Alright I know netdumas and all those gaming routers offer geofilter, but the problem is they are like 200. What i’m trying to do is have two xboxes and everytime they matchmake in the game we match up against each other. (Dont ask me why) I know theres tomato firmware and dd-wrt but how will that make my router block all the locations. I’m only trying to matchmake with myself. I know you need to buy a certain router that works so anything under 100 will be fine. Thanks
Saturday, April 20, 2019
Where to get a Palo Alto license
Long story short, where do I get a license for a Palo Alto PA-200 for a homelab?
Help out a developer!
Hello! I am not sure if this is the right place for this but I was hoping for some guidance towards the correct direction. My company will be moving into this new lot with these server boxes (three of them, one in each building) I am assuming that they were used to provide internet in the three buildings.
I was wondering where I can start research on:
-How I can get these three boxes to connect to each other?
-What they are called?
-What additional equipment and hardware I might need?
Along with any helpful information. I have attached a picture of the server with a modem and router we have installed as a start.
https://imgur.com/gallery/jJhQBIU
We have about a week and any help would be appreciated. Thank you ahead of time!
DHCP relay from firewall subnet to DHCP server on another subnet
Hi all
I want to setup my wireless AP's to hang off my sonicwall firewall, so I can have more secure wifi for compliance. I will have SSID's for Corp, BYOD and Guest.
I want clients on the Corp wifi to be able to get DHCP from a Windows DHCP server on another subnet that is on my L3 switches. The corp wifi will be on subnet 10.5.13.x/24 off a LAN interface on my SonicWall and the Windows DHCP server is on 10.5.5.x/24.
The 10.5.12.x subnet does not currently exist on the L3 switches and the only link between the switch and firewall is the internal interface of the firewall, which is on subnet 10.5.50.x/24.
What do I need to do on the L3 switches to enable my 10.5.13.x clients to get DHCP from the windows server? I am aware of how to setup DHCP relay on the sonicwall FW, but I do not know whether anything needs to happen on the switches.
I have included a diagram for clarity.
Thanks
Super-cheap managed switch for lab
I have a lab where I test some gear's functionality that used to run old faithful 100Mb Cisco switch that finally died on me last week. I'm looking for some cheap replacement switch. I actually have some small Mikrotik switch that would have worked just fine, but it can't do tagged and untagged VLANs on the same port...
I just need Layer2, ideally with some LACP and basic STP, definitely need to be able to do native vlan on trunk port.
I definitely don't want Netgear (really dislike the brand), but something like TP-Link TL-SG108E would be ideal as at least according to specs I can get almost everything I want (except for LACP, but static LAG is OK too) for $30, as long as it can do native VLAN (judging by reviews
Anybody dealt with those? I don't want to waste money on something bad, but I don't necessarily want to pay $300 for something I can get for $30.
Any in-depth video tutorials on Networking?
I know this is a long shot, but I'm looking for video tutorials that go in-depth about networking.
I have an upcoming school exam, and its centred around the book "Computer Networking A Top-Down Approach". However, I find I am unable to learn well when I read -- I learn much better when I watch / hear concepts being explained.
Are there any video tutorials that teach networking at a deep level? Preferably free, but paid ones are OK as well.
Does anyone else feel like they are having Meraki forced down their throat?
I mainly work in the wireless space at my job and overall I am happy with Cisco 3702 & 3802 APs (as long as I stay away from new code releases). Lately our sales rep keeps pushing Meraki pretty aggressively. We have voiced our concerns about density and our warehouse environments but the pushing keeps happening. Is this happening to anyone else?
fiber optic ethernet router
Hello everyone, I need some advice. A few months from now I will be moving to an area where there is fiber optic 1gbps internet service. From my understanding, once you choose the service they send a contractor which installs a terminal box outside your house and then also installs an ONT inside the house which then connects to a router. I've been trying to figure out online what I can do if I decide to eliminate the crappy router the ISP provides & replace it with an XG-7100 DT pfSense router. The thing is that I'm clueless how I can go about connecting the ONT to the SFP port on that router. It seems like the fiber optic cable connected to the ONT uses a SM pigtail connection whereas the router that I mentioned uses a MM SFP connection. I'm pretty new to this stuff but I enjoy learning & am up for a challenging task. Any suggestions would be greatly appreciated. I love the internet & I want to take advantage of the service's full potential. Thank you in advance.
GNS3 not saving appliance configs
I'm asking this question here since this subreddit has a lot more traffic than the GNS3 subreddit and I'm sure many other networking professionals use GNS3 regularly.
I've attempted to do my due diligence before asking. Not seeing any relevant answered questions pertaining to my issue here, and not seeing anything on general internet searches.
My appliance configs are not saving. What I mean specifically by that is I installed a toolbox appliance from the marketplace. I then spent a lot of time setting up Ansible on this appliance, creating a directory tree and several files for use in an Ansible/Nexus POAP lab.
I saved my project and turned off gns3. The next time I booted it up and loaded my project, the appliances were there, but all my configs were GONE. All my folders, files, and installed programs on this toolbox had vanished.
Is there something I'm missing? I can't find a straight answer to this and it seems like a huge issue. What's the point of building a lab if it is all undone when I turn off the machine? I saw that older versions of gns3 had a snapshot feature, 2.1.12 doesn't seem to have this
Friday, April 19, 2019
40 to 20 MHz high density wireless question
I’m planning to change our 1 WAP-per-classroom deployment from 40 MHz channel width to 20 MHz, to prevent some channel overlap. I’m a bit confused on what I’ve read. Is the rated 5 GHz speed (say, 300 Mbps) the individual client max speed, or the shared max speed for everyone on the AP?
Thanks!
Learning Everything..
I started a new job working for a mid/large enterprise company. 5 data centers around the world, around 30k users, hybrid cloud (Azure and AWS), and multi-vendor environment (we have Juniper, F5, Cisco, Palo, ASA, Checkpoint, Aruba, and WLC). I've never been in a position like this before and I'm so lost. There are guys here that know (or at least seem to know) everything and I'm asking myself how did they get to that level? I only have my CCNP in R&S and felt like that in itself was a big accomplishment, but obviously not. I still don't have any experience with Wireless, Voice, and Data Center. Minimal experience with Firewalls and I've never even seen a load balancer before in person.
On top of all this the industry expects people to now learn Python/Programming/Automation. Where are you finding the time to focus on that when there are so many other core topics to learn?
I do feel confident enough to handle the Routing and Switching in this current environment, but with everything else I'm completely lost and don't have any idea how to go about learning the rest of those technologies since there are so many of them at the same time. I'm sure I'm not the first who's been in this position before. I'd like some of your guys' insight on how you handled this situation before (unless I'm the only person to have experienced this lol)
basic netmiko python script to search output and print result based on that output
Hello programmer folks,
I'm pretty horrible at programming.
My apologies if I put this question in the wrong section, I just figured this might make more sense for a network engineer who knows some automation.
if you're a network person who knows python scripting this might be an easy one for you.
I'm attempting to write a baby script for my job to make a task easier for myself.
All I want this script to do is get some output from a device on my network, spit that output onto my screen, then search the text it gets back and if it matches the text it finds, print "it is enabled".....if it does NOT find the text, then print "it is not enabled".
In this case, I just want the script to search interface g1/0/30 for the text of "spanning-tree portfast edge"
if it finds this exact text of "spanning-tree portfast edge" on the output it returns
then
print "portfast is enabled"
else
print "portfast is NOT enabled"
Eventually, I'll probably want to add the config lines to actually configure "spanning-tree portfast edge" if it does not find it, but for now I'll just go with the simpler one of it printing outputs based on the results that are returned on the interface show runs.
pretty simple, at least I have the first part working lol :) In the image below I put the syntax. I grayed out where I left off and couldn't get it to work. Tried a few different things, but everything was a failure.
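One way to write the check described above, as an added example that is not the poster's own script: the text-matching logic is kept separate from the netmiko session so it can be exercised on a constructed show-run sample, while `ConnectHandler` and `send_command` are netmiko's real API; the device parameters and the `SWITCH_*` environment variables are placeholders to be replaced with your own.

```python
"""Check whether an interface has 'spanning-tree portfast edge' configured.

The parsing functions work on plain text, so they run without a device.
connect-and-fetch is only attempted when this file is run against a real
switch (credentials come from the environment, never hard-coded).
"""
import os

TARGET_LINE = "spanning-tree portfast edge"

# Constructed sample of 'show running-config interface g1/0/30' output,
# used for offline testing. Not captured from a real device.
SAMPLE_SHOW_RUN = """Building configuration...

Current configuration : 160 bytes
!
interface GigabitEthernet1/0/30
 description constructed sample - access port
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast edge
end
"""


def portfast_edge_enabled(show_run_output: str) -> bool:
    """True only if a whole configuration line equals TARGET_LINE.

    Comparing whole stripped lines (instead of a substring search) means
    'no spanning-tree portfast edge' or a description that merely mentions
    the words does not count as enabled.
    """
    for line in show_run_output.splitlines():
        if line.strip() == TARGET_LINE:
            return True
    return False


def portfast_report(show_run_output: str) -> str:
    """The message the post asks for, derived from the parsed output."""
    if portfast_edge_enabled(show_run_output):
        return "portfast is enabled"
    return "portfast is NOT enabled"


def check_interface(device: dict, interface: str = "GigabitEthernet1/0/30") -> str:
    """Fetch the interface config over SSH with netmiko and report on it.

    netmiko is imported here so the parsing above stays importable on a
    machine without it installed.
    """
    from netmiko import ConnectHandler

    with ConnectHandler(**device) as conn:
        output = conn.send_command(f"show running-config interface {interface}")
    print(output)  # the post wants the raw output echoed to the screen
    return portfast_report(output)


if __name__ == "__main__":
    # Placeholder device definition; set SWITCH_HOST/SWITCH_USER/SWITCH_PASS
    # to run against a real switch. Offline, the constructed sample is used.
    device = {
        "device_type": "cisco_ios",
        "host": os.environ.get("SWITCH_HOST", ""),
        "username": os.environ.get("SWITCH_USER", ""),
        "password": os.environ.get("SWITCH_PASS", ""),
    }
    if device["host"]:
        print(check_interface(device))
    else:
        print(SAMPLE_SHOW_RUN)
        print(portfast_report(SAMPLE_SHOW_RUN))
```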
What's going on
First: on mobile, and I literally never browse this sub and am just looking for what's going on.
OK, I'm at a hotel and when I went to connect to the network I saw these 2 networks, they had weird names (look at the imgur) so I was interested. I have an app that tells me WiFi channels (what I mainly use it for) among other things so I opened it up and took a look.
I'm by no means "a network guy" but I know enough to say that it all looks kinda odd. So does anybody know what it is?
As a side note, there is a big robotics competition in the area that involves highschool kids with network gear so that could be it, dunno.
Thanks in advance, and tell me if a better place exists for this.
Fail Back of redundant Host = 10-20 second outage on Nexus 9K environment. Pointers for my network team?
Working on setting up a new HCI environment and decided to test failover scenarios before going into prod.
Each node has 4 x 10Gb NICs.
2 are for the HyperConverged Storage.
2 are for VMware Mgmt and all the VM traffic and such.
These are all plugged into a pair of Nexus 9K switches.
During the Failover (we disconnected the LC fiber on 1 Port from each vSwitch), we get maybe 1 ping drop, pretty much as to be expected as the MAC Cache is dumped when the link goes down.
However when we plugged the NICs back in, we saw anywhere from 5 seconds (best) to 15+ seconds (the HCI lost its mind) of downtime.
I suspect that it MIGHT be related to MAC Cache (do they still call it a CAM Table?) on the switches, but we're really not sure.
My Ask, as we have network guys both in house here and additional contracted help, is what kind of things should be we watching/monitoring on the switches when we repeat the process again, so our network guys can see if there is any clue to why the fail back is taking so long.
PS: VMware 6.5 U2, Standard vSwitch (no vDS), Default Teaming mode of "Route based on Source Port" currently in use, and Notify Switches and Fail Back at the vSwitch Teaming level are both enabled (my understanding is Notify Switches = GARP to expedite the upstream MAC Cache updates)
Thanks
actiontec ssh commands?
Anyone have any Actiontec experience? I am trying to add some static routes via the command line (the web interface is less than stellar) but it isn't running Linux. I have no idea what system it is; this is what I get when I run route help:
Usage: route add <IP address> <subnet mask> |metric hops| <|<gw gtwy_IP>| |<dev interface>|>
so I tried route add sampleIP sampleSUB 192.168.1.2
1.2 being the gateway I want the routing to go to
I've also tried route add sampleIP sampleSUB 192.168.1.2 br0, and every time I try anything the response is: Please at least enter gateway IP or interface
How does everyone diagram/document their L2VPN implementations
I'm completing a hardware upgrade for a client and am working on the as-builts. I'm just wondering how everyone documents multiple L2VPNs in their diagrams. I'm interested specifically in logicals as I typically do separate physicals.
I'm sure I'll answer my question (bluetooth)
Ok so what has been bothering me is planet fitness.
I go with the wife every other gym day to support her, but I notice the air is so flooded with BT that I legit get packet loss from my phone to headphones ( ath-ar3bt) .
Is there anything that I can do other than hard wiring my headset? It's frustrating when your phone is in your pocket or less than 3 feet away and it chokes like you have no LTE.
SDN Firewall IP Filtering
So, I've been beating my head against a rock trying to figure out if it's possible to block specific IP addresses or straight up blacklist websites using SDN. I'm currently using Mininet and POX to block individual hosts from talking to each other via MAC address as rules in the .py file but I would like to be able to prevent them from say pinging or browsing to say vimeo or youtube.
I had thought about trying something like
curl -X POST -d '{"nw_src": "10.0.0.1/32", "nw_dst": "151.101.0.217/?", "nw_proto": "ICMP"}' http://localhost:8080/firewall/rules/0000000000000001
or
curl -X POST -d '{"nw_src": "10.0.0.1/32", "nw_dst": "151.101.0.217/?", "nw_proto": "TCP"}' http://localhost:8080/firewall/rules/0000000000000001
But I'd need to do that for each host and each IP, plus each protocol. I'm also unsure what the unknown portions of their IPs are; for the internal ones it's easy since it's a /32. The ones I included above are just two of the IPs I found for vimeo, so I'd also need some way of finding all vimeo's server IPs.
Does anyone here know if it's possible or a way to go about doing it? I don't have access to anything more than opensource SDN tools.
I need it from your experience, not from the paper!
Which one is more preferable for you based on your experience?
AirMagnet or Ekahau?
I am planning to do a site survey with Ekahau by next week and I do not have good experience as other tools that I have and the client did ask me to do it with Ekahau.
Can you restrict time and date access for AnyConnect users?
Currently only local users so no RADIUS set up. Can I restrict users VPN access to certain times and days? If not would I have to setup something like a windows RADIUS server and do it from there? Thanks.
Setting up a virtual Cisco ASA to work with our servers located at an Azure data center.
Hello everyone. I am in charge of a project in which I will be setting up a virtual firewall to connect to our servers at an Azure data center. I'm knowledgeable in networking, but don't know how to do this off the top of my head so I am looking for a little guidance so I know the right questions to ask, and I can bring some good suggestions to the table when we have our meeting about how we will set it up.
We are migrating away from our current data center provider. From my understanding, this whole thing works by having a virtual firewall that has a separate vlan and VPN connection to each server at the data center. When we deploy our Network at our customer sites, we install a physical Cisco ASA 5506. Its mostly there to manage the internal Network and provide DHCP, and VPN access to the server which contains our active directory.
Our Azure center is already set up. So it sounds like we just need to get the virtual firewall set up to talk to the servers, NAT their IP address, and set up security.
How can I ensure that the servers on the separate VLANs have no chance at talking with each other?
What general security rules need to be in place?
What kind of Nat rules?
Ultimately, how would you set up a virtual firewall to talk with your servers at a data center?
Side question, how do our physical firewalls onsite come into play with connecting to the Azure data center? Do they do so through the virtual firewall which has NAT rules configured for the servers?
I hope this makes sense to those that read this. It's hard to know what im even trying to ask because I've never done anything like this before... But I can definitely answer any additional questions.
Any help is extraordinarily appreciated
Thank you guys very much, from one IT guy to another.
Cisco CLI parsing in Ansible using Genie/pyATS
All,
I have submitted a pull request to the Ansible core project that enables a new Ansible filter called parse_genie
. It uses the Genie library (and pyATS) to parse over 500 CLI commands across IOS, IOS-XE, NX-OS, and IOS-XR. It will return structured data that is OS-agnostic and it conforms to well-defined data schema models.
I want to make sure it gets merged, but I need your help. If you think this is a good feature and want it in Ansible, please go to the pull request and give it a thumbs up so the Ansible core maintainers know that the community wants this new plugin.
Usage:
Demo:
https://asciinema.org/a/q1dZtp2thuVFY0KVd6EZjR48D
Supported Commands (more being added with every release):
https://pubhub.devnetcloud.com/media/pyats-packages/docs/genie/genie_libs/#/parsers
Pull Request:
https://github.com/ansible/ansible/pull/55559
Additional Information on Genie and pyATS:
https://www.youtube.com/watch?v=h_vcG7ZwabY
https://pubhub.devnetcloud.com/media/pyats-packages/docs/genie/index.html
*** Big shout-out to the Cisco pyATS team and Cisco DevNet team for working with me on this. ***
Third-party integration
Anyone ever have to deal with a stubborn third-party? We have a company that some of our employees have to access a code repository for. What should be an exposed web service like git we have to use a dialup vpn, rdp to a box and then checkout code. That’s all fine and dandy until company policy is only http/https outbound. Now you want 10-15 people in the office to use a dialup vpn connection from their laptop to do this?
Junos Syntax Highlighting for SecureCRT
Does anyone have a .ini file for SecureCRT that provides syntax highlighting within an SSH session for Juniper devices? I can't find one anywhere. Plenty of Cisco, though.
Tool "like" RANCID but not quite...
So, where I work we've got terrible tracking of our DHCP scopes what's where and real addresses to buildings, etc, hundreds of locations if not thousands and growing.
We have CA (Broadcom) Spectrum for network devices which works surprisingly well and contains many thousands of network devices.
The issue, it doesn't do any kind of IP management, even if we had some product to do that and it was reading DHCP scopes, they'd be wrong or screwed up because 1 team does networking and another DHCP as directed by the networking folks and frankly, it doesn't work like that.
Scopes are missing, not labeled, old and outdated, some sites don't have scopes because of how they tunnel in or attach to us, and the list goes on.
I had the bright idea that by hooking into each switch/router I could run some commands like the running config, int status, etc and based on interfaces build my own map, like CDP neighbor but with real addresses, scopes, related MAC/ARP data, etc... massages all the data into SQL with a full web-based front end for searching and correlating data.
So, first I looked around and never found anything that did that or anything quite like it and certainly nothing I could expand upon or tailor to our unique environment. Then, I committed all my free time at work to developing a solution, and it works, it does everything I need it to do and our company has seen the value and started using it, but it has its limitations.
So now the question, does anything exist like what I've built to do this sort of stuff and did I overcomplicate something that is/was relatively simple for some other tool or service, CLI, etc?
I think we found a TCP-related problem on our network, but we don't know how to fix it.
So we've been investigating an application performance issue. When the application is used locally, it works 'fine.' When it is used from a WAN location, then the users experience 2+ full minute wait times.
We troubleshot and verified layers 1-3 pretty quickly. It did not appear to be any kind of routing problem, no interface errors or discards, no MTU mismatch, etc.
So we dove into packet captures, and found something of interest. The client (windows endpoint) sends a TCP initial window size of 8192. That seems... small. Both the client and the server have window scaling enabled, with a factor of 8, and the client completes the handshake by changing its window to 65536 (that is because of the scaling factor of 8 I'm assuming?) So the handshake looks like this:
CLIENT: TCP SYN - WIN 8192 - WS 256 (8)
SERVER: TCP SYN+ACK - WIN 8192 - WS 256 (8)
CLIENT: TCP ACK - WIN 65536
So we took the numbers including bandwidth, latency, MTU, bytes that were transferred, and a window size of 65536 and plugged them into a TCP Throughput Calculator we found online. The calculator perfectly agreed with what the users were experiencing: about 2 minutes to complete the transfer!
Wow...
So I read up and it does seem that initial TCP receive window the client is sending of 8192 appears to be the issue. That value should be able to be 65535 and then scale up to a factor of 8 from there.
When we entered those numbers into the TCP Throughput Calculator, changing nothing else, just window size, the transfer time then changed to about 2 SECONDS.
I'd always read about BDP and windowing issues, but this was kind of a wake up call about how big a deal this can really be.
Interestingly enough we started looking around further and noticed pretty much all of our client endpoints, including my own, are sending this "8192" value in their initial SYN...
At this point we started getting excited, because how often do you find a breakthrough like this in packet captures.. something that may have been causing other complaints all along that no one noticed.
So we brought the findings to our Systems guys, and they seemed... unimpressed. They just pointed out that the application works fine locally, but is slow when used over the WAN, so that problem is the network.
So now we're kinda having to prove our case to them, but as I searched Google for Microsoft Windows networking stuff (painful) I'm having a really hard time figuring out exactly HOW to change this value.
A few very old posts talk about 2-3 different registry keys to change. But most of the more recent posts complained that changing the registry keys doesn't actually do anything. It seems that since Microsoft Vista and all subsequent versions, changing those values has no real effect, because it's all "automatic" now. As somewhat proof of that, my own registry key has a 65535 value, but my machine is indeed sending the 8192 window size (confirmed in wireshark.)
I did find some chatter about Windows "TCP Scaling heuristics" and how it can cause issues and should be disabled (it is indeed enabled on our endpoints.) There is some other chatter about Windows TCP "Auto-tuning level" which has different choices like "Normal," "restricted," "experimental," etc.
I don't know why, but Microsoft has seemingly dumbed this all down and basically has the stance of "TCP Window Scaling is something the Windows Operating System handles automatically now, it is not something the admin can adjust! Trust us, we know best. Signed, Microsoft."
Ugh. It's a bit frustrating to say the least. Anyone know the networking stack in Microsoft reasonably well?
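A worked calculation of the window-versus-bandwidth-delay-product effect the post describes, added here and not part of the original post: the RTT, link rate and transfer size are constructed values, the three window sizes (8192, 65536, and 65535 scaled by 2^8) are the ones the post discusses, and throughput is approximated as one window per round trip capped at the link rate, ignoring slow start and loss.

```python
"""Window-limited TCP throughput versus bandwidth-delay product (BDP).

Constructed assumptions for illustration: 100 Mbit/s WAN link, 80 ms RTT,
10 MB transfer. The window values are the ones discussed in the post.
"""


def scaled_window(window_field: int, shift: int) -> int:
    """Effective receive window: the 16-bit window field shifted left by the
    negotiated window-scale option (a multiplier of 256 is shift 8)."""
    return window_field << shift


def bdp_bytes(link_bps: float, rtt_s: float) -> int:
    """Bytes that must be in flight to keep the link busy for one RTT.
    The receive window has to be at least this large to reach line rate."""
    return round(link_bps * rtt_s / 8)


def window_limited_bps(window_bytes: int, rtt_s: float) -> float:
    """Throughput ceiling when the sender can only push one window per RTT
    and then must wait for the ACK: window / RTT, expressed in bit/s."""
    return window_bytes * 8 / rtt_s


def effective_bps(window_bytes: int, rtt_s: float, link_bps: float) -> float:
    """Whichever is smaller: the window ceiling or the physical link rate."""
    return min(window_limited_bps(window_bytes, rtt_s), link_bps)


def transfer_time_s(size_bytes: int, window_bytes: int, rtt_s: float,
                    link_bps: float) -> float:
    """Time to move size_bytes at the effective rate (steady state only)."""
    return size_bytes * 8 / effective_bps(window_bytes, rtt_s, link_bps)


def compare_windows(size_bytes: int, rtt_s: float, link_bps: float,
                    windows: list[int]) -> dict[int, float]:
    """Transfer time for each candidate window, keyed by window size."""
    return {w: transfer_time_s(size_bytes, w, rtt_s, link_bps) for w in windows}


if __name__ == "__main__":
    LINK_BPS = 100e6      # constructed: 100 Mbit/s WAN
    RTT_S = 0.080         # constructed: 80 ms round trip
    SIZE = 10_000_000     # constructed: 10 MB transfer

    print(f"BDP for this path: {bdp_bytes(LINK_BPS, RTT_S):,} bytes")
    candidates = [8192, 65536, scaled_window(65535, 8)]
    for w, t in compare_windows(SIZE, RTT_S, LINK_BPS, candidates).items():
        rate = effective_bps(w, RTT_S, LINK_BPS) / 1e6
        print(f"window {w:>10,} B -> {rate:7.2f} Mbit/s, {t:8.2f} s")
```

With these inputs the 8192-byte window caps the flow at about 0.8 Mbit/s (roughly 98 s for 10 MB), 65536 bytes gives about 6.5 Mbit/s, and only the scaled window exceeds the 1 MB BDP and reaches line rate.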
Thursday, April 18, 2019
BGP Full Table Simulation
Hey everyone,
Does anyone know of a VM similar to https://www.stubarea51.net/2016/01/21/put-500000-bgp-routes-in-your-lab-network-download-this-vm-and-become-your-own-upstream-bgp-isp-for-testing/ which will allow me to simulate a full internet table for lab testing? The one linked doesn't support IPv6 and the IPv4 table has grown quite a bit since then.
Need Help/Recommendations
Hi,
First time posting. I have a project at work and am really overthinking this. Right now we have a SonicWall NSA3600, 2 stacked Dell N4064 (L3 switch) and 1 Aruba switch (L3 switch). Currently, we have all of our subnets just routing through everything; nothing is configured. We want to eliminate the bottleneck and have normal speeds again. I have a solution, which was to implement inter-VLAN switching since we have 7 VLANs w/ subnets. Would I add the 7 VLANs to the stacked switch and also the Aruba and configure a trunk, or just do inter-VLAN on the Dell and leave the Aruba as L2? I included a diagram I quickly created. Topology
Should I get one part of CCNP R&S, or take some other CCNA?
My CCNA is up early 2020, I still work with Cisco but am moving to more open source and automation. Wondering peoples experience to decide whether I should keep getting certs. Is the switch part of CCNP really difficult, or about the same as CCNA level time investment, given that people generally learn as they go and should have more knowledge after CCNA and working in the field. Or maybe there is a different CCNA track that people recommend to get some knowledge and extend CCNA without too much study outside of work?
Blogpost Friday!
It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.
Feel free to submit your blog post and as well a nice description to this thread.
Will a router set up with EIGRP route traffic from router not part of EIGRP
I'm having a friendly argument with a coworker. He thinks that a remote site router isn't communicating because it's not part of EIGRP.
I informed him that if the gateway of last resort is set to the next hop router which does have routes and happens to be a part of an EIGRP AS, it will route the traffic to a known route, thus EIGRP is not needed on the site router.
My understanding is that EIGRP is for sharing routing tables not for actual routing itself. He insists that if traffic that’s not coming from a router configured with EIGRP it will be dropped.
Am I misunderstanding EIGRP?
Password recovery or factory reset for switch and 3 APs
Hello,
Successfully set up a switch and 3 APs
However, I wrote the password wrong or forgot it...
I Google-searched some password recovery steps and I am not getting anywhere.
Switch model US-24-250W
UAP-AC-HD-US Wave 2 Enterprise Wi-Fi Access Point
Could someone please send me a site with the steps for this password recovery. I don't mind setup to factory default and start from scratch.
I tried with MongoDB password replacement. Not able to do it.
Thank you!
Site to Site split tunnel
Hello Fellow Nerds! (Admit it, we know how to subnet, that makes us nerds)
I have a dilly of a pickle for you. I'm currently trying to set up a remote site that has a site-to-site VPN connection to our central location. Fine, simple enough. We have the SonicWall ordered in and all I have to do is set it up. BUT WAIT. They want guest access at this location. Now, because of some mumbo jumbo, I can't just create a separate SSID for the guest wireless (Did I mention that the only hard wires are going to be to the APs and a printer?). I need to separate the guest traffic from the enterprise traffic (HIPAA thing).
Oh yea, I also don't have access to an actual switch. I'm going from a SonicWall to an Edgerouter 6P.
What I'm here to do is ask this cuddly bunch if there would be a best way to go aboot this. My current thought process is to separate everything out through VLAN's. But I need to know if you can set up Ubiquiti's AP's to segregate SSID's by VLAN.
Can you have traffic coming from the same AP go through both a VPN, and out to the open internet, based completely on SSID?
As always, any help is greatly appreciated!!
~Edit: Spelling
Wireless Site Survey Tools/Software Recommendations
Does anyone have any recommendations for software or tools to plan new wireless deployments or improve legacy ones?
Some background: My organization consists of about 70 sites of various sizes from tiny 5 person offices, up to multi-floor locations with 200 staff. Multi tenant locations are common. We currently use Aerohive APs and Hivemanager NG. We've had complaints regarding poor performance, disconnections, dead zones, speed issues, etc. Sometimes these are valid, but sometimes we simply can't recreate them on demand in order to get anywhere with Aerohive support. I do have interest in improving things, and was looking for recommendations on tools I could use for mapping and planning with the intention of improving coverage in the placement of the APs, adjusting radio power levels and avoiding interference. I also want to ensure we have the right number of APs (it seems it often just an arbitrary amount that was placed without careful consideration or any surveying of any kind).
I freely admit I am not an expert in this area, I'm the low man in a small team.
Has anyone been in a similar position, and can you offer some recommendations on tools or techniques you use to improve wifi at sites you manage or for new deployments?
Hivemanager NG has a heat mapping tool, but parts of it seem really rough, though I admit I only started digging in to it recently.
Thank you for your thoughts on this.
Can anyone recommend a portable KVM over IP solution?
I'd like a device that can capture the video output of a PC while feeding it USB keyboard/mouse input that can be accessed over IP.
I'm having a hard time finding one that works over the internet and isn't just a KVM extender running over ethernet cable.
Fed up w/ Solarwinds, what are you guys using?
Hi all,
Solarwinds is one of those products that checks all the boxes, but if you had to grade how well it does on each box, it starts to fail miserably. I'm pretty fed up with how sluggish and resource intensive it is as well as the shitty customer service / "support" that we get from them. I'm looking at maybe splitting our needs up into 2 - 3 products that do their respective areas well. I'm currently looking at AKIPS to fulfill my graphing / device tracking needs, but it doesn't really do alerting or config management. What are you guys using for alerting and config management? Anyone here use PRTG? I started to look at it, but haven't had a chance to demo it yet.
[Stories] How did you fall in love with networking?
For me guys it was the best teacher I've ever had at high school. Kind, experienced, nice. He basically inspired me and made me fall in love with networking. I started in Packet Tracer and was making YouTube tutorials for my fellow students. During exams I finished not only my own assignment but others' too (let's say about 5-6 people who I helped and basically finished their test to get the best grade).
How about you guys?
Bored engineers?
When you get bored, what sort of non-intrusive network tweaks and cleanup do you do? What sort of things do you do to the network to pass time and improve the network, if only minimally?
Thoughts on buying or leasing a block of addresses
Our ISP provides us with a block of IP addresses we use on our "DotCom" environment, but being married to the ISP because they own the IP addresses is something my management team doesn't like. We are reviewing options and one is buying or leasing a block of addresses. Does anyone have any tips on what to look out for, what to consider and what to stay away from? This is uncharted territory and I'm trying to make an effort to fully understand both options so as to avoid any gotchas down the line.
I built a small framework running FRR in Mininet for the purposes of teaching networking basics. Would like some feedback.
Some time ago, I thought it would be cool to combine FRR with Mininet for the purposes of teaching about networking and to have a playground for FRR protocols on my computer. This isn't in itself a new idea. FRR runs some tests using Mininet and the Mininet wiki also has an entry on BGP hijacking which uses quagga (the project FRR forked from) running on Mininet. The BGP hijacking demo was actually the inspiration for this project and I used some of its solutions in my project.
The project is available on GitHub: https://github.com/Wojtek242/route0.
Good starting points to see what the project is about:
What I tried to accomplish with this project is to have an easy to use framework in which I can run FRR protocols on a Mininet network. I wanted it to be easy to create new topologies and new FRR configurations. This was actually very easy to do with very little python code. I also wanted it to be easy to use for people new to networking and I hope that in conjunction with the lessons it is. There aren't many lessons available at the moment as I only wrote enough to serve as an example to get some feedback. There also aren't that many topologies and scenarios for the same reason. Ultimately, I'd like to build it up to more impressive scenarios with multiple ASes or with L3VPNs.
My questions to you are:
- Is this a useful project? Or do you think there won't be much need for this? I realise /r/networking is for professionals so obviously the readers here don't need it themselves, but I'm sure you can put it into context with other learning resources you know about.
- Is the format good?
- Is it as easy to navigate as I hoped it to be?
- Anything else you would like to say.
I'm open to any constructive feedback. I haven't sunk too much time into this so I won't be offended if it turns out to be not of any use. I myself learned a lot about FRR through this and even submitted a doc pull request to the repo so it's already been productive for me.
At the end, just one small disclaimer: I am not a network admin, technician, etc. I have no certificates. My experience with networking comes from two years of working as a software dev on network protocols.
Packet capture on Cisco 2921 won't start? Stuck on inactive?
I currently have a packet capture set up on a Cisco 2921 with the following parameters. When I attempt to run "monitor capture point start Gi01" I am returned to the enable prompt without any errors. The status will not change from inactive however.
Any ideas?
"show monitor capture buffer all parameters"
Capture buffer Cisco2921 (linear buffer)
Buffer Size : 1048576 bytes, Max Element Size : 128 bytes, Packets : 5611
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : Gi01, Status : Inactive
Configuration:
monitor capture buffer Cisco2921 size 1024 max-size 128 linear
monitor capture point associate Gi0/1 Cisco2921
"show monitor capture point all"
Status Information for Capture Point Gi01
IPv4 CEF
Switch Path: IPv4 CEF , Capture Buffer: Cisco2921
Status : Inactive
Configuration:
monitor capture point ip cef Gi0/1 GigabitEthernet0/1 both
Thank you!
Matt
Are SVIs really capped at 1gb? Even though the physical link is 10gb?
I have a 10gb physical link that is a trunk that allows traffic between 5 vlans
I see the SVIs are configured (by default) to 1gb bandwidth.
I read somewhere that the 1gb on the SVIs don't matter, that traffic will not be dropped even if it goes over 1gb. Is this true?
Tell us about the time when the automation let you down.. share your disaster story if you have one
I was talking with some of my colleagues about an automation software I want to use and which they tested and ended up not using. One of the arguments was that they were afraid that they could make mistakes and they would be propagated to everything.
Did you have such experiences? How bad was it, Could you share what happened? What are you doing to prevent that from happening ? (testing, validation?)
Sales "Engineers" of the World...
... Do you really think calling me endlessly and even spoofing a local number to get me to answer is going to convince me to use your products?
/rant
Upcoming Exam
Hi group,
I recently finished all 4 CCNA modules and had a nice job offer.
They're looking for people to work on a security department, and I will be trained in CCNA security.
The problem is that I will be evaluated on the following subjects, and some of them as I understand, are part of the security curricula.
- Network Fundamentals
IP tools
OSI Model (concepts and traffic on each layer)
Networking devices (Router/Switch/bridge/hub)
Traffic types (unicast, multicast, broadcast)
Routing / Routed protocols
Distance vector Protocols and Link State Protocol
ARP
Subnetting
MTU/MSS
TCP/UDP, flags and functionalities
Fragmentation
- OSPF
LSA types
Area Types
DR
BDR
Packet types
- WAN/LAN
Routing-Table
Routing vs ARP
Routing on a stick
PPP
STP
PBR
VLAN
SNMP/NTP/DNS
- Security
Basic Networking Attacks
Types of Firewalls
IPsec VPNs
IPS/IDS
ALGs
- DHCP
DORA Process
DHCP Relay
DHCP Options
- BGP
Attributes
EBGP vs IBGP
Loop Avoidance mechanisms
Packet types
States
- Network Troubleshooting
Basic questions, how to determine a root cause based on OSI, knowledge of troubleshooting tools: packet capture, ping, traceroute, etc
- IS-IS
Concepts and basic functionality understanding
- Centralized Authentication Method/AAA
Radius
TACACS
LDAP
- NAT
Concept and types
Proxy-ARP
Port-Forwarding
PAT
NAT-T
Which concepts fall outside of what I would know from CCNA? Which of these subjects are dug deeper into with the Security course? Any resources or tips for getting a nice score? I know that if I take the training I will learn every one of the necessary concepts to a good level, but I need to land the job first.
Thanks!!!
Figuring out if the server just responds slowly
This might be a bit more /r/sysadmin question but as we all know it's always the network and you need to prove otherwise :)
Wondering if there are tools that I could run against packet capture from a server and from that figure out if the server is actually responding slowly to requests. This would be of course better to check from application logs, but the software is not managed by us and the people managing it don't seem to be that good with reading logs. They'll just tell us it's the network.
Wireshark can show round trip times for TCP sessions, but it seems I can look only at a single session at a time.
Thanks!
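One way to answer the question across every session at once, as an added example that is not part of the original post: flatten the capture with tshark (the field names and the -T fields / -E separator options are real tshark features), then measure, per TCP stream, the gap between the first byte of each client request and the first byte of the server's reply. The sample lines below are constructed; the server port is a parameter.

```python
"""Per-session server response latency from a packet capture.

Added example, not from the original post. Assumes the pcap was flattened with:
  tshark -r server.pcap -T fields -E separator=/t -e tcp.stream -e frame.time_epoch \
         -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.len
"""
import math
import statistics
from collections import defaultdict

# Constructed sample: three TCP streams to a server on port 443.
# stream  time      src         sport  dst         dport  tcp.len
SAMPLE = """\
0\t100.000\t10.1.1.5\t51000\t10.1.1.20\t443\t517
0\t100.004\t10.1.1.20\t443\t10.1.1.5\t51000\t0
0\t100.250\t10.1.1.20\t443\t10.1.1.5\t51000\t1400
0\t100.252\t10.1.1.20\t443\t10.1.1.5\t51000\t800
0\t101.000\t10.1.1.5\t51000\t10.1.1.20\t443\t300
0\t101.020\t10.1.1.20\t443\t10.1.1.5\t51000\t600
1\t100.100\t10.1.1.6\t52000\t10.1.1.20\t443\t400
1\t102.100\t10.1.1.20\t443\t10.1.1.6\t52000\t1000
2\t100.500\t10.1.1.7\t53000\t10.1.1.20\t443\t200
"""


def percentile(values, p):
    """Nearest-rank percentile of a non-empty list of numbers."""
    s = sorted(values)
    return s[max(0, math.ceil(p / 100 * len(s)) - 1)]


def server_response_times(fields_text, server_port):
    """Return latency statistics for 'first request data -> first reply data'.

    A request is the first client->server segment carrying payload; the
    response is the next server->client segment carrying payload in the same
    tcp.stream. Pure ACKs (tcp.len == 0) and continuation segments are ignored,
    so the result reflects how long the application took, not the network.
    """
    pending = {}                      # stream -> timestamp of unanswered request
    per_stream = defaultdict(list)
    for line in fields_text.splitlines():
        if not line.strip():
            continue
        stream, ts, src, sport, dst, dport, tlen = line.split("\t")
        ts, tlen = float(ts), int(tlen)
        if tlen == 0:
            continue
        if int(dport) == server_port:
            pending.setdefault(stream, ts)          # keep the first request segment
        elif int(sport) == server_port and stream in pending:
            per_stream[stream].append(round(ts - pending.pop(stream), 3))
    deltas = [d for ds in per_stream.values() for d in ds]
    return {
        "samples": len(deltas),
        "median_s": statistics.median(deltas) if deltas else None,
        "p95_s": percentile(deltas, 95) if deltas else None,
        "max_s": max(deltas) if deltas else None,
        "unanswered": len(pending),               # requests with no reply in the capture
        "per_stream": dict(per_stream),
    }


if __name__ == "__main__":
    print(server_response_times(SAMPLE, server_port=443))
```

A high median or p95 with healthy TCP round-trip times points at the server; a large "unanswered" count points at requests that never got application data back.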
Need help with AOC/DAC QSFP to 4x SFP+ breakout cable
I am looking for a solution to link an Oracle Ethernet Switch ES2-64 with a Cisco Meraki MS320-24 Switch using a QSFP to 4x SFP breakout cable.
I'm concerned about the incompatibilities of Oracle vs Cisco Meraki when using DAC or AOC breakout cables. I want to avoid the transceivers and MTP to 4x LC breakout cable route as I really need a short 2m run for this and I believe the AOC/DAC solution is the cheapest.
Anyone in a similar situation?
Cisco c1111-8p question
So I have a fiber hand off from the provider and that only works in one of the routed/SFP ports Gi0/0/0. I was hoping to utilize this as an edge router/DMZ switch but unless I get Ethernet from the provider and create a 'dmz' vlan I don't see how I can with the hand off being Fiber. The end goal is purely to have a couple devices on the edge with public IPs (no NAT) and routing all in one.
Can someone keep me honest?
Intermittent ERR_CONNECTION_REFUSED issues
I am the network engineer for our company, and over the past month, we have had intermittent ERR_CONNECTION_REFUSED errors (on our wired connection, at times, when opening a new Chrome tab, we get the "Aw Snap", but after refreshing, it loads just fine). On wired, I experience this issue around 10 times/day. We also use an EHR application with tablets not provided by our company, but by the vendor using an app they have developed. The way they have developed the app, any time there is an "ERR_CONNECTION_REFUSED" error, the page shows "Oops", and the tablets have to be manually refreshed. The tablets are wireless on our production network. Previously, we had used our guest network (same AP, but a route map on our access switches going out a different circuit), and had the same issue. This has caused a lot of issues with patients and clinic staff's time as they have had to constantly refresh the tablets or hand out a different tablet. We have a Cisco environment, and have looked into our ASA to see if there are any logs, of which there were none. We do not seem to have any browsing issues using a different browser, but these tablets were specifically designed to use Chrome. We have ruled out Firepower, and we have not maxed out our translations (~23000 out of 65000). We use Meraki Access Points, and have not been able to find anything in the logs (other than 802.11 associations and disassociations, and DHCP information, I have not been able to see much in the event logs), but since it's happening on wired connections, I am beginning to rule out that this is a wireless issue.
As another test, at a couple of sites, we have removed the tablets completely off our production network, and I enabled the 2.4 GHz band on our guest Comcast/Spectrum modems. Since that move, those specific tablets have not had any of the issues mentioned above. So the question, has anyone seen or experienced this issue? TIA for your advice and recommendations.
I’m in need of a pretty simple drop in VPN solution. This is not for anything malicious.
I looked into turning a Raspberry Pi into a VPN but that solution wasn't ideal for me. I found the Amplify Teleport basically does what I need but it appears to be a combo package that requires an Amplify router. I need something that is ideally easy to set up and works with most routers without having to deal with too much in the way of port forwarding.
Basically a device that I hook up to the router and then VPN in from somewhere else.
I keep coming up dry with my searches so if there is a better search term for such a device, that would be helpful.
Thanks in advance!
Not getting bored of networking
Hi everyone, I am just getting started with networking and the only thing I've done lately is to read about networking. But I feel like I will not only learn less but also get bored faster if I don't do any practical work. But I don't know what to do; what actual networking can I do without the possibility to spend money on switches, routers etc.?
Thanks in advance!
Searching for a basic Cisco teaching curriculum
I've been tasked with potentially teaching a group of blue-collar type union workers the basics of Cisco. These are smart guys, but at the end of the day they're not your typical Cisco user. They may or may not ever even actually use the knowledge; it's more about showing Team A what Team B does so that there's a better understanding of everyone's roles, promoting better teamwork, etc.
To that end, I'm wondering if anyone has suggestions for a ready-made Cisco teaching curriculum, free or paid. The course could potentially go up to 3 days, not quite CCNA level but perhaps I could take a CCNA curriculum and cut out the parts I don't need (routing, for example, is not relevant; this particular environment only cares about switching).
I'm also going to look into established IT training companies such as Global Knowledge, but wanted to see what we could do in-house first. Thanks!
Sanity check: Dell M1000e Chassis; Dell I/O Aggregator switch; Access Lists
Hello,
I have six Dell I/O Aggregator switches, running OS version 9.13(0.0), in a couple of Dell M1000e chassis. I have a couple of issues, hoping someone could provide input.
I am trying to apply ACLs for the VTY lines and SNMP.
- SNMP v3 groups support the "access" parameter, taking an access-list.
- SNMP v3 users support the "access" parameter, taking an access-list.
- There does not seem to be any method of creating an ACL
- VTY lines don't have a method to apply an ACL
So... does this platform just not have ACL functionality? Or, perhaps this would be handled in the CMC?
Twice NAT translations
When configuring twice NAT for things like a VPN to overlapping subnets, how do you tell what exactly your inside IP gets translated to? Also, how do you ping across the tunnel to an address of say 10.0.0.5 if that's also your local subnet?
Leasing Zayo Dark Fiber on verge of acquisition
Hey all,
What are your thoughts on leasing Zayo dark fiber in the NY metro area on the brink of them being purchased.
What are the risks, potential headaches I could run into?
Thanks
/30 and /28 Cisco ACL
Good morning,
My question is about ACLs, and how they apply to multiple interfaces on the same device. My ISP has given me a /30 and a /28 address. I will be putting a Cisco router out front, followed by a Meraki. At this point I'm thinking the WAN (Gig) interface of the Cisco will have the /30 address assigned, and the VLAN10 interface will have the first usable address of the /28.
I will have the Meraki connected to an interface off VLAN10 with the second usable IP address, and do all firewall/NAT things on that device. The Meraki's DFG will be the VLAN10 interface IP.
int gig8
 desc *** ISP /30 Physical ***
 ip address 30.30.30.30 255.255.255.252
int gig7
 desc *** ISP /28 Logical ***
 switchport access vlan 10
int vlan10
 desc *** ISP /28 Physical ***
 ip address 28.28.28.1 255.255.255.240
ip route 0.0.0.0 0.0.0.0 30.30.30.31
ip access-list extended OutIn-Test
 remark *** ISP /30 WAN IP ***
 permit tcp any host 30.30.30.30 eq 22
 permit icmp any host 30.30.30.30 echo
 permit icmp any host 30.30.30.30 echo-reply
 permit icmp any host 30.30.30.30 time-exceeded
 permit icmp any host 30.30.30.30 unreachable
 permit icmp any host 30.30.30.30 traceroute
 deny ip any host 30.30.30.30
 remark *** ISP /28 WAN IP ***
 permit tcp any host 28.28.28.1 eq 22
 permit icmp any host 28.28.28.1 echo
 permit icmp any host 28.28.28.1 echo-reply
 permit icmp any host 28.28.28.1 time-exceeded
 permit icmp any host 28.28.28.1 unreachable
 permit icmp any host 28.28.28.1 traceroute
 deny ip any host 28.28.28.1
 remark *** ISP /28 ***
 permit ip any 28.28.28.0 0.0.0.15
If I were to apply this ACL to the /30 inbound -- would this include VLAN10? Or, would I need to apply this ACL to VLAN10 inbound also? Or, to save cycles, should I break this into (2) different policies and apply inbound to the respective interfaces?
(I'm not married to the ACL at the moment -- if there's something I've overlooked or should/should not include, please let me know)
Thanks in advance!
EDIT: Added fictitious interface addresses to help visualize
Backblaze/general routing table performance problems?
I'm trying to configure my Windows routing table to allow Backblaze to circumvent my VPN by adding static routes to each of Backblaze's published server addresses.
I added each address to the routing table, bound to both my default (local) gateway, and physical network adapter.
ROUTE ADD 162.244.56.0/21 192.168.1.1 METRIC 2 IF 14 -p
Now my backblaze traffic is successfully bound to my physical network card, but my performance drops from ~15-25mbps up to ~1-5 when my VPN is connected.
Is there something silly I may have forgotten?
Backblaze uses a windows service, rather than the desktop client itself, to do the actual uploading, so I don't know how else I can bind it to the desired interface.
Update: setting up WiFi at university in rural Uganda
After the overwhelming amount of replies (thank you!!!) to the previous post I wanted to give you a quick update on where the project stands. The original post made me realize how little I knew, and how helpful it would be to a) get more information on what their current setup looks like and b) to have someone on board that has done this stuff before. Since that original post I've been talking and working with /u/SuperQue, who like me happens to live in Berlin and is very (very) experienced in basically any kind of network stuff. So, together with him I've been trying to figure out how to deliver this project.
Basically, we spent the last week or so information gathering and doing some planning. It was clear that we needed more information in order to move forward. We initially assumed that there was not much of a network, and we would have to do most of it ourselves. We started designing for a completely independent Unifi network that would handle all WiFi needs. What we designed came in at around €3000.
But, we were both very uncomfortable trying to plan network changes without involving people there. It was very likely that we would be overbuying, or that we had assumptions that were just not true.
Eventually we were able to get in contact with the network administrator at Gulu University (it took some political maneuvering). He sent us their network documentation, and some photos of what's on site. It turns out things are vastly different from our expectations.
Here's what's available on their network (this is all /u/SuperQue by the way, not me 😁):
Core:
- Cisco ASA 5525-X
- Cisco C3850 24-port fiber distribution switch
Edge:
- Cisco 2960-X (No PoE, sadly)
Wireless:
- Aruba 7010 controller
- Aruba AP-215 - 6x (Indoor 11ac)
- Aruba MSR2000 - 8x (Outdoor 11a/n)
There are basic UPSs attached to all of the distribution switches. I haven't confirmed what kind of backup power they have in their NOC.
From what we've been told so far, 90% of the buildings are covered by their fiber network backbone. This is supposedly working ok, except for likely poor setup of the ASA. The network admin said that it was installed by someone else, but the University was given no training on how to maintain it.
But, the wireless is "not functioning". The network admin said that they had a WiFi range of 5 meters from the access point, so they had coverage issues (as he put it). My first obvious guess is that the APs just aren't getting adopted by the controller, or there is some other problem with the controller. We've been told that the MSR2000 APs have always been mostly useless and that the coverage they provide is minimal.
So my new tactic is to see if we can revive the Aruba gear.
- Get access to the Aruba controller.
- Find out what release they're on and debug whatever is wrong with it.
- Likely old release, research upgrading to ArubaOS 8.
- Price out a second 7010 so they have more capacity and failover.
- Price out replacement outdoor Aruba APs (AP-275, AP-365) for the old MSR2000 (I've been told that they probably won't work with ArubaOS 8)
- Price out additional indoor Aruba APs.
Other ideas:
- Research replacing the 7010 with a virtual controller setup. This way they can run the controller on commodity hardware.
- Used (ebay?) source a second 7010 (~700 EUR) for backup + capacity.
- Used source slightly outdated APs.
If it turns out the 7010 is a lost cause, we will go back to considering the Ubiquiti replacement plan. The cost to repair with Aruba is now more than the cost to replace the whole setup with cheaper gear.
It's a difficult decision, given that the most basic Aruba APs are three times the cost of Ubiquiti. /u/SuperQue has experience with Aruba gear, and knows how and why it's better for this kind of campus network. But we would have to use all our cash just to replace the 8x outdoor APs with newer models. This would probably improve coverage anyway, as they're much better MU-MIMO radios.
Any help on sourcing Aruba APs either in Uganda or Germany, especially if we can get EDU discounts, would be amazing.
Finally, we're on a very tight planning timeline here, and whether or not the original timeline is feasible (to install everything by early May) is very much questionable. There are other parts that need to be done as well, for example the selection & installation of the server, and the pre-loading of that server with relevant videos. The tip to consider YouPHPTube for the video part of this project was extremely helpful, I've installed it with docker compose and I think this will be the basis on which we build this project. Anyway, thank you so much for all your input, it was extremely helpful and the project is in a much better place because of it!
Traceroute to google.com
Traceroute to google.com shows a few unnamed addresses at the last few hops and I was wondering if there is a way to locate them (more specifically than just UK, which they clearly are since the delay is pretty low).
eg.
193.62.157.22 (193.62.157.22) 17.793 ms 15.769 ms 15.752 ms
108.170.246.161 (108.170.246.161) 5.174 ms 108.170.246.129 (108.170.246.129) 5.181 ms 5.131 ms
216.239.57.115 (216.239.57.115) 5.131 ms 5.050 ms 5.029 ms
lhr25s01-in-f4.1e100.net (216.58.213.68) 5.254 ms 4.833 ms 4.817 ms
And searching all these IPs tells me they are in the US, which I highly doubt.
Network engineer toolbelt?
Looking for a half decent toolbelt to fit all my networking tools. Think crimper, USB to rj45, punch down, couple screwdrivers, Stanley knife, cable tester.
Had a brief look on amazon (UK) but couldn't find anything specifically for network engineers.
Anyone have any recommendations? I'm bored of running up two flights of stairs realising that the bit of kit I need is in the basement...
Aruba for small environment (4-8 AP), AP and management choices
I'm currently trying to inform myself about the options for the following environment:
Two story concrete building (each level 250m²) with a large open garage on the ground level (700m²). Maybe I can get away with 4-8 APs.
Usually low people count and throughput. Will need two wireless networks (internal and guest). Wifi roaming required, should be a simple, low cost and maintenance solution.
So I came across Aruba APs, which seem not that bad. But I'm still having a hard time wrapping my head around it.
- seems they have controller and cloud based APs, or with internal and external controller (RAP/IAP)
- what's the lowest cost, possibly without cloud solution?
- Are their wifi software controllers freely available or is there any free/open source alternative? (?Aruba Mobility Controller/ArubaOS)
Ubiquiti is also an option, but I'd like to get a rough overview of the market.
AnyConnect Perfect Forward Secrecy
I am trying to raise my score on SSL Labs for our ASA VPN device (running ASA 9.9(2)), with AnyConnect clients 4.5.03040
The SSL settings are set as follows:
ssl server-version tlsv1.2
ssl cipher default custom "AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "AES128-SHA:AES256-SHA:DES-CBC3-SHA"
Would the following work:
ssl server-version tlsv1.2
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256"
ssl cipher dtlsv1 custom "DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA"
ssl dh-group group14
From my ASA:
Result of the command: "show ssl ciphers all"
These are the ciphers for the given cipher level; not all ciphers are supported by all versions of SSL/TLS. These names can be used to create a custom cipher list
ECDHE-ECDSA-AES256-GCM-SHA384 (tlsv1.2)
ECDHE-RSA-AES256-GCM-SHA384 (tlsv1.2)
DHE-RSA-AES256-GCM-SHA384 (tlsv1.2)
AES256-GCM-SHA384 (tlsv1.2)
ECDHE-ECDSA-AES256-SHA384 (tlsv1.2)
ECDHE-RSA-AES256-SHA384 (tlsv1.2)
DHE-RSA-AES256-SHA256 (tlsv1.2)
AES256-SHA256 (tlsv1.2)
ECDHE-ECDSA-AES128-GCM-SHA256 (tlsv1.2)
ECDHE-RSA-AES128-GCM-SHA256 (tlsv1.2)
DHE-RSA-AES128-GCM-SHA256 (tlsv1.2)
AES128-GCM-SHA256 (tlsv1.2)
ECDHE-ECDSA-AES128-SHA256 (tlsv1.2)
ECDHE-RSA-AES128-SHA256 (tlsv1.2)
DHE-RSA-AES128-SHA256 (tlsv1.2)
AES128-SHA256 (tlsv1.2)
DHE-RSA-AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
DHE-RSA-AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
DES-CBC3-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
RC4-SHA (tlsv1)
RC4-MD5 (tlsv1)
DES-CBC-SHA (tlsv1)
NULL-SHA (tlsv1)
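A way to check a proposed cipher string before pushing it, as an added example that is not part of the original post: parse the "show ssl ciphers all" output (reproduced above as constructed input), then flag which suites in a custom list are not offered for the chosen protocol version, which lack forward secrecy (no ECDHE-/DHE- key exchange), and which are known-weak (RC4, DES/3DES, NULL, MD5). The two cipher strings from the post are used as the inputs.

```python
"""Audit ASA custom SSL cipher lists for forward secrecy and weak suites.

Added example, not from the original post. Input is the text of
"show ssl ciphers all" plus the space- or colon-separated strings used
in "ssl cipher <version> custom ...".
"""
import re

# Constructed from the post's "show ssl ciphers all" output.
SHOW_SSL_CIPHERS_ALL = """\
ECDHE-ECDSA-AES256-GCM-SHA384 (tlsv1.2)
ECDHE-RSA-AES256-GCM-SHA384 (tlsv1.2)
DHE-RSA-AES256-GCM-SHA384 (tlsv1.2)
AES256-GCM-SHA384 (tlsv1.2)
ECDHE-ECDSA-AES256-SHA384 (tlsv1.2)
ECDHE-RSA-AES256-SHA384 (tlsv1.2)
DHE-RSA-AES256-SHA256 (tlsv1.2)
AES256-SHA256 (tlsv1.2)
ECDHE-ECDSA-AES128-GCM-SHA256 (tlsv1.2)
ECDHE-RSA-AES128-GCM-SHA256 (tlsv1.2)
DHE-RSA-AES128-GCM-SHA256 (tlsv1.2)
AES128-GCM-SHA256 (tlsv1.2)
ECDHE-ECDSA-AES128-SHA256 (tlsv1.2)
ECDHE-RSA-AES128-SHA256 (tlsv1.2)
DHE-RSA-AES128-SHA256 (tlsv1.2)
AES128-SHA256 (tlsv1.2)
DHE-RSA-AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
DHE-RSA-AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
DES-CBC3-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
RC4-SHA (tlsv1)
RC4-MD5 (tlsv1)
DES-CBC-SHA (tlsv1)
NULL-SHA (tlsv1)
"""

# The post's current string and the two proposed strings.
CURRENT_TLS = "AES128-SHA:AES256-SHA:DES-CBC3-SHA"
PROPOSED_TLS12 = ("ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 "
                  "DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 "
                  "ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256")
PROPOSED_DTLS = "DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA"

LINE_RE = re.compile(r"^\s*([A-Z0-9-]+)\s+\(([^)]*)\)\s*$")


def parse_show_ssl_ciphers(text):
    """Map cipher name -> set of protocol versions the ASA offers it for."""
    supported = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            supported[m.group(1)] = {v.strip() for v in m.group(2).split(",")}
    return supported


def classify(name):
    """Forward secrecy needs an ephemeral key exchange (ECDHE-/DHE- prefix);
    plain RSA key-transport suites let a later key compromise decrypt
    recorded sessions. Weak suites are flagged with a reason."""
    weak = None
    if "NULL" in name:
        weak = "no encryption"
    elif "RC4" in name:
        weak = "RC4"
    elif "DES-CBC" in name:
        weak = "DES/3DES (64-bit block)"
    elif name.endswith("MD5"):
        weak = "MD5 MAC"
    return {"pfs": name.startswith(("ECDHE-", "DHE-")),
            "aead": "-GCM-" in name, "weak": weak}


def split_custom(custom):
    """ASA custom strings appear colon- and space-separated in the post."""
    return [c for c in re.split(r"[\s:]+", custom.strip()) if c]


def audit(custom, version, supported):
    """One finding per suite: offered for this version, PFS, weak reason."""
    findings = []
    for name in split_custom(custom):
        info = classify(name)
        info["name"] = name
        info["offered"] = version in supported.get(name, set())
        findings.append(info)
    return findings


def all_pfs(custom, version, supported):
    """True only if every suite is offered for the version, gives PFS, and is not weak."""
    return all(f["offered"] and f["pfs"] and f["weak"] is None
               for f in audit(custom, version, supported))


if __name__ == "__main__":
    S = parse_show_ssl_ciphers(SHOW_SSL_CIPHERS_ALL)
    for label, custom, ver in (("current tlsv1.2", CURRENT_TLS, "tlsv1.2"),
                               ("proposed tlsv1.2", PROPOSED_TLS12, "tlsv1.2"),
                               ("proposed dtlsv1", PROPOSED_DTLS, "dtlsv1")):
        print(label, all_pfs(custom, ver, S), audit(custom, ver, S))
```

Run against the post's own output, the current string has no PFS suite and includes 3DES, while both proposed strings are all-PFS and every suite in them is listed for its version.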
Not able to ping from Fortigate to Switch
Hi All,
I have been running into this problem since yesterday. Here is my setup:
I have got a FortiGate 50E and it has got a LAN interface 192.168.49.1/24 and there's a core switch (Cisco) with 192.168.49.2. VLANs configured on the switch are 49 and 50. I want to introduce a new VLAN and when I try to create a subinterface (VLAN 3 and IP 192.168.51.1/24) on the LAN interface in FortiGate and give the VLAN interface IP on the core switch as 192.168.51.2, I'm unable to ping from core to FortiGate (newly created subinterface 192.168.51.1) and vice versa. Can somebody help with this? I have created a DHCP scope on the FortiGate itself and for other VLANs it's on the core switch. Am I missing something? I have tagged the new VLAN on the interface which is connected to the firewall interface. Also, there is a default route from core to FortiGate (0.0.0.0 0.0.0.0 192.168.49.1).
Please help!
Cisco Nexus spanning tree issue
Have a weird situation with an N5k stack and wanted to get thoughts - particularly around Bridge Assurance - have read the docs but cannot quite work out where I am going wrong.
Have a pair of N5k switches running os 7.x (sw01 and sw02). The pair are configured with vpc and are all seemingly operational with no issues.
I am trying to hang another standalone nexus (sw03) off of sw02 as for a project I have to temporarily connect some additional devices.
I have configured a standard port channel with spanning tree type network set on both ends of the po. When I bring the link up, sw02 goes into FWD state, however SW03 goes into BKN p2p BA_inc state for all VLANs.
From researching this, it appears to suggest Bridge Assurance inconsistency. However, BA is enabled on both sides by default, and I have defined the po as type network which I understand is required for BA.
I can’t quite get my head around what could be causing this, and there doesn’t seem to be too much about BA_inc online, other than the normal suggestion that it is enabled on one side and not the other, therefore does not receive BPDU from the other switch.
All switches are running rpvst+ and configuration is largely default.
Hoping someone can offer some wisdom here, or perhaps I have missed something obvious.
Thanks
VPN Issues - Port 500 possibly being blocked?
I have a crappy RV042 in the UK connecting to a customer's Peplink firewall in Hong Kong with a S2S VPN. Since the weekend they have been complaining that the VPN has been going up/down and they have had to reboot their Peplink device 3 times.
On our side i am seeing this:
ERROR: asynchronous network error report on eth1 for message to xxx.xxx.xxx.xxx port 500, complainant xxx.xxx.xxx.xxx: Connection refused [errno 146, origin ICMP type 3 code 3 (not authenticated)]
I have searched for this error, but nothing concise is coming up. Is it possible that there is something in the way blocking port 500, hence the VPN not completing? Our side is connected directly to the internet, no NAT, and is behind a router we own and manage (all our infrastructure).
China Telecom / CN2 Modems
Does anyone have any experience with China Telecom and specifically their CN2 network?
At present we're using a couple of 'general' CT lines, both of which have come with a Huawei EchoLife modem which from the spec sheets seems to be rated for around 5 users, whereas we have nearly 200.
I'm obviously struggling with the language barrier but I've been advised that even if we move to their CN2 network we are likely to be assigned a similar sized modem that we wouldn't be able/allowed to change - I'm not sure if I'm being fobbed off or not so would appreciate if any of you have any experience in this area or advice on how you've dealt with the legal requirements in China
Thanks
Changing link-local IPv6 address, DHCPv6 IAID and DHCPv6 Client DUID
Hello all
I am a newbie to IPv6 or networking overall, and I was wondering if it is possible to change the link-local IPv6 address, DHCPv6 IAID and DHCPv6 Client DUID for an Ethernet connection? (Windows 10)
So far I have managed to change the DUID in registry editor: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
But this is only working for WiFi adapter and the DUID for the Ethernet has not changed to my input value.
Any sort of help will be appreciated. Thanks!
How do you store information about your network?
Hi guys,
I'm just wondering, in every company where I've been working, every IT person is storing information about network/LAN devices in Excel, I mean plain text. Ok, several of them are storing passwords in KeePass at least.
What is your experience? How do you store your data about your kingdom routes?
Obtain GateWay without DHCP or prior network knowledge?
Hi,
I'm doing a project for school and was wondering if anyone knew whether it is possible to obtain the default gateway (only MAC is required) without prior network knowledge or DHCP? If not I'll have to resort to broadcasting everything which is ugly and messy.
I'm in a man-in-the-middle position, so listening to traffic is not a problem. I was thinking ARP, but cannot find a consistent way of determining the gateway. Something like TCP is also not very reliable, because it only will have gateway MAC if the request is sent outside of subnet.
The man-in-the-middle is achieved with brctl, so I have a list of MAC addresses in which the gateway is always present, looks something like this:
port no  mac addr           is local?  ageing timer
3        00:00:5e:00:01:c9  no         0.11
3        00:01:6c:40:2d:94  no         0.53
3        00:01:6c:40:4f:a3  yes        0.00
3        00:01:6c:55:3a:72  no         55.33
3        00:02:b3:8d:48:a7  no         0.53
3        00:0a:e4:2f:53:bb  no         0.59
3        00:0b:82:0a:bc:cc  no         16.98
3        00:0c:29:07:3e:de  no         9.12
Been cracking my brain over it for a few days now, but have not yet found a reliable way to achieve this. Anyone an idea (or can say for sure it's not possible)?
Thank you!
Wednesday, April 17, 2019
Clarification on MTU/MSS for Cisco Router with PPPoE DSL & IPsec VPN
Hello,
I have some Cisco 800 series routers that I took ownership over and my predecessor seems to have followed a guide similar to this for configuring MTU and MSS: https://www.networkstraining.com/adjusting-mss-and-mtu-on-cisco-800-routers-for-pppoe-over-dsl/
I know these questions have probably been asked many times, but I need someone to elaborate further because I have read countless articles and nothing is clicking for me.
Can you please confirm some things for me:
1) When dealing with IP MTU, the MTU actually refers to the maximum size of the IP datagram (IP headers, data payload), and link-layer protocol headers and Ethernet headers are not included, correct? So a 1500 byte MTU is actually 1518 bytes with the Ethernet headers.
2) When dealing with PPPoE, most guides mention the preferred MTU is 1492 bytes. So my understanding here is that when setting MTU to 1492 you are basically limiting the IP datagram (IP headers, data payload) to 1492 bytes, while 8 bytes remain for PPPoE DSL headers (PPP 2, PPPoE 6) and the 18 bytes of Ethernet headers are not counted. Is this correct?
3) So when we start throwing IPsec VPN (esp-aes 256 esp-sha-hmac) into the mix, should I now be lowering my MTU on the dialer interface even more, and how much should I account for? My predecessor has the dialer interface on the Cisco 800 series configured as IP MTU 1452, but still has the MSS on the VLAN interface as 1452.
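The byte accounting behind questions 2 and 3, carried through as an added example that is not part of the original post: the PPPoE overhead gives 1492, the clear-text MSS follows as 1492 - 20 - 20, and for the esp-aes 256 esp-sha-hmac transform the ESP tunnel-mode overhead (outer IP, SPI/sequence, 16-byte IV, CBC padding of the inner packet plus 2-byte trailer, 12-byte SHA1-96 ICV) decides how large an inner packet can be before the encrypted packet no longer fits in 1492. Header sizes are standard values assumed here; NAT-T's extra 8-byte UDP header is an optional parameter.

```python
"""Byte accounting for IP MTU and TCP MSS on PPPoE DSL, with and without IPsec.

Added example, not from the original post. Overheads assumed here:
PPPoE 6 B + PPP 2 B, IPv4 header 20 B, TCP header 20 B, and ESP tunnel mode
with AES-CBC (16 B IV, 16 B cipher block) and HMAC-SHA1-96 (12 B ICV),
i.e. the post's esp-aes 256 esp-sha-hmac transform.
"""
import math

ETH_PAYLOAD_MTU = 1500      # Ethernet MTU; the 14 B header + 4 B FCS are not counted
PPPOE_OVERHEAD = 6 + 2      # PPPoE header + PPP protocol field
IPV4_HDR = 20
TCP_HDR = 20
UDP_HDR = 8                 # only when NAT-T wraps ESP in UDP
ESP_HDR = 8                 # SPI + sequence number
ESP_TRAILER = 2             # pad length + next header


def pppoe_ip_mtu(link_mtu=ETH_PAYLOAD_MTU):
    """IP MTU left for packets inside the PPPoE session (1500 -> 1492)."""
    return link_mtu - PPPOE_OVERHEAD


def tcp_mss(ip_mtu):
    """Largest TCP payload that fits in one unfragmented datagram of ip_mtu
    bytes (no IP or TCP options assumed)."""
    return ip_mtu - IPV4_HDR - TCP_HDR


def esp_tunnel_size(inner_len, iv=16, block=16, icv=12, nat_t=False):
    """On-the-wire size of an inner IPv4 packet after ESP tunnel-mode
    encapsulation: outer IP (+UDP for NAT-T) + ESP header + IV +
    CBC-padded (inner + trailer) + ICV."""
    padded = math.ceil((inner_len + ESP_TRAILER) / block) * block
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv + padded + icv


def max_inner_packet(outer_ip_mtu, **esp):
    """Largest inner packet whose encrypted form still fits in outer_ip_mtu,
    so the router never has to fragment the ESP packet."""
    for inner in range(outer_ip_mtu, 0, -1):
        if esp_tunnel_size(inner, **esp) <= outer_ip_mtu:
            return inner
    return 0


def recommend(outer_ip_mtu=pppoe_ip_mtu(), **esp):
    """MTU/MSS pair for traffic that will enter the IPsec tunnel."""
    inner = max_inner_packet(outer_ip_mtu, **esp)
    return {"outer_ip_mtu": outer_ip_mtu,
            "tunnel_ip_mtu": inner,
            "tunnel_tcp_mss": tcp_mss(inner)}


if __name__ == "__main__":
    print("PPPoE IP MTU:", pppoe_ip_mtu(), "clear-text MSS:", tcp_mss(pppoe_ip_mtu()))
    print("1452-byte inner packet on the wire:", esp_tunnel_size(1452))
    print("IPsec over PPPoE:", recommend())
    print("same with NAT-T:", recommend(nat_t=True))
```

With these overheads esp_tunnel_size(1452) returns 1512, above the 1492 PPPoE MTU, while recommend() gives an inner MTU of 1422 and an MSS of 1382 for traffic entering the tunnel.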
Rough cost for a single Cisco 3504 Wireless Controller LIC-CT3504-UPG license
I'm not sure if this is the correct place to post this, so feel free to remove it if not.
I am writing a report for uni and as the post states I am currently trying to find the price for a LIC-CT3504-UPG license for the 3504 wireless controller. I have spent a while searching the internet for it; I found the license for sale on multiple websites but there was no price displayed, I was only able to request a quote from these companies for the price and not see what it would roughly cost.
I was hoping someone would have a link to somewhere with the cost of the license? Or even just the rough cost of the single license.
Double wild card domains
I'm having an issue with a double wildcard sub domain. I properly set up a wildcard domain cert for my domain domain.com, so now sub1.domain.com, sub2.domain.com, etc. all have SSL. The problem I'm having is if you go to one of the subdomains with a www, like www.sub1.domain.com, then you're presented with the page from the browser that there is a potential security issue (Proceed with caution). I managed to do a redirect if the request is HTTP www.sub1.domain.com, but the problem is if the request is HTTPS like https://www.sub1.domain.com then the security page will appear. I'm not able to redirect/intercept this call. Any ideas what can be done?
I'm also using Digital Ocean for DNS networking, an NGINX server to serve all requests, and Let's Encrypt for the SSL certificate.
Alcatel L3 switch troubles
I had a program manager throw an omniswitch 6850 on my desk today asking me to configure it for a project today. I didn't think it would be quite the undertaking it has been so far. Maybe it's just me but everything seems so disjointed. The web interface has stuff all over the place. All I want to do is create a few VLANS and a few routes so they can communicate. I created the VLANS but can't seem to associate a subnet with it. I found where I can make my routes, but I keep getting a bfd error when I try to create it. I'm even having troubles getting two devices on the same network to talk. I admit, my networking could be a bit better. But I don't think I'm trying to do anything super complex.
Anyway if anyone has any suggestions, I'd certainly appreciate it.
Python concepts into Ansible
I’m hoping someone who has been in a similar situation can help me here. A little background.... I’m relatively new to Ansible - I can write basic playbooks to see Cisco IOS output, pull out some data from ios_facts, etc. Prior to attempting to automate with Ansible I learned and got comfortable with Python. I love Python in that I can do anything I need to with it.
Now, we need to scale automation across 10,000+ devices so I need a tool/platform that can accommodate that, and thus the reason for exploring Ansible. Here is what I’m attempting to do and want to know if this is even possible with Ansible and how I would go about accomplishing it:
- if/then statements in Ansible.... how can you program these? I’ve heard of conditionals and using when: but not sure if that would work in all cases (see specific example below I’ve been trying to solve)
- have a playbook execute a Python script (which I can currently get to happen) but then pull the output from that script back into the playbook for additional plays or tasks. Is this even possible? If so, how?
- parse the output from any IOS command and take action based upon the output. For example, one specific use-case I have is to look at multiple switches, show interfaces | include interface|CRC >> if any switch has CRCs, clear interface counters in that switch, wait 10 minutes and run the command again. If CRCs still increase, do something (send email, etc)
Or, am I trying to fit a square peg into a round hole? That is certainly what it feels like but I’m hoping it’s just that I’m new to Ansible. I really want to leverage the programming concepts from Python with the scalability of Ansible and create some great automation in my network. Thanks for any help!
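The CRC use-case in the last bullet, as an added example in Python (not from the post, and not Ansible's or Cisco's code): parse full `show interfaces` output into per-interface CRC counts, diff the snapshot taken after `clear counters` against one taken later, and print the result as JSON so a playbook task can register it. The two show-output snapshots are constructed sample text in the IOS layout, not captures from a real device.

```python
# Added example (not from the original post): parse Cisco IOS "show interfaces"
# output for per-interface CRC counters and report which ones are still
# climbing after "clear counters" plus a wait. The show output below is
# constructed sample text in the IOS format, not a capture from a real device.
import json
import re
import sys

# Interface header line, e.g. "GigabitEthernet1/0/1 is up, line protocol is up"
IFACE_RE = re.compile(r"^(\S+) is (?:up|down|administratively down), line protocol is")
# Error counter line, e.g. "     0 input errors, 12 CRC, 0 frame, 0 overrun, 0 ignored"
CRC_RE = re.compile(r"(\d+) input errors, (\d+) CRC")

# Constructed snapshot right after "clear counters"
SNAPSHOT_AFTER_CLEAR = """\
GigabitEthernet1/0/1 is up, line protocol is up (connected)
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
GigabitEthernet1/0/2 is up, line protocol is up (connected)
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
GigabitEthernet1/0/3 is down, line protocol is down (notconnect)
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
"""

# Constructed snapshot ten minutes later: one port is still taking CRC errors
SNAPSHOT_TEN_MIN = """\
GigabitEthernet1/0/1 is up, line protocol is up (connected)
     7 input errors, 7 CRC, 0 frame, 0 overrun, 0 ignored
GigabitEthernet1/0/2 is up, line protocol is up (connected)
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
GigabitEthernet1/0/3 is down, line protocol is down (notconnect)
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
"""


def parse_crc(show_interfaces: str) -> dict:
    """Map interface name -> CRC error count from full 'show interfaces' text."""
    counts = {}
    current = None
    for line in show_interfaces.splitlines():
        header = IFACE_RE.match(line)
        if header:
            current = header.group(1)
            continue
        errors = CRC_RE.search(line)
        if errors and current is not None:
            counts[current] = int(errors.group(2))
    return counts


def rising_crc(before: dict, after: dict) -> dict:
    """Interfaces whose CRC counter grew between two snapshots, with the delta."""
    return {name: count - before.get(name, 0)
            for name, count in after.items() if count > before.get(name, 0)}


def main() -> None:
    # Read two snapshot files given on the command line, or fall back to the
    # constructed samples so the script runs stand-alone.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            before, after = parse_crc(f1.read()), parse_crc(f2.read())
    else:
        before = parse_crc(SNAPSHOT_AFTER_CLEAR)
        after = parse_crc(SNAPSHOT_TEN_MIN)
    # JSON on stdout so an Ansible task can register it and apply from_json
    print(json.dumps({"rising_crc": rising_crc(before, after)}))


if __name__ == "__main__":
    main()
```

A playbook can run this with the script or command module, `register` the result, and test `{{ result.stdout | from_json }}` in a `when:` to decide whether the alerting task fires.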
Load balancer placement?
Building a new DMZ and it's a requirement to have a load balancer for a couple of web applications.
Would the load balancer be best placed before or after the dmz firewall?
Solutions for Ruckus R510s dropping connection while migrating APs
I have three R510s hardwired PoE (Ruckus Unleashed, no controller), but walking between them drops connection for a moment before next AP picks up. Usually not a problem, but it keeps migrating at just the wrong moment. I know Mesh technology in general solves this problem, but not sure if Ruckus Mesh handles this, and if R510s can be both hardwired and still take advantage of mesh technology? All APs give the same SSID on different frequencies... Or maybe I'm looking at the wrong solution... maybe making all APs use the same frequency? Our internet is only 100mbps, so I'm not too concerned about same frequency loss of bandwidth. Any feedback from other Ruckus users on best solutions?
Network tools for monitoring
Hi guys,
I started to work for a medium company a few months ago and I noticed that they do not take care of the network, so I have been installing some tools to help me out.
Besides Netflow, syslog and SNMP tools what else do you guys use to check the network health?
Cheers
Dan
Juniper interface ranges
So I started a new job this week and they use Juniper for switching. I've mostly used Cisco so I'm trying to figure out the Juniper way of things. When setting up a switch (EX series in this case), I've found that you can specify a range of interfaces to bulk edit similar to Cisco; however, it seems very cumbersome to change it later. Do I just delete the whole range and re-add it (this is what I've found so far but this seems wrong to me)? For example, ports 0 - 20 are on vlan 5, but later port 0 is changed to a trunk port. What is the proper way to handle this? Is there a way to edit a range of interfaces but have them still appear as single interfaces in the config (like Cisco)?
Thanks for the help!
Mail server question
I have a kind of stupid question. If my PC has no internet connection, can I still send/receive emails internally (to and from my colleagues at work)?
Advice desired for network monitoring and summary with my particular setup
I recently received notice that there was a large amount of ingress traffic (in bytes per second, not packets per second) inbound to my network port. I realized that, while I had MRTG set up on a handful of devices, I have no way to see overall where most of the traffic and packets are both going into the network and originating from (destination IP and source IP). I'd like to configure something that will allow me to view all network traffic, both within the LAN and going in and out of the network, and graph it, as well as be able to break down the largest amounts of traffic both in throughput and PPS, inbound and outbound, so I can determine what is going on.
I have the following setup:
Router: Cisco 2911 with two active interfaces; one is the port connected to the provider (BGP peer), the other is connected to the network switch;
Switch: Nortel Baystack 5510-48T (Avaya firmware) managed gigabit switch; CLI interface very similar to Cisco IOS
The switch is broken into several groups of ports; group 1 is connected to the router and is for interfaces routing out to the Internet using public IPs; group 2 is LAN only, for internal IPs and intra-LAN communication; group 3 is a secondary LAN, it's basically a secured group with strict routing that contains IPMI/Dell BMC/iLO/etc. and other potentially insecure devices and is kept isolated.
I'd like to setup a server that will be able to see all traffic coming in and out of the router on that WAN port (which all concentrates to a single port on the switch, the port the router is connected to, so that port could be mirrored) and, secondarily, also be able to see all traffic within the LAN ports group and the third "isolated" port group. The main concern is the WAN traffic, however, so that I can determine who is sending most of the traffic to the network and outbound as well, in both packets-per-second and bandwidth/throughput.
What would you all recommend for this setup? I assume I need to configure various SPAN trunk ports, with the traffic from the WAN/router port going to the SPAN trunk port; the whole group of LAN ports mirroring to it; and the group of IPMI ports mirrored to it. I am not entirely sure how I do this, I assume it's in the manual in the SPAN documentation unless anyone else is aware of anything else. Next, what software and platform is recommended? Linux with some kind of open-source monitoring software, watching the interface that is connected to the SPAN trunk port? What software is recommended for my particular needs?
Thanks in advance,
dataslanger
Building a new server
Hey guys, I work IT for a small business here in PA. We're working on a new client server for financials; I'm gonna be custom building this one, actually, and I was wondering if you guys had chassis recommendations. I was looking for a server chassis that has 6 hot swap bays and an LCD that would warn me if a fan failed or a drive failed, but I'm having trouble finding one. Any suggestions?
Cisco Meraki wants you!
I got tackled by a dog this morning, and if that doesn't scream "amazing place to work" then I don't know what does.
I'm slowly convincing my team that Reddit is a valid place to find future employees, help me show them!
༼ つ ◕◕ ༽つ Summon the candidates ༼ つ ◕◕ ༽つ
Cisco Meraki is hiring Network Support Engineers for our Chicago office (no remote options now, sorry) and would love to have you. You can reach out to me directly if you want to apply!
You can find the job info here - but if you apply, please mention in a CV that you found this post through Reddit for tracking purposes.
Made this morning's drive that much better
I don't know who you are, fellow Los Angeles driver, stuck in morning traffic, but you are my kind of person :)
Patch Panel: Modular or Not?
I'm in an ongoing process of updating the hardware in my first SMB rack. Currently only using 2 x 48 port switches, but it's a bit of a disaster, so I wanted to update patch panels & switches. I've punched panels before, but not 48 lines of existing in-place wire. Would it behoove me to go one way over the other, or is it a moot issue?
**edit** If going modular, does keystone make a difference one way or another, or just the ones with 6 ports per module?
Palo Alto 5250 | Slow Decryption
Has anyone had an issue with slow decryption through PA firewalls? We have recently moved from using a WSA in one datacenter to a Palo Alto 5250 pair in another production datacenter. There has been a measurable change in how fast video/graphic files that are served from the new datacenter environment flow through the firewall when being decrypted. When decryption is turned off all works well. We have a case open with Palo Support. So, far not a lot of progress has been made. Any experiences or thoughts on this would be appreciated.
Thanks.
Automated way to upgrade software on 500+ devices
I've been given the task of doing some software upgrades on 500+ devices. It is about a 50% split between Cisco and Juniper.
I'm thinking of automating as much as possible with Ansible and wanted to get others ideas on this.
My current thought process for what to automate is:
- Copying the appropriate file to the devices
- Running pre-checks
- e.g. show version, show bgp/ospf info, show interfaces
- Running post-check
- same as above
I'm not sure if I want to actually kick off the install process via Ansible though, since I usually do that via an out of band console server (Opengear) so I can monitor the install process and check for errors.
So yeah, wondering what other people's thoughts are? Should I try and use Ansible to initiate the software install? If so, how would I check for errors?
Approximately how much would you expect to pay for 1gbps dedicated fiber from Comcast in an on net building?
My company is out of contract with Comcast and the reseller I usually use wasn't able to give me a quote since I'm currently an active customer. I just got a quote from AT&T for $1900 / month for 1gbps (3yr contract) which is less than we're paying Comcast currently for slower speeds. I really don't want to go through the hassle of switching but I felt the AT&T quote was amazing. Although my past dealings with AT&T have also been lackluster.
What should I expect to pay Comcast for 1gbps? I'm just trying to arm myself with info before I start dealing with them directly.
Thanks!
Potentially Rogue Device
Hi Everyone,
Yesterday at my company, we had an issue where people were not able to connect to the internet. Upon further investigation, it was revealed that we ran out of DHCP leases and that a TV with Chromecast was taking up several IP addresses. It was also imitating the names of other devices that were previously connected to the network.
- Has anyone seen anything like this before?
- What are some of the possible scenarios that could explain this?
- What can be done to prevent such a situation in future?
WGU: BACHELOR OF SCIENCE Network Operations and Security legit?
I was wondering if anyone has any real experience with Western Governors University for an IT degree. I know you don't need it and can just get certs, but I feel like I am being passed on because I don't have a degree, plus I could do this after work in my spare time. I see good reviews on this place and people seem to like it. Anyone have an IT degree from them?
Looking to get to 10GBaseT affordably with my HP Procurve 5406ZL switch
I was hoping one of you can help me with a couple of questions I have regarding my HP Procurve 5406ZL network switch.
Yes - I know it's normally overkill for the home, But I'm looking to upgrade a few of my 1GB connections to 10GBase-T connections. I move a lot of larger files between the NAS, Servers and my Workstation... plus, it would be just plain cool to have.. :-)
I found that some of the zL modules (J8707A or J8708A for example) for my switch (5406ZL) can be found at a very reasonable price (~$100). Ideally what I would like is to be able to run a 10GBase-T cable from the switch to my NAS, servers and workstation, but I'm not finding HP brand X2 to 10GBase-T converters.
I have a few questions in this regard:
- Will the HP switch accept third party brand X2 converters such as Cisco or Fujitsu for example? I know I can go X2 --> SFP+ then SFP+ --> 10GBase-T but was hoping to avoid having to cobble it together like that.
- What other modules are there that will go into the switch that will get me to 10GBase-T without dropping +$1000?
If I can't find a good 10GBase-T solution, I know I can go with the J8708A module, which has 4 CX4 connectors. My question there is, would most brand name CX4 based network cards (ConnectX EN, Intel or Myricom for example) be able to connect to that module via standard CX4 cables?
Firewall for ~ 50 users
Looking for a firewall router for around 50 users for a business. I was using a Netgear ProSafe FVS 338.
Switch Advice - 10G-BaseT + MultiGig (Netgear XS724EM)
Use case: homelab / small business. Single switch. No failover topology. Will add PoE+ switch later for cctv.
Netgear XS724EM appears to be the lowest cost option (still pricey) for 24-port BaseT 1-2.5-5-10gbps. Released in early-2018.
Has anyone had positive/ negative feedback on Netgear or this switch in particular?
$1,249.99 Amazon price (sold by Amazon.com which is a Netgear certified partner)
Netgear also provides lifetime product replacement as well as free firmware updates.
I considered Cisco products but they are much more expensive, require purchase through authorized dealers, plus purchase of additional support licenses/packages to be eligible for firmware updates.
Cisco SG350XG-24T 24-Port 10GBase-T Stackable Managed Switch
Is there any other option that I am not considering?
Is Cisco really worth the additional price premium when I’m searching for nearly plug-and-play functionality and VLAN?
I’m going to make the Netgear purchase unless advised otherwise... thanks!
Would most network equipment process reserved space 240.0.0.0/4?
If for grins I wanted to run say 240.1.0.0/16 on my internal network, would most network gear process that traffic like any other IPv4 address space?
WPA2 Enterprise Solutions with User Fingerprinting
Hi all,
My school's IT is looking for a replacement for the web-based portal on PacketFence. We would like to use WPA2 Enterprise, but we need the ability to determine device type and connect a MAC address to the user's account to track their activity throughout the building.
They are currently using Extreme's wireless solution with a PacketFence portal and a Fortinet firewall to (a) monitor traffic of students, (b) isolate students devices on the network and (c) provide authenticated access using a web portal.
Is there any better option? PacketFence has gone down 8 times in the last 4 months, requiring large amounts of troubleshooting to find the issue and fix it.
Thanks!
Edit: The goal of them using PacketFence as a portal solution is to block mobile devices from getting on to the Wi-Fi at all... the school has a policy against phones and they quarantine mobile devices with it. They don't want to use the portal anymore, but WPA2 Enterprise doesn't appear to have fingerprinting tech like that.
Why is DHCPv6 needed if all IPv6 nodes support SLAAC?
I’ve been working with IPv6 since the early days of AS-SIP and I struggle to understand the use case for enterprise IT administration needs for DHCPv6.
I can understand some points on DNS, but that’s mitigated by other means which is as decentralized as SLAAC.
Coming from an industry where critical infrastructure needs to make autonomous decisions without necessarily having centralized management, it seems counterintuitive, as DHCPv6 creates a single point of failure.
What are the enterprise reasons for using DHCPv6 over SLAAC?
Stopping bot attacks on phone switch
I work at a small company with intent to grow substantially. So we've installed VoIP and now a bot is sending packet requests to our phone switch. Our firewall is blocking them but I'd like to "move the goalpost" to stop the requests. I thought to just change the port but I've read online that won't solve the problem in the long run. I don't think changing the IP address would resolve it either and that requires a new configuration of all related phones. With these phone systems it seems to be a bit more involved since it connects to a VoIP provider. Is there something typically embedded in these systems like a configuration key that would stop the requests?
No Time for Sleep - Uptime
I've been meaning to replace this switch on our network as it is long out of support (3560). It is in an inconvenient building to access out of state and has been up longer than I've worked here. We have a plan to get rid of it.
switch# sh ver | i uptime
switch uptime is 8 years, 49 weeks, 3 days, 18 hours, 55 minutes
It seems like the older stuff from Cisco had longer uptimes and fewer weird bug happenings. What is the longest uptime you've seen on a device (not just router or switch) in your employer's network? It is amusing that this thing has run for almost 9 years flawlessly. I dare not reboot it now.
Cisco ASA 5506-X
Does anyone know what wireless module will fit in the 53U WLAN slot on a Cisco ASA 5506-X? Something like this one on Amazon maybe?
https://www.amazon.com/Atheros-Ar5007eg-Ar5bxb63-Wireless-455549/dp/B00NYWV0SC
Solarwinds Alerts - HTTP Post
Hi,
We currently use Solarwinds to monitor our network, I am trying to get HTTP Posts to automate opening a ticket with a carrier who has an annoying ticket portal. I've used Postman App to test and I know my configuration is successfully opening the tickets. Trying to add this to solarwinds as HTTP Post/ cURL / HTML data returns nothing.
Does anyone know the accepted syntax on Solarwinds for these HTTP Post alerts / anyone have any examples they could share? Is there somewhere I can view the actual output that it is sending.
CumulusOS - switch choice?
Hello,
what would be your choice for a switch supporting current CumulusOS 3.x and future CumulusOS 4.x?
I need full support for EVPN, but the Cumulus Network's homepage doesn't tell me if there is a feature difference between something like a Tomahawk+ or some noname ASIC.
The hardware requirement is low: 1x GbE, 4x SFP+
Would a switch with Broadcom Helix4 be sufficient?
Regards
$36K for Internet! Is that Normal?
Hey All,
We’re in a southern state of the USA, and one of the major ISPs is quoting us on fiber. However, the monthly recurring cost (MRC) is way too high in my opinion. Below is what we have and what they are offering us for business class internet. Am I out of touch in thinking the price is very high?
Current service
- Local ISP.
- 12 x 2 Mbps at $210 MRC
- Business class internet
- Month to month
- Coax
- Lots of outages that cause downtime.
Other ISP Offering
- Major ISP
- 100 x 100 Mbps at $605 MRC ($36k over the length of the contract)
- Business class internet
- 5 year term.
- Fiber
- Need to have their switch on premise that we'd pay monthly for.
- Guaranteed 99.99% network availability.
- Will cover construction of $7k to run the line.
- Will handle all the permit work.
- SLA promise is very impressive.
We’re a small office, but rely on having a network uptime that’s very consistent. We have on premise VoIP phones, upload and download a lot of files, some files are CAD files. 10 users on the network at one time, multiple personal devices. We’re at a disadvantage as we’re in an area that’s a bit rural so services are limited to one ISP at the moment.
Thanks
Edit: thanks everyone for your input! I'm going to see if we can negotiate price on the 300 speed.
How can I find what is feeding my 3850 switch stack?
I have a Cisco 3850 stack with dual 10G fiber feeds that aren't labeled. The trunk interfaces/port channel are not labeled either. How should I go about finding where these fibers go or what feeds it? If I can get any information on the device that's on the other side that would be a huge help.
sho cdp neighbor only returns a bunch of APs and IP phones; no switches or routers. The device on the other end is probably something Cisco but could also be Juniper. Any help is appreciated.
I've been googling but maybe I'm not educated enough to understand these articles I'm finding.
Cisco CTIOS Toolkit
Hello,
Would anyone know where I can download or buy the Cisco Toolkit CD/ISO? I have been looking everywhere for it and I can't find it anywhere. Any help would be greatly appreciated. It wasn't on Cisco's website either (at least I don't think so). Thank you.
Help with understanding outside connection
I was documenting our network and came across a weird configuration. Wondering if any of you can help me understand it or if it is normal practice. Our outside switch has two public IP blocks. One is a /30 and the other is a /128. The outside switch configuration has the default gateway set to /30. Our firewall has a /128 address. Is there any reason for this configuration. Why even use the /30 block?
New Next Gen Firewall for Home & Small/Med Business
Hey guys, I wanted to get a post out regarding a hardware firewall I have been working on for the last 4.5 months. As of today, it is about 95% complete. Here is a little bit about it. The intended market is standard consumers and small businesses. It is entirely plug and play with default security features, with only the default user/pass needing to be changed if you are not tech savvy.
Its primary security feature is a DNS proxy. All signatures are maintained by myself and can be updated from my servers along with system updates, through the updating feature.
The DNS proxy includes some standard categories like social media, p2p, drugs, etc. as well as malicious, crypto miner (browser hijacks), advertisements, and telemetry.
Along with the standard categories is a keyword search function that I will maintain and that will look for keywords in domains; this will only be active if enabled and only for enabled categories.
Lastly, TLD blocking is included, which is a list of top known TLDs associated with high amounts of malicious traffic/domains.
There is also a feature to allow up to 5 user created categories.
Of course with all this is the ability to whitelist/blacklist any domain, or bypass most filters based off of IP address. The intended use case for IP whitelist is to apply parental filters and then whitelist parents' IP addresses in conjunction with a DHCP reservation. When an IP whitelist is used, all of the malicious related categories will still be filtered.
I am still working on the ability to apply internet cut off times to be used with curfews.
I don't want to make this too long so I will just list out a few things of interest to close. The DHCP and DNS server are custom developed for this system; it is all programmed in Python 3.7+. The hardware will be an ESPRESSObin (also used by pfSense) which, based on my test, handles about 650 Mbps throughput while the inspection engines are running. Standard stateful firewall rules can be made as well as port forwarding. The targeted price is $100 for initial release and $130 thereafter. A subscription will not be required for the updates.
Lastly, the back end is entirely open source and free to download/use from my GitHub. If you are a power user the repo version would be all that is needed. The only difference is no front end, and I do not provide lists other than the 3 malicious lists, which are also open source and maintained by a 3rd party. It has currently been tested at 10G traffic rates, with about 250 users, and 160k daily DNS requests (CMD version on beefy hardware).
link: https://github.com/dowrighttv/DNX-FWALL-CMD
Let me know what you guys think, and if there is anything else that you might like to see before I wrap this up.
Tech demo can be seen here: https://youtu.be/6NvRXlNjpOc
Palo Alto P2MP options/alternatives
I'm running my head through my keyboard a bit trying to create a solution for a seemingly common problem.
I have 65 routers at remote locations that currently each have Cisco 887s that each build their own IPSec tunnels using crypto maps to connect to an ASA5510.
I am working on replacing this whole setup with Cisco 881s at the distant end and having them come back through a different network entirely via a Cisco Edge Router, Palo Alto Firewall, then a Cisco 1001X (which we have a redundant setup for as well).
My goal is to minimize the amount of static routes and actual tunnels created and avoid putting any public IP addresses behind the firewall. What is best practice on how to do this?
I have been playing with a few different ideas on how to do this, such as putting DMVPN (leaving out NHRP, I don't need that capability) on the internal Cisco 1001X. But I don't know how to do that without putting a public IP there.
The other option I had was to run everything to the Palo Alto, but I don't see an option to run anything like mGRE or P2MP there, so I would have to make 65 individual IPSec tunnels, which I would like to avoid.
Enterprise 10G CPE Router???
Hello,
We are a medium sized non-profit running a datacenter and fiber network in a municipal area, and I am looking for advice on some options. We currently have RB-2011 Mikrotik routers as CPEs handling each of our customer sites. However, since we are doing a network upgrade for a particular customer, I was wondering what would be some router models that we should look at. I'm looking for a router that can handle 10G SFP+, preferably that has two of these, but depending on cost we could get by with one.
The customer in question is looking to do HD video/audio editing, as well as streaming, so I want to reduce the latency and increase the capacity as much as possible. Are there any routers out there that we should be looking at? Keep in mind that we are a non-profit so our budget is lower... not miserable, but lower.