Saturday, September 15, 2018

Is IPSec absolutely required for a site-to-site VPN?

We currently have a site-to-site VPN on Cisco 4451 routers, using an IPsec trial license.

At the time I could not yet approve the budget for buying this license, which might happen in the coming weeks. The problem is the trial will expire, and we're already heavily using the site-to-site connection.

In case IPsec expires, will my VPN go down completely? Or will it just lose IPsec?

In any case, is IPsec absolutely required for security? Are there free alternatives?



Week long networking outage. How can I make sure it doesn’t happen again

I'm new to the IT field, and of course mistakes come with being a newbie. I want to specialize in networking; I currently have a Network+ and am close to the CCNA R&S. I am also close to a Bachelor's in networking and security.

I work as an IT Support Technician for a small company and quickly took over the networking responsibilities of the department (only two of us, me and my boss, and I've been there about 7 months).

Over the past month we’ve been setting up and taking down locations, getting a lot of equipment that can be re-used.

Well last week I was asked to configure a firewall for a new site and to reuse one of the firewalls we just took offline.

ALMOST all our sites run through a VPN tunnel back to the main office.

Here's where I made a mistake. When I plugged in the firewall to configure it, my laptop also connected to WiFi.

I configured the firewall, everything was all happy, when I get a call from one location saying the internet is down.

When I looked up the IP, it was the SAME as the firewall I just configured. Instead of connecting to the firewall next to me, I changed the one 4 states away.

I immediately rushed to find a backup of the configuration to reimplement it and save me from my boss and the CEO.

After looking everywhere, we had no backup of the firewall. I quickly scrambled to configure it back to the way it was, but I had no record of what was down there: static IPs, VLANs, etc.

Over the next 4 days, with the help of my boss, I was able to piece together the configuration and get them back up and running. The VP of the region and the CEO hounded us the whole way.

The icing on the cake was on Friday, when I found a recent backup of the firewall on a local hard drive, in a place neither me nor my boss knew to look.

All I could do was laugh. I couldn’t believe it.

What steps should be taken to prevent this?

My thought was maybe a dedicated server for all configuration backups; we have almost 50 locations and barely half of them are backed up.

We use SonicWall firewalls; is there a way to automate a backup every month?

Any advice is appreciated. Thanks!
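The post above asks how to keep firewall configuration backups that can actually be found when a device is wiped. The following is an added example (not code from the poster or from SonicWall) of the archive side of that job: it takes config text that some scheduled export has already pulled from the device (the pull itself is vendor-specific and is left out), stores each version under a per-device directory named by UTC timestamp, sequence number and SHA-256 digest, writes a new copy only when the content changed, and returns a unified diff against the previous version so unexpected changes (such as someone configuring the wrong box) show up in the backup log. The device name and the two config versions in `demo()` are constructed for illustration.

```python
"""Versioned config archive with change detection (added example, stdlib only)."""
import difflib
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def _digest(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def latest_backup(archive: Path, device: str):
    """Return the newest stored config file for `device`, or None."""
    dev_dir = archive / device
    if not dev_dir.is_dir():
        return None
    # File names start with a UTC timestamp and a sequence number, so a
    # plain lexical sort is chronological.
    files = sorted(dev_dir.glob("*.cfg"))
    return files[-1] if files else None


def store_config(archive: Path, device: str, config: str) -> dict:
    """Store `config` for `device` unless it is identical to the latest copy.

    Returns {"stored": bool, "path": Path, "digest": str, "diff": [lines]}.
    """
    dev_dir = archive / device
    dev_dir.mkdir(parents=True, exist_ok=True)
    digest = _digest(config)

    previous = latest_backup(archive, device)
    if previous is not None and previous.name.endswith(f"-{digest[:12]}.cfg"):
        # Same content hash as the last stored version: nothing to write.
        return {"stored": False, "path": previous, "digest": digest, "diff": []}

    prev_text = previous.read_text(encoding="utf-8") if previous else ""
    seq = len(list(dev_dir.glob("*.cfg")))
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    path = dev_dir / f"{stamp}-{seq:04d}-{digest[:12]}.cfg"
    path.write_text(config, encoding="utf-8")

    diff = list(difflib.unified_diff(
        prev_text.splitlines(), config.splitlines(),
        fromfile=previous.name if previous else "(none)",
        tofile=path.name, lineterm=""))
    return {"stored": True, "path": path, "digest": digest, "diff": diff}


def demo() -> dict:
    """Run the archive against two constructed config versions in a temp dir."""
    archive = Path(tempfile.mkdtemp(prefix="cfg-archive-"))
    device = "fw-site-12"  # constructed device name
    v1 = "interface X1\n ip address 10.0.0.1 255.255.255.0\n"  # constructed
    v2 = "interface X1\n ip address 10.0.0.2 255.255.255.0\n"  # constructed
    first = store_config(archive, device, v1)     # new device: stored
    repeat = store_config(archive, device, v1)    # unchanged: skipped
    changed = store_config(archive, device, v2)   # changed: stored + diff
    return {"first": first, "repeat": repeat, "changed": changed,
            "latest": latest_backup(archive, device)}


if __name__ == "__main__":
    result = demo()
    print("\n".join(result["changed"]["diff"]))
```

Running `store_config` once per device from a scheduler gives you a history rather than a single overwritten file, and the diff output is what you would grep through when a site goes down and nobody remembers touching it.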



Cisco 1921 NAT/DNS problems

    version 15.0
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    no aaa new-model
    !
    no ipv6 cef
    ip source-route
    ip cef
    !
    ip dhcp excluded-address 192.168.1.250 192.168.1.254
    !
    ip dhcp pool AP
     network 192.168.1.0 255.255.255.0
     default-router 192.168.1.253
     dns-server 71.10.216.2
    !
    ip name-server 209.18.47.61
    ip name-server 71.10.216.1
    ip name-server 71.10.216.2
    multilink bundle-name authenticated
    !
    license udi pid CISCO1921/K9 sn FTX162583KV
    !
    interface GigabitEthernet0/0
     ip address dhcp
     ip nat outside
     ip virtual-reassembly
     duplex full
     speed 1000
    !
    interface GigabitEthernet0/1
     ip address 192.168.1.253 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     duplex full
     speed 1000
    !
    ip forward-protocol nd
    !
    no ip http server
    no ip http secure-server
    !
    ip dns server
    ip nat inside source list 1 interface GigabitEthernet0/0 overload
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
    !
    access-list 1 permit 192.168.0.0 0.0.255.255
    access-list 1 permit any

Any help in trying to figure out why this very easy setup cannot access the internet is very much appreciated. I'm starting to wonder if I need to update the IOS on the router.



Internet works, modem/router not playing well

Okay, so I moved into a new apartment. Internet is purchased through Spectrum, but a Charter modem and a Spectrum router were provided. I have an Asus router I've used before and wanted to use again.

Models:

- Charter modem: Technicolor DPC3216
- Spectrum router: RAC2V1S
- Asus: RT-N53

Issue: When I connect the Asus, I reset everything and the modem lights up except the "link" light (well, it's on, just orange). When the Asus is connected, it doesn't have internet to the router, even on LAN.

When I reconnect the Spectrum router, the "link" light is connected and WiFi/LAN works.

It's not PPPoE, it's static.

What on God's green earth is wrong with the modem/Asus connection? There's got to be something I'm missing. This isn't normal 😭



How to determine the best topology for a network?

Title says it. I just wanted to know if it is determined by the type of business I'm going to have, or by the size of the actual network, or anything like that.



This switch I got has a web GUI and supports VLANs. But it's marked as 'Unmanaged Pro' on the box? Have I had a misunderstanding of the definition of a managed switch all this time?

I got my first managed switch at the recommendation of a friend. But when it arrived, I initially freaked out because, as you can see, it has 'Unmanaged Pro' plastered on the front.

But you'll also notice it notes a web management interface in the bottom corner. A switch wouldn't have a web GUI unless it was managed, right?

But it definitely has multiple VLAN config panels and I can tag ports, etc.

Have I had a misunderstanding of what 'managed' means all this time?



Oversize Packets on a Dell 3000 series

Hi guys, hoping somebody could shed some light on this for me.

I have a stack of 7 Dell N3000 series switches that I use mainly for my clients, but also for some servers, separated into VLANs.

I have a connection from this stack on tengigabitethernet to another stack of 2 M6348 in the back of a blade chassis.

Historically, I would have all my servers on VLAN 10 on the N3000 stack. On the M6348s I only have servers, so I set all untagged traffic to VLAN 10. Communication between these was fine.

However, I have tried to up my security a bit, and I have segregated my servers out into more VLANs. This has included 3 new VLANs: 12, 14 and 16. I started moving one blade at a time to this configuration; currently I have 3 set up like this, with communication back to the old VLAN 10 without issue (or so I thought). I moved 2 servers in a Hyper-V file server cluster to 2 of the blades, and the following day my users started reporting that applications that rely on these servers were crashing. Upon inspection I noticed millions of Oversize Packets on the M6348s.

I configured MTU to 9216 across the stack and thought that would be it sorted; however, the problems persisted and I found more oversize packets being reported on the tengigabitethernet port connected to the M6348 from the N3000 stack. So I configured 9216 MTU across that stack as well and rebooted the switches. However, the Oversize Packets keep appearing on the N3000 side. The port shows an MTU of 9216.

I am not a network guy, but I'm trying to do my best. I have run pings from servers not in the new setup to servers in the new setup and I can't see any packets being dropped. I was wondering if it was the configuration of the new VLANs within the servers themselves; I used MS VMM to build logical switches etc. But I am kind of at a loss on how to troubleshoot this issue further.

Any advice is greatly appreciated!



Need PCI-X card for my Workstation that works with Windows 10

Hey guys,

I am a teacher/IT guy and I host a gaming club at our school. My workstation at the school I work at is used to host our site licensing server(Steam Caching) as well as run VR. Quite a lot of load for one box but it handles it well. The unfortunate part is I have absolutely no network bandwidth to work with and we want to stream gaming club to twitch so parents and friends can tune in and watch the VR gameplay.

To alleviate this I'd either A) completely swap platforms, costing several hundred dollars, or B) get affordable PCI-X network cards. I have NO free PCIe slots, but I have two free PCI-X slots on my motherboard.

Asking you guys if you know of any PCI-X cards that work on Windows 10. Ideally I'd like a multi-port NIC; the more ports, the more bandwidth. And before you tell me it's overkill, I have to go this route because the networking coming to the room is only 10/100 (school ain't buying me a network switch, haha), so the more ports, the better. If it were gigabit, this would be far less of an issue.

Thanks in advance.



How does protocol analyzing work in practice?

I am a cybersec enthusiast and was wondering how you do protocol analysis (for example with Wireshark) on a day-to-day basis. AFAIK even a smaller company can have millions of logs in a short time span, so you can't possibly analyze each packet. I know this should be risk based and you are not really supposed to analyze everything, but I'd like to know the details of how it is really done in practice. What are the relevant frameworks?



Friday, September 14, 2018

How do you mentally recover after a big outage?

Hey everyone,

As much as we plan, prepare, and test, implementations can go wrong and cause big outages. Anyone that is good at anything will have made some pretty gnarly mistakes. In our line of work this usually means customer downtime.

Whelp, myself and my team were those guys this week. Outage has subsided and root cause was far more rooted in communication of requirements between teams and accurate validation. Things we’ve all heard and talked about before.

What I'd love input on is how you all recover mentally after those kinds of events. We've all been there. We've all messed up. How did you get back in the game? How did your team?



Cisco IOS IPS retiring, Un-retiring Category explain.

Hi guys, I'm studying IOS IPS configuration stages and need some help.

I understood that signatures in the retiring category don't get compiled into memory, and un-retiring does compile them into RAM, so it is memory intensive.

But in which situation do you need to use the un-retiring category to compile signatures into memory?

What are the pros and cons of the retiring and un-retiring categories?

Also, the three most common categories are all, basic, and advanced; what are the differences between them?



Why is VLAN 1 insecure?

I regularly see comments about VLAN 1 being insecure and that you should not use it.

Say I have the following two switch configurations, where ports 1-22 are access ports for users with a voice vlan for their phones, and ports 23 & 24 are trunk ports to a switch and a router and don't have an untagged/native vlan.

#config 1

    vlan 1
       name Users
       untagged 1-22
       tagged 23-24
    vlan 2
       name mgmt
       tagged 23-24
       ip address 172.16.2.1 255.255.255.0
    vlan 100
       name voice
       tagged 1-24
    management-vlan 2

#config 2

    vlan 1
       no untagged 1-24
    vlan 2
       name mgmt
       tagged 23-24
       ip address 172.16.2.1 255.255.255.0
    vlan 10
       name Users
       untagged 1-22
       tagged 23-24
    vlan 100
       name voice
       tagged 1-24
    management-vlan 2

What makes the first configuration insecure?

edit: formatting



Small office router and AP - recommendations?

Hello,

We are a small office of about 40 people; however, everyone has their own Ethernet drop, and only about 10 devices are ever connected to Wi-Fi. We currently use consumer-grade stuff, and as we transition to an AD DC and a new office, we should also upgrade in this area.

I am thinking of getting a Ubiquiti EdgeRouter 8, but I'm not sure what the best option would be (though I love that I can rack it). We have a gigabit connection, and have three switches at the moment.

I also want to get some sort of Wi-Fi; it doesn't need to be perfect, but we would like good internet for the few who use it anyway.

Would appreciate exact models being linked! Also, we currently use a Cox-provided modem; should we also upgrade that?

Thank you!



2 different serial numbers on ASAs

How come there are 2 different serial numbers on the ASA? When I do show version and show inventory, they're both different. Which one is the actual SN of the box?



Need open source router for nordvpn/expressvpn

Something under USD 75; it needs VLAN support and QoS, and doesn't need WiFi. I need to connect to NordVPN but can't use L2TP/PPTP, as it's being phased out.

Any suggestions? Ideally something I can buy on Amazon that runs Tomato or WRT.

Thanks



Issue Passing VLAN Traffic Over Trunk (HPE)

Hey guys, so I come from a Cisco background and, unfortunately, we have mostly HP switches here in our environment. This was not an issue until a week ago, when my boss looked at my config and mentioned that I had it misconfigured, and now he can't get it back working either (I suspect he isn't well-rounded with VLANs).

I've got an HP A5500 (let's call this SW006) in my office that connects to an HPE 5510 (SW003) in the server room. There are more than the two VLANs I will mention, but I only need to pass traffic on both to get the rest working correctly.

VLAN 4 - main LAN

VLAN 20 - Server Management LAN

Originally, I had tagged SW006, eth 48 on both 4 and 20. The same config for SW003, port 18. Both these ports (48 and 18 respectively) were set up as Hybrid (before we knew that this was mainly used for the intent of VoIP). I was able to pass traffic on both VLANs, no issue, with the rest of the ports on SW006 set up as untagged for how I wanted them.

Long story short, my boss tried saying that only the downstairs switch (SW003) needs to be tagged, and that my port 48 on SW006 should be untagged. This obviously does not work, and he does not want to go back to tagging both ends...

So I called HPE for the correct config, and they mentioned both ends need to be set to trunk, as well as permit VLAN 4,20. Got it. Also, both ends have a PVID of 4. With the config standing like this, I can pass my normal LAN traffic through VLAN 4, but for the life of me, I can't get traffic on VLAN 20 to pass over the trunk.

Can someone inform me of what I'm doing wrong and what I have misconfigured?

SW006:

    [SW006]dis cur int GigabitEthernet 1/0/48
    #
    interface GigabitEthernet1/0/48
     port link-mode bridge
     port link-type trunk
     undo port trunk permit vlan 1
     port trunk permit vlan 4 20
     port trunk pvid vlan 4
     speed 1000
     duplex full

SW003 (stacked):

    [SW001]dis cur int GigabitEthernet 3/0/18
    #
    interface GigabitEthernet3/0/18
     port link-mode bridge
     port link-type trunk
     undo port trunk permit vlan 1
     port trunk permit vlan 4 20
     port trunk pvid vlan 4
     speed 1000
     duplex full
    #



Netflow/Connection Event Logging

Hey Everyone,

I have a bunch of FTD devices I am managing, and right now we are using the virtual FMC; however, I am starting to get annoyed at the very low limit for Connection Events and such. Just wondering where everyone is logging their connection events.

I was thinking of setting up ELK on our UCS cluster (probably 4 ES nodes all together) and sending the events to that instead, but would love to hear other thoughts as well.



Switch + ADSL Router

I have an old Catalyst 2950 switch and a Netgear ADSL router. If a few PCs are connected directly to the switch and a few laptops are connected wirelessly to the router, will they all have internet access? Sorry if it's a stupid question.



PoE injectors recommendation?

Hi,

I need a good PoE injector that provides 30 watts of power. It's for a door controller that I don't believe understands LLDP or CDP. But according to the technician, it does require 25.5 watts to work properly.

I bought the cheapest PoE injector on CDW: https://www.cdw.ca/product/amer-pig30-poe-injector-30-watt/2634450

This injector is, however, only providing 13 watts according to my testing: https://imgur.com/mes3SHC

I looked online for a better PoE injector, but it's really hard to separate the good ones from the fake ones. Can you guys help? Thanks



First certification

Hi guys, I've just got a job as a network engineer without any certification, and my employer is now willing to pay for training courses for a networking certification.

For various reasons, it has come down to this: either Fortinet (NSE-4) or Juniper (JNCIA-Junos). Considering that

  1. I'm more about the knowledge that comes from the training than the fame/popularity of the cert itself,
  2. I'm more comfortable with routing and switching than firewalling. Specifically, I only know basic firewall theory (stateful, stateless, L4-L7 concepts) and my only practical knowledge on the topic is related to iptables and, to a lesser extent, pf,
  3. I'm going to work with both Fortinet and Juniper gear,
  4. it's unlikely that this will be the only cert I'll ever get,

what do you suggest?



Cisco ASR 900 Traffic not being transmitted?

Hi, does anyone here have experience with the Cisco ASR 900 series?

I've got an issue with an interface (outbound) not transmitting; unicast is working but multicast is having issues.

There is no transmitted traffic toward the customer link on the ASR 900 interface.

    #sh int g1/1
    30 second input rate 1179 bits/sec, 1283 packets/sec
    30 second output rate 0 bits/sec, 0 packets/sec <===

Sample topology:

    --Trunk to RTR Edge--g0/0 (SW ASR)---g1/1---to customer

On RTR edge g0/0 we are seeing a huge amount of traffic, but g1/1 is not transmitting. No QoS policy is applied.

Sample config:

    interface g1/1
     service instance 99 ethernet
      encapsulation default
      bridge-domain 99



SSH connection just sits there without actually connecting or refusing?

Weird one here. I have a Cisco 819 that will not let me SSH into it over the 4G connection. However, I can SSH into it through other interfaces. The 4G is up and working; I can ping the IP of the cell interface and send traffic through it, but I just can't SSH into it.

When I try to connect, it just sits at the black screen and nothing comes in. It doesn't refuse the connection, it just does nothing. I've looked at the config and it's fine, and my crypto keys are fine because I can SSH via the other interfaces.

The router is not even "seeing" the connection.

    Line       User       Host(s)              Idle       Location
       3 tty 3            Async interface      00:00:06
    *  10 vty 0  XXX      idle                 00:00:00   12.X.X.X

Line 10 is from another interface, but when I try to connect through the cell interface, "sh users" doesn't add another connection. I've tried it on a different router and it does show another connection when I SSH from the cell interface.

I've rebooted it, and updated the IOS too.



DMVPN Design Issue

Hello r/networking... I have a bit of a weird one here with a DMVPN design issue that I'm struggling with.

Background/Business Requirements: Basically we have about 120 locations all connected via DMVPN. The company is divesting one of its departments, meaning about 40 of the locations will be sold off.

The interesting part about this sale is that we will be supporting those locations for the next 18 months until the new company's IT team takes over and then they will be cut off. During those 18 months they will be required to have access to our internal resources.

Management would like us to take those 40 locations and put them on their own DMVPN network ASAP, with separate ipsec profiles so that the new company doesn't have access to our credentials/pre-shared-keys/etc. I can handle the routing here so that part isn't going to be an issue.

Technical Issues: So, the tough part is that we have 4 hubs. Two of them are the main office locations, the other two are AWS. This is where all of my problems are, as the spokes are just an easy change to spin up a second tunnel and remove the original.

With the hubs, they will need to have both DMVPN clouds up simultaneously. I haven't, however, found a way to do this with separate tunnel protection profiles. In a lab I have only been able to get this to work by using the same IPsec profile on both tunnels, which obviously is not going to work in this situation.

We are using the WAN interface on all hubs as the tunnel source. DMVPN is running phase 3. I don't know what other information you may need. I will say that I thought about subinterfaces with VRFs, but we have no way of using dot1q on the AWS side, so that seems out of the question.

If anyone has ANY ideas, I would like to hear them. I am probably going to contact Cisco Monday regardless, but I'd love to try and have an idea of what we can do before then.



Cisco AVC Overhead

I have a 5508 WLC that I've been wanting to turn AVC on for a year or so. Slow managers haven't gotten back to me, but I finally got someone to look at it. They are wanting to know if turning on AVC will create traffic that harms the network. I've done some reading, but can't quite find any hard facts about AVC causing any overhead like that. My gut says it's a matter of tagging packets, probably with a few bytes of data, but I can't quite find anything to back that up. Any help will be appreciated, thanks.



Whats the difference between a packet and a frame?

I'm learning networking in school, and I hope this is the correct subreddit to ask this sort of question.

In my textbook, the author defines a frame as: "basically a container for a chunk of data moving across a network. A frame encapsulates - puts a wrapper around - information and data for easier transmission. I like to visualize an imaginary table inside every NIC that acts as a frame creation and reading station. I see frames as those pneumatic canisters you see when you go to a drive in teller at a bank. A little guy inside the network card - named Nick, of course - builds these pneumatic canisters (the frames) on the table and then shoots them out on the wire to the central box... The frame begins with the MAC address of the NIC to which the data is to be sent, followed by the MAC address of the sending NIC."

A packet is described as: "containers called packets get created and addressed so they can go from one network to another. The Internet Protocol is the primary logical addressing protocol for TCP/IP. IP makes sure that the piece of data gets to where it needs to go on the network. It does this by giving each device on the network a unique numeric identifier called an IP address. An IP address is known as a logical address to distinguish it from the physical address, the MAC address of the NIC... For a TCP/IP network to send data successfully, the data must be wrapped up in two distinct containers. A frame of some type enables the data to move from one device to another. Inside that frame are both an IP-specific container that enables routers to determine where to send data - regardless of the physical connection type - and the data itself. In TCP/IP that inner container is the packet. But IP packets don't leave their PC home without any clothes on! Each IP packet is handed to the NIC, which then encloses the IP packet in a regular frame, creating in essence, a packet within a frame."

Ok, after typing that out I think I may have figured it out...

Basically, a frame is used to send data within a single network. A packet is used to send data from one network to another, and then to a specific device on that network.

So in a real world example, I can think of it sort of like a pay check.

My boss could give the receptionist (NIC) my paycheck (data) and tell the receptionist to put it in an envelope (frame) with my name on it (MAC address), and then to find me and give it to me.

OR

My boss could give the receptionist (NIC) my paycheck (data) and tell the receptionist to put it in an envelope (frame) with my name on it (MAC address), put it in a box (packet) with my apartment address (IP address) on it, and then to take it to the post office (switch). Once the post office gets the package, it gives it to the mailman (wire) who delivers it to my apartment. My roommate (NIC) gets the mail, opens the box, sees there is an envelope for me, opens it, and gives me the paycheck.

It's kind of a weird analogy, but do I understand the concept correctly?
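The post above reasons about frames and packets by analogy; the same point can be shown with bytes. The following is an added example (not from the post or the textbook it quotes) that builds an IPv4 packet, wraps it in an Ethernet frame, parses the frame back, and then does what a router does at each hop: keeps the IP packet, decrements its TTL, recomputes the header checksum, and puts it in a brand-new frame with new MAC addresses. The MAC and IP addresses and the payload are constructed for illustration; the header layouts and the one's-complement checksum follow RFC 791 and IEEE 802.3.

```python
"""Ethernet frame around an IPv4 packet, built, parsed and forwarded (added example)."""
import struct

ETHERTYPE_IPV4 = 0x0800


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791: one's-complement of the one's-complement sum of 16-bit words.

    Over a header whose checksum field is filled in, a valid header sums to 0.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src_ip: str, dst_ip: str, payload: bytes,
                      proto: int = 17, ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, ident, 0x4000,  # v4, IHL 5, DF set
                         ttl, proto, 0,                      # checksum placeholder
                         ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def build_frame(src_mac: str, dst_mac: str, packet: bytes) -> bytes:
    """Ethernet II: destination MAC, source MAC, EtherType, then the packet."""
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + packet


def parse_frame(frame: bytes) -> dict:
    """Decode the frame header and, for IPv4, the packet inside it."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": bytes_to_mac(dst), "src_mac": bytes_to_mac(src), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return info
    ver_ihl, _, total_len, _, _, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    header = frame[14:14 + ihl]
    info.update({"src_ip": bytes_to_ip(s), "dst_ip": bytes_to_ip(d), "ttl": ttl, "proto": proto,
                 "checksum_ok": ipv4_checksum(header) == 0,
                 "payload": frame[14 + ihl:14 + total_len]})
    return info


def forward_one_hop(frame: bytes, router_mac: str, next_hop_mac: str) -> bytes:
    """Router behaviour: same IP packet, TTL-1, fresh checksum, brand-new frame."""
    packet = bytearray(frame[14:])
    if packet[8] <= 1:
        raise ValueError("TTL exceeded in transit")
    packet[8] -= 1
    ihl = (packet[0] & 0x0F) * 4
    packet[10:12] = b"\x00\x00"
    packet[10:12] = struct.pack("!H", ipv4_checksum(bytes(packet[:ihl])))
    return build_frame(router_mac, next_hop_mac, bytes(packet))


if __name__ == "__main__":
    # Constructed addresses and payload.
    pkt = build_ipv4_packet("192.168.1.10", "10.20.30.40", b"hello")
    frame = build_frame("aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02", pkt)
    print(parse_frame(frame))
    print(parse_frame(forward_one_hop(frame, "00:11:22:33:44:55", "66:77:88:99:aa:bb")))
```

Run it and compare the two printed dictionaries: the MAC addresses and the TTL differ, the IP addresses and payload do not. That is the whole distinction the post is reaching for, and it is also why a MAC address on a captured frame tells you only about the last hop, never about the original sender.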



High speed p2p connection in urban nlos environment

Hi,

I'm looking for a way to wirelessly bridge two locations that are about 500m away from each other in an urban environment (plenty of buildings on the way). I looked at Motorola Canopy as a potential solution, but not sure how effective it would be in such a setup. Any other ideas out there?

Thanks



At what point is MTBF (mean time between failure) so large that it doesn't justify a support contract and/or shelf spare?

I realize this is a purely subjective post, but I was recently noting the MTBF for some devices and they are like half a century. Cisco 2960X 48-port switch is 442,690 hours between failure, which according to my calculations is over 50 years!

I realize there are mission critical cases where you can never be without a spare or support contract, but how do you make that judgement call? There's no way these things will be in service 50 years from now, and that's just the mean, some could last far longer. Is redundancy even needed (for other than load balancing)? Is there other information that can be used in combination with MTBF to determine probability of failures?
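The "over 50 years" reading of the MTBF in the post is the common misunderstanding: MTBF is a population average under a constant-failure-rate model, not the expected life of one box. Treating the quoted 442,690 hours as an exponential failure rate lets you compute the numbers that actually drive the spare-or-contract decision: the chance that a given switch fails within its service life, the number of failures to expect per year across a fleet, and the outage hours that follow from how long a replacement takes to arrive. The following is an added example (not from the post or from Cisco); the fleet size, service life and restore times are assumptions chosen for illustration, and the model ignores infant mortality, wear-out, power supplies, fans, firmware and environment, all of which the datasheet MTBF also ignores.

```python
"""What an MTBF figure implies for a fleet (added example, exponential model)."""
import math

HOURS_PER_YEAR = 8760
MTBF_2960X_HOURS = 442_690  # figure quoted in the post


def mtbf_years(mtbf_hours: float) -> float:
    """The 'half a century' number: MTBF expressed in years."""
    return mtbf_hours / HOURS_PER_YEAR


def annualized_failure_rate(mtbf_hours: float) -> float:
    """Fraction of a large population expected to fail per year."""
    return HOURS_PER_YEAR / mtbf_hours


def p_at_least_one_failure(mtbf_hours: float, years: float, units: int = 1) -> float:
    """P(at least one of `units` devices fails within `years`).

    Exponential model: each unit survives t hours with probability
    exp(-t / MTBF); the units are independent, so the exposures add.
    """
    exposure_hours = years * HOURS_PER_YEAR * units
    return 1.0 - math.exp(-exposure_hours / mtbf_hours)


def expected_failures(mtbf_hours: float, years: float, units: int = 1) -> float:
    """Mean number of failures across the fleet over the period."""
    return years * HOURS_PER_YEAR * units / mtbf_hours


def expected_outage_hours(mtbf_hours: float, years: float, units: int,
                          hours_to_restore: float) -> float:
    """Expected cumulative downtime: failures multiplied by time to restore."""
    return expected_failures(mtbf_hours, years, units) * hours_to_restore


def fleet_summary(mtbf_hours: float = MTBF_2960X_HOURS, units: int = 50,
                  service_years: float = 5.0) -> dict:
    """Assumed fleet of 50 switches kept in service for 5 years."""
    return {
        "mtbf_years": mtbf_years(mtbf_hours),
        "afr": annualized_failure_rate(mtbf_hours),
        "p_one_unit_fails": p_at_least_one_failure(mtbf_hours, service_years, 1),
        "p_any_unit_fails": p_at_least_one_failure(mtbf_hours, service_years, units),
        "failures_per_year": expected_failures(mtbf_hours, 1.0, units),
        # Assumed restore times: on-site shelf spare vs next-business-day contract.
        "outage_hours_shelf_spare": expected_outage_hours(mtbf_hours, service_years, units, 4),
        "outage_hours_nbd_contract": expected_outage_hours(mtbf_hours, service_years, units, 24),
    }


if __name__ == "__main__":
    for key, value in fleet_summary().items():
        print(f"{key:28s} {value:10.4f}")
```

With the post's figure the per-unit annualized failure rate is about 2%, so one switch has a roughly 9% chance of failing in a 5-year life, but a fleet of 50 sees close to one failure a year and is almost certain (over 99%) to lose at least one unit over those 5 years. The decision is therefore not "will it fail" but "how long can the site stay down when it does", which is the restore-time term; MTBF alone never answers that.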



Which always on vpn client is your org using?

My org may be required to have users always VPN/tunnel traffic back to our org to be processed by our PA 820 firewall (6 months old). We currently have an upstream Cisco ASA with AnyConnect (basic VPN, not the one with host detection and always-on functionality). The Palo Alto also has GlobalProtect VPN that can do an "always on" setup. We are a 70% OSX / 30% PC laptop shop, so working with both Windows and OSX is a requirement.

Recently I got to troubleshoot a client's Windows 7 system with an always-on Cisco AnyConnect and I was dissatisfied with its setup. Basically, we changed our guest password, and AnyConnect wouldn't stop trying to use the old one despite me going in and updating the Windows wireless setup, nor did it ever throw an error on the screen to tell the user that the password was wrong. It would just connect and immediately disconnect in the system tray of the laptop. I did note that Windows was managing wireless settings, so I don't know if that should have been disabled or not.

So what is your org using between Cisco and PA's VPN or is there a better one we should consider (that is not cloud based)?



S2S Azure VPN to Dual WAN failover

I'm setting up a failover WAN on a Zyxel USG 40 and would like to know if anyone has experience with making a S2S Azure VPN work seamlessly with the failover? Both WANs have separate statics.

Thanks



Does anyone have any issues using the windows appliance in gns3?

For example: after I start the windows 10 and enter the console it displays "no bootable device" at the bottom. If you experienced this and resolved the issue can you explain what you did.



Connection time outs through dmvpn vpn

Hello Team,

We have a dmvpn network and our office is experiencing timeouts during working hours.

    Reply from 172.xx.yy.235: bytes=32 time=34ms TTL=126
    Reply from 172.xx.yy.235: bytes=32 time=33ms TTL=126
    Reply from 172.xx.yy.235: bytes=32 time=33ms TTL=126
    Reply from 172.xx.yy.235: bytes=32 time=33ms TTL=126
    Reply from 172.xx.yy.235: bytes=32 time=33ms TTL=126
    Request timed out.
    Request timed out.
    Reply from 172.xx.yy.235: bytes=32 time=47ms TTL=125
    Request timed out.
    Request timed out.
    Reply from 172.xx.yy.235: bytes=32 time=47ms TTL=125
    Reply from 172.xx.yy.235: bytes=32 time=49ms TTL=125

When I begin troubleshooting I notice that the problem starts around 9:30 AM and lasts until 5:00, which leads me to believe that a workstation in the company is causing the issue.

It only happens here at our office.

The tunnel from our office is generated with a Cisco 1941 router and is also connected to a Cisco ASA 5508-X

The FireWall does the ISP Fail-over for the router's tunnel. So if one ISP fails the tunnel switches the connection to the secondary ISP.

The problem with these timeouts is with the Citrix sessions. We need to restart them all day long....

Any advice much appreciated.

Thank you!
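Before blaming a workstation, it is worth extracting everything the ping output in the post already says. The following is an added example (not from the poster) that parses Windows `ping` output into probes, then reports loss, loss bursts, per-TTL average round-trip time, and any change in the reply TTL. The sample is the post's own output. A TTL that drops by one between replies means the return path gained a hop, and in the post the loss bursts sit exactly around that change and the RTT rises by about 14 ms afterwards; with a firewall doing ISP failover for the tunnel, that pattern is consistent with the path flipping rather than with a busy host, and it is cheap to check before anything else.

```python
"""Summarise Windows ping output: loss bursts and TTL/path changes (added example)."""
import re
from statistics import mean

_REPLY = re.compile(r"Reply from (\S+): bytes=(\d+) time[=<](\d+)ms TTL=(\d+)")
_TIMEOUT = "Request timed out."

# The ping output posted above (destination masked by the poster).
SAMPLE = """\
Reply from 172.xx.yy.235: bytes=32 time=34ms TTL=126
Reply from 172.xx.yy.235: bytes=32 time=33ms TTL=126
Reply from 172.xx.yy.235: bytes=32 time=33ms TTL=126
Reply from 172.xx.yy.235: bytes=32 time=33ms TTL=126
Reply from 172.xx.yy.235: bytes=32 time=33ms TTL=126
Request timed out.
Request timed out.
Reply from 172.xx.yy.235: bytes=32 time=47ms TTL=125
Request timed out.
Request timed out.
Reply from 172.xx.yy.235: bytes=32 time=47ms TTL=125
Reply from 172.xx.yy.235: bytes=32 time=49ms TTL=125
"""


def parse_ping(text: str) -> list:
    """Return one entry per probe: None for a timeout, else (rtt_ms, ttl)."""
    probes = []
    for line in text.splitlines():
        line = line.strip()
        match = _REPLY.match(line)
        if match:
            probes.append((int(match.group(3)), int(match.group(4))))
        elif line == _TIMEOUT:
            probes.append(None)
    return probes


def summarise(probes: list) -> dict:
    """Loss, consecutive-loss bursts, RTT per TTL, and TTL changes between replies."""
    lost = sum(1 for p in probes if p is None)

    bursts, run = [], 0
    for p in probes:
        if p is None:
            run += 1
        elif run:
            bursts.append(run)
            run = 0
    if run:
        bursts.append(run)

    ttl_changes, last_ttl = [], None
    rtt_by_ttl = {}
    for index, p in enumerate(probes):
        if p is None:
            continue
        rtt, ttl = p
        rtt_by_ttl.setdefault(ttl, []).append(rtt)
        if last_ttl is not None and ttl != last_ttl:
            ttl_changes.append((index, last_ttl, ttl))   # probe index, old, new
        last_ttl = ttl

    return {
        "sent": len(probes),
        "lost": lost,
        "loss_pct": 100.0 * lost / len(probes) if probes else 0.0,
        "loss_bursts": bursts,
        "ttl_changes": ttl_changes,
        "avg_rtt_by_ttl": {ttl: mean(rtts) for ttl, rtts in rtt_by_ttl.items()},
    }


if __name__ == "__main__":
    for key, value in summarise(parse_ping(SAMPLE)).items():
        print(f"{key:16s} {value}")
```

Collect the same output over a full day (ping -t redirected to a file) and run it through `summarise`; if every loss burst coincides with a TTL change, look at the firewall's failover logs for the tunnel, not at the workstations.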



Understanding the 9500 series switches/port types

I've been looking at the documentation on this page:

https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9500-series-switches/data_sheet-c78-738978.html

For the switch, C9500-24Q, and it says it has 48x10 gig ports, or 96x10gig ports with a breakout cable.

I'd like to know, does this just use QSFP+s, and are these SFPs compatible with regular OM3/OM4 fibre? If not, tell me what fibre you use. In the previous-gen switches, you'd just buy 10GBASE-SR and 10GBASE-LR optics and run regular OM3 fibre between them. I'm trying to figure out what's changed.

Additionally, what is the breakout cable, and how does this expand this switch from 24x10gig ports to 48x10gig ports?



Pre-wiring Basement

I’m running Ethernet in my basement and I’ve got a few places where I have to pass by or even run parallel with electrical lines, is this a problem? Do I need something to block for interference? I’m not using the same holes and trying to keep them apart but I’ve got a spot over a doorway that will be about 3-4 feet that ideally they could run very closely but don’t want to create a headache later, thoughts?

I thought about wrapping the Ethernet in this?

TitanRF Faraday Fabric // EMI Shielding, RFID Shielding, Cell Phone Block, WiFi Block, Bluetooth Block. MILITARY GRADE SHIELDING FABRIC (44" x 36"/11sq. ft./1.22 Sq. Yds.) + 12"L CONDUCTIVE ADHESIVE https://www.amazon.com/dp/B01M294MGK/ref=cm_sw_r_cp_api_HZ-MBbXZJRT89



Cisco MQC auto QoS

I've not had to work much with QoS, so I'm trying to understand the MQC auto QoS implementation on IOS XE and how I would go about replacing/simplifying the complexity of the configuration applied when auto qos trust is applied to an interface.

The following configuration is generated; could someone explain the questions below?

    policy-map AutoQos-4.0-Output-Policy
     class AutoQos-4.0-Output-Priority-Queue
      priority level 1 percent 30
     class AutoQos-4.0-Output-Control-Mgmt-Queue
      bandwidth remaining percent 10
      queue-limit dscp cs2 percent 80
      queue-limit dscp cs3 percent 90
      queue-limit dscp cs6 percent 100
      queue-limit dscp cs7 percent 100
      queue-buffers ratio 10

Can someone explain the function of queue-limit in the class AutoQos-4.0-Output-Control-Mgmt-Queue?

     class AutoQos-4.0-Output-Multimedia-Conf-Queue
      bandwidth remaining percent 10
      queue-buffers ratio 10
     class AutoQos-4.0-Output-Trans-Data-Queue
      bandwidth remaining percent 10
      queue-buffers ratio 10
     class AutoQos-4.0-Output-Bulk-Data-Queue
      bandwidth remaining percent 4
      queue-buffers ratio 10
     class AutoQos-4.0-Output-Scavenger-Queue
      bandwidth remaining percent 1
      queue-buffers ratio 10

Is the bandwidth allocated supposed to match the queue-buffers? If so why are the queue buffers over specced for Scavenger class?

     class AutoQos-4.0-Output-Multimedia-Strm-Queue
      bandwidth remaining percent 10
      queue-buffers ratio 10
     class class-default
      bandwidth remaining percent 25
      queue-buffers ratio 25

Is the bandwidth in the priority queue reserved (i.e. cannot be used by any other class), or is it available for SRR like the others allocated via bandwidth remaining?



Diversity with folded fiber?

We got a quote from our ISP for internet with diversity and redundancy. They gave two options, the first is POP diversity, but the second option is half price and says "diversity with folded fiber" on the quote. I've googled this and all that comes up is DNA or proteins nothing relating to internet. I've never heard of this, so will ask of course but thought I'd check if anyone knows what this means first.



Unable to PXE boot when plugged into wall port

I'm not sure if this is the correct sub, but I've posted in /r/sysadmin and didn't get much feedback and I think it may be a network issue after further investigation.

I have a tablet that I'm unable to PXE boot whenever I plug the tablet directly into the wall port. However, if I plug a 5 port unmanaged switch into the wall, and run a cable from that switch to the tablet, I'm able to PXE boot just fine.

The error I'm given when plugged into the wall is 'No such file or directory exists.' The file does exist, as I can navigate to the share and I see it (also because the switch workflow works). This is an entirely flat network, so no VLANs, and everything is on the same subnet. The switch does pull a valid DHCP address from our subnet too when it's plugged directly into the wall.

Here's a diagram showing 2 scenarios. The left one doesn't work, but the right does.

https://imgur.com/a/U7qXLYX

Any ideas?

Edit: I think I found the issue, but I don't know why this is the case.

The tablet (specifically a Getac RX10) will not PXE boot when plugged into the wall. A normal laptop (Lenovo T450, Dell E5580) will PXE boot fine when plugged into the wall. So it must be something with the tablet that doesn't allow it to respond unless it's plugged into the unmanaged switch. But I'm not sure why.



HP Aruba training

Hi all! I just started a position with a new organization this week and life is MUCH better now. I am getting better pay, better benefits, more budget, better team, less stress, etc. My previous org had Cisco at almost all levels (R+S, Wireless, and some firewalls). My new org only has a pair of Cisco ASAs, but they want to phase those out for Palo Alto soon. They currently use Brocade, but are quickly moving to HP Aruba for switching on top of their Aruba wireless.

Where can I go for HP Aruba training? Looks like they have a certification program similar to CCNA etc. Where should I start? So far I like Aruba's wireless platform a lot more than Cisco. Their switching platform seems just fine too.

Bonus: Where can I find training for Arista too?



Smart Looking Glass

Can anyone recommend a tool that collects routing tables and has the ability to track changes to those tables over time?



FMCv - Check DHCP lease/bindings ?

Hi!

I'm trying to find this information in the GUI but I only seem to find how to create scopes, nothing more. I would like to see what addresses are used and etc. I could probably ssh into the FTD and do a show dhcp bindings or something like that.

Am I just blind or is it hidden under some menu? Any help would be appreciated.



Best Practices for Managing 2.4GHz and 5.0GHz Bands?

I work for a small business and we just have one SSID for production and one for guest/IoT that allow both 2.4 and 5.0. Most all our devices are 5.0 capable, just a few random things that are only 2.4 capable.

The problem is that we recently started deploying Surface Pro laptops and they are frequently connecting on 2.4, and the 2.4 in our area is crap. We have lots of neighbors and sometimes the 2.4 band gets maybe 2-10 Mbps. 5.0 easily gets a couple hundred Mbps. We have a dozen or more different laptop models and whenever I audit which devices are connecting on 2.4 the only Windows 10 devices are Surface Pros.

From what I found the Surface Pro issue is common and there's not an end-user device solution other than to disable 2.4, but I'm sure a lot of users have only 2.4 at home so that is not an option. The only other solution that I can think of is to create a new production SSID that allows 5.0 only. Not counting user training issues, what are the pros and cons of doing that? Or is there some other way to force a Win 10 computer to use 5 GHz whenever possible? Our APs are Aruba IAPs.



Can't get AIR-AP1562E-B-K9 to join Cisco 5508 Controller

We have just started using the AIR-AP1562E-B-K9 model outdoor WAPs and when checking the AP Join statistics I get this message, Received Discovery request and sent response. They never complete the join process to be configured the rest of the way. The ports are configured correctly as I have three 3802s that are joined and happy configured the same way. These were new in box and were not plugged in until installed. We tried mimicking the Mesh AP setup we have for a different location but cannot get them to join the controller. I feel like there are steps I am missing but the Cisco Wireless Controller Configuration Guide, Release 8.7 is not getting me the right answers. Any help or guidance on where to look would be greatly appreciated.



UniFi BaseStation XG

Had a project pop up and will need very high density for a specified area in an outdoor environment.

https://www.ubnt.com/unifi/unifi-wifi-basestation-xg/

https://blog.ubnt.com/2018/07/10/ubiquiti-wi-fi-performance-at-fedexforum/

Anybody on here deployed any of these yet?

I'm usually kinda jittery of 1st year Ubnt products on the software end, but the pricing is very very hard to beat.



Does 802.1q under C-Vlan affect Flooding method?

Hi, just want to ask for your input on the scenario below.

Sample topology:

SiteA ----(ProviderA)-----(ProviderB)-----SiteB

Site A is sending unicast and multicast traffic.

Issue: traffic is not being sent to SW2 pointing to Site B (primary traffic is multicast).

#sh int g1/1

  30 second input rate 1179 bits/sec, 1283 packets/sec

  30 second output rate 0 bits/sec, 0 packets/sec

  1. At first Site A was sending untagged frames via the partner and provider to Site B, which had no issue, but when they tried sending tagged frames to Site B, it seems the switch is not sending any traffic to Site B.

Q: Do you think it affects the frames being sent to Site B? Since QinQ is applied on SW01, an additional header has been inserted, so I think the C-Tag will not affect this?

  2. In the scenario of flooding methods like unicast, multicast & broadcast, does the above-mentioned scenario affect the behaviour of the flooding mechanism?

#sh int g1/1

Received 0 broadcasts (0 IP multicasts) <- based on the interface output of switch2, broadcast and multicast are not increasing. (Note that the primary traffic of this list is multicast.)

  3. From RT VC statistics (pointing to SW2)

VC statistics:

    transit packet totals: receive 23901162939, send 111031102 <- Increasing

    transit byte totals:   receive 32752316549739, send 14447377651 <- Increasing

    transit packet drops:  receive 4417, seq error 0, send 0 <- Not Increasing

  4. If MTU is a factor, both RTR and SW are configured with more than the default value.

  5. From show interface, what is the difference between the 2 multicast outputs?

Received 0 broadcasts (0 IP multicasts) <--- Multicast here?

     0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

     0 watchdog, 19625 multicast, 0 pause input <--- Multicast here?

What verification do you think should be done? Any ideas?

Thanks



load-sharing across wan links - lacp, ospf, or eigrp.

The scenario is two offices about 18 ms apart connected with two 100M private lines using low-end Catalyst switches with ip-base licenses. Some voice traffic, but mostly file sharing and Internet traffic.

Would you choose to load-share using LACP or a routing protocol - or not at all?



SSH via anyconnect issue

I'm a bit lost on this. For some reason I'm suddenly not able to SSH into any of our devices when connected via AnyConnect.

I see the SSH going through our firewall, so it's not being blocked, but it's just hanging and not prompting for a username.

We are running AnyConnect 4.6.02074, and 9.6(4)12 on our 5585 ASA. I'm running Win10 on my PC.

When SSHing from the LAN there are no issues.

Anyone with any ideas what could be the issue?

It worked fine the last time I was working out of the office; the only things that have changed are that I'm now on a Win10 machine, and we were running AnyConnect 4.5 last time. Already tried rolling back to that but the issue remains.



"Best IT Networking Training in Delhi" | NGIT Global

The Best IT networking training in Delhi is given by NGIT Global to the applicants separated from enrolling them. Best IT Networking Training



Thursday, September 13, 2018

Is QUIC beneficial to application-level protocols other than HTTP?

So I'm doing some background reading on QUIC and it seems that the main motivation and use case for QUIC is to speed up HTTP applications and especially HTTP 2. Is there any other application-level protocol that can benefit from the features of QUIC (e.g. bundle TLS handshake, use different data flows over the same QUIC connection)?



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



College

I'm going to college next year for networking and security, any suggestions or tips? :)



Configuring Fritz 7490 for a fibre connection

To simplify, these are the network adapter settings in Windows which work when I connect a PC directly to the NTU:
https://ibb.co/mtpYQU

I am trying to configure a Fritz 7490 to make use of the same settings.

I spoke with the ISP and they suggested I need to configure static routes etc.

I understand routers are configured differently to Windows, but it shouldn't be this hard to configure a Fritz when it literally took me 20 seconds to configure the same via Windows.



Cisco ASA 5506 went to Default Config

So a strange situation happened. The network went down, and the cause of the network going down is that the config got lost and the 5506 went to the default config, running the first matched asaos.

Of course syslog is non-existent, so we can't trace logs prior to the incident.

Device definitely wasn't susceptible to this vulnerability: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1 but was susceptible to this one: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-asaftd

In the 100s of 5506s we deployed, this is the first incident of this nature. Everything suggests that someone physically tampered with the reset button.

Obviously I am not asking here what happened but I am curious if anyone else experienced an incident where 5506 went to as-shipped configuration.



JNCIA-Junos compared to CCNA.

Hi all,

I have passed my CCNA last year (on the 4th attempt) and about to start my studying for JNCIA.
My question: What are the main things that JNCIA has and CCNA does not? I kinda wanna cut this short, because I know loads of stuff like OSI, subnetting are also included in this exam, which I already know of.

Thanks



Continuous Integration as a job?

Hello good people of Networking,

I got a job offer as a sales rep at a company called CircleCI; they provide continuous integration. I'm trying to understand how big the market for CI is and how valuable it is to developers. Do you developers think CI is a big market? Does it provide tremendous value to developers?

I'm only asking because I want to join and work for a company where I can stay for the long run and not jump around. I'll probably take the job offer if I get some confirmation.

Cheers,

Daniel



Ethercon over wifi

Good day all, so I was wondering if it was possible to use 2 routers in place of one super long Cat6 cable. At a live event, all sound from a sound board goes over an Ethernet cable that is like 60 feet, and people trip on it a lot. Would it be possible to do this with 2 routers instead? (Other WiFi interference is not a variable, that's been taken care of.)



Stupid Idea but I need to try it out anyway - Routing

I'm working as a Sr Network Engineer at an MSP.

We're deploying cloud based VoIP phones for many of our customers. Some of whom seem to have inefficient routes getting to the PBX host.

What I would like to attempt is to house an older Cisco 2600 series router in our data center which has access to different ISP PoPs and "bounce" traffic off of that router and send it on its way to the PBX host.

[Polycom Phone] -> [On Prem F/W with DNAT] ----redirected flow to DC router----- [DC Cisco Router SNAT ] ----- [Cloud PBX]

My thinking is, by doing this, it would prove one way or another that the particular route the traffic is taking is having an effect either by latency or by QoS past the edge of the internal network .

My experience with cisco is fairly old as I work in a Sonicwall / Dell shop and only get to dig into cisco gear once in a blue moon. I would appreciate input and / or other solutions to test.

Thank you.



C2610 boot issue: Anyone know the cause?

A friend of mine gave me a rack of 3 Cisco 2600 model routers. I'm having a boot issue with one of them, unsure what the problem is. Could it possibly be a bad WIC card? Or maybe even a dead router?

Also, from rommon mode, is there a way to rip the IOS for a backup? Because I'd like to keep that IOS version and put another version on. I posted the boot code below:

Any ideas or recommendations are appreciated.

System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1) Copyright (c) 1999 by cisco Systems, Inc. TAC:Home:SW:IOS:Specials for info C2600 platform with 65536 Kbytes of main memory program load complete, entry point: 0x80008000, size: 0xf69358 Self decompressing the image : ####################################################################################################################################################################################################################################################### [OK] Smart Init is enabled smart init is sizing iomem ID MEMORY_REQ TYPE 0000A2 0X00103980 C2600 Dual Fast Ethernet 000381 0X0004FE00 Content Engine NM (NM-CE/BP) 0X00098670 public buffer pools 0X00211000 public particle pools TOTAL: 0X003FCDF0 If any of the above Memory Requirements are "UNKNOWN", you may be using an unsupported configuration or there is a software problem and system operation may be compromised. Rounded IOMEM up to: 3Mb. Using 6 percent iomem. [3Mb/64Mb] Restricted Rights Legend Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013. cisco Systems, Inc. 170 West Tasman Drive San Jose, California 95134-1706 Cisco IOS Software, C2600 Software (C2600-ADVSECURITYK9-M), Version 12.4(8), RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2006 by Cisco Systems, Inc. 
Compiled Mon 15-May-06 14:17 by prod_rel_team Image text-base: 0x80008098, data-base: 0x818B28B4 00:00:09 UTC Fri Mar 1 2002: Unexpected exception to CPUvector 200, PC = 0x801A9D18, LR = 0x801A9D04 -Traceback= 0x801A9D18 0x801A91E0 0x801A89C0 0x80628A78 0x80628B80 0x8061E8EC 0x801A5C1C 0x801A5D8C 0x81472C24 0x808FC8D4 0x808FCBA4 0x8060FB58 0x80613004 CPU Register Context: MSR = 0x00009032 CR = 0x53000035 CTR = 0x801A9CD8 XER = 0xA000BF03 R0 = 0xC0000000 R1 = 0x829DEAE0 R2 = 0x825F0000 R3 = 0x00000003 R4 = 0x00000004 R5 = 0x00000000 R6 = 0x825F0000 R7 = 0x68010000 R8 = 0x00000003 R9 = 0xFFFFFFFF R10 = 0x00009032 R11 = 0x82600000 R12 = 0x33000035 R13 = 0xFFF48A24 R14 = 0x808FCB60 R15 = 0x00000000 R16 = 0x00000000 R17 = 0x00000000 R18 = 0x00000000 R19 = 0x00000000 R20 = 0x00000000 R21 = 0x00000000 R22 = 0x00000000 R23 = 0x00000000 R24 = 0x00000000 R25 = 0x00000000 R26 = 0x829DEB10 R27 = 0x00000000 R28 = 0x68000000 R29 = 0x68004000 R30 = 0x00000004 R31 = 0x00000000 Free space check for flash:crashinfo_20020301-000009 failed (912/1295) Free space check for flash:crashinfo_20020301-000009 failed (912/1295) Free space check for flash:crashinfo_20020301-000009 failed (912/1295) === Flushing messages (00:00:09 UTC Fri Mar 1 2002) === Queued messages: *** System received a Bus Error exception *** signal= 0xa, code= 0x200, context= 0x827dba60 PC = 0x801a9d18, Vector = 0x200, SP = 0x829deae0 



Does tagging/untagging affect flooding methods?

Hi,

Does tagging/untagging affect flooding methods like unicast, multicast?

Topology:

CLient site 1 ----PROVIDERA-----PROVIDERB-------- CLient site 2

The client says that after changing the untagged interface to tagged, multicast doesn't work.

But the "provider B" interface shows that the switch interface multicast rate is increasing.

prov.2#sh interface GigabitEthernet1/1 | i multicast

Received 25894387662 broadcasts (124583820 multicasts)

prov.2#sh interface GigabitEthernet1/1 | i multicast

Received 25894397103 broadcasts (124593261 multicasts)

Thank you
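The two posts above that quote `show interface` counters ("Does 802.1q under C-Vlan affect Flooding method?" and this one) both reason from whether a counter moved between two samples. As an added example, not code from either post, here is a small Python parser that pulls the broadcast, multicast and error counters out of that output (both the filtered `| i multicast` form and the full form with the `watchdog, ... multicast` line), computes the change and per-second rate between two samples taken a known interval apart, and reports `None` instead of a negative rate when a counter was cleared or wrapped. The two `prov.2` samples from the post are embedded as constructed input; the 10-second interval is an assumption, since the post does not say how far apart they were taken. The two multicast figures are kept under separate names because they are separate counters in the output; the parser does not decide what each one counts.

```python
import re

# Constructed samples: the two `show interface GigabitEthernet1/1 | i multicast`
# outputs quoted in the post above, plus counter lines in the full
# `show interface` style from the other post, as a second format to handle.
SAMPLE_T0 = "Received 25894387662 broadcasts (124583820 multicasts)"
SAMPLE_T1 = "Received 25894397103 broadcasts (124593261 multicasts)"
SAMPLE_FULL = """\
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 19625 multicast, 0 pause input
"""

# Each counter is matched on its own so partial output (a `| include` filter)
# still parses; the two multicast figures get distinct names.
COUNTER_PATTERNS = {
    "broadcasts": re.compile(r"Received (\d+) broadcasts"),
    "multicasts_in_broadcast_line": re.compile(r"\((\d+) (?:IP )?multicasts\)"),
    "multicast_in_watchdog_line": re.compile(r"(\d+) multicast,"),
    "input_errors": re.compile(r"(\d+) input errors"),
    "crc": re.compile(r"(\d+) CRC"),
}


def parse_counters(output):
    """Extract whichever known counters appear in one show-interface sample."""
    found = {}
    for name, pat in COUNTER_PATTERNS.items():
        m = pat.search(output)
        if m:
            found[name] = int(m.group(1))
    return found


def counter_deltas(before, after, interval_s):
    """Change and rate per counter between two samples interval_s apart.
    A negative change means the counter was cleared or wrapped between the
    samples; report None rather than a misleading negative rate."""
    if interval_s <= 0:
        raise ValueError("interval must be positive")
    deltas = {}
    for name in sorted(before.keys() & after.keys()):
        change = after[name] - before[name]
        if change < 0:
            deltas[name] = {"delta": None, "per_sec": None}
        else:
            deltas[name] = {"delta": change, "per_sec": change / interval_s}
    return deltas


def is_increasing(deltas, name):
    """The '<- Increasing' annotation from the post, made mechanical."""
    d = deltas.get(name)
    return bool(d and d["delta"])


if __name__ == "__main__":
    before = parse_counters(SAMPLE_T0)
    after = parse_counters(SAMPLE_T1)
    for name, d in counter_deltas(before, after, 10).items():
        print(f"{name:30} delta={d['delta']} per_sec={d['per_sec']}")
    print(parse_counters(SAMPLE_FULL))
```

On the two quoted samples both the broadcast and the parenthesised multicast counter move by exactly 9441, which is the kind of observation worth confirming with a known sampling interval before concluding anything about what the far end is or is not receiving.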



Ethernet Automatic Protection Switching (EAPS) equal technology in other vendors

EAPS is an Extreme Networks proprietary protocol. I want to know if there is an IEEE open protocol that matches this protocol and if there is one for other vendors. Is there interoperability? Or, like PAgP and LACP, can we use one flavor?



IP Scanner populating devices that do not exist in the entire range

Recently my team and I noticed that doing a remote IP scan will display all devices within the range of the scan, regardless of whether there is such a device. For instance, if I did a scan of the range 192.168.1.1-192.168.1.254, all IPs from .1 to .254 will be displayed. For devices that do not exist, I am not able to ping them even though the IP scanner states they exist.

If I do the scan on a computer within the same network, it will display the proper IPs correctly. At the moment I think the issue is with SDWAN (which is installed on all sites).

Just wondering if it could be something else that I am missing.



Imagine, for a moment, that Ford owned the road to your house.

When the automobile was becoming prominent, the government allowed private companies (like Ford) to build and own the city roads and highways, instead of building them with taxpayer money and keeping them as a public utility.

Fast-forward to now where all the roads used by the public are still built and owned by the car manufacturers; you pay a $2 fee to Ford to use the road each time you drive to and from your house.

You regularly visit Costco down the street to buy groceries, but Ford has decided to get into the grocery store business and has set up a new retail store next to Costco.

To prevent anti-competitive behavior, the government created rules requiring Ford to continue to charge you the same amount of money for use of the roads regardless of your destination when you drive on them.

These rules have been recently dropped and Ford can now charge you $2 to drive to the Ford grocery store, and $10 if you want to drive to Costco instead.

Ford = ISPs, Costco = Online Services like Netflix, and those rules that were dropped... were the Net Neutrality rules.

I thought of and have used this analogy for a while now to explain Net Neutrality to people who don't understand the internet.



Expressroute monitoring

https://ift.tt/2MvazaN

Easiest Way to Monitor User with Dynamic IP assignment?

Network Engineer at a university. Have a CS student that is engaging in some potentially sketchy business for an "independent study". Is mostly on our wireless networks, BYOD with DHCP assignment. Want to monitor his activities.

Things at my disposal:

  • FortiGate 60E firewall
  • Aruba Airwave
  • Aruba ClearPass NAC
  • PRTG
  • Some Python scripting exp.

Any advice?



For those looking for Ethernet Unmanaged Switch, Amazon has NETGEAR 24-Port Gigabit Ethernet Unmanaged Switch, Desktop/Rackmount on 38% discount today.



Is it possible to connect to a console port on a Cisco equipment without a serial port, using only Ethernet?

I have three pieces of Cisco hardware (ASA 5505, 1800 series, and a Catalyst 3560) and I have a Cisco console cable, and my own rollover cable (RJ45->RJ45).

Problem being, I have no access to a computer with a serial port. Of course I could order an adapter, but I'd like to figure this out software wise. Why is it that I cannot find a driver or a piece of software to make my ethernet port function as a com port without a piece of hardware? Without ground, DB-9 is only 8 pins, much like the RJ-45 standard.

Can anyone suggest a work-around?



What happened with the Spectrum Auction?

Seems like a long time ago. Are there any technologies out there that are using these bands? Seems like something should have happened by now.



Security risks for Layer 3 switches accessible via VPN?

I'm learning about networking, so bear with me here, can you help a novice? This is probably a very simple question but I'd like to hear some expertise on the subject.

I got into a debate with someone about the security risks of a network that you can only get to remotely through a VPN. The network is comprised of a number of Layer 3 switches with associated Layer 2 devices and so on. The main thing we were arguing about was whether or not a password (changed from default) is necessary to secure the Layer 3 switches since they are on a private network accessible through a VPN.

My argument was that changing the password from default is simply good operational security practice. The person I was arguing with said he thinks it's not dangerous to leave the passwords at default for the Layer 3 switches. BY THE WAY, none of the passwords are default IRL, we were simply arguing about it.

I think his answer is pretty dumb but I don't know of all the various ways someone could compromise this type of network.

Among other things I pointed out that if someone gained physical access it would be trivial to hack the Layer 3 switches. So who is right? Can you help me understand what the security risks are for this type of network?

Thanks!



How to restrict WebGui access?

Hi,

I have an Aruba stack and within it there are about 2x VLANs, not the total number, and I am trying to restrict the other VLANs from reaching the WebGui.

Currently I manage the stack from my VLAN which is VLAN 12 but those on the other VLANs are also able to access the WebGui interface but they don't have the username and password.

How do I prevent the other VLANs from accessing the Aruba WebGui on https://10.50.18.1:4343?

Is there some kind of CLI that I will need to work with? If so, may I know the correct CLI that I have to type out, step by step?

I read a few methods like these ones: https://community.spiceworks.com/topic/2096193-access-web-management-from-other-vlan-on-aruba-2930f

https://community.arubanetworks.com/t5/Controllerless-Networks/Is-it-possible-to-disable-the-Web-GUI-access/td-p/223404

I don't have this: https://www.arubanetworks.com/techdocs/Instant_41_Mobile/Advanced/Content/UG_files/Roles_and_policies/ConfMgmtSubnet.htm

I'm on 3x S2500 with my FortiGate firewall above it; I don't think I will have to do anything on my FortiGate to restrict the access.

Can someone please assist me? Thank you.



IOS XR : Netflow without having to use sampling?

Is it possible to have netflow active without having to use a sampler on IOS XR?

I have it set up fine on IOS XE and this has been fine, but unless I add a sampler for IOS XE it won't apply it to the interface.

The problem we then have is if I set it to sample something like 1-in-1 CPU goes through the roof whereas if I set it to 1-in-1000 it doesn't capture all the data.

I feel like I'm missing something.

Thanks



Ipv6

Hi guys,

I'm not really proficient in hex calculation, but I can understand a moderate amount. I was reading about the global address space, and someone said it covers 1/8th of the total address space, how is that measured?
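A worked version of that calculation, added here and not part of the post: a prefix of length $p$ fixes the first $p$ bits of the 128-bit address, so it contains $2^{128-p}$ of the $2^{128}$ possible addresses and covers the fraction

$$\frac{2^{128-p}}{2^{128}} = 2^{-p}.$$

The global unicast allocation is 2000::/3, so $p = 3$ and the fraction is $2^{-3} = 1/8$. In hex, fixing the first three bits to 001 means the leading nibble is 0010 or 0011, i.e. every address whose first hex digit is 2 or 3.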



Meraki Cloud - External Radius

We have merged with another company who use Meraki WiFi; they have asked that we allow Meraki Cloud through our FW to enable authentication against our RADIUS server.

That's not a problem, but I can't find what IP addresses I need to allow through. The Meraki Dashboard isn't much help, even when clicking on the FW details page.

Has anyone got experience or able to chip in on what is needed to allow Meraki Cloud in via our FW from the internet?



I found a fellow network engineer on Tinder

https://i.imgur.com/akYO5Me.jpg

At the moment I'm getting a "request timed out" from him though...



Can some one explain the real world usage of these routing features

Hi Guys,

I am new to networking. I somehow got a job in the networking domain. (Previously I was working in a non-networking domain.)

I am finding it quite tough to understand the concepts. The networking jargon is scary.

Currently I am in the QA team, where I need to test the new features that are introduced in the router. It's an IOSXR core router.

And to test this feature, I need to know about all the following features. I tried to look at the wiki pages for these features, but still the real world usage part is not clear.

Can someone explain the real world usage for these features in a sentence ?

IGP - I know about this: RIP, OSPF and EIGRP are used to learn the networks and store the route addresses in the routing table for route lookup. So this solves almost all of our network tasks, which is finding our destination IP address.

BGP

L2VPN

L3VPN

MPLS TE

VRF

RSVP-TE

FRR

MULTICAST

P2MP

MLDP



Wednesday, September 12, 2018

outgrown network design

I work for a healthcare organization that is mainly primary care and ancillaries (Lab/Radiology/Sleep etc). The company is expanding very rapidly but still builds the network the same way they did when it was a couple of locations. We are now pushing 2k employees and 100 locations. Most of the locations only have 10-15 people in them. The hardware at most of the small sites consists of a Sonicwall TZ-300, Netgear switches, Meraki access points, with dual internet connections and a VPN back to headquarters and a backup VPN to a second "hub" site (the second site they connect to depends on their location). Most applications we use are cloud based and the internal network is mainly used for Radiology as well as Authentication/GP/Patching/Security services. The core of the network consists of ~10 bigger sites, most of which have some radiology/lab (high bandwidth) applications using larger Sonicwall appliances (I think they are 2600 and 3600 series). These hubs are primarily connected via MetroE to each other. Active Directory and RADIUS for WiFi exist at these locations for all other sites. There is not a lot of traffic between sites outside of the hubs (spokes) other than what is going to another hub.

With the current setup, the remote sites only have connectivity to a couple of subnets at ~2 hub sites that their VPNs terminate to. All of the routing is done via static routes in the Sonicwalls and there are no other routers in the network for the most part. Adding a route into the network is painful. I am looking for advice on the technology we should be evaluating for the network going forward.

I have a couple of thoughts about how we could design the network moving forward but I am very open to other thoughts:

  1. Implement a dynamic routing protocol at the hub sites (OSPF?) and change the "interesting traffic" for the remote site VPNs to be 192.168.0.0/16, 10.0.0.0/8 etc. so that they route all non-internet, not directly connected traffic back to the hubs when they don't know how to get there.
  2. Implement a dynamic routing protocol everywhere with the same as above.
  3. Dynamic routing at the core and a technology like DMVPN or similar to dynamically create VPN connections and route traffic.

Networking is not my primary function and has not been my career focus since I was a network engineer 15+ years ago. I am trying to help out the network/systems team right now as they are down a manager and network engineer and are left with primarily systems admins with limited network knowledge.

From my interaction with the CIO (I have to say Hi Jeff! since I am sure you will find this) the business needs as I understand them are:

  1. A network that can heal itself with minimal impact to end users. We put in redundant connections to the internet and redundant VPNs to cover for MetroE issues but managing the failover has been an issue.
  2. Sites to communicate with each other without having to make massive configuration changes; applications and systems that are accessible no matter where you are.
  3. A design that is easy to implement, duplicate and scale. We are growing very fast and have nearly doubled in size in the last year or two and, from what I hear, plans are to do the same in the next year or two.
  4. Since most sites are small, budget is a large factor in the technology we choose. Preferably we would accomplish this with the hardware we currently own but if not possible, we need to keep the costs down.



Charles Proxy and Wireshark decrypting TLS?

Hello. I am trying to decrypt the SSL/TLS an application is making. I have my host running Wireshark and Charles Proxy as well as the app whose packets I am trying to investigate. I have Charles Proxy proxying the host and have trusted the cert. Charles Proxy can successfully view decrypted SSL HTTPS requests. However I can't get Wireshark to decrypt anything: neither the HTTPS nor what I am really interested in, the SIP packets.

I have exported the Charles Proxy certificate and under Wireshark settings, Protocols, SSL, then RSA Key List, I set the following values: IP address: any, port: , Protocol: , Key File: /directory/to/charlesproxy/cert.p12, Password: the password that I set in Charles Proxy when exporting the cert. That did not work. I also tried using openssl to convert the cert into a .pem file so I could read the decrypted private key, then copying that into a separate file that only contained the "beginning private key" and "ending private key" part, then plugging that into the Wireshark SSL settings. However both ways yielded no results; all TLS packets still seem to be encrypted. Can someone confirm which method is correct?

The only other thing I can think of is that at one point I thought I saw some packet say the cipher was switched to EC DH, which I know Wireshark doesn't support. If I have followed the correct method for getting it to decrypt, is there any way to force the application/Charles Proxy not to use EC DH? *May have been EC DHE, I appear to not have saved that capture. Any help or advice would be appreciated, I have been scratching my head for a couple of days now!

*Please let me know if any further clarification is needed
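The question above turns on which key-exchange method the session negotiated, because that decides what input Wireshark can use. With static RSA key exchange the client encrypts the premaster secret to the server's RSA key, so the server's private key (Wireshark's RSA key list) recovers the session keys; with DHE/ECDHE, and in TLS 1.3, the session keys come from ephemeral values that the private key cannot reproduce, and the only workable route is a per-session key log (the `SSLKEYLOGFILE` convention honoured by NSS- and OpenSSL-based clients, pointed at from Wireshark's (Pre)-Master-Secret log filename preference). As an added example, not code from the post, here is a Python parser that reads the negotiated cipher suite out of a TLS ServerHello record and says which method applies. The ServerHello bytes are constructed inline for the demonstration; the cipher-suite table holds a handful of IANA-registered values, and anything outside it is reported as unknown rather than guessed.

```python
import struct

# IANA cipher-suite values and their key-exchange method. Static RSA suites
# encrypt the premaster secret to the server's RSA key; (EC)DHE and TLS 1.3
# suites derive keys from ephemeral values the private key cannot recover.
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x009D: ("TLS_RSA_WITH_AES_256_GCM_SHA384", "RSA"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC02B: ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "TLS1.3"),
    0x1302: ("TLS_AES_256_GCM_SHA384", "TLS1.3"),
}


def build_server_hello(cipher_suite, version=0x0303):
    """Construct a minimal TLS record carrying a ServerHello (constructed test
    input, not a real capture): record header, handshake header, version,
    32-byte random, empty session id, one cipher suite, null compression."""
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"
            + struct.pack("!H", cipher_suite) + b"\x00")
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return (b"\x16" + struct.pack("!H", version)
            + struct.pack("!H", len(handshake)) + handshake)


def parse_server_hello(record):
    """Pull the version and negotiated cipher suite out of a ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("record does not carry a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", body[0:2])[0]
    sid_len = body[34]                 # session id length follows the 32-byte random
    off = 35 + sid_len
    if len(body) < off + 3:
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", body[off:off + 2])[0]
    name, kx = CIPHER_SUITES.get(suite, ("unknown", "unknown"))
    return {"version": version, "cipher_suite": suite, "name": name, "key_exchange": kx}


def rsa_key_list_can_decrypt(info):
    """Wireshark's RSA key list only helps for static-RSA key exchange."""
    return info["key_exchange"] == "RSA"


def recommended_method(info):
    """Which decryption input to give Wireshark for the negotiated suite."""
    if info["key_exchange"] == "RSA":
        return "server RSA private key (RSA key list)"
    if info["key_exchange"] in ("DHE", "ECDHE", "TLS1.3"):
        return "per-session keys via SSLKEYLOGFILE / (Pre)-Master-Secret log"
    return "unknown suite; inspect the handshake manually"


if __name__ == "__main__":
    for suite in (0x002F, 0xC02F, 0x1301):
        info = parse_server_hello(build_server_hello(suite))
        print(f"{info['name']:45} kx={info['key_exchange']:6} "
              f"rsa_key_works={rsa_key_list_can_decrypt(info)} -> {recommended_method(info)}")
```

Against a real capture you would feed `parse_server_hello` the bytes of the record that Wireshark labels "Server Hello"; if the key exchange comes back as ECDHE, the RSA key list was never going to work, and the fix is on the client side (a key log), not in the Wireshark RSA settings.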



Any way to generate bulk 802.1x traffic to tshoot problems?

I've got a couple of customer sites with 8K to 10K devices hitting against ISE 2.4 and the devices just aren't consistently authenticating through these new Juniper EX4300s.

I'm not convinced ISE is my problem.

I'm pretty sure it's a firewall filter problem because when we remove the firewall filter, everything works perfectly (well, OK, the problems then become ISE, not my switches) but it's not re-creatable in my lab with just a couple of clients sending/receiving authentication. It usually seems to take a couple of switches worth (96 to 144).

The customer won't let my on-site engineer dig through the ISE logs himself and if he did, I've got just enough additional experience that I'd probably catch things he wouldn't.

I'm spitballing here. I can't logically think of a way to generate a bunch of 802.1x traffic because it all has to identify as coming from the same switches and go through the firewall filters (short of finding 96 laptops and rebooting the switch so they all try to authenticate at once and that ain't happening.)

Anyone else run into issues like this? JTAC and TAC aren't much help.

Thanks.



Does LACP between Cisco and Linux (Ubuntu 18.04.1) simply not work?

My Google-fu is failing me and this is incredibly frustrating.

I'm trying to get an LACP port-channel set up between a Nexus 7706 and an Ubuntu 18.04.1 host. Of course, the Nexus side went into "suspended" for each of the two links, because no LACP PDUs are getting through from the Linux host. Apparently this is a common problem.

The common wisdom however, is to simply do "no lacp suspend-individual" and call it a day. I'm not ok with that. If LACP PDU frames aren't getting through at all then why even have LACP? I found a Cisco doc that says on a UCS Server the solution is to change the native VLAN of the server's ports, because the PDUs are not getting through to the switch on VLAN 0, due to VLAN 0 being invalid on the switch. (https://www.cisco.com/c/en/us/support/docs/switches/nexus-9000-series-switches/118851-technote-lacp-00.html) No problem...wait...it seems that's not possible to do on Ubuntu 18.04.1, and I don't even see anyone explaining how to do it on RHEL, either. What gives? Is Cisco's implementation of 802.3ad simply not compatible with the Linux implementation? Is this simply accepted and people run link aggregation sans LACP when connecting to Linux hosts? It doesn't seem to be a useful workaround to simply force the port to come up despite no LACP frames being received by the switch.

Anyone faced this before? Any tips that I can do on the Nexus to get it to accept the PDUs from the Linux host?

It looks like the netplan YAML file doesn't have many options available, so I don't think there's much to be gained from the Ubuntu side, unless I can force the LACP PDUs to be on VLAN 1 or untagged using iptables or something similar.

plz halp!



Anyone here for big government contracting companies like GD/Booz Allen?

In regards to clearance work. I was wondering what it would be like working for such a big company, the pay, if there's more opportunities to work with the latest greatest tech. Currently at a smaller/startup company at the moment. It's pretty boring right now.



Dropped Traffic by A10 CPUs

Anyone had sporadic traffic drops by the CPUs of an A10 5400? Specifically downstream servers that point to the LB as their GW? Doesn't seem to be over-utilized. A10 is trying to say we need a bigger box like a 7400 with more cores, but that doesn't sound right to me. Anyone had this issue?



Need to network multiple identical subnets

Hi all, so I'm stuck in a situation where I have multiple identical subnets (sets of identical devices with the same IPs etc) and I need to have these talk to my primary network. Basically each set has devices with IPs 192.168.0.10, 192.168.0.20, 192.168.0.30 etc on a /24 mask. Primary network is 192.168.20.0/24 for example...

I'm thinking vrf based NAT but not 100% on what I need to do to make this happen. I'm CCNA but that was a long long time ago and I can't really think of the solution.

Cheers!



Those of you running Cisco 3750X - what's your CPU utilization?

Hello. We have a campus network with ~750 switches. Some of our switches seem to have really high CPU utilization. Usually, this is our larger stacks, (we have a few 9-stacks), but sometimes it affects medium to small stacks (we've seen it on single switches!).

Our current primary thought is that 802.1x is killing our CPU (we have to re-authenticate hourly - large stacks have lots of 802.1x sessions).... but, show commands don't support that. Also, our worst offender is only a 5 member stack - the CPU utilization is so bad, when SSHing, it feels like we're going over a satellite link, when we have ~55ms RTT. We haven't found a great correlation between any of the affected stacks.

Some hurried research shows IGMP snooping to be a culprit for many people... but we can't turn it off. TCAM utilization is nowhere NEAR 100%. And, according to the switch, the LED process is taking a huge chunk of CPU cycles.

So, what is YOUR CPU utilization? What's typical?



Question about wireless network bands

If two wireless routers operate at the same band but with different channels, then will there be interference? Even if they were for two different networks?



Learning BGP multihoming and anycasting, where to obtain IPv6 assignment?

I'm currently trying to build a simple multihomed network, and I was wondering if anyone knows of a good place to obtain roughly a /46 or /47 cheaply, as I'm on a relatively tight budget. I plan to expand this to add some anycasting with multiple PoPs, which is why I need more than a /48 (I need at least a /48 for non-anycasted, one for anycasted).

I'm in the RIPE region, and everything I've been able to find seems really over-priced (200 euros per year for a /48, for example.)

Thanks in advance.



Asking for a little advice on the best way to layout a new network.

I designed a new network for our company's recent acquisition, but I'm starting to second guess what I settled on, so I was hoping you guys might be able to guide me to the best way to do what I need.

New building. 5 IDFs connected to the MDF with MM fiber.

My original plan involved keeping three physically separate networks across the 6 strand fiber, data/APs, voice, and cameras. Basically, each IDF would have three switches for each network, each switch back to the MDF, plug the fiber into the corresponding switch. From there, the data, voice, and camera switches were going to be patched into a "main" L3 switch so they can communicate with each other.

I'm beginning to doubt my concept. Should I just VLAN? If so, what's the best way of doing that with something of this scale?

Also, I'm completely stuck on the DHCP server setup. Should I just create two new scopes (voice and cameras) to add to the existing data scope? How do I ensure the right device, such as a phone, gets the proper IP from the DHCP server residing on the data network?

Thanks so much for the help. I'm feeling in way over my head here.



Cisco REALLY wants us to keep using EIGRP /s

My company did a system-wide cutover from EIGRP to OSPF last night. This was driven primarily by interoperability between different vendors and the desire to eliminate redistribution in the network. In an attempt to have an easy backout procedure we just shut down the EIGRP process and let the routes fall back to OSPF. If something went horribly wrong we could just no shut the EIGRP process while we figured out what happened. The entire cutover was seamless with no downtime whatsoever EXCEPT for one device.

When I shut down EIGRP on an ASR1001-X everything failed over seamlessly. A few minutes later I get a text alert that this ASR has gone offline. Sure enough no reachability. I hop onto the core and the links to the ASR are hard down. A few minutes later the ASR comes back online.

Last reload reason: Critical software exception, check bootflash:crashinfo_RP_00_00_20180911-182746-CENTRAL



One ASA with two ISP with two VPN tunnels to single peer. Can I do it?

I have two sites each with a single ASA at each site. Currently each site has a single ISP with a VPN tunnel passing traffic between them. I want to get a second ISP connection with its own interface on one of the ASAs and have another VPN tunnel going to the same peer, but this one will have a different crypto map. Example -

Site A
  VPN Tunnel 1: Local public IP 1.1.1.1, Peer public IP 3.3.3.3, Local Network 172.16.1.0, Remote Network 192.168.1.0
  VPN Tunnel 2: Local public IP 2.2.2.2, Peer public IP 3.3.3.3, Local Network 10.0.0.1, Remote Network 192.168.1.0

Site B
  VPN Tunnel 1: Local public IP 3.3.3.3, Peer public IP 1.1.1.1, Local Network 192.168.1.0, Remote Network 172.16.1.0
  VPN Tunnel 2: Local public IP 3.3.3.3, Peer public IP 2.2.2.2, Local Network 192.168.1.0, Remote Network 10.0.0.1

Is this possible?



Is there a networking term for this? can a bunch of devices be hardset (automatically) for a set of IP addresses?

Is there a way to say anything iPhone gets 10.1.x.x and anything Android / Samsung gets 10.6.x.x IP address?

and also (being a newb) what is the above called? is there a term?

and then say APPLE when you go to these websites operate this way but not Android. and vice versa.



CDN Cloudflare implements a more permanent fix to their PMTUD issue on IPv6. You won't have their problematic configuration, but remember not to block relevant ICMPv6 or you'll get the same effect.

"Fixing an old hack - why we are bumping the IPv6 MTU"

  1. Cloudflare gave themselves the original problem because they're abusing Anycast for stateful TCP and relying on ECMP to make the TCP flows sticky to one or another host, but this doesn't work for ICMP packets that apply to those flows.
  2. They worked around the problem three and a half years ago by duplicating ICMPv6 to all hosts, and also by setting their sending MTU to the IPv6 minimum of 1280 bytes.
  3. Now they need a more-sophisticated fix [but they're not changing ECMP to be aware of ICMP, even though they could match ICMP payloads to a specific tuple and route appropriately].
  4. They were able to ignore this for IPv4, most probably because workarounds for broken PMTUD are borderline ubiquitous in IPv4: PMTUD blackhole discovery and TCP MSS clamping. The Linux kernel, specifically, uses Packetization Layer Path MTU Discovery (PLPMTUD) on IPv4 but not on IPv6.
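The steering problem in point 3, as an added example that is not Cloudflare's code: a parser for ICMPv6 Packet Too Big that hashes the TCP 5-tuple of the embedded original packet, so the error lands on the anycast host that owns the flow instead of wherever the outer router-to-VIP header happens to hash. The addresses, ports and frames are constructed for the demo, and the ECMP hash (SHA-256 of the tuple, modulo host count) is a stand-in for whatever the real load balancer computes.

```python
"""Steer ICMPv6 Packet Too Big (PTB) messages to the host owning the flow.

Added example, not Cloudflare's code. Shows why an ECMP hash over the outer
header of an ICMPv6 error picks the wrong anycast host, and how hashing the
quoted original packet's 5-tuple fixes it.
"""
import hashlib
import ipaddress
import struct

ICMPV6_PACKET_TOO_BIG = 2
NH_TCP = 6
NH_ICMPV6 = 58
MAX_QUOTED = 1280 - 40 - 8  # RFC 4443: error + quoted packet fit in the minimum MTU


def build_ipv6(src, dst, next_header, payload, hop_limit=64):
    """Minimal IPv6 header (no extension headers) in front of payload."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def parse_ipv6(buf):
    ver_tc_fl, payload_len, next_header, _hop = struct.unpack_from("!IHBB", buf, 0)
    if ver_tc_fl >> 28 != 6:
        raise ValueError("not IPv6")
    return {
        "src": ipaddress.IPv6Address(buf[8:24]),
        "dst": ipaddress.IPv6Address(buf[24:40]),
        "nh": next_header,
        "payload": buf[40:40 + payload_len],  # may be truncated inside an ICMP quote
    }


def icmpv6_checksum(src, dst, icmp):
    """RFC 8200 upper-layer checksum over the pseudo-header plus the ICMPv6 message.
    Returns 0 when run over a message that already carries a correct checksum."""
    pseudo = src.packed + dst.packed + struct.pack("!IxxxB", len(icmp), NH_ICMPV6)
    data = pseudo + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def flow_key(pkt):
    """Direction-independent TCP 5-tuple: both directions of a flow hash alike."""
    if pkt["nh"] != NH_TCP or len(pkt["payload"]) < 4:
        raise ValueError("only TCP flows are hashed here")
    sport, dport = struct.unpack_from("!HH", pkt["payload"], 0)
    ends = sorted([(int(pkt["src"]), sport), (int(pkt["dst"]), dport)])
    return (NH_TCP,) + tuple(ends)


def naive_outer_key(buf):
    """What a port-agnostic ECMP hash sees for an ICMPv6 error: router -> VIP, no ports."""
    pkt = parse_ipv6(buf)
    return (pkt["nh"], int(pkt["src"]), int(pkt["dst"]))


def ecmp_bucket(key, n_hosts):
    digest = hashlib.sha256(repr(key).encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_hosts


def build_ptb(router, victim, original_packet, mtu):
    """Router-generated PTB quoting as much of the offending packet as fits."""
    body = struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + original_packet[:MAX_QUOTED]
    csum = icmpv6_checksum(ipaddress.IPv6Address(router), ipaddress.IPv6Address(victim), body)
    return build_ipv6(router, victim, NH_ICMPV6, body[:2] + struct.pack("!H", csum) + body[4:])


def steer_ptb(buf, n_hosts):
    """Return (bucket, mtu): the bucket comes from the quoted flow, not the outer header."""
    outer = parse_ipv6(buf)
    icmp = outer["payload"]
    if outer["nh"] != NH_ICMPV6 or icmp[0] != ICMPV6_PACKET_TOO_BIG:
        raise ValueError("not a Packet Too Big message")
    if icmpv6_checksum(outer["src"], outer["dst"], icmp) != 0:
        raise ValueError("bad ICMPv6 checksum")
    mtu = struct.unpack_from("!I", icmp, 4)[0]
    return ecmp_bucket(flow_key(parse_ipv6(icmp[8:])), n_hosts), mtu


def demo(n_hosts=8):
    # Constructed addresses: a client, the anycast VIP, and a router on the return path.
    client, vip, router = "2001:db8:1::10", "2001:db8::1", "2001:db8:ffff::1"
    syn = struct.pack("!HHIIBBHHH", 51234, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    syn_pkt = build_ipv6(client, vip, NH_TCP, syn)
    # Server reply too large for a 1280-byte link on the way back to the client.
    reply = struct.pack("!HHIIBBHHH", 443, 51234, 1000, 2, 5 << 4, 0x18, 65535, 0, 0) + b"A" * 1400
    ptb = build_ptb(router, vip, build_ipv6(vip, client, NH_TCP, reply), 1280)
    syn_key = flow_key(parse_ipv6(syn_pkt))
    steered, mtu = steer_ptb(ptb, n_hosts)
    return {
        "owner_bucket": ecmp_bucket(syn_key, n_hosts),  # host that accepted the SYN
        "steered_bucket": steered,
        "mtu": mtu,
        "outer_key": naive_outer_key(ptb),
        "flow_key": syn_key,
    }
```

The owner bucket (hash of the client's SYN) and the steered bucket (hash of the packet quoted inside the PTB) are the same by construction of the symmetric key; the outer key of the PTB shares nothing with either, which is why hashing it sends the error to an arbitrary host.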


Cisco/Viptela Hiding Something?

https://searchnetworking.techtarget.com/news/252447930/NSS-Labs-Cisco-spat-raises-licensing-restriction-enforceability

Find it funny how top SD-WAN vendors freely gave access to their product minus Cisco/Viptela.

Sounds like they got access to the tests early on and couldn't compete so they didn't want to be humiliated.

Disappointing since they spent so much on it, guess they still need more time to integrate it.



Is there a Networking term dictionary that I am unaware of, I am tired of adding to dictionary all of the time for emails.

Title really says it all. I use Grammarly as well if that's of any help.

Edit: yea I know there is no question mark in my title.... I f**ked up.



IKEv2 VPN Cisco ASA <> Cisco ASR

Hi guys,

I'm getting crazy - looks like I'm too stupid to get a working IKEv2 VPN tunnel between a Cisco ASR and a Cisco ASA.

Maybe someone out there has an idea... I have two problems:

  1. I'm not able to initiate the tunnel from my ASR backend (ACL on ASR gets hits..)
  2. The tunnel won't come up successfully when initiating it from the ASA site (due to a NO_PROPOSAL_CHOSEN error)

Ofc, I double checked my encryption/algorithm settings for this setup - but it looks fine for me. Atm, I allowed EVERY encryption/algorithm defined on my ASR / ASA for testing - but still no matches.

I found a bug for my second problem in the Cisco Bug Search tool - but I updated the device to the suggested release which is not affected (or not detected :D)..

The config of my ASR (IP 9.9.9.9):

vrf definition ASRK001
 description IKEV2-TEST
 !
 address-family ipv4
 exit-address-family
!
crypto ikev2 proposal IKEV2-AES256-CBC-SHA256
 encryption aes-cbc-256
 integrity sha256
 group 14 15 16 19 20 21 24
crypto ikev2 proposal IKEV2-AES256-CBC-SHA512
 encryption aes-cbc-256
 integrity sha512
 group 14 15 16 19 20 21 24
crypto ikev2 proposal IKEV2-AES256-GCM-SHA256
 encryption aes-gcm-256
 prf sha256
 group 14 15 16 19 20 21 24
crypto ikev2 proposal IKEV2-AES256-GCM-SHA512
 encryption aes-gcm-256
 prf sha512
 group 14 15 16 19 20 21 24
!
crypto ikev2 policy ASR-DEFAULT
 match fvrf FDVRF
 match address local 9.9.9.9
 proposal IKEV2-AES256-GCM-SHA256
 proposal IKEV2-AES256-CBC-SHA256
 proposal IKEV2-AES256-CBC-SHA512
 proposal IKEV2-AES256-GCM-SHA512
!
crypto ikev2 keyring ASRK001
 peer ASRK001
  address 1.1.1.1
  identity address 1.1.1.1
  pre-shared-key local 1234567890
  pre-shared-key remote 1234567890
 !
!
crypto ikev2 profile ASRK001
 match fvrf FDVRF
 match identity remote address 1.1.1.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local ASRK001
 ivrf ASRK001
!
crypto map CM 1 ipsec-isakmp
 set peer 1.1.1.1
 set security-association lifetime seconds 8600
 set transform-set ESP-AES256-SHA1 ESP-AES256-SHA512 ESP-AES256-SHA384 ESP-AES256-SHA256 test TESTER
 set pfs group14
 set ikev2-profile ASRK001
 match address ASRK001
 reverse-route
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ESP-AES256-SHA384 esp-aes 256 esp-sha384-hmac
 mode tunnel
crypto ipsec transform-set ESP-AES256-SHA512 esp-aes 256 esp-sha512-hmac
 mode tunnel
crypto ipsec transform-set ESP-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec transform-set test esp-gcm 256
 mode tunnel
crypto ipsec transform-set TESTER esp-gmac 256
 mode tunnel
ip access-list extended ASRK001
 permit ip 192.168.0.32 0.0.0.31 host 192.168.178.1

The config of my ASA (IP 1.1.1.1):

crypto map outside_map 2 match address outside_cryptomap_7
crypto map outside_map 2 set pfs group14
crypto map outside_map 2 set peer 9.9.9.9
crypto map outside_map 2 set ikev2 ipsec-proposal TESTER
crypto map outside_map 2 set ikev2 pre-shared-key 1234567890
crypto map outside_map 2 set nat-t-disable
access-list outside_cryptomap_7 extended permit ip host 192.168.178.1 192.168.0.32 255.255.255.224
crypto ipsec ikev2 ipsec-proposal TESTER
 protocol esp encryption aes-gcm-256 aes-gcm-192 aes-gcm aes-256 aes-192 aes 3des des aes-gmac-256 aes-gmac-192 aes-gmac
 protocol esp integrity sha-512 sha-384 sha-256 sha-1 md5
tunnel-group 9.9.9.9 type ipsec-l2l
tunnel-group 9.9.9.9 general-attributes
 default-group-policy VPN_ASR
tunnel-group 9.9.9.9 ipsec-attributes
 ikev2 remote-authentication pre-shared-key 1234567890
 ikev2 local-authentication pre-shared-key 1234567890
group-policy VPN_ASR internal
group-policy VPN_ASR attributes
 vpn-filter value VPN_Any_Any
 vpn-tunnel-protocol ikev2
access-list VPN_Any_Any extended permit ip any any
crypto ikev2 policy 5
 encryption aes-gcm-256
 integrity null
 group 14
 prf sha512
 lifetime seconds 86400

And finally the logging while I'm trying to establish the tunnel..

Both had a debug on IKEv2 and IPSEC.

ASR:

https://pastebin.com/2mHUtMwJ

ASA:

https://pastebin.com/25nGKaEY
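NO_PROPOSAL_CHOSEN means the responder found no proposal whose every transform type it could satisfy. As an added example that is not Cisco's code, here is responder-side selection as RFC 7296 section 3.3 describes it, written so that it also reports why each initiator/responder pair failed, which the debugs above do not. The proposal sets are constructed for illustration, not lifted from the poster's configs; the mapping of the ASA's `integrity null` to "no INTEG transform" is an assumption noted in the code.

```python
"""IKEv2 proposal selection as a responder performs it (RFC 7296, section 3.3).

Added example, not code from IOS XE or the ASA. The proposal sets are
constructed to show the common NO_PROPOSAL_CHOSEN causes; substitute the
transforms from your own two configs to check them the same way.
"""
ENCR, PRF, INTEG, DH = "ENCR", "PRF", "INTEG", "DH"
AEAD_CIPHERS = {"aes-gcm-128", "aes-gcm-192", "aes-gcm-256"}


def validate(proposal):
    """A combined-mode (AEAD) cipher authenticates on its own; pairing it with
    an INTEG transform is a configuration error, not something to negotiate."""
    if set(proposal.get(ENCR, [])) & AEAD_CIPHERS and proposal.get(INTEG):
        raise ValueError("AEAD encryption must not be combined with INTEG: %r" % (proposal,))
    return proposal


def is_well_formed(proposal):
    try:
        validate(proposal)
        return True
    except ValueError:
        return False


def why_no_match(offered, accepted):
    """Reason one initiator proposal does not fit one responder proposal, or None.

    Both sides must list the same transform *types* and share at least one
    transform of each type; a CBC proposal (ENCR, INTEG, PRF, DH) can never
    match a GCM proposal (ENCR, PRF, DH) however much the groups overlap.
    """
    if set(offered) != set(accepted):
        return "transform types differ: offered %s, configured %s" % (
            sorted(offered), sorted(accepted))
    for ttype, ids in offered.items():
        if not any(t in accepted[ttype] for t in ids):
            return "no common %s transform: offered %s, configured %s" % (
                ttype, ids, accepted[ttype])
    return None


def select(initiator_proposals, responder_proposals):
    """Walk the initiator's proposals in order; return (proposal number, chosen
    transforms) for the first one the responder can accept, else None."""
    for number, offered in enumerate(initiator_proposals, start=1):
        validate(offered)
        for accepted in responder_proposals:
            validate(accepted)
            if why_no_match(offered, accepted) is None:
                chosen = {t: next(x for x in ids if x in accepted[t]) for t, ids in offered.items()}
                return number, chosen
    return None


def diagnose(initiator_proposals, responder_proposals):
    """Every (initiator, responder) pair that failed, with the reason."""
    report = []
    for i, offered in enumerate(initiator_proposals, start=1):
        for j, accepted in enumerate(responder_proposals, start=1):
            reason = why_no_match(offered, accepted)
            if reason:
                report.append((i, j, reason))
    return report


# Constructed initiator side, shaped like two IOS XE 'crypto ikev2 proposal' entries.
INITIATOR = [
    {ENCR: ["aes-gcm-256"], PRF: ["sha256"], DH: [14, 19, 20]},
    {ENCR: ["aes-cbc-256"], INTEG: ["sha256"], PRF: ["sha256"], DH: [14, 19, 20]},
]
# Constructed responder side, one ASA-style policy. Assumption: the ASA's
# 'integrity null' on a GCM policy means no INTEG transform is sent.
RESPONDER_BROKEN = [{ENCR: ["aes-gcm-256"], PRF: ["sha512"], DH: [14]}]
RESPONDER_FIXED = [{ENCR: ["aes-gcm-256"], PRF: ["sha512", "sha256"], DH: [14]}]
```

With RESPONDER_BROKEN the first initiator proposal fails on PRF (sha256 vs sha512) and the second on the transform-type set, so `select` returns None and `diagnose` lists both reasons; adding sha256 to the responder's PRF list makes proposal 1 negotiate with aes-gcm-256, sha256 and group 14.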



Question about a network layout (simple one)

Quick question, I was trying to rethink our network layout (https://imgur.com/a/tATxUJB)

We always kept that mini switch in between our Meraki and the internet (at the very end, our ISP provides a router which converts fiber to RJ45; the RJ45 is plugged into the Cisco SG 200-08).

I'm new at my company and the previous guy mentioned it was designed this way for a DMZ to keep the FTP server secure.

Connected to that switch and I don't see any DMZ configuration.

Would it still be secure for that FTP server to be plugged into our Meraki MX100? So we could get rid of that mini switch.

Thanks,



Need help setting up server for virtual lab

Probably not the correct sub but I need some help. I have a Dell R410 with 3 SATA drives in it currently (500GB, 2x1TB). I am trying to install ESXi onto it so I can run EVE-NG and a secondary CentOS machine. I can't get it to boot from the ISO on the USB, and the PERC controller isn't seeing any physical or virtual drives. Any help is very appreciated. Thanks in advance.



What can a layer 7 firewall do?

So I "think" I understand layer 7. it's allowing certain apps from the inside to behave a certain way to the outside. and it is "automatic"?

if someone can throw an ELI5, i'd appreciate it



Server upload/download performance under private line?

Hi Guys,

Currently doing my research and I would like to ask what would be the issue when the link is OK but server upload/download or server throughput in transferring is not consistent?

Is it the window size? CPU? Disk? (let's say no problem on the network side). Have you encountered this issue and what are the things that need to be considered?

Thanks



What is the state of the art in traffic classification for QoS purposes?

Wherever L4 port/proto doesn't work, I assume it's some kind of vendor secret sauce L7 signature algorithm like Cisco NBAR or PAN App-ID.

Sure, marking VoIP is straightforward. But say I want to ensure that YouTube cannot consume more than 35% of a link in times of congestion, and stuff like Apple iOS updates get scavenger class.

In the past, I did a poor-man's equivalent by finding Apple's netblocks from ARIN and adding them to a rule assigning QoS values. Of course, this is very coarse and can't differentiate between iOS updates and any other traffic to Apple's servers, but it seemed to work well enough. But since a lot of stuff funnels through generic CDNs, I can see this approach failing miserably in most cases.

So for those who are deep in the QoS weeds: What is your approach to QoS classification when L4 characteristics aren't enough?

p.s.:

  • Yes, I know: more bandwidth is always The Right Answer(r) to congestion
  • This is mostly for my own understanding, I'm not solving a specific business problem this very moment. We are a Cisco/PAN shop if that matters.
  • No, I don't expect you to do my job for me--I'm looking for high-level, low-resolution concepts, not an exact config for any device or vendor

thanks :)



Secure Syslog Messages from Juniper Devices

For those engineers or admins who are using Juniper devices (QFX, MX, & EX Platforms), is anyone using secure syslog?

It seems only the SRX platform can send Syslog over TLS.

I'm curious how others are handling this matter.



trunk between Cisco and Juniper Switch

I'm trying to get a trunk up between a Cisco and a Juniper switch.

Cisco currently only has one VLAN, and a VLAN interface IP of 10.44.10.5/24. I want to be able to reach the Juniper switch which will have an IP of 10.44.10.6/24. I'm struggling to get my head around the logic of it though on the Juniper side.

Juniper is configured as below:

description "Uplink to lo-sw-04";
unit 0 {
    family ethernet-switching {
        port-mode access;
    }
}

root@lo-sw-01> show configuration interfaces vlan.0
family inet {
    address 10.44.10.6/24;
}

The Cisco is just "switchport mode access", with interface vlan1 ip address 10.44.10.5/24

What am I doing wrong?

EDIT: bad choice of words from me. I don’t need a trunk, I just want to be able to manage the juniper using an IP address. So what I want is just a link between the switches , in vlan1, that allows me to reach an IP address residing on the juniper

EDIT2: Resolved. The issue was in how Junos tags all traffic on a trunk by default, but Cisco does not tag native vlan by default. As the cisco switch only had one vlan it was also the native vlan. I enabled trunk on both sides, and put the following on my juniper config:

description "Uplink to lo-sw-04";
unit 0 {
    family ethernet-switching {
        port-mode trunk;
        vlan {
            members VLAN1;
        }
        native-vlan-id 1;
    }
}



IPsec Client VPN (Forticlient SSL VPN alternative)

I'm trying to figure out what's happening under the hood when using IPsec as a client VPN solution. To me, IPsec behind NAT is problematic, let alone PAT which is in use in this case. I don't see how it's even possible but apparently the guy who set this tunnel up says he can test successfully.

So this is using FortiClient 6.0 to connect to a Forticlient device on our vdom. I've been supplied the configuration and psk. What I'm seeing is the Client trying to create some kind of socket with our default gateway. The Forticlient logs show...

9/11/2018 12:14:22 PM Debug ESNAC Start searching for FGT
9/11/2018 12:14:22 PM Debug ESNAC Searching Default GW
9/11/2018 12:14:23 PM Debug ESNAC Timeout in select in SocketConnect
9/11/2018 12:14:23 PM Debug ESNAC Socket connect failed
9/11/2018 12:14:23 PM Debug ESNAC 192.168.192.2:8013, Secondary - 0
9/11/2018 12:14:23 PM Debug ESNAC CKeepAlive::SetState
9/11/2018 12:14:23 PM Debug ESNAC Not Registered
9/11/2018 12:14:23 PM Debug ESNAC m_dwAutoconnectWhenOffnet false
9/11/2018 12:14:23 PM Debug ESNAC End searching for FGT

And on the wire I'm seeing

5 2018-09-12 08:45:12.949585 192.168.0.2 192.168.0.1 TCP 66 3270 → 8013 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
6 2018-09-12 08:45:12.950563 192.168.0.1 192.168.0.2 TCP 60 8013 → 3270 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

My host is 192.168.0.2 and my GW is 192.168.0.1 in this case.

Anyone have any insight to what's actually occurring here?



Need Sonicwall L2TP VPN Setup Assistance

I inherited the management of a Sonicwall NSA 4600 that is running SonicOS 6.2.7 and I'm having some issues getting the L2TP VPN to work properly when using it from a MacBook. The Windows clients are using GlobalVPN so I haven't had any issues with those clients.

To give some information on the setup, the following interfaces are setup:

Name Zone IP Address Mask
X0 LAN 10.0.0.1 255.255.255.0
X1 WAN x.x.x.x x.x.x.x
X3 LAN 10.0.1.1 255.255.255.0

X0 is configured and enabled but no cable is connected to the interface. X3 however is the primary LAN subnet and the subnet that end users need to access resources on.

I have tried to setup L2TP IP Pools on both the X0 and the X3 subnet. When I do that, I'm able to access resources that are on the X3 subnet except when end users connect from a remote LAN that is also in the 10.0.0.0/8 subnet range. When end users connect to the VPN from a remote LAN that is inside of 10.0.0.0/8 then they are unable to access resources on the 10.0.1.0/24 subnet.

I did some investigating trying to figure out what was happening and found the following on a test MacBook.

I'll use the following information in my example:

MacBook Remote IP: 10.10.10.10/24
MacBook Remote Gateway: 10.10.10.1
MacBook VPN IP: 10.0.1.50/24

Destination   Gateway       netif
default       10.10.10.1    en0
default       link#14       ppp0
10            en0           en0
10.0.0.1      10.0.1.50     ppp0

If I look at the output of 'ifconfig' then I see that the 'ppp0' interface has the following output:

inet 10.0.1.50 --> 10.0.0.1 

From what I can tell the issue is that the L2TP VPN keeps attaching to X0 instead of X3. Since the VPN is attaching to X0 instead of X3, the MacBook's routing table is only creating a route for the 10.0.0.0/24 subnet and then all other 10.0.0.0/8 traffic is going to the default route of the remote LAN. The MacBook's routing table never creates a route for 10.0.1.0/24. I have tried to disable split tunnelling but the summarized 10.0.0.0/8 route still remains.

I've tried contacting Sonicwall support but they have been slow to respond. Any help would be appreciated. Thanks.
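The routing symptom described in that post, as an added example that is neither SonicWall nor macOS code: a longest-prefix-match lookup over a constructed client table with the same shape as the netstat output, showing that with only a 10.0.0.0/24 route on ppp0, every address in 10.0.1.0/24 falls through to the remote LAN's 10/8 route on en0, and that a /24 for the X3 subnet pointed at ppp0 is what moves it back into the tunnel. Prefixes, gateways and interface names are constructed for illustration.

```python
"""Longest-prefix-match lookup against a client routing table.

Added example, not SonicWall or macOS code. The table mirrors the shape of
the netstat output in the post; every value is constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str
    iface: str


def route(prefix, gateway, iface):
    return Route(ipaddress.ip_network(prefix), gateway, iface)


def lookup(table, dst):
    """Most specific route covering dst, or None; ties go to the earlier entry."""
    addr = ipaddress.ip_address(str(dst))
    best = None
    for r in table:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def egress_interfaces(table, net, max_prefixlen=16):
    """Count how many addresses of `net` leave via each interface.

    Enumerates every address, which is exact; the prefix-length floor keeps
    the enumeration small (a /16 is 65536 lookups).
    """
    net = ipaddress.ip_network(net)
    if net.prefixlen < max_prefixlen:
        raise ValueError("prefix too large to enumerate, narrow it first")
    counts = {}
    for addr in net:
        r = lookup(table, addr)
        iface = r.iface if r else "unreachable"
        counts[iface] = counts.get(iface, 0) + 1
    return counts


# Constructed: what the MacBook ends up with when the tunnel attaches to X0.
BROKEN = [
    route("0.0.0.0/0", "10.10.10.1", "en0"),    # remote LAN's default gateway
    route("10.0.0.0/8", "link#4", "en0"),        # 10/8 summary on the remote LAN side
    route("10.0.0.0/24", "10.0.0.1", "ppp0"),    # only the X0 subnet goes into the tunnel
    route("10.0.0.1/32", "10.0.1.50", "ppp0"),   # the point-to-point peer itself
]
# Constructed fix: the X3 subnet gets its own, more specific route into the tunnel.
FIXED = BROKEN + [route("10.0.1.0/24", "10.0.0.1", "ppp0")]


def demo(dst="10.0.1.20"):
    return lookup(BROKEN, dst).iface, lookup(FIXED, dst).iface
```

For 10.0.1.20 the broken table answers en0 (the 10/8 route wins over the default, and nothing longer covers it), the fixed table answers ppp0; `egress_interfaces` makes the same point for the whole /24 rather than one probe address.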



Setting up a secondary server location/failsafe server [help]

Hi All,

I do not have a networking background but I was tasked by my manager to help find a solution to our company's problem. I have done some research and found something called a failover server setup but I am not sure this works in my case.

I currently work in a firm where they operate in 2 physical office locations, but Office A is only connecting to Office B's servers (4 individual servers set up for different usages: mail, data, client data, and company finance records). Our older networking person is a little too old, so he doesn't know any of the current tech in the industry. And our firm cannot afford cloud storage and cannot use it due to sensitive information.

But recently Office A has found out that Office B's power supply to the building has been in constant fluctuation (3rd world country), so Office A would like to set up the exact server setup in a third location (Location C) off-site, where Office A would connect to Office B most of the time but shift over to Office C if the connection broke.

So the question I have is, is there any software we can install onto our current servers (Office B), I believe some are Linux based and some Windows based, that will synchronize Office B to Office C's servers 24/7, and then we set up a failover server at which location?

It is important for the information to be identical at Office B and C and synchronized. The data in Office B's servers is accessed frequently and changed/edited frequently during the day by both Office A and Office B's workers. Office C will have no access; it is just off-site for Office A's use as a failsafe. The managers have said they are willing to do an end-of-the-day synchronization to Office C's location if that is the only solution for the failover to work properly.

Please help let me know what you guys believe to work best.



MPLS migration: what about EVPN?

Hi,

We plan to migrate a quite old MAN based on Cisco C6500/Sup720 chassis (around 20). Today, our chassis act as PE and CPE (from each chassis, we have dozens of L2 connections to our sites; the chassis acts as default gateway for the sites). Our chassis migration should be an opportunity for us to add new services, mainly L2VPN.

I see today 2 options for L2VPN:
  • VPLS, which is quite old, but why not
  • EVPN with MPLS on the data plane.

My concern is the migration; there are 2 scenarios:
  1. The best way for us would be to be able to change chassis one by one.
  2. The worst way would be to have to construct a parallel network to the existing one (so, problems with fibers and rooms for chassis) with "temporary" interconnection between old and new design.

I'm not really confident with the VPLS or EVPN-MPLS protocols: I imagine VPLS would follow scenario #1, but I have a doubt with EVPN-MPLS (I expect scenario #1 is possible as it is based on MPLS/LDP, but not sure).

An additional question: would EVPN PBB or EVPN VXLAN give us more advantages than EVPN MPLS?

Thanks for your answers



Ruckus Wireless with CloudPath

A previous engineer here purchased a bunch (150) of Ruckus R720 APs, 2 SmartZone controllers, and cloud-hosted CloudPath to replace a 10-year-old Cisco wireless system. I am now going to be implementing this and I have some concerns about CloudPath. The APs and controllers seem great to me but CloudPath doesn't seem like it's very intuitive for the end users. On the devices that we own and provide to our users it's no big deal, but it seems like BYOD is going to be a problem.

I have an Android phone; for me to connect to the wireless I connect to the onboarding SSID, and it prompts me to sign in to the network, which is fine. I click the sign-in notification and log in and get the prompt that I have to download their app to configure the network. This seems like users are going to question why they have to download an app, but aside from that, I click the link and get an error that says the URL cannot be opened. According to what I have seen from Ruckus, this is a problem with Android WebView and not on their end and they cannot fix it. So I have to close out of everything, open Chrome and let it redirect me to the sign-in page, and from there I can download the app from the Play Store and let it configure the network for me. The process is even more complicated on a Chromebook.

Does anyone have any experience with this, and did it cause you and your users a ton of headache? Seems like we are going to get a lot of calls from people trying to get their personal devices on the network. Is there any real benefit in using CloudPath instead of using a simple RADIUS server and having users log in with their AD credentials? The other thing that bothers me is that the cloud-hosted version of CloudPath can't send logs to my Palo Alto firewall, so I won't have any User-ID information in the firewall for wireless clients.



Point to point wireless shot on a non-profit budget. Ubiquiti?

I'm looking to do a wireless point-to-point shot for a single PC and IP cam for a small non-profit. The main site is small and already has a Ubiquiti UAP-AC-LR AP as well as a virtual instance of UniFi. The remote site is a shed about 50 ft away.

I'm looking to span about 50 ft with clear LOS. Not really familiar with Ubiquiti's offerings so I was looking at doing a NanoStation M5 bridge. Ordered a couple off eBay but they were junk and I had to return them. The more I look into the NanoStation M5s, they seem pretty overkill for what I need.

Anyone have recommendations? Would like to keep the site 100% Ubiquiti, but if there's a better solution I'm all ears. Budget is $500.



Seeking Cisco switch memory use per process via SNMP

Hi guys,

I'm trying to get memory use per process via SNMP for some Cisco switches (3750s and 3560s).

The CISCO-PROCESS-MIB exposes cpmProcExtMemAllocatedRev and cpmProcExtMemFreedRev and I've found a link that suggests subtracting freed from allocated (https://networkengineering.stackexchange.com/questions/19114/cisco-process-memory-usage)

Unfortunately this doesn't seem to provide sane values; often my freed is greater than my allocated (I daresay because some memory is freed in the time it takes me to gather the allocated and the freed).

At any rate, looking at the output of the show processes memory command shows that Allocated and Freed may sometimes be the same and the interesting looking column is Holding.

Switch3#show processes memory
Total: 101037052, Used: 28865600, Free: 72171452
 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
   0   0   37220448    8809344   25419448          0          0 *Init*
   0   0      14112    1167376      14112          0          0 *Sched*
   0   0 4171182032 4171456888     469920    5795316     421352 *Dead*
   1   0       1560       1560       8464          0          0 Chunk Manager
   2   0        192        192       3904          0          0 Load Meter
   3   0      34736      44552       7592          0          0 SpanTree Helper
   4   0          0          0       6904          0          0 Check heaps

I can't find references to Holding anywhere in that MIB, so- does anyone know how to get memory holding per process via SNMP? (I haven't been successful in Googling it)

Thanks
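An added parser, not Cisco code, for the `show processes memory` output quoted in that post: it pulls out the per-process columns, ranks processes by Holding, and flags every row where Allocated minus Freed is not the Holding value, which is the discrepancy the post is describing. The sample text is the post's own output (truncated there, so Holding will not sum to the Used total); the column regular expressions are an assumption about this IOS release's layout.

```python
"""Parse IOS 'show processes memory' and rank processes by Holding.

Added example, not Cisco code. SAMPLE is the output quoted in the post
above; the column layout the regexes assume is that of the sample.
"""
import re

ROW = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<tty>\d+)\s+(?P<allocated>\d+)\s+(?P<freed>\d+)"
    r"\s+(?P<holding>\d+)\s+(?P<getbufs>\d+)\s+(?P<retbufs>\d+)\s+(?P<process>\S.*?)\s*$"
)
TOTALS = re.compile(r"Total:\s*(\d+),\s*Used:\s*(\d+),\s*Free:\s*(\d+)")

SAMPLE = """\
Switch3#show processes memory
Total: 101037052, Used: 28865600, Free: 72171452
 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
   0   0   37220448    8809344   25419448          0          0 *Init*
   0   0      14112    1167376      14112          0          0 *Sched*
   0   0 4171182032 4171456888     469920    5795316     421352 *Dead*
   1   0       1560       1560       8464          0          0 Chunk Manager
   2   0        192        192       3904          0          0 Load Meter
   3   0      34736      44552       7592          0          0 SpanTree Helper
   4   0          0          0       6904          0          0 Check heaps
"""


def parse_process_memory(text):
    """Return (totals, rows): totals as a dict, rows as dicts with int columns."""
    totals, rows = None, []
    for line in text.splitlines():
        m = TOTALS.search(line)
        if m:
            totals = dict(zip(("total", "used", "free"), map(int, m.groups())))
            continue
        m = ROW.match(line)
        if m:
            row = m.groupdict()
            row.update({k: int(v) for k, v in row.items() if k != "process"})
            rows.append(row)
    if totals is None:
        raise ValueError("no Total/Used/Free line found")
    return totals, rows


def top_holders(rows, n=3):
    """Processes ranked by the Holding column, largest first."""
    return [(r["process"], r["holding"]) for r in sorted(rows, key=lambda r: -r["holding"])[:n]]


def alloc_minus_freed(row):
    """The figure the SNMP counter subtraction yields, for comparison with Holding."""
    return row["allocated"] - row["freed"]


def holding_mismatches(rows):
    """Processes whose Allocated - Freed is not their Holding (negative values included)."""
    return [r["process"] for r in rows if alloc_minus_freed(r) != r["holding"]]


def held_total(rows):
    return sum(r["holding"] for r in rows)
```

Running it over the sample shows the point the post makes: *Init* holds 25419448 bytes, *Dead* and *Sched* come out negative under allocated-minus-freed, and no row in the sample has that subtraction equal to its Holding column.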