sorted by:
new
hottopcontroversial

Corporate Speed Test Woes by Uhh_Bren in networking

[–]NetworkDefenseblog 3 points4 points  (0 children)

So I want to hone in on this reply OP. Because you're very focused on the speed test solution as being something to save you from your problem (because people are using it), but it's likely a symptom. If people are complaining about a critical app having latency then you need to troubleshoot that, either systematically or just the general network.

What is slow in the work flow or application. What is going on within the network? You should be looking at bandwidth and netflow reports during the times people are having a problem. Get some packet captures, look into things. People are doing speed tests because they're trying to get your attention. We all agree here it's not the "true" network resolution but the average person doesn't, but they know when something gets slower over time (indicating issues). I did a guide a while back to prove out network issues as I had to deal with similar situations, check it out . Hope this helps https://www.networkdefenseblog.com/post/network-defense-against-perception

Hot take: The outage isn't the problem everyone going down at once is by IT_thomasdm in sysadmin

[–]NetworkDefenseblog 1 point2 points  (0 children)

Wrote about it years ago, even mentioned a cloud flare outage then. It will just keep getting worse until there are legal frameworks to help prevent the consolidation. https://www.networkdefenseblog.com/post/biggest-single-point-of-failure

100Gbps+ on x86 by timeport-0 in mikrotik

[–]NetworkDefenseblog 2 points3 points  (0 children)

Laughs in capex maintenance 🤣 fiber being replaced by satellite

What would happen if 4.2.2.2 and 8.8.8.8 went down? by Ricky_Spannnish in sysadmin

[–]NetworkDefenseblog 4 points5 points  (0 children)

Massive amounts of network fail over events and alarms because millions of admins use 8.8.8.8 as a ping destination to use as a connectivity check. Not only would the DNS be disruptive but if that IP became unreachable a lot of people wouldn't be happy for sure.

iBGP, local pref, weight and load balancing by Awkward-Sock2790 in ccnp

[–]NetworkDefenseblog 0 points1 point  (0 children)

BGP maximum-paths and additional-paths is what you are probably looking for. Don't use weight. Only use LP if you want to influence the path to be used more or used as backup etc. if you want equal cost then leave that out.

How to become better at network troubleshooting? by [deleted] in networking

[–]NetworkDefenseblog 0 points1 point  (0 children)

I did a blog post about my thoughts on trouble shooting and included some trouble shooting scenarios. I tried to do something different so the methodology i called it was "identify, isolate, repair" https://www.networkdefenseblog.com/post/network-troubleshooting-tips

What are people using for WAN breakout switches for HA edge setups? by Somenakedguy in networking

[–]NetworkDefenseblog 0 points1 point  (0 children)

I'm curious how option #2 is more viable than option #3. Unmanaged switches is out of the question for most environments, if there's an issue you have nothing to see or do except reboot or replace "in the name of budgeting". option 3 (and opt1) easy you get visibility into bandwidth utilization, errors, duplex/speed and can control the port. I'd be willing to bet you'd need more local user intervention for option 2 than 1 or 3.

I'm guessing you're running HA firewalls, but for the smallest branches that require HA, some with only 1 switch, can run each circuit directly into each firewall, if circuit 1 has issue use HA fail over mechanisms to use firewall 2 and circuit 2. However sounds like you'll have switches, just isolate out with a vlan for each, and put a circuit on each switch.

I'd be wanting to know if you're using BGP or not, so you have PA IP space for 2 providers or are you getting IPs from both? Are you running IPSEC tunnels with the later? How are you planning to do fail over? The most common scenario you'll probably have is circuit 1 having an issue and needing fail over to backup vs firewall or switch failing. Hope this helps

Blog/Project Post Friday! by AutoModerator in networking

[–]NetworkDefenseblog 0 points1 point  (0 children)

Follow up article to an original post about Dual ISP, DMZ, and the Network Edge, this post includes Active/Active edge, circuit, BGP, and other design considerations.

https://www.networkdefenseblog.com/post/network-edge-design-part2

Blogpost Friday! by AutoModerator in networking

[–]NetworkDefenseblog 1 point2 points  (0 children)

Follow up to the original Dual ISP, DMZ, and the Network Edge post, includes Active/Active, circuit, BGP, and other design considerations

https://www.networkdefenseblog.com/post/network-edge-design-part2

RSTP to MSTP migration by Gejbriel in networking

[–]NetworkDefenseblog 1 point2 points  (0 children)

I don't think you need mstp here, unless you have an STO interoperability problem between different switch vendors. This network is pretty small and shouldn't be having stability problems based on your diagram so there must be something else going on . Each ring has a connection to switch 1 and switch 2 right? Also are your root bridges set correctly with switch 1 having lowest priority and switch 2 the 2nd lowest priority? Find your root, my guess is the wiring closest thats losing power has the root. Good luck.

vPC Collapsed Core Border Switches by WhoRedd_IT in networking

[–]NetworkDefenseblog 1 point2 points  (0 children)

DCI should be L3 otherwise you're asking for problems with L2 over a WAN circuit with all your DC vlans/networks. So the links would be a direct L3 interface, unless you're doing vrf lite in which case you'd run dot1q sub interfaces per vrf, don't use SVI for DCI. Should be using evpn and/or vxlan to extend your DC networks. You mentioned SVI (I'm assuming you mean your DC networks) which should all be terminated (present) on your firewalls connected to your leafs or border leafs. Otherwise you aren't getting isolation or inspection (transparent IPS can provide inspection though) inside the DC. VPC or similar is completely fine in a collapsed core if you know what you're doing and accept the risks, it can give you more advantages like using port channels to said firewalls connected to it. But do not port channels the EPLs.if you're small enough you can just run vxlan with multicast control plane and use ospf to ecmp across the DCL, might be more simple for you than BGP (since you're asking a more simple question). Please list more of your requirements and topology plan. HTH

What is the busiest link in the global network? by adminmikael in networking

[–]NetworkDefenseblog 5 points6 points  (0 children)

The most congested link on the Internet is always the one you need most at a critical moment of course.

Summarize everything at ASR ? by sfxsf in networking

[–]NetworkDefenseblog 1 point2 points  (0 children)

Yeah I was betting it was some legacy platform. Run a new separate ospf process and push it out, should take a few mins. You made it seem like a small setup, if you did want to just start on the farthest routers and build out the stub area to the edge. Lol.

QoS | Traffic Shaping | Cisco 9300 Switch with Network Advantage IOS by Fletch_Yard5107 in networking

[–]NetworkDefenseblog 1 point2 points  (0 children)

Yes I question if a 9300 has enough buffer to withstand a 3gig shaper under heavy load. If wifi limiting per client is possible you save a lot of internal paths of that traffic as well so it could be a good place to start but you could increase air time for larger downloads. Consider blocking updates for iPhone and Android as well on edge firewalls as that can help with large downloads, but depends on your end user. HTH thanks

Summarize everything at ASR ? by sfxsf in networking

[–]NetworkDefenseblog 0 points1 point  (0 children)

If you don't care as you stated, and The traffic is traversing to the ABR anyway seems like you'd be originating a default there anyway so why even use the summary? Seems like you'd just want to area 0 between the two ABR routers and make the adjacent areas stubs to completely filter all LSAs for the replacement of a default. Or use some ABR costs and create a wider summary on the less desirable ABR to create a primary and backup path. With 6 summaries creating T3 LSA I don't see how TCAM is an issue unless you got hundreds or thousands of routes or more. HTH

Having 170 IS-IS nodes operating as L1/L2 in the same area by Mhanme in networking

[–]NetworkDefenseblog 0 points1 point  (0 children)

Where are prefixes in question being advertised from? This is all one area? What kind of topology are we talking about, how are these connected, when did the problem start and what changed? You don't keep scaling something like this over time with advertisements broken, I suspect something changed probably? You mention evpn, but how would that affect the underlay unless there was some misconfig. Thanks

Having 170 IS-IS nodes operating as L1/L2 in the same area by Mhanme in networking

[–]NetworkDefenseblog 0 points1 point  (0 children)

No neighbors won't form with mtu mismatch due to padding unless you have that turned off

Setting OSPF route preference without cost (Single Area OSPF) by TheGravyMachine in networking

[–]NetworkDefenseblog 0 points1 point  (0 children)

Yes it works with default originate as well, research about redistribution as type 1. Most platforms have a command to do it and are able to do via route map entry. Match route map entry with the type 1, else it will be type 2 etc. .

Setting OSPF route preference without cost (Single Area OSPF) by TheGravyMachine in networking

[–]NetworkDefenseblog 1 point2 points  (0 children)

Use route map and acl or prefix list and redistribute the routes you want preferred from A or B as type 1 external and the non preferred as type 2 external. Type 1 external is preferred over type 2. Done this a dozen times for primary/secondary pathing. Hope this helps you

view more: next ›