I went and toured an apartment yesterday, and I only caught a glance, but I couldn’t tell whether or not the jacks were phone jacks or Ethernet. There was a jack in each bedroom, and I just kind of assumed that they were Ethernet.
It’s a relatively new complex. Would it even make sense for them to be phone jacks? I figured they’ve mostly been phased out. The only reason I ask is because it will be essential for my home office.
I consulting for a small company that also owns an ISP. The company portion itself has a working internal network, that is setup correctly and the ISP side contains a working management network, that we can access internally, but is NAT'd. I personally have not grown to like this setup, since it means that our management VLAN is routed on our core router, and technically possible to access from CPE's. The design I was thinking is to create much like our internal company network, a separate smaller network, that would route the management networks, not allowing them to be accessible from the customer premise. I have also looked at ACL's as an option if keeping the VLAN gateway on the core router is a better practice, but I just feel like that could be harder to troubleshoot in the future if things change or more networks are added, or exceptions are made. I have kind of laid out how things are set up currently: https://imgur.com/a/ybDuz8N and the proposed changes: https://imgur.com/a/Z9nE72r.
So my question is mainly, are ACL's a better option, or to isolate the management network off the core router (If NAT'd, the management devices could also access the internet through NAT, currently they cannot since the core router does not NAT) or is there another design that I am missing?
Just wanted to hear opinions on such solutions as PacketFence or OpenNAC or any other out there. Pros/cons, etc.
Hi, I am using a HP Procurve switch and I have 3 vlans. (Vlan 200, 300, 400). DHCP is being provided from a Windows Server with a DHCP scope for each VLAN. When I set the default gateway of my Windows server to my firewall/router DHCP requests are not passing to Vlans 200 and 400, only to 300 because my Windows server lives on that Vlan. But when I set the default gateway of my Windows server to my switch, it's able to pass the requests to all the vlans. Here is my config, what am I doing wrong? Any help is greatly appreciated.
vlan 1
name "DEFAULT_VLAN"
no untagged A1-A24
untagged B1-B24,D1-D24
no ip address
exit
vlan 200
name "Voice"
untagged A13-A24
tagged A1
ip address 192.168.100.2 255.255.255.0
ip helper-address 192.168.23.10
exit
vlan 300
name "Data"
untagged A1-A12
ip address 192.168.23.2 255.255.255.0
exit
vlan 400
name "VLAN400"
tagged A1
ip address 192.168.200.2 255.255.255.0
ip helper-address 192.168.23.10
exit
spanning-tree
no spanning-tree bpdu-throttle
spanning-tree priority 0
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
password manager
Here is my ideal wire configuration
Bad idea in the real world. I know. But this is for my company's mock lab for new equipment we ship out the customers. Our mock team emulates what the client would see once we ship the servers and does some pre-updating and quality assurance. We have a 10.1.1.0 /24 standard for nearly all of our commercial deployments and our servers all have the same 10.1.1.1 through .150 addresses and .254 gateway. We also have some government clients that have other standards using public addressing.
We currently use about 10 ASA 5505s to segregate these 10.1.1.0/24 VLANs and other VLAN subnets, but I want us to move to a rack with if possible, one 5520, or one 5506-X. Our QA/installation team abuses these firewalls and they die randomly, or find their way in trashcans [not kidding]. Not to mention that we have to get in each firewall remotely to do configuration changes for site that have a different standard.
I'd like to centralize one rack, trunk three 3750 access switches to one distro switch, and trunk that to the firewall, which would be running sub-interfaces CAT5e would be conduit-ed from the access switches to each of the tables [each table representing a different client mockup station VLAN]. In the diagram there are only two stations per table but in reality there could be as many as 15-20 datapoints and servers per site. Of course the central problem would be overlap on these 10.1.1.0/24 networks that are being mocked simultaneously.
I've read multiple context firewalling could do this when applied to subinterfaces on an ASA -- multiple say, 10.1.1.254 255.255.255.0 IPs on multiple subinterfaces -- but I have not been able to test it out and the 5520 we have has just a base license offering 2 context instances. I'd like to have at least 4. I'm sure there is a new hardware solution but I'm just the network pipes guy and the higher ups won't want to give us any better equipment when we have literally hundreds of ASA 5505s lying around. I also have a few 5506-Xs but those don't offer Multiple Context firewalling.
Does anyone have any ideas? I am at wits end with these 5505s
I bought a layer 2 HPE Office Connect 1820 switch so I could have greater trunked bandwidth 802.3ad LACP to my QNAP 231P NAS for an upcoming LAN party. I've failed to make it work. See here if interested:
I'm back to making another purchase and I desire input from the networking enthusiast crowd - as this isn't my technical wheelhouse.
Here's what's important to my buying decision:
•802.3ad (LACP) - I want to get the full 200+ MB/s shared trunk networking speed from the QNAP.
•24 Port minimum (for use at occasional LAN parties)
•Web GUI / ease of administration
•Fanless preferred
•Low Power draw
•easy VLANs options - so I can separate out my crypto mining machines from my home network in typical use.
Here are the units I'm now considering:
$200 - Ubiquiti EdgeSwitch Lite 24 Ports Wall-Mountable Fanless Switch with Optional DC Input - ES-24-LITE-US
https://www.newegg.com/Product/Product.aspx?Item=0XP-000A-000B1
$200 - Ubiquiti Networks US-24-US Managed Gigabit Switches with SFP1
https://www.newegg.com/Product/Product.aspx?Item=0XP-000A-000S4
$150 - Mikrotik Routerboard CSS326-24G-2S+RM
https://www.newegg.com/Product/Product.aspx?Item=0XP-002R-000A7
$150 - Refurb Cisco 2960S
eBay
I've been told to ill consider Trendnet, Linksys, D-link etc - - - because they are just lower tier consumer gear that isn't reliable, and newegg reviews more or less seem to confirm that vs the brands like Ubiquiti, Mikrotik, and Cisco.
Which do you recommend, or is there something else I should consider?
Can someone tell me where can I read about virtual networking? My preferred environment is OpenBSD.
Thanks
I'm looking into fiber termination with quick connectors - and have no idea where to source the connectors and which brand to go with. I'm concerned about reliability, ease of use and price (I know, pick 2, right?).
Any suggestions (also, where to source them in the US?)
Noob here.
I am trying to set up Ubiquiti WAPs for a small business. I have installed them and configured everything through the Unifi controller, but I would like to set up separate VLANs so that I can create a Guest Network, tag the VLAN, and have everyone that connects to the guest network not be able to see the office LAN. The APs are connected to 2 different interfaces on the Mikrotik router - 1 is directly connected to ether10, and the others are connected dumb switches that connect to different interfaces on the router.
I know that this is a noob question, but how would I go about trunking all of the Mikrotik ports to accept the un-tagged traffic that it is taking now, as well as traffic for a guest network (say, VLAN 2)? Can I keep the main office traffic un-tagged and only tag the guest network traffic? Would I have to configure this on each Mikrotik port individually? How would I get this guest VLAN connected to the internet?
Thank you in advance.
I've always found it useful to study by creating practical cases for me to understand. I have created a scenario that has recently peeked my interest.
Network Logic Brainstorming
I want to manage several customers.
I plan to create and IPv6 network to integrate their different IPv4/IPv6 subnetting.
The idea is, I would be able to centrally manage multiple customers' systems and networks. ie patch management, SIEM integration, etc.
Some issues I'm having includes a customer that has two geographic locations using the same IPv4 subnet. Is there a way for me to logically network these as two different geographic locations for the same one customer?
I have some years of experience in network and systems but formal network knowledge is limited to my CCNA. So, any ideas or resources that could point me to best practice for this would be incredibly useful!
We have a yearly review to talk about what we've accomplished the past year as well as what our goals should be for the next year. My boss wanted me to pick a conference to go to. Any suggestions on good networking conferences in the US? If it helps I work in a large enterprise network (University).
So, this is a weird one that I've never run into. I should preface that I'm not a Network Admin, I'm more of a System Admin. I've been with this company for a couple of years and this problem has been around since then but I've typically only ever seen it on Windows 7 but am now seeing it on my own machine which is running Windows 10. The network properties show, "No Internet access" but I'm able to access nearly everything just fine but there's the occasional app that will cause problems, something like OneNote or sometimes Outlook on random machines.
I've tried talking to my Network Admin but he just brushes it off as an anomaly and because most everything still works, he's basically chosen to ignore it. I'm of the opinion there's some underlying networking issue but I don't like to say anything without building significant evidence for a case.
Has anyone seen this problem and have any leads on what might be causing this? One thing that's lit a bit of a fire under the Network Admin's ass is the accounting manager complaining that OneNote isn't working and the no internet access message is a common denominator.
Ninja edit: These are all domain-joined machines. 99% Windows 7, a handful of Windows 10 machines. Mostly up to date, have our standard image applied to them. Issue crops up somewhat randomly.
Thanks in advance.
Does anyone have some guidance for setting up 2 additional AP for mesh? Having issues getting it figured out but we have an SR2208P switch, AP250, and I would like to set AP130 and possibly AP121 for mesh.
Hey guys,
We just set up a new server rack in our NCC and are now in the works to tidy up the cables. The problem is we are using two power strips on either side of the back of the rack for power. They take up all of the space on the sides. From the looks of it I won't be able to use the vertical cable management ducts or the horizontal ones.
Looking for suggestions from anyone else that has a similar setup. What was your solution for cable management?
Thanks in advance everyone!
I am just getting started getting into network security (currently have CCNA and am a network engineer at an ISP) and I do run across customers that have Fortinets, cyberoams etc... that are able to detect and block VPNs.
Now as far as I know VPN traffic just looks like typical encrypted traffic and doing some wireshark captures they look nearly identical. So how to firewalls detect them? Are the IPs compared against a database of known VPN IPs? Does it look at a traffic pattern?
Since IPs and domains are blocked from access unless we explicitly allow them, but how are we going to allow all the advertisers domains and IPs we have yet to know who are going to advertise at the first place.
I went to CiscoLive last week, and i understood that they are definitely not making sense with the defense against open source and the direction of LBN (Linux Based Networking) However, they still like to use Linux and make money out of it. (minute 09:13), complete and utter bullish hypocrisy.
https://www.youtube.com/watch?v=cyC_T-u8Wsw
Not sure if this is a leaked video or not, but i am kind of surprised that this company is openly admitting these kind of ideas.
What really ticked me to share this is when the executive in the video (Chuck Duffy) is openly admitting the competitive pressure, and how IOS is inferior to Linux (minute 01:07), the way he spoke about IOS was inferring that its classic or legacy and thats why its picked up in all their products.
What i wasnt able to comprehend at all is why he mentioned Big switch and cumulus on minute 02:50, is this like a slip of truth or a real defining moment of a vendor’s life saying that open stuff is a disruptive architecture ?
Is Cisco moving to. subscription model because of Linux ? Is it that difficult to change Cisco to go Linux all the way ?
Hello everybody,
the main goal is defined in the title, it seems easy and somehow it doesn't work for me and not sure what could be the cause
first, I followed this official guide from cisco https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/108008-ldap-web-auth-wlc.html to be sure that i'm not messing anything
I'm on a stage where users can see the WLAN and be redirected to the login page, but no account is going through it, always an authentication error appears
I'm not controlling the AD, but the admin there says that the OU is defined correctly and contains all the users
tried different format like : domain\username or just the username and its password of course, none of them worked
What could be the issue guys in your opinion ?
platform: WLC : 2504, AP: AIR-AP1832I-E-K9
We have been mostly Cisco and have recently introduced a lot more Juniper gear. I see lots of threads where people love Juniper which makes me think we are missing something. Everything we do for configs requires a ton more typing and commands in multiple sections than something on Cisco. Are we doing it wrong? Is there magic we have overlooked?
Currently I work for a TAC and I'm a bit shy about asking a lot of what seem like stupid questions. I feel a little slow coming up to speed with the customers network/setup and feel dumb asking a lot of "could you repeat that" or "can you explain x again". When you're calling a TAC, how much patience do you have for the representative on the other end?
I feel like at the moment, being too shy to ask these "dumb" questions is only making it harder for me to help solve customer issues.
Thoughts?
Since starting my new role over a year ago I need to get some certifications under my belt, but I'm just feeling meh about it all and lack the motivation to study.
I'm still learning new stuff and labbing up to enhance my knowledge, especially when it comes to working a new projects. But as soon as I hear the " you need to get your certs done" I just don't feel that drive to study like I used to.
Anyone else in a similar situation?
Hi
Probably a really simple question but what is the use of ip addresses 10.0.0.0 to 10.225.225.225.
I see they are used by lots of companies world wide but why and how are they used multiple times?
Thanks
Hi, I have read for hours on but still don't know if I understand it correctly. Please please please explain in simple terms if this setup is a viable solution or if I am misunderstanding and need changes. I really appreciate any advice. THANK YOU! (also...please don't suggest a totally unrelated solution like vlan or vpn, etc.) I should mention, I am basically giving up on setting this up myself, but I want to make sure that I can confidently go to vendors for bids to make this thing work and reject over-the-top expensive solutions in lieu of this setup using mostly existing equipment. $$$ is paramount.
GOAL:
PLAN:
▪ Here are links to diagrams of the proposed vs. current setup. The current setup was like this before I came around! Look at this first :) Current Setup Diagram LINK → Proposed New Setup Diagram LINK
▪ the plan is to using 2 routers to put the credit card machines on a separate subnet --▪ Router 1, Subnet A, serving the DVR and providing internet via wifi to various devices as shown in diagram (3 or 4 computers and 5-10 phones or tablets.)
▪ Router 2, Subnet B, serving 5 credit card machines via Cat5.
OTHER INFO/CONCERNS:
▪ I don't understand if one of the new routers in the diagram can be eliminated given the modem from the ISP has 4 ethernet ports and wifi built in.
▪ We pay for static IP which is used for remote access to DVR
▪ Router 1 is priority during the day and router 2 is priority at night. Here is the reason why--
(a) this is for a high volume bar, so it's important that the credit card machines work fast and all other internet traffic is low priority at night. there can be quite a few users on the network at the bar. currently, there is no QoS or anything managing bandwidth, and the credit card machines speed is not always reliable and frustrating.(b) During the day, when the bar is closed, the credit card machines are not used, and it is important the internet is fast for the people working in the office who are not present when the bar is open.
We recently attempted an upgrade on a 4500 chassis from 12.xx to 15.2(4).
We have checked everything from scratch and the configuration is fine. We are 99% sure that we are dealing with a hardware issue, meaning that the GBIC where the optical fiber is connected (MPLS Uplink) is not recognized by the new IOS.
Before upgrade: CORE_SWITCH#sh int gi2/21 status Port Name Status Vlan Duplex Speed Type Gi2/21 ewl_mpls connected trunk full 1000 Unknown GBIC
After upgrade: CORE_SWITCH#sh int gi2/21 status Port Name Status Vlan Duplex Speed Type Gi2/21 ewl_mpls notconnect 1 full 1000 Unknown GBIC
We can see the same logs on the device before and after change: %C4K_TRANSCEIVERMAN-3-INCOMPATIBLE: Port Gi2/21: New transceiver (speed 10Gbps) is incompatible with this module But no communication is done when running the new IOS.
We have tried to force interface up but no communication. We have also tried to activate a non Cisco GBIC with: #service unsupported-transceiver and a reboot but still no traffic could be seen on the interface. We cannot see anything plugged to port 2/21 when issuing the command #show inventory
Because this port was unusable, the Switch could not communicate with the neighbors and no routes wore learned. No other alternative was found to move the MPLS uplink on a different port.
This is the GBIC plugged into port 2/21 (not Cisco):
Basically, the title says it all. We have a requirement that we need to require guest accounts with time limit set. After that, they should be barred from the network like temp accounts or something. TLDR - Captive Portal with Time limits integrated
AP - Aruba or Ruckus, whichever supports it. EDIT#1 - Found on Ruckus.
https://www.mirazon.com/using-ruckus-wirelesss-guest-pass-portal/
EDIT#2 - Still searching for Aruba :/
How people running containers would manage having two different active data centers and not doing anything "legacy" like stretched VLANs? Either running software from both or being able to switch to other DC if other goes down, without losing any traffic.
I'm asking because we mirror two DCs in one city, 2 DCs in another city. Stretched VLANs, synchronously replicated storage. So if DC goes down, vmware just starts the VMs in another and everything is great again. However we can't migrate VMs to another city at the moment.
I've been thinking about having only 2 DCs in total, with BGP or something to route the users to the right place. However I'm not sure how we could replicate the database data or something like that, to be able to do the switchover without losing anything. Colleagues are saying that it's not doable without synchronous storage replication.
We would also have problems when traffic would switch over to another firewall, but I guess that can't be avoided.
I'm hoping to get some new ideas from container world. Our coders are also starting to convert our apps to containers, so would probably need to learn more about this stuff anyway. And having 4 DCs with just few racks in each seems quite wasteful...
Thanks for any ideas!
I've been learning python for a few months now. I created this script a few weeks back that allows users to change their own vlan.
https://github.com/nfordhk/Network-Automation.
Now I'm looking for my next idea but, I'm having a bit trouble. So I thought I'd offer help to someone else! I'll be honest, i'm pretty beginner but let's see!
I have a Symantec BlueCoat ProxySG Virtual Appliance whose web config interface is a Java applet. What do you guys use to configure these types of things?
I'm a CLI native, but the workflow for the ProxySG is essentially download config, edit on local machine, and upload wholesale (at least for individual proxy config). That precludes tab completion, syntax checking, etc. and makes it hard to get my job done on the ProxySG CLI. I'd love to use the web GUI.
I am currently studying for my ccna RS. And i am also studying business in college. I am curious what degree is worth more from college? Or should i stay with business? The college does have a networking program, but it seems weak... Computer science is out of the question, i will fail that really bad, since it requires a lot of math classes.
So this Huawei router is not comunicating through SNMP. I check the router, and there are these weird NAT entries in the WAN sub interface.
nat server protocol tcp global current-interface 20443 inside 10.0.0.150 443
nat server protocol tcp global current-interface 21443 inside 10.0.0.50 443
nat server protocol tcp global current-interface 21022 inside 10.0.0.50 22
nat server protocol udp global current-interface 20161 inside 10.0.0.150 snmp
nat server protocol tcp global current-interface 20022 inside 10.0.0.150 22
nat server protocol udp global current-interface 21161 inside 10.0.0.50 snmp
Can this keep the router from interacting with our platforms? Keep in mind that these IP addresses are not ours, but from the client.
Do these NATs mean port 22 is open? Is SNMP being sent into these local addresses?
Huawei is not my strong suit.
So I have 5 servers, 1 front end webserver with 2 interfaces. Each has a domain name assigned to it (www.example.com and aaa.example.com).
If these ip's are setup like:
208.43.50.25 - www.example.com 208.43.50.26 - aaa.example.com 208.43.50.27 - SQL backend 208.43.50.28 - file server 208.43.50.29 - Domain controller
My question is, are the two IP's that are public, that we can access from the internet, are they leased from our ISP? I wasn't here when this was all setup so I'm curious. These are all on the same subnet using 208.43.50.1 as a default gateway. Do ISP restrict certain IP's to be internet rout able?
How come if I run a small apache server on our DC .29, typing in that IP won't give me anything on the internet?
Traceroutes to both IP's give the same response and timeout at the same place. The webserver tracert times out because it requires cert authentication for the site
We're running 2.4.9.x and are hesitant to roll out SNMP as it polls every port on the ONT and we don't want to trigger a line-card reset.
Hi. I am going crazy with this, so maybe one of you can help. I have my PC connected to the router via ethernet mining ETH with claymore and some monero mining with CPU with stak.
Got a tv connected via wifi. Issue is that if i try to stream content from my pc to the TV or even play netflix on the tv, it doesnt work or it goes extremely slow, choppy, loading constantly. If i reboot the router, it works fine. Now with an asus rt ac88u. I have returned 2 more routers that have the same issue, a dlink dir 879and a netgear r7000. The dlink was worse, the netgear behavd exactly like the asus.
I have searched for help and I found a couple of people with the same issue but no solution. Help please!
I have run into a problem with a network I am currently working on and do not understand why this is happening. I am attempting to remove VTP from the network and running into a problem where DHCP for wireless access points themselves is failing whenever I try. The setup is as follows:
DHCP Server for WAPs ----- Cisco 2960X +++++ Cisco 3850 +++++ Cisco 2960X ===== WAP XXXXX ----- switchport mode access switchport access vlan 70 +++++ switchport mode trunk switchport trunk native vlan 10 ===== switchport mode trunk switchport trunk native vlan 70 switchport trunk allowed vlan 70,90 XXXXX Where I am disabling VTP: vtp mode off VLAN 10: management VLAN 70: wireless ap management VLAN 90: wireless users
From what I can tell, whenever I turn off VTP on the switch marked below with XXXXX, DHCP requests do not make it to the DHCP server, which is a firewall and happens to also be the gateway for VLAN 70. There is no SVI for VLAN 70 in the Cisco 3850, but adding one, even with a helper-address, does not resolve the problem.
I am thinking I just need to just use another DHCP server we have running on the campus, instead of the firewall, and put the default-gateway as an SVI on the 3850, but still do not understand why turning off VTP on that switch causes this problem.
Does anyone know what I am missing?
Thank you for taking the time to read and inform, it is most appreciated.
Generally, coax cable compression tools are useful for crimping coaxial cable with compatible connector. With the use of compression tool, you can crimp twister pair, 4P/6P/8P flat wires, Rg-3C/4C, RG62, RG29, and RG58 coaxial cables.
My last position was as a network admin in a Cisco shop. My entire networking career has been in Cisco. My new job uses Dell switches and managed Cisco routers. I'm not a fan of the Dell switches. The ones I've interacted with so far have not impressed me.
My new position is a senior net admin and I'm the one making the decisions. I've been told that if I want to phase out the Dells and phase in something else, it's all my decision. I've got my first switch I need to swap out. I could go with the Cisco and go back to what I know, but I'm not sure if that's the right route.
I've been looking at Juniper and liking what I'm reading about it. Considering grabbing a Juniper switch to try that out and see if that's what I want to go to.
But, I want to make sure my use case makes sense for Juniper. We are a decent sized credit union (in the top 5 in this state). 13 branches. Each branch (except the main one) has 2 x 48 port PoE switches. Supporting about 250 employees total. 20MB connections to the main branch which has a 100M connection to the internet. Currently, everything comes through the main branch. However, we are looking at moving to either a datacenter or to VMC on AWS and if that happens, I will route most traffic directly to the datacenter/VMC unless it has to come here for some reason.
Finally, I'm looking at bringing more automation into this place, and that includes network automation (something I've read is really nice on Juniper). I also want to look more into SDN and SD-WAN in the near future though I won't do that until we figure out the datacenter/VMC thing.
Finally, if Juniper is a good fit, is there a good place to see equivalencies between Juniper models and Cisco models? For instance, I would probably use a 2960 to replace this dying Dell switch but have no idea which Juniper model is somewhat equivalent.
Appreciate the help.
Hey guys, im trying to do NAT-PT on my client ASA 5508x, the reason I need to do NAT-PT because the ISP would only allow SSL VPN on IPV6 not V4, thus I need to configure this since in my country only 1 ISP supports V6.
Basically the asa has an outside and inside interface. I need to map the outside 2001:: ipv6 address to the outside ipv4 address of 192.168.100.6 so that internet users on ipv4 can reach the SSLVPN portal.from the internet
I looked up lab minutes guide but i`m really pressed for time and I have never done nat pt on an ASA before.
The ASA version is 9.9(2)1
Point to point Or Multipoint To Multipoint?
Sources would be amazing
thanks in advance
Little lab i have set up - Juniper MX Router - Juniper EX Switch - Cisco ASA
ASA and MZ have subinterfaces tagged for vlan 5, the EX switch has access ports in VLAN 5, but i cannot ping from MX to ASA or vice-verse. Logs on the ASA show it ARPing for the MX IP, it has a directly connected route out of the right interface, but the Juniper Switch is not showing any packets coming from the ASA when i run "monitor traffic interface xxx"
The Switch is seeing the MAC's of the MX and the ASA in its mac table but for some reason its not seeing the packets come to it. Any ideas as to what to check next?
EDIT:
The Juniper switch can see traffic on the default vlan if i do a monitor traffic (Can see VRRP packets coming from the MX router), but nothing else
Can you share a good resource describing the basic operation and structure of SNMP? Book, link, video, training, whatever.
PS: I need it for a friend.
I've been lurking in here for quite some time, and I have a situation i'd like to hear your input on.
We all know how temporary solutions are the most permanent things in IT. Well, this is what I'm dealing with at the moment.
We have a somewhat unique network, as in the users on it, and how it's being used. I really can't go into too many details on how and for what it's used.
Long story short.
Way back in the day when the network was "small" we needed a network where the devices on it couldn't talk to each other. Someone said "this is what vlans are for".
This resulted in a network with ~10 access switches, that each had up to 10 ports in their own vlan/subnet. Each vlan had a /30 assigned.
The firewall acting as gateway/dhcp server had a sub interface in each vlan, and then access lists accordingly to block inter client communication.
Then suddenly the network grew. But the design didn't change.
We now have around 100 access switches. And 1000 vlans. And a firewall with a sub interface in each vlan.
This all needs to change, but how?
We still have the need for client isolation on a layer2 level, and we'd like to make the dhcp/access list config simpler.
We've thought about using "Port ACL" (cisco term) or "Source Port Filter" (hp term). And then flatten the DHCP scope from 1000x/30 to a single /22.
This would mean all the vlans/dhcp/firewall rules would go away.
Any advice you could give is greatly appreciated.
Note: this could be a violation of Rule #1, but it's more of a general use question.
I'm uploading a pretty large file to YouTube (30GB of 1080p 60fps footage, 2hrs), and I'm getting anywhere from 6.0 to 6.2 Mbps, but Task Manager says that I am only at 4% utilization. I guess my question is, why is it that it uses such a small percentage when it could easily use more (No one else is using my internet ATM), and just expedite my video's upload? Is there a workaround for this that would make my internet faster? Is there a limit that my provider puts on it?
Thanks!
Hey everyone, I was hoping to get some guidance on creating a new subnet at one of my remote sites. I'm still a bit of a novice when it comes to networking, so I'm not 100% confident in what I need to do. Part of the reason I'm cautious is that I do not have physical access to the site (4 states away), and no one onsite has a lick of technical competence. Also, I don't have much of an opportunity for a maintenance window or planned downtime.
At our largest manufacturing plant, we have 6 Cisco S2960 workgroup switches, a Cisco 5508 WLC and about 40 Access Points scattered throughout the plant. Whichever predecessor implemented this, they did it the easy way.
The network there is 172.16.1.0/24. There are only 100 available addresses for DHCP. Naturally DHCP was set up on the Windows server with all defaults, so the lease time is 8 days. With the growth of devices at the plant the DHCP scope is frequently exhausted. Here's a simplified diagram:
https://i.imgur.com/B2LasDU.png
So I want to create a new subnet out there just for the wireless infrastructure and clients. Static addresses for the APs and 4 hour leases for any DHCP clients.
1) Create a new VLAN on the workgroup switches interface Vlan5 description WiFi VLAN ip address 172.16.101.1 255.255.255.0 ip helper-address 172.16.1.10
2) Create the new DHCP Scope on the server with 172.16.101.1 configured as the router in the scope options
3) Set an unused port on the MDF in the server room on the new VLAN to test interface GigabitEthernet1/0/2 description WiFiVLANTestPort switchport mode access switchport access Vlan5
4) Have someone at the site plug in a laptop to the new test port and ensure they grab an IP from the new scope and they're able to access all network resources.
5) (Here's where I'm really unsure) Identify the ports that the access points are plugged into and set them into switchport mode trunk and allow both VLANS?
6) Log into the Wireless controller and change the IP addresses of the Access Points to the new subnet
7) Reclaim the old AP ip addresses and add them back into the original DHCP Pool.
8) COPY RUNNING CONFIG TO STARTUP CONFIG
Is there anything that I would missing or doing wrong? Do I need to modify the port that the Wireless Controller and/or Server is on in any way? I shouldn't need to do anything on the Powerconnect switch right?
Thanks in advance!
Hello Redditors,
I'm curious about what people use to log network changes, specifically, the reasons for such changes and the procedures done, so you can go back and see them and why were done, say Person A changes 3 things at 3 different devices we currently use a mix of logs and oxidized to track these changes who did them and the diffs with old config, but we don't have a real system where we can go and check "hey those 3 changes done at 3 am were to fix this or that, and this is the procedure followed".
Something that shows all the changes logged in time, then you click in one and you can read the description of the change, who did it, affected devices, config snippets, etc. I'm looking for something that has to be manually filled by operators.
Where I work basically this is just a mix of emails, then oxidized logs the diffs and the loggins systems shows who did it, but having to go and check different systems at once just to see what was done and then go check emails to know why this or that was done, I don't see it that helpful. Maybe a ticketing system would work, but I'm thinking about something that actually shows a timeline of changes logged.
I have an INE subscription through work and while they'r euseful they're also extremely dry and I don't like the style they use to explain much. I have seen a few videos of Kevin Wallace on his channel and saw he had CCNP video course on Pearson and was considering it. Any of you guys try watching them have any thoughts about there quality?
Hello all,
You guys with experience must be tired of these questions but it will definitely help us new comers.
I'm aiming for network admin within my BS in IT and i will be learning a hands on approach with Cisco devices among others, my question to you is which would be a better knowledge assest and career advantage, network+ or CCNA?
Thanks in advance
This may be too small for this sub. I'd looking for a recommendation for an access point or wireless router that can set-up a stand-alone wireless network. This is for a single space, to connect an iPad to an AV device. The WLAN has to support multicast traffic. Any ideas? I'd rather avoid setting up a new WLAN on our campus wireless infrastructure to only occasionally serve these two devices that are rarely used.
How can we connect 2 phones connected in same WiFi network? Like in a game called 'mini militia' you can connect many mobile phones and play a multiplayer battle. [P.s. I'm a noob in this sector. But any help is appreciated. Thank you.]
Hi Folks-
I am planning a small build with a 48 port all-gig 2960S, and a PFSense router which will use a 4x1gb uplink port channel as the working interface, with LAN/WAN/Other vlans running over the one portchannel.
I was curious if I should put the port channel on the 4x1gb up-link ports using SFPs, or a group of 4 access ports on the 2960S?
What is the best option for latency?
I figured the uplink ports would have better access to the backplane, but given that they would be running through SFPs, the access ports may be better.
I can go either way, and it's really just a curiosity, but I wasn't sure if up-linking through the access ports, or the up-link ports would give better latency, in a perfect world. I have plenty of ports available on the switch, so I can go either way.
Thanks!
Any one doing anything resembling NAC (802.1x) with free and open source tools, if possible, i'd like to know more.
We are working to optimize our ansible tasks as some of them take forever to run. For instance the nxos_vlan module takes over 20 minutes just to create ~60 vlans. Is that normal? What times is everyone else seeing with their automation.
Hi Everyone,
May I know if you have encountered this kind of issue, After starting and the terminal pops up there's no display that the device is booting up?
My current setup:
Primary os: Ubuntu
Cpu: Amd (ryzen) SVM(for virtualization enabled)
Ram: 16gb
Look like the permission on image itself is ok too. Any idea?
Everytime I solve 1 issue then another issue will be unlock in setting up EVE-NG haha
Thanks
I have seen this question for entry level but I am curious what a mid level engineer should know. I am in a weird spot where I previously did networking but took a job doing something else (still in IT) but would like to move back into networking. I have been able maintain certifications (CCNA, CCNA Security) but it has been several years since I have actively been networking. I can't really go back to an entry level position the pay cut would be too much for me, so what should I know that might help me prepare for a mid level position.
TLDR; What should I have a more in-depth knowledge of as a mid level engineer.
We've got an anti-DDoS system that uses the RTBH system of setting a route's NH to 192.0.2.1 and then routing that traffic to discard (rfc5635). It is working as expected, but I'd like to query how much traffic is being dropped, or sent to "discard".
We have netflow, snmp, firewall filters/counters available to be used, but with the lack of an interface/firewall policy to poll, I can't think of a way to monitor what's being dropped.
Any ideas?
Hi, been banging my head for a bit. I decided to lab up some L3VPNs after a while and do something new, while I'm at it.
Both PEs just have a couple loopbacks stuck in the VRFs I'm pulling through to the other side. The P routers double as RRs with different cluster IDs, both have a session to each PE. The peerings are VPNv4 MP-iBGP. Now the problem that I've come across is that I want each PE to prefer prefixes advertised by one RR (P1, in my case). I've assumed (can't find much in way of documentation for attribute manipulation via policies on RRs, much less with VPNv4 peerings...) that to that end, I'd need to set up a route-map on P1 facing out towards the clients, setting the LP to 200 (tried MED, too). The prefixes, however, arrive at the PEs with the default LP of 100.
Tried to set MED in case I'm crazy, but no joy there either. This is on c7200 15.2(4)M7 in GNS3. I'm due to try this on colleagues VIRL/EVEng setup and might get lab access to actual hardware as well, but neither can happen right now. Also at new job so no access to core yet and even then, they don't run dual RRs...
Am I crazy or is it actually supposed to be done this way (and work)? Thanks
Hello,
I would like to get an opinion on how to configure trunk vlan on a vPC peer-link.
Cisco states:
"Always perform VLAN pruning on vPC peer-link with allowed list of vPC VLAN."
I guess this is for reasons of resource management. In my opinion, this adds unnecessary complexity though which could lead to errors. If you miss a VLAN in your allow list you may get inconsistencies and if you add the vlan you might fall into the common trap of missing the "add" keyword and thus killing the link.
I would rather like to only maintain the necessary VLANs on the switch and the allow all VLAN on the peer-link for ease and stability of configuration.
So my question: What are your experiences? Do you configure allowed vlans or do you allow all and have had no trouble with this in the past?
I did my first termination with a t568b layout, one end into a rj45 plug and the other into a wall mounted socket.
I am just anxious that I might have messed something up.
I've read that modern device can actually figure the pins out themselves, us that true ?
What in your job makes you frustrated because you know it could be done more efficiently or better if you had the right tools or methods? I'm talking about anything such as software, hardware, management, meeting method or frequency, office/home environment, working hours, etc.
Hi.
When I run a traceroute all of the ISP routers hostnames have syntax like.
bbr01
prr01
crr01
I've always wondered what these mean but I haven't been able to find any information on them.
I have a site to site VPN (IPsec) between a Mikrotik CCR1009 and Draytek 2960, both ends have 100Mb leased lines, latency is fairly low at 17ms, however:
A file move over SMB3 was slow at around 500KB/s (4Mb/s) with Windows 10 and iperf had similar performance with 1 session, however 20 concurrent sessions got well over 60Mb/s,
Is this just the impact of the latency on these protocols as they're not optimised for WAN levels of latency or am I missing something/hitting a bottleneck on my equipment?
Thanks,
Anybody have any knowledge of whether any major ISPs block ports on DIA circuits?
I know that almost all do on residential HSI, and many do on their residential-grade business HSI services (like Comcast), but I'm unsure of whether this is common practice on DIAs for any providers.
I have an instance where I am working with a Vendor to allow two servers to talk (across a VPN) with their network. It is listed in their technical specs that "All servers will be required to NAT to one public IP address before being tunneled"
As far as I understand it Static NAT is a 1 to 1 relationship. Since we are doing two internal addresses to a single external, wouldnt we want to use PAT (Or Dynamic PAT (Hide) as cisco ASDM calls it)?
So I was looking at picking up one of those Microtek 16 port SFP+ switches, to connect up 3 esxi hosts (Dell servers), and also to connect another server to a NAS. The servers I was looking at getting Intel SFP+ NICs, and the NAS is a qnap and had an SFP+ card in already.
What I can't figure out definitively is what transceivers I should have at each end, or should I use DAC (they will all be in the same rack, except for the Nas), and if I use DAC which ones at each end?
So should I have intel transceivers in the Intel NICs, Microtek transcievers in the switch and. Qnap one in the Nas? Or should I use the same brand all round? Is there a golden rule, or does it depend on different manufacturers?
Or should I be using DAC for the devices in the same rack as the switch? If so, I've been looking at FS.com and they can do DAC cables with whatever brand at either end by the looks of it, so what would I get? The NAS might move to another cabinet down a fibre link, so I understand in this situation I would have to use a transceiver.
Any help would be much appreciated
Hi all!
I hope this isn't breaking the rules. If so, apologies and please delete. I didn't want to throw this in homelab or homenetworking as I think 10gig/SFP is still unique enough in those situations that I wouldn't have received much input. So on to it.
I am looking for a small, lightweight, 10Gig/port capable switch. I am working with some Software Defined Radio systems that can move a massive amount of data, and would like an interface capable of handling this.
I've found the Netgear GS110MX-100NAS. It looks like a reasonably good solution for the price, but it will only allow me to connect one radio to my workstation, I'd prefer the ability to connect two. I'd also have to jump thought some hoops as my radios connect with fiber-SFP patch cables.
Does anyone have any thoughts on an alternative that isn't too heavy (<2lbs) and has relatively small overall external dimensions?
I need to roll out a Guest Wireless SSID at a site with Avaya access points using NPS for 802.1x on the corporate SSID.
The APs connect back to a controller. I believe that I need to create an SSID and make it use an Internal Login page (stored on the AP itself) which then references a RADIUS server for authentication.
I've taken a look around but am not finding a way to add a temporary guest user account that can authenticate through the Guest SSID to the NPS server.
Should I consider installing a FreeRADIUS server instead?
I was using these with OpenWRT routers 5 years ago. Babel is meant to help wireless and wired networks be optimally connected; especially in mesh & dual-stack setups. Bird is a multi-protocol routing daemon, still being maintained as of 2018.
I have a 16 gig usb formatted fat32 but when I copy ? There isn't any USB option What am I missing
I have been struggling with my first VLAN setup. We currently use the default VLAN1 (10.2.1.0/24) for a flat network and are adding a second VLAN (192.168.20.0/24). I want to send traffic between VLANS to the VLAN aware firewall so I can restrict the type of traffic across VLANS. We have a switch on each floor, with a core Layer 3 switch acting as a router/gateway managing traffic. The core switch's default route is to the firewall. My PC's gateway is configured as the core switch and not the edge firewall. If I try to ping from my machine on VLAN1 to a machine on VLAN2, it fails and the firewall never sees the traffic. If i set my PC's default gateway to that f the firewall, everything works perfectly.
I am concerned about changing the default gateway on all PC's and Devices from the core switch (where some routes are created) to the firewall. I am not sure what may break.
My question is this: It seems like the core switch/gateway is trying to handle the traffic destined to the new VLAN. How can I force traffic destined to the new VLAN to the firewall (already the default route of core switch)?
I have tried adding a static route, but it just seems to define the VLAN and not route traffic. My next thought is using an ACL to block inter VLAN traffic at the switch level. Any tips or direction would be appreciated.
Thanks!
Hello
When doing IP planning for your data vlans (pc access vlan), do you account for address that will be taken by Cisco phones (DHCP request) in the data vlan before they are switched to the correct voice vlan by CDP ?
I heard some people disable spanning-tree portfast configuration to give time for CDP to switch the phone in the voice vlan and avoid exhausting the DATA vlan ip address. This seems like a half assed solution.
In the event of a complete campus shutdown/restart, Cisco phones will create dhcp exhaustion of your data vlan if this is not taken into consideration.
Accounting for cisco-phone make the number of available address for PCs quite limited.
Is this me or this kind of topic is overlooked/not talked about to CCNA/CCNP R&S students, yet necessary for correct enterprise operation ?
The networks I've been operating/learning on do not take this into consideration. When campus would reboot (very rare occasion) The address taken by the phone int the data vlan had to be cleared manually in the DHCP server to give some space to the PCs. By that time, the DHCP request process would have ended and the PC would have obtained an Apipa address since none were available from the DHCP, pc would end need to be restarted or ipconfig /release /renew, once the the required addresses would be freed.
I was wondering how you handle this in the networks you manage ? Is there something I'm missing ?
Long story short, have Verizon FiOS for the office but have to use a hurricane electric tunnel for IPv6.
Verizon is a slow slow slow adopter if at all of IPv6.
Currently everything we run outside of the office (cloud, aws, vps etc) has IPv6 from the respective providers.
The tunnel introduces some issues we would like to avoid such as netflix being blocked (because they block tunnels), other services being blocked, etc.
Currently I maintain an IPv4 only VLAN just for those use cases but it is a hassle to have to do this with more and more clients: laptops, mobile devices all preferring IPv6 over IPv4.
Also, it's the future so lets get on with it.
I was thinking of a few options such as get a VPS provider to allocate me some IPv6 space I can tunnel but that means I am stuck to that provider.
I was also thinking about looking at the auctions (where I have purchased ipv4 space in the past) but I don't even think that is a thing since there is so much ipv6 space available.
I would rather have my own IPv6 space I can tunnel to via a third party over IPv4 like I do with HE.
Another question, just thinking out loud as I type this, could HE tunnel my own IPv6 space for me?
I don't need much space, just tired of using someone elses IPv6 space.
Any ideas welcome.
I'm trying to understand the general Internet data economy and how ISP cost of unlimited data is compared to mobile operator's limited data price.
First of all, I'm a noob. So, how wholesale mobile data is actually priced? I mean we pay say an ISP say $30 for our home broadband, why are we paying more for limited mobile data other than the cost of spectrum and towers.
My ultimate inquiry is are these carriers paying say $0.001/GB to backhaul ISPs that connect their mobile networks to the wired world?
The free version of EMCO Ping Monitor has done well for me but it is limited to 5 devices. I was wondering if anyone knew of a free ping monitor like EMCO Ping Monitor. When I Google the question I get products like PingPlotter and MultiPing which, while being very robust, cost quite a bit.
Edit: Definitely needs the ability to ping multiple sites at once.
I've been using firepower now for about 4-5 months. So far I've hit 9 bugs between a pair of 4150's and the FMC's. One bug ended up deleting a bunch of flex config EIGRP routes. The company I work for, and our department are now considering just deploying the ASA code. So I am wondering what your guys experience is with the firepower boxes in terms of reliability/bugs. I can't be the only person running into countless issues.
Hello,
I am kind of confused here, my boss and I were sent an e-mail to open the appropriate firewall ports for a specific range of public IP addresses. I am not entirely sure what this entails.
Is this as simple as creating a Network Object with the range of IP addresses and then applying it on the inbound on the outside interface?
When I console into my Cisco ASA, I can't get rid of the initial log screen. Some people call it the matrix screen. I've tried ctrl-z,c,q, so I feel like I'm missing something.
Some context first:
I have designed my first small datacenter in the past year. I have put this over multiple revisions and looking at a lot of different options and design structures. I have to design a network that can scale easily with more racks but will start small (2 racks). I designed it using a spine-leaf structure, where everything was using Catalyst (as oppose to Nexus). I used Catalyst for multiple reasons but the main were:
OOB would use Catalyst as well and would be separated on the firewall.
To allow for easy automation and keep the network simple (since there would only be eight switches, including the two OOB switches) I would solely use Catalyst.
After about a year of research, planning, designing, testing and talking to Cisco Engineers and other (third party) consultants (I really wanted to do this right) the main office (I work at a branch office) stept in with their architect. They were never involved in this process, but knew it was happening. (I guess they never cared about it.) The architect started looking at my design and overhauled it completely. I was overwhelmed and we had a heated discussion and after a while we had an initial agreement that the spine switches would become Nexus and the leaf switches would stay Catalyst.
After a good night sleep and reviewing his solution, I saw that it went against the goals I had with the design: making it simpler and cheaper. So I send an e-mail to the architect the next day saying I didn't think this was the right solution and we should go back to the original design. With a small change to allow for more ports on the spine, same type of switch, just a different version with more ports. Since this was one of his reasons behind the Nexus choice, to allow for more ports on the spine (10Gbit/s per port at the spine).
Fast forward about 2 weeks, complete with full radio silence about this from the main office, they told me everything was a GO. So I asked the main office what the network components were. These turned out to be the Nexus spine and the Catalyst leaf. This in turn frustrated me and we didn't have a good meeting, to say the least. The solution he proposed never came up to me and neither was in any whitepapers I read or was mentioned by any consultant (from Cisco or third party) I talked to. The architect from the main office was clearly sure of this. His arguments were that it would be cheaper compared to my alternative solution with the switch with more ports and that he has done it in all datacenters, so it needs to be coherent. He has implemented this in two other datacenters (both are about 3-4 racks each) that are being managed by the main office. I am managing the datacenter in the branch office.
So now you kinda know about the backstory, I have some questions for everyone here:
Hardware selected:
Original Idea:
Architects Idea:
My revised answer:
I would have preferred 9K, but I couldn't find one with 24 SFP+ ports. 9400 would be overkill I think.
My idea was that the 3850 would be better compared to the Nexus one, since it has a higher backplane capacity and the same amount of ports. Also, it would make all the switches the same and thus easier to manage.
Kudos if you have made it to this point and I wanna thank you for reading it all ;)
Wondering if anyone knows the temperature thresholds for the ASA 5506X. Just installed one at a remote site and it's locked up twice now.
1st time it continued to operate, but wouldn't allow any SSH access, including locally.
2nd time, it locked up hard. Had to powercycle it.
I'm wondering if it's overheating as there's no env controls in the closet it lives in.
Output from sho env;
Temperature: ----------------------------------- Processors: -------------------------------- Processor 1: 47.0 C - OK (CPU Core Temperature) Accelerators: -------------------------------- Accelerator 1: 49.0 C - OK (Accelerator Temperature) Chassis: -------------------------------- Ambient 1: 53.0 C - OK (Chassis Temperature) Motherboard: -------------------------------- Ambient: 53.0 C - OK (Chassis Temperature)
Cisco's guide shows what I'm assuming to be overall operating temp thresholds as
Operating: 32°F to 104°F (0°C to 40°C) (ASA 5506-X and ASA 5506W-X)
All my temps are above that. Time to worry?
I have a client machine that is sending NBNS Name Queries roughly once a second to what look like random IP addresses. I formatted this machine, but after doing a Wireshark capture immediately after the format, I see that it is still sending these messages. No other Windows machine on the network seems to be sending these messages. My first though is that the machine is infected somehow.
The conversation will go: LOCALIP EXTERNALIP NBNS LENGTH 92 PORT 137 Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
EXTERNALIP INTERNALIP ICMP LENGTH 120 PORT 137 Destination unreachable (Port unreachable)
We currently have x6 1U 3650 switches in a stack as our core switches at our data-centre. They're not really suitable for the job and we've finally been given the go-ahead to replace.
Our previous data-centre had a 4500 series switch and gave us no issues, but the current site doesn't allow cross cab connects (other than our stack cables), so re-using that is out of the question. Additionally it was 10U in size, there's no longer space in our cabinets for it.
Cost is an issue, so I've been looking at Juniper stuff as that seems to offer similar features, (though we don't actually do anything that clever, so as long as they're Layer3 capable that's fine), I am wary of selecting the wrong model and ending up in the same boat. iSCSI traffic completely nailed our 3650 switches until we added a policy map to reduce the number of packet drops.
Can anyone recommend switches that would be appropriate, I'm relatively vendor agnostic, but the Juniper stuff has caught my eye. I have looked into SDN & Cumulus in particular, but I don't think we need anything that clever really. No one in my team is particularly skilled with Lunix either. I'm more than willing to learn, but there are so many hours in the day....
Coming from the PIX days to the ASA and now ASA 8.3 I have a hard time wrapping my head around the NATing.
I'm building a S2S VPN tunnel where I have one server that will initiated a connection across that tunnel. I would like to PAT that server to the outside interface of my ASA. So far I believe that code would look like this.
ASA(config)# object network my-inside-net ASA(config-network-object)# host 192.168.1.1 ASA(config-network-object)# nat (inside,outside) dynamic interface
But in the code above i'm PATing 192.168.1.1 to the interface regardless of it's destination. What would the code look like if I wanted to do a policy PAT and saying only overload to the interface if you are destined to the server at the other end of the tunnel.
This isn't is treat only as a VPN tunnel and it does not manage internet browsing.
I'm on the hunt for a manual for the GigaVue 2404... Anyone have one? They seem to be super hard to find.
I can't seem to find a best practice for the above.
So for an example if I have a pseudowire from a service provider transferring VLAN2000 from site up to VLAN2000 on the NNI in the data centre I can't use VRF-lite to do 2+ VRFs because it requires a separate VLAN for each.
The ISP I used to work for did this via LDP speakers. We'd extend OSPF area 0 out to the customer site and let the onsite LDP router handle the 2 VRFs and the uplink would be routed using OSPF to the POP / BGP to route-reflectors.
I've mentioned this to some people and got funny looks (around effectively having our core at customer premises) which makes me think there must be a better way to do this but my Google-fu is lacking.
I have Alcatel Lucent IPPhones setup plus softconnect(Used on Windows and Android) licenses. I have a L2TP VPN as well as an IPSEC VPN on the FW. Windows and Android connect to the VPN using L2TP whereas IP Phones connect using IPsec. Hardware Phones work fine on LAN as well as VPN but the softphones only work on LAN. After connecting the Windows machine to the L2TP network, am able to ping the PBX box but not able to use the calling facility. It loops on connecting and terminating.
Any Thoughts ?
Currently moving NAT rules from ASA to Fortigate and have difficulties with them. I'm a trainee so this is all is quite hard and new for me.
This is command I'm trying understand and move to fortigate:
(any) to (any) source static any any destination static svnserverlocal snvserver_new service ssh ssh no-proxy-arp
After googling I understood that this either SNAT or Double NAT, but I have no idea how to do same thing on Fortigate.
Using FortiGate 60E running FortiOS v5.6.3 build1547
Hi,
I would like to connect to PuttY in SSH instead of Telnet on the switches.
For that on IMC I created a template that I added to a switch but once in the plan list this one remains in inconsistent (at the SSH level).
I tried changing the login type ( which was in telnet) to ssh, but it still doesn't want to take the template into account.
When I click on "test" it also gives me a failure message.
Do you have any idea?
Thank you in advance.
If this is the wrong sub, let me know.
So theres a piece of gear im forced to work on and I have no idea how to go about making it work. Its not receiving any messages and im pretty sure the patch panel its connected to isnt setup right. Does anyone know what these letters mean?
C01-C16 ( The panel has 16 ports so I assumed they are the "channels")
r01 (It used to be r00 but it changed for some reason. No other button lets me change it.)
ALr (Only options are on or off)
bEL (Only options are on or off)
dLd(Only options are on or off)
The power suppy is labeled "IXP-PS" and im pretty sure the whole thing is called "IXP-5300".
Edit: Also, "A01-A24" show up on a display below the channels and can be changed. What does it mean?
Hey guys, im looking for help i just got employed by a Fwd company and im the main IT.
so i went to the site room and it's a complete mess there is wires everywere, dust, floor cookies in the floor, and overall terrible. my job is to fix, label and organize everything again.
this leads to the question. the network rack that they have includes 2 mid tower servers, 1 rack server, 1 rack dvr, 1 battery backup unit. and a ton of power strips and other small devices the rack is not properly grounded, what type of grounding wire should i run from the frame of the warehouse to the rack? gage 0,6,10 ? im completely lost into choosing also should i run grounding wires from the equipment mentioned above to the rack? or just the battery unit? since everything is connected to the battery.
excuse my grammar haha
So basically a new company came to town offering fiber internet for awesome prices, everyone is jumping on board since it's the first real competition we've ever had.
Myself and a few IT guys I know have noticed and reproduced several times a very odd issue that ONLY happens with this new ISP.
Any type of file sharing, media serving, any type of connections to a central server while the server is hosted on the new ISP will not allow other users of the same ISP to connect.
So for example:
Person A has Server A on internet hosted by new fiber company 5 People also using fiber company cannot connect to Server A 5 People not using fiber company CAN connect to server A
Person A has Server A on cable internet company All people including fiber company customers can now connect to server A
The issue appears to either be within the fiber company's Modem or with their infrastructure. The same routers were used with the same settings for all of our testing so the only variable is the fiber company's equipment or something on their backend.
The issue absolutely acts like a Nat translation issue from what I can tell however every technician at the ISP we have spoken with continues to blame our equipment even when only their modem in bridge mode directly connected to a computer was used.
Is there something else we can test to verify the issue is on their end? Like irrefutable proof? The issue doesn't hurt our group at all it's just an annoyance we noticed and we don't want our small town being plagued with another company screwing people over or not knowing what they're doing.
I'm curious what your guys opinion is on Juniper gear (MX routers, EX switches, SRX firewalls etc.). I learned networking working in a Cisco shop and continued working in Cisco shops for about ten years. Then I started a new position that was solely Juniper with the above devices in production. I thought it would be good to get some exposure and experience with Juniper gear since it's the other big networking vendor. I read some of the day one books and Sybex material when I started. It took a little while to get used to the syntax, but after that I became became more or less comfortable using Junos.
I don't think I've read anybody criticizing Juniper here. It always the usual praise (the configuration is more logical, having "commit confirmed", able to access the Linux/BSD shell, less expensive, etc.) While this is mostly true, one of my gripes was (IMO) unintelligible logs and debugs/traces that read more like dmesg output with hex and memory address stuff that made troubleshooting a pain. I have experience working with Linux but for a device that's sold as an appliance, I don't think I should have to not infrequently access the underlying shell just to troubleshoot things.
Probably my biggest gripe was atrocious documentation. IMO it's unorganized and a joke compared to Cisco's. It seemed like there was never enough detail on what I was trying to look up, and overkill detail on esoteric stuff. There is an ocean of info out there for Cisco (both official and unofficial) and I don't think I've ever not been able to find an answer in about five minutes of googling. By comparison, I was trying to find out the answer to a pretty basic Junos MPLS question, and the only thing I found was a juniper-nsp mailing list post from like 2001. IMO good documentation is very important as operators of said equipment. I've also picked up on several occasions this elitist, superiority vibe when it comes to talking with Juniper heads. Frequently taking potshots at Cisco like an opposing sports team fan.
Overall, working with Juniper gear left a bad taste in my mouth and I decided that I would avoid working with their equipment in the future if I could help it. This is probably coming off as a rant, and granted, I'm probably biased since I cut my teeth on Cisco, but I'm curious if anybody else in general just doesn't like working with Juniper.
TL;DR I don't like working with Juniper equipment and prefer Cisco's. Does anybody else feel this way?
Wondering what type of laptop you use and if you carry extra chargers for laptop incase there are no outlets
Hi guys,
I'm having a super weird problem. I have one user with below symptoms:
My laptop has absolutely NO problems at all accessing this website - nslookup is fine, web browser is fine, etc
I've confirmed:
Very strange thing is that I ran a Wireshark packet capture on this problematic laptop.
And I RECEIVED the CORRECT ANSWER in the packets when I ran the same query... but the nslookup from Windows cmd did NOT display this at all.
Other than concluding that the native name resolution protocol on this installation of Windows is FUCKED, I'm kind of lost on what else to do next... Generally packet capture is my last resort that shows you 100% of what's going on, but I can't explain this behaviour of nslookup.
Any help? Thanks in advance
Vermont was paying $10,000 to get remote workers to move there. Well, Tulsa wants to do the same thing but better, giving a similar grant but with lower taxes and not excluding entrepreneurs! We want to lead a charge for the betterment of the Remote Worker community in the Oklahoma/Southwest and hopefully bolster the entire RW infrastructure by piloting a program in its infancy. If you all take the survey https://benwagman.typeform.com/to/Fo8q0u It will help shape our program and bolster the national recognition of this sector of the workforce once the program is implemented. Thanks all!!
Does anyone work in Network pre-sales for any MSPs?
Whats it actually like - apart from visiting client sites, what is your day to day? I am quite intrigued by the idea of it, it seems like a good stepping stone into Architecture. I am assuming it will be less hands on, but I am willing to commit to this if it brings me other skills.
Hey all,
I am working on standing up the networking portion of a stack in a Azure Gov DC operating under Fedramp rules/guidelines. I am getting pressure to put an IDS/IPS system as the gateway between every single internal subnet, not just traffic leaving our network. None of the machines will even have access to the internet. The Fedramp guidelines say:
The organization:
(a) Monitors the information system to detect:
(1) Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
(2) Unauthorized local, network, and remote connections;
(b) Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
(c) Deploys monitoring devices (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
Doing this in Azure is a colossal pain in the ass, because then you have to put something like a Barracuda in, and multiple devices like that because Azure instances only support 4 NICs. Its vastly complicates the network and I really don't want to move forward with this if we don't have to.
Wondering if anyone else here works in this type of environment and can shed some light. Thanks!
I'm shopping for new switches. We currently run PoE everywhere and are doing fine with it. I'm looking to future proof us for a while so I am considering PoE+ but what actually needs more that 7W of power?
Our user's are given access to connect to the VPN (Cisco AnyConnect) using the Dial-In remote option in Active Directory. Or so we thought. We've been granting access through that method but recently our Help Desk has said that people are able to access the VPN without the Dial-In option enabled in Active Directory.
We've tested with several users and it seems as though changing the dial-in option has no affect on the user's permissions to login to the VPN. My feeling is that this is also controlled somewhere else by GPO or something. I've asked the security analyst and he only knows about the Dial-in option.
Any suggestions on how I can find out what's going on here?
Hey all, I have a job interview tomorrow for my telecommunictions company for position that implements and maintains large business and government circuits. I have 20 years experience doing mid-level end user IT work but have no experience on the backend. After speaking with others who were interviewed, backed routing is a must. I understand routing fairly well, but I am no expert. I am VERY interested in this position. If anyone has any experience and can offer some tips or advice I would greatly appreciate it. Thanks in advance!
What did you learn at Cisco Live that you might try to share or apply before you get swallowed up by a week's worth of missed issues?
I managed to take both a class on NETCONF/YANG and a lab on Ansible which I should be able use to replace some old bash scripts among other things. I also learned that each Catalysts 9K is basically a small x86 server with a bunch network ports which have its hosting abilities unlocked later this year.
Hello all,
This could be a stupid question, however I am looking into whether I can telnet into a referb Cisco SG300 without going through the Serial/Console port. I just have it connected to my system with a crossover cable RJ-45.
Just wondering what my possible options are!
A lot of products offer Forward Error Correction. This is most commonly uttered in the Wan Optimization space, as well as the SD-WAN space... but there's some stand alone products that do so as well. For example the voip codec "OPUS" says it has Forward Error Correction built into the protocol.
I'm thinking if so many "things" have this, it must be real. But it sounds like impossible nonsense. Basically packet loss across the wan can be "fixed" on the other side, and the lost packets restored. How, I don't know, but that's why I'm asking.
Hi,
Two questions if anyone has any insights;
Thanks
Its Clunky, slow, falls over alot - not really good for anything....
Change my mind
Hey, i read many threads about firewalls, i know that there are many types of firewall at almost every layer except for the First layer.
There are 2 layer firewall that are called transparent that filter packets without being a router hop
There also 3 layer firewall that contains router function
I also know that there are 4 and 7 layer firewas, are these types of devices routed? If they aren't how they works?
What are the most common type of hardware firewall? Is It routed?
I currently have two FMCs, and one is degraded & out of sync with the other FMC. However, the degraded FMC has a policy which has a rule in there somewhere that is blocking some stuff to an SQL server, and the active FMC policy works. I am wondering if there is a way to grab a command line copy of both FMC policies so that I can compare both of them to see what is different? Once I know what changed, I will then repair the HA problem with them both.
All,Im so confused as to why my VLAN isnt working for my Unifi AP???Okay so ive done this before many times on a different brand of firewall and a slightly different method (see below). But I cannot get it to work at my home? I just cant grasp why?Example of Normal method-
That it, it works. Thats all i do.My current method at home (using exact IP's etc)
I cant understand why this is? Im clearly missing something obvious....I dont want to use a seperate interface on my firewall as the other 4ports are only 100mb not gigabit.
Screenshots: https://imgur.com/a/Q9l6jvv
NOTE: Posted in another subreddit for additonal help.
Looking for a small router which ideally has wireless (WLAN) capabilities, an SFP port (SFP+ is fine but I want to keep this as cheap as possible in bulk) and capable of pushing 1Gbps between LAN and WAN.
I'm sure Cisco has a few that have these features but I'm looking for recommendations. These will be installed at both residential and commercial properties.
Thanks. :-)
Hi, I am contemplating replacing my google WiFi with Ubiquiti setup. This would initially be for my house, with possible uses in commercial and other high end residential in the future.
As I own a building automation company, I am always testing and working from home a lot. I usually have a minimum of 18 devices on my network, with a max of 30-40 depending on what I am doing. Ideally I want to drop everything off of my WiFi other than phones and laptops. For my work related devices, I would want to create a separate VLAN for my automation and IoT needs.
What would be the minimum hardware to get a Ubiquiti setup up and going? Do i need anything other than one of there access points to plug into my cable modem? Or does it require any additional hardware to get it up and going. I definitely need a switch as well. There is a pretty good deal today on the Ubiquiti Edgerouter ER-4 for $145 as well.
My house is 2500sqft Two floors Motorola MB8600 Cable Modem 1Gbps Comcast 960mbps average on wired / 350mbps gwifi. No WiFi dead spots anywhere with any setup I have used over the years. Mesh or no mesh.
*Near future use I am running a few VM’s in AWS for testing purposes. I plan to use these as my access point for my home automation and customers as well in the future. The front end software I develop with can pretty much communicate with any protocol/machine ever made and allow cross talk.
In the end I am basically looking for recommendations on a Ubiquiti switch and WAP to swap out the google WiFi.
Thanks!
So I get the idea of broadcast domains and collision domains, but I'm trying to better figure out how to approach network design.
So, what are the most common programs that do this, and (if you know it) how does this influence network design
Hi, im just wondering if anyone here using Eveng and encountered issue with XRV Image under qemu.
Im Able to create the node and tried using multiple image on qemu but still not booting up/starting?
Other images on bin is working.
Os: ubuntu - vmworksation with eveng com edition installed.
Thanks
Hello everyone, For my University assignment, I need to configure a bind9 server. For this I use a centos7 and install bind. I then start it with
systemctl start named
I wrote this config and DNS zone which seems to me correct:
https://gist.github.com/focom/73ca5520bf24e0ee48521153adb8a43e
Then come the time to test my config, the thing is when I try to
dig @127.0.0.1 evilcorpca.com
Or even if I try reverse DNS
dig @127.0.0.1 -x 199.48.22.99
I don't get any answer from the server The server is found but it's like I have not defined the zone I don't get it. I am not sure where to look for now even after reading RedHat doc I am still stuck.
Would love a hint from you guys :)
This Adtran is managed by the ISP but is a new one that was installed just about 2-3 weeks ago for a speed upgrade. Noticed yesterday switches started to go down and could not remote into systems. Went into office and no internet. Rebooted the AdTran, firewall and things worked for 20 mins or so before connection to internet just did not see to work. Called the ISP that is when they said they are seeing 100% utilization on the AdTran. They kept trying to push a new image but did not work. Then they said going to wait a few hours. Today still not working and will be getting on the phone to try to figure out how to fix before work starts tomorrow. My question is can anything on the internal Network cause this issue that I should be looking for? Just hate waiting and want to dig in more to get this solved and wondering if this is only their issue or can I look into things myself? What normally is the cause for something like this just software issues or someone pushing to much traffic at the site? Thanks for any insight.
Hello! We have an old server in our store and we want 10GbE connectivity between the server and 3-4 hosts.
We don't have the budget or the space for a 10GbE switch that is silent enough to operate within the premises.
What I would like to know is if a QSFP+ breakout cable can be used with a 40GbE card on the host and 10GbE SFP+ cards on the clients, negating the need for a switch. Is this something that can be done and that is supported or is it only meant for switches with custom firmware settings?
Thank you!
Hi,
I'm about to implement dual AWS direct connects, both public and private VIFs and am looking to get some feedback on a couple of options for establishing the BGP sessions to AWS.
Currently have a pair of ASA5525-X Active/Standby and Nexus 3548 acting as the "core". The nexus pair are setup in VPC configuration to the ASA's and for the most part, VLANs are trunked to the ASAs which are acting as the default gateways. I have some EIGRP routing on the nexus for a few routes between our DC's.
Basically what I'm trying to achieve is have our dual direct connects as our primary paths to our VPC's and if they're both down, route via VPN to the VPC.
ASA's are running 9.8.x and Nexus switches are running 6.0(2)A8, so layer3 peer-router is supported: https://www.cisco.com/c/en/us/support/docs/ip/ip-routing/118997-technote-nexus-00.html.
High level topology: https://imgur.com/a/vCOmIPh
Question is, where to establish the BGP sessions.
Option 1: - Private VIFs. Create a VRF for these VIFs and a establish a BGP session on each Nexus switch, create a HSPR address on the Nexus and point a static route on the ASA's to the HSRP address - Public VIFs. Separate VRF for these VIFs and establish a BGP session on each Nexus switch. Establish dynamic routing between the Nexus and the ASA and redistribute the public routes to the ASA.
Option 2: Instead of having the BGP sessions on the Nexus switches, trunk vlans up to the ASAs for the public and private VIFs and establish the BGP sessions from there.
I'm leaning towards option 2 as it simplifies things a bit, in that I can more easily configure my primary and my backup paths from a single device.
The only thing that concerns me is how the dynamic routing will be handled during a failover event on the ASAs. I did a bit of searching, but only found documentation relating to older code bases. Basically, routes are synchronised between the active and standby, but the adjacency between neighbours needs to be re-established. If this adjacency happens within 15 seconds, there is a "brief" interruption, but if it takes longer, connections are dropped. Is this still the case in the 9.8.x series, or has it been improved?
Is there an option 3 I'm missing that someone could suggest? Traffic to the VPC over the private VIF is the most important, so the other option I thought could be a possibility is a combination of both. BGP for the private VIFs on the nexus with HSRP, and static route on the ASA, then trunk vlans to the ASA for the public VIFs and run BGP on the ASA.
Any feedback would be much appreciated. Thanks :)
Hi there
I've been loosely planning a replacement of switches with a Wireless LAN network that uses Ubiquiti UniFi access points due to need for more ports after steady growth and the need for a bit more PoE budget and likely some more uplink bandwidth. I'm not a network admin on a day-by-day basis thus I'm not yet certain wether or not introducing Private VLAN at the trunk ports of each AP but the limit the scope broadcast packets can reach.
For some context: Ubiquiti APs need to have the management LAN for the APs untagged and then the SSID are are tagged. I don't yet do RADIUS-assigned VLANs (announcing multiple SSIDs) since back then UniFi didn't support that and I need to keep some of my user groups separated from each other. (I do plan on using it it after some tests that I've made in the lab).
If private VLANs might be a really good thing to do, this might affect the choice of switches we're replacing the old ones with. I.e. HPE/Aruba's 2540 does not support PVLANs, but every switch from 2930F onwards does.
I know this is an stupid question but I can't seem to find the answer.
There are LAN outlets on the wall of my apartment and I don't know what they do. I live in a big facility so I don't know if I can share my internet connection by plugging my router in one and my PC in another. Or are they suppose to provide some service that comes from a main source in the building?
I'm in a foreign country and it is not possible for me to ask this from anyone in charge as we don't speak the same language. So I thought I ask you guys before going out and buying LAN cables.
Thanks