Saturday, February 17, 2018

Malware/Virus detection in pcap files

Anyone know of a good tool to analyze pcap files for malware/viruses?



Need help with HP switches. Need to see what device is connected to a port

EDIT: solved

Hi all,

our company has many HP switches and I need to find out what device is connected to what port on a switch.

Let me explain:

I need to document our network and, as the people before me weren't able to do so, I have no documentation of the fibre connections. I do not know what fibre line goes where.

We do not have a fibre switch, which would be nice, but our company says it's too expensive... So we use standard switches to distribute fibre to the other rooms.

I do have all switches' MAC addresses and IPs and my question is, can I somehow get the CLI to show me what device is connected to a specific port? I understand that I can let it show me what MAC address is located on a port. This is helpful but not what I want. I need to know for example what the MAC or IP of the device is that is connected to port xx on the first switch. With this info, I can create a map of the fibre lines in the company as to date no one knows which line goes where.

Help would be really appreciated

Thank you very much
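One way to turn the MAC table the poster already has into a port-to-device map, as an added example that is not part of the post: given (mac, port) pairs copied out of a switch's MAC address table plus the inventory of switch MACs and IPs the poster says they hold, every port is labelled as an uplink to a known switch, a single end device, or an undocumented aggregator. The sample table and inventory are constructed; the only assumption about the switch is that its MAC table can be exported as address/port pairs. (If the switches run LLDP, `show lldp info remote-device` on ProVision shows the neighbour directly; this script is for the case where only the MAC table is available.)

```python
"""Label switch ports from MAC-table entries and a list of known switch MACs.

Added example (not from the post). Input is a list of (mac, port) pairs,
assumed to have been copied out of the switch's MAC address table, plus
the inventory of switch MACs/IPs the poster says they already have. All
sample data below is constructed.
"""
import re
from collections import defaultdict


def normalize_mac(mac: str) -> str:
    """Canonical lowercase 12-hex form so ProVision (001122-334455),
    Cisco (0011.2233.4455) and colon notation compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def map_ports(mac_table, inventory):
    """mac_table: iterable of (mac, port); inventory: {mac: label} of known
    switches. Returns {port: description}."""
    known = {normalize_mac(m): label for m, label in inventory.items()}
    per_port = defaultdict(set)
    for mac, port in mac_table:
        per_port[str(port)].add(normalize_mac(mac))

    result = {}
    for port, macs in sorted(per_port.items()):
        hits = sorted(known[m] for m in macs if m in known)
        if hits:
            # The neighbour switch's own MAC was learned here: a switch-to-switch link.
            result[port] = f"uplink to {', '.join(hits)} ({len(macs)} MACs behind it)"
        elif len(macs) == 1:
            result[port] = f"single end device {next(iter(macs))}"
        else:
            # Several MACs, none of them a known switch: an undocumented
            # switch, hypervisor or AP; worth a visit.
            result[port] = f"unknown aggregator ({len(macs)} MACs)"
    return result


# Constructed sample: the first switch's MAC table as (mac, port).
SAMPLE_MAC_TABLE = [
    ("001122-aaaaaa", "1"),
    ("001122-bbbbbb", "24"),        # switch-B's own management MAC
    ("00:11:22:cc:cc:cc", "24"),    # hosts behind switch-B
    ("0011.22dd.dddd", "24"),
    ("001122-eeeeee", "25"),
    ("001122-ffffff", "25"),
]

# Constructed inventory of the switches' own MACs and management IPs.
SAMPLE_INVENTORY = {
    "00:11:22:bb:bb:bb": "switch-B (10.0.0.2)",
    "00:11:22:99:99:99": "switch-C (10.0.0.3)",
}

if __name__ == "__main__":
    for port, what in map_ports(SAMPLE_MAC_TABLE, SAMPLE_INVENTORY).items():
        print(f"port {port:>3}: {what}")
```

A MAC table only lists addresses that have recently sent a frame through the port, so before exporting it, ping every switch's management IP from the switch you are mapping; the reply is learned on the port the fibre comes in on, which is what makes the uplink detection work.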



Ruckus WiFi Issue

Currently, I have a Zone Director 1200 and 13 R600 APs connected to it.

The WiFi randomly drops out and our users are not roaming properly from AP to AP.

We had a contractor come in and install all this equipment and make MULTIPLE setting changes, and it's still not working properly.

Does anyone have a clue what might be going on?



ipexpert videos

For those so inclined, i have collected and posted all of the ipexpert v5 videos in one playlist on my youtube channel.

I saved them from the clutches of the file share demons and other scams, primarily because they have no business making money from them.

https://www.youtube.com/playlist?list=PLLcWJondP8tK9V4T-cQ8OJy_Vwuefn--1



EXOS spanning a PVLAN across two switches

Hello.

 

I found a brief mention in the Extreme's EXOS user guide that it is possible to span a PVLAN across two switches. However I found no example as to how to achieve that.

 

My scenario is like this:

 

SWITCH 1:
  Port 1 - PC
  Port 2 - PC
  Port 3 - Server
  Port 4 - To switch 2 (to be configured)

SWITCH 2:
  Port 1 - PC
  Port 2 - PC
  Port 3 - Server
  Port 4 - To switch 1 (to be configured)

 

What is needed (that fits perfectly to a PVLAN):

  • PCs and Servers should be in the same VLAN
  • PCs cannot communicate with each other
  • PCs can communicate with servers
  • Servers can communicate with PCs
  • Servers can communicate with other Servers

 

Creating a PVLAN by itself is quite easy

 

# config for Switch 1 and Switch 2
create vlan net_vlan tag 10                                   # network vlan for servers
create vlan sub_vlan tag 100                                  # subscriber (isolated) vlan for PCs
create private-vlan pvlan                                     # pvlan creation
configure private-vlan pvlan add network net_vlan             # adding network vlan to pvlan
configure private-vlan pvlan add subscriber sub_vlan          # adding subscriber vlan to pvlan
configure vlan sub_vlan add ports 1,2 untagged                # PCs untagged ports
# For a network vlan in a PVLAN there are 2 options (it changes the egressing vlan tag out of the switchport):
# with the line below port 3 will receive traffic with vlan 10 (the network vlan)
configure vlan net_vlan add ports 3 tagged                    # server tagged port
# with the line below port 3 would receive traffic with vlan 100 (the subscriber vlan)
# configure vlan net_vlan add ports 3 private-vlan translated # server tagged port

 

With the above configuration I pretty much achieve what I want on a single switch. PCs cannot communicate with each other, only with the Servers. Servers can reach anyone.

 

The question is, how can I span the network/subscriber vlan between two switches keeping the isolation in the requirements?

 

What sort of configuration is necessary to apply to port 4 on switch 1 and switch 2 to span the PVLAN?

 

Thank you.



Just took CCNA today..tips

I took the combined CCNA exam about an hour ago. I did a bootcamp a few months ago and have been going through the test bank questions (MeasureUp, the Cisco-recommended one) for the last couple of weeks. I thought I was prepared. Nope.

First, there was a whole lot more "do this" than "what's this". In other words, be prepared to do a lot of command line work on the exam. Tab for auto-complete does not work, but ? and abbreviations do. As an example, my first question was setting up a numbered ACL to fill certain conditions like letting HTTP traffic through to a certain server from a certain host, but nothing else.

Know all the protocols. I saw several abbreviated protocols that I was like wtf? Know IPv6. Know what a valid IPv6 address looks like (be able to pick a valid address out from invalid ones). Know about broadcast, multicast and link-local messages.

Most importantly (at least for me), once you submit an answer, you cannot go back and look at it again. When taking exams, I usually skip questions I am not sure about, then go back and do those later, because often question 53 will give you part of the answer to question 27.

Note: While I review network configs as part of my job, I don't write them. There is a big mental difference between being able to edit someone else's work and writing your own. I need to spend more time doing labs.



High Availability on Cisco WLC 5520

Hi All

We have a Cisco Wireless LAN Controller (5520) running as a single point of failure. We have purchased another 5520 (both running the same OS now). We intend to put them into an HA configuration.

My question is:

Do I just need to set up the physical side & add the IP addresses of the interfaces / RA ports etc. and the rest of the config will sync once they reboot and form an HA pair?

i.e. Do I need to setup all SSIDs etc onto 2nd WLC before forming HA pair?

Thanks in advance



Book recommendations for core concepts of storage area networks

I've read through documentation provided by EMC "Network Storage Concepts and Protocols" however are there any "must read" books on the subject people would recommend?



Help with Fios gigabit Internet

I just got Fios gigabit Internet service. https://i.imgur.com/ani9QHc.jpg and this Asus router. I can’t seem to get WiFi speed higher than 120-140 or so. Right now I’m on my iPhone, my son is playing PUBG on his Xbox and I am watching Hitchhiker's Guide in Plex running at 8mb. 2 others are on their iPhones and my daughter's watching a movie on Netflix. Is all this traffic slowing it down or am I doing something wrong??

Any help would be appreciated. My son is mad because he keeps lagging. I ordered 100ft of Cat 5 to hardwire him as a last resort.



Open Source Needs

Do you have any desires for new tooling (Service Provider or DC) that would be useful for the network engineering community? This could be brand new tooling or additions to existing open source projects.



Is there a small 4-port or 8-port switch that supports enterprise features (vlans, 802.1x, PoE)

Don’t care the vendor. I know Cisco used to have that C3560-8-PS that’s actually a little big physically for what we’re looking for. Smaller is better. Absolutely has to do .1x, and vlans. The other stuff is somewhat negotiable.



Cisco COPP Filtering logic

I manage a couple of catalyst 6807XL switches in a VSS configuration. They have the default "policy-default-autocopp" copp policy in place and I would like to restrict ssh access to specific subnets and limit connections to just a loopback address.
I have seen contradicting info on the correct way to create the ACL for this.

My question is: do I create the ACL as shown below with reverse logic of a traditional ACL, or am I doing this wrong for this platform?

class-map match-all class-copp-ssh
 match access-group name acl-copp-ssh
!
policy-map policy-default-autocopp
 class class-copp-ssh
  drop
!
ip access-list extended acl-copp-ssh
 10 deny tcp 192.168.1.0 0.0.0.255 host 10.1.1.1 eq 22
 30 permit tcp any any eq 22
 40 deny ip any any
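The classification rule the question turns on, as an added example that is not part of the post: with `match access-group`, a packet joins the class when the ACL permits it, and the class action (here `drop`) is applied to class members only; a `deny` entry keeps the packet out of the class, so it falls through to the later CoPP classes. The model below parses the poster's own ACL text and runs constructed packets through it; only `eq PORT` is parsed and the CoPP behaviour is modelled, not the platform's hardware limits.

```python
"""Model of how an ACL referenced by a CoPP class with action 'drop' sorts
packets. Added example, not from the post. The ACL text is the one the poster
wrote; the packets are constructed. Rule being illustrated: 'match
access-group' puts a packet in the class when the ACL *permits* it, so with
the class action 'drop', permit = drop and deny = leave for later classes.
Only 'eq PORT' is parsed; range/gt/lt and 'established' are out of scope."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    action: str                     # 'permit' | 'deny'
    proto: str                      # 'ip' | 'tcp' | 'udp'
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None = any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(wildcard ^ 0xFFFFFFFF)   # invert the wildcard
    return ipaddress.IPv4Network((t, str(netmask)), strict=False)


def parse_acl(text: str) -> List[Ace]:
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0].isdigit():
            tokens.pop(0)                                   # sequence number
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = _addr(tokens), _addr(tokens)
        dport = int(tokens[1]) if tokens[:1] == ["eq"] else None
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def _matches(ace: Ace, pkt: Packet) -> bool:
    return (
        (ace.proto == "ip" or ace.proto == pkt.proto)
        and ipaddress.ip_address(pkt.src) in ace.src
        and ipaddress.ip_address(pkt.dst) in ace.dst
        and (ace.dport is None or ace.dport == pkt.dport)
    )


def in_class(aces: List[Ace], pkt: Packet) -> bool:
    """First matching entry decides; the implicit deny means 'not in this class'."""
    for ace in aces:
        if _matches(ace, pkt):
            return ace.action == "permit"
    return False


def copp_verdict(aces: List[Ace], pkt: Packet) -> str:
    return "drop" if in_class(aces, pkt) else "falls through to later classes"


# The poster's ACL, verbatim.
ACL_COPP_SSH = parse_acl("""
10 deny tcp 192.168.1.0 0.0.0.255 host 10.1.1.1 eq 22
30 permit tcp any any eq 22
40 deny ip any any
""")

if __name__ == "__main__":
    samples = [                                              # constructed packets
        Packet("tcp", "192.168.1.10", "10.1.1.1", 22),       # mgmt subnet -> loopback
        Packet("tcp", "172.16.5.5", "10.1.1.1", 22),         # elsewhere -> loopback
        Packet("tcp", "192.168.1.10", "10.1.1.2", 22),       # mgmt subnet -> another RP address
        Packet("tcp", "192.168.1.10", "10.1.1.1", 443),      # not SSH at all
    ]
    for p in samples:
        print(f"{p.proto} {p.src} -> {p.dst}:{p.dport}: {copp_verdict(ACL_COPP_SSH, p)}")
```

Read this way, entry 10 exempts SSH from 192.168.1.0/24 to the loopback, entry 30 hands every other SSH packet to the drop action, and entry 40 only restates the implicit deny. CoPP governs what reaches the route processor; it is not a substitute for `access-class` on the vty lines, which is still the control that decides who may log in.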



Friday, February 16, 2018

Default route race condition?!? (BGP <-> OSPF) Help!

Happy Friday Everyone,

I'm currently facing a problem that I can't find an answer for anywhere online, but perhaps I'm searching for the wrong things.

R1--------------R2
|               |
|               |
|               |
|______R3_______|

I have three routers, R1 and R2 are Juniper MX104 routers that are peering with our upstream ISP over BGP.

R1 and R2 have been instructed to inject a default route into OSPF on the condition that they have a default route from one of the peers. The conditional injection works properly on both routers, except that it seems whichever router announces its default route first wins, regardless of metric or external type. I'm able to toggle the selected default route by running a "clear ospf database all" on either R1 or R2. I can also see both external routes for 0.0.0.0 in the R3 OSPF database for a short period of time, before a route is selected. Relevant config info for R1 and R2 is below. Any help or direction would be greatly appreciated.

The current method I'm trying is shown below, but I've also tried generating routes using a policy and also tried using static routes with the no-install option. I've tried every option I could find online, so I'm hoping there's something obvious that I've missed.

Thanks for reading, and have a great weekend!

***** R1 *****
set protocols ospf area 0.0.0.0 interface ge-0/0/0
set protocols ospf area 0.0.0.0 interface ge-0/0/0 priority 200
set protocols ospf export ospf-default
set policy-options policy-statement ospf-default from route-filter 0.0.0.0/0 exact
set policy-options policy-statement ospf-default then metric 100
set policy-options policy-statement ospf-default then accept

***** R2 *****
set protocols ospf area 0.0.0.0 interface ge-0/0/0
set protocols ospf area 0.0.0.0 interface ge-0/0/0 priority 100
set protocols ospf export ospf-default
set policy-options policy-statement ospf-default from route-filter 0.0.0.0/0 exact
set policy-options policy-statement ospf-default then metric 200
set policy-options policy-statement ospf-default then accept

edit: I'm bad at ascii art.

edit: **** OSPF DATABASE AS PER REQUEST from /u/spann0r ****

*** Before "clear ospf database all" on R1 **************************************************

******* R1 **
R1> show ospf database external
    OSPF AS SCOPE link state database
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Extern  *0.0.0.0          70.70.70.100     0x80000003  2823  0x22 0xe3cc  36

******* R2 **
R2> show ospf database external
    OSPF AS SCOPE link state database
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Extern   0.0.0.0          70.70.70.100     0x80000003  2884  0x22 0xe3cc  36

******* R3 **
R3#show ip ospf database external

            OSPF Router with ID (80.80.80.100) (Process ID 100)

                Type-5 AS External Link States

  Routing Bit Set on this LSA
  LS age: 2937
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 0.0.0.0 (External Network Number )
  Advertising Router: 70.70.70.100
  LS Seq Number: 80000003
  Checksum: 0xE3CC
  Length: 36
  Network Mask: /0
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 200
        Forward Address: 0.0.0.0
        External Route Tag: 0

*** After "clear ospf database all" on R1 **************************************************

******* R1 **
R1> show ospf database external
    OSPF AS SCOPE link state database
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Extern   0.0.0.0          71.71.71.100     0x80000001   521  0x22 0xba90  36

******* R2 **
R2> show ospf database external
    OSPF AS SCOPE link state database
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Extern  *0.0.0.0          71.71.71.100     0x80000001   561  0x22 0xba90  36

******* R3 **
R3#show ip ospf database external

            OSPF Router with ID (80.80.80.100) (Process ID 100)

                Type-5 AS External Link States

  Delete flag is set for this LSA
  LS age: MAXAGE(3608)
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 0.0.0.0 (External Network Number )
  Advertising Router: 70.70.70.100
  LS Seq Number: 80000005
  Checksum: 0xDFCE
  Length: 36
  Network Mask: /0
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 200
        Forward Address: 0.0.0.0
        External Route Tag: 0

  Routing Bit Set on this LSA
  LS age: 17
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 0.0.0.0 (External Network Number )
  Advertising Router: 71.71.71.100
  LS Seq Number: 80000001
  Checksum: 0xBA90
  Length: 36
  Network Mask: /0
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 300
        Forward Address: 0.0.0.0
        External Route Tag: 0

******* R3 after a few moments ***************************
R3#show ip ospf database external

            OSPF Router with ID (80.80.80.100) (Process ID 100)

                Type-5 AS External Link States

  Routing Bit Set on this LSA
  LS age: 22
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 0.0.0.0 (External Network Number )
  Advertising Router: 71.71.71.100
  LS Seq Number: 80000001
  Checksum: 0xBA90
  Length: 36
  Network Mask: /0
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 300
        Forward Address: 0.0.0.0
        External Route Tag: 0

***** END **************************************************
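A minimal model of the "first announcer wins" behaviour, as an added example that is not part of the post. It assumes the Junos default route preferences (OSPF external 150, BGP 170) and two Junos rules: an export policy is evaluated only against the active route for a prefix, and OSPF does not re-export a route that was itself learned from OSPF. Under those assumptions the model reproduces what the database snapshots above show: the second router sees the first one's 0/0 external, that OSPF route (150) displaces its own BGP default (170) as the active route, the posted policy then has nothing exportable, and the second router originates no LSA.

```python
"""Why 'whichever router floods the default first wins': a minimal model of
Junos active-route selection against the posted OSPF export policy.

Added example, not from the post. Assumed: Junos default route preferences
(OSPF external 150, BGP 170); an export policy sees only the active route
for a prefix; and OSPF does not re-export a route it learned from OSPF.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

JUNOS_DEFAULT_PREFERENCE: Dict[str, int] = {"ospf-external": 150, "bgp": 170}


@dataclass(frozen=True)
class Route:
    prefix: str
    protocol: str      # 'bgp' | 'ospf-external'
    learned_from: str  # 'upstream' or the originating router


def active_route(candidates: List[Route], preference: Dict[str, int]) -> Route:
    """Junos installs the lowest-preference path; ties are not modelled."""
    return min(candidates, key=lambda r: preference[r.protocol])


def exports_default(candidates: List[Route], preference: Dict[str, int]) -> bool:
    """Does the posted policy ('from route-filter 0.0.0.0/0 exact then accept',
    no 'from protocol') cause a Type-5 for 0/0 to be originated?"""
    active = active_route(candidates, preference)
    if active.prefix != "0.0.0.0/0":
        return False
    # The route-filter matches whatever is active, but an OSPF-learned route
    # is never a candidate for OSPF export, so nothing is originated.
    return not active.protocol.startswith("ospf")


def converge(first: str = "R1",
             preference: Dict[str, int] = JUNOS_DEFAULT_PREFERENCE) -> Set[str]:
    """Both routers hold a BGP default. 'first' floods its LSA before the
    other router evaluates its own policy. Returns the set of originators."""
    other = "R2" if first == "R1" else "R1"
    bgp_default = Route("0.0.0.0/0", "bgp", "upstream")

    originators: Set[str] = set()
    if exports_default([bgp_default], preference):
        originators.add(first)

    candidates = [bgp_default]
    if first in originators:
        # The other router now also holds 0/0 as an OSPF external from 'first'.
        candidates.append(Route("0.0.0.0/0", "ospf-external", first))
    if exports_default(candidates, preference):
        originators.add(other)
    return originators


if __name__ == "__main__":
    print("defaults, R1 first     :", converge("R1"))
    print("defaults, R2 first     :", converge("R2"))
    tuned = dict(JUNOS_DEFAULT_PREFERENCE, **{"ospf-external": 175})
    print("external-preference 175:", converge("R1", tuned))
```

The third run shows the shape of a fix: once the OSPF external preference sits above BGP's 170 (`set protocols ospf external-preference 175` on both routers), each router keeps its BGP default active and both originate, so R3 can pick by metric as intended. An OSPF import policy rejecting 0.0.0.0/0 on R1 and R2 has the same effect, since OSPF import policy acts only on external routes entering the routing table. Adding `from protocol bgp` to the export policy alone would not help, because in the losing state the BGP default is inactive and inactive routes are not offered to export policy.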


Guest Network content/data filter

I'm utilizing the Ubiquiti UniFi controller to manage my guest networks across a number of clients and it works great! However, I have an issue with one client in particular who seems to have guests carrying viruses, or at least flagging our local ISP's systems enough to warrant not just an email but a phone call! I'm trying to put together a solution to direct all guest WiFi traffic through a proxy like Squid/pfSense and really tighten the reins on guests' ability to surf, without going overboard. I'm hoping there is a simple product (open source is cool but I'd be willing to pay if need be) that will prohibit the spread of worms/viruses and protect not just the guest from surfing dangerous websites but the Internet from some dirty person's laptop on the guest WiFi.



haha do any of you know the black magic spells for these supermicro switches?

specifically the XEM-002

specifically what the fuck is this "bridge port-type" nonsense?

specifically I need to configure trunk ports that actually pass frames to each other when they're members of the same VLAN id.

because despite all being members of VLAN 104, none...NONE see a single, solitary frame. and I have no idea why????

help.



VLAN tagging and a shoddy network

I’m a big noob when it comes to networking, but I was asked to assist in fixing our new wireless network with brand new Cisco Merakis. We had a consulting company do most of the setup, now they no longer work with us and no one documented anything.

For a while we were having constant disconnects, the authentications would fail (with AD), and the network would randomly crash and have to be rebooted. After days and days of googling and reading the manual, I decided to turn off some settings and see what would happen. First one I disabled was VLAN tagging. Everything now works perfectly. Not a single hiccup for 2 weeks now.

Can someone help me understand why this would fix our network?

Edit: disabled VLAN tagging on the access points



iPerf Alternative

Any alternative to iPerf for testing circuit throughput?



Recover WS-C3560-48PS with bad baud

Long story short, I locked myself out of this box at a remote site. Got someone to go into rommon and change the baud to 9600 (it was 115200 from a previous xmodem recovery) and now I can't get into the box via console. It's reachable by telnet but I can't log in, which is why we were trying a rommon reset (which didn't work, it kept getting the config from somewhere??)... either because I fat-fingered the password or something in the AAA.

I've tried the common bauds and also 179000. Is this thing DOA or is there some script I can try to run which can try all bauds? Is it even worth trying to recover this thing or should I just ship out a 3750X to the site?

It's currently connected usb->cisco console on a win server box.



Cisco 3650 stacked, Denali, MPLS nodes, best practice?

Hi all, does anyone see an issue with using stacked 3650s as a single MPLS node with multiple 1G and 10G layer 3 interfaces across both stack members?

This seemed like a great idea at first, but I've been running into a number of issues including a number of FED_L3_ERRMSG error messages in the log that seem to be more than a cosmetic issue. Main issue that I'm having seems to be stuck routes. When links go up and down, it looks like the L3 adjacencies come up okay, but it seems like certain traffic just ends up getting lost even though routes look okay.

Can anyone share their thoughts or best practices in this situation? Do I just have bad hardware?



Switch capacity CISCO ws-c 4510r+e

How can I measure the switch capacity of this switch? In the datasheets I don't see a specific number. Or, since it is a modular switch, do I need to check each card for its individual switch capacity?



HP Networking CLI Future

I've been working in a new job for a few months now and have an assortment of HP ProCurve model switches in the environment. Some switches run ProVision and others run Comware; I would like to standardize on one or the other. I myself have always liked the ProVision CLI and I hate the Comware CLI. I did some googling but couldn't find an answer to my question, which is: what will be the CLI of the future for HP network switches? I was wondering if anyone here knew.



I am that guy that you met working in a networking role that knows nothing.

I'm the guy this guy is complaining about: Have You Ever Met People Working In a Networking... Not the actual guy, I hope, but I've come to a pretty big, private manufacturing company with 35ish facilities across the US, Canada and Mexico. Through a lot of circumstances I have become the network lead on all things not core routing. I develop our configs for our sites from the layer 3 device down to the switch-port, specify standards for labeling and wiring etc... but I don't know anything I haven't had to fix.

Which comes down to my question: A colleague implemented a network change that segregated a flat /8 (using 100.0.0.0/8, hooray!) to a proper 10.x.0.0/16. It was a nightmare as it's a 28 switch network (all 48 port 2960s or X, now) with a C3850-24XS at the head. Several of the ports show multiple neighbors on the port. There are a couple of common threads, but I've gone through the entire chain a couple of times enabling "spanning-tree portfast bpduguard" and verifying nothing is hooked into itself. I can't find what I assume is the loop.

This is the thing that I need to know: Does LLDP use BPDUs the same way CDP does? This is, again, a manufacturing group, so many of the switches (even the Cisco industrials) will use MST instead of PVST and LLDP instead of CDP due to IEEE standards and licensing. Do I need to enable LLDP on all of these switches and see if any ports get shut down?

adding pic: https://i.imgur.com/tJpjxSw.gif edit: All of the above switches are actual neighbors some are just showing up on several ports.



Got a weird question/answer from a practice question on Cisco's website [CCNA Security]

Just got this question below while studying for CCNA Security:

Which type of VPN technology is likely to be used in a site-to-site VPN?

SSL TLS HTTPS IPsec

You Answered - IPsec

Correct Answer -SSL

Am I crazy here or shouldn't that be IPSec?? Like I said, this is straight off of cisco's website and is available for free.

In the VPN section:

https://learningnetwork.cisco.com/community/certifications/security_ccna/iins-v3/practice



Cisco IPSEC Tunnel with hidden local networks

I've got an IPsec tunnel that's up and working with AT&T. They require that the phase 2 IPs not be local LANs, but public IPs.

So, my phase 1 is X.X.X.132, and my phase 2 is on the same subnet as X.X.X.133. If I ping the remote router's loopback from .133, I get a reply. If I do a one-to-one NAT of .133 to one of my LAN IPs, I can ping their local loopback as well.

The tunnel is intended to hide our local LANs, and they will only accept traffic from my local .133 address. I've spent all day trying to set up overloading from my local LAN to my phase 2 IP, routing, etc. and I can't make it work.

Anyone have any suggestions? I can post a config if you'd like.

EDIT: IOS, I can put in an ASA if needed though. Config: https://pastebin.com/WYG6naAv

I tried...

ip nat pool inside_pool 2.0.0.133 2.0.0.133 prefix-length 32
ip nat source route-map NAT-SOURCE-NETS pool inside_pool overload
ip nat outside source route-map NAT-SOURCE-NETS pool inside_pool

and a lot of other items, with different routing.



How do I set up connections for my two Xboxes?

Hi, I live in an apartment complex. I have a modem installed connected to a coaxial cable in my living room. It provides WiFi.

I have an Xbox in the living room, and an Xbox in a bedroom. I can route an Ethernet across the living room from the modem to the living room xbox, but I don’t have much of an option for the bedroom one.

I have Ethernet connections in the wall in the living room. I called my ISP and they said to connect the modem to an Ethernet in the wall, and then plug a router into the wall and into my Xbox. But there’s no Ethernet in the wall near my modem in the living room?



Repairing network rack stripped threads

Drill the old screw out of course, if you have to.

Obvious next steps:

  • Re-tap with the same size and hope there's still enough metal to hold
  • Re-tap with a larger size and just suffer with the weirdness of having an offsize screw there

But what about other options?

Has anyone ever tried a helicoil in a rack? I'm not sure if the few mm of steel on a rack is enough to use one. I've used helicoils to repair messed up threads on other hardware (things that go thump) but usually it is into a good sized chunk of metal.

Has anyone ever put JBWeld into the stripped hole and then drilled/tapped it afterward?

Edit: What about a clip with a captive nut on it, that just slips onto the rack and replaces the threads? Oh they're called 'clip nuts'



Cisco ISE 2.2 - Internal Network User account creation - SMTP

When creating an internal network user account, we can input the user email address. If ISE 2.2 is configured for SMTP, are we able to send the account information to the email address listed in the new account?

I know we can do that for Guest access, but I've never done it for Internal Network Users.



Question about RIPv2 and Juniper and Cisco routers.

Hi,

I am very new to networking but am trying to learn as much as I can. I have a lab set up where I am trying to get a Juniper router and a Cisco router to talk to each other through RIPv2.

I have reached a point where I am stuck and can not get further. I have some simple questions.

Do I need to set a loopback ip address for the cisco and juniper routers and add that in to the ripv2 configuration on each side?

The problem I am having is I cannot see a route from the Cisco to the Juniper router or vice versa the way my configuration is. I have tried figuring it out on my own, but my google-fu is lacking, and I think my just general lack of knowledge.

Any help is appreciated. If needed I can post my configs. Thanks in advance.



Best Method to Extend Layer 2 and Layer 3 Between Two DCs Over 1 Wave

I'm connecting two DCs with 1 x 10Gbps wave into a Layer 3 switch on each side. Part of this requirement is to:

  • Have L3 between both DCs for MPLS / public IP routing
  • Have L2 between both DCs for HA failover for firewalls

What is the best method for this? Do I have a routed connection between sites with an EoMPLS / Loopback cable to extend Layer 2 or do I extend Layer 2 directly between sites and use SVIs for routing?

https://imgur.com/BgY0eGL



HP network printer loops from a connected/disconnected state on the network.

There's an HP printer at my office that constantly goes from an online to an offline state all day. (Offline as in I can't access the GUI not just showing offline on the print server) It has a static IP address outside of our DHCP scope so that isn't the problem. I can plug another printer in that uses the same IP address and that printer will stay connected just fine so that rules out something basic like a bad network cable or bad switch port. I did an nbtstat -a on the printer's IP and got a MAC address of 00-00-00-00-00-00 could the NIC card of the printer itself be bad?



CISCO ASA with RSA GROUP-LOCK

Hi All,

I am trying to create multiple groups using RSA to lock down users to specific access. I cannot use LDAP/AD here. With RSA, if I create an RSA profile and assign it to a client then it will only specify one group. How can I make it so I can attach multiple RSA profiles to a RADIUS client? I want to accomplish an AnyConnect setup where group A only has access to X, group B only has access to Y and group C only has access to K. I found this information below, but again it locks down to only one group: https://supportforums.cisco.com/t5/aaa-identity-and-nac/asa-anyconnect-radius-group-lock-with-rsa-authentication-manager/td-p/2496136

  1. Create RADIUS profile:
     RADIUS -> RADIUS Profiles -> Add New
       • Profile Name: group1
       • Return List Attributes: Attribute: Class, Value: group-GP1 -> Add -> Save
       • Profile Name: NoVPN
       • Return List Attributes: Attribute: Class, Value: NoVPN -> Add -> Save

  2. Create RADIUS Client:
     RADIUS -> RADIUS Clients -> Add New
       • RADIUS Client tab: Client Name: ciscoasa; IP Address: Cisco ASA's IP address; Make/Model: Standard Radius; Shared Secret: your designated shared secret
       • RSA Agent tab: RADIUS profile: NOVPN

  3. Associate user account to RADIUS profile:
     Identity -> Users -> Manage Existing
       • Search for user -> click on user -> Authentication Settings
       • User RADIUS Profile: group-GP1

Thanks



How secure is TACACS.net?

From my previous post I started looking into TACACS.net. I'd like to go with the free version but I see it does not come with security updates and the latest version is from 2015. So for anyone that uses the free version, are there any known bugs/vulnerabilities? Windows NPS had one DoS vulnerability which was patched so I want to know if TACACS.net has any I should know about.



Server farm access layer architecture for Dell switches. Stack or MLAG?

Hi gurus,

I'm currently designing the networking in a rack for a small server farm made of 5 servers (just draw 3 on the pic for clarity). https://imgur.com/a/7SNJL

Client has already bought N4032 and have to use them, so maybe some of you had experience with similar equipment, or has another view of how to set up this design.

I see so far two possible options:

- Option 1 (stacking):

Dell Switches interconnected with Stacking.

Server NICs on LACP to each of the switches.

Pros:

-Easy to set up.

-Switches operate as a single unit to manage.

-Quick failover? Still need to test it, don't know how it will behave if just a link is failing, not the whole switch for failing over.

-It will simply work.

Cons:

-Disruptive firmware update (updating firmware reboots both switches at the same time)

-No load balancing, or active/active links.

Option 2 (MLAG):

Dell Switches interconnected with MLAG.

Server NICs on LACP to each of the switches. (is this correct, will LACP work?)

Pros:

  • Both switches operate as a single switch.

  • Separate control panels.

  • Active/Active links, yeah!

Cons:

  • Never have set it up, so don't know really how is working in real life.

  • How to connect the servers to the Switches, just a LACP group with two nics on the server, to another LACP group in each port of the switches?

  • Not so tested? Don't know about this.

Hope someone already had a go with this and can enlighten me a bit as I'm quite undecided. Many thanks folks! :)



Have you ever met people working in a networking field with zero knowledge?

Working with co-workers who don't know what STP, LLDP or BPDU mean, but they manage the network.

I dunno what to think about it but it makes me so sad. I'm just so disappointed that these people get paid much more than me and know at least half as much.

Should I leave and find a better company with zero pseudo-experts?



How do you arrange and decorate your office?

Interested in hearing how you arrange the furniture and "pimp" your office to make it a more creative workplace, without pushing it too far and turning it into a kindergarten.

Do you have a preferred way to arrange the desks? What posters/paintings do you have on the walls? Plants? Table games? etc...



HELP!!! Recently purchased a used 3500XL Catalyst switch, naturally I do not have the enable password. I am attempting to reset the switch to factory default but have been unable to do so... holding the "Mode" button down as most forums suggest doesn't do a thing... the switch just boots normally.



F5 LTM - How do I preserve source IP?

Is the only way to do this by putting my servers on the same L2 domain and using F5 as default gateway? Looks like maybe I can use an iRule and log the traffic locally and then forward on that way. That's less than ideal. Anything I'm missing?

FYI, this is TCP traffic, not HTTP so XFF is not an option.



Android phones spamming “large icmp packets” to default gateway?

We have a Juniper SRX acting as gateway/firewall for a guest network. Lately it was throwing 3k-5k syslog messages an hour all for screen alerts.

It keeps saying “large icmp packet received source: <guest device ip> dest: <our srx’s ip>

In our IAP portal I can see all the clients sending them are Android OS devices.

I pulled a pcap and it looks harmless at first glance. Just the phones sending icmp echo requests to their default gateway, packet size usually around 1026 bytes few around 1200-something bytes.

Not sure why they do this, but the SRX definitely feels it’s under “attack.”

I thought I’d be able to Google this easily but I can’t really find well-documented evidence that Android phones natively do this.

Any advice? I mean I could turn that screen option off, but I’d kinda like to understand what’s actually going on a little more.
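An added example, not from the post: a standard-library Python script that walks a libpcap capture and reports every ICMP packet whose IP total length exceeds a threshold, then counts them per source. The 1024-byte cutoff is assumed to be what the Junos "large ICMP packet" screen uses (the 1026-byte pings above would trip it), so confirm it against your SRX release. The capture it runs on is constructed inline: two oversized echo requests, one ordinary ping and a big UDP datagram that must be ignored.

```python
"""Find oversized ICMP packets in a libpcap capture.

Added example (not from the post). Pure standard library: walks an Ethernet
link-type pcap, picks out IPv4/ICMP frames and reports those whose IP total
length exceeds a threshold. 1024 bytes is assumed to be the cutoff the Junos
"large ICMP packet" screen uses; confirm it against your SRX release.
"""
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
IPPROTO_UDP = 17
LARGE_ICMP_THRESHOLD = 1024  # assumed Junos screen cutoff, in bytes of IP total length

# libpcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen, linktype 1 (Ethernet)
PCAP_GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def build_ipv4_frame(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed sample input: Ethernet/IPv4 frame around an L4 payload (checksums left zero)."""
    total_len = 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    eth_hdr = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + payload


def icmp_echo_request(data_len: int) -> bytes:
    """ICMP type 8 code 0 with fixed id/seq, followed by data_len bytes of padding."""
    return struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"\x00" * data_len


def build_pcap(frames) -> bytes:
    """Wrap frames in a classic little-endian pcap file (constructed sample data)."""
    out = bytearray(PCAP_GLOBAL_HEADER)
    for i, frame in enumerate(frames):
        # per-record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1518800000 + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


def iter_frames(pcap: bytes):
    """Yield raw link-layer frames from a classic pcap file in either byte order."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def find_large_icmp(pcap: bytes, threshold: int = LARGE_ICMP_THRESHOLD):
    """Return (src, dst, ip_total_len, icmp_type) for every ICMP packet longer than threshold."""
    hits = []
    for frame in iter_frames(pcap):
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != IPPROTO_ICMP or total_len <= threshold or len(ip) <= ihl:
            continue
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        hits.append((src, dst, total_len, ip[ihl]))
    return hits


def offenders_by_source(hits):
    """Count large-ICMP packets per source address, most talkative first."""
    return Counter(h[0] for h in hits).most_common()


# Constructed sample capture: two oversized echo requests, one normal ping, one big UDP datagram.
SAMPLE_PCAP = build_pcap([
    build_ipv4_frame("10.20.30.41", "10.20.30.1", IPPROTO_ICMP, icmp_echo_request(998)),   # IP len 1026
    build_ipv4_frame("10.20.30.42", "10.20.30.1", IPPROTO_ICMP, icmp_echo_request(1200)),  # IP len 1228
    build_ipv4_frame("10.20.30.41", "10.20.30.1", IPPROTO_ICMP, icmp_echo_request(56)),    # IP len 84
    build_ipv4_frame("10.20.30.43", "10.20.30.1", IPPROTO_UDP, b"\x00" * 1400),            # not ICMP
])

if __name__ == "__main__":
    hits = find_large_icmp(SAMPLE_PCAP)
    for src, dst, length, icmp_type in hits:
        print(f"large icmp: {src} -> {dst} ip_len={length} type={icmp_type}")
    print(offenders_by_source(hits))
```

Point it at a real file with `find_large_icmp(open("guest.pcap", "rb").read())`; it reads classic pcap only, so save pcapng captures as pcap first. Per-source counts and the ICMP type column are what tell you whether this is a handful of phones doing connectivity probes or one host doing something else, which is worth knowing before you silence the screen.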



Core design using layer 3 switches

Curious to see if one way is better than another or if I'm missing something more important.

Let's say I have a collapsed core network of 6 Cisco 3850 layer 3 switches. They are connected in a ring since that's the only amount of connections available.

Is it better to make the connections between them routed ports and assign /30s to each link or have the core be a common vlan and addressed in a /29? (Assuming you will never expand the core).

I know making the ports routed eliminates STP and a tiny bit of overhead.

Is there any benefit to going one way vs the other? I feel like I'm missing something.



CMNO Certification

Has anyone taken the CMNO (Cisco Meraki Network Operator)? My boss recommended that we both take it while our new building is getting set up. Just curious if it’s even hard since it recommends that you have a CCNA.



Am I misunderstanding something, or is ISR G2 licensing basically just the honor system?

How I currently understand it:

  1. [Technically optional, but ethical] Buy the license
  2. Enable evaluation for said license
  3. Convert license to right-to-use.

No dealing with any PAK import or anything?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



End-User Experiences of a Residential ISP Bandwidth Bottleneck

General layperson questions: If a 50% bottleneck exists at a certain utilization rate, is it reasonable to expect that speeds would decline 50%, i.e. in proportion to the size of the bottleneck? Do all ISPs employ some form of QoS in the event of congestion?

If I have a 20mbps provisioned line and someone else has one at 10 on my DSLAM, am I twice as likely to draw bottlenecked data as my competitor?

Thanks a lot!



Thursday, February 15, 2018

Cisco ASR 9000: 10gb interface to 4gb provider handoff (Comcast ENS)

I have 3 Cisco ASR 9000 series routers each connected to a 4gb Comcast ENS connection. I have IPSLA probes configured which are showing 10% loss over the Comcast connection, does anyone know of any settings on the interface that should be in place to prevent this packet loss? I have had 3 tickets open with Comcast and they don’t see an issue, any ideas would be greatly appreciated.

Thanks!



Issue with Cisco AnyConnect VPN

We are a big organization in which hundreds of users remotely login to our enterprise network for official work. We have deployed cisco vpn with RSA radius authentication. Now some users require a static ip when they connect to a particular vpn gateway which we assign through RSA radius. The problem is some of the users are not getting the static ip which we assigned, few days it will show the correct static ip other days it will give a different one. We tried un-assigning and reassigning but didn't work. I am new in this, please help.



Question on Replacing Riverbed Physical Appliance with Steelhead-V

I am a little confused and have read the configuration guides for Steelhead-V a couple times. Today we have an inpath Steelhead and are looking to replace it with a virtual one. I get that on the ESXi Box we will create a virtual network for "WAN" and one for "LAN" but I cant wrap my head around how to simulate it being inline. I know WCCP is an option but I would believe by now there is either another redirection method or a way to make it seem like it is truly inline.

Has anyone deployed a Steelhead-v in place of their physical Steelhead and care to share the way they chose to configure it inpath?



Cisco 3850 web gui

So I have installed my brand new Cisco 3850 pair of switches and cabled them together with a StackWise connector. Followed the manual for smart setup and could not get smart setup to work for some reason. Consoled in instead and gave the stack an IP address. Made an account and applied level 15 access. I can log in via browser but pretty much none of the hyperlinks work, the status picture at the top works but pretty much nowt else. Any ideas? I have tried several browsers: Chrome, Firefox and IE11.



WiFI RADIUS Authentication using EAP-PEAP-MSCHAPv2

I am attempting to setup machine based authentication on a NPS RADIUS server using EAP-PEAP-MSCHAPv2. I understand that the NPS server needs a server certificate which we do have issued from Incommon. This is selected within the NPS PEAP settings to use the issued certificate installed on the server. On a Windows 8 client I configure the WiFi profile to use the SSID that is setup to use the NPS server from the WiFi controller. Whether I check to validate the certificate or not, connecting fails at the client and there is an error on the NPS server for the connection of “The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.” I am not sure if the certificate is the underlying issue with this error or not. While troubleshooting this for the past few hours I read how the certificate CA needs to be in the Trusted Root Certificate Store, which Incommon is not in the Trusted but in the Intermediate CA store. Just for testing purposes I did install the certificate issued from Incommon to the client and manually installed it to the Trusted Root store but that made no difference. Any thoughts on what could cause this? Thanks



SDWAN

Would love to talk more about protecting your network. Enterprise grade cellular modems in-conjunction with name brand routing appliances. There are options :)



How do I tell my DNS server to update its cache?

When I'm on my corporate network, and a new AWS FQDN is created, it takes 15 minutes before the DNS record is resolvable.

But from outside the network, it's almost immediate. This tells me that:

  A. The AWS record is properly updating in top-level DNS servers
  B. Our internal DNS server is not syncing/caching with its nearest DNS server (ISP, Google, etc.) for ~15 mins.

I think it has to do with tweaking the TTL for externally resolvable FQDNs but I could be totally wrong. Hence the reason I'm posting here. Can any pros here tell me how I can tell my internal DNS server (Windows) to check the records of the next DNS server more quickly so that we can resolve the AWS domains sooner?
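An added example, not from the post: the RFC 2308 negative-caching rule, which is one common reason a freshly created name stays unresolvable for a fixed window from behind a caching resolver. When the authoritative server answers NXDOMAIN, the resolver caches that answer for min(SOA TTL, SOA MINIMUM), both taken from the SOA record in the authority section of the reply; a resolver that was asked about the name before it existed keeps answering NXDOMAIN until that timer expires. The SOA line below is constructed sample data in the shape Route 53 hands out; run `dig +noall +authority <name>` against your own zone to see the real values.

```python
"""Why a brand-new name can stay unresolvable from behind a caching resolver.

Added example, not from the post. Implements the RFC 2308 negative-caching rule:
an NXDOMAIN answer is cached for min(SOA TTL, SOA MINIMUM field), read from the
SOA record the authoritative server returns in the authority section.
The SOA values used here are constructed sample data.
"""
import re

# Presentation-format SOA line as printed by `dig +noall +authority <name>`
SOA_RE = re.compile(
    r"^(?P<zone>\S+)\s+(?P<ttl>\d+)\s+IN\s+SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)\s+"
    r"(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+(?P<minimum>\d+)\s*$"
)


def parse_soa_line(line: str) -> dict:
    """Parse one SOA record line into its named fields (integers where numeric)."""
    m = SOA_RE.match(line.strip())
    if not m:
        raise ValueError("not an SOA record: " + line)
    soa = m.groupdict()
    for key in ("ttl", "serial", "refresh", "retry", "expire", "minimum"):
        soa[key] = int(soa[key])
    return soa


def negative_cache_ttl(soa: dict) -> int:
    """RFC 2308 section 5: a negative answer is cached for min(SOA TTL, SOA MINIMUM)."""
    return min(soa["ttl"], soa["minimum"])


def seconds_until_visible(soa: dict, seconds_since_miss: int) -> int:
    """Remaining time a resolver that cached NXDOMAIN `seconds_since_miss` ago will keep returning it."""
    return max(0, negative_cache_ttl(soa) - seconds_since_miss)


# Constructed sample: authority section returned for a name that was queried before it was created.
SAMPLE_AUTHORITY = (
    "example.com. 900 IN SOA ns-1234.awsdns-56.org. awsdns-hostmaster.amazon.com. "
    "1 7200 900 1209600 86400"
)

if __name__ == "__main__":
    soa = parse_soa_line(SAMPLE_AUTHORITY)
    print("negative cache TTL:", negative_cache_ttl(soa), "seconds")
    print("still NXDOMAIN for:", seconds_until_visible(soa, 120), "seconds after the first miss")
```

With these sample values the resolver keeps the "no such name" answer for 900 seconds, i.e. 15 minutes, regardless of how short the TTL on the new record itself is. The timer is controlled by the zone owner (lower the SOA TTL before creating records that must appear instantly) or cleared by flushing the resolver after the record exists (`dnscmd /clearcache` or `Clear-DnsServerCache` on a Windows DNS server); the other lever is simply not asking the internal resolver for the name until the record has been created.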



I have to add 750 ports to a building - suggested setup?

I've never had to add that many before. Most port counts I deal with can be housed in a single, unstacked switch. I already have 3 HP 5400zls in use in the closet these ports will be added to.

As of right now, there won't be a ton of data flowing over these ports, but who knows what the future will hold. We will have about 150 ports of HD IP TV, 150 ports of surveillance cameras and the rest will be random endpoints PCs and whatnot. 100Mb layer 2 is all I need...for now. We're in the very early stages of this so I just want to start wrapping my head around what gear might be best. Our whole environment consists of about 15 HP 5400zl switches. Any suggestions to what I should start looking at?



Has anyone used Ubiquiti for a hotspot with a portal with user data capture?

I've been trying to make a hotspot for public events but have people put in their name, email and company and capture that to a database. I'm using a few UniFi AP-AC-LR with a UniFi Security Gateway 4P.



Slow speeds caused by switch?

Let me first state that I am far from a technological professional, I'm youtube educated when it comes to building my own home network. With that being said, I am running into speed issues somewhere. Bear with me as I walk you through this with what little knowledge I have on the subject.

I recently bought a Cisco SG200 and this TrendNet patch and a Netgear Nighthawk and went to work setting up my gigabit home network including a security camera system.

Ran all the cabling (cat5e). Got all of the cabling punched into the patch, and wired into the switch. Tested each drop as I was terminating them to see if 1. I had internet, and 2. It was the speeds that I pay for from Comcast (gig). Everything checked out and I was getting gigabit speeds. Finished all that up and did the cameras too.

Went to run a speed test when all was said and done and I am getting 1.2Mbps down and 2Mbps up. I know IP cameras can take up a lot of bandwidth but it shouldn't be that much. Nonetheless I disconnected all the cameras and the NVR (camera equipment) from the switch to just run the internet, still slow speeds. So I tried to isolate the switch by running straight from the patch to the modem, and it wasn't even picking up internet. Just kept giving me "Unidentified network. No network access." Which makes no sense to me, from what I understand the patch should be transparent.

Defeated and confused, I plug everything back into its spot on the patch and switch and I have internet again, but still slow. Contacted a buddy of mine who is smarter than I in this area and he suggested logging into the modem to see if I could find settings on the port...couldn't. He also thought DHCP settings would be the problem, Netgear Genie failed again, nowhere to be found. So he thought maybe the switch was requesting DHCP and turns out that the 200 series of switches does not have being a DHCP server as a feature.

So I have no clue. I'm open to all suggestions, comments and criticisms and will take pictures and videos walking through what all I've done if need be.



NetDisco vs NetDB

I've been using NetDB for a while to track MAC addresses and switchports in our network. I'm not a Linux expert and have just been using the VM with NetDB pre-installed. One feature I like is that I can see switchports that have been unused for a particular amount of time. I am considering moving over to NetDisco since it seems to be supported pretty well and is still being updated. NetDB, on the other hand, hasn't been updated for a long time. Does NetDisco have a feature where I'm able to view unused switchports?



Anyone fans of MACsec?

It's fairly simple to understand and set up. Works at line rate. Minimal configuration required compared to its L3 cousin IPsec (of course IPsec can be deployed in a vast variety of ways whereas MACsec works only hop to hop).



MXL configuration and TOR switching

Hi there,

I'm a network wannabe, but desperately trying to piece together some robust knowledge allied with some solid 'in the field' experiences.

My latest experience involves the wonderful world of Dell M630 blades and MXL and my question is on the breakout from the x520 dual port 10Gb on the blades. ESXi 6.5 will run on each blade, but with vSphere Standard licensing so no distributed vSwitches and therefore no NIOC. So the two ports will be teamed at the ESXi host level and run all of the virtual machine data

There are two unstacked MXL in the M1000e chassis, in A1 and A2, so each MXL hits one of the 10Gb ports on the x520. Each MXL is equipped with a FlexIO 4 port SFP module for connection to TOR switches.

Internally I see the 2 x 10Gb as an active/active connection. It is the breakout from the MXL to the TOR I am trying to establish. I understand that the TOR switches are also not stacked.

There is:
- one 40Gb cable from A1 going to LAN network switch 1
- one 40Gb cable from A2 going to LAN network switch 2
- one 10Gb fiber connection from A1 going to Mgmt network switch 1
- one 10Gb fiber connection from A2 going to Mgmt network switch 1
- one 10Gb fiber connection from A1 going to Corp network switch

So:
For the LAN network we have 40Gb uplinks from two different, unstacked MXL going into two different TOR switches.
For the Mgmt network we have two 10Gb uplinks from two different unstacked MXL going into the same physical TOR switch.
For the Corp network we have one 10Gb uplink going to one TOR switch

My questions are around resilience and whether, because we have teamed the ESXi ports, that, with the LAN network, the TOR switches are able to receive traffic from each MXL and route accordingly to the destination. The problem I see is that if one TOR switch or one MXL went down then destinations behind that switch would be unavailable (but all ESXi resources would be available as the teaming would be able to route via the other TOR switch/MXL). Would this equate to a LAG?

Regarding the Mgmt network, the two uplinks from MXL A1 and A2 go to the same switch so my belief is this would simply need to be aggregated at the TOR level?

Many thanks for reading - if you got this far



Speccing Routers

Hey guys with the below image : https://imgur.com/mWoBPks

How would you approach speccing the right devices ?

I do not have info on any special protocols or vendors they prefer but it will most likely be Cisco.

I have asked for more information but was wondering what I can look at in the mean time.



How do you permanently remove a switch from a stack? (Cisco)

I have 4 Cisco Catalyst 3650s in a stack, sw1-sw4 for simplicity.

I had to do some renumbering to get them all in the order that I wanted where the physically top switch is sw1 and has g1/0/1-g1/0/48, the second switch was sw2 and so on and so forth.

My issue is that I had made one of the switches number "5" while shuffling them around, and now I have 5 switches showing up when I run #show switch and I have g5/0/1-48 in my config.

I've already issued the #no switch 5 provision ws-c3650-4pd command, but now the #show switch output just lists the 5th switch as "unprovisioned".

What am I doing wrong or missing?



Cisco Voice - BE4K

Hi Everyone,

Just a broad-strokes question on the Cisco BE4K. Has anyone implemented successfully? How has the overall experience been? Any challenges/shortcomings with ongoing support or featuresets?

I have a few clients with old UC500's that are in need of replacement, BE6K ends up a little cost prohibitive. With the BE4K being fairly new to market, I just don't want to run into another fiasco that was the Cisco BE3K.



Using Cisco ISE for Device Administration, but with Radius instead of Tacacs+.

Basically the title covers it. I realize that tacacs+ would be the preferred method, but we didn't get that license.

Presently, anyone that succeeds authentication with AD can log in to our network devices, too.

I've seen some mention that while you can't use authentication to prevent this, you can use an authorization policy to make sure that once they are logged in, they can't actually run any commands.

I'm thinking this would be our best bet, so if anyone knows how this is accomplished or can link to a guide, that'd be super appreciated. I spent most of the day yesterday trying to find a way to do this with radius, but to no avail.

Edit: Thanks guys, I've got it working now, once y'all pointed me in the right direction



Flat Network QOS

I know networking but don't have much experience. A voice VLAN is needed. I believe in order to have another VLAN I need another DHCP scope?

Also I will be turning on auto QoS on Cisco, but any suggestions on QoS on the routers?



ISR4k & SPAN

TLDR: Does SPAN/Monitor traffic count against the throughput feature license on an ISR4K (specifically a 4331)?

The ISR4K line is a decent little box, except for the throughput 'feature' license which grinds my gears every time I have to deal with it.

I need to get a long-running packet capture to troubleshoot a nagging video QoS issue (playing the carrier blame game) from a remote site where we're using one of these as our CER, but it's a pretty high throughput site on a 1G circuit which is already hitting the max 1G aggregate throughput limit on a 4331. I'm concerned whether the SPAN traffic would count against that throughput license and am completely failing at finding a clear answer in Cisco's documentation, plus I don't have an ISR4K of any variety in our lab since this site was recently brought on as part of an acquisition.

The next step is to ship out a TAP but I'm waiting on it to come back from another site so that's still a couple days out at least.

Anyone able to confirm whether or not SPAN traffic would count against that throughput cap?



Load balancing to servers from nx or ios

Hello,

I need to perform load balancing to 2 physical servers sitting on a Nexus 5k switch. Is this doable? If not, I can optionally move them to an IOS switch 6800.

Any help appreciated



Users getting Google search error "Our systems have detected unusual traffic from your computer network."

Has anyone else dealt with this error? Image.

I've tried to look at http traffic between our network and Google's but everything looks normal.



Monitoring - Zabbix - Interactive Maps

I found it on zabbix forum and i gave it a try. It provides an extra tab in the menu for interactive maps: https://github.com/RussianFox/imap/tree/Zabbix3.4

Has anybody used it before? At the moment I'm not able to add hosts in the map. There's no such a functionality (like a tab/button/menu) visible. Is there any further configuration needed?



Question about dealer pricing ($$$$) Vs. online stores ($)

The company where I work is looking to expand network capacity. We currently have a few different sizes of Cisco switches, and need to get some more that are compatible. Our contract IT person sent a quote from Dell for 4 "Cisco SG300 Series 28 Port Gigabit PoE Managed Switches" at a cost of $1,015 each.

Doing a search for the same model, I found it at Amazon and NewEgg for no more than $373 each.

Can someone help me understand the huge disparity in pricing? I'm trying to think of a reason for the difference, but I just can't. Thanks!



OpenVPN on EC2 instance using router's OpenVPN setup (TP Link Archer C1200)

I'm trying to set up my a VPN using my router as my server. It's super simple to set up (windows setup) and access from a windows machine, but I am having issues getting it to work with a linux/ubuntu EC2 instance on AWS.

After going through getting OpenVPN downloaded and getting my config file on the machine:

    sudo yum install openvpn
    aws s3 cp s3://blah/OpenVPN-Config.ovpn ~/

i get the following logs:

    $ sudo openvpn OpenVPN-Config_new.ovpn &
    [1] 4767
    Wed Feb 14 03:36:25 2018 OpenVPN 2.4.4 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 1 2017
    Wed Feb 14 03:36:25 2018 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.08
    Wed Feb 14 03:36:25 2018 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Wed Feb 14 03:36:25 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]my_home_ip_address:open_port
    Wed Feb 14 03:36:25 2018 UDP link local: (not bound)
    Wed Feb 14 03:36:25 2018 UDP link remote: [AF_INET]my_home_ip_address:open_port
    Wed Feb 14 03:36:26 2018 [server] Peer Connection Initiated with [AF_INET]my_home_ip_address:open_port
    Wed Feb 14 03:36:27 2018 TUN/TAP device tun0 opened
    Wed Feb 14 03:36:27 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Wed Feb 14 03:36:27 2018 /sbin/ip link set dev tun0 up mtu 1500
    Wed Feb 14 03:36:27 2018 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
    RTNETLINK answers: File exists
    Wed Feb 14 03:36:27 2018 ERROR: Linux route add command failed: external program exited with error status: 2
    RTNETLINK answers: File exists
    Wed Feb 14 03:36:27 2018 ERROR: Linux route add command failed: external program exited with error status: 2
    Wed Feb 14 03:36:27 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Wed Feb 14 03:36:27 2018 Initialization Sequence Completed

from what i can see and what i was able to google (example), i need to modify the server's config file. Since this is configured by my router and i don't have access to these files, i'm not sure what i can do.

Looking through tp-link's FAQ also doesn't open up much help because they don't show open source OS's on their setup (link to FAQ query). I'm not sure if this is because it can't work or if it's just not the typical user so they don't build out that support.

My requirements are:

1) I must route all traffic from my EC2 instance through my local IP

My questions are:

1) can i solve this by modifying my client.ovpn file?

2) are there routers that can set up a server as simple as the one on this router but work with Linux machines or should I instead build a server through a raspberry pi?
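An added example, not from the post and not OpenVPN's own code: a small linter for a client .ovpn profile that flags the two warnings in the log above and the directive the "route all traffic" requirement depends on. The "No server certificate verification method has been enabled" line is the important one: without `remote-cert-tls server` (or `verify-x509-name`) the client accepts any certificate signed by the profile's CA as the server, including another client's, which is the MITM the warning links to. The profiles below are constructed sample input; the hostname, port and inline key material are placeholders.

```python
"""Lint an OpenVPN client profile for the problems an OpenVPN client log warns about.

Added example, not from the post or from OpenVPN itself. Parses .ovpn text
(directives plus inline <ca>/<cert>/<key>/<tls-crypt> blocks) and reports:
  * no server certificate verification (remote-cert-tls server / verify-x509-name)
  * no control-channel authentication (tls-auth / tls-crypt)
  * auth-user-pass without auth-nocache
  * no 'redirect-gateway def1' when all traffic is supposed to use the tunnel
  * no CA at all
The two profiles at the bottom are constructed sample input.
"""
import re
from typing import Dict, List


def parse_ovpn(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the list of argument lists it appears with.
    Inline blocks such as <ca>...</ca> are recorded under the tag name with a marker argument."""
    directives: Dict[str, List[List[str]]] = {}
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:
            if line == f"</{block}>":
                block = None
            continue  # PEM / key material inside a block is not a directive
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            block = m.group(1)
            directives.setdefault(block, []).append(["<inline>"])
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def lint_ovpn(text: str, want_full_tunnel: bool = True) -> List[str]:
    """Return human-readable findings; an empty list means the profile passed every check."""
    d = parse_ovpn(text)
    findings: List[str] = []
    verifies_server = any(args[:1] == ["server"] for args in d.get("remote-cert-tls", []))
    if not verifies_server and "verify-x509-name" not in d:
        findings.append("no server certificate verification: add 'remote-cert-tls server' (or verify-x509-name); "
                        "any certificate signed by the profile's CA, including another client's, would pass as the server")
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append("no tls-auth/tls-crypt: the control channel accepts unauthenticated handshake packets from anyone")
    if "auth-user-pass" in d and "auth-nocache" not in d:
        findings.append("auth-user-pass without auth-nocache: the password stays cached in process memory")
    if want_full_tunnel and not any(args[:1] == ["def1"] for args in d.get("redirect-gateway", [])):
        findings.append("no 'redirect-gateway def1': only routes pushed by the server go through the tunnel")
    if "ca" not in d:
        findings.append("no CA configured: the server certificate cannot be chained to anything")
    return findings


# Constructed sample profile in the shape a consumer router's wizard produces (placeholders throughout).
WEAK_PROFILE = """\
# constructed sample, not a real profile
client
dev tun
proto udp
remote vpn.example.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
cipher AES-256-CBC
auth-user-pass
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIBconstructedPlaceholderNotARealCertificate
-----END CERTIFICATE-----
</ca>
"""

# Same profile with the directives the findings ask for (tls-crypt key is a placeholder).
HARDENED_PROFILE = WEAK_PROFILE + """\
remote-cert-tls server
auth-nocache
redirect-gateway def1
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
0000constructedPlaceholderKeyMaterial0000
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, "->", lint_ovpn(profile) or ["ok"])
```

`remote-cert-tls server` only works if the server's certificate was issued with the server key-usage/EKU bits, which a router-generated certificate may or may not carry; if it is missing, `verify-x509-name` pinned to the server certificate's subject is the fallback. The two "RTNETLINK answers: File exists" errors in the log are a separate problem (routes OpenVPN tried to add already existed on the instance) and are not something the profile linter can see; with `redirect-gateway def1` the client also needs a working host route to the VPN server via the instance's normal gateway, which OpenVPN adds itself.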



200+ remote sites, 5M mpls to each, guest access is a requirement

fellow networkerz, my WAN today is all over the place. we're making a bold move to move all of our locations to MPLS with 5M ethernet minimum. For enterprise internet traffic, it will be tunneled to a pair of FP2130s (replacing SSG550M). we have a requirement to provide guest access (we don't use a ton of data today, and most locations have less than 10 users). does anyone have any experience or advice on tunneling guest access using the MPLS? Obvi we'll have ACLs in place to keep it off of enterprise networks.

any advice, or words of wisdom is appreciated. go!



MGMT IP

Hi Guys,

I have 2 Brocade VDX switches (6740 & 6740T) in a fabric at a remote location. This remote location (let's call it RL2) is connected to our location (let's call it RL1) via a P2P link which is configured as a trunk.

I have to configure MGMT IP on that switch stack at RL2 for remote access but, we cannot use MGMT port as there is no MGMT switch present over there.

Is there any way that I can configure an IP address on a loopback inside one rbridge, or any other way via which we can gain access to that switch remotely?

I have attached the basic representation of the switch connectivity

DIAGRAM



Doing 802.1x for wi-fi in a small company without any directory services?

Most of my background is Cisco/Windows enterprises, but I'm helping out a friend's small company as they expand into a new office space. They've got ~25 users on personally owned laptops (mostly Mac and Linux) all using google apps and various other cloud tools, no central user management or directory services.

They'd like to secure their wifi with more than a simple password, and usually my thought is "Well that's easy enough, set your APs to point 802.1x auth to the RADIUS server and set policies referencing against Active Directory." But they don't have any of those and likely won't get them.

What's the best option here?

It's funny, my day job has me living in Cisco WLCs pointed to ACS which references AD, I can spin those up in my sleep. But now when it comes to a network this small I feel like I'm grasping at straws.



Reliability of TP-Link APs with controller

Hey Guys,

Do any of you have experience with Auranet-WLAN-Controller and Cap300 or other TPLink access in a normal or even high density environment?

They seem to be insanely cheap and offer a growing set of features, but I'm not sure how far I can trust them.



Why does my internet suddenly turn to absolute rubbish as soon as it hits 5pm?

https://i.imgur.com/3ongTzy.png

I don't really know what this picture means, but here it is.



Cisco 3850, IOS-XE: change boot path without writing to the startup config?

Cisco Catalyst 3850, IOS-XE

Hi, so I'm utilizing the ZTP feature, pulling down a Python file that runs inside the guestshell to provide configuration for our 3850's.

However, my problem is this. The factory OS that comes on the 3850s has a bug where the 40Gb SFPs are 'error disabled'. So I can console onto each one and download the firmware needed (cat3k_caa-universalk9.16.06.02.SPA.bin) and then do the command boot system switch all flash:cat3k_caa-universalk9.16.06.02.SPA.bin. But now the problem is that I have written to the startup config. So if I do a write erase and reload, it tries to revert back to booting from packages.conf, which fails of course.

Is there a way I can change the boot path without affecting the startup config? I need no startup config because I need ZTP to happen, of course.

many thanks



Wednesday, February 14, 2018

phpIPAM - Device Import

Hi Everyone,

I just set up phpIPAM and its great.

I'm just wondering if there is a way to mass import the devices, as I see the import function hasn't been added yet.

Could the information be added directly to the DB ?

Thanks



Seeking advice for multi-isp setup

Hey gurus, I have 3 questions for you, background info first.

My network is setup per this diagram.

Current config is as such:

  • All layer 3 switches are running EIGRP, and are Cisco
  • All traffic currently goes out FW A to ISP A; ISP B is not presently in use
  • I have my ASN and /24, but the /24 was provided by ISP B and we have not yet switched to it / advertising it out via ISP A.
  • NAT/PAT is being done on FW A
  • I'm performing a major equipment/topology overhaul this summer and can COMPLETELY redo things if necessary.

My current plan is to advertise our /24 using eBGP through both ISPs, prepended for a preferred outbound route of ISP A. I was going to run iBGP internally between SW A and SW B to handle routing.

My three questions-

  1. Is HSRP an option here or is my iBGP plan best?
  2. How do I handle incoming NAT'd traffic, destined for either internal or Data Center (DCSW A) during a failover?
  3. Is there an easy way to provide full redundancy for hosts sitting behind DCSW A and DCSW B ? I don't need Active/Active for those, plan on using Active/Passive. I guess this is related to #2....

I have a call setup tomorrow with my cisco engineer, but wanted to get some Reddit advice beforehand. Thanks in advance, and let me know if you need more info!



My router only resets to my ISP defaults. Is there a way to reset "deeper"?

It's a Technicolor TG788vn v2. Any info is appreciated



Network specs for new construction?

Greetings all,

I'm rather tired of getting mixed results on our network setup on new building construction on our campus due to weird or outdated network specs in the project scope of work. These specs tend to come from the engineer firm and seem rather old in some cases and inconsistent.

I'm working with several others to come up with our own version by using one of theirs as a starting point.

Particular areas that I'm looking at:

  • Stating part numbers for cable, patch panels, racks, rack accessories, cable management, fiber cassette kits, etc. with no substitutions without prior approval so we actually get what we've standardized on without us having to purchase it ourselves.

  • Proper trace wire being run in underground conduits as well as proper termination at underground vaults... vaults should also have labeling to help track conduit and cabling as well as proper drainage (big one for me)

  • Specification to state the types of terminations we want (modular keystones instead of old style punches, fused fiber instead of polished, etc.)

  • Guideline for proper labeling including location (wall plate, patch panel, and cable)

  • Certification on completed work (really curious what people here usually request for both gigabit copper runs and fiber up to 10g and whether you require the use of specific models of testing equipment)

  • Proper grounding and use of data cable (including type of cable to be used) if it has to go outside for cameras/APs or underground in conduit (I dislike fried network equipment or bad PoE ports after thunderstorms)

I feel like a lot of this concerning the certification and guidelines for outdoor to indoor cable runs, etc. should already be covered, but the spec I'm starting with talks about network concentrators so it seems like it is a bit dated.

I'm wondering what others here might include in their scopes of works for construction ranging from renovations on up to brand new buildings?



Switch Recommendations

Hey guys! Thanks in advance for the info. I'm currently shopping for some switches. I'm looking for 10G SFP+ switches. I'm having a hard time finding some that meet my needs. I need 8-16 port SFP+ 10G. I prefer Cisco but all I see that meets those needs is the SG550X line. I need VLANs at least as this will be my access layer. But everything is such high density and I don't need that, as these will be ToR and feed other switches, some 10G and some 1G, per IDF. I'm looking in the price range of about $2.5k/switch or less. Then later down the road we are looking at doing a 10G core upgrade.



Using an HSRP VIP as a GRE endpoint and use the tunnel endpoint as a BGP neighbor IP?

I had someone ask me if you could use an HSRP VIP as a tunnel endpoint and as a BGP neighbor IP. Their thinking was that by including all of your HSRP VIPs in one group, you could ensure that the VIPs used as default gateways were always on the router that held the GRE endpoint to a remote router AND where BGP would be advertising routes to.

I wasn't even sure you could configure a GRE endpoint to be a VIP (you can), and if the GRE tunnel would follow the VIP (it does). At least it works if I can believe a 7200 image running in GNS3.

I figured that BGP would freak out if it saw a neighbor IP suddenly switch from one router to another, but it doesn't seem to care.

In short, it seems to work exactly like you'd think. If you flip the VIP from router 1 to router 2, the GRE goes down on router 1, and comes up on router 2. The router on the other end sees BGP to router 1 drop, and come back up with neighbor router 2.

I have to admit that this is a simple solution to a vexing problem, but I assume this is not any sort of a supported configuration, at least in Cisco world, correct?



Deleted Flash: Without Reload of Device

  • Working on a 3750 with minimal space in Flash:
  • Accidentally deleted the entire contents of Flash:, not just the old IOS version
  • Realized what I'd done
  • FTP'd new version to device
  • Created "Test" VLAN
  • Saved running config
  • Set boot variable to load new IOS on reload

This work is prep for maintenance window this weekend.

Is there anything else I can do to make sure this device comes up properly after reload?

Thanks in advance.



SDN for the Access Layer?

Hey everyone,

I've been on the prowl for an SDN solution to try to keep our access layer switch costs down. We're due for a refresh and I would like to buy a ton of whitebox or bare metal switches at low cost instead of buying a ton of new Cisco gear.

Unfortunately, my search has been pretty fruitless. I've found a lot of SDN providers that offer some pretty great solutions for the datacenter, but our datacenter is far too small to reap any sort of reward from utilizing SDN (we're talking 6 physical switches, stacked/VSS to 3 logical ones). I have found next to nothing for anything outside the datacenter.

We are a medium sized business with 22 access switches and 6 core/distribution switches. I don't mind managing the switches via CLI and NCM, but my employer is looking for cost savings because our refresh is looking to be upward of a quarter million dollars. Do you guys know of any SDN solution that can provide useful tools for both the datacenter AND the access layer?



GRE Traffic over VRFs

Hey /r/networking friends;

Edit: I don't know why I titled it as GRE over VRFs when they're IPSec tunnels. Just, ignore that brain fart. I have both running on the router, this configuration relates to the IPSec. Durr.

I'm running into an odd one that I'm just not sure about, and I'm sure that it's going to be something simple and dumb, and I'd rather just go ahead and ask rather than chase my tail.

In AWS (ultimately irrelevant) I have a CSR1000v that I'm trying to terminate some IPSec tunnels on, with the interfaces and the tunnel path being in separate VRFs.

The egress interface (Gig1) forwards on vrf vpn0 with the default route pointing out (which then translates to an ENI that is publicly accessible). If I create the IPSec with an isolated vrf and set the tunnel vrf to use vpn0, the interfaces don't come up:

Router#show ip int brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1       10.163.255.6    YES DHCP   up                    up
[...unrelated interfaces...]
Tunnel2                169.254.44.186  YES manual up                    down
Tunnel4                169.254.46.42   YES manual up                    down

interface Tunnel2
 ip vrf forwarding vpn-73c2de12
 ip address 169.254.44.186 255.255.255.252
 ip tcp adjust-mss 1387
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination <far end 1>
 tunnel vrf vpn0
 tunnel protection ipsec profile ipsec-vpn-aws
 ip virtual-reassembly
end

interface Tunnel4
 ip vrf forwarding vpn-73c2de12
 ip address 169.254.46.42 255.255.255.252
 ip tcp adjust-mss 1387
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination <far end 2>
 tunnel vrf vpn0
 tunnel protection ipsec profile ipsec-vpn-aws
 ip virtual-reassembly
end

However, if you strip out the vrf in-use by Gig1 and dump it to the global table, and remove the tunnel vrf vpn0 command from the tunnels, it comes up.

Router>#show ip int brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1       10.163.255.6    YES DHCP   up                    up
[...unrelated interfaces...]
Tunnel2                169.254.44.186  YES manual up                    up
Tunnel4                169.254.46.42   YES manual up                    up

interface GigabitEthernet1
 ip address dhcp
 negotiation auto
end

interface Tunnel2
 ip vrf forwarding vpn-73c2de12
 ip address 169.254.44.186 255.255.255.252
 ip tcp adjust-mss 1387
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination <far end 1>
 tunnel protection ipsec profile ipsec-vpn-aws
 ip virtual-reassembly
end

interface Tunnel4
 ip vrf forwarding vpn-73c2de12
 ip address 169.254.46.42 255.255.255.252
 ip tcp adjust-mss 1387
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination <far end 2>
 tunnel protection ipsec profile ipsec-vpn-aws
 ip virtual-reassembly
end

ip vrf vpn0
 rd 65000:0
ip vrf vpn-73c2de12
 rd 65000:3
 route-target export 65000:0
 route-target import 65000:0

So what am I missing?

Potential add-on details:

Recommended to use the isolated vrf for the tunnel interfaces as the addresses can ultimately be re-used by AWS, so the actual endpoint termination needs to be separate from the rest of the traffic so as not to cause an ip conflict.

I have Gig1 on a separate vrf as I have multiple interfaces on various subnets (Gig2 and Gig3), so that I have traffic isolation for what's public versus what's private. Gig1 handles public facing traffic, Gig2 and Gig3 handle the egress back to the private facing sides.



How reliable is an all-Ubiquiti setup really?

I've had AP's only at one location, and compared to the Cisco AP's that were there before I'm not yet 100% convinced of the 'carrier class' reliability. The cost difference is, however, obviously hugely attractive, and I'm mulling an all-Ubiquiti setup for another technically undemanding and uptime-sensitive, but not uptime-critical, location.

I was wondering what SMB-ish admins who went with wholesale Ubiquiti to refresh an older enterprise (i.e. Cisco, etc) setup thought of them.



Looking for someone who has implemented Velocloud

Hi, Not a networking guy here <ducks>, but am working as a PM on a velocloud implementation project that has yet to get started. I have done a good amount of research with Velocloud and am at a state where I am putting together risks for implementation of Velocloud to replace our MPLS network. I can only learn so much through reading online and am at the point where I could use some input from anyone who has implemented the solution.

If anyone has anything to share about a Velocloud implementation, from lessons learned or problems, to the benefits, or anything about the experience I would love to hear it.

Thanks in advance,



Ethernet over cable TV coax?

One of our facilities put in cable TV in their break room. There is a cable box by the TV that expects cable TV signal and Internet to come in on the coax cable feeding it.

Upstream on that cable is a splitter (functioning as a combiner, I assume) that connects to the incoming cable and a small consumerish looking cable TV branded wifi/router/firewall via coax. The router has the normal WAN and LAN rj45 jacks you'd expect besides the coax connector (also indicated as LAN).

The TV box will not display program listings unless the router is connected to the Internet. I connected the wifi/router/firewall's WAN port to my guest network VLAN, and by finagling the firewall's settings, got it working. There's a double NAT going on, but it seems to work.

However, I'm not really happy with this setup. I'd rather just eliminate the wifi/router/firewall box and connect the TV directly to my guest VLAN, but I have no idea what to use to connect a 1000Base-T switch port to a coax.

I'm fairly familiar with the OTHER direction - DOCSIS cable modems. But what would I use as a layer 2 bridge between my switch and the coax?

Will a MoCA do what I want?



Show negotiated phase 1 encryption

Anyone know of a command on an ASA 5525X to show negotiated phase 1 encryption? I will be migrating from ASA to Fortigates so I want to make sure our phase 1 proposals match with existing VPNs.

Thanks!



buy chassis bundle for its parts?

Looking through a recent offer by our VAR we noticed that a Cisco chassis bundle (chassis, sup, 2x line card) was cheaper than those two separate line cards. As we want 2 sups and 4 line cards, it would make sense to simply buy 2 chassis bundles and not use the 2nd chassis.

  • is this possible parts wise? (mainly, is the bundled sup usable as a 2nd sup? I've not found if a double sup setup is actual identical sups or two complementary (but very similar, obviously) models)
  • is this something that is, well, done? I can imagine the VAR/Cisco not allowing this particular way of getting parts cheaper.


HP Scanner and VLANs

I have an HP scanner on VLAN A and the server that it scans to on VLAN B. This was a fresh change that was made a couple of weeks ago, however, scanning doesn't happen that often which is why it was never looked at/tested prior to the move.

When the scanner and server were both on VLAN B (was this way for several years) scanning to a network share worked fine. After the move of the printer/scanner to VLAN A, it prints just fine, but scanning doesn't work. I can ping both ways, routing/ACLs are not the issue.

Obviously scanning is happening at layer 2 (is what my first thought is) which is why it isn't working.

The user scans from the scanner directly to a network share on the server. Their computer isn't part of this process (not until they go retrieve the scan in the network folder, which they can access w/o issues).

I'll have to change the switchport of the switch back to untagged on VLAN B to get them up and running for the scanning they need to take care of over the next few days, but I'd like to try to get this fixed.

Thanks.

EDIT- I can post specific printer/model info when I am back on site, but I don't think this is an issue related to the specific printer model, I believe it is a broadcast separation issue.



[Question] Iperf3 only sending 10% of file? -F switch

Does anyone use Iperf to send a file instead of random data? In my case I'd like to transfer a 30mb excel file to a server. Using the -F switch works, however it's only sending 10% of the file. Anyone have success with this?

Output looks like this:

C:\iperf-3.1.3-win64>iperf3.exe -c myserver -F testfile.xlsx
Connecting to host myserver, port 5201
[  4] local 10.6.0.2 port 64793 connected to myserver port 5201
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-0.67   sec  3.25 MBytes  40.6 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-0.67   sec  3.25 MBytes  40.6 Mbits/sec                  sender
        Sent 3.25 MByte / 31.1 MByte (10%) of testfile.xlsx
[  4]   0.00-0.67   sec  3.25 MBytes  40.6 Mbits/sec                  receiver

iperf Done.

Thanks for reading.



Cisco not matching crypto ACL

Issue I'm seeing - crypto map based tunnel between Cisco IOS-XE device (controlled by me) and McAfee firewall (out of my control) is not passing traffic. Agreed on tunnel, built, Phase 1 & Phase 2 coming up properly. But traffic is not coming through. To troubleshoot, used esp-null and now seeing more information regarding payload which puzzles me even more.

1) If traffic initiated from other side - I can see ESP packet arriving on the external interface with the correct outer & inner headers (tunnel mode), but it is not decrypted (no decaps) further by Cisco, so that's it. Incoming SA number is correct.

2) If traffic initiated from my side, it is encapsulated, sent properly, but no answer from the other side - that would be issue with configuration on the far end if not the first point.

If throwing tunnel endpoint on the other Cisco device, basically configuration stays the same, just the peer IP changes - it works flawlessly - traffic is encrypted & decrypted properly.

Just throw your ideas at me what could be wrong here or how to troubleshoot, even better if there's someone who knows McAfee firewalls, as I have no clue at all what to expect from them. I've checked a lot of things, just don't want to make this overwhelmingly long and detailed, just what would you do in such a case?

P.S. There are a bunch of working tunnels on the Cisco side and, so they say, on the other side as well.



Working for a MSP, thoughts?

So recently I have been given the chance to work at a MSP, I come from a laid back enterprise networking gig and wanted your thoughts. What are some pros and cons? I have read some other reddit posts but want to see if there are any new opinions out there.



help with l2nat, i think i'm doing something dumb

Hey,

so I have this network:

192.168.0.0/24 ------ gi1/1,vlan101 [Catalyst] vlan 1,gi1/2----192.168.1.0/24 

192.168.0.0/24 is "corporate network".

192.168.1.0/24 is "controller network".

Int gi 1/1 has vlan 101 permitted on a trunk port.

Int gi 1/2 has vlan 1 set on an access port.

192.168.1.0 is in use in other areas of our network, so we can't simply route to it.

We need to create a L2Nat so that if host 192.168.0.2 tries to connect to 192.168.0.3, the switch will NAT the packets coming in Gi1/1 on vlan 101 like this:

before: source 192.168.0.2, dest 192.168.0.3
after:  source 192.168.1.4, dest 192.168.1.5

and reverse

before: source 192.168.1.5, dest 192.168.1.4
after:  source 192.168.0.3, dest 192.168.0.2

I can't seem to figure out where to put what configuration to setup the L2Nat;

What am I doing wrong?

Current configuration : 3298 bytes
version 15.2
ip routing
license boot level ipservices
l2nat instance PLC
 instance-id 1
 fixup all
 outside from host 192.168.0.3 to 192.168.1.5
 inside from host 192.168.1.5 to 192.168.0.3
interface GigabitEthernet1/1
 switchport trunk allowed vlan 101
 switchport mode trunk
 l2nat PLC 101
interface GigabitEthernet1/2
 switchport mode access
interface Vlan1
 ip address 192.168.1.250 255.255.255.0
interface Vlan101
 no ip address


Small Business Firewall VPN

I saw a few posts on the same topic, but I think my situation is different.

I have a friend that owns a small business of under 10 people. He is "techy" but knows hardly anything about networking. He has sensitive data so he needs something better than his Comcrap "firewall".

Can someone recommend a firewall/vpn appliance that is SIMPLE to use? I'm talking like, log into the thing and it's all wizards to set it up and if something isn't working, he could maybe go in and click a few buttons to restart a VPN service or something? He isn't going to want to hire an IT staff to maintain this thing and I really don't have time to manage anything.

Price isn't really a huge issue, but again, simple simple simple.

I saw the Cisco RW series which seems like it was simple but they are no longer made and only 10/100 ports and 2.4 Ghz? Jeez, no thanks.

Thanks in advance.



Guidance for Multi-Site, Multi-homing, Multi-Carrier BGP setup

Morning, all - Currently bringing a second datacenter site online, and looking for some input for the failover design.

The plan is to have a DIA from Carrier 1 at Site A, and a DIA from Carrier 2 at Site B. Between the two sites is an MPLS circuit connecting our internal networks.

We would like to be able to lose either carrier (at either site), and fail over to the other site's internet connection, while retaining the same public facing IP's.

Here are my questions -

1) Is an iBGP connection the best way to facilitate failover between the two BGP routers (one at each site)?
2) Is there any hope of using the limited BGP functionality on a Barracuda firewall for this? Or will we certainly need to purchase dedicated routers for BGP?
3) Since we're spanning across two carriers, we will need to get our own IP address space, independent from the carriers, in addition to an ASN - correct?
4) Is there a way to do this without using an entire /24? I know advertisements for smaller spaces are often rejected, and I don't think we'll be able to aggregate under an ISP as we are using two different carriers.

If it appears I'm overlooking anything, please let me know.

Thanks in advance for the input.



Utilizing the Windows 10 native VPN Client?

I am trying to understand more of the compatibility of the Win10 native VPN client. Is there a list of remote VPN products, such as firewalls from Cisco, PAN, Fortinet etc, that support the Win10 native VPN client?



Best way to precisely measure latency on a point-to-point link

My network has Cisco/Arista switches, and I am trying to find the best way to precisely measure latency on the point-to-point links. Ping from/to the corresponding interfaces doesn't give accurate results - I measure about 2ms more latency. This is because any pings sourced from/destined to the switch are handled by the control plane and such packets are aggressively policed in the control plane. Any tips and advice will be greatly appreciated.



Juniper oob mngt port has to be in default routing-instance? Wtf?

Surely I’m wrong, lol. How do they suggest setting up the oob mngt on a Juniper box?? I want the mngt port in its own vrf, and forwarding plane in a separate vrf... you know, just like the awesome Cisco ASR.

Does Juniper really not let you do that? I’ve gotta put static routes for mngt in my default routing table? Herp derp help me I’m stuck.

And yes I RTFM... their config guides are bits and pieces usually stops after assigning an IP address to the port (so stupid!)



VDC - limit-resource model

Hi,

We are in the process of adding another line card to our Nexus 7000's in the data center. This card is a F248XP-25E card.

Of course this card needs to be assigned the correct VDC, and I have a question about this. I have to change the configuration on the current VDC in order to support the card:

limit-resource module-type m1 m1xl 

This command is on the current VDC, so i will have to add the F2 card to it.

I suppose the command will go like this:

conf vdc xxx limit-resource module-type m1 m1xl f2e 

Because it's a F2e card from the description, if i punch in that command, will it cause an impact? The documentation is not clear on that. Or can i go like this:

conf vdc xxx limit-resource module-type f2e 

Or will i knock out the other modules like a switchport trunk vlan allowed xxx instead of an add.

I checked the line card compatibility matrix for Cisco and an e card should work within the same vdc as the M1 cards.



Question about voip phone cabling?

So, from what I've been able to find on Google thus far, a 100mbps phone only requires 2 pairs to work. What I haven't been able to find is if it requires a specific 2 pairs.

So my current issue is I have a phone not pulling an IP, saying please verify network connection. The TDR test shows pair 3 failed, others normal.

So from my understanding, it should work with at least 2 pairs good. But it's not..

So can anyone tell me if it requires a certain 2 pairs working?



IOS XE: set username/password via SNMPv3?

Following situation: local user was deleted but the snmp configuration still exists (the switch was initially configured via Prime 3.2). Is there a way to remotely set a new local user without the classical way via password recovery?



VPC keep alive on 5020s?

I have a pair of 5020s using mgmt0 as their keep alive, and now I'm tasked with changing IPs as my company sold some of its /8. My plan is to direct connect the two, put the interfaces on a separate VLAN, create a SVI on each, and change the config to use those. Am I missing anything here?



Shared Building 6 Network Solution

I am looking to put in a network for a friend's new business venture. He needs 6 separate networks, 2 networks supporting 20 users each, and the other 4 supporting 10-15 users each. They have a 1 gig link into the building. Budget is around $2000, but I'm finding it difficult to find a solution for this.

Originally, I thought a high end home / gaming router would work for the building, as they only mentioned needing 4 separate networks, but with 6 networks I believe I will need something more commercial grade.

Suggestions?



SOHO bandwidth management

I've worked with Exinda, Packeteer, and NetEqualizer in the enterprise before, but I'm faced with a new challenge. I'm doing some volunteer work to help out a church with their disaster of a network. They do a live stream of one service every Sunday and re-broadcast it a few times throughout the week. They're currently paying for a whole separate business class ISP connection just for this one computer, which is bonkers expensive. Since they could really use a new router anyway, I was wondering if anyone knew of a SOHO router or appliance that would be cheap and do some basic bandwidth priority for a single IP. The church is not massive, I'd say maybe 300 devices online at a time.



Tuesday, February 13, 2018

Overruns\Underruns High Network Latency ASA 5510

I am working on a network, trying to find what is causing performance issues. The site has a 225 mbps internet connection and can fairly easily peg that out. I have increased their speed to 350 mbps for troubleshooting and we haven't pegged that out yet. I think the 5510 has a max throughput of 300mbps, so I don't expect to hit that. One of the first things I have found is error counters on their ASA 5510. Both the inside and outside interfaces are counting up input errors. The # of counters between input errors and overruns (there are underruns too!) is exactly the same on each interface.

Interface Ethernet0/1 "inside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is off
        MAC address 442b.0359.21dd, MTU 1500
        IP address 192.168.6.1, subnet mask 255.255.255.0
        312476526 packets input, 114296210506 bytes, 0 no buffer
        Received 318 broadcasts, 0 runts, 0 giants
        20235 input errors, 0 CRC, 0 frame, 20235 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        481371281 packets output, 582283911170 bytes, 77596 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 1 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops, 0 tx hangs
        input queue (blocks free curr/low): hardware (255/230)
        output queue (blocks free curr/low): hardware (255/0)
  Traffic Statistics for "inside":
        312474776 packets input, 108422541327 bytes
        481448926 packets output, 573590766452 bytes
        1063578 packets dropped
      1 minute input rate 1665 pkts/sec,  989616 bytes/sec
      1 minute output rate 1950 pkts/sec,  1906811 bytes/sec
      1 minute drop rate, 11 pkts/sec
      5 minute input rate 832 pkts/sec,  165855 bytes/sec
      5 minute output rate 1187 pkts/sec,  1313979 bytes/sec
      5 minute drop rate, 7 pkts/sec
Interface Ethernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is off
        MAC address 442b.0359.21dc, MTU 1500
        IP address x.x.x.x, subnet mask 255.255.255.240
        481773452 packets input, 582644590009 bytes, 0 no buffer
        Received 27549 broadcasts, 0 runts, 0 giants
        49496 input errors, 0 CRC, 0 frame, 49496 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        311474391 packets output, 114204420600 bytes, 20447 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops, 0 tx hangs
        input queue (blocks free curr/low): hardware (255/230)
        output queue (blocks free curr/low): hardware (255/0)
  Traffic Statistics for "outside":
        481773194 packets input, 573846100763 bytes
        311494838 packets output, 108380968297 bytes
        347768 packets dropped
      1 minute input rate 1056 pkts/sec,  1066485 bytes/sec
      1 minute output rate 785 pkts/sec,  165101 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 1187 pkts/sec,  1314411 bytes/sec
      5 minute output rate 825 pkts/sec,  165472 bytes/sec
      5 minute drop rate, 1 pkts/sec

a little bit about how everything is connected... there is a content filter inbetween the asa inside interface and the sites core. its an inline content filter and the ethernet interfaces are passive so the wan link still works even if the filter totally dies.

Searching around google looking for tips on troubleshooting overruns has pretty much always sent me to look at cpu-hogs. I'm sorry, but the output of that command tells me nothing.

Process:     tmatch compile thread, PROC_PC_TOTAL: 1, MAXHOG: 7, LASTHOG: 7
LASTHOG At:  16:16:16 UTC Feb 11 2018
PC:          818ecf2 (suspend)

I can't find any explanation of the data, so it tells me nothing.

when i run sh proc cpu-usage i usually only see a couple non-zero items. ssh, cause i'm ssh'd in, logger and dispatch unit. ssh and logger are always 0.x% and dispatch unit i have seen as high as 30%. 30% on the dispatch unit doesn't seem like its traffic being too high, but i'm just not sure.

1550 blocks look good.

sh blocks
  SIZE    MAX    LOW    CNT
     0    400    399    400
     4    200    199    199
    80    952    893    952
   256   1900   1898   1900
  1550   7843   7534   7584
  2048    600    567    600
  2560    900    899    900
  4096    100     99    100
  8192    100    100    100
 16384    102    102    102
 65536     16     16     16

All involved interfaces, on the ASA and next hop devices, are 1000 full. I captured packets on both sides of the ASA today and have them loaded into EtherPeek, but I haven't really used this before and I'm not sure what to look for. Any tips?
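The counters in the post are worth reading mechanically rather than by eye, because the ASA lumps several very different things under "input errors". The script below is an added example and is not code from the original post: it parses `show interface` text (the SAMPLE is a trimmed copy of the counters pasted above; the field names and the classification heuristic are constructed for this example) and separates wire-level errors (CRC, frame) from receiver overruns, which the ASA counts when the NIC's receive path could not take frames off the wire fast enough.

```python
"""Parse ASA 'show interface' counters and classify where input errors come from.

Added example; not code from the original post. SAMPLE is a trimmed copy of the
counters the poster pasted; the dataclass fields and the classify() heuristic
are constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass
class IfStats:
    name: str            # e.g. Ethernet0/1
    nameif: str          # e.g. inside
    input_fc: str        # "unsupported" / "on" / "off", as the ASA prints it
    pkts_in: int
    input_errors: int
    crc: int
    frame: int
    overrun: int
    underruns: int
    dropped: int         # "packets dropped" under Traffic Statistics
    inq_free_curr: int   # input queue blocks free, current
    inq_free_low: int    # input queue blocks free, low-water mark


_HDR = re.compile(r'Interface (\S+) "([^"]+)", is (\S+)')
_FC = re.compile(r'Input flow control is (\w+)')
_IN = re.compile(r'(\d+) packets input, (\d+) bytes, (\d+) no buffer')
_INERR = re.compile(r'(\d+) input errors, (\d+) CRC, (\d+) frame, (\d+) overrun')
_OUT = re.compile(r'(\d+) packets output, (\d+) bytes, (\d+) underruns')
_DROP = re.compile(r'(\d+) packets dropped')
_INQ = re.compile(r'input queue \(blocks free curr/low\): hardware \((\d+)/(\d+)\)')


def parse_show_interface(text):
    """Return one IfStats per interface block; blocks missing a field are skipped.

    The regexes do not depend on line breaks, so output pasted as one long line
    (as in the post) parses the same as the original multi-line output.
    """
    stats = []
    for chunk in re.split(r'(?=Interface \S+ ")', text):
        m = [rx.search(chunk) for rx in (_HDR, _FC, _IN, _INERR, _OUT, _DROP, _INQ)]
        if not all(m):
            continue
        hdr, fc, inp, inerr, out, drop, inq = m
        stats.append(IfStats(
            name=hdr.group(1), nameif=hdr.group(2), input_fc=fc.group(1),
            pkts_in=int(inp.group(1)),
            input_errors=int(inerr.group(1)), crc=int(inerr.group(2)),
            frame=int(inerr.group(3)), overrun=int(inerr.group(4)),
            underruns=int(out.group(3)), dropped=int(drop.group(1)),
            inq_free_curr=int(inq.group(1)), inq_free_low=int(inq.group(2))))
    return stats


def classify(s):
    """Constructed heuristic: CRC/frame errors point at the cable or the peer
    port; errors that are all overruns mean the receiver ran out of room before
    the firewall drained it (an ingress burst it could not keep up with)."""
    if s.input_errors == 0:
        return "clean"
    if s.crc or s.frame:
        return "line-errors"
    if s.overrun == s.input_errors:
        return "rx-overrun-only"
    return "mixed"


def overrun_ppm(s):
    """Overruns per million packets received, to compare interfaces of different load."""
    return 0.0 if s.pkts_in == 0 else s.overrun * 1_000_000 / s.pkts_in


# Trimmed copy of the counters from the post (constructed layout, same numbers).
SAMPLE = '''
Interface Ethernet0/1 "inside", is up, line protocol is up
  Input flow control is unsupported, output flow control is off
  312476526 packets input, 114296210506 bytes, 0 no buffer
  20235 input errors, 0 CRC, 0 frame, 20235 overrun, 0 ignored, 0 abort
  481371281 packets output, 582283911170 bytes, 77596 underruns
  input queue (blocks free curr/low): hardware (255/230)
  Traffic Statistics for "inside":
  1063578 packets dropped
Interface Ethernet0/0 "outside", is up, line protocol is up
  Input flow control is unsupported, output flow control is off
  481773452 packets input, 582644590009 bytes, 0 no buffer
  49496 input errors, 0 CRC, 0 frame, 49496 overrun, 0 ignored, 0 abort
  311474391 packets output, 114204420600 bytes, 20447 underruns
  input queue (blocks free curr/low): hardware (255/230)
  Traffic Statistics for "outside":
  347768 packets dropped
'''

if __name__ == "__main__":
    for s in parse_show_interface(SAMPLE):
        print(f"{s.nameif:8} {classify(s):16} {overrun_ppm(s):7.1f} overruns/Mpkt "
              f"flowctl={s.input_fc} inq_low={s.inq_free_low}/{s.inq_free_curr}")
```

Run against the numbers in the post, both interfaces come out as rx-overrun-only, with zero CRC and frame errors, the software input queue never dropping below 230 of 255 free blocks, and "Input flow control is unsupported", so the box cannot pause the upstream switch during a burst. That puts the loss below the block pool the `sh blocks` output shows as healthy, which is consistent with the poster's observation that the 1550-byte blocks look fine.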



AWS and NSX

What if AWS figures out how to have an NSX like product handling security and micro segmentation within a VPC? Or even across VPC’s? No multiple security groups needed no NACLs. Just a thought.



Networking now requires developing???

Forgive me if this is not the right subreddit but I know that this subreddit has helped me out significantly.

Ok I live in state of Washington. A company moved me here almost 3 years ago. But the company couldn't generate enough sales to keep me afloat even though the work I did was the highest, the margins were low. So they had to let me go.

Now facing a new world and being laid off the first time in my entire life, I find that that NOW a lot of networking jobs require developing/coding.

I have CCNA, partial CCNP, Brocade certs (which don't mean much), Palo Alto, and a few others but it doesn't seem to matter without some sort of coding.

what the hell? when did the world instantaneously go to coding?

anyone have any advice on what I should be doing, I'd appreciate it.

Also note, I have over a decade of server and virtualization experience but it isn't cloud ... so how the heck do I get cloud exp without having cloud?

Do network jobs (now) really require DevOps/Coding skills right now?

I've done VMWare for years, but I have no cloud experience, how much different is cloud VS VMWare ESXi? I also have done HyperV experience as well.



Is a switch to Aruba Wifi worth it?

I heard that the Nordstrom and Bank of America implementations are not going well.



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Mini usb console cables?

Has anyone run up against manufacturers like IBM and Cisco having different standards for mini-usb rs232 console cables? Or is there an industry standard? I don't mind spending 20 bucks on the Cisco knock-off from Amazon, but my hope is that it will work with other devices as well.



VLAN Setup?

So I have a bit of a weird network setup. I've been running into problems lately with my LAN running out of IPs and I'm trying to figure out the best way to attack it. Right now I'm thinking my best bet is to get all of my WiFi clients onto another subnet, I've never used VLANs before and it seems like my best bet. The problem is I have 5 buildings connected together and they are all connected in different ways. As of right now I have no managed switches and all of my APs are currently on the LAN network as that is the only network that touches all 5 buildings.

Link to image of my network

I threw together a little diagram of my network. Would I be able to get a few managed switches and make those the "main" switches for each building and have the current unmanaged switches branch off of them? Have the LAN stay intact as 10.19.36.1/24 while also pushing a VLAN to all of the buildings with it?



Juniper VRF - no routes

I am trying to configure a VRF on an MX480. It worked at first, but when I tried to add an RD, it stopped working and I can't seem to get it to work again. I tried rebuilding the VRF from scratch (with or without the RD) but it still seems stuck. Here is my config. Anyone have any ideas what I am missing?

VPNA {
    instance-type vrf;
    interface ge-4/0/0.3;
    interface ge-4/0/5.3;
    interface ge-4/0/6.3;
    interface ge-4/0/7.3;
    interface ge-4/0/8.3;
    route-distinguisher 62000:3;
    vrf-target {
        import target:62000:3;
        export target:62000:3;
    }
}

"show route table ?" doesn't show my VRF

show route instance VPNA extensive:

VPNA:
  Router ID: 0.0.0.0
  Type: vrf               State: Active
  Interfaces:
    ge-4/0/0.3
    ...
  Route-distinguisher: 62000:3
  Vrf-import: [ __vrf-import-VPNA-internal__ ]
  Vrf-export: [ __vrf-export-VPNA-internal__ ]
  Vrf-import-target: [ target:62000:3 ]
  Vrf-export-target: [ target:62000:3 ]
  Fast-reroute-priority: low
  Tables:
    VPNA.inet.0    : 0 routes (0 active, 0 holddown, 0 hidden)
    VPNA.iso.0     : 0 routes (0 active, 0 holddown, 0 hidden)
    VPNA.inet6.0   : 0 routes (0 active, 0 holddown, 0 hidden)
    VPNA.mdt.0     : 0 routes (0 active, 0 holddown, 0 hidden)


NAT instead of firewall

I feel like I might be sent to networking hell for asking this question. I understand that "obscurity isn't security" etc. I'd never implement this in an enterprise, but this is for my home network.

The scenario is that I have a Cisco 1941 on my 220Mbps home broadband connection. If I enable NAT + Zone Based Firewall then the CPU on my router tops out at something like 180Mbps.

If I use CBAC I get a little more, but still not 220Mbps.

I'm now running OK using reflexive ACLs like it's 1999, but wondering do I even need reflexive ACLs?

I'm PATing everything to my outside IP. The only way I can see someone is going to get in to my network from the outside is if they're directly connected to the outside (its cable so I imagine they could be) and then set something like a static route with my Internet IP as their next hop for my internal RFC1918 address range.

So, could I get away with just PATing everything to my WAN IP and then having an ACL ingress from the internet similar to the following:

deny from any to RFC1918
permit from any to any

The PAT would act similar to a stateful firewall, where any packets destined to my public IP that don't have a live connection are dropped, and the ACL in from the outside prevents anything addressed to my internal address range being forwarded.
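The question above comes down to what a translation-table lookup does and does not check, so here is a toy model of it next to the same PAT with a minimal TCP state check. This is an added example, not code from the original post and not a description of how IOS NAT, CBAC or the zone-based firewall are implemented; the addresses, ports and packets are constructed. The four replayed inbound packets are the cases the post reasons about (a reply to a flow the inside host opened, an unsolicited SYN at the public address, a packet routed straight at the RFC1918 range) plus the caveat a stateful engine covers and plain PAT does not: a forged packet that happens to match a live 5-tuple.

```python
"""Toy model: overload PAT + ingress ACL, beside PAT + a minimal TCP state check.

Added example; not from the original post, and not how IOS NAT/CBAC/ZBF work
internally. Addresses, ports and packets are constructed. TCP flags are a
string such as "S" (SYN), "SA" (SYN/ACK), "A" (ACK). No translation timeouts
are modelled.
"""
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""


class PatOnly:
    """Overload NAT plus the ingress ACL from the post: deny any -> RFC1918, permit any -> any."""

    def __init__(self, wan_ip):
        self.wan_ip = wan_ip
        self.next_port = 40000
        self.table = {}   # (remote_ip, remote_port, wan_port) -> (inside_ip, inside_port)

    def outbound(self, p):
        """Inside -> outside: allocate a WAN port and rewrite the source."""
        wan_port = self.next_port
        self.next_port += 1
        self.table[(p.dst, p.dport, wan_port)] = (p.src, p.sport)
        return Pkt(self.wan_ip, wan_port, p.dst, p.dport, p.flags)

    def inbound(self, p):
        """Outside -> inside. Returns (forwarded packet or None, reason)."""
        if any(ipaddress.ip_address(p.dst) in n for n in RFC1918):
            return None, "acl-deny-rfc1918"      # the only thing the ACL adds
        key = (p.src, p.sport, p.dport)
        if p.dst != self.wan_ip or key not in self.table:
            return None, "no-translation"       # unsolicited: nothing to untranslate to
        in_ip, in_port = self.table[key]
        return Pkt(p.src, p.sport, in_ip, in_port, p.flags), "translated"


class PatStateful(PatOnly):
    """Same table plus a minimal TCP state check: a translation opened by a SYN
    accepts only a SYN/ACK first, and an established flow never accepts a fresh SYN."""

    def __init__(self, wan_ip):
        super().__init__(wan_ip)
        self.state = {}

    def outbound(self, p):
        q = super().outbound(p)
        if p.flags == "S":
            self.state[(p.dst, p.dport, q.sport)] = "syn-sent"
        return q

    def inbound(self, p):
        fwd, why = super().inbound(p)
        if fwd is None:
            return fwd, why
        key = (p.src, p.sport, p.dport)
        st = self.state.get(key)
        if st == "syn-sent" and p.flags == "SA":
            self.state[key] = "established"
        elif st == "established" and "S" not in p.flags:
            pass
        else:
            return None, "tcp-state-mismatch"
        return fwd, why


def run_scenarios(router_cls):
    """Replay the same inbound packets against a router class; returns the reasons."""
    r = router_cls("203.0.113.10")
    out = r.outbound(Pkt("192.168.1.20", 51234, "198.51.100.5", 443, "S"))
    wan_port = out.sport
    return {
        # the real reply to the flow the inside host opened
        "reply": r.inbound(Pkt("198.51.100.5", 443, "203.0.113.10", wan_port, "SA"))[1],
        # unsolicited SYN at the public address: no translation, dropped
        "unsolicited": r.inbound(Pkt("198.51.100.5", 443, "203.0.113.10", 40123, "S"))[1],
        # packet routed straight at the inside range (a neighbour on the cable
        # segment with a static route via the WAN IP): only the ACL stops it
        "direct_inside": r.inbound(Pkt("198.51.100.7", 1234, "192.168.1.20", 445, "S"))[1],
        # a forged SYN that hits the live 5-tuple: PAT alone forwards it inside
        "forged_5tuple": r.inbound(Pkt("198.51.100.5", 443, "203.0.113.10", wan_port, "S"))[1],
    }


if __name__ == "__main__":
    for cls in (PatOnly, PatStateful):
        print(cls.__name__, run_scenarios(cls))
```

The forged-5-tuple case is the gap between "PAT drops what it has no translation for" and a stateful firewall: the attacker needs to know the remote IP:port and the allocated WAN port, which is a narrow window, but once a translation exists plain PAT forwards anything that matches it, with no check of TCP flags or sequence numbers. The ACL line covers the direct-to-RFC1918 case and nothing else; for a single home link that is probably the trade-off the post is weighing.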



Is there a way to extend my serial over IP runs?

I work with LED screens and a majority of the time the setup is serial over IP. There are certain job sites where I find myself needing longer than 326ft runs. Is there any way I can extend my cable runs to longer distances?



Flexfabric 5700 - fcoe configuration advice

Hey fellow networkers

I'v begun the configuration of our net converged network setup - fcoe and data traffic in the same two switches.

My setup is currently:

2x HPE FlexFabric 5700 with 40x 10g ports - uplinked to core switch for LAN/gateway access.
SAN with fcoe modules.
3x esxi hosts, 2x dual port 10g nic for each host.

The regular switching, I've got covered.

I'm kinda looking for actual advice on the FCoE configuration of the FlexFabric switches. I have found a guide from HPE but I'm a bit unsure exactly how to go about it.

Does anyone have any experience using these switches as converged switches for both? - and if so, how have you configured your fcoe ports (uplink and host connections).

Finally, what about the inter-switch connection: have you connected the FlexFabric switches to each other, or have you separated them entirely?

Thanks in advance



ASA5505 wont create crypto keys?

I am at a loss here. I've tried google-fu'ing the hell out of everything imaginable. For whatever reason I cannot get this ASA to generate new keys. Has anyone seen this before? Any thoughts on how I can resolve this?

    %hostname%(config)# crypto key generate rsa general-keys modulus 2048
    INFO: The name for the keys will be: <Default-RSA-Key>
    Keypair generation process begin. Please wait...
    % Attempt to generate RSA keys failed:

A little background: a customer of ours has this ASA and out of nowhere it loses all SSH capabilities. I confirmed that everything looked good in the config and further zeroized the keys just to run them from scratch and create a new batch. This is when I found I now cannot create them again. Not sure how to proceed. Any help on this would be great!

edit: have already tried zeroizing and starting fresh. No luck there.



What do's and don'ts on a ring network

Hey everybody,

Lately I've been struggling with a ring network made up of 9 switches. Switch sitting at the NOC is root bridge with priority 0 and everybody else is at 32xxx.

It's been up for two years and was working great until the last couple of months when suddenly all CPU spike to full and until and unless switches are restarted, there is no getting into them.

There are clients on both access ports and trunk ports and all switches are layer 2. Uplink ports are just trunks and two ports around the network are on alt blk (the ring is a figure 8).

Now I am me but what would be some of the things you would configure on uplink ports and client facing ports? Loop guard and Mac access lists are set on all client facing ports. Most clients connect to routers and some connect to their switch and then to router (because they have multiple upstream and port limitation on router).

RSTP runs on all the switches.

Thanks in advance.