Saturday, February 10, 2018

I have lost the root password of my Huawei MA5683T. How do I reset or recover it?

Hi, everyone! Does anyone know how to reset or recover the root password of an MA5683T?



How would you handle this situation?

New setup at a new location.

2x ASA 5506 in failover. 2x Catalyst stacked. Plus other stuff not relevant to the story.

In my assembly instructions, the ISP equipment connects to a random VLAN and then two ports go to each ASA for the high availability.

The onsite contracted 3rd party sent a tech who would not assemble it that way: "Internet connections can't be plugged into the switch." They plugged the WAN directly into ASA1. I let it slide because I needed other work completed. We have full remote access to both ASAs.

Now after the fact we needed that fixed. It was assigned to my coworker to get it cabled correctly and test.

My coworker did not fix the cabling state and instead tested the failover which didn't go well.

My coworker proceeds to go to our boss and say that my configuration on the firewalls is so bad that they both need to be shipped back to us (internationally, >5000 km away) for him to reconfigure them from scratch. My boss updated me about this because I am the one responsible for these devices.

So I emailed said coworker that the cabling is not plugged in correctly. I only provided facts directly related to the cabling issue.

His response back to me was that he told the bosses that 'the configurations are totally not the issue' even though I never brought it up.

So basically the boss or him are lying.

I replied back, "Why do you need to bring them back here? We have full remote access to them."

His response back was, "I want to make sure the chips are clean. I saw on one of the forums that dirty chips can mess with performance and I don't want them opening up the units to do it themselves." That's literally copy and paste of his response.

I forwarded this to my manager but not the boss. I said we should try plugging the cables in properly first. My manager's response was more or less that I had been warned to make my configurations like his, otherwise I would upset him.

TLDR: Coworker is going to our boss, telling them that I'm bad at my job and that he needs to do major amounts of work to fix my mistakes. But I'm being told it's my fault for upsetting him.

That's where it stands. How would you handle this?



How do TCP and IP work hand in hand?

So, the title says it all. How do these two work hand in hand? IP can be used by itself, right? Then why not TCP? Why does TCP need IP in order for it to work?

Any response is appreciated.



Anyone ever done "full network encryption?"

Let's define "full network encryption" as the understanding that there will be IPsec between every layer 3 hop, and MACsec on every layer 2 segment, including between hosts and their access layer switches.

Just at a first glance, it seems like a huge undertaking. Especially as someone who has never touched MACsec before. Any thoughts?



The Cloud: Good or Bad?

I would love to hear how "The Cloud" has positively or negatively impacted your networking careers. I'm currently in the transition between two networking jobs and will be working in an SMB business where they plan to migrate most of their on-prem services to the cloud. What are people's experiences with this in regards to networking? Nightmares? Headaches? Or maybe more efficiency? Less stress? Lay-offs? Restructuring? I'd love to hear everyone's stories about their experience with the Cloud and networking.



IPv6 Dedicated Citadel Forged With Fire Server Help

I am trying to set up a dedicated server on my PC. I have IPv6, so port forwarding does nothing for me really, although I have port forwarded my local IP address just in case. The ports are also allowed in my firewall. The server shows up in the LAN but not in the browser. Any ideas?



Occupation profile paper. Can anyone who works in networking tell me about your job ?

I have some questions to ask you if you would like to help.

I’m going to use your answers, along with information from trade magazines and books, and the Occupational Outlook Handbook.

I have a 4-7 page paper, but it doesn’t have to be long or detailed. I just need it as a source, because I’m supposed to interview someone but I don’t know anyone in networking or IT, and any additional information, especially first-hand, would help me immensely. Here are the questions I wanted to ask you; some should be separate, but they were in the same category so I kept them together.

  1. What’s a typical day at your job like? What are some daily activities?
  2. What’s the environment like? What are the co-workers like? Do you work with a team or alone?
  3. What do you like most and what do you like least?
  4. What are the hours like?
  5. Any education requirements? Any incentives to further your education? Do you have to learn constantly?
  6. Is previous experience important?
  7. What’s the rate of pay, or what’s a good starting salary or rate of pay?
  8. Is there anything dangerous?
  9. Can you move up? If so, to what position?
  10. Are there any considerations to take into account before pursuing this career?
  11. Anything else you would like to add that could help with a profile of your job?


Simple "SAN" > VLAN configuration for a Netgear Switch

I got a Netgear GS724 smart switch. Customer has several boxes that are used for deep storage/backup/etc. A proper SAN is not available at this time (notice "SAN" instead). The goal is to mark out 6 ports as a VLAN so it is fully carved out for this "SAN" and won't disrupt other test or production LANs. Strictly isolated, and no bottlenecks on either this VLAN or the rest. I do know the throughput is 52 gigs, so I don't see this being a problem. Netgear's documentation can be confusing.



Satellite Modem connection

My friend has satellite service and their modem is not physically connected (coaxial) to the dish. Does this make a difference speed-wise?

I don't know much about satellite service. I would think that service is more likely to encounter interference and transmit and receive slower than a direct connection from the modem to the dish.



ASA Connection/Port Analysis

I'm currently involved in a project where a client wants to redesign the network. They have a private line to our infrastructure, but without any restrictions. The issue they currently have is that their internal network design is a mess; anyone can plug in anywhere and gain access to their servers.

Dividing the network and placing logical restrictions on each grouping is a step in the right direction. The issue is that they use loads of custom software solutions created by specialized vendors. Gathering information from the vendors themselves on how these solutions work on a network-level is an administrative hell. So I'm tasked with analyzing the traffic that enters on our end and analyze the connections. Their DHCP servers provide some grouping (LAN-WiFi-VoIP/building scopes).

They would like to create a standard for all firewalls on-site and for the firewall on our end. So I'm looking for a way to analyze all incoming traffic over a specific interface (their MPLS line) and monitor which IPs use which ports. Based on that, we can create a template for access rules that are more restrictive.

What is in your experience an efficient way to gather such information and analyze such traffic? I have currently looked at netflow solutions, but there are loads of traffic analyzers out there that may be too advanced for what I'm hoping to achieve. I was wondering whether there are any straightforward solutions. Any tips or experiences on internal network design are also much appreciated!
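Below is an added example, not something from the post or from any vendor tool, of the smallest version of that baseline step: take a flow export (the sample rows here are constructed, not real traffic), group by destination service, record which sources hit it, and render candidate ASA ACEs. The field names, the `MPLS_IN` ACL name and the assumption that each record is already oriented client-to-server (source is the initiator, `dst_port` is the service port) are all assumptions of the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export, not real flow data: one flow record per line,
# already oriented client -> server (src is the initiator, dst_port the service).
SAMPLE_FLOWS = """\
src_ip,dst_ip,proto,dst_port,bytes
10.10.20.15,192.168.50.10,6,443,18234
10.10.20.16,192.168.50.10,6,443,9100
10.10.20.15,192.168.50.10,6,443,2200
10.10.30.7,192.168.50.20,17,53,310
10.10.30.8,192.168.50.20,17,53,290
10.10.20.15,192.168.50.30,6,22,54000
"""

# Only protocols with a port get the "eq <port>" form; ICMP and others need
# hand-written ACEs and are skipped here.
PROTO_NAMES = {6: "tcp", 17: "udp"}


def parse_flows(text):
    """Parse a CSV flow export into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "src_ip": row["src_ip"],
            "dst_ip": row["dst_ip"],
            "proto": int(row["proto"]),
            "dst_port": int(row["dst_port"]),
            "bytes": int(row["bytes"]),
        })
    return rows


def summarize(flows):
    """Group flows by (dst_ip, proto, dst_port): who talks to which service."""
    summary = defaultdict(lambda: {"sources": set(), "flows": 0, "bytes": 0})
    for f in flows:
        entry = summary[(f["dst_ip"], f["proto"], f["dst_port"])]
        entry["sources"].add(f["src_ip"])
        entry["flows"] += 1
        entry["bytes"] += f["bytes"]
    return dict(summary)


def to_asa_acl(summary, acl_name, min_flows=1):
    """Render one ASA extended ACE per observed (source, service) pair.

    Services seen fewer than min_flows times are left out, so a single scan
    or a mistyped address during the baseline does not become a permanent rule.
    """
    lines = []
    for (dst_ip, proto, dst_port), entry in sorted(summary.items()):
        if entry["flows"] < min_flows or proto not in PROTO_NAMES:
            continue
        for src_ip in sorted(entry["sources"]):
            lines.append(
                f"access-list {acl_name} extended permit {PROTO_NAMES[proto]} "
                f"host {src_ip} host {dst_ip} eq {dst_port}"
            )
    return lines


if __name__ == "__main__":
    acl = to_asa_acl(summarize(parse_flows(SAMPLE_FLOWS)), "MPLS_IN", min_flows=2)
    print("\n".join(acl))
```

Two caveats a practitioner would add: the baseline window has to be long enough to catch monthly jobs and failover paths, and anything that only shows up once should be checked against the vendor before it is either permitted or dropped, since a one-off flow is as likely to be a scan as a legitimate dependency.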



ASA configuration for lab/educational purposes

I have been trying to set up an ASA at the edge of my network but it's not going as planned. I can't seem to get it to PAT/forward traffic. I'm not sure if it's the NAT process or an ACL blocking traffic from flowing between the two interfaces, or none of the above. I have spent hours upon hours looking at the same config to no avail. I went ahead and defaulted back to my 2921 at the edge for the time being.

My topology consists of an ASA 5506-X at the edge, connected to two stacked 3750s via a routed port with a /30 subnet. The 3750s perform intervlan routing (with eigrp enabled and peered with the ASA) and forward the default route to the ASA via its 172.16.100.1/30 inside interface.

I can ping the ASA's inside interface from the switch stack and from internal clients. I cannot, however, ping the outside interface of the ASA nor any external public address beyond that.

If I remote into the ASA I can ping the switch stack and internal clients, but only if I source the ping from its inside interface. Also, I can ping 8.8.8.8 and the like from the ASA but only from the outside interface.

Any assistance/guidance would be greatly appreciated.

ASA Config: https://pastebin.com/p6ayWyqY 3750 Stack Config: https://pastebin.com/NnZZH9Pv



Can I connect a repeater to a repeater?

Ok guys... So... I live in a huge collection of houses/apartments with the same landlord. There is a router in the beginning of the row of houses/apartments (don't know why, I guess an infrastructure problem), and there is a repeater in the middle, and we are in the end. Our kitchen has perfect wifi/internet connection, unlike our living room and bedroom. So my question is: can I connect a repeater to the repeater wirelessly, in the kitchen? Note: the signal from the router is not reachable by us at all.

Thank you in advance! Have a great weekend!



Linksys EA9300 Opinions

Hey Guys,

I received a EA9300 and before I open the box I want to know if it has some certain capabilities. If not, I may try to sell it for a router that does have what I am looking for.

  • Separate MAC address filtering for guest and main connections (my current Netgear has the same MAC address filtering list for all WLANs, so even my guest network is filtered. Basically makes it useless.)
  • Set up VLANs (is it capable of doing so?)
  • Access control to connected external drives
  • Turn off WPS (not just set it to push button, but actually disable it)
  • Control the signal strength (I don't need to reach my router in my neighbor's yard)
  • Enable collecting data logs and forward them to another device

Thanks.



Has anyone here ever used Zabbix to monitor Dell N series switches?

I've set up Zabbix 3.4 because I want to monitor my company's N series switches (we have mostly Dell N3048P switches). I've configured SNMPv2 and everything on the switch, and then I've added the host in Zabbix and done as much as I can going off the documentation, but I'm at a point where I can't figure out what to do next. I'm not getting any metrics from my single test switch yet.

If anyone has any experience, please help me get going in the right direction.



Starting/configuring the AS process (discussion, not looking for assistance)

If a company has an AS Number (ASN), how do they connect to the internet? Please don't say BGP, with cables, routers, etc... :)

Let me be a bit more direct. I looked up a company that has their own ASN and they have 3 neighbors: Level 3 Communications, Akamai Technologies, and Comcast Cable. Does this mean that this company has a router which is physically connected to those 3 providers, or that any of the next hops can be any of those providers?

As an example, take a look at this ASN, http://as-rank.caida.org/asns/136302

Are they directly connected to 9498 and 17917/route directly to those two ASNs?



Router-based IP redundancy/load balance

I have 2 NAS units that are set up with live 2-way sync. I also run a Tomato ARM-based router. Is there any way, in any form, to set up a single IP that will switch between the 2 units for redundancy? So that if the main unit fails, the same IP will direct to the second one. And further, is there a way to maybe load balance it (not important, but would be nice)?



Thinking of getting CCNA at 51. Should I?

Spent 27 years as an administrator in higher education, but due to addiction I lost my career. I am now in recovery trying to get my life back on track and was wondering if getting a CCNA R&S is a good career move? I have a BS in MIS.

Thank you.



GBIC vs SFP Query

Hi All,

Not a networking engineer by any stretch of the imagination so wanted to come here and double check something.

Looking to re-purpose an HP 2510G for a small office that's going to be connected to the main cable by fibre. This is mainly being done by a 3rd party. They are suggesting getting fibre GBICs for the switch; however, the only ports on the switch I can see are labelled SFP.

Are GBIC and SFP modules interchangeable, or am I right to be a little confused?

Thanks all,



My IP address says I’m in another state and I don’t have a VPN. Is that normal?

So I’m a noob at this, so sorry if this is normal, but I was thinking about getting a VPN and I found out that my IP address says I’m in another state. Shouldn’t my IP address go back to my actual address?

Thanks for any help and again sorry if I sound like an idiot :)



PAM-4 transponder recommendations

Does anyone have any recommendations for PAM-4 transponders for 100G. I'd be looking for something like QSFP28 on both LINE and client side, where PAM-4 QSFP28 is plugged in on line side, and I just talk to my router using normal 100G-SR4 or LR4 QSFP28 on the client side port.

Also, anybody deploying PAM-4 transceivers today? If so, besides Inphi (who does not sell direct to customers), who do you procure the transceivers from?



Friday, February 9, 2018

NEXUS rack rentals?

What are you guys using for rack rentals? It seems like the Nexus stuff in virtual just doesn't cut it. I love INE, but it seems their DC track is reserved for boot campers, so that's a no go for me.



Juniper ACX1100 Reliability

We've recently begun upgrading our backbone to Juniper ACX1100 routers acting as PE boxes.

After 1 week we've seen 1 out of 20 installed units fail. Doesn't boot, no console output, all interface lights just light up and nothing else happens.

I understand that this can just be an anomaly, but with more than 400 routers left to install, I'm becoming a bit concerned about the failure rate.

Cabinet this was installed in is not excessively hot, so I do not believe this is a thermal issue.

Anybody else experience this with ACX1100 routers, did you ever determine the root cause of the failure?



VLANs stretching across router ports

The place I work has several buildings on campus with one switch per building going back to a central router. Each building has its own VLAN, but there are also campus-wide VLANs like WiFi, Security, etc.

My understanding was that routers break off broadcast domains and so a VLAN cannot extend to multiple ports of the same router and yet this appears to be how this network is configured.

I'm working in Packet Tracer to try to reproduce this topology.

Can someone explain to me how this might be working?



VLT needed for MXL 40Gig switches for ESXi hosts?

Ok, here's my situation: when I started my current gig, I found two Dell Chassis with M8024-k switches with 10Gig uplinks in fabric A that were configured as a stack. I really didn't like this, because they couldn't be updated without bringing down the whole chassis. So when we installed a new chassis with MXL switches with 40 Gig uplinks, I configured them as a VLT pair - one of the 40Gig uplinks on each one was used as the VLT link, and one was used to uplink to our core switches (themselves a VLT pair).

This has worked fine, but now I am about to install another new chassis, and it occurs to me: why bother with the VLT on the MXLs? These are all VMware ESXi hosts in these chassis, so none of the ports are actually configured with port channels. It's standard VMware LBT. If instead I just used both uplinks as a port channel to the core, with no link between them, it seems to me I'd have a much simpler solution and more upstream bandwidth, to boot. Anyone ever done this?



Cisco 4948E switch and

On our prod env, we have a 4948E switch with a DHCP server, and the sysadmin guys use it for loading new images on MacBooks (via netboot). Recently, netboot has been failing. Upon investigation, hosts cannot netboot because they aren't getting a DHCP-assigned IP from the DHCP server. Looking at the tcpdump, we see the hosts send out 6 DHCP requests before the DHCP server finally sends a reply with an IP. The problem is that when you do a netboot, it sends out one DHCP request and thus never gets a reply from the DHCP server, so netboots don't work. I replaced the 4948E with a dumb Netgear switch and everything works fine. We see one DHCP request and one DHCP server reply.

I also got another 4948E set up in the lab, did a write erase, set up a DHCP server on a Windows laptop and connected another Windows laptop, and it got a DHCP reply after one request. I took this same switch and put it back on the production env, and the same issue occurs: hosts have to send out 6 DHCP requests before they get a reply back.

The 4948E is running the E8 IOS image. Anyone seen anything like this?

Thanks



Cisco SDA, is it as great as they claim?

Having attended early test drives, spoken to the people pushing it and read the documentation/CVD. I'm still not convinced. The concerns I have are:

  • Scalability
  • Reliance on a Cisco GUI tool
  • Licensing
  • Cost
  • Vendor lock in
  • Stability

Additionally, it seems many of the problems SDA solves are not major for us. As an example, configuration deployment/automation is already achievable on many existing systems.

I know it's early days, but does anyone here have any real world operational experience with Cisco's SDA solution? Does it really make life that much easier? I'd be interested to hear your experiences.



Recommended Load Balancers - Low End

Hello, we are upgrading some of our legacy Nortel PBX sites to a multi-cluster CUCM architecture. However, for extension mobility we are looking at using a load balancer (preferably cheap) that will be able to handle small HTTP requests. So far I've heard of:

  1. NGINX
  2. HAProxy
  3. ?

You guys have any that you like or recommend? While I am a fan of F5 I think the price may be too high or take too long to implement.

Thanks bros



what kind of tester do I need if I want to check cable runs for defective wires/EMI/crosstalk, etc?

I suspect that I have some issues with a few Cat5e cable runs between switches. I am looking to test the cable integrity myself so I want to purchase something that is sophisticated enough to do that. I am just not 100% certain what I should get... looking on Amazon, I get a ton of results. I already own a Fluke Networks toner but it's kind of finicky and I've only ever used it to trace cables as needed. I wouldn't mind spending up to $500 on it if needed.

We eventually plan to run fiber, but our building is so messed up right now, I'm just trying to make do with what we have and test it for issues.



Virtual switches

Is there any way, besides owning the IOS and using GNS3, of actually working with a virtual Cisco switch? I'm not asking about homework or schoolwork here, but this is what it's meant for: to work ahead on my own at home on my own hardware, instead of having pressure from a teacher or classmate.



Fiber St extraction tool

Hi team,

I have been looking for a tool that I'm not sure exists. I have joined with a company that has lots of old fiber. These fibers have an ST connection. Similar to a Coaxial BNC connection.

Is there a tool to help easily extract these ST connections from a patch panel?

I can't seem to find the right key words for Google to get me an image of the tool.



F5 LTM SSL Passthrough VIPs

I am trying to figure out a way to compile a list of all VIPs in my environment that are currently configured for SSL passthrough. Any tips on easily gathering this information before i start digging through the config file? Thanks!
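One way to get that list without reading the whole config by hand, added here as an example and not something from the post or from F5, is to parse the `tmsh list ltm virtual` and `tmsh list ltm profile client-ssl` output: a virtual whose destination is an SSL port but whose `profiles { }` block contains neither the built-in `/Common/clientssl` nor any custom client-ssl profile is passing SSL through untouched. The config excerpt below is constructed (made-up names and addresses), the port list `443, 8443` is an assumption, and IPv4 `addr:port` destinations are assumed.

```python
import re

# Constructed bigip.conf-style excerpt in tmsh "list" format; names and
# addresses are made up for the example.
SAMPLE_CONF = """\
ltm profile client-ssl /Common/api-clientssl {
    cert /Common/api.crt
    defaults-from /Common/clientssl
    key /Common/api.key
}
ltm virtual /Common/vs_web_443 {
    destination /Common/10.0.0.10:443
    ip-protocol tcp
    pool /Common/pool_web
    profiles {
        /Common/clientssl {
            context clientside
        }
        /Common/http { }
        /Common/tcp { }
    }
}
ltm virtual /Common/vs_legacy_443 {
    destination /Common/10.0.0.11:443
    ip-protocol tcp
    pool /Common/pool_legacy
    profiles {
        /Common/tcp { }
    }
}
ltm virtual /Common/vs_api_8443 {
    destination /Common/10.0.0.12:8443
    ip-protocol tcp
    pool /Common/pool_api
    profiles {
        /Common/api-clientssl {
            context clientside
        }
        /Common/tcp { }
    }
}
ltm virtual /Common/vs_http_80 {
    destination /Common/10.0.0.13:80
    ip-protocol tcp
    pool /Common/pool_web
    profiles {
        /Common/http { }
        /Common/tcp { }
    }
}
"""

STANZA_RE = re.compile(r"^ltm (virtual|profile client-ssl) (\S+) \{\s*$")
NAME_RE = re.compile(r"^\s*(/\S+) \{")


def parse_stanzas(text):
    """Split tmsh output into top-level stanzas: [(kind, name, [body lines])]."""
    stanzas, current, depth = [], None, 0
    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if depth == 0 and m:
            current = (m.group(1), m.group(2), [])
            stanzas.append(current)
        elif current is not None:
            current[2].append(line)
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current = None
    return stanzas


def virtual_profiles(body):
    """Return the profile names attached inside the virtual's 'profiles { }' block."""
    names, in_profiles, depth = [], False, 0
    for line in body:
        if not in_profiles and line.strip() == "profiles {":
            in_profiles, depth = True, 1
            continue
        if in_profiles:
            m = NAME_RE.match(line)
            if m and depth == 1:
                names.append(m.group(1))
            depth += line.count("{") - line.count("}")
            if depth == 0:
                in_profiles = False
    return names


def destination_port(body):
    """Port from 'destination /Common/addr:port' (IPv4 form assumed)."""
    for line in body:
        m = re.match(r"^\s*destination \S+:(\S+)$", line)
        if m:
            return m.group(1)
    return None


def find_passthrough(conf_text, ssl_ports=("443", "8443")):
    """Virtuals on an SSL port with no client-ssl profile attached: SSL passthrough."""
    stanzas = parse_stanzas(conf_text)
    # Built-in parent profile plus every custom client-ssl profile in the config.
    clientssl = {"/Common/clientssl"} | {
        name for kind, name, _ in stanzas if kind == "profile client-ssl"
    }
    return [
        name for kind, name, body in stanzas
        if kind == "virtual"
        and destination_port(body) in ssl_ports
        and not (set(virtual_profiles(body)) & clientssl)
    ]


if __name__ == "__main__":
    print(find_passthrough(SAMPLE_CONF))
```

Wildcard destinations (`:any`) and IPv6 destinations (which tmsh writes with a `.` before the port) fall outside the regex and would need handling before this is run against a real config; a virtual on a non-standard port can be passthrough too, which is why the port list is a parameter.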



Other entities joining a udp multicast network

So I've been working on a weird project. Multiple TV districts throughout my state rebroadcast TV signal from a large city. Currently, we all use an old microwave system abandoned by the state. The cost to upgrade this system is cost prohibitive.

I've set up equipment at a TV studio and am taking all the RF and converting it to Transport Stream over IP (TSoIP). We have an ISP who is taking that main feed from the studio and sending it to their facility, where each district will pay for their own point-to-point fiber and join that network. The ISP is basically just providing a transparent L2 network where they will join the other users with simple Ubiquiti edge routers.

I want their set-up to be as simple as possible.

There is a management VLAN for the switches, a control VLAN to configure the equipment, and 3 VLANs with all the udp multicast data. I only want the other TV districts to join the 3 multicast VLANs.

I have a couple of different ideas. I'm thinking the cheapest way is I buy a switch, the users pay for it according to the MOU, I configure it on the other side of the edge router provided by the ISP and configure the switch. What I don't like is the idea of leaving a physical box outside of my control. I know there are control methods to lock that switch down, but I still don't think it's a good idea.

I suppose firewalls are the best way to go where I don't manage them. But I've had trouble with these basic udp multicast streams going through firewalls.

Any input would be appreciated.



QoS Review and Recommendations

Please take a look at the QoS config below and let me know of any tweaks that would be beneficial:

class-map match-any VSL-MGMT-PACKETS
 match access-group name VSL-MGMT
class-map match-any VSL-DATA-PACKETS
 match any
class-map match-any VSL-L2-CONTROL-PACKETS
 match access-group name VSL-DOT1x
 match access-group name VSL-BPDU
 match access-group name VSL-CDP
 match access-group name VSL-LLDP
 match access-group name VSL-SSTP
 match access-group name VSL-GARP
class-map match-any VSL-L3-CONTROL-PACKETS
 match access-group name VSL-IPV4-ROUTING
 match access-group name VSL-BFD
 match access-group name VSL-DHCP-CLIENT-TO-SERVER
 match access-group name VSL-DHCP-SERVER-TO-CLIENT
 match access-group name VSL-DHCP-SERVER-TO-SERVER
 match access-group name VSL-IPV6-ROUTING
class-map match-any VSL-MULTIMEDIA-TRAFFIC
 match dscp af41
 match dscp af42
 match dscp af43
 match dscp af31
 match dscp af32
 match dscp af33
 match dscp af21
 match dscp af22
 match dscp af23
class-map match-any QOS-Multimedia-Stream-Queue
 match dscp af31
 match dscp af32
 match dscp af33
class-map match-all QOS-Network-Mgmt
 match dscp cs2
class-map match-all QOS-VoIP-Signal-Cos
 match cos 3
class-map match-all QOS-Scavenger-Classify
 match access-group name QOS-ACL-Scavenger
class-map match-all QOS-Signaling-Classify
 match access-group name QOS-ACL-Signaling
class-map match-any VSL-VOICE-VIDEO-TRAFFIC
 match dscp ef
 match dscp cs4
 match dscp cs5
class-map match-any QOS-Priority-Queue
 match cos 5
 match dscp ef
 match dscp cs5
 match dscp cs4
 match access-group name QOS-ACL-Priority-Queue
class-map match-all QOS-VoIP-Data-Cos
 match cos 5
class-map match-any QOS-Bulk-Data-Queue
 match cos 1
 match dscp af11
 match dscp af12
 match dscp af13
 match access-group name QOS-ACL-Bulk-Data
class-map match-all QOS-Transaction-Classify
 match access-group name QOS-ACL-Transactional-Data
class-map match-any QOS-Multimedia-Conf-Queue
 match cos 4
 match dscp af41
 match dscp af42
 match dscp af43
 match access-group name QOS-ACL-Multimedia-Conf
class-map match-any QOS-Transaction-Data
 match dscp af21
 match dscp af22
 match dscp af23
class-map match-all QOS-Network-Ctrl
 match dscp cs7
class-map match-all QOS-Scavenger
 match dscp cs1
class-map match-all QOS-Default-Classify
 match access-group name QOS-ACL-Default
class-map match-any QOS-Signaling
 match dscp cs3
 match cos 3
class-map match-any QOS-Scavenger-Queue
 match dscp cs1
 match cos 1
 match access-group name QOS-ACL-Scavenger
class-map match-any QOS-VoIP
 match dscp ef
 match cos 5
class-map match-any QOS-Multimedia-Conf
 match dscp af41
 match dscp af42
 match dscp af43
class-map match-any QOS-Control-Mgmt-Queue
 match cos 3
 match dscp cs7
 match dscp cs6
 match dscp cs3
 match dscp cs2
 match access-group name QOS-ACL-Signaling
class-map match-all QOS-Broadcast-Vid
 match dscp cs5
class-map match-any QOS-Bulk-Data
 match dscp af11
 match dscp af12
 match dscp af13
class-map match-all QOS-Realtime-Interact
 match dscp cs4
class-map match-all QOS-Multimedia-Conf-Classify
 match access-group name QOS-ACL-Multimedia-Conf
class-map match-any QOS-VoIP-Signal
 match dscp cs3
 match cos 3
class-map match-all QOS-Bulk-Data-Classify
 match access-group name QOS-ACL-Bulk-Data
class-map match-any QOS-Trans-Data-Queue
 match cos 2
 match dscp af21
 match dscp af22
 match dscp af23
 match access-group name QOS-ACL-Transactional-Data
class-map match-any QOS-Multimedia-Stream
 match dscp af31
 match dscp af32
 match dscp af33
class-map match-any QOS-VoIP-Data
 match dscp ef
 match cos 5
class-map match-all QOS-Internetwork-Ctrl
 match dscp cs6
class-map match-any VSL-SIGNALING-NETWORK-MGMT
 match dscp cs2
 match dscp cs3
 match dscp cs6
 match dscp cs7
!
policy-map QOS-Input-Policy
 class QOS-VoIP
 class QOS-Broadcast-Vid
 class QOS-Realtime-Interact
 class QOS-Network-Ctrl
 class QOS-Internetwork-Ctrl
 class QOS-Signaling
 class QOS-Network-Mgmt
 class QOS-Multimedia-Conf
 class QOS-Multimedia-Stream
 class QOS-Transaction-Data
 class QOS-Bulk-Data
 class QOS-Scavenger
policy-map QOS-Output-Policy
 class QOS-Scavenger-Queue
  bandwidth remaining percent 1
 class QOS-Priority-Queue
  priority
  police cir percent 30 bc 33 ms
 class QOS-Control-Mgmt-Queue
  bandwidth remaining percent 10
 class QOS-Multimedia-Conf-Queue
  bandwidth remaining percent 10
 class QOS-Multimedia-Stream-Queue
  bandwidth remaining percent 10
 class QOS-Trans-Data-Queue
  bandwidth remaining percent 10
  dbl
 class QOS-Bulk-Data-Queue
  bandwidth remaining percent 4
  dbl
 class VSL-L3-CONTROL-PACKETS
 class VSL-VOICE-VIDEO-TRAFFIC
 class VSL-SIGNALING-NETWORK-MGMT
 class class-default
  bandwidth remaining percent 25
  dbl
policy-map VSL-Queuing-Policy
 class VSL-MGMT-PACKETS
  bandwidth percent 5
 class VSL-L2-CONTROL-PACKETS
  bandwidth percent 5
 class VSL-L3-CONTROL-PACKETS
  bandwidth percent 5
 class VSL-VOICE-VIDEO-TRAFFIC
  bandwidth percent 30
 class VSL-SIGNALING-NETWORK-MGMT
  bandwidth percent 10
 class VSL-MULTIMEDIA-TRAFFIC
  bandwidth percent 20
 class VSL-DATA-PACKETS
  bandwidth percent 20
 class class-default
  bandwidth percent 5


Crimped my own cables with very weird results. Explanation?

Hi.

I recently installed new Cat 6 cables in every room ending up in the technical room where the router and switches are.

You might get shocked, horrified and angry at what I did, but here goes: The Cat 6 cables were so insanely stiff that it was nearly impossible to use 568B termination (worange/orange/wgreen/blue/wblue/green/wbrown/brown).

So I did an evil thing and used my own sequence (orange, blue, brown and green pairs in that order). When I measured with the Ethernet meter, it showed a perfect 1-8 straight through connection, same as one would get when using 568B termination.

BUT, I only achieved 100mbps on every single cable. I noticed that yesterday at first.

I couldn't get my head around it. Why would this happen? The start and end point for each lead is exactly the same as with 568B, the only difference is me making my own order to make the crimping a whole lot easier.

I started to think the cable was bad, despite it having a solid core, with solid core plugs.

Experiment 1: Made 1 meter cable with 568B termination, with the cape inside the plug as it should be. Lead 1-8 connection to 1-8 on the other end. 1gbps connection.

Experiment 2: Made 1 meter cable with 568B termination, with the cape 10cm outside the plug just for testing purposes. Lead 1-8 connection to 1-8 on the other end. 1gbps connection.

Experiment 3: Made 1 meter cable with my own sequence termination, with the cape perfectly inside the plug. I really went all in to make a perfect cable on this one. Lead 1-8 connection to 1-8 on the other end. 100mbps connection!!!

How on earth is this possible? The leads start and end at the same point, just a different sequence. If the leads didn't follow 1-8 straight through I would totally get it (2 pair connection=100mbps, 4 pair=1gbps).

Does anyone have an explanation for this?
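The distinction the wire-map tester cannot see, shown as an added example rather than anything from the post: a continuity tester only checks that pin n at one end reaches pin n at the other. T568A and T568B both place one twisted pair on pins 1-2, 3-6, 4-5 and 7-8, so pins 3 and 6 share a twist. Putting whole pairs side by side (1-2, 3-4, 5-6, 7-8) keeps the wire map straight through but leaves pins 3-6 and 4-5 carrying conductors from two different twisted pairs, a "split pair" that passes continuity and fails crosstalk, which is the usual reason a link negotiates down. The three sequences below are the ones quoted in the post; the check is written so it also covers any other eight-conductor order.

```python
# Conductor at each pin 1..8. T568B is the sequence quoted in the post.
T568B = ["wh/orange", "orange", "wh/green", "blue", "wh/blue", "green", "wh/brown", "brown"]
# T568A, the other standard termination; pairs land on the same pin positions.
T568A = ["wh/green", "green", "wh/orange", "blue", "wh/blue", "orange", "wh/brown", "brown"]
# The post's own sequence: whole pairs side by side on pins 1-2, 3-4, 5-6, 7-8.
POST_SEQUENCE = ["wh/orange", "orange", "wh/blue", "blue", "wh/brown", "brown", "wh/green", "green"]

# Pin positions that T568A/B assign to one twisted pair. 100BASE-TX signals
# on the first two of these; 1000BASE-T signals on all four.
TWISTED_PIN_PAIRS = [(1, 2), (3, 6), (4, 5), (7, 8)]


def pair_of(conductor):
    """Map a conductor name to its twisted pair: 'wh/blue' and 'blue' -> 'blue'."""
    return conductor.split("/")[-1]


def split_pairs(order):
    """Pin positions whose two conductors belong to different twisted pairs.

    An empty list means every signalling pair rides on a real twist; anything
    else is a split pair that a wire-map test will not catch.
    """
    if len(order) != 8 or len(set(order)) != 8:
        raise ValueError("need exactly eight distinct conductors, ordered by pin 1..8")
    return [
        (a, b) for a, b in TWISTED_PIN_PAIRS
        if pair_of(order[a - 1]) != pair_of(order[b - 1])
    ]


def wire_map_ok(near_end, far_end):
    """What a basic continuity tester checks: pin n at one end reaches pin n at the other."""
    return near_end == far_end


if __name__ == "__main__":
    for name, order in [("T568B", T568B), ("T568A", T568A), ("post sequence", POST_SEQUENCE)]:
        status = "ok" if wire_map_ok(order, order) else "FAIL"
        print(f"{name}: wire map {status}, split pairs {split_pairs(order)}")
```

For the post's sequence the wire map passes at both ends exactly as the tester reported, while `split_pairs` flags positions (3, 6) and (4, 5); a certifier that measures NEXT would show the same thing as a crosstalk failure rather than a wiring fault.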



STP with Transparent Firewall in Middle

Diagram

MEC is not possible.

Routing/Routed mode is not possible.

FW1 is in transparent mode - forwarding L2 frames.

How does spanning tree play in this scenario?

It seems to me that SW3 will receive two BPDUs on the same portchannel interface:

  • A. Original BPDU from SW1 which is fine
  • B. Higher cost BPDU forwarded by SW2 which can make the port turn into blocking?


Network access control (NPS vs ISE vs X)

Hi,

I'm currently in a very difficult situation regarding NAC.

Maybe I start with the current situation:

We use Cisco ACS in the latest version that was released cluster-ish. So far so good. But as ACS is end of life I'm looking for a new solution. We have 4 sites. And our networking infrastructure in LAN is full Cisco. Wireless is Extreme Networks. Clients are Dell.

  • The main site

    • with over 4000 network devices (VoIP-Phones, PCs, Notebooks, Access Points, etc...)
    • with over 60 VLANs
    • 4 SSIDs each with different authentication methods (eduroam, captive portal, dot1x, and PSK for WiFi-Phones)
  • three smaller remote sites with a pretty inconsistent connection to the main site over VPN

    • with something over 20 network devices each
    • with 3 VLANs each

Currently we're using 2 ACS VMs at our main site and Microsofts NPS at our remote sites, as the VPN connection is not very reliable.

With the implementation of NPS (without the consent of the network-crew), everything got WAAAAAY too complicated and some people had the idea to use NPS at our main-location too, because it doesn't cost anything (as a university we have some kind of Microsoft flatrate)...

Now there is some kind of 'office war' between the network crew and the server crew about who is responsible for the NAC solution. Is it the network crew, or is it the server crew?

I'm absolutely not happy with NPS as a NAC-Solution at our scale. I want an all-in-one solution for our Wireless and LAN infrastructure. With captive portal, dot1x, reporting, monitoring and most importantly... security.

Our server-crew wants a simple, free and basic auth server (Where NPS is the wrong solution, but that's my opinion).

Maybe you can help me how I can work on this. Budget isn't a problem per se, but when they hear that this works with a free solution too... well you know the drill.

I'm looking at Cisco ISE or Aruba Clearpass here... I also looked at Packetfence, but that isn't a viable solution either, as it is too complicated for the 'server crew'.



Simulation for HTTP/P2P (BitTorrent or Gnutella) Comparison

Hi, I am a university senior finishing a CS major and am looking at doing an HTTP/P2P comparison as my capstone project. Since the campus network blocks P2P transmissions as much as it can (and rightfully so), I have been sniffing around for methods to simulate a traditional client-server distribution network vs a P2P (BitTorrent or Gnutella) distribution network, in more or less the same environment. I am looking mostly at more or less the normal networking metrics, e.g. throughput, reliability, scalability.

Problem is I can't seem to find a simulator that has support for both types already built; most seem to be either one or the other, or were abandoned in 2005 and no longer really work.

There are some out there that let you define your own topology (ns-3), but I would rather avoid having to build my own implementations due to time constraints.

Would anyone happen to know something that fits these guidelines? I've done research on it but I don't really know what I am looking for. Free is preferred due to having a whopping $50 budget for this project, but we can make other things work. Hopefully this isn't breaking sub rules, sorry if it is :<



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



Thursday, February 8, 2018

Keeping device hostname/IP synced across management stations

When we deploy a new device in my environment we have to do the following:

  1. Input the device hostname/IP into DNS

  2. Input the device hostname/IP into Solarwinds Orion

  3. Input the device hostname/IP into our AAA server for TACACS/RADIUS authentication

  4. Input the device hostname/IP/other info into our inventory/asset tracking system

That's a lot of places to manually enter information and a lot of room for manual error. As you can imagine, we have cases where the hostname entered in one system doesn't match what's entered in another system, the monitored/managed IP doesn't match across the systems, or the device just isn't entered into one of those systems.

Do you guys have a similar process you have to go through before you deploy a device? Do you have some kind of orchestration system that can do all of this for you?

I've been told that some of these systems can automatically scan the network and get that information. For others, I've been toying with the idea of scripting it out, but I wanted to hear what others are doing/have been doing.

Thanks
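One way to at least detect the drift described above before it bites: export the hostname/IP table from each system and diff them. This is an added example, not the poster's code; the four source names and every hostname and address in it are constructed, and in practice each table would come from a DNS zone export, the monitoring node list, the AAA device table and the asset database.

```python
from collections import defaultdict
from typing import Dict, List, Tuple


def normalize_host(name: str) -> str:
    """Short, lower-case hostname so 'SW-CORE-01.example.net' and 'sw-core-01' compare equal."""
    return name.strip().lower().split(".")[0]


def reconcile(sources: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Compare hostname->IP tables exported from several management systems.

    Returns (subject, finding) pairs for: a device missing from a system, a device whose
    IP differs between systems, and one IP recorded under different hostnames."""
    by_host = defaultdict(dict)  # short hostname -> {system: ip}
    for system, table in sources.items():
        for host, ip in table.items():
            by_host[normalize_host(host)][system] = ip.strip()

    findings = []
    for host in sorted(by_host):
        seen = by_host[host]
        for system in sources:
            if system not in seen:
                findings.append((host, f"missing from {system}"))
        if len(set(seen.values())) > 1:
            detail = ", ".join(f"{s}={ip}" for s, ip in sorted(seen.items()))
            findings.append((host, f"ip mismatch: {detail}"))

    # The same address under two different names usually means a typo in one system
    by_ip = defaultdict(set)
    for host, seen in by_host.items():
        for ip in seen.values():
            by_ip[ip].add(host)
    for ip in sorted(by_ip):
        if len(by_ip[ip]) > 1:
            names = ", ".join(sorted(by_ip[ip]))
            findings.append((ip, f"ip recorded under multiple hostnames: {names}"))
    return findings


# Constructed sample exports; hostnames and addresses are made up for the example
SAMPLE = {
    "dns": {"sw-core-01.example.net": "10.0.0.1",
            "sw-edge-02.example.net": "10.0.0.2",
            "rtr-wan-01.example.net": "10.0.0.3"},
    "orion": {"SW-CORE-01": "10.0.0.1",
              "sw-edge-2": "10.0.0.2",        # typo: missing leading zero
              "rtr-wan-01": "10.0.0.30"},     # typo: wrong management IP
    "aaa": {"sw-core-01": "10.0.0.1",
            "rtr-wan-01": "10.0.0.3"},        # sw-edge-02 never added
    "assets": {"sw-core-01": "10.0.0.1",
               "sw-edge-02": "10.0.0.2",
               "rtr-wan-01": "10.0.0.3",
               "ap-old-09": "10.0.0.9"},      # decommissioned, never removed
}

if __name__ == "__main__":
    for subject, finding in reconcile(SAMPLE):
        print(f"{subject:12} {finding}")
```

Run on the sample it reports the missing-leading-zero hostname as two separate devices each missing from several systems, the wrong IP on rtr-wan-01, and the stale asset entry; sw-core-01, which is consistent everywhere, produces nothing. The same report is what a provisioning script should produce as its last step after pushing a new device into all four systems.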



Netflow Analyzer - group by AS

Is anybody aware of a netflow analyzer that is capable of grouping by AS? It needs to lookup the AS of the corresponding IP in the Flow and group by it.



Palo Alto Inbound SSL Filtering Without SSL decryption

Hey All,

We have devices on the internet communicating inbound over SSL to the PA on the perimeter. We are looking to drop all SSL traffic that does not originate from these devices without using SSL decryption. Right now I have suggested matching on the CN from the cert being presented by the device but... I was looking for something that is a little more concrete than that, i.e. checking the cert is from an internal CA. So is there a way we can establish a forward trust with the CA, check the CRL and then establish an SSL session without the SSL decryption feature?

Or if there is a better way to do this I am open to ideas.

Thanks!



Juniper user reporting L2 channel errors on DIA port?

Hello,

So I'm scratching my head on this one as we have a customer (I'm in a provider environment) that is reporting that their hand-off port with us is taking scrolling L2 channel errors on their Juniper. We're using a Cisco 6500. I'm not seeing anything wrong on the interface stats on my side either.

Cisco port config:

interface GigabitEthernet3/10
 description Acme Customer
 ip address X.X.X.X 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
 ip flow ingress
end

Juniper port config:

show interfaces ge-1/0/0
description Acme Provider;
unit 0 {
    family inet {
        address X.X.X.X/29;
    }
}

[edit]

Their interface stats:

show interfaces ge-1/0/0 extensive | grep err
  Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 1000mbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0, L3 incompletes: 0, L2 channel errors: 129663, L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 4, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0, FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
    CRC/Align errors 0 0
    FIFO errors 0 0
    Output packet error count 0
  Flow error statistics (Packets dropped due to):
    Incoming NAT errors: 0
    User authentication errors: 0
  Addresses, Flags: Is-Preferred Is-Primary

Any idea as to what could be causing this? Am I wrong in thinking this is likely purely cosmetic?



Cloud...BigData...Bandwidth...

Congrats! You've just decided you are moving to the cloud! Business! Agile! Savings! Automation! Magic?!?!?!?!

How are you guys handling traffic management for the transition?

A 10Gb circuit (best path) to Equinix ceases to be a lot of bandwidth (relatively) when you have TBs upon TBs of data to move, project deadlines to meet, and server/app resources whose only concern with the situation begins and ends at their app.

Service policies/traditional shaping-policing seems to fall apart for this since (at least) in GCloud, things that can be summarized easily (projects/VPC) aren't always the same things eating bandwidth for breakfast/lunch/dinner.

I can think of creative solutions utilizing our circuits to the East region, other colo facilities, blah blah blah. I'm failing to find a scalable solution, beyond a service-policy tied to an interface that I'm sure would become untenable within a week and likewise require explaining to management, to move forward with.

Cisco? Yes. You got a solution that involves not Cisco? I got cash.



LACP Nexus 9000v - IOSv Bug fix

Enjoy....

!!! nexus I7-1 and nexus I7-2

conf t
feature bash
end
run bash sudo -u root cp /isan/bin/lacp /isan/bin/lacp2
run bash sudo -u root echo -e "00098830: 8c5f f7ff 85c0 7442 c685 9cfe ffff 01c6\n00098840: 859d feff ff80 c685 9efe ffff c2c6 859f\n00098850: feff ff00 c685 a0fe ffff 00c6 85a1 feff\n00098860: ff02 8b83 90fe ffff 8d95 9cfe ffff 8b0a" | sudo xxd -r - /isan/bin/lacp2
run bash sudo rm /isan/bin/lacp
run bash sudo mv /isan/bin/lacp2 /isan/bin/lacp
run bash sudo killall -9 lacp

!!! nexus I5

conf t
feature bash
end
run bash sudo -u root cp /isan/bin/lacp /isan/bin/lacp2
run bash sudo -u root echo -e "00984d0: c685 b4fe ffff 01c6 85b5 feff ff80 c685\n00984e0: b6fe ffff c2c6 85b7 feff ff00 c685 b8fe\n00984f0: ffff 00c6 85b9 feff ff02 8b83 90fe ffff" | sudo xxd -r - /isan/bin/lacp2
run bash sudo rm /isan/bin/lacp
run bash sudo mv /isan/bin/lacp2 /isan/bin/lacp
run bash sudo killall -9 lacp

!! lacp hack for nxos.7.0.3.I7.x.bin to add in config for auto patch on boot/reload

feature bash-shell
event manager applet PATCH
  description "PATCH"
  event syslog pattern "Configured from vty by root"
  action 1.0 cli run bash sudo -u root cp /isan/bin/lacp /isan/bin/lacp2
  action 2.0 cli run bash sudo -u root echo -e "00098830: 8c5f f7ff 85c0 7442 c685 9cfe ffff 01c6\n00098840: 859d feff ff80 c685 9efe ffff c2c6 859f\n00098850: feff ff00 c685 a0fe ffff 00c6 85a1 feff\n00098860: ff02 8b83 90fe ffff 8d95 9cfe ffff 8b0a" | sudo xxd -r - /isan/bin/lacp2
  action 3.0 cli run bash sudo rm /isan/bin/lacp
  action 4.0 cli run bash sudo mv /isan/bin/lacp2 /isan/bin/lacp
  action 5.0 cli run bash sudo killall -9 lacp
  action 6.0 event-default
event manager applet PATCH2
  description "PATCH"
  event syslog pattern "Supervisor 1 is active"
  action 1.0 cli run bash sudo -u root cp /isan/bin/lacp /isan/bin/lacp2
  action 2.0 cli run bash sudo -u root echo -e "00098830: 8c5f f7ff 85c0 7442 c685 9cfe ffff 01c6\n00098840: 859d feff ff80 c685 9efe ffff c2c6 859f\n00098850: feff ff00 c685 a0fe ffff 00c6 85a1 feff\n00098860: ff02 8b83 90fe ffff 8d95 9cfe ffff 8b0a" | sudo xxd -r - /isan/bin/lacp2
  action 3.0 cli run bash sudo rm /isan/bin/lacp
  action 4.0 cli run bash sudo mv /isan/bin/lacp2 /isan/bin/lacp
  action 5.0 cli run bash sudo sleep 30
  action 6.0 cli run bash sudo killall -9 lacp
  action 7.0 event-default


Fortigate scripting

Probably just describing a dream here, but I get so many firewall requests that I could probably justify hiring a firewall-changes-only position, and their entire day would be checking if the firewall request is needed and wasn't fat-fingered in the request, writing up the change log, and then actually inputting the firewall rule later that evening.

Is anyone currently using Fortigate and able to streamline or simplify firewall rule creation via script/vbs/batch, anything? It literally makes my days a nightmare when I have my normal work on top of tackling daily firewall rules; there just isn't enough time in the day.



Anyone have any experience with Meraki firewalls

The University where I work is looking at increasing our internet bandwidth and our current Palo Altos can't handle the threat protection at the higher speeds, so we are looking for a replacement. We were looking at either a larger PA or a Juniper SRX, but a vendor suggested we look at what Meraki has. The advertised specs say that it should be able to handle the job, and the price is a fraction of what the others will cost.

Has anybody here used the Merakis and want to share their experience? Are they really in league with the big guys? If not, where do they fall short? The cloud based management causes me some concern, should it? Any other big gotchas?



Could you explain me this contractor thing?

I'm having a hard time understanding why the US has so many people doing contractor networking stuff...

Reading /r/networking I see that there are lots of people doing contractor work, many of whom are contracted (correct term?) to the same position for a long time. I even see 'CCNA level' guys talking about contractor jobs.

Here in northern Europe we get consultants to do a single task, but if we need a networking guy for a longer period of time we hire one. Though we sometimes use guys from recruitment agencies, where we pay the agency and then the agency pays the guy the usual salary he would get in a regular job too. Would this count as a contractor job? In this case it's usually for a few months at a time and there's usually very little notice to end this kind of contract.

What's the catch here, why are so many, even entry-level guys, doing contractor work? Couldn't you just hire a guy for a lot cheaper? From what I understood you can kick the guy out with like a day's notice, compared to northern Europe where it is really difficult to get rid of an employee just because you feel like it.

It's really an honest question I just want to understand how it works there, I'm not saying one way would be better than the other.

Thanks!



Any vendor recommendations for managing cisco router/asa configs?

For the last two years I have been in charge of my company's entire infrastructure. We have two locations one being a rack inside a Tier 3 data center. I am feeling increased pressure to keep everything up and running. Our cisco configuration complexity is getting a bit out of my comfort zone. I can make things work, however I would like to make sure that it is working efficiently and securely. Obviously the ideal solution would be to hire a network admin, however there is no budget for that. Do you guys know a vendor that would for example charge a monthly fee for maintaining configurations / help with troubleshooting cisco configurations?



Network architecture - Where to terminate my WAN connections?

Firstly, I'm not a network expert but I am trying to learn, my background is more general security.

We are setting up a new data centre and a query was pushed my way that I didn't really like the look of.

We have 2 connections coming in to one of our sites, one from our MPLS (DR) and one from our LES circuit (New DC), I believe both are 1Gb fibre. (We have redundant kit and circuits)

It was suggested that we change our current architecture from using Cisco 2960-x as our WAN switches where our external connections terminate, to both lines terminating on our core switches. I refused this as I feel, although logically separated, it's not appropriate for WAN traffic and LAN traffic to be on the same switch. Our providers have had DDOS attacks before and it heavily impacted us the last time, am I right in thinking it would be even worse with both LAN and WAN on the same switch?

Their suggestion following this push back was to use our Cisco ASA 55xx firewalls as a termination point, but I couldn't think of any reason not to, other than scalability. What are the pros and cons of this? I know we would lose some functionality that we apparently aren't using anyway, but are there security implications?

I'd appreciate any input to this anyone can give please. As a side note, they have also suggested going straight into the cores at the DC, which will also have general internet based traffic.

Thanks for your help.

TL;DR: New data centre and trying to figure out where to/ where not to terminate our WAN and internet circuits and the pros/ cons of the solutions.



Help me find a VPN solution

Hi,

I'm using a Cisco ASA 5505 at home for VPN. It's old and not supported anymore so I can't update it. As you may know, there are now several severe security holes and I want a new solution.

Can you help me find a solution that can do the following

  • There is a client for Windows, Mac and iOS
  • Can be free or not (remember it's for home, I don't wanna pay $500 for this).
  • Possible to have several profiles (let me explain)

I want to have the possibility to create two profiles, one tunnel-all and one split configuration.

What I like with my ASA and AnyConnect: when I log in, I choose my profile (split or tunnel-all) and I'm good to go. I often need to choose one over the other depending on my needs.

Now it seems most alternatives I found just have a global option on the server for this.

Do you know an alternative that can work? I tried OpenVPN but it seems it's global too....

thanks



network_cli and netconf become top-level connection methods for Ansible 2.5

With Ansible playbooks for networking platforms, historically most of the networking modules required a provider argument per task (which supplied the connection type, username, password, etc). Notable exceptions included BigSwitch and Cumulus (one is a controller and one is a Linux NOS).

Ansible 2.5 (which you can install now, via the latest dev release) allows connection: network_cli as a top-level connection, which is supported by all the major networking vendors now (ios, nxos, iosxr, eos, junos) and vyos. connection: netconf is supported on iosxr and junos. The deprecation of provider won't begin with Ansible 2.5, and will take considerable time, so there will not be any rush to update playbooks.

The network_cli and netconf connection plugins will allow playbooks to look, feel and operate just like they do on Linux hosts. Also the error reporting is significantly improved, which will help a lot of people who were frustrated with changes to Ansible in 2.3.

Here is a quick example:

---
- hosts: rtr1
  connection: network_cli
  remote_user: admin
  become: yes
  become_method: enable
  tasks:
    - name: Backup configuration
      ios_config:
        backup: yes

Feel free to ask questions on this thread and I will try to answer them to the best of my ability :)

More details and examples can be found on my post here



PEAP-TLS-MSCHAP-V2 and computer authentication

I've deployed a WPA2-Enterprise SSID that uses PEAP-TLS with MSCHAP-V2 inner. The clients are AD domain joined PCs that have GPO to connect to this SSID with server certificate verification turned on. Clients are only trusting the internal CA that the NPS server certificate was issued by. The GPO specifies only "computer authentication" and the NPS server checks for membership in a Computer group that domain PCs are a member of.

Is this setup vulnerable in some way? If so, how? EAP-TLS is supposedly the gold standard but we aren't yet at the point where machine certificates are issued.

Thanks



Zyxel USG Session Limit Issue

I'm looking for guidance/best practices on utilizing the session limit feature in Zyxel USG routers. I generally set it for 1,000-2,000 sessions per client and typically don't have any issue. However, I've found that when some devices try to open more sessions and are blocked, the USG CPU maxes out and causes high latency for everyone. I am theorizing that this is due to the device continually attempting to open new sessions. Whatever the cause, this seems counterproductive to the intended use case for session limit (i.e. prevent one device from hogging all the sessions). Is this a bug? Is this normal? Do I have a configuration issue? Am I misusing this feature?



Two conflicting thoughts on QOS markings. Can’t seem to find a Cisco doc to resolve it.

Hi. If this isn’t the correct place to post this please let me know and I’ll post there.

I’m working with a vendor who is using ip precedence to mark their traffic before it hits my router. We use DSCP so naturally it goes to our default class. They will be moving to using DSCP at my request but now here is where I’ve received two conflicting thoughts when I’ve asked some of the other network people at work.

  1. Vendor changed their markings to DSCP - we need to do nothing as they now match our QOS setup so all the queues should pass properly.

  2. Same as above except my thought is that their traffic will still fall into our default classes regardless if they marked it correctly or not. Our QOS doesn’t trust by default. We mark it on the way out using access lists to match against IPs. (Not my design and I can’t change our overall QOS design for this).

If this was a once or twice thing I’d just try option one first but they are looking to do this at.... many locations. I’d rather have this figured out ahead of time so I won’t need to fix any templates I’ll make to push it out.

Could the QOS gurus please weigh in on this one!

We are going from their router to my router then to another remote location with their servers. No switch involved until it gets to the other end.

Thanks!
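Which of the two readings applies comes down to what the router's ingress policy does with the marking it receives, and that is easier to see with the ToS byte laid out bit by bit. The Python below is an added illustration, not the poster's configuration: it decodes a ToS byte into its IP-precedence and DSCP views (DSCP is the top six bits of the byte, IP precedence the top three, so precedence N is exactly the class selector CSN, i.e. DSCP N×8), and then models the two policies in the post, one that trusts the incoming DSCP and one that ignores it and marks from an ACL. The class-maps, the ACL entries and the addresses are constructed.

```python
import ipaddress
from typing import Dict, Iterable, Tuple

# Standard DSCP code points: class selectors (RFC 2474), AF (RFC 2597), EF (RFC 3246)
DSCP_NAMES = {
    0: "default/cs0", 8: "cs1", 16: "cs2", 24: "cs3", 32: "cs4", 40: "cs5", 48: "cs6", 56: "cs7",
    46: "ef",
    10: "af11", 12: "af12", 14: "af13", 18: "af21", 20: "af22", 22: "af23",
    26: "af31", 28: "af32", 30: "af33", 34: "af41", 36: "af42", 38: "af43",
}


def decode_tos(tos: int) -> Dict[str, object]:
    """Split one IPv4 ToS byte into its precedence, DSCP and ECN fields.

    Layout (msb first): PPP DDD EE  ->  DSCP = PPPDDD (6 bits), precedence = PPP (3 bits).
    A vendor marking 'precedence 5' therefore sets the same bits as DSCP 40 (cs5), not ef (46)."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS is a single byte")
    dscp = tos >> 2
    return {
        "precedence": tos >> 5,
        "dscp": dscp,
        "dscp_name": DSCP_NAMES.get(dscp, f"dscp{dscp}"),
        "ecn": tos & 0x3,
    }


def precedence_to_dscp(precedence: int) -> int:
    """IP precedence N occupies the top three DSCP bits, so it reads as DSCP N << 3 (class selector N)."""
    if not 0 <= precedence <= 7:
        raise ValueError("precedence is three bits")
    return precedence << 3


def classify_trusted(dscp: int, class_maps: Iterable[Tuple[str, set]]) -> str:
    """Option 1 from the post: the ingress policy trusts markings, so a packet lands in the first
    class-map whose DSCP set contains its value, otherwise in class-default."""
    for name, values in class_maps:
        if dscp in values:
            return name
    return "class-default"


def remark_by_acl(src_ip: str, acl_marks: Iterable[Tuple[str, int]], default_dscp: int = 0) -> int:
    """Option 2 from the post: the policy does not trust what arrives. The incoming DSCP is not
    even an input here; the outgoing value comes from the first ACL entry (network, dscp) that
    matches the source, else the default."""
    ip = ipaddress.ip_address(src_ip)
    for network, dscp in acl_marks:
        if ip in ipaddress.ip_network(network):
            return dscp
    return default_dscp


# Constructed DSCP-based class structure: voice on ef, video on the af4x class
CLASS_MAPS = [("VOICE", {46}), ("VIDEO", {34, 36, 38})]
# Constructed ACL-based marking: everything from the vendor's server subnet is marked ef on egress
ACL_MARKS = [("192.0.2.0/24", 46)]

if __name__ == "__main__":
    for tos in (0xA0, 0xB8):   # precedence 5 only, versus DSCP ef
        fields = decode_tos(tos)
        print(f"ToS 0x{tos:02X}: {fields} -> trusted policy puts it in "
              f"{classify_trusted(fields['dscp'], CLASS_MAPS)}")
    print("ACL policy marks 192.0.2.10 as", remark_by_acl("192.0.2.10", ACL_MARKS))
```

The first loop shows why precedence-marked traffic currently falls into the default class even though the router "does DSCP": ToS 0xA0 is precedence 5 and DSCP cs5, which a class matching ef does not catch. The `remark_by_acl` model shows that under an ACL-based, non-trusting policy the vendor's choice of marking makes no difference on the way out, whereas under a trusting policy it decides the class; checking which of the two the deployed policy-map actually is (trust statements versus `match access-group` classification) is what settles the question for a given router.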



Nexus 7k Design re-design

We have 4 7k's with multiple L3 links between sites (see pic1) for redundancy (east and west), 8 total. Currently we use EIGRP w/ BFD enabled on all L3 links. Since this adds a lot of extra EIGRP neighbors and topology routes, would it be possible to utilize a L3 port-channel that is VPC-ed together between the 7k's (picture 2)? We are also utilizing OTV between the 7k's for a couple of VLANs as well; I don't think this would make a difference.

Picture 1: https://i.imgur.com/XwbYVtSl.jpg

Picture 2: https://i.imgur.com/nNa1kaRl.jpg



Yes or No - Adding routed interface IPs to DNS?

As the title says, I am looking for opinions on having router IP addresses in DNS. I see a benefit for troubleshooting at the expense of providing more information on the network to untrusted users. Thoughts?



ISP connections vs ASN/IP space/peering

At what point in the growth of a company do you look at obtaining an ASN, buying IP space and peering instead of simply using connections from an ISP/colo provider and using public IPs provided by the connection provider? Are there resources I can read to help me decide? My google-fu is failing me when looking for anything on the topic.



[Cisco] How to enable OSPF "passive-interface default" without breaking the connection?

I've noticed that the "no passive-interface <interface>" is not accepted before the "passive-interface default" command is given. Running the "passive-interface default" command turns down OSPF on all interfaces before you can exempt specific interfaces from it though, so it seems like it will always break your connection.

Does anybody know of a way to define which interfaces you want to remain active before disabling all others?

Update: I just tried copying and pasting the whole block of commands, and this seems to work, as apparently the interface in question is re-enabled before the hold time expires, so the neighbor doesn't end up going down. Slightly annoying, but works for now.



What's something you haven't spent the time to learn, but know learning it would make your job easier.

For me:

  • Multicast
  • QoS


EdgeSwitch to Meraki MX65 poor performance

Hey Everyone,

Have something that is perplexing me...

I have an Edgeswitch ES-16-XG with a port uplinked to our Meraki MX65 (temporary).

When connected to the Meraki directly on its /24 I get close to our ISP advertised speeds 300/300...

When connecting to the internet via the Edgeswitch I get speed that is ~100Mbit..

Anyone know of what might be causing this or what things I might try to resolve this...?



Blog post about Fortnite going down last Sunday, goes into some nice details about their servers and databases



I made a thing by ripping off someones thing

https://imgur.com/a/0NibL

original https://imgur.com/gallery/29wGY

I might get fired for making this all day at work, so you better give me some damn karma.



Scheduled and automated file transfer between two computers on different networks

So I'm looking for a bit of network advice.

I'm trying to figure out a solution to a problem we are currently facing at work.

We're implementing a new system where we need to schedule an automatic transfer between an export folder on our office network to an import folder on a different network every day at a set time.

Basically I need to copy everything from the export folder to the import folder on the other network and afterwards move the content from the export folder to an archive folder on the same computer, at 10am every day.

What's the best practice here? I was looking in to creating an FTP server on the remote computer and automating it with winSCP. But is there a better way?
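The copy-then-archive step itself, written so that the receiving side never sees a half-written file and nothing is archived until the copy has been verified. This is an added example, not the poster's setup; it assumes the import folder is reachable as a mounted path (a UNC/SMB share, for instance) and that the importer ignores `*.part` files. If the other network is only reachable over SFTP, the `shutil.copy2` line is where the SFTP upload would go instead. File names and contents in the demo are constructed.

```python
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Stream the file in 64 KiB chunks so large exports are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def transfer_and_archive(export_dir, import_dir, archive_dir, stamp: str = None) -> List[str]:
    """Copy every file in export_dir to import_dir, verify the copy, then move the original
    into archive_dir/<stamp>. Returns the file names handled, in order. A failed verification
    stops the run with the export file still in place, so the next scheduled run retries it."""
    export_dir, import_dir, archive_dir = Path(export_dir), Path(import_dir), Path(archive_dir)
    day_archive = archive_dir / (stamp or time.strftime("%Y-%m-%d"))
    import_dir.mkdir(parents=True, exist_ok=True)
    day_archive.mkdir(parents=True, exist_ok=True)

    handled = []
    for src in sorted(p for p in export_dir.iterdir() if p.is_file()):
        partial = import_dir / (src.name + ".part")   # importer is assumed to skip *.part
        shutil.copy2(src, partial)                     # copy data and timestamps
        if sha256_of(partial) != sha256_of(src):       # catches a truncated or corrupted copy
            partial.unlink()
            raise IOError(f"checksum mismatch copying {src.name}; export left in place")
        os.replace(partial, import_dir / src.name)     # rename is atomic on one filesystem:
                                                       # the final name only appears once complete
        shutil.move(str(src), str(day_archive / src.name))
        handled.append(src.name)
    return handled


def demo() -> Dict[str, List[str]]:
    """Build a throwaway export/import/archive tree with two constructed files and run one transfer."""
    root = Path(tempfile.mkdtemp(prefix="xfer-demo-"))
    export, imp, arch = root / "export", root / "import", root / "archive"
    export.mkdir()
    (export / "orders-001.csv").write_text("id,qty\n1,5\n")   # constructed sample export
    (export / "orders-002.csv").write_text("id,qty\n2,7\n")
    try:
        moved = transfer_and_archive(export, imp, arch, stamp="2018-02-08")
        return {
            "moved": moved,
            "import": sorted(p.name for p in imp.iterdir()),
            "archive": sorted(p.name for p in (arch / "2018-02-08").iterdir()),
            "export_left": sorted(p.name for p in export.iterdir()),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Schedule the script for 10:00 with Task Scheduler or cron and it does the whole job in one run; the checksum comparison is what turns "the copy finished" into "the copy is correct", and the `.part` rename is what stops the importer on the other network from picking up a file that is still being written.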



[Question] DHCP Relay and DHCP server on the same network

I have a network A with an old DHCP server (call it server A) I want to get rid of. I have set up a dhcp-relay on the main L3 switch (also the gateway) to my other DHCP server (on network B, call it server B) and I have added a scope for network A on it.

As of today, both DHCP servers respond to DHCP requests for network A (obviously, only a small part get an IP from B because server A is much closer). But, if I set the scope down on server A, no one gets an IP. Why?

I can ping server B from any machine in network A, so, it's not a routing issue.

Any guess where I need to look?

I know I may need to wireshark the sh*t out of this, but I just can't understand why my dhcp-relay seems to work only when server A is operating.



What do you use for PtP/PtMP encryption?

Alright /r/networking I need some help. I've got a customer who owns a couple of data centers. He's currently building a new one and his niche market is Top Secret data storage and transfer. We have the ability to provide the PtP to interconnect his data centers via Layer 1 DWDM or Layer 2 Ethernet but I'm running into some issues when it comes to encryption. It must support FIPS 140-2 Level 3 and at minimum 10G transport. What do you think is the best option? I've looked into the Ciena 6500 and don't know if that will be the right fit as it's more of a Carrier/ISP product set.



Core switch stacking & multicast issue

Hello,

I've made a setup of 3 switches (Extreme x670) which are stacked native. I'm experiencing high stack port utilization (100% some times).

My guess is that multicast is redirected to the master switch through this stack connection. But to my knowledge multicast stays within its own VLAN, even while using stacking?

The setup is used to stream raw video to devices within the same VLAN, occasionally to another VLAN (max 4 at a time). The average bandwidth of these streams is high, over 3gb/s. The bandwidth of the stack is 80gb (native v_160).

The setup itself seems to work as intended, which seems odd because when hitting the 100% you should receive some kind of packet/link loss.

I'm new to this subreddit, so if I've missed any crucial information please tell me.



Is there a limit to the seq numbers for prefix-lists in IOS?

Simple question, I know, but I can't find an answer on the web. I'm about to make a change to one of our prefix-lists and as part of that I'm going to change the numbering from sequential to by 10s if possible. This particular list has 28 entries so I want to make sure it will accept seq numbers up to or higher than 280 before I start making these changes.
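The renumbering itself is easy to get wrong by hand on 28 lines, so here is an added Python helper (not the poster's, and not a Cisco tool) that takes the existing `ip prefix-list` lines, keeps their evaluation order, and emits the same list with sequence numbers stepping by 10. The upper bound it checks against, 4294967294, is what IOS shows as the top of the seq range in `?` help; it is stated here as an assumption to confirm on the platform in question. The sample list is constructed.

```python
import re
from typing import Iterable, List, Tuple

# One 'ip prefix-list NAME seq N permit|deny PREFIX [ge X] [le Y]' line; description lines are skipped
PREFIX_LINE = re.compile(
    r"^ip prefix-list (?P<name>\S+) seq (?P<seq>\d+) (?P<rest>(?:permit|deny) .+)$")

# Assumed upper bound of the seq argument as IOS presents it in '?' help; confirm on your platform
IOS_SEQ_MAX = 4294967294


def renumber_prefix_list(config_lines: Iterable[str], start: int = 10,
                         step: int = 10) -> Tuple[str, List[str]]:
    """Rebuild one prefix-list with sequence numbers start, start+step, ...

    Entries are evaluated in ascending seq order regardless of the order they were pasted in,
    so the input is sorted by its old seq before new numbers are assigned. Returns the list name
    and the lines to paste: a 'no' for the old list followed by the renumbered entries."""
    name = None
    entries = []
    for line in config_lines:
        match = PREFIX_LINE.match(line.strip())
        if not match:
            continue
        if name is None:
            name = match.group("name")
        elif match.group("name") != name:
            raise ValueError(f"lines belong to more than one list: {name}, {match.group('name')}")
        entries.append((int(match.group("seq")), match.group("rest")))
    if name is None:
        raise ValueError("no prefix-list entries found")

    entries.sort(key=lambda entry: entry[0])
    last_seq = start + step * (len(entries) - 1)
    if last_seq > IOS_SEQ_MAX:
        raise ValueError(f"seq {last_seq} exceeds the assumed platform maximum {IOS_SEQ_MAX}")

    new_lines = [f"no ip prefix-list {name}"]
    new_lines += [f"ip prefix-list {name} seq {start + index * step} {rest}"
                  for index, (_, rest) in enumerate(entries)]
    return name, new_lines


# Constructed sample; the entries are deliberately out of seq order to show the sort
SAMPLE_CONFIG = [
    "ip prefix-list CUST seq 5 permit 10.0.0.0/8 le 24",
    "ip prefix-list CUST seq 15 deny 192.168.0.0/16 ge 25",
    "ip prefix-list CUST seq 10 permit 172.16.0.0/12",
    "!",
]

if __name__ == "__main__":
    print("\n".join(renumber_prefix_list(SAMPLE_CONFIG)[1]))
```

Paste the `no` line and the new entries as one block so the list is never absent for longer than the paste takes; if the list is referenced by a BGP neighbor or a route-map and that window is a concern, the same function with a different `name` argument baked into the output lets you build the renumbered copy under a new name first and then repoint the references.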



Patched ASA to fix CVE-2018-0101 and now Anyconnect rejecting SSL

Hi guys, we updated our ASA 5520 to 9.1(7)23 last night and everything looked good. But this morning we are getting reports of users not able to VPN in. We have been able to isolate the problem to Windows PCs (our testing last night was with people who all happened to have Apple devices) that have home firewalls that do SSL inspection. Getting the users to add SSL exceptions into their firewalls fixes it, but isn't very feasible given our scale and the technical aptitude of our remote employees. Anyone else had this weirdness after patching, and if so any other workarounds?



SIP trunk between Cisco and Avaya

http://ift.tt/2nT0Hxf

Campus fabric for L2 adjacency over routed access

We have recently moved to a routed access design for our new campus buildings and it is working well, apart from some legacy BMS/BACnet systems that need L2 adjacency to function normally.

We want to avoid hooking up additional switches just to support these items so have been looking into campus fabric to create an overlay for this purpose. We manage all networking in-house and have modest CCNA/NP skillsets available but don't want to end up with a configuration that is difficult to manage.

Wondering if anyone else has set this up and how difficult it was to do?

RA network is Cisco (C9500 cores, C3850 access, both on Everest code).



How do you handle OOB sim card access in EU?

We have several OpenGears in our EU locations and are looking at getting sim cards to insert into them to give us OOB access to our console servers. We're having trouble sourcing these and I was wondering how anyone else here handles this. What provider do you use? How did you procure them? Good/negative experiences with coverage?

At the moment all I can find locally are data SIMs at local shops that I have to provide my personal information for and then manually top up with credit. This isn't practical or scalable. I'd like to find some provider that can sell us a batch of SIM cards expressly for the purpose of OOB management of our devices that we can easily manage/pay for.

Suggestions?



Security Officer “recommends” constant upgrades

So we have a security officer who was hired about a year ago and recently he's been constantly pressuring us to “always have the latest” firmware. We mostly use Cisco 800 routers (70+ routers, similar for Cisco switches (they are internal only)), and right now we are on 15.4.3 m6. I'm not against upgrading, but for example 15.4.3 m9 was released a couple of days ago and he's already “recommending for upgrade”. I've tried explaining to them that this isn't like Windows updates. The current m6 is stable with no issues. We normally upgrade if a special feature is needed or for bugs or critical security issues.

Have you guys had to deal with something like this?



Need help on a possibly simple issue

Good morning/afternoon/evening r/networking.

Please bear with me if this gets a bit long. I just want to make sure I give enough information to you guys/gals.

I'm honestly stumped on this one, not sure what it could be. I've simulated this exact configuration and design, and it works fine on the simulation.

I have this network I'm helping to configure, it's a hub and spoke design, no redundant links, nothing fancy.

I have seven L3 3850 Cisco catalyst switches that are going to be connecting into a Cisco 4507, I'm literally configuring this setup as a router on a stick. Seven different IP schemes, one per 3850 with the 4507 acting as the router.

Each 3850 switch has a basic configuration; username and password, one configured VLAN with an IP address, and a switch default gateway, added nearly all my ports to the VLAN as access, SFP module uplink ports are configured as trunks with all VLAN access.

At the 4507, I have created all seven VLANs with the VLAN gateway ip addresses, enabled IP Routing (We're not doing dynamic routing at all.) I've configured the uplink ports to the 3850s as trunk ports as well with full VLAN access.

When it came to testing on the simulation, everything seemed to work fine. I did this in real hardware today, and I couldn't ping from one switch to the other.

When I went back to check my configurations on the 4507 using 'show run' I noticed that IP routing was not on the list, but if I enter command 'no IP routing', then 'no IP routing' shows up on the list. Google explains that this is normal on some Cisco switches.

I've tried to configure OSPFv2 after IP routing failed me, but then quickly discovered that the Cisco 3850s are missing this layer3 service.

Here's what I managed to write down. The IOS image on the Cisco 4507 is 'cat4500es8-universal.SPA.03.07.03.E.152-3.E3.bin'

Right now my only theory is that the Cisco 4507 is not routing, maybe due to the specific IOS image? Is there something simple that I'm just too numb to realize???

Unfortunately I am not able to show the configs since it's difficult to get a copy of at the moment, apologies for that.

Ask away any questions, and I'll answer them all. AND thank you in advance.

Edit: forgot to mention that at this moment, nothing is connected to the access ports on the edge switches, I'm simply just trying to ping other gateways on the 4507 and the other switches' IP addresses.



I made a thing

Drunk net calc chart https://imgur.com/gallery/29wGY



Network design for a small engineering office

Hey all, I work in a small engineering office and I've been slowly grappling the IT responsibilities away from the senior engineer in the office.

Our current set up is a network of internet connected computers connected mostly via wireless to a router (1-2 computers each + phones). We have another air gapped network of 5 computers & 2 archival drives which is for the drafting stations and all our shared work. They are networked amongst each other but none are on the internet.

The problem is these isolated computers regularly exchange USB drives with networked computers, and as they're not networked some are up to a year (or realistically more) behind in software / security updates. (These computers occasionally get disconnected from the offline network and connected to the internet for updates.)

We make daily back-ups which are brought to an offsite location, the networked computers have antivirus & updates installed and generally people in the office aren't the type to open random email viruses.

Is there a better system we could be doing? I feel like we're living in the past and there's an obvious better solution. Any suggestions are welcomed.

Cheers



Looking for software that will let me monitor dozens of computers across multiple networks.

I'm looking for software that will allow me to see dozens of computers with a small thumbnail live feed of what's happening on them across 3 different networks.

I own a small company with two branches. I want to monitor employees' screens with software similar to Veyon or TightVNC, but from what I see I can only monitor computers that are on the same network. We have two branches so I would like to be able to monitor all computer screens when I need to from my office or from home.

For example:

I log in from my home network and I see live thumbnails of computers from my two branches in a grid.



Wednesday, February 7, 2018

IPSec ESP Troubleshooting on the internet

I have an IPsec VPN issue.

I have a diagram that will help with this.

In my office, we have a VPN Firewall, connected to dual internet service providers.

At a remote site we have a VPN Firewall connected to just one ISP

  • If my traffic traverses ISP #1, I can ping, SSH and HTTPS to the WAN IP no problem. My VPN establishes, but I get 60% packet loss if I try to ping across the VPN link. The VPN has IPs on both ends.

  • If my traffic traverses ISP #2, I can ping, SSH and HTTPS to the WAN IP no problem. My VPN establishes, and I get 0% packet loss across the VPN link.

  • If I try to ping the remote office, from my office. I see packets leaving my office to the remote office, but the packets never make it to the remote office's WAN interface.

  • If I try to ping my office from the remote office, I see packets arriving at my firewall and the responses. However the responses never arrive at the remote office.

So given what I see, if encrypted IPSec traffic leaves my office to the remote office through ISP #1, it fails. Through ISP #2 it works. All other traffic seems to work fine.

If this was a SSL VPN, I could just tcptraceroute and see where it fails, but I don't have an equivalent for IP Protocol 50.

I'm trying to figure out a way to show this to the ISP, because I know they are going to say PING/TRACEROUTE works, so everything else should work.

Has anyone else had a problem like this?



Newbie manager of a Ubiquiti UniFi network, how vital is it to replace EOL access points?

Hi, I've recently been put in charge of a network with several older access points that have been EOL'd by Ubiquiti. Not wanting to spend a lot of money at once to replace them, if I were to avoid updating the management software and firmware, how big of a risk would this be in terms of security, etc.? Could I expect them to function indefinitely as long as I don't update, so I could do rolling upgrade instead of a large purchase? Sorry if this is relatively basic.



'Reload in 10' gives erroneous, future time / date for reload

Hey all - I have a weird one for you - hope somebody has seen this before. Thanks in advance!

I found myself logged into a WS-C3560G (12.2(44)SE6) today and when I issue a 'reload in 10', the system informs me it will be reloading but not in 10 minutes as desired - rather 3 weeks and 8 hours and change into the future. I've included the commands issued, system response and relevant config.

I issue a 'sh clock' immediately before issuing 'reload in 10' to provide the current time to compare with the system's response to the reload command.

hostname# sh clock
15:53:45.383 CST Wed Feb 7 2018

hostname# reload in 10
Reload scheduled for 23:10:44 CST Wed Feb 28 2018 (in 511 hours and 16 minutes) by redacted on vty0 (ip.ip.ip.ip)
Proceed with reload? [confirm]
hostname# reload cancel
hostname#

Here are the clock and ntp configs, and below we see that ntp is synced:

hostname# sh run | i clock
clock timezone CST -6
clock summer-time CDT recurring 3 Sun Mar 2:00 2 Sun Nov 2:00

hostname# sh run | i ntp
ntp source VlanBB
ntp server ip.ip.ip.ip prefer
ntp server ip.ip.ip.ip
ntp server ip.ip.ip.ip

hostname# sh ntp stat
Clock is synchronized, stratum 2, reference is ip.ip.ip.ip.
nominal freq is 119.2092 Hz, actual freq is 119.2079 Hz, precision is 2**18
reference time is DE25F281.95274A75 (15:57:26.582 CST Wed Feb 7 2018)
clock offset is 9.4973 msec, root delay is 85.33 msec
root dispersion is 41.31 msec, peer dispersion is 31.33 msec


Setting up an IPSec(?) VPN for a Small Business

I work for a brick-and-mortar store as a technician and I've been attempting to setup a roaming VPN for a small business on-site.

The gateway is a D-Link DSR-500AC (one of the only gateways/routers that matched all the criteria he required that we sell). I followed this guide to set it up (with increases in the security algorithms): http://files.dlink.com.au/Products/DSR-500AC/REV_A/SetupGuides/How_to_setup_L2TP_VPN_Service_in_DSR-1000AC_500AC.pdf

I have the L2TP/IPSec server VPN setup. The only way I could get it to connect correctly was to set an L2TP secret AND an IPSec pre-shared key, with a username and password. The guide above mentions not using an L2TP secret. Windows' native client only allows setting the IPSec pre-shared key. So the first question: What's the difference between the two keys/secrets? Everything I can find online only ever implements one or the other, not both.

As of yet it works fine on Android's native client over LTE. On WiFi, it only worked once I enabled L2TP and IPSec pass through on my home router. So the second question: Is there any way to deal with the pass through issue for the employees that will undoubtedly not have VPN pass through on their home routers?

Thanks guys!



Network Tap Software

I'm looking into mirroring some ports on our LAN and hoping to keep about 1 week of pcaps. I know of Bro, but what other software are people using for this? Is this common?

Bonus feature would be to replay some PCAPs.

EDIT - to clarify, this would a continuously running service that would ingest 4-6 port mirrors and keep the packets on disk.



[Educational] Looking for some guidance on a semester long Networking Project with a Deliverable

Good Afternoon r/networking,

I have been offered an outside studies class by one of my faculty members for my MIS program. My interests, and his, lie in networking and cyber security.

The project is mostly research based but does require a deliverable. The deliverable doesn't have to be a unique or even new idea. The deliverable should demonstrate a semester (4 months) worth of research and work. For example, a deliverable could be submitting a paper to network world, regardless if they run it.

The purpose of this post is to get some ideas on where the future of enterprise networking and enterprise network security are heading (e.g. SDN). I will do the research; I'm just looking for topics to research, and to see if anyone has ideas for a deliverable (logical model, submitted paper, demonstration via software, etc.).

I'm currently researching SDN and its security value for IoT and trying to think how I could demonstrate it.

So, does anyone have any ideas on good research topics or potential deliverables? Thank you all.



IPSec Site-to-Site tunnel issues between Europe and China

For several months we have had continuous IPSec VPN issues with our Site-to-Site tunnels between our China and Europe sites via the Internet. IKE traffic sent by some Europe sites never arrives at the China site. All other traffic arrives as usual.

Our China contact told us some of our public address spaces are on a kind of blacklist. We solved this by switching the public address spaces used for tunnel establishment with our China sites at some important Europe sites. This works for now, but this might change ...

I spoke with some other colleagues I know from work. Most of them see the same behavior, except those who are using MPLS lines to connect to Europe.

I heard that there is a way to "register" a company VPN with the Chinese government in order to not get blocked by the Great Firewall, but I was not able to get any details yet.

Are you, or were you, faced with the same situation? How did you solve it?



Anyone know what is going on with Meraki MR33s?

Over 2 months ago, we had all of our MR33s suddenly disconnect from the cloud controller and never connect back up no matter what we did. All other models worked fine on the network.

After over a month of being down, they finally released a beta firmware just for our MR33s and had us beta test for a week or two. Now they say that they'll roll the fixes into a general release, but it's been over a week since then.

Does anyone actually know wtf is going on? My rep is not helpful at all and support is giving me the ole run around about engineering not telling them anything. Hopefully someone with insider info can chime in.



Cisco AnyConnect filtering?

Hello all. Pardon my lack of knowledge in this department. We currently use Cisco Anyconnect (3.1.12020) for roughly 50 of our end users. We are trying to find ways to further lock it down to a device level. By this I mean, we really only want users connecting with it back to us via our devices, not their personal ones such as a home computer. Is there a way to do this? I am more or less asking on behalf of our Network Admin since he will be the one to make such changes but I thought I would get some advice from you guys!

Again, pardon my lack of knowledge in this area!



Motorola 7550 Modem/Router Woes

Howdy,

I've had two techs out in two days to investigate the issues we've been having with our home cable internet connection. The first tech removed some old amplifiers and splitters from years ago and that didn't fix anything. The tech that came out today didn't see any issues with downstream, upstream or SN ratio either from the drop or the modem.

However, as soon as they leave, this stuff starts right back up and it's super annoying, especially when you're trying to get homework done online!

I've tried to google the logs from my modem, which are annoyingly truncated and don't show the full message for each event; however, there definitely seems to be an issue. If anyone has experience with cable DOCSIS codes, or just a general idea of what any of this means, that would be great. This is an example of the pattern that occurs a few times an hour.

Tue Feb 06 17:12:23 2018 Error (4) Missing BP Configuration Setting TLV Type: 17.9;CM- MAC=00:40...
Tue Feb 06 17:55:44 2018 Critical (3) Started Unicast Maintenance Ranging - No Response received -...
Tue Feb 06 17:56:17 2018 Critical (3) Received Response to Broadcast Maintenance Request, But no U...
Tue Feb 06 17:56:28 2018 Notice (6) Overriding MDD IP initialization parameters; IP provisioning...
Tue Feb 06 17:56:36 2018 Error (4) Missing BP Configuration Setting TLV Type: 17.8;CM MAC=00:40...
Tue Feb 06 17:56:36 2018 Error (4) Missing BP Configuration Setting TLV Type: 17.9;CM-MAC=00:40...

Other info:

Ch  LockStatus  Mod     CID  Freq   Pwr   SNR   Corrected  Uncorrected
1   Locked      QAM256  16   549.0  -6.2  39.6  0          0
2   Locked      QAM256  10   513.0  -5.8  39.7  0          0
3   Locked      QAM256  11   519.0  -5.9  39.7  0          0
4   Locked      QAM256  12   525.0  -5.8  39.8  0          0
5   Locked      QAM256  13   531.0  -6.0  39.7  0          0
6   Locked      QAM256  14   537.0  -6.0  39.7  0          0
7   Locked      QAM256  15   543.0  -6.1  39.7  0          0
8   Locked      QAM256  9    507.0  -5.8  36.2  0          0
9   Locked      QAM256  17   555.0  -6.3  39.5  0          0
10  Locked      QAM256  18   561.0  -6.3  39.6  0          0
11  Locked      QAM256  19   567.0  -6.3  39.6  0          0
12  Locked      QAM256  20   573.0  -6.3  39.6  0          0
13  Locked      QAM256  21   579.0  -6.3  39.6  0          0
14  Locked      QAM256  22   585.0  -6.1  39.7  0          0
15  Locked      QAM256  23   591.0  -6.1  39.7  0          0
16  Locked      QAM256  24   597.0  -5.8  39.8  0          0
Total                                            0          0

Ch  LockStat  ChanType  CID  SymbRate  Freq. (MHz)  Pwr (dBmV)
1   Locked    ATDMA     3    5120      30.4         44.0
2   Locked    ATDMA     2    5120      24.0         44.0
3   Locked    TDMA      1    2560      19.2         42.8
4   Locked    ATDMA     4    5120      36.8         44.8


How deep should a Network Architect go into knowing a specific product or technology

In my view as network architect you need to understand the principles and you have to be able to create high level designs/architectures that will map business requirements to network functions. Then the design is refined by an engineer.

These days the network devices are quite complex they are capable of working with lots of technologies, some open standard some vendor specific, each vendor implementation of the above coming with its own limitations or specifics.

How deep does an architect need to know vendor products in order to be able to do proper high level designs. Let's not forget that most of the cases the companies become vendor shops and they stick with one vendor for most of the technologies they use (Ex: Juniper, Arista, HP etc). Do you need to know CLI and hardware specifics? Do you need to know about capacity limitations? What would you focus your learning on if you would hold such a position in your company?



Hi-Freq Trading/Financial Networks and Careers. Thoughts?

For some time I've been considering shifting from MSP to the Financial side (High-Freq/Low Latency). The opportunity may present itself and I need to make a quick decision at this point. I feel like I am diving into the unknown and may seriously regret the decision if I take it.

What can I expect? How stressful and hectic is the work environment? Is it a wise choice for progressing my career? Worth the money?

Forgive me if this falls into "Early Career Advice." I don't believe it does though. Strictly networking and coming up on 6 years in the industry.



Does such a thing as a wireless switch exist?

So a hub has wired connections. When it receives something on one connection, it sends it to all other connections. A switch only sends something to its intended destination.

A WAP is like a hub in the sense that everyone connected to it is on the same medium, so when a WAP receives something it sends it to all others, like a hub.

I was wondering, does there exist a switch that instead of clients connecting via Ethernet, they instead connect via different wireless channels. So that it's as if they have their own connection to the switch and the switch can send data only to the intended receiver.

Just wondering if something like this exists, I understand this doesn't really improve security or anything like that.



Cisco ASA vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1#fixed

Looks like the previous fixed code of the ASA still has some security holes in it. :)



Does CAT6 cabling differ in quality?

Setting aside obvious cable standards such as Cat6a, and the type of cable UTP, STP, etc, I’m curious as to whether the quality of Cat6 can differ and in what way?

I've purchased some fairly cheap CAT6 UTP at 100m for 60 AUD; looking at electrical wholesalers, it seems most of them charge around double this for around the same length and cable type. What am I missing out on by going with the cheaper cable? Is there any reason not to go with the cheaper one?

For reference the brand of cable is Anyware.

Let me know guys!



Why switchport port-security maximum should be enabled?

What good arguments can be used to convince a manager to activate this feature?

What if you have many sites already using cheap consumer-grade switches connected to an access port? Activating this port security feature would disconnect them, so why should I activate this feature if it's going to cause some trouble for them?



Regular expression in Cisco Prime (3.3)

Hello!

Question in regards to Cisco Prime's Configuration Validation.

Fairly new user to Cisco Prime, as I have previously been using Nessus for auditing our networking devices for config validation.

I'm having trouble with figuring out how to properly make Regex work with building out a custom configuration audit policy/rule.

Currently, I have created a policy, and am adding a rule. For this particular one, I want to ensure that the enable password is encrypted.

What I have set:

  • Scope: Execution
  • Data Type: String
  • Input Required (Unchecked)
  • Is List of Values (Unchecked)
  • Accept Multiple Inputs (Unchecked)
  • Default Values: Blank
  • Max Length: Blank

For "Valid RegExp", I tried the following:

enable secret [^ ]
enable secret [4|5]
enable secret 4|5

When I click preview, I get "Invalid Regular Expression".

Any help would be greatly appreciated.
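An added example, not from the post or from Cisco Prime: the three patterns above run against a few constructed IOS config lines with Python's re module, plus a corrected, anchored pattern and the audit check as a whole. It assumes Prime's "Valid RegExp" field uses ordinary Perl-style regex syntax, so that `[4|5]` is a character class (the `|` is literal inside brackets) and `4|5` alternates the whole left side against a bare `5`.

```python
import re

# Constructed sample config lines (not from any real device): two compliant
# enable secrets, one legacy cleartext enable password, one unrelated line.
SAMPLE_CONFIG = [
    "enable secret 5 $1$abcd$examplehashvalueXXXXXXXXXX",     # type 5 secret
    "enable secret 4 examplebase64hashvalueXXXXXXXXXXXXX",    # type 4 secret
    "enable password cleartextpass",                         # non-compliant
    "username admin privilege 15 secret 5 $1$zzzz$exampleX", # unrelated line
]

# The poster's three attempts, plus a corrected version.
PATTERNS = {
    "[^ ]":  r"enable secret [^ ]",       # any one non-space char after "secret "
    "[4|5]": r"enable secret [4|5]",      # class: '4', '|' or '5' (the '|' is literal)
    "4|5":   r"enable secret 4|5",        # "enable secret 4"  OR  a bare "5" anywhere
    "fixed": r"^enable secret [45] \S+",  # anchored; type 4 or 5, then the hash
}

def matching_lines(pattern, config_lines=SAMPLE_CONFIG):
    """Return the config lines matched by pattern (re.search, like a grep)."""
    rx = re.compile(pattern)
    return [line for line in config_lines if rx.search(line)]

# The audit rule as a whole: an encrypted enable secret must be present and
# no 'enable password' line may remain beside it.  Newer IOS also offers
# type 8 and 9 secrets; widen the class if your baseline requires them.
COMPLIANT_RX = re.compile(r"^enable secret [45] \S+$")
CLEARTEXT_RX = re.compile(r"^enable password ")

def audit_enable_secret(config_lines=SAMPLE_CONFIG):
    """Return the findings for the 'enable password is encrypted' rule."""
    has_secret = any(COMPLIANT_RX.search(line) for line in config_lines)
    has_cleartext = any(CLEARTEXT_RX.search(line) for line in config_lines)
    return {"has_secret": has_secret,
            "has_cleartext": has_cleartext,
            "compliant": has_secret and not has_cleartext}

if __name__ == "__main__":
    for name, pat in PATTERNS.items():
        print(f"{name:>6}: {len(matching_lines(pat))} line(s) matched")
    print(audit_enable_secret())
```

Note that `4|5` also matches the unrelated `username ... privilege 15` line, which is why an unanchored alternation is a poor audit rule even where the engine accepts it.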



Is it possible to pull wifi signal to a router to create an IDF so I can Ethernet wire everything?

Wherever the MDF is, it's not running an Ethernet line down to this strange basement area I'm working in. Currently, this business wants to use a netgear AC1750 router to supply a connection to all the switches. Is this even possible? The wifi connection is good enough, but how would I configure this wireless access point to act as this?

Seems nuts, but just because I haven't done this before. This is the basement of some school built in 1937.



Catalyst 3850 stack addition Q

This is probably a simple question, but I couldn't find a definitive yes or no (probably because it's assumed), and I haven't worked on a cisco stack in ages.

I have a 4 switch stack of 3850s. I need to add another switch. The data and power (stacked power) cables are connected as follows:

1-2

2-3

3-4

4-1

My understanding is that this is a full duplex stack because it's looped back. And show switch stack-ring speed verifies this.

Can I safely disconnect the cables (data and stacked power both) between switch 4 and 1 (break the ring), to bring in switch 5? It should just go into a half-duplex type condition where bandwidth drops and lose shared power but nothing goes offline. Right? As long as the switch is powered off when I connect it, I can then power it on and it will auto upgrade/downgrade to the correct version when added to the stack?

Is there any advantage to pre-provisioning it with the switch number it will have after addition to stack? Is there any need to do any configuration of the switch at all beforehand?

Thanks!



Chassis vs Stacks in IDFs

We typically do loaded 2-post racks with Cat 3k's in 4 or 6 member stacks. We used to do 2' cables and Neat Patches but lately have been doing 6" cables with no organizers (more dense, works pretty well, very easy to trace when vetting documentation). It gets us about 6 switches per rack, 100% patched. There's an idea to do chassis-based switches in the IDFs now (Cat9400) and I'm interested in hearing from folks on the contrast between the two. Seems like a lot of cables, but we can always hire someone to do that. Which do you like more and why? If going chassis, what are some things to keep in mind or avoid?



Looking at NCCM

We recently went into a merger and we now have around 300 sites to manage with about 30k end users. Boss man seems to "finally" understand that we are a big shop now and says that we have budget for enterprise level tools.

The network is made up of different vendors (Cisco, Brocade, HP, etc.)

What do you guys recommend for NCCM (Network configuration and change management)?

In the past I've used Cisco Prime Infrastructure and liked it, but that's not multi-vendor; better tools are possibly out there.

I know of SolarWinds and ManageEngine solutions but I've been out of the loop since we never had the funds for these types of solutions.

What is out there and what do you recommend?



Cisco 7600 VPLS Configuration Help

At my shop we're trying to set up VPLS on our Cisco 7600 series (yes, they are EOL as fuck, but support is still good and cheap spare parts are aplenty). We use OSPF for our MPLS core and already just do straight L2 xconnects, so VPLS didn't seem that far off of a dream. Unfortunately that dream seems to have died.

I'm setting up between three 7600's to create this tunnel with the following:

7600 1.1.1.1
l2 vfi Phones manual
 vpn id 231
 neighbor 1.1.1.3 encapsulation mpls
 neighbor 1.1.1.6 encapsulation mpls

7600 1.1.1.6
l2 vfi Phones manual
 vpn id 231
 neighbor 1.1.1.3 encapsulation mpls
 neighbor 1.1.1.1 encapsulation mpls

7600 1.1.1.3
l2 vfi Phones manual
 vpn id 231
 neighbor 1.1.1.1 encapsulation mpls
 neighbor 1.1.1.6 encapsulation mpls

On each 7600 we have this in the interface VLAN config:

interface Vlan231
 description Phones
 no ip address
 xconnect vfi Phones
end

Then we trunk that out to the ports needed as a standard VLAN. The Xconnect comes up and everything shows fine that I can diag.

1.1.1.1_7609#show mpls l2transport vc 231
Local intf     Local circuit              Dest address     VC ID      Status
-------------  -------------------------  ---------------  ---------  ----------
VFI Phones     VFI                        1.1.1.3          231        UP
VFI Phones     VFI                        1.1.1.6          231        UP

1.1.1.1_7609#show vfi name Phones
Legend: RT=Route-target, S=Split-horizon, Y=Yes, N=No
VFI name: Phones_DVS, state: up, type: multipoint
  VPN ID: 231
  Local attachment circuits:
    Vlan231
  Neighbors connected via pseudowires:
  Peer Address     VC ID    S
  1.1.1.3          231      Y
  1.1.1.6          231      Y

Now on the switches at each location, we've tried running a ping between but getting failures. Also if I throw a VLAN on the int vlan on two of the 7600's, it fails to reach the other 7600.

Any ideas and suggestions would be appreciated, thank you!



How to send a custom packet?

I want to cheat in a simple multiplayer game, and I have 2 questions.

    1. I found the packet I want to send to the server using Wireshark, but how do I send it?
    2. Can I write Python code that does it?
  • I use Linux



OSPF LFA instead of RSVP-TE for FRR

Is anyone running OSPF LFA in their MPLS core instead of RSVP-TE? I'm curious if you've come across any caveats or problems... or is it working well? We're currently using RSVP-TE, only for the Fast ReRoute capabilities. I've done some basic testing in the lab and it's working as expected, but I haven't pushed it very hard yet. Would love to hear some real world experiences.... We're doing L3VPN, VPLS and will be adding Label Switch Multicast (mLDP) to the mix soon.



AT&T to Release “dNOS” Software Framework Into Open Source to Accelerate Network White Box Adoption

Couldn't see this posted here even though it's 8 days old.

Has anybody used dNOS? Is it Vyatta like syntax? Where does this put VyOS in the open source networking world?



Tuesday, February 6, 2018

Anyone plan on getting the EVE-NG pro version coming out soon?

https://www.youtube.com/watch?v=aLZJXwZN0fk&t=1s

Trailer looks wicked, the dev's been putting some serious work into this thing. Worlds beyond VIRL and GNS3.

I heard from a source it'll be like $100.



SD-WAN packet fixing & Optimisation,.. does it really work

Hi All, so I've been going back and forth with some people in my team over SD-WAN & optimisation tech and, wearing my admin-type hat,.. well tbh, I don't believe that it actually works as described. Far too many times I've been told about product bla that will do this amazing thing and make my life amazing & simple, only for management of my workplace to fall for it; we put it in and then it does a mediocre job at best. Essentially we have one guy in our team who is pushing Silver Peak massively (to the point where I think he must be getting a kickback), saying that it will make our Office 365 run so much better bla bla bla; however, this guy has questionable knowledge of how the inner workings of tech work and generally just knows what current buzzwords to say.

So mini rant over, does this stuff actually work? If I put in a Silver Peak router & server in Azure, will it somehow magically use less bandwidth when downloading files from SharePoint? Will it somehow make all of my emails smaller and allow us to de-dupe email traffic,.. even though said traffic is encrypted? Also the whole SD-WAN premise looks to be geared towards businesses with multiple offices that want links in between them; however, everything of ours is in the cloud, so I don't really see any benefit with that. The only thing I can see is that it can repair dropped packets through parity information in the packets that did arrive. However, that's not an issue that we really have.

So I guess what I'm asking is, does anyone use this stuff that can honestly tell me if it works as described who doesn't work for the company selling said product. Every review I've read that says it works all looks to be written by someone who works for the company of the product they are reviewing.

thanks in advance for anyone that has the time to comment.



Bought a router, Speeds over wireless abysmal, speedtest.net said something about port 8080

So, I'm assuming that port 8080 is somehow blocked, and to my knowledge port forwarding directs traffic to a specific computer.

I'm using this router, which I got for the new place, since it has to be in the main room, and it was attractive. So far I have to say I'm very unimpressed.

https://www.amazon.com/gp/product/B00IB6IAA2/ref=oh_aui_detailpage_o05_s00?ie=UTF8&psc=1#customerReviews

I'm not a network guru or anything, but I'm techy enough. This piece of shit is blocking 8080, which is basically option 2 for web traffic. 80 being the primary.

What gives? Is there a setting somewhere I can change? Port forwarding doesn't seem like the right choice. Only getting .29 of my 50 mb down right now. Getting full upload.

So confused.



Nat route-map question.

I'm trying to understand what the following command is doing:

ip nat inside source route-map MAP1 interface GigabitEthernet0 vrf INET overload

Here is route-map MAP1:

route-map MAP1 permit 10
 match ip address NAT_LOCAL
 match interface GigabitEthernet0

Here's NAT_LOCAL ACL:

ip access-list extended NAT_LOCAL
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 10.0.0.0 0.0.0.255 any

And then there's also another route map:

route-map MAP2 permit 10
 match ip address LOCAL
 set vrf INET

And LOCAL ACL:

(Bunch of (what looks like to me) random deny statements.)
 permit ip any any

And finally

VRF definition INET 

and our Tunnel0 has "tunnel vrf INET"

So, my question is, are both route maps being applied? What I think is happening (please correct me if I'm wrong) is both route-maps are being applied, but the IP of the traffic depends on which map is applied? For example if a packet comes in that's not in the 192.168.1 subnet or the 10.0.0 subnet, the route map MAP1 will be applied?
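An added example, not from the post and not IOS code: a small Python model of how the two match clauses of MAP1 above are evaluated for a packet, using the wildcard-mask semantics of IOS extended ACLs (a 0 bit in the mask must match, a 1 bit is ignored). Only MAP1 is modelled; where MAP2 takes effect depends on where it is bound (for example as a policy route-map on an interface), which the post does not show.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: bits that are 0 in the mask must match the network,
    bits that are 1 are 'don't care'.  All three arguments are dotted quads."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

# The NAT_LOCAL ACL from the post as (action, network, wildcard) entries.
# Note that "10.0.0.0 0.0.0.255" covers only 10.0.0.0/24, not all of 10/8.
NAT_LOCAL = [
    ("permit", "192.168.1.0", "0.0.0.255"),
    ("permit", "10.0.0.0",    "0.0.0.255"),
]

def acl_permits(acl, src):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, net, wc in acl:
        if wildcard_match(src, net, wc):
            return action == "permit"
    return False

def map1_permits(src, egress_ifname):
    """route-map MAP1 permit 10: every 'match' clause in the sequence must be
    true, so the source must be in NAT_LOCAL AND the packet must be leaving
    via GigabitEthernet0."""
    return acl_permits(NAT_LOCAL, src) and egress_ifname == "GigabitEthernet0"

def nat_decision(src, egress_ifname):
    """What the 'ip nat inside source route-map MAP1 interface Gi0 ... overload'
    statement does with a packet from an inside interface: PAT it behind
    GigabitEthernet0's address when MAP1 permits it, otherwise leave it alone."""
    if map1_permits(src, egress_ifname):
        return "translate (PAT to GigabitEthernet0)"
    return "no translation"

if __name__ == "__main__":
    # Constructed sample packets: (source, egress interface).
    for src, ifname in [("192.168.1.10", "GigabitEthernet0"),
                        ("10.0.0.5",     "GigabitEthernet0"),
                        ("10.0.1.5",     "GigabitEthernet0"),   # outside the /24
                        ("192.168.1.10", "Tunnel0"),            # wrong egress
                        ("172.16.0.1",   "GigabitEthernet0")]:  # not in the ACL
        print(f"{src:>14} via {ifname:<17} -> {nat_decision(src, ifname)}")
```

The third case is the one that surprises people: 10.0.1.5 is not translated because the ACL's wildcard only covers the first /24 of 10.0.0.0.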



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



archive config from exec mode not working on Nexus 9k?

Working on a 9300 right now and I wanted to know how this works.
The docs say that after you configure the archive, besides the periodic saves you can commit the config voluntarily with archive config

http://marker.to/fhdp7U

for me this is working only if I enter the archive config mode
switch(config)# archive config
^ % Invalid command at '' marker.

then this works
switch(config-archive)# archive config
switch(config-archive)#

here is my config

archive
path bootflash:
time-period 5
maximum 14
write-memory



Issue with Fiber Connection Between Dell N1548P and Dell 5548P

I have installed two new Dell N1548P switches and am running fiber back to my server room to a Dell 5548P. I am getting intermittent drops on both new switches, but one of them is really a problem child. It will lose connectivity completely unless I reboot it. The link on the 5548 end still shows good, and the optical diagnostic shows no loss of signal, but connectivity to it will just stop. I have tried switching the fiber connections with the other switch, which even though has intermittent drops, still works, and I get the same issue, no connectivity unless I reboot. I have not done any other configuration on these switches with the exception of getting their IP's on the network and joining them to a VLAN for our wireless. Is there anything I could be missing here? Some sort of loop I'm not seeing?



Aruba says it's the network: Wireless authentication timeouts

Hey, everyone, I've got a problem I've been working on for a bit and thought I'd toss it out here for any additional insight the community could provide. We have a basic hub-and-spoke network with all of our sites coming off the central data center across WAN links. All of the sites are set up the same way, but I'm seeing an issue at one particular site. We are seeing wifi authentication timeouts from all client types at this site (Chromebooks, iPads, iPhones, Windows 10 laptops), and the experience on the user side is that it can take anywhere from 0 seconds to 5 minutes for a client to connect to wifi. We are using 802.11x certificate and PEAP authentication (to tie a user name to a client device). I've looked at our Clearpass (authentication server) and see timeouts occur at all sites, but have really only heard of complaints from this particular site. I've visited the site myself and it's the only site where I've been able to replicate the issue personally. If I try to connect, about half the time I get a "network not available", and then I try to reconnect and it will work after one or several more tries.

I worked with Aruba (we have their wifi and Clearpass authentication server in production for wireless) tech support and we did a lot of troubleshooting. We compared configs of sites that work with the local controller at this site. I've replaced the local controller at the site. I've done iperf3 TCP and UDP tests across the WAN link to this site and compared those results to several of my other sites. I've compared switch and router configs from all sites. I've looked at routing tables, pings, MTRs, jitter, and latency. I've set up a simpler wifi SSID at the site that only uses PEAP to take certificates out of the mix and still have the issue on the simpler SSID. I've done simultaneous packet captures on the local router, the wireless LAN controller, both routers in my data center (where the packets would need to travel to reach the authentication server) and finally, Clearpass (authentication server).

After comparing these with Aruba support, we have been able to narrow down the problem to RADIUS UDP packets not getting back to the client, and then that authentication session times out. From what I saw, the packets all reach the Clearpass server, but when we see the timeout, the Clearpass server just never sends the response back to the client. These packets go over UDP 1812, and what we should see is an access-request from the controller (on behalf of the client) and then an access-challenge from Clearpass. This goes back and forth until Clearpass either responds with an access-accept packet or an access-reject. When we see the timeout happen, Clearpass fails to send anything back during this process. So it might receive an access-request and then send an access-challenge back to the client, and then another from each, and then finally the client will send an access-request and no access-challenge is sent back for that packet. Finally, that session times out and a log in Clearpass is generated for that session.
Aruba just keeps saying this is a network issue (of course).

Finally, I did something to "fix" the issue, at least temporarily. What I did was fail all of the APs at this site over to our backup controller that is located in the data center. When I did this, we stopped seeing the issue at the site and stopped hearing complaints from users. This does nothing to change the topology, but the only thing I can think of that changes is where the AP GRE tunnel drops the client traffic off. When the APs terminate to the local controller at the school, all wifi client traffic terminates there onto the local switch. When I fail the APs over to the WLC at the data center, wifi traffic gets dropped off there, they get a DHCP IP from the data center DHCP pool, and then that authentication traffic goes straight from the WLC located in the data center over to the Clearpass server (in the same DC).

Here is a diagram showing the differences: DIAGRAM

This made me think our WAN provider might be dropping UDP traffic or something but again, I've done iperf3 tests on UDP 1812 and not dropped any traffic during those tests. The traffic would be tunneled through GRE across the WAN in the "working" configuration and just sent raw as UDP 1812 over the WAN link when I am seeing the issue. This theory contradicts what I'm seeing with Clearpass failing to send responses when I see requests on the packet capture hitting Clearpass, however.

I'm stumped as to what to even try next. Any ideas? Sorry for the long post! Just wanted to include all of the details, and thanks in advance for any replies to this thread!
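An added example, not from the post or from Aruba/Clearpass: a pass over captured UDP/1812 datagrams that pairs each RADIUS Access-Request with its reply by (NAS address, Identifier) and reports the requests that never got one, which is the symptom described above. The capture below is constructed, the addresses are placeholders, and only the 20-byte RADIUS header (Code, Identifier, Length, Authenticator) is parsed.

```python
import struct

# RADIUS packet codes (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
REPLY_CODES = {ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE}

def radius_header(payload):
    """Parse the fixed RADIUS header.  Returns (code, identifier, length,
    authenticator) or None when the datagram is too short or the Length
    field is inconsistent with the bytes actually received."""
    if len(payload) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        return None
    return code, ident, length, payload[4:20]

def make_packet(code, ident, authenticator=b"\x00" * 16):
    """Build a minimal, attribute-less RADIUS datagram (for the constructed
    capture below; a real server would reject a request with no attributes)."""
    return struct.pack("!BBH", code, ident, 20) + authenticator

def unanswered_requests(capture, timeout_s=5.0):
    """capture: iterable of (t_seconds, src_ip, dst_ip, udp_payload).
    Pairs replies with requests by (NAS ip, Identifier); retransmissions keep
    the first send time.  Returns one finding per request that got no reply,
    plus any reply that arrived later than timeout_s.  A production tool would
    also compare the Request Authenticator, since the 8-bit Identifier wraps."""
    pending = {}
    findings = []
    for t, src, dst, payload in sorted(capture, key=lambda p: p[0]):
        hdr = radius_header(payload)
        if hdr is None:
            continue                      # not RADIUS, or truncated
        code, ident, _, _ = hdr
        if code == ACCESS_REQUEST:
            pending.setdefault((src, ident), t)
        elif code in REPLY_CODES:
            sent = pending.pop((dst, ident), None)
            if sent is not None and t - sent > timeout_s:
                findings.append({"nas": dst, "id": ident, "sent": sent,
                                 "reason": f"late reply ({t - sent:.1f}s)"})
    for (nas, ident), sent in pending.items():
        findings.append({"nas": nas, "id": ident, "sent": sent,
                         "reason": "no reply"})
    return findings

# Constructed capture: controller (NAS) talking to the RADIUS server.
NAS, SRV = "10.20.1.5", "10.0.0.10"            # placeholder addresses
CAPTURE = [
    (0.00, NAS, SRV, make_packet(ACCESS_REQUEST, 7)),
    (0.02, SRV, NAS, make_packet(ACCESS_CHALLENGE, 7)),
    (0.05, NAS, SRV, make_packet(ACCESS_REQUEST, 8)),    # next EAP round
    (0.07, SRV, NAS, make_packet(ACCESS_CHALLENGE, 8)),
    (0.10, NAS, SRV, make_packet(ACCESS_REQUEST, 9)),    # never answered
    (3.10, NAS, SRV, make_packet(ACCESS_REQUEST, 9)),    # NAS retransmit, same Identifier
    (0.50, NAS, SRV, make_packet(ACCESS_REQUEST, 10)),   # another session that completes
    (0.52, SRV, NAS, make_packet(ACCESS_ACCEPT, 10)),
]

if __name__ == "__main__":
    for f in unanswered_requests(CAPTURE):
        print(f"NAS {f['nas']} id {f['id']} sent at t={f['sent']:.2f}s: {f['reason']}")
```

Run the same pairing on the captures taken at the controller and at the server side: a request that is unanswered in both is the server's silence, while one answered at the server but unanswered at the controller points at the path in between.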



"Modern" DHCP server?

Just wondering what you guys are using for your DHCP servers away from the corporate network (i.e. not Windows)?

It seems like a fairly trivial thing but we're deploying a new development environment and are coming up with custom provisioning tools for physical/virtual machines, iLOs, networking hardware etc yet can't find a DHCP server with any kind of database backend or API that can easily be managed via scripting tools/Ansible.

Anyone got any ideas?

I (briefly) looked at ISC's new Kea DHCP server but it doesn't seem very mature and has a lot of gotchas.