newworldmonkeys2 commented on a post in r/networking
GaryOlsonorg 4 points

How do I traceroute a multicast network path? Every page I find is a conglomeration of checking igmp-snooping and pim at multiple points on the switch and router assuming you have a multicast source operating.

newworldmonkeys2 2 points

How do I traceroute a multicast network path?

There is an "mtrace" standards proposal which is implemented by some vendors. This mtrace provides similar functionality to a traditional traceroute, but it's built around an active query/response mechanism - which means that all multicast routers in the path must support mtrace in order for it to function.

https://tools.ietf.org/html/draft-ietf-mboned-mtrace-v2-23

I know that Cisco in particular supports this, simply with the mtrace command (Basic Multicast Troubleshooting Tools). I don't actively work with multicast these days so I can't comment on whether you'll find this available on other vendors' gear.

newworldmonkeys2 commented on a post in r/networking
seanx820 3 points

People are doing this, Google around for layer 3 to the host. People are running vrouters, or running VyOS, FRR, Bird or something to peer servers to ToR. Outside of data center I have not seen this yet... Cumulus Networks has a cool technology called redistribute neighbor that could possibly work for campus networks as well as DC. Although the switches they sell are geared towards DC. VLANs are stupid simple so will remain popular for a long time.

Also Google search for Medallia routing on host, super interesting talk they did at a Meetup in Silicon Valley.

newworldmonkeys2 3 points

People are doing this, Google around for layer 3 to the host. People are running vrouters, or running VyOS, FRR, Bird or something to peer servers to ToR.

True, but to be clear - this is done much more for redundancy, failover time, performance, etc. than for any form of security like OP is discussing.

newworldmonkeys2 7 points

If security with this level of segmentation and isolation is required, the more appropriate solution is some form of NAC, combined with dynamic access policy and port-based access control. Cisco's ISE (with 802.1X and potentially integration of malware scans) is a good example of this.

newworldmonkeys2 commented on a post in r/networking
newworldmonkeys2 3 points

In ASDM if I just check the box "Use LOCAL if Server Group fails" on the AnyConnect Connection Profile, will I be able to use a local admin account to connect? Or do I need to add a local user to a group?

Yes, you should be fine just enabling that feature on the AnyConnect connection profile. No need to add users to a group, because there's not any real user group structure in the ASA's local database. Any local user is simply considered part of the LOCAL group, and that's all there is to it.

newworldmonkeys2 commented on a post in r/networking
newworldmonkeys2 3 points

It seems that it takes me multiple times to read a paragraph when first covering a topic to be able to retain anything more than a minute later.

Agreed, which is why I almost never make technical text books my first method of study. Since it sounds like you're asking specifically about certifications, I'll speak to that. Typically my study pattern for certs is something along the lines of:

  1. Watch a video course all the way through to get a general overview of all relevant topics - what the technologies do, why you'd use them, general overarching ideas of basic functionality and how all topics from start to finish fit together with one another.
  2. Read technical resources - text books, whitepapers, configuration guides, etc. to get a deeper understanding of nitty-gritty details.
  3. In tandem with #2, do lab work on relevant topics, specifically focusing on the side that the technical resources tend not to focus on. That is, technical resources tend to tell you how to do things correctly - I most often try to lab broken setups so that I can learn the symptoms of different misconfigs, and then their resolutions. This has proven one of the most effective ways that I learn the real deep-down, low-level behaviors of any topic.
  4. Re-watch either the same video course or a different video course as a sort of review, and to bring the focus back to the high level stuff and the overall picture of how all different topics are tied together.
  5. If any concepts are still a bit shaky, repeat #2, #3.
  6. Take the exam.

Basically, video courses tend to lack depth, while text-based learning resources are often more detailed and expansive but sometimes quite dry. It took me a decent number of certs to work out the above study method, but at this point it does work quite well for me to have those basic high-level overview concepts from step #1 rooted in my mind before attempting any deep dive.

newworldmonkeys2 commented on a post in r/Cisco
kjack9 12 points

Have you tried something like this?

  • show run <start of command you want to see>

ASA doesn't share a code base with IOS, so you shouldn't expect any given IOS feature to be available in ASA.

I like to think that ASA is just enough like IOS that you think you know what you're doing, but just different enough for you to shoot yourself in the foot.

newworldmonkeys2 1 point

I like to think that ASA is just enough like IOS that you think you know what you're doing, but just different enough for you to shoot yourself in the foot.

asav-lab1# sh ip int br
                     ^
ERROR: % Invalid input detected at '^' marker.
asav-lab1# 

Been working with ASAs for a few years now and this still bugs me :|

muxie2007 2 points

Yes, you get pretty much what you paid for. We have 4 of those and they are heavily used but never crumble. Also, when deploying them, have a plan on spinning up new ones with all your configs should they fail.

newworldmonkeys2 1 point

Perfect, thanks for the input!

newworldmonkeys2 commented on a post in r/networking
newworldmonkeys2 6 points

The desire is to add the new IP range to the existing VLAN interface. While I know how to add an "IP Secondary" to a standard VLAN interface, I am not sure if this is possible to do on an interface that is set up with HSRP.

This is possible; you just add secondary to the HSRP configs as well:

int vlan 100
ip address 192.168.1.254 255.255.255.0
ip address 192.168.2.254 255.255.255.0 secondary
standby 100 ip 192.168.1.1
standby 100 ip 192.168.2.1 secondary

Or as /u/geronimo1000 said, you can configure unique groups for each HSRP IP - this would allow you to have one HSRP IP active on switch1 and another HSRP IP active on switch2. With this setup you don't want to use the secondary keyword for the unique groups. For example:

!switch1:
int vlan 100
ip address 192.168.1.254 255.255.255.0
ip address 192.168.2.254 255.255.255.0 secondary
standby 101 ip 192.168.1.1
standby 102 ip 192.168.2.1
standby 101 priority 150
standby 102 priority 50

!switch2:
int vlan 100
ip address 192.168.1.253 255.255.255.0
ip address 192.168.2.253 255.255.255.0 secondary
standby 101 ip 192.168.1.1
standby 102 ip 192.168.2.1
standby 101 priority 50
standby 102 priority 150

Of course, all that said, if you can use entirely unique VLANs that would likely be ideal.

SS324 2 points

Why would you do this? Why not just create another vlan?

newworldmonkeys2 2 points

From the network admin perspective, yes, a new VLAN is almost always the proper way to go about this. Unfortunately I think in OP's case, he's facing resistance from other parties (maybe unknowledgeable management that refuses to take the word of the network admin, maybe server admins that are not able to easily coordinate any changes this may force onto their systems, etc.).

One example of a valid use case from the networking point of view would be an IP migration. If you're planning to change the subnet (e.g. expanding a /24 to a /23), eventually decomming the old subnet entirely, then secondary IPs can facilitate that migration and make it a bit more seamless, as opposed to having to change everything over to a new VLAN as well.

newworldmonkeys2 commented on a post in r/networking
newworldmonkeys2 2 points

This is the thing that I need to know: Does LLDP use BPDUs the same way CDP does? This is, again, a manufacturing group, so many of the switches (even the Cisco industrials) will use MST instead of PVST and LLDP instead of CDP due to IEEE standards and licensing. Do I need to enable LLDP on all of these switches and see if any ports get shut down?

I think there's a misunderstanding here - and maybe I'm taking a bit of a leap, but I think you are misunderstanding what a BPDU is. CDP doesn't use BPDUs, LLDP doesn't use BPDUs, just STP (all varieties) uses BPDUs. CDP and LLDP do use PDUs - protocol data units - which is really just a very generic term to describe the framing and formatting of any particular protocol's data flows. A single CDP packet/frame can be called a CDP PDU, a single LLDP packet/frame can be called an LLDP PDU. A single STP packet/frame is called a bridge PDU, or BPDU.

To sum that up - CDP and LLDP use their own PDUs, but not BPDUs, because a BPDU is specific to STP, which serves an entirely separate purpose from CDP and LLDP.

And with that in mind, to clarify your final question directly - LLDP will not in any way, ever, cause a port to be disabled. Go ahead and enable LLDP on your Cisco switches, it may indeed help you glean some more detail. But then again, it may not, you might just see the same neighbors as with CDP.

Anyways, apologies if I made some assumptions and explained things you already knew. But hopefully at least some piece of this has been helpful!

binarycow 2 points

CDP doesn't use BPDUs, LLDP doesn't use BPDUs, just STP (all varieties) uses BPDUs.

On my HP switches, enabling BPDU Guard breaks 802.1x. So either HP is doing some weird stuff, or 802.1x is using a BPDU (Not a STP BPDU, but a BPDU nonetheless).

newworldmonkeys2 1 point

On my HP switches, enabling BPDU Guard breaks 802.1x.

Huh, interesting. My suspicion would be that this is just a flaw in HP's implementation of BPDU guard, though personally I've never touched HP gear so that's pure speculation on my part.

Good to know, regardless.

newworldmonkeys2 commented on a post in r/networking
Cloudineer 7 points

That would be correct, yes. We have some on 8.4.7 and "webvpn" still shows up in the configuration even after the command. However I'm not able to connect to the device on TCP/443 from a non-management IP address, so I'm assuming that means we're safe.

newworldmonkeys2 3 points

Sounds like you're okay, but you might run show asp table sockets to verify.

Cloudineer 1 point

Perhaps I'm misunderstanding, but won't it show a listening socket for management regardless of the state of webvpn?

newworldmonkeys2 1 point

Right, if you have ASDM enabled, yes. I overlooked that because most of my ASAs are only managed via SSH.

newworldmonkeys2 commented on a post in r/networking
kWV0XhdO 5 points

Paste the result into the comments box, highlight all and indent as code.

Wait, what? Can I get a tutorial on indenting a bunch of lines all at once in a reddit comment box?

newworldmonkeys2 5 points

This seems like a genuine question but for some reason reads as sarcasm to me. Either way, legitimate answer: Reddit Enhancement Suite browser addon.

newworldmonkeys2 commented on a post in r/networking
newworldmonkeys2 1 point

I've got to say - it's great that you're asking these questions. Stay curious and you'll go far. Here, I'm going to try to answer your question with a question of my own.

First, some basic groundwork of the functionality of HSRP (and other first-hop redundancy protocols):

  • There is one shared virtual IP between the two devices
  • Each device also has its own unique dedicated IP (though in the case of some protocols like this, VRRP for instance, the virtual IP can potentially coincide with one of the dedicated IPs)
  • This virtual IP has its own unique MAC - separate from the hardware MACs of the devices
  • There's no active "peer" relationship between the devices - each device simply expects to hear hello packets from the other periodically, and if it stops receiving these hellos, it assumes the other device is down in some way, and takes over as active

So your question - how does the router signal to the rest of the network that it is now in charge of the virtual IP?

The switch(es) that the routers are connected to know nothing of HSRP itself, all that the switch sees is frames to be forwarded out one port or another. Ignoring HSRP itself for a moment, in terms of basic switching functionality, what might cause a switch to begin forwarding traffic for the virtual IP out of port #2 instead of out the original port #1?

doughboyfreshcak 1 point

That is exactly my question! I wasn't sure how to word it. So I understand layer 2 switches are in a sense dumb, compared to a router, and would not know to send it through port #2 instead since the hello messages from router .1 have stopped, so what stops the switch from sending packets from port #1 to port #2 now since router .2 has taken the role as active router?

newworldmonkeys2 1 point

The new active router has to force the switch to update its MAC address table. The only time that a switch will move a MAC from one port to another is if it receives traffic from that MAC as the source on some new port. So the new active router, as soon as it goes active, must send at least one unsolicited frame into the network using the virtual MAC as the source MAC.

In the case of HSRP (and again, many other similar redundancy protocols), this is done with gratuitous ARP. Gratuitous ARP is essentially just an ARP reply when there has been no ARP request. As soon as a device takes over as HSRP active, it will send out at least one gratuitous ARP packet, forcing the layer 2 network to re-learn the virtual MAC on the new port.

You can read more about this functionality with HSRP specifically here:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/15-sy/fhp-15-sy-book/HSRP-Gratutious-ARP.html

Though as I mentioned, gratuitous ARP is used often with other similar redundancy protocols - or more generally, in any situation that some networked device might want to ensure that the MAC address tables on switches are fully up to date.

Edit - Apologies, it seems that article doesn't go super in-depth on how it's used with HSRP. Here's one with a bit more detail, which also expands on different use cases for gratuitous ARP:

http://www.practicalnetworking.net/series/arp/gratuitous-arp/
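As an added illustration of the two answers above (not code from the thread or from Cisco), the following simulates the switch's MAC table and the gratuitous ARP the new active router sends. The HSRP version 1 virtual MAC format 0000.0c07.acXX (XX = group number) is real; the switch model, port numbers and the 192.168.1.1 virtual IP are constructed for the example, and the gratuitous ARP is encoded in the broadcast ARP-request form (sender IP equal to target IP).

```python
import struct

BROADCAST_MAC = b"\xff" * 6
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def hsrp_v1_virtual_mac(group: int) -> bytes:
    """HSRP version 1 virtual MAC is 0000.0c07.acXX, where XX is the group number."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group numbers are 0-255")
    return bytes.fromhex("00000c07ac") + bytes([group])


def build_arp(src_mac: bytes, src_ip: str, dst_ip: str, opcode: int = ARP_REQUEST) -> bytes:
    """Ethernet II frame carrying an IPv4 ARP packet, addressed to the broadcast MAC."""
    def ip_bytes(ip: str) -> bytes:
        return bytes(int(octet) for octet in ip.split("."))
    # The target MAC is all zeros in a request; a reply echoes the sender MAC.
    target_mac = b"\x00" * 6 if opcode == ARP_REQUEST else src_mac
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      src_mac, ip_bytes(src_ip), target_mac, ip_bytes(dst_ip))
    return BROADCAST_MAC + src_mac + struct.pack("!H", ETHERTYPE_ARP) + arp


def build_gratuitous_arp(vmac: bytes, vip: str) -> bytes:
    """Gratuitous ARP: the sender announces its own IP, so sender IP == target IP."""
    return build_arp(vmac, vip, vip, ARP_REQUEST)


def is_gratuitous_arp(frame: bytes) -> bool:
    """True when the frame is an ARP whose sender and target protocol addresses match."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return False
    fields = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    sender_ip, target_ip = fields[6], fields[8]
    return sender_ip == target_ip


class MacTable:
    """Minimal switch MAC table: an entry moves only on a frame *sourced* from that MAC."""

    def __init__(self) -> None:
        self.entries = {}

    def learn(self, frame: bytes, ingress_port: int) -> None:
        src_mac = frame[6:12]
        self.entries[src_mac] = ingress_port

    def lookup(self, dst_mac: bytes):
        # None means unknown unicast: the switch would flood the frame.
        return self.entries.get(dst_mac)


def simulate_hsrp_failover(group: int = 100, vip: str = "192.168.1.1"):
    """Return the port the switch forwards the virtual MAC to before and after failover."""
    vmac = hsrp_v1_virtual_mac(group)
    switch = MacTable()
    # Router 1 is active on port 1: frames sourced from the virtual MAC are learned there.
    switch.learn(build_gratuitous_arp(vmac, vip), ingress_port=1)
    before = switch.lookup(vmac)
    # Router 1 stops sending hellos; router 2 on port 2 goes active and sends a gratuitous ARP.
    garp = build_gratuitous_arp(vmac, vip)
    assert is_gratuitous_arp(garp)
    switch.learn(garp, ingress_port=2)
    after = switch.lookup(vmac)
    return before, after


if __name__ == "__main__":
    print(simulate_hsrp_failover())  # (1, 2)
```

Until router 2 sources a frame from the virtual MAC, the switch keeps forwarding to port 1 no matter what HSRP state the routers are in; the gratuitous ARP is that frame.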

newworldmonkeys2 commented on a post in r/networking
Poulito 1 point

The active/standby pair do not send the active ip on both units in an HA pair.

What kind of connection is this? Physical cable? Routed vlan? VPN? Let’s start there.

Edit: if the stand-alone ASA is using redundant interfaces, the standby interface becomes active only when the primary interface fails. It's not clear to me if the standby interface is in an up/up, up/down, or down/down state. That may be what the problem is here though. Can you shim a switch in between the pair and the stand-alone ASA and see if that helps the HA standby change from failed? The metrics that determine if an interface is failed for failover are L2 and L1. L3 does not come into play there unless there is a track command with a ping going, so it is not an IP addressing issue.

newworldmonkeys2 1 point

if the stand-alone ASA is using redundant interfaces, the standby interface becomes active only when the primary interface fails.

I think this line needs to be highlighted here.

/u/nzwasp, because of this behavior, your failover will only trigger correctly in scenarios where the link between the primary ASA and the standalone ASA is seen as physically down by the standalone ASA. An example of where this would cause a problem is if some other interface on the primary ASA fails, then the secondary will take over - but the standalone ASA will know nothing about this and will continue to send traffic to the primary ASA.

Best practice with ASAs in an HA pair is, for each interface, to have a single layer 2 domain that both the primary and secondary connect to. The standalone ASA does not bridge the layer 2 domains in this case, thus you are outside of the recommended setup and could very well run into some unexpected failover failures as described above.

tl;dr - put a switch between the standalone and the pair.

newworldmonkeys2 commented on a post in r/networking
newworldmonkeys2 6 points

I just need to show them that the packet is getting to the server, or at least the wire to the server. The issue is there are also normal UDP streams between the servers. I can't for the life of me find something that shows me the source address I should be seeing for multicast traffic. Is it the true source, or the multicast group address?

The packet, when it enters the receiver's NIC, will still have a destination IP of the multicast group. The source IP is likely simply the real IP of whatever server the stream is sent from - though this is not strictly necessary, and there might be some use case where this would not be true.

tl;dr - if you have a packet capture, simply filter based on the multicast group IP as the destination.

Otherwise:

Short version - I'm looking for something that diagrams what a multicast packet looks like as it flows through the tree. I can't find the magic phrase for google to spit out what I need.

There are some command line tools for this sort of thing, platform-dependent obviously. For example, some basic troubleshooting on Cisco devices can be done with mtrace and ping:

https://www.cisco.com/c/en/us/support/docs/ip/ip-multicast/13726-57.html#mtrace

Edit - To be clear, all of the above is regarding layer 3 multicast. If your post is in reference to strictly layer 2 multicast then this may not necessarily apply.

newworldmonkeys2 commented on a post in r/networking
newworldmonkeys2 2 points

I don't care so much about individual tunnels, just IPSEC usage as a whole.

There are some global stats you can pull this from in CISCO-IPSEC-FLOW-MONITOR-MIB.

cipSecGlobalInOctets - 1.3.6.1.4.1.9.9.171.1.3.1.3.0
cipSecGlobalOutOctets - 1.3.6.1.4.1.9.9.171.1.3.1.16.0

I've got a Zabbix setup that polls these and graphs the aggregate of the two for total IPSec usage on the ASA. Can't really comment on doing the same in Solarwinds but I'd imagine it must be possible.

newworldmonkeys2 commented on a post in r/networking
newworldmonkeys2 40 points

My only guesses are these switches are just now rebooting for the 1st time since the July changes occurred and have lost their config.

It should be simple to be sure of whether the switches are rebooting - are they, in fact, rebooting?

Well now we have shutoff the tftp server and disabled the service, yet we are still seeing this behavior.

You realized that there were some switches pulling old configs, likely due to unsaved changes - have you not gone back into every single switch and issued a copy run start to ensure that all configs are saved?

newworldmonkeys2 commented on a post in r/Cisco
CBRjack 5 points

Since your cert is expired, it's exactly the same as if you never had it in the first place. You can do both exams separately.

newworldmonkeys2 3 points

Since your cert is expired, it's exactly the same as if you never had it in the first place.

Right, this.

To make this clear: you simply cannot renew an expired cert. You can only renew active certs.

OP, in your case, you are not looking to renew a cert anymore, you are now looking to earn the CCNA from scratch - which you can indeed do by passing ICND1 and ICND2 separately.

newworldmonkeys2 commented on a post in r/ccna
newworldmonkeys2 5 points

Yes, as long as you're the type of person to keep yourself motivated and on track. Just make sure to be thorough and study based around the official exam topics listed on Cisco's site. Most online video courses and text books will stay centered on those well enough, but always go back to the exam topics just to ensure you're solid on each.

www.cisco.com/go/ccna

newworldmonkeys2 commented on a post in r/ccna
visionarygvp 1 point

I think I have the converting IPs to binary and vice versa. At this very moment I'm a little stuck on subnet masks and CIDR notation.

I’m reading that the CIDR tells how many bits are the same for each IP on the subnet.

It gives me 192.168.0.0/24 1100 0000 - 1010 1000 - 0000 0000

How are the first 24 bits the same? I’m trying to find the best way for me to understand.

newworldmonkeys2 2 points

How are the first 24 bits the same? I’m trying to find the best way for me to understand.

It means that the first 24 bits are the same between all IPs in this subnet. As an example, for a typical 192.168.10.0/24 subnet (255.255.255.0 mask), all IPs 192.168.10.100, 192.168.10.241, 192.168.10.1, and 192.168.10.48 will begin with the same 24 bits.

Or to put it another way, 192.168.10 translates to binary 11000000.10101000.00001010. So any IP within the 192.168.10.0/24 subnet will begin with exactly those 24 bits. If any of the first 24 bits were different from what's listed here, then that IP would by definition simply be in a different subnet.

Essentially, a subnet is just defined by 1. deciding the amount of bits in the mask (i.e. define the subnet mask) and 2. deciding the value of those bits (i.e. define the network ID).
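The two steps above, carried through in code as an added example (not from the thread): the mask fixes how many leading bits count, the network ID fixes their value, and every host in the subnet shares exactly those bits. It uses the same 192.168.10.0/24 hosts as the answer and also shows what a /23 does to a neighbouring address.

```python
import ipaddress


def to_bits(ip: str) -> str:
    """Dotted binary form, e.g. 192.168.10.0 -> 11000000.10101000.00001010.00000000."""
    return ".".join(f"{int(octet):08b}" for octet in ip.split("."))


def prefix_to_mask(prefix: int) -> str:
    """/24 -> 255.255.255.0: the first `prefix` bits set, the remaining host bits clear."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0-32")
    mask_int = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask_int))


def network_id(ip: str, prefix: int) -> str:
    """AND the address with the mask: keeps the first `prefix` bits, zeroes the host bits."""
    mask_int = int(ipaddress.IPv4Address(prefix_to_mask(prefix)))
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(ip)) & mask_int))


def shared_leading_bits(ips) -> int:
    """Count how many leading bits every address in the list has in common."""
    bit_strings = [f"{int(ipaddress.IPv4Address(ip)):032b}" for ip in ips]
    shared = 0
    for column in zip(*bit_strings):
        if len(set(column)) != 1:
            break
        shared += 1
    return shared


def same_subnet(ips, prefix: int) -> bool:
    """All addresses are in one /prefix subnet exactly when their network IDs are identical."""
    return len({network_id(ip, prefix) for ip in ips}) == 1


if __name__ == "__main__":
    hosts = ["192.168.10.100", "192.168.10.241", "192.168.10.1", "192.168.10.48"]
    for host in hosts:
        print(f"{host:>16}  {to_bits(host)}  net={network_id(host, 24)}")
    print("shared leading bits:", shared_leading_bits(hosts))
```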

newworldmonkeys2 commented on a post in r/networking
newworldmonkeys2 2 points

ASA 9.6 Config Guide - Routed and Transparent Mode Interfaces

Transparent Mode and Bridge Group Guidelines
* <snip>
* Each directly-connected network must be on the same subnet.
* The ASA does not support traffic on secondary networks; only traffic on the same network as the BVI IP address is supported.
* For IPv4, an IP address for the BVI is required for each bridge group for both management traffic and for traffic to pass through the ASA. IPv6 addresses are supported, but not required for the BVI.
* <snip>
* The BVI IP address must be on the same subnet as the connected network. You cannot set the subnet to a host subnet (255.255.255.255).
* <snip>

newworldmonkeys2 commented on a post in r/networking
VA_Network_Nerd 4 points

IMO: Don't bother with interface cost.
Focus on device priority.

newworldmonkeys2 5 points

With his topology, priority/bridge ID alone is not going to guarantee that the first downstream switch prefers the fiber path.

/u/jburm - You'll want to do two things here:

  • Set "switch A" to have a low priority value so that it takes root.
  • Set the copper link between "switch A" and the first downstream switch to some cost value higher than the default (doesn't matter what value, just has to be greater than the fiber links). Do this on both ends of the link.

Note - The remaining copper links and the fiber links can remain at default costs.

newworldmonkeys2 commented on a post in r/ccna
newworldmonkeys2 6 points

First thing to note - I'm sharing this from my own experience, different points of views from others are still entirely valid, real concerns.

I'm part of the camp that says it's pretty difficult to be "over-certified" (assuming you passed all exams by legitimate means). Any reasonable employer should be able to take a CCNA, CCNP, even CCIE for exactly what it is - a guarantee that a person has a specific set of skills. A CCNP does not guarantee real-world experience, it does not guarantee anything outside of exactly what was tested on the exam. Any employer trying to look at a certification like these as any indication of real-world experience is a bit short-sighted.

I had CCNA R&S, CCNA Security, and was half-way through CCNP R&S before I ever touched a single real-world network device. All of my studying had been on my own time, via books, video courses, and my home lab. I did lack any of the practical experience of network administration, however I was still hired into a position managing Cisco and Arista gear, with EIGRP, BGP, DMVPN, multicast, etc. I was given a technical interview and showed that I knew the technologies at hand. However, I also made it clear that I was aware that I lacked the real-world experience - be honest about your limitations. Some employers may determine that the lack of experience trumps the technical knowledge - and that's fine, they have their own needs. In my case, the company took a chance with me because I was able to prove not only that I knew the technologies, but that I had had the drive, motivation, and ability to seek out this knowledge myself, rather than relying on any other external source (job experience, any senior admin mentor, teachers/classes, etc.) to push the knowledge onto me.

Both viewpoints are valid, I would say. It depends on who you are interviewing with. Some companies may be able to take the chance on a candidate without practical experience to back up the knowledge, and your motivation shown by your past self-study may even help you in interviews. Other companies, as evidenced by some of the comments here, may be very wary of someone with certifications and no experience. You run a bit of a risk either way.

--

On a separate note entirely:

Screw the idea of holding your own self study back so that you might possibly look better in interviews. Study for yourself, learn whatever it is that you find most interesting, and if you have the knowledge to do so, go get certified. Personally I believe that if an employer can't view my certifications as my own personal desire and motivation to learn, then they are not a company that I want to work for. I'd much rather follow my own passion for learning and potentially put this "over-certified" red flag on my resume than to trim and tailor my own personal desires to match what certain employers are looking for.

newworldmonkeys2 commented on a post in r/Cisco
newworldmonkeys2 4 points

Can anyone help me understand why anyone would NOT want this feature enabled, so traffic was able to be spoofed?

In the case of asymmetric routing, uRPF would drop traffic that should not be dropped. Asymmetric routing is not an uncommon scenario in networks with multiple links to internet.

I can't comment as to why it's disabled by default on all Cisco devices. I'd speculate that the idea for routers/switches at least is "this is a security feature, not a routing feature, so it shouldn't be enabled by default on routers". Personally I do agree it should be enabled by default on ASAs at least, especially since ASAs generally shouldn't be deployed in asymmetric topologies to begin with.
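To make the asymmetric-routing point concrete, here is an added model of the uRPF check (not vendor code) against a constructed routing table for a router with two Internet uplinks. Strict mode requires the best route back to the source to leave via the ingress interface; loose mode only requires some route. Whether the default route satisfies the check is a per-platform setting, so this example assumes it does not.

```python
import ipaddress

# Constructed routing table (assumption, not from the thread): (prefix, egress interface).
ROUTES = [
    ("0.0.0.0/0", "isp1"),        # default route via ISP1
    ("10.0.0.0/8", "inside"),     # our internal space
    ("203.0.113.0/24", "isp2"),   # a remote network we reach via ISP2
]


def route_lookup(ip: str):
    """Longest-prefix match over ROUTES; returns (network, interface) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def _usable(match) -> bool:
    # Assumption for this model: the default route does not satisfy uRPF.
    return match is not None and match[0].prefixlen > 0


def urpf_strict(src_ip: str, ingress_iface: str) -> bool:
    """Strict: the reverse path to the source must go out the interface the packet came in on."""
    match = route_lookup(src_ip)
    return _usable(match) and match[1] == ingress_iface


def urpf_loose(src_ip: str) -> bool:
    """Loose: any usable route to the source is enough, regardless of interface."""
    return _usable(route_lookup(src_ip))


def evaluate(packets):
    """Map each constructed (src_ip, ingress_iface) to (passes_strict, passes_loose)."""
    return {(src, iface): (urpf_strict(src, iface), urpf_loose(src)) for src, iface in packets}


# Constructed sample packets arriving on the ISP1 uplink.
SAMPLE_PACKETS = [
    ("203.0.113.10", "isp1"),   # legitimate reply that returned via ISP1; we route to it via ISP2
    ("10.1.2.3", "isp1"),       # source claims an inside address but arrives from the Internet
    ("198.51.100.7", "isp1"),   # source known only through the default route
]

if __name__ == "__main__":
    for (src, iface), (strict_ok, loose_ok) in evaluate(SAMPLE_PACKETS).items():
        print(f"{src:>14} on {iface}: strict={'pass' if strict_ok else 'DROP'} "
              f"loose={'pass' if loose_ok else 'DROP'}")
```

The first packet is the asymmetric case from the answer: strict mode drops a legitimate reply because the route back points at ISP2, while loose mode passes it; the second shows the trade-off, since loose mode also passes a packet that strict mode would have rejected.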

About newworldmonkeys2

  • Reddit Birthday

    November 25, 2013

Other Interesting Profiles

    Want to make posts on your
    own profile?

    Sign up to test the Reddit post to profile beta.

    Sign up