/r/networking
Enterprise Networking Design, Support, and Discussion.
I’m wondering if there is anyone out there in network land who has a role that basically allows them to be mostly 9-5 work and fairly stress free. As the title here says. What is your role and what type of company/industry is this that you work in?
I am writing some scripts for network analysis (out of personal interest) and was wondering if anyone is aware of any methods or tools that will allow me to determine whether a given host is a piece of networking equipment rather than an end-user device?
Thanks for any advice!
Hi guys,
My company has branches in 3 locations (the US, China, and Canada). I want to create a FULL-TUNNEL VPN for users who connect from coffee shops, airports, and hotels.
I will do it using the Cisco profile editor and call it an UNSECURED VPN profile.
My question is: Instead of creating 3 profiles for the US, Canada, and China, is there a way to redirect the user to the correct VPN profile depending on where the user connects?
For example, the user is connecting from China > connect to the China FULL-Tunnel VPN
My Devices: Cisco FMC / Cisco FTDs
Thanks, folks
So, for context, I am new to enterprise networking and probably making all sorts of novice mistakes. Please be gentle.
Setup:
I have an Aruba 2930F on WC.16.11.0016, to which wired clients and APs are connected.
The Aruba is connected to a FortiGate 60F router via 6 x LACP trunked interfaces (overkill, I know). The trunk is solid and the Fortigate web UI and SSH are accessible via the interface from wired clients with static IPs plugged into the Aruba. The wired static clients also have internet access through the FortiGate. The only thing (apparently) not working correctly is DHCP.
The FortiGate trunked interface (10.0.1.254) is set to LAN mode and is configured to serve DHCP addresses.
The Aruba is configured with a single VLAN 1(10.0.1.252).
Here is a basic diagram of the environment.
Aruba config:
(config)# show config
Startup configuration: 28532
; JL256A Configuration Editor; Created on release #WC.16.11.0016
; Ver #14:67.6f.f8.1d.9b.3f.bf.bb.ef.7c.59.fc.6b.fb.9f.fc.ff.ff.37.ef:44
hostname "Aruba2930F"
module 1 type jl256a
aruba-central disable
dhcp-relay option 82 replace ip
dhcp-snooping
dhcp-snooping authorized-server 10.0.1.254
dhcp-snooping vlan 1
dhcpv6-snooping vlan 1
trunk 47-48 trk1 trunk #Unrelated trunk#
password minimum-length 8
no telnet-server
no web-management
web-management ssl
web-management idle-timeout 7200
ip default-gateway 10.0.1.254
#Unrelated interfaces removed#
#Start Fortigate60F connected LACP trunked interfaces#
interface 41
lacp active
name " 60F LAG 1"
exit
interface 42
lacp active
name " 60F LAG 2"
exit
interface 43
lacp active
name " 60F LAG 3"
exit
interface 44
lacp active
name " 60F LAG 4"
exit
interface 45
lacp active
name "60F LAG A"
exit
interface 46
lacp active
name "60F LAG B"
exit
#End Fortigate60F connected LACP trunked interfaces#
snmp-server community "redacted" unrestricted
snmpv3 enable
snmpv3 restricted-access
snmpv3 group managerauth user "redacted" sec-model ver3
snmpv3 group managerauth user "redacted" sec-model ver3
snmpv3 user "redacted"
snmpv3 user "redacted"
vlan 1
name "Default"
untagged 1-46,49-52,Trk1
ip address 10.0.1.252 255.255.255.0
ip bootp-gateway 10.0.1.252
ip helper-address 10.0.1.254
ipv6 enable
ipv6 address autoconfig
ipv6 address dhcp full
exit
spanning-tree Trk1 priority 4
no tftp server
no autorun
dhcp host-name-option
password manager
password operator
More config:
(config)# show dhcp-relay
Status and Counters - DHCP Relay
DHCP Relay Agent : Enabled
DHCP Request Hop Count Increment : Enabled
Option 82 : Enabled
Response validation : Disabled
Option 82 handle policy : keep
Remote ID : ip
DHCP Relay Statistics:
   Client Requests        Server Responses
   Valid      Dropped     Valid      Dropped
   ---------- ----------  ---------- ----------
   1327       0           0          0

DHCP Relay Option 82 Statistics:
   Client Requests        Server Responses
   Valid      Dropped     Valid      Dropped
   ---------- ----------  ---------- ----------
   1792       0           0          0
I see valid client requests to the relay, but they are not resulting in leased IPs.
What am I missing?
Edit:
# show dhcp-relay bootp-gateway

BOOTP Gateway Entries

  VLAN                 BOOTP Gateway
  -------------------- ---------------
  Default              10.0.1.252
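To make the pattern in those counters checkable from a script rather than by eye, here is an added example (not the poster's own setup and not ArubaOS-Switch code): it parses the statistics blocks out of a "show dhcp-relay" text dump and flags a relay that forwards client requests but sees no server responses at all, which is the situation the counters above describe. The show output embedded in it is a constructed copy of the blocks quoted in the post; the column names and the wording of the findings are this example's own.

```python
import re

# Constructed sample: the counter blocks quoted in the post, in the layout
# ArubaOS-Switch prints them.
SHOW_DHCP_RELAY = """\
 Status and Counters - DHCP Relay

  DHCP Relay Agent                 : Enabled
  DHCP Request Hop Count Increment : Enabled
  Option 82                        : Enabled
  Response validation              : Disabled
  Option 82 handle policy          : keep
  Remote ID                        : ip

 DHCP Relay Statistics:
   Client Requests        Server Responses
   Valid      Dropped     Valid      Dropped
   ---------- ----------  ---------- ----------
   1327       0           0          0

 DHCP Relay Option 82 Statistics:
   Client Requests        Server Responses
   Valid      Dropped     Valid      Dropped
   ---------- ----------  ---------- ----------
   1792       0           0          0
"""

BLOCK_RE = re.compile(r"^\s*(DHCP Relay(?: Option 82)? Statistics):")
# A counter row is a line holding exactly four integers and nothing else,
# which keeps lines such as "Option 82 : Enabled" from being mistaken for data.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
COLUMNS = ("client_valid", "client_dropped", "server_valid", "server_dropped")


def parse_relay_stats(text: str) -> dict:
    """Return {block name: {column: count}} for each statistics block found."""
    stats, current = {}, None
    for line in text.splitlines():
        header = BLOCK_RE.match(line)
        if header:
            current = header.group(1)
            continue
        row = ROW_RE.match(line)
        if row and current:
            stats[current] = dict(zip(COLUMNS, map(int, row.groups())))
            current = None  # exactly one counter row per block
    return stats


def diagnose(stats: dict) -> list:
    """Turn counter patterns into findings; an empty list means nothing suspicious."""
    findings = []
    for block, c in stats.items():
        if c["client_valid"] and not (c["server_valid"] or c["server_dropped"]):
            findings.append(
                f"{block}: {c['client_valid']} client requests relayed but 0 server "
                "responses seen: the server is not answering the relay, or its "
                "replies take a path that bypasses this relay"
            )
        elif c["server_dropped"]:
            findings.append(
                f"{block}: {c['server_dropped']} server responses dropped by the "
                "relay (check response validation / Option 82 handling)"
            )
        if c["client_dropped"]:
            findings.append(f"{block}: {c['client_dropped']} client requests dropped by the relay")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_relay_stats(SHOW_DHCP_RELAY)):
        print(finding)
```

Run against the constructed dump it reports both blocks as "requests relayed, no responses seen"; feeding it a healthy dump (server responses roughly tracking client requests) returns no findings, which is the condition to watch for after changing the server or helper-address side.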
Hi All,
I have a question regarding designing a small site. I am in the process of finalising a design scheme for all our branches to follow going forward. We have just upgraded all the lines to 1Gbps and are now looking to change our whole network stack, as the devices are either going EOL or are just outdated. We are going to have 2 firewalls per site in A/P for redundancy, and for the bigger sites WiFi 6E APs, with the smaller ones having WiFi 6, since the price of 2.5Gb switches is not justifiable for a site of, say, 10 people (looking at Juniper EX or Fortinet FortiSwitch here).
My question is: given that there are sites with minimal people (some have no more than, say, 30-40 floor ports and a couple of APs), is there a point in having switch redundancy (purchasing 2 switches instead of 1)? I get that it's a single point of failure, but the added cost for a just-in-case scenario seems steep. My idea would be to have them under care naturally so they can be RMA'd if something goes wrong, and maybe have a cold standby switch as a solution?
For example, our smallest site with max 15 employees has 2 x HA firewalls A/P > 2 x super collapsed core (core, aggregation, access) > 2-4 APs on PoE+. I know the ideal minimum model is 2 x collapsed core and 2 x access, but that's overkill.
If we replace this, it would follow the same model but with 2 x 48-port 1Gbps switches with PoE+ for WiFi 6 sites. But I'm thinking: do we need 2 x collapsed core switches, and is it an acceptable risk to go with 1 x and use a Cisco switch (2960X) as cold standby?
Just to add some other requirements/notes
Hello,
I have a dev environment (on Ubuntu 22.04) for my android application. I am running mitmproxy in transparent mode on the same server, which requires the following iptables rules as defined by the mitmproxy docs:
sudo sysctl -w net.ipv4.ip_forward=1
sudo sysctl -w net.ipv6.conf.all.forwarding=1
sudo sysctl -w net.ipv4.conf.all.send_redirects=0
sudo iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 443 -j REDIRECT --to-port 8080
sudo ip6tables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 80 -j REDIRECT --to-port 8080
sudo ip6tables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 443 -j REDIRECT --to-port 8080
I also have mitmproxy running in transparent mode on 127.0.0.1:8080 as the mitmproxyuser.
This setup works fine: all locally originating traffic that is not from the mitmproxyuser gets redirected to localhost on 8080 and captured by mitmproxy.
I'm now trying to introduce a WireGuard Client config to route my traffic through my WireGuard server. The config is very basic and looks the same as all default WG client configs.
I am able to ping and get my IP via DNS successfully, but all web requests over 80 or 443 now hang and never connect.
If I switch to the mitmproxyuser and curl a web server to get my IP, it successfully returns the IP of my WireGuard server as expected. It is only when the traffic gets redirected via the iptables rules above (that is, originating from root or any other user) that I never receive a response.
An update after some more troubleshooting, take a look at these two packets captured via tcpdump (listening on all interfaces):
10.3.112.100.52882 > 127.0.0.1.8080: Flags [S], cksum 0xf996 (incorrect -> 0x4fd8), seq 2299162457, win 64860, options [mss 1380,sackOK,TS val 1952818886 ecr 0,nop,wscale 7], length 0
104.16.184.241.80 > 10.3.112.100.52882: Flags [S.], cksum 0x9b97 (incorrect -> 0x4953), seq 634736556, ack 2299162458, win 65483, options [mss 65495,sackOK,TS val 2567993406 ecr 1952818886,nop,wscale 7], length 0
10.3.112.100 is the wg0 interface.
As you can see, we see the SYN on the REDIRECT rule to localhost:8080, which is the transparent proxy. We then see the SYN/ACK come back from our web server at 104.16.184.241:80. But I see no subsequent ACK, so the handshake never completes, just repeats of the same two-packet sequence above as the connection retries. Is something dropping the SYN/ACK response or the subsequent ACK that I should be seeing?
This feels like a simple fix and maybe I'm just missing another iptables rule but I've googled around and haven't found my scenario anywhere.
Any help is appreciated, thanks.
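As an added example (not part of the post and not mitmproxy project code), the following script turns tcpdump's text output into per-connection handshake state, so a capture like the one above can be checked for handshakes that stall after the SYN/ACK and for replies that come back from a different address than the SYN was sent to, which is what a REDIRECT looks like on the return path. The sample capture is constructed: its first two lines are the two packets quoted in the post, followed by a retransmitted SYN and a healthy handshake between made-up documentation addresses for comparison.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample capture (no timestamps, as quoted in the post). Lines 1-2
# are the packets from the post, line 3 the same SYN retransmitted, lines 4-6
# a healthy handshake for comparison.
SAMPLE_CAPTURE = """\
10.3.112.100.52882 > 127.0.0.1.8080: Flags [S], cksum 0xf996 (incorrect -> 0x4fd8), seq 2299162457, win 64860, options [mss 1380,sackOK,TS val 1952818886 ecr 0,nop,wscale 7], length 0
104.16.184.241.80 > 10.3.112.100.52882: Flags [S.], cksum 0x9b97 (incorrect -> 0x4953), seq 634736556, ack 2299162458, win 65483, options [mss 65495,sackOK,TS val 2567993406 ecr 1952818886,nop,wscale 7], length 0
10.3.112.100.52882 > 127.0.0.1.8080: Flags [S], cksum 0xf996 (incorrect -> 0x4fd8), seq 2299162457, win 64860, options [mss 1380,sackOK,TS val 1952819890 ecr 0,nop,wscale 7], length 0
192.0.2.10.40000 > 198.51.100.5.443: Flags [S], seq 100, win 64240, length 0
198.51.100.5.443 > 192.0.2.10.40000: Flags [S.], seq 500, ack 101, win 65160, length 0
192.0.2.10.40000 > 198.51.100.5.443: Flags [.], ack 501, win 502, length 0
"""

# tcpdump's "A.B.C.D.port > E.F.G.H.port: Flags [..]" prefix for IPv4. The greedy
# [\d.]+ backtracks so that the last dotted component becomes the port.
LINE_RE = re.compile(
    r"^(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass
class Handshake:
    client: tuple                         # (ip, port) the SYN came from
    syn_dst: Optional[tuple] = None       # where the client sent its SYN
    synack_src: Optional[tuple] = None    # who the SYN/ACK appears to come from
    syn_count: int = 0
    synack_count: int = 0
    ack_seen: bool = False

    @property
    def state(self) -> str:
        if self.ack_seen:
            return "established"
        if self.synack_count:
            return "half-open"   # SYN/ACK arrived but the client never ACKed it
        return "unanswered"      # only SYNs seen

    @property
    def translated(self) -> bool:
        # A SYN/ACK from an address other than the one the SYN was sent to is the
        # signature of a DNAT/REDIRECT being undone on the return path.
        return self.synack_src is not None and self.synack_src != self.syn_dst


def parse_capture(text: str) -> dict:
    """Group tcpdump lines into per-client handshake records keyed by (ip, port)."""
    handshakes: dict = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src = (m["src"], int(m["sport"]))
        dst = (m["dst"], int(m["dport"]))
        flags = m["flags"]
        if flags == "S":                          # client -> server SYN
            hs = handshakes.setdefault(src, Handshake(client=src))
            hs.syn_dst = dst
            hs.syn_count += 1
        elif flags == "S.":                       # server -> client SYN/ACK
            hs = handshakes.setdefault(dst, Handshake(client=dst))
            hs.synack_src = src
            hs.synack_count += 1
        elif "S" not in flags and "." in flags:   # client's ACK (or data + ACK)
            hs = handshakes.get(src)
            if hs is not None and hs.synack_count:
                hs.ack_seen = True
    return handshakes


def report(text: str) -> list:
    """One finding per client whose handshake never completed."""
    findings = []
    for hs in parse_capture(text).values():
        if hs.state == "established":
            continue
        dst = f"{hs.syn_dst[0]}:{hs.syn_dst[1]}" if hs.syn_dst else "?"
        note = f"{hs.client[0]}:{hs.client[1]} -> {dst}: {hs.state}, {hs.syn_count} SYN(s) sent"
        if hs.translated:
            note += (f"; SYN/ACK returned from {hs.synack_src[0]}:{hs.synack_src[1]}"
                     " (address translated on the return path)")
        findings.append(note)
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_CAPTURE):
        print(finding)
```

Piping a real capture through it (tcpdump -n -i any 'tcp[tcpflags] & (tcp-syn|tcp-ack) != 0') gives one line per stuck client, which narrows the question to whether the SYN/ACK is dropped before the client's stack sees it or the client's ACK is dropped afterwards: a stuck connection whose SYN count keeps climbing while synack_count also climbs means the SYN/ACK is reaching the wire but not being accepted.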
We're upgrading our internet connection from a single leased line (1Gb) + VDSL backup. This service is essentially provided to us as a single CAT5 cable from a Cisco router that handles the failover to VDSL (public IP failover too). We stick this straight into a VLAN on our core switch (Aruba 5400zl) and then our HA virtualised firewall handles it from there. All good.
We're moving to a redundantly (physically) routed pair of leased lines, 5Gb on the primary and 1Gb on the secondary, each arriving into a different building. The ISP have said they are configuring a "Dynamically Verified Static Route (DVSR) to support failover on the WAN" and that "VRRP should be configured on on-site equipment". There is a question as to whether this "equipment" should be provided by our reseller or not, but let's assume they aren't providing that for now.
The secondary line is going to get connected to one of our aggregation switches (an Aruba 3810m), which is then connected by 20gb aggregation back to our core switch.
Question is - could/should I forgo a physical 'router' on each leased line, and use the routing/VRRP capability in both the core and aggregation switch to present the virtual router IP to our firewall? Or is that a terrible idea for reasons I don't fully comprehend?
My other option is to persist in insisting that the reseller should be providing hardware to do this, but I'm happy to cut out unnecessary hardware and failure points if I can. Would they provide routers with redundant PSUs? Not likely!
Any sage words of wisdom for a relatively novice network tech? Thanks!
When people say a "Fabric link" in a data center network, do they mean
Or 2) heavy-traffic-carrying links b/w leaf & spines?
I'm writing a piece of code to determine this and I'm stuck on the definition. The Internet is split on this. Mucho appreciated!
Hey,
So like the title states, we are currently trying to incorporate an ECI 9603 into our environment. Due to a lack of understanding we only got one just to see if this will be useful and to play around with it.
We are trying this in a TM200-EN linecard, currently with a loopback until we can figure it out more.
However, the issue occurs when we are trying to use SFPs, in that they always show the alarm "gfpLfd", despite the parts being ECI supported and despite setting the exp-transceiver-type to the part we are using, such as an otp10-sr or otp10d-alxx. The parts themselves do show an Rx and a Tx value, and we have no other alarm on them, other than the "gfpLfd" alarm. I've tried to look around, but the only guide/troubleshooting list I could find related only to an XDM, and the closest alarm it showed was "Loss of Frame Delineation".
The only way I feel this can be fixed is by getting another 9603 or 96xx variant and an additional TM200-EN, as I remember looking at some old ECI/Ribbon datasheets for the TM200-ENs and they showed them going from one TM200-EN to another TM200-EN; however, this is just speculation.
If anyone is able to help, it would be greatly appreciated.
Hi there, this is my first post on the sub, though I've been reading and learning from you for a while.
Lately, I've been learning about RADIUS and how it works, in order to implement the protocol in my company. Though, as much as I've read online, I still have a big question I haven't answered myself and can't seem to find anywhere. I feel it is very silly, but anyway, here it goes.
Let's say I've set up a FreeRADIUS server and configured my Cisco switches as RADIUS clients in order to have port authentication. Then I have a user on my network who has a LAN connection with a Windows PC and wants to gain access to the network. How does the Cisco switch authenticate this user? Is there any specific software I need to install on every Windows PC that will communicate with the switch? How do they enter their username/password? I still haven't found any articles on how the user-end part works. I know that you can use Windows NPS with AD, for example, but let's say I want to use my Linux FreeRADIUS server and don't want to use Samba and such to make AD communicate with it; I want a separate login.
Thanks in advance!
Hi all,
My employer has a budget to send me to a couple of networking conferences this year, but Cisco Live and Tech Con are on the same week this year. I’ll already be at Tech Con. What are some good alternatives to Cisco Live within the US?
Not sure if I'm being stupid here. I have a Cisco 1117-4P and want to understand the functionality of each of the ports on the LAN side.
So, for example, could I use my WAN circuit presented on RJ-45 on the LAN interfaces, to save the SFP port for the LAN if required?
When I look on Cisco's website I can't seem to find info around configuration of those LAN ports, e.g. whether they are switchports only.
Do you all just read through the devices data sheets to get this info?
Hope that makes sense
Thank you
Just wondering if we can use a wildcard in the endpoint list for a large number of devices all starting with the same numbers/letters, similar to how you can in Windows NPS?
We are using Cisco ISE as our TACACS server. I have managed to get device admin access via local accounts while TACACS was available; at the same time, logging in with TACACS also works fine. Below is the config snippet. Is this advisable, or am I doing it wrong? In Juniper EX series switches, login with local config works fine while TACACS is available, so I thought to replicate it like this.
NOTE: Previously, in Cisco, if TACACS was available the local account login would not work, because the first priority is TACACS, then local. But now I have changed it to local first, then TACACS, so I need to know whether this is a recommended way of configuring it or whether I should do it differently.
!
aaa group server tacacs+ tac_server
server name ise1
tacacs server ise1
address ipv4 x.x.x.x
key 6 xxxx
timeout 1
aaa authentication login default local group tacacs+ line
aaa authentication enable default group tacacs+ enable none
aaa authorization exec default local group tacacs+ if-authenticated
aaa authorization commands 1 default local group tacacs+ if-authenticated
aaa authorization commands 15 default local group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting send stop-record authentication failure
aaa accounting update newinfo periodic 2880
!
At the moment we have the last two but we must replace the old ipplan.
I see DNAC offers IPAM capabilities, but would it be possible to integrate it with the DHCP and DNS products mentioned in the subject, so that we don't go for Infoblox, for instance?
Panatism
I know the answer is probably going to be "it depends on the default hashing configuration on your NOS" but my question is if you have four links between a switch and a router, and you configure it in two different ways:
Scenario A: you make the four links point-to-point layer 3 routed links, configure whatever your favorite routing protocol over them, or even just use static routes, but you make it so the destination network you are trying to reach has the exact same metric on all 4 links, so it becomes equal-cost multipath routing (ECMP).
Scenario B: You configure all four links into a LAG, like an LACP port channel, to create one virtual interface... and then you just trunk a routing VLAN on the virtual interface, and make one routing neighbor between switch and router, using the VLAN SVI or whatever. (I suppose you could also just make this a layer 3 interface on the port channel, same effect? But we can call that scenario B.2?)
Which configuration, scenario A or B (or B.2?) will balance traffic best across all four interfaces? Your goal is that all four interfaces get as close to equal share of traffic as possible, but you're not willing to change load balancing hash configs or anything.
Assume the traffic flowing across is lots of individual flows between multiple source and destination IPs all day long, on many different destination ports.. no elephant flows or anything like that.
Will the three scenarios be incredibly comparable, or would one stand out as a clear choice?
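Since the question is really about which header fields the hash sees, the following added example (not from the post, and not any vendor's hashing code) simulates the scenarios with constructed flows: many short connections between random hosts, all crossing one routed adjacency, so every frame carries the same source/destination MAC pair. It compares a hash over the IP and L4 fields, which is what per-flow ECMP in scenario A works from, with a hash over MAC addresses, which is what a LAG in scenario B or B.2 uses if that platform's port-channel load-balance setting defaults to src-dst-mac (the assumption being modelled; the frames on a layer 3 port channel still carry a single MAC pair). The CRC32 stand-in for the ASIC hash and the policy names are this example's own.

```python
import random
import struct
import zlib
from collections import Counter

LINKS = 4  # four parallel members between the switch and the router


def make_flows(n: int, seed: int = 1) -> list:
    """Constructed traffic: many short flows between random hosts, no elephant
    flows, all crossing one routed adjacency so the MAC pair never changes."""
    rng = random.Random(seed)
    return [
        {
            "src_ip": rng.getrandbits(32),
            "dst_ip": rng.getrandbits(32),
            "src_port": rng.randrange(1024, 65536),
            "dst_port": rng.choice([22, 53, 80, 443, 3306, 8443]),
            "src_mac": 0x001122334455,  # the switch's SVI / routed port (constructed)
            "dst_mac": 0x66778899AABB,  # the router's interface (constructed)
        }
        for _ in range(n)
    ]


def pick_link(*fields: int) -> int:
    # Stand-in for the ASIC hash: CRC32 over the selected fields, reduced modulo
    # the member count. Real hardware uses its own function, but the property
    # that matters here (same input, same output) is the same.
    return zlib.crc32(struct.pack(">" + "Q" * len(fields), *fields)) % LINKS


# Hash inputs a NOS might use; the names are descriptive, not CLI keywords.
HASH_POLICIES = {
    "src-dst-mac": lambda f: pick_link(f["src_mac"], f["dst_mac"]),
    "src-dst-ip": lambda f: pick_link(f["src_ip"], f["dst_ip"]),
    "src-dst-ip-l4port": lambda f: pick_link(
        f["src_ip"], f["dst_ip"], f["src_port"], f["dst_port"]),
}


def distribute(flows: list, policy: str) -> dict:
    """Share of flows landing on each member under the given hash policy."""
    counts = Counter(HASH_POLICIES[policy](f) for f in flows)
    return {link: counts[link] / len(flows) for link in range(LINKS)}


def imbalance(shares: dict) -> float:
    """Busiest member's share divided by the ideal 1/LINKS; 1.0 is perfect balance,
    LINKS means everything landed on one member."""
    return max(shares.values()) * LINKS


if __name__ == "__main__":
    flows = make_flows(20000)
    for policy in HASH_POLICIES:
        shares = distribute(flows, policy)
        print(f"{policy:20s} imbalance {imbalance(shares):.2f}  "
              + "  ".join(f"member{l}: {s:5.1%}" for l, s in shares.items()))
```

Running it shows the MAC-only policy putting every flow on one member (imbalance 4.0) while the IP and IP+port policies land within a few percent of a quarter each. The takeaway for the question above is that A versus B matters less than which fields feed the hash: across a single routed neighbour pair, a LAG hashing on MAC addresses has nothing to spread, and checking the platform's actual load-balance inputs is the first thing to do before comparing the designs.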
I recently got my CCNA after just over 2 years working in a NOC environment for medium-large size MSPs and am feeling uncertain about how to develop further. I think this is partly due to being at an MSP that has involvement with just about every vendor and field - collab, servers/DC, network, cloud, projects etc., which makes choosing a bit overwhelming. As a tier 1 I’ve been exposed to all of these areas due to the nature of being tier 1 (triaging/taking calls), and since getting my CCNA I’m not sure where to go next. I know it depends on what I enjoy, but I feel like I don’t know enough about anything to know for sure. Top choice is to be a traditional network engineer since that’s what I ‘know’ the most.
As the title reads, with this uncertainty and to avoid stagnating what are some skills or certs that I can work on that could not potentially be a waste of time? So far I’ve been thinking to learn Linux, although I don’t think I will use it in the near future. Or a firewall cert like Palo Alto’s PCNSA. CCNP is on the list but feel I need to branch out first. Also, which path would you choose with the current state of networking? Any advice is appreciated.
I'm looking for OOB for some non-critical sites. Are there any cloud based console servers?
It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.
There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!
Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.
Hi, I have been trying to find resources to learn SDN but I couldn't find anything useful. YouTube is mostly SDN theory. Labs r a bit hectic and really hard to understand. If anyone can share any useful resources to learn and get deep in SDN, I would really appreciate it.
Thanks!
Anyone have some interview questions they've asked network engineer candidates that really gave you good insight about them? Does your list always include a certain question that has been your favorite to ask?
EDIT: Thank you all for the responses. I really appreciate it, so much that I would not have thought to ask. Some pretty fun and creative questions as well.
Thank you!
I have a simple NAT config which I need to use:
ip nat pool test 40.0.0.3 40.0.0.3 netmask 255.255.255.0
ip nat inside source list 1 interface GigabitEthernet0/0/1 overload
ip nat inside source list 2 pool test overload
access-list 1 permit 10.0.0.0 0.0.255.255
access-list 2 permit 192.168.1.0 0.0.0.255
interface GigabitEthernet0/0/1
ip address 40.0.0.1 255.255.255.0
ip nat outside
However, when I try it on an ASR 1001 I get that the address can't be assigned since the pool might be exhausted. I get this as soon as I enter the NAT config; there is no traffic at all. I can't figure this one out, please help!
Hi all, I need some advice on Opnsense with my smoothwall S4 Firewall. So I've got OpnSense installed but I want to set the LED Display on the front to display information about Opnsense, I know that you can do it but not sure how to set it up, and wondered whether anybody else has done the same or even with pfsense?
Hopefully, someone has done this and knows the process of how to set this up.
Cheers!!
Hi, I just got hired and was tasked with setting up the scheduled external scans of the vulnerability scanner. The issue is that the list of public-facing IPs is incomplete for the firms we are working with, and I have to find out what they are. My senior mentioned I could use ConnectWise Automate to find out, but I only see router IP addresses. I did cross-reference it with the IPs provided, which they got from the Meraki portal, and they are different. Thanks in advance!
Mainly talking to those operating larger public or BYOD WLANs serving lots of devices, but any enterprise network folks are welcome to answer. Are you punching a hole for UDP 53 to your DCs & allowing your "public" VLANs/SSIDs to hit your internal DNS/recursive resolvers? Or are you throwing 8.8.8.8 at those devices and calling it a day, since they should only be going OUT to the WAN and not east/west?
My view is that while obviously the VLANning and f/w rules should 100% prevent any internal access, from a defense-in-depth perspective, probably best that non-internal clients not even be able to query hostnames that are internal just to us. At best, they could learn more about our network (and while I don't love security by obscurity, goes back to defense in depth/Swiss cheese model). At worst, it would make it easier for them to discover a misconfigured firewall rule/unpatched CVE, allowing them to go someplace they shouldn't (which should never happen but again, defense in depth).
I also worry that with DNS generally running on our DCs (not my decision), while exposing UDP 53 isn't inherently a security risk, what if there was one day a Windows CVE involving DNS services?
If anyone cares to challenge or agree with that view, I'm all ears.
Hi, I'm being tasked with installing and setting up Cisco Stealthwatch and am trying to find some good walkthrough series, but I'm having issues. I can only seem to find a video on certain sections of how to set it up, or how to configure a certain aspect of it, without knowing the whole picture from A to Z (or as close as possible).
Has anyone come across any good series for it before?
Thanks
I have about a year of network admin experience after 10 years or so of doing field tech work. Most of the experience was with Aruba equipment. I switched jobs about 2 months ago, and this one is a mix of Cisco and Aruba, but I have TONS of downtime and get to do very little actual work (I'm assigned to a project with tons of project management issues). I used the downtime to study for and pass my CCNA certification so I would be more comfortable on the Cisco side of things, but I'm still given very little work. I've considered continuing my learning path towards CCNP paths (even if I don't take the exam I want to know the material so I can take advantage of opportunities). I just feel very lost and want to take as much advantage of the downtime as I can and would appreciate the guidance from those who have been there.
Hi, we are new to Nokia hardware, and we have a new 7250IXR-E router for a PoC.
I’m facing different issues which I do not understand.
The router only boots when a console is connected and displaying output. Without a console cable connected, it doesn’t boot.
The router randomly reboots. The reason is unknown.
The Ethernet ports stay down after a reboot. An admin-state disable/enable solves the problem, and the interface is connected again.
So far the CLI is quite good, but the above issues are strange, and I have never seen them before on other vendors (Cisco, Juniper, Fortinet, etc.).
Are there some missing statements in the config?
Original post was automodded as it thought I was trying to post about a code development project which is why some things are vague
TL/DR: is devnet worth the effort it takes to pass the test (let alone the money)?
I’ve been in networking many years. I’ve picked up automation over the last few years, and most of my time is spent building automation, so I’ve been asked several times why I haven’t got DevNet. I’m also currently in a Cisco shop that uses traditional networking, Firepowers, ACI, and DNAC/SDA (along with other vendors and technologies), so I feel I won’t ever be in a more fitting role, but I still feel like DevNet is a cert looking for a purpose.
Here’s my main hang ups:
Very few jobs postings actually ask for devnet, this is probably my biggest reason to question the money/effort vs benefit
The practice questions give me the impression it’s a lot of silly or quiz-level knowledge but lacking substance, e.g. asking for the exact formatting of something when in reality you’d have an IDE or other tools to ensure it’s properly formatted.
I almost feel some would look down on it, basically questioning why put time/money/effort into it when it’s not normal on the software side and there are other ways to prove skills and experience
I might be able to get my work to pay for the exams and really the only reasons I’m considering it are the CCIE EI having such mixed reviews currently, I still have a mindset that certs are generally good and might be able to get a raise from my current job.
We have a small entertainment venue in which we'd like to update the wifi/network setup. Our goal is to have two networks (one for guests/customers and another for all the devices needed for the operation of the venue) - both password protected. The internal network would include wired and wireless devices. For instance, our audio/visual system has up to 8 devices that require an ethernet connection. Some wired devices need to talk to some wireless ones on the operations network, but should not be visible to guests. Guest network would be wifi only. We'd like bandwidth controls for the guest network to ensure that people don't clog up the network and interrupt operations. We have about 10,000 sqft of space.
I'm the owner and have basic networking experience. I'm fine setting up routers, running cables, etc.
Here are my questions: