Saturday, February 2, 2019

Cisco 5520 v02

Buying one of these for both home use and to make it easier to access my home lab remotely.

Cheap as dirt on eBay.

Before I buy it... anything anyone aware of for problems? I've got asdm-781-150.bin and asa917-32-k8.bin downloaded already to update it.

By just loading these in, am I going to brick it or do I need to stepping-stone into other updates first?



Teaming with different speed NICs

Some background:

I installed two brand new servers at a DC. Both have 1GbE NICs and 10GbE NICs. I want to do LACP for maximum bandwidth, redundancy, and a cleaner failover. I confirmed with the operations that they support the protocol; however, one of the techs mentioned that they might not be able to handle different speed connections under one dynamic link aggregate. At the moment I have it configured for active load balancing, but I would like to move to LACP as it will provide the best performance (from what I've read). My understanding was LACP could handle different speed NIC grouping.

One server is a hypervisor (in this case the team is a slave to the bridge), and the other is a backup server dealing with some large files from various machines.

Should I be using LACP? Can it support different speed NICs? Is there a better LAG configuration for my application?

*note: I'm studying computer engineering and have more experience with embedded systems than I do networking. Thanks for your patience!



SD Wan VeloCloud

I'm trying to get an idea of how much the VeloCloud devices are leased for.

Our biggest office is about 60 users. Does anyone know how much it costs to lease a VeloCloud device?

Do different vendors charge different prices? I don't want to get ripped off; what we're moving from costs $1200/month (100/100M ethernet hand-off).



Storage for Data Center Accessories

I've been cleaning up one of my inherited data centers & come to the realization that part of the accumulation of mess & trash was caused by there not being any racks/shelves/cabinets/drawers for storage of accessories, cables, tools, parts, etc.

Short of a rack/shelf system from the hardware store, what is everyone's choice/favorite for the storage of their data center accessories/parts (or is the rack/shelf with some bins really the easiest)?



You know what grinds my gears??? People that say stuff is garbage,

I cringe when I hear it. It's not always unfounded, but it does mean you've been defeated. When you have a budget like a non-profit, sometimes you've got to work around shit. Those are the smartest people I've ever met. They never said shit was garbage; they never knew any better. There are at least 3 ways to do almost anything in this industry these days. Is it really that you can't work with a solution, or is it that you won't??

I know this is slightly off topic but it's been said a lot recently.



NetOps Automation use cases

Without getting into the details of how, what are other network engineers using (or wanting to use) network automation tools and techniques to solve, and why?

As an aside, I wonder who has the coolest or wackiest use case?

I hear a lot about automation, and use it for certain things myself, but don't get to socialize much with other Network engineers anymore, and it'd be fun to read about what y'all are working on.



Dot1x with mab

I am working on troubleshooting a dot1x implementation and we basically are strictly falling back on MAB. The main platform giving me issues is a 3750X and I'm going through most any Cisco documentation that I can find on the topic. Running debug on aaa, radius, mab and dot1x events so far, but it doesn't look like a request is even being generated when we toggle the port (there is no real debug output). We can generate requests, however, when we do a "test aaa group NAME USERNAME MAC new-code". I know that it is not much to go on, but was wondering if anyone could offer some troubleshooting avenues that I haven't tried.



Mellanox Mystery

Here is what we started with. Three Dell Poweredge servers each with two Mellanox ConnectX-3 cards. On each server one card goes to an Extreme switch using the SFP+ cables. And on each server the other card goes to another Extreme switch with another set of SFP+ cables for redundancy. All working as designed.

Then the office moved to a new location. At the new site, the cards in slot1 of all three servers show cable not connected. Odd that three cables would suddenly fail. However here is the only common factor we know. The Extreme switch they are connected into had an issue after the move and the firmware had to be reloaded again to get it to boot.

I've eliminated the cables by replacing them. Moved the connection to other ports on the switch. Tested the ports in question using another device to see the link indicator light up. I can't explain how three mellanox cards that worked before a move now show cable not connected.

Any suggestions?



Service Providers with BGP-free cores: How do you handle IGP area/level design?

I know there are people around here that are a fan of leaving everything in L2 or Area 0, but I'm sure once you get to run a larger network that is no longer the best option due to reconvergence + lack of summarization and filtering capability.

So, how do you go about separating areas? Do you give each PoP its own, and put the Backbone links in L2/A0? Do you ever stretch areas between the PoPs? Or do you do away with the multi-area design altogether in favour of some sort of a BGP solution?



Followup to: 10gbe 70% packet loss- solved... M4300 CARP issues

First, thank you all for your support and help and ideas. Even y'all that were spiteful. I love you guys too :)

SO as of today everything is (mostly) working as planned. Mostly because some other unexpected (expected?) issues arose, but otherwise everything is flowing along correctly.

First, let's see- CARP/VIP issues. 1 HA unit (2 machines) had a bad interconnect. I called it from day one, but I didn't know squat so it was ignored. I'm told that 'it must be something new' when I finally whittled it down to the missing interconnect port on one of the nodes. We're waiting to RMA that.

As for the other HA box, the reason the VIP IP constantly broke? Because the sysad at that site had an IP conflict on another piece of hardware, in combination with the M4300 Netgear switch (which apparently does NOT enforce the correct warnings or protocols). I don't know what to say here/there yet, but I'm going to try and raise the issue with Netgear to see if that's an outstanding bug for VIPs or if something else is weird. It was diagnosed by watching a local ARP table on a Windows machine and matching the MAC addresses line by line with the other machines. Since the MAC of VIP/CARP is in a certain prefix, it was easy to find once you knew what to look for.

Second issue- the switch wasn't properly configured for IGMP. Many of you pointed to that, and I certainly spent tens of hours running it down. So (improperly) I turned it all on, and it's been working fine. That's not the correct solution, but it'll do until I get the customer to sign off on accepting the hardware. That and pegging each of the settings. There are still VLAN and management interfaces that need to be done too, so some of this will be corrected then.

Third, the packet loss: See above.

Fourth, the 1x40gbE to 4x10gbe breakouts: Well, that was interesting. For the Chelsio cards to function properly the switch had to have static LAG turned off- so basically dynamic LACP. Once that was enabled everything was goodish.
In addition, it was discovered that the Chelsio adapters were NOT flashed correctly from the factory. Reflashing them to the correct firmware did the trick.
In even MORE addition, my wonderful purchasing department couldn't follow instructions and bought the wrong adapters... again.. for the 3rd time. Once I engaged the supplier directly and shipped out the gear for reflashing, they came back with the right firmware to match the hardware. Geezus, I can't imagine doing this in a data center.

Fifth, performance: Even with 2x 10gbE connections but not teamed (THAT is still an issue- used to work, now broken with Intel), I can move around almost all the data I need. Using iperf (in a hurry because I had 20 mins to get it done before the customer pulled my cable):

[ ID] Interval Transfer Bandwidth
[ 4] 0.00-1.00 sec 928 MBytes 7.78 Gbits/sec
[ 4] 1.00-2.00 sec 751 MBytes 6.30 Gbits/sec
[ 4] 2.00-3.00 sec 783 MBytes 6.56 Gbits/sec
[ 4] 3.00-4.00 sec 788 MBytes 6.62 Gbits/sec
[ 4] 4.00-5.00 sec 792 MBytes 6.64 Gbits/sec
[ 4] 5.00-6.00 sec 752 MBytes 6.31 Gbits/sec
[ 4] 6.00-7.00 sec 92.2 MBytes 774 Mbits/sec
[ 4] 7.00-8.00 sec 93.6 MBytes 785 Mbits/sec
[ 4] 8.00-9.00 sec 111 MBytes 932 Mbits/sec
[ 4] 9.00-10.00 sec 109 MBytes 917 Mbits/sec


[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.00 sec 5.08 GBytes 4.36 Gbits/sec sender
[ 4] 0.00-10.00 sec 5.08 GBytes 4.36 Gbits/sec receiver

You can see some weird stuff there, but most of the other runs were just fine.

SO, thank you all. Quite grateful for the ideas. Doing this all remotely was practically impossible but it got done.

Src Links:
https://www.reddit.com/r/Cisco/comments/a7s2em/sg350xg48_carp_ha_compatibility_netgear_m4300_and/ https://www.reddit.com/r/networking/comments/a6bzx4/10gbe_70_packet_loss/



Echo dots in a VLAN: no dice? (there is also a pihole involved)

Fine members of this sub, I shall ask for your input as I can't seem to find decent info elsewhere.

I have a home network comprised of Ubiquiti switches and APs but *no* USG. I use another Linux based router that handles all the routing including to the WAN. That one also handles the VLAN setup, of course in combination with the Unifi gear (i.e. trunk ports, VLANs assigned to the SSIDs, etc.). Works like a charm. Well, almost...

With all this I have a VLAN 30 that is the pool for my IoT devices, which are assigned dedicated IPs per client in the 10.1.30.0/24 (V)LAN. So, for instance, one of my Echo Dots has 10.1.30.120. As the Dots are connected via WiFi I have made sure that a) this SSID is not set up as a guest network (and gets passed the VLAN ID) and b) it does indeed have internet access. A client on that VLAN can ping its gateway (10.1.30.250), which is also the DHCP server (on the main LAN, 192.168.1.250) and passes DNS requests on to a pihole on the main LAN (192.168.1.50). All this works, since I also have firewall rules on the .250 router that ensure access from the VLAN to the .250 router as well as to the pihole.

Connecting e.g. a smartphone to that IoT-WLAN allows full internet access using domains as well as pinging 10.1.30.250 and 192.168.1.50 and 192.168.1.250. But no other devices on the 192.168.x net. And no other devices in 10.1.30.x. The latter I find a bit odd but it *should* not play a role here.

With the smartphone on said SSID a speedtest shows pretty much full speed.

The Dots on the main 192.168.1-LAN work totally fine (= they are properly set up and yes, the WAN is working just fine as is the overall network).

Yet, having them on the above VLAN makes them act up: they react to their wake word, showing the blue ring, awaiting input. But when I give a command they keep working the blue magic and eventually (after some 10-15 seconds or so) give up, saying that they lost internet connectivity.

As a matter of fact, my router's interface does more often than not show those Dots as being "offline". Yet they obviously are not as they do react. As we all know a Dot that is entirely offline will immediately show the red ring and happily inform half the town that it's offline... Mine start off with a blue dot. That != offline.

I am at a loss what the issue could be. Of course I have 2 things that could cause issues:

1) them being on a VLAN, and

2) the pihole

Again, when the Dots are *not* in the VLAN but in the main LAN (which also goes via the pihole!) everything is just fine and works as expected. This tells me that the pihole and its blacklists are not the problem. And since a smartphone in VLAN 30 can access the internet just fine, the VLAN itself is also not - per se - the problem.

In general, the firewall rules for my main LAN and the VLAN are pretty much the same. There is no additional blocking happening on the VLANs. Therefore I have no idea why this isn't working. Maybe some broadcast problem but: why and what?

Any pointers much appreciated!



Some questions on Cisco QoS queues vs buffers and general help

So I’m a little confused about one of the knobs on Cisco QoS (ios-xe on 3850/3650) that is queue-buffer ratio.

So look at this policy map below

policy-map Outbound
 class VOIP
  priority percent 5
 class VIDEO
  bandwidth remaining percent 15
 class ASSURED
  bandwidth remaining percent 20
 class class-default
  bandwidth remaining percent 60

So the way I understand it, this configuration breaks the interface up into four outbound queues. One of them is a low latency/strict queue for class VOIP and guarantees it 5% of the bandwidth. The next queue is for class VIDEO and guarantees 15% of the bandwidth. Next is the 3rd queue for class ASSURED, and it's guaranteed 20% of the bandwidth. The 4th and final queue is best effort and it gets a guaranteed 60% of the bandwidth.

Each queue can go above their guaranteed limit, so long as the interface isn’t congested... except for the priority queue which will never be allowed more than 5% of the interface bandwidth? (Is this actually true?)

But that just has to do with bandwidth, or transmit rate? But since no buffer ratios are configured, all the queues will split the interface buffer space, so they'll each get 25% of the interface buffer?

So as traffic is switched every bit will transmit as it arrives. This goes until the interface is filled up I.e. until it can’t transmit any faster. So once that happens, additional traffic that needs to be sent waits in line in a buffer.

I guess I'm just a little confused how a class of traffic can be guaranteed 15% of the bandwidth but hold 25% of the buffer space. Maybe I'm not thinking about it correctly. I think an animation would probably help me, but I can't really find anything out there.

So when would you adjust buffer-ratios?

Does the policy map above make sense, i.e. do you think it's a sane configuration? Would you want to give voice/video more buffer space because they're more sensitive for user experience, or would you give them a smaller buffer since they shouldn't be waiting in line as much?
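An added worked example (not from the post) of how the percentages in that policy map combine: "priority percent 5" reserves 5% of the interface, and each "bandwidth remaining percent" value is a share of what is left after the priority class, not of the whole interface. The class names and percentages are taken from the policy map above; the 1000 Mbps link speed is an assumed figure.

```python
# Constructed from the policy-map in the post: (class, keyword, percent).
POLICY = [
    ("VOIP",          "priority",            5),
    ("VIDEO",         "bandwidth-remaining", 15),
    ("ASSURED",       "bandwidth-remaining", 20),
    ("class-default", "bandwidth-remaining", 60),
]


def guaranteed_shares(policy):
    """Return {class: percent of the *interface* guaranteed under congestion}.

    'priority percent P' takes P% of the link. Each 'bandwidth remaining
    percent R' takes R% of the bandwidth left over after the priority
    class(es), so the effective guarantee is R * (100 - P) / 100.
    """
    prio_total = sum(pct for _, kind, pct in policy if kind == "priority")
    rem_total = sum(pct for _, kind, pct in policy if kind == "bandwidth-remaining")
    if prio_total > 100 or rem_total > 100:
        raise ValueError("percentages in the policy exceed 100")
    leftover = 100 - prio_total          # what the remaining-percent classes share
    shares = {}
    for name, kind, pct in policy:
        if kind == "priority":
            shares[name] = float(pct)
        else:
            shares[name] = pct * leftover / 100
    return shares


def guaranteed_mbps(policy, link_mbps):
    """Translate the shares into Mbps for a given link speed (assumed input)."""
    return {name: round(link_mbps * share / 100, 2)
            for name, share in guaranteed_shares(policy).items()}


def unallocated_percent(policy):
    """Percent of the interface no class is guaranteed; >0 means the
    'remaining' percentages in the policy do not add up to 100."""
    return round(100 - sum(guaranteed_shares(policy).values()), 4)


if __name__ == "__main__":
    for name, share in guaranteed_shares(POLICY).items():
        print(f"{name:14s} {share:6.2f}% of the interface")
    print("unallocated:", unallocated_percent(POLICY), "%")
```

With this policy VIDEO is really guaranteed 14.25% (15% of the 95% left after VOIP), and 4.75% of the interface is not promised to anyone because 15 + 20 + 60 = 95, not 100.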



Cisco - Do you have to write after shutting down port

No text found

Which NAC for guest wifi

Hi all my dear techie network brothers! I'm having a look at a NAC solution, specifically oriented to Wi-Fi guest access and control. Would really appreciate a suggestion for products you would recommend. My respects, Cheers!



What is the difference between a link local address and an IP address in the private address space?

Hi guys, I work as a junior embedded C developer in automotive and we have to adapt some eth drivers and implement an Ethernet application layer for some component. Someone asked me when a link local address is used vs an IP address and what the advantages and disadvantages are for both, but I had no idea. I started looking online but I didn't find the exact answer. Do you know any article or book that could help me? Or if someone could briefly enlighten me with this, that would be great! Thank you!



Ciena “Service Delivery Switches”

Hey all,

I'm purchasing two of Ciena's 3916 service delivery switches to primarily use as a media converter to get me from an SMF handoff to RJ45. It will also act as an SNMP traffic monitoring device for an ELAN I'm getting delivered from my fiber provider.

It seems to offer all of the regular features you'd expect to see on a basic Cisco switch. The 3916's price is way lower than any Cisco switch and I like the dual PSU for this application.

I've played with Ciena's CLI and it's almost just the exact opposite of Cisco (instead of "show int", Ciena is "int show"). Nothing too bad.

Anyone have experience with Ciena gear? Horror stories? Happy stories?

Thanks!



UCS boot process very slow-configuring and testing hardware takes forever

Hi guys

Can this be avoided? I am installing software on one of these systems and it takes forever to reboot the server. I am seeing this as a big issue compared with other vendors. If by accident your server goes down (loses power) you need like 10 minutes to get it back.

I looked into BIOS (standalone C220 series server) and I could not find anything there to shorten this process



Bad practice to use test jack in network interface device (NID)?

I have DSL. I recently discovered the RJ11 cable coming into the house is damaged (it's old AF). If I jiggle the cord I can either lose my signal entirely, or as I found out- double my downlink bandwidth. So I bought a new nice RJ11 cord off amazon to run from the NID to my modem. Now I'm wondering if I should run it directly into the test jack inside the NID, or cut the head off and wire it to the posts. Any thoughts?



mtu issue with pppoe

Trying to send a PPPoE packet that exceeds 1422 bytes with "don't fragment" set on, to google.com or even any public website, using the well-known ICMP ping protocol, the packet won't go, knowing that 20 bytes are reserved for IP, 8 bytes for the ping and 8 bytes for the PPPoE header >> which leaves 1464 bytes!!

Am I missing something here ?



Friday, February 1, 2019

How to load balance across clusters in a data center?

Guys,

If I have N clusters and each cluster is load balanced within itself, how do I load balance between clusters?

Just to add each cluster has an ECMP switch at L2, a few NLB at L4, and a few more ALB at L7.

What device can I put at the top of the clusters to load-balance them? Also, which layer of OSI does that device then belong to?

I am trying to understand stuff here. Apologies if I put my question in a wrong way.



Windows DHCPv6 Server

So I have been doing some testing with DHCPv6 with my test environment that I own. I have been given a /64 from my ISP and I subnet it to a /80 based upon VLAN number. So say I was given 1:1:1:1::/64 from my ISP, I have subnetted that to be 1:1:1:1:60::/80 for vlan 60 and 1:1:1:1:70::/80 for vlan 70. I currently have DHCPv6 working perfectly like this on my openwrt router, but when trying to test on Windows Server 2012 R2 or Windows Server 2016, it seems I can only create DHCPv6 scopes with a /64 prefix delegation.

Is there any way to change that to hand out the correct prefix based on the VLANs I have?



VXLAN EVPN over IPSEC with Nexus 9300

Greetings networkers,

Anyone with experience doing vxlan between Nexus 9300 over encrypted IPSec?

Best Regards



Network Dashboards

I was wondering if anyone on here has been asked to create a page that displays the network “health” for your company for end users and management to be able to view. What did you put on it? How did you do it? One person mentioned that they wanted something like how you can go to status.reddit and see all the things that are up and down for reddit.



New Cisco Ruggedized Industrial Hardware

I just saw that Cisco released a new line of ruggedized industrial hardware. Has anyone else read up on these or tested or plan on buying this line? We were looking for this type of hardware recently but Cisco didn't have anything to fit the bill at the time. Curious to other people's thoughts on this line and plans to test. /Discuss



Network Bull

Fell upon this while doing research. Anyone have any insight on this training company in India? They offer a personal trainer, 24/7 lab, and the trainer sticks with you until you pass CCIE. Anyone ever heard of them?



How are Midwest DCs designed to withstand an arctic freeze?

I'm looking at my Cisco switch specs and it says the min storage temperature is -4F, and operating temperature is 32F. So this got me wondering.....

When DCs are built for year-round cooling, what happens when the outside gets into the -30F or -40F range? Is the same level of cooling still necessary, or do these DCs go through a different process to regulate temperature? Can DCs become 'too cold', to where heat needs to be considered? Thanks!



Really bulk cable

I have a project that will require tens of thousands of feet of CAT6. I can't find a source selling anything larger than a 1000' box or spool. As much of this cable will terminate in a single location, I would think it way easier to have a large spool on a spool holder than to deal with multiple boxes and all of the waste because what's left in a box is 4' too short. Am I just looking in the wrong places? Do manufacturers just not make 2K', 5K' or 10K' spools?

EDIT:

Some clarification. The last project was wiring a new office facility, 3 cables to each drop. No single run was longer than 225' but there were enough drops that we used about 30 boxes of cable, all terminated on one end in a single location. I ended up with close to 1000' of cable across all of the leftover boxes but of course not a single piece is longer than ~50'. I envision a spool holder with 3 large spools in it that sits in a single location the whole job. The goals would be to reduce waste as well as speed up the process as you shouldn't have to stop and calculate the next run distance and see if you have enough cable to run it.



Question: How does the computer know which protocol each packet it receives uses?

How does the computer know if a received packet uses TCP, UDP or the IP protocol?



Config analyzer

Hi all. In the programming world people use static code analyzers for source code.

These tools help find errors, check standards and so on.

Is there a similar solution for the analysis of configuration files of network equipment? (Juniper, Cisco IOS, Huawei, Moxa)



Cleaning your Optics ?

Gentlemen,

I won't try to hide it. I'm spoiled by a business that lets me pay other people to solve many problems.

I know a lot about how to build out a new environment (by paying someone to construct my vision).

But I know a good bit less than I wish I knew about maintaining a fiber plant after it's implemented.

Anyone who wants to step up and take their shot at me with a "You're that senior and you don't know how to ..." may feel free to do so. I'll stand tall and take it like a man.

But let's move to the problem I need guidance with from the great reddit collective:

We've been getting our asses kicked with dirty optical connections all of a sudden.
8 or 10 years of peace and quiet with these devices and now like 3 or 5 critical links racking up a billion CRC errors.

We've been playing whack-a-mole with just replacing the transceivers (and RMAing the old ones) and replacing the fiber too if that doesn't do the trick.

But there has to be a better way. Doesn't there?

Should we be cleaning the LC connectors with something?

Do you clean an SFP transceiver with compressed air or something?

Are these steps worth the extra trial & error?
Some of these devices are in managed facilities, and sometimes remote hands aren't as talented or knowledgeable as we might like.

Should we stick with the big hammer and just replace everything until the problem goes away?

Please hit me with your best rookie GIF or Dunce_Cap.jpg if you choose to do so, but please provide a little wisdom along with your zinger, if you please.

Thank you all in advance.

-Nerd



Question about MTU size and how packets are sent

Let's say I have 4 computers connected to the network, all sending and receiving small amounts of data frequently, like in a game.

Questions: 1) If I were to adjust the MTUs of these 4 computers to something like 320 + overhead (yes I know that's stupid small), would the router send those 4 x ~360 within a single 1500 MTU frame out to the internet?

2) If so, does it have any benefits with something like congestion? I know what the disadvantages are already.

Reason: I figured out that a network issue is related to MTU size but then I had this thought.

TL;DR If I have this right, a single Ethernet frame has an MTU of 1500. I imagine it as a train with each frame being a railcar. Can I put 4 different products in one railcar if they all fit?



Suggestions on dealing with fragmentation over the WAN.

So I'm looking just for some more ideas to brainstorm with intermittent issues we have. I've got a bunch of sites coming back to our data center over IPSEC tunnels. Now due to some restrictions put on us and the ipsec devices we're using, it doesn't appear like we are able to get PMTUD working.

Most sites have a firewall we control, where we've been setting the WAN interface MTU down, because in the past we've had some sites lose functionality. However, it was set a while ago by people who aren't here anymore, and I'm trying to determine better ways of doing things, as some sites have the MTU set down to like 1100.

Now I have the option of simply grabbing a packet capture for Wireshark. That is a great tool, but if I'm being honest about my ability, it's not always very clear cut in my eyes. That may be mostly on myself.

Do people on here have suggestions of maybe certain tools to give a try, or maybe Wireshark is the option and you have suggestions of a good way I can use it/filter it?
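An added MTU-budget example (not from either post) that covers the arithmetic in the PPPoE ping post above and the IPsec fragmentation post here: subtract each encapsulation's overhead from the link MTU, work out the largest DF ping payload that still fits, and derive the TCP MSS a firewall should clamp to when PMTUD cannot be relied on. The PPPoE, IPv4 and ICMP sizes are the ones the PPPoE post gives; the IPsec/ESP overhead varies with cipher and mode, so it is taken as a parameter (the 73-byte figure in the demo is a constructed placeholder, not a measured value).

```python
ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8      # 6-byte PPPoE header + 2-byte PPP protocol field
IPV4_HEADER = 20        # minimal IPv4 header, no options
ICMP_HEADER = 8         # ICMP echo header
TCP_HEADER = 20         # minimal TCP header, no options


def path_mtu(link_mtu, *encapsulations):
    """IP MTU left for the inner packet after each encapsulation's overhead."""
    mtu = link_mtu - sum(encapsulations)
    if mtu <= 0:
        raise ValueError("encapsulation overhead exceeds the link MTU")
    return mtu


def max_ping_payload(ip_mtu):
    """Largest ICMP echo payload that fits one IP packet with DF set."""
    return ip_mtu - IPV4_HEADER - ICMP_HEADER


def fits_without_fragmentation(ip_mtu, payload):
    """True if a DF ping with this payload can cross a path of the given IP MTU."""
    return payload <= max_ping_payload(ip_mtu)


def unexplained_overhead(ip_mtu, observed_max_payload):
    """Bytes eaten somewhere on the path that the local encapsulation math
    does not account for: positive means a hop with a smaller MTU than assumed."""
    return max_ping_payload(ip_mtu) - observed_max_payload


def clamp_mss(ip_mtu):
    """TCP MSS to clamp to so full-size segments never need fragmenting."""
    return ip_mtu - IPV4_HEADER - TCP_HEADER


if __name__ == "__main__":
    pppoe_mtu = path_mtu(ETHERNET_MTU, PPPOE_OVERHEAD)           # 1492
    print("PPPoE IP MTU:", pppoe_mtu,
          "max DF ping payload:", max_ping_payload(pppoe_mtu))   # 1464
    # The post observes pings above 1422 bytes failing: 42 bytes unaccounted for.
    print("unexplained overhead:", unexplained_overhead(pppoe_mtu, 1422))
    # IPsec tunnel over the same PPPoE link; ESP overhead is a placeholder.
    ESP_OVERHEAD_ASSUMED = 73
    tunnel_mtu = path_mtu(ETHERNET_MTU, PPPOE_OVERHEAD, ESP_OVERHEAD_ASSUMED)
    print("inner MTU:", tunnel_mtu, "clamp MSS to:", clamp_mss(tunnel_mtu))
```

If the largest DF ping that succeeds is smaller than max_ping_payload() predicts, the difference is a good starting point for where in the path to look.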



Juniper EX4600 - sFlow + MPLS labeled packets?

I'm trying to use sFlow on my EX4600 (with elastiflow) to collect some data on P <-> P links in my MPLS backbone.

However, I am not able to get any sflow data for MPLS tagged traffic, I am only seeing flow samples for SNMP and management traffic. I am using MPLS and VRFs to transport Internet traffic across my backbone.

Is this a limitation of sflow or possibly Elastiflow is getting confused by the labeled packets?



Is there anything I should know when picking a cable for streaming / gaming?

I'm wiring a network cable through my wall for streaming / gaming. I have two cables: a blue, thicker one that I purchased myself. It says nothing on the cable, but the package says "high performance, 100% copper attending to the norm enforced by datacenters". I also have a white, thinner one that the internet provider left. I don't have the package, but it says on the wire: "SOHOPLUS U/UTP 24AWGX4P NBR 14703 --- ROHS COMPLIANT -- CMX 60 degrees C --- VERIFIED TO TIA-568-C.2 CATEGORY ANATEL 00036-08-00256 --- 31807071331 054m". I'm wondering which one is the best, or if it doesn't make a difference? Here is a picture of them.



Simple firewall request

I am often deployed to places with no internet. To get our team online, we use a small Ku or Ka band satellite. I need a way to allow and block people from accessing the internet. Sometimes I need to allow everyone access but limit the type of traffic. For example, I need to block YouTube and other video streaming sites as sat time can be expensive. I love Ubiquiti products, but I am not certain their gateway is really up to the task in terms of quickly and easily making changes to types of traffic. Any recommendations? Max users <100 and typical internet speeds <50Mbps so nothing powerful is needed.



Anybody here on the North side of Boston?

Getting together for beer with network friends in Bedford NH tonight, wonder if there's anybody here would like to join me.



AnyConnect 4.6/7 upgrade question?

Currently using an older version of AnyConnect that doesn't have posture/umbrella or any of that other nonsense. Now that we need to move to the latest version, can someone tell me how to control what gets installed when the client gets updated when connecting to the VPN? I just want the VPN client software and none of the other stuff, but I'm not clear on how to configure the ASA to just install that piece.



How common are out of band management networks?

For those of you who have been in the industry for years, how often do you encounter out of band management networks? What kind of business (or what size of business) usually spends the money to invest in an out of band management network?

I'm curious because I've been learning automation with Python/Netmiko, and I see it's often recommended to have an out of band management network. I'm pretty junior though, and haven't worked at a business that spent money on one. Do most businesses just opt for a management VLAN?



Large user subnets for WLAN deployments? (Aruba)

Hey guys,

I handle the wireless for a large institution and I am working on a migration plan for a move to Aruba 8 on our main campus. I support ~8-10k users on our main SSID per day. Our guest network services 2-3k per day.

I have a controller in each of our two DCs connected via L2, clustered. Our core is L3 and the APs are tunneling L3 to the controllers. I am doing active AP load balancing as well as 50% client load balancing between the two controllers. I am still working on the design, but what I want to do is to trunk the user VLANs to our active/active Fortinet firewall setup and put the user gateways there. DHCP and DNS will be served from an external DHCP server, not from the firewalls.

I wanted to get some input from you guys on how you are handling your user subnets. How big of a subnet are you using? I am confident in Aruba's solution for converting broadcast to unicast and dropping multicast on the VAP, but I am concerned about flooding from the switches and ending up with a broadcast storm that takes down the network.

Am I just asking for trouble by going with a /20 or larger? Perhaps even a /18?

What are you guys doing?

Happy read only Friday.



Recommended books on networking

I am a software dev who is fascinated by networking and am eagerly pursuing more knowledge on this topic in my free time. Any suggested books, particularly dealing with linux networking. Thanks.



LTE Backup Internet Solution for Small Business?

Anyone have any suggestions of a backup 4G LTE internet solution that offers a static IP and I could also just plug into the router that kicks in if the main internet is down?

A small business I help with IT for recently had their internet down for 30 hrs, so they're in need of a backup. Currently they're just using a Netgear R8500 router, so it may not have the capabilities to automatically switch over to a backup connection if the main one drops, but the business owner would be fine with just manually turning on the LTE device and it just starts working.

Any suggestions of devices?

Anything I should look out for?

Thanks



Bridging adapters in Windows causes major slow down??

Hey gang,

So my CCIE lab hangs off my Ethernet port. My WiFi connection is the main source for the web.

It's so weird: on Win10 when I bridged these 2 connections off my laptop (so APs & clients can pull IPs, etc) - no issue.

However when I bridge the 2 connections off my big nasty gaming machine - it works but my actual browsing/surfing experience slows to a crawl.

Anyone ever seen this?



Feeling dumb - DHCP with reservations on a Cisco 3850 switch

Long story short, I had to move several DHCP scopes from a Windows server onto my Cisco 3850 switch stack temporarily. Most of these are working fine. However, I have a Management VLAN which only needs DHCP for our 3 APs. When this scope lived on a Windows server, I just set up a network, excluded the entire range, and then added 3 reservations. Those reserved IPs were assigned to the APs. No sweat. I'm trying to do similar on my switch with a scope built as follows:

!
ip dhcp pool Management
 network 10.200.220.0 255.255.255.0
 default-router 10.200.220.1
 dns-server 192.168.1.20
 domain-name domain.net
 address 10.200.220.11 hardware-address 01de.adde.adde.ad
 address 10.200.220.12 hardware-address 01be.efbe.efbe.ef
 address 10.200.220.13 hardware-address 01ba.beba.beba.be
!

I tried the above both with and without putting the "01" before the MAC address. I don't really understand why it's there, but a web page I found online said to use it... and based on the command output below I decided to go with it. I also tried putting the line "reserved-only" in the scope above; the only difference is then it doesn't hand out any IPs at all.

Goofyswitch#sh ip dhcp bind
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type       State      Interface
                    Hardware address/
                    User name
10.200.209.115      01ma.cadd.ress.01       Feb 01 2019 04:03 PM    Automatic  Active     Vlan209
10.200.209.116      01ma.cadd.ress.02       Feb 01 2019 04:25 PM    Automatic  Active     Vlan209
10.200.209.121      01ma.cadd.ress.03       Feb 01 2019 09:40 AM    Automatic  Active     Vlan209
10.200.210.117      01ma.cadd.ress.04       Feb 01 2019 04:45 PM    Automatic  Active     Vlan210
10.200.210.123      01ma.cadd.ress.05       Feb 01 2019 07:53 AM    Automatic  Active     Vlan210
10.200.210.128      maca.ddre.ss06          Jan 31 2019 09:11 PM    Automatic  Active     Vlan210
10.200.210.129      01ma.cadd.ress.07       Jan 31 2019 10:26 PM    Automatic  Active     Vlan210
10.200.210.130      01ma.cadd.ress.08       Feb 01 2019 02:06 PM    Automatic  Active     Vlan210
10.200.210.131      01ma.cadd.ress.09       Feb 01 2019 01:53 PM    Automatic  Active     Vlan210
10.200.220.4        01be.efbe.efbe.ef       Feb 01 2019 04:32 PM    Automatic  Active     Vlan220
10.200.220.11       01de.adde.adde.ad       Infinite                Manual     Selecting  Unknown
10.200.220.12       01be.efbe.efbe.ef       Infinite                Manual     Selecting  Unknown
10.200.220.13       01ba.beba.beba.be       Infinite                Manual     Selecting  Unknown
Goofyswitch#

So with the reservations I have set up in the scope, why is the switch handing out 10.200.220.4 to my AP? I've only rebooted the one AP so far as a test. The MAC associated with 10.200.220.4 is identical to the MAC I'm trying to hand 10.200.220.12 to.

On an unrelated note, what's with the 01's appearing before the MAC addresses, and why doesn't that 10.200.210.128 system have a 01 in front of it? It's the only system which seems to be behaving that way; I don't get it.
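The binding table in the post can be audited mechanically for exactly the symptom it describes: a client holding an Automatic lease while a Manual binding exists for the same identifier. This is an added example, not code from the post; the sample output is constructed in the shape of the `sh ip dhcp bind` listing above and the MACs are dummies. It also decodes the leading 01: IOS shows the DHCP option 61 client identifier when the client sent one, which is hardware type 01 (Ethernet) followed by the 6-byte MAC, while a bare 12-hex-digit value is the frame's chaddr from a client that sent no option 61.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the poster's "show ip dhcp binding" output.
# MACs are dummies; the two 10.200.220.x entries for ...abcd.12 reproduce the
# symptom in the post: one client in an Automatic and a Manual binding.
SAMPLE_BINDINGS = """\
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type       State      Interface
                Hardware address/
                User name
10.200.210.128  0050.56ab.cd06          Jan 31 2019 09:11 PM    Automatic  Active     Vlan210
10.200.210.129  0100.5056.abcd.07       Jan 31 2019 10:26 PM    Automatic  Active     Vlan210
10.200.220.4    0100.5056.abcd.12       Feb 01 2019 04:32 PM    Automatic  Active     Vlan220
10.200.220.11   0100.5056.abcd.11       Infinite                Manual     Selecting  Unknown
10.200.220.12   0100.5056.abcd.12       Infinite                Manual     Selecting  Unknown
10.200.220.13   0100.5056.abcd.13       Infinite                Manual     Selecting  Unknown
"""

BINDING_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<cid>\S+)\s+"
    r"(?P<lease>.+?)\s+"
    r"(?P<type>Automatic|Manual|Static)\s+"
    r"(?P<state>\S+)\s+"
    r"(?P<iface>\S+)\s*$"
)


def decode_client_id(cid):
    """Return (kind, mac) for the identifier column of an IOS binding.

    A 14-hex-digit value starting with 01 is a DHCP option 61 client
    identifier: hardware type 01 (Ethernet) followed by the 6-byte MAC.
    A bare 12-hex-digit value is the chaddr field, i.e. the client sent no
    option 61 and IOS matched it by hardware address.
    """
    hexstr = cid.replace(".", "").lower()
    if len(hexstr) == 14 and hexstr.startswith("01"):
        return "client-identifier", hexstr[2:]
    if len(hexstr) == 12:
        return "hardware-address", hexstr
    return "unknown", hexstr


def parse_bindings(text):
    """Parse the binding table into one dict per lease line."""
    rows = []
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if not m:
            continue  # header and continuation lines
        row = m.groupdict()
        row["kind"], row["mac"] = decode_client_id(row["cid"])
        rows.append(row)
    return rows


def find_unhonoured_reservations(rows):
    """Return (mac, reserved_ip, leased_ip) for every MAC that has a Manual
    binding but is actually holding an Automatic lease on another address."""
    by_mac = defaultdict(list)
    for r in rows:
        by_mac[r["mac"]].append(r)
    findings = []
    for mac, entries in sorted(by_mac.items()):
        reserved = [e["ip"] for e in entries if e["type"] == "Manual"]
        leased = [e["ip"] for e in entries if e["type"] == "Automatic"]
        for r_ip in reserved:
            for l_ip in leased:
                if l_ip != r_ip:
                    findings.append((mac, r_ip, l_ip))
    return findings


if __name__ == "__main__":
    rows = parse_bindings(SAMPLE_BINDINGS)
    for r in rows:
        print(f"{r['ip']:<15} {r['type']:<9} {r['kind']:<18} mac={r['mac']}")
    for mac, r_ip, l_ip in find_unhonoured_reservations(rows):
        print(f"WARNING: {mac} is reserved {r_ip} but holds automatic lease {l_ip}")
```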



Network layout help (switch redundancy)

Greetings,

I am designing a network for my organization's new building and I am hoping to build in redundancy from the access switches to the core and firewall (see diagram).

I'm struggling to understand the best way to create redundant "uplinks" to the core from the access switch stacks, without creating loops. Is LAG/LACP the best practice for this? The switches are mostly Aruba 2930F.

Here's an example: the Floor 2 IDF has a stack of (3) 2930F switches. Two of those switches have an uplink back to the core switch stack (2x 2930F switches). If all switches are operational, would this create a loop?



Anyone have a working OSPF alert in LibreNMS?

Hi,

I have posted on the LibreNMS forums with no success. I need to enable OSPF alerting, but am lost on how to get it to behave in the manner in which I want.

I have the following rule:

(ospf_nbrs.ospfNbrState != "full" AND ospf_nbrs.ospfNbrState != "twoWay" AND macros.device_up = 1)

This is fine for any neighbor that is not reaching full adjacency. But when a neighbor goes down, the entry is removed from the ospf_nbrs mysql table. This means that the alert does not trigger if a neighbor goes completely down.

As a work around, I could create a rule that is based on OSPF neighbor count, but this is cumbersome and requires a rule written for a variety of different devices with varying neighbor count.

Is there another table or setting in Libre that I can reference if a neighbor goes down? I am migrating from Solarwinds, and this is literally the last thing keeping me from turning off Solarwinds completely.

Thanks in advance!



Comparing "Voice VLAN" and "Trunk/Native VLAN" for connecting VOIP phones

Imagine this topology:

[PC] ------- [VOIP Phone] ------- [eth0/0 on a Switch] 

And this configuration on the switch:

vlan 22
 name DATA
vlan 33
 name VOICE

There are two ways to have both the PC's traffic and the VOIP phone's traffic "arrive" on eth0/0 in distinct VLANs: 1. use a trunk port, 2. use the "Auxiliary VLAN" feature.

Option 1:

int eth0/0
 switchport mode trunk
 switchport trunk native vlan 22
 switchport trunk allowed vlan 22,33

Option 2:

int eth0/0
 switchport mode access
 switchport access vlan 22
 switchport voice vlan 33

The net effect of either of these is the same: untagged traffic from the PC arrives and is accepted into VLAN 22 (the data VLAN), and tagged traffic from the VOIP phone arrives and is accepted into VLAN 33.

My question:

What are the benefits of using Option 1 or Option 2? What reasons exist that make either of these better than the other?



What IP cameras & NVR do you use?

Hello,

It’s finally Friday! I had a quick question regarding IP cameras and NVRs. I’ve been looking around Amazon and a few surveillance store sites and haven’t been able to find a budget system (under $1000 for 32CH NVR & at least 10 cameras).

Would anyone be able to share what setup/brand of cameras and NVR they use? I’ve looked into Blue Iris and it would cost $65 for the full version, which supports up to 64 cameras, which seems like a good deal. Is this a one-time fee you pay? If anyone has used Blue Iris, does it usually work with most IP cameras?

Most importantly, what brand of IP cameras do you think are the best? I’ve looked into HIKVision and some other cheap Chinese cameras. They all have their flaws.

This will be set up for a medium-sized church. Room for expansion will be needed.

Thank you.



Replacing a PE/P MPLS Router

We've had one of our P/PE devices die last night and I'm looking for tips on how to swap it out with as little disruption as possible.

The issue is that we take full routing table from our Tier1 provider and when we put a new device in, it blackholes traffic for about 30 minutes while routes are being imported from RIB to FIB. We also advertise our /21 and /22.

This router has 1 internet uplink, 3 connections back to other PE's and P devices.

I was thinking as follows:

  1. Shut down the uplinks to other PE's
  2. Power up. Remove the export policy for its internet neighbor. Let it take the full table from our Tier1. Wait 30 minutes
  3. Bring up its uplinks to other P/PE's

Is there anything else I've missed out? Or is there a better/less disruptive way to do it?



Filtering individual ipv4 and ipv6 addresses on Internet border routers

Curious what the various policies are for folks when it comes to filtering individual ip addresses at the border rather than at the firewall?

I oversee three AS's and control all the internet routing between them. For years we've avoided putting in filters to block IPs that might be doing bad things (spam, phishing, etc.). I feel our job is moving packets as efficiently and as fast as possible. Always felt the job for that type of security should be the firewall folks at each site.

That being said- hardware is faster and better - the ability to script block lists is a lot easier and can be somewhat automated. (Although the thought of another group being allowed to upload lists freaks me out.. they mess up I'm the one getting yelled at.) Yep we could oversee it but we are a small team and time is better spent running the WAN not dealing with what we have always felt is a layer 7 issue. Maybe this isn't a layer 7 issue?

Also, this is not DDoS related at all; we have stuff in place for that and it is a different problem. This is more policy between LAN vs WAN.

Thanks in advance!



Mode conditioning fibre Cable

Hi fellow netadmins,

My question is related to the need to use mode conditioning patch cables (MCP).

I try to use our existing MM fibres (which I assume should be OM1, 62.5/125) with SFP-10GB-LRM transceivers over quite short distances. 30m - 100m.

My first test was on a cable of around 100m and it worked fine without the mode conditioning cable, despite recommendations to use MCP on both ends.

1 huge SFP+ order later and I am finding out that I have issues establishing a link on shorter cables (30m)

From what I have researched, MCP is not necessary on short distances as the Differential Mode Delay (DMD) does not have an effect on MMF over short distances, and some people say you only need MCP on cables over 120m or so.

I do not have any MCP to test if this fixes the problem, however I have some links that work completely fine and others that go down after a second due to link-flap.

Have you come across this problem in your uplink upgrades? Any recommendations to test before I place an order for hundreds of cables?

Your advice is appreciated.



Massive config deployment

Hello r/networking!

I am looking for suggestions as to what you guys use for deploying the same config on 100s of devices.

I know there's a solution in scripting but I am looking for a convenient software solution; does SecureCRT do it?

I am also looking into ways to get the serial number of 100s of devices and output it into CSV or XLSX.

If the solution is in some scripting can you give some pointers as to what language to look at?

Thank you!
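For the second half of the question (serial numbers of many devices into a CSV), the part that is not tied to any session library is parsing `show inventory` and writing the rows out. This is an added example, not from the post; the three devices' output is constructed (hostnames, PIDs and serials are dummies), and in a real run the text would come from an SSH session to each device.

```python
import csv
import io
import re

# Constructed "show inventory" output for three devices, keyed by hostname.
# In a real run this text would be collected over SSH from each device; the
# parsing and the CSV step below do not depend on how it was collected.
SAMPLE_INVENTORY = {
    "core-sw1": (
        'NAME: "c38xx Stack", DESCR: "c38xx Stack"\n'
        'PID: WS-C3850-48P      , VID: V04  , SN: FOC1111A1AA\n'
        '\n'
        'NAME: "Switch 1", DESCR: "WS-C3850-48P"\n'
        'PID: WS-C3850-48P      , VID: V04  , SN: FOC1111A1AA\n'
        '\n'
        'NAME: "Switch 1 - Power Supply A", DESCR: "Switch 1 - Power Supply A"\n'
        'PID: PWR-C1-715WAC     , VID: V01  , SN: LIT2222B2BB\n'
    ),
    "idf2-sw1": (
        'NAME: "1", DESCR: "WS-C2960X-48FPD-L"\n'
        'PID: WS-C2960X-48FPD-L , VID: V03  , SN: FCW3333C3CC\n'
    ),
    "idf3-sw1": (
        'NAME: "1", DESCR: "WS-C2960X-24PS-L"\n'
        'PID: WS-C2960X-24PS-L  , VID: V02  , SN: FCW4444D4DD\n'
    ),
}

NAME_RE = re.compile(r'NAME:\s*"(?P<name>[^"]*)"\s*,\s*DESCR:\s*"(?P<descr>[^"]*)"')
PID_RE = re.compile(
    r'PID:\s*(?P<pid>[^,\s]*)\s*,\s*VID:\s*(?P<vid>[^,\s]*)\s*,\s*SN:\s*(?P<sn>\S*)'
)


def parse_show_inventory(hostname, text):
    """Turn one device's show inventory output into a list of row dicts.

    IOS prints each item as a NAME/DESCR line followed by a PID/VID/SN line,
    so a PID line is attached to the most recent NAME line seen.
    """
    rows, pending = [], None
    for line in text.splitlines():
        m = NAME_RE.search(line)
        if m:
            pending = m.groupdict()
            continue
        m = PID_RE.search(line)
        if m and pending is not None:
            rows.append({"hostname": hostname, **pending, **m.groupdict()})
            pending = None
    return rows


def chassis_serials(outputs):
    """Map hostname -> serial of the first inventory item, which IOS lists
    first as the chassis (or the stack, on a stacked switch)."""
    result = {}
    for host, text in outputs.items():
        rows = parse_show_inventory(host, text)
        if rows:
            result[host] = rows[0]["sn"]
    return result


def inventory_to_csv(outputs):
    """Render every inventory item of every device as CSV text."""
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=["hostname", "name", "descr", "pid", "vid", "sn"]
    )
    writer.writeheader()
    for host, text in outputs.items():
        writer.writerows(parse_show_inventory(host, text))
    return buf.getvalue()


if __name__ == "__main__":
    print(inventory_to_csv(SAMPLE_INVENTORY))
    for host, sn in chassis_serials(SAMPLE_INVENTORY).items():
        print(f"{host}: {sn}")
```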



Monitoring of unknown unicast traffic

Hello Team!

I would like to monitor unknown unicast storms in my network. Do you know any good way for that? What is the best practice?

Remark:

some days ago my two Juniper QFX switches (MC-LAG peers) stopped synchronizing MAC tables via ICCP -> one of the boxes started forwarding normal unicast traffic as unknown unicast -> servers connected to this switch began suffering from unknown unicast flood +20kpps + 200mbps (right now I am still trying to define the root cause of the issue with JTAC)



Router Virtual Appliances that support ASN Fields in Netflow/sFlow/IPFIX etc.

Hi Guys,

As per subject, I'm trying to find a Virtual Router appliance / addon etc. that utilises BGP AS (Origin-AS|Peer-AS) fields in the various flavours of Flow. From the research and lab time I've spent thus far:

  1. Mikrotik state they don't send ASNs in either Netflow or IPFIX (but I still confirmed via Wireshark)
  2. No luck with VyOS; both sFlow and Netflow (also confirmed via Wireshark).

Just wondering if anyone has had a similar requirement and what was used to get it all over the line?

Many thanks in advance!



can i use a potentiometer on my network interface?

I have a question. If I have two links with the same kind of interfaces from different manufacturers, and one is faster than the other, can I manipulate the speed of packet injection on the link for one interface to make it slower and go as fast as the other one?

It's only an idea, I don't need it, but I want to know if there is a way to do it.



Half-U 24-port patch panel w/female to female couplers- does it exist?

I was hoping to save space in my rack and all the cables coming in are already terminated- anyone know of a half-U patch panel that can have double female jacks installed?



Thursday, January 31, 2019

Two separate standalone firewalls in two locations > DMZ?

I have two firewalls (P.Alto) sitting in two different campuses within our infrastructure connected via fiber. They are not synced to each other, just plain standalone FWs. Set up for redundancy and protection for our internal network. From the firewall up to the ISP all devices have assigned public IPs.

The question is: can I set up a separate DMZ on the other end, FW1? Everything is off the FW2 DMZ interface (servers, etc.); if it is unreachable (site or FW), everything off that is blackholed. Oddly the DMZ interface on FW2 has a public IP.

Is it possible to create an additional DMZ in FW1 to put some services behind that, even though on FW2 the DMZ interface has a public IP address? Should I assign the FW1 DMZ a private IP, or will I have to get a new set of routable public IPs from the ISP? Any issues?

I'm no expert, but if FW1 gets a DMZ, they will have to use a new set of routable IPs (NAT)? I doubt that the DMZ can use the same subnet of IPs as the FW2 DMZ.

Connected from top to bottom (ISP to Campus):

ISP1                                        ISP2
ASR1 (HSRP) ------- Virtual IP ------- ASR2 (HSRP)
Sw1 (Pub IP) ------- fiber (Pub) ------- Sw2 (Pub IP)
FW1 (in, out)                               FW2 (in, out, DMZ = Public IP)
Campus 1 --------- fiber (internal) --------- Campus 2



Anybody outsource a Cisco Voice System?

We are being asked to look into this. Anybody do this recently? I would imagine a hosted solution with a company or Cisco's new acquisition would be the only solutions out at this point.



OneTouch AT G2 is incredibly slow to do Ethernet cable test?

I recently got a OneTouch AT G2.

One of the things I want to do is basic Ethernet cable tests (i.e. that they're crimped correctly etc).

(I have a separate JDSU Certifier)

However, the OneTouch seems really slow. I plug in a cable to both ports, push the green Test button and it takes 15-20 seconds.

The MicroScanner 2 was much faster - the LinkRunner AT-2000 was in the middle.

Are there any tricks to make Ethernet cable tests faster on the OneTouch?



Question: Resurrected Networking Protocols

Over the years there have been numerous wide-area and inter-networking technologies that faded away.

What are some examples of those that have come back as "new and improved"?



Odd amounts of UDP traffic coming from an iPhone

We are dangerously close to our crappy Xfinity data cap this month. I put the kids on notice to begin extreme bandwidth conservation. My daughter's iPhone used 4.3 gigs yesterday and 14 gigs over the past week. This seems quite excessive. I looked at the bandwidthd graphs for her phone and I'm seeing a lot of UDP traffic. I don't see that much brown from any other iOS device in the house.

Here's the graph: https://1drv.ms/u/s!AiwjqTLzz79hqEui5CjrM9-FIyxY

Does anyone have any idea what the UDP traffic might be or how I could find out what it is? I wonder if her phone has been compromised somehow.



Thinking of leaving my large VAR for a smaller regional one, am I crazy?

I’m a senior wireless neteng guy working for a $7B Cisco VAR.

I have been there ~2 years and am mostly happy. My biggest complaint is that I work remote 100% of the time and it’s hard to really get a feel for management etc.

They pay for my certs and conferences, and I made $133k last year. I decided to stick my head up just to see what’s out there and have had an onslaught of requests that I am considering.

Top contenders are a $10B Cisco VAR in the top 10 on the CRN list. Another is an even larger one in the top 5 of the same list. Both are offering ~12k more annually as a base; all would be a lateral move essentially.

Then there is this one $1B regional VAR. They had a complete mgmt change about 2 years ago and are looking to really establish senior architects and engineers into the company. They are offering $165k and my commute would be 90% the same.

The benefits are mostly the same, I’m just not sure if it’s worth it.

Pros:

  • Practice Arch level work
  • Money is $35k better
  • I would be the top dude for the firm nationally (although they are mostly regional)
  • Higher visibility

Cons:

  • Smaller company (if $1B is a “small firm”)
  • Less travel to cool places (I only did 50 nights last year, mostly domestic, but I got back from Australia 3 weeks ago for a 7-day gig)
  • Not as established I guess?

As a delivery guy I can always go get another delivery/SA gig at Presidio/Insight/WWT/CDW, especially in this market for security and wireless folks. Am I just being apprehensive in leaving my comfort zone?

I almost feel like I owe it to myself to try for this new gig, it’s 30% raise, more impact and seniority, same benefits....I just have this weird feeling and I don’t know how to quantify it...maybe it’s fear of leaving my bubble?

I would fear being bored but if a firm is willing to pay this much for a super senior dude to straddle WLAN/Campus LAN stuff for pre & post sales, I would hope they have a pipeline to justify it all.

I got the call today that the execs and practice want to meet me. If that goes well a long white-boarding session would be next.

What questions should I ask? What should I look for? I’ve never left an established comfy FTE for a less known, smaller firm for a 30% raise.

TIA



Trying to configure BIND and DHCPD to use IPv6 and prefix requests

As the title states.

My provider is Telstra and I have confirmed they use IPv6 through IPv4. I have managed to configure my pfSense gateway to use Telstra's IPv6 tunnel to get an external IPv6 address and obtain a subnet prefix. I have the DHCP server built into pfSense using that prefix to issue IP addresses to my LAN BUT...

I wish to move all these settings across to my CentOS box that uses BIND and DHCPD to run my IPv4 local LAN and authoritative local domain addresses. Not worried about this right now but, once I get this working locally, I want to then configure my external authoritative DNS to allow customers to use my IPv6 to access services.

All the research i have done has come from posts only as recent as 2014, many were older.

I think I am close to getting BIND to work as a recursive IPv6 DNS server, but I haven't been able to test it as I haven't worked out using prefix requests to get a local IPv6 address and then having the DHCP server issue that address as a local IPv6 DNS server.

My BIND main config: https://justpaste.it/6juru

My Bind zone config doesn't have IPv6 addresses in it yet.

My DHCPD config doesn't have any DHCP6 info in it yet either: https://justpaste.it/72lbs

I have also tried to add the DUID of my CentOS box to the DHCP6 server of pfSense to assign a static address, but it isn't working. This was my plan to initially test the BIND server.

From what I have found, my DUID should be located in the file: /var/lib/NetworkManager/dhclient6-*.lease

Mine is: dhclient6-8de8796d-a9f6-4178-8461-3e65658b076b-enp1s0.lease

The content of that file is: https://justpaste.it/2fz0p

So I assume my DUID is: \000\004\204\273\203h\011\243\325\225Y\321e\366\247\217\303\014

But that hasn't worked when I put it in the DHCP6 server to be assigned a specific IP address.
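The DUID string in the post is in dhclient's lease-file encoding (printable bytes literal, everything else as three-digit octal escapes), not in the colon-separated hex that DHCPv6 servers take for static assignments (for ISC dhcpd, `host-identifier option dhcp6.client-id 00:04:...;`). The following is an added example, not the poster's code: it decodes the value quoted above into raw bytes, reports the DUID type from its first two bytes, and prints the hex form.

```python
import uuid

# The DUID exactly as quoted in the post, as it appears in the dhclient6 lease file.
LEASE_FILE_DUID = r"\000\004\204\273\203h\011\243\325\225Y\321e\366\247\217\303\014"

# DUID types from RFC 8415 section 11 (type 4 is defined in RFC 6355).
DUID_TYPES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL", 4: "DUID-UUID"}


def decode_dhclient_string(s):
    """Decode dhclient's lease-file string encoding into raw bytes.

    dhclient writes printable bytes literally and every other byte as a
    three-digit octal escape (\\ooo); a literal backslash or double quote
    is written as \\\\ or \\".
    """
    out = bytearray()
    i = 0
    while i < len(s):
        ch = s[i]
        if ch != "\\":
            out.append(ord(ch))
            i += 1
            continue
        nxt = s[i + 1]
        if nxt in ("\\", '"'):
            out.append(ord(nxt))
            i += 2
        else:
            out.append(int(s[i + 1:i + 4], 8))  # e.g. \204 -> 0x84
            i += 4
    return bytes(out)


def duid_to_hex(duid):
    """Colon-separated lowercase hex, the form dhcpd's dhcp6.client-id takes."""
    return ":".join(f"{b:02x}" for b in duid)


def describe_duid(duid):
    """Return type, type name and hex form; for DUID-UUID also the UUID itself."""
    if len(duid) < 2:
        raise ValueError("DUID must carry at least a 2-byte type field")
    dtype = int.from_bytes(duid[:2], "big")
    info = {
        "type": dtype,
        "type_name": DUID_TYPES.get(dtype, "unknown"),
        "length": len(duid),
        "hex": duid_to_hex(duid),
    }
    if dtype == 4 and len(duid) == 18:  # 2-byte type + 16-byte UUID
        info["uuid"] = str(uuid.UUID(bytes=duid[2:]))
    return info


if __name__ == "__main__":
    raw = decode_dhclient_string(LEASE_FILE_DUID)
    for key, value in describe_duid(raw).items():
        print(f"{key:<10} {value}")
```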



Replacing Distribution Switch with Virtual Chassis

I talked to a vendor today about my network requirements and they recommended not having a distribution layer and instead using a virtual chassis to connect all of the switches. Taking that design into consideration here is a diagram I came up with. All of the network switches are EX3400s and the EX2300 will just be for out of band management. As far as a firewall goes we are planning on going with a FortiGate 80E.

I can see the good things about it such as it being easier to manage and cutting costs, however I am concerned about there being potential security issues. All devices including servers, workstations, laptops, employee byod devices, cameras, building automation systems, guest devices, etc would be on one stack. I know juniper has firewall filters, but would that and the edge firewall be enough to properly secure the network?

I would really appreciate feedback on my network design and suggestions on how to improve it. This isn't a huge network so I can see how it would make sense to go down this route, but I really want to make sure I am making the right decision.



Looking for comprehensive books on IPv6, any suggestions?

http://bit.ly/2GbjGxI

Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post and as well a nice description to this thread.



Hi there. I have a 21 room motel, and am trying to figure out the best way to blanket my property with wifi.

Each room has a Roku TV, that only uses the internet for TV (no cable). I will be bringing in a dedicated line with 40MB speeds. Should I put that out to several routers around the property and that's about it? Or what about a power line set up? Thanks for any suggestions



Packet loss when not using bandwidth limits

This issue came up when I tried to set up my new Netgate 1100 and was hoping you smart people might help explain what is happening.

Setup: Netgate with normal setup. Desktop is connected to LAN port. No traffic shaper set up. ISP giving me 100 Mbit/s down and up.

Exactly every 6 minutes my desktop drops 100% of packets for a few seconds. Viewed via PingPlotter and ping to 8.8.8.8. I have searched for an answer on Google with no luck.

I finally fixed it by setting a limit on my bandwidth to 80 Mbit/s down and up. I am unsure what would cause this kind of issue. ISP bufferbloat? This is not specific to this router; before this one I had a Ubiquiti EdgeRouter X with the same issue. Is there anything I can do without throttling myself?

Thanks!



a brand new server slowing down the network?

I work in a small/medium-sized network environment with about 150 users. I recently set up a Windows Server 2016 with Hyper-V role on a brand new tower that we were not using. It's housing 3 Hyper-V Ubuntu Apache VMs. They are connected to a virtual internal NAT switch.

I was setting up an open source ticketing system on one of the VMs (the 2 other Apache servers were not running at the time). We started receiving phone calls from people that the internet was very slow. I noticed that the timing coincided with the time when I turned on the server and was working on it. The internet speed came back to normal when I shut down the Windows Server.

I am gonna go back to work and find out what's taking up network resources the most from the server. What could possibly be causing the network congestion?



SonicWall: increasing my DHCP/IP scope/range?

Basically I'm using 10.10.40.1-10.10.40.254 as my static range, and I have 10.10.41.*, 10.10.42.*, and 10.10.43.* as the rest of my DHCP scope. I'm falling short on IPs during high use. The main issue, I believe, is that they set up wifi on the same scope, so even though there are only 350 devices hard wired, that's at least another 300 devices on wifi. What are my options?



Cradlepoint CBA850 for OOBM

Hello,

Curious if anyone would care to share a typical setup/design of how best to achieve OOBM to a small stack of network devices which would sit behind a cradlepoint CBA850 we are thinking of purchasing? More specifically, since I am assuming we would have/need a static public ip address, we are curious if to gain access to device(s) situated behind the cradlepoint - is it possible and secure enough to simply use the cradlepoint only and lock down access to only specific inbound IP's? OR, is it recommended to throw a firewall in as well for more features + security? We would ideally be connecting to a console server with all networking gear connected to that. thanks



Anyone with checkpoint experience have knowledge of automation?

Mainly trying to figure out how (if I even can) to automate policy installations for our change windows. Looks like in the GUI there's options for Application and URL Filtering and IPS automated updates, but none for just a pure policy installation.

Running on R80.10



Does opening a pre-emptive TAC case actually do anything?

We ran into some issues on our last cutover that were rather technically specific that management was unable to comprehend the details of. After laying out a plan of action I keep getting requests to open a "proactive" case. How is this any different from just opening a Sev2 on the day of the case? Because I can't open a Sev2 today and keep it in that status. And if it is a Sev3, I might be assigned an engineer who doesn't work on shift come the day of a cutover. Just wondering if anyone else has found "proactive TAC cases" as effective.



This Cisco Switch is keeping ARPs from different subnets

I am a bit puzzled by the operation of this one particular cisco switch in my infrastructure.

The switch (with the weird behavior), let's say, has an IP of 192.168.1.254/24 on int vlan 1. I am using another box to access it via that IP. Let's say the IP of that box is 192.168.2.254/24. My infrastructure routes the traffic between a couple of subnets (going through an L3 switch and a firewall) to arrive at the 192.168.1.0/24 subnet.

Now the weird part is that the switch itself has ARP entries (shown with the sh arp command) for devices on the 192.168.2.0/24 subnet. The device only has an IP address of 192.168.1.254. Since 192.168.2.254 is on a different subnet it should not ARP for it... at all. It should ARP for its gateway. Makes sense, right? Well, I look at the MACs associated with the remote subnet and they all have the MAC address of the default gateway (which is an ASA firewall). I know the ASA does proxy ARP, but the ASA is NOT directly attached to the 192.168.2.0/24 subnet. There is another network in between until it gets to the 192.168.2.0/24 subnet.

Now, the connection to the switch is fine. It is routing as intended. I am just perplexed why the hell this switch 1: does an ARP for an IP on a different subnet and 2: why the hell does the ASA respond to the ARP for an IP address it doesn't even have an ARP entry for?



Passive Monitoring Tool with Graphical Data Output

Has anyone found software that ingests packet captures like Wireshark, but makes customizable graphs?
Solarwinds came out and tried to sell me on their software, but I don't want SNMP or anything reaching out into my operational network. I just want a windows workstation to take in packets from a monitor port on one of my backbone switches that shows all traffic and display the results in graphical form.
Wireshark works great for troubleshooting and identifying issues, but I wanted to stand up a constantly running graphical display of typical traffic and connectivity to a multitude of sites and systems. Does this exist?
I read the post about Scapy, but that doesn't seem to fit the bill, as I'm looking for a packaged windows application, even one that would work in conjunction with Wireshark.



What optimizations exist on Access ports that don't exist on Trunk ports (by default)? [Cisco]

In STP, the command spanning-tree portfast only applies portfast if an interface is configured as or negotiated as an Access port.

This is an example of an optimization that only applies to Access ports.

(I know you can apply it to a trunk using switchport port-fast trunk)

My question is, what other optimizations exist that only apply to access ports (even if there are workarounds to also apply them to trunk ports)?



Be careful with RDP without any more security



Request: Follow up to the year old thread "We've eliminated routing protocols from our network!"

Thread is here:

https://www.reddit.com/r/networking/comments/7r9n6y/weve_eliminated_routing_protocols_from_our_network/

OP, you deleted your account! Why? Did you get fired? We need an update to see how things are going. Curious who needs to eat crow, you or the rest of us.



Compatibility of Cisco DACs for Procurve / Aruba

We are looking to deploy Procurve/Aruba Switches on our edge to replace misc ethernet switches, while leveraging our Cisco Nexus 3524's as a core.

I know Cisco switches complain relentlessly about using non-Cisco SFP cables and GBICs so we'll probably get Cisco cables.

I know they work between Nexus > our Servers and Storage

But anyone have experience using DACs between Cisco and Procurve/Aruba's? We just want proof that they will work. (1gb/s and 10gb/s)



VLan and Default Gateway Switch

I forgot something very basic. Looking to setup some IP Spoofing measures. Have been buried pretty deep in Windows Server environment and looking at IP spoofing protection with our Meraki MX FW and I forgot a concept of general routing/switching.

PC/Guest APs --> L3SWITCH ----(Tagged port)-> FW -> ISP RTR

Right now we have our core switch operating at L3 and is the default gateway. This will then push the traffic from 3x different vlans to the FW. In order to setup IP Spoofing a requirement when device is using Nat is as such:

  • The source IP address is reachable through a configured static route or local VLAN
  • If the source IP address is contained within a configured VLAN, the source VLAN must match the configured VLAN ID for the source IP's subnet
  • If the source IP address is contained within a configured static route, the source VLAN must match the VLAN ID for the subnet that the next hop IP of the static route is accessible through

I completely forgot what happens to a packet at the GW switch in this type of structure and how it's tagged when it gets to the FW. I feel like it could complicate things. Left the switch as the gateway so we could have better lower-level control; was this a bad idea?

TL;DR - Core switch is the default gateway, passes traffic to the FW from local VLANs. Forgot how that traffic looks when it arrives at the FW and how it's tagged. Looking to set up some IP spoofing preventative measures.
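The three rules quoted in the post can be modelled directly, which makes the routed-core case concrete: because the core switch is the gateway, every user subnet reaches the firewall on one tagged transit VLAN and is therefore judged by the static-route rule, not the local-VLAN rule. This is an added example and not the poster's configuration or the firewall vendor's implementation; the transit VLAN, subnets and next hop are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Vlan:
    vlan_id: int
    subnet: ipaddress.IPv4Network


@dataclass(frozen=True)
class StaticRoute:
    prefix: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address


# Constructed topology in the shape of the post: the core L3 switch is the
# default gateway for three user VLANs and forwards everything to the firewall
# over a single tagged transit VLAN (100). The firewall therefore knows the
# user subnets only through static routes whose next hop is the switch.
TRANSIT = Vlan(100, ipaddress.IPv4Network("10.0.100.0/30"))   # FW .1, core .2
CORE_NEXT_HOP = ipaddress.IPv4Address("10.0.100.2")
FW_VLANS = [TRANSIT]
FW_ROUTES = [
    StaticRoute(ipaddress.IPv4Network("10.10.10.0/24"), CORE_NEXT_HOP),  # staff
    StaticRoute(ipaddress.IPv4Network("10.10.20.0/24"), CORE_NEXT_HOP),  # guest
    StaticRoute(ipaddress.IPv4Network("10.10.30.0/24"), CORE_NEXT_HOP),  # APs
]
# Contrast case: the guest subnet is also defined as a local VLAN on the
# firewall although the core still routes it. The second rule then drops it.
FW_VLANS_WITH_GUEST = FW_VLANS + [Vlan(20, ipaddress.IPv4Network("10.10.20.0/24"))]


def vlan_containing(addr, vlans):
    """Return the configured VLAN whose subnet holds addr, or None."""
    for v in vlans:
        if addr in v.subnet:
            return v
    return None


def check_source(src_ip, arrival_vlan, vlans, routes):
    """Evaluate one packet against the three rules quoted in the post.

    Returns (spoofed, reason); spoofed is True when the packet would be dropped.
    """
    src = ipaddress.IPv4Address(src_ip)

    # Rule 2: a source inside a configured VLAN must arrive on that VLAN.
    local = vlan_containing(src, vlans)
    if local is not None:
        if local.vlan_id != arrival_vlan:
            return True, (f"{src} belongs to VLAN {local.vlan_id} "
                          f"but arrived tagged VLAN {arrival_vlan}")
        return False, f"{src} is local to VLAN {arrival_vlan}"

    # Rule 1: otherwise it must be covered by a static route (longest match).
    candidates = [r for r in routes if src in r.prefix]
    if not candidates:
        return True, f"{src} is reachable via no VLAN or static route"
    route = max(candidates, key=lambda r: r.prefix.prefixlen)

    # Rule 3: the arrival VLAN must be the one the route's next hop lives on.
    nh_vlan = vlan_containing(route.next_hop, vlans)
    if nh_vlan is None:
        return True, f"next hop {route.next_hop} of {route.prefix} is on no configured VLAN"
    if nh_vlan.vlan_id != arrival_vlan:
        return True, (f"{src} matches {route.prefix} via VLAN {nh_vlan.vlan_id} "
                      f"but arrived tagged VLAN {arrival_vlan}")
    return False, f"{src} matches {route.prefix} via {route.next_hop} on VLAN {nh_vlan.vlan_id}"


if __name__ == "__main__":
    cases = [
        ("10.10.10.5", 100, FW_VLANS, "core routes staff traffic onto the transit VLAN"),
        ("10.10.10.5", 20, FW_VLANS, "staff address arriving on an unexpected VLAN"),
        ("192.0.2.9", 100, FW_VLANS, "address with no route at all"),
        ("10.10.20.7", 100, FW_VLANS_WITH_GUEST, "guest subnet defined locally but still routed by core"),
    ]
    for src, vlan, vlans, why in cases:
        spoofed, reason = check_source(src, vlan, vlans, FW_ROUTES)
        print(f"{'DROP' if spoofed else 'PASS'}  {why}: {reason}")
```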



Core router that supports: bgp-vpn and etherchannel

The router doesn't need many ports because in my design there are only 2 devices connected to the router. I'm planning to use EtherChannel to join up the ports for higher bandwidth. Could you guys link me a router that supports these features and has high speeds? I can't seem to find one.

Cheers



silver peak sd-wan issue: ISP underlay tunnels fail and return in under 1 minute regularly.

Been working with support for a while, and since they don't provide a community I thought I'd ask here.

starting with code 8.1.7.14 my ISP tunnels seem to fail regularly. They go down for less than a minute. I've monitored latency/ping and all are within acceptable values. Support is telling me it's poor network, but this is occurring between 8 sites at different times, and there's no issues with internet access at the times the tunnels fail.

Has anyone experienced this? Support had me change "Quiescent tunnel keep alive time" from 60 to 1 but that hasn't had any effect. I've been asked to change "Enable IPsec Anti-replay Window" to disable and as soon as I find that setting I'll change it.

I've since upgraded to 8.1.7.15 but this issue has not improved.



BGPmon EoL

I have seen some messages on the blue bird social media suggesting BGPmon EoL will be announced but I can't find anything official for now. Do you guys have more info about it?

EDIT : found this: https://bgpmon.net/wp-content/uploads/2019/01/BGPMon.net-EOL-EOS-faq.pdf



Need advice for firewall for small business.

Hello,

I manage a psychological clinic, and we have two locations. I need to upgrade my firewalls in both locations. Our main location has 20 offices, and the satellite location has 6. We have VoIP phones, and use a shared network drive. I'm not incredibly knowledgeable in the whole networking department, so here are my main questions.

  1. What hardware should I be thinking about. I know that I need VPN, VoIP and it needs to be PCI compliant.
  2. Will I need more than just a firewall (e.g. switch/router) for each location (the main location has a wifi router and a switch in addition to our old firewall).
  3. Does it make sense to buy the same firewall for both locations (we do plan to expand our second location in the next 2-3 years).
  4. I see that many of the options recommend/require a yearly license. Do I need this or can I have adequate protection with hardware only?

Thank you for taking the time to help with this. I have been reading other threads that are along these lines, but most of the conversations are over my head. I am currently trying to learn all I can, while still actually doing my job of managing the clinic.



Is this Network Structure feasible?

I have inherited 6 sites that I manage under 1 organization. All sites have a SonicWall router. Site 1 is the datacenter where all services are hosted. All other sites make a PTP VPN connection back to the main office. Each site has its own LAN subnet, a few 192.168/24 and a few 172.16/12. Is it possible to reconfigure the sites so that each VPN connection is made over a 172.16/32 address and have 10.x.0.0/16 VLANs that span every site? If I had direct connections it would be cake, but I've never had to work with a scenario like this before. Here is a Packet Tracer diagram of what I'm trying to accomplish: https://imgur.com/s9JAr8q The top middle router is "The Internet".



Cisco SSL VPN steps for connection

I'm working on a non-working Cisco SSL VPN connection. This is an item that was not working before I started into the role I'm in.

The setup is Cisco ASA 5510 with Cisco AnyConnect being used on the outside.

I can connect to the VPN and am then prompted with a certificate error window. I accept the self-signed certificate error. Then I receive two error messages in the message history of the AnyConnect client:

"No Valid Certificates available for authentication"

"Connection attempt has failed"

I was curious if I can generate a new SSL key then change the SSL VPN trust-point to point to the newer cert. As I have no idea when or what actually broke/failed. I'm only told the VPN used to work fine.

Ideally, I would like to know the steps for how the ASA processes the SSL VPN connection. Knowing that would allow me to really understand how it all works and where the failure could be happening.

Any ideas?

Thanks,

Matt



Best practice for a DMZ for SME? Is a VLAN with tight ACL good enough?

Just curious what the best practices are for a DMZ for an SME who might be short on cash? In the past I've gone full segregated network with a separate physical server / host and air gapped networking infrastructure for externally facing devices.

Looking at an SME that doesn't really have the money or resources to do this, so I'm thinking about how to go about making it cost effective but still secure.

One option is configuring a separate on the firewall and assigning it to a dedicated "DMZ" port, then having this port patched into the host on a separate NIC which only the VMs in the DMZ can use. Then just use firewall rules to set what can and can't talk between the networks. This is one option, although I'm not sure it is scalable if they have more hosts. I wouldn't want to use 2 or 3 ports on the firewall!

The other option is just to create a DMZ VLAN on the firewall and have that going through the existing network infrastructure with an ACL / no routing to stop that VLAN talking to anything else, then just tag it on the trunk to the host and create a new DMZ virtual switch just for that VLAN to allow only the externally facing machines. Anything wrong with this if option one isn't a goer? Ideally I'd like to keep it completely separate, but is running it over the main network on its own VLAN secure enough for an SME?



VXLAN EVPN - Control Planes

Hi Guys,

I'm trying to lab a Cisco Nexus (NX-OSv) VXLAN EVPN topology to get my head around this architecture.

I know that we are using VXLAN as the data-plane transport, but I am confused about the control plane. Is multicast required if we are using an MP-BGP control plane? I am looking at various blogs, and some are configuring with multicast and MP-BGP and some are just using MP-BGP.

Some have peerings in the IPv4 unicast address family, some do not. I'm confused on the correct way to do this.

Can anyone shed any light on this and provide any links to labs / blogs that are doing this the "correct" way from a Cisco perspective...

Cheers



OpenVPN Routing issue.

A co-worker and I are trying to setup a connection using OpenVPN. I have done this a few times on my own but this particular co-worker... anyway.

His network is 192.168.10.0. He has the OpenVPN server at 192.168.10.1 with a VPN side address of 10.0.8.1.

My side has the client connected at 10.0.8.6 with a LAN side IP of 172.21.10.10.

When the connection is established, I can see and ping everything on the 10 and 192 networks. He can only see/ping his and the 10 network, nothing on the 172 network.

In my novice/amateur knowledge of networking, I am under the impression that he needs a static route in his router to send all traffic bound for the 172 to 10.0.8.6. He says he has tried this and it hasn't worked.

Am I missing something?

Thanks everyone.



Cisco Networking Terms

I am reading some Cisco introductory WAN and I am not sure on a few things.

What are the differences between the following:

Customer Premises Equipment

Data Terminal Equipment

Data Communications Equipment

Demarcation Point

In a cable network is the Demarcation point the ISP modem, the cable splitter or is it the router for the subscribers area?



Restricting traffic (centrally) between subnets on an MPLS network.

I've come across this requirement a few times and feel I might be missing another way to do it.

If we have a Layer3 MPLS network with multiple sites all using a centralised breakout for internet. All sites are part of the same VRF which includes the firewall itself.

Is there a way to restrict two subnets from talking to each other via the centralised firewall other than creating another separate VRF?

For example in the attached diagram we can see two subnets on the same site. I can put an ACL on the router itself on site stopping them from talking to each other but what if the customer wants the traffic to be controlled from the firewall. So any traffic from 192.168.1.0/24 to 10.0.0.0/24 has to go to the firewall and the decision to allow that traffic is done there?

My only idea on doing this is by setting up VRF-Lite on the router itself with the second subnet as part of this and then creating a separate VRF on the core which this is placed in. Then the firewall will have two interfaces to the MPLS, one for each VRF. This doesn't seem very elegant, but I'm not sure if there would be an alternative?

Thanks



Wednesday, January 30, 2019

What do you do to stay productive during slow times?


Do I need a firewall with a core switch?

Hey Everyone -

We're currently working toward designing a new network.

We'll be upgrading our current setup and are considering a Cisco Core Switch to increase overall networking performance. We'd like a Cisco Core Switch (we have a Cisco Call Manager) that allows for up to 100GB of speed for stacking. I'm familiar with Aruba and don't know too much about Cisco high-end switching.

Should I be looking at the Nexus line? I'll need 4 48-Port switches, stacked. If you can let me know what series of the family I should look at as well that'd be appreciated.



Detecting cable in a SFP/SFP+ Port

Hi

Is there a way to detect if a cable is plugged in a SFP/SFP+ port?

Please note I am not looking for solutions that tell if a link is present (like ethtool eth0 or /sys/class/net/eth0/carrier). I want to know if a cable is plugged in even if its other end is dangling or powered down.

Thanks



Laying your own fiber

Alberta, Canada is the location.

I don't think I'd ever actually do it; it's more a thought exercise, but what would it take to lay my own fiber? Say I have two buildings in a downtown location, 1km from each other. I want to lay a piece of fiber between them.

Where do you even start? I guess permits?

Are those pits and trenches with electrical companies and telecommunications companies logos on them, even able to be used? Or do you have to dig your own?



Could CAPWAP over the Internet be made safe enough to use without VPN

I'm thinking about ways to support a remote group of users at a WeWork type site. If I could just ship them a pre-provisioned WAP that would automatically tunnel their traffic back to our controller, it would be ideal.



HTTP Tunneling client/server

So I've been looking over the HTTP tunneling solutions and they all seem very dated and/or not maintained at all. I'd like one I can self host from my home server and one I can potentially tunnel SSH/RDP through as well.

Anyone know of one that still has ongoing support/development?

NOTE: http://http-tunnel.sourceforge.net/ sucks, it crashes on my computer as well as crashes Apache, but I need something just like it that actually works.



Some wireless computers cannot access shared folders

Anybody know why some users that are on wireless cannot access another computer's shared folder? They can access the server's shared folder fine. Other computers that are on wireless or Ethernet can access the shared folder on the computer.

Also, the laptops that cannot connect to the computer's shared folder cannot ping those computers either.

Router is pinging those computers fine.



Requesting help with setting up dorm wifi for large number of users and unique constraints (wireless backhaul & limited channels)

I have received the go ahead for setting up commercial wifi for my dorm to use. Dorm management is restricting us on the specifics of the set up due to contracts with Boingo Wireless and with their construction regulations.

Here are the specific restrictions and details on the set up:

  • Only channel 11 for 2.4 GHz and channels 161 and 165 may be used.
    • Will this affect the usefulness of MU-MIMO and Tri Band routers? I'm assuming MU-MIMO will work fine but I am not sure about Tri Band.
  • We will have about 80 users (+/- 10), all college students so there will be a lot of bandwidth used.
  • No exposed wire or ethernet cables may be used (other than modem to router) - all users will be using wifi.
  • We are getting a Gigabit Xfinity plan
  • Budget of $1000 for equipment (could do $1200 if worthwhile)

The current plan is to use 3 routers (+modem) to provide coverage in 3 hallways. The dorm is a T shape with the modem+router in the center of the vertical line of the T. The other two routers will work as secondary access points on the top left and right corners of the T. We intend to use the 2.4 GHz frequency to backhaul to the central router (because we can't use ethernet cables to connect them) because I believe it will have greater range and penetration; we are getting gigabit, so I believe it does not require 5 GHz, especially if we can split it between the three routers. We could then use a 5 GHz channel or channels (if triband) to connect to each device. I currently am looking at a Netgear DOCSIS 3.1 modem and the ASUS AC2900 or the Netgear AC5300 for routers.

So, does this sound reasonable? What routers would you recommend for this project? Any changes I should do within the constraints (maybe more, cheaper, routers)? Is a wifi backhaul possible with consumer routers? Thank you for any help!



Juniper release numbers - 15.1X vs 18.1R etc.

Hi,

I have some trouble understanding Juniper Version numbering. I already read a lot in Juniper’s knowledge base but it’s still not clear to me. It would be nice if someone could give me a quick explanation.

For example, looking at newer EX switches, the article about JTAC recommended versions lists 15.1X and 18.1R. I don't quite understand what's up with the X versions vs R versions and why I would pick an X version or R version.

I understand that R versions are simply numbered by year and release within the year so 18.1 is the first release of 2018.

However I am not sure about the X versions. Is 15.1X based on 15.1R? And if so why does it exist in parallel to the R version and where are the differences?

I saw that the 18R versions are supported for way longer than the 15X versions. Does this mean that X versions will be phased out?

Is there general advice for a green field deployment on which software version to use?



How much change management is too much

What is y'all's opinion of what is too much change management? At what point do the downsides outweigh the positives?



Perspectives on SD-WAN

A streamlined, centrally-managed approach to branch connectivity appeals to me.

Shoving the whole paradigm into a proprietary vendor-specific black box does not.

Part of me thinks it's the necessary and good next step forward. As ecosystems become more complex, it makes sense to outsource problem spaces to specialists that inevitably emerge to fill evolutionary niches.

Part of me thinks it's a dangerous trap, ripe with short-term gains but setting us up for long-term pains, as we slowly cede our standards-based, "knowable" infrastructure to tightly integrated, proprietary black boxes.

Thoughts?



windows routing table question

I work in a Cisco lab at a community college. We installed serial console servers in our lab/data center so the students can perform initial device configuration without having to mess with rollover cables. The computers in each of our classrooms each have 2 NICs. One is connected to a patch panel in the data center with no intervening layer 2 or 3 devices. The other one is connected to the school's network, I think to a layer 3 switch Which also eventually connects to the console servers in the data center. The NIC connected to the patch panel doesn't have a fixed configuration. It's used for the labs.

In the past, if the lab config conflicted with the school's network settings we just disabled that NIC in control panel, but we can't do that now because we need access to the console servers. We can add static routes on each PC, but we'd have to change the route for every lab.

I suggested using the IP address ranges reserved for testing for the labs with a permanent static route on the PCs, but that would require the instructors to edit the curriculum, not to mention it would limit what stuff we could do in the labs.

There's also a wrinkle regarding jurisdiction. We (the Cisco academy) don't have access to the equipment between the classrooms and the data center. While I'm sure we can work something out with the IT department, I'd like to know if there's something we can do on the PCs alone that would solve the problem.



I have a doubt about RA messages in IPv6

Hey, I'm studying now and I had a doubt about RA messages in IPv6. Are these messages something like DHCP? Because as I read, the info says that these messages give hosts addressing information.
I guess they are different from DHCP, but what is the difference? Because both give addressing info.



IPv4 vs IPv6

Do you all think IPv4 is dead or near death? Or does it have another function?



One handed Termination tool

Hello everyone. I work in the IT industry but was born with a radial plexus injury to my right arm and hand. This means that I have limited strength and mobility when utilizing my fingers on that hand. I can successfully terminate Cat5 cable but it takes me a long time. Anyone else out there that has a similar situation that has a found or built a tool to help?



Logging Traffic - Permitted and blocked

Do you log blocked traffic to the firewall? Or only log permitted traffic? Or should all traffic be logged?

Does it change if it's an office or DC firewall? Looking for best practices.



Nokia NRS1 and CCNA Lab Equipment List

I have been tasked by the powers that be in my shop to put together a lab for our guys to work on getting their NRS1/2 and CCNA/CCNP certifications. This is for a large company that is an ISP, so assume for a moment that we're looking at a magic budget, build-it-for-future-generations lab. Does anyone have any experience with this or ideas on what equipment we would want? I have a CCNA so I have some vague ideas for that, but all the Nokia gear we use is in the ridiculous overkill range for what would be needed for the Nokia certs.



OpenDNS

Looking for opinions about OpenDNS. My company is thinking about going to Cisco Umbrella, but I just found WebTitan. Thoughts on the matter? We currently run a Cisco WSA as our web proxy filter.



VLANs mismatch

Sorry, it's late. I keep getting the same error. I've assigned 5 different VLANs to 5 different ports. They're all set to access, and none of them are on the same VLAN, as I've mentioned. Does anyone know why I keep getting this error?

https://gyazo.com/383419c9ec068b0fca8618a5724f58d0 - the error

https://gyazo.com/a9127d4379382df45b179e49d25ab3fe - my VLAN name + ID



Network automation tools

Hi, I am looking into tools to help automate network configuration, activation and maintenance type tasks. We've been using Ansible for a while and it's pretty good, but I'm looking to hear opinions on what else we should kick the tires on. Interested in API and GUI options that engineers could use. Itential was on my list, but it's relatively new, so I'd like to hear if you have any feedback. I don't work for a vendor, just a network guy looking at ways to move beyond the CLI. Thanks



Perimeter firewalls and rapidly increasing internet bandwidth on offer from ISPs- how are you handling this?

I work for a VAR / MSP in the SMB / SME space. Over the past year or so we have seen some big jumps in bandwidth on offer from ISPs to our clients. The old average for our area used to be 25-50 Mbps for smaller shops, but now we're seeing 100 at a minimum in most cases, up to 400. Nearly all of these networks are designed with perimeter firewalls handling most if not all of their routing, VPNs, etc. The price difference between an NGFW that can do 50Mbps and 400Mbps is substantial (at least in re: to most businesses of this size).

The best I've really got right now is the very honest answer of, "It comes down to whether you want more bandwidth or more security based on your budget", i.e. we can deliver 400Mbps on your budget if you don't run IPS anymore (or similar). This can be a bit of a tough discussion because most clients assume that more bandwidth is always the answer, and while I don't disagree with them it doesn't always align with their other requests. Even if they never utilize that actual amount of bandwidth, if they happen to run a speedtest and see lower they assume something is wrong.

In a meeting with our primary NGFW vendor, they said they're experiencing the same growth issue where mom and pop shops are getting 1Gb fiber circuits and if they want to make use of that full pipe they're going to need a very expensive perimeter unit, and that's just not going to happen.

So, who has been dealing with this and what was your solution overall?



Need network suggestion for sending telemetry data from sensor/endpoint to local server

I need to wirelessly transfer messages from node/sensor to gateway that would be at most 2km apart from each other. The message would go through gateway to local server. The main information here is I need to work with 40 endpoints (that are present in field) that are sending messages to the local server. Here are some requirements for the system that would be nice to have:

  • I am currently working with 40 nodes that wake up every 1 minute. So I would like to have battery life of at least 3-5 years.
  • I would like to have 95% accuracy from the node.
  • A fully bi-directional messaging feature is the goal.

I have worked with Bluetooth, LoRa and Sigfox. Unfortunately none of them worked well, either due to range or one-directional messaging capability. I am currently looking into Haystack Dash7 and Symphony Link, but their online community is quite small. I would like to know what other technologies within LPWAN or aside from LPWAN I can use that would fit the aforementioned requirements?



Does anyone have experience with a Calix ONT (E7) accepting double tags on ONT ingress?

Trying to create an svc-tag-action but trying to see if the Calix OLT can support a customer sending two tags as I use TLAN if they're only sending one.

Is the change tag service tag action the way to go?



ERSPAN on Nexus 3k only allowing rx

We're setting up a new security device and setting up the monitor session. All the examples I've seen show using "both" on the source, but all I have is "rx" as below. How do I grab the bidirectional traffic?

monitor session 2 type erspan-source
  erspan-id 32
  vrf default
  destination ip x.x.x.x
  source vlan x,x,x, rx
  no shut

EDIT: duh, it's

  source vlan x,x,x

no modifier needed ...



FMC Unresponsive

I'm a noob when it comes to this kind of stuff, but FMC is running at 100% CPU usage and is unresponsive within VMware. Can I just reset the VM with no issues, or will there be any issues elsewhere after that?



Cisco WAAS + Windows 10..

Hello fellow packeteers

Recently, my organization has been running into a peculiar issue with WAAS acceleration. The machines which have been upgraded to Windows 10 will often give a "Page Cannot Be Displayed" error, even though the internet is working fine. When the internal SM module is disabled or wccp redirect removed from the interface, all traffic works fine. If you refresh the page a few times, it will eventually load.
The really interesting bit is that this issue does not occur on Windows 7, only on the devices that are updated to 10. I am leaning towards it being some type of security handshake issue that is different between the two versions of Windows...



Building out a network for your office (How do you start?)

Can someone outline the basic steps on getting a network running for a company? My guess is it works something like this.

  1. Contact ISP to request a business network
  2. ISP provides you with a modem/router and public IP
  3. You place a firewall or switch in front of the router
  4. You set up NAT (how does this work exactly if this is the correct step)
  5. Connect your network devices to your switch


Don’t know if this goes here but I have an interview today

The position is for an internship at a business that does outsourcing and stuff like that. I'm a bit nervous and was curious as to what questions you think they will ask me. I've pretty much studied all the basic questions that my school thinks they would ask me, but I'm still pretty nervous since I'm still a beginner. Any tips would be appreciated.



SDA and Campus networks

Can someone try to describe what problem SDA is trying to solve? Also what do they mean with 'campus' networks, why are they not called 'enterprise networks'?

Somebody cares to explain a bit?



TCP Window Scaling // Windows vs Linux // Crazy Performance Difference

Hi,

Two machines over a high bandwidth, low latency network. One is Ubuntu Desktop, the other is Windows 10. There's an iPerf server on the other end. The network is a 1gbps leased line. Same version of iPerf on both clients and server.

When I run Ubuntu TCP iPerf, I receive ~900 Mbps which is what I'd expect. However when I run a Windows TCP iPerf, I get around ~50-100Mbps. Weird right?

I directly connected this Ubuntu and Windows laptop together, and ran the test again: 1Gbps between the two, so I know both laptops are capable of achieving the speed.

I wiresharked the test with the packet captures side by side: the packets are *identical* other than the Window Size Value, and it differs as follows:

Windows - Window Size = 53248, Window size scaling factor = 4, Calculated Window Size = 212992.

Ubuntu - Window Size = 229, Window size scaling factor = 128, Calculated Window Size = 29312.

When disabling TCP Window Scaling on either machine, performance degrades.

Really confused, no idea and have never seen anything like this. Anyone got any ideas?
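An added example, not code from the original post: a small Python parser that decodes the Window Scale option (kind 3) from the TCP options of a SYN, applies the resulting shift to a raw window field to reproduce the two "Calculated Window Size" values above, and then runs the window-versus-RTT check a practitioner would do next. The option bytes and the 20 ms RTT are constructed assumptions, not values from the poster's captures.

```python
"""Decode the TCP Window Scale option and check what an advertised window can carry."""

# Constructed TCP option bytes from two SYN segments (assumed values, not taken from the
# poster's captures). Layout follows the RFC 793 / RFC 7323 TLVs:
#   kind 2 len 4 = MSS, kind 1 = NOP, kind 3 len 3 = Window Scale, kind 4 len 2 = SACK permitted
WINDOWS_SYN_OPTIONS = bytes([2, 4, 0x05, 0xB4, 1, 3, 3, 2, 1, 1, 4, 2])  # shift 2 -> factor 4
UBUNTU_SYN_OPTIONS = bytes([2, 4, 0x05, 0xB4, 4, 2, 1, 3, 3, 7])         # shift 7 -> factor 128

KIND_EOL, KIND_NOP, KIND_MSS, KIND_WSCALE = 0, 1, 2, 3
MAX_WSCALE_SHIFT = 14  # RFC 7323 section 2.3: a larger advertised shift is clamped to 14


def parse_tcp_options(raw: bytes) -> dict:
    """Walk the option TLVs and return {kind: payload}; single-byte EOL/NOP carry no payload."""
    opts = {}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == KIND_EOL:
            break
        if kind == KIND_NOP:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header at offset %d" % i)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        opts[kind] = raw[i + 2 : i + length]
        i += length
    return opts


def window_scale_shift(raw: bytes):
    """Shift count offered in the SYN, clamped per RFC 7323; None if scaling was not offered."""
    payload = parse_tcp_options(raw).get(KIND_WSCALE)
    if payload is None or len(payload) != 1:
        return None
    return min(payload[0], MAX_WSCALE_SHIFT)


def effective_window(raw_window: int, shift: int) -> int:
    """Wireshark's 'Calculated window size': the 16-bit field times 2**shift.

    The shift applies to every segment after the SYN; the SYN's own window is never scaled.
    A value from one captured segment is only a snapshot, since both stacks autotune it."""
    return raw_window << shift


def max_throughput_bps(window_bytes: int, rtt_seconds: float) -> float:
    """Upper bound on what one flow can move with this receive window: window / RTT."""
    return window_bytes * 8 / rtt_seconds


def window_for_throughput(bits_per_second: float, rtt_seconds: float) -> int:
    """Bandwidth-delay product: the receive window needed to fill the pipe at this RTT."""
    return int(round(bits_per_second * rtt_seconds / 8))


if __name__ == "__main__":
    RTT = 0.020  # assumed 20 ms RTT for the leased line; the post does not state it
    for name, opts, raw_window in (("Windows", WINDOWS_SYN_OPTIONS, 53248),
                                   ("Ubuntu", UBUNTU_SYN_OPTIONS, 229)):
        shift = window_scale_shift(opts)
        win = effective_window(raw_window, shift)
        print("%-7s shift=%d factor=%d window=%d bytes -> ceiling %.1f Mbps at %.0f ms RTT"
              % (name, shift, 1 << shift, win, max_throughput_bps(win, RTT) / 1e6, RTT * 1e3))
    print("window needed for 1 Gbps at %.0f ms RTT: %d bytes"
          % (RTT * 1e3, window_for_throughput(1e9, RTT)))
```

Comparing the window actually advertised during the transfer (not just in one segment) against the bandwidth-delay product is the quickest way to tell whether the receiver's window or something else is the bottleneck.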



Best disconnection methods for clients having expired subscription.

Hello. I needed to know if there can be better ways to disconnect/terminate the internet connection of our clients who have pending bills and expired subscriptions. We have been using Mikrotik routers (the firewall has been helpful), but it's not the best method.

Any new ideas will be highly appreciated.



C9500-48Y4C SFP+ compatibility?

Hi.

Has anyone tested (third party) SFP+ modules in this one?

The data sheet says 1/10/25G Gigabit Ethernet switch with SFP28, so I have to assume it means that it supports SFP /SFP+, since SFP28 only supports 25G.

But I thought it would be wise to ask first :)

Thanks.



Puzzling OSPF Pathing

Hi everyone. I've got a head-scratcher, and wondering if /r/networking can help me understand the behavior OSPF is exhibiting.

The topology is here: https://imgur.com/a/MPRg3DO

The hardware is mixed variety, Brocade, Fortigate and some Ubiquiti.

I can't figure out why OSPF is routing traffic from Host A destined for R5 the way it does (green arrows), while a lower cost option exists directly from R2 to R4.

Egress traffic from R5 back to Host A does utilize the R4-R2 path, just not inbound. I think it might be due to some inter-area nuances, but just can't seem to put a finger on it.

Thanks for any insights!

edit: some more info. Destination on R5 is 192.168.168.128/26.

'show ip route 192.168.168.128 detail' on R2:
Interface 1/3 is the interconnect between R1 & R2.

telnet@rtr-02>show ip route 192.168.168.128 detail
Type Codes - B:BGP D:Connected I:ISIS O:OSPF R:RIP S:Static; Cost - Dist/Metric
BGP Codes - i:iBGP e:eBGP
ISIS Codes - L1:Level-1 L2:Level-2
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2 s:Sham Link
STATIC Codes - d:DHCPv6
        Destination          Gateway          Port       Cost      Type  Uptime  src-vrf
1       192.168.168.128/26   192.168.161.28   eth 1/3    110/246   Oi    9h49m   -
        Nexthop Entry ID:65536, Paths: 1, Ref_Count:100836/100837
D:Dynamic P:Permanent F:Forward U:Us C:Connected Network E: ESI VLAN
W:Wait ARP I:ICMP Deny K:Drop R:Fragment S:Snap Encap N:CamInvalid
Module S1:
        IP Address           Next Hop         MAC              Type  Port  Vlan  Pri
        192.168.168.128/26   192.168.161.28   0012.f290.b102   PF    1/3   1     0
        OutgoingIf ArpIndex PPCR_ID CamLevel Parent DontAge Index Is_trunk
        eth 1/3 3 1:1 1 0 54539 0
        U_flags Entry_flags Age Cam:Index HW_Path_count
        0000e000 0 0x00011ca8 (L3, left) 1
        CAM Entry Flag: 00000001H
        PPCR : 1:1 CIDX: 0x00011ca8 (L3, left) (IP_NETWORK: 0xfc357)
        pram_index_programmed: ppcr[0] 0x0007fedb

show ip ospf database on R2 (snipped to relevant network):

192.168.66.1 is ID for R4.

192.168.162.9 is ID for R3.

180 0.0.0.0 Summ 192.168.168.128 192.168.162.9 80000014 1573 0xde57 Done
181 0.0.0.0 Summ 192.168.168.128 192.168.66.1 80000014 1414 0xe2ae Done



Seeking recommendation on router / AP hardware

Howdy y'all. This hardware is for my home, which is also my office. Less than 20 nodes connecting to the device(s).

I'm tired of consumer pos routers / ap that die after a few years. I've installed dd-wrt and tomato on various routers to expand their functionality in the past.

Now, I'm looking for something that is a bit less consumer grade, and closer to pro-sumer or soho. I want to focus on quality of build and security. I'm currently leaning towards Mikrotik and/or Ubiquiti.

Any thoughts? What do you use and what are the advantages and disadvantages?

Thanks!



Use OSPF for redundancy with firewalls in layer 2 / bridging mode?

I have a historically grown /16 network containing multiple MRP rings, each containing assets with critical availability requirements. Right now, the rings are connected redundantly to the central switches. Is it possible to implement redundant firewalling in bridging mode (transparent on layer 2) by using OSPF?

The setup would be the following, from bottom to top:

  • MRP ring out of which two switches each have a connection to one of the OSPF routers
  • Two OSPF routers that are interconnected, where each router has a connection to a transparent firewall
  • Two active UNIX firewalls that are connected to the central switches

The goal is: Send all traffic through transparent firewall A. If the active firewall A fails, the link-state changes, the OSPF routers notice the change and forward the traffic through firewall B.

I understand that OSPF is an IGP routing protocol so intuitively I'd say this isn't possible, however, I talked to a colleague who claims this works. Wouldn't this have to be different networks because of the routing aspect?

The scenario is kind of specific and more complex in reality (we are already changing the MRP rings to /24 subnets one by one at the moment and are using Proxy ARP to keep connectivity). I am not able to change the devices (e.g. use Cisco) and am not looking for alternative solutions using routed /24 subnets with HA firewalls (HSRP or VRRP or CARP), since this is our goal anyway. I am looking for a temporary solution that doesn't require changing the network settings in the individual rings.

Thanks in advance!



Fiber infrastructure mapping

To preface- I’m new to my organization and this project got slammed on my desk. We have approximately 50 Excel workbooks containing all the fiber patch panels we manage. They are asking me to provide a simple solution to determine what devices are connected where (and what patch panels that device might go through). They also want some functionality where you can specify one point and get an output of its far end. I have a couple ideas using pivot tables in excel or an Access database. However, what do you use to document your fiber infrastructure?



IOS-XR, ASR9K, BNG, and PWHE?

I am looking at a network that currently operates a full VPLS mesh with BVIs terminated on two ASR9Ks acting as BNGs. The request is to migrate away from VPLS to PWE3, however every document I can find regarding BNG features and IOS-XR say PWHE is expressly not supported.

Does this mean I need separate chassis, one to do BNG duties and another to act as PWHE? I can clearly see ASR9K supports PWHE... and BNG features... just not together?

Appreciate any clarity anyone with experience on this platform can provide.



Problem In My Network

Dropping this here to see if anyone has any ideas, here is the scenario. The local network runs out to a switch and then to a router.

This has become a problem in our network for about a year now, the issue cannot always be replicated. We have person "A" connect to a CAT6 ethernet port in their office, everything works like a charm. Person "A" then moves to a conference room and connects to the ethernet port in the conference area, they then cannot get an IP address until they move back to the previous working port in the office. Person "B" then connects to the port in the conference room and it works fine.

This happens on various ports, various computers, and various people.

We eventually had enough and changed out the switch, thinking this may be some sort of arp cache issue. The issue still remains.

Now I have a wifi router "A" and wifi router "B", wifi router "A" works perfectly in the port it is in. Wifi router "B" does not receive authentication signals in any other port except for the one router "A" is plugged in to. Maybe related, maybe not.



Do you heat up all drops?

I'm curious how many of you heat up every drop in a building. Do you install enough switches to cover all drops, even if a percentage of those drops will not be used? We've tried both ways, and while we like having to buy fewer switches, we are finding it difficult to manage the workload from drop usage changes. When we've had our onsite techs make the cabling changes from patch panel to switch, the end result is some pretty gnarly cable management in our IDFs, as they don't always have the appropriate cable lengths in the right color (to follow our established convention). Ideas on how to manage this are greatly appreciated.