Saturday, September 8, 2018

Cool free open source tools

Sure, there's netdb, netdisco... Are there any other cool tools like those?

I figure there has to be a free Netflow solution.



Alcatel-Lucent 7210 SAS-E | Factory Reset Issue

Hey all,

I'm trying to factory reset an old 7210 SAS-E and am having a hell of a hard time. When I tried to reset the password after interrupting the boot sequence I was unsuccessful due to the password reset being turned off. However, I found a "Reset" button on the front of the device. There is no documentation that I could find regarding this button, and I tried to hold it down for a multitude of different numbers of seconds, but to no success.

Any insight or experience with this would help immensely.



Cisco ASR 9000 A9K-MPA-4x10GE 4-port 10-Gigabit Port adapter

Available now, brand new in sealed box Cisco ASR 9000 A9K-MPA-4x10GE 4-port 10-Gigabit Ethernet Modular Port Adapter



Local VPLS

Just started working with service routers, mostly ALU 7750 kind. I'm having difficulties wrapping my head around some of the concepts.

I believe this question pertains to most vendors, not just ALU. No fancy stuff here, no MPLS etc.

I want to send tagged traffic (vl10) on port 1/1/1 to vl10 on another port 1/1/2 and back.

Do I understand the concept of local VPLS correctly, that it creates a virtual L2 switch and could bridge my ports without any additional tricks?

Something like:

 service vpls 1000
   sap 1/1/1:10    (sap represents a port in the ALU concept)
   sap 1/1/2:10

should work right away?

I understand on ingress all tags are stripped and on egress added back depending on port/sap tagging, so similarly it could "translate vlans" as well?

 service vpls 2000
   sap 2/2/2:500
   sap 1/1/6:300

interconnecting traffic in vl500 and 300?

Thanks a lot.



Cisco dCloud - CSR1000v

Hi Folks,

Anyone know if it's possible to connect a CSR1000v to Cisco dCloud via VPN connection for home labbing and such?

Might cross-post this to r/ciscouc and r/cisco.

Thanks



Private Vlan Isolate

I was thinking about how private vlans would work within enterprise networking settings. Let's say a guest vlan X is configured as an isolated p-vlan of the primary vlan Y. I'm curious as to how:

1) since isolated p-vlans are configured per interface, does that mean the AP can only allow that single vlan to traverse that interface?

2) how would DHCP addressing work? Would a DHCP server need to be on p-vlan X since p-vlan Y is the gateway and other community vlans cannot communicate with the DHCP server inside p-vlan X?

I'm not trying to implement this kind of configuration, merely understand the use of p-vlan within enterprise network.

Thanks!



Upstream vs. downstream packet loss

Hi Guys,

If you are measuring packet loss in a mobile network, would you expect the proportional packet loss to be greater in the upstream direction or the downstream direction? What would account for this difference?



Do all the IP addresses associated with .bit domain names (and other alternative domain names) use a proxy?

I am using the Chrome Extension "Peername" to access these domain names, for example "nx.bit"

Peername Chrome Extension: https://chrome.google.com/webstore/detail/peername/kkdihlopcnkjinfjhbeopjfmnfpcoaop

Their source code is a script that is less than 100 lines: https://dpaste.de/YMew

Looking at their code, they don't directly query a DNS server (chrome extensions can only use html/css/javascript); they query a web API that returns an IP for a domain name.

Here is an example query for "nx.bit": https://peername.org/api/?name=nx&namespace=bit

The IP returned is 178.248.244.15. This seems all fine and dandy, but when you navigate to 178.248.244.15 in the browser, it redirects you to https://sv05.net-housting.de/user/index.php, a different page from where it takes you to when you type http://nx.bit in the address bar of the browser.

Inspecting the code further, I realized it uses the chrome.proxy api (docs: https://developer.chrome.com/extensions/proxy) and is using a proxy to connect to the webservers associated with the domain names at their custom DNS server.

Here is a snippet of code (with some defined variables omitted):

 var config = {
   mode: "pac_script",
   pacScript: {
     data: "function FindProxyForURL(u,h){if(dnsDomainIs(h,'" + domain + "'))return'" + access + " " + ip + ":" + port + "';return'DIRECT'}"
   }
 };
 chrome.proxy.settings.set({ value: config, scope: 'regular' }, function() {
   console.log('Got IP ' + ip + ' from SERVER. Proxy config is set.');
 });

From my understanding, it looks like every single .bit domain is using a proxy. chrome.proxy uses PAC, or Proxy Auto-Configuration. "A Proxy Auto-Configuration (PAC) file is a JavaScript function that determines whether web browser requests (HTTP, HTTPS, and FTP) go directly to the destination or are forwarded to a web proxy server" - https://developer.mozilla.org/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling/Proxy_Auto-Configuration_(PAC)_file

Every single .bit domain that I've tried has an IP address that redirects to a site that is completely different from the .bit site. Can someone explain to me what's going on?

I, too, am creating a new TLD and want the people who use it to be able to connect to these domains easily: via Chrome extension. Do all of these IPs have to forward web browser requests to a proxy server? What is going on here? Thanks in advance.
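As an added illustration of what the snippet in the post above does (this is not the Peername extension's own code), the following assembles the PAC text the same way and evaluates it with a minimal PAC runtime, so you can see which requests the browser would hand to the proxy. The proxy address, port and the test URLs are constructed values.

```javascript
// Added example, not the Peername extension's own code: it assembles the PAC text
// the same way the snippet above does, then evaluates it with a minimal PAC runtime
// to show which requests the browser would hand to the proxy. The proxy address,
// port and the test URLs are constructed values.

// Reimplementation of the PAC helper the browser supplies. Note it is a plain
// suffix match on the hostname, not a label-aware match.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.endsWith(domain);
}

// Same string assembly as the extension snippet.
function buildPacScript(domain, access, ip, port) {
  return "function FindProxyForURL(u,h){if(dnsDomainIs(h,'" + domain +
    "'))return'" + access + " " + ip + ":" + port + "';return'DIRECT'}";
}

// Evaluates the PAC text with only dnsDomainIs in scope (roughly what a PAC
// sandbox exposes) and returns its FindProxyForURL function.
function loadPac(pacScript) {
  const factory = new Function("dnsDomainIs", pacScript + "\nreturn FindProxyForURL;");
  return factory(dnsDomainIs);
}

// Runs each URL through the PAC and records the decision the browser would act on.
function routeDecisions(pacScript, urls) {
  const findProxyForURL = loadPac(pacScript);
  return urls.map((url) => {
    const host = new URL(url).hostname;
    return { url, host, decision: findProxyForURL(url, host) };
  });
}

// Constructed stand-ins for the values the extension gets from the Peername API
// (the post's real answer for nx.bit was 178.248.244.15; 192.0.2.10 is a
// documentation address used here instead).
const SAMPLE_DOMAIN = "nx.bit";
const SAMPLE_ACCESS = "PROXY";
const SAMPLE_IP = "192.0.2.10";
const SAMPLE_PORT = 8080;
const SAMPLE_PAC = buildPacScript(SAMPLE_DOMAIN, SAMPLE_ACCESS, SAMPLE_IP, SAMPLE_PORT);

const SAMPLE_URLS = [
  "http://nx.bit/",            // the .bit name itself: sent to the proxy
  "http://www.nx.bit/page",    // a subdomain: also matches the suffix
  "http://foonx.bit/",         // not a subdomain, but still a suffix match
  "https://example.com/",      // unrelated host: DIRECT
];

if (typeof require !== "undefined" && require.main === module) {
  for (const r of routeDecisions(SAMPLE_PAC, SAMPLE_URLS)) {
    console.log(r.host.padEnd(14), "->", r.decision);
  }
}
```

The third sample URL shows why the suffix match matters: a PAC rule keyed on dnsDomainIs sends any hostname ending in the configured string through the proxy, not only that name and its subdomains.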



Friday, September 7, 2018

Those who made the switch from MPLS/Private links to SD-WAN Hybrid or Internet-only deployments: How do your internet transport links compare to MPLS?

We don't currently utilize any internet links as transport links at the moment, so I am interested in how the performance is going to change when we go from MPLS to Hybrid and internet only.

  • Did you or your users notice a big change in their application/WAN performance when they are pinned to the internet links?
  • Did you find that internet service providers would differ from country to country?
  • Did you utilize direct cloud access for O365 and other apps, and if so how did you find the performance?



Question on MIBs

Trying to set up a new monitoring platform, but having trouble finding MIBs for the OS version we're running. I managed to find some that are within one minor rev, but like 90% of the OIDs I've tested don't respond. For example, I can test the OID for System Time and get a response, but the next one doesn't respond.

Really just looking for any suggestions folks may have. Is there a way that I can browse OIDs directly off a running device? I'd really like to be able to monitor Temps, PSUs, etc, but struggling with chassis stuff in particular.

Edit: this is for a VDX 8770 on NOS 5.0.1d



Just passed my CCIE and got about 5,000 INE tokens left that I would like to sell. Anybody interested?

Looking to sell my leftover tokens for INE racks at a good price.



WRED and WFQ

My oversimplified description of both, after an afternoon buried in Cisco documentation:

WRED is a congestion avoidance mechanism, which seeks to prevent congestion before it occurs. It specifically addresses the issue of global synchronization for TCP flows egressing a router interface, by selectively and semi-randomly dropping segments even before queues have become full. This is designed to cause staggered slow start for all TCP flows, resulting in more efficient use of link bandwidth, as opposed to all TCP flows entering slow start at once with tail-drop.

WFQ is a congestion management mechanism, which seeks to deal with congestion, as reasonably as possible, once it occurs. In its most basic default configuration, it prioritizes low-bandwidth flows such as ICMP and de-prioritizes high-bandwidth flows, in a very basic attempt at ensuring timely delivery of realtime traffic. It also divides bandwidth between flows, so no single flow can starve other flows during congestion. It is enabled by default on all Cisco interfaces at or below E1 speeds.

According to Cisco docs, WRED and WFQ are mutually exclusive:

You cannot configure WRED on the same interface as Route Switch Processor (RSP)-based custom queueing (CQ), priority queueing (PQ), or weighted fair queueing (WFQ).

But it goes on to say:

However, you can configure both DWRED and DWFQ on the same interface.

So, I enabled default WFQ on both sides of a saturated T1 link (I'm not sure why they were set to FIFO in the first place). Several measurements and subjective tests show improvement over FIFO: realtime stuff is way more responsive, and sflow shows bandwidth is shared more equitably between sources.

Based on an afternoon reading up on WRED, it sounds like that might also benefit this scenario, since sflow confirms 99% of the traffic egressing the interface is TCP. Also, this Cisco StackExchange post says it's advisable to enable both WFQ and WRED.

Questions:

  1. Is it, in fact, advisable to enable both WFQ and WRED on congested interfaces?
    1. If so, what is the simplest configuration that enables both, e.g.: just apply WRED to all TCP traffic and use WFQ for everything?
    2. If not, should I prefer one over the other? (I assume WFQ, but unsure).
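As an added illustration of the WRED behaviour the post summarizes (this is not code from the post or from Cisco), the following simulates a Cisco-style WRED profile with its minimum threshold, maximum threshold, mark-probability denominator and exponential weighting constant. The profile, the queue-depth trace and the random-number generator are constructed values.

```javascript
// Added example, not from the post or from Cisco: a simulation of the WRED drop
// decision described above. The profile values and queue-depth trace are
// constructed; the per-flow "count" refinement of RED is left out.

// Average queue depth is an exponentially weighted moving average:
//   avg = old_avg * (1 - 2^-n) + current_depth * 2^-n
function updateAverage(oldAvg, currentDepth, weightExponent) {
  const w = Math.pow(2, -weightExponent);
  return oldAvg * (1 - w) + currentDepth * w;
}

// Drop probability for an arriving packet.
//   avg <  minTh : 0 (no congestion avoidance yet)
//   avg >= maxTh : 1 (behaves like tail drop)
//   otherwise    : linear ramp from 0 up to 1/mpd at maxTh
function dropProbability(avg, profile) {
  const { minTh, maxTh, mpd } = profile;
  if (avg < minTh) return 0;
  if (avg >= maxTh) return 1;
  return ((avg - minTh) / (maxTh - minTh)) / mpd;
}

// Feeds a queue-depth trace (one sample per arriving packet) through WRED.
// rng is injectable so a run can be made deterministic.
function simulateWred(depthTrace, profile, weightExponent, rng = Math.random) {
  let avg = 0;
  const steps = [];
  for (const depth of depthTrace) {
    avg = updateAverage(avg, depth, weightExponent);
    const p = dropProbability(avg, profile);
    steps.push({ depth, avg, p, dropped: rng() < p });
  }
  return steps;
}

// Condenses a run into the numbers an operator would look at.
function summarize(steps) {
  const firstDropIndex = steps.findIndex((s) => s.dropped);
  return {
    packets: steps.length,
    dropped: steps.filter((s) => s.dropped).length,
    firstDropIndex,
    finalAvg: steps.length ? steps[steps.length - 1].avg : 0,
  };
}

// Small deterministic generator (constructed) so results are reproducible.
function makeRng(seed) {
  let s = seed >>> 0;
  return () => {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0;
    return s / 4294967296;
  };
}

// Constructed profile: start dropping at 20 packets queued, drop everything at 40,
// with at most 1 in 10 dropped just below the max threshold (Cisco's default mpd).
const SAMPLE_PROFILE = { minTh: 20, maxTh: 40, mpd: 10 };
const SAMPLE_WEIGHT_EXPONENT = 9; // Cisco's default exponential weighting constant

// Constructed trace: the queue sits at 35 packets for 3000 arrivals. The
// instantaneous depth is above minTh from the first packet, but WRED acts on
// the smoothed average, so drops only begin once the average has caught up.
function runSample() {
  const trace = new Array(3000).fill(35);
  return summarize(simulateWred(trace, SAMPLE_PROFILE, SAMPLE_WEIGHT_EXPONENT, makeRng(1)));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runSample());
}
```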


Can you use just one fiber strand if you wanted to only send traffic in one direction?

Let's say you wanted to physically ensure that only outbound traffic was possible from a given host.

If you had a 10G fiber connection and plugged in TX on one end and plugged in RX on the other, would you still be able to communicate (e.g. UDP send) or would the NIC or attached switch complain that it couldn’t establish full duplex and ignore the transmit side that is attached? Is this possible?

I am guessing I would need to turn off UDLD for this to work or is it not just possible?



Question: I am learning JunOS. Why are the braces ({}) separated by carriage returns in the CLI?

It just seems to take up additional space without need and makes things look janky.

I don't know a lot about unix so maybe there is some restriction built in.



Best practices for Anti-Malware/Threat prevention; endpoints vs PA next-gen firewalls?

tl;dr - potential client isn't interested in next-gen firewall DPI features as they've got Umbrella and a tightly controlled user desktop experience. I feel they should have both, for the sake of redundancy and layers. What do you think?

I'm doing some side work for a company that currently has ~40 users and will be expanding to ~100 within the year. They're moving into a new office space and I was asked (through a friend of a friend) if I was interested in helping out. The company is cloud-based for everything, OneLogin, Umbrella/OpenDNS and Jamf to lock down workstations (Macs only), g-suite for email, AWS thin clients for their call center workers (currently 5, will grow to 30). There are no on-prem servers of any kind.

I'm no MSP and my experience is pretty limited, but I put together a recommendation package that I felt worked best for them using a Palo Alto firewall with Threat Prevention, URL Filtering and Wildfire, Meraki switches and APs.

The CSO that I presented this to waved off the idea of having a next-gen firewall, saying he wasn't interested in it as he's got Jamf/Umbrella to provide malware and exploit protection. I was surprised to hear this from a CSO, but I also have limited experience outside of the niches that I've worked in so I don't know if he's right.

Is that a reasonable choice for him to make? Deciding that he's comfortable enough with how much his endpoints are secured and he doesn't need the DPI features enabled on his edge firewall?



I need to learn more about Cisco ordering from CCW. And other things... hoping to be pointed in the right direction.

Hey /r/networking. It's been a while.

Took 6 months off and just re-entered the workforce, and I just accepted a pre-sales position with a Cisco VAR that relies pretty heavily on ordering through CCW. I've played with the demo and tbh it seems pretty straightforward, but I'd like to be as prepared as possible.

There are 2 main things I'm looking for help with.

1) How do you identify bundles when ordering through CCW? Everyone kept throwing around that concept in my interviews, so I expect it to be a big part of the job, but I am not sure how to find them on the site.

2) When it comes to CCW, do you have any tips for MAKING SURE you order the right stuff? It seems like CCW is pretty damn simple, but holy moly are there a lot of SKUs for each product! I'll be building out a network design and ordering that design for our customers, so I just need to make sure I'm not messing it up early on in my role... I assume the answer here is "google it and be thorough" and also "know more stuff that you don't know now". So if anyone has some recommended resources that'd be really cool.

It's funny. I have always considered myself a strong Cisco engineer... but I have never been involved in the purchasing process. I think there's going to be a learning curve.

I guess when it comes down to it I'm really just looking for a crash course on Cisco network design from a hardware perspective.

Thanks for any insight. Sorry this isn't a question about something a little more technical.



Intranet Questions

I have an intranet network setup that is only accessible through a VPN. I want to be able to manipulate traffic inside the network so that I can make custom changes. For example, I want yahoo.com to actually load google.com but the URL still remains as yahoo.com.

What would I use to do this and how can I make this happen?



Is the AT&T ASE On-demand site usually slow?

We're getting 30 AT&T ASE On-demand circuits installed across our district currently. We just got our logins to the ATT Business Center website where we have to go build out the EVCs we want. So far it's taking 1-2 minutes for a circuit detail page to load and another minute or so to submit the EVC change request. I also get to the end of the order process and get session timeouts and the change request doesn't go through.

Anyone know if that's par for the course or is the site just having problems today? So far it's not this wonderful service like our sales guy promised.



Cisco 819 cellular interface not picking up IP?

I have a Cisco 819 that, for whatever reason, will not pick up an IP address on the cell interface. I've run the activation commands for AT&T, ensured signal, and even replaced the router. Not sure what else to try... any tips?

Config and info:

 interface Cellular0
  vrf forwarding INET-CELL
  ip address negotiated
  no ip redirects
  ip nat outside
  ip virtual-reassembly in
  encapsulation slip
  ip tcp adjust-mss 1300
  load-interval 30
  dialer in-band
  dialer string lte
  dialer watch-group 1
  dialer-group 1
  async mode interactive
 end

 controller Cellular 0
  lte modem link-recovery rssi onset-threshold -110
  lte modem link-recovery monitor-timer 20
  lte modem link-recovery wait-timer 10
  lte modem link-recovery debounce-count 6

 no cdp run

 Router#sh cell 0 r
 Radio power mode = online
 Channel Number = 0
 Current Band = Unknown
 Current RSSI = -61 dBm
 Current ECIO = -31 dBm
 Radio Access Technology(RAT) Preference = LTE
 Radio Access Technology(RAT) Selected = AUTO

 Router#sh cell 0 h
 Modem Firmware Version = SWI9X15C_05.05.58.00
 Modem Firmware built = 2015/03/04 21:30:23
 Hardware Version = 1.0
 Device Model ID: MC7354
 Package Identifier ID: 1102037_9903214_MC7354_05.05.58.00_00_Cisco_005.009_000
 International Mobile Subscriber Identity (IMSI) = XXXX
 International Mobile Equipment Identity (IMEI) = XXXX
 Integrated Circuit Card ID (ICCID) = XXXX
 Mobile Subscriber Integrated Services Digital Network-Number (MSISDN) = XXXX
 Current Modem Temperature = 33 deg C
 PRI SKU ID = 1102037, PRI version = 005.026, Carrier = AT&T
 OEM PRI version = 05.09

 Router#sh cell 0 net
 Current System Time = Wed Apr 2 5:41:5 1980
 Current Service Status = No service
 Current Service = Unknown
 Current Roaming Status = Home
 Network Selection Mode = Automatic
 Network = AT&T
 Mobile Country Code (MCC) = 310
 Mobile Network Code (MNC) = 410
 Packet switch domain(PS) state = Not attached
 Cell ID = 0

Debug shows:

 Ce0 DDR: Attempting to dial lte
 020625: *Sep 7 13:35:38.620: CHAT3: Attempting async line dialer script
 020626: *Sep 7 13:35:38.620: CHAT3: Dialing using Modem script: lte & System script: none
 020627: *Sep 7 13:35:38.620: CHAT3: process started
 020628: *Sep 7 13:35:38.620: CHAT3: Asserting DTR
 020629: *Sep 7 13:35:38.620: CHAT3: Chat script lte started
 020630: *Sep 7 13:35:38.620: CHAT3: Sending string: AT!CALL
 020631: *Sep 7 13:35:38.620: CHAT3: Expecting string: OK
 020632: *Sep 7 13:35:58.620: CHAT3: Timeout expecting: OK
 020633: *Sep 7 13:35:58.620: CHAT3: Chat script lte finished, status = Connection timed out; remote host not responding
 020634: *Sep 7 13:35:58.620: TTY3: Line reset by "Async dialer"
 020635: *Sep 7 13:35:58.620: Ce0 DDR: disconnecting call
 020636: *Sep 7 13:35:58.620: TTY3: Modem: (unknown)->HANGUP
 020637: *Sep 7 13:35:58.620: TTY3: no timer type 0 to destroy
 020638: *Sep 7 13:35:58.620: TTY3: no timer type 1 to destroy
 020639: *Sep 7 13:35:58.620: TTY3: no timer type 3 to destroy
 020640: *Sep 7 13:35:58.620: TTY3: no timer type 4 to destroy
 020641: *Sep 7 13:35:58.620: TTY3: no timer type 10 to destroy
 020642: *Sep 7 13:35:58.620: TTY3: no timer type 2 to destroy
 020643: *Sep 7 13:35:58.692: TTY3: dropping DTR, hanging up
 020644: *Sep 7 13:35:58.692: tty3: Modem: HANGUP->(unknown)
 020645: *Sep 7 13:36:03.716: TTY3: restoring DTR
 020646: *Sep 7 13:36:13.620: Ce0 DDR: re-enable timeout
 020647: *Sep 7 13:36:13.620: DDR: Dialer Watch: watch-group = 1
 020648: *Sep 7 13:36:13.620: DDR: network 5.6.7.8/0.0.0.0 DOWN,
 020649: *Sep 7 13:36:13.620: DDR: primary DOWN


ISP Redundancy

I currently use our firewall as gateway with a default route to the internet. We are installing an AT&T router using BGP. What would be the easiest way to route traffic out the router in the event the Cisco ASA ISP fails?

thank you



What is change control like at your organization?

And are you happy with it?

Change control and change management have been generally pretty lax at my organization, but that's changing very quickly. Which I have no problem with - I've been asking for that for a while now. Only problem is I think management is going about it the wrong way - things aren't really defined, there's nothing accounting for emergency situations, troubleshooting, etc.

I'm hoping if I can find out what processes are used at other organizations, I can try and push upper management in the right direction. They generally seem to respect my opinion, so as long as I have something other than "your idea sucks" to present to them I feel like I can get some traction.

So what is your process for change control? What would you change about it? Is there generally an industry standard for this?

For context, my org has 10,000 employees (give or take) and manufactures all over the world.



Puzzling wireless behavior

As the programmer at a small non-profit I'm also the assumed IT guy. Computer stuff is all the same, right? Sigh.

Anyway, we have a small building served by a single Unifi AP-LR, yes it is old. This has been fantastic until recently.

The configuration:

  • We broadcast 2 ssids. One for staff and one for guests.
  • Each network has its own vlan and connects directly to our UTM box.
  • All block actions are logged.
  • The guest network has access only to the internet and no access to any other part of our network.
  • No captive portal.
  • Each wireless network has its own /24 address block.
  • Snort IDS on WAN
  • Transparent Squid Proxy

This has all worked fine until this week.

The symptoms:

  • Some devices work on the guest ssid but others time out when accessing the internet. However,
  • All devices get an ip address.
  • DNS queries work on all devices.
  • Some services and webpages work on the "broken" devices but most do not, though DNS is working on the broken pages.
  • The devices that I am testing with are both phones, one android, and one iPhone that fail to connect.
  • Laptops seem to work fine.
  • The devices that fail do work properly on the other ssid.
  • There are no log entries showing traffic from those phones being dropped or blocked. All services seem to be playing nice.
  • The AP also doesn't seem to want to inform the controller so I have no data there. Yes, I know how to ssh in and set-inform.
  • We have plenty of dhcp leases available.

Any ideas? Thanks for your help!

tl;dr

Some devices work on our guest wireless while others simultaneously do not.



How does NPS find Domain Controllers to establish LDAP connections?

How does NPS find Domain Controllers to establish LDAP connections? Is it DCs in the same Site or same subnet or what? I've looked for answers to no avail. Thank you.



HP NNMI Question?

Is it possible to create multiple icons in the topology map using only 1 node?

ex.

Icon01 - Node A - Interface 1
Icon02 - Node A - Interface 2

Thanks



2 ubiquiti switches, 2 separate networks, 1 sonicwall tz400

Hi,

I have 2 separate networks at a client's office, one for phones and one for data. I have 1 Ubiquiti cloudkey and 2 Ubiquiti switches. I need the 2 switches to be added to the portal for management, but I only have 1 cloudkey, so I need to find a way to get these 2 switches to be able to communicate with each other so I can have them both online on the portal at once. One network will be on a class C range and the other a class B range.

My thoughts were to connect the data switch to the LAN port (x0) on the back of the sonicwall, the data router to x1, configure x2 on the sonicwall to be another LAN interface for the VoIP switch, and x3 to be a WAN interface for the VoIP router.

What config would I need to do to make this work? Is my thinking right?

Thanks!



What am I overlooking on this switch?

I'm looking to understand how a certain switch is reaching outside its network.

I've got a switch (2960) in my office, no ip routing enabled, no default-gateway set, no management port. It's assigned, let's say, 10.0.0.2/25 on a vlan. That's hooked up to a multilayer switch to get it out. Now my PC is 10.0.0.200/25. My PC is able to reach it and manage it, and how is what I'm trying to figure out.

I thought it might be proxy arp, but testing disabling that didn't stop things. It's disabled at the gateway router as well.

One person I talked to said that if it's sitting in the same segment, it would be able to still route out with that multilayer switch. I don't quite understand this though.

Is there something I'm missing? My understanding is that it should just drop that packet when it sees it has no path back, simple as that. Am I being stupid?

Edit: Changed /23 to /25



LACP with Gigabit interfaces - Best Practices for Auto-Negotiating Speed?

I understand that most manufacturers recommend use of auto-negotiation with gigabit links as best practice, but today we got burned. A member of an LACP aggregate failed to auto-negotiate properly, and each end of the link handled this differently, causing the entire aggregate to flap. I cannot find any documentation to see if what happened is expected according to the standards, or if we might have a device that is not functioning in compliance with the standards (in which case we can open a support case with the offending vendor).

Two questions:

  • Is there a documented best practice for LACP that recommends avoiding link speed auto-negotiation?
  • Does the LACP standard define some specific logic that a device must use when detecting and responding to a speed mismatch between port members? (For example: Is it the fastest link that wins? Is it the first link bundled that wins? Is it some other criteria?)

The Details

4 x 1Gbps links bundled in an LACP etherchannel between a NetApp and a Cisco IOS switch. Ports configured for auto speed/duplex on each side.

  1. A power failure occurred and devices power cycled.
  2. One of the ports auto-negotiated to 100Mbps (consider this a separate issue, root cause of this is not the primary concern, but this triggered the more concerning issue).
  3. Cisco Switch detected that this 1 port (100Mbps) was not compatible with the other ports (1000Mbps), and removed it from the bundle. This seems like the ideal behavior (but is it standard?).
  4. NetApp detected that the other 3 ports (1000Mbps) were not compatible with the one port (100Mbps) and removed all 3 of them from the bundle. This seems like the opposite of the ideal behavior (but did they violate the standard?)
  5. This led to flapping back and forth again and again with the NetApp repeatedly removing and re-adding the 3 ports, and the switch repeatedly removing and re-adding the 1 port.
  6. After physically disconnecting and reconnecting the link that negotiated to 100Mbps, it successfully auto-negotiated back to 1000Mbps and the connection was once again stable. We are replacing the cable in-case the cable is faulty and caused the failed auto-negotiation, but my concern is that such a failed auto-negotiation can fail an entire bundle like this.


The most helpful error message ever.

Had an ASR9K give this error message:

RP/0/RSP0/CPU0:Sep  4 16:55:20.027 : FABMGR[222]: %PLATFORM-FABMGR-2-FABRIC_SPINE_FAULT :  0/RSP0/CPU0 (slot 4) encountered fatal fabric fault. Standby is not ready so no recovery action taken. Please investigate 

Really helpful, right?

Got any similar stories?



Cheapest possible iperf

Good afternoon all!

I'm looking into building a dedicated iperf server for network throughput / latency testing.

I need it to be mobile, and to support 1G/10G SFP+ fiber connections.

While 10G is the physical media it needs to support, I don't expect I will need to test at higher than 1Gbps.

I was looking at the ODROID-C2, which could perform 900 megabit throughput tests, but it only has a copper port.

Will I have to go up to a mini-atx motherboard to support optical NICs? Does anyone have a suggested build for this application?



WCCP when the router is not the default gateway

Hello, let me explain my question. In my network architecture I have a Cisco 6k, but it is not the default gateway for traffic; the default gateway is a Juniper, but the traffic physically goes through the 6k. If I configure WCCP on the 6k to make a transparent proxy, will the 6k intercept the traffic and send it to the proxy? Sorry for my poor English, and thank you for the response.



Fat fingered during AP setup

So I was adding a few APs at a new building and getting them in the right vlan.

 default interface GigabitEthernet2/0/42
 interface GigabitEthernet2/0/42
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 2
  switchport mode trunk
  shut
  no shut

Well, after the last command, I got an error; I had typed no sh!t instead. Good chuckle to end the day.



VMware's NSX Key to Multi-cloud Domination



Cisco WLC and restricting Airplay to local subnet

Starting from the beginning... I have an SSID that is shared across a few AP groups. Within any of the AP groups, this SSID is assigned a different vlan interface so there is a different subnet per building location. All traffic is tunneled back to the controller.

Bonjour is supposed to be link local... but for some reason does not work without mDNS being enabled. The problem is the Apple TVs are now crossing subnets, which I do not want. I previously set up the ACLs in the controller from the link below, but it does not seem to have any effect anymore as the Apple TVs are still discoverable across buildings.

https://www.cisco.com/c/en/us/support/docs/wireless/aironet-1100-series-access-point/113443-cuwn-apple-bonjour-dg-00.html#block

I'm sure I'm missing something obvious. Any ideas?



Configuration Management

New to the subreddit but looking for feedback on the level to which people track configuration items within their configuration management approach. For instance, I've worked in environments where a VM image or laptop is tracked as a configuration item (i.e., to whom it's issued, make/model, but that's about it) and I've always thought the approach lacked sufficient detail to track more meaningful opex stuff (what software is loaded on a machine, what version of software, licenses for that software, etc.).

How detailed do people get with their configuration items? Examples?

Thanks in advance.



ASR1001-X BGP Flowspec Client

Hello Redditors,

Has any one of you worked with the ASR1001-X as a BGP Flowspec client (not RR; client, as in getting and enforcing flowspec rules)? I got in contact with a VAR who said this was possible, but I tried looking for this feature on Cisco Feature Navigator and I don't find it. I wanna be 100% sure this is possible.

Thank you in advance.



4096 vlans limit vs VXLANs - I think we are still limited to 4096

I was reading through all these VXLAN/EVPN documentations and still have a point unresolved...

in such a topology:

ESXI HOST <---> vtep switch <---- ip network -----> vtep switch 2 <----> ESXI host 2

if we do not use NSX, but use good-old dvSwitches, we still have to configure VLANs on leaf switches and then map them to a VNI (VXLAN) in it. Like:

 !
 vlan 100
   vn-segment 30100
 !

or for Jun QFX

 set vlans VLAN100 vlan-id 100 vxlan vni 30100 multicast-group 233.252.0.100 

and we still have a limit of 4096 per switch. But if we use vMotion, like DRS (resource scheduler, which moves VMs on its own opinion to achieve smooth host workload), we have to have the same vlans set on all of the leaves. Then all our switch fabric is limited to 4096 vlans. And we can still use something like FabricPath or any other TRILL implementation without buying new modern N9K :)

Another case - we have NSX or another SDN which does VXLANs by itself on hosts. Then we do not need VXLANs in our fabric because hosts produce pure IP traffic and all we need is ECMP or just bandwidth. Only in case we want to connect bare-metal hosts or maybe AIX monsters we maybe need a hardware VTEP, but even in this case it can be solved by a software VXLAN gateway (NSX has it).

Where am I wrong? )



ISE & Firepower RADIUS attribute 217

I have a remote-access vpn local pool problem. Here is the step by step of what should happen (I fail at step 7):

  1. RA VPN user uses anyconnect, and connects to firepower box
  2. User enters credentials
  3. Firepower sends authentication required to ISE via radius
  4. ISE checks user against AD group for authentication
  5. After successful authentication an authorization profile is assigned
  6. Within the authorization profile, attribute 217 is set, which is the option to tell the Firepower box that the clients should be assigned an IP address from a local ip pool on the Firepower box called "STAFFVPN". This is shown here: https://ibb.co/gu0n4e
  7. The result of steps 5 and 6 are sent back to the firepower box, and an IP address from the pool named "STAFFVPN" should be assigned to the client.

I've got to step 7. On the firepower box I am able to see that the correct attribute is being received from the ISE server via a packet capture, shown here: https://ibb.co/cRtFPe. The capture shows attribute 217, with value "STAFFVPN" is being returned to the firepower device.

I can also show you the client connection profile IP pools here: https://ibb.co/jXYFPe

However, the pool is assigning the wrong IP. It's assigning an IP address from the "NOT-STAFF" ip address pool. Why?



Cisco 3925 - license for SSLVPN (used hardware)

Hi.

I'll admit, I haven't dealt with Cisco licensing for some time and need some help.

I'd like to re-purpose a second-hand 3925 router. It has SPE200/K9 and it already has a securityk9 permanent license. It worked before as a DMVPN hub.

I'd like to replace an 880 router with that one to provide AnyConnect connectivity (the old router can't handle the amount of WAN traffic anymore). For that I need to purchase a license.

I see that some shops still offer FL-SSLVPN10-K9=. I'd like to buy that one instead of SL-39-SEC-K9 which replaced former license according to this document; it's A LOT MORE expensive.

Won't there be any problems with registering such a license on used hardware?



New Job - Boredom

Guys,

Due to personal circumstances I recently took a job in another city for a medium-sized ISP as a project engineer - after having worked in the enterprise sphere for most of my career (around 7 years now).

I've been sat ever since I started, for around 2 weeks, with absolutely nothing to do, bored out of my skull; no formal induction process or overview of the network / architecture (the team doesn't even sit together, it's such a crazy setup - I'm not actually sat with any networks guys, and they don't even sit with each other!) - don't get me wrong, I'm confident in my own ability and don't need my hand holding, I just don't get a real "Team" vibe compared to other jobs I have worked in.

I have been creating my own network diagrams to get me up to speed via tracerts and looking at the config backups (as their current documentation is really poor; this is for my own sake, the other guys seem to have the topology committed to memory so don't see the point) - it's interesting to see the ISP side of things from an architecture perspective and I can see potential to learn and I want to make a go of it.

I don't have any TACACS logons yet so I can't inspect routing tables or run show commands on any equipment, I don't have local admin on my laptop so I can't even install any of the tooling I use, I don't really have anything to work on - my manager just keeps saying "oh you started at a bad time, we are in the middle of this big project" - I'm just sat like a piece of fruit, not really being engaged for anything ...

/rant



Can we change the banner to something other than a 2950 ?

It's 2018, man



Thursday, September 6, 2018

Possible to Create a IPSec Tunnel Between 10.10.0.0/23 and a 10.0.0.0/16 network ?

Hello. We are currently working to integrate a remote office into our main branch using a set of Palo Alto firewalls. The remote office is currently set up with a pair of Layer 2 Ciscos into a PA-820 firewall. The network we inherited was originally 10.0.0.0/8 but we changed it to 10.0.0.0/16. We are trying to create a tunnel between that network of 10.0.0.0/16 and our network, which is 10.10.0.0/23, and it's failing. When the remote office does a traceroute to a remote IP of 10.10.0.144 we don't see it hit the default gateway of 10.10.0.1 and it just times out as if the remote machine is on a local network. We also don't see it hit the firewall. Are we missing a major piece of network design here and banking too hard on the subnet masks? Thanks in advance!



Networking

I need to understand a network issue which I haven't been able to figure out. I have a NAS set up for my home network which I'm not able to access from outside of my network. My router is behind 3 different routers. I do understand port forwarding, however I do not have access to router #2 where I could set port forwarding rules. How can I accomplish it without port forwarding?

Is there any IP segment issue?

1 - Modem

2 - Router (Public IP - 172.34.56.23 (not real - just for understanding))

3 - Wifi Repeater (NAT)

4 - Wifi Repeater (192.168.1.234 (NAT from #3))

5 - My Router (10.20.10.20 gateway) - this is also configured for NAT.



My Friends Internet is GARBAGE... halp!?!?

So my friend lives on a street all by himself in a house that was built brand new when they moved in a decade ago or whatever.

So we live in New England (Northeast US) so it's not like we're in buttf*ck nowhere either.

But he has Frontier, and the best speed they could get is 12 Mbps down. That is the highest plan they are allowed to pay for, and even on the few other ISPs it's the same or less.

Is there any remedy for my fallen brethren with 100 ping in every game?



Network Engineering can be tough, so this is what I did to solve it, SSL issues (solved)

I work for an ISP in Systems Engineering. We currently use an in-house wiki to keep track of approximately 30 SSL certificates, including where each was purchased from, what servers it is used on, and when it expires. The ~30 certificates doesn't sound bad, until you factor in that about 10 of them are wildcards and therefore used on multiple services/servers; these 30 certificates cover a variety of services, such as LDAP, HTTP, mail, and a myriad of other functions, probably to the tune of 100-200 actual deployments.

So I decided to build dedicated software to keep track of these and warn via email, SNMP, and text that certificates need renewing. The tool can even randomly poll via the method used (LDAP, HTTPS, IMAP, etc.) and make sure the certificate is good for that server/service.

I have tried looking for solutions for this. Unfortunately, most of the options out there are for enterprise-only environments, and want to only work for Windows/IIS, or only track HTTP.

SO I BUILT MY OWN. It still needs more testing.

Would love to get some beta testers on it; would anyone be interested?
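
The core of what the post describes, as an added example that is not the poster's tool: classify a certificate's expiry against a warning threshold, check that a wildcard certificate actually covers the host it is deployed on, and fetch the peer certificate over a verifying TLS handshake. The inventory hostnames, the 30-day threshold and the sample certificate fields are constructed for the example.

```python
"""Certificate expiry and coverage check for an inventory of TLS services.

Added example, not the poster's tool.  INVENTORY and WARN_DAYS are
constructed; fetch_peer_cert() performs a real handshake and is only
exercised when the module is run against live hosts.
"""
import socket
import ssl
import time

# Constructed inventory: (service name, host, port).  The hosts are
# placeholders, not systems from the post.
INVENTORY = [
    ("webmail", "mail.example.invalid", 443),
    ("ldaps", "ldap.example.invalid", 636),
    ("imaps", "imap.example.invalid", 993),
]

WARN_DAYS = 30  # renewal warning threshold assumed for this example


def classify(cert, now=None, warn_days=WARN_DAYS):
    """Classify a certificate dict as returned by SSLSocket.getpeercert().

    Returns (status, days_left) with status 'ok', 'warning' or 'expired'.
    getpeercert() gives notAfter as a string such as
    'Jan 01 00:00:00 2030 GMT', which ssl.cert_time_to_seconds parses as UTC.
    """
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((not_after - now) // 86400)
    if not_after <= now:
        return "expired", days_left
    if days_left < warn_days:
        return "warning", days_left
    return "ok", days_left


def hostname_covered(cert, hostname):
    """Return True if hostname matches a DNS subjectAltName entry.

    A leading '*' label matches exactly one label, so '*.example.invalid'
    covers 'mail.example.invalid' but not 'a.b.example.invalid' or the
    bare 'example.invalid'.  This is the check that matters for the
    wildcard certificates the post mentions.
    """
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    host_labels = hostname.lower().split(".")
    for name in names:
        labels = name.lower().split(".")
        if len(labels) != len(host_labels):
            continue
        if labels == host_labels:
            return True
        if labels[0] == "*" and labels[1:] == host_labels[1:]:
            return True
    return False


def fetch_peer_cert(host, port, timeout=5.0):
    """Do a verifying TLS handshake and return the peer certificate dict.

    Verification stays on deliberately: a certificate that fails chain or
    hostname validation is exactly what a monitor should report, so the
    ssl.SSLCertVerificationError is left for the caller to handle.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_service(name, host, port):
    """Return a one-line status report for one inventory entry."""
    try:
        cert = fetch_peer_cert(host, port)
    except (OSError, ssl.SSLError) as exc:
        return f"{name}: ERROR {exc.__class__.__name__}: {exc}"
    status, days = classify(cert)
    return f"{name}: {status} ({days} days left, SAN match={hostname_covered(cert, host)})"


if __name__ == "__main__":
    for entry in INVENTORY:
        print(check_service(*entry))
```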



Sophos UTM 9 - Two web servers using port 80

Hello,

Quick question - I have two different physical webservers, one Windows and one Linux, in my homelab. I am using Sophos UTM 9 as the firewall/router. I have created in the UTM setup two real webservers with the correct and different IPs. I have created two virtual webservers with the following domains: name1.mywebsite.com and name2.mywebsite.com. However, when navigating to the different domains, I am only getting one of the websites regardless of what address I am putting in. I have tried searching the web and I can only find advice to change the ports - I don't really want to do that as I don't want my friends connecting to my sites to have to remember to put an :8080 at the end. I am thinking I may need to spool up another service to use as a reverse proxy, but I am trying to avoid that if possible since I am unfamiliar with it.

I am unsure what data you will need to assist, but feel free to request what you need and I will do my best to provide it.

Gold to anyone that can help me solve this.

Thanks in advance!



HPE OfficeConnect 1950 Upgrade

I'm about to upgrade my first 1950 (tbh, my first HPE Comware switch, period) and I'm probably over-analyzing it (as is my style), but the release notes are not very clear about what happens if the new images don't load and run properly. The release notes discuss upgrading from the CLI, but say nothing about copying the current images to backup first as I would expect; only how to issue the upgrade command, answer yes, and hope that everything goes right. Later on in the release notes there is a section titled "Handling software upgrade failures" which states "If a software upgrade fails, the system runs the old software version", but that sounds pretty generic to me.

Would anyone here suggest, from experience, that the existing images should be set as backup startup software images using the (Secret Squirrel mode, potentially unsupported) xtd-cli-mode -> boot-loader command first? I don't really see a downside to doing that, except that I don't know a way to unset those attributes later.

Even though it's not discussed in the release notes, there is also an upgrade section in the GUI which has a nice little step-by-step list of what to do. I'm sure it just gives you an (admittedly) more convenient way to load the .ipe file on to the switch via HTTP rather than using a TFTP server with the CLI upgrade command, and then it probably kicks off the exact same process after the file is transferred.

I'm just more comfortable with the good old method of loading the files to flash and specifying directly and explicitly which image I want to load at next boot and which one to try if that one fails... My fear is that one of these nice, convenient-looking, newfangled processes fails and then I have to drive 3.5 hours to the site before I can get a console cable plugged in to the switch and recover from all Hell breaking loose because I trusted the auto-magic to happen and it let me down. Any and all advice is welcomed.



Ethernet cable to Xbox not working?

So I got a new modem/router thing the other night and I have my Xbox One wired to it. Yesterday morning I turned on my Xbox to see it not connected. It was showing my IP and MAC address and everything but no connection. So I reset the modem (which with this new one takes forever) and then it was working fine. Later that day after turning my Xbox on again it had the same problem. The Ethernet cable to my PC was working so I tried it on my Xbox and it worked fine; tried my original one and it still didn't work, until I reset the modem... what's the deal? I assume I need a new cable considering other ones worked while it didn't, but why does resetting the modem fix it?



Comcast EoHFC

So I'm getting two quotes right now... one for a T1, the other for EoHFC. Is EoHFC still an async product like cable modems? Does it use a cable modem? Curious who's had experience with it and could share. I'm getting a small stable pipe for a remote location that needs this for low latency VoIP and a backup to the existing fiber on prem.



Unable to contact domain on two identical computers.

Hello, I am attempting to set up two spare machines for a client and they will not allow me to add them to the domain. As standard procedure I set up both computers with Cisco AnyConnect VPN into their network, which normally allows me to add the computers to the domain and log in as the domain admin. When I type in the domain name and hit okay, it waits for about 15 seconds before erroring out. I tried to see if it was a DNS conflict by manually setting it to that of the domain, however it did not work. I am able to ping and look up the DNS server as well. All of my other machines go through this process without any problems. I would love any help I can get on this error. Thank you!



Console cable to USB

Can I use something like this

https://www.tailormade.kiwi/digitus-10-100m-network-usb-adapter

with an RJ-45 cable as a console cable for configuring Cisco switches/routers?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



Can two cat6 ethernet cables from different brands have any major difference?

In other words, does the brand of cat6 cable I buy matter? Or can I just buy the cheapest one?



What to do with a free Meraki AP?

I took part in a competition hosted by Cisco and won a Meraki MR42. I personally have no use for it as I am studying using software based emulators. How would I even go about selling it / working out a fair price for it?

UK based if that makes a difference. I’ve read the rules before posting but if this does break any rules let me know so I can amend.



Cisco Catalyst 3750G configuration assistance

Hey Redditors and Network Gurus!

I need some assistance, because this is driving me insane. I'm trying to have my network interconnect internally. I have a Cisco Catalyst 3750G Switch, and I have Samba shares on my Linux Server and Windows Server that I need my clients to have access and connect to.

I have looked at static routing, and using extended ACLs and just normal ACLs, and so far nothing has been able to work, and I'm not sure where to go from there.

Pasted below are sections of my switch config, if anyone can help me with this, I would be eternally grateful. I have literally hit a brick wall...

    vlan access-map map1 10
     action forward
     match ip address int_network
    !
    vlan filter map1 vlan-list 1
    vlan internal allocation policy ascending
    !
    interface GigabitEthernet1/0/1
     switchport mode access
     ip access-group int_network in
    !
    interface Vlan1
     ip address 192.168.0.245 255.255.255.0
    !
    ip default-gateway 192.168.0.1
    ip classless
    ip http server
    ip http secure-server
    !
    ip access-list extended int_network
     permit tcp any any
     permit udp any any
    !
    access-list 2 permit any



Question about OSPF in my network

I am in the process of changing many things on our network. Current network has all static routing and we use a L3 connection between our office switches and the switches that are used by the dark fiber network in town. The dark fiber switches then route all data to our main centralized switches where the rest of the routing happens. We are now transitioning to having a L2 point to point connection back to our datacenter switches from our offices rather than this L3 network. I am looking into switching from static routing to OSPF. Here is a network diagram of what our setup will look like when completed.

My thoughts are to setup the network as follows:

  • Run OSPF between switches to aid with routing.
  • Use a /29 for each of the point to point connections between each office. This is because we have two switches setup in our datacenter that are running VLT + Peer Routing so a /30 would not work as that only allows 2 hosts and not 3 or 4.
  • I would like to keep routing table as small as possible.

So my question is about areas. Should all of these switches be in area 0? Or should I leave the DC as area 0 and then create a different area for each office?



802.11q expected for 3rd party devices, is this normal?

I'm wanting to say no, I hope.

The company I've been with for 12 years has been around for 15. We put "kiosk"-type devices onto our clients' sites, and often get to use their network as transport. The most common setup is a site to site VPN between our DC and theirs, and a dedicated VLAN that spans the site, terminated to untagged access ports at the given locations and switches.

Had a client yesterday tell me they're shocked and disappointed that we don't support 802.11q tagging on our devices, as now they have to "manage the switches" and are concerned about what will happen if someone repatches one of our leads.

This is a coal mine, in full 24/7 operation. I'd like to think people aren't willy nilly repatching switches! Certainly in my 12 years, I've never had to respond to an issue where the cause was that someone moved our patch lead. (unplugged or cut leads, sure)

Is this a reasonable expectation?

FWIW, our devices in this case are Windows 8 Embedded on an industrial PC, and some Moxa ioLogik devices. I'd say I could probably have made the PC do it, if the drivers supported it, but the Moxa flat out doesn't.



Cisco standalone WLC versus Supervisor 8-E

Hi all,

I have a 4510R+E chassis with dual Supervisor 8-Es. From what I have read this model of Supervisor has the ability to be a wireless LAN controller in addition to everything else it does normally. So my question to this group is:

  • Is anybody using their Supervisor 8-E to manage wireless instead of a dedicated WLC?

Thanks.



FYI: Changes To Out-Of-Region ROUTE, ROUTE6, And AUT-NUM Objects In The RIPE Database

This went live on the 4th and has been impacting some of our customers.

https://teamarin.net/2018/07/10/changes-to-out-of-region-route-route6-and-aut-num-objects-in-the-ripe-database/



Help...sonicwall + network switches

Hi all,

I’ve been given a task to do tomorrow for a client of ours at our MSP.

At the moment, our client has 2 modems going into a Cisco Meraki router. One line is for their VoIP system and the other for their data.

Tomorrow I’m replacing their set up with this:

2 x Ubiquiti 24-port PoE switches
1 x SonicWall TZ400
1 x Ubiquiti WAP

I need to create a VLAN for guest WiFi and a VLAN for the data, and the second switch is going to be on a different subnet.

I'm going to plug the data router into the SonicWall and configure the interface it is plugged into, and then plug this into the VoIP switch and put the VoIP switch on the same subnet.

For the data switch, I need to create a VLAN for their data, and the same on the SonicWall, and then set up DHCP scopes for this I think? And then do the same for a VLAN for their guest WiFi, and the same on the SonicWall.

I'm really nervous as my networking skills aren't that great, and I don't want to rip out the client's network and then not be able to get them up and running again! I'm more server installations than networking, and I really need some advice about where to start with all of this.

I've got the kit here with me tonight for set up; I'm planning on upgrading the firmware first for each device and then putting them on our Ubiquiti portal and registering the SonicWall.



Cisco Nexus VPC internet outage

Hello everyone,

Have a situation I am trying to figure out for a failover scenario with vPC.

We have two Nexus 3000s in vPC mode for redundancy. My question is: when the link to the internet fails on the primary, is the Nexus switch smart enough to transition to the secondary Nexus for internet access and routing? I have attached a screenshot of an example.

https://imgur.com/wF1nLxJ

Anything helps.



ASA Experts please chime in ...

Hey Guys,

I have a simple question that I am hoping someone here can chime in on. I have two sites right now, Las Vegas, and Los Angeles. At both these sites we have two ASA 5540s in HA handling VPN connections. The Las Vegas units were setup as a DR site (this whole setup was configured by the previous Net Eng) and the Los Angeles site is the primary.

The higher ups want Las Vegas to be the primary location now as Los Angeles will be dissolved. I noticed that the Las Vegas ASAs do not have the proper Mobile Connect license (they don't have one, period) but the Los Angeles units do.

We can't find the proper license anywhere to enable mobile clients for the Las Vegas firewalls. So they want me to move the LA firewalls to Las Vegas. I am hoping I can do this with minimal downtime. This is my plan and I am just looking for some confirmation that it will work. This is the COA I am planning on taking.

I guess my main question is if I take the config from the Las Vegas ASA and load it to the LA unit will it work correctly?

Back up the configuration of both the LA and Las Vegas ASAs

  1. Shutdown and unplug the secondary ASA 5540 in Los Angeles
  2. Leave Primary ASA 5540 Up and running.
  3. Load the Las Vegas backup configuration on the Los Angeles secondary ASA
  4. Verify that the Las Vegas configuration is properly loaded and working on the secondary ASA
  5. Ship/Take unit to the Las Vegas Office
  6. Backup and shutdown the Las Vegas ASAs
  7. Remove Las Vegas ASA 5540s
  8. Install the new primary ASA 5540 on the Las Vegas Rack and plug everything up
  9. Turn on unit and verify that it is accessible via the Management port
  10. Finalize configuration and external access to the ASA
  11. Test VPN connection and update DNS address
  12. Once DNS updates verify connection to the VPN via DNS address
  13. Logout all users from the LA ASA 5540
  14. Verify that end users are able to connect to the Las Vegas ASA and the DVRs
  15. Shutdown outside interface on LA ASA
  16. Remove old Las Vegas ASAs


Sister's school adds root CA for HTTPS interception. Ways to restrict it?

Hi everyone. Apologies if this isn't the best subreddit to post this on.

My sister's school is introducing a BYOD policy for the new year and it turns out that they want to do HTTPS interception through a product called Smoothwall. To do this they've made the students install a trusted root CA certificate which has an alarming number of purposes.

I'm wondering if there is a way to restrict this installed certificate, either to a certain wifi network, or by reducing the intended purposes under certificate properties? She only needs to use Chrome at school for the Google Classroom websites and webmail. I've spent a long time googling this myself but can't find any definitive information on the subject...

Thank you for your help!



Network design interview question

Hey reddit,

I had a nice task at my job interview; I'm just wondering how "correct" my answer was.

I had an unlimited budget and I had to design a complete enterprise network with intercontinental locations and only with Cisco devices.

What would the topology look like? What devices would you use? What routing would you use? VPN? What flavour? SDN ready? Defense in depth?

They were curious about an innovative/special/irregular solution.

Anybody feel like solving this too?



Solarwinds mapping with a large network.

So I got approved to get Solarwinds purchased and set up on my network. I'm wondering if anyone has experience/suggestions for creating a sensible map for it though. You get that world map, which is fine, but I'm going to need to add around 500 sites on one of my networks, and it is fairly impossible to do with that 720p JPG they give you. I haven't really located anything much better either. I'm not sure if you can do a vector based map and use that or not.

Possibly the best answer is that I'll need to find the best way to group things and set it up that way. I'm not sure yet if I can set up a group and create a threshold for it changing colors or something to indicate so many sites being down.



How secure/safe is traffic segmentation through tagged VLANs? Is VLAN hopping the only thing to worry about?

Title kind of says it all. I'm wondering what are the dangers of using VLANs in regards to traffic leaking across. How practical is VLAN hopping in the real world? Are there other security issues to worry about? How do you prevent VLAN hopping?



Bufferbloat in Enterprise

My late moronic Monday question:

Spent some time reading up on fq_codel and other AQM stuff aimed at mitigating bufferbloat last night. Enabled the SQM QoS package on OpenWrt at home and now show little/no bufferbloat.

So how do we address bufferbloat on enterprise gear such as Cisco/PAN/etc? I assume it's all wrapped in the overall QoS package from each vendor, but I'm not sure where to start. bufferbloat.net seems to imply it's mostly a SOHO issue since that is where the bottlenecks are - but I have to assume enterprise networks contend with this as well, right?

What, if anything, do you do about bufferbloat?



Looking for a switch monitoring solution.

I'm looking for a solution to monitor our HP/Aruba switches. We have about 30 switches that a customer would like to monitor for device health, network traffic status, ARP tables and traffic, and anomalous login attempt information. I've used Cacti before but I'm looking at PRTG and Aruba's solution. What do you guys recommend?



Web-app for simple switch configuration tasks done by helpdesk

Hi everyone,

I need a simple app with a web-based GUI to simplify configuration of access switches in our company and make it available to users with no networking knowledge. I just want to make simple configuration changes - apply a port profile to a selected interface on a selected switch (and maybe check the operational status of all interfaces).

Our environment is a very monolithic Cisco shop (Catalysts everywhere, and maybe a few SMB switches - Cisco SG series).

I found NETCONFIG on GitHub (and in this subreddit) which looks like it is very close to my idea (https://github.com/v1tal3/netconfig) so right now I am thinking about modifying this app for my use-case...

Do you have something similar running in your company? Or is there a better solution to this problem?



Policy Based Routing over WAN?

Ok guys, this is probably an easy answer but I'm still learning PBR and can't find my exact example through Google.

I need to set up policy based routing to send internet traffic to an ISP that's connected to a site across our private WAN. Everything I'm reading and all the examples only show using PBR to select 1 of 2 equal paths with only 1 hop between them.

My scenario has multiple routes and hops between the end host and the final destination. Also the network is routed all the way through, if that makes a difference.

Here is a no-frills diagram. The current default route is to ISP 1. I need traffic to a certain vendor to go out of ISP 2. Where does the route-map need to be configured? https://imgur.com/HQYbTux



vpnclient enable does not work



WOW internet and cable, Cleveland Ohio

I have a love-hate relationship with WOW. I love them because they give us good deals and they are always helpful and always want to help with the prices. But their equipment is awful and they don't have common sense. For about 2 months now we have been having problems with our internet and phones. Our internet cuts out at the worst times, often at 7:30 am, 7 pm or midnight. I was told to reset it whenever this would happen or unscrew the coaxial cable and screw it back in. That usually works but it's extremely annoying. This usually happens 2 days a week. For 2 months it's been going on and I've been having to do this and today it just happened and it's 8 am. We called and they said our account was flagged because of the problems. I'm pretty mad at this point because a while ago they said they think it's an external problem, maybe something to do with the wiring outside the house. But if our account is flagged why would they not just send someone out? They are sending someone out tomorrow and hopefully it's fixed. Another thing I asked about is if I can pick up a modem and hook it up myself, cause I'm quite good with computers and internet and I have my wires set up a certain way that I like. They said I could not pick up a modem and that they need a technician to be sent out to do that for you. We live in a day and age where internet is something that everyone uses on an everyday basis and most people can probably set up the very simple box. But yet the companies don't give you any info on what's wrong, won't let you set up anything on your own, and you always have to pay for someone to get sent out to fix a problem with their own stuff. I want to remain loyal to WOW but if this technician comes out and the problem still exists when they leave I'll need to drop them. I can only imagine the frustration someone who doesn't have patience or any idea how the internet works has when something like this occurs.



Am I just really good at breaking things or is it just a crazy coincidence?

OK so I'm getting moderately peeved whenever I try and do anything involving making changes to my work's network, because it seems like whenever I do something, something else breaks.

Context: I'm doing a rack / hardware swap to move to a deeper rack and put in a new UniFi switch to replace a possibly damaged one. I put everything together and tested it all, and one of our PowerBeam bridges seems to have died. (IDK if I can post the link, but if I'm allowed to I can put the link to the full story on the UBNT forums.)

Another example: My boss and I are moving to some new switches to implement proper gigabit at one of our buildings. It's supposed to be a 5 minute swap in the end. Took us like 3.5 hours to diagnose a bad SFP connector.

It's stuff like that where any time I'm working on a project something seems to break.

Is that just me? Thanks



Consolidating subnets - Is it possible to have two default gateways?

Hopefully an easy question. Looking to consolidate two /24 networks into a /23.

Due to lack of access to some existing devices it would be useful if we could retain both existing default gateways, e.g. 1.1.1.254 and 1.1.2.254, so we don't need to reconfigure the devices. Is this possible and recommended?

Also any downside to not changing the mask on existing devices as long as they don't need to communicate with devices on the other /24 range?

Hopefully a simple question but wanted to double check. Thanks as always.



Looking for specific streaming service.

Hello guys! I'm looking for a streaming service with ultra low delay (maximum 2 seconds; I'm living in Poland) and with the possibility of creating private streams. Do you know a service with those capabilities? I need these two capabilities to make a stream from my work (I'm a photographer / cameraman / movie maker). I need to make a stream from a hospital where the doctors will perform an operation. Also, privacy (it has to reach only the specific people who will get the link) and a delay of maximum 2 seconds are required (during the operation the doctors from the rest of the country will discuss the procedure). I have a lot of experience in making films but I have never done such a thing before, so help me please!



Wednesday, September 5, 2018

Adding back a failed HA partner: Two old 5510s

The internal CF blew out on our secondary firewall in an HA pair, and I've reconstructed it, but the new flash is only 64MB instead of 256MB. It's a pair of old 5510s, and I've confirmed the ASA image, ASDM and licenses are the same...but will it balk at the partner having a different amount of RAM? Everything fits, and I found another 64MB CF to use in the external slot to house the Anyconnect images.



Standalone Fortigate 60d with two WAN links query

Requirement: A small customer has a standalone Fortigate 60d (to which we have read-only access) with one WAN link, no dynamic routing, and a static default route through WAN 1. They have connected another WAN 2 link which they don't want to use for redundancy but for "load-balancing". "LB" for them means sending all Microsoft (Office 365, SharePoint and Skype) traffic through WAN 2 at all times.

My solution: As I haven't worked with this particular firewall and it looks to be a bit basic to me, my solution to them is to add static routes for all IPv4 CIDR blocks from the Microsoft website and just route this destination traffic through the WAN 2 link. I also told them the risk of always forcing this traffic through static routes in case WAN 2 goes down.

Question: Am I right, or is there a better way of doing this? Can this firewall do path/link monitoring which we can apply in a couple of PBF rules for Microsoft application-specific traffic? One rule for WAN 2 and a failover back to WAN 1.

Sorry for the long post. :)



CCIEs in Australia

Who is a CCIE in Australia?



Slow printing over VPN

I'm troubleshooting this issue where users have to print over a VPN...

Users in a remote site use a terminal session to connect directly to a "server"... so essentially they are on the server, which is not in their physical location. They then need to print from this server to a local printer at their site... the sites are connected via a site-to-site tunnel.

The documents they print are pretty decent in size but not huge. Maybe 2-3MB... basically after a print job is initiated, it takes some time before the printer starts to print... then when it does print, it prints one page at a time with 30-45 seconds between pages.

Other services over this VPN work fine.

To rule out the server being the issue, I mapped a workstation at the site where the server is to one of the printers at the remote site and tested myself... same issue.

Anybody have any ideas what this could be or why this is happening?



Is BT a dying company?

I work for a mid-sized government organization that has the WAN, LAN and IPT under a fully managed service with BT. After dealing with BT now for a few years in the contract I question how they still exist as a company. Are BT a dying company who just rely on long contracts that non-technical CIOs sign and the monopoly of ducts and last mile cabling?

From previous roles working in a service provider and another managed service, I think MSPs that come from the service provider space are not in the right space to manage enterprise networking. I don't really see how they innovate vs smaller MSPs that don't come from the MPLS service provider market. Policies seem to be based around a service provider model where changes to the core product are not very frequent (applying this to the enterprise doesn't appear to be flexible enough).

There appear to be huge amounts of non-technical staff at BT rather than decent technical engineers. I find that one technical guy is overrun with fixing everything on our contract.

What do BT need to do to stay relevant and become successful? If BT lose Openreach are they going to die?



Network Design - Internet on LAN side of router

I'm working with an existing network where the connection from the Internet is passed through a pair of wireless devices before being split into several distinct networks. Something like: https://imgur.com/Gmx2NJ5. While this works, the two wireless devices are not addressable from any of the private networks, nor from the Internet. This was intentional, however it makes remote maintenance as well as local maintenance difficult.

These wireless devices have only a single Ethernet interface, no secondary maintenance interface.

In order to allow remote maintenance we've come up with this unholy abomination: https://imgur.com/h1PdT5B.

I'd appreciate some help in figuring out exactly what is likely to go wrong with this setup, and ideally some ideas on how to solve them.

Router H is intended to be a publicly addressable device which could provide NAT/port-forwarding to the two wireless devices. The Internet is connected to both the WAN and LAN sides of the device, which feels wrong, but since the local network uses private addresses I can't actually think of what could go wrong here since my understanding is that traffic shouldn't be able to be routed into this network from the Internet.

Router I is intended to 'bridge' the 192.168.3.x network and 10.0.0.x network, allowing local maintenance from the 192.168.3.x network. Ideally it would only forward traffic from specific devices. This may instead be a computer with two network interfaces. Either way, this device will be connected directly to the Internet, however again it will only have a private IP address which shouldn't (as I understand) be addressable from any device on the Internet.

Please correct me where I am mistaken, and thank you in advance!



OSPF: Redistributing connected routes vs adding internally

Hello everyone,

Just making up a scenario, a router/layer 3 switch with a couple of OSPF enabled uplinks to the rest of the network and a few subnets the device is a gateway for.

There is a requirement to advertise these subnets to the rest of the network. I could add these subnets to the OSPF area and it'll advertise them within OSPF. I could also just redistribute the connected routes (type-1 to add cost per hop, and be selective with a route map) into OSPF to the rest of the network too.

I 'feel' the better method out of these two would be keeping it internal, and not using redistribution. Would that be right? Are there any advantages/disadvantages to just redistributing connected routes?



VIRL or GNS3 for ISR4500 / SG500?

Hi all,

Quick question, a new job has seen me inherit a network made up of ISR4500s running IOS-XE 03.16.04b / IOS 15.5, along with some SG500 switches, WMCs and WAPs. As I am rusty on Cisco I would rather use one of the above sims to verify behaviours and configs before rolling it out, but which is better suited to do this please?

Thanks in advance



Networking professionals - how do you prepare for coding questions during the interview?

I have been working with Python for quite a while and when it comes to writing a script that can pull some data off F5 API, or send some commands to Cisco switch via SSH, or when I need to modify some Ansible module - I can do it without any significant issues. It's probably not the best or cleanest way and I do rely on Google's help, but the end result works and tends to be fairly reliable.

However I have already had a few interviews with different companies where in the very beginning of the process I am being tested on my coding skills with questions like "write a function to flatten a list, while maintaining its order". And while the task is not particularly hard, I may still end up taking 5-10 minutes to come up with an answer. And then I may get asked - can you do it in a different way (in example above - can you do it without recursion?) And I often times don't have an answer for it.

The reason for such a lackluster performance is simple - if in my code I need to flatten a list, I just google it, copy-paste an answer from stackoverflow, verify that I can understand what it does and that it works properly - and go on with writing something that actually has value. And while I have taken some programming courses in school that went over these basic algorithms, I don't quite remember them well.

So the question is - what's the best way to prepare for these types of questions during the interview? Are there any courses that you could recommend for a good refresher of basic algorithms and maybe some data structures or what else is common to ask in the programming interviews? Or maybe you have some other suggestions?



Can you even get a "direct" internet connection?

I'm wondering, as the internet is something owned by everyone, is it even possible to get an internet connection without the use of a mainstream ISP? My mind has been stuck on this question for days now and I need to know.



Those Network Admins / Managers of both networking and sysadmin jobs, need some help.

So I've always been a "network" guy meaning I work with the infrastructure: routers, switches, wireless, ISPs, disaster recovery and backup circuits and so on. I'm looking to move on to a new specialty and we are looking for someone to oversee both the networking side and the systems administration. I'm really struggling on what to call the position and really curious as to how many out there really do both as part of their "networking" job. I've been over the top job sites and see some Networking Managers have Windows duties and lots without; just curious as to what you guys consider the "Networking Manager" to be and what would be a good title for someone to be recognized for both fields.

Edit: Will manage a team of 4, my role was 50% technical, 50% paper pusher



Bird's eye explanation of CDN appliances

I will start by saying I'm not a network guy. I know enough to get me through my job and I know how to learn when I need to move forward, but more complex things are totally outside of my knowledge base. Out of pure curiosity I was wondering if anyone could explain to me the CDN appliances? I am under the impression through various posts and conversations that, much like speed test, CDN networks like Netflix, YouTube etc don't necessarily let you pound on their primary servers. I was under the assumption that they curb this by copying data to appliances on carrier networks (ISPs) so that user experience is improved and bandwidth traversal across global networks is minimized.

Please feel free to correct any part of this post but my thought pattern doesn't really allow that to happen unless you take into consideration demographics. You couldn't host all of the Netflix library in an ISP (that would basically be a copy of the primary Netflix DC?) and an appliance couldn't do it either. What I think happens is Netflix tracks shows watched (number of users) and geographic location of shows watched (more people watch here) and seeds those popular shows to that region's appliance to lighten the burden on the networks involved.

Am I totally off base here? I would love some info about it, it's super interesting. Mind you, try to maybe keep it ELI5; I'm not far into networking, I work on servers so basic network topologies.

Thank you!



Firewall Under a Firewall for Remote Client VPN?

Long story short, we've bought a company that has a Juniper SRX220 at their Data center, which does not support Remote Client VPN.
They currently have VPN with a parent company via Cisco's Anyconnect, but that will not follow them.

They have many brand new ASA 5516-Xs in the box. We're looking at adding this to their data center to host VPN.

So basically, I'm thinking the packets will flow in this order:

DIA>Router>SRX220>ASA 5516>Switch with cross connect to hosted VMware environment

I don't like adding a firewall under an existing one, but apparently the company we've purchased is not comfortable rebuilding a whole new firewall in the short time we have to migrate things.



Network Diagramming Software

All,

I get bored of making fiddly diagrams in Visio when I want to "visualise a network". The company I work for doesn't own software such as Solarwinds Topology Mapper or the like. So I decided for the past few nights to write my own system of mapping a network - wondered if I could get some input on people's thoughts on this as I do like a bit of mild programming at night - it's a nice hobby.

Anyway; I'm not selling anything (however; feel free to use this should you want to) - I'm just after a positive bit of input to what people perceive "important" when drawing a topology diagram; what they want out of it most - what they find useful.

It's hosted on Free MS Azure - so when a few people jump on this; it might get on a go slow - and it's only 60 Minutes of compute per day so a lot of use may find the service suspended for 24hrs.

http://netmapperio.azurewebsites.net/

Feel free to either make an account or just use the username "testaccount" and the password "password" to take a look.

All input welcome.

Thanks

P.S; Yes this may seem "Noddy" but to put together a quick diagram to visualise an issue helps me a lot day-to-day.



Transportation Layer Protocol question

Total beginner here, if this should be asked somewhere else let me know.

I understand UDP and TCP fairly well in theory. Been programming for years (mostly in python and SQL). I am trying to teach myself more about transportation layer protocols and how to make my own. I'm not trying to reinvent the wheel and don't think I have a better way of doing it. I just learn better this way.

The part I'm missing is, how do these protocols run? Are they services? Code repositories? Every Google search I perform just gives me tons of info on what TCP and UDP are but very little info on how to build my own.

Is it just as simple as writing some functions to handle the back and forth? Then having another program use those functions to do something meaningful? I've followed some tutorials to build a communication link between a server and client in PERL. Nothing fancy. I just used the package that I found in an online tutorial. Does the individual package contain the transport layer code? Or does the NAT card take care of that on some level?

Thanks for your patience in advance.



URGENT: Host randomly loses internet connection - DNS

Okay, I am at home. I work as a Field Tech and a client recently attempted a firewall change which failed. They currently have an ASA 5505 with VLANs segmenting Users/server/etc. This Cisco 5505-x is connected via Spectrum Modem to the internet. My boss attempted to upgrade them to a 5510, with a second one to act as a failover.

Anyway, a host on the network randomly gets disconnected. Yesterday, I was in the office. She was unable to connect to anything outside the network, able to ping the Default Gateway and even ping Google DNS Servers(4.2.2.2, 8.8.8.8). However, when she tried to ping google.com, it wouldn't resolve.

Here is where it gets complicated. I have tried various DNS servers, none of which translate anything. This user's PC is in every way identical to the PCs of other users in the office who aren't experiencing any issues. It's something else.

On the Cisco firewall 5505, I have cleared the arp cache, and xlate table. Her MAC address is linked to her IP address. Any suggestions are greatly appreciated.

EDIT: Same as yesterday, cleared xlate table and arp cache, after reboot her PC was connected to the internet again. Not exactly sure what happened, and I am almost positive this incident will occur again.



Can't open port

Hi everyone,

I can't open a port on my Windows Server 2016 VPS. I am using AWS as my VPS provider. I turned off the firewall and added my ports in inbound and outbound rules but it still says the port is closed on canyouseeme.org. I am trying to open port 28961.

Can anyone help.



CIR / EIR how to?

Hi, I'm wondering how to test CIR/EIR between two locations? We have a link between these locations and I got a question about CIR/EIR, how can I test/calculate it?



Need to make my racks mobile

We got 8 42u racks and are setting up a lab for a variety of different classes. I need the racks to be mobile. I know this sounds like a crazy idea but the classroom is modular so I need to be able to disconnect power and data and move the racks around. Do any of you know of a solution that I could use? I know I can just install casters in the bottom but I was looking for something with a little more stability and strength. Money is not really a factor as far as purchasing a solution, but I do need to use the current racks I have. Having a hard time finding a solution that is satisfying.



vendor invoice management and approval

good morning-

I run an ISP/NSP that is part of a larger company that also provides cloud, proserv and managed services.

I mention that first because it means I'm somewhat wedged into using certain software, and using outboard stuff is an uphill battle.

My business unit provides traditional NSP type stuff: DIA, MPLS, L2 services. We have some of our own fiber, but most of our work is done via NNIs (about 40) as well as some "managed broadband" stuff (where we hold paper on normal broadband circuits, coax, DSL, etc). We also do managed firewalls (which we couple with managed broadband).

The company uses Connectwise and it's not going anywhere. The company also uses ITGlue, Sharefile and Sharepoint, and it's unlikely they are going anywhere. My group uses Solarwinds Orion NPM.

My challenge is invoice approvals and linking vendor account info back to our own records of service delivery. We get about 300 invoices a month.

I'm looking for a scheme whereby I establish canonical storage of the invoices that also allows me to associate arbitrary attributes with the invoices (like linking to structured account info) as well as received dates, paid dates, approval status, and so on.

One feature of this scheme would be that if an invoice (and its various dollar amounts) is linked to revenue, and the revenue and supporting agreement is not changed from the previous month, it would be approved without much (if any) human effort. The back office could do this without my team's involvement.

There's other stuff too - like my support staff being able to quickly drill into an invoice for a delivered service (going from monitored element in Solarwinds, to our Agreement with the customer, then to the structured account info, and then into specific invoices if more detail is needed).

Or, if we want to do a cost drive-down, we can select all the accounts/invoice based on various attributes and focus on them.

Etc etc.

Just looking for some tool/process ideas from y'all.

Thanks!



I'm studying Networking and need help with a question...

I recently started college and have been given an assignment to complete. One of the questions just doesn't make sense to me and was hoping to see if it made sense to you.

Q. Which two factors determine what you would use a network for?

Thanks for anyone who takes the time to help :).



Cisco Wireless question about client disassociation

So something I've been noticing a lot when attempting to troubleshoot clients through Prime Infrastructure... a lot of wireless clients seem to disassociate fairly frequently and then immediately associate again... usually to a different AP. The association history in Prime for the client ends up looking like a repeating wave between three APs. The durations between association times usually seem to always be around a factor of 5 minutes... so 15 min 14 sec, 10 min 14 sec, 25 min 39 sec, 1 hr 10 min 55 sec, etc.

I've been wondering what this is about and how it probably affects the end-user experience. My assumption is it is disruptive due to the client having to move between APs... so anything real-time and/or latency sensitive like video chat or online gaming might be affected. I figured at first it may be due to a system default of 5 minutes on the User Session Idle but I adjusted it up to an hour and didn't see a noticeable difference. DCA is currently set on an interval of 10 minutes and I have EDRRM on so it seems like it wouldn't always happen in a factor of 5 between changes.

I can see a ton of RRM events for 2.4GHz, so many that Prime is saying there are too many unique events per device, so I think I may need to tweak 2.4GHz RRM sensitivity down. But the clients I'm seeing are also 5GHz, which doesn't have nearly as much of an interference or co-channel utilization issue at our location and nowhere near the number of events.

Anyone have any thoughts or experience with this or is this just normal?



30ft Wall-mounted Free-standing Antenna Pole for 16kg antenna. Feasible or Not?

Hi. Is it okay to install a free-standing 30ft wall-mounted antenna pole that can accommodate a single 16kg radio antenna? This will be installed on a rooftop and the option of a pole from the ground up is prohibited. AirFiber5u to be exact.

My concerns are that maybe the antenna will not be stable because of the wind; will the pole need support aside from wall clamps? What kind of pole do you suggest? Size? I'm looking to use GI pipe with a 4 inch diameter, is it okay? I'm also looking for ways to install this properly. Any help will be very much appreciated. Thank you.



PCs unable to get IP from DHCP with tons of DAI deny logs

Hey guys,

I had this weird DHCP issue happening on all our access switches (3850) after upgrading our core Nexus switches (7k). I upgraded our core on a Sunday morning and it went smoothly. But then on Monday morning we received calls from users that their network was down.

All attempts at renewing DHCP were failing, and when I had a look at the 3850 logs there were heaps of logs like the below:

 1 Invalid ARPs (Res) on Gi2/0/4, vlan 100 ([847b.XXXX/169.254.0.55/501c.bXX/0.0.0.0/09:19:17 ])

1 Invalid ARPs (Req) on Gi3/0/8, vlan 100.([a44cxxxx/10.30.112.210/0000.0c9f.XXX/10.30.112.1/)

As soon as I turned off DHCP snooping and DAI for VLAN 100 the issue was resolved and I could renew DHCP on almost all affected PCs.

Has anyone had similar issues with DAI before? I read somewhere that I have to add the command below to fix the issue:

ip arp inspection validate src-mac dst-mac ip allow-zeros

I have also seen this as suggested solution to allow APIPA in DAI:

arp access-list VLAN_100

permit ip 169.254.0.0 0.0.255.255 mac any

ip arp inspection filter VLAN_100 vlan 100

Cisco TAC could not find an issue on the switches and are asking to re-enable DAI to troubleshoot further. But given the huge impact of this, I wanted to see if there is a fix for this issue before turning it back on.

I'd appreciate any suggestions.

Thanks.
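As an added example that is not part of the original post, here is a small Python parser for the "Invalid ARPs" deny messages quoted above. It splits each message into the bracketed sender MAC / sender IP / target MAC / target IP / timestamp fields and tags the drop with the likely reason (a 0.0.0.0 address that fails the "validate ip" test, a 169.254.0.0/16 APIPA sender that can have no DHCP snooping binding, or an ordinary binding mismatch), so the operator can see which of the two fixes in the post actually applies to the bulk of the drops. The sample log lines, MAC addresses and timestamps are constructed for the example; the reason names and remediation notes are this example's own.

```python
"""Classify Cisco DAI "Invalid ARPs" deny messages (added example, not from the post)."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

APIPA = ipaddress.ip_network("169.254.0.0/16")

# Bracketed fields: sender MAC / sender IP / target MAC / target IP / time.
# The optional "." after the VLAN number matches the second format in the post.
DAI_RE = re.compile(
    r"Invalid ARPs \((?P<kind>Req|Res)\) on (?P<port>\S+), vlan (?P<vlan>\d+)\.?\s*"
    r"\(\[(?P<smac>[^/]+)/(?P<sip>[^/]+)/(?P<tmac>[^/]+)/(?P<tip>[^/]+)/(?P<when>[^\]]*)\]\)"
)

# Constructed sample lines modelled on the post; MACs and hosts are made up.
SAMPLE_LOG = """\
1 Invalid ARPs (Res) on Gi2/0/4, vlan 100 ([847b.1234.5678/169.254.0.55/501c.b9ab.cdef/0.0.0.0/09:19:17 UTC Mon Sep 3 2018])
1 Invalid ARPs (Req) on Gi3/0/8, vlan 100.([a44c.1111.2222/10.30.112.210/0000.0c9f.f001/10.30.112.1/09:19:20 UTC Mon Sep 3 2018])
1 Invalid ARPs (Req) on Gi1/0/2, vlan 100 ([0011.2233.4455/0.0.0.0/ffff.ffff.ffff/10.30.112.77/09:19:21 UTC Mon Sep 3 2018])
"""

# Reason tags are this example's own names, with the matching fix from the post.
REMEDIATION = {
    "zero-ip": "ARP probe with 0.0.0.0; 'ip arp inspection validate ... ip allow-zeros' tolerates it",
    "apipa-sender": "link-local sender has no DHCP snooping binding; permit 169.254.0.0/16 via ARP ACL",
    "no-binding": "sender IP/MAC not in the DHCP snooping table: static host, stale binding, or spoofing",
    "unparseable-ip": "sender IP field did not parse; inspect the raw line",
}


@dataclass
class DaiEvent:
    kind: str        # "Req" (ARP request) or "Res" (ARP reply)
    port: str
    vlan: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str
    when: str


def parse_dai_line(line: str) -> Optional[DaiEvent]:
    """Return the parsed event, or None for lines that are not DAI deny messages."""
    m = DAI_RE.search(line)
    if not m:
        return None
    return DaiEvent(m["kind"], m["port"], int(m["vlan"]), m["smac"].strip(),
                    m["sip"].strip(), m["tmac"].strip(), m["tip"].strip(), m["when"].strip())


def reasons(ev: DaiEvent) -> List[str]:
    """Tag why DAI most likely dropped this ARP; a line can match more than one tag."""
    out: List[str] = []
    # "validate ip" rejects 0.0.0.0 as sender in any ARP and as target in replies.
    if ev.sender_ip == "0.0.0.0" or (ev.kind == "Res" and ev.target_ip == "0.0.0.0"):
        out.append("zero-ip")
    try:
        if ipaddress.ip_address(ev.sender_ip) in APIPA:
            out.append("apipa-sender")   # self-assigned, so never in the snooping table
    except ValueError:
        out.append("unparseable-ip")
    if not out:
        out.append("no-binding")         # a normal address that simply has no binding
    return out


def summarize(log: str) -> Tuple[Counter, Counter]:
    """Count drops per reason tag and per ingress port over a whole log."""
    by_reason: Counter = Counter()
    by_port: Counter = Counter()
    for line in log.splitlines():
        ev = parse_dai_line(line)
        if ev is None:
            continue
        by_port[ev.port] += 1
        for tag in reasons(ev):
            by_reason[tag] += 1
    return by_reason, by_port


if __name__ == "__main__":
    by_reason, by_port = summarize(SAMPLE_LOG)
    for tag, count in by_reason.most_common():
        print(f"{count:4d}  {tag:15s} {REMEDIATION[tag]}")
    print("per port:", dict(by_port))
```

Run it over the real `show logging` output instead of `SAMPLE_LOG`: if "no-binding" dominates after the core upgrade, the ARP ACL and allow-zeros changes will not help and the DHCP snooping binding table itself (for instance the trust state of the uplinks towards the new core) is the place to look.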



Anyone using Cisco FRA in production? Started testing and am noticing a feedback loop with RRM and FRA

So we have started deploying 3802Is on 8.5.120.0 and recently started testing FRA. Set all the radios to static role assignment, turned on FRA, then started turning the radios with a 100% COF to auto role assignment. We started with ~100 APs in a moderately dense deployment. Minimal LoS AP placement, normally a wall or two between placements, but still about ~25-40ft apart.

This initially seemed to go well, first COF run we had 8 APs show 100%. All the 2.4 Ghz radios were running a TX power of ~7-8. Set the 100% COF APs to auto and they converted to dual 5Ghz. Next batch about 5 APs, same story. Rinse and repeat for a couple of hours.

I've let it bake for about 12 hours and come back to something disturbing. We're up to 23 APs that have been converted to dual 5GHz, and another 10 APs saying they have 100% COF. It seems like RRM and FRA are starting to form a feedback loop. FRA will disable an AP, RRM will boost power of the surrounding APs. FRA will have new redundant APs, convert, and RRM will boost the power.

So far I've noticed at least one area where a coverage hole seems to have formed. The center AP was converted, then later the 3 surrounding APs were converted. For the most part the 2.4 radios are still TX powered between 7-8, but there is a group starting to rise into the 4-5 range. Right now about 80% of the clients are still reporting RSSIs of >= -65dBm and 70% are >= -60. Signal quality is also looking really good with 90% at >= -25dB. Our worst 5GHz client is also reporting -77dBm, and the worst 2.4GHz is reporting -66dBm. So the numbers say there isn't actually a problem and I should keep letting FRA go to town.

I've read the documentation, and I know that if there's an actual coverage hole, FRA will dump a radio back to 2.4 immediately. I know I have set an upper limit on what I want my 2.4 radios to TX at. I've looked at the debug and know that I'm not getting any significant bleed between floors. I'm just not sure if I want to ride the train all the way to the end of the track where RRM has raised all the 2.4 radios to a TX power of 4, and FRA has determined half of my APs are now at 100% COF.

TL;DR: FRA and RRM seem to be feeding into each other, FRA disabling 2.4 radios, RRM increasing TX power. FRA disabling more 2.4 radios. Repeat. Do I really want to end up with a bunch of 2.4 cells with a TX power of 4, and half my APs turned to dual 5Ghz?



Secure mounting options for firewall/switch? Dust protection and a fan?

I’m looking at replacing some of the equipment at our smaller international locations. Last time I visited one the cheap router was covered in gecko poop and dust. I’d like to avoid that :)

I’ve found small wall rack units in country, but I’m not seeing anything for just a few desktop sized boxes (Fortigate 60e and an 8 port Unifi switch).

These are indoor locations, but really dusty environments and many have open venting/windows. I’m not worried about water, but dust and critters, and then heat from enclosing things.

Suggestions?



Tuesday, September 4, 2018

Firewall certifications?

For a beginner with some good sound knowledge in Network Security which certification is HOT currently? Palo Alto vs Juniper vs Cisco vs Fortinet?



Adtran? Thoughts.

I'm looking to upgrade all of my edge switches. This is for an in-state retail company, so super simple configs. All sites connected via carrier MPLS. I've looked at Cisco and Juniper. I have an Adtran router that I control that hasn't failed me yet (2 years). My VAR is recommending Adtran 1638P and 1550P switches and the price is good. I'm looking for hardware reliability as the config is static routes and simple VLAN switching.



2fa

How many people out there run 2fa on all IT management consoles/gui/shell?



New to Juniper - MX204 Assistance

https://ift.tt/2wLBwBL

[HELP] Just bought a new router. It only accepts ethernet cable (RJ45 I guess). ISP left a fiber optic cable for the old router. What should I do?

http://prntscr.com/kqpkaa (what I believe is the fiber cable)

Please help, I'm tired of the trash router my ISP provided



Dealing with rogue DHCP server. Need recommendation for Wireless AP isolation and 48 port managed switch?

Hi guys,

The title says it all.

Tl;dr?

Need recommendation for 48 port managed switch that supports port isolation and/or dhcp snooping

Need recommendation for a wireless AC access point that supports device/AP isolation that doesn’t cause a double NAT (ie needs to prevent different guests devices on the wifi network from seeing/communicating with each other)

Thanks for your time.

I need a recommendation for a 48 port managed switch. My usage case is pretty simple. I’m wiring up a small hotel with 45 rooms, and I need to isolate each room / port from each other. The hotel is owned by a family friend and we’re trying to do this for a reasonable cost.

Additionally, I need a recommendation for a good wireless access point. I’ve been dealing with several rogue dhcp servers on the public wifi, and when I went to enable “AP Isolation” on the Netgear R700 access points, the option was greyed out as apparently client isolation is only supported when the device is in router mode. I would like to avoid the double NAT issue caused by putting the wireless AP into router mode. What would you guys recommend for isolating wireless clients and preventing inter device communication that won’t cause a double NAT?

The main router is an OpenBSD 6.3 firewall/DHCP/DNS server. All I really need is a way to isolate the different guests' untrusted devices from each other, so that we can avoid the DHCP nightmare we’ve been dealing with. Several times a week we get complaints that “the wifi is down”, even though it isn’t. Turns out their device is trying to pull a 192.168.1/24 address even though we use a 172.27.27/24 subnet. The hotel has multiple long term tenants and I’m sure one of them has some sort of rogue DHCP server running.

Any recommendations or insight would be much appreciated
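Port isolation and DHCP snooping stop the rogue offers from reaching other guests, but it also helps to see them in the first place. The following is an added example, not part of the original post or any product mentioned in it: a minimal DHCP message parser in Python plus a check that flags an OFFER or ACK whose server identifier is not on the allow-list, or which hands out an address outside the expected subnet. The constructed packets are built by `build_offer` for the test; in practice the same `rogue_offer_reason` check would be fed the UDP payloads of port 67/68 traffic mirrored from the uplink (that capture path is assumed and not shown). The allow-listed server 172.27.27.1 and the rogue 192.168.1.1 are illustrative values chosen to match the subnets named in the post.

```python
"""Parse DHCP messages and flag offers from unexpected servers (added example)."""
import ipaddress
import struct
from typing import Dict, Iterable, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREPLY = 2
DHCP_OFFER, DHCP_ACK = 2, 5
OPT_SUBNET_MASK, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 1, 51, 53, 54, 255


def build_offer(xid: int, client_mac: bytes, yiaddr: str, server_ip: str, mask: str) -> bytes:
    """Construct a DHCPOFFER (test input only; this is not a captured packet)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREPLY, 1, 6, 0, xid, 0, 0,
        bytes(4),                                   # ciaddr
        ipaddress.ip_address(yiaddr).packed,        # yiaddr: the offered address
        ipaddress.ip_address(server_ip).packed,     # siaddr
        bytes(4),                                   # giaddr
        client_mac.ljust(16, b"\x00"), bytes(64), bytes(128),
    )
    options = (
        bytes([OPT_MSG_TYPE, 1, DHCP_OFFER])
        + bytes([OPT_SERVER_ID, 4]) + ipaddress.ip_address(server_ip).packed
        + bytes([OPT_SUBNET_MASK, 4]) + ipaddress.ip_address(mask).packed
        + bytes([OPT_LEASE, 4]) + struct.pack("!I", 86400)
        + bytes([OPT_END])
    )
    return header + MAGIC_COOKIE + options


def parse_dhcp(packet: bytes) -> Dict:
    """Decode the fixed BOOTP header and the TLV option list of one DHCP message."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", packet[:12])
    msg = {
        "op": op,
        "xid": xid,
        "yiaddr": str(ipaddress.IPv4Address(packet[16:20])),
        "siaddr": str(ipaddress.IPv4Address(packet[20:24])),
        "chaddr": packet[28:28 + min(hlen, 16)].hex(":"),
        "options": {},
    }
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0:                 # pad
            i += 1
            continue
        if code == OPT_END or i + 1 >= len(packet):
            break
        length = packet[i + 1]
        msg["options"][code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return msg


def rogue_offer_reason(packet: bytes, authorized_servers: Iterable[str],
                       expected_subnet: str) -> Optional[str]:
    """Return why a server->client message looks rogue, or None if it is expected."""
    msg = parse_dhcp(packet)
    mtype = msg["options"].get(OPT_MSG_TYPE, b"")
    if msg["op"] != BOOTREPLY or mtype not in (bytes([DHCP_OFFER]), bytes([DHCP_ACK])):
        return None                   # client->server traffic is not what we police here
    sid = msg["options"].get(OPT_SERVER_ID)
    server = str(ipaddress.IPv4Address(sid)) if sid and len(sid) == 4 else msg["siaddr"]
    if server not in set(authorized_servers):
        return f"offer from unauthorized server {server}"
    if ipaddress.ip_address(msg["yiaddr"]) not in ipaddress.ip_network(expected_subnet):
        return f"offered address {msg['yiaddr']} outside {expected_subnet}"
    return None


# Illustrative values matching the subnets named in the post.
AUTHORIZED_SERVERS = {"172.27.27.1"}
EXPECTED_SUBNET = "172.27.27.0/24"
CLIENT_MAC = b"\x00\x11\x22\x33\x44\x55"            # constructed
LEGIT_OFFER = build_offer(0x1234, CLIENT_MAC, "172.27.27.100", "172.27.27.1", "255.255.255.0")
ROGUE_OFFER = build_offer(0x1234, CLIENT_MAC, "192.168.1.50", "192.168.1.1", "255.255.255.0")

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, rogue_offer_reason(pkt, AUTHORIZED_SERVERS, EXPECTED_SUBNET))
```

The server identifier (option 54) is what a client uses to pick a server, which is why the check prefers it over `siaddr`; a switch doing DHCP snooping applies the same idea by only accepting these message types on trusted ports, so the detector is a way to measure the problem before and after that feature is turned on.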



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



Aerohive AP250 - only getting ~150Mbps max?

New to Aerohive. Using the cloud-based HiveManager I pushed a policy and got the AP up and running. For some reason, I'm getting pretty poor performance out of it. My latency is around 50-60ms and the max I can pull or push out of this thing from a laptop or a Samsung Galaxy S9 is only 150Mbps.

I have 1000/1000 fiber and can easily pull at least 800Mbps-900Mbps from a copper-connected desktop with latency sub 20ms.

This AP is configured for both 2.4Ghz and 5Ghz radios (I have some legacy equipment that is b/g/n only -- is this my problem?). I tried turning WIPS on and off - it made no difference. Channel selection for 5Ghz is clean. I'm clearly missing something.



IOS XE - BGP Based Queues

Hello Redditors,

Here's the scenario. I've tried to find a function for this but I haven't so far:

We have several upstreams, but the issue where I work is the fact that the bandwidth is sold as metered by region, say you get 1 Gbps line and then it's metered like this:

  • 100 Mbps towards region A
  • 200 Mbps towards Region B
  • 1 Gbps towards Region C

Those regions are easy to filter using BGP AS_PATH regex, I can tag the prefixes by filtering them using such regex, so let's say Region A has community 65500:1000 applied, region B has 65500:1001 applied, region C has 65500:1002 applied.

We use MikroTiks and are planning to move away from them due to the amount of bandwidth we're now seeing and the fact that those devices just can't hold the load, those devices allowed us to tweak a lot of things and even build QoS mappings using data from BGP (by means of filtering and scripting). Management want to go to Cisco and want to know if this is doable, we're looking at the ASR1000 series (IOS-XE).

In short this is what we need:

  • Tag BGP routes with communities based on AS_PATH (easy to do with route-maps)
  • Based on those communities apply queuing policies, say police to 50 Mbps when traffic is directed towards region B, or police to 30 Mbps when traffic is sourced from IP X.X.X.X and goes to region C

Is there any way to achieve this with this platform? thank you in advance.



Unifi AP Pros having strange power issues

So not sure if anyone else has experienced this or knows the cause/solution, but so far I have encountered 2 of these AP Pros acting extremely strange with PoE. The two that I have doing this simply won't power on when plugged into a PoE+ switch. I have tried Unifi, HP, and TP-Link PoE+ switches with no luck on any, but they turn on just fine and act normally when plugged into a PoE+ brick.

Has anyone else encountered this before and does anyone know a solution or have an idea for a solution?

Thanks



Hardware list for cafe network.

Hello,

I'm looking to update my network to something better for my coffee shop. I offer free wifi to my customers, peak customers would be 30. I want two separate networks, one for point of sale, and one for guests. I'd like to have a captive portal, to at least get them on either my FB page, or website page, even if it's just a second. The shop is 1500 sq ft. with outside seating. I was thinking of going with Unifi, with the following hardware:

Ubiquiti UniFi Switch 8 60W

Ubiquiti Networks UAP-AC-Pro-E

Ubiquiti Unifi Security Gateway

Ubiquiti Unifi Cloud Key

Is that everything I need, or is it overkill? Should I be looking at anything else? Thanks for your help.