Saturday, December 1, 2018

IP address suddenly changed from 192... to 144... and now it can’t connect via Ethernet. Pls help

I’m in Australia and we just got fiber/nbn. It was working for one day and now the IPv4 address suddenly changed to 144..., same with the gateway, but when I put that gateway into Chrome it doesn’t take you to the router. Even if you put in the original 192... gateway it doesn’t work. Any help would be appreciated.



Cisco C891F - Easiest way to duplicate config?

I need to set up a Cisco C891F for a new location (2nd office). The problem is it's above my head. However, I have a properly set up one already existing at another location for the same company (I directly work for this company). I am wondering if I can get familiar enough to download its configuration and apply it to the new one, or if anyone has some advice?

To give some backstory, I work for a quickly growing software company. The first C891F was installed prior to my employment. I set the second office up using Ubiquiti equipment and it's been fine, but the office is quickly growing and the network slowing down (this is where our developers work). They already have another C891F and are wanting to set it up. So having said that, I am wondering what my options/my company's options are. So far what I am thinking is...

  1. They hire another contractor to set up the 2nd one
    1. This is practical, but not ideal - worth noting that there are discussions of my company paying for my certifications but this doesn't help immediately
  2. Possible to put in enough time and research to learn enough to copy its configuration, upload it to the new one and make the necessary tweaks since it's for a different network
  3. Another idea from a generous person? :D

Happy to hear your thoughts & to answer any questions if you have any.



Moving away from a failing DSFW environment

Hey all,

I have inherited a failing DSFW healthcare environment and need to move away from it ASAP. The majority of our business critical applications have been moved to cloud based solutions, and there is no longer a need for the organization to hold on to failing equipment.

The current environment:

  • OES DSFW running on OpenSuse VMs
  • DHCP and DNS handled by OpenSuse VMs
  • Physical hosts are 3 years past end of life
  • Each campus has a primary internet circuit provided by Comcast or Verizon
  • MPLS circuit implemented for WAN connectivity, as well as redundancy in the event of a primary circuit failure
  • on-premise PBX for each site
  • ~350-400 end user devices and workstations across the organization.
  • ForcePoint/Websense is utilized for Web Proxy, filtering, email security, and file sandboxing

The DSFW, DHCP, and DNS servers are failing on a regular basis, and require constant monitoring and restarting of services to keep them up and running. The physical hosts are past due and I have some serious concerns regarding their health. Things are getting progressively worse and we need to make a move to a viable, safe and stable environment.

Our concept of moving forward:

We will be deploying Trend Micro Worry-Free as our end-user antivirus solution. As we roll out the software to each workstation, the workstation will be removed from the DSFW domain and brought into a simple workgroup environment.

Websense Endpoint Client will also be removed at this point, as users will have no means to authenticate to the Web Proxy without DSFW. This is okay because Trend Micro will fulfill the Web Proxy and Content Filtering role as well.

Also, during the roll-out workstations will be pointed to Google's DNS servers.

Once the roll-out of Trend Micro is complete and all computers are removed from the DSFW domain and brought into a workgroup environment, DHCP will be stopped on the OpenSuse VMs, and instead we will have our Cisco ASAs handling DHCP for each respective facility and subnet.

This will enable us to completely turn down the failing servers, and put us in a stable environment. The end result will be users logging in with a local computer account and authenticating to each one of their cloud applications independently.

This is a short-term solution. Obviously it is not ideal from an administration perspective, to have 400 devices in a workgroup environment spread out over a large geographical area. We will have 0 ability to centrally manage our users and devices until we implement a new Domain Environment.

I would love to just jump right into an Active Directory environment, and join the computers to a new Domain at the time of the Trend Micro rollout, but unfortunately we do not currently have the time or cash flow required to provision new physical hosts. So this implementation will have to happen at a later date.

My concept for the future implementation of a new Domain:

I am still on the fence about joining the workstations to a new Domain or keeping them in a workgroup environment, and utilizing some different solutions to centrally manage the devices, as all of our applications are in the cloud, as well as our file-sharing and email solutions etc.

But if I did implement AD, I was thinking of something like this:

Once we are able to we will spin up two new VMs for our AD DCs with DNS, and rejoin each computer to the new Domain. We will keep Trend Micro in place as our Web Filtering and Proxy solution.

DHCP will remain on the Cisco ASA for each site.

We are also moving away from the MPLS circuit and implementing an SD-WAN solution with hosted PBX.

What do you guys think of my plan? This is the first time I am taking on a project of this magnitude and I don't want to overlook anything huge.

Any comments, criticisms, or idea generating questions are welcome and much appreciated!



Connecting datacenters between US West Coast and India - Need advice

https://ift.tt/2zxnUf3

PeeringDB / Interconnect - Can someone please clarify

I have another post where I requested guidance to set up a Site-to-site VPN to connect two data centers between SF Bay Area and Chennai, India:
https://www.reddit.com/r/networking/comments/a1ckbf/connecting_datacenters_between_us_west_coast_and

I got some really good ideas on different ISPs to reach.

Here's a follow-up question.

I know there are these PeeringDB type of sites which show the networks that different ISPs / data centers peer with. Can I query a PeeringDB and figure out which data centers / IP transit points peer with each network, so that I can find the best route with limited hops to set up the interconnects at both end-points with minimal latency / hops? Isn't that one of the purposes of a PeeringDB or is my understanding just plain wrong? Would appreciate if someone can chip in.



Cisco ASA - Cisco Router (Site2Site VPN with routing all traffic to internet by ASA VPN server) Where to find how to ?

Hi, does someone have a link to a blog, YouTube video, etc. where I can find how to configure a site-to-site VPN between an ASA and a Cisco router where all traffic from the router will pass through the ASA VPN server?



How to lay and set up fibre optic internet?

I live in a rural part of the UK, and at my house we rarely get speeds above 1 Mbps. Right now I'm getting 0.58 Mbps.

Some houses near us are able to get fibre optic internet, but not us, as for some reason our house is connected to a different cabinet that only has copper wire going to it, and it doesn't look like there are any plans to upgrade anytime soon. It's really frustrating because it takes so long to do anything with such a slow connection.

I've heard of satellite internet, but it doesn't sound ideal either.

I read about the B4RN project a while ago, where a community got together and laid down their own fibre optic cables directly to their houses, and created their own ISP, which got me thinking about this.

However, I know very little on the subject and don't really know where to begin. I've done some reading online but so far it's hard to put it all together. So, could anyone advise me on where to begin with something like this? We have access to farming equipment, but I don't even know whether it would be easier to lay cables underground or overhead. Additionally, fibre optic cables wouldn't actually be necessary, since the other cabinet near me has fibre optic, if we could just get copper wire from it to our house it would suffice, but if we were going to do this, would it be as easy to install fibre optic? And would we even need to go as far as the cabinet - my neighbor a few hundred yards down the road gets 20mbps - would it be possible to just connect to the copper cable at his house?

I'm a newbie to most of this stuff, and I realise it's probably really expensive and likely impossible for me, but I'd appreciate any info or advice on where to start reading!



Network monitoring with grafana is super easy and free!

See an example I found in this video: https://youtu.be/xWnI3sHMbGI

I did not realize that beautiful graphs were that easy to create. Definitely trying it at work.



Are POE+ devices connecting to a POE+ switch plug-n-play ?

I have Cisco 2802 APs and an Aruba 2930F (PoE+).

The APs power on without any additional configuration on the switch. Is this enough or do I need to change any of the following settings? https://i.imgur.com/Q8B7z3O.png



OpenVPN or VPS blocking download over https

I have a VPS with DO, which I use primarily as an OpenVPN server. I used an easy-to-set-up script (wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh) and everything works fine, but I can't download files over HTTPS. If I connect my clients and even try an apt-get update, it can't download anything. I want to use the VPS for a Metatrader 4 program (forex exchange broker) but it needs to download some files over HTTPS and I can't get it to download.

I tried another VPS I had just created and it works just fine, but I can't afford another VPS at the moment, so I'd like to use the one I have.



ISIS and QoS

I was listening to some networking podcast discussing IS-IS as their main topic, and one of the guys mentioned that IS-IS is a pain in regards to QoS implementation.

For the life of me, I could not remember the podcast, and I am pretty sure it was not Packetpusher. Can someone please go into detail on why IS-IS is not the best option when QoS is going to be implemented?

Any advantages and disadvantages of IS-IS vs OSPF or even eBGP?

Thanks



MPLS VPN and OSPF

Hello,

My company has bought an MPLS VPN service from an ISP that connects several sites around Europe. I want to start an IGP protocol inside it and treat the entire company as one AS. The ISP tells me that we could use their BGP from the MPLS and treat each site as a different AS. Sites aren't big: mostly 3 persons on site, two bigger with 50 employees. What approach would be the best? Connecting each site using GRE tunnels over MPLS and start using OSPF, or BGP from the ISP?

Fast convergence and faster response to failures in the network (switch to an IPsec tunnel if MPLS is down) is a big factor in choosing the solution.

Thanks for any tips.



How do I SNAT interesting traffic for an L2L tunnel, while PAT'ing all other non-interesting traffic?

NAT interesting traffic with IPSEC L2L

How do I NAT interesting traffic going through an L2L tunnel? The NAT'ing happens on the same router that the L2L tunnel terminates on. Below is the config for the two routers. I have an ISP in between, but everything is routing and working correctly w/o the NAT. Once I enable the NAT, my tunnel breaks. All other traffic needs to PAT to an interface; I have a NAT exemption for the LAN of the L2L, and built a separate SNAT for the VPN L2L traffic.

ROUTER1 >>>>> ISP <<<<<< ROUTER2

PAT 10.200.0.0/16 OVERLOAD w/exception of 10.200.10.10 (that's the server that is considered interesting traffic to the tunnel)

SNAT 10.200.10.10 to 10.200.10.100

I removed all unnecessary configs such as routing and the server on corp network, as the tunnel works w/o the NAT, but fails w/the NAT.


hostname VENDOR

crypto isakmp policy 10
encr 3des
authentication pre-share
group 5
crypto isakmp key cisco address 1.100.50.1

crypto ipsec transform-set VENDOR2 ah-md5-hmac esp-3des esp-md5-hmac
mode tunnel

crypto map VENDOR 10 ipsec-isakmp
description VENDOR2
set peer 1.100.50.1
set security-association dummy pps 20
set transform-set VENDOR2
set pfs group24
match address 100

interface Ethernet2/1
description VPN PEER
ip address 192.168.118.2 255.255.255.252
duplex full

interface Ethernet2/2
description ISP
ip address 1.100.118.1 255.255.255.252
duplex full
crypto map VENDOR

ip route 0.0.0.0 0.0.0.0 Ethernet2/2 1.100.118.2

access-list 100 permit ip host 50.50.50.50 host 10.200.10.10
access-list 100 permit ip host 50.50.50.50 host 10.200.10.100 log-input
access-list 103 permit ip any host 50.50.50.50 log-input


object-group network Local-LAN

object-group network VPN-LAN
description NAT'd
host 10.200.10.100
host 10.200.10.10

crypto isakmp policy 10
encr 3des
authentication pre-share
group 5
crypto isakmp key cisco address 1.100.118.1

crypto ipsec transform-set VENDOR2 ah-md5-hmac esp-3des esp-md5-hmac
mode tunnel

crypto map VENDOR 10 ipsec-isakmp
description VENDOR2
set peer 1.100.118.1
set security-association dummy pps 20
set transform-set VENDOR2
set pfs group24
match address 100

interface Ethernet2/0
description CORP
ip address 10.200.50.2 255.255.255.252
ip nat inside
ip virtual-reassembly in
duplex full

interface Ethernet2/5
description ISP
ip address 1.100.50.1 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex full
crypto map VENDOR

ip nat Stateful id 100
ip nat inside source list 10 interface Ethernet2/5 overload
ip nat inside source static network 10.200.10.10 10.200.10.100 /32 no-alias
ip route 10.200.10.100 255.255.255.255 Null0

access-list 1 permit 10.200.10.10
access-list 10 deny 10.200.10.10
access-list 10 permit 10.200.0.0 0.0.255.255 log
access-list 100 remark IPSEC
access-list 100 permit ip object-group VPN-LAN host 50.50.50.50 log-input
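As an added illustration (not the poster's configuration and not a diagnosis of it), the following Python model walks a packet through the IOS order of operations that matters for this setup: inside-to-outside, NAT inside-to-outside runs before the crypto map is consulted, so the crypto ACL only ever sees the translated source address; outside-to-inside, decryption runs before NAT outside-to-inside. The addresses are the ones in the posted ROUTER2 config; ACL_PRE_NAT_ONLY is a constructed contrast case.

```python
import ipaddress

# Addresses taken from the posted ROUTER2 configuration.
VPN_PEER = "50.50.50.50"          # host reached through the tunnel (VENDOR side)
REAL_SERVER = "10.200.10.10"      # "interesting" server, real address
NAT_SERVER = "10.200.10.100"      # static /32 translation of that server
OUTSIDE_IF = "1.100.50.1"         # Ethernet2/5, PAT address for everyone else
INSIDE_NET = ipaddress.ip_network("10.200.0.0/16")

# Two crypto ACLs to compare. ACL_POSTED mirrors the posted access-list 100
# (object-group VPN-LAN holds both 10.200.10.10 and 10.200.10.100).
# ACL_PRE_NAT_ONLY is a constructed variant listing only the pre-NAT address.
ACL_POSTED = [(REAL_SERVER, VPN_PEER), (NAT_SERVER, VPN_PEER)]
ACL_PRE_NAT_ONLY = [(REAL_SERVER, VPN_PEER)]


def nat_inside_to_outside(src):
    """Model of ROUTER2's inside->outside NAT rules.
    The static translation 10.200.10.10 -> 10.200.10.100 applies to the
    server; access-list 10 denies 10.200.10.10 and permits the rest of
    10.200.0.0/16, which is PAT'd (overload) to the Ethernet2/5 address.
    Anything else is left untouched."""
    if src == REAL_SERVER:
        return NAT_SERVER
    if ipaddress.ip_address(src) in INSIDE_NET:
        return OUTSIDE_IF
    return src


def nat_outside_to_inside(dst):
    """Reverse of the static translation, applied to return traffic."""
    return REAL_SERVER if dst == NAT_SERVER else dst


def crypto_acl_permits(acl, src, dst):
    """A flow is selected for IPsec if any permit entry matches the
    (source, destination) pair the crypto map is handed."""
    return any(s == src and d == dst for s, d in acl)


def inside_to_outside(src, dst, acl):
    """Inside -> outside: NAT first, then the crypto map check.
    Returns (source address on the wire, whether the flow gets encrypted)."""
    translated_src = nat_inside_to_outside(src)
    encrypt = crypto_acl_permits(acl, translated_src, dst)
    return translated_src, encrypt


def outside_to_inside(src, dst, acl):
    """Outside -> inside: decryption (mirror-image crypto ACL check against the
    still-translated destination) happens before NAT outside-to-inside
    restores the real address. Returns (inside destination, decrypted?)."""
    decrypt = crypto_acl_permits(acl, dst, src)
    return nat_outside_to_inside(dst), decrypt
```

The second assertion in the contrast case is the interesting one: with an ACL that only names the pre-NAT host, the server's traffic is translated and then bypasses the tunnel entirely.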




Inconsistent Linux server download speed

Hey all, I've been having this weird issue, where most downloads (TCP transfers to my server from outside) are painfully slow, and some are blazing fast.

The server in question runs CentOS 7 and is connected to a gigabit pipe in a DC.

The issue:

  • I wget a test file from a near datacenter (2ms, 1GB file) on the server. It will start at 1MB/s and slowly climb to average 15MB/s.
  • I do it again and it's a very similar story
  • I do it once again and it starts at 107MB/s and finishes at 100MB/s average.
  • One more and it is slow again.

No such issue with upload speed, I can always saturate the full gigabit connection.

I tried to play with TCP congestion control, but it doesn't seem to have much (or any) impact.

It also doesn't matter where I'm downloading from; all downloads from all servers exhibit a similar behaviour. It seems to get worse with distance (latency) though. There is no packet loss.

Would be really glad for any pointers. I've been trying to troubleshoot this for a few days now.



Virtualized hardware routers

Does anybody have any experience with virtualized routers running off of a bare metal hypervisor? The thought is to take a business class router that would support layer 3 interfaces (IPsec tunnels, eBGP, etc.) and set up a headend in a lab. I would like to set this up as a tool for new techs to use and abuse. This would emulate a multi-site VPN based solution over an emulated internet connection (like an MPLS connection).

Doing initial research, it seems like all the SDN solutions are cloud based... I would like to have this as an offline lab with minimal physical components. Thanks in advance for any input.



Friday, November 30, 2018

Question regarding port numbers and NAPT routers

So from what I understand, pretty much most routers are NAPT routers and they require port numbers to know which computer on the network to direct the traffic to. But is there a different port number to tell what program/application the data is being sent to as well? Sorry if this is a stupid question, I just don't quite understand it.



Solid networking tool for testing access rules and IPS signatures.

nsauditor is what I've seen based on some video I've watched on Udemy. I want to test how my IPS behaves against certain traffic and be able to source from a different IP as well... it's on a non-production firewall at the moment.



Is SonicWall even relevant anymore?

I'm a bit new to the networking world (CCNA level), and I've been working with Palo Altos, ASAs, Merakis, etc for the past 2 years. I joined a smaller MSP who had a lot of SonicWalls deployed.

Am I just missing something with them? The pricing for one of them seems pretty hefty. They just don't seem all that special, and the interface just feels so unintuitive. We got a quote for a SonicWall, and it was more expensive than the equivalent Meraki, which IMO for uncomplicated clients, is better in almost every way (minus the no VPN client).

I just hear a lot of people swear by them and "They're great once you get used to them", and I just don't see it. Is it just the young punk in me that dislikes them? I don't see why I would pick a SonicWall over Palo Alto/Meraki/Fortinet.



Trying to build a 10Gbe network for a client

Hello Redditors of networking!

Let me start by thanking this wonderful community for any input/suggestions/corrections. I am not a total neophyte when it comes to networking, but I have not had enough experience with 10Gbe networks outside of the datacenters I work at. As a field engineer I am only involved in the racking and cabling as deployment is above my pay-grade.

That being said, let's get to the technical stuff!

I have a client who says his graphic designers are complaining that the transfer speed to and from the file server sucks.

The client:

- 17 graphic designers
- File server is a DiskStation DS1817+ w/ 4 x 4TB Iron Wolf drives
- 17 iMacs with 1Gb NICs connected via unshielded CAT6
- Netgear 24-port Gigabit switch
- Average file is around 2-6 Gigs
- Average file transfer speed is around 5-10 MBps

The solution:

I offered them a 10Gb solution by performing the following (please correct me if I'm wrong):

- UniFi Switch Model: US‑48‑500W + 2 SFP+ copper modules
- Synology Dual-Port 10GB SFP+ PCIe 3.0 X8 Ethernet Adapter (E10G17-F2) connected to the two SFP+ ports on the switch for a bonded speed of 20Gb
- 17 Dells (this upgrade has less to do with networking and more with performance, but the NICs are upgradeable to 10Gb NICs, and the client approved, so I figured why not?)

The confusion:

  1. To create a fully 10Gb network I will need a 10Gb switch that can do 100/1000/10000 on each port individually. However, since the files aren't HUGE, maybe the switch I ordered will be okay?
  2. CAT6A is the standard for 10Gb. The CAT6 runs I have are about >= ~25 meters from the switch.
  3. Since the file server will be aggregated to 20Gb, and the ports on the switch are 10/100/1000, will the Dells finally be able to use a full 1Gb and communicate with the file server a whole lot faster?
  4. I did some math, in theory, if all 17 computers are trying to transfer a Gig file at the same time, with max 20 Gb throughput, each machine should average out to ~150MBps?

Any input will be greatly appreciated. Thank you all in advance.



Visualize network connections and devices

Hello, can any of you guys recommend a good software to visualize all network connections between network devices?

We have SolarWinds right now but I don't think it's doing a good job. It's kind of OK to monitor individual devices, but when you try to see the big picture it's a mess, especially if I'm trying to see 50 VPN tunnels to 50 different locations. As far as I can tell it's almost impossible unless you do some voodoo custom stuff. As far as devices, it's mostly Cisco switches and ASAs, a couple of Ubiquiti routers, a lot of HP blades, a few Nexus 5Ks.

Thanks,



Adding a router to a modem/router combo provided by Spectrum.

I was curious: if I wanted to add a separate router to the current modem/router provided by Spectrum, does the router that will be connected also have to be “approved” by Spectrum? Or, because I am just connecting it to the modem/router, can it be any router that I want?



Study choice ????

Hello everyone, I’m looking for some guidance. I have graduated from college in a computer networking program but am realizing that I need to take the CCNA in order to move up the food chain. I have two choices for study material, Todd Lammle and the in60days book; I would like your opinion on which I should use and why you would advise this. Thanks for your feedback.



Question on IP SLA reachability for a tunnel interface source vs IP (Cisco ASR)

First off I'm trying to determine from logs based on currently configured reachability SLAs if an outage is from our ISP, or if it's from the tunnel/endpoint itself. We have an Amazon DX tunnel interface configured as:

IP: 100.64.#.#
Source: 192.#.#.# (Amazon block, also configured as a loopback address)
Destination: 52.#.#.# (tunnel endpoint)

The SLA echoes tracked in config are approximately half a dozen each for the interface IP (100.64.#.#) and the source (192.#.#.#). Any time the echoes from the IP (100.64.#.#) fail, the router assumes the tunnel is down and forwards everything to our secondary router. But I guess my question is: under what conditions would the echoes from the source (192.#.#.#) fail but not the 100.64.#.# IP?



Looking for some career advice, recently got my CCIE (R&S), looking to move out of operations into a Solution Architect role.

As the title states, just looking for advice from people who have transitioned into that role. I'm currently job searching, however most contracts/positions are looking for 5 years of experience in a solution architect type role, which I don't have.

I'm currently a senior network engineer working for an ISP in service assurance. I was wondering if there are any good stepping stone positions I should be looking for (pre-sales, technical delivery manager, etc.), or are there any other certs I should be looking to get that would help my chances in an interview, like the CISSP, TOGAF or ITIL? Any advice would be greatly appreciated.



Idle thought - In Cisco IOS, why does the command 'wr' do a write memory?

Every other command that isn't specific enough will ask you what you are talking about, but 'wr' goes ahead and saves your config. Maybe I wanted a 'wr t' or something. The command does say 'mem' is the default, but it's kind of an important command to be loosy goosy with. I've wondered about it for years.



Wrong Subreddit? I am looking for some good cheap / free beginner Avaya training

As the title says, I'm not entirely sure this is where I should post this, but my company uses Avaya for communications and it seems that there is no one here who is a dedicated expert with it. (We use vendors a lot for assistance with it.) I was going to try and leverage my value and get more comfortable with it.

Any useful resources like books, videos, guides or cheap courses you would recommend?

Thanks a ton everyone!

EDIT: I should note too, I currently have access to a spare G430 and phones to play with as well.



How far are we from MDS emulators for FC SAN on GNS3/EVE-NG?

We now live in a time with NXOSv 9000 and IOSv. Is SANOSv coming?



Dec. 2018 - Does anyone use Cisco VIRL? Is it worth it now?

I know there is an archived thread in this subreddit, but it is over a year old. Can anyone give an updated review regarding VIRL?



Network Traffic is getting routed to mail server in Turkey. Is this a red flag?

Little bit of a noob, I hope this question shows enough effort. I'm not a network engineer, just an enthusiast.

Days ago I noticed my network got very slow randomly. I ran my visual trace route tool (PingPlotter) and I pinged 3 targets: Amazon, LinkedIn, and Google Drive.

All three targets were showing that at hop #2 (the hop right after my modem) the traffic was being routed to a mail server in Turkey. On hop 3 it went back into the Charter/Spectrum backbone, on to the following hops, then on to my final targets.

I was using a VPN at the time, using a server on the east coast. I disconnected, re-connected to a VPN server in the midwest, disconnected, and re-connected back again to the same server on the east coast. During all these times of connecting and disconnecting to the VPN it was showing "trmail.trhosted.com" on the second hop, for all 3 targets. Eventually the routes changed and it no longer showed this on hop 2, but it would intermittently show up again on the 2nd hop for all 3 targets.

I called my ISP asking their tech support/engineering team if there would be any reason that my traffic would be routed to another country. Their answer was "it depends on your targets, it's likely the websites you were visiting aren't hosted in the US". That answer doesn't make any sense if the target websites' servers were in the U.S., right? And, even while using a VPN that could route traffic to somewhere strange... those were still in the U.S. too. And, it happened while connected AND disconnected to the VPN. Additionally, it wasn't just "somewhere down the line it routes through Turkey"... but rather, after my traffic leaves my LAN it goes directly to this "mail server" THEN back to the U.S. backbone... or so it all appears to me.

I brought this concern up to them; they said they couldn't answer my questions and referred me to their Subscriber Security (Spectrum network security). After emailing them and sending my PingPlotter data, they referred me back to Spectrum tech support.

I emailed the company that makes the network tool, PingPlotter, to confirm I wasn't reading results wrong. Being that I used to work there and know the caliber of people, technical talent, and mission to quality of customer service - they confirmed that it was extremely peculiar, and to continue to reach out to my ISP to resolve the issue.

I'm also considering drafting a letter to the FCC about the issue.

Is this a big red flag or am I being an overly-paranoid noob?

Maybe this is a big misunderstanding on my part?

Or maybe Spectrum's network has been compromised?

What do the network engineers of reddit think I should do?

I hope this post fits the criteria, and apologies if it doesn't and I missed something.

I also have all of the PingPlotter data that I can share with any of you to better explain my situation. DM me and I can share the files or links to private web pages that include the trace data, hops, etc.

Please and thank you in advance!



2 SFF machines, 1 Lenovo with Win10, 1 HP with Debian, both kick users off the local switch when asleep/frozen.

I have an endpoint with a handful of users connected to an unmanaged Netgear-ish switch, of the GS108 variety. These 2 machines I mentioned, business units with i5 CPUs and about 8GB of RAM, for whatever reason will kick everyone else off the network ONLY when (A) the Windows machine goes into a deep sleep (generally reproducible), or (B) the Debian machine freezes/becomes completely unresponsive (used for signage, was using incognito Firefox with Grafana, happened once so far).

  1. Has anyone had this happen? I cannot find similar examples online; numerous issues with Windows Sleep itself clog the results.
  2. Is this more likely a BIOS issue, a Power Supply Unit issue or an unmanaged switch issue?

My instinct feels like the managed switch up the chain is just ignoring all requests made when the offending machine sleeps and, if I may, shits out a bunch of requests or broadcasts or multicasts. I don't have time to troubleshoot when it has occurred, and it is rare to happen, because getting those users back up is more valuable.

I do not think spending a lot of time on this is valuable but the obscure nature of the situation strikes my curiosity. If it can be solved, great.



Network Lab Dashboard

Is anyone currently using any type of dashboard to show like a real time lab rack diagram? Such as who has what racked and what RU it is at and what it is plugged up to? Not sure if this is even available but after some Google searches I have found no results.



Setting up a branch IPsec tunnel on a 1918 address behind 1:1 NAT on Cisco gear

Standing up a quick-n-dirty temporary solution for a site affected by a natural disaster. The local WISP gave us a "static" IP, which is really 1:1 NAT. They gave my ISR an RFC 1918 address that DMZs to a public IP. All traffic to that public IP is 1:1 translated to the 1918 address. All my experience with s2s IPsec is with real public addresses on all endpoints. I know IPsec can do NAT traversal, but I've never configured it in Cisco land and my google-fu turns up nothing relevant to this use case.



Failover with Adtran 1638

Good afternoon. We are adding a secondary internet service to one of our locations and I just wanted to see if anyone had any advice on best practices for setting up the failover.

Situation: We have a remote site that connects via Metro E back to our main location, which hosts the servers and has the primary internet connection. We are wanting to add a secondary internet provider at the remote site for instances where the Metro E is down (it was just cut, killing that site for almost two days).

We have an Adtran 1638 providing routing at the remote site that also sends the traffic back over the metro e to the main location.

Question: Is the 1638 capable of handling failover? We can set up a VPN to provide access to servers, but we want the 1638 to recognize the metro E is down and route traffic out towards the new provider.

Any advice, or will this require a router with more capabilities?



Summarization and Redistribution Question

Currently each of our sites has two connections to our WAN, one via layer 2 Metro E and one via MPLS; Metro E is our primary. We are using EIGRP over the Metro E and we are redistributing EIGRP into BGP for MPLS. We are looking to summarize the routes being advertised at each site. The config for EIGRP seems simple enough. The problem that I am running into is that when I add the ip summary-address command to the interfaces (I tried adding it to both ints going to both WAN providers), it summarizes the EIGRP route but then we bounce over to the MPLS network because the EIGRP routes redistributed through EIGRP are not summarized and those are now the most specific routes. Am I missing something huge here? Or is my design just stupid? Any help would be much appreciated. This is our current config for routing.

router eigrp 100
network 10.20.0.0 0.0.255.255
network 192.168.50.0
network 192.168.201.0
redistribute static
passive-interface GigabitEthernet0/0.99
passive-interface GigabitEthernet0/0.100
passive-interface GigabitEthernet0/0.200
passive-interface GigabitEthernet0/0.300
!
router bgp 65005
bgp log-neighbor-changes
redistribute eigrp 100
neighbor 192.168.202.17 remote-as 13979
distance bgp 190 190 190
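As an added illustration (not the poster's configuration), this Python model shows why the behaviour described above is plain route selection rather than a misconfiguration of EIGRP: a router picks the longest matching prefix first and only then compares administrative distance, so a /24 learned over MPLS via BGP (AD 190, as the posted "distance bgp 190 190 190" sets it) beats a /16 summary learned over Metro E via EIGRP (AD 90). The site's internal /24s are constructed sample prefixes; the "aggregate-address ... summary-only" mention in the comment is one way BGP can carry a matching summary and is not taken from the post.

```python
import ipaddress

# Administrative distances as the posted config has them.
AD_EIGRP = 90   # EIGRP internal default
AD_BGP = 190    # "distance bgp 190 190 190"


class Rib:
    """Minimal routing-table model: longest prefix wins, then lowest AD."""

    def __init__(self):
        self.routes = []  # (network, administrative distance, next-hop label)

    def add(self, prefix, ad, via):
        self.routes.append((ipaddress.ip_network(prefix), ad, via))

    def lookup(self, dst):
        """Return (prefix, via) chosen for dst, or None if nothing matches."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None
        # Longest prefix first (negated so min() prefers longer), then AD.
        best = min(matches, key=lambda r: (-r[0].prefixlen, r[1]))
        return str(best[0]), best[2]


def build_remote_site_rib(bgp_aggregated):
    """Routes a remote site would hold for the 10.20.0.0/16 site above.
    Constructed sample: the site has 10.20.1.0/24 and 10.20.2.0/24 inside.
    EIGRP over Metro E carries only the summary once ip summary-address is
    on the WAN interface. What BGP carries over MPLS depends on the flag."""
    rib = Rib()
    rib.add("10.20.0.0/16", AD_EIGRP, "MetroE")
    if bgp_aggregated:
        # BGP advertises the same summary only (for example with
        # aggregate-address 10.20.0.0 255.255.0.0 summary-only).
        rib.add("10.20.0.0/16", AD_BGP, "MPLS")
    else:
        # "redistribute eigrp 100" hands BGP the specifics from the RIB.
        rib.add("10.20.1.0/24", AD_BGP, "MPLS")
        rib.add("10.20.2.0/24", AD_BGP, "MPLS")
    return rib


def chosen_path(dst, bgp_aggregated):
    """Which WAN link a packet to dst takes under each BGP advertisement model."""
    return build_remote_site_rib(bgp_aggregated).lookup(dst)
```

With the specifics present in BGP, traffic for 10.20.1.50 follows the /24 over MPLS; once both protocols carry the same /16, the AD comparison finally applies and Metro E wins.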



Interesting lil problem

Hey /r/networking.

I am writing here to see if anyone has some insight or a path to investigate further into a strange little issue.

We have some compliance in our environment and because of this leverage SolarWinds UDT. This lil issue essentially makes the UDT unreliable, because if it is not functioning as intended and is providing false alerts, it does not serve its purpose.

The issue I am running into... about once per day, sometimes twice, I will get an alert that a Rogue MAC address has been detected. The MAC address is vendorless and appears to be generated randomly. There doesn't appear to be a timestamp correlation to when this occurs, it just happens when it damn well pleases.

Fortunately, using SW UDT, I can see what switch this has a direct connection to. It is not always the same path through the network, but often passes or direct connects to a specific port. I mirrored out the port (well, the port that is most commonly flagged, it's not consistent) to an unused one & ran a dumpcap/shark on the wire for the past 24 hours and it came back with three separate hits across the span of 24 hours.

Filtering out the results is interesting (well, to me anyways, I'm not a super network guru-type).

The packet that this exists in appears only once in the span of roughly 3 hours. It is always a single source:dest mac set and both of them are vendorless. A strange occurrence that has happened once (that I've noticed since capturing) is the mac address exists as "concurre_00:00:34"

The protocols I've seen listed associated with the packet are: "0x0c78" and "0x748c" (so far anyway).

Somewhere in here, the managed switch must be registering this in its ARP table, or I'm guessing it wouldn't be detected? When I've http'd into the switch to view the ARP table, it does not exist there either. It blips and disappears, almost as if it's relying on this for some internal function that I am unaware of.

I have no doubt it is something in the environment that is doing this and I'd like to remove it so that the UDT solution can function as intended. As it stands now, it's unreliable because of this.

I'm stumped. Anyone seen something similar to this or have a better path? Glad to answer anything, but can't always respond immediately.

Hope everyone had a nice holiday & I greatly appreciate your time.
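An added example (not from the post) in Python: a small triage helper that decodes why an OUI lookup comes back "vendorless" (the locally-administered bit in the first octet of the MAC) and checks EtherTypes such as the 0x0c78 / 0x748c values mentioned above against a short table of well-known ones. The frame lines are constructed, not real capture data, and the EtherType table is an assumed subset.

```python
# Constructed frame summaries in the shape of what the post describes
# (source MAC, destination MAC, EtherType); not real capture data.
SAMPLE_HITS = """\
02:9f:1c:44:aa:10 02:9f:1c:44:aa:11 0x0c78
02:9f:1c:44:aa:10 02:9f:1c:44:aa:11 0x748c
00:1b:21:0a:0b:0c ff:ff:ff:ff:ff:ff 0x0806
"""

# Small lookup of well-known EtherTypes (assumed subset for the example).
KNOWN_ETHERTYPES = {
    0x0800: "IPv4", 0x0806: "ARP", 0x86dd: "IPv6",
    0x8100: "802.1Q", 0x88cc: "LLDP",
}


def classify_mac(mac):
    """Decode the two flag bits in the first octet of a MAC address.

    Bit 1 (0x02) is the U/L bit: set means 'locally administered', i.e. the
    address was not assigned from a vendor OUI, which is why OUI lookups show
    it as vendorless. Bit 0 (0x01) is the I/G bit: set means group/multicast.
    """
    first = int(mac.replace("-", ":").split(":")[0], 16)
    return {
        "locally_administered": bool(first & 0x02),
        "multicast": bool(first & 0x01),
    }


def classify_ethertype(value):
    """Values below 0x0600 are IEEE 802.3 length fields, not EtherTypes."""
    if value < 0x0600:
        return "802.3 length field"
    return KNOWN_ETHERTYPES.get(value, "unregistered/unknown")


def triage(lines):
    """Flag frames whose source MAC is locally administered AND whose
    EtherType is not in the known table: the combination the post reports."""
    findings = []
    for line in lines.strip().splitlines():
        src, dst, et = line.split()
        etype = int(et, 16)
        src_flags = classify_mac(src)
        proto = classify_ethertype(etype)
        findings.append({
            "src": src,
            "dst": dst,
            "ethertype": f"0x{etype:04x}",
            "protocol": proto,
            "src_locally_administered": src_flags["locally_administered"],
            "dst_multicast": classify_mac(dst)["multicast"],
            "flag": src_flags["locally_administered"] and proto == "unregistered/unknown",
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HITS):
        print(("FLAG " if f["flag"] else "     ") + f"{f['src']} -> {f['dst']} "
              f"{f['ethertype']} ({f['protocol']})")
```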



Why border/service leafs?

In VXLAN fabrics, why would you have separate border/service leafs? Instead of just connecting your firewalls/routers/whatever to any two leafs you decide?



OpenVPN

I have a Mikrotik routerboard rb951g-2hnd

This is my network configuration. I have two bridges: bridge one for all my Ethernet and WLAN,

and bridge 2 for my guest WiFi.

Each bridge has a DHCP server and IP address range.

My router is behind a private IP subnet and as such, I can't access my router and devices from the internet.

I hosted an OPENVPN service on cloud.

I am able to connect my other devices (mobile phone and laptop) to the openvpn server in cloud.

These are my challenges.

I was able to configure my router as an OpenVPN client on the interface, and you could see that it's connected.

So 1) how can I route some specific traffic through the VPN, i.e. maybe allow my guest WiFi on bridge 2 to connect through the VPN while everything on bridge 1 remains the same?

2) how can I access my router configurations (winbox, webui ssh) and network devices on my router (NAS, server) through the VPN from the internet? Since all my mobile phone and laptop are connected to the same OpenVPN server as the router.



Question about failover routing

I need some help with designing a solution. I've got an old Dell 6224 that is my core. It connects to 2 routers, 1 directly and 1 through a VPN. Both those routers are the next hop to my target address. I'm trying to find a reliable way to route to router 2 if router 1 goes down or vice versa. Our network is pretty static so we've been using just static routes. However, using weighted preference on the Dell switch doesn't seem to work well. Any ideas?

Thanks



Breaking RFC 1519

I have a problem and I'm hoping someone has some advice for how to best deal with a vendor. Their situation bothers me.

So a vendor installed a network for a new initiative in what is a more or less shared space. This system required networking, as you would expect, they needed a couple of things, provided a couple of things, etc. So, long story short: their gear: gateway/router/firewall ... The gear we provided: switches.

We chose stacked multilayer switches because of the requirements they set forward. We gave them admin access, to all the things, so they could round out the config for final implementation.

So yesterday, I went in to see how they're doing with it, and get some minor training on supporting their equipment (I'll help with onsite work since the vendor's location is pretty far away).

I found out that they're setting up Windows on a /24 network, x.x.101.y (where x is always the same across all network subnets) and they're setting the default gateway to x.x.100.1

I don't even understand how that works, at all, or why Windows would allow any communication to happen. They're not using vlans, so their x.x.100.y gear is on the same L2 domain as their x.x.101.y, but as far as I can tell, everything is set to /24.

This hurts me a little bit, but for some reason, it works. Communication happens.

I have not ever been witness to a network breaking CIDR boundaries like this. What is happening? Why does this work? What are the pitfalls here?

Obviously I just want to claw my eyes out and re-arrange the network into vlans and set up the L3 switch to route everything correctly, however, I have no access to set up routes in their gateways, so I'm pretty stuck.

Is this worth pursuing? I mean, for the purposes of shielding my client from a bad network design? Or will the problems be minimal and I shouldn't worry about it.

Thanks.



Testing Loop Prevention

I've been tasked with testing our VXLAN fabric for loop prevention to see how it affects the environment. Obviously I can create a loop by attaching a rogue switch to multiple ports, but I'm looking for other scenarios to test.

What do you guys have?

Thanks!



VXLAN Design Question - Firewalling and VXLAN

Question for those of you VXLAN experts. If a person wants to do an HA pair of firewalls (let's say through PAN), and they want to run one firewall in DC A and another in DC B. Because it is in HA they need to be in the same network.

So the admin creates 10.0.0.0/24. Each firewall is going to a pair of leafs.

Is it possible to run OSPF on the 10.0.0.0/24 network on the leafs if they are running in anycast gateway mode? If not, then how can you stretch the layer 2 when you also want to use layer 3 to advertise things like your default route from your firewalls?



Remote Infrastructure Management Server

Hello,

Is the RIM Server only for monitoring purposes?

For example, can I set DNS/DHCP service on this server or is it just for monitoring what is on other servers?



Trouble with DNSSEC, Windows Server 2016

I'm trying to teach myself to properly implement DNSSEC across a local AD domain, and I keep getting broken trust chain errors. I'd like to fix the trust chain if possible.

I have activated DNSSEC at my registrar and it checks out as secure.

https://dnssec-analyzer.verisignlabs.com/sglrit.com

I then followed this tutorial to activate DNSSEC on my local AD domain.

https://newhelptech.wordpress.com/2017/07/02/step-by-step-implementing-dns-security-in-windows-server-2016/

I then used PowerShell to export DS records from my local nameserver and entered the records at my public nameserver.

Export-DnsServerDnsSecPublicKey -DigestType Sha256 -ZoneName hq.sglrit.com -Path C:\Tech -force 

Then I ran the following commands in CMD to test that everything was working. Output below.

C:\Windows\system32>dnscmd /clearcache && ipconfig /flushdns
. completed successfully.
Command completed successfully.

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Windows\system32>dig @10.42.60.7 blackbox.hq.sglrit.com. A +dnssec

; <<>> DiG 9.12.3 <<>> @10.42.60.7 blackbox.hq.sglrit.com. A +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43034
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4000
; COOKIE: 0c8d703a5ad0a80e (echoed)
;; QUESTION SECTION:
;blackbox.hq.sglrit.com.        IN      A

;; ANSWER SECTION:
blackbox.hq.sglrit.com. 3600    IN      A       10.42.60.10
blackbox.hq.sglrit.com. 3600    IN      RRSIG   A 8 4 3600 20181210105226 20181130095226 7390 hq.sglrit.com. rRmORxdnVNhuSosWZ+k9RI7Kc2PqvSAIq9YH27N3Fv3+t5MJZpSQO8zC DTVlVKOtHcU96WdVFJY0V0/zDE00Yv8VjqLJa7i82HxvwofpUCEilet0 xc5xPIle385lC72LXYTFyR7wT7vN+zGERr8Rtl73WbEIQ9CfaQE7HetM KlSY5MKZld+5C/qmoq+uCvS9szusuQ9zmCXIgvDZIOE6GRXDPhitcARG T/ZKHzwPuFAsegjdz5EsjWkMsx2TZzpSHWKKt9mYPvWoGMCUSgr1eV4m GYH5AZohk28yoJGG1vhWTLF2+SA1OhcbAcLGO3X++4U3JWdow0thz/7k RscZdw==

;; Query time: 0 msec
;; SERVER: 10.42.60.7#53(10.42.60.7)
;; WHEN: Fri Nov 30 06:46:35 Eastern Standard Time 2018
;; MSG SIZE  rcvd: 380

C:\Windows\system32>delv @10.42.60.7 blackbox.hq.sglrit.com. A +rtrace
;; fetch: blackbox.hq.sglrit.com/A
;; fetch: hq.sglrit.com/DNSKEY
;; fetch: hq.sglrit.com/DS
;; chase DS servers resolving 'hq.sglrit.com/DS/IN': 10.42.60.7#53
;; fetch: sglrit.com/NS
;; fetch: sglrit.com/DNSKEY
;; fetch: sglrit.com/DS
;; fetch: com/DNSKEY
;; fetch: com/DS
;; no valid RRSIG resolving 'com/DS/IN': 10.42.60.7#53
;; validating com/DNSKEY: bad cache hit (com/DS)
;; broken trust chain resolving 'com/DNSKEY/IN': 10.42.60.7#53
;; broken trust chain resolving 'sglrit.com/DS/IN': 10.42.60.7#53
;; broken trust chain resolving 'sglrit.com/DNSKEY/IN': 10.42.60.7#53
;; broken trust chain resolving 'sglrit.com/NS/IN': 10.42.60.7#53
;; fetch: com/NS
;; validating com/DNSKEY: bad cache hit (com/DS)
;; broken trust chain resolving 'com/NS/IN': 10.42.60.7#53
;; fetch: ./NS
;; fetch: ./DNSKEY
;; validating hq.sglrit.com/DNSKEY: bad cache hit (com/DS)
;; broken trust chain resolving 'hq.sglrit.com/DNSKEY/IN': 10.42.60.7#53
;; broken trust chain resolving 'blackbox.hq.sglrit.com/A/IN': 10.42.60.7#53
;; resolution failed: broken trust chain

C:\Windows\system32>

The DIG command shows an RRSIG, so I see that the server is signing something, but the DELV command shows a break in the trust chain that I have no idea how to resolve.

Is this as good as it gets? or is there something I can do to get proper validation from local AD up to root domain?
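An added example, not part of the post: a Python helper that reads a delv +rtrace log like the one above and separates the first-hand validation failure ("no valid RRSIG") from the "broken trust chain" lines that merely inherit it, so you know which link in the chain to look at first. The embedded trace is an abridged copy of the post's own delv output.

```python
import re

# Abridged copy of the delv +rtrace output shown in the post.
DELV_TRACE = """\
;; fetch: blackbox.hq.sglrit.com/A
;; fetch: hq.sglrit.com/DNSKEY
;; fetch: hq.sglrit.com/DS
;; fetch: sglrit.com/NS
;; fetch: sglrit.com/DNSKEY
;; fetch: sglrit.com/DS
;; fetch: com/DNSKEY
;; fetch: com/DS
;; no valid RRSIG resolving 'com/DS/IN': 10.42.60.7#53
;; validating com/DNSKEY: bad cache hit (com/DS)
;; broken trust chain resolving 'com/DNSKEY/IN': 10.42.60.7#53
;; broken trust chain resolving 'sglrit.com/DS/IN': 10.42.60.7#53
;; fetch: ./NS
;; fetch: ./DNSKEY
;; validating hq.sglrit.com/DNSKEY: bad cache hit (com/DS)
;; broken trust chain resolving 'blackbox.hq.sglrit.com/A/IN': 10.42.60.7#53
;; resolution failed: broken trust chain
"""

FETCH = re.compile(r"^;; fetch: (\S+)/(\S+)$")
FAIL = re.compile(r"^;; (no valid RRSIG|broken trust chain) resolving '(\S+)/(\S+)/IN'")
BAD_CACHE = re.compile(r"^;; validating (\S+)/(\S+): bad cache hit \((\S+)/(\S+)\)")


def analyze_delv(trace):
    """Walk a delv +rtrace log and tell the first-hand failure apart from
    the failures that only reference it through the resolver's cache."""
    fetched = []          # names delv fetched, in order (leaf first, root last)
    root_causes = []      # records for which no valid RRSIG could be found
    inherited = []        # records that failed as 'broken trust chain'
    cached_refs = set()   # records blamed by 'bad cache hit (...)'
    for line in trace.splitlines():
        line = line.strip()
        if m := FETCH.match(line):
            if m.group(1) not in fetched:
                fetched.append(m.group(1))
        elif m := FAIL.match(line):
            kind, name, rtype = m.groups()
            rec = f"{name}/{rtype}"
            (root_causes if kind == "no valid RRSIG" else inherited).append(rec)
        elif m := BAD_CACHE.match(line):
            cached_refs.add(f"{m.group(3)}/{m.group(4)}")

    # If every cached failure points back at a first-hand failure, that
    # record is the single link to investigate; everything below it fails
    # only because the chain above it could not be validated.
    if root_causes and cached_refs <= set(root_causes):
        verdict = f"first-hand failure at {root_causes[0]}; the other failures inherit it"
    elif root_causes:
        verdict = f"first-hand failure at {root_causes[0]}; cache also blames other records"
    else:
        verdict = "no first-hand validation failure in this trace"

    return {
        "fetched": fetched,
        "root_causes": root_causes,
        "inherited": list(dict.fromkeys(inherited)),
        "cached_refs": sorted(cached_refs),
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = analyze_delv(DELV_TRACE)
    print("chain walked:", " -> ".join(result["fetched"]))
    print(result["verdict"])
```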



Cisco SG350 privilege levels

Hi Guys,

I'm quite used to Cisco IOS but haven't done a huge amount with the SG series.

On our IOS switches we generally create a privilege level and limit what commands it can execute.

However, while reading about the SG350s I have come across the following:

Manual:

Read/Limited Write CLI Access (7)—User cannot access the GUI, and can only access some CLI commands that change the device configuration. See the CLI Reference Guide for more information.

CLI Reference Guide:

Level 7

Users with this level can run commands in the User EXEC mode and a subset of commands in the Privileged EXEC mode. Users at this level cannot access the web GUI.

What isn't overly clear is whether I can customise a privilege level as I can with IOS and choose a specific set of commands.

Has anyone done this on the SG350 series?

I'd also be interested as to what "subset" of commands level 7 can use as this doesn't appear to be expanded on in the manual.



Facebook is in the process of turning IPv4 off within their data centers. LinkedIn and Microsoft are probably going to do this soon as well.



Free course with certification

Don't miss your chance to become Marketing Automation Specialist for FREE with #SALESmanago - system recognized all over the world.
➡ Register here: https://elearning.salesmanago.com



Thursday, November 29, 2018

Multicast issue with Informacast

We use Informacast at our offices to send pages and such to a group of phones. I recently finished setting up the network for a new location of ours. The paging and other multicast related things (AV devices) were functioning as intended.

About a week ago we got a report that the folks in the new location were suddenly receiving only a beep without any audio when a page was sent.

They have a combination of Cisco 7800 and 7900 series phones (none are receiving audio at the site). Knowing that Informacast uses multicast, I checked to make sure that any L3 interfaces along the path to the new site had PIM enabled, which they did. I then began googling about the issue and tried the steps that were outlined, including: disabling IGMP snooping on the voice VLAN and enabling IGMPv3 on the L3 interfaces. Still no audio. Has anyone experienced these sorts of issues with it? It works fine at our other locations with the same configuration. It's worth noting that the switches at the new location are a combination of Cisco 9300 and 9400 with IOS-XE 3.6.x whereas most other sites have 3750Xs.



VLAN Routing Question

Hi I will try to make this as short as possible.

Say I have a switch operating at L2 with tagged VLANs 100 and 200 configured connecting back to my router.

The networks are entered into the router.

Now I have a server connected to one of the trunk ports, configured with VLAN 100. I'm unable to reach the gateway.

VLANs are both showing as active.

What are some tests I can run to verify if everything is correctly configured?



Mayday Mayday: Data center guys are bull shitting me. I need your support.

I have recently identified an L1 auto-negotiation issue due to a duplex mismatch. Our security equipment is configured for auto negotiation and we were encountering duplex mismatch error counters (collisions and Tx errors) at the interface.

As per the logs I could clearly see that the port was configured as duplex mode full. However, the DC guys are telling me that it will show as full even if it is configured as auto!

https://imgur.com/a/WOaUF4J

The interface status is literally shown as FULL in both the capabilities and status output. However, the network engineer who handles this switch is telling me that it will show it as full even if it is set to auto!? Is this true? I think he is trying to bullshit me. Why on earth would a switch show the port status as Full if it is configured as Auto?

If someone has access to Cisco 5596 equipment, can you check this for me or help me verify it?

I believe if a port is configured as Auto then the status and capabilities will show as Auto itself and not Full. I'm also ready to be proven wrong, if that is really the case.

This is the query I raised in NE Stack exchange.

https://networkengineering.stackexchange.com/questions/54045/how-to-debug-l1-auto-negotiation-issues

Please check the status of the accepted answer.

<Masked> # sh int status | i HSM
Eth100/1/5 <Masked> connected 128 full 100 10/100/1000
Eth100/1/6 <Masked> connected 128 full a-1000 10/100/1000
Eth100/1/7 <Masked> connected 128 full 100 10/100/1000
Eth100/1/8 <Masked> connected 128 full a-1000 10/100/1000

<Masked> # sh int e100/1/5 capabilities
Ethernet100/1/5
Model: N2K-C2248TP-1GE
Type (Non SFP): 10/100/1000BaseT
Speed: 10,100,1000,auto
Duplex: full



Cisco ASA 5505 Default Config Random Sites Not working

An example of two sites that won't load, or load halfway are BankofAmerica.com and PCMAG.com

Here's a picture of how the website looks after it "loads".

https://imgur.com/a/hkRwAbN

I configured the ASA 5505 using the youtube video from soundtraining.net "Cisco ASA 5505 Firewall Initial Setup: Cisco ASA Training 101"

ASA Version 9.1(6) ; ASDM Version: 7.5(2)

When using packet trace from inside IP to BoA's website IP, I'm getting packet dropped because of nat-xlate-failed.

I'm not knowledgeable enough to get any further than this.. any help is appreciated. Thank you.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



Amazon to Offer On Prem Equipment for Datacenters



Newbie question about iSCSI MPIO with mixed 1Gb and 10Gb

Sorry, if this is the wrong sub for this.

I am thinking of whether this is possible.

One iSCSI target with 4 x 1Gb NICs, MPIO aware. One iSCSI initiator with a 10 Gb NIC. Connected through a 10 Gb switch (one 10Gb connection to the host with the 10Gb-capable NIC, and 4 x 1 Gb connections to the switch from the iSCSI target with only 1Gb NICs).

Setting up host with 10Gb NIC with all paths to all IPs of the MPIO 1Gb target on vSphere (4 links).

Will this give me ~4 Gbit iSCSI transfers to the target?

Sorry if this is a dumb question...



Cisco Firepower IPS - Dynamic Rule state

I've been reading about the default pattern of a certain IPS rule: when an IP on the internet performs this type of attack, the IPS detects it, drops it and generates an event.

But they try about 4 times against 4 different hosted devices in 2 mins. I want to drop and generate an event after the 1st attempt in under 60 seconds, but also block for 24 hours, because if not then they can just keep trying and trying. If I'm reading and watching videos correctly it's definitely doable to modify this IPS rule... anyone use this feature to automatically block for a certain time?



[Update] Cisco ASA 5516 W/ FP, Complete loss of connectivity.

Original post here

After quite a bit of trial and error and a second occurrence of the issue, Cisco found the issue to be caused by Snort crashing on the FMC modules.

The solution is to remove the module from Firepower, re-image it and finally add it back to Firepower.

The Cisco Doc can be found here: https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html



Access Switches (Ruckus vs HP/Aruba vs Juniper)

So for the past ~5 years we have been a Brocade/Ruckus shop. We had previously used Cisco but don't see a need to go back in that direction. At first it was the ICX6430, then 7250, and now 7150. The horizontal/closet stacking is very useful to us, and allows us to design a lot of redundancy between our different switch stacks (LACP/LAGs), etc.

Obviously the ride has been interesting, considering we went from Brocade > Combined with Ruckus acquisition > Broadcom (Temporarily) > Arris > now Commscope

Certainly the ICX is a strong product line and they have continued to develop and release new models; however, obviously there is continued uncertainty. I know many folks that have left that I worked with there previously. We have also had issues mentioned in other threads (PoE firmware corruption) and RMA problems.

We have the need for 60+ switches next year so I want to look at comparable options. Our primary needs are the SFP+ stacking and layer 2 access only; we do not see a need for anything layer 3.

For HP/Aruba, I believe that would be the 2930F model. I am waiting on bulk pricing, but obviously they are a leader in switching and have tons of options available.

For Juniper, it would either be the EX3400 or EX2300. Obviously the 2300 compares more to the 7150 we are using now, and for us is right around the same price. The EX3400 is a reasonable amount more and could be used selectively where the case justifies the dual power supplies. We have never used Juniper products before and thus do not know Junos. However, everywhere I read folks love it, and looking at the syntax it will be an adjustment but one I am sure we can make.

For Ruckus, it would be the ICX7150 that we have been using.

There are some differences in support. All have limited lifetime hardware replacement and software updates. Ruckus includes 3 years of tech support, HP is as long as owned, but Juniper is only 90 days. Juniper is also RTF after 90 days, whereas Ruckus and HP are NBD for the limited lifetime of the product. However, we typically do on-site spares for branch offices and ship internally, then RMA and restock, so that is not necessarily a huge issue.

Obviously from my reading I assume Juniper would be the most popular choice, which is sort of what I am leaning towards. I did see someone mention more common PSU failure on some models, so any conversation about folks' experiences would be appreciated!



MXtoolbox blacklist check down for anyone else?

I just get errors



Recommend an IPAM

I see there are a multitude of options for IPAMs out there. I have a specific use case that I'm having some trouble finding a solution. Maybe you all can give me a head start rather than downloading and trying out a bunch?

I have over 70 sites that are small SMB networks. Most subnets are /24s with a small handful of /22s. In these networks I have standardized DHCP ranges and static ranges. The DHCP ranges are for your standard laptops, PCs, phones. If the device requires a static address, the PC technicians in that area know to just use the static ranges. To know if the IP is free, they just ping out and see if it is free. This worked out well for a while but as we had large growth the past few years, we're seeing conflicts in the static ranges and sometimes the static ranges are getting full and we're not realizing it.

Here are some features I am looking for:

- We put all the subnets in and it pings out to just see if the address is taken currently and shows last seen.
- Addresses can be reserved, notes applied, roles maybe?
- Show percentage of used addresses
- Permissions can be set by either Site or Subnet (maybe by tags or something)

Not sure if something like this exists. I tried out Netbox for a bit but I realized it's all manual input. I'm not really wanting to completely rely on the manual entry.



Cloud cert / reading for Network Engineers

Hey all -

As a network engineer I'm looking to learn how networking works in AWS / Azure / GCP. What is the best way to learn this? Any certs?

Looking at things like routing between VPC / VDC, how network functions are deployed / managed, Express Routes, etc.

I'd probably want to get some idea of the solutions as a whole as well.



Lab Networking setup has connectivity issues I have not run across before. Any help is appreciated!

So, I was asked to install a simple lab setup for my company, on an isolated ISP connection, for an experiment. We had to mimic a client's setup, so my choice of hardware was forced (and overkill for the job). Let me go over the topology and the problem.

The Topology

Switch - Cisco SGE2000P 24-Port Gigabit Switch. One port going to my ISP connection (just a wall jack on the lab end), one port going to the WLC, One Port to the Laptop I'm using to configure everything

WLC - Cisco 3504 Wireless Controller. Running everything through the Untagged Management VLAN (I know, not ideal, but this is just a lab setup). Port 1 to the Switch. Port 3 (PoE) connected to a Direct AP. WLC is also running the DHCP server, all addresses on the 192.168.1.X network.

AP - Cisco Aironet 1652-E Outdoor Access Point (god knows why we are using this). Has a static IP on the management subnet outside of the DHCP range.

Wireless Clients (only about 20 max will be connected). All are obtaining IPs and DNS servers through DHCP without issue.

DNS Server - Using Google's for testing (8.8.8.8)

The Problem

So, after many struggles (most surprisingly resolved when I disabled and then reenabled the license), I was able to get the AP to join. My SSID for my WLAN is broadcasting fine, Wireless clients can join and pull IPs, and Broadcast forwarding is enabled on the WLC.

However, wireless clients are only able to load certain sites, intermittently. For example, one client was able to load Yahoo, but not BBC. 10 minutes later, it's the opposite. At first I thought it was wireless interference from other APs, but that seems not to be the case, and when the sites fail to load, it looks like DNS failure (502 Bad Gateway).

This is frustrating as it happens without warning, then goes away just as quickly. I have tried using alternate DNS servers (tried Open DNS, Google's Backups, etc...), but it has not resolved the issue. Using an internal DNS server is not really an option. Does anyone have any ideas what may be causing this behavior?



Connecting 4 physically separate networks via Fiber backbone

Connecting 4 buildings, all of which have 4 physically separate copper networks in them. Is there a media converter that can take those 4 RJ-45s on one end, connect via a single fiber cable, and give all 4 networks at the other end?

I've always done copper backbones, but would like to run a single cable if possible in this case.



2-Port Switch

Does anyone know of a cheap switch with only 2 ethernet ports + the network connect port?

Essentially it will be for connecting two devices to a network that will generally be installed next to a single wall port.

Thanks



Legit CCIEs of Reddit... Is the exam as impossible as people make it out to be?

I've been told by a few people at work that the exam is impossible without cheating. Could those who got their CCIE legit without using any cheating tell your story (how long did you study, how many times did you fail, was the exam fair?)



RPC traffic breaks when HSRP active fails over

I am setting up a new project for an industrial SCADA client and they have a distributed pair of servers, essentially at different sites. The two servers communicate using RPC calls and talk directly via IP on some high-numbered TCP port (40xxx). Anyway, I am testing the network to ensure that when HSRP fails over to the secondary router the communication doesn't fail with it, and so far all my tests indicate that this isn't the case. The 2 servers are synchronized and can withstand a delay of up to 200ms between them; however, HSRP by default is slower than that, and even though I have tuned the timers to 200ms/600ms (hello/hold) I am still seeing a loss of synchronization and all the RPC traffic fail at the same time in the server logs. Is there any way to preserve RPC over a change in HSRP state on a Cisco router? I am using 3850s. I believe the RPC traffic maintains the synchronization.



Public IP

Question for the folks who run their network using public IP - no NAT whatsoever.

Do you have your router-to-router links in public IP? Do you have anywhere in your network that you use private IP? If you do, what type of network is it that you decided to give an RFC 1918 IP?



Tomato router: multiple static IP devices w/ same IP address on the same router?

Diagram to explain my question: https://i.postimg.cc/GmTPXgSS/network-question-static-ports.jpg

I'm doing development on some embedded devices that are connected via ethernet. They all have the same static IP address (192.168.7.250). They also all run a DHCP server.

I have a router with a WAN port connected to corporate network (DHCP client). The router has four LAN ports, one of which I want to act as a DHCP server for a desktop network switch to service my laptop and other devices that need to ask for local IP addresses. I'd like to utilize the other three LAN ports so I can connect up to three of these embedded devices that I'm working on.

Since the embedded devices are configured for a static IP address (and also have their own DHCP server!), how do I segregate the physical ports 1, 2 and 3 from each other, as well as from my laptop, so the laptop is using the router's DHCP server and not any of the ones on 1, 2 and 3?

Additionally, how do I assign IP addresses to ports 1, 2, and 3 such that I can still ssh into each of the embedded devices individually from my laptop? I think I need each of the ports 1, 2, and 3 to be separate virtual LANs. But I'm not sure how I would be able to access these VLAN.

I'm using a router with Tomato firmware. Here's what one of the configuration pages look like:

https://i.postimg.cc/SxtSxDSq/network-multiple-statics.jpg



Huawei MA5800-X15 MPLA Active/Standby failure after config load

I have 2 Huawei MA5800-X15 OLTs with 2 H902MPLA boards each, one on my desk and one working in production. Initially, both boards of the OLT on my desk were running fine. One of the boards had ACT led ON and the RUN/ALM led was blinking green (0.5s) on both of the boards, as it should be when things are running correctly.

I've exported the config from the production OLT via tftp running:

backup configuration tftp 192.168.1.11 backup.cfg 

After that I've loaded and applied this configuration into the OLT on my desk using:

load configuration tftp 192.168.1.11 backup.cfg all active configuration system 

After that, the OLT on my desk rebooted successfully and loaded the new configuration. Then I ran the "save" command to save config and data.

Then I decided to reboot the active board (board1) with:

reboot active 

During the reboot of board1 the ACT led on board2 has switched ON (green) and the RUN/ALM led on board1 started blinking red every 0.25 sec, which is normal during reboot. Unfortunately the board2's RUN/ALM led never became green again and ACT led has never blinked again. I left everything for a couple of days and nothing changed. Complete OLT reboot did not help.

I know that none of the boards are faulty because when I reboot the board2 then board1 comes online and board2 stays with RUN/ALM blinking led in red. Seems like they are working separately and cannot get synchronized. When one board reboots, the other loads up and becomes active, but the recently rebooted board just hangs in the middle of the loading process.

I've connected two console cables, one to each board, and I can see that the board with the red light just stops at the same point every time.

The active board on OLT has an alarm which says:

The communication between the board and the control board fails

Here is the console output from both boards:

https://imgur.com/a/8x3atmL

The board with RUN/ALM red light always stops after

Starting system application init......successfully!

After this line it should start loading config, but it does not until the active board goes for reboot!

I've tried to do a factory reset on both boards with:

erase flash data reboot system 

But it did not work out. Both boards have a default configuration now, but keep doing the same thing again and again. Looks like the boards can't sync the configuration between them. Or both want to become Active and only one loads up.

I tried to google about this situation, but I did not find a single word about it. Seems like some unique situation. Did anyone have similar problems with Huawei OLTs?



Portchannel - Stacked Switch

I have a Cisco 3560-CX that I want to connect to stack of 2960X's.

Can I set up a port-channel and run one trunk to Gi1/0/49 in the stack and the other to 2/0/49?

Essentially, I'm wondering if I can run a portchannel to two different switches within a stack.



What motivates you?

I was just asked - randomly - by someone above me, "What motivates you?".

Totally caught me off guard - but wondering what motivates all of you?



VPN Tunnel Goes Down During IP Sec (Phase 2) Auto Re-negotiation

Hello all, I hope this question is acceptable here.

We have a SonicWALL NSA 2600 at main site and a SonicWALL FV-400 at remote site.

A site-to-site VPN tunnel between them had been working flawlessly for about 2 years.

Approximately one month ago, we began having an issue where the tunnel would go down, at around the same time of day every day, and then it would magically heal itself and come back online in about 15 minutes.

After a few days, we realized that it went down at the exact same time that IP Sec (Phase 2) was set to auto re-negotiate. That meant we could now predict precisely when it would happen, but we still didn't know the cause. It didn't make sense that the tunnel worked for 2 years straight and then randomly started having this issue.

We have SonicWALL support on both devices, but they are absolutely useless and clueless about their own equipment.

I've had them make minor tweaks here or there on the tunnel settings, but they were all guesses and never fixed the issue.

I've called 5 times now to get this figured out and each time, they make minor tweaks and tell me to call in again if it keeps happening. Well, it keeps happening, and it's severely impacting our business now, not to mention my reputation with our business owner. It baffles me that after a month, SonicWALL is still in the "guessing stage" with our issue.

They've done numerous packet captures and log exports, etc... They have NO CLUE what's happening. I was at least able to be escalated to a senior level tech today, but he and I spent 2 hours on the phone today and he still didn't know what was going on.

One thing we DID discover today, however, is that when we change IP Sec proposal protocol from ESP to AH, it instantly starts working. But when it's on ESP, it takes 15-45 minutes to start working. During that time, absolutely no traffic passes between the two subnets, however both SonicWALLs show a green light indicating that the tunnel is up.

I've been using ESP protocol for 2 years just fine.

Why would it suddenly start exhibiting this behavior, seemingly out of nowhere?

No changes were made to either router when the issue presented itself. However, since the issue began, we have updated to latest firmware on both sides in an attempt to resolve the issue. No luck.

Also, I have a TZ-105 at my house with an ESP-based tunnel going to both sites, and that tunnel is rock solid. Stays up at all times. So when SonicWALL tried to suggest that perhaps AT&T was blocking ESP, I was able to refute that because:

1) It worked as ESP for 2 years. Why would AT&T suddenly start blocking that with no warning?

2) If ESP was suddenly being blocked by ISP, it wouldn't start working again after 15-45 minutes post re-negotiation. It just wouldn't work, period.

3) If ESP were being blocked, the ESP tunnels I have at home, going to both the remote site and main site, would have to be affected too, right?

So for now, I have put a band-aid on the problem, by setting my negotiation between remote and main site to occur every 24 hours at midnight (8 hours is default), so the issue still exists, but no one's in the office to notice it. It's bugging the hell out of me and am open to suggestions since SonicWALL is utterly useless.

Thanks everyone!



My home network setup - please evaluate and advise

I got 300mb (up)/50mb (down) fibre into my house a few weeks ago. I have a two story house with 3 bedrooms upstairs and 3 rooms downstairs ... typical small family home.

For various reasons the router (Huawei HG659b) went upstairs in the main bedroom, and is currently placed on top of the wardrobe in the corner of the room. I have a Google mesh https://store.google.com/product/google_wifi attached to the router, and another Google mesh downstairs in the living room which is directly below the main bedroom. Wireless tests close to the router show that I'm getting full speeds, but this degrades dramatically when I move outside the main bedroom.

I thought that this setup would be enough to get decent wireless signal around the whole house, but apparently not. When I run tests on the Google mesh (through the app) the mesh gives a result of "weak" or "fail" around 50% of the time (shows a speed of 15-20mbps). The other 50% of the time the mesh test shows "great!" with a speed of 120mbps.

I've tried moving the mesh units around a bit (not a huge amount), but it makes no difference to results.

I have an Nvidia Shield (Plex, gaming etc) downstairs which is stuttering when connected to the mesh network. I did try to connect to the 5g wireless signal, but this doesn't always reach downstairs. The 2.5g wireless signal is too slow at about 5mbps.

Moving the router downstairs or hard wiring is not an option at the moment. I'm a bit stunned that my wifi in a reasonably small house is so poor. I'm also very disappointed that the Google mesh system seemingly can't reach from the bedroom to the living room directly below.

If anyone has any advice I'd greatly appreciate it. I'm using the cat5 cables that came with the hardware. Would it make any difference to replace with better (maybe cat6??) cables? What else could I do to improve things? Another Google mesh? As I've said previously, moving the router or hard wiring not an option at the moment.

I'm a noob at this so maybe doing something stupid. Any advice greatly appreciated.

/edit/ I can upgrade to gigabit speeds ... would this solve my problems? Would upgrading the router be an option (not sure if my isp allows this?)



Cisco Networking - AP - WLC - VLANs

Hello,

I'm not really at home with Cisco, but I do have advanced network knowledge, so it's better to ask someone who knows than to make a mess :)

My current setup:

PoE switch - WS-C2960X-24PS-L
40 APs - AIR-AP1810W-E-K9
WLC 2500

I did some adjustments in my network infrastructure and my last step is this wifi.
How should I set up tagged and untagged ports on the switch to get this situation:

When I connect a Cisco AP to the switch, I want it to take an address and be in VLAN 17
When a guest connects to an AP, I want them to take an address from VLAN 100
WLC Controller to be in VLAN 17

Mikrotik is in between.
VLAN 107 - Business
VLAN 17 - APs
VLAN 100 - guests

sfp1 (trunk) - goes to the main router where the DHCP servers for all three VLANs are
ether8 - Cisco switch
ether7 - Business network
ether6 - Cisco WLC (or maybe should be connected to Cisco switch?)

What would be the best scenario for me? Currently the business network is working flawlessly, no problems, all devices are taking addresses through the trunk port from the main router.
For the connection between the Cisco switch port and Mikrotik ether8, what should the port on the Cisco be? Trunk? Or tagged in 17 and 100? Then what should ether8 on the Mikrotik be? Trunk or?

Thanks



Wednesday, November 28, 2018

Loving Juniper’s Virtual Chassis

I love that I can make a switch stack out of a couple of EX platforms and get not only port density but redundancy, all for way less cost than the comparable Cisco solution... But as I’m new to this tech, any “gotchas” I should look out for? Only have made a couple of 2-switch VCs to date, but looking to maybe replace an aging Cisco 4506 chassis (L2 only, trunked to an upstream core switch/router) with a bunch of EX2300s or the like...



Is there -any- logical reason for my ancestor to have done this?

I've inherited a network that reminds me of those pictures of the webs of spiders who were on various drugs.

sh config returns the following gibberish:

ip route 0.0.0.0 0.0.0.0 10.0.0.1

Followed by 11 lines of ip routes that send 11 different 10.x.x.x subnets to 10.0.0.1, except for the 10th one which replaces 10.0.0.1 with FastEthernet0/0

Am I completely missing something here or was somebody a little less than rational when he programmed this thing?



Shaping Outbound Internet

One of our providers recommends shaping outbound traffic over their link. They don't really explain why they recommend this, so I assume it's to smooth out traffic peaks, to lower the number of packet drops.

I'm wondering, how many of you actually do this? Do you see any real benefit from doing it (or not doing it)?



What's happening when you access 0.0.0.0 via the browser?

When using it locally, it behaves like localhost, so if I have a server listening on port 80, then localhost:80, 127.0.0.1:80, and 0.0.0.0:80 all end up behaving the same.

My question is, since 0.0.0.0 is the meta address for "all networks" (EDIT, I meant all ip addresses known to the current machine my bad), is it trying to access port 80 on every network, getting a response from 127.0.0.1:80, and using that? Why is this not interacting with every other host ip on my immediate network? or is it, but i'm just not seeing that interaction?

My understanding is that if you ping 0.0.0.0, it would be the same as pinging the broadcast address for your network, so I'm confused how this works when accessing a single port to connect to a host through a browser
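
An added example, not part of the question above, that shows what a connect() to 0.0.0.0 actually does on the host. The listener is bound to 127.0.0.1 only, so it is reachable solely over loopback; the client then connects to 0.0.0.0 on that port. On Linux the kernel rewrites a wildcard destination to the loopback address before routing, so the connection lands on that listener, no frame leaves the machine, and no other host on the LAN is ever contacted (Windows does not do this mapping and refuses the connect instead). The port number is ephemeral and the whole exchange is local; nothing here assumes any particular network.

```python
"""Added example: a connect() to 0.0.0.0 lands on the local host, nowhere else."""
import socket
import threading


def connect_via_wildcard():
    """Return (peer address seen by the client, peer address seen by the server)
    for a TCP connect to 0.0.0.0 against a listener bound to 127.0.0.1 only."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # loopback only, ephemeral port
    listener.listen(1)
    port = listener.getsockname()[1]
    seen_by_server = []

    def accept_one():
        conn, addr = listener.accept()
        seen_by_server.append(addr[0])       # where the server thinks the client is
        conn.close()

    worker = threading.Thread(target=accept_one, daemon=True)
    worker.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.settimeout(5)
    client.connect(("0.0.0.0", port))         # the "any" address used as a destination
    peer = client.getpeername()[0]            # what the kernel actually connected to
    client.close()
    worker.join(5)
    listener.close()
    return peer, seen_by_server[0]


if __name__ == "__main__":
    print(connect_via_wildcard())             # ('127.0.0.1', '127.0.0.1') on Linux
```

Because the listener was never bound to a LAN address, the only way the connect can succeed is for the kernel to have substituted 127.0.0.1 for 0.0.0.0; a listener bound only to the machine's LAN address would not be reached this way. That is also why nothing shows up in a packet capture on the physical interface: the browser case in the question is the same substitution, not a scan of every host.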



Cisco WLC multiple VLANs, SSIDs - going around in circles...

The TL;DR: I have multiple VLANs mapped to SSIDs on the WLC, but can only use them and get DHCP for clients if I run a trunk to the AP itself. But, if I do this, I cannot manage the APs in the WLC. I'm using Virtual WLC, so it's FlexConnect.

  • I have a service port, can connect to that just fine.
  • I moved management to a dedicated VLAN20. This has no SSID on it, and AP's get IP from here.
  • I have 3 x user VLANs and SSID's. VLAN10, 30 and 50. Each with associated range, 192.168.10, .30 and .50 respectively.
  • All interfaces go to its relevant gateway on a pfSense box, each VLAN has a DHCP server for its subnet on the firewall.

From what I have read, best practice on a normal WLC is to have APs connect to an access port on the management VLAN (20 in my case), and then it will tunnel to the controller, and break out to each VLAN from there. I'm using a virtual controller, so using FlexConnect - I read in places to use a trunk to the AP in this case. Lots of conflicting info on the web.

If I do use an access port to the AP, clients are getting an IP address from VLAN20 (management VLAN) and even then that only works if I connect to the SSID for VLAN10. If I try VLAN 30, it won't get an address at all (which is more odd)

But - if I trunk to the AP, all SSIDs work, clients get a DHCP address in the correct VLAN. However I cannot see the APs on the controller. So I'm going around in circles.... and getting a little frustrated.

Can anyone point out my stupid for me please?



Renewing CCIE using Continuing Education Program Question

Does anybody know whether recertifying a CCIE using the Continuing Education Program also recertifies your active CCNP?



Are there any tweaks you can make on the NXOSv9000 image so that it could run lower resources?

I run 9.2.1 on GNS3 and the running VM has so many ports on it. Is that something you can cut down?



Making changes to a switch in a Juniper virtual chassis stack

Hey guys, I'm trying to figure out how to configure a port in a VC pair of 4 Juniper 4300 EX switches. I can access the master via the VC management IP, but I have no idea how to configure one of the other switches in the stack.

I tried "edit virtual chassis member 1" and saw it switch to member 1 at the CLI level, but I still can't configure anything like ports etc.

I'm fairly new to Junos (Cisco R&S background) so I'm lost lol. I did some reading and found that the VCP ports are for the VC, but all the documentation shows is configuring the VC, not how to configure an individual switch port on one of the other switches in the VC.

All I want to do is configure a port as access with a VLAN on one of the switches in the stack, sigh.



Multiple Internet Connections for Small Offices

What are folks doing these days for managing multiple internet connections per location for branch offices? On the high end, I have multiple internet connections with BGP and ARIN-assigned blocks. I've got a couple offices coming online with BGP and /28s SWIPped to us. And then I've got a bunch of small offices we're upgrading to two connections, where budget prohibits me from finding DIA/MIA with BGP peering. I'm currently using IOS IP SLA tracking to fail over from one connection to another, but selection of IPs to track is problematic. The simple fact that tracking a single IP in provider space or on the internet isn't a reliable way to tell if a circuit or provider is down is really bugging me too. A previous gig used Packetshapers to do slightly more complex Internet gateway selection. So tell me what other options are out there for this space. Thanks
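
An added example, not from the post above, of the decision logic that replaces "track one IP": each circuit is probed against several independent targets sourced via that circuit, the circuit is declared down only when fewer than a quorum of them answer, and a state change is accepted only after it has persisted for several cycles, so one lossy interval or one unlucky target does not flip the default route. The circuit names, target addresses (198.51.100.1 and 203.0.113.1 stand in for the two provider gateways) and every probe result are constructed; a real deployment would replace the replayed results with pings or TCP connects bound to each circuit's source address.

```python
"""Added example: judge a circuit by a quorum of probes with a hold-down, not by one IP."""
from dataclasses import dataclass


@dataclass
class Circuit:
    name: str
    targets: list          # hypothetical probe targets reached via this circuit
    quorum: int            # replies needed per cycle to call the circuit healthy
    hold: int = 3          # consecutive disagreeing cycles before the state flips
    up: bool = True
    pending: int = 0       # how many cycles in a row have disagreed with `up`

    def observe(self, replies):
        """Feed one probe cycle ({target: answered?}) and return the debounced state."""
        alive = sum(1 for t in self.targets if replies.get(t, False))
        healthy = alive >= self.quorum
        if healthy == self.up:
            self.pending = 0
        else:
            self.pending += 1
            if self.pending >= self.hold:
                self.up, self.pending = healthy, 0
        return self.up


def choose_gateway(circuits, preferred):
    """Preferred circuit while it is up, otherwise the first healthy alternative.
    If nothing is healthy the preferred path is kept rather than black-holing traffic."""
    for c in sorted(circuits, key=lambda c: c.name != preferred):
        if c.up:
            return c.name
    return preferred


def replay(circuits, cycles, preferred="ISP-A"):
    """Run constructed probe cycles and return the gateway chosen after each one."""
    chosen = []
    for cycle in cycles:
        for c in circuits:
            c.observe(cycle.get(c.name, {}))
        chosen.append(choose_gateway(circuits, preferred))
    return chosen


def demo():
    # Constructed data: provider gateways in documentation space plus well-known
    # anycast resolvers as far targets. Quorum 2 of 3 per circuit.
    a = Circuit("ISP-A", ["198.51.100.1", "1.1.1.1", "8.8.8.8"], quorum=2)
    b = Circuit("ISP-B", ["203.0.113.1", "1.1.1.1", "9.9.9.9"], quorum=2)
    fine = {"ISP-A": {t: True for t in a.targets}, "ISP-B": {t: True for t in b.targets}}
    # One far target unreachable: a single-IP tracker on 8.8.8.8 would fail over here.
    one_target = {"ISP-A": {"198.51.100.1": True, "1.1.1.1": True, "8.8.8.8": False},
                  "ISP-B": fine["ISP-B"]}
    # Circuit really broken: only the provider's own gateway still answers.
    broken = {"ISP-A": {"198.51.100.1": True, "1.1.1.1": False, "8.8.8.8": False},
              "ISP-B": fine["ISP-B"]}
    return replay([a, b], [fine, one_target, one_target, broken, broken, broken, fine])


if __name__ == "__main__":
    print(demo())   # ['ISP-A', 'ISP-A', 'ISP-A', 'ISP-A', 'ISP-A', 'ISP-B', 'ISP-B']
```

Two things to note in the replay: the loss of 8.8.8.8 alone never moves traffic, and when ISP-A really breaks the switch waits three cycles before moving and three more before moving back, so a flapping circuit cannot drag the office with it. Probing through the provider's own gateway only proves the last mile; the far targets are what prove the provider can reach the Internet, which is the gap the single-IP tracker in the post leaves open. IOS enhanced object tracking can express the same idea on-box by combining several IP SLA objects in a threshold-percentage track list with up/down delays.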



Everyone gets a trunk port!

While setting up a new VLAN at our main office I found that every port (in a stack of 6 switches) was set to switch port mode trunk. Trunk for computer, printers, etc. I asked the vendor why it was done this way long ago as I inherited it. See how many mistakes you can spot. Comments welcome on what they said.

That connection config indicates that VLAN 15 is the LAN network and VLAN 10 is for phones. Any place that has dual purpose ports or allows tethering uses trunking.

Because 15 is native, anything plugged in will default to that VLAN while a phone, which will get specific config instructions on boot normally, will switch over to VLAN 10 to segregate the traffic. You have to do that config unless you specifically want to dedicate LAN port and Phone ports.

Spanning tree isn’t an issue unless you introduce loops and don’t have it configured well.

If there’s no loop I have a hard time understanding how spanning-tree would come into play period. If spanning-tree did come into play, we would still have the same issue in general mode as ports would be have untagged VLANs.

The general recommended/best-practice in the industry for both Cisco and Dell has always been to utilize Trunk mode when 2 different networks come into play like this; otherwise Access mode is normally recommended.



Connecting datacenters between US West Coast and India - Need advice

Can some experts here chip in with some expert guidance, please?

I am trying to sign up with a Colo provider in West Coast (Am inclined to HE Fremont, or Switch Tahoe Reno) to run an OpenStack private cloud.

We have an offshore delivery center in Chennai, India, where we intend to set up another OpenStack instance. These two Openstack instances will be connected to each other for redundancy / disaster recovery.

Questions for which I would like guidance:
1. We are planning to get an ASN in Asia. Will the Asia ASN suffice to assign IPs to the OpenStack region in US West Coast or do I need a separate ASN for each?
2. I assume that we will connect the two locations over VPN. But, how do I determine which ISP in USA and which ISP in India can set up a VPN connection, to minimize latency? I assume we need to identify ISPs on either end, who have some kind of peering relationship. Not sure how to go about it, since the service providers are different. In India, we have quotes for Internet connectivity from Airtel, Vodafone, Spectranet. In the US, I assume it will be AT&T or someone like that. Can someone advise on this?



First Jr Network/Cloud Engineer job

Cross-posted to r/ccna

First, I want to say thank you to everyone on this sub for the motivation. Seeing everyone getting CCNA certified pushed me to learn as much as I could. I'm not CCNA certified yet but will be soon.

Second, I failed the "technical" part of the interview when they asked me to configure a basic network with OSPF, EIGRP, BGP, VPN Tunnels, and everything else that we are required to know; however, I did demonstrate that I could follow direction and that I had the willingness to learn and not give up when things got hard.

Some background on my experience: started by pulling cable and building out physical network infrastructure, moved to a management position doing this but was not satisfied at this level. Took a pay cut to go and learn more of the "general" IT stuff as in System Administrative work. After a few months of dealing with customers that self-determined the universe revolved around them, I knew it was time to pursue my passion; Networking. Took a few classes from the local college and got CCENT certified along with some other networking related certs. The company did mention that the CCENT wasn't anything great but it did show I was determined.

Hope this gives you guys/gals some motivation to get up and do it. If a person starting from working construction/pulling cable can move to a networking position, so can you.

Feel free to ask questions If you have any!



Engenius WDS Bridge Issue

Using Engenius ENS500ACs in WDS Bridge.

600 feet max between transmitters across a giant parking lot. Maybe 150MBPS max (17 IP cameras topped off at 6000kbps) at Channel 112, Green mode off, 80MHz (AC Only). These things are advertised at 300MBPS and I assume this is in whatever mode.

Whatever I do, this group (2 transmitters to 1 receiver) continues to drop off. Power cycling the remote transmitters brings back the connection but it will drop off again over and over.

Let me know if I can provide any additional details and any insight would be greatly appreciated.



Which NAC would you choose for this mixed environment?

Choice is between ISE and Clearpass only.

Wireless environment is 100% Aruba, switches are 100% Cisco, firewalls are Cisco. Neither of these vendors will be changing in the next 5 years.

Initial use case for NAC is wireless only, but intend to use it for wired in future. The current solution is Windows NPS for corporate and external provider for guest portal, both of which will be replaced by the selected system.

I know that both NACs are capable of servicing the other vendor's equipment well enough, but I'm looking for advice, recommendations or anecdotes that could help me decide which of these 2 NAC options to use in this scenario.

E.g. Would I be missing out on some magical Cisco tie-in to the ASA if I went with Clearpass? Would I suffer from lack of 3rd party integrations if I went with ISE?



Interviewing for an SE position, and the next round is with sales... what can I expect?

https://ift.tt/2SfHjI4

What type of power cord does a 3com superstack3 hub uses?

Hey guys, just a quick question. What type of power cord or power supply does a 3com superstack3 3c16470 hub use?

Thank you so much.



Where do Adblockers fall in the TCP/IP stack?

I was wondering how advertisement filters work in relation to the TCP/IP Stack? I am assuming they use an application gateway; so does the blocker inspect traffic and drop certain packets? How does it know what an advertisement is since they take many forms (unless it's by domain)? TIA
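
An added example, not part of the question above, that runs the same constructed requests through the three places an ad filter can sit: a DNS or hosts-file blocklist, which sees only the name being resolved and so can only block whole hosts; a URL filter (a proxy, or a browser extension's network hook), which sees the full URL and can match a path on a host that is otherwise needed; and a cosmetic filter, which sees the rendered page and hides elements, something only code running inside the browser can do. The rules use a small subset of the EasyList / Adblock Plus syntax and, like the hostnames, are constructed for this example; no real filter list or adblocker's code is reproduced.

```python
"""Added example: which filter layer can block which request (constructed rules and URLs)."""
from urllib.parse import urlsplit

# Constructed rules. `||host^` = host and its subdomains, `||host/path` = host plus
# path prefix, a bare string = substring of the URL, `domain##css` = hide elements.
DNS_BLOCKLIST = {"ads.example.net", "tracker.example.org"}
NETWORK_RULES = ["||ads.example.net^", "/banner/", "||cdn.example.com/promo/"]
COSMETIC_RULES = ["news.example.com##.sponsored", '##div[id^="ad-"]']


def host_matches(host, rule_host):
    """True when host is rule_host or a subdomain of it."""
    return host == rule_host or host.endswith("." + rule_host)


def dns_layer(url):
    """Would a resolver/hosts-file blocklist stop this? Only the hostname is visible."""
    host = urlsplit(url).hostname or ""
    return any(host_matches(host, blocked) for blocked in DNS_BLOCKLIST)


def network_layer(url):
    """Would a URL-pattern filter stop this? The whole URL is visible."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    for rule in NETWORK_RULES:
        if rule.startswith("||"):
            rule_host, _, rule_path = rule[2:].rstrip("^").partition("/")
            if host_matches(host, rule_host) and path.startswith("/" + rule_path):
                return True
        elif rule in url:
            return True
    return False


def cosmetic_layer(page_url, dom_selectors):
    """Return the selectors a cosmetic rule would hide on this page.
    dom_selectors stands in for the elements the rendered page actually contains."""
    host = urlsplit(page_url).hostname or ""
    hidden = []
    for rule in COSMETIC_RULES:
        scope, _, selector = rule.partition("##")
        if scope and not host_matches(host, scope):
            continue                       # rule is scoped to another site
        if selector in dom_selectors:
            hidden.append(selector)
    return hidden


def lowest_blocking_layer(url):
    """Name the lowest layer in the stack that can block this request, or None."""
    if dns_layer(url):
        return "dns"
    if network_layer(url):
        return "url"
    return None


if __name__ == "__main__":
    for u in ["https://ads.example.net/serve?id=1",
              "https://cdn.example.com/promo/banner.js",
              "https://cdn.example.com/lib/jquery.js"]:
        print(u, "->", lowest_blocking_layer(u))
    print(cosmetic_layer("https://news.example.com/story", [".sponsored", "p", 'div[id^="ad-"]']))
```

The CDN case is the one that answers the "unless it's by domain" part of the question: the DNS layer cannot block cdn.example.com/promo/ without also breaking cdn.example.com/lib/jquery.js, so a path-level rule needs something that sees the URL, and a native ad inside news.example.com's own HTML is not a separate request at all, so only the cosmetic layer in the browser can touch it. None of these layers inspects packets in the IP sense; the lowest one works on DNS names, the others on HTTP URLs and the DOM.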



Help configuring L3 switch into Comcast ENS

I have an L2 connection set up via the Comcast ENS service. It's supposed to resemble a large L2 full-mesh network.

I have inherited several sites working via this service and am pretty green as far as R&S goes.

I am trying to bring up a new site using an SFP port on a 3560 but I'm unsure how to configure the port. It's connected via the ENS but does not see any of the other connected devices.

I can get to the switch via SSH without issue.

Current configuration : 4017 bytes
!
! Last configuration change at 22:40:39 UTC Wed Nov 28 2018 by jadmin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname datacenter-CORESW1
!
boot-start-marker
boot-end-marker
!
enable secret 4
!
no aaa new-model
system mtu routing 1500
!
ip domain-name xxx.org
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
crypto pki trustpoint TP-self-signed-1543620224
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1543620224
 revocation-check none
 rsakeypair TP-self-signed-1543620224
!
crypto pki certificate chain TP-self-signed-1543620224
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
interface FastEthernet0
 no ip address
 shutdown
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
interface GigabitEthernet1/1
 description Comcast EDI
 switchport access vlan 888
!
interface GigabitEthernet1/2
!
interface GigabitEthernet1/3
 description Comcast ENS
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport priority extend trust
!
interface GigabitEthernet1/4
!
interface TenGigabitEthernet1/1
!
interface TenGigabitEthernet1/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan888
 ip address xx.xx.xx.234 255.255.255.248
!
ip default-gateway xx.xx.xx.233
!
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.233
ip route 0.0.0.0 0.0.0.0 Vlan888
!
line con 0
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
line vty 5 15
 no login
 transport input ssh
!
ntp server time.google.com
end
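
An added example, not from any of these posts, of a small running-config audit that picks up the patterns three of them touch on: the static routes in "Is there -any- logical reason for my ancestor to have done this?" (ten routes to the same next hop the default already uses, plus one that names an interface), the user-facing trunk ports in "Everyone gets a trunk port!", and the 3560 config above (a second default route out Vlan888, `ip http server`, and `no login` on vty 5 15). A static route whose next hop is a broadcast interface such as Vlan888 or FastEthernet0/0 makes the box ARP for every destination behind it, which only works if the neighbour answers proxy ARP; a specific route to the same next hop as the default adds nothing as long as the default stays where it is. SAMPLE_CONFIG is constructed, modelled on the 3560 config with the masked xx.xx.xx addresses replaced by documentation space 203.0.113.0/29 and a user-facing trunk port added; the audit itself reads any IOS-style `show running-config` text.

```python
"""Added example: flag interface-routes, redundant statics, open vty lines,
plaintext HTTP and unpruned trunks in an IOS running-config."""
import ipaddress
import re

SAMPLE_CONFIG = """\
hostname datacenter-CORESW1
ip http server
ip http secure-server
!
interface GigabitEthernet0/5
 description user PC
 switchport mode trunk
!
interface GigabitEthernet1/1
 description Comcast EDI
 switchport access vlan 888
!
interface GigabitEthernet1/3
 description Comcast ENS
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan888
 ip address 203.0.113.234 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 203.0.113.233
ip route 0.0.0.0 0.0.0.0 Vlan888
ip route 10.1.0.0 255.255.0.0 203.0.113.233
ip route 10.2.0.0 255.255.0.0 FastEthernet0/0
!
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 no login
 transport input ssh
"""

ROUTE = re.compile(r"^ip route (\S+) (\S+) (\S+)")
# Interface names that are broadcast media: a route pointed here needs proxy ARP.
BROADCAST_IF = re.compile(r"^(?:\w*Ethernet|Vlan|Port-channel)\d", re.I)


def blocks(config):
    """Yield (header, [indented sub-lines]) for each top-level stanza of the config."""
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] == " ":
            body.append(raw.strip())
            continue
        if header is not None:
            yield header, body
        header, body = raw.strip(), []
    if header is not None:
        yield header, body


def audit(config):
    """Return human-readable findings for one running-config."""
    findings, routes = [], []
    for header, body in blocks(config):
        m = ROUTE.match(header)
        if m:
            routes.append((ipaddress.ip_network(f"{m[1]}/{m[2]}"), m[3]))
        elif header == "ip http server":
            findings.append("global: plaintext HTTP management server enabled")
        elif header.startswith("interface "):
            name = header.split(" ", 1)[1]
            pruned = any(b.startswith("switchport trunk allowed vlan") for b in body)
            if "switchport mode trunk" in body and not pruned:
                findings.append(f"{name}: trunk with no allowed-vlan list, carries every VLAN")
        elif header.startswith("line vty") and "no login" in body:
            findings.append(f"{header}: no login configured on these lines")
    default_hops = {hop for net, hop in routes if net.prefixlen == 0}
    for net, hop in routes:
        if BROADCAST_IF.match(hop):
            findings.append(f"route {net} -> {hop}: exits a broadcast interface, relies on proxy ARP")
        elif net.prefixlen and hop in default_hops:
            findings.append(f"route {net} -> {hop}: redundant, default route already uses this next hop")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
```

Run against the sample it reports seven lines: the HTTP server, the two unpruned trunks (the ISP-facing Gi1/3 is expected to be a trunk, the user port is not), vty 5 15, the default out Vlan888, the 10.1.0.0/16 route that duplicates the default's next hop, and the 10.2.0.0/16 route out FastEthernet0/0. Whether each is a problem is a judgement call for the owner of the box, which is why the script reports rather than rewrites.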


Is BGP over vPC a good idea?

My team is required to make dynamic routing work between multiple data centers, and I am considering changing the static routes to BGP peering with our firewalls. Since the firewall HA pair is currently configured over vPC, I am wondering if peering BGP from the switch to the firewall over vPC is a good idea.

Design Choices:

1. RouterA --- BGP --- SwitchA --- BGP --- FWA
      |                   |
   RouterB --- BGP --- SwitchB --- BGP --- FWB

Everything is P2P L3 links and there is no vPC.

Pros:

a. No need to upgrade the switch.

b. We are confident the routing will work.

Cons:

a. Need to move the cables; the previous SwitchA to FWB and SwitchB to FWA cables need to change to SwitchA to FWA and SwitchB to FWB, since crisscross connections are no longer needed

b. According to Ciscolive 2016 BRKSEC-2020 Page 109, it is not a good design to minimize firewall failovers.

c. Only half of the ports are utilized

2. RouterA --- BGP over vPC --- SwitchA --- BGP over vPC --- FWA
      |    x                       |    x
   RouterB --- BGP over vPC --- SwitchB --- BGP over vPC --- FWB

Pros:

a. No need to change the cables

b. Good for firewall failover scenarios

c. Utilizes all ports

Cons:

a. Need to upgrade to Release 7

b. Not certain if BGP over vPC is a good idea. The OSPF over vPC post 8 days ago looks very scary.

3.    |------------------- BGP Multihop -------------------|
   RouterA --- vPC --- SwitchA --- vPC --- FWA
      |    x              |    x
   RouterB --- vPC --- SwitchB --- vPC --- FWB
      |------------------- BGP Multihop -------------------|

Pros:

a. No need to change the cables

b. No need to upgrade the switches.

c. Good for firewall failover scenarios

d. Utilizes all ports

Cons:

a. The servers connected directly to the switches might take more hops because the switch cannot make routing decision for certain traffic. Depending where the default route is pointed to, certain traffic will be routed to the router then back to the firewall.



Securing network with switch in shared rack

Evening all,

I have a predicament with how best to secure a switch in a 'shared' rack. The switch itself is in a locked cabinet which only we have access to, but the patch panels are in a shared rack with the other building tenant.

I have contemplated implementing either port-security or 802.1x along with shutting all unused ports, but cannot see a way past the following to limit access to our network:

Most wall ports are patched to the shared rack and we can configure port-security for the known MACs for these PC's into the switch. There is an uplink to another switch that goes through a patched port in the shared rack, this would mean I would have to configure all downstream MAC's on this port with port-security enabled. Is this correct and achievable?

If I was to pursue the 802.1x route the uplink to the other switch would be in a forced authorised state meaning that the uplink could be unplugged at the shared patching rack and unrestricted access to the network would be granted. What is the best practice for securing uplinks when using 802.1x?

This is not a position I would like to be in but currently have no choice due to a plethora of reasons out of my control and need to make the best of the situation. I'm also currently limited with the switches I have to use. I have some Netgear FS728TP v2's or some procurves. Personally I hate the Netgears and would never buy them myself unless for very basic distribution/access switches.

If anyone can offer some advice on best practices or can suggest a solution I would be most grateful!



Axis network camera occasionally showing up twice as an LLDP neighbor on one port

An Axis network camera connected to an IE 2000 switch is pinging. I cleared the counters on the interface and it is receiving input data, no errors, and never flapped. The camera is showing up as an lldp neighbor. Clearing the MAC address table, ARP table, and changing the speed and duplex settings did not help. I do not know the exact model of the camera and show lldp neighbors did not show any more info. The IP of the camera is 10.X.X.X. Note I changed the serial numbers in the MAC address, device names, and the IP for security reasons.

ie2000-switch#sh lldp neighbors
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID           Local Intf     Hold-time  Capability      Port ID
Switch 1            Fa1/1          120        B               Gi0
Axis Camera         Fa1/5          120        S               eth0
Axis Camera         Fa1/5          120        S               eth0

ie2000-switch#sh run int fa1/5
interface FastEthernet1/5
 description Sec-camera-1
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 no logging event link-status
 speed 100
 duplex half
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 priority-queue out
 storm-control broadcast level 5.00
 service-policy input HOST-INPUT-MARKING
end

The camera does show up when showing the arp table

ie2000-switch#sh ip arp | i accc.8eXX.XXXX
Internet  10.X.X.X          accc.8eXX.XXXX  ARPA   Vlan100

ie2000-switch#sh mac address-table | i 1/5
 100    00f1.caXX.XXXX    DYNAMIC     Fa1/5
 100    4036.5aXX.XXXX    DYNAMIC     Fa1/5
 100    accc.8eXX.XXXX    DYNAMIC     Fa1/5

A few minutes later entering in sh mac address-table and lldp neighbors on the interface displayed the following:

ie2000-switch#sh mac address-table | i 1/5
 100    00f1.caXX.XXXX    DYNAMIC     Fa1/5
 100    accc.8eXX.XXXX    DYNAMIC     Fa1/5

ie2000-switch#sh lldp neighbors
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID           Local Intf     Hold-time  Capability      Port ID
Switch 1            Fa1/1          120        B               Gi0
Axis Camera         Fa1/5          120        S               eth0

Earlier I set the interface to the default config and I was able to briefly ping the camera, though the problem recurred. I believe that the issue is related to the camera. What would the issue with the camera most likely involve? If it is the switch what would it most likely involve?



We're soon getting an EPL to connect our two sites. Need advice on a few things.

Good afternoon, fellas,

I'm sysadmin for a company with two offices. Both sites are currently running on a 100down/30up cable service (not ideal, I know), tunnelled via IPSec between the two sites.

We're upgrading, after the holiday, to an EPL 100Mbps between the two sites, along with a 100Mbps symmetrical fiber internet, and a secondary internet fiber at the second office for redundancy (so that if the head office goes down, the second office can continue working). Both sites have Sonicwall TZ500 firewalls.

I'm currently doing research on the best way to configure all this, and I have a few questions :

  • Anyone else had that same configuration? How did you handle it?

  • The EPL is point-to-point, so I guess like a single patch cord between the two firewalls, but should I still encrypt the traffic between the two?

  • Is there a specific way to go about routing the internet, whether through priority or metrics, so that if the head office firewall goes down, the remote office switches to the local internet link?

  • I've read on IPSec over GRE, should this apply in my case?

Thank you in advance for your help!



SD-WAN - What Has Your Experience Been Like?

We're looking into SD-WAN as a viable option and have been speaking with multiple vendors about their offerings. We're still scheduling meetings to see a few demos and I was curious to know what your take is on the whole thing. For us, we have a mandate by our regulatory body to have all WAN traffic encrypted so that is the main driver of this whole exercise. It was either this or purchase security licenses for all of our 50 ISRs and do VPNs that way. Obviously we wouldn't be taking advantage of the full feature set of "SD-WAN" up front but it would address the immediate need for encryption. Then down the road we can make use of things like "application based routing" and whatnot and throw in secondary cheap internet ckts. So my questions: What has your experience been like and do you have any success stories? Which vendor (there are so many!!!) did you go with?



Ordered a Bandwidth increase - ISP says that we need to provide a router

As our Internet usage needs have grown, we have finally convinced management of the need to increase our bandwidth and next month we will be increasing the bandwidth to 250Mb. (YAY!) We've purchased a new FortiGate 200E and have already started pre-configuring it to replace our existing firewall and we thought that we were ready to go BUT we received this message in an email from the $ISP$ Project Manager:

this bandwidth exceeds the capabilities of the router we have on site. If you are comfortable bypassing this yourself, I can complete your bandwidth upgrade as an office only rate shape. I would have my Technician recover the router when on site for the PRI migration. $ISP$ no longer supplies routers with our internet circuits.

$ISP$ has stated that we can rent a router from them for about $400/month.

My questions are:

  • Is it Best Practice to have a router in front of the firewall? Or can I integrate the routing functions into my firewall?
  • Is it common for ISPs to not provide a router to handoff to customer equipment anymore?
  • Should we just rent the router from $ISP$ for support purposes?

Thank you!



Cisco ASA issue

Hello all,

I started having issues with my ASA 5512-X yesterday. It seems to have started after I copied a HostScan image to the flash. Our monitoring software alerted that HTTPS was down on the ASA almost immediately after the file copied. It might have been a coincidence, I'm not sure. After that my ASDM session was not refreshing correctly so I closed it and tried to reconnect but I just get "Unable to launch device manager from <IP of ASA>"

The bigger issue is that now when I try to save the config I get an error stating:"The flash device is in use by another task." and I also get that error when trying to view the startup config and it also says "No Configuration"

I also get this when I browse to https://<ip of ASA>/admin:

The flash device is in use by another task.

The flash device is in use by another task.

HTTP/1.1 404 Not Found

Date: Tue, 27 Nov 2018 20:21:40 UTC

Connection: close

Content-Type: text/html

<HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY BGCOLOR=#FFFFFF><H1>404 Not Found</H1>The requested URL /admin/public/index.html was not found on this server. </BODY>

Everything else seems to be functioning properly. I've exhausted my online search for answers on this issue. It seems there has been only a handful of cases of this over the years. A lot of people have suggested it could be caused by other sessions viewing the configuration but using "show asp table socket" i only see my ssh session and the anyconnect clients.

I have not yet rebooted the device as I'm concerned that if it's not seeing the startup config it's not going to come back up properly. I opened a case with TAC but they have been slow so I just wanted to see if others have run into this issue.