Saturday, November 18, 2017

Network noob here, what's the general opinion on Aryaka?

My company just started moving to Aryaka from MPLS. The first few offices have had mixed results. I just want to know how experienced network techs feel about it. Have people had good experiences?



What IT networking certification/course can be done after completing CCNA R&S? Please see comments for details of my question

I am an engineer with 5 years of experience in the IT networking domain. I have taken a break for the past 3 years and am now looking to get back into the IT networking industry again; I have recently re-certified CCNA R&S. What certification/course can be done to enhance my employability, considering my break and the current situation of the Indian IT industry?



Two domains and two web servers, one forward facing IP.

I have two web servers running on the same LAN and two domains both pointed at the forward-facing IP, but I am unsure how to set up each domain to point to the respective web server. I think I am supposed to use a reverse proxy? I have a Windows Server 2012 R2 system running a DNS server if that can be used to help.

Sorry if this question is too entry level for this sub.



Managed Switches and Subnet Masks

I recently purchased a managed 24-port Ubiquiti EdgeSwitch. I have two separate networks with two different masks (255.255.255.0 and 255.0.0.0). I'm trying to get these two networks to communicate over the new switch, but I must be missing something. I've narrowed it down to the masks being different, and I know I must be missing a setting within EdgeMax. Any ideas?



Learning about Blueprints/Floor plans in networking?

Hey everyone.

In my previous role, I worked at a credit card processor in a single data center with no construction ever. Now in my new role as a Network Analyst, I deal with a lot of floor plans/blue prints in CAD. It's been over 15 years since I've dabbled in some AutoCAD and read prints. Is there somewhere where I could get a crash course on learning to read prints and understanding the different Icons/hashed areas/etc.? Just out of curiosity, is this something other network analyst/engineers do or deal with regularly?



Home Networking - VLAN help needed

I'm a noob when it comes to Networking. Currently all I have is a Verizon provided router.

I plan on getting the Netgear Arlo Pro 2 camera system (for security reasons I wanted to put them on a separate VLAN).

I want to create 3 VLANs for: personal electronics / guests / Arlo cameras.

How would I go about doing this?

From what I've read I was thinking of buying a new wireless router (to use as a WAP) and an L3 switch (to create the VLANs). Is that right? Do I need other equipment? Any recommendations?

Thanks in advance.



Today is the day we multihome BGP.

In about a half an hour, we're going to turn up two new Internet connections to our campus. When it's finished, we'll be running multihomed BGP across two ISPs. And I'm getting a little nervous. We did as much testing as we could earlier in the week, but we had propagation issues: first we only advertised a /26 (which Cisco Advanced Services didn't make us aware was an invalid advertisement) and then when we fixed it, some sort of autosummary occurred and we took ourselves down.

Twice.

In twelve hours.

These are things that happen. Outages were less than 10 minutes each time but felt like forever. Comcast says they're not summarizing, our other ISP says they're not, so maybe that was out of our hands. Short of really digging into it and keeping the whole place offline we were up a creek. Seemed like we blackholed to the new router, which wasn't linked to the production network. But while we were up on that link, testing was fine.

So we're going full speed ahead: advertise the full route everywhere, the specific NAT pools at each router, and see what happens. I think we'll be OK. We don't have a lot of BGP experience, but techs from both ISPs will be available, and it's pretty straightforward.

The scotch is at the ready for when I get home.

We who are about to die salute you.



Networking Course Project: Calendar about implementation

Hey! I'm a computing student, and in my network class I have to do a project. I'm stuck on generating a calendar of timings for the network installation.

The company has 50 employees, and the actions detailed in the plan are: upgrade copper to fiber, add switches, add a local backup server, and add two access points for a better WiFi connection.

I have to generate a calendar with dates showing how long it will take to do these tasks.

-> Question: Does anyone know where I can find info about "timings", or have any idea how I can come up with info like this that is reasonably close to reality? Any idea?



Macro help

I am trying to utilize a macro that inserts the #interface range [shit ton of ports] on a switch, as I use them often. Is there any way to do this?

I tried

#macro name allports int range gi1/0, etc..... @ 

but when I'm in config mode and use #macro global apply allports

I do not go into interface range config mode. Am I doing this wrong?



Network fails after implementing firewall

Information:

  • Yellow = VLAN50
  • Brown = VLAN 30
  • Pink = VLAN 20
  • R1 has NAT configured and has a connection to the internet via f0/2
  • R2's interface f0/1 has subinterfaces for each vlan
  • H1 is a host we connected to f0/0 instead of R2 to check if this host could reach the internet, it couldn't.

So for school we have to set up this network. We had the entire network working, with all hosts able to access the internet, without the firewall inserted. But then we inserted the firewall (pfSense) into our network and nothing worked. The firewall allows everything right now in both directions, for troubleshooting reasons. What can we do?

  • R1 can ping F's f0/1 and F's f0/0

  • F can ping R2's f0/0 but not a single subinterface

  • H1 could ping F's f0/1 but not R1's f0/1

  • R2 can ping F's f0/0 and f0/1 but not R1's f0/1

  • All possible ACLs etc. are configured to allow everything right now

  • IP addressing is correct (we are sure of this)

  • Every router has a default route to the next interface that goes outside, and routes to the inside network on the next inside interface

  • When we check our firewall, traffic is passing through it every second

  • For some reason our firewall keeps pinging the next device that's connected on f0/0; we do not know why, but do not think this is relevant to the problem.

Any ideas what we may have overlooked? We think the problem must be related to R1 or our Firewall somehow.

If there is anything I did not explain clearly, or some information you want to know, ask away. I'll probably be able to give it to you, and if not, next Monday we're able to test again, so I'll have the info then.



Facebook open-sources Open/R: Open routing for modern networks



Common latency for router-hops

The answer is not straightforward, but what latency can you expect on a fibre-based router hop?

Some say you should add at least 1 ms for each NIC/router, but of course for longer WAN links you also need to think about the distance...

Does anyone have any articles or literature to recommend regarding this topic?



Friday, November 17, 2017

Finding my port on Brocade

The switch is a Brocade ICX 7250. I have some AV equipment patched into a switch and I need to get them onto another AV-only switch. How can I find out which port my devices are connected to using Wireshark? I have no access to the interface of the switch. I did this once with Cisco and CDP. Any help or ideas much appreciated.



ASA transparent mode subnet misunderstanding

Hey all, trying to get transparent ASA deployment down and I'm hitting a road block concerning something that I feel should work, but does not.

Setting the ASA with ROUTER(subnet-A)------------ASA(subnet-A)------------ROUTER(subnet-A) works just fine. Traffic can traverse from router to router.

But when I do ROUTER(subnet-A)------------ASA(subnet-B)------------ROUTER(subnet-A), no traffic flows. Is the ASA not operating in promiscuous mode, or something similar that I'm not understanding? My plan was to configure the LAN router with a secondary address on its WAN interface to allow me to still access the ASA, such as ROUTER(subnet-A)------------ASA(subnet-B)------------ROUTER(subnet-A + secondary address on subnet-B)

What am I missing here? Is this even possible?



How do I setup Network Automation using Windows

I'm trying to learn about network automation with Python, but I am at a complete loss. I am on a Windows 10 workstation; I have downloaded and installed Python and have used IDLE to create local scripts, but can't for the life of me figure out how to install modules. I've read Intro to Python Networking and netmiko, but I'm coming up blank. I can't seem to get the module to install. Is there an ELI5 document, or can someone point me in some direction?

Thanks!



Throughput, fabric speed and marketing numbers

Reading through various vendors' numbers for their fabric speed gets a little confusing. For instance: http://ift.tt/2hIS21e

This is a pretty simple system, it has 2 line cards with 480 Gbps of Full-Duplex throughput per card. What becomes a little confusing is that the total system throughput is 1.92 Tbps, which I assume is all duplexes in/egressing the fabric.

When sizing up these systems is it always generally a case of just doing the math which is simply working up from the card and making sure all the numbers check out for the equipment facing ports? (e.g. 480 Gbps, 480 in/out over 2 cards = 1920 Gbps)

Realistically the unit can only handle 480 Gbps of Full-duplex traffic from the port perspective as the inputs have to match the outputs.

A simple example of a switch with 2 line cards of which the interfaces are 1 Gbps each. My system will be able to achieve 1 Gbps Full-Duplex traffic. But each of those cards will need 1 Gbps into the backplane (2 Gbps) and if we wanted to say that each of those 1 Gbps links into the backplane needs in/egress traffic that's 4 Gbps. Which I assume 4 Gbps is the marketing number used on the quoted system throughput?

  • I assume this is more of a problem on systems in which the fabric isn't at line rate to the interfaces like older equipment cat4500/6500?
  • Is this just a typical annoyance because there is no real definitive way to say "this does linerate" without just adding up all the speeds and feeds?
  • In regards to a sizing exercise (like if you were sizing this for a client) would you have to work backwards to end up with my calculation of 480 Gbps in order to realise if the device suits your needs? Anything above this number doesn't seem to represent a useful value for traffic transiting between networks.

Edit: I guess I was really after figuring out what real world traffic could be pushed through the device.

(slots / 2) * linecard speed = Maximum transit traffic through device? 


Any network engineers moved totally to the cloud?

My company currently has 2 datacenters, a primary and a DR site. We're a pretty small shop and are considering moving to the cloud and doing away with the datacenters. We're in the process of moving to Office 365... so that's one less thing that will be in our datacenter. I think right now we're looking at Azure and using a virtual circuit on our MPLS network to connect. Curious if any of you have gone through a similar transition or are currently totally in the cloud. I do like having stuff to do and would be a little concerned that my skills would atrophy. I currently manage our Nexus 7k/9s, ASAs, CUCM etc....



Can I make a report in PI 3 to show when APs were first registered?

I've been asked to come up with a history of sorts to show AP density growth over time.

I can probably manually create this from the depths of my email but I figured Prime should know when APs first come online - the question is does it save that and can I get it out with a report somehow?

I tried a few likely suspects in the Reporting Launchpad: AP Summary, Inventory, Wireless Uptime - but none of those are what I need.

Is this even possible or should I give up now?



My WAN at my colocated server

I noticed that I am paying for only 3 IP addresses but they give me a /29, which consists of 6 IP addresses (I think). For example, my addresses look like this:

  • 10.0.0.1 Gateway
  • 10.0.0.2 edgefirewall1
  • 10.0.0.3 edgefirewall2
  • 10.0.0.4 hpILO

I noticed there is an IP that responds to ping on 10.0.0.6. I do not own that IP. Could I be held responsible for that?

Also, I can use 10.0.0.5 and have an edgefirewall3 router there with no problem. Is this because they just don't lock things down? Is there something I can do to tell if they will find out? Change my MAC address every month or week?

Has anyone else experienced this before?



Is there a way to deny traffic for a certain html5 app that is using SSL

I'm trying to see if it'd be possible to deny traffic for Apache Guacamole http://ift.tt/1NE8RU8 without relying on SSL interception. As far as I know, there wouldn't be a way to do so without having something running on the end-user machines to detect the app when it's run from a browser. This application can be run from any address/URL, so it's not like I can just block specific IPs.



ASA, how to tell how fast your tunnels are going

It seems that Cisco doesn't have a way to give you this answer. They can tell you how many packets/bits have been transferred, but not how fast. I see third-party programs want money to give you this info. So I'm going to dive into a few math books and figure out one simple question: if I last had X packets 1 minute ago, and now I have Y packets, how fast am I going? Before I dig further, has anyone solved this issue?
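The rate question above is a counter-delta problem: the ASA's per-SA counters are cumulative, so throughput is (new - old) / interval, with two traps worth handling (a 32-bit counter wrapping, and a counter reset after a rekey or reboot). The following is an added example, not code from the post; the `show crypto ipsec sa` fragment is constructed, and the byte counters are assumed to come from a source such as SNMP interface counters.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed fragment in the style of the ASA's `show crypto ipsec sa`
# counter lines (not a real capture). The device only reports cumulative
# packet counts per SA; the rate has to be derived from two polls.
SAMPLE_SA_OUTPUT = """\
      #pkts encaps: 12345, #pkts encrypt: 12345, #pkts digest: 12345
      #pkts decaps: 9876, #pkts decrypt: 9876, #pkts verify: 9876
"""

PKTS_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")


def parse_sa_packets(text: str) -> Dict[str, int]:
    """Return {'encaps': n, 'decaps': n} (outbound / inbound packets)."""
    return {direction: int(count) for direction, count in PKTS_RE.findall(text)}


@dataclass(frozen=True)
class Sample:
    """One poll of a tunnel's cumulative counters."""
    timestamp: float  # seconds, from time.time() or a monotonic clock
    packets: int      # cumulative packets, e.g. the 'encaps' value above
    octets: int       # cumulative bytes (assumed to come from SNMP ifHCOutOctets-style counters)


def counter_delta(old: int, new: int, width_bits: int = 32) -> int:
    """Delta of a monotonic counter, allowing for one wrap of a width_bits counter.

    A 32-bit byte counter wraps roughly every 34 s at 1 Gbps, so poll often
    or use 64-bit (HC) counters where the device offers them.
    """
    if new >= old:
        return new - old
    return (1 << width_bits) - old + new


def tunnel_rate(prev: Sample, curr: Sample, width_bits: int = 32,
                max_bps: Optional[float] = None) -> Optional[Dict[str, float]]:
    """Bits/s and packets/s between two polls, or None if the pair is unusable.

    max_bps is the link or tunnel ceiling; a computed rate above it means the
    counter was reset (rekey/reboot) rather than wrapped, so the sample is dropped.
    """
    interval = curr.timestamp - prev.timestamp
    if interval <= 0:
        return None
    d_pkts = counter_delta(prev.packets, curr.packets, width_bits)
    d_octs = counter_delta(prev.octets, curr.octets, width_bits)
    bps = d_octs * 8 / interval
    pps = d_pkts / interval
    if max_bps is not None and bps > max_bps:
        return None
    return {"bps": bps, "pps": pps, "interval_s": interval}


if __name__ == "__main__":
    print(parse_sa_packets(SAMPLE_SA_OUTPUT))
    a = Sample(0.0, packets=1000, octets=1_000_000)
    b = Sample(60.0, packets=7000, octets=10_000_000)
    print(tunnel_rate(a, b))  # 1.2 Mbps, 100 pps over a 60 s poll
```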



Nanobeam vs NanoLocos

We've been using Nano Locos as bridges inside for a variety of reasons and they work wonderfully. Recently, we set them up to get signal to a building 200 feet away from a main facility and it worked as wonderfully as we expected it to. However, these things don't seem like they're made for outdoor use. Even though they say they are. Fast forward to three weeks later, and one has failed. I'm not sure if it was just a bad unit, or because it was outside. The master unit is under a bit of cover, but the one that failed is entirely exposed to the elements.

Someone recommended the NanoBeams to me today. Are they more reliable outside? Are the Locos NOT unreliable and I just got a bad unit?



Any good Cisco ACI training resources?

Hi Guys,

The title says it all. Could you please share your ACI training resources? Any videos, tutorials... will be much appreciated.

Thank you



Re-subnetting the entire network

I'm at a company which is in the process of growing out of the SMB phase to more of an enterprise. The boss sees that our class C subnetting scheme will eventually run out of organizational space (entire /24s were handed out for 5 devices etc., before my arrival).

This is the first time planning to re-subnet a network of this size.

VLANs were very limited, which will change with this.

My thought is to jump to a 10.X.Y.Z network (10.VlanID.SiteID.Host)

Also, do you separate your management network for servers away from your network devices? example: .70 for network gear and .74 for server management. I'm trying to push for best practices for our small enterprise.

Suggestions?



Managing a new SSID without user auth or PSK?

Hi,

We have a well established NAC that controls all our wireless authentication over RADIUS.

In order to help "split" the traffic between devices, we are looking into splitting our AD based devices into their own segregated wireless SSID/network, and to leave all other devices like our Chromebooks and iPads/Apple Macs.

The CB/Apple network is our growing concern, as they are currently using user auth through RADIUS to connect, but several users figured out they could also connect their cell phones, etc., and it's causing us a major issue in terms of bandwidth. We looked at restrictions like MAC-based ones, but that becomes an issue because we lack the human resources to properly gather all of that information.

What I want to do, and correct me if I am wrong, is to deploy through our different MDM solutions (AirWatch and Google Admin) a way for these devices to connect through their current SSID, but using something like a certificate rather than an authentication with user credentials.

Maybe I am complicating myself here, but it seems I can configure the device to connect to our SSID without the need to provide the user with any info whatsoever, simply by provisioning the device with the relevant components.

Any advice or help, maybe other ideas I am overlooking or generally if I am just talking out of my arse :)

We use AeroHive to manage our wireless infrastructure if that helps in any way.

Thanks all



Eliminating single point of failure on incoming WAN connection

I'll preface by saying I'm a "jack of all trades" person, so I have networking knowledge, but not strong networking.

At our datacenter setups, we're trying to eliminate every single point of failure.

Currently it goes like this:

Single fiber internet line > switch > dual Sonicwall HA's > core switches

That initial switch the internet line runs into is our single point of failure. What I'd like is to request two fiber runs from our ISP that are on the same circuit, then have them run into two switches which then feed the HA Sonicwalls. But I'm not sure how to accomplish that.

Is that possible? What would have to be configured to accomplish it? I just need a starting point here but I'm just not sure how something like that would be configured, what to ask my ISP for, etc.

Obviously I know there could still be a failure on the ISP's end at some point, not impossible, but my goal is to at least eliminate as many single points of failure on our end as possible.



Anyone have experience using a broker for multiple dsl/cable connections?

Is it better/cheaper than going to a carrier and getting a bundled "business dsl" for 200-300 sites? There are several of these brokers available, none of them call themselves brokers. Anything you wish you had known before signing up? Has it made life a lot easier like they all say? Was it cheaper like they all say?



Sanity Check: Seeing some strange issues with delays on inbound tcp packets.

A little back story. We started noticing an issue yesterday with our VOIP provider. Calls not establishing audio from us to our customers. We also started seeing issues with streaming data via tcp from our proprietary devices in the field. Using wireshark I was able to capture some good examples of this, but not really able to narrow down anything with the RingCentral issues. Just wanted to get y'alls opinion on potential causes.

A 100,000 ft view of our process is that we have two devices that connect to a server to transmit data from our application to the customer. They link themselves through this connection server via an application that sends data via TCP. Outbound transmissions are fine, but inbound from the server to devices on our side are seeing 2+ second delays periodically, which you can see on Time-Sequence in Wireshark. It looks like a staircase. This to me would seem to indicate a problem with the application, but when combined with the intermittent RingCentral audio issues I find it hard to believe it is just a coincidence.

Our provider found no issues on our primary circuit, but we have failed over to our backup. I am currently waiting for our devs to test and try to recreate the issue. I have not been able to find anything in our networking environments that would explain this issue. We are not doing any QoS on any of the network gear that is part of the server and device networks. We are doing QoS on the gear that transmits the VOIP connections.

I have checked all of our network monitoring and have found zero problems. I checked interfaces and found no issues. The amount of data actually transmitted by our devices is very small, but the packet count can be pretty high. No link is at more than 20% utilization except for our interfaces connected to our ISPs which sit around 30% to 40% utilization at peak times. Am I missing something obvious?



Understanding native vlan and Q-in-Q

Hi. I've been reading up on this for the last couple of days, but I still can't get the need of "switchport trunk native vlan tag" or "vlan dot1q tag native" when configuring Q-in-Q. Does the customer need it or the provider? If it's provider, then on core or edge switches? Is it always needed? And what is the actual problem this feature solves? Thanks!



Users moving cables

Hey,

I've just started at a new company that has a bunch of remote sites. One of the first things I have noticed is that we seem to get a horrible number of internal network loops from users taking it upon themselves to move desks and cables around. Our VOIP and data traffic are kept on separate VLANs and go to separate switches. It doesn't tend to be issues with the VOIP stuff; it is always the data switches that end up with a loop.

Other than a strict policy to prevent this, is my only real option to implement better port security? Presumably locking each port down to one MAC address? Or is there a better way?



Troubleshooting a WiFi environment remotely

My team and I have just taken over a large WiFi environment with end users utilising Lync for voice and video calls.

We inherited a ticket queue overflowing with reported Lync issues - bad voice quality, calls dropping out, etc. In a wired environment I would be looking at jitter/delay etc., but this is the first experience I have where all users are on WiFi trying to utilise Lync.

Are there any tools I can use to assist in t-shooting? Is there anything built into Cisco WLCs which can assist?



Thursday, November 16, 2017

Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



I made a network tools site that's actually useful to me. Hopefully you find it useful as well.

I've been programming lately because it's the future and all us network engineers are apparently out of a job... (/s)

I was playing around with node/express/react and thought I'd create a website for a couple of network tools I use:

http://ift.tt/2hyJF4w

There are tools for

  • IPv4 Subnetting

  • Converting between binary/decimal/hex

  • Converting between bits/bytes

  • DNS

  • WhoIs

  • BGPv4 prefix lookup (I know this isn't the most useful, just playing around with their API).

Warning: it's not mobile friendly, because honestly I rarely need these tools when I'm away from a computer, and if I did need them I'd prefer an app anyway (at least that's my excuse).

Running it in a Docker container on a $5 Linode VPS because why not. Pretty fun actually. One Docker container for the site, another for a reverse NGINX proxy and another container for automatically issuing Let's Encrypt certs. Using Cloudflare as a CDN.

Code is on Github here: http://ift.tt/2zKQies



Seeking script to capture output from Cisco's "show inventory"

Does anyone have a script that will export the output from the "show inventory" command to a csv file?



BGP Default route conditional advertising

I have 2 routers (R1 and R2) in separate sites; both have an internet connection (using a default static route) and are connected to the branches by BGP. I want to configure them to advertise a default route to the branches, and have all the branches use R1 as primary as long as its internet connection is active. In brief, I want to configure R1 (the primary) to advertise a default route as long as it has an active internet connection.



New Cisco WS-C3850-12XS-E, what version of IOS-XE should I run?

We received some new Cisco WS-C3850-12XS-E switches that are currently running IOS-XE 03.07.04E. I am reading that 03.07.05E is the last of this version and some of the features of 03.07.05E have been rolled into Denali IOS-XE 16. But what is Everest then? What is my best bet for moving forward while retaining feature parity? Why does Cisco make this so confusing?



Cisco Telepresence SX20 video formats?

Is there anywhere in the GUI where you can see what the video format is? H.264? Also, what would be some settings that would tweak the bandwidth so the video is not using as much? I poked around under System Configuration > Video but didn't know which one to choose under there exactly.



Laws about Plenum and Riser cable

So I just started a job at a small company and found that all the Ethernet that is running through the plenum air spaces is CMR Cat5e. Is this something that is required by law to be replaced, or what is the deal with that? I know it should be CMP, but if it's not required by law to be replaced I know this place won't do it. Let me know also if this is the wrong place to ask this question.



Windows 10 VPN DNS Issue

I have a client with a few Windows 10 laptops that are using an L2TP VPN on a Ubiquiti ERPro router. 90% of them work just fine, but I have two that refuse to grab the DNS from the VPN. They get the correct IP address and gateway but keep using the local DNS. As a workaround I tried setting the DNS on the NIC to use the DNS for the VPN, which did allow me to ping the server that I am trying to access by its DNS name, but I still cannot get the laptop to access the server through RDP or Windows Explorer. I found some articles relating to setting the connection priority of the VPN to be higher than the Wi-Fi card, which I did, and still no success. Was just curious if anyone else has had issues with Windows 10 and VPNs that could point me in a new direction to try.



Guest WLAN, what's your idea to make it?

Hello guys! I've been thinking about making a "guest WLAN". What I would like to have is, for sure, a switch which allows me to send the network signal to two access points in two separate places. The main idea of the "guest WLAN" is simple: I want to have the possibility to print e.g. 50 tickets with random or exact logins with random passwords, or just 50 separate passwords. For each login/password I want to set up a limited time during which the WLAN can be used. So after e.g. 1 h the user will be disconnected and there will be no further possibility to connect again with the same login/password to the WLAN. I was thinking about Fortinet/FortiAP, also something with Cisco hardware. I think that extended/separate firewall hardware isn't necessary. I have something in mind but I would like to see other opinions. What would you add/say about the whole idea?



Advice on cleaning up a small network left behind from previous IT

Hi guys!

I "inherited" this small network from the IT guy before me. I'm looking to both clean it up and label it so that any network problems can be dealt with more easily. I know it's a much smaller scale than some networks on here, but any pointers would be appreciated. I am currently thinking of getting a patch panel to clean up all the wires through the wall, and maybe some kind of shelf/case to lock away the equipment (yes, this is open for any employee to mess with, and yes, we have had our fair share of IT wannabes bring down the internet by messing with it). We have identical network setups at 4 other locations, and they are all in a similar state.

Also, how do you guys recommend tracing and labeling each cable? Most of these are unlabeled... any equipment or strategy recommended for this?

Any input is greatly appreciated. Thanks!

http://ift.tt/2j1csPK



NAT64/DNS64 on Windows Server?

I'm trying to set up a network (VMs on ESXi) to duplicate a customer's environment. The customer wants to have a pure IPv6 internal network and set up a NAT of some sort to talk to the outside world, which doesn't support IPv6 yet. I've been trying different things for NAT64 but none of them worked for me... Does anyone know how to set up NAT64 on a Windows Server machine?



SD-WAN: SilverPeak or Viptela

Can anyone share their experiences regarding the SD-WAN solutions from SilverPeak and Viptela? We are looking to use the hybrid solution to have MPLS and an ISP connected to all 100 locations. From a feature standpoint both of them are very similar, except for the WAN acceleration by SilverPeak. Has anyone deployed these in production? What are their pros and cons?



When to move from RIP to OSPF?

I realize the benefits of OSPF, but for one of our networks that is currently 4 remote Cisco 3750s with a 2 stack core of 3750s and handles 20 VLANs, is it worth the cost to move from IPBase to IP Services? Future projections and segmentation of our network is looking to be at most 20 (guessing 10-12 realistically) 3xxx series switches and 40 different VLANs. I didn't know if there was a nice magic number or even a given range that the change over was preferred at.



Using Ansible for out of the box switches

We've been testing out using Ansible for our configuration management for switches, but are curious how it might be used for switches right out of the box. We'd still have to touch every switch to assign an IP and enable SSH before we can get Ansible to connect to push the rest of the config. At that point, since we're touching every switch, it's not a huge amount of effort to simply paste in the rest of our config anyway. What are others doing for straight-out-of-the-box config generation?



Fiber 101?

What are some good resources for learning more about optical fiber? I've had a hard time finding any and some pointers would be appreciated, thanks



Internet WAN Connection Diversity - need help

Hello-

I have a customer that has a 1GB Fiber Option internet connection from their ISP. They pay a premium for this speed trunk, and have no backup in the event that it is down.

Uptime is key, and they are looking for redundancy. The current ISP has offered them DIVERSITY rather than redundancy...they're selling them a second 100mb circuit on the same backbone and they're indicating that it will take a different route in the fiber network to give them guaranteed uptime. This is raising their monthly by about 25%.

I'm trying to get through to them that this would be best done using a separate carrier. They do not host any infrastructure (email and all other office functions are in the cloud), but they have a large user population and internet downtime = no work gets completed. There is also a remote site that relies on the PBX at this facility over a VPN, so internet downtime would also mean phone downtime for another site (not for this site since the phone service is a voice PRI from the same provider).

Does anyone have any whitepapers that I can send to try to get the point across in a more succinct way? At this point, I think that the client may think I'm just trying to get myself a "dog in this fight" since I am a reseller that can sell them the 2nd circuit from the alternate provider. Because of this, I think that a whitepaper indicating WAN DIVERSITY / BEST PRACTICES may help drive my point home.

Can anyone help with this?

Thank you!



Aloha POS and Cisco Firewalls

Hey all,

I have a problem that I could use some help with. This one has me totally stumped. I have three different networks that all have a similar problem, and here's the kicker: 1 location has an MX64 and the other two are using 5506-X ASAs. All have basically similar firewall configurations, and each one has a rule to allow communication between the office computer and the office Aloha server on all ports. The office computer has the name and IP of the Aloha server in its hosts file, and the Aloha server has the name and IP of the office computer in its hosts file. By all accounts, they should be able to communicate with no problem, but when I try to run Aloha Configuration Center from the office computer, I get an error saying that it cannot locate the office Aloha server. My logs are not showing anything being blocked by the firewall, and the hosts files should be bypassing DNS to help the two find each other. I do have the two on separate VLANs, but that has not been a problem so far. However, we upgraded to a new version of Configuration Center, and that is when this problem started. The new version is 17.10.0.375. Has anyone out there had a similar problem, or does anyone have any insights?



Access network jobs

Hi, I'm new to Reddit and don't know if this is the right place to ask.

I know carrier networks are pretty much divided into a core network and an access/distribution network.

Core network jobs sound, well, hardcore from the networking point of view. IGP and EGP routing, MPLS, and all that stuff.

What about access network jobs? So far, I've mostly found jobs related to link budgets, finding permission to dig trenches (for fiber) and something about antenna placement and cell optimization on the mobile side.

Not saying it's not interesting, and I know the core network deals with much more packet switching than the access part, but I wonder, are there any jobs in the access part that also use knowledge of networking protocols (I guess PPP, ATM, PPPoE, maybe Radius)?



Can anyone help me with how to set up STP between 3 HP2920 switches? I want to use 2 links per switch for the connection. I know trunk and LACP but I want to have redundancy. Any doc? Conf? Help?


phpIPAM 1.3.1 released

For those of you not using netbox, phpIPAM version 1.3.1 has just been released:

http://ift.tt/2z7DG1S



Monitoring max tunnel throughput on router

http://ift.tt/2hxqYOR

Automated way of pulling CDP neighbor device name to port description?

Hello fellow networkers,

Does anyone know of an automated way to pull a device name from CDP and put it as that ports description?

We have a new distribution switch that has about 120 or so connected switches. Rather than going into each port config manually and adding a description, I want to see if I can automate it. My initial guess is a script in tcl could get the job done. However, I'm not well-versed in scripting yet.

Just seeing if anyone has ever done this. Thanks in advance!
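
One way to do this without TCL, as an added example that is not from the post or from any vendor: parse the text of "show cdp neighbors detail" in Python and generate the IOS description lines. The CDP output in the script is constructed sample data, and pushing the generated lines to the switch is left out.

```python
"""Generate port descriptions from 'show cdp neighbors detail' output.

Added example (not from the original post or any vendor). Parses the CDP
detail text, maps each local interface to the neighbor's device name and
remote port, and emits the IOS lines that set the descriptions.
"""
import re

# Constructed sample of "show cdp neighbors detail" output (not a real capture).
SAMPLE_CDP_DETAIL = """\
-------------------------
Device ID: SW-ACCESS-01.example.local
Platform: cisco WS-C2960X-48FPD-L,  Capabilities: Switch IGMP
Interface: GigabitEthernet1/0/1,  Port ID (outgoing port): GigabitEthernet0/48

-------------------------
Device ID: SW-ACCESS-02.example.local
Platform: cisco WS-C2960X-48FPD-L,  Capabilities: Switch IGMP
Interface: GigabitEthernet1/0/2,  Port ID (outgoing port): GigabitEthernet0/48

-------------------------
Device ID: AP-LOBBY-01
Platform: cisco AIR-AP3802I-B-K9,  Capabilities: Router Trans-Bridge
Interface: GigabitEthernet1/0/3,  Port ID (outgoing port): GigabitEthernet0
"""

# Long-to-short IOS interface names so descriptions stay compact.
_ABBREV = [("TenGigabitEthernet", "Te"), ("GigabitEthernet", "Gi"),
           ("FastEthernet", "Fa"), ("Port-channel", "Po")]

_ENTRY_SEP = re.compile(r"^-{5,}\s*$", re.MULTILINE)
_DEVICE_ID = re.compile(r"^Device ID:\s*(\S+)", re.MULTILINE)
_INTERFACE = re.compile(r"^Interface:\s*(?P<local>[^,]+),\s*"
                        r"Port ID \(outgoing port\):\s*(?P<remote>\S+)",
                        re.MULTILINE)
_PLATFORM = re.compile(r"^Platform:.*?Capabilities:\s*(?P<caps>.*)$",
                       re.MULTILINE)
# CDP fields are advertised by the neighbor, so only a whitelist of characters
# reaches the config line; quotes, newlines, '?' and the like are dropped.
_UNSAFE = re.compile(r"[^A-Za-z0-9._/-]")


def abbreviate(ifname):
    for long_name, short in _ABBREV:
        if ifname.startswith(long_name):
            return short + ifname[len(long_name):]
    return ifname


def parse_cdp_detail(text):
    """Return one dict per neighbor: device (no DNS suffix), local, remote, caps."""
    neighbors = []
    for chunk in _ENTRY_SEP.split(text):
        dev, ifs = _DEVICE_ID.search(chunk), _INTERFACE.search(chunk)
        if not dev or not ifs:
            continue  # separator noise or an entry without a usable port line
        plat = _PLATFORM.search(chunk)
        neighbors.append({
            "device": dev.group(1).split(".")[0],
            "local": ifs.group("local").strip(),
            "remote": ifs.group("remote"),
            "caps": plat.group("caps").split() if plat else [],
        })
    return neighbors


def safe_description(device, remote, max_len=60):
    text = "%s %s" % (_UNSAFE.sub("", device), _UNSAFE.sub("", abbreviate(remote)))
    return text[:max_len]


def build_descriptions(neighbors, existing=None, only_caps=None):
    """Map local interface -> description.

    Ports present in `existing` (interface -> current description) are skipped so
    hand-written labels are never clobbered; `only_caps` restricts output to
    neighbors advertising one of those CDP capabilities, e.g. ("Switch",)."""
    existing = existing or {}
    result = {}
    for n in neighbors:
        if only_caps and not any(c in n["caps"] for c in only_caps):
            continue
        if existing.get(n["local"]):
            continue
        result[n["local"]] = safe_description(n["device"], n["remote"])
    return result


def render_config(descriptions):
    """Emit 'interface X' / ' description Y' pairs in CDP order."""
    lines = []
    for local, desc in descriptions.items():
        lines.append("interface %s" % local)
        lines.append(" description %s" % desc)
    return "\n".join(lines)
```

Run the generated lines through a diff against the running config before applying them, since the script will happily relabel a port whose neighbor changed.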



yEd networking stencils?

Does anyone use yEd for their network drawings?

If so do you know where I can find some stencils for it? I looked all over the place and am having a devil of a time finding decent ones.



Facebook is open-sourcing Open/R

http://ift.tt/2APORJU

Pretty exciting stuff, has anyone tried it yet? I hope to try it out on a few Juniper routers.



Bell Canada

Has anybody here had experience with Bell Canada for Layer 3 MPLS circuits and PSTN circuits? I can't put it into words right now, and if I did I could write a book about customer support with Bell. I've never come across anything so bad. The only thing that has made me smile is that a person developed a website that is called http://fuckyoubell.com/



Cyberoam - any users?

Hi, /r/networking

I am currently testing a Cyberoam firewall with a view to replacing the Meraki MX devices we currently use. We mainly use site-to-site VPN with a few VLANs.

So far the Cyberoam seems to work well, although the UI isn't the most pleasant. I haven't yet tried the CLI.

I'm curious if anyone here has used Cyberoam before in production and what the experience was like. Also any tips and tricks are much appreciated!

Thanks



Wednesday, November 15, 2017

If you need to explain to a non-technical person what oversubscription on a circuit is....

Use this, it's a perfect example. Saw this on /r/WTF, and it applies perfectly to networking....

http://ift.tt/2muBMT4



Standardize the CAT Keystones or Brand

(Disclaimer: mother tongue not English.) As a guy who normally only does the physical patching tasks and doesn’t do anything with switch configuration, I need the help of Reddit.

In our organisation, which consists of 20 different physical buildings spread over a 30km radius, I found out that the local handymen are using all kinds of different keystones and panels for their “jobs”. This ends in a huge mess in the switch cabinets, with all the different sizes, colors etc.

I want to standardize the brands we use in the cabinets, but to be honest I have no clue what to look for.

Are there “standards”? The size of the keystone? Are there new developments, like 48-port wall panel thingies? What should I take into consideration when choosing a standard brand to push to all locations?

I saw they use some “Legrand” and I’d say the keystones look fancy with the twist system, but this brand is in the minority right now.



I created a redistribute metric in OSPF (set metric 100). What "Show" command allows me to verify my work?

I have this down:

route-map rip-in permit 10
 match ip address 10 20
 set metric 100
 set metric-type type-1

and then some other stuff... how do I see the "set metric" in a show command? I have 2 route-maps ... one with 100 and 200 values.



Study networking at school or study CCNA?

I'm a CS student at UC Santa Cruz and the university offers courses in Computer Networking. Specifically Intro to Computer Networks, Advanced Computer Networks, and Network Programming. Should I take these classes or should I just study the CCNA?

Edit: I'm a CS major



Computer Networking on Social Media

Hi Guys,

Can anyone recommend some good sites/groups to follow on Facebook and/or Twitter? I have 'router nest' on Facebook that looks pretty good.



Flow analysis for an MSP

Hi,

Can anyone recommend a product (open source or commercial) to present NetFlow/NetStream/sFlow that would be suitable for an MSP? The goal would be to provide clients with flow information from the devices that are assigned to them only, not the whole estate. Ideally some way to create periodic reports would be required as well.

Ideally it needs to be able to support Cisco and Huawei equipment through NetFlow/NetStream.

Thanks in advance



Budget site to site VPN

Hello 👋

I’m looking for a cheap way to do a site-to-site VPN with dedicated hardware. I’ve seen you can pick up ASA 5505s from eBay for £150 a piece, but I’m wondering if I can do something even cheaper.

Throughput doesn’t need to be a lot I’m looking at around 50Mbps.



How does your network/system architect assign you work?

So we have an old battleaxe of an architect who gives zero details when assigning work. I get that he probably wants us to figure it out, but his diagrams are all logical - there's no direction on how he wants things done at all. His latest idea was for me to create a VPN within a VPN but he had no idea how that would be achieved; I ended up getting it done, but when I asked him for some help he was telling me garbage like both local and remote subnets have to be the same range. When I asked my manager about the VPN he said the architect has never configured a VPN in his life. My latest work involved configuring a dual-context firewall - the architect didn't specify how many interfaces etc. it should have, and the logical diagram seemed to be missing info too.

The other thing is that when he tells me to use such and such software product, it's shit that's 20 years old - because that's what he used previously and it just works...



Troubleshooting sluggishness of 10GbE network cards connected via Thunderbolt 2

I seem to be running into an issue where 10GbE network cards connected via Thunderbolt 2 are incapable of achieving full bandwidth potential. I'm preparing to deploy 10GbE on several iMacs and this issue is throwing me for a loop.

The cards are Intel 82599ES cards in Thunderbolt-2 PCIe chassis. I have a few classic MacPro workstations, and with their cards connected directly to PCIe they are able to achieve full line speed. The iMacs -- whose 10GbE cards are connected to a Thunderbolt PCIe enclosure -- are not. I'd gladly welcome thoughts as to what I'm overlooking.

Below is my test data. Connectivity method was via SFP+ DAC cable connected straight to each unit. No switch, though for the heck of it I briefly tested with a Dell N4032. Jumbo frames enabled (MTU 9000). I've also rotated several other 82599s into the test (I have several) with no significant change in result.


---Test 0 (Control)
Unit1: LinuxBox (Ubuntu 16.04.3) with Intel 82599ES via PCIe
Unit2: MacPro5,1 (OSX 10.11.6) with Intel 82599ES via PCIe
iPerf2 Uplink result: 10.6 Gbits/sec
iPerf2 Downlink result: 9.87 Gbits/sec

---Test 1
Unit1: LinuxBox (Ubuntu 16.04.3) with Intel 82599ES via PCIe
Unit2: iMac 2015 (OSX 10.11.6) with Intel 82599ES via TBolt2
iPerf2 Uplink: 6.14 Gbits/sec
iPerf2 Downlink: 5.46 Gbits/sec

---Test 2
Unit1: MacPro5,1 (OSX 10.11.6) with Intel 82599ES via PCIe
Unit2: iMac 2015 (OSX 10.11.6) with Intel 82599ES via TBolt2
iPerf2 Uplink: 5.97 Gbits/sec
iPerf2 Downlink: 5.28 Gbits/sec

---Test 3
Unit1: LinuxBox (Ubuntu 16.04.3) with Intel 82599ES via PCIe
Unit2: iMac 2015 (Windows 10 Creators Edition via BootCamp) with Intel 82599ES via TBolt2
iPerf2 Uplink: 4.27 Gbits/sec
iPerf2 Downlink: 4.40 Gbits/sec


OSX systems are running SmallTree 3.3.15 drivers. Windows system running Intel Network Adapter drivers v22.9.

I've tried to rule out as much as possible. I've also tested with different iMacs in case the machine itself had some sort of issue, and I even loaded Windows on one of them in case it was somehow an OS thing.

I'm pretty certain Thunderbolt 2 can do better than 6 Gbit per second, but I don't know what more I can do to troubleshoot this problem. Suggestions welcomed. Thank you!



Am I correct about ICMP Type 5 Code 1 Redirect for Host?

Doing some CCIE notes, and not finding anything definite. The only scenario I can think of when Code 1 (yes code 1 not code 0) is sent is when a sender has a misconfigured (smaller) subnet mask, and sends a packet to the router/default gateway, and the router has the proper mask and notices that the source is in the same network, and thus sends a host redirect. Is that correct?



VPN communication between multiple sites

I'm in way over my head and I know it. That said, it's falling upon me to get this figured out.

I have a client with multiple sites that all connect to a central office via gateway to gateway VPN.

The main office uses a Cisco RV042G with multiple tunnels set up (1 for each satellite office).

The satellite offices connect via a Cisco RV180W.

Each site is on a different subnet

Communication from satellite to main office works fine in all instances. However, there is no communication between satellite offices, which is what I need to make happen.

As I said, I'm in over my head. The guy who set this all up originally is gone and I'm the closest thing to a "network guy" available. I generally just administer servers and workstations.

Do I need to have them all setup to use the same VPN tunnel, or is there a firewall rule I should be adding? Apart from the default rules for these routers, there is nothing else setup to my knowledge.



Cisco APs from other countries

Hi everyone, so today I am looking for some thoughts and information on this topic. We have a site shutting down and they are sending us their Access Points; the site is in Germany, so the APs are -E. From what I see they support most of the same channels as our -A devices. Does anyone know if I can be shown regulations against using them in our US sites? So far I did not find anything except some information banning us from sending them to China/Philippines.



Level 3 route leak: what we saw

A post last week was asking about how to measure performance per ISP / ASN:

http://ift.tt/2hFYQMZ

We were able to do some interesting stuff during the Level 3 route leak last week to see how our customers were impacted, measuring loss / latency stats out of the real application traffic (vs. pings or synthetic transactions). Wrote a blog on it here:

http://ift.tt/2juui1e



Max number of supported BDIs on ISR 4451-X router?

This might not be a valid question but I just do not have a 4451-X router available to verify...

I got the following when testing the configuration of BDIs inside EVE-NG:

Router(config)#interface BDI208
New BDI exceeds maximum allowed BDIs(5)

The configuration is for a 4451-X router running IOS-XE 3.13.04.S for 8 BDIs. So is it also a limitation on the router, OR simply just an EVE-NG limit? Nothing shows inside the release notes...



Enabling SSH access on an HP5500?

Recently inherited a network that terminates all IDFs to a single HP5500, currently with only console access. SSH is active but nobody can log in with any credentials.

Spent half an hour yesterday trying to enable SSH via console.

Here's the relevant config:

ssh server enable
ssh client source interface Vlan-interface1
ssh user austindcc service-type all authentication-type password
user-interface vty 0 15
 authentication-mode scheme
 user privilege level 3
 protocol inbound ssh
local-user austindcc
 password cipher $c$3$avzOJ-------------------------------------
 authorization-attribute level 3
 service-type lan-access
 service-type ssh

I followed everything I could in this HPE forum post. No matter what I do (correct or incorrect password), I get "Permission denied, please try again."

When I was jacked into the console, I saw the SNMP trap for failed SSH login, but nothing to indicate why the login failed.

Any ideas?



Decent switch with more than 4 SFP ports

Dear /r/networking, I am looking for a decent (and not very expensive) switch with 6-16 SFP ports. We mostly use HPE Comware devices. They usually have 4 SFP ports, and in a few places that is a few (one or three) ports short. In one place I've used a Cisco SG300-28SFP to connect 5 fiber links and I feel it is a big waste. Something like a Cisco SG300-10SFP would be ideal, but it has an external power supply.



Add a CUCM User/Extension from another server cluster to a line group/hunt pilot?

Hey Guys,

My company has two CUCM servers that serve different remote offices around the world. I am tasked with adding some global IT members to a line group/hunt pilot that belongs to one of the clusters. Is it possible to add extensions that are part of another cluster to a line group/hunt pilot? Users from both call managers can call each other just fine, BTW.



Adding additional network to site-to-site VPN

I have an IPsec site-to-site VPN set up between a Ubiquiti EdgeRouter and a SonicWall. I would like to add another network to the list of allowed traffic.

For example, currently on the EdgeRouter side I am passing the 192.168.1.0 network over the VPN; I would like to add a VLAN network 192.168.2.0 to the list of allowed traffic. Do I need to create a completely new tunnel, or can I easily add it to the existing tunnel?

Thanks



Sophos - Vendor Shaming - Rant

  1. Sales staff never responds to phone calls. Seriously not once; ever. It takes on average 3 weeks to get email responses. We've been through 4 sales reps and 2 of their supervisors which I feel is an accurate enough sample group to make this claim.
  2. Sales staff doesn't know what they're selling. We have received the wrong product so many times that I'm now sure they have no idea what it is they're selling. The last order basically went: "We need X." "I've never heard of that. Let me check." 4 months later after numerous unanswered status update requests - We get the wrong thing.
  3. Support seems to have never used their own products. I called in today because the option to add users in Mobile Control was missing - The support rep goes to the dashboard, points to one of the Youtube videos and says "You can do it here." I inform him that those are Youtube videos and don't carry out the intended task as they are titled. He literally responds "Hang on let me google. Ok I see someone doing this on Youtube."


Multi-wan load balancing and/or

Anybody know a good best practices document for multi-WAN load balancing and/or failover for Cisco routers?



BGP implementation on Azure gateways

Hello,

I set up a fully meshed IPsec connection between two routers on my side and an Active-Active Azure gateway, effectively two VPN endpoints as well, for a total of four tunnels.

I set up BGP over this to exchange routes with Azure; however, I cannot convince Azure to return the traffic to me over a single path by the traditional as_path prepending mechanism. Admittedly the Azure implementation guide doesn't say anything about as_path prepend, but I hoped it would work. It may be that the mistake is on my side as I'm far from a BGP expert, but I suspect that Azure has only a very basic BGP implementation and doesn't honor as_path prepending. I also wasn't able to find any info on this via the trusty Google search. Has anyone else succeeded in setting something like this up? Have you managed to make the traffic flow as you wish?



Fans stopping and starting on Dell Powerconnect

Hi guys,

So I have 2 stacks of Dell PowerConnect, two 5224 and two 6224. On stack 1 (5224) one of the units has the fans changing speed level from 1 to 0, and after like 5-20 min they go again from 0 to 1.

There are some times that this goes on for more than 1 hour, back and forth.

The temperature is always at 41 and the server room is never hot, so I don't really know why this happens.

Also curious why only one unit on this stack. Does anyone know why this happens?

Thanks!



Python makes people stupid

This is my conclusion after migrating the functionality of hundreds of lines of python into a single line of bash on several occasions.



EX2200s losing configuration after power outages

We are not a Juniper shop, but have taken over management of a client who is all Juniper. It hasn't been too difficult to figure out things, but the client has a remarkably poor power infrastructure in some of their facilities and while we have made suggestions nothing has come of fixing it yet.

The thing we do see is EX2200s losing their configuration and we have to recover them after they lose power. This happens almost once a week. The Junos versions vary and are releases in the 12.3 and 15 trains.

Is this normal? Are there bugs? I can't imagine this is normal.



Cisco Wireless Point-to-Point

Greetings all. I'm getting a little confused about a few things and I hope someone's experience can help out. We are having a new building constructed and the contractors have 2 trailers outside our hospital. Apparently in the contract we have to provide an internet connection to them. At the risk of becoming a TLDR, there was fiber that ran where we needed it, but it's been left in the elements and tested bad. So, I'm needing another option, besides a new fiber run.

So, here's where my confusion starts, because I'm not a wireless expert. The trailer isn't very far, maybe 100 yards, and has direct line of sight from the hospital. I'm assuming I need to create a bridge, but I'm not seeing that as an "AP Mode" option in one of my 3802's I'm trying to test with. I just see "local, FlexConnect, Monitor, and Sniffer." The antenna that I'm looking at is this one. I've used Ubiquiti's NanoStation about 3 or 4 years ago and mentioned that, but was told "get a Cisco solution." Too bad, because I remember how easy it was to set up and how well it worked.

So, is a bridge what I need to look at or am I totally off base? I'm going to continue to research on my own, but figured I'd throw this out there. Appreciate it.



Cisco Unity Full ldap sync

Maybe this is a silly question, but if I perform a full LDAP sync during normal business hours, is it a disruptive process? I have a user I need to import and the phone field wasn't filled out in AD until a few minutes ago. Cisco Unity is configured to do a full LDAP sync at midnight, but if I do one now so I can create her voicemail, will the system be impacted much?



AOC Cabling Vendors

Anyone know of some good 40G AOC cabling vendors that have bulk stock? We typically buy them in chunks of 1000+ and have had some quality issues recently from a few different places.

The model we use is: QSFP-40G-AOC Lengths are: 7M and 20M

We prefer to have them coded as QSFP-SR4 as we find these work the best with Juniper QFX devices. FlexOptix is our main vendor and they code them as SR4 however they are out of stock at the moment.

Don't mention fs.com, as they are one of the vendors where we've seen lots of quality issues and things just not working.



Expanding Across Building Floors

So as the title suggests our company will be expanding from the first floor to the second floor.

Right now I have 2 WAN connections that are load balanced / failover that comes with the router on floor one.

I guess my predicament is that both floors will be sharing this same network connection. What use would fiber be in this instance? Should I run fiber between the two floors to connect a switch on the second floor to the router on the first floor? Or should I just run Cat6?

There isn't a ton of heavy lifting in terms of network utilization -- mostly sales and some times some files syncing across the cloud and maybe some large files here and there from marketing, so I don't think it needs fiber. There is also no on-prem storage or VM infrastructure that would require such low latency or speeds.

Am I correct in thinking fiber wouldn't be necessary?



I'm just learning networking now. Taking a class right now as well, need some help to figure out the proper way to wire 2 buildings

If your router only has 1 output would you put a switch after it to connect more switches? Wouldn't that be a bad idea due to forwarding all broadcasts?



Level3 IPv4 and IPV6 DNS?

I can't seem to find it anywhere on their page since they got acquired by Century Link. Is their public DNS gone now? Anyone got a link?



Making better Network Diagrams

What do you guys use?

I've been using MS Visio, but for some reason it just looks like a school project and not really a professional-looking diagram. It's probably just me, but I was curious as to what you all use? We have a new manager and he seems to like good-looking documents; I want to make an impression and flabbergast him with my topology.

Any tips are greatly appreciated.



Why isn't FIOS completely symmetrical?

I just saw an advert for 940 down 880 up.

Is this 'gigabit' package offered on the same ONT/GPON as Video?
Do they ratio to keep management traffic available or to ensure their network never sends more than it receives to keep up negotiations for transit sales?

Just seems like an odd ratio. Only other reason I can imagine is they just don't want to troubleshoot 'optimal' upload complaints



Firewalls firewalls every where

I keep seeing requests for what firewall to use, and a lot of the time I’m surprised by the results. I’ve worked in multi-vendor environments, and from my experience the suggestions that are being made shock me and make me wonder if it’s just my experience. So let’s list the firewalls and make a pros and cons list for each one. And this isn’t a bad-mouthing, this is an "in our experience". Because at the end of the day we are all fanboys for one product or another, but let’s be honest. Some of the swankiest stuff has the biggest cons going, whether it's usability, cost or support. Also this is more from the multi-vendor support out there, so we can get an overall picture of the field.

Juniper SRX Pros – cheap, solid networking product, powerful command line

Con – Useless Gui, nextgen features not great, steep learning curve, ALG

Checkpoint Pros –Gui is easy to use for most things, next gen features excellent

Con – expensive to buy and support, always feels like a beta version with bugs, networking elements not great. Networking elements a bit hit or miss. Turning on all features will dramatically bog down the firewall, better to reinstall than upgrade.



Cisco FAN design

Hello reddit!

The title says it all. For a developing project I am tasked with researching possible network designs for power grid systems using Cisco equipment. First thing I did was to read through some papers. Mainly this paper.

Based on the document the equipment for this solution are:

Cisco 2010 connected grid router (CGR)

Cisco 2520 Connected Grid Switch

Cisco Aggregation Services Router

However, for the design solution MPLS is required on all nodes. As I then went through datasheets of each product I found out that only ASR supports it.

The question here is, does Cisco have any other similar switch/router which is compliant with the IEEE 1613 and IEC 61850-3 substation standards for rugged design (mainly low latency for GOOSE messaging transport) and has an MPLS protocol stack? The solution with an ASR at every substation is unfortunately a bit too expensive.

Thanks!



SRX DHCP Relay to Cisco WLC - DHCP issue?

Hi,

I currently have an issue that I am trying to get to the bottom of. I have clients in Subnet X and a Cisco WLC in subnet Y acting as a DHCP server for the IP address of subnet X.

The L3 device is a Juniper SRX 340: with the following relay config:

set forwarding-options helpers bootp server (DHCP-SERVER)
set forwarding-options helpers bootp interface (SUBNET-X-GW-IRB)

Clients in subnet X cannot seem to get IP addresses from the WLC. I have run a few debugs and get the following output:

DHCP Server: Nov 15 09:38:49.978: Dropping packet from <SRX-MGMT-LOOPBACK> (unable to match to a dhcp scope)
DHCP Server: Nov 15 09:38:57.135: dhcpd: Received 300 byte dhcp packet from 0x0afa6325 <SRX-MGMT-LOOPBACK>:67
DHCP Server: Nov 15 09:38:57.135: Dropping packet from <SRX-MGMT-LOOPBACK> (unable to match to a dhcp scope)
DHCP Socket Task: Nov 15 09:38:57.755: 54:e1:40:35:d2:af DHCP received op BOOTREQUEST (1) (len 556,vlan 210, port 2, encap 0xec00, xid 0xef071f00)
DHCP Socket Task: Nov 15 09:38:57.755: 54:e1:40:35:d2:af DHCP option len (including the magic cookie) 320
DHCP Socket Task: Nov 15 09:38:57.755: 54:e1:40:35:d2:af DHCP option: message type = DHCP DISCOVER
DHCP Socket Task: Nov 15 09:38:57.755: 54:e1:40:35:d2:af DHCP option: 57 (len 2) - skipping
DHCP Socket Task: Nov 15 09:38:57.755: 54:e1:40:35:d2:af DHCP option: 61 (len 7) - skipping
DHCP Socket Task: Nov 15 09:38:57.755: 54:e1:40:35:d2:af DHCP option: hostname = 25119969 (len 8)
DHCP Socket Task: Nov 15 09:38:57.755: 54:e1:40:35:d2:af DHCP option: 55 (len 4) - skipping
DHCP Socket Task: Nov 15 09:38:57.755: 54:e1:40:35:d2:af DHCP options end, len 320, actual 64
DHCP Socket Task: Nov 15 09:38:57.755: 54:e1:40:35:d2:af DHCP dropping packet (no mscb) found - (giaddr 0.0.0.0, pktInfo->srcPort 68, op: 'BOOTREQUEST')
DHCP Socket Task: Nov 15 09:38:57.757: 54:e1:40:35:d2:af DHCP received op BOOTREQUEST (1) (len 296,vlan 50, port 1, encap 0xec00, xid 0xef071f00)
DHCP Socket Task: Nov 15 09:38:57.757: 54:e1:40:35:d2:af DHCP option len (including the magic cookie) 60
DHCP Socket Task: Nov 15 09:38:57.757: 54:e1:40:35:d2:af DHCP option: message type = DHCP DISCOVER
DHCP Socket Task: Nov 15 09:38:57.757: 54:e1:40:35:d2:af DHCP option: 57 (len 2) - skipping
DHCP Socket Task: Nov 15 09:38:57.757: 54:e1:40:35:d2:af DHCP option: 61 (len 7) - skipping
DHCP Socket Task: Nov 15 09:38:57.757: 54:e1:40:35:d2:af DHCP option: hostname = 25119969 (len 8)
DHCP Socket Task: Nov 15 09:38:57.757: 54:e1:40:35:d2:af DHCP option: 55 (len 4) - skipping
DHCP Socket Task: Nov 15 09:38:57.757: 54:e1:40:35:d2:af DHCP option: 82 (len 13) - skipping
DHCP Socket Task: Nov 15 09:38:57.757: 54:e1:40:35:d2:af DHCP options end, len 60, actual 64
DHCP Socket Task: Nov 15 09:38:57.757: 54:e1:40:35:d2:af DHCP received a REQUEST from Gateway SUBNET-X-GW-IRB -- bouncing to local DHCP server.
DHCP Socket Task: Nov 15 09:38:57.757: 54:e1:40:35:d2:af DHCP sending to local dhcp server (<SRX-MGMT-LOOPBACK>:67 -> 10.174.8.2:1067, len 300)
DHCP Server: Nov 15 09:38:57.757: dhcpd: Received 300 byte dhcp packet from 0x0afa6325 <SRX-MGMT-LOOPBACK>:67

I wonder if the SRX is changing the source IP address of the DHCP requests to its mgmt loopback interface hence the line:

DHCP Server: Nov 15 09:38:57.135: Dropping packet from <SRX-MGMT-LOOPBACK> (unable to match to a dhcp scope)

Can anyone else shed any light on this? This setup was working before when the L3 was handled by a Cisco L3 switch.
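
The suspicion above (relay source address versus giaddr) can be separated cleanly, so here is an added example, not from the post and not Juniper or Cisco code, that models the three hops with a toy DHCP relay and a server that selects a scope either by giaddr (per RFC 2131) or by the address that delivered the datagram. The subnet X gateway and loopback addresses are assumed placeholders; how the WLC actually selects a scope is not stated in the post.

```python
"""Relayed DHCP and scope selection: giaddr versus datagram source address.

Added example, not from the original post and not Juniper or Cisco code. It
models client on subnet X -> relay on the SRX irb -> WLC internal DHCP server
and shows that a server keying its scope lookup on the relay's packet source,
rather than on giaddr, drops every relayed DISCOVER once the relay sends from
an address outside any scope (such as a management loopback).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class DhcpPacket:
    """The RFC 2131 fields that matter for relay and scope selection."""
    op: str                      # BOOTREQUEST / BOOTREPLY
    chaddr: str                  # client MAC
    xid: int
    giaddr: str = "0.0.0.0"      # relay agent address, 0.0.0.0 if not relayed
    src_ip: str = "0.0.0.0"      # IP source of the datagram that carried it
    options: dict = field(default_factory=dict)


@dataclass
class Scope:
    subnet: str
    pool: tuple                  # (first, last) address handed out


# Constructed topology: assumed values, not taken from the post.
SUBNET_X_GW = "10.20.0.1"            # SRX irb for subnet X (assumed)
SRX_MGMT_LOOPBACK = "10.250.99.37"   # management loopback (assumed)
SCOPES = [Scope("10.20.0.0/24", ("10.20.0.100", "10.20.0.200"))]


def relay(packet, ingress_gw, source_ip=None):
    """Relay a client broadcast as unicast to the server.

    giaddr is set to the ingress interface address only when it is still
    0.0.0.0 (a nearer relay's giaddr must survive); the datagram source is
    whatever address the relay chooses, which need not equal giaddr."""
    relayed = DhcpPacket(packet.op, packet.chaddr, packet.xid,
                         giaddr=packet.giaddr, src_ip=source_ip or ingress_gw,
                         options=dict(packet.options))
    if relayed.giaddr == "0.0.0.0":
        relayed.giaddr = ingress_gw
    relayed.options["82"] = {"circuit-id": ingress_gw}   # relay agent info
    return relayed


def select_scope(packet, scopes, key="giaddr"):
    """Pick the scope a request belongs to.

    key="giaddr" follows RFC 2131 section 4.3.1: a non-zero giaddr names the
    client's subnet. key="src_ip" is the behaviour the poster suspects, where
    only the address that delivered the datagram is considered."""
    if key == "giaddr" and packet.giaddr != "0.0.0.0":
        anchor = packet.giaddr
    else:
        anchor = packet.src_ip
    addr = ip_address(anchor)
    for scope in scopes:
        if addr in ip_network(scope.subnet):
            return scope
    return None   # the WLC's "unable to match to a dhcp scope"


def diagnose(relayed, scopes):
    """Which selection rule would accept this relayed packet."""
    return {key: select_scope(relayed, scopes, key) is not None
            for key in ("giaddr", "src_ip")}


# The client's DISCOVER as it appears in the post's debug, before relaying.
DISCOVER = DhcpPacket("BOOTREQUEST", "54:e1:40:35:d2:af", 0xef071f00,
                      options={"53": "DHCPDISCOVER", "12": "25119969"})

if __name__ == "__main__":
    for src in (SUBNET_X_GW, SRX_MGMT_LOOPBACK):
        print(src, diagnose(relay(DISCOVER, SUBNET_X_GW, source_ip=src), SCOPES))
```

The model only separates the two rules; confirming which one the WLC applies needs a capture of the relayed DISCOVER at the WLC showing both its giaddr and its IP source.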



Can switch 'damage' spread?

Hi guys, I believe I have a problem with a switch, I've posted on other subreddits before with the same issue, however my question this time differs.

The switch in question is a Netgear GSM7248 v1. I realise this is an old piece of kit, but I can't afford to replace it with newer at the moment. I identified at least one 'suspect' port, mainly with packet loss of around 20%. A couple of others with similar figures appeared to be within the structured cabling. On those I changed port on the patch panels and the problem appeared to go away. The faulty port however I plugged a laptop in directly trying several cables in case I was just unlucky. This pretty much proved a faulty port. The server (running nas4free) was moved to other ports (2 x 1Gb LAGG) and tested again using ping from several directions and monitored over a few hours of use with zero packet loss.

Fast forward a number of weeks and I am seeing packet loss again and slower responses. Packet loss is a few percent and is random. If I am browsing folders it takes ages to show the contents or open content but the machine is showing no stresses on the status pages.

My questions are: can damage to switching fabric cause such problems? If so, can this damage spread to other ports? I can't rule out damage from spikes etc as I've no way of discovering how it has happened in the first place.

Thanks in advance! Hopefully I can stop pulling my hair out soon!!



strongswan and meraki

I have been struggling with this for the bulk of the day, trying to get a Linux box to connect to a Meraki MX.

Log from the MX:
http://ift.tt/2mr2E6i

ipsec.conf:

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret
        ike=3des-md5-modp1024,3des-sha1-modp1024!
        esp=3des-md5-modp1024,3des-sha1-modp1024!

conn meraki-vpn
        keyexchange=ikev1
        left=%defaultroute
        auto=add
        authby=secret
        type=transport
        leftprotoport=17/1701
        rightprotoport=17/1701
        right=172.250.xx.xx

I have messed with the ike/esp for hours still unable to get to phase2.

1510732528.116933419 Warden_Norton events Site-to-site VPN: ISAKMP-SA established 172.250.xx.xx[500]-138.197.xx.xx[500] spi:d6c0db1674716fed:c2ee37f6382c90e7 

Meraki default IPsec policy:
http://ift.tt/2z1MOVL

Any hints to what I am doing wrong here would be great!

thanks



Tuesday, November 14, 2017

Some questions about how DNS works

So, if I make a DNS request to a root server for www.google.com, it'll reply with authoritative and non-authoritative servers for..... com? Also, why does it not return an IP address? It only returns the name of the nameserver. How is a DNS resolver supposed to turn around and request the IP for google after that point?
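
The referral chain the question is about, modelled in Python with in-memory zone data. This is an added example, not part of the post; every server name and address in it is a constructed documentation value, not a real root or .com server. It also shows the no-glue case, where the resolver has to look up the name server's own address before it can continue.

```python
"""Iterative DNS resolution modelled with in-memory referrals.

Added example, not from the original post. A root server asked for
www.google.com does not know the address; it answers with a referral: the NS
records for "com" (authority section) plus glue A records for those name
servers (additional section). The resolver follows the referral, asks a .com
server, is referred again to the google.com servers, and only then gets an
answer. All names and addresses below are constructed placeholders.
"""


def zone_match(name, zones):
    """Longest suffix of `name`, cut on label boundaries, present in `zones`."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


class AuthServer:
    """One authoritative server: names it answers plus zones it delegates."""

    def __init__(self, answers, delegations):
        self.answers = answers            # {fqdn: [A records]}
        self.delegations = delegations    # {zone: ([ns names], {ns: glue A})}

    def query(self, qname):
        """('ANSWER', ips, {}) | ('REFERRAL', ns_names, glue) | ('NXDOMAIN', [], {})"""
        if qname in self.answers:
            return "ANSWER", self.answers[qname], {}
        zone = zone_match(qname, self.delegations)
        if zone is not None:
            ns_names, glue = self.delegations[zone]
            return "REFERRAL", ns_names, glue
        return "NXDOMAIN", [], {}


# Constructed topology. google.com's servers are inside google.com, so .com
# must ship glue for them; example.com is delegated to an out-of-zone NS
# without glue, which forces the resolver to look that name up first.
ROOT = AuthServer({}, {
    "com": (["a.gtld.example", "b.gtld.example"],
            {"a.gtld.example": "192.0.2.10", "b.gtld.example": "192.0.2.11"}),
})
COM = AuthServer({}, {
    "google.com": (["ns1.google.com", "ns2.google.com"],
                   {"ns1.google.com": "198.51.100.1",
                    "ns2.google.com": "198.51.100.2"}),
    "example.com": (["ns1.google.com"], {}),
})
GOOGLE = AuthServer({
    "www.google.com": ["203.0.113.5"],
    "ns1.google.com": ["198.51.100.1"],
    "www.example.com": ["203.0.113.9"],
}, {})
NETWORK = {"192.0.2.1": ROOT, "192.0.2.10": COM, "192.0.2.11": COM,
           "198.51.100.1": GOOGLE}
ROOT_HINTS = ["192.0.2.1"]  # the only addresses a resolver knows at start


def resolve(qname, network=NETWORK, root_hints=ROOT_HINTS, trace=None, depth=0):
    """Walk referrals from the root. Returns (A records, trace of (server, reply))."""
    trace = [] if trace is None else trace
    if depth > 4:
        raise RuntimeError("delegation too deep or looping")
    server_ip = root_hints[0]
    for _ in range(16):  # hard stop against referral loops
        kind, data, glue = network[server_ip].query(qname)
        trace.append((server_ip, kind))
        if kind == "ANSWER":
            return data, trace
        if kind == "NXDOMAIN":
            return [], trace
        # Referral: use a glue address if the referral supplied one ...
        next_ip = next((glue[ns] for ns in data if ns in glue), None)
        if next_ip is None:
            # ... otherwise resolve the NS name itself, starting from the root.
            for ns in data:
                ips, _ = resolve(ns, network, root_hints, trace, depth + 1)
                if ips:
                    next_ip = ips[0]
                    break
        if next_ip is None:
            return [], trace
        server_ip = next_ip
    return [], trace
```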



What security tools do you have on your home network? Anyone decrypting SSL at home? IPS?Firewalls?


what is the difference between out vs out ethernet 1/0?

Trying to understand distribution... I only have 2 routers, so not sure if I am doing it right.

but in short, I have a distribute-list 2 out ethernet 1/1 but I also have another distribute-list 1 out

so what is the diff between "out ethernet" vs "out"?



Cisco Dial Plan Design

I have a Collaboration project with about 40 branches. I am hesitant whether to use the traditional dial plan (just route patterns) or a generic Route Pattern (+!) with multiple Translation Patterns. What are the benefits of using the generic Route Pattern (+!)?



Core Switch - Juniper EX9204 vs Aruba 5406R zl2

I'm in a pickle on some decisions I have to make at one of our sites, and I'm hoping one of you smart network engineers out there will be able to share some of your experience here. The main decision point I'm wrestling over is basically what brand of core switch to implement. We're currently standardized on HPE/Aruba, but I've fallen in love with Juniper's offering on this solution. Problem is, I get eye rolls and grumbling when I mention this to my co-workers, who are more comfortable on the HPE/Aruba gear. I do plan to stay with HPE/Aruba for the distribution and access layers and FortiGate as the firewall. Mainly, here's why I'm leaning toward Juniper for the core switch.

  1. I've never heard of someone running HPE/Aruba on the core of their network. I think HPE/Aruba are great access layer switches, but I just can't bring myself to trust them at the core. I've read true core switches have deeper packet buffers than access switches although I haven't found the documentation that enumerates this on Juniper. The Aruba 5406R zl2 mentions a 13.5Mb packet buffer in their datasheet. http://ift.tt/2zXUAQr

  2. More redundancy in one chassis. None of our ISPs at this site are able to give us an LACP handoff so my personal opinion is that a virtual chassis setup with two hardware switches would be less than useful. You could make the argument that having that second port pre-configured for a manual fail over might be of use, but since I'd be trying to assist the on-site techs with this remotely in that scenario...I'd rather not. Knowing that, I'd like to get as much redundancy as I can out of this setup, and the EX9204 looks to have more to offer here. Holds up to four power supplies, support for a backup routing engine and switch fabric module since control and forwarding planes are separate, etc. The 5406R datasheet does mention support for a redundant management module that handles nonstop switching and routing, but I'm not sure how equally these compare.

And, of course, the reasons why I'm resistant...

  1. Price. This is just straight off CDW's website, but the EX9204-REDUND-AC build-out with a 32-port 10Gb line card and a 40-port 1Gb line card runs close to $70,000...whereas to get a similar setup on a 5406R would be closer to $20,000. I have not formally priced these though, and I've heard Juniper will compete fairly well if you competitively bid them.

  2. Familiarity. I have not been on a Juniper box before, but learning new CLIs doesn't scare me too much. Still, the learning curve is there, and I'm afraid my co-workers would never touch it so I'd be the only person supporting it.

Design reference: http://ift.tt/2zD9oU4

And the Juniper EX9204 datasheet: http://ift.tt/2zXUBDZ



Switchport Trunk Add

So... I had to add some vlans to a trunk link today, and I learned something new. I bet you're thinking that I forgot to use the add command, but I always triple check that.

I'm working on a building transition to another building... and I had one vlan too many apparently. At first I thought it was a cosmetic bug because I have never seen this before, and because that was the exact command I had entered to add the vlan.

This is how it shows in the running-config

interface Port-channel4
 switchport trunk allowed vlan X, X, X, X...
 switchport trunk allowed vlan add 310   <-- This line
 switchport mode trunk

After thinking about it, it does make sense because if you had to paste this config elsewhere, it would require that command to apply correctly. Again, just something unexpected.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Juniper route leaking, VRF's and RIB Groups

The issue I am having is as follows:

Let’s say PE1 terminates number of GRE tunnels and places them into VRF “Instance1”. These tunnels learn about the 172.21.1.1/32 route.

PE1 also has a VRF instance “Grey-VRF” with a static route to 203.1.1.1. I need this static route to be leaked into VRF “Instance1” and I need the 172.21.1.1/32 route to be leaked into “Grey-VRF”

I was able to get this to work using RIB groups:

set routing-options rib-groups group1 import-rib GreyVRF.inet.0
set routing-options rib-groups group1 import-rib Instance1.inet.0
set routing-instances GreyVRF routing-options static rib-group group1
set policy-options policy-statement Instance1-OSPF-TO-GREY term 1 from route-filter 172.21.1.1/32 orlonger
set policy-options policy-statement Instance1-OSPF-TO-GREY term 1 then accept
set policy-options policy-statement Instance1-OSPF-TO-GREY term 2 then reject
set routing-options rib-groups group2 import-policy Instance1-OSPF-TO-GREY
set routing-options rib-groups group2 import-rib Instance1-VRF.inet.0
set routing-options rib-groups group2 import-rib GreyVRF.inet.0
set routing-instances Instance1 protocols ospf rib-group group2

The above works, however I now have the issue whereby this is leaking the 172.21.1.1 route into all VRFs that import from the GREY-VRF. I have tried using the VRF-export option, but no luck.

Any ideas?



Cisco SRST and e911 laws in the US

Hi everyone. I've got several remote locations that have an ISR G2 with an FXO to the POTS network that is used for e911 dialing. These locations can vary from one or two phones up to twenty or thirty. I would like to look into cheaper Cisco routers for some of my smaller locations. The problem is that a lot of the time some of these smaller routers will only support up to five or ten registrations during SRST mode.

What I would like to do is to put a smaller router out at some of these locations and then specify which phones will register to the router. I would then instruct the branch personnel that when the network goes down, only 911 calling would be possible, and only from certain phones.

My question is this: is there a legal requirement in the US to have every single phone register to the router in SRST mode and provide e911 dialing? I have not been able to find any legal documents that say that if there is a phone, then it needs to be able to call 911, but I am no expert in VoIP technologies. Any help is appreciated. Thanks.



Anyone using Ethernet shared access for MPLS and Internet service delivery, using sub-interfaces of your edge router?

Original request: new Internet connectivity service delivered in remote branches, for some local (to country/region) Internet resources access (think local office ISP breakout + regional content at the other end), when the rest of traffic gets routed through the Data Centers, via MPLS, for all filters and controls only DCs could provide.

Instead of installing and delivering a new Eth/Internet service, ISP suggests utilizing existing access for remote offices, in order to share the Ethernet service delivery for both MPLS and Internet, by creating sub-interfaces on CPE. How do you configure (as only preferential traffic is supposed to use the Internet, rest defaulting to MPLS cloud) and secure such things? Would ACLs suffice?



Network Config Parser

Hi all,

I've been working on an application to parse network device configuration, and I'd like to get some feedback (and bug reports) from the people here in /r/networking. It's in an alpha state, but I figure it still may be useful to people in this state.

Summary

  • It's called ncp
  • It takes configuration files (or input from STDIN), parses them, and outputs it in a specified format (raw Perl, JSON, CSV).
  • It currently has partial support for Cisco ASA, CheckPoint CLISH, and Linux iproute2 and net-utils.
  • It's easily extensible - plugins can be written to add parser support, as well as output driver support (CSV, database, etc).
  • There may be bugs. If you encounter something, please raise issues on the GitHub Repo.

There's documentation up for the ncp cmd line utility as well as the module that supports it.

You can install it with cpanminus (cpanm Device::Network::ConfigParser), or with the legacy cpan utility (cpan Device::Network::ConfigParser).

Here are some examples:

Reach out if you've got any questions.



Can a DHCP IPv6 relay agent serve IPs?

If TCP 547 is blocked between the DHCPv6 relay agent and the DHCP server and the DHCPv6 relay agent is then rebooted, can the agent still issue IPv6 addresses?



How to expose multiple IPs behind router

Imagine my ISP just gave me 100 IPs for free.

I have 100 servers at home that I want accessible to the public via individual IP. They are all behind a router.

How do I set this up?



Troubleshooting Cisco ASA 5516 Site to Site VPN

Hi everyone,

I recently inherited all of the firewall duty at my workplace. I've gotten at least a bit familiar with the command line and ASDM for it, but there has been an ongoing issue recently that I'm trying to figure out where to start looking.

Basically, we have an IKEv1 IPsec tunnel going to our remote branch.

Over the last few weeks, occasionally it will drop off and kick our users off (services are hosted at main branch and so is the VoIP controller). I've called Cisco a few times and the only thing that "fixes" it is "clear crypto ipsec sa peer xxx.xxx.xxx.xxx"

But I want to find out why this is happening and why they are dropping. I have a sneaking suspicion that the firewalls are okay and that the real villain here is Comcast, but if I could get some insight on why this is happening that would be really great. Thank you.



Anyone has experience with SD-WAN

Hi, my company is considering switching from MPLS to Bigleaf SD-WAN. How does the quality compare to MPLS?



Iterate subnets in Jinja template?

So I'm trying to generate switch configs using Ansible and Jinja.

I'm trying to extrapolate subnets from a starting subnet (class C) based on a variable provided in a site specific YAML. I define the starting subnet (ex. 10.1.1.0/24) and the number of subnets needed (ex. 16.) I'm using ipaddr() to get specific host addresses within the subnet, but have no idea how to easily get the next class C subnet.

Is there a way to do this without having to rip the string apart and parse the third octet by itself?
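One way to get the next class C blocks without parsing the third octet by hand, as an added example that is not the poster's code: a small Ansible filter plugin built on Python's standard ipaddress module (no ipaddr/netaddr dependency). It assumes Ansible's filter_plugins/ directory convention; the filter names next_subnets and subnet_plan, the VLAN numbering and the field names in the plan are my own choices.

```python
"""Ansible filter plugin (added example): consecutive subnets from a start block.

Drop this file into a filter_plugins/ directory next to the playbook. In a
Jinja template it is then used as, e.g.:

    {% for s in start_subnet | subnet_plan(subnet_count) %}
    interface Vlan{{ s.vlan }}
     ip address {{ s.gateway }} {{ s.netmask }}
    {% endfor %}
"""
import ipaddress


def next_subnets(start, count, new_prefix=None):
    """Return `count` consecutive subnets starting at `start` (e.g. "10.1.1.0/24").

    Each subnet keeps the starting prefix length unless new_prefix is given, so
    ("10.1.1.0/24", 16) yields 10.1.1.0/24 ... 10.1.16.0/24 and rolls cleanly
    into the next octet (10.1.255.0/24 -> 10.2.0.0/24). Raises ValueError if the
    run would pass the end of the address space.
    """
    net = ipaddress.ip_network(start, strict=True)
    prefix = net.prefixlen if new_prefix is None else int(new_prefix)
    if prefix < net.prefixlen:
        raise ValueError("new_prefix must be at least as long as the starting prefix")
    step = 1 << (net.max_prefixlen - prefix)   # addresses per subnet
    base = int(net.network_address)
    subnets = []
    for i in range(int(count)):
        first = base + i * step
        if first + step > 1 << net.max_prefixlen:
            raise ValueError(f"{count} x /{prefix} starting at {start} runs past the address space")
        # type(net) keeps the address family of the starting block (v4 or v6).
        subnets.append(str(type(net)((first, prefix))))
    return subnets


def subnet_plan(start, count, vlan_base=100):
    """Per-subnet values a switch template needs: VLAN id, gateway, usable range."""
    plan = []
    for i, cidr in enumerate(next_subnets(start, count)):
        net = ipaddress.ip_network(cidr)
        hosts = list(net.hosts())   # usable addresses (254 for a /24)
        plan.append({
            "vlan": vlan_base + i,
            "network": cidr,
            "netmask": str(net.netmask),
            "gateway": str(hosts[0]),      # first usable address for the SVI
            "first_dhcp": str(hosts[1]),   # hypothetical pool start after the gateway
            "last_host": str(hosts[-1]),
        })
    return plan


class FilterModule(object):
    """Ansible's filter plugin entry point: maps Jinja filter names to callables."""

    def filters(self):
        return {"next_subnets": next_subnets, "subnet_plan": subnet_plan}


if __name__ == "__main__":
    for entry in subnet_plan("10.1.1.0/24", 16):
        print(entry)
```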



Having issues connecting to Azure through different IP range, on same VLAN... thoughts?

I have a VLAN setup (Vlan20) with the IP 192.168.2.x, connected to Azure using a tunnel on my Cisco ISR. Azure is setup to accept clients from the 192.168.2.x as well as 10.12.0.x networks. My ISR is also setup to have a secondary IP in the VLAN20 address space, at 10.12.0.1, however, when computers from the 10.12.0.x try to ping a machine on Azure, I get no responses.... switch back to the 192.168.2.x address space, and it works.

I have my access-lists set up properly for both ranges... I'm not entirely sure what else I could be missing. Here is my configuration:

crypto ikev2 proposal azure-proposal
 encryption aes-cbc-256 aes-cbc-128 3des
 integrity sha1
 group 2
!
crypto ikev2 policy azure-policy
 proposal azure-proposal
!
crypto ikev2 keyring azure-keyring
 peer 52.237.36.248   <- Azure IP address
  address 52.237.36.248   <- Azure IP address
  pre-shared-key xxxxxxxxxxxxxxxxxxxxxxx
 !
 peer 52.237.34.217   <- Azure IP address
  address 52.237.34.217   <- Azure IP address
  pre-shared-key xxxxxxxxxxxxxxxxxxxxxxx
!
crypto ikev2 profile azure-profile
 match address local interface GigabitEthernet0/0/0
 match identity remote address 52.237.36.248 255.255.255.255
 match identity remote address 52.237.34.217 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local azure-keyring
!
zone security INSIDE
 description All interfaces on the INSIDE of the network, including VPN tunnel interfaces
zone-pair security ZP-INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect POLICY-INSIDE-TO-OUTSIDE
zone-pair security ZP-OUTSIDE-TO-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect POLICY-OUTSIDE-TO-INSIDE
!
crypto ipsec transform-set azure-ipsec-proposal-set esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile azure-vti
 set transform-set azure-ipsec-proposal-set
 set ikev2-profile azure-profile
!
interface Loopback0
 description BGP Peer IP address
 ip address 192.168.255.1 255.255.255.255
!
interface Port-channel1
 description Po0 to Core Switch Po4
 no ip address
 no negotiation auto
!
interface Port-channel1.20
 description Production VLAN20 Subinterface
 encapsulation dot1Q 20
 ip address 192.168.2.1 255.255.255.0 secondary
 ip address 10.12.0.1 255.255.252.0
 ip nat inside
 zone-member security INSIDE
!
interface Tunnel2
 description Tunnel to Azure Canada Central Gateway 1
 ip address 169.254.0.1 255.255.255.0
 zone-member security INSIDE
 ip tcp adjust-mss 1350
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 52.237.36.248   <- Azure IP address
 tunnel protection ipsec profile azure-vti
!
interface Tunnel3
 description Tunnel to Azure Canada Central Gateway 2
 ip address 169.254.1.1 255.255.255.0
 zone-member security INSIDE
 ip tcp adjust-mss 1350
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 52.237.34.217   <- Azure IP address
 tunnel protection ipsec profile azure-vti
!
interface GigabitEthernet0/0/0
 description Interface to Internet
 ip address xxxxxxxxxxxxx 255.255.255.248
 ip nat outside
 ip nbar protocol-discovery
 zone-member security OUTSIDE
 negotiation auto
!
interface Vlan1
 ip address xxxxxxxxxxxxx 255.255.255.240
 ip nat outside
 zone-member security OUTSIDE
!
interface Vlan20
 no ip address
 ip helper-address 10.12.0.20
!
router bgp 65002
 bgp log-neighbor-changes
 network 192.168.2.0
 network 192.168.3.0
 network 192.168.5.0
 neighbor 192.168.207.6 remote-as 65001
 neighbor 192.168.207.6 ebgp-multihop 255
 neighbor 192.168.207.6 update-source Loopback0
 neighbor 192.168.207.7 remote-as 65001
 neighbor 192.168.207.7 ebgp-multihop 255
 neighbor 192.168.207.7 update-source Loopback0
!
ip nat inside source static tcp 192.168.2.81 443 xxx<my public ip>xxx 443 extendable
ip nat inside source static tcp 192.168.3.9 80 xxx<my public ip>xxx 80 extendable
ip nat inside source static tcp 192.168.3.9 443 xxx<my public ip>xxx 443 extendable
ip nat inside source static tcp 192.168.2.73 21000 xxx<my public ip>xxx 21000 extendable
ip nat inside source static tcp 192.168.2.73 21001 xxx<my public ip>xxx 21001 extendable
ip nat inside source static tcp 192.168.2.73 22000 xxx<my public ip>xxx 22000 extendable
ip nat inside source list NAT_LIST interface GigabitEthernet0/0/0 overload
ip nat inside source list NAT_LIST_SMTP interface Vlan1 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 xxx<my public ip>xxx
ip route 192.168.207.6 255.255.255.255 Tunnel2
ip route 192.168.207.7 255.255.255.255 Tunnel3
!
ip ssh version 2
!
ip access-list standard SSH_MANAGEMENT
 permit 191.234.35.42
 remark List of addresses that can manage this device via SSH
 permit 192.168.0.0 0.0.255.255
 permit any
!
ip access-list extended ACCESS_TO_DR_PORTAL
 permit ip any host 192.168.3.9
ip access-list extended NAT_LIST
 deny ip any host 67.226.181.231
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.3.0 0.0.0.255 any
 permit ip 192.168.5.0 0.0.0.255 any
 permit ip 192.168.8.0 0.0.0.127 any
 permit ip 192.168.9.0 0.0.0.255 any
 permit ip 10.10.0.0 0.0.0.255 any
 permit ip 10.12.0.0 0.0.0.255 any
 permit ip 10.13.0.0 0.0.0.255 any
 permit ip 10.14.0.0 0.0.0.255 any
 permit ip 10.15.0.0 0.0.0.255 any
 permit ip 10.18.0.0 0.0.0.255 any
 permit ip 10.19.0.0 0.0.0.255 any

Thoughts? Most of this is existing configuration, not mine, so some of it may be wrong. They're using Classic Azure, which has its own set of challenges when it comes to configuration... but I believe it's set up correctly... just having issues connecting.



Cannot connect windows 7 laptops to WiFi with 802.1x PEAP

Hi there, I am hoping someone can help shed a little light onto a small issue I have come across when setting up 802.1x authentication for our WiFi.

I work within a school and am in the process of setting up an SSID for students. I have done all the VLANing and set up a RADIUS server, which all seems to be working fine on a user/password/permission level. When I try to connect with my mobile using my typical username and password, I can connect fine etc.

When I try to connect on a Windows 7/10 device, I just get the troubleshooting message and it doesn't connect. I know there is a workaround where you have to add the wireless network manually and tell it not to use the laptop's default login credentials, although this is not ideal as I do not want to be doing this for every student's personal device.

Has anyone run into this problem before and managed to figure out what's wrong? Any help right now would be awesome as I must have spent an easy 2 weeks on this, trying to get it to work.

Thanks!



HP LaserJet Office Troubleshooting

I can't seem to connect the shared folder from one of three computers. This computer can print and transfer to the other computers. It is a fresh install on Windows 10 Pro. Here is a pic of the error message I'm getting.



NAC and Remediation: Any recommendations for BYOD environments?

I'm working with Impulse SafeConnect and I've got Cisco Layer 2 switching (2960-X) and Cisco WLC with APs in Local Mode. I'm attempting to implement 802.1x auth on these platforms with SafeConnect as the RADIUS controller. Our previous SafeConnect deployment had Layer 3 enforcement so quarantined devices were all policy-based routed to the SafeConnect appliance which would act as a proxy for AV websites but block everything else.

The issue is trying to allow Quarantined clients to get out to the web for certain things like AV downloads and updates so that they can self remediate. Apparently, the remediation bit is the only thing that the Layer 3 deployment option really does better.

With 802.1x I'm utilizing a Redirect URL ACL on the Layer 2 switches but Cisco switches don't seem to do DNS or URL based ACLs. You can enter a DNS name and it immediately gets converted to an IP. For something in Amazon Cloud Services, this is likely to be a problem due to IP changes or a DNS name that resolves to multiple IPs.

The Cisco WLC CAN utilize some DNS names with a standard ACL, however, it seems like it can only hold about 20 entries which sounds like a lot until you realize that some AV vendors utilize multiple URLs for updates that don't always exist in their registered CIDR.

Options I'm considering:

  • Limit the number of AV vendors we officially support and do our best in the ACLs to allow access to these even while in Quarantine
  • Turn off the policy check for AV updates and maybe only check to make sure the user has one installed and running (I believe this is already being done for Mac clients... Windows clients are the only ones checking to make sure everything is up-to-date)
  • Create a Quarantine VLAN for every building and expand our SafeConnect policy to allow for this and then have the RADIUS commands tell switches to move the client to that Quarantine VLAN if they fail policy. Policy Based Routing can be applied on this VLAN to force all traffic to SafeConnect. The issue here is that, apparently, devices can get stuck because they don't realize they need to ask for a new IP when the VLAN switching occurs.

I'm looking for recommendations for what others do in a BYOD environment like public Wifi and on-campus housing networks.

Thanks!



Options for connecting remote sites over the Internet

Hello fellow network engineers,

I turn to your collective wisdom for some advice about how to connect a customer's remote sites over the ol' Internet.

Current situation: Customer has some 7 sites, 5 of which are connected over MPLS and two over IPSec. Because their MPLS is too expensive they want to do away with it and just connect over the internet. They have one single Cisco 1901 router in one of the sites and Sophos boxes in all the others. Each site has at least one Internet connection, most of the sites have two.

Possible solutions:

0 - Full mesh manually built tunnels. Given the number of sites and the fact that most have redundant internet connections that I would like to take advantage of, this goes right out the window. Too complicated, too difficult to maintain and troubleshoot and not at all scalable.

1 - Hub and spoke, or more likely dual redundant hub with spokes so as not to have the hub as a spof. Fortigate should have something in their portfolio to fit the bill. They have reasonable price, reasonable performance, support IPSec tunnel interfaces (needed for routing), and routing protocols. This should be a reasonable solution. I'm thinking this could also be done with some gear from Mikrotik (hub and spoke, with GRE over IPSec and OSPF or BGP for routing.)

1' - Same as above but with the Sophoses that the customer already has and perhaps a couple more. However I don't really think this is possible. As far as I know Sophos has no support for tunnel Interfaces. And without that, and the ability to run some sort of routing protocol I would have to do manual failovers in case one of the hubs fails, which I certainly don't want to do. I could go with a simple hub and spoke topology but that seems woefully fragile for a production environment.

2 - Cisco DMVPN - I've never set this up in practice but it seems an interesting solution and I'd like to give it a shot. It wouldn't be that difficult from a technical standpoint, I can lab it all up in GNS3 in a couple of hours, and see if it works how I want. Upside: I'm pretty familiar with Cisco gear and usually it's very capable and mature. Downside: Cisco routers are very pricey (given the budget I expect this customer to have), IPSec performance is appalling or something with good IPSec performance is prohibitively expensive. Also Cisco has the habit of nickel and diming you for every feature you want.

3 - Meraki Auto VPN - I don't have much experience with this, however as far as I know creating tunnels between Meraki firewalls under the same account is very easy, next to automatic. I suppose Meraki would also be able to handle redundant internet connections. As long as your network is fairly simple Meraki should be able to handle it, but the moment you come into something like an IP overlap, you are pretty much screwed. I may be wrong here but I found Meraki to be very simplistic, and I have a feeling that once you even slightly walk away from the beaten track you are immediately screwed (once you need something like a PBR or quirkier NAT to get around some issue, I don't think Merakis are capable of that). Seems only a little more capable than a $50 router you can get for home use. Also not entirely a deal breaker, but last I checked Meraki did not support IKEv2.

I also know Juniper and Checkpoint have solutions for this but I'm not at all familiar with those, and I also expect them to be pricey.

Thoughts?



Bandwidth Spikes

Every day at around 8:56-8:58, then 9:56-9:58, and again at 10:56-10:58 we have several sites on our WAN that spike up to their capped network allocation. We have noticed this behavior for several weeks now and was wondering if anyone else has seen this?

Packet captures show lots of traffic to/from akamai cdn addresses. I dug up some weird stuff in regards to one specific address that appears multiple times on multiple days.



Any good reddit are ads to buy networking equipment as a broker

Edit: any good Reddit areas to buy networking equipment



Monday, November 13, 2017

IPSEC Tunnels Through a Firewall

Pro/Con IPSEC tunnels through Firewalls



Are networking jobs on their way out or just developing into more responsibility?

Today, a co-worker of mine told me it's useless to go for networking certifications as the industry is moving away from valuing them as highly as they are now. I thought to myself "Maybe so, but the knowledge is never going to lose its value". This particular person believes that automation is going to make us extinct, but I replied with "Who do you think will be doing the automation? Network Engineers, that's who!".

I don't know, what do you guys think the future is going to shape our profession into?



Firewall Recommendation

I had this originally posted on /r/sysadmin and was recommended by /u/gamebrigada to post it here in hopes of a more positive response. I am the IT Manager for a small childcare business. I am new to this workplace, and was told by other IT Managers that the previous one was... not very good. I am looking for a firewall and was wondering what you would recommend for a company with around 10 computers. We are looking for something cost effective, but not a cheap piece of garbage. I'm looking for something with Web Filtering, VPN, and protocol blocking. Thanks! -Garrett



Design question / firewall recommendation

I don't think this breaks the sidebar rules. Apologies if I'm wrong.

I'm going to be combining two networks, which are essentially two separate lines of business, into one rack. I need to buy a new set of HA firewalls and I'm not sure what to get. I've always been a Cisco guy, but the more ASAs I get in my environment the more pissed off I get that there's no good way to centrally manage them. So, I'm open to other suggestions.

Here are the details of what I'm trying to do:

I'll have two WAN connections coming in, each with its own /27, each from a different telco, and essentially each needs to talk to its own set of internal vlans.

I don't need much in the way of speed, each of my WAN links is only 100Mbps but I DO need some pretty strong NAT capabilities. One of the ASAs I'll be migrating to this new HA pair has about 700 individual NAT statements and that is likely to grow significantly. And decent L2L VPN capabilities. Currently have ~200, that may grow also.

My real hang up is the two WAN links and routing. One set of internal vlans will only receive traffic on one WAN link, and can only send data out that same WAN link. The other vlans have to use the other WAN link. Can an ASA even do that? I've only ever set up an ASA to use a secondary WAN as a failover (and that doesn't work half the time).

For compliance and budget reasons I can only buy one set of HA firewalls. It would be so much easier to just keep these networks on separate devices with their own WANs, but that's not an option right now.

Can anyone offer any advice on the design, whether the ASAs will do what I need, if not, what firewall will, and secondarily, what size ASA should I look at - a 5525, 5585, bigger?

Thanks in advance.

Edit: added some info on the VPN needs



CUCM translation pattern issue

Hello,

I have a CUCM VoIP setup that has been working fine for years with little to no issues. Recently the phone company started giving out local numbers that match one of our Translation patterns.

The translation pattern in question is set to 8570. The local number pattern is xxx-570-xxxx. We use 8 to dial out. So if a user is trying to call out to one of these numbers they pick up the phone, dial 8 then 570-xxxx. However, as soon as they get to the 0 they get redirected to the internal extension defined by the pattern.

Is there any way to work around this without having to assign a new phone number?



Public DNS Queries

We've been running into some internet issues recently with a remote site that occurred around the same time we migrated to new Domain Controllers/DNS servers. For the remote site, access to various public websites will time out or be very slow to load, while on other days these same sites work with no issues. I stopped by the remote site last week to check inside the network and so far everything looked good. Right now the issues seem to stem from our local office (the remote site connects to our site for access to the internet proxy and AD authentication). I've placed tickets with our Managed Services provider to check the internet equipment/configuration at the border of our network and the tickets come back with everything looking good from their end.

Anyone run into similar issues with migrating to DC/DNS servers with new IP Addresses?

Trying an nslookup pub.url 8.8.8.8 shows DNS request timeouts at both the local and remote office.



New network enclosure with existing patch panels

We are looking at replacing several network equipment enclosures that currently house patch panels. There is nothing wrong with the patch panels and we would like to preserve them. The problem is that I can't seem to find any cabinets that are designed for this scenario.

Has anyone had success performing a retro-fit kind of install like this? What did you do?



VM Firewalls Only

We're spinning up a limited, essentials only, DR Site for failover. This site is out of state and a single rack. Our typical deployment is PA Firewall > Core Switch > UCS Switch > Servers

Has anyone done or had luck virtualizing the PA Firewall side of that completely? As in our Internet Edge traffic would terminate on a VLAN and go through the Core Switch to the UCS Servers. Then since our entire environment is virtualized it should stay within the UCS Backplanes.

In theory this should be easier to manage a remote site, but I have some hesitations and I'm trying to make sure it isn't just nerves of virtualized networking.



An interview question, how many broadcast and collision domains in a 24 port switch, with 4 hosts connected to two VLAN's

I said 2 broadcast domains (2 vlans) and 4 collision domains (4 connected hosts to 4 ports in up/up state).

The interviewer did not seem convinced by the answer; I think he was expecting to hear 24 collision domains, since it was a 24 port switch.

what do you guys think?



Does the port speed of your gateway determine the speed of your network?

Doesn't sound like it's right, but someone has me thinking that the port speed of your gateway determines the speed of your network. I can understand the speed to the internet, but not the internal traffic? Right?

Scenario:

2x Core switches (Dell 4032F) Stacked with QSFP+

4x Workstation switches (Dell 3048P) Stacked with SFP+

1x Cisco ISR 4331 with only an SFP connection

If he's correct, because my Cisco ISR only has a 1Gb interface... my internal traffic is limited to 1Gb? Makes no sense to me; except for traffic going external... but maybe this is accurate because the ISR is my gateway... It's Monday, and has been a long weekend. Should I be making my Core switches the gateway instead if that's the case?

Thoughts?



How come networking protocols (SMB) are so bad at handling small files?

Dear experts, I've been curious about this for a while:

How come network protocols like SMB (AFP, etc.) handle small files so much slower than big files? Why can't, say, 100MB of binary data get bundled together and be sent in one go? And then deal with the permissions for each file in a bundled manner as well?

The difference in performance can be 20-fold between many small files vs. a large file transfer. I'm just curious how this can be a hard problem.

thank you! J



Alternate to cisco L3 ?

Hey guys,

We are looking to replace a Cisco L3 switch that's working as a router for us.

BGP, OSPF and plenty of SVIs running off it along with bandwidth policy.

We are thinking of replacing it and my choice would be to get an ASR1000, something with enough RAM for the full BGP table and enough ports for 10/40G connectivity. Reason behind wanting to change it would be its size, age and power consumption; in a way the device is also underutilized.

One way to go and it's very popular here, would be to go with a mikrotik device or Ros on an x86 and it does the job that a Cisco device can do and then some more.

I'd like to hear what else is out there and who is using it and how?

Cheers Niamul



Which WAN Technologies are used now?

Hello!

I'm nearly sure that FrameRelay, ATM, X.25 are history regarding WAN technologies. So what is used now? MPLS? Ethernet, what else?



Any Experience Implementing 2FA Admin Access?

We've been told by our PCI QSA that we have to implement 2 factor authentication for admin access to all network devices (Cisco routers, switches, ASAs, etc.) this year. Information on this seems pretty sparse on the web, has anyone here done it before? What did you use for the second factor? How does it work exactly?

We already have an RSA soft token infrastructure. If we went with these as the second factors, how would that work exactly? Would another prompt come up in the CLI to input the code? What about scripts and monitoring access?

Or is it possible to combine SSH public key authentication with password authentication and use certificates as the second factor? This seems preferable because I'm really not liking the idea of having to type in the code every last friggin time I need to log into a switch.

Any other possible second factors I'm not thinking of?