Hello, I would like to know if changing the congestion control algorithm at the client side has any effect on TCP performance; from what I learned it is the sender side that has the cwnd limit, so only a change on the server will affect throughput (I am assuming the ideal case of a client that only sends ACKs and no data). The only useful tweak at the client side would be the advertised window default size, or am I wrong?
Saturday, January 13, 2018
XO Ethernet Circuits Can't Have Bandwidth Upgraded?
Anyone with XO circuits out there that can lend a hand here?
We have an XO circuit through one of our vendors. We have no business relationship with XO at all and this is an unmanaged circuit we use to communicate with the vendor.
The handoff is copper Ethernet and I do not know the hardware involved as it comes in over a cross connect to our rack. The circuit has 2 VLANs, one with a public internet IP and one with a private IP to use to communicate with the vendor. We had XO shut off the public VLAN so the circuit couldn't be DDOSed and so the circuit appears to be a private layer 2 connection between us and the vendor.
We currently wish to double the bandwidth of the circuit, and we will still be well below the 100Mbps that the port is.
We're being told this is impossible and we must order a new circuit and term the old one.
Can anyone confirm if this is accurate or if it's complete bullshit? We've never had an issue with any other network provider adjusting the traffic policer on our circuits to adjust bandwidth when upgrading a circuit. Level 3, AT&T, Comcast, etc. Usually 1 phone call / change order is all it takes to have them adjust the bandwidth on the circuit for us. I stumbled across XO's Bandwidth-on-Demand service, but have no way of determining if it's applicable to this circuit.
Since we're not an XO customer our argument isn't with them, but the vendor that's passing along this information to us.
Thanks
BGP free core - how do you handle routes from IX?
Our core routers don't run BGP, they're just doing MPLS stuff. We have an internet VRF on the PE routers that have all the internet routes, and I was wondering how do you guys handle routes from exchanges. Do you take those routes in to your internet VRF or to something else?
How about private peering?
Our environment is firewall heavy by regulations and we have to firewall everything between different segments...
Splitting dual-band SSID into two?
Just curious if anyone has had any experience taking a single SSID that uses both 2.4 GHz and 5 GHz and splitting it into two separate SSIDs, one for 2.4 only and one for 5 only?
I'm considering this for our on-campus housing. I've got a Cisco WLC and each network is currently using Band Select. Unfortunately, there seem to be a lot of clients that still prefer 2.4 GHz and then we, of course, get complaints about slow speeds or bad signal. Sometimes we go over there and there doesn't seem to be any issue we can see on our phones and test devices; other times we can see an issue but switching over to 5 GHz instantly makes things better. Many of these residence halls have 2.4 GHz interferers in the form of things like cheap and/or old microwaves.
We thought Band Select would help, and maybe it is for some devices. I've seen some though that insist on staying on 2.4 GHz until you go into device settings and tell it to always prefer 5 GHz. Some cheap Wal-Mart laptops only seem to come with 2.4 GHz radios (ugh) but we've seen dual-band Linksys USB wifi adapters that are cheap enough that it won't break the bank for students who want them.
What I'm considering is to just shut off 2.4ghz on the current SSIDs that everyone's devices know and create a new one for 2.4ghz with the same name except with "Legacy" or something included. My hope is that existing devices that know the current SSID will simply reconnect at 5ghz if they support it and, if they don't, the user will have a new SSID to join for 2.4ghz only. Of course I know we need to evaluate 5ghz coverage first.
I've seen this as Best Practices in a Cisco White Paper for Apple devices but I was hoping to hear from anyone on this subreddit that might have experience with this and knows if it improves anything?
Thanks!
30 PC Gaming Competition Hardware
A business partner of mine is running a gaming competition with around 30 PCs. During the competition around 16 of them will be running a game whose servers are hosted offsite. We will also have 2 Twitch streams running. Any hardware switch/router or layer 3 switch you guys could recommend? Trying to be price conscious but it must be lag free and have QoS on the ports used for gaming.
Any perfSonar experts in the house?
I am currently testing perfSonar in a test (hardened) environment and followed the installation guide from their website. I configured throughput tests to a couple of hosts (one in Alaska and another in Hawaii) to run every hour, but I don't see any test results (logs). Any perfSonar users on here? Thanks
PRTG to make changes to device?
I don't know if this is possible but I am currently monitoring some APC Switched rack PDUs using SNMP in PRTG. I got the MIBs from APC and everything seems to be working fine.
However, does anyone know how I can turn on/off specific outlets on the PDU directly from PRTG (or if this is even possible)?
NAT with a loopback for the outside int - Cisco ASR
Does anyone have experience or a sample config of using an ASR for a combination of NAT, eBGP and iBGP, and setting the outside interface as a loopback?
I've been following this article; but traffic dies when I remove it from gig 0/0/0, which is our main provider's ptp peering link.
When the outside is set to the gig 0/0/0, life is good, NAT works great.
I set up a second loopback with a public /32 IP. I can get to this from the outside. I have added ip nat outside to this interface. show ip nat stat shows up with interfaces gig 0/0/0 and loopback 1. This is great.
Now, when I go and remove ip nat outside from gig 0/0/0 to force everything through the loopback, NAT traffic dies.
This is all part of a bigger problem, where I'm trying to set up a second BGP peering session on a secondary router, and have that router and this router peered internally. (Right now when that connection is enabled, NAT'd clients can't get traffic from the second peer, which makes sense.)
anyone have any experience with this? any valuable insights?
How to create a multi account network like a university?
So at universities you have a user account + password that allows network access. You have to sign in using a user + password on the wifi.
What should I look into to learn how to do that?
BGP Load Sharing
We have a plan currently to do BGP peering with two ISPs for our new /24 block.
I've set up peering for the first already working well, and the second one will be complete soon.
My question is as follows:
Most of our customers are on ISP1 which means that they will come in over ISP1's advertised route - leading to most of our traffic coming in over this line.
What I do not know is if I can even this out by using AS-Path prepend on this line to make more traffic select ISP2 as the better route or if I'm simply going to shift my majority load to ISP2.
Thoughts? BGP is a new world to me so feedback is appreciated.
Hardware needed for full duplex Gigabit?
I'd like to build a router from scratch using plain Linux (not even a router distro). I have a 1/1 Gbit/s fibre which I wouldn't like to bottleneck. I'd prefer the final product to be passively coolable. What kind of CPU performance, how much RAM and what kind of NICs will I need?
Do you know of any mini PCs that comply with that? (2 quality Gigabit NICs, decent CPU and RAM)
BGP routing on firewalls
We have this kind of setup:
Customer connects to our network at two different cities, and we have BGP peering with them. Then we have static routes towards one of the customer's virtual FWs, let's say to number 1 in this case. We point the default route statically to the FW transit network, and in that network we have static routes towards the different server firewalls to get to the servers.
Static routes being quite troublesome, and as we have to choose which customer FW we use, I'd like to move this to a fully BGP routed network.
How would you configure it so that there wouldn't be asymmetric routing that breaks the firewall's session tracking? Or how would you configure AS numbers in that network? We're currently using the same AS in the FW transit and in the routers below, as the routers below are physically the same devices doing the transit network too.
Thanks!
Kemp LoadBalancer - customize SfB web page
Is it possible to block the "Sign in with a different account" fields on the Skype for Business websites (dialin/meeting etc.) with Kemp? The reason I am asking is that our company guidelines stipulate that it must be prohibited for users to authenticate from the outside.
Ideally the login fields would only be blocked if the user is trying to access from the outside. Since I've only done elementary things with Kemp so far, I would be very grateful if someone could point me in the right direction.
Thank you in advance!
What is cheaper for wide-scale internet deployment: cable/fiber or LTE?
Having trouble finding an answer to this. Let's say you have to decide how to give data access to an entire country with a low-density population (i.e. many small cities, a few big ones and then nothing but a few rural communities and roads in between); what would be cheaper to deploy on a mass scale, wireless or "traditional" data connections using cable/fiber?
Need to VPN Two SonicWall TZ-100s
Hey All,
A newbie question here. A doctor's office I contract for recently had structural damage to their building, so they needed to move to an auxiliary building to support existing patients. There is a server (still running fine) at the original location that acts as a domain controller/file server. I was able to get them basic access to client software by using TeamViewer into computers that are set up at the old location. This is working just fine for them. However, they are installing a new MRI machine at the auxiliary location that needs to connect to the server at the old location to upload and access files at the old location.
They currently have a Sonicwall TZ-100 up and running at their old location from their previous IT company. I have an additional spare TZ-100 that I can set up at their auxiliary location to connect to the old location, however, I've never set up a VPN before in any respect.
What I need is the ability to inherently point the new MRI machine to the server at the old location. What are my starting points? Are there any guides I can follow?
Thanks for your time.
Recommendations for 802.11 wireless site design guides or physical access point placement design guides?
I haven't done much wireless at enterprise level. I need to deploy access points for a small/medium campus and I'm looking for some reading on how to properly determine locations for access to get the best coverage and minimize 2 & 5 GHz congestion. In the past I've done 'guess and check' for access point placement but I figure there had to be a more scientific method of determining AP placement.
Thanks!
How to setup VPN passthrough on the Arris BGW210
I have the Arris BGW210 as the main modem/router and also an Asus AC86U.
I would like to set up the 86U as the VPN router, but the problem I have is it won't connect with a UDP file, only a TCP one. VPN support told me most likely the BGW210 is causing the issue.
What should I do now?
Thanks
Recommendations for Switch-to-Switch encryption of a 40Gbps Dark Fiber link?
Greetings all. Hopefully I haven't jumped over my head here...
Background:
I'm the de-facto IT admin for a small video post-production company that has another location a couple miles away. IT is not my primary role at this company, so I know just enough to get myself into trouble.
Anyway, the city has relatively inexpensive Dark Fiber, so our plan was to go for it. There'd be a Dell N4064 on each end with the 40Gbps uplinks connected via the DF and we'll be using every bit of that throughput.
The Problem:
We have several high profile clients that regularly do their own security audits of our facility and I recently mentioned our dark fiber intentions to them. They said that if we do it, they'll demand that we encrypt all traffic that flows over it.
So, I've been reading up on switch-to-switch encryption. Sounds like 802.1AE (MACsec) does the trick, but the Dells don't seem to support that. In fact, I haven't found many switches that do, aside from a few top tier Cisco and Juniper switches.
My questions:
1 - Is 802.1AE what I should be looking into? Can it handle a 40Gbps link (or four 10Gbps links)?
2 - Is there a device I can add that'll handle doing just the link encryption without needing to mothball my Dells? (i.e. Bldg1 N4064 to Device-A to Dark Fiber to Device-B to Bldg2 N4064)
3 - If I do need to rip and replace, any recommendations on what switch to go with that will support encrypting one 40Gbps link or four 10Gbps links? (Preferably with a web GUI [Laugh if you must.])
Thank you!
Friday, January 12, 2018
Marina WiFi Help
Looking to setup an outdoor WiFi network to serve a maximum of about 200 clients at a yacht club. I am not an IT professional, but I’ve dabbled enough to be dangerous. Let me know if I’m on the right track? Is there a technology or brand I should look into?
There are about 60 boats with people who are likely to use WiFi, and I figure each boat could have a few phones, a laptop, and possibly a streaming media device.
The club currently uses a consumer grade router with a high gain directional antenna on land, which is pointed at the docks. This works OK, but the performance suffers at busy times.
I'd like to set up access points on the docks. I'm considering running CAT6 with a PoE adapter from the router in the clubhouse, down the docks in liquidtight conduit, to TP-Link WBS 210 base stations, or something similar. PoE lets me avoid needing extra receptacles set up. I would probably start with two APs. Should I consider an enterprise router or switch in the clubhouse for the APs?
I am not worried about enterprise security or management. This network is separate from any of the club's POS systems and would hopefully be "set and forget".
New firewall / network setup suggestions. Is this hub spoke done right?
I'm looking at replacing an old ZyWALL with a pfSense box. Just wondering if I am doing this right or if there are any glaring errors I don't see. (I'm a one man band that doesn't have someone to ask.) Specifically, I'm wondering if that hub spoke looks ok or if I can daisy chain anything to make better use of firewall ports. Current and proposed and both at once
Flaws?
I recently designed a small business network for about 50 nodes across 2 floors at about 107 ft long. 2F has about 21 nodes while 1F has about 29 nodes inclusive of IP cameras. What I did was set a switch and patch panel in the existing server room on 2F, and ran 2 fiber cables to 1F, which has 2 switches and a 48P patch panel. So both switches are connected via fiber cable, where the 2F switch connects to my firewall. Now, the client has decided that every machine needs additional cables to facilitate printers, keypads and card makers. The cable run has been completed and adding 17 cables would cause a mess to rerun. So instead, at each cubicle, I decided to use dummy switches to add connections to the additional hardware. My main switches are Cisco SG300 28P x3 and the dummy switches are TP-Link 5 port smart switches.
In the above topology, will the switch to switch cause any problems? Considering that the Cisco switches have STP enabled.
Anyone have a recommended training series for F5 load balancers?
I tried INE's, it was small. I'm looking for something very in-depth.
What do you use for your voice network?
Sometimes I suspect that I get tunnel vision on the popularity of certain technologies. I mainly work with various REDCOM switches with a mix of Cisco and TEO IP phones and generic POTS. Our sister network is mainly CUCM. I've briefly worked with CUCME and have researched UCaaS services, but I always wonder what the popular choices for the average medium to large networks is. CUCM seems like licensing-hell. What does YOUR company use?
How do you give access to your management network
Hello all,
How is your management network accessed where you guys work?
Does it live off a firewall or router with access only given to certain machines? Or does it live completely isolated, and a server has remote connectivity + an interface to management?
What is the process like to gain access to the network to perform troubleshooting? What kind of remote services do you use to gain access, and what is the process like to authenticate you?
I am curious as to how you guys set up your management network, as I will be setting one up soon and I want to know best practices and ideas.
Thanks for any tips,
Very weird Mac OS vlan tagging issue
Was curious if someone with a bit more packet capture / debugging knowledge might be able to more solidly identify the actual issue occurring here. I've got a user connected to Cisco 3650 switch from an iMac running High Sierra (10.13.2). Due to garbage Brother printer drivers that can't do scanning if the printer is on a different ipv4 subnet from the computer, this particular Mac is using the built in gigE port with networking set to off. Then, via Network -> Manage Virtual Interfaces, two VLAN tagged virtual interfaces have been added, one on the printer vlan with ipv4 but no gateway, and one on the normal computer vlan with traditional dhcp and default gateway being assigned. Computer is able to talk to both networks without issue.
Computer was upgraded to high sierra around whenever it came out, no obvious consequence, everything seemed to work as it had before. It was recently noticed that no matter what was attempted, the Apple photos.app could no longer sync with iCloud. It is able to determine how many photos need to be synchronized, but no synchronization occurs.
The issue made it to the networking side after no one from apple or desktop support could figure out what was going on. I found an odd post about someone having this issue and flipping to wifi resolved it. Okay let's try it, wifi on, hey, photos start coming down instantly. Well that's weird.
I put Wireshark on the system and noticed that traffic to/from the 17.0.0.0/8 apple network will seem to be successful, tcp sessions get established to 443, some data flows (I assume just the part which determines what needs synchronization), then the connection goes mostly idle for a while followed by a bunch of tcp resets, then it all repeats again. There will be some out of order packets sprinkled about.
I change the switch port back to access mode, dump the virtual interfaces, issue goes away. I got out a MacBook Pro running same OS, set up a thunderbolt gigE NIC dongle to tagging, connected it to a tagged switch port, same exact issue occurs, so at least it's reproducible.
I haven't begun looking at the packets on the firewall side yet but that's my next step. Firewall is Fortigate doing plain NAT, nothing exciting. I did consider perhaps MTU issue and lowered it, but same issue occurred. Large file copies to/from iCloud drive are not impacted or running slower than they should, it's strictly the photos app syncing. Only thought so far is that photos is somehow having control of the network stack at a level it shouldn't, for reasons unknown, and not behaving itself if the interface is tagged / virtual. Wireshark on the en0 interface seems to reflect some tcp traffic that is not being tagged, which should also not be occurring, so perhaps photos is somehow causing the Mac to send untagged packets to a tagged port while every other app doesn't, and only for the image data sync.
No one has been able to figure out what I'm missing on this.
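One way to check a capture for the untagged frames suspected above is to decode each frame's 802.1Q tag and flag IP traffic that arrives without one. This is an added illustration written for this thread, not the poster's capture or tooling; the MAC addresses, VLAN IDs (10 for computers, 20 for printers) and frame bytes are constructed.

```python
"""Audit Ethernet frames seen on a host interface that should only carry
802.1Q-tagged traffic. Added example for this thread; all frames, MAC
addresses and VLAN numbers below are constructed, not captured data."""
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_ARP = 0x0806


@dataclass
class Frame:
    dst: str
    src: str
    vlan_id: Optional[int]   # None for an untagged frame, 0 for a priority-tagged one
    pcp: int                 # 802.1p priority from the tag (0 when untagged)
    ethertype: int           # EtherType of the payload, after any tag


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes) -> Frame:
    """Decode dst/src/EtherType and, if present, a single 802.1Q tag (TPID 0x8100)."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    (etype,) = struct.unpack("!H", raw[12:14])
    vid, pcp = None, 0
    if etype == ETHERTYPE_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", raw[14:18])
        pcp, vid = tci >> 13, tci & 0x0FFF
    return Frame(_mac(dst), _mac(src), vid, pcp, etype)


def audit(frames, expected_vlans) -> list:
    """Return (index, reason, Frame) for frames that do not belong on the tagged
    port: untagged or priority-tagged (VID 0) IP traffic, or a VLAN the port was
    not configured for. A trunk puts untagged frames in its native VLAN, so they
    land in a different VLAN than the host's address lives in and replies never
    reach the virtual interface; untagged ARP is tolerated here as noise."""
    findings = []
    for idx, raw in enumerate(frames):
        f = parse_frame(raw)
        if f.vlan_id in (None, 0):
            if f.ethertype in (ETHERTYPE_IPV4, ETHERTYPE_IPV6):
                findings.append((idx, "untagged IP frame on tagged port", f))
        elif f.vlan_id not in expected_vlans:
            findings.append((idx, f"unexpected VLAN {f.vlan_id}", f))
    return findings


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Construct a sample frame, optionally with an 802.1Q tag (test data only)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, (pcp << 13) | (vlan_id & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload


MAC_HOST = "aa:bb:cc:00:00:01"      # constructed addresses
MAC_GW = "aa:bb:cc:00:00:fe"
IPV4_STUB = bytes(20)               # payload bytes; only the EtherType matters here

SAMPLE_FRAMES = [
    build_frame(MAC_GW, MAC_HOST, ETHERTYPE_IPV4, IPV4_STUB, vlan_id=10),        # normal
    build_frame(MAC_GW, MAC_HOST, ETHERTYPE_IPV4, IPV4_STUB, vlan_id=20),        # printer VLAN
    build_frame(MAC_GW, MAC_HOST, ETHERTYPE_IPV4, IPV4_STUB),                    # untagged!
    build_frame(MAC_GW, MAC_HOST, ETHERTYPE_IPV4, IPV4_STUB, vlan_id=0, pcp=5),  # priority-tagged
    build_frame(MAC_GW, MAC_HOST, ETHERTYPE_ARP, bytes(28), vlan_id=30),         # wrong VLAN
    build_frame(MAC_GW, MAC_HOST, ETHERTYPE_ARP, bytes(28)),                     # untagged ARP
]


def audit_sample() -> list:
    """Indexes of offending frames in SAMPLE_FRAMES when VLANs 10 and 20 are expected."""
    return [idx for idx, _, _ in audit(SAMPLE_FRAMES, {10, 20})]


if __name__ == "__main__":
    for idx, reason, f in audit(SAMPLE_FRAMES, {10, 20}):
        print(f"frame {idx}: {reason} (src {f.src}, ethertype 0x{f.ethertype:04x})")
```

To run it against a real capture, feed the raw bytes of each frame (for example from a pcap reader) into audit() in place of SAMPLE_FRAMES.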
EDIT: SOLVED!!!! Thanks to /u/spann0r. I knew it was something simple and stupid, and it was because I didn't set up the return network on CENTRAL =)
Hey /r/networking, no one has been able to help me figure out what I am missing in this exercise to get the last routing step correct. I've asked people on Cisco and in my NOC. I am following this packet tracer exercise, #15
The instructions are:
LAYER 2 ETHERCHANNEL:
1. Configure CENTRAL switch interfaces with the following parameters:
   - Fa 0/1 and Fa 0/2 as PAGP desirable ports for etherchannel group n°1
   - Fa 0/3 and Fa 0/4 as LACP active etherchannel ports for etherchannel group n°2
2. Configure SW1 Fa 0/1 and Fa 0/2 interfaces as PAGP auto (etherchannel group n°1)
3. Configure SW2 Fa 0/1 and Fa 0/2 interfaces as LACP passive ports (etherchannel group n°1)
LAYER 3 ETHERCHANNEL:
1. Configure CENTRAL Fa 0/23 and Fa 0/24 interfaces as unconditional Layer 3 etherchannel members for port channel 3
2. Configure CENTRAL Port Channel 3 interface with ip address 10.6.0.1/24
3. Configure ROUTER Fa 0/23 and Fa 0/24 interfaces as unconditional Layer 3 etherchannel members for port channel 1
4. Configure ROUTER Port Channel 1 interface with ip address 10.6.0.2/24
IP CONNECTIVITY:
1. Configure RIP v2 on CENTRAL and ROUTER devices to enable connectivity between VLAN 1 devices and ROUTER.
2. Test connectivity between Laptop0 and ROUTER.
Here's my code:
CENTRAL>en
CENTRAL#conf t
CENTRAL(config)#int range fa0/1-2
CENTRAL(config-int-range)#channel-group 1 mode desirable
CENTRAL(config-int-range)#int port-channel 1
CENTRAL(config-int)#switchport trunk enc dot1q
CENTRAL(config-int)#switchport mode trunk
CENTRAL(config-int)#int range fa0/3-4
CENTRAL(config-int-range)#channel-group 2 mode active
CENTRAL(config-int-range)#int port-channel 2
CENTRAL(config-int)#switchport trunk enc dot1q
CENTRAL(config-int)#switchport mode trunk

SW1>en
SW1#conf t
SW1(conf)#int range fa0/1-2
SW1(conf-int-range)#channel-group 1 mode auto
SW1(conf-int-range)#int port-channel 1
SW1(config-int)#switchport trunk enc dot1q
SW1(config-int)#switchport mode trunk

SW2>en
SW2#conf t
SW2(conf)#int range fa0/1-2
SW2(conf-int-range)#channel-group 1 mode passive
SW2(conf-int-range)#int port-channel 1
SW2(config-int)#switchport trunk enc dot1q
SW2(config-int)#switchport mode trunk

CENTRAL(config-int)#int port-channel 3
CENTRAL(config-int)#no switchport
CENTRAL(config-int)#ip add 10.6.0.1 255.255.255.0
CENTRAL(config-int)#int range fa0/23-24
CENTRAL(config-int)#no switchport
CENTRAL(config-int)#channel-group 3 mode on
CENTRAL(config-int-range)#end
CENTRAL#conf t
CENTRAL(conf)#ip routing
CENTRAL(config)#router rip
CENTRAL(config-router)#version 2
CENTRAL(config-router)#network 10.6.0.0

ROUTER>en
ROUTER#conf t
ROUTER(config)#int port-channel 3
ROUTER(config-int)#no switchport
ROUTER(config-int)#ip add 10.6.0.2 255.255.255.0
ROUTER(config-int)#int range fa0/23-24
ROUTER(config-int)#no switchport
ROUTER(config-int)#channel-group 3 mode on
ROUTER(config-int-range)#end
ROUTER#conf t
ROUTER(conf)#ip routing
ROUTER(config)#router rip
ROUTER(config-router)#version 2
ROUTER(config-router)#network 10.6.0.0
Would someone please help me figure out what I'm doing wrong? What commands could I use to figure out the problem, and how could I rectify that?
Everything shows as correct, except for Route1: the connection from Laptop0 to ROUTER. Laptop 0 can ping CENTRAL. CENTRAL can ping ROUTER. What am I missing?!?
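The symptom in this post (Laptop0 reaches CENTRAL, CENTRAL reaches ROUTER, but Laptop0 cannot reach ROUTER) is the classic missing return route: ROUTER only learns the prefixes that CENTRAL's RIP network statements cover. The model below, an added illustration written for this thread rather than the poster's Packet Tracer output, applies IOS classful network-statement matching to the posted config and checks both directions of the ping; Laptop0's VLAN 1 subnet is not given in the post, so 192.168.1.0/24 is a constructed placeholder.

```python
"""Model IOS 'router rip' network statements and check a ping's forward and
return path. Added example for this thread, not the poster's config or Packet
Tracer output. 10.6.0.0/24 is the Po3 link from the post; 192.168.1.0/24 is a
constructed placeholder for Laptop0's VLAN 1 subnet, which the post does not give."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Device:
    name: str
    interfaces: dict                         # ifname -> IPv4Interface
    rip_networks: list                       # operands of 'network' under 'router rip'
    rib: dict = field(default_factory=dict)  # IPv4Network -> "connected" or next-hop IP


def classful(addr: str) -> ipaddress.IPv4Network:
    """IOS RIP 'network' is classful: the statement enables RIP on every interface
    inside the whole class A/B/C block, so 'network 10.6.0.0' means 10.0.0.0/8."""
    first_octet = int(addr.split(".")[0])
    plen = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def rip_interfaces(dev: Device) -> list:
    """Interfaces RIP runs on: those whose address falls inside some 'network' block."""
    blocks = [classful(n) for n in dev.rip_networks]
    return [i for i in dev.interfaces.values() if any(i.ip in b for b in blocks)]


def converge(devices: list) -> None:
    """One RIP update cycle: neighbours that share a RIP-enabled subnet exchange the
    connected prefixes of their RIP-enabled interfaces. Auto-summary and multi-hop
    propagation are ignored; one hop is all this two-router topology needs."""
    for d in devices:
        d.rib = {i.network: "connected" for i in d.interfaces.values()}
    for rx in devices:
        for tx in devices:
            if rx is tx:
                continue
            shared = [(a, b) for a in rip_interfaces(rx) for b in rip_interfaces(tx)
                      if a.network == b.network]
            for _, tx_if in shared:
                for pfx in (i.network for i in rip_interfaces(tx)):
                    rx.rib.setdefault(pfx, tx_if.ip)


def lookup(dev: Device, ip: str):
    """Longest-prefix match against the device's RIB; None means 'no route'."""
    addr = ipaddress.ip_address(ip)
    matches = [p for p in dev.rib if addr in p]
    return max(matches, key=lambda p: p.prefixlen) if matches else None


def ping_path(devices: list, gateway: Device, src_ip: str, dst_ip: str):
    """(forward_ok, return_ok): can the host's gateway route to the target, and can
    the device owning the target address route back to the host's subnet?"""
    forward_ok = lookup(gateway, dst_ip) is not None
    target = next((d for d in devices
                   if any(str(i.ip) == dst_ip for i in d.interfaces.values())), None)
    return_ok = target is not None and lookup(target, src_ip) is not None
    return forward_ok, return_ok


def scenario(central_rip_networks: list):
    """Build CENTRAL and ROUTER as posted and test Laptop0 -> ROUTER's Po3 address."""
    central = Device("CENTRAL",
                     {"Port-channel3": ipaddress.ip_interface("10.6.0.1/24"),
                      "Vlan1": ipaddress.ip_interface("192.168.1.1/24")},  # placeholder
                     central_rip_networks)
    router = Device("ROUTER",
                    {"Port-channel3": ipaddress.ip_interface("10.6.0.2/24")},
                    ["10.6.0.0"])
    devices = [central, router]
    converge(devices)
    laptop0 = "192.168.1.10"   # constructed host on VLAN 1, default gateway CENTRAL
    return ping_path(devices, central, laptop0, "10.6.0.2")


if __name__ == "__main__":
    print("as posted:", scenario(["10.6.0.0"]))                  # (True, False)
    print("with fix :", scenario(["10.6.0.0", "192.168.1.0"]))   # (True, True)
```

Because the statement is classful, a VLAN 1 subnet inside 10.0.0.0/8 would already have been covered by network 10.6.0.0; any other major network needs its own network statement on CENTRAL.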
Finding Comparisons on Networking players
I'm not a native English speaker so there may be some writing mistakes.
I've recently started an internship in sales for a Cisco partner that sells R&S, Security and Collaboration solutions, with a focus on Collab.
It is really important for us to have specific technical arguments for customers about how Cisco is better than the competitors (Huawei, HP, Unify, etc.) on specific products.
Example: What are the competitors of the Cisco 2960X?
We have:
- HP 2920-48G-PoE+
- HP 5120-48G-PoE+ EI
- and others...
And why is Cisco better comparatively?
So do any of you have some sources of research? It's really hard to find comparisons.
Thanks in advance
Anyone have experience tracking down google search botnet infected machines?
We've been IP banned by google for suspicious traffic and I've been digging through xlate tables and packet captures looking for any sign of an infected machine but have found nothing useful. Does anyone have experience tracking down this crap? Google of course offers absolutely 0 information or assistance.
BGP noob question
I am a bit confused on the relationship between AS numbers and IP blocks.
I have an AS from ARIN and we lease a /24 from one of our ISPs. We use this AS to peer with two ISPs at our datacenter and we advertise that /24 to each.
We are now opening a new office, getting a new /24, and peering with two ISPs.
We only want to advertise the new /24 at this office and only advertise the other /24 at the datacenter. Can I use my same ASN at both locations?
Remote VPN Solution recommendation?
I have a potential project to design a Remote VPN solution for a 2500-user organization. I do not know the MAX # of concurrent VPN users yet but seems to be around 1000 range. The organization is using 1Gbps Internet.
I am familiar with Cisco AnyConnect. But I still want to check here to see if there is any better solution to handle a large number of VPN user sessions, something like a distributed VPN solution?
Juniper EX4550 Q-in-Q issues
Hi all
I have a pair of EX4550s that I am having some real issues with getting Q-in-Q tagging working.
The EX4550s have a virtual cross connect to another datacenter that is delivered over a trunk port. The other end is plugged into an MX where the outer VLAN tag is popped for inbound traffic/pushed for outbound traffic and the VLANs are then bridged to a QFX. The MX/QFX end looks like it is working fine; the interface counters on the MX show that traffic is leaving and I can see the inbound counters going up on the EX4550 at the same rate.
My issue is I have no reachability between the two datacenters; I can't ping anything, as an example. When I check the counters on the EX I can see that nothing is being sent out the interface to the virtual cross connect, it is only receiving.
It doesn't look like I can pop the VLAN tag like I can on the MX either, which is a pain. If I just set up a L3 interface on both ends and use the link with a single normal VLAN tag it works fine. The EX is running an old version of JunOS, 12.3R6. The painful part is I only need this working for a couple of weeks to move a bunch of VMs and the EX side will be decommissioned.
I am wondering if anyone has seen the same behaviour with the EXs and Q-in-Q where the outbound interface counter seems to show 0 traffic. I have checked the MTU and tried a lot of different combos of config options with no luck :(
Plastic/rubber device to hold position of cables when replacing switch
Some time back I saw where somebody posted a link (don't remember where) to a plastic or rubber device that was used to maintain the position of network cables in a switch. You would clip in each cable into the device, unplug the cables, replace the switch, and then you could easily reconnect all the cables to the original position, without worrying about having to label all the cables. I thought I had saved this somewhere, but am unable to find it, and I have been unable to find such a thing in my searches. Does anybody recognize what I am talking about and have a link to where I can buy this?
Port-Security Tripping Intra-VLAN Across Multiple Switches (Resolved)
A few months ago, I made a few posts on the Monday and Wednesday threads about a weird issue we had been experiencing. Since I had received a lot of different opinions and it seemed to be a pretty niche issue, I thought I'd post an update.
Basically, PCs were randomly spoofing the MAC address of other machines on the same VLAN, regardless of location and switch. This would occur at different times of day, and sometimes not occur at all for days at a time. The initial response was that it was a loop, but that was ruled out. No updates, no new apps, nothing pushed.
Packet captures didn't really show much: a few (non-reproducible) gratuitous ARPs that didn't make any sense, a few DNS queries that didn't exist, etc. I eventually narrowed it down to most PCs having this issue only through power state changes, but PC event logs showed absolutely nothing.
Since I was blamed for the issue ("since port security is tripping, it has to be a network issue"), I went back and forth with Cisco for 3 months and, thankfully, they helped out immensely.
Turns out, SCCM has a setting called Wake Up Proxy that will make a machine on a VLAN a "manager" for machines going through power state changes, where it will spoof their MAC address in order to keep them alive on the CAM table. Blog here and Cisco thread here.
Now I guess we just have to have a working change control process, hmm...
Basic Networking Setup for Classrooms
I have estimated about 568 Ethernet jacks for the main floor of classrooms. How many subnets and subnet mask do you guys recommend? How many routers and switches would be sufficient for this floor?
Thank you.
Sharing IPv6 routes over MPLS (Juniper to Cisco)
I've run into a problem with sharing IPv6 over an MPLS network when doing it from Cisco to Juniper.
I've set up a test VRF on multiple Cisco routers and a Juniper. The Cisco routers see all IPv6 addresses for the test VRF (TestIPV6) from each Cisco and I can ping between them if it comes from another Cisco router with the TestIPV6 VRF.
I can also see the routes advertised from the Juniper but cannot ping to them.
When looking on the Juniper itself I don't see any of the IPv6 routes from the other Cisco routers active in the table. For some reason they are showing as unusable but I'm not sure why.
I've put the output of 'show route table TestIPV6.inet hidden extensive' on pastebin below:
All IPv4 is fine. It's just IPv6. They are shared via route reflectors and the route reflectors do see all the routes.
I'm sure I've got the correct details for the BGP neighbour so I'm not sure what I'm missing:
set protocols bgp group internal ..... family inet unicast
set protocols bgp group internal ..... family inet-vpn unicast
set protocols bgp group internal ..... family inet6 labeled-unicast explicit-null
set protocols bgp group internal ..... family inet6-vpn unicast
Any help or pointers would be much appreciated.
Thanks
Blogpost Friday!
It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.
Feel free to submit your blog post, as well as a nice description, to this thread.
Outgoing call restriction on cisco devices?
I am here once again seeking the wisdom of networking veterans.
I want to restrict outgoing calls matching a certain pattern, let's say block outgoing calls to all numbers starting with 12.
I did some digging and found out this could be done with after-hours call blocking; however, I want to enable the block permanently.
Any help would be appreciated as this might really give me a boost in my internship (even though it might be a really small thing for most of you).
Thursday, January 11, 2018
Quick question for Juniper expert.
How to view and change the configured static IP address for an interface on a Juniper SRX240H2 HA Pair via Web Device Manager? Really really new to Juniper stuff (trying to migrate configuration to Cisco FTD)...
What is your next move? What are you currently studying or want to get ahead of the curve with?
Hey Bros,
Long time lurker, rare poster. However, I know there are a lot of really intelligent and informed people here. I'm asking this question because I have experienced something a lot of you have. Our IT has been outsourced at my company. While I am still thankful and grateful I have a job, I just feel like things are changing a bit.
I am sort of mid level on the pure routing and switching stuff; I do site builds and such and plenty of troubleshooting. I'm somewhat senior with the Cisco Collab stuff (Cisco guy). However, I feel like more companies may make moves like this, and they don't like spending for IT, so we are gonna see more stuff as a service.
I wanted to go a bit further with R&S; however, I do not know if I should just continue with collab. Honestly I have been looking at cloud too, so I was thinking of digging in with AWS and starting to get more comfortable with Python.
How are you guys keeping up with how fast things seem to be changing (at least for me)? I've been told pretty much to double down and go deeper into collab as more money will be there.
What are your plans? Where do you see things going?
Question - SR and LR transceivers at the same time?
I have two SR and LR SFP+ transceiver modules. I have a dual port card. I have a project that needs to be up ASAP. I understand that the LR is meant for much longer distance, but because of time constraints this is what I have to work with to close this ticket.
Can I use both modules in the card at the same time? My gut check says "No you dummy!" but I'm not sure why.
Speed test @ rates > 1Gb/s?
So iPerf is the go-to performance test. It’s really easy at rates <=1Gb, but beyond that, it becomes a bit of a challenge... I can’t just pull out my laptop and test it as my laptop only has a 1Gb NIC.
Ultimately I am looking at building a pair of servers with 10Gb NICs to test rates across a few Ethernet circuits - as we don’t appear to be getting the rates we pay for.
Any suggestions or alternatives? I am thinking a system based around the Xeon D-1518 may be an inexpensive option.
Documenting subnets
I have been using Confluence to document our various subnets and static IP assignments. This is becoming tedious and I was looking around for a better solution. I have used RackTables before but got a bit lost on how to use it, mainly because we use a /16 and divide that up into different areas (I know, it was inherited and is on the cards to fix later) and I couldn't find an easy way to handle it. Is there anything else out there like RackTables that's just for IP subnet documentation, or should I stick with RackTables?
NGFW management - ideas
We are looking at the deployment of Fortinet NGFW devices with all the bells and whistles (application visibility, IPS, malware, antivirus, cloud sandboxing, URL filtering, etc).
Currently we are a network shop and we used to manage standard Cisco, Checkpoint and Fortinet FWs. We mainly use a management platform and a syslog collector (not a SIEM) for troubleshooting.
Based on your experience, what other management systems should we deploy? SIEM? Reporting tool?
Scripting Question - show output from multiple devices
Hey guys,
I'm working on doing some inventory and grabbing some basic data from about 75 switches / routers. I'm wondering if anyone had a python/ansible script that can login to multiple devices and log a decently formatted output. I'm fairly new to scripting, so any documented code is appreciated as well.
I'm looking to grab things like uptime, model number, and IPs for interfaces. I've seen a few examples online for just single devices, but I'd like to be able to batch report about 75 devices if possible.
Thanks in advance!
IPV6 public ips
Curious how many of you have implemented IPv6 at least on the outside. We may eventually get our public IPs from ARIN but I'm not sure if I can get any IPv4 addresses. I'm curious about the design. If you had public IPv6, did you leave your internal network as IPv4 and let your firewall handle the 4to6 NAT translations?
uccx - Android/jabber call mgr question
Got a user that installed Jabber on his Android phone. Outbound calls work fine but he doesn't get any incoming. He also logs into Agent Desktop with the same extension. I'm wondering if it's because he's logging into Agent Desktop?
Automate security inventory?
I have to check every Cisco switch in the organization to see if it has radius authentication. I already have the list of IPs.
Is there a way to automate this task?
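For both the inventory post above (uptime, model, interface IPs across ~75 devices) and this RADIUS check, the part worth getting right is the parsing and the compliance rule, which can be tested offline. Added example, not code from either post; it assumes the `show version` and `show running-config` output has already been captured per switch (a netmiko or ansible collection step that is not shown), and all sample output is constructed.

```python
"""Offline inventory and RADIUS-login audit over saved Cisco IOS CLI output.

Added example, not code from the original posts. It assumes 'show version' and
'show running-config' have already been captured per switch (a netmiko or
ansible collection step, not shown); parsing and checks are kept separate so
they run offline. All sample output below is constructed."""
import re
from dataclasses import dataclass, field

UPTIME_RE = re.compile(r"^(?P<host>\S+) uptime is (?P<uptime>.+)$", re.M)
MODEL_RE = re.compile(r"^Model [Nn]umber\s*:\s*(?P<model>\S+)", re.M)


@dataclass
class DeviceReport:
    hostname: str
    model: str
    uptime: str
    interface_ips: dict = field(default_factory=dict)
    radius_login: bool = False
    findings: list = field(default_factory=list)


def parse_show_version(text):
    """Hostname, model and uptime from 'show version' (IOS 12.x/15.x layout)."""
    up, model = UPTIME_RE.search(text), MODEL_RE.search(text)
    return (up.group("host") if up else "?",
            model.group("model") if model else "?",
            up.group("uptime") if up else "?")


def parse_interface_ips(config):
    """Map interface name -> 'address mask' for every statically addressed interface."""
    ips, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif current and line.startswith(" ip address ") and "dhcp" not in line:
            _, _, addr, mask = line.split()[:4]
            ips[current] = f"{addr} {mask}"
        elif line and not line.startswith(" "):
            current = None  # any other top-level command ends the interface stanza
    return ips


def audit_radius_login(config):
    """Return (ok, findings). ok only when AAA is on, the default login method
    list starts with a RADIUS group, and a RADIUS server is actually defined.
    'local' as a fallback after RADIUS is fine; 'local' alone is not."""
    findings = []
    if not re.search(r"^aaa new-model$", config, re.M):
        findings.append("aaa new-model missing: only line/enable passwords protect login")
    login = re.search(r"^aaa authentication login default (.+)$", config, re.M)
    methods = login.group(1).split() if login else []
    named_groups = re.findall(r"^aaa group server radius (\S+)", config, re.M)
    if not methods:
        findings.append("no 'aaa authentication login default' method list")
    elif not (methods[:1] == ["group"] and len(methods) > 1
              and (methods[1] == "radius" or methods[1] in named_groups)):
        findings.append(f"login method list does not start with RADIUS: {' '.join(methods)}")
    if not re.search(r"^radius(-server host| server) \S+", config, re.M):
        findings.append("no RADIUS server defined")
    return not findings, findings


def build_reports(captures):
    """captures: iterable of (show_version_text, running_config_text) per device."""
    reports = []
    for version_out, config in captures:
        host, model, uptime = parse_show_version(version_out)
        ok, findings = audit_radius_login(config)
        reports.append(DeviceReport(host, model, uptime, parse_interface_ips(config), ok, findings))
    return reports


def format_table(reports):
    rows = [f"{'hostname':<12}{'model':<20}{'radius':<8}uptime / findings"]
    for r in reports:
        tail = "; ".join(r.findings) if r.findings else r.uptime  # non-compliant: show why
        rows.append(f"{r.hostname:<12}{r.model:<20}{('yes' if r.radius_login else 'NO'):<8}{tail}")
    return "\n".join(rows)


# Constructed samples: one compliant switch, one with no AAA, one with AAA but local-only login.
SAMPLE_CAPTURES = [
    ("Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(55)SE\n"
     "sw-core-1 uptime is 1 year, 12 weeks, 3 days, 4 hours, 19 minutes\n"
     "Model number                    : WS-C3750G-24TS-1U\n",
     "hostname sw-core-1\naaa new-model\naaa authentication login default group radius local\n"
     "radius-server host 10.1.1.50 auth-port 1812 acct-port 1813 key 7 PLACEHOLDER\n"
     "interface Vlan1\n ip address 10.1.1.2 255.255.255.0\n"
     "interface GigabitEthernet1/0/1\n switchport mode access\nline vty 0 4\n transport input ssh\n"),
    ("sw-access-2 uptime is 3 weeks, 2 days, 1 hour, 5 minutes\n"
     "Model number                    : WS-C2960-24TT-L\n",
     "hostname sw-access-2\nno aaa new-model\ninterface Vlan1\n ip address 10.1.1.3 255.255.255.0\n"
     "line vty 0 4\n password 7 PLACEHOLDER\n login\n"),
    ("sw-access-3 uptime is 5 days, 2 hours, 40 minutes\n"
     "Model number                    : WS-C2960-24TT-L\n",
     "hostname sw-access-3\naaa new-model\naaa authentication login default local\n"
     "radius-server host 10.1.1.50 auth-port 1812 acct-port 1813 key 7 PLACEHOLDER\n"
     "interface Vlan1\n ip address 10.1.1.4 255.255.255.0\n"),
]

if __name__ == "__main__":
    print(format_table(build_reports(SAMPLE_CAPTURES)))
```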
How can I bring internet to a desert ?
I live in Egypt and recently I was sent to a place where there is no network coverage of any kind. There are a lot of mountains there. The closest place that has a connection is 100 km away. The people there could really use it. I remember I read about an MIT guy who could make a router that can cover 50 kilometers or something like that. (Not sure.) So what if I brought a couple of those routers and connected them together?! Or what do you suggest?
Multi-homed BGP on Spectrum Business Cable?
Anyone know anything about Spectrum (Time Warner Cable) Business Internet connections? I'm trying to order service for my homelab. If I order two 100x10 Mbps connections can I play with things like multi-homed BGP? My end use case would be to buy or rent a class C block and use it for an OpenStack floating IP pool. I intend to run OpenContrail with OpenStack and Juniper's vMX for the edge routers.
Also, if I order a block of static IP addresses with one connection, can I share the IPs between the two connections, or is the cable modem subnetted differently for each connection?
Routing guest VLAN requests to your internal servers the correct way
I have 2 VLANs, one for staff and one for guests. I tell staff to connect their phones etc. to the guest network. The DNS on staff is our internal domain controllers, everything works fine, the email server mail.consoto.com resolves to the internal IP and all is well. However if people connect to the other network, I have Google DNS set up for the guest network, mail.consoto.com will resolve to the external IP of the mail server, however it will not route traffic to that IP. I checked firewall logs and can't see anything, so this leads me to think I need a static route of some kind to tell the firewall to route requests from guest correctly? Everything else on the guest network works fine, it's just used for internet access. Any pointers would be great guys!
ISP forcing Port Forwarding
Hi Guys,
Our main site is running a 100Mb link, we have 30 remote sites (and more within the next year) all running DSL with Site to Site VPN split tunnel. All the sites are DSL 8 or 16Mb (yes 1Mb upload speed). Our provider is deploying fiber to all locations - with a catch: speeds under 50Mb will not be given a public IP. We were planning to install 10 or 20Mb fiber links at remote locations.
With traditional DSL we used to get a block of 8, but now the ISP is forcing us either to upgrade to >50Mb (which is not needed, and more $$) or they will port forward whatever ports to an internal IP for us to have management and VPN access. I assume they want to port forward since they are probably running out of IPs.
I believe the ISP is taking a step backwards and it will make troubleshooting and maintaining our links a headache.
We are based in Caribbean and unfortunately we cannot switch ISP.
What's your take on this?
Quick dumb question about Cisco switch stacking
I'm throwing together a home lab from some decommed 3750G switches. Apparently one of them was part of a stack, because even though I've blasted out the config, the command show switch outputs the following:
                                             H/W   Current
Switch#  Role   Mac Address     Priority Version  State
----------------------------------------------------------
*4       Master 1c17.d326.1200  1        0        Ready
What needs to be done to completely reset the switch numbering?
Edit: the command no switch 4 provision returns the error: %Switch can not be un-provisioned when it is physically present
NetFlow Network Overhead?
I know the real answer is "It Depends", but how do you answer someone that wants an estimate of the potential overhead when enabling NetFlow? For example, if you enable NetFlow on all ports attached to a vmware VDS switch. Assuming typical corporate workloads, what do you tell a client to expect in network overhead? Is the best answer 2% to 3% on top of the current interface load?
Tips and advice for managing Satellite Connections
Currently have multiple sites with high latency + low bandwidth connection connected back to the head office via a colo router where the VPN terminates.
Very few sites have wan accelerators.
I'm looking into optimizing these connections but need to have a strategy that isn't cost prohibitive.
Common protocols are SMB2, MAPI, HTTP + HTTPS, AD Services - your standard windows AD environment.
Optimizations I've considered:
1) I've been reading that Server 2012 and up and Windows 8.1 and up have TCP windowing optimizations that may help
2) HTTP based front end for the SMB file servers
3) Lower cost WAN optimizers such as WANOS
4) Reducing AD replication bandwidth
5) Using RDP services or Citrix for web browsing
I'd love to hear your suggestions!
Help with multi-tenant environments
Hey r/networking,
I'm a fairly experienced network engineer when it comes to enterprise level environments - but something that I've never touched is ISP type networks, with high multi-tenant traffic/structure. That changed today. My manager sat me down and wants to add another branch to our datacenter, with multi-tenant capabilities.
I come to you seeking all of the knowledge from those here who are familiar with multi-tenant environments. I tried looking online for some basic diagrams, but everything I look at is like CCIE-level drawings, and it makes my head hurt. Plus, we aren't going to need something THAT complicated.
From what I know so far about what we want to do:
We will be hosting a 'services' network, which will be a simple /24 public IP space. Each of our clients will drop a single mode fiber cross-connect in our cage. This 'Services' network is the unique network that we will be advertising to them via BGP.
As far as client connectivity, each of their cross-connects will be a /30 network, which is provided by us. Then, from my experience, we also give them another internal range, like a /28 or something. This is the range that they will source NAT their internal range(s) to. Then, this /28 range will be advertised by them back to us.
Am I on the right track with that so far? Can someone help me out with where or IF VRFs will need to be implemented? I understand the whole keeping the clients separate, but couldn't I just ensure that by filtering the BGP routes I send to each client? This way the clients would ONLY be advertised the 'services' route, not other client networks.
Can someone with experience in this give me a general idea of what the topology would look like? I assume that a massive layer three switch(s) would do the trick?
Any help at all is so appreciated. Especially any diagram mock ups or hell, even some configs (Cisco). I'm kind of over my head with this.
How to combat Double NAT issues as a carrier?
For some time I have been trying to look into how a carrier can combat issues regarding Double NAT. The issue I see is with carriers starting up CGN without really helping subscribers (or in some cases even informing them). Most articles online are for the subscriber and what they can do, but what can the carrier do to help them?
So far this is what I have found as a way around Double NAT:
Buying a VPS and funneling traffic through a VPN
Selling public IP addresses
Allowing subscribers to take multiple IPs and allow port forwarding
Sell Public IPs
This seems terribly restrictive and difficult to implement. Are these really the only options available? Most of these also require the subscriber to buy a service or rely on their ISP to not switch to CGN. Does anyone have any ideas about what can be done to help a carrier help its subscribers?
WLC active directory integration
Just curious these days how everyone is handling Active Directory integration for their wireless network: RADIUS, ACS or ISE? I'm leaning towards RADIUS since we only have one ACS VM.
Sonicwall VPN DHCP
I can't seem to get the DHCP server on one Sonicwall to hand out an address WITH a default gateway. The domain name even comes over but not the gateway. I have another Sonicwall with the same setup and it works fine. Not sure what I could be missing.
Question about my attempt to get bonded VDSL
Hi there,
I've contacted a certain ISP in my area and they said they don't support bonded VDSL (MLPPP) because of their infrastructure (I mentioned I have my own Mikrotik gear that's compatible). I know for a fact that they use PPPoE, just like most if not all ISPs in my country. However, they use the infrastructure owned by another provider (I'm using this one at the moment -- they also don't support MLPPP).
Do they really not support MLPPP though? As far as I know it's fairly simple to configure. If it's just a bureaucracy issue I can always insist and perhaps try to find someone that works there. The reason I want to switch to this ISP is because they offer a static IP for a tenth of the price my current ISP asks for.
Thanks
Safest place to buy refurbished switches? xbyte, servermonkey, etc?
I'm looking to buy several Dell N3000 switches to replace older models. We already have some N3000's, so that's why I'm going with them. We have a Dell VAR and in the past, we've gone through him, but that stuff is EXPENSIVE.
I've purchased servers from ServerMonkey.com and haven't had any issues with them. I bought one N3024P from xByte.com a few weeks ago and it seems to be pretty good.
That being said, I am wondering how risky it is buying refurb from this place or that. Both xByte and ServerMonkey seem like trustworthy places to buy used hardware from, but I really don't have any idea. The refurb switch I bought off xByte came from Japan and it was something like 4 years old. I don't mind that, as long as it's in good working shape.
Thoughts? Suggestions?
Sonicwall and DNS Conditional forwarding...
We use a SonicWall NSA series for our firewall (and only for firewalling). On the SonicWall, we use the GEO IP portion and block China (because reasons above my pay grade).
We're using the All Connections for the GEO IP filter, so basically there is no way to add exclusions for websites to the SonicWall unless we use Firewall Based exclusions (not yet been discussed, but will be).
So another member of our team brought to my attention that DNS Conditional Forwarding was being used to get around this. Tested and it auto-magically works.
A) How does the GEO IP filter work on the SonicWall? Is it only DNS and reverse DNS? Is it blocking the actual IP from those countries? B) If all traffic out to the net traverses this firewall, how does DNS conditional forwarding get around this? I see we use Google to resolve the domains of concern, but I would think this would only work if our AD DNS was pointed to the SonicWall, which I'm told it's not.
Please excuse my lack of knowledge on this specific topic.
Rule base optimisation - the best way?
Hey Guys,
In your opinion, what is the best way to optimise your firewall rule base? We've recently had a few customer opportunities come in looking for this service. Not necessarily to make the policy more or less permissive by reviewing business applications and their needed traffic flows and tightening the security posture that way, but more the act of removing duplicate or shadowed rules, reviewing contradicting rules and which needs to take precedence, collating/collapsing same source/destination/service rules in to less rules, removing unused rules, and so on. Anything that makes it easier to view and manage. Security posture may be looked at once it's tidied IMO.
Any reliable multi-vendor automation tools that can help out here?
Cheers!
Some basic questions about Nexus QoS
Sorry if these questions are stupid... but I did put forth some effort on my part. I read the Cisco Nexus 9000 Series NX-OS Quality of Service Configuration Guide, Release 7.x (read every chapter). But a few things are still very murky.
For starters, nearly all the configuration examples in that guide use 'match cos' in the class-maps.
The network I'm working on uses a DSCP-based QoS configuration everywhere.
I've tried the config examples in the guide and with match cos in the class-maps, nothing hits and everything is best effort. When I write a class-map strictly matching dscp value, then I start getting hits and stuff is queuing properly.
My question is: isn't there some way that I can automatically map DSCP values to a COS value, so I can write the more simple short-form QoS configs as featured prominently in the guide?
Is this what the table-map is for? And if so, is there any really hand-holdy ELI5-type guide to using them properly?
My next question is, can anyone explain to me priority-flow-control and what it actually does, because it looks like black magic to me. When I read about PFC, it seems like the two servers are the ones sending the pause and resume frames, so why does the switch even care? What does the switch actually do when I configure this?
Thanks for any help, sorry about the noob questions.
EDIT: Guess I have a 3rd question also. I understand that I have to do TCAM Carving to do what I'm wanting to do. But how do I know which TCAM region to steal from?? You have to steal in big increments, it seems very tricky.
A Curiosity Regarding Network Traffic and DNS
I sometimes use a basic system monitor which has the ability to display a networking graph and subsequent upload/download. Testing without javascript enabled, I open a website and wait for it to load. I notice that, even long after the website completely loads all of its content, there are always some small bits of data (usually in the byte and kilobytes range) that are sent and received for the remainder of the DNS request before it expires (the amount varies depending on the website and usually spikes right before the DNS request expires).
So I'm curious, what are these small bits of data that are being sent and received as it relates to networking/DNS in general?
I want to learn Carrier Ethernet, where do I start?
I've been googling a lot and found a lot of material, but I just can't get what the starting point is. I just feel so overwhelmed by the amount of the information and can't focus, every sentence seems to contain something I don't understand. Could you guys give me a direction?
PS. I'm at about CCNP level, so I know networks in general.
DHCP Provider to Static Network - Possible?
Hi,
I'm not sure if this is a basic question but my networking knowledge is nothing but primitive.
Is it possible to set-up a network wherein the internet provider is using Dynamic/DHCP while my office network (via a router) would be set-up using Static IP?
Basically, with the following topology:
Modem (DHCP) ----LAN CABLE---> Router (Static) ---LAN CABLE--> PC (Static IP)
Unfortunately, one of the critical pieces of software we are currently using needs to be set up with Static IP credentials. The ISP just confirmed that they are unable to provide a Static IP service to us even at additional cost.
Thanks!
Wednesday, January 10, 2018
DHCP Relay/Helper to remote site over WAN
I want to issue DHCP leases from a windows server to a remote site over our WAN connection. We lease a lit fiber connection from our local ISP and are not able to pass VLAN tags across it. Is this configuration possible using HP 2920-24G as the Layer 3 devices at each site?
When I set it up as shown in the diagram, clients at site A received a lease as expected, but clients at Site B did not. When assigned a static IP clients at site B were able to ping the DHCP server.
Help with preparation for exam. Subnetting
Hey, I found an example of what should be in the exam and I don't really know how to do this correctly. Divide the network 69.20.0.0/14 into the 7 largest subnets of the same size.
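The procedure behind this kind of exam question is: round the requested count up to the next power of two, borrow that many bits, and leave any leftover blocks spare. Added example, not from the original post; it uses Python's standard ipaddress module and generalises to any count that fits the block.

```python
"""Split a network into the N largest equal-size subnets.

Added example, not from the original post. For N that is not a power of two
the block is cut into the next power of two, the first N are used and the
remaining blocks are reported as spare."""
import ipaddress
import math


def largest_equal_subnets(network, count):
    """Return (used, spare): the first `count` subnets and the leftover ones."""
    net = ipaddress.ip_network(network, strict=True)
    if count < 1:
        raise ValueError("need at least one subnet")
    borrowed_bits = math.ceil(math.log2(count))     # 7 subnets -> 3 bits -> 8 blocks
    new_prefix = net.prefixlen + borrowed_bits
    if new_prefix > net.max_prefixlen:
        raise ValueError(f"{network} cannot be split into {count} subnets")
    subnets = list(net.subnets(new_prefix=new_prefix))
    return subnets[:count], subnets[count:]


def describe(network, count):
    """Exam-style answer: new prefix, mask, usable hosts, and the subnet list."""
    used, spare = largest_equal_subnets(network, count)
    first = used[0]
    return {
        "prefix": first.prefixlen,
        "mask": str(first.netmask),
        "hosts_per_subnet": first.num_addresses - 2,   # minus network and broadcast
        "used": [str(s) for s in used],
        "spare": [str(s) for s in spare],
    }


if __name__ == "__main__":
    answer = describe("69.20.0.0/14", 7)
    print(f"/{answer['prefix']} ({answer['mask']}), {answer['hosts_per_subnet']} hosts each")
    for s in answer["used"]:
        print(" ", s)
    print("spare:", ", ".join(answer["spare"]))
```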
SAP/HANA deployments - anyone with experience?
Crossposting from /r/sysadmin in case anyone can suggest a network related reason which may be the cause of the recommendation.
Learned colleagues.
My company has chosen to deploy an ERP using SAP/HANA (I know, don't go there).
The consultants involved are insisting that we have to do a thin client deployment for office users because of the "nature of the ODBC connections used, and not being supported on a WAN".
Some information about our "WAN". Our offices, while geographically diverse, are all linked via redundant direct fiber to our core DC (where the hardware, including any RDP instance for SAP, is going to reside). A minimum of 10 gig of bandwidth is available (LACP used for redundancy) on a switched network - pings and data traffic can hit the DC with sub-1ms RTTs - the DC is effectively just another local segment.
Can anyone provide some insight into why these people are saying there's going to be a noticeable difference in performance between using a Citrix/RDS solution and a client on a workstation in the office?
Thanks to anyone who can shed some light on why this may be so.
Enabling SNMP trap notifications on N5K-C5672UP
So I am new to working with these. On all of my other switches, these are enabled by default. I have tried playing with the commands some and looking at it through the Cisco website but I think I am missing something here, hoping you all can help!
I am just connected to the console interface, no ethernet connections. Basically what I want to happen is to be notified when a transceiver is plugged in/removed, if it is unsupported, if the link goes up/down.
I have tried entering the commands I would think would do it such as :
snmp-server enable traps entity entity_unrecognised_module
But even that line does not show up in my running-config. Any advice for a newbie?
Anything similar to sh cdp neighbor on HP switches?
Took over an assignment for a network engineer that left and didn't leave much detail on the data center layout for beta equipment. A ton of daisy chaining going on, vlsm with default gateways placed on random switches throughout the DC for the private networks, ton of switches with no labels or hostnames configured, and since the company split another team owns access to the cage with the patch panels so physically tracing links will be time consuming with requesting access and what not. Is there something similar to sh cdp neighbor on HP switches that will at least tell me what port connects to another switch?
Thanks.
Help with my logical network diagram?
This is a small section of my logical network diagram.
My question is, is the ADSL in a good place? Or does having it there make no sense? (Yes there is a telephone system)
Can the ADSL connect to the router and carry an internet connection to the router whilst not disrupting the connection and doing the normal job of an ADSL? Or does it need moving?
Logging VPN connections on an ASA (Radius authentication)
I am trying to figure out the best way to log user vpn connections to our ASA. I have set up a Graylog server (very new to Graylog) with the intention of using this, but am having trouble filtering for just these connections (really the only thing currently of interest). Authentication is happening via RADIUS (NPS Windows Server 2012) and I've considered this as another avenue for tracking logins and outs.
The parts that are making this a little more confusing are that we have a site to site VPN connection that is also IPSEC and we also use the same RADIUS server to authenticate our BYOD network, so there are more events than I can sift through by hand to find the correct IDs. I'm just not sure which events I should be filtering for or how to go about this, either with the logs directly from Windows Server NPS or from Graylog.
Edit:
And just as a note, I've found the logs for NPS but the files are a pain to open and parse / search (but I CAN find the info I need), unless someone has a better solution for that as well.
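One way to cut the remote-access logins out of the ASA syslog noise is to key on just the session-lifecycle message IDs and correlate them per user and source address, which is also what you would filter on in Graylog. Added example, not code from the original post: the message IDs 113039, 722051 and 113019 are real ASA syslog IDs, but the exact line layouts, hostnames, users and addresses below are constructed samples, so compare the regexes against a few real lines from your own ASA first.

```python
"""Extract remote-access VPN login/logout sessions from ASA syslog.

Added example, not from the original post. Uses three real ASA syslog IDs:
113039 (AnyConnect session started), 722051 (address assigned to session)
and 113019 (session disconnected). Line layouts and all names/addresses
below are constructed samples; verify the regexes against real lines."""
import re

TS_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d)")
PATTERNS = {
    "start": re.compile(r"%ASA-\d-113039: Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> "
                        r"IP <(?P<ip>[^>]+)>"),
    "assign": re.compile(r"%ASA-\d-722051: Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> "
                         r"IP <(?P<ip>[^>]+)> IPv4 Address <(?P<vpn_ip>[^>]+)>"),
    "end": re.compile(r"%ASA-\d-113019: Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), "
                      r"IP = (?P<ip>[^,]+), Session disconnected\. Session Type: (?P<stype>[^,]+), "
                      r"Duration: (?P<duration>[^,]+),.*Reason: (?P<reason>.+?)\.?$"),
}


def extract_vpn_events(lines):
    """Keep only the remote-access session events; site-to-site SA churn (6023xx),
    connection build/teardown (3020xx) and everything else is dropped."""
    events = []
    for line in lines:
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                ts = TS_RE.match(line)
                ev = {"kind": kind, "ts": ts.group("ts") if ts else None}
                ev.update(m.groupdict())
                events.append(ev)
                break
    return events


def build_sessions(events):
    """Correlate start/assign/end by (user, public IP) into one record per session.
    A record with logout=None is still open, or its logout was never logged."""
    sessions, open_by_key = [], {}
    for ev in events:
        key = (ev["user"], ev["ip"])
        if ev["kind"] == "start":
            s = {"user": ev["user"], "ip": ev["ip"], "group": ev["group"], "login": ev["ts"],
                 "logout": None, "vpn_ip": None, "duration": None, "reason": None}
            sessions.append(s)
            open_by_key[key] = s
            continue
        s = open_by_key.get(key)
        if s is None:  # assign/end without a logged start (e.g. log rotated): keep it anyway
            s = {"user": ev["user"], "ip": ev["ip"], "group": ev["group"], "login": None,
                 "logout": None, "vpn_ip": None, "duration": None, "reason": None}
            sessions.append(s)
            open_by_key[key] = s
        if ev["kind"] == "assign":
            s["vpn_ip"] = ev["vpn_ip"]
        else:
            s.update(logout=ev["ts"], duration=ev["duration"], reason=ev["reason"])
            open_by_key.pop(key, None)
    return sessions


# Constructed sample log: two AnyConnect users plus typical noise (a TCP connection build
# and a LAN-to-LAN SA message) that the filter must ignore.
SAMPLE_LOG = """\
Jan 10 2018 09:15:02 fw01 : %ASA-6-113039: Group <RA-Employees> User <alice> IP <198.51.100.23> AnyConnect parent session started.
Jan 10 2018 09:15:03 fw01 : %ASA-6-722051: Group <RA-Employees> User <alice> IP <198.51.100.23> IPv4 Address <10.99.0.5> IPv6 address <::> assigned to session
Jan 10 2018 09:15:04 fw01 : %ASA-6-302013: Built inbound TCP connection 884 for outside:198.51.100.23/51515 (198.51.100.23/51515) to inside:10.1.1.10/443 (10.1.1.10/443)
Jan 10 2018 09:16:00 fw01 : %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1A2B3C4D) between 203.0.113.1 and 203.0.113.2 (user= 203.0.113.2) has been created.
Jan 10 2018 09:20:11 fw01 : %ASA-6-113039: Group <RA-Employees> User <bob> IP <192.0.2.77> AnyConnect parent session started.
Jan 10 2018 09:20:12 fw01 : %ASA-6-722051: Group <RA-Employees> User <bob> IP <192.0.2.77> IPv4 Address <10.99.0.6> IPv6 address <::> assigned to session
Jan 10 2018 09:20:14 fw01 : %ASA-4-113019: Group = RA-Employees, Username = alice, IP = 198.51.100.23, Session disconnected. Session Type: SSL, Duration: 0h:05m:12s, Bytes xmt: 123456, Bytes rcv: 654321, Reason: User Requested
"""

if __name__ == "__main__":
    for s in build_sessions(extract_vpn_events(SAMPLE_LOG.splitlines())):
        state = f"logged out {s['logout']} ({s['duration']}, {s['reason']})" if s["logout"] else "still connected"
        print(f"{s['user']:<8} from {s['ip']:<15} got {s['vpn_ip']}  login {s['login']}  {state}")
```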
SDWAN Overhead
What are your thoughts on this article about SD-WAN overhead?
The author seems to be saying that SD-WAN has lots of overhead, 30% on average and up to 90% or higher in cases. Where is this tunnel overhead coming from? I understand VPN tunnels have a bit (few % I thought), but surely not 90%? Or is he just full of BS?
I'm guessing that I'm not totally grasping SD-WAN.. Here's my understanding, correct where wrong: it's a software application that auto-manages building VPN tunnels between sites as needed, monitors the tunnels for bandwidth, jitter, delay, etc., and routes traffic via the best route for the application (bulk traffic through the jittery high bandwidth tunnel, VOIP through the smooth low latency MPLS link).
occasional latency spikes on cisco wireless network
This is a new network, run on a 5508 controller using sw version 8.3.133. APs are 3802i. There are currently 22 APs connected to this controller. There are only 2 SSIDs broadcasting 5ghz and 1 that is 2.4 only.
This network is at an assisted living center. We use some devices for cardiac monitoring of residents. The devices stream data to a monitoring station, basically showing vital signs, etc. as a graph. Occasionally there is a small break in connectivity that causes gaps in the graph. This causes a problem that's too complicated to explain. I've traced the cause of the problem to a small latency spike on the wireless network. Typically we see 2-8ms latency, with the occasional spikes to 25-80ms. The devices use 802.11a, and when this happens they are generally connected at 54mb.
When this happens, all devices connected to a given AP see the spike at the same time. It doesn't happen on all APs at the same time. Sometimes it doesn't happen at all, sometimes the spikes occur every 5-7 seconds. The issue will happen on one AP for 10 minutes, and then another AP for 5 minutes, and then maybe back or off to another AP. Sometimes it's 2-3 APs at a time. RSSI at the device measured on the device and also with an android phone is -45 to -60db at the time this issue happens.
I'm trying to find any more advanced ways to troubleshoot exactly what is causing that latency spike on the AP - everything on the controller looks good, SNR is good, there are no obvious problems. At present the APs experiencing this only have 2-5 clients associated, most are idle or are streaming this graph data.
The APs are connected to a 3560x running older 12.2 software. Updating that is in the plans, but isn't going to be anytime soon due to downtime intolerance.
I see the latency spikes on A, AC, and AN connected devices. It's something happening on/to the AP itself periodically. I can see the latency spike when pinging the AP from the switch it's plugged into.
This problem does not occur when the same devices are connected to 1140 series or 2702 APs using older software (8.0 something) on a different 5508 controller using an identically configured SSID.
Does anyone have, or know of, any kind of advanced monitoring/troubleshooting tools for cisco APs? I realize that in the wireless world I'm splitting hairs here, as this performance would be considered excellent by most, but I think there's a specific cause for this issue, I just can't find it.
2x10G waves: LACP or ECMP?
We have to link two regional hubs (Ashburn/Dallas and Ashburn/Frankfurt). Wave is the go to tech here. I'd love 100G but it's out of our price range at this point. My first thought is to do LACP/LAG or ECMP on 2x10g waves to get more bandwidth but we've got 45 ms and 100 ms latency respectively here. Primary application is going to be bulk file transfer and source control. Is this viable? Would appreciate some criticism and feedback here!
Some Network Locations are no longer loading. Tried Everything! Please help!!
Tier 1 here getting thrown into the deep end. To avoid the fetal position I'm reaching out for help Reddit!
12/20 Network locations disappeared from my Network menu. My manager said this is an ongoing issue. Initially I could see all locations and workstations on the network, but for some reason most have disappeared. It's only happening to myself and the other IT person at our company. The weirdest thing is I can still find and access these network locations, but only after saving them to my quick access menu. I've taken the following steps...
Ensured Network Discovery and file sharing were enabled under the Private, Guest or Public and Domain tabs. Restarted workstation (INEFFECTIVE)
Tested with 3rd Party Firewall and Windows Firewall turned off (INEFFECTIVE)
Removed myself from Domain and re-added. (INEFFECTIVE)
Evaluated Services:
DNS Client is running
Function Discovery Resource Publication is running (set to automatic)
Ensured SSDP is running and set to automatic
Ensured UPnP is running and set to automatic
Restarted computer to allow Services to start at login (INEFFECTIVE)
Microsoft Forum suggested a bug appeared in the fall update causing this and gave CMD(Admin) commands to troubleshoot with:
Attempted Command Prompts as Admin:
flush DNS
ip reset and renew
netsh winsock reset
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi
sc.exe config mrxsmb20 start= disabled
Restart computer (INEFFECTIVE)
The net result of this was the Netlogon Service stopping and required a system restore from local user.
Need to re-evaluate where issue is coming from and why specific computers are losing specific network file locations.
Microsoft forum suggested turning Offline file Sync off in case the network locations were taking too long to load (INEFFECTIVE)
Evaluated whether Network Locations would load on other computers by logging into workstation SGC-108. Successfully loaded all network locations on another workstation when logged in with my profile. Does this show the issue is with the workstation with AD, or is it some other network setting I didn't look over?
Resetting the network for 2 computers isn't an option. PLEASE HELP!!!
ASA Routing Architecture
Does anyone know if there is a way to advertise a virtual HSRP address as a default route for an ASA? We're trying to replace this route, which currently is using the IP for the SVIs the firewall is connected to.
How to create own network within Captive Portal network
Hi everyone! I do not know if this post belongs here so correct me if it does not.
I moved into an apartment near my university and the complex has building internet access through Xfinity. Basically everybody gets a login account and they have to log in with their credentials and they gain internet access. My phone and laptop work fine with this but the problem occurs when I need to connect my smart light bulb or my Nest camera. I am not able to log in to the xfinity portal using these devices.
I would like to know if it is possible for me to get a router and log in to the captive portal and basically have my own SSID that I connect to?
Thank you in advance.
Same VLAN, different subnet masks?
I'm currently in the transition process of changing IP subnets on my network, to make room for more IP's... however, during this process, I want to ensure they're both able to 'talk' with each other, until the entire transition is complete. In a quick test, it seems to work fine, however I just want to bounce the idea, to see if any routing must be configured on the router to ensure 100% success.
IP subnet is 192.168.2.0/24
New IP subnet is 10.10.0.0/22
Both are on VLAN 10.... right now, they can ping each other and connect just fine... should I be OK with just leaving it as is?
Switch configuration is as follows:
(Note: 192.168.2.1 & 10.10.0.1 are configured on my firewall)
vlan 10
interface vlan 10
 ip address 192.168.2.2 255.255.255.0
 ip address 10.10.0.2 255.255.252.0 secondary
 exit
ip route 0.0.0.0 0.0.0.0 192.168.2.1
Recommendations for OOB mgmt
I currently work for a datacenter and need roughly 25 OOB consoles that will be scattered throughout 5 different states. I've looked at Opengear, which by far has the best presentation, but is wayyyy too much $$$.
Please let me know your experience with implementing OOB in a legacy environment. Thanks!
Req for recommendation: Issue tracking, not tickets but rather continuous improvement engine tracking.
Looking for a recommendation if anyone is currently using a web based engine to manage continuous improvement. I want the team to log issues they encounter grade the severity on a scale and be able to review/export to report. I want something simple and off the shelf that will allow me to get up and running quickly rather than reinvent the wheel on this one.
Sample of an issue to timestamp and track would be: ISSUE: IDF closet temp; SEVERITY: 2 (sev scale 0-9); proposed solution section; and then submit. Possible attachment section for code/log file or photo/video.
We all encounter so many issues that reoccur, and when the fire is out it is unlikely that circling back to solve them happens, only leading to a reoccurrence throughout time.
Cisco VPC and BPDU’s
Someone told me of a failure scenario that occurred with VPC where I don’t understand how it ever could have happened.
We have a host that connects to vpc Pair. So we create a port-channel down to the host from switch 1 and include 1 physical port, rinse and repeat on the second switch.
So now we have 2 port channels with the same ID on 2 switches and of course the same vPC ID. We fat finger the configuration and forget to add spanning-tree type edge to the port channels.
The server sends a BPDU to the switch and the vPC peer switch puts that vPC member in blocking state. Does that also affect the port channel on the other switch? They have the same ID.
In this case port type edge is not configured and also not BPDU guard.
Second scenario is that both vPC member port channels do have guard enabled and a BPDU hits the port channel. The interface will go err-disabled and the port channel down. At that time the other port is an orphan and regular STP counts.
Am I correct?
My colleague is saying that the BPDU could affect the whole vpc coming apart and both member interfaces going down.
python communication from 3850 guestshell
Hi all, I'm using ZTP to configure many Cisco 3850s. I have the DHCP and TFTP server running, and when I erase the startup config and reload, the file given in option 67 in the DHCP offer is downloaded and run. So no problems there, which is good!
Now the thing that makes my environment different is the order in which the network devices receive their config. It's hard for me to explain why, but try to take my word for it that the devices must be configured in a specific order. So, with the nature of DHCP I can't control which device receives its config first (I don't think?), so I'm trying a different approach.
Instead of sending a .sh script at the point of DHCP I've created a .py that creates a socket to a server that will request its config, i.e. "I am 3850, serial 123456789, config request". The server will either reply with the 3850's config or the request will get ignored. In the case that the request is ignored, the .py script on the 3850 will time out and request again every 10 seconds. When the server is ready for the network device to apply its config it will reply with it and the device will apply it.
This way the network gets to the point where every network device is requesting its own specific config and the server can pass out the configs 1 at a time.
Now the problem I'm running into is that the python script that's running inside the guestshell is not able to create a connection back to the server. Do you know if there is something in place to prevent this from happening? Do I need to use a specific protocol/port?
I realise what I'm trying to do is quite unique because I'm finding it hard to find the information that I need. Maybe there is another way of issuing out configs to each device in order?
Many thanks in advance.
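The request/reply exchange the post describes, as an added example that is not the poster's script and not Cisco's code: a server that answers a "config request" only for serials it has marked ready and otherwise closes the connection without replying, and a client that retries until a config arrives. The message format, the use of plain TCP, the loopback address and the serial/config inventory are all assumptions made for the example.

```python
import re
import socket
import threading
import time
from typing import Optional

# Constructed inventory (assumption): serial number -> config text the server may hand out.
CONFIGS = {"123456789": "hostname sw-access-01\n!\nend\n"}

# Matches the request wording from the post: "I am 3850, serial 123456789, config request"
REQUEST_RE = re.compile(r"serial (\d+), config request")


def parse_request(msg: str) -> Optional[str]:
    """Return the serial number carried in a request, or None if the text is not a request."""
    m = REQUEST_RE.search(msg)
    return m.group(1) if m else None


class ConfigServer:
    """Replies with a config only for serials marked ready; otherwise closes silently.

    Marking a serial ready (server.ready.add(serial)) is the ordering control: the
    operator releases configs one device at a time.
    """

    def __init__(self) -> None:
        self.ready: set = set()
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        self.sock.listen()
        self.sock.settimeout(0.1)          # so the accept loop can notice close()
        self.port = self.sock.getsockname()[1]
        self._stop = False
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self) -> None:
        while not self._stop:
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                serial = parse_request(conn.recv(1024).decode(errors="replace"))
                if serial in self.ready and serial in CONFIGS:
                    conn.sendall(CONFIGS[serial].encode())
                # Not ready or unknown: close without a reply; the client treats that as "ask again".

    def close(self) -> None:
        self._stop = True
        self._thread.join()
        self.sock.close()


def request_config(port: int, serial: str, attempts: int = 3,
                   retry_s: float = 0.05, timeout_s: float = 1.0) -> Optional[str]:
    """Client side, as the guestshell script would run it: ask, then retry until a config arrives."""
    for _ in range(attempts):
        try:
            with socket.create_connection(("127.0.0.1", port), timeout=timeout_s) as s:
                s.sendall(f"I am 3850, serial {serial}, config request".encode())
                chunks = []
                while True:                 # read until the server closes the connection
                    data = s.recv(4096)
                    if not data:
                        break
                    chunks.append(data)
                reply = b"".join(chunks).decode()
                if reply:
                    return reply
        except OSError:
            pass                            # refused or timed out: fall through and retry
        time.sleep(retry_s)
    return None


if __name__ == "__main__":
    srv = ConfigServer()
    print("first attempt (not ready):", request_config(srv.port, "123456789"))
    srv.ready.add("123456789")
    print("second attempt (ready):", request_config(srv.port, "123456789"))
    srv.close()
```

As written the exchange authenticates neither side: anything that can reach the server's port can ask for a config by quoting a serial number, and the device applies whatever comes back. In a deployment the same exchange would sit behind TLS (or at minimum the server would only answer addresses it expects during ZTP) before configs carrying credentials are handed out this way.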
Visio ressources
I've been asked to use Visio to create some rack diagrams, but it's my first time using this software so I'm having a really hard time finding the stencils I need, mostly for fiber equipment (panels and drawers)... does anyone know where I can get stencils for free?
Tuesday, January 9, 2018
PBR Route-Map ACL and Punts 6500-E/Sup720
Greetings all,
I'm working on some routing changes in our core and I noticed something odd after the last round of updates. After removing a device out of the Layer 3 equation and just passing traffic through it via Layer 2 I noticed increased CPU usage on our other core 6500-E devices, upwards of 20% sustained increases.
Looking at the show proc cpu sorted output it looks like it is interrupts. A "show tcam int vlan [id] acl in ip" on any of the vlans associated with the main route-map we're using shows a "punt ip any any" at the end. This is a Permit route-map with an ACL that has all denies (to drop latency sensitive traffic like DHCP, DNS, VoIP, etc out of the PBR) and a "permit ip any any" at the end to match everything else.
I'm confused on why it is punting. This route-map was in use before our maintenance but we didn't see the cpu spike until after. I did change the set command though and I'm afraid that may be what did it.
We've got active/active firewalls and I don't believe I can set the same IP address on each of them for the subinterface that connects to the VLAN that our core devices use to talk to it (they all have an SVI on that VLAN that we use PBR to push traffic to the firewalls, so they look like they're Layer 2 adjacent). Due to that, we set up a loopback with the same IP on each firewall to use as a VIP and this gets advertised out OSPF (route table shows it "via" the two subinterfaces previously mentioned). I'm attempting to use "set ip next-hop recursive" on the route-map to push traffic to that VIP, at which point the firewalls will process it. I'm wondering if changing it to recursive isn't what is causing the punt.
I've been looking this up and it appears there should be hardware support for IPv4 recursive next-hop for load sharing.
http://ift.tt/2AKfYVm
The documents and examples I've found online all talk about load sharing but then configure the route-maps with one or more "set ip next-hop" in addition to the recursive one, which confuses me since it is my understanding that "set ip next-hop" entries take precedence over the recursive version... at that point it wouldn't be load sharing.
Any thoughts (besides PBR sucks... I know and I can't wait until we have the hardware/time to do something else for traffic/network segmentation)?
Thanks!
Rant Wednesday!
It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.
There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!
WAN Optimization
I'm looking into ways to try to cut down on the bandwidth I need for a project I'm working on. I've come across a number of products that claim to do "WAN Optimization"; most of what I'm reading makes me think that I can only expect slight improvements in traffic load. Has anyone here used these products and is familiar with the real-world performance of doing this kind of thing? Are these cost effective for small businesses? I'm not looking for exact numbers either, just enough to know if this is a viable solution or just wishful thinking.
This won't be for a production environment, but I'm still interested in the costs for these devices compared to just buying more bandwidth from an ISP.
Help - Hughesnet static IP on our firewall.
We have a new Hughesnet satellite install for failover internet. We have one static IP. The issue I'm running into is getting our WAN IP on our UTM. Hughesnet is telling us that they don't have modems that support bridge mode and that their modem/router would have to be forwarded to our firewall to allow any services to pass. I'm starting to test now but I don't think our IPS/IDS will allow that to happen. Does anyone know a workaround for this so we don't have double NAT?
Cisco ISR1000 WiFi - Can I operate these radios without supporting infrastructure?
I don't know much about the current state of Cisco WiFi, have a project that requires DMVPN routers with:
- Hardwired WAN connection
- LTE WAN connection
- Support for a handful of PoE devices
- Support for WiFi clients
It needs to fit in a fairly compact package[1].
I don't think there's anything in the 800 series ISR family that checks all of those boxes, but I've read a bit about the ISR1000, and think it might.
So...
What's the deal with WiFi on these routers? Can I use it as a standalone (autonomous) AP? No requirement for a controller, ISE, or other nonsense?
Does it configure like a separate box, or is it thoroughly integrated into the router?
Thanks!
[1] Not crazy compact. I had another project which featured an ESR5921 running in an Intel Joule. This one only needs to fit in a large suitcase.
Some basic networking recommendations for smaller houses of worship
I wrote a little post that may be relevant to some of you: it includes some basic networking recommendations and troubleshooting tips, specifically for those of you in a limited-budget, volunteer-driven environment like houses of worship.
I'm happy to answer any questions or help in any way I can!
You can read the post here.
Interpreting ASA syslog connection messages
Hey r/networking,
Looking to get a little help interpreting the following syslog message from my ASA firewall, mainly whether it's possible to tell from which side the "TCP FIN" was sent first:
Jan 09 09:29:34 CST: %ASA-session-6-302014: Teardown TCP connection 1202854902 for outside:64.x.x.x/11020 to inside:192.168.x.x/57494 duration 2:34:20 bytes 1572060 TCP FINs
These sessions shouldn't be dropping, and I really need to know which end is sending the initial FIN first.
Any help is appreciated.
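A parser for the 302014 teardown line in the post, as an added example that is not the poster's code and not Cisco's: it pulls the connection id, both endpoints, the duration (converted to seconds), the byte count and the teardown reason out of the message. The sample line is the one from the post with the masked octets replaced by documentation/private addresses (constructed). The reason strings in SIDED_REASONS are the ASA's "TCP Reset-I" / "TCP Reset-O" values, which do name a side; "TCP FINs" carries no such marker, which is what closing_side() reports.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the line in the post (masked octets replaced).
SAMPLE = ("Jan 09 09:29:34 CST: %ASA-session-6-302014: Teardown TCP connection "
          "1202854902 for outside:203.0.113.10/11020 to inside:192.168.10.20/57494 "
          "duration 2:34:20 bytes 1572060 TCP FINs")

# Teardown reasons whose text itself names the side that ended the connection
# (-I: reset came from the inside interface side, -O: from the outside side).
SIDED_REASONS = {"TCP Reset-I": "inside", "TCP Reset-O": "outside"}

_RE = re.compile(
    r"%ASA-(?:session-)?(?P<sev>\d)-302014: Teardown TCP connection (?P<conn>\d+) "
    r"for (?P<sif>[\w-]+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dif>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<dur>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$")


@dataclass
class Teardown:
    conn_id: int
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int
    duration_s: int
    byte_count: int
    reason: str


def parse_duration(text: str) -> int:
    """Convert the ASA's h:mm:ss duration field to seconds."""
    parts = [int(p) for p in text.split(":")]
    if len(parts) != 3:
        raise ValueError(f"unexpected duration format: {text!r}")
    hours, minutes, seconds = parts
    return hours * 3600 + minutes * 60 + seconds


def parse_teardown(line: str) -> Optional[Teardown]:
    """Parse one 302014 line; return None for any other message."""
    m = _RE.search(line)
    if not m:
        return None
    return Teardown(
        conn_id=int(m["conn"]),
        src_if=m["sif"], src_ip=m["sip"], src_port=int(m["sport"]),
        dst_if=m["dif"], dst_ip=m["dip"], dst_port=int(m["dport"]),
        duration_s=parse_duration(m["dur"]),
        byte_count=int(m["bytes"]),
        reason=m["reason"].strip(),
    )


def closing_side(t: Teardown) -> Optional[str]:
    """The side that ended the connection, when the reason names it; None otherwise.

    'TCP FINs' only records that the session closed with a normal FIN exchange,
    so for that reason the message alone cannot say which end sent its FIN first.
    """
    return SIDED_REASONS.get(t.reason)


if __name__ == "__main__":
    t = parse_teardown(SAMPLE)
    print(t)
    print("closing side:", closing_side(t))
```

To find which end initiated the close for a "TCP FINs" teardown you need a packet capture of the session (or a flow source that records per-direction flags), not the syslog line.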
What are some authoritative resources on proper network capacity planning and congestion mitigation?
Some specific questions I'm looking to answer as comprehensively as possible:
- During the design phase, how do I know how much bandwidth is really "enough" based on the business requirements of the network? I understand the sweet spot now is 1Gbps to the endpoint, 10Gbps to access layer, and 40/100Gbps at the collapsed core.
- In production, how do I know if current bandwidth is reaching or exceeding capacity? Put another way, what OIDs and thresholds do I set my NMS to alert to, which I can then point to and say, "it's time to upgrade"? I understand monitoring an interface's aggregate throughput alone is not sufficient; I need to also look at output drops for microbursts. Anything else?
- When links have finally reached capacity, what is the proper order of mitigation, assuming I can't just drop in higher bandwidth right away? My understanding:
- L2/L3 link aggregation (more parallel pipes), then
- QoS (choose what traffic to keep/drop), then
- Deepen buffers (add latency--only for latency-insensitive applications), then
- Hardware upgrade becomes mandatory
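The capacity check the second question asks about, as an added example that is not from the post or any NMS product: utilization computed from deltas of the 64-bit ifHCOutOctets counter (with wrap handling), alongside the ifOutDiscards delta as the microburst indicator the post mentions. The OIDs are the standard IF-MIB ones; the link speed, thresholds and the poll samples are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Standard IF-MIB objects a poller would read for this check.
OID_IF_HC_OUT_OCTETS = "1.3.6.1.2.1.31.1.1.1.10"  # ifHCOutOctets (Counter64)
OID_IF_OUT_DISCARDS = "1.3.6.1.2.1.2.2.1.19"      # ifOutDiscards (Counter32)
OID_IF_HIGH_SPEED = "1.3.6.1.2.1.31.1.1.1.15"     # ifHighSpeed (Mbps)


@dataclass
class Sample:
    t: int              # poll time in seconds
    out_octets: int     # ifHCOutOctets value at that poll
    out_discards: int   # ifOutDiscards value at that poll


def counter_delta(prev: int, cur: int, bits: int = 64) -> int:
    """Delta of a monotonic SNMP counter, correcting for a single wrap."""
    if cur >= prev:
        return cur - prev
    return cur + (1 << bits) - prev


def utilization(prev: Sample, cur: Sample, speed_bps: int) -> float:
    """Average output utilization (0.0-1.0) over the interval between two polls."""
    interval = cur.t - prev.t
    if interval <= 0:
        raise ValueError("samples must be increasing in time")
    bps = counter_delta(prev.out_octets, cur.out_octets) * 8 / interval
    return bps / speed_bps


def evaluate(samples: List[Sample], speed_bps: int,
             util_warn: float = 0.7, drop_warn: int = 0) -> List[Tuple[int, str, float]]:
    """Alerts per interval: sustained utilization over util_warn, or any output discards.

    Utilization is an average over the poll interval, so bursts shorter than the
    interval are invisible in it; the discard counter is what shows those.
    """
    alerts: List[Tuple[int, str, float]] = []
    for prev, cur in zip(samples, samples[1:]):
        u = utilization(prev, cur, speed_bps)
        if u >= util_warn:
            alerts.append((cur.t, "utilization", round(u, 3)))
        drops = counter_delta(prev.out_discards, cur.out_discards, bits=32)
        if drops > drop_warn:
            alerts.append((cur.t, "output_drops", drops))
    return alerts


# Constructed polls of a 1 Gbps link at 60 s intervals (assumption for the example):
# interval 1 averages 80% (alert), interval 2 averages 20% but drops 5 frames (alert).
LINK_SPEED_BPS = 1_000_000_000
SAMPLES = [
    Sample(t=0, out_octets=1_000_000_000, out_discards=0),
    Sample(t=60, out_octets=7_000_000_000, out_discards=0),
    Sample(t=120, out_octets=8_500_000_000, out_discards=5),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLES, LINK_SPEED_BPS):
        print(alert)
```

The second interval is the case the post describes: the average looks comfortable while the discard counter shows the queue is already overflowing on bursts, so a threshold on utilization alone would never fire.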
MTA 98-366 Networking Fundamentals Question
I have the MTA 98-366 coming up and am wondering if anyone else has taken this exam. I am only taking the exam to fulfill my school (WGU)'s entrance requirement as I do not have any IT experience. Any advice/pointers?
Best books on telegraphy
I recently read The Victorian Internet, which
discusses the development and uses of the electric telegraph during the second half of the 19th century and some of the similarities the telegraph shared with the Internet of the late 20th century.
I highly recommend this book. The parallels Standage draws between the intercontinental telegraph system and the Internet provide a wonderful framework with which to think about current events.
Does anyone know of any other good historical books on telegraphy? Bonus points for those which relate back to today's networks.
(Sorry if this isn't the right subreddit - I hope the tangential relation is enough to be allowed here)
Does Raid 0 Scale Well?
It is common knowledge that if you run 2 GPUs in, say, SLI, you will never get 2x the performance of a standalone card. So I was wondering, is it the same with RAID 0? E.g. if I have 1 SSD that can write at 400MB/s, will 2 in RAID 0 be roughly 800MB/s?
Repost from /r/fortinet - Advanced Fortigate firewall t-shoot requested - Skype4Biz / G2Meeting user experience choppy
Reposting from /r/fortinet as it doesn't seem very active
Hi everyone,
Technical details:
Hardware:
Fortigate 100D (A/S HA pair) in site A, v5.2.4 - Site A (~130 people) CPU > 20% Mem > 65% Session > 20 peak
Fortigate 80E (A/S HA pair) in site B, v5.4.5 - Site B (~20 people) CPU > 10% Mem > 45% Session > 3k peak
Topology:
Site A - L3 switch with multiple VLANs, upstream static to HA Fortigate, Fortigate has dual WAN with primary/secondary
Site B - same as A
SSL inspection = off
Explicit proxy = off
Issue description:
In both site A and B I have an intermittent but irritatingly common user experience issue while using the in-app audio (not hard line call-in) features of popular conferencing applications like Skype4Biz, Go2Meeting, Webex, etc. Users will randomly get warnings from the app that their network connectivity is poor, plus occasional audio latency and loss for some/all participants. Site B didn't have this issue until a recent network hardware refresh that included swapping out a legacy firewall with the 80E HA pair above.
T-Shooting done so far:
1. I created a UTM bypass destination ACL/NAT rule above my normal outbound internet NAT/ACL. In this ACL I put a group as the destination and filled it with wildcard hostnames and literally **hundreds** of static IPv4 public network entries (Skype = MS = Azure = holy crap, let's put Skype all over the damn place) for the above popular internet conferencing apps. This was at Fortinet TAC support's request.
2. After #1 didn't make a difference over a few weeks of testing with heavy conference users, in an effort to narrow down the issue, we turned off all UTM features on outbound internet ACL/NAT rules. Same result.
3. After #3 didn't make a difference over a few weeks of testing with heavy conference users, in an effort to narrow down the issue, we disabled UTM features (AV, IPS, Application Control, Web content filter, DLP, Explicit Proxy (wasn't turned on in Site B), VoIP (wasn't turned on in Site B)). This was over the holiday break so I'm hoping to get full feedback; however, initial, limited feedback was no change...
I am very disappointed with my experiences with Fortinet TAC support, they take forever to get back to me and generally aren't able to provide clear answers to clear questions.
As common as the Fortinet firewalls are in small enterprise locations I have to assume this is something that has come up before but for the life of me I can't find the resolution in google/reddit/fortinet forums.
Thoughts?
Juniper Switch - How to prevent one vlan from talking to another...
Hi Guys,
So we have a test network environment that shouldn't be talking to the production environment. I want to know what would be the best way to prevent the test VLAN from talking to the production VLAN, but allow the production VLAN to talk to the test VLAN. I currently have a core stack of 2 Juniper EX4600 layer 3 switches with a Fortinet firewall in front of it. My thought is to block any egress traffic from the test VLAN to the production VLAN using an access list. If that is the way to do it, what would be the CLI command to do so? Thanks in advance.
Copying configuration of a single switch on Meraki
I have a replacement MS225-48LP and wanted to know if there is a way to copy and upload the configuration from the old one to the new. I know there is a cloning option for the network but I wanted to know if there was a way to do a single switch. Thanks!
Building a network, what to choose Aruba, Juniper or Extreme
Hi, I'm currently at the stage of picking the network equipment for the company. I'm going to overhaul the whole network, even placing new fiber and copper between the buildings. I'm going with 10G fiber; the current connections are based on non-redundant 1G fiber. I also want to have iSCSI traffic on the network and build a WiFi network in the company. I got an offer from Juniper for EX4600 for the core and EX3400 for the aggregation and management. As for Extreme, I got an offer for the X670 G2 and X440 G2. I'm waiting to hear what Aruba will say on their part. As for Juniper vs Extreme: Juniper has abandoned their WiFi line, Extreme has a license policy that doesn't appeal to me and the CEO. I'm also looking for centralized management because of the staff shortage I have. What are your opinions?
layer 3 connection from nexus in vpc to external switch
I've got a couple of nexus 93180s in a vpc setup. They are acting as the gateway for anything directly connected to them (SVIs setup with HSRP). I'm having trouble figuring out how to configure my connection to the upstream layer 3 switch.
I need to support multicast and as far as I can tell the supported topology would be to create two layer 3 ports (1 per Nexus switch) to the upstream switch. I want to avoid running OSPF/BGP and keep things simple with just a static route on each of my Nexus switches pointing to the upstream switch (i.e. the upstream switch will be my default route while I use SVIs on the Nexus to handle the "local" routing) and on the upstream switch a single route pointing to my Nexus switches for a specific IP range.
My problem is I can't figure out the config. On the Nexus side I'm guessing I can use the exact same config and point to the upstream switch since both switches are more or less independent at the layer 3 level. On the upstream switch though, I can't figure out what to do and from the cisco docs, it seems like I need to create an extra point to point between the nexus switches as well? There never seems to be a sample config in all the examples just a diagram so I'm a bit lost.
Long story long at this point, I think figure 11 (or maybe 14?) on the page below is what I need to do but I'm not understanding how to configure all 3 items involved
Brocade ICX6610 - Two destination mirror ports to monitor one source port, possible?
I'm deploying a web filtering device that requires a span port on our core switch to capture all traffic going to and from our router. The problem is I already have an IDS device using a span port on the switch to capture traffic from the port the router is connected to. Is it possible to send that traffic to two span ports?
Strange routing table entries pointing to NIC MAC in freebsd on AWS
Hi, I have a freebsd instance in AWS inside a VPC, that has routing table entries like this:
172.19.19.19 02:6e:09:e7:06:f8 UHS ixv0
172.19.192.7 02:6e:09:e7:06:f8 UHS ixv0
However, the destination MAC is the MAC of the only NIC connected to the instance. I am not sure where this entry comes from. The flags say that it is statically configured; however, I am at a loss to find how these entries come about. There are also corresponding incomplete ARP entries in the ARP cache.
? (172.19.192.7) at (incomplete) on ixv0 expired [ethernet]
If I delete the route table entries, I am able to communicate with those IPs. However, these entries come back on the table after a while. Where could they be coming from, especially when they have UHS flags? I also have openbgpd daemon running on that instance, and thought that it was accepting this entry from some another bgp instance and so dropped this prefix there, with no changes. Any help is appreciated.
SFP/Fiber optic transceiver white paper/info
Hi, does somebody know of a good resource to learn more about SFPs? I recently upgraded a long-haul WAN link from 160km SFPs to 210km, but did not see any increase in RX level (obviously, because the TX level just increased around 1dB). So what is the actual difference between 160km and 210km? I do think I have read somewhere that the main difference is the RX sensitivity, but I am not able to find where I read it. Is that correct? And if so, by sensitivity: does this mean that the E/O module is able to generate a more «accurate» electrical signal from a weaker optical level?
Free IT Collaboration tool?
Our team is looking for a tool to help us work better together. For instance, a place where we can see when someone is on vacation.
Do you have good suggestions?
A GLC-FE-100FX question
I have a dying fibre switch with GLC-FE-100FXs, the other end are fibre converters. http://ift.tt/2Eomgw3
Can I replace the dying fibre switch (me3400) with a 3850XS with GLC-GE-100FX?
Will it work?
firmware for a Cisco Nexus 3048 [N3K-C3064PQ-10GX]
Hi, this is probably a long shot, but desperate times - desperate measures and all that. I'm seeking the following firmware for a Cisco Nexus 3048 [N3K-C3064PQ-10GX]; I need to upgrade to the intermediary version before going to the latest or risk bricking the device, apparently. Does anyone have a copy they're willing to share, or know where one might find one? The usual trick of Google/Yandex/PirateBay and finding a torrent or some random web/FTP server isn't working this time (yes, make double damn sure the hash and byte size are correct).
Cisco Nexus 3048 // N3K-C3064PQ-10GX
Description: Nexus 3000 Release 6.0(2)U6(2a) System Image
Release: 6.0(2)U6(2a)
Release Date: 15/Feb/2016
File Name: n3000-uk9.6.0.2.U6.2a.bin
Size: 197.19 MB (206765681 bytes)
MD5 Checksum: 8f79dcefa013d747ab9d92b9dbe70513
SHA512 Checksum: 5497cd1fc1681d954ce208ec31b0b5f3354bdf4f00ad27deb310c8fcf6fa29b8ad71ec2fe1993a24c1884977f4299bed5bf614b91674cd66ceebed2a7c4c1871
Trying to Block few sites
Hi Guys, one of our clients is a small company that, due to BW limitations, requires that we block all social media sites. So my fast strategy was a class map, but I had no luck. Below is the class map:
class-map match-any url-block-class
 match protocol http url "youtube"
 match protocol http url "facebook"
!
!
policy-map url-block-policy
 class url-block-class
  drop
When I applied it to the WAN interface it had no effect whatsoever; I applied it in the out direction.
Attempt number 2, I tried an ACL as below:
access-list 101 deny tcp any host 157.240.1.35 eq www
access-list 101 permit tcp any any eq www
With the ACL, when I applied it to the WAN interface I lose all internet connections even though I have the permit any any. I am not sure what I am missing here, but this seems to be my best solution.
WAN interface config as below:
interface FastEthernet0/1
 description WAN
 ip address 192.168.1.254 255.255.255.0
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
end
Sh version:
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.3(11)T3, RELEASE SOFTWARE (fc4)
Technical Support: http://ift.tt/yGenYU
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Thanks in advance
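A small first-match ACL evaluator, as an added example that is not the poster's configuration and not IOS code, to show what the two-line ACL in the post does to traffic other than port 80: an IOS access list ends with an implicit deny, so anything not matched by an explicit permit is dropped. The host address 157.240.1.35 and the "eq www" entries are taken from the post; the inside source, the DNS and HTTPS destinations and the packets themselves are constructed. The second list adds a final permit ip any any, which is the usual way to keep a deny-specific-host list from swallowing everything else.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Ace:
    """One access-list entry; 'ip' matches any protocol, 'any' matches any host."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp", ...
    dst: str = "any"            # "any" or a single host address
    dport: Optional[int] = None # None = any port; "eq www" is port 80

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def evaluate(acl: List[Ace], p: Packet) -> str:
    """First matching entry decides; a packet matching no entry hits the implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny (implicit)"


# access-list 101 deny tcp any host 157.240.1.35 eq www
# access-list 101 permit tcp any any eq www
POSTED_ACL = [
    Ace("deny", "tcp", dst="157.240.1.35", dport=80),
    Ace("permit", "tcp", dport=80),
]

# Same two entries followed by "permit ip any any", so non-port-80 traffic still passes.
ACL_WITH_CATCHALL = POSTED_ACL + [Ace("permit", "ip")]

# Constructed traffic from an inside host (the DNS and HTTPS destinations are documentation addresses).
TRAFFIC: Dict[str, Packet] = {
    "http_to_blocked_host": Packet("tcp", "192.168.1.10", "157.240.1.35", 80),
    "dns_query": Packet("udp", "192.168.1.10", "192.0.2.53", 53),
    "https_elsewhere": Packet("tcp", "192.168.1.10", "198.51.100.7", 443),
    "https_to_blocked_host": Packet("tcp", "192.168.1.10", "157.240.1.35", 443),
}


def results(acl: List[Ace]) -> Dict[str, str]:
    """Verdict for every constructed packet under the given list."""
    return {name: evaluate(acl, pkt) for name, pkt in TRAFFIC.items()}


if __name__ == "__main__":
    for label, acl in (("posted", POSTED_ACL), ("with catch-all", ACL_WITH_CATCHALL)):
        print(label)
        for name, verdict in results(acl).items():
            print(f"  {name:24s} {verdict}")
```

With the posted list, the DNS query and every HTTPS session fall through to the implicit deny, which matches the "lose all internet" symptom. The last row is the other thing to notice when blocking a site by address and port: the deny only covers port 80 to that one address, so an HTTPS session to the same host is untouched, and a list of addresses has to be maintained as the site's ranges change. The NBAR class-map approach the post tried first, or a DNS/URL filter, are the tools built for that job.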
Monday, January 8, 2018
IPv6 Address Assignment question
So IPv6 is approaching its 20th birthday. What has shaken out to be the most accepted way of assigning addresses?
- SLAAC (with no Domain info)
- DHCPv6 (with no default route)
Combo of both
- SLAAC with DHCPv6 for Domain info
- DHCPv6 with SLAAC only for RA?
Stateful DHCPv6, vs Stateless?
Trouble with CNC machine FTP over managed switch.
Pre-requisite n00b disclaimer: I am new to Cisco managed switches and the CLI, but I have a basic understanding of what I am doing (I think).
We have a few older CNC machines that support FTP for machine file transfers. For the longest time these machines have used FTP from a server running on a local off-network PC. The two are connected via an Ethernet cable with static IPs and FTP works all the time, every time. That PC is a large time bomb, and doesn't adhere to policy, so I'm trying to get rid of it (them).
The machine has settings for IP, subnet mask, but NO DEFAULT GATEWAY.
I started the process by adding a second NIC to our network FTP server to get it on the same VLAN and IP range so it doesn't have to traverse a different VLAN. Tried to pull a file and it worked once and never again. Unable to repeat the results, I set up RSPAN to monitor the traffic with Wireshark. I also attempted to set up a static route in the switch to direct the machine IP to the FTP server IP. With RSPAN I discovered that the FTP request doesn't ever come across the port, but the machine IP is pingable on that VLAN from the FTP server. I also tested the line to the switch, and it is good. I plugged it back into the local computer, and it will transfer all day with request after request.
Before I left today, I noticed that the switch port was negotiating 10Mbps (expected) with half-duplex (unexpected) to the machine. I'll verify what it is negotiating to the local computer tomorrow. The machine is old enough that the Ethernet adapter could very well be half-duplex.
I also tested the FTP between the machine and the local computer with an unmanaged switch between, and it works just fine as well.
My two problem indicators are potentially the half-duplex negotiation, and an "ethernet check failure" that shows up in Wireshark during FTP/ping on the local computer, and when pinging the machine over the network.
I'm running out of ideas to troubleshoot the issue. What would you recommend as next steps?
Wisp MPLS design
I am working on a new design for our WISP. We currently have around 800 customers and around 50 towers. We are getting ready to order 2 Mikrotik CCR1072s for our core routers and upgrade from a bridged network to MPLS. I have been researching this over the last few days but I am getting bogged down on the different implementations and how to go about it. I am not sure if I need to set up VRFs, VPLS or something different. We want to conserve IP space and implement IPv6. Possibly set up a PPPoE server to handle accounts along with static public addresses.
Our needs are as follows:
- Clients can get a NATed IPv4 address or a static public address with PPPoE
- IPv6 support
- Ability to create tunnels for clients with multiple sites
- Redundant connections for backhauls at different points of entry
- Redundant upstream providers at different locations. Our main 10G connection comes from 1 location while we have a couple of 200M connections at different locations. Redundancy will need to be set at a site (tower) level.
I have created a test lab using 4 Mikrotik routers joined as a ring using MPLS and OSPF. I configured a unique loopback address per router and /30s between the routers. Failover when breaking one of the links takes anywhere from 1 second to 30 seconds. I believe that is the OSPF timers??? Not sure where to go from here.
I would like to run a version of BGP for our public/NATed IP addresses and try to keep things somewhat simple. Anyone have any good ideas on how to create the best design without being too complicated?
Urban Fiber by HOA? Not a service, just the lines
Hi folks.
We have a community of about 500 town-homes in an urban area in Orange County (Google Fiber does service a city nearby). We only briefly discussed installing our own fiber lines (using a contractor) and wanted to flesh out the idea a bit more.
Estimates I have seen vary wildly. But since all the community is owned by the HOA I think this is at least possible and is worth investigating.
I wanted to ask a few questions and maybe get some feedback of stuff I am not thinking of...
- If we run the lines could we get Google, Verizon, etc. to possibly tell us where to connect to provide service? We do not want to run our own service, just lay the lines and try to negotiate a good price with one of the telecoms.
- How can we estimate lines? Just looking at some rough numbers on Google Maps, I estimated about 4 miles underground. I doubled up a lot just to make it worse; in reality it's about 30-50% less distance. I saw some underground costs and unit costs that put us around $800,000 to $1,200,000. Does this seem ballpark reasonable or am I grossly underestimating?
- If we got a FIOS company to do this, we would also want them to maintain the lines while they are serving the community. Is that realistic, or do we need to do this ourselves? What sort of maintenance would we be looking at for these lines?
- Are there any other communities that have done stuff like this? I would like to read about it!
- Does trying to negotiate better pricing since we are running our own lines sound logical?
- What aren't we thinking of that we need to be?
1 External IP and Ports to Multiple Internal IP's
Hello,
We have a Cisco ASA 5508-X firewall, and use NAT for Internal to External IP's. These are working great.
We are looking to do the following for our alarm panels:
- <<EXTERNAL IP>> Port 24 -> Internal 10.0.1.1
- <<SAME EXTERNAL IP>> Port 25 -> 10.0.1.2
- <<SAME EXTERNAL IP>> Port 26 -> 10.0.1.3
Is this possible? How is this generally setup?
Thanks in advance.
SVIs and vPC
I have a pair of Nexus 3500s that have a number of SVIs. Northbound, everything goes to a single switch. Right now the Nexus switches connect to the upstream switch via a number of separate links. I want to consolidate these separate links into LAGs from each Nexus into the switch. I don't have any experience with Nexus or vPC, but from what I've read so far, I think my design is going to run into problems. I'm mostly writing this to check my understanding on how vPC works, although I'll be the first to admit that I am doing this half-blind without really digging deep into the docs, and that is not the best idea.
To summarize the basics of the existing design, I have 3 VLANs. VLAN 123 is a big broadcast domain that both the Nexus switches and a few upstream routers connect to and peer on via EIGRP. Each Nexus has another SVI that exists only in that switch and is an eBGP peer with an upstream provider router (for redundancy if one Nexus fails).
I really want to consolidate these links, but I see two problems with how this would work.
If I don't use vPC, and ran VLAN 123 across a separate link between the two Nexus switches, I would have to rely on spanning tree to prevent the loop that the two Nexus and one upstream switch would cause, but I would really rather not run spanning tree and I don't want to create another connection between the two Nexus, as there is already the existing vPC peer-link.
If I go with vPC, I have an issue where the two BGP VLANs won't work, as traffic could go to the "wrong" Nexus over the member links. I think the solution here is that I have to run the two BGP VLANs across the vPC peer-link, even though I would prefer not to have them span across both Nexus switches when they only terminate on one. Also, I think EIGRP will break (or take the suboptimal path through the upstream switch because of the forwarding rules for vPC).
I inherited this and I'm somewhat limited in how much I can change the L3 design.
Here is a drawing of what I want the physical links and SVIs to look like: http://ift.tt/2En5LR7
Something tells me I'm missing something or going about this completely wrong. Any advice?
Info reg ipspace.net.
Can anyone confirm if www.ipspace.net content is any good?
Thinking of subscribing to their content.