Recent posts

#91
Routing and Switching / Re: Add a backup router to the...
Last post by deanwebb - February 06, 2024, 09:54:37 AM
Going with what Otanx said, the PFsense router may be more usable as a cold spare. For redundancy, I've seen setups where there's a business connection that has two inbound cables from the ISP or one cable each from a different provider, then the two are either set up with a link balancer tool or with a high-availability pair of identical firewalls/routers that have a heartbeat between them so that NAT and connection tables are maintained.
#92
Management Tools / Re: Switch SNMP Connectivity I...
Last post by deanwebb - February 06, 2024, 09:45:27 AM
I'm assuming from the context of the post that this is SNMPv3.

SNMPv3 cred fail means that there can be an issue with the auth, the priv, the appliance not being in the SNMP server group, the appliance IP address not being in the ACL that controls SNMP communications, or the SNMP setup limiting MIBs and one that the appliance requires is missing from the permitted MIB list.

Most common mistakes are the auth or priv mismatched/mis-set. Next most common are not adding IPs to server lists/ACLs. And if these guys actually defined MIBs to use, I'd try an access-all for the appliance just for troubleshooting and if that works, then the MIB list is in need of at least one more entry.

EDIT: Otanx ninja'd me! :D
#93
Homework Help / Re: How does DHCP client knows...
Last post by deanwebb - February 06, 2024, 09:39:19 AM
The network device that the client is attached to handles the DHCP request. The request is bound to a MAC address, so the network device makes sure that the request gets back to the device with that MAC address. In the case of multiple DHCP servers, the first to respond will be the one the client goes with.
#94
Management Tools / Re: Switch SNMP Connectivity I...
Last post by Otanx - February 06, 2024, 09:37:02 AM
If nobody can agree on what the password is, then that is probably your issue. Using SNMPv3, there are five items you need to make sure all match.

- Username: kind of obvious
- Password: kind of obvious
- Encryption Key: This is different than the password. The password authenticates the user, the key encrypts the data.
- hashing algo: This is how the password will be hashed. MD5, SHA, etc. Not all systems support the same algorithm so you need to pick one that all the systems can do. If it only says SHA it is probably SHA1, and not SHA2/SHA256.
- encryption algo: This is the encryption that will be used. 3DES, AES, etc. Same as hashing. Not all support the same ones. Also, if the choice is just "AES" it is probably AES128, not AES256.

If you are getting a credential failure then the encryption algo and key are probably OK. It has to decrypt the packet to authenticate. Then check hashing, password, and username. If you can get a pcap, Wireshark can decrypt SNMP; you just have to supply the info under the protocol preferences.

-Otanx
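Since both the question in #99 and the replies above come down to "which of the five items is mismatched", here is an added example (not code from anyone in this thread) that shows two things: how SNMPv3 USM turns a password into the localized key that the agent actually checks (RFC 3414 A.2, so the same password yields a different key per hash algorithm and per engineID), and a small profile comparison that normalizes ambiguous GUI labels before comparing. The alias table ("SHA" means SHA-1, "AES" means AES-128) encodes the reading in the post above and is an assumption, and the two profiles are constructed.

```python
"""SNMPv3 USM key derivation (RFC 3414 A.2) plus a profile mismatch check.

Added example, not code from anyone in this thread. Profiles below are
constructed. The alias table encodes the usual vendor GUI reading of
ambiguous names ("SHA" = SHA-1, "AES" = AES-128) and is an assumption.
"""
import hashlib

# Ambiguous algorithm labels normalized to an unambiguous name (assumed mapping)
ALGO_ALIASES = {
    "MD5": "md5",
    "SHA": "sha1", "SHA1": "sha1", "SHA-1": "sha1",
    "SHA256": "sha256", "SHA-256": "sha256",
    "DES": "des", "3DES": "3des",
    "AES": "aes128", "AES128": "aes128", "AES-128": "aes128",
    "AES256": "aes256", "AES-256": "aes256",
}
PROFILE_FIELDS = ("username", "auth_password", "auth_algo", "priv_key", "priv_algo")


def normalize_algo(name: str) -> str:
    """Map a GUI label such as 'SHA' or 'AES' to the algorithm it usually means."""
    return ALGO_ALIASES.get(name.strip().upper(), name.strip().lower())


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2 step 1: hash the password repeated cyclically to 1,048,576 bytes (Ku)."""
    if not password:
        raise ValueError("empty password")
    expanded = (password * (1048576 // len(password) + 1))[:1048576]
    return hashlib.new(hash_name, expanded).digest()


def localized_key(password: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2 step 2: Kul = H(Ku || snmpEngineID || Ku).

    The agent compares against Kul, so a different hash on either side, or a
    password set on the wrong engineID, shows up as a credential failure.
    """
    ku = password_to_key(password, hash_name)
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def compare_profiles(nms: dict, device: dict) -> list:
    """Return the fields whose values differ after normalizing algorithm labels."""
    mismatches = []
    for fld in PROFILE_FIELDS:
        a, b = nms[fld], device[fld]
        if fld.endswith("_algo"):
            a, b = normalize_algo(a), normalize_algo(b)
        if a != b:
            mismatches.append(fld)
    return mismatches


# Constructed profiles: the NMS template says "SHA" (SHA-1); one switch was built with SHA-256.
NMS_PROFILE = {"username": "nms-ro", "auth_password": "maplesyrup", "auth_algo": "SHA",
               "priv_key": "priv-key-example", "priv_algo": "AES"}
SWITCH_PROFILE = {"username": "nms-ro", "auth_password": "maplesyrup", "auth_algo": "SHA-256",
                  "priv_key": "priv-key-example", "priv_algo": "AES128"}

if __name__ == "__main__":
    engine = bytes.fromhex("000000000000000000000002")  # engineID from RFC 3414 A.3
    for algo in ("md5", "sha1", "sha256"):
        print(algo, localized_key(b"maplesyrup", engine, algo).hex())
    print("mismatched fields:", compare_profiles(NMS_PROFILE, SWITCH_PROFILE))
```

The password and engineID in the demo are the RFC 3414 Appendix A test vector, so the MD5 and SHA-1 outputs can be checked against the RFC. Wireshark's SNMP protocol preferences do this same localization when you give it the username, algorithms and secrets.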
#95
Everything Else in the Data Center / Re: moving the datacenter
Last post by Otanx - February 06, 2024, 09:26:28 AM
Do you have the budget to stand up the new place first and migrate? That is how we ended up doing it. We built out the new data center network, and some new hypervisors and storage. We connected it to the old facility with a temporary circuit, and started migrating systems from one to the other. Once we thought we were done we shut off the link to the old space, and did a scream test. Took a couple tries. Once done we excessed most of the network gear at the old site. It was pretty old anyway.

Issues we had:
- Servers not installed correctly: We had servers sitting on top of other servers. No rails to be found. This caused some issues with order of operations. I can't move the server on the bottom until we move the other servers. After the move those all got flagged for replacement.
- Drive failures: Make sure you have good backups. Drives are going to fail. If you have a lot of the same drives see if you can get the vendor to send some ahead of time for swaps. Otherwise you move a server, and the drive fails. You RMA it, and wait for the RAID rebuild before doing the second server in the HA pair. Or you accept risk and move the second server while the first one is still in a degraded state.
- Other failures: Drive failures are not the only thing that will fail. Power supplies, fans, full systems. Moving systems will break them. When possible virtualize, and move, or build on new hardware, and decom.
- Link speed: We built out new, and migrated. We found we still had 3 devices that only would do 100M, and didn't have a way to support them on the new gear that did 1/10G.
- Misc parts: Stock up on cables of different types and lengths, power cables, SFPs, cage nuts, screws, etc. You don't want to scrounge up cables because the server was installed 2U below the switches in the old place, but is now at the bottom of the rack. This also includes extra tools for mounting gear. If you don't know, there is a tool for installing cage nuts so you don't rip your fingers apart. Get a bunch.

-Otanx
#96
Routing and Switching / Re: Add a backup router to the...
Last post by Otanx - February 06, 2024, 08:56:52 AM
There are a few items you need to consider:
1. Will the GPON hand out addresses to both the openwrt and PFsense routers at the same time? Some ISPs limit customers to a single device, and if so you will not get any failover.
2. How do you plan on handling the inside to outside traffic flow? Assuming the openwrt router is the default gateway how will the endpoints know to start using the PFSense router instead?
3. You will still have a lot of single points of failure, and this setup only protects you from a failure of the openwrt router. If that is worth it is up to you. I would probably not bother, and if I was having issues with the openwrt router I would just replace it instead of trying to add redundancy.
4. Understand that you will still take an outage on failover because the NAT and connection tables will end up blank.

-Otanx
#97
Routing and Switching / Add a backup router to the int...
Last post by adhossain - February 06, 2024, 03:55:02 AM
I have a simple network setup where my fiber optic cable connects to the GPON and the CAT6 cable from the GPON connects to an openwrt router. The openwrt router then connects to a switch and the switch delivers internet to the wifi access point and my connected PCs.
Now I want to add a Pfsense backup router from the same gateway so that the CAT6 cable from the GPON will connect to the managed switch using VLAN and both routers will also connect to the managed switch using VLAN so that, if one router fails, I can have continuous internet. The managed switch will also distribute internet to other networking devices using a separate VLAN.
Maybe this sounds stupid, but I'm wondering if it is possible. If so, any guidance?

#98
Homework Help / How does DHCP client knows tha...
Last post by networkloser - February 06, 2024, 02:15:09 AM
Let's discuss the "DORA" of DHCP.

1) Discover
Client broadcasts that "I want IP address".
Destination IP address=All 0s.
Destination hardware address=All Fs.
Source hardware address=DHCP Client address

2) Offer

Server(s) make an offer.
Destination hardware address=client's MAC address
So that the client knows the offer is for it.
It also should contain the server's IP address(es).

3) Request

Client broadcasts DHCP request packet.

This includes:
DHCP server's IP address, so that the others can cool down their IP address and the client gets one from the server it wants.
Client's hardware address, so that the client hardware->IP address mapping can be done.
Destination address is All Fs, so that all hosts receive the notification.

4) Acknowledgement.

I am following TCP/IP foundations by Black and I'm confused how will the client know that the acknowledgement came for it?
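To make the matching concrete, here is an added example (not code from anyone in this thread) that decodes a DHCP message per RFC 2131 and applies the check a client performs on every reply: the reply is accepted only if its chaddr is the client's own hardware address and its xid is the transaction ID the client put in its DISCOVER/REQUEST. The sample DHCPACK is constructed inline; the MAC, addresses and xid are made-up values. The server identifier option (54) that the REQUEST step above refers to is extracted as well.

```python
"""Parse DHCP (RFC 2131) messages and check which client a reply belongs to.

Added example, not code from anyone in this thread. The ACK bytes are
constructed inline; MAC, xid and addresses are made-up documentation values.
"""
import struct
from dataclasses import dataclass, field

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE"}
OPT_PAD, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(o) for o in raw)


@dataclass
class DhcpMessage:
    op: int          # 1 = BOOTREQUEST (client -> server), 2 = BOOTREPLY (server -> client)
    xid: int         # transaction id chosen by the client in its DISCOVER
    yiaddr: str      # "your" address: the one being offered or assigned
    chaddr: bytes    # client hardware address (first hlen bytes of the 16-byte field)
    options: dict = field(default_factory=dict)

    def message_type(self) -> str:
        raw = self.options.get(OPT_MESSAGE_TYPE, b"\x00")
        return MESSAGE_TYPES.get(raw[0], "UNKNOWN")

    def server_identifier(self) -> str:
        raw = self.options.get(OPT_SERVER_ID)
        return bytes_to_ip(raw) if raw and len(raw) == 4 else ""


def parse_dhcp(data: bytes) -> DhcpMessage:
    """Decode the fixed 236-byte header, the magic cookie, and the TLV options."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", data[:12])
    msg = DhcpMessage(op=op, xid=xid, yiaddr=bytes_to_ip(data[16:20]),
                      chaddr=data[28:28 + hlen])
    i = 240
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option")
        length = data[i + 1]
        msg.options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return msg


def is_for_me(msg: DhcpMessage, my_mac: bytes, my_xid: int) -> bool:
    """A client accepts a reply only if it is a server reply carrying its own chaddr and xid."""
    return msg.op == 2 and msg.chaddr == my_mac and msg.xid == my_xid


def build_ack(xid: int, client_mac: bytes, assigned_ip: str, server_ip: str) -> bytes:
    """Construct a DHCPACK the way a server would; used here only as sample input."""
    header = struct.pack("!BBBBIHH", 2, 1, len(client_mac), 0, xid, 0, 0)
    header += bytes(4)                        # ciaddr
    header += ip_to_bytes(assigned_ip)        # yiaddr
    header += ip_to_bytes(server_ip)          # siaddr
    header += bytes(4)                        # giaddr
    header += client_mac.ljust(16, b"\x00")   # chaddr, padded to 16 bytes
    header += bytes(64) + bytes(128)          # sname, file
    options = (bytes([OPT_MESSAGE_TYPE, 1, 5])
               + bytes([OPT_SERVER_ID, 4]) + ip_to_bytes(server_ip)
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    my_mac, my_xid = bytes.fromhex("001122334455"), 0x3903F326   # constructed values
    ack = parse_dhcp(build_ack(my_xid, my_mac, "192.0.2.10", "192.0.2.1"))
    print(ack.message_type(), ack.yiaddr, "from", ack.server_identifier())
    print("for me:", is_for_me(ack, my_mac, my_xid))
    print("for a neighbour with another MAC:", is_for_me(ack, bytes.fromhex("66778899aabb"), my_xid))
```

A neighbour with a different MAC, or a client that sent a different xid, receives the same broadcast frame but drops it at this check; that is also why a switch with DHCP snooping can verify that the chaddr in a client message matches the frame's source MAC.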
#99
Management Tools / Switch SNMP Connectivity Issue
Last post by config t - February 05, 2024, 05:49:16 PM
On one of the enclaves I support there are around 190 switches and routers managed by my NAC tool. The switch objects are configured with profiles so the settings are the same for each group. Several of the switches are getting SNMP cred fail errors and the answer doesn't seem to be obvious (to me).

-the snmp service account and snmp group/view is configured the same across switches
-snmpwalk from the connecting appliance says cred fail
-all of the switches are on the same network with connectivity to managing appliances, so pretty sure it's not fw related
-switches are same model/version (C9300)

Can't figure out what I am missing. I think we already looked for an inbound/outbound acl. MIB? I would think MIB is the same on a particular version.

I hate to say it could be something as dumb as a wrong password. Nobody can seem to agree on what the SNMP password is for this particular account. Terrible PAM practices should be frowned upon.
#100
Everything Else in the Data Center / Re: moving the datacenter
Last post by deanwebb - February 05, 2024, 08:54:41 AM
Prepare for regular "cry tests" when you unplug stuff and wait to see if anyone cries about it. If nobody cries, then don't move that asset. You will not move everything. Taking a good look at what the visibility tool discovers in the datacenter will help with finding esoteric items from bygone days that need to not graduate up to the new DC.

Even worse is the data part of the datacenter. Those teams that manage data need to have a data visibility tool in place ($VENDOR alert, my company works with Alation as a partner in that space) to discover all the data and determine what's currently accessed and what can be sent off to long-term cold storage and forgotten.