Saturday, November 11, 2017

I want to set up a Brocade ICX 7750 as a core and join it to my existing Cisco 4510 cores. The 4510 cores are set up for OSPF.

To join the ICX 7750 to the existing ospf network that just has 1 area, is it going to be as easy as running the commands found in this link? http://ift.tt/2zOTmHa

device(config)# router ospf

device(config-ospf-router)# neighbor 10.1.20.1 (IP address of an OSPF neighbor)

Or am I missing something?

Thanks in advance for any advice.



Help! Edgerouter X Vlan

Complete networking newbie here. I have an EdgeRouter X. Basically, on eth0 I've got my WAN connection, and on eth1 I'm trying to set up a single VLAN, say 10. I created a new VLAN interface and set the IP to 192.168.10.1/24. I've set a static IP within the range on my test workstation, which is directly connected to the router, but when I attempt to ping the gateway (10.1) I get nothing.

Why is this?



SNMP Switch Port Mapper?

I've been using Switch Miner to quickly poll our Cisco switches via snmp but I was wondering if you folks had something else that would let me also poll our Dell/other switches?



Random switch question?

We are replacing a switch with a newer model and moving a few people to another building. One of the network admins configured the switch for us.

The new building already has fiber run to it and I've patched the fiber for the new switch. My question is how do I determine which port on the core switch the new switch is supposed to be connected to? I have the switch configs in a text file but have no idea what to look for. The network admin told me the trunk port info should be on the config text but it shows as port 15. That's ethernet and the new switch is using fiber. The old switch was trunked to the core switch with CAT5 cable. The new switch is running from fiber to the core switch if that makes any sense?



Favorite stories of problems that "automagically" got solved?

I'd love to hear if you have experience with, or have heard of, cases where a strange networking problem somehow got fixed without any apparent explanation of what solved it.



Change default VLAN interface on HP 1920 Switch

Hey all,

I've got an HP 1920 switch set up. I've got my default VLAN interface on ID 1 and a second VLAN interface on ID 100. I want to set up the ID 100 VLAN as the default, but I can't seem to find a way to do it through either the web interface or the CLI.

I've entered the expanded cmd options through "_cmdinline-mode on" but none of the options allow me to set the default VLAN.

Also, through Google I found this doc "http://ift.tt/2i6NVZG" which says there is an option to change the default VLAN ID from the global config level. But I'm not sure if the doc is even for the correct switch, and I'm not sure how to enter the config options since the "config" command does nothing:

"default-vlan-id

When you enable port-based VLAN operation, all ports are assigned to VLAN 1 by default. As you create additional VLANs and assign ports to them, the ports are removed from the default VLAN. All ports that you do not assign to other VLANs remain members of default VLAN 1. This behavior ensures that all ports are always members of at least one VLAN. You can change the VLAN ID for the default VLAN by entering the following command at the global CONFIG level of the CLI:

HP9300(config-vlan-2)# default-vlan-id 4095

You must specify a valid VLAN ID that is not already in use. For example, if you have already defined VLAN 10, do not try to use "10" as the new VLAN ID for the default VLAN. Valid VLAN IDs are numbers from 1 – 4095"

Anybody got any ideas?

Thanks



Tit for Tat strategy - how exactly does it work?

Hey! I am studying networking and I am trying to understand exactly what's going on in the Tit for Tat strategy applied in P2P file sharing. The professor's explanation is not a good one, but quite the opposite. And Google doesn't seem to help either. I've been unable to find a good explanation and would really appreciate it if some of you guys would explain it to me, but not like I'm five :D Thanks!
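
As an added illustration (this is not from the post or its replies), here is a small simulation of the BitTorrent-style tit-for-tat choking algorithm: each round a peer unchokes the few peers that have recently uploaded the most to it, plus one "optimistic" peer picked at random so a newcomer with nothing to offer yet can get started. The slot counts and the 10 s / 30 s round timings follow the classic BitTorrent description; the peer names, capacities and the reciprocation rule are constructed for the example.

```python
"""Added example (not part of the original post): a small simulation of the
BitTorrent-style tit-for-tat choking algorithm.  The slot counts and the
10 s / 30 s round timings follow the classic BitTorrent description; the
peer names and upload capacities are constructed for illustration."""
import random
from dataclasses import dataclass

REGULAR_SLOTS = 3      # peers we unchoke because they upload the most to us
OPTIMISTIC_EVERY = 3   # rotate the optimistic unchoke every 3 rounds (30 s at one round per 10 s)


@dataclass
class Peer:
    name: str
    capacity: float          # bytes/s this peer uploads to us while it is reciprocating
    cooperates: bool = True  # False = free-rider: downloads from us but never uploads
    rate_to_me: float = 0.0  # download rate we measured from this peer in the last round


def choose_unchoked(peers, optimistic, regular_slots=REGULAR_SLOTS):
    """Tit-for-tat decision: reciprocate to the peers that gave us the most data.
    The optimistic peer is unchoked regardless of its rate so a newcomer that
    has nothing to offer yet still gets a chance to start trading."""
    ranked = sorted(peers, key=lambda p: p.rate_to_me, reverse=True)
    unchoked = [p.name for p in ranked[:regular_slots]]
    if optimistic is not None and optimistic not in unchoked:
        unchoked.append(optimistic)
    return unchoked


def simulate(peers, rounds, rng=random):
    """Run `rounds` choking rounds and return how many rounds each peer was unchoked.
    Peers reciprocate: a cooperating peer uploads to us in round r only if we
    unchoked it in round r-1, which is the feedback loop tit-for-tat relies on."""
    history = {p.name: 0 for p in peers}
    unchoked, optimistic = [], None
    for r in range(rounds):
        # 1. measure what each peer sent us since the last decision
        for p in peers:
            p.rate_to_me = p.capacity if (p.cooperates and p.name in unchoked) else 0.0
        # 2. periodically pick a new optimistic unchoke among the currently choked peers
        if r % OPTIMISTIC_EVERY == 0:
            choked = [p.name for p in peers if p.name not in unchoked]
            optimistic = rng.choice(choked) if choked else None
        # 3. decide who we serve this round
        unchoked = choose_unchoked(peers, optimistic)
        for name in unchoked:
            history[name] += 1
    return history


if __name__ == "__main__":
    swarm = [Peer("A", 100), Peer("B", 90), Peer("C", 80),
             Peer("D", 200),                  # fast newcomer: only gets in via an optimistic unchoke
             Peer("F", 0, cooperates=False)]  # free-rider: only ever sees optimistic unchokes
    print(simulate(swarm, rounds=21, rng=random.Random(1)))
```

Running it shows the two behaviours the strategy is designed for: the fast newcomer D is choked until an optimistic unchoke lets it reciprocate, after which its high rate keeps it in the regular slots, while the free-rider F is served only during its occasional optimistic turns.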



Question about VLANS and VMware

So I've got an EdgeRouter X, a TP-Link smart switch, and 1 ESXi host with 6 NICs. I'm playing around with VLANs on the VMware side.

Example: I set a VLAN ID of 5 on a port group. The VMs can all still communicate with each other, great. None of the VMs can access the Internet, I'm guessing because they can't reach the gateway, even though I set one for the VLAN on the router. Nothing is configured on the switch side as far as VLANs go.

Any suggestions?



What program do you guys/girls use for remote access?

Currently we use mRemote. What do you use at the office? I hate that the HTTPS isn't working currently. I'd like to find something like it that can also handle VNC.

Edit: I'm looking for one piece of software to handle all of my connections i.e. ssh, https, vnc, rdp.



Wifi only works over Hotspot

Hi guys, so I moved into a new apartment and the wifi on my Samsung galaxy s7 edge connects to wifi but says "internet may not be available" and I can't browse anything etc. Basically wifi with exclamation mark thing.

However all the other non Samsung devices including laptops, tablets and phones work quite well. Now if I create a Hotspot on one of these laptops then my Galaxy would connect to it and my internet would work perfectly.

Unfortunately I don't have access to the router since the landlady is quite old and she doesn't want me tinkering with it. But I really want to have this problem fixed. So far I tried assigning static configuration with 8.8.8.8 DNS but same results as before.



How to use USB Drive as NAS on Router?

I am in the market for a new modem/router combo. The current one I have is a DOCSIS 3.0 combo router modem for Frontier (formerly Time Warner). Since I am going to upgrade my laptop real soon, I know that computer will have AC wifi.

So I'm looking for a new combo device that not only does AC, but also has a USB port, not for charging a device but for use as a NAS. I want to use a USB drive. Google searches haven't turned up a product that fits my needs. Is what I am looking for real?



Friday, November 10, 2017

Testing Azure Cloud Service Latency In A Congested Network

Full disclosure, I have never worked directly with Azure, so forgive me if I say something silly.

I'm a network administrator for a pharmaceutical dispense automation company, and my company is getting into Azure app hosting for some of its mobile apps.

My director asked me to run latency tests to our Azure hosts at one of our beta sites to see how latency from the site to the regional Azure cluster would be during peak pharmacy hours. The client reaching out to Azure through the pharmacy's internet connection is a Windows Server 2008 box. He ideally wants a few days of data of traffic latency and then wants it organized into a report.

I am kind of at a loss on how to attack this. ICMP is blocked on Azure servers and ping looping services we normally use for testing latency would not even reflect a production environment, as we connect to Azure's cluster through TCP connections sent to the public IPs of cached domain names. I've thought about PsTools, but I'd like this test to run as a service in the background, generate a log file, and not require much oversight. (Demanding, right?)

Does anyone have any ideas? Thanks for reading!
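
As an added example (not from the post or any reply), the script below times the TCP three-way handshake to a service port instead of relying on ICMP, resolves the name every round so the log records the address the client actually used, and appends one CSV row per target per round. The hostname and port in the usage line are placeholders, not real Azure endpoints; the CSV layout is an assumption for the report.

```python
"""Added example, not from the original post: a minimal TCP-connect latency
probe.  It avoids ICMP and times the TCP three-way handshake to the service
port, resolving the name every round so the log records the address the
client actually used.  Hostnames and ports below are placeholders."""
import csv
import socket
import time
from datetime import datetime, timezone


def tcp_connect_ms(host, port, timeout=3.0):
    """Time connect() to host:port (SYN -> SYN/ACK -> ACK). Returns milliseconds,
    or None if the connection failed (refused, timed out, unresolvable)."""
    start = time.perf_counter()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return (time.perf_counter() - start) * 1000.0
    except OSError:
        return None


def probe_once(targets, timeout=3.0):
    """One measurement round over all (host, port) pairs; returns one dict per target."""
    rows = []
    for host, port in targets:
        ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
        try:
            addr = socket.gethostbyname(host)   # record what the name resolved to this round
        except OSError:
            addr = ""
        ms = tcp_connect_ms(host, port, timeout)
        rows.append({"timestamp": ts, "host": host, "ip": addr, "port": port,
                     "latency_ms": round(ms, 2) if ms is not None else "",
                     "ok": ms is not None})
    return rows


FIELDS = ["timestamp", "host", "ip", "port", "latency_ms", "ok"]


def run(targets, interval_s, rounds, logfile, timeout=3.0):
    """Append results to a CSV every `interval_s` seconds; rounds=None runs until killed.
    Returns the number of rounds completed."""
    done = 0
    with open(logfile, "a", newline="") as f:
        writer = csv.DictWriter(f, fieldnames=FIELDS)
        if f.tell() == 0:
            writer.writeheader()
        while rounds is None or done < rounds:
            for row in probe_once(targets, timeout):
                writer.writerow(row)
            f.flush()                      # so a tail -f or a scheduled report sees rows promptly
            done += 1
            if rounds is None or done < rounds:
                time.sleep(interval_s)
    return done


if __name__ == "__main__":
    # placeholder target; substitute the app's real hostname and port
    run([("app.example.com", 443)], interval_s=60, rounds=None, logfile="latency.csv")
```

Because it only needs connect() to succeed, it works against any TCP listener the firewall already allows, and the handshake time is a close proxy for the network round trip the real client pays on every new connection. Run it from the same box the client runs on so it shares that box's DNS and path.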



Sophos XG 17- How do I debug and add bypass rules for when https is enabled?

When I enable HTTPS scanning on XG 17, several apps on my iPad / iphone stop working...

  • App Store

  • Reddit

  • Facebook Marketplace

  • Ebay

I have the certificate installed from the router.

I've also tried looking in the firewall logs, and can't see anything being blocked (in fact, I can't see most of the traffic even though I'm logging it).

I've tried guessing at what some of the domains are to create bypass rules, but I can't seem to find any blocked items in the logs to create exclusions from.

What's the best way to find what domains or IPs are being blocked to create web exceptions?

For example, I tried adding ones for apple.com and iTunes.com to try to get to apple store but it wasn't enough...

Any pointers would be amazing!



One voice VLAN for campus?

Our phone vendor is suggesting that we transition to a single voice VLAN for the campus. "Campus" means two buildings, connected underground. All devices connect to one of five Cisco 3750 switch stacks, and all stacks are connected via 10 Gb fiber with L2 and L3 on most of the links (one link is L3 only, but we can reconfigure it). Do you think it's ok to trunk a single VLAN throughout to serve all voice? Total number of phones is 100 now, going to 150 when we remove the digital devices and move to all IP.



KVM for Remote Office

We are setting up the network for a remote office and I need an IP-based KVM, ideally one that can connect to the servers and also console in to the network devices via serial.

The Vertiv Avocent AV3108-001 claims to be able to do just that, but I can't find documentation showing how it does it, or verify that it even works. Any advice?



VLANS help?

Hi, I was wondering if someone could assist me in wrapping my head around what I'm trying to do. Not sure if I'm complicating it more than it is.

We currently have a RUGGEDCOM RSG2300 switch which is connected to a Pure Flex System 8721HC1 chassis with 3 nodes. Within the Flex system there's an IBM Flex System EN2092 1Gb Ethernet Scalable Switch. The idea is to create another VLAN. Our main LAN is 10.50.0.0/23; we want to create a VLAN for all PLCs and industrial machinery with the range 10.10.10.0/24 and be able to ping 10.50.0.0/23. I was testing with a PC using a static IP; I gave the PC 10.10.10.8/24. That PC is connected to the RuggedCom on port 25, VLAN 50 untagged. On the RuggedCom a cable connects from port 31, VLAN 50 tagged, to port 05 of the PureFlex switch. My question is: do I need to tag or untag? I also see an option for PVID; not sure if it's needed? See picture.

Thank you http://ift.tt/2AAvNz7
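
As an added example (not from the post), here is a small model of how an 802.1Q bridge port treats frames: a frame that arrives without a tag is classified into the port's PVID, a frame that arrives tagged keeps the VLAN from its tag, and on the way out the frame is sent untagged, tagged, or not at all depending on the port's membership for that VLAN. The port definitions mirror the post's setup (port 25 untagged in VLAN 50, port 31 tagged in VLAN 50) but are constructed for illustration, and the "ingress filtering enabled" behaviour (dropping a tagged frame for a VLAN the port is not a member of) is an assumption about the switch.

```python
"""Added example (not from the original post): how 802.1Q access/trunk ports
classify frames on ingress and tag/untag them on egress.  Port names and
VLAN memberships are constructed to mirror the post; ingress filtering
(drop tagged frames for non-member VLANs) is assumed to be enabled."""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    pvid: int                                    # VLAN given to frames that arrive without a tag
    untagged: set = field(default_factory=set)   # VLANs this port sends out without a tag
    tagged: set = field(default_factory=set)     # VLANs this port sends out with an 802.1Q tag

    def member_of(self, vid):
        return vid in self.untagged or vid in self.tagged


def ingress(port, frame):
    """Classify an arriving frame.  frame['vid'] is None for an untagged frame.
    Returns the VLAN the frame now belongs to, or None if it is dropped."""
    vid = frame.get("vid")
    if vid is None:
        vid = port.pvid                 # untagged frame: PVID decides the VLAN
    if not port.member_of(vid):
        return None                     # ingress filtering: not a member of that VLAN
    return vid


def egress(port, vid):
    """How a frame in VLAN `vid` leaves `port`: 'untagged', 'tagged', or None (not forwarded)."""
    if vid in port.untagged:
        return "untagged"
    if vid in port.tagged:
        return "tagged"
    return None


def forward(switch_ports, in_port, frame):
    """Flood a frame to every other member port of its VLAN.
    Returns {port_name: {'vid': ..., 'tagged': bool}} for the ports that send it."""
    vid = ingress(in_port, frame)
    if vid is None:
        return {}
    out = {}
    for p in switch_ports:
        if p is in_port:
            continue
        mode = egress(p, vid)
        if mode:
            out[p.name] = {"vid": vid, "tagged": mode == "tagged"}
    return out


# Constructed ports mirroring the post: PC on port 25 (untagged VLAN 50),
# uplink port 31 (tagged VLAN 50) towards the Flex chassis switch, and an
# unrelated port in the default VLAN.
RUGGEDCOM = [
    Port("port25", pvid=50, untagged={50}),
    Port("port31", pvid=1, untagged={1}, tagged={50}),
    Port("port01", pvid=1, untagged={1}),
]
```

The worked case: the PC's untagged frame enters port 25, becomes VLAN 50 via the PVID, and leaves port 31 with a tag of 50. On the far end, port 05 only accepts that frame if it is also a tagged member of VLAN 50; if port 05 were left in its default VLAN, a tagged-50 frame is dropped, and if port 31 were instead untagged in 50, the frame would arrive untagged and be put into port 05's PVID, which is the wrong VLAN.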



SMB v2 settings

I'm trying to use the Android app AndSMB to connect to my Windows 10 computer. If I choose to use v1, I connect just fine with the username/password. If I try to use v2, it adds a field called "share", which is a required field. I tried putting in the username and connecting, but authentication fails. What the heck am I supposed to put in this cryptic "share" field?



What is your best "Your switch is where?" story?

Switch, router, server, whatever you want...

So I was just thinking about one of my clients who had turned a janitor's closet to a bathroom and an IDF. You could literally be sitting on the can and look to your right and see a rack of cleaning products, and look up and to the left and see an 8RU wall mount rack with nothing physically secure. The entire room couldn't have been more than 50 sqft. I am sure that pales in comparison to what some of you have seen. Let's hear it!



Question about DHCP and exclusion ranges

Let's say my DHCP pool is 192.168.0.10 - 192.168.0.20. Let's then say that I put a laptop on the network and it grabs 192.168.0.10 from that pool. Finally, let's say that I then create an exclusion range of 192.168.0.10 - 192.168.0.15.

Will this change have any immediate, detrimental effect on that laptop's network access? Or will it carry on regardless with its .10 address and then, when its lease expires, seamlessly get assigned an address from the now smaller pool of 192.168.0.16 - 192.168.0.20?

My google-fu is entirely failing to find an answer to this one, so I'm hoping someone here can chime in. Thanks in advance!



BFD on ISR4k Question

I don't seem to be able to enable BFD on interfaces on my ISR4331s. I checked the Feature Navigator for Universal K9 and BFD is supported.

Feature Nav Screenshot

This is the image on the router (I know it's a little old, sue me)

isr4300-universalk9.03.13.04.S.154-3.S4-ext.SPA.bin

This is what I get when I try

RTR-1234(config)#int g0/0/1
RTR-1234(config-if)#bfd ?
% Unrecognized command


What is something you wish you had to improve your job?

I got approved to buy some new toys/software at my company. So, I'm looking for something that you, as a network administrator/Engineer, can't live without or wish you had. I'm really looking for something to help manage my network or make my job easier. So, really any suggestions!

Currently in an all Cisco shop. I use Solarwinds, infoblox, and Prime daily.

Sorry for my horrible grammar!



What is the smallest networking closet you have used that didn't make you hate your life every time you had to do things inside?

They are going to be making some physical changes to some of the floors of the building and I have a chance to ask for some space for my use, but space is so tight that I have to request the absolute minimum space to have any hope of getting anything.

I want my closet to have punch down blocks for networking and telephony, and a rack to hold patch panel, switch, and a few other rack-mount items, with room for the conduit to pass wires into the ceiling and to the other floors.

According to the professionals I should have a minimum of 5' x 10' with double doors opening into the hallway, but that is probably asking too much.

What is the smallest closet you have used that didn't make you hate your life every time you had to do anything inside?



TCP Buffer & Segmentation Question

My friend told me that when I send data, TCP buffers them first (TX buffer size is 64kB), segments according to MSS, encapsulates, and forwards to L3. Then I started to wonder what would happen in L4 if I need to send exactly 64kB of data. My assumption is that TCP first buffers 64kB of data -> TX 64kB buffer is full -> L4 segments and encapsulates -> 64kB buffer will overflow because of TCP header size :(

If you know what actually happens in TCP Buffer and L4 when A sends exactly 64kB to B please let me know. Let's assume that rwnd and cwnd are both 64kB.
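
As an added illustration (not from the post or any reply), the code below walks a 64 KiB send buffer through MSS segmentation, building a 20-byte TCP header for each segment at encapsulation time, and then counts how many of those segments the window allows in flight before the first ACK. The port numbers, the 1460-byte MSS and the 64 KiB = 65536-byte payload are constructed assumptions; the header layout follows RFC 793 with no options and the checksum left at zero.

```python
"""Added example (not from the original post): MSS segmentation of a 64 KiB
send buffer, with one TCP header built per segment at encapsulation time.
Ports, MSS and payload size are constructed; the header is RFC 793 without
options and with the checksum left at 0, since the point is the framing."""
import struct

TCP_HDR = 20   # bytes, no options
IP_HDR = 20    # bytes, no options


def tcp_header(src_port, dst_port, seq, ack, flags, window):
    """Minimal RFC 793 TCP header.  Data offset is the header length in 32-bit
    words, carried in the top 4 bits of the 16-bit offset/flags field."""
    data_offset = (TCP_HDR // 4) << 12
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq & 0xFFFFFFFF, ack,
                       data_offset | flags, window, 0, 0)


def segment(payload, mss, isn=0, window=65535, src_port=40000, dst_port=80):
    """Walk the send buffer in MSS-sized chunks, building one header per chunk.
    Returns a list of (seq, header_bytes, data_bytes).  Only payload bytes
    consume sequence space; header bytes are created here, not stored in the buffer."""
    segs, seq = [], isn
    for off in range(0, len(payload), mss):
        chunk = payload[off:off + mss]
        flags = 0x10                       # ACK is set on every segment of an established connection
        if off + mss >= len(payload):
            flags |= 0x08                  # PSH on the last segment of the write
        segs.append((seq, tcp_header(src_port, dst_port, seq, 0, flags, window), chunk))
        seq += len(chunk)
    return segs


def wire_bytes(segs):
    """Total bytes handed to the link layer: IP + TCP header per segment plus payload."""
    return sum(IP_HDR + len(h) + len(d) for _, h, d in segs)


def sendable(segs, snd_una, rwnd, cwnd):
    """Number of leading segments that fit inside min(rwnd, cwnd) bytes past snd_una,
    i.e. how many may be in flight before the first ACK comes back."""
    limit = snd_una + min(rwnd, cwnd)
    return sum(1 for seq, _, d in segs if seq + len(d) <= limit)


# Constructed input: exactly 64 KiB of application data, MSS 1460 (1500-byte Ethernet MTU).
PAYLOAD = bytes(64 * 1024)
SEGMENTS = segment(PAYLOAD, mss=1460)
```

With these numbers the write becomes 45 segments (44 of 1460 bytes and a final one of 1296), the sequence number advances by payload only, and the 45 x 40 bytes of IP/TCP headers appear only on the wire. With rwnd and cwnd both 65536 and nothing yet acknowledged, all 45 segments fit in the window; halve the receiver's window and only the first 22 may be outstanding.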



MRTG Plotting for PPPoE Customer

Hi,

We have a Juniper BRAS to which we connect our PPPoE customers. All of them have dynamic interfaces and most of them don't have SNMP-capable devices.

Can you help by proposing a solution for how I can plot MRTG graphs of their interfaces? If you know of any paid solution, that could be of help too.

Thank you in anticipation.



Is this normal later down the road or am I just in a unique company?

Background: I started working as a POS help desk a little over a year ago making about 14/hr, and the job was relatively easy. I did, however, hate having to take calls all the time, and they attempted to push me into customer service, which I vehemently refused unless given a raise, since I was hired to be help desk for our stores, not to help customers get a refund. Anyway, about 12 months pass by and I get an offer for a "promotion", which honestly surprised me since I thought I would be the last to get a promotion (I was the youngest/newest person on the help desk). They offered me a Network Specialist position; I did a bit of research and realized this was actually a pretty interesting position with the possibility of making a lot of money down the road (i.e. becoming a network admin after all the certifications and experience). I accepted my boss's offer and moved to my new position about a month after accepting (they had to hire a couple of people as replacements).

Tl;dr started pos helpdesk promoted to network specialist

current

I enjoy what I am doing: I configure and install switches and firewalls, monitor traffic, and, my least favorite, install wiring (which wouldn't be too bad if they let me dress a little more casually for those situations). Anyhow, I did not ask when given the offer, but I assumed I was getting a pay raise when I was promoted. I did not. Then I assumed I was getting a pay raise after getting better at the position I was learning. I did not. I did, however, get a $0.75 pay raise this month, for what I don't know. I was upset, but I thought it might change once I get my CCNA (still working on it).

Currently we do not have a network administrator; our last one quit after having an argument with one of our IT managers (now our systems admin). I don't know if this is normal. My colleagues who have been working as network engineers, far longer than I have, have told me that the systems administrator has his hands in too many cookie jars; they tell me that they are forced to give him and another IT manager administrative access to our switches/firewalls, and apparently the sysadmin is the only one that can design/modify our network architecture. Is this a normal sysadmin/network engineer relationship?

Uh I guess background wasn’t really needed but thought I’d share thanks for reading folks.

was not sure if this goes to /r/itcareerquestions or /r/networking so sorry if this is the wrong subreddit.



Sophos SG125 Traffic redirection

Hello,

I recently took over the networking at my current employers. Things are a bit messy but I've got my head around most of it. We have a public facing server(intranet.ourcompany.com), it also handles traffic from certain site to site vpns. It currently resides at 10.13.13.98. Under all the tunnels, the traffic is allowed specifically to this ip. We have a windows server 2012 handling the dhcp and dns for 10.13.13.0/24, but this same server is acting as ADDS. It's also part of the flat internal network. I want to segment the .98 server into the different VLAN, which I have already created and test-10.13.100.0/24. The public facing computer doesn't rely on our internal network for anything and it's also a vulnerability I'd rather have separated.

In your opinions, what would be the best course of action?



ACL fun...

Hello.

I have a testing machine that sits on a public IP. Alarm bell #1. Unfortunately I can not change the IP of the device. It HAS to be on this IP.

The issue is that this means that everybody and their dog on the internet is trying to break into it.

I changed the access list to only permit my specific subnet, which is good, but it is not allowing traffic through. I am not a routing guy, and the routing guy leaves permit ip any any on the end of the ACL...which correct me if I'm wrong...kind of makes the whole thing pointless. There are more than one of these. MINE is specifically for testing, so the permit ip any any is no longer in play...which apparently is where I lose traffic.

To my understanding, it basically says "here's a bunch of subnets that are allowed, now permit ip any any, now everybody else is, too."

So if I set up like this, with ACL 150 being inbound and 160 being outbound....

access-list 150 remark my connection
access-list 150 permit ip 10.10.1.0 0.0.0.255 any
access-list 150 remark myDHCPserverishere
access-list 150 permit ip 10.10.2.0 0.0.0.255 any
access-list 150 remark publicIP'shere
access-list 150 permit ip 10.10.3.0 0.0.0.255 any
access-list 160 permit ip any any

I would think that this would work. Unfortunately, this device has a bunch of addresses that also have public IP's, but we'll say that they're on the 10.10.3.0 0.0.0.255 subnet for the exercise.

Since outbound is permit ip any any, that shouldn't matter.

My first thought is that I need a routing process, but this device is not set up as a router.

Is there a way to permit traffic to go through a LAG port but also keep said traffic from having access to the machine it runs through?

I need a way for my subnets to pass traffic THROUGH the device, keep anything on those subnets from accessing MANAGEMENT on the device (IE logging into it), and keep the rest of the internet off of the device itself.
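
As an added example (not from the post or its replies), here is a first-match evaluator for numbered IOS extended ACLs of the "permit|deny ip SRC DST" form. It shows the two things this thread turns on: with no trailing "permit ip any any", anything not explicitly permitted hits the implicit deny at the end, and once a trailing "permit ip any any" is present every earlier permit is irrelevant because the last line catches whatever the earlier ones did not. The 10.10.x.0/24 ranges are the poster's; ACL 151 and the device address 10.10.3.1 in it are constructed to illustrate ordering an explicit deny for "the box itself" ahead of the transit permits.

```python
"""Added example (not from the original post): a first-match evaluator for
numbered IOS extended ACLs of the 'permit|deny ip SRC DST' form.  The
10.10.x.0/24 ranges come from the post; ACL 151 and the device address
10.10.3.1 are constructed placeholders."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    acl: str
    action: str        # "permit" or "deny"
    src: tuple         # (address_int, wildcard_int)
    dst: tuple


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tokens[i]; return ((addr, wild), next_index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])), int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2


def parse_acls(text):
    """Group 'access-list N ...' lines by number, in order.  'remark' lines are
    documentation only and never take part in matching."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 3 or t[0] != "access-list":
            continue
        name, action = t[1], t[2]
        if action == "remark":
            continue
        if action not in ("permit", "deny") or t[3] != "ip":
            raise ValueError("unsupported entry: " + line)
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        acls.setdefault(name, []).append(Ace(name, action, src, dst))
    return acls


def _matches(addr, addr_wild):
    """Wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    net, wild = addr_wild
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def evaluate(entries, src, dst):
    """First matching ACE wins.  No match at all -> the implicit deny: ('deny', None)."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for idx, ace in enumerate(entries):
        if _matches(s, ace.src) and _matches(d, ace.dst):
            return ace.action, idx
    return "deny", None


# Constructed sample: the poster's ACLs, plus ACL 151 which puts an explicit deny
# for the device's own (placeholder) address ahead of the transit permits.
ACL_TEXT = """
access-list 150 remark my connection
access-list 150 permit ip 10.10.1.0 0.0.0.255 any
access-list 150 remark myDHCPserverishere
access-list 150 permit ip 10.10.2.0 0.0.0.255 any
access-list 150 remark publicIP'shere
access-list 150 permit ip 10.10.3.0 0.0.0.255 any
access-list 160 permit ip any any
access-list 151 deny ip any host 10.10.3.1
access-list 151 permit ip 10.10.1.0 0.0.0.255 any
access-list 151 permit ip 10.10.2.0 0.0.0.255 any
access-list 151 permit ip 10.10.3.0 0.0.0.255 any
"""
ACLS = parse_acls(ACL_TEXT)
```

Evaluating a source outside the three ranges against ACL 150 returns the implicit deny; append the "permit ip any any" from ACL 160 and the same packet is permitted by that last line. ACL 151 shows the ordering point: a packet from an allowed subnet to the device's own address hits the deny on line 0 before any permit is consulted, while the same source to any other destination is permitted on the next line.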



Advice on Mellanox IS 5030 36 ports 40 Gbps switch

Hi,

I wonder if anyone can help me. I inherited a couple of Mellanox IS 5030 switches. I was able to log into the Web interface and it showed it had no licenses. I also don't see any configuration for VLAN and multicast IGMP support. Those are really the main functions I need. Please help answer the following questions:

1) Are those IS 5030 switches upgradable to support VLAN and multicast? If so, what license(s) do I need and where can I get some licenses right now?

2) Are VLAN and multicast IGMP support configured via the Web interface, or CLI only?

3) How do I upgrade the firmware to the latest? Website is not clear on the step by step instruction. Where can I download the latest firmware and upgrade instructions for these switches?

4) Can these switches be upgraded to 56 Gbps?

5) Are these switches fully compatible with latest Mellanox switches?

Thanks for any help in advance.



Half Duplex being phased out, or just Cost Savings?

My boss just bought a ton of Extreme X450s for me to install. I put in about 13 of them before I ran into an issue with an old building management machine not connecting. Finally found a KB article stating these switches don't support half duplex due to hardware: http://ift.tt/2jjJ1ME

I checked the product specs sheet and saw the same thing. Talked to our Extreme rep and they said it is the Broadcom chip that no longer supports half duplex.

So my question to you all is this: Is this a sign that half duplex is going to be phased out, or is this just Extreme trying to save on cost?

EDIT: I'm not asking to how to solve this problem. I am well aware that half duplex is old technology, but there is still plenty of old equipment out there that still uses it, so I was just curious for the reason why the chips don't support it anymore and if this is going to be the norm for all vendors.



Sonicwall Stateful High Availability and Mismatched Firmware

I've been tasked with resolving a Stateful High Availability setup for 2 Sonicwall NSA 2600's in a very large network that have been left in a bad state.

From what I've gathered, the firmware of the Primary sonicwall was upgraded 113 days ago by a previous admin, and during the process, HA failed over to the Secondary Sonicwall. Firmware was never upgraded on the Secondary appliance, and it has remained the Active device ever since.

My question is regarding best practices for matching the firmware versions back up and restoring Stateful HA, with the Primary sonicwall returning to active status. I need to do so without losing any configuration changes made during these 113 days.

Sonicwall NSA 2600 x2
Primary Firmware Version: 6.2.2.1 (6.2.2.1-14n--HF159825-2n)
Secondary Firmware Version: 6.1.2.3 (6.1.2.3-20n)

HA Mode: Active/Standby
Secondary has been Active, Primary in Standby for 113 days
Found Peer: Yes
Settings Synchronized: Yes
Stateful HA Synchronized: No

My plan is to utilize the "Synchronize firmware" feature within HA settings on the Secondary appliance to match firmware versions and restore Stateful HA sync, then go through the documented best practices to start the firmware upgrade process from the beginning and get them both to the most recent stable SonicOS.

Will this result in loss of any configuration settings? Any further advice for this process? Thank you in advance!



Double Bond from separate network cards?

Can you double bond Ethernet connections from 2 different network cards? I.e., my Z230 has 1 Ethernet port; I get a cheap network card from Amazon and configure a double bond. Or do both Ethernet ports have to be in the same PCIe slot for it to work?

Thanks



VPN Tunnel between Cyberoam and Fortigate - Compatibility concerns

Hello all, I work as an IT Presales and Projects specialist at a Systems Integrator, and we just won a deal for a VPN setup between 2 remote offices. Office A has a Fortigate 80D firewall, while Office B will have a Cyberoam CR25iNG.

I have had a lot of trouble with similar projects in the past, trying to get VPN tunnels to hold between firewalls from different vendors, mostly Cisco ASA and Juniper SRX. I have never worked with Cyberoam and Fortigate before, and just want to know if there's anything bad I should expect. On paper it's supposed to work; they even have a KB on that setup on the Cyberoam support page, but I would like to hear from people.



Configure 10/100/1000 port to autonegotiate to only 10 or 100?

Scenario 1

2960-X-switch ----> (patching) ----> Paying client 

Scenario 2

2960-X switch ----> (100Mb switch) ----> (patching) ----> Paying client 

Is there any way to configure a 10/100/1000BaseTX port on a Cisco 2960-X switch to negotiate only at 10Mb or 100Mb? I'd like to provide a 100Mb connection to a paying client (who has paid only for 100Mb) via Scenario 1. I'm aware I could use

speed 100
duplex full

but that would disable auto-negotiation and I'd prefer not to have to impose configuration requirements on the client equipment. The only solution I've found is to use Scenario 2, which introduces another point of failure, but will indeed work.

Is there any way I can get Scenario 1 to work? To configure a single port on 2960-X to autonegotiate, but prevent it negotiating at 1Gb speed?



oxidized - help setting enable password per group/device

I have oxidized up and running. I have my groups all sorted.

But for the life of me, I can't figure out how to set the enable password per group/device.

Right now I have the enable password set globally, but if I move it to the groups, it doesn't work.

HALP!

vars:
  enable: s3cr3tstuff
groups:
  procurve-device:
    username: procurve
    password: p@ssword
  cisco-device:
    username: cisco
    password: p@ssword
  netscaler-device:
    username: netscaler
    password: p@ssword


Thursday, November 9, 2017

Slow internet for office

Hello all. Is it possible for a 4 Mb/s internet connection to cover the needs of 65 employees? Thank you.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



Better Cisco Bug Search?

Is there a better known way or tool to search Cisco bugs? Other than googling ‘Cisco bug ...’ or logging a TAC case.

The Cisco bug search tool is not very good...



Question about ICMP loss

At the college I work for I am responsible for my department's firewalls, but we rely on campus to manage the core routers.
We were switched to a new campus router a year ago, and it drops 5% of pings directed to it every 6 minutes. This loss happens on all pings to the same device at the same time, regardless of what system is pinging it. This loss causes our routers to think their upstream gateway is down; we have since disabled the ping check. Even their central monitoring system is showing that this is their highest-loss system. We are experiencing unusual outages too, where traffic does not get passed and the firewalls freak out.

I asked if the system was at capacity or configured differently, or if they could remove throttling, but their response was:

PingLossBDF is a newer model of hardware than the majority of our BDFs. It treats ICMP with less priority. We are at 1% CPU, have zero errors on the links, and are nowhere near reaching capacity. My recommendation would be to ping your own equipment.

Am I being unreasonable, or should I just accept that their own monitoring system shows high loss and just deal with the frequent outages?



Issues with Comcast static IP space and "bridge mode"

All,

Ok, so I've had my third issue with this in as many weeks, and I'm starting to become annoyed. I seem to keep having issues with Comcast business connections, which for whatever reason don't want to work when in bridge mode (directly binding a public IP on my equipment). Comcast supposedly places the equipment in bridge mode (or I do it myself) and without fail, I cannot reach the gateway IP after assigning the IPs in question. If I reconfigure for DHCP, my equipment pulls an IP without fail and works flawlessly; but I'll be damned if it wants to work with my assigned static IPs. At first I figured it was just a fluke, but it has happened 3 times now since mid Oct. and I'm starting to think it's not a one-off.

I have spent countless hours on the phone with support, but I can't seem to make any of the monkeys understand that when I say I cannot access the "gateway" I mean I can't frakking reach the gateway IP I was assigned with my static IP space and I don't mean the "sharty SOHO modem they put onsite". Every single time, they try to explain that I cannot access the "gateway" (meaning their damn modem) because it is in bridge mode (A: No shit sherlock and B: technically I can with an additional IP in the 10.1.10.0/24 space).

I may have lost my temper with the last rep somewhat, and suggested that they google "Internet Protocol" and call me back when they were done reading the relevant wiki articles so we could talk using equivalent terms. That earned me a chuckle from my customer, but sadly they were unwilling to actually educate themselves.

Just hoping maybe someone else has bashed their head against this particular brick wall, and can save me the trouble of the 462nd explanation as to why exactly VPN tunnels can only be initiated from one side (after 3 hours of calls and 4 reps, my client insisted that I set it up dynamic and go with it). Either some way to explain to Comcast support exactly what the issue is, or even better, some knowledge of why this seems to be happening and what the hell to do about it.



Couple questions about microbursts

  1. What actually causes them? Are they the sign of an underlying problem in the network, or are they just the nature of certain applications?

  2. Can they be somehow eliminated? Should traffic shapers be used to smooth out bursts?



Replacment for ip accounting

What are you using as a replacement for IP accounting? The 4000 series routers don't have that feature.



Trying to learn some advanced networking

Evening all,

I’m doing some learning with layer 3 switches to expand my functional knowledge and I’m hoping to get some advice from more experienced minds.

I'm trying to get away from a router-on-a-stick configuration for my home lab. I've been running into an issue in that I would also like to apply an ACL to some VLANs as added security. I have a general network VLAN (10) and an Internet of Things devices subnet (20). For control of the IoT devices I would like to reach them from my general network, but I do not want those devices to be able to reach my general network unsolicited.

My questions are as follows: Is this possible with just an L3 switch? If not, is there a recommended way to implement this that keeps the load on the uplink to the router as low as possible?

Ideally things would only hit the router if they are bound for the outside.

Thanks



Cisco VTP initial connection shuts down all VLANs

I'm labbing some stuff here to mess with VTP. I have a switch with IP routing enabled and 6 VLANs configured, along with their interfaces as well. It's set as the VTP server. Once I connect another switch to a trunk port and VTP starts up, all the VLANs on the original switch disappear from "show vlan brief" and I have to manually go in and...

interface vlan XX

vlan XX

then the interface status changes to up.

Any idea what's going on here? Trying to understand why the "server" switch would be doing this. Thanks for any help!

Edit: ohh, and it's running 12.2, a 3560G



Solarwinds and Palo Alto - SNMP hardware monitoring possible?

Recently I was wandering the MDFs in my campus and found a PA-5060 with a bad power supply. Surely I must have ignored the alert. Nope. It turns out that the node details in Solarwinds do NOT show ANY hardware status. No fan RPM, no power supply voltage, status? nothing. I started searching around, and only found TRAP MIBs for power supply insert / remove / fail.

Surely this can't be right? The only information I found was a CLI command for hardware health. Apparently the GUI has no way of displaying if your chassis is running low on power or fans...

So I'm in a situation that I either need to hire a monkey to watch the chassis LEDs, or write a script to run the CLI commands every hour.

Or am I missing something stupid obvious?



Anyone switched from Cisco to HPE? Are you happy about it?

We're trying to consolidate vendors, which is much needed since we have separate ones for switching, VoIP, wireless, network access control, etc. More than likely it will be Cisco vs. HPE/Aruba. Cisco has the familiarity, but their nickel-and-dime strategy with licenses, etc. is getting old. HPE/Aruba is the opposite, but I'm sure it comes with drawbacks besides unfamiliarity. Care to share your related stories?



Can I connect two wireless APs to each other via Ethernet in order to create essentially a switch?

Hello there /r/networking, please excuse my lack of greater knowledge with most things network related in advance, and also please excuse my terrible sharpie scrawlings. I have an issue with my current home network where my computers are roughly 75 feet worth of Ethernet cable away from the modem, resulting in what I can only describe as several yards of blue spaghetti throughout my home.

What I am hoping to achieve is to run a single Ethernet from the router closest to the modem to a router closer to my computers to act as a switch of some sort to wire all of my computers into as opposed to running several individual wires throughout the house from the router closest to the modem. Bonus points if the switch can still function as a wireless access point, as you can imagine, being 75 feet away from the wireless AP produces a less than desirable wireless browsing experience. Much appreciated for any and all help.



What other program exists that could replace or improve on NETLAB+ for remote access via reservations?

What other options do I have available to build a network lab and allow scheduled access to it, so that virtual labs can be created remotely?



Blockchain & the Future of Networking

Interesting article on how blockchain technology could change network architecture. What do you guys think?

http://ift.tt/2zvuJwp



Technical Interview Prep for Network Intern?

Hello there everyone,

I'm currently a Sophomore in College studying Network Engineering, and I recently was invited to a second round of interviews with a bigger financial company. I'm very excited and I want to be sure I'm as well prepared as I can be.

I've just finished my first quarter at the school and am now completing my intro to networking course where we covered the OSI and TCP/IP models and their various layers.

I'm trying to prepare by going over the topics we learned so far, which has generally been a brief overview of the TCP/IP stack and the common protocols concerning each layer. Subnetting was also covered, but only in an IPv4 environment.

I wanted to ask the community here what I should expect in the technical interview. I was in the Army for 4 years and worked some customer positions but I've never been in an interview environment like this. So I'm not sure what to expect.

If anyone has some similar experiences that they can share that would be great.



On 802.1Q Trunk, does CDP send its frame tagged with VLAN 1 info or untagged when native VLAN on a trunk is not 1?

My understanding is that if the native VLAN on a trunk is 1, CDP will send its frame untagged. However, if the native VLAN on a trunk is not 1, CDP will always send its frame tagged with a VLAN 1 tag. To make sure, I did a test on Packet Tracer 7.1 and the lab was successful.

Recently I had a chance to ask some questions of a CCIE Routing & Switching holder. He said, "Since DTP and CDP packets do not get forwarded, there is no need to tag VLAN info. However, VTP packets do get forwarded and a loop might occur. That's why VTP is always forwarded on trunks with a VLAN 1 tag unless the native VLAN on a trunk is 1." He indeed showed me, with the EVE simulator, that CDP always sends its frame untagged even if the native VLAN is changed to something other than 1.

So my questions are:

  1. If you can understand him, could you please explain to me why a loop might occur if VTP packets get forwarded untagged?

  2. If you have real switches or VIRL, could you please test whether CDP sends its frame tagged with a VLAN 1 tag or untagged when the native VLAN on a trunk is not 1? I'd really love to test it myself, but I don't have real switches and my computer is way below the VIRL hardware requirements.



My computer is only getting a max of 6Mbps and sometimes drops down to as low as 0. I have no idea what is causing this. (I have a wireless card.) My internet normally has a download speed of about 25Mbps on other machines. Please help.


Trouble ticket categorization mini-project

Hey guys, I was hoping to get a little advice/input on a small side project of mine that I just started. For context, I'm a few months into a network engineer role at a large company with an on-call function for a few weeks a year (broken up over the year). I have yet to enter the rotation for on-call, but I want to be as prepared as possible when I do.

So, I had an idea to go through all trouble tickets that directly involve my department, starting from my first day working. I have been recording the ticket #, the date/time it was brought to our department's attention, a brief summary of the problem/resolution, and any useful commands or questions I may have from each one. So far, I've gotten through about a month's worth of tickets, which amounts to ~50.

My goal here is at the very least get familiar with our processes and what's expected of our department in the event of XYZ problem when it's dropped into my lap. With luck, maybe I could even devise a sort of loose playbook for commonplace problems. So far I have noticed a bit of a trend with common trouble calls we have, so I do think that is possible.

However, I'm having trouble thinking of a way to visualize the data in an efficient way. The way I've been doing it so far is to just write stuff out in Excel cells for each respective section (crude, I know). Obviously this isn't the best way to get a 'big picture' view. One idea I had was to go through each of my entries after, say, 100 tickets and come up with a color-coded legend to categorize the trouble tickets.

Does anyone have any advice or pointers on how to best do this? Also just in general - should I be doing something in addition to what I have been doing so far? I'll gladly answer any questions if I left anything important out, and of course any feedback is very appreciated.



Anyone good at decoding Wireshark traces?

I have a customer that is seeing a lot of timeouts at random times at one of their satellite sites (they have about 50 but only 1 is complaining). I did a large packet capture and am seeing an inordinate amount of "Duplicate ACKs" and "(suspected) out-of-order segments".

I believe this is an issue within the ATT network that is connecting this site. But in typical ATT fashion they closed the ticket 10 minutes after I opened it saying they found no problems.

If anyone has experience analyzing large packet captures I would be willing to pay for their time to do an analysis. Please PM me if you are interested.



PPPOE Concentrator Upgrade

I work for a WISP, I just finished deploying accel-ppp on some HP DL360 G7 servers and they are working OK, but I am concerned about reliability over the long term and am looking at hardware solutions. Right now I can do about 1000 customers per concentrator, I have 10,000 customers and am growing rapidly.

I have looked at the Cisco ASR series, but licensing per user is really cost prohibitive; same with Juniper.

I am looking to see if anyone has suggestions for a PPPoE appliance with the normal RADIUS integration and 802.1Q integration that doesn't have licensing per user. I have looked at Mikrotik CCR, but that would be a step backwards in terms of # of clients per box.

Thanks in advance!



Riverbed Steelhead Mobile with Palo Alto GlobalProtect

We're using GlobalProtect for remote access VPN and have some users with Steelhead Mobile installed. The PA identifies most of the traffic from those users as riverbed-rios or riverbed-steelhead-mobile which doesn't work with our current "application-defaults" rules.

Has anyone successfully deployed Steelhead Mobile with GlobalProtect, and how did you do it while keeping the security in place?



Best way to test connectivity from multiple ISP's?

If I'm running a web service off of a multihomed BGP AS, what's the best way for me to check application layer connectivity to my network from multiple providers, preferably on a regular basis?

I get that I could throw a machine behind a router with multiple circuits coming into it, but that's not exactly scalable plus it limits me to those ISP's that are available in my area. And of course I could alternate among multiple VPN providers, but then I'm at their mercy should they change their upstream ISP's. Likewise I could always ping hosts on different provider networks, but that's not the same as a machine on their network throwing an HTTP GET at me. Just wondering if there's a service or a setup anyone has used that they like. Thanks!



[VPN Cisco ASA]Connection from China dying

Hi folks. I have a quick question.
I have remote systems that lie in China and Mexico. Each of these sites connects using a Cisco ASA 5505 to mine and initiates an IPsec L2L connection from the remote location to my business. I don't understand it, but for a few months the Chinese connection seems to be blocked. The only clues I have to support that are:

  • The Mexican site is still reachable
  • On my Cisco (receiver) I get a message "<IP> duplicate first packet detected. ignoring packet"
  • If I run "show crypto isakmp" on my Cisco I get that the remote device is in MM_WAIT_MG3.

Do you think I'm getting blocked by the Chinese Great Firewall?



The Complete CCNA & CCNP Labs Course 2017- Basic to Advanced

EIGRP (Enhanced Interior Gateway Routing Protocol) - 16 Lectures
OSPF (Open Shortest Path First) - 23 Lectures
BGP (Border Gateway Protocol) - 27 Lectures
Network Services - 20 Lectures
IPv6 - 12 Lectures

http://ift.tt/2zK7wJP



Tagged VLAN dropping frames, but not Untagged one

Hi all,

I have a VPLS (think MPLS, but at layer 2 only) that connects all our locations together. Over the connection, there is an untagged network and a tagged network.

For some reason the tagged network (VLAN 101) is dropping frames to one specific location (around 20%), but the untagged one isn't. The rest of the locations that connect over the VPLS don't have issues with the VLAN or connection and the ISP claims it's not an issue on their side and they don't see any errors. All cables within my control have been replaced just in case to no avail.

Is there anything I'm missing here? Is there a good procedure for debugging this? The devices on both sides of the connection are Fortigates and are both pinging fine over the untagged network.

Thanks in advance.



Anyconnect VPN from remote desktop

Question: Cisco disables AnyConnect from being used via remote desktop by default. I can override this with an XML; however, can anyone find or think of a reason why this shouldn't be allowed? Cisco probably disabled this as a default for a reason.



Mikrotik hotspot cafe

Hello, a customer who has a cafe wants to provide free Wi-Fi. He specifically wants every customer of the cafe who successfully logs in to the wireless network to get redirected to his Facebook page. There is no need for a username and password, just to get redirected where he wants. I found plenty of guides on Google, but none works for me. I'm using a Mikrotik RB951 series, which is connected to a bridge-mode router. Thanks in advance!



Problems with installing ASDM in ASA 5506-x.

I bought this ASA for labbing purposes for CCNAS. I have the S/N and PAK. I however am unable to download ASDM from Cisco's website.

They say I need an active Contract list... What does this mean? Do I need to pay for a Contract just to download ASDM in my ASA?!?!?



Are there any remote network engineers out there?

Are there are any network engineers here that work solely from home 100% of the time?



Small managed switch (4 – 16 ports) - recommendation

Hi all,

Could you please help me to choose a small L2 switch with management?

Requirements: VLANs, trunking, STP
Optional: LACP

I'll need to buy more than one so it should be affordable (new or something used from eBay). I'd prefer CLI over web management but I don't assume that I'll use management regularly so web is fine.

Clients on the switch are not servers so I don't have high requirements for switching and that's probably a reason why I'm thinking about something that isn't a switch with ASIC. Something like Raspberry Pi with many Ethernet ports and Linux with configured bridge might do the job.

It's not easy to find a good inexpensive small switch, since I found for example the TP-Link TL-SG108E that is cheap but has a huge issue with security. The management IP on this switch is accessible from all VLANs, which is pretty crazy from a security perspective.

Thank you.



Having trouble with OpenNMS SNMPv3

Hi there, I'm kind of having trouble with adding SNMPv3 devices to OpenNMS. With Cacti SNMPv3 worked like a charm, but it doesn't have the features I need. My snmp-config.xml looks like this; is there anything that I missed, or am I missing something? Would really appreciate the help; I've been trying to get this to work for 2 days now.

<snmp-config xmlns="http://ift.tt/2hi7eP6" version="v2c" read-community="public" timeout="1800" retry="1">
  <definition write-community="private" read-community="windows211" port="161">
    <specific>192.168.77.146</specific>
  </definition>
</snmp-config>

<snmp-config xmlns="http://ift.tt/2hi7eP6" version="v3" auth-passphrase="password123" auth-protocol="MD5" privacy-passphrase="password444" privacy-protocol="DES" security-name="user3" timeout="1800" retry="1">
  <definition port="161">
    <specific>192.168.77.152</specific>
  </definition>
</snmp-config>



How to make a supercomputer

TL;DR

I want to create a single powerful computer. My company has some old computers and I want to join them.

Full description

Hi guys, In the last few days I've been reading some stuff regarding different types of clustering systems but I want to do something quite different.

I manage the network and computers in my company and my coworker just had a dream about making a supercomputer using our good old machines.

I've seen some stuff regarding this, but it's just the management portion of it.

I can manage all the nodes in a single place and I can even configure a highly available system so I can lose one computer with no problems.

But instead of this system I want to be able to join processing power and memory in order to create a "single" computer with higher specs.

I don't know if this is indeed possible.

Can you guys help me?



I have an ONT (GPON) from my ISP, what can I do with it?

My ISP gives me fiber, and has installed an ONT in my house, but I don't seem to be able to reach it, or do anything to it. Is it just a simple fiber-to-RJ45 terminal, or should I be able to 'manage' it, as I can a router or other network devices?

Huawei EchoLife HG8240H



Wednesday, November 8, 2017

InfiniBand link aggregation between Mellanox switches?

I have a Mellanox SX6018T switch (18-port FDR10 40Gbps), and I'm considering getting an SX6036F (36-port FDR 56Gbps).

Since I have a few 10GBE clients, and an IB/Ethernet Gateway license on the SX6018T, I'd like to keep using that in addition to the new switch, both for 10GBE clients and for FDR10 IB clients (the Ethernet gateway license for the 6036 is quite expensive, and the slight increased latency from having two switches won't matter for my use case).

The two switches will be right next to each other in the same rack, and I'm planning to use QSFP+ copper cable to connect them. That will be a 40Gbps uplink, and I'd be interested in getting a bit more bandwidth between them, so I guess what I'm looking for is link aggregation between two ports, so I could get 80Gbps instead.

However, I haven't found a lot of information on this (Mellanox switch ethernet link aggregation is documented in various places, but not IB). Is this supported? Automatic? How do I set this up? Can I (theoretically) aggregate more than two ports too?

I'm asking about this because it's a factor in whether or not to buy the new switch, so I can't just test it and see if it works.



Explaining Commute to Spouse?

So... at a minimum I have a 3 hour commute round-trip to work. Some days (bad days) it is 6 hours. I am expected to be in front of a computer 9 hours + lunch M-Thu. Fridays alternate between being off or 8 hours (9/80).

I’ve been having a hard time explaining this to my spouse (who required this as she wanted to be close to her son... we could have lived closer...)

Some days I leave early, but I still have hours I owe and I either need to take leave w/ an approved backup or catch up...

I’ve explained this conundrum countless times... some days I need to be gone for 17 hours due to the round trip commute and the 9 hours I need to put in... some days I leave later/early to dodge the commute, but I still need to clear my owed hours...

I can find closer work for a $20-30k/yr decrease (or without benefits) -“Merica”... which won’t work - unless I pick up a 2nd job.

How do I explain everything in her terms?

(I’ve been watching our (US) politics and may jump to Ireland/NZ/Aussie in the future so long as I can maintain my family’s level of comfort... even if I am constantly uncomfortable.)



Struggling to get my head around this concept: what data is marked as "exceeding" in a single rate 3 color policer...

OK, so as far as I have read up on, in a two-rate three-color policer traffic marked as exceeding is anything above the CIR and below the PIR within a Tc timespan; anything that exceeds the PIR is considered violating. This makes sense to me.

I'm not quite understanding what traffic will be marked as exceeding in a single-rate three-colour policer. Would that be all traffic that matches... let's say the Tc window is 200 msec; would traffic marked as exceeding be any data within the Tc window that exceeds Bc and is below Be? If so, what is the point of having a two-rate policer? Couldn't you just keep increasing the Be to have the same result?

Or would exceeding be a burst within that 200 msec average that exceeds both Bc and Be data/bytes? I assumed that traffic would be marked as violating.

Take the example below:

police 64000 bc 1600 be 2400

Tc window 200msec : | ( 800 Bytes) -- ( 900 Bytes) |

That last 100 bytes in the 2nd burst exceeds the Bc, so would that be considered exceeding or violating? Does it depend on whether or not we have surplus tokens in the Be bucket? I am assuming exceeding in this scenario would be any data that has used tokens from the Be.

If anyone could explain this to me or point me to a good document, that would be appreciated.
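As an added example (not from the post), the block below replays the post's `police 64000 bc 1600 be 2400` scenario through a single-rate three-colour marker (RFC 2697 srTCM) and then offers the same sustained stream to both an srTCM and a two-rate trTCM (RFC 2698), which is what separates "a bigger Be" from "a second rate". It assumes the token buckets are refilled on packet arrival and that the two bursts arrive inside the same 200 ms; the packet sizes and timings of the sustained stream are constructed for the comparison.

```python
"""Added example: single-rate (RFC 2697) vs two-rate (RFC 2698) three-colour
policers, colour-blind mode, replayed over the post's numbers.  Times are in
milliseconds and sizes in bytes so that token arithmetic stays exact."""
from collections import Counter


class SrTCM:
    """Single-rate: one CIR feeds the Bc bucket, and only what overflows a full
    Bc trickles into Be.  Be is therefore a burst reserve, not a second rate."""

    def __init__(self, cir_bps, bc, be):
        self.cir_bps, self.bc, self.be = cir_bps, bc, be
        self.tc, self.te = bc, be          # both buckets start full
        self.last_ms = 0

    def police(self, now_ms, size):
        tokens = (now_ms - self.last_ms) * self.cir_bps // 8000
        self.last_ms = now_ms
        spill = max(0, self.tc + tokens - self.bc)
        self.tc = min(self.bc, self.tc + tokens)
        self.te = min(self.be, self.te + spill)
        # The decision is per packet: a packet that does not fit in Bc is
        # marked exceed as a whole, not just the bytes beyond Bc.
        if size <= self.tc:
            self.tc -= size
            return "conform"
        if size <= self.te:
            self.te -= size
            return "exceed"
        return "violate"


class TrTCM:
    """Two-rate: the PIR bucket (size Be) refills on its own at PIR, so traffic
    between CIR and PIR can stay 'exceed' indefinitely."""

    def __init__(self, cir_bps, bc, pir_bps, be):
        self.cir_bps, self.pir_bps, self.bc, self.be = cir_bps, pir_bps, bc, be
        self.tc, self.tp = bc, be
        self.last_ms = 0

    def police(self, now_ms, size):
        dt = now_ms - self.last_ms
        self.last_ms = now_ms
        self.tc = min(self.bc, self.tc + dt * self.cir_bps // 8000)
        self.tp = min(self.be, self.tp + dt * self.pir_bps // 8000)
        if size > self.tp:
            return "violate"
        self.tp -= size
        if size > self.tc:
            return "exceed"
        self.tc -= size
        return "conform"


def post_example():
    """The post's 'police 64000 bc 1600 be 2400': an 800 B and a 900 B burst
    inside one 200 ms Tc, then a 2500 B packet one Tc later (assumed timing)."""
    p = SrTCM(64000, 1600, 2400)
    return [p.police(0, 800), p.police(0, 900), p.police(200, 2500)]


def sustained(policer, size=300, interval_ms=25, count=60):
    """Offer a steady 96 kbps stream (300 B every 25 ms, constructed) for 1.5 s
    and count how each packet was coloured."""
    return Counter(policer.police(k * interval_ms, size) for k in range(count))


def compare():
    """Same stream, same Bc/Be: srTCM runs Be dry and starts violating, the
    two-rate policer with PIR 128 kbps keeps the excess at 'exceed'."""
    return (sustained(SrTCM(64000, 1600, 2400)),
            sustained(TrTCM(64000, 1600, 128000, 2400)))
```

The 900-byte burst in the post's scenario comes out "exceed" as a whole packet because Bc is short by 100 bytes and Be still has tokens; the packet is never split into conforming and exceeding bytes.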



How to read Cisco CPU utilization?

I have a router that when I do a 'show processes cpu history' is showing for the last 24 hours my CPU utilization at ~90-95%. I know how to read that graph fairly easily.

When I do a 'show processes cpu sorted' however, it's showing me a chart that I don't understand, because even the biggest hit (PID 140) is only taking up 2.17% CPU utilization, and a few lines later it MIGHT add up to 8-10%

Why the discrepancy? Does anyone have a napkin drawing to show how to read the output of the 'show processes cpu sorted' command? Thanks.



IPv4 Static Address "poisoned"

Hey guys, I'm at the end of my rope on this one, so I'm hoping someone here can help me out. This is a weird one.

So, I run a server on my home network, with a statically-assigned IP. Every so often, this server stops being able to reach the gateway on that static IP via IPv4. However, if I change to any other IP, it immediately starts working again. If I change back, no luck.

So, every couple of months, I've been having to change IPs. This has even happened to my previous server, when it was the Primary Domain Controller. It doesn't happen to any other devices on my network, so I figure it has something to do with the device being a domain controller, although I don't see what that could possibly be. IPv6 still works fine, so thankfully I can maintain my RDP sessions.

I've checked that there aren't any rogue devices on my network; I've checked there are no IP conflicts (most devices are statically assigned and don't have problems). The IP is also statically assigned in the router, and there are no worrisome events in the router logs.

What's interesting is that the IP just seems to be "poisoned" for a set period of time, until it strikes whatever new IP I'm using -- then the old one works again.

Modem/Router: Netgear C6300

Windows 2016 Server 2 NICs, one for the server, one dedicated to hyper-v

Switch: Cisco C3650 (15.2(2)E5)

Can someone help me out here?



RPC server is unavailable error

Hi, I'm unable to connect to a licensing manager software installed on an Azure VM. It says 'RPC server is unavailable' as you can see in this image.

From the image, it looks like there is some account name resolving issue. What I have tried already:

  • Disabled firewall completely on both server and client.
  • Enabled RPC and WMI services and set it to 'Automatic' start.
  • Enabled DCOM services and gave permission to the user account.

I did a port scan and found out port 135 as 'filtered' on nmap. Might that be causing the issue? But one of my colleagues at a different location is not getting this connection issue.



Widespread Impact Caused by Level 3 BGP Route Leak

For a little more than 90 minutes on Monday, internet service for millions of users in the U.S. and around the world slowed to a crawl. Was this widespread service degradation caused by the latest botnet threat? Not this time. The cause was yet another BGP routing leak — a router misconfiguration directing internet traffic from its intended path to somewhere else.




NX-OSv 9000

Anyone have any opinions on NX-OSv 9000? I have an ESXi cluster that I use to lab/test various networking technologies using various virtual network devices. My guess is that testing NX-API and possibly openflow with something like opendaylight would be a use case here.



Need help figuring out how to give external vendor access to phone system to completely manage it.

Basically, we have a contractor coming in and handling our phones for our call center.

The way I see it I have two options. They require SSH access to their ASA to manage everything:

1.) Put ASA in DMZ and poke a bunch of holes in our firewall to allow ASA DMZ > Server Internal.

2.) Plop the ASA in the internal network so they can have a straight shot in and not have to poke holes in the firewall. No DMZ at all

We almost always do #1 for all external services, but these guys want ports 23/3389 open to manage their shit and I don't really feel comfortable popping open a hole in the FW for those ports.

What is the best way to go about this?



ASA tunnel routing config

To start with: I've got zero ASA experience, other than some small changes to this box adding subnets to the tunnel.

We have one remote location that has an ASA. This location had two separate DIA circuits, one was used for local internet breakout, the other was dedicated for a site-to-site back to our data center. Apparently the site has lost the VPN circuit and has no chance of getting it back. In order to get connectivity back, we changed a couple of lines to point to the internet interface instead of the VPN (physical interfaces named internet and vpns). I changed the route statements (lines 245-254) to reflect the internet interface, and the cryptomap ACL (line 295) as well. At this point, all tunnels are up enough for DCs to sync, but I've got no other connectivity. No ICMP, no RDP, nothing. I've tracerouted from the inside interface on the ASA and it's clear that the traffic is exiting to public internet and not getting put in the tunnel. I can assume that this is because of the route statements pointing at the 'internet' label. So if I understand the config correctly, I need to be able to point those private subnets into the tunnel...which is no longer on a dedicated named interface. Can I just remove the static routes on the subnets that are tunnelled and let the box figure it out?

Also-I know there are a ton of issues in this config. At present, I can't fix a lot of what is wrong.

config:

hostname ASA5510
enable password redacted encrypted
passwd redacted encrypted
names
!
interface GigabitEthernet0/0
 nameif internet
 security-level 0
 ip address public-ip 255.255.255.248
!
interface GigabitEthernet0/1
 nameif vpns
 security-level 0
 ip address public-ip 255.255.255.248
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 192.168.13.254 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
boot system disk0:/asa847-30-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
object network obj-192.168.13.0
 subnet 192.168.13.0 255.255.255.0
object network obj-192.168.0.0
 subnet 192.168.0.0 255.255.255.0
object network obj-10.1.60.0
 subnet 10.1.60.0 255.255.255.0
object network obj-192.168.0.0-01
 subnet 192.168.0.0 255.255.0.0
object network obj-192.168.16.0
 subnet 192.168.16.0 255.255.255.0
object network obj-10.3.60.0
 subnet 10.3.60.0 255.255.255.0
object network obj-10.254.60.0
 subnet 10.254.60.0 255.255.255.0
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-10.2.10.0
 subnet 10.2.10.0 255.255.255.0
object network obj-10.2.60.0
 subnet 10.2.60.0 255.255.255.0
object network obj-192.168.13.41
 host 192.168.13.41
object network obj-192.168.13.41-01
 host 192.168.13.41
object network obj-192.168.13.41-02
 host 192.168.13.41
object network obj-192.168.13.41-03
 host 192.168.13.41
object network obj-192.168.13.41-04
 host 192.168.13.41
object network obj-192.168.13.41-05
 host 192.168.13.41
object network obj-192.168.13.41-06
 host 192.168.13.41
object network obj-192.168.13.41-07
 host 192.168.13.41
object network obj-192.168.13.41-08
 host 192.168.13.41
object network obj-192.168.13.41-09
 host 192.168.13.41
object network obj-192.168.13.41-10
 host 192.168.13.41
object network obj-192.168.13.41-11
 host 192.168.13.41
object network obj-192.168.13.41-12
 host 192.168.13.41
object network obj-192.168.13.41-13
 host 192.168.13.41
object network obj-192.168.13.41-14
 host 192.168.13.41
object network obj-192.168.13.41-15
 host 192.168.13.41
object network obj-192.168.13.41-16
 host 192.168.13.41
object network obj-192.168.13.41-17
 host 192.168.13.41
object network obj-192.168.13.41-18
 host 192.168.13.41
object network obj-192.168.13.41-19
 host 192.168.13.41
object network obj-192.168.13.41-20
 host 192.168.13.41
object network obj-192.168.13.6
 host 192.168.13.6
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-192.168.13.5
 host 192.168.13.5
object-group service rdp tcp
 port-object eq 10338
 port-object eq 10339
access-list nat-internet extended permit ip 192.168.13.0 255.255.255.0 any
access-list vpns_cryptomap extended permit ip 192.168.13.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list vpns_cryptomap extended permit ip 192.168.13.0 255.255.255.0 10.1.60.0 255.255.255.0
access-list vpns_cryptomap extended permit ip 192.168.13.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list vpns_cryptomap extended permit ip 192.168.13.0 255.255.255.0 10.254.60.0 255.255.255.0
access-list vpns_cryptomap extended permit ip 192.168.13.0 255.255.255.0 10.3.60.0 255.255.255.0
access-list vpns_cryptomap extended permit ip 192.168.13.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpns_cryptomap extended permit ip 192.168.13.0 255.255.255.0 10.2.10.0 255.255.255.0
access-list vpns_cryptomap extended permit ip 192.168.13.0 255.255.255.0 10.2.60.0 255.255.255.0
access-list vpns_cryptomap extended permit ip 192.168.13.0 255.255.255.0 10.254.225.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 10.1.60.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 10.3.60.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 10.254.60.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 10.2.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 10.2.60.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 10.254.225.0 255.255.255.0
access-list inside-in extended permit icmp any any
access-list inside-in extended permit ip any any
access-list vpns-in extended permit icmp any any
access-list vpns-in extended permit ip any any
access-list internet-in extended permit gre any host 192.168.13.6 log
access-list internet-in extended permit ip host public-ip any
access-list internet-in extended permit ip public-ip 255.255.248.0 any
access-list internet-in extended permit ip public-ip 255.255.255.0 any
access-list internet-in extended permit icmp any any
access-list internet-in extended permit ip host public-ip any
access-list internet-in remark Migration, ACE (line 11) expanded: permit tcp any 150.101.227.56 255.255.255.248 object-group rdp
access-list internet-in remark Migration: End of expansion
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8015
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8020
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8000
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8001
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8002
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8003
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8004
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8005
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8006
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8007
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8008
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8009
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8010
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8011
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8012
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8013
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8014
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8016
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8017
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8018
access-list internet-in extended permit tcp any host 192.168.13.41 eq 8019
access-list internet-in extended permit tcp any host 192.168.13.6 eq pptp
access-list internet-in extended permit tcp any host 192.168.13.5 eq 3389
access-list acl-conn-param-tcp-01 extended permit tcp host 192.168.13.253 any
access-list acl-conn-param-tcp-01 extended permit tcp host 192.168.13.5 any
access-list acl-conn-param-tcp-01 extended permit tcp host 192.168.13.41 any
pager lines 30
logging enable
logging buffered debugging
logging asdm debugging
mtu internet 1500
mtu vpns 1500
mtu inside 1500
mtu management 1500
ip verify reverse-path interface internet
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any internet
icmp permit any vpns
icmp permit any inside
asdm image disk0:/asdm-733.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static obj-192.168.13.0 obj-192.168.13.0 destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.13.0 obj-192.168.13.0 destination static obj-10.1.60.0 obj-10.1.60.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.13.0 obj-192.168.13.0 destination static obj-192.168.0.0-01 obj-192.168.0.0-01 no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.13.0 obj-192.168.13.0 destination static obj-192.168.16.0 obj-192.168.16.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.13.0 obj-192.168.13.0 destination static obj-10.3.60.0 obj-10.3.60.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.13.0 obj-192.168.13.0 destination static obj-10.254.60.0 obj-10.254.60.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.13.0 obj-192.168.13.0 destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.13.0 obj-192.168.13.0 destination static obj-10.2.10.0 obj-10.2.10.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.13.0 obj-192.168.13.0 destination static obj-10.2.60.0 obj-10.2.60.0 no-proxy-arp route-lookup
!
object network obj-192.168.13.41
 nat (inside,internet) static interface service tcp 8015 8015
object network obj-192.168.13.41-01
 nat (inside,internet) static interface service tcp 8000 8000
object network obj-192.168.13.41-02
 nat (inside,internet) static interface service tcp 8001 8001
object network obj-192.168.13.41-03
 nat (inside,internet) static interface service tcp 8002 8002
object network obj-192.168.13.41-04
 nat (inside,internet) static interface service tcp 8003 8003
object network obj-192.168.13.41-05
 nat (inside,internet) static interface service tcp 8004 8004
object network obj-192.168.13.41-06
 nat (inside,internet) static interface service tcp 8005 8005
object network obj-192.168.13.41-07
 nat (inside,internet) static interface service tcp 8006 8006
object network obj-192.168.13.41-08
 nat (inside,internet) static interface service tcp 8007 8007
object network obj-192.168.13.41-09
 nat (inside,internet) static interface service tcp 8008 8008
object network obj-192.168.13.41-10
 nat (inside,internet) static interface service tcp 8009 8009
object network obj-192.168.13.41-11
 nat (inside,internet) static interface service tcp 8010 8010
object network obj-192.168.13.41-12
 nat (inside,internet) static interface service tcp 8011 8011
object network obj-192.168.13.41-13
 nat (inside,internet) static interface service tcp 8012 8012
object network obj-192.168.13.41-14
 nat (inside,internet) static interface service tcp 8013 8013
object network obj-192.168.13.41-15
 nat (inside,internet) static interface service tcp 8014 8014
object network obj-192.168.13.41-16
 nat (inside,internet) static interface service tcp 8016 8016
object network obj-192.168.13.41-17
 nat (inside,internet) static interface service tcp 8017 8017
object network obj-192.168.13.41-18
 nat (inside,internet) static interface service tcp 8018 8018
object network obj-192.168.13.41-19
 nat (inside,internet) static interface service tcp 8019 8019
object network obj-192.168.13.41-20
 nat (inside,internet) 
static interface service tcp 8020 8020 object network obj-192.168.13.6 nat (inside,internet) static 150.101.227.60 object network obj_any nat (inside,internet) dynamic interface object network obj-192.168.13.5 nat (inside,internet) static interface service tcp 3389 10339 access-group internet-in in interface internet access-group vpns-in in interface vpns access-group inside-in in interface inside route internet 0.0.0.0 0.0.0.0 public-ip 1 route vpns 10.1.60.0 255.255.255.0 public-ip 1 route vpns 10.2.10.0 255.255.255.0 public-ip 1 route vpns 10.2.60.0 255.255.255.0 public-ip 1 route vpns 10.3.60.0 255.255.255.0 public-ip 1 route vpns 10.254.60.0 255.255.255.0 public-ip 1 route vpns 10.254.225.0 255.255.255.0 public-ip 1 route vpns public-ip 255.255.255.255 public-ip 1 route vpns 192.168.0.0 255.255.255.0 public-ip 1 route vpns 192.168.1.0 255.255.255.0 public-ip 1 route vpns 192.168.16.0 255.255.255.0 public-ip 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy user-identity default-domain LOCAL aaa authentication ssh console LOCAL http server enable http 192.168.1.0 255.255.255.0 management http public-ip 255.255.248.0 internet http public-ip 255.255.255.255 internet http 192.168.13.0 255.255.255.0 inside http 192.168.0.0 255.255.255.0 inside http public-ip 255.255.255.255 internet http public-ip 255.255.255.255 internet http 10.2.10.0 255.255.255.0 inside snmp-server host inside redacted version 2c no snmp-server location no snmp-server contact snmp-server community redacted snmp-server enable traps snmp authentication linkup linkdown coldstart service resetinbound crypto 
ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec security-association lifetime seconds 86400 crypto map vpns_map0 3 match address vpns_cryptomap crypto map vpns_map0 3 set peer public-ip crypto map vpns_map0 3 set ikev1 transform-set ESP-AES-128-SHA crypto map vpns_map0 interface vpns crypto ikev1 enable vpns crypto ikev1 policy 5 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto ikev1 policy 10 authentication pre-share encryption des hash sha group 2 lifetime 86400 crypto ikev1 policy 30 authentication pre-share encryption 3des hash md5 group 1 lifetime 86400 crypto ikev1 policy 50 authentication pre-share encryption aes hash sha group 5 lifetime 86400 telnet 192.168.13.0 255.255.255.0 inside telnet 192.168.0.0 255.255.255.0 inside telnet 10.1.60.200 255.255.255.255 inside telnet timeout 5 ssh public-ip 255.255.255.255 internet ssh public-ip 255.255.248.0 internet ssh public-ip 255.255.255.0 internet ssh public-ip 255.255.255.255 internet ssh public-ip 255.255.255.255 internet ssh public-ip 255.255.255.255 internet ssh public-ip 255.255.255.255 vpns ssh 192.168.13.0 255.255.255.0 inside ssh 192.168.0.0 255.255.255.0 inside ssh 10.1.60.0 255.255.255.0 inside ssh 10.1.60.200 255.255.255.255 inside ssh timeout 5 ssh version 2 ssh key-exchange group dh-group1-sha1 console timeout 0 
management-access inside threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept webvpn group-policy GroupPolicy1 internal group-policy GroupPolicy1 attributes vpn-filter none vpn-tunnel-protocol ikev1 ssl-client

username redacted tunnel-group public-ip type ipsec-l2l tunnel-group public-ip general-attributes default-group-policy GroupPolicy1 tunnel-group public-ip ipsec-attributes ikev1 pre-shared-key ***** peer-id-validate nocheck tunnel-group public-ip type ipsec-l2l tunnel-group public-ip ipsec-attributes ikev1 pre-shared-key ***** ! class-map inspection_default match default-inspection-traffic class-map class-conn-param-tcp-01 match access-list acl-conn-param-tcp-01 ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map policy-conn-param-inside class class-conn-param-tcp-01 set connection random-sequence-number disable policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect pptp inspect ip-options ! service-policy global_policy global service-policy policy-conn-param-inside interface inside prompt hostname context no call-home reporting anonymous call-home profile CiscoTAC-1 no active destination address http http://ift.tt/115Gun1 destination address email callhome@cisco.com destination transport-method http subscribe-to-alert-group diagnostic subscribe-to-alert-group environment subscribe-to-alert-group inventory periodic monthly subscribe-to-alert-group configuration periodic monthly subscribe-to-alert-group telemetry periodic daily Cryptochecksum:86d07c34f0ea522f7b6bbc9fa96d0081
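An added example, not part of the post above and not a Cisco tool: a small audit script that walks ASA-style configuration text in the format shown above and flags what a reviewer would question first, namely IKEv1 policies using DES/3DES, MD5 or DH groups 1 and 2, IPsec transform sets with the same algorithms (distinguishing those actually bound to a crypto map from dead definitions), telnet access, the dh-group1-sha1 SSH key exchange, and community-based SNMP. The sample lines are a constructed subset of the configuration quoted above; the function names are mine.

```python
"""Audit Cisco ASA configuration text for weak IKEv1/IPsec crypto and legacy management access."""
import re
from typing import Dict, List, Set

# Constructed sample: a subset of the running-config lines quoted above, in the same format.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map vpns_map0 3 set ikev1 transform-set ESP-AES-128-SHA
crypto ikev1 policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
telnet 192.168.13.0 255.255.255.0 inside
telnet timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
snmp-server host inside redacted version 2c
"""

WEAK_ENCRYPTION = {"des", "3des"}     # single DES is broken; 3DES is deprecated (Sweet32)
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2"}           # IKE groups 1 and 2: 768- and 1024-bit MODP
WEAK_ESP_CIPHERS = {"esp-des", "esp-3des"}
WEAK_ESP_INTEGRITY = {"esp-md5-hmac"}


def parse_ikev1_policies(config: str) -> Dict[str, Dict[str, str]]:
    """Return {policy_number: {attribute: value}} for each 'crypto ikev1 policy' block.

    A block is the header line plus the indented attribute lines that follow it;
    the first non-indented line ends the block.
    """
    policies: Dict[str, Dict[str, str]] = {}
    current = None
    for line in config.splitlines():
        header = re.match(r"^crypto ikev1 policy (\d+)\s*$", line)
        if header:
            current = header.group(1)
            policies[current] = {}
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            policies[current][key] = value
        else:
            current = None
    return policies


def referenced_transform_sets(config: str) -> Set[str]:
    """Transform sets actually bound to a crypto map entry; any others are dead config."""
    return set(re.findall(r"^crypto map \S+ \d+ set ikev1 transform-set (\S+)", config, re.M))


def audit_asa_config(config: str) -> List[str]:
    """Return one finding per weak or legacy setting found in the config text."""
    findings: List[str] = []
    for number, attrs in sorted(parse_ikev1_policies(config).items(), key=lambda kv: int(kv[0])):
        if attrs.get("encryption") in WEAK_ENCRYPTION:
            findings.append(f"ikev1 policy {number}: weak encryption {attrs['encryption']}")
        if attrs.get("hash") in WEAK_HASH:
            findings.append(f"ikev1 policy {number}: weak hash {attrs['hash']}")
        if attrs.get("group") in WEAK_DH_GROUPS:
            findings.append(f"ikev1 policy {number}: weak DH group {attrs['group']}")

    in_use = referenced_transform_sets(config)
    for line in config.splitlines():
        ts = re.match(r"^crypto ipsec ikev1 transform-set (\S+) (\S+) (\S+)", line)
        if ts:
            name, cipher, integrity = ts.groups()
            if cipher in WEAK_ESP_CIPHERS or integrity in WEAK_ESP_INTEGRITY:
                status = "in use" if name in in_use else "defined, not referenced"
                findings.append(f"transform-set {name}: weak {cipher}/{integrity} ({status})")
        elif re.match(r"^telnet \d", line):          # 'telnet timeout' is not an access line
            findings.append(f"telnet access enabled: {line.strip()}")
        elif line.startswith("ssh key-exchange group dh-group1-sha1"):
            findings.append("ssh key-exchange uses dh-group1-sha1")
        elif re.match(r"^snmp-server host .* version (1|2c)\b", line):
            findings.append(f"snmp community-based version: {line.strip()}")
    return findings


if __name__ == "__main__":
    for finding in audit_asa_config(SAMPLE_CONFIG):
        print(finding)
```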



Residential Cabling

I have been contacted about doing residential cabling. Does anyone have any resources about doing so? I am interested specifically in Tennessee code, but all responses are welcome.

Also, does an attic without airflow count as plenum space, or would riser cable suffice?



High RX power warning on SFP?

I have a Nexus throwing up high RX power warnings on an SFP port every 5 minutes or so. This is a single-mode run, about 500 meters away.

Ethernet3/18
    transceiver is present
    type is 1000base-LH
    name is FiberStore
    part number is SFP1G-LX-31
    revision is A0
    serial number is F175CO25721
    nominal bitrate is 1300 MBit/sec
    Link length supported for 9/125um fiber is 10 km
    cisco id is 3
    cisco extended id number is 4

           SFP Detail Diagnostics Information (internal calibration)
  ----------------------------------------------------------------------------
                Current              Alarms                  Warnings
                Measurement     High        Low         High          Low
  ----------------------------------------------------------------------------
  Temperature    30.23 C       100.00 C   -50.00 C      85.00 C    -40.00 C
  Voltage         3.34 V         3.79 V     2.80 V       3.46 V      3.13 V
  Current        15.00 mA       90.00 mA    0.00 mA     85.00 mA     0.00 mA
  Tx Power       -5.91 dBm      -1.50 dBm -10.50 dBm    -3.00 dBm   -9.03 dBm
  Rx Power       -4.94 dBm  +   -3.00 dBm -26.98 dBm    -5.00 dBm  -23.97 dBm
  Transmit Fault Count = 0
  ----------------------------------------------------------------------------
  Note: ++  high-alarm; +  high-warning; --  low-alarm; -  low-warning

No warnings on the remote side, but this is the transceiver info:

ITU Channel not available (Wavelength not available),
Transceiver is internally calibrated.
mA: milliamperes, dBm: decibels (milliwatts), NA or N/A: not applicable.
++ : high alarm, +  : high warning, -  : low warning, -- : low alarm.
A2D readouts (if they differ), are reported in parentheses.
The threshold values are calibrated.

                              High Alarm  High Warn  Low Warn   Low Alarm
          Temperature         Threshold   Threshold  Threshold  Threshold
Port      (Celsius)           (Celsius)   (Celsius)  (Celsius)  (Celsius)
--------- ------------------  ----------  ---------  ---------  ---------
Gi1/0/49    32.3                100.0       85.0      -40.0      -50.0

                              High Alarm  High Warn  Low Warn   Low Alarm
          Voltage             Threshold   Threshold  Threshold  Threshold
Port      (Volts)             (Volts)     (Volts)    (Volts)    (Volts)
--------- ---------------     ----------  ---------  ---------  ---------
Gi1/0/49  3.34                  3.79        3.46       3.13       2.80

          Optical             High Alarm  High Warn  Low Warn   Low Alarm
          Transmit Power      Threshold   Threshold  Threshold  Threshold
Port      (dBm)               (dBm)       (dBm)      (dBm)      (dBm)
--------- -----------------   ----------  ---------  ---------  ---------
Gi1/0/49   -6.3                 -1.5        -3.0       -9.0      -10.5

          Optical             High Alarm  High Warn  Low Warn   Low Alarm
          Receive Power       Threshold   Threshold  Threshold  Threshold
Port      (dBm)               (dBm)       (dBm)      (dBm)      (dBm)
-------   -----------------   ----------  ---------  ---------  ---------
Gi1/0/49   -5.2                 -3.0        -5.0      -24.0      -26.0

I've replaced the SFPs on both sides with no luck; what should I try next? I was going to try replacing the patch cables tomorrow.
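An added example (constructed here, not part of the post or of either vendor's software): a small evaluator that applies the DOM readings and thresholds quoted above and reproduces the flag column NX-OS prints, plus a consistency check between one side's Tx level and the other side's Rx level. The two readings tables are transcribed from the output in the post; the comparison being inclusive at the threshold is an assumption.

```python
"""Evaluate SFP digital-diagnostics (DOM) readings against the alarm and warning
thresholds reported by 'show interface transceiver details'."""
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Thresholds:
    high_alarm: float
    low_alarm: float
    high_warn: float
    low_warn: float


def dom_flag(value: float, t: Thresholds) -> str:
    """Return the flag NX-OS prints beside a reading: '++', '+', '-', '--' or ''.

    Alarms take precedence over warnings. Thresholds are treated as inclusive here
    (an assumption; the exact comparison is firmware behaviour).
    """
    if value >= t.high_alarm:
        return "++"
    if value <= t.low_alarm:
        return "--"
    if value >= t.high_warn:
        return "+"
    if value <= t.low_warn:
        return "-"
    return ""


def evaluate(readings: Dict[str, float], thresholds: Dict[str, Thresholds]) -> Dict[str, str]:
    """Flag every reading; the result mirrors the flag column of the NX-OS table."""
    return {name: dom_flag(value, thresholds[name]) for name, value in readings.items()}


def implied_span_loss_db(far_end_tx_dbm: float, near_end_rx_dbm: float) -> float:
    """Loss the fiber appears to introduce in one direction (far-end Tx minus near-end Rx).

    Fiber only attenuates, so a negative result means the two DOM readings cannot both
    be accurate: typically a calibration offset between the optics, or readings taken
    at different times.
    """
    return far_end_tx_dbm - near_end_rx_dbm


# Transcribed from the Nexus (Ethernet3/18) output in the post: value, then thresholds
# in the order high alarm, low alarm, high warning, low warning.
LOCAL_READINGS = {"Temperature": 30.23, "Voltage": 3.34, "Current": 15.00,
                  "Tx Power": -5.91, "Rx Power": -4.94}
LOCAL_THRESHOLDS = {
    "Temperature": Thresholds(100.00, -50.00, 85.00, -40.00),
    "Voltage": Thresholds(3.79, 2.80, 3.46, 3.13),
    "Current": Thresholds(90.00, 0.00, 85.00, 0.00),
    "Tx Power": Thresholds(-1.50, -10.50, -3.00, -9.03),
    "Rx Power": Thresholds(-3.00, -26.98, -5.00, -23.97),
}

# Transcribed from the IOS (Gi1/0/49) output on the far end; note its columns are
# ordered high alarm, high warning, low warning, low alarm.
REMOTE_READINGS = {"Temperature": 32.3, "Voltage": 3.34, "Tx Power": -6.3, "Rx Power": -5.2}
REMOTE_THRESHOLDS = {
    "Temperature": Thresholds(100.0, -50.0, 85.0, -40.0),
    "Voltage": Thresholds(3.79, 2.80, 3.46, 3.13),
    "Tx Power": Thresholds(-1.5, -10.5, -3.0, -9.0),
    "Rx Power": Thresholds(-3.0, -26.0, -5.0, -24.0),
}


if __name__ == "__main__":
    print("local :", evaluate(LOCAL_READINGS, LOCAL_THRESHOLDS))
    print("remote:", evaluate(REMOTE_READINGS, REMOTE_THRESHOLDS))
    # Cross-check each direction of the link against the other side's transmit level.
    print("remote Tx -> local Rx loss (dB):",
          round(implied_span_loss_db(REMOTE_READINGS["Tx Power"], LOCAL_READINGS["Rx Power"]), 2))
    print("local Tx -> remote Rx loss (dB):",
          round(implied_span_loss_db(LOCAL_READINGS["Tx Power"], REMOTE_READINGS["Rx Power"]), 2))
```

Run as-is it reproduces the single "+" on the local Rx reading and no flags on the far end, and both implied span losses come out negative, which says the two optics' power readings cannot be compared directly.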



NAT through pfSense question

Hi guys

Consider this scenario if you will:

  HQ Network: 192.168.10.0/24
  Branch LAN Network: 192.168.20.0/24
  Branch Server Network: 192.168.30.0/24

We have a site to site VPN between HQ and Branch, and both networks can communicate fine.

We need to get access to the Branch Server Network from HQ. Currently, the router between the Branch LAN and Server networks does not have a static route or ACLs in place to allow HQ to communicate.

I have set up a pfSense router on a VM on the Branch LAN. It has one interface so far, WAN, that has a static IP on the Branch LAN.

Is it possible to set up NAT such that any traffic coming from 192.168.10.0/24 will appear to be the pfSense router, which has a branch LAN IP, and would then be able to access the branch Server Network?

It seems rather trivial: I set a static route in HQ's router for Branch Server Network pointed at our VPN router on HQ side.

That VPN router sees the Branch Server Network advertised by the Branch VPN router.

The branch VPN router has a static route for the Server Network pointing to pfSense.

pfSense has a static route to the server network through the router that separates the two branch networks.

I set up an Outbound NAT rule on pfSense so any traffic from HQ will be translated to the pfSense WAN interface.

I also set up firewall rules all along the way to allow the traffic.

I can ping all the way up to HQ from pfSense, and back. I can ping the server network from the pfSense, but not from HQ or either of the VPN routers. Seems like I maybe have something misconfigured on the pfSense, but I have never used it before so I'm not so familiar with it. Will this setup work with a single NIC on pfSense? It would not allow me to have two IP addresses in the same subnet on two NICs.

What am I missing here?!



Thoughts on Single Strand, Bidirectional SFPs

Current network infrastructure has about 15 sites in a fiber ring. Need to support two major customer networks, so first look was MPLS. Equipment upgrade would be about $200k. We could split the fiber strands and run BiDi SFPs...anyone have any experience with these? Price for that solution would be about $70k, but something in the back of my head says "Don't do it...you'll regret this"

Anyone have experience with it or thoughts? Thanks!



Palo Alto route selection

I had an issue just now where several of my PA200, PA220 and PA500 routers started using the wrong interface and zone for DHCP traffic. After several hours of investigation and an hour on the phone with PA it was determined that the cause of this was that our specific route, and the default route had the same metric.

My understanding, and the understanding of others I work with, is that the most specific route wins, or in the case of a conflict it will use the metric. PA tech support is telling me that the metric conflict caused the problem.

I didn't set up these routes so I'm not sure there's a good reason to keep all of the metrics the same, but I also don't understand why it would start to fail in this way all of a sudden in the absence of any changes or updates.

Any thoughts?
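To make the selection order the post describes concrete, an added example (constructed here, not Palo Alto's implementation and not from the post): a route lookup that ranks candidates by prefix length first and consults the metric only between equally specific routes, so a default route and a specific route carrying the same metric never compete on metric. Prefixes, next hops and interface names are made up.

```python
"""Route selection: longest prefix match first, metric only as the tie-breaker."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    interface: str
    metric: int


def build_route(prefix: str, next_hop: str, interface: str, metric: int) -> Route:
    return Route(ipaddress.IPv4Network(prefix), next_hop, interface, metric)


def ranked_candidates(table: List[Route], dst: str) -> List[Route]:
    """All routes covering dst, best first.

    The sort key is (longer prefix first, then lower metric): the metric is only
    ever compared between routes of identical prefix length, so 0.0.0.0/0 cannot
    outrank a /16 merely because both carry metric 10.
    """
    addr = ipaddress.IPv4Address(dst)
    covering = [r for r in table if addr in r.prefix]
    return sorted(covering, key=lambda r: (-r.prefix.prefixlen, r.metric))


def select_route(table: List[Route], dst: str) -> Optional[Route]:
    """Return the route a forwarding decision would use for dst, or None."""
    ranked = ranked_candidates(table, dst)
    return ranked[0] if ranked else None


# Constructed table resembling the situation in the post: a default route and a
# specific route toward a DHCP server's network, both with metric 10, plus two
# equally specific /24s that differ only in metric.
ROUTES = [
    build_route("0.0.0.0/0", "203.0.113.1", "ethernet1/1", 10),
    build_route("10.50.0.0/16", "10.0.0.2", "ethernet1/2", 10),
    build_route("10.50.7.0/24", "10.0.0.3", "ethernet1/3", 50),
    build_route("10.50.7.0/24", "10.0.0.4", "ethernet1/4", 20),
]


if __name__ == "__main__":
    for dst in ("10.50.1.9", "10.50.7.40", "8.8.8.8"):
        best = select_route(ROUTES, dst)
        print(f"{dst:<12} -> {best.prefix} via {best.next_hop} on {best.interface} (metric {best.metric})")
```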



OSPF Dead Timer

On my router, when I disable a link, should the OSPF reconverge right away, or does it have to wait for the dead-timer to expire?

From what I've found online, it seems that if the interface is disabled, OSPF should start right away.



Interview preparation

Hi, I'm new to the IT domain and I got an entry-level job in a really big IT company. I am not happy where I am, since it's pretty much a ticket farm / script monkey job, and told my boss I was leaving yesterday.

I also told one of my friends who is a security analyst, and he did something really nice for me. We took CCNA together and he knows I learn really fast and I want to learn more and have a more challenging job, so he reached out to his contacts and got me an interview.

The problem is, the interview is tomorrow and they are supposed to ask me around 20 technical questions, and I don't think I am ready for this. I did not finish my CCNA yet and have barely worked in the IT domain. The interview is for a level 2 network-only job. I would like to know if there are any tips you could give me on what to study more or what I should put emphasis on.

Thanks a lot and sorry about my poor English, Canadian French Fry here!!!



PSA: Nexus 9000v - able to default an interface from enable mode

Considering the 9000v is really only for labbing this isn't a huge deal, but I was able to default an interface from enable mode... config mode is not required.

I tried this on production N9Ks running code 7.0.3.I2.4 and this wasn't possible.

NX-OSv 9000 image version 7.0.3.I7.1

NX-OSv9K# conf t
Enter configuration commands, one per line. End with CNTL/Z.
NX-OSv9K(config)# int e1/10
NX-OSv9K(config-if)# description TEST-DEFAULT
NX-OSv9K(config-if)# switchport mode trunk
NX-OSv9K(config-if)# end
NX-OSv9K#
NX-OSv9K# sh run int e1/10

!Command: show running-config interface Ethernet1/10
!Time: Wed Nov 8 19:08:24 2017

version 7.0(3)I7(1)

interface Ethernet1/10
  description TEST-DEFAULT
  switchport mode trunk

NX-OSv9K# default int e1/10
NX-OSv9K#
NX-OSv9K# show run int e1/10

!Command: show running-config interface Ethernet1/10
!Time: Wed Nov 8 19:08:36 2017

version 7.0(3)I7(1)

interface Ethernet1/10

NX-OSv9K#


Security layering, why?

Can someone please explain to me the point of security layering? Take a scenario where you have two firewalls: one north that connects to the circuit, with a south interface that connects to a DMZ, then another firewall that has an Untrust interface in that DMZ with the trusted networks south of it. I understand that it fully segregates the DMZ from the trust networks, but this same thing could be achieved with simple security levels on an ASA, or zone policy on a Palo Alto.

In what scenario could a business be attacked and this be of use? At the moment, I only see that it's more expensive and more difficult to manage, meaning you have two rule bases to maintain.

Thanks in advance!



How to make money with www.fyi.to for FREE? Don't miss this internet gold rush

Well first of all I spent time looking at what other people are having success with. At the same time I spotted an awesome product that helped me create animated videos really quickly. So the idea for my gig was born – I’m going to create a video animation service offering things like whiteboard videos, 3D animation videos, hand drawn videos etc.

To know more, watch this: https://www.youtube.com/watch?v=LtqcHaAEI2Y&t=78s



Can I get some suggestions for switch upgrade for my company? (something better than Dell PowerConnects)

I work at an SMB with around 100 users and about 250 devices total and we are due for a hardware refresh, mainly the network switches. We currently have six network closets that all connect back to a main network stack, back in our server/networking room.

Currently all of our closet switches are Dell PowerConnect 5524's or 5548's and they all connect back to a stack of 4 Dell N3048's via port channels/LAG groups over 2-4 Cat5e cables (I'm hoping to eventually connect the switches via fiber at some point but it will require a lot of ceiling-crawling).

I always hear bad things about these Dell switches and they've been good enough so far, but I'm thinking we'd be better to go with something by Cisco. Any suggestions? It doesn't have to be Cisco.



A won't-break-the-bank rollover 4G-LTE connection

Just as the title says, after Monday's fiasco and Comcast today and a month ago, I need to look into 4G-LTE rollover. My routers are 2-WAN ready and already support a USB 4G-LTE modem.

The problem: I need to not break the bank. The company has 3 offices, but only one office is used each day; they move from office to office. So while in reality it is one company with 3 offices, on any given day it is run like one company with one office, so already we have redundancy on equipment that does not get regular use.

No second wired options besides enterprise business fiber at hundreds of $$$ in the area, so we can't do Comcast and Fios; we would have to do Comcast and Verizon Business Class/enterprise Ethernet over fiber.

So what are my cheapest reliable options? To tell the truth, in the last 5 years Comcast has been good, with only minor short problems, but it has only been in the last 6 months that we have had very disruptive problems.

2 offices are used twice a week while one office is used once, as that one is on Verizon Business Fios and not as important, and we can hit Xfinity hotspots in the building with laptops to get us through there.

I just hate paying for more overhead with failovers when it is a part-time thing, and especially when offices are part-time. But I need to do something.

Any pay-what-you-use? Any with a minimal monthly and a higher fee when used, but not so high it would cost more than having a regular month-to-month? Say we are talking, depending on the office and the downtime of the primary, a wide range of 3-10 gigs any time it rolls over.



ProCurve 4208 QoS

A company we acquired has some 4208s on site that they claim are configured for QoS, but looking at the configuration it looks very minimal, and I'm wondering if QoS is actually in place.

There are a few "qos dscp-map" commands, but that's it. From what I understand from the documentation this basically just associates a DSCP value with an 802.1p value, but doesn't actually do any traffic prioritization.

It'd be conceivable for prioritization to happen if the priority values were defined by default or something, like, "priority 7" for example is always treated the same way on a ProCurve, but I'm not sure if that's the case.

Can somebody definitively tell me what steps need to be taken to actually prioritize different DSCP values in different ways on a port by port basis? Are there any commands to verify that it's actually working? I don't see any reference to different queues on the interfaces at all.



ACLs for basic domain services

I have all my servers in VLAN100 and a domain computer in VLAN200. As I started out writing the ACL to allow the domain computer to get domain services (Login, DNS, DHCP, Group Policy, etc) I found that my ACL is getting really long really quickly. Do I have to write a ton of ACEs for all of these ports, or is there a more efficient way to do this? It's on an HP layer 3 switch.



Azure networking resources

Anyone able to point me in the direction of study guides/information sources on Azure networking?

I have some work allowing traffic from our DC to Azure but can't for the life of me work out some odd bits. For example, there are a number of subnets in Azure which I need to get data to, but they don't have any VPN gateways configured.



What is the window size when referring to sliding window protocol?

I understand that the sliding window protocol is used with in-order delivery. Is the window size how many packets can be transmitted at once (how many can be sent and unresolved)? This is a small part of a larger assignment calculation, but knowing this bit and understanding it is somewhat key.

Thanks!



Newb questions about setting up a small office network

This is my first time doing something like this, so it's pretty much a 'learn as I go' process for me. I'm trying to set up a small office (5 PC's) network. I already bought a server and a couple of other things. The equipment that I have as of now:

  1. Dell PowerEdge T30 (no OS)
  2. Netgear GS105 switch
  3. Necessary cat5e cables

I was also thinking about getting a router, but I'm not sure whether I need it (we already have a modem that comes with our internet package)

Another thing is that the server comes with no OS, and I'm not sure what kind of OS I should get. I want to be able to do the following:

  1. Make certain computers only be able to open certain files but not change them (for example quickbooks, excel files) etc.
  2. Have another computer in a different building also have access to the server.

So here are my questions:

  1. Is that something I can do with any OS or do I need to buy Windows Server, and if so, which version?

  2. If I need a router, what's the best option?

Thank you in advance



100G fiber test equipment?

We are looking at test equipment for troubleshooting and testing fiber for 100G usage. I've seen one or two techs from other companies come with one of these:

http://ift.tt/2zGLfwh

Anyone have experience with this or something similar that you love, hate, or live with but find useful?



Extremely simple fiber question:

Okay I'm retarded. I'll fully admit this so anyone can call me extra retarded off this question:

So I'm 80% sure I have a network engineer from another company screwing with me because I'm an idiot but I'm wanting to confirm I'm not actually as retarded as I think or find out how dumb my questions can go.

Essentially they're installing a jumper to get from our patch panel to our rad location.

Our rad is 1gps 205/ac

The transceiver we install is:

SFP, 1000bit, 1310nm

specifically sfp 1000sfp31b20l cmcp from champion one

Now I know for a fact we typically use MM fiber jumpers over these short runs (sub 300 ft). The loss under 500 m for OM3 or OM4 should be negligible. It shouldn't matter, right?

We could also use 1310nm SM fiber to that transceiver... right?

Now I don't know the fiber patch panel connector (sc/lc) off the top of my head and for what it is worth it's mixed in my area so I do need to check that out.

But when I told this guy essentially "we normally use MM fiber for jumpers. SFP connectors at the ISP end, and I'll have to check at the OSP end. We use a 1000/SFP/1310 transceiver so we could use SMF 1310" and he replies with:

"Get the connector type LC or SC, om3 vs 4, and fiber type sm and wavelength" I've given that information... right?

OM3 vs OM4 won't matter on this run... sub 500 ft and only a max load of GbE. I don't think I've ever run across OM1 or OM2 MM fiber, but I'm an idiot so what do I know.

We can and have mixed SMF and MM OM3/OM4 fiber with minimal loss.

We use SFP connectors on the ISP end, but I do concede I have to check LC/SC...

What have I missed here...



HPE/Aruba dethroned Cisco for the first time ever according to Gartner’s report.



Setting up a new Linksys AC2600 router - isn't it bad that linksyssmartwifi.com is an 'unsecured' site?

It wants me to create all my new wifi passwords and everything on this 'unsecured' site - isn't that unsecure and a red flag?



Anyone familiar with FRR in either MPLS-IP or MPLS-TP (or both)?

I come from an MPLS-IP background, have never worked with MPLS-TP, but my new job is requiring me to learn about it. I came across some 4-5 year old internal documentation that I don't think is correct, but I don't know if it's incorrect because it's old and things have changed or if this documentation has always been wrong. I've tried to do some reading but have already spent maybe 2 hours on this and haven't found anything that would tell me one way or the other, and I don't want to spend too much more time on this right now, so if someone who knows FRR in MPLS-TP can chime in here that would be great.

The first thing I thought was odd was a warning that FRR could cause conflicts with ERP. I was told that in the MPLS-TP world FRR actually builds backup LSPs so they're ready in the event that a change in the path occurs. In my experience that wasn't the case in MPLS-IP.

I don't remember ever needing to look up an equivalent command in Cisco IOS, but for example in Alcatel TiMOS you could do a command show router mpls lsp <LSP ID> path <PATH ID> detail and the output would show you every hop and whether or not it had node and/or link protection. Example:

Actual Hops :
    10.20.1.1, If Index : 2 @ n             Record Label        : N/A
 -> 10.20.1.2, If Index : 2 @ n             Record Label        : 131071
 -> 10.20.1.4, If Index : 2                 Record Label        : 131071
 -> 10.20.1.6, If Index : 2                 Record Label        : 131071

... now maybe ALU was building backup LSPs in the background and simply grouping them under the one LSP being shown to the user, but I don't have ALU support where I am now so I can't go ask. So I accepted the answer I was given - that MPLS-TP does build these LSPs in advance - and moved on with my reading.

Next this internal documentation says FRR only protects the next segment/link or the next hop along the LSP, and that in order to protect later hops/links other workarounds are needed. Again, going back to the ALU command I just mentioned the output clearly showed whether or not there was node or link protection for every hop along the path (the @ and n in the output above).

So then I'm wondering if these differences are just due to vendor-specific implementations that don't exactly follow the RFCs or is this part of the FRR RFCs? In the very first RFC I can find regarding FRR (RFC 5286) I see this: "The alternate next-hop can protect against a single link failure, a single node failure, failure of one or more links within a shared risk link group, or a combination of these."

That RFC hasn't been obsoleted so I think I'm safe in thinking the internal documentation I'm reading is either incorrect or a vendor specific implementation, but to be certain I'd have to read about 250 pages of RFC docs. Hopefully one of you out there can narrow my search or has already been down a similar rabbit hole and can share your results?



Cabling question - 10 Gigabit Ethernet Dual Port SFP+ TWINAX

I am new to networking and am not sure I understand what "10 Gigabit Ethernet Dual Port SFP+ TWINAX" is.
This is for a backup server we're looking to get to hook up for backing up to.
Does this just mean we can use a 10GB switch? Is any special cable or transceiver needed?



pfSense - Cisco Aironet AP's (only 1 works, all identical)

We have a pfSense server with several VLANs configured on it, and this pfSense is directly connected to several Cisco APs. Cisco AP configuration is basically an SSID and a VLAN number.

I recently upgraded all APs due to the KRACK vulnerability.

AP001 works fine. I have exported running-config to a configfile. AP002 is completely reset/cleared and configured from the same configfile (copy tftp: running-config).

Result: AP001 works fine. AP002 does not work at all. Same goes for any other AP. It kinda drives me crazy.

Any suggestions why this is no longer working? Should I be looking at pfSense or the APs? There is nothing specific configured for any AP in pfSense.

<code>
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP001
!
!
logging rate-limit console 9
enable secret 5 xxxxxxxxxx
!
no aaa new-model
no ip source-route
no ip cef
!
!
!
!
dot11 pause-time 100
dot11 syslog
!
dot11 ssid MY-SSID-1
 vlan 2
 authentication open
 authentication key-management wpa version 2
 mbssid guest-mode
 wpa-psk ascii 7 xxxxxxxxxxxx
 information-element ssidl advertisement
!
dot11 ssid MY-SSID-2
 vlan 9
 authentication open
 mbssid guest-mode
 information-element ssidl
!
!
!
no ipv6 cef
!
!
username Cisco privilege 15 password 7 xxxxxxxxxxxx
!
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 ssid MY-SSID-1
 !
 ssid MY-SSID-2
 !
 antenna gain 0
 mbssid
 station-role root access-point
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 spanning-disabled
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
!
interface Dot11Radio0.9
 encapsulation dot1Q 9
 no ip route-cache
 bridge-group 9
 bridge-group 9 subscriber-loop-control
 bridge-group 9 spanning-disabled
 bridge-group 9 block-unknown-source
 no bridge-group 9 source-learning
 no bridge-group 9 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface GigabitEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 spanning-disabled
 no bridge-group 2 source-learning
!
interface GigabitEthernet0.9
 encapsulation dot1Q 9
 no ip route-cache
 bridge-group 9
 bridge-group 9 spanning-disabled
 no bridge-group 9 source-learning
!
interface BVI1
 mac-address xxxxxxxxxxxx
 ip address dhcp client-id GigabitEthernet0
 no ip route-cache
!
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://ift.tt/1M5jmKo
!
!
snmp-server community public RO
bridge 1 route ip
!
!
!
line con 0
 password 7 xxxxxxxxxxxx
line vty 0 4
 password 7 xxxxxxxxxxxx
 login local
 transport input all
!
end
</code>