r/networking 21d ago

Blogpost Friday Blogpost Friday!

7 Upvotes

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.


r/networking 2d ago

Rant Wednesday Rant Wednesday!

10 Upvotes

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.


r/networking 14h ago

Career Advice Are Cisco certifications still a must have for network engineers?

74 Upvotes

Wondering if the relative importance of the various Cisco certs has declined over the past 5-10 years now that companies like Arista, Juniper, Aruba, etc have become more popular.


r/networking 13h ago

Career Advice Networking jobs that involve more moving around

15 Upvotes

I’ve been working for an MSP for 5 years as a network consultant. I mainly deploy firewalls, and also do a good amount of switching and wireless work.

A lot of this is desk work unfortunately, occasionally there is travel for installs but the use of smart hands has been pushed more and more. I’ve been getting fed up with being behind a desk all day and am considering leaving the field for a different trade. One thing holding me back is that I do enjoy networking and the troubleshooting aspect of it, just don’t like sitting all day. Anyone know of or have networking jobs that involve more moving around?


r/networking 5h ago

Design Shortest Path Bridging (Extreme/Avaya Fabric Connect) pt 2

3 Upvotes

About 1 year ago I posted this. We got a lot of good conversation going on in the thread, but I still have not gotten real world experience with SPB so far.

Was lucky enough to have been introduced to a live setup with 4 VSP (pair) cores. Got to ask a lot of questions about it etc. So far they have had almost zero issues with the setup after about 2-3 years since the setup. They mostly use SPB for spanning L2 around the campus. They also use Fabric Attach quite extensively, since they have lots of Extreme switches from before.

They had some issues in the beginning, when they were still setting it up, but got them solved in cooperation with Extreme. Basically the firmware was patched to fix their issue. And since then it has been smooth sailing without any problems. All failovers work seamlessly and adding additional devices to the network is easy etc.

BUT!!! Recently I created this post: Spanning VLANs in a ring topology. And saw people bashing SPB, and this got me thinking: is there any real reason to it besides personal preference? I have deployed Cisco EVPN based VxLAN (manually on the CLI, not through any supervisor like DNAC or ACI) and imho it was a nightmare to set up and manage compared to how easy it looks with SPBm.

Is SPBm really dead? If so, how? Why?


r/networking 6h ago

Career Advice Engineer's encouragement into Network Programmability

4 Upvotes

Currently in enterprise design/architect role backfilling build/L3 work and run/L2 escalations, with the great resignation of many Sr. engineers, including technical leads, our company is now resorting to bringing engineers of all levels to the trenches with eventual chaos of priorities (run vs build vs design vs managers).

Having this "opportunity" to look closer into the engineer's day-to-day and trying to alleviate their struggles I'm trying to encourage the use of IaC, tooling, and automation and get them on board with doing their best with network APIs/SDX technologies and make their life easier for all, however, there are all of these comments here and there

"I chose neteng because it didn't involve programming" / "coding, versioning and all that git looks too complicated" / "I have not much of linux experience, once I learn that first, then I'll give it a chance"

Don't get me wrong, we do have problems with staffing and workload like all companies, but I firmly believe that all network engineers should be aware they can't guarantee any near-future growth, geez even job security; we can give them training (1 or 2 hours every other day) but clearly, they need to practice, dedicate some personal time and see progress. My frustration is they can't seem to appreciate the personal benefit of investing any time on their own and limit themselves to "hand-holding learning".

All of this reluctant attitude and need has been visible to me in all my previous jobs, although I think we are moving really fast, too many engineers feel like it's not needed.

How are you motivating your engineers? Have you worked on any training plan in the past that has worked and probably had some buy-in from leadership to staff? Would you rather defer automation to a developer/group? If that's the case, how did you get the funding for it? (I still think that shouldn't give you a free pass for not learning.)

Hopefully, I can learn from some positive stories from all of you; this has been so long in my head and hearing from others can really help.


r/networking 1h ago

Design Best practices for L3 to (hypervisor) host ?

Upvotes

Hello.

I've been tasked with setting up our second datacenter (clean slate, yay). One of the requirements (reason being DR) is keeping a machine's IP while migrating between datacenters for various reasons (legacy stuff mostly). So the idea is basically making a route per host and letting routers figure out how to get to the host. Hosts are "just" Linux KVM/libvirt so plenty of flexibility here.

My initial design (as in, already implemented and working) is just basic OSPF on every switch, BGP between datacenters and hypervisor + loopback IP on host used for most of the connectivity (want to use ECMP to get some more bandwidth to Ceph, already have setup like that in first DC) so all that's left is how to get the VM routes going.

I ended up converging on one of 2 designs:

  • Give every VM a /31 to talk with the host and make the host just distribute all connected interfaces back into OSPF. Keep the IP config with the VM (which is easy as we use CM). Wastes half of the IPs (not really a problem) and makes adding new ones annoying (as every one of them needs a /31 in IPAM) but otherwise looks like the simplest way of attaining it, no extra code needed.
  • Make a big fat network (say 10.0.0.0/12), set it on every hypervisor (so every VM just has a default gateway of 10.0.0.1 no matter where it is booted), and just script adding a /32 for the VM IP to the routing table, then distribute only the /32s to switches. We have something similar with our OpenVPN setup, but it is quite "hacky" as hosts must know they need to use the gateway even if they only need to talk to their neighbour.

Both look workable but I just want to be sure I'm not missing something obvious between them.


r/networking 4h ago

Switching Which fiber connector to use?

1 Upvotes

I want to extend my network with a switch around 100m (329ft) away from my installation.

But I’m not sure which cable and connector to use, as I don’t know much about fiber.

Would a multimode cable with LC connectors be fine? Haven’t ordered SFP modules or anything yet.

It’s just for a 1Gb connection.


r/networking 1d ago

Career Advice Network engineer interviews are weird

220 Upvotes

I just had an interview for a Sr. Network engineer position. Contractor position.

All the questions were so high level.

What’s your route switch exp? What’s your fw exp? What’s your cloud exp? Etc

I obviously answered to the best of my ability but they didn’t go deep into any particular topic.

I thought I totally bombed the interview

They called me like 20 minutes after offering me the job. Super good pay, but shit benefits.

How weird. If I knew it was this easy I would have looked for a new job months ago.


r/networking 11h ago

Other Iconic network hardware

3 Upvotes

Been thinking about this a bit, but does anyone have equipment that has had a lasting impact on you, either from using them daily for years, or having that one bug that brings back nasty memories of a prolonged outage? Maybe a router that has been chugging away for longer than it probably should have, that nobody seems overly keen on replacing?

Would be interested to know what everyone has in mind when they think back to some of the older networking kit and the fun stuff that came with it. Maybe people have some interesting stories of split-brains or even just fond memories of that one bit of kit that started it all? Would love to hear some war stories.

For example, that one Catalyst 6509 you probably still have in your comms room, or a C7200 that outstayed and outlived its welcome, or maybe the little Netgear that could(n't)


r/networking 4h ago

Troubleshooting Getting DNS_PROBE_FINISHED_NXDOMAIN when connecting to IIS website

0 Upvotes

I'm hosting on a VM (development environment) an ASP .NET Core app using in-process IIS. It works fine when I connect from any machine connected to the local network using ethernet in the 192.168.2.X subnet (which is our global subnet for our whole network).

I'm trying however to access it the same way by typing the host name (not the IP address) in a laptop connected to the local network using a wifi router (WAN address is 192.168.2.19, LAN is 192.168.0.1 ; the laptop address is 192.168.0.100). This fails with the error in the post title despite the router being configured to use the global DNS server used by my company, which is the same server for the other working machines.

I have no problem accessing the website from the laptop using the IP address of the VM (so 192.168.2.24), although I have IIS errors but that's another concern; those should be fixed if I can get the host name to work on the laptop.

Any insight?


r/networking 15h ago

Troubleshooting LAG marked as edge in spanning-tree on HP switch

3 Upvotes

There are 2 trunks going over a LAG on an HP core switch to Dell switches; one of the trunks is marked as an edge port, which probably shouldn't be the case in a switch-to-switch situation. I tried to force it to recognize that it's plugged into a switch. Has anyone run into anything similar?


r/networking 11h ago

Troubleshooting Duplex/Speed Mismatch on a Black Box

0 Upvotes

This is a problem I've encountered a few times. I get an alert that there is a duplex and/or speed mismatch between a switch and a piece of equipment. I have no access to the equipment to check its configuration, and there is no vendor documentation I can check. I can only make changes on the switch. I've tried guessing speed and duplex and watching the error rate, but I want to know if there is a better way of getting it right.


r/networking 17h ago

Design Redundancy with only one uplink

2 Upvotes

Hello, everyone

I am planning to upgrade my network. We now have access to 10 Gbit/s and the ISP router only has a 10 GbE port. I would now like to use two redundant pfsense firewalls behind the router. How would I have to configure that? Can you give some ideas or links?

Since I only have one uplink patch cable and I would only connect it to one device and if it failed, it would be stupid and no real redundancy guaranteed.

Using a router other than the ISP router is out of the question. Our internet provider works with multiple VLANs and the mobile backup via LTE only works with the ISP router. When I install an aftermarket internet backup I can't use my fixed IP subnet either.

My idea: (which I've never configured like this since I'm a noob): Configure 1 switch and another port with port mirroring and then connect both firewalls. Of course, we would also have a single point of failure with the switch here.

How exactly should I configure the firewall in this case? Is there a better idea?


r/networking 19h ago

Routing Routing VLANs on L3 switch instead of dedicated router

4 Upvotes

Question on this:

I currently have my VLAN sub interfaces configured on my dedicated router. I understand L3 switches have routing capabilities, albeit more limited.

If you are doing routing on your switches, am I right that you need to add the IP and subnet for all of your VLAN SVIs on every switch that needs to pass traffic for your VLANs? I know there is a technical benefit to the way the data is handled if it's done on the L3 switch and doesn't need to go back to the router, but in terms of complexity it seems easier to just set the routing information on a dedicated router and then just add the VLAN IDs to each switch.

Thanks!


r/networking 14h ago

Troubleshooting Port disappears

0 Upvotes

I am having some difficulties understanding what actually is happening in our lab. I have 2 end users in VLAN 150, and a server. The end users will grab information from said server. The issue I am currently facing is the server will drop the port the application needs in order to function. I have done three Nmap intense TCP scans and confirmed that once the server is soft reset (powered off and turned back on) the port appears (57000) and we are able to log into the application. A second Nmap intense TCP scan shows that the port randomly drops and we are kicked off the application. I have confirmed that I am able to ping from end users 1 and 2 to the server. I also did a trace route from both end users and confirmed it is 1 ms to the server.

This is a simple setup, access port to access port, and the switch configuration shows no logical security features enabled. Can someone help me understand what is happening here?

I am not able to touch the server as it happens to belong to a different company, and I am only in charge of the switches. I want to be able to prove that this is not an issue on the networking side.


r/networking 15h ago

Troubleshooting Packets stop at router and not sure why.

1 Upvotes

I started a new job this week and I have to shake off the networking rust fast. So there's a Louisiana location and the Texas location. In the week that I have been here I have noticed that the Texas office traffic (and remote access user traffic) hits and passes through the Meraki firewall just fine; however it does not progress beyond the router to the switches. Now from Texas and remote, I am able to ping and access that router, but I can't get any traffic to that switch. Traffic with Louisiana origins can hit Texas just fine, just not the other way around. The router doesn't have any active access list. Can anyone throw out any ideas on what the problem is?


r/networking 21h ago

Monitoring IOSXR BGP + PRTG + SNMPv3 + VRFs = Headache

2 Upvotes

Anyone out there have good success in monitoring your BGP neighborships on IOS XR across different VRFs? It seems like if you are using SNMPv3 you cannot do so, even when using the SNMP context. Please halp. Open to any and all answers.


r/networking 1d ago

Security Cisco ASAv firewalls and inter-DC clustering

4 Upvotes

We're migrating away from a couple of active/standby ASA5555-X clusters and for reasons (primarily no time to re-factor huge ACLs for another vendor) we're sticking with Cisco. We had an order in for some Firepower-4112s (which we planned to run in ASA mode as our requirements are pretty simple), but got hit with HW delivery delays. As we need these for a time pressured project I'm considering using ASAv on a hypervisor, probably KVM. Either ASAv50 or ASAv100 should do the job looking at the datasheet.

The specific setup we're looking at is a routed east/west inter-DC cluster design, where we have a 4-node cluster deployed across 2 DCs: connect the FWs to a vPC cluster in each DC and use VxLAN EVPN for the L2 overlay between DCs. It's a design mentioned in BRKSEC-3032 (that Cisco Live presentation references OTV rather than VxLAN but otherwise it's the same). The goal is to avoid host traffic unnecessarily traversing the DCI for VLANs that are extended between DCs, while maintaining redundancy in each DC. This is to enable a DC migration, so eventually it will be simplified once the old DC is emptied.

I would be very grateful for any feedback on stability, performance, deployment tips - either for ASAv generally and/or this active/active inter-DC design specifically.


r/networking 1d ago

Switching How do I find all disabled ports in my switch and list them by description?

9 Upvotes

I'm working on a script to open disabled ports on my Juniper switches.

I would like to know how I can get a list of all disabled ports but show their description instead of the port name on the switch.

Currently what I do to list all disabled ports is easy: show configuration | display set | match disable.

The problem is that the output I get is:

set interfaces ge-0/0/0 disable
set interfaces ge-0/0/1 disable
set interfaces ge-0/0/2 disable
...
...

Is it possible to show the same list, but get the desk port name? For example:

show configuration | display set | match ge-0/0/1
set interfaces ge-0/0/1 description "PP: S-F0-600"

I always want to get the PP: S-F0-600.

Thanks :)


r/networking 18h ago

Design Q-in-Q in ISP networks

0 Upvotes

So, I'm an enterprise network engineer working in a relatively complicated environment but I'm always curious about how ISP networks work.

As far as I know, Q in Q is used in the access network, but there are some things I don't get.

1) My understanding is every subscriber (every home for residential Internet) has its own C-VLAN, presumably associated to a small subnet (maybe a /30 would be enough?). Am I right?

2) The DSLAM or whatever is basically (DSL stuff aside) a switch with 1 C-VLAN per subscriber. So does the DSLAM use Q in Q? And if so, is there one outer VLAN per DSLAM (So basically the outer VLAN is a DSLAM ID), or are there multiple outer VLANs per DSLAM maybe for different services? Again, am I getting this correctly?

3) Who is the default gateway for all customers?


r/networking 18h ago

Wireless Radius solution that can easily integrate with LDAP (for wifi)

1 Upvotes

We are a small college and we use FortiNAC to do MAC authentication on wifi (Extreme/Aerohive) for guests and BYOD. FortiNAC has been giving us a lot of issues with wifi and I spend a few hours every week just to troubleshoot registration.

I am looking to replace this. We only use LDAP on campus and to add RADIUS to wifi, we will have to create a new RADIUS server. Our sys admins insist on using open RADIUS (free stuff) but they are having issues with integrating it with LDAP and I am at a loss on what to do.

Is there a cheap RADIUS solution that is easy to set up and is cheaper than FortiNAC (5k a year), or can you think of any other solution which can help integrate Aerohive with LDAP for login?

Any help will be appreciated!


r/networking 19h ago

Routing Understanding L2TP

0 Upvotes

I need help understanding the actual logistics of how an L2TP/IPSec connection is established.

Background: I am running port scans for some clients on their public facing IPs, who I know for a fact have L2TP traffic allowed to pass through the router. Running the scan,

sudo nmap -sS -sU -Pn -p0-65535 -T4 -v <ip address>

I can see that there are two ports open:

1723/tcp - open - pptp

500/udp - open - isakmp (running on zenmap it's labelled as IKE)

Looking at RFCs, googling all about this VPN, etc, I don't actually understand how a connection is established between the host and the server, nor why each port is used for what thing(s)?

L2TP says that port 1701 is required, but it is not open.

Given this I have a number of questions:

Does port 1701/tcp need to be open to create an L2TP tunnel?

What does port 500/udp actually do for L2TP?

What is the functionality of port 4500, and why is it only open sometimes when I scan the server?

What is the timeline for establishing an L2TP connection?

Does port 1723/tcp need to be open for L2TP, when it is the pptp port?

I have reason to believe that it is currently working as intended (because the client isn't throwing a fit that it's not working), however I cannot personally establish a connection myself, so I can't look at what an active connection looks like on the network.


r/networking 20h ago

Monitoring Looking for live dynamic monitoring diagram tool

1 Upvotes

Our networks routing runs on OSPF/BGP. I already have a tool that monitors when these peering relationships go down. What I'm looking for is an open-source tool that queries my routers for their peering relationships and dynamically creates a live network diagram. I'd love to have a live graphical view of my network before/during/after maintenance.


r/networking 1d ago

Switching Cisco 6807 SUP6T LACP-4-MULTIPLE_NEIGHBORS: Multiple neighbors detected

3 Upvotes

The business I work for is seeing an odd error with a LACP port channel between two Catalyst 6807s over a Comcast ENS Q-in-Q WAN link. When a Ciena 3926 is deployed at a satellite location that is single homed over Comcast ENS back to a single 6807, the port channel between 6807s is detecting a new neighbor in the port channel and the physical interfaces of the port channel are brought down.

I haven't had much experience with Ciena; can anyone think of a setting that is causing this? Thank you much.


r/networking 1d ago

Routing using eBGP internally instead of iBGP?

52 Upvotes

hello reddit networking,

I am working with a contractor to set up BGP within our network environment (among many other things). We have a relatively small environment (all equipment in the same building) and the contractor wants to set up eBGP internally instead of iBGP. When I asked him why he said "we have always done it like this" but I didn't get any more of an answer. I tried searching it up but I couldn't figure it out.

Would there be a reason why you would run eBGP within your environment instead of iBGP? If this is a bad question or I'm in the wrong area I am sorry. This is my first post ever on reddit.

I have been a network engineer for a year and I am the only one at my job so doing new things is a bit difficult for me since I don't have anyone to go to for advice.

We have 3 layer 3 switches as well as 2 firewalls internally. We are running OSPF at the moment but they want us to switch to BGP (external BGP).

Please let me know if more info is needed and again I'm sorry if this is a bad question.

Thank you guys so much for your comments and help. Like I said I don't have anyone to go to for advice and everything I do I never know if I'm doing it the best/correct way. I'm reading books and studying for CCNP but that only gets me so far. Thank you guys so much, I really appreciate it.

thank you!!!!


r/networking 19h ago

Automation SSH Issues with vIOS Images

0 Upvotes

Hey all.

Maybe I've never tried to do this in the past, but I'm testing some automation against my EVE-NG environment and I'm requiring SSH'ing into my devices. I am running into the issue below, and this is with a variety of different images (CSR1000v, IOL, etc.)

Unable to negotiate with 192.168.10.11 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

I find it odd I can't SSH right out of the box with your typical setup. Domain name, SSH ver 2. RSA key of 1024 (tried others).

I am able to fix it by adding certain parameters to my Ubuntu ssh_config file but why wouldn't this work without having to do all of that? Am I missing something here?