Sup yall!
I was recently blessed with a job as an IT at a school. so far its all been pretty easy but i need some help understanding Port Forwarding. The A/C System at the school i work at is one of those systems which run over the network and controlled over a touch screen panel. The principal of the place would like to have access to the A/C from outside the building (from her phone/pc). How could i configure this?
Very sorry if this is a noob question.
a) Do I understand this industry? If not, please give up. If you venture into an industry that you don't understand, you must take a lot of detours. It’s not that someone else says it’s good for you.
b) Do I love this industry? If not, please give up. Only by loving your own work will you bring more passion and will spontaneously stimulate your potential. Every time I look at ICS's Faking It(a file that trains a completely unrelated industry into a master in 4 weeks, let the industry's masters find Faker's programs from 3 professionals and 1 Faker, such as cleaning The work became a 16-person sailing captain, a punk singer became a classical music conductor, a classical cellist became a House DJ, etc.), basically every teacher would warn that he would love this job, only love, you will be in 4 weeks. I grasp the things that I don’t understand at all through the stimulation of my potential.
c) Will I do it as a lifelong industry? (At least 10 years) If not, please give up, the long-term planning of any industry is very important.
d) Is it the first purpose of making money in this industry? If yes, please give up because there are many ways to make money.
e) Will I enter the industry with a belief in starting from scratch? If not, please give up. Even if you are a prestigious undergraduate, masters or doctoral degree, you may still be a professional counterpart. There will be a completely different concept when you enter society.
At last, you can take the exam by ccnp rs 300-115 dumps that will help you pass successfully. Another thing you have you pay attention about ccie rs preparation).
My dad recently purchased HughesNet for our new house and I was just wondering if I’ll be able to stream SlingTV and Netflix. From the reviews I’ve seen things aren’t looking too good...
Has anyone ever had this happen? I upgraded a stack of WS-C2960S-48FPS-L from 12.2(55)SE5 to 15.0(2)SE12 (Cisco's recommended version) and it broke the stack. Both stacking ports on bothe switches showed Down/Down. I swapped out the cables and reseated the stacking modules and they still wouldn't stack. I reverted to the old IOS and they immediately stacked with each other again. It's as if the new IOS broke the ability to stack. I would like to have this stack on a newer IOS but I can't justify losing the ability to stack.
Issue: during the day, suddenly all field offices lost connection to site A. Traceroute showed the following loop:
What broke the loop: removed EIGRP redistribution into BGP.
Question: How did this just happen in the middle of the day? My thinking is that site A RTRs lost EIGRP routes to 10.1.0.0/16, then learned the route via BGP from B_RTR2. However, EIGRP neighbors between Site A RTRs and SWs was up the entire time.
Hello,
We have this 2960G switch that I am trying to get up and running, it's a gigabit switch with a weird config. It is a L3 switch, but is very different from many other L3 switches. I am creating several VLANS on this switch, I want ports 9-18 to be on one VLAN just to test. I assigned it the subnet 172.31.200.0/24. However, when trying to add a static route from this vlan doing this command:
ip route 172.31.200.0 255.255.255.0 10.0.0.1
The route doesn't show up in the routing table, and it inevitably fails to ping anything outside of that subnet. The default gateway on the switch is 10.0.0.1, which is the IP of the router interface connected on port 1. I figure it's doing this because it cannot reach 10.0.0.1 for whatever reason, not sure why.
I don't want to spend too much time on such an easy task. Assistance por favor
!
! Last configuration change at 00:27:21 UTC Mon Mar 1 1993 by admin
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 2960G
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$.ebn$VOBRwQlgDRCc.7HPnaBXW0
!
username admin privilege 15 secret 5 $1$9YUi$dUxXa7ncApMbI3uaHSr0y/
username root privilege 15 password 7 0519090035
username oswaldoadmin password 7 00071A1507544B
aaa new-model
!
!
aaa authentication login default group radius local
!
!
!
!
!
aaa session-id common
system mtu routing 1500
ip routing
ip dhcp excluded-address 10.0.1.0 10.0.1.150
ip dhcp excluded-address 10.0.1.251 10.0.1.255
!
!
no ip domain-lookup
ip name-server 8.8.8.8
ip name-server 4.2.2.2
ip name-server 10.0.0.1
!
!
crypto pki trustpoint TP-self-signed-3245150976
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3245150976
revocation-check none
rsakeypair TP-self-signed-3245150976
!
!
crypto pki certificate chain TP-self-signed-3245150976
certificate self-signed 01
3082023D 308201A6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33323435 31353039 3736301E 170D3933 30333031 30303032
31345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 32343531
35303937 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BF40 47F624CB 9B2F6CD7 9DFB2C6B 48AFB101 725B606B B18E24D4 8FD95BFA
DDC671F9 7182C0D0 1A1111D9 98919C1D 4307C30D 92194AE3 19D37499 6093E6E0
AD89CF58 6752896C AE666F92 4511D1A9 AD9E526A 6549A282 D383EC57 6C39B396
B084A048 B41B5BAE EDED07BA 6C5EA46B F926C713 7A0A4D2B BDE541BC 70628608
82DD0203 010001A3 65306330 0F060355 1D130101 FF040530 030101FF 30100603
551D1104 09300782 05323936 3047301F 0603551D 23041830 168014FA 2DA8651B
C53F740D 1756C12E 5D52DAE8 6324F530 1D060355 1D0E0416 0414FA2D A8651BC5
3F740D17 56C12E5D 52DAE863 24F5300D 06092A86 4886F70D 01010405 00038181
005B4C9F E13DE8AA A591B107 0F16CF35 3A1B9A8A A02DDC8E 8CD06942 EE733E07
50D06F61 13169941 D74FE56D 1C0D2093 A00BE1C6 A99E08B8 FB6D1A3A D02A5C37
6D539C38 6D99C1C7 5DFDEFD4 33A61158 FE27C9A9 817066FF D391B1D5 ED17333D
4B9224EB 269A6497 A43E3CCC B0BFE691 4383651D 11C2A2AE C16ABABA FF9BEDD2 E2
quit
!
!
!
spanning-tree mode pvst
spanning-tree portfast bpduguard default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
!
!
!
!
interface Loopback1
ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/1
switchport mode trunk
switchport port-security
ip dhcp snooping trust
!
interface GigabitEthernet0/2
switchport mode trunk
switchport port-security mac-address sticky
spanning-tree portfast
!
interface GigabitEthernet0/3
switchport mode trunk
!
interface GigabitEthernet0/4
switchport mode trunk
!
interface GigabitEthernet0/5
switchport mode trunk
!
interface GigabitEthernet0/6
switchport mode trunk
!
interface GigabitEthernet0/7
switchport mode trunk
shutdown
!
interface GigabitEthernet0/8
switchport mode trunk
!
interface GigabitEthernet0/9
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet0/10
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet0/11
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet0/12
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet0/13
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet0/14
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet0/15
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet0/16
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet0/17
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet0/18
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
switchport access vlan 999
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/25
switchport mode access
switchport port-security
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping trust
!
interface GigabitEthernet0/26
switchport mode access
switchport port-security
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/27
switchport mode access
switchport port-security
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/28
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/29
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/30
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/31
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/32
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/33
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/34
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/35
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/36
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/37
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/38
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/39
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/40
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/41
!
interface GigabitEthernet0/42
!
interface GigabitEthernet0/43
!
interface GigabitEthernet0/44
!
interface GigabitEthernet0/45
!
interface GigabitEthernet0/46
!
interface GigabitEthernet0/47
!
interface GigabitEthernet0/48
!
interface Vlan1
ip address 10.0.0.3 255.255.255.0
!
interface Vlan10
no ip address
!
interface Vlan99
no ip address
!
interface Vlan100
ip address 172.31.200.1 255.255.255.0
!
interface Vlan499
no ip address
!
interface Vlan999
description MAIN VLAN
ip address 10.0.1.1 255.255.255.0
!
interface Vlan1000
description ROUTER
no ip address
!
ip default-gateway 10.0.0.1
ip http server
ip http authentication local
ip http secure-server
ip route profile
ip route 172.31.200.0 255.255.255.0 10.0.0.1
ip route 172.31.200.0 255.255.255.0 Vlan1
logging esm config
radius-server host 10.0.0.254 test username ofernandez key 7 00071A1507544B
radius-server host 10.0.0.3
radius-server key 7 045802150C2E
!
radius server RADIUS
key 7 060506324F41
This is my first larger network I'm designing and I want to make sure that I am doing this right. Up until this point most of my experience has been with smaller networks where the customers were not as interested in budgeting for security. Because ideally my customer wants this to be under warranty for at least 3 years, I decided to go with Juniper over Ubiquiti for the switches. For the firewall we are going with Fortinet to stay under budget and to meet their requirements for UTM. As far as access points go I plan on going with Ubiquiti due to how easily they are managed. Some of my questions will be more Juniper related as I am cross posting to r/Juniper, however I figure some other people may have similar questions and it seems appropriate to post here as well.
As far as the network goes it is going to be fairly complex as far as inter-vlan routing goes, and due the budget the edge firewall will also handle internal security. Right now they only have around 10-15 core users, but over time this network may be expanded to provide internet access for up to 600 people. Thats why for now I think it makes sense to invest more into good switches and to have a solid backbone for future expansion. In the event it needs to be massively expanded it would be as simple as replacing the firewall and buying more access switches and access points. Do you think a FortiGate 80E would be a good choice if they only need 75Mb down and 10Mb up for their WAN connection? It would also help secure traffic going from internal corporate devices going to internal servers.
Some Juniper specific questions I have are on virtual chassis and connecting the two switches that will be in a virtual chassis to the core switch. I'm not sure if it would be a loop or if it would be possible for it to be considered part of a LAG. I know that it manages the two switches as one logical device, so I think it would be possible to set that up as a LAG. Here is an overview of the planned topology and how everything will be connected. I understand the copper SFP+ is not officially supported, but it will be needed to take advantage of existing infrastructure. For a setup like this would any of the switches need an Enhanced Feature License, or would it work with the base features?
For security features I planning on segmenting the network into different vlans and providing devices only access to what they need. All corporate devices will need to be authenticated against active directory with Radius, including wired devices. I'm wondering if it would be possible to set some sort of snmp trap that will detect if an unauthorized device tries to connect to a port?
I would really appreciate feedback on this and to get some additional ideas.
I have one house and two warehouses a few meters apart (different landline connections and different numbers )
Now I pay 3 different phone bills for my three different numbers.
But since I dont use the phones on the warehouses that much what I want to do is
Create an ISDN subscription on my house with 3 numbers (one main and the others as MSN ) and forward as VoIP over wifi the calls from the other two MSN numbers to the warehouses that I keep nearby my house.
Is it possible ?
What kind of gear do i need to accomplish that ?
Hi guys,
we are currently reviewing new switches, and are considering Mikrotik switches for the first time. Until now we are almost only using Cisco and some old 3Com gear.
How do Mikrotik-switches keep up with their cisco counterparts?
We are mainly looking to use them as access-switches, so how are the Mikrotik CRS328-24P-4S+RM vs Ciscos Catalyst 3650-24PD?
I am primarily looking for a comparison of features and handling of switchOS vs IOS. I don't think we need any L3 functionality, at least not for access level.
Please tell me if you need any additional info. Thanks for your help and happy holidays :)
Hey I am noticing an uptick in my home data usage over the course of 3 months, and would like to obtain data usage by MAC address or IP address over time to understand which device is the culprit. My router is the Asus RT-N66U and the monitoring features are only for real time, last 24hrs, and last 7 days (which only gives me total numbers). So far the only good option is the last 24hrs as I can see what network (wired, 2.4GHz, and 5GHz) is using data and by how much and it even integrates the data over the 24hrs which is nice, but i want to know more i want to know at least 7 days of data and by MAC address.
I have researched and found out that DD-WRT is a good firmware for my router that has some level of built in analytics, however this, to me, would be the last resort (I fear it may be my only option for now given all the research i have done) as i have to flash my router and to flash my router for just this feature is a bit much so far. I haven't decided how much i am willing to do to get this data.
I am currently under the microscope by AT&T in that they are threatning to charge me an additional $10 month per 50GB i go over. Right now this month i am at 1024 GB so far and counting as i have another 7 days left in my cycle.
TL;DR
Using too much data, any suggestions on software to monitor my data usage by MAC Address for my whole network? (Roku, Apple TV, phones, Sonos, etc.)
my Linux router has 1 nic (eth0) and it's running in 10.20.0.0/22 subnet. My home computer connected to it through ppp and sits in 192.168.192.0/24 subnet. After setting Linux router to net.ipv4.ip_forward=1 and setting route for 10.20.0.0/22 subnet on my home computer to 192.168.192.101 (Linux router IP on ppp interface), ping to any computer in 10.20.0.0/22 subnet works fine.
Problem accured when I added new vlan (200) on Linux router. I checked it's interface (eth0.200), routes, IP address that it get and sent ping to router located in 200 vlan(10.200.0.1) - everything works fine. But after adding route to 10.200.0.0/22 subnet on my home computer same way I did for 10.20.0.0/22, ping to 10.200.0.1 didn't work. After some research many suggest to switch rp_filter in kernel settings to 0 but it's already set to this value by default on Debian.
I have a suspicion that the problem lies in vlan tagging. eth0, ppp has untagged traffic while everything in eth.200 runs with 200 vlan tag.
Any suggestions what it could be?
I'm trying to troubleshoot some weird issues going on with our network and have been using MTR in part to try and see what's going on. I'm running MTR from my desktop to a server in the data center. My PC to the SVI on the Core router, then a fiber P2P interface to the DC Router, to the server within. MTR initially looks fine:
My traceroute [vUNKNOWN] my.pc (my.ip) 2018-12-22T11:51:03-0500 Keys: Help Display mode Restart statistics Order of fields quit Packets Pings Host Loss% Snt Last Avg Best Wrst StDev 1. (SVI) 0.0% 75 0.7 2.9 0.4 47.9 8.2 2. (DC P2P Int) 0.0% 74 0.5 2.2 0.4 89.0 10.5 3. (server) 0.0% 74 0.7 0.5 0.4 0.7 0.1
After a few more tries, the server shows up again just after the SVI:
My traceroute [vUNKNOWN] my.pc (my.ip) 2018-12-22T11:52:02-0500 Keys: Help Display mode Restart statistics Order of fields quit Packets Pings Host Loss% Snt Last Avg Best Wrst StDev 1. (SVI) 0.0% 132 0.4 4.6 0.4 86.9 12.7 (server) 2. (DC P2P Int) 0.0% 132 0.5 3.5 0.4 89.0 11.9 3. (server) 0.0% 132 0.5 0.5 0.4 0.7 0.1
And after a bit more, it shows up once more, after the P2P link again:
my.pc (my.ip) 2018-12-22T11:53:28-0500 Keys: Help Display mode Restart statistics Order of fields quit Packets Pings Host Loss% Snt Last Avg Best Wrst StDev 1. (SVI) 0.0% 217 0.6 6.4 0.4 192.1 20.8 (server) 2. (DC P2P Int) 0.0% 217 3.5 5.6 0.4 252.1 25.3 (server) 3. (server) 0.0% 217 0.6 0.5 0.4 0.7 0.1
It seems to be happening completely at random. There don't seem to be any OSPF updates between the Core and DC Router. It does the same thing doing a TCP MTR instead of ICMP.
Any thoughts or input are appreciated. I'm likely going to contact TAC soon to get additional help, but I wanted to see what everyone here thought as well.
Not sure if I should be posting this here but if not can you direct me the right way?
I am having an issue where if I connect a small PC or anything for that matter into a jack port directly I am able to get internet in a work small office. However, when I plug a small unmanaged desktop switch (Cisco) into the wall then plug my PC patch cable into the sdwitch I am unable to get internet. What is going on? It used to work fine and after we had to replace the rj45 jack it started to act up. Wiring is good obviously.
I swapped out the small desktop switch as well and no luck, patch cables changed etc no luck.
The drop runs back up to our server room to a patch panel then from there it runs over to a managed cisco switch.
Any tips? Thank you.
I was wondering, is there some special case where this weird RJ45 or rs233 serial port is needed for automation or something? Something that makes USB completely inappropriate?
I mean, even small budget processors come with integrated serial over usb interfaces these days. Why push users to buy converters when a simple usb cable should be enough?
Why is it that some websites, in my experience Facebook, still work if I don't / am unable to do the free WiFi sign in that many places use with their WiFi? Clearly something isn't being blocked properly but I don't know what.
So I got a lab setup in GNS3 to study. I have 10.0.2.250 as external vlan floating IP, .251 for bigip01 and .252 for bigip02. Bigip02 is active. I can ping from 10.0.1.111 which is in internal vlan to .251 and forwarding VS kicks in and ping works. However when ping from the 10.0.1.111 to .250 or .252 , VS not kick in. I tried with auto map on and off. I can ping internet etc.. with automap. But not the floating IP for external vlan or bigip02.
i run tcp dump.
Not working dump to 10.0.2.250
10.0.1.112 > 10.0.2.250: ICMP echo request, id 1995, seq 4, length 64 in slot1/tmm1 lis=
Working tcpdump to 10.0.2.251
10.0.2.251 > 10.0.1.111: ICMP echo reply, id 1985, seq 13, length 64 out slot1/tmm1 lis=/Common/default_gw
forwarding webserver setting
type: forwarding IP
source: 0.0.0.0/0
destination: 0.0.0.0/0
service port: all ports
protocol: all protocols
fastL4
SNAT: Tried auto map or none. Internet works eitherway.
Also I created another virtual server just to cover 2.250 floating IP or 2.252 floating IP and it works when this VS enabled. However, when I made the VS subnet /29 to cover both .250 and .252, it stops working again. It is really weird. I double checked webserver routing table which has only default gateway(bigip floating IP 10.0.1.250). I checked F5 routing table and virtual servers and did not find any other configuration interfering with it.
is this a bug or something wrong with my config? It is not a big deal for the purpose of the lab I am doing. But It is really bugging me.
My lab diagram here -> https://imgur.com/a/hnnPXyJ
I've been playing around with etherchannel from a Cisco 3925 router (IOS 15.7(3)M3) to a Cisco 2960X switch. Researching this, the docs say that the ISR routers only support raw etherchannel - no LACP or PaGP.
Ok, so I set up my port channels on each side and everything seems to work. I can pull either cable of the port channel and things go right on ticking.
The two oddities I've noticed:
When doing a "show ?" on the router, I see a "show pagp" option. That seems to run contrary to the docs specifically stating PaGP is not supported.
On the router, a "show etherchannel" shows zip, regardless of any options to the show etherchannel command. If I do "show etherchannel {whatever}" on the switch, I see the results I expect.
Is the "show pagp" command on the router just a vestigial bit in the IOS code from some other device?
Is the "show etherchannel" command just broken?
Relevant router config bits:
interface Port-channel1 description Uplink to switch no ip address interface GigabitEthernet0/0 no ip address duplex auto speed auto channel-group 1 interface GigabitEthernet0/1 no ip address duplex auto speed auto channel-group 1
Switch config
interface Port-channel1 description Router switchport mode trunk spanning-tree portfast interface GigabitEthernet1/0/20 switchport mode trunk spanning-tree portfast channel-group 1 mode on interface GigabitEthernet1/0/24 switchport mode trunk spanning-tree portfast channel-group 1 mode on
Hi all,
So, I have a EX2300 new switch stack (VC) that will be the new VoIP stack for our CA office; but, for setup, it is currently in our NJ office (where I am.) I programmed it up to support both data/voice traffic on two different VLANs, as I normally do (have done this before here in our NJ office with EX2200's) and, aside from some ELS syntax differences, it is about the same as I have done before. However, when I plugged in one of our VoIP phones, it lit up as it got PoE, but then refused to connect to our IP-PBX backend.
Not understanding why it did not work, I opened a case with JTAC, and we spent a bunch of time investigating things and trying some different config, all to no avail. But then, I thought to mention that as it is destined for our CA office, the voice VLAN there is a different number than the one in Princeton, and I had configured the voice VLAN using the CA number. As a test, we changed the voice VLAN number from the CA one (254) to the NJ one (50), and lo and behold, the phone connected!
Now, here's the thing -- the uplink port is configured on both sides as an access port (i.e., untagged), and not as a trunk. The Juniper VC stack is connected to an upstream Cisco Cat4500 system, thusly:
[ Cisco Cat 4510R+E ] (mode: access, VLAN: 50)------------[ IP-PBX ] | Gi2/44 (mode: access, VLAN: 50) | | ge-0/0/0 (mode: access, VLAN: 254) [ JNPR EX2300-48P VC ] | ge-0/0/46 (data VLAN: 2, voip VLAN: 254) | | LAN (voice) port [ IP phone ]
And the relevant Junos config was:
interfaces { interface-range phoneports { member-range ge-0/0/1 to ge-1/0/47; unit 0 { family ethernet-switching { interface-mode access; vlan { members blackhole; } } } } ge-0/0/0 { unit 0 { family ethernet-switching { interface-mode access; vlan { members ca-voip; } storm-control default; } } } [...] switch-options { voip { interface phoneports { vlan ca-voip; forwarding-class assured-forwarding; } } } vlans { [...] } blackhole { vlan-id 2; } ca-voip { vlan-id 254; } [...] } poe { interface all; }
And Cisco-side config:
! interface GigabitEthernet2/44 switchport access vlan 50 switchport mode access qos trust device cisco-phone service-policy input Phone-Ingress service-policy output Phone-Egress end !
And finally, the interface VLAN membership on the Juniper:
{master:0} l-wdennis@ca-voip-sw> show vlans Routing instance VLAN name Tag Interfaces [...] default-switch blackhole 2 [...] ge-0/0/46.0* [...] default-switch ca-voip 254 ge-0/0/0.0* [...] ge-0/0/46.0* [...] [...]
All we did to get the phones to work was to switch the vlan-id under ca-voip from "254" to "50".
Since the frames should be (are) untagged on the access link between the Cisco and the Juniper, why would a VLAN number disparity kibosh the phone voip connection the set to the IP-PBX from working?
(edit: formatting)
Hey guys, I have a case I am working with Cisco TAC on but just wanted to post it here as well in case anyone has come across this.
Topology:
Cisco SX20 <-----> Cat 9300 stack <--- trunked port-channel----> ISR 4331
Cat 9300 is running 16.6.4
ISR 4331 is running 15.5(3)S7b
Endpoint is marking video packets correctly as AF41, auto QoS is applied on the interface using "trust device cts" and "auto qos video cts".
Both physical interfaces on switch which are port-channeled to ISR are set for "auto qos trust dscp". All other parameters on physical interfaces match. Port-channel is up and all seems normal.
Packet capture taken outbound on both physical interfaces of the portchannel shows packets retaining their AF41 tag. Taking the packet capture from port-channel is not supported.
At the same time, a capture was taken ingress on the port-channel sub-interface showing packets are now marked CS4 instead of AF41. Neither the physical interface nor the sub-interface have any sort of policy-map, it's a very simple config.
15.5(3)S7b itself is not old but I know the 15.5 code train has a pretty bad reputation...........I can't find a documented bug though.
Thoughts?
EDIT: I do know the difference between TCP and UDP and that TCP requires some networking overhead. My question was: what's the difference between implementing reliability on the transport layer(using TCP) and using UDP and implementing reliability on the application layer(like Google Chrome does)?
Hi, Just want to ask if anyone encountered this issue when pinging using PW/end-to-end vc packet loss exist while using regular or mpls pings there's none?
Ex.
(ASR1000)R1 --------(hop1)---(hop2)---------R2(ASR1006)
Checked hop by hop from R1-R2/R2-R1 that there's no congestion or interface error/packet loss, router utilization is low (CPU/Mem).
Here's the output for reference:
R1#ping mpls pseudowire 2.2.2.2 20 repeat 100
.!...!!.!!!!!...!!.!!...!!!!.!
Success rate is 50 percent (50/100), round-trip min/avg/max = 140/146/224 ms
R2#ping mpls pseudowire 1.1.1.1 20 repeat 100
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 140/142/217 ms
Regular / MPLS Ping from R1:
R1#ping 63.218.188.7
!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 140/140/141 ms
R1#ping mpls ipv4 2.2.2.2/32 repeat 100
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 140/142/221 ms
In addition, tried pinging different router but same version as R2 but I'm seeing good results.
R1#ping mpls pseudowire 9.9.9.9 226 repeat 100
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 169/170/179 ms
Any idea what to check?
Thanks
Is there a way to set up a interface to send syslog messages anytime a specific UDP or TCP port is used? I need to monitor when and how often port 80 is used and am not sure what the best way to go about it would be.
Curious as to why this wouldn't work. Here is the design.
Cisco ASA with a trunk link to a layer 2 switch. That layer 2 switch has multiple routers and each router is in its own vlan. Each router is a connection point to a customer.
Running OSPF between the asa and each router allows the ASA to have multiple adj over a trunk link. So far so good and pretty standard.
The funkiness comes in when let's say there is a router with multiple SVIs. The ASA will ospf adj with one SVI but it will not form an adj with the other SVI. Can anyone figure out why this is an issue for the ASA?
Having an issue where users are unable to register soft phones when going through a palo alto firewall. Looking at a packet trace the packets from the soft phone are larger then 1500 when going towards the palo. What is weird is when we put a static route in that pushes traffic to ring central to go over the mpls cloud and out the DC internet the packets are under 1500??
Hey everyone,
I'd like to ask a very simple question because I couldn't find anything "recent" about it
So, I'm a cs student and enjoy coding a great deal (obligatory: no, this is not homework). I've been experiencing some latency issues lately and my ISP didn't help as they need to be called the exact moment said problems happen (late night usually, but the callcenter is closed then).
I've written a little piece of code that allows me to continuously ping 8.8.8.8 and saves a log in case of high latency
According to this topic it is not illegal but considering it's been two years, I'd like to ask the same question again
am I good to go? any risk?
note that I don't really need those informations, I'm mostly doing it for my personal enjoyment and practice (the ISP will look into the problem and hopefully fix it)
thanks in advance for your help
Basically my semester has recently ended and i have been meaning to build a career in networking. So whats books should i study or any particular certification i should be aiming for ?
Disclaimer: I'm not familiar at all with how IP addresses are managed.
It is my understanding that I can get IPv6 addresses fairly cheap, but what does this mean exactly? How would I be able to *obtain* an IP address? Would I need special networking equipment that only ISPs and server hosts typically have? Would my ISP (comcast home internet) restrict me from *obtaining* IP addresses?
My interest is in having access to a subnet of public external IPv6 addresses for a linux system I have, and I want to know if I can get addresses myself rather than renting a VPS with access to several IPv6 addresses.
I'm in the initial design of this WAN and am seeing some unexpected behavior. 3 sites which all have fortigate firewalls. All in the same as and setup with ADVPN over iBGP. Now each site also has an eBGP over mpls. I then have the mpls neighbor weighted higher than the ADVPN peer. I also have the allow-same-as-in set on the eBGP peer since the provider couldn't do the as-override like initially requested. Also set to 1 instead of the default 3.
When testing, if I shut the MPLS port everything fails correctly but after a few hours to a day I start to run into problems. It's like the MPLS maybe flaps for a second causing the route to failover and the other sites seem to bounce too and become very unstable.
The routes seem to stop propagating over eBGP and the only way to get it back stable is to turn down the iBGP and reset eBGP peer and wait.
Hey,
I'm having some trouble assigning RIP (version1) to these routers. I have done it with other files and that worked but I can't get it to work in this file. Here is a picture
What I thinks it should be is
router 1: 1.0 and 2.0
router2: 2.0, 3.0 and 4.0
router3: 6.0, 5.0 and 4.0
router4: 7.0 and 6.0
I'm sorry if this is the wrong subreddit to post this. If this is the case could someone guide me to the right subreddit,
Thanks for reading.
We currently have a Cisco 6509E that is not used for 2 years around because it was been replaced.
I plan to re-use it to replace two 3750 and a 3825 on a remote site. The 3825 manages the GRE tunel and the 3750 ACLs.
That said, it uses "ws-sup720-3b", they must therefore be replaced by 6800 6T, because we want to have long term support and the "ws-sup720-3b" is in "end of life".
In your opinion, is this a good choice, Or is it better to leave on new equipment like 3850 and ISR?
Quick scenario.
Let's say Alice uses a liveUSB on a computer inside of an office. Alice needs Bob to remotely control said computer while she steps out. The office network prevents outside connections unless initiated first from behind the firewall.
What command or script could Alice run from her live system so that it would connect to Bob's machine, then Bob uses this connection to control Alice's machine?
I'm a bit confused as to the relationship a Cisco AM or SE is supposed to have with an Enterprise client. I know they can be very valuable in dealing with TAC, but aside from that, what is their purpose? I mean, you probably are never going to be able to buy directly from Cisco, so what is their interest in dedicating account managers and sales engineers to you? Wouldn't it make more sense to influence things at the VAR level?
I posted in r/Cisco as well but thought I'd try here as well.
I have an old WS-C3560G-24PS. I have a 1Gb connection. On the local side of my firewall I'm getting 980Mbps. But through the switch I'm getting <650Mbps. Routing is not being used on the switch. I have 6 VLANs and a few trunks but nothing crazy. I'm curious if this type of configuration could cause some propagation delay like this? Could it be due to age of switch? Any suggestions are helpful.
I understand how you would naturally do a DMZ with physical separation with each server being physical but I need some help when VMware comes into play.
One of my questions is: Wouldn't VLAN's on the physical switch not make sense? The host that would be plugged into the DMZ VLAN would still have a mixture of internal and forward facing servers....
Hey,
I have 3 IP camera's connected to the ASA 5506-X. The problem is when they're connected to the firewall, the bandwidth gets throttled for cameras and its really choppy/slow but as soon as its connected to any other switch/device, they work perfectly fine.
The ASA is a flat network that only allows certain ports to be going from inside to outside and vice versa. One flat VLAN for now but theres nothing configured to thorttle and sort of bandwidth/shaping etc...
Hi All,
So I have a Management VLAN for all my network devices: 10.0.100.0/24
I have a L3 Core Switch doing all interVLAN routing: 10.0.100.254
I have a Firewall connected to the L3 Core Switch on the MGMT VLAN: 10.0.100.1
I also have another connection on the L3 Core Switch in a 10.0.200.0/30 Transit VLAN between the FW and Core. FW's IP is 10.0.200.1 and Core's IP is 10.0.200.2 in a /30 network.
Then I have a default route from Core to Firewall. (#ip route 0.0.0.0/0 10.0.200.1)
Now, I can either use the transit VLAN or the management VLAN to set the static route from the Core to the Firewall. What is the benefit of using the 10.0.200.0/30 network vs. the Management network for routing traffic via static default route? I really want to get rid of the transit network (10.0.200.0/30) and just route traffic over the MGMT link, but what is the security risk?
So I wanted to come over to the community, we have some clients that require a l2vpn, we use docsis, but the problem is that every time we test it they have frame loss on small frame sizes like 64, 128, 256 and 512 bytes, I have tried everything, even overprovision the modems speeds to allow for more overhead
Has anyone on the community had a similar issue?
Not sure if this is the most relevant sub but it was the best I could find. So I received my new phone, a Samsung Galaxy Note 9, a couple months ago. Not quite sure when the issue started, but basically when I'm on my home internet, certain things in apps take a VERY long time to load (or sometimes not at all). These things are Twitter videos/images (comments/text posts are fine), Yahoo Finance articles (the rest of the app is fine), The ESPN app home page (not any other page like "scores"), and the live chat in my 3rd party Twitch app, Pocket Plays (the actual live-stream loads fine). It's very specific elements that refuse to load. I have not encountered the issue when using a VPN, on other Wifi networks, or using my cellular data. If I use Chrome to open things it works fine, it only happens on certain elements of certain apps. I just use a VPN when reading through Twitter and such, but it's a pain in the ass. If someone knows what the issue is or how to solve it, PLEASE let me know! I can try return the favor however you'd like. I would really like this issue to be resolved.
Thank you so much, u/M3L0NM4N
Hey /r/networking
Today my boss asked what hardware wireless scanner I want to purchase so we can do heatmaps for wireless deployments.
I have quite a bit of experience with Wi-Fi deployments, but I want to know all the options out there at the various different price levels (cheap, mid-tier, and fancy).
My only requirements is it needs to work with Android/IOS and/or MacOS.
It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our member's new and shiny blog posts
Feel free to submit your blog post and as well a nice description to this thread.
Currently using Verizon and testing on USMobile for US coverage vs pricing. Our main goal is to provide internet access to our LED signs with or without a static depending if we can use a DDNS service.
Does anyone has any recommendation on which service providers are worth the money?
I have a really niche application that relies on broadcasts to work. However, I need to be able to use this PC-based application from a remote site on a cell connection. I've looked at both L2TPv3 and GRE over a VPN tunnel. Does anyone have any practical experience with something like this?
Hello Guys name is Jerry i've worked in IT for a little more than 4 years
Linkedin: www.linkedin.com/in/jerryleerico
Was wondering how I could transition from making 64K a year in the silicon valley as a Local IT Support to Network Engineer who makes over 100K a year. I do love networking and configuring routers and switches (Currently apart of the Cisco Network Academy) studying for my CCNA R&S.
I currently only have a Network+ that I just got 2 months ago. Really enjoyed the subject! so now i am working on the CCNA R&S.
A few questions that I had was.
1) What is the expected first job in networking
2) expected Pay for the first job (I live in the silicon Valley)
3) What should I expect in this new field in terms of Responsibilities?
4) Any tips to making the transition from 4 years IT Help Desk?
5) I worked at an MSP before and didn't like how none energetic/ helping the environment was. Also didn't like that what i was looking at in the office didn't really give me any idea what a networking engineers role was. I was only interfacing between Solarwinds/ConnectWise and a lot of the networking tools like NPM didn't make sense to me at first. How can I find a cool fun role where I can take on Support tickets and sustain a network? I am thinking like an environment like Blizzard. They have dedicated network staff. Any suggestions on how to land this type of job?
6) Any tips for a very social guy who like to work on networks but still pop my head out of my cubicle every once in a while in a BIG enterprise environment?
7) What certs are relevant to my current career I kinda described in question 6?
Anyways feel free to give me any feedback you have. I really appreciate your help!
I'm setting up an MPLS Backbone, where I've somewhat segregated the MPLS routers into their own Totally stubby OSPF area, just to keep things clean, as I didn't necessarily want to have all of my Area 0 routes getting labeled and distributed across this backbone, and I wanted to only advertise the entire MPLS backbone into Area 0 as a summary route.
The BGP Route Reflectors sit in Area 0. I am advertising Loopbacks on the MPLS Routers into Area 100, and because the area is Totally Stubby, we are receiving Area 0 summarized as a default route.
What's interesting, is that my BGP sessions will not even try to come up unless I create specific static route entries for them on the local router, despite being able to ping them because of the default route into Area 0. If I switch my area from Totally Stubby to just a regular Stub, this works as well.
My platform is Cisco IOS, not sure if this is a weird IOS thing or if iBGP really wants a more specific route than default in order to try to initiate a connection.
To make a long story short...I've set up a pair of ASAs (5516) for failover with 3 interfaces/IPs and I'm having a particularly odd issue:
Gi1/1 -- WAN interface (1.1.1.10/24) -- Security level 0
Gi1/2 -- Internal network A (10.1.0.10/24) -- Security level 100
Gi1/3 -- Internal network B (10.2.0.10/24) -- Security level 100
Gi1/4 -- Disabled
Gi1/5 -- Disabled
Gi1/6 -- Disabled
Gi1/7 -- Failover (stateful)
Gi1/8 -- Failover (status)
I'm able to get Gi1/1 and Gi1/2 both working flawlessly with very standard routes:
ip route 10.0.0.0/8 10.1.0.1 (metric 10)
ip route 172.16.0.0/12 10.1.0.1 (metric 10)
ip route 192.168.0.0/16 10.1.0.1 (metric 10)
ip route 0.0.0.0 0.0.0.0 1.1.1.1 (metric 100)
So, I'm just sending everything internal to the gateway for Gi1/2 and everything else going out to the internet via Gi1/1's gateway...but nothing can talk to Gi1/3 with this and that's a problem.
Put another way...10.3.0.100 can talk to 10.1 all day long but 10.2 traffic is broken (due to the static routes?).
I've created a workaround by sub-netting our 10.0.0.0/8 into multiple networks to isolate 10.2 on it's own (so I can add a machine to 10.2 for management/monitoring) but there has to be a better way (which allows 10.3 to talk to 10.1 as well as 10.2).
We don't have anybody specifically doing networking here and I'm just not familiar with ASAs so I'm sure there's a feature I need to go research/implement (my best guess is Bridging, Route Maps or Traffic Zones)...I'm just hoping to get someone to point me in the right direction
Thanks
Hi,
I don't know if it's the proper sub for this question, but I have a question about an idea of something I want to try.
First, we are a small business who do contract with other small business. In one of the product that we offer that's imply that we need to be able to use their application they use to manage their customer. It's normally an application installed on server on their network so to access the VPN connection we usually need a VPN connection.
We have around 150 different VPN connection and 200 if I count the client that we are not doing any business with them for now.
We have a call center where one or few agent connect with the VPN provided by a client so they can work in their application.
To manage these, all VPN connection are in our database and I have a powershell script that try to load the proper VPN with the information in the database. I can't always to do it that way so they have to connect manually and start the proper application after.
I don't have site to site VPN and it would be difficult to implement since a lot of customer have the same subnet.
One thing I was thinking was to try remove the VPN from their desktop and run multiple instance of a server like PFsense/Ubuntu Server to connect the VPN on it and provide another VM where the application is already loaded. The gateway of this VM will point to the other.
My biggest issue is the number of VPN client. I almost have all the one available on the market : - anyconnect - Cisco VPN(the legacy one) - OpenVPN based client(whatchguard, Sophos, etc) - Sonicwall - Barracuda - Shrewsoft VPN - Forticlient
Do you think it's something possible? My goal it's to remove that part from our call center because it's too complicated for them.
Contacting all client to ask for s2s VPN would be much time consuming since they are hard to reach(they usually do business with us because they are bad on service...). Plus some of them their network is managed by the software manufacturer. They would ask for an absurd amount of money.
To give more insight about what I want to do, some of agent have a VM on their desktop with VMware workstation. If I switch their network interface for NAT instead of bridge and the host have a VPN connected, all the traffic is now going through the VPN.
So I would to use this concept but instead of using VMware workstation I would use a Linux server and get them use this server as their gateway.
Hey folks,
Currently multihomed to two AS's (each with two connections) to my VRRP cluster. Trying to figure how to ensure my routed /22 gracefully switches between Master and Slave on my provider's network.
Currently, if I manually switch my VRRP-FW-1 to slave, my ISPA still forces traffic VRRP-FW-1's throat as that was the "chosen route" by my provider's upstream router. This means traffic exiting my VRRP-FW-2 get's dropped because VRRP-FW-1 doesn't recognize the connection. I understand I can modify my local pref using their chosen communities but how would I do that gracefully in the event my VRRP-FW-1 was no longer the master?
Any help is appreciated.
Hello all,
I'm trying to configure a Cisco ASA 5516 to replace an old Cisco 1841 router for a customer but I am having difficulty converting some of the NAT rules. Whoever put the config together appears to have put conditional NAT in place but I do not understand what is happening in the following example:
! ip nat inside source static tcp 10.0.0.227 443 <publicIP> 443 route-map SDM_RMAP_2 extendable ! route-map SDM_RMAP_2 permit 1 match ip address 111 ! access-list 111 remark CCP_ACL Category=2 access-list 111 deny ip host 10.0.0.231 192.168.0.64 0.0.0.63 access-list 111 permit tcp host 10.0.0.231 eq 443 any
From my understanding the NAT translation is only meant to take place if it meets the criteria of the route-map. However, the ACL contains an inside IP that is completely unrelated.
Any help would be appreciated. TIA!
Hi all,
I'm about to integrate HD 2000 sip phones & SecurPhone in our call manager. I'm aware that I need to insert their respective firmwares in CUCM, but when I downloaded them from the official website, I have a file with "rom" extension. usually, we need sbn files and the "loads" file so the phone can register with the CUCM.. have anyone of you guys succeeded in registering this type of phones in CUCM ? I didn't find any documentation for that particular purpose
Thanks in advance
During a late night troubleshooting session of an AT&T metro fiber circuit I entered the MPOE/DEMARC room to diagnose a cable segment and fiber switch port. The door was alarmed and the building owner (via super) is making a huge stink over it. It’s an externally accessed door, utility keyed, location of all fiber, POTS MPOE. Is it supposed to be alarmed? Is it legal to alarm it? There’s no access to other parts of the building interior from the MPOE room.
Am I the idiot or is the building owner overstepping?
Hi, Having drops on gold traffic even the GigE link is not congested(Outbound direction). Can you verify if my understating with the current configuration is correct.
OUTBOUND POLICY:
#sh policy-map pmap-name queuing
policy-map queuing
class class-default
service-policy cqueuing
shape average 300 mbps
!
####### CHILD
policy-map cqueuing
class gold
priority level 1
!
class control
bandwidth remaining percent 10
!
class silver1
bandwidth remaining percent 25
!
class silver2
bandwidth remaining percent 25
!
class bronze
bandwidth remaining percent 20
random-detect default
!
class class-default
bandwidth remaining percent 20
random-detect default
!
CMIIW, as per my understating.. BW command gurantee specific command during congestion while shape will provide/limit for all the time?
Thank you
Anyone know what I can do about this:
switch# install all nxos bootflash:///nxos.7.0.3.I7.5a.bin non-disruptive Installer will perform compatibility check first. Please wait. This(non-disruptive) option is not supported on Tahoe EOR.
Here's the installed modules:
switch# show module Mod Ports Module-Type Model Status --- ----- ------------------------------------- --------------------- --------- 1 52 48x10/25G + 4x40/100G Ethernet Module N9K-X97160YC-EX ok 2 52 48x10/25G + 4x40/100G Ethernet Module N9K-X97160YC-EX ok 22 0 4-slot Fabric Module N9K-C9504-FM-E ok 23 0 4-slot Fabric Module N9K-C9504-FM-E ok 24 0 4-slot Fabric Module N9K-C9504-FM-E ok 26 0 4-slot Fabric Module N9K-C9504-FM-E ok 27 0 Supervisor Module N9K-SUP-A+ active * 28 0 Supervisor Module N9K-SUP-A+ ha-standby 29 0 System Controller N9K-SC-A active 30 0 System Controller N9K-SC-A standby
Does anyone allow 911 calls from softphones? It's a bit of a nightmare to ensure it gets routed to the right PSAP with the correct address since the user could be anywhere.
The options are:
1) Allow the 911 call to go through. The address sent to the PSAP will be wrong if the user is remote or roaming. The PSAP the 911 call gets routed to could be wrong too.
2) Block the 911 call after playing a message notifying the user to call from a non-softphone.
3) Play a message warning the user of the dangers of the 911 call from a softphone, and then let the 911 call proceed.
What do you guys typically do?
Currently working on a several uncompleted tasks by a previous employee. One of them being to re-establish external SSL VPN connectivity. Is it possible to add a user from the local ASA user group to the ASA VPN Tunnel Group to test authentication? I'm thinking this will allow me to step through things while trying to understand the flow of traffic.
Hey all,
I'm a research specialist and technical writer, tasked at the end of this year to focus in on blogs targeting backup software and network technology. To name a few, my company wants me to focus on network topology, network bandwidth, and network monitoring. (I should note, the pieces I write are aimed more towards those with zero-to-moderate knowledge of networking.)
What I'd like to know is: Within those topics, what kinds of information would you find most relevant or interesting to read, OR what do you think those new to the field should know?
Reading pieces that you don't like sucks, for sure, but it also sucks writing content that you know people don't care about. I'm looking for topics that you all would care to read or might be beneficial for those entering/slightly into the field.
I understand if this gets taken down - I don't think this violates any of the subreddit rules? Unless, of course, the mods rule trying to create helpful networking content as a "low quality post".
Anyhow, cheers y'all, and thank you for your help!
Hey,
So basically the ASA 5512-X is handling traffic from the inside to the outside and the SG300 is doing routing between the VLANs
But the ASA 5512-X is also routing our VLANs to our DHCP server, is this something the SG300 is supposed to be doing our is it fine for the ASA 5512-X to be doing this?
Reason I ask is because I read its best practice to have the firewall do no internal routing and to strictly keep it as a "firewall"
So this is how it would work if I created a new VLAN
Create DHCP Scope on Win DHCP Server
Create VLAN in SG300
Apply any ACL between the new VLAN and other in SG300
Route the new VLAN in ASA 5512-X to the switch EG (route inside 172.25.30.0 255.255.255.0 10.230.1.254)
Nat the new VLAN so that it can access the internet on the 5512-X
Does there exist any tool that we could have a user run to help us figure out why they can't connect to VPN? At this point I don't care if it's free or not because helping someone on the other side of the world without any computer skills is a nightmare.
We use AnyConnect, and I know there is DART. Maybe I don't have the right decoder ring to browse all those files, or am I just supposed to send that to TAC and have them do it?
I feel like a tool that can test MTU settings, poke at UDP ports to see if they work, and sending a string of information to make sure it wasn't messed with in transit would at least confirm that a VPN connection is possible or where the issue.
I don't work at an ISP. But I am a graduate looking for work.
Anyway I'd be really wary to work at the ISP that is also my provider, and one of the most popular ones in the country. On one hand what a great career opportunity.
On the other hand someone gets nosy for what ever reason whatsoever, or you piss someone off, I mean anything really, bam your life is at their fingertips.
Honestly no matter what I'd be too paranoid to work at my provider, but I'd love some input in to this. I mean reassurances it'll never happen is common but you never know right?
So, vendor branded optics. I can't get away from them. You see, we are bound by law to follow very specific procurement procedures. And buying from fs.com is not permitted. We must buy TAA compliant products, and Chinese products are not TAA compliant. (don't ask about the huge number of things we have that say 'made in China'....)
I have a theory (conspiracy theory?) that despite the requirements set forth by the TAA, the optics are built in China, right next to the non-TAA optics, shipped to a TAA company country, where they slap on a sticker, and call it TAA compliant.
Question: Does anyone have first-hand (or second-hand) knowledge on the optic assembly/production process, or know a vendor that sells cheap TAA compliant optics?
I'm starting a job at a small company in a few months (20 staff, one site) and will be responsible for their network setup, which is currently an expensive Windows AD setup by a third party that they're not happy with.
The company wants to move to a fully Linux based network. I've got experience with Linux as a webserver, and basic Windows networking administration, but no significant Linux networking experience.
I've not painted myself as having more experience than I have, but I'll need to learn and setup a Linux office network - I'm looking for some advice on design/best practise and learning, or some resources to go to. There are a lot of tutorials on the internet, but I'm trying to find something more comprehensive. A lot of books seem to be very old and I'm wondering whether they're relevant at all.
From some helpful forums, chat with a couple of friends, and a LOT of test VMs on my home machine, I've mapped the required services into:
Internal Servers (including the DNS and DHCP servers themselves, logging, Puppet, etc.) [10.0.x.x]
Desktops and Laptops, and Authenticated Wireless [10.1.x.x]
Unauthenticated Wireless (guest internet access only, nothing else) [10.255.x.x]
The first two subnets need to talk to each other, of course, the last one needs to be segregated. I'm not quite sure if the Authenticated Wireless needs to be a separate subnet. Of course, I'm anticipating all servers as being virtualised on KVM or similar - for now I'm using VirtualBox for my test networks.
So a few questions:
Are there any things I can do to make this setup better, more secure, or easier to use?
I think I should be setting up all servers via host{} reservations, and all client machines via DHCP, are there any exceptions? I'm thinking the only machines not using DHCP should be the router, VMMs and the DHCP server(s) themselves.
I'm a little confused as to HOW to split out the scopes in such a way that the first two can talk to each other, but the unauthenticated one can't. I think I should be using a shared-network{} directive with two scope{}s inside it, but do I need to change the subnet masks?
Do I need a separate firewall or should the router act as the firewall (assuming it has the functionality)?
My router IP is 10.0.0.1, and the primary DHCP server is 10.0.1.1. What IP address should I use as the "router" and "broadcast address"?
Does the DHCP server need multiple NICs?
Any recommendations on good current books and reference documents for this topic?
My current dhcpd.conf looks like the below. The hard coded hosts work fine, but nothing gets an ip via dhcp.
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 10.0.0.255;
option routers 10.0.0.1;
option domain-name-servers 10.0.2.1, 10.0.2.2;
authoritative;
shared-network {
subnet 10.0.0.0 netmask 255.255.255.0 {
deny unknown-clients;
}
subnet 10.1.0.0 netmask 255.255.255.0 {
range 10.1.0.1 10.1.255.255;
deny unknown-clients;
}
host {}
host {}
}
subnet 10.255.0.0 netmastk 255.255.255.0 {
range 10.255.0.1 10.255.255.255;
allow unknown-clients;
}
Thanks and apologies for formatting. Mobile, etc
Hello /r/networking
I'm currently arguing a bit with a netadmin about a packet drop issue and I need some sanity check and help from you guys.
We have around 1Gbps of multicast video traffic (constant traffic) coming into a pair of Cisco Nexus 5548P and egressing on a 10G port (it should grow to 2.5G in the future)
We also have an average of 500Mbps of HTTP traffic coming from multiple servers into the same pair of Cisco Nexus 5548P and egressing on the same 10G port, but in a not so distant future the HTTP traffic could fill up the 10G at peak time If we block this HTTP traffic, multicast is fine, and when the HTTP traffic is present we experience some multicast thus impacting the video.
The theory is that the issue is caused by microburst, and this is a good explanation for me, but I'm convinced this can and should be fixed on the switch side, he is convinced everything was tried so the problem need to be solved server side, and the final client just want everything to work (3 companies)
Reading some Cisco Qos documentation, for example https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5600/sw/qos/7x/b_5600_QoS_Config_7x/b_6k_QoS_Config_7x_chapter_01001.pdf my understanding is that disabling "Priority flow control", enabling "Link-Level Flow Control", configuring "pause no-drop" on a Qos class map should do the trick
Link-Level Flow Control was enabled on friday (it was already enabled on the servers NICs) but i'm not receiving any pause frame ("ethtool -S ethX | grep flow_control" gives only 0)
My questions are: - do you think we can make "Link-Level Flow Control" work and fix this issue ? (applying no-drop policy to either the multicast or the HTTP or both) - any other knob to ensure that we never drop multicast ?
Thanks
Hi, i want to setup my ddns from no-ip, but when i forward my port they doesn't respond, even when i enable dmz its not working. What's weird, no-ip's dashboard see my router's wan ip instead of my pc. I called to my isp and he told me he doesn't block any port. Maybe i'm doing something wrong?
Losing 1-3% ping packets between router (Sophos) and local Mediacom modem on the local address (10.x). Ping from inside Mediacom CMTS to modem comes back fine - indicating it is a problem between the router and the modem. Rebooting the router does not change. However, unplugging the modem does. Once unplugged, it will work without ping packet loss for a random amount of time (1 hour to 3 days) and then it will start dropping again. The biggest effect is our IPSEC VPN for upload slows from 10 Mbps to 0.1 Mbps (download stays the same) when the ping shows dropped packets.
I have tried a different router, used a shielded cat 5e cable instead, and most recently moved the Mediacom modem to another room in an effort to make sure electrical fields weren't an issue. We have been dealing with this issue with Mediacom for over two months and am running out of ideas. We replaced the modem a few weeks ago, as the previous one would just lose connection for two minutes every few hours. (Mediacom could not diagnose it, only replaced on my request)
Any further ideas or tips? It definitely seems to be the upload only side.
Hey guys, need some advice, hope I'm not posting the wrong stuff.
We need to establish a site-to-site VPN with one of our clients to our of our office locations.
Since we already have existing VPN tunnels set up to our Azure network, it would be easier to route traffic through that and reduce the number of VPNs required.
Unfortunately our address spaces conflict (they use 10.0.0.0/8) and thus require us to source NAT to an ip on that network, but I can't find any details of Azure supporting NAT on the virtual network gateway.
If Azure NAT is not possible and we'd like to avoid setting up a networking appliance on Azure. What would be the best way to tackle this? Am thinking NAT on premise, and route through Azure.
example address spaces:
on-prem: 10.2.0.0/16, 10.1.0.0/16 (we have Cisco 892 series ISR)
azure: 10.5.0.0/16
client: 10.0.0.0/8 (only required to reach address in the 10.4.0.0/16 range)
provided source IP: 10.12.0.1
So I've got 2 sites, likely to be 3 soon, and possibly 4 within the next year or two.
At each site, I have/will have two edge routers. These peer with the providers for internet access. They also terminate PtP links between sites, which are currently and will probably remain in a ring topology.
There is also a firewall at each site, which will have routes into the DMZ. So if you can picture it, one big ring, having two edge routers at each site, and then each site having a firewall, connected to both edge routers on the inside, to form a triangle if you were to diagram it.
My goal here is to have flexibility in routing public IPs within our network, and to be able to control where they are routed depending on what's advertised from the firewalls.
My questions are:
Is it a bad idea to pick two sites and make those two firewalls route reflectors? If so, why?
Would it be a better or worse idea to give all sites a route reflector (still the firewall), rather than just two?
Also, can route reflectors advertise routes themselves? I assume so, but maybe that is not the case.
This is a somewhat abstract scenario, so please excuse the lots of words:
Let's say that I am a service provider with two routers (effectively the reverse view of the common "I have two connections to an ISP that I want to load balance outbound traffic on") connecting back to a neighbor AS with an iBGP link between my pair. ECMP is configured and functions normally and there are no issues I can see with the links. My two routers have multiple uplinks, so traffic can come in to either router (but mostly to, for the sake of example, Router 1 at a 2:1 ratio) but the two links to the "downstream" AS are still relatively equally balanced.
So everything is working fine, and there's no issues. What's bugging me is this - BGP decides what routes to install and installs all relevant routes. The router decides to load balance traffic such that each path is equally saturated (perhaps not perfectly efficiently, but well enough), but how does each router know that a round-robin decision has already been made for a particular packet and that it should forward it to its eBGP neighbor rather than performing the round robin itself and potentially sending a packet back to the router it just came from?
In this simple example, of course it possibly received it directly from a fully resolved possible next hop for the packet's destination (so it COULD assume the decision had already been made), but for a larger network with other routers in between that are not members of the iBGP network (for example, an internal OSPF or IS-IS network connecting the iBGP peers to each other), this isn't guaranteed, and the packet doesn't contain any extra information that I know of that can communicate this. Does load balancing over the two eBGP links still work in this case? Do the iBGP peers know enough about the topology to know when they've received a packet that another iBGP peer already handled? If the path from an upstream iBGP peer HAS to pass through router 1 before getting to router 2, does the upstream router make the decision or Router 1? If it's the upstream router, how does Router 1 know to forward to Router 2 if that was the chosen destination? What about traffic originating from within my AS?
I realize this is a really, REALLY specific set of questions that is a much deeper look into BGP and the actual routing decisions made by a router than nearly anyone would ever get into, but it's bugging me. If anyone has an idea, please help me out here as it's driving me crazy not knowing how it works.
I'm doing a network review for a new customer who primarily has HP switches which are new for me and the company I work for (all of our existing customers are Cisco networks). One of the things I want to do is identify how out of date their installed software versions are on all of their switches but I cannot find any definitive list of ProCurve software versions and their release/EOL dates. We all know how terrible the HPE website is but does anyone know if such a thing exists?
Looking for a low cost enterprise level network monitoring tool. 40 cisco routers 200 avaya switches. 1800 users at 29 different sites.. 27 less than 30 2 head quarters with there vast majority. Goal is to monitor bandwidth, up/down with alerts. Determine which user using how much bandwidth and that they are doing. Quoted 100k from solar winds . Netcrunch looks promising any other ideas?
I just ordered my first round of non-EX2200 switches (EX2300/EX3400), and having received them and looking at the recommended Junos ver to run on them, upgraded them to 18.1R3.3.
Then trying to configure them, I went to do something under “ethernet-switching-options” only to get an error... Thus after searching the mighty Google on how to do what I was trying to do on 18.1, do I find out about “ELS” and all the associated syntax changes... Now I have to live in a non-ELS/ELS syntax world I guess, as I have many EX2200-series switches all running 12.3R12.4 (the recommended Junos ver for that platform.)
Anyone know why Juniper decided to make the syntax change? Not going to be fun trying to remember (or document) the two different ways of doing “X” in Junos switching depending on the platform... </growl>
I'm trying to test the quality of an IPSEC VPN connection before attempting to move voice traffic on to it. The VPN is already being used for replication traffic between two server clusters. The IPSEC tunnel is configured between two Watchguard firewalls. I'm trying to configure the IP SLA between Cisco 3750X switch stacks on each network. The icmp-echo ip sla is working fine, but udp-jitter is not. udp-echo didn't work either.
I'm trying to keep the config simple to start, so I have what I think is the bare minimum
Remote site:
ip sla 50 udp-jitter 192.168.0.40 5000 source-ip 192.168.0.50 source-port 5000 ip sla schedule 50 life forever start-time now ip sla 70 icmp-echo 192.168.0.40 source-interface Loopback50 frequency 10 ip sla schedule 70 life forever start-time now
Primary site:
ip sla responder
Result:
IPSLAs Latest Operation Summary ID Type Destination Stats Return Last (ms) Code Run ----------- ---------- --------------- ------ ---------- ----------------- *50 udp-jitter 192.168.0.40 - No connect 20 seconds ago ion *70 icmp-echo 192.168.0.40 RTT=9 OK 2 seconds ago
I don't know enough about IP SLA's to be sure this isn't a configuration problem, so I wanted to run it by here first to see.
If the config looks good, could this be an IPSec problem, despite other traffic passing without issue?
I'm in a fairly new environment where there is beyond major cleanup needed. I'm partway through standing up 6 new office locations (doubling our number of physical offices) and replacing every speck of network gear at the existing sites.
and I have til feb1 to finish. hooray /s
So yesterday it was brought to my attention some segmentation is needed that was requested of prior admin that never happened. we have a /28 block of computers used to access our cloud servers. there is no direct connection to the cloud from the office by design.
However there is access being allowed that was never intended, and it's audit time.
We have lots of bizarre vlans (lots of empty ones) that have never been used I don't think, cisco gear primarily, etc.
I'm replacing hardware with dell/f10 gear but doing it in chunks. i'm down to core, the biggest user stack, and small stack of non supported but still used for production (it always seems to happen no?) server switches.
The edict was issued that they want all of these "jump" servers be accessable via RDP and SSH from our internal network, but nothing else - but everyone within the internal ips should be able to access (wifi, etc)
right now there is no restriction.
In an ideal world i'd re-ip those bad boys and throw them onto a zone directly connected to firewall and limit access using firewall rules. HOWEVER..... in the next 8 weeks i'll be replacing core switch as well as going from ASA to Palo for firewall.
taking down these remote access servers is very hampered since business must continue.
I could do a bit of a kludge job and use ACLs on the core, but I don't like the idea of doing that and i plan to replace switches in a matter of weeks. I'd prefer to move them to route through a zone on firewall, but that is also getting removed in short order....
and of course they want it done yesterday.... so time is a factor as always.
am I missing any options? which would you go with?
I configured ACL to allow udp traffic (port 161 snmp) between one of our servers and a remote location. but according to linux admins they still dont have access both ways. what's the best ios verification command (or logging?) to show them that the acl is configured correctly
thanks
If i have two different tools monitoring the same link, is it feasible that they have differing 95th calculations for a given month?
I assume this is possible due to when / how often each tool is grabbing the interface usage?
If I then compare these to my ISPs invoice to make sure they are not playing games with me... I assume there will also be some difference between what they report and what my tools report?
I have a assembly line with about 200 Ethernet devices all connected to a 24 port, netgear switch, JGS524E. We are using the switch as a dumb switch and not configuring anything inside the switch. All of the ip address get assigned from the PLC. We are having problems with the remote connection to the machine using a Cisco VPN. We had IT person collecting data on the network and the pings are 60ms all the way to the machine where the pings become 600-800ms. Is there a way we could be overloading our switch with all the data? The machine moves every 4 secs. and all 200 devices talk at basically the same time every 4 seconds. If you think its the switch what switch would you recommend?
Hello,
I'm currently using these routers for a 4G setup on our LED Signs for communication. I spoke with our hardware provider and they are going to be parting ways with them as they will be discontinue soon. This kinda leaves me open in the market which i haven't look into for a while.
Could anyone share some recommendations on which units i could use at a similar or cheaper price without compromising the utility that this router brings to the table?
Thank you.
In addition, the study finds, endpoints continue to be the primary location for data creation in the short term, the fastest growth is forecasted to happen at the core and the edge, with more data stored in the core than in the world’s endpoints by 2025.
https://www.rtinsights.com/brace-yourselves-soon-one-third-of-the-world-will-be-real-time/
I have an isolated system that I am configuring 802.1x, NPS on Server 2016, with an Aruba 2530 switch.
The problem I'm having is when we move a computer with a certificate to a port that is 802.1x enabled, it gets moved to the unauth vlan and the switch reports that the authentication server is unreachable. It never gets moved to the authorized vlan.
Currently all the PCs are assigned static IPs. Switch is configured with an IP on the data network.
I'm having a hard time finding the exact flow of events that the authenticator process goes through.
Does the computer on the unauth vlan need to reach the NPS server or does the switch contact the NPS server? Does the computer need an IP on the unauth_vlan, then the unauth_vlan contacts the NPS server? Should DHCP be setup on both the vlans rather than static assignments?
Switch config:
radius-server host 10.10.10.222 key "themagicword" aaa authentication port-access eap-radius aaa port-access authenticator 1-4 aaa port-access authenticator 1 auth-vid 10 aaa port-access authenticator 1 unauth-vid 80 aaa port-access authenticator 2 auth-vid 10 aaa port-access authenticator 2 unauth-vid 80 aaa port-access authenticator 3 auth-vid 10 aaa port-access authenticator 3 unauth-vid 80 aaa port-access authenticator 4 auth-vid 10 aaa port-access authenticator 4 unauth-vid 80 aaa port-access authenticator active vlan 10 name "auth_vlan" ip address 10.10.10.11 255.255.255.0 untagged 1-24 exit vlan 80 name "unauth_vlan" no ip address exit
I imagine this is a pretty common need. Just wondering how everyone here has solved it.
Use Case:
Several Sites in Mainland China.
- LAN to WAN Path Is Core Switch, Firewall (Inline, Layer 3), Routers
- Router Has Two VRFs (internal and external). BGP Between Both VRFs And The Firewall
- Default From external VRF, Internal Specifics From Internal
- External VRF NATs Toward Internet/Local Breakout
- Internal Sends Traffic Up To MPLS Provider
Right now, we either backhaul internet over the MPLS path, or break it out locally. The L3 Firewall Decides whether to send it to internal router VRF or external router VRF.
It's mutually exclusive. Either we saturate the MPLS circuit and make all the local users angry by trying to backhaul internet over MPLS, or we reduce productivity by breaking US-Based SaaS apps like Webex, Office365, etc., - out locally. These perform abominably in mainland China.
You can try to do PBR it on the firewall, but the DPI engine takes several packets to identify a session, and once that's worked, your TCP session has already established with the website, and when it gets switched, the public IP changes, and the session breaks. Or, you run into weird issues where what the user views as one website is actually like a dozen websites because of all the embedded content, and so from end user perspective, you haven't solved the problem at all - since different aspects of the webpage are hanging.
We've looked at an explicit proxy (customer doesn't like because it is a lot of work to manage).
We've looked at maybe migrating to SDWAN solution - but with the exception of a few options I see in Viptela (CloudExpress) where it snoops DNS and caches various dst sockets as belonging to a specific website, there isn't much out there. And this feature seems to be almost unusably buggy.
Have even considered design changes to leverage Cisco's Umbrella feature with IOS - but I am not sure this meets customer security requirements.
So assuming that we're not the only ones dealing with this, how have you handled it.
Many thanks.
Trying to gather some more detailed technical information on how 802.11n clients negotiate 5g radios when using 80Mhz channel sizes. I know they can detect and connect but I'm wondering how the other AC clients are impacted by an N device connecting to the same radio when configured this way. Does it drop the other clients to 40Mhz or is it just the N client that uses 40Mhz while the radio continues to communicate to the AC clients at 80Mhz?
Does anyone here SPAN traffic out of their Cisco Fabric Interconnects for the Cisco UCS blade chassis' out to any monitoring tools? Our server guys want to basically SPAN all the 10Gb twinax cables going from the Cisco UCS blade chassis' up to the Cisco Fabric Interconnects and then send this to like a cPacket packet broker. I am curious how this is accomplished or if there is a better way. Obviously the best way would be to change over the Cisco UCS blade chassis' to SR optics up to the Cisco Fabric Interconnects and TAP all of those. I am not sure that is feasible from a cost perspective and outage time required to change all of this.
Hi,
Do any of you work a 9-5 job and also do some side work for instance on fiverr to make side money? I wanted to try that but I'm afraid that my CCNA and CCNP (Switch) is too low of a level to take any jobs on there. Are there side jobs for CCNA level folks?
Hi guys, I need your help.
I should write a thesis but there are a couple of question that google does not help me answer. I'm sorry if some of them are more computer architecture questions, but I'll post them anyway.
First, what I already know: I understand what CRC does, how it works, and that CRC check values are attached to ethernet packets and are thus pretty much everywhere.
What I do not understand is how this is realized in todays hardware. I read that it's normally the NIC that checks & discards it. But how do common NICs compute it? Do they have one of those serial hardware circuits? Or do they have a small/special CPU kinda thing? Or is the main computer CPU involved?
If it's usually the NIC that is in charge of calculating the CRC, why does e.g. Intel have a specific CRC32 instruction in it's instruction set? Are there other major use cases of CRC apart from networking?
On https://create.stephan-brumme.com/crc32/ there are many fast algorithms for CRC32, how do these relate to what's happening in todays NICs, are they actually used?
Another thing: I read that frames where the CRC does not match usually don't get forwarded, so they are discarded immediately. Does that mean that routers/switches on a frames path usually are capable of doing these CRC calculations? And if so, how do they manage to do it, they would need to be pretty fast, considering what throughputs some routers/switches have.
Also, if you have any links/readings on these questions, that would be great.
This is why we have a Change Freeze for networking changes in the week leading up to Christmas break.
Hi,
Trying to figure out why a Catalyst switch can't ping itself or other IPs in the same subnet.
I did a basic config using SVI in vlan 1, set a 192.168.x.14 IP, connected a laptop in an access port with default config (vlan 1) with IP 192.168.x.15 and an uplink in access too to another switch which serves as default gateway with IP 192.168.x.1.
From laptop ping works to default gateway. Doing a ping from the 3650 to the laptop or the default gateway doesn't. Doing a ping from the 3650 to it's own IP address doesn't work either.
Any hints?
I currently have TACACS+ setup on a Redhat server that's authenticating network admins against Active Directory when they attempt to log into a network device either by SSH or through the console. This part is working great.
I now want to implement port based authentication (802.1x or NAC) for devices that get plugged into the switches. My current understanding (which is very limited) is that I need to setup a RADIUS server and then configure the switches to authenticate devices through the RADIUS server. What I can't seem to grasp is how I can configure a switch with AAA to continue to authenticate network admin account logins to the switch via TACACS+ while authenticating device access to its ports via RADIUS.
Is this even possible? Every time I try to research this it seems its always be TACACS+ VS/OR RADIUS and never TACACS AND RADIUS.
As an aside, does anyone know of any 802.1x specific training that they'd recommend to me? I probably need some formal training on this before I truly grasp how this all works together.
Hi, we're testing some Huawei devices and I'm struggling with an MPLS test. We have a OSPF core, BGP free, thats working fine. Two dedicated RRs and, for now, two PEs. I created a test VRFs, or as Huawei calls them VPN instances. Now I just want to route between those PEs, right now just with a Loopback interface in the VRF.
First I tried it without the RRs, everything worked fine. Both routers got the routes from the other router and I could ping between the loopbacks in the VRFs. Now, I tried to implement the RRs and I don't get any routes in the VRFs.. or in the vpnv4 BGP. I also don't see BGP peers in the VRF. But I have the neighborship in the "dis bgp vpnv4 all peer" command. And in the global routing-table of course.
For testing, I implemented the RR config for the "ipv4-family unicast" BGP address-family and it is working. I imported the directly connected routes from the PEs into BGP and I get them on the other PE.
Right now, I don't understand what is missing in the VPN-Instance or BGP config.
I'll post comments with the config.
Hi all,
first of all, thank you for all the help in my past thread (https://www.reddit.com/r/networking/comments/a6ehbl/palo_alto_sslvpn_and_default_route_configuration/). I was able to understand a lot of things. I created this new post because after importing the latest configuration file, things are different from what I thought.
Diagram after importing the latest config
https://i.imgur.com/5xl0znC.png
This is what I think it could work..
https://i.imgur.com/JRmAZVI.png
Goal:
SSL VPN users will connect to Palo 1 using ldap+certificate as authentication. SSL VPN users must use Palo 2 e1/1 to access the internet inside the tunnel.
Configuration done so far:
The current configuration had all interfaces and tunnels under the VR1 so if I created a new tunnel interface for SSLVPN and put it inside it, SSLVPN users would have accessed the internet through Palo 1 e1/1 and this is not what I am trying to accomplish. So I created a new VR2 and put Palo 1 e1/2 and the SSLVPN tunnel interface inside it. At this point, sslvpn users would inherit the second 0.0.0.0/0 via 192.168.10.254. With this method , sslvpn users could reach the internet through Palo 2 as long as the first default route is installed in the l3sw's rib. If that link goes down, the second 0.0.0.0 kicks in and now we go nowhere (traffic go back and forth between l3sw and palo 1 e1/2). Another inconvenient is that IPsec tunnel inside the VR1 must reach network via VR2 e1/2, so the only think I came up was to statically route specific routes between VRs and it worked fine(are there other way?).
I think I didn't miss anything..otherwise I am happy to give more info if needed.
Thank you for any hints/suggestion!
