Saturday, November 17, 2018

Becoming a network engineer

Sorry if this is in the wrong place, but would someone be able to point me in the direction of getting started on becoming a network engineer?



Experience with BigSwitch?

Hey guys,

Right now I am going through a datacenter redesign for our 2 DCs; my prime candidate is BigSwitch due to their OpenStack and Kube integrations, and their SDN model in general. Just wanted to reach out to the community to see if people have implemented a solution with them yet, what their thoughts on them are, and how they compare to their competitors, ACI, etc.

Thanks!



IPv6 Subnetting Question

Is there any reason I couldn't use a /80 subnet mask when subnetting IPv6? My professor tried telling me I couldn't because it's a rule or something, but I did the math and it all worked out. We didn't have the equipment on hand at the time to try it out, so I thought I would ask more people. My Google searching did not show me what I was looking for :(
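
The subnet arithmetic the post refers to, as an added example that is not part of the original post. The prefix used is a constructed one from the IPv6 documentation range; the point it shows is that nothing in the address format stops a /80 (the bit math works at any length), while the one real rule in play is that SLAAC with the usual 64-bit interface identifier only works on a /64, so hosts on a /80 need static or DHCPv6 addressing:

```python
import ipaddress

# Constructed example prefix from the IPv6 documentation range (not from the post).
PARENT = ipaddress.IPv6Network("2001:db8:1234:5678::/64")


def count_subnets(parent: ipaddress.IPv6Network, new_prefix: int) -> int:
    """How many new_prefix-length subnets fit in parent. Pure bit arithmetic:
    nothing in the address format stops you at /64 or any other boundary."""
    if new_prefix < parent.prefixlen or new_prefix > 128:
        raise ValueError("new prefix must be between the parent length and /128")
    return 1 << (new_prefix - parent.prefixlen)


def nth_subnet(parent: ipaddress.IPv6Network, new_prefix: int, n: int) -> ipaddress.IPv6Network:
    """Return the n-th (0-based) child subnet without enumerating all of them."""
    if n < 0 or n >= count_subnets(parent, new_prefix):
        raise ValueError("subnet index out of range")
    step = 1 << (128 - new_prefix)            # address span of one child subnet
    base = int(parent.network_address) + n * step
    return ipaddress.IPv6Network((base, new_prefix))


def same_subnet(a: str, b: str, prefix: int) -> bool:
    """True if two host addresses land in the same /prefix, which is all a
    router needs to decide whether a destination is on-link."""
    return (ipaddress.IPv6Interface(f"{a}/{prefix}").network
            == ipaddress.IPv6Interface(f"{b}/{prefix}").network)


def slaac_capable(net: ipaddress.IPv6Network) -> bool:
    """SLAAC (RFC 4862) with the usual 64-bit interface identifier (RFC 4291)
    only works when the advertised prefix is exactly /64. Longer prefixes such
    as /80 still route and still work with static or DHCPv6 addressing."""
    return net.prefixlen == 64


def summary(parent: ipaddress.IPv6Network, new_prefix: int) -> dict:
    """Collect the numbers a professor or a student would want to compare."""
    first = nth_subnet(parent, new_prefix, 0)
    last = nth_subnet(parent, new_prefix, count_subnets(parent, new_prefix) - 1)
    return {
        "subnets": count_subnets(parent, new_prefix),
        "first": str(first),
        "last": str(last),
        "hosts_per_subnet": first.num_addresses,
        "slaac": slaac_capable(first),
    }


if __name__ == "__main__":
    print(summary(PARENT, 80))
```

Running it shows 65536 /80s inside the /64, each with 2^48 addresses, and `slaac: False`; that last field is the "rule" the professor most likely had in mind.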



Replacement L3 switch

The company I work for has about a dozen of our 100+ locations connected with MetroE (instead of VPN). Most of these locations are radiology offices. The MetroE locations have between 100 Mbps and 1 Gbps connections and are currently running on 9+ year old L3 gigabit switches. I would like to have full L3 capabilities on the new switches, and I don't foresee the need in the near future to upgrade much more than a couple of ports to 10 Gb. The current switches are HP 2910al-24g and they rely on a Java web interface for config or a telnet/ssh session that seems to always think that there are too many people connected (when there are none). Command line config is a must and a GUI a nice to have. I could foresee running OSPF or possibly BGP on them with a few hundred routes in the near future, though the current setup is all static routing. We are not loyal to any particular brand, as the only other routing devices on the network are SonicWall TZ and NSa firewalls. Budget will probably be $3k or less per device, and it requires 24+ 1 Gbps ports and possibly a couple of 10 Gb ports (not required).

I would love to know what others would purchase with these requirements in mind.



Questions about OSPF and L2 to L3 migration

Hello everyone. Longtime reader, first-time poster. I need some help understanding certain things about OSPF and converting an existing L2 network to OSPF (at least partially at first). Everything below is based on using Cisco equipment and commands.

I have two buildings connected to each other with single-mode fiber (4 strands).

One building is running a 4500X and the other a newer Cat9500. They are spanning VLANs to each other via port-channel. Right now the plan is to gradually migrate specific VLANs over to the Cat9500 and add some new ones that don't exist on the 4500X side.

Then connect the two sites via a single OSPF area and let the SVIs in each building do inter-VLAN routing. When they need to access a different VLAN/network that is at the other building, they will use OSPF. The goal is to end up with only L3 between sites.

All SVIs are on the 4500X; it's the core of a small network. I want to move two VLANs over to the Cat9500 and remove them entirely from the 4500X. Right now all the VLANs that need to move to the 9500 exist at both locations. There are some devices already using those VLANs at both locations (we will be removing VLANs as we move devices off them at one location).

Since we still have devices that span both buildings, I want to first migrate the SVIs out to the Cat9500. I cannot use one of the fiber pairs for a new L3 interface, and I cannot break the existing PO between buildings. I plan to create a transport VLAN on the PO for OSPF between the 4500X and the Cat9500 to connect them via SVI. I understand the concepts, and I am pretty sure about the configs.

My first goal is to connect a network that only exists on the Cat9500 to the 4500X via L3. It has an SVI set up with HSRP working without issue on the Cat9500.

My concern is first, if I enable OSPF on both sides, will that somehow interfere with the existing inter-VLAN routing going on between all the SVIs on the 4500X?

Also, like most people, I have a static route on the 4500X (where all the SVIs live) pointing to a firewall for the internet and DMZ. The DMZ gateways exist on the firewall interface.

If I enable OSPF, will I have to add default-information originate so the existing inter-VLAN routing doesn't get messed up when it tries to get to the internet? Or does that only affect routing going through OSPF, not the existing SVIs?

This is a small network, so I will be enabling OSPF on an interface basis using "ip ospf process-id area area-id" on each SVI and a loopback, and I will also be running all interfaces as passive by default. The only networks that have OSPF are the two SVIs (for now).

Will OSPF automatically learn the networks and SVIs that already exist on the switches without my specifying them? If I add new VLANs and new SVIs, do they automatically become known by each side?

Also, since the DMZ network has a VLAN provisioned but the gateways exist on the firewalls, I assume OSPF will have no knowledge of the networks without either the firewall joining OSPF or simply having the static route catch it. In those cases, I assume I use the same default-information originate for those DMZ subnets?

The end game plan is, once all the VLANs are moved over and everything is L3, to also enable internet access at the Cat9500 building, so each building has its own internet connection.

I was planning on putting a static route at each building core (one at the 4500X and one at the Cat9500) pointing at the firewall at each site, hoping OSPF will ignore the other static route due to cost/distance and use the other if it's down.

I hope this made sense without a drawing and thank you very much for answering.



CCNA ebooks

I am currently studying for the CCNA using the CCNA Routing and Switching ICND2 200-105 Official Cert Guide, however I find them to be a bit cumbersome when travelling. Has anyone tried using various CCNA study books on a Ereader, such as the Kindle, and if so, how are the diagrams? Does anyone have any recommendations for CCNA books available on Kindle?



Fresh core stack of 3850's, fresh client access stacks of 2920's - how to get port-channel/lacp/lag and spanning tree to work nicely between them?

Hi,

This is my first time setting up stacks of core and client access switches, and I want to get it right.

What's the easiest way to connect two 10Gb ports from each HP stack to two 10Gb ports on the Cisco stack? If it were all Cisco I'd use port-channel active, but on the HP side I've seen talk of "trunk/trk", "bridge-interface", and "lacp". What's the best way to get them to play nice and have 20Gb throughput along with redundancy?

Also, I've read about so many different kinds of spanning tree implementations on both the cisco and HP side that I can't figure out which mode will work between them - any recommendations on the commands I would use on both the Cisco and HP side to make them play nice?

Thanks for any suggestions you have!



Doing BFD on Internet circuits

I’m looking for input from the crowd here. BFD on INET circuits: yay or nay?

I read in some other threads here that most providers will not even offer BFD on an INET circuit. Ours did. 300ms interval with 3x hold timer (so 900ms failover... hey, it’s still sub-second!)

My concern is that both of our circuits running BFD have flapped within one week's time after standing these connections up. One has flapped once, the other 2-3 times.

Are INET circuits just too noisy to run BFD? My concern is that prior to turning on BFD the one circuit was rock solid pretty much for a whole year.

A stable circuit should have its uptime measured in months, not hours/days. I'm worried that if it flaps too much we'll get dampened or something and take a huge outage. Plus we have one app that hates flaps and has to be manually cleared out of a session table. Said app being down is pretty much a hard work stoppage.

It sounds like the decision should be easy: just have them turn BFD off and accept the 90-180 second failover time of typical BGP. Problem is not every member of the team agrees with that outcome.

Any advice?



Wrong BGP identifier

I have a Cisco router which runs iBGP and eBGP as AS 64512. This router peers with a router running as AS 64610. Config:

Router1

router bgp 64512
 neighbor 5.5.5.5 remote-as 64610
 neighbor 5.5.5.5 update-source loopback0
!
ip route 5.5.5.5 255.255.255.255 10.0.60.2

Router 2

router bgp 64610
 neighbor 1.1.1.1 remote-as 64512
 neighbor 1.1.1.1 update-source loopback0
!
ip route 1.1.1.1 255.255.255.255 10.0.60.1

iBGP works just fine. But for the eBGP I get "wrong BGP identifier".

Any ideas?



How does this connect to the internet?



How to automatically route to local DNS?

https://ift.tt/2AauXtF

Home ISP has started using Carrier-Grade NAT thus destroying port forwarding and setting up any servers on my PC.

https://en.wikipedia.org/wiki/Carrier-grade_NAT

Basically, it's a double NAT. Now, I have been reading about Port Control Protocol, which I have no idea whether my ISP would support as it's a relatively new one. And I don't have a router new enough to support it.

Is my only option reverse tunneling? Because the server which I have at home requires low-latency, high-bandwidth short bursts, and I am not going to get that from any free reverse tunneling service.

I am no network engineer or anything. Just a normal enthusiast. Any help would be appreciated!



Data Center Move - Order of operations and best practices

Hi and thanks in advance for ANY help or recommendations!

I've been tasked with forming a plan for moving our network devices from one data center to a new data center across town.

I've already ensured the new data center circuits have been turned up and tested (BER tests), so I'm not too concerned with that part. I'm more focused on exactly what order I should power down and then power up the network equipment in, and any gotchas or caveats I should look out for.

I have a relatively straightforward network, I just want another set of eyes for a sanity check as the applications and databases that we host have a LOT of moving pieces and many other people/departments will be waiting on me to bring up the network.

Quick network sketch

My initial plan was...

  • Power down 'B' side starting with Fex
  • Fabric Interconnect
  • N5k-b
  • ASA-b
  • MPLS router

Then power down the 'A' side in the same order...

  • Fex-a
  • Fabric Interconnect-a
  • N5k-a
  • ASA-a
  • internet router

At this point I'd move everything to the new data center and power up in reverse order...

  • 'A' side internet router, ASA, n5k, etc...
  • 'B' side MPLS router, ASA, n5k, etc...

Reading more about the vPC active-active scenario between the 5ks has me second-guessing my plan. Is there a better approach that I'm not thinking of?



A technical question about Cat6 cables (and probably many other types of twisted pair cables)

So, as I understand it, in a Cat6 cable we have four twisted pairs - positive and negative conductors for, let's call them, lines 1, 2, 3 and 4. My question is, how does the switching device (switch/router/whatever) decide what goes down each line (twisted pair) within the cable? Is it all just split up randomly and equally between them? How 'deeply' are they split, like do individual packets get split up or do packets always stay as a single piece?



Friday, November 16, 2018

Duplex vs BIDI

I'm setting up a temporary office, and the fiber infrastructure is old and falling apart.

I thought I had a pair of multimode fiber; when I did the site survey I found one of the strands is damaged.

I'll get the strand fixed eventually; however, in the short term I did some googling and came across BIDI.

Just curious why it is not more prevalent; I've even had trouble finding a single-strand multimode to UTP media converter.

As mentioned, I have zero experience with BIDI, but it sounds like an easy way to double your campus fiber. Since I haven't seen it used, though, that leads me to believe there is some downside or trade-off that is not apparent.

Would like to hear your experience.



Router or L3 switch recommendation

Looking for a recommendation. We're about to refresh some gear in our datacenter. We have an Aruba 5412R L3 switch that connects all our servers and other appliances. We plan to keep it in place. We're going to be putting in a new NGFW (Fortinet or Palo Alto) for the Internet stuff. We have 46 WAN-connected sites that pull data and Internet from our datacenter. Our datacenter is connected to the WAN at 100G (100G handoff to an AT&T Metro-E switch). Our 5412R does not support 100G (it does have 40G ports). It's also weak as an L3 router. It does basic L3 stuff, but does not have the features a dedicated router has. AT&T threw a curve ball at us a while back and forced us into a 100G handoff instead of the 40G we were planning to connect to our 5412R. At any rate, we threw in a 100G Fiberstore L3 switch to pick up the handoff to AT&T as well as act as our "core" router, as it had more traffic shaping and L3 features than the 5412R. It currently has a 10G connection to our existing Palo Alto 5050, a 40G connection to our 5412R and a 100G connection to AT&T. It's actually been working great, but we want something better in the long run.

All that said, we're looking at replacing the FS switch with something that will give us the capacity to grow over the next 5 years. At a minimum, we'll need a 40G handoff to the new NGFW (we plan to support a maximum of 30Gb/s of Internet traffic over the next 5 years), a 40G (or two 40G aggregated to 80G) connection to our 5412R and the 100G connection to AT&T. Since we have a lot more bandwidth leaving our datacenter than we have coming into the remote sites, it would be a bonus to have something that can do some advanced traffic shaping on VLAN or subinterface egress so we can control the traffic heading out to our sites. I know Cisco ASR and Juniper can do this. Juniper actually has a good explanation of what I'm talking about here: https://www.juniper.net/documentation/en_US/junos/topics/concept/cos-virtual-channel-security-overview.html. It also needs to potentially handle a bunch of policy-based routing. We currently run all traffic headed for the Internet through some in-line web filters. We may be moving to a cloud filtering solution. Clients using the cloud solution would be redirected around the in-line web filters. I tested doing this with policy-based routing rules on the Fiberstore switch. It works great when there are only a few clients in the ACL to process and set the next hop accordingly, but it just about crippled the switch when I tried to have it look at all the traffic coming from our 30k+ clients.

We've been kicking around the idea of consolidating the core routing and firewalling into a single device. We're still in talks with Fortinet, but the cost of putting in a Palo Alto solution that would satisfy the firewall and routing components costs about $500k more than a model that just does the firewalling. I'm having a hard time justifying the cost to do that.

So in short, I'm looking for an advanced L3 switch or dedicated router that has 10G, 40G, and 100G ports. We'll have less than 100G of sustained throughput running through it. Probably more like 50G or 60G max. Preferably a 1U or 2U device given we only need a few ports. I don't want to put in a huge chassis if there are other options.

I'm looking at the Juniper MX204 and Cisco ASR 9901. I'm a little worried that we may need more 40G or 100G ports on the 9901, but the 9904 may be overkill. Anyone running any of these?

Any other recommendations would be appreciated!

Thanks!



Ubiquiti EdgeRouter Lite Site-to-Site / VPN Connection to Symantec Web Security

I am attempting to create a VPN connection from my EdgeRouter Lite to Symantec's Web Security service, and I've been told that it should work but it isn't tested. I have tried a number of things, but there really aren't any good resources or walkthroughs to get the two connected. Does anyone have any good resources or some kind of documentation that may be helpful? Thank you!



Cisco 2911 VPN help

Hi folks! I'm in some fairly urgent need of assistance with an issue I'm having and I figured I'd post here and hopefully some of you can help a brother out. :)

So, I recently inherited a pretty scattered IT department for an SMB and the ISP had informed them months ago that they were closing down the subnet that their WAN IP was on. The ISP informed them of their new IPs and told them they needed to change them to avoid service interruption. Well, lo and behold, no one ever did anything with that info so last night, the ISP shut down that subnet and this morning, no internet. I spent a little time digging through the network trying to diagnose the issue and discovered what the problem was upon calling the ISP. I changed the IP out in the Barracuda firewall at the main office and everything was back online.

Now for the problem. We have an office in Canada that has a Cisco 2911 and there was an IPSec VPN tunnel between the Barracuda at the main office and the Cisco at the Canada office. Now that the WAN IP has changed on the main office, the VPN is obviously kaput. I know I need to go in and modify the VPN on the Cisco side to reflect the change in the IP, but I know absolutely zero about configuring Cisco gear without a GUI. I'm sure I'll take quite the flogging for being that guy that hasn't taken the time to learn Cisco yet. It's on my to do list, but in the meantime, I need to get this VPN back up asap. I imagine there are only a couple of simple commands to get this done, but I have no idea what they are. I've tried to read through the Cisco documentation for the 2911, but it really only gives details on setting up a VPN and it's all pretty confusing to me. I thought maybe someone might have a more simplistic way of explaining it that would help me get this done with a minimum of hair pulling and jumping about.

Thanks in advance for any and all help!!



Calculating 95percentile on Multiple Ports

I'm being tasked with implementing a 95th percentile billing report to start offering as a service to customers, but I have questions about the math involved.

This customer has 4 ports that will be in use but only one active at any time. If I add these 4 ports together and then 95% it, won't I come out to about 25% of the actual 95%? Or am I looking at this all wrong and all the 0's just average together as one 0?
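
The arithmetic behind the question, as an added example that is not part of the original post. The samples are constructed: four ports polled over twenty intervals, with exactly one port carrying traffic in any interval, as the post describes. The code computes the billing-style 95th percentile (sort the samples, discard the top 5%, take the highest remaining value) three ways: on the per-interval sum of all ports, as the sum of each port's own 95th percentile, and as the mean of the per-port percentiles. Only the first treats the four ports as one customer circuit; summing after the percentile overstates because the peaks never coincide, and averaging divides the result by the port count, which is the "25%" the post worries about:

```python
import math
from typing import Dict, List

# Constructed 5-minute samples (Mbps) for 4 ports over 20 intervals. Only one
# port carries traffic in any interval, mimicking the active/standby setup.
INTERVALS = 20
PORTS = ["Gi1/0/1", "Gi1/0/2", "Gi1/0/3", "Gi1/0/4"]
SAMPLES: Dict[str, List[float]] = {
    port: [float((i + 1) * 10) if i % 4 == p else 0.0 for i in range(INTERVALS)]
    for p, port in enumerate(PORTS)
}


def percentile_95(samples: List[float]) -> float:
    """Billing-style 95th percentile: sort ascending, discard the top 5% of
    samples, return the highest value that is left."""
    if not samples:
        raise ValueError("no samples")
    s = sorted(samples)
    idx = math.ceil(0.95 * len(s)) - 1     # index of the highest surviving sample
    return s[idx]


def aggregate_per_interval(samples_by_port: Dict[str, List[float]]) -> List[float]:
    """Sum all ports for each polling interval. Idle ports contribute 0 for
    that interval, so the zeros never dilute anything."""
    series = list(samples_by_port.values())
    n = len(series[0])
    if any(len(s) != n for s in series):
        raise ValueError("all ports must have the same number of samples")
    return [sum(s[i] for s in series) for i in range(n)]


def customer_95th(samples_by_port: Dict[str, List[float]]) -> float:
    """The right answer for a multi-port customer: aggregate first, then rank."""
    return percentile_95(aggregate_per_interval(samples_by_port))


def sum_of_port_95ths(samples_by_port: Dict[str, List[float]]) -> float:
    """Wrong approach 1: percentile per port, then add. Overstates when the
    ports are never busy at the same time."""
    return sum(percentile_95(s) for s in samples_by_port.values())


def mean_of_port_95ths(samples_by_port: Dict[str, List[float]]) -> float:
    """Wrong approach 2: percentile per port, then average. Divides the real
    figure by the port count, which is the '25%' concern in the question."""
    return sum_of_port_95ths(samples_by_port) / len(samples_by_port)


if __name__ == "__main__":
    print("aggregate-then-rank :", customer_95th(SAMPLES))
    print("sum of per-port 95th:", sum_of_port_95ths(SAMPLES))
    print("mean of per-port 95th:", mean_of_port_95ths(SAMPLES))
```

With these samples the aggregate-then-rank value is 190 Mbps (the second-highest interval, since 5% of 20 samples is exactly one discarded sample), the sum of per-port percentiles is 580, and the mean is 145. Collect the counters at the same instant on all four ports so the per-interval sums line up.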



Commissioning VoIP

Just wondering how you guys test an end to end VoIP system. We would have access to both ends, but the middle is provided by a service provider.

Do people just take the SP's word a service is provided?

What we were thinking of was:

  • Ping test
  • Test with StarTrinity at each end to get RTCP stats
  • Connect end systems and monitor with Wireshark via a SPAN port
  • Use analogue equipment at one end, loop at the other end, and get more in-depth MOS tests along with RTD of the end-to-end systems

What other tests are available? Would a soak test be of any use (bulk calling for a number of hours)?



RJ45 connector suggestion

What brand do you guys use for RJ45 connectors? Mostly 5e, some 6. Looking at Tyco, but they are kinda expensive.



Fiber Installations (Seeking info)

Hey All,

I am working on a project to get a few buildings on the same property connected via fiber. 3 buildings, max 50ft between buildings. I know the basics of fiber, and I can work with it, but I'm not very knowledgeable about new installs between buildings. I have two bids from two contractors: one is in the 30K range, the other in the lower 10K range. The bulk of the price for the 30K one is a conduit system.

My question here really is are there any good books, articles on fiber installation best practices. Conduit systems, advantages and disadvantages or things I should be considering.

Thanks!



MPLS | Pe to Ce static routing

Hi, is it possible to configure static routing only between PE and CE? From the PE, how can we install the static route into the VPNv4 table?

Tried creating a static route under the VRF, but it's not in the VPNv4 table.

Thanks



Firewall Event Logging

Looking for some input on firewall event logging. Today, we log every single flow (permit or deny) through all of our firewalls (~600). We overrun our management system in about 20 minutes (and it is very slow to search). What are other people doing in regards to firewall logging? I like to think that we are being a little ridiculous, but our ISO likes the ability to see every flow from a specific time for potential attacks. FWIW, we also push all of these logs to a cloud SOC. Does this sound pretty much normal?



Issue with new Cisco switches

Going through a refresh. Have new 2960 switches replacing older HP ProCurve ones. Replaced a backbone switch yesterday that was trunked with an uplink to a switch on a different floor. The uplink would not come up from Cisco to HP. Changed port on the HP and it started working, so I assumed it was the port on the HP that went bad at the wrong time. Went to replace that particular HP switch today, plugged the uplink into the existing 2960, and no activity whatsoever. No link lights, nothing. Plug back in the old HP, uplink comes right back up. Move the uplink around on the HP, it gets link lights on any port. Move it back to the new Cisco and no link lights on any port at all. Had to go back to the HP switch so the location could remain online for now.

Any thoughts on this at all? I tested all the uplinks between the new switches before ever trying to install them and they all worked fine. Have you seen Cisco switches be more sensitive to line issues? This building is old. At this point we are having a vendor come out to test the line and replace to rule the line out completely before we contact Cisco.



Netflow on L2 or L3 Interfaces?

I don't have a lot of Netflow experience. I'm setting up Flexible Netflow 9 on our new core switches (cat 9500s IOS-XE 16.9). What I've read says that you normally monitor the flows in the input direction of all L3 interfaces.

I've set it up on the L3 interfaces going to the rest of the network in the input direction. This tells me what's coming in from the DC, WAN, etc but it doesn't tell me what is going out from clients, etc off of that switch. Mostly access switches connected to clients.

The switch won't let me configure Netflow on the L3 SVIs and the rest of the interfaces are L2. So it seems my choices are to:

  1. Configure Netflow in both directions on the L3 (routed) interfaces going to the rest of the network or
  2. Configure it in the input direction on all the L2 interfaces as well

The problem with option 1 is that there are some L2 interfaces to the rest of the network that won't get captured.

What are the issues/downsides of Netflow on L2 interfaces? I know Netflow really is an L3 protocol so is it still able to look into the L3 packets traveling over an L2 interface?

Does it require extra processing that might eat up a lot of the CPU?

I've seen posts on how to configure L2 netflow on older switches, is this any better or different on new versions of IOS-XE?

Thanks! Any advice appreciated.



Nexus switch CoPP not allowing TFTP on in band management?

Trying to update the OS and can't do TFTP over in-band management. A co-worker says Control Plane Policing blocks this. Is there a way around this?



FreeRadius Error

After doing a fresh install of FreeRADIUS on my Ubuntu Server 18.04 using the command "sudo apt-get install freeradius", FreeRADIUS installs. Next I try to run "radiusd -x", but when I do this I get the bash error "bash: /usr/sbin/radiusd: No such file or directory". I am somewhat new to Linux; could someone tell me what this means and maybe how to fix it?

I am following this guide https://wiki.freeradius.org/guide/Getting%20Started if this helps anyone.



Broken pipe

Has anyone here gotten this error?

packet_write_wait: Connection to 192.168.1.1 port 22: Broken pipe 

I am starting to get this error when executing some show commands that generate a good amount of output. Good examples would be "show configuration", "show interface terse", etc. The output gets printed about 25% of the way, then the error appears and the SSH connection is cut.

This is on Junos. This only happens when I apply a control-plane ACL to the loopback. The filter doesn't have any kind of QoS or policing, just a simple allow for a list of servers and workstations to SSH to the nodes.

Any ideas?



IPSec Tunnel not coming up: Issue with ACL?

I'm trying to bring up an IPsec tunnel between a router and a bridge. I can see the IPsec tunnel configurations are up and running, but I think I have made a mistake in the ACL, and hence the encr and decr counters are still 0.

Can someone guide me on this?

Desktop(ETH0)-->(FE3 SVI)Router(FE4 WAN)-->(ETH0)Master Bridge(RF0)-->(RF0)Remote Bridge(ETH0)-->>Client.

Tunnel is between Loopback created on Router and RF0 Interface on Remote Bridge.

Configuration: https://pastebin.com/hfSQGpMu
Diagram:https://imgur.com/a/lBPECqE

SGLAB-C881K9#sh run
Building configuration...

Current configuration : 2043 bytes
!
! Last configuration change at 11:09:09 UTC Fri Nov 16 2018
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SGLAB-C881K9
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
enable secret 5 $1$bEYB$z5Jz9F7gED/aMzosGxRe01
enable password <Masked>
!
no aaa new-model
!
no ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C881-K9 sn FGL2101208A
!
username ssn privilege 15 secret 5 $1$2N/d$gqvkb2e6IZLUCEE5oVhG20
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 lifetime 3600
crypto isakmp key 4B0u7WnF6vFGSdy2QARJ0U09SaK1CvCW address 10.110.249.1
!
crypto ipsec transform-set bridge11f7d8 esp-3des esp-sha-hmac
 mode tunnel
!
crypto map TST local-address Loopback0
crypto map TST 10 ipsec-isakmp
 set peer 10.110.249.1
 set transform-set bridge11f7d8
 match address bridge11f7d8_ACL
!
interface Loopback0
 ip address 10.50.50.10 255.255.255.255
!
interface FastEthernet0
 no ip address
 shutdown
!
interface FastEthernet1
 no ip address
 shutdown
!
interface FastEthernet2
 no ip address
 shutdown
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 ip address 192.168.2.1 255.255.255.0
 duplex full
 speed auto
 crypto map TST
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
!
router rip
 network 10.0.0.0
 network 192.168.2.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip access-list extended bridge11f7d8_ACL
 permit icmp 192.168.1.0 0.0.0.255 10.110.193.0 0.0.0.3
 permit tcp 192.168.1.0 0.0.0.255 10.110.193.0 0.0.0.3 eq 20000
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password <Masked>
 login
 transport input all
!
scheduler allocate 20000 1000
!
end

SGLAB-C881K9# sh crypto ipsec sa

interface: FastEthernet4
    Crypto map tag: TST, local addr 10.50.50.10

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/6/0)
   remote ident (addr/mask/prot/port): (10.110.193.0/255.255.255.252/6/20000)
   current_peer 10.110.249.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.50.50.10, remote crypto endpt.: 10.110.249.1
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/1/0)
   remote ident (addr/mask/prot/port): (10.110.193.0/255.255.255.252/1/0)
   current_peer 10.110.249.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 12, #recv errors 0

     local crypto endpt.: 10.50.50.10, remote crypto endpt.: 10.110.249.1
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
SGLAB-C881K9#
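
What the crypto ACL in the posted configuration actually selects, as an added example that is not part of the original post and does not run on the router. It models Cisco extended-ACL wildcard matching for the two permit lines of bridge11f7d8_ACL and reports, for a given flow, whether it counts as "interesting traffic" for the crypto map. It also derives the SA selectors the ACL implies; they match the local/remote ident lines in the posted show crypto ipsec sa output, so the ACL was parsed by the router exactly as written (that output also shows no inbound or outbound ESP SAs at all, which is a different symptom from a flow being excluded by the ACL). The test addresses are constructed. One caveat for anyone copying that configuration: it contains the ISAKMP pre-shared key in cleartext, so treat the key as exposed and rotate it:

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Protocol numbers as they appear in the prot field of "show crypto ipsec sa".
PROTO_NUM = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}


@dataclass(frozen=True)
class AceEntry:
    proto: str                      # "ip", "icmp", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None     # only "eq <port>" on the destination is modelled


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is don't-care.
    Inverting a contiguous wildcard gives a normal netmask; ipaddress rejects
    non-contiguous masks for us, which is the only case this helper cannot model."""
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = str(ipaddress.IPv4Address((~wc) & 0xFFFFFFFF))
    return ipaddress.IPv4Network((addr, mask), strict=False)


def parse_ace(line: str) -> AceEntry:
    """Parse 'permit <proto> <src> <wc> <dst> <wc> [eq <port>]' (the subset used here)."""
    t = line.split()
    if t[0] != "permit":
        raise ValueError("only permit entries are modelled")
    src = wildcard_to_network(t[2], t[3])
    dst = wildcard_to_network(t[4], t[5])
    dport = int(t[7]) if len(t) > 7 and t[6] == "eq" else None
    return AceEntry(t[1], src, dst, dport)


# The two ACEs exactly as they appear in the posted running configuration.
CRYPTO_ACL: List[AceEntry] = [parse_ace(l) for l in (
    "permit icmp 192.168.1.0 0.0.0.255 10.110.193.0 0.0.0.3",
    "permit tcp 192.168.1.0 0.0.0.255 10.110.193.0 0.0.0.3 eq 20000",
)]


def is_interesting(src: str, dst: str, proto: str, dport: Optional[int] = None,
                   acl: List[AceEntry] = CRYPTO_ACL) -> bool:
    """First-match evaluation with the implicit deny at the end: True means the
    crypto map would try to protect this flow, False means it leaves in clear."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return True
    return False


def expected_sa_selectors(acl: List[AceEntry] = CRYPTO_ACL) -> List[Tuple[str, str, int, int]]:
    """One SA pair per ACE, in the shape 'show crypto ipsec sa' prints the
    ident lines: (local network, remote network, protocol number, remote port)."""
    return [(str(a.src), str(a.dst), PROTO_NUM[a.proto], a.dport or 0) for a in acl]


if __name__ == "__main__":
    # Constructed test flows: a desktop on Vlan1 talking to the far-side client range.
    for flow in (("192.168.1.10", "10.110.193.2", "tcp", 20000),
                 ("192.168.1.10", "10.110.193.2", "tcp", 22),
                 ("192.168.1.10", "10.110.193.5", "tcp", 20000),
                 ("192.168.1.10", "10.110.193.1", "icmp", None)):
        print(flow, "->", "encrypt" if is_interesting(*flow) else "clear")
    print(expected_sa_selectors())
```

Only TCP/20000 and ICMP from 192.168.1.0/24 to the four addresses in 10.110.193.0/30 are selected; anything else from that desktop (SSH, HTTP, a host at 10.110.193.5) bypasses the tunnel by design, so a ping from the router itself or from a host outside 192.168.1.0/24 will never raise the encaps counters.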



Selective Split Tunneling using Windows VPN RRAS / SSTP

Hi Folks,

I've been experimenting with the Windows built-in VPN client to replace Cisco's IPsec VPN client, which is no longer supported.

The feature I'm lacking (besides mobile device support) is selective split tunneling, or the ability to inject routes into a VPN client device.

My goal: all company subnets can be routed to/from a Windows SSTP VPN client, but public Internet access from the connected client does *not* go through the VPN tunnel.

The VPN client settings appear to be either route everything through the tunnel, or route only the one subnet that is assigned by DHCP.

Am I missing something here, or can anyone suggest a way of accomplishing this? It was very easy using Cisco, with an access-list defining the split-tunneling subnets.

thanks



Firepower - lack of multiple peer IPs in IKEv2 site2site

so..

Switched from 5525-X to 2110 boxes a year ago or so. So far things are okay-ish: pretty unstable site2sites for some time, but I think it's okay now after switching from IKEv1 to IKEv2. No clue why that would change anything, but I'm not too bright on firewalls; more of a wifi guy myself.

Anyway, now I'm trying to get some redundancy for my two branches who can't get a redundant circuit from the same ISP where they are located. Hence I need to support two peer IP addresses in the Firepower setup at the DC.

Cisco says that:

  1. IKEv2 will most likely never have multiple peer IP support.
  2. Route-based VPN isn't ready in 6.3 off the block, which would be where they would be able to support multiple peer IPs in site2sites.

Maybe I'm just a rookie and not too sharp on stuff like this. Can anyone give me some insight into why the lack of IKEv2 multi-peer support doesn't just get fixed? And 2. why the F*ck Cisco doesn't put some damn resources into FTD software development and get things flowing. I'm a bit puzzled at the moment.



Cisco 3750-X End of Vulnerability/Security Support

According to this announcement, our edge switches will stop receiving security updates next year.

Is this enough of a justification to replace the switches, or is having a restricted network management VLAN a strong enough mitigation?



AP location Maps - what do you use?

First time post for me. What do people use as AP location maps for site documentation? Do you use what is displayed inside tools such as AirMagnet or Ekahau? Visio, Word, or simple lists in Excel? We currently use Visio but are forever being pushed for faster project completion times to drive the man-hours down.



Thursday, November 15, 2018

Nearly destroyed our network tonight

A few weeks back I posted asking a question about this, but in Packet Tracer. Tonight things in my class got a little crazy on actual hardware. I am aware that HSRP has to send hello packets to the other core device(s), and that should really be about it. Like, the other devices shouldn't receive the packets from the core devices, in this case 2 3560 switches. We tried to create an ACL to prevent traffic getting to our access layer, but instead we created 200,000 packets a second. HSRP is effective, but we were wondering how to stop it spamming the rest of our network with hello multicast packets. We are using older hardware, so some commands now do not exist on them.

I truly appreciate any and all advice on this situation.

Hardware: 2940, 2960, 3560, 3650, 2901



Oracle to Purchase Talari Networks

All I have to say is FUCK, there goes my excitement about doing a new SD-WAN deployment next year.

LINK



Specific routes not advertised to BGP peer?

Hi Guys, just want to ask what would be the reason why we are not advertising this prefix 1.1.16.0/24. Based on my interpretation of the RPL it should be allowed/passed because it has the community tag of "40:40" (CMIIW).

EDGE ROUTER:

sh ip bgp 1.1.16.0
  455 36.8.1.1 (metric 10) from 36.18.4.10 (36.8.1.1)
    Origin IGP, metric 100, localpref 200, valid, confed-internal, best, group-best
    Received Path ID 0, Local Path ID 0, version 3114343623
    Community: 40:40 30:30
    Originator: 36.8.1.1, Cluster list: 0.0.0.204, 0.0.0.114

neighbor 23.246.56.18
  remote-as 200
  description NETFLIX
  graceful-restart
  address-family IPv4 Unicast
    maximum-prefix 1000 75 30
    policy Standard-Peering-IN in
    policy NET_OUT out
    remove-private-AS
    send-community-ebgp
    soft-reconfiguration inbound always

route-policy NET_OUT
  apply PEER_OUT
end-policy

route-policy PEER_OUT
  if ((community matches-any CUSTA) or (as-path in ASPATH)) then
    apply DARD_OUT
  else
    drop
  endif
end-policy

community-set CUSTA
  40:40
end-set

route-policy DARD_OUT
  if (community matches-any ALL_CUSS) then
    pass
  elseif (as-path in PATH_10) then
    pass
  else
    drop
  endif
end-policy

sh rpl community-set ALL_CUSS
community-set ALL_CUSS
  91:10,
  40:40,
  31:5
end-set

We can advertise this prefix 122.65.1.0/24 successfully, and its attributes are similar to the other prefix which is not working.

sh bgp neighbors 192.168.1.1 advertised-routes | i 122.65.1.0
122.65.1.0/24 x.x.x.x x.x.x.x AS:AS

sh bgp neighbors 192.168.1.1 advertised-routes | i 1.1.16.0
NO OUTPUT

sh bgp x.x.x.x comparison

122.65.1.0/24
  760 760 10.28.24.10 (metric 10) from 10.28.24.2 (10.28.24.2)
    Origin IGP, metric 100, localpref 200, valid, confed-internal, best, group-best
    Received Path ID 0, Local Path ID 0, version 2342752258
    Community: 40:40 30:30
    Originator: 10.28.24.100, Cluster list: 0.0.0.204

1.1.16.0/24
  455 36.8.1.1 (metric 10) from 36.18.4.10 (36.8.1.1)
    Origin IGP, metric 100, localpref 200, valid, confed-internal, best, group-best
    Received Path ID 0, Local Path ID 0, version 3114343623
    Community: 40:40 30:30
    Originator: 36.8.1.1, Cluster list: 0.0.0.204, 0.0.0.114

Thank you... :)
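A quick way to separate "the policy drops it" from "something else stops it" is to replay the route-policy chain offline over the attributes shown in the post. The script below is an added example, not part of the original post or any vendor tooling: it models NET_OUT -> PEER_OUT -> DARD_OUT with the community sets exactly as posted. The AS-path sets ASPATH and PATH_10 were not included in the post, so they are assumed empty here; only the community branch matters for these two prefixes anyway.

```python
"""Offline re-evaluation of the IOS XR route-policy chain from the post.

Added example. It replays NET_OUT -> PEER_OUT -> DARD_OUT over the two
prefixes' attributes as transcribed from the 'sh bgp' output, so you can see
whether the policy text alone explains a withheld advertisement.
"""

# Community sets copied from the post.
CUSTA = {"40:40"}
ALL_CUSS = {"91:10", "40:40", "31:5"}

# AS-path sets were not shown in the post; assumed empty for this example.
ASPATH = set()
PATH_10 = set()


def matches_any(communities, community_set):
    """XR 'community matches-any': true if at least one community is in the set."""
    return any(c in community_set for c in communities)


def as_path_in(as_path, as_set):
    """Stand-in for 'as-path in <set>': match on the whole path string."""
    return as_path in as_set


def dard_out(route):
    """route-policy DARD_OUT as posted."""
    if matches_any(route["communities"], ALL_CUSS):
        return "pass"
    if as_path_in(route["as_path"], PATH_10):
        return "pass"
    return "drop"


def peer_out(route):
    """route-policy PEER_OUT as posted: gate on CUSTA/ASPATH, then apply DARD_OUT."""
    if matches_any(route["communities"], CUSTA) or as_path_in(route["as_path"], ASPATH):
        return dard_out(route)
    return "drop"


def net_out(route):
    """Policy attached to the neighbour in the 'out' direction; it only applies PEER_OUT."""
    return peer_out(route)


# Attributes transcribed from the 'sh bgp' output in the post.
ROUTES = {
    "122.65.1.0/24": {"as_path": "760 760", "communities": ["40:40", "30:30"]},
    "1.1.16.0/24": {"as_path": "455", "communities": ["40:40", "30:30"]},
}


def evaluate_all(routes=ROUTES):
    """Return {prefix: 'pass' | 'drop'} for every route under NET_OUT."""
    return {prefix: net_out(attrs) for prefix, attrs in routes.items()}


if __name__ == "__main__":
    for prefix, verdict in evaluate_all().items():
        print(f"{prefix:16} -> {verdict}")
```

Both prefixes come out as "pass", so the outbound policy as written accepts 1.1.16.0/24; whatever withholds it on the real router is outside NET_OUT. The only attribute that visibly differs between the two paths in the posted output is the cluster list (and the originator/next hop), which is where to keep looking.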



Unable to ping virtual interfaces on Foundry Super-X 800

Hi everyone. I'd appreciate some help with this issue. I have a Foundry FastIron Super-X 800 that I need to add four VLANs to. I have added them and assigned some ports, however I am unable to ping the virtual interfaces (ve's in Foundry/Brocade speak).

  • None of the ports have had real devices plugged into them yet, however on newer Brocade or Ruckus switches this wouldn't affect pinging the ve.
  • All of the physical interfaces are down, but not disabled.
  • If I try to use one of the new ve's as the source IP to ping something else, the switch returns 'inactive source IP address'. Other ve's can ping each other without issue.
  • I have manually enabled each of the new ve's but this made no change.
  • I have not reloaded the switch as it's difficult to get a maintenance window where I can do so. I've never had to reload a switch to be able to ping a ve before but if that's what I have to do, it's what I have to do.

I'm really baffled by this. Unfortunately the switch is old and out of support so I haven't had much luck from Ruckus. I am aware also that the software is quite old but as I mentioned getting a window to do this has proven impossible so far.

Config below. The non-responsive VEs are 110, 111, 112, and 120.

show running-config
Current configuration:
!
ver 04.3.00T3e1
!
module 1 fi-sx4-2-port-10g-module
module 2 fi-sx4-2-port-10g-module
module 3 fi-sx4-2-port-10g-module
module 4 fi-sx4-2-port-10g-module
module 5 fi-sx4-2-port-10g-module
module 6 fi-sx4-2-port-10g-module
module 7 fi-sx4-2-port-10g-module
module 8 fi-sx4-24-port-gig-copper-module
module 9 fi-sx4-4g-4f-port-management-module
module 10 fi-sx4-4g-4f-port-management-module
!
global-stp
!
!
vlan 9 by port
 tagged ethe 4/1
 router-interface ve 9
 spanning-tree 802-1w
!
vlan 10 by port
 tagged ethe 1/1 to 1/2 ethe 2/1 to 2/2 ethe 3/1 to 3/2 ethe 4/1 to 4/2 ethe 5/1 to 5/2 ethe 6/1 ethe 7/1 to 7/2
 untagged ethe 8/1 to 8/9 ethe 8/16 to 8/24 ethe 9/1 to 9/8 ethe 10/1 to 10/6
 router-interface ve 10
 spanning-tree 802-1w
 spanning-tree 802-1w priority 100
!
vlan 12 by port
 tagged ethe 1/1 to 1/2 ethe 2/1 to 2/2 ethe 3/1 to 3/2 ethe 4/1 to 4/2 ethe 5/1 to 5/2 ethe 6/1 ethe 7/1 to 7/2
 router-interface ve 12
 spanning-tree 802-1w
 spanning-tree 802-1w priority 100
!
vlan 13 by port
 tagged ethe 1/1 to 1/2 ethe 2/1 to 2/2 ethe 3/1 to 3/2 ethe 4/1 to 4/2 ethe 5/1 to 5/2 ethe 6/1 ethe 7/1 to 7/2
 untagged ethe 10/7 to 10/8
 router-interface ve 13
 spanning-tree 802-1w
 spanning-tree 802-1w priority 100
!
vlan 110 by port
 tagged ethe 6/2 ethe 8/10 to 8/15
 router-interface ve 110
 spanning-tree 802-1w
 spanning-tree 802-1w priority 100
!
vlan 111 by port
 tagged ethe 6/2 ethe 8/10 to 8/15
 router-interface ve 111
 spanning-tree 802-1w
 spanning-tree 802-1w priority 100
!
vlan 112 by port
 tagged ethe 6/2 ethe 8/10 to 8/15
 router-interface ve 112
 spanning-tree 802-1w
 spanning-tree 802-1w priority 100
!
vlan 120 by port
 tagged ethe 6/2 ethe 8/10 to 8/15
 router-interface ve 120
 spanning-tree 802-1w
 spanning-tree 802-1w priority 100
!
vlan 4000 name DEFAULT-VLAN by port
!
!
!
!
!
!
boot sys fl sec
default-vlan-id 4000
enable telnet password .....
enable super-user-password .....
hostname SX-800-MDF
ip route 0.0.0.0 0.0.0.0 10.1.100.2
ip route 10.1.10.0 255.255.254.0 10.1.100.3
ip route 172.27.104.0 255.255.254.0 10.1.100.3
ip route 172.27.106.0 255.255.254.0 10.1.100.3
ip route 172.27.97.0 255.255.255.0 10.1.100.3
ip route 172.17.74.0 255.255.255.0 10.1.100.3
(public ips redacted)
!
logging console
cdp run
fdp run
snmp-server community ..... rw
snmp-server group SNMP3 v3 priv read all write none notify all
interface ethernet 8/10
 link-aggregate configure key 10000
 link-aggregate active
!
interface ethernet 8/11
 link-aggregate configure key 10000
 link-aggregate active
!
interface ethernet 8/12
 link-aggregate configure key 10000
 link-aggregate active
!
interface ethernet 8/13
 link-aggregate configure key 10000
 link-aggregate active
!
interface ethernet 8/14
 link-aggregate configure key 10000
 link-aggregate active
!
interface ethernet 8/15
 link-aggregate configure key 10000
 link-aggregate active
!
interface ethernet 10/7
 no spanning-tree
!
interface ethernet 10/8
 no spanning-tree
!
interface ve 9
 ip address 10.1.9.1 255.255.255.0
!
interface ve 10
 ip address 10.1.100.1 255.255.254.0
!
interface ve 12
 ip address 10.1.12.1 255.255.255.0
 ip helper-address 1 10.1.100.26
!
interface ve 13
 ip address 10.1.13.1 255.255.255.0
!
interface ve 110
 ip address 10.1.110.1 255.255.255.0
!
interface ve 111
 ip address 10.1.111.1 255.255.255.0
!
interface ve 112
 ip address 10.1.112.1 255.255.255.0
!
interface ve 120
 ip address 10.1.120.1 255.255.255.0
!
!
!
!
lldp run
!
!
!
!
end

Any help is appreciated. Thanks!
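When a set of VEs misbehaves together, the first thing to check is whether they all hang off the same physical ports. The parser below is an added example, not the poster's tooling or anything from Brocade/Ruckus: it reads the FastIron-style "vlan ... by port" and "interface ve" stanzas and joins them, so each VE is listed with its address and the ports that have to carry link before the VE has anything to answer on. The embedded config is a condensed, constructed excerpt of the one in the post (modules, STP and LAG lines dropped); the VLAN membership and VE addresses are as posted.

```python
"""Map Foundry/Brocade router-interfaces (VEs) back to their VLAN member ports.

Added example. Parses 'vlan N by port' blocks (tagged/untagged port lists,
router-interface ve) and 'interface ve N' blocks (ip address) and joins them.
"""
import re
from collections import defaultdict

# Condensed excerpt constructed from the post's config (not the full running-config).
CONFIG = """\
vlan 9 by port
 tagged ethe 4/1
 router-interface ve 9
!
vlan 13 by port
 tagged ethe 1/1 to 1/2 ethe 6/1
 untagged ethe 10/7 to 10/8
 router-interface ve 13
!
vlan 110 by port
 tagged ethe 6/2 ethe 8/10 to 8/15
 router-interface ve 110
!
vlan 120 by port
 tagged ethe 6/2 ethe 8/10 to 8/15
 router-interface ve 120
!
interface ve 9
 ip address 10.1.9.1 255.255.255.0
!
interface ve 13
 ip address 10.1.13.1 255.255.255.0
!
interface ve 110
 ip address 10.1.110.1 255.255.255.0
!
interface ve 120
 ip address 10.1.120.1 255.255.255.0
!
"""

# 'ethe 8/10 to 8/15' or a single 'ethe 6/2'; the 'to' part is optional.
PORT_RE = re.compile(r"ethe (\d+)/(\d+)(?: to (\d+)/(\d+))?")


def expand_ports(line):
    """'ethe 6/2 ethe 8/10 to 8/12' -> ['6/2', '8/10', '8/11', '8/12']."""
    ports = []
    for slot, first, slot2, last in PORT_RE.findall(line):
        if not last:
            ports.append(f"{slot}/{first}")
            continue
        assert slot == slot2, "a range never spans slots on this platform"
        ports.extend(f"{slot}/{p}" for p in range(int(first), int(last) + 1))
    return ports


def parse(config):
    """Return {ve_id: {'vlan': int, 'ip': str or None, 'ports': [...]}}."""
    vlan_ports = defaultdict(list)
    vlan_to_ve = {}
    ve_ip = {}
    current_vlan = current_ve = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":                       # stanza terminator
            current_vlan = current_ve = None
        elif line.startswith("vlan "):
            current_vlan = int(line.split()[1])
        elif line.startswith("interface ve "):
            current_ve = int(line.split()[2])
        elif current_vlan is not None:
            if line.startswith(("tagged", "untagged")):
                vlan_ports[current_vlan].extend(expand_ports(line))
            elif line.startswith("router-interface ve"):
                vlan_to_ve[current_vlan] = int(line.split()[-1])
        elif current_ve is not None and line.startswith("ip address"):
            ve_ip[current_ve] = line.split()[2]
    return {
        ve: {"vlan": vlan, "ip": ve_ip.get(ve), "ports": sorted(set(vlan_ports[vlan]))}
        for vlan, ve in vlan_to_ve.items()
    }


def ves_sharing_all_ports(ves):
    """Group VEs whose VLANs have exactly the same member ports: same links, same fate."""
    groups = defaultdict(list)
    for ve, info in ves.items():
        groups[tuple(info["ports"])].append(ve)
    return {ports: sorted(members) for ports, members in groups.items() if len(members) > 1}


if __name__ == "__main__":
    parsed = parse(CONFIG)
    for ve, info in sorted(parsed.items()):
        print(f"ve {ve:<4} vlan {info['vlan']:<4} {str(info['ip']):<14} ports {info['ports']}")
    print("VEs that depend on exactly the same ports:", ves_sharing_all_ports(parsed))
```

Run against the full running-config from the post, it shows that VEs 110, 111, 112 and 120 are the only ones whose VLANs consist solely of 6/2 and the 8/10-8/15 LAG members, all of which the poster reports as down; the VEs that do respond each have at least one other port. That is the distinguishing factor to verify with "show interfaces brief" before planning a reload.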



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our member's new and shiny blog posts

Feel free to submit your blog post and as well a nice description to this thread.



DMVPN over MPLS: dual-hub, dual-isp, dual-ivrf, dual-fvrf

Hi all you smart networking people, I've got a good one for ya ...

This is a 3-tier DMVPN deployment:

  • Central Hubs: Dual-hub, dual-cloud (PE devices) at HQ, running MPLS/ISIS/OSPF/BGP (3 tunnels, 1 WAN)
    • 1 Global tunnel to Azure running MPLS over the tunnel
    • 1 MGMT VRF tunnel to spoke
    • 1 CUST VRF tunnel to spoke
  • Regional Hub: Single device in Azure (CSR), acting as a spoke for HQ and also a Hub for downstream spokes (5 tunnels, 1 WAN)
    • All Tunnels use tunnel vrf OUTSIDE which is an FVRF created to get rid of the global routing table. The outside interface sits in this VRF
    • 1 Global Tunnel to HQ running MPLS over the tunnel, no vrf forwarding
    • 2 Tunnels to the spoke(s) for each ivrf (MGMT and CUST) using vrf forwarding MGMT | CUST
  • Spoke(s): Dual-stack of ISR's, one acting the primary and one the backup using iBGP for failover between them (6 tunnels, 2 WANs, 4 VRFs). Also no global routing table. Each WAN interface uses vrf forwarding ISP1 | ISP2
    • 1 Tunnel with 2 NHRP maps to HQ via IVRF MGMT and FVRF ISP1
    • 1 Tunnel with 2 NHRP maps to HQ via IVRF MGMT and FVRF ISP2
    • The above are using different tunnel keys, NHRP auth, tunnel source and tunnel protection
    • 1 Tunnel to Azure via IVRF MGMT and FVRF ISP1
    • 1 Tunnel to Azure via IVRF MGMT and FVRF ISP2
    • Also using different tunnel keys, NHRP auth, tunnel source and tunnel protection
    • 1 Tunnel to Azure via IVRF CUST and FVRF ISP1
    • 1 Tunnel to Azure via IVRF CUST and FVRF ISP2
    • different tunnel keys ... blah blah
    • I have 4 isakmp profiles setup under 4 ipsec profiles - MGMT and CUST both have a primary and a backup and the shared keyword is being used on the tunnel interfaces, regarding which ipsec profile they need for protection. The isakmp profiles point to specific F/IVRF's to separate the VRF in the Phase II SA.
    • All tunnels in every location use RSA via in-house PKI

And here's the problem ...

The Spoke is using a cellular interface for ISP2 which is behind NAT. So I think "ok, well NAT-T is kind of ugly but works ok", so I go for it. Come to find out, Azure also does a static NAT in front of the CSR :(

I know it's a long-shot but does anyone know of a "trick" or something you've come across in the past?

I've turned on debug and find a few repeating offenders:

ISAKMP-ERROR: (1076):phase 2 SA policy not acceptable! (local 10.116.34.170)

ISAKMP-ERROR: (1076):IPSec policy invalidated proposal with error 32

ISAKMP-PAK: (1076):sending packet to x.x.x.x my_port 4500 peer_port 4500 (I) QM_IDLE

Any assistance is appreciated. I know it's kind of a cluster - I can send out configs if that would help.

Thanks, Guys & Gals!



Differences between C9300 C9200 and 3850?

We need about 480 GigE ports in the next couple months. I am curious about the differences between the C9300, C9200, and the old 3850.

We currently run 3850s and 2960s. My network engineer wants to buy more 2960s, but I am trying to push him to the newer stuff. I personally don't like 3850s as I've heard about and seen tons of bugs on those things.

We don't do anything too fancy, but we do use QOS features for voice, video, and Citrix.

Any quick thoughts or references I could read?



How much power for VoIP phones?

One of our business units is getting ready to deploy a VoIP phone system, and they want to buy new switches to power the phones. I'm trying to figure out which switches to buy, but the vendor (Panasonic) can't tell me how much power their phones draw.

The phones that are going to be deployed are Panasonic KX-NT511P and KX-NT543.

The quick start guide states that they "comply with the PoE class II standard". If I interpret the PoE wiki correctly, that means they draw less than 7 Watts.

Does this sound correct? How does one typically calculate PoE requirements for a PoE phone deployment?



Acquisition based companies - Rip, strip, replace vs integrate?

Curious what other companies' mindsets are about what to do with an acquisition's networking equipment (and general other IT equipment for that matter) when an acquisition comes along.

I just left a healthcare company that was heavily acquisition based; it went from 80 to 500 remote offices during my time there. Most of our acquisitions were large, 30-50 offices and others 100+. Normally we would try to integrate; due to the size it just wasn't feasible to replace 50 offices' routers/switches or PCs. We'd build a tunnel back and reimage the machines, and maybe have to learn a new platform in the process.

Well anyways, my new company, also an acquisition-based healthcare company, just absolutely refuses to integrate any tech that isn't their standard (Cisco) and replaces every PC. I've been on a few meetings already where they're discussing an acquisition and the cost for replacing all their gear is discussed with ops guys, and there's gasps and eye rolls when IT are answering their questions.

I've suggested integration strategies to my team, and that I even have experience with some of the techs we run across, but just get shut down: this is the way we do it, replace everything or they don't touch our network.

I'm all for standardization but I see plans to just dump even recently refreshed equipment just based on the standardization merit alone.



Networking knowledge for VMware NSX SE Interview

Hi,

so, I've been contacted by VMware and been doing a few rounds of interviews. Today I was told I will be contacted by some dude to kind of test my technical knowledge (just a talk) for an NSX SE position.

I know about networking, but I'm no expert in NSX, so I wonder what kind of networking knowledge is relevant to be a successful NSX admin (or SE), so I can prepare for that call?

Any pointers are appreciated!



Any good VyOS v18.x Courses/Material?

Vyatta Virtual Routing Appliance v18.x has quickly become the bane of my existence. Are there any good tutorials/courses that fellow redditors have come across that will help me better understand how to work with this device?



ADSL Circuits

My company took over about 125 sites in the UK recently and we've come to find out their network is being run through ADSL lines. Does anyone have experience with ISPs in the London area? Is this something that's normal over there? It's a nightmare trying to provide remote support and obviously they are having severe bandwidth issues with their point of sale systems/PCs.



Warehouse Freezer Wifi - Plz Help

Does anyone have a solution for a Wi-Fi system for an industrial-sized freezer? It is 180ft long by 120ft wide and 40ft tall with 4 rows of warehouse racking.

We have one AP with 6 antennas on it but the end rows don't get good signal.

We need a better system for the tablets to connect to. Also, the freezer is set to -10°F, so the new AP(s) would need to be able to handle the cold.



Corp firewall blocking openvpn on guest wifi?

Before calling my company's firewall group I'm trying to get my ducks in a row and understand why they may be blocking OpenVPN. I'm not sure if it's a something-isn't-configured-right issue or an OpenVPN security issue. Wanted to see if any u/* had input. Thanks



Anyone au fait with Azure networking? Need to default route all traffic down P2PVPN

I'm really struggling with this one, we have a very simple Azure setup, we're really testing the waters with it at the minute. However as we're a healthcare org we need to have all traffic passing through our on prem firewalls.

I can't seem to figure out how to force all traffic from the VMs created back down the P2P VPN. There is a single entry in a route table for all traffic 0.0.0.0/0 to 'Internet'; I can't delete this as it's in use, and any attempt at adding an additional route errors.

I've found guides on 'Force Tunnelling'

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-forced-tunneling#configure-forced-tunneling

but the cmdlets don't seem to be supported in the built-in Cloud Shell, which I find bizarre.

That said, there must be an easier / simpler way than mucking about in PowerShell!

Appreciate any advice and help!

Cheers

Rich



RIP ping is working but not traceroute?!

Hi everyone, can somebody tell me why sometimes ping is working and sometimes it is not, and most of the time traceroute doesn't work even if the ping works, especially when connecting to the internet router?

https://www.dropbox.com/s/aob6jlkk16l9vfn/tp_RESEAU.pkt?dl=0



How a Nigerian ISP Accidentally Knocked Google Offline



InterVLAN communications

Hey guys,

I’m troubleshooting a network problem here where two machines can’t ping/communicate. Looking at the switch configs basically this is an HP ProCurve setup with several VLANs set up by someone else.

It looks like this (minus all the listed subnets/VLANs and just the two I want to chat):

192.168.30.0/24  DEFAULT  Connected
192.168.40.0/24  V40      Connected
192.168.50.0/24  V50      192.168.30.1  Static

Desktop 192.168.40.X can’t ping 192.168.30.X because (based on my knowledge) they don’t know the other exists yet.

30 is our main group, 40 is the host that can't talk to servers in .30, and the .50 is there as an example of a static setup that I think means 50 can talk to 30 since they have a common gateway (correct me if I'm wrong).

My question is do I need to set up a static route from 40.X to 30.1 for them to communicate properly?



Issue adding static route to Cisco switch stack

Hi Guys,

I'm working on a 3750x stack trying to add an additional static route for a new subnet we've created at the remote end of a site to site VPN.

Below are some of the routes for the networks in the same office which work absolutely fine (with some info removed):

ip route vrf "office name" 192.168.150.0 255.255.254.0 "firewall IP" name "network name"

ip route vrf "office name" 192.168.180.0 255.255.255.0 "firewall IP" name "network name"

ip route vrf "office name" 192.168.181.0 255.255.255.0 "firewall IP" name "network name"

ip route vrf "office name" 192.168.182.0 255.255.255.0 "firewall IP" name "network name"

However, when trying to add the route for 192.168.183.0/24, after adding it the route doesn't appear in the routing table and isn't in the running config. Just wondering if anyone has come across this before; below is what I'm trying to add:

ip route vrf "office name" 192.168.183.0 255.255.255.0 "firewall IP" name "network name"

Any help would be really appreciated



BGP Inbound prefix filters

Out of curiosity, from a horsepower/resource standpoint... Say you wanted to limit the number of prefixes in your BGP table because your router can't handle anything above say 400k safely (Cisco 6500 Sup-720)... Say you do inbound prefix filtering, where you filter out anything larger than a /22. So take Cogent for example, they are 310k prefixes if you take partial routes; applying that prefix filter might reduce that number to say 190k. Let's say you do this same thing for 2 more peers on the router.

Every time there is an update and new data comes in and these ACLs are applied, is there a performance hit? Just curious as to how much hardware resource is needed to crunch those ACLs every time.



Exam tomorrow. Please give me time management tips for the exam.

Hi guys,

Tomorrow I am going to take the CCNA R&S exam (200-125)

I know it has all kinds of questions (1 answer, multiple answers, drag & drop, simulations, etc.)

My question is what is the best strategy for time management. I know that drag and drop and simulations give a lot of points. On the other hand, they are time-consuming and I might not have time left for the questions.

Which approach would you recommend? I feel pretty prepared for the questions, I feel OK about the simulations as well, but I spent more time on questions though.

Any advice will be highly appreciated!



is Cisco Meraki SD-WAN capable over Satellite connectivity?

Hello,

I've had some trouble finding any information relating to this question. I'm trying to determine if Meraki SD-WAN can be deployed on a network that has a branch with their WAN connectivity over a satellite link. Can anyone point me in the direction of resources/documentation that discuss this? My googling is bringing me up short and the Meraki documentation/support portal gives completely unrelated results when I search "satellite" in their search field.

Thanks for your time.



Is the lack of skilled engineers really true?

Listening to Packet Pushers Show 345 and I heard a familiar sentiment that there aren't enough skilled engineers available but an excess of people with superb resume fluff.

I hear networkers frequently say that they've interviewed people who don't know the port numbers/commands/protocols but have CCIEs. Part of me wants to believe it's hyperbole but the prevalence of the complaint worries me.

Would something like a union or association alleviate this? Where we have ranks that have been verified by experienced engineers? (Sorry if this topic has been beaten to death.)



Why is my transfer rate so slow? [Read Description]

Hello,

This has been irking me, and I've experienced this issue at many client sites. Essentially, I have had to transfer large data files (in the gigabytes) over the network and sometimes over the internet. During and after this process, my download speed gets policed to around 0.05 Mbps.

It becomes almost unusable. When I am at a client site, I often use my laptop so I connect wirelessly. Why is this happening? It is apparent to me that this is some kind of QoS setting on the firewall. It has seriously impacted my work performance. Anyone help?



Remotely Power On/Off PC From Abroad?

Hey guys,

I was just doing some research on this, and it would appear to be possible if you are on the same network? Am I understanding it correctly? My question is: can I do it from abroad? The ability to turn my PC at home on and off while I'm traveling.

Thanks!



ASA Utilizing Two ISPs (PBR) - Small Issue with AnyConnect

I've got PBR setup in order to utilize both of our ISPs simultaneously. I was hoping to set up AnyConnect so that users could connect inbound on either ISP (in the event that one ISP goes down for some reason).

My issue is that my secondary outside interface is unreachable from the internet. Example:

outside_1: 1.1.1.1

outside_2: 2.2.2.2

Gateway of last resort: 1.1.1.2

All outbound traffic works fine, but traffic (initiated from the internet) attempting to come in via outside_2 is dropped as it attempts to respond via the gateway of last resort, which is the gateway for the outside_1 interface. Ideally I should be able to ping either outside interface from an external location, but I can't seem to get that to work. Is what I'm doing even feasible?



Cisco Catalyst diagnostic commands gone?

Never ran into this before so not sure if there is something i missed with a code release.

Running: Catalyst 4510R+E , Sup 7-E,

Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500e-UNIVERSALK9-M), Version 03.10.01.E

I am trying to do diagnostics on a linecard. I can do a show diagnostics, but that's it. There are no diagnostic commands to run on-demand tests, or anything else. Is this an XE thing?



iPhone and iPad can't reach my own server

Hello, I recently set up a Synology DS218+ in my home network (Fritzbox 7590) and set up an ownCloud (ports 80/443/5000/5001 opened).

Now my Macbook, Windows 10 Laptop and Windows 10 Desktop can access the synology-server website, my owncloud and owncloud through the sync client.

But the iPhone X and iPad can't reach the server. Neither through Safari nor by app.

In the logfiles (ownCloud) I clearly see the MacBook and Windows PCs connecting. But no such requests from the iPhone and iPad. Is there something special about the iPhone and iPad so that they can't connect to my server?

Thanks in advance <3



Cisco WLC 8.140 and AP groups

We currently have 5 BSSIDs in our wireless network. I have a secondary failover 5508 in another building over a single mode 10GB uplink. Our building is a manufacturing and assembly plant the secondary site is our division office space. That is the quick and dirty rundown.

We are fairly covered with enough APs but with the environment being lots of metal and 600V three phase hoist it’s a challenge to balance the over population of APs and too few. We have a collection of wireless clients from new tech to 10+ or older EOL devices.

I decided to prune some unnecessary BSSIDs with groups and one of our older devices (802.11b/g) AGV (automated guided vehicle) controllers are showing 20 of 26 online, some are out for repairs, but the server can only see 16.

After running multiple Angry IP scans on the subnet I see they are going up and down randomly but too fast for the WLC to catch it.

The APs they are limited to are not congested (30-40 clients). I turned on aggressive load balancing on the WLANs except the one the AGVs are on but in the RF Profile I can’t say no load balancing.

Am I double load balancing or is the RF Profile overriding the Aggressive settings?



SD-WAN, VeloCloud, CloudGenix, or Viptella?

SD-WAN, VeloCloud, CloudGenix, or Viptella?

Pros, cons, what does everyone think?

We like spinning up virtual boxes in velocloud equipment. Velocloud is also packet based, and we don't know if that's good or bad.



Cisco ASA VPN IKE Issue

Hello, I have just tried to replace a single ASA5520 with a pair of ASA5516s. To copy the config across, I literally just did a copy/paste from the running config; I did have to alter the interface numbers from 0/x to 1/x. Everything 'looks' the same. I made the swap and all seems well (I can get internet) apart from the site-to-site VPNs don't connect. It appears to be an issue with IKE versions. These are the related logs:

IP = x.x.x.x, Warning: Ignoring IKE SA (dst) without VM bit set

IKEv1 was Unsuccessful at setting up a tunnel. Map Tag = InternetRouting_map3. Map Sequence Number = 3.

Tunnel Manager has failed to establish an L2L SA. All configured IKE Versions failed to establish the tunnel. Map Tag= InternetRouting_map3. Map Sequence Number = 3.

IKEv1 was Unsuccessful at setting up a tunnel. Map Tag = InternetRouting_map3. Map Sequence Number = 3.

Tunnel Manager has failed to establish an L2L SA. All configured IKE Versions failed to establish the tunnel. Map Tag= InternetRouting_map3. Map Sequence Number = 3.

Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1. Map Tag = InternetRoutingmap3. Map Sequence Number = 2.

IKEv2 Doesn't have a proposal specified

It was always working with IKEv1, I only enabled IKEv2 to see if that worked. Both sides of the tunnels seem to have the same protocols.

I am wondering if something is wrong with the InternetRouting_map3 part, could that be something copied across that is incorrect?

Any advice much appreciated.



A few options for a network refresh

Hi there!

I am having a bit of a conundrum with our refresh project. I have looked into several options from Cisco to swap out our current 3750Gs and am having a hard time deciding between the 2960Xs or the 9300 Nexus series; we even had the Small Business Switches on the table as an option...

Essentially the requirements are quite simple; PoE for the desk phones which drop down to machines, 10G fibre between the desktop stack and the server stack (therefore stackable switches) and standardizing the models across the business as there are some odd ones here and there.

My biggest concern is the EoL on the devices as we don't get to do these hardware updates often. This year's budget allows me to get all the 2960Xs to cover the whole network, whereas the 9300 would need to be split between 2018/2019. I am also looking to get some professional help from the 3rd party suppliers in terms of config.

Do you guys have any recommendations or is there anything else I should consider?



ASA (Not FTD) on FX-OS, licensing message

I have an ASA, running as a logical device on FXOS. I am getting a warning at the bottom of my ASA code in the #show version, see below.

Serial Number: XXXXXXXXXXX
License mode: Smart Licensing
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited
Maximum VLANs                     : 1024
Inside Hosts                      : Unlimited
Failover                          : Active/Active
Encryption-DES                    : Enabled
Encryption-3DES-AES               : Enabled
Security Contexts                 : 10
Carrier                           : Disabled
AnyConnect Premium Peers          : 10000
AnyConnect Essentials             : Disabled
Other VPN Peers                   : 10000
Total VPN Peers                   : 10000
AnyConnect for Mobile             : Enabled
AnyConnect for Cisco VPN Phone    : Enabled
Advanced Endpoint Assessment      : Enabled
Shared License                    : Disabled
Total TLS Proxy Sessions          : 10000
Cluster                           : Enabled

***************************************************************************
*                                WARNING                                  *
*                                                                         *
*    THIS DEVICE IS NOT LICENSED WITH A VALID FEATURE TIER ENTITLEMENT    *
*                                                                         *
***************************************************************************

Within FXOS I am also getting an out-of-compliance message, see below.

Registration:
  Status: REGISTERED
  Smart Account: XXXXXX XXXXXXX
  Virtual Account: XXXXXXX
  Export-Controlled Functionality: Allowed
  Initial Registration: SUCCEEDED on Nov 15 XX XX XX XXXX GMT
  Last Renewal Attempt: None
  Next Renewal Attempt: May 14 XX XX XX XXXX BST
  Registration Expires: Nov 15 XX XX XX XXXX GMT

License Authorization:
  Status: OUT OF COMPLIANCE

What does all this shit mean, and do I need to get the status in compliance? If so, how? I don't need ANY good features off this ASA. I just need the basic license which comes with the box.



Telecom engineers of networking, what are your opinions of NFWare virtual CGNAT?

I'm looking for recommendations regarding virtual CGNAT. While we were searching, we found the NFWare virtual solution. We're also looking to try Juniper or Cisco solutions as well. However, we are on a limited budget and I find that NFWare prices are quite reasonable. Does anyone know anything about NFWare virtual CGNAT?



Wednesday, November 14, 2018

How to convince someone that SoftEther VPN is not Malware?

So we recently had a client bring an old server out of retirement (Windows Server 2008 R1, last patched in 2011), and connected it to the net so we had a portal into their Office for management etc.

Being that the server is so old, our Management software did not want to run and so I set up a Softether VPN to my PC so I could use my local management tools and send everything over the VPN. This worked great, until the next morning the Server is infected with Ransomware and now the blame is being put on SoftEther.

I've been using SoftEther for about a year and have never come across this, can I be sure that the Server was compromised by being out of date and not by the VPN server?

Cheers



Advice needed strange issue with ACL

Hi,

I need some advice.

I am having a strange issue with any ACLs I set up on a Cisco C891F-K9. I set up the ACL below to block ICMP replies and echoes on the WAN interface, but for some reason I am still able to ping 2.2.2.2 externally from the router.

I have tried the same thing with TCP port 22 for remote SSH access and it also won't block SSH. Is there something I am missing here?

!
interface Loopback0
 description # WAN #
 ip address 2.2.2.2 255.255.255.248
 ip access-group INET in
 no ip proxy-arp
 shutdown
!
interface FastEthernet0
 description # PE #
 no ip address
 duplex full
 speed 100
!
interface FastEthernet0.3002
 description # P2P PE VLAN #
 encapsulation dot1Q 3002
 ip address 1.1.1.1 255.255.255.254
!
ip route 0.0.0.0 0.0.0.0 1.1.1.2
!
ip access-list extended INET
 deny icmp any any
!
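Two properties of IOS access lists decide whether a snippet like this can work at all: an ACL is evaluated on the interface a packet enters, so an inbound access-group on a Loopback never sees traffic arriving from the WAN (here that traffic enters on FastEthernet0.3002), and a named extended ACL ends in an implicit "deny ip any any", so a list containing only deny entries blocks everything once it is on a real ingress interface. The linter below is an added example, not the poster's tooling or anything from Cisco: it parses the posted config (embedded here as a constructed copy) and reports both conditions, plus the interface that is administratively down.

```python
"""Lint where IOS access-groups are applied and what the ACLs they name contain.

Added example. Checks: (1) access-group on a Loopback (never matches transit
traffic); (2) ACL with only deny entries (implicit deny ip any any follows);
(3) ACL not applied on any routed, non-loopback interface; (4) shutdown interfaces.
"""
import re

# Constructed copy of the snippet in the post; in practice feed it 'show run'.
CONFIG = """\
!
interface Loopback0
 description # WAN #
 ip address 2.2.2.2 255.255.255.248
 ip access-group INET in
 no ip proxy-arp
 shutdown
!
interface FastEthernet0
 description # PE #
 no ip address
 duplex full
 speed 100
!
interface FastEthernet0.3002
 description # P2P PE VLAN #
 encapsulation dot1Q 3002
 ip address 1.1.1.1 255.255.255.254
!
ip route 0.0.0.0 0.0.0.0 1.1.1.2
!
ip access-list extended INET
 deny icmp any any
!
"""


def parse_blocks(config):
    """Split the config into (header, [child lines]) stanzas; '!' or a new top-level line ends one."""
    blocks, header, body = [], None, []
    for raw in config.splitlines():
        if raw.strip() == "!" or not raw.startswith(" "):
            if header is not None:
                blocks.append((header, body))
            header, body = (None, []) if raw.strip() == "!" else (raw.strip(), [])
        else:
            body.append(raw.strip())
    if header is not None:
        blocks.append((header, body))
    return blocks


def lint(config):
    """Return findings as (severity, message) tuples, in the order they are detected."""
    findings = []
    blocks = parse_blocks(config)
    acl_entries = {h.split()[-1]: b for h, b in blocks if h.startswith("ip access-list")}
    acl_use = {}              # acl name -> [(interface, direction)]
    ingress_candidates = []   # routed interfaces that can actually receive packets

    for header, body in blocks:
        if not header.startswith("interface "):
            continue
        name = header.split(None, 1)[1]
        is_loopback = name.lower().startswith("loopback")
        has_ip = any(l.startswith("ip address") for l in body)
        if has_ip and not is_loopback:
            ingress_candidates.append(name)
        for l in body:
            m = re.match(r"ip access-group (\S+) (in|out)", l)
            if m:
                acl_use.setdefault(m.group(1), []).append((name, m.group(2)))
                if is_loopback:
                    findings.append(("error", f"{m.group(1)} applied {m.group(2)} on {name}: "
                                     "loopbacks receive no transit traffic, so this ACL never matches"))
            if l == "shutdown" and has_ip:
                findings.append(("warn", f"{name} is administratively down"))

    for acl, entries in acl_entries.items():
        if entries and all(e.startswith("deny") for e in entries):
            findings.append(("warn", f"ACL {acl} has only deny entries; the implicit 'deny ip any any' "
                             "means it blocks all traffic on the interface it is applied to"))
        if acl not in acl_use:
            findings.append(("info", f"ACL {acl} is defined but not applied"))

    for acl, uses in acl_use.items():
        if not any(iface in ingress_candidates for iface, _ in uses):
            findings.append(("error", f"ACL {acl} is not applied on any routed ingress interface "
                             f"(candidates: {', '.join(ingress_candidates)})"))
    return findings


if __name__ == "__main__":
    for severity, message in lint(CONFIG):
        print(f"[{severity}] {message}")
```

On the posted config this reports the access-group on Loopback0, the deny-only ACL, the ACL not being on FastEthernet0.3002, and Loopback0 being shut down. The test below also feeds it a corrected variant (ACL moved to the sub-interface with an explicit permit appended) to confirm only the shutdown notice remains.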


Wireless Utilization Reports

Hello,

I am interested in hearing from the community as to what (if any) data is your org collecting for wireless traffic? I have been diving in to wireless so I built a few reports in Prime and would like to see if someone has any suggestions.

As of now, I am collecting channel utilization stats & maximum client count per AP. I get a daily report and this has allowed me to visualize some trends, such as some APs getting way more clients than others. Obviously this depends on several factors such as day/time, what group is near the AP, etc. I have also been able to correlate the number of clients with high channel utilization.

Still trying to work out my reporting skills in Prime so I don't have to manually filter out data in Excel.

I work for an enterprise in the financial services area and we are a Cisco shop with mostly 3702i APs and a 5508 WLC.

Thanks!



7962G VoIP

So I have this VoIP phone and it says "Auto-REG" in the top right corner of the screen and "Registering" in the bottom. The VoIP phone has an IP address and I'm able to ping it from my router.

Any ideas on how to get the phone to register? Call manager has the mac address and has verified it already.

Help please



Slow site to site speeds over ipsec tunnel?!

Both locations have 100Mbps pipes.

But transfers between them over an IPsec tunnel are only getting 2.5 Mbps both ways. Something is clearly wrong here. No throttle on the tunnels, and I've adjusted MTU. Any other suggestions that I could use to troubleshoot this issue?

Is the difference really just IPsec overhead? Both sites are using Cisco 1921 routers.



VG310 - upgrade automatic command

First time really messing with voice switches much and I am trying to upgrade the firmware on a VG310.

It doesn't use the "archive download-sw" syntax for firmware but instead runs with "upgrade automatic". No problem, it seems to work more or less similarly when using TFTP, with some enhancements, etc.

Here's what I don't get: so I run the command, it goes to reload, but when it comes back up I see that it's still running the same IOS. I check the flash and I see the new image there, but I don't quite understand why it's not using it.

I notice this in my config:

boot-start-marker
boot system flash flash:vg3x0-universalk9-mz.SPA.155-3.M6.bin
boot-end-marker

I ended up changing that line to reflect the new IOS, reloaded, and that worked. But I'm kinda scratching my head as to why the "upgrade automatic" didn't do it?!

Is this not a "default" statement to have? Or is there something else I'm missing? The docs lead me to believe that at the most an "upgrade automatic runversion" should put the new IOS in place if "upgrade automatic getversion" didn't, but that didn't work out either.



Velocloud needs new quality control

Time for a rant.

Whoever works in Velocloud's quality control department should be fired! (If anyone works there at all.) We've had nothing but bug after bug after bug after bug. Because Velocloud doesn't offer much in the way of being able to check logs, SSH to devices, etc., we have no way of troubleshooting or remedying. Basic features have bugs, features that are supposed to be one checkbox. Then they don't work and we are left troubleshooting by ticking and unticking said box, only to be told "Velocloud made changes by logging into device..." That's not helpful to me or my users!

Seriously, Velocloud, feel free to contact me. I'd love to help you set up a real testing department.



Choosing 10gbit NIC for 3 OS's

I'm upgrading my homelab from 1gbit to 10gbit.

I need help to choose a 2x10gbit NIC for

  1. FreeNAS 11.2
  2. Vmware ESXI 6.7
  3. Windows 10 v1809

I've already chosen the 10gbit switch, a Ubiquiti US-16-XG, which supports 12x10Gbit SFP+ ports.

I've narrowed it down to 5 options (all supporting the 3 OSes above):

  1. Intel X520-DA2
    1. Lifetime warranty
    2. No support for RDMA
    3. $415cad
  2. Mellanox Connectx-3 Pro (MCX312B-XCCT)
    1. 1 year warranty, I believe
    2. supports RDMA
    3. $300cad
  3. Addon Chelsio T520-CR-AO
    1. Lifetime warranty
    2. supports RDMA
    3. $320cad
  4. Chelsio T520-CR
    1. 3 year warranty, I believe
    2. supports RDMA
    3. $483cad
  5. Chelsio T520-SO-CR
    1. 3 year warranty, I believe
    2. supports RDMA
    3. $277cad

Yes, I'm in Canada.

I'm not considering:

  1. Chelsio T420-CR
    1. No support for Vmware ESXI 6.7 (latest supported is 5.1)
    2. Price will be the same as T520 for me, which has a newer generation ASIC
  2. Intel X710-DA4
    1. No support for Windows 10
  3. Intel X710-DA2
    1. No support for Windows 10

A couple of questions:

  1. I've heard that RDMA is much faster than a non-RDMA NIC like the Intel X520-DA2. Is that true? If so, then I guess the Intel NIC is out of the question.
  2. What's the difference between the Addon Chelsio NIC and the Chelsio NIC?
  3. What's better, the T520-SO-CR or the T520-CR? I've read the discussion and I think the T520-SO-CR is a better value.

Anyway, what should I choose?



Advice: Job offer

Seeking some advice about an opportunity that has recently been offered to me. Our local electric cooperative is rolling out a fiber internet solution to its customers. The initiative is backed by government funding to provide broadband to rural areas. After the interview I'm very interested but concerned about what all is involved. I get the feeling they aren't really sure what all is involved besides running some fiber. My experience is primarily supporting a manufacturing environment with several factories, 2 data centers and multiple branch offices. I wore most of the hats (routing, switching, wireless, ACI, security, etc.) and would say I mastered none of them. I suppose I'm scared of what it takes to start up something like this from "scratch". The ISP space is a bit of a black hole for me and a bit intimidating. I also come from a Cisco shop and this would be primarily Juniper. Any advice is welcome. Any gotchas I should consider?

Tldr. Have a job offer to help start a rural fiber service and I'm scared.



ACI vs. Juniper VXLAN fabric

We're planning to upgrade our DC networks, 6 DCs in 3 different cities. Dark fibers within city, 2x10G WDM/L2VPN between each city. We've been offered Cisco ACI (2x 9332 + 4x9180 per DC) or Juniper (2xQFX5200+4x5110/5120). Running mostly HCI stuff so no need for that many ports or SAN network.

We run our own MPLS network in the campus and between cities, currently the WDM/VPLS links are connected to our DC PEs (switches that don't support EVPN/MPLS) that handle all the routing in the DCs. Wondering if we actually need a device capable of doing EVPN/MPLS or could we just connect the current WDM/VPLS links to our DC switches and run our MPLS over that? And just run L3 between VXLAN fabrics. For Juniper we would need MX204 for DCI if we plan to do EVPN/MPLS.

Juniper is about 15% more expensive if we compare the switches only (Cisco price includes ACI controller and switches). Not sure what kind of routers we would need for ACI.

Any ideas or thoughts?



Help with FreeRadius.

I am looking for help to fully flesh out what I need in my network. I work for a telecom that wants to implement various servers across our network. What I have figured out so far is that we are going to run a FreeRadius server on an Ubuntu server. We want to have a GUI on the front end for the users to log into for account setup and informational purposes. We would also be interested in a backend GUI to FreeRadius. I am also unsure if I need a system like AD for FreeRadius; if so, what would you suggest? I have looked into some GUIs on Google like PacketFence, RadiusDesk, and DaloRadius. Are there others that I have not found? Open source is best; paid might be an option.



azure virtual wan

https://ift.tt/2DEv84y

Mushroom Networks and static route issues

Seems like these are pretty rare, as I can't find any forums online with experience with Mushroom devices. I'm having an issue with static routes and trying to bind target subnets to specific interfaces. Anyone have one of these and been successful in doing so?



Studying for ccnp

Hello,

My CCNA will be expiring in 1 year, and I would like to go for the CCNP switching route. Is there any study guide that is recommended? I have about 2 hours where it's really slow currently where I work. I would like to use these two hours dedicated to studying and wanted the most optimized study guide. Please feel free to give me any advice. Thanks!



Windows 10 nic teaming card

I know Windows Server allows NIC teaming, and some add-in NICs have software for teaming.

I put an older Intel PRO/1000 into a Windows 10 desktop to try out their software, but it's not compatible with Intel's software.

What cards actually have teaming software? I can't run Server on this workstation and don't have a 10G drop here. I'd buy an Intel card but not sure which one... it seems as though the Rosewill Dual Port RJ45 10/100/1000Mbps has software, but it looks to be 5+ years old.

Thanks



Concurrent up/down speed tests?

I'm switching ISPs next week and the new ISP warned me that even though their gigabit fiber links are symmetrical they do not have the ability to offer concurrent symmetrical gigabit speeds. This is the first time I've heard of it so I'm wondering how I can test this.

I currently have symmetrical gigabit fiber with CenturyLink and I'm not sure whether they support concurrent symmetrical gigabit speeds. Every speed test I can find will test download first, pause, then test upload.

How common is it to have concurrent symmetrical gigabit fiber in the US?

Short of starting one speed test, waiting for it to start testing upload speeds, then kicking off another speed test at the same time, are there any speed test sites that can perform upload/download tests concurrently at gigabit speeds? I know I could roll my own iperf solution, but I don't have another endpoint to test the connection from.



Question: Port-sec violations and dynamic MAC addresses not flushing from old port

2960X on 15.x, port-sec w/ max 5, using phone and desktop. Users at a site are moving things around, so I don't know the order of their operations. In one instance, a couple phones are moved to different switchports and those switchports go down. Shut/noshut does not fix it because they go down AGAIN as the MAC is still on the old port. We are only using dynamic and no sticky.

Today I checked the switch and port-sec had shut another port several days ago. I shut/noshut and it returned to normal, port-sec showing a new MAC. Obviously I don't know remotely what went on, but my general takeaway was that I did not know how mac address aging interacts with port-sec aging. We have no port-sec aging, and with the first experience my impression was that it would stick until cleared. With the second it was that it had flushed from either/both.

If anyone can speak to this and how they affect each other I would appreciate it.



Where Do You Store Your Documentation?

Hi /r/networking

I see a lot of posts on this subreddit about what to include in documentation and how diagrams should look etc, but I am wondering where people store their documentation.

Today a lot of people on our team spread information out over several different platforms we have, all of which have their own issues. This leads to there being no one common place to go for information and, worse, since it is such a hassle putting this information in different places, people usually just keep it on their own machines, making it useless.

Are there any recommendations people have for what they like using so far? It would be nice if the tool would allow "wiki" style posts that are searchable within the document and also allow external documents to be linked into the tool. Also, something with more enterprise support would be nice, as we are not sysadmins, so we like to stay away from maintaining systems by ourselves.



Software for PaloAlto PA-500

I recently got my hands on a PaloAlto PA-500 that I want to use in a ClearPass lab for integration. The problem is that I am not a partner and I don't have a valid support agreement for the firewall, and the current software on the PA-500 does not support CPPM integration. So I am in dire need of the latest software for the firewall. If any kind soul out there could help me with this, it would be greatly appreciated.



Question about loopback interface usage

My ISP gave me a P2P /31 subnet to use on our Cisco router, which I am able to configure on a physical interface, and also a public IP range. Would there be any downsides to configuring the public IP on a loopback interface?

We only need to use a single public IP to run a site to site IPSec tunnel.



Site to Site VPN Palo Alto to Watchguard?

Hi All,

I'm probably missing something here, but I need to create a site to site VPN with a Watchguard. I control the Palo, but for some reason phase 1 of the tunnel is not coming up!

I have done many VPNs on the Palo and know my way around them very well, but cannot work this out for the life of me!

The IKE and IPSEC profiles match exactly on both ends. The only thing that has not been established yet is the proxy IDs, as the local subnet to be used is not fully routable yet (just needs to be added to the MPLS, but ignore that for now). I would have expected phase 1 of the tunnel to come up at least!? I've tried using local and remote identifiers and not using them, but whatever I try nothing works.

Confirmed all transform sets are correct on both ends, all policies, encryption keys... but again I don't care about phase 2 yet, as I know that's not going to work till the 3rd party updates their local and remote LAN settings.... but come on, phase 1 should be working, man!!!

So, in order, I have created the IKE policy, IPSEC policy, IKE gateway, and IPSEC tunnel. I have checked, double checked and triple checked everything and can't work out where I'm going wrong. Really need your help. I can't find anything online that will help me, so as a last resort (should have come here first probably) I thought I would ask you fine ladies and gentlemen.

Has anyone set up a VPN from PA to Watchguard that can let me know if there's something different or special I need to use?



IETF Charter Decentralized Internet Infrastructure (dinrg)

https://datatracker.ietf.org/rg/dinrg/about/

The Decentralized Internet Infrastructure Research Group (DINRG) will investigate open research issues in decentralizing infrastructure services such as trust management, identity management, name resolution, resource/asset ownership management, and resource discovery. The focus of DINRG is on infrastructure services that can benefit from decentralization or that are difficult to realize in local, potentially connectivity-constrained networks. The objective of DINRG is to 1) investigate (understand, document, survey) use cases and their specific requirements with respect to implementing them in a distributed manner; 2) to discuss and assess solutions for specific use cases with a focus on Internet level deployment issues such as scalability, performance, and security; 3) to develop and document technical solutions and best practices; 4) to develop tools and metrics to identify scaling issues and to determine whether components are missing; and 5) to identify future work items for the IETF. Other topics of interest are the investigation of economic drivers and incentives and the development and operation of experimental platforms. DINRG will operate in a technology- and solution-neutral manner, i.e., while the RG has an interest in distributed ledger technologies, it is not limited to specific technologies and or implementation aspect. We expect DINRG to advance the state of the art with respect to fostering a better understanding of the merits and constraints of specific technologies with respect to the DINRG use cases.



Question about coax vs fiber

Currently we have about 20 users using laptops and voip phones. We are paying for 150 mbps coax but never get close to that. We’ve been experiencing packet loss with the voip and want to know if fiber would remedy that? Our ip rep said that 30mbps fiber would be about all we need. Have any of you experienced anything like this and if so, what speeds are required? I know fiber is supposed to be more dependable than coax, but is there a conversion of sorts?



Cisco Closes San Jose CCIE Testing, Open One in Texas

I would think that Cisco is cutting costs here by closing expensive locations and moving to cheaper cities. Cisco is less of a networking company these days and much more an enterprise IT company.

November 2018 - CCIE Lab Update

Cisco continues to evolve its certification and training portfolio — and the delivery platforms — to help our customers succeed. That’s why we’re adding a new, permanent CCIE lab in Richardson, Texas to our network of Cisco lab facilities located around the world. Research Triangle Park (RTP), NC and San Jose, CA will now become mobile test sites, adding to the 40+ plus locations we offer globally to provide candidates with convenient access to lab testing. We’ll continue to monitor the demands for labs and adjust delivery where necessary.

Link: Expert Certifications - Cisco - https://www.cisco.com/c/en/us/training-events/training-certifications/certifications/expert.html



Internet connection in a student apartment

Hello everyone

As this is my first post on this subreddit, and I do not have big knowledge about networking and computer programming in general, you can consider me a computer noobie :).

I'll sketch my current network status and the situation I live in: I live in a student studio in a big building together with 18 other students. There is a general modem, which is connected to all the studios via LAN. So if the students want to have WiFi, they should buy an access point (like 80% have done).

Now, my problem: when I wake up and I start my Macbook, and want to listen to Spotify for example, I do not have an internet connection. In order to listen to Spotify, I either have to turn off my internet on my macbook and turn it on again, or I have to renew the DHCP-lease in the advanced internet settings. I also have to reconnect my internet on my PS4 everyday, in order to play online.

Is there a way I can solve this problem? It isn't that big of a deal, but I would like to solve it anyway.

Thanks in advance!

William



[ISP] Cisco WAP Issue

I work for a small ISP and we are running into an issue with a WAP that we deploy for W-STBs. I wanted to see what you guys think/suggest for testing.


Issue: We have an ONT/NID on-site that we have the WAP (Cisco VEN501) hooked up to (Wired) and we have W-STBs (ISB7105) hooked up to the WAP. We are running into an issue where our customer sees a loss of signal on all W-STBs and when we look into the NID we are not seeing any leases for the W-STBs. The issue is not affecting the wired STBs. To fix the issue we are having customer reboot the AP and sometimes reboot the W-STBs afterward.


*The Cisco VEN501 is at the current up to date firmware: 20.2.59.9-NA. The Cisco VEN501 also only uses 5Ghz and supports up to 802.11n.


We have tried to recreate this issue in our lab by taking some of the affected APs/W-STBs from customers and putting them in the lab but have been unsuccessful. We think it is environmental/interference but we are starting to see more and more of the issue. We have tried to hook up 4+ WAPs that were affected and turned off the auto channel changing and put them all on the same channel as well as turned on other wireless networks around the WAPs to dirty up the wireless in the lab as much as possible and still can't recreate the issue.


Possible Fix: We have deployed a test unit (802.11ac, 1700Mbps) to a customer that was having the issue daily and it seemed to fix the issue (Going on 2+ weeks without issue). And we are more than likely going to replace the Cisco VEN501 but I still would like to know what the issue would be instead of just replacing it and not knowing.


What do you guys think?



Stop a Cisco AP switching to standalone mode?

We have an office which is experiencing intermittent connectivity issues with the WAN provider, site visit is scheduled for Friday.

In the meantime, whenever the office has a glitch the APs fail to standalone mode due to loss of connectivity to the WLC back at HQ. Is there a way to force them to stay in LWAPP mode?



Sales Engineers of /r/networking: Do you pretty much have Cisco licensing standards memorized, or are you constantly having to look it up?


Juniper QSFP+ PLR4 MTP to 4xLC SMF Breakout

Does anyone know if this works? I am thinking about doing this on EX4600 switches. However Juniper only lists QSFP+ breakout cables with fixed SFP+ modules on the cable which can only be used for short distances in a rack (like dac).

So I was wondering if the QSFP+ can be broken out to MTP using 3rd party optics like: https://www.fs.com/products/75300.html

And then split into 4 LC connector pairs of single mode fiber which can be connected to 4 different switches over long distances using a cable like this: https://www.fs.com/products/68048.html

So one question is does anyone have experience with the breakout in general and then especially using PLR4 for breakout to achieve long distances over single mode? Any practical advice why this is a good or bad idea? (if it even works)



Why do so many people here like PaloAlto firewalls?

Hello fellow network admins, I have a simple question and would like some opinions from you all.

I see a lot of heat on Cisco Firepower (and from what I have seen/experienced it is deserved) and most of the time someone will suggest going to PA. I wonder why?

For example, do you all realise that PA is not really 0-day protection? PA does not do store-and-forward (afaik their architecture is incapable of this). All files/malware without a signature will pass the firewall the first time. Their sandbox will evaluate the file and generate a signature within a certain time (PA claims 5 minutes) and will only protect against subsequent files of this type. In the meantime the original malware is already doing its thing in your network. (WildFire signatures.)

On top of that, they are not really cheaper than their competition... ;)

So, why?



Tuesday, November 13, 2018

Trunking Questions for DHCP Pools

I will try my best to organize my thoughts on this.

Brief Topology:

[ROUTER]------[S1]-------[S2]
               |  |        |  |
               v  v        v  v
              PC1 PC2     PC3 PC4

I am attempting to complete a packet tracer for class, and I am having troubles getting the IP addresses from my DHCP pools on my router to the second switch. I am able to get the first two PCs the proper IP addresses, however, when I attempt to acquire the IPs for PC3 and PC4, APIPA occurs and I am stumped. Can anyone assist me in troubleshooting this trunking issue?

Configurations to follow in comments



Multicast over IPSec

Is it possible to multicast to many sites each of which has its own site to site IPSec tunnel to the source site? I'm really looking for this to work on Juniper SRXs with no luck so far after much trial and error and no support contract. Any help would be greatly appreciated. Thanks.



Can someone help me understand BBR and CAKE (Details in post)

I use Linux, and I recently changed the TCP congestion control setting on my PCs to BBR [0][1]. I saw a noticeable improvement in downloads getting up to speed, and I think I have a good high-level understanding of how it works.

But I recently discovered CAKE [2][3] and I'm not quite sure where this fits in. It doesn't seem to be a congestion control algorithm like BBR, CUBIC or RENO. So what exactly is it? Does it do something similar, but on another network layer? Can I use BBR and CAKE together?

I'd really appreciate anyone's answers on this. I am not a network guy so please excuse my ignorance.

[0] https://cloud.google.com/blog/products/gcp/tcp-bbr-congestion-control-comes-to-gcp-your-internet-just-got-faster
[1] https://queue.acm.org/detail.cfm?id=3022184
[2] https://www.bufferbloat.net/projects/codel/wiki/Cake/
[3] https://lwn.net/Articles/758353/


Ping based tool

I can't seem to find a good tool to do this. We used to use Solarwinds Netpath, but we've moved completely away from Solarwinds as the return on investment wasn't worth it.

We have approximately 10 sites. These sites have Cisco switches on site mainly.

I'm looking for a tool that can run on a single Linux host, that will log in to multiple switches and then run pings from them. It needs to then be able to monitor packet loss and run actions based on the output. It would also be nice to have a web interface for monitoring (that builds pretty graphs or whatever).

For example, login to office5-switch1 and ping 8.8.8.8. If ping has more than 30% packetloss, run /usr/bin/notify.py.
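The check described in this post, as an added example that is not part of the original post: it parses the "Success rate is N percent (rx/tx)" summary that Cisco IOS prints after a ping, computes loss, and runs an action when loss exceeds 30%. The switch names, target and threshold are the poster's; the SSH transport is a pluggable callable, constructed here with sample IOS output so it runs offline.

```python
"""Poll Cisco IOS switches with ping and fire an action on packet loss.

Added example, not from the original post. The SSH step is left as a
callable so any transport (e.g. netmiko) can be plugged in; the sample
outputs below are constructed, not captured from real switches.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# IOS summarises a ping as e.g.
#   "Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms"
SUCCESS_RE = re.compile(
    r"Success rate is (?P<pct>\d+) percent \((?P<rx>\d+)/(?P<tx>\d+)\)"
)


@dataclass
class PingResult:
    switch: str
    target: str
    sent: int
    received: int

    @property
    def loss_percent(self) -> float:
        # Treat "nothing sent" as total loss rather than dividing by zero.
        if self.sent == 0:
            return 100.0
        return 100.0 * (self.sent - self.received) / self.sent


def parse_ios_ping(switch: str, target: str, output: str) -> PingResult:
    """Extract sent/received counts from IOS ping output.

    Raises ValueError when the summary line is missing, e.g. because the
    command was refused or the session dropped mid-command.
    """
    m = SUCCESS_RE.search(output)
    if m is None:
        raise ValueError(f"{switch}: no ping summary in output")
    return PingResult(switch, target, int(m["tx"]), int(m["rx"]))


def over_threshold(result: PingResult, max_loss_percent: float = 30.0) -> bool:
    return result.loss_percent > max_loss_percent


# Transport: given a switch name and a CLI command, return its output.
Transport = Callable[[str, str], str]

# Constructed sample output standing in for real SSH sessions.
SAMPLE_OUTPUT: Dict[str, str] = {
    "office5-switch1": (
        "Type escape sequence to abort.\n"
        "Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:\n"
        "!!!!!\n"
        "Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms\n"
    ),
    "office7-switch1": (
        "Type escape sequence to abort.\n"
        "Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:\n"
        "!..!.\n"
        "Success rate is 40 percent (2/5), round-trip min/avg/max = 12/14/16 ms\n"
    ),
}


def sample_transport(switch: str, command: str) -> str:
    return SAMPLE_OUTPUT[switch]  # KeyError for an unknown switch


def check_sites(switches: List[str], target: str, transport: Transport,
                max_loss_percent: float = 30.0,
                on_loss: Optional[Callable[[PingResult], None]] = None) -> List[PingResult]:
    """Ping `target` from every switch; call on_loss for each site over threshold.

    Returns the breaching results so a caller (or a test) can inspect them.
    """
    breached: List[PingResult] = []
    for switch in switches:
        try:
            result = parse_ios_ping(switch, target, transport(switch, f"ping {target}"))
        except (KeyError, ValueError) as exc:
            # An unreadable answer is worth a warning but is not measured loss.
            print(f"WARN {exc}")
            continue
        if over_threshold(result, max_loss_percent):
            breached.append(result)
            if on_loss is not None:
                on_loss(result)
    return breached


def notify(result: PingResult) -> None:
    """The post's action: run /usr/bin/notify.py with the site details."""
    try:
        subprocess.run(["/usr/bin/notify.py", result.switch, result.target,
                        f"{result.loss_percent:.0f}"], check=False)
    except FileNotFoundError:
        print(f"notify script missing; {result.switch} {result.loss_percent:.0f}% loss")


if __name__ == "__main__":
    for r in check_sites(list(SAMPLE_OUTPUT), "8.8.8.8", sample_transport, on_loss=notify):
        print(f"{r.switch}: {r.loss_percent:.0f}% loss to {r.target}")
```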



Isolate VLAN for Internet Only

So one of our remote sites is in the process of separating from our company. My boss is asking me to cut off that VLAN from accessing anything at HQ but make sure they still have internet and VoIP. I'm not sure what to do. The remote site has its own router and switch. The current connection is router on a stick back to HQ, I believe. Can anybody offer any help on where to start?



How to connect the virtual router in EVE NG to real physical computer irl?

The main question is the title.

For a back story and some explanations, I'm a newbie at networking and even more of a newbie at EVE NG, because I usually do configurations on real physical devices provided by my university for educational purposes. Now I'm starting to get into network automation, so I'm using Ansible. I want to try to configure many devices at once using Ansible, so that's why I'm trying to use virtual routers and switches in EVE NG. I need an SSH connection to the router to configure it with Ansible, but I don't know how to connect my computer to those virtual routers.

I tried searching for some tutorials on the internet, but the one closest to my need is to connect those virtual routers to the internet and set the IP config to DHCP. I need the IP address of the router too to configure it with Ansible.

I'm sorry for my bad English and my newb knowledge of networking, and sorry if this is counted as a low quality post or judged as not showing effort by the mods.

Thank you



“Cloud-based” firewalls?

I'm curious what other network engineers' thoughts are on this.

The company I work for provides ISP services to our clients. All of our clients are education based. We lease the fiber through a local company, connect them up to our ISP customer edge, do some routing, tada they have internet. ISP isn’t our primary function, we’re more an MSP, do it all place for expertise in IT for education.

Management is asking us if it were to be possible to have a firewall in our data center and connect our clients into it and host their firewall for them. It’d be multi-tenant separated by VDOM. We’d just tag the VLANs all the way down to the customer site just like the firewall were on their premise.

What are your thoughts on the idea?

I personally don't think I like it. I like the idea of a firewall on prem; it gives them more flexibility, and to me it feels more secure. We'd have to buy a super big firewall and lots of licenses, and I feel like it makes more sense to buy smaller firewalls to put on customer sites and manage them there.

What are your thoughts? I’d like to hear the arguments on this to see if my thinking is rational. Has anyone done this? Heard of this?



Rant Wednesday!

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!



WAF (Cloud or SaaS)

We are looking for a cloud hosted or SaaS solution for WAF services. We have some websites and applications which need L4-7 protection.

We cannot host it on azure because of some marketplace issue, also cannot host it locally since we don't have the necessary bandwidth.

I was considering FortiWeb or Pulse WAF?

Any recommendations will be welcomed.



ELI5: Wave internet

What makes wave internet different than a dark fiber or Metro ethernet? How does it work?



Stupid STP question

I'm trying to get this right in my head but I've read different articles which seem to tell me different things.

Does a device connected to a port in the blocked state still receive data? Does it just block all packets apart from the device physically on that port? Or does the blocked state mean nothing goes to whatever is there?



Getting in and out of China in the SD-WAN era

What is everyone doing to connect to sites in China these days? For all my non-China sites we're moving to SD-WAN over internet links, and planned to just keep MPLS at my sites in Hong Kong and the mainland (Through the SD-WAN Appliance) to hub and spoke the mainland to Hong Kong where it could hop on the internet SD-WAN to everywhere else. This worked for about a month until there was some big Expo and my VPN over the MPLS back to Hong Kong went belly up. We failed back to checkpoint appliances on both sides, which seem to use encryption that the great firewall is okay with. (Using SteelConnect and it just does pretty standard IPSEC over port 4500 by default, so it doesn't surprise me that it got blocked). We could also have just sent the data directly over the MPLS, but tend to try to build tunnels and encrypt if possible.

I'd probably leave it this way, but the next challenge is that the business management has heard of recent dawn raids on companies like ours in China and wants to get all the server hardware out of the offices. They feel as though putting all the Chinese data in a mainland region of AWS / Azure will at least keep them from having to worry about someone showing up and taking all the servers and killing the production lines until more hardware can be acquired, etc. Of course, since those regions don't talk to any non-mainland regions, it seems like I'd be routing my internal access to those things through my network in Hong Kong, through the mainland and over some China Telecom links to the AWS/Azure infrastructure.

Just curious what everyone else is doing to connect to China both for access to on premise networks and/or AWS/Azure, and experiences with MPLS Links in the country or even Aryaka.