Saturday, January 20, 2018

Cisco SG300 L3 Mode

I'm about to implement 2 Cisco SG300 switches. I have 28 ports that will be used on a floor-by-floor basis. The switch has 2 modes, switch and router. Does the router mode enable only router capabilities, or does it then function as an L3 switch? I would like to implement 5 to 7 VLANs on the switch and I don't have a dedicated router to work with, so if it operates in L3 switch mode, SVIs would enable easy routing.

Does anyone have any experience with SG series of switches?



Where to start troubleshooting a slow IPSec tunnel

I've connected two sites with a fairly rudimentary policy-based IPSec tunnel

  • Site #1: Cisco ASA-5525-X - Configured with Site-to-site VPN Wizard
  • Site #2: CCR1036 - Practically defaults. Added a peer and a policy to match the Cisco end. Set up a source NAT rule so clients at site B can connect to site A.

The tunnel pops right up, but the performance is abysmal.

When connected to Site A from Site B via IPSec tunnel:

Ping:

    ping -D -s 1200 10.0.0.94
    PING 10.0.0.94 (10.0.0.94): 1200 data bytes
    1208 bytes from 10.0.0.94: icmp_seq=0 ttl=62 time=22.737 ms
    1208 bytes from 10.0.0.94: icmp_seq=1 ttl=62 time=23.217 ms
    1208 bytes from 10.0.0.94: icmp_seq=2 ttl=62 time=68.820 ms
    1208 bytes from 10.0.0.94: icmp_seq=3 ttl=62 time=22.508 ms
    1208 bytes from 10.0.0.94: icmp_seq=4 ttl=62 time=23.064 ms
    1208 bytes from 10.0.0.94: icmp_seq=5 ttl=62 time=121.610 ms
    1208 bytes from 10.0.0.94: icmp_seq=6 ttl=62 time=22.045 ms
    1208 bytes from 10.0.0.94: icmp_seq=7 ttl=62 time=353.490 ms
    1208 bytes from 10.0.0.94: icmp_seq=8 ttl=62 time=22.763 ms
    1208 bytes from 10.0.0.94: icmp_seq=9 ttl=62 time=137.248 ms
    1208 bytes from 10.0.0.94: icmp_seq=10 ttl=62 time=20.840 ms
    1208 bytes from 10.0.0.94: icmp_seq=11 ttl=62 time=22.813 ms

Bandwidth:

    [ ID] Interval           Transfer     Bandwidth
    [  4]   0.00-10.00  sec   133 KBytes   109 Kbits/sec   sender
    [  4]   0.00-10.00  sec  4.76 KBytes  3.90 Kbits/sec   receiver

When connected to Site A from Site B via AnyConnect:

Ping (never deviates beyond +/- 5ms):

    ping -D -s 1200 10.0.0.94
    PING 10.0.0.94 (10.0.0.94): 1200 data bytes
    1208 bytes from 10.0.0.94: icmp_seq=0 ttl=64 time=23.182 ms
    1208 bytes from 10.0.0.94: icmp_seq=1 ttl=64 time=22.701 ms
    1208 bytes from 10.0.0.94: icmp_seq=2 ttl=64 time=22.910 ms
    1208 bytes from 10.0.0.94: icmp_seq=3 ttl=64 time=25.023 ms
    1208 bytes from 10.0.0.94: icmp_seq=4 ttl=64 time=24.687 ms
    1208 bytes from 10.0.0.94: icmp_seq=5 ttl=64 time=26.293 ms
    1208 bytes from 10.0.0.94: icmp_seq=6 ttl=64 time=24.710 ms

Bandwidth:

    [ ID] Interval           Transfer     Bandwidth
    [  4]   0.00-10.00  sec  49.9 MBytes  41.9 Mbits/sec   sender
    [  4]   0.00-10.00  sec  49.8 MBytes  41.8 Mbits/sec   receiver

I've tried locking down the MTU on either end and it doesn't seem to have made a difference.

At this point, I'm at a total loss. There's nothing special being generated in any of the related logs. I've played with a variety of encryption settings, but both ends remain relatively idle CPU-wise.

Should I be looking at MTU still here?



TCP ACK Packets & Provider Upload Limits

Providers are starting to roll out 1gbps download speeds to customers (business & residential) without using FTTH. Cable providers are doing this, typically, with DOCSIS 3.1 (though I've heard of a few doing it with DOCSIS 3.0). Cox offers 1gbps/35mbps using D3.1, Comcast appears to be the same (it was really hard to find info on them), and I think AT&T customers are out of luck unless they have fiber.

So I was doing some math and I think it's right - but call me out if it's not.

(Math obviously varies if you're using 10^3 vs 2^10 units. I'm using the latter - 1024. And yes, I've simplified and not accounted for the downstream headers and such.)

1000 mbps = ~1,048,576,000 bits/sec ... / (1500 bytes ethernet MTU * 8 = 12000) = ~87,380 packets/sec.

So, assuming we're using TCP - every packet needs its ACK... which is ~54 bytes * 8 = ~432 bits.

That gives us: 87,380 ACKs/sec * 432 bits = 37,748,160 bits/sec of TCP ACKs... or ~36mbps.

None of this accounts for duplicates, retransmissions, drops, etc. I'm assuming best-case-scenario (which I know full well that it's not).

So, if my math is correct, that seems to mean that anyone selling 1000 mbps download bandwidth while only providing 35mbps of upload is actually selling you download bandwidth that's mathematically impossible to obtain unless you're using UDP or another connectionless protocol (whee, let's download all of our files with TFTP - even that sends its own ACKs on Layer 7, lol - I just happen to have a TFTP capture open, the acks are 50 bytes on the wire.)

Obviously for those with deep enough pockets to be on a SONET ring with a synchronous 1000/1000+ connection (or be lucky enough to have some form of cheaper fiber deployed), this is a non-issue.

Am I thinking clearly? I did the math several times and I'm kinda in shock. I hadn't given it much thought until recently.
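The upload-budget arithmetic in this post, as an added worked calculation (not the poster's code): it generalises the same formula so that download rate, segment size, ACK size and the number of segments one ACK covers are parameters, and it inverts it to give the download rate a given upload cap can sustain. The Ethernet framing figures (FCS, preamble/SFD, inter-frame gap, 64-byte minimum frame) are added assumptions that the post deliberately leaves out.

```python
"""Upstream TCP-ACK budget for an asymmetric link (added worked example).

Generalises the post's arithmetic: download rate, segment size, ACK size,
segments covered per ACK and (optionally) Ethernet framing are parameters,
so one function answers "how much upload do the ACKs need?" and another
"what download rate can this upload cap sustain?".
"""
from dataclasses import dataclass

MI = 1024 * 1024  # the post counts in 2^10 units, so 1000 "mbps" = 1000 * MI bit/s


@dataclass(frozen=True)
class AckModel:
    segment_wire_bytes: int    # bytes one full-size downstream segment occupies on the wire
    ack_wire_bytes: int        # bytes one pure ACK occupies on the wire
    segments_per_ack: int = 1  # 1 = ACK every segment (the post's assumption)
                               # 2 = RFC 1122 delayed ACK (one ACK per two full segments)


# The post's simplification: a 1500-byte IP packet per segment and a 54-byte ACK
# (14 Ethernet + 20 IPv4 + 20 TCP, no options), with no other framing counted.
POST_MODEL = AckModel(segment_wire_bytes=1500, ack_wire_bytes=54)

# Assumed Ethernet framing the post leaves out: 8 bytes preamble/SFD + 12 bytes
# inter-frame gap + 4 bytes FCS per frame, and frames padded to 64 bytes including
# FCS. A 54-byte ACK therefore costs 60 + 4 + 20 = 84 byte-times on the wire and a
# full 1500-byte packet costs 1500 + 14 + 4 + 20 = 1538.
ETHERNET_MODEL = AckModel(segment_wire_bytes=1538, ack_wire_bytes=84)


def segments_per_second(download_bps: float, model: AckModel) -> float:
    """Full-size downstream segments per second at the given download rate."""
    return download_bps / (model.segment_wire_bytes * 8)


def ack_upstream_bps(download_bps: float, model: AckModel) -> float:
    """Upload bandwidth consumed purely by ACKs at the given download rate."""
    # Same as segments/s / segments_per_ack * ack bits, written to avoid rounding drift.
    return download_bps * model.ack_wire_bytes / (model.segment_wire_bytes * model.segments_per_ack)


def max_tcp_download_bps(upload_bps: float, model: AckModel) -> float:
    """Largest download rate whose ACK stream alone fits inside the upload cap."""
    return upload_bps * model.segment_wire_bytes * model.segments_per_ack / model.ack_wire_bytes


def ack_stream_fits(download_bps: float, upload_bps: float, model: AckModel) -> bool:
    """True if the ACKs for download_bps fit in upload_bps with nothing else being sent."""
    return ack_upstream_bps(download_bps, model) <= upload_bps


def report(download_mi: float, upload_mi: float) -> dict:
    """The post's 1000/35 question under each model; rates in Mi bit/s, one decimal."""
    out = {}
    for name, base in (("post", POST_MODEL), ("ethernet", ETHERNET_MODEL)):
        for k in (1, 2):
            m = AckModel(base.segment_wire_bytes, base.ack_wire_bytes, k)
            out[f"{name}/ack_per_{k}"] = {
                "ack_upstream_mi": round(ack_upstream_bps(download_mi * MI, m) / MI, 1),
                "max_download_mi": round(max_tcp_download_bps(upload_mi * MI, m) / MI, 1),
                "fits": ack_stream_fits(download_mi * MI, upload_mi * MI, m),
            }
    return out


if __name__ == "__main__":
    for key, row in report(1000, 35).items():
        print(f"{key:18} ACKs need {row['ack_upstream_mi']:6.1f} Mi bit/s up; "
              f"35 Mi up sustains {row['max_download_mi']:7.1f} Mi down; fits={row['fits']}")
```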



What impact will SDN have on network engineering jobs?

As someone who is new to IT and deciding what route I would like to take, I have heard rumors that SDN can destroy network engineers' jobs. I'm about to start studying for the CCNA soon but don't want to commit to a dying field. What are your opinions on this?



Active/Active Fortigate Firewalls as Routing Devices

I'm currently working on a design which will put a pair of Fortigate firewalls in between my default VRF and a number of L3VPNs over MPLS. The firewalls will be located in two different locations on our campus.

In the past, all I have been able to find is documentation on how to set up the Fortigates in Active/Active where they basically act as a large virtual device. This makes handling fail-over between multiple locations a challenge, and adds the need to drag L2 networks around my very nice L3 network.

At a conference this fall, I talked with an engineer who had deployed a pair of Fortigate firewalls basically as independent routing devices where session and firewall rules were synced between the devices. I have looked around the Fortinet website, but can't seem to find anything there pointing me in the right direction.

I was hoping someone here has deployed this, and could either chat with me about their setup or share with me the documentation they used.

I've done this setup with our Palo Alto firewalls, and I'm really hoping I can do it with the Fortigates. No firewalls would be even better....



Mechanical vs. Fusion Splice - What would you do?

Hi all,

I need to connect 3 buildings (A, B, C) where both B and C need a minimum of 12 strands each back to building A (only one pair will be in use to start). Building C is directly connected to B, and B to A. There is no outside cabling required. I thought it would be fairly simple... have an electrician in to install some 2" conduit from A to B and 1" from B to C, then get them to pull some pre-terminated cable from fs.com along with some spare pull tape. That thinking ended once my electrician reminded me the cable needs to be CSA approved to go into crawl spaces and such.

I've confirmed with fs.com that their cable is not CSA approved and now I'm looking for another vendor that can provide custom length pre-term'd cable that is. My search has not found anyone yet. My question is: should I just get some un-term'd cable and throw some mechanical splices and pigtails on? Or do I make the case to rent (if I can find a rental place) or purchase a cheap splicer (it would be v-groove - no way they'd go for core alignment. Probably something like the Ilsintech Swift F3)? This is for a MDU where each unit has fiber that is currently un-term'd. They would need to terminate this later, but the thinking is that the ISP who would want to use it would take care of that.

The maximum length of the cable needed for the building interconnect is 160 meters. It would be singlemode fiber running 1Gbps. I'd say it will never see 10Gbps, but I know better than to make bold statements like that. Fusion splicing is ideal - no debate on that from me. Unfortunately I don't know that I'll have the funding for it.

Any help or suggestions would be greatly appreciated. Thank you in advance.



Anyone know of another way to get updates for Calix products?

I sorta got handed this new network build-out with a bunch of Calix gear and no one seems to have an account on their site. I signed up yesterday morning, but it said it would be 3 days before I get an account... wanted to knock out some updates over the weekend (none of this gear is hot yet, but I know I need updates on a few of them to talk to the CMS).



IP Camera System Help -2012 r2 server

Hi Guys, I have about an hour and a half to fix this problem before going on a flight to SF for a few days. I'd really hope to fix this problem before I leave as it would leave me more secure leaving my business knowing I can watch from afar.

First things first - my incredibly shitty network structure made by "Professionals". I know it's a mess, but this is a story of its own. Pic here

The main issue was, the people who set up my server never set up static IPs. So when I connected my new camera system, it used IPs already in use. So I created a new VLAN for the cameras to run from; the NVR and all the cameras on the NVR listened to the VLAN rules properly and it works like a dream. However, the camera switch, instead of pulling IPs from VLAN 30 (new VLAN), is pulling the IP from VLAN 20 (VOIP server), and at the same time my NVR is not capable of finding the IPs from the VOIP server.

I have the VLAN properly set up in both switches and the Cisco router. Tracert and pings are confirming it's set up properly. But for the life of me, I cannot figure out why it's pulling IP leases from my VOIP server. The port it's connected to in the Cisco router is pointing to my AD server on VLAN 30 and my AD server is assigning it IPs from VLAN 30, but for whatever reason, it's ignoring everything and going directly to VLAN 20.

It's a Cisco RV320 router, a Cisco SG300-28PP switch and an HP 2610 switch. Both servers are 2012 R2.

Any and all (hopefully quick) input is greatly appreciated

Edit

When pinging the camera from my VOIP server, it comes back 4/4; when pinging from a computer connected to the AD server, it says it expired in transit.



[noob] Question on ports and packet screening

Hello, sorry if I'm asking this in the wrong sub, but I have a question on port forwarding security. I understand how port forwarding enables one computer/server on my network to be the dedicated server for a particular service. What I do not understand is where/when the packets are screened for malware. Let me give an example:

I have an apache web server. When you type my IP/Domain in a browser you send a packet to my ip at port 80 asking to download my website. What if however, you created a packet with some type of malware that could exploit that apache server and simply label the packet as a port 80 packet? Does apache make sure it is only communicating with "good" packets? How does it do that?

Bonus question: If I am forwarding 80 to my rpi and my rpi is off, is the port technically off too or is there still vulnerability in the network?

Thank you



Best Wireshark Tshoot material?

I recently obtained my CCNA and plan to switch over to CCNP studies soon. However I've decided to concentrate on rounding out the skills a little before jumping back into the Cisco certs. I've jumped into some Udemy courses for Wireshark along with network automation using Python.

I've gotten the feel for Wireshark and everything it can do, now I'm trying to find some good material for actually using it to troubleshoot issues with labs. I found this book which seemed like my answer but it was written before Wireshark 2.0 was released. Is there anything better and more current out there? I know the author has another book with the title "Wireshark 101". It's written with 2.0 in mind and boasts having a ton of labs. It seems that it's based more about learning Wireshark than actually using it to tshoot specific issues though.



GETVPN rekey: Why are the private keys different?

I have been reading up on GETVPN recently, and working on a lab. I have two KS, in coop. Per the document, I generated the RSA keys on the primary and exported them to the secondary for rekey purposes. After exporting, I look at the keys and the private keys are different. Aren't both public and private keys supposed to be the same between KS?



Friday, January 19, 2018

TCP RST vs UDP ICMP type 3 code 3

So I'm perfecting my notes here and I wanted to clarify a few things, make sure I have it right. I know that if a port scanner or something is checking a TCP port it will send TCP syns for the port and will try to establish a 3 way handshake. For UDP I know that it will just send protocol data depending on the port, or random data hoping for a response or icmp type 3 code 3. However, I want to be sure about one thing. Is it absolute that a TCP host SHOULD send a TCP RST, or can they send an ICMP type 3 code 3 as well? Is this just how the implementations have gotten and that's now the norm (tcp using tcp rst and udp using icmp type 3 code 3?) Is there ever a scenario when a host rejecting a TCP connection would send a icmp type 3 code 3?



weird config on a router with 2 untagged vlans

I'm not responsible for the config but I inherited it. We have an office with a router with 2 interfaces; one interface is going to this company division and the other to this company division. Both interfaces are trunked to their respective switches and have sub-interfaces with untagged VLANs: gi0/0.1 (encapsulation dot1q 10 native) and gi0/1.1 (encapsulation dot1q 10 native).

Our systems admin noticed that it's a little slow copying files between the 2 company divisions. How would this even work? How would the router know which subnet the untagged vlan belonged to since there are 2 interfaces?



BIRD BGP - Announce Connected Route

A third party is trying to establish BGP connectivity to us, via an IPSEC tunnel. We have been able to establish BGP neighbors but they cannot get past only advertising a default route to us.

Supposedly, the route 10.1.2.0/24 is directly connected on their end, but it does not show up in their BIRD routing table. Does anyone have any pointers? I only have a snippet of the config.

    birdc show route all
    BIRD 1.6.3 ready.
    0.0.0.0/0          via 13x.1xx.xx.1 on eth0 [kernel1 17:30:34] * (10)
        Type: inherit unicast univ
        Kernel.source: 4
        Kernel.metric: 0

    router id 1.0.1.1;

    protocol device {
        scan time 10;
    }

    protocol kernel {
        persist;
        learn;
        import all;
        export all;
        merge paths yes;
    }

    protocol bgp BGP {
        local 192.168.1.2 as 65160;
        neighbor 192.168.1.1 as 65200;
        import all;
        export where ifname ~ "eth*";
        preference 160;
        hold time 6;
    }


Fibre splicing equipment advice?

Just after some advice please! As a security & network installation company we are doing more and more fibre installations; currently we out-source our fibre terminations to a sub-contractor but I'm trying to bring this in-house. I've sent one of my very keen engineers on a fibre installation course and he's come back with some great insight, and I just want to check what was good advice and what was pure "sales pitch" by the course provider (also a manufacturer of equipment). Our current sub-contractor has always terminated the fibre cores with connectors (e.g. LC); my engineer has said he was taught this is not recommended, and instead we should be using a fusion splicer and pigtails. Is this correct? If so, can anyone recommend a good splicer (we're in the UK)? It's quite an investment and I want to make sure we get a good one... I've also seen some for hire, which seems a good idea for the first few jobs. Any other advice would be greatly appreciated! Thanks in advance. A.



Upgrade IOS of switch stack consisting of 3750G and 3750X switches

I'm looking for guidance on how to update the IOS of a switch stack with different models of Cisco 3750s. I have a stack of switches consisting of 3750Gs and 3750Xs.

Both models are currently running on the same number version of code but different licensing(?) levels. The G's are running on IPServices images and the X's are running on Universal images. This is the same when I go to download the IOS from Cisco's website (G's have IPServices and IPBase images, and X's have Universal and IPBase images).

The X's currently have the IPBase license active with a temp IPServices eval license that hasn't been used.

How do I go about updating the IOS on this switch stack?



Network question for novice.

Hello everyone,

Short back story: I work for a large ISP as a front line sales person and I formerly had a lot of technical support. There was a corporate restructure and my title and role have changed. I am now responsible for selling network solutions and all of the technical support is now gone.

I have tried finding a good explain-like-I'm-five on this subject but have been unsuccessful. The internal training resources are also dismal at best. I have a question that I am embarrassed to ask a colleague as everyone on my team is new to me.

What is the difference between port and access? For example, I am being asked to quote

100Mb Port/1Gb access burstable.

Is the 100mb the speed or is the 1gb the speed? Or are these even speeds at all? I am completely lost here and would really appreciate a very simple explanation. I am one week into this role and I am really trying to understand it, but I don't know where to even start. I should also mention that I currently do not even have a manager to point me in the right direction.

Any help would be greatly appreciated.

Thank you.



What do you use to monitor/manage hardware VXLAN?

We are currently using Cisco Nexus 9000 switches in our datacenter. These are deployed in NX-OS mode and we've created a VXLAN overlay on top of these switches to provide layer-2 adjacency across the racks. We are not able to get ACI. Cisco used to have Nexus Fabric Manager, or NFM, to help manage this deployment method, and it's going end of sale. They are now pitching the new DCNM which is supposed to have all the same functionality. It seems somewhat OK (regardless of DCNM nightmares in days of yore), but what are my other alternatives? How can I manage about 35 9ks, and monitor the whole thing?



Any Zayo engineers here? Lots of packet loss.

CenturyLink opened a ticket with Zayo, but everyone said that there were no issues found on their networks. 173.46.64.186 appears to be the last hop in the Zayo network, but its reverse DNS of "173.46.64.186.static.not.updated.ignitionmsp.com" appears to be an MSP in Bermuda. The issue started happening 3 days ago.

They eventually passed the buck and said that the issue is on LPL's end. LPL claims it's on CenturyLink's end. Pinging hops on the traceroute makes it appear that the issue is on Zayo's end.

    WinMTR statistics
    Host            Loss %   Sent   Recv   Best   Avrg   Wrst   Last
    -                    0    748    748      0     57    200     69
    65.158.66.37         1    745    744      0     60    204     64
    67.14.102.110        6    619    586      0     78    222     58
    64.125.12.121       26    371    276      0     78    236    197
    64.125.28.230       88    167     21      0    112    267     71
    64.125.31.253       63    215     81      0     81    229     22
    64.125.27.13        76    187     46      0     57    168     95
    64.125.31.254       91    163     15      0    102    208     72
    64.125.31.171       86    171     25      0     94    199    109
    64.125.31.198       88    167     21      0     94    202     94
    64.125.25.1         97    155      6      0     78     95     89
    173.46.64.186       94    159     11      0     87    243     72
    40.143.24.13        94    159     11      0    111    252     82
    40.143.25.229       94    159     11      0    106    238     71
    40.143.25.1         97    155      6      0     96    164     72
    104.219.77.47       91    163     16      0     78    133     72

I appreciate any guidance on what I should do next.



Network engineers, a small business hires you to implement their network. What are your top priorities?

I'm curious as to how this works, what exactly gets done regarding hardware etc.

Also just interested in having some kind of idea as to how the process works.



Cisco FTD

We are looking at multiple vendors for adding NGFW to our environment. On another post I mentioned FTD or ASA with Firepower bolt-on. It sounded like a lot of folks were having issues and bugs with these solutions in production. I am going to be meeting with Cisco soon and was just curious what kinds of challenges others are having with the FTD solutions in production?



Looking for some guidance on replacing our SonicWalls

First a little background. Currently we have SonicWall NSA 240s/TZ210s deployed at our office locations and NSA 3500s deployed at our primary/secondary datacenters. The primary method of connectivity between our sites is a MPLS WAN, but we do use the SonicWalls to provide backup VPN connectivity to our datacenters via broadband connections at each site in the event that the MPLS circuit is down. Because our network is not flat, we used tunnel interfaces with advanced routing (OSPF) enabled, as described here. The SonicWall at each site forms an OSPF adjacency with the local Cisco 2900 series ISR (which acts as the default gateway for the site, the uplink to our MPLS WAN, and as a voice gateway for CUCM, so these aren't going away). If the MPLS circuit drops then the local ISR drops the routes learned via the MPLS network, sees that those routes are available via the SonicWall (which it learned via OSPF by way of the VPN tunnel) and routes traffic accordingly. Again, because of the number of VLANs (some of which are stretched between our datacenters), the traditional site-to-site VPN where you have to define the subnets that are reachable on each side (or where they have to be local to the firewall) isn't a fit for us. Aside from a break in connectivity when the switchover happens, we are very happy with this solution.

Some of our SonicWalls are coming up on EoS, so it is time to look around at alternatives. The names that are on my radar are Palo Alto, Watchguard (because we have some staff that has experience with them, although I have my reservations based on the little I've seen), and ???

Palo Alto seems like it can do the route based VPNs based on what I've read here. On the Watchguard side it seems like maybe BOVPN is the equivalent functionality, maybe. I am leaning away from pfSense (because I don't like how everything is a bolt-on, i.e. Quagga, Snort), Fortinet (because of what I've read about performance and support), and Meraki (because of limited OSPF support). Also not a fan of Cisco ASA's (despite being a Cisco route/switch shop), but to be fair it's been a while since I've worked with one. Have I ruled out any that I shouldn't have? Are there any others I should look at? Price will not be the deciding factor and I am well aware of where PA falls on the price spectrum, but if I can get the functionality I want at a fraction of the cost then I'll listen.

In addition to supporting something similar to what we're doing today for WAN failover, the features we are looking for include:

  1. Performance/throughput - not sacrificing either, no matter what bells/whistles we turn on.
  2. Support - has to be top notch. No more "please reboot your firewall because the # days uptime is too high".
  3. IPS/IDS/Threat Prevention - needs to be able to identify/block/alert on legitimate threats, ideally without generating a load of false positives.
  4. Ease of management - say what you will about the SonicWalls, but I actually like their UI. We have a LOT of firewall/NAT rules and address objects, so being able to quickly sift through them is important.
  5. SSL VPN connectivity - used as a back-door by certain IT staff in case the primary remote access method (Citrix) is down.
  6. Management - some sort of centralized configuration management would be nice, but not a necessity.
  7. Any other "must have" "next gen" features that I may not be aware of because I've been living under the SonicWall rock for so long.

Also, the fact that our setup (MPLS plus broadband) at each location is ripe for a SD-WAN solution is not lost on me. I am just wondering if that is too much to bite off right now. A solution that would set us up to leverage SD-WAN 1-2 years down the road would be nice though... Our Cisco rep tells us that exciting things will be happening with the ISR line due to the Viptella acquisition, so maybe a wait and see approach is correct for now.

Lastly, if anyone has a VAR that they are particularly fond of for their product of choice (primarily because of the technical resources available), I'd like know that as well.

Thanks in advance.

TL;DR Looking to replace aging SonicWalls. Need something with robust OSPF capabilities, plus other bells whistles that we may not even know we are missing out on.



Securing an open Wi-Fi network

New place, new environment.

We will need to secure the open Wi-Fi network in a school district. What we are trying to accomplish is that anyone who logs in to the open Wi-Fi will have limited access, restricting them from doing damage to our network and other unnecessary things. Best case scenario is to have authorized users access resources like files and folders etc. within the domain. Our environment briefly consists of Cisco wireless controllers, no RADIUS server, and Windows Server. Any solutions to secure the open SSID - create a new one? Or modify the existing one? Any suggestions and guidance with our existing infrastructure will be great.

I heard of many solutions; one example was to have a separate ISP for the open Wi-Fi users (more cost :( ) or have every user log in and authenticate so they can have certain resources (files/folders), but it seems to me that we would need more stuff involved?

Any other info I’m missing please let me know.



CUAC - replaced phone and they can't log into the attendant console

I replaced a phone and now I'm getting the error message "invalid extension"? I found the application user that's configured in CUCM for CUAC, but none of the other extensions that use CUAC are added to it? I also created an operator in CUAC just for testing and was able to log in from my phone. Any ideas?



Help with DHCP relay

Can someone help me with this issue, hopefully I can explain enough needed to resolve it, please ask me for any more details:

Topology: Core > Wireless bridge > Switch > Wireless AP

  • Core: Catalyst 4500
  • Wireless bridge: Ubiquiti M5 Airmax
  • Switch: Catalyst 3650
  • AP: Aruba AP135

Core is set up with VLANs 1-33. Switch connects to core via the wireless bridge through VLAN 1 trunking. ip-helper address is set up on the VLANs on both core and switch. When I configure an interface on the switch with a VLAN, the client receives a dynamic IP just fine.

AP is connected to the switch with VLAN trunking as well, but a client will not receive a dynamic IP, only gets an APIPA address, which is the issue.

Any ideas?



Is there a way to wipe/reconfigure a Cisco router remotely?

I'm having to reconfigure one of our routers next week, but I'm trying to figure out if I can reconfigure it from my office instead of driving 3 1/2 hours to do so.

The new config is not all that different; the static public IP (from ISP) is still the same, but the internal IPs are changing. VLAN IPs, the IP of our DMVPN tunnel, and ip ssh rsa keypair-name would be under a different name.

The thing I'm worried about is whether I will still have remote access when I reconfigure it. Normally when I reconfigure one of our routers, I wr er, then just paste the new config in, copy run start, boom done. But I always have to generate new crypto keys in order for us to gain remote access.

Is there a way to do all this remotely? Could I copy the new config onto a text file, upload it to the router, then boot from that file, and then copy run start?

Worst case scenario I have to go out there, which is not a huge deal, but I was just wondering.



Bridge - Two Internet Gateways?

We're looking into setting up a bridge for two (comcast) gateways for our small business. My understanding is that a bridge is typically a piece of software that runs on a switch's hardware... is that correct? Or do actual hardware bridges exist?

Curious what a cost-effective solution is? Maybe just set up a small computer with bridging software to act as a router?



10GBe vs Fiber Channel switch - does 10GBe use IP address or WWN like FC switch uses?

Or is 10GBe just the simple TCP/IP address setup?



2x ASR1001X to play with

Hi, I have been given a couple of ASR1001Xs to play with, simulate some scenarios etc. The idea from the TA is to use these as connections at either end of a 10Gb link and run OTV. Not sure of the need for OTV to be honest, but anyway... Whilst the link is being ordered I wanted to have a play with these and see if I can simulate some scenarios that I have not done before. I'm comfortable with basic IGPs (EIGRP/OSPF etc.) but have not looked too much into VRFs/MPLS and BGP, and indeed OTV, so I thought this would be a good time to look.

Any advice on if these are good devices to learn those technologies, and of any good guides or recommendations to start with?



Quick Questions

Okay, I have a quick question about what I feel should be a simple task.

Quick Summary: Create a VLAN and a static route on a stack of Nortel 55xx ERS devices acting as a core router to a Checkpoint firewall interface for all traffic with a certain destination IP prefix.

To cut down on common traffic that gets logged in the firewall such as DHCP / WSUS / ETC we are creating a 'bypass' connection to the ip that handles that from the core stack which is then routed further by the checkpoint firewall.

I guess the main thing I want to make sure I know how to do is create said VLAN, assign it an IP, and create a static route on the core router, so that when we plug in the bypass cable it will work as it is supposed to. I have made what I feel are the necessary changes, but I just want to reach out just in case I missed something. :/

From my router config and command this is what I have done so far:

    show vlan

    96  DMZ-Traffic  Port  None  0x0000  Yes  IVL  No
        Port Members: 4/13

    Vid  ifIndex  Address        Mask           MacAddress         Offset  Routing
    Primary Interfaces
    1    10001    10.188.16.1    255.255.240.0  00:1A:8F:69:B4:40  1       Enabled
    96   10096    172.30.188.11  255.255.255.0  00:1A:8F:69:B4:42  3       Enabled

    ip routing
    interface vlan 96
    ip address 172.30.188.11 255.255.255.0 3

    show ip route static

    IP Static Route
    DEST          MASK           NEXT          COST  PREF  LCNHOP  STATUS  ENABLE
    0.0.0.0       0.0.0.0        10.188.16.5   1     5     TRUE    ACTIVE  TRUE
    10.253.188.0  255.255.255.0  172.30.188.1  1     5     FALSE   INACTV  TRUE

    exit



A VAR on one of my projects just quoted $4,000 per unit for 1GBase-LX transceivers. How's your day going?

I'm working on a project and a VAR just quoted $4k per unit for 1GBase-LX transceivers that should be $150 per unit. These are for J9151A HPE official transceivers.

Do these guys even have a concept of what things should cost?



Converting single mode fiber handoff to copper?

Hi, we recently had a new internet line installed in our datacenter and it was extended to our cabinet as 1000LX (single mode), but we actually need a copper extension. Going through the datacenter tech support seems like it may take a while, so I was wondering if there are any other options I can look into? I've found some converters online but I'm not sure if they would work in this situation.

Thanks for any help!



Help with prioritising traffic flow in VLANs between 2 physical datacentres using 2 separate uplinks

Apologies if any of my terminology is slightly wrong, some of this is new to me.

We have recently expanded our customer hosting to utilise a 2nd physical datacentre provided by our colo provider and I'm struggling to route internal traffic between the 2 locations via a new physical uplink they installed. I think I'm fighting against auto-created STP rules that are prioritising one link over the other.

Each datacentre has 100mbit Primary and Secondary internet feeds (for redundancy) and there is a cross-link of 1gbit (again, primary and secondary) that is for internal traffic. Illustration: https://ejquo23388.i.lithium.com/t5/image/serverpage/image-id/23449i6E00D20A296DA84F

I have a Netgear GS724Tv4 at Location A that understands STP and VLANs, and a TP-Link TL-SG1016DE at Location B that understands VLANs but doesn't give me any visibility or control over STP. Screenshot of STP status of netgear switch at Location A: https://ejquo23388.i.lithium.com/t5/image/serverpage/image-id/23450iD6393C377EA5D681/

Ports 17 and 18 are the Primary and Secondary 1Gbit uplinks to location B, tagged with internal VLAN traffic.
Port 22 is the Primary 100mb uplink and internet, no VLAN tags.
Port 23 connects to another internal switch at location A.
Port 24 is the Secondary 100mb uplink and internet (redundancy for port 22), no VLAN tags.

Internal traffic (regardless of VLAN tagging) is passing via the 100mb uplinks. If I create a VLAN that excludes ports 22/24 (the 100mbit links) the traffic is isolated to its own location and doesn't cross over ports 17/18 between location A and B. From what I can tell, it's being dropped by the Netgear switch because STP detects ports 17/18 as redundant and is prioritising 22 as the only port to send cross-location traffic through.

My plan is to replace the TP-Link switch with another GS724T and set up Multiple Spanning Tree Protocol (MSTP) to tag internal VLAN traffic in its own STP instance that only passes over the 1gb links (ports 17/18) between locations, and doesn't have access to the 100mbit feeds (ports 22/24).

Will this work, or is there another method I should follow to prioritise and route traffic between the 2 locations? What are best practices when routing internal traffic between different physical datacentres? Any advice or hints would be greatly appreciated.



Best IPSEC router + AP for small business?

I manage several offices that currently have D-Link routers with APs. The performance sucks, our VoIP phones are unreliable and I can't set up a proper guest wifi. I'd really like a solution where the guest portal requires a Facebook like or check-in for access. So far I'm leaning towards a UniFi USG, UAP-AC-PRO, and Cloud Key. blackbx.io would give me the Facebook feature I'm looking for.

Does anyone recommend a better solution?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



Setting up a Ring topology with Infiniband

I have 4 machines, each with a 2-port InfiniBand card: "InfiniBand: Mellanox Technologies MT26428 [ConnectX VPI PCIe 2.0 5GT/s - IB QDR / 10GigE] (rev b0)". I'm trying to set them up in a ring topology. I have opensm set up but it doesn't seem to be able to see the fourth computer.

I've looked around and I haven't been able to find a way of fixing this. Does anyone know how I can bridge the connectors, or some other way for opensm to get to the fourth computer?



About STP

My professor wants us, and I mean he said WANTS us, to go onto forums and ask about STP and your own implementations of it, then print it out for the discussion on it. I would rather not create a random account on a random website that I will forget about, and would like to post here instead. So, uhhh, tell me to your heart's content! If I'm not allowed to post this here, sorry; it just seemed more relevant to post here to get actual professionals and not randos on other subreddits.



Migration to AWS

Hey everyone,

My company took the decision to move some of our services to AWS. We'll have two VPCs there with probably two /16 subnets (which is huge) and two redundant cross-connects running BGP to interconnect our infra to AWS.

What would you recommend: using AWS as an extension of my infra (easiest way but less secure from my point of view), or doing some NAT on both sides (not routing the /16, more secure)? Or do you have another idea?



Thursday, January 18, 2018

tcpdump and IPv6 RST flag

stargate# tcpdump -nni eth0 '(tcp[tcpflags] & tcp-rst != 0)' and ip6

tcpdump: expression rejects all packets


Can anyone explain why this syntax is no good, and how one would write a capture filter for IPv6 TCP RST?
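The reason the filter is rejected is in pcap-filter(7): the `proto[expr]` index form is only defined for IPv4 for the transport protocols (`tcp[...]`, `udp[...]`), because libpcap locates the TCP header from the IPv4 header length and does not walk IPv6 extension headers. Combining `tcp[tcpflags]` with `ip6` therefore can never match. The working form indexes the IPv6 header directly: the Next Header field is byte 6 and, with no extension headers, the TCP flags byte sits at 40 + 13 = 53, so `tcpdump -nni eth0 'ip6 and ip6[6] == 6 and ip6[53] & 4 != 0'` captures IPv6 TCP RSTs (tcp-rst is 0x04). The caveat is that any extension header shifts the TCP header and the fixed-offset filter silently misses that packet. The following is an added example, not from the post, that reproduces exactly that byte-offset test in Python on constructed packets (documentation/test addresses, checksums zeroed) so the offsets can be checked against real captures:

```python
import struct

IPV6_FIXED_HDR = 40     # bytes; the filter assumes no extension headers follow it
NEXT_HEADER_TCP = 6
TCP_FLAGS_OFF = 13      # byte offset of the flags field inside the TCP header
TCP_RST = 0x04          # tcpdump's tcp-rst constant

# The capture filter these functions mirror; 53 = 40 + 13.
TCPDUMP_IPV6_RST_FILTER = "ip6 and ip6[6] == 6 and ip6[53] & 4 != 0"


def is_ipv6_tcp_rst(pkt: bytes) -> bool:
    """True when pkt is IPv6 + TCP with RST set, judged exactly as
    'ip6[6] == 6 and ip6[53] & 4 != 0' judges it. A packet with an extension
    header between the fixed IPv6 header and TCP is NOT matched; that is the
    blind spot of the fixed-offset filter, reproduced here on purpose."""
    if len(pkt) <= IPV6_FIXED_HDR + TCP_FLAGS_OFF:
        return False
    if pkt[0] >> 4 != 6:                  # IP version nibble
        return False
    if pkt[6] != NEXT_HEADER_TCP:         # Next Header: TCP must follow immediately
        return False
    return bool(pkt[IPV6_FIXED_HDR + TCP_FLAGS_OFF] & TCP_RST)


def is_ipv4_tcp_rst(pkt: bytes) -> bool:
    """Same test for IPv4, which is why 'tcp[tcpflags]' works there: the transport
    offset can be derived from the IHL field, which libpcap does for IPv4 only."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != NEXT_HEADER_TCP:
        return False
    ihl = (pkt[0] & 0x0F) * 4             # IPv4 header length in bytes, options included
    if len(pkt) <= ihl + TCP_FLAGS_OFF:
        return False
    return bool(pkt[ihl + TCP_FLAGS_OFF] & TCP_RST)


def _tcp_header(flags: int) -> bytes:
    # sport, dport, seq, ack, data offset (5 words), flags, window, checksum (0), urgent
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, flags, 65535, 0, 0)


def build_ipv6_tcp(flags: int, next_header: int = NEXT_HEADER_TCP) -> bytes:
    """Constructed minimal IPv6 packet (2001:db8::/32 documentation prefix)."""
    tcp = _tcp_header(flags)
    src = bytes.fromhex("20010db8" + "0" * 23 + "1")
    dst = bytes.fromhex("20010db8" + "0" * 23 + "2")
    ip6 = struct.pack("!IHBB", 6 << 28, len(tcp), next_header, 64) + src + dst
    return ip6 + tcp


def build_ipv4_tcp(flags: int) -> bytes:
    """Constructed minimal IPv4 packet (TEST-NET-1 addresses), no options."""
    tcp = _tcp_header(flags)
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                      NEXT_HEADER_TCP, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip4 + tcp


if __name__ == "__main__":
    print(TCPDUMP_IPV6_RST_FILTER)
    print("v6 RST:", is_ipv6_tcp_rst(build_ipv6_tcp(TCP_RST)))
    print("v6 SYN:", is_ipv6_tcp_rst(build_ipv6_tcp(0x02)))
```

If the capture may contain extension headers (hop-by-hop, fragment, destination options), prefer decoding in a tool that walks them, or accept that the byte-offset filter is a first-pass triage and not a complete count.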



Automation is great....but...

Talked to a co-worker of mine who used to be a senior network engineer but switched to the automation team. He tried to tell me that I should waste less time on pursuing networking certifications and more time on coding for automation. He believes the role will be redefined to the point where we won't be logging in via command line anymore. That being said, until I can see someone run code that can diagnose an issue and fix it without human intervention besides just clicking a button, I would highly disagree with his statement. The reason is simple: you still need the knowledge of the technologies in today's age in order to automate them. Some people are under the assumption that an automation engineer can come in and code ridiculous scripts that can diagnose and fix BGP issues by themselves. My rebuttal to that was: how can someone who has no routing experience tell a script where to look for the root cause of a BGP issue and fix it with the click of a button? While I do think automation will make greater changes in our industry, the people who will be doing that work are us (network engineers). If anything, automation will redefine the role and be an added skill set needed, but will not take our jobs away from us. You can even make the argument that more jobs will be created because of it. Who's going to fix that script when it breaks? I've been an engineer since I was 19 and I am now 21, and although automation has made my job duties easier, I still get calls to investigate MPLS, routing issues, implementations, etc. What are your thoughts on our role going forward for the next 10 years? Do you think high-end certifications like CCIEs, JNCIEs, etc. will be a thing of the past/useless?



Client cannot remote in from new ISP

The Setup: Client uses a Windows-based PPTP VPN. Router is an EdgeRouter X forwarding ports 47 and 1723. Her new ISP is called DigitalPath.

The established VPN works fine from my office an hour away and it works for her other remote employees so I'm confident that the config of the VPN isn't the cause of this but I am not ruling that out yet.

Previously my client has been able to remote in from her home DSL connection but she has moved to a more remote area where the only internet available is wireless based. So she has an antenna on her house acting as her gateway.

I have tried working with her ISP to reestablish the connection so they configured a DMZ for me to use and I configured her home router with the DMZ settings that they gave me but the VPN does not establish a connection. I don't know if I can get anywhere else with the ISP.

I'm not a master of anything so any help would be greatly appreciated and I'm sorry if I left out any crucial information. My client is trying to retire so I would appreciate it if she could do the rest of her work at home like she was before she moved houses.



connecting coax to coax

This is a simple (dumb) question; I just don't want to buy the wrong thing.

I have a long run of coax in my house and I need it to continue another 20 feet, so I need to extend the current coax line. Do I just get any old splitter to do so, or do I need an amplifier? Can someone point me in the right direction?



Proving a deauth attack

I think this would be the right place to ask this question, but if not, let me know if there's a better sub to post this.

I am looking for some input as to how you would go about proving a deauth attack with enough evidence that would stand up in a court of law. As an example, I'll say let's use hotels as the culprit in this as they are notorious for spamming deauth messages over WiFi to force users to use their (pay-per-use) WiFi.

So this is a case where you know they are spamming other WiFi channels with deauth messages and need to gather enough evidence that it would hold up in court. What apps or programs would you use? What information and screenshots would you gather?
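For the technical half of that question (what to collect and how to show it is a flood rather than normal roaming), the evidence is the raw monitor-mode capture: 802.11 deauthentication is a management frame (type 0) with subtype 12, so its first frame-control byte is 0xC0; the three addresses in the header are receiver, claimed transmitter and BSSID; the 2-byte reason code follows the 24-byte header. A containment attack shows up as a burst of deauths to the broadcast address claiming to come from the victim AP's MAC. The following is an added example, not from the post or any named tool, of the detection logic run over a constructed capture (radiotap-prefixed frames built inline; MACs and timestamps are made up). It reproduces the claimed transmitter, peak rate in a sliding window, reason codes and targets per source, which is the summary you would put beside the pcap and its hash:

```python
from collections import defaultdict

FC_TYPE_MGMT = 0
FC_SUBTYPE_DEAUTH = 0x0C
MAC_HDR_LEN = 24          # management frame: FC(2) duration(2) addr1(6) addr2(6) addr3(6) seq(2)
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def strip_radiotap(frame: bytes) -> bytes:
    """Monitor-mode captures prefix each frame with a radiotap header whose
    total length is in bytes 2-3 (little-endian)."""
    return frame[int.from_bytes(frame[2:4], "little"):]


def parse_deauth(frame: bytes):
    """Return (transmitter, receiver, bssid, reason) for a deauthentication frame,
    or None for anything else. Addresses are as *claimed* in the frame; a spoofed
    deauth carries the victim AP's MAC as transmitter."""
    body = strip_radiotap(frame)
    if len(body) < MAC_HDR_LEN + 2:
        return None
    fc0 = body[0]
    if (fc0 >> 2) & 0x3 != FC_TYPE_MGMT or fc0 >> 4 != FC_SUBTYPE_DEAUTH:
        return None
    receiver, transmitter, bssid = _mac(body[4:10]), _mac(body[10:16]), _mac(body[16:22])
    reason = int.from_bytes(body[24:26], "little")
    return transmitter, receiver, bssid, reason


def deauth_summary(frames, window_s: float = 1.0):
    """frames: iterable of (timestamp_seconds, raw_frame). Per claimed transmitter:
    total deauths, peak count inside any sliding window, reason codes, receivers."""
    stats = defaultdict(lambda: {"count": 0, "times": [], "reasons": set(), "receivers": set()})
    for ts, raw in frames:
        parsed = parse_deauth(raw)
        if parsed is None:
            continue
        tx, rx, _bssid, reason = parsed
        s = stats[tx]
        s["count"] += 1
        s["times"].append(ts)
        s["reasons"].add(reason)
        s["receivers"].add(rx)
    for s in stats.values():
        times = sorted(s.pop("times"))
        peak, j = 0, 0
        for i, t in enumerate(times):          # frames in the window (t - window_s, t]
            while times[j] <= t - window_s:
                j += 1
            peak = max(peak, i - j + 1)
        s["peak_per_window"] = peak
    return dict(stats)


def flag_floods(summary, threshold: int = 10):
    """Transmitters that exceeded `threshold` deauths in one window. Broadcast receiver
    plus a sustained rate is the containment signature; a single deauth to one client
    is ordinary idle-timeout or roaming behaviour."""
    return sorted(tx for tx, s in summary.items() if s["peak_per_window"] >= threshold)


def build_deauth(transmitter: str, receiver: str, bssid: str, reason: int = 7) -> bytes:
    """Constructed test frame: 8-byte radiotap header with no fields, then the
    management frame. FC byte 0xC0 = subtype 12 (deauth), type 0 (management)."""
    radiotap = bytes([0, 0, 8, 0, 0, 0, 0, 0])
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    return (radiotap + bytes([0xC0, 0x00]) + b"\x00\x00"
            + h(receiver) + h(transmitter) + h(bssid) + b"\x00\x00"
            + reason.to_bytes(2, "little"))


def sample_capture():
    """Constructed capture: 50 spoofed broadcast deauths 'from' a victim AP inside one
    second (reason 7, class 3 frame from non-associated station), one beacon from it,
    and one ordinary deauth from a different AP to a single client."""
    victim_ap, other_ap = "02:00:00:00:aa:01", "02:00:00:00:bb:01"
    frames = [(1000.0 + i * 0.02, build_deauth(victim_ap, BROADCAST, victim_ap, reason=7))
              for i in range(50)]
    beacon = bytes([0, 0, 8, 0, 0, 0, 0, 0]) + bytes([0x80, 0x00]) + bytes(22)
    frames.append((1000.5, beacon))
    frames.append((1005.0, build_deauth(other_ap, "02:00:00:00:cc:07", other_ap, reason=4)))
    return frames


if __name__ == "__main__":
    summary = deauth_summary(sample_capture())
    for tx, s in summary.items():
        print(tx, s)
    print("flood sources:", flag_floods(summary))
```

In a real capture the radiotap header also carries per-frame signal strength, and a spoofed deauth typically arrives at a different RSSI than the same AP's beacons; that comparison, kept in the same pcap, is what ties the frames to a second radio rather than to the AP whose MAC they claim.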



UCCX - forcing ready

Just curious if there is a way to force the agent to stay ready in UCCX. We're on version 9. A complaint I got yesterday was "my computer froze and agent desktop went to not ready". I get quite a few complaints of "I was away from my desk and missed a call and had to remember to put myself in the ready state".



VRF Aware GRE over IPSec L2L VPN Won't Come Up

I have a configuration in place, and while the links come up, I can't get the GRE over IPSec running. Can someone please tell me what I'm missing? I tried to generate interesting traffic to the other side of the tunnel and also using the vrf option in ping, but nothing...

Here is my config on R2. R1 has a duplicate config, but the IPs are changed from .2 to .1.

ip vrf vrf1
 rd 1:1
!
ip vrf vrf2
 rd 2:2
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key ******* address 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 15 periodic
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set T101-AES256 esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec df-bit clear
!
! This profile is defined but never applied; the crypto map on GigabitEthernet0/2 is
! what actually protects the GRE traffic matched by access-list 101.
crypto ipsec profile T101-AES256
 set security-association lifetime seconds 86400
 set transform-set T101-AES256
!
crypto map T101 local-address GigabitEthernet0/2
crypto map T101 101 ipsec-isakmp
 set peer 172.16.101.1
 set transform-set T101-AES256
 match address 101
!
interface Loopback101
 ip vrf forwarding vrf1
 ip address 10.101.255.2 255.255.255.0
!
interface Tunnel101
 bandwidth 100000
 ! Inner (payload) VRF: the tunnel interface itself lives in vrf1, like Loopback101.
 ! 'ip vrf forwarding' must precede 'ip address'; IOS clears the address when the VRF changes.
 ip vrf forwarding vrf1
 ip address 10.255.101.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip flow ingress
 ip flow egress
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source 172.16.101.2
 tunnel destination 172.16.101.1
 ! No 'tunnel vrf' here: that command selects the table used to route the *outer* GRE
 ! packets. GigabitEthernet0/2 (172.16.101.2) and the peer 172.16.101.1 are in the global
 ! table, so 'tunnel vrf vrf1' as posted made the router look the destination up in vrf1,
 ! which has no route to it, and no GRE (hence no interesting traffic for IPsec) ever left.
!
interface GigabitEthernet0/2
 description MetroE
 ip address 172.16.101.2 255.255.255.0
 duplex auto
 speed auto
 crypto map T101
!
! Note: with Tunnel101 in vrf1, EIGRP would need an 'address-family ipv4 vrf vrf1' to run over
! it, and passive-interface suppresses the adjacency anyway; left as posted.
router eigrp 100
 network ***** omitted
 passive-interface GigabitEthernet0/2
 passive-interface Tunnel101
!
access-list 101 permit gre host 172.16.101.2 host 172.16.101.1

I got the base config from here:

https://networkology.net/2013/07/14/gre-over-ipsec-configured-and-explained-ccie-notes/

Tom
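The one thing to verify in a "VRF-aware" GRE design is which table each half of the tunnel uses: `tunnel vrf` picks the table for the outer (transport) packets and must match the VRF that owns the tunnel source, while `ip vrf forwarding` on the tunnel is the inner VRF and is independent. The following is an added example, not from the post, that runs that consistency check over the interface stanzas as posted (embedded as a constructed string, crypto lines that don't affect VRF placement dropped) and over the same config with the tunnel's inner side in vrf1 and no `tunnel vrf`; the `FIXED_CONFIG` variant and the wording of the findings are this example's own:

```python
import re

# Constructed sample: the interface stanzas as posted for R2 (VRF-relevant lines only).
POSTED_CONFIG = """\
interface Loopback101
 ip vrf forwarding vrf1
 ip address 10.101.255.2 255.255.255.0
!
interface Tunnel101
 ip address 10.255.101.2 255.255.255.0
 tunnel source 172.16.101.2
 tunnel destination 172.16.101.1
 tunnel vrf vrf1
!
interface GigabitEthernet0/2
 ip address 172.16.101.2 255.255.255.0
 crypto map T101
!
"""

# Same design with the inner side of the tunnel in vrf1 and the outer side in the
# global table, which is where the MetroE interface and the IPsec peer actually are.
FIXED_CONFIG = POSTED_CONFIG.replace(" tunnel vrf vrf1\n", "").replace(
    "interface Tunnel101\n", "interface Tunnel101\n ip vrf forwarding vrf1\n")


def parse_interfaces(cfg: str) -> dict:
    """{name: {vrf, ip, tunnel_source, tunnel_destination, tunnel_vrf, crypto_map}}.
    'global' stands for the default routing table (no 'ip vrf forwarding')."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if not line.startswith(" "):                      # stanza boundary
            m = re.match(r"interface (\S+)", line)
            cur = ifaces.setdefault(m.group(1), {"vrf": "global"}) if m else None
            continue
        if cur is None:
            continue
        tok = line.strip()
        for prefix, field in (("ip vrf forwarding ", "vrf"),
                              ("tunnel source ", "tunnel_source"),
                              ("tunnel destination ", "tunnel_destination"),
                              ("tunnel vrf ", "tunnel_vrf"),
                              ("crypto map ", "crypto_map")):
            if tok.startswith(prefix):
                cur[field] = tok[len(prefix):].strip()
        if tok.startswith("ip address "):
            cur["ip"] = tok.split()[2]
    return ifaces


def check_tunnel_vrfs(ifaces: dict) -> list:
    """Return findings for tunnels whose outer table ('tunnel vrf', default global)
    differs from the VRF owning the tunnel source, and for sources whose egress
    interface carries no crypto map. Empty list means consistent."""
    owner_by_ip = {d["ip"]: (name, d["vrf"]) for name, d in ifaces.items() if "ip" in d}
    findings = []
    for name, d in ifaces.items():
        if "tunnel_source" not in d:
            continue
        src = d["tunnel_source"]
        by_name = ifaces.get(src)                          # 'tunnel source <interface>' form
        owner = (src, by_name["vrf"]) if by_name else owner_by_ip.get(src)
        outer_vrf = d.get("tunnel_vrf", "global")
        if owner is None:
            findings.append(f"{name}: tunnel source {src} is on no configured interface")
            continue
        if owner[1] != outer_vrf:
            findings.append(
                f"{name}: tunnel vrf is {outer_vrf} but source {src} is on {owner[0]} in "
                f"{owner[1]}; outer packets to {d.get('tunnel_destination', '?')} "
                f"are looked up in the wrong table")
        if "crypto_map" not in ifaces[owner[0]]:
            findings.append(f"{name}: no crypto map on egress {owner[0]}; GRE would leave unencrypted")
    return findings


if __name__ == "__main__":
    print("as posted:", check_tunnel_vrfs(parse_interfaces(POSTED_CONFIG)))
    print("fixed:    ", check_tunnel_vrfs(parse_interfaces(FIXED_CONFIG)))
```

The second check matters for the same reason the first does: if the outer table or egress interface is not the one the crypto map sits on, the GRE packets are routed somewhere the ACL never sees them, and the failure looks like "tunnel up, nothing passes" rather than an IPsec error.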



Are your Unifi APs sounding like an old hard drive? Extended out-of-warranty RMAs opened up for "ticking and scratching" issues.

Found this after getting some user complaints about a "loud access point" (rolling my eyes, then being surprised it was actually quite loud when I looked at it) and figured I'd pass it along.

If you have any Unifi Access Point that is making clicking, scratching, ticking noises (like an old HDD) they will honor an RMA even if you're out of warranty period.

See : https://community.ubnt.com/t5/UniFi-Wireless/UAP-PRO-ticking-and-scratching-noise/m-p/1423331/highlight/true#M134279



Cisco RV320 with 3 VLANs, 1 has a Windows AD/DHCP/DNS Server and can't ping devices on the other 2

VLAN 1 has a Windows 2008 Server doing Active Directory, DNS and DHCP, along with a Copier.

VLAN 2 has a Buffalo NAS

VLAN 3 doesn't have much relevant equipment

I'm trying to get the Copier on VLAN 1 to scan to the NAS on VLAN 2. I can ping the copier from the NAS. I can not ping the NAS from the copier. I have the same behavior from my laptop on the respective VLANs. Devices on VLAN 3 seem to be able to communicate with devices on VLAN 2 without issue. Previously, the Cisco router was doing DHCP and DNS for VLAN 2 and 3, but yesterday I created 2 DHCP sites for VLAN 2 and 3 on the Windows Server and enabled DHCP relay on the Cisco so the Windows server could do DNS and DHCP for the whole network, to try to fix this issue. I verified devices on all 3 subnets were getting the correct IP addresses. Inter-VLAN routing is enabled on all VLANs on the Cisco. The switches on the network are unmanaged (dumb) switches.

Any thoughts on what to do to start diagnosing this issue?



IPSEC VPN throughput

Posted a similar question to /r/fortinet but thought maybe other recommendations would be warranted.

We're an acute-care hospital, around 90 beds; probably around 600 guest users (employee phones, patient phones, etc.), another 200 private-wireless/wired users, and various medical devices. Our 2 ISP connections (100 Mbps and 500 Mbps) aren't really tapped most of the time except during snapshot/replication pushes off-site, which we're doing more and more of. We have a circuit upgrade in the future that should push both circuits to 500 Mbps.

Right now, we have in place 2x ASA 5525-X firewalls and are crushing our IPSEC VPN throughput limit. 5525 datasheet says that IPSEC is limited to 300 Mbps, and our Palo Alto is limited to 500 Mbps per the data sheet. We're doing VM snapshots to AWS, various imaging study pushes and pulls to/from our facility, etc.

We're looking to up our VPN throughput so we're not stepping all over ourselves with the 15-18 active IPsec VPN tunnels we have at any given time. My thought is to eliminate the 5525s and the Palo Alto that sit at our edge for a pair of FortiGates. Even moving to strictly the Palo, we're limited to 500 Mbps of VPN throughput.

Can anyone recommend what model Fortigate to go with, or should I look at other hardware? I feel the 100E might be too small; reseller in the past recommended 500E but even that might be too big. Anyone have any advice/direction/opinions?



Company interviewing candidate with more experience, should I welcome him or be nervous?

Having just recently passed my CCNA R/S, I am the sole network guy for a rapidly growing company. I assisted in getting new Cisco switch infrastructure ordered (new ASAs running ISE, and looking into AMP solutions) as well as other measures. I am very excited to get my hands on the equipment and finally start putting my knowledge to work. I am not very good with the ASAs; I have external support as well when needed (consultant/sub) who I can hire for things I am not yet proficient at. I am very lucky because my company is very understanding and supportive of me learning on the job. My fear is that the new gentleman coming for interview has some decent experience. It's likely he will be hired but I am stressed out by it. I am fearful that this new candidate will come in eager to impress and basically take over the projects I have been working on. I have put a lot of effort and time into getting where I am, and due to our growth we are in need of another guy in the department. As my luck would have it, he is strong in networking. Am I being reasonable in my concerns or just selfish? There is always an opportunity to learn from someone, but at the same time I really don't want to give up all the future opportunities I have been looking forward to. Just wondering what everyone else's experience in the field has taught them. Thanks in advance.



Broken switch. Can anyone repair?

I have an HP 2920-24G POE+ switch from Amazon and I think it may have taken a power surge. HP will not honor the warranty since it was bought from Amazon. Amazon only offers a 30 day warranty. (inb4 should have bought from authorized reseller blah blah blah) I attached a video showing what it does. https://youtu.be/JY-y-7ql59c

So I am stuck with this ~$1200 switch that doesn't work. I believe it is failing on the self test.

This is crash info from the console:

System went down: 01/01/90 00:04:19
Saved crash information: Software exception at arenal_chassis_slot_sm.c:3597 -- in 'eChassMgr', task I0 -> Slave (1-24) crashed. Debug slave, NOT master.

When it reboots it shows this: SPldFC done. BR I01

I have done an erase startup-config command to get it back to factory.

Is it fixable? Is there somewhere I can send this to get fixed? Any help is appreciated.



Coexisting RPVST and MST

Hello all,

I have a couple of old Cat6500s that are running RPVST with about 700 currently active VLANs. I'd like to add a few Nexus 3048TP switches hanging off of them, but according to this document I've already exceeded the RPVST limit for these switches. I'm curious if it's possible to run MST on these downstream of the RPVST 6500s, which are the root bridge, without any issues. I'd assume I need to have PVST simulation mode on as well. Due to other constraints it's not likely we'll be able to migrate the 6500s to MST anytime soon.

Thanks in advance.



Those of you who do layout and design, what do you use to mark your pdf / file layouts?

I started out using Paint, which was terrible. I have Ekahau now and just kind of use that, but the APs are not very well defined. Any tool / software suggestions?



Is it possible to get a NAS on one network to show up on other networks?

I'm not really sure how to explain this problem so here we go:

I'm working on an Access database for my dad's company and I need to store the documents that go in the database somewhere that other people in the company can get to them if they have just the Access database file.

My dad and I have a WD MyCloud on our network and you can easily map it as a network drive, grab the file path of the document, and hyperlink it into the database. So then (assuming the drive letter is the same on the computers that have the database file) if we just have the Access database file with the path names, we can both still get to the documents.

Now, upscale this problem a bit.

The company has WD EX4100 NAS drive, but its in a different geographical location. We need to be able to store all the documents there and somehow make the NAS show up as a network drive on the computers using the database.

My hope is that it shows up as a network drive and I can map it easily, but I don't know how to do that or if it's even possible.

Does anyone have any suggestions on how I can accomplish this?



Help with the layout of this network

So, I started a new job a few months ago and have finally come to a point where I can start mapping out this network. Basically everything here is Cisco, but their routing and everything is so odd to me. What's the best way for me to map this network so I can tell where all the ISPs come into the locations, and how everyone is plugged in? I brought up a VM and put in Observium. I have a list of the routers and switches and their IPs, so I was able to add them. I tried using Cisco Network Assistant, but there are VPN tunnels to different locations so I can't get a graphical layout in my mind. I'm guessing I'll have to do this manually, but I'm looking for someone who has done this before to give me some tips.



Loop issue with Cisco 3750 and a polycom

So I came back from holiday to find a bunch of users complaining of slow connections and jitter while talking on the phones. Upon checking, I found they were all connected to the same switch. CPU was 100%; I found ARP Input was eating all of it. Upon doing some more digging I found the switch was looped between two ports.

So when I went to check what caused the loop, it was a Polycom phone that had the PC port connected back to the switch.

Switch f0/1 ----------- polycom -------- switch f0/2

Now what I'd like to understand is how the switch couldn't block the loop since it had BPDU guard on (it was seeing itself through CDP), and also what protocol would prevent this kind of loop? My guess is that the phone was not forwarding the BPDUs to the PC port and the switch was not aware of the loop.



Rewrite AS Path?

I have a BGP neighbor asking me to suppress part of the AS-path of a route I am advertising. My kit is Juniper, but I'm curious about Cisco and others as well. My neighbor wants a shorter path from me so it's more preferred in his table. I'm familiar with path prepending, but I didn't think BGP really likes you modifying the AS-path by removing things.

All I can find is AS-override, which just replaces other ASNs with my own, which would still be a longer path if I understand it correctly.

The alternative is to create a virtual router/vrf, learn the routes there, then share them to my vrf with OSPF. This would create my AS as the only hop, but is a kludge.

I've asked him to look into weight and localpref, as the whole point of BGP is each AS gets to decide how to route their own traffic, but it's so far falling on deaf ears.



"Fake" BGP network to learn BGP

I once saw a website where people set up a network using BGP with fake AS numbers, but I can't for the life of me remember what it was. It let you set up your router and BGP to this network so you could practice with BGP and play with configuring it. The AS numbers weren't real ones, and are only routable on this network.

Has anyone heard of this?



Best way to setup DC Failover WAN?

We have been hosting some customer servers in-house for several years, using a Fiber primary WAN and Cable failover WAN. We've only had a few failovers so it has never been a problem for the Failover DNS to take over and keep things online.

But we're growing and expanding, so we are moving our servers and our customers into a local datacenter. But I'm trying to rack my brain on the best way to do WAN failover for the DC. I don't want to continue DNS Failover, because occasionally DNS servers for outside groups won't update then we are blacklisted by AOL, Yahoo, etc because the DNS records are wrong. We don't own the IP subnets, nor are they big enough, so we can't do multi-homed BGP. I was looking at SD-WAN or Cloud Firewall solutions, but that's just another point of failure I can't control.

How would you suggest doing internet and failover in your DC? Am I over-thinking this?



Cisco AP with Netgear Switch

Hi all, I need help setting up Cisco access points with a Netgear PoE switch. I have configured the SSID with all the relevant VLANs, including the management VLAN. I have allowed the respective VLANs on their corresponding ports, and DHCP service is provided by a server. The issue is the users are not getting IP addresses. Please help!!!



RSVP-TE load-balancing practices

Hi, everyone.

I'm trying to come up with a scheme that will allow to load-balance (and, ideally, to load-share, too) traffic between multiple PEs in a partially meshed network built on top of RSVP-TE with EROs as the only constraints plus "cold standby"s as well.

There are some implications regarding international links and paths with long delay, but it actually doesn't matter that much for now (but if someone has something to say about AG vs. SRLG, I would be glad to hear your stories). What I hope to hear is what techniques you guys are using, what was proven too complex or "buggy", and what is a "must have":

  • Just a bunch of parallel LSPs with/without BW constraints

  • A couple of LSPs with auto-BW (possibly with additional priority tricks)

  • Container LSPs (for Juniper shops)

  • Ditching RSVP-TE in favor of SR (maybe, co-existence)

  • External controller (PCEP, anyone?)



We've eliminated routing protocols from our network!

Our network used to have OSPF, BGP, DMVPN, redistribution, route-maps, prefix-lists, and all the cool stuff we network guys love to configure on our networks.

Now there's nothing left but static routes and directly connected networks.

Our wan which was BGP over DMVPN tunnels has been completely torn down and replaced with an SD-WAN product. That simplified our data center network tremendously as it got rid of all the redistribution and routing policies, and basically replaced it with a big dumb static route pointing at the VIP of our SD-WAN boxes.

As for the LAN side, we had a big push last year to move as many services to the cloud as we could, including our entire backup datacenter, which was shut down and moved to DR as a Service (cloud). Now there are so few physical hypervisors running the remaining in-house services that we were able to collapse it down to a single pair of switches, and for good measure we moved the IDF switches to this as well.

It then occurred to me that we no longer had any real use case for OSPF, turned it off on the core, and removed the other switches which were now empty.

Our network "evolved" (devolved?) into a single /16 static route for the WAN, a single default route for Internet access, and Directly Connected networks.

The way I see it, it's barely even a network anymore, at least not one that requires full time employees to maintain.

On the one hand I'm proud of my team for getting through this much in a frantic one year period, on the other hand I'm now worried that we've basically put ourselves out of work.



Replacing our current SMS to email system

(If I have posted this in the wrong subreddit, my apologies. Recommendations appreciated.) We are looking at replacing our current SMS-to-email system. We are interested in upgrading our present system, in which our clients send an SMS and it gets converted by a provider to a Gmail email account, and then is pushed to our operators.

We are interested in a more sophisticated system than relying upon two vendors, our clients' SMS telco, and the reliability of an email app to receive and respond from.

We don't know if we need an entirely bespoke custom system built, or whether such a system is available to purchase or lease, or whether a modular system can be put together and handed over to us.

We don't use SMS directly back and forth between our clients and our operators because we have only one operator on shift at a time, and they live and work from homes that are far apart in rural Australia, so the SIM card or phone would have to be shuttled back and forth every day. Also, some of our operators live in rural areas where their Internet connection (email) is more reliable than an SMS signal.

Does anyone have any useful suggestions? Thanks, Brian



Need a wi-fi access point to connect to switches

I'm looking for a wifi access point to connect directly into the switches I'm working on, so I don't have to have such a long cable going to wherever I can sit down. I'm sure some of you do the same, so what sort of AP do you recommend? Looking for something compact and durable.



HPE 3800 PBR HELP

Hi all,

http://ift.tt/2BcGarS for network diagram.

I have been trying to configure my switch for PBR. Was wondering if my configuration is correct? Are the two default routes (0.0.0.0 0.0.0.0 192.168.x.253) needed?

Below is my configuration. omitted the unneeded information.

class ipv4 "User"
 20 match ip 192.168.54.0 255.255.254.0 0.0.0.0 255.255.255.255
 exit
class ipv4 "Server"
 10 match ip 192.168.52.0 255.255.254.0 0.0.0.0 255.255.255.255
 exit
class ipv4 "CorpWIFI"
 10 match ip 192.168.56.0 255.255.255.0 0.0.0.0 255.255.255.255
 exit
policy pbr "CorpWIFIPBR"
 10 class ipv4 "CorpWIFI" action ip next-hop 192.168.54.253 exit
 exit
policy pbr "ServerPBR"
 10 class ipv4 "Server" action ip next-hop 192.168.52.253 exit
 exit
policy pbr "UserPBR"
 10 class ipv4 "User" action ip next-hop 192.168.54.253 exit
 exit
ip route 0.0.0.0 0.0.0.0 192.168.52.253
ip route 0.0.0.0 0.0.0.0 192.168.54.253
ip routing
vlan 1
 name "Server VLAN"
 no untagged 1/12,1/37-1/44,2/4-2/5,2/26,2/37-2/38,2/40-2/44
 untagged 1/2-1/11,1/13-1/25,1/34-1/36,1/49-1/51,2/1-2/3,2/6-2/25,2/27,2/36,2/39,2/49-2/51,Trk1-Trk7
 tagged 1/1
 ip address 192.168.53.1 255.255.254.0
 service-policy "ServerPBR" in
 exit
vlan 51
 name "MGT VLAN"
 untagged 2/5
 ip access-group "ACL-BLOCK" in
 no ip address
 exit
vlan 54
 name "Users VLAN"
 untagged 1/37-1/38,1/43-1/44,2/4,2/37-2/38,2/40-2/44
 tagged Trk1-Trk5
 ip address 192.168.54.1 255.255.254.0
 ip helper-address 192.168.52.8
 ip helper-address 192.168.52.9
 service-policy "UserPBR" in
 exit
vlan 56
 name "CorpWIFI VLAN"
 tagged Trk1-Trk3
 ip address 192.168.56.1 255.255.255.0
 ip helper-address 192.168.52.8
 ip helper-address 192.168.52.9
 service-policy "CorpWIFIPBR" in
 exit
vlan 58
 name "Guest VLAN"
 untagged 1/39-1/42,2/26
 tagged Trk1-Trk3
 no ip address
 exit
vlan 59
 name "CCTV VLAN"
 untagged 1/1,1/12
 tagged Trk1-Trk7
 no ip address
 exit

Pls let me know if you have any questions regarding the network setup.

Will appreciate any advice!

Thanks!



Wednesday, January 17, 2018

Export config hp procurves

Hi everyone,

I am trying to export the config on my 2 HP ProCurve 5400s. I use a free TFTP server, but it doesn't work (copy run tftp IPTFTPSERVER config.txt).

If I just copy all of the running-config into Notepad, is it the same thing?

Thank you



Random BGP Flap

Hi all - seem to be having an issue with BGP session terminating arbitrarily. It doesn't seem to occur at any specific time, but the messages below always precede the peer reset. From my understanding, the ISP seems to be sending a community and/or attribute that my router cannot understand, causing a reset.

Am I missing anything? ISP swears everything on their end is beautiful and working wondrously.

ARS BGP>show ip bgp summary
BGP router identifier W.W.W.W, local AS number 330XX
BGP table version is 343
2 BGP AS-PATH entries
0 BGP community entries

Neighbor  V  AS     MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
Y.Y.Y.Y   4  407YY  3732625  43874    343     0    0     00:05:35  1

Total number of neighbors 1

ARS BGP>show ip bgp neighbor
BGP neighbor is Y.Y.Y.Y, remote AS 407YY, local AS 330XX, external link
BGP version 4, remote router ID Z.Z.Z.Z
BGP state = Established, up for 00:05:35
Last read 00:05:35, hold time is 90, keepalive interval is 30 seconds
Neighbor capabilities:
  Route refresh: advertised and received (old and new)
  Address family IPv4 Unicast: advertised and received
Received 3732625 messages, 0 notifications, 0 in queue
Sent 43531 messages, 343 notifications, 0 in queue
Route refresh request: received 0, sent 0
Minimum time between advertisement runs is 30 seconds
For address family: IPv4 Unicast
  BGP table version 343, neighbor version 343
  Index 1, Offset 0, Mask 0x2
  Community attribute sent to this neighbor (both)
  Inbound path policy configured
  Outbound path policy configured
  Incoming update prefix filter list is *default
  Outgoing update AS path filter list is *1
  1 accepted prefixes
  1 announced prefixes

Connections established 344; dropped 343
Local host: X.X.X.X, Local port: 56939
Foreign host: Y.Y.Y.Y, Foreign port: 179
Nexthop: X.X.X.X
Nexthop global: fe80::c0ea:e4ff:fe91:18b5
Nexthop local: ::
BGP connection: non shared network
Last Reset: 00:05:41, due to BGP Notification sent
Notification Error Message: (UPDATE Message Error/Malformed Attribute List.)

Syslog:

BGP:Y.Y.Y.Y-Outgoing [DECODE] Open Cap: unrecognized capability code 64 len 2
BGP:Y.Y.Y.Y-Outgoing [DECODE] Attr Comm: Flag(D0) ! (Optional && Transitive)
TCP connection dropped X.X.X.X, 55157, X9 Y.Y.Y.Y, 179, X9 tcp

For Legibility:

X.X.X.X is our IP; Y.Y.Y.Y is the ISP BGP neighbor IP.

Thanks!
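Two of the logged values decode without guessing. Capability code 64 in the OPEN is Graceful Restart (RFC 4724); a router that does not implement it is supposed to ignore it, so that line is noise. The attribute flag byte 0xD0 on the COMMUNITIES attribute is 1101 0000: per RFC 4271 the bits are optional (0x80), transitive (0x40), partial (0x20) and extended length (0x10), so the community attribute arrived as optional, transitive and with a 2-byte length field, which a sender uses when the value exceeds 255 bytes (more than 63 communities). Why the ARS firmware logs that as failing an "Optional && Transitive" check is not something the output here settles. The following is an added example, not from the post or the vendor, that encodes and parses a COMMUNITIES attribute the RFC 4271 way and, beside it, the way a parser that ignores the extended-length bit reads the same bytes; the 70-community sample is constructed:

```python
FLAG_BITS = ((0x80, "optional"), (0x40, "transitive"),
             (0x20, "partial"), (0x10, "extended-length"))
ATTR_COMMUNITIES = 8      # RFC 1997 COMMUNITIES, defined as optional transitive


def decode_flags(flag_byte: int) -> list:
    """Names of the RFC 4271 attribute-flag bits set in the byte (low nibble unused)."""
    return [name for bit, name in FLAG_BITS if flag_byte & bit]


def build_communities_attr(communities) -> bytes:
    """Encode a COMMUNITIES path attribute from (asn, value) pairs. A value longer
    than 255 bytes cannot be described by a 1-byte length, so the extended-length
    flag is set and the length field becomes 2 bytes."""
    value = b"".join(asn.to_bytes(2, "big") + val.to_bytes(2, "big")
                     for asn, val in communities)
    flags = 0x80 | 0x40
    if len(value) > 255:
        flags |= 0x10
        return bytes([flags, ATTR_COMMUNITIES]) + len(value).to_bytes(2, "big") + value
    return bytes([flags, ATTR_COMMUNITIES, len(value)]) + value


def parse_attribute(buf: bytes, off: int = 0):
    """Parse one path attribute at buf[off:] as RFC 4271 4.3 specifies: the length
    field is 2 bytes when the extended-length bit is set, else 1.
    Returns (flag_names, type_code, value, next_offset)."""
    flags, code = buf[off], buf[off + 1]
    if flags & 0x10:
        length, hdr = int.from_bytes(buf[off + 2:off + 4], "big"), 4
    else:
        length, hdr = buf[off + 2], 3
    value = buf[off + hdr:off + hdr + length]
    if len(value) != length:
        raise ValueError("attribute runs past end of buffer (Malformed Attribute List)")
    return decode_flags(flags), code, value, off + hdr + length


def parse_attribute_ignoring_ext_len(buf: bytes, off: int = 0):
    """What a parser that never checks bit 0x10 does with the same bytes: it reads
    the high byte of the 2-byte length as the whole length and starts the value one
    byte early, so this attribute and everything after it is misaligned."""
    flags, code, length = buf[off], buf[off + 1], buf[off + 2]
    value = buf[off + 3:off + 3 + length]
    return decode_flags(flags), code, value, off + 3 + length


def decode_communities(value: bytes) -> list:
    """Render a COMMUNITIES value as 'ASN:value' strings."""
    if len(value) % 4:
        raise ValueError("COMMUNITIES value is not a multiple of 4 bytes")
    return [f"{int.from_bytes(value[i:i + 2], 'big')}:{int.from_bytes(value[i + 2:i + 4], 'big')}"
            for i in range(0, len(value), 4)]


# Constructed sample: 70 communities (280 bytes), enough to force the extended form.
SAMPLE_ATTR = build_communities_attr([(65000, 100 + i) for i in range(70)])


if __name__ == "__main__":
    print("flags 0xD0 ->", decode_flags(0xD0))
    print("RFC parse   ->", parse_attribute(SAMPLE_ATTR)[1:4:2], "next offset", parse_attribute(SAMPLE_ATTR)[3])
    print("naive parse ->", parse_attribute_ignoring_ext_len(SAMPLE_ATTR)[2:])
```

The practical use is to ask the ISP how many communities they attach to that one prefix (or to capture the UPDATE on port 179 and run the bytes through `parse_attribute`); if the attribute is in the extended form, trimming their outbound community list below 64 entries or filtering communities inbound is a quick way to test whether that is the trigger, without yet knowing the firmware bug.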



Best way to migrate clients to another IP block

I have a legacy network with a single vlan interface on a core network configured with a IP address and 4 secondary IP addresses. Someone just kept adding secondary IP addresses when there were too many users in one block... I can see 1500 different MAC addresses there currently.

You'll have to remind me how the IP helper works here :) If a client connects to a network where the router has 5 IP addresses, how does it send DHCP requests? Does it send a DHCP request with all the 5 different source addresses and give client the first one it gets back, which might be from any of those 5 IP blocks?

What would be the best way to migrate these to a single IP block, the fifth one with a /22 mask? Can I make the first 4 DHCP scopes smaller to force the DHCP server to lease IP addresses only from the last block? Or do I need to contact the persons managing this switch (management of the switch has been outsourced for some reason...) and ask them to change the /22 block as the first one? Are there still chances that a DHCP server would lease addresses from the other blocks?

Thanks!



Is it bad practice to create Host A records for your networking devices?

I know it's convenient as hell and probably wouldn't hurt anything by doing it, but would it be considered bad practice?



Stripped Cisco Rackmount Ear Screws

I got a bunch of old Cisco 2811 routers for my home lab. I want to take them apart to replace the fans with quiet ones. However, every screw I try to unscrew doesn't budge, and the screws become stripped. Any recommendations on how I can remove these screws? I've tried multiple screwdrivers. It just seems like the screws are too soft and are screwed in too tightly.



Got an unexpected OSPF refresher today

Today found me prepping some new gear that is to be managed only by loopback address, with an on-box policy enforcing it.

The gear doesn't have any routing adjacencies up, right now has only a single IP address on an access lan in the lab. I added a host route for the new gear's loopback to the lab distribution switches, created a prefix list, added it to the STATIC->OSPF route map, etc...

Checking my work, I saw that external LSA appear twice in the database. Great. But I noticed another external (for a lab VPN block) appeared in the database only once. Where was my redundancy for this one?

The configuration looked fine. Both boxes had a static route for the VPN prefix and identically configured redistribution, route map, prefix lists, etc...

I ripped off the static route on the non-advertising guy (from home, via VPN!) Debugs there said this when I re-applied it:

OSPF: Don't redistribute net <vpn-prefix>, <other-switch> advertises it already 

Wait, what? The LSA for my new gear's loopback is happy to have two instances in the database, why not this one?

The only difference between the LSAs is that the VPN prefix was pointing at an address on a backbone LAN (one with a type-2 LSA - the VPN box should have been running OSPF, but that work never got done so I'm redistributing statics), while the new loopback prefix (with its pair of LSAs) was on a "passive" access LAN.

Because of the difference between the network types of the next hop, the advertised forwarding address for the VPN block was the address of the VPN box, while the forwarding address for my pair of /32 LSAs was 0.0.0.0 (use the advertising router).

Could that be it?

Off to RFC 1583!

In this case, RTA and RTB would originate the same set of AS external link advertisements. These advertisements, if they specify the same metric, would be functionally equivalent since they would specify the same destination and forwarding address (RTX). This leads to a clear duplication of effort. If only one of RTA or RTB originated the set of external advertisements, the routing would remain the same, and the size of the link state database would decrease. 

I'm not sure if I ever knew this (I had some intuition to compare the forwarding address of my samples), but I'd certainly forgotten it.

That was fun.
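The forwarding-address rule and the duplicate suppression this post ran into, replayed in Python as an added example (mine, not part of the original post). The interface conditions for setting the forwarding address follow my reading of RFC 2328 §12.4.4.1 and Cisco's implementation, and the higher-Router-ID tie-break is my recollection of the same section; treat both as assumptions to verify. Router IDs, prefixes, next hops and interface names are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str
    ospf_enabled: bool
    passive: bool
    network_type: str  # "broadcast", "nbma", "point-to-point", "point-to-multipoint"


@dataclass(frozen=True)
class ExternalLsa:
    advertising_router: str   # OSPF Router ID, dotted quad
    prefix: str
    metric: int
    forwarding_address: str   # "0.0.0.0" means "forward via the advertising router"


def forwarding_address(next_hop, egress):
    """Assumption (RFC 2328 s12.4.4.1 as Cisco applies it): the route's next hop is
    advertised as the forwarding address only when it sits on an OSPF-enabled,
    non-passive broadcast or NBMA interface. Otherwise the FA is 0.0.0.0, which is
    what a next hop on a passive access LAN produces."""
    if egress.ospf_enabled and not egress.passive and egress.network_type in ("broadcast", "nbma"):
        return next_hop
    return "0.0.0.0"


def make_external_lsa(router_id, prefix, next_hop, egress, metric=20):
    return ExternalLsa(router_id, prefix, metric, forwarding_address(next_hop, egress))


def should_originate(candidate, lsdb):
    """Duplicate suppression from the quoted RFC text: if another router already
    originates a functionally equivalent LSA (same prefix, metric and the same
    non-zero forwarding address), only the router with the higher Router ID keeps
    originating (assumption: that is the tie-break RFC 2328 specifies). LSAs with
    FA 0.0.0.0 are never equivalent, which is why the /32 showed up twice."""
    if candidate.forwarding_address == "0.0.0.0":
        return True
    mine = ipaddress.IPv4Address(candidate.advertising_router)
    for lsa in lsdb:
        if (lsa.advertising_router != candidate.advertising_router
                and lsa.prefix == candidate.prefix
                and lsa.metric == candidate.metric
                and lsa.forwarding_address == candidate.forwarding_address
                and ipaddress.IPv4Address(lsa.advertising_router) > mine):
            return False
    return True


# Constructed replay of the two cases in the post: a VPN prefix whose next hop is on an
# active backbone LAN, and a loopback /32 whose next hop is on a passive access LAN.
BACKBONE = Interface("Vlan10", ospf_enabled=True, passive=False, network_type="broadcast")
ACCESS = Interface("Vlan200", ospf_enabled=True, passive=True, network_type="broadcast")
RTA, RTB = "10.255.0.1", "10.255.0.2"


def replay():
    vpn_a = make_external_lsa(RTA, "172.16.50.0/24", "10.10.10.5", BACKBONE)
    vpn_b = make_external_lsa(RTB, "172.16.50.0/24", "10.10.10.5", BACKBONE)
    lo_a = make_external_lsa(RTA, "10.254.0.7/32", "10.20.0.7", ACCESS)
    lo_b = make_external_lsa(RTB, "10.254.0.7/32", "10.20.0.7", ACCESS)
    return {
        "vpn_fa": vpn_a.forwarding_address,
        "lo_fa": lo_a.forwarding_address,
        "vpn_originated_by": [r for r, c, db in ((RTA, vpn_a, [vpn_b]), (RTB, vpn_b, [vpn_a]))
                              if should_originate(c, db)],
        "lo_originated_by": [r for r, c, db in ((RTA, lo_a, [lo_b]), (RTB, lo_b, [lo_a]))
                             if should_originate(c, db)],
    }
```

The practical check this implies: when an external LSA carries a non-zero forwarding address, every router must have an intra- or inter-area route to that address or it will not install the route at all, so a redistributed static whose next hop lives on a non-OSPF LAN is a classic source of "LSA present, route missing".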



Does anybody have documentation on setting up Elastiflow for analyzing netflow data? I have everything installed, just trying to configure.


Good conferences for Network Engineers?

I work in higher education. I used to do a mix of desktop support and networking, but I've moved into a role where I'm more of a network engineer with some systems work on the side. In my old role, I attended a really great conference yearly. It gave me some really good exposure to what others were doing, relationships with other people in a similar role, fresh ideas, and vendor contacts. That conference doesn't make much sense to my role now, so I'm looking for another conference to pitch to my boss. It doesn't have to be higher ed specific, as long as there is relevance. Any recommendations?



OSPF Modeling Software

Does anyone have recommendations for software that will model an OSPF area and let you visualize traffic flow in specific failure situations? I've discovered software solutions like Riverbed's SteelCentral Riverbed Modeler and Juniper's WANDL IP/MPLSView. I don't have pricing on Riverbed, but list price on WANDL is over $100k. Are there any opensource software solutions for this type of network engineering software?



Server subnet segregation

Hey folks,

Looking to see how others are segmenting their server networks. I want to group them by purpose: DBs in one subnet, apps in another, proxies in another. It makes NAC in the campus easier so I can only allow access to proxy networks. Looking to see how you do it.

Thanks,



DR WAN link to backup datacenter for failover help

Hello, I'm trying to build out a DR site that is connected with my primary site. I have a COLO about 20 miles away that is provided by my ISP, and I have a QinQ 100mbps link shared with my internet between their network and my network to carry layer 2 VLANs.

My objective is to place older hardware in the DR site to serve as offsite backup storage and failover for our virtual machines. We opted to have layer 2 services provided vs layer 3 to be able to transparently failover to the site without needing to re-IP which minimizes the impact to our computing services in the event I lose my primary datacenter.

I want to know the best way to link/route the network in the DR site to my production network and correctly route traffic from VLAN 100 to VLAN 1000. My background and knowledge quickly runs out and I need some guidance on the best way to accomplish my goal.

This being said what would you do if this was your network and you stuck with the layer 2 link? I'm not specifically asking the exact configs but a design that has been vetted by networking experts that will put me on the right track. I don't know what I don't know and that makes this hard.

My plan was originally to put some static routes on the routers, but in my testing I ran into major difficulties. In particular, I planned on using the 10.0.4.101/24 network ganged up on VLAN 100 to generate the static routes, but the SonicWALL will not let me assign 2 IPs on a single virtual interface. I was trying to avoid cross-contaminating IPs from one site to the other except for the VMs if they were to fail over.

I have tried setting up routing on the switches and had some limited success getting pingable access between the VLANs, but it looks like the Dell 6248s wanted additional configuration and would not pass traffic. My management VLAN on the 6248 is VLAN 100 and it won't let me route that VLAN, which ultimately is very annoying. I tried setting up some alternate configurations where VLAN 100 was not the management VLAN but ran out of time to test last weekend.

I've spent some time googling but I tend to find a bunch of stuff where people are like "hey, don't span VLANs across sites". I've tried some other smaller things but haven't had much luck. Right now my plan looks like this

I've got a few questions but these may be pointless depending on your recommendations.

  • Will my 2 routers/fws fight if they are both configured on the VLANs and set to route traffic from one VLAN to another? ie both have VLAN 100 and 1000 configured and static routes in place to allow traffic from one network to the other?
  • Could I utilize the layer 3 capabilities of my switches to facilitate the routing? I'm thinking this would offload quite a bit of traffic from the routers, primarily the replication traffic I will generate. In my mind, I've pictured all data that crosses the 2 VLANs flowing through a router.
  • I want to limit ingress of traffic to the 1000 VLAN to protect the assets in the DR site. I'm assuming the routers can accomplish this task with some access rules?

Note: Later on, I'd like the take the knowledge I learn here and extend it to improving my primary site.

TL;DR: A networking novice Sysadmin is trying to go into advanced networking without any real knowledge other than he doesn't know what he's doing.



Question about Cisco TDR result

Great Cisco forum post about the IOS TDR feature: http://ift.tt/2rgIAWP

Anyhow, I'm troubleshooting a port, on a WS-C3560X-48P-L running 12.2(55)SE8

This is what I get:

Switch#test cable-diagnostics tdr int g0/37
Link state may be affected during TDR test
TDR test started on interface Gi0/37
A TDR test can take a few seconds to run on an interface
Use 'show cable-diagnostics tdr' to read the TDR results.
Switch#show cable-diagnostics tdr interface g0/37
TDR test last run on: January 17 13:02:40
Interface Speed Local pair Pair length        Remote pair Pair status
--------- ----- ---------- ------------------ ----------- --------------------
Gi0/37    100M  Pair A     N/A                N/A         N/A
                Pair B     N/A                N/A         N/A
                Pair C     N/A                N/A         N/A
                Pair D     N/A                N/A         N/A
Switch#

It looks like the TDR test ran successfully, but everything's N/A?

The int is up/up, and in heavy use. Maybe TDR doesn't work when the int is mostly saturated?



BFD with DMVPN Example and Real World Experience

Hello,

I am looking at running a lab for BFD on our DMVPN WAN infrastructure. We do not currently run PFR or any other iWAN but we are looking at it for a 2018 initiative.

This guide makes it look simple, however I am curious if anyone has any real world experience with it.

http://ift.tt/2rjTpYa

I have a lab set up for a remote spoke site, however I do not have a lab HUB network so I would have to test in production (With change control, etc).

Is it really as easy as the following?

Spoke:

bfd-template single-hop BFD-TEMPLATE
 interval min-tx 1000 min-rx 1000 multiplier 5 <-- TIMINGS I WANT, Anything suggested here?

interface tunnel#
 bfd template BFD-TEMPLATE

Hub:

bfd-template single-hop BFD-TEMPLATE
 interval min-tx 1000 min-rx 1000 multiplier 5 <-- MATCHING THE SPOKE SIDE TIMINGS

interface Tunnel#
 bfd template BFD-TEMPLATE <-- template name must match the bfd-template defined above

router eigrp #
 bfd all-interfaces <-- Can this be set to just one interface for testing?

Any tips would be great. Just looking for gotchas or maybe a configuration example.

Thanks everyone!



Accessing a database list from AWS in android studio

I don't know if this is relevant here, and if it isn't, could you direct me to the right place before this is removed? Thank you.

So, I want users of my app to be able to access a list of items from an AWS database, without being able to edit or remove the items. I hope this makes sense because my searching doesn't seem to be giving me what I want. I hope you guys can help.

The tutorials I keep finding all seem to be about being able to add and remove your own, and not about one shared database that everyone can view and search through.



Google Fiber for branch office?

Has anyone deployed Google Fiber at a branch office? We have an office of 6-8 employees currently on cable (300/20). They are moving physical locations and their new location has Google Fiber in the building.

My gut feeling is it can't be worse that Spectrum/TWC, and we will keep the cable for backup.

We have all the necessary equipment (firewalls, switches, AP's) so plan on using the cpe as a pass-through device.

Any experience or insight you can provide would be helpful.



Any software alternatives to Fluke LinkRunner 2000 features?

Hello everyone, I just wanted to ask if there are any Windows/Linux software alternatives to features that run on the Fluke LinkRunner 2000. In particular, the port information it retrieves, i.e. the switch hostname and the port that it's connected to. I just can't imagine that there isn't an app that does the same thing without requiring an SNMP community, just like the Fluke doesn't require that information to get it, but I could be wrong. I do have physical access to the switches and I can run all of the necessary commands to find out which port each device is on, etc. And yes, I have this Fluke which makes life so much easier when I have it in my tool bag.

However, if I just don't happen to have the tool on me I was hoping there was some sort of software alternative I can run on my laptop to at least find the switch/port that I'm on to quickly find a run that needs to be found in those situations that there are no jack labels or terrible labeling.

Thanks! Phyrexious



simplest way to push/pull files in /this/ network

http://ift.tt/2DgltNF

URL Filtering w/FirePOWER

Hey Guys

So I'm trying to transition our policy model to one where the ASA does port filtering and the SFR does URL filtering/inspection.

One challenge I'm facing is that as I've migrated a couple services over to this design, some of the connections outbound fail to register anything in the URL column and therefore get blocked.

The ASA and FP don't treat FQDN the same way and I've since had to add in an additional set of IP based objects on the FP policy to get things moving. This could obviously lead to annoyances down the road.

Is there anything I'm missing here that could be the reason why these connections in the table are sometimes lacking the URL, or in some cases, never having a URL?



Captive portal popups: the definitive guide

Hi all,

So for the last half year I have been doing a school project about captive portals. A good helping point for me has been this serverfault Q. But since the Q is closed and I would like to help people the way it helped me I decided to open it up here.

So please everyone post down your Apache/Tomcat/Nginx ways to get the captive portal popups.

One method that worked for me for all devices I tested it on (iOS 8/9/10, Android 4/5/6/7/8, Windows Phone) was:

RedirectMatch 302 / http://$IP 

As told by Stackexchange user @hdezela this is how the captive portal popups are triggered:

All mobile OS just check a web page to decide whether they're behind a captive portal or not. The mechanism is this:

  1. GET/POST http://foo.com/bar.html
  2. If bar.html == [expected content] > Open Internet
  3. If bar.html != [expected content] > Captive Portal
  4. If bar.html[status] != SUCCESS > No Network

Also, for iOS, you need to have a domain for your WiFi network as it assumes a domainless network without access is a home network and just marks it as No Network instead of Captive Portal.
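The probe logic above, in Python as an added example (mine, not code from the original post or from the Stack Exchange answer it quotes): the gateway side of the `RedirectMatch 302 / http://$IP` rule and the client-side classification. The probe URLs and expected replies are what I know the vendors currently serve and should be checked against their documentation before relying on them; the portal address and the `next` query parameter are made up for the example.

```python
from urllib.parse import urlsplit

# Probe targets and the exact reply each OS expects (status, body). Assumption: these are
# the current vendor values; confirm against vendor documentation.
PROBES = {
    "apple": ("http://captive.apple.com/hotspot-detect.html", 200,
              "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"),
    "android": ("http://connectivitycheck.gstatic.com/generate_204", 204, ""),
    "windows": ("http://www.msftconnecttest.com/connecttest.txt", 200, "Microsoft Connect Test"),
}


def classify_probe(expected_status, expected_body, reply):
    """The four-step decision from the post. `reply` is (status, body), or None when the
    request could not complete at all (no DNS, no TCP, TLS failure)."""
    if reply is None:
        return "no_network"
    status, body = reply
    if status == expected_status and body.strip() == expected_body.strip():
        return "open_internet"
    return "captive_portal"


def portal_response(host, path, portal_host):
    """What the gateway answers an unauthenticated client: the equivalent of
    'RedirectMatch 302 / http://$IP'. Every request not addressed to the portal itself
    is 302-redirected to it. The portal's own host must be exempt or the browser loops.
    Cache-Control: no-store keeps an intermediate cache from replaying the redirect
    after the client has authenticated."""
    if host == portal_host:
        return 200, {"Content-Type": "text/html"}, "<html><body>login form</body></html>"
    location = f"http://{portal_host}/?next={host}{path}"   # hypothetical 'next' parameter
    return 302, {"Location": location, "Cache-Control": "no-store"}, ""


def simulate_probe(os_name, authenticated, portal_host="10.0.0.1", link_up=True):
    """Replay one OS probe against a gateway in the given state and classify the result."""
    url, exp_status, exp_body = PROBES[os_name]
    if not link_up:
        return classify_probe(exp_status, exp_body, None)
    parts = urlsplit(url)
    if authenticated:
        reply = (exp_status, exp_body)              # traffic reaches the real server
    else:
        status, _headers, body = portal_response(parts.hostname, parts.path, portal_host)
        reply = (status, body)                      # gateway intercepted it
    return classify_probe(exp_status, exp_body, reply)
```

Two things worth noticing: the vendor probes are plain HTTP precisely so a gateway can intercept them, and the gateway never needs to forge the expected "Success" body; any mismatch (a 302 is the cleanest) triggers the sheet. An HTTPS probe cannot be intercepted this way, since the redirect would present a certificate for the wrong name and the client treats that as a failure rather than a portal.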



Meraki Alternatives for the midsize enterprise

Apologies for sounding like an idiot, im a sysadmin not a networking guy so please be kind.

I'm looking for some alternatives to Meraki for midsize enterprise. We are looking at replacing all of our switching, firewalls, and access points and ideally want a cloud-based SD solution. After reading several lengthy posts, the general consensus seems to be that Meraki is great for the SMB market but doesn't scale. Does anyone know of anything that fits the bill for midsize enterprise? We looked at Riverbed but I can't say I'm that taken with it.



Redistribution of eigrp ipv4 routes into ospfv3 running ipv6

Hi guys,

Just wondering: can you redistribute IPv4 routes into IPv6, from EIGRP into OSPFv3 and vice versa?

I am just labbing stuff up for a sort of routing 'mega lab' and thought I could try that out. Can't see much about redistribution of routes between EIGRP and OSPF running IPv4 and IPv6.

Thanks in advance.



Motorola AP Discovery Tool throwing errors

Yeah, yeah, it's a hunk of junk and everyone is more surprised when it works than when it doesn't. But I'm messing around with it and it's throwing the weirdest errors... can't seem to figure out what the heck is going on. If anyone has sorted this out or has a better tool that does the same things, please drop me a line. Thanks.

Here's the CLI barf when I run DiscoverAPs.exe:

The following Interfaces are associated with this Machine
IFACE IP           MAC
===== ==           ===
eth0  192.168.7.74 <VALID-MAC-HERE>
Enter Interface(eth0,eth1,...) from the above list to Discover APs :: eth0
Broadcasting an AP Discover message
Traceback (most recent call last):
  File "DiscoverAps.py", line 189, in <module>
  File "scapy\sendrecv.pyc", line 357, in srp
  File "scapy\arch\pcapdnet.pyc", line 313, in __init__
  File "dnet.pyx", line 112, in dnet.eth.__init__
OSError: No such file or directory

Apologies for the self-serving, mass-inflicted torture... :P But thanks for the help.



Tuesday, January 16, 2018

[Small Business] Want to make our network more efficient

Hello guys, I don't have a specific question but was wondering if you had any suggestions for improving / polishing the setup at a small business I'm working at. Networking isn't my specialty, but I've set up our network from what I've learned mostly from searching online and a little common sense.

Here is our current setup:

Ciena 3930 fiber modem/switch (provided by at&t) in MPOE

fiber cable drop through ceiling from MPOE --> office IT room

fiber connected to media converter

ethernet cable connected to Orbi router

Orbi router connected to Cisco switch

Switch feeds some orbi satellites throughout the office and some conference rooms' ethernet ports on the wall

We are a pretty small startup so we don't have any servers or other network equipment (all cloud based), so the setup is relatively simple.

Right now, everything works but I just feel like there could be improvements made.

I'm not a huge fan of the Orbi system as I feel like I don't have much control over it, including different SSID's for 2.4/5 GHz. Some devices seem to be forcing onto 5GHz in poor conditions giving slower WiFi speeds (just a wild guess), and some devices seem to connect to satellites that are further away rather than nearby Orbi satellites (we have 3 satellites throughout the office)

Other information:

Provider is AT&T business fiber (250up and 250down), and we have 1 static IP address.

Around 40 users (each user has a laptop, and most of them also have their phones connected to the network as well, so around 50~80 devices connected max), and 99% of usage is wireless. There are a few mac minis connected via ethernet in conference rooms.

No remote users (that need our office network access anyways)

Not a lot heavy network usage - most work is browser (image/text) based, but several people stream videos/music while they work as well.

Office is around 17,000 square feet (fairly open, few thin walls)

I guess my main questions are:

  1. Is my setup 'correct'?

  2. What sort of obvious improvements can I make to make our network more efficient?

Thanks!



What OS can I install on some Dell s4128-on switches.

We bought two Dell S4128-ON switches. They come with ONIE for installing the OS. The only operating system we can find that is compatible is OS10 Enterprise Edition. OpenSwitch has a version that works for the S4048 switches but it does not seem to work on the S4128. I am way out of my element here. I just need to do some L3, gateways and ACL's. I need to make them a stack and do LAG's and vlans. Can someone point me in the right direction?

Is there a basic OS that I can install on an S4128-ON switch that will give me a CLI similar to the Cisco and Force10 CLIs? Do any of Cumulus, BigSwitch, Pluribus etc. offer such a solution? Preferably a free one.



Help identifying node/modem/router

Can anyone identify the manufacturer of this DSL node/modem/router? Need a service/user manual. It is functionally similar to a Soekris Net5501.

Front Back Board Logo

Thank you.



Thoughts on A10?

Hey guys, what are everyone's thoughts on A10 against F5 these days?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Tell me if this is already a thing before I go roll my own

I supervise networks for organizations that don't always document their stuff. I'm interested in APs and IP cameras. I want to know which ports those devices are connected to, so I can label the ports and add them to our NMS. I have a list of AP MACs from the controller, and a list of OUIs for IP cameras.

I want a Thing(R) that does this:

  1. Thing(R) eats a CSV that maps MACs and/or OUIs to a desired description value
  2. Thing(R) eats a list of network devices to crawl
  3. Thing(R) checks each device's CAM/ARP cache and looks for matches from step 1
  4. If matches found,
    1. Labels switchport with provided values from CSV in step 1
    2. Writes/backs up device config
  5. When done, provides a log:
    • For each MAC provided, which device/port it's connected to (or if not found)
    • For each OUI provided, which device/ports matched the OUI

I will then take this output and use it to update our NMS.

So, does this Thing(R) — or something very much like it — already exist, in mostly-turnkey state?

Or is this sort of Thing(R) a use case for NAPALM/netmiko?
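The core of the Thing(R), as an added Python example (mine, not the poster's tool): it covers steps 1, 3, 4a and 5 offline against constructed data. It normalises MACs and OUIs from the CSV, parses Cisco-style `show mac address-table` output, skips ports that carry several MACs (almost always uplinks or trunks, which must not be labelled after an AP), and emits the interface description lines plus the log. The switch names, MACs and table contents are constructed; fetching the real tables over SSH would be the netmiko/NAPALM part and is left out.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample CSV: a full MAC (any separator style) or a 3-byte OUI -> description.
LABEL_CSV = """key,description
00:11:22:33:44:55,AP-LOBBY-01
0011.2233.4466,AP-WAREHOUSE-02
00-aa-bb-cc-dd-ee,AP-RETIRED-99
00:1A:07,IPCAM
"""

# Constructed sample 'show mac address-table' output from two hypothetical switches.
MAC_TABLES = {
    "sw-idf1": """          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/5
  30    001a.0712.ab01    DYNAMIC     Gi1/0/7
  30    001a.0712.ab02    DYNAMIC     Gi1/0/8
  10    0011.2233.4466    DYNAMIC     Gi1/0/48
  30    001a.0712.ab03    DYNAMIC     Gi1/0/48
  20    5c26.0a11.2233    DYNAMIC     Gi1/0/48
Total Mac Addresses for this criterion: 6
""",
    "sw-idf2": """Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4466    DYNAMIC     Gi1/0/12
  30    001a.0712.ab03    DYNAMIC     Gi1/0/13
""",
}

MAC_LINE = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I)


def normalize_mac(text):
    """Reduce '00:11:22:33:44:55', '0011.2233.4455' or '00-11-22' to lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    if len(digits) not in (6, 12):
        raise ValueError(f"not a MAC or OUI: {text!r}")
    return digits


def load_labels(csv_text):
    """Step 1: ({mac: description}, {oui: description}) from the CSV."""
    macs, ouis = {}, {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = normalize_mac(row["key"])
        (macs if len(key) == 12 else ouis)[key] = row["description"].strip()
    return macs, ouis


def parse_mac_table(text):
    """(vlan, mac, port) for every data row of Cisco-style 'show mac address-table'."""
    return [(int(m.group(1)), normalize_mac(m.group(2)), m.group(3))
            for m in map(MAC_LINE.match, text.splitlines()) if m]


def uplink_ports(entries, max_macs_per_port=1):
    """Ports with more than max_macs_per_port distinct MACs behind them are treated as
    uplinks/trunks and never labelled."""
    seen = defaultdict(set)
    for _vlan, mac, port in entries:
        seen[port].add(mac)
    return {port for port, macs in seen.items() if len(macs) > max_macs_per_port}


def find_matches(mac_tables, macs, ouis, max_macs_per_port=1):
    """Step 3: compare each device's table against the CSV, skipping uplink ports."""
    matches = []
    for device, text in mac_tables.items():
        entries = parse_mac_table(text)
        skip = uplink_ports(entries, max_macs_per_port)
        for _vlan, mac, port in entries:
            if port in skip:
                continue
            if mac in macs:
                matches.append({"device": device, "port": port, "mac": mac,
                                "description": macs[mac], "kind": "mac"})
            elif mac[:6] in ouis:
                matches.append({"device": device, "port": port, "mac": mac,
                                "description": ouis[mac[:6]], "kind": "oui"})
    return matches


def description_commands(matches):
    """Step 4a: IOS configuration lines to push, grouped per device."""
    out = defaultdict(list)
    for m in matches:
        out[m["device"]] += [f"interface {m['port']}", f" description {m['description']}"]
    return dict(out)


def report(macs, ouis, matches):
    """Step 5: where each listed MAC landed (None if not seen) and every port per OUI."""
    found = {m["mac"]: (m["device"], m["port"]) for m in matches if m["kind"] == "mac"}
    by_oui = defaultdict(list)
    for m in matches:
        if m["kind"] == "oui":
            by_oui[m["mac"][:6]].append((m["device"], m["port"], m["mac"]))
    return {"mac": {mac: found.get(mac) for mac in macs},
            "oui": {oui: by_oui.get(oui, []) for oui in ouis}}
```

Two caveats for the live version. The MAC table is a snapshot and idle entries age out (IOS defaults to 300 seconds), so a quiet camera can be "not found" until something talks to it; a ping sweep before the crawl helps. And a MAC or OUI match identifies a device, it does not authenticate it: a host can present an AP's MAC, so the labels are documentation for the NMS, not an access decision. For the crawl itself, NAPALM's `get_mac_address_table()` returns this data already parsed, which removes the regex above.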



Help - Losing Juniper switch when plugging in uplink ports from switch to switch

Looking for help again, but I have an MDF that connects over fiber to an IDF (both 3400s) with the ports trunked between the switches, and all is fine and well. I then have another port on that IDF that goes out into a warehouse to a 2300. When the warehouse switch is plugged in I will momentarily get DHCP and an IP, but shortly after that it will drop off, and then shortly after that the switch at the warehouse and the IDF start becoming unresponsive. The warehouse switch can ping the IDF but not the MDF. I have checked all tagging and can say those are all correct, and have checked the cables as well to make sure they work and that they go directly from switch to switch. Spanning tree is all default for Juniper as well. Any ideas on what I can look at next? I have run out of ideas!



Is there any mentioning of IGMP Snooping Querier in any of the RFCs?

So I've been reading about IGMP a lot lately, mostly RFCs (IGMP, IGMP Snooping, IGMP Proxy) and Cisco/Juniper docs. What I've found, and what I feel a bit confused about, is whether or not IGMP Snooping Querier is an RFC-based feature. It seems like it is not and it's just a feature vendors came up with, but it sounds a lot like IGMP Proxy in the RFCs.

So my core question is: are IGMP Snooping Querier and IGMP Proxy different features and what parts of the RFCs can show me that?



NAT Port Forward to Internal IP Address not working

I have a network that has 2 servers running clustered together via vSphere Server Appliance (VCSA) or otherwise known as vCenter. I have a single public IP address that I have NATed with a pfSense firewall so that all my virtual machines have an internet connection. My goal is to have VCSA externally accessible by logging into the portal via the URL.

Currently, when I go to the URL, I bring up the VCSA Web Client, and when I click on the HTML5/flash login, the URL bar in the browser changes from the URL, "fake.website.com", to "192.168.1.19", and then proceeds to time out.

I have narrowed the problem down to when I connect to the URL and click the HTML5/flash button to login; it tries to pull data from the local IP address "192.168.1.19", which it obviously cannot as I am external of that network.

I have floated around with many ideas that I am not sure would fix this. Would a virtual IP address fix this? I do not understand virtual IP addresses at all. Secondly, I tried a 1:1 NAT mapping that had the same effect as above. Could a combination of 1:1 NAT mapping and NAT reflection fix this? I currently have NAT reflection turned off.

If you need any clarification or have an idea as to a solution, I am eager to hear it.

Public IP address: 1.2.3.4 Internal IP address: 192.168.1.19 URL: fake.website.com



Delving into ANY ANY acl rules?

So my coworker implemented a few layer 3 switches in an industrial network, and on these switches are many port ACLs (extended ACLs) applied to all the VLANs. At the end of these huge ACLs is a tcp any any and a udp any any, both of which have a few thousand hits per hour. The customer now wants us to remove those any any ACLs; however, we don't want to, just in case some important traffic used to run the machinery is traversing them. He has told me that the only way is to syslog the firewall rules to another server and comb through it. I wondered if there was a way to do it locally on the switch (not using debug). These are 3750s.



AP-7532i Factory Reset OR get MotorolaAP Tool working??

TL;DR - how to do a reset on an AP-7532i OR get MotorolaAP Tool working.

I got a boatload of these units from a Victoria's Secret site demolition (panties and wifi, oh my!). Figured I could reuse them as they're in pristine condition and the demo boys were just going to turf them all! O_o How the flonk do I factory reset these buggers?? It is pulling an IP from DHCP and I can hit it with SSH, but, as they should be, the default PW has been changed and the web UI doesn't load. I just want to reset these to factory and move on. I am aware of how to reset once I have access, but I don't. I tried using the MotorolaAP Tool... but it instantly dies when launched. Which sucks, because that would be perfect for my needs and is the preferred option here.

So, I would like either: A) help getting MotorolaAP to run properly (or if there's a Linux tool that does similar), or B) some concrete info on how to get a factory reset done (wish it had a reset button for a nice 30-30-30...). For those who want to know exactly which model: Extreme AP-7532i 802.11AC AP, Int Ant WR AP-7532-67030-WR.

TIA.



Mixing 1000mb & 100mb switches - Network slowdowns?

Hi,

I am working in a 3-building environment (all within 50 yards of each other). All wiring is Cat6, no fiber, and the ISP is 150/150.

We have a combo of IP cameras, IP phones, wifi devices etc.

Each building has a main 1000mb switch (Cisco - SG500-28P) and multiple 100mb POE Switches (Cisco CE500-24PC - all 24 ports POE).

Buildings are all connected to the 1000mb Cisco switch (as are wifi access points and other 'main' equipment).

Building 1 (main building) has 1 Cisco SG500-28P 1gb switch with two of the Cisco CE500-24PC switches, covering 25 cameras & 30 IP phones. Also two Ubiquiti wifi access points.

Building 2 (2nd priority) has 1 Cisco SG500-28P 1gb switch and 1 of the Cisco CE500-24PC switches, covering 15 cameras & 10 IP phones. Also one Ubiquiti wifi access point. Also has the IP camera DVR.

Building 3 (3rd priority) has 1 Cisco SG500-28P 1gb switch covering 3 cameras & 2 IP phones. One Ubiquiti wifi access point. Also has the IP camera DVR.

We are using a 255.255.254.0 scheme & have roughly 300 devices.

My question is regarding the network flow - to ensure things are good are there any issues with using 100mb POE for IP cameras and IP Phones in terms of data flow?

We have a bunch of spare Cisco CE500-24PC 100mb units - about 8. We sort of just pop them on as we need them (more phones / cameras / other).

Thanks, Rich



How do you remember all of the acronyms that you're supposed to remember in IT and Networking fields?

I have trouble myself remembering many of these for so many useful technologies that I wish I knew. I hope I'm not the only one who struggles to gather all of them and remember them by heart.



DNS troubleshooting w/ thousands of public DNS servers around the world - Python library

pubdns is a Python library that gives your script access to more than 28K public DNS servers from 190+ countries. It works on the data collected by public-dns.info, and there is a wrapper based on dnspython to resolve all types of DNS records through these public DNS servers smoothly.

http://ift.tt/2lW936a



Best practice linking 2 switches with 10GbE-CX-4 ports

I currently have two HP Procurve switches that have the majority of my equipment (tv broadcast) connected. From each of the switches I have a home run to the switch that is connected to our cable modem/router. Both of the Procurves have 10GbE CX-4 ports in the back.

Would it be possible/advisable to use the CX-4 port to connect the two switches together and do away with one of the runs to the router? The traffic on these two switches is very low since the majority of the equipment doesn't generate any measurable traffic. The highest traffic would be maybe 10Mbps going over that cable.

Should I move things over to the CX-4 connection or just leave it as it is? I also have a couple of SFP ports on the back of them and have the adapters and fiber patch cables.

I know that it would be simpler to leave it as is, but I'm trying to get more knowledge in networking since that is where my current field is leading.

Thanks



Prompt clients to initiate DHCP request

Hello, as title suggests, is there any way to prompt clients to initiate a DHCP request other than reconnecting the physical cable? I’m asking from the perspective of firewall/router/switch/ap.

Scenario: you want to change the scope on your LAN and instantly remove the old scope. How can you ensure, from the above-mentioned units, that the clients get new addresses while they are still on the old lease?

I am recognizing while typing that I’m having trouble to clearly articulate my question - but I hope I am making sense.



boxes for Cisco 6500 cards?

We are doing a refresh and don't have enough boxes for our Cisco 6500 cards. Is there a place anyone has found to get a bunch or something that works for their size? We need to pull them out, box them up, and move them around. We don't want to kill them.



DHCP reservation on C3650

Hi guys, I need to add a few DHCP reservations and would love some advice.
We don't have any DHCP server at the moment, which is why I need to configure them directly on our switches.
Our infrastructure is a mess of bad practices; we are currently in the process of making significant modifications to improve the situation. (I've been at this job for a few months now, first real job for me.)

My question is pretty basic : I have a simple /24 dhcp pool without any excluded address, and I need to do a few dhcp reservations (3) in the same pool.

Do I have any possibilities other than making 3 new DHCP pools as follows?

ip dhcp pool $(poolName)
 host $(ip address) /24
 ! a manual binding needs hardware-address (or client-identifier 01$(mac) for
 ! clients such as Windows that send option 61); without it the pool binds to nobody
 hardware-address $(mac)
 default-router $(gateway)
 dns-server $(dns)

I read that you don't have to exclude these host reservations or they won't be handed out to the client. Can you confirm that they won't conflict with the already created /24 pool (as they belong in it)?

Thanks for your input and have a great day!

edit: formatting..