Just started reading it, but it seems to be an appropriate depth of detail for intermediate admins/engineers looking to step outside the comfort zone of focusing on how to config devices a certain way and start understanding why we build a certain way.
Saturday, July 7, 2018
What could be my best option to bridge 2 Lan's?
Hello!
I have a couple of servers, office and home in 2 different physicall lotactions. The servers run the camera's NVR (Xeoma), file services (Samba, syncthing...) and backups (rsync).
I want to be able to access to each lan in a transparent way, just ping to the other subnet without the need to configure each OS or APP.
I have DD-wrt routers on each end, so ideally i could setup everything on the routers and forget about it. if needed i can buy more hardware or buy some rpi's.
Between my options:
- IPsec tunneling
- Open VPN Tunnel (Running on the routers ideally)
- Zerotier
- EoIP
Think OpenVPN running on the routers could be my best option, but im really just an enthusiast and at the moment my network's knowledge its pathetic, so i would really appreciate any advice!
VLAN on OpenWRT
Hello. Are there any security benefits for installing VLAN on OpenWRT in my case(will explain further) and what benefits are? Because you cannot access OpenWRT through WAN I assume it’s secure. Also I have OpenVPN installed on each access point. The access point connects to my main router through Ethernet. The access point only gives out WiFi. I’m concerned only with the security of my access points since traffic which exits them is encrypted.
Ps4 wifi keeps dropping.
I'm assuming this would be a good place to ask this question. If not, please feel free to let me know where would be appropriate.
So, I recently moved into an apartment complex and am having issues with the internet. Actually, my ps4 is having issues with the internet. I have xfinity, 60mbps and can use it just fine on other devices. I'm a huge gamer and it blows that I can't use this beautiful connection.
Some important points before anyone asks.
- Yes, I am hardwired.
- I can't find anything elsewhere about this that has worked.
- I've messed with DNS, channels, etc, since the area is highly congested. Idk what channels would have to do with anything since I'm hardwired but worth a try.
- My ps4 stays connected to the internet, it seems, just disconnevts every 20 seconds when I try to play FIFA, bf4, Siege. Also, if I join party it'll boot me.
I'm really confused by all of this and any help (outside of "contact your ISP" would be appreciated.)
Thank you all so much.
ICMP/LAN-side UDP flood - GTA Online/gaming advice
Hello, I don’t know if anyone can answer my question here but if you can, much appreciated.
Basically I don’t know much about networking terms and acronyms. But basically I set my PS4 up into DMZ mode on my router. But everyone so often when playing online (it’s a P2P game) my router has network logs and warnings of ICMP and LAN-side UDP floods - which then causes my online connection to go dodgy for a while.
What is happening? What are people doing to my connection/PS4?
Identifying fiber types/panels
tl;dr: can I put 10GbE across those MM fibers (measurement and patch panels: https://imgur.com/a/mv9kl0f ). the measurement was done by my colleague with a 10m loop on the other panel, so the 2x250m are the cables in the ground.
I tried to read into fiber theory for the last few days and also stumbled upon the long and informative post in here from a while ago. Yet I'm still strugeling to map that information to my setup.
We're planning to put a NetApp FAS2620 as a nearstore in the neighbouring building. Luckily when they built it in around 2003, they laid some fibers across the campus directly into our building.
However, noone seems to know/remember what kind of fiber it was and we only found out the length by pointing a Fluke to one of the sockets. (Measurement readings in the imgur-album) It is about 250m panel to panel and 2,2dB dampening in one direction. Or -19dB. That's another thing i cant figure out yet. Currently we have MM links with 1GbE patched with stable results.
I looked at a few 10GbE optics from fs.com (we're a cisco shop) and their power- and sensivity-values. Do I just pick one, that results in this equasion?
"tx power"-"rcv sens"-"fluke dampening reading"=0
Like shown in the pictures, the SM-panel is also available to us. So 10GbE would be no problem on that path, but I and our storage contractor is not sure yet, if the NetApp can fit SM optics. Because the plan apparently is, that we're too cheap to put a 10GbE-Switch next to it and want to patch the NetApp directly at our switch across buildings.
Friday, July 6, 2018
The Most Efficent Run
Hey guys, currently having a bit of a dilemma. About to rent another cabinet from our data center provider. They are trying to charge $500 per run with us providing the cable. Now this seems reasonable since it's a one time payment, however the cabinet that the cables are being ran to is only 4ft away (same row, another client between the two cabinets). The run consists of 3 cables (one for public, one for private, and one for management. The capacity of the first two links would need to be 10gbps, with the management being acceptable at 1gbps. Are there any solutions where we could only run one cable to achieve this? I know there are QSFP+ cables that split into 4 x sfp+ cables, are there any that just bundle 3-4 x sfp+ cables into a single line? Considering how close the cabinet is, even something as short as a 12ft cable is acceptable. I know this seems absolutely ridiculous, but saving $1000 - $1500 would be quite helpful considering how much the budget is being pushed. Thanks!
TLDR: Any cable that bundles together 4 x sfp+ or 10gbps capable cables?
Double check my work?
Brief intro, working my internship and am the only network person at the location (small business), and they are using a single EdgeSwitch 48 Lite for their networking and a basic SoHo router. Owner has 2 separate businesses at the same location and wants the networks separated. I'm CCNA certified as of January and haven't touched a router/switch since class ended in early Feb. Both sides of the business need to have outside access to the internet but be separated from themselves to they cant see what each other are doing on their respective networks. I know all I need to do for this is separate them onto different vlans, but its a little different on EdgeSwitch CLI than it is on Cisco, so im asking for a once-over of my work before I apply it tonight. Thanks in Advance!
enable
ubnt
ubnt
network protocol none
network parms 192.168.0.2 255.255.255.0 192.168.0.1
network mgmt_vlan 99
vlan database
vlan 10,20,99
exit
config
interface 0/1
description Router
switchport mode trunk
switchport trunk allowed vlan 10,20,99
switchport trunk native vlan 99
exit
interface 0/2
description
switchport mode access
switchport access vlan 10
exit
interface range 0/2-48
description
switchport mode access
switchport access vlan 20
exit
HPE 1950 Switch 3rd party SFP modules?
Hello,
I have a HP 1950-48G-2SFP+-2XGT-PoE+ switch and I need to an SFP module for my fiber uplink, however none of the ones that are listed on HP site are compatible with my needs.
For days I have been searching whether this switch accepts 3rd party SFP modules as well such as Cisco, etc.. and I have not found an answer. I even tried HP support, ended up getting up getting transferred and waiting for hours for a callback to no reply.
So, just wanted to ask if anybody here have experience or knowledge wheter a 3rd party SFP module will work or not ? As much as I've gathered SFP modules are generally universial, unless a particular switch only takes OEM ones, I cannot find anything online or from manuals about this
And as they are not very cheap it's a bit risky to buy it without knowing beforehand.
Thanks.
Anyone familiar with TWC/spectrum public hotspot access points?
I don't know if all Enterprise AP's work like this but i noticed TWC/spectrum hotspot access points seem to broadcast all its 2.4ghz channels on the same frequency and same for the 5ghz as well.
That said, is there such a thing as choosing the "best" signal with these access points? They all seem to share the same exact signal strength so I'm wondering:
If only one channel out of four on a particular band was receiving 99% of the users, will all the channels on the band evenly slow down as well?
I was exclusively using the hotspot 2.0 channels in the beginning assuming less users but I feel like the 1.0 are notably faster at times.
Meraki MX84 or Sonicwall NSA2600
Hey guys,
I am currently rocking Sonicwall NSA2600 firewall.
Meraki is offering to replace it with Meraki MX84 for the same cost if I were to renew existing NSA2600 for 3 years.
So pretty much, same cost, new hardware.
Is MX84 comparable to NSA2600 ?
Thanks
Need guidance concerning Geovision server builds and GPU decoding.
Hi r/networking! The guys at r/cctv suggested I post this question here as well. Mods, if I've goof'd by posting this, I am sincerely sorry! pls no ban :c
Heyo, I'm pretty new to all this so forgive me when I inevitably ask a dumb question or spew too much unneeded information. I have lots of experience building consumer/enthusiast PCs but not much when it comes to server grade hardware or surveillance and monitoring equipment.
Some context if needed: I work IT for a company that does in-home care for the Special Needs community. We currently own/operate 60-70 homes and growing, all with Geovision cameras for remote monitoring of the residents and staff/care-givers. At the moment, we have DVRs (mostly Lenovo ThinkCentres) in every home. Due to the growing scale of our organization, we want to retire the DVRs and funnel the footage into one big remote server. So, going off of GV's hardware requirements, my boss and I are leaning toward something with an i7-7700 or better and 32GB of RAM. My boss is very interested in a dual Xeon setup but neither of us know if GV's software plays well with a dual-CPU and huge core count server. We've tried checking but can't seem to find any information on the subject.
So question #1: Does Geovision play well with Dual Xeon/huge core count servers? Does their software take advantage of a high core count or will it just utilize 2-4 cores and leave the remaining cores untouched?
Question 2: GPU decoding. If we slap a GTX 1060 in the server to assist the CPU with decoding, how big of a load will that take off our CPU? Is a GTX 1060 even adequate enough for a noticeable performance increase? Should we bump up to a GTX 1080 or Titan XP instead?
Additional info: We're using Geovision software and cameras.
In terms of bandwidth consumption, I think we're doing alright. We have a mix of h.264 and h.265 cameras (going forward, we'll only be installing h.265s), and we also scale down the resolution and FPS. Like way down. 4:3 aspect ration, 640x320 and 15 FPS. HD would be great and something we'd like in the future but realistically, our Monitoring team doesn't need super high video quality. They mostly watch for fallen/injured residents, odd/suspicious behavior (resident staying in the bathroom for an hour or more), smoke and fires, strangers in and around the home, etc.
In total, we have 391 cameras deployed. Each home/site has roughly 4-6 cameras. Each recording server has a max of 128 cameras, so we'll be getting 4 + 1 backup, in case of failure.
Any assistance in this matter is greatly appreciated! If you need any more information, please don't hesitate to ask.
ISE Trial and Wireless Design
TLDR: I'm trying to find out what other universites might be doing for BYOD wired/wireless access, especially in dorms, and for the staff/faculty/student general wireless. I'm mostly looking for answers with Cisco ISE but I'd certainly be interested in hearing from people using other products since the design part should be mostly universal.
I'm doing a 90 Cisco ISE trial to see what else is out there in the NAC world. I've seen lots of other great suggestions on this subreddit and I may look at some of those as well but I wanted to start with ISE as we're also in the early stages of evaluating the pros/cons of SD-Access. Here is the current setup with our existing NAC:
- Cisco WLC
- Mostly Cisco 2960-X for Layer 2 with a few spots with 3rd party switches
- Three basic use cases (all captive portal/RADIUS is connected to AD which all of our staff, faculty, and students are in):
- Dorm access (wired and wireless) with a captive portal using RADIUS and MAB. These networks see all sorts of consumer/home devices.
- Academic wireless which allows staff/faculty/students to log in to a captive portal using RADIUS and MAB.
- Guest wireless which doesn't require any sign-in or registration but still flows through our NAC in case we need to blacklist a MAC. Once a user has signed in to either the dorm or academic wireless, they can no longer use Guest.
- Both the above mentioned dorm and academic networks have posture enforcement for Windows and OSX that includes things such as making sure OS is patched, AV installed/updated, proper DNS set, P2P programs not running, etc. Posture enforcement is accomplished via a service that runs on the client computer
- ACLs are really simple now and basically give everyone the same amount of access and we do the rest of our access control at our centralized firewall.
What we like on our current setup:
- User identity capture on as many devices as possible on networks other than guest
- Device history/data
What we don't like:
- No IPv6
- Posture enforcement in dorms seems like a lot of effort for little gain and nobody really likes installing the client (I know we lose some device data without the client)
To start on this ISE trial, I've created a Guest Hotspot portal to recreate the guest access we currently have with the addition of an AUP page they have to click through. I haven't added the block for registered users yet but the rest seems to work fine.
I'm kind of stuck on the rest... should the dorm networks be set up as more Guest portals or BYOD (since ISE has different configs for each)? If BYOD, should we go towards full 802.1x cert provisioning with MAB as a backup (keeping in mind we'd probably try to use native supplicants)?
Same questions for the Academic wireless... I'm also wondering whether posture enforcement makes more sense here, however, it's a lot of money to pay for Anyconnect user licenses, at least with our current design where we access control at the firewall level.
Multiple SSIDs or just one for everywhere and use ISE profiling and user identity to sort it all out?
I also rather like the idea of having a My Devices portal each user could go to and add/modify/remove devices to their account for access but I'm not sure this is really designed to work with ISE guest setup or requires BYOD.
Setting up Eduroam might be something I look at as well.
Excited to hear what other universities with on-campus housing are doing!
How to get more server/Windows experience when your job has nothing to do with it?
To keep it short, my company helps manage a larger corporations VPN network. What I do is strictly networking. They have their own in house people that do their servers, AD, all the system stuff.
Recently I've been looking at job postings and more than 70% of "Network engineer/administration" postings look like this:
Windows 2008-2016 and Microsoft Exchange 2007-2016
Active Directory, Group Policy Design and Implementation, and Server O.S Installations/Upgrades/Migration
VMware Virtualization
Storage design
Microsoft Server
(Side rant: why do they list that as network engineer?? Shouldn't a post like that be classified as systems engineer??? )
I understand that this stuff is related and very important to network engineers, but I have 0 experience with any of that. Not by choice though. I would love to be able to look at and learn all the systems stuff that is happening on my network, but I have 0 access to it. And when I asked my boss about it he said "don't worry about how it works, it's not important." (He's very much in the mindset of "if it's not our equipment it's not our problem.)
So I guess my question is, is just reading about that stuff in books and watching videos enough to B.S. my way through an interview if a question like that did come up? Or should I just say something along the lines of "while I don't have hands on experience with it, I have read about and know the justs of how it works."
(Obviously I'm not ready for a full blown network engineer position, but I've been at my current job for just over a year and know just as much about systems stuff as I did when I first started.)
Real head-scratcher here folks
Ever since upgrading a wireless mesh at one of my sites I've been having very peculiar network issues. On the end of the wireless mesh I have a switch that intermittently stops responding. Every 60 seconds on the dot, the management IP address becomes unreachable for exactly 48 seconds on a continuous cycle. I know that the wireless mesh is staying up, because when I run a constant ping to a PC on the other side of the switch I never lose connectivity. Even more interesting is the fact that if I run a constant ping from the switch having issues over the wireless mesh, it never goes down, almost as if the ICMP traffic is keeping it alive somehow. I have a TAC case open right now, but wanted to throw it out to you swell folks to see if anyone has seen anything similar before.
(Unsuccessful) Troubleshooting steps taken:
- Verified proper VLAN tagging between switches and APs
- Rebooted switch
- Upgraded to latest stable release of firmware
- Disabled STP
- Put layer 3 address on the same VLAN that the PC is on (the one that never drops packets) to see if the same thing happens.
Project Management Tools
What kinds of project management tools do you use for those medium-sized (or larger) projects? I have been looking at a few options and I wanted to see what others like and use most frequently. I'm looking at tools that allow a small team of people to collaborate and understand their roles when working together, for example, a circuit upgrade with router refresh. Since projects like circuit installs involve many different people (telco people, local site contacts, remote network engineers) we have trouble keeping everyone on board and focused.
Other parts of my organization use Jira for software projects and I've look at that but it looks pretty complex. I've thought about just using an internal Gitlab site and the "Issues" feature there, but I wasn't sure how well that would work. Any thoughts and pointers would be appreciated.
mgmt over LAN on switches with USB-only MGMT ports possible? (and a few other questions)
a brief backstory; I've got no education, training or experience with networks and have been thrust into a job as a 'network engineer' of sorts, which requires me to connect switches from various vendors(currently 40+ different vendors switches on the network).
I'm learning as I go but this is a problem I have no idea how to solve. A lot of switches(looking at you, Dell) have USB-A/micro/mini-USB mgmt ports which are beautiful in a pinch but a pain in practice for my use case at least.
My end goal is being able to telnet/ssh into a switch and get details of which transceivers are currently installed in the switch.
To the questions:
I've learned that mgmt is typically done through a serperate VLAN for security reasons, is there a way to enable management functionality over standard eth ports?
Is it possible to connect USB-mgmt only switches to a mgmt LAN?
If not, is it possible to use a 'slave PC' to act as a passthrough? - I know I could do it that way with team-viewer or similar, but that sounds horribly inefficient and costly.
Oh, bonus question, the heck should I do if Windows(7/10) won't find serial COM drivers and I can't find them online? currently it's basically leaving the switch in a bricked state because I have no idea how to get into configs.
Is the TCP 3-Way handshake always needed for establishing a client/host connection?
I have been studying layers 1-3.
If a client is establishing a connection with example.com, I am starting to understand the process of DNS, frames, ARP, packets and routing.
But I don't see where the famous TCP 3 way handshake falls into the picture. Isn't a client/host connection already established once an ARP broadcast is resolved?
Could someone please explain to me how consumer mesh networking systems are technically different than using extenders/repeaters?
I've been searching and asking around about this for a while now. Every article or explanation I can find basically stops at saying "mesh networks work together to blanket your home with wifi."
I'd like the next level of detail. In my house I have a main router and I have an extender (not repeater) setup using ethernet for backhaul to the main. The extender is presenting the same SSID/password, and DHCP is disabled (set to forward to the main), which is how I've heard it described to get a "seamless" setup.
However, in reality it's not seamless for me. If I have a device close to the extender, then walk to the other side of the house close to the main, I usually stay connected to the extender until the wifi gets cycled on/off (manually, or device goes to sleep, etc).
I assume/hope that mesh networking solves that problem, but I'd like some confirmation and technical details. I assume I'd have the mesh nodes all using wired backhaul, so this is just about the "stickiness" of clients.
Does the mesh system automatically/seamlessly bump clients between nodes depending on strength? How do they do that? Isn't choice of AP a client-side decision?
The root of my question comes down to trying to figure out if I should move to a mesh system, or if there's some way I can improve my router+extender to solve my problem.
Thanks for any help.
I'm having problems with PaloAlto renewals - is it me, or everyone?
I've been trying to process licencing renewals for my PaloAlto firewalls. I have about 40 various models deployed in offices in about 8 countries. I am trying to get all the subscriptions co-termed
There have been 6 rounds of gathering them all in to a single account There have been a further 3 rounds of correcting inventory. That process took about two months. Now it has been another month, I finally got a quote to renew the appliances in the US, but I am still waiting on quotes for everything else.
I have to power off some devices in Asia this weekend for scheduled power work - their licences have now expired - they will not come back into HA after the power cycle.
Three months - I have the money approved. I'm waiting to submit the PO. It is going to be several $100k. Is it just my account manager at PA - or is it PA?
Should a management network be on it's own separate physical switch fabric?
Still a bit new to being a jack-of-all-trades sysadmin/network guy where I work... I finally came to understand what a management network is a while back and how we do not actually have one set up. I was considering implementing one to have secure, segregated access to all the management ports of our switches, servers and various net appliances, as right now they are on the same network as everything else.
I would think that management network should be on it's own physical switches and data lines (in the event that the main network were to go down or something) and then of course it should also be on it's own VLAN in cases that management network traffic needs to traverse the regular LAN switches (in cases of virtual appliances or something)
Do I have this somewhat right? I'm just looking to get some insight.
Thanks
VPN site gets ISP wrong - how?
Someone I know was looking for a VPN service and browsed a few sites. They website used the classic 'Here is your IP, Location and ISP' to show that the user is at risk, however they got the ISP (and maybe IP?) wrong.
Here is the site that showed it: https://www.cyberghostvpn.com/en_GB/
How do websites like this gather this information and how could it be wrong?
If someone was snooping on their PC, what affect would this have?
The 'ISP' shown was rather worrying.
Thanks.
AnyConnect Clients Spamming NetBios
Im having an issue where Anyconnect VPN users are slamming netbios. In my wireshark trace I’m seeing VPN users 10.18.254.X hitting 10.18.254.255. Its generating so much traffic on the ASA that its CPU is hitting 80% with only 12 users connected. We just upgraded from a ASA5010 to a ASA5508 with the current IOS as well. The old ASA has version 7.X I think.
I noticed one fix is to use a detected DHCP Server and removed option 43 and move away from the ASA anyconnect pool all together.
Has anyone else seen this? Im at a complete loss as to why im seeing his now compared to before.
Thanks for the help all. Happy Friday :/
How do I get internet on DD-WRT router from TP-Link Archer C7?
I'm having some trouble here, I'm trying to get a second router closer to wireless devices by bringing a wired DD-WRT closer to them. I'm not sure what settings I need to make that happen. I have Archer C7 as my DHCP server, IP address to it is 192.168.0.1, with it giving IP addresses from 192.168.0.100-120. I set the DD-WRT router to 192.168.0.2 with it's gateway set to 192.168.0.1, LAN port on C7 connected to the DD-WRTs WAN port, and it giving IP addresses 192.168.0.200-210. So DHCP is enabled on both but in different IP ranges, am I still fine? I actually thought that would be about all the settings I really needed to get internet on it but currently not seeing anything.
Looking for script to pull Cisco ARP tables and put them into a database
I want to ID everything on the network and put it into a DB, including up/down, first seen, last seen. Netdisco doesn't keep the historical. I want to pull the arp tables because we don't use DHCP. Anyone know of a script or docker that can do this?
Do I need a new router to go with ubiquity APs?
-- edit -- autocorrect in the title which I can't change, Ubiquiti
I work in a small office - 8 people. We’re running a BT router (I know I know) but need to setup a guest network. Honestly the router is fine. We have FTTP, and never really have any issues - other than a back room which can’t be reached - and is currently using a shonky netgear extender. We need pretty good speed, we regularly are transferring large files, or large volumes of files, or working with online software.
The main working area needs good WiFi to the main network (although most people and the server connect through a network switch). The back area needs the main network and the guest network.
I’m thinking about getting Ubiquiti gear. I know computers, but am a complete networking novice, so excuse the stupid questions. We have an IT guy who is will set it all up for us, but he's a little oldschool and I don;t really trust his choice of gear so much. It's a remote location so we don;t have a lot of choice in terms of IT people. Understandably he wants to recommend things he's used, but the last recommendation he gave us was for a draytek router that packed up after a couple of years. I Just want to make sure I buy the right things... So my questions are:
- In order to get a guest network do I need multiple access points? So in order to get the back room good signal on both the normal and the guest network would it need 2 additional aps? Meaning 3 in total, one for the main area and two for the back room.
- which APS do I want?
- do I need to buy a new router too? the edgerouter(lite)?
Ubiquiti's site is pretty confusing. Im confident with the right gear in front of me I could set it up tbh. I'm happy to spend what we need to get good gear - but I don't want to overspend buying something that is for a football stadium, or an office of 100 people, when I don't need it.
Thanks
Cisco nexus 7000 - firewall module?
was there ever a firewall module for the nexus 7000 platform?
my google-fu is giving me nothing substantial.
I can't find a roadmap stating any asa-modules or similar.
Halp?
Trying to access nodes in EVE-ng
Hello, I am trying to access the images I have in EVE. I don't know the username/passwords or where to find them. I am specifically trying to access Cisco ISE, Windows Server, etc. Where can I find the default user/pass and/or crack into it? I got this program from a teacher for a class, so I don't know exactly how he got these files. Thanks for reading and your help!
WiFi and apple issue with youtube
I'm a bit puzzled by an issue we are facing at the moment. We are running 2x cisco 8510 WLCs in HA and 2x ASA5585-x SSP-10 in HA (Active/passive)
For some reason users are suddenly unable to load youtube videos on apple products, while connected to our WiFi. It works fine if they are on a wifi that doesn't run thru our firewall.
Its working fine on PC and android devices, connecting to the same WiFi, and going thru the firewall.
I'm not seeing any traffic blocked on the asa or by the firepower
Tried with an any any rule from an iPads ip, no luck.
Anyone got any ideas - besides throwing apple out the window? :D
Thursday, July 5, 2018
SFP ambient light levels
Hi all, I’ve tried searching and searching but can’t find an answer to this question, so no doubt it’s a stupid one, but here goes.
Is it possible from looking at the received light levels in Cisco/Juniper command line to determine if an SFP has a fibre patch lead connected that’s dead, i.e nothing connected on the other end or if the SFP has no fibre patch lead at all? So my thinking is if a patch lead is connected to the SFP and nothing on the other end is transmitting possibly because Rx/Tx are incorrectly swapped the level would be at the noise floor i.e -40dBm as in theory there should be zero light. However if the SFP is enabled but no fibre patch lead is connected can it pick up overhead ambient light from within the data centre, would the fluorescent/LED strip lights in the DC contain any wavelengths to cause the SFP to see -38dBm for example?
So essentially I’m trying to determine from a remote location if someone has connected a fibre patch lead incorrectly, Rx/Tx swap or if there is no patch lead connected at all?
Head scratching issue
Hi!
I would like to ask the awesome networking community here at reddit for help.
Here is the case:
Ever so often we get one terminal server that usually loses its internet access 2 to 3 times per day. The only way to resolve this issue is to invoke the following commands:
netsh winsock reset
netsh int ip reset
netsh int tcp reset
reboot
the set of commands above needs to be invoked twice if it does not resolve the first time. after which internet access will resume.
Now, I am not sure if I am missing something, I have checked for viruses and spyware and alas, there was none.
Can anyone sight another reason why this is happening in my network?
Thanks in advance.
Adtran - TA5000 - AOE Limitation?
We are currently in the process of adding a new auto provisioning feature to our billing system. For it to work, we are having to manually delete Adtran ONTs and readd them with a specific subscriber ID to link to the customers account. We aren't having to do this with Calix ONTs. Does any know a way to do this without having to delete the entire ONT and readd it? We have 1000s of customers, so you can imagine the pain.
Does the time on a Router matter when doing Phase 1 via PSK instead of certs?
I find conflicting information onlnie. Mostly about SA's timing out. However if a router generates an SA, and it's negotiated it will timeout in 24 hours from now, then I dont see how a time skew between the 2 matters. They will still delete the tunnel in 24 hours from when it formed.
Should i go
Hi,
I worked for 4 years as network engineer primarily working on firewalls, but also had a fair amount of r&s in my work. I am back to school now. I almost have an year to complete.
Although i have a fascination to go into cyber security in near future, i feel that i should strengthen my network knowledge. I already have a ccna and about to take my ccna security exam in 2 or 3 weeks hopefully.
I will probably work on ccnp r&s next. I have been prepating for my ccnp r&s on off for a long time but didnt have the persuation to get it. Now that, i am back to school, should i work towards my ccnp r&s or try to work on ccie r&s as i have an year's time? Or am i putting too much on my plate ? Any guidance from the ninjas over here would be really helpful in taking my decision. I just want to make my time useful over this year.
Note:I want to get the ccie badge for knowledge and respect.
Sorry for my bad english. I am not a native speaker.
Very strange MAC address issue (possible foul play?)
Using my own Modem/Router Netgear C6300 with RCN. Worked for 8 months, today all connected devices say connected, no internet. Power cycled, factory resetted issue persisted, so I called support. One tech asked if I got a new modem recently, I said no. He asked me for my modems MAC which I provided.. then she read to me a MAC address on their end that's not my Modem or computer MAC address. If it was working fine and I didn't call how did it change ? After providing tech with correct MAC from the Netgear 192.168.0.1 and she still wasn't able to see the modem online. DS/US blinking , internet light is off. Modem is toast or issue on their end? Neighbor on the floor with RCN said his connection is fine.
P.S firmware is 2015 because RCN didn't issue an upgrade for it, but was working fine until this morning.
Advices on Enterasys/Extreme Networks needed!
Just switched company from an all Cisco shop to an all Enterasys/Extreme Networks shop. I'll be in charge of revamping an old Enterasys infrastructure with mostly Extreme Networks Summit-G2 switches. I'm trying to get the feel of the Enterasys CLI, this is messy. EXOS is a bit more intuitive and workable but still. Anyone has tips? do's and don'ts? scripts? good experiences/ bad experiences?
Setting metric on RPL XR
HI,
Just want to ask what is the equivalent command for IOS - XR in setting the metric on RPL?
IOS: route-map xxxx permit 10
set metric 10
XR: route-policy xxxx
set metric? <no output)
is this command supported in XR?
Thank you
Blogpost Friday!
It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our member's new and shiny blog posts
Feel free to submit your blog post and as well a nice description to this thread.
Limiting packets going out on a specific port
I have a device in my network that really only needs one specific type of packets. What method is best practice to limit "random" packets being sent from the switch to that specific device? Cisco switches.
Why can't you VPN to a network from inside that network?
I'd like to know the intrinsic reason as to why this does not work. I kind of have an understanding but I don't really know the mechanism that prevents this.
IOS question: Difference between Ipbase, ip services and LAN service, IOS and IOS XE
Hello engineers, I am under impression that ipbase is purely applied when we are using for example 3850 catalyst as core/aggregate and we require lot of routing features available. Where as ipservices is purely for access layer swtiches ?
On the very page I am new to IOS XE ,heard versions prior to 3.06.4 have few to many issues. How different is IOS XE compared to regular IOS version 15.2 etc on same catalyst 3850 swtiches ? (note that I am just taking 3850 as example as it is a LAN based switch that can take role of core swtich or aggregate, and the UPOE versions like 3850 48X can take role of access layer for WLC, AP, IPHONEs etc). Can you guys also help me understanding different versions of IOS like -universal- ? Also 12.2(33)SXI3 is when you we have to upgrade a 6500 in to a vss swtich ? Does VSS have their own version of IOS ?
Can someone assist me with writing a bat file
This is my first time doing this, but based on suggestions on an post I had submitted earlier, I am trying to write a bat script. I am trying to make it so that I can apply changes to multiple switches with one click, such as adding a new user to multiple switches. The program I am using is PuTTY.
So far I have it so that by clicking the bat file, I am logged in...
putty.exe -ssh username@172.16.13.59 -pw PAssword123!@#
and that is working fine. When I click it, I am logged into the switch.
So I was thinking I would just add an "en" and then "conf t" after this then continue with whatever commands I needed to add the user, but I then got an error. I already have a serpate script written up of what needs to go into the cisco switch. Normally I would just log into a switch and copy that into the cisco terminal. Can someone point me in the direction of how I need to add the cisco script to this bat file so that when the bat file is clicked, it runs it on the switch?
Also, how can I set this up so that this can be applied to a range of switches, such as 172.16.13.50 - 172.16.13.90. That way, the config will be updated for all switches connected in that range with just one bat file.
TIA
DDNS with Cloudflare with some network automation sprinkled in
Over the weekend I have been messing around with my home lab, trying to figure out a better way to make it accessible over the Internet. The issue I was having was with providing multiple web services and having only 1 public IP. I obviously could have just set up reverse proxy, but that wasn't interesting enough. I also felt like I could utilize somehow the fact that my home ISP is providing me with IPv6 prefix.
I have realized that Cloudflare could use IPv6-only server as endpoint and then proxy it to both IPv6 and IPv4 users. So I wrote some code that would get the IPv6 address of the system and then update Cloudflare with that data. I also figured that I wanted to be more restrictive with my inbound firewall rules, so I added in some automation in order to update firewall rules with the data.
So, without further due, the code can be found here: https://github.com/eoprede/cf\_dynamic
And if you want a little more information in the form of the blog post, I have put it on packetpushers: https://packetpushers.net/simple-ddns-solution-supporting-ipv6-domains-using-cloudflare-python/
Hopefully this will be useful for somebody. Any comments are welcome!
Anyone in DOD know of any free/open source RADIUS server software that has a Certificate of Networthiness (CON).
I know this is really specific, but just curious if something exists. Can't seem to find anything on Netcom.
ISE & Solarwinds bandwidth reporting
So recently I've been asked by management to provide better reporting down to the user/department level by netID. Is there any known ways to do this with the tools I already have or is there some third party app to purchase to make this happen?
VPLS Issue
Hey all,
Was looking for advice on an issue I am experiencing at work and can't wrap my head around it.
Have 3 sites connected via VPLS. Site 1 is 100Mbps, Site 2 is 100Mbps, and Site 3 is 50Mbps.
Site 1 to Site 2 gets expected speeds when transferring files or using Jperf to test speed.
Site 1 to Site 3 gets expected speeds when transferring files or using Jperf to test speed.
Site 2/3 to Site 1 however gets stuck at 10Mbps. This made me think Site 2/3 had some sort of upload QOS. Provider said it was layer 2 and they don't do any QOS at that level (makes sense) because they just set the connection speed.
Odd thing is that if I test with multiple streams in Jperf (10 or so) I can get close to that 100Mbps on the pipe. We also see this with our site to site backup software that is using multiple streams. Site 2 to Site 3, and vice versa, we are not getting stuck at that 10Mbps per connection. Is there anything on my end that could be limited each TCP connection to only 10 Mbps at site 2 and 3 that I'm not thinking of?
VPLS provider is checking links but said they haven't found anything yet. I find it odd that site 1 to site 2/3 is perfectly fine but site 2/3 to site 1 is limiting each "connection" to 10Mbps.
Thanks!
Have a Subnetting Convention question
So I've been studying subnetting extensively for the past few days, trying to brush up on what I learned in college. What I am most confused (and can't seemingly find an answer to) is common convention and the "right" way to subnet an internal network.
I just joined a company and looked at their Dell Sonicwall. The IP addressing scheme we have is 192.168.21.X /23. From what I understand, the /23 indicates that the network address is 192.168.20.0 and the broadcast address is 192.168.21.255.
So I have a couple questions:
- How many subnets are actually being made here? I understand that 512 (addresses made) and 510 (usable hosts) are being made, but is this all under one subnet? How does this /23 work in a Class C subnet? I think it's only one subnet being made but I'm not sure. I'm just really getting confused with the whole "borrowing bits" thing that is relevant in Sub-Class C subnetting and not in Class C addresses with non-sub-class C subnetting.
- If I made a separate network 192.168.1.0, would this be able to communicate to 192.168.21.X? My feeling is yes, but will need a router to communicate.
- An example I saw online said that if I had a subnet of /23 or /22, that if my network address was 192.168.1.0, that I would have 192.168.1.0-192.168.3.255 and 192.168.1.0-192.168.7.255 respectively. If I use a different 3rd octect, what happens there? Does the same principle still apply?
EDIT: So I was getting myself confused over the different formulas and rules and outdated Class-C configurations that I realized it's exceptionally easier to just do it all in binary. Like, much easier. Thanks for all your comments.
Xconnect L2vpn and Local Switch
Hi,
Just want to verify the difference between l2vpn features pseudowire and local switch.
L2vpn configuration:
R1 - Interface g0/0 l2transport
encapsulation dot1q 10
rewrite ingress tag pop 1 sym
xconnect x.x.x.x encapsulation mpls
R2 - Interface g1/1 l2transport
encapsulation dot1q 11
rewrite ingress tag pop 1 sym
xconnect x.x.x.x encapsulation mpls
Now when frame enters R1 - G0/0 Interface we will match the encapsulated frame 10 then pop then pass to xconnect and add MPLS encapsulation.
When it enters R2 via xconnect we will pop tag 1 which mpls encap will be removed then will encapsulate 11 then pass to customer.
However I want to create a comparison between local switch.
Example Configuration:
l2vpn
p2p local switch
interface g0/0
interface g0/1
R1 - Interface g0/0 l2transport
encapsulation dot1q 10
rewrite ingress tag pop 1 sym
R1 - Interface g0/1 l2transport
encapsulation dot1q 11
rewrite ingress tag pop 1 sym
Now Please help to verify if the process of local switching.
- First Frame enters R1 - G0/0 Interface we will match the encapsulated frame 10.
- Next will pop tag 1
Question:
- When sending it to G0/1 does it add additonal tag like "mpls encap"? So in this case we will send the payload to G0/1 without adding any tag?
- If we pop the tag on g0/0, how can we match the incoming from from R1--->(G0/1)-R2-(Customer)?
Alternatives to Linkrunner AT-1000
Does anyone know of any quality productions that are cheaper than a link runner AT-1000. I have a device called Pockethernet (https://www.pockethernet.com/) which does some similar things but I question the quality of certain things. The main functions I need CDP information, and identifying issues with cables such as shorts and other issues. My maintenance team swears by using cable ties (ugh) and when I previously tested with the Pockethernet it reports shorts. I would like to have something that I would consider potentially more reliable and industry standard.
Any suggests are appreciated.
Does anyone know what a device that converts wifi TO ethernet is called? Has anyone used one that works with 802.11x?
A user in one of our offices has a device that only supports ethernet. At this point it looks like the easiest solution is to just put a box in their office that converts wifi (802.11x) to ethernet, then plug the ethernet cable into her device.
Does anyone know what this is called? Google only returns devices that do it the other way around (convert ethernet to wifi... aka a router).
Netscaler & Let's Encrypt HTTP Challenge
Greetings!
I'm using a Netscaler to front end SSL for some websites. I have a setup where certbot automatically renews the certificate and then updates the netscaler with python. What I would like to do is create a content switch policy that directs the HTTP challenges to the certbot box and redirects all other http requests to https. Does anyone know what that request looks like? Let's Encrypt's quick start documentation is a little vague and says to "open port 80".
I may take a packet capture if I have some free time and I'll post back if I get some results that answer this question.
Per-room Wi-Fi AP Implementation
Does anyone have experience installing per-room Wi-Fi AP in a large hotel building? Is this becoming a standard? What hurdles you had to face? Have you used UniFi AC In-Wall in any installations?
Fiber Headaches
I’ll cut straight to the chase, I’ve set up two Netgear GS110TP’s interconnected with a premade fiber patch cable, using two tp-link MMF Mini GBIC modules. All parts are brand new and for some reason I’m only getting a link light on one of the switches. Any ideas?
How much experience before your resume doesn't get instantly disregarded?
I've been working as a network tech for a year and a half now. It's my first IT job, but I feel like I'm getting good experience for it being my first. I'm working with Cisco routers, and quite a few networking protocols/technologies.
For the past few months, I've been casually looking and applying for network administration/(junior) engineering positions (I want to move up into that role), but with very little luck. I always rather get the standard automatic rejection email or I'm told I don't have enough experience yet. How many years of experience will I need before I'm taken seriously? Or do I just need to fluff up my resume to make it sound like I have more than a year and a half of experience?
Also, I know certs go a long way, so I'm currently studying for my CCNA, but it's quite expensive for me and my work wouldn't cover it or give me any additional comp for having it so I'm kind of stuck between getting it now or waiting.
Any advice? Thanks!
Distributed vs. centralized DHCP
I expect this to be a somewhat controversial topic, but I'm hoping to get some best practice advice on how to make the decision. Currently I have two primary hub & spoke networks under my supervision:
Network 1 - Main HQ houses DC, DHCP and DNS - 6 Remote sites relay DC, DHCP, and DNS traffic back to HQ - Spokes are dark fiber direct to HQ, 1-2 ms latency, will have IPSEC backup but don't yet
Network 2 - Main HQ houses DC, and DNS - 16 Remote sites have local DHCP, but relay DC and DNS traffic to HQ - Spokes are metro-e mesh, 1-2 ms latency, IPSEC backup in place
Both of these models are working fine, but ultimately we intend to converge both networks on a single design template. There's unlikely going to be any change to the Domain Controllers or DNS traffic - the remote sites don't have servers on site for the most part, so that traffic will always go back to the hub.
We're about to bring up a new site in "Network 1" next week, and will likely rebuild the rest of the remote sites in the next 6 months. I'd like to finalize a design now that we can use going forward.
WWRND? (what would /r/networking do?)
Edit: Yes, the remote sites all have internet access directly. DNS has historically been centralized, but we could do something like DNS 1 and 2 are the centralized, and DNS 3 is 8.8.8.8 in the case that a site-to-site link fails. All sites will eventually have an IPSEC tunnel to fall back on if the link goes down though.
Edit2: I should add that the remote DHCP will be on a Palo Alto device. I'm not sure there's any way to cause it to update DNS records though. There's very little love for the idea of sticking a Windows server at the remote sites, so local DNS w/ dynamic updates is probably out of the question.
PuTTY question
Can I set it to open up multiple sessions at once. For example. I have 20 switches all on 172.16.13.2/24 - 172.16.13.21/24. Can I put in a range and have 20 terminals open up, instead of going and having to manually type in each number one after another?
Is my virtual machine or router to blame for being unable to access a VM website?
Looking to test my app over the network(or even public), but so far its only accessible by the computer I host the VM on.
make: VirtualBox, Vagrant, Homestead.
I have NAT, Bridged Adapter(192.168.1.17) and Host only adapter(192.168.10.10).
These are both available from my host computer, but they cant be accessed by my phone.
How can I debug this problem? My 3 best guesses- Bad VM config, bad router config, or Windows firewall blocks.
HP ProCurve, SCP failing due to permission denied
Hi!
I'm trying to copy over a file from my local client towards a HP switch but keeps failing due to permissions.
Downloads $ scp -v candidate.conf username@device.domain.com:/cfg/candidate.conf !--> Output removed debug1: Authentications that can continue: password,keyboard-interactive debug1: Next authentication method: keyboard-interactive username@172.16.0.10's password: debug1: Authentication succeeded (keyboard-interactive). Authenticated to device.domain.com ([172.16.0.10]:22). debug1: channel 0: new [client-session] debug1: Entering interactive session. debug1: pledge: network debug1: Sending environment. debug1: Sending env LC_CTYPE = UTF-8 debug1: Sending command: scp -v -t /cfg/candidate.conf Sending file modes: C0606 3557 candidate.conf scp: /cfg/candidate.conf: Permission denied !--> Output removed
When I log in trough sftp to get into the underlying OS (not HP ProVision?) I can clearly see the permissions.
sftp> ls -l drwxr-xr-x 2 J9854A J9854A 0 Jan 01 00:01 cfg drwxr-xr-x 2 J9854A J9854A 0 Jan 01 00:01 core drwxr-xr-x 2 J9854A J9854A 0 Jan 01 00:01 log drwxrwxrwx 2 J9854A J9854A 0 Jan 01 00:01 os drwxrwxrwx 3 J9854A J9854A 0 Jan 01 00:01 ssh drwxrwxrwx 2 J9854A J9854A 0 Jan 01 00:01 tr69 ?rwxrw-r-- 1 J9854A J9854A 149 Jan 01 06:05 tr69_log ?rwxrw-r-- 1 J9854A J9854A 0 Jan 01 00:01 tr69_status
I've tried to create a manager user J9854A but without success. There's even a possibility to change permissions, but nothing happens after command is executed.
sftp> chmod 777 cfg Changing mode on /cfg sftp> ls -l drwxr-xr-x 2 J9854A J9854A 0 Jan 01 00:01 cfg
Note! I can copy from the device!
scp username@device.domain.com:/cfg/running-config running.config !--> Output removed running-config 100% 3557 171.3KB/s 00:00 Connection to device.domain.com closed by remote host.
Has anyone managed to transfer a file to a HP ProCurve switch in the way I'm doing trough SCP? (SFTP fails in the same way)
I suppose a last resort would be to SSH into the switch and copy the candidate configuration from a remote SFTP. But I'd like to see if a simple SCP can be used as it's less greasy when I'm scripting it.
Any help is greatly appreciated! :)
// David
Need advice about hotpluggable switch module
Hi All,
Just need some, hopefully simple, clarification on something...
I've got a HP 8206zl with only one management module in. I've bought a second one, tested it in my redundant unit, it has a config on it....can i just hotplug it into my existing 8206? Do i need to make sure it's been reset or anything first? are the management modules hotpluggable like the other modules?
As it's currently a single point of failure on our network until the second one goes in side by side, I'm just a little worried about knocking it over! and HPs documentation doesn't mention the management modules specifically in any documentation about hot plugging modules. :)
Thanks
FTD DDNS for VPN
Hi!
I have a question regarding DDNS and FTD. We get a DHCP address from our ISP on our outside interface which we're using for our VPN clients. We want to bind this address to a more convient name for example: vpn.example.com. I've read about DynDNS and No-IP but it seems you need a software on your computer. I've also found that you can configure this on routers with the CLI but im not sure if its possible on the FTD? I'm managing our FTD with FMC.
FW between the VMs
our customer has 4 UCS with many applications as VMs and he wants the VMs to communicate between each other through FW ? I suggest to use the external FTD but he wants other Virtual products Any Advise pls?
Wednesday, July 4, 2018
College courses for CCNA?
Hey folks! I have 3 semesters left (16 credits) before I graduate, and I am planning to take CCNA Certs exam. I am bit worried because at my school in order for me to qualify to take the CCNA exam, I have to take certain courses. But since I have 16 credits left (that includes IT Capstone and Intern credits and other prerequisites courses) I might graduate first before I end up finishing the courses needed for ccna exam.
So my question is, do I need to take up college courses in order for me to take the CCNA exam or can I just self study or take online class?
Adding unsupported vendors/devices to oxidized.
Setup oxidized yesterday, really liking it so far, but i have a bunch of devices that are not supported, anyone have experience adding an unsupported vendor/device? Tips? Tricks? Or is it impossible without help from the vendor? It seems like it would be doable since i can pseudo script the cli on them...
Network Engineers with Masters Degrees or higher: do you feel your college education has made you a better engineer than your peers?
These questions only pertain to Network Engineers (those whose primary job duties include network infrastructure (routing/switching/firewalling/loadbalancing/etc)) in either an operational, design/architect, or combined role with a graduate degree (Masters or higher.)
-
Question from the topic title. Do you feel your college education has made you a better engineer than your peers who have either no degree or a lesser one? (Better at your job)
-
Do you feel your degree has resulted in a higher rate of pay than your peers that have an equivalent amount of experience?
-
Does everyone you work with have a degree as well? Have you ever worked in a position where your peers had no college degree, but shared the same roles as you. (Had the same “rank”)
-
Is your degree in Computer Science / technology, or is it unrelated to the field.
Thanks!
DHCP snooping blocked no legitimate requests
Hi All
Tried implementing DHCP snooping on a stack of Cisco SG550 switches today and it caused issues.
Basically we have two SG550’s in a stack, they are layer 3 and the DHCP server is also connected to this stack.
Set the port going to DHCP as trusted and everything else as untrusted. When I enabled snooping on a VLAN (only did one to test) and all was fine for a while, I started to see the binding database populate then eventually random people (about half the clients) started failing to get a DHCP address.
Anyone have any experience as to why. I thought that if I had set the DHCP server port to trusted it would be fine.
TIA Ben
Has anyone experienced any good Internet Architecture tutorials? Global networking as opposed to local networking.
I find a lot of local networking tutorials but I'm struggling to find something that shows me how things function on a global scale.
Why are home routers called routers?
Wouldn't they just be switches? Seems like a router is typically pretty expensive and is something a business would use.
Is it truly impossible to accomplish ipv4 AF iBGP multipathing when you use a route reflector?
If, say, I was an ISP and wanted to implement iBGP multipathing for the global internet routing table, is my only option to put it into a VRF and give each edge router its own RD? Or is there another way to accomplish this? (other than a full-mesh of iBGP, that is).
And if there is no other way to accomplish this, why isn't "Internet in a VRF" a more popular design? Are there any drawbacks? I've heard it can cause an increase to memory usage, but surely that is not such a problem with modern carrier-grade routing platforms... right?
Comcast ENS with only HPE Procurve 2930m and 2930f
Basically I am concerned with performance and my design?
The Core site with EDI will be a PAN firewall and a 2930m Stack. It will have ENS to 4 separate sites with 2930fs. Each site ranges from 5-20 users, the main site is 24, and each will have its own vlan. I have never done this with switch only, do you think there will be any performance issues? No Voip. Mostly just AD, Scan, Shares and Internet Traffic to the core and out the PAN to the ENS. Each ENS is 50 meg with 100 meg EDI.
And I can just pretty much put the ENS in its own VLAN and untag it on one port in each site with an IP? The PAN will have a subint in that vlan. Probably ospf it all, or a better method?
Is my ISP blocking access to my blog?
I have a blog at TravelTalesOnline.com. If I go to the site on my laptop, I get "The connection has timed out". Traceroute shows that it gets to the 5th hop (3, 4, and 5 are .bad.comcast.net, if that's relevant), but then it stops. The next 25 lines of the traceroute are "* * *". However, if I go to the site on my phone, not on wifi, I can get to the page with no issues.
Does that mean that Comcast is blocking access to my blog?
NGINX/HAProxy vs. F5 BIG-IP/Citrix Netscaler
Our F5 and Netscaler supports are ending soon and I'm wondering about NGINX and HAProxy options instead of renewing... even with enterprise level support they'd be a lot cheaper. How about feature wise, is there anything that I couldn't do with those softwares?
Currently we're using those hardware appliances for Citrix VDI (+FAS), SSL VPN (we could switch to Fortigate's SSL VPN) and we're using F5's APM module to do SAML/ADFS authentications for applications.
F5 has those iApps that configure a huge amount of stuff (Citrix VDI, Exchange, ADFS, Lync, Sharepoint have their own "apps"). I'm wondering if it's possible to do all the required configs with the NGINX/HAProxy? Or do I even need anything special to load balance those ICA/ADFS/whatever? (Of course according to Citrix or F5 they're a must:)
Bandwidth wise we're not using that much. If those "more complicated" setups would be impossible to do on "software", we could probably live with 200Mbps license for F5/Netscaler and have the "common load balancing" on NGINX/HAProxy.
Thanks for any ideas!
Can someone explain how a switch works and what are its advantages?
I know that they basically are a communication hub for devices connected via Ethernet cable, but how?
Does the LAN connection being stronger mean that the devices that are connected in that LAN have better and faster internet?
If so do other devices that aren't in that LAN experience an internet speed boost since the other devices don't take up as much internet or are they not interconnected?
EDIT: Also are they as easy to hook up as I think they are? Just plug it in and plug everything else in it and then you're good to go?
checkpoint firewall basics adding/deleting interfaces etc
Our basic setup is 2x border gws and a management box. From what I understand the mgmt box is where smart dashboard runs. The guy managing all this got abruptly laid off and our backup guy isn't exactly that. So now I inherited a cp firewall and I need some general help with the basics. I'm trying to delete an interface and adding a static route and it's not taking. Do I do commit and reboot? Does that mean you have to do an outage every time you make changes?
Also, I know there's an abundance of text on the internet about cp but mostly it's about fresh installs and/or if everything is as it's suppose to be. I need to do a sanity check and two important things I'm missing are ssh and web access (talk about disgruntled cp guy). I have a monitor and a kb attached to the box itself (cli). Any help is appreciated
Anonymous website host in lan
What i want to do exactly is to host a website in my LAN. I want it to be anonymous though. I know that my IP is required to access the website but i was thinking if things like TOR or proxies can be used in lan. I do have access to multiple computers (which are not mine). Can i use these computers to sort of, hop on the web request or even use them as bots for my website by using their computers as dummy IP addresses. I just don't want the web admin to detect my computer as the host of the website. Any applicable suggestion is accepted..
HPE 3810M to HPE 1950, compatible DACs?
Hi,
I was looking at repurposing some HPE OfficeConnect 1950 switches we recovered from a branch that closed and to uplink them via a DAC/SFP+ to an Aruba 3810M, however, our sales rep is telling me there's no compatible DACs for the 3810 & 1950, and the only way is to do it with SFP+ MMF transceivers (~400$/each) and MMF fiber.... for a total of ~900$ for each connection.
Does anyone have suggestions, even if it's off-brand "compatible" DAC or fiber transceivers that would work with these 2 switches?
Thanks!
Does your ideal manager/supervisor have great tech skills, or being a fantastic leader/people person?
Yes, yes, I know people say "both" but real world often doesn't operate on that.
So if you had to choose between a manager who's tech skills are mediocre on a good day, BUT their communication and leadership are genuinely exemplary and fantastic.
or
The guy above you is a dick or doesn't really know how to talk to people, BUT when it comes to the actual job, not only does he contribute, he does a good chunk of the heavy lifting because he's THAT more knowledgeable than the rest of you AND your coworkers
Routing ?
I have a site to site vpn. I am suspicious the issues is other site but cant prove it. I created and ACL and see hits on it when I send a ping however I dont see it when I run a capture on the router. I dont understand that
Layer3 Switch Loop. Deactivate RSTP?
Hello, I got a problem I can't seem to solve myself. I am working on a Router Mesh topology. The Router need to still use VLAN's because we are running pseudowire E1 over each link and they can only be connected to a existing vlan. So that means all router in the Mesh topology are Layer3 Switches runnng ospf for the management but still using vlans around the network. Now as always with Vlan and layer 2 tchnology you are running into the loop problem. Since it is a mesh topology and each Port/Link has to be up at all times there are multiple physical loops in my network because they are connected to each other.
My main Question is now. Can I disable RSTP on each Router then with vlan tell the traffic where it can go and where it can not so to have a physical but not a logical loop without the network going down? Is this common practise to deactivate RSTP in a Layer 3 Switch Mesh enviroment or is this very bad practise?
Hope you understand my predicament.
In a GPON context will any ONT work with any network?
Sorry if this is totally the wrong sub, however i can't find any information about ONTs online, other than a description of what they do.
So, question is whether there is some variable that would render any ONT usable on network 1 but not on network 2?
What's the difference between an ISSU and a multihop ISSU?
It looks like for me to get to a certain 7k version I need to do 2 ISSUs. Does the multihop ISSU allow me to have both code on flash and it does it in one go, or sequentally?
Specifically I'm looking at
Table 8 Multi-hop ISSU Paths for the Cisco Nexus 7000 Series Chassis
vs
Table 6 Supported Direct ISSU and ISSD Paths for the Cisco Nexus 7000 Series Chassis
AWS VPN Config
I have a scenario, There are Three Locations, A B and C
I want to create a VPN connection between A and B, and A and C, but B and C should also be able to communicate with each other through the VPN(A) which is an AWS VPN Site to Site, I assume I need a Multi-Site AWS VPN right?
Should I use AWS managed VPN for this, or any other configuration, to setup VPN on EC2. I need a configuration that supports static routes only, no bgp.
Thanks
Sflow probing of discarded packets
I'd like to monitor packets that are being discarded on a switch, but according to sflow specification it won't probe them:
Packet Flow Sampling is accomplished as follows: When a packet arrives on an interface, the Network Device makes a filtering decision to determines whether the packet should be dropped. If the packet is not filtered a destination interface is assigned by the switching/routing function. At this point a decision is made on whether or not to sample the packet.
My question is there some option that would allow to bypass this behavior? I was thinking perhaps routing to another interface (i.e. Null0) would be a workaround? If so, would that create extra load on switch?
RIPng Use Cases ?
Hi guys, been pouring through IPV6 Routing Protocols the last couple of weeks.
I gotta ask : What would be the use cases in 2018 for running RIPng on a network ?
Surely if a device can do IPV6 it can do OSPFv3,MP BGP or EIGRPv6 ?
40Gbps QSFP -> 10Gbps SFP+ 4way splitter
Hi
We're looking at replacing our 4 server switches. Our servers are equipped with 10Gbps NICs and so I'm looking at 10Gbps switches. These switches will trunk using fiber to our core switch which runs at 10Gbps.
I'm finding it difficult to get a definitive answer on whether all 4 of the 10G SFP+ ends of the splitter cable have to be connected to the core switch?
I'm currently looking at the HP 5940 switch in case that's relevant.
The reason for asking is that one of our sites core switch is a 24 port and free port availability is limited.
Cisco Meraki v Cisco
Hello everyone. Hoping someone can point me in the right direction.
I'm writing a proposal at the moment for a client that demonstrates how we can meet their requirements in regards to the Cisco solutions we push (we're a cisco gold partner). However the client has gotten back to me asking for a one to one comparison between our cisco solutions and options offered by Meraki.
Some context, I started this job last week and have very limited exposure to meraki besides APs. Does anyone know of a quick and dirty resource for comparing cisco and cisco meraki equipment. Or should I just suck it up and take my build in cisco commerce and go through each cisco product and find an offering from meraki that sounds similar?
any input would be greatly appreciated. Thanks!
Cat5e/6/6e bend radius when punching down?
Hey there, this has been on my mind for quite a while now. There are industry standards of how far you should bend a CAT cable but is there anything out there that mentions a bend radius for individual conductors?
For example, you strip the jacket of the CAT6 cable, place it in a keystone punchdown jack, and place the conductors into the 110 blades. The thing is, aren't the conductors exceeding a bend radius? In most cases, the conductors are forced to make a right angle bend. I'd love to hear what you guys have to say.
Tuesday, July 3, 2018
(Rant?) Someone toucha my switches
So I finally decide to take some time off work for the first time in the year that I've been here. My vacation is going great until I decide to check in on the ticket queue, my mistake.
30 devices offline - last check in time ~9:30am. (Campus Safety Devices)
So I think to myself, maybe the power has gone at in this particular closet... Log into the switch, nothing at of the obvious. Check the interfaces, which I'm glad I named for these devices. All the interfaces associated with those devices are back on the default vlan. So I'm thinking to myself, "Somebody toucha my spaghet1"....
Check the vlan associated with those devices, it's non-existent. Glad I had a backup of the config, but I hand jammed the vlan back in and tweaked some other settings in the process.
Long Story Short - Don't let people toucha your switch configs
A question about layer 3 wireless roaming?
My understanding of L3 wireless roaming is that you can keep your IP address you started with when you roam onto an AP that doesn't offer the SSID/VLAN you are anchored to. So for example, you start off on an IP that is say, 192.168.100.10 on vlan 100 with an SSID of "Users" then you roam into an AP that is connected to a controller that doesn't have that SSID/VLAN so you join say SSID "engineering" which is tied to VLAN 200. So the new controller you roamed into (the foreign controller) will build a capwap tunnel to the controller you started at (the anchor controller) so you can keep your IP address even though the SSID/VLAN isn't natively offered by this AP/ controller.
I think this is how it works? It's very confusing to me. If you roam onto an AP that doesn't have the SSID you were originally attached to, then it's going to break the connection when you move to the new SSID right? And when you connect to the new one, you'll just get a new IP in whatever subnet that SSID is tied to right? How does the controller know to build a tunnel to your anchor controller and keep your existing IP address?
Is networking saturated?
I'm going to be pursuing a degree in Network Operations and Security it comes with a few cisco certs.I'm interested in networking,but I'm just wondering if I'm doing the right thing here.I mean will Networking jobs still be there when I get finished in a few years with all this automation right around the corner?
Is STP required for exterior mounted APs?
Is STP cabling required for exterior POE APs and Cameras? The devices will be mounted to the walls or under the eves of the facilities.
If it is required, is it as simple as buying shielded connectors and keystones all the way to the POE switch or is something else required?
Rant Wednesday!
It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.
There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!
Nat-t disabled
Hello everyone, We have a fw and in front of that, we have a router that NATs. I had this issue brining up an Ikev2 tunnel, but had no problem brining up ikev1. The second I disabled Nat-t when trying to get Ikev2 to work, It started working. Would anyone know why this would happen?
Linux Tech Tips does 120 megabit wifi at 12km with Ubiquiti gear (Youtube)
https://www.youtube.com/watch?v=lYJFwXw1ZIc
Jump ahead to 14m in if you want to skip a lot of them just trying to get good locations. Kinda slick.
Network content filtering form
Yo so, forgive me if this isn't allowed or not up to par. I had to make a simple quiz for a tech/business camp I'm at (Kentucky GSE), and we're making a company that essentially sells firewalls and network filtration systems. If you could, would you please fill out this form?
Ty if you do, may your servers live long and your SSDs (or HDDs) last forever.
Inline or one armed load balancer?
Ho do you usually add a load balancer to your network?
- One armed mode and NAT everything
- Inline Mode where you have interfaces in every subnet you have servers
- Something in between where you have "outside" and inside" but maybe routing in the inside too?
First option is probably the easies to configure routing wise as you only have one default route, but you'd have to NAT everything on the LB and lose the source IP address visibility? Unless you add extra HTTP headers for example.
Second option would also be quite easy configure routing wise if you have interfaces in every server network on the "inside" and then just a default to the outside.
I'm wodering because we've ended up with setup where we have few interfaces and then lot's of static routes pointing all over the place. I guess it started as something like "internet on the outside, lan in the inside" kind of thing until someone wanted to access the hostname that was on the outside network and then we added few routes there and few NATs there...
Thanks for any ideas!
Wired and Wireless upload speed differences
Hi,
At work, I've noticed quite a significant difference between our wired and wireless upload speeds. Wired, we're getting around 5-8 Mpbs and on wireless it's around 22-25 Mbps.
This seems wrong to me.
So I started by getting some benchmark speeds then, I disconnected our computer, VOIP and guest network cables from the router, leaving only the input line from our ISP and we're getting the same speeds.
I've swapped out the input line cable in case that was faulty, disabled VLANs and played around with router settings, none of which seem to have made any difference.
I'm not massively experienced in the networking world, I'm just looking for some advice whether this kind of behaviour is normal and if not, how to proceed with problem solving in this case.
WAN Cisco Router for 1Gb circuit?
My company wants to utilize Google Fiber small business for our backup ISP, and we're trying to purchase a router for the circuit termination as they provide their WAN IPs via static DHCP reservation and this doesn't work for an ASA Pair in Active/Standby. My manager tasked me with getting a quote for a router for this circuit, ideally something cheap that can handle 1 Gig throughput. I'm looking at some options and trying to understand why a router like a Cisco 4221 ISR has 2x 1Gb interfaces, but lists throughput as only 35 Mbps?
https://www.cisco.com/c/dam/en_us/solutions/small-business/routers/4221-router-infographic.pdf
Any recommendations for a router that would fit this need? All this device needs to be doing is NAT and terminating the Google Fiber copper handoff. Thanks!
Who can donate L2 Switch?
Hi guys, we plan to build and Internet Exchange at Brazil, inside Our University. We looking for someone can help us with an Layer 2 managed Switch with 12 or 24 SFP or SFP+ ports. Someone interested?
IPSec / L2TP ports.
Hello,
I was working with my firewalls on my dedicated servers and I am unable to create connections from iOS or any other device EXCEPT windows by using IPSec / L2TP.
I opened up port 500, 4500 and 1701 on UDP to allow connections and everything works perfect on windows, as for Mac OS and/or other platforms it will not initiate a connection. Am I missing out on something here?
I use SoftetherVPN on Debian 8, with all options ticked in the IPSec settings. I use private key which I have verified is correct. The error seems to be connecting to the actual server. I block all UDP ports except the formentioned one which is why I’m asking.
What am I missing out on?
Thanks, Jam
Line Card crash and tac sent me this!
These errors occur when an energy level within the chip (for example, a one or a zero) changes, most often due to cosmic radiation. When referenced by the CPU, such errors cause the system to either crash (if the error is in an area that is not recoverable) or they recover other systems (for example, a CyBus complex restarts if the error was in the packet memory (MEMD)). In case of a soft parity error, there is no need to swap the board or any of the components.
Cisco Meraki "The Office" Easter Egg
I was in the Meraki portal this afternoon and noticed that when creating a new network the suggested name is "Scranton Branch Office". The suggested address is also "1725 Slough Avenue". The address of the Office Building.
Are there any other "Easter eggs" like this that you've noticed?
Career Advice
I've been studying networking, primarily Cisco, for just over four years now. I've had two networking jobs both of which are network analyst. I love the network side of IT but occasionally I catch myself feeling like an idiot, and maybe it's because my latest position is so complex. My question is, has anyone ever reached a point early in their career when all the stuff you learned and thought you knew just doesn't seem to make sense anymore? I guess I'm just looking for some stories that anyone would like to share.
Palo vs. Firepower FTD
We are currently evaluating both Palo and FTD, and I am looking for some pros and cons of each, and experience running them in general. Particularly interested in people running PA 5220s or Cisco 4110s
Can't ping remote router
Hi, I'm having an issue where I'm not able to ping the remote router. I have 2 routers on my LAN. Router A is our internet router and is able to ping the remote router. Router B which is directly connected can not ping the remote router. The trace route sees router A as the next hop but it times out from there. Any ideas why I'm able to ping from router A and not router B?
Theory Question. Why use BDI over VLAN Subinterfaces?
Hey everyone. Working as an intern this summer for an MSP and a lot of my work has me checking configs on CE routers running two VLAN's over a single circuit to our Core routers.
For the most part most of these are broken up using standard subinterfaces configured for each VLAN.
Today I ran across an ASR-920 that had 2 BDI's set up to separate the traffic instead of using VLAN's like I've seen on the ISR routers.
I did some research on lunch and got the gist of the general difference between the two services but I'm still not seeing the benefits behind using BDI's.
If anyone could spare some time to shed some light on this I'd really appreciate it.
Sorry If my description is unclear or kind of fucked... let me know and I'll do my best to clarify.
IPSec optimal configuration ZyWall <-> tp-link
Hi! I want to get advice from experts:) right now i have in HQ ZyWALL USG 110 and on remote locations (19) tp-link R600VPN. I want to configure IPSec tunnel for all of locations. I have good internet link in HQ but badly on some of locations have LTE modem with redirected UDP 500 and UDP 4500 ports for IPSec. As u know that tp-link isnt a monster of performance :D im looking some advice for detail of configuration to get the best performance of ip sec tunnels. What encryption should i set on Phase1 and Phase2? What SA lifetime? DPD?etc. I will be greatfull for any tips.
Wireless clients endlessly roaming between APs for same SSID
Hi everyone. I've got an odd issue occuring at a client site with some tablets and their wifi system. I'm no expert on wireless, so I was hoping maybe someone could chime in and shed some new light.
We have 6 vendor-provided tablets running Windows Mobile (6? 6.5?) that are having trouble staying connected to wireless because they are constantly and endlessly roaming between the 2 closest APs. This causes their connectivity to go up and down forever as when they try to roam over and over they'll drop a few packets and then resume communication. Does anyone have any recommendations on additional items I should be looking into? Here's what I've tried so far:
- No other wireless clients appear to experience this issue. Other clients include Android and iOS devices, along with Win7 and Win10 laptops.
- The SSID in use for the vendor items is separate from their primary (internal) SSID. I have tried connecting other devices to this same SSID and also the vendor devices to another SSID. Behavior remains the same for the tablets, other connected devices have no issue.
- There are 4 APs total. They are Ruckus R510s acting as a cluster where 1 AP is designated the master / controller.
- The 2 closest APs to where these vendor devices will remain have had their transmit power lowered to ~60% to reduce signal overlap, they have had their channel statically assigned (per vendor request in troubleshooting), and 5 GHz has been disabled.
- Load-balancing on the AP / cluster side is not enabled
- Client-isolation is disabled (was disabled for troubleshooting, makes no difference)
- The client did just move to a new building, and 2 of these 4 same APs (with the same settings) were in place at their old location and not really having issues. They were more spaced out and also more obstructed in their old building, so I'm assuming here that that was actually a positive where these tablets are concerned as they may not have attempted to roam due to much further away / weaker signal.
I'm like 99% sure this is an issue of just the base OS for these tablets being a bit old and not handling wireless very well. The vendor has requested that we lock the SSID to only 1 AP closest to the tablets as that is what they recommend. With the way the APs are clustered, this is currently not possible. A full controller would need to be put in place to allow this type of change. I'm trying to avoid that if I reasonably can since these are the only devices that would need that accommodation.
Thanks
edit1: updated some details for clarity
Simple Linux question?
I am running CentOS 7 and am having a little trouble. I have two networks, a 192.168.0.0/16 and a 10.0.0.0/8 networks (they have multiple /24 subnets in them). They DO NOT have routes between them, so the only way to communicate is to have two interfaces on a device.
On my CentOS machine I have two interfaces (en0 and en1) with IPs of 192.168.7.7/24 and 10.15.1.7/24 respectively. I have tried setting routes on the OS so that 10.0.0.0/8 traffic goes to 10.15.1.1, but I can't get it working. Does anyone have any suggestions?
metal handle GLC-T will get stuck in Cisco Catalyst 9500-40X
We have a Cisco Catalyst 9500-40X. On a metal handle GLC-T, the release mechanism will push/bend the switch catch up getting it stuck. The plastic GLC-T uses a different mechanism and has no issues.
Checkpoint help
Scenario:
I'm trying to go to a https site. Our staff vlan can get to it, no problems but our guest vlan can't. In the log (smartview tracker), staff vlan traffic triggers a rule (x). the guest vlan traffic triggers the final, block all rule. I go to rule (x) and add the guest vlan in it, then save. When i try again from guest it still triggers the last rule/block all rule. Clearly i'm not doing something right here. Any suggestions?
edit: we're currently running r75.45
Will doing advanced cisco certifications (CCNP,etc) be worth 4 years down the line?
I am a CCNA R&S certified network engineer with 5+ years experience. I am at present studying for CCNP certification & plan to also do another cisco certification in an associated stream after that. I have been hearing that networking industry is undergoing massive fundamental changes and changes will be even more pronounced in coming years. I have been hearing how SDN, automation, cloud based services, etc may probably make current cisco router, switches based implementation model less relevant & may reduce the number of required network engineers as well. I have to spend tremendous amount of time and money to complete CCNP & other cisco certifications. So will the effort i am putting to complete CCNP now be worth even after 4-5 years or will i be doing myself a favour by trying to certify myself in one of the emerging fields like AWS, etc?
Need some help with setting up RSTP
Hi all,
i am in charge of setting up our new infrastructure (new switches, new ip-subnets/vlans) and i really need some help with Rapid Spanning-Tree.
The Hardware:
| Switch | PoE | Use |
|---|---|---|
| 5x Dell S3048-ON | No | Clustered to one big coreswitch. |
| 1x Dell N1524P | Yes | Wireless Access Points |
| 1x N1548P | Yes | Offices where we can let PoE over the (new) building wires |
| 1x Dell N1524 | No | Management Interfaces like idrac's etc. |
| a few Unifi 8 150W | Yes | Offices where we can not deliver power over ethernet due to old cables in our walls. |
Every Switch is connected via Port-Channel. Always the last two Ports (No 10G Interfaces!) are used for Uplinks towards the Core.
The Coreswitch is already Root-Bridge with a set priority of 12288.
And now is the situation where i have more and more questions the more i try to get solutions for them:
- How should i continue with my configuration?
- Do i have to set EdgePorts manually? Is it the same as PortFast?
- When and where should i configure RootGuard?
- Are Port Priorities necessary when i use Port-Channels? If yes, on which interface? Gigabitethernet or Port-channel?
- Do i have to set specific port costs?
Chances are high that more questions will be added, but i am grateful for any help!
Thanks in advance :)
Best Practise to replace the default Gateway of a Client
So we want to replace a ASA 5540 with a FPR4120 (with ASA image). The ASA runs in Muli context mode and it is providing the default Gateway for a dozent of /24 subnets in multiple Contexts. The Plan is to migrate one Context after another. The Business side of things wants a silent migration for smaller customers that dont work in the time between 10PM and 4 AM.
Our Initial assasment was that migrating a context should be pretty straight forward with little downtime. We Preconfigure the New Context of the FPR acordingly, disable the Interfaces of the old Context on the ASA and enable the Interfaces in the new Context on the FPR. After my understanding, this will however not work out because the VM's and Servers don't actually loose network connectivity and will retain their ARP Table with the old Mac Address for the default Gateway.
In my opinion we have the following options:
-Restart all Clients where the DFG will change /Clear the arp Table of the Clients ( our Sys Admins don't want that)
-Change the Mac Adress for all Virtual Interfaces on the ASA that are the DFG (we from the Network Team don't want that)
So basicly i want to find out, if any of you know a way to handle this without Restarting devices or to "spoof" the mac address of the old device.
Cisco FTD Remote Access VPN Certificate Issue
Hi!
I finally went and picked up a FMC for our FTD device. When I try to configure the RA-VPN I get this error when I try to deploy "need to enroll the Trust Point for this device."
I open the Devices->Certificates menu and add my self-signed certificate there and get this error
"Error: Unable to communicate to the device. Please check connectivity to the device from Firepower Management Center and retry the operation"
I can ping FTD->FMC No connectivity issues but if I reverse the ping FMC->FTD I do get around 60% packet loss for some reason.
The setup looks like this:
Internet----|FTD|----|SWITCH|----|FMC|
They both are in same subnet and I can ping both devices from a client PC on the same subnet without any packet loss. Even from the FMC to other devices. It's only FMC->FTD that causes packet loss.
I'm using FTD version 6.2.3.1 and Cisco Firepower Management Center for KVM v6.2.3. If I google that error message I find this https://quickview.cloudapps.cisco.com/quickview/bug/CSCvh68618
Any solutions for this? or wont I be able to use RA-VPN until this bugged is fixed?
I'm about to lose my mind with Cisco's Firewalls.
Adding VLANs to multiple interfaces
Hi!
Long story short, I have a few S4048T-ON switches that have a couple of hundred VLANs on them, and I need to add these VLANs to a few new interfaces. On these switches you go into the VLAN and add the interface instead of the other way around, and obviously this will take quite some time to do manually for every switch. Does anyone have any idea of how I could go about scripting this or making it easier?
The VLANs and interfaces aren't in nearby ranges so I can't go the int range route.
Huawei switch login fail
Hey /r/networking,
I'm having an issue with one of our Huawei switches and since our warranty expired last month (typical) I don't realy know where else to go. You are my last ray of hope. Side note: I can use CLI but am not very comfortable doing it.
So here is what's going on:
All of out Huawei switches have the same basic configuration with web access. One of them (S6700-24-EL) refuses to allow logging into it via https service. I did as much debuging and digging as I could (given how abysmal I am at CLI) and here are my findings:
Web login page loads as expected. Provided with WRONG user/password it also behaves normally (wrong password pop-up). Given correct credentials the website does... nothing. Hit Enter: nothing. Press GO icon: nothing.
So I decided to plug in console cable and see what's going on. Logged in just fine and started digging. I couldn't find any miss configuration (remember I'm not good at command line) but I did however notice an interesting thing.
While logged into the console the switch spits out information about failed http login attempts. This is normal. On correct login attempt however it should stay silent (pic). Instead it spits out NETCONF login info (pic). It also logouts NETCONF session after ~10 seconds.
I tried digging in and finding NETCONF configuration but failed. Here is some (hopefully) relevant configuration I did find (pic).
Please forgive me for heavy censorship. I hope you understand the risk of putting your configuration on the inter webs.
At this point I'd like to thank you for your time even reading my post. I hope I can find that one angel that already had this problem and can help me out.
Best regards,
Rudelke
Check my diagram - and Security
I'm trying to work out what the optimal firewall implementation would be if I could ever rip out our firewalls and start again. See the diagram below. The purpose of my question here is what access to inside and outside zones should all these different types of servers have?
Diagram: https://ibb.co/kNFMNJ
So far I've actually decided that there would be absolutely no permit statements going from any of the server side zones to the inside or outside zones (with the exception of the WSUS update servers, which would require internet access) . The reason why, is because everything should be attempting to initiate traffic towards those servers, not the other way around. So I would only need to be building access policy FROM, INSIDE and OUTSIDE zones for limited access towards those servers. I would also obviously build a policy for communication between the zones.
But I've not really had the luxury of starting a firewall area like this from scratch for a DC. So would this be the correct thinking, in regards to my idea between servers not needing permit rules to inside and outside?
Enterprise NAT - 5 million sessions
Can anyone recommend a single appliance of any kind capable of handling this kind of load?
Internet problem. Need help.
Not sure if this is the right place but I try. Yesterday my network was working fine, today when I start my computer it says "Ethernet missing valid IP configuration" I tried to reboot computer, internet without any success. My operator say theres no disturbance around and valid help time is 1-5 days but I dont have that time.. I do not have a router nor Wifi. I use cable from wall to computer. anyone know any tips on this?
Fudging iBGP peerings w/ "local-as"?
So I just wasted a few hours of my life trying to bully some ASRs into forming an iBGP relationship on an AS that neither was "officially" a member of. Something like this:
router bgp 65000 neighbor 10.10.10.1 remote-as 65010 neighbor 10.10.10.1 local-as 65010
Not for production use, mind you... just trying to PoC some different configurations in a lab that's really too small to do what I need to do, so I'm trying to cheat certain things.
In any case, this *mostly* works. Was testing certain RR setups and stuff just fine. Right up until they're no longer adjacent, when they fail entirely. After dicking around with MTUs for a while, I finally just grabbed some pcaps and see both of these damned routers sending their SYNACKs with a TTL of 1. The SYNs were sent with 255, and in sessions that *were* adjacent, once they got going all the keepalives, etc were with TTL of 255.
Is this just a "stupid edge case no one supports anyway, so it's broken" thing? Or is it "actually expressly forbidden and should definitely never work"?
Do you connect to Public Wi-Fi?
I just got hired by a large cloud company and I'm doing the mandatory on-line training for new hires. One module about securing company data while traveling caught my attention. In short, it is instructing travelers not to connect to public Wi-Fi and to use only corporate secured Wi-Fi networks when on the road. The directive also included smart phones.
I have worked for ISPs my entire career. The Network Layer and I are old friends. I like to think I can spot a Man In the Middle attack or know only to surf to secure HTTPS site. I don't worry about using public network. But I'll ask the experts here, do you connect to public Wi-Fi? If so, do you take any precautions?
Networking's most interesting things for newbies
Hi guys. I am starting my journey as a CCNA insturctor and I'm having Wednesday my first CCNA 1 course. I'm OK with the technical side of the course, but I feel I'd need more content on the non-technical.
At my first course I want to show them some interesting things and I could use some suggestions. By now, I plan on showing them these:
- a brief description of my day-to-day work at a big ISP and some examples on how my work impacts the end user
- a video on IoT
- pictures of Facebook/Google's datacenters
- a live DDoS map
- maybe I should also mention that these concepts together with the certification may open some doors
Thanks for any future replies! :)
English isn't my main language, so excuse any mistakes.
Subscribe to:
Posts (Atom)