Saturday, March 3, 2018

Building a local media network

I'm looking to build a local network for sharing movies and music while deployed. I'm trying to use a wireless router + external HDD now and it's not user friendly. I need access for 10-15 users so they can watch movies and play music over wifi. Is there a way to connect to a wifi to watch movies of your choice for multiple users on Android/Apple/tablet/laptop? Also, we will not have any internet. What options are there for this, or are there any? I'm somewhat tech savvy but haven't done anything like this before. Thanks for the help.



Port Mirroring behavior on Cisco Switch

Hi Folks. I recently tried some stuff with SPAN and RSPAN on some Catalyst 3750 in a lab, and saw this behavior:

I was running one local SPAN and one remote SPAN session on the same switch with just one uplink.

The RSPAN was mirroring traffic from an Access Port where a PC was connected. The local session was mirroring on the uplink port.

My Laptop was connected to the port configured as the local SPAN destination and running Wireshark.

When the PC was issuing pings to devices connected on other switches (going over the uplink), my expectation was to see every single ping twice, because the local session was mirroring the uplink (trunk) and I thought I'd see the traffic for the ping AND the traffic for the RSPAN session.

But I only saw the pings once; no traffic from the RSPAN session was captured.

Pings and the RSPAN session were working, though. I also saw the pings on the machine behind the RSPAN session.

Why didn't the local session capture the remote SPAN traffic?



Splitting 50-80km dark fibers with CWDM?

We have three dark fibers leased from our ISP, and I was wondering how well it would work if we added CWDM MUX/DEMUX to both ends. We'd need one to three more connections between these sites and our main campus.

Can I just get the cheapest CWDM boxes from FS.com or should I consider something else? Which channels should I use?

Current RX powers from the switches:

From Core:

Port    Temperature (Celsius)   Voltage (Volts)   Current (mA)   Tx Power (dBm)   Rx Power (dBm)
------  ----------------------  ----------------  -------------  ---------------  --------------
site1   35.3                    3.21              74.7           2.3              -23.5
site2   34.9                    3.21              84.8           1.5              -24.4
site3   44.9                    3.26              29.7           1.4              -18.2

From remote sites:

Port    Temperature (Celsius)   Voltage (Volts)   Tx Power (dBm)   Rx Power (dBm)
------  ----------------------  ----------------  ---------------  --------------
site1   20.3                    3.25              1.3              -19.9
site2   19.3                    3.25              1.1              -21.0
site3   42.3                    3.26              0.6              -17.9

The first two are 10GBASE-ER optics and the last one ZR. Though I'm quite sure the actual fiber run to site 2 is almost 80km... The other two are 60km and 55km from the main campus (just looking at the map; the actual fiber run is of course longer).

Any ideas? Thanks!



Network ping/tracert test

Let's see how to verify your internet connection with ping and tracert:

https://www.youtube.com/watch?v=VFieoVncwno&t=2s



Network setup with one static IP

I have a networking question that I know has an answer, but I cannot seem to understand solutions. That or I don’t know what to Google.

I have a public static IP line from Spectrum Business that was installed to monitor a HVAC system. The computer used for HVAC control is set up and online, but that seems to be the only device I can add to the network. The IP address assigned to that computer is the public IP Spectrum assigned to us. I’m trying to figure out a way to get the Ubee modem/router to assign IPs with DHCP, but when I connect to the router’s Wi-Fi, I can’t even access the router’s UI.

I've been searching Google and YouTube for tutorials on how to set up a static IP network, or even one with additional DHCP control on top of one static IP, but the two don't seem to mix. Any ideas?



The Phoenix Project

I just finished The Phoenix Project and thought it was awesome. One part had me curious though. The main character, an IT director in a medium-sized business, is told by his CEO that the future career for senior IT leaders rests in the COO position. I find this interesting given that traditionally the next step has been CIO. Do you think that this is accurate with the growth of cloud services and being able to jump between development/operations? Are there any current COOs or CIOs who can elaborate?



What could cause a lack of arp replies?

For some reason, a new link we're trying to bring up is not working. When I do a tcpdump on the interface, I see that both our local device and our distant-end router are sending out ARP requests trying to find each other. But neither is replying. What could cause that?

I was thinking that since I at least see the distant-end request, layers 1 through 2 have to be good. Why won't either side reply though?

Any advice? Thanks!



Client wants to extend L2 over Dark Fiber thoughts?

Hello,

I have a client that has an on-site server room which contains a small collapsed core of Catalyst 9500 and hyper-v cluster running Nexus 9300 as TOR.

The building next door to the customer is a large DC that has a direct fiber conduit running to the customer's building. The customer purchased two fiber pairs to the colo rack, and I am in the process of setting up DWDM equipment. The original plan was to migrate the VLANs used on the Nexus for Hyper-V and storage while forklifting the entire server setup to the colo, then simply routing between the colo and the on-site core (about 800 users). In the process we're also getting another set of Catalyst 9500 at the colo as the second core for MACsec purposes.

Long story short, at the last minute the customer wants to span the VLANs across the dark fiber. The fiber itself is about 0.3 miles in distance with no real latency. The customer is insisting, with their three "network" guys on staff, on doing it. They want to have the hypothetical ability to provision a local Hyper-V cluster in the future to do the Hyper-V equivalent of vMotion, and other L2 adjacency requirements such as slowly migrating existing on-site VLANs to brand new routed VLANs at the colo.

We offered the client an ASR setup with OTV, which we have had good experience with, and we offered VXLAN BGP EVPN. Admittedly these are more complicated solutions than needed for a customer this size. The customer has other locations, but they're correctly set up as routed interfaces.

Anyway, I would like to hear people's thoughts. Honestly, we are against this, but I'd like to hear opinions or options we're missing.



Tagged to Untagged VLAN Question

So I have a pretty good understanding of vlan tagging and untagging, but what confused me recently was how the following worked in a business and I was hoping someone could shed some light on how it works.

A cable comes from a port that has the default server & workstation traffic on VLAN 10, and we plugged the other end of the cable into a new switch that was untagged on VLAN 1. We were kind of surprised that everything started working and communicating through the connected cable right away. I would have thought we would have had to VLAN tag the entire new switch on VLAN 10.

Is there something with VLAN that I am missing on how it works in this case?



Router, unmanaged switch, managed switch

If I have an unmanaged switch between a router with virtual VLAN interfaces and a managed switch, will the unmanaged switch be able to pass along the VLAN ID to the managed switch?



ADSL vs Wimax

Which one gives lower latency ?



How does P2P work with multiple people?

I really want to know this. Let's say you have an 8 player game. Every player has a 1MB/s upload speed and 1MB/s download speed. The server has 8MB/s download speed and 8MB/s upload speed.

When everything would be done server-side, I think that one player would send its data to the server, and the server would send it back to the other players at 1MB/s for each player. But I don't know how it'd work with P2P. Would each player upload the same data 8 times, once to every player, dividing their upload speed by 8? Or is there any other, more efficient way to do it?

Also, let's say you have a chat client. One user would be logged in, and the other would be logged out, with his client closed. The first user wants to send a message to the second one now, so that when he comes back he'd receive it immediately.

If it'd be server-side, the message would just be sent to the database, so when the second user logs in, his client would automatically download this database and access this message. How would that situation work with P2P? There's not really any central database. How can you send something to someone when he's currently not using the network? Do you need to keep your PC turned on until the second user logs in? Or do you need to send the message in an encrypted form to other currently available users, and they'll send it on to the second user when he logs back in?



A Chat request Stream

I had a fun(?) idea for a twitch stream where the chat controls the topics covered. So the idea is that I’ll cover whatever comes up, as long as I’m able to explain it / lab it in the stream.

So if you want to ask a question / challenge me then checkout twitch.tv/PacketThrower tomorrow, I’m not sure when the stream will start but I’ll post out notice before.

——- Mod note: I’m thinking of a better way of doing these announcements that is less...spammy but since this is the first one I’ll see how this goes.



Cisco C160 ironport

Anyone have experience with these devices? I've read the C170s can be flashed with a Dell-equivalent BIOS, but there's not much information out there for this model.

Thanks in advance!



OSPF over GRE

So I have 3 datacenters that are all connected by an L2 Gig network. Each location has its own subnets and needs to access resources at the other locations. Easy enough. The problem is that if the L2 WAN is down, the sites can't talk to each other, so I want to set up OSPF to fail over to a GRE tunnel that exists on a separate gateway device at each location. The routers are actually Linux Quagga. Currently they are all statically routed to each other and it's fine. But if I switch to OSPF, does each logical location get its own area, in addition to the backbone being area 0? Should OSPF be able to handle switching the routing from the WAN to the tunnel, or am I making this harder than it really is?

https://imgur.com/NGxmjyc



Nokia certifications - comparison to CCIE

I've been looking at the Nokia/ALU certifications, and I wondered if anybody here has experience with them. It looks like a valid CCIE number gets you credit for several of the exams. It also looks to me like their NRS-I is equivalent to CCNA. NRS-II has a 3.5 hour lab exam and several written exams, so it looks about like the CCNP would look if it had a lab exam in it. Then there's the SRA which appears to be a CCIE/CCDE hybrid equivalent. Have you taken any of these exams? If so, did you find them to be comparable to cisco exams? Is my surface-level assessment here accurate?



Friday, March 2, 2018

Help understanding fiber optic setup

I'm starting my career in IT, and I'm supervising an installation of a small office communications rack. The company doing the installation is supposed to set everything up, yet I want to fully understand the setup. Fiber comes through the ceiling to an optical Ethernet demarcation unit, which, as I understand, has a transceiver. This in turn is connected through Cat5 to a Cisco switch. From port 24 (of 24) of the switch, a MikroTik router is connected. What I don't fully understand is why the Ethernet demarcation unit is connected to the switch first instead of the router, and what exactly this device does (I have not been able to find much info online, nor any datasheets for the device, model minifiberlinx-ii). I'd love some help, either by an explanation or references.



Recommendations for external dual band wifi antennas (Cisco compatible)

I'm looking for some recommendations from anyone who's used 3rd-party external wifi antennas. Who's in this market that I can look at? I've only found Ventev so far. I've got a few high-density rooms coming up and while I've always used Cisco antennas I'm looking into possible other/cheaper options. I'm hoping to find something close to the Cisco ant2513p4m; however, I haven't really found anything comparable out there. Hope this is within the 'rules'.



Can Cisco privilege levels be used granularly within the 'configure terminal'?

I have looked without success for a way to create a privilege level on a Cisco switch that would allow a user to access 'config t' and then either 'no shut' or 'shut' a switchport. We really only want the users to be able to do that one task.

I saw that something like this was available through TACACS, but no luck on what commands, or if it's even possible.

Thanks in advance.



What's going on with the service providers?



SSH/HTTPS Banners Pre-login or Post-login?

Having a spirited debate with a colleague about whether there should be a banner prior to a login or after a login. His stance is that we should minimize as much information being told to someone scanning and have the banner display upon a successful login. I suggested we should have a minimal banner displaying no company information, only a generic banner deterring anyone from attempting to login. I am of the belief that a post-banner doesn't hide anything, the port itself is going to appear open anyway.

Thoughts?



incredibly low level question about what part I need for this network rack to support some cable bundles...

Very stupid low level question, but I've been unable to find something that looks like it will work.

I have a 2-post network rack that has two big cable bundles coming out of the wall (not pretty, I know). The cable braids were just supporting themselves, but now they are kind of resting on a network appliance rack (as seen in the pic). What I am trying to find is some sort of cable support arm or something that I can hook onto the back and then add ties to support the cable bundles (something of that nature).

So far, the best thing I've found is this: http://networkcableandpipe.co.uk/product/cs1-slotted-p-2663t/ as I would be able to kind of hoist the cable braids onto it and then secure them to it via cable ties.



Question on permanent redirects (301) for http(s)

Hello r/networking - this is my first post in this sub!

Got a DNS question regarding an http 301. I set up the redirect for a domain name (using Google Domains). In the browsers I've tested, it works fine with the http protocol, but does nothing with https.

I imagine setting SSL certs will fix it, but I don't want to go through all that if it can be avoided. Is there a concept I'm missing? Anybody know of a trick or an easy workaround?



East coast problems?

Does anyone know of anything happening on the East Coast? Our monitoring software started going haywire about 20 minutes ago for our locations up and down the coast. They all vary on ISPs too, from Comcast coax to Lightower fiber.



SPAN Session on my 4507R+E

I'm running a C4507R+E with a Sup 7L-E 10GE card and I'm looking into the limits of SPAN ports to support a new security initiative for a SIEM device. I inherited this network and unfortunately the 4500 is our Core, Distribution and Access, so I have a ton of VLANs they are going to want mirrored and a few other physical ports. This sup allows me to span up to 8 ports (which sounds scary in terms of stability), which I'm afraid won't be enough. Would network taps possibly help me out here, or is the design of this data center just not creative enough to support what I would need done?



IKEv2 for Native Clients (Win10, iOS, OSX, Android)

I am developing a VPN solution that leverages the native client built-in to all the modern operating systems. My VPN server is a FortiGate, and I am trying to authenticate against a Cisco ACS RADIUS server. I want to use username/password auth for now, no identity certs. The VPN server and RADIUS server have certs issued from our internal PKI.

Right now, I have Windows 10 clients working as expected. The only cert I have on the client is the root ca in the trusted root store. Apple clients, not so much. They fail right away. Now if I change the auth locally to the VPN server, Apple clients can connect. The error that I see on the RADIUS server is that the EAP method the client is sending is not accepted (EAP-MSCHAP). When I look at the logs for the Windows clients, I see that they are using EAP-PEAP as the EAP method. From Apple's documentation (https://help.apple.com/deployment/ios/#/ior0f9aea818), the clients support EAP-PEAP, EAP-TLS, and EAP-MSCHAPv2.

So my question to my favorite subreddit is:

Does anyone have native iOS/OSX clients connecting to an IKEv2 VPN using EAP-PEAP with only a username/password (no identity/device cert)? If so, what should my .mobileconfig look like for this to work?



cPacket Networks versus Gigamon

Does anyone here have hands-on experience with cPacket Networks cVu hardware, and are you able to give a comparison of it versus Gigamon? Pros/cons? We are looking at a possible POC of cPacket Networks cVu 160NG for spanning traffic from Cisco Nexus 7009 (Core and DIST VDCs) and multiple Cisco Nexus 5548s (Internet, DIST for FEXes, and MWAN) as well as tapping (4) AT&T SIP circuits and off-loading to multiple tools (LiveAction, Lancope StealthWatch, tcpdump packet capture server, Samplicator engine, etc). Gigamon is sooooo pricey and the cPacket Networks hardware includes a lot of what the Gigamon folks charge extra for (de-dupe, NetFlow, packet slicing).



Juniper QOS - Dedicated bandwidth for VOIP

I operate an ISP and offer basic broadband circuits of varying bandwidth. I typically drop a Juniper SRX320 or SRX340 on-site to act as PE for my MPLS backbone.

Some of my customers are having issues where they are maxing out their bandwidth and experiencing quality issues with VOIP calls (as expected).

These customers are very non-technical and do not have the proper equipment on-site to properly split the bandwidth before it leaves their network.

I would like to configure my PE device to use QOS to allocate a dedicated amount of bandwidth for VOIP traffic. So if they purchase a 20Mbps circuit, I will allocate 15Mbps for non-VOIP traffic, and 5 for VOIP traffic.

Any configuration guides for JunOS that will get me on the right track?



Using the ASR1001X AUX port to console into another device?

I have a Cisco ASR 1001X at a remote site. I'm trying to bring another device up alongside it and I don't have a term server at the site. Does anyone know if it's possible to connect the AUX port on the ASR to the new device's console port so that I can configure it remotely with reverse telnet from the ASR? I did some googling and can't find a working config.



Cybersecurity Student

So - I’ve just finished my third term of school in “internet communications technology” and just started a co-op placement doing information security architecture.

I’m really looking to expand my knowledge on SDN, NFV and OpenStack as I spend about 2 hours a day on a train to and from the office.

Does anyone in the community have any recommendations on good material I could read on these topics?



BGP/OSPF own lab setup questions.

Hi,

I am quite new to BGP. I want to set up a lab which has 3 AS groups with full connectivity.

https://imgur.com/hJG5HeF - different colours = different subnets, with 3 AS groups: bottom left, middle and bottom right.

I was wondering: is it easier to run OSPF and BGP on top of this? In terms of the setup, I assume I set up multi-area OSPF, gain full connectivity and add BGP on top?

Sorry if this is the wrong subreddit, and please let me know if you don't understand my questions I will try and make it clearer.

Thanks again.



Cisco ISE 2.3 CA Certificate binding

Hello,

I am currently having some difficulties trying to finalize the last step, binding the signed CSR from the CA that I've exported from ISE.

The error message that I encounter at the end is:

Certificate path validation failed. Make sure required Certificate Chain is imported under Trusted Certificates.


Has anyone else encountered this issue and managed to solve it?



OTV on CSR1000v Lab environment

Hi Guys,

I was wondering if any of you have already set up OTV on a Cisco IOS XE in a lab or real environment. I want to test a setup that I will create in a lab to see if it will work.

The OTV tunnel itself will work, but I remain with a few questions:

  • If I want to span a VLAN across the OTV tunnel, preferably the VLAN that exists in both sites, I need to add this as a bridge domain to the OTV overlay interface. But do I also need to add this on the interface facing the LAN segment (I would think yes?)

For example, this is the configuration you will find on the Cisco webpage, but it's not complete by a mile, I think.

ip multicast-routing distributed
!
otv site bridge-domain 1
otv site-identifier 0000.0000.0050
!
interface overlay 2
 otv control-group 225.0.0.1
 otv data-group 232.10.10.0/8
 otv join-interface GigabitEthernet 0/0/0
 no shutdown
 !
 service instance 10 ethernet
  encapsulation dot1q 100
  bridge-domain 200
 service instance 11 ethernet
  encapsulation dot1q 101
  bridge-domain 201
!
interface GigabitEthernet 0/0/0
 ip address 209.165.200.1 255.255.255.224
 ip pim passive
 ip igmp version 3
!
interface GigabitEthernet 0/0/1
 service instance 1 ethernet
  encapsulation untagged
  bridge-domain 1
 service instance 50 ethernet
  encapsulation dot1q 100
  bridge-domain 200
 service instance 51 ethernet
  encapsulation dot1q 101
  bridge-domain 201
!
ip pim ssm default

Is it missing adding the VLANs that span across to the OTV overlay?

Say you build an L3 switch next to the AEDs; you can give them an SVI in that VLAN and then have your hosts connect to it as their default gateway. You still need to tell the L3 switch to forward towards the router, of course? Even if you build a trunk link towards the router's interface with the service instances on it?

Also, the whole "service instance" configuration in global config mode does not work.



Detection of broken forwarding planes

Hi all,

We have experienced a problem where one of our core routers was causing high latency. The vendor couldn't find anything. We eventually found the problem in one of the hardware fabric modules that handle the forwarding plane. This issue was already present in our network for 2 days; we didn't notice because there were no links that failed, no errors, no logs, nothing. Of course Google's traffic controller noticed higher latency in their applications and steered traffic away from the affected links, which helped us pinpoint the problem.

What systems do you currently use to track the health of your network? I'm thinking about something with these capabilities:

  • External probe appliances with 10G connectivity (our cores don't have 1G). We want to monitor around 150 nodes, so I'm thinking of the same number of probes.
  • Automatic correlation to pinpoint a failing link/node.
  • Ad-hoc analysis: start a latency test or traceroute from all or some probes in the network to a specific IP. (We sometimes get complaints from residential users that experience higher latency to gaming servers, etc. Such a solution would cut down the time to analyze these issues.)

Was looking into ThousandEyes, but I'm somewhat lost in their product portfolio. Thanks for sharing your experiences.



Cisco 1000 Series ISR Router - CPU during 1Gbps of iPerf (and a mini review)

Hey guys. Heard about this new router not so long ago and wanted to get my hands on one to push some traffic through it and see if it did what it says on the tin for the low price I've been quoted.

Testing

Setup: PC1 - R1 - R2 - PC2

I know it's a limited, controlled test, blasting 1Gbps of iPerf over a static route, but I'm really happy with the results as this isn't too dissimilar to what most of our CEs do anyway: https://imgur.com/3ptudzE

Blue CLI is PowerShell on PC1; black CLI is the console on R1.

We're pushing 1% - 2% of CPU while doing 1Gbps of traffic!!

Pros and Cons

The pros I've found so far are:

  1. Only costs £400 (about $550) for base model
  2. Can push 1Gbps of traffic almost effortlessly
  3. Looks really nice
  4. Is passively cooled, i.e. completely silent!
  5. Can do MPLS / LDP with a license
  6. Can do a couple of ports on POE
  7. Comes with 5 GE copper ports on the base model (1 routed, 4 switched)
  8. In addition to the above ports it comes with 1 SFP/RJ45 dual personality port
  9. As small as an 1841 / 1921

Cons:

  1. Uses a transformer power brick which will increase the rack profile annoyingly, one small upside is the transformer takes C13 so you'll at least be able to power it in any rack without much hassle.

Summary

I'm a big fan of this router and it's going to be my CE of choice now. Previously, for a 100Mbps-300Mbps circuit I would've been using a C1921/C2901 with an EHWIC-1GE-SFP-CU, which is around £400-£500, and for 300Mbps-1Gbps I would've been using a C7201 or an ASR1001, which is around £1400. I can literally save £1,000 per connection now, so the boss is happy.

I'm going to trial it in the field on a couple of 200Mbps connections first and in a month or so if it's still doing what I expect I'll start rolling it out as the new standard.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, as well as a nice description, to this thread.



Switching from Test to Dev after 4 years as a black-box tester at a Networking company. I have no clue about what things to look out for - technologies, work-flow. Need some help. [x-post /r/cscareerquestions]

I started working at a networking company 4 years back as a Test Engineer. I would say my work involves 50% black-box testing, and 50% automation of these tests.

In the last 4 years, I got a good idea about the domain, but got bored eventually and decided to switch to something involving more coding. So right now, I studied, interviewed and got an SDE role from a large networking company based in the Bay Area. After receiving this, I spoke with my manager about Development opportunities within my current company, and he offered me the chance to look at the different teams and take a call on what interests me.

Problem is - in the last 4 years, I have managed to completely pigeon-hole myself. So all the advances when it comes to Software Development - in the networking field, as that is relevant here - are just buzzwords to me.

I have these questions:

1) What do I look for when I go about choosing a team? What are some interesting technologies to look out for in the networking space? Currently, I am going off of language. I code in C++. But I feel basing my decision on that might not be wise. So what else do I look at? We have teams that work on the User Plane, then individual control plane modules related to the domain, and a platform team which writes the drivers and stuff(?) and is developing our virtualized solutions.

2) If I choose to go to the new company, what all things do I take care of - so I get up to speed ASAP - with regards to technologies (in networking AND as a developer in the current market), coding, designing software. I do not want to be in such a helpless position ever again.

Any help would be great!



Thursday, March 1, 2018

Cisco DNA and licenses

First off, in Cisco DNA essentials training, and holy shit, this is the worst training I've ever been in. The labs are just godawful, and to be honest, I'm not impressed with the product either. We've pretty much decided we're not interested in DNA.

For the licensing, the Cisco slides show what things are included with Network Essentials vs Network Advantage, and DNA essentials vs DNA advantage. Our VAR tells us they are tied together, so if you want the advanced network features, you must also buy the advanced DNA feature set.

Anyone confirm this is true? The product seems bad and we don't want it...



Tips on closet cable management

Hello everyone,

I've been looking for some tips on cable management.

To give you an idea of what I am dealing with: we have 3 rows of 24-port patch panels followed by a 48-port switch. Rinse and repeat for a rough number of over 150 cables.

The basic way we are doing it right now is by splitting down the middle, velcro 4 8 12 from the patch and 12 24 from the switch, then the cables are passed inside a rack. Patch > vertical rack > switch. Similar to this picture http://farm3.static.flickr.com/2189/2215694485_ec3583babd_o.jpg *not my actual closet

This would be easy to manage if there were no changes made to the cabling, but because of a lot of moves being done, some cables get moved every week. Having a lot of velcro would mean spending a lot of time removing and putting the velcro back, and I feel that people would get lazy and just say fuck the velcro to save some time.

Do you have any tips on this? I've heard that whenever adding new cables, putting them behind the bundle might help, but I feel it will eventually make things messy.

Thanks for your replies!



Searching for IT Professionals to help with graduate research

We are reaching out to IT professionals for a survey on the industry and would appreciate if you took a few minutes to give your response. Respondents are entered into a raffle to win $50 Visa gift cards for this survey, and there is a follow-up survey for which all respondents will receive a $25 Visa Gift Card. https://docs.google.com/forms/u/1/d/e/1FAIpQLSfu10mHADooKfYrHilvn73ug8BYMk8uhcrb-fm-AOQFIDxtBg/viewform



What are some good questions to ask of the interviewers for a Network Engineering position?

What are some good questions to ask HR/sr. net engineer/hiring manager to get a good idea of what the job and work environment will be like?



Need new network security gateway device

I'm not sure if this is the right place to ask. We currently have a Juniper NetScreen-25 circa 2007 running v5 firmware and I really want to replace it with a new hardware firewall. Yes - I know it's old, but it has been the most reliable device, please don't berate me for not replacing it sooner.

It's configured with a WAN (fibre service from NTU), Private LAN (192.168.1.0/24) providing DHCP, Public LAN (203.x.x.x/29) and has a spare Ethernet port.
There are 35 PCs, a few wifi portables and a few servers sitting on the private LAN. There are 5 or so servers sitting on the public LAN. We don't use much in the way of cloud hosting, with the exception of Exchange Online for email.

There are many carefully configured in/out port-based traffic rules for both private and public LANs, and 5 VIP rules (NAT port forwards) to the private LAN. It's screwed down pretty tight as far as I know and we have never had any breach.

There are no VLANs, we don't use VOIP at the moment so there are no QoS or PBR rules, and there are no VPN connections to or from the Juniper itself (just the SSTP to a Windows RRAS server on the public LAN).

With all of that out of the way - I'd like some advice on what device I should replace this with.

I'm not sure what the difference is between a Next Generation Firewall and a UTM appliance. One of our external IT consultants uses WatchGuard Firebox devices with active subscriptions. Another uses Check Point. Obviously there's Cisco, Netgear, Fortinet, Sophos and so many others, but I'm also aware of other cheaper devices like DrayTek and MikroTik that can use 3rd-party services for security updates.

I want to replace the Juniper ASAP - I just don't know what is going to be best for our network and use case.

Budget is up to $3000 AUD for the appliance and maybe $700-$1200 per year for the updates subscription if required.

Any advice or opinions?



Have an office 1.5 Miles away from my home. Need non-line of sight bridge for internet and networking. 25'+ vertical access in both locations, flat geography (Oklahoma).

Mainly for offsite backup and internet. Looking for a cost-effective solution. Under $1000 if possible. I possibly have roof access at both locations. That said, are there any indoor solutions for this situation?

I was looking at hardware such as:



Github just survived a DDoS attack of over 1.35 Tbps



Brocade Palo Alto LAG static issue

We are attempting to create a static LAG between our Brocade 6610 and Palo Alto 820. Below is the config used to configure the LAG. When we bring up port 1/1/13 connected to Palo Alto port 1 of the AE, after ~6 seconds we observe a WAN disconnect. Our internet transit vlan is 4005, but we also have WAN on 4000-4003. I am not confident that we lose all vlans but we at least lose connectivity out the vlan 4005. I do not see spanning tree events in the logs of the Brocade; some of these vlans participate in 802.1-w, others do not. We do have an option to enable LACP but we would lose some throughput. Do you know of any incompatibility between these two devices? Our Palo Alto engineer has deployed this same config across many vendors using a static LAG, but it’s possible we are missing something. This config works on a 7250 but I don’t have a spare 6610 to test with. I was planning to test all vlans individually during a maintenance window to determine which ones we are actually losing when the LAG is connected, but the soonest I can schedule that maintenance is this weekend.

Edit: user traffic egress is vlan 4005.

no lag LAGA ! lag A static

ports ethernet 1/1/13 ethernet 1/1/14 ethernet 2/1/13 ethernet 2/1/14

primary-port 1/1/13

deploy

port-name ethernet 1/1/13

port-name ethernet 1/1/14

port-name ethernet 2/1/13

port-name ethernet 2/1/14

! lag B static

ports ethernet 1/1/15 ethernet 1/1/16 ethernet 2/1/15 ethernet 2/1/16

primary-port 2/1/15

deploy

port-name ethernet 1/1/15

port-name ethernet 1/1/16

port-name ethernet 2/1/15

port-name ethernet 2/1/16

vlan 8

tagged e 1/1/13 e 2/1/15

vlan 9

tagged e 1/1/13 e 2/1/15

vlan 255

tagged e 1/1/13 e 2/1/15

vlan 4000

tagged e 1/1/13 e 2/1/15

vlan 4001

tagged e 1/1/13 e 2/1/15

vlan 4002

tagged e 1/1/13 e 2/1/15

vlan 4003

tagged e 1/1/13 e 2/1/15

vlan 4005

tagged e 1/1/13 e 2/1/15

vlan 24

tagged e 1/1/13 e 2/1/15

vlan 11

tagged e 1/1/13 e 2/1/15

vlan 12

tagged e 1/1/13 e 2/1/15

vlan 13

tagged e 1/1/13 e 2/1/15

vlan 204

tagged e 1/1/13 e 2/1/15

int e 1/1/13

dual-mode 255

int e 2/1/15

dual-mode 255

=== LAG "A" ID 6 (static Deployed) ===
LAG Configuration:
Ports: e 1/1/13 to 1/1/14 e 2/1/13 to 2/1/14
Port Count: 4
Primary Port: 1/1/13
Trunk Type: hash-based
Deployment: HW Trunk ID 6
Port   Link  State  Dupl  Speed  Trunk  Tag  Pvid  Pri  MAC  Name
1/1/13 Down  None   None  None   6      Yes  255   0
1/1/14 Down  None   None  None   6      Yes  255   0
2/1/13 Down  None   None  None   6      Yes  255   0
2/1/14 Down  None   None  None   6      Yes  255   0

=== LAG "B" ID 7 (static Deployed) ===
LAG Configuration:
Ports: e 1/1/15 to 1/1/16 e 2/1/15 to 2/1/16
Port Count: 4
Primary Port: 2/1/15
Trunk Type: hash-based
Deployment: HW Trunk ID 7
Port   Link  State  Dupl  Speed  Trunk  Tag  Pvid  Pri  MAC  Name
1/1/15 Down  None   None  None   7      Yes  255   0
1/1/16 Down  None   None  None   7      Yes  255   0
2/1/15 Down  None   None  None   7      Yes  255   0
2/1/16 Down  None   None  None   7      Yes  255   0



Looking for DMS100 Assistance - Regarding ASL+SUPR

Hey all!

Curious what the easiest way would be to find an ASL + SUPR association.

Let's say you have a M5312 Digital 6X21 Set w/ SUPR on Key 1 and then ASL on an Agent Set..

They're both in the same CUSTGRP.

I know you can QCUST XXXXXX to get all numbers in that group and CTRL+F to find the associated that way. But it's tedious.

There must be a way to run a similar command to QDNWRK and narrow it down by LCC AND CUSTGRP so I can search within the same CUSTGRP. If I can just search for SUPR within that CUSTGRP that should find the leading number no problem.

Any suggestions would be great!



Harden Router Suggestion

So since Cisco will stop making the cellular card for the CRG2010, I have been tasked with finding a replacement router and I am having a damn hard time trying to find something that will satisfy the below requirements:

  • Hardened, needs to be able to run in an environment from -20 degrees Fahrenheit to at least +140 degrees Fahrenheit
  • DC Power (12 Volts would be really nice, but can deal with 24)
  • Support Multi-VRF
  • Cellular Backup
  • T1 WIC Port
  • Four LAN Ports would be sufficient but not a deal breaker, would like to keep everything in one box as space is at a premium


Question about VPN on cisco devices

Hey everyone! Sorry for the potentially dumb question, but it's been a long day and I can't wrap my head around this at the moment.

We are getting ready to set up a site to site tunnel and VPN with an external company. I filled out a webform for their IT department and I provided the gateway from our side, and the subnet we would be sourcing from when communicating with their servers.

They sent back the confirmation, and this is where my drained brain stopped processing stuff. They gave us their gateway, and their networks that would be accessible across the tunnel. But no Tunnel IPs. And they are calling it a PIVPN, which my googling is showing up as a Raspberry Pi VPN server, but their endpoint is a Cisco ASA 5555 (ours at the remote site in question is an ISR4431).

My dumb questions are, what is a PIVPN? And without tunnel IPs I can't set up a tunnel interface I believe? I am the least security savvy engineer, so if someone can direct me to documentation I would be much appreciative.



Synology here. We are coming to a city near you and would love to meet you!

Hey it’s Wyatt from Synology here!

We wanted to let you know we are hosting workshops in 17 North American cities (list below). The series of workshops will bring hundreds of Synology partners, resellers, integrators and enthusiasts like YOU together to connect them with in-depth information and best practices for using our solutions.

The first session will cover best practices regarding File Serving & Data Redundancy. Here our team will show you how to set up a private cloud file server for storing files, sharing documents, and backing up business data using Synology’s robust application suite.

The second session will cover best practices regarding Virtualization & Video Surveillance. Here you will learn how to integrate Synology NAS into cloud backup, virtualization storage, and video surveillance deployments.

Register for free here: https://www.synology.com/en-us/events/workshop_2018_us

Schedule:

Los Angeles, CA – Tuesday, March 20, 2018 @ Pacific Palms Resort

San Jose, CA – Wednesday, March 21, 2018 @ Hyatt Place

Tampa, FL – Tuesday, March 27, 2018 @ Four Points by Sheraton

Denver, CO – Tuesday, April 3, 2018 @ Hyatt Regency Denver Tech Center

Phoenix, AZ – Wednesday, April 4, 2018 @ Hilton Scottsdale Resort & Villas

Chicago, IL – Tuesday, May 1, 2018 @ The Westin Lombard Yorktown Center

Toronto, ON – Wednesday, May 2, 2018 @ Edward Hotel

Cleveland, OH – Tuesday, May 8, 2018 @ Doubletree by Hilton Hotel

Atlanta, GA – Wednesday, May 9, 2018 @ Hyatt Regency Atlanta Perimeter

Indianapolis, IN – Wednesday, May 16, 2018 @ Indianapolis Marriott East

Boston, MA – Thursday, May 17, 2018 @ Embassy Suites by Hilton Waltham

Washington, DC – Tuesday, June 5, 2018 @ Sheraton Tyson’s Corner

Vancouver, BC – Tuesday, June 5, 2018 @ Pacific Gateway Hotel

Miami, FL – Wednesday, June 6, 2018 @ Intercontinental Doral

Bellevue, WA – Thursday, June 7, 2018 @ The Bellevue Club

Houston, TX – Wednesday, June 13, 2018 @ Hilton Houston Galleria

Dallas, TX – Thursday, June 14, 2018 @ Westin Galleria

We hope to see you there!

*And for those outside North America here's the link to our other workshops around the world! https://www.synology.com/en-global/events/workshops_2018_global



Strange behavior of OSPF during a network-type mismatch

Hey everyone,

I'm hoping someone here with an intimate knowledge of OSPF's operation might be able to explain some weird behavior I saw today. We had an OSPF network type mismatch between an ISP and one of our edge routers (broadcast & point-to-point).

So even though there was a mismatch, the actual neighborship was up (which is normal behavior, yes?). The part that intrigues/concerns me is that our router received all the LSAs from the ISP (as far as I could tell; I looked in the OSPF database and I saw all the LSAs there) - but our router wasn't adding them to the routing table.

Anyway, the moment I fixed the network type mismatch all the missing routes were added to the routing table. But can anyone explain why the LSAs weren't added to the routing table in the first place, if they were in the database?



Using BGP to get the "health" of the network?

Hello guys!

I've been discussing a bit with a colleague of mine what we could get out of using BGP updates as a health indicator in our network. Roughly 300-500 routers.

The idea is to have all nodes peer with a central BGP speaker. This BGP speaker will not redistribute/advertise any BGP prefixes, but should receive all prefixes from the neighbors. Whenever there is a topology/prefix change, this speaker should process/log/syslog the change.

What's your thought of this? Horrible idea? Have any of you implemented anything like it?



Best place to learn about Network Operating Systems?

I got a free course on Cumulus Linux and since we're starting to get whitebox hardware, I am curious if someone could recommend a site or two (or ten) where I could learn everything about the subject.

We have a couple of Edge-Core boxes here and I asked the engineer what O/S is running on them, to which he replied OFDPA.

I guess since I'm so new to all of this, I just want to get an understanding of what does what. For example, is Quagga an O/S? Is ONOS like ONIE? I hear all of these terms and I can't differentiate between them. Rather than google each one separately, I figured if there's a site that exists that explains the more popular ones, that would be awesome.

Thanks all.



Ruckus CloudPath or Aruba Clearpass

Has anyone had any experience with Ruckus CloudPath or Aruba Clearpass? We are a company of about 2000 employees and looking to implement 802.1x and 11x. Any pros or cons to either solution?



Nexus not sending packets to 1 host?

I have a host on 10.1.16.253.

The nexus can ping everything in that subnet except one host.

10.1.16.0/24, ubest/mbest: 1/0, attached
    *via 10.101.16.2, Vlan16, [0/0], 2y21w, direct
10.1.16.1/32, ubest/mbest: 1/0
    *via 10.101.16.1, Vlan16, [0/0], 2y21w, vrrp_engine
10.1.16.2/32, ubest/mbest: 1/0, attached
    *via 10.101.16.2, Vlan16, [0/0], 2y21w, local

NEX5K01# ping 10.1.16.1
PING 10.1.16.1 (10.1.16.1): 56 data bytes
64 bytes from 10.1.16.1: icmp_seq=0 ttl=255 time=0.535 ms
64 bytes from 10.1.16.1: icmp_seq=1 ttl=255 time=0.629 ms
64 bytes from 10.1.16.1: icmp_seq=2 ttl=255 time=0.568 ms
64 bytes from 10.1.16.1: icmp_seq=3 ttl=255 time=0.567 ms
64 bytes from 10.1.16.1: icmp_seq=4 ttl=255 time=0.567 ms

--- 10.1.16.1 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.535/0.573/0.629 ms

NEX5K01# ping 10.1.16.32
PING 10.1.16.32 (10.1.16.32): 56 data bytes
64 bytes from 10.1.16.32: icmp_seq=0 ttl=126 time=5.454 ms
64 bytes from 10.1.16.32: icmp_seq=1 ttl=126 time=0.963 ms
64 bytes from 10.1.16.32: icmp_seq=2 ttl=126 time=2.202 ms
64 bytes from 10.1.16.32: icmp_seq=3 ttl=126 time=1.145 ms
64 bytes from 10.1.16.32: icmp_seq=4 ttl=126 time=7.468 ms

--- 10.1.16.32 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.963/3.446/7.468 ms

NEX5K01# ping 10.1.16.253
PING 10.1.16.253 (10.1.16.253): 56 data bytes
Request 0 timed out
Request 1 timed out
Request 2 timed out
Request 3 timed out
Request 4 timed out

Host is not showing any RX packets:

veth0.16  Link encap:Ethernet  HWaddr 00:60:16:68:C2:C2
          inet addr:10.1.16.253  Bcast:10.1.16.255  Mask:255.255.255.0
          inet6 addr: fe80:::c2c2/64 Scope:Link
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:9000  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1198312 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:155909564 (148.6 MiB)

The mac address-table is showing that it is in Po5 which is in vlan 12?

* 12 0060.1668.c2c2 dynamic 20 F F Po5

So because I haven't really touched a nexus...I just want to double check.

would doing the following resolve the issue?

config t
interface port-channel5
switchport trunk allowed vlan add 16
end
copy running-config startup-config

Basically just adding the vlan. All my instincts are screaming yes...but just want to double check. Added info: Host is a physical host, other hosts are virtual.



VOIP VLAN not working correctly when other VLAN is shit.

We have one VLAN for VOIP and one main VLAN for everything else. Our main VLAN has grown too big and is total horse shit. The VOIP VLAN runs to another switch from our VOIP provider that has a different router.

When a VOIP phone is on the VOIP provider switch, everything is fine. But when I connect a VOIP phone to our network that has the main VLAN untagged and the VOIP VLAN tagged, calls are 30 seconds later than the CTI or the user will be kicked from the call group.

I removed the main VLAN from the VOIP phone and it worked perfectly, then I added it back and the user missed a lot of calls again.

So can I correctly say that although the VOIP phone is on the VOIP VLAN that it has trouble with the main VLAN?

Also how the fuck can I configure VLAN prioritizing on the 3Com Baseline Switch 2928-HPWR?



Dampening memcached UDP/11211 DDoS attacks

In recent days a severe issue with open memcached instances has been uncovered - internet & hosting providers are asked to take steps to dampen the effects of UDP/11211 attacks.

NTT has deployed rate limiters on all external facing interfaces on the GIN backbone - for UDP/11211 traffic - to dampen the negative impact of open memcached instances on peers and customers.

The toxic combination of 'one spoofed packet can yield multiple response packets' and 'one small packet can yield a very big response' makes the memcached UDP protocol a fine example of double trouble with potential for severe operational impact.

An example on how to configure IOS XR to dampen the attack effects can be found here. It would be good if we share examples for more platforms with each other.
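The post describes both halves of the amplification problem (many response packets, and much larger ones, per spoofed request). As an added example that is not part of the original post, the Python below pairs UDP/11211 requests with their responses in NetFlow-style records and flags pairs whose byte or packet ratio shows a memcached host on your network being used as a reflector; the flow records, IP addresses and thresholds are constructed for the example.

```python
"""Flag memcached (UDP/11211) reflection/amplification in flow records.

Added example, not code from the original post. Records are a simplified,
constructed NetFlow-style CSV:
    src_ip,src_port,dst_ip,dst_port,proto,packets,bytes
"""
from collections import defaultdict
from dataclasses import dataclass

MEMCACHED_PORT = 11211
# Thresholds are assumptions for this example, not values from the post.
MIN_RESPONSE_BYTES = 100_000     # ignore tiny exchanges
MIN_AMPLIFICATION = 50.0         # bytes out / bytes in

# Constructed sample. 203.0.113.10 plays our open memcached host; 198.51.100.7
# and 198.51.100.8 play spoofed "sources" that receive the reflected traffic;
# 192.0.2.5 plays a legitimate client with a roughly symmetric exchange.
SAMPLE_FLOWS = """\
198.51.100.7,51234,203.0.113.10,11211,udp,3,45
203.0.113.10,11211,198.51.100.7,51234,udp,1200,1800000
192.0.2.5,40000,203.0.113.10,11211,udp,10,600
203.0.113.10,11211,192.0.2.5,40000,udp,10,900
203.0.113.10,11211,198.51.100.8,60000,udp,800,1200000
198.51.100.7,443,203.0.113.20,51000,tcp,50,60000
"""


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


def parse_flows(text):
    """Parse CSV flow lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split(",")
        if len(f) != 7:
            raise ValueError(f"bad flow record: {line!r}")
        flows.append(Flow(f[0], int(f[1]), f[2], int(f[3]),
                          f[4].lower(), int(f[5]), int(f[6])))
    return flows


def amplification_report(flows):
    """Aggregate UDP/11211 traffic per (client, memcached host) pair.

    Returns a dict keyed by (client_ip, server_ip) with request/response
    packet and byte counts and the resulting amplification ratios. A response
    with no observed request (spoofed source never sent anything we saw, or
    asymmetric routing) yields an infinite ratio rather than a crash.
    """
    req = defaultdict(lambda: [0, 0])    # (client, server) -> [pkts, bytes]
    resp = defaultdict(lambda: [0, 0])
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst_port == MEMCACHED_PORT:
            key = (f.src_ip, f.dst_ip)
            req[key][0] += f.packets
            req[key][1] += f.bytes
        elif f.src_port == MEMCACHED_PORT:
            key = (f.dst_ip, f.src_ip)
            resp[key][0] += f.packets
            resp[key][1] += f.bytes
    report = {}
    for key, (rpk, rby) in resp.items():
        qpk, qby = req.get(key, (0, 0))
        report[key] = {
            "request_packets": qpk, "request_bytes": qby,
            "response_packets": rpk, "response_bytes": rby,
            "byte_amplification": rby / qby if qby else float("inf"),
            "packet_amplification": rpk / qpk if qpk else float("inf"),
        }
    return report


def suspicious_pairs(report):
    """(client, server) pairs where the server looks like a reflector."""
    return sorted(
        key for key, r in report.items()
        if r["response_bytes"] >= MIN_RESPONSE_BYTES
        and r["byte_amplification"] >= MIN_AMPLIFICATION
    )


if __name__ == "__main__":
    rep = amplification_report(parse_flows(SAMPLE_FLOWS))
    for client, server in suspicious_pairs(rep):
        r = rep[(client, server)]
        print(f"{server} -> {client}: {r['response_bytes']} B out, "
              f"{r['request_bytes']} B in, "
              f"x{r['byte_amplification']:.0f} bytes, "
              f"x{r['packet_amplification']:.0f} packets")
```

The same aggregation run with the roles reversed (keyed on your own prefixes as the response destination) tells you whether you are the victim rather than the reflector.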



cisco.com login - CCO ID vs. email

Losing my mind here a bit. I’ve been logging in using my CCO ID for close to 20 years. Just tried and I get a server side error (Ping Identity SSO error). Adapter mapping error blah blah...

I tried logging in with the primary email address on my account and got right in. I’ve never used that as my username in the past.

I can log into the certification tracking system using my CCO though. The login page for that is the “older” Cisco page/style.

Does anyone know what the deal is ? It’s certainly something related to the “new” login “experience”.



Network with Only Static Routes?

Scenario: Small retail network running no internal routing protocols. Everything is statically routed at the firewall. Firewall has MPLS connection to remote offices and site-to-site VPNs over Internet to stores. Assuming I am a total network n00b, why is this setup bad? What is wrong with all my routes being static in a small environment?



BPDU Flooding on Dell PowerConnect - what's it for?

Hello fellow netadmins of reddit.

I'm looking for some detail on the function, use and best practices of Dell's 'BPDU Flooding' feature on Powerconnect N-series and 2800 series switches. I've been having some trouble wrapping my head around this feature. Is there a Cisco analogue to this feature with a totally different name, as often seems to be the case with Dell stuff?

Some background:

I've been at the trade for about 20 years. Recently I have started working at a company with a larger and wider switch infrastructure where our spanning tree and related configs matter. I'm tasked to ramp up on STP and related concepts, figure out what changes we need and implement.

We are mostly centered on the Dell PowerConnect N2/3/4000 series and a handful of older PowerConnect 2800s.

I'm not having trouble with most concepts: root priorities, guard, STP states, portfast & related concepts like loop protection/keepalive -- for the most part I am figuring these out.

However all our Dell switches seem to support and talk about a feature called 'BPDU flooding' that I am having difficulty understanding. While I have found a lot of descriptions about what BPDU flooding does, I can't seem to find any examples of why one would want to do it.

I understand the related concepts of BPDU protection and BPDU filtering, but not how they relate to flooding. My older 2800's seem to force me to pick 'flooding or filtering' at a global level and don't mention 'protection' in their configs at all. The N-series have much more granular options. I haven't started modelling things in my lab, but am pretty much ready to proceed to that step except for not understanding this one point.

The book(s) has this to say about BPDU flooding, and not much else: "The BPDU flooding feature determines the behavior of the switch when it receives a BPDU on a port that is disabled for spanning tree. If BPDU flooding is configured, the switch will flood the received BPDU to all the ports on the switch which are similarly disabled for spanning tree."

I want to make sure I fully understand all of these concepts before I draft my final deployment plans, and this one is really escaping me. Google has let me down in my quest for knowledge today.

I guess my ultimate question is: can anyone tell me what BPDU flooding is specifically for? What problem does it solve, or scenario does it address? How does it fit into the other BPDU modes and the rest of the STP/switch management eco system? Any best practices tips?

Help me Reddit-wan-Kenobi, you are my only hope.



Wednesday, February 28, 2018

Resources for high level WAN topics

What resources do you recommend for things like MPLS, SD-WAN, VPLS and Segment routing? I've played around with MPLS in lab environments, and got it working but only in its most basic form, and without truly understanding what's happening in the background.

Cheers.



Network monitoring solution

Is Zabbix pretty much the best free enterprise network monitoring tool? If not, do you guys have any recommendation on what other free tool that should look into?

Thanks.



Hmmmm

jstretch@switch> show chassis environment
Class Item                      Status     Measurement
Power FPC 0 Power Supply 0      Failed
      FPC 0 Power Supply 1      Failed
Temp  FPC 0 CPU                 OK         52 degrees C / 125 degrees F
      FPC 0 NW-PFE              OK         37 degrees C / 98 degrees F
      FPC 0 SE-PFE              OK         42 degrees C / 107 degrees F
      FPC 0 PHY-2/3             OK         40 degrees C / 104 degrees F
      FPC 0 MGMT PHY            OK         40 degrees C / 104 degrees F
      FPC 0 PHY-4/5             OK         46 degrees C / 114 degrees F
Fans  FPC 0 Fan 0               OK         Spinning at normal speed
      FPC 0 Fan 0 Airflow       OK         Airflow In (AFI)
      FPC 0 Fan 1               OK         Spinning at normal speed
      FPC 0 Fan 1 Airflow       OK         Airflow In (AFI)


Nexus 9300 - MPLS L3 VPN Support?

Per my understanding, the 9300 line does not support MPLS L3 VPNs - though there's a specific linecard in the 9500 that does.

Is my understanding correct?



Can I tell what kind of fiber connection this is based on this data?

I don't know much about fiber connections so sorry about that, but this seemed like the right place to ask. I have the following info:

Connector: LC encoding 8B10B rate 1300 single-mode: 20000 pn: HL-1000BX-S34-20.

An LC connector can be used with both MM and SM right? It does sound like SM, but is single-mode 20 000 nm really a thing?



Pure networking jobs

Do they even exist? It's either a programmer or a sys/netadmin hybrid. I'm honestly tired of sysadmin stuff.



Red Single Mode Fiber Jumpers

We are doing some fire alarm upgrades and I am in need of some red single mode fiber jumpers for a reasonable price. Does anyone know where we could find them at a reasonable price? I have found some for 20x the price of a regular single mode jumper and wanted to check here before spending way too much or settling for yellow jumpers. Any ideas are welcome. Thanks in advance. (ST-SC), (ST-LC), (LC-LC), & (SC-LC)



Cheap AP capable of tagging VLANs

Hi Everyone. I am looking for a Wireless AP capable of tagging VLANs per SSID. I know Cisco Meraki has this feature, but I am looking for a cheaper alternative. Cloud based or not will do. Any recommendation?



How relevant is 2004 CCNA material?

I'm trying to get back into networking and I scored a bunch of older CCNA books from 2004 and was wondering how relevant this material is today? I actually completed some CCNA courses in 2004 but haven't done anything since and wasn't sure how much the field has changed. Any help would be appreciated.



Constant WAN Connection Up/Down.

I have 2 offices that both use Rogers cable, 10 devices in each location. One uses a Cisco RV220 Router, the other an RV325. The offices are physically next door to each other and with separate internet accounts.

These 2 are constantly dropping internet, one more than the other but roughly problematic for both. I check the Network Log on the router and it's filled with WAN Connection UP/WAN Connection Down, throughout the day and throughout the month.

I also get reports of extreme slowness between 11am-2pm, everyday. (Of course when I'm there it's fine.)

I've been through quite a few firmware versions, Rogers says it's always up, changed cables, router reboots usually fix the issue.

Could it be something weirdly electrical? I ask because these 2 offices are small buildings referred to as "cottages" and are built identical.

And since I've been supporting this company, issues were there when it was on DSL and with other routers.

I've also looked for dhcp issues, checked wiring (some drops weren't that good), used various DNS servers, static ip's etc.



802.1q tunnel causing VLANs to not be able to access multiple websites.

I have a weird issue. We have two sites that are about 3 miles apart. ISP gives us an 802.1q tunnel between the sites.

Site A: Has entry point to the internet and our FW. Everything works at this site.

Site B: Uses provided 802.1q tunnel to tie into Site A and gets to the internet that way. Site B native traffic works fine, our Wifi VLAN cannot access multiple websites. (As in the majority of them). Which is weird because Wifi users on the same VLAN at Site A can access everything. As I said, Native traffic at Site B can access whatever it wants, but for some reason our Wifi VLAN cannot. I even bypassed the wireless gear and made a switchport access wifivlan and hardwired my laptop and still had the same problem.

The firewall is Watchguard XTM330 (it's on the list to get replaced), switches are all Ubiquiti Unifi, ISP switches are Cisco 4948s. Both of my ports going to the 802.1q tunnel are trunk ports.

I'm just not understanding how websites will work at Site A but not Site B when it's the same LAN same subnet same VLAN etc.

If anyone could give some insights that'd be awesome.

An example of what websites work/don't work: google.com and facebook.com work at Site B, but espn.com and portal.office365.com don't.



STP Loopguard - Blocking the root port?

Hey all. I've got a (hopefully stupid) question.

As I understand it, loopguard will transition a port to loop-inconsistent state if it stops receiving BPDUs. On our campus network, we use MST for the vast majority of our switches. However, we have some switches where we cannot run MST (they support it, but .... reasons). We also must enable loopguard, as per our security guidelines.

On the switches where we cannot run MST, we are running PVST. On those PVST switches, sometimes (not consistent), the root port will transition into a loop inconsistent state. The topology is very simple - the PVST switch is connected to an MST switch via a single cable (sometimes it's a fiber link, sometimes it's copper). There are no redundant links involved in that portion of the topology. Disabling loopguard will resolve the problem, but it can reoccur if loopguard is re-enabled.

So, my questions are:

  1. Why would the switch transition its root port to loop-inconsistent? Because it stopped receiving BPDUs, right? Leading to #2....
  2. Why would an MST switch stop sending BPDUs to a PVST switch?
  3. Why is this a very intermittent issue? It doesn't happen on all the PVST switches, it can go days, weeks, months without the issue. But once the switch has the issue - it keeps happening.

Note: This morning, I changed some of our PVST switches to Rapid PVST - I hope that will resolve this issue, but only time will tell.

Thanks for any help you can provide!



IPsec phase 2

I need a little help understanding how S2S phase 2 works in a specific situation. Every tunnel I have done before has had specific protected networks specified on both ends and combined using object groups. I am currently working with someone who would like for me to use quad 0s for my network and specify for theirs. The reason being is he wants a smaller amount of phase 2 connections to deal with. I don’t see any issues with this working but my question is this.

If I am using object groups from my end, would this act the same as quad 0s as far as the number of phase 2 connections or would it still create a new connection for each protected network?



TACACS accounting and ISE

Is there a way to send ALL commands, not just exec or certain priv levels to your TACACS servers through accounting? I am not seeing any accounting logs in our ISE 2.3 server and don't know where I am missing something - whether in the router config or in ISE itself. Authentication and Authorization are working fine... just nothing for accounting. Here is my overboard accounting config...

aaa accounting exec default start-stop group tacacs+ - This should only send priv exec commands... right?

aaa accounting commands 0 default start-stop group tacacs+ - anything above priv 0 should be sent?

aaa accounting commands 1 default start-stop group tacacs+ - Same as above but 1??

aaa accounting commands 15 default start-stop group tacacs+ - Same as above but 15??

Been awhile since we have done TACACS, we have been an NPS shop for a bit...



DHCP not updating DNS

Any help would be appreciated.

Currently we have an embedded linux device that needs to register on our DNS. Our server is windows server 2012 running both the DHCP and DNS. I am aware that DNS will only update the DNS with incoming request sent from Windows machines. That being said we have already made the changes to the DHCP scope to "Dynamically update the DNS table: Always dynamically update DNS A and PTR records" as well as "Dynamically update DNS A and PTR records for DHCP clients that do not request updates (for example, clients running Windows NT 4.0)". After doing that we have even tried changing the DNS to accept unsecure/secure dynamic updates. However, that too did not work.

Manually creating static entries in the DNS is NOT an option as these linux devices are supposed to be unattended. Any thoughts?



Designing a Wireless Backbone

Hello everyone,

I am planning a wireless backbone for use in a "disaster" for my company. I have two separate buildings with Internet access (one w/ fiber, the other w/ cable). Building A has fiber internet and Building B has cable internet. I have multiple buildings with dual WAN firewalls (WAN 1 is wired and WAN 2 is the wireless backbone and both go to building B for internet access). I want to configure Building B's firewall to send traffic coming in from the wireless backbone back through the wireless backbone to building A's firewall if WAN 1 (cable internet) at building B is down. I was thinking I might have to set up a third WAN at Buildings C, D, and E to go to Building A if the primary WAN at building B is down, or set up a third WAN at building B to go back through the wireless backbone and to Building A. I was wondering if I am on the right path and if there are other ways to go about this? I have also provided a link to a picture for reference purposes. In the picture, all the secondary WANs go back to building B; I want Building B's secondary WAN to go to building A if Building B's primary WAN is down and I want Building A to go to Building B if the fiber goes down.



PCI Express Networking Architecture

For https://i.imgur.com/djqK3Go.png , why are received DLLPs being redirected to 'TLP retry buffer'? Besides, why is the output of 'TLP error check' redirected to transmitting 'DLLPs'?



VPN site-to-site with AWS, traffic flapping

Hey guys,

We have an ASA firewall that's been upgraded to 9.9(1) recently. We also have a site to site VPN set up between our on-premises environment and AWS.

All was working fine, but since the ASA upgrade we experience network hiccups (flapping traffic). From an EC2 instance, I am currently able to ping an on-premises server but it could be that 5 minutes later the ping times out. The VPN tunnel stays on as far as I can tell.

The other weird thing is that while I can ping from the EC2 server to a DNS/DC server on-prem, all DNS lookups fail. So even though the VPN tunnel is ON and ping works, I get a time out trying to get a DNS lookup. Even weirder is that the DNS lookup was working 5 minutes ago.

I have installed MS Network Analyser on the 2 boxes but couldn't find anything other than the DNS queries are sent but are not reaching the server from time to time.

I am a sysadmin, so I have very basic knowledge of ASA and VPN protocols. I have asked a colleague who's on vacation so I got a succinct reply: Please verify the AWS support pages if there's any change to the encryption methodology, possibly some of the preferred ciphers got decommissioned at the time of the ASA upgrade.

As far as I can tell the minimum requirements for AWS are IKEv1, AES128, SHA1, and DH Group 2

This is what it looks like on our ASA:

https://i.imgur.com/isGwmTq.png

https://i.imgur.com/nNQoiZR.png

https://i.imgur.com/J2v0b4G.png



Interesting issue with management VLAN being overridden by access VLAN.

Hey All,

Apologies if this is lower-level but I'm trying to see what could be the root cause and would appreciate any help with figuring this out.

I have 1 Firewall with a trunk downlink to 1 switch.

Ruckus APs connected to switch #1.

Switch AP ports are set to trunk with native-VLAN of 100. Access VLAN is 101.

That setup above works with no issues. Ruckus APs get IPs in management VLAN of 100 on the firewall and clients connect and get DHCP leases from VLAN 101.

Now....the issue is when I establish a 2nd SSID, as a Guest Network, and assign it the VLAN 102 in the Ruckus WLC. What happens is the APs start grabbing their management IPs from VLAN 102 rather than the management VLAN of 100. So then I set static reservations for the APs to only grab IPs from the management VLAN (100) and all is well, until the lease expires, then they go back to grabbing their management IPs from VLAN 102.

Anything you guys can think of?



New DDoS Vector

In case any of you guys haven't seen it yet, memcached is getting used for DDoS now. Link below with more info. Bug your sysadmins if they are using it.

https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/



NOC Monitoring Software with SNMP, TL1, and ASCII support.

We are looking at replacing our current monitoring system with a different one and possibly an open source one. Does anyone know of any monitoring software (preferably web based) that is capable of SNMP, TL1, and ASCII?

Thanks,



Aruba 2960 to MX84

I have a stack of Aruba 2960s that connect to a Meraki MX84. I'm trying to connect each stack member to the firewall for redundancy.

STP is enabled on the Aruba, but when I connect it, it loops the network. When I plug in the second link, I get this in the Aruba switch.

W 05/21/90 21:46:29 00332 FFI: ST1-CMDR: port 2/1-Excessive Broadcasts

Any ideas? Another option, I have the ports setup with trunk ports going to the MX84, but I don't know if it needs to be access ports (I know trunking is different between Cisco and Aruba).



DC Interconnect. Dual P2P Layer 3 links or Layer 3 PortChannel (Between Nexus 3k)

Hi all,

I am seeking input from anyone who has implemented anything similar. My design is Layer 3 but no requirement for OTV/VxLAN at this point. There will be no stretching of Layer 2. The P2P links are 1Gbps each.

I have some path steering considerations (encrypted tunnel with nightly data replication, so same src/dst) that are leaning me toward dual P2P L3 links, but I'm seeking 'devil's advocates', as it were, on the +/- of the L3 PortChannel, as it's not something that I have ever used outside a lab environment.

I understand that the Nexus hides the way it implements a L3 PortChannel which is all but the same as a VLAN & SVI. Is my recollection correct that when 1 lane of the PortChannel fills, that traffic will then be placed onto the 2nd lane? Or am I completely off the mark..

I will have a bandwidth-hungry IPsec tunnel with the same src/dst/L4 that will peak at 800Mb overnight, so I plan on steering the remaining traffic to the other 1Gb link using the dual P2P approach.

Thanks in advance for any input available.



Cisco ISE help!

Hi, I am deploying ISE for my company but I have some problems with switch configuration. I have searched on Google and found a thread in which Cisco said that ISE can work on any platform, especially with the Cisco SG300. Can you help me with this?



Translating a public to private address

Hi there. I have a question regarding NAT. I want to forward a port from my router to a server on the internal network, but I want to translate the source IP (which will be a public IP) to the IP of the router. So to the target device, it would look like the connection is originating from the router, and not from some public IP. How would I accomplish this on a MikroTik router?



WiFi shared throughout a small business park. Paid internet service. Help (please) to think about how ?

I have an office on a small business park, it's probably 400m long by 200m wide. There are lots of small units. Some of the units do not have Internet or even a phone line. I was thinking I could create a paid internet Service for the business park. Maybe at a small cost of £2 per day or £30 per month.

I can get a nice 300Mb Virgin line in my office and share that out. I want to have each customer who uses the services only be able to "see" their computers, as it needs to be secure so Bill in unit B can't see Jane's computers in Unit C.

I came across the WAP371 from Cisco, these allow up to 8 SSIDs to be broadcast, with different Vlans per SSID too! With these in mind I could separate the SSID's per customer. Tell Bill to connect to Wifi1 and Jane to connect to wifi2 etc.

Then have each vlan going out to the WWW.

So it'd look like this. Note: I'd try and have the CPE and router the same device if the ISP will allow.

WWW > CPE > Router (separating VLANs, controlling DHCP) > PoE Switch > Cables going to different WAPs around the business park (or a cabled connection to a customer who needs/wants a cabled connection).

I was planning on having a UPS to keep the network up if there is a power cut. I was also planning a 2nd internet connection (different ISP) as a backup. Each connection would be limited and split evenly. So if I had a 300Mb line into my office I'd have 30Mb down (based on 10 customers). What would be the best way to separate the bandwidth to individual VLANs?

Another thought... I was also thinking about having an added service to that as a storage service. So they could rent 10GB for example from me for a backup. I was trying to think of a way to do this without having to buy 10 NAS devices, I'd really only like 1 NAS device but I can't think of a way to do that. Any ideas?

Oh and I'd need some sort of payment gateway, so the customers are blocked to getting to the internet unless they have a token for today / the month. I've been looking for a gateway like that in the open source market, but I'm not coming across anything that says it does the above.

Thoughts on the idea?



Difference between UTM/NGFW and Secure Web Gateway

Hello everyone, I am still unable to justify the need for a secure web gateway. From what I have read online, it has a greater focus on web filtering than an NGFW, but just this won't make me buy it.

In which situation would you really need a Secure Web Gateway? What does it do better than a UTM/NGFW?



I'm a startup founder. How do I setup a shared network drive on my LAN using my current shared (website) hosting plan?

Hi,

I want to set up a shared network drive so that all my employees can access shared company documents directly. They are all connected to the same internet connection (we have a dedicated 1:1 leased line connection). Also, we currently have a shared hosting plan with total space/bandwidth higher than our current consumption, so I was wondering how to use those servers to store the files on this shared drive.

Thanks!



DDM-2000

Anyone in here worked with this gear before? Had a chassis catch fire and having issues configuring the new one. Any help would be appreciated.



Wiring up a friend's small office. Preferences for CAT5e cable?

I'm threading 6 APs and maybe another 6 wall jacks over some drop ceiling and through hollow walls. Nothing fancy, doesn't need to be plenum rated.

Anyone have cable they like that isn't super crappy and hard to work with? Preferably on Amazon, although I could deal with Anixter if I have to.

It's hard to buy this kind of stuff without being able to squeeze it in person and know if I'm going to be swearing all afternoon or if the pairs will fall into the end with me barely glancing at them.

Stealth Edit Yes I know CAT6a, but they will not use more than gbit in their time in this office and I don't feel like dealing with the pain in the ass of jacketing and the divider.

And yeah, no CCA of course.



[Educational] IPv6 from an IPv4 User's Perspective

I'm new to IPv6 and have been using IPv4 for a while now, and I am rather comfortable with it. As a result, I have quite a few questions to ask.

First of all, I know that it is not uncommon to be assigned a /64 block from an ISP rather than a /48 block. The /48 block clearly has the 4th block of nibbles open for subnetting, however this obviously isn't available in a /64 block. How can we split a /64 block (or smaller like a /68 etc) into subnets?

When I set up a Hurricane Electric IPv6 tunnel (as my ISP is IPv4 only) and configured an AirPort base station to use the IPv6 tunnel, I got the equivalent of being on a dual-stack network. I have used this network for a little while now to try and work out IPv6, however I see some confusing things:

  • The default route for IPv6 is within my own /64 block and ends in ::1 (so it is 2001:XXXX:XXXX:XXXX::1). The WAN address simply states my block and ends in ::. If the WAN address is not ::1 then the default route must be another device. Does this mean Hurricane Electric (or any Tunnel provider for that matter) use one address, specifically ::1, from your block for something? I'm not quite understanding what, but I certainly know that the ::1 global unicast address is NOT my AirPort base station, as I can ping it successfully from an external network with the base station disconnected. I assume Default Route to be like IPv4's Default Gateway, but I don't understand why that would be within my own block...
  • Each device gets its own link local address in the FE80:: range, and I assume this would be the equivalent of a 10.x.x.x or 192.168.x.x address in IPv4, and it cannot under any circumstances be externally routed, however devices usually also get two IPv6 addresses within the assigned /64 block. I cannot ping these addresses and get a response on anything other than the local network, so I assume these addresses are used for outgoing connections only, and I also assume that rather than the connections originating from the router's IPv6 address (as would be the case with NAT in IPv4) it will actually originate from the devices own IPv6 address it has self assigned from the /64 block. Are these assumptions correct?
  • How is the WAN address my /64 block with just :: on the end, making it 2001:XXXX:XXXX:XXXX::? is 2001:XXXX:XXXX:XXXX::0:0:0 a valid address on its own, considering I can ping it and get a response, and stop getting responses when I disconnect my base station? I question flat 0's being a valid address as 192.168.0.0 is not a valid address, but a network identifier in IPv4.
  • Can I prevent devices on a network from self-assigning themselves both global unicast and link local addresses? I would preferably like to be able to statically give out FE80:: and 2001:: addresses by myself to devices, or even have them given out in the way I want by a DHCPv6 server (though I have not yet found any implementation on this)
  • I can tell it would be largely frowned upon, but would it be possible to set up one main router which gives out IPv6 addresses in my /64 block to other routers, then these routers use NAT to provide link-local only addresses to connected devices, and would the same thing be achievable but with the second routers receiving an IPv6 address and then using NAT to provide an IPv4 network to connected devices?
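The first and third questions above (splitting a /64, and whether an address ending in :: is valid) can be checked offline with Python's standard `ipaddress` module. This is an added example, not part of the original post; the 2001:db8::/32 prefixes are constructed documentation values standing in for the poster's real allocation, and the function names are mine.

```python
"""Added example: splitting IPv6 prefixes and classifying addresses within them.

Assumptions: 2001:db8:1::/48 and 2001:db8:1:2::/64 are constructed sample
prefixes (RFC 3849 documentation space), not a real tunnel allocation.
"""
import ipaddress
from typing import List, Optional


def split_prefix(prefix: str, new_len: int) -> List[str]:
    """Return every subnet of `prefix` that has prefix length `new_len`.

    A /48 leaves the fourth 16-bit group free, giving 65536 /64s. A /64 can
    still be cut into /68s, /72s and so on, but hosts on a prefix longer than
    /64 cannot form addresses with SLAAC (RFC 4862 assumes a 64-bit interface
    identifier), so such subnets need DHCPv6 or static addressing.
    """
    net = ipaddress.IPv6Network(prefix)
    if new_len < net.prefixlen:
        raise ValueError(f"new length {new_len} is shorter than the parent /{net.prefixlen}")
    return [str(s) for s in net.subnets(new_prefix=new_len)]


def locate(address: str, prefix: str, new_len: int) -> Optional[str]:
    """Return the /new_len subnet of `prefix` containing `address`, or None if
    the address is not inside `prefix` at all. Computed directly from the bits
    rather than by walking every subnet, so a /48 split into /64s is instant."""
    parent = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(address)
    if addr not in parent:
        return None
    # strict=False masks the host bits off, giving the enclosing subnet.
    return str(ipaddress.IPv6Network(f"{addr}/{new_len}", strict=False))


def describe_address(address: str, prefix: str) -> str:
    """Classify an address relative to an assigned prefix.

    Unlike IPv4, IPv6 has no broadcast address, and the all-zero interface
    identifier (the "::" address of a prefix) is the subnet-router anycast
    address (RFC 4291 section 2.6.1): it is a legitimate address that routers
    on the link are expected to answer, which is why it can respond to ping.
    """
    addr = ipaddress.IPv6Address(address)
    net = ipaddress.IPv6Network(prefix)
    if addr.is_link_local:  # fe80::/10, never routed off the link
        return "link-local"
    if addr not in net:
        return "outside prefix"
    if addr == net.network_address:
        return "subnet-router anycast (all-zero interface ID)"
    return "global unicast inside prefix"
```

Note that `locate` returns the enclosing subnet for any prefix length, not just the /68 case the post asks about.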


Tuesday, February 27, 2018

Ciena 6500 console cable

Does anyone know what type of cable I need to use for a ciena 6500? I’m trying to console in using a Cisco cable plugged into the craft port but I’m not getting anything back.

Any suggestions?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



How is it possible to have a box with an inet of 192.186.56.101 and another on 10.0.2.15?

On virtualbox I have a machine running metasploitable2 with an inet of 192.168.56.101 and I also have a kali machine with an inet of 10.0.2.15 on the same network, how is this possible?

Does having the metasploitable2 machine on a “host-only adapter” have something to do with this?



VOIP/SIP audio issues

Let me lay out our setup:

Comcast 1gig down, 40 meg up. Modem is technicolor CGA4131COM. We have 5 static IP addresses.

Next, physical firewall Sophos SG-125 UTM9. We Have about 20 tunnels to various facilities across the country.

  • eth0 External
  • eth1 internal 10.13.13.1/24
  • eth2 vlan 100 10.13.100.1/24

The phones are scattered throughout 100.1 and 13.1 which I know is far from ideal. These devices are also in bridge mode which is further from ideal.

Voip provider: Vonage, majority of the devices are T46S

We're having issues with call audio, and more specifically audio dropping. It's never a very long period when we lose audio, maybe a word or 2 from a sentence, at random intervals. Vonage doesn't have specific SIP servers per se, but rather DNS NAPTR for easy failover, I assume. Vonage uses ports 10000:30000 for RTP and 5060/5061 for SIP and SIP TLS, respectively. I have traffic on those ports allowed, any <-> any. Here's the testing I've tried so far.

  1. Bypass firewall, connect phone directly to modem. Issue still persists. It is worth noting that calls to/from external #'s are still experiencing call interruptions at random intervals.
  2. Brought IP phone home, tested call quality and everything was relatively flawless. No interruptions.

Comcast seems to think it's a Vonage issue, Vonage seems to think it's a Comcast issue. Comcast is sending out a tech tomorrow, but their initial findings suggest that nothing weird is going on.



startup-config file open failed (Not enough space)

Stack of four Catalyst 2960S switches on 15.0(2)SE6.

I made one change, issued wr me and then made another change, and attempted to write mem again. After the second change, I get the error:

startup-config file open failed (Not enough space) 

According to this forum post, fix is to change buffer size and reboot if nvram is not corrupt.

I have plenty of memory:

dir flash:
Directory of flash:/

    3  -rwx        3076   Feb 2 2018 11:59:02 -06:00  vlan.dat
    4  -rwx        4050   Jan 17 2018 12:06:38 -06:00  private-config.text
    5  -rwx    14562176   Jan 1 2015 13:28:19 -06:00  c2960s-universalk9-mz.150-2.SE6.bin
    8  -rwx        3096   Jan 17 2018 12:06:38 -06:00  multiple-fs
    6  -rwx       64869   Jan 17 2018 12:06:37 -06:00  config.text

57931776 bytes total (43171840 bytes free)

If I run 'sh startup-config' it just comes up blank.

How do I tell if nvram is corrupt? Would this indicate nvram on the stack master is corrupt, on a single other switch, or on all switches?

I can't just reboot the stack and have it come up corrupt and unable to boot, as this is a 24/7 medical facility.



Cisco WLC web-auth immediately timing out

I have an incident whereby users connecting to guest WiFi, authenticating via web-auth form, are receiving a message immediately after authorising stating that session has expired.

I'm supporting this remotely so it's not as straight forward as it could be. I have a colleague visiting the site tomorrow so will be able to get a better look at what's going on then.

Anyone seen similar happen before and can point me in the right direction?



Can you create a network address that redirects all traffic to a host that is up?

Realworld example here... mining cryptocurrency and there are six mining pools. They keep getting knocked offline by DDOS attacks. I want to make a network address that automatically redirects to any of the mining pool addresses that are still up.

Is there a simple way to do this?

I am running Tomato firmware on a WRT54GL for what it's worth.



Is there a Catalyst 9200 or similar coming? (2960s/2960X replacement?)

Hello /r/networking.

We are looking at replacing a bunch of old 2960s/2960X switches. We don't want to buy C3650s if they are immediately going to be superseded a few months from now by a new Cat 9000 series.

Has anyone heard anything yet about a lower-tier Catalyst 9000 model that is cheaper than the Cat9300?

Thanks.



Shielded patch cables in rack or just UTP?

There was discussion about cables recently in /r/homelab

And I was quite surprised when people claimed that even in data centers the use of just UTP in racks is common.

What's the opinion on this in here?

Is UTP really enough for anyone who is not next to some huge machinery that gives off interference?

What if the cables that are wired through offices and buildings are shielded cat6a, is it wise to go just utp cat6a in the rack?

What about PoE preference?



Devices still obtaining IP address after being filtered by MAC address

I am new to a network and we are currently waiting to move into a new building. However, before we do that we are in an older building with older infrastructure. We are running out of IPs, so I have decided to finally enforce a somewhat ignored policy of not connecting personal mobile devices to the network. I have gone through and started filtering any iPhone or Android devices I see connected by just adding them to the list of filtered MAC addresses. However, they still seem to be able to obtain an IP. Once they are connected to the network they can't actually access the internet or exchange data, but they are able to get an IP address. Any thoughts on why this is, or how to prevent them from even being able to get an IP address? Right now I am filtering them on the router (TL-ER6020).



Random device added to my network?

I have the XFi app and I have an 18 character password for my wifi network consisting of random numbers, letters and characters.

Last night, at around 12:30 am, I got a notification on my phone that said a new device was added to my network. The name of the device was epigram-502a.

I actually searched for this and there was a post back in 2004 about a guy who noticed his d-link router changed names and MAC address. I also did a lookup on the mac listed but it just shows up as epigram inc., which oddly was bought out in 2002 roughly by broadcom if I recall...so that makes no sense.

Has anyone ever seen this before? Can't you look up what TYPE of device it is by the last half of the MAC?

Any help would be appreciated. Thanks.



What would you consider the peak of the network engineering field

I find that a lot of network engineering jobs out there are just jobs that want you to babysit their network. With that comes a salary cap, as network engineers are nothing more than operational expenses to businesses and they don't want to spend more on their operations than they have to.

Just wondering, career wise, what you guys consider as a peak in the network engineering field? Is it an architect? Consultant? SE?



Netgear's ProSafe Firewall EOS/EOL?

I was happening to look last week on CDW's price lists for Netgear firewalls to no avail. Checked Netgear's enterprise page and it said they stopped selling the firewalls last September, there is no reason, and no replacement; and if you're looking for VPN software you're SOL. Apparently the last patch to the most recent line ProSafe F/Ws was in April of last year. I kinda liked Netgear's because it was not too technical and overwhelming, and I've always avoided Cisco/IOS, and the other guys are ransomware (if you don't pay to play-attitude)

What was the reasoning? They apparently had no explanation. What would be a nice migration path to something other than a ProSafe in the next year or two?



BLF randomly stops working, SIP 7861 phones, CME

Hi All,

I was hoping somebody else out there may have experienced the following issue.

I have 18 SIP 7861 SIP phones setup with BLF speed dials. For some reason, the BLF status lights will start reporting wrong information. The speed dials will continue to work but the lights will essentially be out of sync.

If the handsets are reset, BLF status begins reporting correctly again; however, it stops working about a day or so later.

I have tried updating the phone firmware to a known stable version, and I have uploaded a special IOS version provided by TAC. I have made sure the presence subscriptions are not oversubscribed. However, the issue begins to occur. I do have a case open with TAC and it's been open for going on 6 months now, but I just wanted to reach out in case somebody else happened to have suffered from the same issue and knew a fix that I have not yet tried.

Phones are running the following firmware - sip78xx.11-5-1-18

Cisco 2901 CME is running c2900-universalk9-mz.SSA.test image provided by Cisco.

Appreciate any help.

Thanks



What are the differences between domain GPO and organizational unit GPO?

Also, if both have policies in place, which will take precedence?



Console cable causing cisco switch to reboot?

Anyone heard of this or know what could be causing it? Two different console cables, two different 2960's and one 3750. I connect the laptop (windows 10 and putty) via usb console cable. I see standard switch text prompt from the terminal windows and everything is fine until I start to type text, spacebar, or enter and then the switch reboots. I can remotely login fine. Any tips on troubleshooting or know what could be causing it?



tunnel vrf analog in JunOS?

I would like to deploy ADVPN on Juniper SRX, but I am interested in whether it is possible to configure something similar to Cisco's tunnel vrf on the tunnel interface while the interface itself remains in the GRT. For example, st.0 in inet.0 (but tunnel routing-instance ISP1).

If someone has AD VPN in the production, what are your impressions?



Sizing a pair of Cisco routers for BGP, multi-homing, and full tables

We're all Cisco guys, in an all Cisco shop, so I'm not looking for anything else. I've got some ideas, but I'm looking for more! Looking for resources/recommendations for sizing a pair of BGP multi-homing routers that can pull full IPv4/IPv6 tables.

We currently have 6 ISPs, with about 800Mbps/800Mbps; I'll need something that can handle at least twice as much bandwidth. I'll need something that can pull full IPv4/IPv6 tables, as we do some BGP software routing enhancements. I'll want it to store over a million routes, so I don't have to replace it soon. These will be set up as a pair in two data centers in the same building.

We run a lot of used gear at my shop, so the 1k with upgraded memory is the current front runner due to cost effectiveness. I was hoping I could find a decent price on a used 1002HX, but I'm fairly new to this 'market' so I still need to do my own due diligence researching that arena..

Any recommendations or recommended resources are very much appreciated!



Monday, February 26, 2018

Data driven world and networking

Hi Redditors!

I'm (yet again) wondering a lot of things related to how our professional world currently works...

I've been reading a lot lately about "data driven companies", as in companies that use data to make decisions, but not in the regular sense (consultant reports of stats, or department reports on effectiveness); basically the approach is to process huge amounts of data (big data) via machine learning algorithms, to make smarter predictions or to "let the data and algorithms make such decisions for us".

See for instance Telefonica Group (major european and latin american telco) releasing "Aurora" to integrate every layer of this company by means of data. I'm not a data scientist, but I do find all of this fascinating (and quite complicated to be honest).

Now in networking we do use data to make decisions, information about traffic stats, peaks, CPU, type of traffic, complaints, etc. Drive us to make decisions about the future and about what may be wrong and what may be ok, but this is all "a manual approach". So I want us to focus on the "automated" part of this, using algorithms to solve problems.

Is anyone working (or has anyone worked) on a networking project related to big data or data science? Or has anyone integrated this kind of approach into networking to come up with neat ways to solve problems? If so, could you share what you're doing? What's the purpose, the approach, what were you trying to solve exactly? I'm trying to get ideas on this.

What are your opinions on this field and networking? I once attended a conference where one of the persons who talked, said they were using big data and machine learning to predict failures, they basically parsed all the logs of all the equipment they had and trained the system based on previous problems, seems the system managed to predict with a high amount of confidence when a network outage was about to happen and where. I personally think this will potentially make our lives easier (and harder with all the new required skill set just to get in).



Question Static routes and VLANs on Nortel 5520 / 10 Stack

Alright, pretty much a network newb. Really need to know how to just setup a vlan with an IP and a static route for our DHCP / DNS servers on these devices. (Nortel 5510 & Nortel 5520 acting as a core router.)

I have made my vlans and added the route but traffic is not getting through to DNS / DHCP servers, while I can PING IP addresses. So I am guessing my route is not working. I thought at first AT&T may have misconfigured their firewall interface IP which would be why I couldn't see or ping it.

My core router IP:

10.188.16.1

My VLAN IP:

172.30.188.11 (As per documentation to do so)

DNS / DHCP :

10.253.188.10

10.253.188.12

The route I am supposed to create is supposed to point to an interface on an AT&T managed firewall.

10.253.188.0/24 -> next hop 172.30.188.1

Here is what my interface for the connection to the firewall from my switch stack / router looks like:

Unit/Port: 4/13
Trunk:
Admin Status: Enable
Oper Status: Down
EAP Oper Status: Up
VLACP Oper Status: Down
STP Oper Status: Forwarding
Link: Down
LinkTrap: Enabled
Link Autonegotiation: Enabled
Energy Saver: Disabled
Energy Saver Oper Status: No Power Saving
BPDU-guard (BPDU Filtering): Disabled
BPDU-guard (BPDU Filtering) Oper Status: N/A
SLPP-guard: Disabled
SLPP-guard Oper Status: N/A

**VLAN interfaces configuration**
          Filter   Filter
          Untagged Unregistered
Unit/Port Frames   Frames       PVID PRI Tagging       Name
--------- -------- ------------ ---- --- ------------- --------------
4/13      No       Yes          1    0   UntagAll      Unit 4,Port 13

**VLAN ID port member configuration**
Unit/Port VLAN VLAN Name        VLAN VLAN Name        VLAN VLAN Name
--------- ---- ---------------- ---- ---------------- ---- ----------------
4/13      1    default          96   DMZ-Traffic
--------- ---- ---------------- ---- ---------------- ---- ----------------

*****Spanning-tree port configurations*****
Unit Port Trunk Participation   Priority Path Cost State
---- ---- ----- --------------- -------- --------- ----------
4    13         Normal Learning 128      1         Forwarding

And here is the output from a few common commands:

ROUTER#show vlan ip
==============================================================================
Vid  ifIndex Address        Mask            MacAddress        Offset Routing
==============================================================================
Primary Interfaces
------------------------------------------------------------------------------
1    10001   10.188.16.1    255.255.240.0   00:1A:8F:69:B4:40 1      Enabled
96   10096   172.30.188.11  255.255.255.0   00:1A:8F:69:B4:42 3      Enabled

Total VLAN IP entries: 2

ROUTER#show ip route static
===============================================================================
                               Ip Static Route
===============================================================================
DEST          MASK            NEXT           COST PREF LCNHOP STATUS ENABLE
-------------------------------------------------------------------------------
0.0.0.0       0.0.0.0         10.188.16.5    1    5    TRUE   ACTIVE TRUE
10.253.188.0  255.255.255.0   172.30.188.1   1    5    FALSE  INACTV TRUE

All I did was create my vlan, assign it an IP address, enable routing on it, (routing is obviously enabled globally), and then created a static route for DNS /DHCP traffic. But when plugging it into the Checkpoint Firewall by AT&T it is a no go. These switches are fairly old and will be upgraded soon but if I could just get this working for now I would be happy. Thanks to anyone who tries to help.



Single port on switch limiting bandwidth

I have a Brocade ICX 6450-48P (fw 08030n) that is giving me indigestion, and I'm apparently too dumb to figure out why. It has a single port that is limiting throughput for some reason.

Port# 11 is the offending port, and Port# 10 is my test port that is working perfectly. Here is their config:

interface ethernet 3/1/10
 dual-mode 40
 inline power power-by-class 3
!
interface ethernet 3/1/11
 dual-mode 40
 inline power power-by-class 3

As you can see not much is going on. They are access ports on vlan 40 and trunked on vlan 41 for our VoIP phones, with PoE enabled. When connected to each of them they negotiate 1Gbps full duplex, but port#11 doesn't actually deliver that.

I used iperf to test both ports and they were completely identical in packet loss and bandwidth, but that might just be because I'm not using it properly. When I try a real-world test like pulling a large file down from our server, port# 10 gives me full gigabit and port# 11 maxes out at around 100mbit. On speedtest.net, port# 10 gets our full 100/100 down/up, and port# 11 gets like 60/5.

Is there anything else that could cause this on the switch itself other than a physical issue with the port itself? I'm afraid this might be another inexplicable Brocade problem, which I've run into more times than I care to count...



Dynamic Multipoint VPN Configuration Question

I have multiple tunnel NHS and use cluster and different priorities so my configuration on the spokes can be seen below

ip nhrp nhs [hub-tunnel-ip-address] nbma [hub-wan-ip] multicast priority XXX

The problem is I accidentally left off the "multicast" part of the command; it was accepted by Cisco and seemed OK. The only problem is that OSPF would flap at the Hub/NHS router. I have been looking for any documentation on what the difference is between the command with and without "multicast".

Does anyone use this type of config without the multicast set?



Weird TCP behavior after upgrading to a TZ300 from an old 891-W

Hello all. Recently I tried to replace a Cisco 891-W with a SonicWALL TZ300-W. Nearly everything is working great, sans one function. My client is a small financial organization that has to connect to another's green screen mainframe via terminal emulator. There is no site-to-site tunnel, but instead, they are simply doing an IP based ACL. The TZ300 has the same external IP as the 891-W did, but the terminal emulators cannot connect. Here are the details:

• There is an any-any between the LAN zone and the WAN host for the mainframes so no access rules are blocking it. In fact there are no rules on egress or ingress that are blocking any packet flow whatsoever between both sides.

• I switched the TZ300 to SPI, but no changes.

• I ran a packet capture. I'm not very well versed in packet analysis, but looking at it shows me the TCP session was flagged with 0x014. However, I'm not sure what to do with this information. Some insight here would be helpful.

• I did a TCP traceroute from the PC running the terminal emulator to confirm the routing path, and I noticed something weird. On the 891-W, the 1st hop is the 891-W's local IP, then directly to the green screen. On the TZ300, however, the route is a standard set of ISP hops before ultimately timing out past the 4th hop. I have the running config of the 891-W. I'm guessing there's some kind of policy based routing, but all I'm seeing is the following custom NAT rule:

route-map toNAT permit 10
match ip address 189
set ip next-hop 172.16.1.2

This route-map is assigned to the interface providing the uplink to the router (IPs and hashes changed/deleted for privacy):

interface FastEthernet8
description placeholder
ip address 216.292.144.210 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
ip policy route-map toNAT
duplex auto
speed auto
crypto map VPNmap

I'm looking at that and I see the match ip address 189 but I'm not sure what that means. There is an ACL labeled as 189:

access-list 189 permit ip 192.168.47.0 0.0.0.255 host 13.206.32.209

However, what's confusing me is how and why the policy would be routing to 172.16.x.x? AFAIK, this is a private IP subnet. I can provide the full running config, albeit censored, in a PM.

Thanks for any and all help! I'm mostly a systems guy, but I'm definitely taking this as a wake up call to get my knowledge base up to par with my higher levels of responsibility.
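The route-map and ACL quoted above can be evaluated offline to see exactly which flows "match ip address 189" selects and what next hop they get. This is an added example, not part of the original post or the router's own logic; it uses the ACL, next hop and addresses as the poster printed them (the poster notes the IPs were changed), and the function names are mine.

```python
"""Added example: reproducing the 891-W policy-routing decision for a flow.

Assumptions: ACL 189 and route-map toNAT are exactly as quoted in the post;
the helper names (wildcard_match, acl_permits, pbr_next_hop) are mine.
Note that `ip policy route-map` on IOS evaluates packets *received* on the
interface it is applied to, so where Fa8 sits in the path matters.
"""
import ipaddress
from typing import List, Optional, Tuple

# access-list 189 permit ip 192.168.47.0 0.0.0.255 host 13.206.32.209
# Entries are (action, src_base, src_wildcard, dst_base, dst_wildcard).
# "host X" is shorthand for "X 0.0.0.0" (every bit must match).
AclEntry = Tuple[str, str, str, str, str]
ACL_189: List[AclEntry] = [
    ("permit", "192.168.47.0", "0.0.0.255", "13.206.32.209", "0.0.0.0"),
]

# route-map toNAT permit 10 / match ip address 189 / set ip next-hop 172.16.1.2
# Entries are (action, acl, next_hop).
ROUTE_MAP_TONAT = [("permit", ACL_189, "172.16.1.2")]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match the base,
    a 1 bit is ignored. 0.0.0.255 therefore means "any host in the /24"."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(acl: List[AclEntry], src: str, dst: str) -> bool:
    """First-match evaluation with the implicit deny every IOS ACL ends with."""
    for action, sbase, swild, dbase, dwild in acl:
        if wildcard_match(src, sbase, swild) and wildcard_match(dst, dbase, dwild):
            return action == "permit"
    return False


def pbr_next_hop(src: str, dst: str) -> Optional[str]:
    """Return the next hop the route-map sets for this flow, or None when the
    packet falls through to the normal routing table."""
    for action, acl, next_hop in ROUTE_MAP_TONAT:
        if acl_permits(acl, src, dst):
            # A "permit" clause applies its set actions; a "deny" clause would
            # exempt the flow from policy routing instead.
            return next_hop if action == "permit" else None
    return None


if __name__ == "__main__":
    for src, dst in [("192.168.47.10", "13.206.32.209"),   # LAN -> mainframe
                     ("192.168.47.10", "198.51.100.7"),    # LAN -> other host
                     ("192.168.46.10", "13.206.32.209")]:  # other subnet -> mainframe
        print(f"{src} -> {dst}: next hop {pbr_next_hop(src, dst)}")
```

Only traffic from 192.168.47.0/24 to the single mainframe address is steered to 172.16.1.2; everything else uses the routing table, which is the behaviour the TZ300 would need to replicate.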