Saturday, July 14, 2018

Network traffic classification

Hello, I have my graduation project, which is "Improving the SDN QoS performance using Machine Learning", and I had a hard time finding network traffic data in order to test my "Random Forest" algorithm. I found one, but now I have the problem of labeling the data. So is there any software that I can use to prepare the data and label it before feeding it to the algorithm, or how can I solve this issue?



Token ring anybody?

I was cleaning out my shed this weekend and found two large tubs full of token ring hardware. Needless to say, this brought back “memories”. Does anyone out there have any fun experiences to share?

Better yet, does anyone know of anyone still using it?



HTTP flood within single TCP session?

https://ift.tt/2Nh23wG

A Quickstart Guide to IRR/RPSL

As I'm a member of the team trying to run an Internet Exchange, we've been looking into rolling out IRR prefix filtering on the exchange route servers (which is a seriously good thing to do), but as we started to dig into what we were asking all of our IXP participants to do, the current state of documentation on how to get started in IRR to do just enough to enable prefix filtering seemed... lacking.

We've written a whitepaper on the matter, but given our minimal real world experience using IRR, I'd appreciate it if others could sanity check our guide and point out any flaws in our understanding of how our participants should use IRR or where you get totally lost in this guide.



I'm a fraud

When I was 18 I was so desperate to move to the city from my small village that I just applied to a random course without any thought, and that course turned out to be Networked Systems Engineering. After the first few weeks I knew it wasn't my thing, and I just couldn't click with the material, but I was so determined not to go back home a failure that I stuck it out. Now, the problem with the education system: I didn't learn a thing. I was just a pro at memorizing questions and answers, so the day before exams I would cram, cram, cram, go into the exam and get over 80% every time. The next day I would just forget everything that I crammed. So after 4 years I finished university with a First Class Bachelor of Engineering degree in Networked Systems Engineering.

I went back home and didn't really know what to do, so I just thought I'd apply to jobs related to my degree. I lucked out and got a position as a graduate network design engineer for a rising telecoms company, mainly because they liked my personality in the interview. I was chosen out of over 50 applicants (this was without any certifications, e.g. CCNA, JNCIA etc.). In my first year, literally every piece of work and design I did was entirely collated by using Google and YouTube, or by making friendships with senior engineers, finding out their strong points and getting them to help me with my design. In that first year the company was so impressed with me and my work that I got a promotion from my graduate position to a fully fledged IP Design Engineer.

So now I'm here in this company, still with very little knowledge of networking. I'm 24 now and I feel like it might be too late to start doing my certifications like CCNA etc. and actually learning networking. It's embarrassing. I feel like a total fraud; I've managed to get all this way, getting a degree and getting a very good job for a beginner in the field, simply through my ability to come across like I know what I'm talking about, by cramming and using Google, and by being personable and easy to talk to.

Now I have friends from my uni course who were really passionate about networking, they live for it, yet they're stuck doing 1st/2nd line support, working their way up from the bottom doing tickets and on call etc. Meanwhile I somehow ended up in this high end position without having to work from the bottom, and it makes me feel guilty. I feel like I'm stuck and I really don't know what to do. I feel like every other person around me is a total wizard, knows what they're doing and loves it. There's just this constant thought in my head that everything will come crashing down on me eventually. I just wanted to share my story, and I guess I'm writing this to find out if anyone has been in the same boat, or has any thoughts or opinions.

TL;DR: Crammed through uni and got a networking degree without actually learning. Got a good job because of my personality rather than technical ability. Getting through the job by constantly using Google and pulling work together from other engineers. Given a promotion = 24 year old fraud who doesn't know what to do.



HP Procurve 1410-24g (j9561a) - how hot they run?

Hopefully Ok to post here.

I bought a second-hand HP 1410-24G switch (non-managed, 24-port gigabit). It was sold as non-working*, but I got it cheap and I thought, hey, one might get lucky. If nothing else, a couple of hours of troubleshooting fun at least.

I got the impression that the switch had died and did not power up any more. However, I did manage to get it to power on (I believe I did nothing; it might have been just a loose connection). Now the switch powers up, yay! But it's not perfect. There are four ports that do not work (9, 10, 15, 22). This would be fine with me, but I am more concerned that the switch runs very hot (even on idle). There are three big heatsinks on the mainboard, and the center one runs very hot, around 85 degrees Celsius (it also warms up faster than the others, but the temperature does stabilise, so at least it's not completely avalanching away).

The other two heatsinks also run warm, but significantly less (around 40-50 degrees). The switch works (I kept it on for a couple of hours for testing), but the case gets very warm (almost too hot to keep a hand on the top). I don't know if this is normal with this model, but to me it feels like a pretty high temperature. The power supply itself doesn't appear to be under heavy load (the heatsinks there are all under 40 degrees).

(Obviously I won't be keeping this plugged in unsupervised for now.)

*) The previous owner (first owner) could not replace it under HP's lifetime warranty, as the company that installed the switch in his house could not provide a receipt for this particular switch and as such could not produce proof of purchase.



How does a VPN server hide my IP before the connection goes to my ISP's default DNS, given that they are the ones giving me access to the internet? Does the VPN directly interfere here?


AOS/Aruba upgrade pitfalls?

Part of the 'we're upgrading everything' post. This time it's the wireless controller. Going from a 4700 to a 7210, from AOS 6.4 to 6.5, and as far as APs go, from 125-ish to 315s. I'm decent at doing admin work and installing APs, but this is my first time doing a controller hardware replacement.

So my questions:

Can I import the config from the older box to the new one (with some tweaks)? We'll probably stagger the install since we won't be able to replace the APs fast enough. So old and new would have to work/overlap for a while until all the old APs are gone.

I saw a 'zero touch' feature on the quick install guide. Is that something I can use in this scenario?

We're installing 2x 7210s and about 300 APs. I know they can handle 512 APs. Do I set it up as master/slave or as one logical unit?

Any other pitfalls, checks, new features, etc. I need to look into while we're at it?



What are you to do if somebody calls and says "I get a BPDU from another client and his port turns off when your port is up"?

Hey guys,

I have a BGP peering with another provider and we connect with a private IP over an access port. Now, this guy provides us and others like us with a free streaming service. As far as I can tell, he's getting all service providers to peer with him and possibly turning it into an IX.

Regardless, he calls me the other day and says: if I turn your port on, another port gives a "BPDU received" message and shuts down the port. I was told that I'm creating a loop OTA even though I have no direct peering with that other guy.

I listened, thought for a while and said I'll look into it. I did. There was nothing to look into.

Is there something to look into?

I thought it was like saying 8.8.8.8 went down when Uranus passed Urectum and somebody stuck gum under their table.



Just a heads-up about shipping with Cisco Press

Maybe this subreddit isn't the place for this message, if so, please let me know ;)

I ordered my CCNP books on the website of Cisco Press. After half a day or so I got an e-mail saying my order was shipped. I live outside the US so it had to be international shipping. The e-mail said:

Shipment Tracking

The carrier tracking number for this order is:

XXXXXXXXXXXX

For the latest shipping status, you can call UPS at 1-800-742-5877, or
simply follow this link:

I tried entering the number into the tracking app on UPS, but this did not work. The link they provided was just a link to the UPS tracking page and didn't help me at all. So I called UPS 3 times (3 different phone numbers: my country, the number they provided and the international shipping number UPS gave me) and they all didn't know the number and redirected me to Cisco Press. I opened a case at Cisco Press, which they did not respond to... So I just waited for the package to arrive or to get a 'you weren't home' card. When I got it, it wasn't UPS like they said, but it turned out to be FedEx.

TL;DR: When Cisco Press (or Informit) tells you the 'UPS' tracking number it isn't UPS. It is FedEx, as I found out.



Gartner 2018 MQ for Wired-Wireless LAN Released.

Leaders: Cisco, Aruba, Extreme.

Visionaries: Huawei, Mist, Mojo

Niche: ALE, Ruckus, Juniper, Aerohive, Fortinet, D-link, Riverbed, DELL, Allied, LANCOM, H3C,

Challengers: None.

Discuss......



[Question] Router Types and Broad-scale Network Topology

The Wikipedia page on routers briefly describes four (are there more?) router types, though it doesn't really give a big picture. I was hoping someone could clarify how these routers compare and give a breakdown on how they interact to get traffic across the Internet (say, one person in one country with one ISP to someone in a completely different country with a completely different ISP).



Was able to ping an address outside of my subnet

So I was looking at Wireshark, trying to analyze the mess and learn the tool. I saw something weird where hundreds of TCP packets were being sent to an IP address.

My network is let's say 192.168.254.0/24

I was watching packets going from 192.168.255.1 to 192.168.255.2.

The MAC address belongs to my router, so my router was sending packets to 192.168.255.2.

Is 192.168.255.2 me? I could ping 192.168.255.1 but not .2.

How could I send pings outside of my subnet, and what could my router be doing that it would be sending packets over a different subnet, and for so long?

It's just a multipurpose WiFi/switch/router from Arris.



Cellular meshing

This could be an incredibly dumb question but with features like wifi assist on Apple products and every modern smart phone capable of receiving wifi and cellular data at the same time, is it now possible to mesh with client side internet access?

i.e. create an AP that has no connection of its own, but every client benefits from every other client's connection stability. I’m sure you’d want to include traffic ratios for things like torrenting.

I’m legitimately surprised this isn’t a thing yet, and if it is why everyone isn’t aware of it.



Friday, July 13, 2018

Snort Full 10Gbps

Does anyone know if Snort or Suricata are capable of handling full 10Gbps? (14,204,545 PPS)



Networking topics relevant to cybersecurity/ethical hacking

I am a young college student, and (very luckily) got my first job in the cybersecurity field. I am going through the training right now, and while I would consider myself competent for an entry-level position, I am being held up by some of the networking-related material, which is substantial (i.e. network/port scanning), and I often find myself getting lost.

Which networking concepts are most relevant to cybersecurity or ethical hacking, so I know what to review in particular?

If you also have any learning resources to said material they would be greatly appreciated.



Amazon Web Services said to eye network devices, networking stocks tank



sg300 series ACE in ACL blocking all when binding to vlan.

When I use this config for our dmz allowing 80 and 443, it doesn't work and instead the default deny all rule seems to block everything, disregarding my permit statements. I think it's a software bug, can anyone confirm? In reverse (permit all by default) I can get it working by specific deny rules, but I need this to work the other way around for obvious reasons. This is how I configured it below.

ip access-list extended dmz
 permit tcp any any any www ace-priority 10
 permit tcp any any any 443 ace-priority 20
exit
interface vlan 17
 service-acl input dmz

Where vlan 17 is the dmz I want to bind this acl to.



Backing up PCI devices

So I've been wracking my brain on this one, and I'm hoping some community involvement might help.

I'm trying to have a healthy way to back up some PCI In-Scope devices.

Storing the devices and credentials to get into them requires you to have a username and password somewhere, because not all devices support certificate based authentication. So somewhere you have to have a system that accesses a plain text "this username, this password." It could be stored in a database, and the database itself is encrypted, but somewhere you need to have some method that says, "You'll access this database at this location with these credentials", so if it's on the same host as the backup system, where's the real mitigation?

PCI data at rest needs to be encrypted. So the config files, when at rest, need to be in an encrypted location. Which, I suppose, an EFS should handle accordingly, and as long as you limit access to the box, it shouldn't be that bad. But if you're using encryption at rest, wouldn't the mitigation provided by keeping the device list in an encrypted database be less necessary?

Am I overthinking this as a problem, or is backing up plain text files of configs just something that isn't as complicated as I feel it's being? Or maybe I'm just circling around in my own head for the day overthinking issues.



Strange network request from a client

Hi everyone,

I work at a place that provides office space for small companies. I have a broker asking for my company to assign a public IP to a device for about 3 times the amount we normally charge. The person we have been in touch with claims to not know what exactly this device will be doing other than the following explanation:

"My understanding is that it is primarily ping / tracert data between the network of these, with the data being aggregated (loss at certain network hops, etc). ... The WAN device is a Meraki Z3 (acting as the firewall / gateway), with a POE powered UBNT edge router fastened to the top of the Meraki. My limited tech understanding is that they used to do this with the UBNT devices only, but they have been using the addition of the Meraki simply because of the ease of remote management / alerting."

We allow firewalls and devices all the time for companies to hook up with their company networks, but this person hasn't been very forthcoming with the purpose of this type of setup. The other twist is that it's for a company that doesn't even have permanent space here. It's just all sorts of confusing... can anyone glean what this type of setup might be doing or am I just being paranoid because of lack of knowledge? I'm fine with hosting, it's just that there are some conflicts of interest and the conversation and other prior conversations have rubbed me the wrong way.

Thanks in advance!



Site to Site IPSec VPN and Remote Client VPN on the same Cisco router

Hi Guys,

I managed to successfully get a site-to-site IPSec VPN tunnel working from my HQ office to one of our remote branch offices, but now I am being tasked to also grant access to remote users using the same router. Is it possible to do that on the same interface running the site-to-site? Any clues?

Thanks in advance.



Slow SCP to IOS

I expected TFTP to be slow on IOS. Switched to SCP and I'm topping out at ~45Kbps. I get consistently slow speed on 3560(X), 3750(X) and similar vintage devices.

Doing sh proc cpu hist suggests the switch's CPU is bottlenecking on the encryption cycles. I looked at changing the ciphersuite to a less cpu-intensive one such as RC4, but didn't get very far.

Thoughts?



Aruba Switch STP is blocking Ubiquiti AP

I have a Ubiquiti NBE-5AC-19 access point that I am trying to connect to an Aruba J9727A switch. The port keeps getting blocked by STP. I don't want to disable STP for the entire switch. Is there a way to address this on a single port?

Part two of this question is, does Ubiquiti just suck? This was put in by another company. I wouldn't normally use Ubiquiti, but I'm finding it difficult to work with. Since it uses 24v passive PoE, I have to use the stupid injector, and their devices seem unnecessarily complex to configure and clone.



Cisco Smart Install Question.

I am looking to begin using Cisco's Smart Install for remote locations. I have no experience with using it and I wanted to see if anyone in here has experience with it and what their impressions of it are. Is it something worth using, or are there any other solutions for a hands-free deployment of new switches?



Netbrain Jumpbox

I am hoping someone on here is familiar with Netbrain. I need to use a jumpbox (Ubuntu) to access my network devices. However, when testing the jumpbox settings I get the below results. I verified that I can SSH from the Netbrain server to the jumpbox without issue. I also checked the syslog on the jumpbox and see no login attempts. I'm thinking this may be related to the way the shell is set up on the jumpbox. It drops you onto a blank line when you log in. Is there any way to enable debugging in Netbrain?

SSH to [x.x.x.x] via local
SSH to [x.x.x.x] successfully via local
Prepare disconnecting to because of timeout(30 seconds) , Return from Device:[]
SSH to [x.x.x.x] Disconnected

---Jumpbox is tested unsuccessfully via Local---

Thank you in advance!



GRE Remote tunnel interface IP can't be reach.

Hi,

interface Tunnel131868
 ip vrf forwarding com
 ip address 192.168.255.1 255.255.255.252
 ip mtu 1500
 tunnel source 10.1.1.114
 tunnel destination 10.1.200.156
 tunnel vrf com

Tunnel status is up/up, and I can also reach the destination using the source tunnel IP. But I can't ping the tunnel interface 192.168.255.2.

Anyone encountered this kind of issue?

Thanks



Best Network Analyzer Tool (for the money)

Backstory: I have previously worked where there was access to Flukes pretty regularly. The current job, which I've been at for a couple of years, does not have access to virtually any testing or analyzer tools. This makes life far less enjoyable, when a simple testing device could save so much headache. Add to that, I recently started moonlighting as a SMB MSP with a partner. Neither my day job nor my business has tons of capital to spare, otherwise we would just buy the Flukes.

I have searched the forum, and basically all the threads are 2-3 years old at this point. I figure much can happen in that time, so I am looking for recommendations here. We would want it to have CDP/LLDP and toning; iPerf would be awesome; basic reporting, packet capture and traffic would be even better.

The cheap, low cost tools I have found thus far:

Pockethernet - likely the one we will go with unless I hear otherwise. Shipping out of Europe only is kind of annoying, but I understand they are a smaller company. That also worries me, as I don't want an orphaned product eventually.

Netool.IO - didn't appear as feature rich, but close to the same price as the Pockethernet. Does seem to have wireless tools, which Pockethernet doesn't seem to.

Netpi - This is the option I think is the coolest. I actually tried to turn this up to test. Unfortunately, the Pi 3 doesn't seem to like any of the images available. If anyone has been able to get this on a Pi 3, that would be a big swing. I don't want to shell out $70 to buy a Pi 2, screen, case, etc. plus the effort to get it dialed in.

Others? Thoughts? Insults about how ridiculous it is that we don't have any kind of testing tool in an international company? Favorite cake recipes?



[CISCO] Mapping AD Users to DNA Center Scalable Groups

Sup guys

I am having a hard time finding out where and how I can map an AD group (or specific AD users) to Scalable Groups in my DNA Center. I think this needs to be done on my ISE, not really on my DNA.

ISE and DNA are already integrated - no problems here.

My AD is already joined to my ISE and I imported 3 groups to my ISE under:

Work Center > Network Access > External Identity Sources > Active Directory Join > Name of my AD Join > Groups.

But I cannot find out where I map those groups (or users) to belong to a SG which I can finally integrate into my virtual networks in my DNAC.

Thanks in advance and regards!



Seeing as we're posting jokes, I want in!

When I try to send SYNs to chicks, I don’t get any ACKs. Just FINs and RSTs



PA Firewall Silently Dropping Intra-VLAN Traffic

I have a PA-220 that is configured with VLAN interfaces (layer 3 SVI), and the physical interfaces are layer 2 interfaces attached to the respective layer 2 VLAN. Basically using it as a layer 3 switch with firewall filtering. What I am running into now is that devices on the same VLAN cannot communicate with each other on the same subnet. I can arping from hostA to hostB and vice versa, so the layer 1 and layer 2 path is good. The Palo shows absolutely nothing in the logs that the traffic is even occurring. The only indication that the Palo is dropping it is the Palo packet capture: the drop queue shows the firewall dropping the packets. The default intra-zone rule is to permit. I even overrode the rule to add logging to that rule and it still doesn't log. Any ideas would be much appreciated.

Diagram - https://imgur.com/qVpb6DF

DMZ security zone - VLAN 10 - 192.168.1.0/24

hostA (Intel NUC) - 192.168.1.101 - connected to eth2 on the palo

hostB - 192.168.1.5 - connected to eth3 on the palo

gateway (the palo) - 192.168.1.1

Palo is running version 8.0.10



Dealing with a Redundant SM Fiber Handoff

I am moving a rack of servers to a data center and they are providing redundant single mode fiber to the rack (1 gig connection).

What would be the suggested equipment to handle the failover of the connections? They told me they also use VRRP. I am new to working with redundant connections. Be gentle! :)



Junos and Solarwinds

Hi,

I'm trying to get the ipfix on my mx480 and mx960 routers to send this flow to our Solarwinds. Also, I have ex and qfx switches that are configured with sflow.

The MX routers have multiple virtual-router (vrf-lite) instances. The goal is to send this IPFIX data via the OOB interface (fxp0). The fxp0 is on the master inet.0 table and the tenants have their own route tables and interfaces.

Our Solarwinds is reachable via the oob network. At this point, the Solarwinds is not receiving the ipfix and sflow data. However, when I check the sflow and ipfix, it says the sampling is being sent to the Solarwinds server.

Also, do I need to create a forwarding-options for ipfix for each tenant (virtual-router/vrf-lite) to get their interfaces info?

Thanks



AnyConnect VPN issue

Hi all,

Slightly strange AnyConnect issue, well two in fact.

We have it set up for split tunnelling. Included in the split tunnel are: 1. our head office subnets (10.1.0.0/16), where the ASA is located; 2. our Azure VNET (10.2.0.0/16). We have a site-to-site VPN between HO and Azure.

Problem 1: When connected via AnyConnect I can get to literally anything in the HO subnet apart from the firewall. It doesn’t ping on any interface or sub-interface. I put in a management rule as I needed to temporarily be able to do configuration over the VPN, and that doesn’t work. The interfaces are in the same subnets I can get to. For example, on the inside interface the IP is 10.1.252.2, which I can’t get to. However, I can get to 10.1.252.1, which is the switch connected to it.

On the ASA there is a route for the 10.1.0.0/16 network with a next hop of the switch stack, which does the inter-VLAN routing. However, as the interface addresses will also be in the route table as directly connected, I can’t see this being the issue.

Problem 2: I am unable to route to the Azure network.

I have put an outside to outside NAT exemption in for the traffic

I have put a firewall rule in to allow the connection

I have enabled same-security permit intra-interface.

Any ideas on either issue would be greatly appreciated

TIA Ben



MAC address of switches

I've been searching for an answer to this question for a while now but somehow I couldn't find a satisfying answer.

Assume a host H is connected to a router R via a switch S. Now assume the router receives an IP datagram addressed to H. It consults its routing table and determines the interface upon which to forward the packet.

Now it must encapsulate the IP datagram in a link-layer frame and send it on its way. The next hop is obviously the switch, so the router must put the switch's MAC address in the destination MAC field.

But how does the router know the switch's MAC address? It can't use ARP to resolve the switch's MAC address since the switch doesn't necessarily have an IP address (e.g. if the switch is an unmanaged switch). And if it has the switch's MAC address stored in its forwarding table somehow, then how did it get it in the first place? Or does it just put H's MAC address in the destination field and the switch ignores that the MAC address doesn't match its MAC address?

Thank you for your help :)
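An added illustration, not part of the original post, of how the frame actually gets addressed in the H, S, R scenario above: the router ARPs for H's IP address, receives H's MAC in the reply, and writes H's MAC into the destination field; the switch is never the destination of the frame, because it learns which port each source MAC was seen on and forwards by destination MAC. The node names, IP and MAC addresses and port numbers are constructed for the example.

```python
# Added example (not from the original post): a toy model of a learning switch
# between a router R and host H. All names, addresses and port numbers are
# constructed for illustration.
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    payload: str  # "ARP-REQ <ip>", "ARP-REPLY <ip> <mac>" or "IP <ip> <data>"


@dataclass
class Node:
    """An IP node (host or router interface) with an ARP cache."""
    name: str
    ip: str
    mac: str
    arp_cache: dict = field(default_factory=dict)
    received: list = field(default_factory=list)

    def handle(self, frame):
        """Process a frame; return a reply frame or None. Frames whose
        destination MAC is neither ours nor broadcast are ignored."""
        if frame.dst_mac not in (self.mac, BROADCAST):
            return None
        kind, *rest = frame.payload.split()
        if kind == "ARP-REQ" and rest[0] == self.ip:
            return Frame(self.mac, frame.src_mac, f"ARP-REPLY {self.ip} {self.mac}")
        if kind == "ARP-REPLY":
            self.arp_cache[rest[0]] = rest[1]
        elif kind == "IP":
            self.received.append(frame.payload)
        return None


class Switch:
    """A learning switch. It has no IP and is never the destination of a
    frame: it records which port each source MAC was seen on and forwards
    by destination MAC, flooding broadcast and unknown destinations."""

    def __init__(self):
        self.ports = {}      # port number -> Node attached to it
        self.mac_table = {}  # MAC address -> port number

    def attach(self, port, node):
        self.ports[port] = node

    def forward(self, in_port, frame):
        """Deliver the frame; return [(port, reply)] for replies from nodes."""
        self.mac_table[frame.src_mac] = in_port
        if frame.dst_mac in self.mac_table:
            out_ports = [self.mac_table[frame.dst_mac]]
        else:
            out_ports = [p for p in self.ports if p != in_port]
        replies = []
        for p in out_ports:
            reply = self.ports[p].handle(frame)
            if reply is not None:
                replies.append((p, reply))
        return replies


def send_datagram(switch, router, router_port, dst_ip, data):
    """Router sends an IP datagram for dst_ip. Returns the destination MAC it
    wrote into the frame and the list of frames it put on the wire."""
    sent = []
    if dst_ip not in router.arp_cache:
        # Step 1: broadcast an ARP request for the host's IP (not the switch's).
        req = Frame(router.mac, BROADCAST, f"ARP-REQ {dst_ip}")
        sent.append(req)
        for port, reply in switch.forward(router_port, req):
            # Step 2: the switch carries H's unicast reply back to the router.
            switch.forward(port, reply)
    # Step 3: the frame's destination MAC is H's; the switch just relays it.
    dst_mac = router.arp_cache[dst_ip]
    frame = Frame(router.mac, dst_mac, f"IP {dst_ip} {data}")
    sent.append(frame)
    switch.forward(router_port, frame)
    return dst_mac, sent


def build_lan():
    """Constructed topology: R on port 1, H on port 2, a bystander X on port 3."""
    switch = Switch()
    router = Node("R", "192.0.2.1", "02:00:00:00:00:01")
    host = Node("H", "192.0.2.10", "02:00:00:00:00:10")
    other = Node("X", "192.0.2.20", "02:00:00:00:00:20")
    switch.attach(1, router)
    switch.attach(2, host)
    switch.attach(3, other)
    return switch, router, host, other


if __name__ == "__main__":
    sw, r, h, x = build_lan()
    mac, frames = send_datagram(sw, r, 1, h.ip, "hello")
    print("destination MAC used:", mac, "(H's MAC, not the switch's)")
    print("switch MAC table:", sw.mac_table)
```

Running it shows the first datagram costs two frames on the wire (the ARP broadcast and the data frame) while a second one to the same host needs only one, because the router's ARP cache already holds H's MAC; the bystander X never receives the data frame once the switch has learned H's port.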



Find friends in a location

I'm thinking of moving to Reno. I want to find everyone "in my network" who is there.

That is, university alumni around my age who are there. People of similar interests who are there. Is there a platform that does this?

Before you suggest I browse my Facebook and LinkedIn connections who are there, I have none.



Bgp edge devices recommendation

To date we've used 4x Juniper mx5 as our bgp edge. They are the right price point, have all the features we need, and day to day performance is fantastic.

However, we've hit 3 big issues with them:

1. An unexpected major BGP change from the outside (a drop or similar) takes a long enough time to propagate through the KRT queue that a blackhole or loop outage is inevitable for close to 20 minutes if it's a full table rebuild, for example. This is a known design flaw with Juniper.

2. Their 10G interfaces require a very expensive license to use, and we are approaching >1Gbps at the 95th percentile.

3. Their support is awful for replacements, and we've had a total of 3 MX5s die on us over the course of 5 years.

So I'm looking for alternatives. The price of an MX5 (~10k inc. 5yr warranty) is about what we'd like to spend. Any suggestions appreciated!



Thursday, July 12, 2018

Deserted Engineer joke

A network engineer is deserted on an island after a plane crash. He looks in his backpack and finds a granola bar and piece of fiber optic cable. He laughs to himself, buries the fiber and eats the granola bar. 24hrs later a backhoe arrives and digs up the fiber.



Help needed with pfSense and HughesNet Satlink

I'm trying to set up a pfSense firewall with HughesNet satellite internet service. Later on, I intend to balance that connection with a 3G external antenna to improve internet speeds and data allowance (sat is expensive) in a remote location. But that's not really the problem.

I cannot get pfSense to serve internet from the HughesNet HT1200 modem. I can ping every IP I attempt, with the usual 600ms round trip. But there is no way to make DNS work. I've tried many workarounds, including using the DNS provided by Hughes.

I believe there is something to do with the web acceleration feature in the modem, but I cannot disable that (I tried).

Basically, every time I cycle power to the modem, I get at most 5 minutes of good internet before DNS stops. Then I can only access sites with addresses cached by Safari. That is also affecting every other device on the network, including the firewall. I even tried to disable all packet filtering, to no avail.

Another interesting thing is that the modem doesn't even load the web accelerator configuration webpage after DNS stops working. And even when it does, unchecking the option that should disable it has no effect. Upon refreshing, it's still enabled, and there is no "save" button.

Can anyone shed some light? Without pfSense the internet is working, and pfSense is working with other connections.



Project Management Guidance For a New Delivery Engineer

Hey guys,

After spending a couple years in operations, I'm finally moving into a delivery engineering role. I'm extremely happy about this, and I'm confident that from a technical standpoint I'll have no issues with the transition. From a project & time management standpoint, however, I'm less confident. I've just gotten so used to day-to-day administration and fighting fires, and the idea of being 100% dedicated to projects still seems somewhat alien.

What sort of advice would you offer, from a project/time management perspective to someone like me? Are there any specific tools or resources I should try to make use of? Any specific processes/methodologies I should attempt to follow? I don't really need technical advice as much as I need "here's how you should best go about using your technical skills to deliver projects"-advice.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



iPad config editor for Juniper

Is there an iPad config/text editor that supports Juniper config files (preferably set commands)? It would be nice to have coloring and highlighting. Thanks!



Restaurant Network Upgrade X-POST from r/sysadmin

https://www.reddit.com/r/sysadmin/comments/8yewcy/upgrade_network_for_restaurant/

I need some advice when it comes to which brand I should go with. I am trying to put together a new network for a restaurant. Right now they are working on an ASUS router with DD-WRT and crappy unmanaged switches scattered all over the place. They also want to be able to have WiFi with an employee side and a public side.

I know I will need a new 24 port switch (probably layer 3, as I will need to have VLANs/inter-VLAN routing), at least 2 access points, and maybe a new router/firewall device. My client wants a good/better/best proposal.

My question for all of you is which brands do you think I should propose. I am considering Cisco as I am pretty familiar with the Console CLI and also Juniper, Ubiquiti, and HP/Aruba.

EDIT: Their connection is Cox Business Cable.

Please shower me with your knowledge and expertise.



About to build an Active/Active cluster with 4 SonicWALL NSA 4600s...

Somebody take care of my cat after I eat a gun...

>_<



NIDS with KVM + VXLAN

I have an idea of how to do this but haven't tested it yet. Wanted to post here to see if anyone else had other ideas.

We are building a new environment using Linux KVM as the hypervisors, and VXLAN TEPs on the hosts. Essentially building a "private cloud" type thing where everything will be a VM and the VMs will exclusively communicate via the overlay networks.

We need to setup taps so that all traffic gets sent to a VM running bro/snort for security analysis. Ideally, the collection machine should not have to manipulate or even know about VXLAN headers. But this is not a hard requirement.

I know that VMware has tools that make this simple. But given our technology choices, how would you set this up on the hypervisors? Preferably using only native Linux tools (i.e. no OVS).



connecting up 2 datacenters at the cores

Hello everyone, we have 2 N9k cores at each datacenter that are in their respective VPC domains. We would like to slap a /30 IP address between the 2 datacenters and connect them up with port-channels. From my understanding, if we want to use the multi-chassis EtherChannel feature, we must have VPC configured on those port-channels. Is it possible to use VPC between the 2 data centers? The image below explains what we're trying to accomplish. I would love to lab this, but unfortunately, VIRL does not support VPC.

https://imgur.com/a/2BWPxAB



[Deal] Cisco WS-C2960X-48FPD-L Catalyst 2960 X 48 Gige PoE Networking Device

Amazon has launched a pretty nice discount for this product.

Maybe it will be of help for some of you.

At this time it is half the average price.

I found out about it from Twitter: https://twitter.com/GraceIsPlaying/status/1017542294688460800



Rogue DHCP fix for a noob?

It seems I have a rogue DHCP server that is giving devices 10.10.10.x addresses on my network. I have never experienced this before and, while I'm good at tech, I don't know much about networking. I downloaded an application that said the server was 10.10.10.254 and the offered client IP was 10.10.10.37. Right now I cannot access my Roku because of this. What's the best way of fixing this? Thanks in advance.



EVE-NG & Cisco CSR 1000V High CPU Usage

I had my guys set up a Dell R730 server today to run EVE-NG so that I could lab out the config of a new building, connectivity between sites, etc. before the actual hardware showed up.

The only image I'm using at the moment is the CSR 1000V 16.6.4.

When I run a "show process cpu" inside the CSR I see a CPU usage of 0% when they're idle.

If I run top on the host itself, I'm seeing that each CSR is burning 100% of a CPU core.

https://imgur.com/0mZmLGd

This isn't really a major concern since the box has more cores than I need CSRs, but I'm also seeing really irregular performance when using the CLI in a CSR or passing traffic through them.

Is this normal? If not, does anyone know what might be set up incorrectly?



Looking for Illustrated network charts, cheat sheets

Did anyone come across a very detailed network chart that has a map of network devices? For example, a detailed map with one branch of Cisco router series and versions, another branch of switches with illustrated images, and likewise for data center devices, WAN and so on for firewalls. I had such detailed maps some time back in 2014 but stopped collecting.



Joke: What do you call a group of network engineers?

An outage!

Have a good day! :-D



Network Qualification Tester

So I bought a NetScout AT2000 based on this comparison diagram (originally I was looking at CableIQ). However, I didn't do my homework well enough and the AT2000 can't do any kind of cable qualification/certification; it doesn't appear it can even tell me if a shielded cable is properly terminated.

Does anyone have a recommendation on a tester that can qualify to 1GB (I'd love 10GB but that's a little too cashy for me right now), verify shielding, and test PoE?



SFP+ cable won't click in all the way, advice?

SOLVED (see response below):

So I'm relatively new to SFP+ cables (I mean, you plug them in and they typically work). I have a 7M Twinax HPE cable here with standard SFP+ 10 gig transceivers on each end. I cannot plug it in all the way; it's a dead stop with maybe 1/4" or a little more to go. Visually it doesn't appear any different. The opposite end works just fine, as does any other cable, in other ports and NICs, so I've done all the obvious troubleshooting. Before I contact my vendor and say "no worky," I'm curious if others have run into this and I'm missing something that, once you know the secret handshake, you're allowed into the room for the cocktails. Any advice is appreciated!



95th explanation

Can someone please explain 95th % billing to me?

My understanding is that measurements of traffic are taken every so often (hourly??) and then placed into a list from highest to lowest. Then the top 5% is removed and the next remaining value is what the 95% rate is. Is that right?

I've also heard people talking of ways to move traffic around on specific days to "work-around" 95% billing... not sure what this means.. any ideas?
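The procedure described in the question (rank the samples, throw away the top 5%, bill the next one), as an added example that is not part of the original post. The 5-minute sampling interval and 30-day billing month are assumptions; they are the common defaults, not something the post states.

```python
# Added example (not from the original post): the 95th-percentile billing
# calculation, run over a constructed month of traffic samples.

def percentile95(samples):
    """Return the 95th-percentile value of a list of traffic samples (bps).

    The samples are sorted from highest to lowest, the top 5% are discarded,
    and the highest remaining sample is the billable rate.
    """
    if not samples:
        raise ValueError("no samples")
    ranked = sorted(samples, reverse=True)
    discard = len(ranked) * 5 // 100   # number of samples thrown away
    return ranked[discard]              # first sample that survives the cut

# Assumptions (not stated in the post): one sample every 5 minutes and a
# 30-day billing period, i.e. 8640 samples per month, of which 432 (5%)
# are discarded. That is 36 hours of bursting that never reaches the bill.
SAMPLES_PER_MONTH = 30 * 24 * 60 // 5

def free_burst_samples():
    """How many samples per month fall inside the discarded top 5%."""
    return SAMPLES_PER_MONTH * 5 // 100

def month_with_burst(baseline_bps, burst_bps, burst_samples):
    """Constructed month: steady baseline traffic plus one burst."""
    steady = [baseline_bps] * (SAMPLES_PER_MONTH - burst_samples)
    return steady + [burst_bps] * burst_samples

if __name__ == "__main__":
    mb = 1_000_000
    # A 400-sample burst (about 33 hours) fits inside the 432-sample budget,
    # so it does not move the 95th percentile at all.
    print(percentile95(month_with_burst(20 * mb, 500 * mb, 400)) // mb)  # 20
    # Stretched to 500 samples, the same burst is billed in full.
    print(percentile95(month_with_burst(20 * mb, 500 * mb, 500)) // mb)  # 500
```

The second case is why people talk about moving bulk transfers around: only bursts that together stay under the discarded 5% of samples are invisible to the bill.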



ISDN legacy gear

I have a couple of pieces of legacy gear that use ISDN and that, for various reasons, we cannot stop using. It's becoming increasingly difficult to source ISDN lines from telcos, which for the most part appear to not want to even admit to supporting it anymore.

Currently, the 'phone-like device' plugs into a Cat5 copper line connected to the ISDN.

Are there any devices out there that will bridge the ISDN device (providing the signaling to the device as needed) and then convert that to voice over POTS, allowing the device to make outbound calls? I wouldn't know what to call it; most of the devices that I looked at are only ISDN to Ethernet routers.

Thanks.



Plex server port forwarding in cisco dpc3925 router

Hello, I have a lifetime Plex membership and I have a Cisco DOCSIS 3.0 router with 50 Mbps of download and 5 Mbps of upload. With this said, why do I get the message that I can't connect out of my house, because I am connected through a lot of routers, which is a lie? Does anyone know how to fix this?

This is what I see in my settings in "remote access": not available outside your network; your server is signed in to Plex, but is not reachable from outside your network.

Tip: it looks like your server may be connected to the internet through multiple routers or other network devices. Try connecting it directly to your primary device, or visit our support site for more information about troubleshooting this "Double-NAT" scenario.

I tried port forwarding my Plex server with the 3400 port and I put my computer's IP, and it didn't work either.



Slow internet on IE and Chrome

User is complaining IE freezes intermittently, and websites constantly stop due to a long running script. She is using Windows 7, IE11.

I disabled debugging scripts to prevent websites from stopping and I've checked her switchport.

No errors on switchport: https://gyazo.com/383f928aaeefaf5027ab0069e4ae3bfd

full/1000: https://gyazo.com/9cd9a6dd9427c1c9ce12c9deb83eab1c

I reset her NIC on her windows PC, not sure what else to look at. There are some pending updates, but only a few MB worth. I am currently having her try IE without addons.



IOS images on EVE-NG

I have been tasked with evaluating EVE-NG for use at a community college. I've been digging around to see if we can use our existing IOS images with EVE-NG. It looks like only older images are supported via Dynamips, so we'll need vIOS or IOL images for more recent stuff.

Is there any way we can get our existing 2900 images to work?



Firewall Issues

While testing an app we are creating that has an API for our MS SQL DB, we found that if you're connected to the local WiFi network nothing works at all, but over cellular there is no problem, and if you use an outside WiFi network there is no problem. We asked the designers of the app if there was an issue with the app; they told us no, the issue must be with the firewall.

We have a Barracuda Web Filter and a Cisco ASA 5505 router. Where would we even begin to look into how to troubleshoot this?



A10 SSL decryption ISP question

Hey guys, quick question: would an ISP be able to use something along the lines of, let's say, A10 to decrypt traffic from WhatsApp/Facebook Messenger?

Just asking as it's a topic that was brought up since we are going A10 (but for CGN).

I know A10 has SSL offloaders/proxies with the Thunder line.



Prefer BGP over Static Route / Redistributing BGP/MPLS

bgp-static.png

Please excuse my drawing skills. Looking for some advice on how to best achieve this solution. Client has 2 routes into our core (the BGP route is going live soon; currently the static route is active), and they want the BGP route to be primary and the statics to be a fallback in case they lose the BGP route to us.

How can I possibly achieve this?

The issue when I've tried to lab this is that the statics have a lower AD and take preference on the attached router, and this is then propagated throughout our core.

The router attached to the BGP route learns both routes, but prefers going up to the router in the top left due to the AS path attribute being shorter (the path is just itself). As the eBGP route is not in the routing table it also doesn't get advertised to its internal peers.

I've tried amending the preference of the static routes to be higher than BGP (170, this is Juniper), but I'm getting inconsistent results depending on what order the routes go up/down.

All I can think of so far is to change the statics to a default route (this is within a VRF, so only traffic within this routing instance will be defaulted out to this client).

Anyone able to offer some wisdom?



No traffic over IPsec VPN unless traffic is started from A -> B.

Hi guys,

We're having a strange issue with an IPsec VPN with one of our clients.
The tunnel is established, but doesn't work as expected.

Only if traffic is sent from A -> B, B can send traffic back.
If A stops the traffic, B cannot send traffic anymore to A after a couple of minutes.

Phase 1 and Phase 2 timeouts are the same on both endpoints. The other settings are all identical too.
Does anyone have an idea what goes wrong here?

Thanks for thinking with me!



Internet Speed Potentially Multiplied

So, to preface, I am the network admin at a small ISP and I've been racking my brain to figure out how something has happened. tl;dr at the end

Yesterday, we installed a new customer on our highest package at 100/10. Nothing out of the normal there. According to my tech who performed the install, the cx had a firewall behind the modem and then a "Dell device" behind that, which their computer was connected to. He didn't take any pictures or get any additional information, which I'm sorely disappointed about because that's where things got strange.

Once everything was connected, he ran several speedtests and the results were around the same every time. The picture sent to me shows a speedtest at 215/325. We get those sorts of speeds at our headend and certainly not at a home or a place of business that is not connected via fiber.

I believe that the cx is maybe working remotely. Is it at all possible that they are sharing the internet connection of some corporate office or has this particular person found the holy grail of internet connectivity? This is the first time I've encountered this and it has me positively stumped. I've been trying to research this myself to avoid invading the customer's privacy. I will if it comes to it as it poses a potential tax on the overall plant, but that's last resort type stuff.

I've tried researching and setting up my own VPN connected to our office network, which did not provide similar results. I also looked into proxy servers, but I don't think that's what this is. The only thing I found remotely close is "WAN Acceleration/Optimization," and since Dell acquired SonicWall and some have the WAN Acceleration option, I thought this a potential of what it is, but I'm not 100% sure that fits the bill either. If someone knows anything that fits the description of this magical mystery box, please do inform me. Thanks!

TL;DR: Customer hooked up on 100/10 internet, gets 200/300 instead. How?



ASA intervlan routing question

Hi guys,

I need to configure an ASA 5510 and a 3560G which would be customer-managed (behind our edge router). The only thing I need to do is make the devices able to reach the Internet and make the servers behind the switch reachable from the Internet!
I got stuck at the point where I have the 3560G BEHIND the ASA and I can't ping anything from the switch but its default gateway. I haven't worked with ASAs before, so I have a hard time understanding the routing, if there is any.

Configs

The ASA and the switch must be reachable from the servers behind the switch. Also, the servers must be reachable from the Internet.
Is it possible for the ASA to act like a switch? Like having an access port as uplink assigned to a single vlan? The IPs would be configured on the servers behind the switch.

Note: The ASA has only basic license (see config link)

Can you guys help/advise on this topic?

Thank you very much in advance! :)



Netgear GS724Tv4 Port Trunking Issue

I have a weird issue: There are two identical switches (GS724Tv4), which should channel traffic within VLAN150 and VLAN199 to one another if needed.

On switch 1 there is PC1, which speaks tagged LAN on VLAN150 and VLAN199.

On switch 2 there is a DHCP server, which distributes IPs in VLAN150 and three PCs, which get IPs from said DHCP server.

The behaviour is as follows:

PC1 can manage Switch1 via the Management-VLAN VLAN199. PC2, PC3 and PC4 get their IPs from the DHCP server over Switch2.

The problem is that PC1 cannot access Switch2 and the network interface for VLAN150 does not get an IP from the DHCP server connected to Switch2.

Debugging so far:

- The ARP requests of PC1 for Switch2 can be seen on the cable between the switches, but are not returned.

- Attaching a PC (speaking tagged VLAN199) to the same port on Switch2 as the connection wire between both will yield an answer.

- Swapping out PC1 with a RasPi and trying to connect to Switch2 does not work either.

My Question:

- Where is the box I did not tick in order to make it work?

- Did I choose a VLAN-ID with a too high number?

For further information, please see the pictures attached.

This is all data from Switch1, PC1 is attached to port 1, the other switch is connected to port 22.

https://ibb.co/jwfjwo

https://ibb.co/iNLChT

https://ibb.co/jbOF2T

https://ibb.co/dKQjwo

https://ibb.co/n16eU8



Moving Cisco AnyConnect to a different interface on ASA 5525-X

Hello /r/networking! Apologies, but this might be a little long.

We're dropping one of our ISPs soon, and it just so happens that our AnyConnect VPN runs over the interface that this ISP (L3) connects to on our ASA 5525-X HA pair. I need to move this VPN to another interface (SPECTRUM).

We have a device certificate installed that points to our vpn domain (e.g. vpn.company.com) and it is working as normal at this time. Last night, I set aside some downtime for the VPN to move it from the L3 interface to the SPECTRUM interface. As far as I know, the certificate is not IP-based, so this shouldn't cause an issue. After changing the interface that AnyConnect connects to, it immediately booted me off (I expected this), however what I didn't expect was a certificate error when re-connecting.

Function: COpenSSLCertificate::VerifyExtKeyUsage File: .\Certificates\OpenSSLCertificate.cpp Line: 2167 Invoked Function: COpenSSLCertUtils::VerifyExtKeyUsage Return Code: -31391721 (0xFE210017) Description: CERTIFICATE_ERROR_VERIFY_ENHKEYUSAGE_NOT_FOUND:No Extended Key Usages were found in the certificate Function: COpenSSLCertificate::VerifyKeyUsage File: .\Certificates\OpenSSLCertificate.cpp Line: 2137 Invoked Function: COpenSSLCertUtils::VerifyKeyUsage Return Code: -31391723 (0xFE210015) Description: CERTIFICATE_ERROR_VERIFY_KEYUSAGE_NOT_FOUND:No Key Usages were found in the certificate Function: COpenSSLCertificate::VerifyExtKeyUsage File: .\Certificates\OpenSSLCertificate.cpp Line: 2167 Invoked Function: COpenSSLCertUtils::VerifyExtKeyUsage Return Code: -31391722 (0xFE210016) Description: CERTIFICATE_ERROR_VERIFY_ENHKEYUSAGE_FAILED:The certificate did not contain the required Extended Key Usages Function: CVerifyExtKeyUsage::Verify File: .\Certificates\VerifyExtKeyUsage.cpp Line: 100 Extended key usage verification failed 

I'm not very well-versed in the ASA or the AnyConnect VPN, but it seems to me that this should not be happening with the installed certificate. When I moved the AnyConnect back to the L3 interface, it immediately started working again.

Would this be a corrupt certificate on the client's side? If so, how would I go about fixing this? Or do I just need to get a new certificate with a new URL to point to the SPECTRUM interface's public IP?

Thank you!



SFP+ running copper at 1Gbps????

Hi,

I have a Cisco 3850-24XS which has 24 1G/10G SFP+ ports. I also have a firewall capable only of 1Gbps copper termination. Has anyone ever plugged a 10G BaseT SFP+ in one of those and made it work connected to a 1G copper port on the other end?



Cloud/DC basics which are bugging me for years

This might seem weird, but still a valid question which I ask myself more often.

I work as a network engineer for a decent amount of time and have a couple of certifications. And this fact makes me feel shy about asking this question even more. And obviously I can't address this question to my direct colleagues. The question is 'why is everything moving (or has already moved) to the cloud/datacenter?' and 'why is cloud so great and cool?'. Somehow, I've missed the cloud hysteria and can't get into the idea now. I work in a datacenter environment, with firewalls accepting connections from the public Internet, some core routers routing various flows here and there, load balancers and other stuff. I guess it's a rather typical design. But I have no architectural picture of the whole process. I just receive a technical task/trouble ticket: permit that flow, accept these connections, create this server pool and LB in this manner, and that's it.

I tried to watch some free educational videos on Udemy, etc. But all of these are strongly accented on different cloud models (XaaS, where X belongs [A-Z]). But this is not the thing I need. What I need is a high-level explanation of why cloud is so cool and some typical examples of deployment and how an enterprise can benefit from all this process. Any help, explanations or materials and links would be appreciated.

Please no joking like ‘how did you even get your job without understanding such basic things?!’. I've got what I've got and trying to fill this blank space. Thanks.



Device Without Gateway Setting

So I have an IP device (industrial automation HMI) that has no gateway setting on it; it only has the option of setting an IP and mask.

Are there any options open to me to achieve inter-VLAN communication to this device on a Cisco L3 3850 switch?



Request timed out

Hi,

I'm having trouble connecting to two certain servers. I have ensured that this problem is not in my own network by pinging on the main WAN right from the satellite. It delivered the same results as pinging from my computer and notebook.

Ping tests for Google and Facebook are working flawlessly, I'd say. However, I need these two servers to work: 31.186.224.42 and 95.172.65.100. I'm fixing this problem for the League of Legends game, and their tech support told me to ping these two certain servers; afterwards he told me that I should contact my ISP, but my ISP isn't going to help me unless the fault is on their side; they won't help if it's my own network's fault. I'm not sure whose fault it really is, so I'm here to ask you guys for help. I'd be grateful if you tried pinging these servers yourself and told me your results. Now let me explain in detail where the problem is.

While I'm pinging these two above-mentioned servers with PingPlotter there is always packet loss somewhere far away from me; I'm not really sure what it is, but I guess that's packets expiring? While I'm trying to ping with the cmd ping command, the result is this:

ping 95.172.65.100 = 4x Request timed out. = Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

ping 31.186.224.42 = 4x Reply from 95.172.78.133: TTL expired in transit. = Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)

While I'm pinging Google, for example, it goes well, and like one of 10 is 1000 ping, the rest is fine, so let me know, guys, if that is normal.

I have put all screenshots + dxdiag on google drive, if you need more documentation please just ask.

Screenshots stored on google drive

Have a good day,

Thanks in advance



BGP RegEx Confused bit

So I found this question in the Cisco forum while learning BGP regex and I built a simple lab about it... In the forum where I found it, OP said that the correct answer the test gave was A, but it didn't really work... I asked my teacher about it (courses mostly focus on CCNA stuff but sometimes we go into more complicated stuff) and we came up with this: " ^.*_333_.+$ "

Also, I'm a bit confused about the underscore (_): what exactly does this symbol do? A few examples would be helpful, because I tried reading a few articles; most say that it can be a space, symbol, end of string or start of string, but mainly it's used as a space, I guess.

thanks in advance
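A worked illustration of what `_` does in a Cisco AS-path regex, added here as an example and not taken from the original post. Python's `re` has no underscore token, so the code expands `_` into the equivalent "AS boundary" group (space, comma, brace, parenthesis, start or end of the path) and then runs the pattern from the post over constructed AS paths.

```python
import re

# Added example (not from the original post): how Cisco's "_" behaves in a
# BGP AS-path regex, emulated in Python so it can be checked offline.
#
# In Cisco regexes "_" matches a space, comma, brace, parenthesis, or the
# beginning or end of the AS path string, i.e. "an AS boundary". It is
# expanded here into an equivalent group that re.search understands.
_UNDERSCORE = r"(?:^|$|[ ,{}()])"

def translate_cisco_regex(pattern):
    """Rewrite a Cisco AS-path regex into one Python's re module accepts."""
    return pattern.replace("_", _UNDERSCORE)

def as_path_matches(pattern, as_path):
    """True if the AS path string (as printed by 'show ip bgp') matches."""
    return re.search(translate_cisco_regex(pattern), as_path) is not None

def filter_as_paths(pattern, as_paths):
    """Return the AS paths a route-map using this regex would permit."""
    return [p for p in as_paths if as_path_matches(pattern, p)]

# Constructed AS paths, written the way 'show ip bgp' prints them.
SAMPLE_PATHS = [
    "100 333 200",   # 333 is a transit AS in the middle
    "333 200",       # 333 is the neighbor (first) AS
    "100 333",       # 333 is the origin (last) AS
    "1333 200",      # "333" only appears inside another AS number
    "100 3334",      # same, as a prefix of a longer AS number
]

if __name__ == "__main__":
    # "_333_" only matches AS 333 as a whole number; a bare "333" would
    # also match 1333 and 3334, which is the mistake "_" exists to prevent.
    print(filter_as_paths("_333_", SAMPLE_PATHS))
    print(filter_as_paths("333", SAMPLE_PATHS))
    # The pattern from the post: AS 333 somewhere in the path, followed by
    # at least one more character, so 333 cannot be the origin AS.
    print(filter_as_paths("^.*_333_.+$", SAMPLE_PATHS))
```

Changing the anchoring shows why `_` is more than "a space": `^333_` matches only when 333 is the neighbor AS, `_333$` only when it is the origin.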



Wednesday, July 11, 2018

[Discussion] WHAT IS MULTIPROTOCOL LABEL SWITCHING (MPLS)? HOW DOES IT WORK?

MPLS stands for Multiprotocol Label Switching. It is a data transport method for different protocols on the Packet Switched Network (PSN). It is a protocol-agnostic routing technique.



MAC flap took down the whole network

Hello folks, this is one of those posts that excites people... lol jk.

Today, we had someone turn on a switch port, which took down almost all access for everyone on the network to everything for about 10 min until we resolved it.

https://imgur.com/a/wtJLyIA

The drawing below explains the topology. We have 2 Nexus cores that are peer-linked and attach to many switches via VPC; in this example it is our building distribution switch. Our building dist switch connects to a building access switch. VLAN 5 is like a black-hole VLAN; it's on all our switchports by default and meant to not give access to anything until we put a real VLAN in there. So we have this new Ciena router that is supposed to hook up our main site here to a DR site far away. So far it's only connected here, not at the DR site yet. The Ciena has 2 connections going to each Nexus core, configured as switchport access vlan 5 on our cores. The Ciena is also turned on. So right when my co-worker went to activate a random switchport at a random access switch for one of the buildings, he just turned it on.... Next thing you know, tickets start pouring in about loss of connectivity and we get 1 log in the distribution switch saying:

building distribution switch#

%SW_MATM-4-MACFLAP_NOTIF: Host 085f.51y6.5626 in vlan 5 is flapping between port Po1 and port Po2

%SW_MATM-4-MACFLAP_NOTIF: Host 085f.51y6.5626 in vlan 5 is flapping between port Po1 and port Po2

So hell breaks loose until we shut off the port. My question is, how could this have been avoided? Do I need to configure broadcast storm thresholds? I would think spanning-tree would do something about this, but apparently not... I would also expect to see this log more than just once, as I outputted above, right? I've seen loops like this before in the past many times with MAC flaps, but to take down the network for everyone??? I've never seen it be bad to this magnitude!!
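Detection logic for the MACFLAP_NOTIF message quoted above, added here as an example and not part of the original post: it parses the syslog lines and flags a host that keeps flapping between the same two ports, which is what a loop looks like, as opposed to a host that simply moved once. The log lines, MAC addresses (from the 00-00-5E-00-53 documentation range) and the flap threshold are constructed assumptions.

```python
import re
from collections import Counter

# Added example (not from the original post): parse %SW_MATM-4-MACFLAP_NOTIF
# messages and report hosts seen flapping repeatedly between one port pair.
MACFLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>\S+) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<port_a>\S+) and port (?P<port_b>\S+)"
)

def parse_macflaps(lines):
    """Yield (mac, vlan, port pair) for every MACFLAP_NOTIF line.

    The port pair is sorted so "Po1 and Po2" and "Po2 and Po1" count as the
    same pair.
    """
    for line in lines:
        m = MACFLAP_RE.search(line)
        if m:
            ports = tuple(sorted((m["port_a"], m["port_b"])))
            yield m["mac"], int(m["vlan"]), ports

def suspected_loops(lines, threshold=3):
    """Return {(mac, vlan, ports): count} for hosts that flapped between the
    same two ports at least `threshold` times (threshold is an assumption)."""
    counts = Counter(parse_macflaps(lines))
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed syslog lines in IOS format; the MACs are documentation-range
# placeholders, not real hosts.
SAMPLE_LOG = """\
Jul 13 09:01:02.101: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.5e00.5301 in vlan 5 is flapping between port Po1 and port Po2
Jul 13 09:01:03.115: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.5e00.5301 in vlan 5 is flapping between port Po2 and port Po1
Jul 13 09:01:04.120: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.5e00.5301 in vlan 5 is flapping between port Po1 and port Po2
Jul 13 09:01:05.130: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.5e00.5302 in vlan 5 is flapping between port Po1 and port Po2
Jul 13 09:02:00.000: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.5e00.53aa in vlan 20 is flapping between port Gi1/0/7 and port Gi1/0/9
Jul 13 09:02:01.000: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to up
""".splitlines()

if __name__ == "__main__":
    # Only 0000.5e00.5301 in VLAN 5 crosses the threshold; the single flaps
    # in VLAN 5 and VLAN 20 are reported as ordinary host moves.
    for (mac, vlan, ports), n in suspected_loops(SAMPLE_LOG).items():
        print(f"possible loop: {mac} vlan {vlan} between {ports} ({n} flaps)")
```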



Can't ping other IPv6 hosts

We started deploying IPv6 at a remote site as a pilot deployment. I believe I have most of the configuration correct, as my laptop can access and ping ipv6.google.com with success. I also have servers on a different vlan and subnet that can also access the Internet fine with IPv6. However, my laptop can't ping the server over IPv6.

So far I have verified there's no firewall on my laptop or server that would prevent reaching each other. I can access it over IPv4 without issue.

Each device can ping its own gateway, reach the internet, etc. over IPv6.

Verified the firewall has no rules preventing cross subnet/vlan communication. Access works fine over IPv4.

I don't know much about IPv6, but it seems like I may need to configure something called router advertisements? Is it possible that even though no firewalls are blocking access, that the IPv6 network doesn't know how to route between each other?



[Request] Can you upload [323Mb] GNS3 Vm on google drive?

Hello guys,

I’m having a hard time downloading the GNS3 2.1.8 VMware Workstation Vm =\ it always stops at a certain point when downloading.

If you can upload somewhere and send me a link It’d be very appreciated.



BGP Internet Design with two Routers and a Firewall

First, I've been a junior network admin for a few years and recently the senior engineers left leaving me with a lot more responsibility. This is really my first deep dive into BGP design, so I very much appreciate any feedback.

Problem: We have two circuits to two ISPs. Currently we filter all but the default route and announce our /24 prefix from each. We run HSRP on the internal interfaces, and fail-over by shutting down the BGP session on the primary router, shutting down the internal interface so HSRP switches us over, and bringing up the session on the backup. This is manual, slow (typically an hour+ in practice), and just generally shitty.

Proposed solution: To make use of both circuits and have fail-over be faster and more automatic I want to accept the full route tables from each ISP, announce our prefix to both at the same time, and run an iBGP session between the two routers.

Here's a diagram.

Is this a reasonable approach to solving the problem?

Question: What is the best way to do the routing on the firewall? Ideally it would send traffic to some destinations via RT-1 and others via RT-2, right? Options I've thought of:

  • Remove HSRP and run BGP on the firewall with an iBGP session to each router. I would prefer not to do this because I don't manage the firewall and the firewall admin has pushed back against having routing protocols running on there. He's a fan of static routes.
  • Leave HSRP and let IP redirects send flows to the correct router. Is this a reasonable option?
  • Any other ways I'm not thinking of?

Proposed BGP config:

On RT-1

router bgp 3333
 neighbor 1.1.1.1 remote-as 1111
 neighbor 1.1.1.1 update-source Gi0/1
 neighbor 3.3.3.3 remote-as 3333
 neighbor 3.3.3.3 update-source Gi0/0
 address-family ipv4
  network 3.3.3.0 mask 255.255.255.0
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 route-map IN_FROM_ISP in
  neighbor 1.1.1.1 route-map OUT_TO_ISP out

On RT-2

router bgp 3333
 neighbor 2.2.2.1 remote-as 2222
 neighbor 2.2.2.1 update-source Gi0/1
 neighbor 3.3.3.2 remote-as 3333
 neighbor 3.3.3.2 update-source Gi0/0
 address-family ipv4
  network 3.3.3.0 mask 255.255.255.0
  neighbor 2.2.2.1 activate
  neighbor 3.3.3.2 activate
  neighbor 2.2.2.1 route-map IN_FROM_ISP in
  neighbor 2.2.2.1 route-map OUT_TO_ISP out

Route maps on both routers

route-map IN_FROM_ISP permit 10
 match ip address prefix-list ALL_NETS
route-map OUT_TO_ISP permit 10
 match ip address prefix-list OUR_PREFIX
route-map OUT_TO_ISP deny 20
 match ip address prefix-list ALL_NETS
ip prefix-list ALL_NETS seq 10 permit 0.0.0.0/0 le 24
ip prefix-list OUR_PREFIX seq 10 permit 3.3.3.0/24

Edit: Typo



Anyone know a good AWS reverse proxy solution?

Not strictly networking, but very close. I am looking for some type of reverse proxy solution in AWS so I can host multiple servers using their own domain name and well-known port on my home internet connection with only one public IP. Currently, this works pretty well using Apache, and multiple EIPs bound to an EC2 instance, but it would be great if there was some API Gateway/Lambda based solution, as dedicating an entire host for this seems like a waste. Must be AWS, as I have easy access to whatever services I need, and cost is not a factor.

Anyone know of any ways to accomplish this? And before you say "this doesn't belong here", just remember that SDN is the future of networking :)



Cisco C892 WAN failover problem, suspect IOS bug

I'm trying to get failover set up on a Cisco router. The primary connection is Mediacom and the backup connection is Verizon Wireless via a Cradlepoint router. I have the Cradlepoint set up in IP passthrough.

I've created my SLAs and got my route failover working. When I take down the primary I can see the route change to the backup route in the table and I can get into the router via SSH on the backup IP. However, I am unable to get nat translations on the backup IP.

I debugged NAT and I'm getting errors that seem to show that it is still matching the primary route-map/NAT statement. When I take out the overload command that is tied to the primary interface, BAM, NAT translations are working on the backup.... it overloads fine. Do you think this is an IOS bug, or has anyone seen this behavior?

Relevant Config:

interface GigabitEthernet8
 description VZW-Backup
 ip address dhcp
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet9
 description INTERNET CONNECTION
 mac-address 78da.6e65.582d
 ip address x.x.x.x 255.255.255.0
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
interface Vlan1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
ip nat inside source route-map INTERNET interface GigabitEthernet9 overload
ip nat inside source route-map INTERNET-BKP interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet9 x.x.x.x track 5
ip route 8.8.8.8 255.255.255.255 x.x.x.x
ip route 0.0.0.0 0.0.0.0 GigabitEthernet8 dhcp 254
track 5 ip sla 5
 delay down 30 up 30
ip sla 5
 icmp-echo 8.8.8.8 source-ip x.x.x.x
 frequency 15
ip sla schedule 5 life forever start-time now
route-map INTERNET permit 10
 match ip address 100
!
route-map INTERNET-BKP permit 10
 match ip address 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 remark INTERNET NAT

NAT ERRORS BELOW

*Jul 11 19:54:16.855: NAT: map match INTERNET

*Jul 11 19:54:16.855: mapping pointer available mapping:0

*Jul 11 19:54:16.855: NAT: translation failed (A), dropping packet s=192.168.1.160 d=8.8.8.8

*Jul 11 19:54:16.859: NAT: map match INTERNET

*Jul 11 19:54:16.859: mapping pointer available mapping:0

*Jul 11 19:54:16.859: NAT: translation failed (A), dropping packet s=192.168.1.160 d=8.8.4.4

*Jul 11 19:54:16.895: NAT: map match INTERNET

*Jul 11 19:54:16.895: mapping pointer available mapping:0

*Jul 11 19:54:16.895: NAT*: Can't create new inside entry - forced_punt_flags: 0

*Jul 11 19:54:16.895: NAT: map match INTERNET

*Jul 11 19:54:16.895: mapping pointer available mapping:0

*Jul 11 19:54:16.895: NAT: translation failed (A), dropping packet s=192.168.1.156 d=8.8.8.8

*Jul 11 19:54:16.899: NAT: map match INTERNET

*Jul 11 19:54:16.899: mapping pointer available mapping:0

*Jul 11 19:54:16.899: NAT*: Can't create new inside entry - forced_punt_flags: 0

*Jul 11 19:54:16.899: NAT: API parameters passed: src_addr:192.168.1.101, src_port:0 dest_addr:8.8.8.8, dest_port:0, proto:17 if_input:Vlan1 pak:10F60AAC get_translated:1

*Jul 11 19:54:16.899: NAT: map match INTERNET

*Jul 11 19:54:16.899: mapping pointer available mapping:0

*Jul 11 19:54:16.899: NAT*: Can't create new inside entry - forced_punt_flags: 0

*Jul 11 19:54:16.899: NAT: map match INTERNET

*Jul 11 19:54:16.899: mapping pointer available mapping:0

*Jul 11 19:54:16.899: NAT: translation failed (A), dropping packet s=192.168.1.156 d=8.8.8.8

*Jul 11 19:54:16.899: NAT: map match INTERNET

*Jul 11 19:54:16.899: mapping pointer available mapping:0ebug all

*Jul 11 19:54:16.899: NAT: translation failed (A), dropping packet s=192.168.1.101 d=8.8.8.8

*Jul 11 19:54:16.935: NAT: map match INTERNET

*Jul 11 19:54:16.935: mapping pointer available mapping:0

*Jul 11 19:54:16.935: NAT*: Can't create new inside entry - forced_punt_flags: 0

*Jul 11 19:54:16.935: NAT: map match INTERNET

*Jul 11 19:54:16.935: mapping pointer available mapping:0

*Jul 11 19:54:16.935: NAT*: Can't create new inside entry - forced_punt_flags: 0

*Jul 11 19:54:16.935: NAT: map match INTERNET

*Jul 11 19:54:16.935: mapping pointer available mapping:0

*Jul 11 19:54:16.935: NAT: translation failed (A), dropping packet s=192.168.1.160 d=8.8.8.8

*Jul 11 19:54:16.935: NAT: map match INTERNET

*Jul 11 19:54:16.935: mapping pointer available mapping:0

*Jul 11 19:54:16.935: NAT: translation failed (A), dropping packet s=192.168.1.160 d=8.8.4.4

*Jul 11 19:54:17.023: NAT: API parameters passed: src_addr:192.168.1.101, src_port:0 dest_addr:8.8.8.8, des
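Debug output like the capture above is easier to read once it is tallied. The following is an added example, not code from the poster: a small Python parser for this style of Cisco NAT debug output that counts the "translation failed ... dropping packet" lines per inside source and per destination, counts the "Can't create new inside entry" allocation failures, and records which input interfaces and protocols the NAT API lines report. The sample lines are constructed from the format shown in the post (same addresses, fewer lines); function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the format of the NAT debug output quoted in the post
# above; the addresses are the ones the post shows.
SAMPLE_LOG = """\
*Jul 11 19:54:16.855: NAT: translation failed (A), dropping packet s=192.168.1.160 d=8.8.8.8
*Jul 11 19:54:16.859: NAT: map match INTERNET
*Jul 11 19:54:16.859: mapping pointer available mapping:0
*Jul 11 19:54:16.859: NAT: translation failed (A), dropping packet s=192.168.1.160 d=8.8.4.4
*Jul 11 19:54:16.895: NAT*: Can't create new inside entry - forced_punt_flags: 0
*Jul 11 19:54:16.895: NAT: translation failed (A), dropping packet s=192.168.1.156 d=8.8.8.8
*Jul 11 19:54:16.899: NAT: API parameters passed: src_addr:192.168.1.101, src_port:0 dest_addr:8.8.8.8, dest_port:0, proto:17 if_input:Vlan1 pak:10F60AAC get_translated:1
*Jul 11 19:54:16.899: NAT: translation failed (A), dropping packet s=192.168.1.101 d=8.8.8.8
"""

# Timestamp at the start of every debug line ("*Jul 11 19:54:16.855: ...").
TS_RE = re.compile(r"^\*?(\w{3} \d+ \d\d:\d\d:\d\d\.\d+): ")
DROP_RE = re.compile(r"translation failed \((\w+)\), dropping packet s=(\S+) d=(\S+)")
NO_ENTRY_RE = re.compile(r"Can't create new inside entry")
API_RE = re.compile(
    r"API parameters passed: src_addr:(\S+), src_port:(\d+) dest_addr:(\S+), "
    r"dest_port:(\d+), proto:(\d+) if_input:(\S+)"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_nat_debug(text):
    """Summarise a block of NAT debug lines: drops per inside source and per
    destination, number of 'Can't create new inside entry' events, the input
    interfaces and protocols seen on API lines, and the time span covered."""
    by_src, by_dst, by_proto, by_ifc = Counter(), Counter(), Counter(), Counter()
    no_entry = 0
    first_ts = last_ts = None
    for line in text.splitlines():
        ts = TS_RE.match(line)
        if ts:
            last_ts = ts.group(1)
            first_ts = first_ts or last_ts
        m = DROP_RE.search(line)
        if m:
            _reason, src, dst = m.groups()
            by_src[src] += 1
            by_dst[dst] += 1
            continue
        if NO_ENTRY_RE.search(line):
            no_entry += 1
            continue
        m = API_RE.search(line)
        if m:
            proto = int(m.group(5))
            by_proto[PROTO_NAMES.get(proto, str(proto))] += 1
            by_ifc[m.group(6)] += 1
    return {
        "total_drops": sum(by_src.values()),
        "drops_by_source": dict(by_src),
        "drops_by_dest": dict(by_dst),
        "no_entry_events": no_entry,
        "api_protocols": dict(by_proto),
        "api_input_interfaces": dict(by_ifc),
        "first_ts": first_ts,
        "last_ts": last_ts,
    }


def hosts_with_drops(text, min_drops=1):
    """Inside addresses with at least min_drops dropped packets, most affected
    first; shows whether one host or the whole LAN is being dropped."""
    s = parse_nat_debug(text)
    ranked = sorted(s["drops_by_source"].items(), key=lambda kv: (-kv[1], kv[0]))
    return [host for host, n in ranked if n >= min_drops]


if __name__ == "__main__":
    summary = parse_nat_debug(SAMPLE_LOG)
    print(f"{summary['total_drops']} drops between {summary['first_ts']} and {summary['last_ts']}")
    for host in hosts_with_drops(SAMPLE_LOG):
        print(f"  {host}: {summary['drops_by_source'][host]} dropped")
    print(f"allocation failures (no inside entry): {summary['no_entry_events']}")
```

Feed it the whole capture (for example `parse_nat_debug(open("nat-debug.txt").read())`) and the per-source counts tell you whether the drops come from every inside host, which points at the NAT configuration itself, or from one host, which points at that host.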



Cisco Nexus Equivalent Commands..

I am having such a hard time trying to find this on Google. The following commands are for a Cisco Catalyst switch (work just fine). I am looking for equivalent commands to enter onto a Nexus 9000 switch and cannot find it.

  1. enable

  2. configure terminal

  3. archive

  4. log config

  5. logging enable

  6. logging size entries

  7. hidekeys

  8. notify syslog

  9. end



Best way to utilize 2x gig wan links

Can anyone recommend what would be the optimal way to utilize 2 point to point gigabit fiber connections between 2 sites? I'd like a set up where there's redundancy and both lines are utilized (load balanced). Optimally, I'd like to avoid a single point of failure, so would like to avoid plugging both links into a single device at each end. 2 routers on each side though would be difficult to load balance. I've been thinking of hsrp, and mlag (or vpc). Anyone do something similar?

Thanks.



Why Cisco, Why?

I just don't understand why the network gods at Cisco thought it would be acceptable to utilize 1.1.1.1 as a non-routable IP address... why didn't they use something in 169.254.0.0/16?

Edit: RFC 3927 states "addresses in the 169.254/16 prefix SHOULD NOT be configured manually...." So that's out, but they still could have used something in the 192.0.2.0/24 range.



Bringing up new subinterface w/ HSRP in ISR4300 caused another HSRP group's IP to stop responding

Scenario: G0/1 connects to switch and has several sub-interfaces running HSRP.

G0/1.500 was in a separate vrf. Moved it back into the default vrf which caused it to remove its ip and HSRP config. Reapplied IP and HSRP info, then suddenly g0/1.200 HSRP address stopped responding.

.500 is in a different group number and is in a different subnet.

Logs showed no changes at all to the HSRP process on .200

Is this a bug?



ECDSA Certs & f5s -_-

Little background.

I’ve got a new CA cert that is sha256ECDSA. I need to add it to a bundle I’m using for trusted CAs on my client SSL profile. All existing certs in this bundle are RSA and work just fine.

I’m on 12.0 LTM code and have added DEFAULT:ECDHE_ECDSA to my ciphers on my client ssl profile. When I add the cert to the bundle I immediately get errors in Chrome and Firefox. IE works just fine with the new cert added.

Firefox error: SSL_ERROR_RX_RECORD_TOO_LONG

Chrome error: ERR_SSL_PROTOCOL_ERROR

I feel like I’ve exhausted all my options and don’t know what else to try. Sorry for formatting, on mobile.



Only one SSID on VLAN affected by storm, all others accessible

So this is a weird one I haven't experienced and hopefully someone can slap me with some knowledge.

This morning we had a network storm of some sort. I can see when traffic increased on our switches, but not where. But that isn't the strange part.

Only one SSID seems to be affected. Other SSIDs, on the same WAPs, on the same VLAN, on the same frequency worked fine. I didn't get a chance to wireshark the traffic because I could not get connected to said SSID to initialize the adapter for wireshark.

Does anyone have any ideas?



Has anyone used PureCloud voice before? Questions about their service.

I have a site that chose PureCloud as their voice option (against our recommendation). Now they are complaining of issues and we are looking for ways to monitor the health between the site and PureCloud's AWS environment, but they don't offer any. Has anyone worked with them before, and if so, how do you monitor the connectivity health from customer site to PureCloud?



Monitoring software? Troubleshooting

Hey guys, I have a project at my work to label all cables in the networking rack. However they wanted to ask me if I know any way to see why the network is so slow; it’s a very spread-out plant with nothing documented and a messy rack, the typical “never cared for” setup.

I’ve walked around trying to find loops in any of the small dummy switches but have had no luck. Do you know of any monitoring device/software I could use to get an idea of what might be causing this? Any other tricks you use that I could try?



10GbE Network Design Question

Hello, I have a video production client that does editing off of two large SMB/AFP/NFS servers, each with multiple 10GbE ports. All editors are using Macs with Sonnet Thunderbolt 3 to 10GbE adapters or brand new Macs with built in 10GbE ports (only one in use on each currently). Currently, they have a Dell N4000 series 10GbE switch which is segregated from the internet facing network (this was to eliminate contention and also because we set the 10GbE MTU to 9000). Also, any attempt to team NICs from either server freaks the switch out.

I realize this design is far from ideal. The client will be expanding to roughly 2-3x the size, and will need additional networking equipment. I've learned a lot more about 10GbE networking since the original setup, and I don't want to recommend more Dell (we've hit random problems every few months that Dell Support has been able to fix, but always through weird fixes like disabling Green Ethernet on one port). We're partnered with Dell, which meant we got them at a steal, but everyone involved agrees they aren't the future here.

I'm looking for something that meets the following conditions:

  1. Not breaking the bank. I've seen some great Ciscos that are $5-7K EACH. They will never approve them, especially if we're going to need at least 3.
  2. Able to reliably switch large volumes of 10Gbps traffic at 1500 MTU or a way to route between a 9000 MTU VLAN and a 1500 MTU VLAN, with the assumption that most client endpoints will need both networks over one connection. I realize this is likely where I'm completely misunderstanding what I actually need/want to do, so any advice is appreciated.
  3. Preferably with good overhauls. I'm considering also replacing the 3x 1GbE Switches (2 Netgear the client bought and a Dell) as well if the cost is feasible.

Currently, we have over 60 drops to computers. 12 go to editors workstations for 10GbE, and the others go to editors for 1 GbE and for all other employees, wifi, and phones/printers/peripherals. This will likely jump to 150+ starting in November, and being able to route all connections to one switch stack would be ideal.

We don't have firm budget numbers, but I'm aiming to come around $10K USD or so. We also will be having to expand our storage array, which is going to cost another $30K or so, and I know they'll be dropping a bunch more than that on the office expansion.



can't open any port on Asus RT-AC58U, any solution to fix this ?

So I recently bought an Asus RT-AC58U. Everything is working fine except port forwarding. I also contacted my ISP; they told me there are no ports blocked from their side, and I also have a static IP. Any help is highly appreciated.

And on https://www.ipfingerprints.com/portscan.php it says filtered.



QoS trust cos vs trust dscp?

Just want to see what you guys think regarding qos marking for using the trust cos and trust dscp, say only on Cisco platforms.

My thought process is below, assuming the inbound traffic does have either COS or DSCP value set:

  • If traffic inbound on the switch access port connecting to phone, I generally do trust cos and also configure global cos-dscp mapping. I think switches are actually using DSCP value for forwarding traffic.
  • If traffic inbound on the switch trunk OR access port connecting to a switch, I generally do trust cos value.
  • If traffic inbound on the switch trunk OR L3 port connecting to a L3 device, I generally do trust dscp value.
  • If traffic inbound on the router interface or sub interface connecting to a switch, I generally do trust dscp value.
  • If traffic inbound on switch/router port connecting to a computer (server, laptop etc.), I generally have to do manual marking...

What do you normally do?
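The practice listed above, written out as a Catalyst-style IOS configuration. This is an added example, not the poster's configuration: interface names, VLAN numbers, the address on the L3 uplink and the ACL/class/policy names are assumed, and the `mls qos` command family is the one used on MLS QoS platforms such as the Catalyst 3560/3750 (other Catalyst families use a different syntax for the same idea).

```cisco
! Enable QoS globally; once this is on, ports that are not trusted have their
! CoS/DSCP reset, so every port below is either trusted or explicitly marked.
mls qos
! CoS-to-DSCP map applied wherever "trust cos" is used (CoS 5 -> EF/46 for voice)
mls qos map cos-dscp 0 8 16 24 32 46 48 56
!
! Access port to an IP phone: trust CoS, and only while a Cisco phone is detected (CDP)
interface GigabitEthernet1/0/1
 description IP phone + PC (assumed port)
 switchport access vlan 10
 switchport voice vlan 110
 mls qos trust cos
 mls qos trust device cisco-phone
!
! Trunk or access port to another switch: trust the CoS carried in the 802.1Q header
interface GigabitEthernet1/0/24
 description trunk to access switch (assumed port)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 mls qos trust cos
!
! Routed uplink to an L3 device: no 802.1Q header to carry CoS, so trust DSCP
interface GigabitEthernet1/0/25
 description L3 uplink to core (assumed port and address)
 no switchport
 ip address 10.0.0.2 255.255.255.252
 mls qos trust dscp
!
! Port to a server or laptop: do not trust the host, mark explicitly instead
ip access-list extended SIP-SIGNALING
 permit tcp any any eq 5060
 permit udp any any eq 5060
class-map match-all CM-SIP
 match access-group name SIP-SIGNALING
policy-map PM-MARK-HOST
 class CM-SIP
  set dscp cs3
 class class-default
  set dscp default
interface GigabitEthernet1/0/10
 description untrusted host (assumed port)
 switchport access vlan 20
 service-policy input PM-MARK-HOST
```

The router bullet has no counterpart in this block because an IOS router does not re-mark DSCP unless a policy tells it to, so "trusting DSCP" on a router interface or sub-interface is its default behaviour. The last interface is the manual-marking case: with `mls qos` enabled and no trust statement the port is untrusted, so the input policy is what assigns the DSCP that the rest of the network will then trust.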



ISP Transition Routing questions

We are switching our ISP and ran into an issue I'm drawing a blank on.

Currently our ISP uses a /30 to route from their gateway to ours. We then NAT two separate /28 networks that are being sent our way.

Our new ISP gave us a /29 with their gateway being the first host in the range. This is being changed to a /27, but I'm still waiting for everything to be approved.

If their gateway is the first IP of the range and I set my gateway as the second IP in the range, how would I configure my firewall to NAT the last 4 IPs in the range to internal hosts?

Some routing information we currently have:

  • Gateway/30 direct connected, eth0
  • 0.0.0.0/0 via ISP /30 gateway , eth0
  • 10.0.0.0/16 direct connected, eth1
  • First/28 via 0.0.0.0, eth1
  • Second/28 via 0.0.0.0, eth1
  • Various other VLAN routes

We are using a Checkpoint firewall at the moment, but I do have a new Barracuda F380 I will be putting in place for the new circuit. I don't want to change the gateway device, but 1 year renewal for Checkpoint bought us the F380 and like 5 years support.

Thanks for any help.
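To make the question concrete, here is an added example that is not the poster's configuration, and uses nftables on Linux rather than the Check Point or Barracuda: the /29 is taken from the documentation range as 203.0.113.0/29, with .1 as the ISP gateway (first host) and .2 as the firewall's outside address (second host), and the remaining four usable addresses .3 to .6 are mapped 1:1 to internal hosts. The inside addresses 10.0.1.10 to 10.0.1.13 and the interface name eth0 are assumed.

```nft
#!/usr/sbin/nft -f
# Constructed addressing (RFC 5737 documentation range), assumed for this example:
#   203.0.113.1      ISP gateway (first host of the /29)
#   203.0.113.2/29   firewall outside interface eth0; default route via .1
#   203.0.113.3-6    remaining usable addresses, each mapped 1:1 to an inside host
#   203.0.113.7      subnet broadcast, not usable
# The firewall must also own .3-.6 on eth0 (one "ip addr add 203.0.113.N/29 dev eth0"
# per address) so that it answers the ISP gateway's ARP for them; the NAT rules
# alone do not make the addresses reachable.

flush ruleset

define WAN = "eth0"

table ip nat {
    # public address -> inside host (the static 1:1 part)
    map public_to_inside {
        type ipv4_addr : ipv4_addr
        elements = {
            203.0.113.3 : 10.0.1.10,
            203.0.113.4 : 10.0.1.11,
            203.0.113.5 : 10.0.1.12,
            203.0.113.6 : 10.0.1.13
        }
    }

    # inside host -> public address, so outbound flows from those hosts leave
    # with the same address they are reachable on
    map inside_to_public {
        type ipv4_addr : ipv4_addr
        elements = {
            10.0.1.10 : 203.0.113.3,
            10.0.1.11 : 203.0.113.4,
            10.0.1.12 : 203.0.113.5,
            10.0.1.13 : 203.0.113.6
        }
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname $WAN dnat to ip daddr map @public_to_inside
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # 1:1 hosts first; NAT statements are terminal so the rule below does not
        # catch them
        oifname $WAN snat to ip saddr map @inside_to_public
        # everything else from the LAN leaves on the firewall's own address
        oifname $WAN ip saddr 10.0.0.0/16 snat to 203.0.113.2
    }
}
```

The point that carries over to any firewall is the one in the comment block: when the public addresses sit in the same subnet as the firewall's outside interface, the firewall has to answer for them on that segment (proxy ARP, or holding the addresses itself) in addition to translating them. On a /27 the same layout applies with more usable addresses.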



Critique my network design - PBX / VoIP

Hi Guys,

We have had a new VoIP solution deployed in my company. I'm solely responsible for the network within the org. I ran these designs by the VoIP guys, who were happy with everything, but I am just looking for some more opinions.

https://imgur.com/a/dCW33JN - here is the diagram

Everything is working fine, apart from a QoS issue where the calls lose quality if I saturate the internet uplinks.

Just to explain the setup in order we have:

  1. Leased line/ Backup FTTC terminations - this is where the internet uplink comes into the company. The leased line is 100/100 and the FTTC is 60/40 (Down/Up)
  2. Next up is the Juniper router, this is managed by the ISP. We have a total of external 5 IP addresses on this network. This is the gateway for our Firewall and PBX
  3. After the ISP router we have our Sophos Firewall. Here is where we define all our internal networks and VLANs. For this diagram only the 'Main LAN' and 'IP Phone' VLANs are relevant, so I have redacted the others. Our internal networks use this firewall as their default gateway; the firewall will then NAT and send the traffic towards its gateway (Juniper).

Also on the firewall I have a L2 bridge which allows me to connect the WAN port of the PBX to the outside world, with the safety of the firewall. - No NAT

  4. The PBX has 2 network ports. One for WAN, which requires an external IP, and one for LAN which has an internal IP on the 'IP Phone' VLAN.

  5. Finally we have the internal networks. Here is where our switches and end devices sit.

Now that you've seen that, I have a question.. If I wanted QoS on the PBX to guarantee bandwidth, will this have to be set up on the ISP Juniper since this is the gateway for the PBX? It only passes the firewall using a L2 bridge, so I can't configure it here?

INb4: obviously if money was no object i would have a switch between the router and existing firewall, then i would have a 2nd firewall for the 'External' networks, which contains the PBX



Port security blocks HP laptop?

System admin here running into a strange network issue, hoping for an idea.

Our office has 4 Cisco switches stacked.

My MacBook Pro connects to the wall port beside my desk to the patch panel to the switch stack on port x. My device has internet access without issue, and I have 3 Windows VMs running on it which also connect to the internet successfully. These devices successfully receive ping responses from the gateway.

An HP 840 G4 connected to the same wall port beside my desk cannot ping the gateway nor access the gateway.

All of the above mentioned devices get DHCP addresses handed out in expected scope with the same gateway address.

Seems to me that the issue points to some type of switch port setting but it's outside my realm of knowledge and experience - any thoughts on what could be causing this?



Tunnel-Free VPNs explanation request

I've looked all over trying to find someone to explain to me how a VPN can be tunnel-free and I can't find anything that really gives me a clear-cut definition. Can anyone explain to me how VPN is based off of tunneling and then you can have tunnel-free VPNs with IPsec?



Expand Guest Network via Ethernet?

Hi guys/gals,

I'm setting up a wireless network for a small business where they will have a public WiFi spot. I have got a TP-LINK Archer C50 Router & a Ubiquiti AP AC LR.

On the inside of the building will be the TP-LINK Router which I have configured to have a Guest Network with Facebook captive portal. But I need to expand this guest network & captive portal over to the Unifi AP which is outside. Anyone got any ideas how I can expand the guest network to 1 Ethernet port on this router?



Clients (probably just Windows) "falling off" the network intermittently

I have an issue with a Windows-based network where clients are losing their network connections intermittently; or, at the very least, they lose the ability to resolve DNS to the point where the Windows network icon kicks up a yellow warning flag. However, when this happens, connections that are already established are closed so I believe they do lose their valid IP. Running the troubleshooter resets the NIC and they come back up (however, on thin clients, the troubleshooter isn't there and there the easiest solution is a client reboot, which is not ideal.)

I could use some suggestions on what to check. I suspected DNS, but there are two Server 2016 DNS servers that both work perfectly as far as I can see, and they both have the three DNS servers the ISP offers (bypassing our router for DNS, it's not involved) set as forwarders.

The clients are all DHCP, and checking the statistics for their scope shows we're getting to the point where I need to create a second client VLAN, but there are still 37 free leases as I write this, and there is not a huge amount of changes in the required leases day to day.

This is happening on multiple clients (a few at a time) and multiple switches.

Currently it's an annoyance, as it only happens to the occasional client, maybe once a day, but I would hate for this to get worse, and of course the ideal number of annoyances a day for wired networks would be zero.

Any ideas appreciated on where I should start looking.



Help required about multiple usable static IPs on single fibre optics line

We have recently purchased a fibre optics line for our office. We have also asked for 4 usable static ip addresses so that we can have internet facing applications running on 4 servers on fibre optics line to which these IPs will be assigned.

However we are not able to figure out how to do this. We don't see any option to add multiple DMZ hosts on the router, one for each static IP. What can be done in this case?



With dual Ethernet modem you can build your own network at home



Tuesday, July 10, 2018

I went to CiscoLive and all I got was this lousy t-shirt...

...And this lousy t-shirt, and another lousy t-shirt, and this pretty cool t-shirt, and this other lousy t-shirt, and this t-shirt my wife stole and now sleeps in, and this Meraki t-shirt which I kind of like, and this t-shirt for a company I've never heard of but the design is cool so I'll wear it on occasion, and this fidget spinner, and this webcam cover, and this light-up hat I gave to my kid, and this battery pack that says 'Cisco UCS and Hyperflex", and all those other useless pieces of swag that wouldn't fit in my suitcase so I left them in the hotel room. :)



Gel filled cable oozing.

I got a gel-filled cable 4 years ago but didn’t use it.. Today I opened it to use and found out it’s oozing gel. Question is, is it supposed to ooze gel? I wiped it off but I fear it’s probably going to ooze again and mess up my connectors. Is it a faulty cable or is it supposed to ooze? Anyone experience this?

Thanks



Proper way to connect two buildings to LAN

Hello there, a small company I work for has a Cat5e CMR solid conductor cable outside which connects the two buildings together so they're on the same LAN. The cable is completely exposed to the harsh elements outside, the sheathing has cracked open in multiple areas and water has most likely slipped through. I'd like to prevent a future disaster. My question is, how do I properly connect the two buildings using a UTP cable? Fiber is too expensive for this company and they don't have room for a fiber patch panel. I'd like to mention that the cable is running overhead on the flat roof. Would it be as simple as running conduit on the roof and fishing a new ethernet cable through? Any recommendations are appreciated, thanks.



Rate my setup

OMG I don't know whether to laugh or cry.. I've been remotely supporting a satellite office at my new job.. I've asked to travel to the offices to audit and examine wiring and infrastructure. Boss sends me a pic and states not to worry.. "The site is wired"...

https://imgur.com/a/X0Pm0ps

Looking for concise, eloquent, non-sarcastic rage responses on how to very emphatically state that this needs to be rectified immediately...



Holy crap. Check out this network simulator someone is developing in conjunction with Cisco...



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



CenturyLink NBS?

I'm now working for a consulting company as their network engineer and they advised me that they have the NBS product with CLink. The biggest issue currently is some sites are p2p VPN, others on MPLS. What I want to know is, with the NBS product can I create IPsec tunnels to the NBS FortiGate system and integrate into the existing MPLS?

Just curious if anyone is currently using this, and is it an actual MPLS service w/ CLink or are they just creating IPsec tunnels on their FortiGates?



Remote Network Bridge

Say I have a linux server (or router) with a /28 Public IP block at a data center and I only need one of those IPs for the machine itself. Then I want to bridge those extra IPs back to a remote server/router (maybe over a VPN or a tunnel?) and put them onto a network so that the remote location can use those IP addresses off a switch. They would route back through to the datacenter and out to the internet. It would be necessary that the servers at the remote location don't realize they are far away (they are configured with the public IP directly) ... other than the main server/router they route through.

At the data center, I can put in any equipment. Any suggestions on where to start? I looked at SoftEther VPN, seems possible?

Note: I tried using a Site-to-Site VPN with an EdgeRouter, but that requires different subnets. They also make a GRE Tunnel, but it seems like it's setup for NAT vs Using a public IP Space.

Simple Diagram: https://imgur.com/1eEQ0B0



SD-WAN and the Players a year after the buzz

Hi everyone, new to Reddit as a poster. Typically just in the background creeping on posts. I saw that there was an SD-WAN thread a year ago. I'm working in the industry and have been doing SD-WAN consulting via Velocloud for a few years and wanted to get a generalist perspective of what you all see in the community. *Me being biased* I believe Velocloud is one of the best solutions in combination with our service overlays of (Solarwinds and Service Now), but after the dust settles, it seems like there are some real competitors out there today. The top 10 I see are as follows:

  • Velocloud
  • Cisco IWAN
  • Cisco Meraki
  • Viptela
  • Talari
  • CloudGenix
  • Versa
  • Riverbed
  • Silver Peak
  • Big Leaf

Knowing a good amount of information on all of the above, but wanted to get an honest perspective of why and who uses what solution. From my perspective, we deal with only the enterprise market where Velocloud is a great fit. How do you see each of these solutions and where do you think they fit? Such as mid-mile solution vs. last-mile solution, packet-based failover vs. flow-based failover, etc. What determines what's best for your organization?



Unifi APs - Not passing guest VLAN through DLINK switches

Hey guys, this one has me stumped and I would appreciate some assistance.

We have a site set up with 15 UAP-AC-LITE APs and so far they are great and working fine for the internal wireless network.

However, I'm trying to get the guest network on a separate VLAN (I've designated VID 3 for it).

5 of the APs are going through DLINK DGS-3100 switches, and the rest are going through Ubnt Edgeswitches.

A USG is on the edge handling DHCP and internet access for the guest network, while the internal network is getting DHCP from an SBS server. Internal network is 10.10.20.1/24 and guest is 192.168.3.1/24 .

The APs connected to the Edgeswitches have the ports with the APs connected to them tagged as VLAN3 and the trunk port set on the uplinks - all clients connecting to those APs get an address and function fine.

Now, when I tag the AP-connected ports with VLAN 3 on the DLINK switches, and enable VLAN trunking on the uplink ports, all of the clients going through those APs fail to get addresses, or get bogus ones like 169.x.x.x or 10.x.x.x addresses.

I've even tried turning on DHCP relay on these DLINK switches pointed to the 192.168.3.1 DHCP server on the USG, but they can't seem to find their way there.

It's confusing to me because it seems like the DLINK switches are handling the VLAN traffic in an odd way compared to the EdgeSwitch connected devices.

Is there a setting somewhere I've missed? I don't have any experience dealing with managed Dlink switches, so i've tried all manner of combinations in the settings and it seems like nothing wants to work.

A side note: We had to add the Edgeswitches into the existing network because there weren't enough PoE ports available on the Dlink Switches, so they are all uplinked to these DGS-3100's (which means they are passing the vlan info when the tag does not originate on the switch).



SFP Converter Question

Hi All,

Hoping someone can give me some advice. We have an end device (it's a pay station in a parking ramp), which has an RJ-45 port on it. From the pay station we have copper plugged into an SFP converter and the fiber runs back to the switch. When we plug the fiber into the switch we do not get a link light.

We used another SFP converter on the switch side and plugged the uplink into the SFP converter then CAT5 into the switch. This option works with a converter on both sides but not with 1 side.

Any thoughts?



Inexpensive data center edge router options

I'm with a small company. We have just 2 racks of servers in a colo data center serving our production traffic, which averages around 100Mbps during our peak business hours. We're doing BGP but only receiving default routes.

We are looking to remove the "edge router" function from our firewalls and have dedicated devices for that purpose. We need to have gigabit ports and be able to realistically handle 3-4x growth in traffic.

What options are out there on the very low end of the price spectrum?

I know of and have used Mikrotiks so that may be an option. We are using Fortigates in other places, but I'd rather have a device whose primary job isn't a NGFW.



Internet Routing Table Size and Fail-over and BOOM! x-post from /r/Juniper

Okay, so I have two edge routers with 2 providers each. (MX480s with RE-S-1800x4 and MPCE Type 3 3D) I am receiving a full routing table from all my providers. One is Level3, the others are regional providers and the data center. Level3 is where a majority of our traffic defaults to.

Today was fail-over testing day and it did not go as smoothly as expected.

Taking one of the routers offline (The router connected to Level3) went just fine but bringing it back up caused about 5 minutes of downtime.

From the Internet inbound traffic died at the hop before my routers. (Assuming my router didn't have a route back or it was looping internally)

I waited about 20 minutes between taking the router offline and bringing it back online to avoid any upstream dampening.

Internal to the internet traffic was looping between my routers.

I checked the routing table and had active and best routes to my destinations on both routers. I did NOT get to check the details of these routes or the actual forwarding table. My best guess is that routes were being shared between my routers BEFORE they were installed to the forwarding table. I am guessing this because I have had this same setup for years but the last time we did forced fail-over testing the routing table was only 500k routes vs the 700k it is now. Also, during this time the routing engine CPU was pegged at 100%.

I started Googling and found this BGP knob. https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/delay-route-advertisements-edit-protocols-group-family-unicast.html

My question is, has anyone seen this kind of behavior before? Does my assumption make sense? I would test it further but customers will be upset. Has anyone used this knob or similar?



need a low end router for a t-1

We have a legacy app that requires a point to point t-1 to a provider. Nothing I can do about the t-1

I am currently using Cisco 2901 to attach this t-1 to the network. I am looking to replace this. On the Cisco side I see the 1921. I am looking for something even cheaper and simpler. I will be doing all my routing security etc on my firewalls and switches. I just need to basically convert the t-1 to Ethernet. Any suggestions would be great.



fiber connector tool for fat fingers?

My sausage fingers can't reach very easily into the very dense LC fiber patch panels we have now. Is there a tool for that? I can't seem to figure out what to Google.



Historical question: Why switches have 24/48 ports? Why not any other count (ex. 10/20)

Hello!

Simple question, but I can't find any information about why almost all switches have 4,8,12,24,48 ports? Why not as example 10,20 or any else? It should be some historical reasons...



Cisco Optimized Roaming Quirk/Question

I'm going to preface this by saying I haven't yet tried it on another software version, but will be eventually.

Cisco 5508 WLC - 8.3.133.0. I'm using one 2702I and one 3802I for testing; both APs behave the same way. All testing is on 5 GHz only.

With Optimized Roaming enabled, and coverage gap detection set at -60 dB, the controller properly rejects associations at RSSIs below -60 dB.

However, it will not dissociate clients as it should. There is no difference in dissociation signal strength with Optimized roaming enabled or disabled.

On the WLC console, I can see that it is not sending dissociates until approx -76 dB when I understand it should at a much stronger signal strength, and when it does that, it's only when there's another AP to roam to. If I go into the void, I will stay associated until about -90 dB before the controller drops it.

Does anyone have experience with Cisco Optimized Roaming who has run across this or similar?



CNA ping and trace utility via cli

I have been finding the Layer 2 ping and trace utility in Cisco Network Assistant very useful indeed. It gives you a complete list of actual in/out port designations for a given ping route across multiple switches between 2 IP addresses or MACs. Is this feature available via IOS to give the port number that a given device (IP address) is attached to?

https://www.petri.com/images/csc_cisco_network_assistant_06.jpg



VPN tunnel to provide failover between two different ISPs?

Equipment on my side:

2x SonicWall NAS 2600 in HA mode. 250/250 fiber connection from one ISP, 600/40 cable connection from a second ISP as the emergency backup (since there was only one fiber provider in my area when we set this up, in three years after the contract is up I'll look to replace the 2nd link with fiber but since 40 out is such extreme overkill for what we do I'm not worried about it).

Outside vendor requires VPN connection to their site. They gave us two tunnels for redundancy, both endpoints are on the fiber. They're used to setting things up for sites that only have one ISP so that's just the way they do it. If a tunnel goes down the other tunnel is there for backup. At most of their clients if the ISP goes down, I guess most people just sit offline until it comes back up.

For "reasons" they don't want to give me two more tunnels (primary and backup on my backup ISP) with failover between the two pairs. Not sure why, but it is easier to find alternatives rather than fighting with them.

I'm thinking I need a proxy somewhere that will serve as the VPN endpoint for their tunnel, then direct data to the fast connection if it is up, to the cable connection if the fiber is down. How do I configure such a proxy?