Saturday, September 18, 2021

How would I get a NOC position after remote help desk?

I just recently got a Helpdesk job that’s remote. I start next week. It will be my first IT job. I have my Trifecta and I will be soon graduating with an AAS in Cybersecurity. I will study for my CCNA slowly also.

So how do I move from remote Helpdesk to a NOC?

Thank you guys for any tips and advice.



EVE-NG Cannot Install an image

I am following this guide verbatim, but I don't seem to go anywhere. I don't get the second prompt where I am supposed to leave the cursor on the SERIAL selection and not press enter. If I don't press enter, it just sits there. If I press ENTER, it just goes on a forever loop.

Has anyone run into this issue?

https://www.eve-ng.net/index.php/documentation/howtos/howto-add-cisco-csrv1000-16-x-denali-everest-fuji/



Complex network home lab

I’m thinking of beginning to set up a moderately complex home lab for practice to mimic a real network. So far, I have a pretty good idea of “site 1”/headquarters office, except for the hardware to get out to the internet. I’m wondering, however, if I’m missing anything. My goal is below 10-15k through eBay. If anyone has any suggestions or thinks I should have more specific appliances, that would be helpful.

Site 1

4x WLC

16X LWAP

4x Cisco 4000 series router

7x 2911

6x 3650

8x 3750

36x L2 switch

3x adaptive firewall

1x Cisco IronPort web security appliance

1x Cisco 4240

1x Cisco email security appliance

1x ISE

42x ip phone



eBGP - ISP peer authentication with password, anyone actually do this for security reasons?

I was curious how many people who manage eBGP peers with ISPs are using or not using peer authentication, and whether there are any adverse side-effects.



Problem implementing OSPF

Our current network uses all static routes. I've been wanting to implement OSPF but it's one of those things that always gets kicked to the side since other stuff is "more urgent." I was reading that the simplest way to start would be to just leave all my statics set up, implement OSPF, put everything in area 0, verify that the OSPF routes looked correct, and then slowly start to remove the static routes. Since the statics would have a lower cost by default, the idea sounded great because there really shouldn't be any risk of messing anything up (haha).

So, I started with just 2 routers that connect Site 1 and Site 2 together, but instantly ran into an issue. I had a static route set for a /23 subnet, but OSPF learned/generated a /24 included within that /23 and sent it somewhere else, which brought that segment down.

Being new to OSPF, I'm not sure how to find out where OSPF is learning/generating routes from or how to resolve the issue, so I disabled it for now. Basically looking for some info on how to find out where routes are being learned, why, and what to do in a situation like this. I'm just not familiar enough with how it works and what to look for. Maybe if I had enabled it on all the VLANs on the switches, that may have solved the issue, but I couldn't leave that network down for too long, especially since I knew the easy fix.

Here's a simple topology with some snippets of the config on those devices. Hopefully there's enough info here, but if any additional info would help I can gladly send it.

https://imgur.com/a/3b6B40u
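A worked illustration of why the OSPF /24 won over the static /23: forwarding uses longest-prefix match first, and administrative distance only breaks ties between routes for the same prefix. This is an added example built on a constructed routing table (10.20.0.0/23 and friends), not the poster's topology or configuration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    source: str          # "static" or "ospf"
    admin_distance: int  # Cisco defaults: static 1, OSPF 110


def add_route(table, cidr, next_hop, source, admin_distance):
    """Append a route built from plain strings and return the table."""
    table.append(Route(ipaddress.ip_network(cidr), next_hop, source, admin_distance))
    return table


# Constructed example table, not the poster's network: a static /23 for the
# remote site, plus a /24 inside that /23 that a neighbour advertised via OSPF.
ROUTES = []
add_route(ROUTES, "0.0.0.0/0", "isp", "static", 1)
add_route(ROUTES, "10.20.0.0/23", "site2-static", "static", 1)
add_route(ROUTES, "10.20.1.0/24", "core-ospf", "ospf", 110)


def select_route(dst, table=ROUTES):
    """Return the route used to forward to dst, or None if nothing matches.

    Longest prefix wins outright; administrative distance is consulted only
    to choose between candidates for the *same* prefix. So an OSPF /24
    (AD 110) beats a static /23 (AD 1) for every host inside that /24.
    """
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    candidates.sort(key=lambda r: (-r.prefix.prefixlen, r.admin_distance))
    return candidates[0]


def shadowed_statics(table, static_source="static", dynamic_source="ospf"):
    """List (dynamic_prefix, static_prefix) pairs where a more specific dynamic
    route overrides part of a static one. This is the check to run before
    trusting 'statics have lower AD, so nothing can break'. The default route
    is skipped because every prefix sits inside it."""
    statics = [r for r in table if r.source == static_source and r.prefix.prefixlen > 0]
    dynamics = [r for r in table if r.source == dynamic_source]
    return [(str(d.prefix), str(s.prefix))
            for d in dynamics for s in statics
            if d.prefix != s.prefix and d.prefix.subnet_of(s.prefix)]


if __name__ == "__main__":
    for host in ("10.20.0.5", "10.20.1.5", "8.8.8.8"):
        r = select_route(host)
        print(f"{host:>10} -> {r.prefix} via {r.next_hop} ({r.source}, AD {r.admin_distance})")
    print("dynamic routes shadowing statics:", shadowed_statics(ROUTES))
```

Adding an equally specific static (10.20.1.0/24, AD 1) is what would make the static win again, since only then does AD come into play.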



Can an iphone mac address be cloned through cloud?

Vague title, but read below; it's my only thought so far.

In January I had a user with an iPhone on my network repeatedly doing the wrong thing; I won't go into detail. This user was repeatedly warned, but continued this activity, stating "I will continue to do this". I copied down the MAC address and after one final warning kicked the user, which led to a major tantrum and smashing the phone on my desk... it's still here... in pieces. I unbanned the MAC address at the time, thinking there was no threat.

In about July the user turned up with a new phone and had access to the network. I assumed one of the other admins let him on. It was explained to him that repeating the previous behaviour would result in a permanent ban, no third chances.

I went to the access list and copied down the new MAC address, and bugger me, it is the same as the OLD phone... the same phone still sitting in pieces on my desk. I spoke to the other admin and they said they didn't give access.

The user does not in any way have the skill set to clone MAC addresses, and it is extremely unlikely he has friends who would.

There is a very very very slight chance I screwed up, blocked the wrong phone (he may have had two) or stuffed some sort of blocking up. Things were pretty stressed back then (approximately March).

Is there any way possible the MAC address could have been cloned somehow through iCloud or some ported settings? I think WiFi access passwords can be, so that makes me think I may have blocked the wrong phone.

Any suggestions welcome



Aruba ClearPass User ACL with Cisco switches?

Hi

I have a question regarding the use of per-user ACLs with Aruba ClearPass. Is this only possible with Aruba switches, or will it also work if we have Cisco switches? In this case, ClearPass does not know how to provision Cisco switches and only talks to Cisco switches via RADIUS. I don't see how RADIUS has the mechanism to provision highly granular ACEs, so I am thinking that user ACLs with ClearPass are not possible if we have Cisco switches. But am I missing something?



Aruba ClearPass policy across locations

Hi

We are a globally located enterprise looking at Aruba ClearPass. Any best practices on whether it should be deployed per location or in a few central locations? If deployed centrally, there would be latency issues. If deployed distributed, I am not sure how we would get policy consistency across locations. Any thoughts on best practices, please?



Finally figured out how to replicate policy based DCE/RPC inspection from the ASA onto our new FTD Platforms.

Seriously, it was like Cisco wants to punish us for moving to the FTD platform. I had even used their migration tool previously to convert our ASA config to the FTD, and the post-migration report listed the inspection policy as unsupported. I spent hours scouring forums, blogs, and white paper sites and really couldn't find any good documentation about how you could go about doing it. The most I could find was some suggestions to use FlexConfig objects.

We had several tickets open with Cisco TAC on this issue, and every engineer assigned failed to give me a good solution. Their answer always came back to just creating rules in the access policy opening all the high-range ports between security zones. Which kind of sucks as a solution.

So yes, maybe I'm an idiot for not figuring this out earlier, or maybe it was clearly documented somewhere and my Google-fu really could use a refresher, but it is possible to replicate policy-based DCE/RPC inspection using FlexConfig objects. (To a degree; I still couldn't get it to let me configure timeout pinhole settings, but take the victories you can, I guess.) I welcome reddit's mockery for banging my head against the wall this long before figuring it out.



Best p2p receiver ~1KM ?

Hi. I used a MikroTik SXT for years, but it's broken. Please suggest a cheaper p2p wireless device for 1 KM away from the PoP site (it has direct line of sight); the maximum speed of my internet service is 16 Mb/s.



TLS Handshake Failing - Changing IP address.

Having a difficult issue with SSL handshakes on a client-server TLS connection over 443 that we are trying to troubleshoot. We have a client PC on a customer's network trying to connect over the internet to a cloud-hosted server. We have good access to the cloud solution's tech support and somewhat indirect access to the customer's firewall vendor that is managing the infrastructure getting our PC out to the internet to connect to the cloud server. We had this PC, via an agent service, connecting fine to the cloud solution over port 443 previously. The customer required that we change the local IP on the client PC, decrementing the last octet (we went from .251 to .250). It is not an option at this point to change the IP back or to anything else, for reasons I can't go into. The agent no longer connects, and here is what we know:

  • The failure with .250 occurs after the client sends Client Hello and the server responds with an ACK, but the Server Hello never comes following that. The server sends an RST, ACK to close the socket after a 15+ second timeout, I believe because it next expected a Client Key Exchange from the client following the Server Hello, but the Server Hello never gets to the client, so it of course never sends the Client Key Exchange. When we temporarily go back to .251 (or try another IP in the subnet that is free), this key exchange happens flawlessly every time.
  • We tested this key exchange to our server via OpenSSL, and it behaved as above when using the agent. We also tested the key exchange with OpenSSL to Google's 8.8.8.8:443 and it behaved exactly the same: .250 failed like above and .251 worked (and .252 worked too).
  • When it fails over .250 the protocol shown in Wireshark is TLSv1; when it works on .251 the protocol is TLSv1.2 (we are not doing anything differently except changing the local IP). This may be a quirk/feature in Wireshark, as I'm seeing similar structures in the packets for the record layer and the handshake protocol in both cases, but in the "protocol" column Wireshark is choosing to display TLSv1 and TLSv1.2 respectively for the packets in spite of this. So this may be nothing; it may be because the actual TLS version is declared in the Server Hello and that is never happening for .250, so it shows TLSv1.
  • The firewall/networking vendor for the customer has confirmed that they are not doing any SSL inspection and that the rules are the same for all IPs in this subnet. We've asked this multiple times at this point. This is out of our direct control and the area most suspect at this point IMO, but they are growing tired of our prodding.
  • If I traceroute to our server on .250, none of the hops reply via ICMP after the default gateway. If I do a traceroute to our server on .251, all of the hops reply via ICMP from the default gateway all the way to the cloud server. Again, it hardly seems like these two IPs have the same rules. The IP is the only thing changing between the two tracert tests.

Would love some insight/encouragement to focus our efforts on the firewall vendor, or to identify any other avenues of attack in our troubleshooting/isolation.



Trouble getting FortiAP up and running

Hey all! I am hoping to obtain some guidance, as I've run into a brick wall.

For some context, I am a networking noob. I have some fundamental networking knowledge and have done basic Cisco router/switch configurations, but nothing crazy and only in an educational environment (and that was about 4 years ago, at that). I am a Jr Sys Admin tasked with setting up a network at one of our overflow offices and I have run into a bit of a snag.

I have a FortiGate 100F that will be used as our firewall and act as our router. I also have a Cisco SF300-48P switch underneath. Alongside this, I have a FortiAP 431F that I need to deploy.

I have the FortiGate and the switch configured and operating normally. When I plug into one of the ports on the switch I obtain network connectivity and it seems to work great.

I was tasked with deploying a FortiAP to provide a wireless option for some of our more mobile users in this office, which is where the FortiAP 431F comes in. I figured it would be easy enough: configure the interface in the FortiGate for wireless, plug the AP into that port on the FortiGate, and I should be able to configure it from there. However, to my dismay, I have realized that the FortiGate 100F does not offer PoE, and so when I plug the AP into the FortiGate, it doesn't power on. It looks like I will need to have this AP run through the switch.

I attempted to plug the AP into the switch and the AP powered on just fine (a good sign!); however, I could not see the AP in the FortiAP manager console when in the admin console of the FortiGate. This leaves me at a bit of an impasse, as I cannot interface with the AP for configuration because it does not appear in the FortiAP section of my admin console (when remoted into the FortiGate).

I assume that I am just missing something very obvious here. It doesn't seem like running an AP off a switch is an unorthodox or unusual configuration so I may just need a nudge in the right direction.

Any guidance is greatly appreciated!



Little new to this, but does anyone know if anything fishy is going on here?

Wireshark

It feels like an ARP poison and the MAC addresses seem weird.

If it is, does anyone know how to remove this?

Thank you



Point to point connection via tunnel

To start, I deal more with defensive and offensive security, so while I can understand the networking aspects somewhat, they are not my primary knowledge base.

I am in the process of designing a training network involving two forested domains with extremely limited access between the both. Here is a rough breakdown. Forest 1's domain will have an overarching DC with 2 child domains (a & b). Each child domain will also have a separate file server and DC. Under each child domain will be several PCs. Forest 2 will be its own domain with a single DC and separate file server with several PCs.

The idea is to grant a selective authentication trust for a single domain admin from the Forest 2 DC to the Forest 1 DC. That will be pretty much the only access between the forests, with 1 other alternative.

The access I am trying to figure out is a PC to PC connection from Forest 1, child domain b, PC 3 to Forest 2, PC 2. I am hoping to set up a one-way trust for a single user that can only be accessed via tunnel. Forest 2 will not be able to access Forest 1 via this route at all.

Please share any links or knowledge on this process or let me know if I need to draw anything out and provide more information.



Nexus vPc advice

Kinda out of my realm, as I am more at home in the IOS world, but here goes... I have a C9300 switch connected back to a pair of N9Ks at the core. The C9300 is trunked over fiber back to the core on a port channel, one connection to N9K-A and one connection to N9K-B, utilizing vPC and HSRP. As this is a critical link, we have added a microwave backup to this site in case the fiber is ever damaged. The traffic to this site would be measured in kilobits rather than gigabits, but every bit is fairly important. I would prefer that 100% of the traffic utilize the fiber until the microwave is the only option. How would you go about adding this backup connection? Add it to the HSRP standby group as a third member? Isolate it and let STP sort it out? Thanks in advance.



MAC Spoofing in Campus LAN (SD-Access)

Does the Cisco SDA solution, especially the use of LISP, help crack down on MAC spoofing or MAC theft? In my experience, if MAC spoofing/theft occurs, LISP is not intelligent enough to know whether the first device is legit or the second.



Firewalls and DHCP Transaction ID

We are currently troubleshooting an issue wherein our site has asymmetrical routing towards the data center where the DHCP servers are. The discover message goes out one side and the offer message is received on the other WAN circuit. Based on the packet capture, the transaction ID is being altered. If we force the DHCP communication over one circuit via a static route or by shutting down one circuit, then DHCP works well and the transaction ID is intact. We do not have access to the DC side, but we suspect that there are two firewalls out there facing different MPLS circuits that are causing the transaction ID to be altered. I can't think of any network device that would alter the payload other than a firewall.

So the assumption is: the discover message goes out MPLS1 and passes through FW1; the offer message goes back through FW2, then MPLS2. I'm thinking that since FW2 doesn't have a session in its table, it messes up the offer message, but it is allowed to pass through. Maybe they allowed UDP any/any.

I just can't seem to find a firewall product that could cause this. Any idea? Thanks!
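As an added example (constructed frames, not the poster's capture), the check below parses the BOOTP/DHCP header and options, pairs each OFFER with the DISCOVER from the same client hardware address, and flags any OFFER whose xid no longer matches. That is exactly the symptom described: per RFC 2131 the client silently discards a reply whose xid differs from the one it sent, so a rewritten xid looks like DHCP simply hanging. In practice you would feed it the raw UDP payloads extracted from the two-circuit capture.

```python
import struct

DHCP_DISCOVER, DHCP_OFFER = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_END = 0, 53, 255


def build_dhcp(op, xid, chaddr, msg_type, yiaddr=b"\x00" * 4):
    """Build a minimal BOOTP/DHCP message (constructed test data only)."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0,                 # op, htype=Ethernet, hlen=6, hops
        xid, 0, 0x8000,              # xid, secs, flags (broadcast bit set)
        b"\x00" * 4, yiaddr, b"\x00" * 4, b"\x00" * 4,   # ciaddr yiaddr siaddr giaddr
        chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128,   # chaddr sname file
    )
    return fixed + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type, OPT_END])


def parse_dhcp(payload):
    """Return op, xid, client MAC and DHCP message type from one UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (length or magic cookie)")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    chaddr = payload[28:28 + hlen]           # chaddr starts at fixed offset 28
    msg_type = None
    i = 240                                  # options follow the magic cookie
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        if code == OPT_MSG_TYPE and length == 1:
            msg_type = payload[i + 2]
        i += 2 + length
    return {"op": op, "xid": xid, "chaddr": chaddr, "msg_type": msg_type}


def find_xid_mismatches(payloads):
    """Pair OFFERs with the latest DISCOVER from the same client MAC and report
    OFFERs whose xid changed in transit (the client will discard those)."""
    pending = {}    # client MAC -> xid of its most recent DISCOVER
    findings = []
    for payload in payloads:
        m = parse_dhcp(payload)
        if m["msg_type"] == DHCP_DISCOVER:
            pending[m["chaddr"]] = m["xid"]
        elif m["msg_type"] == DHCP_OFFER:
            sent = pending.get(m["chaddr"])
            if sent is not None and sent != m["xid"]:
                findings.append({"client": m["chaddr"].hex(":"),
                                 "sent_xid": sent, "offer_xid": m["xid"]})
    return findings


# Constructed capture: client A's exchange is intact; client B's OFFER came
# back over the other circuit carrying a rewritten xid.
MAC_A = bytes.fromhex("0200aa000001")
MAC_B = bytes.fromhex("0200bb000002")
SAMPLE_CAPTURE = [
    build_dhcp(1, 0x11223344, MAC_A, DHCP_DISCOVER),
    build_dhcp(2, 0x11223344, MAC_A, DHCP_OFFER, yiaddr=bytes([10, 1, 1, 50])),
    build_dhcp(1, 0xDEADBEEF, MAC_B, DHCP_DISCOVER),
    build_dhcp(2, 0x00000001, MAC_B, DHCP_OFFER, yiaddr=bytes([10, 1, 1, 51])),
]

if __name__ == "__main__":
    for f in find_xid_mismatches(SAMPLE_CAPTURE):
        print(f"{f['client']}: sent xid {f['sent_xid']:#010x}, "
              f"OFFER carried {f['offer_xid']:#010x}")
```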



Endpoint Authentication

If an endpoint wired or wireless gets disconnected physically or faces an IP disconnect for some reason, does it need to reauthenticate itself with ISE and redo the DORA? Or can such endpoints in Campus LAN be authenticated and join the network back despite reachability to ISE/AAA/DHCP server being down as a result of Data center reachability being down?



Experiences with Honeypots (for a school-project)

Hi Guys

I saw that questions like mine pop up from time to time; however, they weren't exactly what I was looking for, therefore I'm asking my own questions now. For a school project I want to set up a small honeypot environment. In order to evaluate different possible solutions, I would like to have some real-life experiences and maybe even real-life examples from different setups.

I'm looking for both high- or low-interaction honeypots as well as "appliances" like FortiDeceptor, or whatever fancy marketing names these devices have. So my questions are:

  • What (if any) software do you use for your low-interaction honeypot?
  • What Tools do you use to "observe" your high interaction honeypot?
  • Do you maybe even have an appliance / complete solution as a high-interaction honeypot? Do you have experience with an appliance like FortiDeceptor or any other vendor?

I'm primarily thinking about honeypots in the internal network to deceive and/or reveal some malicious activity. I know that there are other and probably even better options, which I'll certainly mention in my project, but as I had to choose a specific topic for the school project, I'm all in on honeypots :)

I'm open and thankful for all opinions, experiences and discussions!



What are all the troubleshooting problems a Network Engineer may face?

Hi, I am looking for specifics on all of the types of troubleshooting problems which can arise. For example "no internet connection", "cannot connect to a certain website" or "internet is very slow." It would be great if anyone could recommend a website where I can learn the diagnosis of the various types of IT/networking issues which clients would call and ask for help with.



Cisco ISE CLI password reset

Hi, all.

Could somebody please explain the best way to reset the CLI password for an SNS-3515 appliance running ISE 2.7?

We've CIMC access, but it decided to stop working now (I can ping, but GUI/SSH doesn't work). That leaves me with only one option, which is via bootable USB. I found this guide but am quite confused about the exact steps needed. https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200568-ISE-Password-Recovery-Mechanisms.html

Has anybody done this before? If so, what is the best way to reset it?

Step 3 on the guide says:

Step 3. Restart SNS-35XX appliance and go to the BIOS mode on console

Step 4. In the BIOS mode, choose boot from USB.

Any idea how I can force the ISE to boot to the BIOS? Is there a keyboard break I should send?

Thanks in advance.



Best enterprise Networking vendor

Hey guys, Cisco has too many components to manage. Tired of their forever integration… always need to buy new hardware for their next integrated feature, etc.

Which vendor provides the following capabilities better than or equal to Cisco?

  1. Micro-segmentation (Cisco ISE, dot1x etc)
  2. Virtual networks/multi-tenancy (overlay)
  3. NGFW - can be different vendor
  4. Wireless
  5. Software defined (controller based) routing/switching.

Preferably should have a single dashboard (DNA center is lol). Remote management support for switches (never need to console in ever). Stackable switches, minimal downtime during upgrades. Should extend to datacenter switches.

How good are Fortinet, Juniper, Arista etc?

Thanks



Friday, September 17, 2021

Need assistance with failed router cutover please!

We tried earlier to upgrade our edge Cisco routers. We have 2 WAN links and we use eBGP to peer with the carriers. The primary link was to go from 500M fiber to 10G. The backup link is 50M fiber. The cutover failed due to the primary carrier claiming they never moved us to 10G service at their CO. Only the physical line was put in. So, we rolled back to the old router and service.

After that, we notice we had asynchronous routing.

Context: we have a /24 public block purchased from the secondary carrier (Grande Communications). We are advertising this to the primary carrier (Spectrum). Spectrum is now saying they do not and will not advertise this /24... despite us having this set up for several years at least.

Does anyone have any knowledge of the WAN part here? I'm not familiar enough with the carrier part to say that Spectrum is full of shit and should be advertising this route for us. Do we need to provide some type of LOA, or does the carrier from whom we lease the /24 need to provide this? Any help would be greatly appreciated. We've been at this for hours and I don't know what to do.



For those Engineers who had their network taken over/managed by a 3rd party VAR (Accenture, NTT, Fujitsu etc). How was it? How is it going?

I'm seeking insight from those shops who have had a VAR step in and take over full management of the network to provide comment.

Things I'm interested in hearing your experience on:

  • What equipment did you have before vs. now?

  • What better/worse standards were introduced?

  • Were there any major architecture changes (e.g. SD-Access, standard 3-tier, etc.)?

  • How has the service been from a "boots on the ground" worker?

  • For those who lived through a transition, do you believe the outcome has been for better or for worse for your end customer (the business)?

  • Care to share any photos of before/after Network closets?

Thanks!



u/packet_whisperer locked my post on the grounds of it being low quality.

The whole reason that I posted it was to figure it out because I didn’t know. I just went on Reddit to find a subreddit that could hopefully help me. I’m not well versed on anything that has to do with networking. It’s a lot easier to ask on Reddit than for me to be fumbling with words on Google and not find any search results that can accurately explain what was going on.



Which 802.1x NAC Solution Do You Prefer?

Our security roadmap has 802.1x port-based authentication on the horizon, and I thought I'd put the question out: What's your current favorite NAC solution?

Currently we run a pair of Microsoft NPS servers for our RADIUS authentication, but I've heard that trying to do port-based authentication with NPS is a massive pain in the arse. I've also heard that Cisco ISE is a monster to try and implement...

So I'm currently looking at Aruba Clearpass, Forescout, and PacketFence (with support); but having no experience with any of these products I'm interested to know what you guys think. Obviously we'll do a proper POC, but I don't want to waste time on a stinker. 😄



Small TraceRoute GeoLocation Viewer

I wrote a small traceroute geolocation utility that will display a routing geolocation map. It uses Tcl+gnuplot+ipwhois to grab and plot the map. The map is ugly (I know!) because I could not find a lightweight and free solution, so I just used the world map data points from gnuplot.

This is a hobby project I did. Here is the GitHub link

Thanks.



Thursday, September 16, 2021

Studying for ENCOR - Any tips?

Title says it all. I've got my ENCOR coming up in a couple of weeks. My job was kind enough to buy me a study-at-your-own-pace course straight from Cisco. I am good with 90% of it all, except SD-Access and DNA.

Does anyone have tips or things to make sure I look out for?

Thx!



Tcpdump For Juniper/Junos SRX300

Is there any way I can see packets being sent to an SRX300 firewall? I have the SRX300 connected to the internet on untrust interface ge-0/0/2. I'm running "monitor traffic interface ge-0/0/2" and then using netcat from another device on the internet to send test packets to it. I tried interface ge-0/0/2.0 as well.

But the SRX300 is not showing any of the traffic being sent to it.

So I got crazy and couldn't let this go. I set up a workstation with 2 NICs and ran a live BSD OS. Configured it as a transparent bridge and re-wired the ethernet cables through it so I could see what was going across the wire to the SRX300.

The BSD transparent bridge is showing all the traffic I'm sending with netcat. Every port TCP and UDP. Correct destination IP, correct source IP. But the SRX300 isn't showing anything.

Is there some command I'm not aware of that will show me what I want? I know "show security flow session" isn't what I want.



Could you power a PC over PoE

Really random and hypothetical question here. But could you power a PC (like a full tower) over PoE? And if you could, how much could you push it? Would you be able to get any good performance from something like this?

The hypothetical question can use PoE, PoE+ or PoE++. Or if there are any other PoE standards I don't know about.



Q-in-Q Juniper vQFX Lab

Hi there!

I'm working on a Juniper vQFX EVE-NG Q-in-Q lab and successfully configured adding the S-VLAN tag (2890) on the L-PE<->R-PE link, but the problem is that packets are going out of the PE client-facing ports without any tag, just like on an access port. I described the right-left packet flow on the diagram, but the same situation happens on R-PE on the left-right flow as well. Can anybody explain to me why that happens and how to fix it?

Thanks for your answers!

Diagram: https://imgur.com/a/b4dnEn7

R-CPE Config: https://pastebin.com/dpHvdKgF

R-PE Config: https://pastebin.com/UXrEQExG

L-PE Config: https://pastebin.com/r3wme2zi

L-CPE Config: https://pastebin.com/e4zNZ5CH

R-CPE xe-0/0/0 outgoing ARP Frame (Wireshark img): https://imgur.com/a/xmzB4lM

R-PE xe-0/0/0 incoming ARP Frame (Wireshark img): https://imgur.com/a/O8cU2aI

R-PE xe-0/0/1 outgoing ARP Frame (Wireshark img): https://imgur.com/a/HPvYVNJ

L-PE xe-0/0/0 incoming ARP frame (Wireshark img): https://imgur.com/a/EldOyrb

L-PE xe-0/0/1 outgoing ARP frame (Wireshark img): https://imgur.com/a/OIzGV41



Tenda Mw6 shows sometimes 1-5Mbps Download

Hello guys, I have a Tenda MW6 with 2 nodes; 1 is the primary one and the other one is secondary. Sometimes the secondary one shows me only 1 Mbps; the normal speed is something between 60-70 Mbps. I already tried to reset it and even change the SSID, and still nothing.

The nodes are not far away from each other, and it shows a green light and not yellow or red.

What can the problem be?

Thanks guys and sorry about my grammar 🤣



Help: Set 'nested' switches to work on a custom subnet

First off, I'm new to this subreddit and didn't see any rules posts, so please let me know if there is a better way to post this question :)

----

Basic Question:

What settings should we use so that our 'nested' switches serve up local IPv4 addresses according to our custom subnet, which the 'main' switch is set up to administer?

----

Issue Details:

We have a 'main' switch (Cisco RV325) that is set up to issue a subnet to everything downstream (in this case, we use 10.0.1.#). We have several switches (also Cisco RV325s) 'nested' to that one, which provide additional cable drop locations to workstations, etc.

The problem is that certain workstations will be initially unable to access the network (neither local server nor internet), and the only solution is to "ipconfig /release" and "ipconfig /renew" several times until it manages to connect. As best I can tell, the issue seems to be that the workstation PC is finding the 'nested' switch into which it is plugged, which is offering up the default subnet (192.168.1.#), and is therefore unable to talk to the rest of the network. This is my best guess based on clues gathered while troubleshooting.

Therefore, my proposed solution is to reset and configure the 'nested' switches to sort of "slave" to the 'main' switch, acting only as 'pass-through' switches. Problem is, I can't find clear direction on what settings to use to achieve this. I've been poring over the RV325 manual and see a lot of different configuration options, but none that clearly state they will work for the kind of 'nested' condition we are trying to achieve.

Do I use the Cisco manual's process for "Adding a Subnetwork" to the 'nested' switch? Won't that configure the 'nested' switch to think it is 'administering' the subnetwork and cause it to argue with the 'main' switch which is already configured to do so?

Do I simply set the "WAN Connection Settings" to "Obtain an IP Automatically"? Will that cause the 'nested' switch to receive its subnet instructions from the 'main' switch and serve up the desired subnet to all devices plugged into it?

----

Some background information:

  1. I'm an architect who also wears the I.T. manager hat. Two others and I here at our 20-person firm manage all aspects of I.T. in-house. I'm very "tech-savvy" and have done the I.T. role in past jobs, but I am by no means a trained expert.

  2. Why are we using a subnet this way? Simple answer, because it was originally set up that way, and currently all our server settings, firewall settings, and remote access settings rely on those subnet addresses. I'm sure it's not the perfectly ideal scheme to be using, but at the moment we DO NOT have the ability to re-configure the entire office; we're just so insanely busy with architectural work.

  3. For context: we have 4 new employees arriving on Monday and I am coming in on the weekend to install a new switch that will provide network drops for the new employees' workstations, and I was hoping to reconfigure the existing 'nested' switches while I was at it and eliminate this pesky "ipconfig" issue.

---

Any help or pointers would be greatly appreciated!



Two connections, one cable

Hi everyone, let me say that I’m a nobody when it comes to networking :)

I live in an where each space has one Ethernet cable coming into said space, through a hub not close to this space.

I need to have two incoming internet connections, one DSL, one point-to-point, both having their own Ethernet cables…

Could I use an Ethernet splitter on both ends (hub, then space) to separately connect and receive two signals, onto two different routers, on the same cable that runs from the hub to the space?

Any help is truly appreciated.



Stop application broadcast

Hi, I have an application running on a W10 box that is broadcasting across my LAN. The data it is sending is something I do want to pick up, but only on the machine it is running on, so I need a way of preventing it from “leaving the box”. Any help please; yes, I do work in IT, no, I don’t work in comms. Many thanks, Indeedily



Voice IVR in India?

Anyone have any recommendations? We had CUCM on-prem, moved to hosted CUCM off-prem by a company I absolutely despise, and am now looking to find someone else. I prefer a pure cloud-based hosted solution like Zoom Phone, but the costs for them in India are prohibitive right now. Would need some hard phone support (Cisco 88xx, 78xx), but the majority would be softphones.



How do stateful firewalls track UDP sessions?

For TCP sessions, stateful firewalls generally inspect the 3-way handshake; for UDP there is no such handshake. How do they track UDP sessions in the stateful session table?

Do they merely log the first packet, record source IP, source port, destination IP and destination port, and track the session that way, so that any other packets received that match the same criteria are marked as client traffic for the session, and packets with the source/dest fields inverted match server traffic for the same session?
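An added example of the pseudo-stateful tracking the post describes (illustrative Python, not any vendor's implementation): the first packet permitted from the inside creates a 5-tuple entry, packets matching the entry are client traffic, packets matching the inverted tuple are treated as server replies, and idle entries expire after a timeout. The inside networks, the 30-second idle timeout and the "inside may initiate, outside may not" policy are assumptions.

```python
import ipaddress
from dataclasses import dataclass

UDP_IDLE_TIMEOUT = 30.0   # assumed; vendor defaults range from ~30 s to several minutes


@dataclass
class UdpSession:
    key: tuple           # (src_ip, src_port, dst_ip, dst_port) of the first packet
    last_seen: float
    to_server: int = 0   # packets matching the key as-is (client traffic)
    to_client: int = 0   # packets matching the inverted key (server replies)


class UdpStateTracker:
    """Pseudo-stateful UDP tracking.

    With no handshake to inspect, the first datagram permitted by policy
    (here: anything originating inside) creates a 5-tuple entry. Later
    datagrams matching the entry are client traffic; those matching the
    inverted tuple are replies and are allowed back in. Idle entries expire,
    so a single stray reply cannot hold a pinhole open indefinitely.
    """

    def __init__(self, inside_nets, timeout=UDP_IDLE_TIMEOUT):
        self.inside = [ipaddress.ip_network(n) for n in inside_nets]
        self.timeout = timeout
        self.table = {}   # 5-tuple -> UdpSession

    def _is_inside(self, ip):
        return any(ipaddress.ip_address(ip) in net for net in self.inside)

    def _expire(self, now):
        stale = [k for k, s in self.table.items() if now - s.last_seen > self.timeout]
        for key in stale:
            del self.table[key]

    def process(self, src_ip, src_port, dst_ip, dst_port, now):
        """Classify one UDP datagram seen at time `now` and update state."""
        self._expire(now)
        fwd = (src_ip, src_port, dst_ip, dst_port)
        rev = (dst_ip, dst_port, src_ip, src_port)
        if fwd in self.table:                      # more traffic from the initiator
            session = self.table[fwd]
            session.last_seen = now
            session.to_server += 1
            return "allow:client"
        if rev in self.table:                      # reply to an open session
            session = self.table[rev]
            session.last_seen = now
            session.to_client += 1
            return "allow:server"
        if self._is_inside(src_ip) and not self._is_inside(dst_ip):
            self.table[fwd] = UdpSession(fwd, now, to_server=1)
            return "allow:new"
        return "deny"                              # unsolicited from outside


if __name__ == "__main__":
    fw = UdpStateTracker(["192.168.1.0/24"])
    # Constructed flow: a DNS query out, its reply back, a spoofed reply from
    # the wrong port, and a late reply after the idle timeout has passed.
    print(fw.process("192.168.1.10", 53000, "1.1.1.1", 53, now=0.0))
    print(fw.process("1.1.1.1", 53, "192.168.1.10", 53000, now=0.5))
    print(fw.process("1.1.1.1", 53, "192.168.1.10", 53001, now=0.6))
    print(fw.process("1.1.1.1", 53, "192.168.1.10", 53000, now=40.0))
```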



EAP-TLS 802.1x auth and NPS on Windows Server

Hopefully this is the right subreddit for this question. I'm trying to get my head around how EAP-TLS works, specifically in relation to its integration with Windows AD. I have a Windows enterprise CA issuing certs to domain-joined Windows machines which works great to authenticate them using 802.1x auth on my UniFi and Aruba APs, using NPS on Windows Server 2016 as the RADIUS server.

What I don't understand is how NPS ties the certificate to the AD machine account, or what else is going on in the 802.1x process which controls how NPS sees the machine identity.

Specifically, what I'm troubleshooting right now is a wacky race condition where we're provisioning new Win 10 machines with Azure Autopilot and Endpoint Manager (Intune). I'm issuing certs to the machines via SCEP/NDES, and the certs issued during the Autopilot provisioning process don't work.

What happens is the Win 10 machine enrols for a certificate (via SCEP) with its default device name ("DESKTOP-XXXXXXX"), but during the Autopilot hybrid domain join process it gets renamed. If it tries to auth to the WiFi with the cert issued by SCEP, it fails and NPS logs "The specified user account does not exist". If I delete the cert, the machine gets a new one via SCEP, which then works just the same as if the machine had enrolled directly against the CA with an internal connection.

I have the cert profile set up to use "CN=" as the subject name (i.e. a big long string with no relation to any on-prem AD field that I know of). In the SCEP profile I also have a subject alternative name with the DNS attribute set to ".[my on prem ad domain].local". This is the attribute that differs between the certs that don't work and those that do.

So what is NPS doing/seeing that makes it determine if the user (machine account) exists or not? Is it literally just looking at the SAN on the cert and matching the name to accounts in AD? Or is there an AD credential exchange in addition to the TLS cert-based mutual auth between the EAP supplicant and NPS?

Further to trying to solve this specific problem, I feel like if I can get a handle on how this process really works, I should be able to figure out how to configure cert-based auth for non domain-joined devices, like Android phones (cert pushed out via SCEP), and Yealink desk phones. Is kerberos delegation required for this to work?



Cisco ASA TCP Reset-O

Hello all,

I've been troubleshooting an issue for weeks now. I'm still fairly new to Cisco ASA and trying to learn.

Hopefully people will take their time and read this.

So we have a server (10.233.10.10) that needs access to another server (10.254.254.58) on port 443.

Here is the topology: (Imgur link)

So when I try to do a TCP connection test from server: 10.233.10.10 > 10.254.254.58 on port 443, I get this log message in the ASA-A:

Sep 16 2021 08:58:18: %ASA-6-302013: Built outbound TCP connection 824057093 for TRANSIT-E:10.254.254.58/443 (10.254.254.58/443) to INT-PROD:10.233.10.10/52275 (10.233.10.10/52275)

Sep 16 2021 08:58:18: %ASA-6-302014: Teardown TCP connection 824057093 for TRANSIT-E:10.254.254.58/443 to INT-PROD:10.233.10.10/52275 duration 0:00:00 bytes 0 TCP Reset-O from TRANSIT-E

The server-A: 10.233.10.10 is directly connected behind ASA-A and the server-B: 10.254.254.58 is directly connected behind ASA-B. In the ASA-B, I'm not able to see traffic there because all HTTPS traffic goes via proxy. The Windows guys said that they could not see 10. addresses bypass the proxy. We have routing from the server-A all the way to server-B. I can ping from server-A, ASA-A, Switch_A, Switch_B and ASA-B to server-B, so routing is not the problem.

In the ASA-A and ASA-B, it is open for HTTPS; I confirmed that the source IP and destination IP are correctly defined in both firewalls and that the ACL is applied to the correct interfaces. We do not do any ACL for HTTPS in the switches that could block HTTPS. From server-B and ASA-B and the switches, I can't ping 10.233.10.10 and that is because ping is not allowed (for security reasons).

So my question is:

  1. What does the TCP Reset-O mean in the ASA-A log: "built outbound TCP con for TRANSIT-E: 10.254.254.58/443 to INT-PROD: 10.233.10.10"? From what I understand and the research I did, it means that the server on the outside reset the TCP connection. Another link says that TCP Reset-O means "A TCP reset enters a low security interface and exits a high security interface".
  2. This is probably a very stupid question, but since server-A is the one that makes an outbound TCP connection, shouldn't the log instead say "built outbound TCP for 10.233.10.10 > 10.254.254.58:443" and not vice versa? I know all about the TCP three-way handshake but I don't understand this log message.

I did a packet-tracer and here is the output (PS: You will probably ask me if I can do a TCP test to 10.254.254.59, but that server is down...)

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.233.63.67 using egress ifc TRANSIT-E

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.233.10.10 using egress ifc INT-PROD

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ACL-INT-PROD in interface INT-PROD
access-list ACL-INT-PROD remark --- Traffic from PROD to GRP-NETAPP-CONTROLLER
access-list ACL-INT-PROD remark - TCP/443, HTTPS
access-list ACL-INT-PROD extended permit tcp object PROD object-group GRP-NETAPP-CONTROLLER eq https
object-group network GRP-NETAPP-CONTROLLER
 network-object host 10.255.254.58
 network-object host 10.255.254.59
 network-object host 10.254.254.58
 network-object host 10.254.254.59
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0x7f90a9cada30, priority=13, domain=permit, deny=false
     hits=344, user_data=0x7f9096d4c6c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
     src ip/id=10.233.10.10, mask=255.255.255.255, port=0, tag=any
     dst ip/id=10.254.254.58, mask=255.255.255.255, port=443, tag=any, dscp=0x0
     input_ifc=INT-PROD, output_ifc=any

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0x7f90a17ec1a0, priority=0, domain=nat-per-session, deny=false
     hits=1260680592, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
     src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
     dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
     input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0x7f90a415bbb0, priority=0, domain=inspect-ip-options, deny=true
     hits=2216536, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
     src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
     dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
     input_ifc=INT-PROD, output_ifc=any

Phase: 6
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map FIREPOWER
 match access-list ACL-FIREPOWER-V2
policy-map global_policy
 class FIREPOWER
  sfr fail-open
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0x7f90aebb3010, priority=71, domain=sfr, deny=false
     hits=1528351, user_data=0x7f90ae264f60, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
     src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
     dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
     input_ifc=INT-PROD, output_ifc=any

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0x7f90a9043430, priority=20, domain=lu, deny=false
     hits=620700, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
     src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
     dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
     input_ifc=INT-PROD, output_ifc=any

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
 in  id=0x7f90a17ec1a0, priority=0, domain=nat-per-session, deny=false
     hits=1260680594, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
     src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
     dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
     input_ifc=any, output_ifc=any

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
 in  id=0x7f90a4d2ac20, priority=0, domain=inspect-ip-options, deny=true
     hits=9315805, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
     src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
     dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
     input_ifc=TRANSIT-E, output_ifc=any

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 824613129, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_sfr
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_sfr
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Result:
input-interface: INT-PROD
input-status: up
input-line-status: up
output-interface: TRANSIT-E
output-status: up
output-line-status: up
Action: allow

I appreciate your help!
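An added example for this thread (my own code, not Cisco's): a small parser that pairs the two ASA syslog lines quoted above by connection id and flags connections that were torn down by a TCP reset before a single byte was carried, which is the signature of the problem described. Two facts from Cisco's syslog message documentation are encoded in it: in the 302014 message, Reset-I means the RST arrived on the inside (higher-security) interface and Reset-O means it arrived on the outside (lower-security) interface; and the 302013 Built message names the lower-security interface first, so the word "outbound" is what tells you the INT-PROD host sent the SYN, not the order of the addresses. The sample log reuses the two posted lines plus one constructed, normally closing connection for contrast.

```python
import re

# Added example: pair ASA 302013 (Built) and 302014 (Teardown) lines by connection
# id and report connections reset before any data. Not Cisco code. SAMPLE_LOG holds
# the two lines from the post plus one constructed, normally closing connection.

BUILT = re.compile(
    r"%ASA-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<ifc1>[^:\s]+):(?P<ip1>[\d.]+)/(?P<port1>\d+) \([\d.]+/\d+\) "
    r"to (?P<ifc2>[^:\s]+):(?P<ip2>[\d.]+)/(?P<port2>\d+) \([\d.]+/\d+\)"
)
TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) "
    r"for (?P<ifc1>[^:\s]+):(?P<ip1>[\d.]+)/(?P<port1>\d+) "
    r"to (?P<ifc2>[^:\s]+):(?P<ip2>[\d.]+)/(?P<port2>\d+) "
    r"duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<bytes>\d+) (?P<reason>.+?)"
    r"(?: from (?P<from_ifc>\S+))?$"
)

# Teardown reasons as documented for the ASA 302014 message.
RESET_MEANING = {
    "TCP Reset-I": "RST received on the inside (higher-security) interface",
    "TCP Reset-O": "RST received on the outside (lower-security) interface",
}

SAMPLE_LOG = """\
Sep 16 2021 08:58:18: %ASA-6-302013: Built outbound TCP connection 824057093 for TRANSIT-E:10.254.254.58/443 (10.254.254.58/443) to INT-PROD:10.233.10.10/52275 (10.233.10.10/52275)
Sep 16 2021 08:58:18: %ASA-6-302014: Teardown TCP connection 824057093 for TRANSIT-E:10.254.254.58/443 to INT-PROD:10.233.10.10/52275 duration 0:00:00 bytes 0 TCP Reset-O from TRANSIT-E
Sep 16 2021 08:59:01: %ASA-6-302013: Built outbound TCP connection 824057200 for TRANSIT-E:10.254.254.60/443 (10.254.254.60/443) to INT-PROD:10.233.10.10/52290 (10.233.10.10/52290)
Sep 16 2021 08:59:04: %ASA-6-302014: Teardown TCP connection 824057200 for TRANSIT-E:10.254.254.60/443 to INT-PROD:10.233.10.10/52290 duration 0:00:03 bytes 5120 TCP FINs from INT-PROD
"""


def parse_connections(log_text):
    """Return {conn_id: record} merging Built and Teardown lines."""
    conns = {}
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            d = m.groupdict()
            side1 = (d["ip1"], int(d["port1"]))  # lower-security interface is printed first
            side2 = (d["ip2"], int(d["port2"]))
            # "outbound" = initiated from the higher-security side, i.e. side2
            initiator, responder = (side2, side1) if d["dir"] == "outbound" else (side1, side2)
            conns[d["id"]] = {"id": d["id"], "direction": d["dir"],
                              "initiator": initiator, "responder": responder,
                              "ifcs": (d["ifc1"], d["ifc2"])}
            continue
        m = TEARDOWN.search(line)
        if m:
            d = m.groupdict()
            rec = conns.setdefault(d["id"], {"id": d["id"]})
            rec.update(duration=d["duration"], bytes=int(d["bytes"]),
                       reason=d["reason"], from_ifc=d["from_ifc"])
    return conns


def reset_before_data(log_text):
    """Connections torn down by a TCP reset with zero bytes transferred."""
    findings = []
    for rec in parse_connections(log_text).values():
        if rec.get("bytes") == 0 and rec.get("reason", "").startswith("TCP Reset"):
            rec["meaning"] = RESET_MEANING.get(rec["reason"], "unknown reset direction")
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for f in reset_before_data(SAMPLE_LOG):
        print(f["id"], f["initiator"], "->", f["responder"], f["reason"], f["meaning"])
```

Run over the posted lines it reports connection 824057093, initiated by 10.233.10.10:52275 towards 10.254.254.58:443, reset from TRANSIT-E with zero bytes: the SYN left ASA-A, and whatever answered on the TRANSIT-E side sent a RST rather than a SYN-ACK, so the next hop to look at is whatever sits between ASA-A's TRANSIT-E interface and the server.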



Accessing Mikrotik via API

I'm trying to pull some info from Mikrotiks with Python but not having much luck. I've tried the following two modules:

https://librouteros.readthedocs.io/en/latest/introduction.html

and

https://github.com/socialwifi/RouterOS-api/blob/master/README.md

The example documentation is very light and I'm having trouble understanding it or getting anything useful from the API. Does anybody have some examples to share that I can use? I only want to pull info from the devices (no changes at all). Below are some of the commands I want to run:

ip address print

int vlan print

int vlan print detail where name="Internet"

Any help with this appreciated.

Thanks
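Both libraries linked above wrap the same thing: the RouterOS API protocol, in which a command is a "sentence" of length-prefixed words (the command path, then optional ?key=value query words) terminated by an empty word, and the router answers with !re sentences (one per row, attributes as =key=value words) followed by !done. The block below is an added example written for this thread, not code from librouteros or RouterOS-api, that encodes and decodes that format and translates the three CLI commands from the post into API words; the mapping of CLI abbreviations, the reply bytes and the addresses are constructed. Knowing the wire format makes the library calls (and their errors) much easier to read, and because only print commands are generated nothing here changes router state.

```python
import shlex
import struct

# Added example, not from librouteros or RouterOS-api: the RouterOS API wire
# format those libraries implement. A sentence is a list of length-prefixed
# words ended by a zero-length word; replies come back as !re / !done / !trap
# sentences. The CLI-to-API translation and the sample reply are constructed.

ABBREV = {"int": "interface"}  # CLI shortcuts that the API path must spell out


def encode_length(n):
    """RouterOS variable-length word-length prefix (1 to 5 bytes)."""
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return struct.pack(">H", n | 0x8000)
    if n < 0x200000:
        return (n | 0xC00000).to_bytes(3, "big")
    if n < 0x10000000:
        return struct.pack(">I", n | 0xE0000000)
    return b"\xF0" + struct.pack(">I", n)


def decode_length(buf, pos):
    """Inverse of encode_length; returns (length, next_pos)."""
    b = buf[pos]
    if b < 0x80:
        return b, pos + 1
    if b < 0xC0:
        return int.from_bytes(buf[pos:pos + 2], "big") & 0x3FFF, pos + 2
    if b < 0xE0:
        return int.from_bytes(buf[pos:pos + 3], "big") & 0x1FFFFF, pos + 3
    if b < 0xF0:
        return int.from_bytes(buf[pos:pos + 4], "big") & 0x0FFFFFFF, pos + 4
    return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5


def encode_sentence(words):
    body = b"".join(encode_length(len(w.encode())) + w.encode() for w in words)
    return body + b"\x00"          # empty word terminates the sentence


def decode_sentences(buf):
    sentences, current, pos = [], [], 0
    while pos < len(buf):
        n, pos = decode_length(buf, pos)
        if n == 0:
            sentences.append(current)
            current = []
        else:
            current.append(buf[pos:pos + n].decode())
            pos += n
    return sentences


def cli_to_api_words(cli):
    """'int vlan print where name="Internet"' -> ['/interface/vlan/print', '?name=Internet']"""
    tokens = shlex.split(cli)
    i = tokens.index("print")
    path = [ABBREV.get(t, t) for t in tokens[:i]]
    words = ["/" + "/".join(path + ["print"])]
    rest = tokens[i + 1:]          # 'detail' is irrelevant: the API returns all properties
    if "where" in rest:
        words += ["?" + cond for cond in rest[rest.index("where") + 1:]]
    return words


def parse_replies(sentences):
    """Turn !re sentences into dicts; stop at !done, raise on !trap."""
    rows = []
    for s in sentences:
        if s[0] == "!re":
            rows.append(dict(w[1:].split("=", 1) for w in s[1:] if w.startswith("=")))
        elif s[0] == "!trap":
            raise RuntimeError(" ".join(s[1:]))
        elif s[0] == "!done":
            break
    return rows


# Constructed reply a router might send to /ip/address/print (not captured from a device)
SAMPLE_REPLY = (
    encode_sentence(["!re", "=.id=*1", "=address=192.0.2.1/24", "=interface=ether1"])
    + encode_sentence(["!re", "=.id=*2", "=address=10.0.0.1/24", "=interface=vlan10"])
    + encode_sentence(["!done"])
)

if __name__ == "__main__":
    print(cli_to_api_words('int vlan print detail where name="Internet"'))
    print(parse_replies(decode_sentences(SAMPLE_REPLY)))
```

Against a real router the bytes from encode_sentence would be written to the API socket (TCP 8728, or 8729 for the TLS variant) after a /login sentence, and the reply buffer fed to decode_sentences; with librouteros the same words are what you pass to the connection object, which is why its documentation looks so thin: the "API" is just these paths and ?query words.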



Freeradius EAP-TLS authorisation with Client Cert without Password

Hello all,

I am currently rebuilding my network structure.

This includes the dynamic assignment of VLANs to the clients.

I would like to realize this without entering a password. For this I want to deploy certificates on all clients, which are used for 802.1x.

Now my question is: what must the user conf on the FreeRADIUS server look like to check the certificate and then allow the client? Or isn't a user conf necessary at all?

Thank you very much.
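As an added, constructed example (not the poster's configuration and not FreeRADIUS' shipped files verbatim), this is the shape of a FreeRADIUS 3.x setup in which EAP-TLS needs no users-file password entries at all: the client is accepted because its certificate chains to the CA named in ca_file, and the VLAN is chosen afterwards in post-auth from the certificate's common name, which FreeRADIUS exposes to unlang as TLS-Client-Cert-Common-Name. The file paths, CN prefixes and VLAN IDs are placeholders to be replaced.

```text
# mods-available/eap (excerpt): server certificate/key plus the CA that signed the client certs
eap {
    default_eap_type = tls
    tls-config tls-common {
        private_key_file  = ${certdir}/server.key
        certificate_file  = ${certdir}/server.pem
        ca_file           = ${cadir}/ca.pem      # client certs must chain to this CA
    }
    tls {
        tls = tls-common
    }
}

# sites-enabled/default (excerpt): VLAN assignment after the certificate has been verified.
# No users-file entry is needed; the CN patterns and VLAN IDs below are placeholders.
post-auth {
    if (&TLS-Client-Cert-Common-Name =~ /^printer-/) {
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "30"
        }
    }
    elsif (&TLS-Client-Cert-Common-Name =~ /^laptop-/) {
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "20"
        }
    }
    else {
        # valid certificate, but no recognised naming pattern: park it in a restricted VLAN
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "99"
        }
    }
}
```

The check that matters for security is the chain to ca_file: any certificate signed by that CA will authenticate, so the CA used for client certificates should be a dedicated one, and revocation (a CRL or OCSP in the tls-config) is what lets you withdraw a lost device's access without reissuing everything.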



Wednesday, September 15, 2021

home hobbyist and need help with UTP->patch panel->FTP

So I'm no tech guru or networking expert by any means. I can plug wires in and that's about it, but over the last several years I've been slowly hard wiring devices for speed/reliability. I did about 3 seconds of research and saw Cat8 was the newest shit and found this cable to be comparable in price to any other product when making small purchases. After years of 6 feet here, 50 feet there, I now have 14 wires running from my switch and I want to hard wire every floor to make my life easier. A friend was able to get me 1000' of Cat6a plenum UTP for cheap and now I want to add a patch panel to my setup. The cable I already have is FTP and I'm seeing that the patch panel makes a difference for my wiring. Since I'm already using FTP with shielded termination I should use a metal patch panel. I'm also seeing the keystone passthrough should also be shielded for this wire. My question is, can I use the Cat6a from my switch to my patch panel and the Cat8 wiring from the back to each device as it is already run, or is that an issue as the Cat6a is unshielded? Also does it really matter for a grounded patch panel?

TLDR: Can Cat6a plenum UTP be connected to a plastic unshielded patch panel with this as the back to each device?



Which 802.1x NAC Solution Do You Prefer?

Our security roadmap has 802.1x port-based authentication on the horizon, and I thought I'd put the question out: What's your current favorite NAC solution?

Currently we run a pair of Microsoft NPS servers for our RADIUS authentication, but I've heard that trying to do port-based authentication with NPS is a massive pain in the arse. I've also heard that Cisco ISE is a monster to try and implement...

So I'm currently looking at Aruba ClearPass, Forescout, and PacketFence (with support); but having no experience with any of these products I'm interested to know what you guys think. Obviously we'll do a proper POC, but I don't want to waste time on a stinker. 😄



Good vendor in the US for outdoor rated bundled Ethernet cable?

Anyone have a recommendation for a vendor in the US that sells bundled cat 5/6/7 Ethernet cables that are also outdoor rated? I've tried searching online around but I'm not coming up with many (or really any) vendors that sell bundled cable in the US. Or maybe it just doesn't exist. I'd be looking for 16 pair cables.



Routing for ExpressRoutes at Different DCs

We have two geo-redundant DCs and we want to connect Azure ExpressRoute to both DCs in an active/passive configuration.

Here's a diagram: https://i.imgur.com/inR5rWr.png

The problem is trying to get FW B to send traffic to FW A to go over the high speed ER circuit via the DC Interconnect instead of via the ER connecting directly to FW B.

If traffic goes over the ER from FW B then the Azure metric will send return traffic to FW A which will create asymmetric routing.

We've tried redistributing the Azure routes from BGP into OSPF at both FWs with a huge metric for the passive ER, but we're not seeing the redistributed routes in OSPF on the local side, only the remote side. So FW B will see the routes FW A redistributed into OSPF but FW A won't be able to see those same routes in its own RIB.

I'm potentially thinking that the best option might instead be try peering both FWs over BGP and then trying to use local preference to prefer the high speed ER, but if we were to do that would it be better to have eBGP running over the existing OSPF between the DCs? Or would it be better to replace OSPF with BGP and put the switches in as iBGP peers with their local firewall?

Has anyone had any experience in this type of cloud connection configuration before?



Networking news sites

What sites do you all follow to stay informed on the latest industry changes, products, and security disclosures?

I routinely check Packet Storm, LXer, ThreatPost, and Ars Technica. What sites am I missing that could help me keep up with changes in the networking industry?

Thanks!



Commercial grade wifi 6 mesh network

I've been using orbi mesh networks in the past with great success. Most recently with their wifi 6 rbs750.

Lately the connection has been dropping multiple times a day and we discovered it's due to too many devices on the network. We have almost 70 active between two APs, and 100+ saved in the admin portal.

I upgraded to the Linksys velop which helped but I'm still getting periodic short drops throughout the day.

What is the next level up to commercial grade wifi 6 that can easily handle my setup?



MTBF on Switches

I found a really nice used Cisco switch that has an MTBF of 140,000 hours listed. How does this compare on average? How bad or good is this?



Is Comcast EDI really anything special?

We are getting Comcast EDI and I'm just trying to wrap my head around it. From my understanding they give you one IP "WAN Block" that is your gateway to Comcast, and then an additional "LAN Block" that's routed over the "WAN Block". You don't even have to use the "LAN Block" if you want to.



Is my NIC Teaming and MPIO working right?

I'm setting up a virtual file server and have iSCSI connected using MPIO and the bandwidth doesn't seem to max out both NICs but allows about 20-40MB/s higher transfer so it is working but I'm not sure why it isn't higher than about 1.2Gbps. It does about 700Mbps on one NIC and 400Mbps on the other. The NAS has an NVMe cache so it should be able to handle 10Gbps easy IMO.

Next I teamed two NICs going to the same switch. That switch is connected via 1Gx4 LAG to our 1x per switch in a 4x core switch stack. If I transfer a file simultaneously from two computers on the core switch, the total throughput is around 800Mbps and bounces all over the place. Maybe if both clients are on the same core switch in the stack it's bottlenecking going over the same 1G LAG line? This is my first time working with teaming or a LAG so I only have basic knowledge. I know teaming doesn't increase P2P bandwidth but allows load balancing and failover. To me load balancing would be 2 clients each getting directed to one of the two connections allowing 1G each more or less.

Is my understanding wrong?

I just want to make sure our virtual windows file server has the same or better performance compared to our current NAS hosted SMB share with 2-NIC teaming.



How to block rogue routers in a private network

I have been forcefully selected to be the internet admin of my dormitory, but now I realize why previous admins hated doing this voluntary service. We had a SonicWall firewall, now Waver and soon Draytek. All of them have one problem: none of them works properly if there is a router in the network. Because of this the internet is very unstable, and I have become the most hated person in the whole dormitory. It is impossible for me to play the KGB and go to each room, 120 in total, and check whether any of the students is using a router or not (I'm not getting paid for this). I have thought about a router-snooping switch. I am not sure, but I assume that DHCP snooping blocks rogue DHCP servers connected to the network, but the routers in the network are connected through their WAN port and are not sharing any DHCP network through the WAN to the outside. Is there any option to block those routers so my DHCP firewall router can work without any disruption? I would be very grateful if anyone could provide me a solution.



Does this exist: Carry analog phone signal between two points over Layer 2

I feel sheepish asking this because there's a simple Layer 1 solution, but trust me, it's complicated.

I have a situation where I need to set up an analog phone in an office where one Cat6A data jack is present. The jack feeds back to my access layer in an IDF, where the building's phone lines reside.

Yes, I know: Add more data runs. That's happening, but this is a construction site with a billion high-pri items on the punch list and I won't get them until after people are occupying the space. (I cannot sub out to another electrician.)

Before I go taking the jack apart to borrow pairs (and undo the contractor's cable certification), I was wondering if there is such a thing as a pair of devices that can connect over layer 2, carry the analog signal over SIP or something and, essentially, present RJ11 on both ends.

A PoE+ desktop switch and SIP phone is also an option, albeit less preferred because reasons.

Please feel free to laugh at my ridiculous predicament and provide any insight you might find helpful.



Server room humidity level

I just finished installing some new equipment to give me more environmental data on our main datacenter/server room. This new model of monitor gives us humidity level from our server room which is surprisingly low - between 22% and 31%. I would not have guessed the humidity to be that low.

One article I read says " Critical alerts should be sent if relative humidity reaches either 30% or 70%. ".

Any thoughts on this? Is there any reason to pursue trying to maintain a higher humidity level?



How to avoid "FIN_WAIT_2:FIN_WAIT_2"

Hi,

After closing an ssh session with "exit" in the command line on the remote host, I still have these "FIN_WAIT_2:FIN_WAIT_2" TCP sessions. Is there any way of getting rid of them?

I monitor the connections of one of my systems and want to switch it off as soon as all connections have been closed.

thx



Is there a way to see what devices discovered your wifi?

Sorry for the poor wording. I'm not well versed in networking but trying to learn more. If your device picks up that a wifi network is nearby, does that activity show up on the router/network?



Unable to get a 100BASE-T SFP in a Cisco 3850 to come up

Hello!

I am unable to get a 100base-t SFP to come up in a 3850 switch.

When inserted I get the error: %PLATFORM_PM-6-MODULE_ERRDISABLE: The inserted SFP module with interface name Gi1/0/4 is not supported

What am I missing?

Thank you for your help!

Details:

- Using a Cisco compatible SFP from FS.com - SFP-FB-GE-T
- I have confirmed that I have run the commands to use a non-Cisco SFP:
  (config)# no errdisable detect cause gbic-invalid
  (config)# service unsupported-transceiver
- sh inv shows we have other 100M SFPs installed, but not a 100BaseT:
  NAME: "Gi1/0/1", DESCR: "10/100/1000BaseTX SFP"
  NAME: "Gi1/0/7", DESCR: "100BaseFX SFP"
  NAME: "Gi1/0/10", DESCR: "100BaseFX SFP"
  NAME: "Gi1/0/13", DESCR: "1000BaseSX SFP"
  NAME: "Gi1/0/16", DESCR: "1000BaseSX SFP"
  NAME: "Gi1/0/19", DESCR: "100BaseFX SFP"
  NAME: "Gi1/0/24", DESCR: "10/100/1000BaseTX SFP"
- IOS 16.09.06 - Port compatibility shows:
  GigabitEthernet1/0/4
  Model: WS-C3850-24S
  Type: unknown
  Speed: 10,100,1000,auto
  Duplex: full,half,auto



Wired 802.1x and MAC authentication

Hello,

Regarding wired authentication:

If a port is configured to perform parallel 802.1x and MAC authentication and the client successfully authenticates via its MAC address should the switch continue to send EAP Request ID packets? I am seeing the switch continuously send these packets to ports that have already successfully authenticated a MAC client.

Here is a snip from the switch debug log:

0000:15:26:57.47 1X m8021xCtrl:Port 45: sent ReqId #1 to 0180c2-000003.

0000:15:27:27.47 1X m8021xCtrl:Port 45: sent ReqId #2 to 0180c2-000003.

0000:15:27:57.47 1X m8021xCtrl:Port 45: sent ReqId #2 to 0180c2-000003.

0000:15:28:27.47 1X m8021xCtrl:Port 45: sent ReqId #3 to 0180c2-000003.

0000:15:28:57.47 1X m8021xCtrl:Port 45: sent ReqId #3 to 0180c2-000003.

I am unsure if this is normal behaviour.

Thank you.



Supernet Calculator

I used to have a bookmark for an amazing web site tool that would take a list of CIDR networks, hundreds or thousands of them, and calculate ALL of the narrowest-possible CIDRs for the entire set.

For example I could put in:

10.10.0.0/24 10.10.1.0/24 10.10.2.0/24 10.10.4.0/24 10.10.5.0/24 

It would output:

10.10.0.0/23 10.10.2.0/24 10.10.4.0/23 

But I can't find this calculator anymore. All the CIDR calculators I can find with a Google search do not do the analysis of the whole range and narrow down excluding the ones NOT specifically needed (in the example above see that 10.10.3.0/24 is excluded, but the tools I've found would not exclude it). Does anyone have this tool bookmarked and can share with me please?



Can I upgrade my backbone from 1 to 10GB by switching out my SFP port adapters?

I'm not an everyday network engineer so please bear with me here. I have several Cisco WS-C2960S-24TS-L that I use with a fiber backbone to connect between our different floors. Can I still use these and swap in a 10GB adapter, or will I need different switches and new cabling? These are currently 7 years old.



BGP neighbor won't establish

Fighting with a nagging issue on a Cisco ISR Edge router that won't establish a BGP neighborship with the ISP.

Previously configured with a static default route, now switching to BGP

Debugs state: Active open failed - No route to peer

show ip bgp summary - shows zero inbound or outbound packets

Routing is working because the internet is up using a static default route. The gateway router on the ISP side is both the Static routing target and the new BGP peer.

At the moment we aren't even advertising any routes, we are just trying to get the neighborship to establish so I can pull a default route from the ISP

Config here has IPs sanitized and working mostly from memory, so I apologize for any syntax mistakes

Previous Network engineer left me with this router having a weird VRF config where there's a unique VRF of this router connected to both the outside and inside interfaces of our Firewall which sits in between. Outside VRF is meant to handle BGP and and an ACL to filter IPs + ports, inside VRF is meant to handle the OSPF instance. And I suspect this config is the root of my problem

Am I right in assuming that the BGP instance on an ISR router has to find the route to the BGP peer from the default VRFs routing table? (Default VRFs routing table is currently blank)

Because the route for the peer is directly connected to Gi 0/0/2 and appears in the EXT VRF routing table.

ip vrf INT
 rd 101:2
ip vrf EXT
 rd 101:1
!
int gi 0/0/0
 des WAN_to_Firewall
 vrf forwarding EXT
 ip address 192.168.0.1 255.255.255.0
 no shut
!
int gi 0/0/1
 desc Internal_LAN_From_Firewall
 vrf forwarding INT
 ip address 192.168.1.1 255.255.255.0
 no shut
!
int gi 0/0/2
 desc external_WAN_to_ISP
 vrf forwarding EXT
 ip address 172.16.1.1 255.255.255.0
 no shut
!
int gi 0/0/1
 desc Internal_LAN_to_core_stack
 vrf forwarding INT
 ip address 192.168.2.1 255.255.255.0
 no shut
!
ip route vrf INT 0.0.0.0 0.0.0.0 192.168.1.2   //Firewall
ip route vrf EXT 0.0.0.0 0.0.0.0 172.16.1.2    //ISP
!
router bgp XXXX
 bgp log-neighbor-changes
 bgp router-id 172.16.1.1
 neighbor 172.16.1.2 remote-as YYYY
 neighbor 172.16.1.2 password NoYoBusiness
 neighbor 172.16.1.2 update-source gi 0/0/2
 address-family ipv4
  bgp damp
  neighbor 172.16.1.2 activate
  neighbor 172.16.1.2 send-community
  neighbor 172.16.1.2 next-hop-self
  neighbor 172.16.1.2 prefix-list ISP-in in
  neighbor 172.16.1.2 route-map ASXXXX-out out
!
ip prefix-list ASXXXX-out permit 172.16.0.0/24
ip prefix-list ISP-in seq 5 deny 0.0.0.0/8 le 32
ip prefix-list ISP-in seq 10 deny 10.0.0.0/8 le 32
ip prefix-list ISP-in seq 15 deny 127.0.0.0/8 le 32
ip prefix-list ISP-in seq 20 deny 169.254.0.0/16 le 32
ip prefix-list ISP-in seq 25 deny 172.16.0.0/12 le 32
ip prefix-list ISP-in seq 30 deny 192.168.0.0/16 le 32
ip prefix-list ISP-in seq 35 deny 224.0.0.0/3 le 32
ip prefix-list ISP-in seq 40 permit 0.0.0.0/0 le 32
!
route-map ASXXXX-out
 match ip address prefix-list ASXXXX-out
 set community YYYY:110


Create Virtual Host - Fex

Hi all,

I have a quick question. I'm looking to do testing to a host sitting behind a FEX (not too familiar with FEXs). Instead of connecting an actual workstation to the FEX in order to get an IP, is there any way I can simulate this by statically assigning a port with an IP on the FEX so it ARPs and is pingable from devices upstream of the FEX (i.e., core FWs/routers)?

Thanks



Why am I unable to verify what Layer of the OSI model TACACS+ runs on?

I'm currently studying for the Network+ exam. I am going through the questions on practice tests and when I find a weak spot, I make a flash card with the information on the topic along with the OSI layer written at the top.

I'm having a little trouble with TACACS+, I believe it would run on the Application layer due to it being a secure alternative for RADIUS but cannot find anywhere to verify my assumption. Am I not understanding how TACACS+ works, how the OSI model works or is this just some weird lack of information on the internet?



PBB-TE?

I’ve spent the past 2-3 days trying to learn what I can about Provider Backbone Bridge Traffic Engineering, my head hurts! I get the concept, customer VLAN encapsulated in provider VLAN. What are the options to encrypt customer traffic within this model?



802.11ac - VHT Theory

Hey there--I'm still learning about wireless and all it entails. Could someone provide some confirmation that I'm on the right track with my line of thinking?

Based off the 802.11ac VHT chart, if I'm using 20MHz channels for 2 spatial stream clients that can do up to MCS 8, then the max data rate they could get is 173Mbps (if SNR & RSSI are met). So an access point with 25 clients working at the same time, they would actually only get about 6-7Mbps (173 divided by 25).

Any clarification or additional detail would be great!
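The arithmetic behind the VHT chart, as an added example written for this thread (built from the 802.11ac PHY parameters, not copied from a vendor chart): the PHY rate is streams x data subcarriers x bits per subcarrier x coding rate, divided by the symbol time (3.6 us with the short guard interval, 4.0 us without). MCS 8 is 256-QAM at rate 3/4, so 2 streams on a 20 MHz channel give 2 x 52 x 8 x 0.75 / 3.6 = 173.3 Mbps, the figure quoted above, and 156 Mbps with the long guard interval. The per-client function only divides that rate equally; it is an upper bound, since MAC overhead, acknowledgements and contention mean real goodput is well below the PHY rate.

```python
# Added example for this thread: VHT (802.11ac) PHY data rate from first
# principles, and an equal airtime split between clients. Constructed from the
# 802.11ac PHY parameters; not a vendor's rate table.

DATA_SUBCARRIERS = {20: 52, 40: 108, 80: 234, 160: 468}   # N_SD per channel width
# MCS index -> (coded bits per subcarrier per stream, coding rate)
VHT_MCS = {0: (1, 1/2), 1: (2, 1/2), 2: (2, 3/4), 3: (4, 1/2), 4: (4, 3/4),
           5: (6, 2/3), 6: (6, 3/4), 7: (6, 5/6), 8: (8, 3/4), 9: (8, 5/6)}


def vht_phy_rate_mbps(mcs, streams, width_mhz, short_gi=True):
    """PHY rate = N_SS * N_SD * N_BPSCS * R / T_SYM (3.6 us with short GI, 4.0 us without)."""
    if mcs not in VHT_MCS:
        raise ValueError("VHT MCS index must be 0-9")
    if width_mhz not in DATA_SUBCARRIERS:
        raise ValueError("channel width must be 20, 40, 80 or 160 MHz")
    if width_mhz == 20 and mcs == 9 and streams % 3:
        # one of the standard's invalid combinations: MCS 9 on 20 MHz needs 3 or 6 streams
        raise ValueError("MCS 9 on a 20 MHz channel is only valid for 3 or 6 spatial streams")
    bits, rate = VHT_MCS[mcs]
    t_sym_us = 3.6 if short_gi else 4.0
    return streams * DATA_SUBCARRIERS[width_mhz] * bits * rate / t_sym_us


def per_client_share_mbps(mcs, streams, width_mhz, clients, short_gi=True):
    """Equal airtime split of the PHY rate; real throughput is lower because of MAC overhead."""
    if clients < 1:
        raise ValueError("need at least one client")
    return vht_phy_rate_mbps(mcs, streams, width_mhz, short_gi) / clients


if __name__ == "__main__":
    print(round(vht_phy_rate_mbps(8, 2, 20), 1))            # 173.3
    print(round(per_client_share_mbps(8, 2, 20, 25), 1))    # 6.9
```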



Blocking magnetic fields

Say I wanted to block (ie., redirect) as many magnetic field frequencies as I could with as little weight as possible. In addition to MuMETAL, what would be good?



Is the QSFP28 real 100Gbps or something like LACP that you can only reach 25Gbps for a single connection?

I asked this question because I always see something like "the 100G QSFP28 DAC internally contains 4 cables which run 25Gbps each", and started thinking: can those 4 cables collaborate and sync at the physical link level so they can reach 100Gbps, or do they just work individually, so that a single-thread connection can only reach 25Gbps?



I am setting up a Linux system. While I am learning, what are some essential UFW rules that I can use to keep my system safe?

I only use web browsers and applications like Inkscape and Blender, so I wish to close all unused ports and connections that are not essential for Ubuntu updates.



connected, no internet

Recently we are running into lots of issues with devices connecting to our EAP-TLS wireless network showing "connected, no internet". The weird thing about it is that if you open a browser you can browse the web fine, and ping 8.8.8.8 as well as the gateway for the VLAN and all core infrastructure. It's causing people to freak out and generate a ton of tickets, but I can't determine the cause because the devices appear to be working fine. No changes to our RADIUS server, wireless infrastructure, or routing. Does anybody know what metrics Microsoft uses to determine network connectivity?



NetBox - Prometheus integration

We have done a few and looking to see if there is any interest. We have done custom exporters that work with NetBox “Role” and tags. This makes Grafana filters match Netbox.



Tuesday, September 14, 2021

Don't Laugh, Serious Question

So here's the deal: I sold a buddy a motherboard of mine (Gigabyte Z390 Aorus Master) who lives in Las Vegas, Nevada (I live in N. CA). I got a 3rd friend that claims that my buddy's IP could be held by the motherboard LAN unless he does an IP release and therefore he can possibly have the same IP address I had (different ISP and state).

I told him the hardware mac address would be the same since that isn't changed but the IP address would change since his ISP would assign a completely different one but he argued the IP address could remain the same unless he did a manual release of the IP. Keep in mind, we're talking strictly about the motherboard w/the built in ethernet here, not an entire PC.

Please give your thoughts, preferably network engineers or IT guys who do this daily.

Thanks



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.



One site can’t use website

Ok, I’ve got a bunch of remote sites tunneled through HQ, going to a database with a web front end. Almost all my remote sites can access the DB fine. I’ve got one site in East Nowhere that can log in, but subsequent calls all time out. (Users report site unusable. I don’t know if they get 404s or it just hangs). Almost no packet loss: 99 out of 100. IP SLA shows 90-100 ms average latency.

How can I diagnose this further? What might I try to fix it?



Aruba port speed

Simple question, I don't have any experience with 10Gb networks.

I am looking to upgrade to an Aruba 8320 Switch, it has 48 ports 1G/10GBASE-T.

I have some old stuff with speed of 100mb, will it connect with 1G/10GBASE-T ports?



Ruckus 7731 Bridge Down

Hi there.

We have a customer that uses Ruckus 7731s for their site-to-site bridge. They claim the bridge is down but the network is up at both sites.

The root bridge shows Network Status Down, the other site shows Network status up.

I've rebooted both 7731's and upgraded firmware, issue persists.

Any advice on where to troubleshoot will be much appreciated :)



Anyone ever been able to use an NTP server as a time source for PTP to make it a GM?

Aside from going down the correct path, which is to sync time via GPS, are there any alternatives where NTP can be used as a time source for PTP?



Switch/AP features?

I am new to a job where I am in charge of replacing roughly 30 aging switches and 50-60 access points. I am looking into vendors, and one of the questions I was asked was "What features do you want?"

The only thing I could come up with was support for MFA and some sort of automation support. I'm sure there are other things I want, I just don't know what they are.

What sort of features should I be looking for on new equipment? At this point, the vendor doesn't really matter.

Thanks



4x10Gb LACP LAG on a Linux box - inconsistent outbound load balancing with payload hashing enabled

Hey all, I have a real head scratcher and need some clue. At this point, I feel like I'm taking-crazy-pills.gif

I'm trying to verify I have as good a load balancing setup as I could given what I have at my disposal. I have all switch-to-host links up in LACP LAG with payload hashing enabled on both the switch and the endpoint hosts, as best as I could verify by RTFMing and lots of google-fu. The configs are relatively straightforward. What I'm focused on is understanding why the Linux host doesn't seem to be spreading the output streams evenly across all 4 of its own links, and how to fix that. AFAICT, whatever is going on is somewhere in my host config (or worse, a kernel bug? a total leap on my part) and not on the switch. Since what I'm observing is traffic originating from the host is at a lower aggregate rate than what I expected, I think my problem is independent from any switch misconfig.

I admit my test bed isn't ultra robust, but here goes. I am using iperf3 to generate traffic hoping to saturate all 4 of the 10Gb links. What I'm seeing is half the bandwidth I'd expect to be able to pump from one of the hosts. It doesn't matter how many parallel iperf3 streams I use, I never can seem to break ~20Gbps total across the 4x10Gb bond. IOW, if I try 4 streams I get about 20Gbps max combined rate, if I try 8 streams I get about the same (with more overhead), and if I go nuts and do 16 streams it's about the same (with even more overhead, to be expected).

What I'm hoping to see is all 4 of my individual links' MRTG graphs to get close to 10Gbps each, and to see the aggregate interfaces reach upward to 40Gbps. What I'm seeing is about half that on each one and I just don't get it.

Here's the basic test scenario:

  • Hosts and switch are air-gapped. There is zero production traffic to contend with my tests.
  • 2 bare metal Linux hosts connected to the switch.
  • Each host has a 4x10Gb LACP LAG from a single Intel x710 NIC, all links up, good light levels, no errors on either end.
  • kernel bonding xmit_hash_policy is set to "layer3+4"
  • kernel version is 5.4.106 (distro is Debian)
  • Sending 8 streams of traffic from client with "iperf3 -c <otherhost> -t 3800 -P 8" and just watching output and traffic stats collect in MRTG over the course of an hour while I do other things.

I'd really appreciate any clue at all on what to try next. I'm pretty lost.

Example output of an iperf3 interval with 8 streams outbound:

- - - - - - - - - - - - - - - - - - - - - - - - -
[  5] 1108.00-1109.00 sec   314 MBytes  2.63 Gbits/sec    0    300 KBytes
[  7] 1108.00-1109.00 sec   313 MBytes  2.62 Gbits/sec    0    331 KBytes
[  9] 1108.00-1109.00 sec   312 MBytes  2.62 Gbits/sec    0    372 KBytes
[ 11] 1108.00-1109.00 sec   312 MBytes  2.62 Gbits/sec    0    443 KBytes
[ 13] 1108.00-1109.00 sec   312 MBytes  2.62 Gbits/sec    0    592 KBytes
[ 15] 1108.00-1109.00 sec   314 MBytes  2.63 Gbits/sec    0   1021 KBytes
[ 17] 1108.00-1109.00 sec   314 MBytes  2.63 Gbits/sec    0    728 KBytes
[ 19] 1108.00-1109.00 sec   312 MBytes  2.62 Gbits/sec    0    296 KBytes
[SUM] 1108.00-1109.00 sec  2.44 GBytes  21.0 Gbits/sec    0

Here's my config with very limited redaction:

# from /etc/network/interfaces
auto bond0
iface bond0 inet manual
    bond-slaves enp95s0f0 enp95s0f1 enp95s0f2 enp95s0f3
    bond-mode 802.3ad
    bond-miimon 100
    bond-downdelay 200
    bond-updelay 200
    bond-lacp-rate 1
    bond-minlinks 1
    bond-xmit-hash-policy layer3+4

auto vmbr1
iface vmbr1 inet manual
    bridge-ports bond0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

auto vmbr1.1000
iface vmbr1.1000 inet static
    address 192.168.255.1
    netmask 24

Bonding driver information

root@metal1:~# cat /proc/net/bonding/bond0
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: IEEE 802.3ad Dynamic link aggregation
Transmit Hash Policy: layer3+4 (1)
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 200
Down Delay (ms): 200
Peer Notification Delay (ms): 0

802.3ad info
LACP rate: fast
Min links: 0
Aggregator selection policy (ad_select): stable
System priority: 65535
System MAC address: 40:a6:b7:4b:72:18
Active Aggregator Info:
        Aggregator ID: 2
        Number of ports: 4
        Actor Key: 15
        Partner Key: 7
        Partner Mac Address: 04:05:06:07:08:06

Slave Interface: enp95s0f0
MII Status: up
Speed: 10000 Mbps
Duplex: full
Link Failure Count: 1
Permanent HW addr: 40:a6:b7:4b:72:18
Slave queue ID: 0
Aggregator ID: 2
Actor Churn State: none
Partner Churn State: none
Actor Churned Count: 0
Partner Churned Count: 0
details actor lacp pdu:
    system priority: 65535
    system mac address: 40:a6:b7:4b:72:18
    port key: 15
    port priority: 255
    port number: 1
    port state: 63
details partner lacp pdu:
    system priority: 127
    system mac address: 04:05:06:07:08:06
    oper key: 7
    port priority: 127
    port number: 3
    port state: 63

Slave Interface: enp95s0f1
MII Status: up
Speed: 10000 Mbps
Duplex: full
Link Failure Count: 1
Permanent HW addr: 40:a6:b7:4b:72:19
Slave queue ID: 0
Aggregator ID: 2
Actor Churn State: none
Partner Churn State: none
Actor Churned Count: 0
Partner Churned Count: 0
details actor lacp pdu:
    system priority: 65535
    system mac address: 40:a6:b7:4b:72:18
    port key: 15
    port priority: 255
    port number: 2
    port state: 63
details partner lacp pdu:
    system priority: 127
    system mac address: 04:05:06:07:08:06
    oper key: 7
    port priority: 127
    port number: 4
    port state: 63

Slave Interface: enp95s0f2
MII Status: up
Speed: 10000 Mbps
Duplex: full
Link Failure Count: 1
Permanent HW addr: 40:a6:b7:4b:72:1a
Slave queue ID: 0
Aggregator ID: 2
Actor Churn State: none
Partner Churn State: none
Actor Churned Count: 1
Partner Churned Count: 1
details actor lacp pdu:
    system priority: 65535
    system mac address: 40:a6:b7:4b:72:18
    port key: 15
    port priority: 255
    port number: 3
    port state: 63
details partner lacp pdu:
    system priority: 127
    system mac address: 04:05:06:07:08:06
    oper key: 7
    port priority: 127
    port number: 3
    port state: 63

Slave Interface: enp95s0f3
MII Status: up
Speed: 10000 Mbps
Duplex: full
Link Failure Count: 1
Permanent HW addr: 40:a6:b7:4b:72:1b
Slave queue ID: 0
Aggregator ID: 2
Actor Churn State: none
Partner Churn State: none
Actor Churned Count: 1
Partner Churned Count: 1
details actor lacp pdu:
    system priority: 65535
    system mac address: 40:a6:b7:4b:72:18
    port key: 15
    port priority: 255
    port number: 4
    port state: 63
details partner lacp pdu:
    system priority: 127
    system mac address: 04:05:06:07:08:06
    oper key: 7
    port priority: 127
    port number: 4
    port state: 63
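As an added illustration (not from the post above, and not kernel source), this Python model applies the layer3+4 transmit hash as documented in the kernel's bonding.rst to constructed iperf3-style flows, to show one mechanism by which a bond can leave links idle: every flow on a link shares that link's 10Gb, so the bond's ceiling is 10Gb times the number of links the hash actually selects. The bond address 192.168.255.1 is taken from the config above; the peer address, the ephemeral ports and the 4-slave count are assumptions, and the model reproduces the documented steps rather than the 5.4 kernel's exact flow-dissector byte order.

```python
# Added example: model of Linux bonding's documented "layer3+4" transmit hash
# (Documentation/networking/bonding.rst) run over constructed iperf3-style flows.
# Not a bit-exact reproduction of the running kernel; the documented steps are:
#   hash = source port, destination port (as in the header)
#   hash = hash XOR source IP XOR destination IP
#   hash = hash XOR (hash RSHIFT 16)
#   hash = hash XOR (hash RSHIFT 8)
# and the result is reduced modulo the slave count.
import ipaddress
from collections import Counter

NUM_SLAVES = 4        # enp95s0f0..enp95s0f3 in the bond0 above
LINK_GBPS = 10        # each slave is a 10Gb link
IPERF3_PORT = 5201    # iperf3's default server port

# A flow is (src_ip, dst_ip, src_port, dst_port); IPv4 only in this model.
Flow = tuple


def layer3_4_hash(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> int:
    """32-bit hash following the documented layer3+4 steps."""
    ports = ((src_port & 0xFFFF) << 16) | (dst_port & 0xFFFF)   # ports as in header
    h = ports ^ int(ipaddress.IPv4Address(src_ip)) ^ int(ipaddress.IPv4Address(dst_ip))
    h &= 0xFFFFFFFF
    h ^= h >> 16
    h ^= h >> 8
    return h & 0xFFFFFFFF


def slave_for(flow: Flow, num_slaves: int = NUM_SLAVES) -> int:
    """Index of the slave link a flow is pinned to (hash modulo slave count)."""
    return layer3_4_hash(*flow) % num_slaves


def make_flows(src_ip: str, dst_ip: str, src_ports, dst_port: int = IPERF3_PORT):
    """Constructed flows: one iperf3 stream per client ephemeral port."""
    return [(src_ip, dst_ip, p, dst_port) for p in src_ports]


def distribute(flows, num_slaves: int = NUM_SLAVES) -> dict:
    """Flows per slave index, including slaves that received none."""
    counts = Counter(slave_for(f, num_slaves) for f in flows)
    return {i: counts.get(i, 0) for i in range(num_slaves)}


def expected_aggregate_gbps(flows, num_slaves: int = NUM_SLAVES,
                            link_gbps: int = LINK_GBPS) -> int:
    """Upper bound on bond throughput: a slave with N flows still caps at link_gbps,
    so the bond can only reach link_gbps times the number of slaves in use."""
    used = sum(1 for n in distribute(flows, num_slaves).values() if n > 0)
    return used * link_gbps


if __name__ == "__main__":
    src, dst = "192.168.255.1", "192.168.255.2"   # bond address from the post; peer assumed
    # Constructed case 1: eight consecutive ephemeral ports land two per slave.
    balanced = make_flows(src, dst, range(40000, 40008))
    print("balanced :", distribute(balanced), "->", expected_aggregate_gbps(balanced), "Gbps max")
    # Constructed case 2: eight ports spaced by 4 all hash to the same slave,
    # so eight parallel streams cannot exceed one link's worth of bandwidth.
    skewed = make_flows(src, dst, range(40000, 40032, 4))
    print("skewed   :", distribute(skewed), "->", expected_aggregate_gbps(skewed), "Gbps max")
```

Feeding the real ephemeral ports from `ss -tn` on the sender into `make_flows` shows whether the documented hash would even select all four slaves for a given iperf3 run, before looking at the switch side.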


Anyone with experience on GPON MXK-19X devices vlan tagging?

These things. MXK-198 GPON OLT

In short, I'm trying to tag a range of vlans for access point ports and uplinks to the core switch. The syntax is very confusing and unlike anything I've seen before. Anyone with experience who could help me feel less stupid?



VOIP Desk Phone Over VPN

I am trying to solve an issue of connecting remote workers to a PBX in a base office. The goal is for remote users to be able to use their desk phones via VPN.

I tried connecting a PC to the VPN and then sharing the Ethernet connection and plugging in the phone to it. Doing this I can access the phone's GUI, by IP address, but cannot get it to connect with the PBX.

We considered giving everyone a VPN router with an IPSEC VPN back to the office, but some users are behind NAT. Is there anything I am missing with sharing the windows connection? Is there any device I can purchase that will connect via L2TP but give me an Ethernet port I can plug into?



Excellent article on building resources in AZURE with TERRAFORM. Includes explanations of the little things as well as commands and scripts



I am looking for a couple of Wap with these requirements.

I am looking for similar functionality to BT routers, this is going in my wisp network.

Product 1/2/3 requirements: WiFi hotspot functionality with seamless roaming between each WAP

Product 1 requirements:
  • Around $50/£45
  • WiFi 4
  • Phone port
  • Maybe some LAN ports
  • Maybe 4G support

Product 2 requirements:
  • Around $100/£90
  • WiFi 5, maybe WiFi 6
  • Phone port
  • Maybe some LAN ports
  • Maybe 4G support

Product 3 requirements:
  • Any price
  • Support for an external antenna
  • 4x4 MIMO
  • WiFi 5 at least
  • Maybe multiple radios

Product 3 if you can't find it not a deal breaker



VeloCloud - Intermittent Voice Issues - CUCM w/ Centralized SIP

Company I'm with has VeloCloud SDWAN implemented via 'Edge' devices at all of our locations. New to the company and new to Velocloud, my experience is as a voice engineer so I really don't know much about the current setup beyond that.

We have two CUCM clusters utilizing multiple cubes for centralized SIP. We are having an issue where numerous sites report intermittent issues such as: Multiple calls ringing in at the same time from the same caller, call comes in, they go to answer and it drops, call comes in they go to answer and get one way audio, etc.

Seems to be limited to inbound from what I've seen, and is intermittent. (of course).

Other voice guy who's been here awhile seems to believe issues started cropping up with the rollout of Velocloud.

Googling the symptoms, they seem to fall in line with what is often reported when SIP ALG is on, though usually with hosted voip solutions - haven't found much in regards to what it would do with an on prem solution.

I looked on the VMware website to try and find anything about SIP ALG or helpers but didn't see much.

I've pulled some calls from RTMT and threw them in translator x, I don't see anything obvious that stands out, but most of my experience has been with H323 GW's using POTS/PRI, am not a SIP expert by any means. Everything I've seen seems fine. Normal call clearing codes - Codec negotiation seems to go fine, not seeing any send only's in SDP's, etc.

Figure it's probably a shot in the dark but has anyone experienced something similar with VeloCloud and CUCM or another on prem solution?

Alternatively, does anyone have advice on where to start looking first?

Any assistance would be greatly appreciated.



Samsung A51/Android 11 EAP-TLS issues (not the widely reported untrusted CA changes)

I’m starting to believe that the EAP-TLS implementation that Samsung are using on Android 11 is fundamentally broken.

Unless I’m missing something here but I’m really struggling to see what.

Currently working through a phone uplift/replace for ~10,000 users and these are the handsets we’re replacing everyone’s phones with, for the last few days however I’ve been tearing my hair out trying to get them to join our corporate wireless network.

I've read the various posts about no longer being able to ignore an untrusted CA (rightly so IMO) but the problem I’m facing very much isn’t that.

I eventually need to be able to hand over the required settings to our server guys so they can provision it in intune however for now I’m testing with a vanilla unenrolled phone.

Our wireless deployment is all Meraki and we’ve been using EAP-TLS with Microsoft NPS RADIUS servers for our laptops with no issues for a number of years now.

So in summary this is the process I’m attempting to get the phone to join:

1) Place the root CA certificate and a PFX of my user certificate on the SD card within the phone

2) From the WiFi settings screen selecting the advanced options and going to “Install network Certificates” from here I’m installing our root ca and a pfx of my user cert

3) Defining a wireless profile with the below

EAP Method: TLS
Identity: CN from user certificate
CA Certificate: selecting the previously installed root
Online certificate status: Don’t Validate (have tried all options available here though)
Domain: <ssid.com> (This is a SAN on the RADIUS server's certificate)
User certificate: <my imported user pfx>

Now this is where it starts to get frustrating, attempting to connect to the ssid results in a message on the phone saying “Incorrect Password”

The logs on the NPS server show “Network Policy Server Granted access to a user”

The event logs within the meraki portal show firstly a “EAP Success” followed immediately by a disassociation event with “unknown reason” in the details tab.

If I run a capture on the AP filtered for this handset and look at it within wireshark the disassociation reason is

“Reason code: Information element in 4-way Handshake different from (Re)Association Request/Probe Response/Beacon frame (0x0011)”

Laptops using the Cisco NAM supplicant have no issues joining this ssid and best I can tell I’ve configured this handset as required with the root certificate import etc.

I have also tried a publicly issued cert for the RADIUS server as well as I saw mention of that but same result.

Has anyone got Android 11 playing nicely with EAP-TLS or any ideas for further debugging/troubleshooting?



VLAN Hopping/ Routing Risk via Management Computer

Hopefully I can check my sanity here:

I have a network with a single Windows-based management PC spanning several VLANs via several adapters, e.g. VLAN10 = NIC1, VLAN20 = NIC2. The 802.1Q VLAN is enforced by a managed switch.

The management PC needs to span several VLANs to share network resources and for network monitoring, reporting and SDN controllers.

All VLANs are non-default and either port PVID'd or tagged via the AP SDN interface, so there's no untagged traffic floating around from hard or WiFi connected devices.

On the PC, file/ printer sharing and network discovery is disabled on all "untrusted" VLANs, ACL rules forbid routing between untrusted IPs and IPs on different/ same VLANs where these are deemed a security risk and port isolation further denies inter-group/ zone routing external to the PC.

Is there a credible threat of VLAN hopping or inter-VLAN routing via the management PC here?

I've put myself into each VLAN and tried to ping, port scan and route to other VLAN devices and all my attempts failed, when I scan with Nessus it also shows up nothing.

This is an SMB network with a single 48 port switch and VLAN unaware router, so not exactly super high threat either in terms of exposure or attractiveness (i.e. I'm not expecting GCHQ/ NSA to come probing).



Quick question about Aruba / Switches

We've just bought a business with HP/Aruba switches, I got the model from the config as follows:

module 1 type j9729a

However when googling there's HP J9729A and Aruba J9729A which have a different design and colour scheme. Are they functionally the same? I see to source a replica to do some lab work before I start messing with their routing protocols.

Need help from someone used to using these, we're a Cisco house so it's all greek to me



pfSense TAC Lite vs pfSense Community Edition

Is there any difference between the two?

Weighing up between whether to get the NETGATE 3100 and the Protectli Vault 6 Port

Can't find much on Google searching x vs x

Thanks in advance :)



Best updated intro resource to learn the basics of networking

What's the best intro book or site to learn the basics of networking and the internet from scratch? New, updated on new and current tech, and short for all the very basics.

Some of these are probably basic, and some of these are probably more advanced than the very basics: https://www.reddit.com/r/networking/comments/pn23p5/what_do_you_consider_to_be_the_fundamentals_of_a/

What's the best updated intro resource to learn the very basics of networking and the internet? Goal is simply to learn the very basics.



AlwaysOn VPN ikev2 slow and bandwidth varies a lot

RAS Server: Windows Server 2022 Core

NPS: Windows Server 2012 R2 (also a DC)

Router: Lancom 7100+ VPN

I basically followed this Guide and the User Tunnel works fine, it connects automatically and we can reach the internal network via rdp, ssh, smb and so on.

We have two issues:

  1. The bandwidth fluctuates between 3,47 and 41,7 Mbit/s with a mean of 17,6 Mbit/s measured by iperf
  2. SMB is slow - it could be the sporadic drop in throughput or the increased latency

The VPN is usable as in we can reach the device to administer it, but it's not good enough for our remote workers. Does anybody know if I can performance tune anything?

As a comparison my L2TP VPN (Certificate Authentication with the same NPS) has a pretty stable throughput of 63,5 Mbit/s.

If any additional information is needed just ask and I will provide it.



HP models == Aruba models?

We've just bought a business with HP/Aruba switches, I got the model from the config as follows:

module 1 type j9729a

However when googling there's HP J9729A and Aruba J9729A which have a different design and colour scheme. Are they functionally the same? I see to source a replica to do some lab work before I start messing with their routing protocols.



Monday, September 13, 2021

8/12/16 port PoE switches

For years I have been buying Cisco 3560CX 8 and 12 port PoE switches for various deployments, mostly for security cameras. These switches are soon to be end of sale and currently on a 100 day lead time. What alternatives are there for low port count basic access PoE switches? Unfortunately the Cisco 1000 series aren’t available in Australia or they would be a good choice. Happy to look at other vendors too.



What’s the most number of hosts you’d feel comfortable on the same broadcast domain?

What’s the largest number of hosts you’d set up on a network before being worried about broadcast storms, etc.

I have a client wanting to connect 2190 devices to 45 or so dumb TP-Link 48 port switches. Those dumb switches will be uplinked to a layer 3 building core switch that is then connected to other buildings and to each dumb switch. Between all buildings will be approx. 26,000 devices. PfSense routers in each building.

Am I incorrect in saying that even 2190 devices is too many hosts on a single broadcast domain and they absolutely have to introduce layer 3 switching for all devices of any kind? Needing some validation and thinking this through.



Determine Networking Requirements

Hey there,

I want to learn more about networking. I have been looking into upgrading the networking infrastructure and internet at my premises in Australia. I want to bring more devices into my premises including security cameras and some handheld devices and I feel my current network infrastructure won't be able to handle these extra devices when they are put in place.

If anyone has any awesome resources or best place to learn about this that would be greatly appreciated.



Best bookbag?

Looking for suggestions on a good bag to hold my tools. I've used two in the past and details on them are below. My needs are for tool storage and a laptop compartment of some kind fitting a 13" MBP.

Current is the Klein Tech Backpack but it's a bit heavy as an empty bag and the strap finally gave way on it after 6 years. I like it because it stays upright and has a laptop compartment. Before that I used the CLC Custom Leathercraft bag which held up great and was super lightweight but was cumbersome because it would not stay upright and it didn't have a dedicated laptop compartment. It did have a ton of tool storage options, though.

Any thoughts or recommendations?



How to handle Verifone security compliance issues.

Hello, I do tech work for an autobody garage. Recently they purchased a Verifone device to handle payments. The Verifone company came back with some security compliance issues all to do with the IP camera system that they have implemented into their network.

The main ports that came up as the issue were 8000, 554, and 80. If I disable all these ports the camera system would not function, and my boss would be unable to access it remotely from his phone.

The entire network is on 192.168.1.0. Can I deal with this by separating the Verifone on its own network, since all it needs is to communicate with the internet? Or would it be better to separate the camera system, though the issue with this is he accesses the camera system directly through its IP on one of the workstations in the garage, how could I keep that working if it's separated on a different network?

Any insight would be greatly appreciated. Thank you!



Nexus HSRP into Firewall

We have a pair of Nexus switches that will be configured for HSRP as they’re functioning as L3 switches for our inner network routing between subnets and we want to have redundancy for our local site. The question I have is that we have one Palo Alto firewall and I’m not sure how I should connect the two uplinks into the firewall whether they should be L2 connections into the firewall as a port channel to a vPC on the pair of Nexuses or if there’s a way to configure routing between them to the firewall.



VXLAN deployment question

Good afternoon all, any insight on this would be greatly appreciated. I am currently working as an intern, as I retire from Active Duty military, with a local internet transport service provider as they try to transition from a WISP to a FTTH provider. The owner, when I came on board, is looking to use VXLAN to extend layer 2 to customer PONs from the BNG. With that said, I have run laps of the internet looking for documentation of scenarios where this might work. All examples I find are limited to data center employment between VMs and a server. I am coming up empty.

Scenario is as follows:

Ring network with Fiberstore NS8650-32 acting as spine, distro switches in each area to represent cities would be Fiberstore NS5860-48SC forming another ring infrastructure with 2 gateway switches per city area on backbone. NS5860s would feed Ubiquiti Ufiber OLTs further broken out to Ubiquiti ONUs to which subscribers would connect their home routers.

The desired outcome is for vxlans to separate different Internet service providers in each city. These VXLANs would terminate at a distro switch that supports VXLANs. In theory they would be mapped to a VLAN uplinked from user access switches. Is VXLAN the right answer? Has anyone seen it used in this fashion to connect a subscriber to transport up to a BNG and not in a data center or VM environment?

Thanks in advance for any insight anyone can provide.



How to monitor NVR traffic

Howdy!

I have a new IP camera NVR. I'd like to monitor when it is streaming video, how many streams and when a new device connects to it. I have a Sonicwall TZ300 as my router.

I've tried looking at netflows and third party tools but so far I'm sorta spinning my wheels.

Any advice or ideas?



Transfer from the MSP Enterprise to ISP

Hello all, currently I work for an MSP and enjoy my job other than what I get paid. I was offered a job for an ISP with a 35% pay increase, relocation is required to a city with a cost of living 10% higher. I am okay with the relocation and I believe my employer would try to keep me as I average 170% above our required revenue goals. My question is should I be concerned that it's a contract to hire, I would start remote and then move once they finalize my full-time position. Long-term wise is it better for my career to stay in the Enterprise environment? What career will lead to more opportunities? Your feedback is greatly appreciated, thank you.



BGP advertise RFC1918 and default, set prepend

I spend most of my time in LAN and WLAN so I'm a little shaky on BGP and am looking for suggestions. I'm on a Cisco ASR.

The goal is to advertise RFC1918 space and a default route to iBGP neighbors. (We use a peer group.) I also need to prepend the AS. I believe it should work if I create null routes to 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/24 then advertise those with a network statement, but is there something more elegant that won't rely on the null routes?

What are some thoughts on building route maps using prefix lists vs ACLs? And if I'm going to refer to a prefix list/ACL and set as-path prepend in a route map, can I do it on the same sequence or do I need multiple? For example, now I have:

route-map BGP-OUT permit 10
 match ip address prefix-list DEFAULT_RT
 match ip address prefix-list RFC1918
 set as-path prepend 65500 65500

Can I do that or do I need to separate those steps?



Conference phone issues Cisco 2960X

Anyone ever have weird connectivity issues when plugging a Polycom Soundpoint IP 6000 conference phone into a 2960X switch? These phones seem to not register with the VOIP provider when plugged into these switches but the normal non conference Polycom phones work just fine and register with no issues.



monitor bandwidth utilization using Cisco Firewall Power ASA

How do I check what is consuming a lot of bandwidth on the Cisco Firepower firewall?



Changing print driver on client causes all computers in company to require printer driver update?

So I'm at this new place and I changed the driver for a printer on my Win 10 machine. After doing this, it then caused all these other computers on our network to want a printer driver update - and they weren't even the same printer! They were both Canon printers.

So the guy before me has the print server on a server 2008 machine, I think.

I didn't think this would happen unless I messed with the driver on the actual server, not on my own client machine.

Is this a settings issue?