Saturday, January 12, 2019

WISP Customer Isolation - Difficult/Costly?

How difficult is it for a large regional Wireless Internet Service Provider to isolate customers from one another? Would this require significant investment in additional infrastructure?

Ubiquiti equipment (dish, AP, backhaul). If a customer manually assigns themselves an IP, they can end up on another customer's private network (router, printer, smart TV, etc.), which poses a significant security issue.



Possible MTU issue with 4G LTE WAN connection. Websites load slowly or partially, but pings are fine.

Main problem: Pings to google.com and any internet address are fine. Websites load sporadically -- sometimes fully and instantly, sometimes partially, and sometimes not at all. Speedtest.net app results are great at times, and other times will fail the latency test.

My WAN connection is a 4G LTE connection using a Verizon Wireless Novatel 7730L hotspot tethered by USB to a GL-AR300M router with OpenWRT 18.06.0-rc1 r7090-d2aa3a1b62 installed. I have also tried using a different router, an Asus RT-AC1900P, with essentially the same experience.

I'm suspecting this might be an MTU issue.

In OpenWRT, I have changed the MTU for both the LAN and the Tethering interfaces to 1428. I have also enabled MSS clamping on both the LAN and WAN firewall zones.

I have used the mturoute.exe tool (found on another forum) to do tests to both Google and to my gateway. The result for Google says the path MTU is 1428, and for my gateway it says the path MTU is 1500.

Any ideas on what to check?



Router in Packet Tracer says I'm overlapping an address that I didn't input.

I'll keep it short. Working on a simple topology in Packet Tracer for review of CCNA 1. The network has a router on a /30 network (192.168.1.208-192.168.1.211), trying to assign the two available addresses to the gigabit ethernet ports. G 0/0 took address 192.168.1.209 fine; however, when I try to assign G 0/1 with 192.168.1.210 it says I'm overlapping with 192.168.1.208, which I don't get because I accounted for it to be the network address.

I feel like I'm missing something small here.



Multiple networks, one switch?

Ok, I have a dumb networking question. I think I really misunderstood a basic concept for a long time (since 2002/2003) and I want to make sure I understand it now.

I always thought that the default gateway of a device needed to be an interface on a router with an ip address in the same subnet as the device.

And for that reason, all the devices on a switch, as well as any switches connected to said switch, all needed to be on the same subnet. Like I couldn't, on one switch, have some devices on 192.168.2.0/24 and some on 192.168.3.0/24, with the switch connected to an interface on a router with IP address 10.30.86.1, and all the 192.168.x.x devices having their default GW set to 10.30.86.1.

That's what I thought...

And then I started a new job a month ago where DHCP is not used anywhere and their environment seems to be configured as described above. It confused the crap out of me. It actually continues to.

I think that the actual reason that I always saw one network per router interface was not what I had thought about gateways needing to be on the same network, but rather because every other network I have worked with used DHCP, which involves broadcast communications to function, and I don't think DHCP servers can have multi-network pools... how would it know that a device with a given MAC address requesting an IP address should be given an address in range 192.168.2.0/24 rather than 192.168.3.0/24? It just wouldn't work in a DHCP setup. But it can in a static environment.

Am I (now, finally) understanding this correctly?



Experience with NPM and APM vendors

I am looking for an NPM that can give in-depth knowledge and help with troubleshooting slowness complaints. Currently I do it through Wireshark, but this can be time consuming. I would like a product that can give network and application statistics such as delay, loss, etc., but also have the ability to dig into the packets and export as a pcap if needed.

I would like a centralized monitoring platform, but be able to get large appliances for the DC, and have cheaper/smaller appliances that can easily be deployed at remote sites. I also would like it to not require too much time for maintenance and be simple to configure/manage.

I am looking for opinions specifically on Viavi Observer and Savvius Omnipeek, but am open to others as well. I have seen ExtraHop and it looks good, but it was very expensive and seems like it would require a little more time than I have to manage it.



Is it possible to take output from a physical in-line network tap, and beam it across the WAN as ERSPAN?

Without the use of a specialized "packet broker" type of product?

I know I can plug the output port of a physical, in-line network tap into a switchport, and then configure that switchport to be a SPAN Source Interface, and configure ERSPAN to then route that SPAN input to a remote destination.

My question is: will it actually work?

After all, the frames being duplicated by that physical tap will have the original source/destination MAC addresses, 802.1q tags, as well as any inherent errors that may be present. Will the switch still wrap these up in their unadulterated form and send them packing across the ether as ERSPAN traffic, when the chosen action of the switch receiving them would be discard?

Just something I'm pondering.

Also, how do Ethernet timestamps work with ERSPAN in general? Obviously latency is introduced in sending those duplicated frames to a remote destination. When you look at the captured traffic, will the timestamps match the original packet, or will they match the new packets when they arrived at the packet broker?



This QOS design has me thinking and I could use some insight!

Hey everyone!

I am setting a standard for a QOS design for all our sites. Before I started, we had a vendor come in and do it for us, and while it's a good design, I think the table mapping portion has me a bit confused. From the best of my knowledge it allows you to change the values from 0 to 8 (IP Precedence to DSCP values) to, I believe, change the way the data is prioritized (unfortunately I've looked for details on the table mapping for QOS and Cisco's white papers are meh). We only do QOS at the layer 2 portion of our network, so the core doesn't even do anything in terms of IP Precedence or DSCP (cores are 6800s). Can someone elaborate on this?

Also, it got me thinking of a conversation I once had with my architect (2x CCIE, CCDE) who did our entire data center design at my last place, and he made an interesting point when I asked him why we don't run QOS exclusively. His reasoning was that physical links and switches are getting better at handling larger bandwidth (10G, 40G, etc.), so his solution was to not do QOS but to add more port density (example: 9Ks handle 40Gs, which will allow for a bigger backbone, and the 9Ks are capable of supporting it in terms of the data/control planes). What are your guys' thoughts on this? I know that most campus networks (like ours) usually have 10GB ports for basic Catalyst switches, so I can understand how that can apply to a data center with upwards of 100 Gig backbones (very unlikely to ever have that in a campus network at a cost-efficient rate right now). Let me know; I am willing to hear some opinions on this.



Simple Router With Dual WAN Failover for Restaurant

We have a restaurant with... unreliable... internet. This leaves us without a way to view cameras remotely or, more importantly, to process credit cards, etc.

I need something pretty simple, maybe one with minimal ports or one with 4-8 ports. Something small and reliable.

Is there such a beast? Thanks!



Feedback on our Ubiquiti Setup and Advice [Update]

Original Post: https://www.reddit.com/r/networking/comments/9w02aw/feedback_on_our_ubiquity_setup_and_advice/

The network is rock solid now. Customer service and sales successfully are taking live calls on WiFi, and people constantly comment on how solid the wireless network is.

I placed all APs on a map of the office I uploaded in Unifi. In the map, I made sure the APs were as accurately placed as possible.

Then I used the auto scan feature on all channels at 20 MHz channel width. Then I fine-tuned signal strength to ensure wireless interference and overlap were minimal.

After this, all APs had -75 RSSI in cell site tuning and airtime fairness enabled. This is basically a hard fail if a device's signal quality drops below -75.

If this happens, the device is forced to connect to another AP. Airtime fairness prevents a device that's having a bad connection from constantly reconnecting and transmitting to an AP. Before I did this, the one or two devices having issues would hammer APs, causing WiFi performance to be poor for everyone.

I currently have ~800 devices on the wireless network at any one time, and WiFi is rock solid.

Even when we have company wide meetings in conference halls, WiFi is rock solid.

I'm updating everyone after 1 1/2 of my changes to make sure everything is working properly.



Does "PA-VM-50-LAB" still exist? I am trying to order it and my VAR is saying the lowest LAB SKU is "PA-VM-100-BND-LAB4".

Tried ordering PA-VM-50-LAB; VAR is saying the lowest LAB SKU is PAN-VM-100-VND-LAB4.

If you are a VAR and you can sell me a PA-VM-50-LAB license (I'm in Canada), PM me and I'll buy it.

I'm just looking to lab out some scenarios between PA and Windows Server 2019 for a PoC.



How to create VLANs / Segment this network with Cisco SG-200

My boss put me in charge of leading an infrastructure rebuild/relocation for a small company, but it was slightly above my experience level.

The only thing I did wrong is put POS systems and everything else all in the same network because I wasn't aware that to be PCI DSS Compliant all POS traffic must be segmented away from user devices. He left me on site with someone who barely knows the difference between DHCP and DNS. And then when I was asking for help on how to create the VLANs on an SG200 and get it all to work on separate networks, he got mad and told me it's a "very simple task" but couldn't explain how to do it.

Anyway, I have attached pictures of the original topology and the new one, and wondering what I need to do to separate the POS systems from the user devices. In the "new topology" picture, the devices outlined in red boxes are what I need to separate from everything else.

If I run another line to Building B, I can just bring that TP-Link back into the picture and do it the same way it was before. But the same boss told me not to run a new line to Building B, just recover the existing line and use it as an uplink. That's when I realized that to do that, I needed to eliminate the TP-Link router because there wouldn't be a way to connect that other POS device to it and still power the AP in Building B. He says the SG-200 is an L3 switch but I don't think it is. And I'm almost certain the 8-port is not an L3 switch, but he said that didn't matter; it would just send the traffic to the SG and the SG would handle routing it? Huh?

I hate the SG switches. I feel like I would have had better luck creating VLANs with a switch that had CLI. Couldn't figure out how to join ports to VLANs and create the trunks to allow traffic on both VLANs from building B. Really frustrated me but I'm glad he trusts me and allows me to lead projects. But from these diagrams you can see it's not "very simple". Hence why he couldn't explain over the phone how exactly to do it. I know this is small stuff compared to what some of you guys do, but any help is appreciated.

OLD TOPOLOGY:

https://imgur.com/ilaKUe5

NEW TOPOLOGY:

https://imgur.com/B9McKpj

Again, the devices outlined by red boxes are what need to be segregated, as they are touch screen POS devices. Is it possible to do this with the equipment mentioned? The 8-port is some small Cisco w/ PoE offering, not even sure if it's managed.

EDIT: The 8 port is an SG-110 (8) which is UNMANAGED

The router is Cisco DPC3941B and I'm investigating now whether it can accomplish my task.



Getting close to finishing a project...

I am building a virtual network for a company (just a project for learning, not actually working for anyone) that houses a headquarters and 2 separate branches with slightly different parameters. I just finished configuring the headquarters and am about to start working on branch 1. I just wanted to show someone how far I have gotten, and I am excited to break into my new career! Learning has been tons of fun and very tough at the same time. I am looking forward to more! I plan to start off with my ICND1 and ICND2 for my CCNA R&S certification this Spring/Summer. Take a look at my build so far and if you like it please upvote and leave comments! Thanks!!!

https://ibb.co/Mp6sNRw (on ImgBB because I couldn't upload the screenshot directly)



Help connecting 2 PCs

I am trying to connect two PCs so I can use Synergy to operate them both with one mouse and keyboard.

One PC is connected to my home internet router via ethernet cable, and the other is connected only to my NAS via an ethernet cable.

Both PCs only have 1 ethernet port, so I bought USB adapters to create more ethernet ports. The cable looks like this when assembled.

http://imgur.com/gallery/WFazk8G

Will this work, or am I retarded? I know two PCI ethernet adapters would have been better, I just don't want to spend that much money.

I also want to keep the secondary PC offline, hence the need for a 2nd network between the two PCs.

PLEASE ADVISE WILL UPVOTE, MUCH SUPPORT VERY PROBLEM.



Just been switched to Salary, any pitfalls?

My org is a small rural ILEC/CLEC provider. Basically everyone in our network operations group has been swapped from an hourly to a salary position, being classified exempt under "computer employee". They "averaged out" what the overtime pay has been on top of hourly, citing "making it easier to hire people, saying one salary pay rate will help greatly". Overall, everyone is making less than last year, with about a ~5k variance.

Being switched from hourly to salary, I'm not seeing the benefit to me as an employee now, other than this basically ensuring I'm going from my 8-5 work schedule and ensuring I take my hour lunch to maximize my pay rate for 40 hours. No changes to our PTO structure, no "well, if your work is done then the day is over". We're also a 24/7 shop with an on-call rotation still for practically every department involved in this change.

What has been your guys' perception of going salary, either knowingly into a new job or being switched over? This is new to all of us non-managers, and we all feel like we're effectively getting ripped off.



Q: Ping test question?

Hi, does the number of pings vary? I'm dealing with a customer that has a packet loss issue (1-4 drops); the thing is they always ping @ 12k with a size of 1500 on P2P verification.

I'm thinking that this high number of requests is causing the drops, since ICMP packets might not be prioritized by their router, and they still insist that it's a link issue. Another thing is that from my end I tried pinging 12k with 1500, same parameters, and the result is good and I'm not seeing any packet drops. 100% successful.

TOPOLOGY:

ASR9k CUSTOMER ----Localloop provider ---- ME(ASR)

I'm still checking tech docs so I can show them, but just asking... and how to handle this kind of customer lol.

Thanks in advance.



Do I have to prune DHCP snooping tables or any other stuff from syslog servers or network equipment to comply with a GDPR request to forget someone?

I'm not really sure how far you're legally required to go to comply in regards to networking. I can understand the info kept on the webservers but what about everything else that caches uniquely identifiable information?



Dual network ap

I have an access point and was wondering if I could have it broadcast two networks on two different IDs. As in network 1 broadcasts on "net1" and network 2 broadcasts on "net2". My main issue is that my access point only has one Ethernet port on it. I was wondering if I could send it both networks in as a trunk and have it broadcast both? I don't need this to be too effective, just somewhat stable. Also I was going to flash the AP with either DD-WRT or OpenWRT as I'm positive the horrible Linksys portal can't do it. For more information I have a Netgear switch and a WAP54G access point (I know it's old and not the best).



WS-C6509-E and per-VRF BGP router-id (IPv6)

Basically, how (and if) is it possible to define a BGP router-id under address-family ipv6 vrf?

At first I thought the address-family ipv6 vrf BGP would use the lowest loopback/IP from its own VRF (ipv4 family).

But apparently it's using the router-id from the global table?

Also, it doesn't seem to be possible to configure a router-id under address-family ipv6.

VSS1(config-router)#address-family ipv4 vrf VPNA
VSS1(config-router-af)#bgp ?
  aggregate-timer        Configure Aggregation Timer
  dampening              Enable route-flap dampening
  redistribute-internal  Allow redistribution of iBGP into IGPs (dangerous)
  router-id              Router identifier configuration
  suppress-inactive      Suppress routes that are not in the routing table
VSS1(config-router-af)#exit
VSS1(config-router)#address-family ipv6 vrf VPNB
VSS1(config-router-af)#bgp ?
  aggregate-timer        Configure Aggregation Timer
  dampening              Enable route-flap dampening
  redistribute-internal  Allow redistribution of iBGP into IGPs (dangerous)

IOS 12.2(17r)SX7 is the version in question.



Switch login and port security - RADIUS and dot1x auth

I will try to explain what I am doing the best I can.

I will be setting up network security for a client and I am using one of my switches to test the setup. It is an older FWS648.

I have set up the RADIUS and dot1x settings and have a Windows Server 2012 R2 as the RADIUS server.

I have two policies set up; one to authenticate users managing the switch and one to handle the port security.

The policy to authenticate users has the Condition: User group equals "SwitchAccess"

The policy for port security has the Condition: User group equals "Users". Once a computer and user are authenticated, the port automatically gets put in the correct VLAN.

The issue I am having is I cannot get both policies to work at the same time. If I have the switch access policy at the top of the order, I can authenticate to the switch just fine. But then if I try to authenticate a computer, the RADIUS server just states that the user is not part of the SwitchAccess group and denies access. It never checks the next policy.

Vice versa, the same thing happens if I switch the order of the policies. The computer will authenticate and the port will move to the correct VLAN, but then I cannot log into the switch.

Any ideas? Do I need multiple RADIUS servers configured to achieve this?

Thanks!



Low cost L2 switch with Dual PSU

Hey all,

Looking for some recommendations on a managed switch with dual power supply and SFP ports.

I’m getting a single mode fiber handoff from a fiber provider and looking for a good media converter to get me to RJ45 as well as provide some basic port monitoring/statistics.

I’d rather not buy an entire Cisco 2960x (what we regularly use in our facilities) if I don’t have to for this use case. I realize that the ask for dual PSU immediately eliminates a lot of lower end switches. Open to suggestions and advice!

Thanks!



Cisco Firepower Remote access VPN - Split DNS

Hi. I configured Remote Access VPN on my Cisco FTD 6.2.2. At first I created a VPN profile with the standalone VPN Profile Editor on my PC and saved it. Then on the FTD I set up the split tunnel config like this:

Group Policy > General tab > DNS/Wins ==========> Primary DNS =my internal DNS server

Group Policy > General tab > DNS/Wins ==========> Secondary DNS =a public DNS Server

Group Policy > General tab > Default Domain ===========> xinmix.test

Group Policy > General tab > Split Tunneling > IPv4 Split Tunneling =======> Tunnel Networks Specified Below

Group Policy > General tab > Split Tunneling > Split Tunnel Network List Type ======> my internal Addresses

Group Policy > General tab > Split Tunneling > DNS Request Split Tunneling > Send Only Specified Domains ==> xinmix.test

But on my PC, all of the DNS requests are sent to my internal DNS server at the office. How can I edit the settings to redirect my public DNS requests to the Internet through my local internet connection at home?



Ekahau and Airmagnet

We currently use Airmagnet but are migrating over to Ekahau (finally) but in a gradual phase in. Has anyone come across any issues with having both on the same laptop? I will need to use both for a while based on different customers.

Cheers



QSFP+ and SFP question

Ok, this is a weird question and I'll probably get some flak for this, but is there any real proof that an SFP (1000BASE) transceiver cannot be at the end of a QSFP+ breakout? AFAIK QSA type adapters are just splitters that leave the other 3 out, as evidenced by how they are configured in the CLI as a breakout. Yet they support older SFP transceivers just fine. Is there something I'm missing here?

What I'm trying to experiment with at the moment:

QSFP+ LR4 -> MTP -> 4x SFP LX



Retrieve ARP table from 250 switches

Hi,

I need to retrieve the ARP table from ~250 HPE 1910 switches. I would, obviously, like to automate this task.

All switches are SSH enabled, and I run the following commands to obtain the ARP table:

<enter password>
_cmdline-mode on
<y>
<password>
display arp

I thought I could write a PowerShell script but I have no idea where to start. Any clues?

Or maybe there is another way to do that?

Thank you
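One way to approach the collection, as an added example that is not part of the post (Python with paramiko instead of PowerShell): the SSH function replays the interactive sequence above, the parser turns `display arp` output into records, and a final check flags MACs that show up with more than one IP across switches. The Comware column layout, the `screen-length disable` command, the host addresses and the credential variables are all assumptions; the sample output is constructed.

```python
import os
import re
import time
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample "display arp" output from two HPE 1910 (Comware) switches.
# The column layout is assumed from Comware 5; adjust ARP_LINE if your firmware differs.
SAMPLE_SW1 = """\
  Type: S-Static   D-Dynamic
IP Address      MAC Address    VLAN ID Interface               Aging Type
192.168.10.1    0011-2233-4455 10      GigabitEthernet1/0/1    20    D
192.168.10.50   0011-2233-aabb 10      GigabitEthernet1/0/5    18    D
192.168.20.7    000c-29de-adbe 20      GigabitEthernet1/0/9    N/A   S
"""
SAMPLE_SW2 = """\
  Type: S-Static   D-Dynamic
IP Address      MAC Address    VLAN ID Interface               Aging Type
192.168.10.99   0011-2233-4455 10      GigabitEthernet1/0/2    5     D
"""

ARP_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(?P<vlan>\d+)\s+(?P<iface>\S+)\s+(?P<aging>\S+)\s+(?P<type>[sd])\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ArpEntry:
    switch: str
    ip: str
    mac: str          # normalised to aa:bb:cc:dd:ee:ff
    vlan: int
    interface: str
    static: bool


def normalise_mac(comware_mac: str) -> str:
    """Turn Comware's 0011-2233-4455 form into 00:11:22:33:44:55."""
    digits = comware_mac.replace("-", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_display_arp(switch: str, text: str) -> List[ArpEntry]:
    """Extract ARP rows; header, legend, prompt echo and '---- More ----' lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append(ArpEntry(switch, m["ip"], normalise_mac(m["mac"]),
                                    int(m["vlan"]), m["iface"], m["type"].upper() == "S"))
    return entries


def ips_per_mac(entries: List[ArpEntry]) -> Dict[str, Set[str]]:
    """MACs seen with more than one IP across the collected tables: an address
    conflict, a host that moved, or something answering for IPs it should not."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for e in entries:
        seen[e.mac].add(e.ip)
    return {mac: ips for mac, ips in seen.items() if len(ips) > 1}


def fetch_display_arp(host: str, user: str, password: str,
                      cmdline_password: str, wait: float = 1.5) -> str:
    """Replay the interactive sequence from the post over an SSH shell channel.
    paramiko is imported here so the parser above works without it installed."""
    import paramiko
    client = paramiko.SSHClient()
    client.load_system_host_keys()                        # trust only pre-recorded switch keys
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    client.connect(host, username=user, password=password, timeout=10,
                   look_for_keys=False, allow_agent=False)
    shell = client.invoke_shell()
    steps = [
        "_cmdline-mode on",       # the 1910 asks to confirm, then for the cmdline password
        "y",
        cmdline_password,
        "screen-length disable",  # assumed: stops paging so the whole table arrives
        "display arp",
    ]
    output = ""
    try:
        for step in steps:
            shell.send(step + "\n")
            time.sleep(wait)
            while shell.recv_ready():
                output += shell.recv(65535).decode("ascii", errors="replace")
    finally:
        client.close()
    return output


if __name__ == "__main__":
    # Placeholders: put real values in the environment, never in the script.
    user = os.environ.get("SWITCH_USER", "admin")
    pw = os.environ.get("SWITCH_PASS", "")
    cmdline_pw = os.environ.get("SWITCH_CMDLINE_PASS", "")
    all_entries: List[ArpEntry] = []
    for host in ("192.0.2.11", "192.0.2.12"):            # example addresses; use your switch list
        all_entries += parse_display_arp(host, fetch_display_arp(host, user, pw, cmdline_pw))
    for e in all_entries:
        print(f"{e.switch:15} {e.ip:15} {e.mac} vlan {e.vlan:<4} {e.interface}")
    print("MACs with multiple IPs:", ips_per_mac(all_entries))
```

Record each switch's host key in known_hosts once (the RejectPolicy above refuses unknown keys), and run the sweep from a host that has no other reason to hold the switch credentials.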






Friday, January 11, 2019

Small Business Networking - Self Taught IT Slave needs help

Little backstory. Our family runs a small business. At one time the business was at 250 employees. Now it is at around 20. The network infrastructure is still there. All HP ProCurves. My question is: is it worth my time/effort/money to try to upgrade the network to something like SDN Ubiquiti UniFi switches or something of the like? I learned the ProCurve CLI language enough to set up VLANs and get them to inter-VLAN route and tag and untag ports and such, but I feel like I am chasing a dragon trying to make sure everything is set up correctly and maintained. SDN just seems so effortless and easy to maintain. Any thoughts?



The Case Against Captive Portal

Sorry for the clickbait title. I don't have a case against captive portals, but I'm looking to build one. I've always heard anecdotally that captive portals are not worth the hassle for end users or the lack of legal protection they provide. I'm acutely aware of the hassle they cause end users, but cannot find any evidence that they are legally ineffective.

My Google-fu isn’t working here. Any lawyers hang around here who can share an opinion?



Verizon Fios Gigabit Install Goes Wrong

Verizon Fios came today to install gigabit internet only, on their GPON network. They ran their pre-made fiber drop from the pole into the office, and in the process of doing so, the fiber, right after the connector on the office end, was smashed and broken. They had a special tech come out and they did a nice splice in the field, put it all neatly in a box, and used a fiber patch cable to go from box to ONT. They activated the ONT, tested ethernet direct from ONT to my laptop and we are only getting 100Mbps down and up, not 940/840.... The tech double checked the light readings on the line just in case something weird was with the splice; the line checks out fine. He checked his tech tablet and it confirmed we have gigabit service active.... We tried a new ONT, we tried the ONT with their Fios gateway router, we tried it with my MikroTik CCR. Nothing would get this connection to work faster than 100-150Mbps down and up.

The tech called in to what I am guessing is the NOC or backend tech support. They ran a "speed test" from their end and claimed they are seeing gigabit from their end to ONT/router. The tech initiated a speed test on his tech tablet which tests from their end to ONT/router, it also reports gigabit. But if we plug tech's tablet or my laptop or my router or their router into ONT, actual devices can't get more than 100-150. So I think their "speed test" from NOC is total BS.

Tech decides the only other issue could be bad fiber drop. He runs an entire new drop from pole into office, spends an hour doing it, making sure of no damage at all this time. Same results as above. Clearly it is now on Verizon's backend of the network, but tech says NOC refuses claiming it "works" on their end.

Anyone have any ideas what could possibly be wrong here? Bad passive splitter on the pole? Bad switches in nearest terminal?



IS-IS adjacencies stuck initializing

Hey all, I'm having a strange issue here with a site not establishing an IS-IS adjacency.

We have an almost all private MPLS network running IS-IS. We have a few sites that are remote and we got a mesh circuit set up from a provider. One site we added to the circuit is not getting routes or adjacency with the rest of the sites on the circuit. The config is correct as it's the same template as the other sites. We are running the Nokia 7705 platform.

When showing adjacency on the problem site, it sees the other sites in the mesh but they are all in the initializing state. The other sites in the mesh do not see the new site in their adjacency tables. The logs show LDP sessions are in service and show the adjacent nodes begin initializing, but that's it. I've had the carrier (well, 3 carriers total after all their hand-offs) verify the MTU and they say it is correct. They say they see traffic in both directions but very little. The end carrier had the VLAN encapsulation wrong at first and I didn't see anything in our adjacency table. When they fixed the encapsulation the adjacencies appeared in the init state. The port is discarding packets but I'm not sure why.

The port on our router is a hybrid port tagged 2001 with dot1q encap and an MTU of 1576.

I've tried moving from an SFP port with a copper connection to a straight copper port and configured that port, and it didn't change. The end carrier equipment is a Zhone device that looks like a junk residential device, which is different from the usual RAD equipment provided at the other sites... they are convinced the issue is on my end now. I'm no expert so I'm looking for some things to look at. Thanks



Read-only Friday turns into "Wild Goose Chase" Friday

So, this morning, I came into work expecting it to be like any other Friday: slow, dull, and annoyingly quiet. By 10AM, the day seemed to be progressing in this very way. Then the phone rang....

PT: My wireless keeps dropping on both my phone and my computer. It'll go away, and come back

Me: Alright, is anyone else in your area experiencing the same thing?

PT: Let me check.... Yep, four others within 20 feet of me.

Me: Alright, let me check a few things. I'll call you back, or stop by.

Pull up my wireless controllers, and all APs are showing online and active. Uptimes indicate they're not rebooting.

*phone rings*

DR: My wireless keeps dropping... blah blah blah

Me: Anyone else around... blah blah blah

DR: Yep all the staff on this unit

Me: Ok, I'll look into it and let you know

PT's department and DR's department (PT = Physical Therapist; DR = Doctor) are on different floors, on opposite ends of the building. Their APs report to separate controllers. Alright... Now I'm starting to really scratch my head. Grab my heat mapping tool and laptop, go over by PT's area. Stand there for a while, and watch the 2.4GHz band just vanish. 5GHz is still strong, but 2.4 is just gone. A few seconds later, it comes back.

Go up to DR's area. Same thing. Exact same behavior. Start actively monitoring the Tx power levels on the APs from the controller. Refresh, refresh, refresh. Boom, there it is on Controller A: APs in that area on 2.4GHz, Tx power drops to minimum, then comes back up. Look at Controller B: same thing, seemingly at random. Look at other areas of the facility. Seeing random activity of the same nature scattered across both controllers, but not in any traceable pattern. Look around, and the only common thread is it appears to primarily affect APs closest to the perimeter of the building. However, it's not happening to the APs on the same side of the building, on separate floors, simultaneously.

Headscratching continues.... Kept monitoring for about 3-4 hours. Suddenly, it just stops happening. Haven't had a Tx fluctuation in over 30 minutes. I'm at a loss. We're in close proximity to a military base. "Would you like to play a game?"



How would you track down latency jitter?

I'm currently in a finger pointing match with another ISP. Let's call them Jitternet. We're seeing extreme levels of out-of-order UDP packets, which are just dropped by our application and are essentially lost packets. The nature of the application prevents doing any kind of jitter buffer and we just have to take the data as it arrives. I would have thought providing the data that the 5 other major ISPs we peer with at the same location do not show this problem would have been sufficient to prove the issue isn't on our side, but Jitternet disagrees. We also peer with Jitternet at a secondary location, and clients behind that peering show much better performance.

What testing could I run that would track down the source of latency jitter on UDP streams? MTRs don't seem to show any problem because the issue only seems to arise when a small burst of data is transmitted (5KB in a few ms), not on smooth data streams.



I am unable to print on a local LAN printer when connected to Cisco AnyConnect VPN but able to print when not connected to VPN

I am unable to print from any application or ping the local LAN printer when connected to Cisco AnyConnect VPN. But when I disconnect from AnyConnect, I am able to print and ping. I think split tunneling is enabled. The route print output for the printer/PC subnet is different when connected to VPN and when not connected to VPN. So would Cisco AnyConnect be interfering, and what is the solution?



Redundant trunked up-link ports between two switches.

Hi,

I have a redundant up-link port between two switches. The ports are trunked.

- Port 48 - copper link

- Port 47 - wireless bridge

I am trying to have it so if the copper link goes down the wireless bridge would kick in.

The question is:

- Is spanning tree the only way to have redundant links properly fail-over?

- If so, how can I manually choose which port is primary/secondary?

- The switches I am using are Ruckus.

I have spanning tree enabled. Below are the spanning tree details of both links currently plugged in.

Port 1/1/47 is FORWARDING

Port - Path cost: 4, Priority: 128, Root: 0x8000609c9ffdf1dc

Designated - Bridge: 0x8000609c9ffdf1dc, Interface: 46, Path cost: 0

Active Timers - Hold: 0

BPDUs - Sent: 473, Received: 2

Port 1/1/48 is FORWARDING

Port - Path cost: 4, Priority: 128, Root: 0x8000609c9ffdf1dc

Designated - Bridge: 0x8000609c9ffdf1dc, Interface: 47, Path cost: 0

Active Timers - Hold: 0

BPDUs - Sent: 932, Received: 2



Q: About jitter troubleshooting?

Hi, just want to ask what your methods are for troubleshooting or resolving jitter on your network, especially for those who have worked in a telco?

Let's say you have a network with long-haul connections to different countries and I want to troubleshoot and resolve the high jitter?

Simple topology:

PE1-(country1)(country2)--PE1

Troubleshooting:

1. Hop-by-hop ping and compare the avg/max RTT.

2. Create an IP SLA jitter probe and responder.

Conducted solution:
1. Create a TE tunnel to lessen the delay/jitter
2. Prioritize the packets from PE1 to PE2

Any idea?

Thanks
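Step 1 of the troubleshooting list above, written out as an added Python example (not from the post): take the ping RTT samples collected hop by hop from PE1, compute avg/max and a jitter figure per hop, and report the first hop where the jitter jumps, which is where the long-haul segment starts to look suspect. The hop names and RTT samples are constructed.

```python
"""Hop-by-hop RTT comparison: per-hop avg/max/jitter and the first hop
where jitter rises sharply.  Hop names and samples below are constructed."""
from statistics import mean

# Constructed samples (ms): successive pings from PE1 to each hop on the path.
HOP_RTTS = {
    "PE1 -> P-core (country1)": [10, 10, 11, 10, 10],
    "PE1 -> border (country1)": [40, 41, 40, 40, 41],
    "PE1 -> PE2 (country2)":    [120, 160, 118, 175, 121],
}


def rtt_stats(samples):
    """Average, max and jitter for one hop.

    Jitter here is the mean absolute difference between consecutive RTTs,
    which is what a quick look at a ping series gives you before an IP SLA
    jitter operation is in place.
    """
    if len(samples) < 2:
        raise ValueError("need at least two samples to measure jitter")
    deltas = [abs(cur - prev) for prev, cur in zip(samples, samples[1:])]
    return {"avg": mean(samples), "max": max(samples), "jitter": mean(deltas)}


def per_hop_stats(hop_rtts):
    """[(hop name, stats dict), ...] in path order."""
    return [(hop, rtt_stats(samples)) for hop, samples in hop_rtts.items()]


def first_bad_hop(hop_rtts, jitter_step_ms=5.0):
    """Name of the first hop whose jitter rises by more than jitter_step_ms
    over the previous hop, or None if jitter stays flat along the path."""
    previous_jitter = 0.0
    for hop, stats in per_hop_stats(hop_rtts):
        if stats["jitter"] - previous_jitter > jitter_step_ms:
            return hop
        previous_jitter = stats["jitter"]
    return None


if __name__ == "__main__":
    print(f"{'hop':28} {'avg':>7} {'max':>5} {'jitter':>7}")
    for hop, stats in per_hop_stats(HOP_RTTS):
        print(f"{hop:28} {stats['avg']:7.1f} {stats['max']:5d} {stats['jitter']:7.2f}")
    print("jitter first jumps at:", first_bad_hop(HOP_RTTS))
```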



(Question in post body) Trying to understand potential attack vectors stemming from connection between members in a member-based ISP network

A friend of mine works at a school that is part of a member/community based ISP and I am trying to understand the security risks that could stem from it. My main curiosity has to do with the connectivity between different schools on the network.

I'll share the information that he provided and try to get this to make sense:

  1. The ISP provides access to the Internet using ring topology

  2. There are several different organizations (I think just schools) that are part of this state-wide community that are, as they describe, "on the same network 'loop' built by that provider."

  3. Traffic between the members is not on the public Internet.

  4. The members do not share public IP space and maintain their own firewalls and VPNs.

  5. I believe the primary purpose for them using this is to essentially function as a National Research & Education Network.

My question is, could one member be a risk to another member if they experienced a breach or malware that spread over the network? (Example: say School A has a virus that is spread over the network; wouldn't it just be able to move to School B or School C, which are part of the same network?) When he brought this up to me it seemed like it could be a huge risk area and it got me thinking.



Gap between network bandwidth trends and CPU bandwidth trends

Do you guys know of any work in the literature which talks about the difference in trends of increasing network bandwidth and increasing CPU bandwidth over the years and compares the rates at which this bandwidth is increasing?



Outside DNS/Firewall issues

I am not a networking professional, but I am assisting our network admin. What are the best ways to troubleshoot public DNS and ISP routing issues? We are a small school district and during our break our outside DNS crashed, causing issues with some of our online portals. Our firewall (sonic) support suggested a few changes to our outside DNS server and things started working on the portals. But now our access to most of our educational secure sites is timing out and/or getting DNS errors. What are best practices on how to troubleshoot these types of issues? Thanks...



Aerohive SNMP

I have my APs on HiveManager NG. Does anyone know a way to enable SNMP on eth0 without having to create a Device Template? I've created an SNMP server and enabled it under filters, but assigning/allowing SNMP on the interface is what I'm looking to do. With HiveManager Classic the change could be done from within the filters section: select the interface and allow SNMP. On NG I can't seem to find it other than creating a Device Template.



Cisco ISE Deployment Guides?

Hey guys. We just purchased Cisco ISE at my company and have been kind of left dead in the water in terms of resources for deployment.

I was wondering if anyone here had any useful resources, documentation or advice even that would be much appreciated.

We’re currently trying to bring up the RADIUS capabilities and run a node scan leveraging active directory to ID and start monitoring a test group.



switch status / redundancy / active / standby

I'm used to single switch "stacks" when I deploy. That is not what is currently happening.

We're putting out 2-5 switch stacks, and one thing is seriously bothering me. I come from the cable world where something in "standby" means it's literally "off" but it's hot and ready to go at a moment's notice.

I'm looking at show switch detail for a 3650 stack.

Switch#  Role     Mac Address     Priority  Version  State
------------------------------------------------------------
*1       Active   1234.5678.9101  1         V02      Ready
 2       Standby  2345.6789.1011  1         V02      Ready

         Stack Port Status        Neighbors
Switch#  Port 1   Port 2          Port 1   Port 2
--------------------------------------------------------
  1      OK       OK              2        2

To me this says that switch 2 is not going to be able to be active in tandem with switch 1. This is being built as a non-redundant system. (but with redundant links).

Am I overthinking this? Cisco documentation is shit.



How should I have these switches

Hi all,

I have a large deployment network at work and we could be imaging anywhere between 500 - 900 systems a week. So this deployment network gets hammered (We are a system integrator).

I took over the role around 2 years ago and I'm trying to improve things for reliability etc etc...

I've been looking at the switches and trying to figure out the best way to have them configured in order to have the best performance and reliability. We have around 20 switches.

Am I right in thinking it's best to have one of these switches as a 'master switch' and then have the 19 switches that go to various ports around the building all link into this one switch. At the moment the switches are daisy chained into each other before eventually plugging into a switch where the router and servers are plugged in.

If I configure the switches this way, would it give me better performance but potentially give me an issue of the master switch dying one day (as hardware can)? Though it can easily be replaced.

How would you do this? The business has grown massively and I want to make sure that I offer the best reliability and performance possible.



What Programs / Apps are you using?

Hey guys, I will make this short as I know we all have wayyy too much stuff to do.

I was just put in the lead of a small team that does a ton of cabling (CAT/Fiber/RG6) to set up business networks. I have been tasked with planning out each job site either by hand or digitally. I wanted to know what you guys are using for mapping these kinds of jobs out. End game being I want to be able to hand these guys a layout of runs that is rather simple to put together but super simple for these guys to read.

This may be a little dumbed down from what you guys are used to; hey, I'm trying :)

Thanks in advance



SSH program

I currently use SecureCRT and it's fine. I don't really have real complaints, but maybe there is something better out there.
I need a program that is multi-OS platform (OSX/Windows/Linux or ChromeOS).

The ONLY thing that would make me stupidly happy is if it asked for my creds when I first opened the program rather than every time I open each session.



Campus Networking

Hello,

Our previous network manager didn't really understand networks and now he has left I'm trying to improve our network.

Everything is connected to switches, just daisy chained. Some switches have 5-6 hops to get back to the router. All I know is that this is bad because you've got 5-6 switches of traffic at the end hop.

I just want to understand how we can connect them more efficiently. I have researched that we need a "core switch". Is this a particular device or just a normal switch with the role of being the core? So my understanding is every switch will then connect to the core by link aggregation and that's it? We'll see somewhat of a network improvement? Or is there more to it?



Bizarre Site to Site VPN Issue (Randomly fails to certain subnets)

ASA 5525 on 9.6(3)1

This is driving me crazy - I have a site to site VPN set up and connected with one of our remote offices while we wait for MPLS to be installed.

Office A (me): 10.1.0.0/19
Office B: 10.1.32.0/20

The VPN is connected and I can reach certain subnets, but not others. Packet tracers are virtually identical (the only difference is the destination IP) right up until the VPN step:

Unreachable (10.1.43.XXX)

Phase: 9 Type: VPN Subtype: encrypt Result: DROP Config: Additional Information: Forward Flow based lookup yields rule: out id=0x2aaac81b4690, priority=70, domain=encrypt, deny=false hits=9093, user_data=0x0, cs_id=0x2aaac8d74c80, reverse, flags=0x0, protocol=0 src ip/id=10.1.0.0, mask=255.255.224.0, port=0, tag=any dst ip/id=10.1.32.0, mask=255.255.240.0, port=0, tag=any, dscp=0x0 input_ifc=any, output_ifc=outside 

Reachable (10.1.32.XXX)

Phase: 9 Type: VPN Subtype: encrypt Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: out id=0x2aaacb54b540, priority=70, domain=encrypt, deny=false hits=12460, user_data=0x24cb87c, cs_id=0x2aaac8d74c80, reverse, flags=0x0, protocol=0 src ip/id=10.1.0.0, mask=255.255.224.0, port=0, tag=any dst ip/id=10.1.32.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0 input_ifc=any, output_ifc=outside 

We have changed nothing, and here's where things get stranger. We experienced this exact same behavior yesterday, but the reachable/unreachable subnets were swapped. Then it mysteriously started working. Now it's back to this. Has anyone experienced this before?
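To make the two packet-tracer results above easier to compare, here is an added Python example (not from the post, and not a Cisco tool) that parses the "Forward Flow based lookup yields rule" lines, turns the src/dst address+mask pairs into prefixes, and reports which encrypt-domain rule covers a given destination and which rules in the same crypto map (same cs_id) have nested destination prefixes. The rule lines are the two quoted in the post; the host addresses 10.1.43.1 and 10.1.32.5 are constructed stand-ins for the masked XXX hosts.

```python
"""Compare crypto-map matches from ASA 'packet-tracer' output.

The two rule lines are copied from the post above; the destination hosts
used for the check are constructed (the post masks them as XXX)."""
import re
from ipaddress import ip_address, ip_network

PACKET_TRACER_OUTPUT = """\
Phase: 9 Type: VPN Subtype: encrypt Result: DROP Config: Additional Information: Forward Flow based lookup yields rule: out id=0x2aaac81b4690, priority=70, domain=encrypt, deny=false hits=9093, user_data=0x0, cs_id=0x2aaac8d74c80, reverse, flags=0x0, protocol=0 src ip/id=10.1.0.0, mask=255.255.224.0, port=0, tag=any dst ip/id=10.1.32.0, mask=255.255.240.0, port=0, tag=any, dscp=0x0 input_ifc=any, output_ifc=outside
Phase: 9 Type: VPN Subtype: encrypt Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: out id=0x2aaacb54b540, priority=70, domain=encrypt, deny=false hits=12460, user_data=0x24cb87c, cs_id=0x2aaac8d74c80, reverse, flags=0x0, protocol=0 src ip/id=10.1.0.0, mask=255.255.224.0, port=0, tag=any dst ip/id=10.1.32.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0 input_ifc=any, output_ifc=outside
"""

# One rule per line; the fields of interest appear in this fixed order.
RULE_RE = re.compile(
    r"Result:\s*(?P<result>\w+).*?"
    r"\bid=(?P<id>0x[0-9a-f]+).*?"
    r"domain=(?P<domain>\w+).*?"
    r"hits=(?P<hits>\d+).*?"
    r"cs_id=(?P<cs_id>0x[0-9a-f]+).*?"
    r"src ip/id=(?P<src>[\d.]+), mask=(?P<smask>[\d.]+).*?"
    r"dst ip/id=(?P<dst>[\d.]+), mask=(?P<dmask>[\d.]+)"
)


def parse_rules(text):
    """Extract result, rule id, crypto-map id, hit count and src/dst prefixes."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue
        rules.append({
            "result": m["result"],
            "id": m["id"],
            "domain": m["domain"],
            "hits": int(m["hits"]),
            "cs_id": m["cs_id"],
            # ip_network accepts "address/dotted-mask" and validates the boundary.
            "src": ip_network(f"{m['src']}/{m['smask']}"),
            "dst": ip_network(f"{m['dst']}/{m['dmask']}"),
        })
    return rules


def matching_rules(rules, dst_ip):
    """Rules whose destination prefix covers dst_ip, most specific first."""
    addr = ip_address(dst_ip)
    covering = [r for r in rules if addr in r["dst"]]
    return sorted(covering, key=lambda r: r["dst"].prefixlen, reverse=True)


def find_overlaps(rules):
    """(narrower, wider) destination prefix pairs within the same crypto map."""
    pairs = []
    for a in rules:
        for b in rules:
            if a is b or a["cs_id"] != b["cs_id"]:
                continue
            if a["dst"] != b["dst"] and a["dst"].subnet_of(b["dst"]):
                pairs.append((str(a["dst"]), str(b["dst"])))
    return pairs


if __name__ == "__main__":
    rules = parse_rules(PACKET_TRACER_OUTPUT)
    for host in ("10.1.43.1", "10.1.32.5"):
        hits = [f"{r['result']} dst={r['dst']} hits={r['hits']}"
                for r in matching_rules(rules, host)]
        print(f"{host}: {hits}")
    print("nested destination prefixes in the same crypto map:", find_overlaps(rules))
```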



Arris Touchstone DG1670A problems

I help manage a network for a small private elementary school and our internet connection is through Spectrum using an Arris Touchstone DG1670A modem. The problem is that several times throughout the day we lose connection to the Internet. I have set up several pings to internal systems and Google (8.8.8.8) and when the connection gets flaky, the internal pings are all OK but the Google one gets slower and slower until it finally starts to drop packets.

After a few minutes (5-15) the connection comes back and everything is fine. Until it happens again. There doesn't seem to be a particular cause for the Internet connection to go down, it just happens randomly throughout the day.

Our Internet connection is 300/30 but I never see anything approaching that on our firewall. Most of the time our traffic is <150MB down and <15MB up. Our ISP says that everything is fine with the modem (it's been changed out 3 times) and the line looks good. However, the service guy says when the outage occurs the modem stops logging bandwidth and other metrics.

My question is, how do I debug this problem? Is there a bad packet somewhere on the network? Are we just generating too much sustained traffic and causing the modem to freak out? Are these Arris modems known to have these types of issues?



Increasing disk of ISE VM. Have to reinstall?!

We're looking to upgrade from 2.0 to 2.4. The VM doesn't meet the minimum specs for 2.4...

No problem, we'll allocate more resources in the hypervisor. Then I read this:

"If you increase the disk size of your virtual machine after initial installation, then you must perform a fresh installation of Cisco ISE on your virtual machine to properly detect and utilize the full disk allocation."

So does an upgrade not constitute a valid installation operation to detect an increase in disk size? Anyone have any experience with this?

Here's the link to the 2.4 upgrade guide with the text I quoted: https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24.pdf



MEF E-Line Query

We have a requirement from a customer which requires the CRC and input errors from one end of the circuit to be transported across to the other end. He has requested EoSDH. Based on my understanding, L2VPN over MPLS doesn't do it. Will MEF E-Line technology help? If yes, does it require a pure L1 link between the MEF devices, or can it work even if we take it over MPLS?



Network testing - Creating latency, packet loss and UDP fragmentation

Hello all,

I'm dealing with some strangeness in a multicast network for security cameras. Basically the cams stream multicast 24/7 to the entire network. We are experiencing intermittent packet loss, high latency and UDP fragmentation (we think).

I was hoping to setup a lab situation where I can produce different rates of already mentioned latency, packet loss and UDP fragmentation.

From a Linux perspective I can pretty easily add latency, which I've been doing, effectively routing through a Linux box and using tc to add latency, and UDP fragmentation has also been sorta easy by adjusting the UDP. The random packet loss is the tricky one. Suggestions on a tool, or Linux trick, or any trick to create packet loss?

Thanks!



Documentation Manger/Repository with a web access interface?

Right now as a network team we use an access-controlled network share folder to store our shared documents, password files, etc. in Excel spreadsheets and Word documents.

I would like to spin up some server/database that can be accessed by the team via a web UI.

What do you guys out there use to accomplish this? Hopefully there are some open-source/free examples out there as I will be doing this as a side project.

Thanks.



Ping to switch variable - Ping through switch ok - loops/bad device/flood

Hello - what would cause a ping through a device to come in at <1ms but pings to the actual switch device to come in at >2/10/13/14/2/13 ms, random slower pings? Ideally, I want to be sure no loop or device sending out errant traffic is involved. Tools to use?



Zyxel USG200 and USG100 IPSec VPN SNAT to allow ARD

I have an IPsec tunnel configured between a USG200 and a USG100. The USG100 has a 10.1.100.0/24 network behind its LAN1. The USG200 has a 10.1.1.0/24 network behind its LAN1 which hosts different services on a few Macs. Everything works fine and there is communication all the way between the two subnets. However, to save power on the Macs, we want to implement the sleep or wake-up feature from our remote network (10.1.100.0/24). But the problem is Apple Remote Desktop (ARD) allows a Mac to sleep or wake up if the machines are on the same subnet.

I tried to use SNAT on the USG100, NATing the IPs to a few redundant IPs in the 10.1.1.0/24 range. However, I could not establish any communication between the sites. Is there an easier way to achieve this? I know the rule of thumb of not having the same subnets on different ends of an IPsec tunnel, but is there a way we can mask the IPs and make ARD believe we are on the same subnet?



[Help] I could not export the network I built in Packet Tracer on my iPad. The file is saved in the iPad Packet Tracer app but I can't export it via Dropbox or email, although the options are available inside, they are not working.

I built my network in Packet Tracer on my iPad, and after completion I tried to save it. It is saved inside the Packet Tracer saved files, but when I tried to export it or save it to Dropbox as a .pkt file it is not saved in my Dropbox, and when I tried to forward it as an email it says no email address is assigned. I have my assignment submission due 3 hours from now. In serious trouble. Can anyone help?? I can't export the file and submit it. It's stuck inside my iPad Packet Tracer app.



Design help

So we use Cisco only and I'm unsure on what technology to use for what I need to achieve.

The topology goes like this:

UK

Cisco ASR (DMVPN HUB) UK BASED SPOKES - Cisco ASA (RA VPN) > software-defined networking DMVPN spoke to UK based Router CSR1000V interconnected to Australian router CSR 1000V with DMVPN (HUB) > internet breakout > Australian BASED Spokes.

The issue I have is I have 2 hubs together via 1 UK router with 2 spokes, and I need all web traffic to go from the end spoke via the first hub. I've used route maps but it just refuses to route past the first hub; I can ping it no problem.

What technology should I use to get all these endpoints together?

I need to keep the 2 DMVPNs, 1 for UK-based clients and 1 for the AUS-based clients, but interconnecting them and routing internet traffic in a better manner would be good.

Any help/suggestions welcome.

Thanks

High Level View

Hub > SPOKE >SPOKE >HUB >Spoke



Thursday, January 10, 2019

Out of band network

Hello everyone,

We are in the process of revamping our network and one of the main things we are looking for is OOB. We currently don't have an OOB network (iLOs, mgmt ports are all in-band), so it would be great if I could get some ideas about the best way to design the OOB with minimal dependency on the in-band network.



Upgrading SD-WAN

My company is planning on upgrading our internet connection from a 3Mbps bonded T1 to Gigabit fiber. Since we are doing this we have to upgrade our SD-WAN equipment as well due to the increased throughput.

We currently have Silverpeak NX1700 appliances at our sites. We are thinking about changing to Fortigate 200E boxes to implement the new SD-WAN links instead of going to the SilverPeak EdgeConnect due to the exorbitant cost of the licensing for the increased throughput.

Aside from the lack of WAN Optimization on the Fortigate would they do the VoIP QoS and other features that the NX1700s are doing now?

Thank you in advance.



C3850 network reorganization - office move

Hey all,

Hoping for some constructive feedback and suggestions on how to best accomplish the networking element of a project I have coming up in just over three weeks. In short, a client is moving their office to a different floor of the same building. This client is not in need of replacement of any of their gear, so unfortunately the customary side by side approach is not viable. As they are in the same building, we did get fiber between the floors, and we ordered some small amount of swing gear for better flexibility.

Anyway, the current design (and this question is really focused on switching only) - is as follows:

They have 1 MDF and 4 IDFs. We have 2 stacks of 3850s in the MDF - each stack consists of two 48-port PoE switches and a 12-port 10gb SFP+ switch. Presently, I have these two stacks connected via the 4-port 10g network modules with a LACP cross-stack etherchannel. I have the two core stacks running HSRP on all L3 vlans, and have set STP priorities with an even-odd for which stack is root per vlan using RPVST.

Each of the 4 closets has 2 3850s in a single stack, with a 1g uplink to each core stack (also using ports on the 10/1g 4-port network module on the 48-port switches in the MDF). We also have plenty of free 10/1gb SFP/SFP+ ports on the 12-x models. Presently, the two 48s in each MDF stack are in their own power-stack, and the 12-x are not in a power stack. We also have each IDF stack in a power-stack, and every switch has dual PSUs (all 14 of them).

Other devices (WAN routers, ASAs, etc.) are redundant and served via disparate power feeds + ATS units. This design has been 100% reliable - we have all the ESXi and NetApp systems redundantly connected and have been able to bounce stacks in the MDF with no disruption whatsoever.

Now, the new design will have roughly a 65/35 split on user (and WAP, etc) ports between the new MDF and SINGLE IDF. I have a bunch of twinax cables, but am concerned about layout and length. I also have bigger concerns about stack-wise and stack-power cabling.

Questions:

1) Right now, these 8 3850-24 switches in stacks will need to be configured as additional members of other stacks. What is the best way to do so? Any best practices would be appreciated. I know about setting priority, hot-adding, etc. - should I wipe the config on each first? Want to minimize those 18 minute reboots. Assume all will be on the same code prior to the project.

2) My IDF layout is pretty straightforward, and will certainly have one stack with a mix of 48 and 24 port switches. Am leaning towards having 2x48 + whatever number of 24s in there, with 2 of my four 4-port network modules and 10g-SR optics that I already have, to have redundant 10g connectivity (I know, I could use single mode and third party optics - that doesn't solve the additional network module issue). I also have a 12-strand of OS2 in addition to my 12-strand of OM4. However, I'm torn on the MDF design. Should I have a combined core/access layer and just have 2 stacks which each have some user and some core functions? I have 2 cabinets adjacent to each other, and to the right of which are three relay racks, on which all my patch panels (fiber and copper) are terminated. While stackwise cables and twinax can be fairly long, stack-power cables are very short. What layout is recommended? Or should I have two independent 12-xs switches, each stacked with a 24, perform all core functionality, and buy a few more NMs to have 1 user stack in the MDF, 1 in the IDF, and 2 core stacks? I will need about 12 HA copper 1g connections for important management devices, and am using about 8 10gb twinax connections from infrastructure to each 3850-12-xs switch.

Any suggestions are welcomed



Looking for virtual lab sites to configure network devices

Anyone know of any sites that you can log into and configure virtual appliances, routers, switches and firewalls?

I'd appreciate any suggestions. It's been a while since I've worked with any and I want a bit of a hands-on refresher.



Netflow and Grafana

Just curious if anyone out there is running an integration between Netflow and Grafana? Specifically a non-commercial netflow collector.

I’ve seen some articles with Plixer and ntopng - curious if there was a way to do this open source.



Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, along with a nice description, to this thread.



Intranet with multiple switches but no router - is this possible?

Hi, we're looking to connect three Ubiquiti PoE switches to each other using SFPs and fiber. This is to connect PoE security cameras in three different locations to the same Network Video Recorder (this will be connected to one of the switches using a patch cord). Is this possible without a router in the mix somewhere? Simple picture is below...

(Switch A)---(Switch B & NVR)---(Switch C)

Thanks!



Priority queue on Cisco 3702

I am doing some AP testing on our Ixia VeriWave and came across some unexpected results I'm hoping someone on here might have more info on. I'm still waiting to hear back from Cisco on it.

I am performing testing on the various maximum throughput rates of a 1x1:1 connection using different QoS markings. From wired to wireless my EF marked traffic has very little capacity. At 64 byte frame sizing I can do 3 Mbps sustained. At 1518 bytes I get 18 Mbps. No other DSCP value yields these same results (e.g. AF41 gives me 177 Mbps at 1518 bytes).

I know it's hitting the AV_VO queue, but if I mark a packet from the wireless to wired direction using UP 6 or 7 I can't replicate this response; it seems to be specific to EF marked traffic. Does the 3702 have an undocumented priority queue?

Edit: all of this testing is done on 5 GHz inside of an RF testing chamber, no interference possible.



Cisco Catalyst 9300 vs Aruba 2930?

I'm looking to replace two HP ProCurve 2810-24G with two switches that have stacking. Our data center says that the stacking needs to be done through LACP, which confusingly our current ProCurve switches have, but can't use to stack. I'd love to get suggestions on the switches to replace these with that'll do the stacking as required.

I've looked at the Cisco Catalyst 9300, the HPE Aruba 2930F 24G and the HPE Aruba 2930M 24G. The Aruba switches seem to be a better deal, though I'm still trying to figure out what the difference is between them other than being able to add an extra power supply to the 2930M. I only need layer 2 switches, but everything I've been able to find that can do stacking seems to be layer 3. They all seem to have LACP, but it isn't clear to me that the stacking is done using that. I'm open to any other suggestions as well. I also looked at the HPE 5400R, but am somewhat confused as to whether (and how) it replaces two switches and how the stacking works. I'm very curious to hear what people here recommend. Thanks in advance!

Edit: Meant layer 2, said level 2.



How would you use SNMP to determine if a switch stack member went down?

I have some access switches in stacks. Since they're access switches, I don't really want to monitor the individual interfaces because I don't really care when people turn on/off their workstations. But I DO care if a whole switch within the stack dies. Note that the stack IP address continues to stay up and SNMP polling continues just fine. How do people determine if a switch member goes down? I know the "ifNumber" interfaces MIB SNMP object will change to reflect the reduced number of ports... is that what I should be alarming on?

(I'm using Cisco 3750 & 2960 switch stacks and Intermapper for polling, but I'm also interested in how people would do it for other products too)



Cisco ISE "capacity"

Hello everyone,

I am looking for a way or a tool/script to help me calculate and/or verify the number of concurrent sessions it's supporting. I played with the API, where we can read the current concurrent sessions but not the total capacity of the deployment.

I'll come back with our deployment so you'll have a clear picture of how things are, and also the issues that we had and that drove me to those questions.

Thank you,



Meraki MS350 switches - Warm spare config (x-post from /r/meraki)

Hi guys,

I posted this in /r/meraki, but figured I would ask here, too.

I have an environment with two MS350-48s stacked acting as my Layer 3 core for the network. All L3 routing is configured on that stack. I am now looking to configure an extra MS350 in my DR environment as a warm spare, so if my primary L3s go down, the DR L3s can take over routing.

Digging through the Meraki dashboard, I see that I do not have the 'Configure Warm Spare' button available on either switch in my core stack, so clearly using a stack as a primary is not doable. Would it be possible, though, to un-stack the switches, configure L3 routing on one of the switches, then re-stack the switches? Or would that move the L3 configuration back to the stack instead of the single switch?



Cisco 9500h Reviews

Has anyone deployed this unit yet? Looking for some non-sales feedback before we buy a few. Thanks!

https://www.cisco.com/c/en/us/products/switches/catalyst-9500-series-switches/index.html#~stickynav=1



quick question about changing ssh source-interface

I know on an ASA I need to reload the device before changing the ssh management interface. I'm curious though, as I have been unsuccessful in my google fu, if you need to reload IOS/CatOS devices when changing the ssh source interface. I have changed the ssh source interface to a separate SVI on a device that was running, but it didn't seem to behave the way I expected and I was just wondering if anyone knew the reason. My first guess would be a restart is required when doing this, or maybe I just needed to purge some ARP tables or something?



Site-to-site tunnel for transferring windows files (SMB)

Hello network folks, I was wondering something about a project someone has proposed. So we want to image about a few hundred machines here via some program (not sure what it is), but we have hired a 3rd party to do it for us. So I was tasked with creating an L2L tunnel from my ASA to that 3rd party company's Fortinet firewall. Set up the tunnel, made sure they can access our DNS servers, DHCP servers, SCCM servers etc. Everything works well as of now. I'm just wondering, if they want to do a lot of transferring of data from their corp network to ours over this tunnel… this means transferring these Windows computer images over the tunnel to us so they can image our machines… using nothing but Windows machines (so this is probably SMB transfers I'm pretty sure)… isn't there a better way to do this? Isn't encrypted SMB over this tunnel going to be slow as shi*!? I already know all the complaints will come to me saying "why is this transfer slow???" Am I just complaining here or is this not a good method to use?



Cctv remote viewing problem

I have a Panasonic IP camera system connected to my TP-Link Archer 2 router with a fiber internet connection (200/200 Mbps). I can view the cameras via the app when I'm within my wifi network at home, however I can't remotely view the cameras (using mobile data on my smartphone).

I have set up a static dns account, but still no luck.

I'm completely ignorant about technology. Please help.

Thanks



Turn off DHCP server of the Uverse Gateway?

Long story short, I have the week off work and the place to myself, so nobody to kick off the internet by fucking around with it. Set up my U-verse gateway in passthrough mode and everything seems to be working smoothly. Thing is my gateway still has DHCP enabled. Should I turn that off?



Is there no way to configure Traffic Shaping on an HPE/Aruba switch?

So I'm implementing a project for a client of mine (I was not the one who scoped this out or designed it) where they are migrating to a VPWS-based WAN that terminates directly on their core switches (which are Aruba). These new circuits are 1 Gb ports with CIRs that are much lower (like 10-50 Mb).

Dealing with QoS was not called out in the statement of work I'm bound to, however, I know that performance will suck if I don't configure some sort of traffic shaping. The thing is, I can't figure out how to accomplish this on HPE/Aruba, or if it is even possible. (I discovered the rate-limit command, but that seems more like policing than traffic shaping.) Do any of you guys know if/how this can be accomplished?

Thanks.



Daisy chaining alcatel omni 6850s

Hi!

I have an Alcatel Omni 6850 connected to the backbone.

I am trying to connect ANOTHER 6850 to that 6850 to get more ports. Daisy chaining.

I am pretty new to this so don't assume knowledge. I might be overlooking something basic.

On the first four interfaces I configured them for fiber. I got switch A on the backbone and switch B talking to A.

A has every mac address on the whole network. B only has A+B so it's not getting mac addresses from the backbone.

I made sure 802.1q was on for both fiber ports.

The only issue I can maybe see is that the backbone expects to see switch B by a unique IP on a direct fiber connection, when of course it's connected through A.

What am I maybe missing?



Any better network mapping software than SolarWinds NTM?

I'm about at my wit's end with this POS product. Can't believe I spent money on this. It cannot properly map anything. Tech support always has excuses. Latest is a damn IP camera shows up as ICMP even though SNMP is clearly enabled on the camera. I give up. Does anyone know of a better piece of software to ACCURATELY crawl and generate network maps?



What vendor to use for 10G Base T cables?

This is a X-Post from /r/sysadmin as I wasn't sure where to post it.

We have two new 48-port 10G Base T switches (Cisco Nexus 31108TC) that are going to be stacked in a data center with about 80/96 of the ports being used.

Right now, we have 1G stacked switches and are running a mixture of random cat 5 and cat 6 cables.

For cabling the new switches we are going to buy all new cables and were thinking of using the following cables: Monoprice SlimRun Cat6A.

Are the Monoprice cables good enough for use in a data center that runs production? The nice thing about their site is that it is easy to order different lengths of premade cables with various color options.

If anyone has any experience or recommendations on cables that would be appreciated.



Wireshark Halp

Newb to using wireshark, and not a networking background dude. So soz ....

I need to see if I can use Wireshark to look at traffic to a specific printer installed on a print server.

We'll say the names and IPs are:

App server: App01 10.10.10.1

Print Server: PRTSRV01 10.10.10.2

Printer: Printer1 10.10.10.3

I'm seeing all the traffic currently from 10.10.10.1 to 10.10.10.2 and vice versa. Is there any way to differentiate between the traffic and pull out the traffic to that one printer though? Again, the printer is installed on a Windows print server so we won't see the actual print server traffic to the printer itself. I'm just wondering if we can see a name or anything in the headers of any of this?



Sub-Interface and Spanning-tree

When you add sub-interfaces to a port you have to have a vlan tag on the port, so do you need to have spanning-tree running as well?



How many rules and objects can be accommodated onto a single device group in panorama?


SNMP monitoring on an isolated network?

I need to monitor devices that are connecting to a service providers network, but they will not allow us direct access to pull SNMP. We need to see real-time info and I am looking for options. The SP is running SolarWinds and they are willing to *kind* of work with us. Does anyone have any suggestions on how I can get access to the data? SNMP forwarding? SNMP Proxy forwarding?

Thanks



Any SPs out there pre-populate their DC's patch panel with their own jumpers?

Dealing with a certain Datacenter, Equinix, that has a bare patch panel and only installs jumpers on a per cross-connect basis. If I were to install my own jumpers, so that I can pre-patch to my equipment, is that frowned upon or outright banned? I can't find anything in my ToS concerning it.



Network monitoring thresholds/best practices

Hey folks!

I've been asked to review a company's monitoring system (network side only, the servers are being dealt with separately).

Currently these are the things being monitored:

  • Availability of network devices (such as switches, routers, etc.)
  • Availability of interfaces
  • Percentage of routers maximum throughput utilized on average
  • Percentage of switches maximum throughput utilized on average (port channels)
  • Average memory and processor utilization of network devices
  • Amount of traffic coming in and out of routers

Currently the throughput percentages warn at 75% (if over for 5 mins) and become critial at 90% This is the same for memory and processor utilization.

I am curious as to what other people set as their thresholds. Also, at what point would you consider upgrading the speed of a link? Is it when it's at 75%+ all day, every day for a month? Or if it's 75%+ every second day?

What are your thoughts and experiences?
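As an added illustration of the threshold logic described in this post (not code from the poster), the evaluator below turns the "warn at 75% if over for 5 minutes, critical at 90%" rule into a function over timestamped utilization samples, and a second helper measures what share of a window sat above the warning line, which is one input to the "when do we upgrade the link" question. The sample series, the 60-second polling interval and the 50% upgrade cut-off are constructed assumptions, not values from the post.

```python
# Added example: sustained-threshold evaluation for link/CPU/memory utilization.
# Thresholds follow the post (75% warning, 90% critical, must persist 5 minutes);
# everything else (sample data, polling interval, upgrade cut-off) is assumed.

WARN_PCT = 75.0
CRIT_PCT = 90.0
SUSTAIN_SECONDS = 5 * 60           # breach must last this long before it counts
SEVERITY = ["ok", "warning", "critical"]


def evaluate(samples, warn=WARN_PCT, crit=CRIT_PCT, sustain=SUSTAIN_SECONDS):
    """Return the worst sustained state seen in samples, a list of (unix_ts, utilization_pct)
    sorted by time. A single spike above the threshold does not alert; the value must stay
    at or above the threshold for `sustain` seconds, and any dip below it resets the timer."""
    worst = "ok"
    since = {"warning": None, "critical": None}   # start time of the current breach per level
    for ts, pct in samples:
        for level, threshold in (("warning", warn), ("critical", crit)):
            if pct >= threshold:
                if since[level] is None:
                    since[level] = ts
                elif ts - since[level] >= sustain:
                    worst = max(worst, level, key=SEVERITY.index)
            else:
                since[level] = None                # breach ended, start over next time
    return worst


def busy_share(samples, threshold=WARN_PCT):
    """Fraction of samples at or above `threshold`; useful over a multi-day window."""
    if not samples:
        return 0.0
    return sum(1 for _, pct in samples if pct >= threshold) / len(samples)


def upgrade_candidate(samples, share_cutoff=0.5):
    """Assumed rule (not the post's): flag a link when half or more of the window is busy."""
    return busy_share(samples) >= share_cutoff


# Constructed sample series: one sample per minute, six minutes at 80% utilization.
SAMPLE_WARNING = [(t * 60, 80.0) for t in range(6)]
# Constructed: five minutes at 95% then a dip, which resets the sustain timer.
SAMPLE_RESET = [(0, 95.0), (60, 95.0), (120, 95.0), (180, 40.0), (240, 95.0), (300, 95.0)]

if __name__ == "__main__":
    print(evaluate(SAMPLE_WARNING), evaluate(SAMPLE_RESET), busy_share(SAMPLE_RESET))
```

The reset behaviour is the part worth checking against whatever tool is in use: some monitors average over the interval instead of requiring every sample to be above the line, which produces different alert timing for bursty links.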



Book recommendations learning network basics for a programmer with occasional sysadmin duties?

I find myself working in a tech company where networking is a very important component in our software stack. TBH I don't know shit nor where to start. I don't need the depth of knowledge a lot of you guys have, but practical knowledge of networking basics. (like, what are gateways and netmasks, vlans, bond modes, etc).

Help!



Which ticketing system does your NOC use.

We are currently looking into going from something in house, which does everything we need but the code is old and has demons in those lines, to something off the shelf and would require less dev time.

However, we looked at a lot of ITIL based systems and it seems that ITIL works differently than how we work.

ie... ITIL is Many to One (Multiple Incidents that roll into a Problem).

These ticketing systems often do not allow multiple people or organizations public access to view the tickets, instead they should each have their own incident.

We however work on a one to many concept.

ie... Fiber break, we know the problem.. now we need to inform ALL affected. Preferably without looking up each individual Org.

Our current system does this. We get alerts through Zenoss, we open a ticket on the alert, we check a button next to the node that says "Notify Orgs" and it populates the ticket with all the Members that are affected by said node.

This works for maintenance also. One ticket to many people. The logs can then be shared publicly to all Orgs, just specific orgs, or kept private.

I guess I am looking for something that may work similarly if possible and am interested in seeing if anyone made a similar jump.

Thanks in advance.



Routers and switches for a university campus

I am currently writing a report on designing a network for a university campus. I struggle quite a bit with what hardware to choose as I have to pick the exact switches and router models. I have only one router to hold the entire network of about 400/500 hosts. What router would be good for that? Can anyone recommend some models?

Also switches, I will have 2 core layer switches, 6 distribution layer switches for each building, and then many many switches within the buildings as the access layer. Can any recommend any switches for that?

Finally, is it best to go for 10gb bandwidth or 1gb for the switches?

Thanks, I hope I followed the rules this time when making a post.



Question on what to replace with a small business

Sorry if this isn’t the place for this kind of post but I’m not sure where to ask this. I work for a small company (less than 10 users wired/wireless) and while I am studying for my CCNA to learn more about networking, the company I work for has tasked me with replacing their Netgear FVS318n with something that has “stronger wifi “ as my boss says. I’m capable of configuring all the settings but I don’t know what to replace it with Ubiquiti, Aruba etc for a company of this size.

To clarify this is one building that is less than 1200 sq ft one floor with spectrum as the provider.



Automating Switch/Router Configuration backups at an MSP. Rancid??

We need a good way to automatically back up switch configurations, but we're an MSP with a lot of small/medium size clients. Some Cisco, Dell N-series and PowerConnect, HP models. We've tried auvik for a while and it works for the most part, but I don't trust it.

Is something like Rancid or Oxidized feasible in an MSP environment? Is it possible to set it up at one of our own servers (or in the cloud) and then pull the switch configs from all of our client sites over the internet (assuming we have all the firewall rules in place)? I don't think it's doable for us to set up something like Rancid at all of our clients. Some of them only have 1 or 2 switches and 1 server.



Work dilemma

Would you take a job that is 50+ miles away from your home + 1 day work from home and get paid $160K or take a job that is 3 miles away but for $110K?

I always tell myself that I am going back to school, but never did. If I take the $110K job, I might be able to do the school or certification I want to take. The downside, of course, is that the pay is less and it's just layer 2 kinds of work.



Unable to ping a few specific IPs from my circuit all of a sudden

We have a circuit with Cogent at our datacenter. Starting Sunday around 3:30AM we noticed a VPN to one of our clients on Comcast went down. Troubleshooting, we couldn't ping in either direction. Traceroutes in either direction show it drops off right around the last hop (makes it into the other providers network before dropping off).

Then on Monday we noticed another IP on a completely different Comcast line in another state we couldn't ping. At this point we're thinking either Comcast or Cogent issue. But then a third IP popped up that we wouldn't reach either, on a completely different provider.

We've been troubleshooting with Cogent all week, back and forth, them saying it's our equipment. So of course our first step was to test bypassing our firewall. Our Cogent fiber connects to a switch with basically no config on it, then goes into our HA Sonicwalls. So I plugged my laptop into the switch, assigned an available IP on our /25 block, and I still couldn't ping any of the three IPs. From our Cogent gateway the IPs can be pinged no problem, but not from any IP in our usable range.

At this point Cogent's still blaming Comcast (even though there's another provider IP we can't reach). But it would make no sense that Comcast would be blocking our IP when I have an entire /25 block and I can't reach these IPs from ANY IP on our block. For further testing, Cogent assigned a test IP block to our interface. Still can't ping using one of those IPs. The guy put the test block on a different interface, pings fine.

At this point, myself, and Cogent support are completely baffled. They want the next step to be taking our switch/Sonicwall out of the equation, meaning tomorrow I'm going to have to do a maintenance window and connect Cogent up to a media converter then to my laptop and do the tests again, but I'm expecting the same results seeing as how there's nothing wrong with our switch - would make no sense for a dumb switch to block three random IPs all of a sudden. But after that it's going to go back to Cogent, get their NOC guys involved, and figure out wtf is going on.

Has anyone ever seen anything like this??? The entire issue makes absolutely no sense whatsoever.



Issues blocking addresses/locations on PA-220

Hello All,

I'm kinda new to working with Palo Alto equipment and networking isn't really my forte. I had my Net+ in high school but I have a bachelor's in hardware engineering.. so please bear with me.

I take care of a bank's IT and I think they're getting hit with a denial of service attack from many different sources. They're sucking GB of data, slowing down the network tremendously. At least from what I can understand by looking at the different network activity. Here is an example of what I'm looking at in the Source Activity. None of those IPs are ones that the bank needs to communicate with.
https://i.gyazo.com/9da564df57103b6cafda56a568d6647c.png

Here is the 7 day. You can see it increase by quite a bit.

https://i.gyazo.com/8d31a0bf1f9a0325f26cf11f3b6896f0.png

I tried setting up block rule(s); according to the guys at Palo they should be set up properly. I had support there verify them. But from waiting overnight it appears that they're still not working. Here is what they look like.

https://i.gyazo.com/369e6d6f6cd47828a34f916043351890.png

I'm honestly at a loss, I don't know what to do at this point.



bpdu tunnelling required for stretched L2 net over λ fiber?

Hello,

Might be a silly question, but we are stretching a vlan across 2 geographically separate sites, connected by a 10G "ethernet private line" wave service from our ISP.

Given that this is a wavelength service, is it required to implement BPDU tunneling as a best practice? Both sides connect to an HP 5940AF.

http://www.h3c.com.hk/Technical_Support___Documents/Technical_Documents/Switches/H3C_S9500E_Series_Switches/Configuration/Operation_Manual/H3C_S9500E_CG-Release1728-6W170/04/201211/761543_1285_0.htm

Thanks for any input.



Different VLAN with no leases every day

Students came back the other day at our institution and ever since then, for the past three days, one of our VLANs is not communicating with the DHCP server. Students connect to an SSID and are supposed to authenticate through Aruba ClearPass, but with this problem a ton of students are trying to jump on to the VLAN that isn't working. We've turned on DHCP snooping and looked into ARP snooping as well, but we're coming up short. We've activated a port in our office and tagged it for the VLAN, connected to it and ran Wireshark, but we're not getting DHCP ACK, NAK or even Offer requests. We disabled one of our Aruba controllers yesterday and it kicked off the device, but today they came back on a different VLAN and it isn't working, so we have no clue where to look to trace what's causing our issue.

Any help or suggestions to help trace would be great. We're running Extreme switches, with a Palo Alto firewall and using Aruba for wireless.



464XLAT Isolated Network

Hello :)

I'm an engineering student and I've been asked to create a 464XLAT laboratory, where a host with IPv4 or IPv6 must be able to access IPv4 and IPv6 sites.

I'm struggling to determine the architecture of the setup and I wondered if you could give me a hand. To my understanding I need a host, which could be my computer, and a router that would be the CLAT and would forward my host's requests to the ISP in IPv6 format. If my host is trying to reach an IPv6 server the PLAT wouldn't intervene and the network would route my request to its destination in the IPv6 internet. If my request goes to an IPv4 network the PLAT would do its magic and forward it. I think I understand the theory.

The thing is I'm trying to create an isolated network to try this. Do you think this would work? Do you have any suggestions? https://i.postimg.cc/pXJXR6dV/Screenshot-2019-01-10-at-12-21-10.png Thanks for your time. I would appreciate it a lot.

EDIT: Might this be more accurate? The ISP should be an IPv6-only network.



ME3400 MPLS / Internet - is qos remarking killing performance?

We are migrating branches to an mpls setup with central internet breakout.

We have "limited" bandwidth available at each branch (100Mbit) and they run telephony, citrix and some other stuff.

The HQ, where I'm guessing the issue is, has a 500Mbit MPLS vlan and a 500Mbit internet vlan. Traffic runs from the branch via the MPLS into the HQ router (ME3400) and then to our firewall.

The SP is doing remarking at each branch to prioritize telephony, Citrix and some other data that we want to forward before web traffic etc. They then remark return traffic as well from the HQ.

Now, my thought.

We added two branches at first, everything running well and no issues with performance. Yesterday we added three more branches and they are now complaining about slow Citrix performance and phone calls dropping.

HQ has redundant connections, one is on an ME3400 router, the other is hosted on a much newer box. So I'm wondering.. is the ME3400 router suffering from the remarking of egress traffic towards the MPLS network?

Can anyone chime in on their experiences with these boxes?



Experience with Aruba SD-Branch & integration with Palo Alto?

Hi,

does anyone have any experience with Aruba SD-Branch/SD-WAN?

We're setting up a multi-site (15?) network for our 1000-person tech company. Currently, we're doing Palo Alto firewalling with Aruba WLAN & LAN (including ClearPass and Panorama) at HQ.

The sites are within 1000 km of each other, 1-10Gbit connectivity, all on the same provider's network. The only service provided by this ISP is internet access, so encryption/tunneling/VPN has to be done by us.

Looking at cost, going PA for all the sites for full L7 firewalling (with local internet egress) is probably too expensive for us. So, we're thinking of doing internet egress only at HQ, so traffic from all sites would mostly be IPSec to or through HQ (with a couple of exceptions for servers available at a couple of the smaller sites)

Has anyone tried Aruba's SD-Branch gear in such a setup (or indeed at all)? I find lots of marketing material, but no real-world implementations.



Anyone taken an IKM test?

Hi,

Has anyone taken an IKM network engineer test? I need to do one and I'm not sure what to expect.

If anyone could provide any insight into the exam, the level of knowledge required or any study advice/links then that would be great.

Thanks



Are chassis form factors dead?

Are chassis form factors dead? If I go Juniper, I can purchase 4 x MX204 for the cost of a single MX10003. On the other hand, even Edge-Core now makes a whitebox product in a chassis form factor. I must be missing something. With today's high end, small form factor equipment, when does it make sense to go chassis?



How do the Hit Count, Bytes and Last Used fields under the Policy chart on the Fortigate web interface operate?

http://bit.ly/2H50Hac

Wednesday, January 9, 2019

MikroTik, thoughts and opinions?

Hey all,

I was wondering what you guys' thoughts and opinions are on MikroTik devices. The price seems to be more than right, but is their stuff too good to be true?

I wanted to pick up a router just to play around with it, but I thought I would ask beforehand about quality, security, etc.



Network Vendors for the Russian Government and Military?

This question popped into my head today at work. The DoD is very selective about where it purchases its networking hardware (for good reason). DoD is not allowed to procure equipment manufactured in China, Russia, Eastern Europe and a handful of other places. Any idea what the Russians use? To my knowledge, except for a handful of manufacturers in China which I imagine the Russians trust about as much as we do, is there not a Cisco Juniper equivalent in Eastern Europe? Are the Russians relegated to using US vendors? Do they manufacture their own gear or have a supplier that they can reliably count on to meet their needs? It's my understanding that the US government works closely with industry to ensure that products, especially targeted overseas enterprises have certain technical capabilities should the need arise. So, what vendors can the Russians trust if they can't trust Juniper or Cisco?



Connecting several thousand IoT (raspberry pi's) devices with a VPN

Hi all, I have a (currently theoretical) project involving putting thousands of RPi's in a bunch of remote locations to sense humidity, temperature and also take photos. I would like to secure them with a VPN but am curious as to whether this is a terrible idea or not.

If I was to launch an EC2 instance and host an OpenVPN server, would that be capable of supporting several thousand raspberry pi's? My goal is to have them on the VPN so I can SSH into them from any connected node

One thing I like about VPN is the *relatively* simple setup, on RPi it's just a sudo apt-away and it'll work.

What other issues come about with large quantity devices on VPNs?



What size screws fits in the mounting plate of Ubiquiti Access points?


what is different between N3K-C3064PQ-10GX vs N3K-C3064PQ-10GE?




web server test image for adc / security testing?

Hello,

I'm looking for a modern web server image, preferably a Windows and a Linux image. A vmware image would be even better. ultimately a 2-tier or 3-tier image would be best or even a test ecom site.

Anyone know where I can obtain some images like this?

FYI - I am a network/security guy and not a web developer. This is why I want a 90% pre-configured image.

Thank you,



NAPALM/SaltStack Roadblock

So I got some fantastic advice from r/sysadmin regarding engineering and automation last year that helped me grow exponentially as an engineer. Here’s hoping that lightning can strike twice!

I’m currently in charge of designing and implementing a SaltStack/NAPALM automation solution for our network team. The end goal is to have all network device configuration done through GitHub so that we have history, diffs, tracking for all networking changes across the org. We plan on locking direct ssh access to the network devices to a select few people if we can get this implemented.

I’ve already figured out the GitHub integrations with SaltStack/NAPALM, but I’m stuck wondering how much I can really lean on Salt States for the network configurations. (Webhooks set off scripts to pull the changed files to minions and upload diffs)

Personally, all SaltStack documentation has been useless for me in answering this question. I've spent weeks now poring over module documentation and blog posts from the NAPALM team and it just isn't getting me anywhere. I realize that all of the engineers involved in both are much more talented and intelligent than I could hope to be, but I can't even seem to find an example of an SLS file that defines ACLs for network devices without just referring to set commands.

Anybody have any experience and/or advice regarding this setup? Am I just working with stuff that’s bleeding-edge enough that the resources I need just don’t exist yet or is this all just way over my head?



Data center fiber between racks.

So I've been wondering about how smaller datacenters (10000 sq ft) run networking in a rack, between racks and between rows. Are unterminated fibers run and terminated for everything? Are racks only using patch fiber, or a mix of patch fiber/ethernet? Is it better to have TOR or EOR switches? It would probably be a mix of colo and on-premise servers. Wondering because I'm possibly getting into setting up some datacenters and I know there's a million ways one could do it depending on tier and funding.



Networking benefits from two different nighthawks

Hey guys, being a complete networking fool I was wondering about the benefits I would get for spending $500 on the Netgear XR700 as opposed to the Netgear XR500. I browsed through the hardware differences online but have yet to arrive at a proper conclusion as to what benefits I will see from buying the higher priced version.



Does access list applied in ASA firewall interface filter traffic passing through it & not traffic originating from firewall?

I was told access list rules in a firewall apply only to traffic PASSING through the firewall and not to traffic originating in the firewall. Is it correct? If so, when a host which is connected to one of the interfaces/subnets of the firewall sends a DHCP discover message, it will be a broadcast message and will reach the default gateway of that subnet, which is applied on the firewall. The default gateway will use DHCP relay and change the source IP address to its own (default gateway) IP. So now the traffic appears like it is originating in the firewall. So an access list rule is not required.

But if an L3 switch is connected to the firewall, then the L3 switch would already have changed the source IP address. So when the packet comes to the interface of the firewall, the source IP address might not change again, probably because the packet is no longer a broadcast when it reaches the firewall interface, and this packet now has a source and destination IP address. So in this case, access list rules need to allow UDP 67 and 68. Am I correct?



Message authentication redundancy in TLS?

TLS uses key exchange, authentication, encryption and message authentication. How relevant is the message authentication if identity has already been established through authentication and encryption is safeguarding the data?

Say, for example, message data is encrypted and changed in transit. Wouldn't the recipient then decrypt the changed data, receive junk text and therefore know it can't use the data? Is message authentication such as HMAC, which would then also fail because the data has been changed in transit, still necessary?
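As an added, runnable illustration of the question above (this is not code from the poster, nor how TLS itself is implemented), the script below shows why "changed ciphertext decrypts to junk" is not something a recipient can rely on. With a stream cipher or counter-mode cipher, flipping a bit in the ciphertext flips exactly that bit in the plaintext, so an in-transit change can turn one meaningful message into another meaningful one without the key. The second half attaches an HMAC over the ciphertext (encrypt-then-MAC) and shows the recipient rejecting the altered message before decrypting it. The keystream here is a toy built from SHA-256 as a stand-in for a real cipher, and all keys, the nonce and the message are constructed values.

```python
# Added example: why integrity protection is needed even when data is encrypted.
# The keystream, keys, nonce and message are constructed; this is not TLS code.
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256. Stand-in for a real stream/CTR cipher:
    the malleability shown below is a property of any XOR-based construction."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


decrypt = encrypt  # XOR with the same keystream undoes the encryption


def alter_in_transit(ciphertext: bytes, offset: int, old: int, new: int) -> bytes:
    """Model a change in transit: XOR one ciphertext byte with (old ^ new). Whoever does this
    needs no key; the byte at `offset` will decrypt to `new` instead of `old`."""
    ct = bytearray(ciphertext)
    ct[offset] ^= old ^ new
    return bytes(ct)


def tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC: authenticate the ciphertext (and nonce), never just the plaintext."""
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def open_authenticated(mac_key, enc_key, nonce, ciphertext, received_tag):
    """Recipient side: verify the tag in constant time first; decrypt only if it matches."""
    if not hmac.compare_digest(tag(mac_key, nonce, ciphertext), received_tag):
        return None  # reject: ciphertext does not match what the sender authenticated
    return decrypt(enc_key, nonce, ciphertext)


def demo():
    enc_key, mac_key, nonce = b"\x11" * 32, b"\x22" * 32, b"\x00" * 12  # constructed
    message = b"TRANSFER 100 EUR"                                        # constructed
    ciphertext = encrypt(enc_key, nonce, message)
    # Byte 9 is the '1' in "100"; change it so it decrypts as '9'.
    altered = alter_in_transit(ciphertext, 9, ord("1"), ord("9"))
    without_mac = decrypt(enc_key, nonce, altered)      # valid-looking text, not junk
    t = tag(mac_key, nonce, ciphertext)
    with_mac = open_authenticated(mac_key, enc_key, nonce, altered, t)  # None: rejected
    return without_mac, with_mac


if __name__ == "__main__":
    print(demo())  # (b'TRANSFER 900 EUR', None)
```

The order matters: the tag is verified before any decryption, so the recipient never acts on, or leaks timing information about, unauthenticated plaintext. Modern TLS cipher suites get the same property from AEAD modes (such as AES-GCM or ChaCha20-Poly1305), which bundle the MAC with the encryption.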



Has anyone run Cisco ASA software on Cisco FTD hardware?

Hey guys,

Looking for a bit of advice or anecdotes on running Cisco ASA software on the FTD hardware.

We recently purchased a couple of demo boxes along with the Cisco Firepower management console in order to test the new platform out. We have found that there are a few issues with the FTD software platform that we simply can't work around. (Slow deployments with FMC and port-channel limitations using the onboard management)

Our Cisco rep has suggested loading the ASA software onto the FTD hardware in order to get the latest and greatest performance on a familiar platform and to maintain hardware support for the life of the devices. I have some concerns with regards to performance and optimization with the legacy software on a modern hardware platform and was wondering if anyone had experience with this. Are there any major limitations that a normal ASA would not experience? Any issues/bugs that you've encountered? We have a new order going in soon and are still debating whether or not to scrap it and start over with native ASA instead of FTD hardware.

(I have voiced my opinion on experimenting with Fortinet and PAN but management feels that the project that these firewalls will be destined for is too time sensitive to learn a new vendor's platform so we will reevaluate when we have more time with regards to other vendors)

Thanks in advance.



Adding new 48ru jumbo racks to a couple of our NOCs. I can’t seem to find a high count angled fiber patch panel in LCA that isn’t MPO. Does anybody have any recommendations? Fiber store doesn’t seem to have anything other than MPO


Fortigate SD-WAN instead of "CE routers"

We manage our own MPLS network on top of ISPs VPLS/WDM links, and currently just manually configure our CE routers. Either with "VRF lite" with BGP peerings to our DC routers in each VRF or just full MPLS to the CE and do L3VPNs there. ISPs only provide us means to directly connect our different routers.

It works well with our 50 "PEs" (we also do MPLS in our campuses so I'm counting those PE devices too) but it's of course a lot of manual work. We're also closing in on a deal that would add something like 100 or in the best scenario 200 new sites, but those would be mostly with few users, a couple of printers etc.

So, how would you feel about connecting all those sites using Fortigate firewalls instead of traditional routers? I'm hoping to achieve easier management, monitoring, visibility and maybe even some load balancing / QoS stuff with those. I could do QoS rules based on firewall objects I have in the central FortiManager, instead of manually updating rules in every router. Idea is to still get L2 connectivity from our ISPs, but connect the remote Fortigate to our DC FW and then towards the rest of the network.

It's a type of network where we want to segment stuff as much as we can instead of letting everyone talk to everyone. Firewalls would of course help in that situation. Our DC FW terminates all the different VRFs we have in our campus network.

We have good enough deals with our ISPs for L2 so I'm not interested in replacing those links with consumer broadbands, might do those as a backup though.

Any ideas?

Thanks!



Off topic: My Christmas gift from my wife

I hope some of you enjoy this.

The routers represent myself and my wife (extra pun for those of us in Aus/NZ)

The switches are my children, sized from youngest to oldest. My oldest is actually my step-son (hence the dotted line) and the switch attached to him is his fiancee; that will get upgraded to an EtherChannel when they marry. There are spaces to do the same for the others.

Once grandkids arrive I will add two new LANs off their parents - not sure what icon I will use for them yet :)

https://www.reddit.com/r/tattoos/comments/ae4mhr/just_got_a_new_piece



Books for out of band management system / MLAG

Hi guys,

I'm staffed in a project as an intern in an area that is above my technical skills. The good thing is I have a decent foundation in the networking basics and so I don't think it should be impossible for me to get up to scratch on what I need to know to be able to contribute as much as possible to the current project that I am on.

I will be here for 4 weeks.

What I need to improve my understanding is on:

  • Out of band management systems, including architecture and design (spine/leaf - CLOS)

  • Being able to architect these out of band management systems including understanding of protocols such as STP, VXLAN, overlay/underlay, MLAG, etc.

My current knowledge:

  • Programming / scripting

  • Minor AWS stuff (EC2,VPCs, security groups, monitoring/logging etc)

  • Networking basics: DHCP, routers, OSI model, common protocols, etc

I'm probably gonna be posting a lot on this sub, so happy to gild responses that are helpful. If anyone is interested in potentially tutoring me (I'll pay per half hour) or providing a quick QA/crash course I'd also consider that, too.

Thanks!



Network Support Hours Model

Hey Guys!!

I work for an MSP and we're in the process of trying to make a model for how many support hours we should expect per customer, device or some other factor, and would like your input. For example, we could use this to estimate the amount of additional ongoing network support we would expect if we landed a new customer.

Any insight into what the best factor(s) are for determining this?



Diffie Hellman key size (cisco ios SSH)

Ran the command:

crypto key generate rsa general-keys modulus 2048

But I'm still seeing a 1024 key, anyone know why this is?

SSH Enabled - version 2.0 Authentication timeout: 120 secs; Authentication retries: 3

Minimum expected Diffie Hellman key size : 1024 bits

IOS Keys in SECSH format(ssh-rsa, base64 encoded):

EDIT:

Figured out my problem, needed this command:

ip ssh dh min size 2048



Detecting Rogue Devices without 802.1x

So here's the scenario, a bad guy/girl has come along and planted a Raspberry Pi type device on your employers network. You don't use 802.1x/NAC/ISE/Port-Security. The Raspberry Pi has a 4G connection in the back so any C2 traffic from the bad guy is not going to go anywhere near your external firewalls, but in the meantime he's going to explore your network. How do you detect him/her and what kind of tools do you use?

At the moment I have a script that dumps the arp table from the gateway routers and then NMAPs new devices. There are some select ports that we would always expect to see open on our hosts. Everything else is considered bad. However, I'm looking for new ideas.
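As an added example of the approach this post describes (not the poster's script), the code below parses a gateway's ARP table, normalizes the MAC addresses, and diffs them against an inventory baseline so that only newly seen hardware is handed to the follow-up scan the post already runs. The ARP output is a constructed sample in Cisco IOS `show ip arp` layout, the inventory is a constructed set, and the tiny OUI table is a hand-picked subset of the IEEE registry (b8:27:eb is registered to the Raspberry Pi Foundation) used only as a hint in the report.

```python
# Added example: flag hardware addresses in the gateway ARP table that are not in inventory.
# ARP text, baseline and OUI hints are constructed for this example.
import re

# Constructed sample in `show ip arp` layout. Age "-" marks the router's own address;
# "Incomplete" entries have no hardware address yet and are skipped.
ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.20.30.1              -   0011.2233.4455  ARPA   Vlan20
Internet  10.20.30.40             3   0050.56aa.0001  ARPA   Vlan20
Internet  10.20.30.57            12   b827.eb12.3456  ARPA   Vlan20
Internet  10.20.30.58             0   Incomplete      ARPA
"""

# Constructed inventory baseline: MACs we expect on this segment (would come from CMDB/DHCP leases).
KNOWN_MACS = {"00:11:22:33:44:55", "00:50:56:aa:00:01"}

# Hand-picked OUI hints (subset of the IEEE registry) to make the report readable.
OUI_HINTS = {"b8:27:eb": "Raspberry Pi Foundation"}

LINE_RE = re.compile(
    r"^Internet\s+(?P<ip>\S+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(?P<iface>\S+)",
    re.IGNORECASE,
)


def normalize_mac(cisco_mac: str) -> str:
    """Convert 'b827.eb12.3456' to 'b8:27:eb:12:34:56' so it compares with other sources."""
    digits = cisco_mac.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp(text: str) -> list:
    """Return learned entries as dicts; header, Incomplete and self entries are dropped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("age") == "-":
            continue
        entries.append({"ip": m.group("ip"),
                        "mac": normalize_mac(m.group("mac")),
                        "interface": m.group("iface")})
    return entries


def find_unknown(entries: list, known: set) -> list:
    """Entries whose MAC is not in the baseline, annotated with an OUI hint when we have one."""
    unknown = []
    for e in entries:
        if e["mac"] not in known:
            unknown.append(dict(e, vendor=OUI_HINTS.get(e["mac"][:8], "unknown OUI")))
    return unknown


def report(text: str = ARP_TABLE, known: set = KNOWN_MACS) -> list:
    return find_unknown(parse_arp(text), known)


if __name__ == "__main__":
    for device in report():
        print(f"NEW {device['ip']} {device['mac']} on {device['interface']} ({device['vendor']})")
```

Two caveats the post's own approach shares: the ARP table only shows hosts that have talked through the gateway, so a device that stays on-segment never appears, and a MAC is trivially changeable, so treat the baseline diff as a trigger for the port scan and for pulling the switch's MAC address table to find the physical port, not as proof by itself.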



On which end of an IPSEC site2site tunnel would you create firewall rules?

This is by no means an enterprise setting, but we have two pfSense firewalls running a perpetual IPSEC tunnel between office and a remote location (datacenter).

Right now all traffic can pass between the IPSEC interfaces on both ends, going either way (not secure). I believe it's a best practice to limit that traffic within reason for security reasons.

Would it make a difference as to which end the firewall rules exist? Let's say I want to allow traffic only for backup replication, should I create matching rules on both ends (with reversed source/destination so it works)?

Thanks in advance!



Don't install Cisco FTD 6.2.3.8 (P1 File Policy Bug > Traffic Blackholing)

Just a friendly reminder for my fellow engineers working with Cisco ASA / Firepower.

For everyone who already downloaded the new Firepower bugfix release.... Under any circumstances don't install 6.2.3.8. There is a catastrophic bug that results in traffic blackholing in case you are using a file policy. Bug ID: CSCvn82378

Source: Installed 6.2.3.8 2 days after release thinking what could possibly go wrong with a bugfix release. Well apparently it can result in an outage a few hours after the update.

p.s. 6.2.3.8 has already been removed from the website.



Issues With Nighthawk TriMesh Extender

I had issues with my router/modem could not deliver WiFi throughout my house so I bought the Nighthawk. I asked the Best Buy rep which is the best and he recommended that.

So, my router/modem is on the second floor in the Loft which is open (half wall that looks down into the main hallway and kitchen). I placed the Nighthawk in the dining room/family room and right next to the kitchen. That is pretty much the middle of the house and also close enough to the router/modem. The basement had issues getting a WiFi signal and still does. The internet cuts off still down there.

When I move from room to room I feel like my phone is disconnecting from the router/modem and connecting to the Nighthawk because the internet won't work for a few minutes. The internet is fine on the second floor but the first floor and basement seem to cut off. I'm pretty sure I followed the setup instructions correctly. I pressed the WPS on my router/modem and the Nighthawk connected. The lights were solid white and didn't turn orange or red, meaning the signal isn't weak.



DHCP or static? What you prefer, and why?

I'm doing a reorganization of one of my buildings and have around 70 PCs/laptops, some 40 printers, and around 15 switches and servers.

Switches and servers - static IPs and nothing else.

I'm not sure what I would do with those workstations and printers. Would it be better to give them DHCP and reserve their addresses on my Fortigate, or better to make all of them static? I'm thinking... It's much easier to manage a DHCP network. If I need a device to have a fixed IP, I will just reserve it on my Fortigate and good to go...

But yet... if I ever need to change Fortigate, I need to re-type all of those DHCP reservations...
or if I decide to go with static addresses... I don't know?

How do you guys have it?
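The "retype all the reservations if the Fortigate is ever replaced" concern above is a data-portability problem, so as an added example (not the poster's setup) here is a small converter that pulls the ip/mac pairs out of a DHCP reservation block and emits them as ISC dhcpd `host` stanzas, which any other DHCP server or a migration script can consume. The input is a constructed sample assumed to follow the FortiOS CLI nesting of `config` / `edit` / `set` / `next` / `end` with a `reserved-address` sub-table; the parser only relies on that nesting, so check it against a real `show system dhcp server` export before using it for a migration.

```python
# Added example: extract DHCP reservations from a config/edit/set nesting (assumed FortiOS
# layout) into a vendor-neutral list, then render ISC dhcpd host stanzas from it.
import re

# Constructed sample; addresses are documentation ranges, MACs are made up.
FORTIOS_SAMPLE = """\
config system dhcp server
    edit 1
        set interface "lan"
        config reserved-address
            edit 1
                set ip 192.0.2.50
                set mac 00:11:22:33:44:55
                set description "print-floor1"
            next
            edit 2
                set ip 192.0.2.51
                set mac aa:bb:cc:dd:ee:ff
            next
        end
    next
end
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def parse_reservations(text: str) -> list:
    """Walk the config nesting and collect every entry inside a reserved-address table.
    Returns dicts with at least 'id', 'ip' and 'mac'; other 'set' keys are kept as-is."""
    stack, current, out = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            stack.append(line.split(None, 1)[1])
        elif line == "end":
            stack.pop()
        elif line.startswith("edit ") and stack and stack[-1] == "reserved-address":
            current = {"id": line.split()[1]}
        elif line == "next" and current is not None:
            if "ip" in current and "mac" in current:
                out.append(current)
            current = None
        elif line.startswith("set ") and current is not None:
            _, key, value = line.split(None, 2)
            current[key] = value.strip('"')
    return out


def to_dhcpd(reservations: list) -> str:
    """Render ISC dhcpd host declarations; refuse malformed MACs rather than emit bad config."""
    blocks = []
    for r in reservations:
        if not MAC_RE.match(r["mac"]):
            raise ValueError(f"reservation {r['id']}: malformed MAC {r['mac']!r}")
        name = r.get("description", f"res-{r['id']}").replace(" ", "-")
        blocks.append(
            f"host {name} {{\n"
            f"  hardware ethernet {r['mac'].lower()};\n"
            f"  fixed-address {r['ip']};\n"
            f"}}"
        )
    return "\n".join(blocks) + ("\n" if blocks else "")


if __name__ == "__main__":
    print(to_dhcpd(parse_reservations(FORTIOS_SAMPLE)))
```

Keeping the extracted list under version control alongside the rest of the network config also gives a record of which MAC was supposed to hold which address, which is useful when a reservation is silently changed or a device is swapped.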