This pic is on the third floor in an interior telecom closet - (not on an exterior wall) - the water was leaking down here onto the gear
This pic is the entry point, three floors down.
Dont know how water would get inside here inbetween these two points? Condensation seems odd?
I decided that I needed more color and opted for this solution, but now that I need yo connect it, I'm having some doubts about its security.
I have my ISP router used only to connect it to the Internet, this router has WiFi off and in the LAN1 port it is connected a second (my own) router. This one has all the devices connected either by lan or WiFi.
I thought it would make it more secure if I connected the philips brige to the ISP router, is this just being paranoid or should I care? If I get it right it need Internet access to allow me control lights and eventually devices while out of home. However I won't use this functionality but rather use my phone yo control the lights while at home.
Is there a smarter, more secure solution?
Looking for any recommendations for a alternative to RJ45 for connectors on a ceiling. The problem is the RJ45 connectors are to easy to break or pull out of the jack. Looking for something that preferably has some sort of locking connector and can still be self terminated.
Hello,
Just curious if anyone knows of a firewall vendor/model for an Azure VA that can handle subnet overlap across multiple IPsec tunnels without doing 1:1 NAT? ADC's seem to do this pretty easily via overload or pools, I was surprised that Palo Alto and CheckPoint can't do it. I'm averse to Cisco (paying for the name in this use case) and Fortigate (worst support of my career) but if they're the only game in town, so be it.
hoping some UTM/NGFW (or whatever the cool term is this week) out there can handle this.
Hi, folks!
I'd like to promote a useful tool I've wrote to query text configurations of network devices called 'netcop': https://github.com/andriyanov/netcop
It can be useful to extract data or analyze network configs with a simple Python script. For instance, you have to find out which of your devices miss the mandatory configuration statement. Or you have to replace one VLAN by another on any interface which it is used as a native.
If interested, check it out. I would really appreciate any feedback on this.
Hey guys, I recently made a little home lab. I’m using a dell poweredge 24u rack with HP Proliant 380 g6, a Cisco 2960x, APC ups, and smart PDU. I plan on adding in more equipment to lab, however Im noticing noticed the rack is filled with ESD (electric static discharge) all over!
I know I can wear a antistatic strap when working inside of it, but I’m wondering if you have any other suggestions.
There are many Wi-Fi networks around our office, so we can't use 40 Mhz channels in the 5 Ghz spectrum.
Would it be worth it to upgrade to 802.11ac from 802.11n? We are using a Cisco Wireless LAN Controller and have 4 lightweight access points all running 20 Mhz channels in the 5 Ghz spectrum.
These APs are installed on two separate floors (we have two suites) in an office park that are right above / below each other.
There's an additional radio module that can be installed in the access points to give them 802.11ac functionality, so I was wondering if it would be worth it and possibly give us extra throughput. We stream a lot of video and there is a lot of VoIP traffic that runs on our wireless network.
This is a repost of an earlier question that was removed by an admin. I've been asked to repost it with additional information.
I have two buildings on campus, each with their own internet connection and network. Setup for each is ISP > Barracuda X100 > Ubiquiti USG Pro 4. The buildings are connected to each other by fiber with a /30 and routing to each other's LANs. That works fine.
I want to be able to access Building B's X100 from Building A's LAN and vice versa without the need to setup VPN over internet. I'm having a hard time wrapping my head around the routing. Below is a quick diagram of the setup. Any pointers?
I am not able to connect to the internet because the calendar only goes up to 2019. I have flashed the latest firmware but no success. Thank you for your help.
I am familiar with SOHO networking but I took over IT last year for a small private school (150 workstations) where we have a more compartmentalized system. Part of updating the system was moving DHCP to a Meraki MX 84 (to get it off the 10 year old WinServer. I only found out after school started that the Meraki will not run internal DNS (since external DNS works fine).
I tried to patch this hole with Pi-Hole, but it doesn’t get hostname info from the Meraki (I don’t know why).
We have 5 VLANs (don’t know why) and a buddy (pro SOHO IT guy) suggested dropping them in favor of a single LAN. He said I could use Windows native LAN discovery, which I found is called LLMNR. The name mDNS also came up in my search for answers. I’m basically familiar with Bonjour, having using MacOS and iOS devices for many years.
So will LLMNR or mDNS work for 150 workstations? 192.168.1.XXX would offer 255 possible addresses: that looks like a nice cushion to me on 150 units. We have 24 hour IP leases. (100 of them are laptops FWIW.)
Hello all,
I'm currently undergoing a project related to the detection of malicious cryptocurrency miners on a network. I'm looking for a packet capture/networking monitoring utility that has a public API so that I might implement a simple network monitor that identifies stratum protocol communications on a host device/network (for educational purposes).
Alternatively, if anyone knows perhaps a pre-built tool that (with some appropriate configuration) might be better suited for this please let me know! I'm quite new to NetSec, so still just getting my head around a content filters and networking monitoring utilities.. I was thinking a content-filitering proxy server?
Thanks all!
Hi,
I need to replace our current Internet Edge.
We currently have 2 datacenters.
In DC1, we have:
DC2 has :
Manual internet Failover from DC1 to DC2 by adding default route (manually) to DC2 cores if DC1 went down and manually start advertising our prefixes to this ISP.
ASRs and SSG need replacing.
We want to upgrade to 10G ISP links, and provide some form of automated failover between DC1 and DC2. We do not want Firewalls in HA between sites...DC1 internet should be primary unless of catostrophic failure in DC1.
I'm looking at MX204 as internet routers and SRX 4100 at both DC1/DC2. (dont need next-gen, just simple imix 10g throughput (no VPN or any other inspection/ALG etc). Each SRX having a L3 link into each core, perhaps running OSPF.
Im aware that SRX4100 have single REs so cant use GRES and Full Failover requires the routing daemon to restart/start so theres scope for non-hitless failover if using dynamic routing protocols on the SRX.
Do you have any suggestions regards routing protocols between routers/firewalls and firewalls/cores?
And how to manage failover to DC2?
We have no dedicated links to iBGP between DC1 and DC2 edge routers so would need to use VXLAN via the inline DC-DC L3 links.
I would like to keep the DC1 and DC2 edges as seperate as possible, if possible.
Hello,
I am looking for tools to create network testing procedures for a group of non-technical people, so that their members can share metrics with each other and with me, in order to decide who will carry out certain activities during live group videoconferencing.
I would like it to be easy for them to get metrics such as:
- jitter
- latency
- packet loss
- band
- mtu
I understand that Zoom clients have some of these metrics available to their users.
But we are not using Zoom.
We are using Google Meets and StreamYard as virtual rooms.
I discovered the site test.vsee.com that runs diagnostics in parallel to a videoconference. I understand that the metrics from test.vsee.com will not reflect direct values between the tested computer and the server used for videoconferencing (ex: Google Meets or StreamYard servers). But, it seems to be better than asking each participant in the referred activity to enter command line commands in their different operating systems (Linux, Mac and Windows).
I would like to know if you have any preferred tools or procedures to recommend in this case.
Thank you very much for any help,
GS
Startup company. So far using Verizon FiOS router. We bought 3 servers and installed esxi on them with vcenter. I setup openvpn on one of the vm but I can't reach it from outside even when I forwarded port in router. I am actually looking for advice on best way to configure office network. Open to ideas on buying networking gear which can replace Verizon router and give us VPN firewall and other capabilities. I was also thinking of using pfsense. Does it provide everything we need? Does it make sense to create vlans and segregate traffic. I am looking at making it safe so that only developers can VPN and get in and no hack attacks can occur. Open to all ideas. How do you do it?
I tried making a shared folder on windows and can get it to work, i already allowed every action for every user but still i get a prompt when trying to connect with other PCs. The prompt info: "You do not have permission to access \DESKTOP\DRIVE contact your network administrator to request access" If you know anything about this please feel free to help me
I am trying to configure a (very) secure SFTP file server for transferring files between employees. I already know that files should be protected/encrypted in transit and at rest. Fortunately, the SFTP protocol has in transit encryption covered. However, I am still trying to work out the best way to transparently encrypt files that are at rest on the SFTP server. I have investigated full disk encryption, but that seems to only be effective when the encrypted disks are unmounted. Is there any way to either configure the Ubuntu server or the SFTP software, to transparently re-encrypt the files as they are being uploaded so that they can only be accessed by authorized SFTP server software users as well as IT administration staff but restrict access to any potential attackers who do not have the decryption key whether the drives are mounted or not.
Hello new here, heard you can get alot of help from reddit about this kinda stuff so thought I'd try. I am currently having issue with my Google nest hub and was trying to figure out why it's having connection issues to some devices. For instance some devices such as my Samsung TV(known for connection issues I know), my mother's old ass Intel Celeron AIO, and sometimes even my note 9. I plugged the nest into the cable company gateway and turned off both 2.4 and 5ghz networks as well. I'm thinking that I need to get a separate, way better, Arris modem to fix the issue but I don't know if that's actually the source of the problem... Thoughts??
Hey everyone,
I'm working on a web application person project and I'm curious to understand, when outputting data in chunks, is this an advantage for the server by not needing to know the size of the data to be sent across the client or not?
Hello I'm looking to get back into the IT field as quick as possible as its been awhile and I'm wondering what I should study for cloud related learning. Should I study the Cloud+ or learn a more specific cloud technology like AWS, Azure etc.. ? I know that Cloud+ will be updating its CV0-002 and Im not looking for a certification just a faster way to get a job that requires knowledge of the Cloud. Thanks my funds are drying up and need a little help.
There are many Wi-Fi networks around me, so I can't use 40 Mhz channels in the 5 Ghz spectrum. Would it be worth it to upgrade to 802.11ac from 802.11n?
So this feels like one of those situations that will have a painfully obvious solution once I know it. But... that time isn't here yet. So here is my situation. I have an ASA that is receiving a default route via iBGP from our peering router. This route is installing into the ASA table as the default, although I had to decrease the administrative distance of BGP learned routes on the ASA so that it would not prefer a default it receives from OSPF via another peering point. I have also placed default-information originate metric-type 1 into the ASA's OSPF config. However, when looking at the router immediately inside of the ASA there is no default route coming from the ASA. When I perform a sh ip ospf external 0.0.0.0 on the inside router I only see an entry for the default coming from the other pop.
I tried forcing the OSPF process on the ASA to advertise the default with default-information originate metric-type 1 always, this worked insofar as I was able to see both default LSAs in the OSPF database on the inside router. However, this also defeats my intended purpose, which is to only advertise the default from the ASA if the ASA is also receiving the default from BGP. Help!!! LOL. Seems like this should be working and I'm missing something obvious.
Good morning,
for the network design and architecture of our project we are planning to use a 3-tier architecture and I am wondering which one could be the right combination between:
-) Core Switch
-) Distribution Switch
-) Access (Layer) Switch
following the FortiGate appliances.
One of the supplier suggested the following:
-) Core Switch: 2201E
-) Distribution Switch: 424E
-) Access Switch: 224E
What's your opinion about?
Can you please suggest any use case to follow that?
Cheers,
I have some ASA images running on FP2140's. I want to run Ansible or a python script to collect the power status("show chassis power psu") as there is no way to check power on asa runnning on top of fxos. But the modules I see so far are only there for ios or asa or using rest api. Paramiko/netmiko uses "conf t" which does not work in fxos. Anyone has any workarounds?
He didn't specify what brand or model it was, and it was cheap so I thought maybe I'd be getting a deal. Not so sure anymore, as the more I read/google, the more I think maybe this modem is way too high-tech for my needs?
Yesterday though to put my other workstation to work, unused for around 1 year cuz bought a new one. Now i'm trying to share files between those two but doesn't seem to find anything on the network except "Media streaming", both are connected to the same router, connected to the internet, both on different IP (automatic detection) didn't use neither ipv4 or ipv6, but whenever i try to share a folder or hard drive on simple sharing or advanced sharing options can't find anything on the other workstation on the networking section. Anyone can help to figure this out? Thank you in advance.
Hi,
I'm wondering what these files in my firewall are? (I'm from belgium so some files are not listed in english). I think these remote assistance things are kind of weird. This is just my personal pc at home so no work related things get involved. Also things like cortana (selected in picture) are weird. Maybe i'm trippin idk? Thanks guys!
Hi ! so today I Found I can download this csv from google https://www.gstatic.com/covid19/mobility/Global_Mobility_Report.csv?cachebust=9e64e67cbad15dab at 17-22mbps (the csv can be found here:https://www.google.com/covid19/mobility/ under "Download Global CSV")
The curious fact is that I have a VDSL plan of 20MB (that would be like 2.0 2.3 mbps)
How can I be downloading this particular file at those rates? I tested it with more than one browser, and in two computers.
Sorry if this is not the correct sub to ask.
Thanks!
Has anyone heard of the protocol hopopt? Googling it yields it being related to IPV6 but little other detail. I have IPV6 off on the laptop and SCCM server and we don't use it. I'm unfamiliar but we keep having an issue when Dell laptops go to image and talk to our SCCM server, it unleashes hell on our network. I've snapped a picture of what's happening according to our Palo Alto, we even turned on Buffer Packet Protection and yet it still seems to cause slowness on our network. SCCM is in our server zone and the Dell laptops are in our campus zone.
Picture: https://ibb.co/84MJJTz
These are two arista devices, both operating at 40G. It's literally just one circuit but the only thing I'm going off of is the CLI and my outdated and spotty knowledge of fiber in general.
I don't need a breakout cable do I? The MTP cassette makes me think I do but they're both singular ports on the devices-with some logical interface config. I only know I need OM3/4 and LC.
What countries do you block outright on your networks?
Right now we block some of the big offenders like China and Russia and most of the middle east but which others should we be blocking?
DO NOT let a manufacturer bully you into buying their optics. They are grossly overpriced.
I am not a manufacturer or a reseller, I work for a company that has a number of large campus networks and some smaller business offices. 6 years ago we were towing the line, buying the rip-off vendor optics for new projects. The final straw was a very large install where we paid over $1,000,000 just in 10G single-mode SFP+'s. At that time they were list-price $6,000 each, even with heavy "discounting" we were still paying several thousand dollars per-SFP.
I swore "never again" and started shopping around. We found many vendors that would have cheaper optics, maybe 20% of original cost. I wasn't feeling it - too expensive to change while not cheap enough if things go bad. Eventually I found another source. I'm not affiliated, but if you type "fiber store" in google it will come up right away. My $6000 manufacturer SFP could be purchased there for $24. At that price, who cares if it breaks, throw it away and put in another one!!
Yes, I realize these are somewhere near "gray market" in that they sell SFP modules with the original manufacturer ID burned in so the switches don't reject them. I can tell you after 5 years we have ZERO problems using them. Occasionally one might go bad, but they will RMA them just like any other company.
The important part is if the VAR or vendor LIES to you and says you aren't supported, tell them to take a hike. I have NEVER had a case rejected due to a 3rd party optic or DAC cable attached. If you really are worried, buy 1 set of optics from your vendor, swap them into the same spot just to prove it's not the problem. Unless you are seeing problems directly related to data transmission, it's going to be difficult to blame the optic.
I can't tell you how much our company has saved now by switching to this. Definitely in the multiple million of dollars. When we interface with a new manufacturer up front we state we are going to use 3rd party optics and to not even bother trying to make us buy their scam-hardware. In the end they all want your business and will take what they can get.
I hope this tip will save some of your companies some money down the line. Please spread the word, stop being scammed.
Hello all,
I have been tasked with finding a switch from any vendor that can do:
1G Copper, 10G Copper, 10G Fiber, Must have at least 32+ ports
Any ideas? I know about the Cisco Nexus but the only 10G sfps I can find are "cisco compatible" which Cisco won't support (AFAIK).
Any help is appreciated.
Anyone doing anything with multiple inbound ISP load balancing?
I have a potential client that is using BGP between two carriers today and having issues when a carrier is having issues, but the entire BGP link isn't bad. I know I could set some generic IPSLAs on the link and check connectivity to a few key locations, but is anyone using another solution?
Right now they are going into the office and disconnecting the carrier until they can verify the connection is good again.
Hi guys
I would need some advice, I would have to do a project like teamviewer. How do I go about doing it, for now, I have set my eyes on getting a VPS with VPN and a webserver functionality. I would need to create an admin portal as well - a web based where users can add in PC's that they would need to remote in to. Of course, these PC's have to be in the same network. I would need to do an rdp connection and a share screen connection as well.
What is the best approach in doing so, I know..using teamviewer is the best..but we just want to try out something on our own. Appreciate all feedbacks and advices.
Is VPS the right way to go or is there any other better mechanism for this.
We have Geo Blocking but looking at the logs our Palo Alto is destination for 8.8.8.8 is now India. Anyone else?
Hello, I was recently informed by a customer of ours that during a VRRP test they were seeing up to 45 seconds for the VRRP failover to complete. I believe he was doing simple ping testing to determine this. With this information I used a pair of ports on our Juniper EX4550's on the same devices in the same setup to verify this. To my surprise, I did have similar results. The first failover from master to backup was around 1-2 seconds nearly every time. But the fail back from the new master VRRP back to the new backup when the interface is brought back up usually took between 15 seconds and up to 1 minute 10 seconds for a ping to come back. These times are to the end device not the VRRP interfaces. The VRRP backup interface itself took about 20 seconds to come back up which is still way to long.
I've read about improving convergence of VRRP with removing the skew timer and delegrate process change. Before I take a maintenance to change these I wonder if anyone else has changed these and what improvements were seen. Based on the speeds I'm seeing I don't see how it can dramatically improve the failback speed.
https://www.juniper.net/documentation/en_US/junos/topics/concept/vrrp-convergence-time-improving.htm...
Things I have tried is changing the interface to fast-interval 100ms with 3 misses before it fails over.
To cause the failover I just disabled and enabled on the master and running a ping every 1 second to the VIP, backup VRRP IP, and end device WAN IP.
Devices in the setup 2 EX4550's connected to a L2 switch which has a firewall attached to the L2 switch with the device WAN IP I'm pinging.
VRRP setup with 1 IP on the master and VIP is the same as that IP then the backup VRRP has its own IP.
Which would be more useful- to send syslog from a certain severity or from specific event classes? I'm set to informational now but am toying with the idea of choosing only certain event classes that would benefit me rather than get lots of noise. Looking for suggestions.
Basically the title.
In order to stay up-to-date on my network knowledge, I'm wondering if it make sens to subscribe to one of this plan.
Are they worth it? Which one has the best value for money?
Hello all,
I am attempting to write a python script that will upload the running config of the device to a TFTP server - altering the txt file name to represent the device's hostname and also the days date.
I have grabbed the hostname from a show run command.
When attempting this script it hangs for a while, then returns this error:
OSError: Search pattern never detected in send_command_expect: GBA\-00\-SWA\-Build\-01\#
Which I understand to be Netmiko complaining that I am not confirming the filename on the device.
I have tried using the expect_script method but that doesnt seem to work either.
Here is my code if anyone would like to have a look at it.
from netmiko import ConnectHandler
from datetime import date
TFTP_SERVER = "10.137.79.40"
date = date.today()
filedate = date.strftime("%d/%m/%Y")
device1 = {
'device_type': 'cisco_ios',
'host': '10.200.252.29',
'username': '*******',
'password': '*******',
}
my_devices = [device1]
i = 0
for device in my_devices:
i += 1
name = f"device{str(i)}"
net_connect = ConnectHandler(**device)
net_connect.enable()
result = net_connect.send_command("show run | in hostname")
result = result.split()
hostname = result[1]
print(hostname)
print(filedate)
copy_command = "copy running-config tftp://"+TFTP_SERVER+"/"+hostname+"_"+filedate
output = net_connect.send_command(copy_command)
if 'Address or name of remote host' in output:
output += net_connect.send_command_timing('\n')
if 'Destination filename' in result:
output += net_connect.send_command('\n')
net_connect.disconnect
print(output)
And here is the output
Traceback (most recent call last):
File "//****/python/NCM2.py", line 33, in <module>
output = net_connect.send_command(copy_command)
File "C:\Users\geeo\AppData\Local\Programs\Python\Python38-32\lib\site-packages\netmiko\base_connection.py", line 1405, in send_command
raise IOError(
OSError: Search pattern never detected in send_command_expect: GBA\-00\-SWA\-Build\-01\#
TL;DR: Can Extreme X460G2-48p-10G4 switches NAT?
Hopefully someone can chime in on this.. I have a client whose internally developed application has the Exchange server address for notification emails hardcoded. It is Exchange 2010, and we are about to kill the mailserver (Exchange 2016 is running in its place). They have no way to recode the application; it will be replaced soon and can't justify the developer hours to do it. So I'd like to implement destination NAT on the local gateway to redirect unauthenticated SMTP traffic sent to the Exchange 2010 environment to the Exchange 2016 environment, where it can use an IP-restricted SMTP relay.
They are using Extreme X460G2-48p-10G4 switches and although these switches are configured as the local gateway for each network segment, they are not currently NATing traffic (that's handled by the SDWAN on the perimeter). Local admin says there is no way to configure NAT on these switches. They will not grant me access to the switches to poke around, and I'm not seeing the documentation online to help me confirm this.
Hello all,
A customer of mine wants to add some additional access points in their building, however the distance from the switch to the AP location will exceed 100 meters. We didn't get the actual number yet, but let's say it's most likely around 150 meters.
The question or idea we had was to use UTP repeaters. I'm just not sure about how this works in combination with the AP requiring PoE ...
Can we "just" use a PoE injector and disable PoE on the switch, will this also "extend" the UTP signal?
I'm guessing if we go for a "UTP repeater" it HAS to be one with PoE? Also, does this "inject" PoE (aka is this the same as a PoE injector) or how should I see this...
I may be overthinking this, but the solution obviously needs to work. They are currently using a meshing solution at that location but they decided to migrate to a new environment and get rid of the meshing solution.
Thanks for any advice on this topic!
Hey r/networking
I'm currently completing a degree in engineering/computer science, did a subject on basic networking and encountered a rather abrasive Lecturer.
I'm a student so i apologise if some/all of what I say doesn't make sense.
The crux of the issue I had came in the form of a practical involving a Cisco router and 4 switches. The goal was to setup a basic network, cabling, loopback, 4 VLANs on each switch etc. My setup passed scrutiny bar 1 (possible large?) oversight. I didn't hard code one VLAN to be the root bridge for a specific switch. Because of this, I received a penalty of 50/100, failing the assessment and ended up failing the unit.
I've been told by the faculty that this is a major error in a network. The reason given is that if the setup from this switch was copied to a new one (if it blows up/needs replacing) the hexadecimal value it holds might be higher/lower meaning the firmware might designate a previous switch in the network, as the root bridge for the VLAN in question.
I suppose my question is: Is this as big an issue as it's being made out to be? I have an IoT major and don't plan on getting a job in networking, so I'm willing to cop this decision but it seems extreme. Especially since it was an introductory unit.
Any advice is appreciated.
Security isn't a big strong point of mine, but was always curious how this is done.... A lot of places I have seen the nuclear option of disconnecting from the Internet, then contain, forensically check and rebuild if necessary any possible effected devices when an attack is seen..
what if a connection is kept up though... what are the mitigations to keep the connection up? Im assuming you can whitelist/blacklist connections with firewalls, IDS/IPS, how are unclassified UDP connections dealt with then?
if you get to a point where your device is only responding to legitimate traffic, whats the next issue? bandwidth utilisation on inbound connections if the attacker is flooding with UDP or ICMP packets?
any better ways of dealing with it?
We have an snmp scan occurring that we can not locate where its coming from. The ip its coming from is from a subnet we have never used EVER in our network. Our tools are seeing the scan happen but since we cant ping or locate the IP from any of our devices we are not sure where its coming from.
have you ever ran into an issue like this? We have spent a lot of man hours this past week to try and find this with no luck. Have you been able to locate this type of issue? ANY advice is greatly appreciated.
It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our member's new and shiny blog posts.
Feel free to submit your blog post and as well a nice description to this thread.
Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.
So I inherited a FW that a Security guy, who deals with policies and has a little networking experience, but this was NOT his thing, attempted to configure it but had no idea what he was doing and left it for the next guy......me. Now I have dealt with Cisco for a while and am pretty comfortable with navigating a firewall, although I've never really dealt with Cisco. Nonetheless, I love a good challenge.
I can log into the console port. The running-config shows that all 8 ports AND the Management port are shut down. I figured I would just type "enable" and I would be able to configure the Management port so that I could get to the Web Interface.......WRONG!!!! Enable is not an acceptable command.
Is there a way to either configure the ports from the CLI, or my only option to reset this to default and start all over...with either option, I will need help.
My ISP informed me that they are configuring new settings on my GPON, ever since then, my device is refusing the save WAN broadband settings and therefore cannot connect to the internet. I've tried factory resetting to no avail. It seems like every time I do a factory reset, the device doesn't actually fully reset; it still has my PPPoE information in memory even after a full reset!
Unfortunately, due to lack of popularity, there are no firmware files available for the stock version of the AN5506-04-F, only some PLDT ISP-specific version. So there is no way for me to try my hand at a firmware upgrade either.
I have another GPON (Huawei EchoLife HG8346M) which I would like to use now that my AN5506 seems to be bricked. However, the EchoLife doesn't register on the OLT and keeps cycling between 02(Stand_by) an O3(Serial_Number_State)
My question is:
Is there any way to resuscitate the FiberHome AN5506 from it's seemingly bricked state? If not, is there any way to trick the OLT to register my EchoLife GPON?
Reddit platform has always been helpful and supportive because we have genius members here.
I have been trying to find answers on Cisco.com, so far it has been vain. No clear and detailed documentation on migration
I am looking for a guidance on Cisco SD-Access. I am working on building Fabric Sd-access in parallel to the existing network. It is a network refresh and greenfield deployment project. Once that Sd-access is all setup and happy, then we would incrementally migrate the users.
Can anyone give step by step guide and strategies for migrating users, firewall and servers from old to new network.
Existing setup is
Firewall-----6500 (CORE)---trunk---- 2950 (access switch)
Servers
New Devices:
9500 as fabric borders
9300 as fabric edge.
Our lead engineer is out and I need to figure out how he's done this so that I can make a change.
Right now I have a device assigned to an EPG with an associated vlan pool that sends it's traffic to a firewall also connected to the ACI fabric. I need to move that traffic away from the firewall and towards a router also connected to the ACI fabric.
On a standard network I'd simply switch vlans but on the ACI I believe that what I need to do is assign the connected router interface to the same EPG as the end device and remove the firewall interface from that EPG? Is this correct?
I'm looking for some insight on the proper config for our Palo HA pair. We tried doing a firmware upgrade since there was a critical release a couple weeks ago regarding SAML patch, and it went poorly to say the least. This is the first time I think we haver actually had to failover since I've been here.
Our Current Setup https://imgur.com/a/HRZPdC5
We have two Palo-Alto 5220's in HA. Each is connected to two Nexus 3000 switches via vPC.
The upgrade path went like this:
- We upgraded FW2, since it was already passive.
- Manually failed over to FW2 and upgraded FW1
- Manually failed back over to FW1, then no internet traffic/management etc.
For whatever reason now, FW1 is unusable, can login but it just will not route any traffic. Currently we just suspended FW1 and are running on the one.
Anyone have a similar setup? Anything I should be doing different?
Thanks for any insight!
Is it just me? What other options are there? I'm just basically looking for thoughts from other guys in the industry. Do you specify anything different when putting together a project?
I live on the Northern California coast. Sunny, wet, and corrosive are the words used to describe the environment. I am realizing more and more that I hate PVC. It seems like it has such a limited lifespan but it gets used for EVERYTHING. Every time I see a large project implemented with PVC running on rooftops and underground I cringe. When I get called out to work on infrastructure projects completed even 10 years ago, I find the conduit and fittings to be brittle and falling apart. If I have to open up a box, or take the cover off an LB, I feel lucky if goes well and can be reassembled. Usually I expect some cracking or complete failure around the screw holes in the box and cover. The thing is, many of these parts can NOT be replaced because the cable runs through the box or LB. Especially bad are PVC straps, touch them lightly after 5 years and they are going to break - they should NEVER be used. Galvanized straps are better but are disgusting after 10 years. Unistrut seems to hold up fairly well even when all of the accessories (straps, etc) are heavily rusted. I don't know, just venting and checking to see if anybody has any input.
Hello-
I have a short term project occuring, and I need a VPS solution basically to provide 2 things.
Basically, the end unit will VPN to the VPS, and then I will talk to a port forwarded VPN tunnel like I am locally connected.
No integrations or other features needed at this time.
What would be my best bet for a provider? Generic server host and a PFSense ISO?
I just purchased a home video security system that automatically comes with Alexa/Google Voice (which I hate, but have no control over). How do I enable the video camera to connect to wifi (which is needed) but block all traffic to Alexa/Google Voice?
With today's environment I have to put together a minimum requirement to work from home for networking. We have 100s of users that require a constant VPN for telemarketing. Looking for something like users must be on a Lan cable, NO WIFI. Users minimum internet speed is 20mbps download and 5mbps upload. Recommend 50mbps download and 10mbps upload. Maybe a recommendation on home wifi router and modem. We keep seeing users with VPN issues on spectrums free WiFi router modem combo. We are a big user is teams zoom and Cisco WebEx. Streaming video and audio.
This is to help with troubleshooting. Ever since we moved to 95% remote working we are having to troubleshoot home wifi.
Does anyone have documentation like this?
This is a question more for the ISP side. I'm trying to develop some reporting at the node level for a HFC ISP, and I want to make sure I'm not overlooking any useful metrics for diagnosing node health. Right now the main metrics that I track are committed bandwidth to the node, oversubscription rate, maximum utilization for last 7 days, and average utilization for the last 7 days.
Are there any other related metrics that would be useful for a networking person to see which nodes are 'healthy' (or unbalanced, or overloaded, etc.)? Assume I can deploy probes on about anything (they don't use Nagios, but they use Cacti) to monitor it.
Thank you for any insights you can offer!
I have an on-prem network and another client has a network in Azure.
The goal is to allow our on-prem network be able to talk/connect to a network in that client's Azure network.
However they say we can't use a VPN from our on-prem firewall to go to their Azure VPN gateway. But rather, we would have to establish a tunnel from an Azure we have to their Azure.
My question is, how could I then allow our devices to talk to their network if we do that?
I have an Azure VPN IP Sec established to our own on-prem firewall.
Do I add another connection in our Azure gateway and go configure somewhere to re-route any connections to the remote vendor network through it if it's coming our on-prem network?
I'm currently working on a PoC to interconnect multiple sites through IPSec using StrongSwan. The goal is to create backup links through other sites if a direct connection to a site goes down.
I've created a docker-composed based lab setup and I'm currently so far that I have active IPSEC tunnels between 3 hosts and that I can ping between them. This is policy based so I can't send traffic from host 1 to host 3 through host 2.
Now I want to switch to route based (using https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN as a lead) using xfrm interfaces, but it appears that I'm missing some glue to tie the policies to the interfaces. The docs state that "No awkward configuration via GRE keys and XFRM marks. Instead, a new identifier (XFRM interface ID) links policies and SAs with XFRM interfaces.", so I would assume that I shouldn't need to specify the mask in the policy, but doesn't mention how this matching is done. If I specify mask in the policy with the value of the interface_id, no traffic goes over the tunnel.
I've created the interface like so:
ip link add ipsec2 type xfrm dev eth0 if_id 0xff02 sysctl -w net.ipv4.conf.ipsec2.disable_policy=1 ip link set ipsec2 up ip route add 192.168.102.0/24 dev ipsec2 metric 10 ip route add 192.168.103.0/24 dev ipsec2 metric 20 ip link add ipsec3 type xfrm dev eth0 if_id 0xff03 sysctl -w net.ipv4.conf.ipsec3.disable_policy=1 ip link set ipsec3 up ip route add 192.168.103.0/24 dev ipsec3 metric 10 ip route add 192.168.102.0/24 dev ipsec3 metric 20 And ipsec.conf looks like this:
conn sts-base fragmentation=yes dpdaction=restart ike=aes256-sha256-modp2048 esp=aes256-sha256-modp2048 keyingtries=%forever leftid=192.168.100.101 leftauth=secret rightauth=secret leftsubnet=192.168.101.0/24 conn STRONG-2 also=sts-base keyexchange=ikev2 right=192.168.100.102 rightsubnet=192.168.102.0/24 auto=start # mark=0xff02 conn STRONG-3 also=sts-base keyexchange=ikev2 right=192.168.100.103 rightsubnet=192.168.103.0/24 auto=start # mark=0xff03 I've got the entire docker-compose based setup, including all used config files, up at GitHub, so if anyone want to have a go at it, you can easely replicate my entire setup: https://github.com/TomCan/strongswan-xfrm-poc
I know the current config isn't complete for the redundancty (probably need 0.0.0.0/0 selectors), but step 1 is to get this simple setup working route-based instead of policy based.
Introducing SNIcat: How the security features in state-of-the-art TLS inspection solutions can be exploited for covert data exfiltration
New research on TLS inspection bypass #SNIcat
Details here: https://www.mnemonic.no/blog/introducing-snicat
PoC here: https://github.com/mnemonic-no/SNIcat
Palo Alto advisory here: https://security.paloaltonetworks.com/CVE-2020-2035
Hi All,
So I have a HP 5412zl Switch here at work and we're trying to get LACP links working to our site next door.
There are 2 fibre links to each of the 3 cabinets next door, each 10GbE
I have done the following on the core switch
trunk a6,c6 trk6 lacp
trunk a7,c7 trk7 lacp
trunk a8,c8 trk8 lacp
On the other side which are HP 2920G's
trunk 1/a1,3/a1 trk1 lacp
trunk 1/a1,3/a1 trk1 lacp
trunk 1/a1,2/a1 trk1 lacp
I have tagged them in all the vlans required and left them untagged in vlan 1 which is the management vlan.
However i am getting an issue, as soon as i connect the second link, spanning tree disables the trunk?
What command do i need to issue to add these trunks / interfaces to disable spanning tree on them and get them running at 20GbE?
Running exos 22.2.1.5 on X460-G2-24t-10GE4 switch, trying to find if there is way to configure automatic backups of running configuration to tftp server, like in Cisco with archive or kron ?
Hello,
Let me start by saying I am by no means a network professional, but I have a decent understanding of NAT.
I work for a local ISP as a Call Center Manager. We had a customer claim that he was getting DOS attacked. Like many ISPs, we use NAT Pools. So if somebody was trying to find his IP address to DOS attack him, wouldn't they just see the public IP that the customer is routing through? If the attacker found that IP, he could DOS attack it, and wouldn't that affect a large amount of customers also NATted behind that public IP? Or is it possible to JUST attack the one NAT Pool IP behind that public IP? Or am I so far from accurate on anything that I maybe don't understand NAT as well as I thought I did?
Any information is helpful, thank you in advance! I'm going to bring this up to our engineers tomorrow and see what they have to say about it as well.
Hi so we use PLC to computer set up her so i cant run any software on the plc.
Could i connect a router or a type for managed switch to check the traffic going trough..
this is old equipment so the plc is running at 10mbit and 100 for the computers
If we’re not hosting any internal servers servicing the outside world, is configuring a DMZ even needed? All we’ve got are users accessing the internet for cloud services (AWS, GCP, azure) and general connectivity (Gmail, slack, zoom, social networking, etc).
What is the general rule of thumb on when you would need a DMZ configured on a network?
Need advanced dpi for a network, what would be the best solution would like the data to go in-depth
I have two PC's on separate vlans within interface x0 - that I need to completely restrict from all other "vulnerable" vlans on the interface. These are vlans 1 2 and 3 we'll call them. These "risky" PC's are on vlan 4.
Switching - I can successfully make the risky PC grab the risky vlan tag when the port it's plugged into is programmed as such in the switch.
But, for various reasons, I need the network to be ready for the possibility of one of these risky PC's being plugged in anywhere - where it is likely that the port is programmed to the vulnerable vlan.
So I created an address object with the ethernet mac and then set rules saying deny anything from x4 to 1/2/3 when the source is such address object. But still the PC will take an address when plugged into a port that includes any other vlans.
How do I make sure it only communicates with the dhcp server on the risky vlan? I don't want these PC's to have any chance of ever getting on these other vlans. What am I doing wrong?
I have 2x N9K switches that are in production in our DC. I would like to add vPC across the switches, but wondering what the impact would be to the network/applications and which steps would cause an outage?
build vPC keepalive link
build vPC peer link
build new port-channel to member ports
Has anyone had experience with whitelisting Adobe Creative Cloud using a Cisco WSA (S300V)? I have been working with TAC all day and we are not making any progress.
If a user is behind the proxy, adobe no loady nothin, not even a proxy block page (every other website loads fine). If I take the proxy off, then yay everything is happy and adobe loads great.
If I look in the firewall, I can see connections from us to adobe being allowed. I can see these connections being allowed regardless if someone is behind the proxy or not. If they are behind the proxy, I just see the proxy IP and a bunch of allowed statements for adobe.
In the WSA we have made a specific adobe group for a custom URL bypass, and I put in EVERY imaginable adobe website in there. There is a full list on adobe.com and I put every.single.one. of them in there. The Cisco TAC person also put this policy in a nodecrypt policy apparently. Still no luck.
This is becoming my new nightmare as we just recently moved ALL of our adobe products to the cloud subscription service. People are excited for this change let me tell you.
Edit: TAC Just got back to me again, and is saying:
Adobe Creative Cloud desktop application is using HTTP Range headers for download. By default range request header is not forwarded from WSA appliance to destination server, and this could be why the requests are failing. To work around this problem, please enable WSA to handle HTTP range requests.
We have two offices connected via SM fiber. Currently using 1G links. If we upgraded our SFPs to 10G, would there be any benefit? Every other port on same switch is Gigabit. All other LAN switches are also Gigabit. I'm thinking 10G SFPs are more for datacenter uses and not this type of use.
Both offices are only 50 users each; basic hum drum offices.
WE're looking into potentially teaching outside in a field, roughly the size of a football field. Once the pipe is installed, can anyone provide me with a basic suggestion for what would be required to provide internet to up to 200 chromebooks/iPads spread out across the field?
Would appreciate anyone who can give me enough information to really start digging in. TIA.
Hi, I can't figure out how to switch to 1Gbps . I have Virginmedia HUB 3 switched in modem mode and tplink connected as a wireless router mode. Wireless speed is working great both 2Ghz and 5Ghz but on my pc wired it only connects to 100mbps. I have tried to switch full duplex 1Gpbs but it appears as cable unplugged. I have cat7 from router to pc and cat6 from router to VM hub. Any help please?
Need some help, total newbie to networking / firewalls, i tried reading tons of materials online about proxies and still don't understand the concept..
I have a physical firewall and want to know what is the use of HTTPS proxy or TCP/UDP proxy policy. I tried to install an app that requires to establish a connection(for verification) to a server through the web and it got blocked by the firewall, i read the logs saying something about https proxy denied or something, so i went ahead and created a https proxy policy to allow the connection.
I just need someone to explain what is a HTTPS proxy or proxy in general in as layman terms as possible, and why my above example needed a https proxy to work. Thank you in advance!
So we use Jump desktop which is a sort of teamviewer like application to stream media remotely.
Everything works great except sometimes the users will complain about lag.
The lag usually happens when the network at the office is busy.
So I set some bandwidth rules to process the jump traffic above other types of traffic - which helped.
I guess I’m treating jump like VoIP.
So this question is for the VoIP experts.
When you guys set VoIP rules you basically give first priority to phone calls.
Say you have a 1 gig up and down connection. How many users can talk at the same time before noticing performance issues?
My point: I’m trying to understand if all of my jump traffic is set to high priority, at which point will the jump traffic itself start to cause performance issues with other jump users?
Obviously the answer is: if bandwidth is completely saturated over 1 gig with all jump traffic. But I keep seeing performance impacts when my firewall is only at %30 bandwidth.
So I’m wondering, really wondering. If QoS is setup properly, when does the VoIP traffic start to cause congestion on itself?
Like if all users do an upload at the same time, which totals the bandwidth limit of 1 gig, does all the traffic get passed at once? Or how does the pipe work?
Is it possible to saturate a 1Gig uplink with all VoIP traffic without lag, or would that much traffic cause delay in itself since it is so much?
We don’t really notice lag when it’s just a few users working. But we do notice lag when lots of activity is going on, even though the firewall is only at %30 bandwidth usage.
Hello,
I'm in the process of redesigning our corporate network.
Currently we have a stack of 3x Dell S3048 that contains 30 VLAN. The stack takes care of internal routing and has a default gw to the firewall to get out over the internet. There is no isolation between these VLANs.
We plan to change this architecture to 10G and take advantage of this to add security.
The core network will be replaced by 2 Nexus 3064PQ-10GX with HSRP and VPC. Each access switch will be connected in VPC.
There will be about 20 VLANs for the users (1 per building) and about 10 for the infrastructure (SRV/MGMT/PRINT/CCTV/STORAGE) .
Regarding isolation of these VLAN, I had several ideas:
That would make me more than 30 VRF to manage, knowing that the N3K supports a maximum of 64 VRF. And we planned in futur to add more VLAN with the expansion of our fiber network.
So I'm looking for advice and ideas for this new network.
Thank you !
PS : Sorry for my bad English
I want to run a service like github pages, where a user can send me some content to host, and point their domain to my server(s) with a dns record and have me host the content on their domain.
Sounds simple right?
But I want to make sure I host the content geographically close to the user (like a CDN does), yet as far as I can see a service like cloudflare wouldn't work for me - I wouldn't be able to validate ownership of the domain.
I could get the customers to use a CNAME to point to my own DNS servers and use GeoDNS, but that doesn't work for the root of the domain (where CNAMEs aren't allowed).
I could get the customers to point to an anycast IP address, but it seems no VPS provider will allow me to assign an anycast IP to a set of VPS's.
This is for a small hobby project, so setting up my own AS and IP block and having my own physical servers all over the world like github has done is probably not viable.
Is there any other way to get customers to point their domain at mine and route the requests in a geographically smart way?
Hi all,
I was wondering if anyone has experience troubleshooting interrupt utilisation on a Cisco 2921.
Our Total utilsation is sitting around 96 percent however the interrupt utilisation is 91. We thought the number of NAT translations may have been causing the issue initially however after putting NAT timeouts in place and putting an EEM script in t periodically clear NAT there has been no improvement.
I read the following article which is for a 3750 platform however some of the commands are not applicable to a 2921
Here is the output I get when I run a show platform interrupt command. I note that IO Controller network counters are high and continue to rise however so does POW interrupt, fpga interrupt & CIU Timer 0 ISR so I am not sure where the issue lies. I suspect that the router is just getting too much traffic pushed through it but can't see how I pin point that.
There is no throttle counters incremented on any of the interfaces. Any ideas what to do next ? Do not want to upgrade this router to a 4000 series as it will be getting removed soon anyway.
TIA
CIU Interrupt info:
CIU Int Handler Count Context Level Name
0 0x300C3958 932498927 0x0 IP2 Pow Interrupt
18 0x300CAACC 447376 0x2 IP3 fpga interrupt
30 0x300C9204 0 0xE IP2 USB 0 Over Current i
31 0x300C9204 0 0xF IP2 USB 1 Over Current g
32 0x304951CC 0 0x0 IP2 MBOX0 interrupt
33 0x304951CC 0 0x0 IP2 MBOX1 interrupt
34 0x304BC314 1 0x1 IP4 Aux Port interrupt
35 0x304BC314 1 0x0 IP4 Console interrupt
40 0x300C9620 0 0x0 IP2 MSI 0 interrupt
41 0x300C9620 0 0x1 IP2 MSI 1 interrupt
42 0x300C9478 2361007398 0x2 IP2 IO-Controller Networ
43 0x300C92D0 0 0x3 IP2 IO-Controller Mgmt/E
46 0x300C9D98 1 0x0 IP2 NPEI RML interrupt
52 0x304D6D64 66552628 0x3DE2CC18 IP3 CIU Timer 0 ISR
53 0x304D6D64 0 0x21472E98 IP2 CIU Timer 1 ISR
54 0x304D6D64 2600 0x3DE2CC8C IP2 CIU Timer 2 ISR
56 0x3051FAA4 1 0x0 IP2 USB 0 interrupt
IP2 Int En: 0x01604F03 C0000001
IP3 Int En: 0x00100000 00040000
IP4 Int En: 0x0000000C 00000000
Interrupt Counters:
Int Level Counter: L1 (netio) 930600569, L2 0, L3 (mgmt) 66996541, L4 (console) 2, L5 0, L6 0, l7 (4ms timer) 114485138
CIU IP level int counter: IP2 2758185883, IP3 66996541, IP4 2
Debug counters/Info:
ciu_int2_count 2758185883, ciu_int3_count 66996541, ciu_int4_count 2
unknown_ip4_int_cnt 0, unreg_int_cnt 0, wdog_int_cnt 0
unreg_int_sum1 0x0, unreg_int_sum2 0x0
spur_timer_int 0, unreg_msi_int_cnt 0
rml_int 1, npei_int 0, usb1_int 1
npei_pcie0_err 0, npei_pcie1_err 0, npei_pcie_timeout 0
fpa_err 0, pip_err 0, ipd_err 0, mio_err 1
l2c_err 0, l2c_int_sum 0x00000000, lmc_err 0
l2d_faddr 0x00000000, l2t_fddr 0x00000000, lmc_faddr 0x00000000
usb 0/1 over current 0/0
pcie0_cfg030 0x0000583F, pcie1_cfg030 0x00000000
pcie0_cfg065 0x00000000, pcie1_cfg065 0x00000000
pcie0_cfg068 0x00000000, pcie1_cfg068 0x00000000
pcie0_cfg071 0x00000000, pcie1_cfg071 0x00000000
pcie0_cfg072 0x00000000, pcie1_cfg072 0x00000000
pcie0_cfg073 0x00000000, pcie1_cfg073 0x00000000
pcie0_cfg074 0x00000000, pcie1_cfg074 0x00000000
pcie0_cfg076 0x00000001, pcie1_cfg076 0x00000000
pcie0_dbg_info 0x00000022, pcie1_dbg_info 0x00000000
fpa_int_sum 0x00000000, pip_err_reg 0x00000000, ipd_int_sum 0x00000000
MSI Interrupt info:
MSI 128, name: wic_mbrd_hdlc_intr, hdlr 0x3079E1C0, cnt 0, ctx 0x0, slot 0, IO_Controller, NETIO, number 0
MSI 129, name: wic_mbrd_hdlc_intr, hdlr 0x3079E1C0, cnt 0, ctx 0x1, slot 0, IO_Controller, NETIO, number 1
MSI 130, name: wic_mbrd_hdlc_intr, hdlr 0x3079E1C0, cnt 0, ctx 0x2, slot 0, IO_Controller, NETIO, number 2
MSI 131, name: wic_mbrd_hdlc_intr, hdlr 0x3079E1C0, cnt 0, ctx 0x3, slot 0, IO_Controller, NETIO, number 3
MSI 132, name: wic_mbrd_hdlc_intr, hdlr 0x3079E1C0, cnt 0, ctx 0x4, slot 0, IO_Controller, NETIO, number 4
MSI 133, name: wic_mbrd_hdlc_intr, hdlr 0x3079E1C0, cnt 0, ctx 0x5, slot 0, IO_Controller, NETIO, number 5
MSI 134, name: wic_mbrd_hdlc_intr, hdlr 0x3079E1C0, cnt 0, ctx 0x6, slot 0, IO_Controller, NETIO, number 6
MSI 135, name: wic_mbrd_hdlc_intr, hdlr 0x3079E1C0, cnt 0, ctx 0x7, slot 0, IO_Controller, NETIO, number 7
MSI 136, name: net_int_wrapper, hdlr 0x3077D944, cnt 1290182450, ctx 0x21E02234, slot 0, IO_Controller, NETIO, number 8
MSI 137, name: net_int_wrapper, hdlr 0x3077D944, cnt 2361007907, ctx 0x3E7636D8, slot 0, IO_Controller, NETIO, number 9
MSI 138, name: net_int_wrapper, hdlr 0x3077D944, cnt 0, ctx 0x21E02340, slot 0, IO_Controller, NETIO, number 10
MSI 139, name: net_int_wrapper, hdlr 0x3077D944, cnt 457893, ctx 0x3E7637E4, slot 0, IO_Controller, NETIO, number 11
MSI 155, name: i2c intr handler, hdlr 0x30A26630, cnt 0, ctx 0x0, slot 0, IO_Controller, NETIO, number 27
MSI 156, name: wic_mbrd_scc_netio_, hdlr 0x3079DDE4, cnt 0, ctx 0x0, slot 0, IO_Controller, NETIO, number 28
MSI 192, name: wic_mbrd_hdlc_error, hdlr 0x3079DE64, cnt 0, ctx 0x0, slot 0, IO_Controller, ERR, number 0
MSI 193, name: wic_mbrd_hdlc_error, hdlr 0x3079DE64, cnt 0, ctx 0x1, slot 0, IO_Controller, ERR, number 1
MSI 194, name: wic_mbrd_hdlc_error, hdlr 0x3079DE64, cnt 0, ctx 0x2, slot 0, IO_Controller, ERR, number 2
MSI 195, name: wic_mbrd_hdlc_error, hdlr 0x3079DE64, cnt 0, ctx 0x3, slot 0, IO_Controller, ERR, number 3
MSI 196, name: wic_mbrd_hdlc_error, hdlr 0x3079DE64, cnt 0, ctx 0x4, slot 0, IO_Controller, ERR, number 4
MSI 197, name: wic_mbrd_hdlc_error, hdlr 0x3079DE64, cnt 0, ctx 0x5, slot 0, IO_Controller, ERR, number 5
MSI 198, name: wic_mbrd_hdlc_error, hdlr 0x3079DE64, cnt 0, ctx 0x6, slot 0, IO_Controller, ERR, number 6
MSI 199, name: wic_mbrd_hdlc_error, hdlr 0x3079DE64, cnt 0, ctx 0x7, slot 0, IO_Controller, ERR, number 7
MSI 203, name: error_int_wrapper, hdlr 0x3077D954, cnt 0, ctx 0x3E7637E4, slot 0, IO_Controller, ERR, number 11
MSI 212, name: Hsib Error Monitor , hdlr 0x30A2C5C0, cnt 0, ctx 0x0, slot 0, IO_Controller, ERR, number 20
MSI 220, name: wic_mbrd_scc_mgmt_i, hdlr 0x3079D708, cnt 0, ctx 0x0, slot 0, IO_Controller, MGMT, number 28
MSI 221, name: tdm_exception_handl, hdlr 0x30E6207C, cnt 0, ctx 0x108A0000, slot 0, IO_Controller, ERR, number 29
MSI 222, name: GPIO interrupt hand, hdlr 0x30A1BDC0, cnt 0, ctx 0x10900200, slot 0, IO_Controller, ERR, number 30
MSI Enable Reg 0: 0x00000000 00000000
MSI Enable Reg 1: 0x00000000 00000000
MSI Enable Reg 2: 0x00000000 18000FFF
MSI Enable Reg 3: 0x00000000 701008FF
Hi,
I am developing a system consisting of an application server that I will need to deploy on location at each of our 100+ customers.
The applications are used for a manufacture process control. They will be accessed on location as well as remotely anywhere in the world. To ease the access to the server and applications, I will set up domain names such as server.customer1.example.com, app1.customer1.example.com, …
I will use SSH to manage these servers.
Our servers will be behind NAT at our customers' facilities. So port forwarding will be used for remote SSH access with IPv4.
The servers will also be accessible with IPv6.
Now, this is where I am not sure how to proceed when it comes to port forwarding for SSH.
My best bet is to make sure that I use the same internal and external port numbers.
Let's suppose an application server instance listens on port 2222 and a port forwarding has been set up from the location public IPv4 (e.g.: 1.2.3.4) port 2222 to the private IPv4 of the application server (e.g.: 10.100.100.3) port 2222. This way I can easily access the server via its domain name server.customer1.example.com and the port 2222 independently of the the IP version used (IPv4 vs IPv6). If the server was listening on port 22 and the port forwarding was set from 1.2.3.4:2222 to 10.100.100.3:22, then it would remotely be accessible with a different port whether the domain name resolves to a IPv4 (port 2222) or a IPv6 (port 22). Also, the DNS servers on location will resolve domain names to the private IPv4 of the corresponding server, so by using the same internal and external port numbers, I can also easily access the server via its domain name without doing anything special whether I am on location or not.
I have not been able to find much literature about using the same internal and external port numbers for such use case. I would like to have the community's feedback. Is there any disadvantage to keep the same internal and external port numbers?
Currently working on a system that has a dedicated network cache on our end. This cache device has been causing intermittent drops on our services. I’ve checked config’s and they are exactly how the distant end wants them programmed. For now, I currently have it bypassed in order to maintain functioning services. Due to our network policy, we are technically required to use it. (Because of a recently renewed contract)
I know that our individual work stations, and distant end, cache data to speed up “xyz” processes. So my question is: is the dedicated network caching device a useless redundancy in the overall scheme? (Despite policy requirements)
To me, it seems that this tertiary device is an extra redundant piece of equipment that stands to just complicate things. (Probably because I’m tired of dealing with it.) Do you think having a third dedicated network caching device is a necessity?
I understand the basics what a DMZ is, and I want how exactly it can be implemented.
I am using Network Manager on a machine running Arch. I have connected a 4G modem using the usb0 interface. I want to share this connection over Ethernet to my laptop that is using wicd on Debian 10.
I have configured "shared to other computers" on the Ethernet interface in Network Manager. The host PC has MDI-X support (the laptop does not). I have enabled IPv4 port forwarding on the host machine.
The two machines can ping each other but the client PC cannot ping the router or the world wide web.
Any help would be greatly appreciated.
Hello Together,
i founded a small it company and we mainly supporting SMBs.
We born the idea, that it would be great to have one main manufactor for network gear like, NGFW, Wifi and Switches. Regardin partnership, pricing, knowledge etc...
I have some FortiGate, HP Procurce, Unifi background and as mentioned bevor, it would be nice to focus on one manufactor. Is this a good idea or can i say the cisco asa, switches and wifi products are all very different in usability and i can use different manufactor anyway. (is there a equal cli or gui on all three categories?)
Thanks for any feedback!
I've been trying to get this modem/router supplied by the ISP in bridge mode so I can port forward using my tplink router I have connected to it. But I called the ISP twice for them to set it for me and they said I'm on my own because they don't want people changing the settings if they mess something up. So I guess I'm on my own and haven't been able to find any guides yet so any advice would be greatly appreciated
I started working from home a month ago. As a result, my company gave me a Remote Access Point so I can connect directly to my company’s network. The problem is I don’t have direct access to my router, so I was unable to plug my Remote Access Point directly into my router.
As a workaround, I purchased a NETGEAR WiFi Range Extender EX6120 which has an Ethernet port, allowing me to access my network via the extender then plug the extender into the Remote Access Point.
I have a relatively fast WiFi connection with my router. I generally get 150-250 Mbps down. I ping on average at about 5ms.
However, when I use my computer with my Remote Access Point, it’s giving me about 25-75 Mbps down. I notice the speed constraints often when working.
My question is: is there anyway I can reconfigure the WiFi extender so it’s optimized for my situation? I’m basically using it solely to tap into my network and use the Ethernet port to connect to my Remote Access Point. I’m not even using it as a wifi extender. It’s generating an extender network which I don’t need but I just set it up that way.
TL;DR: I got a Remote Access Point to work from home. Don’t have direct access to my router. Got a WiFi extender w/Ethernet port to connect my access point. My WiFi speed compared to the speed I get out of extender is 75% slower. Is there anything I can do to the configuration to make it faster? *Note: I don’t use the WiFi extender network. Just using it to tap into my network and use the Ethernet port. *
I appreciate the help. 🙂
I am a very small ISP with nearly 150 customers and have taken 310 mbps bandwidth for my network. As you all can see that combo 1 is the link coming from main BTS into the router and ether 2 is lan out going from router to the OLT for FTTH clients. As you can see the speed difference btw the combo 1 and ether 2 is so big. Clients are not using this much bandwidth but combo 1 still get choked at 300-310 mbps. Because of this clients are facing speed issues and latency issues. I have contacted many ISP's but they can't get this problem sort out. Please help me. (Sorry for the bad English)
I have a strange question in my office network; summary setup as follow:
Internet -> Mirkotik -> UBNT AP
I have about 10 PC and 4 servers and a few more devices connected to the same internet connection from my provider with static IP (5.6.7.8).
I have a web server located outside the office at another state, Centos 7 + DirectAdmin, Apche+php.
Locally I have 2 CentOS 6, 1 CentOS 7, and 1 Debian server in my office, recently something very funny happens, 1 of the CentOS 6 server, the Debian server, and 6 of the PC cannot open the web pages from my public webserver at another state.
I tried basic troubleshooting like ping and traceroute to the server IP (1.2.3.4) are fine, can open other ports like my custom SSH / FTP / DA ports. However, with the CURL / Telnet test from that server and those PC to the web server ports 80 & 443, I'm not able to connect or open the web pages from the webserver.
I have also compared the Centos 6 networking setting are the same as the other centos 6 servers which can access. On the web server itself, firewall or DA settings are looking good and in Linux, messages log I also cannot find the "try" call from office 5.6.7.8 when testing with the server cannot open the web page.
Office LAN settings firewall also checked in Mikrotik and UBNT controller, all server settings are the same, I have simple LAN with only 192.168.1.xxx.
Any suggestions or things I shall look into?
Assuming you work in an “agile” workplace how many hours a week do you spend in team meetings, sprint plannings, stand ups, sizings, reviews, etc. The meetings with your team to talk about the work you’re going to do, not the meetings with actual stakeholders. Just trying to get a feel for “normal” on this in the network world.
So this recently happened when i switched my websites host from Squarespace to GoDaddy Website Builder. I understand a domain propagation will occur during the transfer process, but usually last 24-48 hours. So it's been over 48 hours and i'm still experiencing issues with my website. If it try to searching for my website it works perfectly fine under my home wifi, but for Cricket Wireless it doesn't go through. I tried it on 4 devices using Cricket wireless data... So i'm wondering what could be the problem? Is it my DNS? My host told me that my domains DSN seems to be updated. Here's my website www.iGeekFixThis.com to those who might have cricket wireless. It worked under the At&t network (yeah i'm aware that Cricket Wireless is powered by At&t), but it does go through with other carriers, but not cricket. Please help :'(
I have a Juniper switch and this is for a small business. We do not have any servers just a network switch and firewall. I was going to use the firewall for the dns but when configuring the dns it asks for an ip. Do I make one up or do I need to create a server on AWS or another cloud service for this to be completed.
I work for a school system that is using Google meets as it's virtual learning platform and I am looking for advice on how I can prioritize the traffic. Google suggests not using qos for some reason, so what would be another good method. I am working with a palo alto firewall and extreme network routers. I will also add that we are experiencing drops and lag from Google meets even with our teachers who are working from home, so some of the issues may be on their end.
I'm working with someone who has a fiber connection at the top of a hill and need to bring that connection 3400feet to another building at the bottom of a hill. They own the entire hill and the path is forest, so there aren't really any issues with approval or regulation. I was considering point-to-point ethernet over metal clad fiber optic cable. Point-to-point WiFi isn't an option due to dense foliage and the second building existing in a crevice. Is this the most reliable and cost effective option?
Thanks!
Don’t forget the obvious
As things are crazy and stressful right now I thought maybe someone could learn from my mistake. So, I’ve had a school site with some odd, terrible intermittent wireless issues for several months. I could not figure out what was happening. Some days it would work fine, some days it was just slow, and some days it wouldn’t work at all. I checked everything, or so I thought. It turns out MS DHCP Server will let you set a scope with a default gateway that is also in your address pool. It seemed too obvious to be DHCP so I only glanced at the scope. The issue was that ever so often a client would be issued the gateway address and would completely screw the network.
So, I say all that to say don’t neglect the small, obvious things. It’s not always some massively complicated issue.
It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.
There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!
Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.
What are the respective advantages when you put the gateway in the access layer or in the aggregation layer? Can you cite a scenario where you would use such design?
How would I go about connecting this Cisco switch to this Dell switch via a 40GigE link? I've never connected across vendors before, so I'm a little confused about the QSFPs required. I don't think a passive copper cable would work, since the QSFPs are already built into the copper cable, and they are usually the same brand. Would a Cisco Branded QSFP work through fiber optic or to a Dell Branded QSFP?
Also of course we need to save money. So a $400 cable is kind of out of our price range, we are doing this to 8 switches. Going Dell to Cisco. We also might want to connect via 10GigE to a breakout 10GigE port on the Cisco switch for a smaller Dell S60 switch.
Any guidance?
I work for an ISP that has a fairly decent size FTTH market. We currently have somewhere in the range of 25,000 customers. We only offer gigabit speeds for our customers, and have marketed ourselves as guaranteed 950+ megabit service. For 90% of our customers they could care less what their speeds are as long as netflix doesn't buffer, and things generally work. Unfortunately we always have those few customers who like to just run speed tests, or verify their service. (For reference we had one gentleman that purchased a brand new top of the line mac book pro specifically for running speed tests. No apps or anything was loaded to the computer. If he thought his speeds were bad he would boot up the mac and run a series over an hour or two. Then report to us how terrible our service was because he was only getting 800mg on his tests.)
So to the problem at hand; right now our only way to verify if a customer is getting the speeds they are paying for is to run an ookla speed test to a dedicated server at our core. This keeps the traffic all on net. Unfortunately some of our markets are 100s of miles away from our core and have to hit several switches or routers before making it to the server. This tends to cause our latency to be up in the 10-15ms range. Adtran, our vendor for GPON equipment, has told us that latency above 10ms can cause issues with the TCP windowing and lowering the resulting speed test. On our MPLS network we have the ability to use test sets to test the circuit with out relying on a protocol like TCP to show bandwidth capability. Is there any offering of this type available for a GPON network? At the same time what is the best way to provide a customer an ability to test their bandwidth capability with out over complicating the process. We've discussed adding more Speedtest Servers in our network, but one of the concerns is we only have 2 exit points from our network. Would it be considered bad faith to have a speedtest server not actually at a point where the customer's traffic would be leaving the network?
Hi guys,
I am currently working to setup a road warrier VPN solution based on Windows 10 and a central MikroTik CHR. Protocol used is SSTP. The basics are already working. But my question is a follows: is it possible to have a split tunnel with that sort of setup, meaning to have the "standard" Internet traffic use a local breakout and to have just selected RFC1918 networks being reached via the SSTP tunnel?
Thanks in advance
I have this network rack in my basement. I want to mount small boards, like raspberry PI's. What are the correct mounting screws in this cabinet?
I'm trying to do something which I know should be simply but I'm failing :/
I want a simple route-policy which will allow me to advertise an as if it originates from a certain AS number but ONLY if it originates from that AS and doesn't pass through any other AS's.
I've got:
route-policy CUSTOMER-AS
if as-path originates-from '12345' then pass
endif
end-policy
But this will allow my router to advertise the prefixes even if they pass through multiple AS's before reaching me.
Thanks
Hi All,
I have a home internet subscription using HFC. Compared to DSL (at least in my country), HFC gives a usually higher bandwidth, but with slightly less stability compared to DSL. And indeed, I regularly suffer from small "line hits". Symptoms are either DNS failed requests, or at application level, many times, I open a webpage, nothing happens, and I need a refresh (or 2) to then immediately see my page.
I'm seriously considering to switch to DSL to hopefully get more stability.
Is it known and acknowledged that indeed, DSL tends to give you more stability and better tolerance against very short lines hits? Is there a consensus on the straights and weaknesses of DSL versus HFC?
Many thanks
Hi All,
Was hoping someone could help me out here. I have very limited experience ( actually none) with Smart licensing on firepower.
I noticed upon looking into one of the FMCs, that currently its state is as follows:
usage authorization: out of compliance
There is an option to reauthorize this, but i am not 100% sure as to what that will actually do.
For my own mental health, is this the device stating its licensing is expired and is due to be renewed or is this contact with the smart licensing that disconnected due to a change on the smart license side of things?
Also as a final note, should this not be resolved, will this impact me going forward (only two licenses currently are Control and Protection licensing on the FMC)
Thanks!
Hi all
I've been trawling the web but can't seem to find what I'm looking for. I'm looking for best case application response times. For example, what is the best reponse time you will get from a CIFS transaction on a local network. Same for NFS, SMB, HTTP etc.
Are there too many variables involved to get an idea?
I have a new BSNL fibre connection and I would like to know how to use Tenda AC1200 instead of ONU by bridging. There is no bridging option in the ONU provided by BSNL. The ONU brand is Optronix. I would like to know the settings so I can use Tenda router seamlessly.
Hey guys, I'd like to share a script I wrote that proved useful in my daily work life, perhaps it might come in handy for somebody else too. It's a quick shell alternative when you need an asn lookup and aspath trace while working on your network.
I'm always open to feedback, please feel free to comment and/or open an issue or pull request.
The script works on both Linux (bash v4+) and Windows (Cygwin).
You can find it here.
Can anyone help with this issue, I'm connecting to the WiFi hotspot (Virgin Media) on a Windows 10 laptop, but the connection disconnects every 20 minutes or so, any suggestions?
I've inherited a rather large campus network that is currently using VTP V2. I'm about to deploy a new switch (2960xr). I just want to confirm that as long as this new switch is in VTP client mode there is no chance of it blowing out the VLANs across the network.
Also, anybody know why VTP configuration is not stored in the standard config file? This just seems odd to me; are there other "hidden" configuration setting that exist but are not stored in the config?
I know we know have certificate transparency instead but for some applications I'd still like to pin the certificates or at least log them. Is there any tool that can do this? Ideally in a centralized way. like a proxy? If not, any browser extension or similar that could be used?
I am looking for programs to replay pcaps.
tcpreplay is not working well for me.
My setup:
Machine 1 ---- GW ---- Machine 2 | My Computer I want to send all the pcap packets from Machine 1(which is 'attacker') to Machine 2 (which is 'attackee')
tcpreplay doesn't send to spesific ip (which I need to catch traffic in GW)
I tried using it but the GW doesn't see the traffic. (because the attacker should send to spesific IP and not 'broadcast' the packets - the GW watches for traffic for both of them)
Any suggestions? I prefer Python scripts.
My notebook computer does not have an RJ45 port and I have to use an USB-to-Ethernet adapter to connect my machine to the LAN port of my router.
My operating system is Microsoft Windows 10 and according to the information provided by the OS, my IP address is:
Adapter Type: Ethernet 802.3
Product Type: ASIX AX88179 USB 3.0 to Gigabit Ethernet Adapter
Installed: Yes
Service Name: AX88179
IP Address: 192.168.0.186
IP Subnet: 255.255.255.0
Default IP Gateway: 192.168.0.1
DHCP Enabled: Yes
DHCP Server: 192.168.0.1
However, after I have logged into my router that is directly connected to my ISP, it gives me the following information:
WAN
IP Address: 172.20.34.33
Dynamic IP
Subnet Mask: 255.255.254.0
Default Gateway: 172.20.34.1
DNS Server: 1.1.1.1
I would appreciate it if someone could explain to me the differences in the IP addresses.
Hi everyone,
I'm just trying to setup VDSL2 on a Cisco ISR 1111, as usual with Cisco its far too complicated a process for me to figure out in an hour or so.
I have setup the modem the router is connecting to into Bridged mode with VLAN ID 2 which I'm assuming means the Cisco router doesn't have to tag the packets outbound or have a sub interface.
I've been googling setups for this type of router and seeing alot of information on upgrading the VDSL Controller firmware, but i cant see any firmware in flash for the controller. When i do a show command on the controller too and i am seeing that the controller is down - I'm not sure if there needs to be traffic pointing to it to bring it up or if the controller needs to be up before any traffic can use the controller.
The router has a working cellular interface currently too so I'm not sure if that's causing some issues also.
- would anyone happen to have any ideas on why the below wouldn't be working? Or be able to point me into the right direction?
controller VDSL 0/3/0
operating mode vdsl2
interface Dialer1
description VDSL
ip address negotiated
ip nat outside
encapsulation ppp
ip mtu 1492
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
no keepalive
ppp authentication pap chap callin
ppp chap hostname [myname@myprovider.net.au](mailto:myname@myprovider.net.au)
ppp chap password 0 ISP-PASSWORD
ppp pap sent-username [myname@myprovider.net.au](mailto:myname@myprovider.net.au) password 0 ISP-PASSWORD
ppp ipcp dns request
ppp ipcp route default
ip virtual-reassembly
route-map dialer-route permit 10
match ip address nat-wan
match interface Dialer1
ip nat inside source route-map dialer-route interface Dialer1 overload
ip route 1.1.1.1 255.255.255.255 Dialer1 <to bring the interface up>
interface GigabitEthernet0/0/0 (WAN INTERFACE)
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip tcp adjust-mss 1460
negotiation auto
pppoe enable group global
pppoe-client dial-pool-number 1
ip virtual-reassembly
Hi everyone! NOC jobs are quite rare in my area and I'm super nervous about this interview. I'm currently at helpdesk and would love to work in a more hands on role. Person in HR said hiring manager would ask questions based on my experience on my resume (not much, I graduated in December. No CCNA, but BS in CS, minor networking). Any tips, suggestions are highly appreciated.
Thank you so much!
The job description is:
NOC Technician
The NOC is the central point of communication for the IT organization. Communication between the different technical teams flows through the NOC. Because of this, NOC team members need to be able to effectively communicate technical issues with technical and non-technical people. NOC techs handle systems monitoring, alert triage, client requests and escalate issues to higher-level resources as necessary. NOC members will find themselves in an ideal position for learning a wide collection of technologies and candidates can look forward to crucial experience with Cisco gear, Linux and Windows servers and the engineers who built the systems.
Responsibilities:
Qualifications:
Not sure if this is the right spot, but figured it wouldnt hurt to ask. I have spectrum internet. I used a router + a spectrum modem, and just tonight switched over to router + my own modem. Tried to get online, got an error page saying I had to register my MAC address with spectrum. Okay, whatever. Call in, set up, get 200 Mbps down. Cool.
Thirty minutes go by, and I start getting that page again. Okay. So I call in, and in troubleshooting she says we’ll need to get a tech out. Okay... so I ask her to wait while I switch the other device back on. So, she goes through the setup again. My original router is set up and online. However, I still get the page that says to set up the MAC address. But it’s showing the MAC address of the previous modem.
In chrome browser I can access some pages, but can’t access most. I’ve cleared cache, cookies, etc. power cycled computer, modem, router multiple times.
I say chrome browser because I can access all pages via Firefox. What in tarnation is going on? My girlfriend can access all pages on her computer. We’re both wired to the router. I can’t even get Spotify — it shows as no signal. It’s like chrome is super confused.
Literally never seen anything like it. Anyone have any ideas?
Local museum tried expanding their network, none of the cabling would work. They called me, turns out the patch panel is a T568-A rather than B, which is fine obviously but everything must be wired accordingly.
Would y'all recommend rewiring the patch panel to B? Or just leave it. It's about 25 cable runs that would have to be redone.
I'm guessing they had a telecom guy install the structured cabling once upon a time and they just followed the color codes on the back of the panel which is labeled for A.
My idea is that I need to multi-home one router to two ISP. How do I set the preference for one ISP over the other? My idea is to separate rate traffic and send some of that traffic to an assigned ISP.
I just tried to bring up a new Intel X550 Nic in an ESX host and then moving it at the same time to the Nexus 9k core. I just by added the new 10Gb vmnic's that are trunked to the Nexus to the dSwitch and dropped the 1Gb links to the other 3850's switches behind the Nexus core. Existing dSwitch or the 3850's behind the Nexus were setup to do Port-Channel with the current config, and has been running like this for years on the 3850's. But this config did not work on the Nexus's.. Nexus's are paired with VPC, but should have still worked with the same config as the 3850's?
Or am I being forced to create a new dSwitch with LACP and port-channel (VPC) on the Nexus now?
Edited. Replaced LAG with LACP.
Hello great fellow networkers; I need some help here.
I have been working on an issue for many months now I cannot seem to make any sense of. We have two datacenters on opposite sides of the United States. Both datacenters are interconnected via a few point to point connections as follows:
When I send traffic from datacenter A(West Coast) to datacenter B(East Coast) I get approx 700Mbps(iperf3 tcp single stream test). When I send traffic from datacenter B to datacenter A I get approx 150Mbps(iperf3 tcp single stream test).
Please see THIS diagram; The lines represent the following:
The WAN LINK is where the 4 connections between the datacenters exist. It is OSPF on the 4 links with BGP on top for the actual routing. It does not make a difference what link is being used on the WAN connection. The speeds are the same.
I have thoroughly gone through every piece of networking equipment that is in play here. There are no CRCs, no pausing, no queuing, no fragmenting, no over subscription, light levels are good, no dropping on the carrier side, etc... I've contacted all 3 providers of the WAN links and they've sent techs to do throughput testing and achieved the speeds we pay for. I've done packet captures and I see lots of "TCP ACKed Unseen Segement" even though tracepaths show that the path is symmetrical. The packet captures have come from datacenter B's ASR 1006. I've consulted this with many other co-workers, friends, etc and we cannot figure out what may be causing this issue. I will provide any additional information you may need to assist me with this issue.
