Saturday, March 17, 2018

Arista - MLAG + OSPF?

I've got a pair of Arista switches in MLAG that I'm going to turn into our L3 core. Anyone know the best approach for doing OSPF? Do I involve the peer (MLAG) link? Do I put both switches and the upstream firewall in the same /29? Each switch in its own /30 to the firewall?

I've done some quick labbing with VMs, and it seems like if everything is in the same /29 you can run into situations where one switch will bounce through the other to hit the firewall.



IP Default Gateway not included in DHCP broadcast for VoIP connection [CPT]

I am going to provide the show configs first:

Router0: https://pastebin.com/naNTZizs

Router1: https://pastebin.com/fbnEHkg5

Switch1(Multilayer): https://pastebin.com/BUhx8iwd

Switch0(Access): https://pastebin.com/6bXk7czN

Now here is my topology overview: https://imgur.com/a/GHnPd

So every device has an IP address. The data for the computers is being sent on VLAN 20 DATA, separating it from the voice traffic, which is VLAN 10 VOICE. For some reason my devices on the right hand side of my network are receiving IP configurations, but my IP phones aren't receiving IP Default Gateway information from the DHCP packet.

Need some help figuring this out, thank you :)



BGP community

Hello all, again.

As the topic suggests, I would like to talk about bgp communities and how to best deploy them.

Let's say I have (A) 66.66.66.0/24 and (B) 69.69.69.0/24. Now, both originate at a router and both are announced to the internet.

"A" is used for providing internet and "B" is used for providing some special peering of sorts for services that are hosted locally (CDN's).

Traffic for "A" is metered and "B" runs amok, getting as much bandwidth as possible (for the client).

Before you scratch your head and wonder why, let me say it's a situation I'm not happy with and not much can be done about it.

So, some clients are peered via BGP and most are on static. The problem arises when a clever client decides to route traffic through peer "B" in hopes of stealing free internet; they can because both IPs are present in the routing table.

So how would anybody use bgp community to stop community 65534:1235 from going to the internet?

Firstly the community has to be tagged on the inbound? They aren't really routes since they are directly connected. Am I right in assuming that I have to go full bgp peers with clients?

I don't mind criticism, as long as I learn and get what I need.

I'd appreciate any help. Thank you



Changing encryption and hashing algorithm on DMVPN hub and spoke

Hello, I'm looking for advice on updating our current encryption method for DMVPN hub and spoke.

Would like to change to the following (seems like this is what Cisco documentation suggests)

crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac 

Would adding the new transform set to the DMVPN hub, deleting the old one, updating the crypto ipsec profile, and then doing the same on the spokes be all there is to it?

Current configuration on the hub is:

!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
crypto isakmp key key123 address 1.1.1.1
crypto isakmp key key123 address 2.2.2.2
crypto isakmp key password123 address 0.0.0.0
crypto isakmp keepalive 60
!
!
crypto ipsec transform-set TransformSet1 esp-3des esp-sha-hmac
 mode tunnel
!
!
crypto ipsec profile dmvpn
 set transform-set TransformSet1
!

And on the spoke:

!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
crypto isakmp key password123 address 0.0.0.0
!
crypto ipsec transform-set TransformSet1 esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile dmvpn
 set transform-set TransformSet1
!


How is this working?

This doesn't seem correct to me. I preface this with: subnetting is not my strong suit, but this doesn't seem correct.

Flat network, one VLAN. DHCP lease 172.16.0.1, subnet mask 255.240.0.0.

This mask seems incorrect to me for the network scheme...am I missing something?



VPN redundancy on NAS with two ISPs

I have a third party service that connects via a VPN (tunnel is one of the Amazon variety, I did not set it up).

I have two sites, each site has two separate ISP connections. There is a tunnel that connects my two sites together, and each site has two tunnels connecting to the 3rd party service for redundancy.

The problem is that the two tunnels at each site to the 3rd party route through only one of the interfaces, so if that ISP goes down the tunnel goes down with it. The 3rd party does not want to create four new tunnels (two tunnels at each site) and suggested that I get a "fronting" IP at each site, use that as the endpoint that their tunnels see, then if my primary ISP goes down they won't have to change the endpoint on my side of the tunnel.

I understand the concept of what they are describing, but how is such a thing accomplished? Where would I even get IPs that aren't locked into one ISP or the other?



Looking for (e)books recommendations

hey guys, personally, I just find information I need on the net, but in this case we have several junior sysops joining the team and I wanted them to grasp the IPV6 concepts changes that are coming very soon. Specifically hands on stuff like ranges, CIDRs, how to block, etc...

Did anyone lately stumble on something decent we could purchase for our department?

Thanks!



Small SMB network with outsourced VOIP

Common setup: An SMB has 5 public IPs and outsourced VOIP.

MSP designed the network this way:

Verizon ONT --> Cheap 4-port Netgear switch
One switch port --> 1 IP to internal network router
One switch port --> 1 IP to externally managed VOIP router

Is this proper, or is the cheap Netgear switch going to bottleneck it somehow? Is there a more proper setup for an SMB that does not have access to the externally managed VOIP router?



Can a TLD company fold? Are there any guarantees to registrants that the older mature TLDs offer that the new ones do not?

I have to imagine anybody paying $40 a year for a .expert domain is anything but that. But there are so many inexpensive and odd little TLDs for a couple bucks a year that would suit my personal needs just fine. Is there any reason not to use these, other than perceived professionalism?



Anyone have experience with WOW business services?

Cable and/or fiber? Considering bringing them in for office outside of Chicago area but have zero experience with them in my career.



Home DOCSIS Server

Hi all so I was wondering if anyone knew about setting up a small DOCSIS Network with opensource software, a server, and some cable modems. I've become really interested in setting up a small scale ISP for lab purposes and learning more about. So if anyone could point me to some information about this kind of thing it would be much appreciated! Thanks, Lawson



Friday, March 16, 2018

BGP multihoming question

How would you route traffic from VRF A to ISP 1 as primary, and from VRF B to ISP 2 as a primary? But allow both VRFs (or customers, in this case internal) to use the second ISP as a backup?

Pic: https://snag.gy/GimwlR.jpg

Let's imagine the private IPs there are actually our public PI blocks we can advertise to the ISPs. I'd like VRF B users (as they're all in city B) to use ISP 2 as a primary and then ISP 1 as a backup. And the other VRF other way around (it has users in both locations).

Best I could come up with is the idea in the picture (it's quite simplified), which is to create two "internet VRFs" that have default routes configured with a different local pref than the other "internet VRF". Taking in the whole BGP table probably doesn't help at all, so I wouldn't do that. Then I'd advertise the IPs with prepended ASs to the secondary ISP.

I wouldn't do any more of those VRFs, as this would balance the traffic well enough.

Reason for this is to be able to load balance traffic better, and not having packets going in towards ISP 1 and coming back from ISP 2. We could use our internet capacity better (2x1Gbps). Or am I worrying about these too much and should take in the full internet table and just have everything in one internet VRF?

Any thoughts? Thanks!



CCNA vs Juniper?

Looking to get my next cert. Which would further my career as a cleared network administrator? Any thoughts?



What is it like to work as a post-sales Network Engineer at a VAR?

http://ift.tt/2GzqKlT

ProCurve/Aruba training material

Bit of a noob here on the ProCurve and Aruba gear and switching in general as I've just moved from Sys Admin to do all the things.

Anybody got any pointers or reference points on where to dig into the HP switching line? I've just inherited about 70 individually managed switches that I'd like to redesign into stacks.



Firewall rules

If I'm trying to connect to a server that has a firewall in the middle all I need to add is the port number and IP address of the source and destination right? Do I need a return path and port for return traffic on the firewall?
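The question above is really about whether the firewall tracks connection state. As an added illustration (not part of the post), here is a small Python model of both kinds of filter with constructed addresses: a stateful firewall that records the flow when the initial SYN matches a rule and then passes the reply direction on that state, and a plain stateless ACL that judges every packet alone and therefore needs either a return-path rule or the blunt "established" (ACK-set) match.

```python
from dataclasses import dataclass
from typing import Iterable, Set, Tuple

# Rule shape: (source ip, destination ip, destination port, protocol).
Rule = Tuple[str, str, int, str]
# Flow shape: (src ip, src port, dst ip, dst port, protocol), stored from the initiator's view.
Flow = Tuple[str, int, str, int, str]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    syn: bool = False
    ack: bool = False


class StatefulFirewall:
    """Allows a connection once from a rule, then lets both directions of that flow through."""

    def __init__(self, rules: Iterable[Rule]):
        self.rules: Set[Rule] = set(rules)
        self.flows: Set[Flow] = set()

    def allow(self, pkt: Packet) -> str:
        fwd: Flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev: Flow = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if fwd in self.flows:
            return "established"
        if rev in self.flows:
            return "reply"  # return traffic rides on the flow entry; no second rule needed
        if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
            return "drop: no state and not a connection opener"
        if (pkt.src, pkt.dst, pkt.dport, pkt.proto) in self.rules:
            self.flows.add(fwd)
            return "new"
        return "drop: no rule"


class StatelessFilter:
    """A plain ACL: every packet is judged on its own, so replies need their own permit."""

    def __init__(self, rules: Iterable[Rule], permit_established: bool = False):
        self.rules: Set[Rule] = set(rules)
        self.permit_established = permit_established  # the classic ACL 'established' keyword

    def allow(self, pkt: Packet) -> str:
        if (pkt.src, pkt.dst, pkt.dport, pkt.proto) in self.rules:
            return "allow"
        if self.permit_established and pkt.proto == "tcp" and pkt.ack:
            return "allow: ACK set"  # cheap, but any packet with ACK set gets through
        return "drop"


def demo() -> dict:
    """Runs one TCP handshake and one unsolicited ACK through all three filters."""
    rules = [("10.0.0.5", "192.0.2.10", 443, "tcp")]  # constructed: client -> web server
    syn = Packet("10.0.0.5", "192.0.2.10", 51515, 443, "tcp", syn=True)
    syn_ack = Packet("192.0.2.10", "10.0.0.5", 443, 51515, "tcp", syn=True, ack=True)
    stray_ack = Packet("192.0.2.10", "10.0.0.5", 443, 51516, "tcp", ack=True)

    stateful = StatefulFirewall(rules)
    plain = StatelessFilter(rules)
    with_est = StatelessFilter(rules, permit_established=True)
    return {
        "stateful": [stateful.allow(syn), stateful.allow(syn_ack), stateful.allow(stray_ack)],
        "stateless": [plain.allow(syn), plain.allow(syn_ack), plain.allow(stray_ack)],
        "stateless_established": [with_est.allow(syn), with_est.allow(syn_ack), with_est.allow(stray_ack)],
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:22s} {verdicts}")
```

With the stateful model the reply SYN/ACK is accepted on the recorded flow and the unsolicited ACK to a port nobody opened is dropped; the stateless ACL drops the legitimate reply unless `established` is on, and then it also passes the stray ACK, which is the trade-off behind the "do I need a return rule" question.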



virtual link, trunk links and restricting allowed vlans over trunk

Hello, I am looking to limit the VLANs allowed over my trunk links, and I see that over a 'virtual link' I have VLANs being sent over the trunk and I want to only allow certain ones.

Usually I would accomplish this by the following (some data omitted for brevity):

interface port channel x
 ...
 ...
 switchport trunk allowed vlan x, xx, xx, xxx, xxx, xxx
 ...

However, on an interface configured as a virtual link that command is not even available:

interface port channel x
 ...
 ...
 switch virtual link 1
 ...

am I missing something? is there another way to do this? (for example within the virtual domain creation?)



Packet Tracer. Why is this etherchannel configuration not being saved

Hi, I'm doing some etherchannel work at the moment and this one thing is annoying me, as I don't know where I'm going wrong.

I save the work as this: http://prntscr.com/is4wpb

and when I re-open it in packet tracer it looks like this :http://prntscr.com/is4x6m

Why's it failing to save? the layer 2 ones are saving, but the layer 3 aren't. I can't really see where I'm going wrong so a friendly push in the right direction is welcome.



cisco ucs nexus 3k question

hello is it possible to direct connect a c220 m5 rack server to a N3K switch using the built-in 10GIG NIC that the server comes with ?

or do i need to add an SFP+ card to the server and use transceivers/twinax?



RDP disconnects

Hi, could someone help me with my issue regarding RDP session disconnects? We recently replaced our old FW with a FortiGate unit. Most of the stuff works fine, but there is one annoying bug. When connected via VPN, the RDP session gets a brief (5-10 sec) disconnect every 5 minutes. I've spent many hours trying to find the cause. I have a ticket with their support, but after 2 months of "investigating" there is pretty much 0 progress; it might be even worse after messing with various settings (TTL, MSS etc.). RDP works perfectly fine on the local LAN or with our old VPN system. We are using pretty much only MS products, Win10 and Win2k16. I have IPsec, SSL and L2TP VPN set up on the FortiGate but it's the same problem on all 3.

These are the packets when the RDP session drops:

"15196","14:38:35.313416","192.168.2.10","192.168.2.3","TCP","123","3389 → 25779 [PSH, ACK] Seq=5638053 Ack=110353 Win=63294 Len=69"
"15248","14:38:37.366950","192.168.2.10","192.168.2.3","TCP","1354","[TCP Retransmission] 3389 → 25779 [PSH, ACK] Seq=5636988 Ack=110353 Win=63294 Len=1300"
"15326","14:38:42.167267","192.168.2.10","192.168.2.3","TCP","1354","[TCP Retransmission] 3389 → 25779 [PSH, ACK] Seq=5636988 Ack=110353 Win=63294 Len=1300"
"15477","14:38:49.292559","192.168.2.3","192.168.2.10","TCP","60","25779 → 3389 [RST, ACK] Seq=110353 Ack=5636988 Win=0 Len=0"

Any help, suggestion appreciated

Thanks
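To make the pasted capture say something concrete, here is an added Python example (mine, not the poster's) that parses those four Wireshark rows and checks them against the "server retransmits the same segment, peer eventually resets" shape. It measures how long the stall lasted and whether the client's final ACK still points at the retransmitted sequence number, which would mean that 1300-byte segment (or its ACKs) never crossed the tunnel. The rows are the ones in the post; the field order assumed is Wireshark's default CSV export.

```python
import csv
import io
import re
from datetime import datetime

# The four rows pasted in the post (Wireshark CSV export: No., Time, Source, Destination,
# Protocol, Length, Info).
CAPTURE = '''"15196","14:38:35.313416","192.168.2.10","192.168.2.3","TCP","123","3389 → 25779 [PSH, ACK] Seq=5638053 Ack=110353 Win=63294 Len=69"
"15248","14:38:37.366950","192.168.2.10","192.168.2.3","TCP","1354","[TCP Retransmission] 3389 → 25779 [PSH, ACK] Seq=5636988 Ack=110353 Win=63294 Len=1300"
"15326","14:38:42.167267","192.168.2.10","192.168.2.3","TCP","1354","[TCP Retransmission] 3389 → 25779 [PSH, ACK] Seq=5636988 Ack=110353 Win=63294 Len=1300"
"15477","14:38:49.292559","192.168.2.3","192.168.2.10","TCP","60","25779 → 3389 [RST, ACK] Seq=110353 Ack=5636988 Win=0 Len=0"
'''

INFO_RE = re.compile(
    r"(?P<retrans>\[TCP Retransmission\] )?"
    r"(?P<sport>\d+) → (?P<dport>\d+) \[(?P<flags>[^\]]+)\] "
    r"Seq=(?P<seq>\d+) Ack=(?P<ack>\d+) Win=(?P<win>\d+) Len=(?P<len>\d+)"
)


def parse_capture(text: str) -> list:
    """Turns exported rows into dicts; rows whose Info column is not a TCP segment are skipped."""
    packets = []
    for row in csv.reader(io.StringIO(text.strip())):
        if len(row) != 7:
            continue
        number, stamp, src, dst, _proto, _length, info = row
        m = INFO_RE.match(info)
        if not m:
            continue
        g = m.groupdict()
        packets.append({
            "no": int(number),
            "time": datetime.strptime(stamp, "%H:%M:%S.%f"),
            "src": src,
            "dst": dst,
            "retransmission": g["retrans"] is not None,
            "flags": {f.strip() for f in g["flags"].split(",")},
            "seq": int(g["seq"]),
            "ack": int(g["ack"]),
            "len": int(g["len"]),
        })
    return packets


def diagnose(packets: list) -> dict:
    """Looks for the 'retransmit, retransmit, peer resets' shape and measures the stall."""
    retrans = [p for p in packets if p["retransmission"]]
    reset = next((p for p in packets if "RST" in p["flags"]), None)
    if not retrans or reset is None:
        return {"pattern": "none"}
    first = retrans[0]
    same_segment = all(p["seq"] == first["seq"] for p in retrans)
    # If the peer's last ACK still equals the retransmitted sequence number, the server never
    # saw that segment acknowledged: it (or the ACKs for it) was lost on the path.
    never_acked = same_segment and reset["ack"] == first["seq"]
    stall = (reset["time"] - first["time"]).total_seconds()
    return {
        "pattern": "retransmit-then-reset",
        "retransmissions": len(retrans),
        "retransmitted_seq": first["seq"],
        "reset_by": reset["src"],
        "stall_seconds": round(stall, 6),
        "segment_never_acked": never_acked,
    }


if __name__ == "__main__":
    for key, value in diagnose(parse_capture(CAPTURE)).items():
        print(f"{key:22s} {value}")
```

For this capture the verdict is two retransmissions of seq 5636988 over roughly 12 seconds before the client (192.168.2.3) sends the RST, and the client's ACK never moved past that sequence number. That is a path-loss signature rather than an application-level logoff, which is why the MSS/MTU and any timer on the tunnel that fires on a 5-minute cadence are the things to line the timestamps up against.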



A or B keystone jack?

So I'm currently renovating and running ethernet everywhere. The keystone jacks I have have an A or B configuration for the green and orange wires. From what I've read, it doesn't really make any difference, BUT the rest of the network has to be run the same way. The question I have: if I was to buy some premade ethernet cables online, would they come in the A or B configuration?



Best-practice or not: Using NGFW to inspect server to server or server to DB traffic to protect against malware?

I'm working on a solution, as a vendor, on a deployment model for an NGFW with the following interests:

  1. East-west traffic inside the server farm, for stopping malware lateral movement
  2. User (access layer) to server farm, for policy control e.g. AV, IPS etc.

Constraints / Concerns:

  1. Currently there is no L4 policy control or firewall in place; the network topology is flat.
  2. Don't want to buy a layer 3 switch for inter-VLAN routing.
  3. Internet traffic is managed by another segment and is not to be passed through the proposed NGFW.

Concerns from the vendor integrator perspective:

  1. Between application to application or app to DB server, such traffic can best be addressed with an ACL; there is no botnet, malware exploit or spread from server to server per se. The use of IPS and AV inspection will be counter-effective.

     Further, the connection between app and DB is heavy traffic; the firewall will be kept looking at those connections for a long time, holding down memory and CPU and affecting throughput as well.

  2. Terminate access to the server farm ONLY on a layer 3 device (NGFW) for policy control and NGFW compliance features (IPS, AV).

I'm looking for whether there exists a validated design either for or against the above solution. Thanks.



[HELP] Can someone please help me set up a secure Mikrotik CRS109 for a POS network?

Hello all and thanks in advance for any help that you can provide!

This is going to be a somewhat complex request and I will be asking for a lot and for help with a lot. As such, I would be willing to compensate anyone willing and able to help. TLDR: I need a Mikrotik CRS109 router securely configured for a POS environment.

Anyway, on to the problem.

My parents own a small retail space. Their credit card processor has told them that they need to upgrade and segment their network so that they can meet PCI (payment card industry) compliance standards or else risk a monthly fine until the network passes compliance standards.

The processor recommended the Mikrotik CRS109-8G-1S-2HnD-IN as a solution for segmenting the network and securing the POS (point of sale) side of the network. The only problem is they offer NO support and NO direction on how to actually do this on this particular router.

I have been scouring the internet and have even had my brother post questions here looking for answers but everything seems so complex and daunting.

If you've read this far, perhaps you can help us. The requirements are as follows:

Eth1 interface would be used as the main internet connection.
Eth2 interface would be used as the POS port set up on a 192.168.10.0/24 scheme. This port would need to be set up as a secured (no internet access save a few whitelisted domains) port and would connect to a dummy switch that houses the POS/payment terminals. The WAN1 interface on the CRS109 would also have to be tied into the Eth2 interface domain and be secured the same so that handheld terminals can connect and communicate with the POS desktops.
Eth3 interface would be an open DHCP enabled port set up on a 192.168.100.0/24 scheme and would be used for the general purpose office computers.
Eth4 interface would be used for the public wifi router. open and DHCP enabled on a 192.168.50.0/24 scheme.
Eth5 would be used as an emergency backup internet port. There are two ISP modems in this location and one is used ONLY in the event the other goes down.
Eth6 would be my management port. Just a port I can plug into to manage the router should anything start acting up.
Eth7/8 will not be used in this current setup

The kicker in all this is that each interface port (minus Eth6) must be COMPLETELY ISOLATED from the other ports. Each port must act as its own separate network.

HERE is a link to a simple diagram I made to illustrate the network a bit.

If anyone could make a configuration file for me to load with the settings or help walk me through setting this up myself, both me and my parents would GREATLY appreciate it.

Thank you all in advance!



What are your experiences with the IPv4 secondary market?

The secondary market for IPv4 space has been going for a while now. We're thinking of purchasing some address space here (a /21 or /20 maybe) but I'd like to hear what others' experiences have been.

If you have purchased IPv4 blocks from the secondary market what was your experience? How did you do it? Are there ongoing costs? Is there a risk that the original owner steals the space back somehow? Any issues with duplicate global advertisements? Any regrets and would you do anything differently if you had to do it over?



Opinions about the Juniper EX4300 switch for use as a core switch

Hello all!

We recently had our Adtran 1544 core switch die (no power). I quickly replaced the switch with a cheap Unifi switch to get us back up and running. I am now looking at replacements and I like the Juniper EX4300 series, but want to hear about opinions or if you believe it is right for our environment.

We have 1 main location (about 200 clients) and 4 other offices (20-200 clients) with a point to point back to our main location. The 4 other locations tie back into an Ubiquiti EdgeRouter back at the main location and heavily rely on services that the main location hosts. I would really like to introduce some redundancy to our network. I was lucky to have our Adtran switch fail during non-working hours. Had it failed during working hours, much of the staff would not have been able to get work done for around 3 hours while I worked on getting the new switch in place. Juniper's Virtual Chassis feature looks like it would be perfect for redundancy.

I am also looking into L3 switches. As I look for more ways to introduce redundancy to my network, I think it would make sense to use this core switch to connect my point to points and Internet to my EdgeRouter and Firewall (OPNSense). This way I can set up VRRP with my EdgeRouter and CARP with OPNSense.

I am interested to hear about everyone's opinions on the EX4300 and my proposed design. If you have any suggestions for my environment, that would also be helpful. Please keep in mind that my organization does not have a lot of money to spend. Cisco products are most likely out of the question.

Thanks!



Where to rate limit?

I want to rate limit my API to prevent from abuse. My setup for my API is currently:

  1. Cloudflare with orange cloud on (to protect from DDoS), which forwards to my nginx reverse proxy
  2. Nginx reverse proxy which forwards requests to the app server and caches GET requests. It does not block any requests.
  3. The app server itself, which blocks HTTP requests from all IPs but the nginx reverse proxy.

Setting up rate limiting for Cloudflare and nginx should be relatively easy, since all they need are some changes to the control panel. For my app server, however, I will need to use Aerospike to track sessions (which would make my API not truly stateless) for a minute to block people who make requests too frequently and send back a 429.

However, I would let some users with the right tokens (pricing plans) bypass rate limiting, so I wouldn't know how to make it work on cloudflare.

So, my question is where I should set up rate limiting to make it most effective (non-circumventable) but fastest, and even whether I should use Cloudflare at all.
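As an added example (mine, not the poster's code), here is the app-side limiter the post describes, written as a per-client token bucket in Python with an injectable clock so it can be tested deterministically. It shows the two points that decide whether the limit is circumventable: the plan-bypass check lives where the token can actually be verified (the app, not the CDN), and X-Forwarded-For is only trusted when the TCP peer is the reverse proxy, otherwise a caller could choose its own bucket key. The proxy address, plan names and API keys are constructed placeholders; in a multi-node deployment the `buckets` dict would be the shared store (Aerospike in the post).

```python
import time
from typing import Dict, Optional

TRUSTED_PROXIES = {"10.0.0.5"}                 # assumption: the nginx reverse proxy's address
UNLIMITED_PLANS = {"enterprise"}               # hypothetical plan name carried by an API key
API_KEYS = {"key-ent-001": "enterprise",       # constructed sample keys -> plan
            "key-free-001": "free"}


class TokenBucket:
    """Classic token bucket: `rate` tokens per second refill, at most `burst` stored."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last: Optional[float] = None

    def allow(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.buckets: Dict[str, TokenBucket] = {}  # client key -> bucket (shared store in prod)

    @staticmethod
    def client_key(remote_addr: str, forwarded_for: Optional[str]) -> str:
        # Believe X-Forwarded-For only when the TCP peer is our own proxy; otherwise the
        # caller could pick any key it likes and get a fresh bucket per request.
        if remote_addr in TRUSTED_PROXIES and forwarded_for:
            return forwarded_for.split(",")[0].strip()
        return remote_addr

    def handle(self, remote_addr: str, forwarded_for: Optional[str],
               api_key: Optional[str], now: Optional[float] = None) -> int:
        """Returns the HTTP status the app would send: 200 to proceed, 429 to throttle."""
        if now is None:
            now = time.monotonic()
        if API_KEYS.get(api_key) in UNLIMITED_PLANS:
            return 200  # paid-plan bypass decided here, where the key can be verified
        key = self.client_key(remote_addr, forwarded_for)
        bucket = self.buckets.setdefault(key, TokenBucket(self.rate, self.burst))
        return 200 if bucket.allow(now) else 429


def demo() -> dict:
    """Three scenarios against a 1 request/second, burst-of-3 limiter (constructed traffic)."""
    limiter = RateLimiter(rate=1.0, burst=3)
    proxy = "10.0.0.5"
    # Anonymous client behind nginx: three requests use up the burst, the fourth is throttled,
    # one token has refilled a second later, and the request after that is throttled again.
    anon = [limiter.handle(proxy, "198.51.100.7", None, now=t)
            for t in (0.0, 0.0, 0.0, 0.0, 1.0, 1.0)]
    # A caller reaching the app directly and rotating X-Forwarded-For on every request:
    # the header is ignored, so all four land in the same bucket.
    spoof = [limiter.handle("203.0.113.50", f"198.51.100.{i}", None, now=2.0) for i in range(4)]
    # A key on an unlimited plan is never throttled.
    paid = [limiter.handle(proxy, "198.51.100.8", "key-ent-001", now=3.0) for _ in range(10)]
    return {"anonymous": anon, "spoofed_xff": spoof, "enterprise": paid}


if __name__ == "__main__":
    for name, statuses in demo().items():
        print(f"{name:12s} {statuses}")
```

Layering still makes sense: a coarse per-IP limit at Cloudflare or nginx absorbs floods cheaply, while this app-level bucket is the one that knows about plans and cannot be bypassed by talking to the origin directly.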



Frontier strike in WV

Anyone else impacted by the Frontier strike in West Virginia? And/or have any inside news on how negotiations etc, are going?

I'm waiting on fiber installs in their service area that have been delayed by the strike. It's usually Windstream screwing our schedules on their own, not this time...



What's the best online resource for learning about UDP in detail?

I know the basic details surrounding UDP but I want to learn about it in depth on my own. Can any of you please recommend something free that is detailed and reliable?



PTP and NX-OS yay.......

I know you can use feature and no feature to implement and rip out all settings for a feature set. Is there any way to just restart a feature like you would do with a service in Linux without losing all the configuration? i.e. I update my PTP parent on switch A, but after several minutes sh ptp par still shows the old parent.

My setup is: Grandmaster -> boundary clock 1 (nexus 3048a) -> boundary clock 2 (nexus 3048b)

The grandmaster is plugged directly into nexus 3048a and everything on it is working great except that Nexus 3048b however is being a dick.

For ease of reading grandmaster will be GM, nexus 3048a will be NXa and nexus 3048b will be NXb

GM to NXa works great, consistent double digit nanosecond corrections, all devices on NXa except NXb report consistent double digit nanosecond corrections.

NXb reports 1-2 second corrections. When initially configured and setup it was doing corrections in the 3-4 microsecond range. After a couple of days it jumps to 1-2 seconds.

Any ideas?

TIA



Remote installs amongst domain

I have 143 users who all require AV. For the past few days I've been going around making sure everyone had it installed but there are stragglers who keep evading me and I'm getting tired of running around aimlessly.

Is there a way to force a download over the network of Symantec?

The thing is that Symantec has an option to do this over the network via the admin panel but it doesn't work for some reason; the install never goes through.

Any suggestions would be super helpful



Collecting metrics, trending, per-device baseline analysis: What to use?

inb4 Zabbix, Nagios, etc. for generic threshold monitoring and polling.

I wonder if there are success stories in time series analysis per-device for networking/security devices like Cisco, Fortinet, Palo Alto, etc. - Take in critical counters and metrics of multiple devices, and the system trends/baselines the data per-device to alert oncall when a device is acting abnormally. Some devices may comfortably run at 60% with spikes at 80% every night at 9pm, and I don't want an alert, but some devices typically run at 20% and a spike to 60% would be a critical alarm.

We have 1000+ devices my team wants to monitor like this, so automatic learning is preferred to research/set each device threshold.

Tools I've heard of: Timelion(Elastic Stack), Prometheus, InfluxDB with visuals/alerting. Anything else? Most importantly, anyone here actually accomplish what I'm asking?
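The post's requirement (alert on what is abnormal for this device at this time of day, not on a fixed threshold) is the core of any of the tools named. As an added example that is not from the post or any of those products, here is the minimal version of that idea in Python: a baseline keyed on (device, hour of day), a z-score against it with a floor on the standard deviation so a flat history does not alert on noise, and a warm-up period before a slot is judged. The two devices and their history are constructed to match the post's scenario.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple


class DeviceBaseline:
    """Per-device, per-hour-of-day baseline with z-score alerting."""

    def __init__(self, z_threshold: float = 3.0, min_std: float = 2.0, min_samples: int = 7):
        self.z_threshold = z_threshold
        self.min_std = min_std          # floor so a very flat history does not alert on jitter
        self.min_samples = min_samples  # do not judge a slot until this many samples exist
        self.history: Dict[Tuple[str, int], List[float]] = defaultdict(list)

    def observe(self, device: str, hour: int, value: float) -> None:
        """Feed one sample (e.g. CPU %) taken at the given hour of day into the baseline."""
        self.history[(device, hour)].append(value)

    def score(self, device: str, hour: int, value: float) -> Optional[float]:
        """z-score of `value` against this device's history for this hour; None while learning."""
        samples = self.history.get((device, hour), [])
        if len(samples) < self.min_samples:
            return None
        mu = mean(samples)
        sigma = max(pstdev(samples), self.min_std)
        return (value - mu) / sigma

    def is_anomalous(self, device: str, hour: int, value: float) -> bool:
        z = self.score(device, hour, value)
        return z is not None and z > self.z_threshold


def build_demo_baseline(days: int = 14) -> DeviceBaseline:
    """Constructed history: fw-a idles near 60% and peaks near 80% at 21:00; fw-b idles near 20%."""
    baseline = DeviceBaseline()
    for day in range(days):
        jitter = (day % 3) - 1   # -1, 0, +1 so the history is not perfectly flat
        for hour in range(24):
            a = 80 if hour == 21 else 60
            baseline.observe("fw-a", hour, a + jitter)
            baseline.observe("fw-b", hour, 20 + jitter)
    return baseline


if __name__ == "__main__":
    b = build_demo_baseline()
    checks = [("fw-a", 21, 80), ("fw-a", 10, 80), ("fw-b", 21, 60), ("fw-b", 10, 25), ("fw-c", 10, 50)]
    for device, hour, value in checks:
        z = b.score(device, hour, value)
        state = "learning" if z is None else ("ALERT" if b.is_anomalous(device, hour, value) else "ok")
        print(f"{device} {hour:02d}:00 {value:>3}%  z={'n/a' if z is None else f'{z:5.2f}'}  {state}")
```

The same 80% reading is "ok" for fw-a at 21:00 and an alert at 10:00, and 60% is an alert for fw-b at any hour, which is exactly the per-device, per-time behaviour the post asks for. Real deployments add a longer seasonality (day of week), decay old samples, and require the excursion to persist for a few polls before paging.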



Bell Canada rDNS ptr - refusing to add

I just wanted to ask the community a question.

I have a Business static IP address with Bell Canada.

We host our own email server.

Our company just signed up for Bell DSL Business internet with a static IP.

We wanted to get them to add a PTR record (rDNS entry) in order for our mail server to properly deliver mail.

All of our other ISPs in the past have no issues with this.

Bell Canada is refusing to update the PTR as they say that "international standards do not allow customizations for PTR records on single static IP addresses". In order for them to add a PTR record, they want the customer to buy a block of 12 IP addresses.

Has anyone heard of this before?

Sounds ridiculous to me as every other ISP changes PTR records instantly upon request.

So unless I upgrade from $70/month to $1000/month, our PTR records cannot change and our emails sent from our mail server are getting hung up in most spam folders.

Any comments would be appreciated as I am considering going to other ISP like Rogers, Primus, Shaw or Teksavvy.



Need a sanity check on an AT&T ASE(Metro-E) circuit.

I'm not really sure of all of the terminology, but we have AT&T's ASE to connect 6 of our locations together. One of the locations is our main one, and the other 5 just need to be able to communicate with it. The main location and one of the other locations had a bandwidth of 100mbps, while all the others had 8mbps.

Now, we needed to upgrade the bandwidth at the non-main location from 100mbps to 600mbps, and so we did the same at the main location. However, I am only pushing around 48mbps (I tested using ntttcp and a normal SMB file transfer), which seems like something might be capping things at 50mbps.

None of these locations are pushing any real traffic most of the time so it's not congestion, I checked. Also, I'm not really sure we got over 50mbps before the upgrade either. I never really tested it other than running a quick Internet speed test a few years ago when we upgraded that non-main location from 10mbps to 100mbps. Back then, I got a speed of around 50mbps and assumed everything was good since our ISP was 50mbps. The reason I mention this is because back when this connection was set to 10mbps, our main location was set to 50mbps. I'm wondering if something just didn't get changed at the main location.

So I put in a ticket with AT&T, and they ran some tests and they are saying that they are getting 500mbps+ between the 2 locations between their equipment (Ciena boxes. I don't know the model number, but they are fairly new).

I have checked everything on our end, and there is nothing that would be limited things to 50mbps. It's all negotiating to gigabit all the way to the ASE's Ciena boxes on both ends.

Does anyone here have experience with these circuits? Assuming AT&T is right and their side is OK, is it possible that this limitation is on the Ciena port facing our network? That's really the only thing that I don't have access to AND that AT&T might not have checked (they checked between the Ciena boxes). I'm going to call them this morning, but I just wanted some opinions to see if I'm even on the right path.

Thanks in advance for any help you can give me.



Ciscos Cleanair - a Yes or a No?

Hello

We have some problems at a site with VoWLAN, and the company which does all the site surveys and power & radio management told me to disable the CleanAir function.

As for me, I don't actually use this feature. Is there someone who actually goes through all those "Rogue AP detected" messages? If yes, how do you handle them? It's not like I could go to the neighbor building and tell them not to point their AP out the window.



Cisco has the deals!



Ruckus controller not stating AP name in informational emails

Hi, first time posting in networking.

So I have an issue with Ruckus Wireless and with the controller. I have set the informational email setting to state the MAC and AP name for any emails regarding reboots/power cycles, and I have named ALL of my APs and given them descriptions. However, when an event trigger email comes up which states "rebooted because of [power cycle].", the only thing that shows up in activity is the MAC address, even though the AP does have a name.

Anyone else using Ruckus controller or ruckus products have the same issue? My APs are 300/310/500/510/700/710s

Thanks!



Mirror 2 Macs UK to US

Hi Guys

I need help / suggestions for a solution to sharing files between our UK and US offices.

Here's what we have: the same setup in each office, a Mac Mini with High Sierra and Server 5.5 which serves files (mainly large Photoshop files) to the workstations in the studio.

Each Mac Mini is connected via Thunderbolt to a RAID which has the 'work' volume. The UK Raid is backed up by Carbon Copy Cloner to another raid (which is working perfectly so no need to change)

The UK office has 500mbps up and down fibre internet connection (Wiline) The US office has 700mbps up and down fibre internet connection (Virgin Media) Internet speeds are consistent and stable on both sides when tested. We can achieve transfer speeds of 17 MB/s when using services such as WeTransfer. Our ISP have installed VPN on our routers.

So here is what we need...

We need each of the RAIDs to mirror, so they have the latest version of each file constantly, and staff members can access the files on the 'local' RAID for speed. Once the file is saved it will sync back with the other location.

Speed of transfer is very important as some of our files can be <10GB.

We have tried Chronosync but found we can only achieve transfer speeds of around 1 - 2 MB/s. Similarly we can connect to each server with SMB and get the same speed when copying a file via finder.

A speedtest (.net) on the US server shows full speed, however if we do a speedtest from the US using a UK (London) server we get a dramatic drop in speed. and vice-versa

Can anyone shed any light on the issue. Where the route of the traffic goes / needs to go and where the drop in speed is occurring.

Thank you in advance.



Is there a way to set up or buy a remote server that can listen on a port for data?

I'm doing a CTF type coding challenge involving buffer overflow. I need to execute a command on their server and then send the output through a socket.

The problem is that I can't listen for this connection on my computer since I live in a big apartment building where I am not capable of doing any port forwarding. Is there any obvious solution I'm missing here to listen for this connection (that I can control remotely)?

I'm more than willing to pay some service to do this remotely if that's a thing.

Thanks



Nokia NRS1

Hello everyone. I work for an ISP and they would like people to be certified with at least the NRS 1 certification. However, I am unable to find basically anything online as far as study material >.< Would anyone happen to know if there are any study materials like CBTNuggets or INE for Nokia's line of certifications, or even a book? I do have my CCNA and I don't know how much different it will be. I heard it was about the same difficulty as a CCENT for Cisco. Any help would be awesome because I can't find anything besides the Nokia website.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



Thursday, March 15, 2018

Is there some secret to getting Level3/CenturyLink to return my calls? You'd think they'd be excited to take our money. Might just go with Comcast instead. [RANT]

Is this just par for the course when dealing with setting up business quality internet connections? Their sales number goes right to voicemail (which is apparently never checked), and the contact form on their website hasn't gotten us a call from them either.

We're looking for a 100/100 or 200/200 fiber connection; I would have thought companies would be interested in taking our money. But so far AT&T was the only one to actually answer the dang phone, and Comcast at least got back to us the next day. I hate both those companies with a passion and would have preferred to go with anyone but them, but if Level3 can't be bothered to call us back then we might have to.

/rant over



Controlling management access to the core switches through the edge firewall.

So we have a typical collapsed core setup, the core is a HA pair of 10G switches. All the routing is done on the core switches.

I'd like to control access to the management network through the edge firewall, mostly because it's less tedious and time-consuming than creating or adjusting ACLs on the core switches. However, since the core switches have IP addresses in the management network, traffic destined to that network gets processed by the switches before hitting the firewall. Since routing is turned off on that VLAN, the traffic goes nowhere (the switch mgmt IP addresses are still pingable though).

So, what is the best solution here? Do I adjust the metrics so the route to the management network is more desirable than the directly attached route on the core switches (if this is even possible, I can't find a way on these Extreme switches). Or is this going to require policy based routing? Or do I just suck it up and write the ACLs? Am I overlooking a simpler solution? Thanks in advance!



Anyone have a free/cheap NIDS vendor/distro recommendations?

This is for inter-VLAN monitoring mostly. There's already an IPS at the perimeter. I've been using Security Onion for the past few months, but it's really more than what we need; we're a pretty small operation, and I have the sensor and collector all on the same physical box connected to a SPAN port. Is there an Easy-Bake Oven of IDS out there? I had thought about pfSense with Snort, but using a firewall distro in that way seems like using a saw in place of a hammer. Preferably, I need something with a pretty GUI so the less CLI-savvy people here don't feel overwhelmed. Thanks.



Juniper ARP/ethernet switching table mystery

I've got two switches directly connected to each other via an aggregated ethernet link (ae0 on both sides). There's a host connected to Switch 2 on a gigabit ethernet port (ge-0/1). The switches are running VRRP for the default gateway for the host's subnet. The VLAN is trunked across ae0.

Here's where things get weird. Both switches have an ARP entry for the host's IP and MAC pointing to each other over the ae0 interface. If I clear the ARP entry, the correct one shows up for a few seconds before being replaced by the inaccurate one. A firewall filter on Switch 1's ae0 interface shows that it is trying to send packets with the host's IP and MAC across ae0, but I can't for the life of me figure out why.

There's no loop, and it only happens to this one ARP entry out of dozens on this VLAN. JTAC doesn't have an answer. Is it a bug, or have I overlooked something?



Leave "debug ip bgp updates" on permanently?

Ok so maybe this is crazy, but I was kind of thinking to leave "debug ip bgp updates" on full-time on some of our Cisco / IOS routers?

Obviously nothing with a full table / internet peering, but some of the smaller devices, branch routers etc. that only learn a handful of routes?

What I'm aiming at is to have BGP UPDATE / WITHDRAW messages logged to syslog so we can keep an eye on events, routes learnt etc.

Is this crazy? Or are there any other ways to log these kind of events?



UDP Multicast Video Traffic Issues

Alright, here is my current situation.

All of the AV stuff goes over the network. I have TV boxes which go to encoders, which then go through the network to decoders. Every 15-25 seconds or so there is a pause in video that lasts about a second. This happens everywhere, on all decoders as well as audio streams. I have checked port utilization across all devices and they are well under their thresholds. Where would the best place to be to start looking into this? I see high numbers of discards on the main AV switch (the most out of all), attached below is a picture of this. Any help is appreciated as I am new to UDP multicast traffic stuff.

https://prnt.sc/irriuo



Recommendations to pick up BGP basics (for AWS)?

I've been studying AWS recently to prepare for a datacenter move and noticed that dynamic routing VPN connections with BGP are preferred. The Cisco ASA that we would be building the VPN tunnel on does not have the latest version that enables BGP, but I'm considering upgrading. Are there any good resources out there to get up to speed on how BGP works? Maybe an ELI5 :)? Thank you!

on another note, any aws vpc architecture recommendations or best practices? I found this talk really interesting https://www.youtube.com/watch?v=3Gv47NASmU4 among others



tcpdump filter question

I need to capture UDP and ICMP traffic using tcpdump. I'm using the following command: sudo tcpdump -vvv "udp or icmp". Using this command and running traceroute blah, I get only UDP traffic. When running sudo tcpdump -vvv "icmp" with traceroute blah I get only ICMP traffic. Is sudo tcpdump -vvv "udp or icmp" the correct syntax to get UDP and ICMP traffic in the same capture? Thanks!



Smallest RJ45 toner rod?

What is the smallest, shortest RJ45 toner you know of? Nearly every one I can find is like 5+ inches and pretty wide.

There's GOT to be a compact one somewhere. I use a Fluke Networks Pro set.



F5 client/agents disappearing from Supervisor

We have some laptops being used to answer calls in a UCCX group. The agents reappear and disappear from the Supervisor desktop. When these laptops are on the network, the issue doesn't happen. Seems to only happen on the F5 VPN. I looked at the client and couldn't see any firewall that is bundled with the F5 client.



Semaphore timeout period has expired

Hi there,

I found a solution to my issue, but I was wondering if someone could give me an explanation for it?

I'm working on an HP Aruba controller at my work, and a few weeks ago we had to split our network at the branch office, creating 2 new subnets for the employees connected to the Wi-Fi.

Since then, if we connected remotely to the branch HP Aruba controller there was no issue. However, if we tried to do the same locally, i.e. myself being at the branch office, I was getting "The semaphore timeout period has expired". I managed to solve the issue by connecting locally through its IP address on the same subnet as myself.

Can someone explain why, though?

Cheers! Xzi.



IT Governance: Can Policies and procedures solve the problem? Final Year Project Research Questionnaire help

Hello,

I am looking for IT professionals currently working within a networking or cyber security related IT organisation to help me fill in a questionnaire for my BSc Final Year Project. The questionnaire is completely anonymous and will only be used within the project report, and will be kept private and confidential.

Please let me know if anyone can help me with that.



VOIP solution for 50 users

Recently did a network upgrade from Cat 5 to Cat 6. We have around 50 users who need a VoIP solution. Facilities like call forwarding, recording and answerphone should be available. We are on Office 365 already. We use 2 fiber broadband connections to the premises, already acting as active/standby in case of failure and providing speeds of around 30 Mbps download and 6 Mbps upload while active. Suggestions are welcome.



Help implementing new ubiquiti APs

So I just started being the IT guy for a new company. They have an MSP as well (I used to work there), but they want me to implement a new wireless solution.

I am looking at 6 Ubiquiti AC Pros with a Cloud Key. We don't have PoE switches.

Looking for help on how to set up with a business and a public network. We have SonicWalls running DHCP.

Also, should I just use power injectors or get an 8 port PoE Switch?

Any advice/tips would be great!

Thanks guys!



Cisco Newb Needs help with ASA 5505 losing Internet with remote VPN.

I run a Cisco 5505 ASA with Remote VPN tunnel to my home lab. I was always able to connect to home, access server/PC at home and use internet on my remote device at the same time.

I have an ASA 5505 at home in my home lab. I use the remote VPN on it to access my server and network remotely. I upgraded from 8.2(5) to 9.2(4)20 for security patch reasons and now the VPN will connect to home and let me access my PC/server but while connected, my device that I'm connecting from can no longer access the Internet until the VPN is disconnected (no HTTP, no ping). I'm stumped at the moment.



Passpoint (Release 2) Device Compatibility

Does anyone know if a list of consumer devices exists which outlines those that support the Wi-Fi Alliance's Passpoint (Release 2) spec? From what I'm reading there is some pretty cool functionality that Release 2 makes available regarding profile provisioning and service controls, but I just can't determine the scope of mobile devices and whatnot that would actually be able to utilize the functionality.



MX204 3D Route Capacity?

Does anyone know the max routes for MX204 3D? Can’t seem to find an official Juniper doc anywhere.



HP 5412 question--spreading trunk across modules?

Hi, I'm a relative newbie to the HP way of doing things and inherited a config of a 5412 in a server room with 5406s on 2 additional separate floors. Each of the 5406s is connected via 2 10-gig connections and is configured as a standard HP trunk (trk, not LACP). Floor 2 is connected to a single 5412 module using 2 ports, and Floor 3 is connected to a second module on the 5412. Is there any reason why I shouldn't create the trunks across the modules to get a little redundancy in there, where Floor 2 has 1 10-gig connection to module 1 on the 5412 and 1 10-gig connection to module 2 on the 5412, and configure the trunk like that? It seems logical that if I lost a module it would work that way, so the whole floor wouldn't drop off.

New to the HP way so be gentle! Thanks!



Firepower users, is there a way to do this?

I'm trying to get a dashboard widget or, alternately, a report that will show me top N applications per managed device. FMC 6.2.x with 71xx/81xx/83xx devices inline.

Although there is a default widget for top N applications, I'm not understanding how to see it per device, if that's even possible. Any assistance would be greatly appreciated!



2nd domain intrusion

We have a domain user who was booted due to someone remoting into their PC. The odd thing is the remote user who logged in via RDP was logging in via a 2nd domain. Anyone have info in regards to this?



HP/Aruba 5412 v2 vs v3?

I'm looking at the HP/Aruba 5412 chassis switch and one model is 5412 zl2, and another model shows 5412 v3 zl2. After doing some reading, it sounds like both chassis are zl2 and only the modules are v2 or v3, e.g. there are v2 modules and newer gen v3 modules, but all the chassis are zl2. Is that correct, or is there any difference in the chassis itself?



Need Help to understand network interface in Promiscuous mode.

A network interface in promiscuous mode accepts and processes all the packets, even if the packets were not destined for the host. So what I am doing is... I have created 3 LXC containers on my computer and their IPs are:

10.248.150.60 (c1)
10.248.150.235 (c2)
10.248.150.197 (c3)

I have put c3 in promiscuous mode.

When I ping c1 from c2 and run tcpdump on c3, I should be able to see the echo requests coming from c2 on c3 and echo replies going from c3 to c2 in tcpdump output. However I am not seeing any packets coming to c3.

Am I misunderstanding the meaning of promiscuous mode, or is it some system fault because of which I am not seeing any output on c3?
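As an added example (not part of the original post, and not what the poster ran): a toy learning bridge that reproduces the behaviour the question describes. The MAC addresses and frames below are constructed. A Linux bridge of the kind LXC puts its containers on works the same way: it learns source MACs and delivers known unicast to one port only, so promiscuous mode on c3, which only switches off the NIC's destination-MAC filter, can only expose frames that are flooded to c3's port anyway (broadcasts such as ARP requests, and unicast to MACs the bridge has not learned yet).

```python
"""Toy learning switch showing why a promiscuous NIC on c3 does not see the
unicast traffic between c1 and c2.

Added example for the promiscuous-mode question above; it is not from the
original post. The MAC addresses and frames are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
MAC = {"c1": "02:00:00:00:00:01", "c2": "02:00:00:00:00:02", "c3": "02:00:00:00:00:03"}


@dataclass
class Frame:
    src: str
    dst: str
    payload: str


@dataclass
class Nic:
    name: str
    promiscuous: bool = False
    received: list[Frame] = field(default_factory=list)

    def deliver(self, frame: Frame) -> None:
        # Promiscuous mode only disables this destination-MAC filter; the
        # frame still has to arrive on this port first.
        if self.promiscuous or frame.dst in (MAC[self.name], BROADCAST):
            self.received.append(frame)


class LearningBridge:
    def __init__(self) -> None:
        self.ports: dict[str, Nic] = {}
        self.fdb: dict[str, str] = {}  # learned source MAC -> port name

    def attach(self, nic: Nic) -> None:
        self.ports[nic.name] = nic

    def receive(self, ingress: str, frame: Frame) -> None:
        self.fdb[frame.src] = ingress  # learn where the sender lives
        egress = self.fdb.get(frame.dst)
        if frame.dst == BROADCAST or egress is None:
            # Broadcast or unknown unicast: flood to every other port.
            targets = [p for p in self.ports if p != ingress]
        else:
            targets = [egress]  # known unicast goes to one port only
        for p in targets:
            self.ports[p].deliver(frame)


def new_lab(c3_promiscuous: bool = True) -> tuple[LearningBridge, dict[str, Nic]]:
    br = LearningBridge()
    nics = {n: Nic(n, promiscuous=(n == "c3" and c3_promiscuous)) for n in MAC}
    for nic in nics.values():
        br.attach(nic)
    return br, nics


def ping_c1_from_c2() -> dict[str, list[str]]:
    """c2 pings c1 with c3 in promiscuous mode; returns the payloads each NIC saw."""
    br, nics = new_lab()
    # The ARP request is broadcast, so c3 does see this one.
    br.receive("c2", Frame(MAC["c2"], BROADCAST, "ARP who-has 10.248.150.60"))
    # The ARP reply and the echo exchange are unicast between learned MACs.
    br.receive("c1", Frame(MAC["c1"], MAC["c2"], "ARP is-at"))
    br.receive("c2", Frame(MAC["c2"], MAC["c1"], "ICMP echo request"))
    br.receive("c1", Frame(MAC["c1"], MAC["c2"], "ICMP echo reply"))
    return {n: [f.payload for f in nic.received] for n, nic in nics.items()}


def unknown_unicast_reaches_c3(c3_promiscuous: bool) -> bool:
    """Before the bridge has learned c2's MAC, a unicast frame to c2 is flooded;
    a promiscuous c3 keeps it, a normal NIC drops it on destination MAC."""
    br, nics = new_lab(c3_promiscuous)
    br.receive("c1", Frame(MAC["c1"], MAC["c2"], "unicast before learning"))
    return len(nics["c3"].received) == 1


if __name__ == "__main__":
    for name, seen in ping_c1_from_c2().items():
        print(f"{name}: {seen}")
    print("flooded unicast seen by promiscuous c3:", unknown_unicast_reaches_c3(True))
    print("flooded unicast seen by normal c3:", unknown_unicast_reaches_c3(False))
```

To actually watch c1 and c2 talk, capture where the frames physically pass: on the host side of the containers' veth pairs, or mirror the bridge port; promiscuous mode on a third container attached to a learning bridge is not enough.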



Hardware choice (router, switches) for internet connection sharing and privacy

Hi fellow geeks and nerds, I have a problem which is borderline home-use, but needs enterprise-grade hardware and advice IMHO, so I hope I'm at the right subreddit. I know some things about networks but I'm not a pro, so I apologize if my question is not clear; I will try my best.

I'm in charge of updating the hardware on an installation whose purpose is to share a 1Gbit symmetrical internet connection with 52 apartments. Until now, the routing was done by a Debian box and the switching by crappy D-Link switches (1 per floor, 7 floors). My goal is to replace it with an enterprise router and separate the clients via PVLAN for privacy (think hotel-style internet sharing).

The goal is to provide an Ethernet port in each of the ~50 apartments to share internet access (no Wi-Fi at this point), then my job is done and it is the responsibility of the "end users" to add wireless or not to their home.

The router should have a home-grade firewall (we don't have anything more to hide than any home), but should be robust and able to constantly route for up to around 50 clients simultaneously. Then the switches should be PVLAN capable (or equivalent) for privacy.

What kind of hardware do you recommend? which brand should I use to maintain price down while achieving the goals I have? I could invest around 1000$ for now and could invest up to 3-4000$ in total within 3 years, but not much more.

It is extremely difficult to find information about this subject, which is surprising to me as I thought connection sharing was quite popular. I'm sure a solution to my problem can be useful for others who also have such a plan.

Thank you all!



What is a programmable Data Plane, and why is it useful?

I know my title sounds like the start of a tutorial, but I honestly can't seem to find any explanation of a programmable data plane that is network-speak, not developer-speak.

From my understanding, the data plane just forwards packets based on a rule written by the control plane, whether that be on the switch or an SDN network operating system. So if all the data plane does is look at a rule and follow it, what has to be programmed? If all "programming the data plane" does is change the rules, isn't that just control plane?

Hopefully someone has some knowledge on this.



Help with voip call quality problem please!

Voip has been working fine for weeks and then suddenly on Monday call quality sucks. I have a packet capture and trying use Wireshark to diagnose but I'm pretty new to voip troubleshooting. The reverse numbers in the screenshot seem to be pretty bad but can anybody help interpret them for me? Also the duplicate mac address errors bother me. Not sure if I did something wrong in my packet capture or if there are truly double the packets for everything. My packet capture came from port mirroring on the managed switch. The port I mirrored has the user PC and phone on the same line and that's it.

https://imgur.com/IqpRX6q

Thank you for any input you have!



Interesting cellular networking.

I was having a bit of a stumper with my mom's phone that ended up giving me some interesting insight into cellular networking and how carriers are routing traffic.

The phone I was dealing with would get 4G LTE service but eventually drop big-name sites: anything from Google (including services), Facebook, Yelp, etc. I did notice that sometimes partial functionality was there: Facebook would work, but sends would fail. The phone always had some connectivity to less-used sites and it was fast. Changing APN settings would give me full service for perhaps minutes, perhaps 12 hours.

It turned out to be due to the bands the phone was capable of using. The phone was a T-Mobile LG G5 using AT&T towers through a Straight Talk SIM.

You may say "duh", but there was very little difference between the AT&T and T-Mobile versions of the G5. It was also very odd that only some sites were being refused, and that the phone reported a 4G LTE connection. Setting the phone to WCDMA only (3G, which it reported as 4G without LTE) would cause everything to work properly, albeit more slowly. There are only two bands that the T-Mobile phone didn't have that the AT&T version did: 29 and 30, which are "overflow" or "downlink only" bands that weren't in all markets when the G5 was produced.

This leads me to believe that cellular carriers are choosing to route certain traffic to certain bands ("hey, people use Facebook and Google services a lot, let's send that traffic using band 30 because we don't use it much")



VLans on Small site for VOIP

I have several small sites that are part of an MPLS network. Most of the sites have Cisco 1921 routers that are handing out DHCP for about 6 machines. Looking to add VoIP at these sites and thought about doing VLANs, but I don't want to spend money on a Layer 3 switch since we are going to do PoE. What would be the proper way to do this for those smaller sites?

I've always created VLANs on Layer 3 switches and pushing traffic



Possible to isolate ports but all share same internet router via VLAN?

Hi guys,

Got an Allied Telesis AT-9000/24. Layer 2 switch I believe. I want to create a system where I have several ports all isolated from each other but able to access the internet (guest network), and another group of ports that are able to talk to each other, and the internet (clean network).

What I figured was I would create a separate VLAN for each guest port (untagged) and then add the internet router to this (untagged, as it does not have any VLAN functionality).

Then I would create another VLAN for all the clean ports to share (untagged) and the router once again for internet access (untagged).

The router would dish out DHCP to all clients on same subnet.

Have seen this setup working perfectly on a TP-Link router, but from everything I read on the internet you can't have the router port, for example, untagged on several VLANs, and yet you can on the TP-Link... what the? My switch does not allow this.

See this article here https://www.tp-link.com/us/faq-788.html you can see their VLAN 101 and 102 both have port 9 untagged for their router, how?



Switches for 2.5G / multi gigabit over optical

I'm looking for a small scale networking switch <10 ports that supports multi gigabit over optical supporting 2.5G. It would need 2-4 10G uplinks and preferably it would also support 1g interfaces.

I understand that multi gigabit was primarily developed to reuse existing Cat 5e cables but was hoping there was an optical option out there. I haven't found one yet.

Why? We have a proprietary remote sensor that we're asked to connect to a network, and the low-power device only supports rates up to 2.5G and it only has an optical data output. We could fall back to 1G or try a media converter, but those are less desirable alternatives.



What cool concept/technology are you playing with or implementing?

What are you working with right now that gets you excited? Maybe a new way of doing things, or a new technology that's just coming out. Perhaps it's an old technology that's new to you.

What's exciting your (networking) passion?

For me, I'm really looking forward to implementing IBNS 2.0 across our campus.



VPNs are not as safe as many think: out of 3 major VPNs tested, 3 had leaks

Hotspot Shield, PureVPN, and Zenmate VPN were tested (all of which exist as a browser add-on), and it was found they all had IP leaks! Which makes them, in effect, next to useless as this defeats their whole purpose.

Moreover, Hotspot Shield was the only vendor which, after having been contacted, was quick to respond and release a fix within days.

https://www.vpnmentor.com/blog/vpn-leaks-found-3-major-vpns-3-tested/



Applying QoS to a 10Gig Trunk port

So lets pretend I'm no whiz at QoS...

I currently have a situation where in one direction, Citrix traffic is getting tagged correctly (From the local router/switch) and going over QoS as intended towards the datacentre, though in the other direction (Datacentre to site) it is going as Best Effort (BE).

If we ignore the working portion, I need to work out where to apply the QoS policy to tag the traffic going back so it's no longer BE. The direction of hops/travel shows as:

VLAN on VMware environment -> 10Gig trunk ports to core switch (VLAN on core switch) -> WAN routers -> other site's WAN routers -> other site's switches

Now, I have applied the tagging and policy on the WAN routers at this end, though it doesn't work (QoS is already applied on the other end). I know I need to tag closer to the source, so my question is, do I/can I apply the tagging/policy on the core switch 10gig trunk ports or the VLAN interface itself?

I hope this is enough info, if not I can provide whats needed. Thanks in advance!



Wednesday, March 14, 2018

DHCP Server Error/dhcp failed. apipa is being used

Hi, currently using Packet Tracer, I am trying to configure my router as a DHCP server (it is an optional task, but I would like to understand how it works). I am trying to assign 20 PCs an IP address in the range 175.200.0.225 - 175.200.0.254, while the network address is 175.200.0.224 with a subnet mask of 255.255.255.224.

This is the config I am entering (within global config):

int fa0/0
 ip address 175.200.0.225 255.255.255.224
 no shut
 exit
ip dhcp pool Ip-Admin
 network 175.200.0.224 225.255.255.224
 defult-route 175.200.0.255
ip dhcp exclude 175.200.0.255 175.200.0.254

Whenever I try to check the DHCP IP address of the 3 connected PCs (I will be adding more) it says 'dhcp failed. apipa is being used'. Anybody know why, or what I am not doing correctly?

This is the first thing I have been trying to config for a few hours, and it worked with another example. (The formatting is not working, so apologies for the mess.)
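As an added example (not part of the original post): a small checker that parses an IOS-style `ip dhcp pool` stanza and compares it with the interface that serves the subnet. Both stanzas in the block are constructed: BROKEN repeats the values from the post as typed, FIXED is a corrected version using the IOS commands `default-router` and `ip dhcp excluded-address`. The checker only knows the handful of pool commands listed in KNOWN_POOL_CMDS and reports anything else as a probable typo; it does not talk to Packet Tracer or a router.

```python
"""Check a Cisco IOS 'ip dhcp pool' stanza against the interface it serves.

Added example for the Packet Tracer DHCP question above; it is not from the
original post. BROKEN and FIXED are constructed stanzas.
"""
from __future__ import annotations

import ipaddress

KNOWN_POOL_CMDS = {"network", "default-router", "dns-server", "domain-name", "lease"}

BROKEN = """
ip dhcp pool Ip-Admin
 network 175.200.0.224 225.255.255.224
 defult-route 175.200.0.255
ip dhcp exclude 175.200.0.255 175.200.0.254
"""

FIXED = """
ip dhcp excluded-address 175.200.0.225
ip dhcp pool Ip-Admin
 network 175.200.0.224 255.255.255.224
 default-router 175.200.0.225
"""


def parse_pool(text: str) -> dict:
    """Collect the pool's network, gateways, global exclusions and unknown lines."""
    pool = {"name": None, "network": None, "default_router": [], "excluded": [], "unknown": []}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:3] == ["ip", "dhcp", "pool"]:
            pool["name"] = parts[3]
        elif parts[:3] == ["ip", "dhcp", "excluded-address"]:
            # Single address or low/high range.
            pool["excluded"].append((parts[3], parts[4] if len(parts) > 4 else parts[3]))
        elif parts[0] == "network":
            pool["network"] = (parts[1], parts[2])
        elif parts[0] == "default-router":
            pool["default_router"] = parts[1:]
        elif parts[0] not in KNOWN_POOL_CMDS:
            pool["unknown"].append(raw.strip())
    return pool


def check_pool(text: str, interface_ip: str, interface_mask: str) -> list[str]:
    """Return findings; an empty list means the stanza looks sane for that interface."""
    findings = []
    pool = parse_pool(text)
    for line in pool["unknown"]:
        findings.append(f"unrecognised command (typo?): {line!r}")
    if pool["network"] is None:
        return findings + ["pool has no network statement"]
    addr, mask = pool["network"]
    try:
        net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    except ValueError as exc:  # covers a non-contiguous or out-of-range mask
        return findings + [f"invalid network/mask {addr} {mask}: {exc}"]
    iface = ipaddress.IPv4Interface(f"{interface_ip}/{interface_mask}")
    if iface.network != net:
        findings.append(f"pool {net} does not match interface subnet {iface.network}")
    leasable = set(net.hosts())
    if not pool["default_router"]:
        findings.append("no default-router: clients get addresses but no gateway")
    for gw in pool["default_router"]:
        g = ipaddress.IPv4Address(gw)
        if g == net.broadcast_address:
            findings.append(f"default-router {gw} is the broadcast address of {net}")
        elif g not in leasable:
            findings.append(f"default-router {gw} is not a host address in {net}")
        elif g != iface.ip:
            findings.append(f"default-router {gw} is not the interface address {iface.ip}")
    for lo, hi in pool["excluded"]:
        lo_a, hi_a = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
        if lo_a > hi_a:
            findings.append(f"excluded-address range {lo} {hi} is reversed")
            continue
        leasable -= {a for a in leasable if lo_a <= a <= hi_a}
    if iface.ip in leasable:
        findings.append(f"interface address {iface.ip} is inside the leasable range; exclude it")
    if not leasable:
        findings.append("no addresses left to lease")
    return findings


if __name__ == "__main__":
    for label, stanza in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(label, check_pool(stanza, "175.200.0.225", "255.255.255.224") or ["ok"])
```

Run against BROKEN the checker stops at the mask (225.255.255.224 is not a valid netmask) after flagging the two unrecognised commands; with a valid mask it would go on to point out that 175.200.0.255 is the broadcast address of 175.200.0.224/27, not a usable gateway. FIXED produces no findings and leaves .226 to .254 (29 addresses) for the 20 PCs.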



Setting up CPEs to extend a wireless network at an Apt Complex...I need some advice...

Im a networking noob, just to let you all know. I understand the basics, but I'm in need of some help in regards to setting up some CPE's around an apt complex.

We have a laundry room that has its own modem and router. Connected to that router are 3 IP cameras. I set up a CPE in client mode there and another in the main office, where there are 2 access points. In the main office we have the CPE in AP mode, connected into a switch, which has a PC connected to it. I am able to detect our IP cameras on the network and access them.

Now my question, is there a way to use a CPE without a router, to accomplish the same thing? Ultimately I want to know if I can connect our cameras via a switch, to the CPE and have it still detectable on the Access Point down the road.

As I mentioned before, Im a networking novice and self taught at that. If anyone has any information or advice, it would be greatly appreciated.



What is the difference between ICMP type 3 codes 0,1 and 6,7?

Hi guys,

I am working on an SDN project and I'm trying to figure out whether to send an ICMP type 3 code 0 or 6 back to the host when a network doesn't exist or the route is not in the table, and a code 1 or 7 when a host doesn't exist or isn't in the ARP table. I tried researching, however I am unclear on the difference between unreachable and unknown, and reading RFC 792 and 1122 did not reveal much to me.

If anyone is willing to share their knowledge it would be much appreciated.
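As an added example (not part of the original post): building and parsing ICMP Destination Unreachable messages for the codes under discussion. RFC 792 defines code 0 (net unreachable), 1 (host unreachable), 6 (destination network unknown) and 7 (destination host unknown); RFC 1812, the IPv4 router requirements, says a router SHOULD NOT generate code 6 and should use code 0 instead, SHOULD generate code 1 when a host on a directly connected network does not answer ARP, and should only use code 7 when the link layer positively reports that the host does not exist. The IPv4/UDP datagram quoted inside the error below is constructed (addresses from 10.0.0.0/8 and 192.0.2.0/24, traceroute-style UDP ports); `code_for` is an illustrative helper, not an API from any SDN controller.

```python
"""Build and parse ICMP Destination Unreachable (type 3) messages.

Added example for the type 3 code question above; it is not from the original
post. The datagram quoted inside the error is constructed.
"""
import struct

ICMP_DEST_UNREACH = 3

# RFC 792 codes 0-7; code 13 is from RFC 1812.
CODE_NAMES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    5: "source route failed",
    6: "destination network unknown",
    7: "destination host unknown",
    13: "communication administratively prohibited",
}


def code_for(condition: str) -> int:
    """Code a router should send per RFC 1812: no route to the destination
    network -> 0; directly connected host does not answer ARP -> 1.
    RFC 1812 deprecates code 6 in favour of 0 and restricts code 7 to cases
    where the link layer says the host does not exist."""
    return {"no_route": 0, "arp_failed": 1}[condition]


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; returns 0 for a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_dest_unreachable(code: int, original_datagram: bytes) -> bytes:
    """Type 3 message: 8-byte ICMP header, then the original IP header plus the
    first 8 bytes of its payload (the minimum RFC 792 requires)."""
    if code not in CODE_NAMES:
        raise ValueError("unsupported ICMP type 3 code %d" % code)
    ihl = (original_datagram[0] & 0x0F) * 4
    quoted = original_datagram[: ihl + 8]
    header = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0)
    checksum = inet_checksum(header + quoted)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, checksum, 0) + quoted


def parse_dest_unreachable(msg: bytes) -> dict:
    """Verify the checksum and pull the quoted datagram apart so the receiver
    knows which of its packets was dropped and why."""
    icmp_type, code, _checksum, _unused = struct.unpack("!BBHI", msg[:8])
    if icmp_type != ICMP_DEST_UNREACH:
        raise ValueError("not an ICMP type 3 message")
    if inet_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    quoted = msg[8:]
    ihl = (quoted[0] & 0x0F) * 4
    return {
        "code": code,
        "meaning": CODE_NAMES.get(code, "unassigned/unknown code"),
        "orig_src": ".".join(str(b) for b in quoted[12:16]),
        "orig_dst": ".".join(str(b) for b in quoted[16:20]),
        "orig_proto": quoted[9],
        "orig_l4": quoted[ihl:ihl + 8],
    }


def sample_ipv4_udp_datagram() -> bytes:
    """Constructed probe 10.0.0.10 -> 192.0.2.55, UDP 40000 -> 33434, 4-byte payload."""
    payload = b"\xde\xad\xbe\xef"
    udp = struct.pack("!HHHH", 40000, 33434, 8 + len(payload), 0) + payload
    src, dst = bytes([10, 0, 0, 10]), bytes([192, 0, 2, 55])
    fields = [0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, 17, 0, src, dst]
    fields[7] = inet_checksum(struct.pack("!BBHHHBBH4s4s", *fields))  # IP header checksum
    return struct.pack("!BBHHHBBH4s4s", *fields) + udp


if __name__ == "__main__":
    dg = sample_ipv4_udp_datagram()
    for cond in ("no_route", "arp_failed"):
        msg = build_dest_unreachable(code_for(cond), dg)
        print(cond, "->", parse_dest_unreachable(msg))
```

The quoted header is what lets the sender match the error to the right socket, so a controller generating these messages must copy the original header and first 8 bytes rather than just the type/code; the parser rejects any message whose checksum does not verify.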



[HELP] Mikrotik CRS109 Segmentation Questions

Networking newb here...
I have a mikrotik CRS109-8G-1S-2HnD-IN that I would like to segment.
Basically I am putting this in my parents' small retail setting where the terminals and office need to be on separate networks on the same router. There is only 1 internet source and I am hoping I can segment this router so that I have different IP schemes on each of the ports so that the two sides of the network can both have internet but not be able to see each other.
Right now I have port 1 set up as the internet port. Port 2 is set up with a 192.168.2.xxx scheme and port 3 is set up with a 192.168.3.xxx scheme. Both sets of computers are getting internet connection, however, the problem is that the 2 scheme terminals can ping the 3 scheme office computers and vice versa. I really need to get this segmented so that there is no crosstalk across the ports.
How can I accomplish this?
Any help will be greatly appreciated



Working on Wi-Fi, advice anyone?

Hey all,

Wireless has been iffy in my environment since I inherited it. Not being a wireless guy, I've struggled. But I have read plenty and ordered an Ekahau sidekick to assist me.

Today I located and identified all 52 APs in our environment (Cisco Aironet). We had a map with numbers of the AP, and then the APs had names (some made no sense), so I changed the names and correlated numbers on the map to the names of the APs. Good start, I would say. Now I know what is what, and where it is.

Now, here's the next part. I have an Ekahau Sidekick. I have no idea how to use it, but I have the quick start crash course tomorrow. I guess I'll dabble a bit there, then figure the rest out as I go along. I need some advice though. I see we used non-DFS channels but at 40 MHz channel width. That does not leave a lot of channels, I feel like, for 2 floors with 52 APs, which maybe is one of the first problems. Should I continue to use non-DFS channels if I plan on statically assigning channels to my APs? I imagine once I understand what I am looking at inside the Ekahau software, it will make more sense what needs to be done. We had a coverage map done at some point but we did not follow a lot of the power or frequency settings. My first real plan of action is to get the interference thing taken care of by adjusting the channels. Then I plan on walking the floor and figuring out coverage and whether the TX power needs to be adjusted anywhere (the coverage should be good but maybe the TX power is off). Does this sound like a good plan? Any good YT videos to follow perhaps?



crypto pki trustpoint TP-self-signed

I'm looking for a standardized way of deleting this line from my running config:

crypto pki trustpoint TP-self-signed-1719673600

I can obviously just no it out:

no crypto pki trustpoint TP-self-signed-1719673600

But I am looking for a command that can be run that would remove this line from the config (text only) without knowing my cert number (1719673600). Because that number changes on every deployment.

I have been thinking. Maybe there is another no command I don't know about, like no crypto cert all. or something. Or maybe there is a way to refer to this line in the config similar to a pipe command. Something like:

no "show run | inc crypto pki trustpoint"

Any thoughts or suggestions?

Thanks,



Configuring HA on fortigate firewalls with multiple VDOMs (x-post r/fortinet)

Original post but asking here for more exposure

https://www.reddit.com/r/fortinet/comments/84enty/ha_with_multiple_vdoms/

I will try and add as much detail as I can however I have a situation where we are looking to create an HA cluster with 100E that will need to manage multiple VDOMs that have been provisioned as external/internal configurations e.g as basically separate firewalls with their own public IPs and internal networks.

They will be connected to a layer 3 switch with the WAN connection coming into the switch and ports set with untagged VLANs for each of the VDOMs for internet access. There is a route statement that routes all of this traffic to the WAN connection which itself is a separate untagged vlan port.

Are there any good recommendations or feedback on how I would achieve an HA setup with this type of configuration or if it needs to be redesigned perhaps provide some high level pointers?



Cisco telemetry and monitoring with N9K

Hi all,

We're currently building a BGP EVPN fabric based on N9K (9300 as both spine and leaf), and we're exploring new ways to get some visibility in our datacenter (no, we're not aiming at Tetration or a netflow collector like LiveAction).

I've started exploring ELK as syslog, telemetry collector plus the option of running some custom scripts in NX-OS guestshell and uploading the results to the ElasticSearch cluster. However, I cannot think about some advanced data to gather - you know, something that will have an additional value to simple SNMP-style syslog and maybe telemetry (which is quite disappointing so far. very few sources, cli commands which don't support JSON cannot be exported as telemetry, and I can't really send interfaces stats like throughput).

Are you familiar with implementations of ELK as cisco monitoring solution? I'd love to see some advice (yes I know there's a lab in the DevNet) and examples or ideas to things you can monitor with custom scripts in guestshell etc...



Permit access to a large number of subdomains

http://ift.tt/2FBQSPX

Problem connecting Opengear ACM5004-G to Cat3560-CX

I am trying to connect an OpenGear ACM5004-GV to my desk switch (WS-C3560CX-12PC-S) on Gi0/8.

I took the Opengear from our lab down the hall where it was connected to the LAB-Switch (WS-C3560CX-8PC-S) and given an IP 10.220.38.7 and where it was working properly.

However when I plug it into my DESK switch (same port config as LAB-Switch) the interface shows up/up but the mac address (0013.c600.e294) of the OpenGear does not show up. Furthermore I see no incoming packets from the device.

I have tried new cables / ports, as well as statically adding the mac address. I manually set the speed and duplex on my switch as the port was cycling between up and down initially. Both LAB and DESK Switches have identical trunk port uplinks to the same distribution switch. I am running out of ideas (or possibly missing something simple)

Let me know what other information I can provide. Thanks,


>> info dump:

DESK Switch:

interface GigabitEthernet0/8
 switchport access vlan 36
 switchport mode access
 switchport nonegotiate
 speed 100
 duplex full

Desk_3560-sw1#sh int gi0/8
GigabitEthernet0/8 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 247e.1273.8a88 (bia 247e.1273.8a88)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:01, output hang never
  Last clearing of "show interface" counters 22:04:26
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 1000 bits/sec, 2 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     265217 packets output, 22466313 bytes, 0 underruns
     0 output errors, 0 collisions, 8 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

Desk_3560-sw1#sh mac address-table int gi0/8
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

Desk_3560-sw1#sh ip int br | i 0/8
GigabitEthernet0/8     unassigned      YES unset  up                    up

Desk_3560-sw1#sh spanning-tree interface gi0/8
Vlan                Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0036            Desg FWD 19        128.8    P2p

Desk_3560-sw1#ping 10.220.38.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.220.38.7, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Desk_3560-sw1#ping 10.220.38.8   ***This is the sister device in the LAB***
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.220.38.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

************************************************************

Stuff from the working LAB-Switch:

interface GigabitEthernet0/8
 description *** Terminal Server 10.220.38.8 ***
 switchport access vlan 36
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast edge
end

3560CX-LAB#sh ip int br | i 0/8
GigabitEthernet0/8     unassigned      YES unset  up                    up

3560CX-LAB#sh mac address-table int gi0/8
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  36    0013.c601.0978    DYNAMIC     Gi0/8
Total Mac Addresses for this criterion: 1

3560CX-LAB#sh int gi0/8
GigabitEthernet0/8 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 00eb.d58e.3c08 (bia 00eb.d58e.3c08)
  Description: *** Terminal Server 10.220.38.8 ***
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:04, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 2160
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 1000 bits/sec, 2 packets/sec
     503487 packets input, 57984007 bytes, 0 no buffer
     Received 2 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     32217867 packets output, 2859664077 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

3560CX-LAB#sh spanning-tree int gi0/8
Vlan                Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0036            Desg FWD 19        128.8    P2p Edge
3560CX-LAB#


multicast joins failing with PIM enabled

I have two PTP servers that I'm testing in our lab. They're supposed to communicate using multicast, over 224.0.1.129. One of the PTP servers gets its time from a GPS antenna, which gives it a higher priority during negotiation. What's supposed to happen, is that the two will talk, and the second PTP server will fall back as a slave device, syncing off of the server with the GPS time. In the event that they can't communicate, they will both become grand masters. What I'm seeing, is that when PIM is enabled on my switch, the two never talk, and they both default to grand master status. If I disable PIM and run strict IGMP, they're able to sync up and the second device becomes a slave. I've analyzed both switchports when PIM is enabled, and both devices are sending out IGMP membership reports. The switch is receiving them, but isn't creating the joins for some reason. What's odd, is that if I put an encoder on the switch, and spin up a multicast stream, I can tune to it without any issues. This doesn't seem to be a multicast issue, because all of our video sources work just fine. The only thing not working here are these two PTP servers. I was on the phone with Brocade for several hours yesterday, and they're stumped, the PTP server vendor doesn't have an answer either. The setup here isn't all that complex, it's just a single VLAN, with either PIM or IGMP enabled.

Technically, we don't need to be running PIM, since it's a layer 2 setup in our lab, but we will need to deploy these servers in routed networks in the future, which is why I'm trying both setups. My understanding of PIM is that it also enables IGMP, and active/passive querying is determined by the RP. This seems to be the case, as I am getting queries from the switch when PIM is enabled, and both PTP devices respond with their membership reports, but the joins never happen in the switch. Any ideas on what might be happening here? This is on an FCX 624 running 8030c firmware.



Does anyone know of editor software, or have any documentation, for config files from D-Link's DGS-series Smart switches?

I have a DGS-1100-26. A weird model, with a working but totally fucked up interface regarding VLAN config, and I've been wondering if I could somehow alter the backup.cfg file and send it back to the switch with the desired settings. The file is in binary format with an FM2 header. No tools known to me have any idea of this format, which I am aware could be (and probably is) proprietary.



To stack or not

Had an interesting discussion with a coworker about the pros and cons of stacking for access switches.

Assuming you have an NCCM, what is your take on this subject?

Stacking Pros:

-Virtual Chassis Capability
-Mixed Media
-Performance of "backplane"

Stacking Cons:

-Adding or removing switches in a large stack can be problematic
-Limited to switches in the same product family of the same vendor



multiple uplinks from access to core switches question: port channel or not

I have two 10Gbps uplinks from a stack of Cisco 2960-X switches to my core. Currently RSTP is set up so one of the links is down (in ALTERNATE state) and one is always up. Traffic from the users never ever comes close to 10Gbps. I've always felt better making a single port-channel out of multiple uplink ports and having all links "active".

Are there any advantages or disadvantages with just leaving all uplinks as they are and letting RSTP figure things out if a link (or switch) goes down, or is it better to put all links into a port-channel and let the port-channel algorithm figure it out?

(or is it a case of "six of one, half dozen of the other" kind of thing where it really doesn't matter either way)



Anyone using CN2 in China? Is it worth the extra cost? Are your VPNs more stable?

We have a location in China where we use an ipsec VPN as primary connectivity to locations in the states. The current ISP there is one step up from consumer Internet, and seems to work well for accessing Chinese web sites. And, for a while, our VPN performance was good as well.

However, recently our VPN latency has gone from a steady 200ms to ranging from 300ms to 400ms and has stopped working altogether to one US location (since business VPNs are supposed to be allowed, we've notified the local ISP about the blocked VPN, but so far, have not heard anything).

We are also testing Office365 and seeing some performance issues via their existing ISP.

We've been recommended to switch the China Internet to CN2, but it is expensive, and typically requires a three year commitment. Is anyone using CN2 that can vouch for better performance (and stable VPNs) over a local Chinese ISP?



Best Enterprise FTTC Modem?

Any recommendations for an enterprise FTTC modem that supports ADSL/VDSL?

Thank you.



Cisco edge with Meraki at core, spanning tree questions.

Currently have Cisco edge switches and have to replace core switching with Meraki. Meraki switch will need to be STP root but the Cisco equipment is configured with rapid-pvst. Meraki cannot be root in this scenario, it doesn't seem to support per vlan spanning tree. The Cisco side doesn't seem to support just standard RSTP. The only option I see is to use MSTP on Cisco and put all vlans in instance 0. If I use anything other than instance 0 the Meraki won't become root. Is this the only way to do this?



EVE-NG Professional edition is out @www.eve-ng.net

Hi all, the new edition is now available. For self-learners, I agree that the community edition is totally enough. For others, needing complex scenarios and the ability to work from everywhere, this new edition could fit your requirements... Indeed, offering a complete HTML5 desktop for real clientless usage means the ability to use EVE from everywhere through simple http(s) access (and a browser ofc)...



Netflow configurations (via port or vlan)

I'm pretty new at my role and was recently tasked to enable netflow on all of our switches in our environment. We have a wide variety of switch models and the IOS versions that they run on.

My colleague gave me a script to run netflow commands that will practically capture netflow traffic via VLAN instead of interface, but the issue I've been running into is that this script doesn't work on every switch in our environment and has basically slowed me down.

I'm just doing one location and it's over 72 switches that I have to perform this task on (as I've been told).

"Script"

flow record NAME
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last

flow exporter rvbd-exporter
 destination ####
 source Vlan##
 transport udp 2055

flow monitor NAME
 exporter name-exporter
 record NAME

I'm looking through videos and I've seen that most would go by interface. I think my major problem is that when I view a network diagram that we have, I'm not sure how exactly the traffic flows (and neither does my colleague in those specifics). Basically I've been calling Cisco for each switch model to verify if we can perform netflow on it (I swear this is what I was told to do).

I was curious if anyone has done something similar and "cleaner"? I think this is a chaotic mess of an approach.



How much do Whitebox Operating Systems Cost?

Has anyone evaluated whitebox switching software costs? How much do software licenses cost from the following whitebox vendors, and whom do you buy them from?

  • Big Switch
  • Cumulus Networks®
  • OcNOS by IP Infusion
  • PicOS™ from Pica8 Inc.
  • SnapRoute FlexSwitch software
  • Pluribus Netvisor® OS (Pluribus Networks)

Those are the main ones it seems.



Trouble understanding VLAN 1 on Cisco Router

Hi Guys,

The router in question is a simple RV320. On it there is the following setup:

-VLAN 1 with LAN network, all ports untagged
-VLAN 20 with Voice network, all ports tagged

With this how is the connection to the Switch? Are the ports on the switch on trunk with allowed vlan 20 (and default VLAN 1)?

This is simple but I'm making this more complicated than it needs to be and lost myself.

Thanks!



Comcast says it's impossible to bridge Ciena 170-3916-904 copper ports.

LONG story short: I'm trying to minimize points of failure and bottlenecks, avoid using a 1-off small switch, and connect 2 separate L3 devices to each copper interface of a Ciena delivery switch. Comcast claims those ports can't be bridged for use in the same WAN IP block. Comcast claims that each fiber circuit only works with a single copper interface. I have no experience with this model but also find it hard to believe what Comcast says. I'm waiting on a response from my friend that works at Ciena, too. Any help is appreciated. It took 3 months for Comcast to get fiber (Metro Eth) service working at one of my client's 3 locations. Comcast still can't figure out why 2/3 locations aren't working.



Experience with the Cisco 9300 series switches?

Has anyone got any experience with these switches?

Looking at an alternative to the ME3600 as they don't support stacking. The Cisco 9300 series does support stacking and looking at the data sheets they seem to have all the features I require (MP-BGP, MPLS) but before I go ahead and order a couple I just wanted to see if anyone has any real world experience with them?

Thanks



Switch Port Saver ?

For the life of me I can't recall the product that can clip on all of the cables on an active switch to save the 'placement' of them. Need to swap out a 48 port switch and this would make my life easy. If anyone knows what it is called, I would appreciate it.



I'm in IT as a Helpdesk agent, company is installing stealthwatch. What is this monitoring service capable of?

I like to play Steam games and stuff on the clock, along with fun websites like reddit, plex, and fb. Will they figure out all of this? I use VNC as well for my home machine.



Anybody familiar with Sophos IPSec?

I'm trying to set up an IPSec connection from a Sophos XG 85 to a Ubuntu box running libreswan. I have three subnets on each side, but I don't want them all to be able to talk to each other. For simplicity, I'll call my Sophos-side subnets A, B, and C, and my libreswan-side subnets D, E, and F. In libreswan, I have the following tunnels defined:

D <--> A
E <--> B
F <--> C

On the Sophos, I have to enter a group of subnets for each side. So I enter A, B, and C for the local subnets and D, E, and F for the remote subnets. But this results in 9 tunnels:

A <--> D
A <--> E
A <--> F
B <--> D
B <--> E
B <--> F
C <--> D
C <--> E
C <--> F

Is there any way to do what I'm trying to do on a Sophos box? Thanks in advance :)



Slow upload speeds when hosting files

Hello! Not so long ago I was ignited with the idea of personal home server to collaborate with my colleagues on projects.

Eventually I bought 3 separate internet connections with dedicated IPs from different providers. We ran multiple speed tests on different Windows 10 machines using multiple protocols like FTP. But unfortunately all of them reach only 3MB/s max, which is unacceptable for large file syncs.

The interesting part is when you try to upload a file to cloud server, the upload speed is 12MB/s. But when you try to download a file directly from the computer - it's around 2MB/s depending on the internet. The computers are now connected directly to the internet, without any routers for now.

What am I doing wrong here? Are there any differences between hosting a file and uploading it to an FTP server? Is Windows limiting upload speed?

Thanks for help!



PPPoE and PPPoA question

A networking noob here trying to figure out how networks work beyond the LAN, and I'm confused about the use of PPP, PPPoE, PPPoA.

PPPoE is used to enable PPP features on Ethernet links, a protocol mainly used on DSL lines; however, DSL modems do have an RJ-11 connecting to the ISP but still use PPPoE... Why is that? Shouldn't it be straight PPP or PPPoA?

I looked around the internet but I didn't find a satisfying answer. I think it's always better to ask people who actually have experience in the field.



Integrating Avaya PBX with Cisco Call Manager?

Does anyone have any experience in getting an Avaya PBX to talk to Cisco Call Manager in terms of bi-directional 4 digit dialing? Is this an in-depth configuration? My org is in the middle of a Cisco UC project, migrating from Avaya, but there will certainly be periods of some departments getting cut over before others. Our vendor is seeking outside assistance as they are not an Avaya shop, but I am curious enough to see if I can get it working on my own. I do have some experience in CM, but was hoping some Google fu could help me the rest of the way. Any tips are greatly appreciated. Thanks gang!



Need help with NICs - 'No network access', potentially a Cisco VIC driver issue.

All,

I have some Cisco c220 m4 servers, one with a VIC 1227 card, the other with an Intel X520-DA2.

Separately I have a c220 m4 with an Intel X520-DA2 that is working.

On the two servers that don't work Windows Server 2016 is trying to use the Cisco VIC Ethernet Interface as the driver. When this driver is in use Windows can detect a link, the status is good, I can assign an IP address, but it never registers as having Internet access.

At first I thought I had a bad port, or a bad DAC cable. But I swapped everything around, using the server with the x520-X2 with the correct driver, and confirmed all cables and ports work. I've spent hours trying to uninstall and reinstall drivers to no avail.

I guess I have two problems, but they both seem to stem from this driver.

1) On the server with the x520-DA2 being picked up as a Cisco VIC, how do I force it to use the correct driver? I've installed Intel's driver pack. I've manually selected the driver from the list, and when I do that Device Manager says the device can't be started.

2) How do I get the Cisco VIC driver to work? I've installed almost every version of the ISOs from Cisco and have marched through them one by one, to no avail.

Or a better question is: "Is there anyone out there successfully using this Cisco VIC Ethernet Driver?"

I feel like there's a missing link in here I am grasping at. In CIMC everything is good, NICs are identified, link is up, all good. On the switch port there's a link, everything good. But yet somehow when we get to Windows it goes south...

Thanks!



Tuesday, March 13, 2018

Thoughts on breaking a design to accommodate a physical barrier.

Hey all -

Routed-access design. Phase 1 calls for a 3 switch triangle (collapsed-core, two access) using 10g OM3 backbone - lots of video being pushed around the campus, live streams and what not. Two legs of this triangle are not a problem but the third leg is obstructed and a cable run straight across 'as the crow flies' is not possible.

Only options I see:

-cable run the third leg down the path used for legs 1 and 2.

-break the design and don't run the third leg.

-Running the cable would require right around double that of legs 1 and 2.

-Breaking the design means I lose: fault tolerance, scalability - Anything else?

A planned Phase 2 will add 2 more switches - end result: collapsed-core with four access. There is limited projected growth after this.

How much pain will be had if we choose to ignore the third leg?



Bumped cable enough to power off switch

I have a switch (Catalyst 3650) with redundant power supplies, but I have discovered that the power cables are VERY sensitive to being handled. Just a slight bump took both of them down, despite being fully seated. They do not appear to be the cables that came with the switch originally... Is this something that can be fixed by replacing the cables? Is there a certain spec for power cables to networking equipment that I should look into?

I need to do some cable management but now I'm not touching anything until a maintenance window.



Windows routing table

Hi all,

I have a single computer with a single NIC

I need to connect to device A from source IP A (default IP on NIC)

I need to connect to device B from source IP B (Alias IP on NIC)

I tried to create a route for the destination to device B, but when I set the gateway for that route equal to the alias IP, it defaults to “on link” and uses the default IP on that interface.

Any help?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



MPLS QoS resources/books

We're looking to implement campus-wide MPLS, and have had good experiences so far. Though I'm wondering what happens when we actually have real production traffic over the network, for example nightly backups etc. that might use a huge amount of the available bandwidth. Mainly we have 2x10G LAGs between the MPLS switches, but the virtualization environment could push that much traffic and our backup system could take that much traffic in.

So far we haven't had many problems in our current network, but I'd like to prepare us. Do you have any recommended reading on how to configure QoS to limit, for example, this nightly backup traffic, or how to classify it to a lower level?

Or anything else we should take into account before going to production with this?

Thanks!



Question about toolboxes

Been in the industry for 20+ years but out of the 'hands on' work for the last 15.

I've got a ton of tools and want a good toolbox but a regular toolbox just doesn't seem right.

What is the common thought on the best kind of toolbox for networking pros right now?

I've got things like a Klein pouch but there's nowhere near enough space, obviously.



Distribution switches interconnection.

Could someone please explain why, when we have two distribution switches, it is best practice to interconnect them with an L3 link if we're not spanning VLANs across multiple access switches, and an L2 trunk link if we are spanning VLANs across multiple access switches? Why is that link necessary?



VPS provider 2xDC design help

Hello redditors,

Currently working on a new design for a VPS provider (a smallish one) that also provides a service that a lot of customers will want (let's call this service the "critical service").

Basically I made a high level overview of the design that you can see in the following picture:

design

Aside from the critical service and Internet, xconnects may be offered between DCs to certain customers (perhaps via VPLS); the DCs aren't owned by the VPS provider, it's colocated.

Now a little bit more of information here, we basically need:

  • 3 VRFs (Internet, Critical Service, Management)
  • I want traffic to flow as optimally as possible
  • Most of incoming and outgoing Internet traffic is going to be from/to DC1
  • Since both DC are colo, it means spacing for networking equipment is a concern, want to be as effective with space as possible
  • Money is also a concern so nothing ASR9X for instance is possible
  • This isn't a heavy east-west like DC, for instance the critical service will have its own network isolated and only expose a set of connection IPs via firewalls to the main Network, but we don't expect a huge amount of traffic from main network to these IPs
  • Critical and Internet service must be isolated so I was thinking customers must have 2X ports, 1 for the Internet, and the other for the critical service, or just trunk and use VLANs
  • Due to costs and limitations around geography where this will work, it's not expected to have more than 1 Gbps of BW per provider, and no more than 10GE per IX
  • Redundancy is also a concern here

I've written more details in the image; I have some doubts here:

  • I either terminate the DCI connections at core/dist switches (still deciding whether a chassis would be better), meaning those switches need to get full BGP routes for optimal routing or..
  • Terminate the DCI at the edge, collapsing EDGE and DCI into 1 or 2 appliances per DC, so core only see local routes plus default
  • What do you think overall about the design? what would you collapse or not? Again, this is a VPS provider that also offers a special service to some customers

If you need more info please feel free to request it; for this design we're thinking of going mainly with Huawei.

Edit: I forgot to add 2 key important facts:

  • Basically we have no experience at all with EVPN and VXLAN, that's why we first thought of MPLS
  • We do not intend to span L2 between DCs, aside from the occasional XCONNECT for a customer (and this would be PTP)


Does anyone have experience with Xirrus wifi equipment?

I'm looking at options for coverage of large campus-like areas and have known about this company for a while but haven't heard much about it. They were purchased by Riverbed last year, I believe.



Design Discussion - VLANs and Spanning Tree

The design art is here: https://docs.google.com/drawings/d/1vL59fyXOHkjTovhLNTZJpPUx-5i4a2tRRSQ3nFWU0tE/edit?usp=sharing

The issue I'm thumping my melon on is in regards to an STP loop happening at SITE-FM-SWITCH or at the SITE-HQ SWITCHES. It would seem to me it is the equivalent of 2 ethernet paths and I'm unsure of what remedy is best to proceed with. My desired goal would be that if one VLAN13 at-distance backhaul link drops, the network automatically fails over to the functional link. Should I (can I) implement these ports as a LAG w/ LACP even though they are pathing over different media/providers?

Thanks in advance for your time / thoughts / ideas.



From a freenom domain to my ESXi host, through a dynamic IP.

I'm looking to use a domain name to access various guests on my box, depending on what port they connect to, so I can have RDP access my Windows 10 VM, and SSH hit one of my Linux guests, all set up with certs if possible with the domain. However, my router only allows connection to/from one of three dynamic providers, DynDNS, noip and dyns. Can I do this with port forwarding instead? Or a VPN between the two machines? How do I set up the DNS record for this? This is what I have for DNS on the domain, https://i.imgur.com/d5H4cAL.png

I have a feeling I'm missing something here, how does the domain know what the IP is, or can I run something my end to enable this?



How should a firewall be deployed? I'm confused. ISP > Firewall > Router > LAN or ISP > Router > Firewall > LAN

Like the question says:

ISP > Firewall > Router > LAN
ISP > Router > Firewall > LAN?

We have several routers and devices at the "Edge" but I would think you should have the firewall at the edge then all devices behind it for better security. Correct me if I'm wrong.

Thanks!



Campus switch licensing cost

I'm fairly new to networking but I've heard a lot about Cisco's licensing costs for everything. Are they the only campus network gear manufacturer that actually requires a yearly license fee to keep receiving firmware and security updates compared to HPE, Extreme, Ruckus, etc.? Or does everyone have required yearly license fees for network equipment and Cisco's are just known to be a lot more than everyone else's?



how to test a network for VOIP readiness?

Team lead wants me to either find a service, software, or device we can use onsite to determine if a network is VoIP ready.

Ideas, thoughts??



Favor routes to different ISP's via BGP

I have this setup (see link to diagram). 2 edge routers advertising a /16 to 2 providers. We are receiving summary routes from each provider. I would like to influence routes that are learned on each ASR out different ISPs. For example, I would like 8.8.8.8 to go out the Primary and 4.4.4.4 to go out the Secondary. I have an iBGP connection between 1_ASR and 2_ASR. I was thinking about using local preference, but I don't see how to apply that to a single route. Any help would be appreciated.

Diagram is here:

https://imgur.com/a/MsUeU



Sapling Master Clock STR-2000. Endless source of frustration does anyone have any experience?

We utilize a Sapling STR-2000 series master clock. According to the manual it is hard coded to get its time from an old NIST server that is no longer in service, and it uses the daytime protocol. After discussing with support I was advised to change the server it connects to, using an application called DSManager from Tibbo, to an active NIST server. Watching a packet capture on the clock's network port, I see daytime protocol requests and responses, but then after an hour or so the communication breaks down and stops. NIST mentions not to connect to their servers more than once every 4 seconds (or something like that), so I was thinking maybe they have put something in place that stops persistent connections to their servers. As a test for that I set up an internal Linux server running daytime (xinetd). Again I would see the daytime requests/responses, however the clock is not updating its time. I even changed the daytime output to match the exact format that NIST servers send in their response. I've been through the programming manual for this unit time and time again, thinking I must have a setting off somewhere.

Bottom line, does anyone have one of these devices that is currently operational and functioning correctly and would you mind sharing the settings you use? I would appreciate it very much.



Why the huge variance in prices on Cisco hardware and service agreements?

Hey all,

We are looking into purchasing a new Cisco router (ASR1001x-2.5g-K9) with a SmartNet service agreement (CON-SNTP-ASR105GK) for our library. We put together an RFP for companies that work with schools/libraries using E-rate (discount on stuff for education) and the quotes we received seem a little odd. So I started looking around and noticed that the price variance for this gear is huge.

For instance, I have seen the ASR1001x-2.5g-K9 for as little as $7K (on Amazon) to as high as $27K (random IT gear website). The quotes we received were all around $11K-$14K. Also, the price that one company quoted us for the SmartNet service (CON-SNTP-ASR105GK) was $8K but I've seen it sold online for $2K.

Are these companies just trying to rip people off by charging more and hoping that people are too lazy to shop around? What am I missing?



Canadians of /r/networking, are there greater evils in the world, or is Bell truly the worst of the worst?


Using a 10/100 Load Balancer on a Gigabit Network

Hello!,

Quick question guys: will using a 10/100 load balancer for multiple ISP connections (https://tinyurl.com/ycxeq46p) affect the performance of my network? (powered by a Cisco SG-500).

It's worth mentioning that all the ISP connections will not surpass 100mbits.

Thanks in advance.



Service Provider tracks

Hello Guys,

I have recently changed jobs and also environments. At my last job I was more in an environment where I did the data center for 1 specific client and the campus LAN. So the technology is not different, but the approach is.

I am now working for a service provider and the designs are of course somewhat different. I feel like I have a bit of a gap in service provider routing, e.g. BGP, peerings and MPLS.

I was thinking about reading through the learning material for the CCNA Service Provider, since most of the gear we use is Cisco related anyway. On top of that I am becoming more and more involved in Juniper SRX and Palo Alto as data center firewalls.

So my plan of "attack" was:

  • Get through the CCNA Service Provider material
  • Try out some deployments in GNS3 (see what my system can handle, of course)
  • Read some implementation guides for BGP/MPLS (if anyone can point me to a few instead of just the Cisco whitepapers).

Then progress on Palo Alto and the designs and lay-out there.

Has anyone here done some sort of the same track? What were your experiences? What helped a lot?



If everything we send out the front door today is encrypted, do we really need vpn tunnels any more?

Had this discussion with a colleague yesterday. While we were setting up an IPSEC VPN, we were musing "how fast would it get hacked if we just sent it out in the clear?"

We came to the conclusion that pretty much everything going across that tunnel is natively encrypted anyway: SSL/TLS, SSH, etc. Even our phone stuff is encrypted (SRTP).

Also that the ISP is probably a pretty secure environment now, and how it would not be easy for someone to just intercept the traffic and SPAN/TAP it and grab all your goodies.

We started to think, are these tunnels even necessary in this age? Why not just eliminate the overhead?

Of course in the end we did our duty, but the genie is out of the bottle now.

Thoughts?



Reliable (and free) HyperTerminal alternatives

So I have to frequently stack Cisco 2960-S models with newer X models, which means I have to match the IOS versions. This typically means I have to copy an image over to the new switch before deploying to the stack.
I was using HyperTerminal but it expired, and wondered if there was a solid alternative or if I should just bust out the Benjamin and pay for HT.
I don't want to go through the hassle of getting the new device on the network before deploying, I prefer to just copy the image over.
Am I overlooking an easier way?



Your experience with Calabrio for CCX recording ?

Hello everyone,

I'm struggling to make that work since I'm not an expert in CCX, trying to figure out how to make a correct setup for that purpose.

Our sales team purchased a CCX recording license, but I'm not sure what it does and what it allows me to do. I opened a ticket with Cisco asking about that; they involved Calabrio immediately without giving any explanation or a direct answer to my original question, and we didn't purchase the software anyway. Well, I thought Calabrio is the most appropriate solution for that purpose, so they gave me documentation to start the setup, and I found many details that I should take care about.

I just want to be sure that I'm on the right path.

My questions:

1) In the docs they say I need to install at least SQL Server Express, which has many components (5GB in size). Which components should I select? I don't think I should add them all.

Link to the Microsoft download page of SQL Server Express: https://www.microsoft.com/fr-ma/download/details.aspx?id=29062

2) We have CCX Premier edition and a license for recording purposes; should I purchase the Calabrio software to record calls anyway?



Local Pref not working / shows fine?

Solved: Silly me!! Set ACLs on incoming interfaces only, took 3 hours of troubleshooting!

So:

Local Pref - (set external routes - outside of the network)
MED - (set internal routes into network)

https://imgur.com/19SUH1o

Please see the image above, I have no idea why this doesn't work.

Those are the routes I want to reach!



I am confused about the security of cable networking, can someone help me out?

So I'm learning about cable networks, but from my current understanding everyone in a given area is serviced by the same cable network and any message that enters the network will be sent to everyone.

So this would surely mean that anyone on this network could spy on all traffic occurring on that particular cable network and see all unencrypted data... Surely this is a huge problem - I know the cable modem will filter this out, but that won't stop someone using a cracked modem such as the ones used for uncapping. I'm sure I must have misunderstood something; does anyone know what I'm missing here?