halt.

Took me a while to work that one out.

Probably drunk CCIE · 3 points · 7 days ago

diabolical

CCIE, Cisco Certified Cat Herder · 1 point · 7 days ago

An earlier, more specific rule may be matching first.

sho shit · 1 point · 7 days ago

if that doesn't deserve a kick to the taint I don't know what does.

[deleted]
1 point·7 days ago

[removed]

Moderator of r/networking, speaking officially · Original Poster · 1 point · 7 days ago

Thanks for your interest in posting to this subreddit. To combat spam new accounts can't immediately submit or post.

Please DO NOT message the mods requesting your post be approved.

You are welcome to resubmit your thread or comment in ~24 hrs or so.

I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.

Aaahahahahah

I put in a ticket to have a technician replace a switch in a cabinet. Technician labels the cables, swaps the switch, then plugs all the cables in randomly.

Sigh...

CCWE (Cisco Certified Webex Expert) · 5 points · 7 days ago · edited 7 days ago

Oh.. you have to enable ip multicast-routing distributed on the client for shit to actually work.

Why did I wait until I was frustrated to mtrace from server to client in order to see this PIM_MT Multicast disabled?

I mtrace'd the shit out of it from client to server. Forgot to do it the other way :)

Stupid question... When do 2 hosts ONLY communicate with each other? I always read about "When computer A sends traffic to computer B on the same network..." But even a simple email or instant message goes to some kind of server (could be on same network). The only thing I can think of is when a computer sends a print job to a networked printer. When else do 2 hosts only communicate with each other?

flair goes here · 3 points · 7 days ago

File sharing comes to mind, though in most corporate environments, you wouldn't want to set up client to client file shares.

tftp'ing images to routers/switches would be an example, where the network device itself is one of the computers in the equation.

Accessing video/images from a networked camera would be another example.

File sharing, AirPlay, shared USB printers, Remote Desktop, VNC, SSH etc. But it's usually best to keep client to client communication to a minimum in all but the smallest networks.

CCIE Collaboration · 3 points · 7 days ago

VoIP a lot of times either with deskphones or softphones.

When transferring just a file it would be only 2 computers. Or if you had a P2P connection, those two hosts are doing the communicating. A lot of the time, when they say things like that they just mean it as a simple representation of what is going on.

Bluetooth ?

Our environment has big concrete pillars and ceilings with different heights. This impedes the wifi signal in a few conference rooms and offices. Is there an enterprise-grade product that can reflect the wifis off a wall or something? I'd like to avoid purchasing more APs if I can.

Just because it amuses me, leaky feeders with cable going from room to room.

There are paints and window tints that may accomplish this, but the best approach is the design

Tinfoil.

I created 3 daily reports in Cisco Prime about 2 months ago: AP Client Count, Daily Threshold Violations, and average utilization, all sent as .csv files. I set all the reports to be emailed to me at 6:00 AM.

Slowly but surely, all the reports have been showing up in my email later and later, I'd say around a few minutes later each week. At this point, instead of 6:00, they now show up around 6:25 - 6:30. Anyone else experience this, and if so, what's the cause and resolution?

CCNA (expired) · 1 point · 7 days ago

Probably obvious but did you check the time sync status of whatever Cisco Prime is running on?

Not totally obvious to me. : /

Everything's good with our NTP servers. As far as the actual VM host Prime is on, I'd have to reach out to others to check that.

CCNA (expired) · 2 points · 7 days ago

Virtual Machines often drift if they aren't set to sync to an external source.

K12 Infrastructure Focused · 1 point · 7 days ago

Stupid question, but do you have the clock set correctly (or NTP) on Prime?

Yep

CCNA, JNCIA · 1 point · 7 days ago

Prime is an interesting beast. Not sure if it's memory leaks or stuck jobs or what, but I'm betting if you reboot the VM it will go back to close to 0600.

How long does the job actually take to run? You can see this info on the job dashboard page.

The jobs take 7-12 secs, depending on which one it is. Weird thing is, they say the next time they're scheduled to run is tomorrow (daily report) at 0627.

This deployment of Prime is a shit show. It was one of the first things the team dumped on me when I started here a few months ago. Now I know why.

CCNA, JNCIA · 1 point · 7 days ago

Oh haha I see. Ok that's a new one to me, my environment sees jobs progressively taking longer which would neatly explain what you're seeing.

Is the schedule creeping backwards by 7-12 seconds each day?

guilty until proven innocent · 2 points · 7 days ago

Is there any practical application to using stub areas on a modern network? From what I understand, their main purpose is to limit the amount of LSAs/route table entries for routers that don't need to know about specific inter-area/external routes.

Given that routers have more resources than they used to, is there any real point in purposely including a stub area in a design? The only way I could see it making sense is if you want to redistribute an insane number of routes into OSPF and can't summarize.

Cleaner routing table that's easier to interpret. Faster convergence. Some licenses only support stub - e.g. Cisco LAN Base on newer switches supports EIGRP stub for routed access.

Studying Cisco Cert · 3 points · 7 days ago

Why can't you set more than one untagged VLAN on a port?

So when you send traffic into the port, how will the switch know which VLAN it goes into?

That's basically why.

Studying Cisco Cert · 2 points · 7 days ago

Cool! Thanks! We've got a Hyper-V server set up with multiple servers running on say... VLAN 104. The switchport to that server is set up as VLAN 104 Untagged. Say I want to start another VM up with a different VLAN (say VLAN 105).

So if I wanted to allow multiple VLANs to enter my server and have them work with VMs...

  • Set the switchport to the server as vlans 104, 105 TAGGED - This is so that the switchport will pass along traffic tagged as either VLAN104 OR VLAN105

  • Inside each Virtual Machine itself on the Hyper-V server, set their VLAN to whatever they should be (i.e. The 'original servers' would be VLAN104, and the 'new' server would be set to VLAN 105).

I don't really have a test-bench to test this out myself, so any changes/troubleshooting I would have to do in the off-hours when nobody is using our system.

I think the above makes sense. If not, please lead me to the promised land of VLAN knowledge.

Thanks :)

Sysadmin also responsible for network sorry · 3 points · 7 days ago

You could tag both (which would be preferred in most situations), or you can do one VLAN untagged and others tagged. This would mean less outage as you don't have to configure the server to accept tagged traffic on VLAN 104.

How you do this depends on your vendor.
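Why a port can carry only one untagged VLAN, and how "one untagged plus others tagged" works at the frame level, is easier to see with a small model than in prose. This is an added example, not code from the thread or from any switch vendor: it builds Ethernet frames with and without an 802.1Q tag, then models a port with a single PVID (the untagged VLAN) and a set of tagged VLANs. The MAC addresses and payload are constructed, and the port layout matches the Hyper-V host in the question (VLAN 104 untagged, VLAN 105 tagged).

```python
import struct

TPID_8021Q = 0x8100

# Constructed MAC addresses for the sample frames.
MAC_SERVER = bytes.fromhex("020000000104")
MAC_GATEWAY = bytes.fromhex("020000000001")


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet II frame, inserting an 802.1Q tag when vid is given."""
    frame = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)             # TCI = PCP(3) DEI(1) VID(12)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_vid(frame):
    """Return the VID from the 802.1Q tag, or None if the frame carries no tag."""
    if len(frame) < 14:
        raise ValueError("truncated frame")
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 16:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF


def strip_tag(frame):
    """Remove the 802.1Q tag if present (the frame as an access port would see it)."""
    return frame[:12] + frame[16:] if parse_vid(frame) is not None else frame


def add_tag(frame, vid):
    """Insert an 802.1Q tag into an untagged frame."""
    if parse_vid(frame) is not None:
        return frame
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


class Port:
    """A switch port holds at most ONE untagged VLAN (its PVID) plus any number of tagged VLANs."""

    def __init__(self, pvid=None, tagged=()):
        self.pvid = pvid
        self.tagged = set(tagged)

    def ingress_vlan(self, frame):
        """Classify an arriving frame: returns the VLAN it joins, or None if it is dropped."""
        vid = parse_vid(frame)
        if vid is None or vid == 0:          # untagged or priority-tagged: nothing names a VLAN,
            return self.pvid                 # so the PVID claims it (None if the port has no PVID)
        return vid if vid in self.tagged else None

    def egress(self, vlan, frame):
        """Send a frame out of this port from the given VLAN: untagged for the PVID, tagged otherwise."""
        inner = strip_tag(frame)             # the switch re-tags on egress; the ingress tag is not kept
        if vlan == self.pvid:
            return inner
        if vlan in self.tagged:
            return add_tag(inner, vlan)
        return None


# The Hyper-V host port from the thread: VLAN 104 untagged, VLAN 105 tagged.
SERVER_PORT = Port(pvid=104, tagged=[105])
# A pure trunk with no PVID drops untagged traffic altogether.
TRUNK_PORT = Port(pvid=None, tagged=[104, 105])

UNTAGGED_FRAME = build_frame(MAC_GATEWAY, MAC_SERVER, 0x0800, b"constructed-ip-payload")
TAGGED_105 = build_frame(MAC_GATEWAY, MAC_SERVER, 0x0800, b"constructed-ip-payload", vid=105)
TAGGED_106 = build_frame(MAC_GATEWAY, MAC_SERVER, 0x0800, b"constructed-ip-payload", vid=106)

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED_FRAME), ("tag 105", TAGGED_105), ("tag 106", TAGGED_106)):
        print(f"{name:>9} -> VLAN {SERVER_PORT.ingress_vlan(frame)}")
```

The `Port` class has a single `pvid` attribute because an untagged frame carries nothing that could select between two candidates; on the egress side the same field decides which one VLAN leaves the port with its tag stripped. A frame tagged 106 is dropped rather than silently mapped, which is the behaviour you want on the host-facing port.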

Studying Cisco Cert · 2 points · 7 days ago

Will probably go with this method instead of using Hyper-V virtual switches like u/da_kink mentioned as there's a perverse hatred against using PowerShell/CLIs for stuff at this shop... :\ Everyone seems to think that it's "hidden configuration"... :|

on Hyper-V you could also create multiple vSwitches and assign the vlan to those. You can then assign the vm to the switch instead of the vm itself. Might save some switching around later on.

For egress traffic, I suppose it would just forward all the broadcast domains' traffic.

But how do you propose ingress traffic would be handled? To which broadcast domain would it belong?

Studying Cisco Cert · 1 point · 7 days ago

> For egress traffic, I suppose it would just forward all the broadcast domains' traffic.
>
> But how do you propose ingress traffic would be handled? To which broadcast domain would it belong?

Good point. Thank you! :)

flair goes here · 0 points · 7 days ago

Not at all related to what you're doing, but you can sort of do this with 802.1x or MAC authentication.

Basically, when a frame comes into the switch, it goes into a VLAN based on a setting returned from your RADIUS server. This can be useful if your switches don't auto-detect VoIP devices and you need to assign phones and computers to different VLANs. Also handy in a campus setting where you don't want to be manually changing VLANs all day. Just configure your RADIUS server to return the correct VLAN for a given MAC/User/OUI, or whatever options your server supports.

This is generally more of an edge switch setting than something that you'd deploy in a data center.

ETA: This doesn't really provide a secure VLAN all the way to the edge device, as all traffic that egresses the port goes out untagged (otherwise it will be dropped by the client), and is visible to any other device connected to it, and could therefore be sniffed.
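The RADIUS side of dynamic VLAN assignment described above is standardised: an Access-Accept carries Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6) and Tunnel-Private-Group-ID = the VLAN, and the switch moves the port accordingly (RFC 3580, attribute formats from RFC 2868). The following is an added example, not code from the thread or from any RADIUS server: it encodes those three attributes as a server would, parses them as a switch would, and refuses anything that is incomplete, not a VLAN assignment, or out of range. The policy table, identities and the guest VLAN number are constructed placeholders. Note that when the identity is only a MAC address or OUI, the assignment is only as trustworthy as that address.

```python
import struct

# RADIUS attribute numbers and enumerations from RFC 2868 / RFC 3580.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
GUEST_VLAN = 99   # constructed: where unknown devices land

# Constructed policy table. A real server would key on the authenticated username,
# certificate, MAC address or OUI; the keys here are just illustrative labels.
VLAN_POLICY = {
    "oui:00:11:22": 20,   # constructed: a phone vendor's OUI -> voice VLAN
    "user:alice": 10,     # constructed: staff account -> data VLAN
}


def lookup_vlan(identity):
    """RADIUS-server side: map an identity to the VLAN it should be placed in."""
    return VLAN_POLICY.get(identity, GUEST_VLAN)


def _avp(attr_type, value):
    """One RADIUS attribute: Type(1) Length(1) Value, length counting the header."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def vlan_attributes(vlan_id, tag=0):
    """Encode the three attributes an Access-Accept carries to assign a VLAN.

    Tunnel attributes start with a one-octet tag (0 = unused), followed by a
    3-octet integer for the enumerated types or the string for the group id.
    """
    return (_avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def parse_attributes(blob):
    """Walk a sequence of RADIUS attributes; returns {type: value}. Rejects malformed lengths."""
    attrs, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        attrs[attr_type] = blob[i + 2:i + length]
        i += length
    return attrs


def switch_apply(blob):
    """Switch side: the VLAN the authenticated port joins, or None (leave the port where it is)
    if the attributes are missing, not a VLAN assignment, or out of range."""
    attrs = parse_attributes(blob)
    if not all(t in attrs for t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)):
        return None
    if int.from_bytes(attrs[TUNNEL_TYPE][1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE][1:], "big") != TUNNEL_MEDIUM_IEEE_802:
        return None
    group = attrs[TUNNEL_PRIVATE_GROUP_ID]
    if group and group[0] <= 0x1F:           # RFC 2868: a leading octet <= 0x1F is the tag
        group = group[1:]
    try:
        vid = int(group.decode("ascii"))     # assumption: numeric VLAN id, not a VLAN name
    except (UnicodeDecodeError, ValueError):
        return None
    return vid if 1 <= vid <= 4094 else None


def authenticate(identity):
    """End to end: server decides, attributes cross the wire, switch applies them."""
    return switch_apply(vlan_attributes(lookup_vlan(identity)))


if __name__ == "__main__":
    for who in ("oui:00:11:22", "user:alice", "user:unknown"):
        print(f"{who:>14} -> VLAN {authenticate(who)}")
```

`switch_apply` returns None rather than a default VLAN on anything malformed, so a bad or partial reply cannot move a port; the caller decides whether that means "stay in the guest VLAN" or "fail closed", which is a policy choice for the switch configuration, not the parser.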

CCNA · 1 point · 7 days ago

I'm working on configuring failover for our WAN connection. We have a wireless device connected to our firewall for when our primary WAN connection is down. One of the recommendations for link monitoring is to establish a TCP connection to a "host that permits idle TCP connections". Does anyone have any recommendations? google.com?

CCWE (Cisco Certified Webex Expert) · 1 point · 6 days ago

I would stand up a cheap AWS/Azure/GCE box in a region close to you and point to that.

I drink and I route things · 1 point · 7 days ago

Why is peering so simple on the surface? It's easy to say "You need to have at least 100Mbps of traffic before we peer". But the rule never applies since you may be pissing off a different PNI agreement?

1 point·6 days ago·edited 6 days ago

(New to r/networking community, I hope this is the right place for this question given the name of the thread!)

Thank you in advance for your insight, here is my question:

I am at a non-profit, in which the campus has two buildings. The one building that has the offices (and an existing broadband internet connection) is separated by the parking lot and a street from the other building (maybe around 300 feet).

The second building has no internet access, and I spoke with the internet provider and they said they could of course install a second modem in that building, which would essentially be another internet bill. Is there a good wired or wireless solution to connect these two buildings via one modem? What would be the setup and approximate cost?

(Of course the street is government-owned, so I doubt the possibility of running a cable below or above ground, unless you know it could be done from a prior experience.)

Thanks!

Campus Diagram

Buildings 1 and 2, Parking Lots A and B, Road Sign, and Distance = 275 feet

Ubiquiti AirFiber 24 - have it running 700 Mbps across roads (commercial / high traffic) over 400 feet without missing a beat.

APs are about 2500aud but worth their weight in gold.

I looked into the Ubiquiti AirFiber 24, and I would absolutely love to have a pair of those, those look freaking awesome. However, the price point is not reasonably within our budget. What is the best solution you could recommend at (all together $1000 or less)? I also was wondering if this item on Amazon would do what I am wanting to do:

Ubiquiti Powerbeam Outdoor

For sure... we just opted out of 2.4 and 5 GHz due to the area being highly commercial and residential so the number of existing services was clobbering their existing 5 GHz (run using a pair of HPE access points initially)

1 point·6 days ago·edited 6 days ago

Additionally: we also have a sign at the street on the office building side (halfway between the two buildings), in which we could use the existing power infrastructure to power something in the middle if needed.

Not needed - have also had two 54 Mbps wireless links running across water (bay) at 15 miles+ (23 km) -- line of sight is everything.
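"Line of sight" for a point-to-point radio link means more than being able to see the far antenna: the first Fresnel zone around the straight path also has to be mostly clear (the common rule of thumb is 60% of its radius), and that zone is widest at mid-span and shrinks as frequency goes up. The following is an added example, not from the thread: it computes the first-zone radius and the 60% clearance for the 275-foot span in the question at the three bands mentioned in this sub-thread (2.4 GHz, 5 GHz and the 24 GHz band the AirFiber 24 uses). The formula is the standard one; the span and the 60% fraction are the inputs assumed here.

```python
import math

C = 299_792_458.0          # speed of light, m/s
FT_TO_M = 0.3048


def fresnel_radius_m(freq_hz, d1_m, d2_m, n=1):
    """Radius of the n-th Fresnel zone at a point d1 from one end and d2 from the other:
    r_n = sqrt(n * wavelength * d1 * d2 / (d1 + d2))."""
    if freq_hz <= 0 or d1_m < 0 or d2_m < 0 or d1_m + d2_m == 0:
        raise ValueError("frequency must be positive and the span non-zero")
    wavelength = C / freq_hz
    return math.sqrt(n * wavelength * d1_m * d2_m / (d1_m + d2_m))


def midspan_clearance_m(freq_hz, span_m, fraction=0.6):
    """Obstacle clearance needed at mid-span; the usual rule keeps 60% of the first zone free."""
    half = span_m / 2
    return fraction * fresnel_radius_m(freq_hz, half, half)


def link_report(span_ft, freqs_ghz=(2.4, 5.0, 24.0)):
    """For each band: (first Fresnel radius at mid-span in m, 60% clearance in m), rounded to cm."""
    span_m = span_ft * FT_TO_M
    return {
        f: (round(fresnel_radius_m(f * 1e9, span_m / 2, span_m / 2), 2),
            round(midspan_clearance_m(f * 1e9, span_m), 2))
        for f in freqs_ghz
    }


if __name__ == "__main__":
    # The 275-foot campus link from the question (constructed input from the thread's own figure).
    for f, (radius, clearance) in link_report(275).items():
        print(f"{f:>5} GHz: first Fresnel radius {radius} m at mid-span, keep {clearance} m clear")
```

Over 275 feet the zone is modest (about 1.1 m radius at 5 GHz, 0.5 m at 24 GHz), so a sign or parked van just below the line of sight matters more than it looks. The same function at 23 km and 5 GHz gives a mid-span radius of roughly 18 m, which is why the long over-water link in the comment above depends so heavily on clear line of sight.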

Is there a nice website out there that one can use to easily keep track of network equipment in use nowadays and for equipment that will be coming out and/or is obsolete?

SP NOC Engineer · 2 points · 7 days ago

Netbox has inventory management. Not a website exactly but once you install it it will be a website. 🙂

It's hard to say a definitive source. For equipment being obsolete probably the best way to go is through the manufacturer who lists and announces things.

Networkworld has news and updates, but the field is so so broad now.

That's understandable, a lot of manufacturers and equipment to keep track of, would be a huge project in itself, thanks for the input.

CCWE (Cisco Certified Webex Expert) · 1 point · 7 days ago

Most manufacturers have reference designs you can look at. That would give you a start on what kind of gear is in-use these days.
