Saturday, November 3, 2018

How do you keep up with worldwide updates on networking?


Learning Firewall Configuration

Hey guys and gals,

I've been studying for my ICND1/2 for the past few months to get some valuable pieces of paper to complement my military IT experience. Through my studies I've seen firewalls mentioned, but neither textbook (using the Lammle books mostly) goes into configuration as it isn't an objective on the exam.

I was wondering what resources y'all suggest for learning firewall configuration from basic to intermediate skill levels. I didn't work with them too much in the army and feel like it's definitely important to know to further my career beyond entry level.

Any help is appreciated and I'm looking forward to responses!



Power and fiber nodes in broadband

Does anyone know how ISPs get power to the fiber nodes on the utility poles in broadband world? Does every fiber node have an electric meter attached to it?

Also, along the same lines if I wanted to get access to a particular utility pole in a neighborhood how do I go about getting access to it?



NETGEAR GS110TP - Bricked what to do?

I got a second hand GS110TP for $20 on Craigslist and it lacked a power supply. I bought one from Amazon that was referred to me by the Netgear support community. Welp, it powered on for a moment, then the power supply port sparked. I opened it up and it looks like a capacitor or resistor exploded under the heat sink. I was just going to toss it, but it's such an expensive device. What can I do with it? eBay? Would appreciate some feedback, thanks!

Also, Netgear will not give me any warranty support since it was bought second hand.



IT certifications, why or why not? What's your personal opinion either way?

I got a few CompTIA certs about 10 years ago, then for 10 years just learned on the job, then decided I wanted to validate a lot of what I knew with some certs purely for my own personal validation.

But I have mixed feelings, because some people don't appreciate them and feel anyone that has them still doesn't have any real skill set, due to some people that test-dump and just pass with the right answers, never really understanding the building blocks behind it.

Or some people feel if you have a CompTIA A+ then that's all you know, not realizing someone may have 10 years of managing networks but the only cert they got was A+ when they did desktop support.



Route traffic with an SSH tunnel [doubts]

Hello,

Does anyone know how to configure an SSH tunnel with plink (or another program with no GUI) for the purpose of redirecting the traffic from a Windows server to another remote server that runs Debian 9?

I was wondering if this is possible even if the two remote servers are running different OSes?

http://www.hurryupandwait.io/blog/need-an-ssh-client-on-windows-dont-use-putty-or-cygwinuse-git

(Has anyone tried this?)

Thank you so much



Linksys AC1200 Cloud Manager and VLANs | Please help (thanks)

Hello,

Currently I am testing a Linksys AC1200 Cloud Manager. The setup went smoothly but I want to ensure that everything works as expected before installing such a device at a client's office.

I did notice that my Ruckus R510 access point in my lab works excellently with VLANs.

I just added the AC1200 access point and set up an SSID with my tagged GuestNET VLAN (VLAN 900). Unfortunately I did notice that my connected test guest devices receive an IP address for VLAN 1 instead of VLAN 900.

I did double check the settings and noticed the TCP/IP settings of the AC1200 access point. There is a field where I can set a tagged VLAN and an untagged VLAN. Even after changing tagged to 900 and untagged to 1 the clients still are on the wrong subnet.

It puzzles me... so I decided to go ahead, remove any switches, and connect the AC1200 directly to the LAN port of my firewall where the VLANs are correctly configured. That should work... but unfortunately, it still does not work as expected.

Just plugged my Ruckus R510 in and checked the guest devices by connecting to the R510. These devices are on the correct subnet now...

Has anyone tried this Linksys AC1200 device with VLANs? It just does not work as expected for me. I think I did check all settings, but I can't find anything wrong with my configuration.

VLAN1 = subnet 172.16.16.0 /22
VLAN900 = subnet 10.254.254.0 /24

Thanks.



Top Networking Conferences?

I just took a new job as a network engineer in a multi-vendor, cloud-scale, multiple-datacenter environment at a Fortune 100 company. My new boss has expressed that he’d like me to pick a couple of tech conferences to attend in the next year. Besides Cisco Live, what other network-focused conferences should I consider in 2019?

Considerations:

  1. I want to attend for the tech—I care more about the content of the keynotes/presentations than the miscellaneous events.
  2. I do datacenter networking, so conferences with a datacenter, automation, and/or cloud focus are preferred.



I got a Netgear GS728TP-100NAS

What SFP modules are available that I can use? Also, if I have 10G fiber patch cords that my boss gave me from our last job we did, could I use an SFP Gigabit module with the 10G patch cable?



Trying to repair an EZVIZ security PoE camera, odd Ethernet color scheme

Long story short: I am trying to repair an Ethernet security camera where the camera connections got wet. My plan is to do the following:

Cut the female end off of this and replace with a standard RJ-45 end. Then use a coupler and connect the repaired section to the old standard Ethernet cable.

The problem I am running into is that when I cut that security camera female cable, the Ethernet color scheme is different. Can someone help me map these colors to the standard Ethernet cable colors? I did some internet sleuthing and I think I may have figured it out, but I'm looking for a second opinion.

Standard Ethernet    Camera wire
White-orange         orange
Orange               yellow
White-green          green
Blue                 purple
White-blue           gray
Green                blue
White-brown          white
Brown                brown


BGP question

I have 2 routers running BGP. They are in the same AS, but not peered via iBGP. They are both connected to the same EIGRP network.

They are both connected via BGP to the same MPLS cloud. They redistribute the BGP routes into EIGRP.

Here is my problem: they are learning about the internal routes via BGP. For example, router A will advertise 172.26.0.0/16 (an EIGRP route) via BGP, and then router B will learn that route via BGP, while it is also learning about it via EIGRP internally.

What do I need to do to stop this loop? I need my BGP routers to stop learning about each other's routes via BGP, but they both still need to advertise these routes to that MPLS network.



6500 IOS 12.2 - Sup720 failover - Lost BGP Peers?

So I was doing some routine maintenance on a non-critical system and I was doing a forced failover of the Sup720 engines. This 6500 has its BGP peers on a separate line card (i.e. not using the Sup's built-in interfaces).

I had a remote host pinging the router, then I did the failover. Everything appeared to be fine, then I noticed my remote ping died, and I also noticed "sh ip bgp summ" showed my two BGP sessions were down and in the process of re-establishing. After 30 secs or so the sessions were back up, and my remote ping resumed.

This was a surprise because I assumed when running SSO redundancy (Active/Hot) a Sup failover causes zero interruption. Why then did the BGP sessions go down? It was a 30 second outage, not a big deal, but I was expecting zero downtime.

-John



(UK) New skills for experienced senior network engineers?

Hi folks

I am at that stage where I’ve gained years of experience and risen through the ranks to become a technical lead in a Cisco, F5 and PA heavy network. I’ve been thinking about the future, and what we will need to learn to stay afloat.

I’ve used Python a lot and regularly write custom scripts to check and configure devices, to gather data, and to monitor for certain network conditions that we know can be an early warning sign of an outage. I also use Ansible-based tools that were written by a dev but are maintained and updated by me.

These have served me well, but I can’t help but see that the new DCs being built out in my organisation are using ACI and other methods to tunnel VXLAN, as well as automating the deployments of new devices using Ansible. There is a lot of talk about Google Cloud, Azure and AWS being used here and there by various business units.

I am sure I’m not alone in thinking that I need to get a grip on all of these things, but it just seems overwhelming: there is Puppet, Ansible, Chef, then Docker, Kubernetes, VMware and microservices, Git etc etc...

I know these are all utilities with specific use cases, but I just don’t know where I should be focusing my efforts when it comes to skill development. Does anyone else have a clearer picture of where things are going and the skills that we should be picking up?



Help internet is slow

(15-year-old in Australia) OK, I’m not even sure if this is the right place to ask, but yesterday my whole street had a blackout that turned off everything like streetlights and electricity in everyone’s house. After that happened and the electricity came back, my internet (Telstra Smart Modem) went absolutely dog shit! It used to be around 40-50 Mbps, now it's 0.30 Mbps! I’m not sure, it might be the blackout that did it, but if anyone knows what happened to my internet I'd appreciate it.



SecureCRT alternatives.

Hello fellow networkers,

I am pretty sure you have seen this question before.

SecureCRT is awesome, but too expensive. PuTTY is free but too basic. I currently use PuttyNG for work, but I would like to suggest something better.

Do you know any decent alternatives up to $35 / 25 GBP / 30 EUR?



Hotel internet issues

So I work night audit at a hotel. At about 1am the Wi-Fi goes out in the spot that I have been sitting at for about 6 months. I work 11-7, so I'm on my laptop for most of my work night. I'm connected to the network, but no internet signal is coming through. I call Spectrum, our ISP, and they inform me that they run the fiber to our hotel but they don't manage the Wi-Fi. My boss tells me to just restart the modem, which isn't working. If I go about 10 yards into the breakfast area, the Wi-Fi starts working, but quits as soon as I get to that spot again. It says "IP config failed" on my phone, if that helps. Anyone know what's happening? Thanks in advance.



Friday, November 2, 2018

Enterprises using SD-WAN - how did you construct or modify your diagrams/documentation?


USB Terminal Server Options

What are you guys using for OOB access to network devices that only support USB console/terminal access? We have some remote labs that have devices like newer wireless APs and a few other things that are showing up with only USB (no RJ45) serial ports and they are starting to piss me off.



That heinous IOS command: switchport trunk vlan add/remove. How to improve?

One of my friends burned himself by forgetting the "add" keyword, with bad results.

Are you guys out there using any methods to prevent that? Aliases? Scripts?



Ubiquiti Edgeswitch-48-500 keeps freezing even after RMA - no idea why

Looking for help on this as I'm completely stumped.

An industrial customer has 4 Ubiquiti EdgeSwitch-48-500Ws running a camera network. One switch keeps 'freezing' about once every 7-14 days. When this happens, neither the switch nor any of the hosts on the switch are reachable. Average throughput on this switch is 200-300 Mbps; it is daisy-chained (number two position) off one other switch (the other two switches are on a separate network). I RMA'd the bad switch and got a new one. The new switch is having the exact same problem as the original switch. I have to hard power-cycle the switch to get it back online.

What could be causing this with two different switches? After a reset all the hosts come up and run fine, but would a bad termination / short somewhere cause this? Any recommendations on how to troubleshoot?

Unfortunately, the onboard logs aren't offering any help. I just dialed them up to 'debug' to see what I can find.

One catch: on Oct 24th (last freeze event) I installed a network monitoring power outlet to cycle the switch's power when the outlet loses contact with the router (via ping). When the switch froze today, the outlet did not power cycle the switch and I was surprised to find I could still access the outlet's web GUI and had to manually power cycle the outlet. The power outlet's NIC is connected to the bad switch. Now I'm even more humbled and confused.

I can't imagine this would matter, but ports 1-38 are 100 Mbps PoE connections to cameras drawing about 3.8 watts average / 144 watts total. Port 47 is used by the power outlet; port 48 is the trunk / daisy chain to switch 1. No VLANs / flat network. Switch #1 is also connected to cameras, as well as the server and router; throughput is ~350 Mbps.

e.g.: Bad switch -> switch 1 -> router

No problems at all with switch #1.

All help / insight / troubleshooting ideas are welcome!



Dual MPLS connection, OSPF load balance?

TLDR: I might be barking up the wrong tree here. Can I even use OSPF to route between two MPLS connections, or do I need to convert to iBGP? If I can use OSPF, please advise what I'm doing wrong. TIA.

I tried turning up OSPF on our second MPLS to load balance between them (static routes on the firewall are doing a decent job for that). When configuring OSPF on the 2nd router I ended up with an error "% OSPF: Configured Nbr is incompatible with OSPF network type on", so I'm waiting until tonight to play with it more. It was set to broadcast, which I thought would work, and did work with one MPLS OSPF router.

Topology and some of the config / commands :

https://imgur.com/a/RVRxYoy



Professional Service Recommendations

Hello everyone,

Looking for recommendations for a professional services vendor or best practices when shopping for one. Mostly Cisco stuff and the essential need would be the availability of a CCIE for x hours per week/month. If you guys could share your insight into SLA "gotchas" or tips to negotiate the best possible agreement with a professional services firm I'd appreciate it!

Thanks!



Ridiculous amount of TCP keep-alives, dup-ACKs and retransmissions

Hello network folks,

https://imgur.com/a/iQB9lw2

We have this end user who talks to this application. For everyone else it works, but when this one end user connects to the application and I do a pcap, I see a crazy amount of TCP keep-alives and an even crazier amount of "Ignored Unknown Record" packets (never seen this one in a pcap before, and online there is not much info about it). This has actually hit a point where the server is getting overloaded by this 1 end user.

I first started at the switchport to see if I could find any L1/L2 issues (input/output drops, CRC or anything like that); all good there. One thing I noticed is that the end user is the one who is sending more of the keep-alives, and the server just keeps responding with keep-alive ACKs. The picture I attached shows the story a little better with the Wireshark IO graph.

So then I thought maybe it's their circuit across our MPLS that is causing this, and I did iperf along with making ACLs on both sides of the circuit to count packets to see if there is any packet loss. There is about .001% packet loss. I understand that TCP can be adversely affected by packet loss, but it's such a negligible amount that I don't think it would be causing this big of a problem. And we also have other branches of users that use this software and they are not affected.

I'm kind of out of options. I don't really know what to look at anymore and was wondering if anyone suggested any changes to make, maybe to the TCP stack, or what to look at in the TCP stack? I guess I can replace the PC as a last resort, but wanted to dig a little more first. Thank you.



Trying to understand why TCP SYN packets would occasionally be dropped

A customer of ours is dealing with an issue which is being caused by their (Windows) servers having to retransmit TCP SYN packets occasionally. When no SYN/ACK response is received, the retransmit delay is 3 seconds, and that delay is causing users some issues (they are moving PTZ cameras in realtime). In normal use it happens maybe 4-5 times in an 8 hour period so it's not happening a lot, but it's enough to cause a headache.

At this stage there is not much I can do from the software perspective and I'm trying to provide them with enough guidance to diagnose the issue as we're not responsible for their server hardware, network infrastructure, or cameras.

I've recommended that they set up port mirroring on an edge switch and capture a packet trace on both ends of the connection. That way they can find out if it's the SYN packet not making it to the camera, and if so, whether the SYN/ACK makes it out of the camera at all.

I haven't seen any evidence of network congestion or high resource usage on the servers, but I'm wondering if anyone has seen any obscure/advanced TCP stack settings that can cause weird issues like this?



Need Some Help!

I'm a new admin doing a switch refresh enterprise-wide. Right now I'm in the middle of staging switches. The Cisco 2960s that we have all have IOS images from last year; I want to upload the newest image from Cisco before deploying. How do I go about doing this before configuring the switches on our network?

I can console to the switch from my workstation, and tried running tftp64 to use as a tftp server, but I keep getting socket errors when trying to copy tftp flash. Any suggestions? Feel like I'm missing something stupid being new at this.



JunOS Instance-type virtual-router and RADIUS

I am working on SRX firewalls and eventually will move to MX routers. The issue that I am having is that I created a virtual-router instance (VRF-lite) and for the life of me I could not get the in-band management via RADIUS to work.

I can traceroute from the SRX to the RADIUS server via the new routing instance, but when I tested the SSH login it failed. It says that there is no route to the RADIUS servers. This is the same with NTP and DNS.

The question that I have now is: is RADIUS authentication only allowed in the master instance and not in any virtual routers?

I am trying to keep the master instance just for out-of-band only and in-band management, ntp, dns and the rest of the data traffic will be on a new virtual-router.



Answer to "Why do we use negative edges in networking?"

I've seen a post on this subreddit before regarding what the significance to using negative edges is, but none of the answers seemed to agree on one thing and most of them went back to the analogies in the context of chemistry or monetary values. So, this post is just to give a clear understanding of negative edges in terms of networking, since I was struggling with this yesterday and just learnt it.

While negative cost edges aren't given any particular physical significance in any of the standard protocols, they do have an algorithmic significance. They're used in Bhandari's algorithm to find shortest disjoint path pairs (or triplets or quadruples). Disjoint paths are needed in load balancing or rerouting, so this is needed in practical routing.

There is a variant of Dijkstra's algorithm which works with negative edges as well, let's assume we're using this.

Bhandari's algorithm to find a disjoint path pair goes like this:

  1. First, all edges will be positive and we use Dijkstra's algo to find the shortest path between A and B.
  2. Now, take all the edges of this shortest path and reverse the links, giving them negative cost arcs and only in the backward direction of the original traversal. This is done because, since we want to find a disjoint path, we shouldn't be using these edges to find the other shortest path in the forward direction.
  3. Now, run the algo again with the new graph and try to find the shortest path again.
  4. If this new path shares an edge with one of the negative edges from the first path, then it means that these two paths are technically not disjoint.
  5. To make these two paths disjoint, you'll need to discard these shared negative edges.

For more information just refer to Bhandari's paper. Hope this helps.
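The five steps above, worked through in code. This is an added example, not part of the original post: it uses Bellman-Ford as the "variant that works with negative edges", builds a small constructed graph (nodes S, A, B, T and the link costs are made up), and stitches the two paths back together after the shared arcs are discarded.

```python
from collections import defaultdict

INF = float("inf")


def build_graph(links):
    """Turn undirected (u, v, cost) links into directed arcs in both directions."""
    nodes, arcs = set(), {}
    for u, v, c in links:
        nodes |= {u, v}
        arcs[(u, v)] = c
        arcs[(v, u)] = c
    return nodes, arcs


def bellman_ford(arcs, nodes, src, dst):
    """Shortest src->dst path that tolerates negative arc costs
    (the modified graph has no negative cycles, so this terminates correctly)."""
    dist = {n: INF for n in nodes}
    prev = {n: None for n in nodes}
    dist[src] = 0
    for _ in range(len(nodes) - 1):
        changed = False
        for (u, v), c in arcs.items():
            if dist[u] + c < dist[v]:
                dist[v], prev[v], changed = dist[u] + c, u, True
        if not changed:
            break
    if dist[dst] == INF:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def path_arcs(path):
    return list(zip(path, path[1:]))


def bhandari_pair(links, src, dst):
    """Return two link-disjoint src->dst paths, or None if no such pair exists."""
    nodes, arcs = build_graph(links)
    # Step 1: plain shortest path on the all-positive graph.
    p1 = bellman_ford(arcs, nodes, src, dst)
    if p1 is None:
        return None
    # Step 2: drop p1's forward arcs; the reverse arcs get negative cost.
    mod = dict(arcs)
    for u, v in path_arcs(p1):
        del mod[(u, v)]
        mod[(v, u)] = -arcs[(u, v)]
    # Step 3: shortest path again on the modified graph.
    p2 = bellman_ford(mod, nodes, src, dst)
    if p2 is None:
        return None
    # Steps 4-5: an arc used by p1 and traversed backwards by p2 is a shared
    # (negative) arc; discard it from both paths.
    a1, a2 = path_arcs(p1), path_arcs(p2)
    shared = {(u, v) for (u, v) in a1 if (v, u) in a2}
    remaining = [a for a in a1 if a not in shared]
    remaining += [(u, v) for (u, v) in a2 if (v, u) not in shared]
    # Re-stitch: walk from src twice over the remaining arcs to get both paths.
    nxt = defaultdict(list)
    for u, v in remaining:
        nxt[u].append(v)
    paths = []
    for _ in range(2):
        cur, path = src, [src]
        while cur != dst and nxt[cur]:
            cur = nxt[cur].pop()
            path.append(cur)
        paths.append(path)
    return paths


# Constructed topology: the cheapest single path S-A-B-T (cost 3) blocks the
# only other cheap exit from B, so the disjoint pair must "undo" arc A-B.
LINKS = [("S", "A", 1), ("A", "B", 1), ("B", "T", 1), ("S", "B", 3), ("A", "T", 3)]

if __name__ == "__main__":
    print(bhandari_pair(LINKS, "S", "T"))  # two link-disjoint paths S->T
```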



Avaya 3524gt to Dell PowerConnect 2724 Trunk

I am not entirely sure what I am doing wrong, but I am unable to create a trunk link between an Avaya 3524GT (port 12) and a Dell PowerConnect 2724 (port 1). I have read several articles on how to set up a trunk correctly on a PowerConnect, but it doesn't want to connect. Any help will be appreciated:

Dell config (management web GUI): I can't grab the config, so I'll go by what was set in the GUI for port 1.

Port 1 tagall
PVID 80
allowed vlan 1,11,20,80,82,83

Avaya config (trunk port 1/12):

vlan ports 12 tagging tagAll
vlan members 1 9,12,22-26
vlan members 11,20,82 12,24
vlan members 80 2,12,16,18,24
vlan members 83 3-8,10,12-15,24
vlan ports 12 pvid 80



VPN Proxy ARP - FYI/Lesson learned

Something I came across in my environment. I had recently got licensing for Splunk to offload my ASA logs, and after building a nice dashboard, I gained some visibility into some misconfigured VPN NATs. I used IPs out of our public space for commonly interfaced-with systems in order to avoid conflict with VPN partners, and I noticed tons of random internet requests hitting my NAT rule (albeit, asymmetrically, so they resulted in SYN-timeouts).

I saw the ARP entry on the upstream internet routers for the ASA interface for this IP, so I discovered that all my NATs had proxy-arp configured by default.

If you're doing NATs for an IPsec VPN, whether private or public space, you'll want to disable proxy ARP. Proxy ARP is only required for NATs that are intended to be directly exposed to the internet.

The risk here is that if I had fat-fingered a condition for my NAT (e.g. typing a destination address of 92.168.55.0/24 rather than 192.168.55.0/24), I would have exposed that host directly to the internet for that public /24.



IKEv1 vs. IKEv2

In your experiences with IKEv2, does it really have a significant bandwidth advantage over v1?



Ubiquiti and Cisco

Couldn't find any previous posts on this subject, but if there are please direct me.

Would anyone happen to have experience of mixing Ubiquiti with Cisco, and do they play well together? We would like to get a Ubiquiti US-8 for some cameras. We will use one of the SFP ports as a trunk to a Cisco SG300-28PP. My biggest question, as silly as it may sound, is whether or not Cisco and Ubiquiti devices view VLANs the same?

Any tips would be appreciated.



Estimate Ethernet cable distance by software possible?

Does anyone have any idea on measuring or estimating cable distance by software (meaning Linux networking tools)?

Some years ago I saw a smart cable tester with a TFT monitor which was able to do that, but not alone: you had to insert an RJ45 node on the other end. Then you should be able to view a reading in meters like "50m".

This might sound silly, but I don't know how it worked, so I don't know if it's possible at all.



DNS Issues

Is anyone noticing issues with DNS today? We are showing issues with our internal DNS server, which points at the roots, Google DNS and AT&T DNS. Wondering if anyone else is seeing this.



Cradlepoint MAC Address Weirdness

So, I've been working a lot with getting Cradlepoints up for Black Friday, and have noticed that they will have MAC addresses with an OUI of 2a:30:44 as reported by the switch and router.

But this isn't a valid OUI. If I check, it isn't owned by anybody. I check the actual device and it shows an OUI of 00:30:44, which is shown to be owned by Cradlepoint.

This happens on every device and in every store. Might anybody have any insight about why this is happening? Other techs just accept it as weird and move on, because it really doesn't hurt anything.



Hello all, I want to make a project on 802.1X vulnerabilities and implement it in GNS3. Is there any way to do this?

WMM (802.11e) woes

I've been trying to debug a home network issue that has proven itself beyond my troubleshooting skills. Perhaps someone here with better knowledge about networking than myself can provide some insight on what might be happening...?

Here's the thing: I have a WRT1900ACS router (running OpenWRT) where connected clients experience very slow upload speeds (around 2 Mbps) on both 2.4 and 5 GHz radios when WMM is on. However, if I put my ISP-provided router/modem doing NAT anywhere beyond the WRT1900ACS's WAN port, the problem goes away.

I've done a lot of packet captures and my eyes are bleeding from looking at Wireshark and, so far, I've been unable to identify anything that might possibly cause this. My knowledge of WMM (what triggers it, and if it can trigger anything else on the network) is short, and that's an understatement.

This diagram makes it clear (I think): https://i.imgur.com/LIVtSGn.jpg



Arguments to switch to an IPAM / DCIM application

Hi all,

Right now we're using Excel sheets (IP addresses, patch management) and Visio (physical rack layout) in our DC. It's not a huge environment (20 racks or so), but I would like to see our toolset being expanded with proper DCIM / IPAM software.

Regardless of the solution I would like to choose (leaning towards NetBox but still looking at other products), what are some good arguments that I can use towards my coworkers to convince them of this type of solution? Right now I have:

- 1 central place for all the data
- Ability to script using objects in the tool (DNS records, monitoring etc.)

Possible disadvantages:

- Relies on 1 DB. If it's broken you lose all your administration. Then again, proper VM backups and SQL clustering can help mitigate this problem.

Do you have any more recommendations to convince some of my older colleagues? Right now I'm struggling with the "if it works, don't fix it" mentality. I'm quite a bit younger than my colleagues and I see the advantages of programming / automating / scripting repeating tasks to make everyone's life easier.

Thanks in advance!



Bleeding Bit, New Cisco, Meraki, Aruba Vulnerability

Security researchers have found two severe vulnerabilities affecting several popular wireless access points, which — if exploited — could allow an attacker to compromise enterprise networks.

The two bugs are found in Bluetooth Low Energy chips built by Texas Instruments, which networking device makers — like Aruba, Cisco and Meraki — use in their line-up of enterprise wireless access points. Although the two bugs are distinctly different and target a range of models, the vulnerabilities can allow an attacker to take over an access point and break into an enterprise network or jump over the virtual walls that separate networks.

https://techcrunch.com/2018/11/01/bleedingbit-security-flaws-bluetooth-wireless-networks/

Yay, more patching overtime!



Ansible - CPU Spikes on Cisco Kit

Hey all,

I was wondering if anyone here is using Ansible for Cisco configuration standardization and if they're having issues with it causing CPU spikes on certain models of switches (mainly older models which need to be replaced), predominantly 2960s and the horrendous 2950s :'(

Are there any features you'd recommend turning on for the playbook to reduce the overhead? As a note, I'm only running the playbook in "check mode" and it's still causing these spikes.

Cheers



Comware 7 - VRRP vs IRF

I have a question for you clever people but I'll give you a little background first.

I work for the NHS in a 2 man team covering a massive area which keeps us very busy. We work very closely with other NHS organisations and sometimes our networks run through each others to keep costs down. One site in particular has 3 organisations utilising the same link. We are planning a re-design of the infrastructure as we have the majority of staff on site so we are taking over the core and running the majority of the network.

My question relates to redundancy and re-convergence times in case of failure. BT supply the connection and will install two routers running HSRP. Currently most of our sites have a stack of 2 or more switches in a VRF stack, with a link from each router going to a different switch. It will also be the same to the other two NHS organisations on site, but via LACP instead. If a switch fails, the downtime for re-calculations is relatively short and we have never had a major issue with it.

Would there be any benefit using VRRP to and from all devices? From the brief time I have had to test, it seems like a lot more work and configuration for little to no gain.

In case you need to know, we are running HPE 5510's for our core on the latest firmware R1309P06.

Thanks all!



EVE-NG Installation

Please, how does one set up EVE-NG with VMware Fusion on a MacBook Pro?



Thursday, November 1, 2018

What IPAM solution do you recommend?

I’m preparing for next year's budget meetings and I’m thinking about adding an IPAM solution to the list.

What do you use/recommend? I’ll need something that works with Windows DHCP/DNS as well as Cisco routers for DHCP.

I have about ~60 DHCP pools, with the majority controlled by Cisco routers and the rest on Windows DHCP servers.



Need advice (or paid consultant/integrator) for networking an animation studio

Hello all,

My apologies if this is the wrong place to post this.

I'm apparently now the 'de facto' IT guy of a small animation studio in the LA area. We are moving to a new space, and I've been put in charge of supervising the network upgrade that accompanies the move. I've never been super knowledgeable about networking, and I'm frankly out of my depth, but also eager to learn. I don't yet have a fixed budget, but if I had to guess, it would be <= $10K (USD) for physical hardware (switches/router/cables; the structured wiring, racks, etc. are not part of this). I am seeking either advice or a paid consultant/integrator to assist me with this process.

Current Situation

  • The studio has grown very rapidly over the course of two years, and our networking equipment has not kept up.
    • Internet comes into a Linksys WRT1900AC that we use as our main router (and also as a WAP)
    • Our entire studio is currently configured under one network - no subnetting, VLANs, or other segmentation
    • One port of the Linksys runs to a TP-Link 48-port Gigabit switch, that serves our main rendering machines
    • One port of that is daisy-chained to a second TP-Link switch (24 port), which has most of our workstations connected to it. There are a few other desktop switches connected to this, but most workstations are directly linked to it.
    • Another port of the 'top' TP-Link switch is daisy-chained to a Quanta LB6M 10G SFP switch for a rack of 12 servers for data processing. This is currently the only 10G equipment on our network.
    • There are 2 WAPs in use (not sure of the models). I think one of them is a pure WAP, while the other is configured as a separate network
  • Our storage is currently divided into four physical systems based on our usage. None of them currently support 10G - but we plan to upgrade after the move:
    • 'Hot server' for our active projects. This is about 35TB. It has a live redundant backup, and 3x 1G links aggregated for bandwidth.
    • 'Cold vault' for completed projects and longer-term storage. This is about 75TB.
    • 'Datastore' for datasets from clients and projects. This is about 70TB.
    • 'Cache' for baked animations, shared video scratch, etc.
  • In total we have about 36 wired machines on our network, but we probably have an additional ~12 on wireless at any given time.
  • We do not have or need any kind of VoIP

Current Problems

  • We have team members who frequently edit video at resolutions much greater than 4K (our largest project to date was 17,000 x 6000 pixels per frame), and they've complained about access speed
  • We have some machine-learning and data analysis projects where our current network has been proven to be a bottleneck
  • Since multiple machines need to read and write to the Cache drive frequently, the network speed can dramatically affect our render times
  • When moving files onto our servers, we've noticed issues with moving many small files compared to fewer larger files. That sounds to me like it's probably a software issue or file indexing limitation, rather than a networking problem, but I figured I'd post it here anyways.

New Network Goals

  1. Boss has explicitly asked for the wired network to be 10Gb/s wherever it makes sense
    1. He and at least three other workstations need 10G
    2. Storage needs 10G
    3. Most of our rendering only needs Gigabit
  2. Reduce daisy-chaining where possible, or at least make the links higher speed and bandwidth
  3. Reduce bottlenecks on storage IO as much as possible
  4. Support a second LAN with internet access that is fully isolated from our main one (a developer wants a sandbox with internet)
  5. Support probable expansion as we add more hires and connect more machines to our render setup

New Network Progress

  • The building is being wired with Cat6A. Everything will be coming back to our server room. Each of the 12 primary workstations will have a dedicated cable into our patch bay (with some extras for later expansion or furniture rearrangement).
  • More rack space; currently 4 racks are available, which is ample room for our gear and leaves some room to scale horizontally.
    • 1 entire rack (42U) is currently provisioned to be just for networking, patching, and storage.

My Plan

TLDR of everything above:

Currently gigabit off a prosumer router/firewall/WAP combo. Unplanned network, no VLANs or subnets. Daisy chained switches. 150+ TB of storage. ~36 wired, 12 wireless machines. No VoIP. Having IO problems with our storage, especially for video editing and ML tasks.

  • New standalone router
    • Do we need a firewall?
  • WAPs will be connected through building patches
  • Top-of-Rack style setup, with a 10G aggregation switch in the networking rack.
  • 2 of the racks will be Gigabit equipment - so the ToR for each should be Gigabit with 10G uplinks.
  • One of the racks will consolidate our 10G SFP+ equipment. I can reuse the LB6M for now as the ToR.
  • Storage should connect into a 10G switch that connects to the aggregation. Our storage hardware isn't currently 10G capable, but it will be in the future.
  • The patch out to the workstations should connect into a 10GBASE-T switch that connects to the aggregation.

Where I Need Help

  • Does this plan make sense at all? Or is there a different/better way to do this?
  • I am still unsure about router choice and configuration for the new network. There are a lot of options, and it isn't immediately clear to me why one might be a good choice compared to another.
  • What would be the advantage of adding a firewall device to our system?
  • Does it make sense to 'buy into a system' for this upgrade, like Ubiquiti or Cisco equipment?
  • What options do I have for a 10GBASE-T switch? I'm having trouble finding one that will support 12+ copper connections.
  • My boss has asked me to buy Cisco where possible. However, I'm not sure that is even remotely possible on this budget, and I'm not trained with Cisco equipment - so even if the gear itself was affordable, I doubt I could properly install it.

Again, I am willing to hire a consultant/integrator for this project, but I need to be able to justify it to my boss. We don't have much budget for ongoing maintenance, so anything installed should be something that we can maintain ourselves, or with minimal outside assistance.

Apologies for the wall of text. Thanks in advance for any help!

EDIT: Jeez what happened to the formatting? Tried to go back and make it more legible. Wish there was a preview.



Layer 3 Switching help?

Hi, so I apologize at first that I'm new to this type of networking that I'm having to setup and could use some help:

I have a Cisco SG500X-24 switch that has 3 vlans (1, 5, 10). I have an IP address (10.100.0.9) setup for the 5 vlan for management, and is untagged to access port 24, but tagged on fiber port 2 (trunk port) to same type of switch on second floor. The 10 vlan does not have an IP addresses, and it's untagged for ports 1-23, and fiber port 1 and tagged on fiber port 2 (trunk port). The 1 vlan is not on any port.

From my ISP, (which is connected to fiber port 1), I received a "Layer 3 Subnet" which consists of 50.0.0.40/30 (not real subnet) and has layer 3 ip of 50.0.0.42 with a default gateway of 50.0.0.41. This is the ISP's gateway. Also, I was given a /25 subnet, of 50.0.0.128/25 but no gateway. Just a block of IP's.

Each port on the switch 1-23 (in the 10 vlan) needs to be able to use one of the /25's, however, I'm not sure what to add where to get this routing to work.

Any suggestions?



Web Site Activity Tracking

I recently configured my router to use OpenDNS and I was shocked in reviewing the logs. There is so much activity coming out of my home. Then again, we have smart TVs, Rokus, multiple mobile devices, multiple home and work computers, Sonos, Phillips Hue, Google Home - the list goes on. So, maybe it isn't that surprising. I would really like to map all those domains to IP addresses to understand what is going on, and to make sure the kids are behaving, but you can't do that with OpenDNS. I tried configuring my router, and the logging worked, but it only stores a ridiculous 256 lines before the log starts writing over itself. What other options do I have? Is there software I can install on 1 PC that will monitor all traffic on the LAN and report domains by IP?



What are the shipping container like boxes outside of newer datacenters?

I believe some of them have the Cat logo.. here is a Google maps example.. https://goo.gl/maps/9BJVpusPXm32



Identity NAT with Public IPs ?

Hello,

I took over a project to migrate an old ASA 5520 to a Firepower 2110 with FTD, managed by an FMC. The old ASA had a bunch of identity NAT rules, one for each network, all networks being public IPs.

My question is: why would someone do that kind of configuration? Translating a public network to itself when there is no private network in place for this organization.

I know that I can remove all the NAT rules and the FTD will continue routing all the public IPs fine, but I would like to know what the Security experts opinion is on this matter.

Thank you in advance.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



Airfiber p2p configuration options

Inherited a network with a lot of technical debt. Now trying to fix one of my locations that has stretched L2 over wireless p2p. I want to move it to L3 and do EIGRP across the p2p for dynamic routing. We will be re-IPing the site as part of this as well. We are refreshing switch hardware at the remote site, which is a large farm about 1.2 miles down the road. Purchased Ubiquiti AirFiber 24 HDs. Company didn’t want to pay the $90k to run SM fiber there and do it right. Going to start up the new network in parallel with the old. The topology looks something like this...

Core —> Access —> AF24 —> AF24 —> Core

Access switch is catalyst 3650 so L3 capable but currently just running L2.

IP configuration for the L3 network will be a /29

I think that clears up all the details. What I’d like some advice on is how to configure these?

Create new vlan and vlan interface on core and trunk it through to L2 access switch?

Routed port on the access switch?

Create new vlan and vlan interface on the access switch?

Any other options?

Just looking for some recommendations on how others have done it and/or any best practices.



On prem DDOS providers. Who do you use or suggest?

I am beginning research into on-prem DDOS providers. Anybody have experience with using something? I see that radware seems to be popular. I’ve also seen that Palo Alto has some sort of offering but haven’t looked into it. Suggestions?



Spiraling light



New Cisco ASA SIP inspection engine DOS Vulnerability CVE-2018-15454 - no patch yet

FYI hadn't seen this posted yet here and there are some reports of this out in the wild: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos

" Vulnerable Products

This vulnerability affects Cisco ASA Software Release 9.4 and later and Cisco FTD Software Release 6.0 and later if SIP inspection is enabled and the software is running on any of the following Cisco products:

3000 Series Industrial Security Appliance (ISA) ASA 5500-X Series Next-Generation Firewalls ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers Adaptive Security Virtual Appliance (ASAv) Firepower 2100 Series Security Appliance Firepower 4100 Series Security Appliance Firepower 9300 ASA Security Module FTD Virtual (FTDv) 

SIP inspection is enabled by default in both Cisco ASA Software and Cisco FTD Software."

Cross posted from https://www.reddit.com/r/Cisco/comments/9t6b6d/new_asa_vulnerability_in_sip_inpection/

Some users there reporting they have already been hit.



Isp ping issue

I am still green as far as networking goes so I am reaching out to make sure I'm not crazy. Also if this is the wrong place let me know.

So a client needs a VPN to work with a company laptop. New internet just got installed. Tried to use the VPN and it fails. Ping static for the business, fails. Tracert, laptop->modem->ISP node and fails 100%. Called ISP. They opened the port and placed the connection in DMZ. Still nothing. Rebooted all the things and stuff at home. No change.

I had enabled external ping at work to test. If I connect the laptop to my phone hotspot it works.

What can I ask the ISP to do/check? Or what can I do/check to verify what is causing the issue?

Thanks for any assistance.



Meraki Vulnerability Notification

Oops.....

Email I got this morning!

Dear D, A security vulnerability was discovered within the local status page of the MR, MS, and MX product lines. The vulnerability allows an attacker to inject configuration options and data into the device. The attacker would require either physical access or local network access and knowledge of the credentials for the local status page to exploit this vulnerability. Meraki has released firmware for all affected products. We strongly recommend that affected customers promptly upgrade their devices’ firmware to our latest Stable builds, which contain patches for this issue. You are receiving this message in advance of public disclosure because your organization includes at least one affected product. Meraki will be disclosing the vulnerability publicly on November 7th.

Fixed Firmware Details (Product Line: Fixed Releases)

  • MR: 24.13 or later, 25.11 or later, all future major releases
  • MS: 9.37 or later, 10.20 or later, all future major releases
  • MX: 13.32 or later, 14.25 or later, 15.7 or later, all future major releases

If you are unable to upgrade immediately, we urge you to disable the local status page for affected products as a mitigation until you can upgrade your devices. This will allow a layer of protection until you perform the upgrade at your convenience. We’ve posted this document detailing the page, its functions, and how to disable it for each affected product line. We have also built API endpoints for enabling/disabling the local status page and the information can be found under Help > API Docs. With Meraki’s unique ability to monitor our devices through the cloud, we were able to identify the vulnerability and build a firmware patch update as we surveilled the issue. Meraki devices were not compromised due to this vulnerability. Nonetheless, we apologize for the inconvenience this causes you.
List of your affected networks:

If you have any questions or require assistance, please reach out to Cisco Meraki Support. Their contact information can be found under Help > Get Help in Dashboard. Meraki
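As an added example (not Meraki's own code or API), a check of a device inventory against the fixed releases the notification lists, so a defender can see which units still need the upgrade or the local-status-page workaround. The version-string format, the sample inventory, and the reading of "all future major releases" as any major newer than the newest listed branch are assumptions.

```python
# Fixed releases per product line, as listed in the notification.
# Each entry is a branch (major) and the first release in that branch
# that carries the fix.
FIXED_RELEASES = {
    "MR": ("24.13", "25.11"),
    "MS": ("9.37", "10.20"),
    "MX": ("13.32", "14.25", "15.7"),
}


def parse_version(version):
    """Parse 'MS 10.12' or '10.12' into (major, minor).

    The 'PRODUCT major.minor' form is an assumed inventory format.
    """
    digits = version.split()[-1]
    major, minor = digits.split(".")[:2]
    return int(major), int(minor)


def is_fixed(product, running):
    """True when the running firmware is at or above a fixed release.

    Same branch as a listed fix: minor must be >= the fixed minor.
    Newer branch than any listed: treated as 'all future major releases'.
    Older branch than any listed: no fix exists, so not fixed.
    """
    fixed = [parse_version(v) for v in FIXED_RELEASES[product]]
    major, minor = parse_version(running)
    for fixed_major, fixed_minor in fixed:
        if major == fixed_major:
            return minor >= fixed_minor
    return major > max(fixed_major for fixed_major, _ in fixed)


def devices_needing_action(inventory):
    """Return the (name, product, version) tuples that are not on fixed firmware."""
    return [(name, product, version)
            for name, product, version in inventory
            if not is_fixed(product, version)]


# Constructed sample inventory; not real devices or real networks.
SAMPLE_INVENTORY = [
    ("core-mx", "MX", "14.20"),   # 14.x branch below 14.25 -> needs action
    ("idf1-ms", "MS", "10.20"),   # exactly the fixed release -> fixed
    ("ap-lobby", "MR", "25.9"),   # 25.x branch below 25.11 -> needs action
    ("ap-lab", "MR", "26.1"),     # newer major than any listed -> fixed
    ("old-ms", "MS", "8.5"),      # branch with no fix listed -> needs action
]

if __name__ == "__main__":
    for name, product, version in devices_needing_action(SAMPLE_INVENTORY):
        print(f"{name}: {product} {version} needs upgrade or local status page disabled")
```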



Forward and Reverse PTR for DNS Verification? - does it add any security against MITM?

Hello all,

I know the answer already, and it is NO.

That being said, aside from "obfuscation" style security, does setting up DNS with forward and reverse PTR matching pairs NAME = IP, IP = NAME add any type of other benefit? (I also realize PTR does not often / always match directly to the forward lookup)

Anyhow just exploring cheap ways to slightly improve the verification of a host, and yes yes I am aware of DNSSEC too.

Not to over answer and be a know it all. Just hoping for some suggestions outside the realm of the obvious. Thank you very much for taking the time to read my question, beyond a solid "nope".

Thanks again!



Juniper TED (Traffic Engineering Database) update interval

I'm working on setting up BGP-LS on my network to monitor node and link state of our IS-IS L2 network. I am noticing that the TED does not update very quickly on IS-IS topology changes.

If I cut off a group of nodes, I see that they remain in the TED for up to 10 minutes before they are removed. I am using ACX1100 with JunOS 18.3R1.9.

Is this a tunable parameter, or is this just something I need to deal with?



Which optics should I order?

I've got a pair of Netgear XS716T switches, one located in each of my switch closets. I have existing SMF between the two closets and want to use it to connect these switches.

I see from the Netgear spec sheet (https://imgur.com/a/sKgFBiq) that there are two SMF-compatible SFP+ modules. One is labeled long range, and the other long range lite.

I'm trying to determine which of these would be the correct optic for my application. The distance between closets is approx 350'.

I've tried reaching out to Netgear directly, but haven't been able to get in touch with anyone that could answer the question.



Cabling side gig - How to bill

I haven't taken any side work for many years, and especially not cabling, but now with expensive teenagers...

I just agreed to cable a new office for a small company and would like some input on what to charge, etc. Do you charge per cable drop, etc? It is probably 50 lines, two per location, etc.

Thanks for any input



Ekahau Site Survey Laptop Recommendation

We are going to be purchasing Ekahau Site Survey along with the Sidekick. Looking for a new device to run the software on and not sure which way to go. Should I go for something like the Surface Pro, Standard Windows laptop, or Macbook? Anyone using the software have any advice for me?

Thanks



Packet Tracer Help

Hello /r/networking,

I am not sure if this is the place to ask this but I am really stuck with my course assessment. I am really struggling with assigning IP addresses with a layer 3 switch to different VLANs. Most of the time the computers say I am running APIPA and DHCP won't work, and sometimes it will just fail without saying anything. Can someone please explain how to assign IP addresses for subnetworks for VLANs and how to resolve the APIPA issue, thanks :)



Here's to you Pitney Bowes?!? Requiring plain text DNS to 8.8.8.8 is a deal breaker!!! Or, TIL PB sucks; Or, isn't there an RFC for that?

Did you know that recent Pitney Bowes machines require DNS to 8.8.8.8 to succeed? If the request doesn't succeed the device drops the connection, wired or wireless.... Here's the kicker, wait for it... That behavior persists EVEN WHEN THE DEVICE IS STATICALLY ASSIGNED A DIFFERENT DNS SERVER (dynamic too)....

This is dumb behavior! If I assign a device a different DNS server it is because I know something else isn't going to work the way I want it to (security) or the way it needs to (lack of functionality). This is an enterprise environment with multiple locations, this is not the wild fucking west! It's the modern railroad and all of its politics to boot, don't drop your device on our network and tell us how to run shit.

If you want to simplify troubleshooting for your Help Desk then ship the device with an LTE modem by default. Then it won't touch my network and we don't have to discuss anything further. You'll probably save money in the end anyway, if not tack on a service fee; we'd pay 10.00/mo/device so we didn't have to troubleshoot.

If you absolutely need to use unsecured 8.8.8.8 DNS to verify connectivity, then force 8.8.8.8 as a DNS server. If you can't do that then, take a hint from Microsoft; If your request fails but everything else works, warn the user (looking at you msftconnecttest.com) but don't drop the connection - that's how you get kicked off the network.



Point-to-point vpn ipsec tunnel help - cisco ios

Have a vpn tunnel to another branch always on.

Normally when I run show crypto session, the tunnels are UP-ACTIVE; as of late I'm seeing them as UP-NO-IKE. Data is still traversing the tunnels as far as I can tell, however when they are in this state I'm getting reports of slower branch to branch speeds. show crypto isakmp sa will show no active SAs. I'm at a total loss why all of a sudden the SAs are dropping. clear crypto session resolves the issue for a few hours and the process repeats.



Inbound port access for eSports games in a K12 setting?

Several of our districts are moving forward with eSports leagues, playing LoL, overwatch, etc.

The NASEF IT guide mentions several ports to "forward" for best gameplay. The guide for overwatch mentions several tcp and udp ports to have "open."

Outbound ports are no problem--they are open already.

But inbound/forwarded ports--how could that work with more than one player behind a single public IP?

We do have the IP space to give each league its own public /26 or whatever...but something tells me I'm missing something, and it doesn't have to come to that. I don't play any of these games so I'm not familiar with their network architecture.



Comcast 4g fail-over device

Hey team, Question - I have two clients who want some type of fail over for when their broadband service goes out. Happens monthly in the area they are in. Comcast is pushing a device made by Cradlepoint called an AER1650. This device looks like a modem/router/gateway with a 4 port switch on the back as well as a cellular antenna.

My issue is that the 3 people at Comcast I have talked to have no idea how this hooks into the network. Does this replace your router? Does this go inline after your router? Will it supply internet to items via a network switch? Comcast can't answer these questions and they have even sent me info. I have googled for some info and come up with nothing other than videos of people deploying it as a BYON device where it is a stand alone item, not fail over.

My suggestion was to employ another broadband provider and use a Ubiquiti USG to switch to ISP #2 in case of ISP #1 failure and switch back to ISP #1 when it senses service has been restored.

One office is smaller - Maybe 10 total devices. Second office is much larger - closer to 30 devices.

Thoughts and comments. Thanks for your help!



Meraki API for monitoring

Hi All,

I've been scratching my head on this one for a bit. I'm working on monitoring my new Meraki switches. Presently using Nagios XI. Meraki just released webhook functionality and I'm trying to figure out how to potentially integrate that vs just using SNMP.

Has anyone had any marginal success with either? The meraki documentation is pretty short on this.



Splitting phone and data

I'm new to the networking side. We are running out of IPs and were looking to split VoIP and data while still being able to utilize plugging in computers via the phone. I suggested creating a different subnet and do tagging. The MSP that is still currently in place said we should buy another switch and run more drops and not plug into the phones. What do you think?



New ISP

What is the practicality of building fiber to the home (FTTH) via GPON and deploying IPv6 only. What would be issues to overcome with Home networks? Would the home network run IPv6 or IPv4 and convert to IPv6? What if a home device doesn't support IPv6?

ISP would be running NAT64 and DNS64.



ArubaOS 8.x question

My network setup: MM managing 2 MDs in a L2 cluster.

On the inside all APs are pointing to the mobility controllers' VRRP IP. What about RAPs on the outside though? Do I point them to one of the (NATed) MDs or to the (NATed) VRRP IP?



Homeowner Modem Connection

New homeowner question - I have a coaxial cable coming in from outside to the basement in an older home. From there, the cable hits a 2:1 splitter, travels about 20 ft and hits a 4 way splitter. I’m only planning on plugging in my modem on the first floor using the pre existing cable popping up out of the floor and don’t plan on connecting any of the other cables and using those lines. I plan on using a hard line tied into the modem for my TV and Hulu Live, but the coaxial cable won’t be plugged in anywhere else.

My question - does a splitter diminish the quality of the line going into the router or if lines aren’t being utilized do they just act as couplers? I don’t want to have to fish a new long cable through my basement rooms and into the first floor when I can possibly just use the current line. Should I disconnect all the other cables going into the splitter despite them not being used at all? Just looking on how I can get the best connection to my modem without seeing diminished results.



SNMP MIB Browser

Hey guys,

does any of you know a freeware SNMP MIB browser which supports IPv6 and SNMPv3?

Did a lot of google research, but was not successful.

Ireasoning Mib browser does not support IPv6 and SNMPv3 in the freeware version.. :(

Edit: it has to be a windows application

Kind regards,



Any feedback on elearnsecurity.com?

I found this site that offers courses and certs in IT security, like pen testing, and was thinking about signing up for it. Has anyone here used or heard of this site before, or is there a better sub to post this question in?

TIA



EVPL Multiplexing

If running EVPL, how can you differentiate between multiple private lines on a UNI? Is it VLAN tagging (.1q?)

I mean I imagine within an EVPL itself there can be multiple VLANs?



Aruba Central

We are looking to change our wireless vendor and Aruba Central is one of the contenders. Unfortunately, I am not seeing a lot of reviews for it online. Only seeing reviews for ClearPass. Has anyone used Aruba Central? If so, what are your thoughts on it and how is the support for it? Aruba seems to be more focused on ClearPass.



My Apologies

Just wanted to apologize to this sub for waltzing in and posting some misinformation yesterday... then, getting kind of belligerent when called out on it. I'm new to this sub and should probably lurk more before offering any more advice.



Ideas / Help / Suggestions for running Internet Exchange Point?

Hello. If this post is not relevant to this subreddit, please remove this and show me the correct path.

I want to open an IXP in my local area. What are the steps? Anyone here have experience in setting up an IXP? I have checked the NSRC website for some ideas. What are your thoughts? Currently I run a company that helps local Municipalities / Local Government establish community ISPs using 5GHz wireless links.

Suggestions needed. Thanks. If you need any details please ask and I will put an edit in the post.

Thanks. Have a nice day.



Trouble Completely Understanding Subnetting

Hello all,

Sorry for the long post. I'm having a really hard time understanding subnetting. I've watched hours of videos online and read up on the subject in a Networking book I own. I understand most of it but when it comes to certain things like finding the ranges of the network I don't really get it. I have 2 examples of questions from a subnetting worksheet that I can't figure out.

Example 1:

Network Address: 195.223.50.0

# Needed Subnets: 2

These are the questions it's asking and how I answered them.

  • Address Class: C
  • Default Subnet Mask: 255.255.255.0
  • Custom Subnet Mask: 255.255.255.128 -- I made the hosts portion of the subnet mask .128 because I borrowed 1 bit since I needed 2 subnets
  • Total Subnets: 2
  • Total Host Addresses: 128 - I answered 128 because there are 7 bits in the host portion left and 2^7 = 128
  • Number of usable addresses: 126
  • Number of bits borrowed: 1
  • What is the subnet broadcast address for the first subnet: 195.223.50.127
  • What is the subnet number for the second subnet: 195.223.50.128

I'm pretty confident in those answers, if there is anything wrong with those please help me understand why. But these next two questions confuse me.

  • What is the third subnet range?
  • What are the assignable addresses for the third subnet?

So is there even a third subnet? Aren't there only two subnets? With the ranges being 195.223.50.0 - 195.223.50.127 and 195.223.50.128 - 195.223.50.255? Is this like a trick question and there isn't a third subnet?

Example 2:

Network Address: 10.0.0.0 /16

Questions:

Address Class: A

Default Subnet Mask: 255.0.0.0

Custom Subnet Mask: 255.255.0.0 - I answered this because /16 means 16 bits for the subnet mask

Total Number of subnets: 256 - 2^8 = 256, 8 bits more than the default subnet mask

Total Host Addresses: 65,536

Total Usable Hosts: 65,534

Number of bits borrowed: 8

These questions I'm not sure about because I don't know which octet changes for each subnet:

What is the 11th subnet range: I think it would be 10.10.0.0 - 10.10.255.255 but not sure.

What is the subnet number for the 6th subnet: 10.5.0.0???

What is the subnet broadcast address for the 2nd subnet: 10.1.255.255???

What are the assignable addresses for the 9th subnet: 10.9.0.1 - 10.9.255.254???

Again, sorry for the long post. If I messed up anywhere please let me know what I did wrong. I've been having a rough time trying to figure this out. I'm really having trouble finding the "Magic Number" and the ranges. Any help would be appreciated, Thanks!



Super slow sawtooth

Linux admin here. We have a remote site with a MPLS link that has been having issues. We have a smokeping latency graph running and we have noticed an interesting phenomenon. The latency will slowly climb from ~100ms to ~210ms over the span of 2-3 hours. Then it plummets and starts the cycle all over again. My thought is a process is running away on a firewall of some kind, but I'm not a network admin. I would love any advice you guys have for me.



ntopng with graylog, is it possible?

Hi All,

I just launched my first Graylog server, all working fine.

Now, I am thinking of joining the logs from ntopng to Graylog. Would this be possible?

If so, could somebody guide me in the right direction? I'm fairly new to all this.

Thanks!!!

edit1# Came across this: Nprobe is converting netflow/traffic-flow to JSON format adequate for ntopng, also it logs traffic flow to local syslog, which then forwards logs to the main syslog server, and main syslog server forward logs to Graylog server.



How do you explain value of good networking security and enterprise gear?

I'm a volunteer for two non-profits that share an office space.

I'm struggling to explain some of the infrastructure/security changes we've done.

I hear things like:

  • My home internet is simpler
  • I want all the passwords, so I can fix it myself.
  • Who would want to hack us?
  • Our data isn't that critical, we don't need backups.

Things we've done:

  • WPA2 Enterprise - they have a lot of casual volunteer staff, and even full-time staff changes a fair bit, so this helps us avoid having to rotate keys (although I think they never bothered to before).
  • Separate VLANs/VRFs for the two tenants, as well as VoIP traffic, and also audio/video traffic
  • 802.1x for port access control and a NAC (PacketFence) - they rent out the space to other people/groups, and often have visitors in the building.
  • Layer 7 QoS - We recently upgraded them from 5Mbps/5Mbps to 100Mbps/40Mbps - however, staff still complain about speed or "general internet issues". I suspect some of this is related to cloud storage (iCloud, Dropbox, Google Drive etc.) For example - one staff member backed up 50GB of video in 2 hours but didn't realise. (I should probably implement fq_codel or something).
  • Suricata as an IDS - not sure how to explain this in layman's terms.

Things I'm still getting a handle on:

  • They use VoIP telephony, and complain about call dropouts.
  • One of the tenants processes credit-card information, so we try to segregate their traffic. They're not strictly PCI-compliant - but they say their bank has never asked them to agree to be PCI compliant.
  • Their CRM/accounting software transmits everything in clear-text, so I'm routing that traffic over ZeroTier (as a VPN).
  • Their server room is a small storage closet - they use a telco rack, so some of the servers are stacked on top of it, rather than in it. And there's no cooling in that room - heat is trapped in there; I used a FLIR and it's around 40 degrees in there. I don't know how to get them to install cooling.
  • Setup FreeNAS to provide some kind of backup (e.g. for video data).
  • They have no redundant power, or surge protection for the server/network room. One tenant is mostly cloud-based, whilst the other runs on-premise software. For the cloud-based tenant, I suspect they don't see the value of investing in the room, as it's just "the internet" and them.


Wednesday, October 31, 2018

network upgrade

I am IT manager/Linux admin for a medium size business ~ 200 employees. I am about to replace several old cisco switches with unifi switches. We currently have 3 racks of servers with one 48 port switch per rack. Would daisy chaining the switches with the 10gbe sfp+ ports help at all or should I just stick to the current configuration with cat5e/gigabit ports to connect the switches? I also will be buying a 10gb sfp pci card for our netapp san to connect to our vmware server as well.

Thanks!



Accidentally wiped 2960X-48FPD-L Flash

Was upgrading an IOS image and went to delete the old one after I reloaded to the new image, but when I tried to paste the file name it didn't paste in and just hit a carriage return. So it ended up just running 'delete /force /recursive flash:'

I haven't reloaded the switch yet, so i'm copying back the .bin for the IOS image, but is there a way to recover the other stuff on there? Or am I going to have to do a full recovery?



Can someone please help me with this? Actiontec MI424WR Rev I - Creating VLAN

I followed these steps to create a VLAN, and I got up until the last step. I successfully got the port I was choosing to use a different IP, but then it just had no connectivity. No web pages would load at all.

Here are the steps I followed:

Part 1 – Creating the VLAN Ethernet Interface

  1. Login to the BHR and navigate to ‘My Network’ then ‘Network Connections’
  2. At the bottom of the ‘Rule Name’ column click the red ‘Add’
  3. Select the underlying device, normally ‘Network (Home/Office)’, and click ‘Next’
  4. Assign the VLAN an ID, can be any number between 1 and 4094, and click ‘Next’
  5. On the Summary, add a check-mark for ‘Edit the Newly Created Connection’ and click ‘Finish’
  6. On the new connection, at Internet Protocol, select ‘Use the following IP Address’ and enter a LAN IP address for this interface
    a. (example) IP Address – 10.0.0.1
    b. (example) Subnet Mask – 255.255.255.0
  7. At DNS Server, select ‘Use the following DNS Server Addresses’
    a. (example) Primary – 4.2.2.1
    b. (example) Secondary – 4.2.2.2
  8. At IP Address Distribution, select ‘DHCP Server’
    a. (example) Start IP Address – 10.0.0.2
    b. (example) End IP Address – 10.0.0.254
    c. (example) Subnet Mask – 255.255.255.0
  9. Click ‘Apply’ at the bottom of the page to save the configuration
  10. Back in ‘Network Connections’, select the new rule to edit it; it may be named ‘Ethernet 2’. Rename it ‘VLAN x’ (x = the VLAN ID number) if you wish, and click ‘Apply’ to save the change

Part 2 – Dedicating the Ethernet Port on the Switch

11. In ‘Network Connections’ again, click the ‘Advanced’ button
12. In the ‘Network (Home/Office)’ section click ‘Ethernet’ to edit it
13. Click the ‘Settings’ button
14. On ‘4 Ports Ethernet Switch’ select ‘Show’
15. Open and edit the port (1-4) that you want to assign the VLAN to
16. In ‘Port Settings’ change the ‘Ingress Policy’ to ‘Tagged (Add VLAN Header)’
17. In the field ‘Default VLAN ID’ enter the same “VLAN ID” number that was assigned to the VLAN in Step #4, “Part 1 - Creating the VLAN Ethernet Interface”
18. Click ‘Apply’, and at the warning, click ‘Apply’ again
19. The VLAN ID should be displayed in the ‘PVID’ column for the Ethernet port that was selected for use by the VLAN
20. Click ‘Apply’ on ‘Configure Ethernet’, then ‘Apply’ for ‘Ethernet Properties’
21. This should leave you at ‘Network Connections’; you are finished

The VLAN is created and assigned to the specific Ethernet port that was selected. The switch’s three remaining Ethernet ports will behave as they always have, but any device connected to the port dedicated to the VLAN will be on a different network, using a different IP address range.



LAN micro segmentation at host level

We're running our own MPLS campus network with lots of different VRFs for different use cases. We have a VRF for washing machines, a VRF for HVAC, a VRF for MRI machines etc... so even at this point there are lots of different segments to manage and create firewall rules for.

Security/compliance guys are pushing towards an even tighter setup where we could limit connections between end points within a segment/VRF. Not really sure if preventing PC to PC communication within a VRF would help us security-wise. And would that break Skype for Business? I thought it uses direct connections between endpoints when it thinks it's in the same network.

Aruba per-user tunneled node would let us micro segment the whole LAN and have "deny traffic within segment" as the first rule... and that would probably be enough as the traffic towards other segments would traverse physical firewalls.

There is software to control Windows/Linux software firewalls, but that doesn't really help if I'm trying to limit how an MRI machine can access other stuff :)

Any ideas or experiences? Seems that it's really vendor lock-in stuff to do this? Or has anyone ever done this? Or do you allow PCs to talk to other PCs and devices to talk to other devices?



Network Monitoring Recommendations

We are currently looking for a replacement for SCOM 2012 as our network monitoring solution. We're a heavy Microsoft shop and we primarily use it for monitoring Microsoft services (including Exchange, SQL, SharePoint, Skype). We have found it fairly noisy in terms of alerting and no one internally has any experience or training on how to tune it.

Our gaps are that we don't have any monitoring of our actual network, (SCOM does up/down for Services but that's pretty much it) including server, switch and other hardware, we also don't have any kind of Bandwidth monitoring. We have a mix of Cisco, HP and Meraki. Below I've listed our general requirements.

We've looked at SolarWinds (too expensive) and PRTG (which I liked) and another solution called Netreo, which I've never really heard about.

Has anyone worked with Netreo before and if so, what were your impressions of it?

Environment: 175 virtual machines on VMware (mix of managed and free hosts)

VMs are 95% Windows, with about half a dozen Linux VMs (Ubuntu)

Mix of Cisco (Catalyst and Nexus), HP and Meraki Hardware

Fortigate Firewalls

Audiocodes Telephony Gateways for PSTN

Skype for Business is our phone system

Kemp Loadmaster Loadbalancer

Servers are a mix of HPE, Cisco UCS and Lenovo



Netmiko to tagged vlan base on existing vlan

Hey guys, I'm trying to get my head around it as I play along with Netmiko. I'm trying to get the following done (I have it working with an expect script but I'm trying to get it done moving forward with Netmiko):

The script would connect to the switch and do a sh run vlan on an initial existing VLAN; if the VLAN exists, the script would go ahead and create a new VLAN (input by the user - so menu system), give it a name, and tag it according to the first VLAN that the switch looked up.

I'm currently checking the GitHub of /u/fizzyRobot (his LLDP script might be similar although it seems a lot more complex: https://github.com/thewozza/configDescriptions_HP/blob/master/src/configDescriptions_HP.py )

any suggestion on how to do that?

thanks
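One way to structure what the post describes, as an added example (this is not the poster's script and not code from the linked repository): the parsing and config-building steps run offline against a constructed `show running-config vlan` sample, and only `push_vlan()` touches a device through Netmiko. Command syntax and output layout follow HP/Aruba ProCurve conventions, which is an assumption; the device parameters in the comment are placeholders. User-supplied VLAN names are validated before they reach the CLI, since the post's menu takes free-form input.

```python
"""Look up an existing VLAN, then create a new one tagged on the same ports.

Added example, not the poster's script: parse_vlan_block() and build_vlan_config()
run offline; push_vlan() needs the netmiko package and a reachable switch.
ProCurve-style syntax is assumed throughout.
"""
import re
from typing import Dict, List, Optional

# Constructed sample of `show running-config vlan 10` output (not a real capture).
SAMPLE_SHOW_RUN_VLAN = """\
Running configuration:

vlan 10
   name "SERVERS"
   untagged 5-8
   tagged 1-4,24
   no ip address
   exit
"""

# Keep quotes, newlines and other CLI metacharacters out of menu input.
VLAN_NAME_OK = re.compile(r"[A-Za-z0-9_.\- ]{1,32}")


def parse_vlan_block(show_run: str, vlan_id: int) -> Optional[Dict[str, str]]:
    """Return the reference VLAN's name and port lists, or None if it is not configured."""
    block = re.search(rf"^vlan {vlan_id}\s*$(.*?)^\s*exit\s*$", show_run, re.M | re.S)
    if not block:
        return None
    body = block.group(1)

    def field(key: str) -> str:
        m = re.search(rf"^\s*{key}\s+(.+?)\s*$", body, re.M)
        return m.group(1) if m else ""

    return {
        "id": str(vlan_id),
        "name": field("name").strip('"'),
        "tagged": field("tagged"),
        "untagged": field("untagged"),
    }


def build_vlan_config(ref: Dict[str, str], new_id: int, new_name: str) -> List[str]:
    """Config lines that create new_id and tag it on every port the reference VLAN
    uses, tagged or untagged (an assumption about what 'tag according to the first
    VLAN' means; drop ref['untagged'] below to tag only on existing trunk ports)."""
    if not 1 <= new_id <= 4094 or str(new_id) == ref["id"]:
        raise ValueError(f"invalid or duplicate VLAN id {new_id}")
    if not VLAN_NAME_OK.fullmatch(new_name):
        raise ValueError("VLAN name must be 1-32 chars of letters, digits, space, _ . -")
    ports = ",".join(p for p in (ref["tagged"], ref["untagged"]) if p)
    cmds = [f"vlan {new_id}", f'name "{new_name}"']
    if ports:
        cmds.append(f"tagged {ports}")
    cmds.append("exit")
    return cmds


def push_vlan(device: Dict[str, str], ref_id: int, new_id: int, new_name: str) -> str:
    """Connect with Netmiko, verify ref_id exists, push the generated config."""
    from netmiko import ConnectHandler  # imported here so the offline helpers stay importable

    with ConnectHandler(**device) as conn:
        ref = parse_vlan_block(conn.send_command(f"show running-config vlan {ref_id}"), ref_id)
        if ref is None:
            raise ValueError(f"VLAN {ref_id} not found on {device.get('host')}")
        return conn.send_config_set(build_vlan_config(ref, new_id, new_name))


if __name__ == "__main__":
    # Offline demonstration against the constructed sample.
    ref = parse_vlan_block(SAMPLE_SHOW_RUN_VLAN, 10)
    print("\n".join(build_vlan_config(ref, 20, "GUESTS")))
    # Live use (placeholder device parameters):
    # push_vlan({"device_type": "hp_procurve", "host": "192.0.2.10",
    #            "username": "admin", "password": "..."}, 10, 20, "GUESTS")
```

Checking for the reference VLAN before sending anything is the part that replaces the expect script's pattern matching; keeping the builder separate from the push makes the generated commands testable without a switch.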



Suggestions for managed desktop routers

Hi,

We are an IoT company that requires developers to have their own subnets for testing in. We are looking to get small managed desktop wifi routers that we can remotely manage to ensure updates are applied, wireless is properly secured, etc. We are a Meraki shop so the Meraki Z3 seemed like a perfect fit, but 2.4G can't be disabled and it's generally unusable in our environment. I thought that was basic functionality everyone had these days... Can anybody recommend something similar that they've had a good experience with?

Thanks



Cisco ASA 5508 flash problem

I have a Cisco ASA 5508 that won't boot up and I'm trying to see if I can recover it; it appears that it's not recognizing the flash. There is no IOS so I have to boot it from USB, which works fine. But once it's up, I can't copy that to flash because there is no space. Any ideas?

ciscoasa# show disk0: all
--#-- --length-- -----date/time------ path
858 0 Oct 31 2018 19:26:58 coredumpinfo
859 59 Oct 31 2018 19:26:58 coredumpinfo/coredump.cfg
8860 0 Oct 31 2018 19:26:56 crypto_archive
675 0 Oct 31 2018 19:26:05 log
790 125 Oct 31 2018 19:26:05 log/asa-appagent.log

0 bytes total (0 bytes free)

******** Flash Card Geometry/Format Info ********

COMPACT FLASH CARD GEOMETRY
Number of Heads: 243
Number of Cylinders 1021
Sectors per Cylinder 62
Sector Size 512
Total Sectors 15382386

Flash Model: ATA Micron_1100_MTFD



Fiber Optic spools were in the way...

Our providers left a lot of fiber after terminating their connections, a common practice from what I've gathered, and these cables are not very flexible - you know glass and all. So I bought a garden hose hanger, and was able to hang the loops up off the floor, and out of the way from everything. http://imgur.com/gallery/z9m0yqm

There are 3 different providers looped on the hanger in this picture.



WS-C3560X-48T-S can't accept IOS 15.2.2E ED or higher

Hi

I have to upgrade WS-C3560X-48T-S to 15.2.2E ED or higher version to fulfill requirements to use SFP-H10GB-CU2M in this switch (https://tmgmatrix.cisco.com/home)

https://kxiwq67737.i.lithium.com/t5/image/serverpage/image-id/21601i51D5929810679FAB/image-size/large?v=1.0

The switch runs IOS 15.0.2-SE7 MD and accepts upgrades up to 15.2.2E ED (the one that I need to make H10GB work).

The last working one is 15.2.1E3 ED.

How did I do it? I downloaded the .tar and the corresponding .bin for this switch from this website:

https://software.cisco.com/download/home/282979304/type/280805680/release/15.2.1E3

The upgrade is performed by using:

archive download-sw /overwrite /reload usbflash0:blabla-ios-image.tar

or

manually uploading the .bin image to the switch (using tftp), verifying the md5 and setting the BOOT variable, then reloading.

All images (.bin and .tar) that I used have a valid md5 (identical to those presented on the Cisco website).

So what happened?

1) When you have the old, good working image in flash (for example 15.2.1E3) together with the new one (15.2.2), the switch loads the new one (15.2.2), then silently ditches it and loads and executes the old one (15.2.1E3).

https://kxiwq67737.i.lithium.com/t5/image/serverpage/image-id/21603iCAAAE6B3F67C3143/image-size/large?v=1.0&px=999

https://kxiwq67737.i.lithium.com/t5/image/serverpage/image-id/21604i386C8231ECA44F88/image-size/large?v=1.0&px=999

2) When you have only the new image in flash, the switch loads it twice, gives up with a "Boot process failed" message and leaves you in boot-loader mode (to recover).

https://kxiwq67737.i.lithium.com/t5/image/serverpage/image-id/21605i3A32EA1D55A27F31/image-size/large?v=1.0&px=999

https://kxiwq67737.i.lithium.com/t5/image/serverpage/image-id/21606iCC9F543A560B1B1B/image-size/large?v=1.0&px=999

The first thing that I checked was to calculate the md5 of the .bin and .tar files and yes, they're the same as on the Cisco website.

I also tried these IOS images (in .bin and .tar format), still no joy.

c3560e-universalk9-tar.152-2.E.tar
c3560e-universalk9-tar.152-4.E3.tar
c3560e-universalk9-tar.152-4.E5.tar

I found two threads (different switch models) with the same/similar behavior:

https://community.cisco.com/t5/switching/2960s-upgrade-to-15-0-2-fails/td-p/2452655/page/2

https://community.cisco.com/t5/switching/3750x-doesn-t-boot-after-upgrade-to-version15/td-p/2204929

PS: I have nearly 20 years of experience with Cisco hardware (ASA, switches, routers, uBRs etc.) and this is the first one that refused to upgrade IOS with no apparent reason...

PPS: In the next post I will show an attempt to boot the image from boot ROM (mode button was pressed for 30s after power on).



Network Segmentation without a vendor product or lock in

Scenario: You have a flat layer 2 network with SVIs that don't block east/west traffic between any VLAN. You have an upstream firewall that carries your north/south traffic to the internet. Your dev/test/build and corporate networks are inter-mingled. InfoSec says this is bad news, and you need to segment off parts of the network based on business use case. The only catch is you can't use any specific vendor technology or product that would cause a lock in. The ultimate goal is zero trust, where we define policy for every traffic flow and nothing is implicitly trusted.

Given the above scenario, I'm inclined to move the firewall down in the topology to be where the L3 gateways sit. Of course this means scoping massive firewalls based on current bandwidth use and anticipated growth (+/- some buffer in case someone says we need something like SSL decryption). My thought with this is that it doesn't necessarily mean a vendor lock in, because we could rip and replace any firewall vendor and replace it with a different one if we decide we don't like our current one. It solves the immediate business requirements and increases security, telemetry, etc.

Another solution could be to keep the SVIs at the switched level and simply add in access-lists based on Netflow data, but maintaining those may become a headache.

Is there a better way to accomplish this that I'm not thinking of?
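The "access-lists from Netflow data" option in the post can at least be bootstrapped mechanically. The following is an added example, not from the post or any vendor: it aggregates constructed NetFlow-style records into segment-to-segment (protocol, port) pairs, drops intra-segment flows and one-off flows below a packet threshold, and renders an IOS-style extended ACL with explicit permits followed by a logging deny. The segment names, subnets and flow records are all constructed for illustration.

```python
"""Derive a default-deny inter-segment ACL draft from observed flows.

Added example for the segmentation scenario above (constructed data, not a real
export). Output uses IOS extended ACL syntax; adapt for other platforms.
"""
import ipaddress
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Assumed segments; the post names none. Subnets are documentation ranges.
SEGMENTS = {
    "CORP": ipaddress.ip_network("10.10.0.0/24"),
    "DEV": ipaddress.ip_network("10.20.0.0/24"),
    "BUILD": ipaddress.ip_network("10.30.0.0/24"),
}

# Constructed NetFlow-style records: (src_ip, dst_ip, proto, dst_port, packets).
SAMPLE_FLOWS: List[Tuple[str, str, str, int, int]] = [
    ("10.10.0.15", "10.20.0.5", "tcp", 22, 120),     # corp -> dev ssh
    ("10.10.0.22", "10.20.0.5", "tcp", 22, 80),      # same pair, second host
    ("10.10.0.15", "10.30.0.9", "tcp", 8080, 300),   # corp -> build web
    ("10.20.0.5", "10.30.0.9", "tcp", 443, 2000),    # dev -> build https
    ("10.20.0.7", "10.10.0.40", "tcp", 445, 1),      # single dev -> corp SMB attempt
    ("10.30.0.9", "10.10.0.40", "udp", 53, 40),      # build -> corp dns
    ("10.10.0.15", "10.10.0.40", "tcp", 445, 500),   # intra-corp, not this ACL's job
]

FlowKey = Tuple[str, str, str, int]  # (src_segment, dst_segment, proto, dst_port)


def segment_of(ip: str) -> Optional[str]:
    """Name of the segment containing ip, or None if it is outside all segments."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def aggregate_flows(flows, min_packets: int = 10) -> Dict[FlowKey, int]:
    """Collapse host-level flows to segment pairs. Intra-segment flows and
    anything outside the known segments are skipped; pairs under min_packets
    are dropped so a single scan probe does not become a permanent permit."""
    agg: Counter = Counter()
    for src, dst, proto, dport, pkts in flows:
        s, d = segment_of(src), segment_of(dst)
        if s is None or d is None or s == d:
            continue
        agg[(s, d, proto, dport)] += pkts
    return {k: v for k, v in agg.items() if v >= min_packets}


def render_acl(agg: Dict[FlowKey, int], name: str = "SEGMENT_POLICY") -> List[str]:
    """Explicit permits for every observed pair, then deny-and-log everything else."""
    lines = [f"ip access-list extended {name}"]
    for (s, d, proto, dport), pkts in sorted(agg.items()):
        sn, dn = SEGMENTS[s], SEGMENTS[d]
        lines.append(f" remark {s}->{d} {proto}/{dport} ({pkts} packets observed)")
        lines.append(
            f" permit {proto} {sn.network_address} {sn.hostmask} "
            f"{dn.network_address} {dn.hostmask} eq {dport}"
        )
    lines.append(" deny ip any any log")
    return lines


if __name__ == "__main__":
    print("\n".join(render_acl(aggregate_flows(SAMPLE_FLOWS))))
```

Two caveats a practitioner would apply before enforcing the output: the ACL is stateless, so return traffic needs either `established` entries or matching rules in the reverse direction, and the threshold only filters noise; every permit still needs a human to confirm it is a business flow rather than habitual misuse that happened to be high-volume. The `deny ... log` line is what turns the draft into a telemetry source for the flows the capture window missed.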



Are there online tools to simulate network device and server configuration?

I'm trying to learn more about networking by actually doing. Books and stuff are great but I want to get hands on experience but the reality is I can't afford to buy servers/switches/firewalls at home.

I am hoping to gain some command line/linux shell/windows server/etc.. skills.

Are there any online labs?

Sorry if this is a repeat question, I checked the search and didn't find much.



Teaming and VMQ issues with broadcom based network cards on Microsoft OS

We've had countless issues with poor performance, inconsistent performance and dramatic packet loss when using HP530T NICs (BCM957810A1008G) on Windows based OS (bare-metal) when using the teaming option. This has made the system team reluctant to use teaming and has been leading to bad architecture designs.

Microsoft rep says it's common knowledge that these Broadcom based chipset NICs experience issues under MS windows operating system. We've tried different teaming solutions within windows, we've tried different drivers and issues are never fully resolved on windows server 2008-2012-2016.

We've ordered Intel based Nics to see if issues will be resolved.

When the teaming is removed, all issues disappear.

We don't see any issue with the teaming when the cards are in a VMware ESX server.

It's been hard for the network team to help diagnose the issue as we don't have access to the servers and the system team has been reluctant to install Wireshark on the production servers that are experiencing the issue. The problems are also very intermittent. One of the main issues is the application crashing when creating a collection of VMs on Hyper-V based VDI.

Has anyone encountered teaming issues when using Broadcom chipset based NICs? Did you ever resolve it?



Can two SSIDs be part of the same network?

Can I have two SSIDs on the same subnet? For example, if I create two SSIDs that are each on the same x.x.x.x subnet, will that cause any issues?



No DHCP Requests from new NIC?

Hey All,

I just picked up two of these dual-gigabit port PCIe NICs on Amazon but I am unable to get either of them to work in Windows 10.

Running Wireshark, I can see DHCP requests being broadcast (https://imgur.com/SspbxmU) but I never see these hit the interface of the router or the switch at all. The only thing I see in tcpdump on the router is:

16:36:10.244452 00:13:3b:10:12:57 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 309: vlan 1, p 0, ethertype IPv4, 169.254.151.96.54915 > 169.254.255.255.54915: UDP, length 263 

Alas, I tried updating drivers, installing latest drivers, installing manufacturer provided drivers, enable/disable offloading, switch to 100Mbps FD/HD, port bouncing, rebooting multiple pieces of equipment, different ports, different cables, disabling primary network adapter -- the list goes on and on...

...but it still does not seem to be responsive to anything DHCP.

I've configured the interface statically in Windows and it STILL will not go anywhere.

I looked around online but it seems I am the only person in the world to be having this issue.

Any ideas what the issue(s) could be with this damn card or what I'm doing wrong?

Reason I got the card: connecting a second cable + third cable to switchports for different VLANs to run VMs in specific VLANs for labs.



Free Range Routing - Who's using it?

I've been doing a deep-dive into Free Range Routing (FRR) lately, it's been very impressive so far. I'm curious - who is using FRR in production? What're you using it for?

Happy Halloween!



FTTH and voice issues

Hello,

I will try and keep this brief so it's missing details, but I hope the gist of the post gets across.

I work at an ISP selling FTTH on a 100% fibre network (from router to core). The entire network is fibre, with voice services from an RJ11 phone port on our router for normal phone services. Calls made from an analog phone are routed to an Asterisk server on our network, then out to the carrier.

In one case, a customer was unable to see the SSID from the router (router was replaced but issue persisted). After an outage, the fibre from outside was replaced (fibre was cut) and now customer can see the SSID. In another case, replacing the fibre (fibre cut) resolved an issue with noise on the line when on the phone.

The problem is not being able to accurately troubleshoot these issues as there can be a lot of variables. With two identical connections (same switch, same drop-point, same router, same firmware, even the same phone), one might have crazy voice issues (DTMF and calls cutting out) while the other is perfectly fine. It's not to say that the actual fibre itself can cause these issues, but I do not have the knowledge to be 100% on this.

I'd like to know how much the actual transmission and frequency on the fibre actually affects customers. For example, how would a 0.10 dBm intermittency (both Rx and Tx) affect voice/data services? We have this kind of intermittency with some customers but zero issues reported.

If there's anything out there with info about fibre to analogue and voice/data, it would be great. I can't have fibre replaced to test this as management will question it, and I'd need more info before making the case. It might also be that I'm looking entirely in the wrong direction, but I hope /r/networking can advise me on that.



Replacing Nexus 7K line card with configuration?

After working with the nexus platform for some years, I just realized I never had to replace an active line card with configurations, so I hope you guys can answer my question with experience.

So we have an F3 line card with some of the interfaces allocated to another VDC that needs to be replaced since the current one is having issues.

What would be the most efficient way of removing the current line card and inserting the new with minimum down time?

I want to assume the supervisor will keep the configuration for the line card, and when the new one is inserted it will just fall in line, but in the back of my mind I feel like I will need to manually copy over the configuration to the default VDC and the VDC with the allocated interfaces.

Thanks guys



Avaya switch PLC compatibility

We have some ~10-20 year old PLCs that seem to have trouble communicating with a new switch upgrade. We changed from the Avaya 4550 to the Avaya 4850, but we have been seeing some weird symptoms. Some of these PLCs will stop communicating at random times, until rebooted. I'm trying to get operations to reseat the ethernet connection to see if that can bring communications back.

After issues in production we reverted back to the old 4550's and see the issue go away. The devices don't disappear.

We aren't utilizing a majority of the security features on either of the switches, just RSTP on the edge ports. The old and new switches are configured basically the same.

My only thought is that this is a problem with auto-negotiation, so I turned it off and manually configured the port speeds, but the issue still remained. Most of the PLCs run at 10 half duplex, with some at 100 full. I've done a bunch of packet captures, and all I can see is that the devices stop responding.

Anyone have thoughts on this?



Director has given me a budget for a training session. What should I choose?

He offered this course, which looks pretty neat, but I'm just not super excited about cyber security, is this the wrong attitude?

https://www.sans.org/event/security-east-2019/course/intrusion-detection-in-depth

I was thinking about maybe taking an AWS course. I manage our AWS environments now, but could totally use a full on course.



Windstream as a 3rd string transit peer...

I know Windstream (Paetec/USLEC legacy) is not thought of highly... But I got a really great quote for a 10G circuit from their wholesale team. I would be using it as a 3rd string peer, so it's mainly for extra capacity if needed, extra redundancy, and some extra buffer space during a DDoS.

I know their BGP is terribly managed, so I would filter what they send me (partial routes, filter <= /24). I've heard they let customers announce anything, and do little internal filtering; they even allow /28s and crap like that, etc.

Is this circuit a potential hidden nightmare? It would be on a 2 year term. Legacy-wise, I believe it's running on Cavalier fiber - that's the legacy footprint Windstream acquired in my telco building.



Remote Desktop Connection vs Domain/Local Desktop?

Hey guys, I hope I'm in the right place for this question.

So, I just moved over from a very large investment bank to a private investment firm. The tech situation here seems kinda out of whack and really inefficient. Let me explain the differences between the two (from my limited knowledge of networking):

At the bank:

We would be able to sign on directly into our machine and all of our desktops/apps were used from that local sign in. I know it wasn't Windows per se but something else. Also our local IT guy was able to add and remove programs and permissions remotely and (if necessary) take direct control of the computer and move the mouse etc. We would also be able to sign into any computer on the network in our office.

At investment firm:

We are a MUCH smaller company here, no more than 10 full time staff. Win 10 is installed on all the machines. However, we sign onto our local machines and then do much of the work on a remote desktop connection which we sign on to on a locally hosted server. However, there are always tech hiccups with this and constant out of sync issues (devices disappearing, settings reset, etc.). Also our desktops are all following the same folder path: C:\Users\Public\Public Desktop

TLDR My question comes down to this: What would the program we used at the bank be, and can a more streamlined (but economical) version such as that be used here at the firm?



Meraki Vendor in Hong Kong (or able to ship to HK)

(x-post from /r/meraki)

We've been having a hard time finding a networking vendor in Hong Kong that sells Meraki equipment, or an international vendor that is used to shipping into HK.

We tried purchasing some MR53s locally in the US, configuring them, and sending them to our office in HK, but they were seized by HK customs and it's taken a month to get them even returned to sender.

Any advice would be appreciated.



Avaya ERS-4548GT CLI cmd to set DefaultVlanID?

Hi Redditors,

I have been having a few issues with our Avaya stack GUI so I'm limited to the CLI at the moment. I am looking for the command to set the DefaultVlanID for a specific port on the switch.

Note: I have already added the port to the VLAN membership; all that's left to do is actually set the DefaultVlanID for the port. A screenshot of the GUI tab for this is below (the GUI is inaccessible for the stack I am currently trying to make this change on; the screenshot is from a different stack which is identical).

https://imgur.com/a/uSxgihD



EIGRP with HSRP

Hi all, I'll try not to make this too long. We have two 7706 Cisco Nexus cores running vPC and HSRP on layer 3 VLANs as well as EIGRP running throughout our environment. We have an ISR 4k connected to both cores in a layer 3 port-channel. What is happening is the router connected to the cores is choosing Core B as the best path to get to other networks via EIGRP lowest metric. However, Core-B is the standby HSRP member for most of our VLANs including the one that is the gateway for the port-channel to the router. Core-A has a higher metric in EIGRP to get to the remote networks but is active HSRP member for most members.

This is seen when I do a traceroute from the router to another network. I can see the first hop as the Core-B standby HSRP address (not the VIP). My question is... is this a problem? I think everything is routing as intended but more curious if by design I should have my EIGRP primary path and HSRP active line up together?

Thanks in advance.

David



One way Packet lost between ASR 9k and HP switch

Hi, I'm having an issue with packet loss between two devices point to point. HP to ASR has no packet loss, but when pinging from the ASR 9k to the HP I have a consistent loss of 7 packets out of 1000; when using a smaller datagram size of 400 there's no packet loss. Both devices are connected via fiber optic. I tried replacing the cable, and likewise moving to another port, but got the same result: 7 packets lost when using a size of 1500.

Verification:

Both support a higher MTU value, running hardcoded full duplex/100, no interface errors/drops, normal CPU and memory.

No filtering or QoS applied on the interface.

Any input about this?

Thank you



Tp-link router slow

I pay for 250 Mbps internet from Comcast, and I have a TP-Link AC1200 router, which I have had for about 4 years. I was noticing that my internet speeds were slow, somewhere in the 10-50 Mbps range using a speed test, even over wired. So I contacted Comcast. They had me plug directly into the modem, and then I was able to get 250 Mbps. After I had had the router off for a bit and started using it again, my speeds were back to normal at 250, but in a few days they were down, and now I am somewhere within 50-150. Is there some lookup table filling up on the router? Should I flash open source firmware onto it, or just restart it every so often? Is there a better router brand that wouldn't go bad, even after many years of use?



Client VPN with Azure AD support and Microsoft Authenticator.

https://ift.tt/2EWfXVH

Receiving Spam calls from our Cisco Phone system

Hey guys, maybe you can help me with this one.

I've been receiving spam phone calls coming from our Cisco phone system. When I checked the logs from our phone system I see that a call came into it from the spam company and came out to my cell phone and several other numbers.

How is this possible? Is there a vulnerability somewhere I am missing?

Our design:

- 1 publisher at Data Center
- 1 Subscriber at HQ
- Voice Gateway at Data Center and at HQ, both with 2 PRIs each
- ASA at data center used specifically for VPN connected phones
- Subscriber and publisher communicate over MPLS



Multicast on l3 switch stub

So I've come to a wall that I seem unable to get over. I've got a network where multicast traffic is pushed over the DMVPN. What I am having trouble with is that I cannot seem to figure out how to get the phones on the L3 switch's network to join the multicast RTP stream. So the multicast server does reach the phones with text and it preps the phone, just no audio. I referenced this https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti_pim/configuration/15-s/imc-pim-15-s-book/imc_stub_routing.html as a guide to help me but it didn't work. Does anyone have an idea of where else I should look to solve this issue? As a reference, multicast traffic is pushed over the DMVPN and this L3 switch route is pushed as a redistributed route from the router it's connected to.



End of Sale and End of Life

Hello Everyone. Happy Halloween.

How normal is it to have EoL/EoS devices running in your infrastructure, some even playing the important role of critical device?

Currently, in my environment, we have a few ASA 5510-5585s and Cisco 4900/4948s. Ok that's a lie, it's more than a few. It's quite a lot. We're talking about an entire DC running off these switches. Has anyone worked in such a network where the purchase of new/supported equipment is resisted to the extent that they'd rather run off unsupported hardware?

Note that not everywhere in this network is bad but there is a crap ton of hardware like this that is EoL functioning as "Core routers".



Problems connecting to work network from home compared to other wireless networks.

Hello, I was recently hired for a company which provided me with a laptop and supports working from home on occasion. To connect to the internal work network, I must connect to the internet and use Pulse Secure.

For some reason, when connecting to my router (wireless or wired) from home, and then connecting via Pulse Secure, when I do a tracert on a work domain I get a 92.XX.XX.XX IP. After talking with my work, this is their 'external' gateway and has restrictions on what I can do. It will timeout trying to connect to databases, things like that.

If I hard wire directly into my Verizon modem and do the same tracert, I get a 10.XX.XX.XX IP, which is the correct internal gateway I need to use. I can do all my work with no issues this way.

I have a backup wireless router and tried it as a replacement for my main router, and saw the same issue on both. I even reset my backup router to its factory defaults and saw the same issue.

Lastly, I went to Starbucks and connected to their wireless network and got the correct internal gateway, so I believe that narrows the issue down to my router.

I'm a novice at best when it comes to networking and how DNS lookups work. Anyone have any suggestions on how to correct this issue?

Thanks!



Cisco per IP Policing

Hello Redditors,

I've got the following situation.

Currently we have a situation where we have sets of IPs (that change over time, getting bigger or smaller) that we need to police (rate-limit) when going through a specific interface; the catch here is that each IP must have a maximum bandwidth assigned (so we don't want to deal with shared values).

So, for instance we have:

1.- 10 IPs that must be limited at 10 Mbps each

2.- 50 IPs that must be limited at 30 Mbps each

Sometimes we have to move IPs from 2 to 1 or vice-versa, or just remove them altogether. We could achieve this using MQC, and we kind of do, but this means adding a class statement per IP, which is not something I want to do anymore (if possible). I'd like to have something like this:

    policy-map IF_AA_OUT
      class class_10_mbps
        match ACL_01
        police each IP to 10 mbps
      class class_30_mbps
        match ACL_02
        police each IP to 30 mbps

So adding, removing or changing bandwidth per IP would be a matter of just removing or adding entries to the ACLs. I've found something called flow micropolicer, but all the documentation refers to the Cisco 6500 (we need it to work on ASR1001-X and 7200), and also the documentation points that this can only be done in the ingress-direction, which won't work for us since we need to limit only outgoing traffic over one of the interfaces, not all.

Any help on this? doable? or stick at adding class statements per customer?
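Since the post says the per-IP class approach does work today and the pain is maintaining it, an added example (not Cisco's feature set and not the poster's config) that generates that configuration from the two tier lists, so adding, removing or moving an IP is again just an edit to a list. IOS XE MQC syntax is assumed; the policy-map name `IF_AA_OUT` mirrors the pseudo-config above, and matching egress traffic on the destination host is an assumption (pass `match_on="src"` for the other direction). The addresses are documentation-range placeholders.

```python
"""Generate per-IP egress policers as MQC config from tier lists.

Added example, not a Cisco feature: produces one ACL, one class-map and one
policer per IP, plus the commands needed to retire IPs that were removed.
IOS XE MQC syntax on an ASR1001-X is assumed.
"""
import ipaddress
from typing import Dict, List

POLICY_NAME = "IF_AA_OUT"  # assumed; mirrors the pseudo-config in the post
Tiers = Dict[int, List[str]]  # Mbps -> list of IPs in that tier


def validate_tiers(tiers: Tiers) -> Tiers:
    """Normalize addresses, reject non-IP input and an IP listed in two tiers."""
    seen: Dict[str, int] = {}
    clean: Tiers = {}
    for mbps, ips in tiers.items():
        if mbps <= 0:
            raise ValueError(f"bad rate {mbps}")
        clean[mbps] = []
        for ip in ips:
            addr = str(ipaddress.ip_address(ip))  # ValueError on garbage
            if addr in seen:
                raise ValueError(f"{addr} listed in tiers {seen[addr]} and {mbps} Mbps")
            seen[addr] = mbps
            clean[mbps].append(addr)
    return clean


def tag(ip: str) -> str:
    """Turn 192.0.2.10 into an identifier-safe suffix for object names."""
    return ip.replace(".", "_")


def render_config(tiers: Tiers, match_on: str = "dst") -> List[str]:
    """Full config: ACLs, class-maps, then the policy-map with a policer per class."""
    tiers = validate_tiers(tiers)
    acls: List[str] = []
    cmaps: List[str] = []
    pmap = [f"policy-map {POLICY_NAME}"]
    for mbps in sorted(tiers):
        for ip in tiers[mbps]:
            acl, cm = f"ACL_IP_{tag(ip)}", f"CM_{tag(ip)}"
            hosts = f"any host {ip}" if match_on == "dst" else f"host {ip} any"
            acls += [f"ip access-list extended {acl}", f" permit ip {hosts}"]
            cmaps += [f"class-map match-all {cm}", f" match access-group name {acl}"]
            pmap += [f" class {cm}",
                     f"  police {mbps * 1_000_000} conform-action transmit exceed-action drop"]
    pmap.append(" class class-default")
    return acls + cmaps + pmap


def removal_lines(old: Tiers, new: Tiers) -> List[str]:
    """Commands to retire IPs present in old but absent from new. An IP that only
    changed tier needs no removal: re-applying render_config() rewrites its rate."""
    gone = ({ip for ips in validate_tiers(old).values() for ip in ips}
            - {ip for ips in validate_tiers(new).values() for ip in ips})
    lines: List[str] = []
    for ip in sorted(gone, key=ipaddress.ip_address):
        lines += [f"policy-map {POLICY_NAME}", f" no class CM_{tag(ip)}",
                  f"no class-map CM_{tag(ip)}", f"no ip access-list extended ACL_IP_{tag(ip)}"]
    return lines


if __name__ == "__main__":
    tiers = {10: ["192.0.2.10", "192.0.2.11"], 30: ["192.0.2.50"]}
    print("\n".join(render_config(tiers)))
```

The validation step is the part worth keeping even if the generator is swapped for something else: an IP accidentally present in both tiers would otherwise silently get whichever class matches first. Before scaling this to the 60 IPs in the post, check the platform's documented limit on classes per policy-map and on policers per interface.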